From dc58f6fa8748fe947f6a039d5dc332e4cc48cadf Mon Sep 17 00:00:00 2001
From: dilanbhalla <dbhalla21@berkeley.edu>
Date: Thu, 25 Jun 2020 11:39:09 -0700
Subject: [PATCH 0001/1429] function/class synatax

---
 .../Classes/NamingConventionsClasses.qhelp    | 30 +++++++++++++++++++
 .../src/Classes/NamingConventionsClasses.ql   | 17 +++++++++++
 .../NamingConventionsFunctions.qhelp          | 30 +++++++++++++++++++
 .../Functions/NamingConventionsFunctions.ql   | 17 +++++++++++
 .../Naming/NamingConventionsClasses.expected  |  1 +
 .../Naming/NamingConventionsClasses.py        | 11 +++++++
 .../Naming/NamingConventionsClasses.qlref     |  1 +
 .../NamingConventionsFunctions.expected       |  1 +
 .../general/NamingConventionsFunctions.py     |  9 ++++++
 .../general/NamingConventionsFunctions.qlref  |  1 +
 10 files changed, 118 insertions(+)
 create mode 100644 python/ql/src/Classes/NamingConventionsClasses.qhelp
 create mode 100644 python/ql/src/Classes/NamingConventionsClasses.ql
 create mode 100644 python/ql/src/Functions/NamingConventionsFunctions.qhelp
 create mode 100644 python/ql/src/Functions/NamingConventionsFunctions.ql
 create mode 100644 python/ql/test/query-tests/Classes/Naming/NamingConventionsClasses.expected
 create mode 100644 python/ql/test/query-tests/Classes/Naming/NamingConventionsClasses.py
 create mode 100644 python/ql/test/query-tests/Classes/Naming/NamingConventionsClasses.qlref
 create mode 100644 python/ql/test/query-tests/Functions/general/NamingConventionsFunctions.expected
 create mode 100644 python/ql/test/query-tests/Functions/general/NamingConventionsFunctions.py
 create mode 100644 python/ql/test/query-tests/Functions/general/NamingConventionsFunctions.qlref

diff --git a/python/ql/src/Classes/NamingConventionsClasses.qhelp b/python/ql/src/Classes/NamingConventionsClasses.qhelp
new file mode 100644
index 00000000000..7a6c0ca13dd
--- /dev/null
+++ b/python/ql/src/Classes/NamingConventionsClasses.qhelp
@@ -0,0 +1,30 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+
+<overview>
+<p>A class name that begins with a lowercase letter does not follow standard
+naming conventions. This decreases code readability. For example, <code>class background</code>.
+</p>
+
+</overview>
+<recommendation>
+
+<p>
+Write the class name beginning with an uppercase letter. For example, <code>class Background</code>.
+</p>
+
+</recommendation>
+
+<references>
+
+<li>
+  Guido van Rossum, Barry Warsaw, Nick Coghlan <em>PEP 8 -- Style Guide for Python Code<em>
+  <a href="https://www.python.org/dev/peps/pep-0008/#class-names"</a>
+</li>
+
+</references>
+
+</qhelp>
diff --git a/python/ql/src/Classes/NamingConventionsClasses.ql b/python/ql/src/Classes/NamingConventionsClasses.ql
new file mode 100644
index 00000000000..a1744f5d3e6
--- /dev/null
+++ b/python/ql/src/Classes/NamingConventionsClasses.ql
@@ -0,0 +1,17 @@
+/**
+ * @name Misnamed class
+ * @description A class name that begins with a lowercase letter decreases readability.
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision medium
+ * @id python/misnamed-type
+ * @tags maintainability
+ */
+
+import python
+
+from Class c
+where
+  c.inSource() and
+  not c.getName().substring(0, 1).toUpperCase() = c.getName().substring(0, 1)
+select c, "Class names should start in uppercase."
diff --git a/python/ql/src/Functions/NamingConventionsFunctions.qhelp b/python/ql/src/Functions/NamingConventionsFunctions.qhelp
new file mode 100644
index 00000000000..15014045542
--- /dev/null
+++ b/python/ql/src/Functions/NamingConventionsFunctions.qhelp
@@ -0,0 +1,30 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+
+<overview>
+<p>A function name that begins with an uppercase letter does not follow standard
+naming conventions. This decreases code readability. For example, <code>Jump</code>.
+</p>
+
+</overview>
+<recommendation>
+
+<p>
+Write the function name beginning with an lowercase letter. For example, <code>jump</code>.
+</p>
+
+</recommendation>
+
+<references>
+
+<li>
+  Guido van Rossum, Barry Warsaw, Nick Coghlan <em>PEP 8 -- Style Guide for Python Code<em>
+  <a href="https://www.python.org/dev/peps/pep-0008/#function-and-variable-names"</a>
+</li>
+
+</references>
+
+</qhelp>
diff --git a/python/ql/src/Functions/NamingConventionsFunctions.ql b/python/ql/src/Functions/NamingConventionsFunctions.ql
new file mode 100644
index 00000000000..3ed619bc084
--- /dev/null
+++ b/python/ql/src/Functions/NamingConventionsFunctions.ql
@@ -0,0 +1,17 @@
+/**
+ * @name Misnamed function
+ * @description A function name that begins with an uppercase letter decreases readability.
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision medium
+ * @id python/misnamed-function
+ * @tags maintainability
+ */
+
+import python
+
+from Function f
+where
+  f.inSource() and
+  not f.getName().substring(0, 1).toLowerCase() = f.getName().substring(0, 1)
+select f, "Function names should start in lowercase."
diff --git a/python/ql/test/query-tests/Classes/Naming/NamingConventionsClasses.expected b/python/ql/test/query-tests/Classes/Naming/NamingConventionsClasses.expected
new file mode 100644
index 00000000000..8e6dea7fce4
--- /dev/null
+++ b/python/ql/test/query-tests/Classes/Naming/NamingConventionsClasses.expected
@@ -0,0 +1 @@
+| NamingConventionsClasses.py:2:1:2:14 | Class badName | Class names should start in uppercase. |
diff --git a/python/ql/test/query-tests/Classes/Naming/NamingConventionsClasses.py b/python/ql/test/query-tests/Classes/Naming/NamingConventionsClasses.py
new file mode 100644
index 00000000000..c07bdb57234
--- /dev/null
+++ b/python/ql/test/query-tests/Classes/Naming/NamingConventionsClasses.py
@@ -0,0 +1,11 @@
+# BAD, do not start class or interface name with lowercase letter
+class badName:
+
+    def hello(self):
+        print("hello")
+
+# Good, class name starts with capital letter
+class GoodName:
+
+    def hello(self):
+        print("hello")
\ No newline at end of file
diff --git a/python/ql/test/query-tests/Classes/Naming/NamingConventionsClasses.qlref b/python/ql/test/query-tests/Classes/Naming/NamingConventionsClasses.qlref
new file mode 100644
index 00000000000..01ad29859da
--- /dev/null
+++ b/python/ql/test/query-tests/Classes/Naming/NamingConventionsClasses.qlref
@@ -0,0 +1 @@
+Classes/NamingConventionsClasses.ql
\ No newline at end of file
diff --git a/python/ql/test/query-tests/Functions/general/NamingConventionsFunctions.expected b/python/ql/test/query-tests/Functions/general/NamingConventionsFunctions.expected
new file mode 100644
index 00000000000..d87fe6c16f3
--- /dev/null
+++ b/python/ql/test/query-tests/Functions/general/NamingConventionsFunctions.expected
@@ -0,0 +1 @@
+| NamingConventionsFunctions.py:4:5:4:25 | Function HelloWorld | Function names should start in lowercase. |
diff --git a/python/ql/test/query-tests/Functions/general/NamingConventionsFunctions.py b/python/ql/test/query-tests/Functions/general/NamingConventionsFunctions.py
new file mode 100644
index 00000000000..fb3e89ab8e9
--- /dev/null
+++ b/python/ql/test/query-tests/Functions/general/NamingConventionsFunctions.py
@@ -0,0 +1,9 @@
+class Test:
+
+    # BAD, do not start function name with uppercase letter
+    def HelloWorld(self):
+        print("hello world")
+
+    # GOOD, function name starts with lowercase letter
+    def hello_world(self):
+        print("hello world")
\ No newline at end of file
diff --git a/python/ql/test/query-tests/Functions/general/NamingConventionsFunctions.qlref b/python/ql/test/query-tests/Functions/general/NamingConventionsFunctions.qlref
new file mode 100644
index 00000000000..da4780ecbe9
--- /dev/null
+++ b/python/ql/test/query-tests/Functions/general/NamingConventionsFunctions.qlref
@@ -0,0 +1 @@
+Functions/NamingConventionsFunctions.ql
\ No newline at end of file

From dc73fcc4e856cbfc3ea5967013dcf858679563f8 Mon Sep 17 00:00:00 2001
From: dilanbhalla <dbhalla21@berkeley.edu>
Date: Wed, 1 Jul 2020 09:54:58 -0700
Subject: [PATCH 0002/1429] moved to experimental

---
 .../{ => experimental}/Classes/NamingConventionsClasses.qhelp    | 0
 .../src/{ => experimental}/Classes/NamingConventionsClasses.ql   | 0
 .../Functions/NamingConventionsFunctions.qhelp                   | 0
 .../{ => experimental}/Functions/NamingConventionsFunctions.ql   | 0
 .../query-tests/Classes/Naming/NamingConventionsClasses.expected | 0
 .../query-tests/Classes/Naming/NamingConventionsClasses.py       | 0
 .../query-tests/Classes/Naming/NamingConventionsClasses.qlref    | 1 +
 .../Functions/general/NamingConventionsFunctions.expected        | 0
 .../query-tests/Functions/general/NamingConventionsFunctions.py  | 0
 .../Functions/general/NamingConventionsFunctions.qlref           | 1 +
 .../query-tests/Classes/Naming/NamingConventionsClasses.qlref    | 1 -
 .../Functions/general/NamingConventionsFunctions.qlref           | 1 -
 12 files changed, 2 insertions(+), 2 deletions(-)
 rename python/ql/src/{ => experimental}/Classes/NamingConventionsClasses.qhelp (100%)
 rename python/ql/src/{ => experimental}/Classes/NamingConventionsClasses.ql (100%)
 rename python/ql/src/{ => experimental}/Functions/NamingConventionsFunctions.qhelp (100%)
 rename python/ql/src/{ => experimental}/Functions/NamingConventionsFunctions.ql (100%)
 rename python/ql/test/{ => experimental}/query-tests/Classes/Naming/NamingConventionsClasses.expected (100%)
 rename python/ql/test/{ => experimental}/query-tests/Classes/Naming/NamingConventionsClasses.py (100%)
 create mode 100644 python/ql/test/experimental/query-tests/Classes/Naming/NamingConventionsClasses.qlref
 rename python/ql/test/{ => experimental}/query-tests/Functions/general/NamingConventionsFunctions.expected (100%)
 rename python/ql/test/{ => experimental}/query-tests/Functions/general/NamingConventionsFunctions.py (100%)
 create mode 100644 python/ql/test/experimental/query-tests/Functions/general/NamingConventionsFunctions.qlref
 delete mode 100644 python/ql/test/query-tests/Classes/Naming/NamingConventionsClasses.qlref
 delete mode 100644 python/ql/test/query-tests/Functions/general/NamingConventionsFunctions.qlref

diff --git a/python/ql/src/Classes/NamingConventionsClasses.qhelp b/python/ql/src/experimental/Classes/NamingConventionsClasses.qhelp
similarity index 100%
rename from python/ql/src/Classes/NamingConventionsClasses.qhelp
rename to python/ql/src/experimental/Classes/NamingConventionsClasses.qhelp
diff --git a/python/ql/src/Classes/NamingConventionsClasses.ql b/python/ql/src/experimental/Classes/NamingConventionsClasses.ql
similarity index 100%
rename from python/ql/src/Classes/NamingConventionsClasses.ql
rename to python/ql/src/experimental/Classes/NamingConventionsClasses.ql
diff --git a/python/ql/src/Functions/NamingConventionsFunctions.qhelp b/python/ql/src/experimental/Functions/NamingConventionsFunctions.qhelp
similarity index 100%
rename from python/ql/src/Functions/NamingConventionsFunctions.qhelp
rename to python/ql/src/experimental/Functions/NamingConventionsFunctions.qhelp
diff --git a/python/ql/src/Functions/NamingConventionsFunctions.ql b/python/ql/src/experimental/Functions/NamingConventionsFunctions.ql
similarity index 100%
rename from python/ql/src/Functions/NamingConventionsFunctions.ql
rename to python/ql/src/experimental/Functions/NamingConventionsFunctions.ql
diff --git a/python/ql/test/query-tests/Classes/Naming/NamingConventionsClasses.expected b/python/ql/test/experimental/query-tests/Classes/Naming/NamingConventionsClasses.expected
similarity index 100%
rename from python/ql/test/query-tests/Classes/Naming/NamingConventionsClasses.expected
rename to python/ql/test/experimental/query-tests/Classes/Naming/NamingConventionsClasses.expected
diff --git a/python/ql/test/query-tests/Classes/Naming/NamingConventionsClasses.py b/python/ql/test/experimental/query-tests/Classes/Naming/NamingConventionsClasses.py
similarity index 100%
rename from python/ql/test/query-tests/Classes/Naming/NamingConventionsClasses.py
rename to python/ql/test/experimental/query-tests/Classes/Naming/NamingConventionsClasses.py
diff --git a/python/ql/test/experimental/query-tests/Classes/Naming/NamingConventionsClasses.qlref b/python/ql/test/experimental/query-tests/Classes/Naming/NamingConventionsClasses.qlref
new file mode 100644
index 00000000000..7ed945d782c
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Classes/Naming/NamingConventionsClasses.qlref
@@ -0,0 +1 @@
+experimental/Classes/NamingConventionsClasses.ql
\ No newline at end of file
diff --git a/python/ql/test/query-tests/Functions/general/NamingConventionsFunctions.expected b/python/ql/test/experimental/query-tests/Functions/general/NamingConventionsFunctions.expected
similarity index 100%
rename from python/ql/test/query-tests/Functions/general/NamingConventionsFunctions.expected
rename to python/ql/test/experimental/query-tests/Functions/general/NamingConventionsFunctions.expected
diff --git a/python/ql/test/query-tests/Functions/general/NamingConventionsFunctions.py b/python/ql/test/experimental/query-tests/Functions/general/NamingConventionsFunctions.py
similarity index 100%
rename from python/ql/test/query-tests/Functions/general/NamingConventionsFunctions.py
rename to python/ql/test/experimental/query-tests/Functions/general/NamingConventionsFunctions.py
diff --git a/python/ql/test/experimental/query-tests/Functions/general/NamingConventionsFunctions.qlref b/python/ql/test/experimental/query-tests/Functions/general/NamingConventionsFunctions.qlref
new file mode 100644
index 00000000000..0204694de0a
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Functions/general/NamingConventionsFunctions.qlref
@@ -0,0 +1 @@
+experimental/Functions/NamingConventionsFunctions.ql
\ No newline at end of file
diff --git a/python/ql/test/query-tests/Classes/Naming/NamingConventionsClasses.qlref b/python/ql/test/query-tests/Classes/Naming/NamingConventionsClasses.qlref
deleted file mode 100644
index 01ad29859da..00000000000
--- a/python/ql/test/query-tests/Classes/Naming/NamingConventionsClasses.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Classes/NamingConventionsClasses.ql
\ No newline at end of file
diff --git a/python/ql/test/query-tests/Functions/general/NamingConventionsFunctions.qlref b/python/ql/test/query-tests/Functions/general/NamingConventionsFunctions.qlref
deleted file mode 100644
index da4780ecbe9..00000000000
--- a/python/ql/test/query-tests/Functions/general/NamingConventionsFunctions.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Functions/NamingConventionsFunctions.ql
\ No newline at end of file

From 26b030f8ccaf1b1922623a035e15cef239ec7314 Mon Sep 17 00:00:00 2001
From: dilanbhalla <dbhalla21@berkeley.edu>
Date: Tue, 7 Jul 2020 10:52:26 -0700
Subject: [PATCH 0003/1429] fixed pr suggestions

---
 .../Classes/NamingConventionsClasses.qhelp         |  2 +-
 .../Classes/NamingConventionsClasses.ql            | 14 ++++++++++----
 .../Functions/NamingConventionsFunctions.qhelp     |  2 +-
 .../Functions/NamingConventionsFunctions.ql        | 14 ++++++++++----
 4 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/python/ql/src/experimental/Classes/NamingConventionsClasses.qhelp b/python/ql/src/experimental/Classes/NamingConventionsClasses.qhelp
index 7a6c0ca13dd..1a7f4bc45a4 100644
--- a/python/ql/src/experimental/Classes/NamingConventionsClasses.qhelp
+++ b/python/ql/src/experimental/Classes/NamingConventionsClasses.qhelp
@@ -22,7 +22,7 @@ Write the class name beginning with an uppercase letter. For example, <code>clas
 
 <li>
   Guido van Rossum, Barry Warsaw, Nick Coghlan <em>PEP 8 -- Style Guide for Python Code<em>
-  <a href="https://www.python.org/dev/peps/pep-0008/#class-names"</a>
+  <a href="https://www.python.org/dev/peps/pep-0008/#class-names">Python Class Names</a>
 </li>
 
 </references>
diff --git a/python/ql/src/experimental/Classes/NamingConventionsClasses.ql b/python/ql/src/experimental/Classes/NamingConventionsClasses.ql
index a1744f5d3e6..d4919c3ece8 100644
--- a/python/ql/src/experimental/Classes/NamingConventionsClasses.ql
+++ b/python/ql/src/experimental/Classes/NamingConventionsClasses.ql
@@ -3,15 +3,21 @@
  * @description A class name that begins with a lowercase letter decreases readability.
  * @kind problem
  * @problem.severity recommendation
- * @precision medium
- * @id python/misnamed-type
+ * @id py/misnamed-class
  * @tags maintainability
  */
 
 import python
 
-from Class c
+from Class c, string first_char
 where
   c.inSource() and
-  not c.getName().substring(0, 1).toUpperCase() = c.getName().substring(0, 1)
+  first_char = c.getName().prefix(1) and
+  not first_char = first_char.toUpperCase() and
+  not exists(Class c1, string first_char1 |
+    c1 != c and
+    c1.getLocation().getFile() = c.getLocation().getFile() and
+    first_char1 = c1.getName().prefix(1) and
+    not first_char1 = first_char1.toUpperCase()
+  )
 select c, "Class names should start in uppercase."
diff --git a/python/ql/src/experimental/Functions/NamingConventionsFunctions.qhelp b/python/ql/src/experimental/Functions/NamingConventionsFunctions.qhelp
index 15014045542..46d948592ff 100644
--- a/python/ql/src/experimental/Functions/NamingConventionsFunctions.qhelp
+++ b/python/ql/src/experimental/Functions/NamingConventionsFunctions.qhelp
@@ -22,7 +22,7 @@ Write the function name beginning with an lowercase letter. For example, <code>j
 
 <li>
   Guido van Rossum, Barry Warsaw, Nick Coghlan <em>PEP 8 -- Style Guide for Python Code<em>
-  <a href="https://www.python.org/dev/peps/pep-0008/#function-and-variable-names"</a>
+  <a href="https://www.python.org/dev/peps/pep-0008/#function-and-variable-names">Python Function and Variable Names</a>
 </li>
 
 </references>
diff --git a/python/ql/src/experimental/Functions/NamingConventionsFunctions.ql b/python/ql/src/experimental/Functions/NamingConventionsFunctions.ql
index 3ed619bc084..80dc0e99cd8 100644
--- a/python/ql/src/experimental/Functions/NamingConventionsFunctions.ql
+++ b/python/ql/src/experimental/Functions/NamingConventionsFunctions.ql
@@ -3,15 +3,21 @@
  * @description A function name that begins with an uppercase letter decreases readability.
  * @kind problem
  * @problem.severity recommendation
- * @precision medium
- * @id python/misnamed-function
+ * @id py/misnamed-function
  * @tags maintainability
  */
 
 import python
 
-from Function f
+from Function f, string first_char
 where
   f.inSource() and
-  not f.getName().substring(0, 1).toLowerCase() = f.getName().substring(0, 1)
+  first_char = f.getName().prefix(1) and
+  not first_char = first_char.toLowerCase() and
+  not exists(Function f1, string first_char1 |
+    f1 != f and
+    f1.getLocation().getFile() = f.getLocation().getFile() and
+    first_char1 = f1.getName().prefix(1) and
+    not first_char1 = first_char1.toLowerCase()
+  )
 select f, "Function names should start in lowercase."

From 8119fd2ad1e2d009991f9a12969ccd55054163c4 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Thu, 18 Feb 2021 18:11:10 +0800
Subject: [PATCH 0004/1429] *)add JsonHijacking ql query

---
 .../Security/CWE/CWE-352/JsonHijacking.java   | 119 ++++++++++++++++++
 .../Security/CWE/CWE-352/JsonHijacking.qhelp  |  35 ++++++
 .../src/Security/CWE/CWE-352/JsonHijacking.ql |  32 +++++
 .../Security/CWE/CWE-352/JsonHijackingLib.qll |  92 ++++++++++++++
 .../Security/CWE/CWE-352/JsonStringLib.qll    |  42 +++++++
 .../security/CWE-352/JsonHijacking.expected   |  48 +++++++
 .../security/CWE-352/JsonHijacking.java       | 119 ++++++++++++++++++
 .../security/CWE-352/JsonHijacking.qlref      |   1 +
 .../query-tests/security/CWE-352/options      |   1 +
 .../com/alibaba/fastjson/JSON.java            |   4 +
 .../stereotype/Controller.java                |  14 +++
 .../core/annotation/AliasFor.class            | Bin 0 -> 385 bytes
 .../core/annotation/AliasFor.java             |  10 ++
 .../web/bind/annotation/GetMapping.class      | Bin 0 -> 504 bytes
 .../web/bind/annotation/GetMapping.java       |  19 +++
 .../web/bind/annotation/RequestMapping.java   |  13 ++
 .../web/bind/annotation/ResponseBody.class    | Bin 0 -> 184 bytes
 .../web/bind/annotation/ResponseBody.java     |   4 +
 18 files changed, 553 insertions(+)
 create mode 100644 java/ql/src/Security/CWE/CWE-352/JsonHijacking.java
 create mode 100644 java/ql/src/Security/CWE/CWE-352/JsonHijacking.qhelp
 create mode 100644 java/ql/src/Security/CWE/CWE-352/JsonHijacking.ql
 create mode 100644 java/ql/src/Security/CWE/CWE-352/JsonHijackingLib.qll
 create mode 100644 java/ql/src/Security/CWE/CWE-352/JsonStringLib.qll
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.qlref
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/options
 create mode 100644 java/ql/test/stubs/spring-context-5.3.2/org/springframework/stereotype/Controller.java
 create mode 100644 java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/annotation/AliasFor.class
 create mode 100644 java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/annotation/AliasFor.java
 create mode 100644 java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/GetMapping.class
 create mode 100644 java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/GetMapping.java
 create mode 100644 java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMapping.java
 create mode 100644 java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/ResponseBody.class
 create mode 100644 java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/ResponseBody.java

diff --git a/java/ql/src/Security/CWE/CWE-352/JsonHijacking.java b/java/ql/src/Security/CWE/CWE-352/JsonHijacking.java
new file mode 100644
index 00000000000..d08d436fa07
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-352/JsonHijacking.java
@@ -0,0 +1,119 @@
+import com.alibaba.fastjson.JSONObject;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.gson.Gson;
+import java.io.PrintWriter;
+import java.util.HashMap;
+import java.util.Random;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+@Controller
+public class JsonHijacking {
+
+    private static HashMap hashMap = new HashMap();
+
+    static {
+        hashMap.put("username","admin");
+        hashMap.put("password","123456");
+    }
+
+
+    @GetMapping(value = "jsonp1")
+    @ResponseBody
+    public String bad1(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+        resultStr = jsonpCallback + "(" + result + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp2")
+    @ResponseBody
+    public String bad2(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+
+        resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")";
+
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp3")
+    @ResponseBody
+    public String bad3(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp4")
+    @ResponseBody
+    public String bad4(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp5")
+    @ResponseBody
+    public void bad5(HttpServletRequest request,
+            HttpServletResponse response) throws Exception {
+        response.setContentType("application/json");
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+
+        String resultStr = null;
+        pw = response.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+    }
+
+    @GetMapping(value = "jsonp6")
+    @ResponseBody
+    public void bad6(HttpServletRequest request,
+            HttpServletResponse response) throws Exception {
+        response.setContentType("application/json");
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        ObjectMapper mapper = new ObjectMapper();
+        String result = mapper.writeValueAsString(hashMap);
+        String resultStr = null;
+        pw = response.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+    }
+
+    @GetMapping(value = "jsonp7")
+    @ResponseBody
+    public String good(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+
+        String val = "";
+        Random random = new Random();
+        for (int i = 0; i < 10; i++) {
+            val += String.valueOf(random.nextInt(10));
+        }
+        // good
+        jsonpCallback = jsonpCallback + "_" + val;
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+    public static String getJsonStr(Object result) {
+        return JSONObject.toJSONString(result);
+    }
+}
\ No newline at end of file
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonHijacking.qhelp b/java/ql/src/Security/CWE/CWE-352/JsonHijacking.qhelp
new file mode 100644
index 00000000000..38e1845f992
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-352/JsonHijacking.qhelp
@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The software uses external input as the function name to wrap JSON data and return it to the client as a request response. When there is a cross-domain problem, 
+there is a problem of sensitive information leakage.</p>
+
+</overview>
+<recommendation>
+
+<p>The function name verification processing for external input can effectively prevent the leakage of sensitive information.</p>
+
+</recommendation>
+<example>
+
+<p>The following example shows the case of no verification processing and verification processing for the external input function name.</p>
+
+<sample src="JsonHijacking.java" />
+
+</example>
+<references>
+
+<li>
+OWASPLondon20161124_JSON_Hijacking_Gareth_Heyes: 
+<a href="https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20161124_JSON_Hijacking_Gareth_Heyes.pdf">JSON hijacking</a>.
+</li>
+<li>
+Practical JSONP Injection:
+<a href="https://securitycafe.ro/2017/01/18/practical-jsonp-injection">
+  Completely controllable from the URL (GET variable)
+</a>.
+</li>
+</references>
+</qhelp>
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonHijacking.ql b/java/ql/src/Security/CWE/CWE-352/JsonHijacking.ql
new file mode 100644
index 00000000000..a6a6d2475f0
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-352/JsonHijacking.ql
@@ -0,0 +1,32 @@
+/**
+ * @name JSON Hijacking
+ * @description User-controlled callback function names that are not verified are vulnerable
+ *              to json hijacking attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/Json-hijacking
+ * @tags security
+ *       external/cwe/cwe-352
+ */
+
+import java
+import JsonHijackingLib
+import semmle.code.java.dataflow.FlowSources
+import DataFlow::PathGraph
+
+/** Taint-tracking configuration tracing flow from remote sources to output jsonp data. */
+class JsonHijackingConfig extends TaintTracking::Configuration {
+  JsonHijackingConfig() { this = "JsonHijackingConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof JsonHijackingSink }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, JsonHijackingConfig conf
+where
+  conf.hasFlowPath(source, sink) and
+  exists(JsonHijackingFlowConfig jhfc | jhfc.hasFlowTo(sink.getNode()))
+select sink.getNode(), source, sink, "Json Hijacking query might include code from $@.",
+  source.getNode(), "this user input"
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonHijackingLib.qll b/java/ql/src/Security/CWE/CWE-352/JsonHijackingLib.qll
new file mode 100644
index 00000000000..ba91a6670bf
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-352/JsonHijackingLib.qll
@@ -0,0 +1,92 @@
+import java
+import DataFlow
+import JsonStringLib
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.frameworks.spring.SpringController
+
+/** A data flow sink for unvalidated user input that is used to jsonp. */
+abstract class JsonHijackingSink extends DataFlow::Node { }
+
+/** Use ```print```, ```println```, ```write``` to output result. */
+private class WriterPrintln extends JsonHijackingSink {
+  WriterPrintln() {
+    exists(MethodAccess ma |
+      ma.getMethod().getName().regexpMatch("print|println|write") and
+      ma.getMethod()
+          .getDeclaringType()
+          .getASourceSupertype*()
+          .hasQualifiedName("java.io", "PrintWriter") and
+      ma.getArgument(0) = this.asExpr()
+    )
+  }
+}
+
+/** Spring Request Method return result. */
+private class SpringReturn extends JsonHijackingSink {
+  SpringReturn() {
+    exists(ReturnStmt rs, Method m | m = rs.getEnclosingCallable() |
+      m instanceof SpringRequestMappingMethod and
+      rs.getResult() = this.asExpr()
+    )
+  }
+}
+
+/** A concatenate expression using `(` and `)` or `);`. */
+class JsonHijackingExpr extends AddExpr {
+  JsonHijackingExpr() {
+    getRightOperand().toString().regexpMatch("\"\\)\"|\"\\);\"") and
+    getLeftOperand()
+        .(AddExpr)
+        .getLeftOperand()
+        .(AddExpr)
+        .getRightOperand()
+        .toString()
+        .regexpMatch("\"\\(\"")
+  }
+
+  /** Get the jsonp function name of this expression */
+  Expr getFunctionName() {
+    result = getLeftOperand().(AddExpr).getLeftOperand().(AddExpr).getLeftOperand()
+  }
+
+  /** Get the json data of this expression */
+  Expr getJsonExpr() { result = getLeftOperand().(AddExpr).getRightOperand() }
+}
+
+/** A data flow configuration tracing flow from remote sources to jsonp function name. */
+class RemoteFlowConfig extends DataFlow2::Configuration {
+  RemoteFlowConfig() { this = "RemoteFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(JsonHijackingExpr jhe | jhe.getFunctionName() = sink.asExpr())
+  }
+}
+
+/** A data flow configuration tracing flow from json data to splicing jsonp data. */
+class JsonDataFlowConfig extends DataFlow2::Configuration {
+  JsonDataFlowConfig() { this = "JsonDataFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) { src instanceof JsonpStringSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(JsonHijackingExpr jhe | jhe.getJsonExpr() = sink.asExpr())
+  }
+}
+
+/** Taint-tracking configuration tracing flow from user-controllable function name jsonp data to output jsonp data. */
+class JsonHijackingFlowConfig extends TaintTracking::Configuration {
+  JsonHijackingFlowConfig() { this = "JsonHijackingFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) {
+    exists(JsonHijackingExpr jhe, JsonDataFlowConfig jdfc, RemoteFlowConfig rfc |
+      jhe = src.asExpr() and
+      jdfc.hasFlowTo(DataFlow::exprNode(jhe.getJsonExpr())) and
+      rfc.hasFlowTo(DataFlow::exprNode(jhe.getFunctionName()))
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof JsonHijackingSink }
+}
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonStringLib.qll b/java/ql/src/Security/CWE/CWE-352/JsonStringLib.qll
new file mode 100644
index 00000000000..0da8bc860d1
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-352/JsonStringLib.qll
@@ -0,0 +1,42 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.FlowSources
+import DataFlow::PathGraph
+
+/** Json string type data */
+abstract class JsonpStringSource extends DataFlow::Node { }
+
+/** Convert to String using Gson library. */
+private class GsonString extends JsonpStringSource {
+  GsonString() {
+    exists(MethodAccess ma, Method m | ma.getMethod() = m |
+      m.hasName("toJson") and
+      m.getDeclaringType().getASupertype*().hasQualifiedName("com.google.gson", "Gson") and
+      this.asExpr() = ma
+    )
+  }
+}
+
+/** Convert to String using Fastjson library. */
+private class FastjsonString extends JsonpStringSource {
+  FastjsonString() {
+    exists(MethodAccess ma, Method m | ma.getMethod() = m |
+      m.hasName("toJSONString") and
+      m.getDeclaringType().getASupertype*().hasQualifiedName("com.alibaba.fastjson", "JSON") and
+      this.asExpr() = ma
+    )
+  }
+}
+
+/** Convert to String using Jackson library. */
+private class JacksonString extends JsonpStringSource {
+  JacksonString() {
+    exists(MethodAccess ma, Method m | ma.getMethod() = m |
+      m.hasName("writeValueAsString") and
+      m.getDeclaringType()
+          .getASupertype*()
+          .hasQualifiedName("com.fasterxml.jackson.databind", "ObjectMapper") and
+      this.asExpr() = ma
+    )
+  }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.expected
new file mode 100644
index 00000000000..8efc3be1673
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.expected
@@ -0,0 +1,48 @@
+edges
+| JsonHijacking.java:28:32:28:68 | getParameter(...) : String | JsonHijacking.java:33:16:33:24 | resultStr |
+| JsonHijacking.java:32:21:32:54 | ... + ... : String | JsonHijacking.java:33:16:33:24 | resultStr |
+| JsonHijacking.java:40:32:40:68 | getParameter(...) : String | JsonHijacking.java:44:16:44:24 | resultStr |
+| JsonHijacking.java:42:21:42:80 | ... + ... : String | JsonHijacking.java:44:16:44:24 | resultStr |
+| JsonHijacking.java:51:32:51:68 | getParameter(...) : String | JsonHijacking.java:54:16:54:24 | resultStr |
+| JsonHijacking.java:53:21:53:55 | ... + ... : String | JsonHijacking.java:54:16:54:24 | resultStr |
+| JsonHijacking.java:61:32:61:68 | getParameter(...) : String | JsonHijacking.java:64:16:64:24 | resultStr |
+| JsonHijacking.java:63:21:63:54 | ... + ... : String | JsonHijacking.java:64:16:64:24 | resultStr |
+| JsonHijacking.java:72:32:72:68 | getParameter(...) : String | JsonHijacking.java:80:20:80:28 | resultStr |
+| JsonHijacking.java:79:21:79:54 | ... + ... : String | JsonHijacking.java:80:20:80:28 | resultStr |
+| JsonHijacking.java:88:32:88:68 | getParameter(...) : String | JsonHijacking.java:95:20:95:28 | resultStr |
+| JsonHijacking.java:94:21:94:54 | ... + ... : String | JsonHijacking.java:95:20:95:28 | resultStr |
+| JsonHijacking.java:102:32:102:68 | getParameter(...) : String | JsonHijacking.java:113:16:113:24 | resultStr |
+nodes
+| JsonHijacking.java:28:32:28:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonHijacking.java:32:21:32:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonHijacking.java:33:16:33:24 | resultStr | semmle.label | resultStr |
+| JsonHijacking.java:33:16:33:24 | resultStr | semmle.label | resultStr |
+| JsonHijacking.java:40:32:40:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonHijacking.java:42:21:42:80 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonHijacking.java:44:16:44:24 | resultStr | semmle.label | resultStr |
+| JsonHijacking.java:44:16:44:24 | resultStr | semmle.label | resultStr |
+| JsonHijacking.java:51:32:51:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonHijacking.java:53:21:53:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonHijacking.java:54:16:54:24 | resultStr | semmle.label | resultStr |
+| JsonHijacking.java:54:16:54:24 | resultStr | semmle.label | resultStr |
+| JsonHijacking.java:61:32:61:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonHijacking.java:63:21:63:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonHijacking.java:64:16:64:24 | resultStr | semmle.label | resultStr |
+| JsonHijacking.java:64:16:64:24 | resultStr | semmle.label | resultStr |
+| JsonHijacking.java:72:32:72:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonHijacking.java:79:21:79:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonHijacking.java:80:20:80:28 | resultStr | semmle.label | resultStr |
+| JsonHijacking.java:80:20:80:28 | resultStr | semmle.label | resultStr |
+| JsonHijacking.java:88:32:88:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonHijacking.java:94:21:94:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonHijacking.java:95:20:95:28 | resultStr | semmle.label | resultStr |
+| JsonHijacking.java:95:20:95:28 | resultStr | semmle.label | resultStr |
+| JsonHijacking.java:102:32:102:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonHijacking.java:113:16:113:24 | resultStr | semmle.label | resultStr |
+#select
+| JsonHijacking.java:33:16:33:24 | resultStr | JsonHijacking.java:28:32:28:68 | getParameter(...) : String | JsonHijacking.java:33:16:33:24 | resultStr | Json Hijacking query might include code from $@. | JsonHijacking.java:28:32:28:68 | getParameter(...) | this user input |
+| JsonHijacking.java:44:16:44:24 | resultStr | JsonHijacking.java:40:32:40:68 | getParameter(...) : String | JsonHijacking.java:44:16:44:24 | resultStr | Json Hijacking query might include code from $@. | JsonHijacking.java:40:32:40:68 | getParameter(...) | this user input |
+| JsonHijacking.java:54:16:54:24 | resultStr | JsonHijacking.java:51:32:51:68 | getParameter(...) : String | JsonHijacking.java:54:16:54:24 | resultStr | Json Hijacking query might include code from $@. | JsonHijacking.java:51:32:51:68 | getParameter(...) | this user input |
+| JsonHijacking.java:64:16:64:24 | resultStr | JsonHijacking.java:61:32:61:68 | getParameter(...) : String | JsonHijacking.java:64:16:64:24 | resultStr | Json Hijacking query might include code from $@. | JsonHijacking.java:61:32:61:68 | getParameter(...) | this user input |
+| JsonHijacking.java:80:20:80:28 | resultStr | JsonHijacking.java:72:32:72:68 | getParameter(...) : String | JsonHijacking.java:80:20:80:28 | resultStr | Json Hijacking query might include code from $@. | JsonHijacking.java:72:32:72:68 | getParameter(...) | this user input |
+| JsonHijacking.java:95:20:95:28 | resultStr | JsonHijacking.java:88:32:88:68 | getParameter(...) : String | JsonHijacking.java:95:20:95:28 | resultStr | Json Hijacking query might include code from $@. | JsonHijacking.java:88:32:88:68 | getParameter(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.java
new file mode 100644
index 00000000000..9b473e0610c
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.java
@@ -0,0 +1,119 @@
+import com.alibaba.fastjson.JSONObject;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.gson.Gson;
+import java.io.PrintWriter;
+import java.util.HashMap;
+import java.util.Random;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+@Controller
+public class JsonHijacking {
+
+    private static HashMap hashMap = new HashMap();
+
+    static {
+        hashMap.put("username","admin");
+        hashMap.put("password","123456");
+    }
+
+
+    @GetMapping(value = "jsonp1")
+    @ResponseBody
+    public String bad1(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+        resultStr = jsonpCallback + "(" + result + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp2")
+    @ResponseBody
+    public String bad2(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+
+        resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")";
+
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp3")
+    @ResponseBody
+    public String bad3(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp4")
+    @ResponseBody
+    public String bad4(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp5")
+    @ResponseBody
+    public void bad5(HttpServletRequest request,
+            HttpServletResponse response) throws Exception {
+        response.setContentType("application/json");
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+
+        String resultStr = null;
+        pw = response.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+    }
+
+    @GetMapping(value = "jsonp6")
+    @ResponseBody
+    public void bad6(HttpServletRequest request,
+            HttpServletResponse response) throws Exception {
+        response.setContentType("application/json");
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        ObjectMapper mapper = new ObjectMapper();
+        String result = mapper.writeValueAsString(hashMap);
+        String resultStr = null;
+        pw = response.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+    }
+
+    @GetMapping(value = "jsonp7")
+    @ResponseBody
+    public String good(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+
+        String val = "";
+        Random random = new Random();
+        for (int i = 0; i < 10; i++) {
+            val += String.valueOf(random.nextInt(10));
+        }
+        // good
+        jsonpCallback = jsonpCallback + "_" + val;
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+    public static String getJsonStr(Object result) {
+        return JSONObject.toJSONString(result);
+    }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.qlref b/java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.qlref
new file mode 100644
index 00000000000..e79471b3c1e
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-352/JsonHijacking.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/options b/java/ql/test/experimental/query-tests/security/CWE-352/options
new file mode 100644
index 00000000000..3676b8e38b6
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../stubs/gson-2.8.6/:${testdir}/../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../stubs/springframework-5.2.3/:${testdir}/../../../../stubs/spring-context-5.3.2/:${testdir}/../../../../stubs/spring-web-5.3.2/:${testdir}/../../../../stubs/spring-core-5.3.2/
diff --git a/java/ql/test/stubs/fastjson-1.2.74/com/alibaba/fastjson/JSON.java b/java/ql/test/stubs/fastjson-1.2.74/com/alibaba/fastjson/JSON.java
index b71e890e9b7..99e2873d375 100644
--- a/java/ql/test/stubs/fastjson-1.2.74/com/alibaba/fastjson/JSON.java
+++ b/java/ql/test/stubs/fastjson-1.2.74/com/alibaba/fastjson/JSON.java
@@ -26,6 +26,10 @@ import com.alibaba.fastjson.parser.*;
 import com.alibaba.fastjson.parser.deserializer.ParseProcess;
 
 public abstract class JSON {
+    public static String toJSONString(Object object) {
+        return null;
+    }
+
     public static Object parse(String text) {
         return null;
     }
diff --git a/java/ql/test/stubs/spring-context-5.3.2/org/springframework/stereotype/Controller.java b/java/ql/test/stubs/spring-context-5.3.2/org/springframework/stereotype/Controller.java
new file mode 100644
index 00000000000..9b1751fa2ae
--- /dev/null
+++ b/java/ql/test/stubs/spring-context-5.3.2/org/springframework/stereotype/Controller.java
@@ -0,0 +1,14 @@
+package org.springframework.stereotype;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target({ElementType.TYPE})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface Controller {
+    String value() default "";
+}
diff --git a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/annotation/AliasFor.class b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/annotation/AliasFor.class
new file mode 100644
index 0000000000000000000000000000000000000000..438065489278b92503abc2ad8d75716c5e56ac08
GIT binary patch
literal 385
zcmb7=!Ab)$5QhJ0x31k<t>DdrH&Kx0=)qG#3PM4!PcXZrOKO@(l3m};gAd?CiL-}x
zJqaEL=Fj~6^G&|KKRyB6W0qr@<21(^Vbrp1G~wdrcD3b}m1S3}bqdDS4}|lDb3So0
z-aYCKH#QMKxO{0`GCTd`S`$rab#IG=`O1e{#kVeF6L_cJeRx%s4_fgdPA#nAxb#7`
zj5*1|vPl9`tbG$Iy);(DbZ?q>Y=pc21QTZcMbG6{R|0?4KmBGoU|o}(H;@|2R}C^k
ghLPwaQNxHF$I?t>JeJBL3UL&FIx;a%x-6Xh0OC_*bpQYW

literal 0
HcmV?d00001

diff --git a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/annotation/AliasFor.java b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/annotation/AliasFor.java
new file mode 100644
index 00000000000..3a823fade5b
--- /dev/null
+++ b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/annotation/AliasFor.java
@@ -0,0 +1,10 @@
+package org.springframework.core.annotation;
+
+public @interface AliasFor {
+    @AliasFor("attribute")
+    String value() default "";
+
+    @AliasFor("value")
+    String attribute() default "";
+
+}
diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/GetMapping.class b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/GetMapping.class
new file mode 100644
index 0000000000000000000000000000000000000000..5392ca0ebc1593d6bfa2f7d765ee4ca169fb260f
GIT binary patch
literal 504
zcma)&y-ve06orr5G%4k$Ewlp@8)_FUu~3N#3Bgi?)JiO!oYW02i5(KVeK!UkfQLfd
z3?&dTFj%_xlg>TI=i~G39l#Za0geNl1Q;-QTBMR;Fd9$SVk3AWbj;^AS316C=-+5<
ztgy=HTe%W0u?%2nZA9WoH5`o>f62T|*k=Ym6S+tWhIV9h;Zj+SS#FjtD#y;;xIB_~
zDxp)|dubm;mXYs88HC|<=CoC*d{Tu96Imr8>11m1m={?Yb44C<Yw{Pql_3w6UUKoB
zn$P5`lf~{ded+SQ$|?{;uj=M8T+4`RIIGYPyDH^5qoNx0n$)@PQPXJA=F`?J5D;i%
gZwD3tfleLl*TF#@9R332cSQFa=%QD;()m8{1xN6E{{R30

literal 0
HcmV?d00001

diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/GetMapping.java b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/GetMapping.java
new file mode 100644
index 00000000000..1190be7b879
--- /dev/null
+++ b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/GetMapping.java
@@ -0,0 +1,19 @@
+package org.springframework.web.bind.annotation;
+
+import org.springframework.core.annotation.AliasFor;
+
+@RequestMapping
+public @interface GetMapping {
+   
+    String name() default "";
+
+    String[] value() default {};
+
+    String[] path() default {};
+
+    String[] params() default {};
+
+    String[] consumes() default {};
+
+    String[] produces() default {};
+}
diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMapping.java b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMapping.java
new file mode 100644
index 00000000000..3415800b927
--- /dev/null
+++ b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMapping.java
@@ -0,0 +1,13 @@
+package org.springframework.web.bind.annotation;
+
+import org.springframework.core.annotation.AliasFor;
+
+public @interface RequestMapping {
+    String name() default "";
+
+    @AliasFor("path")
+    String[] value() default {};
+
+    @AliasFor("value")
+    String[] path() default {};
+}
diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/ResponseBody.class b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/ResponseBody.class
new file mode 100644
index 0000000000000000000000000000000000000000..5e08f3e6a0acd663e6130e304a4d1251a31188fb
GIT binary patch
literal 184
zcmX^0Z`VEs1_pBmPId-1b_RBK1`b9BuHgLAqU2P!%$!t42Em}z;)49V;#8;nluEs<
z#Ii(229x}vbp7IjqRhPXw4%h^)bjkIZ2j`oB>kk!ycGS!yuAF9#FEVXJbh%nj0^%G
u-TFC+dFlH8Nm;4MC5#O62q7eGj&Kvy7#SEDn1GlW=t>44%>pEu7+3+XjWw+R

literal 0
HcmV?d00001

diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/ResponseBody.java b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/ResponseBody.java
new file mode 100644
index 00000000000..b2134009968
--- /dev/null
+++ b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/ResponseBody.java
@@ -0,0 +1,4 @@
+package org.springframework.web.bind.annotation;
+
+public @interface ResponseBody {
+}

From 872a000a33e1b0d6fb2efeb926c7ed9e18725bd5 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Wed, 24 Feb 2021 20:36:12 +0800
Subject: [PATCH 0005/1429] *)update to JSONP injection

---
 .../Security/CWE/CWE-352/JsonpInjection.java  | 170 +++++++++++++++++
 .../Security/CWE/CWE-352/JsonpInjection.qhelp |  35 ++++
 .../Security/CWE/CWE-352/JsonpInjection.ql    |  55 ++++++
 .../CWE/CWE-352/JsonpInjectionLib.qll         |  92 ++++++++++
 .../security/CWE-352/JsonpInjection.expected  |  60 ++++++
 .../security/CWE-352/JsonpInjection.java      | 171 ++++++++++++++++++
 .../security/CWE-352/JsonpInjection.qlref     |   1 +
 7 files changed, 584 insertions(+)
 create mode 100644 java/ql/src/Security/CWE/CWE-352/JsonpInjection.java
 create mode 100644 java/ql/src/Security/CWE/CWE-352/JsonpInjection.qhelp
 create mode 100644 java/ql/src/Security/CWE/CWE-352/JsonpInjection.ql
 create mode 100644 java/ql/src/Security/CWE/CWE-352/JsonpInjectionLib.qll
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.qlref

diff --git a/java/ql/src/Security/CWE/CWE-352/JsonpInjection.java b/java/ql/src/Security/CWE/CWE-352/JsonpInjection.java
new file mode 100644
index 00000000000..8b4e7cc005e
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-352/JsonpInjection.java
@@ -0,0 +1,170 @@
+import com.alibaba.fastjson.JSONObject;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.gson.Gson;
+import java.io.PrintWriter;
+import java.util.HashMap;
+import java.util.Random;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+@Controller
+public class JsonpInjection {
+private static HashMap hashMap = new HashMap();
+
+    static {
+        hashMap.put("username","admin");
+        hashMap.put("password","123456");
+    }
+
+
+    @GetMapping(value = "jsonp1")
+    @ResponseBody
+    public String bad1(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+        resultStr = jsonpCallback + "(" + result + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp2")
+    @ResponseBody
+    public String bad2(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+
+        resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")";
+
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp3")
+    @ResponseBody
+    public String bad3(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp4")
+    @ResponseBody
+    public String bad4(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp5")
+    @ResponseBody
+    public void bad5(HttpServletRequest request,
+            HttpServletResponse response) throws Exception {
+        response.setContentType("application/json");
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+
+        String resultStr = null;
+        pw = response.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+    }
+
+    @GetMapping(value = "jsonp6")
+    @ResponseBody
+    public void bad6(HttpServletRequest request,
+            HttpServletResponse response) throws Exception {
+        response.setContentType("application/json");
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        ObjectMapper mapper = new ObjectMapper();
+        String result = mapper.writeValueAsString(hashMap);
+        String resultStr = null;
+        pw = response.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+    }
+
+    @GetMapping(value = "jsonp7")
+    @ResponseBody
+    public String good(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+
+        String val = "";
+        Random random = new Random();
+        for (int i = 0; i < 10; i++) {
+            val += String.valueOf(random.nextInt(10));
+        }
+        // good
+        jsonpCallback = jsonpCallback + "_" + val;
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp8")
+    @ResponseBody
+    public String good1(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+
+        String token = request.getParameter("token");
+
+        // good
+        if (verifToken(token)){
+            System.out.println(token);
+            String jsonStr = getJsonStr(hashMap);
+            resultStr = jsonpCallback + "(" + jsonStr + ")";
+            return resultStr;
+        }
+
+        return "error";
+    }
+
+    @GetMapping(value = "jsonp9")
+    @ResponseBody
+    public String good2(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+
+        String referer = request.getHeader("Referer");
+
+        boolean result = verifReferer(referer);
+        // good
+        if (result){
+            String jsonStr = getJsonStr(hashMap);
+            resultStr = jsonpCallback + "(" + jsonStr + ")";
+            return resultStr;
+        }
+
+        return "error";
+    }
+
+    public static String getJsonStr(Object result) {
+        return JSONObject.toJSONString(result);
+    }
+
+    public static boolean verifToken(String token){
+        if (token != "xxxx"){
+            return false;
+        }
+        return true;
+    }
+
+    public static boolean verifReferer(String referer){
+        if (!referer.startsWith("http://test.com/")){
+            return false;
+        }
+        return true;
+    }
+}
\ No newline at end of file
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonpInjection.qhelp b/java/ql/src/Security/CWE/CWE-352/JsonpInjection.qhelp
new file mode 100644
index 00000000000..b063b409d3a
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-352/JsonpInjection.qhelp
@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The software uses external input as the function name to wrap JSON data and return it to the client as a request response. When there is a cross-domain problem, 
+there is a problem of sensitive information leakage.</p>
+
+</overview>
+<recommendation>
+
+<p>Adding `Referer` or random `token` verification processing can effectively prevent the leakage of sensitive information.</p>
+
+</recommendation>
+<example>
+
+<p>The following example shows the case of no verification processing and verification processing for the external input function name.</p>
+
+<sample src="JsonHijacking.java" />
+
+</example>
+<references>
+
+<li>
+OWASPLondon20161124_JSON_Hijacking_Gareth_Heyes: 
+<a href="https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20161124_JSON_Hijacking_Gareth_Heyes.pdf">JSON hijacking</a>.
+</li>
+<li>
+Practical JSONP Injection:
+<a href="https://securitycafe.ro/2017/01/18/practical-jsonp-injection">
+  Completely controllable from the URL (GET variable)
+</a>.
+</li>
+</references>
+</qhelp>
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/Security/CWE/CWE-352/JsonpInjection.ql
new file mode 100644
index 00000000000..e7ca2d41e34
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-352/JsonpInjection.ql
@@ -0,0 +1,55 @@
+/**
+ * @name JSON Hijacking
+ * @description User-controlled callback function names that are not verified are vulnerable
+ *              to json hijacking attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/Json-hijacking
+ * @tags security
+ *       external/cwe/cwe-352
+ */
+
+import java
+import JsonpInjectionLib
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.deadcode.WebEntryPoints
+import DataFlow::PathGraph
+
+class VerifAuth extends DataFlow::BarrierGuard {
+  VerifAuth() {
+    exists(MethodAccess ma, Node prod, Node succ |
+      this = ma and
+      ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer).*") and
+      prod instanceof RemoteFlowSource and
+      succ.asExpr() = ma.getAnArgument() and
+      ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer).*") and
+      localFlowStep*(prod, succ)
+    )
+  }
+
+  override predicate checks(Expr e, boolean branch) {
+    exists(ReturnStmt rs |
+      e = rs.getResult() and
+      branch = true
+    )
+  }
+}
+
+/** Taint-tracking configuration tracing flow from remote sources to output jsonp data. */
+class JsonpInjectionConfig extends TaintTracking::Configuration {
+  JsonpInjectionConfig() { this = "JsonpInjectionConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof JsonpInjectionSink }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { guard instanceof VerifAuth }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, JsonpInjectionConfig conf
+where
+  conf.hasFlowPath(source, sink) and
+  exists(JsonpInjectionFlowConfig jhfc | jhfc.hasFlowTo(sink.getNode()))
+select sink.getNode(), source, sink, "Json Hijacking query might include code from $@.",
+  source.getNode(), "this user input"
\ No newline at end of file
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/Security/CWE/CWE-352/JsonpInjectionLib.qll
new file mode 100644
index 00000000000..4294a5e8c8f
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -0,0 +1,92 @@
+import java
+import DataFlow
+import JsonStringLib
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.frameworks.spring.SpringController
+
+/** A data flow sink for unvalidated user input that is used to jsonp. */
+abstract class JsonpInjectionSink extends DataFlow::Node { }
+
+/** Use ```print```, ```println```, ```write``` to output result. */
+private class WriterPrintln extends JsonpInjectionSink {
+  WriterPrintln() {
+    exists(MethodAccess ma |
+      ma.getMethod().getName().regexpMatch("print|println|write") and
+      ma.getMethod()
+          .getDeclaringType()
+          .getASourceSupertype*()
+          .hasQualifiedName("java.io", "PrintWriter") and
+      ma.getArgument(0) = this.asExpr()
+    )
+  }
+}
+
+/** Spring Request Method return result. */
+private class SpringReturn extends JsonpInjectionSink {
+  SpringReturn() {
+    exists(ReturnStmt rs, Method m | m = rs.getEnclosingCallable() |
+      m instanceof SpringRequestMappingMethod and
+      rs.getResult() = this.asExpr()
+    )
+  }
+}
+
+/** A concatenate expression using `(` and `)` or `);`. */
+class JsonpInjectionExpr extends AddExpr {
+  JsonpInjectionExpr() {
+    getRightOperand().toString().regexpMatch("\"\\)\"|\"\\);\"") and
+    getLeftOperand()
+        .(AddExpr)
+        .getLeftOperand()
+        .(AddExpr)
+        .getRightOperand()
+        .toString()
+        .regexpMatch("\"\\(\"")
+  }
+
+  /** Get the jsonp function name of this expression */
+  Expr getFunctionName() {
+    result = getLeftOperand().(AddExpr).getLeftOperand().(AddExpr).getLeftOperand()
+  }
+
+  /** Get the json data of this expression */
+  Expr getJsonExpr() { result = getLeftOperand().(AddExpr).getRightOperand() }
+}
+
+/** A data flow configuration tracing flow from remote sources to jsonp function name. */
+class RemoteFlowConfig extends DataFlow2::Configuration {
+  RemoteFlowConfig() { this = "RemoteFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(JsonpInjectionExpr jhe | jhe.getFunctionName() = sink.asExpr())
+  }
+}
+
+/** A data flow configuration tracing flow from json data to splicing jsonp data. */
+class JsonDataFlowConfig extends DataFlow2::Configuration {
+  JsonDataFlowConfig() { this = "JsonDataFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) { src instanceof JsonpStringSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(JsonpInjectionExpr jhe | jhe.getJsonExpr() = sink.asExpr())
+  }
+}
+
+/** Taint-tracking configuration tracing flow from user-controllable function name jsonp data to output jsonp data. */
+class JsonpInjectionFlowConfig extends DataFlow::Configuration {
+  JsonpInjectionFlowConfig() { this = "JsonpInjectionFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) {
+    exists(JsonpInjectionExpr jhe, JsonDataFlowConfig jdfc, RemoteFlowConfig rfc |
+      jhe = src.asExpr() and
+      jdfc.hasFlowTo(DataFlow::exprNode(jhe.getJsonExpr())) and
+      rfc.hasFlowTo(DataFlow::exprNode(jhe.getFunctionName()))
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof JsonpInjectionSink }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected
new file mode 100644
index 00000000000..019af8f5c05
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected
@@ -0,0 +1,60 @@
+edges
+| JsonpInjection.java:28:32:28:68 | getParameter(...) : String | JsonpInjection.java:33:16:33:24 | resultStr |
+| JsonpInjection.java:32:21:32:54 | ... + ... : String | JsonpInjection.java:33:16:33:24 | resultStr |
+| JsonpInjection.java:40:32:40:68 | getParameter(...) : String | JsonpInjection.java:44:16:44:24 | resultStr |
+| JsonpInjection.java:42:21:42:80 | ... + ... : String | JsonpInjection.java:44:16:44:24 | resultStr |
+| JsonpInjection.java:51:32:51:68 | getParameter(...) : String | JsonpInjection.java:54:16:54:24 | resultStr |
+| JsonpInjection.java:53:21:53:55 | ... + ... : String | JsonpInjection.java:54:16:54:24 | resultStr |
+| JsonpInjection.java:61:32:61:68 | getParameter(...) : String | JsonpInjection.java:64:16:64:24 | resultStr |
+| JsonpInjection.java:63:21:63:54 | ... + ... : String | JsonpInjection.java:64:16:64:24 | resultStr |
+| JsonpInjection.java:72:32:72:68 | getParameter(...) : String | JsonpInjection.java:80:20:80:28 | resultStr |
+| JsonpInjection.java:79:21:79:54 | ... + ... : String | JsonpInjection.java:80:20:80:28 | resultStr |
+| JsonpInjection.java:88:32:88:68 | getParameter(...) : String | JsonpInjection.java:95:20:95:28 | resultStr |
+| JsonpInjection.java:94:21:94:54 | ... + ... : String | JsonpInjection.java:95:20:95:28 | resultStr |
+| JsonpInjection.java:102:32:102:68 | getParameter(...) : String | JsonpInjection.java:113:16:113:24 | resultStr |
+| JsonpInjection.java:128:25:128:59 | ... + ... : String | JsonpInjection.java:129:20:129:28 | resultStr |
+| JsonpInjection.java:147:25:147:59 | ... + ... : String | JsonpInjection.java:148:20:148:28 | resultStr |
+nodes
+| JsonpInjection.java:28:32:28:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjection.java:32:21:32:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:33:16:33:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:33:16:33:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:40:32:40:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjection.java:42:21:42:80 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:44:16:44:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:44:16:44:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:51:32:51:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjection.java:53:21:53:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:54:16:54:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:54:16:54:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:61:32:61:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjection.java:63:21:63:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:64:16:64:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:64:16:64:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:72:32:72:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjection.java:79:21:79:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:80:20:80:28 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:80:20:80:28 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:88:32:88:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjection.java:94:21:94:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:95:20:95:28 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:95:20:95:28 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:102:32:102:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjection.java:113:16:113:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:128:25:128:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:129:20:129:28 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:147:25:147:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:148:20:148:28 | resultStr | semmle.label | resultStr |
+#select
+| JsonpInjection.java:33:16:33:24 | resultStr | JsonpInjection.java:28:32:28:68 | getParameter(...) : String | JsonpInjection.java:33:16:33:24 | resultStr | Json Hijacking query 
+might include code from $@. | JsonpInjection.java:28:32:28:68 | getParameter(...) | this user input |
+| JsonpInjection.java:44:16:44:24 | resultStr | JsonpInjection.java:40:32:40:68 | getParameter(...) : String | JsonpInjection.java:44:16:44:24 | resultStr | Json Hijacking query 
+might include code from $@. | JsonpInjection.java:40:32:40:68 | getParameter(...) | this user input |
+| JsonpInjection.java:54:16:54:24 | resultStr | JsonpInjection.java:51:32:51:68 | getParameter(...) : String | JsonpInjection.java:54:16:54:24 | resultStr | Json Hijacking query 
+might include code from $@. | JsonpInjection.java:51:32:51:68 | getParameter(...) | this user input |
+| JsonpInjection.java:64:16:64:24 | resultStr | JsonpInjection.java:61:32:61:68 | getParameter(...) : String | JsonpInjection.java:64:16:64:24 | resultStr | Json Hijacking query 
+might include code from $@. | JsonpInjection.java:61:32:61:68 | getParameter(...) | this user input |
+| JsonpInjection.java:80:20:80:28 | resultStr | JsonpInjection.java:72:32:72:68 | getParameter(...) : String | JsonpInjection.java:80:20:80:28 | resultStr | Json Hijacking query 
+might include code from $@. | JsonpInjection.java:72:32:72:68 | getParameter(...) | this user input |
+| JsonpInjection.java:95:20:95:28 | resultStr | JsonpInjection.java:88:32:88:68 | getParameter(...) : String | JsonpInjection.java:95:20:95:28 | resultStr | Json Hijacking query 
+might include code from $@. | JsonpInjection.java:88:32:88:68 | getParameter(...) | this user input |
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.java
new file mode 100644
index 00000000000..df3aa2c02fe
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.java
@@ -0,0 +1,171 @@
+import com.alibaba.fastjson.JSONObject;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.gson.Gson;
+import java.io.PrintWriter;
+import java.util.HashMap;
+import java.util.Random;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+@Controller
+public class JsonpInjection {
+    
+    private static HashMap hashMap = new HashMap();
+
+    static {
+        hashMap.put("username","admin");
+        hashMap.put("password","123456");
+    }
+
+
+    @GetMapping(value = "jsonp1")
+    @ResponseBody
+    public String bad1(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+        resultStr = jsonpCallback + "(" + result + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp2")
+    @ResponseBody
+    public String bad2(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+
+        resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")";
+
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp3")
+    @ResponseBody
+    public String bad3(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp4")
+    @ResponseBody
+    public String bad4(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp5")
+    @ResponseBody
+    public void bad5(HttpServletRequest request,
+            HttpServletResponse response) throws Exception {
+        response.setContentType("application/json");
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+
+        String resultStr = null;
+        pw = response.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+    }
+
+    @GetMapping(value = "jsonp6")
+    @ResponseBody
+    public void bad6(HttpServletRequest request,
+            HttpServletResponse response) throws Exception {
+        response.setContentType("application/json");
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        ObjectMapper mapper = new ObjectMapper();
+        String result = mapper.writeValueAsString(hashMap);
+        String resultStr = null;
+        pw = response.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+    }
+
+    @GetMapping(value = "jsonp7")
+    @ResponseBody
+    public String good(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+
+        String val = "";
+        Random random = new Random();
+        for (int i = 0; i < 10; i++) {
+            val += String.valueOf(random.nextInt(10));
+        }
+        // good
+        jsonpCallback = jsonpCallback + "_" + val;
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp8")
+    @ResponseBody
+    public String good1(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+
+        String token = request.getParameter("token");
+
+        // good
+        if (verifToken(token)){
+            System.out.println(token);
+            String jsonStr = getJsonStr(hashMap);
+            resultStr = jsonpCallback + "(" + jsonStr + ")";
+            return resultStr;
+        }
+
+        return "error";
+    }
+
+    @GetMapping(value = "jsonp9")
+    @ResponseBody
+    public String good2(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+
+        String referer = request.getHeader("Referer");
+
+        boolean result = verifReferer(referer);
+        // good
+        if (result){
+            String jsonStr = getJsonStr(hashMap);
+            resultStr = jsonpCallback + "(" + jsonStr + ")";
+            return resultStr;
+        }
+
+        return "error";
+    }
+
+    public static String getJsonStr(Object result) {
+        return JSONObject.toJSONString(result);
+    }
+
+    public static boolean verifToken(String token){
+        if (token != "xxxx"){
+            return false;
+        }
+        return true;
+    }
+
+    public static boolean verifReferer(String referer){
+        if (!referer.startsWith("http://test.com/")){
+            return false;
+        }
+        return true;
+    }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.qlref
new file mode 100644
index 00000000000..6ad4b8acda7
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-352/JsonpInjection.ql

From 6fe8bafc7d35f77d5db38d0802b192b6abb45dd1 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Wed, 24 Feb 2021 20:59:51 +0800
Subject: [PATCH 0006/1429] *)update

---
 .../Security/CWE/CWE-352/JsonHijacking.java   | 119 ------------------
 .../Security/CWE/CWE-352/JsonHijacking.qhelp  |  35 ------
 .../src/Security/CWE/CWE-352/JsonHijacking.ql |  32 -----
 .../Security/CWE/CWE-352/JsonHijackingLib.qll |  92 --------------
 .../security/CWE-352/JsonHijacking.expected   |  48 -------
 .../security/CWE-352/JsonHijacking.java       | 119 ------------------
 .../security/CWE-352/JsonHijacking.qlref      |   1 -
 7 files changed, 446 deletions(-)
 delete mode 100644 java/ql/src/Security/CWE/CWE-352/JsonHijacking.java
 delete mode 100644 java/ql/src/Security/CWE/CWE-352/JsonHijacking.qhelp
 delete mode 100644 java/ql/src/Security/CWE/CWE-352/JsonHijacking.ql
 delete mode 100644 java/ql/src/Security/CWE/CWE-352/JsonHijackingLib.qll
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.expected
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.java
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.qlref

diff --git a/java/ql/src/Security/CWE/CWE-352/JsonHijacking.java b/java/ql/src/Security/CWE/CWE-352/JsonHijacking.java
deleted file mode 100644
index d08d436fa07..00000000000
--- a/java/ql/src/Security/CWE/CWE-352/JsonHijacking.java
+++ /dev/null
@@ -1,119 +0,0 @@
-import com.alibaba.fastjson.JSONObject;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.gson.Gson;
-import java.io.PrintWriter;
-import java.util.HashMap;
-import java.util.Random;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-@Controller
-public class JsonHijacking {
-
-    private static HashMap hashMap = new HashMap();
-
-    static {
-        hashMap.put("username","admin");
-        hashMap.put("password","123456");
-    }
-
-
-    @GetMapping(value = "jsonp1")
-    @ResponseBody
-    public String bad1(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-
-        Gson gson = new Gson();
-        String result = gson.toJson(hashMap);
-        resultStr = jsonpCallback + "(" + result + ")";
-        return resultStr;
-    }
-
-    @GetMapping(value = "jsonp2")
-    @ResponseBody
-    public String bad2(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-
-        resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")";
-
-        return resultStr;
-    }
-
-    @GetMapping(value = "jsonp3")
-    @ResponseBody
-    public String bad3(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
-        return resultStr;
-    }
-
-    @GetMapping(value = "jsonp4")
-    @ResponseBody
-    public String bad4(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String restr = JSONObject.toJSONString(hashMap);
-        resultStr = jsonpCallback + "(" + restr + ");";
-        return resultStr;
-    }
-
-    @GetMapping(value = "jsonp5")
-    @ResponseBody
-    public void bad5(HttpServletRequest request,
-            HttpServletResponse response) throws Exception {
-        response.setContentType("application/json");
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        PrintWriter pw = null;
-        Gson gson = new Gson();
-        String result = gson.toJson(hashMap);
-
-        String resultStr = null;
-        pw = response.getWriter();
-        resultStr = jsonpCallback + "(" + result + ")";
-        pw.println(resultStr);
-    }
-
-    @GetMapping(value = "jsonp6")
-    @ResponseBody
-    public void bad6(HttpServletRequest request,
-            HttpServletResponse response) throws Exception {
-        response.setContentType("application/json");
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        PrintWriter pw = null;
-        ObjectMapper mapper = new ObjectMapper();
-        String result = mapper.writeValueAsString(hashMap);
-        String resultStr = null;
-        pw = response.getWriter();
-        resultStr = jsonpCallback + "(" + result + ")";
-        pw.println(resultStr);
-    }
-
-    @GetMapping(value = "jsonp7")
-    @ResponseBody
-    public String good(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-
-        String val = "";
-        Random random = new Random();
-        for (int i = 0; i < 10; i++) {
-            val += String.valueOf(random.nextInt(10));
-        }
-        // good
-        jsonpCallback = jsonpCallback + "_" + val;
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
-        return resultStr;
-    }
-
-    public static String getJsonStr(Object result) {
-        return JSONObject.toJSONString(result);
-    }
-}
\ No newline at end of file
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonHijacking.qhelp b/java/ql/src/Security/CWE/CWE-352/JsonHijacking.qhelp
deleted file mode 100644
index 38e1845f992..00000000000
--- a/java/ql/src/Security/CWE/CWE-352/JsonHijacking.qhelp
+++ /dev/null
@@ -1,35 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-<p>The software uses external input as the function name to wrap JSON data and return it to the client as a request response. When there is a cross-domain problem, 
-there is a problem of sensitive information leakage.</p>
-
-</overview>
-<recommendation>
-
-<p>The function name verification processing for external input can effectively prevent the leakage of sensitive information.</p>
-
-</recommendation>
-<example>
-
-<p>The following example shows the case of no verification processing and verification processing for the external input function name.</p>
-
-<sample src="JsonHijacking.java" />
-
-</example>
-<references>
-
-<li>
-OWASPLondon20161124_JSON_Hijacking_Gareth_Heyes: 
-<a href="https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20161124_JSON_Hijacking_Gareth_Heyes.pdf">JSON hijacking</a>.
-</li>
-<li>
-Practical JSONP Injection:
-<a href="https://securitycafe.ro/2017/01/18/practical-jsonp-injection">
-  Completely controllable from the URL (GET variable)
-</a>.
-</li>
-</references>
-</qhelp>
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonHijacking.ql b/java/ql/src/Security/CWE/CWE-352/JsonHijacking.ql
deleted file mode 100644
index a6a6d2475f0..00000000000
--- a/java/ql/src/Security/CWE/CWE-352/JsonHijacking.ql
+++ /dev/null
@@ -1,32 +0,0 @@
-/**
- * @name JSON Hijacking
- * @description User-controlled callback function names that are not verified are vulnerable
- *              to json hijacking attacks.
- * @kind path-problem
- * @problem.severity error
- * @precision high
- * @id java/Json-hijacking
- * @tags security
- *       external/cwe/cwe-352
- */
-
-import java
-import JsonHijackingLib
-import semmle.code.java.dataflow.FlowSources
-import DataFlow::PathGraph
-
-/** Taint-tracking configuration tracing flow from remote sources to output jsonp data. */
-class JsonHijackingConfig extends TaintTracking::Configuration {
-  JsonHijackingConfig() { this = "JsonHijackingConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof JsonHijackingSink }
-}
-
-from DataFlow::PathNode source, DataFlow::PathNode sink, JsonHijackingConfig conf
-where
-  conf.hasFlowPath(source, sink) and
-  exists(JsonHijackingFlowConfig jhfc | jhfc.hasFlowTo(sink.getNode()))
-select sink.getNode(), source, sink, "Json Hijacking query might include code from $@.",
-  source.getNode(), "this user input"
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonHijackingLib.qll b/java/ql/src/Security/CWE/CWE-352/JsonHijackingLib.qll
deleted file mode 100644
index ba91a6670bf..00000000000
--- a/java/ql/src/Security/CWE/CWE-352/JsonHijackingLib.qll
+++ /dev/null
@@ -1,92 +0,0 @@
-import java
-import DataFlow
-import JsonStringLib
-import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.frameworks.spring.SpringController
-
-/** A data flow sink for unvalidated user input that is used to jsonp. */
-abstract class JsonHijackingSink extends DataFlow::Node { }
-
-/** Use ```print```, ```println```, ```write``` to output result. */
-private class WriterPrintln extends JsonHijackingSink {
-  WriterPrintln() {
-    exists(MethodAccess ma |
-      ma.getMethod().getName().regexpMatch("print|println|write") and
-      ma.getMethod()
-          .getDeclaringType()
-          .getASourceSupertype*()
-          .hasQualifiedName("java.io", "PrintWriter") and
-      ma.getArgument(0) = this.asExpr()
-    )
-  }
-}
-
-/** Spring Request Method return result. */
-private class SpringReturn extends JsonHijackingSink {
-  SpringReturn() {
-    exists(ReturnStmt rs, Method m | m = rs.getEnclosingCallable() |
-      m instanceof SpringRequestMappingMethod and
-      rs.getResult() = this.asExpr()
-    )
-  }
-}
-
-/** A concatenate expression using `(` and `)` or `);`. */
-class JsonHijackingExpr extends AddExpr {
-  JsonHijackingExpr() {
-    getRightOperand().toString().regexpMatch("\"\\)\"|\"\\);\"") and
-    getLeftOperand()
-        .(AddExpr)
-        .getLeftOperand()
-        .(AddExpr)
-        .getRightOperand()
-        .toString()
-        .regexpMatch("\"\\(\"")
-  }
-
-  /** Get the jsonp function name of this expression */
-  Expr getFunctionName() {
-    result = getLeftOperand().(AddExpr).getLeftOperand().(AddExpr).getLeftOperand()
-  }
-
-  /** Get the json data of this expression */
-  Expr getJsonExpr() { result = getLeftOperand().(AddExpr).getRightOperand() }
-}
-
-/** A data flow configuration tracing flow from remote sources to jsonp function name. */
-class RemoteFlowConfig extends DataFlow2::Configuration {
-  RemoteFlowConfig() { this = "RemoteFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(JsonHijackingExpr jhe | jhe.getFunctionName() = sink.asExpr())
-  }
-}
-
-/** A data flow configuration tracing flow from json data to splicing jsonp data. */
-class JsonDataFlowConfig extends DataFlow2::Configuration {
-  JsonDataFlowConfig() { this = "JsonDataFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) { src instanceof JsonpStringSource }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(JsonHijackingExpr jhe | jhe.getJsonExpr() = sink.asExpr())
-  }
-}
-
-/** Taint-tracking configuration tracing flow from user-controllable function name jsonp data to output jsonp data. */
-class JsonHijackingFlowConfig extends TaintTracking::Configuration {
-  JsonHijackingFlowConfig() { this = "JsonHijackingFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) {
-    exists(JsonHijackingExpr jhe, JsonDataFlowConfig jdfc, RemoteFlowConfig rfc |
-      jhe = src.asExpr() and
-      jdfc.hasFlowTo(DataFlow::exprNode(jhe.getJsonExpr())) and
-      rfc.hasFlowTo(DataFlow::exprNode(jhe.getFunctionName()))
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof JsonHijackingSink }
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.expected
deleted file mode 100644
index 8efc3be1673..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.expected
+++ /dev/null
@@ -1,48 +0,0 @@
-edges
-| JsonHijacking.java:28:32:28:68 | getParameter(...) : String | JsonHijacking.java:33:16:33:24 | resultStr |
-| JsonHijacking.java:32:21:32:54 | ... + ... : String | JsonHijacking.java:33:16:33:24 | resultStr |
-| JsonHijacking.java:40:32:40:68 | getParameter(...) : String | JsonHijacking.java:44:16:44:24 | resultStr |
-| JsonHijacking.java:42:21:42:80 | ... + ... : String | JsonHijacking.java:44:16:44:24 | resultStr |
-| JsonHijacking.java:51:32:51:68 | getParameter(...) : String | JsonHijacking.java:54:16:54:24 | resultStr |
-| JsonHijacking.java:53:21:53:55 | ... + ... : String | JsonHijacking.java:54:16:54:24 | resultStr |
-| JsonHijacking.java:61:32:61:68 | getParameter(...) : String | JsonHijacking.java:64:16:64:24 | resultStr |
-| JsonHijacking.java:63:21:63:54 | ... + ... : String | JsonHijacking.java:64:16:64:24 | resultStr |
-| JsonHijacking.java:72:32:72:68 | getParameter(...) : String | JsonHijacking.java:80:20:80:28 | resultStr |
-| JsonHijacking.java:79:21:79:54 | ... + ... : String | JsonHijacking.java:80:20:80:28 | resultStr |
-| JsonHijacking.java:88:32:88:68 | getParameter(...) : String | JsonHijacking.java:95:20:95:28 | resultStr |
-| JsonHijacking.java:94:21:94:54 | ... + ... : String | JsonHijacking.java:95:20:95:28 | resultStr |
-| JsonHijacking.java:102:32:102:68 | getParameter(...) : String | JsonHijacking.java:113:16:113:24 | resultStr |
-nodes
-| JsonHijacking.java:28:32:28:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonHijacking.java:32:21:32:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonHijacking.java:33:16:33:24 | resultStr | semmle.label | resultStr |
-| JsonHijacking.java:33:16:33:24 | resultStr | semmle.label | resultStr |
-| JsonHijacking.java:40:32:40:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonHijacking.java:42:21:42:80 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonHijacking.java:44:16:44:24 | resultStr | semmle.label | resultStr |
-| JsonHijacking.java:44:16:44:24 | resultStr | semmle.label | resultStr |
-| JsonHijacking.java:51:32:51:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonHijacking.java:53:21:53:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonHijacking.java:54:16:54:24 | resultStr | semmle.label | resultStr |
-| JsonHijacking.java:54:16:54:24 | resultStr | semmle.label | resultStr |
-| JsonHijacking.java:61:32:61:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonHijacking.java:63:21:63:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonHijacking.java:64:16:64:24 | resultStr | semmle.label | resultStr |
-| JsonHijacking.java:64:16:64:24 | resultStr | semmle.label | resultStr |
-| JsonHijacking.java:72:32:72:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonHijacking.java:79:21:79:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonHijacking.java:80:20:80:28 | resultStr | semmle.label | resultStr |
-| JsonHijacking.java:80:20:80:28 | resultStr | semmle.label | resultStr |
-| JsonHijacking.java:88:32:88:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonHijacking.java:94:21:94:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonHijacking.java:95:20:95:28 | resultStr | semmle.label | resultStr |
-| JsonHijacking.java:95:20:95:28 | resultStr | semmle.label | resultStr |
-| JsonHijacking.java:102:32:102:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonHijacking.java:113:16:113:24 | resultStr | semmle.label | resultStr |
-#select
-| JsonHijacking.java:33:16:33:24 | resultStr | JsonHijacking.java:28:32:28:68 | getParameter(...) : String | JsonHijacking.java:33:16:33:24 | resultStr | Json Hijacking query might include code from $@. | JsonHijacking.java:28:32:28:68 | getParameter(...) | this user input |
-| JsonHijacking.java:44:16:44:24 | resultStr | JsonHijacking.java:40:32:40:68 | getParameter(...) : String | JsonHijacking.java:44:16:44:24 | resultStr | Json Hijacking query might include code from $@. | JsonHijacking.java:40:32:40:68 | getParameter(...) | this user input |
-| JsonHijacking.java:54:16:54:24 | resultStr | JsonHijacking.java:51:32:51:68 | getParameter(...) : String | JsonHijacking.java:54:16:54:24 | resultStr | Json Hijacking query might include code from $@. | JsonHijacking.java:51:32:51:68 | getParameter(...) | this user input |
-| JsonHijacking.java:64:16:64:24 | resultStr | JsonHijacking.java:61:32:61:68 | getParameter(...) : String | JsonHijacking.java:64:16:64:24 | resultStr | Json Hijacking query might include code from $@. | JsonHijacking.java:61:32:61:68 | getParameter(...) | this user input |
-| JsonHijacking.java:80:20:80:28 | resultStr | JsonHijacking.java:72:32:72:68 | getParameter(...) : String | JsonHijacking.java:80:20:80:28 | resultStr | Json Hijacking query might include code from $@. | JsonHijacking.java:72:32:72:68 | getParameter(...) | this user input |
-| JsonHijacking.java:95:20:95:28 | resultStr | JsonHijacking.java:88:32:88:68 | getParameter(...) : String | JsonHijacking.java:95:20:95:28 | resultStr | Json Hijacking query might include code from $@. | JsonHijacking.java:88:32:88:68 | getParameter(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.java
deleted file mode 100644
index 9b473e0610c..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.java
+++ /dev/null
@@ -1,119 +0,0 @@
-import com.alibaba.fastjson.JSONObject;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.gson.Gson;
-import java.io.PrintWriter;
-import java.util.HashMap;
-import java.util.Random;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-@Controller
-public class JsonHijacking {
-
-    private static HashMap hashMap = new HashMap();
-
-    static {
-        hashMap.put("username","admin");
-        hashMap.put("password","123456");
-    }
-
-
-    @GetMapping(value = "jsonp1")
-    @ResponseBody
-    public String bad1(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-
-        Gson gson = new Gson();
-        String result = gson.toJson(hashMap);
-        resultStr = jsonpCallback + "(" + result + ")";
-        return resultStr;
-    }
-
-    @GetMapping(value = "jsonp2")
-    @ResponseBody
-    public String bad2(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-
-        resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")";
-
-        return resultStr;
-    }
-
-    @GetMapping(value = "jsonp3")
-    @ResponseBody
-    public String bad3(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
-        return resultStr;
-    }
-
-    @GetMapping(value = "jsonp4")
-    @ResponseBody
-    public String bad4(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String restr = JSONObject.toJSONString(hashMap);
-        resultStr = jsonpCallback + "(" + restr + ");";
-        return resultStr;
-    }
-
-    @GetMapping(value = "jsonp5")
-    @ResponseBody
-    public void bad5(HttpServletRequest request,
-            HttpServletResponse response) throws Exception {
-        response.setContentType("application/json");
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        PrintWriter pw = null;
-        Gson gson = new Gson();
-        String result = gson.toJson(hashMap);
-
-        String resultStr = null;
-        pw = response.getWriter();
-        resultStr = jsonpCallback + "(" + result + ")";
-        pw.println(resultStr);
-    }
-
-    @GetMapping(value = "jsonp6")
-    @ResponseBody
-    public void bad6(HttpServletRequest request,
-            HttpServletResponse response) throws Exception {
-        response.setContentType("application/json");
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        PrintWriter pw = null;
-        ObjectMapper mapper = new ObjectMapper();
-        String result = mapper.writeValueAsString(hashMap);
-        String resultStr = null;
-        pw = response.getWriter();
-        resultStr = jsonpCallback + "(" + result + ")";
-        pw.println(resultStr);
-    }
-
-    @GetMapping(value = "jsonp7")
-    @ResponseBody
-    public String good(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-
-        String val = "";
-        Random random = new Random();
-        for (int i = 0; i < 10; i++) {
-            val += String.valueOf(random.nextInt(10));
-        }
-        // good
-        jsonpCallback = jsonpCallback + "_" + val;
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
-        return resultStr;
-    }
-
-    public static String getJsonStr(Object result) {
-        return JSONObject.toJSONString(result);
-    }
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.qlref b/java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.qlref
deleted file mode 100644
index e79471b3c1e..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonHijacking.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE/CWE-352/JsonHijacking.ql

From f795d5e0d3b4f1a7fc5446755020786c3faecae1 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Sat, 27 Feb 2021 16:25:17 +0800
Subject: [PATCH 0007/1429] update JSONP Injection ql

---
 .../Security/CWE/CWE-352/JsonpInjection.ql    |  45 +++++---
 .../CWE/CWE-352/JsonpInjectionFilterLib.qll   |  77 +++++++++++++
 .../CWE/CWE-352/JsonpInjectionLib.qll         |  65 ++++++++++-
 .../CWE/CWE-352/JsonpInjectionServlet.java    |  60 ++++++++++
 .../CWE/CWE-352/JsonpInjectionServlet1.java   |  64 +++++++++++
 .../CWE/CWE-352/JsonpInjectionServlet2.java   |  50 +++++++++
 .../semmle/code/java/frameworks/Servlets.qll  |  27 +++++
 .../security/CWE-352/JsonpInjection.expected  | 106 +++++++++---------
 .../security/CWE-352/JsonpInjection.java      |  13 ++-
 .../core/annotation/AliasFor.class            | Bin 385 -> 0 bytes
 .../web/bind/annotation/GetMapping.class      | Bin 504 -> 0 bytes
 .../web/bind/annotation/RequestMapping.java   |   2 +
 .../web/bind/annotation/RequestMethod.java    |  15 +++
 .../web/bind/annotation/ResponseBody.class    | Bin 184 -> 0 bytes
 14 files changed, 448 insertions(+), 76 deletions(-)
 create mode 100644 java/ql/src/Security/CWE/CWE-352/JsonpInjectionFilterLib.qll
 create mode 100644 java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet.java
 create mode 100644 java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet1.java
 create mode 100644 java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet2.java
 delete mode 100644 java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/annotation/AliasFor.class
 delete mode 100644 java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/GetMapping.class
 create mode 100644 java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMethod.java
 delete mode 100644 java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/ResponseBody.class

diff --git a/java/ql/src/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/Security/CWE/CWE-352/JsonpInjection.ql
index e7ca2d41e34..53ee6182511 100644
--- a/java/ql/src/Security/CWE/CWE-352/JsonpInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-352/JsonpInjection.ql
@@ -1,55 +1,68 @@
 /**
- * @name JSON Hijacking
+ * @name JSONP Injection
  * @description User-controlled callback function names that are not verified are vulnerable
- *              to json hijacking attacks.
+ *              to jsonp injection attacks.
  * @kind path-problem
  * @problem.severity error
  * @precision high
- * @id java/Json-hijacking
+ * @id java/JSONP-Injection
  * @tags security
  *       external/cwe/cwe-352
  */
 
 import java
 import JsonpInjectionLib
+import JsonpInjectionFilterLib
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.deadcode.WebEntryPoints
 import DataFlow::PathGraph
 
-class VerifAuth extends DataFlow::BarrierGuard {
-  VerifAuth() {
+
+/** If there is a method to verify `token`, `auth`, `referer`, and `origin`, it will not pass. */
+class ServletVerifAuth extends DataFlow::BarrierGuard {
+  ServletVerifAuth() {
     exists(MethodAccess ma, Node prod, Node succ |
-      this = ma and
-      ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer).*") and
+      ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
       prod instanceof RemoteFlowSource and
       succ.asExpr() = ma.getAnArgument() and
-      ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer).*") and
-      localFlowStep*(prod, succ)
+      ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
+      localFlowStep*(prod, succ) and
+      this = ma
     )
   }
 
   override predicate checks(Expr e, boolean branch) {
-    exists(ReturnStmt rs |
-      e = rs.getResult() and
+    exists(Node node |
+      node instanceof JsonpInjectionSink and
+      e = node.asExpr() and
       branch = true
     )
   }
 }
 
-/** Taint-tracking configuration tracing flow from remote sources to output jsonp data. */
+/** Taint-tracking configuration tracing flow from get method request sources to output jsonp data. */
 class JsonpInjectionConfig extends TaintTracking::Configuration {
   JsonpInjectionConfig() { this = "JsonpInjectionConfig" }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  override predicate isSource(DataFlow::Node source) { source instanceof GetHttpRequestSource }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof JsonpInjectionSink }
 
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { guard instanceof VerifAuth }
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof ServletVerifAuth
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(MethodAccess ma |
+      isRequestGetParamMethod(ma) and pred.asExpr() = ma.getQualifier() and succ.asExpr() = ma
+    )
+  }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, JsonpInjectionConfig conf
 where
+  not checks() = false and
   conf.hasFlowPath(source, sink) and
   exists(JsonpInjectionFlowConfig jhfc | jhfc.hasFlowTo(sink.getNode()))
-select sink.getNode(), source, sink, "Json Hijacking query might include code from $@.",
-  source.getNode(), "this user input"
\ No newline at end of file
+select sink.getNode(), source, sink, "Jsonp Injection query might include code from $@.",
+  source.getNode(), "this user input"
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonpInjectionFilterLib.qll b/java/ql/src/Security/CWE/CWE-352/JsonpInjectionFilterLib.qll
new file mode 100644
index 00000000000..b349bed2641
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-352/JsonpInjectionFilterLib.qll
@@ -0,0 +1,77 @@
+/**
+ * @name JSONP Injection
+ * @description User-controlled callback function names that are not verified are vulnerable
+ *              to json hijacking attacks.
+ * @kind path-problem
+ */
+
+import java
+import DataFlow
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking2
+import DataFlow::PathGraph
+
+class FilterVerifAuth extends DataFlow::BarrierGuard {
+  FilterVerifAuth() {
+    exists(MethodAccess ma, Node prod, Node succ |
+      ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
+      prod instanceof RemoteFlowSource and
+      succ.asExpr() = ma.getAnArgument() and
+      ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
+      localFlowStep*(prod, succ) and
+      this = ma
+    )
+  }
+
+  override predicate checks(Expr e, boolean branch) {
+    exists(Node node |
+      node instanceof DoFilterMethodSink and
+      e = node.asExpr() and
+      branch = true
+    )
+  }
+}
+
+/** A data flow source for `Filter.doFilter` method paramters. */
+private class DoFilterMethodSource extends DataFlow::Node {
+  DoFilterMethodSource() {
+    exists(Method m |
+      isDoFilterMethod(m) and
+      m.getAParameter().getAnAccess() = this.asExpr()
+    )
+  }
+}
+
+/** A data flow sink for `FilterChain.doFilter` method qualifying expression. */
+private class DoFilterMethodSink extends DataFlow::Node {
+  DoFilterMethodSink() {
+    exists(MethodAccess ma, Method m | ma.getMethod() = m |
+      m.hasName("doFilter") and
+      m.getDeclaringType*().hasQualifiedName("javax.servlet", "FilterChain") and
+      ma.getQualifier() = this.asExpr()
+    )
+  }
+}
+
+/** Taint-tracking configuration tracing flow from `doFilter` method paramter source to output 
+ * `FilterChain.doFilter` method qualifying expression. 
+ * */
+class DoFilterMethodConfig extends TaintTracking::Configuration {
+  DoFilterMethodConfig() { this = "DoFilterMethodConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof DoFilterMethodSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof DoFilterMethodSink }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof FilterVerifAuth
+  }
+}
+
+/** Implement class modeling verification for `Filter.doFilter`, return false if it fails. */
+boolean checks() {
+  exists(DataFlow::PathNode source, DataFlow::PathNode sink, DoFilterMethodConfig conf |
+    conf.hasFlowPath(source, sink) and
+    result = false
+  )
+}
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/Security/CWE/CWE-352/JsonpInjectionLib.qll
index 4294a5e8c8f..3f730425823 100644
--- a/java/ql/src/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -5,6 +5,69 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.spring.SpringController
 
+/** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
+private predicate isGetServletMethod(Method m) {
+  isServletRequestMethod(m) and m.getName() = "doGet"
+}
+
+/** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
+private predicate isGetSpringControllerMethod(Method m) {
+  exists(Annotation a |
+    a = m.getAnAnnotation() and
+    a.getType().hasQualifiedName("org.springframework.web.bind.annotation", "GetMapping")
+  )
+  or
+  exists(Annotation a |
+    a = m.getAnAnnotation() and
+    a.getType().hasQualifiedName("org.springframework.web.bind.annotation", "RequestMapping") and
+    a.getValue("method").toString().regexpMatch("RequestMethod.GET|\\{...\\}")
+  )
+}
+
+/** Method parameters use the annotation `@RequestParam` or the parameter type is `ServletRequest`, `String`, `Object` */
+predicate checkSpringMethodParameterType(Method m, int i) {
+  m.getParameter(i).getType() instanceof ServletRequest
+  or
+  exists(Parameter p |
+    p = m.getParameter(i) and
+    p.hasAnnotation() and
+    p.getAnAnnotation()
+        .getType()
+        .hasQualifiedName("org.springframework.web.bind.annotation", "RequestParam") and
+    p.getType().getName().regexpMatch("String|Object")
+  )
+  or
+  exists(Parameter p |
+    p = m.getParameter(i) and
+    not p.hasAnnotation() and
+    p.getType().getName().regexpMatch("String|Object")
+  )
+}
+
+/** A data flow source for get method request parameters. */
+abstract class GetHttpRequestSource extends DataFlow::Node { }
+
+/** A data flow source for servlet get method request parameters. */
+private class ServletGetHttpRequestSource extends GetHttpRequestSource {
+  ServletGetHttpRequestSource() {
+    exists(Method m |
+      isGetServletMethod(m) and
+      m.getParameter(0).getAnAccess() = this.asExpr()
+    )
+  }
+}
+
+/** A data flow source for spring controller get method request parameters. */
+private class SpringGetHttpRequestSource extends GetHttpRequestSource {
+  SpringGetHttpRequestSource() {
+    exists(SpringControllerMethod scm, int i |
+      isGetSpringControllerMethod(scm) and
+      checkSpringMethodParameterType(scm, i) and
+      scm.getParameter(i).getAnAccess() = this.asExpr()
+    )
+  }
+}
+
 /** A data flow sink for unvalidated user input that is used to jsonp. */
 abstract class JsonpInjectionSink extends DataFlow::Node { }
 
@@ -26,7 +89,7 @@ private class WriterPrintln extends JsonpInjectionSink {
 private class SpringReturn extends JsonpInjectionSink {
   SpringReturn() {
     exists(ReturnStmt rs, Method m | m = rs.getEnclosingCallable() |
-      m instanceof SpringRequestMappingMethod and
+      isGetSpringControllerMethod(m) and
       rs.getResult() = this.asExpr()
     )
   }
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet.java b/java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet.java
new file mode 100644
index 00000000000..916cd9bf676
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet.java
@@ -0,0 +1,60 @@
+import com.google.gson.Gson;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.HashMap;
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class JsonpInjectionServlet  extends HttpServlet {
+
+    private static HashMap hashMap = new HashMap();
+
+    static {
+        hashMap.put("username","admin");
+        hashMap.put("password","123456");
+    }
+
+    private static final long serialVersionUID = 1L;
+
+    private String key = "test";
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        String jsonpCallback = req.getParameter("jsonpCallback");
+
+        PrintWriter pw = null;
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+
+        String resultStr = null;
+        pw = resp.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+        pw.flush();
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        String jsonpCallback = req.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+
+        String resultStr = null;
+        pw = resp.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+        pw.flush();
+    }
+
+    @Override
+    public void init(ServletConfig config) throws ServletException {
+        this.key = config.getInitParameter("key");
+        System.out.println("�始化" + this.key);
+        super.init(config);
+    }
+
+}
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet1.java b/java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet1.java
new file mode 100644
index 00000000000..14ef76275b1
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet1.java
@@ -0,0 +1,64 @@
+import com.google.gson.Gson;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.HashMap;
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class JsonpInjectionServlet1 extends HttpServlet {
+
+    private static HashMap hashMap = new HashMap();
+
+    static {
+        hashMap.put("username","admin");
+        hashMap.put("password","123456");
+    }
+
+    private static final long serialVersionUID = 1L;
+
+    private String key = "test";
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        doPost(req, resp);
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        resp.setContentType("application/json");
+        String jsonpCallback = req.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        Gson gson = new Gson();
+        String jsonResult = gson.toJson(hashMap);
+
+        String referer = req.getHeader("Referer");
+
+        boolean result = verifReferer(referer);
+
+        // good
+        if (result){
+            String resultStr = null;
+            pw = resp.getWriter();
+            resultStr = jsonpCallback + "(" + jsonResult + ")";
+            pw.println(resultStr);
+            pw.flush();
+        }
+    }
+
+    public static boolean verifReferer(String referer){
+        if (!referer.startsWith("http://test.com/")){
+            return false;
+        }
+        return true;
+    }
+
+    @Override
+    public void init(ServletConfig config) throws ServletException {
+        this.key = config.getInitParameter("key");
+        System.out.println("�始化" + this.key);
+        super.init(config);
+    }
+
+}
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet2.java b/java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet2.java
new file mode 100644
index 00000000000..bbfbc2dc436
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet2.java
@@ -0,0 +1,50 @@
+import com.google.gson.Gson;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.HashMap;
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class JsonpInjectionServlet2  extends HttpServlet {
+
+    private static HashMap hashMap = new HashMap();
+
+    static {
+        hashMap.put("username","admin");
+        hashMap.put("password","123456");
+    }
+
+    private static final long serialVersionUID = 1L;
+
+    private String key = "test";
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        doPost(req, resp);
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        resp.setContentType("application/json");
+        String jsonpCallback = req.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+
+        String resultStr = null;
+        pw = resp.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+        pw.flush();
+    }
+
+    @Override
+    public void init(ServletConfig config) throws ServletException {
+        this.key = config.getInitParameter("key");
+        System.out.println("�始化" + this.key);
+        super.init(config);
+    }
+
+}
diff --git a/java/ql/src/semmle/code/java/frameworks/Servlets.qll b/java/ql/src/semmle/code/java/frameworks/Servlets.qll
index 3fad8c4e18b..b2054dc30cb 100644
--- a/java/ql/src/semmle/code/java/frameworks/Servlets.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Servlets.qll
@@ -337,3 +337,30 @@ predicate isRequestGetParamMethod(MethodAccess ma) {
   ma.getMethod() instanceof ServletRequestGetParameterMapMethod or
   ma.getMethod() instanceof HttpServletRequestGetQueryStringMethod
 }
+
+
+/**
+ * A class that has `javax.servlet.Filter` as an ancestor.
+ */
+class FilterClass extends Class {
+  FilterClass() { getAnAncestor().hasQualifiedName("javax.servlet", "Filter") }
+}
+
+
+/**
+ * The interface `javax.servlet.FilterChain`
+ */
+class FilterChain extends RefType {
+  FilterChain() {
+    hasQualifiedName("javax.servlet", "FilterChain")
+  }
+}
+
+/** Holds if `m` is a request handler method (for example `doGet` or `doPost`). */
+predicate isDoFilterMethod(Method m) {
+  m.getDeclaringType() instanceof FilterClass and
+  m.getNumberOfParameters() = 3 and
+  m.getParameter(0).getType() instanceof ServletRequest and
+  m.getParameter(1).getType() instanceof ServletResponse and
+  m.getParameter(2).getType() instanceof FilterChain
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected
index 019af8f5c05..7e3069cf1d9 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected
@@ -1,60 +1,60 @@
 edges
-| JsonpInjection.java:28:32:28:68 | getParameter(...) : String | JsonpInjection.java:33:16:33:24 | resultStr |
-| JsonpInjection.java:32:21:32:54 | ... + ... : String | JsonpInjection.java:33:16:33:24 | resultStr |
-| JsonpInjection.java:40:32:40:68 | getParameter(...) : String | JsonpInjection.java:44:16:44:24 | resultStr |
-| JsonpInjection.java:42:21:42:80 | ... + ... : String | JsonpInjection.java:44:16:44:24 | resultStr |
-| JsonpInjection.java:51:32:51:68 | getParameter(...) : String | JsonpInjection.java:54:16:54:24 | resultStr |
-| JsonpInjection.java:53:21:53:55 | ... + ... : String | JsonpInjection.java:54:16:54:24 | resultStr |
-| JsonpInjection.java:61:32:61:68 | getParameter(...) : String | JsonpInjection.java:64:16:64:24 | resultStr |
-| JsonpInjection.java:63:21:63:54 | ... + ... : String | JsonpInjection.java:64:16:64:24 | resultStr |
-| JsonpInjection.java:72:32:72:68 | getParameter(...) : String | JsonpInjection.java:80:20:80:28 | resultStr |
+| JsonpInjection.java:29:32:29:38 | request : HttpServletRequest | JsonpInjection.java:34:16:34:24 | resultStr |
+| JsonpInjection.java:33:21:33:54 | ... + ... : String | JsonpInjection.java:34:16:34:24 | resultStr |
+| JsonpInjection.java:41:32:41:38 | request : HttpServletRequest | JsonpInjection.java:45:16:45:24 | resultStr |
+| JsonpInjection.java:43:21:43:80 | ... + ... : String | JsonpInjection.java:45:16:45:24 | resultStr |
+| JsonpInjection.java:52:32:52:38 | request : HttpServletRequest | JsonpInjection.java:55:16:55:24 | resultStr |
+| JsonpInjection.java:54:21:54:55 | ... + ... : String | JsonpInjection.java:55:16:55:24 | resultStr |
+| JsonpInjection.java:62:32:62:38 | request : HttpServletRequest | JsonpInjection.java:65:16:65:24 | resultStr |
+| JsonpInjection.java:64:21:64:54 | ... + ... : String | JsonpInjection.java:65:16:65:24 | resultStr |
+| JsonpInjection.java:72:32:72:38 | request : HttpServletRequest | JsonpInjection.java:80:20:80:28 | resultStr |
 | JsonpInjection.java:79:21:79:54 | ... + ... : String | JsonpInjection.java:80:20:80:28 | resultStr |
-| JsonpInjection.java:88:32:88:68 | getParameter(...) : String | JsonpInjection.java:95:20:95:28 | resultStr |
-| JsonpInjection.java:94:21:94:54 | ... + ... : String | JsonpInjection.java:95:20:95:28 | resultStr |
-| JsonpInjection.java:102:32:102:68 | getParameter(...) : String | JsonpInjection.java:113:16:113:24 | resultStr |
-| JsonpInjection.java:128:25:128:59 | ... + ... : String | JsonpInjection.java:129:20:129:28 | resultStr |
-| JsonpInjection.java:147:25:147:59 | ... + ... : String | JsonpInjection.java:148:20:148:28 | resultStr |
+| JsonpInjection.java:87:32:87:38 | request : HttpServletRequest | JsonpInjection.java:94:20:94:28 | resultStr |
+| JsonpInjection.java:93:21:93:54 | ... + ... : String | JsonpInjection.java:94:20:94:28 | resultStr |
+| JsonpInjection.java:101:32:101:38 | request : HttpServletRequest | JsonpInjection.java:112:16:112:24 | resultStr |
+| JsonpInjection.java:127:25:127:59 | ... + ... : String | JsonpInjection.java:128:20:128:28 | resultStr |
+| JsonpInjection.java:148:25:148:59 | ... + ... : String | JsonpInjection.java:149:20:149:28 | resultStr |
 nodes
-| JsonpInjection.java:28:32:28:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjection.java:32:21:32:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:33:16:33:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:33:16:33:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:40:32:40:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjection.java:42:21:42:80 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:44:16:44:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:44:16:44:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:51:32:51:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjection.java:53:21:53:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:54:16:54:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:54:16:54:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:61:32:61:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjection.java:63:21:63:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:64:16:64:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:64:16:64:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:72:32:72:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjection.java:29:32:29:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
+| JsonpInjection.java:33:21:33:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:34:16:34:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:34:16:34:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:41:32:41:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
+| JsonpInjection.java:43:21:43:80 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:45:16:45:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:45:16:45:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:52:32:52:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
+| JsonpInjection.java:54:21:54:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:55:16:55:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:55:16:55:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:62:32:62:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
+| JsonpInjection.java:64:21:64:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:65:16:65:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:65:16:65:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:72:32:72:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
 | JsonpInjection.java:79:21:79:54 | ... + ... : String | semmle.label | ... + ... : String |
 | JsonpInjection.java:80:20:80:28 | resultStr | semmle.label | resultStr |
 | JsonpInjection.java:80:20:80:28 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:88:32:88:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjection.java:94:21:94:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:95:20:95:28 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:95:20:95:28 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:102:32:102:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjection.java:113:16:113:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:128:25:128:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:129:20:129:28 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:147:25:147:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:148:20:148:28 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:87:32:87:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
+| JsonpInjection.java:93:21:93:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:94:20:94:28 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:94:20:94:28 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:101:32:101:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
+| JsonpInjection.java:112:16:112:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:127:25:127:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:128:20:128:28 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:148:25:148:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:149:20:149:28 | resultStr | semmle.label | resultStr |
 #select
-| JsonpInjection.java:33:16:33:24 | resultStr | JsonpInjection.java:28:32:28:68 | getParameter(...) : String | JsonpInjection.java:33:16:33:24 | resultStr | Json Hijacking query 
-might include code from $@. | JsonpInjection.java:28:32:28:68 | getParameter(...) | this user input |
-| JsonpInjection.java:44:16:44:24 | resultStr | JsonpInjection.java:40:32:40:68 | getParameter(...) : String | JsonpInjection.java:44:16:44:24 | resultStr | Json Hijacking query 
-might include code from $@. | JsonpInjection.java:40:32:40:68 | getParameter(...) | this user input |
-| JsonpInjection.java:54:16:54:24 | resultStr | JsonpInjection.java:51:32:51:68 | getParameter(...) : String | JsonpInjection.java:54:16:54:24 | resultStr | Json Hijacking query 
-might include code from $@. | JsonpInjection.java:51:32:51:68 | getParameter(...) | this user input |
-| JsonpInjection.java:64:16:64:24 | resultStr | JsonpInjection.java:61:32:61:68 | getParameter(...) : String | JsonpInjection.java:64:16:64:24 | resultStr | Json Hijacking query 
-might include code from $@. | JsonpInjection.java:61:32:61:68 | getParameter(...) | this user input |
-| JsonpInjection.java:80:20:80:28 | resultStr | JsonpInjection.java:72:32:72:68 | getParameter(...) : String | JsonpInjection.java:80:20:80:28 | resultStr | Json Hijacking query 
-might include code from $@. | JsonpInjection.java:72:32:72:68 | getParameter(...) | this user input |
-| JsonpInjection.java:95:20:95:28 | resultStr | JsonpInjection.java:88:32:88:68 | getParameter(...) : String | JsonpInjection.java:95:20:95:28 | resultStr | Json Hijacking query 
-might include code from $@. | JsonpInjection.java:88:32:88:68 | getParameter(...) | this user input |
\ No newline at end of file
+| JsonpInjection.java:34:16:34:24 | resultStr | JsonpInjection.java:29:32:29:38 | request : HttpServletRequest | JsonpInjection.java:34:16:34:24 | 
+resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:29:32:29:38 | request | this user input |
+| JsonpInjection.java:45:16:45:24 | resultStr | JsonpInjection.java:41:32:41:38 | request : HttpServletRequest | JsonpInjection.java:45:16:45:24 | 
+resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:41:32:41:38 | request | this user input |
+| JsonpInjection.java:55:16:55:24 | resultStr | JsonpInjection.java:52:32:52:38 | request : HttpServletRequest | JsonpInjection.java:55:16:55:24 | 
+resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:52:32:52:38 | request | this user input |
+| JsonpInjection.java:65:16:65:24 | resultStr | JsonpInjection.java:62:32:62:38 | request : HttpServletRequest | JsonpInjection.java:65:16:65:24 | 
+resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:62:32:62:38 | request | this user input |
+| JsonpInjection.java:80:20:80:28 | resultStr | JsonpInjection.java:72:32:72:38 | request : HttpServletRequest | JsonpInjection.java:80:20:80:28 | 
+resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:72:32:72:38 | request | this user input |
+| JsonpInjection.java:94:20:94:28 | resultStr | JsonpInjection.java:87:32:87:38 | request : HttpServletRequest | JsonpInjection.java:94:20:94:28 | 
+resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:87:32:87:38 | request | this user input |
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.java
index df3aa2c02fe..9f079513a8b 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.java
@@ -8,11 +8,12 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 
 @Controller
 public class JsonpInjection {
-    
     private static HashMap hashMap = new HashMap();
 
     static {
@@ -21,7 +22,7 @@ public class JsonpInjection {
     }
 
 
-    @GetMapping(value = "jsonp1")
+    @GetMapping(value = "jsonp1", produces="text/javascript")
     @ResponseBody
     public String bad1(HttpServletRequest request) {
         String resultStr = null;
@@ -68,7 +69,6 @@ public class JsonpInjection {
     @ResponseBody
     public void bad5(HttpServletRequest request,
             HttpServletResponse response) throws Exception {
-        response.setContentType("application/json");
         String jsonpCallback = request.getParameter("jsonpCallback");
         PrintWriter pw = null;
         Gson gson = new Gson();
@@ -84,7 +84,6 @@ public class JsonpInjection {
     @ResponseBody
     public void bad6(HttpServletRequest request,
             HttpServletResponse response) throws Exception {
-        response.setContentType("application/json");
         String jsonpCallback = request.getParameter("jsonpCallback");
         PrintWriter pw = null;
         ObjectMapper mapper = new ObjectMapper();
@@ -141,8 +140,10 @@ public class JsonpInjection {
         String referer = request.getHeader("Referer");
 
         boolean result = verifReferer(referer);
+
+        boolean test = result;
         // good
-        if (result){
+        if (test){
             String jsonStr = getJsonStr(hashMap);
             resultStr = jsonpCallback + "(" + jsonStr + ")";
             return resultStr;
@@ -168,4 +169,4 @@ public class JsonpInjection {
         }
         return true;
     }
-}
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/annotation/AliasFor.class b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/annotation/AliasFor.class
deleted file mode 100644
index 438065489278b92503abc2ad8d75716c5e56ac08..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 385
zcmb7=!Ab)$5QhJ0x31k<t>DdrH&Kx0=)qG#3PM4!PcXZrOKO@(l3m};gAd?CiL-}x
zJqaEL=Fj~6^G&|KKRyB6W0qr@<21(^Vbrp1G~wdrcD3b}m1S3}bqdDS4}|lDb3So0
z-aYCKH#QMKxO{0`GCTd`S`$rab#IG=`O1e{#kVeF6L_cJeRx%s4_fgdPA#nAxb#7`
zj5*1|vPl9`tbG$Iy);(DbZ?q>Y=pc21QTZcMbG6{R|0?4KmBGoU|o}(H;@|2R}C^k
ghLPwaQNxHF$I?t>JeJBL3UL&FIx;a%x-6Xh0OC_*bpQYW

diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/GetMapping.class b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/GetMapping.class
deleted file mode 100644
index 5392ca0ebc1593d6bfa2f7d765ee4ca169fb260f..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 504
zcma)&y-ve06orr5G%4k$Ewlp@8)_FUu~3N#3Bgi?)JiO!oYW02i5(KVeK!UkfQLfd
z3?&dTFj%_xlg>TI=i~G39l#Za0geNl1Q;-QTBMR;Fd9$SVk3AWbj;^AS316C=-+5<
ztgy=HTe%W0u?%2nZA9WoH5`o>f62T|*k=Ym6S+tWhIV9h;Zj+SS#FjtD#y;;xIB_~
zDxp)|dubm;mXYs88HC|<=CoC*d{Tu96Imr8>11m1m={?Yb44C<Yw{Pql_3w6UUKoB
zn$P5`lf~{ded+SQ$|?{;uj=M8T+4`RIIGYPyDH^5qoNx0n$)@PQPXJA=F`?J5D;i%
gZwD3tfleLl*TF#@9R332cSQFa=%QD;()m8{1xN6E{{R30

diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMapping.java b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMapping.java
index 3415800b927..ddb36bce4c0 100644
--- a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMapping.java
+++ b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMapping.java
@@ -10,4 +10,6 @@ public @interface RequestMapping {
 
     @AliasFor("value")
     String[] path() default {};
+
+    RequestMethod[] method() default {};
 }
diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMethod.java b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMethod.java
new file mode 100644
index 00000000000..78c90a6ef75
--- /dev/null
+++ b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMethod.java
@@ -0,0 +1,15 @@
+package org.springframework.web.bind.annotation;
+
+public enum RequestMethod {
+    GET,
+    HEAD,
+    POST,
+    PUT,
+    PATCH,
+    DELETE,
+    OPTIONS,
+    TRACE;
+
+    private RequestMethod() {
+    }
+}
diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/ResponseBody.class b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/ResponseBody.class
deleted file mode 100644
index 5e08f3e6a0acd663e6130e304a4d1251a31188fb..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 184
zcmX^0Z`VEs1_pBmPId-1b_RBK1`b9BuHgLAqU2P!%$!t42Em}z;)49V;#8;nluEs<
z#Ii(229x}vbp7IjqRhPXw4%h^)bjkIZ2j`oB>kk!ycGS!yuAF9#FEVXJbh%nj0^%G
u-TFC+dFlH8Nm;4MC5#O62q7eGj&Kvy7#SEDn1GlW=t>44%>pEu7+3+XjWw+R


From 95d1994196dc52ad516b7c6df06e673be8906d9b Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Mon, 1 Mar 2021 22:06:52 +0000
Subject: [PATCH 0008/1429] Query to check sensitive cookies without the
 HttpOnly flag set

---
 .../CWE-1004/SensitiveCookieNotHttpOnly.java  |  44 +++
 .../CWE-1004/SensitiveCookieNotHttpOnly.qhelp |  27 ++
 .../CWE-1004/SensitiveCookieNotHttpOnly.ql    | 194 ++++++++++
 .../SensitiveCookieNotHttpOnly.expected       |  13 +
 .../CWE-1004/SensitiveCookieNotHttpOnly.java  |  57 +++
 .../CWE-1004/SensitiveCookieNotHttpOnly.qlref |   1 +
 .../query-tests/security/CWE-1004/options     |   1 +
 .../javax/ws/rs/core/Cookie.java              | 187 +++++++++
 .../javax/ws/rs/core/NewCookie.java           | 359 ++++++++++++++++++
 .../javax/servlet/http/Cookie.java            |  33 ++
 .../servlet/http/HttpServletResponse.java     |   6 +
 11 files changed, 922 insertions(+)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.java
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.qhelp
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.qlref
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-1004/options
 create mode 100644 java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/Cookie.java
 create mode 100644 java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/NewCookie.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.java b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.java
new file mode 100644
index 00000000000..48d80707ff8
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.java
@@ -0,0 +1,44 @@
+class SensitiveCookieNotHttpOnly {
+    // GOOD - Create a sensitive cookie with the `HttpOnly` flag set.
+    public void addCookie(String jwt_token, HttpServletRequest request, HttpServletResponse response) {
+        Cookie jwtCookie =new Cookie("jwt_token", jwt_token);
+        jwtCookie.setPath("/");
+        jwtCookie.setMaxAge(3600*24*7);
+        jwtCookie.setHttpOnly(true);
+        response.addCookie(jwtCookie);
+    }
+
+    // BAD - Create a sensitive cookie without the `HttpOnly` flag set.
+    public void addCookie2(String jwt_token, String userId, HttpServletRequest request, HttpServletResponse response) {
+        Cookie jwtCookie =new Cookie("jwt_token", jwt_token);
+        jwtCookie.setPath("/");
+        jwtCookie.setMaxAge(3600*24*7);
+        response.addCookie(jwtCookie);
+    }
+
+    // GOOD - Set a sensitive cookie header with the `HttpOnly` flag set.
+    public void addCookie3(String authId, HttpServletRequest request, HttpServletResponse response) {
+        response.addHeader("Set-Cookie", "token=" +authId + ";HttpOnly;Secure");
+    }
+
+    // BAD - Set a sensitive cookie header without the `HttpOnly` flag set.
+    public void addCookie4(String authId, HttpServletRequest request, HttpServletResponse response) {
+        response.addHeader("Set-Cookie", "token=" +authId + ";Secure");
+    }
+    
+    // GOOD - Set a sensitive cookie header using the class `javax.ws.rs.core.Cookie` with the `HttpOnly` flag set through string concatenation.
+    public void addCookie5(String accessKey, HttpServletRequest request, HttpServletResponse response) {
+        response.setHeader("Set-Cookie", new NewCookie("session-access-key", accessKey, "/", null, null, 0, true) + ";HttpOnly");
+    }
+
+    // BAD - Set a sensitive cookie header using the class `javax.ws.rs.core.Cookie` without the `HttpOnly` flag set.
+    public void addCookie6(String accessKey, HttpServletRequest request, HttpServletResponse response) {
+        response.setHeader("Set-Cookie", new NewCookie("session-access-key", accessKey, "/", null, null, 0, true).toString());
+    }
+
+    // GOOD - Set a sensitive cookie header using the class `javax.ws.rs.core.Cookie` with the `HttpOnly` flag set through the constructor.
+    public void addCookie7(String accessKey, HttpServletRequest request, HttpServletResponse response) {
+        NewCookie accessKeyCookie = new NewCookie("session-access-key", accessKey, "/", null, null, 0, true, true);
+        response.setHeader("Set-Cookie", accessKeyCookie.toString());
+    }
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.qhelp b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.qhelp
new file mode 100644
index 00000000000..880ed767be9
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.qhelp
@@ -0,0 +1,27 @@
+<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>Cross-Site Scripting (XSS) is categorized as one of the OWASP Top 10 Security Vulnerabilities. The <code>HttpOnly</code> flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header for a sensitive cookie helps mitigate the risk associated with XSS where an attacker's script code attempts to read the contents of a cookie and exfiltrate information obtained.</p>
+  </overview>
+
+  <recommendation>
+    <p>Use the <code>HttpOnly</code> flag when generating a cookie containing sensitive information to help mitigate the risk of client side script accessing the protected cookie.</p>
+  </recommendation>
+
+  <example>
+    <p>The following example shows two ways of generating sensitive cookies. In the 'BAD' cases, the <code>HttpOnly</code> flag is not set. In the 'GOOD' cases, the <code>HttpOnly</code> flag is set.</p>
+    <sample src="SensitiveCookieNotHttpOnly.java" />
+  </example>
+
+  <references>
+    <li>
+      PortSwigger:
+      <a href="https://portswigger.net/kb/issues/00500600_cookie-without-httponly-flag-set">Cookie without HttpOnly flag set</a>
+    </li>
+    <li>
+      OWASP:
+      <a href="https://owasp.org/www-community/HttpOnly">HttpOnly</a>
+    </li>
+  </references>
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
new file mode 100644
index 00000000000..bf4e60134c9
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -0,0 +1,194 @@
+/**
+ * @name Sensitive cookies without the HttpOnly response header set
+ * @description Sensitive cookies without 'HttpOnly' leaves session cookies vulnerable to an XSS attack.
+ * @kind path-problem
+ * @id java/sensitive-cookie-not-httponly
+ * @tags security
+ *       external/cwe/cwe-1004
+ */
+
+import java
+import semmle.code.java.frameworks.Servlets
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+import DataFlow::PathGraph
+
+/** Gets a regular expression for matching common names of sensitive cookies. */
+string getSensitiveCookieNameRegex() { result = "(?i).*(auth|session|token|key|credential).*" }
+
+/** Holds if a string is concatenated with the name of a sensitive cookie. */
+predicate isSensitiveCookieNameExpr(Expr expr) {
+  expr.(StringLiteral)
+      .getRepresentedString()
+      .toLowerCase()
+      .regexpMatch(getSensitiveCookieNameRegex()) or
+  isSensitiveCookieNameExpr(expr.(AddExpr).getAnOperand())
+}
+
+/** Holds if a string is concatenated with the `HttpOnly` flag. */
+predicate hasHttpOnlyExpr(Expr expr) {
+  expr.(StringLiteral).getRepresentedString().toLowerCase().matches("%httponly%") or
+  hasHttpOnlyExpr(expr.(AddExpr).getAnOperand())
+}
+
+/** The method call `Set-Cookie` of `addHeader` or `setHeader`. */
+class SetCookieMethodAccess extends MethodAccess {
+  SetCookieMethodAccess() {
+    (
+      this.getMethod() instanceof ResponseAddHeaderMethod or
+      this.getMethod() instanceof ResponseSetHeaderMethod
+    ) and
+    this.getArgument(0).(StringLiteral).getRepresentedString().toLowerCase() = "set-cookie"
+  }
+}
+
+/** Sensitive cookie name used in a `Cookie` constructor or a `Set-Cookie` call. */
+class SensitiveCookieNameExpr extends Expr {
+  SensitiveCookieNameExpr() {
+    isSensitiveCookieNameExpr(this) and
+    (
+      exists(
+        ClassInstanceExpr cie // new Cookie("jwt_token", token)
+      |
+        (
+          cie.getConstructor().getDeclaringType().hasQualifiedName("javax.servlet.http", "Cookie") or
+          cie.getConstructor()
+              .getDeclaringType()
+              .getASupertype*()
+              .hasQualifiedName("javax.ws.rs.core", "Cookie") or
+          cie.getConstructor()
+              .getDeclaringType()
+              .getASupertype*()
+              .hasQualifiedName("jakarta.ws.rs.core", "Cookie")
+        ) and
+        DataFlow::localExprFlow(this, cie.getArgument(0))
+      )
+      or
+      exists(
+        SetCookieMethodAccess ma // response.addHeader("Set-Cookie: token=" +authId + ";HttpOnly;Secure")
+      |
+        DataFlow::localExprFlow(this, ma.getArgument(1))
+      )
+    )
+  }
+}
+
+/** Sink of adding a cookie to the HTTP response. */
+class CookieResponseSink extends DataFlow::ExprNode {
+  CookieResponseSink() {
+    exists(MethodAccess ma |
+      (
+        ma.getMethod() instanceof ResponseAddCookieMethod or
+        ma instanceof SetCookieMethodAccess
+      ) and
+      ma.getAnArgument() = this.getExpr()
+    )
+  }
+}
+
+/** Holds if the `node` is a method call of `setHttpOnly(true)` on a cookie. */
+predicate setHttpOnlyMethodAccess(DataFlow::Node node) {
+  exists(
+    MethodAccess addCookie, Variable cookie, MethodAccess m // jwtCookie.setHttpOnly(true)
+  |
+    addCookie.getMethod() instanceof ResponseAddCookieMethod and
+    addCookie.getArgument(0) = cookie.getAnAccess() and
+    m.getMethod().getName() = "setHttpOnly" and
+    m.getArgument(0).(BooleanLiteral).getBooleanValue() = true and
+    m.getQualifier() = cookie.getAnAccess() and
+    node.asExpr() = cookie.getAnAccess()
+  )
+}
+
+/** Holds if the `node` is a method call of `Set-Cookie` header with the `HttpOnly` flag whose cookie name is sensitive. */
+predicate setHttpOnlyInSetCookie(DataFlow::Node node) {
+  exists(SetCookieMethodAccess sa |
+    hasHttpOnlyExpr(node.asExpr()) and
+    DataFlow::localExprFlow(node.asExpr(), sa.getArgument(1))
+  )
+}
+
+/** Holds if the `node` is an invocation of a JAX-RS `NewCookie` constructor that sets `HttpOnly` to true. */
+predicate setHttpOnlyInNewCookie(DataFlow::Node node) {
+  exists(ClassInstanceExpr cie |
+    cie.getConstructor().getDeclaringType().hasName("NewCookie") and
+    DataFlow::localExprFlow(node.asExpr(), cie.getArgument(0)) and
+    (
+      cie.getNumArgument() = 6 and cie.getArgument(5).(BooleanLiteral).getBooleanValue() = true // NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
+      or
+      cie.getNumArgument() = 8 and
+      cie.getArgument(6).getType() instanceof BooleanType and
+      cie.getArgument(7).(BooleanLiteral).getBooleanValue() = true // NewCookie(String name, String value, String path, String domain, String comment, int maxAge, boolean secure, boolean httpOnly)
+      or
+      cie.getNumArgument() = 10 and cie.getArgument(9).(BooleanLiteral).getBooleanValue() = true // NewCookie(String name, String value, String path, String domain, int version, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
+    )
+  )
+}
+
+/**
+ * Holds if the node is a test method indicated by:
+ *    a) in a test directory such as `src/test/java`
+ *    b) in a test package whose name has the word `test`
+ *    c) in a test class whose name has the word `test`
+ *    d) in a test class implementing a test framework such as JUnit or TestNG
+ */
+predicate isTestMethod(DataFlow::Node node) {
+  exists(MethodAccess ma, Method m |
+    node.asExpr() = ma.getAnArgument() and
+    m = ma.getEnclosingCallable() and
+    (
+      m.getDeclaringType().getName().toLowerCase().matches("%test%") or // Simple check to exclude test classes to reduce FPs
+      m.getDeclaringType().getPackage().getName().toLowerCase().matches("%test%") or // Simple check to exclude classes in test packages to reduce FPs
+      exists(m.getLocation().getFile().getAbsolutePath().indexOf("/src/test/java")) or //  Match test directory structure of build tools like maven
+      m instanceof TestMethod // Test method of a test case implementing a test framework such as JUnit or TestNG
+    )
+  )
+}
+
+/** A taint configuration tracking flow from a sensitive cookie without HttpOnly flag set to its HTTP response. */
+class MissingHttpOnlyConfiguration extends TaintTracking::Configuration {
+  MissingHttpOnlyConfiguration() { this = "MissingHttpOnlyConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof SensitiveCookieNameExpr
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof CookieResponseSink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    // cookie.setHttpOnly(true)
+    setHttpOnlyMethodAccess(node)
+    or
+    // response.addHeader("Set-Cookie: token=" +authId + ";HttpOnly;Secure")
+    setHttpOnlyInSetCookie(node)
+    or
+    // new NewCookie("session-access-key", accessKey, "/", null, null, 0, true, true)
+    setHttpOnlyInNewCookie(node)
+    or
+    // Test class or method
+    isTestMethod(node)
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(
+      ClassInstanceExpr cie // `NewCookie` constructor
+    |
+      cie.getAnArgument() = pred.asExpr() and
+      cie = succ.asExpr() and
+      cie.getConstructor().getDeclaringType().hasName("NewCookie")
+    )
+    or
+    exists(
+      MethodAccess ma // `toString` call on a cookie object
+    |
+      ma.getQualifier() = pred.asExpr() and
+      ma.getMethod().hasName("toString") and
+      ma = succ.asExpr()
+    )
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, MissingHttpOnlyConfiguration c
+where c.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "$@ doesn't have the HttpOnly flag set.", source.getNode(),
+  "This sensitive cookie"
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
new file mode 100644
index 00000000000..84d6be3863a
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
@@ -0,0 +1,13 @@
+edges
+| SensitiveCookieNotHttpOnly.java:22:38:22:48 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie |
+| SensitiveCookieNotHttpOnly.java:49:56:49:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) |
+nodes
+| SensitiveCookieNotHttpOnly.java:22:38:22:48 | "jwt_token" : String | semmle.label | "jwt_token" : String |
+| SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | semmle.label | jwtCookie |
+| SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | semmle.label | ... + ... |
+| SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) | semmle.label | toString(...) |
+| SensitiveCookieNotHttpOnly.java:49:56:49:75 | "session-access-key" : String | semmle.label | "session-access-key" : String |
+#select
+| SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | SensitiveCookieNotHttpOnly.java:22:38:22:48 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:22:38:22:48 | "jwt_token" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) | SensitiveCookieNotHttpOnly.java:49:56:49:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:49:56:49:75 | "session-access-key" | This sensitive cookie |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
new file mode 100644
index 00000000000..5e4f349f7c8
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
@@ -0,0 +1,57 @@
+import java.io.IOException;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.ServletException;
+
+import javax.ws.rs.core.NewCookie;
+
+class SensitiveCookieNotHttpOnly {
+    // GOOD - Tests adding a sensitive cookie with the `HttpOnly` flag set.
+    public void addCookie(String jwt_token, HttpServletRequest request, HttpServletResponse response) {
+        Cookie jwtCookie =new Cookie("jwt_token", jwt_token);
+        jwtCookie.setPath("/");
+        jwtCookie.setMaxAge(3600*24*7);
+        jwtCookie.setHttpOnly(true);
+        response.addCookie(jwtCookie);
+    }
+
+    // BAD - Tests adding a sensitive cookie without the `HttpOnly` flag set.
+    public void addCookie2(String jwt_token, String userId, HttpServletRequest request, HttpServletResponse response) {
+        Cookie jwtCookie =new Cookie("jwt_token", jwt_token);
+        Cookie userIdCookie =new Cookie("user_id", userId.toString());
+        jwtCookie.setPath("/");
+        userIdCookie.setPath("/");
+        jwtCookie.setMaxAge(3600*24*7);
+        userIdCookie.setMaxAge(3600*24*7);
+        response.addCookie(jwtCookie);
+        response.addCookie(userIdCookie);
+    }
+
+    // GOOD - Tests set a sensitive cookie header with the `HttpOnly` flag set.
+    public void addCookie3(String authId, HttpServletRequest request, HttpServletResponse response) {
+        response.addHeader("Set-Cookie", "token=" +authId + ";HttpOnly;Secure");
+    }
+
+    // BAD - Tests set a sensitive cookie header without the `HttpOnly` flag set.
+    public void addCookie4(String authId, HttpServletRequest request, HttpServletResponse response) {
+        response.addHeader("Set-Cookie", "token=" +authId + ";Secure");
+    }
+    
+    // GOOD - Tests set a sensitive cookie header using the class `javax.ws.rs.core.Cookie` with the `HttpOnly` flag set through string concatenation.
+    public void addCookie5(String accessKey, HttpServletRequest request, HttpServletResponse response) {
+        response.setHeader("Set-Cookie", new NewCookie("session-access-key", accessKey, "/", null, null, 0, true) + ";HttpOnly");
+    }
+
+    // BAD - Tests set a sensitive cookie header using the class `javax.ws.rs.core.Cookie` without the `HttpOnly` flag set.
+    public void addCookie6(String accessKey, HttpServletRequest request, HttpServletResponse response) {
+        response.setHeader("Set-Cookie", new NewCookie("session-access-key", accessKey, "/", null, null, 0, true).toString());
+    }
+
+    // GOOD - Tests set a sensitive cookie header using the class `javax.ws.rs.core.Cookie` with the `HttpOnly` flag set through the constructor.
+    public void addCookie7(String accessKey, HttpServletRequest request, HttpServletResponse response) {
+        NewCookie accessKeyCookie = new NewCookie("session-access-key", accessKey, "/", null, null, 0, true, true);
+        response.setHeader("Set-Cookie", accessKeyCookie.toString());
+    }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.qlref b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.qlref
new file mode 100644
index 00000000000..cc2baaf6f7b
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/options b/java/ql/test/experimental/query-tests/security/CWE-1004/options
new file mode 100644
index 00000000000..7f2b253fb20
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/options
@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jsr311-api-1.1.1
\ No newline at end of file
diff --git a/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/Cookie.java b/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/Cookie.java
new file mode 100644
index 00000000000..4e4c7585c35
--- /dev/null
+++ b/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/Cookie.java
@@ -0,0 +1,187 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2010-2015 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * http://glassfish.java.net/public/CDDL+GPL_1_1.html
+ * or packager/legal/LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at packager/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+
+package javax.ws.rs.core;
+
+/**
+ * Represents the value of a HTTP cookie, transferred in a request.
+ * RFC 2109 specifies the legal characters for name,
+ * value, path and domain. The default version of 1 corresponds to RFC 2109.
+ *
+ * @author Paul Sandoz
+ * @author Marc Hadley
+ * @see <a href="http://www.ietf.org/rfc/rfc2109.txt">IETF RFC 2109</a>
+ * @since 1.0
+ */
+public class Cookie {
+    /**
+     * Cookies using the default version correspond to RFC 2109.
+     */
+    public static final int DEFAULT_VERSION = 1;
+
+    /**
+     * Create a new instance.
+     *
+     * @param name    the name of the cookie.
+     * @param value   the value of the cookie.
+     * @param path    the URI path for which the cookie is valid.
+     * @param domain  the host domain for which the cookie is valid.
+     * @param version the version of the specification to which the cookie complies.
+     * @throws IllegalArgumentException if name is {@code null}.
+     */
+    public Cookie(final String name, final String value, final String path, final String domain, final int version)
+            throws IllegalArgumentException {
+    }
+
+    /**
+     * Create a new instance.
+     *
+     * @param name   the name of the cookie.
+     * @param value  the value of the cookie.
+     * @param path   the URI path for which the cookie is valid.
+     * @param domain the host domain for which the cookie is valid.
+     * @throws IllegalArgumentException if name is {@code null}.
+     */
+    public Cookie(final String name, final String value, final String path, final String domain)
+            throws IllegalArgumentException {
+    }
+
+    /**
+     * Create a new instance.
+     *
+     * @param name  the name of the cookie.
+     * @param value the value of the cookie.
+     * @throws IllegalArgumentException if name is {@code null}.
+     */
+    public Cookie(final String name, final String value)
+            throws IllegalArgumentException {
+    }
+
+    /**
+     * Creates a new instance of {@code Cookie} by parsing the supplied string.
+     *
+     * @param value the cookie string.
+     * @return the newly created {@code Cookie}.
+     * @throws IllegalArgumentException if the supplied string cannot be parsed
+     *                                  or is {@code null}.
+     */
+    public static Cookie valueOf(final String value) {
+        return null;
+    }
+
+    /**
+     * Get the name of the cookie.
+     *
+     * @return the cookie name.
+     */
+    public String getName() {
+        return null;
+    }
+
+    /**
+     * Get the value of the cookie.
+     *
+     * @return the cookie value.
+     */
+    public String getValue() {
+        return null;
+    }
+
+    /**
+     * Get the version of the cookie.
+     *
+     * @return the cookie version.
+     */
+    public int getVersion() {
+        return -1;
+    }
+
+    /**
+     * Get the domain of the cookie.
+     *
+     * @return the cookie domain.
+     */
+    public String getDomain() {
+        return null;
+    }
+
+    /**
+     * Get the path of the cookie.
+     *
+     * @return the cookie path.
+     */
+    public String getPath() {
+        return null;
+    }
+
+    /**
+     * Convert the cookie to a string suitable for use as the value of the
+     * corresponding HTTP header.
+     *
+     * @return a stringified cookie.
+     */
+    @Override
+    public String toString() {
+        return null;
+    }
+
+    /**
+     * Generate a hash code by hashing all of the cookies properties.
+     *
+     * @return the cookie hash code.
+     */
+    @Override
+    public int hashCode() {
+        return -1;
+    }
+
+    /**
+     * Compare for equality.
+     *
+     * @param obj the object to compare to.
+     * @return {@code true}, if the object is a {@code Cookie} with the same
+     *         value for all properties, {@code false} otherwise.
+     */
+    @SuppressWarnings({"StringEquality", "RedundantIfStatement"})
+    @Override
+    public boolean equals(final Object obj) {
+        return true;
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/NewCookie.java b/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/NewCookie.java
new file mode 100644
index 00000000000..43a4899e0ca
--- /dev/null
+++ b/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/NewCookie.java
@@ -0,0 +1,359 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2010-2015 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * http://glassfish.java.net/public/CDDL+GPL_1_1.html
+ * or packager/legal/LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at packager/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+
+package javax.ws.rs.core;
+
+import java.util.Date;
+
+/**
+ * Used to create a new HTTP cookie, transferred in a response.
+ *
+ * @author Paul Sandoz
+ * @author Marc Hadley
+ * @see <a href="http://www.ietf.org/rfc/rfc2109.txt">IETF RFC 2109</a>
+ * @since 1.0
+ */
+public class NewCookie extends Cookie {
+
+    /**
+     * Specifies that the cookie expires with the current application/browser session.
+     */
+    public static final int DEFAULT_MAX_AGE = -1;
+
+    private final String comment;
+    private final int maxAge;
+    private final Date expiry;
+    private final boolean secure;
+    private final boolean httpOnly;
+
+    /**
+     * Create a new instance.
+     *
+     * @param name  the name of the cookie.
+     * @param value the value of the cookie.
+     * @throws IllegalArgumentException if name is {@code null}.
+     */
+    public NewCookie(String name, String value) {
+        this(name, value, null, null, DEFAULT_VERSION, null, DEFAULT_MAX_AGE, null, false, false);
+    }
+
+    /**
+     * Create a new instance.
+     *
+     * @param name    the name of the cookie.
+     * @param value   the value of the cookie.
+     * @param path    the URI path for which the cookie is valid.
+     * @param domain  the host domain for which the cookie is valid.
+     * @param comment the comment.
+     * @param maxAge  the maximum age of the cookie in seconds.
+     * @param secure  specifies whether the cookie will only be sent over a secure connection.
+     * @throws IllegalArgumentException if name is {@code null}.
+     */
+    public NewCookie(String name,
+                     String value,
+                     String path,
+                     String domain,
+                     String comment,
+                     int maxAge,
+                     boolean secure) {
+        this(name, value, path, domain, DEFAULT_VERSION, comment, maxAge, null, secure, false);                  
+    }
+
+    /**
+     * Create a new instance.
+     *
+     * @param name     the name of the cookie.
+     * @param value    the value of the cookie.
+     * @param path     the URI path for which the cookie is valid.
+     * @param domain   the host domain for which the cookie is valid.
+     * @param comment  the comment.
+     * @param maxAge   the maximum age of the cookie in seconds.
+     * @param secure   specifies whether the cookie will only be sent over a secure connection.
+     * @param httpOnly if {@code true} make the cookie HTTP only, i.e. only visible as part of an HTTP request.
+     * @throws IllegalArgumentException if name is {@code null}.
+     * @since 2.0
+     */
+    public NewCookie(String name,
+                     String value,
+                     String path,
+                     String domain,
+                     String comment,
+                     int maxAge,
+                     boolean secure,
+                     boolean httpOnly) {
+        this(name, value, path, domain, DEFAULT_VERSION, comment, maxAge, null, secure, httpOnly);
+    }
+
+    /**
+     * Create a new instance.
+     *
+     * @param name    the name of the cookie
+     * @param value   the value of the cookie
+     * @param path    the URI path for which the cookie is valid
+     * @param domain  the host domain for which the cookie is valid
+     * @param version the version of the specification to which the cookie complies
+     * @param comment the comment
+     * @param maxAge  the maximum age of the cookie in seconds
+     * @param secure  specifies whether the cookie will only be sent over a secure connection
+     * @throws IllegalArgumentException if name is {@code null}.
+     */
+    public NewCookie(String name,
+                     String value,
+                     String path,
+                     String domain,
+                     int version,
+                     String comment,
+                     int maxAge,
+                     boolean secure) {
+        this(name, value, path, domain, version, comment, maxAge, null, secure, false);                 
+    }
+
+    /**
+     * Create a new instance.
+     *
+     * @param name     the name of the cookie
+     * @param value    the value of the cookie
+     * @param path     the URI path for which the cookie is valid
+     * @param domain   the host domain for which the cookie is valid
+     * @param version  the version of the specification to which the cookie complies
+     * @param comment  the comment
+     * @param maxAge   the maximum age of the cookie in seconds
+     * @param expiry   the cookie expiry date.
+     * @param secure   specifies whether the cookie will only be sent over a secure connection
+     * @param httpOnly if {@code true} make the cookie HTTP only, i.e. only visible as part of an HTTP request.
+     * @throws IllegalArgumentException if name is {@code null}.
+     * @since 2.0
+     */
+    public NewCookie(String name,
+                     String value,
+                     String path,
+                     String domain,
+                     int version,
+                     String comment,
+                     int maxAge,
+                     Date expiry,
+                     boolean secure,
+                     boolean httpOnly) {
+            super(name, value, path, domain, version);
+            this.comment = comment;
+            this.maxAge = maxAge;
+            this.expiry = expiry;
+            this.secure = secure;
+            this.httpOnly = httpOnly;
+    }
+
+    /**
+     * Create a new instance copying the information in the supplied cookie.
+     *
+     * @param cookie the cookie to clone.
+     * @throws IllegalArgumentException if cookie is {@code null}.
+     */
+    public NewCookie(Cookie cookie) {
+        this(cookie, null, DEFAULT_MAX_AGE, null, false, false);
+    }
+
+    /**
+     * Create a new instance supplementing the information in the supplied cookie.
+     *
+     * @param cookie  the cookie to clone.
+     * @param comment the comment.
+     * @param maxAge  the maximum age of the cookie in seconds.
+     * @param secure  specifies whether the cookie will only be sent over a secure connection.
+     * @throws IllegalArgumentException if cookie is {@code null}.
+     */
+    public NewCookie(Cookie cookie, String comment, int maxAge, boolean secure) {
+        this(cookie, comment, maxAge, null, secure, false);
+    }
+
+    /**
+     * Create a new instance supplementing the information in the supplied cookie.
+     *
+     * @param cookie   the cookie to clone.
+     * @param comment  the comment.
+     * @param maxAge   the maximum age of the cookie in seconds.
+     * @param expiry   the cookie expiry date.
+     * @param secure   specifies whether the cookie will only be sent over a secure connection.
+     * @param httpOnly if {@code true} make the cookie HTTP only, i.e. only visible as part of an HTTP request.
+     * @throws IllegalArgumentException if cookie is {@code null}.
+     * @since 2.0
+     */
+    public NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly) {
+        super(cookie == null ? null : cookie.getName(),
+        cookie == null ? null : cookie.getValue(),
+        cookie == null ? null : cookie.getPath(),
+        cookie == null ? null : cookie.getDomain(),
+        cookie == null ? Cookie.DEFAULT_VERSION : cookie.getVersion());
+        this.comment = comment;
+        this.maxAge = maxAge;
+        this.expiry = expiry;
+        this.secure = secure;
+        this.httpOnly = httpOnly;        
+    }
+
+    /**
+     * Creates a new instance of NewCookie by parsing the supplied string.
+     *
+     * @param value the cookie string.
+     * @return the newly created {@code NewCookie}.
+     * @throws IllegalArgumentException if the supplied string cannot be parsed
+     *                                  or is {@code null}.
+     */
+    public static NewCookie valueOf(String value) {
+        return null;
+    }
+
+    /**
+     * Get the comment associated with the cookie.
+     *
+     * @return the comment or null if none set
+     */
+    public String getComment() {
+        return null;
+    }
+
+    /**
+     * Get the maximum age of the the cookie in seconds. Cookies older than
+     * the maximum age are discarded. A cookie can be unset by sending a new
+     * cookie with maximum age of 0 since it will overwrite any existing cookie
+     * and then be immediately discarded. The default value of {@code -1} indicates
+     * that the cookie will be discarded at the end of the browser/application session.
+     * <p>
+     * Note that it is recommended to use {@code Max-Age} to control cookie
+     * expiration, however some browsers do not understand {@code Max-Age}, in which case
+     * setting {@link #getExpiry()} Expires} parameter may be necessary.
+     * </p>
+     *
+     * @return the maximum age in seconds.
+     * @see #getExpiry()
+     */
+    public int getMaxAge() {
+        return -1;
+    }
+
+    /**
+     * Get the cookie expiry date. Cookies whose expiry date has passed are discarded.
+     * A cookie can be unset by setting a new cookie with an expiry date in the past,
+     * typically the lowest possible date that can be set.
+     * <p>
+     * Note that it is recommended to use {@link #getMaxAge() Max-Age} to control cookie
+     * expiration, however some browsers do not understand {@code Max-Age}, in which case
+     * setting {@code Expires} parameter may be necessary.
+     * </p>
+     *
+     * @return cookie expiry date or {@code null} if no expiry date was set.
+     * @see #getMaxAge()
+     * @since 2.0
+     */
+    public Date getExpiry() {
+        return null;
+    }
+
+    /**
+     * Whether the cookie will only be sent over a secure connection. Defaults
+     * to {@code false}.
+     *
+     * @return {@code true} if the cookie will only be sent over a secure connection,
+     *         {@code false} otherwise.
+     */
+    public boolean isSecure() {
+        return false;
+    }
+
+    /**
+     * Returns {@code true} if this cookie contains the {@code HttpOnly} attribute.
+     * This means that the cookie should not be accessible to scripting engines,
+     * like javascript.
+     *
+     * @return {@code true} if this cookie should be considered http only, {@code false}
+     *         otherwise.
+     * @since 2.0
+     */
+    public boolean isHttpOnly() {
+        return false;
+    }
+
+    /**
+     * Obtain a new instance of a {@link Cookie} with the same name, value, path,
+     * domain and version as this {@code NewCookie}. This method can be used to
+     * obtain an object that can be compared for equality with another {@code Cookie};
+     * since a {@code Cookie} will never compare equal to a {@code NewCookie}.
+     *
+     * @return a {@link Cookie}
+     */
+    public Cookie toCookie() {
+        return null;
+    }
+
+    /**
+     * Convert the cookie to a string suitable for use as the value of the
+     * corresponding HTTP header.
+     *
+     * @return a stringified cookie.
+     */
+    @Override
+    public String toString() {
+        return null;
+    }
+
+    /**
+     * Generate a hash code by hashing all of the properties.
+     *
+     * @return the hash code.
+     */
+    @Override
+    public int hashCode() {
+        return -1;
+    }
+
+    /**
+     * Compare for equality. Use {@link #toCookie()} to compare a
+     * {@code NewCookie} to a {@code Cookie} considering only the common
+     * properties.
+     *
+     * @param obj the object to compare to
+     * @return true if the object is a {@code NewCookie} with the same value for
+     *         all properties, false otherwise.
+     */
+    @SuppressWarnings({"StringEquality", "RedundantIfStatement"})
+    @Override
+    public boolean equals(Object obj) {
+        return true;
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/Cookie.java b/java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/Cookie.java
index d8348e13e2e..a93fec853e0 100644
--- a/java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/Cookie.java
+++ b/java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/Cookie.java
@@ -32,6 +32,7 @@ public class Cookie implements Cloneable {
     private String path; // ;Path=VALUE ... URLs that see the cookie
     private boolean secure; // ;Secure ... e.g. use SSL
     private int version = 0; // ;Version=1 ... means RFC 2109++ style
+    private boolean isHttpOnly = false;
 
     public Cookie(String name, String value) {
         this.name = name;
@@ -81,4 +82,36 @@ public class Cookie implements Cloneable {
     }
     public void setVersion(int v) {
     }
+
+    /**
+     * Marks or unmarks this Cookie as <i>HttpOnly</i>.
+     *
+     * <p>If <tt>isHttpOnly</tt> is set to <tt>true</tt>, this cookie is
+     * marked as <i>HttpOnly</i>, by adding the <tt>HttpOnly</tt> attribute
+     * to it.
+     *
+     * <p><i>HttpOnly</i> cookies are not supposed to be exposed to
+     * client-side scripting code, and may therefore help mitigate certain
+     * kinds of cross-site scripting attacks.
+     *
+     * @param isHttpOnly true if this cookie is to be marked as
+     * <i>HttpOnly</i>, false otherwise
+     *
+     * @since Servlet 3.0
+     */
+    public void setHttpOnly(boolean isHttpOnly) {
+        this.isHttpOnly = isHttpOnly;
+    }
+ 
+    /**
+     * Checks whether this Cookie has been marked as <i>HttpOnly</i>.
+     *
+     * @return true if this Cookie has been marked as <i>HttpOnly</i>,
+     * false otherwise
+     *
+     * @since Servlet 3.0
+     */
+    public boolean isHttpOnly() {
+        return isHttpOnly;
+    }
 }
diff --git a/java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/HttpServletResponse.java b/java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/HttpServletResponse.java
index 2971e023390..162ac0db3cc 100644
--- a/java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/HttpServletResponse.java
+++ b/java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/HttpServletResponse.java
@@ -24,6 +24,7 @@
 package javax.servlet.http;
 
 import java.io.IOException;
+import java.util.Collection;
 import javax.servlet.ServletResponse;
 
 public interface HttpServletResponse extends ServletResponse {
@@ -44,6 +45,11 @@ public interface HttpServletResponse extends ServletResponse {
     public void addIntHeader(String name, int value);
     public void setStatus(int sc);
     public void setStatus(int sc, String sm);
+    public int getStatus();
+    public String getHeader(String name);
+    public Collection<String> getHeaders(String name);
+    public Collection<String> getHeaderNames();
+
 
     public static final int SC_CONTINUE = 100;
     public static final int SC_SWITCHING_PROTOCOLS = 101;

From b366ffa69e98e21ac8998bb08a8815fc4cae6b4f Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Wed, 3 Mar 2021 13:38:18 +0000
Subject: [PATCH 0009/1429] Revamp source of the query

---
 .../CWE-1004/SensitiveCookieNotHttpOnly.qhelp |   2 +-
 .../CWE-1004/SensitiveCookieNotHttpOnly.ql    | 116 +++++++++---------
 .../SensitiveCookieNotHttpOnly.expected       |  12 +-
 .../javax/ws/rs/core/Cookie.java              |  59 +++------
 .../javax/ws/rs/core/NewCookie.java           |  36 ------
 5 files changed, 82 insertions(+), 143 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.qhelp b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.qhelp
index 880ed767be9..ee3e8a4181a 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.qhelp
@@ -2,7 +2,7 @@
 <qhelp>
 
   <overview>
-    <p>Cross-Site Scripting (XSS) is categorized as one of the OWASP Top 10 Security Vulnerabilities. The <code>HttpOnly</code> flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header for a sensitive cookie helps mitigate the risk associated with XSS where an attacker's script code attempts to read the contents of a cookie and exfiltrate information obtained.</p>
+    <p>Cross-Site Scripting (XSS) is categorized as one of the OWASP Top 10 Security Vulnerabilities. The <code>HttpOnly</code> flag directs compatible browsers to prevent client-side script from accessing cookies. Including the <code>HttpOnly</code> flag in the Set-Cookie HTTP response header for a sensitive cookie helps mitigate the risk associated with XSS where an attacker's script code attempts to read the contents of a cookie and exfiltrate information obtained.</p>
   </overview>
 
   <recommendation>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
index bf4e60134c9..842e8b7eabb 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -9,7 +9,6 @@
 
 import java
 import semmle.code.java.frameworks.Servlets
-import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import DataFlow::PathGraph
 
@@ -18,8 +17,8 @@ string getSensitiveCookieNameRegex() { result = "(?i).*(auth|session|token|key|c
 
 /** Holds if a string is concatenated with the name of a sensitive cookie. */
 predicate isSensitiveCookieNameExpr(Expr expr) {
-  expr.(StringLiteral)
-      .getRepresentedString()
+  expr.(CompileTimeConstantExpr)
+      .getStringValue()
       .toLowerCase()
       .regexpMatch(getSensitiveCookieNameRegex()) or
   isSensitiveCookieNameExpr(expr.(AddExpr).getAnOperand())
@@ -27,7 +26,7 @@ predicate isSensitiveCookieNameExpr(Expr expr) {
 
 /** Holds if a string is concatenated with the `HttpOnly` flag. */
 predicate hasHttpOnlyExpr(Expr expr) {
-  expr.(StringLiteral).getRepresentedString().toLowerCase().matches("%httponly%") or
+  expr.(CompileTimeConstantExpr).getStringValue().toLowerCase().matches("%httponly%") or
   hasHttpOnlyExpr(expr.(AddExpr).getAnOperand())
 }
 
@@ -38,37 +37,34 @@ class SetCookieMethodAccess extends MethodAccess {
       this.getMethod() instanceof ResponseAddHeaderMethod or
       this.getMethod() instanceof ResponseSetHeaderMethod
     ) and
-    this.getArgument(0).(StringLiteral).getRepresentedString().toLowerCase() = "set-cookie"
+    this.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() = "set-cookie"
   }
 }
 
 /** Sensitive cookie name used in a `Cookie` constructor or a `Set-Cookie` call. */
 class SensitiveCookieNameExpr extends Expr {
   SensitiveCookieNameExpr() {
-    isSensitiveCookieNameExpr(this) and
-    (
-      exists(
-        ClassInstanceExpr cie // new Cookie("jwt_token", token)
-      |
-        (
-          cie.getConstructor().getDeclaringType().hasQualifiedName("javax.servlet.http", "Cookie") or
-          cie.getConstructor()
-              .getDeclaringType()
-              .getASupertype*()
-              .hasQualifiedName("javax.ws.rs.core", "Cookie") or
-          cie.getConstructor()
-              .getDeclaringType()
-              .getASupertype*()
-              .hasQualifiedName("jakarta.ws.rs.core", "Cookie")
-        ) and
-        DataFlow::localExprFlow(this, cie.getArgument(0))
-      )
-      or
-      exists(
-        SetCookieMethodAccess ma // response.addHeader("Set-Cookie: token=" +authId + ";HttpOnly;Secure")
-      |
-        DataFlow::localExprFlow(this, ma.getArgument(1))
-      )
+    exists(
+      ClassInstanceExpr cie, Expr e // new Cookie("jwt_token", token)
+    |
+      (
+        cie.getConstructor().getDeclaringType().hasQualifiedName("javax.servlet.http", "Cookie") or
+        cie.getConstructor()
+            .getDeclaringType()
+            .getASupertype*()
+            .hasQualifiedName(["javax.ws.rs.core", "jakarta.ws.rs.core"], "Cookie")
+      ) and
+      this = cie and
+      isSensitiveCookieNameExpr(e) and
+      DataFlow::localExprFlow(e, cie.getArgument(0))
+    )
+    or
+    exists(
+      SetCookieMethodAccess ma, Expr e // response.addHeader("Set-Cookie: token=" +authId + ";HttpOnly;Secure")
+    |
+      this = ma.getArgument(1) and
+      isSensitiveCookieNameExpr(e) and
+      DataFlow::localExprFlow(e, ma.getArgument(1))
     )
   }
 }
@@ -78,15 +74,20 @@ class CookieResponseSink extends DataFlow::ExprNode {
   CookieResponseSink() {
     exists(MethodAccess ma |
       (
-        ma.getMethod() instanceof ResponseAddCookieMethod or
-        ma instanceof SetCookieMethodAccess
-      ) and
-      ma.getAnArgument() = this.getExpr()
+        ma.getMethod() instanceof ResponseAddCookieMethod and
+        this.getExpr() = ma.getArgument(0)
+        or
+        ma instanceof SetCookieMethodAccess and
+        this.getExpr() = ma.getArgument(1)
+      )
     )
   }
 }
 
-/** Holds if the `node` is a method call of `setHttpOnly(true)` on a cookie. */
+/**
+ * Holds if `node` is an access to a variable which has `setHttpOnly(true)` called on it and is also
+ * the first argument to a call to the method `addCookie` of `javax.servlet.http.HttpServletResponse`.
+ */
 predicate setHttpOnlyMethodAccess(DataFlow::Node node) {
   exists(
     MethodAccess addCookie, Variable cookie, MethodAccess m // jwtCookie.setHttpOnly(true)
@@ -100,7 +101,10 @@ predicate setHttpOnlyMethodAccess(DataFlow::Node node) {
   )
 }
 
-/** Holds if the `node` is a method call of `Set-Cookie` header with the `HttpOnly` flag whose cookie name is sensitive. */
+/**
+ * Holds if `node` is a string that contains `httponly` and which flows to the second argument
+ * of a method to set a cookie.
+ */
 predicate setHttpOnlyInSetCookie(DataFlow::Node node) {
   exists(SetCookieMethodAccess sa |
     hasHttpOnlyExpr(node.asExpr()) and
@@ -108,20 +112,17 @@ predicate setHttpOnlyInSetCookie(DataFlow::Node node) {
   )
 }
 
-/** Holds if the `node` is an invocation of a JAX-RS `NewCookie` constructor that sets `HttpOnly` to true. */
-predicate setHttpOnlyInNewCookie(DataFlow::Node node) {
-  exists(ClassInstanceExpr cie |
-    cie.getConstructor().getDeclaringType().hasName("NewCookie") and
-    DataFlow::localExprFlow(node.asExpr(), cie.getArgument(0)) and
-    (
-      cie.getNumArgument() = 6 and cie.getArgument(5).(BooleanLiteral).getBooleanValue() = true // NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
-      or
-      cie.getNumArgument() = 8 and
-      cie.getArgument(6).getType() instanceof BooleanType and
-      cie.getArgument(7).(BooleanLiteral).getBooleanValue() = true // NewCookie(String name, String value, String path, String domain, String comment, int maxAge, boolean secure, boolean httpOnly)
-      or
-      cie.getNumArgument() = 10 and cie.getArgument(9).(BooleanLiteral).getBooleanValue() = true // NewCookie(String name, String value, String path, String domain, int version, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
-    )
+/** Holds if `cie` is an invocation of a JAX-RS `NewCookie` constructor that sets `HttpOnly` to true. */
+predicate setHttpOnlyInNewCookie(ClassInstanceExpr cie) {
+  cie.getConstructedType().hasQualifiedName(["javax.ws.rs.core", "jakarta.ws.rs.core"], "NewCookie") and
+  (
+    cie.getNumArgument() = 6 and cie.getArgument(5).(BooleanLiteral).getBooleanValue() = true // NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
+    or
+    cie.getNumArgument() = 8 and
+    cie.getArgument(6).getType() instanceof BooleanType and
+    cie.getArgument(7).(BooleanLiteral).getBooleanValue() = true // NewCookie(String name, String value, String path, String domain, String comment, int maxAge, boolean secure, boolean httpOnly)
+    or
+    cie.getNumArgument() = 10 and cie.getArgument(9).(BooleanLiteral).getBooleanValue() = true // NewCookie(String name, String value, String path, String domain, int version, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
   )
 }
 
@@ -145,7 +146,10 @@ predicate isTestMethod(DataFlow::Node node) {
   )
 }
 
-/** A taint configuration tracking flow from a sensitive cookie without HttpOnly flag set to its HTTP response. */
+/**
+ * A taint configuration tracking flow from a sensitive cookie without the `HttpOnly` flag
+ * set to its HTTP response.
+ */
 class MissingHttpOnlyConfiguration extends TaintTracking::Configuration {
   MissingHttpOnlyConfiguration() { this = "MissingHttpOnlyConfiguration" }
 
@@ -159,25 +163,17 @@ class MissingHttpOnlyConfiguration extends TaintTracking::Configuration {
     // cookie.setHttpOnly(true)
     setHttpOnlyMethodAccess(node)
     or
-    // response.addHeader("Set-Cookie: token=" +authId + ";HttpOnly;Secure")
+    // response.addHeader("Set-Cookie", "token=" +authId + ";HttpOnly;Secure")
     setHttpOnlyInSetCookie(node)
     or
     // new NewCookie("session-access-key", accessKey, "/", null, null, 0, true, true)
-    setHttpOnlyInNewCookie(node)
+    setHttpOnlyInNewCookie(node.asExpr())
     or
     // Test class or method
     isTestMethod(node)
   }
 
   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(
-      ClassInstanceExpr cie // `NewCookie` constructor
-    |
-      cie.getAnArgument() = pred.asExpr() and
-      cie = succ.asExpr() and
-      cie.getConstructor().getDeclaringType().hasName("NewCookie")
-    )
-    or
     exists(
       MethodAccess ma // `toString` call on a cookie object
     |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
index 84d6be3863a..e2d05a9b24d 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
@@ -1,13 +1,13 @@
 edges
-| SensitiveCookieNotHttpOnly.java:22:38:22:48 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie |
-| SensitiveCookieNotHttpOnly.java:49:56:49:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) |
+| SensitiveCookieNotHttpOnly.java:22:27:22:60 | new Cookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie |
+| SensitiveCookieNotHttpOnly.java:49:42:49:113 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) |
 nodes
-| SensitiveCookieNotHttpOnly.java:22:38:22:48 | "jwt_token" : String | semmle.label | "jwt_token" : String |
+| SensitiveCookieNotHttpOnly.java:22:27:22:60 | new Cookie(...) : Cookie | semmle.label | new Cookie(...) : Cookie |
 | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | semmle.label | jwtCookie |
 | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | semmle.label | ... + ... |
+| SensitiveCookieNotHttpOnly.java:49:42:49:113 | new NewCookie(...) : NewCookie | semmle.label | new NewCookie(...) : NewCookie |
 | SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) | semmle.label | toString(...) |
-| SensitiveCookieNotHttpOnly.java:49:56:49:75 | "session-access-key" : String | semmle.label | "session-access-key" : String |
 #select
-| SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | SensitiveCookieNotHttpOnly.java:22:38:22:48 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:22:38:22:48 | "jwt_token" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | SensitiveCookieNotHttpOnly.java:22:27:22:60 | new Cookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:22:27:22:60 | new Cookie(...) | This sensitive cookie |
 | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) | SensitiveCookieNotHttpOnly.java:49:56:49:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:49:56:49:75 | "session-access-key" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) | SensitiveCookieNotHttpOnly.java:49:42:49:113 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:49:42:49:113 | new NewCookie(...) | This sensitive cookie |
diff --git a/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/Cookie.java b/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/Cookie.java
index 4e4c7585c35..f810600a766 100644
--- a/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/Cookie.java
+++ b/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/Cookie.java
@@ -51,10 +51,16 @@ package javax.ws.rs.core;
  * @since 1.0
  */
 public class Cookie {
+
     /**
      * Cookies using the default version correspond to RFC 2109.
      */
     public static final int DEFAULT_VERSION = 1;
+    private final String name;
+    private final String value;
+    private final int version;
+    private final String path;
+    private final String domain;
 
     /**
      * Create a new instance.
@@ -68,6 +74,11 @@ public class Cookie {
      */
     public Cookie(final String name, final String value, final String path, final String domain, final int version)
             throws IllegalArgumentException {
+        this.name = name;
+        this.value = value;
+        this.version = version;
+        this.domain = domain;
+        this.path = path;
     }
 
     /**
@@ -81,6 +92,7 @@ public class Cookie {
      */
     public Cookie(final String name, final String value, final String path, final String domain)
             throws IllegalArgumentException {
+        this(name, value, path, domain, DEFAULT_VERSION);
     }
 
     /**
@@ -92,6 +104,7 @@ public class Cookie {
      */
     public Cookie(final String name, final String value)
             throws IllegalArgumentException {
+        this(name, value, null, null);
     }
 
     /**
@@ -112,7 +125,7 @@ public class Cookie {
      * @return the cookie name.
      */
     public String getName() {
-        return null;
+        return name;
     }
 
     /**
@@ -121,7 +134,7 @@ public class Cookie {
      * @return the cookie value.
      */
     public String getValue() {
-        return null;
+        return value;
     }
 
     /**
@@ -130,7 +143,7 @@ public class Cookie {
      * @return the cookie version.
      */
     public int getVersion() {
-        return -1;
+        return version;
     }
 
     /**
@@ -139,7 +152,7 @@ public class Cookie {
      * @return the cookie domain.
      */
     public String getDomain() {
-        return null;
+        return domain;
     }
 
     /**
@@ -148,40 +161,6 @@ public class Cookie {
      * @return the cookie path.
      */
     public String getPath() {
-        return null;
+        return path;
     }
-
-    /**
-     * Convert the cookie to a string suitable for use as the value of the
-     * corresponding HTTP header.
-     *
-     * @return a stringified cookie.
-     */
-    @Override
-    public String toString() {
-        return null;
-    }
-
-    /**
-     * Generate a hash code by hashing all of the cookies properties.
-     *
-     * @return the cookie hash code.
-     */
-    @Override
-    public int hashCode() {
-        return -1;
-    }
-
-    /**
-     * Compare for equality.
-     *
-     * @param obj the object to compare to.
-     * @return {@code true}, if the object is a {@code Cookie} with the same
-     *         value for all properties, {@code false} otherwise.
-     */
-    @SuppressWarnings({"StringEquality", "RedundantIfStatement"})
-    @Override
-    public boolean equals(final Object obj) {
-        return true;
-    }
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/NewCookie.java b/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/NewCookie.java
index 43a4899e0ca..7f2e3ec0535 100644
--- a/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/NewCookie.java
+++ b/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/NewCookie.java
@@ -320,40 +320,4 @@ public class NewCookie extends Cookie {
     public Cookie toCookie() {
         return null;
     }
-
-    /**
-     * Convert the cookie to a string suitable for use as the value of the
-     * corresponding HTTP header.
-     *
-     * @return a stringified cookie.
-     */
-    @Override
-    public String toString() {
-        return null;
-    }
-
-    /**
-     * Generate a hash code by hashing all of the properties.
-     *
-     * @return the hash code.
-     */
-    @Override
-    public int hashCode() {
-        return -1;
-    }
-
-    /**
-     * Compare for equality. Use {@link #toCookie()} to compare a
-     * {@code NewCookie} to a {@code Cookie} considering only the common
-     * properties.
-     *
-     * @param obj the object to compare to
-     * @return true if the object is a {@code NewCookie} with the same value for
-     *         all properties, false otherwise.
-     */
-    @SuppressWarnings({"StringEquality", "RedundantIfStatement"})
-    @Override
-    public boolean equals(Object obj) {
-        return true;
-    }
 }
\ No newline at end of file

From 1b1c3f953b9ebb828e161e4b36d67075a7bca510 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Wed, 3 Mar 2021 13:54:26 +0000
Subject: [PATCH 0010/1429] Remove localflow from the source

---
 .../CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql         | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
index 842e8b7eabb..258b2545b27 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -45,7 +45,7 @@ class SetCookieMethodAccess extends MethodAccess {
 class SensitiveCookieNameExpr extends Expr {
   SensitiveCookieNameExpr() {
     exists(
-      ClassInstanceExpr cie, Expr e // new Cookie("jwt_token", token)
+      ClassInstanceExpr cie // new Cookie("jwt_token", token)
     |
       (
         cie.getConstructor().getDeclaringType().hasQualifiedName("javax.servlet.http", "Cookie") or
@@ -55,16 +55,14 @@ class SensitiveCookieNameExpr extends Expr {
             .hasQualifiedName(["javax.ws.rs.core", "jakarta.ws.rs.core"], "Cookie")
       ) and
       this = cie and
-      isSensitiveCookieNameExpr(e) and
-      DataFlow::localExprFlow(e, cie.getArgument(0))
+      isSensitiveCookieNameExpr(cie.getArgument(0))
     )
     or
     exists(
-      SetCookieMethodAccess ma, Expr e // response.addHeader("Set-Cookie: token=" +authId + ";HttpOnly;Secure")
+      SetCookieMethodAccess ma // response.addHeader("Set-Cookie: token=" +authId + ";HttpOnly;Secure")
     |
       this = ma.getArgument(1) and
-      isSensitiveCookieNameExpr(e) and
-      DataFlow::localExprFlow(e, ma.getArgument(1))
+      isSensitiveCookieNameExpr(this)
     )
   }
 }

From 502cf38fccef4c0b2a1120f2fe175571ec1b9cb5 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Wed, 3 Mar 2021 14:07:43 +0000
Subject: [PATCH 0011/1429] Use concise API

---
 .../Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql      | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
index 258b2545b27..d9104cbad97 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -48,9 +48,8 @@ class SensitiveCookieNameExpr extends Expr {
       ClassInstanceExpr cie // new Cookie("jwt_token", token)
     |
       (
-        cie.getConstructor().getDeclaringType().hasQualifiedName("javax.servlet.http", "Cookie") or
-        cie.getConstructor()
-            .getDeclaringType()
+        cie.getConstructedType().hasQualifiedName("javax.servlet.http", "Cookie") or
+        cie.getConstructedType()
             .getASupertype*()
             .hasQualifiedName(["javax.ws.rs.core", "jakarta.ws.rs.core"], "Cookie")
       ) and

From 86dde6eab16f9f28cc6bb68c8b2ed7fa8c40e3bd Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Wed, 17 Feb 2021 11:34:05 +0100
Subject: [PATCH 0012/1429] Python: start of port

---
 .../src/Security/CWE-327/InsecureProtocol.ql  | 299 +++++++++++++++++-
 .../examples/secure_default_protocol.py       |  13 +
 .../CWE-327/examples/secure_protocol.py       |  11 +
 3 files changed, 307 insertions(+), 16 deletions(-)
 create mode 100644 python/ql/src/Security/CWE-327/examples/secure_default_protocol.py
 create mode 100644 python/ql/src/Security/CWE-327/examples/secure_protocol.py

diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.ql b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
index d1ae714b6be..6f2feedce22 100644
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -10,7 +10,270 @@
  */
 
 import python
+import semmle.python.ApiGraphs
 
+// The idea is to track flow from the creation of an insecure context to a use
+// such as `wrap_socket`. There should be a data-flow path for each insecure version
+// and each path should have a version specific sanitizer. This will allow fluent api
+// style code to block the paths one by one.
+//
+// class InsecureContextCreation extends DataFlow::CfgNode {
+//   override CallNode node;
+//   InsecureContextCreation() {
+//     this = API::moduleImport("ssl").getMember("SSLContext").getACall() and
+//     insecure_version().asCfgNode() in [node.getArg(0), node.getArgByName("protocol")]
+//   }
+// }
+// class InsecureSSLContextCreation extends DataFlow::CfgNode {
+//   override CallNode node;
+//   InsecureSSLContextCreation() {
+//     this = API::moduleImport("ssl").getMember("create_default_context").getACall()
+//     or
+//     this = API::moduleImport("ssl").getMember("SSLContext").getACall() and
+//     API::moduleImport("ssl").getMember("PROTOCOL_TLS").getAUse().asCfgNode() in [
+//         node.getArg(0), node.getArgByName("protocol")
+//       ]
+//   }
+// }
+abstract class ContextCreation extends DataFlow::CfgNode {
+  abstract DataFlow::CfgNode getProtocol();
+}
+
+class SSLContextCreation extends ContextCreation {
+  override CallNode node;
+
+  SSLContextCreation() { this = API::moduleImport("ssl").getMember("SSLContext").getACall() }
+
+  override DataFlow::CfgNode getProtocol() {
+    result.getNode() in [node.getArg(0), node.getArgByName("protocol")]
+  }
+}
+
+class PyOpenSSLContextCreation extends ContextCreation {
+  override CallNode node;
+
+  PyOpenSSLContextCreation() {
+    this = API::moduleImport("pyOpenSSL").getMember("SSL").getMember("Context").getACall()
+  }
+
+  override DataFlow::CfgNode getProtocol() {
+    result.getNode() in [node.getArg(0), node.getArgByName("method")]
+  }
+}
+
+abstract class ConnectionCreation extends DataFlow::CfgNode {
+  abstract DataFlow::CfgNode getContext();
+}
+
+class WrapSocketCall extends ConnectionCreation {
+  override CallNode node;
+
+  WrapSocketCall() { node.getFunction().(AttrNode).getName() = "wrap_socket" }
+
+  override DataFlow::CfgNode getContext() {
+    result.getNode() = node.getFunction().(AttrNode).getObject()
+  }
+}
+
+class ConnectionCall extends ConnectionCreation {
+  override CallNode node;
+
+  ConnectionCall() {
+    this = API::moduleImport("pyOpenSSL").getMember("SSL").getMember("Connection").getACall()
+  }
+
+  override DataFlow::CfgNode getContext() {
+    result.getNode() in [node.getArg(0), node.getArgByName("context")]
+  }
+}
+
+abstract class TlsLibrary extends string {
+  TlsLibrary() { this in ["ssl"] }
+
+  abstract string specific_insecure_version_name();
+
+  abstract string unspecific_version_name();
+
+  abstract API::Node version_constants();
+
+  DataFlow::Node insecure_version() {
+    result = version_constants().getMember(specific_insecure_version_name()).getAUse()
+  }
+
+  DataFlow::Node unspecific_version() {
+    result = version_constants().getMember(unspecific_version_name()).getAUse()
+  }
+
+  abstract DataFlow::CfgNode default_context_creation();
+
+  abstract ContextCreation specific_context_creation();
+
+  ContextCreation insecure_context_creation() {
+    result = specific_context_creation() and
+    result.getProtocol() = insecure_version()
+  }
+
+  DataFlow::CfgNode unspecific_context_creation() {
+    result = default_context_creation()
+    or
+    result = specific_context_creation() and
+    result.(ContextCreation).getProtocol() = unspecific_version()
+  }
+
+  abstract ConnectionCreation connection_creation();
+}
+
+class Ssl extends TlsLibrary {
+  Ssl() { this = "ssl" }
+
+  override string specific_insecure_version_name() {
+    result in [
+        "PROTOCOL_SSLv2", "PROTOCOL_SSLv3", "PROTOCOL_SSLv23", "PROTOCOL_TLSv1", "PROTOCOL_TLSv1_1"
+      ]
+  }
+
+  override string unspecific_version_name() { result = "PROTOCOL_TLS" }
+
+  override API::Node version_constants() { result = API::moduleImport("ssl") }
+
+  override DataFlow::CfgNode default_context_creation() {
+    result = API::moduleImport("ssl").getMember("create_default_context").getACall()
+  }
+
+  override ContextCreation specific_context_creation() { result instanceof SSLContextCreation }
+
+  override ConnectionCreation connection_creation() { result instanceof WrapSocketCall }
+}
+
+class PyOpenSSL extends TlsLibrary {
+  PyOpenSSL() { this = "pyOpenSSL" }
+
+  override string specific_insecure_version_name() {
+    result in ["SSLv2_METHOD", "SSLv23_METHOD", "SSLv3_METHOD", "TLSv1_METHOD", "TLSv1_1_METHOD"]
+  }
+
+  override string unspecific_version_name() { result = "TLS_METHOD" }
+
+  override API::Node version_constants() {
+    result = API::moduleImport("pyOpenSSL").getMember("SSL")
+  }
+
+  override DataFlow::CfgNode default_context_creation() { none() }
+
+  override ContextCreation specific_context_creation() {
+    result instanceof PyOpenSSLContextCreation
+  }
+
+  override ConnectionCreation connection_creation() { result instanceof ConnectionCall }
+}
+
+module ssl {
+  string insecure_version_name() {
+    result = "PROTOCOL_SSLv2" or
+    result = "PROTOCOL_SSLv3" or
+    result = "PROTOCOL_SSLv23" or
+    result = "PROTOCOL_TLSv1" or
+    result = "PROTOCOL_TLSv1_1"
+  }
+
+  DataFlow::Node insecure_version() {
+    result = API::moduleImport("ssl").getMember(insecure_version_name()).getAUse()
+  }
+}
+
+module pyOpenSSL {
+  string insecure_version_name() {
+    result = "SSLv2_METHOD" or
+    result = "SSLv23_METHOD" or
+    result = "SSLv3_METHOD" or
+    result = "TLSv1_METHOD" or
+    result = "TLSv1_1_METHOD"
+  }
+
+  DataFlow::Node insecure_version() {
+    result =
+      API::moduleImport("pyOpenSSL").getMember("SSL").getMember(insecure_version_name()).getAUse()
+  }
+}
+
+class InsecureContextConfiguration extends DataFlow::Configuration {
+  TlsLibrary library;
+
+  InsecureContextConfiguration() { this = library + ["AllowsTLSv1", "AllowsTLSv1_1"] }
+
+  override predicate isSource(DataFlow::Node source) {
+    source = library.unspecific_context_creation()
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = library.connection_creation().getContext()
+  }
+
+  abstract string flag();
+
+  override predicate isBarrierOut(DataFlow::Node node) {
+    exists(AugAssign aa, AttrNode attr |
+      aa.getOperation().getOp() instanceof BitOr and
+      aa.getTarget() = attr.getNode() and
+      attr.getName() = "options" and
+      attr.getObject() = node.asCfgNode() and
+      aa.getValue() = API::moduleImport("ssl").getMember(flag()).getAUse().asExpr()
+    )
+  }
+}
+
+class AllowsTLSv1 extends InsecureContextConfiguration {
+  AllowsTLSv1() { this = library + "AllowsTLSv1" }
+
+  override string flag() { result = "OP_NO_TLSv1" }
+}
+
+class AllowsTLSv1_1 extends InsecureContextConfiguration {
+  AllowsTLSv1_1() { this = library + "AllowsTLSv1_1" }
+
+  override string flag() { result = "OP_NO_TLSv1_2" }
+}
+
+predicate unsafe_connection_creation(DataFlow::Node node) {
+  exists(AllowsTLSv1 c | c.hasFlowTo(node)) or
+  exists(AllowsTLSv1_1 c | c.hasFlowTo(node)) //or
+  // node = API::moduleImport("ssl").getMember("wrap_socket").getACall()
+}
+
+predicate unsafe_context_creation(DataFlow::Node node) {
+  exists(TlsLibrary l | l.insecure_context_creation() = node)
+}
+
+// class InsecureTLSContextConfiguration extends DataFlow::Configuration {
+//   InsecureTLSContextConfiguration() { this in ["AllowsTLSv1", "AllowsTLSv1_1"] }
+//   override predicate isSource(DataFlow::Node source) {
+//     source instanceof InsecureSSLContextCreation
+//   }
+//   override predicate isSink(DataFlow::Node sink) { sink = any(WrapSocketCall c).getContext() }
+//   abstract string flag();
+//   override predicate isBarrierOut(DataFlow::Node node) {
+//     exists(AugAssign aa, AttrNode attr |
+//       aa.getOperation().getOp() instanceof BitOr and
+//       aa.getTarget() = attr.getNode() and
+//       attr.getName() = "options" and
+//       attr.getObject() = node.asCfgNode() and
+//       aa.getValue() = API::moduleImport("ssl").getMember(flag()).getAUse().asExpr()
+//     )
+//   }
+// }
+// class AllowsTLSv1 extends InsecureTLSContextConfiguration {
+//   AllowsTLSv1() { this = "AllowsTLSv1" }
+//   override string flag() { result = "OP_NO_TLSv1" }
+// }
+// class AllowsTLSv1_1 extends InsecureTLSContextConfiguration {
+//   AllowsTLSv1_1() { this = "AllowsTLSv1_1" }
+//   override string flag() { result = "OP_NO_TLSv1_1" }
+// }
+// predicate unsafe_wrap_socket_call(DataFlow::Node node) {
+//   exists(AllowsTLSv1 c | c.hasFlowTo(node)) or
+//   exists(AllowsTLSv1_1 c | c.hasFlowTo(node)) or
+//   node = API::moduleImport("ssl").getMember("wrap_socket").getACall()
+// }
 private ModuleValue the_ssl_module() { result = Module::named("ssl") }
 
 FunctionValue ssl_wrap_socket() { result = the_ssl_module().attr("wrap_socket") }
@@ -21,20 +284,24 @@ private ModuleValue the_pyOpenSSL_module() { result = Value::named("pyOpenSSL.SS
 
 ClassValue the_pyOpenSSL_Context_class() { result = Value::named("pyOpenSSL.SSL.Context") }
 
-string insecure_version_name() {
-  // For `pyOpenSSL.SSL`
-  result = "SSLv2_METHOD" or
-  result = "SSLv23_METHOD" or
-  result = "SSLv3_METHOD" or
-  result = "TLSv1_METHOD" or
-  // For the `ssl` module
-  result = "PROTOCOL_SSLv2" or
-  result = "PROTOCOL_SSLv3" or
-  result = "PROTOCOL_SSLv23" or
-  result = "PROTOCOL_TLS" or
-  result = "PROTOCOL_TLSv1"
-}
-
+// Since version 3.6, it is fine to call `ssl.SSLContext(protocol=PROTOCOL_TLS)`
+// if one also specifies either OP_NO_TLSv1 (introduced in 3.2)
+// or SSLContext.minimum_version other than TLSVersion.TLSv1 (introduced in 3.7)
+// See https://docs.python.org/3/library/ssl.html?highlight=ssl#ssl.SSLContext
+// and https://docs.python.org/3/library/ssl.html?highlight=ssl#protocol-versions
+// FP reported here: https://github.com/github/codeql/issues/2554
+// string insecure_version_name() {
+//   // For `pyOpenSSL.SSL`
+//   result = "SSLv2_METHOD" or
+//   result = "SSLv23_METHOD" or
+//   result = "SSLv3_METHOD" or
+//   result = "TLSv1_METHOD" or
+//   // For the `ssl` module
+//   result = "PROTOCOL_SSLv2" or
+//   result = "PROTOCOL_SSLv3" or
+//   result = "PROTOCOL_SSLv23" or
+//   result = "PROTOCOL_TLSv1"
+// }
 /*
  * A syntactic check for cases where points-to analysis cannot infer the presence of
  * a protocol constant, e.g. if it has been removed in later versions of the `ssl`
@@ -71,7 +338,7 @@ predicate unsafe_ssl_wrap_socket_call(
     named_argument = "protocol" and
     method_name = "ssl.SSLContext"
   ) and
-  insecure_version = insecure_version_name() and
+  insecure_version = ssl::insecure_version_name() and
   (
     call.getArgByName(named_argument).pointsTo(the_ssl_module().attr(insecure_version))
     or
@@ -81,7 +348,7 @@ predicate unsafe_ssl_wrap_socket_call(
 
 predicate unsafe_pyOpenSSL_Context_call(CallNode call, string insecure_version) {
   call = the_pyOpenSSL_Context_class().getACall() and
-  insecure_version = insecure_version_name() and
+  insecure_version = pyOpenSSL::insecure_version_name() and
   call.getArg(0).pointsTo(the_pyOpenSSL_module().attr(insecure_version))
 }
 
diff --git a/python/ql/src/Security/CWE-327/examples/secure_default_protocol.py b/python/ql/src/Security/CWE-327/examples/secure_default_protocol.py
new file mode 100644
index 00000000000..83c6dbbba0e
--- /dev/null
+++ b/python/ql/src/Security/CWE-327/examples/secure_default_protocol.py
@@ -0,0 +1,13 @@
+# taken from https://docs.python.org/3/library/ssl.html?highlight=ssl#ssl.SSLContext
+
+import socket
+import ssl
+
+hostname = 'www.python.org'
+context = ssl.create_default_context()
+context.options |= ssl.OP_NO_TLSv1 # This added by me
+context.options |= ssl.OP_NO_TLSv1_1 # This added by me
+
+with socket.create_connection((hostname, 443)) as sock:
+    with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+        print(ssock.version())
diff --git a/python/ql/src/Security/CWE-327/examples/secure_protocol.py b/python/ql/src/Security/CWE-327/examples/secure_protocol.py
new file mode 100644
index 00000000000..94b3557d017
--- /dev/null
+++ b/python/ql/src/Security/CWE-327/examples/secure_protocol.py
@@ -0,0 +1,11 @@
+import socket
+import ssl
+
+hostname = 'www.python.org'
+context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+context.options |= ssl.OP_NO_TLSv1
+context.options |= ssl.OP_NO_TLSv1_1 # This added by me
+
+with socket.create_connection((hostname, 443)) as sock:
+    with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+        print(ssock.version())

From 72b37a5b1bb344dcdd9b4e2d1172c540df678408 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Wed, 17 Feb 2021 13:21:33 +0100
Subject: [PATCH 0013/1429] Python: factor out barrier

---
 .../src/Security/CWE-327/InsecureProtocol.ql  | 58 ++++++++++++++++---
 1 file changed, 51 insertions(+), 7 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.ql b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
index 6f2feedce22..6b5b2e75d22 100644
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -87,6 +87,46 @@ class ConnectionCall extends ConnectionCreation {
   }
 }
 
+class ProtocolRestriction extends DataFlow::CfgNode {
+  abstract DataFlow::CfgNode getContext();
+
+  abstract string getRestriction();
+}
+
+class OptionsAugOr extends ProtocolRestriction {
+  string restriction;
+
+  OptionsAugOr() {
+    exists(AugAssign aa, AttrNode attr |
+      aa.getOperation().getOp() instanceof BitOr and
+      aa.getTarget() = attr.getNode() and
+      attr.getName() = "options" and
+      attr.getObject() = node and
+      aa.getValue() = API::moduleImport("ssl").getMember(restriction).getAUse().asExpr()
+    )
+  }
+
+  override DataFlow::CfgNode getContext() { result = this }
+
+  override string getRestriction() { result = restriction }
+}
+
+class SetOptionsCall extends ProtocolRestriction {
+  override CallNode node;
+
+  SetOptionsCall() { node.getFunction().(AttrNode).getName() = "set_options" }
+
+  override DataFlow::CfgNode getContext() {
+    result.getNode() = node.getFunction().(AttrNode).getObject()
+  }
+
+  override string getRestriction() {
+    API::moduleImport("PyOpenSSL").getMember("SSL").getMember(result).getAUse().asCfgNode() in [
+        node.getArg(0), node.getArgByName("options")
+      ]
+  }
+}
+
 abstract class TlsLibrary extends string {
   TlsLibrary() { this in ["ssl"] }
 
@@ -121,6 +161,8 @@ abstract class TlsLibrary extends string {
   }
 
   abstract ConnectionCreation connection_creation();
+
+  abstract ProtocolRestriction protocol_restriction();
 }
 
 class Ssl extends TlsLibrary {
@@ -143,6 +185,8 @@ class Ssl extends TlsLibrary {
   override ContextCreation specific_context_creation() { result instanceof SSLContextCreation }
 
   override ConnectionCreation connection_creation() { result instanceof WrapSocketCall }
+
+  override ProtocolRestriction protocol_restriction() { result instanceof OptionsAugOr }
 }
 
 class PyOpenSSL extends TlsLibrary {
@@ -165,6 +209,8 @@ class PyOpenSSL extends TlsLibrary {
   }
 
   override ConnectionCreation connection_creation() { result instanceof ConnectionCall }
+
+  override ProtocolRestriction protocol_restriction() { result instanceof OptionsAugOr }
 }
 
 module ssl {
@@ -212,12 +258,10 @@ class InsecureContextConfiguration extends DataFlow::Configuration {
   abstract string flag();
 
   override predicate isBarrierOut(DataFlow::Node node) {
-    exists(AugAssign aa, AttrNode attr |
-      aa.getOperation().getOp() instanceof BitOr and
-      aa.getTarget() = attr.getNode() and
-      attr.getName() = "options" and
-      attr.getObject() = node.asCfgNode() and
-      aa.getValue() = API::moduleImport("ssl").getMember(flag()).getAUse().asExpr()
+    exists(ProtocolRestriction r |
+      r = library.protocol_restriction() and
+      node = r.getContext() and
+      r.getRestriction() = flag()
     )
   }
 }
@@ -231,7 +275,7 @@ class AllowsTLSv1 extends InsecureContextConfiguration {
 class AllowsTLSv1_1 extends InsecureContextConfiguration {
   AllowsTLSv1_1() { this = library + "AllowsTLSv1_1" }
 
-  override string flag() { result = "OP_NO_TLSv1_2" }
+  override string flag() { result = "OP_NO_TLSv1_1" }
 }
 
 predicate unsafe_connection_creation(DataFlow::Node node) {

From 7ed018aff6c9f79a3ea60ef8ae4d2f2067b81442 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Wed, 17 Feb 2021 14:30:28 +0100
Subject: [PATCH 0014/1429] Python: refactor into modules and turn on the
 pyOpenSSL module

---
 .../src/Security/CWE-327/InsecureProtocol.ql  | 429 +++++++-----------
 1 file changed, 160 insertions(+), 269 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.ql b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
index 6b5b2e75d22..81b3558907e 100644
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -39,96 +39,18 @@ abstract class ContextCreation extends DataFlow::CfgNode {
   abstract DataFlow::CfgNode getProtocol();
 }
 
-class SSLContextCreation extends ContextCreation {
-  override CallNode node;
-
-  SSLContextCreation() { this = API::moduleImport("ssl").getMember("SSLContext").getACall() }
-
-  override DataFlow::CfgNode getProtocol() {
-    result.getNode() in [node.getArg(0), node.getArgByName("protocol")]
-  }
-}
-
-class PyOpenSSLContextCreation extends ContextCreation {
-  override CallNode node;
-
-  PyOpenSSLContextCreation() {
-    this = API::moduleImport("pyOpenSSL").getMember("SSL").getMember("Context").getACall()
-  }
-
-  override DataFlow::CfgNode getProtocol() {
-    result.getNode() in [node.getArg(0), node.getArgByName("method")]
-  }
-}
-
 abstract class ConnectionCreation extends DataFlow::CfgNode {
   abstract DataFlow::CfgNode getContext();
 }
 
-class WrapSocketCall extends ConnectionCreation {
-  override CallNode node;
-
-  WrapSocketCall() { node.getFunction().(AttrNode).getName() = "wrap_socket" }
-
-  override DataFlow::CfgNode getContext() {
-    result.getNode() = node.getFunction().(AttrNode).getObject()
-  }
-}
-
-class ConnectionCall extends ConnectionCreation {
-  override CallNode node;
-
-  ConnectionCall() {
-    this = API::moduleImport("pyOpenSSL").getMember("SSL").getMember("Connection").getACall()
-  }
-
-  override DataFlow::CfgNode getContext() {
-    result.getNode() in [node.getArg(0), node.getArgByName("context")]
-  }
-}
-
 class ProtocolRestriction extends DataFlow::CfgNode {
   abstract DataFlow::CfgNode getContext();
 
   abstract string getRestriction();
 }
 
-class OptionsAugOr extends ProtocolRestriction {
-  string restriction;
-
-  OptionsAugOr() {
-    exists(AugAssign aa, AttrNode attr |
-      aa.getOperation().getOp() instanceof BitOr and
-      aa.getTarget() = attr.getNode() and
-      attr.getName() = "options" and
-      attr.getObject() = node and
-      aa.getValue() = API::moduleImport("ssl").getMember(restriction).getAUse().asExpr()
-    )
-  }
-
-  override DataFlow::CfgNode getContext() { result = this }
-
-  override string getRestriction() { result = restriction }
-}
-
-class SetOptionsCall extends ProtocolRestriction {
-  override CallNode node;
-
-  SetOptionsCall() { node.getFunction().(AttrNode).getName() = "set_options" }
-
-  override DataFlow::CfgNode getContext() {
-    result.getNode() = node.getFunction().(AttrNode).getObject()
-  }
-
-  override string getRestriction() {
-    API::moduleImport("PyOpenSSL").getMember("SSL").getMember(result).getAUse().asCfgNode() in [
-        node.getArg(0), node.getArgByName("options")
-      ]
-  }
-}
-
 abstract class TlsLibrary extends string {
-  TlsLibrary() { this in ["ssl"] }
+  TlsLibrary() { this in ["ssl", "pyOpenSSL"] }
 
   abstract string specific_insecure_version_name();
 
@@ -160,85 +82,149 @@ abstract class TlsLibrary extends string {
     result.(ContextCreation).getProtocol() = unspecific_version()
   }
 
+  /** A connection is created in an outright insecure manner. */
+  abstract DataFlow::CfgNode insecure_connection_creation();
+
+  /** A connection is created from a context. */
   abstract ConnectionCreation connection_creation();
 
   abstract ProtocolRestriction protocol_restriction();
 }
 
-class Ssl extends TlsLibrary {
-  Ssl() { this = "ssl" }
-
-  override string specific_insecure_version_name() {
-    result in [
-        "PROTOCOL_SSLv2", "PROTOCOL_SSLv3", "PROTOCOL_SSLv23", "PROTOCOL_TLSv1", "PROTOCOL_TLSv1_1"
-      ]
-  }
-
-  override string unspecific_version_name() { result = "PROTOCOL_TLS" }
-
-  override API::Node version_constants() { result = API::moduleImport("ssl") }
-
-  override DataFlow::CfgNode default_context_creation() {
-    result = API::moduleImport("ssl").getMember("create_default_context").getACall()
-  }
-
-  override ContextCreation specific_context_creation() { result instanceof SSLContextCreation }
-
-  override ConnectionCreation connection_creation() { result instanceof WrapSocketCall }
-
-  override ProtocolRestriction protocol_restriction() { result instanceof OptionsAugOr }
-}
-
-class PyOpenSSL extends TlsLibrary {
-  PyOpenSSL() { this = "pyOpenSSL" }
-
-  override string specific_insecure_version_name() {
-    result in ["SSLv2_METHOD", "SSLv23_METHOD", "SSLv3_METHOD", "TLSv1_METHOD", "TLSv1_1_METHOD"]
-  }
-
-  override string unspecific_version_name() { result = "TLS_METHOD" }
-
-  override API::Node version_constants() {
-    result = API::moduleImport("pyOpenSSL").getMember("SSL")
-  }
-
-  override DataFlow::CfgNode default_context_creation() { none() }
-
-  override ContextCreation specific_context_creation() {
-    result instanceof PyOpenSSLContextCreation
-  }
-
-  override ConnectionCreation connection_creation() { result instanceof ConnectionCall }
-
-  override ProtocolRestriction protocol_restriction() { result instanceof OptionsAugOr }
-}
-
 module ssl {
-  string insecure_version_name() {
-    result = "PROTOCOL_SSLv2" or
-    result = "PROTOCOL_SSLv3" or
-    result = "PROTOCOL_SSLv23" or
-    result = "PROTOCOL_TLSv1" or
-    result = "PROTOCOL_TLSv1_1"
+  class SSLContextCreation extends ContextCreation {
+    override CallNode node;
+
+    SSLContextCreation() { this = API::moduleImport("ssl").getMember("SSLContext").getACall() }
+
+    override DataFlow::CfgNode getProtocol() {
+      result.getNode() in [node.getArg(0), node.getArgByName("protocol")]
+    }
   }
 
-  DataFlow::Node insecure_version() {
-    result = API::moduleImport("ssl").getMember(insecure_version_name()).getAUse()
+  class WrapSocketCall extends ConnectionCreation {
+    override CallNode node;
+
+    WrapSocketCall() { node.getFunction().(AttrNode).getName() = "wrap_socket" }
+
+    override DataFlow::CfgNode getContext() {
+      result.getNode() = node.getFunction().(AttrNode).getObject()
+    }
+  }
+
+  class OptionsAugOr extends ProtocolRestriction {
+    string restriction;
+
+    OptionsAugOr() {
+      exists(AugAssign aa, AttrNode attr |
+        aa.getOperation().getOp() instanceof BitOr and
+        aa.getTarget() = attr.getNode() and
+        attr.getName() = "options" and
+        attr.getObject() = node and
+        aa.getValue() = API::moduleImport("ssl").getMember(restriction).getAUse().asExpr()
+      )
+    }
+
+    override DataFlow::CfgNode getContext() { result = this }
+
+    override string getRestriction() { result = restriction }
+  }
+
+  class Ssl extends TlsLibrary {
+    Ssl() { this = "ssl" }
+
+    override string specific_insecure_version_name() {
+      result in [
+          "PROTOCOL_SSLv2", "PROTOCOL_SSLv3", "PROTOCOL_SSLv23", "PROTOCOL_TLSv1",
+          "PROTOCOL_TLSv1_1"
+        ]
+    }
+
+    override string unspecific_version_name() { result = "PROTOCOL_TLS" }
+
+    override API::Node version_constants() { result = API::moduleImport("ssl") }
+
+    override DataFlow::CfgNode default_context_creation() {
+      result = API::moduleImport("ssl").getMember("create_default_context").getACall()
+    }
+
+    override ContextCreation specific_context_creation() { result instanceof SSLContextCreation }
+
+    override DataFlow::CfgNode insecure_connection_creation() {
+      result = API::moduleImport("ssl").getMember("wrap_socket").getACall()
+    }
+
+    override ConnectionCreation connection_creation() { result instanceof WrapSocketCall }
+
+    override ProtocolRestriction protocol_restriction() { result instanceof OptionsAugOr }
   }
 }
 
 module pyOpenSSL {
-  string insecure_version_name() {
-    result = "SSLv2_METHOD" or
-    result = "SSLv23_METHOD" or
-    result = "SSLv3_METHOD" or
-    result = "TLSv1_METHOD" or
-    result = "TLSv1_1_METHOD"
+  class PyOpenSSLContextCreation extends ContextCreation {
+    override CallNode node;
+
+    PyOpenSSLContextCreation() {
+      this = API::moduleImport("pyOpenSSL").getMember("SSL").getMember("Context").getACall()
+    }
+
+    override DataFlow::CfgNode getProtocol() {
+      result.getNode() in [node.getArg(0), node.getArgByName("method")]
+    }
   }
 
-  DataFlow::Node insecure_version() {
-    result =
-      API::moduleImport("pyOpenSSL").getMember("SSL").getMember(insecure_version_name()).getAUse()
+  class ConnectionCall extends ConnectionCreation {
+    override CallNode node;
+
+    ConnectionCall() {
+      this = API::moduleImport("pyOpenSSL").getMember("SSL").getMember("Connection").getACall()
+    }
+
+    override DataFlow::CfgNode getContext() {
+      result.getNode() in [node.getArg(0), node.getArgByName("context")]
+    }
+  }
+
+  class SetOptionsCall extends ProtocolRestriction {
+    override CallNode node;
+
+    SetOptionsCall() { node.getFunction().(AttrNode).getName() = "set_options" }
+
+    override DataFlow::CfgNode getContext() {
+      result.getNode() = node.getFunction().(AttrNode).getObject()
+    }
+
+    override string getRestriction() {
+      API::moduleImport("PyOpenSSL").getMember("SSL").getMember(result).getAUse().asCfgNode() in [
+          node.getArg(0), node.getArgByName("options")
+        ]
+    }
+  }
+
+  class PyOpenSSL extends TlsLibrary {
+    PyOpenSSL() { this = "pyOpenSSL" }
+
+    override string specific_insecure_version_name() {
+      result in ["SSLv2_METHOD", "SSLv23_METHOD", "SSLv3_METHOD", "TLSv1_METHOD", "TLSv1_1_METHOD"]
+    }
+
+    override string unspecific_version_name() { result = "TLS_METHOD" }
+
+    override API::Node version_constants() {
+      result = API::moduleImport("pyOpenSSL").getMember("SSL")
+    }
+
+    override DataFlow::CfgNode default_context_creation() { none() }
+
+    override ContextCreation specific_context_creation() {
+      result instanceof PyOpenSSLContextCreation
+    }
+
+    override DataFlow::CfgNode insecure_connection_creation() { none() }
+
+    override ConnectionCreation connection_creation() { result instanceof ConnectionCall }
+
+    override ProtocolRestriction protocol_restriction() { result instanceof SetOptionsCall }
   }
 }
 
@@ -278,129 +264,34 @@ class AllowsTLSv1_1 extends InsecureContextConfiguration {
   override string flag() { result = "OP_NO_TLSv1_1" }
 }
 
-predicate unsafe_connection_creation(DataFlow::Node node) {
-  exists(AllowsTLSv1 c | c.hasFlowTo(node)) or
-  exists(AllowsTLSv1_1 c | c.hasFlowTo(node)) //or
-  // node = API::moduleImport("ssl").getMember("wrap_socket").getACall()
-}
-
-predicate unsafe_context_creation(DataFlow::Node node) {
-  exists(TlsLibrary l | l.insecure_context_creation() = node)
-}
-
-// class InsecureTLSContextConfiguration extends DataFlow::Configuration {
-//   InsecureTLSContextConfiguration() { this in ["AllowsTLSv1", "AllowsTLSv1_1"] }
-//   override predicate isSource(DataFlow::Node source) {
-//     source instanceof InsecureSSLContextCreation
-//   }
-//   override predicate isSink(DataFlow::Node sink) { sink = any(WrapSocketCall c).getContext() }
-//   abstract string flag();
-//   override predicate isBarrierOut(DataFlow::Node node) {
-//     exists(AugAssign aa, AttrNode attr |
-//       aa.getOperation().getOp() instanceof BitOr and
-//       aa.getTarget() = attr.getNode() and
-//       attr.getName() = "options" and
-//       attr.getObject() = node.asCfgNode() and
-//       aa.getValue() = API::moduleImport("ssl").getMember(flag()).getAUse().asExpr()
-//     )
-//   }
-// }
-// class AllowsTLSv1 extends InsecureTLSContextConfiguration {
-//   AllowsTLSv1() { this = "AllowsTLSv1" }
-//   override string flag() { result = "OP_NO_TLSv1" }
-// }
-// class AllowsTLSv1_1 extends InsecureTLSContextConfiguration {
-//   AllowsTLSv1_1() { this = "AllowsTLSv1_1" }
-//   override string flag() { result = "OP_NO_TLSv1_1" }
-// }
-// predicate unsafe_wrap_socket_call(DataFlow::Node node) {
-//   exists(AllowsTLSv1 c | c.hasFlowTo(node)) or
-//   exists(AllowsTLSv1_1 c | c.hasFlowTo(node)) or
-//   node = API::moduleImport("ssl").getMember("wrap_socket").getACall()
-// }
-private ModuleValue the_ssl_module() { result = Module::named("ssl") }
-
-FunctionValue ssl_wrap_socket() { result = the_ssl_module().attr("wrap_socket") }
-
-ClassValue ssl_Context_class() { result = the_ssl_module().attr("SSLContext") }
-
-private ModuleValue the_pyOpenSSL_module() { result = Value::named("pyOpenSSL.SSL") }
-
-ClassValue the_pyOpenSSL_Context_class() { result = Value::named("pyOpenSSL.SSL.Context") }
-
-// Since version 3.6, it is fine to call `ssl.SSLContext(protocol=PROTOCOL_TLS)`
-// if one also specifies either OP_NO_TLSv1 (introduced in 3.2)
-// or SSLContext.minimum_version other than TLSVersion.TLSv1 (introduced in 3.7)
-// See https://docs.python.org/3/library/ssl.html?highlight=ssl#ssl.SSLContext
-// and https://docs.python.org/3/library/ssl.html?highlight=ssl#protocol-versions
-// FP reported here: https://github.com/github/codeql/issues/2554
-// string insecure_version_name() {
-//   // For `pyOpenSSL.SSL`
-//   result = "SSLv2_METHOD" or
-//   result = "SSLv23_METHOD" or
-//   result = "SSLv3_METHOD" or
-//   result = "TLSv1_METHOD" or
-//   // For the `ssl` module
-//   result = "PROTOCOL_SSLv2" or
-//   result = "PROTOCOL_SSLv3" or
-//   result = "PROTOCOL_SSLv23" or
-//   result = "PROTOCOL_TLSv1"
-// }
-/*
- * A syntactic check for cases where points-to analysis cannot infer the presence of
- * a protocol constant, e.g. if it has been removed in later versions of the `ssl`
- * library.
- */
-
-bindingset[named_argument]
-predicate probable_insecure_ssl_constant(
-  CallNode call, string insecure_version, string named_argument
-) {
-  exists(ControlFlowNode arg |
-    arg = call.getArgByName(named_argument) or
-    arg = call.getArg(0)
-  |
-    arg.(AttrNode).getObject(insecure_version).pointsTo(the_ssl_module())
-    or
-    arg.(NameNode).getId() = insecure_version and
-    exists(Import imp |
-      imp.getAnImportedModuleName() = "ssl" and
-      imp.getAName().getAsname().(Name).getId() = insecure_version
-    )
-  )
-}
-
-predicate unsafe_ssl_wrap_socket_call(
-  CallNode call, string method_name, string insecure_version, string named_argument
-) {
-  (
-    call = ssl_wrap_socket().getACall() and
-    method_name = "deprecated method ssl.wrap_socket" and
-    named_argument = "ssl_version"
-    or
-    call = ssl_Context_class().getACall() and
-    named_argument = "protocol" and
-    method_name = "ssl.SSLContext"
-  ) and
-  insecure_version = ssl::insecure_version_name() and
-  (
-    call.getArgByName(named_argument).pointsTo(the_ssl_module().attr(insecure_version))
-    or
-    probable_insecure_ssl_constant(call, insecure_version, named_argument)
-  )
-}
-
-predicate unsafe_pyOpenSSL_Context_call(CallNode call, string insecure_version) {
-  call = the_pyOpenSSL_Context_class().getACall() and
-  insecure_version = pyOpenSSL::insecure_version_name() and
-  call.getArg(0).pointsTo(the_pyOpenSSL_module().attr(insecure_version))
-}
-
-from CallNode call, string method_name, string insecure_version
-where
-  unsafe_ssl_wrap_socket_call(call, method_name, insecure_version, _)
+predicate unsafe_connection_creation(DataFlow::Node node, string insecure_version) {
+  exists(AllowsTLSv1 c | c.hasFlowTo(node)) and
+  insecure_version = "TLSv1"
   or
-  unsafe_pyOpenSSL_Context_call(call, insecure_version) and method_name = "pyOpenSSL.SSL.Context"
-select call,
-  "Insecure SSL/TLS protocol version " + insecure_version + " specified in call to " + method_name +
-    "."
+  exists(AllowsTLSv1_1 c | c.hasFlowTo(node)) and
+  insecure_version = "TLSv1"
+  or
+  exists(TlsLibrary l | l.insecure_connection_creation() = node) and
+  insecure_version = "[multiple]"
+}
+
+predicate unsafe_context_creation(DataFlow::Node node, string insecure_version) {
+  exists(TlsLibrary l, ContextCreation cc | cc = l.insecure_context_creation() |
+    cc = node and insecure_version = cc.getProtocol().toString()
+  )
+}
+
+from DataFlow::Node node, string insecure_version
+where
+  unsafe_connection_creation(node, insecure_version)
+  or
+  unsafe_context_creation(node, insecure_version)
+select node, "Insecure SSL/TLS protocol version " + insecure_version //+ " specified in call to " + method_name + "."
+// from CallNode call, string method_name, string insecure_version
+// where
+//   unsafe_ssl_wrap_socket_call(call, method_name, insecure_version, _)
+//   or
+//   unsafe_pyOpenSSL_Context_call(call, insecure_version) and method_name = "pyOpenSSL.SSL.Context"
+// select call,
+//   "Insecure SSL/TLS protocol version " + insecure_version + " specified in call to " + method_name +
+//     "."

From 186db7f43ec254792ca3b0ded440fd0a06080711 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Sun, 21 Feb 2021 12:07:48 +0100
Subject: [PATCH 0015/1429] Python: factor into modules and files

---
 .../src/Security/CWE-327/FluentApiModel.qll   |  54 ++++
 .../src/Security/CWE-327/InsecureProtocol.ql  | 268 +-----------------
 python/ql/src/Security/CWE-327/PyOpenSSL.qll  |  73 +++++
 python/ql/src/Security/CWE-327/Ssl.qll        | 106 +++++++
 .../src/Security/CWE-327/TlsLibraryModel.qll  |  80 ++++++
 5 files changed, 315 insertions(+), 266 deletions(-)
 create mode 100644 python/ql/src/Security/CWE-327/FluentApiModel.qll
 create mode 100644 python/ql/src/Security/CWE-327/PyOpenSSL.qll
 create mode 100644 python/ql/src/Security/CWE-327/Ssl.qll
 create mode 100644 python/ql/src/Security/CWE-327/TlsLibraryModel.qll

diff --git a/python/ql/src/Security/CWE-327/FluentApiModel.qll b/python/ql/src/Security/CWE-327/FluentApiModel.qll
new file mode 100644
index 00000000000..4c2278b8694
--- /dev/null
+++ b/python/ql/src/Security/CWE-327/FluentApiModel.qll
@@ -0,0 +1,54 @@
+import python
+import TlsLibraryModel
+
+class InsecureContextConfiguration extends DataFlow::Configuration {
+  TlsLibrary library;
+
+  InsecureContextConfiguration() { this = library + ["AllowsTLSv1", "AllowsTLSv1_1"] }
+
+  override predicate isSource(DataFlow::Node source) {
+    source = library.unspecific_context_creation()
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = library.connection_creation().getContext()
+  }
+
+  abstract string flag();
+
+  override predicate isBarrierOut(DataFlow::Node node) {
+    exists(ProtocolRestriction r |
+      r = library.protocol_restriction() and
+      node = r.getContext() and
+      r.getRestriction() = flag()
+    )
+  }
+}
+
+class AllowsTLSv1 extends InsecureContextConfiguration {
+  AllowsTLSv1() { this = library + "AllowsTLSv1" }
+
+  override string flag() { result = "TLSv1" }
+}
+
+class AllowsTLSv1_1 extends InsecureContextConfiguration {
+  AllowsTLSv1_1() { this = library + "AllowsTLSv1_1" }
+
+  override string flag() { result = "TLSv1_1" }
+}
+
+predicate unsafe_connection_creation(DataFlow::Node node, ProtocolVersion insecure_version) {
+  exists(AllowsTLSv1 c | c.hasFlowTo(node)) and
+  insecure_version = "TLSv1"
+  or
+  exists(AllowsTLSv1_1 c | c.hasFlowTo(node)) and
+  insecure_version = "TLSv1_1"
+  or
+  exists(TlsLibrary l | l.insecure_connection_creation(insecure_version) = node)
+}
+
+predicate unsafe_context_creation(DataFlow::Node node, string insecure_version) {
+  exists(TlsLibrary l, ContextCreation cc | cc = l.insecure_context_creation(insecure_version) |
+    cc = node
+  )
+}
diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.ql b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
index 81b3558907e..b873e5f3ce8 100644
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -10,277 +10,13 @@
  */
 
 import python
-import semmle.python.ApiGraphs
+import FluentApiModel
 
+// string foo(ProtocolRestriction r) { result = r.getRestriction() }
 // The idea is to track flow from the creation of an insecure context to a use
 // such as `wrap_socket`. There should be a data-flow path for each insecure version
 // and each path should have a version specific sanitizer. This will allow fluent api
 // style code to block the paths one by one.
-//
-// class InsecureContextCreation extends DataFlow::CfgNode {
-//   override CallNode node;
-//   InsecureContextCreation() {
-//     this = API::moduleImport("ssl").getMember("SSLContext").getACall() and
-//     insecure_version().asCfgNode() in [node.getArg(0), node.getArgByName("protocol")]
-//   }
-// }
-// class InsecureSSLContextCreation extends DataFlow::CfgNode {
-//   override CallNode node;
-//   InsecureSSLContextCreation() {
-//     this = API::moduleImport("ssl").getMember("create_default_context").getACall()
-//     or
-//     this = API::moduleImport("ssl").getMember("SSLContext").getACall() and
-//     API::moduleImport("ssl").getMember("PROTOCOL_TLS").getAUse().asCfgNode() in [
-//         node.getArg(0), node.getArgByName("protocol")
-//       ]
-//   }
-// }
-abstract class ContextCreation extends DataFlow::CfgNode {
-  abstract DataFlow::CfgNode getProtocol();
-}
-
-abstract class ConnectionCreation extends DataFlow::CfgNode {
-  abstract DataFlow::CfgNode getContext();
-}
-
-class ProtocolRestriction extends DataFlow::CfgNode {
-  abstract DataFlow::CfgNode getContext();
-
-  abstract string getRestriction();
-}
-
-abstract class TlsLibrary extends string {
-  TlsLibrary() { this in ["ssl", "pyOpenSSL"] }
-
-  abstract string specific_insecure_version_name();
-
-  abstract string unspecific_version_name();
-
-  abstract API::Node version_constants();
-
-  DataFlow::Node insecure_version() {
-    result = version_constants().getMember(specific_insecure_version_name()).getAUse()
-  }
-
-  DataFlow::Node unspecific_version() {
-    result = version_constants().getMember(unspecific_version_name()).getAUse()
-  }
-
-  abstract DataFlow::CfgNode default_context_creation();
-
-  abstract ContextCreation specific_context_creation();
-
-  ContextCreation insecure_context_creation() {
-    result = specific_context_creation() and
-    result.getProtocol() = insecure_version()
-  }
-
-  DataFlow::CfgNode unspecific_context_creation() {
-    result = default_context_creation()
-    or
-    result = specific_context_creation() and
-    result.(ContextCreation).getProtocol() = unspecific_version()
-  }
-
-  /** A connection is created in an outright insecure manner. */
-  abstract DataFlow::CfgNode insecure_connection_creation();
-
-  /** A connection is created from a context. */
-  abstract ConnectionCreation connection_creation();
-
-  abstract ProtocolRestriction protocol_restriction();
-}
-
-module ssl {
-  class SSLContextCreation extends ContextCreation {
-    override CallNode node;
-
-    SSLContextCreation() { this = API::moduleImport("ssl").getMember("SSLContext").getACall() }
-
-    override DataFlow::CfgNode getProtocol() {
-      result.getNode() in [node.getArg(0), node.getArgByName("protocol")]
-    }
-  }
-
-  class WrapSocketCall extends ConnectionCreation {
-    override CallNode node;
-
-    WrapSocketCall() { node.getFunction().(AttrNode).getName() = "wrap_socket" }
-
-    override DataFlow::CfgNode getContext() {
-      result.getNode() = node.getFunction().(AttrNode).getObject()
-    }
-  }
-
-  class OptionsAugOr extends ProtocolRestriction {
-    string restriction;
-
-    OptionsAugOr() {
-      exists(AugAssign aa, AttrNode attr |
-        aa.getOperation().getOp() instanceof BitOr and
-        aa.getTarget() = attr.getNode() and
-        attr.getName() = "options" and
-        attr.getObject() = node and
-        aa.getValue() = API::moduleImport("ssl").getMember(restriction).getAUse().asExpr()
-      )
-    }
-
-    override DataFlow::CfgNode getContext() { result = this }
-
-    override string getRestriction() { result = restriction }
-  }
-
-  class Ssl extends TlsLibrary {
-    Ssl() { this = "ssl" }
-
-    override string specific_insecure_version_name() {
-      result in [
-          "PROTOCOL_SSLv2", "PROTOCOL_SSLv3", "PROTOCOL_SSLv23", "PROTOCOL_TLSv1",
-          "PROTOCOL_TLSv1_1"
-        ]
-    }
-
-    override string unspecific_version_name() { result = "PROTOCOL_TLS" }
-
-    override API::Node version_constants() { result = API::moduleImport("ssl") }
-
-    override DataFlow::CfgNode default_context_creation() {
-      result = API::moduleImport("ssl").getMember("create_default_context").getACall()
-    }
-
-    override ContextCreation specific_context_creation() { result instanceof SSLContextCreation }
-
-    override DataFlow::CfgNode insecure_connection_creation() {
-      result = API::moduleImport("ssl").getMember("wrap_socket").getACall()
-    }
-
-    override ConnectionCreation connection_creation() { result instanceof WrapSocketCall }
-
-    override ProtocolRestriction protocol_restriction() { result instanceof OptionsAugOr }
-  }
-}
-
-module pyOpenSSL {
-  class PyOpenSSLContextCreation extends ContextCreation {
-    override CallNode node;
-
-    PyOpenSSLContextCreation() {
-      this = API::moduleImport("pyOpenSSL").getMember("SSL").getMember("Context").getACall()
-    }
-
-    override DataFlow::CfgNode getProtocol() {
-      result.getNode() in [node.getArg(0), node.getArgByName("method")]
-    }
-  }
-
-  class ConnectionCall extends ConnectionCreation {
-    override CallNode node;
-
-    ConnectionCall() {
-      this = API::moduleImport("pyOpenSSL").getMember("SSL").getMember("Connection").getACall()
-    }
-
-    override DataFlow::CfgNode getContext() {
-      result.getNode() in [node.getArg(0), node.getArgByName("context")]
-    }
-  }
-
-  class SetOptionsCall extends ProtocolRestriction {
-    override CallNode node;
-
-    SetOptionsCall() { node.getFunction().(AttrNode).getName() = "set_options" }
-
-    override DataFlow::CfgNode getContext() {
-      result.getNode() = node.getFunction().(AttrNode).getObject()
-    }
-
-    override string getRestriction() {
-      API::moduleImport("PyOpenSSL").getMember("SSL").getMember(result).getAUse().asCfgNode() in [
-          node.getArg(0), node.getArgByName("options")
-        ]
-    }
-  }
-
-  class PyOpenSSL extends TlsLibrary {
-    PyOpenSSL() { this = "pyOpenSSL" }
-
-    override string specific_insecure_version_name() {
-      result in ["SSLv2_METHOD", "SSLv23_METHOD", "SSLv3_METHOD", "TLSv1_METHOD", "TLSv1_1_METHOD"]
-    }
-
-    override string unspecific_version_name() { result = "TLS_METHOD" }
-
-    override API::Node version_constants() {
-      result = API::moduleImport("pyOpenSSL").getMember("SSL")
-    }
-
-    override DataFlow::CfgNode default_context_creation() { none() }
-
-    override ContextCreation specific_context_creation() {
-      result instanceof PyOpenSSLContextCreation
-    }
-
-    override DataFlow::CfgNode insecure_connection_creation() { none() }
-
-    override ConnectionCreation connection_creation() { result instanceof ConnectionCall }
-
-    override ProtocolRestriction protocol_restriction() { result instanceof SetOptionsCall }
-  }
-}
-
-class InsecureContextConfiguration extends DataFlow::Configuration {
-  TlsLibrary library;
-
-  InsecureContextConfiguration() { this = library + ["AllowsTLSv1", "AllowsTLSv1_1"] }
-
-  override predicate isSource(DataFlow::Node source) {
-    source = library.unspecific_context_creation()
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    sink = library.connection_creation().getContext()
-  }
-
-  abstract string flag();
-
-  override predicate isBarrierOut(DataFlow::Node node) {
-    exists(ProtocolRestriction r |
-      r = library.protocol_restriction() and
-      node = r.getContext() and
-      r.getRestriction() = flag()
-    )
-  }
-}
-
-class AllowsTLSv1 extends InsecureContextConfiguration {
-  AllowsTLSv1() { this = library + "AllowsTLSv1" }
-
-  override string flag() { result = "OP_NO_TLSv1" }
-}
-
-class AllowsTLSv1_1 extends InsecureContextConfiguration {
-  AllowsTLSv1_1() { this = library + "AllowsTLSv1_1" }
-
-  override string flag() { result = "OP_NO_TLSv1_1" }
-}
-
-predicate unsafe_connection_creation(DataFlow::Node node, string insecure_version) {
-  exists(AllowsTLSv1 c | c.hasFlowTo(node)) and
-  insecure_version = "TLSv1"
-  or
-  exists(AllowsTLSv1_1 c | c.hasFlowTo(node)) and
-  insecure_version = "TLSv1"
-  or
-  exists(TlsLibrary l | l.insecure_connection_creation() = node) and
-  insecure_version = "[multiple]"
-}
-
-predicate unsafe_context_creation(DataFlow::Node node, string insecure_version) {
-  exists(TlsLibrary l, ContextCreation cc | cc = l.insecure_context_creation() |
-    cc = node and insecure_version = cc.getProtocol().toString()
-  )
-}
-
 from DataFlow::Node node, string insecure_version
 where
   unsafe_connection_creation(node, insecure_version)
diff --git a/python/ql/src/Security/CWE-327/PyOpenSSL.qll b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
new file mode 100644
index 00000000000..b9a68648f93
--- /dev/null
+++ b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
@@ -0,0 +1,73 @@
+import python
+import semmle.python.ApiGraphs
+import TlsLibraryModel
+
+class PyOpenSSLContextCreation extends ContextCreation {
+  override CallNode node;
+
+  PyOpenSSLContextCreation() {
+    this = API::moduleImport("OpenSSL").getMember("SSL").getMember("Context").getACall()
+  }
+
+  override DataFlow::CfgNode getProtocol() {
+    result.getNode() in [node.getArg(0), node.getArgByName("method")]
+  }
+}
+
+class ConnectionCall extends ConnectionCreation {
+  override CallNode node;
+
+  ConnectionCall() {
+    this = API::moduleImport("OpenSSL").getMember("SSL").getMember("Connection").getACall()
+  }
+
+  override DataFlow::CfgNode getContext() {
+    result.getNode() in [node.getArg(0), node.getArgByName("context")]
+  }
+}
+
+class SetOptionsCall extends ProtocolRestriction {
+  override CallNode node;
+
+  SetOptionsCall() { node.getFunction().(AttrNode).getName() = "set_options" }
+
+  override DataFlow::CfgNode getContext() {
+    result.getNode() = node.getFunction().(AttrNode).getObject()
+  }
+
+  override ProtocolVersion getRestriction() {
+    API::moduleImport("OpenSSL").getMember("SSL").getMember("OP_NO_" + result).getAUse().asCfgNode() in [
+        node.getArg(0), node.getArgByName("options")
+      ]
+  }
+}
+
+class PyOpenSSL extends TlsLibrary {
+  PyOpenSSL() { this = "pyOpenSSL" }
+
+  override string specific_insecure_version_name(ProtocolVersion version) {
+    version in ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1"] and
+    result = version + "_METHOD"
+  }
+
+  override string unspecific_version_name() {
+    result in [
+        "TLS_METHOD", // This is not actually available in pyOpenSSL yet
+        "SSLv23_METHOD" // This is what can negotiate TLS 1.3 (indeed, I know, I did test that..)
+      ]
+  }
+
+  override API::Node version_constants() { result = API::moduleImport("OpenSSL").getMember("SSL") }
+
+  override DataFlow::CfgNode default_context_creation() { none() }
+
+  override ContextCreation specific_context_creation() {
+    result instanceof PyOpenSSLContextCreation
+  }
+
+  override DataFlow::CfgNode insecure_connection_creation(ProtocolVersion version) { none() }
+
+  override ConnectionCreation connection_creation() { result instanceof ConnectionCall }
+
+  override ProtocolRestriction protocol_restriction() { result instanceof SetOptionsCall }
+}
diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
new file mode 100644
index 00000000000..369149fd638
--- /dev/null
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -0,0 +1,106 @@
+import python
+import semmle.python.ApiGraphs
+import semmle.python.dataflow.new.internal.Attributes as Attributes
+import TlsLibraryModel
+
+class SSLContextCreation extends ContextCreation {
+  override CallNode node;
+
+  SSLContextCreation() { this = API::moduleImport("ssl").getMember("SSLContext").getACall() }
+
+  override DataFlow::CfgNode getProtocol() {
+    result.getNode() in [node.getArg(0), node.getArgByName("protocol")]
+  }
+}
+
+class WrapSocketCall extends ConnectionCreation {
+  override CallNode node;
+
+  WrapSocketCall() { node.getFunction().(AttrNode).getName() = "wrap_socket" }
+
+  override DataFlow::CfgNode getContext() {
+    result.getNode() = node.getFunction().(AttrNode).getObject()
+  }
+}
+
+class OptionsAugOr extends ProtocolRestriction {
+  ProtocolVersion restriction;
+
+  OptionsAugOr() {
+    exists(AugAssign aa, AttrNode attr |
+      aa.getOperation().getOp() instanceof BitOr and
+      aa.getTarget() = attr.getNode() and
+      attr.getName() = "options" and
+      attr.getObject() = node and
+      API::moduleImport("ssl").getMember("OP_NO_" + restriction).getAUse().asExpr() in [
+          aa.getValue(), aa.getValue().getAChildNode()
+        ]
+    )
+  }
+
+  override DataFlow::CfgNode getContext() { result = this }
+
+  override ProtocolVersion getRestriction() { result = restriction }
+}
+
+class ContextSetVersion extends ProtocolRestriction {
+  string restriction;
+
+  ContextSetVersion() {
+    exists(Attributes::AttrWrite aw |
+      aw.getObject().asCfgNode() = node and
+      aw.getAttributeName() = "minimum_version" and
+      aw.getValue() =
+        API::moduleImport("ssl").getMember("TLSVersion").getMember(restriction).getAUse()
+    )
+  }
+
+  override DataFlow::CfgNode getContext() { result = this }
+
+  override ProtocolVersion getRestriction() { result.lessThan(restriction) }
+}
+
+class Ssl extends TlsLibrary {
+  Ssl() { this = "ssl" }
+
+  override string specific_insecure_version_name(ProtocolVersion version) {
+    version in ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1"] and
+    result = "PROTOCOL_" + version
+    // result in ["PROTOCOL_SSLv2", "PROTOCOL_SSLv3", "PROTOCOL_TLSv1", "PROTOCOL_TLSv1_1"]
+  }
+
+  override string unspecific_version_name() {
+    result =
+      "PROTOCOL_" +
+        [
+          "TLS",
+          // This can negotiate a TLS 1.3 connection (!)
+          // see https://docs.python.org/3/library/ssl.html#ssl-contexts
+          "SSLv23"
+        ]
+  }
+
+  override API::Node version_constants() { result = API::moduleImport("ssl") }
+
+  override DataFlow::CfgNode default_context_creation() {
+    result = API::moduleImport("ssl").getMember("create_default_context").getACall() //and
+    // see https://docs.python.org/3/library/ssl.html#context-creation
+    // version in ["TLSv1", "TLSv1_1"]
+  }
+
+  override ContextCreation specific_context_creation() { result instanceof SSLContextCreation }
+
+  override DataFlow::CfgNode insecure_connection_creation(ProtocolVersion version) {
+    result = API::moduleImport("ssl").getMember("wrap_socket").getACall() and
+    insecure_version(version).asCfgNode() =
+      result.asCfgNode().(CallNode).getArgByName("ssl_version")
+  }
+
+  override ConnectionCreation connection_creation() { result instanceof WrapSocketCall }
+
+  override ProtocolRestriction protocol_restriction() {
+    result instanceof OptionsAugOr
+    or
+    result instanceof ContextSetVersion
+  }
+}
diff --git a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
new file mode 100644
index 00000000000..41db81ad1c8
--- /dev/null
+++ b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
@@ -0,0 +1,80 @@
+import python
+import semmle.python.ApiGraphs
+import Ssl
+import PyOpenSSL
+
+/**
+ * A specific protocol version.
+ * We use this to identify a protocol.
+ */
+class ProtocolVersion extends string {
+  ProtocolVersion() { this in ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"] }
+
+  predicate lessThan(ProtocolVersion version) {
+    this = "SSLv2" and version = "SSLv3"
+    or
+    this = "TLSv1" and version = ["TLSv1_1", "TLSv1_2", "TLSv1_3"]
+    or
+    this = ["TLSv1", "TLSv1_1"] and version = ["TLSv1_2", "TLSv1_3"]
+    or
+    this = ["TLSv1", "TLSv1_1", "TLSv1_2"] and version = "TLSv1_3"
+  }
+}
+
+abstract class ContextCreation extends DataFlow::CfgNode {
+  abstract DataFlow::CfgNode getProtocol();
+}
+
+abstract class ConnectionCreation extends DataFlow::CfgNode {
+  abstract DataFlow::CfgNode getContext();
+}
+
+abstract class ProtocolRestriction extends DataFlow::CfgNode {
+  abstract DataFlow::CfgNode getContext();
+
+  abstract ProtocolVersion getRestriction();
+}
+
+abstract class TlsLibrary extends string {
+  TlsLibrary() { this in ["ssl", "pyOpenSSL"] }
+
+  /** The name of a specific protocol version, known to be insecure. */
+  abstract string specific_insecure_version_name(ProtocolVersion version);
+
+  /** The name of an unspecific protocol version, say TLS, known to have insecure insatnces. */
+  abstract string unspecific_version_name();
+
+  abstract API::Node version_constants();
+
+  DataFlow::Node insecure_version(ProtocolVersion version) {
+    result = version_constants().getMember(specific_insecure_version_name(version)).getAUse()
+  }
+
+  DataFlow::Node unspecific_version() {
+    result = version_constants().getMember(unspecific_version_name()).getAUse()
+  }
+
+  abstract DataFlow::CfgNode default_context_creation();
+
+  abstract ContextCreation specific_context_creation();
+
+  ContextCreation insecure_context_creation(ProtocolVersion version) {
+    result = specific_context_creation() and
+    result.getProtocol() = insecure_version(version)
+  }
+
+  DataFlow::CfgNode unspecific_context_creation() {
+    result = default_context_creation()
+    or
+    result = specific_context_creation() and
+    result.(ContextCreation).getProtocol() = unspecific_version()
+  }
+
+  /** A connection is created in an outright insecure manner. */
+  abstract DataFlow::CfgNode insecure_connection_creation(ProtocolVersion version);
+
+  /** A connection is created from a context. */
+  abstract ConnectionCreation connection_creation();
+
+  abstract ProtocolRestriction protocol_restriction();
+}

From 87e1a062ea750a3b2acc95d75583099c055defe9 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Sun, 21 Feb 2021 12:08:11 +0100
Subject: [PATCH 0016/1429] Python: fluent api tests

---
 .../Security/CWE-327/pyOpenSSL_fluent.py      | 31 +++++++
 .../Security/CWE-327/ssl_fluent.py            | 87 +++++++++++++++++++
 2 files changed, 118 insertions(+)
 create mode 100644 python/ql/test/query-tests/Security/CWE-327/pyOpenSSL_fluent.py
 create mode 100644 python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py

diff --git a/python/ql/test/query-tests/Security/CWE-327/pyOpenSSL_fluent.py b/python/ql/test/query-tests/Security/CWE-327/pyOpenSSL_fluent.py
new file mode 100644
index 00000000000..028c318be66
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-327/pyOpenSSL_fluent.py
@@ -0,0 +1,31 @@
+import socket
+from OpenSSL import SSL
+
+def test_fluent():
+    hostname = 'www.python.org'
+    context = SSL.Context(SSL.SSLv23_METHOD)
+
+    conn = SSL.Connection(context, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+    r = conn.connect((hostname, 443))
+    print(conn.get_protocol_version_name())
+
+
+def test_fluent_no_TLSv1():
+    hostname = 'www.python.org'
+    context = SSL.Context(SSL.SSLv23_METHOD)
+    context.set_options(SSL.OP_NO_TLSv1)
+
+    conn = SSL.Connection(context, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+    r = conn.connect((hostname, 443))
+    print(conn.get_protocol_version_name())
+
+
+def test_fluent_safe():
+    hostname = 'www.python.org'
+    context = SSL.Context(SSL.SSLv23_METHOD)
+    context.set_options(SSL.OP_NO_TLSv1)
+    context.set_options(SSL.OP_NO_TLSv1_1)
+
+    conn = SSL.Connection(context, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+    r = conn.connect((hostname, 443))
+    print(r, conn.get_protocol_version_name())
diff --git a/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py b/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
new file mode 100644
index 00000000000..9f9e01294cb
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
@@ -0,0 +1,87 @@
+import socket
+import ssl
+
+def test_fluent_tls():
+    hostname = 'www.python.org'
+    context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+
+    with socket.create_connection((hostname, 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+
+def test_fluent_tls_no_TLSv1():
+    hostname = 'www.python.org'
+    context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+    context.options |= ssl.OP_NO_TLSv1
+
+    with socket.create_connection((hostname, 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+def test_fluent_tls_safe():
+    hostname = 'www.python.org'
+    context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+    context.options |= ssl.OP_NO_TLSv1
+    context.options |= ssl.OP_NO_TLSv1_1
+
+    with socket.create_connection((hostname, 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+def test_fluent_ssl():
+    hostname = 'www.python.org'
+    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+
+    with socket.create_connection((hostname, 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+
+def test_fluent_ssl_no_TLSv1():
+    hostname = 'www.python.org'
+    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context.options |= ssl.OP_NO_TLSv1
+
+    with socket.create_connection((hostname, 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+def test_fluent_ssl_safe():
+    hostname = 'www.python.org'
+    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context.options |= ssl.OP_NO_TLSv1
+    context.options |= ssl.OP_NO_TLSv1_1
+
+    with socket.create_connection((hostname, 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+def test_fluent_ssl_safe_combined():
+    hostname = 'www.python.org'
+    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+
+    with socket.create_connection((hostname, 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+# From Python 3.7
+# see https://docs.python.org/3/library/ssl.html#ssl.SSLContext.minimum_version
+def test_fluent_ssl_unsafe_version():
+    hostname = 'www.python.org'
+    context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+    context.minimum_version = ssl.TLSVersion.TLSv1_1
+
+    with socket.create_connection((hostname, 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+def test_fluent_ssl_safe_version():
+    hostname = 'www.python.org'
+    context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+    context.minimum_version = ssl.TLSVersion.TLSv1_3
+
+    with socket.create_connection((hostname, 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())

From ea8c6f04e2ba137b6501152f22b93f642e17b372 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Sun, 21 Feb 2021 12:09:56 +0100
Subject: [PATCH 0017/1429] Python: Update old test and qlhelp

---
 .../Security/CWE-327/InsecureProtocol.qhelp   |  6 ++---
 python/ql/src/Security/CWE-327/ReadMe.md      | 24 +++++++++++++++++++
 .../Security/CWE-327/InsecureProtocol.py      |  8 +++----
 3 files changed, 31 insertions(+), 7 deletions(-)
 create mode 100644 python/ql/src/Security/CWE-327/ReadMe.md

diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.qhelp b/python/ql/src/Security/CWE-327/InsecureProtocol.qhelp
index 63545129cc7..4a7364ca14e 100644
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.qhelp
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.qhelp
@@ -13,8 +13,8 @@
 
           <p>
             Ensure that a modern, strong protocol is used. All versions of SSL,
-            and TLS 1.0 are known to be vulnerable to attacks. Using TLS 1.1 or
-            above is strongly recommended.
+            and TLS versions 1.0 and 1.1 are known to be vulnerable to attacks.
+            Using TLS 1.2 or above is strongly recommended.
           </p>
 
      </recommendation>
@@ -30,7 +30,7 @@
 
           <p>
             All cases should be updated to use a secure protocol, such as
-            <code>PROTOCOL_TLSv1_1</code>.
+            <code>PROTOCOL_TLSv1_2</code>.
           </p>
           <p>
             Note that <code>ssl.wrap_socket</code> has been deprecated in
diff --git a/python/ql/src/Security/CWE-327/ReadMe.md b/python/ql/src/Security/CWE-327/ReadMe.md
new file mode 100644
index 00000000000..c5330a78fda
--- /dev/null
+++ b/python/ql/src/Security/CWE-327/ReadMe.md
@@ -0,0 +1,24 @@
+# Current status (Feb 2021)
+
+This should be kept up to date; the world is moving fast and protocols are being broken.
+
+## Protocols
+
+- All versions of SSL are insecure
+- TLS 1.0 and TLS 1.1 are insecure
+- TLS 1.2 have some issues. but TLS 1.3 is not widely supported
+
+## Conection methods
+
+- `ssl.wrap_socket` is creating insecure connections, use `SSLContext.wrap_socket` instead. [link](https://docs.python.org/3/library/ssl.html#ssl.wrap_socket)
+    > Deprecated since version 3.7: Since Python 3.2 and 2.7.9, it is recommended to use the `SSLContext.wrap_socket()` instead of `wrap_socket()`. The top-level function is limited and creates an insecure client socket without server name indication or hostname matching.
+- Default consteructors are fine, a sluent api is used to constrain possible protocols later.
+
+## Current recomendation
+
+TLS 1.2 or TLS 1.3
+
+## Queries
+
+- `InsecureProtocol` detects uses of insecure protocols.
+- `InsecureDefaultProtocol` detect default constructions, this is no longer unsafe.
diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
index 5a6d044aa6d..cb21a6623c9 100644
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
@@ -1,5 +1,5 @@
 import ssl
-from pyOpenSSL import SSL
+from OpenSSL import SSL
 from ssl import SSLContext
 
 # true positives
@@ -33,9 +33,9 @@ SSL.Context(METHOD)
 
 # secure versions
 
-ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1_1)
-SSLContext(protocol=ssl.PROTOCOL_TLSv1_1)
-SSL.Context(SSL.TLSv1_1_METHOD)
+ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1_2)
+SSLContext(protocol=ssl.PROTOCOL_TLSv1_2)
+SSL.Context(SSL.TLSv1_2_METHOD)
 
 # possibly insecure default
 ssl.wrap_socket()

From 3b856010f28ade83481b3e9fe553c4bb56f0f432 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Tue, 23 Feb 2021 19:29:30 +0100
Subject: [PATCH 0018/1429] Python: add TODO comment

---
 python/ql/src/Security/CWE-327/Ssl.qll | 1 +
 1 file changed, 1 insertion(+)

diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index 369149fd638..e3247d5143c 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -32,6 +32,7 @@ class OptionsAugOr extends ProtocolRestriction {
       aa.getTarget() = attr.getNode() and
       attr.getName() = "options" and
       attr.getObject() = node and
+      // TODO: Use something like BoolExpr::impliesValue here
       API::moduleImport("ssl").getMember("OP_NO_" + restriction).getAUse().asExpr() in [
           aa.getValue(), aa.getValue().getAChildNode()
         ]

From d5171fc043cd4a66372780bcbe5c758cd7c594e2 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 26 Feb 2021 21:12:34 +0100
Subject: [PATCH 0019/1429] Python: Comment everything

---
 .../src/Security/CWE-327/FluentApiModel.qll   | 15 +++++++++++++
 .../src/Security/CWE-327/InsecureProtocol.ql  | 13 ------------
 python/ql/src/Security/CWE-327/PyOpenSSL.qll  |  2 +-
 python/ql/src/Security/CWE-327/Ssl.qll        | 17 ++++++++++-----
 .../src/Security/CWE-327/TlsLibraryModel.qll  | 21 ++++++++++++++++---
 5 files changed, 46 insertions(+), 22 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/FluentApiModel.qll b/python/ql/src/Security/CWE-327/FluentApiModel.qll
index 4c2278b8694..3dc12e2f434 100644
--- a/python/ql/src/Security/CWE-327/FluentApiModel.qll
+++ b/python/ql/src/Security/CWE-327/FluentApiModel.qll
@@ -1,6 +1,11 @@
 import python
 import TlsLibraryModel
 
+/**
+ * Configuration to track flow from the creation of a context to
+ * that context being used to create a connection.
+ * Flow is broken if the insecure protocol of interest is being restricted.
+ */
 class InsecureContextConfiguration extends DataFlow::Configuration {
   TlsLibrary library;
 
@@ -25,28 +30,38 @@ class InsecureContextConfiguration extends DataFlow::Configuration {
   }
 }
 
+/** Configuration to specifically track the insecure protocol TLS 1.0 */
 class AllowsTLSv1 extends InsecureContextConfiguration {
   AllowsTLSv1() { this = library + "AllowsTLSv1" }
 
   override string flag() { result = "TLSv1" }
 }
 
+/** Configuration to specifically track the insecure protocol TLS 1.1 */
 class AllowsTLSv1_1 extends InsecureContextConfiguration {
   AllowsTLSv1_1() { this = library + "AllowsTLSv1_1" }
 
   override string flag() { result = "TLSv1_1" }
 }
 
+/**
+ * A connection is created from a context allowing an insecure protocol,
+ * and that protocol has not been restricted appropriately.
+ */
 predicate unsafe_connection_creation(DataFlow::Node node, ProtocolVersion insecure_version) {
+  // Connection created from a context allowing TLS 1.0.
   exists(AllowsTLSv1 c | c.hasFlowTo(node)) and
   insecure_version = "TLSv1"
   or
+  // Connection created from a context allowing TLS 1.1.
   exists(AllowsTLSv1_1 c | c.hasFlowTo(node)) and
   insecure_version = "TLSv1_1"
   or
+  // Connection created from a context for an insecure protocol.
   exists(TlsLibrary l | l.insecure_connection_creation(insecure_version) = node)
 }
 
+/** A connection is created insecurely without reference to a context. */
 predicate unsafe_context_creation(DataFlow::Node node, string insecure_version) {
   exists(TlsLibrary l, ContextCreation cc | cc = l.insecure_context_creation(insecure_version) |
     cc = node
diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.ql b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
index b873e5f3ce8..c902d9a284d 100644
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -12,22 +12,9 @@
 import python
 import FluentApiModel
 
-// string foo(ProtocolRestriction r) { result = r.getRestriction() }
-// The idea is to track flow from the creation of an insecure context to a use
-// such as `wrap_socket`. There should be a data-flow path for each insecure version
-// and each path should have a version specific sanitizer. This will allow fluent api
-// style code to block the paths one by one.
 from DataFlow::Node node, string insecure_version
 where
   unsafe_connection_creation(node, insecure_version)
   or
   unsafe_context_creation(node, insecure_version)
 select node, "Insecure SSL/TLS protocol version " + insecure_version //+ " specified in call to " + method_name + "."
-// from CallNode call, string method_name, string insecure_version
-// where
-//   unsafe_ssl_wrap_socket_call(call, method_name, insecure_version, _)
-//   or
-//   unsafe_pyOpenSSL_Context_call(call, insecure_version) and method_name = "pyOpenSSL.SSL.Context"
-// select call,
-//   "Insecure SSL/TLS protocol version " + insecure_version + " specified in call to " + method_name +
-//     "."
diff --git a/python/ql/src/Security/CWE-327/PyOpenSSL.qll b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
index b9a68648f93..a89c7ff0886 100644
--- a/python/ql/src/Security/CWE-327/PyOpenSSL.qll
+++ b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
@@ -59,7 +59,7 @@ class PyOpenSSL extends TlsLibrary {
 
   override API::Node version_constants() { result = API::moduleImport("OpenSSL").getMember("SSL") }
 
-  override DataFlow::CfgNode default_context_creation() { none() }
+  override ContextCreation default_context_creation() { none() }
 
   override ContextCreation specific_context_creation() {
     result instanceof PyOpenSSLContextCreation
diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index e3247d5143c..ba91b39bdeb 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -13,6 +13,16 @@ class SSLContextCreation extends ContextCreation {
   }
 }
 
+class SSLDefaultContextCreation extends ContextCreation {
+  SSLDefaultContextCreation() {
+    this = API::moduleImport("ssl").getMember("create_default_context").getACall()
+  }
+
+  // Allowed insecure versions are "TLSv1" and "TLSv1_1"
+  // see https://docs.python.org/3/library/ssl.html#context-creation
+  override DataFlow::CfgNode getProtocol() { none() }
+}
+
 class WrapSocketCall extends ConnectionCreation {
   override CallNode node;
 
@@ -67,7 +77,6 @@ class Ssl extends TlsLibrary {
   override string specific_insecure_version_name(ProtocolVersion version) {
     version in ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1"] and
     result = "PROTOCOL_" + version
-    // result in ["PROTOCOL_SSLv2", "PROTOCOL_SSLv3", "PROTOCOL_TLSv1", "PROTOCOL_TLSv1_1"]
   }
 
   override string unspecific_version_name() {
@@ -83,10 +92,8 @@ class Ssl extends TlsLibrary {
 
   override API::Node version_constants() { result = API::moduleImport("ssl") }
 
-  override DataFlow::CfgNode default_context_creation() {
-    result = API::moduleImport("ssl").getMember("create_default_context").getACall() //and
-    // see https://docs.python.org/3/library/ssl.html#context-creation
-    // version in ["TLSv1", "TLSv1_1"]
+  override ContextCreation default_context_creation() {
+    result instanceof SSLDefaultContextCreation
   }
 
   override ContextCreation specific_context_creation() { result instanceof SSLContextCreation }
diff --git a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
index 41db81ad1c8..36e58acd926 100644
--- a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
+++ b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
@@ -21,17 +21,24 @@ class ProtocolVersion extends string {
   }
 }
 
+/** The creation of a context. */
 abstract class ContextCreation extends DataFlow::CfgNode {
+  /** Gets the requested protocol if any. */
   abstract DataFlow::CfgNode getProtocol();
 }
 
+/** The creation of a connection from a context. */
 abstract class ConnectionCreation extends DataFlow::CfgNode {
+  /** Gets the context used to create the connection. */
   abstract DataFlow::CfgNode getContext();
 }
 
+/** A context is being restricted on which protocols it can accepts. */
 abstract class ProtocolRestriction extends DataFlow::CfgNode {
+  /** Gets the context being restricted. */
   abstract DataFlow::CfgNode getContext();
 
+  /** Gets the protocol version being disallowed. */
   abstract ProtocolVersion getRestriction();
 }
 
@@ -41,28 +48,35 @@ abstract class TlsLibrary extends string {
   /** The name of a specific protocol version, known to be insecure. */
   abstract string specific_insecure_version_name(ProtocolVersion version);
 
-  /** The name of an unspecific protocol version, say TLS, known to have insecure insatnces. */
+  /** The name of an unspecific protocol version, say TLS, known to have insecure instances. */
   abstract string unspecific_version_name();
 
+  /** The module or class holding the version constants. */
   abstract API::Node version_constants();
 
+  /** A dataflow node representing a specific protocol version, known to be insecure. */
   DataFlow::Node insecure_version(ProtocolVersion version) {
     result = version_constants().getMember(specific_insecure_version_name(version)).getAUse()
   }
 
+  /** A dataflow node representing an unspecific protocol version, say TLS, known to have insecure instances. */
   DataFlow::Node unspecific_version() {
     result = version_constants().getMember(unspecific_version_name()).getAUse()
   }
 
-  abstract DataFlow::CfgNode default_context_creation();
+  /** The creation of a context with a deafult protocol. */
+  abstract ContextCreation default_context_creation();
 
+  /** The creation of a context with a specific protocol. */
   abstract ContextCreation specific_context_creation();
 
+  /** The creation of a context with a specific protocol version, known to be insecure. */
   ContextCreation insecure_context_creation(ProtocolVersion version) {
     result = specific_context_creation() and
     result.getProtocol() = insecure_version(version)
   }
 
+  /** The creation of a context with an unspecific protocol version, say TLS, known to have insecure instances. */
   DataFlow::CfgNode unspecific_context_creation() {
     result = default_context_creation()
     or
@@ -70,11 +84,12 @@ abstract class TlsLibrary extends string {
     result.(ContextCreation).getProtocol() = unspecific_version()
   }
 
-  /** A connection is created in an outright insecure manner. */
+  /** A connection is created in an insecure manner, not from a context. */
   abstract DataFlow::CfgNode insecure_connection_creation(ProtocolVersion version);
 
   /** A connection is created from a context. */
   abstract ConnectionCreation connection_creation();
 
+  /** A context is being restricted on which protocols it can accepts. */
   abstract ProtocolRestriction protocol_restriction();
 }

From 9e696ff0fbaac008a12bfa1a7241a0f0140bbc9d Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 26 Feb 2021 21:58:00 +0100
Subject: [PATCH 0020/1429] Python: Add false negative to test

---
 .../ql/test/query-tests/Security/CWE-327/ssl_fluent.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py b/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
index 9f9e01294cb..252ab0a9e49 100644
--- a/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
+++ b/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
@@ -85,3 +85,13 @@ def test_fluent_ssl_safe_version():
     with socket.create_connection((hostname, 443)) as sock:
         with context.wrap_socket(sock, server_hostname=hostname) as ssock:
             print(ssock.version())
+
+# Taken from https://docs.python.org/3/library/ssl.html#context-creation
+def test_fluent_explicitly_unsafe():
+    hostname = 'www.python.org'
+    context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+    context.options &= ~ssl.OP_NO_SSLv3  # This not recognized
+
+    with socket.create_connection((hostname, 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:  # SSLv3 not flagged here
+            print(ssock.version())

From 60525ec3018924898d47d72d133cb0b1431a2bea Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 26 Feb 2021 21:58:30 +0100
Subject: [PATCH 0021/1429] Python: Also track offending call update test
 expectations at this point

---
 .../src/Security/CWE-327/FluentApiModel.qll   | 20 +++++++---
 .../src/Security/CWE-327/InsecureProtocol.ql  | 18 ++++++---
 .../CWE-327/InsecureProtocol.expected         | 38 ++++++++++++-------
 3 files changed, 51 insertions(+), 25 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/FluentApiModel.qll b/python/ql/src/Security/CWE-327/FluentApiModel.qll
index 3dc12e2f434..23922a90595 100644
--- a/python/ql/src/Security/CWE-327/FluentApiModel.qll
+++ b/python/ql/src/Security/CWE-327/FluentApiModel.qll
@@ -48,22 +48,30 @@ class AllowsTLSv1_1 extends InsecureContextConfiguration {
  * A connection is created from a context allowing an insecure protocol,
  * and that protocol has not been restricted appropriately.
  */
-predicate unsafe_connection_creation(DataFlow::Node node, ProtocolVersion insecure_version) {
+predicate unsafe_connection_creation(
+  DataFlow::Node node, ProtocolVersion insecure_version, CallNode call
+) {
   // Connection created from a context allowing TLS 1.0.
-  exists(AllowsTLSv1 c | c.hasFlowTo(node)) and
+  exists(AllowsTLSv1 c, ContextCreation cc | c.hasFlow(cc, node) | cc.getNode() = call) and
   insecure_version = "TLSv1"
   or
   // Connection created from a context allowing TLS 1.1.
-  exists(AllowsTLSv1_1 c | c.hasFlowTo(node)) and
+  exists(AllowsTLSv1_1 c, ContextCreation cc | c.hasFlow(cc, node) | cc.getNode() = call) and
   insecure_version = "TLSv1_1"
   or
   // Connection created from a context for an insecure protocol.
-  exists(TlsLibrary l | l.insecure_connection_creation(insecure_version) = node)
+  exists(TlsLibrary l, DataFlow::CfgNode cc |
+    cc = l.insecure_connection_creation(insecure_version)
+  |
+    cc = node and
+    cc.getNode() = call
+  )
 }
 
 /** A connection is created insecurely without reference to a context. */
-predicate unsafe_context_creation(DataFlow::Node node, string insecure_version) {
+predicate unsafe_context_creation(DataFlow::Node node, string insecure_version, CallNode call) {
   exists(TlsLibrary l, ContextCreation cc | cc = l.insecure_context_creation(insecure_version) |
-    cc = node
+    cc = node and
+    cc.getNode() = call
   )
 }
diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.ql b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
index c902d9a284d..51247dbd75a 100644
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -12,9 +12,17 @@
 import python
 import FluentApiModel
 
-from DataFlow::Node node, string insecure_version
-where
-  unsafe_connection_creation(node, insecure_version)
+string callName(AstNode call) {
+  result = call.(Name).getId()
   or
-  unsafe_context_creation(node, insecure_version)
-select node, "Insecure SSL/TLS protocol version " + insecure_version //+ " specified in call to " + method_name + "."
+  exists(Attribute a | a = call | result = callName(a.getObject()) + "." + a.getName())
+}
+
+from DataFlow::Node node, string insecure_version, CallNode call
+where
+  unsafe_connection_creation(node, insecure_version, call)
+  or
+  unsafe_context_creation(node, insecure_version, call)
+select node, "Insecure SSL/TLS protocol version " + insecure_version + " specified in $@ ", call,
+  "call to " + callName(call.getFunction().getNode())
+//+ " specified in call to " + method_name + "."
diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
index 33542e4a048..7b646f9fd3e 100644
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
@@ -1,14 +1,24 @@
-| InsecureProtocol.py:6:1:6:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to deprecated method ssl.wrap_socket. |
-| InsecureProtocol.py:7:1:7:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_SSLv3 specified in call to deprecated method ssl.wrap_socket. |
-| InsecureProtocol.py:8:1:8:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_TLSv1 specified in call to deprecated method ssl.wrap_socket. |
-| InsecureProtocol.py:10:1:10:39 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to ssl.SSLContext. |
-| InsecureProtocol.py:11:1:11:39 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_SSLv3 specified in call to ssl.SSLContext. |
-| InsecureProtocol.py:12:1:12:39 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_TLSv1 specified in call to ssl.SSLContext. |
-| InsecureProtocol.py:14:1:14:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2_METHOD specified in call to pyOpenSSL.SSL.Context. |
-| InsecureProtocol.py:15:1:15:30 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv23_METHOD specified in call to pyOpenSSL.SSL.Context. |
-| InsecureProtocol.py:16:1:16:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv3_METHOD specified in call to pyOpenSSL.SSL.Context. |
-| InsecureProtocol.py:17:1:17:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version TLSv1_METHOD specified in call to pyOpenSSL.SSL.Context. |
-| InsecureProtocol.py:32:1:32:19 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2_METHOD specified in call to pyOpenSSL.SSL.Context. |
-| InsecureProtocol.py:48:1:48:43 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to deprecated method ssl.wrap_socket. |
-| InsecureProtocol.py:49:1:49:35 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version PROTOCOL_SSLv2 specified in call to ssl.SSLContext. |
-| InsecureProtocol.py:52:1:52:33 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv23_METHOD specified in call to ssl.SSLContext. |
+| InsecureProtocol.py:6:1:6:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified in $@  | InsecureProtocol.py:6:1:6:47 | ControlFlowNode for Attribute() | call to ssl.wrap_socket |
+| InsecureProtocol.py:7:1:7:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv3 specified in $@  | InsecureProtocol.py:7:1:7:47 | ControlFlowNode for Attribute() | call to ssl.wrap_socket |
+| InsecureProtocol.py:8:1:8:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version TLSv1 specified in $@  | InsecureProtocol.py:8:1:8:47 | ControlFlowNode for Attribute() | call to ssl.wrap_socket |
+| InsecureProtocol.py:10:1:10:39 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version SSLv2 specified in $@  | InsecureProtocol.py:10:1:10:39 | ControlFlowNode for SSLContext() | call to SSLContext |
+| InsecureProtocol.py:11:1:11:39 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version SSLv3 specified in $@  | InsecureProtocol.py:11:1:11:39 | ControlFlowNode for SSLContext() | call to SSLContext |
+| InsecureProtocol.py:12:1:12:39 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version TLSv1 specified in $@  | InsecureProtocol.py:12:1:12:39 | ControlFlowNode for SSLContext() | call to SSLContext |
+| InsecureProtocol.py:14:1:14:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified in $@  | InsecureProtocol.py:14:1:14:29 | ControlFlowNode for Attribute() | call to SSL.Context |
+| InsecureProtocol.py:16:1:16:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv3 specified in $@  | InsecureProtocol.py:16:1:16:29 | ControlFlowNode for Attribute() | call to SSL.Context |
+| InsecureProtocol.py:17:1:17:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version TLSv1 specified in $@  | InsecureProtocol.py:17:1:17:29 | ControlFlowNode for Attribute() | call to SSL.Context |
+| InsecureProtocol.py:32:1:32:19 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified in $@  | InsecureProtocol.py:32:1:32:19 | ControlFlowNode for Attribute() | call to SSL.Context |
+| InsecureProtocol.py:48:1:48:43 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified in $@  | InsecureProtocol.py:48:1:48:43 | ControlFlowNode for Attribute() | call to ssl.wrap_socket |
+| InsecureProtocol.py:49:1:49:35 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version SSLv2 specified in $@  | InsecureProtocol.py:49:1:49:35 | ControlFlowNode for SSLContext() | call to SSLContext |
+| pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context |
+| pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context |
+| pyOpenSSL_fluent.py:18:27:18:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | pyOpenSSL_fluent.py:15:15:15:44 | ControlFlowNode for Attribute() | call to SSL.Context |
+| ssl_fluent.py:9:14:9:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:6:15:6:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:9:14:9:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:6:15:6:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:19:14:19:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:15:15:15:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:37:14:37:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:34:15:34:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:37:14:37:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:34:15:34:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:47:14:47:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:43:15:43:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:77:14:77:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:73:15:73:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:96:14:96:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:92:15:92:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
+| ssl_fluent.py:96:14:96:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:92:15:92:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |

From 7a1d953fcac8d159440345dd26dd13b4136f1481 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Tue, 2 Mar 2021 22:46:01 +0100
Subject: [PATCH 0022/1429] Python: More tests

---
 .../CWE-327/InsecureProtocol.expected         | 14 ++-
 .../Security/CWE-327/ssl_fluent.py            | 96 +++++++++++++++++++
 2 files changed, 107 insertions(+), 3 deletions(-)

diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
index 7b646f9fd3e..e116662ce65 100644
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
@@ -19,6 +19,14 @@
 | ssl_fluent.py:37:14:37:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:34:15:34:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
 | ssl_fluent.py:37:14:37:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:34:15:34:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
 | ssl_fluent.py:47:14:47:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:43:15:43:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:77:14:77:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:73:15:73:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:96:14:96:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:92:15:92:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
-| ssl_fluent.py:96:14:96:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:92:15:92:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
+| ssl_fluent.py:75:14:75:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:71:15:71:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:75:14:75:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:71:15:71:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:89:12:89:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:128:15:128:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:89:12:89:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:128:15:128:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:104:14:104:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:89:12:89:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:104:14:104:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:89:12:89:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:173:14:173:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:169:15:169:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:192:14:192:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:188:15:188:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
+| ssl_fluent.py:192:14:192:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:188:15:188:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
diff --git a/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py b/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
index 252ab0a9e49..eceacaebe21 100644
--- a/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
+++ b/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
@@ -66,6 +66,102 @@ def test_fluent_ssl_safe_combined():
         with context.wrap_socket(sock, server_hostname=hostname) as ssock:
             print(ssock.version())
 
+def test_fluent_ssl_unsafe_combined_wrongly():
+    hostname = 'www.python.org'
+    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context.options |= ssl.OP_NO_TLSv1 & ssl.OP_NO_TLSv1_1
+
+    with socket.create_connection((hostname, 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+def test_fluent_ssl_safe_combined_multiple():
+    hostname = 'www.python.org'
+    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2
+
+    with socket.create_connection((hostname, 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+
+def create_relaxed_context():
+    return ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+
+def create_secure_context():
+    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+    return context
+
+def create_connection(context):
+    with socket.create_connection(('www.python.org', 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+def test_delegated_context_unsafe():
+    context = create_relaxed_context()
+    with socket.create_connection(('www.python.org', 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+def test_delegated_context_safe():
+    context = create_secure_context()
+    with socket.create_connection(('www.python.org', 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+def test_delegated_context_made_safe():
+    context = create_relaxed_context()
+    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+    with socket.create_connection(('www.python.org', 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+def test_delegated_context_made_unsafe():
+    context = create_secure_context()
+    context.options &= ~ssl.OP_NO_TLSv1_1
+    with socket.create_connection(('www.python.org', 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+def test_delegated_connection_unsafe():
+    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    create_connection(context)
+
+def test_delegated_connection_safe():
+    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+    create_connection(context)
+
+def test_delegated_connection_made_safe():
+    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+    create_connection(context)
+
+def test_delegated_connection_made_unsafe():
+    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+    context.options &= ~ssl.OP_NO_TLSv1_1
+    create_connection(context)
+
+def test_delegated_unsafe():
+    context = create_relaxed_context()
+    create_connection(context)
+
+def test_delegated_safe():
+    context = create_secure_context()
+    create_connection(context)
+
+def test_delegated_made_safe():
+    context = create_relaxed_context()
+    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+    create_connection(context)
+
+def test_delegated_made_unsafe():
+    context = create_secure_context()
+    context.options &= ~ssl.OP_NO_TLSv1_1
+    create_connection(context)
+
 # From Python 3.7
 # see https://docs.python.org/3/library/ssl.html#ssl.SSLContext.minimum_version
 def test_fluent_ssl_unsafe_version():

From 97d26687fed6b102c0c2be075ec6a0350a9ef246 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Mon, 1 Mar 2021 15:04:48 +0100
Subject: [PATCH 0023/1429] Python: Improve logic of bit fields

---
 python/ql/src/Security/CWE-327/Ssl.qll | 31 +++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index ba91b39bdeb..4caa0ae7302 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -37,15 +37,17 @@ class OptionsAugOr extends ProtocolRestriction {
   ProtocolVersion restriction;
 
   OptionsAugOr() {
-    exists(AugAssign aa, AttrNode attr |
+    exists(AugAssign aa, AttrNode attr, Expr flag |
       aa.getOperation().getOp() instanceof BitOr and
       aa.getTarget() = attr.getNode() and
       attr.getName() = "options" and
       attr.getObject() = node and
-      // TODO: Use something like BoolExpr::impliesValue here
-      API::moduleImport("ssl").getMember("OP_NO_" + restriction).getAUse().asExpr() in [
-          aa.getValue(), aa.getValue().getAChildNode()
-        ]
+      flag = API::moduleImport("ssl").getMember("OP_NO_" + restriction).getAUse().asExpr() and
+      (
+        aa.getValue() = flag
+        or
+        impliesValue(aa.getValue(), flag, false, false)
+      )
     )
   }
 
@@ -54,6 +56,25 @@ class OptionsAugOr extends ProtocolRestriction {
   override ProtocolVersion getRestriction() { result = restriction }
 }
 
+/** Whether `part` evaluates to `partIsTrue` if `whole` evaluates to `wholeIsTrue`. */
+predicate impliesValue(BinaryExpr whole, Expr part, boolean partIsTrue, boolean wholeIsTrue) {
+  whole.getOp() instanceof BitAnd and
+  (
+    wholeIsTrue = true and partIsTrue = true and part in [whole.getLeft(), whole.getRight()]
+    or
+    wholeIsTrue = true and
+    impliesValue([whole.getLeft(), whole.getRight()], part, partIsTrue, wholeIsTrue)
+  )
+  or
+  whole.getOp() instanceof BitOr and
+  (
+    wholeIsTrue = false and partIsTrue = false and part in [whole.getLeft(), whole.getRight()]
+    or
+    wholeIsTrue = false and
+    impliesValue([whole.getLeft(), whole.getRight()], part, partIsTrue, wholeIsTrue)
+  )
+}
+
 class ContextSetVersion extends ProtocolRestriction {
   string restriction;
 

From cbbc7b2bcd160bdfc268252644f35daf4c1bcfd9 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Wed, 3 Mar 2021 23:42:48 +0100
Subject: [PATCH 0024/1429] Python: support unrestrictions Also pyOpenSSL
 allows SSL 2 and SSL 3 on `SSLv23`

---
 .../src/Security/CWE-327/FluentApiModel.qll   | 62 ++++++++--------
 .../src/Security/CWE-327/InsecureProtocol.ql  | 28 ++++++--
 python/ql/src/Security/CWE-327/PyOpenSSL.qll  | 18 +++--
 python/ql/src/Security/CWE-327/Ssl.qll        | 63 ++++++++++++----
 .../src/Security/CWE-327/TlsLibraryModel.qll  | 48 +++++++++++--
 .../CWE-327/InsecureProtocol.expected         | 72 ++++++++++---------
 6 files changed, 201 insertions(+), 90 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/FluentApiModel.qll b/python/ql/src/Security/CWE-327/FluentApiModel.qll
index 23922a90595..d222af70499 100644
--- a/python/ql/src/Security/CWE-327/FluentApiModel.qll
+++ b/python/ql/src/Security/CWE-327/FluentApiModel.qll
@@ -8,40 +8,44 @@ import TlsLibraryModel
  */
 class InsecureContextConfiguration extends DataFlow::Configuration {
   TlsLibrary library;
+  ProtocolVersion tracked_version;
 
-  InsecureContextConfiguration() { this = library + ["AllowsTLSv1", "AllowsTLSv1_1"] }
+  InsecureContextConfiguration() {
+    this = library + "Allows" + tracked_version and
+    tracked_version.isInsecure()
+  }
+
+  ProtocolVersion getTrackedVersion() { result = tracked_version }
 
   override predicate isSource(DataFlow::Node source) {
-    source = library.unspecific_context_creation()
+    // source = library.unspecific_context_creation()
+    exists(ProtocolUnrestriction pu |
+      pu = library.protocol_unrestriction() and
+      pu.getUnrestriction() = tracked_version
+    |
+      source = pu.getContext()
+    )
   }
 
   override predicate isSink(DataFlow::Node sink) {
     sink = library.connection_creation().getContext()
   }
 
-  abstract string flag();
-
   override predicate isBarrierOut(DataFlow::Node node) {
     exists(ProtocolRestriction r |
       r = library.protocol_restriction() and
       node = r.getContext() and
-      r.getRestriction() = flag()
+      r.getRestriction() = tracked_version
     )
   }
-}
 
-/** Configuration to specifically track the insecure protocol TLS 1.0 */
-class AllowsTLSv1 extends InsecureContextConfiguration {
-  AllowsTLSv1() { this = library + "AllowsTLSv1" }
-
-  override string flag() { result = "TLSv1" }
-}
-
-/** Configuration to specifically track the insecure protocol TLS 1.1 */
-class AllowsTLSv1_1 extends InsecureContextConfiguration {
-  AllowsTLSv1_1() { this = library + "AllowsTLSv1_1" }
-
-  override string flag() { result = "TLSv1_1" }
+  override predicate isBarrierIn(DataFlow::Node node) {
+    exists(ProtocolUnrestriction r |
+      r = library.protocol_unrestriction() and
+      node = r.getContext() and
+      r.getUnrestriction() = tracked_version
+    )
+  }
 }
 
 /**
@@ -49,22 +53,22 @@ class AllowsTLSv1_1 extends InsecureContextConfiguration {
  * and that protocol has not been restricted appropriately.
  */
 predicate unsafe_connection_creation(
-  DataFlow::Node node, ProtocolVersion insecure_version, CallNode call
+  DataFlow::Node creation, ProtocolVersion insecure_version, DataFlow::Node source, boolean specific
 ) {
-  // Connection created from a context allowing TLS 1.0.
-  exists(AllowsTLSv1 c, ContextCreation cc | c.hasFlow(cc, node) | cc.getNode() = call) and
-  insecure_version = "TLSv1"
+  // Connection created from a context allowing `insecure_version`.
+  exists(InsecureContextConfiguration c, ProtocolUnrestriction cc | c.hasFlow(cc, creation) |
+    insecure_version = c.getTrackedVersion() and
+    source = cc and
+    specific = false
+  )
   or
-  // Connection created from a context allowing TLS 1.1.
-  exists(AllowsTLSv1_1 c, ContextCreation cc | c.hasFlow(cc, node) | cc.getNode() = call) and
-  insecure_version = "TLSv1_1"
-  or
-  // Connection created from a context for an insecure protocol.
+  // Connection created from a context specifying `insecure_version`.
   exists(TlsLibrary l, DataFlow::CfgNode cc |
     cc = l.insecure_connection_creation(insecure_version)
   |
-    cc = node and
-    cc.getNode() = call
+    creation = cc and
+    source = cc and
+    specific = true
   )
 }
 
diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.ql b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
index 51247dbd75a..194cc1f5ec1 100644
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -18,11 +18,25 @@ string callName(AstNode call) {
   exists(Attribute a | a = call | result = callName(a.getObject()) + "." + a.getName())
 }
 
-from DataFlow::Node node, string insecure_version, CallNode call
-where
-  unsafe_connection_creation(node, insecure_version, call)
+string sourceName(DataFlow::Node source) {
+  result = "call to " + callName(source.asCfgNode().(CallNode).getFunction().getNode())
   or
-  unsafe_context_creation(node, insecure_version, call)
-select node, "Insecure SSL/TLS protocol version " + insecure_version + " specified in $@ ", call,
-  "call to " + callName(call.getFunction().getNode())
-//+ " specified in call to " + method_name + "."
+  not source.asCfgNode() instanceof CallNode and
+  not source instanceof ContextCreation and
+  result = "context modification"
+}
+
+string verb(boolean specific) {
+  specific = true and result = "specified"
+  or
+  specific = false and result = "allowed"
+}
+
+from DataFlow::Node creation, string insecure_version, DataFlow::Node source, boolean specific
+where
+  unsafe_connection_creation(creation, insecure_version, source, specific)
+  or
+  unsafe_context_creation(creation, insecure_version, source.asCfgNode()) and specific = true
+select creation,
+  "Insecure SSL/TLS protocol version " + insecure_version + " " + verb(specific) + " by $@ ",
+  source, sourceName(source)
diff --git a/python/ql/src/Security/CWE-327/PyOpenSSL.qll b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
index a89c7ff0886..3c36c568ef5 100644
--- a/python/ql/src/Security/CWE-327/PyOpenSSL.qll
+++ b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
@@ -26,6 +26,8 @@ class ConnectionCall extends ConnectionCreation {
   }
 }
 
+// This cannot be used to unrestrict,
+// see https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_options
 class SetOptionsCall extends ProtocolRestriction {
   override CallNode node;
 
@@ -42,6 +44,10 @@ class SetOptionsCall extends ProtocolRestriction {
   }
 }
 
+class UnspecificPyOpenSSLContextCreation extends PyOpenSSLContextCreation, UnspecificContextCreation {
+  UnspecificPyOpenSSLContextCreation() { library = "pyOpenSSL" }
+}
+
 class PyOpenSSL extends TlsLibrary {
   PyOpenSSL() { this = "pyOpenSSL" }
 
@@ -50,11 +56,9 @@ class PyOpenSSL extends TlsLibrary {
     result = version + "_METHOD"
   }
 
-  override string unspecific_version_name() {
-    result in [
-        "TLS_METHOD", // This is not actually available in pyOpenSSL yet
-        "SSLv23_METHOD" // This is what can negotiate TLS 1.3 (indeed, I know, I did test that..)
-      ]
+  override string unspecific_version_name(ProtocolFamily family) {
+    // `"TLS_METHOD"` is not actually available in pyOpenSSL yet, but should be coming soon..
+    result = family + "_METHOD"
   }
 
   override API::Node version_constants() { result = API::moduleImport("OpenSSL").getMember("SSL") }
@@ -70,4 +74,8 @@ class PyOpenSSL extends TlsLibrary {
   override ConnectionCreation connection_creation() { result instanceof ConnectionCall }
 
   override ProtocolRestriction protocol_restriction() { result instanceof SetOptionsCall }
+
+  override ProtocolUnrestriction protocol_unrestriction() {
+    result instanceof UnspecificPyOpenSSLContextCreation
+  }
 }
diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index 4caa0ae7302..e749bb9bc3c 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -56,6 +56,31 @@ class OptionsAugOr extends ProtocolRestriction {
   override ProtocolVersion getRestriction() { result = restriction }
 }
 
+class OptionsAugAndNot extends ProtocolUnrestriction {
+  ProtocolVersion restriction;
+
+  OptionsAugAndNot() {
+    exists(AugAssign aa, AttrNode attr, Expr flag, UnaryExpr notFlag |
+      aa.getOperation().getOp() instanceof BitAnd and
+      aa.getTarget() = attr.getNode() and
+      attr.getName() = "options" and
+      attr.getObject() = node and
+      notFlag.getOp() instanceof Invert and
+      notFlag.getOperand() = flag and
+      flag = API::moduleImport("ssl").getMember("OP_NO_" + restriction).getAUse().asExpr() and
+      (
+        aa.getValue() = notFlag
+        or
+        impliesValue(aa.getValue(), notFlag, true, true)
+      )
+    )
+  }
+
+  override DataFlow::CfgNode getContext() { result = this }
+
+  override ProtocolVersion getUnrestriction() { result = restriction }
+}
+
 /** Whether `part` evaluates to `partIsTrue` if `whole` evaluates to `wholeIsTrue`. */
 predicate impliesValue(BinaryExpr whole, Expr part, boolean partIsTrue, boolean wholeIsTrue) {
   whole.getOp() instanceof BitAnd and
@@ -75,8 +100,8 @@ predicate impliesValue(BinaryExpr whole, Expr part, boolean partIsTrue, boolean
   )
 }
 
-class ContextSetVersion extends ProtocolRestriction {
-  string restriction;
+class ContextSetVersion extends ProtocolRestriction, ProtocolUnrestriction {
+  ProtocolVersion restriction;
 
   ContextSetVersion() {
     exists(Attributes::AttrWrite aw |
@@ -90,6 +115,21 @@ class ContextSetVersion extends ProtocolRestriction {
   override DataFlow::CfgNode getContext() { result = this }
 
   override ProtocolVersion getRestriction() { result.lessThan(restriction) }
+
+  override ProtocolVersion getUnrestriction() {
+    restriction = result or restriction.lessThan(result)
+  }
+}
+
+class UnspecificSSLContextCreation extends SSLContextCreation, UnspecificContextCreation {
+  UnspecificSSLContextCreation() { library = "ssl" }
+
+  override ProtocolVersion getUnrestriction() {
+    result = UnspecificContextCreation.super.getUnrestriction() and
+    // These are turned off by default
+    // see https://docs.python.org/3/library/ssl.html#ssl-contexts
+    not result in ["SSLv2", "SSLv3"]
+  }
 }
 
 class Ssl extends TlsLibrary {
@@ -100,16 +140,7 @@ class Ssl extends TlsLibrary {
     result = "PROTOCOL_" + version
   }
 
-  override string unspecific_version_name() {
-    result =
-      "PROTOCOL_" +
-        [
-          "TLS",
-          // This can negotiate a TLS 1.3 connection (!)
-          // see https://docs.python.org/3/library/ssl.html#ssl-contexts
-          "SSLv23"
-        ]
-  }
+  override string unspecific_version_name(ProtocolFamily family) { result = "PROTOCOL_" + family }
 
   override API::Node version_constants() { result = API::moduleImport("ssl") }
 
@@ -132,4 +163,12 @@ class Ssl extends TlsLibrary {
     or
     result instanceof ContextSetVersion
   }
+
+  override ProtocolUnrestriction protocol_unrestriction() {
+    result instanceof OptionsAugAndNot
+    or
+    result instanceof ContextSetVersion
+    or
+    result instanceof UnspecificSSLContextCreation
+  }
 }
diff --git a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
index 36e58acd926..97ceec00688 100644
--- a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
+++ b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
@@ -19,6 +19,13 @@ class ProtocolVersion extends string {
     or
     this = ["TLSv1", "TLSv1_1", "TLSv1_2"] and version = "TLSv1_3"
   }
+
+  predicate isInsecure() { this in ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1"] }
+}
+
+/** An unspecific protocol version */
+class ProtocolFamily extends string {
+  ProtocolFamily() { this in ["SSLv23", "TLS"] }
 }
 
 /** The creation of a context. */
@@ -42,6 +49,34 @@ abstract class ProtocolRestriction extends DataFlow::CfgNode {
   abstract ProtocolVersion getRestriction();
 }
 
+/** A context is being relaxed on which protocols it can accepts. */
+abstract class ProtocolUnrestriction extends DataFlow::CfgNode {
+  /** Gets the context being relaxed. */
+  abstract DataFlow::CfgNode getContext();
+
+  /** Gets the protocol version being allowed. */
+  abstract ProtocolVersion getUnrestriction();
+}
+
+abstract class UnspecificContextCreation extends ContextCreation, ProtocolUnrestriction {
+  TlsLibrary library;
+  ProtocolFamily family;
+
+  UnspecificContextCreation() { this.getProtocol() = library.unspecific_version(family) }
+
+  override DataFlow::CfgNode getContext() { result = this }
+
+  override ProtocolVersion getUnrestriction() {
+    family = "TLS" and
+    result in ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
+    or
+    // This can negotiate a TLS 1.3 connection (!)
+    // see https://docs.python.org/3/library/ssl.html#ssl-contexts
+    family = "SSLv23" and
+    result in ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
+  }
+}
+
 abstract class TlsLibrary extends string {
   TlsLibrary() { this in ["ssl", "pyOpenSSL"] }
 
@@ -49,7 +84,7 @@ abstract class TlsLibrary extends string {
   abstract string specific_insecure_version_name(ProtocolVersion version);
 
   /** The name of an unspecific protocol version, say TLS, known to have insecure instances. */
-  abstract string unspecific_version_name();
+  abstract string unspecific_version_name(ProtocolFamily family);
 
   /** The module or class holding the version constants. */
   abstract API::Node version_constants();
@@ -60,8 +95,8 @@ abstract class TlsLibrary extends string {
   }
 
   /** A dataflow node representing an unspecific protocol version, say TLS, known to have insecure instances. */
-  DataFlow::Node unspecific_version() {
-    result = version_constants().getMember(unspecific_version_name()).getAUse()
+  DataFlow::Node unspecific_version(ProtocolFamily family) {
+    result = version_constants().getMember(unspecific_version_name(family)).getAUse()
   }
 
   /** The creation of a context with a deafult protocol. */
@@ -77,11 +112,11 @@ abstract class TlsLibrary extends string {
   }
 
   /** The creation of a context with an unspecific protocol version, say TLS, known to have insecure instances. */
-  DataFlow::CfgNode unspecific_context_creation() {
+  DataFlow::CfgNode unspecific_context_creation(ProtocolFamily family) {
     result = default_context_creation()
     or
     result = specific_context_creation() and
-    result.(ContextCreation).getProtocol() = unspecific_version()
+    result.(ContextCreation).getProtocol() = unspecific_version(family)
   }
 
   /** A connection is created in an insecure manner, not from a context. */
@@ -92,4 +127,7 @@ abstract class TlsLibrary extends string {
 
   /** A context is being restricted on which protocols it can accepts. */
   abstract ProtocolRestriction protocol_restriction();
+
+  /** A context is being relaxed on which protocols it can accepts. */
+  abstract ProtocolUnrestriction protocol_unrestriction();
 }
diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
index e116662ce65..afd9cc15d9f 100644
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
@@ -1,32 +1,40 @@
-| InsecureProtocol.py:6:1:6:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified in $@  | InsecureProtocol.py:6:1:6:47 | ControlFlowNode for Attribute() | call to ssl.wrap_socket |
-| InsecureProtocol.py:7:1:7:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv3 specified in $@  | InsecureProtocol.py:7:1:7:47 | ControlFlowNode for Attribute() | call to ssl.wrap_socket |
-| InsecureProtocol.py:8:1:8:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version TLSv1 specified in $@  | InsecureProtocol.py:8:1:8:47 | ControlFlowNode for Attribute() | call to ssl.wrap_socket |
-| InsecureProtocol.py:10:1:10:39 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version SSLv2 specified in $@  | InsecureProtocol.py:10:1:10:39 | ControlFlowNode for SSLContext() | call to SSLContext |
-| InsecureProtocol.py:11:1:11:39 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version SSLv3 specified in $@  | InsecureProtocol.py:11:1:11:39 | ControlFlowNode for SSLContext() | call to SSLContext |
-| InsecureProtocol.py:12:1:12:39 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version TLSv1 specified in $@  | InsecureProtocol.py:12:1:12:39 | ControlFlowNode for SSLContext() | call to SSLContext |
-| InsecureProtocol.py:14:1:14:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified in $@  | InsecureProtocol.py:14:1:14:29 | ControlFlowNode for Attribute() | call to SSL.Context |
-| InsecureProtocol.py:16:1:16:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv3 specified in $@  | InsecureProtocol.py:16:1:16:29 | ControlFlowNode for Attribute() | call to SSL.Context |
-| InsecureProtocol.py:17:1:17:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version TLSv1 specified in $@  | InsecureProtocol.py:17:1:17:29 | ControlFlowNode for Attribute() | call to SSL.Context |
-| InsecureProtocol.py:32:1:32:19 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified in $@  | InsecureProtocol.py:32:1:32:19 | ControlFlowNode for Attribute() | call to SSL.Context |
-| InsecureProtocol.py:48:1:48:43 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified in $@  | InsecureProtocol.py:48:1:48:43 | ControlFlowNode for Attribute() | call to ssl.wrap_socket |
-| InsecureProtocol.py:49:1:49:35 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version SSLv2 specified in $@  | InsecureProtocol.py:49:1:49:35 | ControlFlowNode for SSLContext() | call to SSLContext |
-| pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context |
-| pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context |
-| pyOpenSSL_fluent.py:18:27:18:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | pyOpenSSL_fluent.py:15:15:15:44 | ControlFlowNode for Attribute() | call to SSL.Context |
-| ssl_fluent.py:9:14:9:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:6:15:6:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:9:14:9:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:6:15:6:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:19:14:19:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:15:15:15:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:37:14:37:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:34:15:34:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:37:14:37:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:34:15:34:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:47:14:47:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:43:15:43:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:75:14:75:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:71:15:71:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:75:14:75:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:71:15:71:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:89:12:89:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:128:15:128:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:89:12:89:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:128:15:128:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:104:14:104:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:89:12:89:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:104:14:104:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:89:12:89:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:173:14:173:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:169:15:169:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:192:14:192:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 specified in $@  | ssl_fluent.py:188:15:188:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
-| ssl_fluent.py:192:14:192:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 specified in $@  | ssl_fluent.py:188:15:188:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
+| InsecureProtocol.py:6:1:6:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@  | InsecureProtocol.py:6:1:6:47 | ControlFlowNode for Attribute() | call to ssl.wrap_socket |
+| InsecureProtocol.py:7:1:7:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv3 specified by $@  | InsecureProtocol.py:7:1:7:47 | ControlFlowNode for Attribute() | call to ssl.wrap_socket |
+| InsecureProtocol.py:8:1:8:47 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version TLSv1 specified by $@  | InsecureProtocol.py:8:1:8:47 | ControlFlowNode for Attribute() | call to ssl.wrap_socket |
+| InsecureProtocol.py:10:1:10:39 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version SSLv2 specified by $@  | InsecureProtocol.py:10:1:10:39 | ControlFlowNode for SSLContext() | call to SSLContext |
+| InsecureProtocol.py:11:1:11:39 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version SSLv3 specified by $@  | InsecureProtocol.py:11:1:11:39 | ControlFlowNode for SSLContext() | call to SSLContext |
+| InsecureProtocol.py:12:1:12:39 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version TLSv1 specified by $@  | InsecureProtocol.py:12:1:12:39 | ControlFlowNode for SSLContext() | call to SSLContext |
+| InsecureProtocol.py:14:1:14:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@  | InsecureProtocol.py:14:1:14:29 | ControlFlowNode for Attribute() | call to SSL.Context |
+| InsecureProtocol.py:16:1:16:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv3 specified by $@  | InsecureProtocol.py:16:1:16:29 | ControlFlowNode for Attribute() | call to SSL.Context |
+| InsecureProtocol.py:17:1:17:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version TLSv1 specified by $@  | InsecureProtocol.py:17:1:17:29 | ControlFlowNode for Attribute() | call to SSL.Context |
+| InsecureProtocol.py:32:1:32:19 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@  | InsecureProtocol.py:32:1:32:19 | ControlFlowNode for Attribute() | call to SSL.Context |
+| InsecureProtocol.py:48:1:48:43 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@  | InsecureProtocol.py:48:1:48:43 | ControlFlowNode for Attribute() | call to ssl.wrap_socket |
+| InsecureProtocol.py:49:1:49:35 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version SSLv2 specified by $@  | InsecureProtocol.py:49:1:49:35 | ControlFlowNode for SSLContext() | call to SSLContext |
+| pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv2 allowed by $@  | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context |
+| pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@  | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context |
+| pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context |
+| pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context |
+| pyOpenSSL_fluent.py:18:27:18:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv2 allowed by $@  | pyOpenSSL_fluent.py:15:15:15:44 | ControlFlowNode for Attribute() | call to SSL.Context |
+| pyOpenSSL_fluent.py:18:27:18:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@  | pyOpenSSL_fluent.py:15:15:15:44 | ControlFlowNode for Attribute() | call to SSL.Context |
+| pyOpenSSL_fluent.py:18:27:18:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | pyOpenSSL_fluent.py:15:15:15:44 | ControlFlowNode for Attribute() | call to SSL.Context |
+| pyOpenSSL_fluent.py:29:27:29:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv2 allowed by $@  | pyOpenSSL_fluent.py:25:15:25:44 | ControlFlowNode for Attribute() | call to SSL.Context |
+| pyOpenSSL_fluent.py:29:27:29:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@  | pyOpenSSL_fluent.py:25:15:25:44 | ControlFlowNode for Attribute() | call to SSL.Context |
+| ssl_fluent.py:9:14:9:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:6:15:6:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:9:14:9:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:6:15:6:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:19:14:19:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:15:15:15:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:37:14:37:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:34:15:34:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:37:14:37:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:34:15:34:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:47:14:47:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:43:15:43:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:75:14:75:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:71:15:71:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:75:14:75:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:71:15:71:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:89:12:89:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:128:15:128:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:89:12:89:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:128:15:128:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:144:5:144:11 | ControlFlowNode for context | context modification |
+| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:162:5:162:11 | ControlFlowNode for context | context modification |
+| ssl_fluent.py:104:14:104:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:89:12:89:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:104:14:104:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:89:12:89:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:124:14:124:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:122:5:122:11 | ControlFlowNode for context | context modification |
+| ssl_fluent.py:173:14:173:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:170:5:170:11 | ControlFlowNode for context | context modification |
+| ssl_fluent.py:192:14:192:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@  | ssl_fluent.py:189:5:189:11 | ControlFlowNode for context | context modification |

From ee038373571b4d3fe2490c2fd19eaeb9afbbfa49 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Wed, 3 Mar 2021 23:46:18 +0100
Subject: [PATCH 0025/1429] Python: small refactor

---
 python/ql/src/Security/CWE-327/PyOpenSSL.qll       | 5 +----
 python/ql/src/Security/CWE-327/Ssl.qll             | 5 +----
 python/ql/src/Security/CWE-327/TlsLibraryModel.qll | 7 ++++---
 3 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/PyOpenSSL.qll b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
index 3c36c568ef5..d2cfb74b3ab 100644
--- a/python/ql/src/Security/CWE-327/PyOpenSSL.qll
+++ b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
@@ -51,10 +51,7 @@ class UnspecificPyOpenSSLContextCreation extends PyOpenSSLContextCreation, Unspe
 class PyOpenSSL extends TlsLibrary {
   PyOpenSSL() { this = "pyOpenSSL" }
 
-  override string specific_insecure_version_name(ProtocolVersion version) {
-    version in ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1"] and
-    result = version + "_METHOD"
-  }
+  override string specific_version_name(ProtocolVersion version) { result = version + "_METHOD" }
 
   override string unspecific_version_name(ProtocolFamily family) {
     // `"TLS_METHOD"` is not actually available in pyOpenSSL yet, but should be coming soon..
diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index e749bb9bc3c..66a821e83ac 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -135,10 +135,7 @@ class UnspecificSSLContextCreation extends SSLContextCreation, UnspecificContext
 class Ssl extends TlsLibrary {
   Ssl() { this = "ssl" }
 
-  override string specific_insecure_version_name(ProtocolVersion version) {
-    version in ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1"] and
-    result = "PROTOCOL_" + version
-  }
+  override string specific_version_name(ProtocolVersion version) { result = "PROTOCOL_" + version }
 
   override string unspecific_version_name(ProtocolFamily family) { result = "PROTOCOL_" + family }
 
diff --git a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
index 97ceec00688..3ab880e8bd9 100644
--- a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
+++ b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
@@ -80,8 +80,8 @@ abstract class UnspecificContextCreation extends ContextCreation, ProtocolUnrest
 abstract class TlsLibrary extends string {
   TlsLibrary() { this in ["ssl", "pyOpenSSL"] }
 
-  /** The name of a specific protocol version, known to be insecure. */
-  abstract string specific_insecure_version_name(ProtocolVersion version);
+  /** The name of a specific protocol version. */
+  abstract string specific_version_name(ProtocolVersion version);
 
   /** The name of an unspecific protocol version, say TLS, known to have insecure instances. */
   abstract string unspecific_version_name(ProtocolFamily family);
@@ -91,7 +91,8 @@ abstract class TlsLibrary extends string {
 
   /** A dataflow node representing a specific protocol version, known to be insecure. */
   DataFlow::Node insecure_version(ProtocolVersion version) {
-    result = version_constants().getMember(specific_insecure_version_name(version)).getAUse()
+    version.isInsecure() and
+    result = version_constants().getMember(specific_version_name(version)).getAUse()
   }
 
   /** A dataflow node representing an unspecific protocol version, say TLS, known to have insecure instances. */

From de9469bbfc1769e6e705165b6e53efa12a0c97eb Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Thu, 4 Mar 2021 00:01:44 +0100
Subject: [PATCH 0026/1429] Python: complete `ssl.create_default_context`

---
 python/ql/src/Security/CWE-327/Ssl.qll | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index 66a821e83ac..d4886219d08 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -132,6 +132,15 @@ class UnspecificSSLContextCreation extends SSLContextCreation, UnspecificContext
   }
 }
 
+class UnspecificSSLDefaultContextCreation extends SSLDefaultContextCreation, ProtocolUnrestriction {
+  override DataFlow::CfgNode getContext() { result = this }
+
+  // see https://docs.python.org/3/library/ssl.html#ssl.create_default_context
+  override ProtocolVersion getUnrestriction() {
+    result in ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
+  }
+}
+
 class Ssl extends TlsLibrary {
   Ssl() { this = "ssl" }
 
@@ -167,5 +176,7 @@ class Ssl extends TlsLibrary {
     result instanceof ContextSetVersion
     or
     result instanceof UnspecificSSLContextCreation
+    or
+    result instanceof UnspecificSSLDefaultContextCreation
   }
 }

From d02c5298725695e1fe3dc663922619a7f0a8b35d Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Thu, 4 Mar 2021 00:06:36 +0100
Subject: [PATCH 0027/1429] Python: Update annotation

---
 python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py b/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
index eceacaebe21..ab65e3bd206 100644
--- a/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
+++ b/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
@@ -186,7 +186,7 @@ def test_fluent_ssl_safe_version():
 def test_fluent_explicitly_unsafe():
     hostname = 'www.python.org'
     context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
-    context.options &= ~ssl.OP_NO_SSLv3  # This not recognized
+    context.options &= ~ssl.OP_NO_SSLv3
 
     with socket.create_connection((hostname, 443)) as sock:
         with context.wrap_socket(sock, server_hostname=hostname) as ssock:  # SSLv3 not flagged here

From c5577cb09a073c2fb4f6feeca887c437d5fbe2fb Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Thu, 4 Mar 2021 19:54:49 +0800
Subject: [PATCH 0028/1429] Fix the problem

---
 .../Security/CWE/CWE-352/JsonpInjection.ql    |  68 --------
 .../CWE/CWE-352/JsonpInjectionFilterLib.qll   |  77 ---------
 .../CWE/CWE-352/JsonpInjectionLib.qll         | 155 ------------------
 .../Security/CWE/CWE-352/JsonStringLib.qll    |   0
 .../CWE/CWE-352/JsonpController.java}         |  48 +-----
 .../Security/CWE/CWE-352/JsonpInjection.java  |   0
 .../Security/CWE/CWE-352/JsonpInjection.qhelp |   2 +-
 .../Security/CWE/CWE-352/JsonpInjection.ql    |  64 ++++++++
 .../CWE/CWE-352/JsonpInjectionLib.qll         | 130 +++++++++++++++
 .../CWE/CWE-352/JsonpInjectionServlet1.java   |   0
 .../CWE/CWE-352/JsonpInjectionServlet2.java   |   0
 .../Security/CWE/CWE-352/RefererFilter.java   |  43 +++++
 .../semmle/code/java/frameworks/Servlets.qll  |  12 +-
 .../security/CWE-352/JsonpController.java     | 128 +++++++++++++++
 .../security/CWE-352/JsonpInjection.expected  |  60 -------
 .../CWE-352/JsonpInjectionServlet1.java       |  64 ++++++++
 .../CWE-352/JsonpInjectionServlet2.java}      |  16 +-
 .../CWE-352/JsonpInjection_1.expected         |  60 +++++++
 .../CWE-352/JsonpInjection_2.expected         |  78 +++++++++
 .../CWE-352/JsonpInjection_3.expected         |  66 ++++++++
 .../query-tests/security/CWE-352/Readme       |   3 +
 .../security/CWE-352/RefererFilter.java       |  43 +++++
 .../gson-2.8.6/com/google/gson/Gson.java      |   7 +
 .../org/springframework/util/StringUtils.java |   8 +
 .../javax/servlet/Filter.java                 |  13 ++
 .../javax/servlet/FilterChain.java            |   8 +
 .../javax/servlet/FilterConfig.java           |   3 +
 .../javax/servlet/ServletException.java       |   8 +
 .../javax/servlet/ServletRequest.java         |  87 ++++++++++
 .../javax/servlet/ServletResponse.java        |  39 +++++
 .../servlet/http/HttpServletRequest.java      | 116 +++++++++++++
 .../servlet/http/HttpServletResponse.java     | 106 ++++++++++++
 32 files changed, 1084 insertions(+), 428 deletions(-)
 delete mode 100644 java/ql/src/Security/CWE/CWE-352/JsonpInjection.ql
 delete mode 100644 java/ql/src/Security/CWE/CWE-352/JsonpInjectionFilterLib.qll
 delete mode 100644 java/ql/src/Security/CWE/CWE-352/JsonpInjectionLib.qll
 rename java/ql/src/{ => experimental}/Security/CWE/CWE-352/JsonStringLib.qll (100%)
 rename java/ql/{test/experimental/query-tests/security/CWE-352/JsonpInjection.java => src/experimental/Security/CWE/CWE-352/JsonpController.java} (72%)
 rename java/ql/src/{ => experimental}/Security/CWE/CWE-352/JsonpInjection.java (100%)
 rename java/ql/src/{ => experimental}/Security/CWE/CWE-352/JsonpInjection.qhelp (96%)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
 rename java/ql/src/{ => experimental}/Security/CWE/CWE-352/JsonpInjectionServlet1.java (100%)
 rename java/ql/src/{ => experimental}/Security/CWE/CWE-352/JsonpInjectionServlet2.java (100%)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-352/RefererFilter.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpController.java
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionServlet1.java
 rename java/ql/{src/Security/CWE/CWE-352/JsonpInjectionServlet.java => test/experimental/query-tests/security/CWE-352/JsonpInjectionServlet2.java} (75%)
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_1.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_2.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_3.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/Readme
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/RefererFilter.java
 create mode 100644 java/ql/test/stubs/gson-2.8.6/com/google/gson/Gson.java
 create mode 100644 java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/StringUtils.java
 create mode 100644 java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/Filter.java
 create mode 100644 java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/FilterChain.java
 create mode 100644 java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/FilterConfig.java
 create mode 100644 java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletException.java
 create mode 100644 java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletRequest.java
 create mode 100644 java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletResponse.java
 create mode 100644 java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/http/HttpServletRequest.java
 create mode 100644 java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/http/HttpServletResponse.java

diff --git a/java/ql/src/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/Security/CWE/CWE-352/JsonpInjection.ql
deleted file mode 100644
index 53ee6182511..00000000000
--- a/java/ql/src/Security/CWE/CWE-352/JsonpInjection.ql
+++ /dev/null
@@ -1,68 +0,0 @@
-/**
- * @name JSONP Injection
- * @description User-controlled callback function names that are not verified are vulnerable
- *              to jsonp injection attacks.
- * @kind path-problem
- * @problem.severity error
- * @precision high
- * @id java/JSONP-Injection
- * @tags security
- *       external/cwe/cwe-352
- */
-
-import java
-import JsonpInjectionLib
-import JsonpInjectionFilterLib
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.deadcode.WebEntryPoints
-import DataFlow::PathGraph
-
-
-/** If there is a method to verify `token`, `auth`, `referer`, and `origin`, it will not pass. */
-class ServletVerifAuth extends DataFlow::BarrierGuard {
-  ServletVerifAuth() {
-    exists(MethodAccess ma, Node prod, Node succ |
-      ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
-      prod instanceof RemoteFlowSource and
-      succ.asExpr() = ma.getAnArgument() and
-      ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
-      localFlowStep*(prod, succ) and
-      this = ma
-    )
-  }
-
-  override predicate checks(Expr e, boolean branch) {
-    exists(Node node |
-      node instanceof JsonpInjectionSink and
-      e = node.asExpr() and
-      branch = true
-    )
-  }
-}
-
-/** Taint-tracking configuration tracing flow from get method request sources to output jsonp data. */
-class JsonpInjectionConfig extends TaintTracking::Configuration {
-  JsonpInjectionConfig() { this = "JsonpInjectionConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof GetHttpRequestSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof JsonpInjectionSink }
-
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-    guard instanceof ServletVerifAuth
-  }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(MethodAccess ma |
-      isRequestGetParamMethod(ma) and pred.asExpr() = ma.getQualifier() and succ.asExpr() = ma
-    )
-  }
-}
-
-from DataFlow::PathNode source, DataFlow::PathNode sink, JsonpInjectionConfig conf
-where
-  not checks() = false and
-  conf.hasFlowPath(source, sink) and
-  exists(JsonpInjectionFlowConfig jhfc | jhfc.hasFlowTo(sink.getNode()))
-select sink.getNode(), source, sink, "Jsonp Injection query might include code from $@.",
-  source.getNode(), "this user input"
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonpInjectionFilterLib.qll b/java/ql/src/Security/CWE/CWE-352/JsonpInjectionFilterLib.qll
deleted file mode 100644
index b349bed2641..00000000000
--- a/java/ql/src/Security/CWE/CWE-352/JsonpInjectionFilterLib.qll
+++ /dev/null
@@ -1,77 +0,0 @@
-/**
- * @name JSONP Injection
- * @description User-controlled callback function names that are not verified are vulnerable
- *              to json hijacking attacks.
- * @kind path-problem
- */
-
-import java
-import DataFlow
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.dataflow.TaintTracking2
-import DataFlow::PathGraph
-
-class FilterVerifAuth extends DataFlow::BarrierGuard {
-  FilterVerifAuth() {
-    exists(MethodAccess ma, Node prod, Node succ |
-      ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
-      prod instanceof RemoteFlowSource and
-      succ.asExpr() = ma.getAnArgument() and
-      ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
-      localFlowStep*(prod, succ) and
-      this = ma
-    )
-  }
-
-  override predicate checks(Expr e, boolean branch) {
-    exists(Node node |
-      node instanceof DoFilterMethodSink and
-      e = node.asExpr() and
-      branch = true
-    )
-  }
-}
-
-/** A data flow source for `Filter.doFilter` method paramters. */
-private class DoFilterMethodSource extends DataFlow::Node {
-  DoFilterMethodSource() {
-    exists(Method m |
-      isDoFilterMethod(m) and
-      m.getAParameter().getAnAccess() = this.asExpr()
-    )
-  }
-}
-
-/** A data flow sink for `FilterChain.doFilter` method qualifying expression. */
-private class DoFilterMethodSink extends DataFlow::Node {
-  DoFilterMethodSink() {
-    exists(MethodAccess ma, Method m | ma.getMethod() = m |
-      m.hasName("doFilter") and
-      m.getDeclaringType*().hasQualifiedName("javax.servlet", "FilterChain") and
-      ma.getQualifier() = this.asExpr()
-    )
-  }
-}
-
-/** Taint-tracking configuration tracing flow from `doFilter` method paramter source to output 
- * `FilterChain.doFilter` method qualifying expression. 
- * */
-class DoFilterMethodConfig extends TaintTracking::Configuration {
-  DoFilterMethodConfig() { this = "DoFilterMethodConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof DoFilterMethodSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof DoFilterMethodSink }
-
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-    guard instanceof FilterVerifAuth
-  }
-}
-
-/** Implement class modeling verification for `Filter.doFilter`, return false if it fails. */
-boolean checks() {
-  exists(DataFlow::PathNode source, DataFlow::PathNode sink, DoFilterMethodConfig conf |
-    conf.hasFlowPath(source, sink) and
-    result = false
-  )
-}
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/Security/CWE/CWE-352/JsonpInjectionLib.qll
deleted file mode 100644
index 3f730425823..00000000000
--- a/java/ql/src/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ /dev/null
@@ -1,155 +0,0 @@
-import java
-import DataFlow
-import JsonStringLib
-import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.frameworks.spring.SpringController
-
-/** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
-private predicate isGetServletMethod(Method m) {
-  isServletRequestMethod(m) and m.getName() = "doGet"
-}
-
-/** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
-private predicate isGetSpringControllerMethod(Method m) {
-  exists(Annotation a |
-    a = m.getAnAnnotation() and
-    a.getType().hasQualifiedName("org.springframework.web.bind.annotation", "GetMapping")
-  )
-  or
-  exists(Annotation a |
-    a = m.getAnAnnotation() and
-    a.getType().hasQualifiedName("org.springframework.web.bind.annotation", "RequestMapping") and
-    a.getValue("method").toString().regexpMatch("RequestMethod.GET|\\{...\\}")
-  )
-}
-
-/** Method parameters use the annotation `@RequestParam` or the parameter type is `ServletRequest`, `String`, `Object` */
-predicate checkSpringMethodParameterType(Method m, int i) {
-  m.getParameter(i).getType() instanceof ServletRequest
-  or
-  exists(Parameter p |
-    p = m.getParameter(i) and
-    p.hasAnnotation() and
-    p.getAnAnnotation()
-        .getType()
-        .hasQualifiedName("org.springframework.web.bind.annotation", "RequestParam") and
-    p.getType().getName().regexpMatch("String|Object")
-  )
-  or
-  exists(Parameter p |
-    p = m.getParameter(i) and
-    not p.hasAnnotation() and
-    p.getType().getName().regexpMatch("String|Object")
-  )
-}
-
-/** A data flow source for get method request parameters. */
-abstract class GetHttpRequestSource extends DataFlow::Node { }
-
-/** A data flow source for servlet get method request parameters. */
-private class ServletGetHttpRequestSource extends GetHttpRequestSource {
-  ServletGetHttpRequestSource() {
-    exists(Method m |
-      isGetServletMethod(m) and
-      m.getParameter(0).getAnAccess() = this.asExpr()
-    )
-  }
-}
-
-/** A data flow source for spring controller get method request parameters. */
-private class SpringGetHttpRequestSource extends GetHttpRequestSource {
-  SpringGetHttpRequestSource() {
-    exists(SpringControllerMethod scm, int i |
-      isGetSpringControllerMethod(scm) and
-      checkSpringMethodParameterType(scm, i) and
-      scm.getParameter(i).getAnAccess() = this.asExpr()
-    )
-  }
-}
-
-/** A data flow sink for unvalidated user input that is used to jsonp. */
-abstract class JsonpInjectionSink extends DataFlow::Node { }
-
-/** Use ```print```, ```println```, ```write``` to output result. */
-private class WriterPrintln extends JsonpInjectionSink {
-  WriterPrintln() {
-    exists(MethodAccess ma |
-      ma.getMethod().getName().regexpMatch("print|println|write") and
-      ma.getMethod()
-          .getDeclaringType()
-          .getASourceSupertype*()
-          .hasQualifiedName("java.io", "PrintWriter") and
-      ma.getArgument(0) = this.asExpr()
-    )
-  }
-}
-
-/** Spring Request Method return result. */
-private class SpringReturn extends JsonpInjectionSink {
-  SpringReturn() {
-    exists(ReturnStmt rs, Method m | m = rs.getEnclosingCallable() |
-      isGetSpringControllerMethod(m) and
-      rs.getResult() = this.asExpr()
-    )
-  }
-}
-
-/** A concatenate expression using `(` and `)` or `);`. */
-class JsonpInjectionExpr extends AddExpr {
-  JsonpInjectionExpr() {
-    getRightOperand().toString().regexpMatch("\"\\)\"|\"\\);\"") and
-    getLeftOperand()
-        .(AddExpr)
-        .getLeftOperand()
-        .(AddExpr)
-        .getRightOperand()
-        .toString()
-        .regexpMatch("\"\\(\"")
-  }
-
-  /** Get the jsonp function name of this expression */
-  Expr getFunctionName() {
-    result = getLeftOperand().(AddExpr).getLeftOperand().(AddExpr).getLeftOperand()
-  }
-
-  /** Get the json data of this expression */
-  Expr getJsonExpr() { result = getLeftOperand().(AddExpr).getRightOperand() }
-}
-
-/** A data flow configuration tracing flow from remote sources to jsonp function name. */
-class RemoteFlowConfig extends DataFlow2::Configuration {
-  RemoteFlowConfig() { this = "RemoteFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(JsonpInjectionExpr jhe | jhe.getFunctionName() = sink.asExpr())
-  }
-}
-
-/** A data flow configuration tracing flow from json data to splicing jsonp data. */
-class JsonDataFlowConfig extends DataFlow2::Configuration {
-  JsonDataFlowConfig() { this = "JsonDataFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) { src instanceof JsonpStringSource }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(JsonpInjectionExpr jhe | jhe.getJsonExpr() = sink.asExpr())
-  }
-}
-
-/** Taint-tracking configuration tracing flow from user-controllable function name jsonp data to output jsonp data. */
-class JsonpInjectionFlowConfig extends DataFlow::Configuration {
-  JsonpInjectionFlowConfig() { this = "JsonpInjectionFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) {
-    exists(JsonpInjectionExpr jhe, JsonDataFlowConfig jdfc, RemoteFlowConfig rfc |
-      jhe = src.asExpr() and
-      jdfc.hasFlowTo(DataFlow::exprNode(jhe.getJsonExpr())) and
-      rfc.hasFlowTo(DataFlow::exprNode(jhe.getFunctionName()))
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof JsonpInjectionSink }
-}
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonStringLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonStringLib.qll
similarity index 100%
rename from java/ql/src/Security/CWE/CWE-352/JsonStringLib.qll
rename to java/ql/src/experimental/Security/CWE/CWE-352/JsonStringLib.qll
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.java b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpController.java
similarity index 72%
rename from java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.java
rename to java/ql/src/experimental/Security/CWE/CWE-352/JsonpController.java
index 9f079513a8b..84a172a7aeb 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpController.java
@@ -3,17 +3,14 @@ import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.gson.Gson;
 import java.io.PrintWriter;
 import java.util.HashMap;
-import java.util.Random;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 
 @Controller
-public class JsonpInjection {
+public class JsonpController {
     private static HashMap hashMap = new HashMap();
 
     static {
@@ -96,54 +93,13 @@ public class JsonpInjection {
 
     @GetMapping(value = "jsonp7")
     @ResponseBody
-    public String good(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-
-        String val = "";
-        Random random = new Random();
-        for (int i = 0; i < 10; i++) {
-            val += String.valueOf(random.nextInt(10));
-        }
-        // good
-        jsonpCallback = jsonpCallback + "_" + val;
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
-        return resultStr;
-    }
-
-    @GetMapping(value = "jsonp8")
-    @ResponseBody
     public String good1(HttpServletRequest request) {
         String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
 
         String token = request.getParameter("token");
 
-        // good
         if (verifToken(token)){
-            System.out.println(token);
-            String jsonStr = getJsonStr(hashMap);
-            resultStr = jsonpCallback + "(" + jsonStr + ")";
-            return resultStr;
-        }
-
-        return "error";
-    }
-
-    @GetMapping(value = "jsonp9")
-    @ResponseBody
-    public String good2(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-
-        String referer = request.getHeader("Referer");
-
-        boolean result = verifReferer(referer);
-
-        boolean test = result;
-        // good
-        if (test){
+            String jsonpCallback = request.getParameter("jsonpCallback");
             String jsonStr = getJsonStr(hashMap);
             resultStr = jsonpCallback + "(" + jsonStr + ")";
             return resultStr;
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonpInjection.java b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java
similarity index 100%
rename from java/ql/src/Security/CWE/CWE-352/JsonpInjection.java
rename to java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonpInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
similarity index 96%
rename from java/ql/src/Security/CWE/CWE-352/JsonpInjection.qhelp
rename to java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
index b063b409d3a..bb5d628ac0b 100644
--- a/java/ql/src/Security/CWE/CWE-352/JsonpInjection.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
@@ -16,7 +16,7 @@ there is a problem of sensitive information leakage.</p>
 
 <p>The following example shows the case of no verification processing and verification processing for the external input function name.</p>
 
-<sample src="JsonHijacking.java" />
+<sample src="JsonpInjection.java" />
 
 </example>
 <references>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
new file mode 100644
index 00000000000..f3ae25daa03
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -0,0 +1,64 @@
+/**
+ * @name JSONP Injection
+ * @description User-controlled callback function names that are not verified are vulnerable
+ *              to jsonp injection attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/JSONP-Injection
+ * @tags security
+ *       external/cwe/cwe-352
+ */
+
+import java
+import JsonpInjectionLib
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.deadcode.WebEntryPoints
+import semmle.code.java.security.XSS
+import DataFlow::PathGraph
+
+/** Determine whether there is a verification method for the remote streaming source data flow path method. */
+predicate existsFilterVerificationMethod() {
+  exists(MethodAccess ma,Node existsNode, Method m|
+    ma.getMethod() instanceof VerificationMethodClass and
+    existsNode.asExpr() = ma and
+    m = getAnMethod(existsNode.getEnclosingCallable()) and
+    isDoFilterMethod(m)
+  )
+}
+
+/** Determine whether there is a verification method for the remote streaming source data flow path method. */
+predicate existsServletVerificationMethod(Node checkNode) {
+  exists(MethodAccess ma,Node existsNode|
+    ma.getMethod() instanceof VerificationMethodClass and
+    existsNode.asExpr() = ma and
+    getAnMethod(existsNode.getEnclosingCallable()) = getAnMethod(checkNode.getEnclosingCallable())
+  )
+}
+
+/** Taint-tracking configuration tracing flow from get method request sources to output jsonp data. */
+class RequestResponseFlowConfig extends TaintTracking::Configuration {
+  RequestResponseFlowConfig() { this = "RequestResponseFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource and
+    getAnMethod(source.getEnclosingCallable()) instanceof RequestGetMethod
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(MethodAccess ma |
+      isRequestGetParamMethod(ma) and pred.asExpr() = ma.getQualifier() and succ.asExpr() = ma
+    )
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, RequestResponseFlowConfig conf
+where
+  not existsServletVerificationMethod(source.getNode()) and
+  not existsFilterVerificationMethod() and
+  conf.hasFlowPath(source, sink) and
+  exists(JsonpInjectionFlowConfig jhfc | jhfc.hasFlowTo(sink.getNode()))
+select sink.getNode(), source, sink, "Jsonp Injection query might include code from $@.",
+  source.getNode(), "this user input"
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
new file mode 100644
index 00000000000..b8964524a9f
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -0,0 +1,130 @@
+import java
+import DataFlow
+import JsonStringLib
+import semmle.code.java.security.XSS
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.frameworks.spring.SpringController
+
+/** Taint-tracking configuration tracing flow from user-controllable function name jsonp data to output jsonp data. */
+class VerificationMethodFlowConfig extends TaintTracking::Configuration {
+  VerificationMethodFlowConfig() { this = "VerificationMethodFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma, BarrierGuard bg |
+      ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
+      bg = ma and
+      sink.asExpr() = ma.getAnArgument()
+    )
+  }
+}
+
+/** The parameter name of the method is `token`, `auth`, `referer`, `origin`. */
+class VerificationMethodClass extends Method {
+  VerificationMethodClass() {
+    exists(MethodAccess ma, BarrierGuard bg, VerificationMethodFlowConfig vmfc, Node node |
+      this = ma.getMethod() and
+      this.getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
+      bg = ma and
+      node.asExpr() = ma.getAnArgument() and
+      vmfc.hasFlowTo(node)
+    )
+  }
+}
+
+/** Get Callable by recursive method. */
+Callable getAnMethod(Callable call) {
+  result = call
+  or
+  result = getAnMethod(call.getAReference().getEnclosingCallable())
+}
+
+abstract class RequestGetMethod extends Method { }
+
+/** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
+private class ServletGetMethod extends RequestGetMethod {
+  ServletGetMethod() {
+    exists(Method m |
+      m = this and
+      isServletRequestMethod(m) and
+      m.getName() = "doGet"
+    )
+  }
+}
+
+/** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
+private class SpringControllerGetMethod extends RequestGetMethod {
+  SpringControllerGetMethod() {
+    exists(Annotation a |
+      a = this.getAnAnnotation() and
+      a.getType().hasQualifiedName("org.springframework.web.bind.annotation", "GetMapping")
+    )
+    or
+    exists(Annotation a |
+      a = this.getAnAnnotation() and
+      a.getType().hasQualifiedName("org.springframework.web.bind.annotation", "RequestMapping") and
+      a.getValue("method").toString().regexpMatch("RequestMethod.GET|\\{...\\}")
+    )
+  }
+}
+
+/** A concatenate expression using `(` and `)` or `);`. */
+class JsonpInjectionExpr extends AddExpr {
+  JsonpInjectionExpr() {
+    getRightOperand().toString().regexpMatch("\"\\)\"|\"\\);\"") and
+    getLeftOperand()
+        .(AddExpr)
+        .getLeftOperand()
+        .(AddExpr)
+        .getRightOperand()
+        .toString()
+        .regexpMatch("\"\\(\"")
+  }
+
+  /** Get the jsonp function name of this expression */
+  Expr getFunctionName() {
+    result = getLeftOperand().(AddExpr).getLeftOperand().(AddExpr).getLeftOperand()
+  }
+
+  /** Get the json data of this expression */
+  Expr getJsonExpr() { result = getLeftOperand().(AddExpr).getRightOperand() }
+}
+
+/** A data flow configuration tracing flow from remote sources to jsonp function name. */
+class RemoteFlowConfig extends DataFlow2::Configuration {
+  RemoteFlowConfig() { this = "RemoteFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(JsonpInjectionExpr jhe | jhe.getFunctionName() = sink.asExpr())
+  }
+}
+
+/** A data flow configuration tracing flow from json data to splicing jsonp data. */
+class JsonDataFlowConfig extends DataFlow2::Configuration {
+  JsonDataFlowConfig() { this = "JsonDataFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) { src instanceof JsonpStringSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(JsonpInjectionExpr jhe | jhe.getJsonExpr() = sink.asExpr())
+  }
+}
+
+/** Taint-tracking configuration tracing flow from user-controllable function name jsonp data to output jsonp data. */
+class JsonpInjectionFlowConfig extends TaintTracking::Configuration {
+  JsonpInjectionFlowConfig() { this = "JsonpInjectionFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) {
+    exists(JsonpInjectionExpr jhe, JsonDataFlowConfig jdfc, RemoteFlowConfig rfc |
+      jhe = src.asExpr() and
+      jdfc.hasFlowTo(DataFlow::exprNode(jhe.getJsonExpr())) and
+      rfc.hasFlowTo(DataFlow::exprNode(jhe.getFunctionName()))
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
+}
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet1.java b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionServlet1.java
similarity index 100%
rename from java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet1.java
rename to java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionServlet1.java
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet2.java b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionServlet2.java
similarity index 100%
rename from java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet2.java
rename to java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionServlet2.java
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/RefererFilter.java b/java/ql/src/experimental/Security/CWE/CWE-352/RefererFilter.java
new file mode 100644
index 00000000000..97444932ae1
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/RefererFilter.java
@@ -0,0 +1,43 @@
+import java.io.IOException;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.util.StringUtils;
+
+public class RefererFilter implements Filter {
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+    }
+
+    @Override
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+        HttpServletRequest request = (HttpServletRequest) servletRequest;
+        HttpServletResponse response = (HttpServletResponse) servletResponse;
+        String refefer = request.getHeader("Referer");
+        boolean result = verifReferer(refefer);
+        if (result){
+            filterChain.doFilter(servletRequest, servletResponse);
+        }
+        response.sendError(444, "Referer xxx.");
+    }
+
+    @Override
+    public void destroy() {
+    }
+
+    public static boolean verifReferer(String referer){
+        if (StringUtils.isEmpty(referer)){
+            return false;
+        }
+        if (referer.startsWith("http://www.baidu.com/")){
+            return true;
+        }
+        return false;
+    }
+}
diff --git a/java/ql/src/semmle/code/java/frameworks/Servlets.qll b/java/ql/src/semmle/code/java/frameworks/Servlets.qll
index b2054dc30cb..5cccf62122f 100644
--- a/java/ql/src/semmle/code/java/frameworks/Servlets.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Servlets.qll
@@ -338,7 +338,6 @@ predicate isRequestGetParamMethod(MethodAccess ma) {
   ma.getMethod() instanceof HttpServletRequestGetQueryStringMethod
 }
 
-
 /**
  * A class that has `javax.servlet.Filter` as an ancestor.
  */
@@ -346,21 +345,18 @@ class FilterClass extends Class {
   FilterClass() { getAnAncestor().hasQualifiedName("javax.servlet", "Filter") }
 }
 
-
 /**
  * The interface `javax.servlet.FilterChain`
  */
-class FilterChain extends RefType {
-  FilterChain() {
-    hasQualifiedName("javax.servlet", "FilterChain")
-  }
+class FilterChain extends Interface {
+  FilterChain() { hasQualifiedName("javax.servlet", "FilterChain") }
 }
 
-/** Holds if `m` is a request handler method (for example `doGet` or `doPost`). */
+/** Holds if `m` is a filter handler method (for example `doFilter`). */
 predicate isDoFilterMethod(Method m) {
   m.getDeclaringType() instanceof FilterClass and
   m.getNumberOfParameters() = 3 and
   m.getParameter(0).getType() instanceof ServletRequest and
   m.getParameter(1).getType() instanceof ServletResponse and
   m.getParameter(2).getType() instanceof FilterChain
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpController.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpController.java
new file mode 100644
index 00000000000..cf860c75640
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpController.java
@@ -0,0 +1,128 @@
+import com.alibaba.fastjson.JSONObject;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.gson.Gson;
+import java.io.PrintWriter;
+import java.util.HashMap;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+@Controller
+public class JsonpController {
+    private static HashMap hashMap = new HashMap();
+
+    static {
+        hashMap.put("username","admin");
+        hashMap.put("password","123456");
+    }
+
+
+    @GetMapping(value = "jsonp1", produces="text/javascript")
+    @ResponseBody
+    public String bad1(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+        resultStr = jsonpCallback + "(" + result + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp2")
+    @ResponseBody
+    public String bad2(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+
+        resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")";
+
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp3")
+    @ResponseBody
+    public String bad3(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp4")
+    @ResponseBody
+    public String bad4(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp5")
+    @ResponseBody
+    public void bad5(HttpServletRequest request,
+            HttpServletResponse response) throws Exception {
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+
+        String resultStr = null;
+        pw = response.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+    }
+
+    @GetMapping(value = "jsonp6")
+    @ResponseBody
+    public void bad6(HttpServletRequest request,
+            HttpServletResponse response) throws Exception {
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        ObjectMapper mapper = new ObjectMapper();
+        String result = mapper.writeValueAsString(hashMap);
+        String resultStr = null;
+        pw = response.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+    }
+
+    @GetMapping(value = "jsonp7")
+    @ResponseBody
+    public String good1(HttpServletRequest request) {
+        String resultStr = null;
+
+        String token = request.getParameter("token");
+
+        if (verifToken(token)){
+            String jsonpCallback = request.getParameter("jsonpCallback");
+            String jsonStr = getJsonStr(hashMap);
+            resultStr = jsonpCallback + "(" + jsonStr + ")";
+            return resultStr;
+        }
+
+        return "error";
+    }
+
+    public static String getJsonStr(Object result) {
+        return JSONObject.toJSONString(result);
+    }
+
+    public static boolean verifToken(String token){
+        if (token != "xxxx"){
+            return false;
+        }
+        return true;
+    }
+
+    public static boolean verifReferer(String referer){
+        if (!referer.startsWith("http://test.com/")){
+            return false;
+        }
+        return true;
+    }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected
deleted file mode 100644
index 7e3069cf1d9..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected
+++ /dev/null
@@ -1,60 +0,0 @@
-edges
-| JsonpInjection.java:29:32:29:38 | request : HttpServletRequest | JsonpInjection.java:34:16:34:24 | resultStr |
-| JsonpInjection.java:33:21:33:54 | ... + ... : String | JsonpInjection.java:34:16:34:24 | resultStr |
-| JsonpInjection.java:41:32:41:38 | request : HttpServletRequest | JsonpInjection.java:45:16:45:24 | resultStr |
-| JsonpInjection.java:43:21:43:80 | ... + ... : String | JsonpInjection.java:45:16:45:24 | resultStr |
-| JsonpInjection.java:52:32:52:38 | request : HttpServletRequest | JsonpInjection.java:55:16:55:24 | resultStr |
-| JsonpInjection.java:54:21:54:55 | ... + ... : String | JsonpInjection.java:55:16:55:24 | resultStr |
-| JsonpInjection.java:62:32:62:38 | request : HttpServletRequest | JsonpInjection.java:65:16:65:24 | resultStr |
-| JsonpInjection.java:64:21:64:54 | ... + ... : String | JsonpInjection.java:65:16:65:24 | resultStr |
-| JsonpInjection.java:72:32:72:38 | request : HttpServletRequest | JsonpInjection.java:80:20:80:28 | resultStr |
-| JsonpInjection.java:79:21:79:54 | ... + ... : String | JsonpInjection.java:80:20:80:28 | resultStr |
-| JsonpInjection.java:87:32:87:38 | request : HttpServletRequest | JsonpInjection.java:94:20:94:28 | resultStr |
-| JsonpInjection.java:93:21:93:54 | ... + ... : String | JsonpInjection.java:94:20:94:28 | resultStr |
-| JsonpInjection.java:101:32:101:38 | request : HttpServletRequest | JsonpInjection.java:112:16:112:24 | resultStr |
-| JsonpInjection.java:127:25:127:59 | ... + ... : String | JsonpInjection.java:128:20:128:28 | resultStr |
-| JsonpInjection.java:148:25:148:59 | ... + ... : String | JsonpInjection.java:149:20:149:28 | resultStr |
-nodes
-| JsonpInjection.java:29:32:29:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
-| JsonpInjection.java:33:21:33:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:34:16:34:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:34:16:34:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:41:32:41:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
-| JsonpInjection.java:43:21:43:80 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:45:16:45:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:45:16:45:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:52:32:52:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
-| JsonpInjection.java:54:21:54:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:55:16:55:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:55:16:55:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:62:32:62:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
-| JsonpInjection.java:64:21:64:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:65:16:65:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:65:16:65:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:72:32:72:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
-| JsonpInjection.java:79:21:79:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:80:20:80:28 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:80:20:80:28 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:87:32:87:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
-| JsonpInjection.java:93:21:93:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:94:20:94:28 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:94:20:94:28 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:101:32:101:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
-| JsonpInjection.java:112:16:112:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:127:25:127:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:128:20:128:28 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:148:25:148:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:149:20:149:28 | resultStr | semmle.label | resultStr |
-#select
-| JsonpInjection.java:34:16:34:24 | resultStr | JsonpInjection.java:29:32:29:38 | request : HttpServletRequest | JsonpInjection.java:34:16:34:24 | 
-resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:29:32:29:38 | request | this user input |
-| JsonpInjection.java:45:16:45:24 | resultStr | JsonpInjection.java:41:32:41:38 | request : HttpServletRequest | JsonpInjection.java:45:16:45:24 | 
-resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:41:32:41:38 | request | this user input |
-| JsonpInjection.java:55:16:55:24 | resultStr | JsonpInjection.java:52:32:52:38 | request : HttpServletRequest | JsonpInjection.java:55:16:55:24 | 
-resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:52:32:52:38 | request | this user input |
-| JsonpInjection.java:65:16:65:24 | resultStr | JsonpInjection.java:62:32:62:38 | request : HttpServletRequest | JsonpInjection.java:65:16:65:24 | 
-resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:62:32:62:38 | request | this user input |
-| JsonpInjection.java:80:20:80:28 | resultStr | JsonpInjection.java:72:32:72:38 | request : HttpServletRequest | JsonpInjection.java:80:20:80:28 | 
-resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:72:32:72:38 | request | this user input |
-| JsonpInjection.java:94:20:94:28 | resultStr | JsonpInjection.java:87:32:87:38 | request : HttpServletRequest | JsonpInjection.java:94:20:94:28 | 
-resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:87:32:87:38 | request | this user input |
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionServlet1.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionServlet1.java
new file mode 100644
index 00000000000..14ef76275b1
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionServlet1.java
@@ -0,0 +1,64 @@
+import com.google.gson.Gson;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.HashMap;
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class JsonpInjectionServlet1 extends HttpServlet {
+
+    private static HashMap hashMap = new HashMap();
+
+    static {
+        hashMap.put("username","admin");
+        hashMap.put("password","123456");
+    }
+
+    private static final long serialVersionUID = 1L;
+
+    private String key = "test";
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        doPost(req, resp);
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        resp.setContentType("application/json");
+        String jsonpCallback = req.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        Gson gson = new Gson();
+        String jsonResult = gson.toJson(hashMap);
+
+        String referer = req.getHeader("Referer");
+
+        boolean result = verifReferer(referer);
+
+        // good
+        if (result){
+            String resultStr = null;
+            pw = resp.getWriter();
+            resultStr = jsonpCallback + "(" + jsonResult + ")";
+            pw.println(resultStr);
+            pw.flush();
+        }
+    }
+
+    public static boolean verifReferer(String referer){
+        if (!referer.startsWith("http://test.com/")){
+            return false;
+        }
+        return true;
+    }
+
+    @Override
+    public void init(ServletConfig config) throws ServletException {
+        this.key = config.getInitParameter("key");
+        System.out.println("�始化" + this.key);
+        super.init(config);
+    }
+
+}
diff --git a/java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionServlet2.java
similarity index 75%
rename from java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet.java
rename to java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionServlet2.java
index 916cd9bf676..bbfbc2dc436 100644
--- a/java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionServlet2.java
@@ -4,12 +4,11 @@ import java.io.PrintWriter;
 import java.util.HashMap;
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletException;
-import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-public class JsonpInjectionServlet  extends HttpServlet {
+public class JsonpInjectionServlet2  extends HttpServlet {
 
     private static HashMap hashMap = new HashMap();
 
@@ -23,21 +22,12 @@ public class JsonpInjectionServlet  extends HttpServlet {
     private String key = "test";
     @Override
     protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-        String jsonpCallback = req.getParameter("jsonpCallback");
-
-        PrintWriter pw = null;
-        Gson gson = new Gson();
-        String result = gson.toJson(hashMap);
-
-        String resultStr = null;
-        pw = resp.getWriter();
-        resultStr = jsonpCallback + "(" + result + ")";
-        pw.println(resultStr);
-        pw.flush();
+        doPost(req, resp);
     }
 
     @Override
     protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        resp.setContentType("application/json");
         String jsonpCallback = req.getParameter("jsonpCallback");
         PrintWriter pw = null;
         Gson gson = new Gson();
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_1.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_1.expected
new file mode 100644
index 00000000000..a89d03b67a7
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_1.expected
@@ -0,0 +1,60 @@
+edges
+| JsonpController.java:26:32:26:68 | getParameter(...) : String | JsonpController.java:31:16:31:24 | resultStr |
+| JsonpController.java:30:21:30:54 | ... + ... : String | JsonpController.java:31:16:31:24 | resultStr |
+| JsonpController.java:38:32:38:68 | getParameter(...) : String | JsonpController.java:42:16:42:24 | resultStr |
+| JsonpController.java:40:21:40:80 | ... + ... : String | JsonpController.java:42:16:42:24 | resultStr |
+| JsonpController.java:49:32:49:68 | getParameter(...) : String | JsonpController.java:52:16:52:24 | resultStr |
+| JsonpController.java:51:21:51:55 | ... + ... : String | JsonpController.java:52:16:52:24 | resultStr |
+| JsonpController.java:59:32:59:68 | getParameter(...) : String | JsonpController.java:62:16:62:24 | resultStr |
+| JsonpController.java:61:21:61:54 | ... + ... : String | JsonpController.java:62:16:62:24 | resultStr |
+| JsonpController.java:69:32:69:68 | getParameter(...) : String | JsonpController.java:77:20:77:28 | resultStr |
+| JsonpController.java:76:21:76:54 | ... + ... : String | JsonpController.java:77:20:77:28 | resultStr |
+| JsonpController.java:84:32:84:68 | getParameter(...) : String | JsonpController.java:91:20:91:28 | resultStr |
+| JsonpController.java:90:21:90:54 | ... + ... : String | JsonpController.java:91:20:91:28 | resultStr |
+| JsonpController.java:99:24:99:52 | getParameter(...) : String | JsonpController.java:101:24:101:28 | token |
+| JsonpController.java:102:36:102:72 | getParameter(...) : String | JsonpController.java:105:20:105:28 | resultStr |
+| JsonpController.java:104:25:104:59 | ... + ... : String | JsonpController.java:105:20:105:28 | resultStr |
+nodes
+| JsonpController.java:26:32:26:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:30:21:30:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:38:32:38:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:40:21:40:80 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:49:32:49:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:51:21:51:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:59:32:59:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:61:21:61:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:69:32:69:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:76:21:76:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:84:32:84:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:90:21:90:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:99:24:99:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:101:24:101:28 | token | semmle.label | token |
+| JsonpController.java:102:36:102:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:104:25:104:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
+#select
+| JsonpController.java:31:16:31:24 | resultStr | JsonpController.java:26:32:26:68 | getParameter(...) : String | JsonpController.java:31:16:31:24 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:26:32:26:68 | getParameter(...) | this user input |
+| JsonpController.java:42:16:42:24 | resultStr | JsonpController.java:38:32:38:68 | getParameter(...) : String | JsonpController.java:42:16:42:24 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:38:32:38:68 | getParameter(...) | this user input |
+| JsonpController.java:52:16:52:24 | resultStr | JsonpController.java:49:32:49:68 | getParameter(...) : String | JsonpController.java:52:16:52:24 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:49:32:49:68 | getParameter(...) | this user input |
+| JsonpController.java:62:16:62:24 | resultStr | JsonpController.java:59:32:59:68 | getParameter(...) : String | JsonpController.java:62:16:62:24 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:59:32:59:68 | getParameter(...) | this user input |
+| JsonpController.java:77:20:77:28 | resultStr | JsonpController.java:69:32:69:68 | getParameter(...) : String | JsonpController.java:77:20:77:28 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:69:32:69:68 | getParameter(...) | this user input |
+| JsonpController.java:91:20:91:28 | resultStr | JsonpController.java:84:32:84:68 | getParameter(...) : String | JsonpController.java:91:20:91:28 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:84:32:84:68 | getParameter(...) | this user input |
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_2.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_2.expected
new file mode 100644
index 00000000000..4b12308a212
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_2.expected
@@ -0,0 +1,78 @@
+edges
+| JsonpController.java:26:32:26:68 | getParameter(...) : String | JsonpController.java:31:16:31:24 | resultStr |
+| JsonpController.java:30:21:30:54 | ... + ... : String | JsonpController.java:31:16:31:24 | resultStr |
+| JsonpController.java:38:32:38:68 | getParameter(...) : String | JsonpController.java:42:16:42:24 | resultStr |
+| JsonpController.java:40:21:40:80 | ... + ... : String | JsonpController.java:42:16:42:24 | resultStr |
+| JsonpController.java:49:32:49:68 | getParameter(...) : String | JsonpController.java:52:16:52:24 | resultStr |
+| JsonpController.java:51:21:51:55 | ... + ... : String | JsonpController.java:52:16:52:24 | resultStr |
+| JsonpController.java:59:32:59:68 | getParameter(...) : String | JsonpController.java:62:16:62:24 | resultStr |
+| JsonpController.java:61:21:61:54 | ... + ... : String | JsonpController.java:62:16:62:24 | resultStr |
+| JsonpController.java:69:32:69:68 | getParameter(...) : String | JsonpController.java:77:20:77:28 | resultStr |
+| JsonpController.java:76:21:76:54 | ... + ... : String | JsonpController.java:77:20:77:28 | resultStr |
+| JsonpController.java:84:32:84:68 | getParameter(...) : String | JsonpController.java:91:20:91:28 | resultStr |
+| JsonpController.java:90:21:90:54 | ... + ... : String | JsonpController.java:91:20:91:28 | resultStr |
+| JsonpController.java:99:24:99:52 | getParameter(...) : String | JsonpController.java:101:24:101:28 | token |
+| JsonpController.java:102:36:102:72 | getParameter(...) : String | JsonpController.java:105:20:105:28 | resultStr |
+| JsonpController.java:104:25:104:59 | ... + ... : String | JsonpController.java:105:20:105:28 | resultStr |
+| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
+| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | JsonpInjectionServlet1.java:38:39:38:45 | referer |
+| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
+| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
+| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
+nodes
+| JsonpController.java:26:32:26:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:30:21:30:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:38:32:38:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:40:21:40:80 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:49:32:49:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:51:21:51:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:59:32:59:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:61:21:61:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:69:32:69:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:76:21:76:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:84:32:84:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:90:21:90:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:99:24:99:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:101:24:101:28 | token | semmle.label | token |
+| JsonpController.java:102:36:102:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:104:25:104:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| JsonpInjectionServlet1.java:38:39:38:45 | referer | semmle.label | referer |
+| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
+#select
+| JsonpController.java:31:16:31:24 | resultStr | JsonpController.java:26:32:26:68 | getParameter(...) : String | JsonpController.java:31:16:31:24 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:26:32:26:68 | getParameter(...) | this user input |
+| JsonpController.java:42:16:42:24 | resultStr | JsonpController.java:38:32:38:68 | getParameter(...) : String | JsonpController.java:42:16:42:24 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:38:32:38:68 | getParameter(...) | this user input |
+| JsonpController.java:52:16:52:24 | resultStr | JsonpController.java:49:32:49:68 | getParameter(...) : String | JsonpController.java:52:16:52:24 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:49:32:49:68 | getParameter(...) | this user input |
+| JsonpController.java:62:16:62:24 | resultStr | JsonpController.java:59:32:59:68 | getParameter(...) : String | JsonpController.java:62:16:62:24 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:59:32:59:68 | getParameter(...) | this user input |
+| JsonpController.java:77:20:77:28 | resultStr | JsonpController.java:69:32:69:68 | getParameter(...) : String | JsonpController.java:77:20:77:28 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:69:32:69:68 | getParameter(...) | this user input |
+| JsonpController.java:91:20:91:28 | resultStr | JsonpController.java:84:32:84:68 | getParameter(...) : String | JsonpController.java:91:20:91:28 |
+ resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:84:32:84:68 | getParameter(...) | this user input |
+| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServle
+t2.java:39:20:39:28 | resultStr | Jsonp Injection query might include code from $@. | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) |
+ this user input |
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_3.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_3.expected
new file mode 100644
index 00000000000..8e33ca6984c
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_3.expected
@@ -0,0 +1,66 @@
+edges
+| JsonpController.java:26:32:26:68 | getParameter(...) : String | JsonpController.java:31:16:31:24 | resultStr |
+| JsonpController.java:30:21:30:54 | ... + ... : String | JsonpController.java:31:16:31:24 | resultStr |
+| JsonpController.java:38:32:38:68 | getParameter(...) : String | JsonpController.java:42:16:42:24 | resultStr |
+| JsonpController.java:40:21:40:80 | ... + ... : String | JsonpController.java:42:16:42:24 | resultStr |
+| JsonpController.java:49:32:49:68 | getParameter(...) : String | JsonpController.java:52:16:52:24 | resultStr |
+| JsonpController.java:51:21:51:55 | ... + ... : String | JsonpController.java:52:16:52:24 | resultStr |
+| JsonpController.java:59:32:59:68 | getParameter(...) : String | JsonpController.java:62:16:62:24 | resultStr |
+| JsonpController.java:61:21:61:54 | ... + ... : String | JsonpController.java:62:16:62:24 | resultStr |
+| JsonpController.java:69:32:69:68 | getParameter(...) : String | JsonpController.java:77:20:77:28 | resultStr |
+| JsonpController.java:76:21:76:54 | ... + ... : String | JsonpController.java:77:20:77:28 | resultStr |
+| JsonpController.java:84:32:84:68 | getParameter(...) : String | JsonpController.java:91:20:91:28 | resultStr |
+| JsonpController.java:90:21:90:54 | ... + ... : String | JsonpController.java:91:20:91:28 | resultStr |
+| JsonpController.java:99:24:99:52 | getParameter(...) : String | JsonpController.java:101:24:101:28 | token |
+| JsonpController.java:102:36:102:72 | getParameter(...) : String | JsonpController.java:105:20:105:28 | resultStr |
+| JsonpController.java:104:25:104:59 | ... + ... : String | JsonpController.java:105:20:105:28 | resultStr |
+| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
+| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | JsonpInjectionServlet1.java:38:39:38:45 | referer |
+| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
+| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
+| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
+| RefererFilter.java:22:26:22:53 | getHeader(...) : String | RefererFilter.java:23:39:23:45 | refefer |
+nodes
+| JsonpController.java:26:32:26:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:30:21:30:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:38:32:38:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:40:21:40:80 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:49:32:49:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:51:21:51:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:59:32:59:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:61:21:61:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:69:32:69:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:76:21:76:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:84:32:84:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:90:21:90:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:99:24:99:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:101:24:101:28 | token | semmle.label | token |
+| JsonpController.java:102:36:102:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:104:25:104:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| JsonpInjectionServlet1.java:38:39:38:45 | referer | semmle.label | referer |
+| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
+| RefererFilter.java:22:26:22:53 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| RefererFilter.java:23:39:23:45 | refefer | semmle.label | refefer |
+#select
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/Readme b/java/ql/test/experimental/query-tests/security/CWE-352/Readme
new file mode 100644
index 00000000000..15715d6187c
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/Readme
@@ -0,0 +1,3 @@
+1. The JsonpInjection_1.expected result is obtained through the test of `JsonpController.java`.
+2. The JsonpInjection_2.expected result is obtained through the test of `JsonpController.java`, `JsonpInjectionServlet1.java`, `JsonpInjectionServlet2.java`.
+3. The JsonpInjection_3.expected result is obtained through the test of `JsonpController.java`, `JsonpInjectionServlet1.java`, `JsonpInjectionServlet2.java`, `RefererFilter.java`.
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/RefererFilter.java b/java/ql/test/experimental/query-tests/security/CWE-352/RefererFilter.java
new file mode 100644
index 00000000000..97444932ae1
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/RefererFilter.java
@@ -0,0 +1,43 @@
+import java.io.IOException;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.util.StringUtils;
+
+public class RefererFilter implements Filter {
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+    }
+
+    @Override
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+        HttpServletRequest request = (HttpServletRequest) servletRequest;
+        HttpServletResponse response = (HttpServletResponse) servletResponse;
+        String refefer = request.getHeader("Referer");
+        boolean result = verifReferer(refefer);
+        if (result){
+            filterChain.doFilter(servletRequest, servletResponse);
+        }
+        response.sendError(444, "Referer xxx.");
+    }
+
+    @Override
+    public void destroy() {
+    }
+
+    public static boolean verifReferer(String referer){
+        if (StringUtils.isEmpty(referer)){
+            return false;
+        }
+        if (referer.startsWith("http://www.baidu.com/")){
+            return true;
+        }
+        return false;
+    }
+}
diff --git a/java/ql/test/stubs/gson-2.8.6/com/google/gson/Gson.java b/java/ql/test/stubs/gson-2.8.6/com/google/gson/Gson.java
new file mode 100644
index 00000000000..bbe53dc2a5f
--- /dev/null
+++ b/java/ql/test/stubs/gson-2.8.6/com/google/gson/Gson.java
@@ -0,0 +1,7 @@
+package com.google.gson;
+
+public final class Gson {
+    public String toJson(Object src) {
+        return null;
+    }
+}
diff --git a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/StringUtils.java b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/StringUtils.java
new file mode 100644
index 00000000000..6ee07f84593
--- /dev/null
+++ b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/StringUtils.java
@@ -0,0 +1,8 @@
+package org.springframework.util;
+
+public abstract class StringUtils {
+
+    public static boolean isEmpty(Object str) {
+        return str == null || "".equals(str);
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/Filter.java b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/Filter.java
new file mode 100644
index 00000000000..5833e3c909d
--- /dev/null
+++ b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/Filter.java
@@ -0,0 +1,13 @@
+package javax.servlet;
+
+import java.io.IOException;
+
+public interface Filter {
+    default void init(FilterConfig filterConfig) throws ServletException {
+    }
+
+    void doFilter(ServletRequest var1, ServletResponse var2, FilterChain var3) throws IOException, ServletException;
+
+    default void destroy() {
+    }
+}
diff --git a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/FilterChain.java b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/FilterChain.java
new file mode 100644
index 00000000000..6a1dfc588b6
--- /dev/null
+++ b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/FilterChain.java
@@ -0,0 +1,8 @@
+package javax.servlet;
+
+import java.io.IOException;
+
+public interface FilterChain {
+    void doFilter(ServletRequest var1, ServletResponse var2) throws IOException, ServletException;
+}
+
diff --git a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/FilterConfig.java b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/FilterConfig.java
new file mode 100644
index 00000000000..66c13eb54f0
--- /dev/null
+++ b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/FilterConfig.java
@@ -0,0 +1,3 @@
+package javax.servlet;
+
+public interface FilterConfig {}
diff --git a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletException.java b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletException.java
new file mode 100644
index 00000000000..ce5f7c4465a
--- /dev/null
+++ b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletException.java
@@ -0,0 +1,8 @@
+package javax.servlet;
+
+public class ServletException extends Exception {
+    private static final long serialVersionUID = 1L;
+
+    public ServletException() {
+    }
+}
diff --git a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletRequest.java b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletRequest.java
new file mode 100644
index 00000000000..4ee0026d066
--- /dev/null
+++ b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletRequest.java
@@ -0,0 +1,87 @@
+package javax.servlet;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.Map;
+
+public interface ServletRequest {
+    Object getAttribute(String var1);
+
+    Enumeration<String> getAttributeNames();
+
+    String getCharacterEncoding();
+
+    void setCharacterEncoding(String var1) throws UnsupportedEncodingException;
+
+    int getContentLength();
+
+    long getContentLengthLong();
+
+    String getContentType();
+
+    ServletInputStream getInputStream() throws IOException;
+
+    String getParameter(String var1);
+
+    Enumeration<String> getParameterNames();
+
+    String[] getParameterValues(String var1);
+
+    Map<String, String[]> getParameterMap();
+
+    String getProtocol();
+
+    String getScheme();
+
+    String getServerName();
+
+    int getServerPort();
+
+    BufferedReader getReader() throws IOException;
+
+    String getRemoteAddr();
+
+    String getRemoteHost();
+
+    void setAttribute(String var1, Object var2);
+
+    void removeAttribute(String var1);
+
+    Locale getLocale();
+
+    Enumeration<Locale> getLocales();
+
+    boolean isSecure();
+
+    RequestDispatcher getRequestDispatcher(String var1);
+
+    /** @deprecated */
+    @Deprecated
+    String getRealPath(String var1);
+
+    int getRemotePort();
+
+    String getLocalName();
+
+    String getLocalAddr();
+
+    int getLocalPort();
+
+    ServletContext getServletContext();
+
+    AsyncContext startAsync() throws IllegalStateException;
+
+    AsyncContext startAsync(ServletRequest var1, ServletResponse var2) throws IllegalStateException;
+
+    boolean isAsyncStarted();
+
+    boolean isAsyncSupported();
+
+    AsyncContext getAsyncContext();
+
+    DispatcherType getDispatcherType();
+}
+
diff --git a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletResponse.java b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletResponse.java
new file mode 100644
index 00000000000..0aa6121e686
--- /dev/null
+++ b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletResponse.java
@@ -0,0 +1,39 @@
+package javax.servlet;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.Locale;
+
+public interface ServletResponse {
+    String getCharacterEncoding();
+
+    String getContentType();
+
+    ServletOutputStream getOutputStream() throws IOException;
+
+    PrintWriter getWriter() throws IOException;
+
+    void setCharacterEncoding(String var1);
+
+    void setContentLength(int var1);
+
+    void setContentLengthLong(long var1);
+
+    void setContentType(String var1);
+
+    void setBufferSize(int var1);
+
+    int getBufferSize();
+
+    void flushBuffer() throws IOException;
+
+    void resetBuffer();
+
+    boolean isCommitted();
+
+    void reset();
+
+    void setLocale(Locale var1);
+
+    Locale getLocale();
+}
diff --git a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/http/HttpServletRequest.java b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/http/HttpServletRequest.java
new file mode 100644
index 00000000000..02d53a96a33
--- /dev/null
+++ b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/http/HttpServletRequest.java
@@ -0,0 +1,116 @@
+package javax.servlet.http;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.Map;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+
+public interface HttpServletRequest extends ServletRequest {
+    String BASIC_AUTH = "BASIC";
+    String FORM_AUTH = "FORM";
+    String CLIENT_CERT_AUTH = "CLIENT_CERT";
+    String DIGEST_AUTH = "DIGEST";
+
+    String getAuthType();
+
+    Cookie[] getCookies();
+
+    long getDateHeader(String var1);
+
+    String getHeader(String var1);
+
+    Enumeration<String> getHeaders(String var1);
+
+    Enumeration<String> getHeaderNames();
+
+    int getIntHeader(String var1);
+
+    default HttpServletMapping getHttpServletMapping() {
+        return new HttpServletMapping() {
+            public String getMatchValue() {
+                return "";
+            }
+
+            public String getPattern() {
+                return "";
+            }
+
+            public String getServletName() {
+                return "";
+            }
+
+            public MappingMatch getMappingMatch() {
+                return null;
+            }
+        };
+    }
+
+    String getMethod();
+
+    String getPathInfo();
+
+    String getPathTranslated();
+
+    default PushBuilder newPushBuilder() {
+        return null;
+    }
+
+    String getContextPath();
+
+    String getQueryString();
+
+    String getRemoteUser();
+
+    boolean isUserInRole(String var1);
+
+    Principal getUserPrincipal();
+
+    String getRequestedSessionId();
+
+    String getRequestURI();
+
+    StringBuffer getRequestURL();
+
+    String getServletPath();
+
+    HttpSession getSession(boolean var1);
+
+    HttpSession getSession();
+
+    String changeSessionId();
+
+    boolean isRequestedSessionIdValid();
+
+    boolean isRequestedSessionIdFromCookie();
+
+    boolean isRequestedSessionIdFromURL();
+
+    /** @deprecated */
+    @Deprecated
+    boolean isRequestedSessionIdFromUrl();
+
+    boolean authenticate(HttpServletResponse var1) throws IOException, ServletException;
+
+    void login(String var1, String var2) throws ServletException;
+
+    void logout() throws ServletException;
+
+    Collection<Part> getParts() throws IOException, ServletException;
+
+    Part getPart(String var1) throws IOException, ServletException;
+
+    <T extends HttpUpgradeHandler> T upgrade(Class<T> var1) throws IOException, ServletException;
+
+    default Map<String, String> getTrailerFields() {
+        return Collections.emptyMap();
+    }
+
+    default boolean isTrailerFieldsReady() {
+        return false;
+    }
+}
+
diff --git a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/http/HttpServletResponse.java b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/http/HttpServletResponse.java
new file mode 100644
index 00000000000..0a2c6af0913
--- /dev/null
+++ b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/http/HttpServletResponse.java
@@ -0,0 +1,106 @@
+package javax.servlet.http;
+
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Map;
+import java.util.function.Supplier;
+import javax.servlet.ServletResponse;
+
+public interface HttpServletResponse extends ServletResponse {
+    int SC_CONTINUE = 100;
+    int SC_SWITCHING_PROTOCOLS = 101;
+    int SC_OK = 200;
+    int SC_CREATED = 201;
+    int SC_ACCEPTED = 202;
+    int SC_NON_AUTHORITATIVE_INFORMATION = 203;
+    int SC_NO_CONTENT = 204;
+    int SC_RESET_CONTENT = 205;
+    int SC_PARTIAL_CONTENT = 206;
+    int SC_MULTIPLE_CHOICES = 300;
+    int SC_MOVED_PERMANENTLY = 301;
+    int SC_MOVED_TEMPORARILY = 302;
+    int SC_FOUND = 302;
+    int SC_SEE_OTHER = 303;
+    int SC_NOT_MODIFIED = 304;
+    int SC_USE_PROXY = 305;
+    int SC_TEMPORARY_REDIRECT = 307;
+    int SC_BAD_REQUEST = 400;
+    int SC_UNAUTHORIZED = 401;
+    int SC_PAYMENT_REQUIRED = 402;
+    int SC_FORBIDDEN = 403;
+    int SC_NOT_FOUND = 404;
+    int SC_METHOD_NOT_ALLOWED = 405;
+    int SC_NOT_ACCEPTABLE = 406;
+    int SC_PROXY_AUTHENTICATION_REQUIRED = 407;
+    int SC_REQUEST_TIMEOUT = 408;
+    int SC_CONFLICT = 409;
+    int SC_GONE = 410;
+    int SC_LENGTH_REQUIRED = 411;
+    int SC_PRECONDITION_FAILED = 412;
+    int SC_REQUEST_ENTITY_TOO_LARGE = 413;
+    int SC_REQUEST_URI_TOO_LONG = 414;
+    int SC_UNSUPPORTED_MEDIA_TYPE = 415;
+    int SC_REQUESTED_RANGE_NOT_SATISFIABLE = 416;
+    int SC_EXPECTATION_FAILED = 417;
+    int SC_INTERNAL_SERVER_ERROR = 500;
+    int SC_NOT_IMPLEMENTED = 501;
+    int SC_BAD_GATEWAY = 502;
+    int SC_SERVICE_UNAVAILABLE = 503;
+    int SC_GATEWAY_TIMEOUT = 504;
+    int SC_HTTP_VERSION_NOT_SUPPORTED = 505;
+
+    void addCookie(Cookie var1);
+
+    boolean containsHeader(String var1);
+
+    String encodeURL(String var1);
+
+    String encodeRedirectURL(String var1);
+
+    /** @deprecated */
+    @Deprecated
+    String encodeUrl(String var1);
+
+    /** @deprecated */
+    @Deprecated
+    String encodeRedirectUrl(String var1);
+
+    void sendError(int var1, String var2) throws IOException;
+
+    void sendError(int var1) throws IOException;
+
+    void sendRedirect(String var1) throws IOException;
+
+    void setDateHeader(String var1, long var2);
+
+    void addDateHeader(String var1, long var2);
+
+    void setHeader(String var1, String var2);
+
+    void addHeader(String var1, String var2);
+
+    void setIntHeader(String var1, int var2);
+
+    void addIntHeader(String var1, int var2);
+
+    void setStatus(int var1);
+
+    /** @deprecated */
+    @Deprecated
+    void setStatus(int var1, String var2);
+
+    int getStatus();
+
+    String getHeader(String var1);
+
+    Collection<String> getHeaders(String var1);
+
+    Collection<String> getHeaderNames();
+
+    default void setTrailerFields(Supplier<Map<String, String>> supplier) {
+    }
+
+    default Supplier<Map<String, String>> getTrailerFields() {
+        return null;
+    }
+}

From 01c13c470350c2784d427c5a47d68a198a503fd1 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Thu, 4 Mar 2021 16:14:11 +0300
Subject: [PATCH 0029/1429] Add files via upload

---
 ...ratorPrecedenceLogicErrorWhenUseBoolType.c | 11 +++++
 ...rPrecedenceLogicErrorWhenUseBoolType.qhelp | 28 +++++++++++
 ...atorPrecedenceLogicErrorWhenUseBoolType.ql | 48 +++++++++++++++++++
 3 files changed, 87 insertions(+)
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.c
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.qhelp
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.c b/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.c
new file mode 100644
index 00000000000..8458d82f7ad
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.c
@@ -0,0 +1,11 @@
+if(len=funcReadData()==0) return 1; // BAD: variable `len` will not equal the value returned by function `funcReadData()`
+...
+if((len=funcReadData())==0) return 1; // GOOD: variable `len` equal the value returned by function `funcReadData()`
+...
+bool a=true;
+a++;// BAD: variable `a` does not change its meaning
+bool b;
+b=-a;// BAD: variable `b` equal `true`
+...
+a=false;// GOOD: variable `a` equal `false`
+b=!a;// GOOD: variable `b` equal `false`
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.qhelp
new file mode 100644
index 00000000000..8114da831fe
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.qhelp
@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Finding places of confusing use of boolean type. For example, a unary minus does not work before a boolean type and an increment always gives true.</p>
+
+
+</overview>
+<recommendation>
+
+<p>we recommend making the code simpler.</p>
+
+</recommendation>
+<example>
+<p>The following example demonstrates erroneous and fixed methods for using a boolean data type.</p>
+<sample src="OperatorPrecedenceLogicErrorWhenUseBoolType.c" />
+
+</example>
+<references>
+
+<li>
+  CERT C Coding Standard:
+  <a href="https://wiki.sei.cmu.edu/confluence/display/c/EXP00-C.+Use+parentheses+for+precedence+of+operation">EXP00-C. Use parentheses for precedence of operation</a>.
+</li>
+
+</references>
+</qhelp>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql b/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
new file mode 100644
index 00000000000..1a116a83dbf
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
@@ -0,0 +1,48 @@
+/**
+ * @name Operator Precedence Logic Error When Use Bool Type
+ * @description --Finding places of confusing use of boolean type.
+ *              --For example, a unary minus does not work before a boolean type and an increment always gives true.
+ * @kind problem
+ * @id cpp/operator-precedence-logic-error-when-use-bool-type
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-783
+ *       external/cwe/cwe-480
+ */
+
+import cpp
+import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+
+/** Holds, if it is an expression, a boolean increment. */
+predicate incrementBoolType(Expr exp) {
+  exp.(IncrementOperation).getOperand().getType() instanceof BoolType
+}
+
+/** Holds, if this is an expression, applies a minus to a boolean type. */
+predicate revertSignBoolType(Expr exp) {
+  exp.(AssignExpr).getRValue().(UnaryMinusExpr).getAnOperand().getType() instanceof BoolType and
+  exp.(AssignExpr).getLValue().getType() instanceof BoolType
+}
+
+/** Holds, if this is an expression, uses comparison and assignment outside of execution precedence. */
+predicate assignBoolType(Expr exp) {
+  exists(ComparisonOperation co |
+    exp.(AssignExpr).getRValue() = co and
+    exp.isCondition() and
+    not co.isParenthesised() and
+    not exp.(AssignExpr).getLValue().getType() instanceof BoolType and
+    co.getLeftOperand() instanceof FunctionCall and
+    not co.getRightOperand().getType() instanceof BoolType and
+    not co.getRightOperand().getValue() = "0" and
+    not co.getRightOperand().getValue() = "1"
+  )
+}
+
+from Expr exp
+where
+  incrementBoolType(exp) or
+  revertSignBoolType(exp) or
+  assignBoolType(exp)
+select exp, "this expression needs attention"

From 10cc57428907c41e08786242051028c996935ef3 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Thu, 4 Mar 2021 16:15:26 +0300
Subject: [PATCH 0030/1429] Add files via upload

---
 ...ecedenceLogicErrorWhenUseBoolType.expected |  5 ++++
 ...rPrecedenceLogicErrorWhenUseBoolType.qlref |  1 +
 .../CWE/CWE-788/semmle/tests/test.cpp         | 26 +++++++++++++++++++
 3 files changed, 32 insertions(+)
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.expected
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.qlref
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.cpp

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.expected
new file mode 100644
index 00000000000..76062fc360a
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.expected
@@ -0,0 +1,5 @@
+| test.cpp:10:3:10:10 | ... = ... | this expression needs attention |
+| test.cpp:12:3:12:6 | ... ++ | this expression needs attention |
+| test.cpp:13:3:13:6 | ++ ... | this expression needs attention |
+| test.cpp:14:6:14:21 | ... = ... | this expression needs attention |
+| test.cpp:16:6:16:21 | ... = ... | this expression needs attention |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.qlref
new file mode 100644
index 00000000000..5189abcce5d
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.cpp
new file mode 100644
index 00000000000..f08d2a45757
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.cpp
@@ -0,0 +1,26 @@
+int tmpFunc()
+{
+  return 12;
+}
+void testFunction()
+{
+  int i1,i2,i3;
+  bool b1,b2,b3;
+  char c1,c2,c3;
+  b1 = -b2; //BAD
+  b1 = !b2; //GOOD
+  b1++; //BAD
+  ++b1; //BAD
+  if(i1=tmpFunc()!=i2) //BAD
+    return;
+  if(i1=tmpFunc()!=11) //BAD
+    return;
+  if((i1=tmpFunc())!=i2) //GOOD
+    return;
+  if((i1=tmpFunc())!=11) //GOOD
+    return;
+  if(i1=tmpFunc()!=1) //GOOD
+    return;
+  if(i1=tmpFunc()==b1) //GOOD
+    return;
+}

From 919c6b4b0aae6053a1b4b4d1e3657ac50e4a94f5 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Fri, 5 Mar 2021 02:50:54 +0000
Subject: [PATCH 0031/1429] Optimize flow steps

---
 .../CWE-1004/SensitiveCookieNotHttpOnly.ql    | 36 ++++++++++---------
 .../SensitiveCookieNotHttpOnly.expected       | 10 ++++--
 .../CWE-1004/SensitiveCookieNotHttpOnly.java  | 13 +++++--
 3 files changed, 37 insertions(+), 22 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
index d9104cbad97..f22e99e567c 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -8,6 +8,7 @@
  */
 
 import java
+import semmle.code.java.dataflow.FlowSteps
 import semmle.code.java.frameworks.Servlets
 import semmle.code.java.dataflow.TaintTracking
 import DataFlow::PathGraph
@@ -41,18 +42,31 @@ class SetCookieMethodAccess extends MethodAccess {
   }
 }
 
+/** The cookie class of Java EE. */
+class CookieClass extends RefType {
+  CookieClass() {
+    this.getASupertype*()
+        .hasQualifiedName(["javax.servlet.http", "javax.ws.rs.core", "jakarta.ws.rs.core"], "Cookie")
+  }
+}
+
+/** The method call `toString` to get a stringified cookie representation. */
+class CookieInstanceExpr extends TaintPreservingCallable {
+  CookieInstanceExpr() {
+    this.getDeclaringType() instanceof CookieClass and
+    this.hasName("toString")
+  }
+
+  override predicate returnsTaintFrom(int arg) { arg = -1 }
+}
+
 /** Sensitive cookie name used in a `Cookie` constructor or a `Set-Cookie` call. */
 class SensitiveCookieNameExpr extends Expr {
   SensitiveCookieNameExpr() {
     exists(
       ClassInstanceExpr cie // new Cookie("jwt_token", token)
     |
-      (
-        cie.getConstructedType().hasQualifiedName("javax.servlet.http", "Cookie") or
-        cie.getConstructedType()
-            .getASupertype*()
-            .hasQualifiedName(["javax.ws.rs.core", "jakarta.ws.rs.core"], "Cookie")
-      ) and
+      cie.getConstructedType() instanceof CookieClass and
       this = cie and
       isSensitiveCookieNameExpr(cie.getArgument(0))
     )
@@ -169,16 +183,6 @@ class MissingHttpOnlyConfiguration extends TaintTracking::Configuration {
     // Test class or method
     isTestMethod(node)
   }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(
-      MethodAccess ma // `toString` call on a cookie object
-    |
-      ma.getQualifier() = pred.asExpr() and
-      ma.getMethod().hasName("toString") and
-      ma = succ.asExpr()
-    )
-  }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, MissingHttpOnlyConfiguration c
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
index e2d05a9b24d..5ccd2bb19f9 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
@@ -1,13 +1,17 @@
 edges
-| SensitiveCookieNotHttpOnly.java:22:27:22:60 | new Cookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie |
+| SensitiveCookieNotHttpOnly.java:22:28:22:61 | new Cookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie |
 | SensitiveCookieNotHttpOnly.java:49:42:49:113 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) |
+| SensitiveCookieNotHttpOnly.java:60:37:60:115 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:62:42:62:47 | keyStr |
 nodes
-| SensitiveCookieNotHttpOnly.java:22:27:22:60 | new Cookie(...) : Cookie | semmle.label | new Cookie(...) : Cookie |
+| SensitiveCookieNotHttpOnly.java:22:28:22:61 | new Cookie(...) : Cookie | semmle.label | new Cookie(...) : Cookie |
 | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | semmle.label | jwtCookie |
 | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | semmle.label | ... + ... |
 | SensitiveCookieNotHttpOnly.java:49:42:49:113 | new NewCookie(...) : NewCookie | semmle.label | new NewCookie(...) : NewCookie |
 | SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) | semmle.label | toString(...) |
+| SensitiveCookieNotHttpOnly.java:60:37:60:115 | new NewCookie(...) : NewCookie | semmle.label | new NewCookie(...) : NewCookie |
+| SensitiveCookieNotHttpOnly.java:62:42:62:47 | keyStr | semmle.label | keyStr |
 #select
-| SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | SensitiveCookieNotHttpOnly.java:22:27:22:60 | new Cookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:22:27:22:60 | new Cookie(...) | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | SensitiveCookieNotHttpOnly.java:22:28:22:61 | new Cookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:22:28:22:61 | new Cookie(...) | This sensitive cookie |
 | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | This sensitive cookie |
 | SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) | SensitiveCookieNotHttpOnly.java:49:42:49:113 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:49:42:49:113 | new NewCookie(...) | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:62:42:62:47 | keyStr | SensitiveCookieNotHttpOnly.java:60:37:60:115 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:62:42:62:47 | keyStr | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:60:37:60:115 | new NewCookie(...) | This sensitive cookie |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
index 5e4f349f7c8..1d1e6986b44 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
@@ -10,7 +10,7 @@ import javax.ws.rs.core.NewCookie;
 class SensitiveCookieNotHttpOnly {
     // GOOD - Tests adding a sensitive cookie with the `HttpOnly` flag set.
     public void addCookie(String jwt_token, HttpServletRequest request, HttpServletResponse response) {
-        Cookie jwtCookie =new Cookie("jwt_token", jwt_token);
+        Cookie jwtCookie = new Cookie("jwt_token", jwt_token);
         jwtCookie.setPath("/");
         jwtCookie.setMaxAge(3600*24*7);
         jwtCookie.setHttpOnly(true);
@@ -19,8 +19,8 @@ class SensitiveCookieNotHttpOnly {
 
     // BAD - Tests adding a sensitive cookie without the `HttpOnly` flag set.
     public void addCookie2(String jwt_token, String userId, HttpServletRequest request, HttpServletResponse response) {
-        Cookie jwtCookie =new Cookie("jwt_token", jwt_token);
-        Cookie userIdCookie =new Cookie("user_id", userId.toString());
+        Cookie jwtCookie = new Cookie("jwt_token", jwt_token);
+        Cookie userIdCookie = new Cookie("user_id", userId);
         jwtCookie.setPath("/");
         userIdCookie.setPath("/");
         jwtCookie.setMaxAge(3600*24*7);
@@ -54,4 +54,11 @@ class SensitiveCookieNotHttpOnly {
         NewCookie accessKeyCookie = new NewCookie("session-access-key", accessKey, "/", null, null, 0, true, true);
         response.setHeader("Set-Cookie", accessKeyCookie.toString());
     }
+
+    // BAD - Tests set a sensitive cookie header using the class `javax.ws.rs.core.Cookie` without the `HttpOnly` flag set.
+    public void addCookie8(String accessKey, HttpServletRequest request, HttpServletResponse response) {
+        NewCookie accessKeyCookie = new NewCookie("session-access-key", accessKey, "/", null, 0, null, 86400, true);
+        String keyStr = accessKeyCookie.toString();
+        response.setHeader("Set-Cookie", keyStr);
+    }
 }

From a93aabab408442a96a9ae8e46718f94291b269b8 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Fri, 5 Mar 2021 03:05:49 +0000
Subject: [PATCH 0032/1429] Add the toString() method

---
 .../jsr311-api-1.1.1/javax/ws/rs/core/NewCookie.java  | 11 +++++++++++
 .../servlet-api-2.4/javax/servlet/http/Cookie.java    | 11 +++++++++++
 2 files changed, 22 insertions(+)

diff --git a/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/NewCookie.java b/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/NewCookie.java
index 7f2e3ec0535..26279d7fe0a 100644
--- a/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/NewCookie.java
+++ b/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/NewCookie.java
@@ -320,4 +320,15 @@ public class NewCookie extends Cookie {
     public Cookie toCookie() {
         return null;
     }
+
+    /**
+     * Convert the cookie to a string suitable for use as the value of the
+     * corresponding HTTP header.
+     *
+     * @return a stringified cookie.
+     */
+    @Override
+    public String toString() {
+        return null;
+    }    
 }
\ No newline at end of file
diff --git a/java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/Cookie.java b/java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/Cookie.java
index a93fec853e0..47b1d883e47 100644
--- a/java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/Cookie.java
+++ b/java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/Cookie.java
@@ -114,4 +114,15 @@ public class Cookie implements Cloneable {
     public boolean isHttpOnly() {
         return isHttpOnly;
     }
+
+    /**
+     * Convert the cookie to a string suitable for use as the value of the
+     * corresponding HTTP header.
+     *
+     * @return a stringified cookie.
+     */
+    @Override
+    public String toString() {
+        return null;
+    }    
 }

From 7d556b354de8cec425caab93fcdd9db0a1ac5ffc Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 5 Mar 2021 09:16:35 +0100
Subject: [PATCH 0033/1429] Python: Update test annotation and expectation

---
 .../test/query-tests/Security/CWE-327/InsecureProtocol.expected | 2 ++
 python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py       | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
index afd9cc15d9f..f4202a4634d 100644
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
@@ -38,3 +38,5 @@
 | ssl_fluent.py:124:14:124:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:122:5:122:11 | ControlFlowNode for context | context modification |
 | ssl_fluent.py:173:14:173:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:170:5:170:11 | ControlFlowNode for context | context modification |
 | ssl_fluent.py:192:14:192:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@  | ssl_fluent.py:189:5:189:11 | ControlFlowNode for context | context modification |
+| ssl_fluent.py:192:14:192:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:188:15:188:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
+| ssl_fluent.py:192:14:192:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:188:15:188:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
diff --git a/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py b/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
index ab65e3bd206..577f342765e 100644
--- a/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
+++ b/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
@@ -189,5 +189,5 @@ def test_fluent_explicitly_unsafe():
     context.options &= ~ssl.OP_NO_SSLv3
 
     with socket.create_connection((hostname, 443)) as sock:
-        with context.wrap_socket(sock, server_hostname=hostname) as ssock:  # SSLv3 not flagged here
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
             print(ssock.version())

From 31eaa80f5b881531bc66551e568fed1ffc380325 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Sat, 6 Mar 2021 00:56:15 +0000
Subject: [PATCH 0034/1429] Revamp the source

---
 .../CWE-1004/SensitiveCookieNotHttpOnly.ql    | 24 ++++------
 .../SensitiveCookieNotHttpOnly.expected       | 44 +++++++++++++------
 .../CWE-1004/SensitiveCookieNotHttpOnly.java  |  9 +++-
 3 files changed, 46 insertions(+), 31 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
index f22e99e567c..229a9d50325 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -60,24 +60,16 @@ class CookieInstanceExpr extends TaintPreservingCallable {
   override predicate returnsTaintFrom(int arg) { arg = -1 }
 }
 
+/** The cookie constructor. */
+class CookieTaintPreservingConstructor extends Constructor, TaintPreservingCallable {
+  CookieTaintPreservingConstructor() { this.getDeclaringType() instanceof CookieClass }
+
+  override predicate returnsTaintFrom(int arg) { arg = 0 }
+}
+
 /** Sensitive cookie name used in a `Cookie` constructor or a `Set-Cookie` call. */
 class SensitiveCookieNameExpr extends Expr {
-  SensitiveCookieNameExpr() {
-    exists(
-      ClassInstanceExpr cie // new Cookie("jwt_token", token)
-    |
-      cie.getConstructedType() instanceof CookieClass and
-      this = cie and
-      isSensitiveCookieNameExpr(cie.getArgument(0))
-    )
-    or
-    exists(
-      SetCookieMethodAccess ma // response.addHeader("Set-Cookie: token=" +authId + ";HttpOnly;Secure")
-    |
-      this = ma.getArgument(1) and
-      isSensitiveCookieNameExpr(this)
-    )
-  }
+  SensitiveCookieNameExpr() { isSensitiveCookieNameExpr(this) }
 }
 
 /** Sink of adding a cookie to the HTTP response. */
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
index 5ccd2bb19f9..c9fe15d4082 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
@@ -1,17 +1,33 @@
 edges
-| SensitiveCookieNotHttpOnly.java:22:28:22:61 | new Cookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie |
-| SensitiveCookieNotHttpOnly.java:49:42:49:113 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) |
-| SensitiveCookieNotHttpOnly.java:60:37:60:115 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:62:42:62:47 | keyStr |
+| SensitiveCookieNotHttpOnly.java:22:33:22:43 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:29:28:29:36 | jwtCookie |
+| SensitiveCookieNotHttpOnly.java:40:42:40:49 | "token=" : String | SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... |
+| SensitiveCookieNotHttpOnly.java:40:42:40:57 | ... + ... : String | SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... |
+| SensitiveCookieNotHttpOnly.java:50:56:50:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:50:42:50:124 | toString(...) |
+| SensitiveCookieNotHttpOnly.java:61:51:61:70 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:63:42:63:47 | keyStr |
+| SensitiveCookieNotHttpOnly.java:68:28:68:35 | "token=" : String | SensitiveCookieNotHttpOnly.java:69:42:69:50 | secString |
+| SensitiveCookieNotHttpOnly.java:68:28:68:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:69:42:69:50 | secString |
+| SensitiveCookieNotHttpOnly.java:68:28:68:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:69:42:69:50 | secString |
 nodes
-| SensitiveCookieNotHttpOnly.java:22:28:22:61 | new Cookie(...) : Cookie | semmle.label | new Cookie(...) : Cookie |
-| SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | semmle.label | jwtCookie |
-| SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | semmle.label | ... + ... |
-| SensitiveCookieNotHttpOnly.java:49:42:49:113 | new NewCookie(...) : NewCookie | semmle.label | new NewCookie(...) : NewCookie |
-| SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) | semmle.label | toString(...) |
-| SensitiveCookieNotHttpOnly.java:60:37:60:115 | new NewCookie(...) : NewCookie | semmle.label | new NewCookie(...) : NewCookie |
-| SensitiveCookieNotHttpOnly.java:62:42:62:47 | keyStr | semmle.label | keyStr |
+| SensitiveCookieNotHttpOnly.java:22:33:22:43 | "jwt_token" : String | semmle.label | "jwt_token" : String |
+| SensitiveCookieNotHttpOnly.java:29:28:29:36 | jwtCookie | semmle.label | jwtCookie |
+| SensitiveCookieNotHttpOnly.java:40:42:40:49 | "token=" : String | semmle.label | "token=" : String |
+| SensitiveCookieNotHttpOnly.java:40:42:40:57 | ... + ... : String | semmle.label | ... + ... : String |
+| SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... | semmle.label | ... + ... |
+| SensitiveCookieNotHttpOnly.java:50:42:50:124 | toString(...) | semmle.label | toString(...) |
+| SensitiveCookieNotHttpOnly.java:50:56:50:75 | "session-access-key" : String | semmle.label | "session-access-key" : String |
+| SensitiveCookieNotHttpOnly.java:61:51:61:70 | "session-access-key" : String | semmle.label | "session-access-key" : String |
+| SensitiveCookieNotHttpOnly.java:63:42:63:47 | keyStr | semmle.label | keyStr |
+| SensitiveCookieNotHttpOnly.java:68:28:68:35 | "token=" : String | semmle.label | "token=" : String |
+| SensitiveCookieNotHttpOnly.java:68:28:68:43 | ... + ... : String | semmle.label | ... + ... : String |
+| SensitiveCookieNotHttpOnly.java:68:28:68:55 | ... + ... : String | semmle.label | ... + ... : String |
+| SensitiveCookieNotHttpOnly.java:69:42:69:50 | secString | semmle.label | secString |
 #select
-| SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | SensitiveCookieNotHttpOnly.java:22:28:22:61 | new Cookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:28:28:28:36 | jwtCookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:22:28:22:61 | new Cookie(...) | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:39:42:39:69 | ... + ... | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) | SensitiveCookieNotHttpOnly.java:49:42:49:113 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:49:42:49:124 | toString(...) | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:49:42:49:113 | new NewCookie(...) | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:62:42:62:47 | keyStr | SensitiveCookieNotHttpOnly.java:60:37:60:115 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:62:42:62:47 | keyStr | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:60:37:60:115 | new NewCookie(...) | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:29:28:29:36 | jwtCookie | SensitiveCookieNotHttpOnly.java:22:33:22:43 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:29:28:29:36 | jwtCookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:22:33:22:43 | "jwt_token" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... | SensitiveCookieNotHttpOnly.java:40:42:40:49 | "token=" : String | SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:40:42:40:49 | "token=" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... | SensitiveCookieNotHttpOnly.java:40:42:40:57 | ... + ... : String | SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:40:42:40:57 | ... + ... | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... | SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... | SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:50:42:50:124 | toString(...) | SensitiveCookieNotHttpOnly.java:50:56:50:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:50:42:50:124 | toString(...) | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:50:56:50:75 | "session-access-key" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:63:42:63:47 | keyStr | SensitiveCookieNotHttpOnly.java:61:51:61:70 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:63:42:63:47 | keyStr | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:61:51:61:70 | "session-access-key" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:69:42:69:50 | secString | SensitiveCookieNotHttpOnly.java:68:28:68:35 | "token=" : String | SensitiveCookieNotHttpOnly.java:69:42:69:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:68:28:68:35 | "token=" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:69:42:69:50 | secString | SensitiveCookieNotHttpOnly.java:68:28:68:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:69:42:69:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:68:28:68:43 | ... + ... | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:69:42:69:50 | secString | SensitiveCookieNotHttpOnly.java:68:28:68:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:69:42:69:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:68:28:68:55 | ... + ... | This sensitive cookie |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
index 1d1e6986b44..6572577a697 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
@@ -19,7 +19,8 @@ class SensitiveCookieNotHttpOnly {
 
     // BAD - Tests adding a sensitive cookie without the `HttpOnly` flag set.
     public void addCookie2(String jwt_token, String userId, HttpServletRequest request, HttpServletResponse response) {
-        Cookie jwtCookie = new Cookie("jwt_token", jwt_token);
+        String tokenCookieStr = "jwt_token";
+        Cookie jwtCookie = new Cookie(tokenCookieStr, jwt_token);
         Cookie userIdCookie = new Cookie("user_id", userId);
         jwtCookie.setPath("/");
         userIdCookie.setPath("/");
@@ -61,4 +62,10 @@ class SensitiveCookieNotHttpOnly {
         String keyStr = accessKeyCookie.toString();
         response.setHeader("Set-Cookie", keyStr);
     }
+
+    // BAD - Tests set a sensitive cookie header using a variable without the `HttpOnly` flag set.
+    public void addCookie9(String authId, HttpServletRequest request, HttpServletResponse response) {
+        String secString = "token=" +authId + ";Secure";
+        response.addHeader("Set-Cookie", secString);
+    }    
 }

From 48975fa7d220b7debe5d0c8a0b84c8ec64351435 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Wed, 10 Mar 2021 00:17:26 +0000
Subject: [PATCH 0035/1429] Replace sanitizers

---
 .../CWE-1004/SensitiveCookieNotHttpOnly.ql    | 105 +++++++-----------
 1 file changed, 41 insertions(+), 64 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
index 229a9d50325..716975d0486 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -50,23 +50,6 @@ class CookieClass extends RefType {
   }
 }
 
-/** The method call `toString` to get a stringified cookie representation. */
-class CookieInstanceExpr extends TaintPreservingCallable {
-  CookieInstanceExpr() {
-    this.getDeclaringType() instanceof CookieClass and
-    this.hasName("toString")
-  }
-
-  override predicate returnsTaintFrom(int arg) { arg = -1 }
-}
-
-/** The cookie constructor. */
-class CookieTaintPreservingConstructor extends Constructor, TaintPreservingCallable {
-  CookieTaintPreservingConstructor() { this.getDeclaringType() instanceof CookieClass }
-
-  override predicate returnsTaintFrom(int arg) { arg = 0 }
-}
-
 /** Sensitive cookie name used in a `Cookie` constructor or a `Set-Cookie` call. */
 class SensitiveCookieNameExpr extends Expr {
   SensitiveCookieNameExpr() { isSensitiveCookieNameExpr(this) }
@@ -78,55 +61,58 @@ class CookieResponseSink extends DataFlow::ExprNode {
     exists(MethodAccess ma |
       (
         ma.getMethod() instanceof ResponseAddCookieMethod and
-        this.getExpr() = ma.getArgument(0)
+        this.getExpr() = ma.getArgument(0) and
+        not exists(
+          MethodAccess ma2 // cookie.setHttpOnly(true)
+        |
+          ma2.getMethod().getName() = "setHttpOnly" and
+          ma2.getArgument(0).(BooleanLiteral).getBooleanValue() = true and
+          DataFlow::localExprFlow(ma2.getQualifier(), this.getExpr())
+        )
         or
         ma instanceof SetCookieMethodAccess and
-        this.getExpr() = ma.getArgument(1)
+        this.getExpr() = ma.getArgument(1) and
+        not hasHttpOnlyExpr(this.getExpr()) // response.addHeader("Set-Cookie", "token=" +authId + ";HttpOnly;Secure")
       )
     )
   }
 }
 
-/**
- * Holds if `node` is an access to a variable which has `setHttpOnly(true)` called on it and is also
- * the first argument to a call to the method `addCookie` of `javax.servlet.http.HttpServletResponse`.
- */
-predicate setHttpOnlyMethodAccess(DataFlow::Node node) {
-  exists(
-    MethodAccess addCookie, Variable cookie, MethodAccess m // jwtCookie.setHttpOnly(true)
-  |
-    addCookie.getMethod() instanceof ResponseAddCookieMethod and
-    addCookie.getArgument(0) = cookie.getAnAccess() and
-    m.getMethod().getName() = "setHttpOnly" and
-    m.getArgument(0).(BooleanLiteral).getBooleanValue() = true and
-    m.getQualifier() = cookie.getAnAccess() and
-    node.asExpr() = cookie.getAnAccess()
-  )
+/** A JAX-RS `NewCookie` constructor that sets `HttpOnly` to true. */
+class HttpOnlyNewCookie extends ClassInstanceExpr {
+  HttpOnlyNewCookie() {
+    this.getConstructedType()
+        .hasQualifiedName(["javax.ws.rs.core", "jakarta.ws.rs.core"], "NewCookie") and
+    (
+      this.getNumArgument() = 6 and this.getArgument(5).(BooleanLiteral).getBooleanValue() = true // NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
+      or
+      this.getNumArgument() = 8 and
+      this.getArgument(6).getType() instanceof BooleanType and
+      this.getArgument(7).(BooleanLiteral).getBooleanValue() = true // NewCookie(String name, String value, String path, String domain, String comment, int maxAge, boolean secure, boolean httpOnly)
+      or
+      this.getNumArgument() = 10 and this.getArgument(9).(BooleanLiteral).getBooleanValue() = true // NewCookie(String name, String value, String path, String domain, int version, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
+    )
+  }
 }
 
-/**
- * Holds if `node` is a string that contains `httponly` and which flows to the second argument
- * of a method to set a cookie.
- */
-predicate setHttpOnlyInSetCookie(DataFlow::Node node) {
-  exists(SetCookieMethodAccess sa |
-    hasHttpOnlyExpr(node.asExpr()) and
-    DataFlow::localExprFlow(node.asExpr(), sa.getArgument(1))
-  )
+/** The cookie constructor. */
+class CookieTaintPreservingConstructor extends Constructor, TaintPreservingCallable {
+  CookieTaintPreservingConstructor() {
+    this.getDeclaringType() instanceof CookieClass and
+    not exists(HttpOnlyNewCookie hie | hie.getConstructor() = this)
+  }
+
+  override predicate returnsTaintFrom(int arg) { arg = 0 }
 }
 
-/** Holds if `cie` is an invocation of a JAX-RS `NewCookie` constructor that sets `HttpOnly` to true. */
-predicate setHttpOnlyInNewCookie(ClassInstanceExpr cie) {
-  cie.getConstructedType().hasQualifiedName(["javax.ws.rs.core", "jakarta.ws.rs.core"], "NewCookie") and
-  (
-    cie.getNumArgument() = 6 and cie.getArgument(5).(BooleanLiteral).getBooleanValue() = true // NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
-    or
-    cie.getNumArgument() = 8 and
-    cie.getArgument(6).getType() instanceof BooleanType and
-    cie.getArgument(7).(BooleanLiteral).getBooleanValue() = true // NewCookie(String name, String value, String path, String domain, String comment, int maxAge, boolean secure, boolean httpOnly)
-    or
-    cie.getNumArgument() = 10 and cie.getArgument(9).(BooleanLiteral).getBooleanValue() = true // NewCookie(String name, String value, String path, String domain, int version, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
-  )
+/** The method call `toString` to get a stringified cookie representation. */
+class CookieInstanceExpr extends TaintPreservingCallable {
+  CookieInstanceExpr() {
+    this.getDeclaringType() instanceof CookieClass and
+    this.hasName("toString")
+  }
+
+  override predicate returnsTaintFrom(int arg) { arg = -1 }
 }
 
 /**
@@ -163,15 +149,6 @@ class MissingHttpOnlyConfiguration extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof CookieResponseSink }
 
   override predicate isSanitizer(DataFlow::Node node) {
-    // cookie.setHttpOnly(true)
-    setHttpOnlyMethodAccess(node)
-    or
-    // response.addHeader("Set-Cookie", "token=" +authId + ";HttpOnly;Secure")
-    setHttpOnlyInSetCookie(node)
-    or
-    // new NewCookie("session-access-key", accessKey, "/", null, null, 0, true, true)
-    setHttpOnlyInNewCookie(node.asExpr())
-    or
     // Test class or method
     isTestMethod(node)
   }

From 72f28513eb6478024cb184f9affe71490c8217d3 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Wed, 10 Mar 2021 12:12:27 +0000
Subject: [PATCH 0036/1429] Move test check to the sink

---
 .../CWE-1004/SensitiveCookieNotHttpOnly.ql    | 44 ++++++++-----------
 1 file changed, 19 insertions(+), 25 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
index 716975d0486..eee4d8c89d1 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -73,34 +73,29 @@ class CookieResponseSink extends DataFlow::ExprNode {
         ma instanceof SetCookieMethodAccess and
         this.getExpr() = ma.getArgument(1) and
         not hasHttpOnlyExpr(this.getExpr()) // response.addHeader("Set-Cookie", "token=" +authId + ";HttpOnly;Secure")
-      )
+      ) and
+      not isTestMethod(ma) // Test class or method
     )
   }
 }
 
-/** A JAX-RS `NewCookie` constructor that sets `HttpOnly` to true. */
-class HttpOnlyNewCookie extends ClassInstanceExpr {
-  HttpOnlyNewCookie() {
-    this.getConstructedType()
-        .hasQualifiedName(["javax.ws.rs.core", "jakarta.ws.rs.core"], "NewCookie") and
-    (
-      this.getNumArgument() = 6 and this.getArgument(5).(BooleanLiteral).getBooleanValue() = true // NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
-      or
-      this.getNumArgument() = 8 and
-      this.getArgument(6).getType() instanceof BooleanType and
-      this.getArgument(7).(BooleanLiteral).getBooleanValue() = true // NewCookie(String name, String value, String path, String domain, String comment, int maxAge, boolean secure, boolean httpOnly)
-      or
-      this.getNumArgument() = 10 and this.getArgument(9).(BooleanLiteral).getBooleanValue() = true // NewCookie(String name, String value, String path, String domain, int version, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
-    )
-  }
+/** Holds if `cie` is an invocation of a JAX-RS `NewCookie` constructor that sets `HttpOnly` to true. */
+predicate setHttpOnlyInNewCookie(ClassInstanceExpr cie) {
+  cie.getConstructedType().hasQualifiedName(["javax.ws.rs.core", "jakarta.ws.rs.core"], "NewCookie") and
+  (
+    cie.getNumArgument() = 6 and cie.getArgument(5).(BooleanLiteral).getBooleanValue() = true // NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
+    or
+    cie.getNumArgument() = 8 and
+    cie.getArgument(6).getType() instanceof BooleanType and
+    cie.getArgument(7).(BooleanLiteral).getBooleanValue() = true // NewCookie(String name, String value, String path, String domain, String comment, int maxAge, boolean secure, boolean httpOnly)
+    or
+    cie.getNumArgument() = 10 and cie.getArgument(9).(BooleanLiteral).getBooleanValue() = true // NewCookie(String name, String value, String path, String domain, int version, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
+  )
 }
 
 /** The cookie constructor. */
 class CookieTaintPreservingConstructor extends Constructor, TaintPreservingCallable {
-  CookieTaintPreservingConstructor() {
-    this.getDeclaringType() instanceof CookieClass and
-    not exists(HttpOnlyNewCookie hie | hie.getConstructor() = this)
-  }
+  CookieTaintPreservingConstructor() { this.getDeclaringType() instanceof CookieClass }
 
   override predicate returnsTaintFrom(int arg) { arg = 0 }
 }
@@ -122,9 +117,8 @@ class CookieInstanceExpr extends TaintPreservingCallable {
  *    c) in a test class whose name has the word `test`
  *    d) in a test class implementing a test framework such as JUnit or TestNG
  */
-predicate isTestMethod(DataFlow::Node node) {
-  exists(MethodAccess ma, Method m |
-    node.asExpr() = ma.getAnArgument() and
+predicate isTestMethod(MethodAccess ma) {
+  exists(Method m |
     m = ma.getEnclosingCallable() and
     (
       m.getDeclaringType().getName().toLowerCase().matches("%test%") or // Simple check to exclude test classes to reduce FPs
@@ -149,8 +143,8 @@ class MissingHttpOnlyConfiguration extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof CookieResponseSink }
 
   override predicate isSanitizer(DataFlow::Node node) {
-    // Test class or method
-    isTestMethod(node)
+    // new NewCookie("session-access-key", accessKey, "/", null, null, 0, true, true)
+    setHttpOnlyInNewCookie(node.asExpr())
   }
 }
 

From f0ddfc9283607f01603a93e6a05357aa27a579ce Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Wed, 10 Mar 2021 12:18:55 +0000
Subject: [PATCH 0037/1429] Minor qldoc changes

---
 .../Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql    | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
index eee4d8c89d1..c3f9349dbc8 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -79,7 +79,10 @@ class CookieResponseSink extends DataFlow::ExprNode {
   }
 }
 
-/** Holds if `cie` is an invocation of a JAX-RS `NewCookie` constructor that sets `HttpOnly` to true. */
+/**
+ * Holds if `ClassInstanceExpr` cie is an invocation of a JAX-RS `NewCookie` constructor
+ * that sets `HttpOnly` to true.
+ */
 predicate setHttpOnlyInNewCookie(ClassInstanceExpr cie) {
   cie.getConstructedType().hasQualifiedName(["javax.ws.rs.core", "jakarta.ws.rs.core"], "NewCookie") and
   (
@@ -111,7 +114,7 @@ class CookieInstanceExpr extends TaintPreservingCallable {
 }
 
 /**
- * Holds if the node is a test method indicated by:
+ * Holds if the MethodAccess `ma` is a test method call indicated by:
  *    a) in a test directory such as `src/test/java`
  *    b) in a test package whose name has the word `test`
  *    c) in a test class whose name has the word `test`

From a0a1ddee86382c183b774e9cb88509a1b4aac1d9 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Wed, 10 Mar 2021 17:07:31 +0000
Subject: [PATCH 0038/1429] Update class name

---
 .../Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql       | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
index c3f9349dbc8..985c546b555 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -104,8 +104,8 @@ class CookieTaintPreservingConstructor extends Constructor, TaintPreservingCalla
 }
 
 /** The method call `toString` to get a stringified cookie representation. */
-class CookieInstanceExpr extends TaintPreservingCallable {
-  CookieInstanceExpr() {
+class CookieToString extends TaintPreservingCallable {
+  CookieToString() {
     this.getDeclaringType() instanceof CookieClass and
     this.hasName("toString")
   }

From eeac7e322ad0d450f8dac1f0dad9195e4d3b8c33 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Thu, 11 Mar 2021 13:46:32 +0000
Subject: [PATCH 0039/1429] Query to detect insecure configuration of Spring
 Boot Actuator

---
 .../InsecureSpringActuatorConfig.qhelp        |  47 ++++++++
 .../CWE-016/InsecureSpringActuatorConfig.ql   | 112 ++++++++++++++++++
 .../CWE/CWE-016/application.properties        |  22 ++++
 .../Security/CWE/CWE-016/pom_bad.xml          |  50 ++++++++
 .../Security/CWE/CWE-016/pom_good.xml         |  50 ++++++++
 .../InsecureSpringActuatorConfig.expected     |   1 +
 .../InsecureSpringActuatorConfig.qlref        |   1 +
 .../security/CWE-016/SensitiveInfo.java       |  13 ++
 .../security/CWE-016/application.properties   |  14 +++
 .../query-tests/security/CWE-016/pom.xml      |  47 ++++++++
 10 files changed, 357 insertions(+)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.qhelp
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/application.properties
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/pom_bad.xml
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-016/pom_good.xml
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.qlref
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/SensitiveInfo.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/application.properties
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-016/pom.xml

diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.qhelp b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.qhelp
new file mode 100644
index 00000000000..e201156728a
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.qhelp
@@ -0,0 +1,47 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>Spring Boot is a popular framework that facilitates the development of stand-alone applications
+and micro services. Spring Boot Actuator helps to expose production-ready support features against 
+Spring Boot applications.</p>
+
+    <p>Endpoints of Spring Boot Actuator allow to monitor and interact with a Spring Boot application. 
+Exposing unprotected actuator endpoints through configuration files can lead to information disclosure 
+or even remote code execution vulnerability.</p>
+
+    <p>Rather than programmatically permitting endpoint requests or enforcing access control, frequently
+developers simply leave management endpoints publicly accessible in the application configuration file 
+<code>application.properties</code> without enforcing access control through Spring Security.</p>
+  </overview>
+
+  <recommendation>
+    <p>Declare the Spring Boot Starter Security module in XML configuration or programmatically enforce 
+security checks on management endpoints using Spring Security. Otherwise accessing management endpoints 
+on a different HTTP port other than the port that the web application is listening on also helps to 
+improve the security.</p>
+  </recommendation>
+
+  <example>
+    <p>The following examples show both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration, 
+no security module is declared and sensitive management endpoints are exposed. In the 'GOOD' configuration, 
+security is enforced and only endpoints requiring exposure are exposed.</p>
+    <sample src="pom_good.xml" />
+    <sample src="pom_bad.xml" />
+    <sample src="application.properties" />
+  </example>
+
+  <references>
+    <li>
+      Spring Boot documentation:
+      <a href="https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html">Spring Boot Actuator: Production-ready Features</a>
+    </li>
+    <li>
+      VERACODE Blog:
+      <a href="https://www.veracode.com/blog/research/exploiting-spring-boot-actuators">Exploiting Spring Boot Actuators</a>
+    </li>
+    <li>
+      HackerOne Report:
+      <a href="https://hackerone.com/reports/862589">Spring Actuator endpoints publicly available, leading to account takeover</a>
+    </li>
+  </references>
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
new file mode 100644
index 00000000000..2dc11e8e38e
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
@@ -0,0 +1,112 @@
+/**
+ * @name Insecure Spring Boot Actuator Configuration
+ * @description Exposed Spring Boot Actuator through configuration files without declarative or procedural security enforcement leads to information leak or even remote code execution.
+ * @kind problem
+ * @id java/insecure-spring-actuator-config
+ * @tags security
+ *       external/cwe-016
+ */
+
+import java
+import semmle.code.configfiles.ConfigFiles
+import semmle.code.java.security.SensitiveActions
+import semmle.code.xml.MavenPom
+
+/** The parent node of the `org.springframework.boot` group. */
+class SpringBootParent extends Parent {
+  SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" }
+}
+
+/** Class of Spring Boot dependencies. */
+class SpringBootPom extends Pom {
+  SpringBootPom() { this.getParentElement() instanceof SpringBootParent }
+
+  /** Holds if the Spring Boot Actuator module `spring-boot-starter-actuator` is used in the project. */
+  predicate isSpringBootActuatorUsed() {
+    this.getADependency().getArtifact().getValue() = "spring-boot-starter-actuator"
+  }
+
+  /** Holds if the Spring Boot Security module is used in the project, which brings in other security related libraries. */
+  predicate isSpringBootSecurityUsed() {
+    this.getADependency().getArtifact().getValue() = "spring-boot-starter-security"
+  }
+}
+
+/** The properties file `application.properties`. */
+class ApplicationProperties extends ConfigPair {
+  ApplicationProperties() { this.getFile().getBaseName() = "application.properties" }
+}
+
+/** The configuration property `management.security.enabled`. */
+class ManagementSecurityEnabled extends ApplicationProperties {
+  ManagementSecurityEnabled() { this.getNameElement().getName() = "management.security.enabled" }
+
+  string getManagementSecurityEnabled() { result = this.getValueElement().getValue() }
+
+  predicate hasSecurityDisabled() { getManagementSecurityEnabled() = "false" }
+
+  predicate hasSecurityEnabled() { getManagementSecurityEnabled() = "true" }
+}
+
+/** The configuration property `management.endpoints.web.exposure.include`. */
+class ManagementEndPointInclude extends ApplicationProperties {
+  ManagementEndPointInclude() {
+    this.getNameElement().getName() = "management.endpoints.web.exposure.include"
+  }
+
+  string getManagementEndPointInclude() { result = this.getValueElement().getValue().trim() }
+}
+
+/** The configuration property `management.endpoints.web.exposure.exclude`. */
+class ManagementEndPointExclude extends ApplicationProperties {
+  ManagementEndPointExclude() {
+    this.getNameElement().getName() = "management.endpoints.web.exposure.exclude"
+  }
+
+  string getManagementEndPointExclude() { result = this.getValueElement().getValue().trim() }
+}
+
+/** Holds if an application handles sensitive information judging by its variable names. */
+predicate isProtectedApp() {
+  exists(VarAccess va | va.getVariable().getName().regexpMatch(getCommonSensitiveInfoRegex()))
+}
+
+from SpringBootPom pom, ApplicationProperties ap, Dependency d
+where
+  isProtectedApp() and
+  pom.isSpringBootActuatorUsed() and
+  not pom.isSpringBootSecurityUsed() and
+  ap.getFile()
+      .getParentContainer()
+      .getAbsolutePath()
+      .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory
+  exists(string s | s = pom.getParentElement().getVersionString() |
+    s.regexpMatch("1\\.[0|1|2|3|4].*") and
+    not exists(ManagementSecurityEnabled me |
+      me.hasSecurityEnabled() and me.getFile() = ap.getFile()
+    )
+    or
+    s.regexpMatch("1\\.5.*") and
+    exists(ManagementSecurityEnabled me | me.hasSecurityDisabled() and me.getFile() = ap.getFile())
+    or
+    s.regexpMatch("2.*") and
+    exists(ManagementEndPointInclude mi |
+      mi.getFile() = ap.getFile() and
+      (
+        mi.getManagementEndPointInclude() = "*" // all endpoints are enabled
+        or
+        mi.getManagementEndPointInclude()
+            .matches([
+                "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%",
+                "%beans%", "%sessions%"
+              ]) // all endpoints apart from '/health' and '/info' are considered sensitive
+      ) and
+      not exists(ManagementEndPointExclude mx |
+        mx.getFile() = ap.getFile() and
+        mx.getManagementEndPointExclude() = mi.getManagementEndPointInclude()
+      )
+    )
+  ) and
+  d = pom.getADependency() and
+  d.getArtifact().getValue() = "spring-boot-starter-actuator"
+select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints."
diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/application.properties b/java/ql/src/experimental/Security/CWE/CWE-016/application.properties
new file mode 100644
index 00000000000..aa489435a12
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/application.properties
@@ -0,0 +1,22 @@
+#management.endpoints.web.base-path=/admin
+
+
+#### BAD: All management endpoints are accessible #### 
+# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default
+
+# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators
+management.security.enabled=false
+
+# vulnerable configuration (spring boot 2+): exposes health and info only by default
+management.endpoints.web.exposure.include=*
+
+
+#### GOOD: All management endpoints have access control #### 
+# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default
+management.security.enabled=true
+
+# safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators
+management.security.enabled=true
+
+# safe configuration (spring boot 2+): exposes health and info only by default
+management.endpoints.web.exposure.include=beans,info,health
diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/pom_bad.xml b/java/ql/src/experimental/Security/CWE/CWE-016/pom_bad.xml
new file mode 100644
index 00000000000..9dd5c9c188b
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/pom_bad.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>spring-boot-actuator-app</groupId>
+    <artifactId>spring-boot-actuator-app</artifactId>
+    <version>1.0-SNAPSHOT</version>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <maven.compiler.target>1.8</maven.compiler.target>
+    </properties>
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>2.3.8.RELEASE</version>
+        <relativePath/>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-actuator</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-devtools</artifactId>
+        </dependency>
+
+        <!-- BAD: No Spring Security enabled -->
+        <!-- dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency -->
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-test</artifactId>
+        </dependency>
+    </dependencies>
+
+</project>
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/pom_good.xml b/java/ql/src/experimental/Security/CWE/CWE-016/pom_good.xml
new file mode 100644
index 00000000000..89f577f21e5
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/pom_good.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>spring-boot-actuator-app</groupId>
+    <artifactId>spring-boot-actuator-app</artifactId>
+    <version>1.0-SNAPSHOT</version>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <maven.compiler.target>1.8</maven.compiler.target>
+    </properties>
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>2.3.8.RELEASE</version>
+        <relativePath/>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-actuator</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-devtools</artifactId>
+        </dependency>
+
+        <!-- GOOD: Enable Spring Security -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-test</artifactId>
+        </dependency>
+    </dependencies>
+
+</project>
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.expected b/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.expected
new file mode 100644
index 00000000000..48630293985
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.expected
@@ -0,0 +1 @@
+| pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.qlref b/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.qlref
new file mode 100644
index 00000000000..9cd12d5e4fb
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-016/InsecureSpringActuatorConfig.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/SensitiveInfo.java b/java/ql/test/experimental/query-tests/security/CWE-016/SensitiveInfo.java
new file mode 100644
index 00000000000..a3ff69c1b81
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-016/SensitiveInfo.java
@@ -0,0 +1,13 @@
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+@Controller
+public class SensitiveInfo {
+	@RequestMapping
+	public void handleLogin(@RequestParam String username, @RequestParam String password) throws Exception {
+		if (!username.equals("") && password.equals("")) {
+			//Blank processing
+		}
+	}
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/application.properties b/java/ql/test/experimental/query-tests/security/CWE-016/application.properties
new file mode 100644
index 00000000000..95e704f3a1a
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-016/application.properties
@@ -0,0 +1,14 @@
+#management.endpoints.web.base-path=/admin
+
+# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default
+
+# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators
+management.security.enabled=false
+
+# vulnerable configuration (spring boot 2+): exposes health and info only by default
+management.endpoints.web.exposure.include=*
+management.endpoints.web.exposure.exclude=beans
+
+management.endpoint.shutdown.enabled=true
+
+management.endpoint.health.show-details=when_authorized
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/pom.xml b/java/ql/test/experimental/query-tests/security/CWE-016/pom.xml
new file mode 100644
index 00000000000..a9d5fa920c8
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-016/pom.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>spring-boot-actuator-app</groupId>
+    <artifactId>spring-boot-actuator-app</artifactId>
+    <version>1.0-SNAPSHOT</version>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <maven.compiler.target>1.8</maven.compiler.target>
+    </properties>
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>2.3.8.RELEASE</version>
+        <relativePath/>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-actuator</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-devtools</artifactId>
+        </dependency>
+        <!-- dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-test</artifactId>
+        </dependency>
+    </dependencies>
+
+</project>
\ No newline at end of file

From 0a35feef766249b88abfc78f8a9dd552664ab083 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Thu, 11 Mar 2021 17:28:07 +0000
Subject: [PATCH 0040/1429] Exclude CSRF cookies to reduce FPs

---
 .../CWE-1004/SensitiveCookieNotHttpOnly.ql    | 16 +++--
 .../SensitiveCookieNotHttpOnly.expected       | 60 +++++++++----------
 .../CWE-1004/SensitiveCookieNotHttpOnly.java  | 22 ++++++-
 .../query-tests/security/CWE-1004/options     |  2 +-
 .../security/web/csrf/CsrfToken.java          | 50 ++++++++++++++++
 5 files changed, 113 insertions(+), 37 deletions(-)
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/security/web/csrf/CsrfToken.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
index 985c546b555..693dad68082 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -16,12 +16,18 @@ import DataFlow::PathGraph
 /** Gets a regular expression for matching common names of sensitive cookies. */
 string getSensitiveCookieNameRegex() { result = "(?i).*(auth|session|token|key|credential).*" }
 
-/** Holds if a string is concatenated with the name of a sensitive cookie. */
+/** Gets a regular expression for matching CSRF cookies. */
+string getCsrfCookieNameRegex() { result = "(?i).*(csrf).*" }
+
+/**
+ * Holds if a string is concatenated with the name of a sensitive cookie. Excludes CSRF cookies since
+ * they are special cookies implementing the Synchronizer Token Pattern that can be used in JavaScript.
+ */
 predicate isSensitiveCookieNameExpr(Expr expr) {
-  expr.(CompileTimeConstantExpr)
-      .getStringValue()
-      .toLowerCase()
-      .regexpMatch(getSensitiveCookieNameRegex()) or
+  exists(string s | s = expr.(CompileTimeConstantExpr).getStringValue().toLowerCase() |
+    s.regexpMatch(getSensitiveCookieNameRegex()) and not s.regexpMatch(getCsrfCookieNameRegex())
+  )
+  or
   isSensitiveCookieNameExpr(expr.(AddExpr).getAnOperand())
 }
 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
index c9fe15d4082..8fa688bef2a 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
@@ -1,33 +1,33 @@
 edges
-| SensitiveCookieNotHttpOnly.java:22:33:22:43 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:29:28:29:36 | jwtCookie |
-| SensitiveCookieNotHttpOnly.java:40:42:40:49 | "token=" : String | SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... |
-| SensitiveCookieNotHttpOnly.java:40:42:40:57 | ... + ... : String | SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... |
-| SensitiveCookieNotHttpOnly.java:50:56:50:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:50:42:50:124 | toString(...) |
-| SensitiveCookieNotHttpOnly.java:61:51:61:70 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:63:42:63:47 | keyStr |
-| SensitiveCookieNotHttpOnly.java:68:28:68:35 | "token=" : String | SensitiveCookieNotHttpOnly.java:69:42:69:50 | secString |
-| SensitiveCookieNotHttpOnly.java:68:28:68:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:69:42:69:50 | secString |
-| SensitiveCookieNotHttpOnly.java:68:28:68:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:69:42:69:50 | secString |
+| SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie |
+| SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... |
+| SensitiveCookieNotHttpOnly.java:42:42:42:57 | ... + ... : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... |
+| SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) |
+| SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr |
+| SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
+| SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
+| SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
 nodes
-| SensitiveCookieNotHttpOnly.java:22:33:22:43 | "jwt_token" : String | semmle.label | "jwt_token" : String |
-| SensitiveCookieNotHttpOnly.java:29:28:29:36 | jwtCookie | semmle.label | jwtCookie |
-| SensitiveCookieNotHttpOnly.java:40:42:40:49 | "token=" : String | semmle.label | "token=" : String |
-| SensitiveCookieNotHttpOnly.java:40:42:40:57 | ... + ... : String | semmle.label | ... + ... : String |
-| SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... | semmle.label | ... + ... |
-| SensitiveCookieNotHttpOnly.java:50:42:50:124 | toString(...) | semmle.label | toString(...) |
-| SensitiveCookieNotHttpOnly.java:50:56:50:75 | "session-access-key" : String | semmle.label | "session-access-key" : String |
-| SensitiveCookieNotHttpOnly.java:61:51:61:70 | "session-access-key" : String | semmle.label | "session-access-key" : String |
-| SensitiveCookieNotHttpOnly.java:63:42:63:47 | keyStr | semmle.label | keyStr |
-| SensitiveCookieNotHttpOnly.java:68:28:68:35 | "token=" : String | semmle.label | "token=" : String |
-| SensitiveCookieNotHttpOnly.java:68:28:68:43 | ... + ... : String | semmle.label | ... + ... : String |
-| SensitiveCookieNotHttpOnly.java:68:28:68:55 | ... + ... : String | semmle.label | ... + ... : String |
-| SensitiveCookieNotHttpOnly.java:69:42:69:50 | secString | semmle.label | secString |
+| SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" : String | semmle.label | "jwt_token" : String |
+| SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | semmle.label | jwtCookie |
+| SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" : String | semmle.label | "token=" : String |
+| SensitiveCookieNotHttpOnly.java:42:42:42:57 | ... + ... : String | semmle.label | ... + ... : String |
+| SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | semmle.label | ... + ... |
+| SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) | semmle.label | toString(...) |
+| SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" : String | semmle.label | "session-access-key" : String |
+| SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" : String | semmle.label | "session-access-key" : String |
+| SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr | semmle.label | keyStr |
+| SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" : String | semmle.label | "token=" : String |
+| SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | semmle.label | ... + ... : String |
+| SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... : String | semmle.label | ... + ... : String |
+| SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | semmle.label | secString |
 #select
-| SensitiveCookieNotHttpOnly.java:29:28:29:36 | jwtCookie | SensitiveCookieNotHttpOnly.java:22:33:22:43 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:29:28:29:36 | jwtCookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:22:33:22:43 | "jwt_token" | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... | SensitiveCookieNotHttpOnly.java:40:42:40:49 | "token=" : String | SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:40:42:40:49 | "token=" | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... | SensitiveCookieNotHttpOnly.java:40:42:40:57 | ... + ... : String | SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:40:42:40:57 | ... + ... | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... | SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... | SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:40:42:40:69 | ... + ... | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:50:42:50:124 | toString(...) | SensitiveCookieNotHttpOnly.java:50:56:50:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:50:42:50:124 | toString(...) | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:50:56:50:75 | "session-access-key" | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:63:42:63:47 | keyStr | SensitiveCookieNotHttpOnly.java:61:51:61:70 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:63:42:63:47 | keyStr | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:61:51:61:70 | "session-access-key" | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:69:42:69:50 | secString | SensitiveCookieNotHttpOnly.java:68:28:68:35 | "token=" : String | SensitiveCookieNotHttpOnly.java:69:42:69:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:68:28:68:35 | "token=" | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:69:42:69:50 | secString | SensitiveCookieNotHttpOnly.java:68:28:68:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:69:42:69:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:68:28:68:43 | ... + ... | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:69:42:69:50 | secString | SensitiveCookieNotHttpOnly.java:68:28:68:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:69:42:69:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:68:28:68:55 | ... + ... | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | SensitiveCookieNotHttpOnly.java:42:42:42:57 | ... + ... : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:42:42:42:57 | ... + ... | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) | SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr | SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... | This sensitive cookie |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
index 6572577a697..337a99cc096 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
@@ -7,6 +7,8 @@ import javax.servlet.ServletException;
 
 import javax.ws.rs.core.NewCookie;
 
+import org.springframework.security.web.csrf.CsrfToken;
+
 class SensitiveCookieNotHttpOnly {
     // GOOD - Tests adding a sensitive cookie with the `HttpOnly` flag set.
     public void addCookie(String jwt_token, HttpServletRequest request, HttpServletResponse response) {
@@ -67,5 +69,23 @@ class SensitiveCookieNotHttpOnly {
     public void addCookie9(String authId, HttpServletRequest request, HttpServletResponse response) {
         String secString = "token=" +authId + ";Secure";
         response.addHeader("Set-Cookie", secString);
-    }    
+    }
+
+    // GOOD - CSRF token doesn't need to have the `HttpOnly` flag set.
+    public void addCsrfCookie(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        // Spring put the CSRF token in session attribute "_csrf"
+        CsrfToken csrfToken = (CsrfToken) request.getAttribute("_csrf");
+    
+        // Send the cookie only if the token has changed
+        String actualToken = request.getHeader("X-CSRF-TOKEN");
+        if (actualToken == null || !actualToken.equals(csrfToken.getToken())) {
+            // Session cookie that can be used by AngularJS
+            String pCookieName = "CSRF-TOKEN";
+            Cookie cookie = new Cookie(pCookieName, csrfToken.getToken());
+            cookie.setMaxAge(-1);
+            cookie.setHttpOnly(false);
+            cookie.setPath("/");
+            response.addCookie(cookie);
+        }
+    }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/options b/java/ql/test/experimental/query-tests/security/CWE-1004/options
index 7f2b253fb20..d61a358d97f 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-1004/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/options
@@ -1 +1 @@
-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jsr311-api-1.1.1
\ No newline at end of file
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jsr311-api-1.1.1:${testdir}/../../../../stubs/springframework-5.2.3
\ No newline at end of file
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/security/web/csrf/CsrfToken.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/security/web/csrf/CsrfToken.java
new file mode 100644
index 00000000000..bc59a2e496a
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/security/web/csrf/CsrfToken.java
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.csrf;
+
+import java.io.Serializable;
+
+/**
+ * Provides the information about an expected CSRF token.
+ *
+ * @author Rob Winch
+ * @since 3.2
+ * @see DefaultCsrfToken
+ */
+public interface CsrfToken extends Serializable {
+
+	/**
+	 * Gets the HTTP header that the CSRF is populated on the response and can be placed
+	 * on requests instead of the parameter. Cannot be null.
+	 * @return the HTTP header that the CSRF is populated on the response and can be
+	 * placed on requests instead of the parameter
+	 */
+	String getHeaderName();
+
+	/**
+	 * Gets the HTTP parameter name that should contain the token. Cannot be null.
+	 * @return the HTTP parameter name that should contain the token.
+	 */
+	String getParameterName();
+
+	/**
+	 * Gets the token value. Cannot be null.
+	 * @return the token value
+	 */
+	String getToken();
+
+}

From c8b1bc3a89b6f0c6b006449f38f4966899f0bc3d Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Thu, 11 Mar 2021 21:41:34 +0000
Subject: [PATCH 0041/1429] Enhance the query

---
 .../CWE-016/InsecureSpringActuatorConfig.ql   | 58 +++++++------------
 .../CWE/CWE-016/application.properties        |  4 +-
 .../security/CWE-016/application.properties   |  2 +-
 3 files changed, 24 insertions(+), 40 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
index 2dc11e8e38e..06ba0d8a288 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
@@ -1,6 +1,7 @@
 /**
  * @name Insecure Spring Boot Actuator Configuration
- * @description Exposed Spring Boot Actuator through configuration files without declarative or procedural security enforcement leads to information leak or even remote code execution.
+ * @description Exposed Spring Boot Actuator through configuration files without declarative or procedural
+ *              security enforcement leads to information leak or even remote code execution.
  * @kind problem
  * @id java/insecure-spring-actuator-config
  * @tags security
@@ -9,7 +10,6 @@
 
 import java
 import semmle.code.configfiles.ConfigFiles
-import semmle.code.java.security.SensitiveActions
 import semmle.code.xml.MavenPom
 
 /** The parent node of the `org.springframework.boot` group. */
@@ -26,7 +26,10 @@ class SpringBootPom extends Pom {
     this.getADependency().getArtifact().getValue() = "spring-boot-starter-actuator"
   }
 
-  /** Holds if the Spring Boot Security module is used in the project, which brings in other security related libraries. */
+  /**
+   * Holds if the Spring Boot Security module is used in the project, which brings in other security
+   * related libraries.
+   */
   predicate isSpringBootSecurityUsed() {
     this.getADependency().getArtifact().getValue() = "spring-boot-starter-security"
   }
@@ -38,14 +41,14 @@ class ApplicationProperties extends ConfigPair {
 }
 
 /** The configuration property `management.security.enabled`. */
-class ManagementSecurityEnabled extends ApplicationProperties {
-  ManagementSecurityEnabled() { this.getNameElement().getName() = "management.security.enabled" }
+class ManagementSecurityConfig extends ApplicationProperties {
+  ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" }
 
-  string getManagementSecurityEnabled() { result = this.getValueElement().getValue() }
+  string getValue() { result = this.getValueElement().getValue().trim() }
 
-  predicate hasSecurityDisabled() { getManagementSecurityEnabled() = "false" }
+  predicate hasSecurityDisabled() { getValue() = "false" }
 
-  predicate hasSecurityEnabled() { getManagementSecurityEnabled() = "true" }
+  predicate hasSecurityEnabled() { getValue() = "true" }
 }
 
 /** The configuration property `management.endpoints.web.exposure.include`. */
@@ -54,56 +57,37 @@ class ManagementEndPointInclude extends ApplicationProperties {
     this.getNameElement().getName() = "management.endpoints.web.exposure.include"
   }
 
-  string getManagementEndPointInclude() { result = this.getValueElement().getValue().trim() }
-}
-
-/** The configuration property `management.endpoints.web.exposure.exclude`. */
-class ManagementEndPointExclude extends ApplicationProperties {
-  ManagementEndPointExclude() {
-    this.getNameElement().getName() = "management.endpoints.web.exposure.exclude"
-  }
-
-  string getManagementEndPointExclude() { result = this.getValueElement().getValue().trim() }
-}
-
-/** Holds if an application handles sensitive information judging by its variable names. */
-predicate isProtectedApp() {
-  exists(VarAccess va | va.getVariable().getName().regexpMatch(getCommonSensitiveInfoRegex()))
+  string getValue() { result = this.getValueElement().getValue().trim() }
 }
 
 from SpringBootPom pom, ApplicationProperties ap, Dependency d
 where
-  isProtectedApp() and
   pom.isSpringBootActuatorUsed() and
   not pom.isSpringBootSecurityUsed() and
   ap.getFile()
       .getParentContainer()
       .getAbsolutePath()
       .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory
-  exists(string s | s = pom.getParentElement().getVersionString() |
-    s.regexpMatch("1\\.[0|1|2|3|4].*") and
-    not exists(ManagementSecurityEnabled me |
+  exists(string springBootVersion | springBootVersion = pom.getParentElement().getVersionString() |
+    springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4
+    not exists(ManagementSecurityConfig me |
       me.hasSecurityEnabled() and me.getFile() = ap.getFile()
     )
     or
-    s.regexpMatch("1\\.5.*") and
-    exists(ManagementSecurityEnabled me | me.hasSecurityDisabled() and me.getFile() = ap.getFile())
+    springBootVersion.matches("1.5%") and // version 1.5
+    exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = ap.getFile())
     or
-    s.regexpMatch("2.*") and
+    springBootVersion.matches("2.%") and //version 2.x
     exists(ManagementEndPointInclude mi |
       mi.getFile() = ap.getFile() and
       (
-        mi.getManagementEndPointInclude() = "*" // all endpoints are enabled
+        mi.getValue() = "*" // all endpoints are enabled
         or
-        mi.getManagementEndPointInclude()
+        mi.getValue()
             .matches([
                 "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%",
                 "%beans%", "%sessions%"
-              ]) // all endpoints apart from '/health' and '/info' are considered sensitive
-      ) and
-      not exists(ManagementEndPointExclude mx |
-        mx.getFile() = ap.getFile() and
-        mx.getManagementEndPointExclude() = mi.getManagementEndPointInclude()
+              ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring
       )
     )
   ) and
diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/application.properties b/java/ql/src/experimental/Security/CWE/CWE-016/application.properties
index aa489435a12..4f5defdd948 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-016/application.properties
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/application.properties
@@ -7,7 +7,7 @@
 # vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators
 management.security.enabled=false
 
-# vulnerable configuration (spring boot 2+): exposes health and info only by default
+# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything
 management.endpoints.web.exposure.include=*
 
 
@@ -18,5 +18,5 @@ management.security.enabled=true
 # safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators
 management.security.enabled=true
 
-# safe configuration (spring boot 2+): exposes health and info only by default
+# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe.
 management.endpoints.web.exposure.include=beans,info,health
diff --git a/java/ql/test/experimental/query-tests/security/CWE-016/application.properties b/java/ql/test/experimental/query-tests/security/CWE-016/application.properties
index 95e704f3a1a..797906a3ca3 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-016/application.properties
+++ b/java/ql/test/experimental/query-tests/security/CWE-016/application.properties
@@ -5,7 +5,7 @@
 # vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators
 management.security.enabled=false
 
-# vulnerable configuration (spring boot 2+): exposes health and info only by default
+# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything
 management.endpoints.web.exposure.include=*
 management.endpoints.web.exposure.exclude=beans
 

From 1a2e341b7c767fc4b6e21e9dc38d25110aa8b50e Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Fri, 12 Mar 2021 12:19:37 +0000
Subject: [PATCH 0042/1429] Refactor the business logic of the query into a
 separate predicate

---
 .../CWE/CWE-016/InsecureSpringActuatorConfig.ql    | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
index 06ba0d8a288..3acd22e767a 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
@@ -60,8 +60,11 @@ class ManagementEndPointInclude extends ApplicationProperties {
   string getValue() { result = this.getValueElement().getValue().trim() }
 }
 
-from SpringBootPom pom, ApplicationProperties ap, Dependency d
-where
+/**
+ * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom
+ * has a vulnerable configuration of Spring Boot Actuator management endpoints.
+ */
+predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationProperties ap) {
   pom.isSpringBootActuatorUsed() and
   not pom.isSpringBootSecurityUsed() and
   ap.getFile()
@@ -90,7 +93,12 @@ where
               ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring
       )
     )
-  ) and
+  )
+}
+
+from SpringBootPom pom, ApplicationProperties ap, Dependency d
+where
+  hasConfidentialEndPointExposed(pom, ap) and
   d = pom.getADependency() and
   d.getArtifact().getValue() = "spring-boot-starter-actuator"
 select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints."

From 9b8056371fe5c17fdcf70c43a815ee6941cb4fa9 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Fri, 12 Mar 2021 13:51:24 +0100
Subject: [PATCH 0043/1429] Python: Make the type tracking implementation
 shareable

---
 .../experimental/typetracking/TypeTracker.qll | 393 ++++++++++++++++++
 .../typetracking/TypeTrackerPrivate.qll       |  95 +++++
 2 files changed, 488 insertions(+)
 create mode 100644 python/ql/src/experimental/typetracking/TypeTracker.qll
 create mode 100644 python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll

diff --git a/python/ql/src/experimental/typetracking/TypeTracker.qll b/python/ql/src/experimental/typetracking/TypeTracker.qll
new file mode 100644
index 00000000000..9ef29f46205
--- /dev/null
+++ b/python/ql/src/experimental/typetracking/TypeTracker.qll
@@ -0,0 +1,393 @@
+/** Step Summaries and Type Tracking */
+
+private import TypeTrackerPrivate
+
+/** Any string that may appear as the name of a piece of content. */
+class ContentName extends string {
+  ContentName() { this = getPossibleContentName() }
+}
+
+/** Either a content name, or the empty string (representing no content). */
+class OptionalContentName extends string {
+  OptionalContentName() { this instanceof ContentName or this = "" }
+}
+
+/**
+ * A description of a step on an inter-procedural data flow path.
+ */
+private newtype TStepSummary =
+  LevelStep() or
+  CallStep() or
+  ReturnStep() or
+  StoreStep(ContentName content) or
+  LoadStep(ContentName content)
+
+/**
+ * INTERNAL: Use `TypeTracker` or `TypeBackTracker` instead.
+ *
+ * A description of a step on an inter-procedural data flow path.
+ */
+class StepSummary extends TStepSummary {
+  /** Gets a textual representation of this step summary. */
+  string toString() {
+    this instanceof LevelStep and result = "level"
+    or
+    this instanceof CallStep and result = "call"
+    or
+    this instanceof ReturnStep and result = "return"
+    or
+    exists(string content | this = StoreStep(content) | result = "store " + content)
+    or
+    exists(string content | this = LoadStep(content) | result = "load " + content)
+  }
+}
+
+/** Provides predicates for updating step summaries (`StepSummary`s). */
+module StepSummary {
+  /**
+   * Gets the summary that corresponds to having taken a forwards
+   * heap and/or inter-procedural step from `nodeFrom` to `nodeTo`.
+   */
+  cached
+  predicate step(LocalSourceNode nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
+    exists(Node mid | nodeFrom.flowsTo(mid) and smallstep(mid, nodeTo, summary))
+  }
+
+  /**
+   * Gets the summary that corresponds to having taken a forwards
+   * local, heap and/or inter-procedural step from `nodeFrom` to `nodeTo`.
+   *
+   * Unlike `StepSummary::step`, this predicate does not compress
+   * type-preserving steps.
+   */
+  predicate smallstep(Node nodeFrom, Node nodeTo, StepSummary summary) {
+    typePreservingStep(nodeFrom, nodeTo) and
+    summary = LevelStep()
+    or
+    callStep(nodeFrom, nodeTo) and summary = CallStep()
+    or
+    returnStep(nodeFrom, nodeTo) and
+    summary = ReturnStep()
+    or
+    exists(string content |
+      basicStoreStep(nodeFrom, nodeTo, content) and
+      summary = StoreStep(content)
+      or
+      basicLoadStep(nodeFrom, nodeTo, content) and summary = LoadStep(content)
+    )
+  }
+}
+
+/** Holds if it's reasonable to expect the data flow step from `nodeFrom` to `nodeTo` to preserve types. */
+private predicate typePreservingStep(Node nodeFrom, Node nodeTo) {
+  simpleLocalFlowStep(nodeFrom, nodeTo) or
+  jumpStep(nodeFrom, nodeTo)
+}
+
+/**
+ * A utility class that is equivalent to `boolean` but does not require type joining.
+ */
+private class Boolean extends boolean {
+  Boolean() { this = true or this = false }
+}
+
+private newtype TTypeTracker = MkTypeTracker(Boolean hasCall, OptionalContentName content)
+
+/**
+ * Summary of the steps needed to track a value to a given dataflow node.
+ *
+ * This can be used to track objects that implement a certain API in order to
+ * recognize calls to that API. Note that type-tracking does not by itself provide a
+ * source/sink relation, that is, it may determine that a node has a given type,
+ * but it won't determine where that type came from.
+ *
+ * It is recommended that all uses of this type are written in the following form,
+ * for tracking some type `myType`:
+ * ```
+ * DataFlow::LocalSourceNode myType(DataFlow::TypeTracker t) {
+ *   t.start() and
+ *   result = < source of myType >
+ *   or
+ *   exists (DataFlow::TypeTracker t2 |
+ *     result = myType(t2).track(t2, t)
+ *   )
+ * }
+ *
+ * DataFlow::Node myType() { myType(DataFlow::TypeTracker::end()).flowsTo(result) }
+ * ```
+ *
+ * Instead of `result = myType(t2).track(t2, t)`, you can also use the equivalent
+ * `t = t2.step(myType(t2), result)`. If you additionally want to track individual
+ * intra-procedural steps, use `t = t2.smallstep(myCallback(t2), result)`.
+ */
+class TypeTracker extends TTypeTracker {
+  Boolean hasCall;
+  OptionalContentName content;
+
+  TypeTracker() { this = MkTypeTracker(hasCall, content) }
+
+  /** Gets the summary resulting from appending `step` to this type-tracking summary. */
+  cached
+  TypeTracker append(StepSummary step) {
+    step = LevelStep() and result = this
+    or
+    step = CallStep() and result = MkTypeTracker(true, content)
+    or
+    step = ReturnStep() and hasCall = false and result = this
+    or
+    step = LoadStep(content) and result = MkTypeTracker(hasCall, "")
+    or
+    exists(string p | step = StoreStep(p) and content = "" and result = MkTypeTracker(hasCall, p))
+  }
+
+  /** Gets a textual representation of this summary. */
+  string toString() {
+    exists(string withCall, string withContent |
+      (if hasCall = true then withCall = "with" else withCall = "without") and
+      (if content != "" then withContent = " with content " + content else withContent = "") and
+      result = "type tracker " + withCall + " call steps" + withContent
+    )
+  }
+
+  /**
+   * Holds if this is the starting point of type tracking.
+   */
+  predicate start() { hasCall = false and content = "" }
+
+  /**
+   * Holds if this is the starting point of type tracking, and the value starts in the content named `contentName`.
+   * The type tracking only ends after the content has been loaded.
+   */
+  predicate startInContent(ContentName contentName) { hasCall = false and content = contentName }
+
+  /**
+   * Holds if this is the starting point of type tracking
+   * when tracking a parameter into a call, but not out of it.
+   */
+  predicate call() { hasCall = true and content = "" }
+
+  /**
+   * Holds if this is the end point of type tracking.
+   */
+  predicate end() { content = "" }
+
+  /**
+   * INTERNAL. DO NOT USE.
+   *
+   * Holds if this type has been tracked into a call.
+   */
+  boolean hasCall() { result = hasCall }
+
+  /**
+   * INTERNAL. DO NOT USE.
+   *
+   * Gets the content associated with this type tracker.
+   */
+  string getContent() { result = content }
+
+  /**
+   * Gets a type tracker that starts where this one has left off to allow continued
+   * tracking.
+   *
+   * This predicate is only defined if the type is not associated to a piece of content.
+   */
+  TypeTracker continue() { content = "" and result = this }
+
+  /**
+   * Gets the summary that corresponds to having taken a forwards
+   * heap and/or inter-procedural step from `nodeFrom` to `nodeTo`.
+   */
+  pragma[inline]
+  TypeTracker step(LocalSourceNode nodeFrom, Node nodeTo) {
+    exists(StepSummary summary |
+      StepSummary::step(nodeFrom, nodeTo, summary) and
+      result = this.append(summary)
+    )
+  }
+
+  /**
+   * Gets the summary that corresponds to having taken a forwards
+   * local, heap and/or inter-procedural step from `nodeFrom` to `nodeTo`.
+   *
+   * Unlike `TypeTracker::step`, this predicate exposes all edges
+   * in the flow graph, and not just the edges between `Node`s.
+   * It may therefore be less performant.
+   *
+   * Type tracking predicates using small steps typically take the following form:
+   * ```ql
+   * DataFlow::Node myType(DataFlow::TypeTracker t) {
+   *   t.start() and
+   *   result = < source of myType >
+   *   or
+   *   exists (DataFlow::TypeTracker t2 |
+   *     t = t2.smallstep(myType(t2), result)
+   *   )
+   * }
+   *
+   * DataFlow::Node myType() {
+   *   result = myType(DataFlow::TypeTracker::end())
+   * }
+   * ```
+   */
+  pragma[inline]
+  TypeTracker smallstep(Node nodeFrom, Node nodeTo) {
+    exists(StepSummary summary |
+      StepSummary::smallstep(nodeFrom, nodeTo, summary) and
+      result = this.append(summary)
+    )
+    or
+    typePreservingStep(nodeFrom, nodeTo) and
+    result = this
+  }
+}
+
+/** Provides predicates for implementing custom `TypeTracker`s. */
+module TypeTracker {
+  /**
+   * Gets a valid end point of type tracking.
+   */
+  TypeTracker end() { result.end() }
+}
+
+private newtype TTypeBackTracker = MkTypeBackTracker(Boolean hasReturn, OptionalContentName content)
+
+/**
+ * Summary of the steps needed to back-track a use of a value to a given dataflow node.
+ *
+ * This can for example be used to track callbacks that are passed to a certain API,
+ * so we can model specific parameters of that callback as having a certain type.
+ *
+ * Note that type back-tracking does not provide a source/sink relation, that is,
+ * it may determine that a node will be used in an API call somewhere, but it won't
+ * determine exactly where that use was, or the path that led to the use.
+ *
+ * It is recommended that all uses of this type are written in the following form,
+ * for back-tracking some callback type `myCallback`:
+ *
+ * ```
+ * DataFlow::LocalSourceNode myCallback(DataFlow::TypeBackTracker t) {
+ *   t.start() and
+ *   result = (< some API call >).getArgument(< n >).getALocalSource()
+ *   or
+ *   exists (DataFlow::TypeBackTracker t2 |
+ *     result = myCallback(t2).backtrack(t2, t)
+ *   )
+ * }
+ *
+ * DataFlow::LocalSourceNode myCallback() { result = myCallback(DataFlow::TypeBackTracker::end()) }
+ * ```
+ *
+ * Instead of `result = myCallback(t2).backtrack(t2, t)`, you can also use the equivalent
+ * `t2 = t.step(result, myCallback(t2))`. If you additionally want to track individual
+ * intra-procedural steps, use `t2 = t.smallstep(result, myCallback(t2))`.
+ */
+class TypeBackTracker extends TTypeBackTracker {
+  Boolean hasReturn;
+  string content;
+
+  TypeBackTracker() { this = MkTypeBackTracker(hasReturn, content) }
+
+  /** Gets the summary resulting from prepending `step` to this type-tracking summary. */
+  TypeBackTracker prepend(StepSummary step) {
+    step = LevelStep() and result = this
+    or
+    step = CallStep() and hasReturn = false and result = this
+    or
+    step = ReturnStep() and result = MkTypeBackTracker(true, content)
+    or
+    exists(string p |
+      step = LoadStep(p) and content = "" and result = MkTypeBackTracker(hasReturn, p)
+    )
+    or
+    step = StoreStep(content) and result = MkTypeBackTracker(hasReturn, "")
+  }
+
+  /** Gets a textual representation of this summary. */
+  string toString() {
+    exists(string withReturn, string withContent |
+      (if hasReturn = true then withReturn = "with" else withReturn = "without") and
+      (if content != "" then withContent = " with content " + content else withContent = "") and
+      result = "type back-tracker " + withReturn + " return steps" + withContent
+    )
+  }
+
+  /**
+   * Holds if this is the starting point of type tracking.
+   */
+  predicate start() { hasReturn = false and content = "" }
+
+  /**
+   * Holds if this is the end point of type tracking.
+   */
+  predicate end() { content = "" }
+
+  /**
+   * INTERNAL. DO NOT USE.
+   *
+   * Holds if this type has been back-tracked into a call through return edge.
+   */
+  boolean hasReturn() { result = hasReturn }
+
+  /**
+   * Gets a type tracker that starts where this one has left off to allow continued
+   * tracking.
+   *
+   * This predicate is only defined if the type has not been tracked into a piece of content.
+   */
+  TypeBackTracker continue() { content = "" and result = this }
+
+  /**
+   * Gets the summary that corresponds to having taken a backwards
+   * heap and/or inter-procedural step from `nodeTo` to `nodeFrom`.
+   */
+  pragma[inline]
+  TypeBackTracker step(LocalSourceNode nodeFrom, LocalSourceNode nodeTo) {
+    exists(StepSummary summary |
+      StepSummary::step(nodeFrom, nodeTo, summary) and
+      this = result.prepend(summary)
+    )
+  }
+
+  /**
+   * Gets the summary that corresponds to having taken a backwards
+   * local, heap and/or inter-procedural step from `nodeTo` to `nodeFrom`.
+   *
+   * Unlike `TypeBackTracker::step`, this predicate exposes all edges
+   * in the flowgraph, and not just the edges between
+   * `LocalSourceNode`s. It may therefore be less performant.
+   *
+   * Type tracking predicates using small steps typically take the following form:
+   * ```ql
+   * DataFlow::Node myType(DataFlow::TypeBackTracker t) {
+   *   t.start() and
+   *   result = < some API call >.getArgument(< n >)
+   *   or
+   *   exists (DataFlow::TypeBackTracker t2 |
+   *     t = t2.smallstep(result, myType(t2))
+   *   )
+   * }
+   *
+   * DataFlow::Node myType() {
+   *   result = myType(DataFlow::TypeBackTracker::end())
+   * }
+   * ```
+   */
+  pragma[inline]
+  TypeBackTracker smallstep(Node nodeFrom, Node nodeTo) {
+    exists(StepSummary summary |
+      StepSummary::smallstep(nodeFrom, nodeTo, summary) and
+      this = result.prepend(summary)
+    )
+    or
+    typePreservingStep(nodeFrom, nodeTo) and
+    this = result
+  }
+}
+
+/** Provides predicates for implementing custom `TypeBackTracker`s. */
+module TypeBackTracker {
+  /**
+   * Gets a valid end point of type back-tracking.
+   */
+  TypeBackTracker end() { result.end() }
+}
diff --git a/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll b/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll
new file mode 100644
index 00000000000..f8f915f175d
--- /dev/null
+++ b/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll
@@ -0,0 +1,95 @@
+private import python
+private import semmle.python.dataflow.new.internal.DataFlowPublic as DataFlowPublic
+private import semmle.python.dataflow.new.internal.DataFlowPrivate as DataFlowPrivate
+
+class Node = DataFlowPublic::Node;
+
+class LocalSourceNode = DataFlowPublic::LocalSourceNode;
+
+predicate jumpStep = DataFlowPrivate::jumpStep/2;
+
+predicate simpleLocalFlowStep = DataFlowPrivate::simpleLocalFlowStep/2;
+
+/**
+ * Gets the name of a possible piece of content. This will usually include things like
+ *
+ * - Attribute names (in Python)
+ * - Property names (in JavaScript)
+ */
+string getPossibleContentName() { result = any(DataFlowPublic::AttrRef a).getAttributeName() }
+
+/**
+ * Gets a callable for the call where `nodeFrom` is used as the `i`'th argument.
+ *
+ * Helper predicate to avoid bad join order experienced in `callStep`.
+ * This happened when `isParameterOf` was joined _before_ `getCallable`.
+ */
+pragma[nomagic]
+private DataFlowPrivate::DataFlowCallable getCallableForArgument(
+  DataFlowPublic::ArgumentNode nodeFrom, int i
+) {
+  exists(DataFlowPrivate::DataFlowCall call |
+    nodeFrom.argumentOf(call, i) and
+    result = call.getCallable()
+  )
+}
+
+/** Holds if `nodeFrom` steps to `nodeTo` by being passed as a parameter in a call. */
+predicate callStep(DataFlowPublic::ArgumentNode nodeFrom, DataFlowPublic::ParameterNode nodeTo) {
+  // TODO: Support special methods?
+  exists(DataFlowPrivate::DataFlowCallable callable, int i |
+    callable = getCallableForArgument(nodeFrom, i) and
+    nodeTo.isParameterOf(callable, i)
+  )
+}
+
+/** Holds if `nodeFrom` steps to `nodeTo` by being returned from a call. */
+predicate returnStep(DataFlowPrivate::ReturnNode nodeFrom, Node nodeTo) {
+  exists(DataFlowPrivate::DataFlowCall call |
+    nodeFrom.getEnclosingCallable() = call.getCallable() and nodeTo.asCfgNode() = call.getNode()
+  )
+}
+
+/**
+ * Holds if `nodeFrom` is being written to the `content` content of the object in `nodeTo`.
+ *
+ * Note that the choice of `nodeTo` does not have to make sense "chronologically".
+ * All we care about is whether the `content` content of `nodeTo` can have a specific type,
+ * and the assumption is that if a specific type appears here, then any access of that
+ * particular content can yield something of that particular type.
+ *
+ * Thus, in an example such as
+ *
+ * ```python
+ * def foo(y):
+ *    x = Foo()
+ *    bar(x)
+ *    x.content = y
+ *    baz(x)
+ *
+ * def bar(x):
+ *    z = x.content
+ * ```
+ * for the content write `x.content = y`, we will have `content` being the literal string `"content"`,
+ * `nodeFrom` will be `y`, and `nodeTo` will be the object `Foo()` created on the first line of the
+ * function. This means we will track the fact that `x.content` can have the type of `y` into the
+ * assignment to `z` inside `bar`, even though this content write happens _after_ `bar` is called.
+ */
+predicate basicStoreStep(Node nodeFrom, LocalSourceNode nodeTo, string content) {
+  exists(DataFlowPublic::AttrWrite a |
+    a.mayHaveAttributeName(content) and
+    nodeFrom = a.getValue() and
+    nodeTo.flowsTo(a.getObject())
+  )
+}
+
+/**
+ * Holds if `nodeTo` is the result of accessing the `content` content of `nodeFrom`.
+ */
+predicate basicLoadStep(Node nodeFrom, Node nodeTo, string content) {
+  exists(DataFlowPublic::AttrRead a |
+    a.mayHaveAttributeName(content) and
+    nodeFrom = a.getObject() and
+    nodeTo = a
+  )
+}

From f05313435d68b06b96e3172d823024f9beb1df49 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Fri, 12 Mar 2021 14:06:39 +0100
Subject: [PATCH 0044/1429] Python: Move `typePreservingStep` into `Private`

---
 python/ql/src/experimental/typetracking/TypeTracker.qll   | 6 ------
 .../src/experimental/typetracking/TypeTrackerPrivate.qll  | 8 +++++---
 2 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/python/ql/src/experimental/typetracking/TypeTracker.qll b/python/ql/src/experimental/typetracking/TypeTracker.qll
index 9ef29f46205..f21d3a2a91b 100644
--- a/python/ql/src/experimental/typetracking/TypeTracker.qll
+++ b/python/ql/src/experimental/typetracking/TypeTracker.qll
@@ -78,12 +78,6 @@ module StepSummary {
   }
 }
 
-/** Holds if it's reasonable to expect the data flow step from `nodeFrom` to `nodeTo` to preserve types. */
-private predicate typePreservingStep(Node nodeFrom, Node nodeTo) {
-  simpleLocalFlowStep(nodeFrom, nodeTo) or
-  jumpStep(nodeFrom, nodeTo)
-}
-
 /**
  * A utility class that is equivalent to `boolean` but does not require type joining.
  */
diff --git a/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll b/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll
index f8f915f175d..d26a76b3355 100644
--- a/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll
+++ b/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll
@@ -6,9 +6,11 @@ class Node = DataFlowPublic::Node;
 
 class LocalSourceNode = DataFlowPublic::LocalSourceNode;
 
-predicate jumpStep = DataFlowPrivate::jumpStep/2;
-
-predicate simpleLocalFlowStep = DataFlowPrivate::simpleLocalFlowStep/2;
+/** Holds if it's reasonable to expect the data flow step from `nodeFrom` to `nodeTo` to preserve types. */
+predicate typePreservingStep(Node nodeFrom, Node nodeTo) {
+  DataFlowPrivate::simpleLocalFlowStep(nodeFrom, nodeTo) or
+  DataFlowPrivate::jumpStep(nodeFrom, nodeTo)
+}
 
 /**
  * Gets the name of a possible piece of content. This will usually include things like

From 41c9394b4bd12063e133222310a9facac689b330 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Sun, 14 Mar 2021 09:22:47 +0100
Subject: [PATCH 0045/1429] Python: update qhelp and example

---
 .../Security/CWE-327/InsecureProtocol.qhelp   | 21 +++++++++++++++++++
 .../examples/secure_default_protocol.py       | 16 ++++++--------
 2 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.qhelp b/python/ql/src/Security/CWE-327/InsecureProtocol.qhelp
index 4a7364ca14e..cfcebd0930d 100644
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.qhelp
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.qhelp
@@ -38,12 +38,33 @@
             <code>ssl.SSLContext</code>, which is supported in Python 2.7.9 and
             3.2 and later versions.
           </p>
+          <p>
+            Note that <code>ssl.wrap_socket</code> has been deprecated in
+            Python 3.7. The recommended alternatives are:
+          </p>
+          <ul>
+            <li><code>ssl.SSLContext</code> - supported in Python 2.7.9,
+                  3.2, and later versions</li>
+            <li><code>ssl.create_default_context</code> - a convenience function,
+                  supported in Python 3.4 and later versions.</li>
+          </ul>
+          <p>
+            Even when you use these alternatives, you should
+            ensure that a safe protocol is used. The following code illustrates
+            how to use flags (available since Python 3.2) or the `minimum_version`
+            field (favored since Python 3.7) to restrict the protocols accepted when
+            creating a connection.
+          </p>
+
+          <sample src="examples/secure_default_protocol.py" />
      </example>
 
      <references>
        <li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security"> Transport Layer Security</a>.</li>
        <li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl.SSLContext"> class ssl.SSLContext</a>.</li>
        <li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl.wrap_socket"> ssl.wrap_socket</a>.</li>
+       <li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#functions-constants-and-exceptions"> notes on context creation</a>.</li>
+       <li>Python 3 documentation: <a href="https://docs.python.org/3/library/ssl.html#ssl-security"> notes on security considerations</a>.</li>
        <li>pyOpenSSL documentation: <a href="https://pyopenssl.org/en/stable/api/ssl.html"> An interface to the SSL-specific parts of OpenSSL</a>.</li>
      </references>
 
diff --git a/python/ql/src/Security/CWE-327/examples/secure_default_protocol.py b/python/ql/src/Security/CWE-327/examples/secure_default_protocol.py
index 83c6dbbba0e..535a97f0b93 100644
--- a/python/ql/src/Security/CWE-327/examples/secure_default_protocol.py
+++ b/python/ql/src/Security/CWE-327/examples/secure_default_protocol.py
@@ -1,13 +1,9 @@
-# taken from https://docs.python.org/3/library/ssl.html?highlight=ssl#ssl.SSLContext
-
-import socket
 import ssl
 
-hostname = 'www.python.org'
-context = ssl.create_default_context()
-context.options |= ssl.OP_NO_TLSv1 # This added by me
-context.options |= ssl.OP_NO_TLSv1_1 # This added by me
+# Using flags to restrict the protocol
+context = ssl.SSLContext()
+context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
 
-with socket.create_connection((hostname, 443)) as sock:
-    with context.wrap_socket(sock, server_hostname=hostname) as ssock:
-        print(ssock.version())
+# Declaring a minimum version to restrict the protocol
+context = ssl.create_default_context()
+context.minimum_version = ssl.TLSVersion.TLSv1_2

From 4094b184074ca1c4b20e4ad599bef6d536f518c3 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Mon, 15 Mar 2021 16:28:08 +0100
Subject: [PATCH 0046/1429] Python: Clean up tests

---
 .../CWE-327/InsecureProtocol.expected         | 10 ++---
 .../Security/CWE-327/InsecureProtocol.py      | 39 ++++++-------------
 2 files changed, 17 insertions(+), 32 deletions(-)

diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
index f4202a4634d..db30e41b480 100644
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
@@ -5,11 +5,11 @@
 | InsecureProtocol.py:11:1:11:39 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version SSLv3 specified by $@  | InsecureProtocol.py:11:1:11:39 | ControlFlowNode for SSLContext() | call to SSLContext |
 | InsecureProtocol.py:12:1:12:39 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version TLSv1 specified by $@  | InsecureProtocol.py:12:1:12:39 | ControlFlowNode for SSLContext() | call to SSLContext |
 | InsecureProtocol.py:14:1:14:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@  | InsecureProtocol.py:14:1:14:29 | ControlFlowNode for Attribute() | call to SSL.Context |
-| InsecureProtocol.py:16:1:16:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv3 specified by $@  | InsecureProtocol.py:16:1:16:29 | ControlFlowNode for Attribute() | call to SSL.Context |
-| InsecureProtocol.py:17:1:17:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version TLSv1 specified by $@  | InsecureProtocol.py:17:1:17:29 | ControlFlowNode for Attribute() | call to SSL.Context |
-| InsecureProtocol.py:32:1:32:19 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@  | InsecureProtocol.py:32:1:32:19 | ControlFlowNode for Attribute() | call to SSL.Context |
-| InsecureProtocol.py:48:1:48:43 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@  | InsecureProtocol.py:48:1:48:43 | ControlFlowNode for Attribute() | call to ssl.wrap_socket |
-| InsecureProtocol.py:49:1:49:35 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version SSLv2 specified by $@  | InsecureProtocol.py:49:1:49:35 | ControlFlowNode for SSLContext() | call to SSLContext |
+| InsecureProtocol.py:15:1:15:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv3 specified by $@  | InsecureProtocol.py:15:1:15:29 | ControlFlowNode for Attribute() | call to SSL.Context |
+| InsecureProtocol.py:16:1:16:29 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version TLSv1 specified by $@  | InsecureProtocol.py:16:1:16:29 | ControlFlowNode for Attribute() | call to SSL.Context |
+| InsecureProtocol.py:19:1:19:19 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@  | InsecureProtocol.py:19:1:19:19 | ControlFlowNode for Attribute() | call to SSL.Context |
+| InsecureProtocol.py:23:1:23:43 | ControlFlowNode for Attribute() | Insecure SSL/TLS protocol version SSLv2 specified by $@  | InsecureProtocol.py:23:1:23:43 | ControlFlowNode for Attribute() | call to ssl.wrap_socket |
+| InsecureProtocol.py:24:1:24:35 | ControlFlowNode for SSLContext() | Insecure SSL/TLS protocol version SSLv2 specified by $@  | InsecureProtocol.py:24:1:24:35 | ControlFlowNode for SSLContext() | call to SSLContext |
 | pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv2 allowed by $@  | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context |
 | pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@  | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context |
 | pyOpenSSL_fluent.py:8:27:8:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | pyOpenSSL_fluent.py:6:15:6:44 | ControlFlowNode for Attribute() | call to SSL.Context |
diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
index cb21a6623c9..3ff1207b527 100644
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
@@ -2,7 +2,7 @@ import ssl
 from OpenSSL import SSL
 from ssl import SSLContext
 
-# true positives
+# insecure versions specified
 ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv2)
 ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3)
 ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1)
@@ -12,41 +12,26 @@ SSLContext(protocol=ssl.PROTOCOL_SSLv3)
 SSLContext(protocol=ssl.PROTOCOL_TLSv1)
 
 SSL.Context(SSL.SSLv2_METHOD)
-SSL.Context(SSL.SSLv23_METHOD)
 SSL.Context(SSL.SSLv3_METHOD)
 SSL.Context(SSL.TLSv1_METHOD)
 
-# not relevant
-wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3)
-wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1)
-wrap_socket(ssl_version=ssl.PROTOCOL_SSLv2)
-
-Context(SSL.SSLv3_METHOD)
-Context(SSL.TLSv1_METHOD)
-Context(SSL.SSLv2_METHOD)
-Context(SSL.SSLv23_METHOD)
-
-# true positive using flow
-
 METHOD = SSL.SSLv2_METHOD
 SSL.Context(METHOD)
 
-# secure versions
+# importing the protocol constant directly
+from ssl import PROTOCOL_SSLv2
+ssl.wrap_socket(ssl_version=PROTOCOL_SSLv2)
+SSLContext(protocol=PROTOCOL_SSLv2)
 
+# secure versions specified
 ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1_2)
 SSLContext(protocol=ssl.PROTOCOL_TLSv1_2)
 SSL.Context(SSL.TLSv1_2_METHOD)
 
-# possibly insecure default
-ssl.wrap_socket()
-context = SSLContext()
+# possibly secure versions specified
+SSLContext(protocol=ssl.PROTOCOL_SSLv23)
+SSLContext(protocol=ssl.PROTOCOL_TLS)
+SSLContext(protocol=ssl.PROTOCOL_TLS_CLIENT)
+SSLContext(protocol=ssl.PROTOCOL_TLS_SERVER)
 
-# importing the protocol constant directly
-
-from ssl import PROTOCOL_SSLv2
-
-ssl.wrap_socket(ssl_version=PROTOCOL_SSLv2)
-SSLContext(protocol=PROTOCOL_SSLv2)
-
-# FP for insecure default
-ssl.SSLContext(ssl.SSLv23_METHOD)
+SSL.Context(SSL.SSLv23_METHOD)

From 731f4559b415dce07d8118707a42081bcba42c08 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Mon, 15 Mar 2021 17:23:58 +0100
Subject: [PATCH 0047/1429] Python: update test expectations

---
 .../Security/CWE-327/InsecureDefaultProtocol.expected           | 2 --
 1 file changed, 2 deletions(-)

diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.expected b/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.expected
index 1e389aefdc1..e69de29bb2d 100644
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureDefaultProtocol.expected
@@ -1,2 +0,0 @@
-| InsecureProtocol.py:41:1:41:17 | ControlFlowNode for Attribute() | Call to deprecated method ssl.wrap_socket does not specify a protocol, which may result in an insecure default being used. |
-| InsecureProtocol.py:42:11:42:22 | ControlFlowNode for SSLContext() | Call to ssl.SSLContext does not specify a protocol, which may result in an insecure default being used. |

From 87f3ba26843b8f861df47b9ca03226926aa58b5b Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Mon, 15 Mar 2021 17:24:39 +0100
Subject: [PATCH 0048/1429] Python: add tests for `ssl.PROTOCOL_TLS_SERVER` and
 `ssl.PROTOCOL_TLS_CLIENT`

---
 .../CWE-327/InsecureProtocol.expected         | 36 +++++++++----------
 .../Security/CWE-327/ssl_fluent.py            | 18 ++++++++++
 2 files changed, 36 insertions(+), 18 deletions(-)

diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
index db30e41b480..3f383ea5297 100644
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
@@ -22,21 +22,21 @@
 | ssl_fluent.py:9:14:9:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:6:15:6:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
 | ssl_fluent.py:9:14:9:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:6:15:6:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
 | ssl_fluent.py:19:14:19:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:15:15:15:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:37:14:37:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:34:15:34:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:37:14:37:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:34:15:34:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:47:14:47:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:43:15:43:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:75:14:75:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:71:15:71:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:75:14:75:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:71:15:71:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:89:12:89:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:128:15:128:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:89:12:89:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:128:15:128:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:144:5:144:11 | ControlFlowNode for context | context modification |
-| ssl_fluent.py:98:14:98:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:162:5:162:11 | ControlFlowNode for context | context modification |
-| ssl_fluent.py:104:14:104:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:89:12:89:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:104:14:104:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:89:12:89:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:124:14:124:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:122:5:122:11 | ControlFlowNode for context | context modification |
-| ssl_fluent.py:173:14:173:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:170:5:170:11 | ControlFlowNode for context | context modification |
-| ssl_fluent.py:192:14:192:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@  | ssl_fluent.py:189:5:189:11 | ControlFlowNode for context | context modification |
-| ssl_fluent.py:192:14:192:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:188:15:188:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
-| ssl_fluent.py:192:14:192:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:188:15:188:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
+| ssl_fluent.py:55:14:55:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:52:15:52:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:55:14:55:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:52:15:52:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:65:14:65:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:61:15:61:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:93:14:93:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:89:15:89:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:93:14:93:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:89:15:89:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:116:14:116:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:107:12:107:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:116:14:116:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:146:15:146:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:116:14:116:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:107:12:107:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:116:14:116:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:146:15:146:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:116:14:116:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:162:5:162:11 | ControlFlowNode for context | context modification |
+| ssl_fluent.py:116:14:116:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:180:5:180:11 | ControlFlowNode for context | context modification |
+| ssl_fluent.py:122:14:122:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:107:12:107:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:122:14:122:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:107:12:107:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:142:14:142:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:140:5:140:11 | ControlFlowNode for context | context modification |
+| ssl_fluent.py:191:14:191:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:188:5:188:11 | ControlFlowNode for context | context modification |
+| ssl_fluent.py:210:14:210:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@  | ssl_fluent.py:207:5:207:11 | ControlFlowNode for context | context modification |
+| ssl_fluent.py:210:14:210:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:206:15:206:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
+| ssl_fluent.py:210:14:210:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:206:15:206:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
diff --git a/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py b/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
index 577f342765e..ceddaa32f09 100644
--- a/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
+++ b/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
@@ -19,6 +19,24 @@ def test_fluent_tls_no_TLSv1():
         with context.wrap_socket(sock, server_hostname=hostname) as ssock:
             print(ssock.version())
 
+def test_fluent_tls_client_no_TLSv1():
+    hostname = 'www.python.org'
+    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+    context.options |= ssl.OP_NO_TLSv1
+
+    with socket.create_connection((hostname, 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
+def test_fluent_tls_server_no_TLSv1():
+    hostname = 'www.python.org'
+    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+    context.options |= ssl.OP_NO_TLSv1
+
+    with socket.create_server((hostname, 443)) as sock:
+        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+            print(ssock.version())
+
 def test_fluent_tls_safe():
     hostname = 'www.python.org'
     context = ssl.SSLContext(ssl.PROTOCOL_TLS)

From 514a69c47ad79318883483f159662503bc7358b0 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Mon, 15 Mar 2021 17:30:01 +0100
Subject: [PATCH 0049/1429] Python: Support `ssl.PROTOCOL_TLS_SERVER` and
 `ssl.PROTOCOL_TLS_CLIENT`

---
 python/ql/src/Security/CWE-327/Ssl.qll                      | 6 +++++-
 .../query-tests/Security/CWE-327/InsecureProtocol.expected  | 2 ++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index d4886219d08..be16138b961 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -146,7 +146,11 @@ class Ssl extends TlsLibrary {
 
   override string specific_version_name(ProtocolVersion version) { result = "PROTOCOL_" + version }
 
-  override string unspecific_version_name(ProtocolFamily family) { result = "PROTOCOL_" + family }
+  override string unspecific_version_name(ProtocolFamily family) {
+    family = "SSLv23" and result = "PROTOCOL_" + family
+    or
+    family = "TLS" and result = "PROTOCOL_" + family + ["", "_CLIENT", "_SERVER"]
+  }
 
   override API::Node version_constants() { result = API::moduleImport("ssl") }
 
diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
index 3f383ea5297..e578a335d84 100644
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
@@ -22,6 +22,8 @@
 | ssl_fluent.py:9:14:9:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:6:15:6:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
 | ssl_fluent.py:9:14:9:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:6:15:6:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
 | ssl_fluent.py:19:14:19:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:15:15:15:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:28:14:28:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:24:15:24:53 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:37:14:37:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:33:15:33:53 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
 | ssl_fluent.py:55:14:55:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:52:15:52:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
 | ssl_fluent.py:55:14:55:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:52:15:52:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
 | ssl_fluent.py:65:14:65:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:61:15:61:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |

From 9a962305236c194d18d80d6321bf11ddc6eabe8b Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Mon, 15 Mar 2021 17:35:30 +0100
Subject: [PATCH 0050/1429] Python: Add changenote

---
 python/change-notes/2021-03-15-port-insecure-protocol.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 python/change-notes/2021-03-15-port-insecure-protocol.md

diff --git a/python/change-notes/2021-03-15-port-insecure-protocol.md b/python/change-notes/2021-03-15-port-insecure-protocol.md
new file mode 100644
index 00000000000..c92f387b29a
--- /dev/null
+++ b/python/change-notes/2021-03-15-port-insecure-protocol.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Ported use of insecure SSL/TLS version (`py/insecure-protocol`) query to use new data-flow library. This might result in different results, but overall a more robust and accurate analysis.

From 98204a15a6ad8c8dd5dfb42269bfdd153cfc1827 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Wed, 17 Mar 2021 15:28:04 +0800
Subject: [PATCH 0051/1429] Fix the problem

---
 .../Security/CWE/CWE-352/JsonStringLib.qll    |   2 +-
 .../Security/CWE/CWE-352/JsonpInjection.java  | 117 ++++++----
 .../Security/CWE/CWE-352/JsonpInjection.qhelp |  11 +-
 .../Security/CWE/CWE-352/JsonpInjection.ql    |  24 ++-
 .../CWE/CWE-352/JsonpInjectionLib.qll         |  66 +++---
 .../Security/CWE/CWE-598/SensitiveGetQuery.ql |  10 -
 .../semmle/code/java/frameworks/Servlets.qll  |  11 +
 .../security/CWE-352/JsonpInjection.qlref     |   1 -
 .../JsonpController.java                      | 105 +++++++--
 .../JsonpInjection.expected                   |  87 ++++++++
 .../JsonpInjection.qlref                      |   1 +
 .../JsonpInjectionServlet1.java               |   0
 .../JsonpInjectionServlet2.java               |   0
 .../RefererFilter.java                        |   0
 .../CWE-352/JsonpInjectionWithFilter/options  |   1 +
 .../JsonpController.java                      | 107 +++++++--
 .../JsonpInjection.expected                   |  76 +++++++
 .../JsonpInjection.qlref                      |   1 +
 .../options                                   |   1 +
 .../JsonpController.java                      | 203 ++++++++++++++++++
 .../JsonpInjection.expected                   |  92 ++++++++
 .../JsonpInjection.qlref                      |   1 +
 .../JsonpInjectionServlet1.java               |   0
 .../JsonpInjectionServlet2.java               |   0
 .../options                                   |   1 +
 .../CWE-352/JsonpInjection_1.expected         |  60 ------
 .../CWE-352/JsonpInjection_2.expected         |  78 -------
 .../CWE-352/JsonpInjection_3.expected         |  66 ------
 .../query-tests/security/CWE-352/Readme       |   3 -
 .../security/CWE-352/RefererFilter.java       |  43 ----
 .../query-tests/security/CWE-352/options      |   1 -
 .../core/annotation/AliasFor.java             |  13 +-
 .../core/io/InputStreamSource.java            |   8 +
 .../org/springframework/core/io/Resource.java |  46 ++++
 .../org/springframework/lang/Nullable.java    |  13 ++
 .../springframework/util/FileCopyUtils.java   |  53 +++++
 .../org/springframework/util/StringUtils.java |   2 +-
 .../web/bind/annotation/GetMapping.java       |  36 +++-
 .../web/bind/annotation/Mapping.java          |   4 +
 .../web/bind/annotation/RequestMapping.java   |  19 +-
 .../web/bind/annotation/RequestParam.java     |  23 ++
 .../web/bind/annotation/ResponseBody.java     |   9 +
 .../web/multipart/MultipartFile.java          |  38 ++++
 .../javax/servlet/annotation/WebServlet.java  |  30 +++
 44 files changed, 1075 insertions(+), 388 deletions(-)
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.qlref
 rename java/ql/test/experimental/query-tests/security/CWE-352/{ => JsonpInjectionWithFilter}/JsonpController.java (54%)
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.qlref
 rename java/ql/{src/experimental/Security/CWE/CWE-352 => test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter}/JsonpInjectionServlet1.java (100%)
 rename java/ql/{src/experimental/Security/CWE/CWE-352 => test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter}/JsonpInjectionServlet2.java (100%)
 rename java/ql/{src/experimental/Security/CWE/CWE-352 => test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter}/RefererFilter.java (100%)
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/options
 rename java/ql/{src/experimental/Security/CWE/CWE-352 => test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController}/JsonpController.java (54%)
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.qlref
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/options
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpController.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.qlref
 rename java/ql/test/experimental/query-tests/security/CWE-352/{ => JsonpInjectionWithSpringControllerAndServlet}/JsonpInjectionServlet1.java (100%)
 rename java/ql/test/experimental/query-tests/security/CWE-352/{ => JsonpInjectionWithSpringControllerAndServlet}/JsonpInjectionServlet2.java (100%)
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/options
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_1.expected
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_2.expected
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_3.expected
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/Readme
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/RefererFilter.java
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/options
 create mode 100644 java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/io/InputStreamSource.java
 create mode 100644 java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/io/Resource.java
 create mode 100644 java/ql/test/stubs/spring-core-5.3.2/org/springframework/lang/Nullable.java
 create mode 100644 java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/FileCopyUtils.java
 create mode 100644 java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/Mapping.java
 create mode 100644 java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestParam.java
 create mode 100644 java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/multipart/MultipartFile.java
 create mode 100644 java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/annotation/WebServlet.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonStringLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonStringLib.qll
index 0da8bc860d1..5cc52e97e33 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonStringLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonStringLib.qll
@@ -3,7 +3,7 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 import DataFlow::PathGraph
 
-/** Json string type data */
+/** Json string type data. */
 abstract class JsonpStringSource extends DataFlow::Node { }
 
 /** Convert to String using Gson library. */
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java
index 8b4e7cc005e..7f479a8c023 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java
@@ -1,31 +1,39 @@
 import com.alibaba.fastjson.JSONObject;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.gson.Gson;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
 import java.io.PrintWriter;
 import java.util.HashMap;
-import java.util.Random;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.multipart.MultipartFile;
 
 @Controller
 public class JsonpInjection {
-private static HashMap hashMap = new HashMap();
+
+    private static HashMap hashMap = new HashMap();
 
     static {
         hashMap.put("username","admin");
         hashMap.put("password","123456");
     }
 
+    private String name = null;
+
 
     @GetMapping(value = "jsonp1")
     @ResponseBody
     public String bad1(HttpServletRequest request) {
         String resultStr = null;
         String jsonpCallback = request.getParameter("jsonpCallback");
-
         Gson gson = new Gson();
         String result = gson.toJson(hashMap);
         resultStr = jsonpCallback + "(" + result + ")";
@@ -37,9 +45,7 @@ private static HashMap hashMap = new HashMap();
     public String bad2(HttpServletRequest request) {
         String resultStr = null;
         String jsonpCallback = request.getParameter("jsonpCallback");
-
         resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")";
-
         return resultStr;
     }
 
@@ -67,7 +73,6 @@ private static HashMap hashMap = new HashMap();
     @ResponseBody
     public void bad5(HttpServletRequest request,
             HttpServletResponse response) throws Exception {
-        response.setContentType("application/json");
         String jsonpCallback = request.getParameter("jsonpCallback");
         PrintWriter pw = null;
         Gson gson = new Gson();
@@ -83,7 +88,6 @@ private static HashMap hashMap = new HashMap();
     @ResponseBody
     public void bad6(HttpServletRequest request,
             HttpServletResponse response) throws Exception {
-        response.setContentType("application/json");
         String jsonpCallback = request.getParameter("jsonpCallback");
         PrintWriter pw = null;
         ObjectMapper mapper = new ObjectMapper();
@@ -94,60 +98,96 @@ private static HashMap hashMap = new HashMap();
         pw.println(resultStr);
     }
 
-    @GetMapping(value = "jsonp7")
+    @RequestMapping(value = "jsonp7", method = RequestMethod.GET)
     @ResponseBody
-    public String good(HttpServletRequest request) {
+    public String bad7(HttpServletRequest request) {
         String resultStr = null;
         String jsonpCallback = request.getParameter("jsonpCallback");
-
-        String val = "";
-        Random random = new Random();
-        for (int i = 0; i < 10; i++) {
-            val += String.valueOf(random.nextInt(10));
-        }
-        // good
-        jsonpCallback = jsonpCallback + "_" + val;
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+        resultStr = jsonpCallback + "(" + result + ")";
         return resultStr;
     }
 
+
     @GetMapping(value = "jsonp8")
     @ResponseBody
     public String good1(HttpServletRequest request) {
         String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-
         String token = request.getParameter("token");
-
-        // good
         if (verifToken(token)){
-            System.out.println(token);
+            String jsonpCallback = request.getParameter("jsonpCallback");
             String jsonStr = getJsonStr(hashMap);
             resultStr = jsonpCallback + "(" + jsonStr + ")";
             return resultStr;
         }
-
         return "error";
     }
 
+
     @GetMapping(value = "jsonp9")
     @ResponseBody
     public String good2(HttpServletRequest request) {
         String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-
-        String referer = request.getHeader("Referer");
-
-        boolean result = verifReferer(referer);
-        // good
+        String token = request.getParameter("token");
+        boolean result = verifToken(token);
         if (result){
-            String jsonStr = getJsonStr(hashMap);
-            resultStr = jsonpCallback + "(" + jsonStr + ")";
-            return resultStr;
+            return "";
         }
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
 
-        return "error";
+    @RequestMapping(value = "jsonp10")
+    @ResponseBody
+    public String good3(HttpServletRequest request) {
+        JSONObject parameterObj = readToJSONObect(request);
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    @RequestMapping(value = "jsonp11")
+    @ResponseBody
+    public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
+        if(null == file){
+            return "upload file error";
+        }
+        String fileName = file.getOriginalFilename();
+        System.out.println("file operations");
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    public static JSONObject readToJSONObect(HttpServletRequest request){
+        String jsonText = readPostContent(request);
+        JSONObject jsonObj = JSONObject.parseObject(jsonText, JSONObject.class);
+        return jsonObj;
+    }
+
+    public static String readPostContent(HttpServletRequest request){
+        BufferedReader in= null;
+        String content = null;
+        String line = null;
+        try {
+            in = new BufferedReader(new InputStreamReader(request.getInputStream(),"UTF-8"));
+            StringBuilder buf = new StringBuilder();
+            while ((line = in.readLine()) != null) {
+                buf.append(line);
+            }
+            content = buf.toString();
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+        String uri = request.getRequestURI();
+        return content;
     }
 
     public static String getJsonStr(Object result) {
@@ -160,11 +200,4 @@ private static HashMap hashMap = new HashMap();
         }
         return true;
     }
-
-    public static boolean verifReferer(String referer){
-        if (!referer.startsWith("http://test.com/")){
-            return false;
-        }
-        return true;
-    }
 }
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
index bb5d628ac0b..93c167d6c2c 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
@@ -3,18 +3,21 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>The software uses external input as the function name to wrap JSON data and return it to the client as a request response. When there is a cross-domain problem, 
-there is a problem of sensitive information leakage.</p>
+<p>The software uses external input as the function name to wrap JSON data and returns it to the client as a request response. 
+When there is a cross-domain problem, the problem of sensitive information leakage may occur.</p>
 
 </overview>
 <recommendation>
 
-<p>Adding `Referer` or random `token` verification processing can effectively prevent the leakage of sensitive information.</p>
+<p>Adding <code>Referer</code>/<code>Origin</code> or random <code>token</code> verification processing can effectively prevent the leakage of sensitive information.</p>
 
 </recommendation>
 <example>
 
-<p>The following example shows the case of no verification processing and verification processing for the external input function name.</p>
+<p>The following examples show the bad case and the good case respectively. Bad case, such as <code>bad1</code> to <code>bad7</code>, 
+will cause information leakage problems when there are cross-domain problems. In a good case, for example, in the <code>good1</code> 
+method and the <code>good2</code> method, use the <code>verifToken</code> method to do the random <code>token</code> Verification can 
+solve the problem of information leakage caused by cross-domain.</p>
 
 <sample src="JsonpInjection.java" />
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
index f3ae25daa03..068469328ea 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -14,25 +14,25 @@ import java
 import JsonpInjectionLib
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.deadcode.WebEntryPoints
-import semmle.code.java.security.XSS
 import DataFlow::PathGraph
 
 /** Determine whether there is a verification method for the remote streaming source data flow path method. */
 predicate existsFilterVerificationMethod() {
-  exists(MethodAccess ma,Node existsNode, Method m|
+  exists(MethodAccess ma, Node existsNode, Method m |
     ma.getMethod() instanceof VerificationMethodClass and
     existsNode.asExpr() = ma and
-    m = getAnMethod(existsNode.getEnclosingCallable()) and
+    m = getACallingCallableOrSelf(existsNode.getEnclosingCallable()) and
     isDoFilterMethod(m)
   )
 }
 
 /** Determine whether there is a verification method for the remote streaming source data flow path method. */
 predicate existsServletVerificationMethod(Node checkNode) {
-  exists(MethodAccess ma,Node existsNode|
+  exists(MethodAccess ma, Node existsNode |
     ma.getMethod() instanceof VerificationMethodClass and
     existsNode.asExpr() = ma and
-    getAnMethod(existsNode.getEnclosingCallable()) = getAnMethod(checkNode.getEnclosingCallable())
+    getACallingCallableOrSelf(existsNode.getEnclosingCallable()) =
+      getACallingCallableOrSelf(checkNode.getEnclosingCallable())
   )
 }
 
@@ -40,13 +40,15 @@ predicate existsServletVerificationMethod(Node checkNode) {
 class RequestResponseFlowConfig extends TaintTracking::Configuration {
   RequestResponseFlowConfig() { this = "RequestResponseFlowConfig" }
 
-  override predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource and
-    getAnMethod(source.getEnclosingCallable()) instanceof RequestGetMethod
-  }
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
 
+  /** Eliminate the method of calling the node is not the get method. */
+  override predicate isSanitizer(DataFlow::Node node) {
+    not getACallingCallableOrSelf(node.getEnclosingCallable()) instanceof RequestGetMethod 
+  }
+
   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
     exists(MethodAccess ma |
       isRequestGetParamMethod(ma) and pred.asExpr() = ma.getQualifier() and succ.asExpr() = ma
@@ -60,5 +62,5 @@ where
   not existsFilterVerificationMethod() and
   conf.hasFlowPath(source, sink) and
   exists(JsonpInjectionFlowConfig jhfc | jhfc.hasFlowTo(sink.getNode()))
-select sink.getNode(), source, sink, "Jsonp Injection query might include code from $@.",
-  source.getNode(), "this user input"
\ No newline at end of file
+select sink.getNode(), source, sink, "Jsonp response might include code from $@.", source.getNode(),
+  "this user input"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index b8964524a9f..d0e00bcb634 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -6,28 +6,25 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.spring.SpringController
 
-/** Taint-tracking configuration tracing flow from user-controllable function name jsonp data to output jsonp data. */
+/** Taint-tracking configuration tracing flow from untrusted inputs to verification of remote user input. */
 class VerificationMethodFlowConfig extends TaintTracking::Configuration {
   VerificationMethodFlowConfig() { this = "VerificationMethodFlowConfig" }
 
   override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma, BarrierGuard bg |
+    exists(MethodAccess ma |
       ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
-      bg = ma and
-      sink.asExpr() = ma.getAnArgument()
+      ma.getAnArgument() = sink.asExpr()
     )
   }
 }
 
-/** The parameter name of the method is `token`, `auth`, `referer`, `origin`. */
+/** The parameter names of this method are token/auth/referer/origin. */
 class VerificationMethodClass extends Method {
   VerificationMethodClass() {
-    exists(MethodAccess ma, BarrierGuard bg, VerificationMethodFlowConfig vmfc, Node node |
+    exists(MethodAccess ma, VerificationMethodFlowConfig vmfc, Node node |
       this = ma.getMethod() and
-      this.getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
-      bg = ma and
       node.asExpr() = ma.getAnArgument() and
       vmfc.hasFlowTo(node)
     )
@@ -35,38 +32,43 @@ class VerificationMethodClass extends Method {
 }
 
 /** Get Callable by recursive method. */
-Callable getAnMethod(Callable call) {
+Callable getACallingCallableOrSelf(Callable call) {
   result = call
   or
-  result = getAnMethod(call.getAReference().getEnclosingCallable())
+  result = getACallingCallableOrSelf(call.getAReference().getEnclosingCallable())
 }
 
 abstract class RequestGetMethod extends Method { }
 
-/** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
+/** Override method of `doGet` of `Servlet` subclass. */
 private class ServletGetMethod extends RequestGetMethod {
-  ServletGetMethod() {
-    exists(Method m |
-      m = this and
-      isServletRequestMethod(m) and
-      m.getName() = "doGet"
-    )
+  ServletGetMethod() { this instanceof DoGetServletMethod }
+}
+
+/** The method of SpringController class processing `get` request. */
+abstract class SpringControllerGetMethod extends RequestGetMethod { }
+
+/** Method using `GetMapping` annotation in SpringController class. */
+class SpringControllerGetMappingGetMethod extends SpringControllerGetMethod {
+  SpringControllerGetMappingGetMethod() {
+    this.getAnAnnotation()
+        .getType()
+        .hasQualifiedName("org.springframework.web.bind.annotation", "GetMapping")
   }
 }
 
-/** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
-private class SpringControllerGetMethod extends RequestGetMethod {
-  SpringControllerGetMethod() {
-    exists(Annotation a |
-      a = this.getAnAnnotation() and
-      a.getType().hasQualifiedName("org.springframework.web.bind.annotation", "GetMapping")
-    )
-    or
-    exists(Annotation a |
-      a = this.getAnAnnotation() and
-      a.getType().hasQualifiedName("org.springframework.web.bind.annotation", "RequestMapping") and
-      a.getValue("method").toString().regexpMatch("RequestMethod.GET|\\{...\\}")
-    )
+/** The method that uses the `RequestMapping` annotation in the SpringController class and only handles the get request. */
+class SpringControllerRequestMappingGetMethod extends SpringControllerGetMethod {
+  SpringControllerRequestMappingGetMethod() {
+    this.getAnAnnotation()
+        .getType()
+        .hasQualifiedName("org.springframework.web.bind.annotation", "RequestMapping") and
+    this.getAnAnnotation().getValue("method").toString().regexpMatch("RequestMethod.GET|\\{...\\}") and
+    not exists(MethodAccess ma |
+      ma.getMethod() instanceof ServletRequestGetBodyMethod and
+      this = getACallingCallableOrSelf(ma.getEnclosingCallable())
+    ) and
+    not this.getAParamType().getName() = "MultipartFile"
   }
 }
 
@@ -83,12 +85,12 @@ class JsonpInjectionExpr extends AddExpr {
         .regexpMatch("\"\\(\"")
   }
 
-  /** Get the jsonp function name of this expression */
+  /** Get the jsonp function name of this expression. */
   Expr getFunctionName() {
     result = getLeftOperand().(AddExpr).getLeftOperand().(AddExpr).getLeftOperand()
   }
 
-  /** Get the json data of this expression */
+  /** Get the json data of this expression. */
   Expr getJsonExpr() { result = getLeftOperand().(AddExpr).getRightOperand() }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql b/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
index bc9850cfddb..c381595af14 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
@@ -23,16 +23,6 @@ class SensitiveInfoExpr extends Expr {
   }
 }
 
-/** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
-private predicate isGetServletMethod(Method m) {
-  isServletRequestMethod(m) and m.getName() = "doGet"
-}
-
-/** The `doGet` method of `HttpServlet`. */
-class DoGetServletMethod extends Method {
-  DoGetServletMethod() { isGetServletMethod(this) }
-}
-
 /** Holds if `ma` is (perhaps indirectly) called from the `doGet` method of `HttpServlet`. */
 predicate isReachableFromServletDoGet(MethodAccess ma) {
   ma.getEnclosingCallable() instanceof DoGetServletMethod
diff --git a/java/ql/src/semmle/code/java/frameworks/Servlets.qll b/java/ql/src/semmle/code/java/frameworks/Servlets.qll
index 5cccf62122f..7ac452affa9 100644
--- a/java/ql/src/semmle/code/java/frameworks/Servlets.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Servlets.qll
@@ -354,9 +354,20 @@ class FilterChain extends Interface {
 
 /** Holds if `m` is a filter handler method (for example `doFilter`). */
 predicate isDoFilterMethod(Method m) {
+  m.getName().matches("doFilter") and
   m.getDeclaringType() instanceof FilterClass and
   m.getNumberOfParameters() = 3 and
   m.getParameter(0).getType() instanceof ServletRequest and
   m.getParameter(1).getType() instanceof ServletResponse and
   m.getParameter(2).getType() instanceof FilterChain
 }
+
+/** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
+predicate isGetServletMethod(Method m) {
+  isServletRequestMethod(m) and m.getName() = "doGet"
+}
+
+/** The `doGet` method of `HttpServlet`. */
+class DoGetServletMethod extends Method {
+  DoGetServletMethod() { isGetServletMethod(this) }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.qlref
deleted file mode 100644
index 6ad4b8acda7..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE/CWE-352/JsonpInjection.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpController.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpController.java
similarity index 54%
rename from java/ql/test/experimental/query-tests/security/CWE-352/JsonpController.java
rename to java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpController.java
index cf860c75640..e5b5e70a38d 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpController.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpController.java
@@ -1,16 +1,24 @@
 import com.alibaba.fastjson.JSONObject;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.gson.Gson;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
 import java.io.PrintWriter;
 import java.util.HashMap;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.multipart.MultipartFile;
 
 @Controller
 public class JsonpController {
+
     private static HashMap hashMap = new HashMap();
 
     static {
@@ -18,13 +26,14 @@ public class JsonpController {
         hashMap.put("password","123456");
     }
 
+    private String name = null;
 
-    @GetMapping(value = "jsonp1", produces="text/javascript")
+
+    @GetMapping(value = "jsonp1")
     @ResponseBody
     public String bad1(HttpServletRequest request) {
         String resultStr = null;
         String jsonpCallback = request.getParameter("jsonpCallback");
-
         Gson gson = new Gson();
         String result = gson.toJson(hashMap);
         resultStr = jsonpCallback + "(" + result + ")";
@@ -36,9 +45,7 @@ public class JsonpController {
     public String bad2(HttpServletRequest request) {
         String resultStr = null;
         String jsonpCallback = request.getParameter("jsonpCallback");
-
         resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")";
-
         return resultStr;
     }
 
@@ -91,23 +98,98 @@ public class JsonpController {
         pw.println(resultStr);
     }
 
-    @GetMapping(value = "jsonp7")
+    @RequestMapping(value = "jsonp7", method = RequestMethod.GET)
+    @ResponseBody
+    public String bad7(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+        resultStr = jsonpCallback + "(" + result + ")";
+        return resultStr;
+    }
+
+
+    @GetMapping(value = "jsonp8")
     @ResponseBody
     public String good1(HttpServletRequest request) {
         String resultStr = null;
-
         String token = request.getParameter("token");
-
         if (verifToken(token)){
             String jsonpCallback = request.getParameter("jsonpCallback");
             String jsonStr = getJsonStr(hashMap);
             resultStr = jsonpCallback + "(" + jsonStr + ")";
             return resultStr;
         }
-
         return "error";
     }
 
+
+    @GetMapping(value = "jsonp9")
+    @ResponseBody
+    public String good2(HttpServletRequest request) {
+        String resultStr = null;
+        String token = request.getParameter("token");
+        boolean result = verifToken(token);
+        if (result){
+            return "";
+        }
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+    @RequestMapping(value = "jsonp10")
+    @ResponseBody
+    public String good3(HttpServletRequest request) {
+        JSONObject parameterObj = readToJSONObect(request);
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    @RequestMapping(value = "jsonp11")
+    @ResponseBody
+    public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
+        if(null == file){
+            return "upload file error";
+        }
+        String fileName = file.getOriginalFilename();
+        System.out.println("file operations");
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    public static JSONObject readToJSONObect(HttpServletRequest request){
+        String jsonText = readPostContent(request);
+        JSONObject jsonObj = JSONObject.parseObject(jsonText, JSONObject.class);
+        return jsonObj;
+    }
+
+    public static String readPostContent(HttpServletRequest request){
+        BufferedReader in= null;
+        String content = null;
+        String line = null;
+        try {
+            in = new BufferedReader(new InputStreamReader(request.getInputStream(),"UTF-8"));
+            StringBuilder buf = new StringBuilder();
+            while ((line = in.readLine()) != null) {
+                buf.append(line);
+            }
+            content = buf.toString();
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+        String uri = request.getRequestURI();
+        return content;
+    }
+
     public static String getJsonStr(Object result) {
         return JSONObject.toJSONString(result);
     }
@@ -118,11 +200,4 @@ public class JsonpController {
         }
         return true;
     }
-
-    public static boolean verifReferer(String referer){
-        if (!referer.startsWith("http://test.com/")){
-            return false;
-        }
-        return true;
-    }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.expected
new file mode 100644
index 00000000000..501565f2b4e
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.expected
@@ -0,0 +1,87 @@
+edges
+| JsonpController.java:36:32:36:68 | getParameter(...) : String | JsonpController.java:40:16:40:24 | resultStr |
+| JsonpController.java:39:21:39:54 | ... + ... : String | JsonpController.java:40:16:40:24 | resultStr |
+| JsonpController.java:47:32:47:68 | getParameter(...) : String | JsonpController.java:49:16:49:24 | resultStr |
+| JsonpController.java:48:21:48:80 | ... + ... : String | JsonpController.java:49:16:49:24 | resultStr |
+| JsonpController.java:56:32:56:68 | getParameter(...) : String | JsonpController.java:59:16:59:24 | resultStr |
+| JsonpController.java:58:21:58:55 | ... + ... : String | JsonpController.java:59:16:59:24 | resultStr |
+| JsonpController.java:66:32:66:68 | getParameter(...) : String | JsonpController.java:69:16:69:24 | resultStr |
+| JsonpController.java:68:21:68:54 | ... + ... : String | JsonpController.java:69:16:69:24 | resultStr |
+| JsonpController.java:76:32:76:68 | getParameter(...) : String | JsonpController.java:84:20:84:28 | resultStr |
+| JsonpController.java:83:21:83:54 | ... + ... : String | JsonpController.java:84:20:84:28 | resultStr |
+| JsonpController.java:91:32:91:68 | getParameter(...) : String | JsonpController.java:98:20:98:28 | resultStr |
+| JsonpController.java:97:21:97:54 | ... + ... : String | JsonpController.java:98:20:98:28 | resultStr |
+| JsonpController.java:105:32:105:68 | getParameter(...) : String | JsonpController.java:109:16:109:24 | resultStr |
+| JsonpController.java:108:21:108:54 | ... + ... : String | JsonpController.java:109:16:109:24 | resultStr |
+| JsonpController.java:117:24:117:52 | getParameter(...) : String | JsonpController.java:118:24:118:28 | token |
+| JsonpController.java:119:36:119:72 | getParameter(...) : String | JsonpController.java:122:20:122:28 | resultStr |
+| JsonpController.java:121:25:121:59 | ... + ... : String | JsonpController.java:122:20:122:28 | resultStr |
+| JsonpController.java:132:24:132:52 | getParameter(...) : String | JsonpController.java:133:37:133:41 | token |
+| JsonpController.java:137:32:137:68 | getParameter(...) : String | JsonpController.java:140:16:140:24 | resultStr |
+| JsonpController.java:139:21:139:55 | ... + ... : String | JsonpController.java:140:16:140:24 | resultStr |
+| JsonpController.java:150:21:150:54 | ... + ... : String | JsonpController.java:151:16:151:24 | resultStr |
+| JsonpController.java:165:21:165:54 | ... + ... : String | JsonpController.java:166:16:166:24 | resultStr |
+| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
+| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | JsonpInjectionServlet1.java:38:39:38:45 | referer |
+| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
+| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
+| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
+| RefererFilter.java:22:26:22:53 | getHeader(...) : String | RefererFilter.java:23:39:23:45 | refefer |
+nodes
+| JsonpController.java:36:32:36:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:39:21:39:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:47:32:47:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:48:21:48:80 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:56:32:56:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:58:21:58:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:66:32:66:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:68:21:68:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:76:32:76:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:83:21:83:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:91:32:91:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:97:21:97:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:105:32:105:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:108:21:108:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:117:24:117:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:118:24:118:28 | token | semmle.label | token |
+| JsonpController.java:119:36:119:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:121:25:121:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:132:24:132:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:133:37:133:41 | token | semmle.label | token |
+| JsonpController.java:137:32:137:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:139:21:139:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:150:21:150:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:151:16:151:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:165:21:165:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:166:16:166:24 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| JsonpInjectionServlet1.java:38:39:38:45 | referer | semmle.label | referer |
+| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
+| RefererFilter.java:22:26:22:53 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| RefererFilter.java:23:39:23:45 | refefer | semmle.label | refefer |
+#select
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.qlref
new file mode 100644
index 00000000000..3f5fc450669
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-352/JsonpInjection.ql
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionServlet1.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet1.java
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionServlet1.java
rename to java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet1.java
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionServlet2.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet2.java
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionServlet2.java
rename to java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet2.java
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/RefererFilter.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/RefererFilter.java
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-352/RefererFilter.java
rename to java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/RefererFilter.java
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/options b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/options
new file mode 100644
index 00000000000..c53e31e467f
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../../stubs/gson-2.8.6/:${testdir}/../../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../../stubs/spring-context-5.3.2/:${testdir}/../../../../../stubs/spring-web-5.3.2/:${testdir}/../../../../../stubs/spring-core-5.3.2/:${testdir}/../../../../../stubs/tomcat-embed-core-9.0.41/
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpController.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpController.java
similarity index 54%
rename from java/ql/src/experimental/Security/CWE/CWE-352/JsonpController.java
rename to java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpController.java
index 84a172a7aeb..e5b5e70a38d 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpController.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpController.java
@@ -1,16 +1,24 @@
 import com.alibaba.fastjson.JSONObject;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.gson.Gson;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
 import java.io.PrintWriter;
 import java.util.HashMap;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.multipart.MultipartFile;
 
 @Controller
 public class JsonpController {
+
     private static HashMap hashMap = new HashMap();
 
     static {
@@ -18,13 +26,14 @@ public class JsonpController {
         hashMap.put("password","123456");
     }
 
+    private String name = null;
 
-    @GetMapping(value = "jsonp1", produces="text/javascript")
+
+    @GetMapping(value = "jsonp1")
     @ResponseBody
     public String bad1(HttpServletRequest request) {
         String resultStr = null;
         String jsonpCallback = request.getParameter("jsonpCallback");
-
         Gson gson = new Gson();
         String result = gson.toJson(hashMap);
         resultStr = jsonpCallback + "(" + result + ")";
@@ -36,9 +45,7 @@ public class JsonpController {
     public String bad2(HttpServletRequest request) {
         String resultStr = null;
         String jsonpCallback = request.getParameter("jsonpCallback");
-
         resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")";
-
         return resultStr;
     }
 
@@ -91,23 +98,98 @@ public class JsonpController {
         pw.println(resultStr);
     }
 
-    @GetMapping(value = "jsonp7")
+    @RequestMapping(value = "jsonp7", method = RequestMethod.GET)
+    @ResponseBody
+    public String bad7(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+        resultStr = jsonpCallback + "(" + result + ")";
+        return resultStr;
+    }
+
+
+    @GetMapping(value = "jsonp8")
     @ResponseBody
     public String good1(HttpServletRequest request) {
         String resultStr = null;
-
         String token = request.getParameter("token");
-
         if (verifToken(token)){
             String jsonpCallback = request.getParameter("jsonpCallback");
             String jsonStr = getJsonStr(hashMap);
             resultStr = jsonpCallback + "(" + jsonStr + ")";
             return resultStr;
         }
-
         return "error";
     }
 
+
+    @GetMapping(value = "jsonp9")
+    @ResponseBody
+    public String good2(HttpServletRequest request) {
+        String resultStr = null;
+        String token = request.getParameter("token");
+        boolean result = verifToken(token);
+        if (result){
+            return "";
+        }
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+    @RequestMapping(value = "jsonp10")
+    @ResponseBody
+    public String good3(HttpServletRequest request) {
+        JSONObject parameterObj = readToJSONObect(request);
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    @RequestMapping(value = "jsonp11")
+    @ResponseBody
+    public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
+        if(null == file){
+            return "upload file error";
+        }
+        String fileName = file.getOriginalFilename();
+        System.out.println("file operations");
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    public static JSONObject readToJSONObect(HttpServletRequest request){
+        String jsonText = readPostContent(request);
+        JSONObject jsonObj = JSONObject.parseObject(jsonText, JSONObject.class);
+        return jsonObj;
+    }
+
+    public static String readPostContent(HttpServletRequest request){
+        BufferedReader in= null;
+        String content = null;
+        String line = null;
+        try {
+            in = new BufferedReader(new InputStreamReader(request.getInputStream(),"UTF-8"));
+            StringBuilder buf = new StringBuilder();
+            while ((line = in.readLine()) != null) {
+                buf.append(line);
+            }
+            content = buf.toString();
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+        String uri = request.getRequestURI();
+        return content;
+    }
+
     public static String getJsonStr(Object result) {
         return JSONObject.toJSONString(result);
     }
@@ -118,11 +200,4 @@ public class JsonpController {
         }
         return true;
     }
-
-    public static boolean verifReferer(String referer){
-        if (!referer.startsWith("http://test.com/")){
-            return false;
-        }
-        return true;
-    }
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected
new file mode 100644
index 00000000000..91d23cebbda
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected
@@ -0,0 +1,76 @@
+edges
+| JsonpController.java:36:32:36:68 | getParameter(...) : String | JsonpController.java:40:16:40:24 | resultStr |
+| JsonpController.java:39:21:39:54 | ... + ... : String | JsonpController.java:40:16:40:24 | resultStr |
+| JsonpController.java:47:32:47:68 | getParameter(...) : String | JsonpController.java:49:16:49:24 | resultStr |
+| JsonpController.java:48:21:48:80 | ... + ... : String | JsonpController.java:49:16:49:24 | resultStr |
+| JsonpController.java:56:32:56:68 | getParameter(...) : String | JsonpController.java:59:16:59:24 | resultStr |
+| JsonpController.java:58:21:58:55 | ... + ... : String | JsonpController.java:59:16:59:24 | resultStr |
+| JsonpController.java:66:32:66:68 | getParameter(...) : String | JsonpController.java:69:16:69:24 | resultStr |
+| JsonpController.java:68:21:68:54 | ... + ... : String | JsonpController.java:69:16:69:24 | resultStr |
+| JsonpController.java:76:32:76:68 | getParameter(...) : String | JsonpController.java:84:20:84:28 | resultStr |
+| JsonpController.java:83:21:83:54 | ... + ... : String | JsonpController.java:84:20:84:28 | resultStr |
+| JsonpController.java:91:32:91:68 | getParameter(...) : String | JsonpController.java:98:20:98:28 | resultStr |
+| JsonpController.java:97:21:97:54 | ... + ... : String | JsonpController.java:98:20:98:28 | resultStr |
+| JsonpController.java:105:32:105:68 | getParameter(...) : String | JsonpController.java:109:16:109:24 | resultStr |
+| JsonpController.java:108:21:108:54 | ... + ... : String | JsonpController.java:109:16:109:24 | resultStr |
+| JsonpController.java:117:24:117:52 | getParameter(...) : String | JsonpController.java:118:24:118:28 | token |
+| JsonpController.java:119:36:119:72 | getParameter(...) : String | JsonpController.java:122:20:122:28 | resultStr |
+| JsonpController.java:121:25:121:59 | ... + ... : String | JsonpController.java:122:20:122:28 | resultStr |
+| JsonpController.java:132:24:132:52 | getParameter(...) : String | JsonpController.java:133:37:133:41 | token |
+| JsonpController.java:137:32:137:68 | getParameter(...) : String | JsonpController.java:140:16:140:24 | resultStr |
+| JsonpController.java:139:21:139:55 | ... + ... : String | JsonpController.java:140:16:140:24 | resultStr |
+| JsonpController.java:150:21:150:54 | ... + ... : String | JsonpController.java:151:16:151:24 | resultStr |
+| JsonpController.java:165:21:165:54 | ... + ... : String | JsonpController.java:166:16:166:24 | resultStr |
+nodes
+| JsonpController.java:36:32:36:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:39:21:39:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:47:32:47:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:48:21:48:80 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:56:32:56:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:58:21:58:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:66:32:66:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:68:21:68:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:76:32:76:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:83:21:83:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:91:32:91:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:97:21:97:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:105:32:105:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:108:21:108:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:117:24:117:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:118:24:118:28 | token | semmle.label | token |
+| JsonpController.java:119:36:119:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:121:25:121:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:132:24:132:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:133:37:133:41 | token | semmle.label | token |
+| JsonpController.java:137:32:137:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:139:21:139:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:150:21:150:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:151:16:151:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:165:21:165:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:166:16:166:24 | resultStr | semmle.label | resultStr |
+#select
+| JsonpController.java:40:16:40:24 | resultStr | JsonpController.java:36:32:36:68 | getParameter(...) : String | JsonpController.java:40:16:40:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:36:32:36:68 | getParameter(...) | this user input |
+| JsonpController.java:49:16:49:24 | resultStr | JsonpController.java:47:32:47:68 | getParameter(...) : String | JsonpController.java:49:16:49:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:47:32:47:68 | getParameter(...) | this user input |
+| JsonpController.java:59:16:59:24 | resultStr | JsonpController.java:56:32:56:68 | getParameter(...) : String | JsonpController.java:59:16:59:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:56:32:56:68 | getParameter(...) | this user input |
+| JsonpController.java:69:16:69:24 | resultStr | JsonpController.java:66:32:66:68 | getParameter(...) : String | JsonpController.java:69:16:69:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:66:32:66:68 | getParameter(...) | this user input |
+| JsonpController.java:84:20:84:28 | resultStr | JsonpController.java:76:32:76:68 | getParameter(...) : String | JsonpController.java:84:20:84:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:76:32:76:68 | getParameter(...) | this user input |
+| JsonpController.java:98:20:98:28 | resultStr | JsonpController.java:91:32:91:68 | getParameter(...) : String | JsonpController.java:98:20:98:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:91:32:91:68 | getParameter(...) | this user input |
+| JsonpController.java:109:16:109:24 | resultStr | JsonpController.java:105:32:105:68 | getParameter(...) : String | JsonpController.java:109:16:109:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:105:32:105:68 | getParameter(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.qlref
new file mode 100644
index 00000000000..3f5fc450669
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-352/JsonpInjection.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/options b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/options
new file mode 100644
index 00000000000..c53e31e467f
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../../stubs/gson-2.8.6/:${testdir}/../../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../../stubs/spring-context-5.3.2/:${testdir}/../../../../../stubs/spring-web-5.3.2/:${testdir}/../../../../../stubs/spring-core-5.3.2/:${testdir}/../../../../../stubs/tomcat-embed-core-9.0.41/
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpController.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpController.java
new file mode 100644
index 00000000000..e5b5e70a38d
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpController.java
@@ -0,0 +1,203 @@
+import com.alibaba.fastjson.JSONObject;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.gson.Gson;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.PrintWriter;
+import java.util.HashMap;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.multipart.MultipartFile;
+
+@Controller
+public class JsonpController {
+
+    private static HashMap hashMap = new HashMap();
+
+    static {
+        hashMap.put("username","admin");
+        hashMap.put("password","123456");
+    }
+
+    private String name = null;
+
+
+    @GetMapping(value = "jsonp1")
+    @ResponseBody
+    public String bad1(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+        resultStr = jsonpCallback + "(" + result + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp2")
+    @ResponseBody
+    public String bad2(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp3")
+    @ResponseBody
+    public String bad3(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp4")
+    @ResponseBody
+    public String bad4(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp5")
+    @ResponseBody
+    public void bad5(HttpServletRequest request,
+            HttpServletResponse response) throws Exception {
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+
+        String resultStr = null;
+        pw = response.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+    }
+
+    @GetMapping(value = "jsonp6")
+    @ResponseBody
+    public void bad6(HttpServletRequest request,
+            HttpServletResponse response) throws Exception {
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        ObjectMapper mapper = new ObjectMapper();
+        String result = mapper.writeValueAsString(hashMap);
+        String resultStr = null;
+        pw = response.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+    }
+
+    @RequestMapping(value = "jsonp7", method = RequestMethod.GET)
+    @ResponseBody
+    public String bad7(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+        resultStr = jsonpCallback + "(" + result + ")";
+        return resultStr;
+    }
+
+
+    @GetMapping(value = "jsonp8")
+    @ResponseBody
+    public String good1(HttpServletRequest request) {
+        String resultStr = null;
+        String token = request.getParameter("token");
+        if (verifToken(token)){
+            String jsonpCallback = request.getParameter("jsonpCallback");
+            String jsonStr = getJsonStr(hashMap);
+            resultStr = jsonpCallback + "(" + jsonStr + ")";
+            return resultStr;
+        }
+        return "error";
+    }
+
+
+    @GetMapping(value = "jsonp9")
+    @ResponseBody
+    public String good2(HttpServletRequest request) {
+        String resultStr = null;
+        String token = request.getParameter("token");
+        boolean result = verifToken(token);
+        if (result){
+            return "";
+        }
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+    @RequestMapping(value = "jsonp10")
+    @ResponseBody
+    public String good3(HttpServletRequest request) {
+        JSONObject parameterObj = readToJSONObect(request);
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    @RequestMapping(value = "jsonp11")
+    @ResponseBody
+    public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
+        if(null == file){
+            return "upload file error";
+        }
+        String fileName = file.getOriginalFilename();
+        System.out.println("file operations");
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    public static JSONObject readToJSONObect(HttpServletRequest request){
+        String jsonText = readPostContent(request);
+        JSONObject jsonObj = JSONObject.parseObject(jsonText, JSONObject.class);
+        return jsonObj;
+    }
+
+    public static String readPostContent(HttpServletRequest request){
+        BufferedReader in= null;
+        String content = null;
+        String line = null;
+        try {
+            in = new BufferedReader(new InputStreamReader(request.getInputStream(),"UTF-8"));
+            StringBuilder buf = new StringBuilder();
+            while ((line = in.readLine()) != null) {
+                buf.append(line);
+            }
+            content = buf.toString();
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+        String uri = request.getRequestURI();
+        return content;
+    }
+
+    public static String getJsonStr(Object result) {
+        return JSONObject.toJSONString(result);
+    }
+
+    public static boolean verifToken(String token){
+        if (token != "xxxx"){
+            return false;
+        }
+        return true;
+    }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected
new file mode 100644
index 00000000000..c2bcab77d4d
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected
@@ -0,0 +1,92 @@
+edges
+| JsonpController.java:36:32:36:68 | getParameter(...) : String | JsonpController.java:40:16:40:24 | resultStr |
+| JsonpController.java:39:21:39:54 | ... + ... : String | JsonpController.java:40:16:40:24 | resultStr |
+| JsonpController.java:47:32:47:68 | getParameter(...) : String | JsonpController.java:49:16:49:24 | resultStr |
+| JsonpController.java:48:21:48:80 | ... + ... : String | JsonpController.java:49:16:49:24 | resultStr |
+| JsonpController.java:56:32:56:68 | getParameter(...) : String | JsonpController.java:59:16:59:24 | resultStr |
+| JsonpController.java:58:21:58:55 | ... + ... : String | JsonpController.java:59:16:59:24 | resultStr |
+| JsonpController.java:66:32:66:68 | getParameter(...) : String | JsonpController.java:69:16:69:24 | resultStr |
+| JsonpController.java:68:21:68:54 | ... + ... : String | JsonpController.java:69:16:69:24 | resultStr |
+| JsonpController.java:76:32:76:68 | getParameter(...) : String | JsonpController.java:84:20:84:28 | resultStr |
+| JsonpController.java:83:21:83:54 | ... + ... : String | JsonpController.java:84:20:84:28 | resultStr |
+| JsonpController.java:91:32:91:68 | getParameter(...) : String | JsonpController.java:98:20:98:28 | resultStr |
+| JsonpController.java:97:21:97:54 | ... + ... : String | JsonpController.java:98:20:98:28 | resultStr |
+| JsonpController.java:105:32:105:68 | getParameter(...) : String | JsonpController.java:109:16:109:24 | resultStr |
+| JsonpController.java:108:21:108:54 | ... + ... : String | JsonpController.java:109:16:109:24 | resultStr |
+| JsonpController.java:117:24:117:52 | getParameter(...) : String | JsonpController.java:118:24:118:28 | token |
+| JsonpController.java:119:36:119:72 | getParameter(...) : String | JsonpController.java:122:20:122:28 | resultStr |
+| JsonpController.java:121:25:121:59 | ... + ... : String | JsonpController.java:122:20:122:28 | resultStr |
+| JsonpController.java:132:24:132:52 | getParameter(...) : String | JsonpController.java:133:37:133:41 | token |
+| JsonpController.java:137:32:137:68 | getParameter(...) : String | JsonpController.java:140:16:140:24 | resultStr |
+| JsonpController.java:139:21:139:55 | ... + ... : String | JsonpController.java:140:16:140:24 | resultStr |
+| JsonpController.java:150:21:150:54 | ... + ... : String | JsonpController.java:151:16:151:24 | resultStr |
+| JsonpController.java:165:21:165:54 | ... + ... : String | JsonpController.java:166:16:166:24 | resultStr |
+| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
+| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | JsonpInjectionServlet1.java:38:39:38:45 | referer |
+| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
+| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
+| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
+nodes
+| JsonpController.java:36:32:36:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:39:21:39:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:47:32:47:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:48:21:48:80 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:56:32:56:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:58:21:58:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:66:32:66:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:68:21:68:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:76:32:76:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:83:21:83:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:91:32:91:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:97:21:97:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:105:32:105:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:108:21:108:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:117:24:117:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:118:24:118:28 | token | semmle.label | token |
+| JsonpController.java:119:36:119:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:121:25:121:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:132:24:132:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:133:37:133:41 | token | semmle.label | token |
+| JsonpController.java:137:32:137:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:139:21:139:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:150:21:150:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:151:16:151:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:165:21:165:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:166:16:166:24 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| JsonpInjectionServlet1.java:38:39:38:45 | referer | semmle.label | referer |
+| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
+| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
+#select
+| JsonpController.java:40:16:40:24 | resultStr | JsonpController.java:36:32:36:68 | getParameter(...) : String | JsonpController.java:40:16:40:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:36:32:36:68 | getParameter(...) | this user input |
+| JsonpController.java:49:16:49:24 | resultStr | JsonpController.java:47:32:47:68 | getParameter(...) : String | JsonpController.java:49:16:49:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:47:32:47:68 | getParameter(...) | this user input |
+| JsonpController.java:59:16:59:24 | resultStr | JsonpController.java:56:32:56:68 | getParameter(...) : String | JsonpController.java:59:16:59:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:56:32:56:68 | getParameter(...) | this user input |
+| JsonpController.java:69:16:69:24 | resultStr | JsonpController.java:66:32:66:68 | getParameter(...) : String | JsonpController.java:69:16:69:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:66:32:66:68 | getParameter(...) | this user input |
+| JsonpController.java:84:20:84:28 | resultStr | JsonpController.java:76:32:76:68 | getParameter(...) : String | JsonpController.java:84:20:84:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:76:32:76:68 | getParameter(...) | this user input |
+| JsonpController.java:98:20:98:28 | resultStr | JsonpController.java:91:32:91:68 | getParameter(...) : String | JsonpController.java:98:20:98:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:91:32:91:68 | getParameter(...) | this user input |
+| JsonpController.java:109:16:109:24 | resultStr | JsonpController.java:105:32:105:68 | getParameter(...) : String | JsonpController.java:109:16:109:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:105:32:105:68 | getParameter(...) | this user input |
+| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr | Jsonp response might include code from $@. | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.qlref
new file mode 100644
index 00000000000..3f5fc450669
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-352/JsonpInjection.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionServlet1.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjectionServlet1.java
similarity index 100%
rename from java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionServlet1.java
rename to java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjectionServlet1.java
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionServlet2.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjectionServlet2.java
similarity index 100%
rename from java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionServlet2.java
rename to java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjectionServlet2.java
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/options b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/options
new file mode 100644
index 00000000000..c53e31e467f
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../../stubs/gson-2.8.6/:${testdir}/../../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../../stubs/spring-context-5.3.2/:${testdir}/../../../../../stubs/spring-web-5.3.2/:${testdir}/../../../../../stubs/spring-core-5.3.2/:${testdir}/../../../../../stubs/tomcat-embed-core-9.0.41/
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_1.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_1.expected
deleted file mode 100644
index a89d03b67a7..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_1.expected
+++ /dev/null
@@ -1,60 +0,0 @@
-edges
-| JsonpController.java:26:32:26:68 | getParameter(...) : String | JsonpController.java:31:16:31:24 | resultStr |
-| JsonpController.java:30:21:30:54 | ... + ... : String | JsonpController.java:31:16:31:24 | resultStr |
-| JsonpController.java:38:32:38:68 | getParameter(...) : String | JsonpController.java:42:16:42:24 | resultStr |
-| JsonpController.java:40:21:40:80 | ... + ... : String | JsonpController.java:42:16:42:24 | resultStr |
-| JsonpController.java:49:32:49:68 | getParameter(...) : String | JsonpController.java:52:16:52:24 | resultStr |
-| JsonpController.java:51:21:51:55 | ... + ... : String | JsonpController.java:52:16:52:24 | resultStr |
-| JsonpController.java:59:32:59:68 | getParameter(...) : String | JsonpController.java:62:16:62:24 | resultStr |
-| JsonpController.java:61:21:61:54 | ... + ... : String | JsonpController.java:62:16:62:24 | resultStr |
-| JsonpController.java:69:32:69:68 | getParameter(...) : String | JsonpController.java:77:20:77:28 | resultStr |
-| JsonpController.java:76:21:76:54 | ... + ... : String | JsonpController.java:77:20:77:28 | resultStr |
-| JsonpController.java:84:32:84:68 | getParameter(...) : String | JsonpController.java:91:20:91:28 | resultStr |
-| JsonpController.java:90:21:90:54 | ... + ... : String | JsonpController.java:91:20:91:28 | resultStr |
-| JsonpController.java:99:24:99:52 | getParameter(...) : String | JsonpController.java:101:24:101:28 | token |
-| JsonpController.java:102:36:102:72 | getParameter(...) : String | JsonpController.java:105:20:105:28 | resultStr |
-| JsonpController.java:104:25:104:59 | ... + ... : String | JsonpController.java:105:20:105:28 | resultStr |
-nodes
-| JsonpController.java:26:32:26:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:30:21:30:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:38:32:38:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:40:21:40:80 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:49:32:49:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:51:21:51:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:59:32:59:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:61:21:61:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:69:32:69:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:76:21:76:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:84:32:84:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:90:21:90:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:99:24:99:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:101:24:101:28 | token | semmle.label | token |
-| JsonpController.java:102:36:102:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:104:25:104:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
-#select
-| JsonpController.java:31:16:31:24 | resultStr | JsonpController.java:26:32:26:68 | getParameter(...) : String | JsonpController.java:31:16:31:24 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:26:32:26:68 | getParameter(...) | this user input |
-| JsonpController.java:42:16:42:24 | resultStr | JsonpController.java:38:32:38:68 | getParameter(...) : String | JsonpController.java:42:16:42:24 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:38:32:38:68 | getParameter(...) | this user input |
-| JsonpController.java:52:16:52:24 | resultStr | JsonpController.java:49:32:49:68 | getParameter(...) : String | JsonpController.java:52:16:52:24 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:49:32:49:68 | getParameter(...) | this user input |
-| JsonpController.java:62:16:62:24 | resultStr | JsonpController.java:59:32:59:68 | getParameter(...) : String | JsonpController.java:62:16:62:24 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:59:32:59:68 | getParameter(...) | this user input |
-| JsonpController.java:77:20:77:28 | resultStr | JsonpController.java:69:32:69:68 | getParameter(...) : String | JsonpController.java:77:20:77:28 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:69:32:69:68 | getParameter(...) | this user input |
-| JsonpController.java:91:20:91:28 | resultStr | JsonpController.java:84:32:84:68 | getParameter(...) : String | JsonpController.java:91:20:91:28 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:84:32:84:68 | getParameter(...) | this user input |
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_2.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_2.expected
deleted file mode 100644
index 4b12308a212..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_2.expected
+++ /dev/null
@@ -1,78 +0,0 @@
-edges
-| JsonpController.java:26:32:26:68 | getParameter(...) : String | JsonpController.java:31:16:31:24 | resultStr |
-| JsonpController.java:30:21:30:54 | ... + ... : String | JsonpController.java:31:16:31:24 | resultStr |
-| JsonpController.java:38:32:38:68 | getParameter(...) : String | JsonpController.java:42:16:42:24 | resultStr |
-| JsonpController.java:40:21:40:80 | ... + ... : String | JsonpController.java:42:16:42:24 | resultStr |
-| JsonpController.java:49:32:49:68 | getParameter(...) : String | JsonpController.java:52:16:52:24 | resultStr |
-| JsonpController.java:51:21:51:55 | ... + ... : String | JsonpController.java:52:16:52:24 | resultStr |
-| JsonpController.java:59:32:59:68 | getParameter(...) : String | JsonpController.java:62:16:62:24 | resultStr |
-| JsonpController.java:61:21:61:54 | ... + ... : String | JsonpController.java:62:16:62:24 | resultStr |
-| JsonpController.java:69:32:69:68 | getParameter(...) : String | JsonpController.java:77:20:77:28 | resultStr |
-| JsonpController.java:76:21:76:54 | ... + ... : String | JsonpController.java:77:20:77:28 | resultStr |
-| JsonpController.java:84:32:84:68 | getParameter(...) : String | JsonpController.java:91:20:91:28 | resultStr |
-| JsonpController.java:90:21:90:54 | ... + ... : String | JsonpController.java:91:20:91:28 | resultStr |
-| JsonpController.java:99:24:99:52 | getParameter(...) : String | JsonpController.java:101:24:101:28 | token |
-| JsonpController.java:102:36:102:72 | getParameter(...) : String | JsonpController.java:105:20:105:28 | resultStr |
-| JsonpController.java:104:25:104:59 | ... + ... : String | JsonpController.java:105:20:105:28 | resultStr |
-| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
-| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | JsonpInjectionServlet1.java:38:39:38:45 | referer |
-| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
-| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
-| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
-nodes
-| JsonpController.java:26:32:26:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:30:21:30:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:38:32:38:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:40:21:40:80 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:49:32:49:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:51:21:51:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:59:32:59:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:61:21:61:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:69:32:69:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:76:21:76:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:84:32:84:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:90:21:90:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:99:24:99:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:101:24:101:28 | token | semmle.label | token |
-| JsonpController.java:102:36:102:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:104:25:104:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| JsonpInjectionServlet1.java:38:39:38:45 | referer | semmle.label | referer |
-| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
-#select
-| JsonpController.java:31:16:31:24 | resultStr | JsonpController.java:26:32:26:68 | getParameter(...) : String | JsonpController.java:31:16:31:24 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:26:32:26:68 | getParameter(...) | this user input |
-| JsonpController.java:42:16:42:24 | resultStr | JsonpController.java:38:32:38:68 | getParameter(...) : String | JsonpController.java:42:16:42:24 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:38:32:38:68 | getParameter(...) | this user input |
-| JsonpController.java:52:16:52:24 | resultStr | JsonpController.java:49:32:49:68 | getParameter(...) : String | JsonpController.java:52:16:52:24 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:49:32:49:68 | getParameter(...) | this user input |
-| JsonpController.java:62:16:62:24 | resultStr | JsonpController.java:59:32:59:68 | getParameter(...) : String | JsonpController.java:62:16:62:24 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:59:32:59:68 | getParameter(...) | this user input |
-| JsonpController.java:77:20:77:28 | resultStr | JsonpController.java:69:32:69:68 | getParameter(...) : String | JsonpController.java:77:20:77:28 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:69:32:69:68 | getParameter(...) | this user input |
-| JsonpController.java:91:20:91:28 | resultStr | JsonpController.java:84:32:84:68 | getParameter(...) : String | JsonpController.java:91:20:91:28 |
- resultStr | Jsonp Injection query might include code from $@. | JsonpController.java:84:32:84:68 | getParameter(...) | this user input |
-| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServle
-t2.java:39:20:39:28 | resultStr | Jsonp Injection query might include code from $@. | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) |
- this user input |
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_3.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_3.expected
deleted file mode 100644
index 8e33ca6984c..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection_3.expected
+++ /dev/null
@@ -1,66 +0,0 @@
-edges
-| JsonpController.java:26:32:26:68 | getParameter(...) : String | JsonpController.java:31:16:31:24 | resultStr |
-| JsonpController.java:30:21:30:54 | ... + ... : String | JsonpController.java:31:16:31:24 | resultStr |
-| JsonpController.java:38:32:38:68 | getParameter(...) : String | JsonpController.java:42:16:42:24 | resultStr |
-| JsonpController.java:40:21:40:80 | ... + ... : String | JsonpController.java:42:16:42:24 | resultStr |
-| JsonpController.java:49:32:49:68 | getParameter(...) : String | JsonpController.java:52:16:52:24 | resultStr |
-| JsonpController.java:51:21:51:55 | ... + ... : String | JsonpController.java:52:16:52:24 | resultStr |
-| JsonpController.java:59:32:59:68 | getParameter(...) : String | JsonpController.java:62:16:62:24 | resultStr |
-| JsonpController.java:61:21:61:54 | ... + ... : String | JsonpController.java:62:16:62:24 | resultStr |
-| JsonpController.java:69:32:69:68 | getParameter(...) : String | JsonpController.java:77:20:77:28 | resultStr |
-| JsonpController.java:76:21:76:54 | ... + ... : String | JsonpController.java:77:20:77:28 | resultStr |
-| JsonpController.java:84:32:84:68 | getParameter(...) : String | JsonpController.java:91:20:91:28 | resultStr |
-| JsonpController.java:90:21:90:54 | ... + ... : String | JsonpController.java:91:20:91:28 | resultStr |
-| JsonpController.java:99:24:99:52 | getParameter(...) : String | JsonpController.java:101:24:101:28 | token |
-| JsonpController.java:102:36:102:72 | getParameter(...) : String | JsonpController.java:105:20:105:28 | resultStr |
-| JsonpController.java:104:25:104:59 | ... + ... : String | JsonpController.java:105:20:105:28 | resultStr |
-| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
-| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | JsonpInjectionServlet1.java:38:39:38:45 | referer |
-| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
-| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
-| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
-| RefererFilter.java:22:26:22:53 | getHeader(...) : String | RefererFilter.java:23:39:23:45 | refefer |
-nodes
-| JsonpController.java:26:32:26:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:30:21:30:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:31:16:31:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:38:32:38:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:40:21:40:80 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:42:16:42:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:49:32:49:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:51:21:51:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:52:16:52:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:59:32:59:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:61:21:61:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:62:16:62:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:69:32:69:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:76:21:76:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:77:20:77:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:84:32:84:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:90:21:90:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:91:20:91:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:99:24:99:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:101:24:101:28 | token | semmle.label | token |
-| JsonpController.java:102:36:102:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:104:25:104:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:105:20:105:28 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| JsonpInjectionServlet1.java:38:39:38:45 | referer | semmle.label | referer |
-| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
-| RefererFilter.java:22:26:22:53 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| RefererFilter.java:23:39:23:45 | refefer | semmle.label | refefer |
-#select
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/Readme b/java/ql/test/experimental/query-tests/security/CWE-352/Readme
deleted file mode 100644
index 15715d6187c..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/Readme
+++ /dev/null
@@ -1,3 +0,0 @@
-1. The JsonpInjection_1.expected result is obtained through the test of `JsonpController.java`.
-2. The JsonpInjection_2.expected result is obtained through the test of `JsonpController.java`, `JsonpInjectionServlet1.java`, `JsonpInjectionServlet2.java`.
-3. The JsonpInjection_3.expected result is obtained through the test of `JsonpController.java`, `JsonpInjectionServlet1.java`, `JsonpInjectionServlet2.java`, `RefererFilter.java`.
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/RefererFilter.java b/java/ql/test/experimental/query-tests/security/CWE-352/RefererFilter.java
deleted file mode 100644
index 97444932ae1..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/RefererFilter.java
+++ /dev/null
@@ -1,43 +0,0 @@
-import java.io.IOException;
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.springframework.util.StringUtils;
-
-public class RefererFilter implements Filter {
-
-    @Override
-    public void init(FilterConfig filterConfig) throws ServletException {
-    }
-
-    @Override
-    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
-        HttpServletRequest request = (HttpServletRequest) servletRequest;
-        HttpServletResponse response = (HttpServletResponse) servletResponse;
-        String refefer = request.getHeader("Referer");
-        boolean result = verifReferer(refefer);
-        if (result){
-            filterChain.doFilter(servletRequest, servletResponse);
-        }
-        response.sendError(444, "Referer xxx.");
-    }
-
-    @Override
-    public void destroy() {
-    }
-
-    public static boolean verifReferer(String referer){
-        if (StringUtils.isEmpty(referer)){
-            return false;
-        }
-        if (referer.startsWith("http://www.baidu.com/")){
-            return true;
-        }
-        return false;
-    }
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/options b/java/ql/test/experimental/query-tests/security/CWE-352/options
deleted file mode 100644
index 3676b8e38b6..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/options
+++ /dev/null
@@ -1 +0,0 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../stubs/gson-2.8.6/:${testdir}/../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../stubs/springframework-5.2.3/:${testdir}/../../../../stubs/spring-context-5.3.2/:${testdir}/../../../../stubs/spring-web-5.3.2/:${testdir}/../../../../stubs/spring-core-5.3.2/
diff --git a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/annotation/AliasFor.java b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/annotation/AliasFor.java
index 3a823fade5b..edfe917400b 100644
--- a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/annotation/AliasFor.java
+++ b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/annotation/AliasFor.java
@@ -1,10 +1,21 @@
 package org.springframework.core.annotation;
 
+import java.lang.annotation.Annotation;
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ElementType.METHOD})
+@Documented
 public @interface AliasFor {
     @AliasFor("attribute")
     String value() default "";
 
     @AliasFor("value")
     String attribute() default "";
-
+ 
+    Class<? extends Annotation> annotation() default Annotation.class;
 }
diff --git a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/io/InputStreamSource.java b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/io/InputStreamSource.java
new file mode 100644
index 00000000000..372d06cc738
--- /dev/null
+++ b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/io/InputStreamSource.java
@@ -0,0 +1,8 @@
+package org.springframework.core.io;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+public interface InputStreamSource {
+    InputStream getInputStream() throws IOException;
+}
diff --git a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/io/Resource.java b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/io/Resource.java
new file mode 100644
index 00000000000..6bd357f2228
--- /dev/null
+++ b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/io/Resource.java
@@ -0,0 +1,46 @@
+package org.springframework.core.io;
+
+import java.io.File;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URL;
+import java.nio.channels.Channels;
+import java.nio.channels.ReadableByteChannel;
+import org.springframework.lang.Nullable;
+
+public interface Resource extends InputStreamSource {
+    boolean exists();
+
+    default boolean isReadable() {
+        return this.exists();
+    }
+
+    default boolean isOpen() {
+        return false;
+    }
+
+    default boolean isFile() {
+        return false;
+    }
+
+    URL getURL() throws IOException;
+
+    URI getURI() throws IOException;
+
+    File getFile() throws IOException;
+
+    default ReadableByteChannel readableChannel() throws IOException {
+        return null;
+    }
+
+    long contentLength() throws IOException;
+
+    long lastModified() throws IOException;
+
+    Resource createRelative(String var1) throws IOException;
+
+    @Nullable
+    String getFilename();
+
+    String getDescription();
+}
diff --git a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/lang/Nullable.java b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/lang/Nullable.java
new file mode 100644
index 00000000000..44bdae10fda
--- /dev/null
+++ b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/lang/Nullable.java
@@ -0,0 +1,13 @@
+package org.springframework.lang;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target({ElementType.METHOD, ElementType.PARAMETER, ElementType.FIELD})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface Nullable {
+}
diff --git a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/FileCopyUtils.java b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/FileCopyUtils.java
new file mode 100644
index 00000000000..78d384d7266
--- /dev/null
+++ b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/FileCopyUtils.java
@@ -0,0 +1,53 @@
+package org.springframework.util;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.Closeable;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.Reader;
+import java.io.StringWriter;
+import java.io.Writer;
+import java.nio.file.Files;
+import org.springframework.lang.Nullable;
+
+public abstract class FileCopyUtils {
+    public static final int BUFFER_SIZE = 4096;
+
+    public FileCopyUtils() {
+    }
+
+    public static int copy(File in, File out) throws IOException {
+        return 1;
+    }
+
+    public static void copy(byte[] in, File out) throws IOException {}
+
+    public static byte[] copyToByteArray(File in) throws IOException {
+        return null;
+    }
+
+    public static int copy(InputStream in, OutputStream out) throws IOException {
+        return 1;
+    }
+
+    public static void copy(byte[] in, OutputStream out) throws IOException {}
+
+    public static byte[] copyToByteArray(@Nullable InputStream in) throws IOException {
+        return null;    
+    }
+
+    public static int copy(Reader in, Writer out) throws IOException {
+        return 1;
+    }
+
+    public static void copy(String in, Writer out) throws IOException {}
+
+    public static String copyToString(@Nullable Reader in) throws IOException {
+        return null;
+    }
+
+    private static void close(Closeable closeable) {}
+}
diff --git a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/StringUtils.java b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/StringUtils.java
index 6ee07f84593..6ea27bbffa2 100644
--- a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/StringUtils.java
+++ b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/StringUtils.java
@@ -5,4 +5,4 @@ public abstract class StringUtils {
     public static boolean isEmpty(Object str) {
         return str == null || "".equals(str);
     }
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/GetMapping.java b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/GetMapping.java
index 1190be7b879..541c7cd4e21 100644
--- a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/GetMapping.java
+++ b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/GetMapping.java
@@ -1,19 +1,51 @@
 package org.springframework.web.bind.annotation;
 
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
 import org.springframework.core.annotation.AliasFor;
 
-@RequestMapping
+@Target({ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+@RequestMapping(
+    method = {RequestMethod.GET}
+)
 public @interface GetMapping {
-   
+    @AliasFor(
+        annotation = RequestMapping.class
+    )
     String name() default "";
 
+    @AliasFor(
+        annotation = RequestMapping.class
+    )
     String[] value() default {};
 
+    @AliasFor(
+        annotation = RequestMapping.class
+    )
     String[] path() default {};
 
+    @AliasFor(
+        annotation = RequestMapping.class
+    )
     String[] params() default {};
 
+    @AliasFor(
+        annotation = RequestMapping.class
+    )
+    String[] headers() default {};
+
+    @AliasFor(
+        annotation = RequestMapping.class
+    )
     String[] consumes() default {};
 
+    @AliasFor(
+        annotation = RequestMapping.class
+    )
     String[] produces() default {};
 }
diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/Mapping.java b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/Mapping.java
new file mode 100644
index 00000000000..5f269bbcbb8
--- /dev/null
+++ b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/Mapping.java
@@ -0,0 +1,4 @@
+package org.springframework.web.bind.annotation;
+
+public @interface Mapping {
+}
diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMapping.java b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMapping.java
index ddb36bce4c0..ed692a03063 100644
--- a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMapping.java
+++ b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMapping.java
@@ -1,15 +1,32 @@
 package org.springframework.web.bind.annotation;
 
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
 import org.springframework.core.annotation.AliasFor;
 
+@Target({ElementType.TYPE, ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+@Mapping
 public @interface RequestMapping {
     String name() default "";
 
     @AliasFor("path")
     String[] value() default {};
-
+    
     @AliasFor("value")
     String[] path() default {};
 
     RequestMethod[] method() default {};
+
+    String[] params() default {};
+
+    String[] headers() default {};
+
+    String[] consumes() default {};
+
+    String[] produces() default {};
 }
diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestParam.java b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestParam.java
new file mode 100644
index 00000000000..56094811c37
--- /dev/null
+++ b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestParam.java
@@ -0,0 +1,23 @@
+package org.springframework.web.bind.annotation;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import org.springframework.core.annotation.AliasFor;
+
+@Target({ElementType.PARAMETER})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface RequestParam {
+    @AliasFor("name")
+    String value() default "";
+
+    @AliasFor("value")
+    String name() default "";
+
+    boolean required() default true;
+
+    String defaultValue() default "\n\t\t\n\t\t\n\ue000\ue001\ue002\n\t\t\t\t\n";
+}
diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/ResponseBody.java b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/ResponseBody.java
index b2134009968..4f21b6daaaf 100644
--- a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/ResponseBody.java
+++ b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/ResponseBody.java
@@ -1,4 +1,13 @@
 package org.springframework.web.bind.annotation;
 
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target({ElementType.TYPE, ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
 public @interface ResponseBody {
 }
diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/multipart/MultipartFile.java b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/multipart/MultipartFile.java
new file mode 100644
index 00000000000..93ea3439fed
--- /dev/null
+++ b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/multipart/MultipartFile.java
@@ -0,0 +1,38 @@
+package org.springframework.web.multipart;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import org.springframework.core.io.InputStreamSource;
+import org.springframework.core.io.Resource;
+import org.springframework.lang.Nullable;
+import org.springframework.util.FileCopyUtils;
+
+public interface MultipartFile extends InputStreamSource {
+    String getName();
+
+    @Nullable
+    String getOriginalFilename();
+
+    @Nullable
+    String getContentType();
+
+    boolean isEmpty();
+
+    long getSize();
+
+    byte[] getBytes() throws IOException;
+
+    InputStream getInputStream() throws IOException;
+
+    default Resource getResource() {
+        return null;
+    }
+
+    void transferTo(File var1) throws IOException, IllegalStateException;
+
+    default void transferTo(Path dest) throws IOException, IllegalStateException {
+    }
+}
diff --git a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/annotation/WebServlet.java b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/annotation/WebServlet.java
new file mode 100644
index 00000000000..cc255efc00f
--- /dev/null
+++ b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/annotation/WebServlet.java
@@ -0,0 +1,30 @@
+package javax.servlet.annotation;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target({ElementType.TYPE})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface WebServlet {
+    String name() default "";
+
+    String[] value() default {};
+
+    String[] urlPatterns() default {};
+
+    int loadOnStartup() default -1;
+
+    boolean asyncSupported() default false;
+
+    String smallIcon() default "";
+
+    String largeIcon() default "";
+
+    String description() default "";
+
+    String displayName() default "";
+}

From 15206fd2ce3d53168caa2d0250c2b9036dccfca9 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Wed, 17 Mar 2021 15:52:05 +0800
Subject: [PATCH 0052/1429] JsonpInjection.ql autoformatted

---
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
index 068469328ea..eb4fe4e5b66 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -46,7 +46,7 @@ class RequestResponseFlowConfig extends TaintTracking::Configuration {
 
   /** Eliminate the method of calling the node is not the get method. */
   override predicate isSanitizer(DataFlow::Node node) {
-    not getACallingCallableOrSelf(node.getEnclosingCallable()) instanceof RequestGetMethod 
+    not getACallingCallableOrSelf(node.getEnclosingCallable()) instanceof RequestGetMethod
   }
 
   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {

From 79d6731ed8e1725c1064214b7a201c4ad0794009 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 19 Mar 2021 11:01:28 +0100
Subject: [PATCH 0053/1429] C#: Adjust make_stubs.py to use codeql instead of
 odasa

---
 csharp/ql/src/Stubs/make_stubs.py | 50 ++++++++++++++-----------------
 1 file changed, 23 insertions(+), 27 deletions(-)

diff --git a/csharp/ql/src/Stubs/make_stubs.py b/csharp/ql/src/Stubs/make_stubs.py
index e94cf0c7261..19a917cd8ab 100644
--- a/csharp/ql/src/Stubs/make_stubs.py
+++ b/csharp/ql/src/Stubs/make_stubs.py
@@ -43,12 +43,6 @@ if not foundCS:
     print("Test directory does not contain .cs files. Please specify a working qltest directory.")
     exit(1)
 
-cmd = ['odasa', 'selfTest']
-print('Running ' + ' '.join(cmd))
-if subprocess.check_call(cmd):
-    print("odasa selfTest failed. Ensure odasa is on your current path.")
-    exit(1)
-
 csharpQueries = os.path.abspath(os.path.dirname(sys.argv[0]))
 outputFile = os.path.join(testDir, 'stubs.cs')
 
@@ -58,35 +52,36 @@ if os.path.isfile(outputFile):
     os.remove(outputFile)  # It would interfere with the test.
     print("Removed previous", outputFile)
 
-cmd = ['odasa', 'qltest', '--optimize', '--leave-temp-files', testDir]
+cmd = ['codeql', 'test', 'run', '--keep-databases', testDir]
 print('Running ' + ' '.join(cmd))
 if subprocess.check_call(cmd):
-    print("qltest failed. Please fix up the test before proceeding.")
+    print("codeql test failed. Please fix up the test before proceeding.")
     exit(1)
 
-dbDir = os.path.join(testDir, os.path.basename(testDir) + ".testproj", "db-csharp")
+dbDir = os.path.join(testDir, os.path.basename(testDir) + ".testproj")
 
 if not os.path.isdir(dbDir):
-    print("Expected database directory " + dbDir + " not found. Please contact Semmle.")
+    print("Expected database directory " + dbDir + " not found.")
     exit(1)
 
-cmd = ['odasa', 'runQuery', '--query', os.path.join(csharpQueries, 'MinimalStubsFromSource.ql'), '--db', dbDir, '--output-file', outputFile]
+cmd = ['codeql', 'query', 'run', os.path.join(
+    csharpQueries, 'MinimalStubsFromSource.ql'), '--database', dbDir, '--output', outputFile]
 print('Running ' + ' '.join(cmd))
 if subprocess.check_call(cmd):
-    print('Failed to run the query to generate output file. Please contact Semmle.')
+    print('Failed to run the query to generate output file.')
     exit(1)
 
 # Remove the leading " and trailing " bytes from the file
 len = os.stat(outputFile).st_size
 f = open(outputFile, "rb")
 try:
-    quote = f.read(1)
-    if quote != b'"':
-        print("Unexpected character in file. Please contact Semmle.")
-    contents = f.read(len-3)
-    quote = f.read(1)
-    if quote != b'"':
-        print("Unexpected end character. Please contact Semmle.", quote)
+    quote = f.read(6)
+    if quote != b"\x02\x01\x86'\x85'":
+        print("Unexpected start characters in file.", quote)
+    contents = f.read(len-21)
+    quote = f.read(15)
+    if quote != b'\x0e\x01\x08#select\x01\x01\x00s\x00':
+        print("Unexpected end character in file.", quote)
 finally:
     f.close()
 
@@ -94,16 +89,17 @@ f = open(outputFile, "wb")
 f.write(contents)
 f.close()
 
-cmd = ['odasa', 'qltest', '--optimize', testDir]
+cmd = ['codeql', 'test', 'run', testDir]
 print('Running ' + ' '.join(cmd))
 if subprocess.check_call(cmd):
-  print('\nTest failed. You may need to fix up', outputFile)
-  print('It may help to view', outputFile, ' in Visual Studio')
-  print("Next steps:")
-  print('1. Look at the compilation errors, and fix up', outputFile, 'so that the test compiles')
-  print('2. Re-run odasa qltest --optimize "' + testDir + '"')
-  print('3. git add "' + outputFile + '"')
-  exit(1)
+    print('\nTest failed. You may need to fix up', outputFile)
+    print('It may help to view', outputFile, ' in Visual Studio')
+    print("Next steps:")
+    print('1. Look at the compilation errors, and fix up',
+          outputFile, 'so that the test compiles')
+    print('2. Re-run codeql test run "' + testDir + '"')
+    print('3. git add "' + outputFile + '"')
+    exit(1)
 
 print("\nStub generation successful! Next steps:")
 print('1. Edit "semmle-extractor-options" in the .cs files to remove unused references')

From 164b383fda25be40906e216a53581c5fec4da4df Mon Sep 17 00:00:00 2001
From: yoff <lerchedahl@gmail.com>
Date: Fri, 19 Mar 2021 19:12:13 +0100
Subject: [PATCH 0054/1429] Update
 python/ql/test/query-tests/Security/CWE-327/pyOpenSSL_fluent.py

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
---
 .../test/query-tests/Security/CWE-327/pyOpenSSL_fluent.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/python/ql/test/query-tests/Security/CWE-327/pyOpenSSL_fluent.py b/python/ql/test/query-tests/Security/CWE-327/pyOpenSSL_fluent.py
index 028c318be66..e4205c49824 100644
--- a/python/ql/test/query-tests/Security/CWE-327/pyOpenSSL_fluent.py
+++ b/python/ql/test/query-tests/Security/CWE-327/pyOpenSSL_fluent.py
@@ -29,3 +29,11 @@ def test_fluent_safe():
     conn = SSL.Connection(context, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
     r = conn.connect((hostname, 443))
     print(r, conn.get_protocol_version_name())
+    
+def test_safe_by_construction():
+    hostname = 'www.python.org'
+    context = SSL.Context(SSL.TLSv1_2_METHOD)
+
+    conn = SSL.Connection(context, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
+    r = conn.connect((hostname, 443))
+    print(conn.get_protocol_version_name())

From 1385b2264234bc6fa3deaaeb7537ee47d89c47fe Mon Sep 17 00:00:00 2001
From: Dilan <dbhalla21@berkeley.edu>
Date: Fri, 19 Mar 2021 16:43:29 -0700
Subject: [PATCH 0055/1429] pr fixes, typo in qhelp file and helper method for
 queries

---
 .../Classes/NamingConventionsClasses.qhelp    |  2 +-
 .../Classes/NamingConventionsClasses.ql       | 17 +++++++-----
 .../NamingConventionsFunctions.qhelp          |  2 +-
 .../Functions/NamingConventionsFunctions.ql   | 27 +++++++++++--------
 4 files changed, 29 insertions(+), 19 deletions(-)

diff --git a/python/ql/src/experimental/Classes/NamingConventionsClasses.qhelp b/python/ql/src/experimental/Classes/NamingConventionsClasses.qhelp
index 1a7f4bc45a4..a928668dc6f 100644
--- a/python/ql/src/experimental/Classes/NamingConventionsClasses.qhelp
+++ b/python/ql/src/experimental/Classes/NamingConventionsClasses.qhelp
@@ -21,7 +21,7 @@ Write the class name beginning with an uppercase letter. For example, <code>clas
 <references>
 
 <li>
-  Guido van Rossum, Barry Warsaw, Nick Coghlan <em>PEP 8 -- Style Guide for Python Code<em>
+  Guido van Rossum, Barry Warsaw, Nick Coghlan <em>PEP 8 -- Style Guide for Python Code</em>
   <a href="https://www.python.org/dev/peps/pep-0008/#class-names">Python Class Names</a>
 </li>
 
diff --git a/python/ql/src/experimental/Classes/NamingConventionsClasses.ql b/python/ql/src/experimental/Classes/NamingConventionsClasses.ql
index d4919c3ece8..f16d242eadf 100644
--- a/python/ql/src/experimental/Classes/NamingConventionsClasses.ql
+++ b/python/ql/src/experimental/Classes/NamingConventionsClasses.ql
@@ -9,15 +9,20 @@
 
 import python
 
-from Class c, string first_char
+predicate lower_case_class(Class c) {
+  exists(string first_char | 
+    first_char = c.getName().prefix(1) and
+    not first_char = first_char.toUpperCase()
+  )
+}
+
+from Class c
 where
   c.inSource() and
-  first_char = c.getName().prefix(1) and
-  not first_char = first_char.toUpperCase() and
-  not exists(Class c1, string first_char1 |
+  lower_case_class(c) and
+  not exists(Class c1 |
     c1 != c and
     c1.getLocation().getFile() = c.getLocation().getFile() and
-    first_char1 = c1.getName().prefix(1) and
-    not first_char1 = first_char1.toUpperCase()
+    lower_case_class(c1)
   )
 select c, "Class names should start in uppercase."
diff --git a/python/ql/src/experimental/Functions/NamingConventionsFunctions.qhelp b/python/ql/src/experimental/Functions/NamingConventionsFunctions.qhelp
index 46d948592ff..b4ff738782c 100644
--- a/python/ql/src/experimental/Functions/NamingConventionsFunctions.qhelp
+++ b/python/ql/src/experimental/Functions/NamingConventionsFunctions.qhelp
@@ -21,7 +21,7 @@ Write the function name beginning with an lowercase letter. For example, <code>j
 <references>
 
 <li>
-  Guido van Rossum, Barry Warsaw, Nick Coghlan <em>PEP 8 -- Style Guide for Python Code<em>
+  Guido van Rossum, Barry Warsaw, Nick Coghlan <em>PEP 8 -- Style Guide for Python Code</em>
   <a href="https://www.python.org/dev/peps/pep-0008/#function-and-variable-names">Python Function and Variable Names</a>
 </li>
 
diff --git a/python/ql/src/experimental/Functions/NamingConventionsFunctions.ql b/python/ql/src/experimental/Functions/NamingConventionsFunctions.ql
index 80dc0e99cd8..d2868af22c9 100644
--- a/python/ql/src/experimental/Functions/NamingConventionsFunctions.ql
+++ b/python/ql/src/experimental/Functions/NamingConventionsFunctions.ql
@@ -9,15 +9,20 @@
 
 import python
 
-from Function f, string first_char
-where
-  f.inSource() and
-  first_char = f.getName().prefix(1) and
-  not first_char = first_char.toLowerCase() and
-  not exists(Function f1, string first_char1 |
-    f1 != f and
-    f1.getLocation().getFile() = f.getLocation().getFile() and
-    first_char1 = f1.getName().prefix(1) and
-    not first_char1 = first_char1.toLowerCase()
+predicate upper_case_function(Function func) {
+  exists(string first_char | 
+    first_char = func.getName().prefix(1) and
+    not first_char = first_char.toLowerCase()
   )
-select f, "Function names should start in lowercase."
+}
+
+from Function func
+where
+  func.inSource() and
+  upper_case_function(func) and
+  not exists(Function func1 |
+    func1 != func and
+    func1.getLocation().getFile() = func.getLocation().getFile() and
+    upper_case_function(func1)
+  )
+select func, "Function names should start in lowercase."

From 26bac9f425c2ecab54759797da19bcc1586ed95d Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Sun, 21 Mar 2021 15:25:29 +0300
Subject: [PATCH 0056/1429] Apply suggestions from code review

Co-authored-by: Robert Marsh <rdmarsh2@gmail.com>
---
 .../CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql b/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
index 1a116a83dbf..034df703bc3 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
@@ -15,12 +15,12 @@
 import cpp
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 
-/** Holds, if it is an expression, a boolean increment. */
+/** Holds if `exp` increments a boolean value. */
 predicate incrementBoolType(Expr exp) {
   exp.(IncrementOperation).getOperand().getType() instanceof BoolType
 }
 
-/** Holds, if this is an expression, applies a minus to a boolean type. */
+/** Holds if `exp` applies the unary minus operator to a boolean type. */
 predicate revertSignBoolType(Expr exp) {
   exp.(AssignExpr).getRValue().(UnaryMinusExpr).getAnOperand().getType() instanceof BoolType and
   exp.(AssignExpr).getLValue().getType() instanceof BoolType

From 0200aedc2efc939b96170951d848d440fcbb8e4a Mon Sep 17 00:00:00 2001
From: yo-h <55373593+yo-h@users.noreply.github.com>
Date: Sun, 21 Mar 2021 12:55:25 -0400
Subject: [PATCH 0057/1429] Java 16: adjust test `options`

---
 java/ql/test/library-tests/dataflow/records/options      | 2 +-
 java/ql/test/library-tests/dataflow/taint-format/options | 1 -
 java/ql/test/library-tests/printAst/options              | 2 +-
 java/ql/test/library-tests/ssa/options                   | 2 +-
 java/ql/test/query-tests/StringFormat/options            | 1 -
 5 files changed, 3 insertions(+), 5 deletions(-)
 delete mode 100644 java/ql/test/library-tests/dataflow/taint-format/options
 delete mode 100644 java/ql/test/query-tests/StringFormat/options

diff --git a/java/ql/test/library-tests/dataflow/records/options b/java/ql/test/library-tests/dataflow/records/options
index 81817b37785..fc57fe025b9 100644
--- a/java/ql/test/library-tests/dataflow/records/options
+++ b/java/ql/test/library-tests/dataflow/records/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args --enable-preview -source 15 -target 15
+//semmle-extractor-options: --javac-args -source 16 -target 16
diff --git a/java/ql/test/library-tests/dataflow/taint-format/options b/java/ql/test/library-tests/dataflow/taint-format/options
deleted file mode 100644
index 81817b37785..00000000000
--- a/java/ql/test/library-tests/dataflow/taint-format/options
+++ /dev/null
@@ -1 +0,0 @@
-//semmle-extractor-options: --javac-args --enable-preview -source 15 -target 15
diff --git a/java/ql/test/library-tests/printAst/options b/java/ql/test/library-tests/printAst/options
index 81817b37785..e41003a6e3c 100644
--- a/java/ql/test/library-tests/printAst/options
+++ b/java/ql/test/library-tests/printAst/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args --enable-preview -source 15 -target 15
+//semmle-extractor-options: --javac-args --enable-preview -source 16 -target 16
diff --git a/java/ql/test/library-tests/ssa/options b/java/ql/test/library-tests/ssa/options
index 81817b37785..e41003a6e3c 100644
--- a/java/ql/test/library-tests/ssa/options
+++ b/java/ql/test/library-tests/ssa/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args --enable-preview -source 15 -target 15
+//semmle-extractor-options: --javac-args --enable-preview -source 16 -target 16
diff --git a/java/ql/test/query-tests/StringFormat/options b/java/ql/test/query-tests/StringFormat/options
deleted file mode 100644
index 81817b37785..00000000000
--- a/java/ql/test/query-tests/StringFormat/options
+++ /dev/null
@@ -1 +0,0 @@
-//semmle-extractor-options: --javac-args --enable-preview -source 15 -target 15

From 73e940de74bb326664db451b97fa58e67e683400 Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Tue, 2 Feb 2021 17:37:14 +0100
Subject: [PATCH 0058/1429] Added query for Jakarta EL injections

- Added JakartaExpressionInjection.ql
- Added a qhelp file with examples
---
 .../Security/CWE/CWE-094/InjectionLib.qll     | 14 +++
 .../CWE-094/JakartaExpressionInjection.qhelp  | 65 ++++++++++++
 .../CWE/CWE-094/JakartaExpressionInjection.ql | 20 ++++
 .../CWE-094/JakartaExpressionInjectionLib.qll | 98 +++++++++++++++++++
 .../Security/CWE/CWE-094/JexlInjectionLib.qll | 13 +--
 .../SaferExpressionEvaluationWithJuel.java    | 10 ++
 .../UnsafeExpressionEvaluationWithJuel.java   |  5 +
 7 files changed, 213 insertions(+), 12 deletions(-)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/InjectionLib.qll
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.qhelp
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/SaferExpressionEvaluationWithJuel.java
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/UnsafeExpressionEvaluationWithJuel.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/InjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/InjectionLib.qll
new file mode 100644
index 00000000000..adab79d6f5c
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/InjectionLib.qll
@@ -0,0 +1,14 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+
+/**
+ * Holds if `fromNode` to `toNode` is a dataflow step that returns data from
+ * a bean by calling one of its getters.
+ */
+predicate returnsDataFromBean(DataFlow::Node fromNode, DataFlow::Node toNode) {
+  exists(MethodAccess ma, Method m | ma.getMethod() = m |
+    m instanceof GetterMethod and
+    ma.getQualifier() = fromNode.asExpr() and
+    ma = toNode.asExpr()
+  )
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.qhelp
new file mode 100644
index 00000000000..6e6b5f63394
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.qhelp
@@ -0,0 +1,65 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Jakarta Expression Language (EL) is an expression language for Java applications.
+There are a single language specification and multiple implementations
+such as Glassfish, Juel, Apache Commons EL, etc.
+The language allows invocation of methods available in the JVM.
+If an expression is built using attacker-controlled data,
+and then evaluated, then it may allow the attacker to run arbitrary code.
+</p>
+</overview>
+
+<recommendation>
+<p>
+It is generally recommended to avoid using untrusted data in an EL expression.
+Before using untrusted data to build an EL expressoin, the data should be validated
+to ensure it is not evaluated as expression language. If the EL implementaion offers
+configuring a sandbox for EL expression, they should be run in a restircitive sandbox
+that allows accessing only explicitly allowed classes. If the EL implementation
+does not allow sandboxing, consider using other expressiong language implementations
+with sandboxing capabilities such as Apache Commons JEXL or the Spring Expression Language.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows how untrusted data is used to build and run an expression
+using the JUEL interpreter:
+</p>
+<sample src="UnsafeExpressionEvaluationWithJUEL.java" />
+
+<p>
+JUEL does not allow to run expression in a sandbox. To prevent running arbitrary code,
+incoming data has to be checked before including to an expression. The next example
+uses a Regex pattern to check whether a user tries to run an allowed exression or not:
+</p>
+<sample src="SaferExpressionEvaluationWithJUEL.java" />
+
+</example>
+
+<references>
+<li>
+  Eclipse Foundation:
+  <a href="https://projects.eclipse.org/projects/ee4j.el">Jakarta Expression Language</a>.
+</li>
+<li>
+  Jakarta EE documentation:
+  <a href="https://javadoc.io/doc/jakarta.el/jakarta.el-api/latest/index.html">Jakarta Expression Language API</a>
+</li>
+<li>
+  OWASP:
+  <a href="https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection">Expression Language Injection</a>.
+</li>
+<li>
+  JUEL:
+  <a href="http://juel.sourceforge.net">Home page</a>
+</li>
+<li>
+  Apache Foundation:
+  <a href="https://commons.apache.org/dormant/commons-el/">Apache Commons EL</a>
+</li>
+</references>
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql
new file mode 100644
index 00000000000..b94c98201de
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Java EE Expression Language injection
+ * @description Evaluation of a user-controlled Jave EE expression
+ *              may lead to arbitrary code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/javaee-expression-injection
+ * @tags security
+ *       external/cwe/cwe-094
+ */
+
+import java
+import JavaEEExpressionInjectionLib
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, JavaEEExpressionInjectionConfig conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Java EE Expression Language injection from $@.",
+  source.getNode(), "this user input"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
new file mode 100644
index 00000000000..d43b31c9888
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
@@ -0,0 +1,98 @@
+import java
+import InjectionLib
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to construct and evaluate a Java EE expression.
+ */
+class JavaEEExpressionInjectionConfig extends TaintTracking::Configuration {
+  JavaEEExpressionInjectionConfig() { this = "JavaEEExpressionInjectionConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionEvaluationSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
+    any(TaintPropagatingCall c).taintFlow(fromNode, toNode) or
+    returnsDataFromBean(fromNode, toNode)
+  }
+}
+
+/**
+ * A sink for Expresssion Language injection vulnerabilities,
+ * i.e. method calls that run evaluation of a Java EE expression.
+ */
+private class ExpressionEvaluationSink extends DataFlow::ExprNode {
+  ExpressionEvaluationSink() {
+    exists(MethodAccess ma, Method m, Expr taintFrom |
+      ma.getMethod() = m and taintFrom = this.asExpr()
+    |
+      m.getDeclaringType() instanceof ValueExpression and
+      m.hasName(["getValue", "setValue"]) and
+      ma.getQualifier() = taintFrom
+      or
+      m.getDeclaringType() instanceof MethodExpression and
+      m.hasName("invoke") and
+      ma.getQualifier() = taintFrom
+      or
+      m.getDeclaringType() instanceof LambdaExpression and
+      m.hasName("invoke") and
+      ma.getQualifier() = taintFrom
+      or
+      m.getDeclaringType() instanceof ELProcessor and
+      m.hasName(["eval", "getValue", "setValue"]) and
+      ma.getArgument(0) = taintFrom
+    )
+  }
+}
+
+/**
+ * Defines method calls that propagate tainted expressions.
+ */
+private class TaintPropagatingCall extends Call {
+  Expr taintFromExpr;
+
+  TaintPropagatingCall() {
+    taintFromExpr = this.getArgument(1) and
+    exists(Method m | this.(MethodAccess).getMethod() = m |
+      m.getDeclaringType() instanceof ExpressionFactory and
+      m.hasName(["createValueExpression", "createMethodExpression"]) and
+      taintFromExpr.getType() instanceof TypeString
+    )
+    or
+    exists(Constructor c | this.(ConstructorCall).getConstructor() = c |
+      c.getDeclaringType() instanceof LambdaExpression and
+      taintFromExpr.getType() instanceof ValueExpression
+    )
+  }
+
+  /**
+   * Holds if `fromNode` to `toNode` is a dataflow step that propagates
+   * tainted data.
+   */
+  predicate taintFlow(DataFlow::Node fromNode, DataFlow::Node toNode) {
+    fromNode.asExpr() = taintFromExpr and toNode.asExpr() = this
+  }
+}
+
+private class ELProcessor extends RefType {
+  ELProcessor() { hasQualifiedName("javax.el", "ELProcessor") }
+}
+
+private class ExpressionFactory extends RefType {
+  ExpressionFactory() { hasQualifiedName("javax.el", "ExpressionFactory") }
+}
+
+private class ValueExpression extends RefType {
+  ValueExpression() { hasQualifiedName("javax.el", "ValueExpression") }
+}
+
+private class MethodExpression extends RefType {
+  MethodExpression() { hasQualifiedName("javax.el", "MethodExpression") }
+}
+
+private class LambdaExpression extends RefType {
+  LambdaExpression() { hasQualifiedName("javax.el", "LambdaExpression") }
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
index 561d7e46ae9..51084a9862c 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
@@ -1,4 +1,5 @@
 import java
+import InjectionLib
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 
@@ -152,18 +153,6 @@ private predicate createsJexlEngine(DataFlow::Node fromNode, DataFlow::Node toNo
   )
 }
 
-/**
- * Holds if `fromNode` to `toNode` is a dataflow step that returns data from
- * a bean by calling one of its getters.
- */
-private predicate returnsDataFromBean(DataFlow::Node fromNode, DataFlow::Node toNode) {
-  exists(MethodAccess ma, Method m | ma.getMethod() = m |
-    m instanceof GetterMethod and
-    ma.getQualifier() = fromNode.asExpr() and
-    ma = toNode.asExpr()
-  )
-}
-
 /**
  * A methods in the `JexlEngine` class that gets or sets a property with a JEXL expression.
  */
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/SaferExpressionEvaluationWithJuel.java b/java/ql/src/experimental/Security/CWE/CWE-094/SaferExpressionEvaluationWithJuel.java
new file mode 100644
index 00000000000..54fb9a0ed36
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/SaferExpressionEvaluationWithJuel.java
@@ -0,0 +1,10 @@
+String input = getRemoteUserInput();
+String pattern = "(inside|outside)\\.(temperature|humidity)";
+if (!input.matches(pattern)) {
+    throw new IllegalArgumentException("Unexpected exression");
+}
+String expression = "${" + input + "}";
+ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
+ValueExpression e = factory.createValueExpression(context, expression, Object.class);
+SimpleContext context = getContext();
+Object result = e.getValue(context);
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/UnsafeExpressionEvaluationWithJuel.java b/java/ql/src/experimental/Security/CWE/CWE-094/UnsafeExpressionEvaluationWithJuel.java
new file mode 100644
index 00000000000..27afa0fcb49
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/UnsafeExpressionEvaluationWithJuel.java
@@ -0,0 +1,5 @@
+String expression = "${" + getRemoteUserInput() + "}";
+ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
+ValueExpression e = factory.createValueExpression(context, expression, Object.class);
+SimpleContext context = getContext();
+Object result = e.getValue(context);
\ No newline at end of file

From adb1ed380ac4736860eac8ea6cfadb8f38497db5 Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Sun, 21 Mar 2021 20:36:47 +0300
Subject: [PATCH 0059/1429] Added tests for Jakarta expression injection

---
 .../CWE/CWE-094/JakartaExpressionInjection.ql | 10 +--
 .../CWE-094/JakartaExpressionInjectionLib.qll |  8 +-
 .../JakartaExpressionInjection.expected       | 59 +++++++++++++
 .../CWE-094/JakartaExpressionInjection.java   | 87 +++++++++++++++++++
 .../CWE-094/JakartaExpressionInjection.qlref  |  1 +
 .../query-tests/security/CWE-094/options      |  3 +-
 .../stubs/java-ee-el/javax/el/ELContext.java  |  3 +
 .../stubs/java-ee-el/javax/el/ELManager.java  |  5 ++
 .../java-ee-el/javax/el/ELProcessor.java      |  7 ++
 .../javax/el/ExpressionFactory.java           | 17 ++++
 .../java-ee-el/javax/el/LambdaExpression.java |  8 ++
 .../java-ee-el/javax/el/MethodExpression.java |  5 ++
 .../javax/el/StandardELContext.java           |  5 ++
 .../java-ee-el/javax/el/ValueExpression.java  |  6 ++
 .../de/odysseus/el/ExpressionFactoryImpl.java |  5 ++
 .../de/odysseus/el/util/SimpleContext.java    |  5 ++
 16 files changed, 223 insertions(+), 11 deletions(-)
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.qlref
 create mode 100644 java/ql/test/stubs/java-ee-el/javax/el/ELContext.java
 create mode 100644 java/ql/test/stubs/java-ee-el/javax/el/ELManager.java
 create mode 100644 java/ql/test/stubs/java-ee-el/javax/el/ELProcessor.java
 create mode 100644 java/ql/test/stubs/java-ee-el/javax/el/ExpressionFactory.java
 create mode 100644 java/ql/test/stubs/java-ee-el/javax/el/LambdaExpression.java
 create mode 100644 java/ql/test/stubs/java-ee-el/javax/el/MethodExpression.java
 create mode 100644 java/ql/test/stubs/java-ee-el/javax/el/StandardELContext.java
 create mode 100644 java/ql/test/stubs/java-ee-el/javax/el/ValueExpression.java
 create mode 100644 java/ql/test/stubs/juel-2.2/de/odysseus/el/ExpressionFactoryImpl.java
 create mode 100644 java/ql/test/stubs/juel-2.2/de/odysseus/el/util/SimpleContext.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql
index b94c98201de..8190ec3d61f 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql
@@ -1,6 +1,6 @@
 /**
- * @name Java EE Expression Language injection
- * @description Evaluation of a user-controlled Jave EE expression
+ * @name Jakarta Expression Language injection
+ * @description Evaluation of a user-controlled expression
  *              may lead to arbitrary code execution.
  * @kind path-problem
  * @problem.severity error
@@ -11,10 +11,10 @@
  */
 
 import java
-import JavaEEExpressionInjectionLib
+import JakartaExpressionInjectionLib
 import DataFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, JavaEEExpressionInjectionConfig conf
+from DataFlow::PathNode source, DataFlow::PathNode sink, JakartaExpressionInjectionConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Java EE Expression Language injection from $@.",
+select sink.getNode(), source, sink, "Jakarta Expression Language injection from $@.",
   source.getNode(), "this user input"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
index d43b31c9888..bc22f7c3257 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
@@ -5,10 +5,10 @@ import semmle.code.java.dataflow.TaintTracking
 
 /**
  * A taint-tracking configuration for unsafe user input
- * that is used to construct and evaluate a Java EE expression.
+ * that is used to construct and evaluate an expression.
  */
-class JavaEEExpressionInjectionConfig extends TaintTracking::Configuration {
-  JavaEEExpressionInjectionConfig() { this = "JavaEEExpressionInjectionConfig" }
+class JakartaExpressionInjectionConfig extends TaintTracking::Configuration {
+  JakartaExpressionInjectionConfig() { this = "JakartaExpressionInjectionConfig" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
@@ -22,7 +22,7 @@ class JavaEEExpressionInjectionConfig extends TaintTracking::Configuration {
 
 /**
  * A sink for Expresssion Language injection vulnerabilities,
- * i.e. method calls that run evaluation of a Java EE expression.
+ * i.e. method calls that run evaluation of an expression.
  */
 private class ExpressionEvaluationSink extends DataFlow::ExprNode {
   ExpressionEvaluationSink() {
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
new file mode 100644
index 00000000000..111cc81541c
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
@@ -0,0 +1,59 @@
+edges
+| JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:24:31:24:40 | expression : String |
+| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:30:24:30:33 | expression : String |
+| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:37:24:37:33 | expression : String |
+| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:44:24:44:33 | expression : String |
+| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:54:24:54:33 | expression : String |
+| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:61:24:61:33 | expression : String |
+| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:70:24:70:33 | expression : String |
+| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:79:24:79:33 | expression : String |
+| JakartaExpressionInjection.java:30:24:30:33 | expression : String | JakartaExpressionInjection.java:32:28:32:37 | expression |
+| JakartaExpressionInjection.java:37:24:37:33 | expression : String | JakartaExpressionInjection.java:39:32:39:41 | expression |
+| JakartaExpressionInjection.java:44:24:44:33 | expression : String | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression |
+| JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression |
+| JakartaExpressionInjection.java:54:24:54:33 | expression : String | JakartaExpressionInjection.java:56:32:56:41 | expression |
+| JakartaExpressionInjection.java:61:24:61:33 | expression : String | JakartaExpressionInjection.java:64:33:64:96 | createValueExpression(...) : ValueExpression |
+| JakartaExpressionInjection.java:61:24:61:33 | expression : String | JakartaExpressionInjection.java:65:13:65:13 | e |
+| JakartaExpressionInjection.java:61:24:61:33 | expression : String | JakartaExpressionInjection.java:65:13:65:13 | e : ValueExpression |
+| JakartaExpressionInjection.java:64:33:64:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression |
+| JakartaExpressionInjection.java:64:33:64:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:65:13:65:13 | e |
+| JakartaExpressionInjection.java:64:33:64:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:65:13:65:13 | e : ValueExpression |
+| JakartaExpressionInjection.java:65:13:65:13 | e : ValueExpression | JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression |
+| JakartaExpressionInjection.java:70:24:70:33 | expression : String | JakartaExpressionInjection.java:73:33:73:96 | createValueExpression(...) : ValueExpression |
+| JakartaExpressionInjection.java:70:24:70:33 | expression : String | JakartaExpressionInjection.java:74:13:74:13 | e |
+| JakartaExpressionInjection.java:70:24:70:33 | expression : String | JakartaExpressionInjection.java:74:13:74:13 | e : ValueExpression |
+| JakartaExpressionInjection.java:73:33:73:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression |
+| JakartaExpressionInjection.java:73:33:73:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:74:13:74:13 | e |
+| JakartaExpressionInjection.java:73:33:73:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:74:13:74:13 | e : ValueExpression |
+| JakartaExpressionInjection.java:74:13:74:13 | e : ValueExpression | JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression |
+| JakartaExpressionInjection.java:79:24:79:33 | expression : String | JakartaExpressionInjection.java:83:13:83:13 | e |
+nodes
+| JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| JakartaExpressionInjection.java:24:31:24:40 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:30:24:30:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:32:28:32:37 | expression | semmle.label | expression |
+| JakartaExpressionInjection.java:37:24:37:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:39:32:39:41 | expression | semmle.label | expression |
+| JakartaExpressionInjection.java:44:24:44:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression | semmle.label | new LambdaExpression(...) : LambdaExpression |
+| JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression | semmle.label | lambdaExpression |
+| JakartaExpressionInjection.java:54:24:54:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:56:32:56:41 | expression | semmle.label | expression |
+| JakartaExpressionInjection.java:61:24:61:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:64:33:64:96 | createValueExpression(...) : ValueExpression | semmle.label | createValueExpression(...) : ValueExpression |
+| JakartaExpressionInjection.java:65:13:65:13 | e | semmle.label | e |
+| JakartaExpressionInjection.java:65:13:65:13 | e : ValueExpression | semmle.label | e : ValueExpression |
+| JakartaExpressionInjection.java:70:24:70:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:73:33:73:96 | createValueExpression(...) : ValueExpression | semmle.label | createValueExpression(...) : ValueExpression |
+| JakartaExpressionInjection.java:74:13:74:13 | e | semmle.label | e |
+| JakartaExpressionInjection.java:74:13:74:13 | e : ValueExpression | semmle.label | e : ValueExpression |
+| JakartaExpressionInjection.java:79:24:79:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:83:13:83:13 | e | semmle.label | e |
+#select
+| JakartaExpressionInjection.java:32:28:32:37 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:32:28:32:37 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:39:32:39:41 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:39:32:39:41 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:56:32:56:41 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:56:32:56:41 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:65:13:65:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:65:13:65:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:74:13:74:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:74:13:74:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:83:13:83:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:83:13:83:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java
new file mode 100644
index 00000000000..a9fb2d45d6f
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java
@@ -0,0 +1,87 @@
+import java.io.IOException;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.util.ArrayList;
+import java.util.function.Consumer;
+
+import javax.el.ELContext;
+import javax.el.ELManager;
+import javax.el.ELProcessor;
+import javax.el.ExpressionFactory;
+import javax.el.LambdaExpression;
+import javax.el.MethodExpression;
+import javax.el.StandardELContext;
+import javax.el.ValueExpression;
+
+public class JakartaExpressionInjection {
+    
+    private static void testWithSocket(Consumer<String> action) throws IOException {
+        try (ServerSocket serverSocket = new ServerSocket(0)) {
+            try (Socket socket = serverSocket.accept()) {
+                byte[] bytes = new byte[1024];
+                int n = socket.getInputStream().read(bytes);
+                String expression = new String(bytes, 0, n);
+                action.accept(expression);
+            }
+        }
+    }
+
+    private static void testWithELProcessorEval() throws IOException {
+        testWithSocket(expression -> {
+            ELProcessor processor = new ELProcessor();
+            processor.eval(expression);
+        });
+    }
+
+    private static void testWithELProcessorGetValue() throws IOException {
+        testWithSocket(expression -> {   
+            ELProcessor processor = new ELProcessor();
+            processor.getValue(expression, Object.class);
+        });
+    }
+
+    private static void testWithLambdaExpressionInvoke() throws IOException {
+        testWithSocket(expression -> {
+            ExpressionFactory factory = ELManager.getExpressionFactory();
+            StandardELContext context = new StandardELContext(factory);
+            ValueExpression valueExpression = factory.createValueExpression(context, expression, Object.class);
+            LambdaExpression lambdaExpression = new LambdaExpression(new ArrayList<>(), valueExpression);
+            lambdaExpression.invoke(context, new Object[0]);
+        });
+    }
+
+    private static void testWithELProcessorSetValue() throws IOException {
+        testWithSocket(expression -> {
+            ELProcessor processor = new ELProcessor();
+            processor.setValue(expression, new Object());
+        });
+    }
+
+    private static void testWithJuelValueExpressionGetValue() throws IOException {
+        testWithSocket(expression -> {
+            ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
+            ELContext context = new de.odysseus.el.util.SimpleContext();
+            ValueExpression e = factory.createValueExpression(context, expression, Object.class);
+            e.getValue(context);
+        });
+    }
+
+    private static void testWithJuelValueExpressionSetValue() throws IOException {
+        testWithSocket(expression -> {
+            ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
+            ELContext context = new de.odysseus.el.util.SimpleContext();
+            ValueExpression e = factory.createValueExpression(context, expression, Object.class);
+            e.setValue(context, new Object());
+        });
+    }
+
+    private static void testWithJuelMethodExpressionInvoke() throws IOException {
+        testWithSocket(expression -> {
+            ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
+            ELContext context = new de.odysseus.el.util.SimpleContext();
+            MethodExpression e = factory.createMethodExpression(context, expression, Object.class, new Class[0]);
+            e.invoke(context, new Object[0]);
+        });
+    }
+
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.qlref
new file mode 100644
index 00000000000..3154ee5ccad
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/options b/java/ql/test/experimental/query-tests/security/CWE-094/options
index a8e30ce30b4..ec3354ea41c 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/options
@@ -1,2 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine
-
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2
\ No newline at end of file
diff --git a/java/ql/test/stubs/java-ee-el/javax/el/ELContext.java b/java/ql/test/stubs/java-ee-el/javax/el/ELContext.java
new file mode 100644
index 00000000000..ce3840c69c8
--- /dev/null
+++ b/java/ql/test/stubs/java-ee-el/javax/el/ELContext.java
@@ -0,0 +1,3 @@
+package javax.el;
+
+public class ELContext {}
diff --git a/java/ql/test/stubs/java-ee-el/javax/el/ELManager.java b/java/ql/test/stubs/java-ee-el/javax/el/ELManager.java
new file mode 100644
index 00000000000..7d24f739a3f
--- /dev/null
+++ b/java/ql/test/stubs/java-ee-el/javax/el/ELManager.java
@@ -0,0 +1,5 @@
+package javax.el;
+
+public class ELManager {
+    public static ExpressionFactory getExpressionFactory() { return null; }
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/java-ee-el/javax/el/ELProcessor.java b/java/ql/test/stubs/java-ee-el/javax/el/ELProcessor.java
new file mode 100644
index 00000000000..3c523e685c5
--- /dev/null
+++ b/java/ql/test/stubs/java-ee-el/javax/el/ELProcessor.java
@@ -0,0 +1,7 @@
+package javax.el;
+
+public class ELProcessor {
+    public Object eval(String expression) { return null; }
+    public Object getValue(String expression, Class<?> expectedType) { return null; }
+    public void setValue(String expression, Object value) {}
+}
diff --git a/java/ql/test/stubs/java-ee-el/javax/el/ExpressionFactory.java b/java/ql/test/stubs/java-ee-el/javax/el/ExpressionFactory.java
new file mode 100644
index 00000000000..31ff79169ac
--- /dev/null
+++ b/java/ql/test/stubs/java-ee-el/javax/el/ExpressionFactory.java
@@ -0,0 +1,17 @@
+package javax.el;
+
+public class ExpressionFactory {
+    public MethodExpression createMethodExpression(ELContext context, String expression, Class<?> expectedReturnType,
+            Class<?>[] expectedParamTypes) {
+
+        return null;
+    }
+
+    public ValueExpression createValueExpression(ELContext context, String expression, Class<?> expectedType) {
+        return null;
+    }
+
+    public ValueExpression createValueExpression(Object instance, Class<?> expectedType) {
+        return null;
+    }
+}
diff --git a/java/ql/test/stubs/java-ee-el/javax/el/LambdaExpression.java b/java/ql/test/stubs/java-ee-el/javax/el/LambdaExpression.java
new file mode 100644
index 00000000000..4be01e9d2e4
--- /dev/null
+++ b/java/ql/test/stubs/java-ee-el/javax/el/LambdaExpression.java
@@ -0,0 +1,8 @@
+package javax.el;
+
+import java.util.List;
+
+public class LambdaExpression {
+    public LambdaExpression(List<String> formalParameters, ValueExpression expression) {}
+    public Object invoke(Object... args) { return null; }
+}
diff --git a/java/ql/test/stubs/java-ee-el/javax/el/MethodExpression.java b/java/ql/test/stubs/java-ee-el/javax/el/MethodExpression.java
new file mode 100644
index 00000000000..ac50ece80e3
--- /dev/null
+++ b/java/ql/test/stubs/java-ee-el/javax/el/MethodExpression.java
@@ -0,0 +1,5 @@
+package javax.el;
+
+public class MethodExpression {
+    public Object invoke(ELContext context, Object[] params) { return null; }
+}
diff --git a/java/ql/test/stubs/java-ee-el/javax/el/StandardELContext.java b/java/ql/test/stubs/java-ee-el/javax/el/StandardELContext.java
new file mode 100644
index 00000000000..22e3f2a9fc1
--- /dev/null
+++ b/java/ql/test/stubs/java-ee-el/javax/el/StandardELContext.java
@@ -0,0 +1,5 @@
+package javax.el;
+
+public class StandardELContext extends ELContext {
+    public StandardELContext(ExpressionFactory factory) {}
+}
diff --git a/java/ql/test/stubs/java-ee-el/javax/el/ValueExpression.java b/java/ql/test/stubs/java-ee-el/javax/el/ValueExpression.java
new file mode 100644
index 00000000000..9a231215640
--- /dev/null
+++ b/java/ql/test/stubs/java-ee-el/javax/el/ValueExpression.java
@@ -0,0 +1,6 @@
+package javax.el;
+
+public class ValueExpression {
+    public Object getValue(ELContext context) { return null; }
+    public void setValue(ELContext context, Object value) {}
+}
diff --git a/java/ql/test/stubs/juel-2.2/de/odysseus/el/ExpressionFactoryImpl.java b/java/ql/test/stubs/juel-2.2/de/odysseus/el/ExpressionFactoryImpl.java
new file mode 100644
index 00000000000..a555cf88dee
--- /dev/null
+++ b/java/ql/test/stubs/juel-2.2/de/odysseus/el/ExpressionFactoryImpl.java
@@ -0,0 +1,5 @@
+package de.odysseus.el;
+
+import javax.el.ExpressionFactory;
+
+public class ExpressionFactoryImpl extends ExpressionFactory {}
diff --git a/java/ql/test/stubs/juel-2.2/de/odysseus/el/util/SimpleContext.java b/java/ql/test/stubs/juel-2.2/de/odysseus/el/util/SimpleContext.java
new file mode 100644
index 00000000000..aa4f449e5fa
--- /dev/null
+++ b/java/ql/test/stubs/juel-2.2/de/odysseus/el/util/SimpleContext.java
@@ -0,0 +1,5 @@
+package de.odysseus.el.util;
+
+import javax.el.ELContext;
+
+public class SimpleContext extends ELContext {}

From 6c246994035a35925d870f97abc58c04162d53f9 Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Sun, 21 Mar 2021 21:16:00 +0300
Subject: [PATCH 0060/1429] Cover both javax.el and jakarta.el packages

---
 .../CWE-094/JakartaExpressionInjectionLib.qll | 22 +++++++++++--------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
index bc22f7c3257..22f421b8bf8 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
@@ -77,22 +77,26 @@ private class TaintPropagatingCall extends Call {
   }
 }
 
-private class ELProcessor extends RefType {
-  ELProcessor() { hasQualifiedName("javax.el", "ELProcessor") }
+private class JakartaType extends RefType {
+  JakartaType() { getPackage().hasName(["javax.el", "jakarta.el"]) }
 }
 
-private class ExpressionFactory extends RefType {
-  ExpressionFactory() { hasQualifiedName("javax.el", "ExpressionFactory") }
+private class ELProcessor extends JakartaType {
+  ELProcessor() { hasName("ELProcessor") }
 }
 
-private class ValueExpression extends RefType {
-  ValueExpression() { hasQualifiedName("javax.el", "ValueExpression") }
+private class ExpressionFactory extends JakartaType {
+  ExpressionFactory() { hasName("ExpressionFactory") }
 }
 
-private class MethodExpression extends RefType {
-  MethodExpression() { hasQualifiedName("javax.el", "MethodExpression") }
+private class ValueExpression extends JakartaType {
+  ValueExpression() { hasName("ValueExpression") }
+}
+
+private class MethodExpression extends JakartaType {
+  MethodExpression() { hasName("MethodExpression") }
 }
 
 private class LambdaExpression extends RefType {
-  LambdaExpression() { hasQualifiedName("javax.el", "LambdaExpression") }
+  LambdaExpression() { hasName("LambdaExpression") }
 }

From 1534b387bb64cdcd6d88cf36f8516d2b830fd4d5 Mon Sep 17 00:00:00 2001
From: Marcono1234 <Marcono1234@users.noreply.github.com>
Date: Mon, 22 Mar 2021 00:54:14 +0100
Subject: [PATCH 0061/1429] Java: Improve documentation regarding minus in
 front of numeric literals

---
 java/ql/src/semmle/code/java/Expr.qll | 45 ++++++++++++++++++++++++---
 1 file changed, 41 insertions(+), 4 deletions(-)

diff --git a/java/ql/src/semmle/code/java/Expr.qll b/java/ql/src/semmle/code/java/Expr.qll
index 43ad6634fc1..2e90075c1eb 100755
--- a/java/ql/src/semmle/code/java/Expr.qll
+++ b/java/ql/src/semmle/code/java/Expr.qll
@@ -638,7 +638,20 @@ class BooleanLiteral extends Literal, @booleanliteral {
   override string getAPrimaryQlClass() { result = "BooleanLiteral" }
 }
 
-/** An integer literal. For example, `23`. */
+/**
+ * An integer literal. For example, `23`.
+ *
+ * An integer literal can never be negative except when:
+ * - It is written in binary, octal or hexadecimal notation
+ * - It is written in decimal notation, has the value `2147483648` and is preceded
+ *   by a minus; in this case the value of the IntegerLiteral is -2147483648 and
+ *   the preceding minus will *not* be modeled as `MinusExpr`.<br/>
+ *   In all other cases the preceding minus, if any, will be modeled as separate
+ *   `MinusExpr`.
+ *
+ * The last exception is necessary because `2147483648` on its own would not be
+ * a valid integer literal (and could also not be parsed as CodeQL `int`).
+ */
 class IntegerLiteral extends Literal, @integerliteral {
   /** Gets the int representation of this literal. */
   int getIntValue() { result = getValue().toInt() }
@@ -646,17 +659,41 @@ class IntegerLiteral extends Literal, @integerliteral {
   override string getAPrimaryQlClass() { result = "IntegerLiteral" }
 }
 
-/** A long literal. For example, `23l`. */
+/**
+ * A long literal. For example, `23L`.
+ *
+ * A long literal can never be negative except when:
+ * - It is written in binary, octal or hexadecimal notation
+ * - It is written in decimal notation, has the value `9223372036854775808` and
+ *   is preceded by a minus; in this case the value of the LongLiteral is
+ *   -9223372036854775808 and the preceding minus will *not* be modeled as
+ *   `MinusExpr`.<br/>
+ *   In all other cases the preceding minus, if any, will be modeled as separate
+ *   `MinusExpr`.
+ *
+ * The last exception is necessary because `9223372036854775808` on its own
+ * would not be a valid long literal.
+ */
 class LongLiteral extends Literal, @longliteral {
   override string getAPrimaryQlClass() { result = "LongLiteral" }
 }
 
-/** A floating point literal. For example, `4.2f`. */
+/**
+ * A float literal. For example, `4.2f`.
+ *
+ * A float literal is never negative; a preceding minus, if any, will always
+ * be modeled as separate `MinusExpr`.
+ */
 class FloatingPointLiteral extends Literal, @floatingpointliteral {
   override string getAPrimaryQlClass() { result = "FloatingPointLiteral" }
 }
 
-/** A double literal. For example, `4.2`. */
+/**
+ * A double literal. For example, `4.2`.
+ *
+ * A double literal is never negative; a preceding minus, if any, will always
+ * be modeled as separate `MinusExpr`.
+ */
 class DoubleLiteral extends Literal, @doubleliteral {
   override string getAPrimaryQlClass() { result = "DoubleLiteral" }
 }

From 701b935564521d64cc35dc51753493f4dc2782f6 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 22 Mar 2021 00:57:43 +0100
Subject: [PATCH 0062/1429] Python: Add example of QuerySet chain (django)

---
 python/ql/test/library-tests/frameworks/django/SqlExecution.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/python/ql/test/library-tests/frameworks/django/SqlExecution.py b/python/ql/test/library-tests/frameworks/django/SqlExecution.py
index 67a6ee81a5d..fba2ccdc73e 100644
--- a/python/ql/test/library-tests/frameworks/django/SqlExecution.py
+++ b/python/ql/test/library-tests/frameworks/django/SqlExecution.py
@@ -27,3 +27,6 @@ def test_model():
 
     raw = RawSQL("so raw")
     User.objects.annotate(val=raw)  # $getSql="so raw"
+
+    # chaining QuerySet calls
+    User.objects.using("db-name").exclude(username="admin").extra("some sql") # $ MISSING: getSql="some sql"

From 7a0bfd1a69c9a0eb7e13d665ad1f4ce67d05d6fd Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Mon, 22 Mar 2021 12:20:35 +0100
Subject: [PATCH 0063/1429] Skip through any stub preamble

---
 csharp/ql/src/Stubs/make_stubs.py | 43 +++++++++++++++++++++----------
 1 file changed, 30 insertions(+), 13 deletions(-)

diff --git a/csharp/ql/src/Stubs/make_stubs.py b/csharp/ql/src/Stubs/make_stubs.py
index 19a917cd8ab..dcdd9e87cfe 100644
--- a/csharp/ql/src/Stubs/make_stubs.py
+++ b/csharp/ql/src/Stubs/make_stubs.py
@@ -71,19 +71,36 @@ if subprocess.check_call(cmd):
     print('Failed to run the query to generate output file.')
     exit(1)
 
-# Remove the leading " and trailing " bytes from the file
-len = os.stat(outputFile).st_size
-f = open(outputFile, "rb")
-try:
-    quote = f.read(6)
-    if quote != b"\x02\x01\x86'\x85'":
-        print("Unexpected start characters in file.", quote)
-    contents = f.read(len-21)
-    quote = f.read(15)
-    if quote != b'\x0e\x01\x08#select\x01\x01\x00s\x00':
-        print("Unexpected end character in file.", quote)
-finally:
-    f.close()
+# Remove the leading and trailing bytes from the file
+length = os.stat(outputFile).st_size
+if length < 20:
+    contents = b''
+else:
+    f = open(outputFile, "rb")
+    try:
+        countTillSlash = 0
+        foundSlash = False
+        slash = f.read(1)
+        while slash != b'':
+            if slash == b'/':
+                foundSlash = True
+                break
+            countTillSlash += 1
+            slash = f.read(1)
+
+        if not foundSlash:
+            countTillSlash = 0
+
+        f.seek(0)
+        quote = f.read(countTillSlash)
+        print("Start characters in file skipped.", quote)
+        post = b'\x0e\x01\x08#select\x01\x01\x00s\x00'
+        contents = f.read(length - len(post) - countTillSlash)
+        quote = f.read(len(post))
+        if quote != post:
+            print("Unexpected end character in file.", quote)
+    finally:
+        f.close()
 
 f = open(outputFile, "wb")
 f.write(contents)

From c8a6e837b57513df5c8ccd081e193be3443987d1 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 22 Mar 2021 14:36:29 +0100
Subject: [PATCH 0064/1429] Python: Model QuerySet chains in django

---
 .../2021-03-22-django-queryset-chains.md      |   2 +
 .../src/semmle/python/frameworks/Django.qll   | 128 +++++++-----------
 .../frameworks/django/SqlExecution.py         |   2 +-
 3 files changed, 54 insertions(+), 78 deletions(-)
 create mode 100644 python/change-notes/2021-03-22-django-queryset-chains.md

diff --git a/python/change-notes/2021-03-22-django-queryset-chains.md b/python/change-notes/2021-03-22-django-queryset-chains.md
new file mode 100644
index 00000000000..116a7573360
--- /dev/null
+++ b/python/change-notes/2021-03-22-django-queryset-chains.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Improved modeling of `django` to recognize QuerySet chains such as `User.objects.using("db-name").exclude(username="admin").extra("some sql")`. This can lead to new results for `py/sql-injection`.
diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index 9f56bd5a299..384fdf69a15 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -8,6 +8,7 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.PEP249
 private import semmle.python.regex
 
@@ -104,9 +105,6 @@ private module Django {
       // -------------------------------------------------------------------------
       // django.db.models
       // -------------------------------------------------------------------------
-      // NOTE: The modelling of django models is currently fairly incomplete.
-      // It does not fully take `Model`s, `Manager`s, `and QuerySet`s into account.
-      // It simply identifies some common dangerous cases.
       /** Gets a reference to the `django.db.models` module. */
       private DataFlow::Node models(DataFlow::TypeTracker t) {
         t.start() and
@@ -123,72 +121,52 @@ private module Django {
 
       /** Provides models for the `django.db.models` module. */
       module models {
-        /** Provides models for the `django.db.models.Model` class. */
+        /**
+         * Provides models for the `django.db.models.Model` class and subclasses.
+         *
+         * See https://docs.djangoproject.com/en/3.1/topics/db/models/.
+         */
         module Model {
-          /** Gets a reference to the `django.db.models.Model` class. */
-          private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-            t.start() and
-            result = DataFlow::importNode("django.db.models.Model")
-            or
-            t.startInAttr("Model") and
-            result = models()
-            or
-            // subclass
-            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
-            or
-            exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
+          /** Gets a reference to the `flask.views.View` class or any subclass. */
+          API::Node subclassRef() {
+            result =
+              API::moduleImport("django")
+                  .getMember("db")
+                  .getMember("models")
+                  .getMember("Model")
+                  .getASubclass*()
           }
-
-          /** Gets a reference to the `django.db.models.Model` class. */
-          DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
-        }
-
-        /** Gets a reference to the `objects` object of a django model. */
-        private DataFlow::Node objects(DataFlow::TypeTracker t) {
-          t.startInAttr("objects") and
-          result = Model::classRef()
-          or
-          exists(DataFlow::TypeTracker t2 | result = objects(t2).track(t2, t))
-        }
-
-        /** Gets a reference to the `objects` object of a model. */
-        DataFlow::Node objects() { result = objects(DataFlow::TypeTracker::end()) }
-
-        /**
-         * Gets a reference to the attribute `attr_name` of an `objects` object.
-         * WARNING: Only holds for a few predefined attributes.
-         */
-        private DataFlow::Node objects_attr(DataFlow::TypeTracker t, string attr_name) {
-          attr_name in ["annotate", "extra", "raw"] and
-          t.startInAttr(attr_name) and
-          result = objects()
-          or
-          // Due to bad performance when using normal setup with `objects_attr(t2, attr_name).track(t2, t)`
-          // we have inlined that code and forced a join
-          exists(DataFlow::TypeTracker t2 |
-            exists(DataFlow::StepSummary summary |
-              objects_attr_first_join(t2, attr_name, result, summary) and
-              t = t2.append(summary)
-            )
-          )
-        }
-
-        pragma[nomagic]
-        private predicate objects_attr_first_join(
-          DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-          DataFlow::StepSummary summary
-        ) {
-          DataFlow::StepSummary::step(objects_attr(t2, attr_name), res, summary)
         }
 
         /**
-         * Gets a reference to the attribute `attr_name` of an `objects` object.
-         * WARNING: Only holds for a few predefined attributes.
+         * Gets a reference to the Manager (django.db.models.Manager) for a django Model,
+         * accessed by `<ModelName>.objects`.
          */
-        DataFlow::Node objects_attr(string attr_name) {
-          result = objects_attr(DataFlow::TypeTracker::end(), attr_name)
+        API::Node manager() { result = Model::subclassRef().getMember("objects") }
+
+        /**
+         * Gets a method with `name` that returns a QuerySet.
+         * This method can originate on a QuerySet or a Manager.
+         *
+         * See https://docs.djangoproject.com/en/3.1/ref/models/querysets/
+         */
+        API::Node querySetReturningMethod(string name) {
+          name in [
+              "none", "all", "filter", "exclude", "complex_filter", "union", "intersection",
+              "difference", "select_for_update", "select_related", "prefetch_related", "order_by",
+              "distinct", "reverse", "defer", "only", "using", "annotate", "extra", "raw",
+              "datetimes", "dates", "values", "values_list"
+            ] and
+          result = [manager(), querySet()].getMember(name)
         }
 
+        /**
+         * Gets a reference to a QuerySet (django.db.models.query.QuerySet).
+         *
+         * See https://docs.djangoproject.com/en/3.1/ref/models/querysets/
+         */
+        API::Node querySet() { result = querySetReturningMethod(_).getReturn() }
+
         /** Gets a reference to the `django.db.models.expressions` module. */
         private DataFlow::Node expressions(DataFlow::TypeTracker t) {
           t.start() and
@@ -253,14 +231,13 @@ private module Django {
      *
      * See https://docs.djangoproject.com/en/3.1/ref/models/querysets/#annotate
      */
-    private class ObjectsAnnotate extends SqlExecution::Range, DataFlow::CfgNode {
-      override CallNode node;
+    private class ObjectsAnnotate extends SqlExecution::Range, DataFlow::CallCfgNode {
       ControlFlowNode sql;
 
       ObjectsAnnotate() {
-        node.getFunction() = django::db::models::objects_attr("annotate").asCfgNode() and
-        django::db::models::expressions::RawSQL::instance(sql).asCfgNode() in [
-            node.getArg(_), node.getArgByName(_)
+        this = django::db::models::querySetReturningMethod("annotate").getACall() and
+        django::db::models::expressions::RawSQL::instance(sql) in [
+            this.getArg(_), this.getArgByName(_)
           ]
       }
 
@@ -274,12 +251,10 @@ private module Django {
      * - https://docs.djangoproject.com/en/3.1/topics/db/sql/#django.db.models.Manager.raw
      * - https://docs.djangoproject.com/en/3.1/ref/models/querysets/#raw
      */
-    private class ObjectsRaw extends SqlExecution::Range, DataFlow::CfgNode {
-      override CallNode node;
+    private class ObjectsRaw extends SqlExecution::Range, DataFlow::CallCfgNode {
+      ObjectsRaw() { this = django::db::models::querySetReturningMethod("raw").getACall() }
 
-      ObjectsRaw() { node.getFunction() = django::db::models::objects_attr("raw").asCfgNode() }
-
-      override DataFlow::Node getSql() { result.asCfgNode() = node.getArg(0) }
+      override DataFlow::Node getSql() { result = this.getArg(0) }
     }
 
     /**
@@ -287,14 +262,13 @@ private module Django {
      *
      * See https://docs.djangoproject.com/en/3.1/ref/models/querysets/#extra
      */
-    private class ObjectsExtra extends SqlExecution::Range, DataFlow::CfgNode {
-      override CallNode node;
-
-      ObjectsExtra() { node.getFunction() = django::db::models::objects_attr("extra").asCfgNode() }
+    private class ObjectsExtra extends SqlExecution::Range, DataFlow::CallCfgNode {
+      ObjectsExtra() { this = django::db::models::querySetReturningMethod("extra").getACall() }
 
       override DataFlow::Node getSql() {
-        result.asCfgNode() =
-          [node.getArg([0, 1, 3, 4]), node.getArgByName(["select", "where", "tables", "order_by"])]
+        result in [
+            this.getArg([0, 1, 3, 4]), this.getArgByName(["select", "where", "tables", "order_by"])
+          ]
       }
     }
 
diff --git a/python/ql/test/library-tests/frameworks/django/SqlExecution.py b/python/ql/test/library-tests/frameworks/django/SqlExecution.py
index fba2ccdc73e..449983fc898 100644
--- a/python/ql/test/library-tests/frameworks/django/SqlExecution.py
+++ b/python/ql/test/library-tests/frameworks/django/SqlExecution.py
@@ -29,4 +29,4 @@ def test_model():
     User.objects.annotate(val=raw)  # $getSql="so raw"
 
     # chaining QuerySet calls
-    User.objects.using("db-name").exclude(username="admin").extra("some sql") # $ MISSING: getSql="some sql"
+    User.objects.using("db-name").exclude(username="admin").extra("some sql") # $ getSql="some sql"

From 993999f64fd519d358b1276d19b81215a7073e6f Mon Sep 17 00:00:00 2001
From: Marcono1234 <Marcono1234@users.noreply.github.com>
Date: Mon, 22 Mar 2021 17:37:54 +0100
Subject: [PATCH 0065/1429] Java: Add test for negative numeric literals

---
 .../literals-numeric/NumericLiterals.java        | 16 ++++++++++++++++
 .../negativeNumericLiteral.expected              | 12 ++++++++++++
 .../literals-numeric/negativeNumericLiteral.ql   |  9 +++++++++
 3 files changed, 37 insertions(+)
 create mode 100644 java/ql/test/library-tests/literals-numeric/NumericLiterals.java
 create mode 100644 java/ql/test/library-tests/literals-numeric/negativeNumericLiteral.expected
 create mode 100644 java/ql/test/library-tests/literals-numeric/negativeNumericLiteral.ql

diff --git a/java/ql/test/library-tests/literals-numeric/NumericLiterals.java b/java/ql/test/library-tests/literals-numeric/NumericLiterals.java
new file mode 100644
index 00000000000..02f2fbfcc6b
--- /dev/null
+++ b/java/ql/test/library-tests/literals-numeric/NumericLiterals.java
@@ -0,0 +1,16 @@
+class NumericLiterals {    
+	void negativeLiterals() {
+		float f = -1f;
+		double d = -1d;
+		int i1 = -2147483647;
+		int i2 = -2147483648; // CodeQL models minus as part of literal
+		int i3 = -0b10000000000000000000000000000000; // binary
+		int i4 = -020000000000; // octal
+		int i5 = -0x80000000; // hex
+		long l1 = -9223372036854775807L;
+		long l2 = -9223372036854775808L; // CodeQL models minus as part of literal
+		long l3 = -0b1000000000000000000000000000000000000000000000000000000000000000L; // binary
+		long l4 = -01000000000000000000000L; // octal
+		long l5 = -0x8000000000000000L; // hex
+	}
+}
diff --git a/java/ql/test/library-tests/literals-numeric/negativeNumericLiteral.expected b/java/ql/test/library-tests/literals-numeric/negativeNumericLiteral.expected
new file mode 100644
index 00000000000..95100f259dd
--- /dev/null
+++ b/java/ql/test/library-tests/literals-numeric/negativeNumericLiteral.expected
@@ -0,0 +1,12 @@
+| NumericLiterals.java:3:14:3:15 | 1f | 1.0 | NumericLiterals.java:3:13:3:15 | -... |
+| NumericLiterals.java:4:15:4:16 | 1d | 1.0 | NumericLiterals.java:4:14:4:16 | -... |
+| NumericLiterals.java:5:13:5:22 | 2147483647 | 2147483647 | NumericLiterals.java:5:12:5:22 | -... |
+| NumericLiterals.java:6:12:6:22 | -2147483648 | -2147483648 | NumericLiterals.java:6:7:6:22 | i2 |
+| NumericLiterals.java:7:13:7:46 | 0b10000000000000000000000000000000 | -2147483648 | NumericLiterals.java:7:12:7:46 | -... |
+| NumericLiterals.java:8:13:8:24 | 020000000000 | -2147483648 | NumericLiterals.java:8:12:8:24 | -... |
+| NumericLiterals.java:9:13:9:22 | 0x80000000 | -2147483648 | NumericLiterals.java:9:12:9:22 | -... |
+| NumericLiterals.java:10:14:10:33 | 9223372036854775807L | 9223372036854775807 | NumericLiterals.java:10:13:10:33 | -... |
+| NumericLiterals.java:11:13:11:33 | -9223372036854775808L | -9223372036854775808 | NumericLiterals.java:11:8:11:33 | l2 |
+| NumericLiterals.java:12:14:12:80 | 0b1000000000000000000000000000000000000000000000000000000000000000L | -9223372036854775808 | NumericLiterals.java:12:13:12:80 | -... |
+| NumericLiterals.java:13:14:13:37 | 01000000000000000000000L | -9223372036854775808 | NumericLiterals.java:13:13:13:37 | -... |
+| NumericLiterals.java:14:14:14:32 | 0x8000000000000000L | -9223372036854775808 | NumericLiterals.java:14:13:14:32 | -... |
diff --git a/java/ql/test/library-tests/literals-numeric/negativeNumericLiteral.ql b/java/ql/test/library-tests/literals-numeric/negativeNumericLiteral.ql
new file mode 100644
index 00000000000..0fbb3989c7a
--- /dev/null
+++ b/java/ql/test/library-tests/literals-numeric/negativeNumericLiteral.ql
@@ -0,0 +1,9 @@
+import java
+
+from Literal l
+where
+  l instanceof IntegerLiteral or
+  l instanceof LongLiteral or
+  l instanceof FloatingPointLiteral or
+  l instanceof DoubleLiteral
+select l, l.getValue(), l.getParent()

From 0e81fd26248875838c751ce44345aee1b8e6c36d Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Mon, 22 Mar 2021 18:41:22 +0100
Subject: [PATCH 0066/1429] Python: Move `Boolean` into `TypeTrackerPrivate`

In general, this may be defined already for other languages, so moving
it in here will avoid potential clashes.
---
 python/ql/src/experimental/typetracking/TypeTracker.qll    | 5 -----
 .../src/experimental/typetracking/TypeTrackerPrivate.qll   | 7 +++++++
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/python/ql/src/experimental/typetracking/TypeTracker.qll b/python/ql/src/experimental/typetracking/TypeTracker.qll
index f21d3a2a91b..056e7ba5cf0 100644
--- a/python/ql/src/experimental/typetracking/TypeTracker.qll
+++ b/python/ql/src/experimental/typetracking/TypeTracker.qll
@@ -78,11 +78,6 @@ module StepSummary {
   }
 }
 
-/**
- * A utility class that is equivalent to `boolean` but does not require type joining.
- */
-private class Boolean extends boolean {
-  Boolean() { this = true or this = false }
 }
 
 private newtype TTypeTracker = MkTypeTracker(Boolean hasCall, OptionalContentName content)
diff --git a/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll b/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll
index d26a76b3355..ab39e8be5be 100644
--- a/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll
+++ b/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll
@@ -95,3 +95,10 @@ predicate basicLoadStep(Node nodeFrom, Node nodeTo, string content) {
     nodeTo = a
   )
 }
+
+/**
+ * A utility class that is equivalent to `boolean` but does not require type joining.
+ */
+class Boolean extends boolean {
+  Boolean() { this = true or this = false }
+}

From 7cdf439b83b3d166ac0b9083968178b7a1e380ca Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Mon, 22 Mar 2021 18:42:24 +0100
Subject: [PATCH 0067/1429] Python: Clean up `basicStoreStep`

Moves the `flowsTo` logic into the shared implementation, so that
`TypeTrackingPrivate` only has to define the shape of immediate store
steps.

Also cleans up the documentation to talk a bit more about what
`content` can represent, and what caveats there are.
---
 .../experimental/typetracking/TypeTracker.qll | 48 +++++++++++++++++--
 .../typetracking/TypeTrackerPrivate.qll       | 32 ++-----------
 2 files changed, 47 insertions(+), 33 deletions(-)

diff --git a/python/ql/src/experimental/typetracking/TypeTracker.qll b/python/ql/src/experimental/typetracking/TypeTracker.qll
index 056e7ba5cf0..46461d3e22e 100644
--- a/python/ql/src/experimental/typetracking/TypeTracker.qll
+++ b/python/ql/src/experimental/typetracking/TypeTracker.qll
@@ -2,7 +2,18 @@
 
 private import TypeTrackerPrivate
 
-/** Any string that may appear as the name of a piece of content. */
+/**
+ * Any string that may appear as the name of a piece of content. This will usually include things like:
+ * - Attribute names (in Python)
+ * - Property names (in JavaScript)
+ *
+ * In general, this can also be used to model things like stores to specific list indices. To ensure
+ * correctness, it is important that
+ *
+ * - different types of content do not have overlapping names, and
+ * - the empty string `""` is not a valid piece of content, as it is used to indicate the absence of
+ *   content instead.
+ */
 class ContentName extends string {
   ContentName() { this = getPossibleContentName() }
 }
@@ -70,14 +81,41 @@ module StepSummary {
     summary = ReturnStep()
     or
     exists(string content |
-      basicStoreStep(nodeFrom, nodeTo, content) and
+      localSourceStoreStep(nodeFrom, nodeTo, content) and
       summary = StoreStep(content)
       or
       basicLoadStep(nodeFrom, nodeTo, content) and summary = LoadStep(content)
     )
   }
-}
 
+  /**
+   * Holds if `nodeFrom` is being written to the `content` content of the object in `nodeTo`.
+   *
+   * Note that `nodeTo` will always be a local source node that flows to the place where the content
+   * is written in `basicStoreStep`. This may lead to the flow of information going "back in time"
+   * from the point of view of the execution of the program.
+   *
+   * For instance, if we interpret attribute writes in Python as writing to content with the same
+   * name as the attribute and consider the following snippet
+   *
+   * ```python
+   * def foo(y):
+   *    x = Foo()
+   *    bar(x)
+   *    x.attr = y
+   *    baz(x)
+   *
+   * def bar(x):
+   *    z = x.attr
+   * ```
+   * for the attribute write `x.attr = y`, we will have `content` being the literal string `"attr"`,
+   * `nodeFrom` will be `y`, and `nodeTo` will be the object `Foo()` created on the first line of the
+   * function. This means we will track the fact that `x.attr` can have the type of `y` into the
+   * assignment to `z` inside `bar`, even though this attribute write happens _after_ `bar` is called.
+   */
+  predicate localSourceStoreStep(Node nodeFrom, LocalSourceNode nodeTo, string content) {
+    exists(Node obj | nodeTo.flowsTo(obj) and basicStoreStep(nodeFrom, obj, content))
+  }
 }
 
 private newtype TTypeTracker = MkTypeTracker(Boolean hasCall, OptionalContentName content)
@@ -92,7 +130,7 @@ private newtype TTypeTracker = MkTypeTracker(Boolean hasCall, OptionalContentNam
  *
  * It is recommended that all uses of this type are written in the following form,
  * for tracking some type `myType`:
- * ```
+ * ```ql
  * DataFlow::LocalSourceNode myType(DataFlow::TypeTracker t) {
  *   t.start() and
  *   result = < source of myType >
@@ -253,7 +291,7 @@ private newtype TTypeBackTracker = MkTypeBackTracker(Boolean hasReturn, Optional
  * It is recommended that all uses of this type are written in the following form,
  * for back-tracking some callback type `myCallback`:
  *
- * ```
+ * ```ql
  * DataFlow::LocalSourceNode myCallback(DataFlow::TypeBackTracker t) {
  *   t.start() and
  *   result = (< some API call >).getArgument(< n >).getALocalSource()
diff --git a/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll b/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll
index ab39e8be5be..6469eb93d98 100644
--- a/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll
+++ b/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll
@@ -13,10 +13,8 @@ predicate typePreservingStep(Node nodeFrom, Node nodeTo) {
 }
 
 /**
- * Gets the name of a possible piece of content. This will usually include things like
- *
- * - Attribute names (in Python)
- * - Property names (in JavaScript)
+ * Gets the name of a possible piece of content. For Python, this is currently only attribute names,
+ * using the name of the attribute for the corresponding content.
  */
 string getPossibleContentName() { result = any(DataFlowPublic::AttrRef a).getAttributeName() }
 
@@ -54,34 +52,12 @@ predicate returnStep(DataFlowPrivate::ReturnNode nodeFrom, Node nodeTo) {
 
 /**
  * Holds if `nodeFrom` is being written to the `content` content of the object in `nodeTo`.
- *
- * Note that the choice of `nodeTo` does not have to make sense "chronologically".
- * All we care about is whether the `content` content of `nodeTo` can have a specific type,
- * and the assumption is that if a specific type appears here, then any access of that
- * particular content can yield something of that particular type.
- *
- * Thus, in an example such as
- *
- * ```python
- * def foo(y):
- *    x = Foo()
- *    bar(x)
- *    x.content = y
- *    baz(x)
- *
- * def bar(x):
- *    z = x.content
- * ```
- * for the content write `x.content = y`, we will have `content` being the literal string `"content"`,
- * `nodeFrom` will be `y`, and `nodeTo` will be the object `Foo()` created on the first line of the
- * function. This means we will track the fact that `x.content` can have the type of `y` into the
- * assignment to `z` inside `bar`, even though this content write happens _after_ `bar` is called.
  */
-predicate basicStoreStep(Node nodeFrom, LocalSourceNode nodeTo, string content) {
+predicate basicStoreStep(Node nodeFrom, Node nodeTo, string content) {
   exists(DataFlowPublic::AttrWrite a |
     a.mayHaveAttributeName(content) and
     nodeFrom = a.getValue() and
-    nodeTo.flowsTo(a.getObject())
+    nodeTo = a.getObject()
   )
 }
 

From 08c3bf26d558d1bfaf0504fa1a0ba6837910829a Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Tue, 16 Mar 2021 03:18:26 +0000
Subject: [PATCH 0068/1429] Update the query to accommodate more cases

---
 .../CWE-1004/SensitiveCookieNotHttpOnly.ql    | 73 +++++++++++++++++--
 .../SensitiveCookieNotHttpOnly.expected       |  8 ++
 .../CWE-1004/SensitiveCookieNotHttpOnly.java  | 57 +++++++++++++++
 3 files changed, 130 insertions(+), 8 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
index 693dad68082..ac33a6cecb2 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -33,7 +33,23 @@ predicate isSensitiveCookieNameExpr(Expr expr) {
 
 /** Holds if a string is concatenated with the `HttpOnly` flag. */
 predicate hasHttpOnlyExpr(Expr expr) {
-  expr.(CompileTimeConstantExpr).getStringValue().toLowerCase().matches("%httponly%") or
+  (
+    expr.(CompileTimeConstantExpr).getStringValue().toLowerCase().matches("%httponly%")
+    or
+    exists(
+      StaticMethodAccess ma // String.format("%s=%s;HttpOnly", "sessionkey", sessionKey)
+    |
+      ma.getType().getName() = "String" and
+      ma.getMethod().getName() = "format" and
+      ma.getArgument(0)
+          .(CompileTimeConstantExpr)
+          .getStringValue()
+          .toLowerCase()
+          .matches("%httponly%") and
+      expr = ma
+    )
+  )
+  or
   hasHttpOnlyExpr(expr.(AddExpr).getAnOperand())
 }
 
@@ -56,6 +72,40 @@ class CookieClass extends RefType {
   }
 }
 
+/** Holds if the `Expr` expr is evaluated to boolean true. */
+predicate isBooleanTrue(Expr expr) {
+  expr.(CompileTimeConstantExpr).getBooleanValue() = true or
+  expr.(VarAccess).getVariable().getAnAssignedValue().(CompileTimeConstantExpr).getBooleanValue() =
+    true
+}
+
+/** Holds if the method or a wrapper method sets the `HttpOnly` flag. */
+predicate setHttpOnlyInCookie(MethodAccess ma) {
+  ma.getMethod().getName() = "setHttpOnly" and
+  (
+    isBooleanTrue(ma.getArgument(0)) // boolean literal true
+    or
+    exists(
+      MethodAccess mpa, int i // runtime assignment of boolean value true
+    |
+      TaintTracking::localTaint(DataFlow::parameterNode(mpa.getMethod().getParameter(i)),
+        DataFlow::exprNode(ma.getArgument(0))) and
+      isBooleanTrue(mpa.getArgument(i))
+    )
+  )
+  or
+  exists(MethodAccess mca |
+    ma.getMethod().calls(mca.getMethod()) and
+    setHttpOnlyInCookie(mca)
+  )
+}
+
+/** Holds if the method or a wrapper method removes a cookie. */
+predicate removeCookie(MethodAccess ma) {
+  ma.getMethod().getName() = "setMaxAge" and
+  ma.getArgument(0).(IntegerLiteral).getIntValue() = 0
+}
+
 /** Sensitive cookie name used in a `Cookie` constructor or a `Set-Cookie` call. */
 class SensitiveCookieNameExpr extends Expr {
   SensitiveCookieNameExpr() { isSensitiveCookieNameExpr(this) }
@@ -69,11 +119,16 @@ class CookieResponseSink extends DataFlow::ExprNode {
         ma.getMethod() instanceof ResponseAddCookieMethod and
         this.getExpr() = ma.getArgument(0) and
         not exists(
-          MethodAccess ma2 // cookie.setHttpOnly(true)
+          MethodAccess ma2 // a method or wrapper method that invokes cookie.setHttpOnly(true)
         |
-          ma2.getMethod().getName() = "setHttpOnly" and
-          ma2.getArgument(0).(BooleanLiteral).getBooleanValue() = true and
-          DataFlow::localExprFlow(ma2.getQualifier(), this.getExpr())
+          (
+            setHttpOnlyInCookie(ma2) or
+            removeCookie(ma2)
+          ) and
+          (
+            DataFlow::localExprFlow(ma2.getQualifier(), this.getExpr()) or
+            DataFlow::localExprFlow(ma2, this.getExpr())
+          )
         )
         or
         ma instanceof SetCookieMethodAccess and
@@ -92,13 +147,15 @@ class CookieResponseSink extends DataFlow::ExprNode {
 predicate setHttpOnlyInNewCookie(ClassInstanceExpr cie) {
   cie.getConstructedType().hasQualifiedName(["javax.ws.rs.core", "jakarta.ws.rs.core"], "NewCookie") and
   (
-    cie.getNumArgument() = 6 and cie.getArgument(5).(BooleanLiteral).getBooleanValue() = true // NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
+    cie.getNumArgument() = 6 and
+    isBooleanTrue(cie.getArgument(5)) // NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
     or
     cie.getNumArgument() = 8 and
     cie.getArgument(6).getType() instanceof BooleanType and
-    cie.getArgument(7).(BooleanLiteral).getBooleanValue() = true // NewCookie(String name, String value, String path, String domain, String comment, int maxAge, boolean secure, boolean httpOnly)
+    isBooleanTrue(cie.getArgument(7)) // NewCookie(String name, String value, String path, String domain, String comment, int maxAge, boolean secure, boolean httpOnly)
     or
-    cie.getNumArgument() = 10 and cie.getArgument(9).(BooleanLiteral).getBooleanValue() = true // NewCookie(String name, String value, String path, String domain, int version, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
+    cie.getNumArgument() = 10 and
+    isBooleanTrue(cie.getArgument(9)) // NewCookie(String name, String value, String path, String domain, int version, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
   )
 }
 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
index 8fa688bef2a..dae98e92e67 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
@@ -7,6 +7,9 @@ edges
 | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
 | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
 | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
+| SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" : String | SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie |
+| SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie | SensitiveCookieNotHttpOnly.java:102:25:102:64 | createAuthenticationCookie(...) : Cookie |
+| SensitiveCookieNotHttpOnly.java:102:25:102:64 | createAuthenticationCookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:103:28:103:33 | cookie |
 nodes
 | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" : String | semmle.label | "jwt_token" : String |
 | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | semmle.label | jwtCookie |
@@ -21,6 +24,10 @@ nodes
 | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | semmle.label | ... + ... : String |
 | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... : String | semmle.label | ... + ... : String |
 | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | semmle.label | secString |
+| SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" : String | semmle.label | "Presto-UI-Token" : String |
+| SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie | semmle.label | cookie : Cookie |
+| SensitiveCookieNotHttpOnly.java:102:25:102:64 | createAuthenticationCookie(...) : Cookie | semmle.label | createAuthenticationCookie(...) : Cookie |
+| SensitiveCookieNotHttpOnly.java:103:28:103:33 | cookie | semmle.label | cookie |
 #select
 | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" | This sensitive cookie |
 | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" | This sensitive cookie |
@@ -31,3 +38,4 @@ nodes
 | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" | This sensitive cookie |
 | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... | This sensitive cookie |
 | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:103:28:103:33 | cookie | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" : String | SensitiveCookieNotHttpOnly.java:103:28:103:33 | cookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" | This sensitive cookie |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
index 337a99cc096..fdc831d7836 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
@@ -71,6 +71,63 @@ class SensitiveCookieNotHttpOnly {
         response.addHeader("Set-Cookie", secString);
     }
 
+    // GOOD - Tests set a sensitive cookie header with the `HttpOnly` flag set using `String.format(...)`.
+    public void addCookie10(HttpServletRequest request, HttpServletResponse response) {
+        response.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly", "sessionkey", request.getSession().getAttribute("sessionkey")));
+    }
+
+    public Cookie createHttpOnlyAuthenticationCookie(HttpServletRequest request, String jwt) {
+        String PRESTO_UI_COOKIE = "Presto-UI-Token";
+        Cookie cookie = new Cookie(PRESTO_UI_COOKIE, jwt);
+        cookie.setHttpOnly(true);
+        cookie.setPath("/ui");
+        return cookie;
+    }
+
+    public Cookie createAuthenticationCookie(HttpServletRequest request, String jwt) {
+        String PRESTO_UI_COOKIE = "Presto-UI-Token";
+        Cookie cookie = new Cookie(PRESTO_UI_COOKIE, jwt);
+        cookie.setPath("/ui");
+        return cookie;
+    }
+
+    // GOOD - Tests set a sensitive cookie header with the `HttpOnly` flag set using a wrapper method.
+    public void addCookie11(HttpServletRequest request, HttpServletResponse response, String jwt) {
+        Cookie cookie = createHttpOnlyAuthenticationCookie(request, jwt);
+        response.addCookie(cookie);
+    }
+
+    // BAD - Tests set a sensitive cookie header without the `HttpOnly` flag set using a wrapper method.
+    public void addCookie12(HttpServletRequest request, HttpServletResponse response, String jwt) {
+        Cookie cookie = createAuthenticationCookie(request, jwt);
+        response.addCookie(cookie);
+    }
+
+    private Cookie createCookie(String name, String value, Boolean httpOnly){
+        Cookie cookie = null;
+        cookie = new Cookie(name, value);
+        cookie.setDomain("/");
+        cookie.setHttpOnly(httpOnly);
+
+        //for production https
+        cookie.setSecure(true);
+
+        cookie.setMaxAge(60*60*24*30);
+        cookie.setPath("/");
+
+        return cookie;
+    }
+
+    // GOOD - Tests set a sensitive cookie header with the `HttpOnly` flag set through a boolean variable using a wrapper method.
+    public void addCookie13(HttpServletRequest request, HttpServletResponse response, String refreshToken) {
+        response.addCookie(createCookie("refresh_token", refreshToken, true));
+    }
+
+    // BAD - Tests set a sensitive cookie header with the `HttpOnly` flag not set through a boolean variable using a wrapper method.
+    public void addCookie14(HttpServletRequest request, HttpServletResponse response, String refreshToken) {
+        response.addCookie(createCookie("refresh_token", refreshToken, false));
+    }
+
     // GOOD - CSRF token doesn't need to have the `HttpOnly` flag set.
     public void addCsrfCookie(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
         // Spring put the CSRF token in session attribute "_csrf"

From fe0e7f5eac232e2aae155fe332c57c9e30e61cdf Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Thu, 25 Mar 2021 01:45:13 +0000
Subject: [PATCH 0069/1429] Change method check to taint flow

---
 .../CWE-1004/SensitiveCookieNotHttpOnly.ql    | 70 ++++++++++---------
 .../SensitiveCookieNotHttpOnly.expected       | 10 +--
 .../CWE-1004/SensitiveCookieNotHttpOnly.java  | 18 ++++-
 3 files changed, 58 insertions(+), 40 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
index ac33a6cecb2..db9adc2ee09 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -11,6 +11,7 @@ import java
 import semmle.code.java.dataflow.FlowSteps
 import semmle.code.java.frameworks.Servlets
 import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.TaintTracking2
 import DataFlow::PathGraph
 
 /** Gets a regular expression for matching common names of sensitive cookies. */
@@ -31,28 +32,6 @@ predicate isSensitiveCookieNameExpr(Expr expr) {
   isSensitiveCookieNameExpr(expr.(AddExpr).getAnOperand())
 }
 
-/** Holds if a string is concatenated with the `HttpOnly` flag. */
-predicate hasHttpOnlyExpr(Expr expr) {
-  (
-    expr.(CompileTimeConstantExpr).getStringValue().toLowerCase().matches("%httponly%")
-    or
-    exists(
-      StaticMethodAccess ma // String.format("%s=%s;HttpOnly", "sessionkey", sessionKey)
-    |
-      ma.getType().getName() = "String" and
-      ma.getMethod().getName() = "format" and
-      ma.getArgument(0)
-          .(CompileTimeConstantExpr)
-          .getStringValue()
-          .toLowerCase()
-          .matches("%httponly%") and
-      expr = ma
-    )
-  )
-  or
-  hasHttpOnlyExpr(expr.(AddExpr).getAnOperand())
-}
-
 /** The method call `Set-Cookie` of `addHeader` or `setHeader`. */
 class SetCookieMethodAccess extends MethodAccess {
   SetCookieMethodAccess() {
@@ -64,6 +43,22 @@ class SetCookieMethodAccess extends MethodAccess {
   }
 }
 
+/**
+ * A taint configuration tracking flow from the text `httponly` to argument 1 of
+ * `SetCookieMethodAccess`.
+ */
+class MatchesHttpOnlyConfiguration extends TaintTracking2::Configuration {
+  MatchesHttpOnlyConfiguration() { this = "MatchesHttpOnlyConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr().(CompileTimeConstantExpr).getStringValue().toLowerCase().matches("%httponly%")
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() = any(SetCookieMethodAccess ma).getArgument(1)
+  }
+}
+
 /** The cookie class of Java EE. */
 class CookieClass extends RefType {
   CookieClass() {
@@ -79,7 +74,7 @@ predicate isBooleanTrue(Expr expr) {
     true
 }
 
-/** Holds if the method or a wrapper method sets the `HttpOnly` flag. */
+/** Holds if the method call sets the `HttpOnly` flag. */
 predicate setHttpOnlyInCookie(MethodAccess ma) {
   ma.getMethod().getName() = "setHttpOnly" and
   (
@@ -93,14 +88,24 @@ predicate setHttpOnlyInCookie(MethodAccess ma) {
       isBooleanTrue(mpa.getArgument(i))
     )
   )
-  or
-  exists(MethodAccess mca |
-    ma.getMethod().calls(mca.getMethod()) and
-    setHttpOnlyInCookie(mca)
-  )
 }
 
-/** Holds if the method or a wrapper method removes a cookie. */
+/**
+ * A taint configuration tracking flow of a method or a wrapper method that sets
+ * the `HttpOnly` flag.
+ */
+class SetHttpOnlyInCookieConfiguration extends TaintTracking2::Configuration {
+  SetHttpOnlyInCookieConfiguration() { this = "SetHttpOnlyInCookieConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { any() }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() =
+      any(MethodAccess ma | ma.getMethod() instanceof ResponseAddCookieMethod).getArgument(0)
+  }
+}
+
+/** Holds if the method call removes a cookie. */
 predicate removeCookie(MethodAccess ma) {
   ma.getMethod().getName() = "setMaxAge" and
   ma.getArgument(0).(IntegerLiteral).getIntValue() = 0
@@ -125,15 +130,14 @@ class CookieResponseSink extends DataFlow::ExprNode {
             setHttpOnlyInCookie(ma2) or
             removeCookie(ma2)
           ) and
-          (
-            DataFlow::localExprFlow(ma2.getQualifier(), this.getExpr()) or
-            DataFlow::localExprFlow(ma2, this.getExpr())
+          exists(SetHttpOnlyInCookieConfiguration cc |
+            cc.hasFlow(DataFlow::exprNode(ma2.getQualifier()), this)
           )
         )
         or
         ma instanceof SetCookieMethodAccess and
         this.getExpr() = ma.getArgument(1) and
-        not hasHttpOnlyExpr(this.getExpr()) // response.addHeader("Set-Cookie", "token=" +authId + ";HttpOnly;Secure")
+        not exists(MatchesHttpOnlyConfiguration cc | cc.hasFlowToExpr(ma.getArgument(1))) // response.addHeader("Set-Cookie", "token=" +authId + ";HttpOnly;Secure")
       ) and
       not isTestMethod(ma) // Test class or method
     )
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
index dae98e92e67..a9d126ca4a9 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
@@ -8,8 +8,8 @@ edges
 | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
 | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
 | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" : String | SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie |
-| SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie | SensitiveCookieNotHttpOnly.java:102:25:102:64 | createAuthenticationCookie(...) : Cookie |
-| SensitiveCookieNotHttpOnly.java:102:25:102:64 | createAuthenticationCookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:103:28:103:33 | cookie |
+| SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie | SensitiveCookieNotHttpOnly.java:110:25:110:64 | createAuthenticationCookie(...) : Cookie |
+| SensitiveCookieNotHttpOnly.java:110:25:110:64 | createAuthenticationCookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:111:28:111:33 | cookie |
 nodes
 | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" : String | semmle.label | "jwt_token" : String |
 | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | semmle.label | jwtCookie |
@@ -26,8 +26,8 @@ nodes
 | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | semmle.label | secString |
 | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" : String | semmle.label | "Presto-UI-Token" : String |
 | SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie | semmle.label | cookie : Cookie |
-| SensitiveCookieNotHttpOnly.java:102:25:102:64 | createAuthenticationCookie(...) : Cookie | semmle.label | createAuthenticationCookie(...) : Cookie |
-| SensitiveCookieNotHttpOnly.java:103:28:103:33 | cookie | semmle.label | cookie |
+| SensitiveCookieNotHttpOnly.java:110:25:110:64 | createAuthenticationCookie(...) : Cookie | semmle.label | createAuthenticationCookie(...) : Cookie |
+| SensitiveCookieNotHttpOnly.java:111:28:111:33 | cookie | semmle.label | cookie |
 #select
 | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" | This sensitive cookie |
 | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" | This sensitive cookie |
@@ -38,4 +38,4 @@ nodes
 | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" | This sensitive cookie |
 | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... | This sensitive cookie |
 | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... | This sensitive cookie |
-| SensitiveCookieNotHttpOnly.java:103:28:103:33 | cookie | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" : String | SensitiveCookieNotHttpOnly.java:103:28:103:33 | cookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" | This sensitive cookie |
+| SensitiveCookieNotHttpOnly.java:111:28:111:33 | cookie | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" : String | SensitiveCookieNotHttpOnly.java:111:28:111:33 | cookie | $@ doesn't have the HttpOnly flag set. | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" | This sensitive cookie |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
index fdc831d7836..0bb912f6ce6 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
@@ -91,6 +91,14 @@ class SensitiveCookieNotHttpOnly {
         return cookie;
     }
 
+    public Cookie removeAuthenticationCookie(HttpServletRequest request, String jwt) {
+        String PRESTO_UI_COOKIE = "Presto-UI-Token";
+        Cookie cookie = new Cookie(PRESTO_UI_COOKIE, jwt);
+        cookie.setPath("/ui");
+        cookie.setMaxAge(0);
+        return cookie;
+    }
+
     // GOOD - Tests set a sensitive cookie header with the `HttpOnly` flag set using a wrapper method.
     public void addCookie11(HttpServletRequest request, HttpServletResponse response, String jwt) {
         Cookie cookie = createHttpOnlyAuthenticationCookie(request, jwt);
@@ -103,6 +111,12 @@ class SensitiveCookieNotHttpOnly {
         response.addCookie(cookie);
     }
 
+    // GOOD - Tests remove a sensitive cookie header without the `HttpOnly` flag set using a wrapper method.
+    public void addCookie13(HttpServletRequest request, HttpServletResponse response, String jwt) {
+        Cookie cookie = removeAuthenticationCookie(request, jwt);
+        response.addCookie(cookie);
+    }
+
     private Cookie createCookie(String name, String value, Boolean httpOnly){
         Cookie cookie = null;
         cookie = new Cookie(name, value);
@@ -119,12 +133,12 @@ class SensitiveCookieNotHttpOnly {
     }
 
     // GOOD - Tests set a sensitive cookie header with the `HttpOnly` flag set through a boolean variable using a wrapper method.
-    public void addCookie13(HttpServletRequest request, HttpServletResponse response, String refreshToken) {
+    public void addCookie14(HttpServletRequest request, HttpServletResponse response, String refreshToken) {
         response.addCookie(createCookie("refresh_token", refreshToken, true));
     }
 
     // BAD - Tests set a sensitive cookie header with the `HttpOnly` flag not set through a boolean variable using a wrapper method.
-    public void addCookie14(HttpServletRequest request, HttpServletResponse response, String refreshToken) {
+    public void addCookie15(HttpServletRequest request, HttpServletResponse response, String refreshToken) {
         response.addCookie(createCookie("refresh_token", refreshToken, false));
     }
 

From 57bd3f3c1459c04aa0098a254522bcc405f86d80 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Thu, 25 Mar 2021 10:44:26 +0000
Subject: [PATCH 0070/1429] Optimize the taint flow source

---
 .../CWE-1004/SensitiveCookieNotHttpOnly.ql    | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
index db9adc2ee09..f1bc7879b8a 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -97,7 +97,10 @@ predicate setHttpOnlyInCookie(MethodAccess ma) {
 class SetHttpOnlyInCookieConfiguration extends TaintTracking2::Configuration {
   SetHttpOnlyInCookieConfiguration() { this = "SetHttpOnlyInCookieConfiguration" }
 
-  override predicate isSource(DataFlow::Node source) { any() }
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr() =
+      any(MethodAccess ma | setHttpOnlyInCookie(ma) or removeCookie(ma)).getQualifier()
+  }
 
   override predicate isSink(DataFlow::Node sink) {
     sink.asExpr() =
@@ -123,21 +126,11 @@ class CookieResponseSink extends DataFlow::ExprNode {
       (
         ma.getMethod() instanceof ResponseAddCookieMethod and
         this.getExpr() = ma.getArgument(0) and
-        not exists(
-          MethodAccess ma2 // a method or wrapper method that invokes cookie.setHttpOnly(true)
-        |
-          (
-            setHttpOnlyInCookie(ma2) or
-            removeCookie(ma2)
-          ) and
-          exists(SetHttpOnlyInCookieConfiguration cc |
-            cc.hasFlow(DataFlow::exprNode(ma2.getQualifier()), this)
-          )
-        )
+        not exists(SetHttpOnlyInCookieConfiguration cc | cc.hasFlowTo(this))
         or
         ma instanceof SetCookieMethodAccess and
         this.getExpr() = ma.getArgument(1) and
-        not exists(MatchesHttpOnlyConfiguration cc | cc.hasFlowToExpr(ma.getArgument(1))) // response.addHeader("Set-Cookie", "token=" +authId + ";HttpOnly;Secure")
+        not exists(MatchesHttpOnlyConfiguration cc | cc.hasFlowTo(this)) // response.addHeader("Set-Cookie", "token=" +authId + ";HttpOnly;Secure")
       ) and
       not isTestMethod(ma) // Test class or method
     )

From 2576c86ebf2e8a87a8cbe5165ae2ab95a7bec155 Mon Sep 17 00:00:00 2001
From: alexet <alexet@semmle.com>
Date: Thu, 25 Mar 2021 16:16:16 +0000
Subject: [PATCH 0071/1429] Docs: Update the language specification for changes
 to super.

---
 .../ql-language-reference/ql-language-specification.rst  | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/docs/codeql/ql-language-reference/ql-language-specification.rst b/docs/codeql/ql-language-reference/ql-language-specification.rst
index 0fe54210504..ad88b791019 100644
--- a/docs/codeql/ql-language-reference/ql-language-specification.rst
+++ b/docs/codeql/ql-language-reference/ql-language-specification.rst
@@ -1116,8 +1116,6 @@ A super expression may only occur in a QL program as the receiver expression for
 
 If a super expression includes a ``type``, then that type must be a class that the enclosing class inherits from.
 
-If the super expression does not include a type, then the enclosing class must have a single declared base type, and that base type must be a class.
-
 The value of a super expression is the same as the value of ``this`` in the named tuple.
 
 Casts
@@ -1169,7 +1167,12 @@ A valid call with results *resolves* to a set of predicates. The ways a call can
 
 -  If the call has no receiver and the predicate name is a selection identifier, then the qualifier is resolved as a module (see "`Module resolution <#module-resolution>`__"). The identifier is then resolved in the exported predicate environment of the qualifier module.
 
--  If the call has a super expression as the receiver, then it resolves to a member predicate in a class the enclosing class inherits from. If the super expression is unqualified, then the super-class is the single class that the current class inherits from. If there is not exactly one such class, then the program is invalid. Otherwise the super-class is the class named by the qualifier of the super expression. The predicate is resolved by looking up its name and arity in the exported predicate environment of the super-class. 
+-  If the call has a super expression as the receiver, then it resolves to a member predicate in a class that the enclosing class inherits from:
+    -  If the super expression is unqualified and there is a single class that the current class inherits from then the super-class is that class. 
+    -  If the super expression is unqualified and there is are multiple classes that the current class inherits from then the super-class is the domain type.
+    -  Otherwise the super-class is the class named by the qualifier of the super expression. 
+
+   The predicate is resolved by looking up its name and arity in the exported predicate environment of the super-class. 
 
 -  If the type of the receiver is the same as the enclosing class, the predicate is resolved by looking up its name and arity in the visible predicate environment of the class.
 

From 2ca95166d916cc89bf2d7086aa664ef3757c95e4 Mon Sep 17 00:00:00 2001
From: Porcuiney Hairs <porcupiney.hairs@protonmail.com>
Date: Wed, 13 Jan 2021 01:32:54 +0530
Subject: [PATCH 0072/1429] Java : add query to detect insecure loading of Dex
 File

---
 .../CWE/CWE-094/InsecureDexLoading.qhelp      |  44 ++++++++
 .../CWE/CWE-094/InsecureDexLoading.ql         |  20 ++++
 .../CWE/CWE-094/InsecureDexLoading.qll        | 100 ++++++++++++++++++
 .../CWE/CWE-094/InsecureDexLoadingBad.java    |  32 ++++++
 .../CWE/CWE-094/InsecureDexLoadingGood.java   |  23 ++++
 5 files changed, 219 insertions(+)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qhelp
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.ql
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qll
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoadingBad.java
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoadingGood.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qhelp
new file mode 100644
index 00000000000..feda3af3fc2
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qhelp
@@ -0,0 +1,44 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+Shared world writable storage spaces are not secure to load Dex libraries from. A malicious actor can replace a dex file with a maliciously crafted file 
+which when loaded by the app can lead to code execution. 
+</p>
+  </overview>
+
+  <recommendation>
+    <p>
+      Loading a file from private storage instead of a world writable one can prevent this issue.
+      As the attacker cannot access files stored by the app in its private storage. 
+    </p>
+  </recommendation>
+
+  <example>
+    <p>
+      The following example loads a Dex file from a shared world writable location. in this case, 
+      since the `/sdcard` directory is on external storage, any one can read/write to the location. 
+      bypassing all Android security policies. Hence, this is insecure.
+    </p>
+    <sample src="InsecureDexLoadingBad.java" />
+
+    <p>
+    The next example loads a Dex file stored inside the app's private storage. 
+    This is not exploitable as nobody else except the app can access the data stored here.
+    </p>
+    <sample src="InsecureDexLoadingGood.java" />
+  </example>
+
+  <references>
+    <li>
+      Android Documentation:
+      <a href="https://developer.android.com/training/data-storage/">Data and file storage overview</a>
+      .
+    </li>
+    <li>
+      Android Documentation:
+      <a href="https://developer.android.com/reference/dalvik/system/DexClassLoader">DexClassLoader</a>
+      .
+    </li>
+  </references>
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.ql b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.ql
new file mode 100644
index 00000000000..58d9844d38a
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Insecure loading of an Android Dex File
+ * @description Loading a DEX library located in a world-readable/ writable location such as
+ * a SD card can cause arbitary code execution vulnerabilities.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/android-insecure-dex-loading
+ * @tags security
+ *       external/cwe/cwe-094
+ */
+
+import java
+import InsecureDexLoading
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, InsecureDexConfiguration conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Potential arbitary code execution due to $@.",
+  source.getNode(), "a value loaded from a world readable/writable source."
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qll b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qll
new file mode 100644
index 00000000000..2a4b387be7e
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qll
@@ -0,0 +1,100 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+
+/**
+ * A taint-tracking configuration fordetecting unsafe use of a
+ * `DexClassLoader` by an Android app.
+ */
+class InsecureDexConfiguration extends TaintTracking::Configuration {
+  InsecureDexConfiguration() { this = "Insecure Dex File Load" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof InsecureDexSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof InsecureDexSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    flowStep(pred, succ)
+  }
+}
+
+/** A data flow source for insecure Dex class loading vulnerabilities. */
+abstract class InsecureDexSource extends DataFlow::Node { }
+
+/** A data flow sink for insecure Dex class loading vulnerabilities. */
+abstract class InsecureDexSink extends DataFlow::Node { }
+
+private predicate flowStep(DataFlow::Node pred, DataFlow::Node succ) {
+  // propagate from a `java.io.File` via the `File.getAbsolutePath` call.
+  exists(MethodAccess m |
+    m.getMethod().getDeclaringType() instanceof TypeFile and
+    m.getMethod().hasName("getAbsolutePath") and
+    m.getQualifier() = pred.asExpr() and
+    m = succ.asExpr()
+  )
+  or
+  // propagate from a `java.io.File` via the `File.toString` call.
+  exists(MethodAccess m |
+    m.getMethod().getDeclaringType() instanceof TypeFile and
+    m.getMethod().hasName("toString") and
+    m.getQualifier() = pred.asExpr() and
+    m = succ.asExpr()
+  )
+  or
+  // propagate to newly created `File` if the parent directory of the new `File` is tainted
+  exists(ConstructorCall cc |
+    cc.getConstructedType() instanceof TypeFile and
+    cc.getArgument(0) = pred.asExpr() and
+    cc = succ.asExpr()
+  )
+}
+
+/**
+ * An argument to a `DexClassLoader` call taken as a sink for
+ * insecure Dex class loading vulnerabilities.
+ */
+private class DexClassLoader extends InsecureDexSink {
+  DexClassLoader() {
+    exists(ConstructorCall cc |
+      cc.getConstructedType().hasQualifiedName("dalvik.system", "DexClassLoader")
+    |
+      this.asExpr() = cc.getArgument(0)
+    )
+  }
+}
+
+/**
+ * An `File` instance which reads from an SD card
+ * taken as a source for insecure Dex class loading vulnerabilities.
+ */
+private class ExternalFile extends InsecureDexSource {
+  ExternalFile() {
+    exists(ConstructorCall cc, Argument a |
+      cc.getConstructedType() instanceof TypeFile and
+      a = cc.getArgument(0) and
+      a.(CompileTimeConstantExpr).getStringValue().matches("%sdcard%")
+    |
+      this.asExpr() = a
+    )
+  }
+}
+
+/**
+ * A directory or file which may be stored in an world writable directory
+ * taken as a source for insecure Dex class loading vulnerabilities.
+ */
+private class ExternalStorageDirSource extends InsecureDexSource {
+  ExternalStorageDirSource() {
+    exists(Method m |
+      m.getDeclaringType().hasQualifiedName("android.os", "Environment") and
+      m.hasName("getExternalStorageDirectory")
+      or
+      m.getDeclaringType().hasQualifiedName("android.content", "Context") and
+      m.hasName([
+          "getExternalFilesDir", "getExternalFilesDirs", "getExternalMediaDirs",
+          "getExternalCacheDir", "getExternalCacheDirs"
+        ])
+    |
+      this.asExpr() = m.getAReference()
+    )
+  }
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoadingBad.java b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoadingBad.java
new file mode 100644
index 00000000000..d8fdd828f4f
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoadingBad.java
@@ -0,0 +1,32 @@
+
+import android.app.Application;
+import android.content.Context;
+import android.content.pm.PackageInfo;
+import android.os.Bundle;
+
+import dalvik.system.DexClassLoader;
+import dalvik.system.DexFile;
+
+public class InsecureDexLoading extends Application {
+	@Override
+	public void onCreate() {
+		super.onCreate();
+		updateChecker();
+	}
+
+	private void updateChecker() {
+		try {
+			File file = new File("/sdcard/updater.apk");
+			if (file.exists() && file.isFile() && file.length() <= 1000) {
+				DexClassLoader cl = new DexClassLoader(file.getAbsolutePath(), getCacheDir().getAbsolutePath(), null,
+						getClassLoader());
+				int version = (int) cl.loadClass("my.package.class").getDeclaredMethod("myMethod").invoke(null);
+				if (Build.VERSION.SDK_INT < version) {
+					Toast.makeText(this, "Securely loaded Dex!", Toast.LENGTH_LONG).show();
+				}
+			}
+		} catch (Exception e) {
+			// ignore
+		}
+	}
+}
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoadingGood.java b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoadingGood.java
new file mode 100644
index 00000000000..e45e3938f7b
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoadingGood.java
@@ -0,0 +1,23 @@
+public class SecureDexLoading extends Application {
+	@Override
+	public void onCreate() {
+		super.onCreate();
+		updateChecker();
+	}
+
+	private void updateChecker() {
+		try {
+			File file = new File(getCacheDir() + "/updater.apk");
+			if (file.exists() && file.isFile() && file.length() <= 1000) {
+				DexClassLoader cl = new DexClassLoader(file.getAbsolutePath(), getCacheDir().getAbsolutePath(), null,
+						getClassLoader());
+				int version = (int) cl.loadClass("my.package.class").getDeclaredMethod("myMethod").invoke(null);
+				if (Build.VERSION.SDK_INT < version) {
+					Toast.makeText(this, "Securely loaded Dex!", Toast.LENGTH_LONG).show();
+				}
+			}
+		} catch (Exception e) {
+			// ignore
+		}
+	}
+}
\ No newline at end of file

From 62a0775cf69c8bda45aeb9b0cdf60f28dafd9c72 Mon Sep 17 00:00:00 2001
From: yoff <lerchedahl@gmail.com>
Date: Thu, 25 Mar 2021 23:09:11 +0100
Subject: [PATCH 0073/1429] Update
 python/ql/src/Security/CWE-327/examples/secure_protocol.py

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
---
 python/ql/src/Security/CWE-327/examples/secure_protocol.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/Security/CWE-327/examples/secure_protocol.py b/python/ql/src/Security/CWE-327/examples/secure_protocol.py
index 94b3557d017..e349bdae832 100644
--- a/python/ql/src/Security/CWE-327/examples/secure_protocol.py
+++ b/python/ql/src/Security/CWE-327/examples/secure_protocol.py
@@ -4,7 +4,7 @@ import ssl
 hostname = 'www.python.org'
 context = ssl.SSLContext(ssl.PROTOCOL_TLS)
 context.options |= ssl.OP_NO_TLSv1
-context.options |= ssl.OP_NO_TLSv1_1 # This added by me
+context.options |= ssl.OP_NO_TLSv1_1
 
 with socket.create_connection((hostname, 443)) as sock:
     with context.wrap_socket(sock, server_hostname=hostname) as ssock:

From 2b257318f1c9e1d4a27f9022d94a08fc3e4cc3da Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Thu, 25 Mar 2021 23:22:24 +0100
Subject: [PATCH 0074/1429] Python: more precise comment

---
 python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
index 3ff1207b527..ab80ed47dac 100644
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.py
@@ -28,7 +28,7 @@ ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1_2)
 SSLContext(protocol=ssl.PROTOCOL_TLSv1_2)
 SSL.Context(SSL.TLSv1_2_METHOD)
 
-# possibly secure versions specified
+# insecure versions allowed by specified range
 SSLContext(protocol=ssl.PROTOCOL_SSLv23)
 SSLContext(protocol=ssl.PROTOCOL_TLS)
 SSLContext(protocol=ssl.PROTOCOL_TLS_CLIENT)

From 54dad57cf4a22a9d01a434d0633606fa8adf7c8f Mon Sep 17 00:00:00 2001
From: yoff <lerchedahl@gmail.com>
Date: Fri, 26 Mar 2021 00:25:40 +0100
Subject: [PATCH 0075/1429] Update
 python/ql/test/query-tests/Security/CWE-327/pyOpenSSL_fluent.py

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
---
 python/ql/test/query-tests/Security/CWE-327/pyOpenSSL_fluent.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/python/ql/test/query-tests/Security/CWE-327/pyOpenSSL_fluent.py b/python/ql/test/query-tests/Security/CWE-327/pyOpenSSL_fluent.py
index e4205c49824..fa771411882 100644
--- a/python/ql/test/query-tests/Security/CWE-327/pyOpenSSL_fluent.py
+++ b/python/ql/test/query-tests/Security/CWE-327/pyOpenSSL_fluent.py
@@ -23,6 +23,8 @@ def test_fluent_no_TLSv1():
 def test_fluent_safe():
     hostname = 'www.python.org'
     context = SSL.Context(SSL.SSLv23_METHOD)
+    context.set_options(SSL.OP_NO_SSLv2)
+    context.set_options(SSL.OP_NO_SSLv3)
     context.set_options(SSL.OP_NO_TLSv1)
     context.set_options(SSL.OP_NO_TLSv1_1)
 

From 554404575d243ffdff19559e8cbbf4c300019d32 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 26 Mar 2021 00:29:40 +0100
Subject: [PATCH 0076/1429] Python: fix typo and name.

---
 python/ql/src/Security/CWE-327/ReadMe.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/Security/CWE-327/ReadMe.md b/python/ql/src/Security/CWE-327/ReadMe.md
index c5330a78fda..680ae56f493 100644
--- a/python/ql/src/Security/CWE-327/ReadMe.md
+++ b/python/ql/src/Security/CWE-327/ReadMe.md
@@ -12,7 +12,7 @@ This should be kept up to date; the world is moving fast and protocols are being
 
 - `ssl.wrap_socket` is creating insecure connections, use `SSLContext.wrap_socket` instead. [link](https://docs.python.org/3/library/ssl.html#ssl.wrap_socket)
     > Deprecated since version 3.7: Since Python 3.2 and 2.7.9, it is recommended to use the `SSLContext.wrap_socket()` instead of `wrap_socket()`. The top-level function is limited and creates an insecure client socket without server name indication or hostname matching.
-- Default consteructors are fine, a sluent api is used to constrain possible protocols later.
+- Default consteructors are fine, a fluent api is used to constrain possible protocols later.
 
 ## Current recomendation
 

From 9488b8bb18fa89614480024700f51c3500f96725 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 26 Mar 2021 00:31:56 +0100
Subject: [PATCH 0077/1429] Python: actually rename

---
 python/ql/src/Security/CWE-327/{ReadMe.md => README.md} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename python/ql/src/Security/CWE-327/{ReadMe.md => README.md} (100%)

diff --git a/python/ql/src/Security/CWE-327/ReadMe.md b/python/ql/src/Security/CWE-327/README.md
similarity index 100%
rename from python/ql/src/Security/CWE-327/ReadMe.md
rename to python/ql/src/Security/CWE-327/README.md

From d33b04cd965de99180434c998f96a15f98c1f5fa Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Fri, 26 Mar 2021 02:33:40 +0000
Subject: [PATCH 0078/1429] Query to detect plaintext credentials in Java
 properties files

---
 .../CWE-555/CredentialsInPropertiesFile.qhelp | 45 ++++++++++
 .../CWE-555/CredentialsInPropertiesFile.ql    | 87 +++++++++++++++++++
 .../CWE/CWE-555/configuration.properties      | 26 ++++++
 .../CredentialsInPropertiesFile.expected      |  5 ++
 .../CWE-555/CredentialsInPropertiesFile.qlref |  1 +
 .../security/CWE-555/configuration.properties | 37 ++++++++
 .../security/CWE-555/messages.properties      |  8 ++
 7 files changed, 209 insertions(+)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.qhelp
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-555/configuration.properties
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.qlref
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-555/configuration.properties
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-555/messages.properties

diff --git a/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.qhelp b/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.qhelp
new file mode 100644
index 00000000000..afbd40685ba
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.qhelp
@@ -0,0 +1,45 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      Credentials management issues occur when credentials are stored in plaintext in 
+      an application’s properties file. Common credentials include but are not limited 
+      to LDAP, mail, database, proxy account, and so on. Storing plaintext credentials 
+      in a properties file allows anyone who can read the file access to the protected 
+      resource. Good credentials management guidelines require that credentials never 
+      be stored in plaintext.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>
+      Credentials stored in properties files should be encrypted and recycled regularly. 
+      In a Java EE deployment scenario, utilities provided by application servers like 
+      keystore and password vault can be used to encrypt and manage credentials.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>
+      In the first example, the credentials of a LDAP and datasource properties are stored 
+      in cleartext in the properties file.
+    </p>
+
+    <p>
+      In the second example, the credentials of a LDAP and datasource properties are stored
+      in the encrypted format.
+    </p>
+    <sample src="configuration.properties" />
+  </example>
+
+  <references>
+    <li>
+      OWASP:
+      <a href="https://owasp.org/www-community/vulnerabilities/Password_Plaintext_Storage">Password Plaintext Storage</a>
+    </li>
+    <li>
+      Medium (Rajeev Shukla):
+      <a href="https://medium.com/@mail2rajeevshukla/hiding-encrypting-database-password-in-the-application-properties-34d59fe104eb">Encrypting database password in the application.properties file</a>
+    </li>
+  </references>
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql b/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
new file mode 100644
index 00000000000..2ab074e56d8
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
@@ -0,0 +1,87 @@
+/**
+ * @name Cleartext Credentials in Properties File
+ * @description Finds cleartext credentials in Java properties files.
+ * @kind problem
+ * @id java/credentials-in-properties
+ * @tags security
+ *       external/cwe/cwe-555
+ *       external/cwe/cwe-256
+ *       external/cwe/cwe-260
+ */
+
+import java
+import semmle.code.configfiles.ConfigFiles
+
+private string suspicious() {
+  result = "%password%" or
+  result = "%passwd%" or
+  result = "%account%" or
+  result = "%accnt%" or
+  result = "%credential%" or
+  result = "%token%" or
+  result = "%secret%" or
+  result = "%access%key%"
+}
+
+private string nonSuspicious() {
+  result = "%hashed%" or
+  result = "%encrypted%" or
+  result = "%crypt%"
+}
+
+/** Holds if the value is not cleartext credentials. */
+bindingset[value]
+predicate isNotCleartextCredentials(string value) {
+  value = "" // Empty string
+  or
+  value.length() < 7 // Typical credentials are no less than 6 characters
+  or
+  value.matches("% %") // Sentences containing spaces
+  or
+  value.regexpMatch(".*[^a-zA-Z\\d]{3,}.*") // Contain repeated non-alphanumeric characters such as a fake password pass**** or ????
+  or
+  value.matches("@%") // Starts with the "@" sign
+  or
+  value.regexpMatch("\\$\\{.*\\}") // Variable placeholder ${credentials}
+  or
+  value.matches("%=") // A basic check of encrypted credentials ending with padding characters
+  or
+  value.matches("ENC(%)") // Encrypted value
+  or
+  value.toLowerCase().matches(suspicious()) // Could be message properties or fake passwords
+}
+
+/**
+ * Holds if the credentials are in a non-production properties file indicated by:
+ *    a) in a non-production directory
+ *    b) with a non-production file name
+ */
+predicate isNonProdCredentials(CredentialsConfig cc) {
+  cc.getFile().getAbsolutePath().matches(["%dev%", "%test%", "%sample%"]) and
+  not cc.getFile().getAbsolutePath().matches("%codeql%") // CodeQL test cases
+}
+
+/** The properties file with configuration key/value pairs. */
+class ConfigProperties extends ConfigPair {
+  ConfigProperties() { this.getFile().getBaseName().toLowerCase().matches("%.properties") }
+}
+
+/** The credentials configuration property. */
+class CredentialsConfig extends ConfigProperties {
+  CredentialsConfig() {
+    this.getNameElement().getName().trim().toLowerCase().matches(suspicious()) and
+    not this.getNameElement().getName().trim().toLowerCase().matches(nonSuspicious())
+  }
+
+  string getName() { result = this.getNameElement().getName().trim() }
+
+  string getValue() { result = this.getValueElement().getValue().trim() }
+}
+
+from CredentialsConfig cc
+where
+  not isNotCleartextCredentials(cc.getValue()) and
+  not isNonProdCredentials(cc)
+select cc,
+  "Plaintext credentials " + cc.getName() + " have cleartext value " + cc.getValue() +
+    " in properties file."
diff --git a/java/ql/src/experimental/Security/CWE/CWE-555/configuration.properties b/java/ql/src/experimental/Security/CWE/CWE-555/configuration.properties
new file mode 100644
index 00000000000..55e8b0d86da
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-555/configuration.properties
@@ -0,0 +1,26 @@
+#***************************** LDAP Credentials *****************************************#
+ 
+ldap.ldapHost = ldap.example.com
+ldap.ldapPort = 636
+ldap.loginDN = cn=Directory Manager
+
+#### BAD: LDAP credentials are stored in cleartext #### 
+ldap.password = mysecpass
+
+#### GOOD: LDAP credentials are stored in the encrypted format #### 
+ldap.password = eFRZ3Cqo5zDJWMYLiaEupw==
+
+ldap.domain1 = example
+ldap.domain2 = com
+ldap.url= ldaps://ldap.example.com:636/dc=example,dc=com
+
+#*************************** MS SQL Database Connection **********************************# 
+datasource1.driverClassName = com.microsoft.sqlserver.jdbc.SQLServerDriver
+datasource1.url = jdbc:sqlserver://ms.example.com\\exampledb:1433;
+datasource1.username = sa
+
+#### BAD: Datasource credentials are stored in cleartext #### 
+datasource1.password = Passw0rd@123
+
+#### GOOD: Datasource credentials are stored in the encrypted format #### 
+datasource1.password = VvOgflYS1EUzJdVNDoBcnA==
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.expected b/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.expected
new file mode 100644
index 00000000000..0ce33913932
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.expected
@@ -0,0 +1,5 @@
+| configuration.properties:6:1:6:25 | ldap.password=mysecpass | Plaintext credentials ldap.password have cleartext value mysecpass in properties file. |
+| configuration.properties:18:1:18:35 | datasource1.password=Passw0rd@123 | Plaintext credentials datasource1.password have cleartext value Passw0rd@123 in properties file. |
+| configuration.properties:25:1:25:31 | mail.password=MysecPWxWa@1993 | Plaintext credentials mail.password have cleartext value MysecPWxWa@1993 in properties file. |
+| configuration.properties:33:1:33:50 | com.example.aws.s3.access_key=AKMAMQPBYMCD6YSAYCBA | Plaintext credentials com.example.aws.s3.access_key have cleartext value AKMAMQPBYMCD6YSAYCBA in properties file. |
+| configuration.properties:34:1:34:70 | com.example.aws.s3.secret_key=8lMPSfWzZq+wcWtck5+QPLOJDZzE783pS09/IO3k | Plaintext credentials com.example.aws.s3.secret_key have cleartext value 8lMPSfWzZq+wcWtck5+QPLOJDZzE783pS09/IO3k in properties file. |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.qlref b/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.qlref
new file mode 100644
index 00000000000..e2536bfe883
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/configuration.properties b/java/ql/test/experimental/query-tests/security/CWE-555/configuration.properties
new file mode 100644
index 00000000000..a044161f097
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/configuration.properties
@@ -0,0 +1,37 @@
+#***************************** LDAP Credentials *****************************************#
+ldap.ldapHost = ldap.example.com
+ldap.ldapPort = 636
+ldap.loginDN = cn=Directory Manager
+#### BAD: LDAP credentials are stored in cleartext #### 
+ldap.password = mysecpass
+#### GOOD: LDAP credentials are stored in the encrypted format #### 
+ldap.password = eFRZ3Cqo5zDJWMYLiaEupw==
+ldap.domain1 = example
+ldap.domain2 = com
+ldap.url= ldaps://ldap.example.com:636/dc=example,dc=com
+
+#*************************** MS SQL Database Connection **********************************# 
+datasource1.driverClassName = com.microsoft.sqlserver.jdbc.SQLServerDriver
+datasource1.url = jdbc:sqlserver://ms.example.com\\exampledb:1433;
+datasource1.username = sa
+#### BAD: Datasource credentials are stored in cleartext #### 
+datasource1.password = Passw0rd@123
+#### GOOD: Datasource credentials are stored in the encrypted format #### 
+datasource1.password = VvOgflYS1EUzJdVNDoBcnA==
+
+#*************************** Mail Connection **********************************# 
+mail.username = test@example.com
+#### BAD: Mail credentials are stored in cleartext #### 
+mail.password = MysecPWxWa@1993
+#### GOOD: Mail credentials are stored in the encrypted format #### 
+mail.password = M*********@1993
+
+#*************************** AWS S3 Connection **********************************# 
+com.example.aws.s3.bucket_name=com-bucket-1
+com.example.aws.s3.directory_name=com-directory-1
+#### BAD: Access keys are stored in properties file in cleartext #### 
+com.example.aws.s3.access_key=AKMAMQPBYMCD6YSAYCBA
+com.example.aws.s3.secret_key=8lMPSfWzZq+wcWtck5+QPLOJDZzE783pS09/IO3k
+#### GOOD: Access keys are not stored in properties file #### 
+com.example.aws.s3.access_key=${ENV:AWS_ACCESS_KEY_ID}
+com.example.aws.s3.secret_key=${ENV:AWS_SECRET_ACCESS_KEY}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/messages.properties b/java/ql/test/experimental/query-tests/security/CWE-555/messages.properties
new file mode 100644
index 00000000000..fac63ec23e8
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/messages.properties
@@ -0,0 +1,8 @@
+prompt.username=Username
+prompt.password=Password
+
+forgot_password.error=Please enter a valid email address.
+reset_password.error=Passwords must match and not be empty.
+
+login.password_expired=Your current password has expired. Please reset your password.
+login.login_failure=Unable to verify username or password. Please try again.

From 936757b4bf385addba174a37c24f029781110553 Mon Sep 17 00:00:00 2001
From: yoff <lerchedahl@gmail.com>
Date: Fri, 26 Mar 2021 08:05:51 +0100
Subject: [PATCH 0079/1429] Update
 python/ql/src/Security/CWE-327/FluentApiModel.qll

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
---
 python/ql/src/Security/CWE-327/FluentApiModel.qll | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/FluentApiModel.qll b/python/ql/src/Security/CWE-327/FluentApiModel.qll
index d222af70499..4d63a14bdbc 100644
--- a/python/ql/src/Security/CWE-327/FluentApiModel.qll
+++ b/python/ql/src/Security/CWE-327/FluentApiModel.qll
@@ -39,13 +39,7 @@ class InsecureContextConfiguration extends DataFlow::Configuration {
     )
   }
 
-  override predicate isBarrierIn(DataFlow::Node node) {
-    exists(ProtocolUnrestriction r |
-      r = library.protocol_unrestriction() and
-      node = r.getContext() and
-      r.getUnrestriction() = tracked_version
-    )
-  }
+  override predicate isBarrierIn(DataFlow::Node node) { this.isSource(node) }
 }
 
 /**

From f1619f1ee8f6c5df2aa4d4b862deb46626bed2db Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 26 Mar 2021 08:18:11 +0100
Subject: [PATCH 0080/1429] Python: "source" -> "contextOrigin"

---
 .../ql/src/Security/CWE-327/InsecureProtocol.ql | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.ql b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
index 194cc1f5ec1..b945f2e609b 100644
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -18,11 +18,11 @@ string callName(AstNode call) {
   exists(Attribute a | a = call | result = callName(a.getObject()) + "." + a.getName())
 }
 
-string sourceName(DataFlow::Node source) {
-  result = "call to " + callName(source.asCfgNode().(CallNode).getFunction().getNode())
+string originName(DataFlow::Node contextOrigin) {
+  result = "call to " + callName(contextOrigin.asCfgNode().(CallNode).getFunction().getNode())
   or
-  not source.asCfgNode() instanceof CallNode and
-  not source instanceof ContextCreation and
+  not contextOrigin.asCfgNode() instanceof CallNode and
+  not contextOrigin instanceof ContextCreation and
   result = "context modification"
 }
 
@@ -32,11 +32,12 @@ string verb(boolean specific) {
   specific = false and result = "allowed"
 }
 
-from DataFlow::Node creation, string insecure_version, DataFlow::Node source, boolean specific
+from
+  DataFlow::Node creation, string insecure_version, DataFlow::Node contextOrigin, boolean specific
 where
-  unsafe_connection_creation(creation, insecure_version, source, specific)
+  unsafe_connection_creation(creation, insecure_version, contextOrigin, specific)
   or
-  unsafe_context_creation(creation, insecure_version, source.asCfgNode()) and specific = true
+  unsafe_context_creation(creation, insecure_version, contextOrigin.asCfgNode()) and specific = true
 select creation,
   "Insecure SSL/TLS protocol version " + insecure_version + " " + verb(specific) + " by $@ ",
-  source, sourceName(source)
+  contextOrigin, originName(contextOrigin)

From e936540863385a7ff8437f890bc7bba24b00c547 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 26 Mar 2021 08:22:09 +0100
Subject: [PATCH 0081/1429] Python: remove internal import

---
 python/ql/src/Security/CWE-327/Ssl.qll | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index be16138b961..88aaebf67ba 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -1,6 +1,5 @@
 import python
 import semmle.python.ApiGraphs
-import semmle.python.dataflow.new.internal.Attributes as Attributes
 import TlsLibraryModel
 
 class SSLContextCreation extends ContextCreation {
@@ -104,7 +103,7 @@ class ContextSetVersion extends ProtocolRestriction, ProtocolUnrestriction {
   ProtocolVersion restriction;
 
   ContextSetVersion() {
-    exists(Attributes::AttrWrite aw |
+    exists(DataFlow::AttrWrite aw |
       aw.getObject().asCfgNode() = node and
       aw.getAttributeName() = "minimum_version" and
       aw.getValue() =

From b21672c81cbc9a82f56e54093652b6a741dbe3e6 Mon Sep 17 00:00:00 2001
From: Alexander Eyers-Taylor <alexet@semmle.com>
Date: Fri, 26 Mar 2021 11:14:09 +0000
Subject: [PATCH 0082/1429] Apply suggestions from code review

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
---
 .../ql-language-reference/ql-language-specification.rst     | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/codeql/ql-language-reference/ql-language-specification.rst b/docs/codeql/ql-language-reference/ql-language-specification.rst
index ad88b791019..fb89100b401 100644
--- a/docs/codeql/ql-language-reference/ql-language-specification.rst
+++ b/docs/codeql/ql-language-reference/ql-language-specification.rst
@@ -1168,9 +1168,9 @@ A valid call with results *resolves* to a set of predicates. The ways a call can
 -  If the call has no receiver and the predicate name is a selection identifier, then the qualifier is resolved as a module (see "`Module resolution <#module-resolution>`__"). The identifier is then resolved in the exported predicate environment of the qualifier module.
 
 -  If the call has a super expression as the receiver, then it resolves to a member predicate in a class that the enclosing class inherits from:
-    -  If the super expression is unqualified and there is a single class that the current class inherits from then the super-class is that class. 
-    -  If the super expression is unqualified and there is are multiple classes that the current class inherits from then the super-class is the domain type.
-    -  Otherwise the super-class is the class named by the qualifier of the super expression. 
+    -  If the super expression is unqualified and there is a single class that the current class inherits from, then the super-class is that class. 
+    -  If the super expression is unqualified and there are multiple classes that the current class inherits from, then the super-class is the domain type.
+    -  Otherwise, the super-class is the class named by the qualifier of the super expression. 
 
    The predicate is resolved by looking up its name and arity in the exported predicate environment of the super-class. 
 

From 1be2be843dd4a0afca316598e227d4a89aea5433 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 26 Mar 2021 13:08:23 +0100
Subject: [PATCH 0083/1429] Python: update test expectations

---
 .../test/query-tests/Security/CWE-327/InsecureProtocol.expected | 2 --
 1 file changed, 2 deletions(-)

diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
index e578a335d84..f4cd96eb82e 100644
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
@@ -17,8 +17,6 @@
 | pyOpenSSL_fluent.py:18:27:18:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv2 allowed by $@  | pyOpenSSL_fluent.py:15:15:15:44 | ControlFlowNode for Attribute() | call to SSL.Context |
 | pyOpenSSL_fluent.py:18:27:18:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@  | pyOpenSSL_fluent.py:15:15:15:44 | ControlFlowNode for Attribute() | call to SSL.Context |
 | pyOpenSSL_fluent.py:18:27:18:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | pyOpenSSL_fluent.py:15:15:15:44 | ControlFlowNode for Attribute() | call to SSL.Context |
-| pyOpenSSL_fluent.py:29:27:29:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv2 allowed by $@  | pyOpenSSL_fluent.py:25:15:25:44 | ControlFlowNode for Attribute() | call to SSL.Context |
-| pyOpenSSL_fluent.py:29:27:29:33 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@  | pyOpenSSL_fluent.py:25:15:25:44 | ControlFlowNode for Attribute() | call to SSL.Context |
 | ssl_fluent.py:9:14:9:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:6:15:6:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
 | ssl_fluent.py:9:14:9:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:6:15:6:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
 | ssl_fluent.py:19:14:19:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:15:15:15:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |

From 2e948da3b4a5de3e0bc56d4ad0d19f4f787d5473 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 26 Mar 2021 13:08:45 +0100
Subject: [PATCH 0084/1429] Python: suggested refactor

---
 python/ql/src/Security/CWE-327/FluentApiModel.qll  | 5 ++---
 python/ql/src/Security/CWE-327/InsecureProtocol.ql | 4 +++-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/FluentApiModel.qll b/python/ql/src/Security/CWE-327/FluentApiModel.qll
index 4d63a14bdbc..543c32799bc 100644
--- a/python/ql/src/Security/CWE-327/FluentApiModel.qll
+++ b/python/ql/src/Security/CWE-327/FluentApiModel.qll
@@ -67,9 +67,8 @@ predicate unsafe_connection_creation(
 }
 
 /** A connection is created insecurely without reference to a context. */
-predicate unsafe_context_creation(DataFlow::Node node, string insecure_version, CallNode call) {
+predicate unsafe_context_creation(DataFlow::CallCfgNode call, string insecure_version) {
   exists(TlsLibrary l, ContextCreation cc | cc = l.insecure_context_creation(insecure_version) |
-    cc = node and
-    cc.getNode() = call
+    cc = call
   )
 }
diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.ql b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
index b945f2e609b..a716b894880 100644
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -37,7 +37,9 @@ from
 where
   unsafe_connection_creation(creation, insecure_version, contextOrigin, specific)
   or
-  unsafe_context_creation(creation, insecure_version, contextOrigin.asCfgNode()) and specific = true
+  unsafe_context_creation(creation, insecure_version) and
+  contextOrigin = creation and
+  specific = true
 select creation,
   "Insecure SSL/TLS protocol version " + insecure_version + " " + verb(specific) + " by $@ ",
   contextOrigin, originName(contextOrigin)

From 7d7cbc49db35d0b05f12594984ac36ef529699a1 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 26 Mar 2021 14:20:38 +0100
Subject: [PATCH 0085/1429] Fix comments. This induced fixing the code, since
 things were wired up wrongly. Currently the only implementation of
 `insecure_connection_creation` is `ssl.wrap_socket`, which is also the sole
 target of  py/insecure-default-protocol`, so perhaps this part should be
 turned off?

---
 .../src/Security/CWE-327/FluentApiModel.qll   | 39 +++++++++++++------
 .../src/Security/CWE-327/InsecureProtocol.ql  | 18 ++++++---
 2 files changed, 40 insertions(+), 17 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/FluentApiModel.qll b/python/ql/src/Security/CWE-327/FluentApiModel.qll
index 543c32799bc..169996081dc 100644
--- a/python/ql/src/Security/CWE-327/FluentApiModel.qll
+++ b/python/ql/src/Security/CWE-327/FluentApiModel.qll
@@ -43,16 +43,21 @@ class InsecureContextConfiguration extends DataFlow::Configuration {
 }
 
 /**
- * A connection is created from a context allowing an insecure protocol,
- * and that protocol has not been restricted appropriately.
+ * Holds if `conectionCreation` marks the creation of a connetion based on the contex
+ * found at `contextOrigin` and allowing `insecure_version`.
+ * `specific` is true iff the context if configured for a specific protocol version rather
+ * than for a family of protocols.
  */
-predicate unsafe_connection_creation(
-  DataFlow::Node creation, ProtocolVersion insecure_version, DataFlow::Node source, boolean specific
+predicate unsafe_connection_creation_with_context(
+  DataFlow::Node connectionCreation, ProtocolVersion insecure_version, DataFlow::Node contextOrigin,
+  boolean specific
 ) {
   // Connection created from a context allowing `insecure_version`.
-  exists(InsecureContextConfiguration c, ProtocolUnrestriction cc | c.hasFlow(cc, creation) |
+  exists(InsecureContextConfiguration c, ProtocolUnrestriction co |
+    c.hasFlow(co, connectionCreation)
+  |
     insecure_version = c.getTrackedVersion() and
-    source = cc and
+    contextOrigin = co and
     specific = false
   )
   or
@@ -60,15 +65,27 @@ predicate unsafe_connection_creation(
   exists(TlsLibrary l, DataFlow::CfgNode cc |
     cc = l.insecure_connection_creation(insecure_version)
   |
-    creation = cc and
-    source = cc and
+    connectionCreation = cc and
+    contextOrigin = cc and
     specific = true
   )
 }
 
-/** A connection is created insecurely without reference to a context. */
-predicate unsafe_context_creation(DataFlow::CallCfgNode call, string insecure_version) {
+/**
+ * Holds if `conectionCreation` marks the creation of a connetion witout reference to a context
+ * and allowing `insecure_version`.
+ * `specific` is true iff the context if configured for a specific protocol version rather
+ * than for a family of protocols.
+ */
+predicate unsafe_connection_creation_without_context(
+  DataFlow::CallCfgNode connectionCreation, string insecure_version
+) {
+  exists(TlsLibrary l | connectionCreation = l.insecure_connection_creation(insecure_version))
+}
+
+/** Holds if `contextCreation` is creating a context ties to a specific insecure version. */
+predicate unsafe_context_creation(DataFlow::CallCfgNode contextCreation, string insecure_version) {
   exists(TlsLibrary l, ContextCreation cc | cc = l.insecure_context_creation(insecure_version) |
-    cc = call
+    contextCreation = cc
   )
 }
diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.ql b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
index a716b894880..974c36ddb0c 100644
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -33,13 +33,19 @@ string verb(boolean specific) {
 }
 
 from
-  DataFlow::Node creation, string insecure_version, DataFlow::Node contextOrigin, boolean specific
+  DataFlow::Node connectionCreation, string insecure_version, DataFlow::Node protocolConfiguration,
+  boolean specific
 where
-  unsafe_connection_creation(creation, insecure_version, contextOrigin, specific)
+  unsafe_connection_creation_with_context(connectionCreation, insecure_version,
+    protocolConfiguration, specific)
   or
-  unsafe_context_creation(creation, insecure_version) and
-  contextOrigin = creation and
+  unsafe_connection_creation_without_context(connectionCreation, insecure_version) and
+  protocolConfiguration = connectionCreation and
   specific = true
-select creation,
+  or
+  unsafe_context_creation(protocolConfiguration, insecure_version) and
+  connectionCreation = protocolConfiguration and
+  specific = true
+select connectionCreation,
   "Insecure SSL/TLS protocol version " + insecure_version + " " + verb(specific) + " by $@ ",
-  contextOrigin, originName(contextOrigin)
+  protocolConfiguration, originName(protocolConfiguration)

From 851317e34ffbf27c939d4575fa399c7227c85e6e Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Thu, 11 Mar 2021 11:42:32 +0000
Subject: [PATCH 0086/1429] Add models for StrBuilder's fluent methods

---
 .../semmle/code/java/frameworks/apache/Lang.qll    |  9 +++++++++
 .../apache-commons-lang3/StrBuilderTest.java       | 14 ++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
index deab8f4a692..1ddf8876c3d 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
@@ -427,6 +427,15 @@ private class ApacheStrBuilderModel extends SummaryModelCsv {
   }
 }
 
+/**
+ * An Apache Commons-Lang StrBuilder method that returns `this`.
+ */
+private class ApacheStrBuilderFluentMethod extends FluentMethod {
+  ApacheStrBuilderFluentMethod() {
+    this.getReturnType().(RefType).hasQualifiedName("org.apache.commons.lang3.text", "StrBuilder")
+  }
+}
+
 /**
  * Taint-propagating models for `WordUtils`.
  */
diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTest.java b/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTest.java
index bc8887d1150..d460184e176 100644
--- a/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTest.java
+++ b/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTest.java
@@ -128,6 +128,20 @@ class StrBuilderTest {
         StrBuilder sb72 = new StrBuilder(); sb72.append(taint()); sink(sb72.toCharArray(0, 0)); // $hasTaintFlow
         StrBuilder sb73 = new StrBuilder(); sb73.append(taint()); sink(sb73.toStringBuffer()); // $hasTaintFlow
         StrBuilder sb74 = new StrBuilder(); sb74.append(taint()); sink(sb74.toStringBuilder()); // $hasTaintFlow
+
+        // Tests for fluent methods (those returning `this`):
+
+        StrBuilder fluentTest = new StrBuilder();
+        sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $hasTaintFlow
+
+        StrBuilder fluentBackflowTest = new StrBuilder();
+        fluentBackflowTest.append("Harmless").append(taint()).append("Also harmless");
+        sink(fluentBackflowTest.toString()); // $hasTaintFlow
+
+        // Test the case where the fluent method contributing taint is at the end of a statement:
+        StrBuilder fluentBackflowTest2 = new StrBuilder();
+        fluentBackflowTest2.append("Harmless").append(taint());
+        sink(fluentBackflowTest2.toString()); // $hasTaintFlow
     }
 
 }
\ No newline at end of file

From 3a274424abc0bdc7b6d84678aa3a9697c9f2ace0 Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Thu, 11 Mar 2021 13:45:55 +0000
Subject: [PATCH 0087/1429] Convert fluent method models to csv and generalise
 to the three different variants of StrBuilder.

---
 .../code/java/frameworks/apache/Lang.qll      | 86 +++++++++++++++++++
 .../apache-commons-lang3/StrBuilderTest.java  | 62 +++++++++++++
 .../StrBuilderTextTest.java                   | 76 ++++++++++++++++
 .../TextStringBuilderTest.java                | 76 ++++++++++++++++
 4 files changed, 300 insertions(+)

diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
index 1ddf8876c3d..2422efc83d9 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
@@ -427,6 +427,92 @@ private class ApacheStrBuilderModel extends SummaryModelCsv {
   }
 }
 
+private class ApacheStrBuilderFluentMethodsModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.apache.commons.lang3.text;StrBuilder;false;append;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendAll;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendFixedWidthPadLeft;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendFixedWidthPadRight;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendln;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendNewLine;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendNull;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendPadding;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendSeparator;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendWithSeparators;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;delete;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;deleteAll;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;deleteCharAt;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;deleteFirst;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;ensureCapacity;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;insert;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;minimizeCapacity;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;replace;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;replaceAll;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;replaceFirst;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;reverse;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;setCharAt;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;setLength;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;setNewLineText;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;setNullText;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;trim;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;append;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;appendAll;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;appendFixedWidthPadLeft;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;appendFixedWidthPadRight;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;appendln;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;appendNewLine;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;appendNull;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;appendPadding;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;appendSeparator;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;appendWithSeparators;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;delete;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;deleteAll;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;deleteCharAt;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;deleteFirst;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;ensureCapacity;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;insert;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;minimizeCapacity;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;replace;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;replaceAll;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;replaceFirst;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;reverse;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;setCharAt;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;setLength;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;setNewLineText;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;setNullText;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;trim;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;append;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;appendAll;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;appendFixedWidthPadLeft;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;appendFixedWidthPadRight;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;appendln;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;appendNewLine;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;appendNull;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;appendPadding;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;appendSeparator;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;appendWithSeparators;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;delete;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;deleteAll;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;deleteCharAt;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;deleteFirst;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;ensureCapacity;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;insert;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;minimizeCapacity;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;replace;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;replaceAll;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;replaceFirst;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;reverse;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;setCharAt;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;setLength;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;setNewLineText;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;setNullText;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;trim;;;Argument[-1];ReturnValue;value"
+      ]
+  }
+}
+
 /**
  * An Apache Commons-Lang StrBuilder method that returns `this`.
  */
diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTest.java b/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTest.java
index d460184e176..0c0e386e9c2 100644
--- a/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTest.java
+++ b/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTest.java
@@ -142,6 +142,68 @@ class StrBuilderTest {
         StrBuilder fluentBackflowTest2 = new StrBuilder();
         fluentBackflowTest2.append("Harmless").append(taint());
         sink(fluentBackflowTest2.toString()); // $hasTaintFlow
+
+        // Test all fluent methods are passing taint through to their result:
+        StrBuilder fluentAllMethodsTest = new StrBuilder(taint());
+        sink(fluentAllMethodsTest // $hasTaintFlow
+        .append("text")
+        .appendAll("text")
+        .appendFixedWidthPadLeft("text", 4, ' ')
+        .appendFixedWidthPadRight("text", 4, ' ')
+        .appendln("text")
+        .appendNewLine()
+        .appendNull()
+        .appendPadding(0, ' ')
+        .appendSeparator(',')
+        .appendWithSeparators(new String[] { }, ",")
+        .delete(0, 0)
+        .deleteAll(' ')
+        .deleteCharAt(0)
+        .deleteFirst("delme")
+        .ensureCapacity(100)
+        .insert(1, "insertme")
+        .minimizeCapacity()
+        .replace(0, 0, "replacement")
+        .replaceAll("find", "replace")
+        .replaceFirst("find", "replace")
+        .reverse()
+        .setCharAt(0, 'a')
+        .setLength(500)
+        .setNewLineText("newline")
+        .setNullText("NULL")
+        .trim());
+
+        // Test all fluent methods are passing taint back to their qualifier:
+        StrBuilder fluentAllMethodsTest2 = new StrBuilder();
+        fluentAllMethodsTest2
+        .append("text")
+        .appendAll("text")
+        .appendFixedWidthPadLeft("text", 4, ' ')
+        .appendFixedWidthPadRight("text", 4, ' ')
+        .appendln("text")
+        .appendNewLine()
+        .appendNull()
+        .appendPadding(0, ' ')
+        .appendSeparator(',')
+        .appendWithSeparators(new String[] { }, ",")
+        .delete(0, 0)
+        .deleteAll(' ')
+        .deleteCharAt(0)
+        .deleteFirst("delme")
+        .ensureCapacity(100)
+        .insert(1, "insertme")
+        .minimizeCapacity()
+        .replace(0, 0, "replacement")
+        .replaceAll("find", "replace")
+        .replaceFirst("find", "replace")
+        .reverse()
+        .setCharAt(0, 'a')
+        .setLength(500)
+        .setNewLineText("newline")
+        .setNullText("NULL")
+        .trim()
+        .append(taint());
+        sink(fluentAllMethodsTest2); // $hasTaintFlow
     }
 
 }
\ No newline at end of file
diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTextTest.java b/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTextTest.java
index 796900e8a3b..74f0f1d17c9 100644
--- a/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTextTest.java
+++ b/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTextTest.java
@@ -128,6 +128,82 @@ class StrBuilderTextTest {
         StrBuilder sb72 = new StrBuilder(); sb72.append(taint()); sink(sb72.toCharArray(0, 0)); // $hasTaintFlow
         StrBuilder sb73 = new StrBuilder(); sb73.append(taint()); sink(sb73.toStringBuffer()); // $hasTaintFlow
         StrBuilder sb74 = new StrBuilder(); sb74.append(taint()); sink(sb74.toStringBuilder()); // $hasTaintFlow
+
+        // Tests for fluent methods (those returning `this`):
+
+        StrBuilder fluentTest = new StrBuilder();
+        sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $hasTaintFlow
+
+        StrBuilder fluentBackflowTest = new StrBuilder();
+        fluentBackflowTest.append("Harmless").append(taint()).append("Also harmless");
+        sink(fluentBackflowTest.toString()); // $hasTaintFlow
+
+        // Test the case where the fluent method contributing taint is at the end of a statement:
+        StrBuilder fluentBackflowTest2 = new StrBuilder();
+        fluentBackflowTest2.append("Harmless").append(taint());
+        sink(fluentBackflowTest2.toString()); // $hasTaintFlow
+
+        // Test all fluent methods are passing taint through to their result:
+        StrBuilder fluentAllMethodsTest = new StrBuilder(taint());
+        sink(fluentAllMethodsTest // $hasTaintFlow
+        .append("text")
+        .appendAll("text")
+        .appendFixedWidthPadLeft("text", 4, ' ')
+        .appendFixedWidthPadRight("text", 4, ' ')
+        .appendln("text")
+        .appendNewLine()
+        .appendNull()
+        .appendPadding(0, ' ')
+        .appendSeparator(',')
+        .appendWithSeparators(new String[] { }, ",")
+        .delete(0, 0)
+        .deleteAll(' ')
+        .deleteCharAt(0)
+        .deleteFirst("delme")
+        .ensureCapacity(100)
+        .insert(1, "insertme")
+        .minimizeCapacity()
+        .replace(0, 0, "replacement")
+        .replaceAll("find", "replace")
+        .replaceFirst("find", "replace")
+        .reverse()
+        .setCharAt(0, 'a')
+        .setLength(500)
+        .setNewLineText("newline")
+        .setNullText("NULL")
+        .trim());
+
+        // Test all fluent methods are passing taint back to their qualifier:
+        StrBuilder fluentAllMethodsTest2 = new StrBuilder();
+        fluentAllMethodsTest2
+        .append("text")
+        .appendAll("text")
+        .appendFixedWidthPadLeft("text", 4, ' ')
+        .appendFixedWidthPadRight("text", 4, ' ')
+        .appendln("text")
+        .appendNewLine()
+        .appendNull()
+        .appendPadding(0, ' ')
+        .appendSeparator(',')
+        .appendWithSeparators(new String[] { }, ",")
+        .delete(0, 0)
+        .deleteAll(' ')
+        .deleteCharAt(0)
+        .deleteFirst("delme")
+        .ensureCapacity(100)
+        .insert(1, "insertme")
+        .minimizeCapacity()
+        .replace(0, 0, "replacement")
+        .replaceAll("find", "replace")
+        .replaceFirst("find", "replace")
+        .reverse()
+        .setCharAt(0, 'a')
+        .setLength(500)
+        .setNewLineText("newline")
+        .setNullText("NULL")
+        .trim()
+        .append(taint());
+        sink(fluentAllMethodsTest2); // $hasTaintFlow
     }
 
 }
\ No newline at end of file
diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/TextStringBuilderTest.java b/java/ql/test/library-tests/frameworks/apache-commons-lang3/TextStringBuilderTest.java
index 69db28cb3e9..e490c11c7cb 100644
--- a/java/ql/test/library-tests/frameworks/apache-commons-lang3/TextStringBuilderTest.java
+++ b/java/ql/test/library-tests/frameworks/apache-commons-lang3/TextStringBuilderTest.java
@@ -129,6 +129,82 @@ class TextStringBuilderTest {
         TextStringBuilder sb72 = new TextStringBuilder(); sb72.append(taint()); sink(sb72.toCharArray(0, 0)); // $hasTaintFlow
         TextStringBuilder sb73 = new TextStringBuilder(); sb73.append(taint()); sink(sb73.toStringBuffer()); // $hasTaintFlow
         TextStringBuilder sb74 = new TextStringBuilder(); sb74.append(taint()); sink(sb74.toStringBuilder()); // $hasTaintFlow
+
+        // Tests for fluent methods (those returning `this`):
+
+        TextStringBuilder fluentTest = new TextStringBuilder();
+        sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $hasTaintFlow
+
+        TextStringBuilder fluentBackflowTest = new TextStringBuilder();
+        fluentBackflowTest.append("Harmless").append(taint()).append("Also harmless");
+        sink(fluentBackflowTest.toString()); // $hasTaintFlow
+
+        // Test the case where the fluent method contributing taint is at the end of a statement:
+        TextStringBuilder fluentBackflowTest2 = new TextStringBuilder();
+        fluentBackflowTest2.append("Harmless").append(taint());
+        sink(fluentBackflowTest2.toString()); // $hasTaintFlow
+
+        // Test all fluent methods are passing taint through to their result:
+        TextStringBuilder fluentAllMethodsTest = new TextStringBuilder(taint());
+        sink(fluentAllMethodsTest // $hasTaintFlow
+        .append("text")
+        .appendAll("text")
+        .appendFixedWidthPadLeft("text", 4, ' ')
+        .appendFixedWidthPadRight("text", 4, ' ')
+        .appendln("text")
+        .appendNewLine()
+        .appendNull()
+        .appendPadding(0, ' ')
+        .appendSeparator(',')
+        .appendWithSeparators(new String[] { }, ",")
+        .delete(0, 0)
+        .deleteAll(' ')
+        .deleteCharAt(0)
+        .deleteFirst("delme")
+        .ensureCapacity(100)
+        .insert(1, "insertme")
+        .minimizeCapacity()
+        .replace(0, 0, "replacement")
+        .replaceAll("find", "replace")
+        .replaceFirst("find", "replace")
+        .reverse()
+        .setCharAt(0, 'a')
+        .setLength(500)
+        .setNewLineText("newline")
+        .setNullText("NULL")
+        .trim());
+
+        // Test all fluent methods are passing taint back to their qualifier:
+        TextStringBuilder fluentAllMethodsTest2 = new TextStringBuilder();
+        fluentAllMethodsTest2
+        .append("text")
+        .appendAll("text")
+        .appendFixedWidthPadLeft("text", 4, ' ')
+        .appendFixedWidthPadRight("text", 4, ' ')
+        .appendln("text")
+        .appendNewLine()
+        .appendNull()
+        .appendPadding(0, ' ')
+        .appendSeparator(',')
+        .appendWithSeparators(new String[] { }, ",")
+        .delete(0, 0)
+        .deleteAll(' ')
+        .deleteCharAt(0)
+        .deleteFirst("delme")
+        .ensureCapacity(100)
+        .insert(1, "insertme")
+        .minimizeCapacity()
+        .replace(0, 0, "replacement")
+        .replaceAll("find", "replace")
+        .replaceFirst("find", "replace")
+        .reverse()
+        .setCharAt(0, 'a')
+        .setLength(500)
+        .setNewLineText("newline")
+        .setNullText("NULL")
+        .trim()
+        .append(taint());
+        sink(fluentAllMethodsTest2); // $hasTaintFlow
     }
 
 }
\ No newline at end of file

From 42b63a61ae82b19a7e61c86bebfe27365d35bf79 Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Thu, 11 Mar 2021 18:34:11 +0000
Subject: [PATCH 0088/1429] Add change note

---
 java/change-notes/2021-03-11-commons-strbuilder.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 java/change-notes/2021-03-11-commons-strbuilder.md

diff --git a/java/change-notes/2021-03-11-commons-strbuilder.md b/java/change-notes/2021-03-11-commons-strbuilder.md
new file mode 100644
index 00000000000..ce8f647ab0f
--- /dev/null
+++ b/java/change-notes/2021-03-11-commons-strbuilder.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for the Apache Commons Lang and Commons Text StrBuilder class, and its successor TextStringBuilder.

From 8155334fa7b4b72015e1b75bf2563b0b96c699bb Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 26 Mar 2021 15:57:07 +0100
Subject: [PATCH 0089/1429] Python: More elaborate qldoc also refactor code to
 match

---
 .../src/Security/CWE-327/FluentApiModel.qll   | 48 +++++++++++++------
 1 file changed, 33 insertions(+), 15 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/FluentApiModel.qll b/python/ql/src/Security/CWE-327/FluentApiModel.qll
index 169996081dc..d4eb13a133d 100644
--- a/python/ql/src/Security/CWE-327/FluentApiModel.qll
+++ b/python/ql/src/Security/CWE-327/FluentApiModel.qll
@@ -2,9 +2,21 @@ import python
 import TlsLibraryModel
 
 /**
- * Configuration to track flow from the creation of a context to
- * that context being used to create a connection.
- * Flow is broken if the insecure protocol of interest is being restricted.
+ * Configuration to determine the state of a context being used to create
+ * a conection.
+ *
+ * The state is in terms of whether a specific protocol is allowed. This is
+ * either true or false when the context is created and can then be modified
+ * later by either restricting or unrestricting the protocol (see the predicates
+ * `isRestriction` and `isUnrestriction`).
+ *
+ * Since we are interested in the final state, we want the flow to start from
+ * the last unrestriction, so we disallow flow into unrestrictions. We also
+ * model the creation as an unrestriction of everything it allows, to account
+ * for the common case where the creation plays the role of "last unrestriction".
+ *
+ * Since we really want "the last unrestriction, not nullified by a restriction",
+ * we also disallow flow into restrictions.
  */
 class InsecureContextConfiguration extends DataFlow::Configuration {
   TlsLibrary library;
@@ -17,29 +29,35 @@ class InsecureContextConfiguration extends DataFlow::Configuration {
 
   ProtocolVersion getTrackedVersion() { result = tracked_version }
 
-  override predicate isSource(DataFlow::Node source) {
-    // source = library.unspecific_context_creation()
-    exists(ProtocolUnrestriction pu |
-      pu = library.protocol_unrestriction() and
-      pu.getUnrestriction() = tracked_version
-    |
-      source = pu.getContext()
-    )
-  }
+  override predicate isSource(DataFlow::Node source) { this.isUnrestriction(source) }
 
   override predicate isSink(DataFlow::Node sink) {
     sink = library.connection_creation().getContext()
   }
 
-  override predicate isBarrierOut(DataFlow::Node node) {
+  override predicate isBarrierIn(DataFlow::Node node) {
+    this.isRestriction(node)
+    or
+    this.isUnrestriction(node)
+  }
+
+  private predicate isRestriction(DataFlow::Node node) {
     exists(ProtocolRestriction r |
       r = library.protocol_restriction() and
-      node = r.getContext() and
       r.getRestriction() = tracked_version
+    |
+      node = r.getContext()
     )
   }
 
-  override predicate isBarrierIn(DataFlow::Node node) { this.isSource(node) }
+  private predicate isUnrestriction(DataFlow::Node node) {
+    exists(ProtocolUnrestriction pu |
+      pu = library.protocol_unrestriction() and
+      pu.getUnrestriction() = tracked_version
+    |
+      node = pu.getContext()
+    )
+  }
 }
 
 /**

From 98dfe1a00a14e6dfc8c27d84cfeb2ee363515f56 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 26 Mar 2021 17:27:43 +0100
Subject: [PATCH 0090/1429] Python: Elaborate qldoc and renames to match

---
 python/ql/src/Security/CWE-327/Ssl.qll | 34 ++++++++++++++++++--------
 1 file changed, 24 insertions(+), 10 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index 88aaebf67ba..110b4bf185a 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -45,7 +45,7 @@ class OptionsAugOr extends ProtocolRestriction {
       (
         aa.getValue() = flag
         or
-        impliesValue(aa.getValue(), flag, false, false)
+        impliesBitSet(aa.getValue(), flag, false, false)
       )
     )
   }
@@ -70,7 +70,7 @@ class OptionsAugAndNot extends ProtocolUnrestriction {
       (
         aa.getValue() = notFlag
         or
-        impliesValue(aa.getValue(), notFlag, true, true)
+        impliesBitSet(aa.getValue(), notFlag, true, true)
       )
     )
   }
@@ -80,22 +80,36 @@ class OptionsAugAndNot extends ProtocolUnrestriction {
   override ProtocolVersion getUnrestriction() { result = restriction }
 }
 
-/** Whether `part` evaluates to `partIsTrue` if `whole` evaluates to `wholeIsTrue`. */
-predicate impliesValue(BinaryExpr whole, Expr part, boolean partIsTrue, boolean wholeIsTrue) {
+/**
+ * Holds if
+ *   for every bit, _b_:
+ *     `wholeHasBitSet` represents that _b_ is set in `whole`
+ *     implies
+ *     `partHasBitSet` represents that _b_ is set in `part`
+ *
+ * As an example take `whole` = `part1 & part2`. Then
+ * `impliesBitSet(whole, part1, true, true)` holds
+ * because for any bit in `whole`, if that bit is set it must also be set in `part1`.
+ *
+ * Similarly for `whole` = `part1 | part2`. Here
+ * `impliesBitSet(whole, part1, false, false)` holds
+ * because for any bit in `whole`, if that bit is not set, it cannot be set in `part1`.
+ */
+predicate impliesBitSet(BinaryExpr whole, Expr part, boolean partHasBitSet, boolean wholeHasBitSet) {
   whole.getOp() instanceof BitAnd and
   (
-    wholeIsTrue = true and partIsTrue = true and part in [whole.getLeft(), whole.getRight()]
+    wholeHasBitSet = true and partHasBitSet = true and part in [whole.getLeft(), whole.getRight()]
     or
-    wholeIsTrue = true and
-    impliesValue([whole.getLeft(), whole.getRight()], part, partIsTrue, wholeIsTrue)
+    wholeHasBitSet = true and
+    impliesBitSet([whole.getLeft(), whole.getRight()], part, partHasBitSet, wholeHasBitSet)
   )
   or
   whole.getOp() instanceof BitOr and
   (
-    wholeIsTrue = false and partIsTrue = false and part in [whole.getLeft(), whole.getRight()]
+    wholeHasBitSet = false and partHasBitSet = false and part in [whole.getLeft(), whole.getRight()]
     or
-    wholeIsTrue = false and
-    impliesValue([whole.getLeft(), whole.getRight()], part, partIsTrue, wholeIsTrue)
+    wholeHasBitSet = false and
+    impliesBitSet([whole.getLeft(), whole.getRight()], part, partHasBitSet, wholeHasBitSet)
   )
 }
 

From 470b4d86582595101439a043ab4cd4db935b11a2 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 26 Mar 2021 17:35:36 +0100
Subject: [PATCH 0091/1429] Python: Add missing qldoc

---
 python/ql/src/Security/CWE-327/TlsLibraryModel.qll | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
index 3ab880e8bd9..f66d663a7e2 100644
--- a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
+++ b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
@@ -58,6 +58,10 @@ abstract class ProtocolUnrestriction extends DataFlow::CfgNode {
   abstract ProtocolVersion getUnrestriction();
 }
 
+/**
+ * A context is being created with a range of allowed protocols.
+ * This also serves as unrestricting these protocols.
+ */
 abstract class UnspecificContextCreation extends ContextCreation, ProtocolUnrestriction {
   TlsLibrary library;
   ProtocolFamily family;
@@ -77,6 +81,7 @@ abstract class UnspecificContextCreation extends ContextCreation, ProtocolUnrest
   }
 }
 
+/** A model of a TLS library. */
 abstract class TlsLibrary extends string {
   TlsLibrary() { this in ["ssl", "pyOpenSSL"] }
 

From 44d62df3f72719d8ba57a2519877db2a179f4ec4 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 26 Mar 2021 17:51:18 +0100
Subject: [PATCH 0092/1429] Python: Fix model of `TLS` and add reference

---
 python/ql/src/Security/CWE-327/TlsLibraryModel.qll | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
index f66d663a7e2..245a60b0295 100644
--- a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
+++ b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
@@ -71,11 +71,14 @@ abstract class UnspecificContextCreation extends ContextCreation, ProtocolUnrest
   override DataFlow::CfgNode getContext() { result = this }
 
   override ProtocolVersion getUnrestriction() {
+    // see https://www.openssl.org/docs/man1.1.0/man3/TLS_method.html
     family = "TLS" and
-    result in ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
+    result in ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
     or
     // This can negotiate a TLS 1.3 connection (!)
-    // see https://docs.python.org/3/library/ssl.html#ssl-contexts
+    // see
+    // - https://docs.python.org/3/library/ssl.html#ssl-contexts
+    // - https://www.openssl.org/docs/man1.0.2/man3/TLSv1_method.html
     family = "SSLv23" and
     result in ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
   }

From a72b1340eb6bb3bdbea9cabd6bdd942a9365b848 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Fri, 26 Mar 2021 16:51:43 +0000
Subject: [PATCH 0093/1429] Add a comment on how to run the query

---
 .../Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql  | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
index 3acd22e767a..772ac6cd209 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
@@ -8,6 +8,14 @@
  *       external/cwe-016
  */
 
+/*
+ * Note this query requires properties files to be indexed before it can produce results.
+ * If creating your own database with the CodeQL CLI, you should run
+ * `codeql database index-files --language=properties ...`
+ * If using lgtm.com, you should add `properties_files: true` to the index block of your
+ * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction)
+ */
+
 import java
 import semmle.code.configfiles.ConfigFiles
 import semmle.code.xml.MavenPom

From e0352fe7638223a1d998bdd26752e358d2ec8e92 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 26 Mar 2021 23:26:24 +0100
Subject: [PATCH 0094/1429] Python: remove deprecated section of qhelp file

---
 python/ql/src/Security/CWE-327/InsecureProtocol.qhelp | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.qhelp b/python/ql/src/Security/CWE-327/InsecureProtocol.qhelp
index cfcebd0930d..9ecc7da0d60 100644
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.qhelp
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.qhelp
@@ -32,12 +32,6 @@
             All cases should be updated to use a secure protocol, such as
             <code>PROTOCOL_TLSv1_2</code>.
           </p>
-          <p>
-            Note that <code>ssl.wrap_socket</code> has been deprecated in
-            Python 3.7. A preferred alternative is to use
-            <code>ssl.SSLContext</code>, which is supported in Python 2.7.9 and
-            3.2 and later versions.
-          </p>
           <p>
             Note that <code>ssl.wrap_socket</code> has been deprecated in
             Python 3.7. The recommended alternatives are:

From bf81122fc6b26584e85d4f0b7b4f854a2296471b Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 26 Mar 2021 23:37:19 +0100
Subject: [PATCH 0095/1429] Python: fix typo and add linebreaks

---
 python/ql/src/Security/CWE-327/FluentApiModel.qll | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/FluentApiModel.qll b/python/ql/src/Security/CWE-327/FluentApiModel.qll
index d4eb13a133d..803b7adab40 100644
--- a/python/ql/src/Security/CWE-327/FluentApiModel.qll
+++ b/python/ql/src/Security/CWE-327/FluentApiModel.qll
@@ -63,7 +63,8 @@ class InsecureContextConfiguration extends DataFlow::Configuration {
 /**
  * Holds if `conectionCreation` marks the creation of a connetion based on the contex
  * found at `contextOrigin` and allowing `insecure_version`.
- * `specific` is true iff the context if configured for a specific protocol version rather
+ *
+ * `specific` is true iff the context is configured for a specific protocol version rather
  * than for a family of protocols.
  */
 predicate unsafe_connection_creation_with_context(
@@ -92,7 +93,8 @@ predicate unsafe_connection_creation_with_context(
 /**
  * Holds if `conectionCreation` marks the creation of a connetion witout reference to a context
  * and allowing `insecure_version`.
- * `specific` is true iff the context if configured for a specific protocol version rather
+ *
+ * `specific` is true iff the context is configured for a specific protocol version rather
  * than for a family of protocols.
  */
 predicate unsafe_connection_creation_without_context(

From bd863884479d4373e17717208441bbe6423d831b Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Sat, 27 Mar 2021 01:07:15 +0100
Subject: [PATCH 0096/1429] Python: Add typetracker to constrain attribute.

---
 python/ql/src/Security/CWE-327/Ssl.qll | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index 110b4bf185a..7f141523390 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -22,10 +22,28 @@ class SSLDefaultContextCreation extends ContextCreation {
   override DataFlow::CfgNode getProtocol() { none() }
 }
 
+/** Gets a reference to an `ssl.Context` instance. */
+private DataFlow::LocalSourceNode sslContextInstance(DataFlow::TypeTracker t) {
+  t.start() and
+  result = API::moduleImport("ssl").getMember(["SSLContext", "create_default_context"]).getACall()
+  or
+  exists(DataFlow::TypeTracker t2 | result = sslContextInstance(t2).track(t2, t))
+}
+
+/** Gets a reference to an `ssl.Context` instance. */
+DataFlow::Node sslContextInstance() {
+  sslContextInstance(DataFlow::TypeTracker::end()).flowsTo(result)
+}
+
 class WrapSocketCall extends ConnectionCreation {
   override CallNode node;
 
-  WrapSocketCall() { node.getFunction().(AttrNode).getName() = "wrap_socket" }
+  WrapSocketCall() {
+    exists(DataFlow::AttrRead call | node.getFunction() = call.asCfgNode() |
+      call.getAttributeName() = "wrap_socket" and
+      call.getObject() = sslContextInstance()
+    )
+  }
 
   override DataFlow::CfgNode getContext() {
     result.getNode() = node.getFunction().(AttrNode).getObject()

From a53cbc1631c2cfc994f74d4c5ce9e39f6c38abbc Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Sat, 27 Mar 2021 00:11:01 +0000
Subject: [PATCH 0097/1429] Update qldoc and make the query more readable

---
 .../CWE-555/CredentialsInPropertiesFile.qhelp |  4 +-
 .../CWE-555/CredentialsInPropertiesFile.ql    | 22 +++--
 .../CWE-555/CredentialsInPropertiesFile.ql    | 84 +++++++++++++++++++
 .../CWE-555/CredentialsInPropertiesFile.qlref |  1 -
 4 files changed, 101 insertions(+), 10 deletions(-)
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.ql
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.qlref

diff --git a/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.qhelp b/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.qhelp
index afbd40685ba..0869b886260 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.qhelp
@@ -15,7 +15,7 @@
     <p>
       Credentials stored in properties files should be encrypted and recycled regularly. 
       In a Java EE deployment scenario, utilities provided by application servers like 
-      keystore and password vault can be used to encrypt and manage credentials.
+      keystores and password vaults can be used to encrypt and manage credentials.
     </p>
   </recommendation>
 
@@ -27,7 +27,7 @@
 
     <p>
       In the second example, the credentials of a LDAP and datasource properties are stored
-      in the encrypted format.
+      in an encrypted format.
     </p>
     <sample src="configuration.properties" />
   </example>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql b/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
index 2ab074e56d8..1e9b9906096 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
@@ -9,10 +9,18 @@
  *       external/cwe/cwe-260
  */
 
+/*
+ * Note this query requires properties files to be indexed before it can produce results.
+ * If creating your own database with the CodeQL CLI, you should run
+ * `codeql database index-files --language=properties ...`
+ * If using lgtm.com, you should add `properties_files: true` to the index block of your
+ * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction)
+ */
+
 import java
 import semmle.code.configfiles.ConfigFiles
 
-private string suspicious() {
+private string possibleSecretName() {
   result = "%password%" or
   result = "%passwd%" or
   result = "%account%" or
@@ -23,7 +31,7 @@ private string suspicious() {
   result = "%access%key%"
 }
 
-private string nonSuspicious() {
+private string possibleEncryptedSecretName() {
   result = "%hashed%" or
   result = "%encrypted%" or
   result = "%crypt%"
@@ -48,7 +56,8 @@ predicate isNotCleartextCredentials(string value) {
   or
   value.matches("ENC(%)") // Encrypted value
   or
-  value.toLowerCase().matches(suspicious()) // Could be message properties or fake passwords
+  // Could be a message property for UI display or fake passwords, e.g. login.password_expired=Your current password has expired.
+  value.toLowerCase().matches(possibleSecretName())
 }
 
 /**
@@ -57,8 +66,7 @@ predicate isNotCleartextCredentials(string value) {
  *    b) with a non-production file name
  */
 predicate isNonProdCredentials(CredentialsConfig cc) {
-  cc.getFile().getAbsolutePath().matches(["%dev%", "%test%", "%sample%"]) and
-  not cc.getFile().getAbsolutePath().matches("%codeql%") // CodeQL test cases
+  cc.getFile().getAbsolutePath().matches(["%dev%", "%test%", "%sample%"])
 }
 
 /** The properties file with configuration key/value pairs. */
@@ -69,8 +77,8 @@ class ConfigProperties extends ConfigPair {
 /** The credentials configuration property. */
 class CredentialsConfig extends ConfigProperties {
   CredentialsConfig() {
-    this.getNameElement().getName().trim().toLowerCase().matches(suspicious()) and
-    not this.getNameElement().getName().trim().toLowerCase().matches(nonSuspicious())
+    this.getNameElement().getName().trim().toLowerCase().matches(possibleSecretName()) and
+    not this.getNameElement().getName().trim().toLowerCase().matches(possibleEncryptedSecretName())
   }
 
   string getName() { result = this.getNameElement().getName().trim() }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.ql b/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.ql
new file mode 100644
index 00000000000..bb7495dc4d9
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.ql
@@ -0,0 +1,84 @@
+/**
+ * @name Cleartext Credentials in Properties File
+ * @description Finds cleartext credentials in Java properties files.
+ * @kind problem
+ * @id java/credentials-in-properties
+ * @tags security
+ *       external/cwe/cwe-555
+ *       external/cwe/cwe-256
+ *       external/cwe/cwe-260
+ */
+
+/*
+ * Note this query requires properties files to be indexed before it can produce results.
+ * If creating your own database with the CodeQL CLI, you should run
+ * `codeql database index-files --language=properties ...`
+ * If using lgtm.com, you should add `properties_files: true` to the index block of your
+ * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction)
+ */
+
+import java
+import semmle.code.configfiles.ConfigFiles
+
+private string possibleSecretName() {
+  result = "%password%" or
+  result = "%passwd%" or
+  result = "%account%" or
+  result = "%accnt%" or
+  result = "%credential%" or
+  result = "%token%" or
+  result = "%secret%" or
+  result = "%access%key%"
+}
+
+private string possibleEncryptedSecretName() {
+  result = "%hashed%" or
+  result = "%encrypted%" or
+  result = "%crypt%"
+}
+
+/** Holds if the value is not cleartext credentials. */
+bindingset[value]
+predicate isNotCleartextCredentials(string value) {
+  value = "" // Empty string
+  or
+  value.length() < 7 // Typical credentials are no less than 6 characters
+  or
+  value.matches("% %") // Sentences containing spaces
+  or
+  value.regexpMatch(".*[^a-zA-Z\\d]{3,}.*") // Contain repeated non-alphanumeric characters such as a fake password pass**** or ????
+  or
+  value.matches("@%") // Starts with the "@" sign
+  or
+  value.regexpMatch("\\$\\{.*\\}") // Variable placeholder ${credentials}
+  or
+  value.matches("%=") // A basic check of encrypted credentials ending with padding characters
+  or
+  value.matches("ENC(%)") // Encrypted value
+  or
+  // Could be a message property for UI display or fake passwords, e.g. login.password_expired=Your current password has expired.
+  value.toLowerCase().matches(possibleSecretName())
+}
+
+/** The properties file with configuration key/value pairs. */
+class ConfigProperties extends ConfigPair {
+  ConfigProperties() { this.getFile().getBaseName().toLowerCase().matches("%.properties") }
+}
+
+/** The credentials configuration property. */
+class CredentialsConfig extends ConfigProperties {
+  CredentialsConfig() {
+    this.getNameElement().getName().trim().toLowerCase().matches(possibleSecretName()) and
+    not this.getNameElement().getName().trim().toLowerCase().matches(possibleEncryptedSecretName())
+  }
+
+  string getName() { result = this.getNameElement().getName().trim() }
+
+  string getValue() { result = this.getValueElement().getValue().trim() }
+}
+
+from CredentialsConfig cc
+where not isNotCleartextCredentials(cc.getValue())
+select cc,
+  "Plaintext credentials " + cc.getName() + " have cleartext value " + cc.getValue() +
+    " in properties file."
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.qlref b/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.qlref
deleted file mode 100644
index e2536bfe883..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.qlref
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
\ No newline at end of file

From 7a511c5682ca1aec9368a8e1f0c2106fd0912408 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Sat, 27 Mar 2021 02:20:59 +0100
Subject: [PATCH 0098/1429] Python: update naming

---
 python/ql/src/Security/CWE-327/InsecureProtocol.ql | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.ql b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
index 974c36ddb0c..37aab84795e 100644
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -18,11 +18,12 @@ string callName(AstNode call) {
   exists(Attribute a | a = call | result = callName(a.getObject()) + "." + a.getName())
 }
 
-string originName(DataFlow::Node contextOrigin) {
-  result = "call to " + callName(contextOrigin.asCfgNode().(CallNode).getFunction().getNode())
+string configName(DataFlow::Node protocolConfiguration) {
+  result =
+    "call to " + callName(protocolConfiguration.asCfgNode().(CallNode).getFunction().getNode())
   or
-  not contextOrigin.asCfgNode() instanceof CallNode and
-  not contextOrigin instanceof ContextCreation and
+  not protocolConfiguration.asCfgNode() instanceof CallNode and
+  not protocolConfiguration instanceof ContextCreation and
   result = "context modification"
 }
 
@@ -48,4 +49,4 @@ where
   specific = true
 select connectionCreation,
   "Insecure SSL/TLS protocol version " + insecure_version + " " + verb(specific) + " by $@ ",
-  protocolConfiguration, originName(protocolConfiguration)
+  protocolConfiguration, configName(protocolConfiguration)

From 16902c2f56993f4ca29f3f05ca1ce1ac35b656be Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Sat, 27 Mar 2021 02:40:13 +0100
Subject: [PATCH 0099/1429] Python: handle default argument

---
 python/ql/src/Security/CWE-327/Ssl.qll | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index 7f141523390..928a5f74e2d 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -160,6 +160,10 @@ class UnspecificSSLContextCreation extends SSLContextCreation, UnspecificContext
     // These are turned off by default
     // see https://docs.python.org/3/library/ssl.html#ssl-contexts
     not result in ["SSLv2", "SSLv3"]
+    or
+    // The default argument is TLS and the SSL versions are turned off by default.
+    not exists(this.getProtocol()) and
+    result in ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
   }
 }
 

From 6d72b4fd39b51315cf0720c35455bb3b66447cae Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Sat, 27 Mar 2021 03:10:43 +0100
Subject: [PATCH 0100/1429] Python: Limit pretty printing to relevant nodes

---
 .../src/Security/CWE-327/InsecureProtocol.ql  | 37 ++++++++++++++++++-
 1 file changed, 35 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.ql b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
index 37aab84795e..19f6acf5512 100644
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -12,13 +12,46 @@
 import python
 import FluentApiModel
 
-string callName(AstNode call) {
+// Helper for pretty printer `configName`.
+// This is a consequence of missing pretty priting.
+// We do not want to evaluate our bespoke pretty printer
+// for all `DataFlow::Node`s so we define a sub class of interesting ones.
+class ProtocolConfiguration extends DataFlow::Node {
+  ProtocolConfiguration() {
+    unsafe_connection_creation_with_context(_, _, this, _)
+    or
+    unsafe_connection_creation_without_context(this, _)
+    or
+    unsafe_context_creation(this, _)
+  }
+}
+
+// Helper for pretty printer `callName`.
+// This is a consequence of missing pretty priting.
+// We do not want to evaluate our bespoke pretty printer
+// for all `AstNode`s so we define a sub class of interesting ones.
+//
+// Note that AstNode is abstract and AstNode_ is a library class, so
+// we have to extend @py_ast_node.
+class Namable extends @py_ast_node {
+  Namable() {
+    exists(ProtocolConfiguration protocolConfiguration |
+      this = protocolConfiguration.asCfgNode().(CallNode).getFunction().getNode()
+    )
+    or
+    exists(Namable attr | this = attr.(Attribute).getObject())
+  }
+
+  string toString() { result = "AstNode" }
+}
+
+string callName(Namable call) {
   result = call.(Name).getId()
   or
   exists(Attribute a | a = call | result = callName(a.getObject()) + "." + a.getName())
 }
 
-string configName(DataFlow::Node protocolConfiguration) {
+string configName(ProtocolConfiguration protocolConfiguration) {
   result =
     "call to " + callName(protocolConfiguration.asCfgNode().(CallNode).getFunction().getNode())
   or

From 5ce3f9d6ff6eb740d8c6add31fd7c95fa79f6453 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Sun, 28 Mar 2021 03:15:06 +0000
Subject: [PATCH 0101/1429] Update qldoc and enhance the query

---
 .../CWE-555/CredentialsInPropertiesFile.qhelp |  6 +-
 .../CWE-555/CredentialsInPropertiesFile.ql    | 84 +++++++++++++------
 .../CredentialsInPropertiesFile.expected      | 10 +--
 .../CWE-555/CredentialsInPropertiesFile.ql    | 81 ++++++++++++------
 .../security/CWE-555/PropertiesUtils.java     | 57 +++++++++++++
 .../security/CWE-555/messages.properties      |  1 +
 6 files changed, 179 insertions(+), 60 deletions(-)
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-555/PropertiesUtils.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.qhelp b/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.qhelp
index 0869b886260..5549f188f1f 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.qhelp
@@ -3,7 +3,7 @@
   <overview>
     <p>
       Credentials management issues occur when credentials are stored in plaintext in 
-      an application’s properties file. Common credentials include but are not limited 
+      an application's properties file. Common credentials include but are not limited 
       to LDAP, mail, database, proxy account, and so on. Storing plaintext credentials 
       in a properties file allows anyone who can read the file access to the protected 
       resource. Good credentials management guidelines require that credentials never 
@@ -21,12 +21,12 @@
 
   <example>
     <p>
-      In the first example, the credentials of a LDAP and datasource properties are stored 
+      In the first example, the credentials for the LDAP and datasource properties are stored 
       in cleartext in the properties file.
     </p>
 
     <p>
-      In the second example, the credentials of a LDAP and datasource properties are stored
+      In the second example, the credentials for the LDAP and datasource properties are stored
       in an encrypted format.
     </p>
     <sample src="configuration.properties" />
diff --git a/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql b/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
index 1e9b9906096..8bbc0d00a46 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
@@ -14,28 +14,22 @@
  * If creating your own database with the CodeQL CLI, you should run
  * `codeql database index-files --language=properties ...`
  * If using lgtm.com, you should add `properties_files: true` to the index block of your
- * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction)
+ * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction#customizing-index)
  */
 
 import java
 import semmle.code.configfiles.ConfigFiles
+import semmle.code.java.dataflow.FlowSources
 
 private string possibleSecretName() {
-  result = "%password%" or
-  result = "%passwd%" or
-  result = "%account%" or
-  result = "%accnt%" or
-  result = "%credential%" or
-  result = "%token%" or
-  result = "%secret%" or
-  result = "%access%key%"
+  result =
+    [
+      "%password%", "%passwd%", "%account%", "%accnt%", "%credential%", "%token%", "%secret%",
+      "%access%key%"
+    ]
 }
 
-private string possibleEncryptedSecretName() {
-  result = "%hashed%" or
-  result = "%encrypted%" or
-  result = "%crypt%"
-}
+private string possibleEncryptedSecretName() { result = ["%hashed%", "%encrypted%", "%crypt%"] }
 
 /** Holds if the value is not cleartext credentials. */
 bindingset[value]
@@ -69,27 +63,63 @@ predicate isNonProdCredentials(CredentialsConfig cc) {
   cc.getFile().getAbsolutePath().matches(["%dev%", "%test%", "%sample%"])
 }
 
-/** The properties file with configuration key/value pairs. */
-class ConfigProperties extends ConfigPair {
-  ConfigProperties() { this.getFile().getBaseName().toLowerCase().matches("%.properties") }
-}
-
 /** The credentials configuration property. */
-class CredentialsConfig extends ConfigProperties {
+class CredentialsConfig extends ConfigPair {
   CredentialsConfig() {
     this.getNameElement().getName().trim().toLowerCase().matches(possibleSecretName()) and
-    not this.getNameElement().getName().trim().toLowerCase().matches(possibleEncryptedSecretName())
+    not this.getNameElement().getName().trim().toLowerCase().matches(possibleEncryptedSecretName()) and
+    not isNotCleartextCredentials(this.getValueElement().getValue().trim())
   }
 
   string getName() { result = this.getNameElement().getName().trim() }
 
   string getValue() { result = this.getValueElement().getValue().trim() }
+
+  /** Returns a description of this vulnerability. */
+  string getConfigDesc() {
+    exists(
+      LoadCredentialsConfiguration cc, DataFlow::Node source, DataFlow::Node sink, MethodAccess ma
+    |
+      this.getName() = source.asExpr().(CompileTimeConstantExpr).getStringValue() and
+      cc.hasFlow(source, sink) and
+      ma.getArgument(0) = sink.asExpr() and
+      result = "Plaintext credentials " + this.getName() + " are loaded in " + ma
+    )
+    or
+    not exists(LoadCredentialsConfiguration cc, DataFlow::Node source, DataFlow::Node sink |
+      this.getName() = source.asExpr().(CompileTimeConstantExpr).getStringValue() and
+      cc.hasFlow(source, sink)
+    ) and
+    result =
+      "Plaintext credentials " + this.getName() + " have cleartext value " + this.getValue() +
+        " in properties file"
+  }
+}
+
+/**
+ * A dataflow configuration tracking flow of a method that loads a credentials property.
+ */
+class LoadCredentialsConfiguration extends DataFlow::Configuration {
+  LoadCredentialsConfiguration() { this = "LoadCredentialsConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(CredentialsConfig cc |
+      source.asExpr().(CompileTimeConstantExpr).getStringValue() = cc.getName()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() =
+      any(MethodAccess ma |
+        ma.getMethod()
+            .getDeclaringType()
+            .getASupertype*()
+            .hasQualifiedName("java.util", "Properties") and
+        ma.getMethod().getName() = "getProperty"
+      ).getArgument(0)
+  }
 }
 
 from CredentialsConfig cc
-where
-  not isNotCleartextCredentials(cc.getValue()) and
-  not isNonProdCredentials(cc)
-select cc,
-  "Plaintext credentials " + cc.getName() + " have cleartext value " + cc.getValue() +
-    " in properties file."
+where not isNonProdCredentials(cc)
+select cc, cc.getConfigDesc()
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.expected b/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.expected
index 0ce33913932..1bdc004a446 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.expected
@@ -1,5 +1,5 @@
-| configuration.properties:6:1:6:25 | ldap.password=mysecpass | Plaintext credentials ldap.password have cleartext value mysecpass in properties file. |
-| configuration.properties:18:1:18:35 | datasource1.password=Passw0rd@123 | Plaintext credentials datasource1.password have cleartext value Passw0rd@123 in properties file. |
-| configuration.properties:25:1:25:31 | mail.password=MysecPWxWa@1993 | Plaintext credentials mail.password have cleartext value MysecPWxWa@1993 in properties file. |
-| configuration.properties:33:1:33:50 | com.example.aws.s3.access_key=AKMAMQPBYMCD6YSAYCBA | Plaintext credentials com.example.aws.s3.access_key have cleartext value AKMAMQPBYMCD6YSAYCBA in properties file. |
-| configuration.properties:34:1:34:70 | com.example.aws.s3.secret_key=8lMPSfWzZq+wcWtck5+QPLOJDZzE783pS09/IO3k | Plaintext credentials com.example.aws.s3.secret_key have cleartext value 8lMPSfWzZq+wcWtck5+QPLOJDZzE783pS09/IO3k in properties file. |
+| configuration.properties:6:1:6:25 | ldap.password=mysecpass | Plaintext credentials ldap.password are loaded in getProperty(...) |
+| configuration.properties:18:1:18:35 | datasource1.password=Passw0rd@123 | Plaintext credentials datasource1.password are loaded in getProperty(...) |
+| configuration.properties:25:1:25:31 | mail.password=MysecPWxWa@1993 | Plaintext credentials mail.password are loaded in getProperty(...) |
+| configuration.properties:33:1:33:50 | com.example.aws.s3.access_key=AKMAMQPBYMCD6YSAYCBA | Plaintext credentials com.example.aws.s3.access_key are loaded in getProperty(...) |
+| configuration.properties:34:1:34:70 | com.example.aws.s3.secret_key=8lMPSfWzZq+wcWtck5+QPLOJDZzE783pS09/IO3k | Plaintext credentials com.example.aws.s3.secret_key are loaded in getProperty(...) |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.ql b/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.ql
index bb7495dc4d9..b6890e4ac9f 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.ql
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.ql
@@ -14,28 +14,22 @@
  * If creating your own database with the CodeQL CLI, you should run
  * `codeql database index-files --language=properties ...`
  * If using lgtm.com, you should add `properties_files: true` to the index block of your
- * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction)
+ * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction#customizing-index)
  */
 
 import java
 import semmle.code.configfiles.ConfigFiles
+import semmle.code.java.dataflow.FlowSources
 
 private string possibleSecretName() {
-  result = "%password%" or
-  result = "%passwd%" or
-  result = "%account%" or
-  result = "%accnt%" or
-  result = "%credential%" or
-  result = "%token%" or
-  result = "%secret%" or
-  result = "%access%key%"
+  result =
+    [
+      "%password%", "%passwd%", "%account%", "%accnt%", "%credential%", "%token%", "%secret%",
+      "%access%key%"
+    ]
 }
 
-private string possibleEncryptedSecretName() {
-  result = "%hashed%" or
-  result = "%encrypted%" or
-  result = "%crypt%"
-}
+private string possibleEncryptedSecretName() { result = ["%hashed%", "%encrypted%", "%crypt%"] }
 
 /** Holds if the value is not cleartext credentials. */
 bindingset[value]
@@ -60,25 +54,62 @@ predicate isNotCleartextCredentials(string value) {
   value.toLowerCase().matches(possibleSecretName())
 }
 
-/** The properties file with configuration key/value pairs. */
-class ConfigProperties extends ConfigPair {
-  ConfigProperties() { this.getFile().getBaseName().toLowerCase().matches("%.properties") }
-}
-
 /** The credentials configuration property. */
-class CredentialsConfig extends ConfigProperties {
+class CredentialsConfig extends ConfigPair {
   CredentialsConfig() {
     this.getNameElement().getName().trim().toLowerCase().matches(possibleSecretName()) and
-    not this.getNameElement().getName().trim().toLowerCase().matches(possibleEncryptedSecretName())
+    not this.getNameElement().getName().trim().toLowerCase().matches(possibleEncryptedSecretName()) and
+    not isNotCleartextCredentials(this.getValueElement().getValue().trim())
   }
 
   string getName() { result = this.getNameElement().getName().trim() }
 
   string getValue() { result = this.getValueElement().getValue().trim() }
+
+  /** Returns a description of this vulnerability. */
+  string getConfigDesc() {
+    exists(
+      LoadCredentialsConfiguration cc, DataFlow::Node source, DataFlow::Node sink, MethodAccess ma
+    |
+      this.getName() = source.asExpr().(CompileTimeConstantExpr).getStringValue() and
+      cc.hasFlow(source, sink) and
+      ma.getArgument(0) = sink.asExpr() and
+      result = "Plaintext credentials " + this.getName() + " are loaded in " + ma
+    )
+    or
+    not exists(LoadCredentialsConfiguration cc, DataFlow::Node source, DataFlow::Node sink |
+      this.getName() = source.asExpr().(CompileTimeConstantExpr).getStringValue() and
+      cc.hasFlow(source, sink)
+    ) and
+    result =
+      "Plaintext credentials " + this.getName() + " have cleartext value " + this.getValue() +
+        " in properties file"
+  }
+}
+
+/**
+ * A dataflow configuration tracking flow of a method that loads a credentials property.
+ */
+class LoadCredentialsConfiguration extends DataFlow::Configuration {
+  LoadCredentialsConfiguration() { this = "LoadCredentialsConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(CredentialsConfig cc |
+      source.asExpr().(CompileTimeConstantExpr).getStringValue() = cc.getName()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() =
+      any(MethodAccess ma |
+        ma.getMethod()
+            .getDeclaringType()
+            .getASupertype*()
+            .hasQualifiedName("java.util", "Properties") and
+        ma.getMethod().getName() = "getProperty"
+      ).getArgument(0)
+  }
 }
 
 from CredentialsConfig cc
-where not isNotCleartextCredentials(cc.getValue())
-select cc,
-  "Plaintext credentials " + cc.getName() + " have cleartext value " + cc.getValue() +
-    " in properties file."
+select cc, cc.getConfigDesc()
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/PropertiesUtils.java b/java/ql/test/experimental/query-tests/security/CWE-555/PropertiesUtils.java
new file mode 100644
index 00000000000..b54995a9967
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/PropertiesUtils.java
@@ -0,0 +1,57 @@
+import java.io.IOException;
+import java.util.Properties;
+
+public class PropertiesUtils {
+	/* Properties declaration. */ 
+	private static Properties properties;  
+
+    /** Static block to initializing the properties. */
+	static {
+		properties = new Properties();
+		try {
+			properties.load(PropertiesUtils.class.getClassLoader().getResourceAsStream("configuration.properties"));
+		} catch (IOException e) {
+			e.printStackTrace();
+		}
+	}
+
+	/** Returns the LDAP DN property value. */
+	public static String getLdapDN() {
+		return properties.getProperty("ldap.loginDN");
+	}
+    
+	/** Returns the LDAP password property value. */
+	public static String getLdapPassword() {
+		return properties.getProperty("ldap.password");
+	}
+
+	/** Returns the SQL Server username property value. */
+	public static String getMSDataSourceUserName() {
+		return properties.getProperty("datasource1.username");
+	}
+
+	/** Returns the SQL Server password property value. */
+	public static String getMSDataSourcePassword() {
+		return properties.getProperty("datasource1.password");
+	}
+    
+	/** Returns the mail account property value. */
+	public static String getMailUserName() {
+		return properties.getProperty("mail.username");
+	}
+
+ 	/** Returns the mail password property value. */
+	public static String getMailPassword() {
+		return properties.getProperty("mail.password");
+	}
+
+	/** Returns the AWS Access Key property value. */
+	public static String getAWSAccessKey() {
+		return properties.getProperty("com.example.aws.s3.access_key");
+	}
+
+	/** Returns the AWS Secret Key property value. */
+	public static String getAWSSecretKey() {
+		return properties.getProperty("com.example.aws.s3.secret_key");
+	}
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/messages.properties b/java/ql/test/experimental/query-tests/security/CWE-555/messages.properties
index fac63ec23e8..27a244c6071 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-555/messages.properties
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/messages.properties
@@ -1,3 +1,4 @@
+# GOOD: UI display messages; not credentials
 prompt.username=Username
 prompt.password=Password
 

From 799d509f26d0954025fea5302945387194fdef46 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 18 Mar 2021 17:31:41 +0100
Subject: [PATCH 0102/1429] Upload LDAP Injection query, qhelp and tests

---
 .../src/Security/CWE-090/LDAPInjection.qhelp  | 32 +++++++
 .../ql/src/Security/CWE-090/LDAPInjection.ql  | 86 +++++++++++++++++++
 .../Security/CWE-090/tests/ldap3_sanitized.py | 58 +++++++++++++
 .../CWE-090/tests/ldap3_sanitized_asObj.py    | 57 ++++++++++++
 .../CWE-090/tests/ldap3_unsanitized.py        | 56 ++++++++++++
 .../CWE-090/tests/ldap3_unsanitized_asObj.py  | 55 ++++++++++++
 .../Security/CWE-090/tests/ldap_sanitized.py  | 56 ++++++++++++
 .../CWE-090/tests/ldap_sanitized_asObj.py     | 57 ++++++++++++
 .../CWE-090/tests/ldap_unsanitized.py         | 52 +++++++++++
 .../CWE-090/tests/ldap_unsanitized_asObj.py   | 52 +++++++++++
 10 files changed, 561 insertions(+)
 create mode 100644 python/ql/src/Security/CWE-090/LDAPInjection.qhelp
 create mode 100644 python/ql/src/Security/CWE-090/LDAPInjection.ql
 create mode 100644 python/ql/src/Security/CWE-090/tests/ldap3_sanitized.py
 create mode 100644 python/ql/src/Security/CWE-090/tests/ldap3_sanitized_asObj.py
 create mode 100644 python/ql/src/Security/CWE-090/tests/ldap3_unsanitized.py
 create mode 100644 python/ql/src/Security/CWE-090/tests/ldap3_unsanitized_asObj.py
 create mode 100644 python/ql/src/Security/CWE-090/tests/ldap_sanitized.py
 create mode 100644 python/ql/src/Security/CWE-090/tests/ldap_sanitized_asObj.py
 create mode 100644 python/ql/src/Security/CWE-090/tests/ldap_unsanitized.py
 create mode 100644 python/ql/src/Security/CWE-090/tests/ldap_unsanitized_asObj.py

diff --git a/python/ql/src/Security/CWE-090/LDAPInjection.qhelp b/python/ql/src/Security/CWE-090/LDAPInjection.qhelp
new file mode 100644
index 00000000000..e077ccc3afe
--- /dev/null
+++ b/python/ql/src/Security/CWE-090/LDAPInjection.qhelp
@@ -0,0 +1,32 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+
+<qhelp>
+  <overview>
+    <p>If an LDAP query is built by a not sanitized user-provided value, a user is likely to be able to run malicious LDAP queries.</p>
+  </overview>
+
+  <recommendation>
+    <p>In case user input must compose an LDAP query, it should be escaped in order to avoid a malicious user supplying special characters that change the actual purpose of the query. To do so, functions that ldap frameworks provide such as <code>escape_filter_chars</code> should be applied to that user input.
+  <recommendation>
+
+
+  <references>
+    <li>
+      OWASP
+      <a href="https://owasp.org/www-community/attacks/LDAP_Injection">LDAP Injection</a>
+    </li>
+    <li>
+      SonarSource
+      <a href="https://rules.sonarsource.com/python/RSPEC-2078">RSPEC-2078</a>
+    </li>
+    <li>
+      Python
+      <a href="https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html">LDAP Documentation</a>
+    </li>
+    <li>
+      CWE-
+      <a href="https://cwe.mitre.org/data/definitions/90.html">090</a>
+    </li>
+  </references>
+
+</qhelp>
\ No newline at end of file
diff --git a/python/ql/src/Security/CWE-090/LDAPInjection.ql b/python/ql/src/Security/CWE-090/LDAPInjection.ql
new file mode 100644
index 00000000000..d6ff1ad5607
--- /dev/null
+++ b/python/ql/src/Security/CWE-090/LDAPInjection.ql
@@ -0,0 +1,86 @@
+/**
+ * @name Python LDAP Injection
+ * @description Python LDAP Injection through search filter
+ * @kind path-problem
+ * @problem.severity error
+ * @id python/ldap-injection
+ * @tags experimental	
+ *       security	
+ *       external/cwe/cwe-090
+ */
+
+import python
+import semmle.python.dataflow.new.RemoteFlowSources
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.dataflow.new.internal.TaintTrackingPublic
+import DataFlow::PathGraph
+
+class InitializeSink extends DataFlow::Node {
+  InitializeSink() {
+    exists(SsaVariable initVar, CallNode searchCall |
+      // get variable whose value equals a call to ldap.initialize
+      initVar.getDefinition().getImmediateDominator() = Value::named("ldap.initialize").getACall() and
+      // get the Call in which the previous variable is used
+      initVar.getAUse().getNode() = searchCall.getNode().getFunc().(Attribute).getObject() and
+      // restrict that call's attribute (something.this) to match %search%
+      searchCall.getNode().getFunc().(Attribute).getName().matches("%search%") and
+      // set the third argument (search_filter) as sink
+      this.asExpr() = searchCall.getArg(2).getNode()
+      // set the first argument (DN) as sink
+      // or this.asExpr() = searchCall.getArg(0) // Should this be set?
+    )
+  }
+}
+
+class ConnectionSink extends DataFlow::Node {
+  ConnectionSink() {
+    exists(SsaVariable connVar, CallNode searchCall |
+      // get variable whose value equals a call to ldap.initialize
+      connVar.getDefinition().getImmediateDominator() = Value::named("ldap3.Connection").getACall() and
+      // get the Call in which the previous variable is used
+      connVar.getAUse().getNode() = searchCall.getNode().getFunc().(Attribute).getObject() and
+      // restrict that call's attribute (something.this) to match %search%
+      searchCall.getNode().getFunc().(Attribute).getName().matches("%search%") and
+      // set the second argument (search_filter) as sink
+      this.asExpr() = searchCall.getArg(1).getNode()
+      // set the first argument (DN) as sink
+      // or this.asExpr() = searchCall.getArg(0) // Should this be set?
+    )
+  }
+}
+
+class EscapeSanitizer extends DataFlow::Node {
+  EscapeSanitizer() {
+    exists(Call c |
+      (
+        // avoid flow through any %escape% function
+        c.getFunc().(Attribute).getName().matches("%escape%") or // something.%escape%()
+        c.getFunc().(Name).getId().matches("%escape%") // %escape%()
+      ) and
+      this.asExpr() = c
+    )
+  }
+}
+
+class LDAPInjectionSink extends DataFlow::Node {
+  LDAPInjectionSink() {
+    this instanceof InitializeSink or
+    this instanceof ConnectionSink
+  }
+}
+
+class LDAPInjectionFlowConfig extends TaintTracking::Configuration {
+  LDAPInjectionFlowConfig() { this = "LDAPInjectionFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof LDAPInjectionSink }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof EscapeSanitizer }
+}
+
+from LDAPInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "$@ LDAP query executes $@.", sink.getNode(), "This",
+  source.getNode(), "a user-provided value"
diff --git a/python/ql/src/Security/CWE-090/tests/ldap3_sanitized.py b/python/ql/src/Security/CWE-090/tests/ldap3_sanitized.py
new file mode 100644
index 00000000000..05bc1e24f71
--- /dev/null
+++ b/python/ql/src/Security/CWE-090/tests/ldap3_sanitized.py
@@ -0,0 +1,58 @@
+import ldap3
+from ldap3.utils.conv import escape_filter_chars
+from flask import request, Flask
+
+app = Flask(__name__)
+
+
+@app.route("/tainted_var")
+def tainted_var():
+    sanitized_dn = "dc=%s" % request.args['dc']
+    sanitized_filter = "(&(objectClass=*)(uid=%s))" % escape_filter_chars(
+        request.args['username'])
+
+    srv = ldap3.Server('localhost', port=1337)
+    conn = ldap3.Connection(srv, user=sanitized_dn, auto_bind=True)
+    conn.search(sanitized_dn, sanitized_filter)
+    return conn.response
+
+
+@app.route("/var_tainted")
+def var_tainted():
+    sanitized_dn = request.args['dc']
+    sanitized_filter = request.args['username']
+
+    dn = "dc=%s" % sanitized_dn
+    search_filter = "(&(objectClass=*)(uid=%s))" % escape_filter_chars(sanitized_filter)
+
+    srv = ldap3.Server('localhost', port=1337)
+    conn = ldap3.Connection(srv, user=dn, auto_bind=True)
+    conn.search(dn, search_filter)
+    return conn.response
+
+
+@app.route("/direct")
+def direct():
+    srv = ldap3.Server('localhost', port=1337)
+    conn = ldap3.Connection(srv, user="dc=%s" %
+                            request.args['dc'], auto_bind=True)
+    conn.search("dc=%s" % request.args['dc'], "(&(objectClass=*)(uid=%s))" %
+                escape_filter_chars(request.args['username']))
+    return conn.response
+
+
+@ app.route("/with_")
+def with_():
+    sanitized_dn = request.args['dc']
+    sanitized_filter = escape_filter_chars(request.args['username'])
+
+    dn = "dc=%s" % sanitized_dn
+    search_filter = "(&(objectClass=*)(uid=%s))" % sanitized_filter
+
+    srv = ldap3.Server('localhost', port=1337)
+    with ldap3.Connection(server, auto_bind=True) as conn:
+        conn.search(dn, search_filter)
+        return conn.response
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
diff --git a/python/ql/src/Security/CWE-090/tests/ldap3_sanitized_asObj.py b/python/ql/src/Security/CWE-090/tests/ldap3_sanitized_asObj.py
new file mode 100644
index 00000000000..c7dbb345058
--- /dev/null
+++ b/python/ql/src/Security/CWE-090/tests/ldap3_sanitized_asObj.py
@@ -0,0 +1,57 @@
+from ldap3 import Server, Connection
+from ldap3.utils.conv import escape_filter_chars
+from flask import request, Flask
+
+app = Flask(__name__)
+
+
+@app.route("/tainted_var")
+def tainted_var():
+    sanitized_dn = "dc=%s" % request.args['dc']
+    sanitized_filter = "(&(objectClass=*)(uid=%s))" % escape_filter_chars(
+        request.args['username'])
+
+    srv = Server('localhost', port=1337)
+    conn = Connection(srv, user=sanitized_dn, auto_bind=True)
+    conn.search(sanitized_dn, sanitized_filter)
+    return conn.response
+
+
+@app.route("/var_tainted")
+def var_tainted():
+    sanitized_dn = request.args['dc']
+    sanitized_filter = request.args['username']
+
+    dn = "dc=%s" % sanitized_dn
+    search_filter = "(&(objectClass=*)(uid=%s))" % escape_filter_chars(sanitized_filter)
+
+    srv = Server('localhost', port=1337)
+    conn = Connection(srv, user=dn, auto_bind=True)
+    conn.search(dn, search_filter)
+    return conn.response
+
+
+@app.route("/direct")
+def direct():
+    srv = Server('localhost', port=1337)
+    conn = Connection(srv, user="dc=%s" % request.args['dc'], auto_bind=True)
+    conn.search("dc=%s" % request.args['dc'], "(&(objectClass=*)(uid=%s))" %
+                escape_filter_chars(request.args['username']))
+    return conn.response
+
+
+@app.route("/with_2")
+def with_2():
+    sanitized_dn = request.args['dc']
+    sanitized_filter = escape_filter_chars(request.args['username'])
+
+    dn = "dc=%s" % sanitized_dn
+    search_filter = "(&(objectClass=*)(uid=%s))" % sanitized_filter
+
+    srv = Server('localhost', port=1337)
+    with Connection(server, auto_bind=True) as conn:
+        conn.search(dn, search_filter)
+        return conn.response
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
diff --git a/python/ql/src/Security/CWE-090/tests/ldap3_unsanitized.py b/python/ql/src/Security/CWE-090/tests/ldap3_unsanitized.py
new file mode 100644
index 00000000000..fcd00c0269c
--- /dev/null
+++ b/python/ql/src/Security/CWE-090/tests/ldap3_unsanitized.py
@@ -0,0 +1,56 @@
+import ldap3
+from flask import request, Flask
+
+app = Flask(__name__)
+
+
+@app.route("/tainted_var")
+def tainted_var():
+    unsanitized_dn = "dc=%s" % request.args['dc']
+    unsanitized_filter = "(&(objectClass=*)(uid=%s))" % request.args['username']
+
+    srv = ldap3.Server('localhost', port=1337)
+    conn = ldap3.Connection(srv, user=unsanitized_dn, auto_bind=True)
+    conn.search(unsanitized_dn, unsanitized_filter)
+    return conn.response
+
+
+@app.route("/var_tainted")
+def var_tainted():
+    unsanitized_dn = request.args['dc']
+    unsanitized_filter = request.args['username']
+
+    dn = "dc=%s" % unsanitized_dn
+    search_filter = "(&(objectClass=*)(uid=%s))" % unsanitized_filter
+
+    srv = ldap3.Server('localhost', port=1337)
+    conn = ldap3.Connection(srv, user=dn, auto_bind=True)
+    conn.search(dn, search_filter)
+    return conn.response
+
+
+@app.route("/direct")
+def direct():
+    srv = ldap3.Server('localhost', port=1337)
+    conn = ldap3.Connection(srv, user="dc=%s" %
+                            request.args['dc'], auto_bind=True)
+    conn.search("dc=%s" % unsanitized_dn,
+                "(&(objectClass=*)(uid=%s))" % request.args['username'])
+    return conn.response
+
+
+@app.route("/with_")
+def with_():
+    unsanitized_dn = request.args['dc']
+    unsanitized_filter = request.args['username']
+
+    dn = "dc=%s" % unsanitized_dn
+    search_filter = "(&(objectClass=*)(uid=%s))" % unsanitized_filter
+
+    srv = ldap3.Server('localhost', port=1337)
+    with ldap3.Connection(server, auto_bind=True) as conn:
+        conn.search(dn, search_filter)
+        return conn.response
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
diff --git a/python/ql/src/Security/CWE-090/tests/ldap3_unsanitized_asObj.py b/python/ql/src/Security/CWE-090/tests/ldap3_unsanitized_asObj.py
new file mode 100644
index 00000000000..634ee992f3e
--- /dev/null
+++ b/python/ql/src/Security/CWE-090/tests/ldap3_unsanitized_asObj.py
@@ -0,0 +1,55 @@
+from ldap3 import Server, Connection
+from flask import request, Flask
+
+app = Flask(__name__)
+
+
+@app.route("/tainted_var")
+def tainted_var():
+    unsanitized_dn = "dc=%s" % request.args['dc']
+    unsanitized_filter = "(&(objectClass=*)(uid=%s))" % request.args['username']
+
+    srv = Server('localhost', port=1337)
+    conn = Connection(srv, user=unsanitized_dn, auto_bind=True)
+    conn.search(unsanitized_dn, unsanitized_filter)
+    return conn.response
+
+
+@app.route("/var_tainted")
+def var_tainted():
+    unsanitized_dn = request.args['dc']
+    unsanitized_filter = request.args['username']
+
+    dn = "dc=%s" % unsanitized_dn
+    search_filter = "(&(objectClass=*)(uid=%s))" % unsanitized_filter
+
+    srv = Server('localhost', port=1337)
+    conn = Connection(srv, user=dn, auto_bind=True)
+    conn.search(dn, search_filter)
+    return conn.response
+
+
+@app.route("/direct")
+def direct():
+    srv = Server('localhost', port=1337)
+    conn = Connection(srv, user="dc=%s" % request.args['dc'], auto_bind=True)
+    conn.search(
+        "dc=%s" % request.args['dc'], "(&(objectClass=*)(uid=%s))" % request.args['username'])
+    return conn.response
+
+
+@app.route("/with_2")
+def with_2():
+    unsanitized_dn = request.args['dc']
+    unsanitized_filter = request.args['username']
+
+    dn = "dc=%s" % unsanitized_dn
+    search_filter = "(&(objectClass=*)(uid=%s))" % unsanitized_filter
+
+    srv = Server('localhost', port=1337)
+    with Connection(server, auto_bind=True) as conn:
+        conn.search(dn, search_filter)
+        return conn.response
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
diff --git a/python/ql/src/Security/CWE-090/tests/ldap_sanitized.py b/python/ql/src/Security/CWE-090/tests/ldap_sanitized.py
new file mode 100644
index 00000000000..83bafa79195
--- /dev/null
+++ b/python/ql/src/Security/CWE-090/tests/ldap_sanitized.py
@@ -0,0 +1,56 @@
+from flask import request, Flask
+import ldap
+import ldap.filter
+import ldap.dn
+
+app = Flask(__name__)
+
+
+@app.route("/tainted_var")
+def tainted_var():
+    sanitized_dn = "dc=%s" % ldap.dn.escape_dn_chars(request.args['dc'])
+    sanitized_filter = "(&(objectClass=*)(uid=%s))" % ldap.filter.escape_filter_chars(
+        request.args['username'])
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s(
+        sanitized_dn, ldap.SCOPE_SUBTREE, sanitized_filter)
+    return user[0]
+
+
+@app.route("/var_tainted")
+def var_tainted():
+    sanitized_dn = request.args['dc']
+    sanitized_filter = request.args['username']
+
+    dn = "dc=%s" % ldap.dn.escape_dn_chars(sanitized_dn)
+    search_filter = "(&(objectClass=*)(uid=%s))" % ldap.filter.escape_filter_chars(sanitized_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
+    return user[0]
+
+
+@app.route("/direct")
+def direct():
+    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s("dc=%s" % ldap.dn.escape_dn_chars(
+        request.args['dc']), ldap.SCOPE_SUBTREE, "(&(objectClass=*)(uid=%s))" % ldap.filter.escape_filter_chars(request.args['username']))
+    return user[0]
+
+
+@app.route("/with_")
+def with_():
+    sanitized_dn = ldap.dn.escape_dn_chars(request.args['dc'])
+    sanitized_filter = ldap.filter.escape_filter_chars(
+        request.args['username'])
+
+    dn = "dc=%s" % sanitized_dn
+    search_filter = "(&(objectClass=*)(uid=%s))" % sanitized_filter
+
+    with ldap.initialize("ldap://127.0.0.1:1337") as ldap_connection:
+        user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
+        return user[0]
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
diff --git a/python/ql/src/Security/CWE-090/tests/ldap_sanitized_asObj.py b/python/ql/src/Security/CWE-090/tests/ldap_sanitized_asObj.py
new file mode 100644
index 00000000000..1c9662a4bcf
--- /dev/null
+++ b/python/ql/src/Security/CWE-090/tests/ldap_sanitized_asObj.py
@@ -0,0 +1,57 @@
+from flask import request, Flask
+from ldap import initialize
+import ldap.filter
+import ldap.dn
+
+app = Flask(__name__)
+
+
+@app.route("/tainted_var_2")
+def tainted_var_2():
+    sanitized_dn = "dc=%s" % ldap.dn.escape_dn_chars(request.args['dc'])
+    sanitized_filter = "(&(objectClass=*)(uid=%s))" % ldap.filter.escape_filter_chars(
+        request.args['username'])
+
+    ldap_connection = initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s(
+        sanitized_dn, ldap.SCOPE_SUBTREE, sanitized_filter)
+    return user[0]
+
+
+@app.route("/var_tainted_2")
+def var_tainted_2():
+    sanitized_dn = ldap.dn.escape_dn_chars(request.args['dc'])
+    sanitized_filter = ldap.filter.escape_filter_chars(
+        request.args['username'])
+
+    dn = "dc=%s" % sanitized_dn
+    search_filter = "(&(objectClass=*)(uid=%s))" % sanitized_filter
+
+    ldap_connection = initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
+    return user[0]
+
+
+@app.route("/direct_2")
+def direct_2():
+    ldap_connection = initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s("dc=%s" % ldap.dn.escape_dn_chars(
+        request.args['dc']), ldap.SCOPE_SUBTREE, "(&(objectClass=*)(uid=%s))" % ldap.filter.escape_filter_chars(request.args['username']))
+    return user[0]
+
+
+@app.route("/with_2")
+def with_2():
+    sanitized_dn = ldap.dn.escape_dn_chars(request.args['dc'])
+    sanitized_filter = ldap.filter.escape_filter_chars(
+        request.args['username'])
+
+    dn = "dc=%s" % sanitized_dn
+    search_filter = "(&(objectClass=*)(uid=%s))" % sanitized_filter
+
+    with initialize("ldap://127.0.0.1:1337") as ldap_connection:
+        user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
+        return user[0]
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
diff --git a/python/ql/src/Security/CWE-090/tests/ldap_unsanitized.py b/python/ql/src/Security/CWE-090/tests/ldap_unsanitized.py
new file mode 100644
index 00000000000..8b22596b578
--- /dev/null
+++ b/python/ql/src/Security/CWE-090/tests/ldap_unsanitized.py
@@ -0,0 +1,52 @@
+from flask import request, Flask
+import ldap
+
+app = Flask(__name__)
+
+
+@app.route("/tainted_var")
+def tainted_var():
+    unsanitized_dn = "dc=%s" % request.args['dc']
+    unsanitized_filter = "(&(objectClass=*)(uid=%s))" % request.args['username']
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s(
+        unsanitized_dn, ldap.SCOPE_SUBTREE, unsanitized_filter)
+    return user[0]
+
+
+@app.route("/var_tainted")
+def var_tainted():
+    unsanitized_dn = request.args['dc']
+    unsanitized_filter = request.args['username']
+
+    dn = "dc=%s" % unsanitized_dn
+    search_filter = "(&(objectClass=*)(uid=%s))" % unsanitized_filter
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
+    return user[0]
+
+
+@app.route("/direct")
+def direct():
+    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s(
+        "dc=%s" % request.args['dc'], ldap.SCOPE_SUBTREE, "(&(objectClass=*)(uid=%s))" % request.args['username'])
+    return user[0]
+
+
+@app.route("/with_")
+def with_():
+    sanitized_dn = request.args['dc']
+    sanitized_filter = request.args['username']
+
+    dn = "dc=%s" % sanitized_dn
+    search_filter = "(&(objectClass=*)(uid=%s))" % sanitized_filter
+
+    with ldap.initialize("ldap://127.0.0.1:1337") as ldap_connection:
+        user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
+        return user[0]
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
diff --git a/python/ql/src/Security/CWE-090/tests/ldap_unsanitized_asObj.py b/python/ql/src/Security/CWE-090/tests/ldap_unsanitized_asObj.py
new file mode 100644
index 00000000000..49774dda2ec
--- /dev/null
+++ b/python/ql/src/Security/CWE-090/tests/ldap_unsanitized_asObj.py
@@ -0,0 +1,52 @@
+from flask import request, Flask
+from ldap import initialize
+
+app = Flask(__name__)
+
+
+@app.route("/tainted_var")
+def tainted_var():
+    unsanitized_dn = "dc=%s" % request.args['dc']
+    unsanitized_filter = "(&(objectClass=*)(uid=%s))" % request.args['username']
+
+    ldap_connection = initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s(
+        unsanitized_dn, ldap.SCOPE_SUBTREE, unsanitized_filter)
+    return user[0]
+
+
+@app.route("/var_tainted")
+def var_tainted():
+    unsanitized_dn = request.args['dc']
+    unsanitized_filter = request.args['username']
+
+    dn = "dc=%s" % unsanitized_dn
+    search_filter = "(&(objectClass=*)(uid=%s))" % unsanitized_filter
+
+    ldap_connection = initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
+    return user[0]
+
+
+@app.route("/direct")
+def direct():
+    ldap_connection = initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s(
+        "dc=%s" % request.args['dc'], ldap.SCOPE_SUBTREE, "(&(objectClass=*)(uid=%s))" % request.args['username'])
+    return user[0]
+
+
+@app.route("/with_2")
+def with_2():
+    sanitized_dn = request.args['dc']
+    sanitized_filter = request.args['username']
+
+    dn = "dc=%s" % sanitized_dn
+    search_filter = "(&(objectClass=*)(uid=%s))" % sanitized_filter
+
+    with initialize("ldap://127.0.0.1:1337") as ldap_connection:
+        user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
+        return user[0]
+
+# if __name__ == "__main__":
+#     app.run(debug=True)

From 719b48cbaf8193f57560bd499e890f679c8d7931 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 18 Mar 2021 20:21:47 +0100
Subject: [PATCH 0103/1429] Move to experimental folder

---
 .../src/{ => experimental}/Security/CWE-090/LDAPInjection.qhelp   | 0
 .../ql/src/{ => experimental}/Security/CWE-090/LDAPInjection.ql   | 0
 .../{ => experimental}/Security/CWE-090/tests/ldap3_sanitized.py  | 0
 .../Security/CWE-090/tests/ldap3_sanitized_asObj.py               | 0
 .../Security/CWE-090/tests/ldap3_unsanitized.py                   | 0
 .../Security/CWE-090/tests/ldap3_unsanitized_asObj.py             | 0
 .../{ => experimental}/Security/CWE-090/tests/ldap_sanitized.py   | 0
 .../Security/CWE-090/tests/ldap_sanitized_asObj.py                | 0
 .../{ => experimental}/Security/CWE-090/tests/ldap_unsanitized.py | 0
 .../Security/CWE-090/tests/ldap_unsanitized_asObj.py              | 0
 10 files changed, 0 insertions(+), 0 deletions(-)
 rename python/ql/src/{ => experimental}/Security/CWE-090/LDAPInjection.qhelp (100%)
 rename python/ql/src/{ => experimental}/Security/CWE-090/LDAPInjection.ql (100%)
 rename python/ql/src/{ => experimental}/Security/CWE-090/tests/ldap3_sanitized.py (100%)
 rename python/ql/src/{ => experimental}/Security/CWE-090/tests/ldap3_sanitized_asObj.py (100%)
 rename python/ql/src/{ => experimental}/Security/CWE-090/tests/ldap3_unsanitized.py (100%)
 rename python/ql/src/{ => experimental}/Security/CWE-090/tests/ldap3_unsanitized_asObj.py (100%)
 rename python/ql/src/{ => experimental}/Security/CWE-090/tests/ldap_sanitized.py (100%)
 rename python/ql/src/{ => experimental}/Security/CWE-090/tests/ldap_sanitized_asObj.py (100%)
 rename python/ql/src/{ => experimental}/Security/CWE-090/tests/ldap_unsanitized.py (100%)
 rename python/ql/src/{ => experimental}/Security/CWE-090/tests/ldap_unsanitized_asObj.py (100%)

diff --git a/python/ql/src/Security/CWE-090/LDAPInjection.qhelp b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-090/LDAPInjection.qhelp
rename to python/ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp
diff --git a/python/ql/src/Security/CWE-090/LDAPInjection.ql b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
similarity index 100%
rename from python/ql/src/Security/CWE-090/LDAPInjection.ql
rename to python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
diff --git a/python/ql/src/Security/CWE-090/tests/ldap3_sanitized.py b/python/ql/src/experimental/Security/CWE-090/tests/ldap3_sanitized.py
similarity index 100%
rename from python/ql/src/Security/CWE-090/tests/ldap3_sanitized.py
rename to python/ql/src/experimental/Security/CWE-090/tests/ldap3_sanitized.py
diff --git a/python/ql/src/Security/CWE-090/tests/ldap3_sanitized_asObj.py b/python/ql/src/experimental/Security/CWE-090/tests/ldap3_sanitized_asObj.py
similarity index 100%
rename from python/ql/src/Security/CWE-090/tests/ldap3_sanitized_asObj.py
rename to python/ql/src/experimental/Security/CWE-090/tests/ldap3_sanitized_asObj.py
diff --git a/python/ql/src/Security/CWE-090/tests/ldap3_unsanitized.py b/python/ql/src/experimental/Security/CWE-090/tests/ldap3_unsanitized.py
similarity index 100%
rename from python/ql/src/Security/CWE-090/tests/ldap3_unsanitized.py
rename to python/ql/src/experimental/Security/CWE-090/tests/ldap3_unsanitized.py
diff --git a/python/ql/src/Security/CWE-090/tests/ldap3_unsanitized_asObj.py b/python/ql/src/experimental/Security/CWE-090/tests/ldap3_unsanitized_asObj.py
similarity index 100%
rename from python/ql/src/Security/CWE-090/tests/ldap3_unsanitized_asObj.py
rename to python/ql/src/experimental/Security/CWE-090/tests/ldap3_unsanitized_asObj.py
diff --git a/python/ql/src/Security/CWE-090/tests/ldap_sanitized.py b/python/ql/src/experimental/Security/CWE-090/tests/ldap_sanitized.py
similarity index 100%
rename from python/ql/src/Security/CWE-090/tests/ldap_sanitized.py
rename to python/ql/src/experimental/Security/CWE-090/tests/ldap_sanitized.py
diff --git a/python/ql/src/Security/CWE-090/tests/ldap_sanitized_asObj.py b/python/ql/src/experimental/Security/CWE-090/tests/ldap_sanitized_asObj.py
similarity index 100%
rename from python/ql/src/Security/CWE-090/tests/ldap_sanitized_asObj.py
rename to python/ql/src/experimental/Security/CWE-090/tests/ldap_sanitized_asObj.py
diff --git a/python/ql/src/Security/CWE-090/tests/ldap_unsanitized.py b/python/ql/src/experimental/Security/CWE-090/tests/ldap_unsanitized.py
similarity index 100%
rename from python/ql/src/Security/CWE-090/tests/ldap_unsanitized.py
rename to python/ql/src/experimental/Security/CWE-090/tests/ldap_unsanitized.py
diff --git a/python/ql/src/Security/CWE-090/tests/ldap_unsanitized_asObj.py b/python/ql/src/experimental/Security/CWE-090/tests/ldap_unsanitized_asObj.py
similarity index 100%
rename from python/ql/src/Security/CWE-090/tests/ldap_unsanitized_asObj.py
rename to python/ql/src/experimental/Security/CWE-090/tests/ldap_unsanitized_asObj.py

From 95a1dae3154367e47fcaaa97cc35dfdb9b1c1fcb Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 18 Mar 2021 20:36:38 +0100
Subject: [PATCH 0104/1429] Precision warn and Remove CWE reference

---
 .../ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp  | 4 ----
 python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql  | 1 +
 2 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp
index e077ccc3afe..a570549abfc 100644
--- a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp
+++ b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp
@@ -23,10 +23,6 @@
       Python
       <a href="https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html">LDAP Documentation</a>
     </li>
-    <li>
-      CWE-
-      <a href="https://cwe.mitre.org/data/definitions/90.html">090</a>
-    </li>
   </references>
 
 </qhelp>
\ No newline at end of file
diff --git a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
index d6ff1ad5607..55e477be50a 100644
--- a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
@@ -9,6 +9,7 @@
  *       external/cwe/cwe-090
  */
 
+// Determine precision above
 import python
 import semmle.python.dataflow.new.RemoteFlowSources
 import semmle.python.dataflow.new.DataFlow

From 85ec82a389a76ef721d879e7c294550bb56fe8ac Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Sun, 28 Mar 2021 21:07:08 +0200
Subject: [PATCH 0105/1429] Refactor in progress

---
 .../Security/CWE-090/LDAPInjection.ql         | 82 +++----------------
 .../ldap3_unsanitized.py => ldap3_bad.py}     |  0
 .../ldap3_sanitized.py => ldap3_good.py}      |  0
 .../CWE-090/tests/ldap3_sanitized_asObj.py    | 57 -------------
 .../CWE-090/tests/ldap3_unsanitized_asObj.py  | 55 -------------
 .../Security/CWE-090/tests/ldap_sanitized.py  | 56 -------------
 .../CWE-090/tests/ldap_sanitized_asObj.py     | 57 -------------
 .../CWE-090/tests/ldap_unsanitized.py         | 52 ------------
 .../CWE-090/tests/ldap_unsanitized_asObj.py   | 52 ------------
 .../Security/CWE-090/unit_tests/ldap_bad.py   | 46 +++++++++++
 .../Security/CWE-090/unit_tests/ldap_good.py  | 60 ++++++++++++++
 .../experimental/semmle/python/Concepts.qll   | 43 ++++++++++
 .../semmle/python/frameworks/Stdlib.qll       | 56 +++++++++++++
 .../security/injection/LDAPInjection.qll      | 21 +++++
 14 files changed, 236 insertions(+), 401 deletions(-)
 rename python/ql/src/experimental/Security/CWE-090/{tests/ldap3_unsanitized.py => ldap3_bad.py} (100%)
 rename python/ql/src/experimental/Security/CWE-090/{tests/ldap3_sanitized.py => ldap3_good.py} (100%)
 delete mode 100644 python/ql/src/experimental/Security/CWE-090/tests/ldap3_sanitized_asObj.py
 delete mode 100644 python/ql/src/experimental/Security/CWE-090/tests/ldap3_unsanitized_asObj.py
 delete mode 100644 python/ql/src/experimental/Security/CWE-090/tests/ldap_sanitized.py
 delete mode 100644 python/ql/src/experimental/Security/CWE-090/tests/ldap_sanitized_asObj.py
 delete mode 100644 python/ql/src/experimental/Security/CWE-090/tests/ldap_unsanitized.py
 delete mode 100644 python/ql/src/experimental/Security/CWE-090/tests/ldap_unsanitized_asObj.py
 create mode 100644 python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_bad.py
 create mode 100644 python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_good.py
 create mode 100644 python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll

diff --git a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
index 55e477be50a..778b771f883 100644
--- a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
@@ -11,77 +11,15 @@
 
 // Determine precision above
 import python
-import semmle.python.dataflow.new.RemoteFlowSources
-import semmle.python.dataflow.new.DataFlow
-import semmle.python.dataflow.new.TaintTracking
-import semmle.python.dataflow.new.internal.TaintTrackingPublic
+import experimental.semmle.python.security.injection.LDAPInjection
 import DataFlow::PathGraph
 
-class InitializeSink extends DataFlow::Node {
-  InitializeSink() {
-    exists(SsaVariable initVar, CallNode searchCall |
-      // get variable whose value equals a call to ldap.initialize
-      initVar.getDefinition().getImmediateDominator() = Value::named("ldap.initialize").getACall() and
-      // get the Call in which the previous variable is used
-      initVar.getAUse().getNode() = searchCall.getNode().getFunc().(Attribute).getObject() and
-      // restrict that call's attribute (something.this) to match %search%
-      searchCall.getNode().getFunc().(Attribute).getName().matches("%search%") and
-      // set the third argument (search_filter) as sink
-      this.asExpr() = searchCall.getArg(2).getNode()
-      // set the first argument (DN) as sink
-      // or this.asExpr() = searchCall.getArg(0) // Should this be set?
-    )
-  }
-}
-
-class ConnectionSink extends DataFlow::Node {
-  ConnectionSink() {
-    exists(SsaVariable connVar, CallNode searchCall |
-      // get variable whose value equals a call to ldap.initialize
-      connVar.getDefinition().getImmediateDominator() = Value::named("ldap3.Connection").getACall() and
-      // get the Call in which the previous variable is used
-      connVar.getAUse().getNode() = searchCall.getNode().getFunc().(Attribute).getObject() and
-      // restrict that call's attribute (something.this) to match %search%
-      searchCall.getNode().getFunc().(Attribute).getName().matches("%search%") and
-      // set the second argument (search_filter) as sink
-      this.asExpr() = searchCall.getArg(1).getNode()
-      // set the first argument (DN) as sink
-      // or this.asExpr() = searchCall.getArg(0) // Should this be set?
-    )
-  }
-}
-
-class EscapeSanitizer extends DataFlow::Node {
-  EscapeSanitizer() {
-    exists(Call c |
-      (
-        // avoid flow through any %escape% function
-        c.getFunc().(Attribute).getName().matches("%escape%") or // something.%escape%()
-        c.getFunc().(Name).getId().matches("%escape%") // %escape%()
-      ) and
-      this.asExpr() = c
-    )
-  }
-}
-
-class LDAPInjectionSink extends DataFlow::Node {
-  LDAPInjectionSink() {
-    this instanceof InitializeSink or
-    this instanceof ConnectionSink
-  }
-}
-
-class LDAPInjectionFlowConfig extends TaintTracking::Configuration {
-  LDAPInjectionFlowConfig() { this = "LDAPInjectionFlowConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof LDAPInjectionSink }
-
-  override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof EscapeSanitizer }
-}
-
-from LDAPInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ LDAP query executes $@.", sink.getNode(), "This",
-  source.getNode(), "a user-provided value"
+from
+  LDAPInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
+  LDAPQuery castedSink
+where
+  config.hasFlowPath(source, sink) and
+  castedSink = sink.getNode()
+select sink.getNode(), source, sink, "$@ LDAP query executes $@ as a $@ probably leaking $@.",
+  sink.getNode(), "This", source.getNode(), "a user-provided value", castedSink.getLDAPNode(),
+  castedSink.getLDAPPart(), castedSink.getAttrList(), "this attribute(s)"
diff --git a/python/ql/src/experimental/Security/CWE-090/tests/ldap3_unsanitized.py b/python/ql/src/experimental/Security/CWE-090/ldap3_bad.py
similarity index 100%
rename from python/ql/src/experimental/Security/CWE-090/tests/ldap3_unsanitized.py
rename to python/ql/src/experimental/Security/CWE-090/ldap3_bad.py
diff --git a/python/ql/src/experimental/Security/CWE-090/tests/ldap3_sanitized.py b/python/ql/src/experimental/Security/CWE-090/ldap3_good.py
similarity index 100%
rename from python/ql/src/experimental/Security/CWE-090/tests/ldap3_sanitized.py
rename to python/ql/src/experimental/Security/CWE-090/ldap3_good.py
diff --git a/python/ql/src/experimental/Security/CWE-090/tests/ldap3_sanitized_asObj.py b/python/ql/src/experimental/Security/CWE-090/tests/ldap3_sanitized_asObj.py
deleted file mode 100644
index c7dbb345058..00000000000
--- a/python/ql/src/experimental/Security/CWE-090/tests/ldap3_sanitized_asObj.py
+++ /dev/null
@@ -1,57 +0,0 @@
-from ldap3 import Server, Connection
-from ldap3.utils.conv import escape_filter_chars
-from flask import request, Flask
-
-app = Flask(__name__)
-
-
-@app.route("/tainted_var")
-def tainted_var():
-    sanitized_dn = "dc=%s" % request.args['dc']
-    sanitized_filter = "(&(objectClass=*)(uid=%s))" % escape_filter_chars(
-        request.args['username'])
-
-    srv = Server('localhost', port=1337)
-    conn = Connection(srv, user=sanitized_dn, auto_bind=True)
-    conn.search(sanitized_dn, sanitized_filter)
-    return conn.response
-
-
-@app.route("/var_tainted")
-def var_tainted():
-    sanitized_dn = request.args['dc']
-    sanitized_filter = request.args['username']
-
-    dn = "dc=%s" % sanitized_dn
-    search_filter = "(&(objectClass=*)(uid=%s))" % escape_filter_chars(sanitized_filter)
-
-    srv = Server('localhost', port=1337)
-    conn = Connection(srv, user=dn, auto_bind=True)
-    conn.search(dn, search_filter)
-    return conn.response
-
-
-@app.route("/direct")
-def direct():
-    srv = Server('localhost', port=1337)
-    conn = Connection(srv, user="dc=%s" % request.args['dc'], auto_bind=True)
-    conn.search("dc=%s" % request.args['dc'], "(&(objectClass=*)(uid=%s))" %
-                escape_filter_chars(request.args['username']))
-    return conn.response
-
-
-@app.route("/with_2")
-def with_2():
-    sanitized_dn = request.args['dc']
-    sanitized_filter = escape_filter_chars(request.args['username'])
-
-    dn = "dc=%s" % sanitized_dn
-    search_filter = "(&(objectClass=*)(uid=%s))" % sanitized_filter
-
-    srv = Server('localhost', port=1337)
-    with Connection(server, auto_bind=True) as conn:
-        conn.search(dn, search_filter)
-        return conn.response
-
-# if __name__ == "__main__":
-#     app.run(debug=True)
diff --git a/python/ql/src/experimental/Security/CWE-090/tests/ldap3_unsanitized_asObj.py b/python/ql/src/experimental/Security/CWE-090/tests/ldap3_unsanitized_asObj.py
deleted file mode 100644
index 634ee992f3e..00000000000
--- a/python/ql/src/experimental/Security/CWE-090/tests/ldap3_unsanitized_asObj.py
+++ /dev/null
@@ -1,55 +0,0 @@
-from ldap3 import Server, Connection
-from flask import request, Flask
-
-app = Flask(__name__)
-
-
-@app.route("/tainted_var")
-def tainted_var():
-    unsanitized_dn = "dc=%s" % request.args['dc']
-    unsanitized_filter = "(&(objectClass=*)(uid=%s))" % request.args['username']
-
-    srv = Server('localhost', port=1337)
-    conn = Connection(srv, user=unsanitized_dn, auto_bind=True)
-    conn.search(unsanitized_dn, unsanitized_filter)
-    return conn.response
-
-
-@app.route("/var_tainted")
-def var_tainted():
-    unsanitized_dn = request.args['dc']
-    unsanitized_filter = request.args['username']
-
-    dn = "dc=%s" % unsanitized_dn
-    search_filter = "(&(objectClass=*)(uid=%s))" % unsanitized_filter
-
-    srv = Server('localhost', port=1337)
-    conn = Connection(srv, user=dn, auto_bind=True)
-    conn.search(dn, search_filter)
-    return conn.response
-
-
-@app.route("/direct")
-def direct():
-    srv = Server('localhost', port=1337)
-    conn = Connection(srv, user="dc=%s" % request.args['dc'], auto_bind=True)
-    conn.search(
-        "dc=%s" % request.args['dc'], "(&(objectClass=*)(uid=%s))" % request.args['username'])
-    return conn.response
-
-
-@app.route("/with_2")
-def with_2():
-    unsanitized_dn = request.args['dc']
-    unsanitized_filter = request.args['username']
-
-    dn = "dc=%s" % unsanitized_dn
-    search_filter = "(&(objectClass=*)(uid=%s))" % unsanitized_filter
-
-    srv = Server('localhost', port=1337)
-    with Connection(server, auto_bind=True) as conn:
-        conn.search(dn, search_filter)
-        return conn.response
-
-# if __name__ == "__main__":
-#     app.run(debug=True)
diff --git a/python/ql/src/experimental/Security/CWE-090/tests/ldap_sanitized.py b/python/ql/src/experimental/Security/CWE-090/tests/ldap_sanitized.py
deleted file mode 100644
index 83bafa79195..00000000000
--- a/python/ql/src/experimental/Security/CWE-090/tests/ldap_sanitized.py
+++ /dev/null
@@ -1,56 +0,0 @@
-from flask import request, Flask
-import ldap
-import ldap.filter
-import ldap.dn
-
-app = Flask(__name__)
-
-
-@app.route("/tainted_var")
-def tainted_var():
-    sanitized_dn = "dc=%s" % ldap.dn.escape_dn_chars(request.args['dc'])
-    sanitized_filter = "(&(objectClass=*)(uid=%s))" % ldap.filter.escape_filter_chars(
-        request.args['username'])
-
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
-    user = ldap_connection.search_s(
-        sanitized_dn, ldap.SCOPE_SUBTREE, sanitized_filter)
-    return user[0]
-
-
-@app.route("/var_tainted")
-def var_tainted():
-    sanitized_dn = request.args['dc']
-    sanitized_filter = request.args['username']
-
-    dn = "dc=%s" % ldap.dn.escape_dn_chars(sanitized_dn)
-    search_filter = "(&(objectClass=*)(uid=%s))" % ldap.filter.escape_filter_chars(sanitized_filter)
-
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
-    user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
-    return user[0]
-
-
-@app.route("/direct")
-def direct():
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
-    user = ldap_connection.search_s("dc=%s" % ldap.dn.escape_dn_chars(
-        request.args['dc']), ldap.SCOPE_SUBTREE, "(&(objectClass=*)(uid=%s))" % ldap.filter.escape_filter_chars(request.args['username']))
-    return user[0]
-
-
-@app.route("/with_")
-def with_():
-    sanitized_dn = ldap.dn.escape_dn_chars(request.args['dc'])
-    sanitized_filter = ldap.filter.escape_filter_chars(
-        request.args['username'])
-
-    dn = "dc=%s" % sanitized_dn
-    search_filter = "(&(objectClass=*)(uid=%s))" % sanitized_filter
-
-    with ldap.initialize("ldap://127.0.0.1:1337") as ldap_connection:
-        user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
-        return user[0]
-
-# if __name__ == "__main__":
-#     app.run(debug=True)
diff --git a/python/ql/src/experimental/Security/CWE-090/tests/ldap_sanitized_asObj.py b/python/ql/src/experimental/Security/CWE-090/tests/ldap_sanitized_asObj.py
deleted file mode 100644
index 1c9662a4bcf..00000000000
--- a/python/ql/src/experimental/Security/CWE-090/tests/ldap_sanitized_asObj.py
+++ /dev/null
@@ -1,57 +0,0 @@
-from flask import request, Flask
-from ldap import initialize
-import ldap.filter
-import ldap.dn
-
-app = Flask(__name__)
-
-
-@app.route("/tainted_var_2")
-def tainted_var_2():
-    sanitized_dn = "dc=%s" % ldap.dn.escape_dn_chars(request.args['dc'])
-    sanitized_filter = "(&(objectClass=*)(uid=%s))" % ldap.filter.escape_filter_chars(
-        request.args['username'])
-
-    ldap_connection = initialize("ldap://127.0.0.1:1337")
-    user = ldap_connection.search_s(
-        sanitized_dn, ldap.SCOPE_SUBTREE, sanitized_filter)
-    return user[0]
-
-
-@app.route("/var_tainted_2")
-def var_tainted_2():
-    sanitized_dn = ldap.dn.escape_dn_chars(request.args['dc'])
-    sanitized_filter = ldap.filter.escape_filter_chars(
-        request.args['username'])
-
-    dn = "dc=%s" % sanitized_dn
-    search_filter = "(&(objectClass=*)(uid=%s))" % sanitized_filter
-
-    ldap_connection = initialize("ldap://127.0.0.1:1337")
-    user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
-    return user[0]
-
-
-@app.route("/direct_2")
-def direct_2():
-    ldap_connection = initialize("ldap://127.0.0.1:1337")
-    user = ldap_connection.search_s("dc=%s" % ldap.dn.escape_dn_chars(
-        request.args['dc']), ldap.SCOPE_SUBTREE, "(&(objectClass=*)(uid=%s))" % ldap.filter.escape_filter_chars(request.args['username']))
-    return user[0]
-
-
-@app.route("/with_2")
-def with_2():
-    sanitized_dn = ldap.dn.escape_dn_chars(request.args['dc'])
-    sanitized_filter = ldap.filter.escape_filter_chars(
-        request.args['username'])
-
-    dn = "dc=%s" % sanitized_dn
-    search_filter = "(&(objectClass=*)(uid=%s))" % sanitized_filter
-
-    with initialize("ldap://127.0.0.1:1337") as ldap_connection:
-        user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
-        return user[0]
-
-# if __name__ == "__main__":
-#     app.run(debug=True)
diff --git a/python/ql/src/experimental/Security/CWE-090/tests/ldap_unsanitized.py b/python/ql/src/experimental/Security/CWE-090/tests/ldap_unsanitized.py
deleted file mode 100644
index 8b22596b578..00000000000
--- a/python/ql/src/experimental/Security/CWE-090/tests/ldap_unsanitized.py
+++ /dev/null
@@ -1,52 +0,0 @@
-from flask import request, Flask
-import ldap
-
-app = Flask(__name__)
-
-
-@app.route("/tainted_var")
-def tainted_var():
-    unsanitized_dn = "dc=%s" % request.args['dc']
-    unsanitized_filter = "(&(objectClass=*)(uid=%s))" % request.args['username']
-
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
-    user = ldap_connection.search_s(
-        unsanitized_dn, ldap.SCOPE_SUBTREE, unsanitized_filter)
-    return user[0]
-
-
-@app.route("/var_tainted")
-def var_tainted():
-    unsanitized_dn = request.args['dc']
-    unsanitized_filter = request.args['username']
-
-    dn = "dc=%s" % unsanitized_dn
-    search_filter = "(&(objectClass=*)(uid=%s))" % unsanitized_filter
-
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
-    user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
-    return user[0]
-
-
-@app.route("/direct")
-def direct():
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
-    user = ldap_connection.search_s(
-        "dc=%s" % request.args['dc'], ldap.SCOPE_SUBTREE, "(&(objectClass=*)(uid=%s))" % request.args['username'])
-    return user[0]
-
-
-@app.route("/with_")
-def with_():
-    sanitized_dn = request.args['dc']
-    sanitized_filter = request.args['username']
-
-    dn = "dc=%s" % sanitized_dn
-    search_filter = "(&(objectClass=*)(uid=%s))" % sanitized_filter
-
-    with ldap.initialize("ldap://127.0.0.1:1337") as ldap_connection:
-        user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
-        return user[0]
-
-# if __name__ == "__main__":
-#     app.run(debug=True)
diff --git a/python/ql/src/experimental/Security/CWE-090/tests/ldap_unsanitized_asObj.py b/python/ql/src/experimental/Security/CWE-090/tests/ldap_unsanitized_asObj.py
deleted file mode 100644
index 49774dda2ec..00000000000
--- a/python/ql/src/experimental/Security/CWE-090/tests/ldap_unsanitized_asObj.py
+++ /dev/null
@@ -1,52 +0,0 @@
-from flask import request, Flask
-from ldap import initialize
-
-app = Flask(__name__)
-
-
-@app.route("/tainted_var")
-def tainted_var():
-    unsanitized_dn = "dc=%s" % request.args['dc']
-    unsanitized_filter = "(&(objectClass=*)(uid=%s))" % request.args['username']
-
-    ldap_connection = initialize("ldap://127.0.0.1:1337")
-    user = ldap_connection.search_s(
-        unsanitized_dn, ldap.SCOPE_SUBTREE, unsanitized_filter)
-    return user[0]
-
-
-@app.route("/var_tainted")
-def var_tainted():
-    unsanitized_dn = request.args['dc']
-    unsanitized_filter = request.args['username']
-
-    dn = "dc=%s" % unsanitized_dn
-    search_filter = "(&(objectClass=*)(uid=%s))" % unsanitized_filter
-
-    ldap_connection = initialize("ldap://127.0.0.1:1337")
-    user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
-    return user[0]
-
-
-@app.route("/direct")
-def direct():
-    ldap_connection = initialize("ldap://127.0.0.1:1337")
-    user = ldap_connection.search_s(
-        "dc=%s" % request.args['dc'], ldap.SCOPE_SUBTREE, "(&(objectClass=*)(uid=%s))" % request.args['username'])
-    return user[0]
-
-
-@app.route("/with_2")
-def with_2():
-    sanitized_dn = request.args['dc']
-    sanitized_filter = request.args['username']
-
-    dn = "dc=%s" % sanitized_dn
-    search_filter = "(&(objectClass=*)(uid=%s))" % sanitized_filter
-
-    with initialize("ldap://127.0.0.1:1337") as ldap_connection:
-        user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter)
-        return user[0]
-
-# if __name__ == "__main__":
-#     app.run(debug=True)
diff --git a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_bad.py b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_bad.py
new file mode 100644
index 00000000000..a409a38e019
--- /dev/null
+++ b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_bad.py
@@ -0,0 +1,46 @@
+from flask import request, Flask
+import ldap
+
+app = Flask(__name__)
+
+
+@app.route("/normal")
+def normal():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s(
+        unsafe_dn, ldap.SCOPE_SUBTREE, unsafe_filter, ["testAttr1", "testAttr2"])
+
+
+@app.route("/direct")
+def direct():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    user = ldap.initialize("ldap://127.0.0.1:1337").search_s(
+        unsafe_dn, ldap.SCOPE_SUBTREE, unsafe_filter, ["testAttr1", "testAttr2"])
+
+
+@app.route("/normal_argbyname")
+def normal_argbyname():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s(
+        unsafe_dn, ldap.SCOPE_SUBTREE, attrlist=["testAttr1", "testAttr2"], filterstr=unsafe_filter)
+
+
+@app.route("/direct_argbyname")
+def direct_argbyname():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    user = ldap.initialize("ldap://127.0.0.1:1337").search_s(
+        unsafe_dn, ldap.SCOPE_SUBTREE, attrlist=["testAttr1", "testAttr2"], filterstr=unsafe_filter)
+
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
diff --git a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_good.py b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_good.py
new file mode 100644
index 00000000000..1d04505fa28
--- /dev/null
+++ b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_good.py
@@ -0,0 +1,60 @@
+from flask import request, Flask
+import ldap
+import ldap.filter
+import ldap.dn
+
+app = Flask(__name__)
+
+
+@app.route("/normal")
+def normal():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
+    safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s(
+        safe_dn, ldap.SCOPE_SUBTREE, safe_filter, ["testAttr1", "testAttr2"])
+
+
+@app.route("/direct")
+def direct():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
+    safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
+
+    user = ldap.initialize("ldap://127.0.0.1:1337").search_s(
+        safe_dn, ldap.SCOPE_SUBTREE, safe_filter, ["testAttr1", "testAttr2"])
+
+
+@app.route("/normal_argbyname")
+def normal_argbyname():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
+    safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s(
+        safe_dn, ldap.SCOPE_SUBTREE, attrlist=["testAttr1", "testAttr2"], filterstr=safe_filter)
+
+
+@app.route("/direct_argbyname")
+def direct_argbyname():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
+    safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
+
+    user = ldap.initialize("ldap://127.0.0.1:1337").search_s(
+        safe_dn, ldap.SCOPE_SUBTREE, attrlist=["testAttr1", "testAttr2"], filterstr=safe_filter)
+
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index 904b7967ee8..e2b278e40da 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -13,3 +13,46 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
 private import experimental.semmle.python.Frameworks
+private import semmle.python.ApiGraphs
+
+/**
+ * To-Do
+ *
+ * LDAPQuery -> collect functions executing a search filter/DN
+ * LDAPEscape -> collect functions escaping a search filter/DN
+ */
+module LDAPQuery {
+  abstract class Range extends DataFlow::Node {
+    abstract DataFlow::Node getLDAPNode();
+
+    abstract string getLDAPPart();
+
+    abstract DataFlow::Node getAttrs();
+  }
+}
+
+class LDAPQuery extends DataFlow::Node {
+  LDAPQuery::Range range;
+
+  LDAPQuery() { this = range }
+
+  DataFlow::Node getLDAPNode() { result = range.getLDAPNode() }
+
+  string getLDAPPart() { result = range.getLDAPPart() }
+
+  DataFlow::Node getAttrs() { result = range.getAttrs() }
+}
+
+module LDAPEscape {
+  abstract class Range extends DataFlow::Node {
+    abstract DataFlow::Node getEscapeNode();
+  }
+}
+
+class LDAPEscape extends DataFlow::Node {
+  LDAPEscape::Range range;
+
+  LDAPEscape() { this = range }
+
+  DataFlow::Node getEscapeNode() { result = range.getEscapeNode() }
+}
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index 420caf0d73b..1ef42edbdbb 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -9,3 +9,59 @@ private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import experimental.semmle.python.Concepts
 private import semmle.python.ApiGraphs
+
+private module LDAP {
+  private module LDAP2 {
+    private class LDAP2QueryMethods extends string {
+      LDAP2QueryMethods() {
+        this in ["search", "search_s", "search_st", "search_ext", "search_ext_s"]
+      }
+    }
+
+    private class LDAP2Query extends DataFlow::CallCfgNode, LDAPQuery::Range {
+      DataFlow::Node ldapNode;
+      string ldapPart;
+      DataFlow::Node attrs;
+
+      LDAP2Query() {
+        exists(DataFlow::AttrRead searchMethod, DataFlow::CallCfgNode initCall |
+          this.getFunction() = searchMethod and
+          initCall = API::moduleImport("ldap").getMember("initialize").getACall() and
+          initCall = searchMethod.getObject().getALocalSource() and
+          searchMethod.getAttributeName() instanceof LDAP2QueryMethods and
+          (
+            (
+              ldapNode = this.getArg(2) or
+              ldapNode = this.getArgByName("filterstr")
+            ) and
+            ldapPart = "search_filter"
+            or
+            ldapNode = this.getArg(0) and
+            ldapPart = "DN"
+          ) and
+          ( // what if they're not set?
+            attrs = this.getArg(3) or
+            attrs = this.getArgByName("attrlist")
+          )
+        )
+      }
+
+      override DataFlow::Node getLDAPNode() { result = ldapNode }
+
+      override string getLDAPPart() { result = ldapPart }
+
+      override DataFlow::Node getAttrs() { result = attrs }
+    }
+
+    private class LDAP2EscapeDN extends DataFlow::CallCfgNode, LDAPEscape::Range {
+      DataFlow::Node escapeNode;
+
+      LDAP2EscapeDN() {
+        this = API::moduleImport("ldap").getMember("dn").getMember("escape_dn_chars").getACall() and
+        escapeNode = this.getArg(0)
+      }
+
+      override DataFlow::Node getEscapeNode() { result = escapeNode }
+    }
+  }
+}
diff --git a/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll
new file mode 100644
index 00000000000..f5fa2306f31
--- /dev/null
+++ b/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll
@@ -0,0 +1,21 @@
+/**
+ * Provides a taint-tracking configuration for detecting LDAP injection vulnerabilities
+ */
+
+import python
+import experimental.semmle.python.Concepts
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.dataflow.new.RemoteFlowSources
+
+/**
+ * A taint-tracking configuration for detecting regular expression injections.
+ */
+class LDAPInjectionFlowConfig extends TaintTracking::Configuration {
+  LDAPInjectionFlowConfig() { this = "LDAPInjectionFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink = any(LDAPQuery lQ).getLDAPNode() }
+  // override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof RemoteFlowSource } // any(LDAPEscape ldapEsc).getEscapeNode() }
+}

From 093c63ea3b15cd33b08b8bd1d1058ffc3c6dd075 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Sun, 28 Mar 2021 23:42:36 +0300
Subject: [PATCH 0106/1429] Update
 OperatorPrecedenceLogicErrorWhenUseBoolType.expected

---
 .../tests/OperatorPrecedenceLogicErrorWhenUseBoolType.expected  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.expected
index 76062fc360a..1209c7e7830 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/OperatorPrecedenceLogicErrorWhenUseBoolType.expected
@@ -1,4 +1,4 @@
-| test.cpp:10:3:10:10 | ... = ... | this expression needs attention |
+| test.cpp:10:8:10:10 | - ... | this expression needs attention |
 | test.cpp:12:3:12:6 | ... ++ | this expression needs attention |
 | test.cpp:13:3:13:6 | ++ ... | this expression needs attention |
 | test.cpp:14:6:14:21 | ... = ... | this expression needs attention |

From 3f215d0954ea56c34f90837e259553be82675f76 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Sun, 28 Mar 2021 23:43:22 +0300
Subject: [PATCH 0107/1429] Update
 OperatorPrecedenceLogicErrorWhenUseBoolType.ql

---
 ...ratorPrecedenceLogicErrorWhenUseBoolType.ql | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql b/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
index 034df703bc3..4f30f112eb0 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
@@ -13,17 +13,17 @@
  */
 
 import cpp
-import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+import semmle.code.cpp.valuenumbering.HashCons
 
 /** Holds if `exp` increments a boolean value. */
-predicate incrementBoolType(Expr exp) {
-  exp.(IncrementOperation).getOperand().getType() instanceof BoolType
+predicate incrementBoolType(IncrementOperation exp) {
+  exp.getOperand().getType() instanceof BoolType
 }
 
 /** Holds if `exp` applies the unary minus operator to a boolean type. */
-predicate revertSignBoolType(Expr exp) {
-  exp.(AssignExpr).getRValue().(UnaryMinusExpr).getAnOperand().getType() instanceof BoolType and
-  exp.(AssignExpr).getLValue().getType() instanceof BoolType
+predicate revertSignBoolType(UnaryMinusExpr exp) {
+  exp.getAnOperand().getType() instanceof BoolType and
+  exp.getFullyConverted().getType() instanceof BoolType
 }
 
 /** Holds, if this is an expression, uses comparison and assignment outside of execution precedence. */
@@ -33,6 +33,12 @@ predicate assignBoolType(Expr exp) {
     exp.isCondition() and
     not co.isParenthesised() and
     not exp.(AssignExpr).getLValue().getType() instanceof BoolType and
+    not exists(Expr exbl |
+      hashCons(exbl.(AssignExpr).getLValue()) = hashCons(exp.(AssignExpr).getLValue()) and
+      not exbl.isCondition() and
+      exbl.(AssignExpr).getRValue().getType() instanceof BoolType and
+      exbl.(AssignExpr).getLValue().getType() = exp.(AssignExpr).getLValue().getType()
+    ) and
     co.getLeftOperand() instanceof FunctionCall and
     not co.getRightOperand().getType() instanceof BoolType and
     not co.getRightOperand().getValue() = "0" and

From 0775d35591511db2003b3b7453c6bfc2284ba250 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Mon, 29 Mar 2021 12:02:37 +0800
Subject: [PATCH 0108/1429] update VerificationMethodFlowConfig, add if test

---
 .../Security/CWE/CWE-352/JsonpInjection.java  |  35 ++--
 .../Security/CWE/CWE-352/JsonpInjection.qhelp |   2 +-
 .../Security/CWE/CWE-352/JsonpInjection.ql    |  27 ++--
 .../CWE/CWE-352/JsonpInjectionLib.qll         |  47 ++++--
 .../JsonpController.java                      |  35 ++--
 .../JsonpInjection.expected                   | 138 ++++++++--------
 .../JsonpController.java                      |  37 +++--
 .../JsonpInjection.expected                   | 147 ++++++++---------
 .../JsonpController.java                      |  37 +++--
 .../JsonpInjection.expected                   | 150 +++++++++---------
 10 files changed, 362 insertions(+), 293 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java
index 7f479a8c023..8e2a0c9005f 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java
@@ -26,9 +26,6 @@ public class JsonpInjection {
         hashMap.put("password","123456");
     }
 
-    private String name = null;
-
-
     @GetMapping(value = "jsonp1")
     @ResponseBody
     public String bad1(HttpServletRequest request) {
@@ -77,7 +74,6 @@ public class JsonpInjection {
         PrintWriter pw = null;
         Gson gson = new Gson();
         String result = gson.toJson(hashMap);
-
         String resultStr = null;
         pw = response.getWriter();
         resultStr = jsonpCallback + "(" + result + ")";
@@ -109,13 +105,25 @@ public class JsonpInjection {
         return resultStr;
     }
 
-
     @GetMapping(value = "jsonp8")
     @ResponseBody
+    public String bad8(HttpServletRequest request) {
+        String resultStr = null;
+        String token = request.getParameter("token");
+        boolean result = verifToken(token); //Just check.
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+
+    @GetMapping(value = "jsonp9")
+    @ResponseBody
     public String good1(HttpServletRequest request) {
         String resultStr = null;
-        String token = request.getParameter("token");
-        if (verifToken(token)){
+        String referer = request.getParameter("referer");
+        if (verifReferer(referer)){
             String jsonpCallback = request.getParameter("jsonpCallback");
             String jsonStr = getJsonStr(hashMap);
             resultStr = jsonpCallback + "(" + jsonStr + ")";
@@ -125,7 +133,7 @@ public class JsonpInjection {
     }
 
 
-    @GetMapping(value = "jsonp9")
+    @GetMapping(value = "jsonp10")
     @ResponseBody
     public String good2(HttpServletRequest request) {
         String resultStr = null;
@@ -140,7 +148,7 @@ public class JsonpInjection {
         return resultStr;
     }
 
-    @RequestMapping(value = "jsonp10")
+    @RequestMapping(value = "jsonp11")
     @ResponseBody
     public String good3(HttpServletRequest request) {
         JSONObject parameterObj = readToJSONObect(request);
@@ -151,7 +159,7 @@ public class JsonpInjection {
         return resultStr;
     }
 
-    @RequestMapping(value = "jsonp11")
+    @RequestMapping(value = "jsonp12")
     @ResponseBody
     public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
         if(null == file){
@@ -200,4 +208,11 @@ public class JsonpInjection {
         }
         return true;
     }
+
+    public static boolean verifReferer(String str){
+        if (str != "xxxx"){
+            return false;
+        }
+        return true;
+    }
 }
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
index 93c167d6c2c..2712f30a3f2 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
@@ -14,7 +14,7 @@ When there is a cross-domain problem, the problem of sensitive information leaka
 </recommendation>
 <example>
 
-<p>The following examples show the bad case and the good case respectively. Bad case, such as <code>bad1</code> to <code>bad7</code>, 
+<p>The following examples show the bad case and the good case respectively. Bad case, such as <code>bad1</code> to <code>bad8</code>, 
 will cause information leakage problems when there are cross-domain problems. In a good case, for example, in the <code>good1</code> 
 method and the <code>good2</code> method, use the <code>verifToken</code> method to do the random <code>token</code> Verification can 
 solve the problem of information leakage caused by cross-domain.</p>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
index eb4fe4e5b66..6e333d83993 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -18,20 +18,18 @@ import DataFlow::PathGraph
 
 /** Determine whether there is a verification method for the remote streaming source data flow path method. */
 predicate existsFilterVerificationMethod() {
-  exists(MethodAccess ma, Node existsNode, Method m |
-    ma.getMethod() instanceof VerificationMethodClass and
-    existsNode.asExpr() = ma and
-    m = getACallingCallableOrSelf(existsNode.getEnclosingCallable()) and
+  exists(DataFlow::Node source, DataFlow::Node sink, VerificationMethodFlowConfig vmfc, Method m |
+    vmfc.hasFlow(source, sink) and
+    m = getACallingCallableOrSelf(source.getEnclosingCallable()) and
     isDoFilterMethod(m)
   )
 }
 
 /** Determine whether there is a verification method for the remote streaming source data flow path method. */
 predicate existsServletVerificationMethod(Node checkNode) {
-  exists(MethodAccess ma, Node existsNode |
-    ma.getMethod() instanceof VerificationMethodClass and
-    existsNode.asExpr() = ma and
-    getACallingCallableOrSelf(existsNode.getEnclosingCallable()) =
+  exists(DataFlow::Node source, DataFlow::Node sink, VerificationMethodFlowConfig vmfc |
+    vmfc.hasFlow(source, sink) and
+    getACallingCallableOrSelf(source.getEnclosingCallable()) =
       getACallingCallableOrSelf(checkNode.getEnclosingCallable())
   )
 }
@@ -40,13 +38,14 @@ predicate existsServletVerificationMethod(Node checkNode) {
 class RequestResponseFlowConfig extends TaintTracking::Configuration {
   RequestResponseFlowConfig() { this = "RequestResponseFlowConfig" }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource and
+    getACallingCallableOrSelf(source.getEnclosingCallable()) instanceof RequestGetMethod
+  }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
-
-  /** Eliminate the method of calling the node is not the get method. */
-  override predicate isSanitizer(DataFlow::Node node) {
-    not getACallingCallableOrSelf(node.getEnclosingCallable()) instanceof RequestGetMethod
+  override predicate isSink(DataFlow::Node sink) {
+    sink instanceof XssSink and
+    getACallingCallableOrSelf(sink.getEnclosingCallable()) instanceof RequestGetMethod
   }
 
   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index d0e00bcb634..bf90926f72f 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -3,30 +3,47 @@ import DataFlow
 import JsonStringLib
 import semmle.code.java.security.XSS
 import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.DataFlow3
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.spring.SpringController
 
+/** A data flow configuration is tracing flow from the access to the authentication method of token/auth/referer/origin to if condition. */
+class VerificationMethodToIfFlowConfig extends DataFlow3::Configuration {
+  VerificationMethodToIfFlowConfig() { this = "VerificationMethodToIfFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) {
+    exists(MethodAccess ma, BarrierGuard bg | ma = bg |
+      (
+        ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
+        or
+        ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
+      ) and
+      ma = src.asExpr()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(IfStmt is | is.getCondition() = sink.asExpr())
+  }
+}
+
 /** Taint-tracking configuration tracing flow from untrusted inputs to verification of remote user input. */
-class VerificationMethodFlowConfig extends TaintTracking::Configuration {
+class VerificationMethodFlowConfig extends TaintTracking2::Configuration {
   VerificationMethodFlowConfig() { this = "VerificationMethodFlowConfig" }
 
   override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma |
-      ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
-      ma.getAnArgument() = sink.asExpr()
-    )
-  }
-}
-
-/** The parameter names of this method are token/auth/referer/origin. */
-class VerificationMethodClass extends Method {
-  VerificationMethodClass() {
-    exists(MethodAccess ma, VerificationMethodFlowConfig vmfc, Node node |
-      this = ma.getMethod() and
-      node.asExpr() = ma.getAnArgument() and
-      vmfc.hasFlowTo(node)
+    exists(MethodAccess ma, BarrierGuard bg, int i, VerificationMethodToIfFlowConfig vmtifc |
+      ma = bg
+    |
+      (
+        ma.getMethod().getParameter(i).getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
+        or
+        ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
+      ) and
+      ma.getArgument(i) = sink.asExpr() and
+      vmtifc.hasFlow(exprNode(ma), _)
     )
   }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpController.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpController.java
index e5b5e70a38d..e875da2f699 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpController.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpController.java
@@ -26,9 +26,6 @@ public class JsonpController {
         hashMap.put("password","123456");
     }
 
-    private String name = null;
-
-
     @GetMapping(value = "jsonp1")
     @ResponseBody
     public String bad1(HttpServletRequest request) {
@@ -77,7 +74,6 @@ public class JsonpController {
         PrintWriter pw = null;
         Gson gson = new Gson();
         String result = gson.toJson(hashMap);
-
         String resultStr = null;
         pw = response.getWriter();
         resultStr = jsonpCallback + "(" + result + ")";
@@ -109,13 +105,25 @@ public class JsonpController {
         return resultStr;
     }
 
-
     @GetMapping(value = "jsonp8")
     @ResponseBody
+    public String bad8(HttpServletRequest request) {
+        String resultStr = null;
+        String token = request.getParameter("token");
+        boolean result = verifToken(token); //Just check.
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+
+    @GetMapping(value = "jsonp9")
+    @ResponseBody
     public String good1(HttpServletRequest request) {
         String resultStr = null;
-        String token = request.getParameter("token");
-        if (verifToken(token)){
+        String referer = request.getParameter("referer");
+        if (verifReferer(referer)){
             String jsonpCallback = request.getParameter("jsonpCallback");
             String jsonStr = getJsonStr(hashMap);
             resultStr = jsonpCallback + "(" + jsonStr + ")";
@@ -125,7 +133,7 @@ public class JsonpController {
     }
 
 
-    @GetMapping(value = "jsonp9")
+    @GetMapping(value = "jsonp10")
     @ResponseBody
     public String good2(HttpServletRequest request) {
         String resultStr = null;
@@ -140,7 +148,7 @@ public class JsonpController {
         return resultStr;
     }
 
-    @RequestMapping(value = "jsonp10")
+    @RequestMapping(value = "jsonp11")
     @ResponseBody
     public String good3(HttpServletRequest request) {
         JSONObject parameterObj = readToJSONObect(request);
@@ -151,7 +159,7 @@ public class JsonpController {
         return resultStr;
     }
 
-    @RequestMapping(value = "jsonp11")
+    @RequestMapping(value = "jsonp12")
     @ResponseBody
     public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
         if(null == file){
@@ -200,4 +208,11 @@ public class JsonpController {
         }
         return true;
     }
+
+    public static boolean verifReferer(String str){
+        if (str != "xxxx"){
+            return false;
+        }
+        return true;
+    }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.expected
index 501565f2b4e..3da805c6a69 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.expected
@@ -1,80 +1,76 @@
 edges
-| JsonpController.java:36:32:36:68 | getParameter(...) : String | JsonpController.java:40:16:40:24 | resultStr |
-| JsonpController.java:39:21:39:54 | ... + ... : String | JsonpController.java:40:16:40:24 | resultStr |
-| JsonpController.java:47:32:47:68 | getParameter(...) : String | JsonpController.java:49:16:49:24 | resultStr |
-| JsonpController.java:48:21:48:80 | ... + ... : String | JsonpController.java:49:16:49:24 | resultStr |
-| JsonpController.java:56:32:56:68 | getParameter(...) : String | JsonpController.java:59:16:59:24 | resultStr |
-| JsonpController.java:58:21:58:55 | ... + ... : String | JsonpController.java:59:16:59:24 | resultStr |
-| JsonpController.java:66:32:66:68 | getParameter(...) : String | JsonpController.java:69:16:69:24 | resultStr |
-| JsonpController.java:68:21:68:54 | ... + ... : String | JsonpController.java:69:16:69:24 | resultStr |
-| JsonpController.java:76:32:76:68 | getParameter(...) : String | JsonpController.java:84:20:84:28 | resultStr |
-| JsonpController.java:83:21:83:54 | ... + ... : String | JsonpController.java:84:20:84:28 | resultStr |
-| JsonpController.java:91:32:91:68 | getParameter(...) : String | JsonpController.java:98:20:98:28 | resultStr |
-| JsonpController.java:97:21:97:54 | ... + ... : String | JsonpController.java:98:20:98:28 | resultStr |
-| JsonpController.java:105:32:105:68 | getParameter(...) : String | JsonpController.java:109:16:109:24 | resultStr |
-| JsonpController.java:108:21:108:54 | ... + ... : String | JsonpController.java:109:16:109:24 | resultStr |
-| JsonpController.java:117:24:117:52 | getParameter(...) : String | JsonpController.java:118:24:118:28 | token |
-| JsonpController.java:119:36:119:72 | getParameter(...) : String | JsonpController.java:122:20:122:28 | resultStr |
-| JsonpController.java:121:25:121:59 | ... + ... : String | JsonpController.java:122:20:122:28 | resultStr |
-| JsonpController.java:132:24:132:52 | getParameter(...) : String | JsonpController.java:133:37:133:41 | token |
-| JsonpController.java:137:32:137:68 | getParameter(...) : String | JsonpController.java:140:16:140:24 | resultStr |
-| JsonpController.java:139:21:139:55 | ... + ... : String | JsonpController.java:140:16:140:24 | resultStr |
-| JsonpController.java:150:21:150:54 | ... + ... : String | JsonpController.java:151:16:151:24 | resultStr |
-| JsonpController.java:165:21:165:54 | ... + ... : String | JsonpController.java:166:16:166:24 | resultStr |
+| JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr |
+| JsonpController.java:36:21:36:54 | ... + ... : String | JsonpController.java:37:16:37:24 | resultStr |
+| JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr |
+| JsonpController.java:45:21:45:80 | ... + ... : String | JsonpController.java:46:16:46:24 | resultStr |
+| JsonpController.java:53:32:53:68 | getParameter(...) : String | JsonpController.java:56:16:56:24 | resultStr |
+| JsonpController.java:55:21:55:55 | ... + ... : String | JsonpController.java:56:16:56:24 | resultStr |
+| JsonpController.java:63:32:63:68 | getParameter(...) : String | JsonpController.java:66:16:66:24 | resultStr |
+| JsonpController.java:65:21:65:54 | ... + ... : String | JsonpController.java:66:16:66:24 | resultStr |
+| JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr |
+| JsonpController.java:79:21:79:54 | ... + ... : String | JsonpController.java:80:20:80:28 | resultStr |
+| JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr |
+| JsonpController.java:93:21:93:54 | ... + ... : String | JsonpController.java:94:20:94:28 | resultStr |
+| JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr |
+| JsonpController.java:104:21:104:54 | ... + ... : String | JsonpController.java:105:16:105:24 | resultStr |
+| JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr |
+| JsonpController.java:116:21:116:55 | ... + ... : String | JsonpController.java:117:16:117:24 | resultStr |
+| JsonpController.java:127:36:127:72 | getParameter(...) : String | JsonpController.java:130:20:130:28 | resultStr |
+| JsonpController.java:129:25:129:59 | ... + ... : String | JsonpController.java:130:20:130:28 | resultStr |
+| JsonpController.java:145:32:145:68 | getParameter(...) : String | JsonpController.java:148:16:148:24 | resultStr |
+| JsonpController.java:147:21:147:55 | ... + ... : String | JsonpController.java:148:16:148:24 | resultStr |
+| JsonpController.java:158:21:158:54 | ... + ... : String | JsonpController.java:159:16:159:24 | resultStr |
+| JsonpController.java:173:21:173:54 | ... + ... : String | JsonpController.java:174:16:174:24 | resultStr |
 | JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
-| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | JsonpInjectionServlet1.java:38:39:38:45 | referer |
 | JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
 | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
 | JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
-| RefererFilter.java:22:26:22:53 | getHeader(...) : String | RefererFilter.java:23:39:23:45 | refefer |
 nodes
-| JsonpController.java:36:32:36:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:39:21:39:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:47:32:47:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:48:21:48:80 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:56:32:56:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:58:21:58:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:66:32:66:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:68:21:68:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:76:32:76:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:83:21:83:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:91:32:91:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:97:21:97:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:105:32:105:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:108:21:108:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:117:24:117:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:118:24:118:28 | token | semmle.label | token |
-| JsonpController.java:119:36:119:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:121:25:121:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:132:24:132:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:133:37:133:41 | token | semmle.label | token |
-| JsonpController.java:137:32:137:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:139:21:139:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:150:21:150:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:151:16:151:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:165:21:165:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:166:16:166:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:33:32:33:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:36:21:36:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:44:32:44:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:45:21:45:80 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:46:16:46:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:46:16:46:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:53:32:53:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:55:21:55:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:56:16:56:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:56:16:56:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:63:32:63:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:65:21:65:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:66:16:66:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:66:16:66:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:73:32:73:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:79:21:79:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:80:20:80:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:80:20:80:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:87:32:87:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:93:21:93:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:94:20:94:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:94:20:94:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:101:32:101:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:104:21:104:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:114:32:114:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:116:21:116:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:127:36:127:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:129:25:129:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:145:32:145:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:147:21:147:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:158:21:158:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:159:16:159:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:173:21:173:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:174:16:174:24 | resultStr | semmle.label | resultStr |
 | JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| JsonpInjectionServlet1.java:38:39:38:45 | referer | semmle.label | referer |
 | JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String |
 | JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
 | JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
@@ -82,6 +78,4 @@ nodes
 | JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | semmle.label | ... + ... : String |
 | JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
 | JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
-| RefererFilter.java:22:26:22:53 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| RefererFilter.java:23:39:23:45 | refefer | semmle.label | refefer |
 #select
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpController.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpController.java
index e5b5e70a38d..4c60b356cfb 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpController.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpController.java
@@ -26,9 +26,6 @@ public class JsonpController {
         hashMap.put("password","123456");
     }
 
-    private String name = null;
-
-
     @GetMapping(value = "jsonp1")
     @ResponseBody
     public String bad1(HttpServletRequest request) {
@@ -77,7 +74,6 @@ public class JsonpController {
         PrintWriter pw = null;
         Gson gson = new Gson();
         String result = gson.toJson(hashMap);
-
         String resultStr = null;
         pw = response.getWriter();
         resultStr = jsonpCallback + "(" + result + ")";
@@ -109,13 +105,25 @@ public class JsonpController {
         return resultStr;
     }
 
-
     @GetMapping(value = "jsonp8")
     @ResponseBody
+    public String bad8(HttpServletRequest request) {
+        String resultStr = null;
+        String token = request.getParameter("token");
+        boolean result = verifToken(token); //Just check.
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+
+    @GetMapping(value = "jsonp9")
+    @ResponseBody
     public String good1(HttpServletRequest request) {
         String resultStr = null;
-        String token = request.getParameter("token");
-        if (verifToken(token)){
+        String referer = request.getParameter("referer");
+        if (verifReferer(referer)){
             String jsonpCallback = request.getParameter("jsonpCallback");
             String jsonStr = getJsonStr(hashMap);
             resultStr = jsonpCallback + "(" + jsonStr + ")";
@@ -125,7 +133,7 @@ public class JsonpController {
     }
 
 
-    @GetMapping(value = "jsonp9")
+    @GetMapping(value = "jsonp10")
     @ResponseBody
     public String good2(HttpServletRequest request) {
         String resultStr = null;
@@ -140,7 +148,7 @@ public class JsonpController {
         return resultStr;
     }
 
-    @RequestMapping(value = "jsonp10")
+    @RequestMapping(value = "jsonp11")
     @ResponseBody
     public String good3(HttpServletRequest request) {
         JSONObject parameterObj = readToJSONObect(request);
@@ -151,7 +159,7 @@ public class JsonpController {
         return resultStr;
     }
 
-    @RequestMapping(value = "jsonp11")
+    @RequestMapping(value = "jsonp12")
     @ResponseBody
     public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
         if(null == file){
@@ -200,4 +208,11 @@ public class JsonpController {
         }
         return true;
     }
-}
+
+    public static boolean verifReferer(String str){
+        if (str != "xxxx"){
+            return false;
+        }
+        return true;
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected
index 91d23cebbda..2e4bc97ff97 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected
@@ -1,76 +1,77 @@
 edges
-| JsonpController.java:36:32:36:68 | getParameter(...) : String | JsonpController.java:40:16:40:24 | resultStr |
-| JsonpController.java:39:21:39:54 | ... + ... : String | JsonpController.java:40:16:40:24 | resultStr |
-| JsonpController.java:47:32:47:68 | getParameter(...) : String | JsonpController.java:49:16:49:24 | resultStr |
-| JsonpController.java:48:21:48:80 | ... + ... : String | JsonpController.java:49:16:49:24 | resultStr |
-| JsonpController.java:56:32:56:68 | getParameter(...) : String | JsonpController.java:59:16:59:24 | resultStr |
-| JsonpController.java:58:21:58:55 | ... + ... : String | JsonpController.java:59:16:59:24 | resultStr |
-| JsonpController.java:66:32:66:68 | getParameter(...) : String | JsonpController.java:69:16:69:24 | resultStr |
-| JsonpController.java:68:21:68:54 | ... + ... : String | JsonpController.java:69:16:69:24 | resultStr |
-| JsonpController.java:76:32:76:68 | getParameter(...) : String | JsonpController.java:84:20:84:28 | resultStr |
-| JsonpController.java:83:21:83:54 | ... + ... : String | JsonpController.java:84:20:84:28 | resultStr |
-| JsonpController.java:91:32:91:68 | getParameter(...) : String | JsonpController.java:98:20:98:28 | resultStr |
-| JsonpController.java:97:21:97:54 | ... + ... : String | JsonpController.java:98:20:98:28 | resultStr |
-| JsonpController.java:105:32:105:68 | getParameter(...) : String | JsonpController.java:109:16:109:24 | resultStr |
-| JsonpController.java:108:21:108:54 | ... + ... : String | JsonpController.java:109:16:109:24 | resultStr |
-| JsonpController.java:117:24:117:52 | getParameter(...) : String | JsonpController.java:118:24:118:28 | token |
-| JsonpController.java:119:36:119:72 | getParameter(...) : String | JsonpController.java:122:20:122:28 | resultStr |
-| JsonpController.java:121:25:121:59 | ... + ... : String | JsonpController.java:122:20:122:28 | resultStr |
-| JsonpController.java:132:24:132:52 | getParameter(...) : String | JsonpController.java:133:37:133:41 | token |
-| JsonpController.java:137:32:137:68 | getParameter(...) : String | JsonpController.java:140:16:140:24 | resultStr |
-| JsonpController.java:139:21:139:55 | ... + ... : String | JsonpController.java:140:16:140:24 | resultStr |
-| JsonpController.java:150:21:150:54 | ... + ... : String | JsonpController.java:151:16:151:24 | resultStr |
-| JsonpController.java:165:21:165:54 | ... + ... : String | JsonpController.java:166:16:166:24 | resultStr |
+| JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr |
+| JsonpController.java:36:21:36:54 | ... + ... : String | JsonpController.java:37:16:37:24 | resultStr |
+| JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr |
+| JsonpController.java:45:21:45:80 | ... + ... : String | JsonpController.java:46:16:46:24 | resultStr |
+| JsonpController.java:53:32:53:68 | getParameter(...) : String | JsonpController.java:56:16:56:24 | resultStr |
+| JsonpController.java:55:21:55:55 | ... + ... : String | JsonpController.java:56:16:56:24 | resultStr |
+| JsonpController.java:63:32:63:68 | getParameter(...) : String | JsonpController.java:66:16:66:24 | resultStr |
+| JsonpController.java:65:21:65:54 | ... + ... : String | JsonpController.java:66:16:66:24 | resultStr |
+| JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr |
+| JsonpController.java:79:21:79:54 | ... + ... : String | JsonpController.java:80:20:80:28 | resultStr |
+| JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr |
+| JsonpController.java:93:21:93:54 | ... + ... : String | JsonpController.java:94:20:94:28 | resultStr |
+| JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr |
+| JsonpController.java:104:21:104:54 | ... + ... : String | JsonpController.java:105:16:105:24 | resultStr |
+| JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr |
+| JsonpController.java:116:21:116:55 | ... + ... : String | JsonpController.java:117:16:117:24 | resultStr |
+| JsonpController.java:127:36:127:72 | getParameter(...) : String | JsonpController.java:130:20:130:28 | resultStr |
+| JsonpController.java:129:25:129:59 | ... + ... : String | JsonpController.java:130:20:130:28 | resultStr |
+| JsonpController.java:145:32:145:68 | getParameter(...) : String | JsonpController.java:148:16:148:24 | resultStr |
+| JsonpController.java:147:21:147:55 | ... + ... : String | JsonpController.java:148:16:148:24 | resultStr |
+| JsonpController.java:158:21:158:54 | ... + ... : String | JsonpController.java:159:16:159:24 | resultStr |
+| JsonpController.java:173:21:173:54 | ... + ... : String | JsonpController.java:174:16:174:24 | resultStr |
 nodes
-| JsonpController.java:36:32:36:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:39:21:39:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:47:32:47:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:48:21:48:80 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:56:32:56:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:58:21:58:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:66:32:66:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:68:21:68:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:76:32:76:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:83:21:83:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:91:32:91:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:97:21:97:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:105:32:105:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:108:21:108:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:117:24:117:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:118:24:118:28 | token | semmle.label | token |
-| JsonpController.java:119:36:119:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:121:25:121:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:132:24:132:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:133:37:133:41 | token | semmle.label | token |
-| JsonpController.java:137:32:137:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:139:21:139:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:150:21:150:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:151:16:151:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:165:21:165:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:166:16:166:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:33:32:33:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:36:21:36:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:44:32:44:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:45:21:45:80 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:46:16:46:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:46:16:46:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:53:32:53:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:55:21:55:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:56:16:56:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:56:16:56:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:63:32:63:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:65:21:65:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:66:16:66:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:66:16:66:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:73:32:73:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:79:21:79:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:80:20:80:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:80:20:80:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:87:32:87:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:93:21:93:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:94:20:94:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:94:20:94:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:101:32:101:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:104:21:104:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:114:32:114:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:116:21:116:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:127:36:127:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:129:25:129:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:145:32:145:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:147:21:147:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:158:21:158:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:159:16:159:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:173:21:173:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:174:16:174:24 | resultStr | semmle.label | resultStr |
 #select
-| JsonpController.java:40:16:40:24 | resultStr | JsonpController.java:36:32:36:68 | getParameter(...) : String | JsonpController.java:40:16:40:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:36:32:36:68 | getParameter(...) | this user input |
-| JsonpController.java:49:16:49:24 | resultStr | JsonpController.java:47:32:47:68 | getParameter(...) : String | JsonpController.java:49:16:49:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:47:32:47:68 | getParameter(...) | this user input |
-| JsonpController.java:59:16:59:24 | resultStr | JsonpController.java:56:32:56:68 | getParameter(...) : String | JsonpController.java:59:16:59:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:56:32:56:68 | getParameter(...) | this user input |
-| JsonpController.java:69:16:69:24 | resultStr | JsonpController.java:66:32:66:68 | getParameter(...) : String | JsonpController.java:69:16:69:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:66:32:66:68 | getParameter(...) | this user input |
-| JsonpController.java:84:20:84:28 | resultStr | JsonpController.java:76:32:76:68 | getParameter(...) : String | JsonpController.java:84:20:84:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:76:32:76:68 | getParameter(...) | this user input |
-| JsonpController.java:98:20:98:28 | resultStr | JsonpController.java:91:32:91:68 | getParameter(...) : String | JsonpController.java:98:20:98:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:91:32:91:68 | getParameter(...) | this user input |
-| JsonpController.java:109:16:109:24 | resultStr | JsonpController.java:105:32:105:68 | getParameter(...) : String | JsonpController.java:109:16:109:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:105:32:105:68 | getParameter(...) | this user input |
+| JsonpController.java:37:16:37:24 | resultStr | JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:33:32:33:68 | getParameter(...) | this user input |
+| JsonpController.java:46:16:46:24 | resultStr | JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:44:32:44:68 | getParameter(...) | this user input |
+| JsonpController.java:56:16:56:24 | resultStr | JsonpController.java:53:32:53:68 | getParameter(...) : String | JsonpController.java:56:16:56:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:53:32:53:68 | getParameter(...) | this user input |
+| JsonpController.java:66:16:66:24 | resultStr | JsonpController.java:63:32:63:68 | getParameter(...) : String | JsonpController.java:66:16:66:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:63:32:63:68 | getParameter(...) | this user input |
+| JsonpController.java:80:20:80:28 | resultStr | JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:73:32:73:68 | getParameter(...) | this user input |
+| JsonpController.java:94:20:94:28 | resultStr | JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:87:32:87:68 | getParameter(...) | this user input |
+| JsonpController.java:105:16:105:24 | resultStr | JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:101:32:101:68 | getParameter(...) | this user input |
+| JsonpController.java:117:16:117:24 | resultStr | JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:114:32:114:68 | getParameter(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpController.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpController.java
index e5b5e70a38d..4c60b356cfb 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpController.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpController.java
@@ -26,9 +26,6 @@ public class JsonpController {
         hashMap.put("password","123456");
     }
 
-    private String name = null;
-
-
     @GetMapping(value = "jsonp1")
     @ResponseBody
     public String bad1(HttpServletRequest request) {
@@ -77,7 +74,6 @@ public class JsonpController {
         PrintWriter pw = null;
         Gson gson = new Gson();
         String result = gson.toJson(hashMap);
-
         String resultStr = null;
         pw = response.getWriter();
         resultStr = jsonpCallback + "(" + result + ")";
@@ -109,13 +105,25 @@ public class JsonpController {
         return resultStr;
     }
 
-
     @GetMapping(value = "jsonp8")
     @ResponseBody
+    public String bad8(HttpServletRequest request) {
+        String resultStr = null;
+        String token = request.getParameter("token");
+        boolean result = verifToken(token); //Just check.
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+
+    @GetMapping(value = "jsonp9")
+    @ResponseBody
     public String good1(HttpServletRequest request) {
         String resultStr = null;
-        String token = request.getParameter("token");
-        if (verifToken(token)){
+        String referer = request.getParameter("referer");
+        if (verifReferer(referer)){
             String jsonpCallback = request.getParameter("jsonpCallback");
             String jsonStr = getJsonStr(hashMap);
             resultStr = jsonpCallback + "(" + jsonStr + ")";
@@ -125,7 +133,7 @@ public class JsonpController {
     }
 
 
-    @GetMapping(value = "jsonp9")
+    @GetMapping(value = "jsonp10")
     @ResponseBody
     public String good2(HttpServletRequest request) {
         String resultStr = null;
@@ -140,7 +148,7 @@ public class JsonpController {
         return resultStr;
     }
 
-    @RequestMapping(value = "jsonp10")
+    @RequestMapping(value = "jsonp11")
     @ResponseBody
     public String good3(HttpServletRequest request) {
         JSONObject parameterObj = readToJSONObect(request);
@@ -151,7 +159,7 @@ public class JsonpController {
         return resultStr;
     }
 
-    @RequestMapping(value = "jsonp11")
+    @RequestMapping(value = "jsonp12")
     @ResponseBody
     public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
         if(null == file){
@@ -200,4 +208,11 @@ public class JsonpController {
         }
         return true;
     }
-}
+
+    public static boolean verifReferer(String str){
+        if (str != "xxxx"){
+            return false;
+        }
+        return true;
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected
index c2bcab77d4d..d90d51ab552 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected
@@ -1,79 +1,76 @@
 edges
-| JsonpController.java:36:32:36:68 | getParameter(...) : String | JsonpController.java:40:16:40:24 | resultStr |
-| JsonpController.java:39:21:39:54 | ... + ... : String | JsonpController.java:40:16:40:24 | resultStr |
-| JsonpController.java:47:32:47:68 | getParameter(...) : String | JsonpController.java:49:16:49:24 | resultStr |
-| JsonpController.java:48:21:48:80 | ... + ... : String | JsonpController.java:49:16:49:24 | resultStr |
-| JsonpController.java:56:32:56:68 | getParameter(...) : String | JsonpController.java:59:16:59:24 | resultStr |
-| JsonpController.java:58:21:58:55 | ... + ... : String | JsonpController.java:59:16:59:24 | resultStr |
-| JsonpController.java:66:32:66:68 | getParameter(...) : String | JsonpController.java:69:16:69:24 | resultStr |
-| JsonpController.java:68:21:68:54 | ... + ... : String | JsonpController.java:69:16:69:24 | resultStr |
-| JsonpController.java:76:32:76:68 | getParameter(...) : String | JsonpController.java:84:20:84:28 | resultStr |
-| JsonpController.java:83:21:83:54 | ... + ... : String | JsonpController.java:84:20:84:28 | resultStr |
-| JsonpController.java:91:32:91:68 | getParameter(...) : String | JsonpController.java:98:20:98:28 | resultStr |
-| JsonpController.java:97:21:97:54 | ... + ... : String | JsonpController.java:98:20:98:28 | resultStr |
-| JsonpController.java:105:32:105:68 | getParameter(...) : String | JsonpController.java:109:16:109:24 | resultStr |
-| JsonpController.java:108:21:108:54 | ... + ... : String | JsonpController.java:109:16:109:24 | resultStr |
-| JsonpController.java:117:24:117:52 | getParameter(...) : String | JsonpController.java:118:24:118:28 | token |
-| JsonpController.java:119:36:119:72 | getParameter(...) : String | JsonpController.java:122:20:122:28 | resultStr |
-| JsonpController.java:121:25:121:59 | ... + ... : String | JsonpController.java:122:20:122:28 | resultStr |
-| JsonpController.java:132:24:132:52 | getParameter(...) : String | JsonpController.java:133:37:133:41 | token |
-| JsonpController.java:137:32:137:68 | getParameter(...) : String | JsonpController.java:140:16:140:24 | resultStr |
-| JsonpController.java:139:21:139:55 | ... + ... : String | JsonpController.java:140:16:140:24 | resultStr |
-| JsonpController.java:150:21:150:54 | ... + ... : String | JsonpController.java:151:16:151:24 | resultStr |
-| JsonpController.java:165:21:165:54 | ... + ... : String | JsonpController.java:166:16:166:24 | resultStr |
+| JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr |
+| JsonpController.java:36:21:36:54 | ... + ... : String | JsonpController.java:37:16:37:24 | resultStr |
+| JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr |
+| JsonpController.java:45:21:45:80 | ... + ... : String | JsonpController.java:46:16:46:24 | resultStr |
+| JsonpController.java:53:32:53:68 | getParameter(...) : String | JsonpController.java:56:16:56:24 | resultStr |
+| JsonpController.java:55:21:55:55 | ... + ... : String | JsonpController.java:56:16:56:24 | resultStr |
+| JsonpController.java:63:32:63:68 | getParameter(...) : String | JsonpController.java:66:16:66:24 | resultStr |
+| JsonpController.java:65:21:65:54 | ... + ... : String | JsonpController.java:66:16:66:24 | resultStr |
+| JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr |
+| JsonpController.java:79:21:79:54 | ... + ... : String | JsonpController.java:80:20:80:28 | resultStr |
+| JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr |
+| JsonpController.java:93:21:93:54 | ... + ... : String | JsonpController.java:94:20:94:28 | resultStr |
+| JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr |
+| JsonpController.java:104:21:104:54 | ... + ... : String | JsonpController.java:105:16:105:24 | resultStr |
+| JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr |
+| JsonpController.java:116:21:116:55 | ... + ... : String | JsonpController.java:117:16:117:24 | resultStr |
+| JsonpController.java:127:36:127:72 | getParameter(...) : String | JsonpController.java:130:20:130:28 | resultStr |
+| JsonpController.java:129:25:129:59 | ... + ... : String | JsonpController.java:130:20:130:28 | resultStr |
+| JsonpController.java:145:32:145:68 | getParameter(...) : String | JsonpController.java:148:16:148:24 | resultStr |
+| JsonpController.java:147:21:147:55 | ... + ... : String | JsonpController.java:148:16:148:24 | resultStr |
+| JsonpController.java:158:21:158:54 | ... + ... : String | JsonpController.java:159:16:159:24 | resultStr |
+| JsonpController.java:173:21:173:54 | ... + ... : String | JsonpController.java:174:16:174:24 | resultStr |
 | JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
-| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | JsonpInjectionServlet1.java:38:39:38:45 | referer |
 | JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
 | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
 | JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
 nodes
-| JsonpController.java:36:32:36:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:39:21:39:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:47:32:47:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:48:21:48:80 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:56:32:56:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:58:21:58:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:66:32:66:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:68:21:68:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:76:32:76:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:83:21:83:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:91:32:91:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:97:21:97:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:105:32:105:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:108:21:108:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:117:24:117:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:118:24:118:28 | token | semmle.label | token |
-| JsonpController.java:119:36:119:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:121:25:121:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:132:24:132:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:133:37:133:41 | token | semmle.label | token |
-| JsonpController.java:137:32:137:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:139:21:139:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:150:21:150:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:151:16:151:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:165:21:165:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:166:16:166:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:33:32:33:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:36:21:36:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:44:32:44:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:45:21:45:80 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:46:16:46:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:46:16:46:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:53:32:53:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:55:21:55:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:56:16:56:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:56:16:56:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:63:32:63:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:65:21:65:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:66:16:66:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:66:16:66:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:73:32:73:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:79:21:79:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:80:20:80:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:80:20:80:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:87:32:87:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:93:21:93:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:94:20:94:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:94:20:94:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:101:32:101:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:104:21:104:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:114:32:114:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:116:21:116:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:127:36:127:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:129:25:129:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:145:32:145:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:147:21:147:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:158:21:158:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:159:16:159:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:173:21:173:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:174:16:174:24 | resultStr | semmle.label | resultStr |
 | JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| JsonpInjectionServlet1.java:38:39:38:45 | referer | semmle.label | referer |
 | JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String |
 | JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
 | JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
@@ -82,11 +79,12 @@ nodes
 | JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
 | JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
 #select
-| JsonpController.java:40:16:40:24 | resultStr | JsonpController.java:36:32:36:68 | getParameter(...) : String | JsonpController.java:40:16:40:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:36:32:36:68 | getParameter(...) | this user input |
-| JsonpController.java:49:16:49:24 | resultStr | JsonpController.java:47:32:47:68 | getParameter(...) : String | JsonpController.java:49:16:49:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:47:32:47:68 | getParameter(...) | this user input |
-| JsonpController.java:59:16:59:24 | resultStr | JsonpController.java:56:32:56:68 | getParameter(...) : String | JsonpController.java:59:16:59:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:56:32:56:68 | getParameter(...) | this user input |
-| JsonpController.java:69:16:69:24 | resultStr | JsonpController.java:66:32:66:68 | getParameter(...) : String | JsonpController.java:69:16:69:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:66:32:66:68 | getParameter(...) | this user input |
-| JsonpController.java:84:20:84:28 | resultStr | JsonpController.java:76:32:76:68 | getParameter(...) : String | JsonpController.java:84:20:84:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:76:32:76:68 | getParameter(...) | this user input |
-| JsonpController.java:98:20:98:28 | resultStr | JsonpController.java:91:32:91:68 | getParameter(...) : String | JsonpController.java:98:20:98:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:91:32:91:68 | getParameter(...) | this user input |
-| JsonpController.java:109:16:109:24 | resultStr | JsonpController.java:105:32:105:68 | getParameter(...) : String | JsonpController.java:109:16:109:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:105:32:105:68 | getParameter(...) | this user input |
+| JsonpController.java:37:16:37:24 | resultStr | JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:33:32:33:68 | getParameter(...) | this user input |
+| JsonpController.java:46:16:46:24 | resultStr | JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:44:32:44:68 | getParameter(...) | this user input |
+| JsonpController.java:56:16:56:24 | resultStr | JsonpController.java:53:32:53:68 | getParameter(...) : String | JsonpController.java:56:16:56:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:53:32:53:68 | getParameter(...) | this user input |
+| JsonpController.java:66:16:66:24 | resultStr | JsonpController.java:63:32:63:68 | getParameter(...) : String | JsonpController.java:66:16:66:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:63:32:63:68 | getParameter(...) | this user input |
+| JsonpController.java:80:20:80:28 | resultStr | JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:73:32:73:68 | getParameter(...) | this user input |
+| JsonpController.java:94:20:94:28 | resultStr | JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:87:32:87:68 | getParameter(...) | this user input |
+| JsonpController.java:105:16:105:24 | resultStr | JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:101:32:101:68 | getParameter(...) | this user input |
+| JsonpController.java:117:16:117:24 | resultStr | JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:114:32:114:68 | getParameter(...) | this user input |
 | JsonpInjectionServlet2.java:39:20:39:28 | resultStr | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr | Jsonp response might include code from $@. | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) | this user input |

From ad36bea9d4ce61f804cdbfedddc5d3bebecdf1f6 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Mon, 29 Mar 2021 09:14:35 +0200
Subject: [PATCH 0109/1429] Refactor LDAP3 stuff (untested)

---
 .../Security/CWE-090/LDAPInjection.ql         |  5 +-
 .../experimental/semmle/python/Concepts.qll   |  6 --
 .../semmle/python/frameworks/Stdlib.qll       | 95 +++++++++++++++++--
 .../security/injection/LDAPInjection.qll      |  5 +-
 4 files changed, 94 insertions(+), 17 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
index 778b771f883..7ce3a118918 100644
--- a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
@@ -19,7 +19,8 @@ from
   LDAPQuery castedSink
 where
   config.hasFlowPath(source, sink) and
-  castedSink = sink.getNode()
+  castedSink = sink.getNode() //and
+// if exists(castedSink.getAttrs()) then
 select sink.getNode(), source, sink, "$@ LDAP query executes $@ as a $@ probably leaking $@.",
   sink.getNode(), "This", source.getNode(), "a user-provided value", castedSink.getLDAPNode(),
-  castedSink.getLDAPPart(), castedSink.getAttrList(), "this attribute(s)"
+  castedSink.getLDAPPart(), castedSink.getAttrs(), "this attribute(s)"
diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index e2b278e40da..e0f5c1bdec3 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -15,12 +15,6 @@ private import semmle.python.dataflow.new.TaintTracking
 private import experimental.semmle.python.Frameworks
 private import semmle.python.ApiGraphs
 
-/**
- * To-Do
- *
- * LDAPQuery -> collect functions executing a search filter/DN
- * LDAPEscape -> collect functions escaping a search filter/DN
- */
 module LDAPQuery {
   abstract class Range extends DataFlow::Node {
     abstract DataFlow::Node getLDAPNode();
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index 1ef42edbdbb..aa9013a76c0 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -30,18 +30,14 @@ private module LDAP {
           initCall = searchMethod.getObject().getALocalSource() and
           searchMethod.getAttributeName() instanceof LDAP2QueryMethods and
           (
+            ldapNode = this.getArg(0) and
+            ldapPart = "DN"
+            or
             (
               ldapNode = this.getArg(2) or
               ldapNode = this.getArgByName("filterstr")
             ) and
             ldapPart = "search_filter"
-            or
-            ldapNode = this.getArg(0) and
-            ldapPart = "DN"
-          ) and
-          ( // what if they're not set?
-            attrs = this.getArg(3) or
-            attrs = this.getArgByName("attrlist")
           )
         )
       }
@@ -50,7 +46,9 @@ private module LDAP {
 
       override string getLDAPPart() { result = ldapPart }
 
-      override DataFlow::Node getAttrs() { result = attrs }
+      override DataFlow::Node getAttrs() {
+        result = this.getArg(3) or result = this.getArgByName("attrlist")
+      }
     }
 
     private class LDAP2EscapeDN extends DataFlow::CallCfgNode, LDAPEscape::Range {
@@ -63,5 +61,86 @@ private module LDAP {
 
       override DataFlow::Node getEscapeNode() { result = escapeNode }
     }
+
+    private class LDAP2EscapeFilter extends DataFlow::CallCfgNode, LDAPEscape::Range {
+      DataFlow::Node escapeNode;
+
+      LDAP2EscapeFilter() {
+        this =
+          API::moduleImport("ldap").getMember("filter").getMember("escape_filter_chars").getACall() and
+        escapeNode = this.getArg(0)
+      }
+
+      override DataFlow::Node getEscapeNode() { result = escapeNode }
+    }
+  }
+
+  private module LDAP3 {
+    private class LDAP3QueryMethods extends string {
+      // pending to dig into this although https://github.com/cannatag/ldap3/blob/21001d9087c0d24c399eec433a261c455b7bc97f/ldap3/core/connection.py#L760
+      LDAP3QueryMethods() { this in ["search"] }
+    }
+
+    private class LDAP3Query extends DataFlow::CallCfgNode, LDAPQuery::Range {
+      DataFlow::Node ldapNode;
+      string ldapPart;
+      DataFlow::Node attrs;
+
+      LDAP3Query() {
+        exists(DataFlow::AttrRead searchMethod, DataFlow::CallCfgNode connCall |
+          this.getFunction() = searchMethod and
+          connCall = API::moduleImport("ldap3").getMember("Connection").getACall() and
+          connCall = searchMethod.getObject().getALocalSource() and
+          searchMethod.getAttributeName() instanceof LDAP3QueryMethods and
+          (
+            ldapNode = this.getArg(0) and
+            ldapPart = "DN"
+            or
+            ldapNode = this.getArg(1) and
+            ldapPart = "search_filter"
+          )
+        )
+      }
+
+      override DataFlow::Node getLDAPNode() { result = ldapNode }
+
+      override string getLDAPPart() { result = ldapPart }
+
+      override DataFlow::Node getAttrs() {
+        result = this.getArg(3) or result = this.getArgByName("attributes")
+      }
+    }
+
+    private class LDAP3EscapeDN extends DataFlow::CallCfgNode, LDAPEscape::Range {
+      DataFlow::Node escapeNode;
+
+      LDAP3EscapeDN() {
+        this =
+          API::moduleImport("ldap3")
+              .getMember("utils")
+              .getMember("dn")
+              .getMember("escape_rdn")
+              .getACall() and
+        escapeNode = this.getArg(0)
+      }
+
+      override DataFlow::Node getEscapeNode() { result = escapeNode }
+    }
+
+    private class LDAP3EscapeFilter extends DataFlow::CallCfgNode, LDAPEscape::Range {
+      DataFlow::Node escapeNode;
+
+      LDAP3EscapeFilter() {
+        this =
+          API::moduleImport("ldap3")
+              .getMember("utils")
+              .getMember("conv")
+              .getMember("escape_filter_chars")
+              .getACall() and
+        escapeNode = this.getArg(0)
+      }
+
+      override DataFlow::Node getEscapeNode() { result = escapeNode }
+    }
   }
 }
diff --git a/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll
index f5fa2306f31..db8bdda7db6 100644
--- a/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll
@@ -17,5 +17,8 @@ class LDAPInjectionFlowConfig extends TaintTracking::Configuration {
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { sink = any(LDAPQuery lQ).getLDAPNode() }
-  // override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof RemoteFlowSource } // any(LDAPEscape ldapEsc).getEscapeNode() }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer = any(LDAPEscape lE).getEscapeNode()
+  }
 }

From 8223539f0c0988e4d1ef79710c80c82533b12901 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Mon, 29 Mar 2021 23:28:28 +0200
Subject: [PATCH 0110/1429] Add a test without attributes

---
 .../Security/CWE-090/unit_tests/ldap_bad.py         | 10 ++++++++++
 .../Security/CWE-090/unit_tests/ldap_good.py        | 13 +++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_bad.py b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_bad.py
index a409a38e019..011f3b82865 100644
--- a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_bad.py
+++ b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_bad.py
@@ -14,6 +14,16 @@ def normal():
         unsafe_dn, ldap.SCOPE_SUBTREE, unsafe_filter, ["testAttr1", "testAttr2"])
 
 
+@app.route("/normal_noAttrs")
+def normal_noAttrs():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s(
+        unsafe_dn, ldap.SCOPE_SUBTREE, unsafe_filter)
+
+
 @app.route("/direct")
 def direct():
     unsafe_dn = "dc=%s" % request.args['dc']
diff --git a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_good.py b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_good.py
index 1d04505fa28..eda3883da6d 100644
--- a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_good.py
+++ b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_good.py
@@ -19,6 +19,19 @@ def normal():
         safe_dn, ldap.SCOPE_SUBTREE, safe_filter, ["testAttr1", "testAttr2"])
 
 
+@app.route("/normal_noAttrs")
+def normal_noAttrs():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
+    safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s(
+        safe_dn, ldap.SCOPE_SUBTREE, safe_filter)
+
+
 @app.route("/direct")
 def direct():
     unsafe_dn = "dc=%s" % request.args['dc']

From 3cda2e52073b72dfc126f7863041a85005d818ae Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Mon, 29 Mar 2021 23:39:49 +0200
Subject: [PATCH 0111/1429] Polish up ldap3 tests

---
 .../Security/CWE-090/ldap3_bad.py             | 56 ------------------
 .../Security/CWE-090/ldap3_good.py            | 58 -------------------
 .../Security/CWE-090/unit_tests/ldap3_bad.py  | 38 ++++++++++++
 .../Security/CWE-090/unit_tests/ldap3_good.py | 49 ++++++++++++++++
 4 files changed, 87 insertions(+), 114 deletions(-)
 delete mode 100644 python/ql/src/experimental/Security/CWE-090/ldap3_bad.py
 delete mode 100644 python/ql/src/experimental/Security/CWE-090/ldap3_good.py
 create mode 100644 python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_bad.py
 create mode 100644 python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_good.py

diff --git a/python/ql/src/experimental/Security/CWE-090/ldap3_bad.py b/python/ql/src/experimental/Security/CWE-090/ldap3_bad.py
deleted file mode 100644
index fcd00c0269c..00000000000
--- a/python/ql/src/experimental/Security/CWE-090/ldap3_bad.py
+++ /dev/null
@@ -1,56 +0,0 @@
-import ldap3
-from flask import request, Flask
-
-app = Flask(__name__)
-
-
-@app.route("/tainted_var")
-def tainted_var():
-    unsanitized_dn = "dc=%s" % request.args['dc']
-    unsanitized_filter = "(&(objectClass=*)(uid=%s))" % request.args['username']
-
-    srv = ldap3.Server('localhost', port=1337)
-    conn = ldap3.Connection(srv, user=unsanitized_dn, auto_bind=True)
-    conn.search(unsanitized_dn, unsanitized_filter)
-    return conn.response
-
-
-@app.route("/var_tainted")
-def var_tainted():
-    unsanitized_dn = request.args['dc']
-    unsanitized_filter = request.args['username']
-
-    dn = "dc=%s" % unsanitized_dn
-    search_filter = "(&(objectClass=*)(uid=%s))" % unsanitized_filter
-
-    srv = ldap3.Server('localhost', port=1337)
-    conn = ldap3.Connection(srv, user=dn, auto_bind=True)
-    conn.search(dn, search_filter)
-    return conn.response
-
-
-@app.route("/direct")
-def direct():
-    srv = ldap3.Server('localhost', port=1337)
-    conn = ldap3.Connection(srv, user="dc=%s" %
-                            request.args['dc'], auto_bind=True)
-    conn.search("dc=%s" % unsanitized_dn,
-                "(&(objectClass=*)(uid=%s))" % request.args['username'])
-    return conn.response
-
-
-@app.route("/with_")
-def with_():
-    unsanitized_dn = request.args['dc']
-    unsanitized_filter = request.args['username']
-
-    dn = "dc=%s" % unsanitized_dn
-    search_filter = "(&(objectClass=*)(uid=%s))" % unsanitized_filter
-
-    srv = ldap3.Server('localhost', port=1337)
-    with ldap3.Connection(server, auto_bind=True) as conn:
-        conn.search(dn, search_filter)
-        return conn.response
-
-# if __name__ == "__main__":
-#     app.run(debug=True)
diff --git a/python/ql/src/experimental/Security/CWE-090/ldap3_good.py b/python/ql/src/experimental/Security/CWE-090/ldap3_good.py
deleted file mode 100644
index 05bc1e24f71..00000000000
--- a/python/ql/src/experimental/Security/CWE-090/ldap3_good.py
+++ /dev/null
@@ -1,58 +0,0 @@
-import ldap3
-from ldap3.utils.conv import escape_filter_chars
-from flask import request, Flask
-
-app = Flask(__name__)
-
-
-@app.route("/tainted_var")
-def tainted_var():
-    sanitized_dn = "dc=%s" % request.args['dc']
-    sanitized_filter = "(&(objectClass=*)(uid=%s))" % escape_filter_chars(
-        request.args['username'])
-
-    srv = ldap3.Server('localhost', port=1337)
-    conn = ldap3.Connection(srv, user=sanitized_dn, auto_bind=True)
-    conn.search(sanitized_dn, sanitized_filter)
-    return conn.response
-
-
-@app.route("/var_tainted")
-def var_tainted():
-    sanitized_dn = request.args['dc']
-    sanitized_filter = request.args['username']
-
-    dn = "dc=%s" % sanitized_dn
-    search_filter = "(&(objectClass=*)(uid=%s))" % escape_filter_chars(sanitized_filter)
-
-    srv = ldap3.Server('localhost', port=1337)
-    conn = ldap3.Connection(srv, user=dn, auto_bind=True)
-    conn.search(dn, search_filter)
-    return conn.response
-
-
-@app.route("/direct")
-def direct():
-    srv = ldap3.Server('localhost', port=1337)
-    conn = ldap3.Connection(srv, user="dc=%s" %
-                            request.args['dc'], auto_bind=True)
-    conn.search("dc=%s" % request.args['dc'], "(&(objectClass=*)(uid=%s))" %
-                escape_filter_chars(request.args['username']))
-    return conn.response
-
-
-@ app.route("/with_")
-def with_():
-    sanitized_dn = request.args['dc']
-    sanitized_filter = escape_filter_chars(request.args['username'])
-
-    dn = "dc=%s" % sanitized_dn
-    search_filter = "(&(objectClass=*)(uid=%s))" % sanitized_filter
-
-    srv = ldap3.Server('localhost', port=1337)
-    with ldap3.Connection(server, auto_bind=True) as conn:
-        conn.search(dn, search_filter)
-        return conn.response
-
-# if __name__ == "__main__":
-#     app.run(debug=True)
diff --git a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_bad.py b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_bad.py
new file mode 100644
index 00000000000..76b7f309bd1
--- /dev/null
+++ b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_bad.py
@@ -0,0 +1,38 @@
+from flask import request, Flask
+import ldap3
+
+app = Flask(__name__)
+
+
+@app.route("/normal")
+def normal():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
+    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True)
+    conn.search(unsafe_dn, unsafe_filter, attributes=[
+                "testAttr1", "testAttr2"])
+
+
+@app.route("/normal_noAttrs")
+def normal_noAttrs():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
+    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True)
+    conn.search(unsafe_dn, unsafe_filter)
+
+
+@app.route("/direct")
+def direct():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
+    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True).search(unsafe_dn, unsafe_filter, attributes=[
+        "testAttr1", "testAttr2"])
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
diff --git a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_good.py b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_good.py
new file mode 100644
index 00000000000..c3cc1272ea7
--- /dev/null
+++ b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_good.py
@@ -0,0 +1,49 @@
+from flask import request, Flask
+import ldap3
+from ldap3.utils.dn import escape_rdn
+from ldap3.utils.conv import escape_filter_chars
+
+app = Flask(__name__)
+
+
+@app.route("/normal")
+def normal():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    safe_dn = escape_rdn(unsafe_dn)
+    safe_filter = escape_filter_chars(unsafe_filter)
+
+    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
+    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True)
+    conn.search(safe_dn, safe_filter, attributes=[
+                "testAttr1", "testAttr2"])
+
+
+@app.route("/normal_noAttrs")
+def normal_noAttrs():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    safe_dn = escape_rdn(unsafe_dn)
+    safe_filter = escape_filter_chars(unsafe_filter)
+
+    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
+    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True)
+    conn.search(safe_dn, safe_filter)
+
+
+@app.route("/direct")
+def direct():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    safe_dn = escape_rdn(unsafe_dn)
+    safe_filter = escape_filter_chars(unsafe_filter)
+
+    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
+    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True).search(safe_dn, safe_filter, attributes=[
+        "testAttr1", "testAttr2"])
+
+# if __name__ == "__main__":
+#     app.run(debug=True)

From 937a620f4d41db65c7203201435aaf3dab6380de Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Tue, 30 Mar 2021 11:33:42 +0100
Subject: [PATCH 0112/1429] JS: Improve mysql2 model

---
 .../src/semmle/javascript/frameworks/SQL.qll  | 32 ++++++++++++++++---
 .../frameworks/SQL/Credentials.expected       |  1 +
 .../frameworks/SQL/SqlString.expected         |  8 +++++
 .../frameworks/SQL/mysql2-promise.js          | 32 +++++++++++++++++++
 .../frameworks/SQL/mysql2-types.ts            |  5 +++
 .../library-tests/frameworks/SQL/mysql2tst.js |  4 +++
 .../library-tests/frameworks/SQL/mysql3.js    |  4 +++
 7 files changed, 81 insertions(+), 5 deletions(-)
 create mode 100644 javascript/ql/test/library-tests/frameworks/SQL/mysql2-promise.js
 create mode 100644 javascript/ql/test/library-tests/frameworks/SQL/mysql2-types.ts

diff --git a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
index 1e41f03d141..cef49ec317d 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
@@ -28,30 +28,52 @@ module SQL {
  * Provides classes modelling the (API compatible) `mysql` and `mysql2` packages.
  */
 private module MySql {
+  private string moduleName() { result = ["mysql", "mysql2", "mysql2/promise"] }
+
   /** Gets the package name `mysql` or `mysql2`. */
-  API::Node mysql() { result = API::moduleImport(["mysql", "mysql2"]) }
+  API::Node mysql() { result = API::moduleImport(moduleName()) }
 
   /** Gets a reference to `mysql.createConnection`. */
-  API::Node createConnection() { result = mysql().getMember("createConnection") }
+  API::Node createConnection() {
+    result = mysql().getMember(["createConnection", "createConnectionPromise"])
+  }
 
   /** Gets a reference to `mysql.createPool`. */
-  API::Node createPool() { result = mysql().getMember("createPool") }
+  API::Node createPool() { result = mysql().getMember(["createPool", "createPoolCluster"]) }
 
   /** Gets a node that contains a MySQL pool created using `mysql.createPool()`. */
-  API::Node pool() { result = createPool().getReturn() }
+  API::Node pool() {
+    result = createPool().getReturn()
+    or
+    result = pool().getMember("on").getReturn()
+    or
+    result = API::Node::ofType(moduleName(), ["Pool", "PoolCluster"])
+  }
 
   /** Gets a data flow node that contains a freshly created MySQL connection instance. */
   API::Node connection() {
     result = createConnection().getReturn()
     or
+    result = createConnection().getReturn().getPromised()
+    or
     result = pool().getMember("getConnection").getParameter(0).getParameter(1)
+    or
+    result = pool().getMember("getConnection").getPromised()
+    or
+    exists(API::CallNode call |
+      call = pool().getMember("on").getACall() and
+      call.getArgument(0).getStringValue() = ["connection", "acquire", "release"] and
+      result = call.getParameter(1).getParameter(0)
+    )
+    or
+    result = API::Node::ofType(moduleName(), ["Connection", "PoolConnection"])
   }
 
   /** A call to the MySql `query` method. */
   private class QueryCall extends DatabaseAccess, DataFlow::MethodCallNode {
     QueryCall() {
       exists(API::Node recv | recv = pool() or recv = connection() |
-        this = recv.getMember("query").getACall()
+        this = recv.getMember(["query", "execute"]).getACall()
       )
     }
 
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/Credentials.expected b/javascript/ql/test/library-tests/frameworks/SQL/Credentials.expected
index a7d4af58a90..190d8a51982 100644
--- a/javascript/ql/test/library-tests/frameworks/SQL/Credentials.expected
+++ b/javascript/ql/test/library-tests/frameworks/SQL/Credentials.expected
@@ -6,6 +6,7 @@
 | mysql1.js:7:14:7:21 | 'secret' | password |
 | mysql1a.js:10:9:10:12 | 'me' | user name |
 | mysql1a.js:11:13:11:20 | 'secret' | password |
+| mysql2-promise.js:8:9:8:14 | 'root' | user name |
 | mysql2.js:7:21:7:25 | 'bob' | user name |
 | mysql2.js:8:21:8:28 | 'secret' | password |
 | mysql2tst.js:8:9:8:14 | 'root' | user name |
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
index b2e0cc4b046..69b45d70307 100644
--- a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
+++ b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
@@ -7,10 +7,18 @@
 | mysql1.js:13:18:13:43 | 'SELECT ... lution' |
 | mysql1.js:18:18:22:1 | {\\n    s ... vid']\\n} |
 | mysql1a.js:17:18:17:43 | 'SELECT ... lution' |
+| mysql2-promise.js:14:3:14:62 | 'SELECT ... ` > 45' |
+| mysql2-promise.js:23:3:23:56 | 'SELECT ... e` > ?' |
+| mysql2-promise.js:31:19:31:39 | 'SELECT ...  users' |
+| mysql2-promise.js:32:21:32:41 | 'SELECT ...  users' |
+| mysql2-types.ts:4:16:4:36 | 'SELECT ...  users' |
 | mysql2.js:12:12:12:37 | 'SELECT ... lution' |
 | mysql2tst.js:14:3:14:62 | 'SELECT ... ` > 45' |
 | mysql2tst.js:23:3:23:56 | 'SELECT ... e` > ?' |
+| mysql2tst.js:31:19:31:39 | 'SELECT ...  users' |
+| mysql2tst.js:32:21:32:41 | 'SELECT ...  users' |
 | mysql3.js:14:20:14:52 | 'SELECT ... etable' |
+| mysql3.js:26:14:26:31 | 'SELECT something' |
 | mysql4.js:14:18:14:20 | sql |
 | mysqlImport.js:3:18:5:1 | {\\n    s ... = ?',\\n} |
 | postgres1.js:37:21:37:24 | text |
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/mysql2-promise.js b/javascript/ql/test/library-tests/frameworks/SQL/mysql2-promise.js
new file mode 100644
index 00000000000..6e40c5cafbc
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/SQL/mysql2-promise.js
@@ -0,0 +1,32 @@
+// Adapted from the documentation of https://github.com/sidorares/node-mysql2,
+// which is licensed under the MIT license; see file node-mysql2-License.
+const mysql = require('mysql2/promise');
+ 
+// create the connection to database
+const connection = await mysql.createConnection({
+  host: 'localhost',
+  user: 'root',
+  database: 'test'
+});
+ 
+// simple query
+connection.query(
+  'SELECT * FROM `table` WHERE `name` = "Page" AND `age` > 45',
+  function(err, results, fields) {
+    console.log(results); // results contains rows returned by server
+    console.log(fields); // fields contains extra meta data about results, if available
+  }
+);
+ 
+// with placeholder
+connection.query(
+  'SELECT * FROM `table` WHERE `name` = ? AND `age` > ?',
+  ['Page', 45],
+  function(err, results) {
+    console.log(results);
+  }
+);
+
+const conn2 = await mysql.createConnectionPromise();
+await conn2.query('SELECT * FROM users');
+await conn2.execute('SELECT * FROM users');
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/mysql2-types.ts b/javascript/ql/test/library-tests/frameworks/SQL/mysql2-types.ts
new file mode 100644
index 00000000000..dba89f2ca47
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/SQL/mysql2-types.ts
@@ -0,0 +1,5 @@
+import { Connection } from "mysql2";
+
+export function doSomething(conn: Connection) {
+    conn.query('SELECT * FROM users');
+}
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/mysql2tst.js b/javascript/ql/test/library-tests/frameworks/SQL/mysql2tst.js
index c066aa8e92e..9121096f77d 100644
--- a/javascript/ql/test/library-tests/frameworks/SQL/mysql2tst.js
+++ b/javascript/ql/test/library-tests/frameworks/SQL/mysql2tst.js
@@ -26,3 +26,7 @@ connection.query(
     console.log(results);
   }
 );
+
+const conn2 = await mysql.createConnectionPromise();
+await conn2.query('SELECT * FROM users');
+await conn2.execute('SELECT * FROM users');
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/mysql3.js b/javascript/ql/test/library-tests/frameworks/SQL/mysql3.js
index 63ac500d067..554777abcb1 100644
--- a/javascript/ql/test/library-tests/frameworks/SQL/mysql3.js
+++ b/javascript/ql/test/library-tests/frameworks/SQL/mysql3.js
@@ -21,3 +21,7 @@ pool.getConnection(function(err, connection) {
     // Don't use the connection here, it has been returned to the pool. 
   });
 });
+
+pool.on('connection', conn => {
+  conn.query('SELECT something');
+});

From 0b21b273edbd1ad3f1a50683ca18e956680c6233 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 29 Mar 2021 16:41:42 +0100
Subject: [PATCH 0113/1429] JS: Improve pg model

---
 .../src/semmle/javascript/frameworks/SQL.qll  | 23 ++++++++++++++++++-
 .../frameworks/SQL/SqlString.expected         |  4 ++++
 .../frameworks/SQL/postgres-types.ts          |  5 ++++
 .../library-tests/frameworks/SQL/postgres2.js |  6 +++++
 4 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 javascript/ql/test/library-tests/frameworks/SQL/postgres-types.ts

diff --git a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
index cef49ec317d..b3f89c82f19 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
@@ -134,7 +134,20 @@ private module Postgres {
     // pool.connect(function(err, client) { ... })
     result = pool().getMember("connect").getParameter(0).getParameter(1)
     or
+    // await pool.connect()
+    result = pool().getMember("connect").getReturn().getPromised()
+    or
     result = pgpConnection().getMember("client")
+    or
+    exists(API::CallNode call |
+      call = pool().getMember("on").getACall() and
+      call.getArgument(0).getStringValue() = ["connect", "acquire"] and
+      result = call.getParameter(1).getParameter(0)
+    )
+    or
+    result = client().getMember("on").getReturn()
+    or
+    result = API::Node::ofType("pg", ["Client", "PoolClient"])
   }
 
   /** Gets a constructor that when invoked constructs a new connection pool. */
@@ -151,6 +164,10 @@ private module Postgres {
     result = newPool().getInstance()
     or
     result = pgpDatabase().getMember("$pool")
+    or
+    result = pool().getMember("on").getReturn()
+    or
+    result = API::Node::ofType("pg", "Pool")
   }
 
   /** A call to the Postgres `query` method. */
@@ -162,7 +179,11 @@ private module Postgres {
 
   /** An expression that is passed to the `query` method and hence interpreted as SQL. */
   class QueryString extends SQL::SqlString {
-    QueryString() { this = any(QueryCall qc).getAQueryArgument().asExpr() }
+    QueryString() {
+      this = any(QueryCall qc).getAQueryArgument().asExpr()
+      or
+      this = API::moduleImport("pg-cursor").getParameter(0).getARhs().asExpr()
+    }
   }
 
   /** An expression that is passed as user name or password when creating a client or a pool. */
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
index 69b45d70307..74efed7d265 100644
--- a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
+++ b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
@@ -23,8 +23,12 @@
 | mysqlImport.js:3:18:5:1 | {\\n    s ... = ?',\\n} |
 | postgres1.js:37:21:37:24 | text |
 | postgres2.js:30:16:30:41 | 'SELECT ... number' |
+| postgres2.js:43:15:43:26 | 'SELECT 123' |
+| postgres2.js:46:15:46:47 | new Cur ... users') |
+| postgres2.js:46:26:46:46 | 'SELECT ...  users' |
 | postgres3.js:15:16:15:40 | 'SELECT ... s name' |
 | postgres5.js:8:21:8:25 | query |
+| postgres-types.ts:4:18:4:29 | 'SELECT 123' |
 | postgresImport.js:4:18:4:43 | 'SELECT ... number' |
 | sequelize2.js:10:17:10:118 | 'SELECT ... Y name' |
 | sequelize.js:8:17:8:118 | 'SELECT ... Y name' |
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/postgres-types.ts b/javascript/ql/test/library-tests/frameworks/SQL/postgres-types.ts
new file mode 100644
index 00000000000..00817e5d63e
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/SQL/postgres-types.ts
@@ -0,0 +1,5 @@
+import { Client } from "pg";
+
+function submitSomething(client: Client) {
+    client.query('SELECT 123');
+}
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/postgres2.js b/javascript/ql/test/library-tests/frameworks/SQL/postgres2.js
index 611f4e286af..fd449ae8765 100644
--- a/javascript/ql/test/library-tests/frameworks/SQL/postgres2.js
+++ b/javascript/ql/test/library-tests/frameworks/SQL/postgres2.js
@@ -38,3 +38,9 @@ pool.connect(function(err, client, done) {
     //output: 1 
   });
 });
+
+let client2 = await pool.connect();
+client2.query('SELECT 123');
+
+const Cursor = require('pg-cursor');
+client2.query(new Cursor('SELECT * from users'));

From 95937c9ac70d7f62c9ed416d041178a8d772140f Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 29 Mar 2021 22:53:47 +0100
Subject: [PATCH 0114/1429] JS: Improve sqlite3 model

---
 .../ql/src/semmle/javascript/frameworks/SQL.qll   | 15 ++++-----------
 .../frameworks/SQL/SqlString.expected             |  1 +
 .../library-tests/frameworks/SQL/sqlite-types.ts  |  5 +++++
 3 files changed, 10 insertions(+), 11 deletions(-)
 create mode 100644 javascript/ql/test/library-tests/frameworks/SQL/sqlite-types.ts

diff --git a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
index b3f89c82f19..15dc5df808c 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
@@ -342,24 +342,17 @@ private module Sqlite {
   }
 
   /** Gets an expression that constructs a Sqlite database instance. */
-  API::Node newDb() {
+  API::Node database() {
     // new require('sqlite3').Database()
     result = sqlite().getMember("Database").getInstance()
+    or
+    result = API::Node::ofType("sqlite3", "Database")
   }
 
   /** A call to a Sqlite query method. */
   private class QueryCall extends DatabaseAccess, DataFlow::MethodCallNode {
     QueryCall() {
-      exists(string meth |
-        meth = "all" or
-        meth = "each" or
-        meth = "exec" or
-        meth = "get" or
-        meth = "prepare" or
-        meth = "run"
-      |
-        this = newDb().getMember(meth).getACall()
-      )
+      this = database().getMember(["all", "each", "exec", "get", "prepare", "run"]).getACall()
     }
 
     override DataFlow::Node getAQueryArgument() { result = getArgument(0) }
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
index 74efed7d265..4b6f1de2e7d 100644
--- a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
+++ b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
@@ -54,6 +54,7 @@
 | spanner.js:19:16:19:34 | { sql: "SQL code" } |
 | spanner.js:19:23:19:32 | "SQL code" |
 | spannerImport.js:4:8:4:17 | "SQL code" |
+| sqlite-types.ts:4:12:4:49 | "UPDATE ... id = ?" |
 | sqlite.js:7:8:7:45 | "UPDATE ... id = ?" |
 | sqliteArray.js:6:12:6:49 | "UPDATE ... id = ?" |
 | sqliteImport.js:2:8:2:44 | "UPDATE ... id = ?" |
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/sqlite-types.ts b/javascript/ql/test/library-tests/frameworks/SQL/sqlite-types.ts
new file mode 100644
index 00000000000..9356cf0bda5
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/SQL/sqlite-types.ts
@@ -0,0 +1,5 @@
+import { Database } from "sqlite3";
+
+export function doSomething(db: Database) {
+    db.run("UPDATE tbl SET name = ? WHERE id = ?", "bar", 2);
+}

From 93500bd95a55b1ca91c23472d21321f6af629593 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Tue, 30 Mar 2021 10:06:14 +0100
Subject: [PATCH 0115/1429] JS: Improve mssql model

---
 .../src/semmle/javascript/frameworks/SQL.qll  | 31 ++++++++++++++-----
 .../frameworks/SQL/SqlString.expected         |  2 ++
 .../frameworks/SQL/mssql-types.ts             |  9 ++++++
 .../library-tests/frameworks/SQL/mssql1.js    |  2 ++
 4 files changed, 37 insertions(+), 7 deletions(-)
 create mode 100644 javascript/ql/test/library-tests/frameworks/SQL/mssql-types.ts

diff --git a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
index 15dc5df808c..f006c73e544 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
@@ -371,15 +371,32 @@ private module MsSql {
   /** Gets a reference to the `mssql` module. */
   API::Node mssql() { result = API::moduleImport("mssql") }
 
-  /** Gets an expression that creates a request object. */
-  API::Node request() {
-    // new require('mssql').Request()
-    result = mssql().getMember("Request").getInstance()
+  /** Gets a node referring to an instance of the given class. */
+  API::Node mssqlClass(string name) {
+    result = mssql().getMember(name).getInstance()
     or
-    // request.input(...)
-    result = request().getMember("input").getReturn()
+    result = API::Node::ofType("mssql", name)
   }
 
+  /** Gets an API node referring to a Request object. */
+  API::Node request() {
+    result = mssqlClass("Request")
+    or
+    result = request().getMember(["input", "replaceInput", "output", "replaceOutput"]).getReturn()
+    or
+    result = [transaction(), pool()].getMember("request").getReturn()
+  }
+
+  /** Gets an API node referring to a Transaction object. */
+  API::Node transaction() {
+    result = mssqlClass("Transaction")
+    or
+    result = pool().getMember("transaction").getReturn()
+  }
+
+  /** Gets a API node referring to a ConnectionPool object. */
+  API::Node pool() { result = mssqlClass("ConnectionPool") }
+
   /** A tagged template evaluated as a query. */
   private class QueryTemplateExpr extends DatabaseAccess, DataFlow::ValueNode {
     override TaggedTemplateExpr astNode;
@@ -395,7 +412,7 @@ private module MsSql {
 
   /** A call to a MsSql query method. */
   private class QueryCall extends DatabaseAccess, DataFlow::MethodCallNode {
-    QueryCall() { this = request().getMember(["query", "batch"]).getACall() }
+    QueryCall() { this = [mssql(), request()].getMember(["query", "batch"]).getACall() }
 
     override DataFlow::Node getAQueryArgument() { result = getArgument(0) }
   }
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
index 4b6f1de2e7d..8720962382b 100644
--- a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
+++ b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
@@ -1,9 +1,11 @@
 | mssql1.js:7:40:7:72 | select  ... e id =  |
 | mssql1.js:7:75:7:79 | value |
+| mssql1.js:10:19:10:30 | 'SELECT 123' |
 | mssql2.js:5:15:5:34 | 'select 1 as number' |
 | mssql2.js:13:15:13:66 | 'create ...  table' |
 | mssql2.js:22:24:22:43 | 'select 1 as number' |
 | mssql2.js:29:30:29:81 | 'create ...  table' |
+| mssql-types.ts:7:31:7:42 | 'SELECT 123' |
 | mysql1.js:13:18:13:43 | 'SELECT ... lution' |
 | mysql1.js:18:18:22:1 | {\\n    s ... vid']\\n} |
 | mysql1a.js:17:18:17:43 | 'SELECT ... lution' |
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/mssql-types.ts b/javascript/ql/test/library-tests/frameworks/SQL/mssql-types.ts
new file mode 100644
index 00000000000..243812e799c
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/SQL/mssql-types.ts
@@ -0,0 +1,9 @@
+import { ConnectionPool } from "mssql";
+
+class Foo {
+  constructor(private pool: ConnectionPool) {}
+
+  doSomething() {
+    this.pool.request().query('SELECT 123');
+  }
+}
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/mssql1.js b/javascript/ql/test/library-tests/frameworks/SQL/mssql1.js
index 39a340ccf83..8f8bf1f0914 100644
--- a/javascript/ql/test/library-tests/frameworks/SQL/mssql1.js
+++ b/javascript/ql/test/library-tests/frameworks/SQL/mssql1.js
@@ -6,6 +6,8 @@ async () => {
         const pool = await sql.connect('mssql://username:password@localhost/database')
         const result = await sql.query`select * from mytable where id = ${value}`
         console.dir(result)
+
+        sql.query('SELECT 123');
     } catch (err) {
         // ... error checks 
     }

From 1349bf7b0ba8b83ee86d5fbdc46b207e32439cd1 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Tue, 30 Mar 2021 02:57:58 +0000
Subject: [PATCH 0116/1429] Create a .qll file to reuse the code and add check
 of Spring properties

---
 .../CWE-555/CredentialsInPropertiesFile.ql    |  93 +--------------
 .../CredentialsInPropertiesFile.qll           | 107 ++++++++++++++++++
 .../CredentialsInPropertiesFile.expected      |  10 +-
 .../CWE-555/CredentialsInPropertiesFile.ql    |  93 +--------------
 .../security/CWE-555/MailConfig.java          |  11 ++
 .../security/CWE-555/PropertiesUtils.java     |  10 --
 .../query-tests/security/CWE-555/options      |   1 +
 .../beans/factory/annotation/Value.java       |  11 ++
 8 files changed, 137 insertions(+), 199 deletions(-)
 create mode 100644 java/ql/src/experimental/semmle/code/java/frameworks/CredentialsInPropertiesFile.qll
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-555/MailConfig.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-555/options
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/beans/factory/annotation/Value.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql b/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
index 8bbc0d00a46..d4ebe902cf7 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
@@ -18,41 +18,7 @@
  */
 
 import java
-import semmle.code.configfiles.ConfigFiles
-import semmle.code.java.dataflow.FlowSources
-
-private string possibleSecretName() {
-  result =
-    [
-      "%password%", "%passwd%", "%account%", "%accnt%", "%credential%", "%token%", "%secret%",
-      "%access%key%"
-    ]
-}
-
-private string possibleEncryptedSecretName() { result = ["%hashed%", "%encrypted%", "%crypt%"] }
-
-/** Holds if the value is not cleartext credentials. */
-bindingset[value]
-predicate isNotCleartextCredentials(string value) {
-  value = "" // Empty string
-  or
-  value.length() < 7 // Typical credentials are no less than 6 characters
-  or
-  value.matches("% %") // Sentences containing spaces
-  or
-  value.regexpMatch(".*[^a-zA-Z\\d]{3,}.*") // Contain repeated non-alphanumeric characters such as a fake password pass**** or ????
-  or
-  value.matches("@%") // Starts with the "@" sign
-  or
-  value.regexpMatch("\\$\\{.*\\}") // Variable placeholder ${credentials}
-  or
-  value.matches("%=") // A basic check of encrypted credentials ending with padding characters
-  or
-  value.matches("ENC(%)") // Encrypted value
-  or
-  // Could be a message property for UI display or fake passwords, e.g. login.password_expired=Your current password has expired.
-  value.toLowerCase().matches(possibleSecretName())
-}
+import experimental.semmle.code.java.frameworks.CredentialsInPropertiesFile
 
 /**
  * Holds if the credentials are in a non-production properties file indicated by:
@@ -63,63 +29,6 @@ predicate isNonProdCredentials(CredentialsConfig cc) {
   cc.getFile().getAbsolutePath().matches(["%dev%", "%test%", "%sample%"])
 }
 
-/** The credentials configuration property. */
-class CredentialsConfig extends ConfigPair {
-  CredentialsConfig() {
-    this.getNameElement().getName().trim().toLowerCase().matches(possibleSecretName()) and
-    not this.getNameElement().getName().trim().toLowerCase().matches(possibleEncryptedSecretName()) and
-    not isNotCleartextCredentials(this.getValueElement().getValue().trim())
-  }
-
-  string getName() { result = this.getNameElement().getName().trim() }
-
-  string getValue() { result = this.getValueElement().getValue().trim() }
-
-  /** Returns a description of this vulnerability. */
-  string getConfigDesc() {
-    exists(
-      LoadCredentialsConfiguration cc, DataFlow::Node source, DataFlow::Node sink, MethodAccess ma
-    |
-      this.getName() = source.asExpr().(CompileTimeConstantExpr).getStringValue() and
-      cc.hasFlow(source, sink) and
-      ma.getArgument(0) = sink.asExpr() and
-      result = "Plaintext credentials " + this.getName() + " are loaded in " + ma
-    )
-    or
-    not exists(LoadCredentialsConfiguration cc, DataFlow::Node source, DataFlow::Node sink |
-      this.getName() = source.asExpr().(CompileTimeConstantExpr).getStringValue() and
-      cc.hasFlow(source, sink)
-    ) and
-    result =
-      "Plaintext credentials " + this.getName() + " have cleartext value " + this.getValue() +
-        " in properties file"
-  }
-}
-
-/**
- * A dataflow configuration tracking flow of a method that loads a credentials property.
- */
-class LoadCredentialsConfiguration extends DataFlow::Configuration {
-  LoadCredentialsConfiguration() { this = "LoadCredentialsConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) {
-    exists(CredentialsConfig cc |
-      source.asExpr().(CompileTimeConstantExpr).getStringValue() = cc.getName()
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() =
-      any(MethodAccess ma |
-        ma.getMethod()
-            .getDeclaringType()
-            .getASupertype*()
-            .hasQualifiedName("java.util", "Properties") and
-        ma.getMethod().getName() = "getProperty"
-      ).getArgument(0)
-  }
-}
-
 from CredentialsConfig cc
 where not isNonProdCredentials(cc)
 select cc, cc.getConfigDesc()
diff --git a/java/ql/src/experimental/semmle/code/java/frameworks/CredentialsInPropertiesFile.qll b/java/ql/src/experimental/semmle/code/java/frameworks/CredentialsInPropertiesFile.qll
new file mode 100644
index 00000000000..9577789ce0c
--- /dev/null
+++ b/java/ql/src/experimental/semmle/code/java/frameworks/CredentialsInPropertiesFile.qll
@@ -0,0 +1,107 @@
+/**
+ * Provides classes for analyzing properties files.
+ */
+
+import java
+import semmle.code.configfiles.ConfigFiles
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.frameworks.Properties
+
+private string possibleSecretName() {
+  result =
+    [
+      "%password%", "%passwd%", "%account%", "%accnt%", "%credential%", "%token%", "%secret%",
+      "%access%key%"
+    ]
+}
+
+private string possibleEncryptedSecretName() { result = ["%hashed%", "%encrypted%", "%crypt%"] }
+
+/** Holds if the value is not cleartext credentials. */
+bindingset[value]
+predicate isNotCleartextCredentials(string value) {
+  value = "" // Empty string
+  or
+  value.length() < 7 // Typical credentials are no less than 6 characters
+  or
+  value.matches("% %") // Sentences containing spaces
+  or
+  value.regexpMatch(".*[^a-zA-Z\\d]{3,}.*") // Contain repeated non-alphanumeric characters such as a fake password pass**** or ????
+  or
+  value.matches("@%") // Starts with the "@" sign
+  or
+  value.regexpMatch("\\$\\{.*\\}") // Variable placeholder ${credentials}
+  or
+  value.matches("%=") // A basic check of encrypted credentials ending with padding characters
+  or
+  value.matches("ENC(%)") // Encrypted value
+  or
+  // Could be a message property for UI display or fake passwords, e.g. login.password_expired=Your current password has expired.
+  value.toLowerCase().matches(possibleSecretName())
+}
+
+/** The credentials configuration property. */
+class CredentialsConfig extends ConfigPair {
+  CredentialsConfig() {
+    this.getNameElement().getName().trim().toLowerCase().matches(possibleSecretName()) and
+    not this.getNameElement().getName().trim().toLowerCase().matches(possibleEncryptedSecretName()) and
+    not isNotCleartextCredentials(this.getValueElement().getValue().trim())
+  }
+
+  string getName() { result = this.getNameElement().getName().trim() }
+
+  string getValue() { result = this.getValueElement().getValue().trim() }
+
+  /** Returns a description of this vulnerability. */
+  string getConfigDesc() {
+    exists(
+      // getProperty(...)
+      LoadCredentialsConfiguration cc, DataFlow::Node source, DataFlow::Node sink, MethodAccess ma
+    |
+      this.getName() = source.asExpr().(CompileTimeConstantExpr).getStringValue() and
+      cc.hasFlow(source, sink) and
+      ma.getArgument(0) = sink.asExpr() and
+      result = "Plaintext credentials " + this.getName() + " are loaded in Java Properties " + ma
+    )
+    or
+    exists(
+      // @Value("${mail.password}")
+      Annotation a
+    |
+      a.getType().hasQualifiedName("org.springframework.beans.factory.annotation", "Value") and
+      a.getAValue().(CompileTimeConstantExpr).getStringValue() = "${" + this.getName() + "}" and
+      result = "Plaintext credentials " + this.getName() + " are loaded in Spring annotation " + a
+    )
+    or
+    not exists(LoadCredentialsConfiguration cc, DataFlow::Node source, DataFlow::Node sink |
+      this.getName() = source.asExpr().(CompileTimeConstantExpr).getStringValue() and
+      cc.hasFlow(source, sink)
+    ) and
+    not exists(Annotation a |
+      a.getType().hasQualifiedName("org.springframework.beans.factory.annotation", "Value") and
+      a.getAValue().(CompileTimeConstantExpr).getStringValue() = "${" + this.getName() + "}"
+    ) and
+    result =
+      "Plaintext credentials " + this.getName() + " have cleartext value " + this.getValue() +
+        " in properties file"
+  }
+}
+
+/**
+ * A dataflow configuration tracking flow of cleartext credentials stored in a properties file
+ *  to a `Properties.getProperty(...)` method call.
+ */
+class LoadCredentialsConfiguration extends DataFlow::Configuration {
+  LoadCredentialsConfiguration() { this = "LoadCredentialsConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(CredentialsConfig cc |
+      source.asExpr().(CompileTimeConstantExpr).getStringValue() = cc.getName()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() =
+      any(MethodAccess ma | ma.getMethod() instanceof PropertiesGetPropertyMethod).getArgument(0)
+  }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.expected b/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.expected
index 1bdc004a446..371a4765c53 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.expected
@@ -1,5 +1,5 @@
-| configuration.properties:6:1:6:25 | ldap.password=mysecpass | Plaintext credentials ldap.password are loaded in getProperty(...) |
-| configuration.properties:18:1:18:35 | datasource1.password=Passw0rd@123 | Plaintext credentials datasource1.password are loaded in getProperty(...) |
-| configuration.properties:25:1:25:31 | mail.password=MysecPWxWa@1993 | Plaintext credentials mail.password are loaded in getProperty(...) |
-| configuration.properties:33:1:33:50 | com.example.aws.s3.access_key=AKMAMQPBYMCD6YSAYCBA | Plaintext credentials com.example.aws.s3.access_key are loaded in getProperty(...) |
-| configuration.properties:34:1:34:70 | com.example.aws.s3.secret_key=8lMPSfWzZq+wcWtck5+QPLOJDZzE783pS09/IO3k | Plaintext credentials com.example.aws.s3.secret_key are loaded in getProperty(...) |
+| configuration.properties:6:1:6:25 | ldap.password=mysecpass | Plaintext credentials ldap.password are loaded in Java Properties getProperty(...) |
+| configuration.properties:18:1:18:35 | datasource1.password=Passw0rd@123 | Plaintext credentials datasource1.password are loaded in Java Properties getProperty(...) |
+| configuration.properties:25:1:25:31 | mail.password=MysecPWxWa@1993 | Plaintext credentials mail.password are loaded in Spring annotation Value |
+| configuration.properties:33:1:33:50 | com.example.aws.s3.access_key=AKMAMQPBYMCD6YSAYCBA | Plaintext credentials com.example.aws.s3.access_key are loaded in Java Properties getProperty(...) |
+| configuration.properties:34:1:34:70 | com.example.aws.s3.secret_key=8lMPSfWzZq+wcWtck5+QPLOJDZzE783pS09/IO3k | Plaintext credentials com.example.aws.s3.secret_key are loaded in Java Properties getProperty(...) |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.ql b/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.ql
index b6890e4ac9f..f085317218c 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.ql
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.ql
@@ -18,98 +18,7 @@
  */
 
 import java
-import semmle.code.configfiles.ConfigFiles
-import semmle.code.java.dataflow.FlowSources
-
-private string possibleSecretName() {
-  result =
-    [
-      "%password%", "%passwd%", "%account%", "%accnt%", "%credential%", "%token%", "%secret%",
-      "%access%key%"
-    ]
-}
-
-private string possibleEncryptedSecretName() { result = ["%hashed%", "%encrypted%", "%crypt%"] }
-
-/** Holds if the value is not cleartext credentials. */
-bindingset[value]
-predicate isNotCleartextCredentials(string value) {
-  value = "" // Empty string
-  or
-  value.length() < 7 // Typical credentials are no less than 6 characters
-  or
-  value.matches("% %") // Sentences containing spaces
-  or
-  value.regexpMatch(".*[^a-zA-Z\\d]{3,}.*") // Contain repeated non-alphanumeric characters such as a fake password pass**** or ????
-  or
-  value.matches("@%") // Starts with the "@" sign
-  or
-  value.regexpMatch("\\$\\{.*\\}") // Variable placeholder ${credentials}
-  or
-  value.matches("%=") // A basic check of encrypted credentials ending with padding characters
-  or
-  value.matches("ENC(%)") // Encrypted value
-  or
-  // Could be a message property for UI display or fake passwords, e.g. login.password_expired=Your current password has expired.
-  value.toLowerCase().matches(possibleSecretName())
-}
-
-/** The credentials configuration property. */
-class CredentialsConfig extends ConfigPair {
-  CredentialsConfig() {
-    this.getNameElement().getName().trim().toLowerCase().matches(possibleSecretName()) and
-    not this.getNameElement().getName().trim().toLowerCase().matches(possibleEncryptedSecretName()) and
-    not isNotCleartextCredentials(this.getValueElement().getValue().trim())
-  }
-
-  string getName() { result = this.getNameElement().getName().trim() }
-
-  string getValue() { result = this.getValueElement().getValue().trim() }
-
-  /** Returns a description of this vulnerability. */
-  string getConfigDesc() {
-    exists(
-      LoadCredentialsConfiguration cc, DataFlow::Node source, DataFlow::Node sink, MethodAccess ma
-    |
-      this.getName() = source.asExpr().(CompileTimeConstantExpr).getStringValue() and
-      cc.hasFlow(source, sink) and
-      ma.getArgument(0) = sink.asExpr() and
-      result = "Plaintext credentials " + this.getName() + " are loaded in " + ma
-    )
-    or
-    not exists(LoadCredentialsConfiguration cc, DataFlow::Node source, DataFlow::Node sink |
-      this.getName() = source.asExpr().(CompileTimeConstantExpr).getStringValue() and
-      cc.hasFlow(source, sink)
-    ) and
-    result =
-      "Plaintext credentials " + this.getName() + " have cleartext value " + this.getValue() +
-        " in properties file"
-  }
-}
-
-/**
- * A dataflow configuration tracking flow of a method that loads a credentials property.
- */
-class LoadCredentialsConfiguration extends DataFlow::Configuration {
-  LoadCredentialsConfiguration() { this = "LoadCredentialsConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) {
-    exists(CredentialsConfig cc |
-      source.asExpr().(CompileTimeConstantExpr).getStringValue() = cc.getName()
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() =
-      any(MethodAccess ma |
-        ma.getMethod()
-            .getDeclaringType()
-            .getASupertype*()
-            .hasQualifiedName("java.util", "Properties") and
-        ma.getMethod().getName() = "getProperty"
-      ).getArgument(0)
-  }
-}
+import experimental.semmle.code.java.frameworks.CredentialsInPropertiesFile
 
 from CredentialsConfig cc
 select cc, cc.getConfigDesc()
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/MailConfig.java b/java/ql/test/experimental/query-tests/security/CWE-555/MailConfig.java
new file mode 100644
index 00000000000..bef99dac3ea
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/MailConfig.java
@@ -0,0 +1,11 @@
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class MailConfig {
+    @Value("${mail.password}")
+    private String mailPassword;
+
+    @Value("${mail.username}")
+    private String mailUserName;
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/PropertiesUtils.java b/java/ql/test/experimental/query-tests/security/CWE-555/PropertiesUtils.java
index b54995a9967..f33ef39ee07 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-555/PropertiesUtils.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/PropertiesUtils.java
@@ -35,16 +35,6 @@ public class PropertiesUtils {
 		return properties.getProperty("datasource1.password");
 	}
     
-	/** Returns the mail account property value. */
-	public static String getMailUserName() {
-		return properties.getProperty("mail.username");
-	}
-
- 	/** Returns the mail password property value. */
-	public static String getMailPassword() {
-		return properties.getProperty("mail.password");
-	}
-
 	/** Returns the AWS Access Key property value. */
 	public static String getAWSAccessKey() {
 		return properties.getProperty("com.example.aws.s3.access_key");
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/options b/java/ql/test/experimental/query-tests/security/CWE-555/options
new file mode 100644
index 00000000000..cf3d60de0e5
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/options
@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3
\ No newline at end of file
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/beans/factory/annotation/Value.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/beans/factory/annotation/Value.java
new file mode 100644
index 00000000000..67c38cf5d20
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/beans/factory/annotation/Value.java
@@ -0,0 +1,11 @@
+package org.springframework.beans.factory.annotation;
+
+public @interface Value {
+
+	/**
+	 * The actual value expression such as <code>#{systemProperties.myProp}</code>
+	 * or property placeholder such as <code>${my.app.myProp}</code>.
+	 */
+	String value();
+
+}
\ No newline at end of file

From 35f294f096c160db887b37fff31a740f32e9f3f8 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Tue, 30 Mar 2021 10:38:13 +0100
Subject: [PATCH 0117/1429] JS: Improve sequelize model

---
 .../src/semmle/javascript/frameworks/SQL.qll  | 24 ++++++++++++++-----
 .../frameworks/SQL/SqlString.expected         |  4 ++++
 .../frameworks/SQL/sequelize-types.ts         |  9 +++++++
 .../frameworks/SQL/sequelize2.js              |  6 +++++
 4 files changed, 37 insertions(+), 6 deletions(-)
 create mode 100644 javascript/ql/test/library-tests/frameworks/SQL/sequelize-types.ts

diff --git a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
index f006c73e544..a84bde4cdd0 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
@@ -463,22 +463,34 @@ private module MsSql {
  * Provides classes modelling the `sequelize` package.
  */
 private module Sequelize {
-  /** Gets an import of the `sequelize` module. */
-  API::Node sequelize() { result = API::moduleImport("sequelize") }
+  /** Gets an import of the `sequelize` module or one that re-exports it. */
+  API::Node sequelize() { result = API::moduleImport(["sequelize", "sequelize-typescript"]) }
 
   /** Gets an expression that creates an instance of the `Sequelize` class. */
-  API::Node newSequelize() { result = sequelize().getInstance() }
+  API::Node instance() {
+    result = [sequelize(), sequelize().getMember("Sequelize")].getInstance()
+    or
+    result = API::Node::ofType(["sequelize", "sequelize-typescript"], ["Sequelize", "default"])
+  }
 
   /** A call to `Sequelize.query`. */
   private class QueryCall extends DatabaseAccess, DataFlow::MethodCallNode {
-    QueryCall() { this = newSequelize().getMember("query").getACall() }
+    QueryCall() { this = instance().getMember("query").getACall() }
 
-    override DataFlow::Node getAQueryArgument() { result = getArgument(0) }
+    override DataFlow::Node getAQueryArgument() {
+      result = getArgument(0)
+      or
+      result = getOptionArgument(0, "query")
+    }
   }
 
   /** An expression that is passed to `Sequelize.query` method and hence interpreted as SQL. */
   class QueryString extends SQL::SqlString {
-    QueryString() { this = any(QueryCall qc).getAQueryArgument().asExpr() }
+    QueryString() {
+      this = any(QueryCall qc).getAQueryArgument().asExpr()
+      or
+      this = sequelize().getMember(["literal", "asIs"]).getParameter(0).getARhs().asExpr()
+    }
   }
 
   /**
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
index 8720962382b..a5e87fe45d8 100644
--- a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
+++ b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
@@ -33,6 +33,10 @@
 | postgres-types.ts:4:18:4:29 | 'SELECT 123' |
 | postgresImport.js:4:18:4:43 | 'SELECT ... number' |
 | sequelize2.js:10:17:10:118 | 'SELECT ... Y name' |
+| sequelize2.js:12:17:15:1 | {\\n  que ... [123]\\n} |
+| sequelize2.js:13:10:13:20 | 'SELECT $1' |
+| sequelize2.js:17:31:17:41 | '123 + 345' |
+| sequelize-types.ts:7:24:7:35 | 'SELECT 123' |
 | sequelize.js:8:17:8:118 | 'SELECT ... Y name' |
 | sequelizeImport.js:3:17:3:118 | 'SELECT ... Y name' |
 | spanner2.js:5:26:5:35 | "SQL code" |
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/sequelize-types.ts b/javascript/ql/test/library-tests/frameworks/SQL/sequelize-types.ts
new file mode 100644
index 00000000000..2591048bdb5
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/SQL/sequelize-types.ts
@@ -0,0 +1,9 @@
+import Sequelize from 'sequelize';
+
+export class Foo {
+    constructor(private seq: Sequelize) {}
+
+    method() {
+        this.seq.query('SELECT 123');
+    }
+}
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/sequelize2.js b/javascript/ql/test/library-tests/frameworks/SQL/sequelize2.js
index 194a921ffdd..9fa7392cad6 100644
--- a/javascript/ql/test/library-tests/frameworks/SQL/sequelize2.js
+++ b/javascript/ql/test/library-tests/frameworks/SQL/sequelize2.js
@@ -9,3 +9,9 @@ const sequelize = new Sequelize('database', {
 });
 sequelize.query('SELECT * FROM Products WHERE (name LIKE \'%' + criteria + '%\') AND deletedAt IS NULL) ORDER BY name');
 
+sequelize.query({
+  query: 'SELECT $1',
+  values: [123]
+});
+
+let value = Sequelize.literal('123 + 345');

From 9db235ac3660a894d610d49388e452317329744d Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Tue, 30 Mar 2021 11:26:44 +0100
Subject: [PATCH 0118/1429] JS: Improve @google-cloud/spanner model

---
 .../src/semmle/javascript/frameworks/SQL.qll  | 80 ++++++++++++-------
 .../frameworks/SQL/SqlString.expected         |  3 +
 .../frameworks/SQL/spanner-types.ts           |  5 ++
 .../library-tests/frameworks/SQL/spanner.js   | 12 +++
 4 files changed, 71 insertions(+), 29 deletions(-)
 create mode 100644 javascript/ql/test/library-tests/frameworks/SQL/spanner-types.ts

diff --git a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
index a84bde4cdd0..ce702decc96 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
@@ -543,6 +543,8 @@ private module Spanner {
   API::Node database() {
     result =
       spanner().getReturn().getMember("instance").getReturn().getMember("database").getReturn()
+    or
+    result = API::Node::ofType("@google-cloud/spanner", "Database")
   }
 
   /**
@@ -550,61 +552,81 @@ private module Spanner {
    */
   API::Node v1SpannerClient() {
     result = spanner().getMember("v1").getMember("SpannerClient").getInstance()
+    or
+    result = API::Node::ofType("@google-cloud/spanner", "v1.SpannerClient")
   }
 
   /**
    * Gets a node that refers to a transaction object.
    */
   API::Node transaction() {
-    result = database().getMember("runTransaction").getParameter(0).getParameter(1)
+    result =
+      database()
+          .getMember(["runTransaction", "runTransactionAsync"])
+          .getParameter([0, 1])
+          .getParameter(1)
+    or
+    result = API::Node::ofType("@google-cloud/spanner", "Transaction")
+  }
+
+  /** Gets an API node referring to a `BatchTransaction` object. */
+  API::Node batchTransaction() {
+    result = database().getMember("batchTransaction").getReturn()
+    or
+    result = database().getMember("createBatchTransaction").getReturn().getPromised()
+    or
+    result = API::Node::ofType("@google-cloud/spanner", "BatchTransaction")
   }
 
   /**
    * A call to a Spanner method that executes a SQL query.
    */
-  abstract class SqlExecution extends DatabaseAccess, DataFlow::InvokeNode {
-    /**
-     * Gets the position of the query argument; default is zero, which can be overridden
-     * by subclasses.
-     */
-    int getQueryArgumentPosition() { result = 0 }
+  abstract class SqlExecution extends DatabaseAccess, DataFlow::InvokeNode { }
+
+  /**
+   * A SQL execution that takes the input directly in the first argument or in the `sql` option.
+   */
+  class SqlExecutionDirect extends SqlExecution {
+    SqlExecutionDirect() {
+      this = database().getMember(["run", "runPartitionedUpdate", "runStream"]).getACall()
+      or
+      this = transaction().getMember(["run", "runStream", "runUpdate"]).getACall()
+      or
+      this = batchTransaction().getMember("createQueryPartitions").getACall()
+    }
 
     override DataFlow::Node getAQueryArgument() {
-      result = getArgument(getQueryArgumentPosition()) or
-      result = getOptionArgument(getQueryArgumentPosition(), "sql")
+      result = getArgument(0)
+      or
+      result = getOptionArgument(0, "sql")
     }
   }
 
   /**
-   * A call to `Database.run`, `Database.runPartitionedUpdate` or `Database.runStream`.
+   * A SQL execution that takes an array of SQL strings or { sql: string } objects.
    */
-  class DatabaseRunCall extends SqlExecution {
-    DatabaseRunCall() {
-      this = database().getMember(["run", "runPartitionedUpdate", "runStream"]).getACall()
+  class SqlExecutionBatch extends SqlExecution, API::CallNode {
+    SqlExecutionBatch() { this = transaction().getMember("batchUpdate").getACall() }
+
+    override DataFlow::Node getAQueryArgument() {
+      // just use the whole array as the query argument, as arrays becomes tainted if one of the elements
+      // are tainted
+      result = getArgument(0)
+      or
+      result = getParameter(0).getUnknownMember().getMember("sql").getARhs()
     }
   }
 
   /**
-   * A call to `Transaction.run`, `Transaction.runStream` or `Transaction.runUpdate`.
+   * A SQL execution that only takes the input in the `sql` option, and do not accept query strings
+   * directly.
    */
-  class TransactionRunCall extends SqlExecution {
-    TransactionRunCall() {
-      this = transaction().getMember(["run", "runStream", "runUpdate"]).getACall()
-    }
-  }
-
-  /**
-   * A call to `v1.SpannerClient.executeSql` or `v1.SpannerClient.executeStreamingSql`.
-   */
-  class ExecuteSqlCall extends SqlExecution {
-    ExecuteSqlCall() {
+  class SqlExecutionWithOption extends SqlExecution {
+    SqlExecutionWithOption() {
       this = v1SpannerClient().getMember(["executeSql", "executeStreamingSql"]).getACall()
     }
 
-    override DataFlow::Node getAQueryArgument() {
-      // `executeSql` and `executeStreamingSql` do not accept query strings directly
-      result = getOptionArgument(0, "sql")
-    }
+    override DataFlow::Node getAQueryArgument() { result = getOptionArgument(0, "sql") }
   }
 
   /**
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
index a5e87fe45d8..41bf9865b16 100644
--- a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
+++ b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
@@ -41,6 +41,7 @@
 | sequelizeImport.js:3:17:3:118 | 'SELECT ... Y name' |
 | spanner2.js:5:26:5:35 | "SQL code" |
 | spanner2.js:7:35:7:44 | "SQL code" |
+| spanner-types.ts:4:12:4:23 | 'SELECT 123' |
 | spanner.js:6:8:6:17 | "SQL code" |
 | spanner.js:7:8:7:26 | { sql: "SQL code" } |
 | spanner.js:7:15:7:24 | "SQL code" |
@@ -59,6 +60,8 @@
 | spanner.js:18:16:18:25 | "SQL code" |
 | spanner.js:19:16:19:34 | { sql: "SQL code" } |
 | spanner.js:19:23:19:32 | "SQL code" |
+| spanner.js:23:12:23:23 | 'SELECT 123' |
+| spanner.js:26:12:26:38 | 'UPDATE ... = @baz' |
 | spannerImport.js:4:8:4:17 | "SQL code" |
 | sqlite-types.ts:4:12:4:49 | "UPDATE ... id = ?" |
 | sqlite.js:7:8:7:45 | "UPDATE ... id = ?" |
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/spanner-types.ts b/javascript/ql/test/library-tests/frameworks/SQL/spanner-types.ts
new file mode 100644
index 00000000000..8dceca56e60
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/SQL/spanner-types.ts
@@ -0,0 +1,5 @@
+import { Database } from "@google-cloud/spanner";
+
+export function doSomething(db: Database) {
+    db.run('SELECT 123');
+}
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/spanner.js b/javascript/ql/test/library-tests/frameworks/SQL/spanner.js
index a27c52d82fd..8396745f7e6 100644
--- a/javascript/ql/test/library-tests/frameworks/SQL/spanner.js
+++ b/javascript/ql/test/library-tests/frameworks/SQL/spanner.js
@@ -17,6 +17,18 @@ db.runTransaction((err, tx) => {
   tx.runStream({ sql: "SQL code" });
   tx.runUpdate("SQL code");
   tx.runUpdate({ sql: "SQL code" });
+
+  const queries = [
+    {
+      sql: 'SELECT 123',
+    },
+    {
+      sql: 'UPDATE foo SET bar = @baz',
+      params: {key: 'baz', value: '123'}
+    }
+  ];
+  
+  tx.batchUpdate(queries, () => {});
 });
 
 exports.instance = instance;

From f8bbda0cdc82aa8c155c8f4d0e76e2f6dd811ab9 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Tue, 30 Mar 2021 11:37:45 +0100
Subject: [PATCH 0119/1429] JS: Change note

---
 javascript/change-notes/2021-03-30-sql-models.md | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 javascript/change-notes/2021-03-30-sql-models.md

diff --git a/javascript/change-notes/2021-03-30-sql-models.md b/javascript/change-notes/2021-03-30-sql-models.md
new file mode 100644
index 00000000000..2ceaf8dc7a7
--- /dev/null
+++ b/javascript/change-notes/2021-03-30-sql-models.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* The SQL library models for `mysql`, `mysql2`, `mssql`, `pg`, `sqlite3`, `sequelize`, and `@google-cloud/spanner` have improved,
+  leading to more SQL injection sinks.

From 8faafb6961d21e652ff3c7223dab498cec9f8332 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Tue, 30 Mar 2021 16:58:02 +0200
Subject: [PATCH 0120/1429] Update Sink

---
 .../Security/CWE-090/LDAPInjection.ql         |  9 +++----
 .../semmle/python/frameworks/Stdlib.qll       |  6 ++---
 .../security/injection/LDAPInjection.qll      | 26 +++++++++++++++++--
 3 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
index 7ce3a118918..a803b39260e 100644
--- a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
@@ -16,11 +16,10 @@ import DataFlow::PathGraph
 
 from
   LDAPInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
-  LDAPQuery castedSink
+  LDAPInjectionSink castedSink
 where
   config.hasFlowPath(source, sink) and
-  castedSink = sink.getNode() //and
+  castedSink.getLDAPNode() = sink.getNode() //and
 // if exists(castedSink.getAttrs()) then
-select sink.getNode(), source, sink, "$@ LDAP query executes $@ as a $@ probably leaking $@.",
-  sink.getNode(), "This", source.getNode(), "a user-provided value", castedSink.getLDAPNode(),
-  castedSink.getLDAPPart(), castedSink.getAttrs(), "this attribute(s)"
+select sink.getNode(), source, sink, "$@ LDAP query executes $@ as a $@.", castedSink, "This",
+  source.getNode(), "a user-provided value", castedSink.getLDAPNode(), castedSink.getLDAPPart() //, castedSink.getAttrs(), "probably leaking this attribute(s)"
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index aa9013a76c0..348367d0370 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -95,10 +95,10 @@ private module LDAP {
           (
             ldapNode = this.getArg(0) and
             ldapPart = "DN"
-            or
-            ldapNode = this.getArg(1) and
-            ldapPart = "search_filter"
           )
+          or
+          ldapNode = this.getArg(1) and
+          ldapPart = "search_filter"
         )
       }
 
diff --git a/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll
index db8bdda7db6..4814097ff8e 100644
--- a/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll
@@ -8,6 +8,26 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
 
+class LDAPInjectionSink extends DataFlow::Node {
+  // DataFlow::Node attrs;
+  DataFlow::Node ldapNode;
+  string ldapPart;
+
+  LDAPInjectionSink() {
+    exists(LDAPQuery ldapQuery |
+      this = ldapQuery and
+      ldapNode = ldapQuery.getLDAPNode() and
+      ldapPart = ldapQuery.getLDAPPart() // and
+      // if exists(ldapQuery.getAttrs()) then attrs = ldapQuery.getAttrs()
+    )
+  }
+
+  DataFlow::Node getLDAPNode() { result = ldapNode }
+
+  string getLDAPPart() { result = ldapPart }
+  // DataFlow::Node getAttrs() { result = attrs }
+}
+
 /**
  * A taint-tracking configuration for detecting regular expression injections.
  */
@@ -16,9 +36,11 @@ class LDAPInjectionFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) { sink = any(LDAPQuery lQ).getLDAPNode() }
+  override predicate isSink(DataFlow::Node sink) {
+    sink = any(LDAPInjectionSink ldapInjSink).getLDAPNode()
+  }
 
   override predicate isSanitizer(DataFlow::Node sanitizer) {
-    sanitizer = any(LDAPEscape lE).getEscapeNode()
+    sanitizer = any(LDAPEscape ldapEsc).getEscapeNode()
   }
 }

From 57784dc7461f3f4624966b9c9e0356fe0018ee5b Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Wed, 31 Mar 2021 09:23:47 +0100
Subject: [PATCH 0121/1429] JS: Update test output

---
 .../ql/test/library-tests/frameworks/SQL/SqlString.expected      | 1 +
 1 file changed, 1 insertion(+)

diff --git a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
index 41bf9865b16..81338e00140 100644
--- a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
+++ b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
@@ -62,6 +62,7 @@
 | spanner.js:19:23:19:32 | "SQL code" |
 | spanner.js:23:12:23:23 | 'SELECT 123' |
 | spanner.js:26:12:26:38 | 'UPDATE ... = @baz' |
+| spanner.js:31:18:31:24 | queries |
 | spannerImport.js:4:8:4:17 | "SQL code" |
 | sqlite-types.ts:4:12:4:49 | "UPDATE ... id = ?" |
 | sqlite.js:7:8:7:45 | "UPDATE ... id = ?" |

From 8159098dc0e47627a2386d8682e36f3d0445ca3e Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 31 Mar 2021 11:32:01 +0200
Subject: [PATCH 0122/1429] C++: Add test from issue #5190.

---
 .../dataflow/taint-tests/smart_pointer.cpp             | 10 ++++++++++
 cpp/ql/test/library-tests/dataflow/taint-tests/stl.h   |  2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
index f45260228e8..1f222cbae3e 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
@@ -65,4 +65,14 @@ void test_shared_field_member() {
     std::unique_ptr<A> p = std::make_unique<A>(source(), 0);
     sink(p->x); // $ MISSING: ast,ir
     sink(p->y); // not tainted
+}
+
+void getNumber(std::shared_ptr<int> ptr) {
+  *ptr = source();
+}
+
+int test_from_issue_5190() {
+  std::shared_ptr<int> p(new int);
+  getNumber(p);
+  sink(*p); // $ MISSING: ast,ir
 }
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h b/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
index 09e77c5a3b6..1382552bdca 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
@@ -348,7 +348,7 @@ namespace std {
 	class shared_ptr {
 	public:
 		shared_ptr() noexcept;
-		explicit shared_ptr(T*);
+		explicit shared_ptr(T*); shared_ptr(const shared_ptr&) noexcept;
 		template<class U> shared_ptr(const shared_ptr<U>&) noexcept;
 		template<class U> shared_ptr(shared_ptr<U>&&) noexcept;
 

From 9ff894bf839a098aad951f8d5df23b6f339da14b Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 31 Mar 2021 11:42:09 +0200
Subject: [PATCH 0123/1429] C++: Add support for AST dataflow out of functions
 that take a smart pointer by value.

---
 .../cpp/dataflow/internal/DataFlowUtil.qll    | 14 ++++
 .../code/cpp/dataflow/internal/FlowVar.qll    | 72 ++++++++++++++++++-
 .../dataflow/internal/TaintTrackingUtil.qll   |  6 +-
 cpp/ql/src/semmle/code/cpp/exprs/Call.qll     |  1 +
 .../dataflow/taint-tests/localTaint.expected  | 22 ++++++
 .../dataflow/taint-tests/smart_pointer.cpp    | 10 +--
 6 files changed, 118 insertions(+), 7 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
index 0a6d459ec79..baf5f72b75b 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -199,6 +199,8 @@ class DefinitionByReferenceOrIteratorNode extends PartialDefinitionNode {
       this.getPartialDefinition() instanceof DefinitionByReference
       or
       this.getPartialDefinition() instanceof DefinitionByIterator
+      or
+      this.getPartialDefinition() instanceof DefinitionBySmartPointer
     )
   }
 
@@ -330,6 +332,18 @@ class IteratorPartialDefinitionNode extends PartialDefinitionNode {
   override Node getPreUpdateNode() { pd.definesExpressions(_, result.asExpr()) }
 }
 
+/**
+ * INTERNAL: do not use.
+ *
+ * A synthetic data flow node used for flow into a collection when a smart pointer
+ * write occurs in a callee.
+ */
+class SmartPointerPartialDefinitionNode extends PartialDefinitionNode {
+  override SmartPointerPartialDefinition pd;
+
+  override Node getPreUpdateNode() { pd.definesExpressions(_, result.asExpr()) }
+}
+
 /**
  * A post-update node on the `e->f` in `f(&e->f)` (and other forms).
  */
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
index f3aa94a7992..21ba4dff36d 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
@@ -7,6 +7,7 @@ private import semmle.code.cpp.controlflow.SSA
 private import semmle.code.cpp.dataflow.internal.SubBasicBlocks
 private import semmle.code.cpp.dataflow.internal.AddressFlow
 private import semmle.code.cpp.models.implementations.Iterator
+private import semmle.code.cpp.models.interfaces.PointerWrapper
 
 /**
  * A conceptual variable that is assigned only once, like an SSA variable. This
@@ -243,6 +244,54 @@ private module PartialDefinitions {
     }
   }
 
+  class SmartPointerPartialDefinition extends PartialDefinition {
+    Variable pointer;
+    Expr innerDefinedExpr;
+
+    SmartPointerPartialDefinition() {
+      exists(Expr convertedInner |
+        not this instanceof Conversion and
+        valueToUpdate(convertedInner, this.getFullyConverted(), node) and
+        innerDefinedExpr = convertedInner.getUnconverted() and
+        innerDefinedExpr = getAPointerWrapperAccess(pointer)
+      )
+      or
+      // iterators passed by value without a copy constructor
+      exists(Call call |
+        call = node and
+        call.getAnArgument() = innerDefinedExpr and
+        innerDefinedExpr = this and
+        this = getAPointerWrapperAccess(pointer) and
+        not call instanceof OverloadedPointerDereferenceExpr
+      )
+      or
+      // iterators passed by value with a copy constructor
+      exists(Call call, ConstructorCall copy |
+        copy.getTarget() instanceof CopyConstructor and
+        call = node and
+        call.getAnArgument() = copy and
+        copy.getArgument(0) = getAPointerWrapperAccess(pointer) and
+        innerDefinedExpr = this and
+        this = copy and
+        not call instanceof OverloadedPointerDereferenceExpr
+      )
+    }
+
+    deprecated override predicate partiallyDefines(Variable v) { v = pointer }
+
+    deprecated override predicate partiallyDefinesThis(ThisExpr e) { none() }
+
+    override predicate definesExpressions(Expr inner, Expr outer) {
+      inner = innerDefinedExpr and
+      outer = this
+    }
+
+    override predicate partiallyDefinesVariableAt(Variable v, ControlFlowNode cfn) {
+      v = pointer and
+      cfn = node
+    }
+  }
+
   /**
    * A partial definition that's a definition via an output iterator.
    */
@@ -256,6 +305,15 @@ private module PartialDefinitions {
   class DefinitionByReference extends VariablePartialDefinition {
     DefinitionByReference() { exists(Call c | this = c.getAnArgument() or this = c.getQualifier()) }
   }
+
+  /**
+   * A partial definition that's a definition via a smart pointer being passed into a function.
+   */
+  class DefinitionBySmartPointer extends SmartPointerPartialDefinition {
+    DefinitionBySmartPointer() {
+      exists(Call c | this = c.getAnArgument() or this = c.getQualifier())
+    }
+  }
 }
 
 import PartialDefinitions
@@ -296,7 +354,8 @@ module FlowVar_internal {
     // treating them as immutable, but for data flow it gives better results in
     // practice to make the variable synonymous with its contents.
     not v.getUnspecifiedType() instanceof ReferenceType and
-    not v instanceof IteratorParameter
+    not v instanceof IteratorParameter and
+    not v instanceof PointerWrapperParameter
   }
 
   /**
@@ -648,6 +707,8 @@ module FlowVar_internal {
     )
     or
     p instanceof IteratorParameter
+    or
+    p instanceof PointerWrapperParameter
   }
 
   /**
@@ -832,10 +893,19 @@ module FlowVar_internal {
     )
   }
 
+  Call getAPointerWrapperAccess(Variable pointer) {
+    pointer.getUnspecifiedType() instanceof PointerWrapper and
+    [result.getQualifier(), result.getAnArgument()] = pointer.getAnAccess()
+  }
+
   class IteratorParameter extends Parameter {
     IteratorParameter() { this.getUnspecifiedType() instanceof Iterator }
   }
 
+  class PointerWrapperParameter extends Parameter {
+    PointerWrapperParameter() { this.getUnspecifiedType() instanceof PointerWrapper }
+  }
+
   /**
    * Holds if `v` is initialized to have value `assignedExpr`.
    */
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
index 1ef340c4f21..591f461c8eb 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
@@ -11,6 +11,7 @@
 private import semmle.code.cpp.models.interfaces.DataFlow
 private import semmle.code.cpp.models.interfaces.Taint
 private import semmle.code.cpp.models.interfaces.Iterator
+private import semmle.code.cpp.models.interfaces.PointerWrapper
 
 private module DataFlow {
   import semmle.code.cpp.dataflow.internal.DataFlowUtil
@@ -141,7 +142,10 @@ private predicate noFlowFromChildExpr(Expr e) {
   or
   e instanceof LogicalOrExpr
   or
-  e instanceof Call
+  // Allow taint from `operator*` on smart pointers.
+  exists(Call call | e = call |
+    not call.getTarget() = any(PointerWrapper wrapper).getAnUnwrapperFunction()
+  )
   or
   e instanceof SizeofOperator
   or
diff --git a/cpp/ql/src/semmle/code/cpp/exprs/Call.qll b/cpp/ql/src/semmle/code/cpp/exprs/Call.qll
index 349efdcee10..6f6f710ac4b 100644
--- a/cpp/ql/src/semmle/code/cpp/exprs/Call.qll
+++ b/cpp/ql/src/semmle/code/cpp/exprs/Call.qll
@@ -314,6 +314,7 @@ class OverloadedPointerDereferenceFunction extends Function {
  * T1 operator*(const T2 &);
  * T1 a; T2 b;
  * a = *b;
+ * ```
  */
 class OverloadedPointerDereferenceExpr extends FunctionCall {
   OverloadedPointerDereferenceExpr() {
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index 4444ea13267..9b1ad0d4f10 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -3223,24 +3223,30 @@
 | smart_pointer.cpp:11:30:11:50 | call to make_shared | smart_pointer.cpp:12:11:12:11 | p |  |
 | smart_pointer.cpp:11:30:11:50 | call to make_shared | smart_pointer.cpp:13:10:13:10 | p |  |
 | smart_pointer.cpp:11:52:11:57 | call to source | smart_pointer.cpp:11:30:11:50 | call to make_shared | TAINT |
+| smart_pointer.cpp:12:10:12:10 | call to operator* [post update] | smart_pointer.cpp:13:10:13:10 | p |  |
 | smart_pointer.cpp:12:11:12:11 | p | smart_pointer.cpp:12:10:12:10 | call to operator* | TAINT |
 | smart_pointer.cpp:12:11:12:11 | ref arg p | smart_pointer.cpp:13:10:13:10 | p |  |
 | smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:18:11:18:11 | p |  |
 | smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:19:10:19:10 | p |  |
+| smart_pointer.cpp:18:10:18:10 | ref arg call to operator* | smart_pointer.cpp:19:10:19:10 | p |  |
 | smart_pointer.cpp:18:11:18:11 | p | smart_pointer.cpp:18:10:18:10 | call to operator* | TAINT |
 | smart_pointer.cpp:18:11:18:11 | ref arg p | smart_pointer.cpp:19:10:19:10 | p |  |
 | smart_pointer.cpp:23:30:23:50 | call to make_unique | smart_pointer.cpp:24:11:24:11 | p |  |
 | smart_pointer.cpp:23:30:23:50 | call to make_unique | smart_pointer.cpp:25:10:25:10 | p |  |
 | smart_pointer.cpp:23:52:23:57 | call to source | smart_pointer.cpp:23:30:23:50 | call to make_unique | TAINT |
+| smart_pointer.cpp:24:10:24:10 | call to operator* [post update] | smart_pointer.cpp:25:10:25:10 | p |  |
 | smart_pointer.cpp:24:11:24:11 | p | smart_pointer.cpp:24:10:24:10 | call to operator* | TAINT |
 | smart_pointer.cpp:24:11:24:11 | ref arg p | smart_pointer.cpp:25:10:25:10 | p |  |
 | smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:30:11:30:11 | p |  |
 | smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:31:10:31:10 | p |  |
+| smart_pointer.cpp:30:10:30:10 | ref arg call to operator* | smart_pointer.cpp:31:10:31:10 | p |  |
 | smart_pointer.cpp:30:11:30:11 | p | smart_pointer.cpp:30:10:30:10 | call to operator* | TAINT |
 | smart_pointer.cpp:30:11:30:11 | ref arg p | smart_pointer.cpp:31:10:31:10 | p |  |
 | smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:37:6:37:6 | p |  |
 | smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:38:10:38:10 | p |  |
 | smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:39:11:39:11 | p |  |
+| smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:38:10:38:10 | p |  |
+| smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:39:11:39:11 | p |  |
 | smart_pointer.cpp:37:5:37:17 | ... = ... | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] |  |
 | smart_pointer.cpp:37:6:37:6 | p | smart_pointer.cpp:37:5:37:5 | call to operator* | TAINT |
 | smart_pointer.cpp:37:6:37:6 | ref arg p | smart_pointer.cpp:38:10:38:10 | p |  |
@@ -3251,6 +3257,8 @@
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:45:6:45:6 | p |  |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:46:10:46:10 | p |  |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:47:11:47:11 | p |  |
+| smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:46:10:46:10 | p |  |
+| smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:47:11:47:11 | p |  |
 | smart_pointer.cpp:45:5:45:17 | ... = ... | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] |  |
 | smart_pointer.cpp:45:6:45:6 | p | smart_pointer.cpp:45:5:45:5 | call to operator* | TAINT |
 | smart_pointer.cpp:45:6:45:6 | ref arg p | smart_pointer.cpp:46:10:46:10 | p |  |
@@ -3268,7 +3276,21 @@
 | smart_pointer.cpp:65:28:65:46 | call to make_unique | smart_pointer.cpp:67:10:67:10 | p |  |
 | smart_pointer.cpp:65:48:65:53 | call to source | smart_pointer.cpp:65:28:65:46 | call to make_unique | TAINT |
 | smart_pointer.cpp:65:58:65:58 | 0 | smart_pointer.cpp:65:28:65:46 | call to make_unique | TAINT |
+| smart_pointer.cpp:66:10:66:10 | p | smart_pointer.cpp:66:11:66:11 | call to operator-> | TAINT |
 | smart_pointer.cpp:66:10:66:10 | ref arg p | smart_pointer.cpp:67:10:67:10 | p |  |
+| smart_pointer.cpp:67:10:67:10 | p | smart_pointer.cpp:67:11:67:11 | call to operator-> | TAINT |
+| smart_pointer.cpp:70:37:70:39 | ptr | smart_pointer.cpp:70:37:70:39 | ptr |  |
+| smart_pointer.cpp:70:37:70:39 | ptr | smart_pointer.cpp:71:4:71:6 | ptr |  |
+| smart_pointer.cpp:71:3:71:3 | call to operator* [post update] | smart_pointer.cpp:70:37:70:39 | ptr |  |
+| smart_pointer.cpp:71:3:71:17 | ... = ... | smart_pointer.cpp:71:3:71:3 | call to operator* [post update] |  |
+| smart_pointer.cpp:71:4:71:6 | ptr | smart_pointer.cpp:71:3:71:3 | call to operator* | TAINT |
+| smart_pointer.cpp:71:4:71:6 | ref arg ptr | smart_pointer.cpp:70:37:70:39 | ptr |  |
+| smart_pointer.cpp:71:10:71:15 | call to source | smart_pointer.cpp:71:3:71:17 | ... = ... |  |
+| smart_pointer.cpp:75:26:75:33 | call to shared_ptr | smart_pointer.cpp:76:13:76:13 | p |  |
+| smart_pointer.cpp:75:26:75:33 | call to shared_ptr | smart_pointer.cpp:77:9:77:9 | p |  |
+| smart_pointer.cpp:76:13:76:13 | call to shared_ptr [post update] | smart_pointer.cpp:77:9:77:9 | p |  |
+| smart_pointer.cpp:76:13:76:13 | p | smart_pointer.cpp:76:13:76:13 | call to shared_ptr |  |
+| smart_pointer.cpp:77:9:77:9 | p | smart_pointer.cpp:77:8:77:8 | call to operator* | TAINT |
 | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:39:45:39:51 | source1 |  |
 | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:40:11:40:17 | source1 |  |
 | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:41:12:41:18 | source1 |  |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
index 1f222cbae3e..e5d835d3426 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
@@ -35,16 +35,16 @@ void test_reverse_taint_shared() {
     std::shared_ptr<int> p = std::make_shared<int>();
 
     *p = source();
-    sink(p); // $ MISSING: ast,ir
-    sink(*p); // $ MISSING: ast,ir
+    sink(p); // $ ast MISSING: ir
+    sink(*p); // $ ast MISSING: ir
 }
 
 void test_reverse_taint_unique() {
     std::unique_ptr<int> p = std::unique_ptr<int>();
 
     *p = source();
-    sink(p); // $ MISSING: ast,ir
-    sink(*p); // $ MISSING: ast,ir
+    sink(p); // $ ast MISSING: ir
+    sink(*p); // $ ast MISSING: ir
 }
 
 void test_shared_get() {
@@ -74,5 +74,5 @@ void getNumber(std::shared_ptr<int> ptr) {
 int test_from_issue_5190() {
   std::shared_ptr<int> p(new int);
   getNumber(p);
-  sink(*p); // $ MISSING: ast,ir
+  sink(*p); // $ ast MISSING: ir
 }
\ No newline at end of file

From 43306f4700e1e330abdaeb7c02f80d7288c11670 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 31 Mar 2021 17:17:58 +0200
Subject: [PATCH 0124/1429] Python: Add tests for Module.declaredInAll

---
 .../modules/__all__/DeclaredInAll.expected    |  3 +
 .../modules/__all__/DeclaredInAll.ql          |  5 ++
 .../modules/__all__/all_dynamic.py            |  8 ++
 .../library-tests/modules/__all__/all_list.py |  6 ++
 .../library-tests/modules/__all__/all_set.py  |  6 ++
 .../modules/__all__/all_tuple.py              |  6 ++
 .../library-tests/modules/__all__/main.py     | 74 +++++++++++++++++++
 .../library-tests/modules/__all__/no_all.py   |  3 +
 8 files changed, 111 insertions(+)
 create mode 100644 python/ql/test/library-tests/modules/__all__/DeclaredInAll.expected
 create mode 100644 python/ql/test/library-tests/modules/__all__/DeclaredInAll.ql
 create mode 100644 python/ql/test/library-tests/modules/__all__/all_dynamic.py
 create mode 100644 python/ql/test/library-tests/modules/__all__/all_list.py
 create mode 100644 python/ql/test/library-tests/modules/__all__/all_set.py
 create mode 100644 python/ql/test/library-tests/modules/__all__/all_tuple.py
 create mode 100644 python/ql/test/library-tests/modules/__all__/main.py
 create mode 100644 python/ql/test/library-tests/modules/__all__/no_all.py

diff --git a/python/ql/test/library-tests/modules/__all__/DeclaredInAll.expected b/python/ql/test/library-tests/modules/__all__/DeclaredInAll.expected
new file mode 100644
index 00000000000..5d90821921b
--- /dev/null
+++ b/python/ql/test/library-tests/modules/__all__/DeclaredInAll.expected
@@ -0,0 +1,3 @@
+| all_dynamic.py:0:0:0:0 | Module all_dynamic | foo |
+| all_list.py:0:0:0:0 | Module all_list | bar |
+| all_list.py:0:0:0:0 | Module all_list | foo |
diff --git a/python/ql/test/library-tests/modules/__all__/DeclaredInAll.ql b/python/ql/test/library-tests/modules/__all__/DeclaredInAll.ql
new file mode 100644
index 00000000000..69f9d32f856
--- /dev/null
+++ b/python/ql/test/library-tests/modules/__all__/DeclaredInAll.ql
@@ -0,0 +1,5 @@
+import python
+
+from Module mod, string name
+where mod.declaredInAll(name)
+select mod, name
diff --git a/python/ql/test/library-tests/modules/__all__/all_dynamic.py b/python/ql/test/library-tests/modules/__all__/all_dynamic.py
new file mode 100644
index 00000000000..5213418328d
--- /dev/null
+++ b/python/ql/test/library-tests/modules/__all__/all_dynamic.py
@@ -0,0 +1,8 @@
+foo = "foo"
+bar = "bar"
+baz = "baz"
+
+
+__all__ = ["foo"]
+
+__all__ += ["bar"]
diff --git a/python/ql/test/library-tests/modules/__all__/all_list.py b/python/ql/test/library-tests/modules/__all__/all_list.py
new file mode 100644
index 00000000000..d2ecda63db4
--- /dev/null
+++ b/python/ql/test/library-tests/modules/__all__/all_list.py
@@ -0,0 +1,6 @@
+foo = "foo"
+bar = "bar"
+baz = "baz"
+
+
+__all__ = ["foo", "bar"]
diff --git a/python/ql/test/library-tests/modules/__all__/all_set.py b/python/ql/test/library-tests/modules/__all__/all_set.py
new file mode 100644
index 00000000000..bbd7d0d4c59
--- /dev/null
+++ b/python/ql/test/library-tests/modules/__all__/all_set.py
@@ -0,0 +1,6 @@
+foo = "foo"
+bar = "bar"
+baz = "baz"
+
+
+__all__ = {"foo", "bar"}
diff --git a/python/ql/test/library-tests/modules/__all__/all_tuple.py b/python/ql/test/library-tests/modules/__all__/all_tuple.py
new file mode 100644
index 00000000000..b06def5ddb7
--- /dev/null
+++ b/python/ql/test/library-tests/modules/__all__/all_tuple.py
@@ -0,0 +1,6 @@
+foo = "foo"
+bar = "bar"
+baz = "baz"
+
+
+__all__ = ("foo", "bar")
diff --git a/python/ql/test/library-tests/modules/__all__/main.py b/python/ql/test/library-tests/modules/__all__/main.py
new file mode 100644
index 00000000000..40b63287638
--- /dev/null
+++ b/python/ql/test/library-tests/modules/__all__/main.py
@@ -0,0 +1,74 @@
+# This file showcases how imports work with `__all__`.
+#
+# TL;DR; in `from <module> import *`, if `__all__` is defined in `<module>`, then only
+# the names in `__all__` will be imported -- otherwise all names that doesn't begin with
+# an underscore will be imported.
+#
+# If `__all__` is defined, `__all__` must be a sequence for `from <module> import *` to work.
+#
+# https://docs.python.org/3/reference/simple_stmts.html#the-import-statement
+# https://docs.python.org/3/glossary.html#term-sequence
+
+print("import *")
+print("---")
+
+from no_all import *
+print("no_all.py")
+print("  foo={!r}".format(foo))
+print("  bar={!r}".format(bar))
+print("  baz={!r}".format(baz))
+del foo, bar, baz
+
+from all_list import *
+print("all_list.py")
+print("  foo={!r}".format(foo))
+print("  bar={!r}".format(bar))
+try:
+    print("  baz={!r}".format(baz))
+except NameError:
+    print("  baz not imported")
+del foo, bar
+
+from all_tuple import *
+print("all_tuple.py")
+print("  foo={!r}".format(foo))
+print("  bar={!r}".format(bar))
+try:
+    print("  baz={!r}".format(baz))
+except NameError:
+    print("  baz not imported")
+del foo, bar
+
+from all_dynamic import *
+print("all_dynamic.py")
+print("  foo={!r}".format(foo))
+print("  bar={!r}".format(bar))
+try:
+    print("  baz={!r}".format(baz))
+except NameError:
+    print("  baz not imported")
+del foo, bar
+
+
+# Example of wrong definition of `__all__`, where it is not a sequence.
+try:
+    from all_set import *
+except TypeError as e:
+    assert str(e) == "'set' object does not support indexing"
+    print("from all_set import * could not be imported:", e)
+
+print("")
+print("Direct reference on module")
+print("---")
+# Direct reference always works, no matter how `__all__` is set.
+import no_all
+import all_list
+import all_tuple
+import all_dynamic
+import all_set
+
+for mod in [no_all, all_list, all_tuple, all_dynamic, all_set]:
+    print("{}.py".format(mod.__name__))
+    print("  foo={!r}".format(mod.foo))
+    print("  bar={!r}".format(mod.bar))
+    print("  baz={!r}".format(mod.baz))
diff --git a/python/ql/test/library-tests/modules/__all__/no_all.py b/python/ql/test/library-tests/modules/__all__/no_all.py
new file mode 100644
index 00000000000..ca059c60687
--- /dev/null
+++ b/python/ql/test/library-tests/modules/__all__/no_all.py
@@ -0,0 +1,3 @@
+foo = "foo"
+bar = "bar"
+baz = "baz"

From ab3edf37d70d9e69b7e7226de3ea7ce8a8f973ae Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 31 Mar 2021 17:25:19 +0200
Subject: [PATCH 0125/1429] Python: Handle __all__ assigned to a tuple

Examples where this is used in real code:

- https://github.com/django/django/blob/76c0b32f826469320c59709d31e2f2126dd7c505/django/core/files/temp.py#L24
- https://github.com/django/django/blob/76c0b32f826469320c59709d31e2f2126dd7c505/django/contrib/gis/gdal/__init__.py#L44-L49
---
 python/ql/src/semmle/python/Module.qll                      | 6 +++++-
 .../library-tests/modules/__all__/DeclaredInAll.expected    | 2 ++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/Module.qll b/python/ql/src/semmle/python/Module.qll
index fcf1c0b2925..bc100e262f4 100644
--- a/python/ql/src/semmle/python/Module.qll
+++ b/python/ql/src/semmle/python/Module.qll
@@ -129,7 +129,11 @@ class Module extends Module_, Scope, AstNode {
       a.defines(all) and
       a.getScope() = this and
       all.getId() = "__all__" and
-      a.getValue().(List).getAnElt().(StrConst).getText() = name
+      (
+        a.getValue().(List).getAnElt().(StrConst).getText() = name
+        or
+        a.getValue().(Tuple).getAnElt().(StrConst).getText() = name
+      )
     )
   }
 
diff --git a/python/ql/test/library-tests/modules/__all__/DeclaredInAll.expected b/python/ql/test/library-tests/modules/__all__/DeclaredInAll.expected
index 5d90821921b..86591566217 100644
--- a/python/ql/test/library-tests/modules/__all__/DeclaredInAll.expected
+++ b/python/ql/test/library-tests/modules/__all__/DeclaredInAll.expected
@@ -1,3 +1,5 @@
 | all_dynamic.py:0:0:0:0 | Module all_dynamic | foo |
 | all_list.py:0:0:0:0 | Module all_list | bar |
 | all_list.py:0:0:0:0 | Module all_list | foo |
+| all_tuple.py:0:0:0:0 | Module all_tuple | bar |
+| all_tuple.py:0:0:0:0 | Module all_tuple | foo |

From 95ac2c8edda7f845bfa60df47d77ecc9fbec9d93 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 31 Mar 2021 17:31:55 +0200
Subject: [PATCH 0126/1429] Python: Add another dynamic __all__ test

---
 .../library-tests/modules/__all__/all_dynamic2.py    |  7 +++++++
 python/ql/test/library-tests/modules/__all__/main.py | 12 +++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 python/ql/test/library-tests/modules/__all__/all_dynamic2.py

diff --git a/python/ql/test/library-tests/modules/__all__/all_dynamic2.py b/python/ql/test/library-tests/modules/__all__/all_dynamic2.py
new file mode 100644
index 00000000000..88c0ddaeacc
--- /dev/null
+++ b/python/ql/test/library-tests/modules/__all__/all_dynamic2.py
@@ -0,0 +1,7 @@
+foo = "foo"
+bar = "bar"
+baz = "baz"
+
+
+temp = ["foo", "bar"]
+__all__ = temp
diff --git a/python/ql/test/library-tests/modules/__all__/main.py b/python/ql/test/library-tests/modules/__all__/main.py
index 40b63287638..a36afae0ed4 100644
--- a/python/ql/test/library-tests/modules/__all__/main.py
+++ b/python/ql/test/library-tests/modules/__all__/main.py
@@ -49,6 +49,15 @@ except NameError:
     print("  baz not imported")
 del foo, bar
 
+from all_dynamic2 import *
+print("all_dynamic2.py")
+print("  foo={!r}".format(foo))
+print("  bar={!r}".format(bar))
+try:
+    print("  baz={!r}".format(baz))
+except NameError:
+    print("  baz not imported")
+del foo, bar
 
 # Example of wrong definition of `__all__`, where it is not a sequence.
 try:
@@ -65,9 +74,10 @@ import no_all
 import all_list
 import all_tuple
 import all_dynamic
+import all_dynamic2
 import all_set
 
-for mod in [no_all, all_list, all_tuple, all_dynamic, all_set]:
+for mod in [no_all, all_list, all_tuple, all_dynamic, all_dynamic2, all_set]:
     print("{}.py".format(mod.__name__))
     print("  foo={!r}".format(mod.foo))
     print("  bar={!r}".format(mod.bar))

From ecbce88ec78710f67c0160f7ae58e58c027fb73c Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 31 Mar 2021 22:23:50 +0200
Subject: [PATCH 0127/1429] C++: Fix comment.

---
 cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
index 21ba4dff36d..29b6cd691a4 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
@@ -256,7 +256,7 @@ private module PartialDefinitions {
         innerDefinedExpr = getAPointerWrapperAccess(pointer)
       )
       or
-      // iterators passed by value without a copy constructor
+      // pointer wrappers passed by value without a copy constructor
       exists(Call call |
         call = node and
         call.getAnArgument() = innerDefinedExpr and
@@ -265,7 +265,7 @@ private module PartialDefinitions {
         not call instanceof OverloadedPointerDereferenceExpr
       )
       or
-      // iterators passed by value with a copy constructor
+      // pointer wrappers passed by value with a copy constructor
       exists(Call call, ConstructorCall copy |
         copy.getTarget() instanceof CopyConstructor and
         call = node and

From 4328ff398121d12f800a67a3edc0cd72ea2bf77e Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Wed, 31 Mar 2021 22:26:08 +0200
Subject: [PATCH 0128/1429] Remove attrs feature

---
 .../experimental/Security/CWE-090/LDAPInjection.ql    |  5 ++---
 python/ql/src/experimental/semmle/python/Concepts.qll |  4 ----
 .../experimental/semmle/python/frameworks/Stdlib.qll  | 11 -----------
 .../python/security/injection/LDAPInjection.qll       |  5 +----
 4 files changed, 3 insertions(+), 22 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
index a803b39260e..8d01fc173d4 100644
--- a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
@@ -19,7 +19,6 @@ from
   LDAPInjectionSink castedSink
 where
   config.hasFlowPath(source, sink) and
-  castedSink.getLDAPNode() = sink.getNode() //and
-// if exists(castedSink.getAttrs()) then
+  castedSink.getLDAPNode() = sink.getNode()
 select sink.getNode(), source, sink, "$@ LDAP query executes $@ as a $@.", castedSink, "This",
-  source.getNode(), "a user-provided value", castedSink.getLDAPNode(), castedSink.getLDAPPart() //, castedSink.getAttrs(), "probably leaking this attribute(s)"
+  source.getNode(), "a user-provided value", castedSink.getLDAPNode(), castedSink.getLDAPPart()
diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index e0f5c1bdec3..e62d9680665 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -20,8 +20,6 @@ module LDAPQuery {
     abstract DataFlow::Node getLDAPNode();
 
     abstract string getLDAPPart();
-
-    abstract DataFlow::Node getAttrs();
   }
 }
 
@@ -33,8 +31,6 @@ class LDAPQuery extends DataFlow::Node {
   DataFlow::Node getLDAPNode() { result = range.getLDAPNode() }
 
   string getLDAPPart() { result = range.getLDAPPart() }
-
-  DataFlow::Node getAttrs() { result = range.getAttrs() }
 }
 
 module LDAPEscape {
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index 348367d0370..f56a6603ec7 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -21,7 +21,6 @@ private module LDAP {
     private class LDAP2Query extends DataFlow::CallCfgNode, LDAPQuery::Range {
       DataFlow::Node ldapNode;
       string ldapPart;
-      DataFlow::Node attrs;
 
       LDAP2Query() {
         exists(DataFlow::AttrRead searchMethod, DataFlow::CallCfgNode initCall |
@@ -45,10 +44,6 @@ private module LDAP {
       override DataFlow::Node getLDAPNode() { result = ldapNode }
 
       override string getLDAPPart() { result = ldapPart }
-
-      override DataFlow::Node getAttrs() {
-        result = this.getArg(3) or result = this.getArgByName("attrlist")
-      }
     }
 
     private class LDAP2EscapeDN extends DataFlow::CallCfgNode, LDAPEscape::Range {
@@ -77,14 +72,12 @@ private module LDAP {
 
   private module LDAP3 {
     private class LDAP3QueryMethods extends string {
-      // pending to dig into this although https://github.com/cannatag/ldap3/blob/21001d9087c0d24c399eec433a261c455b7bc97f/ldap3/core/connection.py#L760
       LDAP3QueryMethods() { this in ["search"] }
     }
 
     private class LDAP3Query extends DataFlow::CallCfgNode, LDAPQuery::Range {
       DataFlow::Node ldapNode;
       string ldapPart;
-      DataFlow::Node attrs;
 
       LDAP3Query() {
         exists(DataFlow::AttrRead searchMethod, DataFlow::CallCfgNode connCall |
@@ -105,10 +98,6 @@ private module LDAP {
       override DataFlow::Node getLDAPNode() { result = ldapNode }
 
       override string getLDAPPart() { result = ldapPart }
-
-      override DataFlow::Node getAttrs() {
-        result = this.getArg(3) or result = this.getArgByName("attributes")
-      }
     }
 
     private class LDAP3EscapeDN extends DataFlow::CallCfgNode, LDAPEscape::Range {
diff --git a/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll
index 4814097ff8e..da71f38457a 100644
--- a/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll
@@ -9,7 +9,6 @@ import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
 
 class LDAPInjectionSink extends DataFlow::Node {
-  // DataFlow::Node attrs;
   DataFlow::Node ldapNode;
   string ldapPart;
 
@@ -17,15 +16,13 @@ class LDAPInjectionSink extends DataFlow::Node {
     exists(LDAPQuery ldapQuery |
       this = ldapQuery and
       ldapNode = ldapQuery.getLDAPNode() and
-      ldapPart = ldapQuery.getLDAPPart() // and
-      // if exists(ldapQuery.getAttrs()) then attrs = ldapQuery.getAttrs()
+      ldapPart = ldapQuery.getLDAPPart()
     )
   }
 
   DataFlow::Node getLDAPNode() { result = ldapNode }
 
   string getLDAPPart() { result = ldapPart }
-  // DataFlow::Node getAttrs() { result = attrs }
 }
 
 /**

From 9b430310b4ecd9535191262249d889d0b9306025 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Wed, 31 Mar 2021 23:19:56 +0200
Subject: [PATCH 0129/1429] Improve Sanitizer calls

---
 .../semmle/python/frameworks/Stdlib.qll       | 44 +++++++------------
 1 file changed, 16 insertions(+), 28 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index f56a6603ec7..cfd02b8b5a5 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -46,27 +46,21 @@ private module LDAP {
       override string getLDAPPart() { result = ldapPart }
     }
 
-    private class LDAP2EscapeDN extends DataFlow::CallCfgNode, LDAPEscape::Range {
-      DataFlow::Node escapeNode;
-
-      LDAP2EscapeDN() {
-        this = API::moduleImport("ldap").getMember("dn").getMember("escape_dn_chars").getACall() and
-        escapeNode = this.getArg(0)
+    private class LDAP2EscapeDNCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
+      LDAP2EscapeDNCall() {
+        this = API::moduleImport("ldap").getMember("dn").getMember("escape_dn_chars").getACall()
       }
 
-      override DataFlow::Node getEscapeNode() { result = escapeNode }
+      override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
     }
 
-    private class LDAP2EscapeFilter extends DataFlow::CallCfgNode, LDAPEscape::Range {
-      DataFlow::Node escapeNode;
-
-      LDAP2EscapeFilter() {
+    private class LDAP2EscapeFilterCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
+      LDAP2EscapeFilterCall() {
         this =
-          API::moduleImport("ldap").getMember("filter").getMember("escape_filter_chars").getACall() and
-        escapeNode = this.getArg(0)
+          API::moduleImport("ldap").getMember("filter").getMember("escape_filter_chars").getACall()
       }
 
-      override DataFlow::Node getEscapeNode() { result = escapeNode }
+      override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
     }
   }
 
@@ -100,36 +94,30 @@ private module LDAP {
       override string getLDAPPart() { result = ldapPart }
     }
 
-    private class LDAP3EscapeDN extends DataFlow::CallCfgNode, LDAPEscape::Range {
-      DataFlow::Node escapeNode;
-
-      LDAP3EscapeDN() {
+    private class LDAP3EscapeDNCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
+      LDAP3EscapeDNCall() {
         this =
           API::moduleImport("ldap3")
               .getMember("utils")
               .getMember("dn")
               .getMember("escape_rdn")
-              .getACall() and
-        escapeNode = this.getArg(0)
+              .getACall()
       }
 
-      override DataFlow::Node getEscapeNode() { result = escapeNode }
+      override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
     }
 
-    private class LDAP3EscapeFilter extends DataFlow::CallCfgNode, LDAPEscape::Range {
-      DataFlow::Node escapeNode;
-
-      LDAP3EscapeFilter() {
+    private class LDAP3EscapeFilterCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
+      LDAP3EscapeFilterCall() {
         this =
           API::moduleImport("ldap3")
               .getMember("utils")
               .getMember("conv")
               .getMember("escape_filter_chars")
-              .getACall() and
-        escapeNode = this.getArg(0)
+              .getACall()
       }
 
-      override DataFlow::Node getEscapeNode() { result = escapeNode }
+      override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
     }
   }
 }

From 480ce39618efaa47d7a51b43a80a044aca7d6532 Mon Sep 17 00:00:00 2001
From: Luke Cartey <5377966+lcartey@users.noreply.github.com>
Date: Thu, 1 Apr 2021 11:23:31 +0100
Subject: [PATCH 0130/1429] C#: Exclude jump-to-def information for elements
 with too many locations

In databases which include multiple duplicated files, we can get an
explosion of definition locations that can cause this query to produce
too many results for the CodeQL toolchain. This commit restricts the
definitions.ql query to producing definition/uses for definitions with
fewer than 10 locations. This replicates the logic used in the C++
definitions.qll library which faces similar problems.
---
 csharp/ql/src/definitions.qll | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/csharp/ql/src/definitions.qll b/csharp/ql/src/definitions.qll
index 2004ad0d218..c1b456f4dbf 100644
--- a/csharp/ql/src/definitions.qll
+++ b/csharp/ql/src/definitions.qll
@@ -187,5 +187,11 @@ cached
 Declaration definitionOf(Use use, string kind) {
   result = use.getDefinition() and
   result.fromSource() and
-  kind = use.getUseType()
+  kind = use.getUseType() and
+  // Some entities have many locations. This can arise for files that
+  // are duplicated multiple times in the database at different
+  // locations. Rather than letting the result set explode, we just
+  // exclude results that are "too ambiguous" -- we could also arbitrarily
+  // pick one location later on.
+  strictcount(result.getLocation()) < 10
 }

From a3421e7ab2e81e155fe211ca78ad25c1171cd5eb Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Thu, 12 Nov 2020 12:43:37 +0000
Subject: [PATCH 0131/1429] JS: Add getALocalUse

---
 javascript/ql/src/semmle/javascript/dataflow/Sources.qll | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/dataflow/Sources.qll b/javascript/ql/src/semmle/javascript/dataflow/Sources.qll
index efbac19b95d..e6d76898d26 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/Sources.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Sources.qll
@@ -52,6 +52,11 @@ class SourceNode extends DataFlow::Node {
    */
   predicate flowsToExpr(Expr sink) { flowsTo(DataFlow::valueNode(sink)) }
 
+  /**
+   * Gets a node into which data may flow from this node in zero or more local steps.
+   */
+  DataFlow::Node getALocalUse() { flowsTo(result) }
+
   /**
    * Gets a reference (read or write) of property `propName` on this node.
    */

From 125d1465c8952c1cbddc0d005a6c9a34e37ec097 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 25 Jan 2021 13:10:07 +0000
Subject: [PATCH 0132/1429] JS: Add DataFlow::functionForwardingStep

---
 .../semmle/javascript/dataflow/DataFlow.qll   | 55 +++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
index 8835b14af05..8474598fef9 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -1683,4 +1683,59 @@ module DataFlow {
   import TypeTracking
 
   predicate localTaintStep = TaintTracking::localTaintStep/2;
+
+  /**
+   * Holds if the function in `succ` forwards all its arguments to a call to `pred` and returns
+   * its result. This can thus be seen as a step `pred -> succ` used for tracking function values
+   * through "wrapper functions", since the `succ` function partially replicates behavior of `pred`.
+   *
+   * Examples:
+   * ```js
+   * function f(x) {
+   *   return g(x); // step: g -> f
+   * }
+   *
+   * function doExec(x) {
+   *   console.log(x);
+   *   return exec(x); // step: exec -> doExec
+   * }
+   *
+   * function doEither(x, y) {
+   *   if (x > y) {
+   *     return foo(x, y); // step: foo -> doEither
+   *   } else {
+   *     return bar(x, y); // step: bar -> doEither
+   *   }
+   * }
+   *
+   * function wrapWithLogging(f) {
+   *   return (x) => {
+   *     console.log(x);
+   *     return f(x); // step: f -> anonymous function
+   *   }
+   * }
+   * wrapWithLogging(g); // step: g -> wrapWithLogging(g)
+   * ```
+   */
+  predicate functionForwardingStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::FunctionNode function, DataFlow::CallNode call |
+      call.flowsTo(function.getReturnNode()) and
+      forall(int i | exists([call.getArgument(i), function.getParameter(i)]) |
+        function.getParameter(i).flowsTo(call.getArgument(i))
+      ) and
+      pred = call.getCalleeNode() and
+      succ = function
+    )
+    or
+    // Given a generic wrapper function like,
+    //
+    //   function wrap(f) { return (x, y) => f(x, y) };
+    //
+    // add steps through calls to that function: `g -> wrap(g)`
+    exists(DataFlow::FunctionNode wrapperFunction, SourceNode param, Node paramUse |
+      FlowSteps::argumentPassing(succ, pred, wrapperFunction.getFunction(), param) and
+      param.flowsTo(paramUse) and
+      functionForwardingStep(paramUse, wrapperFunction.getReturnNode().getALocalSource())
+    )
+  }
 }

From c1651ad30c1f7dfcec201ee75ec49d8975bb791a Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 25 Jan 2021 13:16:15 +0000
Subject: [PATCH 0133/1429] JS: Factor out Unit type

---
 javascript/ql/src/semmle/javascript/Unit.qll           | 10 ++++++++++
 .../src/semmle/javascript/dataflow/Configuration.qll   |  2 +-
 .../src/semmle/javascript/dataflow/TaintTracking.qll   |  2 +-
 .../javascript/dataflow/internal/PreCallGraphStep.qll  |  7 +------
 .../src/semmle/javascript/dataflow/internal/Unit.qll   |  9 ---------
 5 files changed, 13 insertions(+), 17 deletions(-)
 create mode 100644 javascript/ql/src/semmle/javascript/Unit.qll
 delete mode 100644 javascript/ql/src/semmle/javascript/dataflow/internal/Unit.qll

diff --git a/javascript/ql/src/semmle/javascript/Unit.qll b/javascript/ql/src/semmle/javascript/Unit.qll
new file mode 100644
index 00000000000..dbc59f541e6
--- /dev/null
+++ b/javascript/ql/src/semmle/javascript/Unit.qll
@@ -0,0 +1,10 @@
+/** Provides the `Unit` class. */
+
+/** The unit type. */
+private newtype TUnit = TMkUnit()
+
+/** The trivial type with a single element. */
+class Unit extends TUnit {
+  /** Gets a textual representation of this element. */
+  string toString() { result = "Unit" }
+}
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
index 24f767540e1..b4842026e24 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -72,7 +72,7 @@ private import javascript
 private import internal.FlowSteps
 private import internal.AccessPaths
 private import internal.CallGraphs
-private import internal.Unit
+private import semmle.javascript.Unit
 private import semmle.javascript.internal.CachedStages
 
 /**
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
index 6c6734b84d6..251a691501e 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -15,7 +15,7 @@
 
 import javascript
 private import semmle.javascript.dataflow.internal.FlowSteps as FlowSteps
-private import semmle.javascript.dataflow.internal.Unit
+private import semmle.javascript.Unit
 private import semmle.javascript.dataflow.InferredTypes
 private import semmle.javascript.internal.CachedStages
 
diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/PreCallGraphStep.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/PreCallGraphStep.qll
index 7020353ca0b..18db549300a 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/internal/PreCallGraphStep.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/internal/PreCallGraphStep.qll
@@ -4,14 +4,9 @@
  */
 
 private import javascript
+private import semmle.javascript.Unit
 private import semmle.javascript.internal.CachedStages
 
-private newtype TUnit = MkUnit()
-
-private class Unit extends TUnit {
-  string toString() { result = "unit" }
-}
-
 /**
  * Internal extension point for adding flow edges prior to call graph construction
  * and type tracking.
diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/Unit.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/Unit.qll
deleted file mode 100644
index 21018c2f60c..00000000000
--- a/javascript/ql/src/semmle/javascript/dataflow/internal/Unit.qll
+++ /dev/null
@@ -1,9 +0,0 @@
-private newtype TUnit = MkUnit()
-
-/**
- * A class with only one instance.
- */
-class Unit extends TUnit {
-  /** Gets a textual representation of this element. */
-  final string toString() { result = "Unit" }
-}

From 314839fc097f0755ea8d5b1371f8b8fcd89ec65d Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 25 Jan 2021 13:16:32 +0000
Subject: [PATCH 0134/1429] JS: Add @reduxjs/toolkit to composed functions

---
 .../ql/src/semmle/javascript/frameworks/ComposedFunctions.qll   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/ComposedFunctions.qll b/javascript/ql/src/semmle/javascript/frameworks/ComposedFunctions.qll
index 9e4de6cd4dc..8da2286ad79 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/ComposedFunctions.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/ComposedFunctions.qll
@@ -88,7 +88,7 @@ module FunctionCompositionCall {
     RightToLeft() {
       this = DataFlow::moduleImport(["compose-function"]).getACall()
       or
-      this = DataFlow::moduleMember(["redux", "ramda"], "compose").getACall()
+      this = DataFlow::moduleMember(["redux", "ramda", "@reduxjs/toolkit"], "compose").getACall()
       or
       this = LodashUnderscore::member("flowRight").getACall()
     }

From 8fa3fb05612f6660e1464be31ff9396143917543 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 25 Jan 2021 13:00:27 +0000
Subject: [PATCH 0135/1429] JS: Redux model

---
 javascript/ql/src/javascript.qll              |    1 +
 .../semmle/javascript/frameworks/Redux.qll    | 1285 +++++++++++++++++
 .../frameworks/Redux/exportedReducer.js       |   13 +
 .../frameworks/Redux/react-redux.jsx          |   79 +
 .../frameworks/Redux/test.expected            |  154 ++
 .../library-tests/frameworks/Redux/test.ql    |   61 +
 .../library-tests/frameworks/Redux/trivial.js |  137 ++
 7 files changed, 1730 insertions(+)
 create mode 100644 javascript/ql/src/semmle/javascript/frameworks/Redux.qll
 create mode 100644 javascript/ql/test/library-tests/frameworks/Redux/exportedReducer.js
 create mode 100644 javascript/ql/test/library-tests/frameworks/Redux/react-redux.jsx
 create mode 100644 javascript/ql/test/library-tests/frameworks/Redux/test.expected
 create mode 100644 javascript/ql/test/library-tests/frameworks/Redux/test.ql
 create mode 100644 javascript/ql/test/library-tests/frameworks/Redux/trivial.js

diff --git a/javascript/ql/src/javascript.qll b/javascript/ql/src/javascript.qll
index 66dccd8cddd..b565a7cd21f 100644
--- a/javascript/ql/src/javascript.qll
+++ b/javascript/ql/src/javascript.qll
@@ -105,6 +105,7 @@ import semmle.javascript.frameworks.PropertyProjection
 import semmle.javascript.frameworks.Puppeteer
 import semmle.javascript.frameworks.React
 import semmle.javascript.frameworks.ReactNative
+import semmle.javascript.frameworks.Redux
 import semmle.javascript.frameworks.Request
 import semmle.javascript.frameworks.RxJS
 import semmle.javascript.frameworks.ServerLess
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Redux.qll b/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
new file mode 100644
index 00000000000..7f22c3638e2
--- /dev/null
+++ b/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
@@ -0,0 +1,1285 @@
+/**
+ * Provides classes and predicates for reasoning about data flow through the redux package.
+ */
+
+import javascript
+private import semmle.javascript.dataflow.internal.PreCallGraphStep
+private import semmle.javascript.Unit
+
+/**
+ * Provides classes and predicates for reasoning about data flow through the redux package.
+ */
+module Redux {
+  /**
+   * To avoid mixing up the state between independent Redux apps that live in a monorepo,
+   * we do a heuristic program slicing based on `package.json` files. For most projects this has no effect.
+   */
+  private module ProgramSlicing {
+    /** Gets the innermost `package.json` file in a directory containing the given file. */
+    private PackageJSON getPackageJson(Container f) {
+      f = result.getFile().getParentContainer()
+      or
+      not exists(f.getFile("package.json")) and
+      result = getPackageJson(f.getParentContainer())
+    }
+
+    private predicate packageDependsOn(PackageJSON importer, PackageJSON dependency) {
+      importer.getADependenciesObject("").getADependency(dependency.getPackageName(), _)
+    }
+
+    /** A package that can be considered an entry point for a Redux app. */
+    private PackageJSON entryPointPackage() {
+      result = getPackageJson(any(StoreCreation c).getFile())
+      or
+      // Any package that imports a store-creating package is considered a potential entry point.
+      packageDependsOn(result, entryPointPackage())
+    }
+
+    pragma[nomagic]
+    private predicate arePackagesInSameReduxApp(PackageJSON a, PackageJSON b) {
+      exists(PackageJSON entry |
+        entry = entryPointPackage() and
+        packageDependsOn*(entry, a) and
+        packageDependsOn*(entry, b)
+      )
+    }
+
+    /** Holds if the two files are considered to be part of the same Redux app. */
+    pragma[inline]
+    predicate areFilesInSameReduxApp(File a, File b) {
+      not exists(PackageJSON pkg)
+      or
+      arePackagesInSameReduxApp(getPackageJson(a), getPackageJson(b))
+    }
+  }
+
+  /**
+   * Creation of a redux store, usually via a call to `createStore`.
+   */
+  class StoreCreation extends DataFlow::SourceNode {
+    StoreCreation::Range range;
+
+    StoreCreation() { this = range }
+
+    /** Gets a reference to the store. */
+    DataFlow::SourceNode ref() {
+      // We happen to know that all store-creation sources have API nodes, so just reuse the API node type tracking
+      exists(API::Node apiNode |
+        apiNode.getAnImmediateUse() = this and
+        result = apiNode.getAUse()
+      )
+    }
+
+    /** Gets the data flow node holding the root reducer for this store. */
+    DataFlow::Node getReducerArg() { result = range.getReducerArg() }
+
+    /** Gets a data flow node referring to the root reducer. */
+    DataFlow::SourceNode getAReducerSource() { result = getReducerArg().(ReducerArg).getASource() }
+  }
+
+  /** Companion module to the `StoreCreation` class. */
+  module StoreCreation {
+    /**
+     * Creation of a redux store. Additional `StoreCreation` instances can be generated by subclassing this class.
+     */
+    abstract class Range extends DataFlow::SourceNode {
+      /** Gets the data flow node holding the root reducer for this store. */
+      abstract DataFlow::Node getReducerArg();
+    }
+
+    private class CreateStore extends DataFlow::CallNode, Range {
+      CreateStore() {
+        this = API::moduleImport(["redux", "@reduxjs/toolkit"]).getMember("createStore").getACall()
+      }
+
+      override DataFlow::Node getReducerArg() { result = getArgument(0) }
+    }
+
+    private class ToolkitStore extends API::CallNode, Range {
+      ToolkitStore() {
+        this = API::moduleImport("@reduxjs/toolkit").getMember("configureStore").getACall()
+      }
+
+      override DataFlow::Node getReducerArg() {
+        result = getParameter(0).getMember("reducer").getARhs()
+      }
+    }
+  }
+
+  /** An API node that is a source of the Redux root state. */
+  abstract private class RootStateSource extends API::Node { }
+
+  /** Gets an API node referring to the Redux root state. */
+  private API::Node rootState() {
+    result instanceof RootStateSource
+    or
+    stateStep(rootState().getAUse(), result.getAnImmediateUse())
+  }
+
+  /**
+   * Gets an API node referring to the given (non-empty) access path within the Redux state.
+   */
+  private API::Node rootStateAccessPath(string accessPath) {
+    result = rootState().getMember(accessPath)
+    or
+    exists(string base, string prop |
+      result = rootStateAccessPath(base).getMember(prop) and
+      accessPath = joinAccessPaths(base, prop)
+    )
+    or
+    stateStep(rootStateAccessPath(accessPath).getAUse(), result.getAnImmediateUse())
+  }
+
+  /**
+   * Combines two state access paths, while disallowing unbounded growth of access paths.
+   */
+  bindingset[base, prop]
+  private string joinAccessPaths(string base, string prop) {
+    result = base + "." + prop and
+    // Allow at most two occurrences of a given property name in the path
+    // (one in the base, plus the one we're appending now).
+    count(base.indexOf("." + prop + ".")) <= 1
+  }
+
+  /**
+   * Creation of a reducer function that delegates to one or more other reducer functions.
+   *
+   * Delegating reducers can delegate specific parts of the state object (`getStateHandlerArg`),
+   * actions of a specific type (`getActionHandlerArg`), or everything (`getAPlainHandlerArg`).
+   */
+  abstract class DelegatingReducer extends DataFlow::SourceNode {
+    /**
+     * Gets a data flow node holding a reducer to which handling of `state.prop` is delegated.
+     *
+     * For example, gets the `fn` in `combineReducers({foo: fn})` with `prop` bound to `foo`.
+     *
+     * The delegating reducer should behave as a function of this form:
+     * ```js
+     * function outer(state, action) {
+     *   return {
+     *     prop: inner(state.prop, action),
+     *     ...
+     *   }
+     * }
+     * ```
+     */
+    DataFlow::Node getStateHandlerArg(string prop) { none() }
+
+    /**
+     * Gets a data flow node holding a reducer to which actions of the given type are delegated.
+     *
+     * For example, gets the `fn` in `handleAction(a, fn)` with `actionType` bound to `a`.
+     *
+     * The `actionType` node may refer an action creator or a string value corresponding to `action.type`.
+     */
+    DataFlow::Node getActionHandlerArg(DataFlow::Node actionType) { none() }
+
+    /**
+     * Gets a data flow node holding a reducer to which every request is forwarded (for the
+     * purpose of this model).
+     *
+     * For example, gets the `fn` in `persistReducer(config, fn)`.
+     */
+    DataFlow::Node getAPlainHandlerArg() { none() }
+
+    /** Gets the use site of this reducer. */
+    final ReducerArg getUseSite() { result.getASource() = this }
+  }
+
+  private module DelegatingReducer {
+    private API::Node combineReducers() {
+      result =
+        API::moduleImport(["redux", "redux-immutable", "@reduxjs/toolkit"])
+            .getMember("combineReducers")
+    }
+
+    /**
+     * A call to `combineReducers`, which delegates properties of `state` to individual sub-reducers.
+     */
+    private class CombineReducers extends API::CallNode, DelegatingReducer {
+      CombineReducers() { this = combineReducers().getACall() }
+
+      override DataFlow::Node getStateHandlerArg(string prop) {
+        result = getParameter(0).getMember(prop).getARhs()
+      }
+    }
+
+    /**
+     * An object literal flowing into a nested property in a `combineReducers` object, such as the `{ bar }` object in:
+     * ```js
+     * combineReducers({ foo: { bar } })
+     * ```
+     *
+     * Although the object itself is clearly not a function, we use the object to model the corresponding reducer function created by `combineReducers`.
+     */
+    private class NestedCombineReducers extends DelegatingReducer, DataFlow::ObjectLiteralNode {
+      NestedCombineReducers() {
+        this = combineReducers().getParameter(0).getAMember+().getAValueReachingRhs()
+      }
+
+      override DataFlow::Node getStateHandlerArg(string prop) {
+        result = getAPropertyWrite(prop).getRhs()
+      }
+    }
+
+    /**
+     * A call to `handleActions`, creating a reducer function that dispatched based on the action type:
+     *
+     * ```js
+     * let reducer = handleActions({
+     *   actionType1: (state, action) => { ... },
+     *   actionType2: (state, action) => { ... },
+     * })
+     * ```
+     */
+    private class HandleActions extends API::CallNode, DelegatingReducer {
+      HandleActions() {
+        this =
+          API::moduleImport(["redux-actions", "redux-ts-utils"])
+              .getMember("handleActions")
+              .getACall()
+      }
+
+      override DataFlow::Node getActionHandlerArg(DataFlow::Node actionType) {
+        exists(DataFlow::PropWrite write |
+          result = getParameter(0).getAMember().getARhs() and
+          write.getRhs() = result and
+          actionType = write.getPropertyNameExpr().flow()
+        )
+      }
+    }
+
+    /**
+     * A call to `handleAction`, creating a reducer function that only handles a given action type:
+     *
+     * ```js
+     * let reducer = handleAction('actionType', (state, action) => { ... });
+     * ```
+     */
+    private class HandleAction extends API::CallNode, DelegatingReducer {
+      HandleAction() {
+        this =
+          API::moduleImport(["redux-actions", "redux-ts-utils"])
+              .getMember("handleAction")
+              .getACall()
+      }
+
+      override DataFlow::Node getActionHandlerArg(DataFlow::Node actionType) {
+        actionType = getArgument(0) and
+        result = getArgument(1)
+      }
+    }
+
+    /**
+     * A call to `persistReducer`, which we model as a plain wrapper around another reducer.
+     */
+    private class PersistReducer extends DataFlow::CallNode, DelegatingReducer {
+      PersistReducer() {
+        this = API::moduleImport("redux-persist").getMember("persistReducer").getACall()
+      }
+
+      override DataFlow::Node getAPlainHandlerArg() { result = getArgument(1) }
+    }
+
+    /**
+     * A call to `immer` or `immer.produce`, which we model as a plain wrapper around another reducer.
+     */
+    private class ImmerProduce extends DataFlow::CallNode, DelegatingReducer {
+      ImmerProduce() {
+        this = API::moduleImport("immer").getACall()
+        or
+        this = API::moduleImport("immer").getMember("produce").getACall()
+      }
+
+      override DataFlow::Node getAPlainHandlerArg() { result = getArgument(0) }
+    }
+
+    /**
+     * A call to `reduce-reducers`, modelled as a reducer that dispatches to an arbitrary subreducer.
+     *
+     * In reality, this function chains together all of the reducers, but in practice it is only used
+     * when the reducers handle a disjoint set of action types, which makes it behave as if it
+     * dispatched to just one of them.
+     *
+     * For example:
+     * ```js
+     * let reducer = reduceReducers([
+     *   handleAction('action1', (state, action) => { ... }),
+     *   handleAction('action2', (state, action) => { ... }),
+     * ]);
+     * ```
+     */
+    private class ReduceReducers extends DataFlow::CallNode, DelegatingReducer {
+      ReduceReducers() {
+        this = API::moduleImport("reduce-reducers").getACall() or
+        this =
+          API::moduleImport(["redux-actions", "redux-ts-utils"])
+              .getMember("reduceReducers")
+              .getACall()
+      }
+
+      override DataFlow::Node getAPlainHandlerArg() {
+        result = getAnArgument()
+        or
+        result = getArgument(0).getALocalSource().(DataFlow::ArrayCreationNode).getAnElement()
+      }
+    }
+
+    /**
+     * A call to `createReducer`, for example:
+     *
+     * ```js
+     * let reducer = createReducer(initialState, (builder) => {
+     *   builder
+     *     .addCase(actionType1, (state, action) => { ... })
+     *     .addCase(actionType2, (state, action) => { ... });
+     * });
+     * ```
+     */
+    private class CreateReducer extends API::CallNode, DelegatingReducer {
+      CreateReducer() {
+        this = API::moduleImport("@reduxjs/toolkit").getMember("createReducer").getACall()
+      }
+
+      private API::Node getABuilderRef() {
+        result = getParameter(1).getParameter(0)
+        or
+        result = getABuilderRef().getAMember().getReturn()
+      }
+
+      override DataFlow::Node getActionHandlerArg(DataFlow::Node actionType) {
+        exists(API::CallNode addCase |
+          addCase = getABuilderRef().getMember("addCase").getACall() and
+          actionType = addCase.getArgument(0) and
+          result = addCase.getArgument(1)
+        )
+      }
+    }
+
+    /**
+     * A reducer created by a call to `createSlice`. Note that `createSlice` creates both
+     * reducers and actions; this class models the reducers only.
+     *
+     * For example:
+     * ```js
+     * let slice = createSlice({
+     *   name: 'mySlice',
+     *   reducers: {
+     *     actionType1: (state, action) => { ... },
+     *     actionType2: (state, action) => { ... },
+     *   },
+     *   extraReducers: (builder) => {
+     *     builder.addCase('actionType3', (state, action) => { ... })
+     *   }
+     * });
+     * export default slice.reducer;
+     * ```
+     */
+    private class CreateSliceReducer extends DelegatingReducer {
+      API::CallNode call;
+
+      CreateSliceReducer() {
+        call = API::moduleImport("@reduxjs/toolkit").getMember("createSlice").getACall() and
+        this = call.getReturn().getMember("reducer").getAnImmediateUse()
+      }
+
+      private API::Node getABuilderRef() {
+        result = call.getParameter(0).getMember("extraReducers").getParameter(0)
+        or
+        result = getABuilderRef().getAMember().getReturn()
+      }
+
+      override DataFlow::Node getActionHandlerArg(DataFlow::Node actionType) {
+        exists(string name |
+          result = call.getParameter(0).getMember("reducers").getMember(name).getARhs() and
+          actionType = call.getReturn().getMember("actions").getMember(name).getAnImmediateUse()
+        )
+        or
+        // Properties of 'extraReducers':
+        //   { extraReducers: { [action]: reducer }}
+        exists(DataFlow::PropWrite write |
+          result = call.getParameter(0).getMember("extraReducers").getAMember().getARhs() and
+          write.getRhs() = result and
+          actionType = write.getPropertyNameExpr().flow()
+        )
+        or
+        // Builder callback to 'extraReducers':
+        //   extraReducers: builder => builder.addCase(action, reducer)
+        exists(API::CallNode addCase |
+          addCase = getABuilderRef().getMember("addCase").getACall() and
+          actionType = addCase.getArgument(0) and
+          result = addCase.getArgument(1)
+        )
+      }
+    }
+  }
+
+  /**
+   * A function for creating and dispatching action objects of shape `{type, payload}`.
+   *
+   * In the simplest case, an action creator is a function, which, for some string `T` behaves as the function `x => {type: T, payload: x}`.
+   *
+   * An action creator may have a middleware function `f`, which makes it behave as the function `x => {type: T, payload: f(x)}` (that is,
+   * the function `f` converts the argument into the actual payload).
+   *
+   * Some action creators dispatch the action to a store, while for others, the value is returned and it is simply assumed to be dispatched
+   * at some point. We model all action creators as if they dispatch the action they create.
+   */
+  class ActionCreator extends DataFlow::SourceNode {
+    ActionCreator::Range range;
+
+    ActionCreator() { this = range }
+
+    /** Gets the `type` property of actions created by this action creator, if it is known. */
+    string getTypeTag() { result = range.getTypeTag() }
+
+    /**
+     * Gets the middleware function that transforms arguments passed to this function into the
+     * action payload.
+     *
+     * Not every action creator has a middleware function; in such cases the first argument is
+     * treated as the action payload.
+     *
+     * If `async` is true, the middlware function returns a promise whose value eventually becomes
+     * the action payload. Otherwise, the return value is the payload itself.
+     */
+    DataFlow::FunctionNode getMiddlewareFunction(boolean async) {
+      result = range.getMiddlewareFunction(async)
+    }
+
+    /** Gets a data flow node referring to this action creator. */
+    private DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
+      t.start() and
+      result = this
+      or
+      // x -> bindActionCreators({ x, ... })
+      exists(BindActionCreatorsCall bind, string prop |
+        ref(t.continue()).flowsTo(bind.getParameter(0).getMember(prop).getARhs()) and
+        result = bind.getReturn().getMember(prop).getAnImmediateUse()
+      )
+      or
+      // x -> combineActions(x, ...)
+      exists(API::CallNode combiner |
+        combiner =
+          API::moduleImport(["redux-actions", "redux-ts-utils"])
+              .getMember("combineActions")
+              .getACall() and
+        ref(t.continue()).flowsTo(combiner.getAnArgument()) and
+        result = combiner
+      )
+      or
+      // x -> x.fulfilled, for async action creators
+      result = ref(t.continue()).getAPropertyRead("fulfilled")
+      or
+      // follow flow through mapDispatchToProps
+      ReactRedux::dispatchToPropsStep(ref(t.continue()).getALocalUse(), result)
+      or
+      exists(DataFlow::TypeTracker t2 | result = ref(t2).track(t2, t))
+    }
+
+    /** Gets a data flow node referring to this action creator. */
+    DataFlow::SourceNode ref() { result = ref(DataFlow::TypeTracker::end()) }
+
+    /**
+     * Holds if `successBlock` is executed when a check has determined that `action` originated from this action creator.
+     */
+    private ReachableBasicBlock getASuccessfulTypeCheckBlock(DataFlow::SourceNode action) {
+      action = getAnUntypedActionInReducer() and
+      result = getASuccessfulTypeCheckBlock(action, getTypeTag())
+      or
+      // and ProgramSlicing::areFilesInSameReduxApp(result.getFile(), this.getFile()) -- TODO delete?
+      // some action creators implement a .match method for this purpose
+      exists(ConditionGuardNode guard, DataFlow::CallNode call |
+        call = ref().getAMethodCall("match") and
+        guard.getTest() = call.asExpr() and
+        action.flowsTo(call.getArgument(0)) and
+        guard.getOutcome() = true and
+        result = guard.getBasicBlock()
+      )
+    }
+
+    /**
+     * Gets a reducer that handles the type of action created by this action creator, for example:
+     * ```js
+     * handleAction(TYPE, (state, action) => { ... action.payload ... })
+     * ```
+     *
+     * Does not include reducers that perform their own action type checking.
+     */
+    DataFlow::FunctionNode getAReducerFunction() {
+      exists(ReducerArg reducer |
+        reducer.isTypeTagHandler(getTypeTag())
+        or
+        reducer.isActionTypeHandler(ref().getALocalUse())
+      |
+        result = reducer.getASource()
+      )
+    }
+
+    /** Gets a data flow node referring a payload of this action (usually in the reducer function). */
+    DataFlow::SourceNode getAPayloadReference() {
+      // `if (action.type === TYPE) { ... action.payload ... }`
+      exists(DataFlow::SourceNode actionSrc |
+        actionSrc = getAnUntypedActionInReducer() and
+        result = actionSrc.getAPropertyRead("payload") and
+        getASuccessfulTypeCheckBlock(actionSrc).dominates(result.getBasicBlock())
+      )
+      or
+      result = getAReducerFunction().getParameter(1).getAPropertyRead("payload")
+    }
+
+    /** Gets a data flow node referring to the first argument of the action creator invocation. */
+    DataFlow::SourceNode getAMetaArgReference() {
+      exists(ReducerArg reducer |
+        reducer.isActionTypeHandler(ref().getAPropertyRead(["fulfilled", "rejected", "pending"])) and
+        result =
+          reducer
+              .getASource()
+              .(DataFlow::FunctionNode)
+              .getParameter(1)
+              .getAPropertyRead("meta")
+              .getAPropertyRead("arg")
+      )
+    }
+  }
+
+  /** Companion module to the `ActionCreator` class. */
+  module ActionCreator {
+    /** A function for creating and dispatching action objects of shape `{type, payload}`. */
+    abstract class Range extends DataFlow::SourceNode {
+      /** Gets the `type` property of actions created by this action creator */
+      abstract string getTypeTag();
+
+      /** Gets the function transforming arguments into the action payload. */
+      DataFlow::FunctionNode getMiddlewareFunction(boolean async) { none() }
+    }
+
+    /**
+     * An action creator made using `createAction`:
+     * ```js
+     * let action1 = createAction('action1');
+     * let action2 = createAction('action2', (x,y) => { x, y });
+     * ```
+     */
+    private class SingleAction extends Range, API::CallNode {
+      SingleAction() {
+        this =
+          API::moduleImport(["@reduxjs/toolkit", "redux-actions", "redux-ts-utils"])
+              .getMember("createAction")
+              .getACall()
+      }
+
+      override string getTypeTag() { getArgument(0).mayHaveStringValue(result) }
+
+      override DataFlow::FunctionNode getMiddlewareFunction(boolean async) {
+        result = getCallback(1) and async = false
+      }
+    }
+
+    /**
+     * One of the action creators made by a call to `createActions`:
+     * ```js
+     * let { actionOne, actionTwo } = createActions({
+     *   ACTION_ONE: (x, y) => { x, y },
+     *   ACTION_TWO: (x, y) => { x, y },
+     * })
+     * ```
+     */
+    class MultiAction extends Range {
+      API::CallNode createActions;
+      string name;
+
+      MultiAction() {
+        createActions = API::moduleImport("redux-actions").getMember("createActions").getACall() and
+        this = createActions.getReturn().getMember(name).getAnImmediateUse()
+      }
+
+      override DataFlow::FunctionNode getMiddlewareFunction(boolean async) {
+        result.flowsTo(createActions.getParameter(0).getMember(getTypeTag()).getARhs()) and
+        async = false
+      }
+
+      override string getTypeTag() {
+        result = name.regexpReplaceAll("([a-z])([A-Z])", "$1_$2").toUpperCase()
+      }
+    }
+
+    /**
+     * An action creator made by a call to `createSlice`. Note that `createSlice` creates both
+     * reducers and actions; this class models the action creators.
+     *
+     * ```js
+     * let slice = createSlice({
+     *   name: 'mySlice',
+     *   reducers: {
+     *     actionType1: (state, action) => { ... },
+     *     actionType2: (state, action) => { ... },
+     *   },
+     * });
+     * export const { actionType1, actionType2 } = slice.actions;
+     * ```
+     */
+    private class CreateSliceAction extends Range {
+      API::CallNode call;
+      string actionName;
+
+      CreateSliceAction() {
+        call = API::moduleImport("@reduxjs/toolkit").getMember("createSlice").getACall() and
+        this = call.getReturn().getMember("actions").getMember(actionName).getAnImmediateUse()
+      }
+
+      override string getTypeTag() {
+        exists(string prefix |
+          call.getParameter(0).getMember("name").getARhs().mayHaveStringValue(prefix) and
+          result = prefix + "/" + actionName
+        )
+      }
+    }
+
+    /**
+     * An action creator made by a call to `createAsyncThunk`:
+     * ```js
+     * const fetchUserId = createAsyncThunk('fetchUserId', async (id) => {
+     *   return (await fetchUserId(id)).data;
+     * });
+     * ```
+     */
+    private class CreateAsyncThunk extends Range, API::CallNode {
+      CreateAsyncThunk() {
+        this = API::moduleImport("@reduxjs/toolkit").getMember("createAsyncThunk").getACall()
+      }
+
+      override DataFlow::FunctionNode getMiddlewareFunction(boolean async) {
+        async = true and
+        result = getParameter(1).getAValueReachingRhs()
+      }
+
+      override string getTypeTag() { getArgument(0).mayHaveStringValue(result) }
+    }
+  }
+
+  /**
+   * Gets the type tag of an action creator reaching `node`.
+   */
+  private string getAnActionTypeTag(DataFlow::SourceNode node) {
+    exists(ActionCreator action |
+      node = action.ref() and
+      result = action.getTypeTag()
+    )
+  }
+
+  /** Gets the type tag of an action reaching `node`, or the string value of `node`. */
+  // Inlined to avoid duplicating `mayHaveStringValue`
+  pragma[inline]
+  private string getATypeTagFromNode(DataFlow::Node node) {
+    node.mayHaveStringValue(result)
+    or
+    node.asExpr().(Label).getName() = result
+    or
+    result = getAnActionTypeTag(node.getALocalSource())
+  }
+
+  /** A data flow node that is used as a reducer. */
+  class ReducerArg extends DataFlow::Node {
+    ReducerArg() {
+      this = any(StoreCreation c).getReducerArg()
+      or
+      this = any(DelegatingReducer r).getStateHandlerArg(_)
+      or
+      this = any(DelegatingReducer r).getActionHandlerArg(_)
+    }
+
+    /** Gets a data flow node that flows to this reducer argument. */
+    DataFlow::SourceNode getASource(DataFlow::TypeBackTracker t) {
+      t.start() and
+      result = getALocalSource()
+      or
+      // Step through forwarding functions
+      DataFlow::functionForwardingStep(result.getALocalUse(), getASource(t.continue()))
+      or
+      // Step through library functions like `redux-persist`
+      result.getALocalUse() = getASource(t.continue()).(DelegatingReducer).getAPlainHandlerArg()
+      or
+      // Step through function composition (usually composed with various state "enhancer" functions)
+      exists(FunctionCompositionCall compose, DataFlow::CallNode call |
+        getASource(t.continue()) = call and
+        call = compose.getACall() and
+        result.getALocalUse() = [compose.getAnOperandNode(), call.getAnArgument()]
+      )
+      or
+      exists(DataFlow::TypeBackTracker t2 | result = getASource(t2).backtrack(t2, t))
+    }
+
+    /** Gets a data flow node that flows to this reducer argument. */
+    DataFlow::SourceNode getASource() { result = getASource(DataFlow::TypeBackTracker::end()) }
+
+    /**
+     * Holds if the actions dispatched to this reducer have the given type, that is,
+     * it is created by an action creator that flows to `actionType`, or has `action.type` set to
+     * the string value of `actionType`.
+     */
+    predicate isActionTypeHandler(DataFlow::Node actionType) {
+      exists(DelegatingReducer r |
+        this = r.getActionHandlerArg(actionType)
+        or
+        this = r.getStateHandlerArg(_) and
+        r.getUseSite().isActionTypeHandler(actionType)
+      )
+    }
+
+    /**
+     * Holds if the actions dispatched to this reducer have the given `action.type` value.
+     */
+    predicate isTypeTagHandler(string actionType) {
+      exists(DataFlow::Node node |
+        isActionTypeHandler(node) and
+        actionType = getATypeTagFromNode(node)
+      )
+    }
+
+    /**
+     * Holds if this reducer operates on the root state, as opposed to some access path within the state.
+     */
+    predicate isRootStateHandler() {
+      this = any(StoreCreation c).getReducerArg()
+      or
+      exists(DelegatingReducer r |
+        this = r.getActionHandlerArg(_) and
+        r.getUseSite().isRootStateHandler()
+      )
+    }
+  }
+
+  /**
+   * A source of the `dispatch` function, used as starting point for `getADispatchFunctionReference`.
+   */
+  abstract private class DispatchFunctionSource extends DataFlow::SourceNode { }
+
+  /**
+   * A value that is dispatched, that is, flows to the first argument of `dispatch`
+   * (but where the call to `dispatch` is not necessarily explicit in the code).
+   *
+   * Used as starting point for `getADispatchedValueSource`.
+   */
+  abstract private class DispatchedValueSink extends DataFlow::Node { }
+
+  private class StoreDispatchSource extends DispatchFunctionSource {
+    StoreDispatchSource() { this = any(StoreCreation c).ref().getAPropertyRead("dispatch") }
+  }
+
+  /** Gets a data flow node referring to the `dispatch` function. */
+  private DataFlow::SourceNode getADispatchFunctionReference(DataFlow::TypeTracker t) {
+    t.start() and
+    result instanceof DispatchFunctionSource
+    or
+    // When using the redux-thunk middleware, dispatching a function value results in that
+    // function being invoked with (dispatch, getState).
+    // We simply assume redux-thunk middleware is always installed.
+    t.start() and
+    result = getADispatchedValueSource().(DataFlow::FunctionNode).getParameter(0)
+    or
+    exists(DataFlow::TypeTracker t2 | result = getADispatchFunctionReference(t2).track(t2, t))
+  }
+
+  /** Gets a data flow node referring to the `dispatch` function. */
+  DataFlow::SourceNode getADispatchFunctionReference() {
+    result = getADispatchFunctionReference(DataFlow::TypeTracker::end())
+  }
+
+  /** Gets a data flow node that is dispatched as an action. */
+  private DataFlow::SourceNode getADispatchedValueSource(DataFlow::TypeBackTracker t) {
+    t.start() and
+    result = any(DispatchedValueSink d).getALocalSource()
+    or
+    t.start() and
+    result = getADispatchFunctionReference().getACall().getArgument(0).getALocalSource()
+    or
+    exists(DataFlow::TypeBackTracker t2 | result = getADispatchedValueSource(t2).backtrack(t2, t))
+  }
+
+  /**
+   * Gets a data flow node that is dispatched as an action, that is, it flows to the first argument of `dispatch`.
+   */
+  DataFlow::SourceNode getADispatchedValueSource() {
+    result = getADispatchedValueSource(DataFlow::TypeBackTracker::end())
+  }
+
+  /** Gets the `action` parameter of a reducer that isn't behind an implied type guard. */
+  DataFlow::SourceNode getAnUntypedActionInReducer() {
+    exists(ReducerArg reducer |
+      not reducer.isTypeTagHandler(_) and
+      result = reducer.getASource().(DataFlow::FunctionNode).getParameter(1)
+    )
+  }
+
+  /** A call to `bindActionCreators` */
+  private class BindActionCreatorsCall extends API::CallNode {
+    BindActionCreatorsCall() {
+      this =
+        API::moduleImport(["redux", "@reduxjs/toolkit"]).getMember("bindActionCreators").getACall()
+    }
+  }
+
+  /** The return value of a function flowing into `bindActionCreators`, seen as a value that is dispatched. */
+  private class BindActionDispatchSink extends DispatchedValueSink {
+    BindActionDispatchSink() {
+      this = any(BindActionCreatorsCall c).getParameter(0).getAMember().getReturn().getARhs()
+    }
+  }
+
+  /**
+   * Holds if `pred -> succ` is step from an action creation to its use in a reducer function.
+   */
+  predicate actionToReducerStep(DataFlow::Node pred, DataFlow::SourceNode succ) {
+    // Actions created by an action creator library
+    exists(ActionCreator action |
+      exists(DataFlow::CallNode call | call = action.ref().getACall() |
+        exists(int i |
+          pred = call.getArgument(i) and
+          succ = action.getMiddlewareFunction(_).getParameter(i)
+        )
+        or
+        not exists(action.getMiddlewareFunction(_)) and
+        pred = call.getArgument(0) and
+        succ = action.getAPayloadReference()
+        or
+        pred = call.getArgument(0) and
+        succ = action.getAMetaArgReference()
+      )
+      or
+      pred = action.getMiddlewareFunction(false).getReturnNode() and
+      succ = action.getAPayloadReference()
+    )
+    or
+    // Manually created and dispatched actions
+    exists(string actionType, string prop, DataFlow::SourceNode actionSrc |
+      actionSrc = getAnUntypedActionInReducer() and
+      pred = getAManuallyDispatchedValue(actionType).getAPropertyWrite(prop).getRhs() and
+      succ = actionSrc.getAPropertyRead(prop)
+    |
+      getASuccessfulTypeCheckBlock(actionSrc, actionType).dominates(succ.getBasicBlock())
+      or
+      exists(ReducerArg reducer |
+        reducer.isTypeTagHandler(actionType) and
+        actionSrc = reducer.getASource().(DataFlow::FunctionNode).getParameter(1)
+      )
+    )
+  }
+
+  /** Holds if `pred -> succ` is a step from the promise of an action payload to its use in a reducer function. */
+  predicate actionToReducerPromiseStep(DataFlow::Node pred, DataFlow::SourceNode succ) {
+    exists(ActionCreator action |
+      pred = action.getMiddlewareFunction(true).getReturnNode() and
+      succ = action.getAPayloadReference()
+    )
+  }
+
+  private class ActionToReducerStep extends DataFlow::AdditionalFlowStep {
+    ActionToReducerStep() {
+      actionToReducerStep(_, this)
+      or
+      actionToReducerPromiseStep(_, this)
+    }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      actionToReducerStep(pred, succ) and succ = this
+    }
+
+    override predicate loadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+      actionToReducerPromiseStep(pred, succ) and succ = this and prop = Promises::valueProp()
+    }
+  }
+
+  /** Gets the access path which `reducer` operates on. */
+  string getAffectedStateAccessPath(ReducerArg reducer) {
+    exists(DelegatingReducer r |
+      exists(string prop | reducer = r.getStateHandlerArg(prop) |
+        result = joinAccessPaths(getAffectedStateAccessPath(r.getUseSite()), prop)
+        or
+        r.getUseSite().isRootStateHandler() and
+        result = prop
+      )
+      or
+      reducer = r.getActionHandlerArg(_) and
+      result = getAffectedStateAccessPath(r.getUseSite())
+    )
+  }
+
+  /**
+   * Holds if `pred -> succ` should be a step from a reducer to a state access affected by the reducer.
+   */
+  predicate reducerToStateStep(DataFlow::Node pred, DataFlow::Node succ) {
+    reducerToStateStepAux(pred, succ) and
+    ProgramSlicing::areFilesInSameReduxApp(pred.getFile(), succ.getFile())
+  }
+
+  /**
+   * Holds if `pred -> succ` should be a step from a reducer to a state access affected by the reducer.
+   *
+   * This is a helper predicate for `reducerToStateStep` without the program-slicing check.
+   */
+  pragma[nomagic]
+  private predicate reducerToStateStepAux(DataFlow::Node pred, DataFlow::SourceNode succ) {
+    exists(ReducerArg reducer, DataFlow::FunctionNode function, string accessPath |
+      function = reducer.getASource() and
+      accessPath = getAffectedStateAccessPath(reducer)
+    |
+      pred = function.getReturnNode() and
+      succ = rootStateAccessPath(accessPath).getAnImmediateUse()
+      or
+      exists(string suffix, DataFlow::SourceNode base |
+        base = [function.getParameter(0), function.getReturnNode().getALocalSource()] and
+        pred = AccessPath::getAnAssignmentTo(base, suffix) and
+        succ = rootStateAccessPath(accessPath + "." + suffix).getAnImmediateUse()
+      )
+    )
+    or
+    exists(
+      ReducerArg reducer, DataFlow::FunctionNode function, string suffix, DataFlow::SourceNode base
+    |
+      function = reducer.getASource() and
+      reducer.isRootStateHandler() and
+      base = [function.getParameter(0), function.getReturnNode().getALocalSource()] and
+      pred = AccessPath::getAnAssignmentTo(base, suffix) and
+      succ = rootStateAccessPath(suffix).getAnImmediateUse()
+    )
+  }
+
+  private class ReducerToStateStep extends DataFlow::AdditionalFlowStep {
+    ReducerToStateStep() { reducerToStateStep(_, this) }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      reducerToStateStep(pred, succ) and succ = this
+    }
+  }
+
+  /**
+   * Gets a dispatched object literal with a property `type: actionType`.
+   */
+  private DataFlow::ObjectLiteralNode getAManuallyDispatchedValue(string actionType) {
+    result.getAPropertyWrite("type").getRhs().mayHaveStringValue(actionType) and
+    result = getADispatchedValueSource()
+  }
+
+  /**
+   * Gets the block to be executed after a check has determined that `action.type` is `actionType`,
+   * or the entry block of a closure dominated by such a check.
+   */
+  private ReachableBasicBlock getASuccessfulTypeCheckBlock(
+    DataFlow::SourceNode action, string actionType
+  ) {
+    action = getAnUntypedActionInReducer() and
+    (
+      exists(MembershipCandidate candidate, ConditionGuardNode guard |
+        action.getAPropertyRead("type").flowsTo(candidate) and
+        candidate.getAMemberString() = actionType and
+        guard.getTest() = candidate.getTest().asExpr() and
+        guard.getOutcome() = candidate.getTestPolarity() and
+        result = guard.getBasicBlock()
+      )
+      or
+      exists(SwitchStmt switch, SwitchCase case |
+        action.getAPropertyRead("type").flowsTo(switch.getExpr().flow()) and
+        case = switch.getACase() and
+        case.getExpr().mayHaveStringValue(actionType) and
+        result = getCaseBlock(case)
+      )
+    )
+    or
+    exists(Function f |
+      getASuccessfulTypeCheckBlock(action, actionType)
+          .dominates(f.(ControlFlowNode).getBasicBlock()) and
+      result = f.getEntryBB()
+    )
+  }
+
+  /** Gets the block to execute when `case` matches sucessfully. */
+  private BasicBlock getCaseBlock(SwitchCase case) {
+    result = case.getBodyStmt(0).getBasicBlock()
+    or
+    not exists(case.getABodyStmt()) and
+    exists(SwitchStmt stmt, int i |
+      stmt.getCase(i) = case and
+      result = getCaseBlock(stmt.getCase(i + 1))
+    )
+  }
+
+  /**
+   * Defines a flow step to be used for propagating tracking access to `state`.
+   *
+   * An `AdditionalFlowStep` is generated for these steps as well.
+   * It is distinct from `AdditionalFlowStep` to avoid recursion between that and the propagation of `state`.
+   */
+  private class StateStep extends Unit {
+    abstract predicate step(DataFlow::Node pred, DataFlow::Node succ);
+  }
+
+  private predicate stateStep(DataFlow::Node pred, DataFlow::Node succ) {
+    any(StateStep s).step(pred, succ)
+  }
+
+  private class StateStepAsFlowStep extends DataFlow::AdditionalFlowStep {
+    StateStepAsFlowStep() { stateStep(_, this) }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      stateStep(pred, succ) and succ = this
+    }
+  }
+
+  /**
+   * Model of the `react-redux` package.
+   */
+  private module ReactRedux {
+    /** Gets an API node referring to the `useSelector` function. */
+    API::Node useSelector() { result = API::moduleImport("react-redux").getMember("useSelector") }
+
+    /**
+     * Step out of a `useSelector` call, such as from `state.x` to the result of `useSelector(state => state.x)`.
+     */
+    class UseSelectorStep extends StateStep {
+      override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+        exists(API::CallNode call |
+          call = useSelector().getACall() and
+          pred = call.getParameter(0).getReturn().getARhs() and
+          succ = call
+        )
+      }
+    }
+
+    /** The argument to a `useSelector` callback, seen as a root state reference. */
+    class UseSelectorStateSource extends RootStateSource {
+      UseSelectorStateSource() { this = useSelector().getParameter(0).getParameter(0) }
+    }
+
+    /** A call to `useDispatch`, as a source of the `dispatch` function. */
+    private class UseDispatchFunctionSource extends DispatchFunctionSource {
+      UseDispatchFunctionSource() {
+        this =
+          API::moduleImport("react-redux").getMember("useDispatch").getReturn().getAnImmediateUse()
+      }
+    }
+
+    /**
+     * A call to `connect()`, typically as part of a code pattern like the following:
+     * ```js
+     * let withConnect = connect(mapStateToProps, mapDispatchToProps);
+     * let MyAwesomeComponent = compose(withConnect, otherStuff)(MyComponent);
+     * ```
+     */
+    abstract private class ConnectCall extends API::CallNode {
+      /** Gets the API node corresponding to the `mapStateToProps` argument. */
+      abstract API::Node getMapStateToProps();
+
+      /** Gets the API node corresponding to the `mapDispatchToProps` argument. */
+      abstract API::Node getMapDispatchToProps();
+
+      /**
+       * Gets a function whose first argument becomes the React component to connect.
+       */
+      DataFlow::SourceNode getAComponentTransformer() {
+        result = this
+        or
+        exists(FunctionCompositionCall compose |
+          getAComponentTransformer().flowsTo(compose.getAnOperandNode()) and
+          result = compose
+        )
+      }
+
+      /**
+       * Gets a data-flow node that should flow to `props.name` via the `mapDispatchToProps` function.
+       */
+      DataFlow::Node getDispatchPropNode(string name) {
+        // Implicitly bound by bindActionCreators:
+        //
+        //   const mapDispatchToProps = { foo }
+        //
+        result = getMapDispatchToProps().getMember(name).getARhs()
+        or
+        //
+        //   const mapDispatchToProps = dispatch => ( { foo } )
+        //
+        result = getMapDispatchToProps().getReturn().getMember(name).getARhs()
+        or
+        // Explicitly bound by bindActionCreators:
+        //
+        //   const mapDispatchToProps = dispatch => bindActionCreators({ foo }, dispatch);
+        //
+        exists(BindActionCreatorsCall bind |
+          bind.flowsTo(getMapDispatchToProps().getReturn().getARhs()) and
+          result = bind.getOptionArgument(0, name)
+        )
+      }
+
+      /**
+       * Gets the React component decorated by this call, if one can be determined.
+       */
+      ReactComponent getReactComponent() {
+        exists(DataFlow::SourceNode component | component = result.getAComponentCreatorReference() |
+          component.flowsTo(getAComponentTransformer().getACall().getArgument(0))
+          or
+          component.(DataFlow::ClassNode).getADecorator() = getAComponentTransformer()
+        )
+      }
+    }
+
+    /** A call to `connect`. */
+    private class RealConnectFunction extends ConnectCall {
+      RealConnectFunction() {
+        this = API::moduleImport("react-redux").getMember("connect").getACall()
+      }
+
+      override API::Node getMapStateToProps() { result = getParameter(0) }
+
+      override API::Node getMapDispatchToProps() { result = getParameter(1) }
+    }
+
+    /**
+     * An entry point in the API graphs corresponding to functions named `mapDispatchToProps`,
+     * used to catch cases where the call to `connect` was not found (usually because of it being
+     * wrapped in another function, which API graphs won't look through).
+     */
+    private class HeuristicConnectEntryPoint extends API::EntryPoint {
+      HeuristicConnectEntryPoint() { this = "react-redux-connect" }
+
+      override DataFlow::Node getARhs() { none() }
+
+      override DataFlow::SourceNode getAUse() {
+        exists(DataFlow::CallNode call |
+          call.getAnArgument().asExpr().(Identifier).getName() =
+            ["mapStateToProps", "mapDispatchToProps"] and
+          // exclude genuine calls to avoid duplication
+          not call = DataFlow::moduleMember("react-redux", "connect").getACall() and
+          result = call.getCalleeNode().getALocalSource()
+        )
+      }
+    }
+
+    /** A heuristic call to `connect`, recognized by it taking arguments named `mapStateToProps` and `mapDispatchToProps`. */
+    private class HeuristicConnectFunction extends ConnectCall {
+      HeuristicConnectFunction() {
+        this = API::root().getASuccessor(any(HeuristicConnectEntryPoint e)).getACall()
+      }
+
+      override API::Node getMapStateToProps() {
+        result = getAParameter() and
+        result.getARhs().asExpr().(Identifier).getName() = "mapStateToProps"
+      }
+
+      override API::Node getMapDispatchToProps() {
+        result = getAParameter() and
+        result.getARhs().asExpr().(Identifier).getName() = "mapDispatchToProps"
+      }
+    }
+
+    /**
+     * A step from the return value of `mapStateToProps` to a `props` access.
+     */
+    private class StateToPropsStep extends StateStep {
+      override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+        exists(ConnectCall call |
+          pred = call.getMapStateToProps().getReturn().getARhs() and
+          succ = call.getReactComponent().getADirectPropsAccess()
+        )
+      }
+    }
+
+    /**
+     * Holds if `pred -> succ` is a step from `mapDispatchToProps` to a `props` property access.
+     */
+    predicate dispatchToPropsStep(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(ConnectCall call, string member |
+        pred = call.getDispatchPropNode(member) and
+        succ = call.getReactComponent().getAPropRead(member)
+      )
+    }
+
+    /** The first argument to `mapDispatchToProps` as a source of the `dispatch` function */
+    private class MapDispatchToPropsArg extends DispatchFunctionSource {
+      MapDispatchToPropsArg() {
+        this = any(ConnectCall c).getMapDispatchToProps().getParameter(0).getAnImmediateUse()
+      }
+    }
+
+    /** If `mapDispatchToProps` is an object, each method's return value is dispatched. */
+    private class MapDispatchToPropsMember extends DispatchedValueSink {
+      MapDispatchToPropsMember() {
+        this = any(ConnectCall c).getMapDispatchToProps().getAMember().getReturn().getARhs()
+      }
+    }
+
+    /** The first argument to `mapStateToProps` as an access to the root state. */
+    private class MapStateToPropsStateSource extends RootStateSource {
+      MapStateToPropsStateSource() {
+        this = any(ConnectCall c).getMapStateToProps().getParameter(0)
+      }
+    }
+  }
+
+  private module Reselect {
+    /**
+     * A call to `createSelector`.
+     *
+     * Such calls have two forms. The single-argument version is simply a memoized function wrapper:
+     *
+     * ```js
+     *   createSelector(state => state.foo)
+     * ```
+     *
+     * If multiple arguments are used, each callback independently maps over the state, and last
+     * callback collects all the intermediate results into the final result:
+     *
+     * ```js
+     *   creatorSelector(
+     *     state => state.foo,
+     *     state => state.bar,
+     *     ([foo, bar]) => {...}
+     *   )
+     * ```
+     *
+     * Although selectors can work on any data, not just the Redux state, they are in practice only used
+     * with the state.
+     */
+    class CreateSelectorCall extends API::CallNode {
+      CreateSelectorCall() {
+        this =
+          API::moduleImport(["reselect", "@reduxjs/toolkit"]).getMember("createSelector").getACall()
+      }
+
+      /** Gets the `i`th selector callback, that is, a callback other than the result function. */
+      API::Node getSelectorFunction(int i) {
+        // When there are multiple callbacks, exclude the last one
+        result = getParameter(i) and
+        (i = 0 or i < getNumArgument() - 1)
+        or
+        // Selector functions may be given as an array
+        exists(DataFlow::ArrayCreationNode array |
+          array.flowsTo(getArgument(0)) and
+          result.getAUse() = array.getElement(i)
+        )
+      }
+    }
+
+    /** The state argument to a selector */
+    private class SelectorStateArg extends RootStateSource {
+      SelectorStateArg() { this = any(CreateSelectorCall c).getSelectorFunction(_).getParameter(0) }
+    }
+
+    /** A flow step between the callbacks of `createSelector` or out of its final selector. */
+    private class CreateSelectorStep extends StateStep {
+      override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+        // Return value of `i`th callback flows to the `i`th parameter of the last callback.
+        exists(CreateSelectorCall call, int index |
+          call.getNumArgument() > 1 and
+          pred = call.getSelectorFunction(index).getReturn().getARhs() and
+          succ = call.getLastParameter().getParameter(index).getAnImmediateUse()
+        )
+        or
+        // The result of the last callback is the final result
+        exists(CreateSelectorCall call |
+          pred = call.getLastParameter().getReturn().getARhs() and
+          succ = call
+        )
+      }
+    }
+  }
+}
diff --git a/javascript/ql/test/library-tests/frameworks/Redux/exportedReducer.js b/javascript/ql/test/library-tests/frameworks/Redux/exportedReducer.js
new file mode 100644
index 00000000000..4331d0f2157
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Redux/exportedReducer.js
@@ -0,0 +1,13 @@
+import { combineReducers } from 'redux';
+
+export default (state, action) => {
+    return state;
+};
+
+export function notAReducer(notState, notAction) {
+    console.log(notState, notAction);
+}
+
+export const nestedReducer = combineReducers({
+    inner: (state, action) => state
+});
diff --git a/javascript/ql/test/library-tests/frameworks/Redux/react-redux.jsx b/javascript/ql/test/library-tests/frameworks/Redux/react-redux.jsx
new file mode 100644
index 00000000000..abb9729d4bf
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Redux/react-redux.jsx
@@ -0,0 +1,79 @@
+import * as React from 'react';
+import { connect, useDispatch } from 'react-redux';
+import * as rt from '@reduxjs/toolkit';
+
+const toolkitAction = rt.createAction('toolkitAction', (x) => {
+    return {
+        toolkitValue: x
+    }
+});
+const toolkitReducer = rt.createReducer({}, builder => {
+    builder
+        .addCase(toolkitAction, (state, action) => {
+            return {
+                value: action.payload.toolkitValue,
+                ...state
+            };
+        })
+        .addCase(asyncAction.fulfilled, (state, action) => {
+            return {
+                asyncValue: action.payload.x,
+                ...state
+            };
+        });
+});
+
+function manualAction(x) {
+    return {
+        type: 'manualAction',
+        payload: x
+    }
+}
+function manualReducer(state, action) {
+    switch (action.type) {
+        case 'manualAction': {
+            return { ...state, manualValue: action.payload };
+        }
+    }
+    return state;
+}
+const asyncAction = rt.createAsyncThunk('asyncAction', (x) => {
+    return new Promise((resolve) => {
+        setTimeout(() => {
+            resolve({ x });
+        }, 10)
+    });
+});
+
+const store = rt.createStore(rt.combineReducers({
+    toolkit: toolkitReducer,
+    manual: manualReducer,
+}));
+
+function MyComponent(props) {
+    let dispatch = useDispatch();
+    const clickHandler = React.useCallback(() => {
+        props.toolkitAction(source());
+        props.manualAction(source()); // not currently propagated as functions are not type-tracked
+        dispatch(manualAction(source()));
+        dispatch(asyncAction(source()));
+    });
+
+    sink(props.propFromToolkitAction); // NOT OK
+    sink(props.propFromManualAction); // NOT OK
+    sink(props.propFromAsync); // NOT OK
+
+    return <button onClick={{clickHandler}}/>
+}
+
+function mapStateToProps(state) {
+    return {
+        propFromToolkitAction: state.toolkit.value,
+        propFromAsync: state.toolkit.asyncValue,
+        propFromManualAction: state.manual.manualValue
+    }
+}
+
+const mapDispatchToProps = { toolkitAction, manualAction };
+
+const ConnectedComponent = connect(mapStateToProps, mapDispatchToProps)(MyComponent);
diff --git a/javascript/ql/test/library-tests/frameworks/Redux/test.expected b/javascript/ql/test/library-tests/frameworks/Redux/test.expected
new file mode 100644
index 00000000000..db52e1b21b0
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Redux/test.expected
@@ -0,0 +1,154 @@
+reducerArg
+| exportedReducer.js:12:12:12:35 | (state, ... > state |
+| react-redux.jsx:12:33:17:9 | (state, ...       } |
+| react-redux.jsx:18:41:23:9 | (state, ...       } |
+| react-redux.jsx:48:30:51:2 | rt.comb ... cer,\\n}) |
+| react-redux.jsx:49:14:49:27 | toolkitReducer |
+| react-redux.jsx:50:13:50:25 | manualReducer |
+| trivial.js:10:10:10:33 | (state, ... > state |
+| trivial.js:11:10:13:5 | {\\n      ... ,\\n    } |
+| trivial.js:12:14:12:37 | (state, ... > state |
+| trivial.js:16:10:16:33 | (state, ... > state |
+| trivial.js:17:10:19:5 | {\\n      ... ,\\n    } |
+| trivial.js:18:14:18:37 | (state, ... > state |
+| trivial.js:22:10:22:33 | (state, ... > state |
+| trivial.js:23:10:25:5 | {\\n      ... ,\\n    } |
+| trivial.js:24:14:24:37 | (state, ... > state |
+| trivial.js:29:16:29:39 | (state, ... > state |
+| trivial.js:32:73:32:96 | (state, ... > state |
+| trivial.js:46:33:46:56 | (state, ... > state |
+| trivial.js:47:33:47:56 | (state, ... > state |
+| trivial.js:130:14:130:46 | wrapper ...  state) |
+| trivial.js:133:45:133:66 | combine ... Reducer |
+| trivial.js:134:56:134:79 | (state, ... > state |
+| trivial.js:136:14:136:37 | (state, ... > state |
+isActionTypeHandler
+| react-redux.jsx:12:18:12:30 | toolkitAction | react-redux.jsx:12:33:17:9 | (state, ...       } |
+| react-redux.jsx:18:18:18:38 | asyncAc ... lfilled | react-redux.jsx:18:41:23:9 | (state, ...       } |
+| trivial.js:29:5:29:13 | fooAction | trivial.js:29:16:29:39 | (state, ... > state |
+| trivial.js:32:60:32:70 | 'fooAction' | trivial.js:32:73:32:96 | (state, ... > state |
+| trivial.js:46:18:46:30 | toolkitAction | trivial.js:46:33:46:56 | (state, ... > state |
+| trivial.js:47:18:47:30 | toolkitAction | trivial.js:47:33:47:56 | (state, ... > state |
+isTypeTagHandler
+| asyncAction | react-redux.jsx:18:41:23:9 | (state, ...       } |
+| counter/increment | trivial.js:46:33:46:56 | (state, ... > state |
+| counter/increment | trivial.js:47:33:47:56 | (state, ... > state |
+| fooAction | trivial.js:29:16:29:39 | (state, ... > state |
+| fooAction | trivial.js:32:73:32:96 | (state, ... > state |
+| toolkitAction | react-redux.jsx:12:33:17:9 | (state, ...       } |
+isRootStateHandler
+| react-redux.jsx:48:30:51:2 | rt.comb ... cer,\\n}) |
+| trivial.js:133:45:133:66 | combine ... Reducer |
+| trivial.js:134:56:134:79 | (state, ... > state |
+| trivial.js:136:14:136:37 | (state, ... > state |
+delegatingReducer
+| exportedReducer.js:11:30:13:2 | combine ... tate\\n}) |
+| react-redux.jsx:10:24:24:2 | rt.crea ...  });\\n}) |
+| react-redux.jsx:48:30:51:2 | rt.comb ... cer,\\n}) |
+| trivial.js:9:22:14:2 | require ...    }\\n}) |
+| trivial.js:11:10:13:5 | {\\n      ... ,\\n    } |
+| trivial.js:15:26:20:2 | require ...    }\\n}) |
+| trivial.js:17:10:19:5 | {\\n      ... ,\\n    } |
+| trivial.js:21:24:26:2 | require ...    }\\n}) |
+| trivial.js:23:10:25:5 | {\\n      ... ,\\n    } |
+| trivial.js:28:23:30:2 | require ... ate,\\n}) |
+| trivial.js:32:22:32:97 | require ...  state) |
+| trivial.js:34:24:34:88 | require ...  state) |
+| trivial.js:36:15:36:56 | require ...  state) |
+| trivial.js:37:22:37:71 | require ...  state) |
+| trivial.js:39:25:39:76 | require ...  state) |
+| trivial.js:40:25:40:96 | require ... cers1]) |
+| trivial.js:41:25:41:89 | require ...  state) |
+| trivial.js:42:25:42:109 | require ... cers1]) |
+| trivial.js:44:23:48:2 | require ... ate)\\n}) |
+| trivial.js:129:32:131:2 | require ... te),\\n}) |
+getStateHandlerArg
+| exportedReducer.js:11:30:13:2 | combine ... tate\\n}) | inner | exportedReducer.js:12:12:12:35 | (state, ... > state |
+| react-redux.jsx:48:30:51:2 | rt.comb ... cer,\\n}) | manual | react-redux.jsx:50:13:50:25 | manualReducer |
+| react-redux.jsx:48:30:51:2 | rt.comb ... cer,\\n}) | toolkit | react-redux.jsx:49:14:49:27 | toolkitReducer |
+| trivial.js:9:22:14:2 | require ...    }\\n}) | bar | trivial.js:11:10:13:5 | {\\n      ... ,\\n    } |
+| trivial.js:9:22:14:2 | require ...    }\\n}) | foo | trivial.js:10:10:10:33 | (state, ... > state |
+| trivial.js:11:10:13:5 | {\\n      ... ,\\n    } | baz | trivial.js:12:14:12:37 | (state, ... > state |
+| trivial.js:15:26:20:2 | require ...    }\\n}) | bar | trivial.js:17:10:19:5 | {\\n      ... ,\\n    } |
+| trivial.js:15:26:20:2 | require ...    }\\n}) | foo | trivial.js:16:10:16:33 | (state, ... > state |
+| trivial.js:17:10:19:5 | {\\n      ... ,\\n    } | baz | trivial.js:18:14:18:37 | (state, ... > state |
+| trivial.js:21:24:26:2 | require ...    }\\n}) | bar | trivial.js:23:10:25:5 | {\\n      ... ,\\n    } |
+| trivial.js:21:24:26:2 | require ...    }\\n}) | foo | trivial.js:22:10:22:33 | (state, ... > state |
+| trivial.js:23:10:25:5 | {\\n      ... ,\\n    } | baz | trivial.js:24:14:24:37 | (state, ... > state |
+| trivial.js:129:32:131:2 | require ... te),\\n}) | wrapped | trivial.js:130:14:130:46 | wrapper ...  state) |
+getActionHandlerArg
+| react-redux.jsx:10:24:24:2 | rt.crea ...  });\\n}) | react-redux.jsx:12:18:12:30 | toolkitAction | react-redux.jsx:12:33:17:9 | (state, ...       } |
+| react-redux.jsx:10:24:24:2 | rt.crea ...  });\\n}) | react-redux.jsx:18:18:18:38 | asyncAc ... lfilled | react-redux.jsx:18:41:23:9 | (state, ...       } |
+| trivial.js:28:23:30:2 | require ... ate,\\n}) | trivial.js:29:5:29:13 | fooAction | trivial.js:29:16:29:39 | (state, ... > state |
+| trivial.js:32:22:32:97 | require ...  state) | trivial.js:32:60:32:70 | 'fooAction' | trivial.js:32:73:32:96 | (state, ... > state |
+| trivial.js:44:23:48:2 | require ... ate)\\n}) | trivial.js:46:18:46:30 | toolkitAction | trivial.js:46:33:46:56 | (state, ... > state |
+| trivial.js:44:23:48:2 | require ... ate)\\n}) | trivial.js:47:18:47:30 | toolkitAction | trivial.js:47:33:47:56 | (state, ... > state |
+getAPlainHandlerArg
+| trivial.js:36:15:36:56 | require ...  state) | trivial.js:36:32:36:55 | (state, ... > state |
+| trivial.js:37:22:37:71 | require ...  state) | trivial.js:37:47:37:70 | (state, ... > state |
+| trivial.js:39:25:39:76 | require ...  state) | trivial.js:39:52:39:75 | (state, ... > state |
+| trivial.js:40:25:40:96 | require ... cers1]) | trivial.js:40:52:40:95 | [(state ... ucers1] |
+| trivial.js:40:25:40:96 | require ... cers1]) | trivial.js:40:53:40:76 | (state, ... > state |
+| trivial.js:40:25:40:96 | require ... cers1]) | trivial.js:40:79:40:94 | reducerReducers1 |
+| trivial.js:41:25:41:89 | require ...  state) | trivial.js:41:65:41:88 | (state, ... > state |
+| trivial.js:42:25:42:109 | require ... cers1]) | trivial.js:42:65:42:108 | [(state ... ucers1] |
+| trivial.js:42:25:42:109 | require ... cers1]) | trivial.js:42:66:42:89 | (state, ... > state |
+| trivial.js:42:25:42:109 | require ... cers1]) | trivial.js:42:92:42:107 | reducerReducers1 |
+getUseSite
+| react-redux.jsx:10:24:24:2 | rt.crea ...  });\\n}) | react-redux.jsx:49:14:49:27 | toolkitReducer |
+| react-redux.jsx:48:30:51:2 | rt.comb ... cer,\\n}) | react-redux.jsx:48:30:51:2 | rt.comb ... cer,\\n}) |
+| trivial.js:11:10:13:5 | {\\n      ... ,\\n    } | trivial.js:11:10:13:5 | {\\n      ... ,\\n    } |
+| trivial.js:17:10:19:5 | {\\n      ... ,\\n    } | trivial.js:17:10:19:5 | {\\n      ... ,\\n    } |
+| trivial.js:23:10:25:5 | {\\n      ... ,\\n    } | trivial.js:23:10:25:5 | {\\n      ... ,\\n    } |
+| trivial.js:129:32:131:2 | require ... te),\\n}) | trivial.js:133:45:133:66 | combine ... Reducer |
+storeCreation
+| react-redux.jsx:48:15:51:3 | rt.crea ... er,\\n})) |
+| trivial.js:133:16:133:67 | require ... educer) |
+| trivial.js:134:16:134:80 | require ...  state) |
+| trivial.js:135:16:137:2 | require ... tate\\n}) |
+taintFlow
+| react-redux.jsx:56:29:56:36 | source() | react-redux.jsx:62:10:62:36 | props.p ... tAction |
+| react-redux.jsx:58:31:58:38 | source() | react-redux.jsx:63:10:63:35 | props.p ... lAction |
+| react-redux.jsx:59:30:59:37 | source() | react-redux.jsx:64:10:64:28 | props.propFromAsync |
+getAffectedStateAccessPath
+| react-redux.jsx:12:33:17:9 | (state, ...       } | toolkit |
+| react-redux.jsx:18:41:23:9 | (state, ...       } | toolkit |
+| react-redux.jsx:49:14:49:27 | toolkitReducer | toolkit |
+| react-redux.jsx:50:13:50:25 | manualReducer | manual |
+| trivial.js:130:14:130:46 | wrapper ...  state) | wrapped |
+getADispatchFunctionReference
+| react-redux.jsx:54:20:54:32 | useDispatch() |
+getADispatchedValueSource
+| react-redux.jsx:26:1:31:1 | return of function manualAction |
+| react-redux.jsx:27:12:30:5 | {\\n      ... x\\n    } |
+| react-redux.jsx:58:18:58:39 | manualA ... urce()) |
+| react-redux.jsx:59:18:59:38 | asyncAc ... urce()) |
+getAnUntypedActionInReducer
+| exportedReducer.js:12:20:12:25 | action |
+| react-redux.jsx:32:31:32:36 | action |
+| trivial.js:10:18:10:23 | action |
+| trivial.js:12:22:12:27 | action |
+| trivial.js:16:18:16:23 | action |
+| trivial.js:18:22:18:27 | action |
+| trivial.js:22:18:22:23 | action |
+| trivial.js:24:22:24:27 | action |
+| trivial.js:124:20:124:25 | action |
+| trivial.js:130:30:130:35 | action |
+| trivial.js:134:64:134:69 | action |
+| trivial.js:136:22:136:27 | action |
+actionToReducerStep
+| react-redux.jsx:5:56:9:1 | return of anonymous function | react-redux.jsx:14:24:14:37 | action.payload |
+| react-redux.jsx:29:18:29:18 | x | react-redux.jsx:35:45:35:58 | action.payload |
+| react-redux.jsx:56:29:56:36 | source() | react-redux.jsx:5:57:5:57 | x |
+| react-redux.jsx:59:30:59:37 | source() | react-redux.jsx:40:57:40:57 | x |
+actionToReducerPromiseStep
+| react-redux.jsx:40:56:46:1 | return of anonymous function | react-redux.jsx:20:29:20:42 | action.payload |
+reducerToStateStep
+| react-redux.jsx:12:33:17:9 | return of anonymous function | react-redux.jsx:71:32:71:44 | state.toolkit |
+| react-redux.jsx:12:33:17:9 | return of anonymous function | react-redux.jsx:72:24:72:36 | state.toolkit |
+| react-redux.jsx:14:24:14:50 | action. ... itValue | react-redux.jsx:71:32:71:50 | state.toolkit.value |
+| react-redux.jsx:18:41:23:9 | return of anonymous function | react-redux.jsx:71:32:71:44 | state.toolkit |
+| react-redux.jsx:18:41:23:9 | return of anonymous function | react-redux.jsx:72:24:72:36 | state.toolkit |
+| react-redux.jsx:20:29:20:44 | action.payload.x | react-redux.jsx:72:24:72:47 | state.t ... ncValue |
+| react-redux.jsx:32:1:39:1 | return of function manualReducer | react-redux.jsx:73:31:73:42 | state.manual |
+| react-redux.jsx:35:45:35:58 | action.payload | react-redux.jsx:73:31:73:54 | state.m ... alValue |
diff --git a/javascript/ql/test/library-tests/frameworks/Redux/test.ql b/javascript/ql/test/library-tests/frameworks/Redux/test.ql
new file mode 100644
index 00000000000..e289950d63e
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Redux/test.ql
@@ -0,0 +1,61 @@
+import javascript
+
+query predicate getAffectedStateAccessPath = Redux::getAffectedStateAccessPath/1;
+
+query Redux::ReducerArg reducerArg() { any() }
+
+query Redux::ReducerArg isActionTypeHandler(DataFlow::Node actionType) {
+  result.isActionTypeHandler(actionType)
+}
+
+query Redux::ReducerArg isTypeTagHandler(string typeTag) { result.isTypeTagHandler(typeTag) }
+
+query Redux::ReducerArg isRootStateHandler() { result.isRootStateHandler() }
+
+query Redux::DelegatingReducer delegatingReducer() { any() }
+
+query DataFlow::Node getStateHandlerArg(Redux::DelegatingReducer reducer, string prop) {
+  result = reducer.getStateHandlerArg(prop)
+}
+
+query DataFlow::Node getActionHandlerArg(Redux::DelegatingReducer reducer, DataFlow::Node actionType) {
+  result = reducer.getActionHandlerArg(actionType)
+}
+
+query DataFlow::Node getAPlainHandlerArg(Redux::DelegatingReducer reducer) {
+  result = reducer.getAPlainHandlerArg()
+}
+
+query Redux::ReducerArg getUseSite(Redux::DelegatingReducer reducer) {
+  result = reducer.getUseSite()
+}
+
+query predicate getADispatchFunctionReference = Redux::getADispatchFunctionReference/0;
+
+query predicate getADispatchedValueSource = Redux::getADispatchedValueSource/0;
+
+query predicate getAnUntypedActionInReducer = Redux::getAnUntypedActionInReducer/0;
+
+query predicate actionToReducerStep = Redux::actionToReducerStep/2;
+
+query predicate actionToReducerPromiseStep = Redux::actionToReducerPromiseStep/2;
+
+query predicate reducerToStateStep = Redux::reducerToStateStep/2;
+
+query Redux::StoreCreation storeCreation() { any() }
+
+class BasicTaint extends TaintTracking::Configuration {
+  BasicTaint() { this = "BasicTaint" }
+
+  override predicate isSource(DataFlow::Node node) {
+    node.(DataFlow::CallNode).getCalleeName() = "source"
+  }
+
+  override predicate isSink(DataFlow::Node node) {
+    node = any(DataFlow::CallNode call | call.getCalleeName() = "sink").getAnArgument()
+  }
+}
+
+query predicate taintFlow(DataFlow::Node source, DataFlow::Node sink) {
+  any(BasicTaint cfg).hasFlow(source, sink)
+}
diff --git a/javascript/ql/test/library-tests/frameworks/Redux/trivial.js b/javascript/ql/test/library-tests/frameworks/Redux/trivial.js
new file mode 100644
index 00000000000..8e431b04ed8
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Redux/trivial.js
@@ -0,0 +1,137 @@
+// This file contains a lot of trivial reducers and actions, simply to test that
+// the Redux model recognizes them, but no data flow passes through them.
+
+const toolkitAction = require('@reduxjs/toolkit').createAction('counter/increment');
+const toolkitAsyncAction = require('@reduxjs/toolkit').createAsyncThunk('async-action', async (arg) => {
+    return await (await fetch(arg)).json();
+})
+
+const reduxCombine = require('redux').combineReducers({
+    foo: (state, action) => state,
+    bar: {
+        baz: (state, action) => state,
+    }
+});
+const immutableCombine = require('redux-immutable').combineReducers({
+    foo: (state, action) => state,
+    bar: {
+        baz: (state, action) => state,
+    }
+});
+const toolkitCombine = require('@reduxjs/toolkit').combineReducers({
+    foo: (state, action) => state,
+    bar: {
+        baz: (state, action) => state,
+    }
+});
+
+const handleActions = require('redux-actions').handleActions({
+    fooAction: (state, action) => state,
+});
+
+const handleAction = require('redux-actions').handleAction('fooAction', (state, action) => state);
+
+const persistReducer = require('redux-persist').persistReducer((state, action) => state);
+
+const immer = require('immer')((state, action) => state);
+const immerProduce = require('immer').produce((state, action) => state);
+
+const reduceReducers1 = require('reduce-reducers')((state, action) => state);
+const reduceReducers2 = require('reduce-reducers')([(state, action) => state, reducerReducers1]);
+const reduceReducers3 = require('redux-actions').reduceReducers((state, action) => state);
+const reduceReducers4 = require('redux-actions').reduceReducers([(state, action) => state, reducerReducers1]);
+
+const createReducer = require('@reduxjs/toolkit').createReducer(0, builder => {
+    builder
+        .addCase(toolkitAction, (state, action) => state)
+        .addCase(toolkitAction, (state, action) => state)
+});
+
+function createSlice1() {
+    const { increment } = require('@reduxjs/toolkit').createSlice({
+        name: 'counter1',
+        initialState: 0,
+        reducers: {
+            increment(state, action) {
+                return state;
+            }
+        },
+        extraReducers: {
+            [toolkitAction]: (state, action) => {
+                return state;
+            },
+            [toolkitAsyncAction.fulfilled]: (state, action) => {
+                action.meta.arg;
+                return state;
+            },
+            [toolkitAsyncAction.rejected]: (state, action) => {
+                action.meta.arg;
+                return state;
+            },
+            [toolkitAsyncAction.pending]: (state, action) => {
+                action.meta.arg;
+                return state;
+            }
+        }
+    });
+    return increment;
+}
+
+function createSlice2() {
+    const { increment } = require('@reduxjs/toolkit').createSlice({
+        name: 'counter2',
+        initialState: 0,
+        reducers: {
+            increment(state, action) {
+                return state;
+            }
+        },
+        extraReducers: builder => {
+            builder
+                .addCase(toolkitAction, (state, action) => state)
+                .addCase(toolkitAsyncAction.fulfilled, (state, action) => {
+                    action.meta.arg;
+                    return state;
+                });
+        }
+    });
+    return increment;
+}
+
+let importedReducers = combineReducers({
+    foo: {
+        bar: {
+            baz: (state, action) => state
+        },
+        baloon: require('./exportedReducer'),
+    },
+    nestedReducer: require('./exportedReducer').nestedReducer
+});
+
+const reduxActions = require('redux-actions').createAction('reduxActionsCreateAction');
+const tsUtils = require('redux-ts-utils').createAction('tsUtilCreateAction');
+
+const { fooAction2, barAction2 } = require('redux-actions').createActions({
+    foo1Action2(x, y) {
+        return { x, y }
+    },
+    barAction2(x) {
+        return { x }
+    }
+});
+
+function wrapper(fn) {
+    return (state, action) => {
+        console.log('hello');
+        return fn(state, action);
+    }
+}
+const combinedWrappedReducer = require('redux').combineReducers({
+    wrapped: wrapper((state, action) => state),
+});
+
+const store1 = require('redux').createStore(combinedWrappedReducer);
+const store2 = require('@reduxjs/toolkit').createStore((state, action) => state);
+const store3 = require('@reduxjs/toolkit').configureStore({
+    reducer: (state, action) => state
+});

From fd7cbd0c967374ec3b116d28ea26dc70dc9c9c0c Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Tue, 9 Feb 2021 09:12:59 +0000
Subject: [PATCH 0136/1429] JS: Tweak BasicBlock.dominates and friends

---
 .../ql/src/semmle/javascript/BasicBlocks.qll     | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/BasicBlocks.qll b/javascript/ql/src/semmle/javascript/BasicBlocks.qll
index c0868605dc3..d0dc634586c 100644
--- a/javascript/ql/src/semmle/javascript/BasicBlocks.qll
+++ b/javascript/ql/src/semmle/javascript/BasicBlocks.qll
@@ -307,7 +307,7 @@ class ReachableBasicBlock extends BasicBlock {
   /**
    * Holds if this basic block strictly dominates `bb`.
    */
-  cached
+  pragma[inline]
   predicate strictlyDominates(ReachableBasicBlock bb) { bbIDominates+(this, bb) }
 
   /**
@@ -315,15 +315,13 @@ class ReachableBasicBlock extends BasicBlock {
    *
    * This predicate is reflexive: each reachable basic block dominates itself.
    */
-  predicate dominates(ReachableBasicBlock bb) {
-    bb = this or
-    strictlyDominates(bb)
-  }
+  pragma[inline]
+  predicate dominates(ReachableBasicBlock bb) { bbIDominates*(this, bb) }
 
   /**
    * Holds if this basic block strictly post-dominates `bb`.
    */
-  cached
+  pragma[inline]
   predicate strictlyPostDominates(ReachableBasicBlock bb) { bbIPostDominates+(this, bb) }
 
   /**
@@ -331,10 +329,8 @@ class ReachableBasicBlock extends BasicBlock {
    *
    * This predicate is reflexive: each reachable basic block post-dominates itself.
    */
-  predicate postDominates(ReachableBasicBlock bb) {
-    bb = this or
-    strictlyPostDominates(bb)
-  }
+  pragma[inline]
+  predicate postDominates(ReachableBasicBlock bb) { bbIPostDominates*(this, bb) }
 }
 
 /**

From 1ce7c3448f802872ac4ec5c0ffb472c633223c7b Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 15 Feb 2021 12:24:17 +0000
Subject: [PATCH 0137/1429] JS: Address some review comments

---
 javascript/ql/src/semmle/javascript/frameworks/Redux.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Redux.qll b/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
index 7f22c3638e2..6094d0164e0 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
@@ -373,6 +373,7 @@ module Redux {
      *   }
      * });
      * export default slice.reducer;
+     * export const { actionType1, actionType2 } = slice.actions;
      * ```
      */
     private class CreateSliceReducer extends DelegatingReducer {
@@ -481,13 +482,12 @@ module Redux {
     DataFlow::SourceNode ref() { result = ref(DataFlow::TypeTracker::end()) }
 
     /**
-     * Holds if `successBlock` is executed when a check has determined that `action` originated from this action creator.
+     * Gets a block that is executed when a check has determined that `action` originated from this action creator.
      */
     private ReachableBasicBlock getASuccessfulTypeCheckBlock(DataFlow::SourceNode action) {
       action = getAnUntypedActionInReducer() and
       result = getASuccessfulTypeCheckBlock(action, getTypeTag())
       or
-      // and ProgramSlicing::areFilesInSameReduxApp(result.getFile(), this.getFile()) -- TODO delete?
       // some action creators implement a .match method for this purpose
       exists(ConditionGuardNode guard, DataFlow::CallNode call |
         call = ref().getAMethodCall("match") and

From 53def60e4f3cbc16bbdcdc575f7c08c4282f3594 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 15 Feb 2021 13:10:45 +0000
Subject: [PATCH 0138/1429] JS: Add test for if-based type check

---
 .../frameworks/Redux/react-redux.jsx          |  7 ++-
 .../frameworks/Redux/test.expected            | 62 ++++++++++---------
 2 files changed, 39 insertions(+), 30 deletions(-)

diff --git a/javascript/ql/test/library-tests/frameworks/Redux/react-redux.jsx b/javascript/ql/test/library-tests/frameworks/Redux/react-redux.jsx
index abb9729d4bf..d5e7b5cccca 100644
--- a/javascript/ql/test/library-tests/frameworks/Redux/react-redux.jsx
+++ b/javascript/ql/test/library-tests/frameworks/Redux/react-redux.jsx
@@ -35,6 +35,9 @@ function manualReducer(state, action) {
             return { ...state, manualValue: action.payload };
         }
     }
+    if (action.type === 'manualAction') {
+        return { ...state, manualValue2: action.payload };
+    }
     return state;
 }
 const asyncAction = rt.createAsyncThunk('asyncAction', (x) => {
@@ -61,6 +64,7 @@ function MyComponent(props) {
 
     sink(props.propFromToolkitAction); // NOT OK
     sink(props.propFromManualAction); // NOT OK
+    sink(props.propFromManualAction2); // NOT OK
     sink(props.propFromAsync); // NOT OK
 
     return <button onClick={{clickHandler}}/>
@@ -70,7 +74,8 @@ function mapStateToProps(state) {
     return {
         propFromToolkitAction: state.toolkit.value,
         propFromAsync: state.toolkit.asyncValue,
-        propFromManualAction: state.manual.manualValue
+        propFromManualAction: state.manual.manualValue,
+        propFromManualAction2: state.manual.manualValue2
     }
 }
 
diff --git a/javascript/ql/test/library-tests/frameworks/Redux/test.expected b/javascript/ql/test/library-tests/frameworks/Redux/test.expected
index db52e1b21b0..05981a400b4 100644
--- a/javascript/ql/test/library-tests/frameworks/Redux/test.expected
+++ b/javascript/ql/test/library-tests/frameworks/Redux/test.expected
@@ -2,9 +2,9 @@ reducerArg
 | exportedReducer.js:12:12:12:35 | (state, ... > state |
 | react-redux.jsx:12:33:17:9 | (state, ...       } |
 | react-redux.jsx:18:41:23:9 | (state, ...       } |
-| react-redux.jsx:48:30:51:2 | rt.comb ... cer,\\n}) |
-| react-redux.jsx:49:14:49:27 | toolkitReducer |
-| react-redux.jsx:50:13:50:25 | manualReducer |
+| react-redux.jsx:51:30:54:2 | rt.comb ... cer,\\n}) |
+| react-redux.jsx:52:14:52:27 | toolkitReducer |
+| react-redux.jsx:53:13:53:25 | manualReducer |
 | trivial.js:10:10:10:33 | (state, ... > state |
 | trivial.js:11:10:13:5 | {\\n      ... ,\\n    } |
 | trivial.js:12:14:12:37 | (state, ... > state |
@@ -37,14 +37,14 @@ isTypeTagHandler
 | fooAction | trivial.js:32:73:32:96 | (state, ... > state |
 | toolkitAction | react-redux.jsx:12:33:17:9 | (state, ...       } |
 isRootStateHandler
-| react-redux.jsx:48:30:51:2 | rt.comb ... cer,\\n}) |
+| react-redux.jsx:51:30:54:2 | rt.comb ... cer,\\n}) |
 | trivial.js:133:45:133:66 | combine ... Reducer |
 | trivial.js:134:56:134:79 | (state, ... > state |
 | trivial.js:136:14:136:37 | (state, ... > state |
 delegatingReducer
 | exportedReducer.js:11:30:13:2 | combine ... tate\\n}) |
 | react-redux.jsx:10:24:24:2 | rt.crea ...  });\\n}) |
-| react-redux.jsx:48:30:51:2 | rt.comb ... cer,\\n}) |
+| react-redux.jsx:51:30:54:2 | rt.comb ... cer,\\n}) |
 | trivial.js:9:22:14:2 | require ...    }\\n}) |
 | trivial.js:11:10:13:5 | {\\n      ... ,\\n    } |
 | trivial.js:15:26:20:2 | require ...    }\\n}) |
@@ -64,8 +64,8 @@ delegatingReducer
 | trivial.js:129:32:131:2 | require ... te),\\n}) |
 getStateHandlerArg
 | exportedReducer.js:11:30:13:2 | combine ... tate\\n}) | inner | exportedReducer.js:12:12:12:35 | (state, ... > state |
-| react-redux.jsx:48:30:51:2 | rt.comb ... cer,\\n}) | manual | react-redux.jsx:50:13:50:25 | manualReducer |
-| react-redux.jsx:48:30:51:2 | rt.comb ... cer,\\n}) | toolkit | react-redux.jsx:49:14:49:27 | toolkitReducer |
+| react-redux.jsx:51:30:54:2 | rt.comb ... cer,\\n}) | manual | react-redux.jsx:53:13:53:25 | manualReducer |
+| react-redux.jsx:51:30:54:2 | rt.comb ... cer,\\n}) | toolkit | react-redux.jsx:52:14:52:27 | toolkitReducer |
 | trivial.js:9:22:14:2 | require ...    }\\n}) | bar | trivial.js:11:10:13:5 | {\\n      ... ,\\n    } |
 | trivial.js:9:22:14:2 | require ...    }\\n}) | foo | trivial.js:10:10:10:33 | (state, ... > state |
 | trivial.js:11:10:13:5 | {\\n      ... ,\\n    } | baz | trivial.js:12:14:12:37 | (state, ... > state |
@@ -95,34 +95,35 @@ getAPlainHandlerArg
 | trivial.js:42:25:42:109 | require ... cers1]) | trivial.js:42:66:42:89 | (state, ... > state |
 | trivial.js:42:25:42:109 | require ... cers1]) | trivial.js:42:92:42:107 | reducerReducers1 |
 getUseSite
-| react-redux.jsx:10:24:24:2 | rt.crea ...  });\\n}) | react-redux.jsx:49:14:49:27 | toolkitReducer |
-| react-redux.jsx:48:30:51:2 | rt.comb ... cer,\\n}) | react-redux.jsx:48:30:51:2 | rt.comb ... cer,\\n}) |
+| react-redux.jsx:10:24:24:2 | rt.crea ...  });\\n}) | react-redux.jsx:52:14:52:27 | toolkitReducer |
+| react-redux.jsx:51:30:54:2 | rt.comb ... cer,\\n}) | react-redux.jsx:51:30:54:2 | rt.comb ... cer,\\n}) |
 | trivial.js:11:10:13:5 | {\\n      ... ,\\n    } | trivial.js:11:10:13:5 | {\\n      ... ,\\n    } |
 | trivial.js:17:10:19:5 | {\\n      ... ,\\n    } | trivial.js:17:10:19:5 | {\\n      ... ,\\n    } |
 | trivial.js:23:10:25:5 | {\\n      ... ,\\n    } | trivial.js:23:10:25:5 | {\\n      ... ,\\n    } |
 | trivial.js:129:32:131:2 | require ... te),\\n}) | trivial.js:133:45:133:66 | combine ... Reducer |
 storeCreation
-| react-redux.jsx:48:15:51:3 | rt.crea ... er,\\n})) |
+| react-redux.jsx:51:15:54:3 | rt.crea ... er,\\n})) |
 | trivial.js:133:16:133:67 | require ... educer) |
 | trivial.js:134:16:134:80 | require ...  state) |
 | trivial.js:135:16:137:2 | require ... tate\\n}) |
 taintFlow
-| react-redux.jsx:56:29:56:36 | source() | react-redux.jsx:62:10:62:36 | props.p ... tAction |
-| react-redux.jsx:58:31:58:38 | source() | react-redux.jsx:63:10:63:35 | props.p ... lAction |
-| react-redux.jsx:59:30:59:37 | source() | react-redux.jsx:64:10:64:28 | props.propFromAsync |
+| react-redux.jsx:59:29:59:36 | source() | react-redux.jsx:65:10:65:36 | props.p ... tAction |
+| react-redux.jsx:61:31:61:38 | source() | react-redux.jsx:66:10:66:35 | props.p ... lAction |
+| react-redux.jsx:61:31:61:38 | source() | react-redux.jsx:67:10:67:36 | props.p ... Action2 |
+| react-redux.jsx:62:30:62:37 | source() | react-redux.jsx:68:10:68:28 | props.propFromAsync |
 getAffectedStateAccessPath
 | react-redux.jsx:12:33:17:9 | (state, ...       } | toolkit |
 | react-redux.jsx:18:41:23:9 | (state, ...       } | toolkit |
-| react-redux.jsx:49:14:49:27 | toolkitReducer | toolkit |
-| react-redux.jsx:50:13:50:25 | manualReducer | manual |
+| react-redux.jsx:52:14:52:27 | toolkitReducer | toolkit |
+| react-redux.jsx:53:13:53:25 | manualReducer | manual |
 | trivial.js:130:14:130:46 | wrapper ...  state) | wrapped |
 getADispatchFunctionReference
-| react-redux.jsx:54:20:54:32 | useDispatch() |
+| react-redux.jsx:57:20:57:32 | useDispatch() |
 getADispatchedValueSource
 | react-redux.jsx:26:1:31:1 | return of function manualAction |
 | react-redux.jsx:27:12:30:5 | {\\n      ... x\\n    } |
-| react-redux.jsx:58:18:58:39 | manualA ... urce()) |
-| react-redux.jsx:59:18:59:38 | asyncAc ... urce()) |
+| react-redux.jsx:61:18:61:39 | manualA ... urce()) |
+| react-redux.jsx:62:18:62:38 | asyncAc ... urce()) |
 getAnUntypedActionInReducer
 | exportedReducer.js:12:20:12:25 | action |
 | react-redux.jsx:32:31:32:36 | action |
@@ -139,16 +140,19 @@ getAnUntypedActionInReducer
 actionToReducerStep
 | react-redux.jsx:5:56:9:1 | return of anonymous function | react-redux.jsx:14:24:14:37 | action.payload |
 | react-redux.jsx:29:18:29:18 | x | react-redux.jsx:35:45:35:58 | action.payload |
-| react-redux.jsx:56:29:56:36 | source() | react-redux.jsx:5:57:5:57 | x |
-| react-redux.jsx:59:30:59:37 | source() | react-redux.jsx:40:57:40:57 | x |
+| react-redux.jsx:29:18:29:18 | x | react-redux.jsx:39:42:39:55 | action.payload |
+| react-redux.jsx:59:29:59:36 | source() | react-redux.jsx:5:57:5:57 | x |
+| react-redux.jsx:62:30:62:37 | source() | react-redux.jsx:43:57:43:57 | x |
 actionToReducerPromiseStep
-| react-redux.jsx:40:56:46:1 | return of anonymous function | react-redux.jsx:20:29:20:42 | action.payload |
+| react-redux.jsx:43:56:49:1 | return of anonymous function | react-redux.jsx:20:29:20:42 | action.payload |
 reducerToStateStep
-| react-redux.jsx:12:33:17:9 | return of anonymous function | react-redux.jsx:71:32:71:44 | state.toolkit |
-| react-redux.jsx:12:33:17:9 | return of anonymous function | react-redux.jsx:72:24:72:36 | state.toolkit |
-| react-redux.jsx:14:24:14:50 | action. ... itValue | react-redux.jsx:71:32:71:50 | state.toolkit.value |
-| react-redux.jsx:18:41:23:9 | return of anonymous function | react-redux.jsx:71:32:71:44 | state.toolkit |
-| react-redux.jsx:18:41:23:9 | return of anonymous function | react-redux.jsx:72:24:72:36 | state.toolkit |
-| react-redux.jsx:20:29:20:44 | action.payload.x | react-redux.jsx:72:24:72:47 | state.t ... ncValue |
-| react-redux.jsx:32:1:39:1 | return of function manualReducer | react-redux.jsx:73:31:73:42 | state.manual |
-| react-redux.jsx:35:45:35:58 | action.payload | react-redux.jsx:73:31:73:54 | state.m ... alValue |
+| react-redux.jsx:12:33:17:9 | return of anonymous function | react-redux.jsx:75:32:75:44 | state.toolkit |
+| react-redux.jsx:12:33:17:9 | return of anonymous function | react-redux.jsx:76:24:76:36 | state.toolkit |
+| react-redux.jsx:14:24:14:50 | action. ... itValue | react-redux.jsx:75:32:75:50 | state.toolkit.value |
+| react-redux.jsx:18:41:23:9 | return of anonymous function | react-redux.jsx:75:32:75:44 | state.toolkit |
+| react-redux.jsx:18:41:23:9 | return of anonymous function | react-redux.jsx:76:24:76:36 | state.toolkit |
+| react-redux.jsx:20:29:20:44 | action.payload.x | react-redux.jsx:76:24:76:47 | state.t ... ncValue |
+| react-redux.jsx:32:1:42:1 | return of function manualReducer | react-redux.jsx:77:31:77:42 | state.manual |
+| react-redux.jsx:32:1:42:1 | return of function manualReducer | react-redux.jsx:78:32:78:43 | state.manual |
+| react-redux.jsx:35:45:35:58 | action.payload | react-redux.jsx:77:31:77:54 | state.m ... alValue |
+| react-redux.jsx:39:42:39:55 | action.payload | react-redux.jsx:78:32:78:56 | state.m ... lValue2 |

From cca38a64be76255ec2b244ade074f481263fde3d Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 15 Feb 2021 13:19:03 +0000
Subject: [PATCH 0139/1429] JS: Add test for flow to a closure body under a
 type guard

---
 .../frameworks/Redux/react-redux.jsx          | 12 +++-
 .../frameworks/Redux/test.expected            | 68 ++++++++++---------
 2 files changed, 47 insertions(+), 33 deletions(-)

diff --git a/javascript/ql/test/library-tests/frameworks/Redux/react-redux.jsx b/javascript/ql/test/library-tests/frameworks/Redux/react-redux.jsx
index d5e7b5cccca..fc653906226 100644
--- a/javascript/ql/test/library-tests/frameworks/Redux/react-redux.jsx
+++ b/javascript/ql/test/library-tests/frameworks/Redux/react-redux.jsx
@@ -38,6 +38,14 @@ function manualReducer(state, action) {
     if (action.type === 'manualAction') {
         return { ...state, manualValue2: action.payload };
     }
+    if (action.type === 'manualAction') {
+        return {
+            ...state,
+            manualValue3: [1, 2, 3].map(x => {
+                return action.payload + x;
+            })
+        };
+    }
     return state;
 }
 const asyncAction = rt.createAsyncThunk('asyncAction', (x) => {
@@ -65,6 +73,7 @@ function MyComponent(props) {
     sink(props.propFromToolkitAction); // NOT OK
     sink(props.propFromManualAction); // NOT OK
     sink(props.propFromManualAction2); // NOT OK
+    sink(props.propFromManualAction3); // NOT OK
     sink(props.propFromAsync); // NOT OK
 
     return <button onClick={{clickHandler}}/>
@@ -75,7 +84,8 @@ function mapStateToProps(state) {
         propFromToolkitAction: state.toolkit.value,
         propFromAsync: state.toolkit.asyncValue,
         propFromManualAction: state.manual.manualValue,
-        propFromManualAction2: state.manual.manualValue2
+        propFromManualAction2: state.manual.manualValue2,
+        propFromManualAction3: state.manual.manualValue3,
     }
 }
 
diff --git a/javascript/ql/test/library-tests/frameworks/Redux/test.expected b/javascript/ql/test/library-tests/frameworks/Redux/test.expected
index 05981a400b4..2c819949805 100644
--- a/javascript/ql/test/library-tests/frameworks/Redux/test.expected
+++ b/javascript/ql/test/library-tests/frameworks/Redux/test.expected
@@ -2,9 +2,9 @@ reducerArg
 | exportedReducer.js:12:12:12:35 | (state, ... > state |
 | react-redux.jsx:12:33:17:9 | (state, ...       } |
 | react-redux.jsx:18:41:23:9 | (state, ...       } |
-| react-redux.jsx:51:30:54:2 | rt.comb ... cer,\\n}) |
-| react-redux.jsx:52:14:52:27 | toolkitReducer |
-| react-redux.jsx:53:13:53:25 | manualReducer |
+| react-redux.jsx:59:30:62:2 | rt.comb ... cer,\\n}) |
+| react-redux.jsx:60:14:60:27 | toolkitReducer |
+| react-redux.jsx:61:13:61:25 | manualReducer |
 | trivial.js:10:10:10:33 | (state, ... > state |
 | trivial.js:11:10:13:5 | {\\n      ... ,\\n    } |
 | trivial.js:12:14:12:37 | (state, ... > state |
@@ -37,14 +37,14 @@ isTypeTagHandler
 | fooAction | trivial.js:32:73:32:96 | (state, ... > state |
 | toolkitAction | react-redux.jsx:12:33:17:9 | (state, ...       } |
 isRootStateHandler
-| react-redux.jsx:51:30:54:2 | rt.comb ... cer,\\n}) |
+| react-redux.jsx:59:30:62:2 | rt.comb ... cer,\\n}) |
 | trivial.js:133:45:133:66 | combine ... Reducer |
 | trivial.js:134:56:134:79 | (state, ... > state |
 | trivial.js:136:14:136:37 | (state, ... > state |
 delegatingReducer
 | exportedReducer.js:11:30:13:2 | combine ... tate\\n}) |
 | react-redux.jsx:10:24:24:2 | rt.crea ...  });\\n}) |
-| react-redux.jsx:51:30:54:2 | rt.comb ... cer,\\n}) |
+| react-redux.jsx:59:30:62:2 | rt.comb ... cer,\\n}) |
 | trivial.js:9:22:14:2 | require ...    }\\n}) |
 | trivial.js:11:10:13:5 | {\\n      ... ,\\n    } |
 | trivial.js:15:26:20:2 | require ...    }\\n}) |
@@ -64,8 +64,8 @@ delegatingReducer
 | trivial.js:129:32:131:2 | require ... te),\\n}) |
 getStateHandlerArg
 | exportedReducer.js:11:30:13:2 | combine ... tate\\n}) | inner | exportedReducer.js:12:12:12:35 | (state, ... > state |
-| react-redux.jsx:51:30:54:2 | rt.comb ... cer,\\n}) | manual | react-redux.jsx:53:13:53:25 | manualReducer |
-| react-redux.jsx:51:30:54:2 | rt.comb ... cer,\\n}) | toolkit | react-redux.jsx:52:14:52:27 | toolkitReducer |
+| react-redux.jsx:59:30:62:2 | rt.comb ... cer,\\n}) | manual | react-redux.jsx:61:13:61:25 | manualReducer |
+| react-redux.jsx:59:30:62:2 | rt.comb ... cer,\\n}) | toolkit | react-redux.jsx:60:14:60:27 | toolkitReducer |
 | trivial.js:9:22:14:2 | require ...    }\\n}) | bar | trivial.js:11:10:13:5 | {\\n      ... ,\\n    } |
 | trivial.js:9:22:14:2 | require ...    }\\n}) | foo | trivial.js:10:10:10:33 | (state, ... > state |
 | trivial.js:11:10:13:5 | {\\n      ... ,\\n    } | baz | trivial.js:12:14:12:37 | (state, ... > state |
@@ -95,35 +95,36 @@ getAPlainHandlerArg
 | trivial.js:42:25:42:109 | require ... cers1]) | trivial.js:42:66:42:89 | (state, ... > state |
 | trivial.js:42:25:42:109 | require ... cers1]) | trivial.js:42:92:42:107 | reducerReducers1 |
 getUseSite
-| react-redux.jsx:10:24:24:2 | rt.crea ...  });\\n}) | react-redux.jsx:52:14:52:27 | toolkitReducer |
-| react-redux.jsx:51:30:54:2 | rt.comb ... cer,\\n}) | react-redux.jsx:51:30:54:2 | rt.comb ... cer,\\n}) |
+| react-redux.jsx:10:24:24:2 | rt.crea ...  });\\n}) | react-redux.jsx:60:14:60:27 | toolkitReducer |
+| react-redux.jsx:59:30:62:2 | rt.comb ... cer,\\n}) | react-redux.jsx:59:30:62:2 | rt.comb ... cer,\\n}) |
 | trivial.js:11:10:13:5 | {\\n      ... ,\\n    } | trivial.js:11:10:13:5 | {\\n      ... ,\\n    } |
 | trivial.js:17:10:19:5 | {\\n      ... ,\\n    } | trivial.js:17:10:19:5 | {\\n      ... ,\\n    } |
 | trivial.js:23:10:25:5 | {\\n      ... ,\\n    } | trivial.js:23:10:25:5 | {\\n      ... ,\\n    } |
 | trivial.js:129:32:131:2 | require ... te),\\n}) | trivial.js:133:45:133:66 | combine ... Reducer |
 storeCreation
-| react-redux.jsx:51:15:54:3 | rt.crea ... er,\\n})) |
+| react-redux.jsx:59:15:62:3 | rt.crea ... er,\\n})) |
 | trivial.js:133:16:133:67 | require ... educer) |
 | trivial.js:134:16:134:80 | require ...  state) |
 | trivial.js:135:16:137:2 | require ... tate\\n}) |
 taintFlow
-| react-redux.jsx:59:29:59:36 | source() | react-redux.jsx:65:10:65:36 | props.p ... tAction |
-| react-redux.jsx:61:31:61:38 | source() | react-redux.jsx:66:10:66:35 | props.p ... lAction |
-| react-redux.jsx:61:31:61:38 | source() | react-redux.jsx:67:10:67:36 | props.p ... Action2 |
-| react-redux.jsx:62:30:62:37 | source() | react-redux.jsx:68:10:68:28 | props.propFromAsync |
+| react-redux.jsx:67:29:67:36 | source() | react-redux.jsx:73:10:73:36 | props.p ... tAction |
+| react-redux.jsx:69:31:69:38 | source() | react-redux.jsx:74:10:74:35 | props.p ... lAction |
+| react-redux.jsx:69:31:69:38 | source() | react-redux.jsx:75:10:75:36 | props.p ... Action2 |
+| react-redux.jsx:69:31:69:38 | source() | react-redux.jsx:76:10:76:36 | props.p ... Action3 |
+| react-redux.jsx:70:30:70:37 | source() | react-redux.jsx:77:10:77:28 | props.propFromAsync |
 getAffectedStateAccessPath
 | react-redux.jsx:12:33:17:9 | (state, ...       } | toolkit |
 | react-redux.jsx:18:41:23:9 | (state, ...       } | toolkit |
-| react-redux.jsx:52:14:52:27 | toolkitReducer | toolkit |
-| react-redux.jsx:53:13:53:25 | manualReducer | manual |
+| react-redux.jsx:60:14:60:27 | toolkitReducer | toolkit |
+| react-redux.jsx:61:13:61:25 | manualReducer | manual |
 | trivial.js:130:14:130:46 | wrapper ...  state) | wrapped |
 getADispatchFunctionReference
-| react-redux.jsx:57:20:57:32 | useDispatch() |
+| react-redux.jsx:65:20:65:32 | useDispatch() |
 getADispatchedValueSource
 | react-redux.jsx:26:1:31:1 | return of function manualAction |
 | react-redux.jsx:27:12:30:5 | {\\n      ... x\\n    } |
-| react-redux.jsx:61:18:61:39 | manualA ... urce()) |
-| react-redux.jsx:62:18:62:38 | asyncAc ... urce()) |
+| react-redux.jsx:69:18:69:39 | manualA ... urce()) |
+| react-redux.jsx:70:18:70:38 | asyncAc ... urce()) |
 getAnUntypedActionInReducer
 | exportedReducer.js:12:20:12:25 | action |
 | react-redux.jsx:32:31:32:36 | action |
@@ -141,18 +142,21 @@ actionToReducerStep
 | react-redux.jsx:5:56:9:1 | return of anonymous function | react-redux.jsx:14:24:14:37 | action.payload |
 | react-redux.jsx:29:18:29:18 | x | react-redux.jsx:35:45:35:58 | action.payload |
 | react-redux.jsx:29:18:29:18 | x | react-redux.jsx:39:42:39:55 | action.payload |
-| react-redux.jsx:59:29:59:36 | source() | react-redux.jsx:5:57:5:57 | x |
-| react-redux.jsx:62:30:62:37 | source() | react-redux.jsx:43:57:43:57 | x |
+| react-redux.jsx:29:18:29:18 | x | react-redux.jsx:45:24:45:37 | action.payload |
+| react-redux.jsx:67:29:67:36 | source() | react-redux.jsx:5:57:5:57 | x |
+| react-redux.jsx:70:30:70:37 | source() | react-redux.jsx:51:57:51:57 | x |
 actionToReducerPromiseStep
-| react-redux.jsx:43:56:49:1 | return of anonymous function | react-redux.jsx:20:29:20:42 | action.payload |
+| react-redux.jsx:51:56:57:1 | return of anonymous function | react-redux.jsx:20:29:20:42 | action.payload |
 reducerToStateStep
-| react-redux.jsx:12:33:17:9 | return of anonymous function | react-redux.jsx:75:32:75:44 | state.toolkit |
-| react-redux.jsx:12:33:17:9 | return of anonymous function | react-redux.jsx:76:24:76:36 | state.toolkit |
-| react-redux.jsx:14:24:14:50 | action. ... itValue | react-redux.jsx:75:32:75:50 | state.toolkit.value |
-| react-redux.jsx:18:41:23:9 | return of anonymous function | react-redux.jsx:75:32:75:44 | state.toolkit |
-| react-redux.jsx:18:41:23:9 | return of anonymous function | react-redux.jsx:76:24:76:36 | state.toolkit |
-| react-redux.jsx:20:29:20:44 | action.payload.x | react-redux.jsx:76:24:76:47 | state.t ... ncValue |
-| react-redux.jsx:32:1:42:1 | return of function manualReducer | react-redux.jsx:77:31:77:42 | state.manual |
-| react-redux.jsx:32:1:42:1 | return of function manualReducer | react-redux.jsx:78:32:78:43 | state.manual |
-| react-redux.jsx:35:45:35:58 | action.payload | react-redux.jsx:77:31:77:54 | state.m ... alValue |
-| react-redux.jsx:39:42:39:55 | action.payload | react-redux.jsx:78:32:78:56 | state.m ... lValue2 |
+| react-redux.jsx:12:33:17:9 | return of anonymous function | react-redux.jsx:84:32:84:44 | state.toolkit |
+| react-redux.jsx:12:33:17:9 | return of anonymous function | react-redux.jsx:85:24:85:36 | state.toolkit |
+| react-redux.jsx:14:24:14:50 | action. ... itValue | react-redux.jsx:84:32:84:50 | state.toolkit.value |
+| react-redux.jsx:18:41:23:9 | return of anonymous function | react-redux.jsx:84:32:84:44 | state.toolkit |
+| react-redux.jsx:18:41:23:9 | return of anonymous function | react-redux.jsx:85:24:85:36 | state.toolkit |
+| react-redux.jsx:20:29:20:44 | action.payload.x | react-redux.jsx:85:24:85:47 | state.t ... ncValue |
+| react-redux.jsx:32:1:50:1 | return of function manualReducer | react-redux.jsx:86:31:86:42 | state.manual |
+| react-redux.jsx:32:1:50:1 | return of function manualReducer | react-redux.jsx:87:32:87:43 | state.manual |
+| react-redux.jsx:32:1:50:1 | return of function manualReducer | react-redux.jsx:88:32:88:43 | state.manual |
+| react-redux.jsx:35:45:35:58 | action.payload | react-redux.jsx:86:31:86:54 | state.m ... alValue |
+| react-redux.jsx:39:42:39:55 | action.payload | react-redux.jsx:87:32:87:56 | state.m ... lValue2 |
+| react-redux.jsx:44:27:46:14 | [1, 2,  ...      }) | react-redux.jsx:88:32:88:56 | state.m ... lValue3 |

From c926a47d50133a08820244a193522d18f8c4cae6 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 15 Feb 2021 14:39:51 +0000
Subject: [PATCH 0140/1429] JS: QLDoc and test for HeuristicConnectEntryPoint

---
 javascript/ql/src/semmle/javascript/frameworks/Redux.qll  | 8 +++++---
 .../test/library-tests/frameworks/Redux/react-redux.jsx   | 5 +++++
 .../ql/test/library-tests/frameworks/Redux/test.expected  | 4 ++++
 javascript/ql/test/library-tests/frameworks/Redux/test.ql | 2 ++
 4 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Redux.qll b/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
index 6094d0164e0..3e48dc04f34 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
@@ -1134,9 +1134,11 @@ module Redux {
     }
 
     /**
-     * An entry point in the API graphs corresponding to functions named `mapDispatchToProps`,
-     * used to catch cases where the call to `connect` was not found (usually because of it being
-     * wrapped in another function, which API graphs won't look through).
+     * An API entry point corresponding to a `connect` function which we couldn't recognize exactly.
+     *
+     * The `connect` call is recognized based on an argument being named either `mapStateToProps` or `mapDispatchToProps`. 
+     * Used to catch cases where the `connect` function was not recognized by API graphs (usually because of it being
+     * wrapped in another function, which API graphs won't look through). 
      */
     private class HeuristicConnectEntryPoint extends API::EntryPoint {
       HeuristicConnectEntryPoint() { this = "react-redux-connect" }
diff --git a/javascript/ql/test/library-tests/frameworks/Redux/react-redux.jsx b/javascript/ql/test/library-tests/frameworks/Redux/react-redux.jsx
index fc653906226..e1843b5bc92 100644
--- a/javascript/ql/test/library-tests/frameworks/Redux/react-redux.jsx
+++ b/javascript/ql/test/library-tests/frameworks/Redux/react-redux.jsx
@@ -92,3 +92,8 @@ function mapStateToProps(state) {
 const mapDispatchToProps = { toolkitAction, manualAction };
 
 const ConnectedComponent = connect(mapStateToProps, mapDispatchToProps)(MyComponent);
+
+function connectLike(f, g) {
+    return c => somethingWeirdAndComplicated(f, g)(c);
+}
+const ConnectedComponent2 = connectLike(mapStateToProps, mapDispatchToProps)(MyComponent);
diff --git a/javascript/ql/test/library-tests/frameworks/Redux/test.expected b/javascript/ql/test/library-tests/frameworks/Redux/test.expected
index 2c819949805..ec2207885ad 100644
--- a/javascript/ql/test/library-tests/frameworks/Redux/test.expected
+++ b/javascript/ql/test/library-tests/frameworks/Redux/test.expected
@@ -112,6 +112,10 @@ taintFlow
 | react-redux.jsx:69:31:69:38 | source() | react-redux.jsx:75:10:75:36 | props.p ... Action2 |
 | react-redux.jsx:69:31:69:38 | source() | react-redux.jsx:76:10:76:36 | props.p ... Action3 |
 | react-redux.jsx:70:30:70:37 | source() | react-redux.jsx:77:10:77:28 | props.propFromAsync |
+reactComponentRef
+| react-redux.jsx:64:1:80:1 | functio ... r}}/>\\n} | react-redux.jsx:64:1:80:1 | functio ... r}}/>\\n} |
+| react-redux.jsx:64:1:80:1 | functio ... r}}/>\\n} | react-redux.jsx:94:28:94:84 | connect ... ponent) |
+| react-redux.jsx:64:1:80:1 | functio ... r}}/>\\n} | react-redux.jsx:97:12:97:12 | c |
 getAffectedStateAccessPath
 | react-redux.jsx:12:33:17:9 | (state, ...       } | toolkit |
 | react-redux.jsx:18:41:23:9 | (state, ...       } | toolkit |
diff --git a/javascript/ql/test/library-tests/frameworks/Redux/test.ql b/javascript/ql/test/library-tests/frameworks/Redux/test.ql
index e289950d63e..ee0ff683951 100644
--- a/javascript/ql/test/library-tests/frameworks/Redux/test.ql
+++ b/javascript/ql/test/library-tests/frameworks/Redux/test.ql
@@ -59,3 +59,5 @@ class BasicTaint extends TaintTracking::Configuration {
 query predicate taintFlow(DataFlow::Node source, DataFlow::Node sink) {
   any(BasicTaint cfg).hasFlow(source, sink)
 }
+
+query DataFlow::SourceNode reactComponentRef(ReactComponent component) { result = component.getAComponentCreatorReference() }

From cee1a12489891675fe28ff077d509d48fe78d610 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 15 Feb 2021 14:40:20 +0000
Subject: [PATCH 0141/1429] JS: Fix typo in qldoc

---
 javascript/ql/src/semmle/javascript/frameworks/Redux.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Redux.qll b/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
index 3e48dc04f34..0da924f2713 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
@@ -1231,7 +1231,7 @@ module Redux {
      * callback collects all the intermediate results into the final result:
      *
      * ```js
-     *   creatorSelector(
+     *   createSelector(
      *     state => state.foo,
      *     state => state.bar,
      *     ([foo, bar]) => {...}

From cbfa5ad303f93d8d19dff7af081b03bd0afe6eab Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 15 Feb 2021 14:42:03 +0000
Subject: [PATCH 0142/1429] JS: Change type of a parameter

---
 javascript/ql/src/semmle/javascript/frameworks/Redux.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Redux.qll b/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
index 0da924f2713..74a457a30d2 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
@@ -830,7 +830,7 @@ module Redux {
   /**
    * Holds if `pred -> succ` is step from an action creation to its use in a reducer function.
    */
-  predicate actionToReducerStep(DataFlow::Node pred, DataFlow::SourceNode succ) {
+  predicate actionToReducerStep(DataFlow::Node pred, DataFlow::Node succ) {
     // Actions created by an action creator library
     exists(ActionCreator action |
       exists(DataFlow::CallNode call | call = action.ref().getACall() |

From 2850b8e9523ff614839bbd8a68ff48cecb782b2e Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 15 Feb 2021 15:34:36 +0000
Subject: [PATCH 0143/1429] JS: Fix RangeAnalysis after BasicBlock.dominates
 change

---
 javascript/ql/src/semmle/javascript/RangeAnalysis.qll | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/RangeAnalysis.qll b/javascript/ql/src/semmle/javascript/RangeAnalysis.qll
index 57932f9b509..28f8b59c3fe 100644
--- a/javascript/ql/src/semmle/javascript/RangeAnalysis.qll
+++ b/javascript/ql/src/semmle/javascript/RangeAnalysis.qll
@@ -606,10 +606,10 @@ module RangeAnalysis {
         cfg2BB = cfg2.getBasicBlock() and
         cfg2RBB = cfg2BB.(ReachableBasicBlock) and
         (
-          cfg1RBB.strictlyDominates(cfg2BB) and
+          cfg2BB.getImmediateDominator+() = cfg1RBB and
           cfg = cfg2
           or
-          cfg2RBB.strictlyDominates(cfg1RBB) and
+          cfg1BB.getImmediateDominator+() = cfg2BB and
           cfg = cfg1
         )
       )
@@ -681,7 +681,7 @@ module RangeAnalysis {
       midBB = midcfg.getBasicBlock() and
       midRBB = midBB.(ReachableBasicBlock) and
       cfgBB = cfg.getBasicBlock() and
-      midRBB.strictlyDominates(cfgBB)
+      cfgBB.getImmediateDominator+() = midRBB
     )
   }
 

From b43989e6a1bafc4c2044bf4c301e2c8465752769 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 15 Feb 2021 16:04:37 +0000
Subject: [PATCH 0144/1429] JS: Use API nodes to track dispatch/dispatched
 value sources

---
 .../semmle/javascript/frameworks/Redux.qll    | 79 ++++++-------------
 .../frameworks/Redux/test.expected            | 13 ++-
 .../library-tests/frameworks/Redux/test.ql    |  4 +-
 3 files changed, 33 insertions(+), 63 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Redux.qll b/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
index 74a457a30d2..f924f6ce2ec 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
@@ -62,13 +62,10 @@ module Redux {
     StoreCreation() { this = range }
 
     /** Gets a reference to the store. */
-    DataFlow::SourceNode ref() {
-      // We happen to know that all store-creation sources have API nodes, so just reuse the API node type tracking
-      exists(API::Node apiNode |
-        apiNode.getAnImmediateUse() = this and
-        result = apiNode.getAUse()
-      )
-    }
+    DataFlow::SourceNode ref() { result = asApiNode().getAUse() }
+
+    /** Gets an API node that refers to this store creation. */
+    API::Node asApiNode() { result.getAnImmediateUse() = this }
 
     /** Gets the data flow node holding the root reducer for this store. */
     DataFlow::Node getReducerArg() { result = range.getReducerArg() }
@@ -751,57 +748,34 @@ module Redux {
   }
 
   /**
-   * A source of the `dispatch` function, used as starting point for `getADispatchFunctionReference`.
+   * A source of the `dispatch` function, used as starting point for `getADispatchFunctionNode`.
    */
-  abstract private class DispatchFunctionSource extends DataFlow::SourceNode { }
+  abstract private class DispatchFunctionSource extends API::Node { }
 
   /**
    * A value that is dispatched, that is, flows to the first argument of `dispatch`
    * (but where the call to `dispatch` is not necessarily explicit in the code).
    *
-   * Used as starting point for `getADispatchedValueSource`.
+   * Used as starting point for `getADispatchedValueNode`.
    */
-  abstract private class DispatchedValueSink extends DataFlow::Node { }
+  abstract private class DispatchedValueSink extends API::Node { }
 
-  private class StoreDispatchSource extends DispatchFunctionSource {
-    StoreDispatchSource() { this = any(StoreCreation c).ref().getAPropertyRead("dispatch") }
-  }
-
-  /** Gets a data flow node referring to the `dispatch` function. */
-  private DataFlow::SourceNode getADispatchFunctionReference(DataFlow::TypeTracker t) {
-    t.start() and
+  /** Gets an API node referring to the Redux `dispatch` function. */
+  API::Node getADispatchFunctionNode() {
     result instanceof DispatchFunctionSource
     or
-    // When using the redux-thunk middleware, dispatching a function value results in that
-    // function being invoked with (dispatch, getState).
-    // We simply assume redux-thunk middleware is always installed.
-    t.start() and
-    result = getADispatchedValueSource().(DataFlow::FunctionNode).getParameter(0)
-    or
-    exists(DataFlow::TypeTracker t2 | result = getADispatchFunctionReference(t2).track(t2, t))
+    result = getADispatchedValueNode().getParameter(0)
   }
 
-  /** Gets a data flow node referring to the `dispatch` function. */
-  DataFlow::SourceNode getADispatchFunctionReference() {
-    result = getADispatchFunctionReference(DataFlow::TypeTracker::end())
+  /** Gets an API node corresponding to a value being passed to the `dispatch` function. */
+  API::Node getADispatchedValueNode() {
+    result instanceof DispatchedValueSink
+    or
+    result = getADispatchFunctionNode().getParameter(0)
   }
 
-  /** Gets a data flow node that is dispatched as an action. */
-  private DataFlow::SourceNode getADispatchedValueSource(DataFlow::TypeBackTracker t) {
-    t.start() and
-    result = any(DispatchedValueSink d).getALocalSource()
-    or
-    t.start() and
-    result = getADispatchFunctionReference().getACall().getArgument(0).getALocalSource()
-    or
-    exists(DataFlow::TypeBackTracker t2 | result = getADispatchedValueSource(t2).backtrack(t2, t))
-  }
-
-  /**
-   * Gets a data flow node that is dispatched as an action, that is, it flows to the first argument of `dispatch`.
-   */
-  DataFlow::SourceNode getADispatchedValueSource() {
-    result = getADispatchedValueSource(DataFlow::TypeBackTracker::end())
+  private class StoreDispatchSource extends DispatchFunctionSource {
+    StoreDispatchSource() { this = any(StoreCreation c).asApiNode().getMember("dispatch") }
   }
 
   /** Gets the `action` parameter of a reducer that isn't behind an implied type guard. */
@@ -823,7 +797,7 @@ module Redux {
   /** The return value of a function flowing into `bindActionCreators`, seen as a value that is dispatched. */
   private class BindActionDispatchSink extends DispatchedValueSink {
     BindActionDispatchSink() {
-      this = any(BindActionCreatorsCall c).getParameter(0).getAMember().getReturn().getARhs()
+      this = any(BindActionCreatorsCall c).getParameter(0).getAMember().getReturn()
     }
   }
 
@@ -958,7 +932,7 @@ module Redux {
    */
   private DataFlow::ObjectLiteralNode getAManuallyDispatchedValue(string actionType) {
     result.getAPropertyWrite("type").getRhs().mayHaveStringValue(actionType) and
-    result = getADispatchedValueSource()
+    result = getADispatchedValueNode().getAValueReachingRhs()
   }
 
   /**
@@ -1054,8 +1028,7 @@ module Redux {
     /** A call to `useDispatch`, as a source of the `dispatch` function. */
     private class UseDispatchFunctionSource extends DispatchFunctionSource {
       UseDispatchFunctionSource() {
-        this =
-          API::moduleImport("react-redux").getMember("useDispatch").getReturn().getAnImmediateUse()
+        this = API::moduleImport("react-redux").getMember("useDispatch").getReturn()
       }
     }
 
@@ -1136,9 +1109,9 @@ module Redux {
     /**
      * An API entry point corresponding to a `connect` function which we couldn't recognize exactly.
      *
-     * The `connect` call is recognized based on an argument being named either `mapStateToProps` or `mapDispatchToProps`. 
+     * The `connect` call is recognized based on an argument being named either `mapStateToProps` or `mapDispatchToProps`.
      * Used to catch cases where the `connect` function was not recognized by API graphs (usually because of it being
-     * wrapped in another function, which API graphs won't look through). 
+     * wrapped in another function, which API graphs won't look through).
      */
     private class HeuristicConnectEntryPoint extends API::EntryPoint {
       HeuristicConnectEntryPoint() { this = "react-redux-connect" }
@@ -1197,15 +1170,13 @@ module Redux {
 
     /** The first argument to `mapDispatchToProps` as a source of the `dispatch` function */
     private class MapDispatchToPropsArg extends DispatchFunctionSource {
-      MapDispatchToPropsArg() {
-        this = any(ConnectCall c).getMapDispatchToProps().getParameter(0).getAnImmediateUse()
-      }
+      MapDispatchToPropsArg() { this = any(ConnectCall c).getMapDispatchToProps().getParameter(0) }
     }
 
     /** If `mapDispatchToProps` is an object, each method's return value is dispatched. */
     private class MapDispatchToPropsMember extends DispatchedValueSink {
       MapDispatchToPropsMember() {
-        this = any(ConnectCall c).getMapDispatchToProps().getAMember().getReturn().getARhs()
+        this = any(ConnectCall c).getMapDispatchToProps().getAMember().getReturn()
       }
     }
 
diff --git a/javascript/ql/test/library-tests/frameworks/Redux/test.expected b/javascript/ql/test/library-tests/frameworks/Redux/test.expected
index ec2207885ad..36964685247 100644
--- a/javascript/ql/test/library-tests/frameworks/Redux/test.expected
+++ b/javascript/ql/test/library-tests/frameworks/Redux/test.expected
@@ -122,13 +122,12 @@ getAffectedStateAccessPath
 | react-redux.jsx:60:14:60:27 | toolkitReducer | toolkit |
 | react-redux.jsx:61:13:61:25 | manualReducer | manual |
 | trivial.js:130:14:130:46 | wrapper ...  state) | wrapped |
-getADispatchFunctionReference
-| react-redux.jsx:65:20:65:32 | useDispatch() |
-getADispatchedValueSource
-| react-redux.jsx:26:1:31:1 | return of function manualAction |
-| react-redux.jsx:27:12:30:5 | {\\n      ... x\\n    } |
-| react-redux.jsx:69:18:69:39 | manualA ... urce()) |
-| react-redux.jsx:70:18:70:38 | asyncAc ... urce()) |
+getADispatchFunctionNode
+| react-redux.jsx:65:20:65:32 | use (return (member useDispatch (member exports (module react-redux)))) |
+getADispatchedValueNode
+| react-redux.jsx:27:12:30:5 | def (return (member manualAction (parameter 1 (react-redux-connect)))) |
+| react-redux.jsx:69:18:69:39 | def (parameter 0 (return (member useDispatch (member exports (module react-redux))))) |
+| react-redux.jsx:70:18:70:38 | def (parameter 0 (return (member useDispatch (member exports (module react-redux))))) |
 getAnUntypedActionInReducer
 | exportedReducer.js:12:20:12:25 | action |
 | react-redux.jsx:32:31:32:36 | action |
diff --git a/javascript/ql/test/library-tests/frameworks/Redux/test.ql b/javascript/ql/test/library-tests/frameworks/Redux/test.ql
index ee0ff683951..452e861b47a 100644
--- a/javascript/ql/test/library-tests/frameworks/Redux/test.ql
+++ b/javascript/ql/test/library-tests/frameworks/Redux/test.ql
@@ -30,9 +30,9 @@ query Redux::ReducerArg getUseSite(Redux::DelegatingReducer reducer) {
   result = reducer.getUseSite()
 }
 
-query predicate getADispatchFunctionReference = Redux::getADispatchFunctionReference/0;
+query predicate getADispatchFunctionNode = Redux::getADispatchFunctionNode/0;
 
-query predicate getADispatchedValueSource = Redux::getADispatchedValueSource/0;
+query predicate getADispatchedValueNode = Redux::getADispatchedValueNode/0;
 
 query predicate getAnUntypedActionInReducer = Redux::getAnUntypedActionInReducer/0;
 

From 86bc0eb853de8186124b5cafd9112ba46206b6c0 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 15 Feb 2021 16:15:37 +0000
Subject: [PATCH 0145/1429] JS: Autoformat

---
 javascript/ql/test/library-tests/frameworks/Redux/test.ql | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/javascript/ql/test/library-tests/frameworks/Redux/test.ql b/javascript/ql/test/library-tests/frameworks/Redux/test.ql
index 452e861b47a..2faffdbd5d0 100644
--- a/javascript/ql/test/library-tests/frameworks/Redux/test.ql
+++ b/javascript/ql/test/library-tests/frameworks/Redux/test.ql
@@ -60,4 +60,6 @@ query predicate taintFlow(DataFlow::Node source, DataFlow::Node sink) {
   any(BasicTaint cfg).hasFlow(source, sink)
 }
 
-query DataFlow::SourceNode reactComponentRef(ReactComponent component) { result = component.getAComponentCreatorReference() }
+query DataFlow::SourceNode reactComponentRef(ReactComponent component) {
+  result = component.getAComponentCreatorReference()
+}

From 7119eda009b1a7c07e31e303fa6aa4718bb0450e Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Thu, 18 Feb 2021 13:32:42 +0000
Subject: [PATCH 0146/1429] JS: Add redux change note

---
 javascript/change-notes/2021-02-18-redux.md | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 javascript/change-notes/2021-02-18-redux.md

diff --git a/javascript/change-notes/2021-02-18-redux.md b/javascript/change-notes/2021-02-18-redux.md
new file mode 100644
index 00000000000..91a3b95e63c
--- /dev/null
+++ b/javascript/change-notes/2021-02-18-redux.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Support for Redux has improved. The security queries can now track taint through reducer functions and state managed by Redux.
+  Affected packages are `redux`, `react-redux`, `@reduxjs/toolkit`, `redux-actions`, `redux-persist`, `reduce-reducers`, `redux-immutable`, and `immer`.

From a9566728b51acbbd0ac0e6f8251e548f5d1c02ed Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Wed, 24 Mar 2021 15:36:12 +0000
Subject: [PATCH 0147/1429] JS: Update an import of Unit type

---
 javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll
index 4b545b002f5..88d13ce9d77 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll
@@ -9,7 +9,7 @@
 private import javascript
 private import internal.FlowSteps
 private import internal.StepSummary
-private import internal.Unit
+private import semmle.javascript.Unit
 private import semmle.javascript.internal.CachedStages
 
 private newtype TTypeTracker = MkTypeTracker(Boolean hasCall, OptionalPropertyName prop)

From f07030ba972fbe28b85ee46c3c99cb972c5ee1b8 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Wed, 24 Mar 2021 15:36:24 +0000
Subject: [PATCH 0148/1429] JS: Update AdditionalFlowStep -> SharedFlowStep

---
 .../semmle/javascript/frameworks/Redux.qll    | 28 ++++++-------------
 1 file changed, 9 insertions(+), 19 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Redux.qll b/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
index f924f6ce2ec..0986d1079e0 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
@@ -848,19 +848,13 @@ module Redux {
     )
   }
 
-  private class ActionToReducerStep extends DataFlow::AdditionalFlowStep {
-    ActionToReducerStep() {
-      actionToReducerStep(_, this)
-      or
-      actionToReducerPromiseStep(_, this)
-    }
-
+  private class ActionToReducerStep extends DataFlow::SharedFlowStep {
     override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-      actionToReducerStep(pred, succ) and succ = this
+      actionToReducerStep(pred, succ)
     }
 
     override predicate loadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
-      actionToReducerPromiseStep(pred, succ) and succ = this and prop = Promises::valueProp()
+      actionToReducerPromiseStep(pred, succ) and prop = Promises::valueProp()
     }
   }
 
@@ -919,11 +913,9 @@ module Redux {
     )
   }
 
-  private class ReducerToStateStep extends DataFlow::AdditionalFlowStep {
-    ReducerToStateStep() { reducerToStateStep(_, this) }
-
+  private class ReducerToStateStep extends DataFlow::SharedFlowStep {
     override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-      reducerToStateStep(pred, succ) and succ = this
+      reducerToStateStep(pred, succ)
     }
   }
 
@@ -981,8 +973,8 @@ module Redux {
   /**
    * Defines a flow step to be used for propagating tracking access to `state`.
    *
-   * An `AdditionalFlowStep` is generated for these steps as well.
-   * It is distinct from `AdditionalFlowStep` to avoid recursion between that and the propagation of `state`.
+   * A `SharedFlowStep` is generated for these steps as well.
+   * It is distinct from `SharedFlowStep` to avoid recursion between that and the propagation of `state`.
    */
   private class StateStep extends Unit {
     abstract predicate step(DataFlow::Node pred, DataFlow::Node succ);
@@ -992,11 +984,9 @@ module Redux {
     any(StateStep s).step(pred, succ)
   }
 
-  private class StateStepAsFlowStep extends DataFlow::AdditionalFlowStep {
-    StateStepAsFlowStep() { stateStep(_, this) }
-
+  private class StateStepAsFlowStep extends DataFlow::SharedFlowStep {
     override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-      stateStep(pred, succ) and succ = this
+      stateStep(pred, succ)
     }
   }
 

From c4ab6fb7b4dfe809ced84ed4f28093b4e592c7c7 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Thu, 1 Apr 2021 12:43:06 +0100
Subject: [PATCH 0149/1429] JS: Add ImportGraph meta query

---
 javascript/ql/src/meta/alerts/ImportGraph.ql | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 javascript/ql/src/meta/alerts/ImportGraph.ql

diff --git a/javascript/ql/src/meta/alerts/ImportGraph.ql b/javascript/ql/src/meta/alerts/ImportGraph.ql
new file mode 100644
index 00000000000..66173389bd2
--- /dev/null
+++ b/javascript/ql/src/meta/alerts/ImportGraph.ql
@@ -0,0 +1,15 @@
+/**
+ * @name Import graph
+ * @description An edge in the import graph.
+ * @kind problem
+ * @problem.severity recommendation
+ * @id js/meta/alerts/import-graph
+ * @tags meta
+ * @precision very-low
+ */
+
+import javascript
+
+from Import imprt, Module target
+where target = imprt.getImportedModule()
+select imprt, "Import targeting $@", target, target.getFile().getRelativePath()

From 564a6873f87e86cef7698e4ff228ff1da7b25c81 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Thu, 1 Apr 2021 16:31:18 +0100
Subject: [PATCH 0150/1429] JS: Add baseUrl test

---
 .../ql/test/library-tests/TypeScript/BaseUrl/A/index.ts     | 1 +
 .../test/library-tests/TypeScript/BaseUrl/A/tsconfig.json   | 3 +++
 .../ql/test/library-tests/TypeScript/BaseUrl/B/src/foo.ts   | 3 +++
 .../test/library-tests/TypeScript/BaseUrl/B/src/lib/bar.ts  | 3 +++
 .../test/library-tests/TypeScript/BaseUrl/B/tsconfig.json   | 6 ++++++
 .../ql/test/library-tests/TypeScript/BaseUrl/test.expected  | 2 ++
 javascript/ql/test/library-tests/TypeScript/BaseUrl/test.ql | 5 +++++
 .../ql/test/library-tests/TypeScript/BaseUrl/tsconfig.json  | 1 +
 8 files changed, 24 insertions(+)
 create mode 100644 javascript/ql/test/library-tests/TypeScript/BaseUrl/A/index.ts
 create mode 100644 javascript/ql/test/library-tests/TypeScript/BaseUrl/A/tsconfig.json
 create mode 100644 javascript/ql/test/library-tests/TypeScript/BaseUrl/B/src/foo.ts
 create mode 100644 javascript/ql/test/library-tests/TypeScript/BaseUrl/B/src/lib/bar.ts
 create mode 100644 javascript/ql/test/library-tests/TypeScript/BaseUrl/B/tsconfig.json
 create mode 100644 javascript/ql/test/library-tests/TypeScript/BaseUrl/test.expected
 create mode 100644 javascript/ql/test/library-tests/TypeScript/BaseUrl/test.ql
 create mode 100644 javascript/ql/test/library-tests/TypeScript/BaseUrl/tsconfig.json

diff --git a/javascript/ql/test/library-tests/TypeScript/BaseUrl/A/index.ts b/javascript/ql/test/library-tests/TypeScript/BaseUrl/A/index.ts
new file mode 100644
index 00000000000..dabdd5becb1
--- /dev/null
+++ b/javascript/ql/test/library-tests/TypeScript/BaseUrl/A/index.ts
@@ -0,0 +1 @@
+import { Foo } from "../B/src/foo";
diff --git a/javascript/ql/test/library-tests/TypeScript/BaseUrl/A/tsconfig.json b/javascript/ql/test/library-tests/TypeScript/BaseUrl/A/tsconfig.json
new file mode 100644
index 00000000000..a1aaa6366d3
--- /dev/null
+++ b/javascript/ql/test/library-tests/TypeScript/BaseUrl/A/tsconfig.json
@@ -0,0 +1,3 @@
+{
+    "include": ["."]
+}
\ No newline at end of file
diff --git a/javascript/ql/test/library-tests/TypeScript/BaseUrl/B/src/foo.ts b/javascript/ql/test/library-tests/TypeScript/BaseUrl/B/src/foo.ts
new file mode 100644
index 00000000000..8787337fec4
--- /dev/null
+++ b/javascript/ql/test/library-tests/TypeScript/BaseUrl/B/src/foo.ts
@@ -0,0 +1,3 @@
+import { Bar } from "lib/bar";
+
+export class Foo {}
diff --git a/javascript/ql/test/library-tests/TypeScript/BaseUrl/B/src/lib/bar.ts b/javascript/ql/test/library-tests/TypeScript/BaseUrl/B/src/lib/bar.ts
new file mode 100644
index 00000000000..004c1e2fce3
--- /dev/null
+++ b/javascript/ql/test/library-tests/TypeScript/BaseUrl/B/src/lib/bar.ts
@@ -0,0 +1,3 @@
+import { Foo } from "foo";
+
+export class Bar {}
diff --git a/javascript/ql/test/library-tests/TypeScript/BaseUrl/B/tsconfig.json b/javascript/ql/test/library-tests/TypeScript/BaseUrl/B/tsconfig.json
new file mode 100644
index 00000000000..9a40e581b22
--- /dev/null
+++ b/javascript/ql/test/library-tests/TypeScript/BaseUrl/B/tsconfig.json
@@ -0,0 +1,6 @@
+{
+    "include": ["."],
+    "compilerOptions": {
+        "baseUrl": "./src"
+    }
+}
\ No newline at end of file
diff --git a/javascript/ql/test/library-tests/TypeScript/BaseUrl/test.expected b/javascript/ql/test/library-tests/TypeScript/BaseUrl/test.expected
new file mode 100644
index 00000000000..07c851c21a5
--- /dev/null
+++ b/javascript/ql/test/library-tests/TypeScript/BaseUrl/test.expected
@@ -0,0 +1,2 @@
+| A/index.ts:1:1:1:35 | import  ... c/foo"; | B/src/foo.ts:1:1:4:0 | <toplevel> |
+| B/src/lib/bar.ts:1:1:1:26 | import  ...  "foo"; | B/src/foo.ts:1:1:4:0 | <toplevel> |
diff --git a/javascript/ql/test/library-tests/TypeScript/BaseUrl/test.ql b/javascript/ql/test/library-tests/TypeScript/BaseUrl/test.ql
new file mode 100644
index 00000000000..cfb4c9400e7
--- /dev/null
+++ b/javascript/ql/test/library-tests/TypeScript/BaseUrl/test.ql
@@ -0,0 +1,5 @@
+import javascript
+
+query Module getImportedModule(Import imprt) {
+  result = imprt.getImportedModule()
+}
diff --git a/javascript/ql/test/library-tests/TypeScript/BaseUrl/tsconfig.json b/javascript/ql/test/library-tests/TypeScript/BaseUrl/tsconfig.json
new file mode 100644
index 00000000000..9e26dfeeb6e
--- /dev/null
+++ b/javascript/ql/test/library-tests/TypeScript/BaseUrl/tsconfig.json
@@ -0,0 +1 @@
+{}
\ No newline at end of file

From acc28df785190a6129da861070715d4440a84a70 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Thu, 1 Apr 2021 16:03:13 +0100
Subject: [PATCH 0151/1429] JS: Bugfix in tsconfig file inclusion handling

---
 .../extractor/src/com/semmle/js/parser/ParsedProject.java       | 2 +-
 .../ql/test/library-tests/TypeScript/BaseUrl/test.expected      | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/javascript/extractor/src/com/semmle/js/parser/ParsedProject.java b/javascript/extractor/src/com/semmle/js/parser/ParsedProject.java
index 34315111ba6..45fc5c03fe6 100644
--- a/javascript/extractor/src/com/semmle/js/parser/ParsedProject.java
+++ b/javascript/extractor/src/com/semmle/js/parser/ParsedProject.java
@@ -21,7 +21,7 @@ public class ParsedProject {
 
   /** Absolute paths to the files included in this project. */
   public Set<File> getOwnFiles() {
-    return allFiles;
+    return ownFiles;
   }
 
   /** Absolute paths to the files included in or referenced by this project. */
diff --git a/javascript/ql/test/library-tests/TypeScript/BaseUrl/test.expected b/javascript/ql/test/library-tests/TypeScript/BaseUrl/test.expected
index 07c851c21a5..e8d11eba315 100644
--- a/javascript/ql/test/library-tests/TypeScript/BaseUrl/test.expected
+++ b/javascript/ql/test/library-tests/TypeScript/BaseUrl/test.expected
@@ -1,2 +1,3 @@
 | A/index.ts:1:1:1:35 | import  ... c/foo"; | B/src/foo.ts:1:1:4:0 | <toplevel> |
+| B/src/foo.ts:1:1:1:30 | import  ... b/bar"; | B/src/lib/bar.ts:1:1:4:0 | <toplevel> |
 | B/src/lib/bar.ts:1:1:1:26 | import  ...  "foo"; | B/src/foo.ts:1:1:4:0 | <toplevel> |

From 32500c834d383ea6a1ddf0b4a37173582a041342 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Thu, 1 Apr 2021 16:40:21 +0100
Subject: [PATCH 0152/1429] JS: Change note

---
 .../2021-04-01-tsconfig-file-inclusion-handling.md             | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 javascript/change-notes/2021-04-01-tsconfig-file-inclusion-handling.md

diff --git a/javascript/change-notes/2021-04-01-tsconfig-file-inclusion-handling.md b/javascript/change-notes/2021-04-01-tsconfig-file-inclusion-handling.md
new file mode 100644
index 00000000000..a1d61f71723
--- /dev/null
+++ b/javascript/change-notes/2021-04-01-tsconfig-file-inclusion-handling.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Fixed a bug which caused some imports to be resolved incorrectly
+  for projects containing multiple `tsconfig.json` files.

From d1462eda1ca9e9badbdd84b98dfd0028319a1eca Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Tue, 6 Apr 2021 00:59:31 +0200
Subject: [PATCH 0153/1429] [Java] Add "missing jwt signature check" query.

---
 .../CWE/CWE-347/MissingJWTSignatureCheck.ql   | 177 ++++++++++++++++++
 1 file changed, 177 insertions(+)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql

diff --git a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
new file mode 100644
index 00000000000..cd8f079f7fe
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
@@ -0,0 +1,177 @@
+/**
+ * @name Missing JWT signature check
+ * @description Not checking the JWT signature allows an attacker to forge their own tokens.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id java/missing-jwt-signature-check
+ * @tags security
+ *       external/cwe/cwe-347
+ */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+
+/** The interface `io.jsonwebtoken.JwtParser`. */
+class TypeJwtParser extends Interface {
+  TypeJwtParser() { hasQualifiedName("io.jsonwebtoken", "JwtParser") }
+}
+
+/** The interface `io.jsonwebtoken.JwtParserBuilder`. */
+class TypeJwtParserBuilder extends Interface {
+  TypeJwtParserBuilder() { hasQualifiedName("io.jsonwebtoken", "JwtParserBuilder") }
+}
+
+/** The interface `io.jsonwebtoken.JwtHandler`. */
+class TypeJwtHandler extends Interface {
+  TypeJwtHandler() { hasQualifiedName("io.jsonwebtoken", "JwtHandler") }
+}
+
+/** The class `io.jsonwebtoken.JwtHandlerAdapter`. */
+class TypeJwtHandlerAdapter extends Class {
+  TypeJwtHandlerAdapter() { hasQualifiedName("io.jsonwebtoken", "JwtHandlerAdapter") }
+}
+
+/** The `parse(token, handler)` method defined in `TypeJwtParser`. */
+private class JwtParserParseHandlerMethod extends Method {
+  JwtParserParseHandlerMethod() {
+    hasName("parse") and
+    getDeclaringType() instanceof TypeJwtParser and
+    getNumberOfParameters() = 2
+  }
+}
+
+/** The `parse(token)`, `parseClaimsJwt(token)` and `parsePlaintextJwt(token)` methods defined in `TypeJwtParser`. */
+private class JwtParserInsecureParseMethods extends Method {
+  JwtParserInsecureParseMethods() {
+    hasName(["parse", "parseClaimsJwt", "parsePlaintextJwt"]) and
+    getNumberOfParameters() = 1 and
+    getDeclaringType() instanceof TypeJwtParser
+  }
+}
+
+/** The `onClaimsJwt(jwt)` and `onPlaintextJwt(jwt)` methods defined in `TypeJwtHandler`. */
+private class JwtHandlerOnJwtMethods extends Method {
+  JwtHandlerOnJwtMethods() {
+    hasName(["onClaimsJwt", "onPlaintextJwt"]) and
+    getNumberOfParameters() = 1 and
+    getDeclaringType() instanceof TypeJwtHandler
+  }
+}
+
+/** The `onClaimsJwt(jwt)` and `onPlaintextJwt(jwt)` methods defined in `TypeJwtHandlerAdapter`. */
+private class JwtHandlerAdapterOnJwtMethods extends Method {
+  JwtHandlerAdapterOnJwtMethods() {
+    hasName(["onClaimsJwt", "onPlaintextJwt"]) and
+    getNumberOfParameters() = 1 and
+    getDeclaringType() instanceof TypeJwtHandlerAdapter
+  }
+}
+
+/**
+ * Holds if `parseHandlerExpr` is an insecure `JwtHandler`.
+ * That is, it overrides a method from `JwtHandlerOnJwtMethods` and the overriden method is not a method from `JwtHandlerAdapterOnJwtMethods`.
+ * A overriden method which is a method from `JwtHandlerAdapterOnJwtMethods` is safe, because these always throw an exception.
+ */
+private predicate isInsecureParseHandler(Expr parseHandlerExpr) {
+  exists(RefType t |
+    parseHandlerExpr.getType() = t and
+    t.getASourceSupertype*() instanceof TypeJwtHandler and
+    exists(Method m |
+      m = t.getAMethod() and
+      m.getASourceOverriddenMethod+() instanceof JwtHandlerOnJwtMethods and
+      not m.getSourceDeclaration() instanceof JwtHandlerAdapterOnJwtMethods
+    )
+  )
+}
+
+/**
+ * An access to an insecure parsing method.
+ * That is, either a call to a `parse(token)`, `parseClaimsJwt(token)` or `parsePlaintextJwt(token)` method or
+ * a call to a `parse(token, handler)` method where the `handler` is considered insecure.
+ */
+private class JwtParserInsecureParseMethodAccess extends MethodAccess {
+  JwtParserInsecureParseMethodAccess() {
+    getMethod().getASourceOverriddenMethod*() instanceof JwtParserInsecureParseMethods
+    or
+    getMethod().getASourceOverriddenMethod*() instanceof JwtParserParseHandlerMethod and
+    isInsecureParseHandler(this.getArgument(1))
+  }
+}
+
+/**
+ * Holds if `signingMa` directly or indirectly sets a signing key for `expr`, which is a `TypeJwtParser`.
+ * The `setSigningKey` and `setSigningKeyResolver` methods set a signing key for a `TypeJwtParser`.
+ * Directly means code like this:
+ * ```java
+ * Jwts.parser().setSigningKey(key).parse(token);
+ * ```
+ * Here the signing key is set directly on a `TypeJwtParser`.
+ * Indirectly means code like this:
+ * ```java
+ * Jwts.parserBuilder().setSigningKey(key).build().parse(token);
+ * ```
+ * In this case, the signing key is set on a `TypeJwtParserBuilder` indirectly setting the key of `TypeJwtParser` that is created by the call to `build`.
+ */
+private predicate isSigningKeySet(Expr expr, MethodAccess signingMa) {
+  any(SigningToExprDataFlow s).hasFlow(DataFlow::exprNode(signingMa), DataFlow::exprNode(expr))
+}
+
+/** An expr that is a `TypeJwtParser` for which a signing key has been set. */
+private class JwtParserWithSigningKeyExpr extends Expr {
+  MethodAccess signingMa;
+
+  JwtParserWithSigningKeyExpr() {
+    this.getType().(RefType).getASourceSupertype*() instanceof TypeJwtParser and
+    isSigningKeySet(this, signingMa)
+  }
+
+  /** Gets the method access that sets the signing key for this parser. */
+  MethodAccess getSigningMethodAccess() { result = signingMa }
+}
+
+/**
+ * Models flow from `SigningKeyMethodAccess`es to expressions that are a (sub-type of) `TypeJwtParser`.
+ * This is used to determine whether a `TypeJwtParser` has a signing key set.
+ */
+private class SigningToExprDataFlow extends DataFlow::Configuration {
+  SigningToExprDataFlow() { this = "SigningToExprDataFlow" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof SigningKeyMethodAccess
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink.asExpr().getType().(RefType).getASourceSupertype*() instanceof TypeJwtParser
+  }
+
+  /** Models the builder style of `TypeJwtParser` and `TypeJwtParserBuilder`. */
+  override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+    (
+      pred.asExpr().getType().(RefType).getASourceSupertype*() instanceof TypeJwtParser or
+      pred.asExpr().getType().(RefType).getASourceSupertype*() instanceof TypeJwtParserBuilder
+    ) and
+    succ.asExpr().(MethodAccess).getQualifier() = pred.asExpr()
+  }
+}
+
+/** An access to the `setSigningKey` or `setSigningKeyResolver` method (or an overriden method) defined in `TypeJwtParser` and `TypeJwtParserBuilder`. */
+private class SigningKeyMethodAccess extends MethodAccess {
+  SigningKeyMethodAccess() {
+    exists(Method m |
+      m.hasName(["setSigningKey", "setSigningKeyResolver"]) and
+      m.getNumberOfParameters() = 1 and
+      (
+        m.getDeclaringType() instanceof TypeJwtParser or
+        m.getDeclaringType() instanceof TypeJwtParserBuilder
+      )
+    |
+      m = this.getMethod().getASourceOverriddenMethod*()
+    )
+  }
+}
+
+from JwtParserInsecureParseMethodAccess ma, JwtParserWithSigningKeyExpr parserExpr
+where ma.getQualifier() = parserExpr
+select ma, "A signing key is set $@, but the signature is not verified.",
+  parserExpr.getSigningMethodAccess(), "here"

From b7e49c78feca414a83b718bd5a6a72396525bc79 Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Tue, 6 Apr 2021 01:00:24 +0200
Subject: [PATCH 0154/1429] [Java] Add stubs for jwtk-jjwt-0.11.2

---
 .../stubs/jwtk-jjwt-0.11.2/LICENSE            |  201 +++
 .../io/jsonwebtoken/ClaimJwtException.java    |   51 +
 .../io/jsonwebtoken/Claims.java               |  191 +++
 .../io/jsonwebtoken/ClaimsMutator.java        |  102 ++
 .../io/jsonwebtoken/Clock.java                |   33 +
 .../io/jsonwebtoken/CompressionCodec.java     |   55 +
 .../CompressionCodecResolver.java             |   46 +
 .../io/jsonwebtoken/CompressionCodecs.java    |   49 +
 .../io/jsonwebtoken/CompressionException.java |   33 +
 .../io/jsonwebtoken/ExpiredJwtException.java  |   39 +
 .../io/jsonwebtoken/Header.java               |  132 ++
 .../jsonwebtoken/IncorrectClaimException.java |   33 +
 .../jsonwebtoken/InvalidClaimException.java   |   55 +
 .../jwtk-jjwt-0.11.2/io/jsonwebtoken/Jws.java |   28 +
 .../io/jsonwebtoken/JwsHeader.java            |  107 ++
 .../jwtk-jjwt-0.11.2/io/jsonwebtoken/Jwt.java |   40 +
 .../io/jsonwebtoken/JwtBuilder.java           |  530 ++++++++
 .../io/jsonwebtoken/JwtException.java         |   32 +
 .../io/jsonwebtoken/JwtHandler.java           |   68 +
 .../io/jsonwebtoken/JwtHandlerAdapter.java    |   52 +
 .../io/jsonwebtoken/JwtParser.java            |  596 +++++++++
 .../io/jsonwebtoken/JwtParserBuilder.java     |  307 +++++
 .../io/jsonwebtoken/Jwts.java                 |  143 ++
 .../jsonwebtoken/MalformedJwtException.java   |   32 +
 .../jsonwebtoken/MissingClaimException.java   |   32 +
 .../jsonwebtoken/PrematureJwtException.java   |   39 +
 .../jsonwebtoken/RequiredTypeException.java   |   32 +
 .../io/jsonwebtoken/SignatureAlgorithm.java   |  655 ++++++++++
 .../io/jsonwebtoken/SignatureException.java   |   36 +
 .../io/jsonwebtoken/SigningKeyResolver.java   |   73 ++
 .../SigningKeyResolverAdapter.java            |   99 ++
 .../jsonwebtoken/UnsupportedJwtException.java |   36 +
 .../jsonwebtoken/impl/DefaultJwtParser.java   |  211 +++
 .../impl/crypto/JwtSignatureValidator.java    |   21 +
 .../io/jsonwebtoken/io/Base64.java            |  680 ++++++++++
 .../io/jsonwebtoken/io/Base64Decoder.java     |   38 +
 .../io/jsonwebtoken/io/Base64Encoder.java     |   38 +
 .../io/jsonwebtoken/io/Base64Support.java     |   31 +
 .../io/jsonwebtoken/io/Base64UrlDecoder.java  |   26 +
 .../io/jsonwebtoken/io/Base64UrlEncoder.java  |   26 +
 .../io/jsonwebtoken/io/CodecException.java    |   30 +
 .../io/jsonwebtoken/io/Decoder.java           |   24 +
 .../io/jsonwebtoken/io/Decoders.java          |   28 +
 .../io/jsonwebtoken/io/DecodingException.java |   30 +
 .../io/DeserializationException.java          |   30 +
 .../io/jsonwebtoken/io/Deserializer.java      |   24 +
 .../io/jsonwebtoken/io/Encoder.java           |   24 +
 .../io/jsonwebtoken/io/Encoders.java          |   28 +
 .../io/jsonwebtoken/io/EncodingException.java |   26 +
 .../io/ExceptionPropagatingDecoder.java       |   44 +
 .../io/ExceptionPropagatingEncoder.java       |   44 +
 .../io/jsonwebtoken/io/IOException.java       |   32 +
 .../io/jsonwebtoken/io/SerialException.java   |   30 +
 .../io/SerializationException.java            |   30 +
 .../io/jsonwebtoken/io/Serializer.java        |   25 +
 .../io/jsonwebtoken/lang/Arrays.java          |   32 +
 .../io/jsonwebtoken/lang/Assert.java          |  377 ++++++
 .../io/jsonwebtoken/lang/Classes.java         |  254 ++++
 .../io/jsonwebtoken/lang/Collections.java     |  365 ++++++
 .../io/jsonwebtoken/lang/DateFormats.java     |   70 +
 .../lang/InstantiationException.java          |   26 +
 .../io/jsonwebtoken/lang/Maps.java            |   87 ++
 .../io/jsonwebtoken/lang/Objects.java         |  927 +++++++++++++
 .../jsonwebtoken/lang/RuntimeEnvironment.java |   65 +
 .../io/jsonwebtoken/lang/Strings.java         | 1147 +++++++++++++++++
 .../lang/UnknownClassException.java           |   64 +
 .../security/InvalidKeyException.java         |   26 +
 .../jsonwebtoken/security/KeyException.java   |   26 +
 .../io/jsonwebtoken/security/Keys.java        |  231 ++++
 .../security/SecurityException.java           |   32 +
 .../security/SignatureException.java          |   30 +
 .../security/WeakKeyException.java            |   26 +
 72 files changed, 9262 insertions(+)
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/LICENSE
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/ClaimJwtException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Claims.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/ClaimsMutator.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Clock.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodec.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodecResolver.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodecs.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/ExpiredJwtException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Header.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/IncorrectClaimException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/InvalidClaimException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jws.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwsHeader.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jwt.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtBuilder.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtHandler.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtHandlerAdapter.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtParser.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtParserBuilder.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jwts.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/MalformedJwtException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/MissingClaimException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/PrematureJwtException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/RequiredTypeException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SignatureAlgorithm.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SignatureException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SigningKeyResolver.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SigningKeyResolverAdapter.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/UnsupportedJwtException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/impl/DefaultJwtParser.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/impl/crypto/JwtSignatureValidator.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Decoder.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Encoder.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Support.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64UrlDecoder.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64UrlEncoder.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/CodecException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Decoder.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Decoders.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/DecodingException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/DeserializationException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Deserializer.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Encoder.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Encoders.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/EncodingException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/ExceptionPropagatingDecoder.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/ExceptionPropagatingEncoder.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/IOException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/SerialException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/SerializationException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Serializer.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Arrays.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Assert.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Classes.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Collections.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/DateFormats.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/InstantiationException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Maps.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Objects.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/RuntimeEnvironment.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Strings.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/UnknownClassException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/InvalidKeyException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/KeyException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/Keys.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/SecurityException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/SignatureException.java
 create mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/WeakKeyException.java

diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/LICENSE b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/LICENSE
new file mode 100644
index 00000000000..5c304d1a4a7
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/LICENSE
@@ -0,0 +1,201 @@
+Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/ClaimJwtException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/ClaimJwtException.java
new file mode 100644
index 00000000000..bb7c81fd550
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/ClaimJwtException.java
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * ClaimJwtException is a subclass of the {@link JwtException} that is thrown after a validation of an JTW claim failed.
+ *
+ * @since 0.5
+ */
+public abstract class ClaimJwtException extends JwtException {
+
+    public static final String INCORRECT_EXPECTED_CLAIM_MESSAGE_TEMPLATE = "Expected %s claim to be: %s, but was: %s.";
+    public static final String MISSING_EXPECTED_CLAIM_MESSAGE_TEMPLATE = "Expected %s claim to be: %s, but was not present in the JWT claims.";
+
+    private final Header header;
+
+    private final Claims claims;
+
+    protected ClaimJwtException(Header header, Claims claims, String message) {
+        super(message);
+        this.header = header;
+        this.claims = claims;
+    }
+
+    protected ClaimJwtException(Header header, Claims claims, String message, Throwable cause) {
+        super(message, cause);
+        this.header = header;
+        this.claims = claims;
+    }
+
+    public Claims getClaims() {
+        return claims;
+    }
+
+    public Header getHeader() {
+        return header;
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Claims.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Claims.java
new file mode 100644
index 00000000000..b5a404fb988
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Claims.java
@@ -0,0 +1,191 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import java.util.Date;
+import java.util.Map;
+
+/**
+ * A JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4">Claims set</a>.
+ *
+ * <p>This is ultimately a JSON map and any values can be added to it, but JWT standard names are provided as
+ * type-safe getters and setters for convenience.</p>
+ *
+ * <p>Because this interface extends {@code Map&lt;String, Object&gt;}, if you would like to add your own properties,
+ * you simply use map methods, for example:</p>
+ *
+ * <pre>
+ * claims.{@link Map#put(Object, Object) put}("someKey", "someValue");
+ * </pre>
+ *
+ * <h3>Creation</h3>
+ *
+ * <p>It is easiest to create a {@code Claims} instance by calling one of the
+ * {@link Jwts#claims() JWTs.claims()} factory methods.</p>
+ *
+ * @since 0.1
+ */
+public interface Claims extends Map<String, Object>, ClaimsMutator<Claims> {
+
+    /** JWT {@code Issuer} claims parameter name: <code>"iss"</code> */
+    public static final String ISSUER = "iss";
+
+    /** JWT {@code Subject} claims parameter name: <code>"sub"</code> */
+    public static final String SUBJECT = "sub";
+
+    /** JWT {@code Audience} claims parameter name: <code>"aud"</code> */
+    public static final String AUDIENCE = "aud";
+
+    /** JWT {@code Expiration} claims parameter name: <code>"exp"</code> */
+    public static final String EXPIRATION = "exp";
+
+    /** JWT {@code Not Before} claims parameter name: <code>"nbf"</code> */
+    public static final String NOT_BEFORE = "nbf";
+
+    /** JWT {@code Issued At} claims parameter name: <code>"iat"</code> */
+    public static final String ISSUED_AT = "iat";
+
+    /** JWT {@code JWT ID} claims parameter name: <code>"jti"</code> */
+    public static final String ID = "jti";
+
+    /**
+     * Returns the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.1">
+     * <code>iss</code></a> (issuer) value or {@code null} if not present.
+     *
+     * @return the JWT {@code iss} value or {@code null} if not present.
+     */
+    String getIssuer();
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override //only for better/targeted JavaDoc
+    Claims setIssuer(String iss);
+
+    /**
+     * Returns the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.2">
+     * <code>sub</code></a> (subject) value or {@code null} if not present.
+     *
+     * @return the JWT {@code sub} value or {@code null} if not present.
+     */
+    String getSubject();
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override //only for better/targeted JavaDoc
+    Claims setSubject(String sub);
+
+    /**
+     * Returns the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.3">
+     * <code>aud</code></a> (audience) value or {@code null} if not present.
+     *
+     * @return the JWT {@code aud} value or {@code null} if not present.
+     */
+    String getAudience();
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override //only for better/targeted JavaDoc
+    Claims setAudience(String aud);
+
+    /**
+     * Returns the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.4">
+     * <code>exp</code></a> (expiration) timestamp or {@code null} if not present.
+     *
+     * <p>A JWT obtained after this timestamp should not be used.</p>
+     *
+     * @return the JWT {@code exp} value or {@code null} if not present.
+     */
+    Date getExpiration();
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override //only for better/targeted JavaDoc
+    Claims setExpiration(Date exp);
+
+    /**
+     * Returns the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.5">
+     * <code>nbf</code></a> (not before) timestamp or {@code null} if not present.
+     *
+     * <p>A JWT obtained before this timestamp should not be used.</p>
+     *
+     * @return the JWT {@code nbf} value or {@code null} if not present.
+     */
+    Date getNotBefore();
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override //only for better/targeted JavaDoc
+    Claims setNotBefore(Date nbf);
+
+    /**
+     * Returns the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.6">
+     * <code>iat</code></a> (issued at) timestamp or {@code null} if not present.
+     *
+     * <p>If present, this value is the timestamp when the JWT was created.</p>
+     *
+     * @return the JWT {@code iat} value or {@code null} if not present.
+     */
+    Date getIssuedAt();
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override //only for better/targeted JavaDoc
+    Claims setIssuedAt(Date iat);
+
+    /**
+     * Returns the JWTs <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.7">
+     * <code>jti</code></a> (JWT ID) value or {@code null} if not present.
+     *
+     * <p>This value is a CaSe-SenSiTiVe unique identifier for the JWT. If available, this value is expected to be
+     * assigned in a manner that ensures that there is a negligible probability that the same value will be
+     * accidentally
+     * assigned to a different data object.  The ID can be used to prevent the JWT from being replayed.</p>
+     *
+     * @return the JWT {@code jti} value or {@code null} if not present.
+     */
+    String getId();
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override //only for better/targeted JavaDoc
+    Claims setId(String jti);
+
+    /**
+     * Returns the JWTs claim ({@code claimName}) value as a type {@code requiredType}, or {@code null} if not present.
+     *
+     * <p>JJWT only converts simple String, Date, Long, Integer, Short and Byte types automatically. Anything more
+     * complex is expected to be already converted to your desired type by the JSON
+     * {@link io.jsonwebtoken.io.Deserializer Deserializer} implementation. You may specify a custom Deserializer for a
+     * JwtParser with the desired conversion configuration via the {@link JwtParserBuilder#deserializeJsonWith} method.
+     * See <a href="https://github.com/jwtk/jjwt#custom-json-processor">custom JSON processor</a></a> for more
+     * information. If using Jackson, you can specify custom claim POJO types as described in
+     * <a href="https://github.com/jwtk/jjwt#json-jackson-custom-types">custom claim types</a>.
+     *
+     * @param claimName name of claim
+     * @param requiredType the type of the value expected to be returned
+     * @param <T> the type of the value expected to be returned
+     * @return the JWT {@code claimName} value or {@code null} if not present.
+     * @throws RequiredTypeException throw if the claim value is not null and not of type {@code requiredType}
+     */
+    <T> T get(String claimName, Class<T> requiredType);
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/ClaimsMutator.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/ClaimsMutator.java
new file mode 100644
index 00000000000..66528d8ffab
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/ClaimsMutator.java
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import java.util.Date;
+
+/**
+ * Mutation (modifications) to a {@link io.jsonwebtoken.Claims Claims} instance.
+ *
+ * @param <T> the type of mutator
+ * @see io.jsonwebtoken.JwtBuilder
+ * @see io.jsonwebtoken.Claims
+ * @since 0.2
+ */
+public interface ClaimsMutator<T extends ClaimsMutator> {
+
+    /**
+     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.1">
+     * <code>iss</code></a> (issuer) value.  A {@code null} value will remove the property from the JSON map.
+     *
+     * @param iss the JWT {@code iss} value or {@code null} to remove the property from the JSON map.
+     * @return the {@code Claims} instance for method chaining.
+     */
+    T setIssuer(String iss);
+
+    /**
+     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.2">
+     * <code>sub</code></a> (subject) value.  A {@code null} value will remove the property from the JSON map.
+     *
+     * @param sub the JWT {@code sub} value or {@code null} to remove the property from the JSON map.
+     * @return the {@code Claims} instance for method chaining.
+     */
+    T setSubject(String sub);
+
+    /**
+     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.3">
+     * <code>aud</code></a> (audience) value.  A {@code null} value will remove the property from the JSON map.
+     *
+     * @param aud the JWT {@code aud} value or {@code null} to remove the property from the JSON map.
+     * @return the {@code Claims} instance for method chaining.
+     */
+    T setAudience(String aud);
+
+    /**
+     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.4">
+     * <code>exp</code></a> (expiration) timestamp.  A {@code null} value will remove the property from the JSON map.
+     *
+     * <p>A JWT obtained after this timestamp should not be used.</p>
+     *
+     * @param exp the JWT {@code exp} value or {@code null} to remove the property from the JSON map.
+     * @return the {@code Claims} instance for method chaining.
+     */
+    T setExpiration(Date exp);
+
+    /**
+     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.5">
+     * <code>nbf</code></a> (not before) timestamp.  A {@code null} value will remove the property from the JSON map.
+     *
+     * <p>A JWT obtained before this timestamp should not be used.</p>
+     *
+     * @param nbf the JWT {@code nbf} value or {@code null} to remove the property from the JSON map.
+     * @return the {@code Claims} instance for method chaining.
+     */
+    T setNotBefore(Date nbf);
+
+    /**
+     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.6">
+     * <code>iat</code></a> (issued at) timestamp.  A {@code null} value will remove the property from the JSON map.
+     *
+     * <p>The value is the timestamp when the JWT was created.</p>
+     *
+     * @param iat the JWT {@code iat} value or {@code null} to remove the property from the JSON map.
+     * @return the {@code Claims} instance for method chaining.
+     */
+    T setIssuedAt(Date iat);
+
+    /**
+     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.7">
+     * <code>jti</code></a> (JWT ID) value.  A {@code null} value will remove the property from the JSON map.
+     *
+     * <p>This value is a CaSe-SenSiTiVe unique identifier for the JWT. If specified, this value MUST be assigned in a
+     * manner that ensures that there is a negligible probability that the same value will be accidentally
+     * assigned to a different data object.  The ID can be used to prevent the JWT from being replayed.</p>
+     *
+     * @param jti the JWT {@code jti} value or {@code null} to remove the property from the JSON map.
+     * @return the {@code Claims} instance for method chaining.
+     */
+    T setId(String jti);
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Clock.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Clock.java
new file mode 100644
index 00000000000..584dd605f0b
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Clock.java
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import java.util.Date;
+
+/**
+ * A clock represents a time source that can be used when creating and verifying JWTs.
+ *
+ * @since 0.7.0
+ */
+public interface Clock {
+
+    /**
+     * Returns the clock's current timestamp at the instant the method is invoked.
+     *
+     * @return the clock's current timestamp at the instant the method is invoked.
+     */
+    Date now();
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodec.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodec.java
new file mode 100644
index 00000000000..47e54761e19
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodec.java
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2015 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * Compresses and decompresses byte arrays according to a compression algorithm.
+ *
+ * @see CompressionCodecs#DEFLATE
+ * @see CompressionCodecs#GZIP
+ * @since 0.6.0
+ */
+public interface CompressionCodec {
+
+    /**
+     * The compression algorithm name to use as the JWT's {@code zip} header value.
+     *
+     * @return the compression algorithm name to use as the JWT's {@code zip} header value.
+     */
+    String getAlgorithmName();
+
+    /**
+     * Compresses the specified byte array according to the compression {@link #getAlgorithmName() algorithm}.
+     *
+     * @param payload bytes to compress
+     * @return compressed bytes
+     * @throws CompressionException if the specified byte array cannot be compressed according to the compression
+     *                              {@link #getAlgorithmName() algorithm}.
+     */
+    byte[] compress(byte[] payload) throws CompressionException;
+
+    /**
+     * Decompresses the specified compressed byte array according to the compression
+     * {@link #getAlgorithmName() algorithm}.  The specified byte array must already be in compressed form
+     * according to the {@link #getAlgorithmName() algorithm}.
+     *
+     * @param compressed compressed bytes
+     * @return decompressed bytes
+     * @throws CompressionException if the specified byte array cannot be decompressed according to the compression
+     *                              {@link #getAlgorithmName() algorithm}.
+     */
+    byte[] decompress(byte[] compressed) throws CompressionException;
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodecResolver.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodecResolver.java
new file mode 100644
index 00000000000..50ebe08fc62
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodecResolver.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2015 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * Looks for a JWT {@code zip} header, and if found, returns the corresponding {@link CompressionCodec} the parser
+ * can use to decompress the JWT body.
+ *
+ * <p>JJWT's default {@link JwtParser} implementation supports both the
+ * {@link CompressionCodecs#DEFLATE DEFLATE}
+ * and {@link CompressionCodecs#GZIP GZIP} algorithms by default - you do not need to
+ * specify a {@code CompressionCodecResolver} in these cases.</p>
+ *
+ * <p>However, if you want to use a compression algorithm other than {@code DEF} or {@code GZIP}, you must implement
+ * your own {@link CompressionCodecResolver} and specify that when
+ * {@link io.jsonwebtoken.JwtBuilder#compressWith(CompressionCodec) building} and
+ * {@link io.jsonwebtoken.JwtParser#setCompressionCodecResolver(CompressionCodecResolver) parsing} JWTs.</p>
+ *
+ * @since 0.6.0
+ */
+public interface CompressionCodecResolver {
+
+    /**
+     * Looks for a JWT {@code zip} header, and if found, returns the corresponding {@link CompressionCodec} the parser
+     * can use to decompress the JWT body.
+     *
+     * @param header of the JWT
+     * @return CompressionCodec matching the {@code zip} header, or null if there is no {@code zip} header.
+     * @throws CompressionException if a {@code zip} header value is found and not supported.
+     */
+    CompressionCodec resolveCompressionCodec(Header header) throws CompressionException;
+
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodecs.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodecs.java
new file mode 100644
index 00000000000..71c2e8bb55e
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodecs.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import io.jsonwebtoken.lang.Classes;
+
+/**
+ * Provides default implementations of the {@link CompressionCodec} interface.
+ *
+ * @see #DEFLATE
+ * @see #GZIP
+ * @since 0.7.0
+ */
+public final class CompressionCodecs {
+
+    private CompressionCodecs() {
+    } //prevent external instantiation
+
+    /**
+     * Codec implementing the <a href="https://tools.ietf.org/html/rfc7518">JWA</a> standard
+     * <a href="https://en.wikipedia.org/wiki/DEFLATE">deflate</a> compression algorithm
+     */
+    public static final CompressionCodec DEFLATE =
+        Classes.newInstance("io.jsonwebtoken.impl.compression.DeflateCompressionCodec");
+
+    /**
+     * Codec implementing the <a href="https://en.wikipedia.org/wiki/Gzip">gzip</a> compression algorithm.
+     * <h3>Compatibility Warning</h3>
+     * <p><b>This is not a standard JWA compression algorithm</b>.  Be sure to use this only when you are confident
+     * that all parties accessing the token support the gzip algorithm.</p>
+     * <p>If you're concerned about compatibility, the {@link #DEFLATE DEFLATE} code is JWA standards-compliant.</p>
+     */
+    public static final CompressionCodec GZIP =
+        Classes.newInstance("io.jsonwebtoken.impl.compression.GzipCompressionCodec");
+
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionException.java
new file mode 100644
index 00000000000..287ccfb01ae
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionException.java
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2015 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * Exception indicating that either compressing or decompressing an JWT body failed.
+ *
+ * @since 0.6.0
+ */
+public class CompressionException extends JwtException {
+
+    public CompressionException(String message) {
+        super(message);
+    }
+
+    public CompressionException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/ExpiredJwtException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/ExpiredJwtException.java
new file mode 100644
index 00000000000..0748ca367c6
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/ExpiredJwtException.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * Exception indicating that a JWT was accepted after it expired and must be rejected.
+ *
+ * @since 0.3
+ */
+public class ExpiredJwtException extends ClaimJwtException {
+
+    public ExpiredJwtException(Header header, Claims claims, String message) {
+        super(header, claims, message);
+    }
+
+    /**
+     * @param header jwt header
+     * @param claims jwt claims (body)
+     * @param message exception message
+     * @param cause cause
+     * @since 0.5
+     */
+    public ExpiredJwtException(Header header, Claims claims, String message, Throwable cause) {
+        super(header, claims, message, cause);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Header.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Header.java
new file mode 100644
index 00000000000..589af0d55d8
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Header.java
@@ -0,0 +1,132 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import java.util.Map;
+
+/**
+ * A JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-5">JOSE header</a>.
+ *
+ * <p>This is ultimately a JSON map and any values can be added to it, but JWT JOSE standard names are provided as
+ * type-safe getters and setters for convenience.</p>
+ *
+ * <p>Because this interface extends {@code Map&lt;String, Object&gt;}, if you would like to add your own properties,
+ * you simply use map methods, for example:</p>
+ *
+ * <pre>
+ * header.{@link Map#put(Object, Object) put}("headerParamName", "headerParamValue");
+ * </pre>
+ *
+ * <h3>Creation</h3>
+ *
+ * <p>It is easiest to create a {@code Header} instance by calling one of the
+ * {@link Jwts#header() JWTs.header()} factory methods.</p>
+ *
+ * @since 0.1
+ */
+public interface Header<T extends Header<T>> extends Map<String,Object> {
+
+    /** JWT {@code Type} (typ) value: <code>"JWT"</code> */
+    public static final String JWT_TYPE = "JWT";
+
+    /** JWT {@code Type} header parameter name: <code>"typ"</code> */
+    public static final String TYPE = "typ";
+
+    /** JWT {@code Content Type} header parameter name: <code>"cty"</code> */
+    public static final String CONTENT_TYPE = "cty";
+
+    /** JWT {@code Compression Algorithm} header parameter name: <code>"zip"</code> */
+    public static final String COMPRESSION_ALGORITHM = "zip";
+
+    /** JJWT legacy/deprecated compression algorithm header parameter name: <code>"calg"</code>
+     * @deprecated use {@link #COMPRESSION_ALGORITHM} instead. */
+    @Deprecated
+    public static final String DEPRECATED_COMPRESSION_ALGORITHM = "calg";
+
+    /**
+     * Returns the <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-5.1">
+     * <code>typ</code></a> (type) header value or {@code null} if not present.
+     *
+     * @return the {@code typ} header value or {@code null} if not present.
+     */
+    String getType();
+
+    /**
+     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-5.1">
+     * <code>typ</code></a> (Type) header value.  A {@code null} value will remove the property from the JSON map.
+     *
+     * @param typ the JWT JOSE {@code typ} header value or {@code null} to remove the property from the JSON map.
+     * @return the {@code Header} instance for method chaining.
+     */
+    T setType(String typ);
+
+    /**
+     * Returns the <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-5.2">
+     * <code>cty</code></a> (Content Type) header value or {@code null} if not present.
+     *
+     * <p>In the normal case where nested signing or encryption operations are not employed (i.e. a compact
+     * serialization JWT), the use of this header parameter is NOT RECOMMENDED.  In the case that nested
+     * signing or encryption is employed, this Header Parameter MUST be present; in this case, the value MUST be
+     * {@code JWT}, to indicate that a Nested JWT is carried in this JWT.  While media type names are not
+     * case-sensitive, it is RECOMMENDED that {@code JWT} always be spelled using uppercase characters for
+     * compatibility with legacy implementations.  See
+     * <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#appendix-A.2">JWT Appendix A.2</a> for
+     * an example of a Nested JWT.</p>
+     *
+     * @return the {@code typ} header parameter value or {@code null} if not present.
+     */
+    String getContentType();
+
+    /**
+     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-5.2">
+     * <code>cty</code></a> (Content Type) header parameter value.  A {@code null} value will remove the property from
+     * the JSON map.
+     *
+     * <p>In the normal case where nested signing or encryption operations are not employed (i.e. a compact
+     * serialization JWT), the use of this header parameter is NOT RECOMMENDED.  In the case that nested
+     * signing or encryption is employed, this Header Parameter MUST be present; in this case, the value MUST be
+     * {@code JWT}, to indicate that a Nested JWT is carried in this JWT.  While media type names are not
+     * case-sensitive, it is RECOMMENDED that {@code JWT} always be spelled using uppercase characters for
+     * compatibility with legacy implementations.  See
+     * <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#appendix-A.2">JWT Appendix A.2</a> for
+     * an example of a Nested JWT.</p>
+     *
+     * @param cty the JWT JOSE {@code cty} header value or {@code null} to remove the property from the JSON map.
+     */
+    T setContentType(String cty);
+
+    /**
+     * Returns the JWT <code>zip</code> (Compression Algorithm) header value or {@code null} if not present.
+     *
+     * @return the {@code zip} header parameter value or {@code null} if not present.
+     * @since 0.6.0
+     */
+    String getCompressionAlgorithm();
+
+    /**
+     * Sets the JWT <code>zip</code> (Compression Algorithm) header parameter value. A {@code null} value will remove
+     * the property from the JSON map.
+     * <p>
+     * <p>The compression algorithm is NOT part of the <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25">JWT specification</a>
+     * and must be used carefully since, is not expected that other libraries (including previous versions of this one)
+     * be able to deserialize a compressed JTW body correctly. </p>
+     *
+     * @param zip the JWT compression algorithm {@code zip} value or {@code null} to remove the property from the JSON map.
+     * @since 0.6.0
+     */
+    T setCompressionAlgorithm(String zip);
+
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/IncorrectClaimException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/IncorrectClaimException.java
new file mode 100644
index 00000000000..df68fe1e697
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/IncorrectClaimException.java
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2015 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * Exception thrown when discovering that a required claim does not equal the required value, indicating the JWT is
+ * invalid and may not be used.
+ *
+ * @since 0.6
+ */
+public class IncorrectClaimException extends InvalidClaimException {
+
+    public IncorrectClaimException(Header header, Claims claims, String message) {
+        super(header, claims, message);
+    }
+
+    public IncorrectClaimException(Header header, Claims claims, String message, Throwable cause) {
+        super(header, claims, message, cause);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/InvalidClaimException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/InvalidClaimException.java
new file mode 100644
index 00000000000..fbca6cabeeb
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/InvalidClaimException.java
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2015 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * Exception indicating a parsed claim is invalid in some way.  Subclasses reflect the specific
+ * reason the claim is invalid.
+ *
+ * @see IncorrectClaimException
+ * @see MissingClaimException
+ *
+ * @since 0.6
+ */
+public class InvalidClaimException extends ClaimJwtException {
+
+    private String claimName;
+    private Object claimValue;
+
+    protected InvalidClaimException(Header header, Claims claims, String message) {
+        super(header, claims, message);
+    }
+
+    protected InvalidClaimException(Header header, Claims claims, String message, Throwable cause) {
+        super(header, claims, message, cause);
+    }
+
+    public String getClaimName() {
+        return claimName;
+    }
+
+    public void setClaimName(String claimName) {
+        this.claimName = claimName;
+    }
+
+    public Object getClaimValue() {
+        return claimValue;
+    }
+
+    public void setClaimValue(Object claimValue) {
+        this.claimValue = claimValue;
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jws.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jws.java
new file mode 100644
index 00000000000..1be5fb39018
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jws.java
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * An expanded (not compact/serialized) Signed JSON Web Token.
+ *
+ * @param <B> the type of the JWS body contents, either a String or a {@link Claims} instance.
+ *
+ * @since 0.1
+ */
+public interface Jws<B> extends Jwt<JwsHeader,B> {
+
+    String getSignature();
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwsHeader.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwsHeader.java
new file mode 100644
index 00000000000..aaf08d86b93
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwsHeader.java
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * A <a href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31">JWS</a> header.
+ *
+ * @param <T> header type
+ * @since 0.1
+ */
+public interface JwsHeader<T extends JwsHeader<T>> extends Header<T> {
+
+    /** JWS {@code Algorithm} header parameter name: <code>"alg"</code> */
+    public static final String ALGORITHM = "alg";
+
+    /** JWS {@code JWT Set URL} header parameter name: <code>"jku"</code> */
+    public static final String JWK_SET_URL = "jku";
+
+    /** JWS {@code JSON Web Key} header parameter name: <code>"jwk"</code> */
+    public static final String JSON_WEB_KEY = "jwk";
+
+    /** JWS {@code Key ID} header parameter name: <code>"kid"</code> */
+    public static final String KEY_ID = "kid";
+
+    /** JWS {@code X.509 URL} header parameter name: <code>"x5u"</code> */
+    public static final String X509_URL = "x5u";
+
+    /** JWS {@code X.509 Certificate Chain} header parameter name: <code>"x5c"</code> */
+    public static final String X509_CERT_CHAIN = "x5c";
+
+    /** JWS {@code X.509 Certificate SHA-1 Thumbprint} header parameter name: <code>"x5t"</code> */
+    public static final String X509_CERT_SHA1_THUMBPRINT = "x5t";
+
+    /** JWS {@code X.509 Certificate SHA-256 Thumbprint} header parameter name: <code>"x5t#S256"</code> */
+    public static final String X509_CERT_SHA256_THUMBPRINT = "x5t#S256";
+
+    /** JWS {@code Critical} header parameter name: <code>"crit"</code> */
+    public static final String CRITICAL = "crit";
+
+    /**
+     * Returns the JWS <a href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31#section-4.1.1">
+     * <code>alg</code></a> (algorithm) header value or {@code null} if not present.
+     *
+     * <p>The algorithm header parameter identifies the cryptographic algorithm used to secure the JWS.  Consider
+     * using {@link io.jsonwebtoken.SignatureAlgorithm#forName(String) SignatureAlgorithm.forName} to convert this
+     * string value to a type-safe enum instance.</p>
+     *
+     * @return the JWS {@code alg} header value or {@code null} if not present.  This will always be
+     * {@code non-null} on validly constructed JWS instances, but could be {@code null} during construction.
+     */
+    String getAlgorithm();
+
+    /**
+     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31#section-4.1.1">
+     * <code>alg</code></a> (Algorithm) header value.  A {@code null} value will remove the property from the JSON map.
+     *
+     * <p>The algorithm header parameter identifies the cryptographic algorithm used to secure the JWS.  Consider
+     * using a type-safe {@link io.jsonwebtoken.SignatureAlgorithm SignatureAlgorithm} instance and using its
+     * {@link io.jsonwebtoken.SignatureAlgorithm#getValue() value} as the argument to this method.</p>
+     *
+     * @param alg the JWS {@code alg} header value or {@code null} to remove the property from the JSON map.
+     * @return the {@code Header} instance for method chaining.
+     */
+    T setAlgorithm(String alg);
+
+    /**
+     * Returns the JWS <a href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31#section-4.1.4">
+     * <code>kid</code></a> (Key ID) header value or {@code null} if not present.
+     *
+     * <p>The keyId header parameter is a hint indicating which key was used to secure the JWS.  This parameter allows
+     * originators to explicitly signal a change of key to recipients.  The structure of the keyId value is
+     * unspecified.</p>
+     *
+     * <p>When used with a JWK, the keyId value is used to match a JWK {@code keyId} parameter value.</p>
+     *
+     * @return the JWS {@code kid} header value or {@code null} if not present.
+     */
+    String getKeyId();
+
+    /**
+     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31#section-4.1.4">
+     * <code>kid</code></a> (Key ID) header value.  A {@code null} value will remove the property from the JSON map.
+     *
+     * <p>The keyId header parameter is a hint indicating which key was used to secure the JWS.  This parameter allows
+     * originators to explicitly signal a change of key to recipients.  The structure of the keyId value is
+     * unspecified.</p>
+     *
+     * <p>When used with a JWK, the keyId value is used to match a JWK {@code keyId} parameter value.</p>
+     *
+     * @param kid the JWS {@code kid} header value or {@code null} to remove the property from the JSON map.
+     * @return the {@code Header} instance for method chaining.
+     */
+    T setKeyId(String kid);
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jwt.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jwt.java
new file mode 100644
index 00000000000..1de5c6e3141
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jwt.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * An expanded (not compact/serialized) JSON Web Token.
+ *
+ * @param <B> the type of the JWT body contents, either a String or a {@link Claims} instance.
+ *
+ * @since 0.1
+ */
+public interface Jwt<H extends Header, B> {
+
+    /**
+     * Returns the JWT {@link Header} or {@code null} if not present.
+     *
+     * @return the JWT {@link Header} or {@code null} if not present.
+     */
+    H getHeader();
+
+    /**
+     * Returns the JWT body, either a {@code String} or a {@code Claims} instance.
+     *
+     * @return the JWT body, either a {@code String} or a {@code Claims} instance.
+     */
+    B getBody();
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtBuilder.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtBuilder.java
new file mode 100644
index 00000000000..02da2be2fa5
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtBuilder.java
@@ -0,0 +1,530 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import io.jsonwebtoken.io.Decoder;
+import io.jsonwebtoken.io.Decoders;
+import io.jsonwebtoken.io.Encoder;
+import io.jsonwebtoken.io.Serializer;
+import io.jsonwebtoken.security.InvalidKeyException;
+import io.jsonwebtoken.security.Keys;
+import java.security.Key;
+import java.util.Date;
+import java.util.Map;
+
+/**
+ * A builder for constructing JWTs.
+ *
+ * @since 0.1
+ */
+public interface JwtBuilder extends ClaimsMutator<JwtBuilder> {
+
+    //replaces any existing header with the specified header.
+
+    /**
+     * Sets (and replaces) any existing header with the specified header.  If you do not want to replace the existing
+     * header and only want to append to it, use the {@link #setHeaderParams(java.util.Map)} method instead.
+     *
+     * @param header the header to set (and potentially replace any existing header).
+     * @return the builder for method chaining.
+     */
+    JwtBuilder setHeader(Header header);
+
+    /**
+     * Sets (and replaces) any existing header with the specified header.  If you do not want to replace the existing
+     * header and only want to append to it, use the {@link #setHeaderParams(java.util.Map)} method instead.
+     *
+     * @param header the header to set (and potentially replace any existing header).
+     * @return the builder for method chaining.
+     */
+    JwtBuilder setHeader(Map<String, Object> header);
+
+    /**
+     * Applies the specified name/value pairs to the header.  If a header does not yet exist at the time this method
+     * is called, one will be created automatically before applying the name/value pairs.
+     *
+     * @param params the header name/value pairs to append to the header.
+     * @return the builder for method chaining.
+     */
+    JwtBuilder setHeaderParams(Map<String, Object> params);
+
+    //sets the specified header parameter, overwriting any previous value under the same name.
+
+    /**
+     * Applies the specified name/value pair to the header.  If a header does not yet exist at the time this method
+     * is called, one will be created automatically before applying the name/value pair.
+     *
+     * @param name  the header parameter name
+     * @param value the header parameter value
+     * @return the builder for method chaining.
+     */
+    JwtBuilder setHeaderParam(String name, Object value);
+
+    /**
+     * Sets the JWT's payload to be a plaintext (non-JSON) string.  If you want the JWT body to be JSON, use the
+     * {@link #setClaims(Claims)} or {@link #setClaims(java.util.Map)} methods instead.
+     *
+     * <p>The payload and claims properties are mutually exclusive - only one of the two may be used.</p>
+     *
+     * @param payload the plaintext (non-JSON) string that will be the body of the JWT.
+     * @return the builder for method chaining.
+     */
+    JwtBuilder setPayload(String payload);
+
+    /**
+     * Sets the JWT payload to be a JSON Claims instance.  If you do not want the JWT body to be JSON and instead want
+     * it to be a plaintext string, use the {@link #setPayload(String)} method instead.
+     *
+     * <p>The payload and claims properties are mutually exclusive - only one of the two may be used.</p>
+     *
+     * @param claims the JWT claims to be set as the JWT body.
+     * @return the builder for method chaining.
+     */
+    JwtBuilder setClaims(Claims claims);
+
+    /**
+     * Sets the JWT payload to be a JSON Claims instance populated by the specified name/value pairs.  If you do not
+     * want the JWT body to be JSON and instead want it to be a plaintext string, use the {@link #setPayload(String)}
+     * method instead.
+     *
+     * <p>The payload* and claims* properties are mutually exclusive - only one of the two may be used.</p>
+     *
+     * @param claims the JWT claims to be set as the JWT body.
+     * @return the builder for method chaining.
+     */
+    JwtBuilder setClaims(Map<String, ?> claims);
+
+    /**
+     * Adds all given name/value pairs to the JSON Claims in the payload. If a Claims instance does not yet exist at the
+     * time this method is called, one will be created automatically before applying the name/value pairs.
+     *
+     * <p>The payload and claims properties are mutually exclusive - only one of the two may be used.</p>
+     *
+     * @param claims the JWT claims to be added to the JWT body.
+     * @return the builder for method chaining.
+     * @since 0.8
+     */
+    JwtBuilder addClaims(Map<String, Object> claims);
+
+    /**
+     * Sets the JWT Claims <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.1">
+     * <code>iss</code></a> (issuer) value.  A {@code null} value will remove the property from the Claims.
+     *
+     * <p>This is a convenience method.  It will first ensure a Claims instance exists as the JWT body and then set
+     * the Claims {@link Claims#setIssuer(String) issuer} field with the specified value.  This allows you to write
+     * code like this:</p>
+     *
+     * <pre>
+     * String jwt = Jwts.builder().setIssuer("Joe").compact();
+     * </pre>
+     *
+     * <p>instead of this:</p>
+     * <pre>
+     * Claims claims = Jwts.claims().setIssuer("Joe");
+     * String jwt = Jwts.builder().setClaims(claims).compact();
+     * </pre>
+     * <p>if desired.</p>
+     *
+     * @param iss the JWT {@code iss} value or {@code null} to remove the property from the Claims map.
+     * @return the builder instance for method chaining.
+     * @since 0.2
+     */
+    @Override
+    //only for better/targeted JavaDoc
+    JwtBuilder setIssuer(String iss);
+
+    /**
+     * Sets the JWT Claims <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.2">
+     * <code>sub</code></a> (subject) value.  A {@code null} value will remove the property from the Claims.
+     *
+     * <p>This is a convenience method.  It will first ensure a Claims instance exists as the JWT body and then set
+     * the Claims {@link Claims#setSubject(String) subject} field with the specified value.  This allows you to write
+     * code like this:</p>
+     *
+     * <pre>
+     * String jwt = Jwts.builder().setSubject("Me").compact();
+     * </pre>
+     *
+     * <p>instead of this:</p>
+     * <pre>
+     * Claims claims = Jwts.claims().setSubject("Me");
+     * String jwt = Jwts.builder().setClaims(claims).compact();
+     * </pre>
+     * <p>if desired.</p>
+     *
+     * @param sub the JWT {@code sub} value or {@code null} to remove the property from the Claims map.
+     * @return the builder instance for method chaining.
+     * @since 0.2
+     */
+    @Override
+    //only for better/targeted JavaDoc
+    JwtBuilder setSubject(String sub);
+
+    /**
+     * Sets the JWT Claims <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.3">
+     * <code>aud</code></a> (audience) value.  A {@code null} value will remove the property from the Claims.
+     *
+     * <p>This is a convenience method.  It will first ensure a Claims instance exists as the JWT body and then set
+     * the Claims {@link Claims#setAudience(String) audience} field with the specified value.  This allows you to write
+     * code like this:</p>
+     *
+     * <pre>
+     * String jwt = Jwts.builder().setAudience("You").compact();
+     * </pre>
+     *
+     * <p>instead of this:</p>
+     * <pre>
+     * Claims claims = Jwts.claims().setAudience("You");
+     * String jwt = Jwts.builder().setClaims(claims).compact();
+     * </pre>
+     * <p>if desired.</p>
+     *
+     * @param aud the JWT {@code aud} value or {@code null} to remove the property from the Claims map.
+     * @return the builder instance for method chaining.
+     * @since 0.2
+     */
+    @Override
+    //only for better/targeted JavaDoc
+    JwtBuilder setAudience(String aud);
+
+    /**
+     * Sets the JWT Claims <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.4">
+     * <code>exp</code></a> (expiration) value.  A {@code null} value will remove the property from the Claims.
+     *
+     * <p>A JWT obtained after this timestamp should not be used.</p>
+     *
+     * <p>This is a convenience method.  It will first ensure a Claims instance exists as the JWT body and then set
+     * the Claims {@link Claims#setExpiration(java.util.Date) expiration} field with the specified value.  This allows
+     * you to write code like this:</p>
+     *
+     * <pre>
+     * String jwt = Jwts.builder().setExpiration(new Date(System.currentTimeMillis() + 3600000)).compact();
+     * </pre>
+     *
+     * <p>instead of this:</p>
+     * <pre>
+     * Claims claims = Jwts.claims().setExpiration(new Date(System.currentTimeMillis() + 3600000));
+     * String jwt = Jwts.builder().setClaims(claims).compact();
+     * </pre>
+     * <p>if desired.</p>
+     *
+     * @param exp the JWT {@code exp} value or {@code null} to remove the property from the Claims map.
+     * @return the builder instance for method chaining.
+     * @since 0.2
+     */
+    @Override
+    //only for better/targeted JavaDoc
+    JwtBuilder setExpiration(Date exp);
+
+    /**
+     * Sets the JWT Claims <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.5">
+     * <code>nbf</code></a> (not before) value.  A {@code null} value will remove the property from the Claims.
+     *
+     * <p>A JWT obtained before this timestamp should not be used.</p>
+     *
+     * <p>This is a convenience method.  It will first ensure a Claims instance exists as the JWT body and then set
+     * the Claims {@link Claims#setNotBefore(java.util.Date) notBefore} field with the specified value.  This allows
+     * you to write code like this:</p>
+     *
+     * <pre>
+     * String jwt = Jwts.builder().setNotBefore(new Date()).compact();
+     * </pre>
+     *
+     * <p>instead of this:</p>
+     * <pre>
+     * Claims claims = Jwts.claims().setNotBefore(new Date());
+     * String jwt = Jwts.builder().setClaims(claims).compact();
+     * </pre>
+     * <p>if desired.</p>
+     *
+     * @param nbf the JWT {@code nbf} value or {@code null} to remove the property from the Claims map.
+     * @return the builder instance for method chaining.
+     * @since 0.2
+     */
+    @Override
+    //only for better/targeted JavaDoc
+    JwtBuilder setNotBefore(Date nbf);
+
+    /**
+     * Sets the JWT Claims <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.6">
+     * <code>iat</code></a> (issued at) value.  A {@code null} value will remove the property from the Claims.
+     *
+     * <p>The value is the timestamp when the JWT was created.</p>
+     *
+     * <p>This is a convenience method.  It will first ensure a Claims instance exists as the JWT body and then set
+     * the Claims {@link Claims#setIssuedAt(java.util.Date) issuedAt} field with the specified value.  This allows
+     * you to write code like this:</p>
+     *
+     * <pre>
+     * String jwt = Jwts.builder().setIssuedAt(new Date()).compact();
+     * </pre>
+     *
+     * <p>instead of this:</p>
+     * <pre>
+     * Claims claims = Jwts.claims().setIssuedAt(new Date());
+     * String jwt = Jwts.builder().setClaims(claims).compact();
+     * </pre>
+     * <p>if desired.</p>
+     *
+     * @param iat the JWT {@code iat} value or {@code null} to remove the property from the Claims map.
+     * @return the builder instance for method chaining.
+     * @since 0.2
+     */
+    @Override
+    //only for better/targeted JavaDoc
+    JwtBuilder setIssuedAt(Date iat);
+
+    /**
+     * Sets the JWT Claims <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.7">
+     * <code>jti</code></a> (JWT ID) value.  A {@code null} value will remove the property from the Claims.
+     *
+     * <p>The value is a CaSe-SenSiTiVe unique identifier for the JWT. If specified, this value MUST be assigned in a
+     * manner that ensures that there is a negligible probability that the same value will be accidentally
+     * assigned to a different data object.  The ID can be used to prevent the JWT from being replayed.</p>
+     *
+     * <p>This is a convenience method.  It will first ensure a Claims instance exists as the JWT body and then set
+     * the Claims {@link Claims#setId(String) id} field with the specified value.  This allows
+     * you to write code like this:</p>
+     *
+     * <pre>
+     * String jwt = Jwts.builder().setId(UUID.randomUUID().toString()).compact();
+     * </pre>
+     *
+     * <p>instead of this:</p>
+     * <pre>
+     * Claims claims = Jwts.claims().setId(UUID.randomUUID().toString());
+     * String jwt = Jwts.builder().setClaims(claims).compact();
+     * </pre>
+     * <p>if desired.</p>
+     *
+     * @param jti the JWT {@code jti} (id) value or {@code null} to remove the property from the Claims map.
+     * @return the builder instance for method chaining.
+     * @since 0.2
+     */
+    @Override
+    //only for better/targeted JavaDoc
+    JwtBuilder setId(String jti);
+
+    /**
+     * Sets a custom JWT Claims parameter value.  A {@code null} value will remove the property from the Claims.
+     *
+     * <p>This is a convenience method.  It will first ensure a Claims instance exists as the JWT body and then set the
+     * named property on the Claims instance using the Claims {@link Claims#put(Object, Object) put} method. This allows
+     * you to write code like this:</p>
+     *
+     * <pre>
+     * String jwt = Jwts.builder().claim("aName", "aValue").compact();
+     * </pre>
+     *
+     * <p>instead of this:</p>
+     * <pre>
+     * Claims claims = Jwts.claims().put("aName", "aValue");
+     * String jwt = Jwts.builder().setClaims(claims).compact();
+     * </pre>
+     * <p>if desired.</p>
+     *
+     * @param name  the JWT Claims property name
+     * @param value the value to set for the specified Claims property name
+     * @return the builder instance for method chaining.
+     * @since 0.2
+     */
+    JwtBuilder claim(String name, Object value);
+
+    /**
+     * Signs the constructed JWT with the specified key using the key's
+     * {@link SignatureAlgorithm#forSigningKey(Key) recommended signature algorithm}, producing a JWS. If the
+     * recommended signature algorithm isn't sufficient for your needs, consider using
+     * {@link #signWith(Key, SignatureAlgorithm)} instead.
+     *
+     * <p>If you are looking to invoke this method with a byte array that you are confident may be used for HMAC-SHA
+     * algorithms, consider using {@link Keys Keys}.{@link Keys#hmacShaKeyFor(byte[]) hmacShaKeyFor(bytes)} to
+     * convert the byte array into a valid {@code Key}.</p>
+     *
+     * @param key the key to use for signing
+     * @return the builder instance for method chaining.
+     * @throws InvalidKeyException if the Key is insufficient or explicitly disallowed by the JWT specification as
+     *                             described by {@link SignatureAlgorithm#forSigningKey(Key)}.
+     * @see #signWith(Key, SignatureAlgorithm)
+     * @since 0.10.0
+     */
+    JwtBuilder signWith(Key key) throws InvalidKeyException;
+
+    /**
+     * Signs the constructed JWT using the specified algorithm with the specified key, producing a JWS.
+     *
+     * <h4>Deprecation Notice: Deprecated as of 0.10.0</h4>
+     *
+     * <p>Use {@link Keys Keys}.{@link Keys#hmacShaKeyFor(byte[]) hmacShaKeyFor(bytes)} to
+     * obtain the {@code Key} and then invoke {@link #signWith(Key)} or {@link #signWith(Key, SignatureAlgorithm)}.</p>
+     *
+     * <p>This method will be removed in the 1.0 release.</p>
+     *
+     * @param alg       the JWS algorithm to use to digitally sign the JWT, thereby producing a JWS.
+     * @param secretKey the algorithm-specific signing key to use to digitally sign the JWT.
+     * @return the builder for method chaining.
+     * @throws InvalidKeyException if the Key is insufficient or explicitly disallowed by the JWT specification as
+     *                             described by {@link SignatureAlgorithm#forSigningKey(Key)}.
+     * @deprecated as of 0.10.0: use {@link Keys Keys}.{@link Keys#hmacShaKeyFor(byte[]) hmacShaKeyFor(bytes)} to
+     * obtain the {@code Key} and then invoke {@link #signWith(Key)} or {@link #signWith(Key, SignatureAlgorithm)}.
+     * This method will be removed in the 1.0 release.
+     */
+    @Deprecated
+    JwtBuilder signWith(SignatureAlgorithm alg, byte[] secretKey) throws InvalidKeyException;
+
+    /**
+     * Signs the constructed JWT using the specified algorithm with the specified key, producing a JWS.
+     *
+     * <p>This is a convenience method: the string argument is first BASE64-decoded to a byte array and this resulting
+     * byte array is used to invoke {@link #signWith(SignatureAlgorithm, byte[])}.</p>
+     *
+     * <h4>Deprecation Notice: Deprecated as of 0.10.0, will be removed in the 1.0 release.</h4>
+     *
+     * <p>This method has been deprecated because the {@code key} argument for this method can be confusing: keys for
+     * cryptographic operations are always binary (byte arrays), and many people were confused as to how bytes were
+     * obtained from the String argument.</p>
+     *
+     * <p>This method always expected a String argument that was effectively the same as the result of the following
+     * (pseudocode):</p>
+     *
+     * <p>{@code String base64EncodedSecretKey = base64Encode(secretKeyBytes);}</p>
+     *
+     * <p>However, a non-trivial number of JJWT users were confused by the method signature and attempted to
+     * use raw password strings as the key argument - for example {@code signWith(HS256, myPassword)} - which is
+     * almost always incorrect for cryptographic hashes and can produce erroneous or insecure results.</p>
+     *
+     * <p>See this
+     * <a href="https://stackoverflow.com/questions/40252903/static-secret-as-byte-key-or-string/40274325#40274325">
+     * StackOverflow answer</a> explaining why raw (non-base64-encoded) strings are almost always incorrect for
+     * signature operations.</p>
+     *
+     * <p>To perform the correct logic with base64EncodedSecretKey strings with JJWT >= 0.10.0, you may do this:
+     * <pre><code>
+     * byte[] keyBytes = {@link Decoders Decoders}.{@link Decoders#BASE64 BASE64}.{@link Decoder#decode(Object) decode(base64EncodedSecretKey)};
+     * Key key = {@link Keys Keys}.{@link Keys#hmacShaKeyFor(byte[]) hmacShaKeyFor(keyBytes)};
+     * jwtBuilder.signWith(key); //or {@link #signWith(Key, SignatureAlgorithm)}
+     * </code></pre>
+     * </p>
+     *
+     * <p>This method will be removed in the 1.0 release.</p>
+     *
+     * @param alg                    the JWS algorithm to use to digitally sign the JWT, thereby producing a JWS.
+     * @param base64EncodedSecretKey the BASE64-encoded algorithm-specific signing key to use to digitally sign the
+     *                               JWT.
+     * @return the builder for method chaining.
+     * @throws InvalidKeyException if the Key is insufficient or explicitly disallowed by the JWT specification as
+     *                             described by {@link SignatureAlgorithm#forSigningKey(Key)}.
+     * @deprecated as of 0.10.0: use {@link #signWith(Key)} or {@link #signWith(Key, SignatureAlgorithm)} instead.  This
+     * method will be removed in the 1.0 release.
+     */
+    @Deprecated
+    JwtBuilder signWith(SignatureAlgorithm alg, String base64EncodedSecretKey) throws InvalidKeyException;
+
+    /**
+     * Signs the constructed JWT using the specified algorithm with the specified key, producing a JWS.
+     *
+     * <p>It is typically recommended to call the {@link #signWith(Key)} instead for simplicity.
+     * However, this method can be useful if the recommended algorithm heuristics do not meet your needs or if
+     * you want explicit control over the signature algorithm used with the specified key.</p>
+     *
+     * @param alg the JWS algorithm to use to digitally sign the JWT, thereby producing a JWS.
+     * @param key the algorithm-specific signing key to use to digitally sign the JWT.
+     * @return the builder for method chaining.
+     * @throws InvalidKeyException if the Key is insufficient or explicitly disallowed by the JWT specification for
+     *                             the specified algorithm.
+     * @see #signWith(Key)
+     * @deprecated since 0.10.0: use {@link #signWith(Key, SignatureAlgorithm)} instead.  This method will be removed
+     * in the 1.0 release.
+     */
+    @Deprecated
+    JwtBuilder signWith(SignatureAlgorithm alg, Key key) throws InvalidKeyException;
+
+    /**
+     * Signs the constructed JWT with the specified key using the specified algorithm, producing a JWS.
+     *
+     * <p>It is typically recommended to call the {@link #signWith(Key)} instead for simplicity.
+     * However, this method can be useful if the recommended algorithm heuristics do not meet your needs or if
+     * you want explicit control over the signature algorithm used with the specified key.</p>
+     *
+     * @param key the signing key to use to digitally sign the JWT.
+     * @param alg the JWS algorithm to use with the key to digitally sign the JWT, thereby producing a JWS.
+     * @return the builder for method chaining.
+     * @throws InvalidKeyException if the Key is insufficient or explicitly disallowed by the JWT specification for
+     *                             the specified algorithm.
+     * @see #signWith(Key)
+     * @since 0.10.0
+     */
+    JwtBuilder signWith(Key key, SignatureAlgorithm alg) throws InvalidKeyException;
+
+    /**
+     * Compresses the JWT body using the specified {@link CompressionCodec}.
+     *
+     * <p>If your compact JWTs are large, and you want to reduce their total size during network transmission, this
+     * can be useful.  For example, when embedding JWTs  in URLs, some browsers may not support URLs longer than a
+     * certain length.  Using compression can help ensure the compact JWT fits within that length.  However, NOTE:</p>
+     *
+     * <h3>Compatibility Warning</h3>
+     *
+     * <p>The JWT family of specifications defines compression only for JWE (Json Web Encryption)
+     * tokens.  Even so, JJWT will also support compression for JWS tokens as well if you choose to use it.
+     * However, be aware that <b>if you use compression when creating a JWS token, other libraries may not be able to
+     * parse that JWS token</b>.  When using compression for JWS tokens, be sure that that all parties accessing the
+     * JWS token support compression for JWS.</p>
+     *
+     * <p>Compression when creating JWE tokens however should be universally accepted for any
+     * library that supports JWE.</p>
+     *
+     * @param codec implementation of the {@link CompressionCodec} to be used.
+     * @return the builder for method chaining.
+     * @see io.jsonwebtoken.CompressionCodecs
+     * @since 0.6.0
+     */
+    JwtBuilder compressWith(CompressionCodec codec);
+
+    /**
+     * Perform Base64Url encoding with the specified Encoder.
+     *
+     * <p>JJWT uses a spec-compliant encoder that works on all supported JDK versions, but you may call this method
+     * to specify a different encoder if you desire.</p>
+     *
+     * @param base64UrlEncoder the encoder to use when Base64Url-encoding
+     * @return the builder for method chaining.
+     * @since 0.10.0
+     */
+    JwtBuilder base64UrlEncodeWith(Encoder<byte[], String> base64UrlEncoder);
+
+    /**
+     * Performs object-to-JSON serialization with the specified Serializer.  This is used by the builder to convert
+     * JWT/JWS/JWT headers and claims Maps to JSON strings as required by the JWT specification.
+     *
+     * <p>If this method is not called, JJWT will use whatever serializer it can find at runtime, checking for the
+     * presence of well-known implementations such Jackson, Gson, and org.json.  If one of these is not found
+     * in the runtime classpath, an exception will be thrown when the {@link #compact()} method is invoked.</p>
+     *
+     * @param serializer the serializer to use when converting Map objects to JSON strings.
+     * @return the builder for method chaining.
+     * @since 0.10.0
+     */
+    JwtBuilder serializeToJsonWith(Serializer<Map<String, ?>> serializer);
+
+    /**
+     * Actually builds the JWT and serializes it to a compact, URL-safe string according to the
+     * <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-7">JWT Compact Serialization</a>
+     * rules.
+     *
+     * @return A compact URL-safe JWT string.
+     */
+    String compact();
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtException.java
new file mode 100644
index 00000000000..c25aa22392c
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtException.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * Base class for JWT-related runtime exceptions.
+ *
+ * @since 0.1
+ */
+public class JwtException extends RuntimeException {
+
+    public JwtException(String message) {
+        super(message);
+    }
+
+    public JwtException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtHandler.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtHandler.java
new file mode 100644
index 00000000000..0e23f833986
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtHandler.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * A JwtHandler is invoked by a {@link io.jsonwebtoken.JwtParser JwtParser} after parsing a JWT to indicate the exact
+ * type of JWT or JWS parsed.
+ *
+ * @param <T> the type of object to return to the parser caller after handling the parsed JWT.
+ * @since 0.2
+ */
+public interface JwtHandler<T> {
+
+    /**
+     * This method is invoked when a {@link io.jsonwebtoken.JwtParser JwtParser} determines that the parsed JWT is
+     * a plaintext JWT.  A plaintext JWT has a String (non-JSON) body payload and it is not cryptographically signed.
+     *
+     * @param jwt the parsed plaintext JWT
+     * @return any object to be used after inspecting the JWT, or {@code null} if no return value is necessary.
+     */
+    T onPlaintextJwt(Jwt<Header, String> jwt);
+
+    /**
+     * This method is invoked when a {@link io.jsonwebtoken.JwtParser JwtParser} determines that the parsed JWT is
+     * a Claims JWT.  A Claims JWT has a {@link Claims} body and it is not cryptographically signed.
+     *
+     * @param jwt the parsed claims JWT
+     * @return any object to be used after inspecting the JWT, or {@code null} if no return value is necessary.
+     */
+    T onClaimsJwt(Jwt<Header, Claims> jwt);
+
+    /**
+     * This method is invoked when a {@link io.jsonwebtoken.JwtParser JwtParser} determines that the parsed JWT is
+     * a plaintext JWS.  A plaintext JWS is a JWT with a String (non-JSON) body (payload) that has been
+     * cryptographically signed.
+     *
+     * <p>This method will only be invoked if the cryptographic signature can be successfully verified.</p>
+     *
+     * @param jws the parsed plaintext JWS
+     * @return any object to be used after inspecting the JWS, or {@code null} if no return value is necessary.
+     */
+    T onPlaintextJws(Jws<String> jws);
+
+    /**
+     * This method is invoked when a {@link io.jsonwebtoken.JwtParser JwtParser} determines that the parsed JWT is
+     * a valid Claims JWS.  A Claims JWS is a JWT with a {@link Claims} body that has been cryptographically signed.
+     *
+     * <p>This method will only be invoked if the cryptographic signature can be successfully verified.</p>
+     *
+     * @param jws the parsed claims JWS
+     * @return any object to be used after inspecting the JWS, or {@code null} if no return value is necessary.
+     */
+    T onClaimsJws(Jws<Claims> jws);
+
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtHandlerAdapter.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtHandlerAdapter.java
new file mode 100644
index 00000000000..749488372e7
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtHandlerAdapter.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * An <a href="http://en.wikipedia.org/wiki/Adapter_pattern">Adapter</a> implementation of the
+ * {@link JwtHandler} interface that allows for anonymous subclasses to process only the JWT results that are
+ * known/expected for a particular use case.
+ *
+ * <p>All of the methods in this implementation throw exceptions: overridden methods represent
+ * scenarios expected by calling code in known situations.  It would be unexpected to receive a JWS or JWT that did
+ * not match parsing expectations, so all non-overridden methods throw exceptions to indicate that the JWT
+ * input was unexpected.</p>
+ *
+ * @param <T> the type of object to return to the parser caller after handling the parsed JWT.
+ * @since 0.2
+ */
+public class JwtHandlerAdapter<T> implements JwtHandler<T> {
+
+    @Override
+    public T onPlaintextJwt(Jwt<Header, String> jwt) {
+        throw new UnsupportedJwtException("Unsigned plaintext JWTs are not supported.");
+    }
+
+    @Override
+    public T onClaimsJwt(Jwt<Header, Claims> jwt) {
+        throw new UnsupportedJwtException("Unsigned Claims JWTs are not supported.");
+    }
+
+    @Override
+    public T onPlaintextJws(Jws<String> jws) {
+        throw new UnsupportedJwtException("Signed plaintext JWSs are not supported.");
+    }
+
+    @Override
+    public T onClaimsJws(Jws<Claims> jws) {
+        throw new UnsupportedJwtException("Signed Claims JWSs are not supported.");
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtParser.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtParser.java
new file mode 100644
index 00000000000..7e86b91136c
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtParser.java
@@ -0,0 +1,596 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import io.jsonwebtoken.io.Decoder;
+import io.jsonwebtoken.io.Deserializer;
+import io.jsonwebtoken.security.SignatureException;
+
+import java.security.Key;
+import java.util.Date;
+import java.util.Map;
+
+/**
+ * A parser for reading JWT strings, used to convert them into a {@link Jwt} object representing the expanded JWT.
+ *
+ * @since 0.1
+ */
+public interface JwtParser {
+
+    public static final char SEPARATOR_CHAR = '.';
+
+    /**
+     * Ensures that the specified {@code jti} exists in the parsed JWT.  If missing or if the parsed
+     * value does not equal the specified value, an exception will be thrown indicating that the
+     * JWT is invalid and may not be used.
+     *
+     * @param id
+     * @return the parser method for chaining.
+     * @see MissingClaimException
+     * @see IncorrectClaimException
+     * @deprecated see {@link JwtParserBuilder#requireId(String)}.
+     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+     * immutable JwtParser.
+     * <p><b>NOTE: this method will be removed before version 1.0</b>
+     */
+    @Deprecated
+    JwtParser requireId(String id);
+
+    /**
+     * Ensures that the specified {@code sub} exists in the parsed JWT.  If missing or if the parsed
+     * value does not equal the specified value, an exception will be thrown indicating that the
+     * JWT is invalid and may not be used.
+     *
+     * @param subject
+     * @return the parser for method chaining.
+     * @see MissingClaimException
+     * @see IncorrectClaimException
+     * @deprecated see {@link JwtParserBuilder#requireSubject(String)}.
+     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+     * immutable JwtParser.
+     * <p><b>NOTE: this method will be removed before version 1.0</b>
+     */
+    @Deprecated
+    JwtParser requireSubject(String subject);
+
+    /**
+     * Ensures that the specified {@code aud} exists in the parsed JWT.  If missing or if the parsed
+     * value does not equal the specified value, an exception will be thrown indicating that the
+     * JWT is invalid and may not be used.
+     *
+     * @param audience
+     * @return the parser for method chaining.
+     * @see MissingClaimException
+     * @see IncorrectClaimException
+     * @deprecated see {@link JwtParserBuilder#requireAudience(String)}.
+     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+     * immutable JwtParser.
+     * <p><b>NOTE: this method will be removed before version 1.0</b>
+     */
+    @Deprecated
+    JwtParser requireAudience(String audience);
+
+    /**
+     * Ensures that the specified {@code iss} exists in the parsed JWT.  If missing or if the parsed
+     * value does not equal the specified value, an exception will be thrown indicating that the
+     * JWT is invalid and may not be used.
+     *
+     * @param issuer
+     * @return the parser for method chaining.
+     * @see MissingClaimException
+     * @see IncorrectClaimException
+     * @deprecated see {@link JwtParserBuilder#requireIssuer(String)}.
+     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+     * immutable JwtParser.
+     * <p><b>NOTE: this method will be removed before version 1.0</b>
+     */
+    @Deprecated
+    JwtParser requireIssuer(String issuer);
+
+    /**
+     * Ensures that the specified {@code iat} exists in the parsed JWT.  If missing or if the parsed
+     * value does not equal the specified value, an exception will be thrown indicating that the
+     * JWT is invalid and may not be used.
+     *
+     * @param issuedAt
+     * @return the parser for method chaining.
+     * @see MissingClaimException
+     * @see IncorrectClaimException
+     * @deprecated see {@link JwtParserBuilder#requireIssuedAt(Date)}.
+     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+     * immutable JwtParser.
+     * <p><b>NOTE: this method will be removed before version 1.0</b>
+     */
+    @Deprecated
+    JwtParser requireIssuedAt(Date issuedAt);
+
+    /**
+     * Ensures that the specified {@code exp} exists in the parsed JWT.  If missing or if the parsed
+     * value does not equal the specified value, an exception will be thrown indicating that the
+     * JWT is invalid and may not be used.
+     *
+     * @param expiration
+     * @return the parser for method chaining.
+     * @see MissingClaimException
+     * @see IncorrectClaimException
+     * @deprecated see {@link JwtParserBuilder#requireExpiration(Date)}.
+     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+     * immutable JwtParser.
+     * <p><b>NOTE: this method will be removed before version 1.0</b>
+     */
+    @Deprecated
+    JwtParser requireExpiration(Date expiration);
+
+    /**
+     * Ensures that the specified {@code nbf} exists in the parsed JWT.  If missing or if the parsed
+     * value does not equal the specified value, an exception will be thrown indicating that the
+     * JWT is invalid and may not be used.
+     *
+     * @param notBefore
+     * @return the parser for method chaining
+     * @see MissingClaimException
+     * @see IncorrectClaimException
+     * @deprecated see {@link JwtParserBuilder#requireNotBefore(Date)}.
+     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+     * immutable JwtParser.
+     * <p><b>NOTE: this method will be removed before version 1.0</b>
+     */
+    @Deprecated
+    JwtParser requireNotBefore(Date notBefore);
+
+    /**
+     * Ensures that the specified {@code claimName} exists in the parsed JWT.  If missing or if the parsed
+     * value does not equal the specified value, an exception will be thrown indicating that the
+     * JWT is invalid and may not be used.
+     *
+     * @param claimName
+     * @param value
+     * @return the parser for method chaining.
+     * @see MissingClaimException
+     * @see IncorrectClaimException
+     * @deprecated see {@link JwtParserBuilder#require(String, Object)}.
+     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+     * immutable JwtParser.
+     * <p><b>NOTE: this method will be removed before version 1.0</b>
+     */
+    @Deprecated
+    JwtParser require(String claimName, Object value);
+
+    /**
+     * Sets the {@link Clock} that determines the timestamp to use when validating the parsed JWT.
+     * The parser uses a default Clock implementation that simply returns {@code new Date()} when called.
+     *
+     * @param clock a {@code Clock} object to return the timestamp to use when validating the parsed JWT.
+     * @return the parser for method chaining.
+     * @since 0.7.0
+     * @deprecated see {@link JwtParserBuilder#setClock(Clock)}.
+     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+     * immutable JwtParser.
+     * <p><b>NOTE: this method will be removed before version 1.0</b>
+     */
+    @Deprecated
+    JwtParser setClock(Clock clock);
+
+    /**
+     * Sets the amount of clock skew in seconds to tolerate when verifying the local time against the {@code exp}
+     * and {@code nbf} claims.
+     *
+     * @param seconds the number of seconds to tolerate for clock skew when verifying {@code exp} or {@code nbf} claims.
+     * @return the parser for method chaining.
+     * @since 0.7.0
+     * @throws IllegalArgumentException if {@code seconds} is a value greater than {@code Long.MAX_VALUE / 1000} as
+     * any such value would cause numeric overflow when multiplying by 1000 to obtain a millisecond value.
+     * @deprecated see {@link JwtParserBuilder#setAllowedClockSkewSeconds(long)}.
+     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+     * immutable JwtParser.
+     * <p><b>NOTE: this method will be removed before version 1.0</b>
+     */
+    @Deprecated
+    JwtParser setAllowedClockSkewSeconds(long seconds) throws IllegalArgumentException;
+
+    /**
+     * Sets the signing key used to verify any discovered JWS digital signature.  If the specified JWT string is not
+     * a JWS (no signature), this key is not used.
+     * <p>
+     * <p>Note that this key <em>MUST</em> be a valid key for the signature algorithm found in the JWT header
+     * (as the {@code alg} header parameter).</p>
+     * <p>
+     * <p>This method overwrites any previously set key.</p>
+     *
+     * @param key the algorithm-specific signature verification key used to validate any discovered JWS digital
+     *            signature.
+     * @return the parser for method chaining.
+     * @deprecated see {@link JwtParserBuilder#setSigningKey(byte[])}.
+     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+     * immutable JwtParser.
+     * <p><b>NOTE: this method will be removed before version 1.0</b>
+     */
+    @Deprecated
+    JwtParser setSigningKey(byte[] key);
+
+    /**
+     * Sets the signing key used to verify any discovered JWS digital signature.  If the specified JWT string is not
+     * a JWS (no signature), this key is not used.
+     *
+     * <p>Note that this key <em>MUST</em> be a valid key for the signature algorithm found in the JWT header
+     * (as the {@code alg} header parameter).</p>
+     *
+     * <p>This method overwrites any previously set key.</p>
+     *
+     * <p>This is a convenience method: the string argument is first BASE64-decoded to a byte array and this resulting
+     * byte array is used to invoke {@link #setSigningKey(byte[])}.</p>
+     *
+     * <h4>Deprecation Notice: Deprecated as of 0.10.0, will be removed in 1.0.0</h4>
+     *
+     * <p>This method has been deprecated because the {@code key} argument for this method can be confusing: keys for
+     * cryptographic operations are always binary (byte arrays), and many people were confused as to how bytes were
+     * obtained from the String argument.</p>
+     *
+     * <p>This method always expected a String argument that was effectively the same as the result of the following
+     * (pseudocode):</p>
+     *
+     * <p>{@code String base64EncodedSecretKey = base64Encode(secretKeyBytes);}</p>
+     *
+     * <p>However, a non-trivial number of JJWT users were confused by the method signature and attempted to
+     * use raw password strings as the key argument - for example {@code setSigningKey(myPassword)} - which is
+     * almost always incorrect for cryptographic hashes and can produce erroneous or insecure results.</p>
+     *
+     * <p>See this
+     * <a href="https://stackoverflow.com/questions/40252903/static-secret-as-byte-key-or-string/40274325#40274325">
+     * StackOverflow answer</a> explaining why raw (non-base64-encoded) strings are almost always incorrect for
+     * signature operations.</p>
+     *
+     * <p>Finally, please use the {@link #setSigningKey(Key) setSigningKey(Key)} instead, as this method and the
+     * {@code byte[]} variant will be removed before the 1.0.0 release.</p>
+     *
+     * @param base64EncodedSecretKey the BASE64-encoded algorithm-specific signature verification key to use to validate
+     *                               any discovered JWS digital signature.
+     * @return the parser for method chaining.
+     * @deprecated see {@link JwtParserBuilder#setSigningKey(String)}.
+     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+     * immutable JwtParser.
+     * <p><b>NOTE: this method will be removed before version 1.0</b>
+     */
+    @Deprecated
+    JwtParser setSigningKey(String base64EncodedSecretKey);
+
+    /**
+     * Sets the signing key used to verify any discovered JWS digital signature.  If the specified JWT string is not
+     * a JWS (no signature), this key is not used.
+     * <p>
+     * <p>Note that this key <em>MUST</em> be a valid key for the signature algorithm found in the JWT header
+     * (as the {@code alg} header parameter).</p>
+     * <p>
+     * <p>This method overwrites any previously set key.</p>
+     *
+     * @param key the algorithm-specific signature verification key to use to validate any discovered JWS digital
+     *            signature.
+     * @return the parser for method chaining.
+     * @deprecated see {@link JwtParserBuilder#setSigningKey(Key)}.
+     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+     * immutable JwtParser.
+     * <p><b>NOTE: this method will be removed before version 1.0</b>
+     */
+    @Deprecated
+    JwtParser setSigningKey(Key key);
+
+    /**
+     * Sets the {@link SigningKeyResolver} used to acquire the <code>signing key</code> that should be used to verify
+     * a JWS's signature.  If the parsed String is not a JWS (no signature), this resolver is not used.
+     * <p>
+     * <p>Specifying a {@code SigningKeyResolver} is necessary when the signing key is not already known before parsing
+     * the JWT and the JWT header or payload (plaintext body or Claims) must be inspected first to determine how to
+     * look up the signing key.  Once returned by the resolver, the JwtParser will then verify the JWS signature with the
+     * returned key.  For example:</p>
+     * <p>
+     * <pre>
+     * Jws&lt;Claims&gt; jws = Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter() {
+     *         &#64;Override
+     *         public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
+     *             //inspect the header or claims, lookup and return the signing key
+     *             return getSigningKey(header, claims); //implement me
+     *         }})
+     *     .parseClaimsJws(compact);
+     * </pre>
+     * <p>
+     * <p>A {@code SigningKeyResolver} is invoked once during parsing before the signature is verified.</p>
+     * <p>
+     * <p>This method should only be used if a signing key is not provided by the other {@code setSigningKey*} builder
+     * methods.</p>
+     *
+     * @param signingKeyResolver the signing key resolver used to retrieve the signing key.
+     * @return the parser for method chaining.
+     * @since 0.4
+     * @deprecated see {@link JwtParserBuilder#setSigningKeyResolver(SigningKeyResolver)}.
+     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+     * immutable JwtParser.
+     * <p><b>NOTE: this method will be removed before version 1.0</b>
+     */
+    @Deprecated
+    JwtParser setSigningKeyResolver(SigningKeyResolver signingKeyResolver);
+
+    /**
+     * Sets the {@link CompressionCodecResolver} used to acquire the {@link CompressionCodec} that should be used to
+     * decompress the JWT body. If the parsed JWT is not compressed, this resolver is not used.
+     * <p><b>NOTE:</b> Compression is not defined by the JWT Specification, and it is not expected that other libraries
+     * (including JJWT versions &lt; 0.6.0) are able to consume a compressed JWT body correctly.  This method is only
+     * useful if the compact JWT was compressed with JJWT &gt;= 0.6.0 or another library that you know implements
+     * the same behavior.</p>
+     * <h3>Default Support</h3>
+     * <p>JJWT's default {@link JwtParser} implementation supports both the
+     * {@link CompressionCodecs#DEFLATE DEFLATE}
+     * and {@link CompressionCodecs#GZIP GZIP} algorithms by default - you do not need to
+     * specify a {@code CompressionCodecResolver} in these cases.</p>
+     * <p>However, if you want to use a compression algorithm other than {@code DEF} or {@code GZIP}, you must implement
+     * your own {@link CompressionCodecResolver} and specify that via this method and also when
+     * {@link io.jsonwebtoken.JwtBuilder#compressWith(CompressionCodec) building} JWTs.</p>
+     *
+     * @param compressionCodecResolver the compression codec resolver used to decompress the JWT body.
+     * @return the parser for method chaining.
+     * @since 0.6.0
+     * @deprecated see {@link JwtParserBuilder#setCompressionCodecResolver(CompressionCodecResolver)}.
+     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+     * immutable JwtParser.
+     * <p><b>NOTE: this method will be removed before version 1.0</b>
+     */
+    @Deprecated
+    JwtParser setCompressionCodecResolver(CompressionCodecResolver compressionCodecResolver);
+
+    /**
+     * Perform Base64Url decoding with the specified Decoder
+     *
+     * <p>JJWT uses a spec-compliant decoder that works on all supported JDK versions, but you may call this method
+     * to specify a different decoder if you desire.</p>
+     *
+     * @param base64UrlDecoder the decoder to use when Base64Url-decoding
+     * @return the parser for method chaining.
+     * @since 0.10.0
+     * @deprecated see {@link JwtParserBuilder#base64UrlDecodeWith(Decoder)}.
+     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+     * immutable JwtParser.
+     * <p><b>NOTE: this method will be removed before version 1.0</b>
+     */
+    @Deprecated
+    JwtParser base64UrlDecodeWith(Decoder<String, byte[]> base64UrlDecoder);
+
+    /**
+     * Uses the specified deserializer to convert JSON Strings (UTF-8 byte arrays) into Java Map objects.  This is
+     * used by the parser after Base64Url-decoding to convert JWT/JWS/JWT JSON headers and claims into Java Map
+     * objects.
+     *
+     * <p>If this method is not called, JJWT will use whatever deserializer it can find at runtime, checking for the
+     * presence of well-known implementations such Jackson, Gson, and org.json.  If one of these is not found
+     * in the runtime classpath, an exception will be thrown when one of the various {@code parse}* methods is
+     * invoked.</p>
+     *
+     * @param deserializer the deserializer to use when converting JSON Strings (UTF-8 byte arrays) into Map objects.
+     * @return the parser for method chaining.
+     * @since 0.10.0
+     * @deprecated see {@link JwtParserBuilder#deserializeJsonWith(Deserializer)} )}.
+     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+     * immutable JwtParser.
+     * <p><b>NOTE: this method will be removed before version 1.0</b>
+     */
+    @Deprecated
+    JwtParser deserializeJsonWith(Deserializer<Map<String,?>> deserializer);
+
+    /**
+     * Returns {@code true} if the specified JWT compact string represents a signed JWT (aka a 'JWS'), {@code false}
+     * otherwise.
+     * <p>
+     * <p>Note that if you are reasonably sure that the token is signed, it is more efficient to attempt to
+     * parse the token (and catching exceptions if necessary) instead of calling this method first before parsing.</p>
+     *
+     * @param jwt the compact serialized JWT to check
+     * @return {@code true} if the specified JWT compact string represents a signed JWT (aka a 'JWS'), {@code false}
+     * otherwise.
+     */
+    boolean isSigned(String jwt);
+
+    /**
+     * Parses the specified compact serialized JWT string based on the builder's current configuration state and
+     * returns the resulting JWT or JWS instance.
+     * <p>
+     * <p>This method returns a JWT or JWS based on the parsed string.  Because it may be cumbersome to determine if it
+     * is a JWT or JWS, or if the body/payload is a Claims or String with {@code instanceof} checks, the
+     * {@link #parse(String, JwtHandler) parse(String,JwtHandler)} method allows for a type-safe callback approach that
+     * may help reduce code or instanceof checks.</p>
+     *
+     * @param jwt the compact serialized JWT to parse
+     * @return the specified compact serialized JWT string based on the builder's current configuration state.
+     * @throws MalformedJwtException    if the specified JWT was incorrectly constructed (and therefore invalid).
+     *                                  Invalid
+     *                                  JWTs should not be trusted and should be discarded.
+     * @throws SignatureException       if a JWS signature was discovered, but could not be verified.  JWTs that fail
+     *                                  signature validation should not be trusted and should be discarded.
+     * @throws ExpiredJwtException      if the specified JWT is a Claims JWT and the Claims has an expiration time
+     *                                  before the time this method is invoked.
+     * @throws IllegalArgumentException if the specified string is {@code null} or empty or only whitespace.
+     * @see #parse(String, JwtHandler)
+     * @see #parsePlaintextJwt(String)
+     * @see #parseClaimsJwt(String)
+     * @see #parsePlaintextJws(String)
+     * @see #parseClaimsJws(String)
+     */
+    Jwt parse(String jwt) throws ExpiredJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
+
+    /**
+     * Parses the specified compact serialized JWT string based on the builder's current configuration state and
+     * invokes the specified {@code handler} with the resulting JWT or JWS instance.
+     * <p>
+     * <p>If you are confident of the format of the JWT before parsing, you can create an anonymous subclass using the
+     * {@link io.jsonwebtoken.JwtHandlerAdapter JwtHandlerAdapter} and override only the methods you know are relevant
+     * for your use case(s), for example:</p>
+     * <p>
+     * <pre>
+     * String compactJwt = request.getParameter("jwt"); //we are confident this is a signed JWS
+     *
+     * String subject = Jwts.parser().setSigningKey(key).parse(compactJwt, new JwtHandlerAdapter&lt;String&gt;() {
+     *     &#64;Override
+     *     public String onClaimsJws(Jws&lt;Claims&gt; jws) {
+     *         return jws.getBody().getSubject();
+     *     }
+     * });
+     * </pre>
+     * <p>
+     * <p>If you know the JWT string can be only one type of JWT, then it is even easier to invoke one of the
+     * following convenience methods instead of this one:</p>
+     * <p>
+     * <ul>
+     * <li>{@link #parsePlaintextJwt(String)}</li>
+     * <li>{@link #parseClaimsJwt(String)}</li>
+     * <li>{@link #parsePlaintextJws(String)}</li>
+     * <li>{@link #parseClaimsJws(String)}</li>
+     * </ul>
+     *
+     * @param jwt the compact serialized JWT to parse
+     * @return the result returned by the {@code JwtHandler}
+     * @throws MalformedJwtException    if the specified JWT was incorrectly constructed (and therefore invalid).
+     *                                  Invalid JWTs should not be trusted and should be discarded.
+     * @throws SignatureException       if a JWS signature was discovered, but could not be verified.  JWTs that fail
+     *                                  signature validation should not be trusted and should be discarded.
+     * @throws ExpiredJwtException      if the specified JWT is a Claims JWT and the Claims has an expiration time
+     *                                  before the time this method is invoked.
+     * @throws IllegalArgumentException if the specified string is {@code null} or empty or only whitespace, or if the
+     *                                  {@code handler} is {@code null}.
+     * @see #parsePlaintextJwt(String)
+     * @see #parseClaimsJwt(String)
+     * @see #parsePlaintextJws(String)
+     * @see #parseClaimsJws(String)
+     * @see #parse(String)
+     * @since 0.2
+     */
+    <T> T parse(String jwt, JwtHandler<T> handler)
+        throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
+
+    /**
+     * Parses the specified compact serialized JWT string based on the builder's current configuration state and
+     * returns
+     * the resulting unsigned plaintext JWT instance.
+     * <p>
+     * <p>This is a convenience method that is usable if you are confident that the compact string argument reflects an
+     * unsigned plaintext JWT. An unsigned plaintext JWT has a String (non-JSON) body payload and it is not
+     * cryptographically signed.</p>
+     * <p>
+     * <p><b>If the compact string presented does not reflect an unsigned plaintext JWT with non-JSON string body,
+     * an {@link UnsupportedJwtException} will be thrown.</b></p>
+     *
+     * @param plaintextJwt a compact serialized unsigned plaintext JWT string.
+     * @return the {@link Jwt Jwt} instance that reflects the specified compact JWT string.
+     * @throws UnsupportedJwtException  if the {@code plaintextJwt} argument does not represent an unsigned plaintext
+     *                                  JWT
+     * @throws MalformedJwtException    if the {@code plaintextJwt} string is not a valid JWT
+     * @throws SignatureException       if the {@code plaintextJwt} string is actually a JWS and signature validation
+     *                                  fails
+     * @throws IllegalArgumentException if the {@code plaintextJwt} string is {@code null} or empty or only whitespace
+     * @see #parseClaimsJwt(String)
+     * @see #parsePlaintextJws(String)
+     * @see #parseClaimsJws(String)
+     * @see #parse(String, JwtHandler)
+     * @see #parse(String)
+     * @since 0.2
+     */
+    Jwt<Header, String> parsePlaintextJwt(String plaintextJwt)
+        throws UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
+
+    /**
+     * Parses the specified compact serialized JWT string based on the builder's current configuration state and
+     * returns
+     * the resulting unsigned plaintext JWT instance.
+     * <p>
+     * <p>This is a convenience method that is usable if you are confident that the compact string argument reflects an
+     * unsigned Claims JWT. An unsigned Claims JWT has a {@link Claims} body and it is not cryptographically
+     * signed.</p>
+     * <p>
+     * <p><b>If the compact string presented does not reflect an unsigned Claims JWT, an
+     * {@link UnsupportedJwtException} will be thrown.</b></p>
+     *
+     * @param claimsJwt a compact serialized unsigned Claims JWT string.
+     * @return the {@link Jwt Jwt} instance that reflects the specified compact JWT string.
+     * @throws UnsupportedJwtException  if the {@code claimsJwt} argument does not represent an unsigned Claims JWT
+     * @throws MalformedJwtException    if the {@code claimsJwt} string is not a valid JWT
+     * @throws SignatureException       if the {@code claimsJwt} string is actually a JWS and signature validation
+     *                                  fails
+     * @throws ExpiredJwtException      if the specified JWT is a Claims JWT and the Claims has an expiration time
+     *                                  before the time this method is invoked.
+     * @throws IllegalArgumentException if the {@code claimsJwt} string is {@code null} or empty or only whitespace
+     * @see #parsePlaintextJwt(String)
+     * @see #parsePlaintextJws(String)
+     * @see #parseClaimsJws(String)
+     * @see #parse(String, JwtHandler)
+     * @see #parse(String)
+     * @since 0.2
+     */
+    Jwt<Header, Claims> parseClaimsJwt(String claimsJwt)
+        throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
+
+    /**
+     * Parses the specified compact serialized JWS string based on the builder's current configuration state and
+     * returns
+     * the resulting plaintext JWS instance.
+     * <p>
+     * <p>This is a convenience method that is usable if you are confident that the compact string argument reflects a
+     * plaintext JWS. A plaintext JWS is a JWT with a String (non-JSON) body (payload) that has been
+     * cryptographically signed.</p>
+     * <p>
+     * <p><b>If the compact string presented does not reflect a plaintext JWS, an {@link UnsupportedJwtException}
+     * will be thrown.</b></p>
+     *
+     * @param plaintextJws a compact serialized JWS string.
+     * @return the {@link Jws Jws} instance that reflects the specified compact JWS string.
+     * @throws UnsupportedJwtException  if the {@code plaintextJws} argument does not represent an plaintext JWS
+     * @throws MalformedJwtException    if the {@code plaintextJws} string is not a valid JWS
+     * @throws SignatureException       if the {@code plaintextJws} JWS signature validation fails
+     * @throws IllegalArgumentException if the {@code plaintextJws} string is {@code null} or empty or only whitespace
+     * @see #parsePlaintextJwt(String)
+     * @see #parseClaimsJwt(String)
+     * @see #parseClaimsJws(String)
+     * @see #parse(String, JwtHandler)
+     * @see #parse(String)
+     * @since 0.2
+     */
+    Jws<String> parsePlaintextJws(String plaintextJws)
+        throws UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
+
+    /**
+     * Parses the specified compact serialized JWS string based on the builder's current configuration state and
+     * returns
+     * the resulting Claims JWS instance.
+     * <p>
+     * <p>This is a convenience method that is usable if you are confident that the compact string argument reflects a
+     * Claims JWS. A Claims JWS is a JWT with a {@link Claims} body that has been cryptographically signed.</p>
+     * <p>
+     * <p><b>If the compact string presented does not reflect a Claims JWS, an {@link UnsupportedJwtException} will be
+     * thrown.</b></p>
+     *
+     * @param claimsJws a compact serialized Claims JWS string.
+     * @return the {@link Jws Jws} instance that reflects the specified compact Claims JWS string.
+     * @throws UnsupportedJwtException  if the {@code claimsJws} argument does not represent an Claims JWS
+     * @throws MalformedJwtException    if the {@code claimsJws} string is not a valid JWS
+     * @throws SignatureException       if the {@code claimsJws} JWS signature validation fails
+     * @throws ExpiredJwtException      if the specified JWT is a Claims JWT and the Claims has an expiration time
+     *                                  before the time this method is invoked.
+     * @throws IllegalArgumentException if the {@code claimsJws} string is {@code null} or empty or only whitespace
+     * @see #parsePlaintextJwt(String)
+     * @see #parseClaimsJwt(String)
+     * @see #parsePlaintextJws(String)
+     * @see #parse(String, JwtHandler)
+     * @see #parse(String)
+     * @since 0.2
+     */
+    Jws<Claims> parseClaimsJws(String claimsJws)
+        throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtParserBuilder.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtParserBuilder.java
new file mode 100644
index 00000000000..2e8dd879451
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtParserBuilder.java
@@ -0,0 +1,307 @@
+/*
+ * Copyright (C) 2019 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import io.jsonwebtoken.io.Decoder;
+import io.jsonwebtoken.io.Deserializer;
+
+import java.security.Key;
+import java.util.Date;
+import java.util.Map;
+
+/**
+ * A builder to construct a {@link JwtParser}. Example usage:
+ * <pre>{@code
+ *     Jwts.parserBuilder()
+ *         .setSigningKey(...)
+ *         .requireIssuer("https://issuer.example.com")
+ *         .build()
+ *         .parse(jwtString)
+ * }</pre>
+ * @since 0.11.0
+ */
+public interface JwtParserBuilder {
+
+    /**
+     * Ensures that the specified {@code jti} exists in the parsed JWT.  If missing or if the parsed
+     * value does not equal the specified value, an exception will be thrown indicating that the
+     * JWT is invalid and may not be used.
+     *
+     * @param id
+     * @return the parser builder for method chaining.
+     * @see MissingClaimException
+     * @see IncorrectClaimException
+     */
+    JwtParserBuilder requireId(String id);
+
+    /**
+     * Ensures that the specified {@code sub} exists in the parsed JWT.  If missing or if the parsed
+     * value does not equal the specified value, an exception will be thrown indicating that the
+     * JWT is invalid and may not be used.
+     *
+     * @param subject
+     * @return the parser builder for method chaining.
+     * @see MissingClaimException
+     * @see IncorrectClaimException
+     */
+    JwtParserBuilder requireSubject(String subject);
+
+    /**
+     * Ensures that the specified {@code aud} exists in the parsed JWT.  If missing or if the parsed
+     * value does not equal the specified value, an exception will be thrown indicating that the
+     * JWT is invalid and may not be used.
+     *
+     * @param audience
+     * @return the parser builder for method chaining.
+     * @see MissingClaimException
+     * @see IncorrectClaimException
+     */
+    JwtParserBuilder requireAudience(String audience);
+
+    /**
+     * Ensures that the specified {@code iss} exists in the parsed JWT.  If missing or if the parsed
+     * value does not equal the specified value, an exception will be thrown indicating that the
+     * JWT is invalid and may not be used.
+     *
+     * @param issuer
+     * @return the parser builder for method chaining.
+     * @see MissingClaimException
+     * @see IncorrectClaimException
+     */
+    JwtParserBuilder requireIssuer(String issuer);
+
+    /**
+     * Ensures that the specified {@code iat} exists in the parsed JWT.  If missing or if the parsed
+     * value does not equal the specified value, an exception will be thrown indicating that the
+     * JWT is invalid and may not be used.
+     *
+     * @param issuedAt
+     * @return the parser builder for method chaining.
+     * @see MissingClaimException
+     * @see IncorrectClaimException
+     */
+    JwtParserBuilder requireIssuedAt(Date issuedAt);
+
+    /**
+     * Ensures that the specified {@code exp} exists in the parsed JWT.  If missing or if the parsed
+     * value does not equal the specified value, an exception will be thrown indicating that the
+     * JWT is invalid and may not be used.
+     *
+     * @param expiration
+     * @return the parser builder for method chaining.
+     * @see MissingClaimException
+     * @see IncorrectClaimException
+     */
+    JwtParserBuilder requireExpiration(Date expiration);
+
+    /**
+     * Ensures that the specified {@code nbf} exists in the parsed JWT.  If missing or if the parsed
+     * value does not equal the specified value, an exception will be thrown indicating that the
+     * JWT is invalid and may not be used.
+     *
+     * @param notBefore
+     * @return the parser builder for method chaining
+     * @see MissingClaimException
+     * @see IncorrectClaimException
+     */
+    JwtParserBuilder requireNotBefore(Date notBefore);
+
+    /**
+     * Ensures that the specified {@code claimName} exists in the parsed JWT.  If missing or if the parsed
+     * value does not equal the specified value, an exception will be thrown indicating that the
+     * JWT is invalid and may not be used.
+     *
+     * @param claimName
+     * @param value
+     * @return the parser builder for method chaining.
+     * @see MissingClaimException
+     * @see IncorrectClaimException
+     */
+    JwtParserBuilder require(String claimName, Object value);
+
+    /**
+     * Sets the {@link Clock} that determines the timestamp to use when validating the parsed JWT.
+     * The parser uses a default Clock implementation that simply returns {@code new Date()} when called.
+     *
+     * @param clock a {@code Clock} object to return the timestamp to use when validating the parsed JWT.
+     * @return the parser builder for method chaining.
+     */
+    JwtParserBuilder setClock(Clock clock);
+
+    /**
+     * Sets the amount of clock skew in seconds to tolerate when verifying the local time against the {@code exp}
+     * and {@code nbf} claims.
+     *
+     * @param seconds the number of seconds to tolerate for clock skew when verifying {@code exp} or {@code nbf} claims.
+     * @return the parser builder for method chaining.
+     * @throws IllegalArgumentException if {@code seconds} is a value greater than {@code Long.MAX_VALUE / 1000} as
+     * any such value would cause numeric overflow when multiplying by 1000 to obtain a millisecond value.
+     */
+    JwtParserBuilder setAllowedClockSkewSeconds(long seconds) throws IllegalArgumentException;
+
+    /**
+     * Sets the signing key used to verify any discovered JWS digital signature.  If the specified JWT string is not
+     * a JWS (no signature), this key is not used.
+     * <p>
+     * <p>Note that this key <em>MUST</em> be a valid key for the signature algorithm found in the JWT header
+     * (as the {@code alg} header parameter).</p>
+     * <p>
+     * <p>This method overwrites any previously set key.</p>
+     *
+     * @param key the algorithm-specific signature verification key used to validate any discovered JWS digital
+     *            signature.
+     * @return the parser builder for method chaining.
+     */
+    JwtParserBuilder setSigningKey(byte[] key);
+
+    /**
+     * Sets the signing key used to verify any discovered JWS digital signature.  If the specified JWT string is not
+     * a JWS (no signature), this key is not used.
+     *
+     * <p>Note that this key <em>MUST</em> be a valid key for the signature algorithm found in the JWT header
+     * (as the {@code alg} header parameter).</p>
+     *
+     * <p>This method overwrites any previously set key.</p>
+     *
+     * <p>This is a convenience method: the string argument is first BASE64-decoded to a byte array and this resulting
+     * byte array is used to invoke {@link #setSigningKey(byte[])}.</p>
+     *
+     * <h4>Deprecation Notice: Deprecated as of 0.10.0, will be removed in 1.0.0</h4>
+     *
+     * <p>This method has been deprecated because the {@code key} argument for this method can be confusing: keys for
+     * cryptographic operations are always binary (byte arrays), and many people were confused as to how bytes were
+     * obtained from the String argument.</p>
+     *
+     * <p>This method always expected a String argument that was effectively the same as the result of the following
+     * (pseudocode):</p>
+     *
+     * <p>{@code String base64EncodedSecretKey = base64Encode(secretKeyBytes);}</p>
+     *
+     * <p>However, a non-trivial number of JJWT users were confused by the method signature and attempted to
+     * use raw password strings as the key argument - for example {@code setSigningKey(myPassword)} - which is
+     * almost always incorrect for cryptographic hashes and can produce erroneous or insecure results.</p>
+     *
+     * <p>See this
+     * <a href="https://stackoverflow.com/questions/40252903/static-secret-as-byte-key-or-string/40274325#40274325">
+     * StackOverflow answer</a> explaining why raw (non-base64-encoded) strings are almost always incorrect for
+     * signature operations.</p>
+     *
+     * <p>Finally, please use the {@link #setSigningKey(Key) setSigningKey(Key)} instead, as this method and the
+     * {@code byte[]} variant will be removed before the 1.0.0 release.</p>
+     *
+     * @param base64EncodedSecretKey the BASE64-encoded algorithm-specific signature verification key to use to validate
+     *                               any discovered JWS digital signature.
+     * @return the parser builder for method chaining.
+     */
+    JwtParserBuilder setSigningKey(String base64EncodedSecretKey);
+
+    /**
+     * Sets the signing key used to verify any discovered JWS digital signature.  If the specified JWT string is not
+     * a JWS (no signature), this key is not used.
+     * <p>
+     * <p>Note that this key <em>MUST</em> be a valid key for the signature algorithm found in the JWT header
+     * (as the {@code alg} header parameter).</p>
+     * <p>
+     * <p>This method overwrites any previously set key.</p>
+     *
+     * @param key the algorithm-specific signature verification key to use to validate any discovered JWS digital
+     *            signature.
+     * @return the parser builder for method chaining.
+     */
+    JwtParserBuilder setSigningKey(Key key);
+
+    /**
+     * Sets the {@link SigningKeyResolver} used to acquire the <code>signing key</code> that should be used to verify
+     * a JWS's signature.  If the parsed String is not a JWS (no signature), this resolver is not used.
+     * <p>
+     * <p>Specifying a {@code SigningKeyResolver} is necessary when the signing key is not already known before parsing
+     * the JWT and the JWT header or payload (plaintext body or Claims) must be inspected first to determine how to
+     * look up the signing key.  Once returned by the resolver, the JwtParser will then verify the JWS signature with the
+     * returned key.  For example:</p>
+     * <p>
+     * <pre>
+     * Jws&lt;Claims&gt; jws = Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter() {
+     *         &#64;Override
+     *         public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
+     *             //inspect the header or claims, lookup and return the signing key
+     *             return getSigningKey(header, claims); //implement me
+     *         }})
+     *     .parseClaimsJws(compact);
+     * </pre>
+     * <p>
+     * <p>A {@code SigningKeyResolver} is invoked once during parsing before the signature is verified.</p>
+     * <p>
+     * <p>This method should only be used if a signing key is not provided by the other {@code setSigningKey*} builder
+     * methods.</p>
+     *
+     * @param signingKeyResolver the signing key resolver used to retrieve the signing key.
+     * @return the parser builder for method chaining.
+     */
+    JwtParserBuilder setSigningKeyResolver(SigningKeyResolver signingKeyResolver);
+
+    /**
+     * Sets the {@link CompressionCodecResolver} used to acquire the {@link CompressionCodec} that should be used to
+     * decompress the JWT body. If the parsed JWT is not compressed, this resolver is not used.
+     * <p><b>NOTE:</b> Compression is not defined by the JWT Specification, and it is not expected that other libraries
+     * (including JJWT versions &lt; 0.6.0) are able to consume a compressed JWT body correctly.  This method is only
+     * useful if the compact JWT was compressed with JJWT &gt;= 0.6.0 or another library that you know implements
+     * the same behavior.</p>
+     * <h3>Default Support</h3>
+     * <p>JJWT's default {@link JwtParser} implementation supports both the
+     * {@link CompressionCodecs#DEFLATE DEFLATE}
+     * and {@link CompressionCodecs#GZIP GZIP} algorithms by default - you do not need to
+     * specify a {@code CompressionCodecResolver} in these cases.</p>
+     * <p>However, if you want to use a compression algorithm other than {@code DEF} or {@code GZIP}, you must implement
+     * your own {@link CompressionCodecResolver} and specify that via this method and also when
+     * {@link io.jsonwebtoken.JwtBuilder#compressWith(CompressionCodec) building} JWTs.</p>
+     *
+     * @param compressionCodecResolver the compression codec resolver used to decompress the JWT body.
+     * @return the parser builder for method chaining.
+     */
+    JwtParserBuilder setCompressionCodecResolver(CompressionCodecResolver compressionCodecResolver);
+
+    /**
+     * Perform Base64Url decoding with the specified Decoder
+     *
+     * <p>JJWT uses a spec-compliant decoder that works on all supported JDK versions, but you may call this method
+     * to specify a different decoder if you desire.</p>
+     *
+     * @param base64UrlDecoder the decoder to use when Base64Url-decoding
+     * @return the parser builder for method chaining.
+     */
+    JwtParserBuilder base64UrlDecodeWith(Decoder<String, byte[]> base64UrlDecoder);
+
+    /**
+     * Uses the specified deserializer to convert JSON Strings (UTF-8 byte arrays) into Java Map objects.  This is
+     * used by the parser after Base64Url-decoding to convert JWT/JWS/JWT JSON headers and claims into Java Map
+     * objects.
+     *
+     * <p>If this method is not called, JJWT will use whatever deserializer it can find at runtime, checking for the
+     * presence of well-known implementations such Jackson, Gson, and org.json.  If one of these is not found
+     * in the runtime classpath, an exception will be thrown when one of the various {@code parse}* methods is
+     * invoked.</p>
+     *
+     * @param deserializer the deserializer to use when converting JSON Strings (UTF-8 byte arrays) into Map objects.
+     * @return the builder for method chaining.
+     */
+    JwtParserBuilder deserializeJsonWith(Deserializer<Map<String,?>> deserializer);
+
+    /**
+     * Returns an immutable/thread-safe {@link JwtParser} created from the configuration from this JwtParserBuilder.
+     * @return an immutable/thread-safe JwtParser created from the configuration from this JwtParserBuilder.
+     */
+    JwtParser build();
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jwts.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jwts.java
new file mode 100644
index 00000000000..80de65a44f1
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jwts.java
@@ -0,0 +1,143 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import io.jsonwebtoken.lang.Classes;
+
+import java.util.Map;
+
+/**
+ * Factory class useful for creating instances of JWT interfaces.  Using this factory class can be a good
+ * alternative to tightly coupling your code to implementation classes.
+ *
+ * @since 0.1
+ */
+public final class Jwts {
+
+    private static final Class[] MAP_ARG = new Class[]{Map.class};
+
+    private Jwts() {
+    }
+
+    /**
+     * Creates a new {@link Header} instance suitable for <em>plaintext</em> (not digitally signed) JWTs.  As this
+     * is a less common use of JWTs, consider using the {@link #jwsHeader()} factory method instead if you will later
+     * digitally sign the JWT.
+     *
+     * @return a new {@link Header} instance suitable for <em>plaintext</em> (not digitally signed) JWTs.
+     */
+    public static Header header() {
+        return Classes.newInstance("io.jsonwebtoken.impl.DefaultHeader");
+    }
+
+    /**
+     * Creates a new {@link Header} instance suitable for <em>plaintext</em> (not digitally signed) JWTs, populated
+     * with the specified name/value pairs.  As this is a less common use of JWTs, consider using the
+     * {@link #jwsHeader(java.util.Map)} factory method instead if you will later digitally sign the JWT.
+     *
+     * @return a new {@link Header} instance suitable for <em>plaintext</em> (not digitally signed) JWTs.
+     */
+    public static Header header(Map<String, Object> header) {
+        return Classes.newInstance("io.jsonwebtoken.impl.DefaultHeader", MAP_ARG, header);
+    }
+
+    /**
+     * Returns a new {@link JwsHeader} instance suitable for digitally signed JWTs (aka 'JWS's).
+     *
+     * @return a new {@link JwsHeader} instance suitable for digitally signed JWTs (aka 'JWS's).
+     * @see JwtBuilder#setHeader(Header)
+     */
+    public static JwsHeader jwsHeader() {
+        return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwsHeader");
+    }
+
+    /**
+     * Returns a new {@link JwsHeader} instance suitable for digitally signed JWTs (aka 'JWS's), populated with the
+     * specified name/value pairs.
+     *
+     * @return a new {@link JwsHeader} instance suitable for digitally signed JWTs (aka 'JWS's), populated with the
+     * specified name/value pairs.
+     * @see JwtBuilder#setHeader(Header)
+     */
+    public static JwsHeader jwsHeader(Map<String, Object> header) {
+        return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwsHeader", MAP_ARG, header);
+    }
+
+    /**
+     * Returns a new {@link Claims} instance to be used as a JWT body.
+     *
+     * @return a new {@link Claims} instance to be used as a JWT body.
+     */
+    public static Claims claims() {
+        return Classes.newInstance("io.jsonwebtoken.impl.DefaultClaims");
+    }
+
+    /**
+     * Returns a new {@link Claims} instance populated with the specified name/value pairs.
+     *
+     * @param claims the name/value pairs to populate the new Claims instance.
+     * @return a new {@link Claims} instance populated with the specified name/value pairs.
+     */
+    public static Claims claims(Map<String, Object> claims) {
+        return Classes.newInstance("io.jsonwebtoken.impl.DefaultClaims", MAP_ARG, claims);
+    }
+
+    /**
+     * Returns a new {@link JwtParser} instance that can be configured and then used to parse JWT strings.
+     *
+     * @return a new {@link JwtParser} instance that can be configured and then used to parse JWT strings.
+     * @deprecated use {@link Jwts#parserBuilder()} instead. See {@link JwtParserBuilder} for usage details.
+     * <p>Migration to new method structure is minimal, for example:
+     * <p>Old code:
+     * <pre>{@code
+     *     Jwts.parser()
+     *         .requireAudience("string")
+     *         .parse(jwtString)
+     * }</pre>
+     * <p>New code:
+     * <pre>{@code
+     *     Jwts.parserBuilder()
+     *         .requireAudience("string")
+     *         .build()
+     *         .parse(jwtString)
+     * }</pre>
+     * <p><b>NOTE: this method will be removed before version 1.0</b>
+     */
+    @Deprecated
+    public static JwtParser parser() {
+        return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwtParser");
+    }
+
+    /**
+     * Returns a new {@link JwtParserBuilder} instance that can be configured to create an immutable/thread-safe {@link JwtParser).
+     *
+     * @return a new {@link JwtParser} instance that can be configured create an immutable/thread-safe {@link JwtParser).
+     */
+    public static JwtParserBuilder parserBuilder() {
+        return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwtParserBuilder");
+    }
+
+    /**
+     * Returns a new {@link JwtBuilder} instance that can be configured and then used to create JWT compact serialized
+     * strings.
+     *
+     * @return a new {@link JwtBuilder} instance that can be configured and then used to create JWT compact serialized
+     * strings.
+     */
+    public static JwtBuilder builder() {
+        return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwtBuilder");
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/MalformedJwtException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/MalformedJwtException.java
new file mode 100644
index 00000000000..6490550aaf7
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/MalformedJwtException.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * Exception indicating that a JWT was not correctly constructed and should be rejected.
+ *
+ * @since 0.2
+ */
+public class MalformedJwtException extends JwtException {
+
+    public MalformedJwtException(String message) {
+        super(message);
+    }
+
+    public MalformedJwtException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/MissingClaimException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/MissingClaimException.java
new file mode 100644
index 00000000000..030fe98d06b
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/MissingClaimException.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2015 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * Exception thrown when discovering that a required claim is not present, indicating the JWT is
+ * invalid and may not be used.
+ *
+ * @since 0.6
+ */
+public class MissingClaimException extends InvalidClaimException {
+    public MissingClaimException(Header header, Claims claims, String message) {
+        super(header, claims, message);
+    }
+
+    public MissingClaimException(Header header, Claims claims, String message, Throwable cause) {
+        super(header, claims, message, cause);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/PrematureJwtException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/PrematureJwtException.java
new file mode 100644
index 00000000000..8853832e80a
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/PrematureJwtException.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * Exception indicating that a JWT was accepted before it is allowed to be accessed and must be rejected.
+ *
+ * @since 0.3
+ */
+public class PrematureJwtException extends ClaimJwtException {
+
+    public PrematureJwtException(Header header, Claims claims, String message) {
+        super(header, claims, message);
+    }
+
+    /**
+     * @param header jwt header
+     * @param claims jwt claims (body)
+     * @param message exception message
+     * @param cause cause
+     * @since 0.5
+     */
+    public PrematureJwtException(Header header, Claims claims, String message, Throwable cause) {
+        super(header, claims, message, cause);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/RequiredTypeException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/RequiredTypeException.java
new file mode 100644
index 00000000000..eeb60d3084d
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/RequiredTypeException.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * Exception thrown when {@link Claims#get(String, Class)} is called and the value does not match the type of the
+ * {@code Class} argument.
+ *
+ * @since 0.6
+ */
+public class RequiredTypeException extends JwtException {
+    public RequiredTypeException(String message) {
+        super(message);
+    }
+
+    public RequiredTypeException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SignatureAlgorithm.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SignatureAlgorithm.java
new file mode 100644
index 00000000000..9f646502dfa
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SignatureAlgorithm.java
@@ -0,0 +1,655 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import io.jsonwebtoken.security.InvalidKeyException;
+import io.jsonwebtoken.security.Keys;
+import io.jsonwebtoken.security.SignatureException;
+import io.jsonwebtoken.security.WeakKeyException;
+
+import javax.crypto.SecretKey;
+import java.security.Key;
+import java.security.PrivateKey;
+import java.security.interfaces.ECKey;
+import java.security.interfaces.RSAKey;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * Type-safe representation of standard JWT signature algorithm names as defined in the
+ * <a href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-31">JSON Web Algorithms</a> specification.
+ *
+ * @since 0.1
+ */
+public enum SignatureAlgorithm {
+
+    /**
+     * JWA name for {@code No digital signature or MAC performed}
+     */
+    NONE("none", "No digital signature or MAC performed", "None", null, false, 0, 0),
+
+    /**
+     * JWA algorithm name for {@code HMAC using SHA-256}
+     */
+    HS256("HS256", "HMAC using SHA-256", "HMAC", "HmacSHA256", true, 256, 256, "1.2.840.113549.2.9"),
+
+    /**
+     * JWA algorithm name for {@code HMAC using SHA-384}
+     */
+    HS384("HS384", "HMAC using SHA-384", "HMAC", "HmacSHA384", true, 384, 384, "1.2.840.113549.2.10"),
+
+    /**
+     * JWA algorithm name for {@code HMAC using SHA-512}
+     */
+    HS512("HS512", "HMAC using SHA-512", "HMAC", "HmacSHA512", true, 512, 512, "1.2.840.113549.2.11"),
+
+    /**
+     * JWA algorithm name for {@code RSASSA-PKCS-v1_5 using SHA-256}
+     */
+    RS256("RS256", "RSASSA-PKCS-v1_5 using SHA-256", "RSA", "SHA256withRSA", true, 256, 2048),
+
+    /**
+     * JWA algorithm name for {@code RSASSA-PKCS-v1_5 using SHA-384}
+     */
+    RS384("RS384", "RSASSA-PKCS-v1_5 using SHA-384", "RSA", "SHA384withRSA", true, 384, 2048),
+
+    /**
+     * JWA algorithm name for {@code RSASSA-PKCS-v1_5 using SHA-512}
+     */
+    RS512("RS512", "RSASSA-PKCS-v1_5 using SHA-512", "RSA", "SHA512withRSA", true, 512, 2048),
+
+    /**
+     * JWA algorithm name for {@code ECDSA using P-256 and SHA-256}
+     */
+    ES256("ES256", "ECDSA using P-256 and SHA-256", "ECDSA", "SHA256withECDSA", true, 256, 256),
+
+    /**
+     * JWA algorithm name for {@code ECDSA using P-384 and SHA-384}
+     */
+    ES384("ES384", "ECDSA using P-384 and SHA-384", "ECDSA", "SHA384withECDSA", true, 384, 384),
+
+    /**
+     * JWA algorithm name for {@code ECDSA using P-521 and SHA-512}
+     */
+    ES512("ES512", "ECDSA using P-521 and SHA-512", "ECDSA", "SHA512withECDSA", true, 512, 521),
+
+    /**
+     * JWA algorithm name for {@code RSASSA-PSS using SHA-256 and MGF1 with SHA-256}.  <b>This algorithm requires
+     * Java 11 or later or a JCA provider like BouncyCastle to be in the runtime classpath.</b>  If on Java 10 or
+     * earlier, BouncyCastle will be used automatically if found in the runtime classpath.
+     */
+    PS256("PS256", "RSASSA-PSS using SHA-256 and MGF1 with SHA-256", "RSA", "RSASSA-PSS", false, 256, 2048),
+
+    /**
+     * JWA algorithm name for {@code RSASSA-PSS using SHA-384 and MGF1 with SHA-384}.  <b>This algorithm requires
+     * Java 11 or later or a JCA provider like BouncyCastle to be in the runtime classpath.</b>  If on Java 10 or
+     * earlier, BouncyCastle will be used automatically if found in the runtime classpath.
+     */
+    PS384("PS384", "RSASSA-PSS using SHA-384 and MGF1 with SHA-384", "RSA", "RSASSA-PSS", false, 384, 2048),
+
+    /**
+     * JWA algorithm name for {@code RSASSA-PSS using SHA-512 and MGF1 with SHA-512}. <b>This algorithm requires
+     * Java 11 or later or a JCA provider like BouncyCastle to be in the runtime classpath.</b>  If on Java 10 or
+     * earlier, BouncyCastle will be used automatically if found in the runtime classpath.
+     */
+    PS512("PS512", "RSASSA-PSS using SHA-512 and MGF1 with SHA-512", "RSA", "RSASSA-PSS", false, 512, 2048);
+
+    //purposefully ordered higher to lower:
+    private static final List<SignatureAlgorithm> PREFERRED_HMAC_ALGS = Collections.unmodifiableList(Arrays.asList(
+        SignatureAlgorithm.HS512, SignatureAlgorithm.HS384, SignatureAlgorithm.HS256));
+    //purposefully ordered higher to lower:
+    private static final List<SignatureAlgorithm> PREFERRED_EC_ALGS = Collections.unmodifiableList(Arrays.asList(
+        SignatureAlgorithm.ES512, SignatureAlgorithm.ES384, SignatureAlgorithm.ES256));
+
+    private final String value;
+    private final String description;
+    private final String familyName;
+    private final String jcaName;
+    private final boolean jdkStandard;
+    private final int digestLength;
+    private final int minKeyLength;
+    /**
+     * Algorithm name as given by {@link Key#getAlgorithm()} if the key was loaded from a pkcs12 Keystore.
+     *
+     * @deprecated This is just a workaround for https://bugs.openjdk.java.net/browse/JDK-8243551
+     */
+    @Deprecated
+    private final String pkcs12Name;
+
+    SignatureAlgorithm(String value, String description, String familyName, String jcaName, boolean jdkStandard,
+                       int digestLength, int minKeyLength) {
+        this(value, description,familyName, jcaName, jdkStandard, digestLength, minKeyLength, jcaName);
+    }
+
+    SignatureAlgorithm(String value, String description, String familyName, String jcaName, boolean jdkStandard,
+                       int digestLength, int minKeyLength, String pkcs12Name) {
+        this.value = value;
+        this.description = description;
+        this.familyName = familyName;
+        this.jcaName = jcaName;
+        this.jdkStandard = jdkStandard;
+        this.digestLength = digestLength;
+        this.minKeyLength = minKeyLength;
+        this.pkcs12Name = pkcs12Name;
+    }
+
+    /**
+     * Returns the JWA algorithm name constant.
+     *
+     * @return the JWA algorithm name constant.
+     */
+    public String getValue() {
+        return value;
+    }
+
+    /**
+     * Returns the JWA algorithm description.
+     *
+     * @return the JWA algorithm description.
+     */
+    public String getDescription() {
+        return description;
+    }
+
+
+    /**
+     * Returns the cryptographic family name of the signature algorithm.  The value returned is according to the
+     * following table:
+     *
+     * <table>
+     * <caption>Crypto Family</caption>
+     * <thead>
+     * <tr>
+     * <th>SignatureAlgorithm</th>
+     * <th>Family Name</th>
+     * </tr>
+     * </thead>
+     * <tbody>
+     * <tr>
+     * <td>HS256</td>
+     * <td>HMAC</td>
+     * </tr>
+     * <tr>
+     * <td>HS384</td>
+     * <td>HMAC</td>
+     * </tr>
+     * <tr>
+     * <td>HS512</td>
+     * <td>HMAC</td>
+     * </tr>
+     * <tr>
+     * <td>RS256</td>
+     * <td>RSA</td>
+     * </tr>
+     * <tr>
+     * <td>RS384</td>
+     * <td>RSA</td>
+     * </tr>
+     * <tr>
+     * <td>RS512</td>
+     * <td>RSA</td>
+     * </tr>
+     * <tr>
+     * <td>PS256</td>
+     * <td>RSA</td>
+     * </tr>
+     * <tr>
+     * <td>PS384</td>
+     * <td>RSA</td>
+     * </tr>
+     * <tr>
+     * <td>PS512</td>
+     * <td>RSA</td>
+     * </tr>
+     * <tr>
+     * <td>ES256</td>
+     * <td>ECDSA</td>
+     * </tr>
+     * <tr>
+     * <td>ES384</td>
+     * <td>ECDSA</td>
+     * </tr>
+     * <tr>
+     * <td>ES512</td>
+     * <td>ECDSA</td>
+     * </tr>
+     * </tbody>
+     * </table>
+     *
+     * @return Returns the cryptographic family name of the signature algorithm.
+     * @since 0.5
+     */
+    public String getFamilyName() {
+        return familyName;
+    }
+
+    /**
+     * Returns the name of the JCA algorithm used to compute the signature.
+     *
+     * @return the name of the JCA algorithm used to compute the signature.
+     */
+    public String getJcaName() {
+        return jcaName;
+    }
+
+    /**
+     * Returns {@code true} if the algorithm is supported by standard JDK distributions or {@code false} if the
+     * algorithm implementation is not in the JDK and must be provided by a separate runtime JCA Provider (like
+     * BouncyCastle for example).
+     *
+     * @return {@code true} if the algorithm is supported by standard JDK distributions or {@code false} if the
+     * algorithm implementation is not in the JDK and must be provided by a separate runtime JCA Provider (like
+     * BouncyCastle for example).
+     */
+    public boolean isJdkStandard() {
+        return jdkStandard;
+    }
+
+    /**
+     * Returns {@code true} if the enum instance represents an HMAC signature algorithm, {@code false} otherwise.
+     *
+     * @return {@code true} if the enum instance represents an HMAC signature algorithm, {@code false} otherwise.
+     */
+    public boolean isHmac() {
+        return familyName.equals("HMAC");
+    }
+
+    /**
+     * Returns {@code true} if the enum instance represents an RSA public/private key pair signature algorithm,
+     * {@code false} otherwise.
+     *
+     * @return {@code true} if the enum instance represents an RSA public/private key pair signature algorithm,
+     * {@code false} otherwise.
+     */
+    public boolean isRsa() {
+        return familyName.equals("RSA");
+    }
+
+    /**
+     * Returns {@code true} if the enum instance represents an Elliptic Curve ECDSA signature algorithm, {@code false}
+     * otherwise.
+     *
+     * @return {@code true} if the enum instance represents an Elliptic Curve ECDSA signature algorithm, {@code false}
+     * otherwise.
+     */
+    public boolean isEllipticCurve() {
+        return familyName.equals("ECDSA");
+    }
+
+    /**
+     * Returns the minimum key length in bits (not bytes) that may be used with this algorithm according to the
+     * <a href="https://tools.ietf.org/html/rfc7518">JWT JWA Specification (RFC 7518)</a>.
+     *
+     * @return the minimum key length in bits (not bytes) that may be used with this algorithm according to the
+     * <a href="https://tools.ietf.org/html/rfc7518">JWT JWA Specification (RFC 7518)</a>.
+     * @since 0.10.0
+     */
+    public int getMinKeyLength() {
+        return this.minKeyLength;
+    }
+
+    /**
+     * Returns quietly if the specified key is allowed to create signatures using this algorithm
+     * according to the <a href="https://tools.ietf.org/html/rfc7518">JWT JWA Specification (RFC 7518)</a> or throws an
+     * {@link InvalidKeyException} if the key is not allowed or not secure enough for this algorithm.
+     *
+     * @param key the key to check for validity.
+     * @throws InvalidKeyException if the key is not allowed or not secure enough for this algorithm.
+     * @since 0.10.0
+     */
+    public void assertValidSigningKey(Key key) throws InvalidKeyException {
+        assertValid(key, true);
+    }
+
+    /**
+     * Returns quietly if the specified key is allowed to verify signatures using this algorithm
+     * according to the <a href="https://tools.ietf.org/html/rfc7518">JWT JWA Specification (RFC 7518)</a> or throws an
+     * {@link InvalidKeyException} if the key is not allowed or not secure enough for this algorithm.
+     *
+     * @param key the key to check for validity.
+     * @throws InvalidKeyException if the key is not allowed or not secure enough for this algorithm.
+     * @since 0.10.0
+     */
+    public void assertValidVerificationKey(Key key) throws InvalidKeyException {
+        assertValid(key, false);
+    }
+
+    /**
+     * @since 0.10.0 to support assertValid(Key, boolean)
+     */
+    private static String keyType(boolean signing) {
+        return signing ? "signing" : "verification";
+    }
+
+    /**
+     * @since 0.10.0
+     */
+    private void assertValid(Key key, boolean signing) throws InvalidKeyException {
+
+        if (this == NONE) {
+
+            String msg = "The 'NONE' signature algorithm does not support cryptographic keys.";
+            throw new InvalidKeyException(msg);
+
+        } else if (isHmac()) {
+
+            if (!(key instanceof SecretKey)) {
+                String msg = this.familyName + " " + keyType(signing) + " keys must be SecretKey instances.";
+                throw new InvalidKeyException(msg);
+            }
+            SecretKey secretKey = (SecretKey) key;
+
+            byte[] encoded = secretKey.getEncoded();
+            if (encoded == null) {
+                throw new InvalidKeyException("The " + keyType(signing) + " key's encoded bytes cannot be null.");
+            }
+
+            String alg = secretKey.getAlgorithm();
+            if (alg == null) {
+                throw new InvalidKeyException("The " + keyType(signing) + " key's algorithm cannot be null.");
+            }
+
+            // These next checks use equalsIgnoreCase per https://github.com/jwtk/jjwt/issues/381#issuecomment-412912272
+            if (!HS256.jcaName.equalsIgnoreCase(alg) &&
+                !HS384.jcaName.equalsIgnoreCase(alg) &&
+                !HS512.jcaName.equalsIgnoreCase(alg) &&
+                !HS256.pkcs12Name.equals(alg) &&
+                !HS384.pkcs12Name.equals(alg) &&
+                !HS512.pkcs12Name.equals(alg)) {
+                throw new InvalidKeyException("The " + keyType(signing) + " key's algorithm '" + alg +
+                    "' does not equal a valid HmacSHA* algorithm name and cannot be used with " + name() + ".");
+            }
+
+            int size = encoded.length * 8; //size in bits
+            if (size < this.minKeyLength) {
+                String msg = "The " + keyType(signing) + " key's size is " + size + " bits which " +
+                    "is not secure enough for the " + name() + " algorithm.  The JWT " +
+                    "JWA Specification (RFC 7518, Section 3.2) states that keys used with " + name() + " MUST have a " +
+                    "size >= " + minKeyLength + " bits (the key size must be greater than or equal to the hash " +
+                    "output size).  Consider using the " + Keys.class.getName() + " class's " +
+                    "'secretKeyFor(SignatureAlgorithm." + name() + ")' method to create a key guaranteed to be " +
+                    "secure enough for " + name() + ".  See " +
+                    "https://tools.ietf.org/html/rfc7518#section-3.2 for more information.";
+                throw new WeakKeyException(msg);
+            }
+
+        } else { //EC or RSA
+
+            if (signing) {
+                if (!(key instanceof PrivateKey)) {
+                    String msg = familyName + " signing keys must be PrivateKey instances.";
+                    throw new InvalidKeyException(msg);
+                }
+            }
+
+            if (isEllipticCurve()) {
+
+                if (!(key instanceof ECKey)) {
+                    String msg = familyName + " " + keyType(signing) + " keys must be ECKey instances.";
+                    throw new InvalidKeyException(msg);
+                }
+
+                ECKey ecKey = (ECKey) key;
+                int size = ecKey.getParams().getOrder().bitLength();
+                if (size < this.minKeyLength) {
+                    String msg = "The " + keyType(signing) + " key's size (ECParameterSpec order) is " + size +
+                        " bits which is not secure enough for the " + name() + " algorithm.  The JWT " +
+                        "JWA Specification (RFC 7518, Section 3.4) states that keys used with " +
+                        name() + " MUST have a size >= " + this.minKeyLength +
+                        " bits.  Consider using the " + Keys.class.getName() + " class's " +
+                        "'keyPairFor(SignatureAlgorithm." + name() + ")' method to create a key pair guaranteed " +
+                        "to be secure enough for " + name() + ".  See " +
+                        "https://tools.ietf.org/html/rfc7518#section-3.4 for more information.";
+                    throw new WeakKeyException(msg);
+                }
+
+            } else { //RSA
+
+                if (!(key instanceof RSAKey)) {
+                    String msg = familyName + " " + keyType(signing) + " keys must be RSAKey instances.";
+                    throw new InvalidKeyException(msg);
+                }
+
+                RSAKey rsaKey = (RSAKey) key;
+                int size = rsaKey.getModulus().bitLength();
+                if (size < this.minKeyLength) {
+
+                    String section = name().startsWith("P") ? "3.5" : "3.3";
+
+                    String msg = "The " + keyType(signing) + " key's size is " + size + " bits which is not secure " +
+                        "enough for the " + name() + " algorithm.  The JWT JWA Specification (RFC 7518, Section " +
+                        section + ") states that keys used with " + name() + " MUST have a size >= " +
+                        this.minKeyLength + " bits.  Consider using the " + Keys.class.getName() + " class's " +
+                        "'keyPairFor(SignatureAlgorithm." + name() + ")' method to create a key pair guaranteed " +
+                        "to be secure enough for " + name() + ".  See " +
+                        "https://tools.ietf.org/html/rfc7518#section-" + section + " for more information.";
+                    throw new WeakKeyException(msg);
+                }
+            }
+        }
+    }
+
+    /**
+     * Returns the recommended signature algorithm to be used with the specified key according to the following
+     * heuristics:
+     *
+     * <table>
+     * <caption>Key Signature Algorithm</caption>
+     * <thead>
+     * <tr>
+     * <th>If the Key is a:</th>
+     * <th>And:</th>
+     * <th>With a key size of:</th>
+     * <th>The returned SignatureAlgorithm will be:</th>
+     * </tr>
+     * </thead>
+     * <tbody>
+     * <tr>
+     * <td>{@link SecretKey}</td>
+     * <td><code>{@link Key#getAlgorithm() getAlgorithm()}.equals("HmacSHA256")</code><sup>1</sup></td>
+     * <td>256 &lt;= size &lt;= 383 <sup>2</sup></td>
+     * <td>{@link SignatureAlgorithm#HS256 HS256}</td>
+     * </tr>
+     * <tr>
+     * <td>{@link SecretKey}</td>
+     * <td><code>{@link Key#getAlgorithm() getAlgorithm()}.equals("HmacSHA384")</code><sup>1</sup></td>
+     * <td>384 &lt;= size &lt;= 511</td>
+     * <td>{@link SignatureAlgorithm#HS384 HS384}</td>
+     * </tr>
+     * <tr>
+     * <td>{@link SecretKey}</td>
+     * <td><code>{@link Key#getAlgorithm() getAlgorithm()}.equals("HmacSHA512")</code><sup>1</sup></td>
+     * <td>512 &lt;= size</td>
+     * <td>{@link SignatureAlgorithm#HS512 HS512}</td>
+     * </tr>
+     * <tr>
+     * <td>{@link ECKey}</td>
+     * <td><code>instanceof {@link PrivateKey}</code></td>
+     * <td>256 &lt;= size &lt;= 383 <sup>3</sup></td>
+     * <td>{@link SignatureAlgorithm#ES256 ES256}</td>
+     * </tr>
+     * <tr>
+     * <td>{@link ECKey}</td>
+     * <td><code>instanceof {@link PrivateKey}</code></td>
+     * <td>384 &lt;= size &lt;= 511</td>
+     * <td>{@link SignatureAlgorithm#ES384 ES384}</td>
+     * </tr>
+     * <tr>
+     * <td>{@link ECKey}</td>
+     * <td><code>instanceof {@link PrivateKey}</code></td>
+     * <td>4096 &lt;= size</td>
+     * <td>{@link SignatureAlgorithm#ES512 ES512}</td>
+     * </tr>
+     * <tr>
+     * <td>{@link RSAKey}</td>
+     * <td><code>instanceof {@link PrivateKey}</code></td>
+     * <td>2048 &lt;= size &lt;= 3071 <sup>4,5</sup></td>
+     * <td>{@link SignatureAlgorithm#RS256 RS256}</td>
+     * </tr>
+     * <tr>
+     * <td>{@link RSAKey}</td>
+     * <td><code>instanceof {@link PrivateKey}</code></td>
+     * <td>3072 &lt;= size &lt;= 4095 <sup>5</sup></td>
+     * <td>{@link SignatureAlgorithm#RS384 RS384}</td>
+     * </tr>
+     * <tr>
+     * <td>{@link RSAKey}</td>
+     * <td><code>instanceof {@link PrivateKey}</code></td>
+     * <td>4096 &lt;= size <sup>5</sup></td>
+     * <td>{@link SignatureAlgorithm#RS512 RS512}</td>
+     * </tr>
+     * </tbody>
+     * </table>
+     * <p>Notes:</p>
+     * <ol>
+     * <li>{@code SecretKey} instances must have an {@link Key#getAlgorithm() algorithm} name equal
+     * to {@code HmacSHA256}, {@code HmacSHA384} or {@code HmacSHA512}.  If not, the key bytes might not be
+     * suitable for HMAC signatures will be rejected with a {@link InvalidKeyException}. </li>
+     * <li>The JWT <a href="https://tools.ietf.org/html/rfc7518#section-3.2">JWA Specification (RFC 7518,
+     * Section 3.2)</a> mandates that HMAC-SHA-* signing keys <em>MUST</em> be 256 bits or greater.
+     * {@code SecretKey}s with key lengths less than 256 bits will be rejected with an
+     * {@link WeakKeyException}.</li>
+     * <li>The JWT <a href="https://tools.ietf.org/html/rfc7518#section-3.4">JWA Specification (RFC 7518,
+     * Section 3.4)</a> mandates that ECDSA signing key lengths <em>MUST</em> be 256 bits or greater.
+     * {@code ECKey}s with key lengths less than 256 bits will be rejected with a
+     * {@link WeakKeyException}.</li>
+     * <li>The JWT <a href="https://tools.ietf.org/html/rfc7518#section-3.3">JWA Specification (RFC 7518,
+     * Section 3.3)</a> mandates that RSA signing key lengths <em>MUST</em> be 2048 bits or greater.
+     * {@code RSAKey}s with key lengths less than 2048 bits will be rejected with a
+     * {@link WeakKeyException}.</li>
+     * <li>Technically any RSA key of length >= 2048 bits may be used with the {@link #RS256}, {@link #RS384}, and
+     * {@link #RS512} algorithms, so we assume an RSA signature algorithm based on the key length to
+     * parallel similar decisions in the JWT specification for HMAC and ECDSA signature algorithms.
+     * This is not required - just a convenience.</li>
+     * </ol>
+     * <p>This implementation does not return the {@link #PS256}, {@link #PS256}, {@link #PS256} RSA variant for any
+     * specified {@link RSAKey} because:
+     * <ul>
+     * <li>The JWT <a href="https://tools.ietf.org/html/rfc7518#section-3.1">JWA Specification (RFC 7518,
+     * Section 3.1)</a> indicates that {@link #RS256}, {@link #RS384}, and {@link #RS512} are
+     * recommended algorithms while the {@code PS}* variants are simply marked as optional.</li>
+     * <li>The {@link #RS256}, {@link #RS384}, and {@link #RS512} algorithms are available in the JDK by default
+     * while the {@code PS}* variants require an additional JCA Provider (like BouncyCastle).</li>
+     * </ul>
+     * </p>
+     *
+     * <p>Finally, this method will throw an {@link InvalidKeyException} for any key that does not match the
+     * heuristics and requirements documented above, since that inevitably means the Key is either insufficient or
+     * explicitly disallowed by the JWT specification.</p>
+     *
+     * @param key the key to inspect
+     * @return the recommended signature algorithm to be used with the specified key
+     * @throws InvalidKeyException for any key that does not match the heuristics and requirements documented above,
+     *                             since that inevitably means the Key is either insufficient or explicitly disallowed by the JWT specification.
+     * @since 0.10.0
+     */
+    public static SignatureAlgorithm forSigningKey(Key key) throws InvalidKeyException {
+
+        if (key == null) {
+            throw new InvalidKeyException("Key argument cannot be null.");
+        }
+
+        if (!(key instanceof SecretKey ||
+            (key instanceof PrivateKey && (key instanceof ECKey || key instanceof RSAKey)))) {
+            String msg = "JWT standard signing algorithms require either 1) a SecretKey for HMAC-SHA algorithms or " +
+                "2) a private RSAKey for RSA algorithms or 3) a private ECKey for Elliptic Curve algorithms.  " +
+                "The specified key is of type " + key.getClass().getName();
+            throw new InvalidKeyException(msg);
+        }
+
+        if (key instanceof SecretKey) {
+
+            SecretKey secretKey = (SecretKey)key;
+            int bitLength = io.jsonwebtoken.lang.Arrays.length(secretKey.getEncoded()) * Byte.SIZE;
+
+            for(SignatureAlgorithm alg : PREFERRED_HMAC_ALGS) {
+                // ensure compatibility check is based on key length. See https://github.com/jwtk/jjwt/issues/381
+                if (bitLength >= alg.minKeyLength) {
+                    return alg;
+                }
+            }
+
+            String msg = "The specified SecretKey is not strong enough to be used with JWT HMAC signature " +
+                "algorithms.  The JWT specification requires HMAC keys to be >= 256 bits long.  The specified " +
+                "key is " + bitLength + " bits.  See https://tools.ietf.org/html/rfc7518#section-3.2 for more " +
+                "information.";
+            throw new WeakKeyException(msg);
+        }
+
+        if (key instanceof RSAKey) {
+
+            RSAKey rsaKey = (RSAKey) key;
+            int bitLength = rsaKey.getModulus().bitLength();
+
+            if (bitLength >= 4096) {
+                RS512.assertValidSigningKey(key);
+                return RS512;
+            } else if (bitLength >= 3072) {
+                RS384.assertValidSigningKey(key);
+                return RS384;
+            } else if (bitLength >= RS256.minKeyLength) {
+                RS256.assertValidSigningKey(key);
+                return RS256;
+            }
+
+            String msg = "The specified RSA signing key is not strong enough to be used with JWT RSA signature " +
+                "algorithms.  The JWT specification requires RSA keys to be >= 2048 bits long.  The specified RSA " +
+                "key is " + bitLength + " bits.  See https://tools.ietf.org/html/rfc7518#section-3.3 for more " +
+                "information.";
+            throw new WeakKeyException(msg);
+        }
+
+        // if we've made it this far in the method, the key is an ECKey due to the instanceof assertions at the
+        // top of the method
+
+        ECKey ecKey = (ECKey) key;
+        int bitLength = ecKey.getParams().getOrder().bitLength();
+
+        for (SignatureAlgorithm alg : PREFERRED_EC_ALGS) {
+            if (bitLength >= alg.minKeyLength) {
+                alg.assertValidSigningKey(key);
+                return alg;
+            }
+        }
+
+        String msg = "The specified Elliptic Curve signing key is not strong enough to be used with JWT ECDSA " +
+            "signature algorithms.  The JWT specification requires ECDSA keys to be >= 256 bits long.  " +
+            "The specified ECDSA key is " + bitLength + " bits.  See " +
+            "https://tools.ietf.org/html/rfc7518#section-3.4 for more information.";
+        throw new WeakKeyException(msg);
+    }
+
+    /**
+     * Looks up and returns the corresponding {@code SignatureAlgorithm} enum instance based on a
+     * case-<em>insensitive</em> name comparison.
+     *
+     * @param value The case-insensitive name of the {@code SignatureAlgorithm} instance to return
+     * @return the corresponding {@code SignatureAlgorithm} enum instance based on a
+     * case-<em>insensitive</em> name comparison.
+     * @throws SignatureException if the specified value does not match any {@code SignatureAlgorithm}
+     *                            name.
+     */
+    public static SignatureAlgorithm forName(String value) throws SignatureException {
+        for (SignatureAlgorithm alg : values()) {
+            if (alg.getValue().equalsIgnoreCase(value)) {
+                return alg;
+            }
+        }
+
+        throw new SignatureException("Unsupported signature algorithm '" + value + "'");
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SignatureException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SignatureException.java
new file mode 100644
index 00000000000..e98b4c72298
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SignatureException.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import io.jsonwebtoken.security.SecurityException;
+
+/**
+ * Exception indicating that either calculating a signature or verifying an existing signature of a JWT failed.
+ *
+ * @since 0.1
+ * @deprecated in favor of {@link io.jsonwebtoken.security.SecurityException}; this class will be removed before 1.0
+ */
+@Deprecated
+public class SignatureException extends SecurityException {
+
+    public SignatureException(String message) {
+        super(message);
+    }
+
+    public SignatureException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SigningKeyResolver.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SigningKeyResolver.java
new file mode 100644
index 00000000000..fbd9887f983
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SigningKeyResolver.java
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import java.security.Key;
+
+/**
+ * A {@code SigningKeyResolver} can be used by a {@link io.jsonwebtoken.JwtParser JwtParser} to find a signing key that
+ * should be used to verify a JWS signature.
+ *
+ * <p>A {@code SigningKeyResolver} is necessary when the signing key is not already known before parsing the JWT and the
+ * JWT header or payload (plaintext body or Claims) must be inspected first to determine how to look up the signing key.
+ * Once returned by the resolver, the JwtParser will then verify the JWS signature with the returned key.  For
+ * example:</p>
+ *
+ * <pre>
+ * Jws&lt;Claims&gt; jws = Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter() {
+ *         &#64;Override
+ *         public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
+ *             //inspect the header or claims, lookup and return the signing key
+ *             return getSigningKeyBytes(header, claims); //implement me
+ *         }})
+ *     .parseClaimsJws(compact);
+ * </pre>
+ *
+ * <p>A {@code SigningKeyResolver} is invoked once during parsing before the signature is verified.</p>
+ *
+ * <h3>SigningKeyResolverAdapter</h3>
+ *
+ * <p>If you only need to resolve a signing key for a particular JWS (either a plaintext or Claims JWS), consider using
+ * the {@link io.jsonwebtoken.SigningKeyResolverAdapter} and overriding only the method you need to support instead of
+ * implementing this interface directly.</p>
+ *
+ * @see io.jsonwebtoken.SigningKeyResolverAdapter
+ * @since 0.4
+ */
+public interface SigningKeyResolver {
+
+    /**
+     * Returns the signing key that should be used to validate a digital signature for the Claims JWS with the specified
+     * header and claims.
+     *
+     * @param header the header of the JWS to validate
+     * @param claims the claims (body) of the JWS to validate
+     * @return the signing key that should be used to validate a digital signature for the Claims JWS with the specified
+     * header and claims.
+     */
+    Key resolveSigningKey(JwsHeader header, Claims claims);
+
+    /**
+     * Returns the signing key that should be used to validate a digital signature for the Plaintext JWS with the
+     * specified header and plaintext payload.
+     *
+     * @param header    the header of the JWS to validate
+     * @param plaintext the plaintext body of the JWS to validate
+     * @return the signing key that should be used to validate a digital signature for the Plaintext JWS with the
+     * specified header and plaintext payload.
+     */
+    Key resolveSigningKey(JwsHeader header, String plaintext);
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SigningKeyResolverAdapter.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SigningKeyResolverAdapter.java
new file mode 100644
index 00000000000..1be7ec55654
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SigningKeyResolverAdapter.java
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import io.jsonwebtoken.lang.Assert;
+
+import javax.crypto.spec.SecretKeySpec;
+import java.security.Key;
+
+/**
+ * An <a href="http://en.wikipedia.org/wiki/Adapter_pattern">Adapter</a> implementation of the
+ * {@link SigningKeyResolver} interface that allows subclasses to process only the type of JWS body that
+ * is known/expected for a particular case.
+ *
+ * <p>The {@link #resolveSigningKey(JwsHeader, Claims)} and {@link #resolveSigningKey(JwsHeader, String)} method
+ * implementations delegate to the
+ * {@link #resolveSigningKeyBytes(JwsHeader, Claims)} and {@link #resolveSigningKeyBytes(JwsHeader, String)} methods
+ * respectively.  The latter two methods simply throw exceptions:  they represent scenarios expected by
+ * calling code in known situations, and it is expected that you override the implementation in those known situations;
+ * non-overridden *KeyBytes methods indicates that the JWS input was unexpected.</p>
+ *
+ * <p>If either {@link #resolveSigningKey(JwsHeader, String)} or {@link #resolveSigningKey(JwsHeader, Claims)}
+ * are not overridden, one (or both) of the *KeyBytes variants must be overridden depending on your expected
+ * use case.  You do not have to override any method that does not represent an expected condition.</p>
+ *
+ * @since 0.4
+ */
+public class SigningKeyResolverAdapter implements SigningKeyResolver {
+
+    @Override
+    public Key resolveSigningKey(JwsHeader header, Claims claims) {
+        SignatureAlgorithm alg = SignatureAlgorithm.forName(header.getAlgorithm());
+        Assert.isTrue(alg.isHmac(), "The default resolveSigningKey(JwsHeader, Claims) implementation cannot be " +
+                                    "used for asymmetric key algorithms (RSA, Elliptic Curve).  " +
+                                    "Override the resolveSigningKey(JwsHeader, Claims) method instead and return a " +
+                                    "Key instance appropriate for the " + alg.name() + " algorithm.");
+        byte[] keyBytes = resolveSigningKeyBytes(header, claims);
+        return new SecretKeySpec(keyBytes, alg.getJcaName());
+    }
+
+    @Override
+    public Key resolveSigningKey(JwsHeader header, String plaintext) {
+        SignatureAlgorithm alg = SignatureAlgorithm.forName(header.getAlgorithm());
+        Assert.isTrue(alg.isHmac(), "The default resolveSigningKey(JwsHeader, String) implementation cannot be " +
+                                    "used for asymmetric key algorithms (RSA, Elliptic Curve).  " +
+                                    "Override the resolveSigningKey(JwsHeader, String) method instead and return a " +
+                                    "Key instance appropriate for the " + alg.name() + " algorithm.");
+        byte[] keyBytes = resolveSigningKeyBytes(header, plaintext);
+        return new SecretKeySpec(keyBytes, alg.getJcaName());
+    }
+
+    /**
+     * Convenience method invoked by {@link #resolveSigningKey(JwsHeader, Claims)} that obtains the necessary signing
+     * key bytes.  This implementation simply throws an exception: if the JWS parsed is a Claims JWS, you must
+     * override this method or the {@link #resolveSigningKey(JwsHeader, Claims)} method instead.
+     *
+     * <p><b>NOTE:</b> You cannot override this method when validating RSA signatures.  If you expect RSA signatures,
+     * you must override the {@link #resolveSigningKey(JwsHeader, Claims)} method instead.</p>
+     *
+     * @param header the parsed {@link JwsHeader}
+     * @param claims the parsed {@link Claims}
+     * @return the signing key bytes to use to verify the JWS signature.
+     */
+    public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
+        throw new UnsupportedJwtException("The specified SigningKeyResolver implementation does not support " +
+                                          "Claims JWS signing key resolution.  Consider overriding either the " +
+                                          "resolveSigningKey(JwsHeader, Claims) method or, for HMAC algorithms, the " +
+                                          "resolveSigningKeyBytes(JwsHeader, Claims) method.");
+    }
+
+    /**
+     * Convenience method invoked by {@link #resolveSigningKey(JwsHeader, String)} that obtains the necessary signing
+     * key bytes.  This implementation simply throws an exception: if the JWS parsed is a plaintext JWS, you must
+     * override this method or the {@link #resolveSigningKey(JwsHeader, String)} method instead.
+     *
+     * @param header the parsed {@link JwsHeader}
+     * @param payload the parsed String plaintext payload
+     * @return the signing key bytes to use to verify the JWS signature.
+     */
+    public byte[] resolveSigningKeyBytes(JwsHeader header, String payload) {
+        throw new UnsupportedJwtException("The specified SigningKeyResolver implementation does not support " +
+                                          "plaintext JWS signing key resolution.  Consider overriding either the " +
+                                          "resolveSigningKey(JwsHeader, String) method or, for HMAC algorithms, the " +
+                                          "resolveSigningKeyBytes(JwsHeader, String) method.");
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/UnsupportedJwtException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/UnsupportedJwtException.java
new file mode 100644
index 00000000000..3735f7d4257
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/UnsupportedJwtException.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * Exception thrown when receiving a JWT in a particular format/configuration that does not match the format expected
+ * by the application.
+ *
+ * <p>For example, this exception would be thrown if parsing an unsigned plaintext JWT when the application
+ * requires a cryptographically signed Claims JWS instead.</p>
+ *
+ * @since 0.2
+ */
+public class UnsupportedJwtException extends JwtException {
+
+    public UnsupportedJwtException(String message) {
+        super(message);
+    }
+
+    public UnsupportedJwtException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/impl/DefaultJwtParser.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/impl/DefaultJwtParser.java
new file mode 100644
index 00000000000..4eef6741d47
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/impl/DefaultJwtParser.java
@@ -0,0 +1,211 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.impl;
+
+import io.jsonwebtoken.ClaimJwtException;
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.Clock;
+import io.jsonwebtoken.CompressionCodec;
+import io.jsonwebtoken.CompressionCodecResolver;
+import io.jsonwebtoken.ExpiredJwtException;
+import io.jsonwebtoken.Header;
+import io.jsonwebtoken.IncorrectClaimException;
+import io.jsonwebtoken.InvalidClaimException;
+import io.jsonwebtoken.Jws;
+import io.jsonwebtoken.JwsHeader;
+import io.jsonwebtoken.Jwt;
+import io.jsonwebtoken.JwtHandler;
+import io.jsonwebtoken.JwtHandlerAdapter;
+import io.jsonwebtoken.JwtParser;
+import io.jsonwebtoken.MalformedJwtException;
+import io.jsonwebtoken.MissingClaimException;
+import io.jsonwebtoken.PrematureJwtException;
+import io.jsonwebtoken.SignatureAlgorithm;
+import io.jsonwebtoken.SigningKeyResolver;
+import io.jsonwebtoken.impl.crypto.JwtSignatureValidator;
+import io.jsonwebtoken.UnsupportedJwtException;
+import io.jsonwebtoken.io.Decoder;
+import io.jsonwebtoken.io.Decoders;
+import io.jsonwebtoken.io.DeserializationException;
+import io.jsonwebtoken.io.Deserializer;
+import io.jsonwebtoken.lang.Assert;
+import io.jsonwebtoken.lang.DateFormats;
+import io.jsonwebtoken.lang.Objects;
+import io.jsonwebtoken.lang.Strings;
+import io.jsonwebtoken.security.InvalidKeyException;
+import io.jsonwebtoken.security.SignatureException;
+import io.jsonwebtoken.security.WeakKeyException;
+
+import javax.crypto.spec.SecretKeySpec;
+import java.security.Key;
+import java.util.Date;
+import java.util.Map;
+
+@SuppressWarnings("unchecked")
+public class DefaultJwtParser implements JwtParser {
+    @Deprecated
+    public DefaultJwtParser() {
+    }
+
+    DefaultJwtParser(SigningKeyResolver signingKeyResolver, Key key, byte[] keyBytes, Clock clock,
+            long allowedClockSkewMillis, Claims expectedClaims, Decoder<String, byte[]> base64UrlDecoder,
+            Deserializer<Map<String, ?>> deserializer, CompressionCodecResolver compressionCodecResolver) {
+    }
+
+    @Override
+    public JwtParser deserializeJsonWith(Deserializer<Map<String, ?>> deserializer) {
+        return null;
+    }
+
+    @Override
+    public JwtParser base64UrlDecodeWith(Decoder<String, byte[]> base64UrlDecoder) {
+        return null;
+    }
+
+    @Override
+    public JwtParser requireIssuedAt(Date issuedAt) {
+        return null;
+    }
+
+    @Override
+    public JwtParser requireIssuer(String issuer) {
+        return null;
+    }
+
+    @Override
+    public JwtParser requireAudience(String audience) {
+        return null;
+    }
+
+    @Override
+    public JwtParser requireSubject(String subject) {
+        return null;
+    }
+
+    @Override
+    public JwtParser requireId(String id) {
+        return null;
+    }
+
+    @Override
+    public JwtParser requireExpiration(Date expiration) {
+        return null;
+    }
+
+    @Override
+    public JwtParser requireNotBefore(Date notBefore) {
+        return null;
+    }
+
+    @Override
+    public JwtParser require(String claimName, Object value) {
+        return null;
+    }
+
+    @Override
+    public JwtParser setClock(Clock clock) {
+        return null;
+    }
+
+    @Override
+    public JwtParser setAllowedClockSkewSeconds(long seconds) throws IllegalArgumentException {
+        return null;
+    }
+
+    @Override
+    public JwtParser setSigningKey(byte[] key) {
+        return null;
+    }
+
+    @Override
+    public JwtParser setSigningKey(String base64EncodedSecretKey) {
+        return null;
+    }
+
+    @Override
+    public JwtParser setSigningKey(Key key) {
+        return null;
+    }
+
+    @Override
+    public JwtParser setSigningKeyResolver(SigningKeyResolver signingKeyResolver) {
+        return null;
+    }
+
+    @Override
+    public JwtParser setCompressionCodecResolver(CompressionCodecResolver compressionCodecResolver) {
+        return null;
+    }
+
+    @Override
+    public boolean isSigned(String jwt) {
+        return false;
+    }
+
+    @Override
+    public Jwt parse(String jwt) throws ExpiredJwtException, MalformedJwtException, SignatureException {
+        return null;
+    }
+
+    /**
+     * @since 0.10.0
+     */
+    private static Object normalize(Object o) {
+        return null;
+    }
+
+    private void validateExpectedClaims(Header header, Claims claims) {
+        return;
+    }
+
+    /*
+     * @since 0.5 mostly to allow testing overrides
+     */
+    protected JwtSignatureValidator createSignatureValidator(SignatureAlgorithm alg, Key key) {
+        return null;
+    }
+
+    @Override
+    public <T> T parse(String compact, JwtHandler<T> handler)
+            throws ExpiredJwtException, MalformedJwtException, SignatureException {
+        return null;
+    }
+
+    @Override
+    public Jwt<Header, String> parsePlaintextJwt(String plaintextJwt) {
+        return null;
+    }
+
+    @Override
+    public Jwt<Header, Claims> parseClaimsJwt(String claimsJwt) {
+        return null;
+    }
+
+    @Override
+    public Jws<String> parsePlaintextJws(String plaintextJws) {
+        return null;
+    }
+
+    @Override
+    public Jws<Claims> parseClaimsJws(String claimsJws) {
+        return null;
+    }
+
+    @SuppressWarnings("unchecked")
+    protected Map<String, ?> readValue(String val) {
+        return null;
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/impl/crypto/JwtSignatureValidator.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/impl/crypto/JwtSignatureValidator.java
new file mode 100644
index 00000000000..a7175070bfe
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/impl/crypto/JwtSignatureValidator.java
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.impl.crypto;
+
+public interface JwtSignatureValidator {
+
+    boolean isValid(String jwtWithoutSignature, String base64UrlEncodedSignature);
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64.java
new file mode 100644
index 00000000000..201e3c543e2
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64.java
@@ -0,0 +1,680 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+import java.util.Arrays;
+
+/**
+ * A very fast and memory efficient class to encode and decode to and from BASE64 or BASE64URL in full accordance
+ * with <a href="https://tools.ietf.org/html/rfc4648">RFC 4648</a>.
+ *
+ * <p>Based initially on MigBase64 with continued modifications for Base64 URL support and JDK-standard code formatting.</p>
+ *
+ * <p>This encode/decode algorithm doesn't create any temporary arrays as many other codecs do, it only
+ * allocates the resulting array. This produces less garbage and it is possible to handle arrays twice
+ * as large as algorithms that create a temporary array.</p>
+ *
+ * <p>There is also a "fast" version of all decode methods that works the same way as the normal ones, but
+ * has a few demands on the decoded input. Normally though, these fast versions should be used if the source if
+ * the input is known and it hasn't bee tampered with.</p>
+ *
+ * @author Mikael Grev
+ * @author Les Hazlewood
+ * @since 0.10.0
+ */
+@SuppressWarnings("Duplicates")
+final class Base64 { //final and package-protected on purpose
+
+    private static final char[] BASE64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".toCharArray();
+    private static final char[] BASE64URL_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_".toCharArray();
+    private static final int[] BASE64_IALPHABET = new int[256];
+    private static final int[] BASE64URL_IALPHABET = new int[256];
+    private static final int IALPHABET_MAX_INDEX = BASE64_IALPHABET.length - 1;
+
+    static {
+        Arrays.fill(BASE64_IALPHABET, -1);
+        System.arraycopy(BASE64_IALPHABET, 0, BASE64URL_IALPHABET, 0, BASE64_IALPHABET.length);
+        for (int i = 0, iS = BASE64_ALPHABET.length; i < iS; i++) {
+            BASE64_IALPHABET[BASE64_ALPHABET[i]] = i;
+            BASE64URL_IALPHABET[BASE64URL_ALPHABET[i]] = i;
+        }
+        BASE64_IALPHABET['='] = 0;
+        BASE64URL_IALPHABET['='] = 0;
+    }
+
+    static final Base64 DEFAULT = new Base64(false);
+    static final Base64 URL_SAFE = new Base64(true);
+
+    private final boolean urlsafe;
+    private final char[] ALPHABET;
+    private final int[] IALPHABET;
+
+    private Base64(boolean urlsafe) {
+        this.urlsafe = urlsafe;
+        this.ALPHABET = urlsafe ? BASE64URL_ALPHABET : BASE64_ALPHABET;
+        this.IALPHABET = urlsafe ? BASE64URL_IALPHABET : BASE64_IALPHABET;
+    }
+
+    // ****************************************************************************************
+    // *  char[] version
+    // ****************************************************************************************
+
+    private String getName() {
+        return urlsafe ? "base64url" : "base64"; // RFC 4648 codec names are all lowercase
+    }
+
+    /**
+     * Encodes a raw byte array into a BASE64 <code>char[]</code> representation in accordance with RFC 2045.
+     *
+     * @param sArr    The bytes to convert. If <code>null</code> or length 0 an empty array will be returned.
+     * @param lineSep Optional "\r\n" after 76 characters, unless end of file.<br>
+     *                No line separator will be in breach of RFC 2045 which specifies max 76 per line but will be a
+     *                little faster.
+     * @return A BASE64 encoded array. Never <code>null</code>.
+     */
+    private char[] encodeToChar(byte[] sArr, boolean lineSep) {
+
+        // Check special case
+        int sLen = sArr != null ? sArr.length : 0;
+        if (sLen == 0) {
+            return new char[0];
+        }
+
+        int eLen = (sLen / 3) * 3; // # of bytes that can encode evenly into 24-bit chunks
+        int left = sLen - eLen;    // # of bytes that remain after 24-bit chunking. Always 0, 1 or 2
+
+        int cCnt = (((sLen - 1) / 3 + 1) << 2); // # of base64-encoded characters including padding
+        int dLen = cCnt + (lineSep ? (cCnt - 1) / 76 << 1 : 0); // Length of returned char array with padding and any line separators
+
+        int padCount = 0;
+        if (left == 2) {
+            padCount = 1;
+        } else if (left == 1) {
+            padCount = 2;
+        }
+
+        char[] dArr = new char[urlsafe ? (dLen - padCount) : dLen];
+
+        // Encode even 24-bits
+        for (int s = 0, d = 0, cc = 0; s < eLen; ) {
+
+            // Copy next three bytes into lower 24 bits of int, paying attension to sign.
+            int i = (sArr[s++] & 0xff) << 16 | (sArr[s++] & 0xff) << 8 | (sArr[s++] & 0xff);
+
+            // Encode the int into four chars
+            dArr[d++] = ALPHABET[(i >>> 18) & 0x3f];
+            dArr[d++] = ALPHABET[(i >>> 12) & 0x3f];
+            dArr[d++] = ALPHABET[(i >>> 6) & 0x3f];
+            dArr[d++] = ALPHABET[i & 0x3f];
+
+            // Add optional line separator
+            if (lineSep && ++cc == 19 && d < dLen - 2) {
+                dArr[d++] = '\r';
+                dArr[d++] = '\n';
+                cc = 0;
+            }
+        }
+
+        // Pad and encode last bits if source isn't even 24 bits.
+        if (left > 0) {
+            // Prepare the int
+            int i = ((sArr[eLen] & 0xff) << 10) | (left == 2 ? ((sArr[sLen - 1] & 0xff) << 2) : 0);
+
+            // Set last four chars
+            dArr[dLen - 4] = ALPHABET[i >> 12];
+            dArr[dLen - 3] = ALPHABET[(i >>> 6) & 0x3f];
+            //dArr[dLen - 2] = left == 2 ? ALPHABET[i & 0x3f] : '=';
+            //dArr[dLen - 1] = '=';
+            if (left == 2) {
+                dArr[dLen - 2] = ALPHABET[i & 0x3f];
+            } else if (!urlsafe) { // if not urlsafe, we need to include the padding characters
+                dArr[dLen - 2] = '=';
+            }
+            if (!urlsafe) { // include padding
+                dArr[dLen - 1] = '=';
+            }
+        }
+        return dArr;
+    }
+
+    /*
+     * Decodes a BASE64 encoded char array. All illegal characters will be ignored and can handle both arrays with
+     * and without line separators.
+     *
+     * @param sArr The source array. <code>null</code> or length 0 will return an empty array.
+     * @return The decoded array of bytes. May be of length 0. Will be <code>null</code> if the legal characters
+     * (including '=') isn't divideable by 4.  (I.e. definitely corrupted).
+     *
+    public final byte[] decode(char[] sArr) {
+        // Check special case
+        int sLen = sArr != null ? sArr.length : 0;
+        if (sLen == 0) {
+            return new byte[0];
+        }
+
+        // Count illegal characters (including '\r', '\n') to know what size the returned array will be,
+        // so we don't have to reallocate & copy it later.
+        int sepCnt = 0; // Number of separator characters. (Actually illegal characters, but that's a bonus...)
+        for (int i = 0; i < sLen; i++) { // If input is "pure" (I.e. no line separators or illegal chars) base64 this loop can be commented out.
+            if (IALPHABET[sArr[i]] < 0) {
+                sepCnt++;
+            }
+        }
+
+        // Check so that legal chars (including '=') are evenly divideable by 4 as specified in RFC 2045.
+        if ((sLen - sepCnt) % 4 != 0) {
+            return null;
+        }
+
+        int pad = 0;
+        for (int i = sLen; i > 1 && IALPHABET[sArr[--i]] <= 0; ) {
+            if (sArr[i] == '=') {
+                pad++;
+            }
+        }
+
+        int len = ((sLen - sepCnt) * 6 >> 3) - pad;
+
+        byte[] dArr = new byte[len];       // Preallocate byte[] of exact length
+
+        for (int s = 0, d = 0; d < len; ) {
+            // Assemble three bytes into an int from four "valid" characters.
+            int i = 0;
+            for (int j = 0; j < 4; j++) {   // j only increased if a valid char was found.
+                int c = IALPHABET[sArr[s++]];
+                if (c >= 0) {
+                    i |= c << (18 - j * 6);
+                } else {
+                    j--;
+                }
+            }
+            // Add the bytes
+            dArr[d++] = (byte) (i >> 16);
+            if (d < len) {
+                dArr[d++] = (byte) (i >> 8);
+                if (d < len) {
+                    dArr[d++] = (byte) i;
+                }
+            }
+        }
+        return dArr;
+    }
+    */
+
+    private int ctoi(char c) {
+        int i = c > IALPHABET_MAX_INDEX ? -1 : IALPHABET[c];
+        if (i < 0) {
+            String msg = "Illegal " + getName() + " character: '" + c + "'";
+            throw new DecodingException(msg);
+        }
+        return i;
+    }
+
+    /**
+     * Decodes a BASE64 encoded char array that is known to be reasonably well formatted. The preconditions are:<br>
+     * + The array must have a line length of 76 chars OR no line separators at all (one line).<br>
+     * + Line separator must be "\r\n", as specified in RFC 2045
+     * + The array must not contain illegal characters within the encoded string<br>
+     * + The array CAN have illegal characters at the beginning and end, those will be dealt with appropriately.<br>
+     *
+     * @param sArr The source array. Length 0 will return an empty array. <code>null</code> will throw an exception.
+     * @return The decoded array of bytes. May be of length 0.
+     * @throws DecodingException on illegal input
+     */
+    final byte[] decodeFast(char[] sArr) throws DecodingException {
+
+        // Check special case
+        int sLen = sArr != null ? sArr.length : 0;
+        if (sLen == 0) {
+            return new byte[0];
+        }
+
+        int sIx = 0, eIx = sLen - 1;    // Start and end index after trimming.
+
+        // Trim illegal chars from start
+        while (sIx < eIx && IALPHABET[sArr[sIx]] < 0) {
+            sIx++;
+        }
+
+        // Trim illegal chars from end
+        while (eIx > 0 && IALPHABET[sArr[eIx]] < 0) {
+            eIx--;
+        }
+
+        // get the padding count (=) (0, 1 or 2)
+        int pad = sArr[eIx] == '=' ? (sArr[eIx - 1] == '=' ? 2 : 1) : 0;  // Count '=' at end.
+        int cCnt = eIx - sIx + 1;   // Content count including possible separators
+        int sepCnt = sLen > 76 ? (sArr[76] == '\r' ? cCnt / 78 : 0) << 1 : 0;
+
+        int len = ((cCnt - sepCnt) * 6 >> 3) - pad; // The number of decoded bytes
+        byte[] dArr = new byte[len];       // Preallocate byte[] of exact length
+
+        // Decode all but the last 0 - 2 bytes.
+        int d = 0;
+        for (int cc = 0, eLen = (len / 3) * 3; d < eLen; ) {
+
+            // Assemble three bytes into an int from four "valid" characters.
+            int i = ctoi(sArr[sIx++]) << 18 | ctoi(sArr[sIx++]) << 12 | ctoi(sArr[sIx++]) << 6 | ctoi(sArr[sIx++]);
+
+            // Add the bytes
+            dArr[d++] = (byte) (i >> 16);
+            dArr[d++] = (byte) (i >> 8);
+            dArr[d++] = (byte) i;
+
+            // If line separator, jump over it.
+            if (sepCnt > 0 && ++cc == 19) {
+                sIx += 2;
+                cc = 0;
+            }
+        }
+
+        if (d < len) {
+            // Decode last 1-3 bytes (incl '=') into 1-3 bytes
+            int i = 0;
+            for (int j = 0; sIx <= eIx - pad; j++) {
+                i |= ctoi(sArr[sIx++]) << (18 - j * 6);
+            }
+
+            for (int r = 16; d < len; r -= 8) {
+                dArr[d++] = (byte) (i >> r);
+            }
+        }
+
+        return dArr;
+    }
+
+    // ****************************************************************************************
+    // *  byte[] version
+    // ****************************************************************************************
+
+    /*
+     * Encodes a raw byte array into a BASE64 <code>byte[]</code> representation i accordance with RFC 2045.
+     *
+     * @param sArr    The bytes to convert. If <code>null</code> or length 0 an empty array will be returned.
+     * @param lineSep Optional "\r\n" after 76 characters, unless end of file.<br>
+     *                No line separator will be in breach of RFC 2045 which specifies max 76 per line but will be a
+     *                little faster.
+     * @return A BASE64 encoded array. Never <code>null</code>.
+     *
+    public final byte[] encodeToByte(byte[] sArr, boolean lineSep) {
+        return encodeToByte(sArr, 0, sArr != null ? sArr.length : 0, lineSep);
+    }
+
+    /**
+     * Encodes a raw byte array into a BASE64 <code>byte[]</code> representation i accordance with RFC 2045.
+     *
+     * @param sArr    The bytes to convert. If <code>null</code> an empty array will be returned.
+     * @param sOff    The starting position in the bytes to convert.
+     * @param sLen    The number of bytes to convert. If 0 an empty array will be returned.
+     * @param lineSep Optional "\r\n" after 76 characters, unless end of file.<br>
+     *                No line separator will be in breach of RFC 2045 which specifies max 76 per line but will be a
+     *                little faster.
+     * @return A BASE64 encoded array. Never <code>null</code>.
+     *
+    public final byte[] encodeToByte(byte[] sArr, int sOff, int sLen, boolean lineSep) {
+
+        // Check special case
+        if (sArr == null || sLen == 0) {
+            return new byte[0];
+        }
+
+        int eLen = (sLen / 3) * 3;                              // Length of even 24-bits.
+        int cCnt = ((sLen - 1) / 3 + 1) << 2;                   // Returned character count
+        int dLen = cCnt + (lineSep ? (cCnt - 1) / 76 << 1 : 0); // Length of returned array
+        byte[] dArr = new byte[dLen];
+
+        // Encode even 24-bits
+        for (int s = sOff, d = 0, cc = 0; s < sOff + eLen; ) {
+
+            // Copy next three bytes into lower 24 bits of int, paying attension to sign.
+            int i = (sArr[s++] & 0xff) << 16 | (sArr[s++] & 0xff) << 8 | (sArr[s++] & 0xff);
+
+            // Encode the int into four chars
+            dArr[d++] = (byte) ALPHABET[(i >>> 18) & 0x3f];
+            dArr[d++] = (byte) ALPHABET[(i >>> 12) & 0x3f];
+            dArr[d++] = (byte) ALPHABET[(i >>> 6) & 0x3f];
+            dArr[d++] = (byte) ALPHABET[i & 0x3f];
+
+            // Add optional line separator
+            if (lineSep && ++cc == 19 && d < dLen - 2) {
+                dArr[d++] = '\r';
+                dArr[d++] = '\n';
+                cc = 0;
+            }
+        }
+
+        // Pad and encode last bits if source isn't an even 24 bits.
+        int left = sLen - eLen; // 0 - 2.
+        if (left > 0) {
+            // Prepare the int
+            int i = ((sArr[sOff + eLen] & 0xff) << 10) | (left == 2 ? ((sArr[sOff + sLen - 1] & 0xff) << 2) : 0);
+
+            // Set last four chars
+            dArr[dLen - 4] = (byte) ALPHABET[i >> 12];
+            dArr[dLen - 3] = (byte) ALPHABET[(i >>> 6) & 0x3f];
+            dArr[dLen - 2] = left == 2 ? (byte) ALPHABET[i & 0x3f] : (byte) '=';
+            dArr[dLen - 1] = '=';
+        }
+        return dArr;
+    }
+
+    /**
+     * Decodes a BASE64 encoded byte array. All illegal characters will be ignored and can handle both arrays with
+     * and without line separators.
+     *
+     * @param sArr The source array. Length 0 will return an empty array. <code>null</code> will throw an exception.
+     * @return The decoded array of bytes. May be of length 0. Will be <code>null</code> if the legal characters
+     * (including '=') isn't divideable by 4. (I.e. definitely corrupted).
+     *
+    public final byte[] decode(byte[] sArr) {
+        return decode(sArr, 0, sArr.length);
+    }
+
+    /**
+     * Decodes a BASE64 encoded byte array. All illegal characters will be ignored and can handle both arrays with
+     * and without line separators.
+     *
+     * @param sArr The source array. <code>null</code> will throw an exception.
+     * @param sOff The starting position in the source array.
+     * @param sLen The number of bytes to decode from the source array. Length 0 will return an empty array.
+     * @return The decoded array of bytes. May be of length 0. Will be <code>null</code> if the legal characters
+     * (including '=') isn't divideable by 4. (I.e. definitely corrupted).
+     *
+    public final byte[] decode(byte[] sArr, int sOff, int sLen) {
+
+        // Count illegal characters (including '\r', '\n') to know what size the returned array will be,
+        // so we don't have to reallocate & copy it later.
+        int sepCnt = 0; // Number of separator characters. (Actually illegal characters, but that's a bonus...)
+        for (int i = 0; i < sLen; i++) {     // If input is "pure" (I.e. no line separators or illegal chars) base64 this loop can be commented out.
+            if (IALPHABET[sArr[sOff + i] & 0xff] < 0) {
+                sepCnt++;
+            }
+        }
+
+        // Check so that legal chars (including '=') are evenly divideable by 4 as specified in RFC 2045.
+        if ((sLen - sepCnt) % 4 != 0) {
+            return null;
+        }
+
+        int pad = 0;
+        for (int i = sLen; i > 1 && IALPHABET[sArr[sOff + --i] & 0xff] <= 0; ) {
+            if (sArr[sOff + i] == '=') {
+                pad++;
+            }
+        }
+
+        int len = ((sLen - sepCnt) * 6 >> 3) - pad;
+
+        byte[] dArr = new byte[len];       // Preallocate byte[] of exact length
+
+        for (int s = 0, d = 0; d < len; ) {
+            // Assemble three bytes into an int from four "valid" characters.
+            int i = 0;
+            for (int j = 0; j < 4; j++) {   // j only increased if a valid char was found.
+                int c = IALPHABET[sArr[sOff + s++] & 0xff];
+                if (c >= 0) {
+                    i |= c << (18 - j * 6);
+                } else {
+                    j--;
+                }
+            }
+
+            // Add the bytes
+            dArr[d++] = (byte) (i >> 16);
+            if (d < len) {
+                dArr[d++] = (byte) (i >> 8);
+                if (d < len) {
+                    dArr[d++] = (byte) i;
+                }
+            }
+        }
+
+        return dArr;
+    }
+
+
+    /*
+     * Decodes a BASE64 encoded byte array that is known to be resonably well formatted. The method is about twice as
+     * fast as {@link #decode(byte[])}. The preconditions are:<br>
+     * + The array must have a line length of 76 chars OR no line separators at all (one line).<br>
+     * + Line separator must be "\r\n", as specified in RFC 2045
+     * + The array must not contain illegal characters within the encoded string<br>
+     * + The array CAN have illegal characters at the beginning and end, those will be dealt with appropriately.<br>
+     *
+     * @param sArr The source array. Length 0 will return an empty array. <code>null</code> will throw an exception.
+     * @return The decoded array of bytes. May be of length 0.
+     *
+    public final byte[] decodeFast(byte[] sArr) {
+
+        // Check special case
+        int sLen = sArr.length;
+        if (sLen == 0) {
+            return new byte[0];
+        }
+
+        int sIx = 0, eIx = sLen - 1;    // Start and end index after trimming.
+
+        // Trim illegal chars from start
+        while (sIx < eIx && IALPHABET[sArr[sIx] & 0xff] < 0) {
+            sIx++;
+        }
+
+        // Trim illegal chars from end
+        while (eIx > 0 && IALPHABET[sArr[eIx] & 0xff] < 0) {
+            eIx--;
+        }
+
+        // get the padding count (=) (0, 1 or 2)
+        int pad = sArr[eIx] == '=' ? (sArr[eIx - 1] == '=' ? 2 : 1) : 0;  // Count '=' at end.
+        int cCnt = eIx - sIx + 1;   // Content count including possible separators
+        int sepCnt = sLen > 76 ? (sArr[76] == '\r' ? cCnt / 78 : 0) << 1 : 0;
+
+        int len = ((cCnt - sepCnt) * 6 >> 3) - pad; // The number of decoded bytes
+        byte[] dArr = new byte[len];       // Preallocate byte[] of exact length
+
+        // Decode all but the last 0 - 2 bytes.
+        int d = 0;
+        for (int cc = 0, eLen = (len / 3) * 3; d < eLen; ) {
+
+            // Assemble three bytes into an int from four "valid" characters.
+            int i = IALPHABET[sArr[sIx++]] << 18 | IALPHABET[sArr[sIx++]] << 12 | IALPHABET[sArr[sIx++]] << 6 | IALPHABET[sArr[sIx++]];
+
+            // Add the bytes
+            dArr[d++] = (byte) (i >> 16);
+            dArr[d++] = (byte) (i >> 8);
+            dArr[d++] = (byte) i;
+
+            // If line separator, jump over it.
+            if (sepCnt > 0 && ++cc == 19) {
+                sIx += 2;
+                cc = 0;
+            }
+        }
+
+        if (d < len) {
+            // Decode last 1-3 bytes (incl '=') into 1-3 bytes
+            int i = 0;
+            for (int j = 0; sIx <= eIx - pad; j++) {
+                i |= IALPHABET[sArr[sIx++]] << (18 - j * 6);
+            }
+
+            for (int r = 16; d < len; r -= 8) {
+                dArr[d++] = (byte) (i >> r);
+            }
+        }
+
+        return dArr;
+    }
+    */
+
+    // ****************************************************************************************
+    // * String version
+    // ****************************************************************************************
+
+    /**
+     * Encodes a raw byte array into a BASE64 <code>String</code> representation i accordance with RFC 2045.
+     *
+     * @param sArr    The bytes to convert. If <code>null</code> or length 0 an empty array will be returned.
+     * @param lineSep Optional "\r\n" after 76 characters, unless end of file.<br>
+     *                No line separator will be in breach of RFC 2045 which specifies max 76 per line but will be a
+     *                little faster.
+     * @return A BASE64 encoded array. Never <code>null</code>.
+     */
+    final String encodeToString(byte[] sArr, boolean lineSep) {
+        // Reuse char[] since we can't create a String incrementally anyway and StringBuffer/Builder would be slower.
+        return new String(encodeToChar(sArr, lineSep));
+    }
+
+    /*
+     * Decodes a BASE64 encoded <code>String</code>. All illegal characters will be ignored and can handle both strings with
+     * and without line separators.<br>
+     * <b>Note!</b> It can be up to about 2x the speed to call <code>decode(str.toCharArray())</code> instead. That
+     * will create a temporary array though. This version will use <code>str.charAt(i)</code> to iterate the string.
+     *
+     * @param str The source string. <code>null</code> or length 0 will return an empty array.
+     * @return The decoded array of bytes. May be of length 0. Will be <code>null</code> if the legal characters
+     * (including '=') isn't divideable by 4.  (I.e. definitely corrupted).
+     *
+    public final byte[] decode(String str) {
+
+        // Check special case
+        int sLen = str != null ? str.length() : 0;
+        if (sLen == 0) {
+            return new byte[0];
+        }
+
+        // Count illegal characters (including '\r', '\n') to know what size the returned array will be,
+        // so we don't have to reallocate & copy it later.
+        int sepCnt = 0; // Number of separator characters. (Actually illegal characters, but that's a bonus...)
+        for (int i = 0; i < sLen; i++) { // If input is "pure" (I.e. no line separators or illegal chars) base64 this loop can be commented out.
+            if (IALPHABET[str.charAt(i)] < 0) {
+                sepCnt++;
+            }
+        }
+
+        // Check so that legal chars (including '=') are evenly divideable by 4 as specified in RFC 2045.
+        if ((sLen - sepCnt) % 4 != 0) {
+            return null;
+        }
+
+        // Count '=' at end
+        int pad = 0;
+        for (int i = sLen; i > 1 && IALPHABET[str.charAt(--i)] <= 0; ) {
+            if (str.charAt(i) == '=') {
+                pad++;
+            }
+        }
+
+        int len = ((sLen - sepCnt) * 6 >> 3) - pad;
+
+        byte[] dArr = new byte[len];       // Preallocate byte[] of exact length
+
+        for (int s = 0, d = 0; d < len; ) {
+            // Assemble three bytes into an int from four "valid" characters.
+            int i = 0;
+            for (int j = 0; j < 4; j++) {   // j only increased if a valid char was found.
+                int c = IALPHABET[str.charAt(s++)];
+                if (c >= 0) {
+                    i |= c << (18 - j * 6);
+                } else {
+                    j--;
+                }
+            }
+            // Add the bytes
+            dArr[d++] = (byte) (i >> 16);
+            if (d < len) {
+                dArr[d++] = (byte) (i >> 8);
+                if (d < len) {
+                    dArr[d++] = (byte) i;
+                }
+            }
+        }
+        return dArr;
+    }
+
+    /**
+     * Decodes a BASE64 encoded string that is known to be resonably well formatted. The method is about twice as
+     * fast as {@link #decode(String)}. The preconditions are:<br>
+     * + The array must have a line length of 76 chars OR no line separators at all (one line).<br>
+     * + Line separator must be "\r\n", as specified in RFC 2045
+     * + The array must not contain illegal characters within the encoded string<br>
+     * + The array CAN have illegal characters at the beginning and end, those will be dealt with appropriately.<br>
+     *
+     * @param s The source string. Length 0 will return an empty array. <code>null</code> will throw an exception.
+     * @return The decoded array of bytes. May be of length 0.
+     *
+    public final byte[] decodeFast(String s) {
+
+        // Check special case
+        int sLen = s.length();
+        if (sLen == 0) {
+            return new byte[0];
+        }
+
+        int sIx = 0, eIx = sLen - 1;    // Start and end index after trimming.
+
+        // Trim illegal chars from start
+        while (sIx < eIx && IALPHABET[s.charAt(sIx) & 0xff] < 0) {
+            sIx++;
+        }
+
+        // Trim illegal chars from end
+        while (eIx > 0 && IALPHABET[s.charAt(eIx) & 0xff] < 0) {
+            eIx--;
+        }
+
+        // get the padding count (=) (0, 1 or 2)
+        int pad = s.charAt(eIx) == '=' ? (s.charAt(eIx - 1) == '=' ? 2 : 1) : 0;  // Count '=' at end.
+        int cCnt = eIx - sIx + 1;   // Content count including possible separators
+        int sepCnt = sLen > 76 ? (s.charAt(76) == '\r' ? cCnt / 78 : 0) << 1 : 0;
+
+        int len = ((cCnt - sepCnt) * 6 >> 3) - pad; // The number of decoded bytes
+        byte[] dArr = new byte[len];       // Preallocate byte[] of exact length
+
+        // Decode all but the last 0 - 2 bytes.
+        int d = 0;
+        for (int cc = 0, eLen = (len / 3) * 3; d < eLen; ) {
+            // Assemble three bytes into an int from four "valid" characters.
+            int i = IALPHABET[s.charAt(sIx++)] << 18 | IALPHABET[s.charAt(sIx++)] << 12 | IALPHABET[s.charAt(sIx++)] << 6 | IALPHABET[s.charAt(sIx++)];
+
+            // Add the bytes
+            dArr[d++] = (byte) (i >> 16);
+            dArr[d++] = (byte) (i >> 8);
+            dArr[d++] = (byte) i;
+
+            // If line separator, jump over it.
+            if (sepCnt > 0 && ++cc == 19) {
+                sIx += 2;
+                cc = 0;
+            }
+        }
+
+        if (d < len) {
+            // Decode last 1-3 bytes (incl '=') into 1-3 bytes
+            int i = 0;
+            for (int j = 0; sIx <= eIx - pad; j++) {
+                i |= IALPHABET[s.charAt(sIx++)] << (18 - j * 6);
+            }
+
+            for (int r = 16; d < len; r -= 8) {
+                dArr[d++] = (byte) (i >> r);
+            }
+        }
+
+        return dArr;
+    }
+    */
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Decoder.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Decoder.java
new file mode 100644
index 00000000000..3c8bc817daa
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Decoder.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+import io.jsonwebtoken.lang.Assert;
+
+/**
+ * @since 0.10.0
+ */
+class Base64Decoder extends Base64Support implements Decoder<String, byte[]> {
+
+    Base64Decoder() {
+        super(Base64.DEFAULT);
+    }
+
+    Base64Decoder(Base64 base64) {
+        super(base64);
+    }
+
+    @Override
+    public byte[] decode(String s) throws DecodingException {
+        Assert.notNull(s, "String argument cannot be null");
+        return this.base64.decodeFast(s.toCharArray());
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Encoder.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Encoder.java
new file mode 100644
index 00000000000..963d8810c7b
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Encoder.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+import io.jsonwebtoken.lang.Assert;
+
+/**
+ * @since 0.10.0
+ */
+class Base64Encoder extends Base64Support implements Encoder<byte[], String> {
+
+    Base64Encoder() {
+        super(Base64.DEFAULT);
+    }
+
+    Base64Encoder(Base64 base64) {
+        super(base64);
+    }
+
+    @Override
+    public String encode(byte[] bytes) throws EncodingException {
+        Assert.notNull(bytes, "byte array argument cannot be null");
+        return this.base64.encodeToString(bytes, false);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Support.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Support.java
new file mode 100644
index 00000000000..eed404d5834
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Support.java
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+import io.jsonwebtoken.lang.Assert;
+
+/**
+ * @since 0.10.0
+ */
+class Base64Support {
+
+    protected final Base64 base64;
+
+    Base64Support(Base64 base64) {
+        Assert.notNull(base64, "Base64 argument cannot be null");
+        this.base64 = base64;
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64UrlDecoder.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64UrlDecoder.java
new file mode 100644
index 00000000000..0d26d948fad
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64UrlDecoder.java
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+/**
+ * @since 0.10.0
+ */
+class Base64UrlDecoder extends Base64Decoder {
+
+    Base64UrlDecoder() {
+        super(Base64.URL_SAFE);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64UrlEncoder.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64UrlEncoder.java
new file mode 100644
index 00000000000..86781922259
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64UrlEncoder.java
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+/**
+ * @since 0.10.0
+ */
+class Base64UrlEncoder extends Base64Encoder {
+
+    Base64UrlEncoder() {
+        super(Base64.URL_SAFE);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/CodecException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/CodecException.java
new file mode 100644
index 00000000000..5b449bd97e0
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/CodecException.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+/**
+ * @since 0.10.0
+ */
+public class CodecException extends IOException {
+
+    public CodecException(String message) {
+        super(message);
+    }
+
+    public CodecException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Decoder.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Decoder.java
new file mode 100644
index 00000000000..f9f2c189073
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Decoder.java
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+/**
+ * @since 0.10.0
+ */
+public interface Decoder<T, R> {
+
+    R decode(T t) throws DecodingException;
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Decoders.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Decoders.java
new file mode 100644
index 00000000000..3e95c28d754
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Decoders.java
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+/**
+ * @since 0.10.0
+ */
+public final class Decoders {
+
+    public static final Decoder<String, byte[]> BASE64 = new ExceptionPropagatingDecoder<>(new Base64Decoder());
+    public static final Decoder<String, byte[]> BASE64URL = new ExceptionPropagatingDecoder<>(new Base64UrlDecoder());
+
+    private Decoders() { //prevent instantiation
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/DecodingException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/DecodingException.java
new file mode 100644
index 00000000000..0bbe62a160e
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/DecodingException.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+/**
+ * @since 0.10.0
+ */
+public class DecodingException extends CodecException {
+
+    public DecodingException(String message) {
+        super(message);
+    }
+
+    public DecodingException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/DeserializationException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/DeserializationException.java
new file mode 100644
index 00000000000..59559666a47
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/DeserializationException.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+/**
+ * @since 0.10.0
+ */
+public class DeserializationException extends SerialException {
+
+    public DeserializationException(String msg) {
+        super(msg);
+    }
+
+    public DeserializationException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Deserializer.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Deserializer.java
new file mode 100644
index 00000000000..f66a73edb91
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Deserializer.java
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+/**
+ * @since 0.10.0
+ */
+public interface Deserializer<T> {
+
+    T deserialize(byte[] bytes) throws DeserializationException;
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Encoder.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Encoder.java
new file mode 100644
index 00000000000..6b28f31ec82
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Encoder.java
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+/**
+ * @since 0.10.0
+ */
+public interface Encoder<T, R> {
+
+    R encode(T t) throws EncodingException;
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Encoders.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Encoders.java
new file mode 100644
index 00000000000..3b7c060f617
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Encoders.java
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+/**
+ * @since 0.10.0
+ */
+public final class Encoders {
+
+    public static final Encoder<byte[], String> BASE64 = new ExceptionPropagatingEncoder<>(new Base64Encoder());
+    public static final Encoder<byte[], String> BASE64URL = new ExceptionPropagatingEncoder<>(new Base64UrlEncoder());
+
+    private Encoders() { //prevent instantiation
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/EncodingException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/EncodingException.java
new file mode 100644
index 00000000000..5b65389a1ff
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/EncodingException.java
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+/**
+ * @since 0.10.0
+ */
+public class EncodingException extends CodecException {
+
+    public EncodingException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/ExceptionPropagatingDecoder.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/ExceptionPropagatingDecoder.java
new file mode 100644
index 00000000000..a0d98134cec
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/ExceptionPropagatingDecoder.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+import io.jsonwebtoken.lang.Assert;
+
+/**
+ * @since 0.10.0
+ */
+class ExceptionPropagatingDecoder<T, R> implements Decoder<T, R> {
+
+    private final Decoder<T, R> decoder;
+
+    ExceptionPropagatingDecoder(Decoder<T, R> decoder) {
+        Assert.notNull(decoder, "Decoder cannot be null.");
+        this.decoder = decoder;
+    }
+
+    @Override
+    public R decode(T t) throws DecodingException {
+        Assert.notNull(t, "Decode argument cannot be null.");
+        try {
+            return decoder.decode(t);
+        } catch (DecodingException e) {
+            throw e; //propagate
+        } catch (Exception e) {
+            String msg = "Unable to decode input: " + e.getMessage();
+            throw new DecodingException(msg, e);
+        }
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/ExceptionPropagatingEncoder.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/ExceptionPropagatingEncoder.java
new file mode 100644
index 00000000000..c483c8cdd5d
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/ExceptionPropagatingEncoder.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+import io.jsonwebtoken.lang.Assert;
+
+/**
+ * @since 0.10.0
+ */
+class ExceptionPropagatingEncoder<T, R> implements Encoder<T, R> {
+
+    private final Encoder<T, R> encoder;
+
+    ExceptionPropagatingEncoder(Encoder<T, R> encoder) {
+        Assert.notNull(encoder, "Encoder cannot be null.");
+        this.encoder = encoder;
+    }
+
+    @Override
+    public R encode(T t) throws EncodingException {
+        Assert.notNull(t, "Encode argument cannot be null.");
+        try {
+            return this.encoder.encode(t);
+        } catch (EncodingException e) {
+            throw e; //propagate
+        } catch (Exception e) {
+            String msg = "Unable to encode input: " + e.getMessage();
+            throw new EncodingException(msg, e);
+        }
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/IOException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/IOException.java
new file mode 100644
index 00000000000..9ed1e03149c
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/IOException.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+import io.jsonwebtoken.JwtException;
+
+/**
+ * @since 0.10.0
+ */
+public class IOException extends JwtException {
+
+    public IOException(String msg) {
+        super(msg);
+    }
+
+    public IOException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/SerialException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/SerialException.java
new file mode 100644
index 00000000000..86f70920c8c
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/SerialException.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+/**
+ * @since 0.10.0
+ */
+public class SerialException extends IOException {
+
+    public SerialException(String msg) {
+        super(msg);
+    }
+
+    public SerialException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/SerializationException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/SerializationException.java
new file mode 100644
index 00000000000..514830deffb
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/SerializationException.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+/**
+ * @since 0.10.0
+ */
+public class SerializationException extends SerialException {
+
+    public SerializationException(String msg) {
+        super(msg);
+    }
+
+    public SerializationException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Serializer.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Serializer.java
new file mode 100644
index 00000000000..5d6cd794ab8
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Serializer.java
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.io;
+
+/**
+ * @since 0.10.0
+ */
+public interface Serializer<T> {
+
+    byte[] serialize(T t) throws SerializationException;
+
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Arrays.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Arrays.java
new file mode 100644
index 00000000000..6b58a376e88
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Arrays.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.lang;
+
+/**
+ * @since 0.6
+ */
+public final class Arrays {
+
+    private Arrays(){} //prevent instantiation
+
+    public static int length(byte[] bytes) {
+        return bytes != null ? bytes.length : 0;
+    }
+
+    public static byte[] clean(byte[] bytes) {
+        return length(bytes) > 0 ? bytes : null;
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Assert.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Assert.java
new file mode 100644
index 00000000000..7c9e7c36766
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Assert.java
@@ -0,0 +1,377 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.lang;
+
+import java.util.Collection;
+import java.util.Map;
+
+public final class Assert {
+
+    private Assert(){} //prevent instantiation
+
+    /**
+     * Assert a boolean expression, throwing <code>IllegalArgumentException</code>
+     * if the test result is <code>false</code>.
+     * <pre class="code">Assert.isTrue(i &gt; 0, "The value must be greater than zero");</pre>
+     * @param expression a boolean expression
+     * @param message the exception message to use if the assertion fails
+     * @throws IllegalArgumentException if expression is <code>false</code>
+     */
+    public static void isTrue(boolean expression, String message) {
+        if (!expression) {
+            throw new IllegalArgumentException(message);
+        }
+    }
+
+    /**
+     * Assert a boolean expression, throwing <code>IllegalArgumentException</code>
+     * if the test result is <code>false</code>.
+     * <pre class="code">Assert.isTrue(i &gt; 0);</pre>
+     * @param expression a boolean expression
+     * @throws IllegalArgumentException if expression is <code>false</code>
+     */
+    public static void isTrue(boolean expression) {
+        isTrue(expression, "[Assertion failed] - this expression must be true");
+    }
+
+    /**
+     * Assert that an object is <code>null</code> .
+     * <pre class="code">Assert.isNull(value, "The value must be null");</pre>
+     * @param object the object to check
+     * @param message the exception message to use if the assertion fails
+     * @throws IllegalArgumentException if the object is not <code>null</code>
+     */
+    public static void isNull(Object object, String message) {
+        if (object != null) {
+            throw new IllegalArgumentException(message);
+        }
+    }
+
+    /**
+     * Assert that an object is <code>null</code> .
+     * <pre class="code">Assert.isNull(value);</pre>
+     * @param object the object to check
+     * @throws IllegalArgumentException if the object is not <code>null</code>
+     */
+    public static void isNull(Object object) {
+        isNull(object, "[Assertion failed] - the object argument must be null");
+    }
+
+    /**
+     * Assert that an object is not <code>null</code> .
+     * <pre class="code">Assert.notNull(clazz, "The class must not be null");</pre>
+     * @param object the object to check
+     * @param message the exception message to use if the assertion fails
+     * @throws IllegalArgumentException if the object is <code>null</code>
+     */
+    public static void notNull(Object object, String message) {
+        if (object == null) {
+            throw new IllegalArgumentException(message);
+        }
+    }
+
+    /**
+     * Assert that an object is not <code>null</code> .
+     * <pre class="code">Assert.notNull(clazz);</pre>
+     * @param object the object to check
+     * @throws IllegalArgumentException if the object is <code>null</code>
+     */
+    public static void notNull(Object object) {
+        notNull(object, "[Assertion failed] - this argument is required; it must not be null");
+    }
+
+    /**
+     * Assert that the given String is not empty; that is,
+     * it must not be <code>null</code> and not the empty String.
+     * <pre class="code">Assert.hasLength(name, "Name must not be empty");</pre>
+     * @param text the String to check
+     * @param message the exception message to use if the assertion fails
+     * @see Strings#hasLength
+     */
+    public static void hasLength(String text, String message) {
+        if (!Strings.hasLength(text)) {
+            throw new IllegalArgumentException(message);
+        }
+    }
+
+    /**
+     * Assert that the given String is not empty; that is,
+     * it must not be <code>null</code> and not the empty String.
+     * <pre class="code">Assert.hasLength(name);</pre>
+     * @param text the String to check
+     * @see Strings#hasLength
+     */
+    public static void hasLength(String text) {
+        hasLength(text,
+                  "[Assertion failed] - this String argument must have length; it must not be null or empty");
+    }
+
+    /**
+     * Assert that the given String has valid text content; that is, it must not
+     * be <code>null</code> and must contain at least one non-whitespace character.
+     * <pre class="code">Assert.hasText(name, "'name' must not be empty");</pre>
+     * @param text the String to check
+     * @param message the exception message to use if the assertion fails
+     * @see Strings#hasText
+     */
+    public static void hasText(String text, String message) {
+        if (!Strings.hasText(text)) {
+            throw new IllegalArgumentException(message);
+        }
+    }
+
+    /**
+     * Assert that the given String has valid text content; that is, it must not
+     * be <code>null</code> and must contain at least one non-whitespace character.
+     * <pre class="code">Assert.hasText(name, "'name' must not be empty");</pre>
+     * @param text the String to check
+     * @see Strings#hasText
+     */
+    public static void hasText(String text) {
+        hasText(text,
+                "[Assertion failed] - this String argument must have text; it must not be null, empty, or blank");
+    }
+
+    /**
+     * Assert that the given text does not contain the given substring.
+     * <pre class="code">Assert.doesNotContain(name, "rod", "Name must not contain 'rod'");</pre>
+     * @param textToSearch the text to search
+     * @param substring the substring to find within the text
+     * @param message the exception message to use if the assertion fails
+     */
+    public static void doesNotContain(String textToSearch, String substring, String message) {
+        if (Strings.hasLength(textToSearch) && Strings.hasLength(substring) &&
+            textToSearch.indexOf(substring) != -1) {
+            throw new IllegalArgumentException(message);
+        }
+    }
+
+    /**
+     * Assert that the given text does not contain the given substring.
+     * <pre class="code">Assert.doesNotContain(name, "rod");</pre>
+     * @param textToSearch the text to search
+     * @param substring the substring to find within the text
+     */
+    public static void doesNotContain(String textToSearch, String substring) {
+        doesNotContain(textToSearch, substring,
+                       "[Assertion failed] - this String argument must not contain the substring [" + substring + "]");
+    }
+
+
+    /**
+     * Assert that an array has elements; that is, it must not be
+     * <code>null</code> and must have at least one element.
+     * <pre class="code">Assert.notEmpty(array, "The array must have elements");</pre>
+     * @param array the array to check
+     * @param message the exception message to use if the assertion fails
+     * @throws IllegalArgumentException if the object array is <code>null</code> or has no elements
+     */
+    public static void notEmpty(Object[] array, String message) {
+        if (Objects.isEmpty(array)) {
+            throw new IllegalArgumentException(message);
+        }
+    }
+
+    /**
+     * Assert that an array has elements; that is, it must not be
+     * <code>null</code> and must have at least one element.
+     * <pre class="code">Assert.notEmpty(array);</pre>
+     * @param array the array to check
+     * @throws IllegalArgumentException if the object array is <code>null</code> or has no elements
+     */
+    public static void notEmpty(Object[] array) {
+        notEmpty(array, "[Assertion failed] - this array must not be empty: it must contain at least 1 element");
+    }
+
+    public static void notEmpty(byte[] array, String msg) {
+        if (Objects.isEmpty(array)) {
+            throw new IllegalArgumentException(msg);
+        }
+    }
+
+    /**
+     * Assert that an array has no null elements.
+     * Note: Does not complain if the array is empty!
+     * <pre class="code">Assert.noNullElements(array, "The array must have non-null elements");</pre>
+     * @param array the array to check
+     * @param message the exception message to use if the assertion fails
+     * @throws IllegalArgumentException if the object array contains a <code>null</code> element
+     */
+    public static void noNullElements(Object[] array, String message) {
+        if (array != null) {
+            for (int i = 0; i < array.length; i++) {
+                if (array[i] == null) {
+                    throw new IllegalArgumentException(message);
+                }
+            }
+        }
+    }
+
+    /**
+     * Assert that an array has no null elements.
+     * Note: Does not complain if the array is empty!
+     * <pre class="code">Assert.noNullElements(array);</pre>
+     * @param array the array to check
+     * @throws IllegalArgumentException if the object array contains a <code>null</code> element
+     */
+    public static void noNullElements(Object[] array) {
+        noNullElements(array, "[Assertion failed] - this array must not contain any null elements");
+    }
+
+    /**
+     * Assert that a collection has elements; that is, it must not be
+     * <code>null</code> and must have at least one element.
+     * <pre class="code">Assert.notEmpty(collection, "Collection must have elements");</pre>
+     * @param collection the collection to check
+     * @param message the exception message to use if the assertion fails
+     * @throws IllegalArgumentException if the collection is <code>null</code> or has no elements
+     */
+    public static void notEmpty(Collection collection, String message) {
+        if (Collections.isEmpty(collection)) {
+            throw new IllegalArgumentException(message);
+        }
+    }
+
+    /**
+     * Assert that a collection has elements; that is, it must not be
+     * <code>null</code> and must have at least one element.
+     * <pre class="code">Assert.notEmpty(collection, "Collection must have elements");</pre>
+     * @param collection the collection to check
+     * @throws IllegalArgumentException if the collection is <code>null</code> or has no elements
+     */
+    public static void notEmpty(Collection collection) {
+        notEmpty(collection,
+                 "[Assertion failed] - this collection must not be empty: it must contain at least 1 element");
+    }
+
+    /**
+     * Assert that a Map has entries; that is, it must not be <code>null</code>
+     * and must have at least one entry.
+     * <pre class="code">Assert.notEmpty(map, "Map must have entries");</pre>
+     * @param map the map to check
+     * @param message the exception message to use if the assertion fails
+     * @throws IllegalArgumentException if the map is <code>null</code> or has no entries
+     */
+    public static void notEmpty(Map map, String message) {
+        if (Collections.isEmpty(map)) {
+            throw new IllegalArgumentException(message);
+        }
+    }
+
+    /**
+     * Assert that a Map has entries; that is, it must not be <code>null</code>
+     * and must have at least one entry.
+     * <pre class="code">Assert.notEmpty(map);</pre>
+     * @param map the map to check
+     * @throws IllegalArgumentException if the map is <code>null</code> or has no entries
+     */
+    public static void notEmpty(Map map) {
+        notEmpty(map, "[Assertion failed] - this map must not be empty; it must contain at least one entry");
+    }
+
+
+    /**
+     * Assert that the provided object is an instance of the provided class.
+     * <pre class="code">Assert.instanceOf(Foo.class, foo);</pre>
+     * @param clazz the required class
+     * @param obj the object to check
+     * @throws IllegalArgumentException if the object is not an instance of clazz
+     * @see Class#isInstance
+     */
+    public static void isInstanceOf(Class clazz, Object obj) {
+        isInstanceOf(clazz, obj, "");
+    }
+
+    /**
+     * Assert that the provided object is an instance of the provided class.
+     * <pre class="code">Assert.instanceOf(Foo.class, foo);</pre>
+     * @param type the type to check against
+     * @param obj the object to check
+     * @param message a message which will be prepended to the message produced by
+     * the function itself, and which may be used to provide context. It should
+     * normally end in a ": " or ". " so that the function generate message looks
+     * ok when prepended to it.
+     * @throws IllegalArgumentException if the object is not an instance of clazz
+     * @see Class#isInstance
+     */
+    public static void isInstanceOf(Class type, Object obj, String message) {
+        notNull(type, "Type to check against must not be null");
+        if (!type.isInstance(obj)) {
+            throw new IllegalArgumentException(message +
+                                               "Object of class [" + (obj != null ? obj.getClass().getName() : "null") +
+                                               "] must be an instance of " + type);
+        }
+    }
+
+    /**
+     * Assert that <code>superType.isAssignableFrom(subType)</code> is <code>true</code>.
+     * <pre class="code">Assert.isAssignable(Number.class, myClass);</pre>
+     * @param superType the super type to check
+     * @param subType the sub type to check
+     * @throws IllegalArgumentException if the classes are not assignable
+     */
+    public static void isAssignable(Class superType, Class subType) {
+        isAssignable(superType, subType, "");
+    }
+
+    /**
+     * Assert that <code>superType.isAssignableFrom(subType)</code> is <code>true</code>.
+     * <pre class="code">Assert.isAssignable(Number.class, myClass);</pre>
+     * @param superType the super type to check against
+     * @param subType the sub type to check
+     * @param message a message which will be prepended to the message produced by
+     * the function itself, and which may be used to provide context. It should
+     * normally end in a ": " or ". " so that the function generate message looks
+     * ok when prepended to it.
+     * @throws IllegalArgumentException if the classes are not assignable
+     */
+    public static void isAssignable(Class superType, Class subType, String message) {
+        notNull(superType, "Type to check against must not be null");
+        if (subType == null || !superType.isAssignableFrom(subType)) {
+            throw new IllegalArgumentException(message + subType + " is not assignable to " + superType);
+        }
+    }
+
+
+    /**
+     * Assert a boolean expression, throwing <code>IllegalStateException</code>
+     * if the test result is <code>false</code>. Call isTrue if you wish to
+     * throw IllegalArgumentException on an assertion failure.
+     * <pre class="code">Assert.state(id == null, "The id property must not already be initialized");</pre>
+     * @param expression a boolean expression
+     * @param message the exception message to use if the assertion fails
+     * @throws IllegalStateException if expression is <code>false</code>
+     */
+    public static void state(boolean expression, String message) {
+        if (!expression) {
+            throw new IllegalStateException(message);
+        }
+    }
+
+    /**
+     * Assert a boolean expression, throwing {@link IllegalStateException}
+     * if the test result is <code>false</code>.
+     * <p>Call {@link #isTrue(boolean)} if you wish to
+     * throw {@link IllegalArgumentException} on an assertion failure.
+     * <pre class="code">Assert.state(id == null);</pre>
+     * @param expression a boolean expression
+     * @throws IllegalStateException if the supplied expression is <code>false</code>
+     */
+    public static void state(boolean expression) {
+        state(expression, "[Assertion failed] - this state invariant must be true");
+    }
+
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Classes.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Classes.java
new file mode 100644
index 00000000000..27d4d18c2fe
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Classes.java
@@ -0,0 +1,254 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.lang;
+
+import java.io.InputStream;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Method;
+
+/**
+ * @since 0.1
+ */
+public final class Classes {
+
+    private Classes() {} //prevent instantiation
+
+    /**
+     * @since 0.1
+     */
+    private static final ClassLoaderAccessor THREAD_CL_ACCESSOR = new ExceptionIgnoringAccessor() {
+        @Override
+        protected ClassLoader doGetClassLoader() throws Throwable {
+            return Thread.currentThread().getContextClassLoader();
+        }
+    };
+
+    /**
+     * @since 0.1
+     */
+    private static final ClassLoaderAccessor CLASS_CL_ACCESSOR = new ExceptionIgnoringAccessor() {
+        @Override
+        protected ClassLoader doGetClassLoader() throws Throwable {
+            return Classes.class.getClassLoader();
+        }
+    };
+
+    /**
+     * @since 0.1
+     */
+    private static final ClassLoaderAccessor SYSTEM_CL_ACCESSOR = new ExceptionIgnoringAccessor() {
+        @Override
+        protected ClassLoader doGetClassLoader() throws Throwable {
+            return ClassLoader.getSystemClassLoader();
+        }
+    };
+
+    /**
+     * Attempts to load the specified class name from the current thread's
+     * {@link Thread#getContextClassLoader() context class loader}, then the
+     * current ClassLoader (<code>Classes.class.getClassLoader()</code>), then the system/application
+     * ClassLoader (<code>ClassLoader.getSystemClassLoader()</code>, in that order.  If any of them cannot locate
+     * the specified class, an <code>UnknownClassException</code> is thrown (our RuntimeException equivalent of
+     * the JRE's <code>ClassNotFoundException</code>.
+     *
+     * @param fqcn the fully qualified class name to load
+     * @return the located class
+     * @throws UnknownClassException if the class cannot be found.
+     */
+    @SuppressWarnings("unchecked")
+    public static <T> Class<T> forName(String fqcn) throws UnknownClassException {
+
+        Class clazz = THREAD_CL_ACCESSOR.loadClass(fqcn);
+
+        if (clazz == null) {
+            clazz = CLASS_CL_ACCESSOR.loadClass(fqcn);
+        }
+
+        if (clazz == null) {
+            clazz = SYSTEM_CL_ACCESSOR.loadClass(fqcn);
+        }
+
+        if (clazz == null) {
+            String msg = "Unable to load class named [" + fqcn + "] from the thread context, current, or " +
+                    "system/application ClassLoaders.  All heuristics have been exhausted.  Class could not be found.";
+
+            if (fqcn != null && fqcn.startsWith("io.jsonwebtoken.impl")) {
+                msg += "  Have you remembered to include the jjwt-impl.jar in your runtime classpath?";
+            }
+
+            throw new UnknownClassException(msg);
+        }
+
+        return clazz;
+    }
+
+    /**
+     * Returns the specified resource by checking the current thread's
+     * {@link Thread#getContextClassLoader() context class loader}, then the
+     * current ClassLoader (<code>Classes.class.getClassLoader()</code>), then the system/application
+     * ClassLoader (<code>ClassLoader.getSystemClassLoader()</code>, in that order, using
+     * {@link ClassLoader#getResourceAsStream(String) getResourceAsStream(name)}.
+     *
+     * @param name the name of the resource to acquire from the classloader(s).
+     * @return the InputStream of the resource found, or <code>null</code> if the resource cannot be found from any
+     * of the three mentioned ClassLoaders.
+     * @since 0.8
+     */
+    public static InputStream getResourceAsStream(String name) {
+
+        InputStream is = THREAD_CL_ACCESSOR.getResourceStream(name);
+
+        if (is == null) {
+            is = CLASS_CL_ACCESSOR.getResourceStream(name);
+        }
+
+        if (is == null) {
+            is = SYSTEM_CL_ACCESSOR.getResourceStream(name);
+        }
+
+        return is;
+    }
+
+    public static boolean isAvailable(String fullyQualifiedClassName) {
+        try {
+            forName(fullyQualifiedClassName);
+            return true;
+        } catch (UnknownClassException e) {
+            return false;
+        }
+    }
+
+    @SuppressWarnings("unchecked")
+    public static <T> T newInstance(String fqcn) {
+        return (T)newInstance(forName(fqcn));
+    }
+
+    public static <T> T newInstance(String fqcn, Class[] ctorArgTypes, Object... args) {
+        Class<T> clazz = forName(fqcn);
+        Constructor<T> ctor = getConstructor(clazz, ctorArgTypes);
+        return instantiate(ctor, args);
+    }
+
+    @SuppressWarnings("unchecked")
+    public static <T> T newInstance(String fqcn, Object... args) {
+        return (T)newInstance(forName(fqcn), args);
+    }
+
+    public static <T> T newInstance(Class<T> clazz) {
+        if (clazz == null) {
+            String msg = "Class method parameter cannot be null.";
+            throw new IllegalArgumentException(msg);
+        }
+        try {
+            return clazz.newInstance();
+        } catch (Exception e) {
+            throw new InstantiationException("Unable to instantiate class [" + clazz.getName() + "]", e);
+        }
+    }
+
+    public static <T> T newInstance(Class<T> clazz, Object... args) {
+        Class[] argTypes = new Class[args.length];
+        for (int i = 0; i < args.length; i++) {
+            argTypes[i] = args[i].getClass();
+        }
+        Constructor<T> ctor = getConstructor(clazz, argTypes);
+        return instantiate(ctor, args);
+    }
+
+    public static <T> Constructor<T> getConstructor(Class<T> clazz, Class... argTypes) {
+        try {
+            return clazz.getConstructor(argTypes);
+        } catch (NoSuchMethodException e) {
+            throw new IllegalStateException(e);
+        }
+
+    }
+
+    public static <T> T instantiate(Constructor<T> ctor, Object... args) {
+        try {
+            return ctor.newInstance(args);
+        } catch (Exception e) {
+            String msg = "Unable to instantiate instance with constructor [" + ctor + "]";
+            throw new InstantiationException(msg, e);
+        }
+    }
+
+    /**
+     * @since 0.10.0
+     */
+    @SuppressWarnings("unchecked")
+    public static <T> T invokeStatic(String fqcn, String methodName, Class[] argTypes, Object... args) {
+        try {
+            Class clazz = Classes.forName(fqcn);
+            Method method = clazz.getDeclaredMethod(methodName, argTypes);
+            method.setAccessible(true);
+            return(T)method.invoke(null, args);
+        } catch (Exception e) {
+            String msg = "Unable to invoke class method " + fqcn + "#" + methodName + ".  Ensure the necessary " +
+                "implementation is in the runtime classpath.";
+            throw new IllegalStateException(msg, e);
+        }
+    }
+
+    /**
+     * @since 1.0
+     */
+    private static interface ClassLoaderAccessor {
+        Class loadClass(String fqcn);
+
+        InputStream getResourceStream(String name);
+    }
+
+    /**
+     * @since 1.0
+     */
+    private static abstract class ExceptionIgnoringAccessor implements ClassLoaderAccessor {
+
+        public Class loadClass(String fqcn) {
+            Class clazz = null;
+            ClassLoader cl = getClassLoader();
+            if (cl != null) {
+                try {
+                    clazz = cl.loadClass(fqcn);
+                } catch (ClassNotFoundException e) {
+                    //Class couldn't be found by loader
+                }
+            }
+            return clazz;
+        }
+
+        public InputStream getResourceStream(String name) {
+            InputStream is = null;
+            ClassLoader cl = getClassLoader();
+            if (cl != null) {
+                is = cl.getResourceAsStream(name);
+            }
+            return is;
+        }
+
+        protected final ClassLoader getClassLoader() {
+            try {
+                return doGetClassLoader();
+            } catch (Throwable t) {
+                //Unable to get ClassLoader
+            }
+            return null;
+        }
+
+        protected abstract ClassLoader doGetClassLoader() throws Throwable;
+    }
+}
+
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Collections.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Collections.java
new file mode 100644
index 00000000000..d775a002adf
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Collections.java
@@ -0,0 +1,365 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.lang;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+
+public final class Collections {
+
+    private Collections(){} //prevent instantiation
+
+    /**
+     * Return <code>true</code> if the supplied Collection is <code>null</code>
+     * or empty. Otherwise, return <code>false</code>.
+     * @param collection the Collection to check
+     * @return whether the given Collection is empty
+     */
+    public static boolean isEmpty(Collection collection) {
+        return (collection == null || collection.isEmpty());
+    }
+
+    /**
+     * Returns the collection's size or {@code 0} if the collection is {@code null}.
+     *
+     * @param collection the collection to check.
+     * @return the collection's size or {@code 0} if the collection is {@code null}.
+     * @since 0.9.2
+     */
+    public static int size(Collection collection) {
+        return collection == null ? 0 : collection.size();
+    }
+
+    /**
+     * Returns the map's size or {@code 0} if the map is {@code null}.
+     *
+     * @param map the map to check
+     * @return the map's size or {@code 0} if the map is {@code null}.
+     * @since 0.9.2
+     */
+    public static int size(Map map) {
+        return map == null ? 0 : map.size();
+    }
+
+    /**
+     * Return <code>true</code> if the supplied Map is <code>null</code>
+     * or empty. Otherwise, return <code>false</code>.
+     * @param map the Map to check
+     * @return whether the given Map is empty
+     */
+    public static boolean isEmpty(Map map) {
+        return (map == null || map.isEmpty());
+    }
+
+    /**
+     * Convert the supplied array into a List. A primitive array gets
+     * converted into a List of the appropriate wrapper type.
+     * <p>A <code>null</code> source value will be converted to an
+     * empty List.
+     * @param source the (potentially primitive) array
+     * @return the converted List result
+     * @see Objects#toObjectArray(Object)
+     */
+    public static List arrayToList(Object source) {
+        return Arrays.asList(Objects.toObjectArray(source));
+    }
+
+    /**
+     * Merge the given array into the given Collection.
+     * @param array the array to merge (may be <code>null</code>)
+     * @param collection the target Collection to merge the array into
+     */
+    @SuppressWarnings("unchecked")
+    public static void mergeArrayIntoCollection(Object array, Collection collection) {
+        if (collection == null) {
+            throw new IllegalArgumentException("Collection must not be null");
+        }
+        Object[] arr = Objects.toObjectArray(array);
+        for (Object elem : arr) {
+            collection.add(elem);
+        }
+    }
+
+    /**
+     * Merge the given Properties instance into the given Map,
+     * copying all properties (key-value pairs) over.
+     * <p>Uses <code>Properties.propertyNames()</code> to even catch
+     * default properties linked into the original Properties instance.
+     * @param props the Properties instance to merge (may be <code>null</code>)
+     * @param map the target Map to merge the properties into
+     */
+    @SuppressWarnings("unchecked")
+    public static void mergePropertiesIntoMap(Properties props, Map map) {
+        if (map == null) {
+            throw new IllegalArgumentException("Map must not be null");
+        }
+        if (props != null) {
+            for (Enumeration en = props.propertyNames(); en.hasMoreElements();) {
+                String key = (String) en.nextElement();
+                Object value = props.getProperty(key);
+                if (value == null) {
+                    // Potentially a non-String value...
+                    value = props.get(key);
+                }
+                map.put(key, value);
+            }
+        }
+    }
+
+
+    /**
+     * Check whether the given Iterator contains the given element.
+     * @param iterator the Iterator to check
+     * @param element the element to look for
+     * @return <code>true</code> if found, <code>false</code> else
+     */
+    public static boolean contains(Iterator iterator, Object element) {
+        if (iterator != null) {
+            while (iterator.hasNext()) {
+                Object candidate = iterator.next();
+                if (Objects.nullSafeEquals(candidate, element)) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Check whether the given Enumeration contains the given element.
+     * @param enumeration the Enumeration to check
+     * @param element the element to look for
+     * @return <code>true</code> if found, <code>false</code> else
+     */
+    public static boolean contains(Enumeration enumeration, Object element) {
+        if (enumeration != null) {
+            while (enumeration.hasMoreElements()) {
+                Object candidate = enumeration.nextElement();
+                if (Objects.nullSafeEquals(candidate, element)) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Check whether the given Collection contains the given element instance.
+     * <p>Enforces the given instance to be present, rather than returning
+     * <code>true</code> for an equal element as well.
+     * @param collection the Collection to check
+     * @param element the element to look for
+     * @return <code>true</code> if found, <code>false</code> else
+     */
+    public static boolean containsInstance(Collection collection, Object element) {
+        if (collection != null) {
+            for (Object candidate : collection) {
+                if (candidate == element) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Return <code>true</code> if any element in '<code>candidates</code>' is
+     * contained in '<code>source</code>'; otherwise returns <code>false</code>.
+     * @param source the source Collection
+     * @param candidates the candidates to search for
+     * @return whether any of the candidates has been found
+     */
+    public static boolean containsAny(Collection source, Collection candidates) {
+        if (isEmpty(source) || isEmpty(candidates)) {
+            return false;
+        }
+        for (Object candidate : candidates) {
+            if (source.contains(candidate)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Return the first element in '<code>candidates</code>' that is contained in
+     * '<code>source</code>'. If no element in '<code>candidates</code>' is present in
+     * '<code>source</code>' returns <code>null</code>. Iteration order is
+     * {@link Collection} implementation specific.
+     * @param source the source Collection
+     * @param candidates the candidates to search for
+     * @return the first present object, or <code>null</code> if not found
+     */
+    public static Object findFirstMatch(Collection source, Collection candidates) {
+        if (isEmpty(source) || isEmpty(candidates)) {
+            return null;
+        }
+        for (Object candidate : candidates) {
+            if (source.contains(candidate)) {
+                return candidate;
+            }
+        }
+        return null;
+    }
+
+    /**
+     * Find a single value of the given type in the given Collection.
+     * @param collection the Collection to search
+     * @param type the type to look for
+     * @return a value of the given type found if there is a clear match,
+     * or <code>null</code> if none or more than one such value found
+     */
+    @SuppressWarnings("unchecked")
+    public static <T> T findValueOfType(Collection<?> collection, Class<T> type) {
+        if (isEmpty(collection)) {
+            return null;
+        }
+        T value = null;
+        for (Object element : collection) {
+            if (type == null || type.isInstance(element)) {
+                if (value != null) {
+                    // More than one value found... no clear single value.
+                    return null;
+                }
+                value = (T) element;
+            }
+        }
+        return value;
+    }
+
+    /**
+     * Find a single value of one of the given types in the given Collection:
+     * searching the Collection for a value of the first type, then
+     * searching for a value of the second type, etc.
+     * @param collection the collection to search
+     * @param types the types to look for, in prioritized order
+     * @return a value of one of the given types found if there is a clear match,
+     * or <code>null</code> if none or more than one such value found
+     */
+    public static Object findValueOfType(Collection<?> collection, Class<?>[] types) {
+        if (isEmpty(collection) || Objects.isEmpty(types)) {
+            return null;
+        }
+        for (Class<?> type : types) {
+            Object value = findValueOfType(collection, type);
+            if (value != null) {
+                return value;
+            }
+        }
+        return null;
+    }
+
+    /**
+     * Determine whether the given Collection only contains a single unique object.
+     * @param collection the Collection to check
+     * @return <code>true</code> if the collection contains a single reference or
+     * multiple references to the same instance, <code>false</code> else
+     */
+    public static boolean hasUniqueObject(Collection collection) {
+        if (isEmpty(collection)) {
+            return false;
+        }
+        boolean hasCandidate = false;
+        Object candidate = null;
+        for (Object elem : collection) {
+            if (!hasCandidate) {
+                hasCandidate = true;
+                candidate = elem;
+            }
+            else if (candidate != elem) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    /**
+     * Find the common element type of the given Collection, if any.
+     * @param collection the Collection to check
+     * @return the common element type, or <code>null</code> if no clear
+     * common type has been found (or the collection was empty)
+     */
+    public static Class<?> findCommonElementType(Collection collection) {
+        if (isEmpty(collection)) {
+            return null;
+        }
+        Class<?> candidate = null;
+        for (Object val : collection) {
+            if (val != null) {
+                if (candidate == null) {
+                    candidate = val.getClass();
+                }
+                else if (candidate != val.getClass()) {
+                    return null;
+                }
+            }
+        }
+        return candidate;
+    }
+
+    /**
+     * Marshal the elements from the given enumeration into an array of the given type.
+     * Enumeration elements must be assignable to the type of the given array. The array
+     * returned will be a different instance than the array given.
+     */
+    public static <A,E extends A> A[] toArray(Enumeration<E> enumeration, A[] array) {
+        ArrayList<A> elements = new ArrayList<A>();
+        while (enumeration.hasMoreElements()) {
+            elements.add(enumeration.nextElement());
+        }
+        return elements.toArray(array);
+    }
+
+    /**
+     * Adapt an enumeration to an iterator.
+     * @param enumeration the enumeration
+     * @return the iterator
+     */
+    public static <E> Iterator<E> toIterator(Enumeration<E> enumeration) {
+        return new EnumerationIterator<E>(enumeration);
+    }
+
+    /**
+     * Iterator wrapping an Enumeration.
+     */
+    private static class EnumerationIterator<E> implements Iterator<E> {
+
+        private Enumeration<E> enumeration;
+
+        public EnumerationIterator(Enumeration<E> enumeration) {
+            this.enumeration = enumeration;
+        }
+
+        public boolean hasNext() {
+            return this.enumeration.hasMoreElements();
+        }
+
+        public E next() {
+            return this.enumeration.nextElement();
+        }
+
+        public void remove() throws UnsupportedOperationException {
+            throw new UnsupportedOperationException("Not supported");
+        }
+    }
+}
+
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/DateFormats.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/DateFormats.java
new file mode 100644
index 00000000000..250d9892d93
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/DateFormats.java
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.lang;
+
+import java.text.DateFormat;
+import java.text.ParseException;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import java.util.TimeZone;
+
+/**
+ * @since 0.10.0
+ */
+public class DateFormats {
+
+    private static final String ISO_8601_PATTERN = "yyyy-MM-dd'T'HH:mm:ss'Z'";
+
+    private static final String ISO_8601_MILLIS_PATTERN = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'";
+
+    private static final ThreadLocal<DateFormat> ISO_8601 = new ThreadLocal<DateFormat>() {
+        @Override
+        protected DateFormat initialValue() {
+            SimpleDateFormat format = new SimpleDateFormat(ISO_8601_PATTERN);
+            format.setTimeZone(TimeZone.getTimeZone("UTC"));
+            return format;
+        }
+    };
+
+    private static final ThreadLocal<DateFormat> ISO_8601_MILLIS = new ThreadLocal<DateFormat>() {
+        @Override
+        protected DateFormat initialValue() {
+            SimpleDateFormat format = new SimpleDateFormat(ISO_8601_MILLIS_PATTERN);
+            format.setTimeZone(TimeZone.getTimeZone("UTC"));
+            return format;
+        }
+    };
+
+    public static String formatIso8601(Date date) {
+        return formatIso8601(date, true);
+    }
+
+    public static String formatIso8601(Date date, boolean includeMillis) {
+        if (includeMillis) {
+            return ISO_8601_MILLIS.get().format(date);
+        }
+        return ISO_8601.get().format(date);
+    }
+
+    public static Date parseIso8601Date(String s) throws ParseException {
+        Assert.notNull(s, "String argument cannot be null.");
+        if (s.lastIndexOf('.') > -1) { //assume ISO-8601 with milliseconds
+            return ISO_8601_MILLIS.get().parse(s);
+        } else { //assume ISO-8601 without millis:
+            return ISO_8601.get().parse(s);
+        }
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/InstantiationException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/InstantiationException.java
new file mode 100644
index 00000000000..0ee8418f5ea
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/InstantiationException.java
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.lang;
+
+/**
+ * @since 0.1
+ */
+public class InstantiationException extends RuntimeException {
+
+    public InstantiationException(String s, Throwable t) {
+        super(s, t);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Maps.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Maps.java
new file mode 100644
index 00000000000..f96e4cb302c
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Maps.java
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2019 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.lang;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Utility class to help with the manipulation of working with Maps.
+ * @since 0.11.0
+ */
+public final class Maps {
+
+    private Maps() {} //prevent instantiation
+
+    /**
+     * Creates a new map builder with a single entry.
+     * <p> Typical usage: <pre>{@code
+     * Map<K,V> result = Maps.of("key1", value1)
+     *     .and("key2", value2)
+     *     // ...
+     *     .build();
+     * }</pre>
+     * @param key the key of an map entry to be added
+     * @param value the value of map entry to be added
+     * @param <K> the maps key type
+     * @param <V> the maps value type
+     * Creates a new map builder with a single entry.
+     */
+    public static <K, V> MapBuilder<K, V> of(K key, V value) {
+        return new HashMapBuilder<K, V>().and(key, value);
+    }
+
+    /**
+     * Utility Builder class for fluently building maps:
+     * <p> Typical usage: <pre>{@code
+     * Map<K,V> result = Maps.of("key1", value1)
+     *     .and("key2", value2)
+     *     // ...
+     *     .build();
+     * }</pre>
+     * @param <K> the maps key type
+     * @param <V> the maps value type
+     */
+    public interface MapBuilder<K, V> {
+        /**
+         * Add a new entry to this map builder
+         * @param key the key of an map entry to be added
+         * @param value the value of map entry to be added
+         * @return the current MapBuilder to allow for method chaining.
+         */
+        MapBuilder<K, V> and(K key, V value);
+
+        /**
+         * Returns a the resulting Map object from this MapBuilder.
+         * @return Returns a the resulting Map object from this MapBuilder.
+         */
+        Map<K, V> build();
+    }
+
+    private static class HashMapBuilder<K, V> implements MapBuilder<K, V> {
+
+        private final Map<K, V> data = new HashMap<>();
+
+        public MapBuilder<K, V> and(K key, V value) {
+            data.put(key, value);
+            return this;
+        }
+        public Map<K, V> build() {
+            return Collections.unmodifiableMap(data);
+        }
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Objects.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Objects.java
new file mode 100644
index 00000000000..4960b73553b
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Objects.java
@@ -0,0 +1,927 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.lang;
+
+import java.io.Closeable;
+import java.io.IOException;
+import java.lang.reflect.Array;
+import java.util.Arrays;
+
+public final class Objects {
+
+    private Objects(){} //prevent instantiation
+
+    private static final int INITIAL_HASH = 7;
+    private static final int MULTIPLIER   = 31;
+
+    private static final String EMPTY_STRING            = "";
+    private static final String NULL_STRING             = "null";
+    private static final String ARRAY_START             = "{";
+    private static final String ARRAY_END               = "}";
+    private static final String EMPTY_ARRAY             = ARRAY_START + ARRAY_END;
+    private static final String ARRAY_ELEMENT_SEPARATOR = ", ";
+
+    /**
+     * Return whether the given throwable is a checked exception:
+     * that is, neither a RuntimeException nor an Error.
+     *
+     * @param ex the throwable to check
+     * @return whether the throwable is a checked exception
+     * @see java.lang.Exception
+     * @see java.lang.RuntimeException
+     * @see java.lang.Error
+     */
+    public static boolean isCheckedException(Throwable ex) {
+        return !(ex instanceof RuntimeException || ex instanceof Error);
+    }
+
+    /**
+     * Check whether the given exception is compatible with the exceptions
+     * declared in a throws clause.
+     *
+     * @param ex                 the exception to checked
+     * @param declaredExceptions the exceptions declared in the throws clause
+     * @return whether the given exception is compatible
+     */
+    public static boolean isCompatibleWithThrowsClause(Throwable ex, Class[] declaredExceptions) {
+        if (!isCheckedException(ex)) {
+            return true;
+        }
+        if (declaredExceptions != null) {
+            int i = 0;
+            while (i < declaredExceptions.length) {
+                if (declaredExceptions[i].isAssignableFrom(ex.getClass())) {
+                    return true;
+                }
+                i++;
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Determine whether the given object is an array:
+     * either an Object array or a primitive array.
+     *
+     * @param obj the object to check
+     */
+    public static boolean isArray(Object obj) {
+        return (obj != null && obj.getClass().isArray());
+    }
+
+    /**
+     * Determine whether the given array is empty:
+     * i.e. <code>null</code> or of zero length.
+     *
+     * @param array the array to check
+     */
+    public static boolean isEmpty(Object[] array) {
+        return (array == null || array.length == 0);
+    }
+
+    /**
+     * Returns {@code true} if the specified byte array is null or of zero length, {@code false} otherwise.
+     *
+     * @param array the byte array to check
+     * @return {@code true} if the specified byte array is null or of zero length, {@code false} otherwise.
+     */
+    public static boolean isEmpty(byte[] array) {
+        return array == null || array.length == 0;
+    }
+
+    /**
+     * Check whether the given array contains the given element.
+     *
+     * @param array   the array to check (may be <code>null</code>,
+     *                in which case the return value will always be <code>false</code>)
+     * @param element the element to check for
+     * @return whether the element has been found in the given array
+     */
+    public static boolean containsElement(Object[] array, Object element) {
+        if (array == null) {
+            return false;
+        }
+        for (Object arrayEle : array) {
+            if (nullSafeEquals(arrayEle, element)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Check whether the given array of enum constants contains a constant with the given name,
+     * ignoring case when determining a match.
+     *
+     * @param enumValues the enum values to check, typically the product of a call to MyEnum.values()
+     * @param constant   the constant name to find (must not be null or empty string)
+     * @return whether the constant has been found in the given array
+     */
+    public static boolean containsConstant(Enum<?>[] enumValues, String constant) {
+        return containsConstant(enumValues, constant, false);
+    }
+
+    /**
+     * Check whether the given array of enum constants contains a constant with the given name.
+     *
+     * @param enumValues    the enum values to check, typically the product of a call to MyEnum.values()
+     * @param constant      the constant name to find (must not be null or empty string)
+     * @param caseSensitive whether case is significant in determining a match
+     * @return whether the constant has been found in the given array
+     */
+    public static boolean containsConstant(Enum<?>[] enumValues, String constant, boolean caseSensitive) {
+        for (Enum<?> candidate : enumValues) {
+            if (caseSensitive ?
+                candidate.toString().equals(constant) :
+                candidate.toString().equalsIgnoreCase(constant)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Case insensitive alternative to {@link Enum#valueOf(Class, String)}.
+     *
+     * @param <E>        the concrete Enum type
+     * @param enumValues the array of all Enum constants in question, usually per Enum.values()
+     * @param constant   the constant to get the enum value of
+     * @throws IllegalArgumentException if the given constant is not found in the given array
+     *                                  of enum values. Use {@link #containsConstant(Enum[], String)} as a guard to
+     *                                  avoid this exception.
+     */
+    public static <E extends Enum<?>> E caseInsensitiveValueOf(E[] enumValues, String constant) {
+        for (E candidate : enumValues) {
+            if (candidate.toString().equalsIgnoreCase(constant)) {
+                return candidate;
+            }
+        }
+        throw new IllegalArgumentException(
+            String.format("constant [%s] does not exist in enum type %s",
+                          constant, enumValues.getClass().getComponentType().getName()));
+    }
+
+    /**
+     * Append the given object to the given array, returning a new array
+     * consisting of the input array contents plus the given object.
+     *
+     * @param array the array to append to (can be <code>null</code>)
+     * @param obj   the object to append
+     * @return the new array (of the same component type; never <code>null</code>)
+     */
+    public static <A, O extends A> A[] addObjectToArray(A[] array, O obj) {
+        Class<?> compType = Object.class;
+        if (array != null) {
+            compType = array.getClass().getComponentType();
+        } else if (obj != null) {
+            compType = obj.getClass();
+        }
+        int newArrLength = (array != null ? array.length + 1 : 1);
+        @SuppressWarnings("unchecked")
+        A[] newArr = (A[]) Array.newInstance(compType, newArrLength);
+        if (array != null) {
+            System.arraycopy(array, 0, newArr, 0, array.length);
+        }
+        newArr[newArr.length - 1] = obj;
+        return newArr;
+    }
+
+    /**
+     * Convert the given array (which may be a primitive array) to an
+     * object array (if necessary of primitive wrapper objects).
+     * <p>A <code>null</code> source value will be converted to an
+     * empty Object array.
+     *
+     * @param source the (potentially primitive) array
+     * @return the corresponding object array (never <code>null</code>)
+     * @throws IllegalArgumentException if the parameter is not an array
+     */
+    public static Object[] toObjectArray(Object source) {
+        if (source instanceof Object[]) {
+            return (Object[]) source;
+        }
+        if (source == null) {
+            return new Object[0];
+        }
+        if (!source.getClass().isArray()) {
+            throw new IllegalArgumentException("Source is not an array: " + source);
+        }
+        int length = Array.getLength(source);
+        if (length == 0) {
+            return new Object[0];
+        }
+        Class wrapperType = Array.get(source, 0).getClass();
+        Object[] newArray = (Object[]) Array.newInstance(wrapperType, length);
+        for (int i = 0; i < length; i++) {
+            newArray[i] = Array.get(source, i);
+        }
+        return newArray;
+    }
+
+
+    //---------------------------------------------------------------------
+    // Convenience methods for content-based equality/hash-code handling
+    //---------------------------------------------------------------------
+
+    /**
+     * Determine if the given objects are equal, returning <code>true</code>
+     * if both are <code>null</code> or <code>false</code> if only one is
+     * <code>null</code>.
+     * <p>Compares arrays with <code>Arrays.equals</code>, performing an equality
+     * check based on the array elements rather than the array reference.
+     *
+     * @param o1 first Object to compare
+     * @param o2 second Object to compare
+     * @return whether the given objects are equal
+     * @see java.util.Arrays#equals
+     */
+    public static boolean nullSafeEquals(Object o1, Object o2) {
+        if (o1 == o2) {
+            return true;
+        }
+        if (o1 == null || o2 == null) {
+            return false;
+        }
+        if (o1.equals(o2)) {
+            return true;
+        }
+        if (o1.getClass().isArray() && o2.getClass().isArray()) {
+            if (o1 instanceof Object[] && o2 instanceof Object[]) {
+                return Arrays.equals((Object[]) o1, (Object[]) o2);
+            }
+            if (o1 instanceof boolean[] && o2 instanceof boolean[]) {
+                return Arrays.equals((boolean[]) o1, (boolean[]) o2);
+            }
+            if (o1 instanceof byte[] && o2 instanceof byte[]) {
+                return Arrays.equals((byte[]) o1, (byte[]) o2);
+            }
+            if (o1 instanceof char[] && o2 instanceof char[]) {
+                return Arrays.equals((char[]) o1, (char[]) o2);
+            }
+            if (o1 instanceof double[] && o2 instanceof double[]) {
+                return Arrays.equals((double[]) o1, (double[]) o2);
+            }
+            if (o1 instanceof float[] && o2 instanceof float[]) {
+                return Arrays.equals((float[]) o1, (float[]) o2);
+            }
+            if (o1 instanceof int[] && o2 instanceof int[]) {
+                return Arrays.equals((int[]) o1, (int[]) o2);
+            }
+            if (o1 instanceof long[] && o2 instanceof long[]) {
+                return Arrays.equals((long[]) o1, (long[]) o2);
+            }
+            if (o1 instanceof short[] && o2 instanceof short[]) {
+                return Arrays.equals((short[]) o1, (short[]) o2);
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Return as hash code for the given object; typically the value of
+     * <code>{@link Object#hashCode()}</code>. If the object is an array,
+     * this method will delegate to any of the <code>nullSafeHashCode</code>
+     * methods for arrays in this class. If the object is <code>null</code>,
+     * this method returns 0.
+     *
+     * @see #nullSafeHashCode(Object[])
+     * @see #nullSafeHashCode(boolean[])
+     * @see #nullSafeHashCode(byte[])
+     * @see #nullSafeHashCode(char[])
+     * @see #nullSafeHashCode(double[])
+     * @see #nullSafeHashCode(float[])
+     * @see #nullSafeHashCode(int[])
+     * @see #nullSafeHashCode(long[])
+     * @see #nullSafeHashCode(short[])
+     */
+    public static int nullSafeHashCode(Object obj) {
+        if (obj == null) {
+            return 0;
+        }
+        if (obj.getClass().isArray()) {
+            if (obj instanceof Object[]) {
+                return nullSafeHashCode((Object[]) obj);
+            }
+            if (obj instanceof boolean[]) {
+                return nullSafeHashCode((boolean[]) obj);
+            }
+            if (obj instanceof byte[]) {
+                return nullSafeHashCode((byte[]) obj);
+            }
+            if (obj instanceof char[]) {
+                return nullSafeHashCode((char[]) obj);
+            }
+            if (obj instanceof double[]) {
+                return nullSafeHashCode((double[]) obj);
+            }
+            if (obj instanceof float[]) {
+                return nullSafeHashCode((float[]) obj);
+            }
+            if (obj instanceof int[]) {
+                return nullSafeHashCode((int[]) obj);
+            }
+            if (obj instanceof long[]) {
+                return nullSafeHashCode((long[]) obj);
+            }
+            if (obj instanceof short[]) {
+                return nullSafeHashCode((short[]) obj);
+            }
+        }
+        return obj.hashCode();
+    }
+
+    /**
+     * Return a hash code based on the contents of the specified array.
+     * If <code>array</code> is <code>null</code>, this method returns 0.
+     */
+    public static int nullSafeHashCode(Object[] array) {
+        if (array == null) {
+            return 0;
+        }
+        int hash = INITIAL_HASH;
+        int arraySize = array.length;
+        for (int i = 0; i < arraySize; i++) {
+            hash = MULTIPLIER * hash + nullSafeHashCode(array[i]);
+        }
+        return hash;
+    }
+
+    /**
+     * Return a hash code based on the contents of the specified array.
+     * If <code>array</code> is <code>null</code>, this method returns 0.
+     */
+    public static int nullSafeHashCode(boolean[] array) {
+        if (array == null) {
+            return 0;
+        }
+        int hash = INITIAL_HASH;
+        int arraySize = array.length;
+        for (int i = 0; i < arraySize; i++) {
+            hash = MULTIPLIER * hash + hashCode(array[i]);
+        }
+        return hash;
+    }
+
+    /**
+     * Return a hash code based on the contents of the specified array.
+     * If <code>array</code> is <code>null</code>, this method returns 0.
+     */
+    public static int nullSafeHashCode(byte[] array) {
+        if (array == null) {
+            return 0;
+        }
+        int hash = INITIAL_HASH;
+        int arraySize = array.length;
+        for (int i = 0; i < arraySize; i++) {
+            hash = MULTIPLIER * hash + array[i];
+        }
+        return hash;
+    }
+
+    /**
+     * Return a hash code based on the contents of the specified array.
+     * If <code>array</code> is <code>null</code>, this method returns 0.
+     */
+    public static int nullSafeHashCode(char[] array) {
+        if (array == null) {
+            return 0;
+        }
+        int hash = INITIAL_HASH;
+        int arraySize = array.length;
+        for (int i = 0; i < arraySize; i++) {
+            hash = MULTIPLIER * hash + array[i];
+        }
+        return hash;
+    }
+
+    /**
+     * Return a hash code based on the contents of the specified array.
+     * If <code>array</code> is <code>null</code>, this method returns 0.
+     */
+    public static int nullSafeHashCode(double[] array) {
+        if (array == null) {
+            return 0;
+        }
+        int hash = INITIAL_HASH;
+        int arraySize = array.length;
+        for (int i = 0; i < arraySize; i++) {
+            hash = MULTIPLIER * hash + hashCode(array[i]);
+        }
+        return hash;
+    }
+
+    /**
+     * Return a hash code based on the contents of the specified array.
+     * If <code>array</code> is <code>null</code>, this method returns 0.
+     */
+    public static int nullSafeHashCode(float[] array) {
+        if (array == null) {
+            return 0;
+        }
+        int hash = INITIAL_HASH;
+        int arraySize = array.length;
+        for (int i = 0; i < arraySize; i++) {
+            hash = MULTIPLIER * hash + hashCode(array[i]);
+        }
+        return hash;
+    }
+
+    /**
+     * Return a hash code based on the contents of the specified array.
+     * If <code>array</code> is <code>null</code>, this method returns 0.
+     */
+    public static int nullSafeHashCode(int[] array) {
+        if (array == null) {
+            return 0;
+        }
+        int hash = INITIAL_HASH;
+        int arraySize = array.length;
+        for (int i = 0; i < arraySize; i++) {
+            hash = MULTIPLIER * hash + array[i];
+        }
+        return hash;
+    }
+
+    /**
+     * Return a hash code based on the contents of the specified array.
+     * If <code>array</code> is <code>null</code>, this method returns 0.
+     */
+    public static int nullSafeHashCode(long[] array) {
+        if (array == null) {
+            return 0;
+        }
+        int hash = INITIAL_HASH;
+        int arraySize = array.length;
+        for (int i = 0; i < arraySize; i++) {
+            hash = MULTIPLIER * hash + hashCode(array[i]);
+        }
+        return hash;
+    }
+
+    /**
+     * Return a hash code based on the contents of the specified array.
+     * If <code>array</code> is <code>null</code>, this method returns 0.
+     */
+    public static int nullSafeHashCode(short[] array) {
+        if (array == null) {
+            return 0;
+        }
+        int hash = INITIAL_HASH;
+        int arraySize = array.length;
+        for (int i = 0; i < arraySize; i++) {
+            hash = MULTIPLIER * hash + array[i];
+        }
+        return hash;
+    }
+
+    /**
+     * Return the same value as <code>{@link Boolean#hashCode()}</code>.
+     *
+     * @see Boolean#hashCode()
+     */
+    public static int hashCode(boolean bool) {
+        return bool ? 1231 : 1237;
+    }
+
+    /**
+     * Return the same value as <code>{@link Double#hashCode()}</code>.
+     *
+     * @see Double#hashCode()
+     */
+    public static int hashCode(double dbl) {
+        long bits = Double.doubleToLongBits(dbl);
+        return hashCode(bits);
+    }
+
+    /**
+     * Return the same value as <code>{@link Float#hashCode()}</code>.
+     *
+     * @see Float#hashCode()
+     */
+    public static int hashCode(float flt) {
+        return Float.floatToIntBits(flt);
+    }
+
+    /**
+     * Return the same value as <code>{@link Long#hashCode()}</code>.
+     *
+     * @see Long#hashCode()
+     */
+    public static int hashCode(long lng) {
+        return (int) (lng ^ (lng >>> 32));
+    }
+
+
+    //---------------------------------------------------------------------
+    // Convenience methods for toString output
+    //---------------------------------------------------------------------
+
+    /**
+     * Return a String representation of an object's overall identity.
+     *
+     * @param obj the object (may be <code>null</code>)
+     * @return the object's identity as String representation,
+     * or an empty String if the object was <code>null</code>
+     */
+    public static String identityToString(Object obj) {
+        if (obj == null) {
+            return EMPTY_STRING;
+        }
+        return obj.getClass().getName() + "@" + getIdentityHexString(obj);
+    }
+
+    /**
+     * Return a hex String form of an object's identity hash code.
+     *
+     * @param obj the object
+     * @return the object's identity code in hex notation
+     */
+    public static String getIdentityHexString(Object obj) {
+        return Integer.toHexString(System.identityHashCode(obj));
+    }
+
+    /**
+     * Return a content-based String representation if <code>obj</code> is
+     * not <code>null</code>; otherwise returns an empty String.
+     * <p>Differs from {@link #nullSafeToString(Object)} in that it returns
+     * an empty String rather than "null" for a <code>null</code> value.
+     *
+     * @param obj the object to build a display String for
+     * @return a display String representation of <code>obj</code>
+     * @see #nullSafeToString(Object)
+     */
+    public static String getDisplayString(Object obj) {
+        if (obj == null) {
+            return EMPTY_STRING;
+        }
+        return nullSafeToString(obj);
+    }
+
+    /**
+     * Determine the class name for the given object.
+     * <p>Returns <code>"null"</code> if <code>obj</code> is <code>null</code>.
+     *
+     * @param obj the object to introspect (may be <code>null</code>)
+     * @return the corresponding class name
+     */
+    public static String nullSafeClassName(Object obj) {
+        return (obj != null ? obj.getClass().getName() : NULL_STRING);
+    }
+
+    /**
+     * Return a String representation of the specified Object.
+     * <p>Builds a String representation of the contents in case of an array.
+     * Returns <code>"null"</code> if <code>obj</code> is <code>null</code>.
+     *
+     * @param obj the object to build a String representation for
+     * @return a String representation of <code>obj</code>
+     */
+    public static String nullSafeToString(Object obj) {
+        if (obj == null) {
+            return NULL_STRING;
+        }
+        if (obj instanceof String) {
+            return (String) obj;
+        }
+        if (obj instanceof Object[]) {
+            return nullSafeToString((Object[]) obj);
+        }
+        if (obj instanceof boolean[]) {
+            return nullSafeToString((boolean[]) obj);
+        }
+        if (obj instanceof byte[]) {
+            return nullSafeToString((byte[]) obj);
+        }
+        if (obj instanceof char[]) {
+            return nullSafeToString((char[]) obj);
+        }
+        if (obj instanceof double[]) {
+            return nullSafeToString((double[]) obj);
+        }
+        if (obj instanceof float[]) {
+            return nullSafeToString((float[]) obj);
+        }
+        if (obj instanceof int[]) {
+            return nullSafeToString((int[]) obj);
+        }
+        if (obj instanceof long[]) {
+            return nullSafeToString((long[]) obj);
+        }
+        if (obj instanceof short[]) {
+            return nullSafeToString((short[]) obj);
+        }
+        String str = obj.toString();
+        return (str != null ? str : EMPTY_STRING);
+    }
+
+    /**
+     * Return a String representation of the contents of the specified array.
+     * <p>The String representation consists of a list of the array's elements,
+     * enclosed in curly braces (<code>"{}"</code>). Adjacent elements are separated
+     * by the characters <code>", "</code> (a comma followed by a space). Returns
+     * <code>"null"</code> if <code>array</code> is <code>null</code>.
+     *
+     * @param array the array to build a String representation for
+     * @return a String representation of <code>array</code>
+     */
+    public static String nullSafeToString(Object[] array) {
+        if (array == null) {
+            return NULL_STRING;
+        }
+        int length = array.length;
+        if (length == 0) {
+            return EMPTY_ARRAY;
+        }
+        StringBuilder sb = new StringBuilder();
+        for (int i = 0; i < length; i++) {
+            if (i == 0) {
+                sb.append(ARRAY_START);
+            } else {
+                sb.append(ARRAY_ELEMENT_SEPARATOR);
+            }
+            sb.append(String.valueOf(array[i]));
+        }
+        sb.append(ARRAY_END);
+        return sb.toString();
+    }
+
+    /**
+     * Return a String representation of the contents of the specified array.
+     * <p>The String representation consists of a list of the array's elements,
+     * enclosed in curly braces (<code>"{}"</code>). Adjacent elements are separated
+     * by the characters <code>", "</code> (a comma followed by a space). Returns
+     * <code>"null"</code> if <code>array</code> is <code>null</code>.
+     *
+     * @param array the array to build a String representation for
+     * @return a String representation of <code>array</code>
+     */
+    public static String nullSafeToString(boolean[] array) {
+        if (array == null) {
+            return NULL_STRING;
+        }
+        int length = array.length;
+        if (length == 0) {
+            return EMPTY_ARRAY;
+        }
+        StringBuilder sb = new StringBuilder();
+        for (int i = 0; i < length; i++) {
+            if (i == 0) {
+                sb.append(ARRAY_START);
+            } else {
+                sb.append(ARRAY_ELEMENT_SEPARATOR);
+            }
+
+            sb.append(array[i]);
+        }
+        sb.append(ARRAY_END);
+        return sb.toString();
+    }
+
+    /**
+     * Return a String representation of the contents of the specified array.
+     * <p>The String representation consists of a list of the array's elements,
+     * enclosed in curly braces (<code>"{}"</code>). Adjacent elements are separated
+     * by the characters <code>", "</code> (a comma followed by a space). Returns
+     * <code>"null"</code> if <code>array</code> is <code>null</code>.
+     *
+     * @param array the array to build a String representation for
+     * @return a String representation of <code>array</code>
+     */
+    public static String nullSafeToString(byte[] array) {
+        if (array == null) {
+            return NULL_STRING;
+        }
+        int length = array.length;
+        if (length == 0) {
+            return EMPTY_ARRAY;
+        }
+        StringBuilder sb = new StringBuilder();
+        for (int i = 0; i < length; i++) {
+            if (i == 0) {
+                sb.append(ARRAY_START);
+            } else {
+                sb.append(ARRAY_ELEMENT_SEPARATOR);
+            }
+            sb.append(array[i]);
+        }
+        sb.append(ARRAY_END);
+        return sb.toString();
+    }
+
+    /**
+     * Return a String representation of the contents of the specified array.
+     * <p>The String representation consists of a list of the array's elements,
+     * enclosed in curly braces (<code>"{}"</code>). Adjacent elements are separated
+     * by the characters <code>", "</code> (a comma followed by a space). Returns
+     * <code>"null"</code> if <code>array</code> is <code>null</code>.
+     *
+     * @param array the array to build a String representation for
+     * @return a String representation of <code>array</code>
+     */
+    public static String nullSafeToString(char[] array) {
+        if (array == null) {
+            return NULL_STRING;
+        }
+        int length = array.length;
+        if (length == 0) {
+            return EMPTY_ARRAY;
+        }
+        StringBuilder sb = new StringBuilder();
+        for (int i = 0; i < length; i++) {
+            if (i == 0) {
+                sb.append(ARRAY_START);
+            } else {
+                sb.append(ARRAY_ELEMENT_SEPARATOR);
+            }
+            sb.append("'").append(array[i]).append("'");
+        }
+        sb.append(ARRAY_END);
+        return sb.toString();
+    }
+
+    /**
+     * Return a String representation of the contents of the specified array.
+     * <p>The String representation consists of a list of the array's elements,
+     * enclosed in curly braces (<code>"{}"</code>). Adjacent elements are separated
+     * by the characters <code>", "</code> (a comma followed by a space). Returns
+     * <code>"null"</code> if <code>array</code> is <code>null</code>.
+     *
+     * @param array the array to build a String representation for
+     * @return a String representation of <code>array</code>
+     */
+    public static String nullSafeToString(double[] array) {
+        if (array == null) {
+            return NULL_STRING;
+        }
+        int length = array.length;
+        if (length == 0) {
+            return EMPTY_ARRAY;
+        }
+        StringBuilder sb = new StringBuilder();
+        for (int i = 0; i < length; i++) {
+            if (i == 0) {
+                sb.append(ARRAY_START);
+            } else {
+                sb.append(ARRAY_ELEMENT_SEPARATOR);
+            }
+
+            sb.append(array[i]);
+        }
+        sb.append(ARRAY_END);
+        return sb.toString();
+    }
+
+    /**
+     * Return a String representation of the contents of the specified array.
+     * <p>The String representation consists of a list of the array's elements,
+     * enclosed in curly braces (<code>"{}"</code>). Adjacent elements are separated
+     * by the characters <code>", "</code> (a comma followed by a space). Returns
+     * <code>"null"</code> if <code>array</code> is <code>null</code>.
+     *
+     * @param array the array to build a String representation for
+     * @return a String representation of <code>array</code>
+     */
+    public static String nullSafeToString(float[] array) {
+        if (array == null) {
+            return NULL_STRING;
+        }
+        int length = array.length;
+        if (length == 0) {
+            return EMPTY_ARRAY;
+        }
+        StringBuilder sb = new StringBuilder();
+        for (int i = 0; i < length; i++) {
+            if (i == 0) {
+                sb.append(ARRAY_START);
+            } else {
+                sb.append(ARRAY_ELEMENT_SEPARATOR);
+            }
+
+            sb.append(array[i]);
+        }
+        sb.append(ARRAY_END);
+        return sb.toString();
+    }
+
+    /**
+     * Return a String representation of the contents of the specified array.
+     * <p>The String representation consists of a list of the array's elements,
+     * enclosed in curly braces (<code>"{}"</code>). Adjacent elements are separated
+     * by the characters <code>", "</code> (a comma followed by a space). Returns
+     * <code>"null"</code> if <code>array</code> is <code>null</code>.
+     *
+     * @param array the array to build a String representation for
+     * @return a String representation of <code>array</code>
+     */
+    public static String nullSafeToString(int[] array) {
+        if (array == null) {
+            return NULL_STRING;
+        }
+        int length = array.length;
+        if (length == 0) {
+            return EMPTY_ARRAY;
+        }
+        StringBuilder sb = new StringBuilder();
+        for (int i = 0; i < length; i++) {
+            if (i == 0) {
+                sb.append(ARRAY_START);
+            } else {
+                sb.append(ARRAY_ELEMENT_SEPARATOR);
+            }
+            sb.append(array[i]);
+        }
+        sb.append(ARRAY_END);
+        return sb.toString();
+    }
+
+    /**
+     * Return a String representation of the contents of the specified array.
+     * <p>The String representation consists of a list of the array's elements,
+     * enclosed in curly braces (<code>"{}"</code>). Adjacent elements are separated
+     * by the characters <code>", "</code> (a comma followed by a space). Returns
+     * <code>"null"</code> if <code>array</code> is <code>null</code>.
+     *
+     * @param array the array to build a String representation for
+     * @return a String representation of <code>array</code>
+     */
+    public static String nullSafeToString(long[] array) {
+        if (array == null) {
+            return NULL_STRING;
+        }
+        int length = array.length;
+        if (length == 0) {
+            return EMPTY_ARRAY;
+        }
+        StringBuilder sb = new StringBuilder();
+        for (int i = 0; i < length; i++) {
+            if (i == 0) {
+                sb.append(ARRAY_START);
+            } else {
+                sb.append(ARRAY_ELEMENT_SEPARATOR);
+            }
+            sb.append(array[i]);
+        }
+        sb.append(ARRAY_END);
+        return sb.toString();
+    }
+
+    /**
+     * Return a String representation of the contents of the specified array.
+     * <p>The String representation consists of a list of the array's elements,
+     * enclosed in curly braces (<code>"{}"</code>). Adjacent elements are separated
+     * by the characters <code>", "</code> (a comma followed by a space). Returns
+     * <code>"null"</code> if <code>array</code> is <code>null</code>.
+     *
+     * @param array the array to build a String representation for
+     * @return a String representation of <code>array</code>
+     */
+    public static String nullSafeToString(short[] array) {
+        if (array == null) {
+            return NULL_STRING;
+        }
+        int length = array.length;
+        if (length == 0) {
+            return EMPTY_ARRAY;
+        }
+        StringBuilder sb = new StringBuilder();
+        for (int i = 0; i < length; i++) {
+            if (i == 0) {
+                sb.append(ARRAY_START);
+            } else {
+                sb.append(ARRAY_ELEMENT_SEPARATOR);
+            }
+            sb.append(array[i]);
+        }
+        sb.append(ARRAY_END);
+        return sb.toString();
+    }
+
+    public static void nullSafeClose(Closeable... closeables) {
+        if (closeables == null) {
+            return;
+        }
+
+        for (Closeable closeable : closeables) {
+            if (closeable != null) {
+                try {
+                    closeable.close();
+                } catch (IOException e) {
+                    //Ignore the exception during close.
+                }
+            }
+        }
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/RuntimeEnvironment.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/RuntimeEnvironment.java
new file mode 100644
index 00000000000..df5b8c7c7ae
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/RuntimeEnvironment.java
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.lang;
+
+import java.security.Provider;
+import java.security.Security;
+import java.util.concurrent.atomic.AtomicBoolean;
+
+public final class RuntimeEnvironment {
+
+    private RuntimeEnvironment(){} //prevent instantiation
+
+    private static final String BC_PROVIDER_CLASS_NAME = "org.bouncycastle.jce.provider.BouncyCastleProvider";
+
+    private static final AtomicBoolean bcLoaded = new AtomicBoolean(false);
+
+    public static final boolean BOUNCY_CASTLE_AVAILABLE = Classes.isAvailable(BC_PROVIDER_CLASS_NAME);
+
+    public static void enableBouncyCastleIfPossible() {
+
+        if (!BOUNCY_CASTLE_AVAILABLE || bcLoaded.get()) {
+            return;
+        }
+
+        try {
+            Class clazz = Classes.forName(BC_PROVIDER_CLASS_NAME);
+
+            //check to see if the user has already registered the BC provider:
+
+            Provider[] providers = Security.getProviders();
+
+            for(Provider provider : providers) {
+                if (clazz.isInstance(provider)) {
+                    bcLoaded.set(true);
+                    return;
+                }
+            }
+
+            //bc provider not enabled - add it:
+            Security.addProvider((Provider)Classes.newInstance(clazz));
+            bcLoaded.set(true);
+
+        } catch (UnknownClassException e) {
+            //not available
+        }
+    }
+
+    static {
+        enableBouncyCastleIfPossible();
+    }
+
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Strings.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Strings.java
new file mode 100644
index 00000000000..065bb2512bc
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Strings.java
@@ -0,0 +1,1147 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.lang;
+
+import java.nio.charset.Charset;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
+import java.util.Properties;
+import java.util.Set;
+import java.util.StringTokenizer;
+import java.util.TreeSet;
+
+public final class Strings {
+
+    private static final String FOLDER_SEPARATOR = "/";
+
+    private static final String WINDOWS_FOLDER_SEPARATOR = "\\";
+
+    private static final String TOP_PATH = "..";
+
+    private static final String CURRENT_PATH = ".";
+
+    private static final char EXTENSION_SEPARATOR = '.';
+
+    public static final Charset UTF_8 = Charset.forName("UTF-8");
+
+    private Strings(){} //prevent instantiation
+
+    //---------------------------------------------------------------------
+    // General convenience methods for working with Strings
+    //---------------------------------------------------------------------
+
+    /**
+     * Check that the given CharSequence is neither <code>null</code> nor of length 0.
+     * Note: Will return <code>true</code> for a CharSequence that purely consists of whitespace.
+     * <p><pre>
+     * Strings.hasLength(null) = false
+     * Strings.hasLength("") = false
+     * Strings.hasLength(" ") = true
+     * Strings.hasLength("Hello") = true
+     * </pre>
+     * @param str the CharSequence to check (may be <code>null</code>)
+     * @return <code>true</code> if the CharSequence is not null and has length
+     * @see #hasText(String)
+     */
+    public static boolean hasLength(CharSequence str) {
+        return (str != null && str.length() > 0);
+    }
+
+    /**
+     * Check that the given String is neither <code>null</code> nor of length 0.
+     * Note: Will return <code>true</code> for a String that purely consists of whitespace.
+     * @param str the String to check (may be <code>null</code>)
+     * @return <code>true</code> if the String is not null and has length
+     * @see #hasLength(CharSequence)
+     */
+    public static boolean hasLength(String str) {
+        return hasLength((CharSequence) str);
+    }
+
+    /**
+     * Check whether the given CharSequence has actual text.
+     * More specifically, returns <code>true</code> if the string not <code>null</code>,
+     * its length is greater than 0, and it contains at least one non-whitespace character.
+     * <p><pre>
+     * Strings.hasText(null) = false
+     * Strings.hasText("") = false
+     * Strings.hasText(" ") = false
+     * Strings.hasText("12345") = true
+     * Strings.hasText(" 12345 ") = true
+     * </pre>
+     * @param str the CharSequence to check (may be <code>null</code>)
+     * @return <code>true</code> if the CharSequence is not <code>null</code>,
+     * its length is greater than 0, and it does not contain whitespace only
+     * @see java.lang.Character#isWhitespace
+     */
+    public static boolean hasText(CharSequence str) {
+        if (!hasLength(str)) {
+            return false;
+        }
+        int strLen = str.length();
+        for (int i = 0; i < strLen; i++) {
+            if (!Character.isWhitespace(str.charAt(i))) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Check whether the given String has actual text.
+     * More specifically, returns <code>true</code> if the string not <code>null</code>,
+     * its length is greater than 0, and it contains at least one non-whitespace character.
+     * @param str the String to check (may be <code>null</code>)
+     * @return <code>true</code> if the String is not <code>null</code>, its length is
+     * greater than 0, and it does not contain whitespace only
+     * @see #hasText(CharSequence)
+     */
+    public static boolean hasText(String str) {
+        return hasText((CharSequence) str);
+    }
+
+    /**
+     * Check whether the given CharSequence contains any whitespace characters.
+     * @param str the CharSequence to check (may be <code>null</code>)
+     * @return <code>true</code> if the CharSequence is not empty and
+     * contains at least 1 whitespace character
+     * @see java.lang.Character#isWhitespace
+     */
+    public static boolean containsWhitespace(CharSequence str) {
+        if (!hasLength(str)) {
+            return false;
+        }
+        int strLen = str.length();
+        for (int i = 0; i < strLen; i++) {
+            if (Character.isWhitespace(str.charAt(i))) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Check whether the given String contains any whitespace characters.
+     * @param str the String to check (may be <code>null</code>)
+     * @return <code>true</code> if the String is not empty and
+     * contains at least 1 whitespace character
+     * @see #containsWhitespace(CharSequence)
+     */
+    public static boolean containsWhitespace(String str) {
+        return containsWhitespace((CharSequence) str);
+    }
+
+    /**
+     * Trim leading and trailing whitespace from the given String.
+     * @param str the String to check
+     * @return the trimmed String
+     * @see java.lang.Character#isWhitespace
+     */
+    public static String trimWhitespace(String str) {
+        return (String) trimWhitespace((CharSequence)str);
+    }
+    
+    
+    private static CharSequence trimWhitespace(CharSequence str) {
+        if (!hasLength(str)) {
+            return str;
+        }
+        final int length = str.length();
+
+        int start = 0;
+		while (start < length && Character.isWhitespace(str.charAt(start))) {
+            start++;
+        }
+        
+		int end = length;
+        while (start < length && Character.isWhitespace(str.charAt(end - 1))) {
+            end--;
+        }
+        
+        return ((start > 0) || (end < length)) ? str.subSequence(start, end) : str;
+    }
+
+    public static String clean(String str) {
+    	CharSequence result = clean((CharSequence) str);
+        
+        return result!=null?result.toString():null;
+    }
+    
+    public static CharSequence clean(CharSequence str) {
+        str = trimWhitespace(str);
+        if (!hasLength(str)) {
+            return null;
+        }
+        return str;
+    }
+
+    /**
+     * Trim <i>all</i> whitespace from the given String:
+     * leading, trailing, and inbetween characters.
+     * @param str the String to check
+     * @return the trimmed String
+     * @see java.lang.Character#isWhitespace
+     */
+    public static String trimAllWhitespace(String str) {
+        if (!hasLength(str)) {
+            return str;
+        }
+        StringBuilder sb = new StringBuilder(str);
+        int index = 0;
+        while (sb.length() > index) {
+            if (Character.isWhitespace(sb.charAt(index))) {
+                sb.deleteCharAt(index);
+            }
+            else {
+                index++;
+            }
+        }
+        return sb.toString();
+    }
+
+    /**
+     * Trim leading whitespace from the given String.
+     * @param str the String to check
+     * @return the trimmed String
+     * @see java.lang.Character#isWhitespace
+     */
+    public static String trimLeadingWhitespace(String str) {
+        if (!hasLength(str)) {
+            return str;
+        }
+        StringBuilder sb = new StringBuilder(str);
+        while (sb.length() > 0 && Character.isWhitespace(sb.charAt(0))) {
+            sb.deleteCharAt(0);
+        }
+        return sb.toString();
+    }
+
+    /**
+     * Trim trailing whitespace from the given String.
+     * @param str the String to check
+     * @return the trimmed String
+     * @see java.lang.Character#isWhitespace
+     */
+    public static String trimTrailingWhitespace(String str) {
+        if (!hasLength(str)) {
+            return str;
+        }
+        StringBuilder sb = new StringBuilder(str);
+        while (sb.length() > 0 && Character.isWhitespace(sb.charAt(sb.length() - 1))) {
+            sb.deleteCharAt(sb.length() - 1);
+        }
+        return sb.toString();
+    }
+
+    /**
+     * Trim all occurences of the supplied leading character from the given String.
+     * @param str the String to check
+     * @param leadingCharacter the leading character to be trimmed
+     * @return the trimmed String
+     */
+    public static String trimLeadingCharacter(String str, char leadingCharacter) {
+        if (!hasLength(str)) {
+            return str;
+        }
+        StringBuilder sb = new StringBuilder(str);
+        while (sb.length() > 0 && sb.charAt(0) == leadingCharacter) {
+            sb.deleteCharAt(0);
+        }
+        return sb.toString();
+    }
+
+    /**
+     * Trim all occurences of the supplied trailing character from the given String.
+     * @param str the String to check
+     * @param trailingCharacter the trailing character to be trimmed
+     * @return the trimmed String
+     */
+    public static String trimTrailingCharacter(String str, char trailingCharacter) {
+        if (!hasLength(str)) {
+            return str;
+        }
+        StringBuilder sb = new StringBuilder(str);
+        while (sb.length() > 0 && sb.charAt(sb.length() - 1) == trailingCharacter) {
+            sb.deleteCharAt(sb.length() - 1);
+        }
+        return sb.toString();
+    }
+
+
+    /**
+     * Test if the given String starts with the specified prefix,
+     * ignoring upper/lower case.
+     * @param str the String to check
+     * @param prefix the prefix to look for
+     * @see java.lang.String#startsWith
+     */
+    public static boolean startsWithIgnoreCase(String str, String prefix) {
+        if (str == null || prefix == null) {
+            return false;
+        }
+        if (str.startsWith(prefix)) {
+            return true;
+        }
+        if (str.length() < prefix.length()) {
+            return false;
+        }
+        String lcStr = str.substring(0, prefix.length()).toLowerCase();
+        String lcPrefix = prefix.toLowerCase();
+        return lcStr.equals(lcPrefix);
+    }
+
+    /**
+     * Test if the given String ends with the specified suffix,
+     * ignoring upper/lower case.
+     * @param str the String to check
+     * @param suffix the suffix to look for
+     * @see java.lang.String#endsWith
+     */
+    public static boolean endsWithIgnoreCase(String str, String suffix) {
+        if (str == null || suffix == null) {
+            return false;
+        }
+        if (str.endsWith(suffix)) {
+            return true;
+        }
+        if (str.length() < suffix.length()) {
+            return false;
+        }
+
+        String lcStr = str.substring(str.length() - suffix.length()).toLowerCase();
+        String lcSuffix = suffix.toLowerCase();
+        return lcStr.equals(lcSuffix);
+    }
+
+    /**
+     * Test whether the given string matches the given substring
+     * at the given index.
+     * @param str the original string (or StringBuilder)
+     * @param index the index in the original string to start matching against
+     * @param substring the substring to match at the given index
+     */
+    public static boolean substringMatch(CharSequence str, int index, CharSequence substring) {
+        for (int j = 0; j < substring.length(); j++) {
+            int i = index + j;
+            if (i >= str.length() || str.charAt(i) != substring.charAt(j)) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    /**
+     * Count the occurrences of the substring in string s.
+     * @param str string to search in. Return 0 if this is null.
+     * @param sub string to search for. Return 0 if this is null.
+     */
+    public static int countOccurrencesOf(String str, String sub) {
+        if (str == null || sub == null || str.length() == 0 || sub.length() == 0) {
+            return 0;
+        }
+        int count = 0;
+        int pos = 0;
+        int idx;
+        while ((idx = str.indexOf(sub, pos)) != -1) {
+            ++count;
+            pos = idx + sub.length();
+        }
+        return count;
+    }
+
+    /**
+     * Replace all occurences of a substring within a string with
+     * another string.
+     * @param inString String to examine
+     * @param oldPattern String to replace
+     * @param newPattern String to insert
+     * @return a String with the replacements
+     */
+    public static String replace(String inString, String oldPattern, String newPattern) {
+        if (!hasLength(inString) || !hasLength(oldPattern) || newPattern == null) {
+            return inString;
+        }
+        StringBuilder sb = new StringBuilder();
+        int pos = 0; // our position in the old string
+        int index = inString.indexOf(oldPattern);
+        // the index of an occurrence we've found, or -1
+        int patLen = oldPattern.length();
+        while (index >= 0) {
+            sb.append(inString.substring(pos, index));
+            sb.append(newPattern);
+            pos = index + patLen;
+            index = inString.indexOf(oldPattern, pos);
+        }
+        sb.append(inString.substring(pos));
+        // remember to append any characters to the right of a match
+        return sb.toString();
+    }
+
+    /**
+     * Delete all occurrences of the given substring.
+     * @param inString the original String
+     * @param pattern the pattern to delete all occurrences of
+     * @return the resulting String
+     */
+    public static String delete(String inString, String pattern) {
+        return replace(inString, pattern, "");
+    }
+
+    /**
+     * Delete any character in a given String.
+     * @param inString the original String
+     * @param charsToDelete a set of characters to delete.
+     * E.g. "az\n" will delete 'a's, 'z's and new lines.
+     * @return the resulting String
+     */
+    public static String deleteAny(String inString, String charsToDelete) {
+        if (!hasLength(inString) || !hasLength(charsToDelete)) {
+            return inString;
+        }
+        StringBuilder sb = new StringBuilder();
+        for (int i = 0; i < inString.length(); i++) {
+            char c = inString.charAt(i);
+            if (charsToDelete.indexOf(c) == -1) {
+                sb.append(c);
+            }
+        }
+        return sb.toString();
+    }
+
+
+    //---------------------------------------------------------------------
+    // Convenience methods for working with formatted Strings
+    //---------------------------------------------------------------------
+
+    /**
+     * Quote the given String with single quotes.
+     * @param str the input String (e.g. "myString")
+     * @return the quoted String (e.g. "'myString'"),
+     * or <code>null</code> if the input was <code>null</code>
+     */
+    public static String quote(String str) {
+        return (str != null ? "'" + str + "'" : null);
+    }
+
+    /**
+     * Turn the given Object into a String with single quotes
+     * if it is a String; keeping the Object as-is else.
+     * @param obj the input Object (e.g. "myString")
+     * @return the quoted String (e.g. "'myString'"),
+     * or the input object as-is if not a String
+     */
+    public static Object quoteIfString(Object obj) {
+        return (obj instanceof String ? quote((String) obj) : obj);
+    }
+
+    /**
+     * Unqualify a string qualified by a '.' dot character. For example,
+     * "this.name.is.qualified", returns "qualified".
+     * @param qualifiedName the qualified name
+     */
+    public static String unqualify(String qualifiedName) {
+        return unqualify(qualifiedName, '.');
+    }
+
+    /**
+     * Unqualify a string qualified by a separator character. For example,
+     * "this:name:is:qualified" returns "qualified" if using a ':' separator.
+     * @param qualifiedName the qualified name
+     * @param separator the separator
+     */
+    public static String unqualify(String qualifiedName, char separator) {
+        return qualifiedName.substring(qualifiedName.lastIndexOf(separator) + 1);
+    }
+
+    /**
+     * Capitalize a <code>String</code>, changing the first letter to
+     * upper case as per {@link Character#toUpperCase(char)}.
+     * No other letters are changed.
+     * @param str the String to capitalize, may be <code>null</code>
+     * @return the capitalized String, <code>null</code> if null
+     */
+    public static String capitalize(String str) {
+        return changeFirstCharacterCase(str, true);
+    }
+
+    /**
+     * Uncapitalize a <code>String</code>, changing the first letter to
+     * lower case as per {@link Character#toLowerCase(char)}.
+     * No other letters are changed.
+     * @param str the String to uncapitalize, may be <code>null</code>
+     * @return the uncapitalized String, <code>null</code> if null
+     */
+    public static String uncapitalize(String str) {
+        return changeFirstCharacterCase(str, false);
+    }
+
+    private static String changeFirstCharacterCase(String str, boolean capitalize) {
+        if (str == null || str.length() == 0) {
+            return str;
+        }
+        StringBuilder sb = new StringBuilder(str.length());
+        if (capitalize) {
+            sb.append(Character.toUpperCase(str.charAt(0)));
+        }
+        else {
+            sb.append(Character.toLowerCase(str.charAt(0)));
+        }
+        sb.append(str.substring(1));
+        return sb.toString();
+    }
+
+    /**
+     * Extract the filename from the given path,
+     * e.g. "mypath/myfile.txt" -&gt; "myfile.txt".
+     * @param path the file path (may be <code>null</code>)
+     * @return the extracted filename, or <code>null</code> if none
+     */
+    public static String getFilename(String path) {
+        if (path == null) {
+            return null;
+        }
+        int separatorIndex = path.lastIndexOf(FOLDER_SEPARATOR);
+        return (separatorIndex != -1 ? path.substring(separatorIndex + 1) : path);
+    }
+
+    /**
+     * Extract the filename extension from the given path,
+     * e.g. "mypath/myfile.txt" -&gt; "txt".
+     * @param path the file path (may be <code>null</code>)
+     * @return the extracted filename extension, or <code>null</code> if none
+     */
+    public static String getFilenameExtension(String path) {
+        if (path == null) {
+            return null;
+        }
+        int extIndex = path.lastIndexOf(EXTENSION_SEPARATOR);
+        if (extIndex == -1) {
+            return null;
+        }
+        int folderIndex = path.lastIndexOf(FOLDER_SEPARATOR);
+        if (folderIndex > extIndex) {
+            return null;
+        }
+        return path.substring(extIndex + 1);
+    }
+
+    /**
+     * Strip the filename extension from the given path,
+     * e.g. "mypath/myfile.txt" -&gt; "mypath/myfile".
+     * @param path the file path (may be <code>null</code>)
+     * @return the path with stripped filename extension,
+     * or <code>null</code> if none
+     */
+    public static String stripFilenameExtension(String path) {
+        if (path == null) {
+            return null;
+        }
+        int extIndex = path.lastIndexOf(EXTENSION_SEPARATOR);
+        if (extIndex == -1) {
+            return path;
+        }
+        int folderIndex = path.lastIndexOf(FOLDER_SEPARATOR);
+        if (folderIndex > extIndex) {
+            return path;
+        }
+        return path.substring(0, extIndex);
+    }
+
+    /**
+     * Apply the given relative path to the given path,
+     * assuming standard Java folder separation (i.e. "/" separators).
+     * @param path the path to start from (usually a full file path)
+     * @param relativePath the relative path to apply
+     * (relative to the full file path above)
+     * @return the full file path that results from applying the relative path
+     */
+    public static String applyRelativePath(String path, String relativePath) {
+        int separatorIndex = path.lastIndexOf(FOLDER_SEPARATOR);
+        if (separatorIndex != -1) {
+            String newPath = path.substring(0, separatorIndex);
+            if (!relativePath.startsWith(FOLDER_SEPARATOR)) {
+                newPath += FOLDER_SEPARATOR;
+            }
+            return newPath + relativePath;
+        }
+        else {
+            return relativePath;
+        }
+    }
+
+    /**
+     * Normalize the path by suppressing sequences like "path/.." and
+     * inner simple dots.
+     * <p>The result is convenient for path comparison. For other uses,
+     * notice that Windows separators ("\") are replaced by simple slashes.
+     * @param path the original path
+     * @return the normalized path
+     */
+    public static String cleanPath(String path) {
+        if (path == null) {
+            return null;
+        }
+        String pathToUse = replace(path, WINDOWS_FOLDER_SEPARATOR, FOLDER_SEPARATOR);
+
+        // Strip prefix from path to analyze, to not treat it as part of the
+        // first path element. This is necessary to correctly parse paths like
+        // "file:core/../core/io/Resource.class", where the ".." should just
+        // strip the first "core" directory while keeping the "file:" prefix.
+        int prefixIndex = pathToUse.indexOf(":");
+        String prefix = "";
+        if (prefixIndex != -1) {
+            prefix = pathToUse.substring(0, prefixIndex + 1);
+            pathToUse = pathToUse.substring(prefixIndex + 1);
+        }
+        if (pathToUse.startsWith(FOLDER_SEPARATOR)) {
+            prefix = prefix + FOLDER_SEPARATOR;
+            pathToUse = pathToUse.substring(1);
+        }
+
+        String[] pathArray = delimitedListToStringArray(pathToUse, FOLDER_SEPARATOR);
+        List<String> pathElements = new LinkedList<String>();
+        int tops = 0;
+
+        for (int i = pathArray.length - 1; i >= 0; i--) {
+            String element = pathArray[i];
+            if (CURRENT_PATH.equals(element)) {
+                // Points to current directory - drop it.
+            }
+            else if (TOP_PATH.equals(element)) {
+                // Registering top path found.
+                tops++;
+            }
+            else {
+                if (tops > 0) {
+                    // Merging path element with element corresponding to top path.
+                    tops--;
+                }
+                else {
+                    // Normal path element found.
+                    pathElements.add(0, element);
+                }
+            }
+        }
+
+        // Remaining top paths need to be retained.
+        for (int i = 0; i < tops; i++) {
+            pathElements.add(0, TOP_PATH);
+        }
+
+        return prefix + collectionToDelimitedString(pathElements, FOLDER_SEPARATOR);
+    }
+
+    /**
+     * Compare two paths after normalization of them.
+     * @param path1 first path for comparison
+     * @param path2 second path for comparison
+     * @return whether the two paths are equivalent after normalization
+     */
+    public static boolean pathEquals(String path1, String path2) {
+        return cleanPath(path1).equals(cleanPath(path2));
+    }
+
+    /**
+     * Parse the given <code>localeString</code> value into a {@link java.util.Locale}.
+     * <p>This is the inverse operation of {@link java.util.Locale#toString Locale's toString}.
+     * @param localeString the locale string, following <code>Locale's</code>
+     * <code>toString()</code> format ("en", "en_UK", etc);
+     * also accepts spaces as separators, as an alternative to underscores
+     * @return a corresponding <code>Locale</code> instance
+     */
+    public static Locale parseLocaleString(String localeString) {
+        String[] parts = tokenizeToStringArray(localeString, "_ ", false, false);
+        String language = (parts.length > 0 ? parts[0] : "");
+        String country = (parts.length > 1 ? parts[1] : "");
+        validateLocalePart(language);
+        validateLocalePart(country);
+        String variant = "";
+        if (parts.length >= 2) {
+            // There is definitely a variant, and it is everything after the country
+            // code sans the separator between the country code and the variant.
+            int endIndexOfCountryCode = localeString.indexOf(country) + country.length();
+            // Strip off any leading '_' and whitespace, what's left is the variant.
+            variant = trimLeadingWhitespace(localeString.substring(endIndexOfCountryCode));
+            if (variant.startsWith("_")) {
+                variant = trimLeadingCharacter(variant, '_');
+            }
+        }
+        return (language.length() > 0 ? new Locale(language, country, variant) : null);
+    }
+
+    private static void validateLocalePart(String localePart) {
+        for (int i = 0; i < localePart.length(); i++) {
+            char ch = localePart.charAt(i);
+            if (ch != '_' && ch != ' ' && !Character.isLetterOrDigit(ch)) {
+                throw new IllegalArgumentException(
+                    "Locale part \"" + localePart + "\" contains invalid characters");
+            }
+        }
+    }
+
+    /**
+     * Determine the RFC 3066 compliant language tag,
+     * as used for the HTTP "Accept-Language" header.
+     * @param locale the Locale to transform to a language tag
+     * @return the RFC 3066 compliant language tag as String
+     */
+    public static String toLanguageTag(Locale locale) {
+        return locale.getLanguage() + (hasText(locale.getCountry()) ? "-" + locale.getCountry() : "");
+    }
+
+
+    //---------------------------------------------------------------------
+    // Convenience methods for working with String arrays
+    //---------------------------------------------------------------------
+
+    /**
+     * Append the given String to the given String array, returning a new array
+     * consisting of the input array contents plus the given String.
+     * @param array the array to append to (can be <code>null</code>)
+     * @param str the String to append
+     * @return the new array (never <code>null</code>)
+     */
+    public static String[] addStringToArray(String[] array, String str) {
+        if (Objects.isEmpty(array)) {
+            return new String[] {str};
+        }
+        String[] newArr = new String[array.length + 1];
+        System.arraycopy(array, 0, newArr, 0, array.length);
+        newArr[array.length] = str;
+        return newArr;
+    }
+
+    /**
+     * Concatenate the given String arrays into one,
+     * with overlapping array elements included twice.
+     * <p>The order of elements in the original arrays is preserved.
+     * @param array1 the first array (can be <code>null</code>)
+     * @param array2 the second array (can be <code>null</code>)
+     * @return the new array (<code>null</code> if both given arrays were <code>null</code>)
+     */
+    public static String[] concatenateStringArrays(String[] array1, String[] array2) {
+        if (Objects.isEmpty(array1)) {
+            return array2;
+        }
+        if (Objects.isEmpty(array2)) {
+            return array1;
+        }
+        String[] newArr = new String[array1.length + array2.length];
+        System.arraycopy(array1, 0, newArr, 0, array1.length);
+        System.arraycopy(array2, 0, newArr, array1.length, array2.length);
+        return newArr;
+    }
+
+    /**
+     * Merge the given String arrays into one, with overlapping
+     * array elements only included once.
+     * <p>The order of elements in the original arrays is preserved
+     * (with the exception of overlapping elements, which are only
+     * included on their first occurrence).
+     * @param array1 the first array (can be <code>null</code>)
+     * @param array2 the second array (can be <code>null</code>)
+     * @return the new array (<code>null</code> if both given arrays were <code>null</code>)
+     */
+    public static String[] mergeStringArrays(String[] array1, String[] array2) {
+        if (Objects.isEmpty(array1)) {
+            return array2;
+        }
+        if (Objects.isEmpty(array2)) {
+            return array1;
+        }
+        List<String> result = new ArrayList<String>();
+        result.addAll(Arrays.asList(array1));
+        for (String str : array2) {
+            if (!result.contains(str)) {
+                result.add(str);
+            }
+        }
+        return toStringArray(result);
+    }
+
+    /**
+     * Turn given source String array into sorted array.
+     * @param array the source array
+     * @return the sorted array (never <code>null</code>)
+     */
+    public static String[] sortStringArray(String[] array) {
+        if (Objects.isEmpty(array)) {
+            return new String[0];
+        }
+        Arrays.sort(array);
+        return array;
+    }
+
+    /**
+     * Copy the given Collection into a String array.
+     * The Collection must contain String elements only.
+     * @param collection the Collection to copy
+     * @return the String array (<code>null</code> if the passed-in
+     * Collection was <code>null</code>)
+     */
+    public static String[] toStringArray(Collection<String> collection) {
+        if (collection == null) {
+            return null;
+        }
+        return collection.toArray(new String[collection.size()]);
+    }
+
+    /**
+     * Copy the given Enumeration into a String array.
+     * The Enumeration must contain String elements only.
+     * @param enumeration the Enumeration to copy
+     * @return the String array (<code>null</code> if the passed-in
+     * Enumeration was <code>null</code>)
+     */
+    public static String[] toStringArray(Enumeration<String> enumeration) {
+        if (enumeration == null) {
+            return null;
+        }
+        List<String> list = java.util.Collections.list(enumeration);
+        return list.toArray(new String[list.size()]);
+    }
+
+    /**
+     * Trim the elements of the given String array,
+     * calling <code>String.trim()</code> on each of them.
+     * @param array the original String array
+     * @return the resulting array (of the same size) with trimmed elements
+     */
+    public static String[] trimArrayElements(String[] array) {
+        if (Objects.isEmpty(array)) {
+            return new String[0];
+        }
+        String[] result = new String[array.length];
+        for (int i = 0; i < array.length; i++) {
+            String element = array[i];
+            result[i] = (element != null ? element.trim() : null);
+        }
+        return result;
+    }
+
+    /**
+     * Remove duplicate Strings from the given array.
+     * Also sorts the array, as it uses a TreeSet.
+     * @param array the String array
+     * @return an array without duplicates, in natural sort order
+     */
+    public static String[] removeDuplicateStrings(String[] array) {
+        if (Objects.isEmpty(array)) {
+            return array;
+        }
+        Set<String> set = new TreeSet<String>();
+        for (String element : array) {
+            set.add(element);
+        }
+        return toStringArray(set);
+    }
+
+    /**
+     * Split a String at the first occurrence of the delimiter.
+     * Does not include the delimiter in the result.
+     * @param toSplit the string to split
+     * @param delimiter to split the string up with
+     * @return a two element array with index 0 being before the delimiter, and
+     * index 1 being after the delimiter (neither element includes the delimiter);
+     * or <code>null</code> if the delimiter wasn't found in the given input String
+     */
+    public static String[] split(String toSplit, String delimiter) {
+        if (!hasLength(toSplit) || !hasLength(delimiter)) {
+            return null;
+        }
+        int offset = toSplit.indexOf(delimiter);
+        if (offset < 0) {
+            return null;
+        }
+        String beforeDelimiter = toSplit.substring(0, offset);
+        String afterDelimiter = toSplit.substring(offset + delimiter.length());
+        return new String[] {beforeDelimiter, afterDelimiter};
+    }
+
+    /**
+     * Take an array Strings and split each element based on the given delimiter.
+     * A <code>Properties</code> instance is then generated, with the left of the
+     * delimiter providing the key, and the right of the delimiter providing the value.
+     * <p>Will trim both the key and value before adding them to the
+     * <code>Properties</code> instance.
+     * @param array the array to process
+     * @param delimiter to split each element using (typically the equals symbol)
+     * @return a <code>Properties</code> instance representing the array contents,
+     * or <code>null</code> if the array to process was null or empty
+     */
+    public static Properties splitArrayElementsIntoProperties(String[] array, String delimiter) {
+        return splitArrayElementsIntoProperties(array, delimiter, null);
+    }
+
+    /**
+     * Take an array Strings and split each element based on the given delimiter.
+     * A <code>Properties</code> instance is then generated, with the left of the
+     * delimiter providing the key, and the right of the delimiter providing the value.
+     * <p>Will trim both the key and value before adding them to the
+     * <code>Properties</code> instance.
+     * @param array the array to process
+     * @param delimiter to split each element using (typically the equals symbol)
+     * @param charsToDelete one or more characters to remove from each element
+     * prior to attempting the split operation (typically the quotation mark
+     * symbol), or <code>null</code> if no removal should occur
+     * @return a <code>Properties</code> instance representing the array contents,
+     * or <code>null</code> if the array to process was <code>null</code> or empty
+     */
+    public static Properties splitArrayElementsIntoProperties(
+        String[] array, String delimiter, String charsToDelete) {
+
+        if (Objects.isEmpty(array)) {
+            return null;
+        }
+        Properties result = new Properties();
+        for (String element : array) {
+            if (charsToDelete != null) {
+                element = deleteAny(element, charsToDelete);
+            }
+            String[] splittedElement = split(element, delimiter);
+            if (splittedElement == null) {
+                continue;
+            }
+            result.setProperty(splittedElement[0].trim(), splittedElement[1].trim());
+        }
+        return result;
+    }
+
+    /**
+     * Tokenize the given String into a String array via a StringTokenizer.
+     * Trims tokens and omits empty tokens.
+     * <p>The given delimiters string is supposed to consist of any number of
+     * delimiter characters. Each of those characters can be used to separate
+     * tokens. A delimiter is always a single character; for multi-character
+     * delimiters, consider using <code>delimitedListToStringArray</code>
+     * @param str the String to tokenize
+     * @param delimiters the delimiter characters, assembled as String
+     * (each of those characters is individually considered as delimiter).
+     * @return an array of the tokens
+     * @see java.util.StringTokenizer
+     * @see java.lang.String#trim()
+     * @see #delimitedListToStringArray
+     */
+    public static String[] tokenizeToStringArray(String str, String delimiters) {
+        return tokenizeToStringArray(str, delimiters, true, true);
+    }
+
+    /**
+     * Tokenize the given String into a String array via a StringTokenizer.
+     * <p>The given delimiters string is supposed to consist of any number of
+     * delimiter characters. Each of those characters can be used to separate
+     * tokens. A delimiter is always a single character; for multi-character
+     * delimiters, consider using <code>delimitedListToStringArray</code>
+     * @param str the String to tokenize
+     * @param delimiters the delimiter characters, assembled as String
+     * (each of those characters is individually considered as delimiter)
+     * @param trimTokens trim the tokens via String's <code>trim</code>
+     * @param ignoreEmptyTokens omit empty tokens from the result array
+     * (only applies to tokens that are empty after trimming; StringTokenizer
+     * will not consider subsequent delimiters as token in the first place).
+     * @return an array of the tokens (<code>null</code> if the input String
+     * was <code>null</code>)
+     * @see java.util.StringTokenizer
+     * @see java.lang.String#trim()
+     * @see #delimitedListToStringArray
+     */
+    public static String[] tokenizeToStringArray(
+        String str, String delimiters, boolean trimTokens, boolean ignoreEmptyTokens) {
+
+        if (str == null) {
+            return null;
+        }
+        StringTokenizer st = new StringTokenizer(str, delimiters);
+        List<String> tokens = new ArrayList<String>();
+        while (st.hasMoreTokens()) {
+            String token = st.nextToken();
+            if (trimTokens) {
+                token = token.trim();
+            }
+            if (!ignoreEmptyTokens || token.length() > 0) {
+                tokens.add(token);
+            }
+        }
+        return toStringArray(tokens);
+    }
+
+    /**
+     * Take a String which is a delimited list and convert it to a String array.
+     * <p>A single delimiter can consists of more than one character: It will still
+     * be considered as single delimiter string, rather than as bunch of potential
+     * delimiter characters - in contrast to <code>tokenizeToStringArray</code>.
+     * @param str the input String
+     * @param delimiter the delimiter between elements (this is a single delimiter,
+     * rather than a bunch individual delimiter characters)
+     * @return an array of the tokens in the list
+     * @see #tokenizeToStringArray
+     */
+    public static String[] delimitedListToStringArray(String str, String delimiter) {
+        return delimitedListToStringArray(str, delimiter, null);
+    }
+
+    /**
+     * Take a String which is a delimited list and convert it to a String array.
+     * <p>A single delimiter can consists of more than one character: It will still
+     * be considered as single delimiter string, rather than as bunch of potential
+     * delimiter characters - in contrast to <code>tokenizeToStringArray</code>.
+     * @param str the input String
+     * @param delimiter the delimiter between elements (this is a single delimiter,
+     * rather than a bunch individual delimiter characters)
+     * @param charsToDelete a set of characters to delete. Useful for deleting unwanted
+     * line breaks: e.g. "\r\n\f" will delete all new lines and line feeds in a String.
+     * @return an array of the tokens in the list
+     * @see #tokenizeToStringArray
+     */
+    public static String[] delimitedListToStringArray(String str, String delimiter, String charsToDelete) {
+        if (str == null) {
+            return new String[0];
+        }
+        if (delimiter == null) {
+            return new String[] {str};
+        }
+        List<String> result = new ArrayList<String>();
+        if ("".equals(delimiter)) {
+            for (int i = 0; i < str.length(); i++) {
+                result.add(deleteAny(str.substring(i, i + 1), charsToDelete));
+            }
+        }
+        else {
+            int pos = 0;
+            int delPos;
+            while ((delPos = str.indexOf(delimiter, pos)) != -1) {
+                result.add(deleteAny(str.substring(pos, delPos), charsToDelete));
+                pos = delPos + delimiter.length();
+            }
+            if (str.length() > 0 && pos <= str.length()) {
+                // Add rest of String, but not in case of empty input.
+                result.add(deleteAny(str.substring(pos), charsToDelete));
+            }
+        }
+        return toStringArray(result);
+    }
+
+    /**
+     * Convert a CSV list into an array of Strings.
+     * @param str the input String
+     * @return an array of Strings, or the empty array in case of empty input
+     */
+    public static String[] commaDelimitedListToStringArray(String str) {
+        return delimitedListToStringArray(str, ",");
+    }
+
+    /**
+     * Convenience method to convert a CSV string list to a set.
+     * Note that this will suppress duplicates.
+     * @param str the input String
+     * @return a Set of String entries in the list
+     */
+    public static Set<String> commaDelimitedListToSet(String str) {
+        Set<String> set = new TreeSet<String>();
+        String[] tokens = commaDelimitedListToStringArray(str);
+        for (String token : tokens) {
+            set.add(token);
+        }
+        return set;
+    }
+
+    /**
+     * Convenience method to return a Collection as a delimited (e.g. CSV)
+     * String. E.g. useful for <code>toString()</code> implementations.
+     * @param coll the Collection to display
+     * @param delim the delimiter to use (probably a ",")
+     * @param prefix the String to start each element with
+     * @param suffix the String to end each element with
+     * @return the delimited String
+     */
+    public static String collectionToDelimitedString(Collection<?> coll, String delim, String prefix, String suffix) {
+        if (Collections.isEmpty(coll)) {
+            return "";
+        }
+        StringBuilder sb = new StringBuilder();
+        Iterator<?> it = coll.iterator();
+        while (it.hasNext()) {
+            sb.append(prefix).append(it.next()).append(suffix);
+            if (it.hasNext()) {
+                sb.append(delim);
+            }
+        }
+        return sb.toString();
+    }
+
+    /**
+     * Convenience method to return a Collection as a delimited (e.g. CSV)
+     * String. E.g. useful for <code>toString()</code> implementations.
+     * @param coll the Collection to display
+     * @param delim the delimiter to use (probably a ",")
+     * @return the delimited String
+     */
+    public static String collectionToDelimitedString(Collection<?> coll, String delim) {
+        return collectionToDelimitedString(coll, delim, "", "");
+    }
+
+    /**
+     * Convenience method to return a Collection as a CSV String.
+     * E.g. useful for <code>toString()</code> implementations.
+     * @param coll the Collection to display
+     * @return the delimited String
+     */
+    public static String collectionToCommaDelimitedString(Collection<?> coll) {
+        return collectionToDelimitedString(coll, ",");
+    }
+
+    /**
+     * Convenience method to return a String array as a delimited (e.g. CSV)
+     * String. E.g. useful for <code>toString()</code> implementations.
+     * @param arr the array to display
+     * @param delim the delimiter to use (probably a ",")
+     * @return the delimited String
+     */
+    public static String arrayToDelimitedString(Object[] arr, String delim) {
+        if (Objects.isEmpty(arr)) {
+            return "";
+        }
+        if (arr.length == 1) {
+            return Objects.nullSafeToString(arr[0]);
+        }
+        StringBuilder sb = new StringBuilder();
+        for (int i = 0; i < arr.length; i++) {
+            if (i > 0) {
+                sb.append(delim);
+            }
+            sb.append(arr[i]);
+        }
+        return sb.toString();
+    }
+
+    /**
+     * Convenience method to return a String array as a CSV String.
+     * E.g. useful for <code>toString()</code> implementations.
+     * @param arr the array to display
+     * @return the delimited String
+     */
+    public static String arrayToCommaDelimitedString(Object[] arr) {
+        return arrayToDelimitedString(arr, ",");
+    }
+
+}
+
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/UnknownClassException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/UnknownClassException.java
new file mode 100644
index 00000000000..07b44d9fcab
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/UnknownClassException.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.lang;
+
+/**
+ * A <code>RuntimeException</code> equivalent of the JDK's
+ * <code>ClassNotFoundException</code>, to maintain a RuntimeException paradigm.
+ *
+ * @since 0.1
+ */
+public class UnknownClassException extends RuntimeException {
+
+    /*
+    /**
+     * Creates a new UnknownClassException.
+     *
+    public UnknownClassException() {
+        super();
+    }*/
+
+    /**
+     * Constructs a new UnknownClassException.
+     *
+     * @param message the reason for the exception
+     */
+    public UnknownClassException(String message) {
+        super(message);
+    }
+
+    /*
+     * Constructs a new UnknownClassException.
+     *
+     * @param cause the underlying Throwable that caused this exception to be thrown.
+     *
+    public UnknownClassException(Throwable cause) {
+        super(cause);
+    }
+    */
+
+    /**
+     * Constructs a new UnknownClassException.
+     *
+     * @param message the reason for the exception
+     * @param cause   the underlying Throwable that caused this exception to be thrown.
+     */
+    public UnknownClassException(String message, Throwable cause) {
+        // TODO: remove in v1.0, this constructor is only exposed to allow for backward compatible behavior
+        super(message, cause);
+    }
+
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/InvalidKeyException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/InvalidKeyException.java
new file mode 100644
index 00000000000..2e3b84b8af1
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/InvalidKeyException.java
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.security;
+
+/**
+ * @since 0.10.0
+ */
+public class InvalidKeyException extends KeyException {
+
+    public InvalidKeyException(String message) {
+        super(message);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/KeyException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/KeyException.java
new file mode 100644
index 00000000000..0db21924573
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/KeyException.java
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.security;
+
+/**
+ * @since 0.10.0
+ */
+public class KeyException extends SecurityException {
+
+    public KeyException(String message) {
+        super(message);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/Keys.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/Keys.java
new file mode 100644
index 00000000000..cb478424893
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/Keys.java
@@ -0,0 +1,231 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.security;
+
+import io.jsonwebtoken.SignatureAlgorithm;
+import io.jsonwebtoken.lang.Assert;
+import io.jsonwebtoken.lang.Classes;
+
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+import java.security.KeyPair;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * Utility class for securely generating {@link SecretKey}s and {@link KeyPair}s.
+ *
+ * @since 0.10.0
+ */
+public final class Keys {
+
+    private static final String MAC = "io.jsonwebtoken.impl.crypto.MacProvider";
+    private static final String RSA = "io.jsonwebtoken.impl.crypto.RsaProvider";
+    private static final String EC = "io.jsonwebtoken.impl.crypto.EllipticCurveProvider";
+
+    private static final Class[] SIG_ARG_TYPES = new Class[]{SignatureAlgorithm.class};
+
+    //purposefully ordered higher to lower:
+    private static final List<SignatureAlgorithm> PREFERRED_HMAC_ALGS = Collections.unmodifiableList(Arrays.asList(
+        SignatureAlgorithm.HS512, SignatureAlgorithm.HS384, SignatureAlgorithm.HS256));
+
+    //prevent instantiation
+    private Keys() {
+    }
+
+    /*
+    public static final int bitLength(Key key) throws IllegalArgumentException {
+        Assert.notNull(key, "Key cannot be null.");
+        if (key instanceof SecretKey) {
+            byte[] encoded = key.getEncoded();
+            return Arrays.length(encoded) * 8;
+        } else if (key instanceof RSAKey) {
+            return ((RSAKey)key).getModulus().bitLength();
+        } else if (key instanceof ECKey) {
+            return ((ECKey)key).getParams().getOrder().bitLength();
+        }
+
+        throw new IllegalArgumentException("Unsupported key type: " + key.getClass().getName());
+    }
+    */
+
+    /**
+     * Creates a new SecretKey instance for use with HMAC-SHA algorithms based on the specified key byte array.
+     *
+     * @param bytes the key byte array
+     * @return a new SecretKey instance for use with HMAC-SHA algorithms based on the specified key byte array.
+     * @throws WeakKeyException if the key byte array length is less than 256 bits (32 bytes) as mandated by the
+     *                          <a href="https://tools.ietf.org/html/rfc7518#section-3.2">JWT JWA Specification
+     *                          (RFC 7518, Section 3.2)</a>
+     */
+    public static SecretKey hmacShaKeyFor(byte[] bytes) throws WeakKeyException {
+
+        if (bytes == null) {
+            throw new InvalidKeyException("SecretKey byte array cannot be null.");
+        }
+
+        int bitLength = bytes.length * 8;
+
+        for (SignatureAlgorithm alg : PREFERRED_HMAC_ALGS) {
+            if (bitLength >= alg.getMinKeyLength()) {
+                return new SecretKeySpec(bytes, alg.getJcaName());
+            }
+        }
+
+        String msg = "The specified key byte array is " + bitLength + " bits which " +
+            "is not secure enough for any JWT HMAC-SHA algorithm.  The JWT " +
+            "JWA Specification (RFC 7518, Section 3.2) states that keys used with HMAC-SHA algorithms MUST have a " +
+            "size >= 256 bits (the key size must be greater than or equal to the hash " +
+            "output size).  Consider using the " + Keys.class.getName() + "#secretKeyFor(SignatureAlgorithm) method " +
+            "to create a key guaranteed to be secure enough for your preferred HMAC-SHA algorithm.  See " +
+            "https://tools.ietf.org/html/rfc7518#section-3.2 for more information.";
+        throw new WeakKeyException(msg);
+    }
+
+    /**
+     * Returns a new {@link SecretKey} with a key length suitable for use with the specified {@link SignatureAlgorithm}.
+     *
+     * <p><a href="https://tools.ietf.org/html/rfc7518#section-3.2">JWA Specification (RFC 7518), Section 3.2</a>
+     * requires minimum key lengths to be used for each respective Signature Algorithm.  This method returns a
+     * secure-random generated SecretKey that adheres to the required minimum key length.  The lengths are:</p>
+     *
+     * <table>
+     * <tr>
+     * <th>Algorithm</th>
+     * <th>Key Length</th>
+     * </tr>
+     * <tr>
+     * <td>HS256</td>
+     * <td>256 bits (32 bytes)</td>
+     * </tr>
+     * <tr>
+     * <td>HS384</td>
+     * <td>384 bits (48 bytes)</td>
+     * </tr>
+     * <tr>
+     * <td>HS512</td>
+     * <td>512 bits (64 bytes)</td>
+     * </tr>
+     * </table>
+     *
+     * @param alg the {@code SignatureAlgorithm} to inspect to determine which key length to use.
+     * @return a new {@link SecretKey} instance suitable for use with the specified {@link SignatureAlgorithm}.
+     * @throws IllegalArgumentException for any input value other than {@link SignatureAlgorithm#HS256},
+     *                                  {@link SignatureAlgorithm#HS384}, or {@link SignatureAlgorithm#HS512}
+     */
+    public static SecretKey secretKeyFor(SignatureAlgorithm alg) throws IllegalArgumentException {
+        Assert.notNull(alg, "SignatureAlgorithm cannot be null.");
+        switch (alg) {
+            case HS256:
+            case HS384:
+            case HS512:
+                return Classes.invokeStatic(MAC, "generateKey", SIG_ARG_TYPES, alg);
+            default:
+                String msg = "The " + alg.name() + " algorithm does not support shared secret keys.";
+                throw new IllegalArgumentException(msg);
+        }
+    }
+
+    /**
+     * Returns a new {@link KeyPair} suitable for use with the specified asymmetric algorithm.
+     *
+     * <p>If the {@code alg} argument is an RSA algorithm, a KeyPair is generated based on the following:</p>
+     *
+     * <table>
+     * <tr>
+     * <th>JWA Algorithm</th>
+     * <th>Key Size</th>
+     * </tr>
+     * <tr>
+     * <td>RS256</td>
+     * <td>2048 bits</td>
+     * </tr>
+     * <tr>
+     * <td>PS256</td>
+     * <td>2048 bits</td>
+     * </tr>
+     * <tr>
+     * <td>RS384</td>
+     * <td>3072 bits</td>
+     * </tr>
+     * <tr>
+     * <td>PS384</td>
+     * <td>3072 bits</td>
+     * </tr>
+     * <tr>
+     * <td>RS512</td>
+     * <td>4096 bits</td>
+     * </tr>
+     * <tr>
+     * <td>PS512</td>
+     * <td>4096 bits</td>
+     * </tr>
+     * </table>
+     *
+     * <p>If the {@code alg} argument is an Elliptic Curve algorithm, a KeyPair is generated based on the following:</p>
+     *
+     * <table>
+     * <tr>
+     * <th>JWA Algorithm</th>
+     * <th>Key Size</th>
+     * <th><a href="https://tools.ietf.org/html/rfc7518#section-7.6.2">JWA Curve Name</a></th>
+     * <th><a href="https://tools.ietf.org/html/rfc5480#section-2.1.1.1">ASN1 OID Curve Name</a></th>
+     * </tr>
+     * <tr>
+     * <td>EC256</td>
+     * <td>256 bits</td>
+     * <td>{@code P-256}</td>
+     * <td>{@code secp256r1}</td>
+     * </tr>
+     * <tr>
+     * <td>EC384</td>
+     * <td>384 bits</td>
+     * <td>{@code P-384}</td>
+     * <td>{@code secp384r1}</td>
+     * </tr>
+     * <tr>
+     * <td>EC512</td>
+     * <td>512 bits</td>
+     * <td>{@code P-521}</td>
+     * <td>{@code secp521r1}</td>
+     * </tr>
+     * </table>
+     *
+     * @param alg the {@code SignatureAlgorithm} to inspect to determine which asymmetric algorithm to use.
+     * @return a new {@link KeyPair} suitable for use with the specified asymmetric algorithm.
+     * @throws IllegalArgumentException if {@code alg} is not an asymmetric algorithm
+     */
+    public static KeyPair keyPairFor(SignatureAlgorithm alg) throws IllegalArgumentException {
+        Assert.notNull(alg, "SignatureAlgorithm cannot be null.");
+        switch (alg) {
+            case RS256:
+            case PS256:
+            case RS384:
+            case PS384:
+            case RS512:
+            case PS512:
+                return Classes.invokeStatic(RSA, "generateKeyPair", SIG_ARG_TYPES, alg);
+            case ES256:
+            case ES384:
+            case ES512:
+                return Classes.invokeStatic(EC, "generateKeyPair", SIG_ARG_TYPES, alg);
+            default:
+                String msg = "The " + alg.name() + " algorithm does not support Key Pairs.";
+                throw new IllegalArgumentException(msg);
+        }
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/SecurityException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/SecurityException.java
new file mode 100644
index 00000000000..8b5f8abd87e
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/SecurityException.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.security;
+
+import io.jsonwebtoken.JwtException;
+
+/**
+ * @since 0.10.0
+ */
+public class SecurityException extends JwtException {
+
+    public SecurityException(String message) {
+        super(message);
+    }
+
+    public SecurityException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/SignatureException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/SignatureException.java
new file mode 100644
index 00000000000..7cddb2cac36
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/SignatureException.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.security;
+
+/**
+ * @since 0.10.0
+ */
+public class SignatureException extends io.jsonwebtoken.SignatureException {
+
+    public SignatureException(String message) {
+        super(message);
+    }
+
+    public SignatureException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/WeakKeyException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/WeakKeyException.java
new file mode 100644
index 00000000000..8a7688fed8b
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/WeakKeyException.java
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.security;
+
+/**
+ * @since 0.10.0
+ */
+public class WeakKeyException extends InvalidKeyException {
+
+    public WeakKeyException(String message) {
+        super(message);
+    }
+}

From 885044e3317d3644ddeab5f5f6c4d9dc920f8c36 Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Tue, 6 Apr 2021 01:01:57 +0200
Subject: [PATCH 0155/1429] [Java] Add tests for jwt signature check query.

---
 .../CWE-347/MissingJWTSignatureCheck.expected |   8 +
 .../CWE-347/MissingJWTSignatureCheck.java     | 164 ++++++++++++++++++
 .../CWE-347/MissingJWTSignatureCheck.qlref    |   1 +
 3 files changed, 173 insertions(+)
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-347/MissingJWTSignatureCheck.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-347/MissingJWTSignatureCheck.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-347/MissingJWTSignatureCheck.qlref

diff --git a/java/ql/test/experimental/query-tests/security/CWE-347/MissingJWTSignatureCheck.expected b/java/ql/test/experimental/query-tests/security/CWE-347/MissingJWTSignatureCheck.expected
new file mode 100644
index 00000000000..e93720fcea8
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-347/MissingJWTSignatureCheck.expected
@@ -0,0 +1,8 @@
+| MissingJWTSignatureCheck.java:96:9:96:27 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:18:16:18:66 | setSigningKey(...) | here |
+| MissingJWTSignatureCheck.java:96:9:96:27 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:22:16:22:73 | setSigningKey(...) | here |
+| MissingJWTSignatureCheck.java:96:9:96:27 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:26:16:26:75 | setSigningKey(...) | here |
+| MissingJWTSignatureCheck.java:100:9:105:22 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:18:16:18:66 | setSigningKey(...) | here |
+| MissingJWTSignatureCheck.java:100:9:105:22 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:22:16:22:73 | setSigningKey(...) | here |
+| MissingJWTSignatureCheck.java:100:9:105:22 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:26:16:26:75 | setSigningKey(...) | here |
+| MissingJWTSignatureCheck.java:127:9:129:33 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:127:9:128:58 | setSigningKey(...) | here |
+| MissingJWTSignatureCheck.java:133:9:140:22 | parse(...) | A signing key is set $@, but the signature is not verified. | MissingJWTSignatureCheck.java:133:9:134:58 | setSigningKey(...) | here |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-347/MissingJWTSignatureCheck.java b/java/ql/test/experimental/query-tests/security/CWE-347/MissingJWTSignatureCheck.java
new file mode 100644
index 00000000000..624dbb1d48d
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-347/MissingJWTSignatureCheck.java
@@ -0,0 +1,164 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jwtk-jjwt-0.11.2
+
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.JwtParser;
+import io.jsonwebtoken.Jwt;
+import io.jsonwebtoken.Jws;
+import io.jsonwebtoken.Header;
+import io.jsonwebtoken.JwtParserBuilder;
+import io.jsonwebtoken.JwtHandlerAdapter;
+import io.jsonwebtoken.impl.DefaultJwtParser;
+
+public class MissingJWTSignatureCheck {
+
+
+    // SIGNED
+
+    private JwtParser getASignedParser() {
+        return Jwts.parser().setSigningKey("someBase64EncodedKey");
+    }
+
+    private JwtParser getASignedParserFromParserBuilder() {
+        return Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build();
+    }
+
+    private JwtParser getASignedNewParser() {
+        return new DefaultJwtParser().setSigningKey("someBase64EncodedKey");
+    }
+
+    private void callSignedParsers() {
+        JwtParser parser1 = getASignedParser();
+        badJwtOnParserBuilder(parser1, "");
+        badJwtHandlerOnParserBuilder(parser1, "");
+        goodJwtOnParserBuilder(parser1, "");
+        goodJwtHandler(parser1, "");
+
+        JwtParser parser2 = getASignedParserFromParserBuilder();
+        badJwtOnParserBuilder(parser2, "");
+        badJwtHandlerOnParserBuilder(parser2, "");
+        goodJwtOnParserBuilder(parser2, "");
+        goodJwtHandler(parser2, "");
+
+        JwtParser parser3 = getASignedNewParser();
+        badJwtOnParserBuilder(parser3, "");
+        badJwtHandlerOnParserBuilder(parser3, "");
+        goodJwtOnParserBuilder(parser3, "");
+        goodJwtHandler(parser3, "");
+    }
+
+    // SIGNED END
+
+    // UNSIGNED
+
+    private JwtParser getAnUnsignedParser() {
+        return Jwts.parser();
+    }
+
+    private JwtParser getAnUnsignedParserFromParserBuilder() {
+        return Jwts.parserBuilder().build();
+    }
+
+    private JwtParser getAnUnsignedNewParser() {
+        return new DefaultJwtParser();
+    }
+
+    private void callUnsignedParsers() {
+        JwtParser parser1 = getAnUnsignedParser();
+        badJwtOnParserBuilder(parser1, "");
+        badJwtHandlerOnParserBuilder(parser1, "");
+        goodJwtOnParserBuilder(parser1, "");
+        goodJwtHandler(parser1, "");
+
+        JwtParser parser2 = getAnUnsignedParserFromParserBuilder();
+        badJwtOnParserBuilder(parser2, "");
+        badJwtHandlerOnParserBuilder(parser2, "");
+        goodJwtOnParserBuilder(parser2, "");
+        goodJwtHandler(parser2, "");
+
+        JwtParser parser3 = getAnUnsignedNewParser();
+        badJwtOnParserBuilder(parser3, "");
+        badJwtHandlerOnParserBuilder(parser3, "");
+        goodJwtOnParserBuilder(parser3, "");
+        goodJwtHandler(parser3, "");
+    }
+
+    private void signParserAfterParseCall() {
+        JwtParser parser = getAnUnsignedParser();
+        parser.parse(""); // Should not be detected
+        parser.setSigningKey("someBase64EncodedKey");
+    }
+
+    // UNSIGNED END
+
+    // INDIRECT
+
+    private void badJwtOnParserBuilder(JwtParser parser, String token) {
+        parser.parse(token); // BAD: Does not verify the signature
+    }
+
+    private void badJwtHandlerOnParserBuilder(JwtParser parser, String token) {
+        parser.parse(token, new JwtHandlerAdapter<Jwt<Header, String>>() { // BAD: The handler is called on an unverified JWT
+                        @Override
+                        public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
+                            return jwt;
+                        }
+                    });
+    }
+
+    private void goodJwtOnParserBuilder(JwtParser parser, String token) {
+        parser.parseClaimsJws(token) // GOOD: Verify the signature
+                    .getBody();
+    }
+
+    private void goodJwtHandler(JwtParser parser, String token) {
+        parser.parse(token, new JwtHandlerAdapter<Jws<String>>() { // GOOD: The handler is called on a verified JWS
+                        @Override
+                        public Jws<String> onPlaintextJws(Jws<String> jws) {
+                            return jws;
+                        }
+                    });
+    }
+
+    // INDIRECT END
+
+    // DIRECT
+
+    private void badJwtOnParserBuilder(String token) {
+        Jwts.parserBuilder()
+                    .setSigningKey("someBase64EncodedKey").build()
+                    .parse(token); // BAD: Does not verify the signature
+    }
+
+    private void badJwtHandlerOnParser(String token) {
+        Jwts.parser()
+                    .setSigningKey("someBase64EncodedKey")
+                    .parse(token, new JwtHandlerAdapter<Jwt<Header, String>>() {  // BAD: The handler is called on an unverified JWT
+                        @Override
+                        public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
+                            return jwt;
+                        }
+                    });
+    }
+
+    private void goodJwtOnParser(String token) {
+        Jwts.parser()
+                    .setSigningKey("someBase64EncodedKey")
+                    .parseClaimsJws(token) // GOOD: Verify the signature
+                    .getBody();
+    }
+
+    private void goodJwtHandlerOnParserBuilder(String token) {
+        Jwts.parserBuilder()
+                    .setSigningKey("someBase64EncodedKey").build()
+                    .parse(token, new JwtHandlerAdapter<Jws<String>>() { // GOOD: The handler is called on a verified JWS
+                        @Override
+                        public Jws<String> onPlaintextJws(Jws<String> jws) {
+                            return jws;
+                        }
+                    });
+    }
+
+    // DIRECT END
+
+
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-347/MissingJWTSignatureCheck.qlref b/java/ql/test/experimental/query-tests/security/CWE-347/MissingJWTSignatureCheck.qlref
new file mode 100644
index 00000000000..67e7bf3e158
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-347/MissingJWTSignatureCheck.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
\ No newline at end of file

From 32a8b9a857eb66a5b471de771dff380a61654e7b Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 6 Apr 2021 08:56:14 +0200
Subject: [PATCH 0156/1429] C++: Move copy constructor to its own line and
 accept test changes.

---
 .../dataflow/taint-tests/localTaint.expected  | 238 +++++++++---------
 .../library-tests/dataflow/taint-tests/stl.h  |   3 +-
 2 files changed, 121 insertions(+), 120 deletions(-)

diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index 9b1ad0d4f10..e1001427818 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -3410,125 +3410,125 @@
 | stl.h:292:30:292:40 | call to allocator | stl.h:292:21:292:41 | noexcept(...) | TAINT |
 | stl.h:292:30:292:40 | call to allocator | stl.h:292:21:292:41 | noexcept(...) | TAINT |
 | stl.h:292:53:292:63 | 0 | stl.h:292:46:292:64 | (no string representation) | TAINT |
-| stl.h:388:9:388:9 | Unknown literal | stl.h:388:9:388:9 | constructor init of field first | TAINT |
-| stl.h:388:9:388:9 | Unknown literal | stl.h:388:9:388:9 | constructor init of field first | TAINT |
-| stl.h:388:9:388:9 | Unknown literal | stl.h:388:9:388:9 | constructor init of field first | TAINT |
-| stl.h:388:9:388:9 | Unknown literal | stl.h:388:9:388:9 | constructor init of field first | TAINT |
-| stl.h:388:9:388:9 | Unknown literal | stl.h:388:9:388:9 | constructor init of field first | TAINT |
-| stl.h:388:9:388:9 | Unknown literal | stl.h:388:9:388:9 | constructor init of field second | TAINT |
-| stl.h:388:9:388:9 | Unknown literal | stl.h:388:9:388:9 | constructor init of field second | TAINT |
-| stl.h:388:9:388:9 | Unknown literal | stl.h:388:9:388:9 | constructor init of field second | TAINT |
-| stl.h:388:9:388:9 | Unknown literal | stl.h:388:9:388:9 | constructor init of field second | TAINT |
-| stl.h:388:9:388:9 | Unknown literal | stl.h:388:9:388:9 | constructor init of field second | TAINT |
-| stl.h:388:9:388:9 | constructor init of field first [post-this] | stl.h:388:9:388:9 | constructor init of field second [pre-this] |  |
-| stl.h:388:9:388:9 | constructor init of field first [post-this] | stl.h:388:9:388:9 | constructor init of field second [pre-this] |  |
-| stl.h:388:9:388:9 | constructor init of field first [post-this] | stl.h:388:9:388:9 | constructor init of field second [pre-this] |  |
-| stl.h:388:9:388:9 | constructor init of field first [post-this] | stl.h:388:9:388:9 | constructor init of field second [pre-this] |  |
-| stl.h:388:9:388:9 | constructor init of field first [post-this] | stl.h:388:9:388:9 | constructor init of field second [pre-this] |  |
-| stl.h:388:9:388:9 | constructor init of field first [pre-this] | stl.h:388:9:388:9 | constructor init of field second [pre-this] |  |
-| stl.h:388:9:388:9 | constructor init of field first [pre-this] | stl.h:388:9:388:9 | constructor init of field second [pre-this] |  |
-| stl.h:388:9:388:9 | constructor init of field first [pre-this] | stl.h:388:9:388:9 | constructor init of field second [pre-this] |  |
-| stl.h:388:9:388:9 | constructor init of field first [pre-this] | stl.h:388:9:388:9 | constructor init of field second [pre-this] |  |
-| stl.h:388:9:388:9 | constructor init of field first [pre-this] | stl.h:388:9:388:9 | constructor init of field second [pre-this] |  |
-| stl.h:388:9:388:9 | this | stl.h:388:9:388:9 | constructor init of field first [pre-this] |  |
-| stl.h:388:9:388:9 | this | stl.h:388:9:388:9 | constructor init of field first [pre-this] |  |
-| stl.h:388:9:388:9 | this | stl.h:388:9:388:9 | constructor init of field first [pre-this] |  |
-| stl.h:388:9:388:9 | this | stl.h:388:9:388:9 | constructor init of field first [pre-this] |  |
-| stl.h:388:9:388:9 | this | stl.h:388:9:388:9 | constructor init of field first [pre-this] |  |
-| stl.h:395:3:395:3 | this | stl.h:395:36:395:43 | constructor init of field first [pre-this] |  |
-| stl.h:395:3:395:3 | this | stl.h:395:36:395:43 | constructor init of field first [pre-this] |  |
-| stl.h:395:3:395:3 | this | stl.h:395:36:395:43 | constructor init of field first [pre-this] |  |
-| stl.h:395:3:395:3 | this | stl.h:395:36:395:43 | constructor init of field first [pre-this] |  |
-| stl.h:395:3:395:3 | this | stl.h:395:36:395:43 | constructor init of field first [pre-this] |  |
-| stl.h:395:3:395:6 | this | stl.h:395:36:395:43 | constructor init of field first [pre-this] |  |
-| stl.h:395:18:395:18 | x | stl.h:395:42:395:42 | x |  |
-| stl.h:395:18:395:18 | x | stl.h:395:42:395:42 | x |  |
-| stl.h:395:18:395:18 | x | stl.h:395:42:395:42 | x |  |
-| stl.h:395:18:395:18 | x | stl.h:395:42:395:42 | x |  |
-| stl.h:395:18:395:18 | x | stl.h:395:42:395:42 | x |  |
-| stl.h:395:18:395:18 | x | stl.h:395:42:395:42 | x |  |
-| stl.h:395:31:395:31 | y | stl.h:395:53:395:53 | y |  |
-| stl.h:395:31:395:31 | y | stl.h:395:53:395:53 | y |  |
-| stl.h:395:31:395:31 | y | stl.h:395:53:395:53 | y |  |
-| stl.h:395:31:395:31 | y | stl.h:395:53:395:53 | y |  |
-| stl.h:395:31:395:31 | y | stl.h:395:53:395:53 | y |  |
-| stl.h:395:31:395:31 | y | stl.h:395:53:395:53 | y |  |
-| stl.h:395:36:395:43 | call to unknown function | stl.h:395:36:395:43 | constructor init of field first | TAINT |
-| stl.h:395:36:395:43 | constructor init of field first [post-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] |  |
-| stl.h:395:36:395:43 | constructor init of field first [post-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] |  |
-| stl.h:395:36:395:43 | constructor init of field first [post-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] |  |
-| stl.h:395:36:395:43 | constructor init of field first [post-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] |  |
-| stl.h:395:36:395:43 | constructor init of field first [post-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] |  |
-| stl.h:395:36:395:43 | constructor init of field first [post-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] |  |
-| stl.h:395:36:395:43 | constructor init of field first [pre-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] |  |
-| stl.h:395:36:395:43 | constructor init of field first [pre-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] |  |
-| stl.h:395:36:395:43 | constructor init of field first [pre-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] |  |
-| stl.h:395:36:395:43 | constructor init of field first [pre-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] |  |
-| stl.h:395:36:395:43 | constructor init of field first [pre-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] |  |
-| stl.h:395:36:395:43 | constructor init of field first [pre-this] | stl.h:395:46:395:54 | constructor init of field second [pre-this] |  |
-| stl.h:395:42:395:42 | x | stl.h:395:36:395:43 | constructor init of field first | TAINT |
-| stl.h:395:42:395:42 | x | stl.h:395:36:395:43 | constructor init of field first | TAINT |
-| stl.h:395:42:395:42 | x | stl.h:395:36:395:43 | constructor init of field first | TAINT |
-| stl.h:395:42:395:42 | x | stl.h:395:36:395:43 | constructor init of field first | TAINT |
-| stl.h:395:42:395:42 | x | stl.h:395:36:395:43 | constructor init of field first | TAINT |
-| stl.h:395:46:395:54 | call to unknown function | stl.h:395:46:395:54 | constructor init of field second | TAINT |
-| stl.h:395:53:395:53 | y | stl.h:395:46:395:54 | constructor init of field second | TAINT |
-| stl.h:395:53:395:53 | y | stl.h:395:46:395:54 | constructor init of field second | TAINT |
-| stl.h:395:53:395:53 | y | stl.h:395:46:395:54 | constructor init of field second | TAINT |
-| stl.h:395:53:395:53 | y | stl.h:395:46:395:54 | constructor init of field second | TAINT |
-| stl.h:395:53:395:53 | y | stl.h:395:46:395:54 | constructor init of field second | TAINT |
-| stl.h:401:87:401:87 | x | stl.h:401:87:401:87 | x |  |
-| stl.h:401:87:401:87 | x | stl.h:401:87:401:87 | x |  |
-| stl.h:401:87:401:87 | x | stl.h:401:87:401:87 | x |  |
-| stl.h:401:87:401:87 | x | stl.h:401:87:401:87 | x |  |
-| stl.h:401:87:401:87 | x | stl.h:401:87:401:87 | x |  |
-| stl.h:401:87:401:87 | x | stl.h:401:87:401:87 | x |  |
-| stl.h:401:87:401:87 | x | stl.h:401:87:401:87 | x |  |
-| stl.h:401:87:401:87 | x | stl.h:402:58:402:58 | x |  |
-| stl.h:401:87:401:87 | x | stl.h:402:58:402:58 | x |  |
-| stl.h:401:87:401:87 | x | stl.h:402:58:402:58 | x |  |
-| stl.h:401:87:401:87 | x | stl.h:402:58:402:58 | x |  |
-| stl.h:401:87:401:87 | x | stl.h:402:58:402:58 | x |  |
-| stl.h:401:87:401:87 | x | stl.h:402:58:402:58 | x |  |
-| stl.h:401:87:401:87 | x | stl.h:402:58:402:58 | x |  |
-| stl.h:401:95:401:95 | y | stl.h:401:95:401:95 | y |  |
-| stl.h:401:95:401:95 | y | stl.h:401:95:401:95 | y |  |
-| stl.h:401:95:401:95 | y | stl.h:401:95:401:95 | y |  |
-| stl.h:401:95:401:95 | y | stl.h:401:95:401:95 | y |  |
-| stl.h:401:95:401:95 | y | stl.h:401:95:401:95 | y |  |
-| stl.h:401:95:401:95 | y | stl.h:401:95:401:95 | y |  |
-| stl.h:401:95:401:95 | y | stl.h:401:95:401:95 | y |  |
-| stl.h:401:95:401:95 | y | stl.h:402:79:402:79 | y |  |
-| stl.h:401:95:401:95 | y | stl.h:402:79:402:79 | y |  |
-| stl.h:401:95:401:95 | y | stl.h:402:79:402:79 | y |  |
-| stl.h:401:95:401:95 | y | stl.h:402:79:402:79 | y |  |
-| stl.h:401:95:401:95 | y | stl.h:402:79:402:79 | y |  |
-| stl.h:401:95:401:95 | y | stl.h:402:79:402:79 | y |  |
-| stl.h:401:95:401:95 | y | stl.h:402:79:402:79 | y |  |
-| stl.h:402:58:402:58 | x | stl.h:402:41:402:56 | call to forward |  |
-| stl.h:402:58:402:58 | x | stl.h:402:41:402:56 | call to forward |  |
-| stl.h:402:58:402:58 | x | stl.h:402:41:402:56 | call to forward |  |
-| stl.h:402:58:402:58 | x | stl.h:402:41:402:56 | call to forward |  |
-| stl.h:402:58:402:58 | x | stl.h:402:41:402:56 | call to forward |  |
-| stl.h:402:58:402:58 | x | stl.h:402:41:402:56 | call to forward |  |
-| stl.h:402:62:402:77 | call to forward | stl.h:402:3:402:82 | call to pair | TAINT |
-| stl.h:402:62:402:77 | call to forward | stl.h:402:3:402:82 | call to pair | TAINT |
-| stl.h:402:62:402:77 | call to forward | stl.h:402:3:402:82 | call to pair | TAINT |
-| stl.h:402:62:402:77 | call to forward | stl.h:402:3:402:82 | call to pair | TAINT |
-| stl.h:402:62:402:77 | call to forward | stl.h:402:3:402:82 | call to pair | TAINT |
-| stl.h:402:62:402:77 | call to forward | stl.h:402:3:402:82 | call to pair | TAINT |
-| stl.h:402:79:402:79 | y | stl.h:402:3:402:82 | call to pair | TAINT |
-| stl.h:402:79:402:79 | y | stl.h:402:3:402:82 | call to pair | TAINT |
-| stl.h:402:79:402:79 | y | stl.h:402:3:402:82 | call to pair | TAINT |
-| stl.h:402:79:402:79 | y | stl.h:402:3:402:82 | call to pair | TAINT |
-| stl.h:402:79:402:79 | y | stl.h:402:3:402:82 | call to pair | TAINT |
-| stl.h:402:79:402:79 | y | stl.h:402:3:402:82 | call to pair | TAINT |
-| stl.h:402:79:402:79 | y | stl.h:402:62:402:77 | call to forward |  |
-| stl.h:402:79:402:79 | y | stl.h:402:62:402:77 | call to forward |  |
-| stl.h:402:79:402:79 | y | stl.h:402:62:402:77 | call to forward |  |
-| stl.h:402:79:402:79 | y | stl.h:402:62:402:77 | call to forward |  |
-| stl.h:402:79:402:79 | y | stl.h:402:62:402:77 | call to forward |  |
-| stl.h:402:79:402:79 | y | stl.h:402:62:402:77 | call to forward |  |
+| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field first | TAINT |
+| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field first | TAINT |
+| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field first | TAINT |
+| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field first | TAINT |
+| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field first | TAINT |
+| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field second | TAINT |
+| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field second | TAINT |
+| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field second | TAINT |
+| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field second | TAINT |
+| stl.h:389:9:389:9 | Unknown literal | stl.h:389:9:389:9 | constructor init of field second | TAINT |
+| stl.h:389:9:389:9 | constructor init of field first [post-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | constructor init of field first [post-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | constructor init of field first [post-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | constructor init of field first [post-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | constructor init of field first [post-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | constructor init of field first [pre-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | constructor init of field first [pre-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | constructor init of field first [pre-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | constructor init of field first [pre-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | constructor init of field first [pre-this] | stl.h:389:9:389:9 | constructor init of field second [pre-this] |  |
+| stl.h:389:9:389:9 | this | stl.h:389:9:389:9 | constructor init of field first [pre-this] |  |
+| stl.h:389:9:389:9 | this | stl.h:389:9:389:9 | constructor init of field first [pre-this] |  |
+| stl.h:389:9:389:9 | this | stl.h:389:9:389:9 | constructor init of field first [pre-this] |  |
+| stl.h:389:9:389:9 | this | stl.h:389:9:389:9 | constructor init of field first [pre-this] |  |
+| stl.h:389:9:389:9 | this | stl.h:389:9:389:9 | constructor init of field first [pre-this] |  |
+| stl.h:396:3:396:3 | this | stl.h:396:36:396:43 | constructor init of field first [pre-this] |  |
+| stl.h:396:3:396:3 | this | stl.h:396:36:396:43 | constructor init of field first [pre-this] |  |
+| stl.h:396:3:396:3 | this | stl.h:396:36:396:43 | constructor init of field first [pre-this] |  |
+| stl.h:396:3:396:3 | this | stl.h:396:36:396:43 | constructor init of field first [pre-this] |  |
+| stl.h:396:3:396:3 | this | stl.h:396:36:396:43 | constructor init of field first [pre-this] |  |
+| stl.h:396:3:396:6 | this | stl.h:396:36:396:43 | constructor init of field first [pre-this] |  |
+| stl.h:396:18:396:18 | x | stl.h:396:42:396:42 | x |  |
+| stl.h:396:18:396:18 | x | stl.h:396:42:396:42 | x |  |
+| stl.h:396:18:396:18 | x | stl.h:396:42:396:42 | x |  |
+| stl.h:396:18:396:18 | x | stl.h:396:42:396:42 | x |  |
+| stl.h:396:18:396:18 | x | stl.h:396:42:396:42 | x |  |
+| stl.h:396:18:396:18 | x | stl.h:396:42:396:42 | x |  |
+| stl.h:396:31:396:31 | y | stl.h:396:53:396:53 | y |  |
+| stl.h:396:31:396:31 | y | stl.h:396:53:396:53 | y |  |
+| stl.h:396:31:396:31 | y | stl.h:396:53:396:53 | y |  |
+| stl.h:396:31:396:31 | y | stl.h:396:53:396:53 | y |  |
+| stl.h:396:31:396:31 | y | stl.h:396:53:396:53 | y |  |
+| stl.h:396:31:396:31 | y | stl.h:396:53:396:53 | y |  |
+| stl.h:396:36:396:43 | call to unknown function | stl.h:396:36:396:43 | constructor init of field first | TAINT |
+| stl.h:396:36:396:43 | constructor init of field first [post-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] |  |
+| stl.h:396:36:396:43 | constructor init of field first [post-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] |  |
+| stl.h:396:36:396:43 | constructor init of field first [post-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] |  |
+| stl.h:396:36:396:43 | constructor init of field first [post-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] |  |
+| stl.h:396:36:396:43 | constructor init of field first [post-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] |  |
+| stl.h:396:36:396:43 | constructor init of field first [post-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] |  |
+| stl.h:396:36:396:43 | constructor init of field first [pre-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] |  |
+| stl.h:396:36:396:43 | constructor init of field first [pre-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] |  |
+| stl.h:396:36:396:43 | constructor init of field first [pre-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] |  |
+| stl.h:396:36:396:43 | constructor init of field first [pre-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] |  |
+| stl.h:396:36:396:43 | constructor init of field first [pre-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] |  |
+| stl.h:396:36:396:43 | constructor init of field first [pre-this] | stl.h:396:46:396:54 | constructor init of field second [pre-this] |  |
+| stl.h:396:42:396:42 | x | stl.h:396:36:396:43 | constructor init of field first | TAINT |
+| stl.h:396:42:396:42 | x | stl.h:396:36:396:43 | constructor init of field first | TAINT |
+| stl.h:396:42:396:42 | x | stl.h:396:36:396:43 | constructor init of field first | TAINT |
+| stl.h:396:42:396:42 | x | stl.h:396:36:396:43 | constructor init of field first | TAINT |
+| stl.h:396:42:396:42 | x | stl.h:396:36:396:43 | constructor init of field first | TAINT |
+| stl.h:396:46:396:54 | call to unknown function | stl.h:396:46:396:54 | constructor init of field second | TAINT |
+| stl.h:396:53:396:53 | y | stl.h:396:46:396:54 | constructor init of field second | TAINT |
+| stl.h:396:53:396:53 | y | stl.h:396:46:396:54 | constructor init of field second | TAINT |
+| stl.h:396:53:396:53 | y | stl.h:396:46:396:54 | constructor init of field second | TAINT |
+| stl.h:396:53:396:53 | y | stl.h:396:46:396:54 | constructor init of field second | TAINT |
+| stl.h:396:53:396:53 | y | stl.h:396:46:396:54 | constructor init of field second | TAINT |
+| stl.h:402:87:402:87 | x | stl.h:402:87:402:87 | x |  |
+| stl.h:402:87:402:87 | x | stl.h:402:87:402:87 | x |  |
+| stl.h:402:87:402:87 | x | stl.h:402:87:402:87 | x |  |
+| stl.h:402:87:402:87 | x | stl.h:402:87:402:87 | x |  |
+| stl.h:402:87:402:87 | x | stl.h:402:87:402:87 | x |  |
+| stl.h:402:87:402:87 | x | stl.h:402:87:402:87 | x |  |
+| stl.h:402:87:402:87 | x | stl.h:402:87:402:87 | x |  |
+| stl.h:402:87:402:87 | x | stl.h:403:58:403:58 | x |  |
+| stl.h:402:87:402:87 | x | stl.h:403:58:403:58 | x |  |
+| stl.h:402:87:402:87 | x | stl.h:403:58:403:58 | x |  |
+| stl.h:402:87:402:87 | x | stl.h:403:58:403:58 | x |  |
+| stl.h:402:87:402:87 | x | stl.h:403:58:403:58 | x |  |
+| stl.h:402:87:402:87 | x | stl.h:403:58:403:58 | x |  |
+| stl.h:402:87:402:87 | x | stl.h:403:58:403:58 | x |  |
+| stl.h:402:95:402:95 | y | stl.h:402:95:402:95 | y |  |
+| stl.h:402:95:402:95 | y | stl.h:402:95:402:95 | y |  |
+| stl.h:402:95:402:95 | y | stl.h:402:95:402:95 | y |  |
+| stl.h:402:95:402:95 | y | stl.h:402:95:402:95 | y |  |
+| stl.h:402:95:402:95 | y | stl.h:402:95:402:95 | y |  |
+| stl.h:402:95:402:95 | y | stl.h:402:95:402:95 | y |  |
+| stl.h:402:95:402:95 | y | stl.h:402:95:402:95 | y |  |
+| stl.h:402:95:402:95 | y | stl.h:403:79:403:79 | y |  |
+| stl.h:402:95:402:95 | y | stl.h:403:79:403:79 | y |  |
+| stl.h:402:95:402:95 | y | stl.h:403:79:403:79 | y |  |
+| stl.h:402:95:402:95 | y | stl.h:403:79:403:79 | y |  |
+| stl.h:402:95:402:95 | y | stl.h:403:79:403:79 | y |  |
+| stl.h:402:95:402:95 | y | stl.h:403:79:403:79 | y |  |
+| stl.h:402:95:402:95 | y | stl.h:403:79:403:79 | y |  |
+| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward |  |
+| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward |  |
+| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward |  |
+| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward |  |
+| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward |  |
+| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward |  |
+| stl.h:403:62:403:77 | call to forward | stl.h:403:3:403:82 | call to pair | TAINT |
+| stl.h:403:62:403:77 | call to forward | stl.h:403:3:403:82 | call to pair | TAINT |
+| stl.h:403:62:403:77 | call to forward | stl.h:403:3:403:82 | call to pair | TAINT |
+| stl.h:403:62:403:77 | call to forward | stl.h:403:3:403:82 | call to pair | TAINT |
+| stl.h:403:62:403:77 | call to forward | stl.h:403:3:403:82 | call to pair | TAINT |
+| stl.h:403:62:403:77 | call to forward | stl.h:403:3:403:82 | call to pair | TAINT |
+| stl.h:403:79:403:79 | y | stl.h:403:3:403:82 | call to pair | TAINT |
+| stl.h:403:79:403:79 | y | stl.h:403:3:403:82 | call to pair | TAINT |
+| stl.h:403:79:403:79 | y | stl.h:403:3:403:82 | call to pair | TAINT |
+| stl.h:403:79:403:79 | y | stl.h:403:3:403:82 | call to pair | TAINT |
+| stl.h:403:79:403:79 | y | stl.h:403:3:403:82 | call to pair | TAINT |
+| stl.h:403:79:403:79 | y | stl.h:403:3:403:82 | call to pair | TAINT |
+| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward |  |
+| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward |  |
+| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward |  |
+| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward |  |
+| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward |  |
+| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward |  |
 | string.cpp:25:12:25:17 | call to source | string.cpp:29:7:29:7 | a |  |
 | string.cpp:26:16:26:20 | 123 | string.cpp:26:16:26:21 | call to basic_string | TAINT |
 | string.cpp:26:16:26:21 | call to basic_string | string.cpp:30:7:30:7 | b |  |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h b/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
index 1382552bdca..44550c3df76 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/stl.h
@@ -348,7 +348,8 @@ namespace std {
 	class shared_ptr {
 	public:
 		shared_ptr() noexcept;
-		explicit shared_ptr(T*); shared_ptr(const shared_ptr&) noexcept;
+		explicit shared_ptr(T*);
+		shared_ptr(const shared_ptr&) noexcept;
 		template<class U> shared_ptr(const shared_ptr<U>&) noexcept;
 		template<class U> shared_ptr(shared_ptr<U>&&) noexcept;
 

From e852540254a6679d93f4ee35992a998dd1b94c1b Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Tue, 6 Apr 2021 09:56:09 +0200
Subject: [PATCH 0157/1429] C#: Remove `unique` wrappers from
 `DataFlow::Node::get(EnclosingCallable|ControlFlowNode)`

---
 .../semmle/code/csharp/dataflow/internal/DataFlowPublic.qll   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll
index 40853f7316a..dd6e72d54f6 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll
@@ -47,14 +47,14 @@ class Node extends TNode {
   cached
   final DataFlowCallable getEnclosingCallable() {
     Stages::DataFlowStage::forceCachingInSameStage() and
-    result = unique(DataFlowCallable c | c = this.(NodeImpl).getEnclosingCallableImpl() | c)
+    result = this.(NodeImpl).getEnclosingCallableImpl()
   }
 
   /** Gets the control flow node corresponding to this node, if any. */
   cached
   final ControlFlow::Node getControlFlowNode() {
     Stages::DataFlowStage::forceCachingInSameStage() and
-    result = unique(ControlFlow::Node n | n = this.(NodeImpl).getControlFlowNodeImpl() | n)
+    result = this.(NodeImpl).getControlFlowNodeImpl()
   }
 
   /** Gets a textual representation of this node. */

From c194598d37e4bb1bda07d2491f98f2c773c0136a Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 25 Mar 2021 12:59:12 +0100
Subject: [PATCH 0158/1429] recognize headers/url from the HTTP request to a
 server WebSocket.

---
 .../javascript/frameworks/WebSocket.qll       | 62 ++++++++++++++++---
 .../Security/CWE-918/RequestForgery.expected  | 10 +++
 .../test/query-tests/Security/CWE-918/tst.js  | 10 +++
 3 files changed, 74 insertions(+), 8 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/WebSocket.qll b/javascript/ql/src/semmle/javascript/frameworks/WebSocket.qll
index fc3f1135d06..f40011ef105 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/WebSocket.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/WebSocket.qll
@@ -200,20 +200,21 @@ module ServerWebSocket {
     result = DataFlow::moduleImport("sockjs").getAMemberCall("createServer")
   }
 
+  /**
+   * Gets a `socket.on("connection", (msg, req) => {})` call.
+   */
+  private DataFlow::CallNode getAConnectionCall(LibraryName library) {
+    result = getAServer(library).getAMemberCall(EventEmitter::on()) and
+    result.getArgument(0).mayHaveStringValue("connection")
+  }
+
   /**
    * A server WebSocket instance.
    */
   class ServerSocket extends EventEmitter::Range, DataFlow::SourceNode {
     LibraryName library;
 
-    ServerSocket() {
-      exists(DataFlow::CallNode onCall |
-        onCall = getAServer(library).getAMemberCall(EventEmitter::on()) and
-        onCall.getArgument(0).mayHaveStringValue("connection")
-      |
-        this = onCall.getCallback(1).getParameter(0)
-      )
-    }
+    ServerSocket() { this = getAConnectionCall(library).getCallback(1).getParameter(0) }
 
     /**
      * Gets the name of the library that created this server socket.
@@ -221,6 +222,51 @@ module ServerWebSocket {
     LibraryName getLibrary() { result = library }
   }
 
+  /**
+   * A `socket.on("connection", (msg, req) => {})` call seen as a HTTP route handler.
+   * `req` is a `HTTP::IncomingMessage` instance.
+   */
+  class ConnectionCallAsRouteHandler extends HTTP::RouteHandler, DataFlow::CallNode {
+    ConnectionCallAsRouteHandler() { this = getAConnectionCall(_) }
+
+    override HTTP::HeaderDefinition getAResponseHeader(string name) { none() }
+  }
+
+  /**
+   * The `req` parameter of a `socket.on("connection", (msg, req) => {})` call.
+   */
+  class ServerHTTPRequest extends HTTP::Servers::RequestSource {
+    ConnectionCallAsRouteHandler handler;
+
+    ServerHTTPRequest() { this = handler.getCallback(1).getParameter(1) }
+
+    override HTTP::RouteHandler getRouteHandler() { result = handler }
+  }
+
+  /**
+   * An access user-controlled HTTP request input in a request to a WebSocket server.
+   */
+  class WebSocketRequestInput extends HTTP::RequestInputAccess {
+    ServerHTTPRequest request;
+    string kind;
+
+    WebSocketRequestInput() {
+      kind = "url" and
+      this = request.ref().getAPropertyRead("url")
+      or
+      kind = "header" and
+      this = request.ref().getAPropertyRead(["headers", "rawHeaders"]).getAPropertyRead()
+      or
+      // req.headers.cookie
+      kind = "cookie" and
+      this = request.ref().getAPropertyRead("headers").getAPropertyRead("cookie")
+    }
+
+    override string getKind() { result = kind }
+
+    override HTTP::RouteHandler getRouteHandler() { result = request.getRouteHandler() }
+  }
+
   /**
    * A message sent from a WebSocket server.
    */
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
index ebb15e74f04..194dad881ab 100644
--- a/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
@@ -77,6 +77,11 @@ nodes
 | tst.js:98:29:98:35 | req.url |
 | tst.js:100:19:100:25 | tainted |
 | tst.js:100:19:100:25 | tainted |
+| tst.js:108:11:108:27 | url |
+| tst.js:108:17:108:27 | request.url |
+| tst.js:108:17:108:27 | request.url |
+| tst.js:109:27:109:29 | url |
+| tst.js:109:27:109:29 | url |
 edges
 | tst.js:14:9:14:52 | tainted | tst.js:18:13:18:19 | tainted |
 | tst.js:14:9:14:52 | tainted | tst.js:18:13:18:19 | tainted |
@@ -152,6 +157,10 @@ edges
 | tst.js:98:19:98:52 | url.par ... ery.url | tst.js:98:9:98:52 | tainted |
 | tst.js:98:29:98:35 | req.url | tst.js:98:19:98:42 | url.par ... , true) |
 | tst.js:98:29:98:35 | req.url | tst.js:98:19:98:42 | url.par ... , true) |
+| tst.js:108:11:108:27 | url | tst.js:109:27:109:29 | url |
+| tst.js:108:11:108:27 | url | tst.js:109:27:109:29 | url |
+| tst.js:108:17:108:27 | request.url | tst.js:108:11:108:27 | url |
+| tst.js:108:17:108:27 | request.url | tst.js:108:11:108:27 | url |
 #select
 | tst.js:18:5:18:20 | request(tainted) | tst.js:14:29:14:35 | req.url | tst.js:18:13:18:19 | tainted | The $@ of this request depends on $@. | tst.js:18:13:18:19 | tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
 | tst.js:20:5:20:24 | request.get(tainted) | tst.js:14:29:14:35 | req.url | tst.js:20:17:20:23 | tainted | The $@ of this request depends on $@. | tst.js:20:17:20:23 | tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
@@ -173,3 +182,4 @@ edges
 | tst.js:90:5:90:33 | JSDOM.f ... ms.foo) | tst.js:90:19:90:28 | ctx.params | tst.js:90:19:90:32 | ctx.params.foo | The $@ of this request depends on $@. | tst.js:90:19:90:32 | ctx.params.foo | URL | tst.js:90:19:90:28 | ctx.params | a user-provided value |
 | tst.js:92:5:92:33 | JSDOM.f ... ms.foo) | tst.js:92:19:92:28 | ctx.params | tst.js:92:19:92:32 | ctx.params.foo | The $@ of this request depends on $@. | tst.js:92:19:92:32 | ctx.params.foo | URL | tst.js:92:19:92:28 | ctx.params | a user-provided value |
 | tst.js:100:5:100:26 | new Web ... ainted) | tst.js:98:29:98:35 | req.url | tst.js:100:19:100:25 | tainted | The $@ of this request depends on $@. | tst.js:100:19:100:25 | tainted | URL | tst.js:98:29:98:35 | req.url | a user-provided value |
+| tst.js:109:20:109:30 | new ws(url) | tst.js:108:17:108:27 | request.url | tst.js:109:27:109:29 | url | The $@ of this request depends on $@. | tst.js:109:27:109:29 | url | URL | tst.js:108:17:108:27 | request.url | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/tst.js b/javascript/ql/test/query-tests/Security/CWE-918/tst.js
index 3ce7feb531c..afa4e69213b 100644
--- a/javascript/ql/test/query-tests/Security/CWE-918/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-918/tst.js
@@ -99,3 +99,13 @@ var server = http.createServer(async function(req, res) {
 
     new WebSocket(tainted); // NOT OK
 });
+
+
+import * as ws from 'ws';
+
+new ws.Server({ port: 8080 }).on('connection', function(socket, request) {
+  socket.on('message', function(message) {
+    const url = request.url;
+    const socket = new ws(url);
+  });
+});

From 7045597139cc7930e527a33ab7cbec8061f4d2ab Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 6 Apr 2021 10:58:15 +0200
Subject: [PATCH 0159/1429] C++: Add testcase with false positive from #5318.

---
 .../AssignWhereCompareMeant.expected           |  8 ++++++++
 .../AssignWhereCompareMeant/test.cpp           | 18 ++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/AssignWhereCompareMeant.expected b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/AssignWhereCompareMeant.expected
index 6c4dfaea0a7..2c82c1dd70f 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/AssignWhereCompareMeant.expected	
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/AssignWhereCompareMeant.expected	
@@ -19,3 +19,11 @@
 | test.cpp:144:32:144:36 | ... = ... | Use of '=' where '==' may have been intended. |
 | test.cpp:150:32:150:36 | ... = ... | Use of '=' where '==' may have been intended. |
 | test.cpp:153:46:153:50 | ... = ... | Use of '=' where '==' may have been intended. |
+| test.cpp:160:7:160:12 | ... = ... | Use of '=' where '==' may have been intended. |
+| test.cpp:162:7:162:12 | ... = ... | Use of '=' where '==' may have been intended. |
+| test.cpp:163:7:163:12 | ... = ... | Use of '=' where '==' may have been intended. |
+| test.cpp:164:7:164:12 | ... = ... | Use of '=' where '==' may have been intended. |
+| test.cpp:166:22:166:27 | ... = ... | Use of '=' where '==' may have been intended. |
+| test.cpp:168:24:168:29 | ... = ... | Use of '=' where '==' may have been intended. |
+| test.cpp:169:23:169:28 | ... = ... | Use of '=' where '==' may have been intended. |
+| test.cpp:171:7:171:12 | ... = ... | Use of '=' where '==' may have been intended. |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/test.cpp
index 63cac141cc6..b2aea02b2d8 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/test.cpp	
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/test.cpp	
@@ -153,3 +153,21 @@ void f3(int x, int y) {
   if((x == 10) || ((z == z) && (x == 1)) && (y = 2)) { // BAD
   }
 }
+
+bool use(int);
+
+void f4(int x, bool b) {
+  if((x = 10) && use(x)) {} // GOOD [FALSE POSITIVE]: This is likely just a short-hand way of writing an assignment
+                            // followed by a boolean check.
+  if((x = 10) && b && use(x)) {} // GOOD [FALSE POSITIVE]: Same reason as above
+  if((x = 10) && use(x) && b) {} // GOOD [FALSE POSITIVE]: Same reason as above
+  if((x = 10) && (use(x) && b)) {} // GOOD [FALSE POSITIVE]: Same reason as above
+
+  if(use(x) && b && (x = 10)) {} // BAD: The assignment is the last thing that happens in the comparison.
+                                 // This doesn't match the usual pattern.
+  if((use(x) && b) && (x = 10)) {} // BAD: Same reason as above
+  if(use(x) && (b && (x = 10))) {} // BAD: Same reason as above
+
+  if((x = 10) || use(x)) {} // BAD: This doesn't follow the usual style of writing an assignment in
+                            // a boolean check.
+}

From a5f4d43d61ce7cc1fd1771ba4d5597f281f9dec4 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 6 Apr 2021 11:01:38 +0200
Subject: [PATCH 0160/1429] C++: Fix false positive by adding another
 allow-list pattern in AssignWhereCompareMeant.

---
 .../Likely Typos/AssignWhereCompareMeant.ql     | 17 ++++++++++++++++-
 .../AssignWhereCompareMeant.expected            |  4 ----
 .../AssignWhereCompareMeant/test.cpp            |  8 ++++----
 3 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/cpp/ql/src/Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql b/cpp/ql/src/Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql
index ca116a8609c..e60b763bc53 100644
--- a/cpp/ql/src/Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql	
+++ b/cpp/ql/src/Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql	
@@ -54,7 +54,7 @@ class BooleanControllingAssignmentInExpr extends BooleanControllingAssignment {
   override predicate isWhitelisted() {
     this.getConversion().(ParenthesisExpr).isParenthesised()
     or
-    // whitelist this assignment if all comparison operations in the expression that this
+    // Allow this assignment if all comparison operations in the expression that this
     // assignment is part of, are not parenthesized. In that case it seems like programmer
     // is fine with unparenthesized comparison operands to binary logical operators, and
     // the parenthesis around this assignment was used to call it out as an assignment.
@@ -62,6 +62,21 @@ class BooleanControllingAssignmentInExpr extends BooleanControllingAssignment {
     forex(ComparisonOperation op | op = getComparisonOperand*(this.getParent+()) |
       not op.isParenthesised()
     )
+    or
+    // Match a pattern like:
+    // ```
+    // if((a = b) && use_value(a)) { ... }
+    // ```
+    // where the assignment is meant to update the value of `a` before it's used in some other boolean
+    // subexpression that is guarenteed to be evaluate _after_ the assignment.
+    this.isParenthesised() and
+    exists(LogicalAndExpr parent, Variable var, VariableAccess access |
+      var = this.getLValue().(VariableAccess).getTarget() and
+      access = var.getAnAccess() and
+      not access.isUsedAsLValue() and
+      parent.getRightOperand() = access.getParent*() and
+      parent.getLeftOperand() = this.getParent*()
+    )
   }
 }
 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/AssignWhereCompareMeant.expected b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/AssignWhereCompareMeant.expected
index 2c82c1dd70f..a5a1a6ca0bd 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/AssignWhereCompareMeant.expected	
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/AssignWhereCompareMeant.expected	
@@ -19,10 +19,6 @@
 | test.cpp:144:32:144:36 | ... = ... | Use of '=' where '==' may have been intended. |
 | test.cpp:150:32:150:36 | ... = ... | Use of '=' where '==' may have been intended. |
 | test.cpp:153:46:153:50 | ... = ... | Use of '=' where '==' may have been intended. |
-| test.cpp:160:7:160:12 | ... = ... | Use of '=' where '==' may have been intended. |
-| test.cpp:162:7:162:12 | ... = ... | Use of '=' where '==' may have been intended. |
-| test.cpp:163:7:163:12 | ... = ... | Use of '=' where '==' may have been intended. |
-| test.cpp:164:7:164:12 | ... = ... | Use of '=' where '==' may have been intended. |
 | test.cpp:166:22:166:27 | ... = ... | Use of '=' where '==' may have been intended. |
 | test.cpp:168:24:168:29 | ... = ... | Use of '=' where '==' may have been intended. |
 | test.cpp:169:23:169:28 | ... = ... | Use of '=' where '==' may have been intended. |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/test.cpp
index b2aea02b2d8..3cd18125467 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/test.cpp	
+++ b/cpp/ql/test/query-tests/Likely Bugs/Likely Typos/AssignWhereCompareMeant/test.cpp	
@@ -157,11 +157,11 @@ void f3(int x, int y) {
 bool use(int);
 
 void f4(int x, bool b) {
-  if((x = 10) && use(x)) {} // GOOD [FALSE POSITIVE]: This is likely just a short-hand way of writing an assignment
+  if((x = 10) && use(x)) {} // GOOD: This is likely just a short-hand way of writing an assignment
                             // followed by a boolean check.
-  if((x = 10) && b && use(x)) {} // GOOD [FALSE POSITIVE]: Same reason as above
-  if((x = 10) && use(x) && b) {} // GOOD [FALSE POSITIVE]: Same reason as above
-  if((x = 10) && (use(x) && b)) {} // GOOD [FALSE POSITIVE]: Same reason as above
+  if((x = 10) && b && use(x)) {} // GOOD: Same reason as above
+  if((x = 10) && use(x) && b) {} // GOOD: Same reason as above
+  if((x = 10) && (use(x) && b)) {} // GOOD: Same reason as above
 
   if(use(x) && b && (x = 10)) {} // BAD: The assignment is the last thing that happens in the comparison.
                                  // This doesn't match the usual pattern.

From 5eb1f8abbdb3dd16cfa0af204371482cfcf23504 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 6 Apr 2021 11:47:57 +0200
Subject: [PATCH 0161/1429] C++: Add change-note.

---
 cpp/change-notes/2021-04-06-assign-where-compare-meant.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 cpp/change-notes/2021-04-06-assign-where-compare-meant.md

diff --git a/cpp/change-notes/2021-04-06-assign-where-compare-meant.md b/cpp/change-notes/2021-04-06-assign-where-compare-meant.md
new file mode 100644
index 00000000000..e540593b15a
--- /dev/null
+++ b/cpp/change-notes/2021-04-06-assign-where-compare-meant.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The 'Assignment where comparison was intended' (cpp/assign-where-compare-meant) query has been improved to flag fewer benign assignments in conditionals.

From b11703cc74a70937ab78da40755859ad5075cc9c Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 6 Apr 2021 11:49:55 +0200
Subject: [PATCH 0162/1429] Python: all_dybamic2 => all_indirect

---
 .../modules/__all__/{all_dynamic2.py => all_indirect.py}  | 0
 python/ql/test/library-tests/modules/__all__/main.py      | 8 ++++----
 2 files changed, 4 insertions(+), 4 deletions(-)
 rename python/ql/test/library-tests/modules/__all__/{all_dynamic2.py => all_indirect.py} (100%)

diff --git a/python/ql/test/library-tests/modules/__all__/all_dynamic2.py b/python/ql/test/library-tests/modules/__all__/all_indirect.py
similarity index 100%
rename from python/ql/test/library-tests/modules/__all__/all_dynamic2.py
rename to python/ql/test/library-tests/modules/__all__/all_indirect.py
diff --git a/python/ql/test/library-tests/modules/__all__/main.py b/python/ql/test/library-tests/modules/__all__/main.py
index a36afae0ed4..a1b553fe087 100644
--- a/python/ql/test/library-tests/modules/__all__/main.py
+++ b/python/ql/test/library-tests/modules/__all__/main.py
@@ -49,8 +49,8 @@ except NameError:
     print("  baz not imported")
 del foo, bar
 
-from all_dynamic2 import *
-print("all_dynamic2.py")
+from all_indirect import *
+print("all_indirect.py")
 print("  foo={!r}".format(foo))
 print("  bar={!r}".format(bar))
 try:
@@ -74,10 +74,10 @@ import no_all
 import all_list
 import all_tuple
 import all_dynamic
-import all_dynamic2
+import all_indirect
 import all_set
 
-for mod in [no_all, all_list, all_tuple, all_dynamic, all_dynamic2, all_set]:
+for mod in [no_all, all_list, all_tuple, all_dynamic, all_indirect, all_set]:
     print("{}.py".format(mod.__name__))
     print("  foo={!r}".format(mod.foo))
     print("  bar={!r}".format(mod.bar))

From 224d3790b5547c654b05aba4d85785b4d3ad8f1c Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 6 Apr 2021 11:50:04 +0200
Subject: [PATCH 0163/1429] Python: Highlight all_indirect.py is not super
 important

At least not in my mind
---
 python/ql/test/library-tests/modules/__all__/all_indirect.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/python/ql/test/library-tests/modules/__all__/all_indirect.py b/python/ql/test/library-tests/modules/__all__/all_indirect.py
index 88c0ddaeacc..ddc4ec94a16 100644
--- a/python/ql/test/library-tests/modules/__all__/all_indirect.py
+++ b/python/ql/test/library-tests/modules/__all__/all_indirect.py
@@ -1,3 +1,5 @@
+# I (@RasmusWL) have not seen anyone use this pattern in real code,
+# so this example is only included for completeness.
 foo = "foo"
 bar = "bar"
 baz = "baz"

From bc49bc709584bc1db39620040a9b57ed311d4f6c Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 6 Apr 2021 11:54:25 +0200
Subject: [PATCH 0164/1429] Python: Add variable with underscore to __all__
 tests

---
 python/ql/test/library-tests/modules/__all__/main.py   | 6 ++++++
 python/ql/test/library-tests/modules/__all__/no_all.py | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/python/ql/test/library-tests/modules/__all__/main.py b/python/ql/test/library-tests/modules/__all__/main.py
index a1b553fe087..85a642ebc21 100644
--- a/python/ql/test/library-tests/modules/__all__/main.py
+++ b/python/ql/test/library-tests/modules/__all__/main.py
@@ -17,6 +17,10 @@ print("no_all.py")
 print("  foo={!r}".format(foo))
 print("  bar={!r}".format(bar))
 print("  baz={!r}".format(baz))
+try:
+    print("  _qux={!r}".format(_qux))
+except NameError:
+    print("  _qux not imported")
 del foo, bar, baz
 
 from all_list import *
@@ -82,3 +86,5 @@ for mod in [no_all, all_list, all_tuple, all_dynamic, all_indirect, all_set]:
     print("  foo={!r}".format(mod.foo))
     print("  bar={!r}".format(mod.bar))
     print("  baz={!r}".format(mod.baz))
+
+print("\nspecial: no_all._qux={!r}".format(no_all._qux))
diff --git a/python/ql/test/library-tests/modules/__all__/no_all.py b/python/ql/test/library-tests/modules/__all__/no_all.py
index ca059c60687..d295c9c8af4 100644
--- a/python/ql/test/library-tests/modules/__all__/no_all.py
+++ b/python/ql/test/library-tests/modules/__all__/no_all.py
@@ -1,3 +1,5 @@
 foo = "foo"
 bar = "bar"
 baz = "baz"
+# When `__all__` is not defined, names starting with underscore is not imported with `from <module> import *`
+_qux = "qux"

From 98001c494f26b76faf325a83bb319a5d25f549c3 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 6 Apr 2021 13:30:31 +0200
Subject: [PATCH 0165/1429] C#: Add Dapper stub and new SqlInjection test cases

---
 .../Security Features/CWE-089/SqlInjection.cs |  2 +-
 .../CWE-089/SqlInjectionDapper.cs             | 84 +++++++++++++++++++
 csharp/ql/test/resources/stubs/Dapper.cs      | 34 ++++++++
 3 files changed, 119 insertions(+), 1 deletion(-)
 create mode 100644 csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionDapper.cs
 create mode 100644 csharp/ql/test/resources/stubs/Dapper.cs

diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.cs
index 09a01281f79..f3593096e1e 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.cs	
+++ b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.cs	
@@ -1,4 +1,4 @@
-// semmle-extractor-options: /r:System.ComponentModel.Primitives.dll /r:System.ComponentModel.TypeConverter.dll /r:System.Data.Common.dll ${testdir}/../../../resources/stubs/EntityFramework.cs ${testdir}/../../../resources/stubs/System.Data.cs ${testdir}/../../../resources/stubs/System.Windows.cs
+// semmle-extractor-options: /r:System.ComponentModel.Primitives.dll /r:System.ComponentModel.TypeConverter.dll /r:System.Data.Common.dll ${testdir}/../../../resources/stubs/EntityFramework.cs ${testdir}/../../../resources/stubs/System.Data.cs ${testdir}/../../../resources/stubs/System.Windows.cs ${testdir}/../../../resources/stubs/Dapper.cs /r:System.Linq.Expressions.dll
 
 using System;
 
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionDapper.cs b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionDapper.cs
new file mode 100644
index 00000000000..e2413663c4b
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionDapper.cs	
@@ -0,0 +1,84 @@
+using System;
+
+namespace Test
+{
+    using System.Data;
+    using System.Data.Entity;
+    using System.Data.SqlClient;
+    using System.Web.UI.WebControls;
+    using System.Threading.Tasks;
+    using Dapper;
+
+    class SqlInjectionDapper
+    {
+        string connectionString;
+
+        public void Bad01()
+        {
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
+                var result = connection.Query<object>(query);
+            }
+        }
+
+        public async Task Bad02()
+        {
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
+                var result = await connection.QueryAsync<object>(query);
+            }
+        }
+
+        public async Task Bad03()
+        {
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
+                var result = await connection.QueryFirstAsync(query);
+            }
+        }
+
+        public async Task Bad04()
+        {
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
+
+                await connection.ExecuteAsync(query);
+            }
+        }
+
+        public void Bad05()
+        {
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
+                connection.ExecuteScalar(query);
+            }
+        }
+
+        public void Bad06()
+        {
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
+                connection.ExecuteReader(query);
+            }
+        }
+
+        public async Task Bad07()
+        {
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
+
+                var comDef = new CommandDefinition(query);
+                var result = await connection.QueryFirstAsync(comDef);
+            }
+        }
+
+        System.Windows.Forms.TextBox box1;
+    }
+}
diff --git a/csharp/ql/test/resources/stubs/Dapper.cs b/csharp/ql/test/resources/stubs/Dapper.cs
new file mode 100644
index 00000000000..d96f1cd4ee6
--- /dev/null
+++ b/csharp/ql/test/resources/stubs/Dapper.cs
@@ -0,0 +1,34 @@
+// This file contains auto-generated code.
+// original-extractor-options: /r:Dapper.dll /r:System.Data.SqlClient.dll ...
+
+namespace Dapper
+{
+    // Generated from `Dapper.CommandDefinition` in `Dapper, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null`
+    public struct CommandDefinition
+    {
+        public CommandDefinition(string commandText, object parameters = null, System.Data.IDbTransaction transaction = null, int? commandTimeout = null, System.Data.CommandType? commandType = null, Dapper.CommandFlags flags = CommandFlags.Buffered, System.Threading.CancellationToken cancellationToken = default) => throw null;
+    }
+
+    // Generated from `Dapper.CommandFlags` in `Dapper, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null`
+    [System.Flags]
+    public enum CommandFlags
+    {
+        None = 0x0,
+        Buffered = 0x1,
+        Pipelined = 0x2,
+        NoCache = 0x4
+    }
+
+    // Generated from `Dapper.SqlMapper` in `Dapper, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null`
+    static public class SqlMapper
+    {
+        public static System.Collections.Generic.IEnumerable<T> Query<T>(this System.Data.IDbConnection cnn, string sql, object param = null, System.Data.IDbTransaction transaction = null, bool buffered = true, int? commandTimeout = null, System.Data.CommandType? commandType = null) => throw null;
+        public static System.Data.IDataReader ExecuteReader(this System.Data.IDbConnection cnn, string sql, object param = null, System.Data.IDbTransaction transaction = null, int? commandTimeout = null, System.Data.CommandType? commandType = null) => throw null;
+        public static System.Threading.Tasks.Task<System.Collections.Generic.IEnumerable<T>> QueryAsync<T>(this System.Data.IDbConnection cnn, string sql, object param = null, System.Data.IDbTransaction transaction = null, int? commandTimeout = null, System.Data.CommandType? commandType = null) => throw null;
+        public static System.Threading.Tasks.Task<dynamic> QueryFirstAsync(this System.Data.IDbConnection cnn, Dapper.CommandDefinition command) => throw null;
+        public static System.Threading.Tasks.Task<dynamic> QueryFirstAsync(this System.Data.IDbConnection cnn, string sql, object param = null, System.Data.IDbTransaction transaction = null, int? commandTimeout = null, System.Data.CommandType? commandType = null) => throw null;
+        public static System.Threading.Tasks.Task<int> ExecuteAsync(this System.Data.IDbConnection cnn, string sql, object param = null, System.Data.IDbTransaction transaction = null, int? commandTimeout = null, System.Data.CommandType? commandType = null) => throw null;
+        public static object ExecuteScalar(this System.Data.IDbConnection cnn, string sql, object param = null, System.Data.IDbTransaction transaction = null, int? commandTimeout = null, System.Data.CommandType? commandType = null) => throw null;
+    }
+}
+

From f07d84436225734ee7391fc5e49819c568063391 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 6 Apr 2021 13:59:27 +0200
Subject: [PATCH 0166/1429] C++: Add a test containing missing read/store
 dataflow steps for smart pointers.

---
 .../dataflow/taint-tests/localTaint.expected  | 20 +++++++++++++++++++
 .../dataflow/taint-tests/smart_pointer.cpp    | 19 +++++++++++++++++-
 2 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index 4444ea13267..c660a0fe97a 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -3269,6 +3269,26 @@
 | smart_pointer.cpp:65:48:65:53 | call to source | smart_pointer.cpp:65:28:65:46 | call to make_unique | TAINT |
 | smart_pointer.cpp:65:58:65:58 | 0 | smart_pointer.cpp:65:28:65:46 | call to make_unique | TAINT |
 | smart_pointer.cpp:66:10:66:10 | ref arg p | smart_pointer.cpp:67:10:67:10 | p |  |
+| smart_pointer.cpp:76:45:76:45 | p | smart_pointer.cpp:77:5:77:5 | p |  |
+| smart_pointer.cpp:76:45:76:45 | p | smart_pointer.cpp:78:10:78:10 | p |  |
+| smart_pointer.cpp:76:45:76:45 | p | smart_pointer.cpp:79:10:79:10 | p |  |
+| smart_pointer.cpp:76:67:76:67 | q | smart_pointer.cpp:81:5:81:5 | q |  |
+| smart_pointer.cpp:76:67:76:67 | q | smart_pointer.cpp:82:10:82:10 | q |  |
+| smart_pointer.cpp:76:67:76:67 | q | smart_pointer.cpp:83:10:83:10 | q |  |
+| smart_pointer.cpp:76:67:76:67 | q | smart_pointer.cpp:84:10:84:10 | q |  |
+| smart_pointer.cpp:77:5:77:5 | ref arg p | smart_pointer.cpp:78:10:78:10 | p |  |
+| smart_pointer.cpp:77:5:77:5 | ref arg p | smart_pointer.cpp:79:10:79:10 | p |  |
+| smart_pointer.cpp:77:5:77:19 | ... = ... | smart_pointer.cpp:77:8:77:8 | x [post update] |  |
+| smart_pointer.cpp:77:12:77:17 | call to source | smart_pointer.cpp:77:5:77:19 | ... = ... |  |
+| smart_pointer.cpp:78:10:78:10 | ref arg p | smart_pointer.cpp:79:10:79:10 | p |  |
+| smart_pointer.cpp:81:5:81:5 | ref arg q | smart_pointer.cpp:82:10:82:10 | q |  |
+| smart_pointer.cpp:81:5:81:5 | ref arg q | smart_pointer.cpp:83:10:83:10 | q |  |
+| smart_pointer.cpp:81:5:81:5 | ref arg q | smart_pointer.cpp:84:10:84:10 | q |  |
+| smart_pointer.cpp:81:5:81:22 | ... = ... | smart_pointer.cpp:81:11:81:11 | x [post update] |  |
+| smart_pointer.cpp:81:15:81:20 | call to source | smart_pointer.cpp:81:5:81:22 | ... = ... |  |
+| smart_pointer.cpp:82:10:82:10 | ref arg q | smart_pointer.cpp:83:10:83:10 | q |  |
+| smart_pointer.cpp:82:10:82:10 | ref arg q | smart_pointer.cpp:84:10:84:10 | q |  |
+| smart_pointer.cpp:83:10:83:10 | ref arg q | smart_pointer.cpp:84:10:84:10 | q |  |
 | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:39:45:39:51 | source1 |  |
 | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:40:11:40:17 | source1 |  |
 | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:41:12:41:18 | source1 |  |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
index f45260228e8..1247a58b008 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
@@ -65,4 +65,21 @@ void test_shared_field_member() {
     std::unique_ptr<A> p = std::make_unique<A>(source(), 0);
     sink(p->x); // $ MISSING: ast,ir
     sink(p->y); // not tainted
-}
\ No newline at end of file
+}
+
+struct B {
+  A a1;
+  A a2;
+  int z;
+};
+
+void test_operator_arrow(std::unique_ptr<A> p, std::unique_ptr<B> q) {
+  p->x = source();
+  sink(p->x); // $ MISSING: ast,ir
+  sink(p->y);
+
+  q->a1.x = source();
+  sink(q->a1.x); // $ MISSING: ast,ir
+  sink(q->a1.y);
+  sink(q->a2.x);
+}

From 8382e85901aa33dabb76a66f3d784146eb8a2310 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 6 Apr 2021 14:05:55 +0200
Subject: [PATCH 0167/1429] C++: Add flow into the source of read step and out
 of the target of a store step for smart pointers in AST dataflow.

---
 .../cpp/dataflow/internal/DataFlowUtil.qll    | 19 +++++
 .../dataflow/taint-tests/localTaint.expected  | 79 ++++++++++++-------
 .../dataflow/taint-tests/smart_pointer.cpp    | 12 +--
 3 files changed, 74 insertions(+), 36 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
index 0a6d459ec79..923075cbe2e 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -7,6 +7,7 @@ private import semmle.code.cpp.dataflow.internal.FlowVar
 private import semmle.code.cpp.models.interfaces.DataFlow
 private import semmle.code.cpp.controlflow.Guards
 private import semmle.code.cpp.dataflow.internal.AddressFlow
+private import semmle.code.cpp.models.interfaces.PointerWrapper
 
 cached
 private newtype TNode =
@@ -520,6 +521,22 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) {
   FieldFlow::fieldFlow(nodeFrom, nodeTo)
 }
 
+private predicate pointerWrapperFlow(Node nodeFrom, Node nodeTo) {
+  // post-update-smart-pointer-`operator->` -> `post-update`-qualifier
+  exists(PointerWrapper wrapper, Call call |
+    call = wrapper.getAnUnwrapperFunction().getACallToThisFunction() and
+    nodeFrom.(PostUpdateNode).getPreUpdateNode().asExpr() = call and
+    nodeTo.asDefiningArgument() = call.getQualifier()
+  )
+  or
+  // smart-pointer-qualifier -> smart-pointer-`operator->`
+  exists(PointerWrapper wrapper, Call call |
+    call = wrapper.getAnUnwrapperFunction().getACallToThisFunction() and
+    nodeFrom.asExpr() = call.getQualifier() and
+    nodeTo.asExpr() = call
+  )
+}
+
 /**
  * INTERNAL: do not use.
  *
@@ -585,6 +602,8 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
     nodeFrom.(PostUpdateNode).getPreUpdateNode().asExpr() = call and
     nodeTo.asDefiningArgument() = call.getQualifier()
   )
+  or
+  pointerWrapperFlow(nodeFrom, nodeTo)
 }
 
 /**
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index c660a0fe97a..bf9618014b0 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -3223,72 +3223,91 @@
 | smart_pointer.cpp:11:30:11:50 | call to make_shared | smart_pointer.cpp:12:11:12:11 | p |  |
 | smart_pointer.cpp:11:30:11:50 | call to make_shared | smart_pointer.cpp:13:10:13:10 | p |  |
 | smart_pointer.cpp:11:52:11:57 | call to source | smart_pointer.cpp:11:30:11:50 | call to make_shared | TAINT |
-| smart_pointer.cpp:12:11:12:11 | p | smart_pointer.cpp:12:10:12:10 | call to operator* | TAINT |
+| smart_pointer.cpp:12:11:12:11 | p | smart_pointer.cpp:12:10:12:10 | call to operator* |  |
 | smart_pointer.cpp:12:11:12:11 | ref arg p | smart_pointer.cpp:13:10:13:10 | p |  |
 | smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:18:11:18:11 | p |  |
 | smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:19:10:19:10 | p |  |
-| smart_pointer.cpp:18:11:18:11 | p | smart_pointer.cpp:18:10:18:10 | call to operator* | TAINT |
+| smart_pointer.cpp:18:10:18:10 | ref arg call to operator* | smart_pointer.cpp:18:11:18:11 | ref arg p |  |
+| smart_pointer.cpp:18:11:18:11 | p | smart_pointer.cpp:18:10:18:10 | call to operator* |  |
 | smart_pointer.cpp:18:11:18:11 | ref arg p | smart_pointer.cpp:19:10:19:10 | p |  |
 | smart_pointer.cpp:23:30:23:50 | call to make_unique | smart_pointer.cpp:24:11:24:11 | p |  |
 | smart_pointer.cpp:23:30:23:50 | call to make_unique | smart_pointer.cpp:25:10:25:10 | p |  |
 | smart_pointer.cpp:23:52:23:57 | call to source | smart_pointer.cpp:23:30:23:50 | call to make_unique | TAINT |
-| smart_pointer.cpp:24:11:24:11 | p | smart_pointer.cpp:24:10:24:10 | call to operator* | TAINT |
+| smart_pointer.cpp:24:11:24:11 | p | smart_pointer.cpp:24:10:24:10 | call to operator* |  |
 | smart_pointer.cpp:24:11:24:11 | ref arg p | smart_pointer.cpp:25:10:25:10 | p |  |
 | smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:30:11:30:11 | p |  |
 | smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:31:10:31:10 | p |  |
-| smart_pointer.cpp:30:11:30:11 | p | smart_pointer.cpp:30:10:30:10 | call to operator* | TAINT |
+| smart_pointer.cpp:30:10:30:10 | ref arg call to operator* | smart_pointer.cpp:30:11:30:11 | ref arg p |  |
+| smart_pointer.cpp:30:11:30:11 | p | smart_pointer.cpp:30:10:30:10 | call to operator* |  |
 | smart_pointer.cpp:30:11:30:11 | ref arg p | smart_pointer.cpp:31:10:31:10 | p |  |
 | smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:37:6:37:6 | p |  |
 | smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:38:10:38:10 | p |  |
 | smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:39:11:39:11 | p |  |
+| smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:37:6:37:6 | ref arg p |  |
 | smart_pointer.cpp:37:5:37:17 | ... = ... | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] |  |
-| smart_pointer.cpp:37:6:37:6 | p | smart_pointer.cpp:37:5:37:5 | call to operator* | TAINT |
+| smart_pointer.cpp:37:6:37:6 | p | smart_pointer.cpp:37:5:37:5 | call to operator* |  |
 | smart_pointer.cpp:37:6:37:6 | ref arg p | smart_pointer.cpp:38:10:38:10 | p |  |
 | smart_pointer.cpp:37:6:37:6 | ref arg p | smart_pointer.cpp:39:11:39:11 | p |  |
 | smart_pointer.cpp:37:10:37:15 | call to source | smart_pointer.cpp:37:5:37:17 | ... = ... |  |
 | smart_pointer.cpp:38:10:38:10 | ref arg p | smart_pointer.cpp:39:11:39:11 | p |  |
-| smart_pointer.cpp:39:11:39:11 | p | smart_pointer.cpp:39:10:39:10 | call to operator* | TAINT |
+| smart_pointer.cpp:39:11:39:11 | p | smart_pointer.cpp:39:10:39:10 | call to operator* |  |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:45:6:45:6 | p |  |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:46:10:46:10 | p |  |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:47:11:47:11 | p |  |
+| smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:45:6:45:6 | ref arg p |  |
 | smart_pointer.cpp:45:5:45:17 | ... = ... | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] |  |
-| smart_pointer.cpp:45:6:45:6 | p | smart_pointer.cpp:45:5:45:5 | call to operator* | TAINT |
+| smart_pointer.cpp:45:6:45:6 | p | smart_pointer.cpp:45:5:45:5 | call to operator* |  |
 | smart_pointer.cpp:45:6:45:6 | ref arg p | smart_pointer.cpp:46:10:46:10 | p |  |
 | smart_pointer.cpp:45:6:45:6 | ref arg p | smart_pointer.cpp:47:11:47:11 | p |  |
 | smart_pointer.cpp:45:10:45:15 | call to source | smart_pointer.cpp:45:5:45:17 | ... = ... |  |
 | smart_pointer.cpp:46:10:46:10 | ref arg p | smart_pointer.cpp:47:11:47:11 | p |  |
-| smart_pointer.cpp:47:11:47:11 | p | smart_pointer.cpp:47:10:47:10 | call to operator* | TAINT |
+| smart_pointer.cpp:47:11:47:11 | p | smart_pointer.cpp:47:10:47:10 | call to operator* |  |
 | smart_pointer.cpp:51:30:51:50 | call to make_shared | smart_pointer.cpp:52:10:52:10 | p |  |
 | smart_pointer.cpp:51:52:51:57 | call to source | smart_pointer.cpp:51:30:51:50 | call to make_shared | TAINT |
-| smart_pointer.cpp:52:10:52:10 | p | smart_pointer.cpp:52:12:52:14 | call to get | TAINT |
+| smart_pointer.cpp:52:10:52:10 | p | smart_pointer.cpp:52:12:52:14 | call to get |  |
+| smart_pointer.cpp:52:12:52:14 | ref arg call to get | smart_pointer.cpp:52:10:52:10 | ref arg p |  |
 | smart_pointer.cpp:56:30:56:50 | call to make_unique | smart_pointer.cpp:57:10:57:10 | p |  |
 | smart_pointer.cpp:56:52:56:57 | call to source | smart_pointer.cpp:56:30:56:50 | call to make_unique | TAINT |
-| smart_pointer.cpp:57:10:57:10 | p | smart_pointer.cpp:57:12:57:14 | call to get | TAINT |
+| smart_pointer.cpp:57:10:57:10 | p | smart_pointer.cpp:57:12:57:14 | call to get |  |
+| smart_pointer.cpp:57:12:57:14 | ref arg call to get | smart_pointer.cpp:57:10:57:10 | ref arg p |  |
 | smart_pointer.cpp:65:28:65:46 | call to make_unique | smart_pointer.cpp:66:10:66:10 | p |  |
 | smart_pointer.cpp:65:28:65:46 | call to make_unique | smart_pointer.cpp:67:10:67:10 | p |  |
 | smart_pointer.cpp:65:48:65:53 | call to source | smart_pointer.cpp:65:28:65:46 | call to make_unique | TAINT |
 | smart_pointer.cpp:65:58:65:58 | 0 | smart_pointer.cpp:65:28:65:46 | call to make_unique | TAINT |
+| smart_pointer.cpp:66:10:66:10 | p | smart_pointer.cpp:66:11:66:11 | call to operator-> |  |
 | smart_pointer.cpp:66:10:66:10 | ref arg p | smart_pointer.cpp:67:10:67:10 | p |  |
-| smart_pointer.cpp:76:45:76:45 | p | smart_pointer.cpp:77:5:77:5 | p |  |
-| smart_pointer.cpp:76:45:76:45 | p | smart_pointer.cpp:78:10:78:10 | p |  |
-| smart_pointer.cpp:76:45:76:45 | p | smart_pointer.cpp:79:10:79:10 | p |  |
-| smart_pointer.cpp:76:67:76:67 | q | smart_pointer.cpp:81:5:81:5 | q |  |
-| smart_pointer.cpp:76:67:76:67 | q | smart_pointer.cpp:82:10:82:10 | q |  |
-| smart_pointer.cpp:76:67:76:67 | q | smart_pointer.cpp:83:10:83:10 | q |  |
-| smart_pointer.cpp:76:67:76:67 | q | smart_pointer.cpp:84:10:84:10 | q |  |
-| smart_pointer.cpp:77:5:77:5 | ref arg p | smart_pointer.cpp:78:10:78:10 | p |  |
-| smart_pointer.cpp:77:5:77:5 | ref arg p | smart_pointer.cpp:79:10:79:10 | p |  |
-| smart_pointer.cpp:77:5:77:19 | ... = ... | smart_pointer.cpp:77:8:77:8 | x [post update] |  |
-| smart_pointer.cpp:77:12:77:17 | call to source | smart_pointer.cpp:77:5:77:19 | ... = ... |  |
-| smart_pointer.cpp:78:10:78:10 | ref arg p | smart_pointer.cpp:79:10:79:10 | p |  |
-| smart_pointer.cpp:81:5:81:5 | ref arg q | smart_pointer.cpp:82:10:82:10 | q |  |
-| smart_pointer.cpp:81:5:81:5 | ref arg q | smart_pointer.cpp:83:10:83:10 | q |  |
-| smart_pointer.cpp:81:5:81:5 | ref arg q | smart_pointer.cpp:84:10:84:10 | q |  |
-| smart_pointer.cpp:81:5:81:22 | ... = ... | smart_pointer.cpp:81:11:81:11 | x [post update] |  |
-| smart_pointer.cpp:81:15:81:20 | call to source | smart_pointer.cpp:81:5:81:22 | ... = ... |  |
-| smart_pointer.cpp:82:10:82:10 | ref arg q | smart_pointer.cpp:83:10:83:10 | q |  |
-| smart_pointer.cpp:82:10:82:10 | ref arg q | smart_pointer.cpp:84:10:84:10 | q |  |
-| smart_pointer.cpp:83:10:83:10 | ref arg q | smart_pointer.cpp:84:10:84:10 | q |  |
+| smart_pointer.cpp:67:10:67:10 | p | smart_pointer.cpp:67:11:67:11 | call to operator-> |  |
+| smart_pointer.cpp:76:45:76:45 | p | smart_pointer.cpp:77:3:77:3 | p |  |
+| smart_pointer.cpp:76:45:76:45 | p | smart_pointer.cpp:78:8:78:8 | p |  |
+| smart_pointer.cpp:76:45:76:45 | p | smart_pointer.cpp:79:8:79:8 | p |  |
+| smart_pointer.cpp:76:67:76:67 | q | smart_pointer.cpp:81:3:81:3 | q |  |
+| smart_pointer.cpp:76:67:76:67 | q | smart_pointer.cpp:82:8:82:8 | q |  |
+| smart_pointer.cpp:76:67:76:67 | q | smart_pointer.cpp:83:8:83:8 | q |  |
+| smart_pointer.cpp:76:67:76:67 | q | smart_pointer.cpp:84:8:84:8 | q |  |
+| smart_pointer.cpp:77:3:77:3 | p | smart_pointer.cpp:77:4:77:4 | call to operator-> |  |
+| smart_pointer.cpp:77:3:77:3 | ref arg p | smart_pointer.cpp:78:8:78:8 | p |  |
+| smart_pointer.cpp:77:3:77:3 | ref arg p | smart_pointer.cpp:79:8:79:8 | p |  |
+| smart_pointer.cpp:77:3:77:17 | ... = ... | smart_pointer.cpp:77:6:77:6 | x [post update] |  |
+| smart_pointer.cpp:77:3:77:17 | ... = ... | smart_pointer.cpp:78:11:78:11 | x |  |
+| smart_pointer.cpp:77:4:77:4 | call to operator-> [post update] | smart_pointer.cpp:77:3:77:3 | ref arg p |  |
+| smart_pointer.cpp:77:10:77:15 | call to source | smart_pointer.cpp:77:3:77:17 | ... = ... |  |
+| smart_pointer.cpp:78:8:78:8 | p | smart_pointer.cpp:78:9:78:9 | call to operator-> |  |
+| smart_pointer.cpp:78:8:78:8 | ref arg p | smart_pointer.cpp:79:8:79:8 | p |  |
+| smart_pointer.cpp:79:8:79:8 | p | smart_pointer.cpp:79:9:79:9 | call to operator-> |  |
+| smart_pointer.cpp:81:3:81:3 | q | smart_pointer.cpp:81:4:81:4 | call to operator-> |  |
+| smart_pointer.cpp:81:3:81:3 | ref arg q | smart_pointer.cpp:82:8:82:8 | q |  |
+| smart_pointer.cpp:81:3:81:3 | ref arg q | smart_pointer.cpp:83:8:83:8 | q |  |
+| smart_pointer.cpp:81:3:81:3 | ref arg q | smart_pointer.cpp:84:8:84:8 | q |  |
+| smart_pointer.cpp:81:3:81:20 | ... = ... | smart_pointer.cpp:81:9:81:9 | x [post update] |  |
+| smart_pointer.cpp:81:3:81:20 | ... = ... | smart_pointer.cpp:82:14:82:14 | x |  |
+| smart_pointer.cpp:81:4:81:4 | call to operator-> [post update] | smart_pointer.cpp:81:3:81:3 | ref arg q |  |
+| smart_pointer.cpp:81:13:81:18 | call to source | smart_pointer.cpp:81:3:81:20 | ... = ... |  |
+| smart_pointer.cpp:82:8:82:8 | q | smart_pointer.cpp:82:9:82:9 | call to operator-> |  |
+| smart_pointer.cpp:82:8:82:8 | ref arg q | smart_pointer.cpp:83:8:83:8 | q |  |
+| smart_pointer.cpp:82:8:82:8 | ref arg q | smart_pointer.cpp:84:8:84:8 | q |  |
+| smart_pointer.cpp:83:8:83:8 | q | smart_pointer.cpp:83:9:83:9 | call to operator-> |  |
+| smart_pointer.cpp:83:8:83:8 | ref arg q | smart_pointer.cpp:84:8:84:8 | q |  |
+| smart_pointer.cpp:84:8:84:8 | q | smart_pointer.cpp:84:9:84:9 | call to operator-> |  |
 | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:39:45:39:51 | source1 |  |
 | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:40:11:40:17 | source1 |  |
 | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:41:12:41:18 | source1 |  |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
index 1247a58b008..631614aa37d 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
@@ -35,16 +35,16 @@ void test_reverse_taint_shared() {
     std::shared_ptr<int> p = std::make_shared<int>();
 
     *p = source();
-    sink(p); // $ MISSING: ast,ir
-    sink(*p); // $ MISSING: ast,ir
+    sink(p); // $ ast MISSING: ir
+    sink(*p); // $ ast MISSING: ir
 }
 
 void test_reverse_taint_unique() {
     std::unique_ptr<int> p = std::unique_ptr<int>();
 
     *p = source();
-    sink(p); // $ MISSING: ast,ir
-    sink(*p); // $ MISSING: ast,ir
+    sink(p); // $ ast MISSING: ir
+    sink(*p); // $ ast MISSING: ir
 }
 
 void test_shared_get() {
@@ -75,11 +75,11 @@ struct B {
 
 void test_operator_arrow(std::unique_ptr<A> p, std::unique_ptr<B> q) {
   p->x = source();
-  sink(p->x); // $ MISSING: ast,ir
+  sink(p->x); // $ ast MISSING: ir
   sink(p->y);
 
   q->a1.x = source();
-  sink(q->a1.x); // $ MISSING: ast,ir
+  sink(q->a1.x); // $ ast MISSING: ir
   sink(q->a1.y);
   sink(q->a2.x);
 }

From 1bcb9cd7c0f9be99c8c30e7bf4d4fea93722efb7 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Tue, 6 Apr 2021 15:42:56 +0200
Subject: [PATCH 0168/1429] Simplify query

---
 .../Security/CWE-090/LDAPInjection.ql         | 12 ++++-------
 .../experimental/semmle/python/Concepts.qll   |  5 -----
 .../semmle/python/frameworks/Stdlib.qll       | 19 ++++-------------
 .../security/injection/LDAPInjection.qll      | 21 +------------------
 4 files changed, 9 insertions(+), 48 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
index 8d01fc173d4..945a7b94473 100644
--- a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
@@ -14,11 +14,7 @@ import python
 import experimental.semmle.python.security.injection.LDAPInjection
 import DataFlow::PathGraph
 
-from
-  LDAPInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
-  LDAPInjectionSink castedSink
-where
-  config.hasFlowPath(source, sink) and
-  castedSink.getLDAPNode() = sink.getNode()
-select sink.getNode(), source, sink, "$@ LDAP query executes $@ as a $@.", castedSink, "This",
-  source.getNode(), "a user-provided value", castedSink.getLDAPNode(), castedSink.getLDAPPart()
+from LDAPInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "$@ LDAP query parameter comes from $@.", sink.getNode(),
+  "This", source.getNode(), "a user-provided value"
diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index e62d9680665..9022f9c3818 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -13,13 +13,10 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
 private import experimental.semmle.python.Frameworks
-private import semmle.python.ApiGraphs
 
 module LDAPQuery {
   abstract class Range extends DataFlow::Node {
     abstract DataFlow::Node getLDAPNode();
-
-    abstract string getLDAPPart();
   }
 }
 
@@ -29,8 +26,6 @@ class LDAPQuery extends DataFlow::Node {
   LDAPQuery() { this = range }
 
   DataFlow::Node getLDAPNode() { result = range.getLDAPNode() }
-
-  string getLDAPPart() { result = range.getLDAPPart() }
 }
 
 module LDAPEscape {
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index cfd02b8b5a5..5a7984fab43 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -20,7 +20,6 @@ private module LDAP {
 
     private class LDAP2Query extends DataFlow::CallCfgNode, LDAPQuery::Range {
       DataFlow::Node ldapNode;
-      string ldapPart;
 
       LDAP2Query() {
         exists(DataFlow::AttrRead searchMethod, DataFlow::CallCfgNode initCall |
@@ -29,21 +28,17 @@ private module LDAP {
           initCall = searchMethod.getObject().getALocalSource() and
           searchMethod.getAttributeName() instanceof LDAP2QueryMethods and
           (
-            ldapNode = this.getArg(0) and
-            ldapPart = "DN"
+            ldapNode = this.getArg(0)
             or
             (
               ldapNode = this.getArg(2) or
               ldapNode = this.getArgByName("filterstr")
-            ) and
-            ldapPart = "search_filter"
+            )
           )
         )
       }
 
       override DataFlow::Node getLDAPNode() { result = ldapNode }
-
-      override string getLDAPPart() { result = ldapPart }
     }
 
     private class LDAP2EscapeDNCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
@@ -71,7 +66,6 @@ private module LDAP {
 
     private class LDAP3Query extends DataFlow::CallCfgNode, LDAPQuery::Range {
       DataFlow::Node ldapNode;
-      string ldapPart;
 
       LDAP3Query() {
         exists(DataFlow::AttrRead searchMethod, DataFlow::CallCfgNode connCall |
@@ -80,18 +74,13 @@ private module LDAP {
           connCall = searchMethod.getObject().getALocalSource() and
           searchMethod.getAttributeName() instanceof LDAP3QueryMethods and
           (
-            ldapNode = this.getArg(0) and
-            ldapPart = "DN"
+            ldapNode = this.getArg(0) or
+            ldapNode = this.getArg(1)
           )
-          or
-          ldapNode = this.getArg(1) and
-          ldapPart = "search_filter"
         )
       }
 
       override DataFlow::Node getLDAPNode() { result = ldapNode }
-
-      override string getLDAPPart() { result = ldapPart }
     }
 
     private class LDAP3EscapeDNCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
diff --git a/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll
index da71f38457a..febebe0a8fd 100644
--- a/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll
@@ -8,23 +8,6 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
 
-class LDAPInjectionSink extends DataFlow::Node {
-  DataFlow::Node ldapNode;
-  string ldapPart;
-
-  LDAPInjectionSink() {
-    exists(LDAPQuery ldapQuery |
-      this = ldapQuery and
-      ldapNode = ldapQuery.getLDAPNode() and
-      ldapPart = ldapQuery.getLDAPPart()
-    )
-  }
-
-  DataFlow::Node getLDAPNode() { result = ldapNode }
-
-  string getLDAPPart() { result = ldapPart }
-}
-
 /**
  * A taint-tracking configuration for detecting regular expression injections.
  */
@@ -33,9 +16,7 @@ class LDAPInjectionFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink = any(LDAPInjectionSink ldapInjSink).getLDAPNode()
-  }
+  override predicate isSink(DataFlow::Node sink) { sink = any(LDAPQuery ldapQuery).getLDAPNode() }
 
   override predicate isSanitizer(DataFlow::Node sanitizer) {
     sanitizer = any(LDAPEscape ldapEsc).getEscapeNode()

From ffcb345916a6f54b53420746770149fd8863463b Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 6 Apr 2021 15:42:24 +0200
Subject: [PATCH 0169/1429] C#: Add Dapper support to SQL injection queries

---
 .../semmle/code/csharp/frameworks/Dapper.qll  | 42 +++++++++++++++++++
 .../src/semmle/code/csharp/frameworks/Sql.qll | 36 ++++++++++++++++
 .../CWE-089/SqlInjection.expected             | 28 +++++++++++++
 .../CWE-089/SqlInjectionDapper.cs             | 11 +++++
 4 files changed, 117 insertions(+)
 create mode 100644 csharp/ql/src/semmle/code/csharp/frameworks/Dapper.qll

diff --git a/csharp/ql/src/semmle/code/csharp/frameworks/Dapper.qll b/csharp/ql/src/semmle/code/csharp/frameworks/Dapper.qll
new file mode 100644
index 00000000000..f5872226347
--- /dev/null
+++ b/csharp/ql/src/semmle/code/csharp/frameworks/Dapper.qll
@@ -0,0 +1,42 @@
+/**
+ * Classes for modelling Dapper.
+ */
+
+import csharp
+private import semmle.code.csharp.frameworks.system.Data
+
+/** Definitions relating to the `Dapper` package. */
+module Dapper {
+  /** The namespace `Dapper`. */
+  class DapperNamespace extends Namespace {
+    DapperNamespace() { this.hasQualifiedName("Dapper") }
+  }
+
+  /** A class in `Dapper`. */
+  class DapperClass extends Class {
+    DapperClass() { this.getParent() instanceof DapperNamespace }
+  }
+
+  /** A struct in `Dapper`. */
+  class DapperStruct extends Struct {
+    DapperStruct() { this.getParent() instanceof DapperNamespace }
+  }
+
+  /** The `Dapper.SqlMapper` class. */
+  class SqlMapperClass extends DapperClass {
+    SqlMapperClass() { this.hasName("SqlMapper") }
+
+    /** Gets a DB query method. */
+    ExtensionMethod getAQueryMethod() {
+      result = this.getAMethod() and
+      result.getName().regexpMatch("Query.*|Execute.*") and
+      result.getExtendedType() instanceof SystemDataIDbConnectionInterface and
+      result.isPublic()
+    }
+  }
+
+  /** The `Dapper.CommandDefinition` struct. */
+  class CommandDefinitionStruct extends DapperStruct {
+    CommandDefinitionStruct() { this.hasName("CommandDefinition") }
+  }
+}
diff --git a/csharp/ql/src/semmle/code/csharp/frameworks/Sql.qll b/csharp/ql/src/semmle/code/csharp/frameworks/Sql.qll
index 5774b22a631..76d24403524 100644
--- a/csharp/ql/src/semmle/code/csharp/frameworks/Sql.qll
+++ b/csharp/ql/src/semmle/code/csharp/frameworks/Sql.qll
@@ -5,6 +5,8 @@ private import semmle.code.csharp.frameworks.system.Data
 private import semmle.code.csharp.frameworks.system.data.SqlClient
 private import semmle.code.csharp.frameworks.EntityFramework
 private import semmle.code.csharp.frameworks.NHibernate
+private import semmle.code.csharp.frameworks.Dapper
+private import semmle.code.csharp.dataflow.DataFlow3
 
 /** An expression containing a SQL command. */
 abstract class SqlExpr extends Expr {
@@ -83,3 +85,37 @@ class MicrosoftSqlHelperMethodCallSqlExpr extends SqlExpr, MethodCall {
     )
   }
 }
+
+/** A `Dapper.SqlMapper` method that is taking a SQL string argument. */
+class DapperSqlMethodCallSqlExpr extends SqlExpr, MethodCall {
+  DapperSqlMethodCallSqlExpr() {
+    this.getTarget() = any(Dapper::SqlMapperClass c).getAQueryMethod()
+  }
+
+  override Expr getSql() { result = this.getArgumentForName("sql") }
+}
+
+/** A `Dapper.CommandDefinition` creation that is taking a SQL string argument and is passed to a `Dapper.SqlMapper` method. */
+class DapperCommandDefinitionMethodCallSqlExpr extends SqlExpr, ObjectCreation {
+  DapperCommandDefinitionMethodCallSqlExpr() {
+    this.getObjectType() instanceof Dapper::CommandDefinitionStruct and
+    exists(Conf c | c.hasFlow(DataFlow::exprNode(this), _))
+  }
+
+  override Expr getSql() { result = this.getArgumentForName("commandText") }
+}
+
+private class Conf extends DataFlow3::Configuration {
+  Conf() { this = "DapperCommandDefinitionFlowConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    node.asExpr().(ObjectCreation).getObjectType() instanceof Dapper::CommandDefinitionStruct
+  }
+
+  override predicate isSink(DataFlow::Node node) {
+    exists(MethodCall mc |
+      mc.getTarget() = any(Dapper::SqlMapperClass c).getAQueryMethod() and
+      node.asExpr() = mc.getArgumentForName("command")
+    )
+  }
+}
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected
index 61dffee741f..2ad651f8c0e 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected	
+++ b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected	
@@ -5,6 +5,13 @@ edges
 | SqlInjection.cs:73:33:73:52 | access to property Text : String | SqlInjection.cs:74:56:74:61 | access to local variable query1 |
 | SqlInjection.cs:73:33:73:52 | access to property Text : String | SqlInjection.cs:75:55:75:60 | access to local variable query1 |
 | SqlInjection.cs:87:21:87:29 | access to property Text : String | SqlInjection.cs:88:50:88:55 | access to local variable query1 |
+| SqlInjectionDapper.cs:20:86:20:94 | access to property Text : String | SqlInjectionDapper.cs:21:55:21:59 | access to local variable query |
+| SqlInjectionDapper.cs:29:86:29:94 | access to property Text : String | SqlInjectionDapper.cs:30:66:30:70 | access to local variable query |
+| SqlInjectionDapper.cs:38:86:38:94 | access to property Text : String | SqlInjectionDapper.cs:39:63:39:67 | access to local variable query |
+| SqlInjectionDapper.cs:47:86:47:94 | access to property Text : String | SqlInjectionDapper.cs:49:47:49:51 | access to local variable query |
+| SqlInjectionDapper.cs:57:86:57:94 | access to property Text : String | SqlInjectionDapper.cs:58:42:58:46 | access to local variable query |
+| SqlInjectionDapper.cs:66:86:66:94 | access to property Text : String | SqlInjectionDapper.cs:67:42:67:46 | access to local variable query |
+| SqlInjectionDapper.cs:75:86:75:94 | access to property Text : String | SqlInjectionDapper.cs:77:52:77:56 | access to local variable query |
 nodes
 | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox : TextBox | semmle.label | access to field categoryTextBox : TextBox |
 | SqlInjection.cs:38:21:38:40 | access to property Text : String | semmle.label | access to property Text : String |
@@ -15,8 +22,29 @@ nodes
 | SqlInjection.cs:75:55:75:60 | access to local variable query1 | semmle.label | access to local variable query1 |
 | SqlInjection.cs:87:21:87:29 | access to property Text : String | semmle.label | access to property Text : String |
 | SqlInjection.cs:88:50:88:55 | access to local variable query1 | semmle.label | access to local variable query1 |
+| SqlInjectionDapper.cs:20:86:20:94 | access to property Text : String | semmle.label | access to property Text : String |
+| SqlInjectionDapper.cs:21:55:21:59 | access to local variable query | semmle.label | access to local variable query |
+| SqlInjectionDapper.cs:29:86:29:94 | access to property Text : String | semmle.label | access to property Text : String |
+| SqlInjectionDapper.cs:30:66:30:70 | access to local variable query | semmle.label | access to local variable query |
+| SqlInjectionDapper.cs:38:86:38:94 | access to property Text : String | semmle.label | access to property Text : String |
+| SqlInjectionDapper.cs:39:63:39:67 | access to local variable query | semmle.label | access to local variable query |
+| SqlInjectionDapper.cs:47:86:47:94 | access to property Text : String | semmle.label | access to property Text : String |
+| SqlInjectionDapper.cs:49:47:49:51 | access to local variable query | semmle.label | access to local variable query |
+| SqlInjectionDapper.cs:57:86:57:94 | access to property Text : String | semmle.label | access to property Text : String |
+| SqlInjectionDapper.cs:58:42:58:46 | access to local variable query | semmle.label | access to local variable query |
+| SqlInjectionDapper.cs:66:86:66:94 | access to property Text : String | semmle.label | access to property Text : String |
+| SqlInjectionDapper.cs:67:42:67:46 | access to local variable query | semmle.label | access to local variable query |
+| SqlInjectionDapper.cs:75:86:75:94 | access to property Text : String | semmle.label | access to property Text : String |
+| SqlInjectionDapper.cs:77:52:77:56 | access to local variable query | semmle.label | access to local variable query |
 #select
 | SqlInjection.cs:39:50:39:55 | access to local variable query1 | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox : TextBox | SqlInjection.cs:39:50:39:55 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:38:21:38:35 | access to field categoryTextBox : TextBox | this ASP.NET user input |
 | SqlInjection.cs:74:56:74:61 | access to local variable query1 | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox : TextBox | SqlInjection.cs:74:56:74:61 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox : TextBox | this ASP.NET user input |
 | SqlInjection.cs:75:55:75:60 | access to local variable query1 | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox : TextBox | SqlInjection.cs:75:55:75:60 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:73:33:73:47 | access to field categoryTextBox : TextBox | this ASP.NET user input |
 | SqlInjection.cs:88:50:88:55 | access to local variable query1 | SqlInjection.cs:87:21:87:29 | access to property Text : String | SqlInjection.cs:88:50:88:55 | access to local variable query1 | Query might include code from $@. | SqlInjection.cs:87:21:87:29 | access to property Text : String | this TextBox text |
+| SqlInjectionDapper.cs:21:55:21:59 | access to local variable query | SqlInjectionDapper.cs:20:86:20:94 | access to property Text : String | SqlInjectionDapper.cs:21:55:21:59 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:20:86:20:94 | access to property Text : String | this TextBox text |
+| SqlInjectionDapper.cs:30:66:30:70 | access to local variable query | SqlInjectionDapper.cs:29:86:29:94 | access to property Text : String | SqlInjectionDapper.cs:30:66:30:70 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:29:86:29:94 | access to property Text : String | this TextBox text |
+| SqlInjectionDapper.cs:39:63:39:67 | access to local variable query | SqlInjectionDapper.cs:38:86:38:94 | access to property Text : String | SqlInjectionDapper.cs:39:63:39:67 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:38:86:38:94 | access to property Text : String | this TextBox text |
+| SqlInjectionDapper.cs:49:47:49:51 | access to local variable query | SqlInjectionDapper.cs:47:86:47:94 | access to property Text : String | SqlInjectionDapper.cs:49:47:49:51 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:47:86:47:94 | access to property Text : String | this TextBox text |
+| SqlInjectionDapper.cs:58:42:58:46 | access to local variable query | SqlInjectionDapper.cs:57:86:57:94 | access to property Text : String | SqlInjectionDapper.cs:58:42:58:46 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:57:86:57:94 | access to property Text : String | this TextBox text |
+| SqlInjectionDapper.cs:67:42:67:46 | access to local variable query | SqlInjectionDapper.cs:66:86:66:94 | access to property Text : String | SqlInjectionDapper.cs:67:42:67:46 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:66:86:66:94 | access to property Text : String | this TextBox text |
+| SqlInjectionDapper.cs:77:52:77:56 | access to local variable query | SqlInjectionDapper.cs:75:86:75:94 | access to property Text : String | SqlInjectionDapper.cs:77:52:77:56 | access to local variable query | Query might include code from $@. | SqlInjectionDapper.cs:75:86:75:94 | access to property Text : String | this TextBox text |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionDapper.cs b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionDapper.cs
index e2413663c4b..ec54c70ddeb 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionDapper.cs	
+++ b/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionDapper.cs	
@@ -79,6 +79,17 @@ namespace Test
             }
         }
 
+        public async Task Ok07()
+        {
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
+
+                var comDef = new CommandDefinition(query);
+                // no call to any query method
+            }
+        }
+
         System.Windows.Forms.TextBox box1;
     }
 }

From 8e11abca40b0b60a590bc9e245917d5796b72fd3 Mon Sep 17 00:00:00 2001
From: Taus Brock-Nannestad <tausbn@github.com>
Date: Tue, 6 Apr 2021 17:39:41 +0200
Subject: [PATCH 0170/1429] Revert "Merge pull request #5552 from
 RasmusWL/revert-import-change"

This reverts commit 49d1937dc42ed2afe51a82191deec05e9f58ac12, reversing
changes made to d4877a9038ae9d94b35d4a543d38599802b3f934.
---
 python/ql/src/semmle/python/Files.qll         | 30 +++++++++++++++++++
 python/ql/src/semmle/python/Module.qll        |  7 ++++-
 .../modules/entry_point/hash_bang/main.py     |  7 +++++
 .../modules/entry_point/hash_bang/module.py   |  2 ++
 .../namespace_package_main.py                 |  2 ++
 .../namespace_package_module.py               |  1 +
 .../entry_point/hash_bang/package/__init__.py |  2 ++
 .../hash_bang/package/package_main.py         |  2 ++
 .../hash_bang/package/package_module.py       |  1 +
 .../modules/entry_point/modules.expected      | 16 ++++++++++
 .../modules/entry_point/modules.ql            |  4 +++
 .../modules/entry_point/name_main/main.py     |  8 +++++
 .../modules/entry_point/name_main/module.py   |  2 ++
 .../namespace_package_main.py                 |  2 ++
 .../namespace_package_module.py               |  1 +
 .../entry_point/name_main/package/__init__.py |  2 ++
 .../name_main/package/package_main.py         |  2 ++
 .../name_main/package/package_module.py       |  1 +
 .../entry_point/no_py_extension/main.secretpy |  6 ++++
 .../entry_point/no_py_extension/module.py     |  2 ++
 .../namespace_package_main.py                 |  2 ++
 .../namespace_package_module.py               |  1 +
 .../no_py_extension/package/__init__.py       |  2 ++
 .../no_py_extension/package/package_main.py   |  2 ++
 .../no_py_extension/package/package_module.py |  1 +
 .../library-tests/modules/entry_point/options |  1 +
 26 files changed, 108 insertions(+), 1 deletion(-)
 create mode 100755 python/ql/test/3/library-tests/modules/entry_point/hash_bang/main.py
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/hash_bang/module.py
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/hash_bang/namespace_package/namespace_package_main.py
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/hash_bang/namespace_package/namespace_package_module.py
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/hash_bang/package/__init__.py
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/hash_bang/package/package_main.py
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/hash_bang/package/package_module.py
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/modules.expected
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/modules.ql
 create mode 100755 python/ql/test/3/library-tests/modules/entry_point/name_main/main.py
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/name_main/module.py
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/name_main/namespace_package/namespace_package_main.py
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/name_main/namespace_package/namespace_package_module.py
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/name_main/package/__init__.py
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/name_main/package/package_main.py
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/name_main/package/package_module.py
 create mode 100755 python/ql/test/3/library-tests/modules/entry_point/no_py_extension/main.secretpy
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/no_py_extension/module.py
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/no_py_extension/namespace_package/namespace_package_main.py
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/no_py_extension/namespace_package/namespace_package_module.py
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/no_py_extension/package/__init__.py
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/no_py_extension/package/package_main.py
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/no_py_extension/package/package_module.py
 create mode 100644 python/ql/test/3/library-tests/modules/entry_point/options

diff --git a/python/ql/src/semmle/python/Files.qll b/python/ql/src/semmle/python/Files.qll
index ef6484fbdc6..83ba92f0abc 100644
--- a/python/ql/src/semmle/python/Files.qll
+++ b/python/ql/src/semmle/python/Files.qll
@@ -72,6 +72,33 @@ class File extends Container {
    * are specified to be extracted.
    */
   string getContents() { file_contents(this, result) }
+
+  /** Holds if this file is likely to get executed directly, and thus act as an entry point for execution. */
+  predicate maybeExecutedDirectly() {
+    // Only consider files in the source code, and not things like the standard library
+    exists(this.getRelativePath()) and
+    (
+      // The file doesn't have the extension `.py` but still contains Python statements
+      not this.getExtension().matches("py%") and
+      exists(Stmt s | s.getLocation().getFile() = this)
+      or
+      // The file contains the usual `if __name__ == '__main__':` construction
+      exists(If i, Name name, StrConst main, Cmpop op |
+        i.getScope().(Module).getFile() = this and
+        op instanceof Eq and
+        i.getTest().(Compare).compares(name, op, main) and
+        name.getId() = "__name__" and
+        main.getText() = "__main__"
+      )
+      or
+      // The file contains a `#!` line referencing the python interpreter
+      exists(Comment c |
+        c.getLocation().getFile() = this and
+        c.getLocation().getStartLine() = 1 and
+        c.getText().regexpMatch("^#! */.*python(2|3)?[ \\\\t]*$")
+      )
+    )
+  }
 }
 
 private predicate occupied_line(File f, int n) {
@@ -121,6 +148,9 @@ class Folder extends Container {
     this.getBaseName().regexpMatch("[^\\d\\W]\\w*") and
     result = this.getParent().getImportRoot(n)
   }
+
+  /** Holds if execution may start in a file in this directory. */
+  predicate mayContainEntryPoint() { any(File f | f.getParent() = this).maybeExecutedDirectly() }
 }
 
 /**
diff --git a/python/ql/src/semmle/python/Module.qll b/python/ql/src/semmle/python/Module.qll
index fcf1c0b2925..8a420a800ea 100644
--- a/python/ql/src/semmle/python/Module.qll
+++ b/python/ql/src/semmle/python/Module.qll
@@ -204,8 +204,13 @@ private string moduleNameFromBase(Container file) {
 string moduleNameFromFile(Container file) {
   exists(string basename |
     basename = moduleNameFromBase(file) and
-    legalShortName(basename) and
+    legalShortName(basename)
+  |
     result = moduleNameFromFile(file.getParent()) + "." + basename
+    or
+    // If execution can start in the folder containing this module, then we will assume `file` can
+    // be imported as an absolute import, and hence return `basename` as a possible name.
+    file.getParent().(Folder).mayContainEntryPoint() and result = basename
   )
   or
   isPotentialSourcePackage(file) and
diff --git a/python/ql/test/3/library-tests/modules/entry_point/hash_bang/main.py b/python/ql/test/3/library-tests/modules/entry_point/hash_bang/main.py
new file mode 100755
index 00000000000..ad619e5cbd8
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/hash_bang/main.py
@@ -0,0 +1,7 @@
+#! /usr/bin/python3
+print(__file__)
+import module
+import package
+import namespace_package
+import namespace_package.namespace_package_main
+print(module.message)
diff --git a/python/ql/test/3/library-tests/modules/entry_point/hash_bang/module.py b/python/ql/test/3/library-tests/modules/entry_point/hash_bang/module.py
new file mode 100644
index 00000000000..36206ca60b7
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/hash_bang/module.py
@@ -0,0 +1,2 @@
+print(__file__.split("entry_point")[1])
+message = "Hello world!"
diff --git a/python/ql/test/3/library-tests/modules/entry_point/hash_bang/namespace_package/namespace_package_main.py b/python/ql/test/3/library-tests/modules/entry_point/hash_bang/namespace_package/namespace_package_main.py
new file mode 100644
index 00000000000..5db80f18a27
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/hash_bang/namespace_package/namespace_package_main.py
@@ -0,0 +1,2 @@
+print(__file__.split("entry_point")[1])
+import namespace_package.namespace_package_module
diff --git a/python/ql/test/3/library-tests/modules/entry_point/hash_bang/namespace_package/namespace_package_module.py b/python/ql/test/3/library-tests/modules/entry_point/hash_bang/namespace_package/namespace_package_module.py
new file mode 100644
index 00000000000..567a23d59ce
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/hash_bang/namespace_package/namespace_package_module.py
@@ -0,0 +1 @@
+print(__file__.split("entry_point")[1])
diff --git a/python/ql/test/3/library-tests/modules/entry_point/hash_bang/package/__init__.py b/python/ql/test/3/library-tests/modules/entry_point/hash_bang/package/__init__.py
new file mode 100644
index 00000000000..ca14a9f5804
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/hash_bang/package/__init__.py
@@ -0,0 +1,2 @@
+print(__file__.split("entry_point")[1])
+from . import package_main
diff --git a/python/ql/test/3/library-tests/modules/entry_point/hash_bang/package/package_main.py b/python/ql/test/3/library-tests/modules/entry_point/hash_bang/package/package_main.py
new file mode 100644
index 00000000000..158b12678e3
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/hash_bang/package/package_main.py
@@ -0,0 +1,2 @@
+print(__file__.split("entry_point")[1])
+from . import package_module
diff --git a/python/ql/test/3/library-tests/modules/entry_point/hash_bang/package/package_module.py b/python/ql/test/3/library-tests/modules/entry_point/hash_bang/package/package_module.py
new file mode 100644
index 00000000000..567a23d59ce
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/hash_bang/package/package_module.py
@@ -0,0 +1 @@
+print(__file__.split("entry_point")[1])
diff --git a/python/ql/test/3/library-tests/modules/entry_point/modules.expected b/python/ql/test/3/library-tests/modules/entry_point/modules.expected
new file mode 100644
index 00000000000..e5f6b300074
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/modules.expected
@@ -0,0 +1,16 @@
+| main | hash_bang/main.py:0:0:0:0 | Script main |
+| main | name_main/main.py:0:0:0:0 | Module main |
+| module | hash_bang/module.py:0:0:0:0 | Module module |
+| module | name_main/module.py:0:0:0:0 | Module module |
+| package | hash_bang/package:0:0:0:0 | Package package |
+| package | name_main/package:0:0:0:0 | Package package |
+| package | no_py_extension/package:0:0:0:0 | Package package |
+| package.__init__ | hash_bang/package/__init__.py:0:0:0:0 | Module package.__init__ |
+| package.__init__ | name_main/package/__init__.py:0:0:0:0 | Module package.__init__ |
+| package.__init__ | no_py_extension/package/__init__.py:0:0:0:0 | Module package.__init__ |
+| package.package_main | hash_bang/package/package_main.py:0:0:0:0 | Module package.package_main |
+| package.package_main | name_main/package/package_main.py:0:0:0:0 | Module package.package_main |
+| package.package_main | no_py_extension/package/package_main.py:0:0:0:0 | Module package.package_main |
+| package.package_module | hash_bang/package/package_module.py:0:0:0:0 | Module package.package_module |
+| package.package_module | name_main/package/package_module.py:0:0:0:0 | Module package.package_module |
+| package.package_module | no_py_extension/package/package_module.py:0:0:0:0 | Module package.package_module |
diff --git a/python/ql/test/3/library-tests/modules/entry_point/modules.ql b/python/ql/test/3/library-tests/modules/entry_point/modules.ql
new file mode 100644
index 00000000000..10c390e8616
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/modules.ql
@@ -0,0 +1,4 @@
+import python
+
+from Module m
+select m.getName(), m
diff --git a/python/ql/test/3/library-tests/modules/entry_point/name_main/main.py b/python/ql/test/3/library-tests/modules/entry_point/name_main/main.py
new file mode 100755
index 00000000000..08ec212383b
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/name_main/main.py
@@ -0,0 +1,8 @@
+print(__file__)
+import module
+import package
+import namespace_package
+import namespace_package.namespace_package_main
+
+if __name__ == '__main__':
+   print(module.message)
diff --git a/python/ql/test/3/library-tests/modules/entry_point/name_main/module.py b/python/ql/test/3/library-tests/modules/entry_point/name_main/module.py
new file mode 100644
index 00000000000..36206ca60b7
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/name_main/module.py
@@ -0,0 +1,2 @@
+print(__file__.split("entry_point")[1])
+message = "Hello world!"
diff --git a/python/ql/test/3/library-tests/modules/entry_point/name_main/namespace_package/namespace_package_main.py b/python/ql/test/3/library-tests/modules/entry_point/name_main/namespace_package/namespace_package_main.py
new file mode 100644
index 00000000000..5db80f18a27
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/name_main/namespace_package/namespace_package_main.py
@@ -0,0 +1,2 @@
+print(__file__.split("entry_point")[1])
+import namespace_package.namespace_package_module
diff --git a/python/ql/test/3/library-tests/modules/entry_point/name_main/namespace_package/namespace_package_module.py b/python/ql/test/3/library-tests/modules/entry_point/name_main/namespace_package/namespace_package_module.py
new file mode 100644
index 00000000000..567a23d59ce
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/name_main/namespace_package/namespace_package_module.py
@@ -0,0 +1 @@
+print(__file__.split("entry_point")[1])
diff --git a/python/ql/test/3/library-tests/modules/entry_point/name_main/package/__init__.py b/python/ql/test/3/library-tests/modules/entry_point/name_main/package/__init__.py
new file mode 100644
index 00000000000..ca14a9f5804
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/name_main/package/__init__.py
@@ -0,0 +1,2 @@
+print(__file__.split("entry_point")[1])
+from . import package_main
diff --git a/python/ql/test/3/library-tests/modules/entry_point/name_main/package/package_main.py b/python/ql/test/3/library-tests/modules/entry_point/name_main/package/package_main.py
new file mode 100644
index 00000000000..158b12678e3
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/name_main/package/package_main.py
@@ -0,0 +1,2 @@
+print(__file__.split("entry_point")[1])
+from . import package_module
diff --git a/python/ql/test/3/library-tests/modules/entry_point/name_main/package/package_module.py b/python/ql/test/3/library-tests/modules/entry_point/name_main/package/package_module.py
new file mode 100644
index 00000000000..567a23d59ce
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/name_main/package/package_module.py
@@ -0,0 +1 @@
+print(__file__.split("entry_point")[1])
diff --git a/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/main.secretpy b/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/main.secretpy
new file mode 100755
index 00000000000..e2673d4da78
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/main.secretpy
@@ -0,0 +1,6 @@
+print(__file__)
+import module
+import package
+import namespace_package
+import namespace_package.namespace_package_main
+print(module.message)
diff --git a/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/module.py b/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/module.py
new file mode 100644
index 00000000000..36206ca60b7
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/module.py
@@ -0,0 +1,2 @@
+print(__file__.split("entry_point")[1])
+message = "Hello world!"
diff --git a/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/namespace_package/namespace_package_main.py b/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/namespace_package/namespace_package_main.py
new file mode 100644
index 00000000000..5db80f18a27
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/namespace_package/namespace_package_main.py
@@ -0,0 +1,2 @@
+print(__file__.split("entry_point")[1])
+import namespace_package.namespace_package_module
diff --git a/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/namespace_package/namespace_package_module.py b/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/namespace_package/namespace_package_module.py
new file mode 100644
index 00000000000..567a23d59ce
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/namespace_package/namespace_package_module.py
@@ -0,0 +1 @@
+print(__file__.split("entry_point")[1])
diff --git a/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/package/__init__.py b/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/package/__init__.py
new file mode 100644
index 00000000000..ca14a9f5804
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/package/__init__.py
@@ -0,0 +1,2 @@
+print(__file__.split("entry_point")[1])
+from . import package_main
diff --git a/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/package/package_main.py b/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/package/package_main.py
new file mode 100644
index 00000000000..158b12678e3
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/package/package_main.py
@@ -0,0 +1,2 @@
+print(__file__.split("entry_point")[1])
+from . import package_module
diff --git a/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/package/package_module.py b/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/package/package_module.py
new file mode 100644
index 00000000000..567a23d59ce
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/no_py_extension/package/package_module.py
@@ -0,0 +1 @@
+print(__file__.split("entry_point")[1])
diff --git a/python/ql/test/3/library-tests/modules/entry_point/options b/python/ql/test/3/library-tests/modules/entry_point/options
new file mode 100644
index 00000000000..6beceeb08ed
--- /dev/null
+++ b/python/ql/test/3/library-tests/modules/entry_point/options
@@ -0,0 +1 @@
+semmle-extractor-options: --lang=3 --path bogus -R . --filter=include:**/*.secretpy

From b44db460f613164309f6d8f0726f8b1f2658edb6 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@gmail.com>
Date: Tue, 6 Apr 2021 19:55:43 +0000
Subject: [PATCH 0171/1429] Python: Only track modules that are imported

---
 python/ql/src/semmle/python/Module.qll        | 21 ++++++++++++++++---
 .../modules/entry_point/modules.expected      |  2 --
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/python/ql/src/semmle/python/Module.qll b/python/ql/src/semmle/python/Module.qll
index 8a420a800ea..48d0e9e1a3d 100644
--- a/python/ql/src/semmle/python/Module.qll
+++ b/python/ql/src/semmle/python/Module.qll
@@ -201,6 +201,20 @@ private string moduleNameFromBase(Container file) {
   file instanceof File and result = file.getStem()
 }
 
+/**
+ * Holds if `file` may be transitively imported from a file that may serve as the entry point of
+ * the execution.
+ */
+private predicate transitively_imported_from_entry_point(File file) {
+  file.getExtension().matches("%py%") and
+  exists(File importer |
+    importer.getParent() = file.getParent() and
+    exists(ImportExpr i | i.getLocation().getFile() = importer and i.getName() = file.getStem())
+  |
+    importer.maybeExecutedDirectly() or transitively_imported_from_entry_point(importer)
+  )
+}
+
 string moduleNameFromFile(Container file) {
   exists(string basename |
     basename = moduleNameFromBase(file) and
@@ -208,9 +222,10 @@ string moduleNameFromFile(Container file) {
   |
     result = moduleNameFromFile(file.getParent()) + "." + basename
     or
-    // If execution can start in the folder containing this module, then we will assume `file` can
-    // be imported as an absolute import, and hence return `basename` as a possible name.
-    file.getParent().(Folder).mayContainEntryPoint() and result = basename
+    // If `file` is a transitive import of a file that's executed directly, we allow references
+    // to it by its `basename`.
+    transitively_imported_from_entry_point(file) and
+    result = basename
   )
   or
   isPotentialSourcePackage(file) and
diff --git a/python/ql/test/3/library-tests/modules/entry_point/modules.expected b/python/ql/test/3/library-tests/modules/entry_point/modules.expected
index e5f6b300074..cdc743a360d 100644
--- a/python/ql/test/3/library-tests/modules/entry_point/modules.expected
+++ b/python/ql/test/3/library-tests/modules/entry_point/modules.expected
@@ -1,5 +1,3 @@
-| main | hash_bang/main.py:0:0:0:0 | Script main |
-| main | name_main/main.py:0:0:0:0 | Module main |
 | module | hash_bang/module.py:0:0:0:0 | Module module |
 | module | name_main/module.py:0:0:0:0 | Module module |
 | package | hash_bang/package:0:0:0:0 | Package package |

From 43ae7462b44b4fc9561ee1cc6c246507e32b04c0 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@gmail.com>
Date: Tue, 6 Apr 2021 19:55:43 +0000
Subject: [PATCH 0172/1429] Python: Only track modules that are imported

This greatly restricts the set of modules that have a new name under
this scheme.

One change to the tests was needed, which reflects the fact that the
two `main.py` files no longer have the name `main` (which makes sense,
since they're never imported under this name).
---
 python/ql/src/semmle/python/Module.qll        | 21 ++++++++++++++++---
 .../modules/entry_point/modules.expected      |  2 --
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/python/ql/src/semmle/python/Module.qll b/python/ql/src/semmle/python/Module.qll
index 8a420a800ea..48d0e9e1a3d 100644
--- a/python/ql/src/semmle/python/Module.qll
+++ b/python/ql/src/semmle/python/Module.qll
@@ -201,6 +201,20 @@ private string moduleNameFromBase(Container file) {
   file instanceof File and result = file.getStem()
 }
 
+/**
+ * Holds if `file` may be transitively imported from a file that may serve as the entry point of
+ * the execution.
+ */
+private predicate transitively_imported_from_entry_point(File file) {
+  file.getExtension().matches("%py%") and
+  exists(File importer |
+    importer.getParent() = file.getParent() and
+    exists(ImportExpr i | i.getLocation().getFile() = importer and i.getName() = file.getStem())
+  |
+    importer.maybeExecutedDirectly() or transitively_imported_from_entry_point(importer)
+  )
+}
+
 string moduleNameFromFile(Container file) {
   exists(string basename |
     basename = moduleNameFromBase(file) and
@@ -208,9 +222,10 @@ string moduleNameFromFile(Container file) {
   |
     result = moduleNameFromFile(file.getParent()) + "." + basename
     or
-    // If execution can start in the folder containing this module, then we will assume `file` can
-    // be imported as an absolute import, and hence return `basename` as a possible name.
-    file.getParent().(Folder).mayContainEntryPoint() and result = basename
+    // If `file` is a transitive import of a file that's executed directly, we allow references
+    // to it by its `basename`.
+    transitively_imported_from_entry_point(file) and
+    result = basename
   )
   or
   isPotentialSourcePackage(file) and
diff --git a/python/ql/test/3/library-tests/modules/entry_point/modules.expected b/python/ql/test/3/library-tests/modules/entry_point/modules.expected
index e5f6b300074..cdc743a360d 100644
--- a/python/ql/test/3/library-tests/modules/entry_point/modules.expected
+++ b/python/ql/test/3/library-tests/modules/entry_point/modules.expected
@@ -1,5 +1,3 @@
-| main | hash_bang/main.py:0:0:0:0 | Script main |
-| main | name_main/main.py:0:0:0:0 | Module main |
 | module | hash_bang/module.py:0:0:0:0 | Module module |
 | module | name_main/module.py:0:0:0:0 | Module module |
 | package | hash_bang/package:0:0:0:0 | Package package |

From acf8fd0f038aaafed40c7d3e8643024dcc2a8f97 Mon Sep 17 00:00:00 2001
From: yoff <lerchedahl@gmail.com>
Date: Tue, 6 Apr 2021 22:45:03 +0200
Subject: [PATCH 0173/1429] Apply suggestions from code review

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
---
 .../src/Security/CWE-327/FluentApiModel.qll   | 22 ++++++++----------
 python/ql/src/Security/CWE-327/Ssl.qll        | 23 ++++---------------
 .../src/Security/CWE-327/TlsLibraryModel.qll  |  2 +-
 3 files changed, 16 insertions(+), 31 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/FluentApiModel.qll b/python/ql/src/Security/CWE-327/FluentApiModel.qll
index 803b7adab40..c6836ba6057 100644
--- a/python/ql/src/Security/CWE-327/FluentApiModel.qll
+++ b/python/ql/src/Security/CWE-327/FluentApiModel.qll
@@ -3,7 +3,8 @@ import TlsLibraryModel
 
 /**
  * Configuration to determine the state of a context being used to create
- * a conection.
+ * a conection. There is one configuration for each pair of `TlsLibrary` and `ProtocolVersion`,
+ * such that a single configuration only tracks contexts where a specific `ProtocolVersion` is allowed.
  *
  * The state is in terms of whether a specific protocol is allowed. This is
  * either true or false when the context is created and can then be modified
@@ -72,20 +73,18 @@ predicate unsafe_connection_creation_with_context(
   boolean specific
 ) {
   // Connection created from a context allowing `insecure_version`.
-  exists(InsecureContextConfiguration c, ProtocolUnrestriction co |
-    c.hasFlow(co, connectionCreation)
+  exists(InsecureContextConfiguration c |
+    c.hasFlow(contextOrigin, connectionCreation)
   |
     insecure_version = c.getTrackedVersion() and
-    contextOrigin = co and
+    contextOrigin instanceof ProtocolUnrestriction and
     specific = false
   )
   or
   // Connection created from a context specifying `insecure_version`.
-  exists(TlsLibrary l, DataFlow::CfgNode cc |
-    cc = l.insecure_connection_creation(insecure_version)
-  |
-    connectionCreation = cc and
-    contextOrigin = cc and
+  exists(TlsLibrary l |
+    connectionCreation = l.insecure_connection_creation(insecure_version) and
+    contextOrigin = connectionCreation and
     specific = true
   )
 }
@@ -105,7 +104,6 @@ predicate unsafe_connection_creation_without_context(
 
 /** Holds if `contextCreation` is creating a context ties to a specific insecure version. */
 predicate unsafe_context_creation(DataFlow::CallCfgNode contextCreation, string insecure_version) {
-  exists(TlsLibrary l, ContextCreation cc | cc = l.insecure_context_creation(insecure_version) |
-    contextCreation = cc
-  )
+  contextCreation instanceof ContextCreation and
+  exists(TlsLibrary l | contextCreation = l.insecure_context_creation(insecure_version))
 }
diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index 928a5f74e2d..9def499fb11 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -23,30 +23,17 @@ class SSLDefaultContextCreation extends ContextCreation {
 }
 
 /** Gets a reference to an `ssl.Context` instance. */
-private DataFlow::LocalSourceNode sslContextInstance(DataFlow::TypeTracker t) {
-  t.start() and
-  result = API::moduleImport("ssl").getMember(["SSLContext", "create_default_context"]).getACall()
-  or
-  exists(DataFlow::TypeTracker t2 | result = sslContextInstance(t2).track(t2, t))
+API::Node sslContextInstance() {
+  result = API::moduleImport("ssl").getMember(["SSLContext", "create_default_context"]).getReturn()
 }
 
-/** Gets a reference to an `ssl.Context` instance. */
-DataFlow::Node sslContextInstance() {
-  sslContextInstance(DataFlow::TypeTracker::end()).flowsTo(result)
-}
-
-class WrapSocketCall extends ConnectionCreation {
-  override CallNode node;
-
+class WrapSocketCall extends ConnectionCreation, DataFlow::CallCfgNode {
   WrapSocketCall() {
-    exists(DataFlow::AttrRead call | node.getFunction() = call.asCfgNode() |
-      call.getAttributeName() = "wrap_socket" and
-      call.getObject() = sslContextInstance()
-    )
+    this = sslContextInstance().getMember("wrap_socket").getACall()
   }
 
   override DataFlow::CfgNode getContext() {
-    result.getNode() = node.getFunction().(AttrNode).getObject()
+    result = this.getFunction().(DataFlow::AttrRead).getObject()
   }
 }
 
diff --git a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
index 245a60b0295..73ab52be807 100644
--- a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
+++ b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
@@ -84,7 +84,7 @@ abstract class UnspecificContextCreation extends ContextCreation, ProtocolUnrest
   }
 }
 
-/** A model of a TLS library. */
+/** A model of a SSL/TLS library. */
 abstract class TlsLibrary extends string {
   TlsLibrary() { this in ["ssl", "pyOpenSSL"] }
 

From 062668444220f9b00476c92df3dd1c6b52b33148 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Tue, 6 Apr 2021 22:55:32 +0200
Subject: [PATCH 0174/1429] Python: small cleanups enabled by review

---
 python/ql/src/Security/CWE-327/FluentApiModel.qll | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/FluentApiModel.qll b/python/ql/src/Security/CWE-327/FluentApiModel.qll
index c6836ba6057..652a4bae2a1 100644
--- a/python/ql/src/Security/CWE-327/FluentApiModel.qll
+++ b/python/ql/src/Security/CWE-327/FluentApiModel.qll
@@ -3,7 +3,7 @@ import TlsLibraryModel
 
 /**
  * Configuration to determine the state of a context being used to create
- * a conection. There is one configuration for each pair of `TlsLibrary` and `ProtocolVersion`,
+ * a connection. There is one configuration for each pair of `TlsLibrary` and `ProtocolVersion`,
  * such that a single configuration only tracks contexts where a specific `ProtocolVersion` is allowed.
  *
  * The state is in terms of whether a specific protocol is allowed. This is
@@ -73,11 +73,8 @@ predicate unsafe_connection_creation_with_context(
   boolean specific
 ) {
   // Connection created from a context allowing `insecure_version`.
-  exists(InsecureContextConfiguration c |
-    c.hasFlow(contextOrigin, connectionCreation)
-  |
+  exists(InsecureContextConfiguration c | c.hasFlow(contextOrigin, connectionCreation) |
     insecure_version = c.getTrackedVersion() and
-    contextOrigin instanceof ProtocolUnrestriction and
     specific = false
   )
   or
@@ -104,6 +101,5 @@ predicate unsafe_connection_creation_without_context(
 
 /** Holds if `contextCreation` is creating a context ties to a specific insecure version. */
 predicate unsafe_context_creation(DataFlow::CallCfgNode contextCreation, string insecure_version) {
-  contextCreation instanceof ContextCreation and
   exists(TlsLibrary l | contextCreation = l.insecure_context_creation(insecure_version))
 }

From a44490b47053f6b7339a1c26b01070dfa878d73c Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Tue, 6 Apr 2021 22:56:07 +0200
Subject: [PATCH 0175/1429] Python: remove unused file

---
 .../src/Security/CWE-327/examples/secure_protocol.py  | 11 -----------
 1 file changed, 11 deletions(-)
 delete mode 100644 python/ql/src/Security/CWE-327/examples/secure_protocol.py

diff --git a/python/ql/src/Security/CWE-327/examples/secure_protocol.py b/python/ql/src/Security/CWE-327/examples/secure_protocol.py
deleted file mode 100644
index e349bdae832..00000000000
--- a/python/ql/src/Security/CWE-327/examples/secure_protocol.py
+++ /dev/null
@@ -1,11 +0,0 @@
-import socket
-import ssl
-
-hostname = 'www.python.org'
-context = ssl.SSLContext(ssl.PROTOCOL_TLS)
-context.options |= ssl.OP_NO_TLSv1
-context.options |= ssl.OP_NO_TLSv1_1
-
-with socket.create_connection((hostname, 443)) as sock:
-    with context.wrap_socket(sock, server_hostname=hostname) as ssock:
-        print(ssock.version())

From 094d2f3b7d3d628b7e1a8e7d3999f6ce235bb642 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Tue, 6 Apr 2021 22:59:58 +0200
Subject: [PATCH 0176/1429] Python: clean up tests

---
 .../Security/CWE-327/ssl_fluent.py            | 59 ++-----------------
 1 file changed, 6 insertions(+), 53 deletions(-)

diff --git a/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py b/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
index ceddaa32f09..0f7620f21ea 100644
--- a/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
+++ b/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
@@ -56,58 +56,11 @@ def test_fluent_ssl():
             print(ssock.version())
 
 
-def test_fluent_ssl_no_TLSv1():
-    hostname = 'www.python.org'
-    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-    context.options |= ssl.OP_NO_TLSv1
-
-    with socket.create_connection((hostname, 443)) as sock:
-        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
-            print(ssock.version())
-
-def test_fluent_ssl_safe():
-    hostname = 'www.python.org'
-    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-    context.options |= ssl.OP_NO_TLSv1
-    context.options |= ssl.OP_NO_TLSv1_1
-
-    with socket.create_connection((hostname, 443)) as sock:
-        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
-            print(ssock.version())
-
-def test_fluent_ssl_safe_combined():
-    hostname = 'www.python.org'
-    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
-
-    with socket.create_connection((hostname, 443)) as sock:
-        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
-            print(ssock.version())
-
-def test_fluent_ssl_unsafe_combined_wrongly():
-    hostname = 'www.python.org'
-    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-    context.options |= ssl.OP_NO_TLSv1 & ssl.OP_NO_TLSv1_1
-
-    with socket.create_connection((hostname, 443)) as sock:
-        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
-            print(ssock.version())
-
-def test_fluent_ssl_safe_combined_multiple():
-    hostname = 'www.python.org'
-    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2
-
-    with socket.create_connection((hostname, 443)) as sock:
-        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
-            print(ssock.version())
-
-
 def create_relaxed_context():
-    return ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    return ssl.SSLContext(ssl.PROTOCOL_TLS)
 
 def create_secure_context():
-    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context = ssl.SSLContext(ssl.PROTOCOL_TLS)
     context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
     return context
 
@@ -143,21 +96,21 @@ def test_delegated_context_made_unsafe():
             print(ssock.version())
 
 def test_delegated_connection_unsafe():
-    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context = ssl.SSLContext(ssl.PROTOCOL_TLS)
     create_connection(context)
 
 def test_delegated_connection_safe():
-    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context = ssl.SSLContext(ssl.PROTOCOL_TLS)
     context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
     create_connection(context)
 
 def test_delegated_connection_made_safe():
-    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context = ssl.SSLContext(ssl.PROTOCOL_TLS)
     context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
     create_connection(context)
 
 def test_delegated_connection_made_unsafe():
-    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+    context = ssl.SSLContext(ssl.PROTOCOL_TLS)
     context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
     context.options &= ~ssl.OP_NO_TLSv1_1
     create_connection(context)

From 59ff3f315b34bdb4989ea17d9c8f9387bdc821d5 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 31 Mar 2021 19:11:28 +0100
Subject: [PATCH 0177/1429] C++: Add test cases exploring issues and potential
 issues with the query (especially related to simple range analysis).

---
 ...dDifferenceExpressionComparedZero.expected |  18 ++
 .../test.cpp                                  | 192 +++++++++++++++++-
 2 files changed, 209 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
index 2d28795d126..447d98c1fd7 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
@@ -8,3 +8,21 @@
 | test.cpp:62:5:62:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:69:5:69:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:75:8:75:16 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:83:6:83:14 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:92:6:92:14 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:101:6:101:14 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:110:6:110:14 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:119:6:119:14 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:128:6:128:14 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:137:6:137:14 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:146:7:146:15 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:152:7:152:15 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:156:7:156:15 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:169:6:169:14 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:182:6:182:14 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:195:6:195:14 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:208:6:208:14 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:219:7:219:15 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:226:8:226:16 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:252:10:252:18 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:266:10:266:24 | ... > ... | Unsigned subtraction can never be negative. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
index 11de69e8c62..c16608ef0f8 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
@@ -74,4 +74,194 @@ void test(unsigned x, unsigned y, bool unknown) {
   	y += n; // NOTE: `n` is at most `x - y` at this point.
   	if (x - y > 0) {} // GOOD [FALSE POSITIVE]
 	}
-}
\ No newline at end of file
+}
+
+void test2() {
+	unsigned int a = getAnInt();
+	unsigned int b = a;
+
+	if (a - b > 0) { // GOOD (as a = b) [FALSE POSITIVE]
+		// ...
+	}
+}
+
+void test3() {
+	unsigned int a = getAnInt();
+	unsigned int b = a - 1;
+
+	if (a - b > 0) { // GOOD (as a >= b) [FALSE POSITIVE]
+		// ...
+	}
+}
+
+void test4() {
+	unsigned int a = getAnInt();
+	unsigned int b = a + 1;
+
+	if (a - b > 0) { // BAD
+		// ...
+	}
+}
+
+void test5() {
+	unsigned int b = getAnInt();
+	unsigned int a = b;
+
+	if (a - b > 0) { // GOOD (as a = b) [FALSE POSITIVE]
+		// ...
+	}
+}
+
+void test6() {
+	unsigned int b = getAnInt();
+	unsigned int a = b + 1;
+
+	if (a - b > 0) { // GOOD (as a >= b) [FALSE POSITIVE]
+		// ...
+	}
+}
+
+void test7() {
+	unsigned int b = getAnInt();
+	unsigned int a = b - 1;
+
+	if (a - b > 0) { // BAD
+		// ...
+	}
+}
+
+void test8() {
+	unsigned int a = getAnInt();
+	unsigned int b = getAnInt();
+
+	if (a - b > 0) { // BAD
+		// ...
+	}
+
+	if (a >= b) { // GOOD
+		if (a - b > 0) { // GOOD (as a >= b)
+			// ...
+		}
+	} else {
+		if (a - b > 0) { // BAD
+			// ...
+		}
+	}
+
+	if (b >= a) { // GOOD
+		if (a - b > 0) { // BAD
+			// ...
+		}
+	} else {
+		if (a - b > 0) { // GOOD (as a > b) [FALSE POSITIVE]
+			// ...
+		}
+	}
+
+	while (a >= b) { // GOOD
+		if (a - b > 0) { // GOOD (as a >= b)
+			// ...
+		}
+	}
+
+	if (a < b) return;
+
+	if (a - b > 0) { // GOOD (as a >= b) [FALSE POSITIVE]
+		// ...
+	}
+}
+
+void test9() {
+	unsigned int a = getAnInt();
+	unsigned int b = getAnInt();
+
+	if (a < b) {
+		b = 0;
+	}
+
+	if (a - b > 0) { // GOOD (as a >= b) [FALSE POSITIVE]
+		// ...
+	}
+}
+
+void test10() {
+	unsigned int a = getAnInt();
+	unsigned int b = getAnInt();
+
+	if (a < b) {
+		a = b;
+	}
+
+	if (a - b > 0) { // GOOD (as a >= b) [FALSE POSITIVE]
+		// ...
+	}
+}
+
+void test11() {
+	unsigned int a = getAnInt();
+	unsigned int b = getAnInt();
+
+	if (a < b) return;
+
+	b = getAnInt();
+
+	if (a - b > 0) { // BAD
+		// ...
+	}
+}
+
+void test12() {
+	unsigned int a = getAnInt();
+	unsigned int b = getAnInt();
+	unsigned int c;
+
+	if ((b <= c) && (c <= a)) {
+		if (a - b > 0) { // GOOD (as b <= a) [FALSE POSITIVE]
+			// ...
+		}
+	}
+
+	if (b <= c) {
+		if (c <= a) {
+			if (a - b > 0) { // GOOD (as b <= a) [FALSE POSITIVE]
+				// ...
+			}
+		}
+	}
+}
+
+int test13() {
+	unsigned int a = getAnInt();
+	unsigned int b = getAnInt();
+
+	if (b != 0) {
+		return 0;
+	}
+
+	return (a - b > 0); // GOOD (as b = 0)
+}
+
+int test14() {
+	unsigned int a = getAnInt();
+	unsigned int b = getAnInt();
+
+	if (!b) {
+		return 0;
+	}
+
+	return (a - b > 0); // GOOD (as b = 0) [FALSE POSITIVE]
+}
+
+struct Numbers
+{
+	unsigned int a, b;
+};
+
+int test15(Numbers *n) {
+
+	if (!n) {
+		return 0;
+	}
+
+	return (n->a - n->b > 0); // BAD
+}

From 3ecd13531f7be2d4ee5c7bd5733bde6be1217439 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 6 Apr 2021 17:59:22 +0100
Subject: [PATCH 0178/1429] C++: Improve isGuarded.

---
 .../UnsignedDifferenceExpressionComparedZero.ql      | 12 ++++++++----
 ...UnsignedDifferenceExpressionComparedZero.expected |  2 --
 .../test.cpp                                         |  4 ++--
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index 007a4fd746d..0b30cc7e213 100644
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -16,12 +16,16 @@ import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import semmle.code.cpp.controlflow.Guards
 
-/** Holds if `sub` is guarded by a condition which ensures that `left >= right`. */
+/**
+ *  Holds if `sub` is guarded by a condition which ensures that
+ * `left >= right`.
+ */
 pragma[noinline]
 predicate isGuarded(SubExpr sub, Expr left, Expr right) {
-  exists(GuardCondition guard |
-    guard.controls(sub.getBasicBlock(), true) and
-    guard.ensuresLt(left, right, 0, sub.getBasicBlock(), false)
+  exists(GuardCondition guard, int k |
+    guard.controls(sub.getBasicBlock(), _) and
+    guard.ensuresLt(left, right, k, sub.getBasicBlock(), false) and
+    k >= 0
   )
 }
 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
index 447d98c1fd7..36dc7cf4c5b 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
@@ -17,8 +17,6 @@
 | test.cpp:137:6:137:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:146:7:146:15 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:152:7:152:15 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:156:7:156:15 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:169:6:169:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:182:6:182:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:195:6:195:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:208:6:208:14 | ... > ... | Unsigned subtraction can never be negative. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
index c16608ef0f8..bf2b2eb5dad 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
@@ -153,7 +153,7 @@ void test8() {
 			// ...
 		}
 	} else {
-		if (a - b > 0) { // GOOD (as a > b) [FALSE POSITIVE]
+		if (a - b > 0) { // GOOD (as a > b)
 			// ...
 		}
 	}
@@ -166,7 +166,7 @@ void test8() {
 
 	if (a < b) return;
 
-	if (a - b > 0) { // GOOD (as a >= b) [FALSE POSITIVE]
+	if (a - b > 0) { // GOOD (as a >= b)
 		// ...
 	}
 }

From 48ff8e237c1aba54368196193c2fa09b109e771e Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 6 Apr 2021 15:57:58 +0100
Subject: [PATCH 0179/1429] C++: Rewrite the range analysis exclusion to be
 recursive and more robust.

---
 ...nsignedDifferenceExpressionComparedZero.ql | 26 ++++++++++++-------
 ...dDifferenceExpressionComparedZero.expected |  5 +---
 .../test.cpp                                  | 10 +++----
 3 files changed, 22 insertions(+), 19 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index 0b30cc7e213..26c2c6ae869 100644
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -29,16 +29,22 @@ predicate isGuarded(SubExpr sub, Expr left, Expr right) {
   )
 }
 
-/** Holds if `sub` will never be negative. */
-predicate nonNegative(SubExpr sub) {
-  not exprMightOverflowNegatively(sub.getFullyConverted())
+/**
+ * Holds if `e` is known to be less than or equal to `sub.getLeftOperand()`.
+ */
+predicate exprIsSubLeftOrLess(SubExpr sub, Expr e) {
+  e = sub.getLeftOperand()
   or
-  // The subtraction is guarded by a check of the form `left >= right`.
-  exists(GVN left, GVN right |
-    // This is basically a poor man's version of a directional unbind operator.
-    strictcount([left, globalValueNumber(sub.getLeftOperand())]) = 1 and
-    strictcount([right, globalValueNumber(sub.getRightOperand())]) = 1 and
-    isGuarded(sub, left.getAnExpr(), right.getAnExpr())
+  exists(Expr other |
+    // GVN equality
+    exprIsSubLeftOrLess(sub, other) and
+    globalValueNumber(e) = globalValueNumber(other)
+  )
+  or
+  exists(Expr other |
+    // guard constraining `sub`
+    exprIsSubLeftOrLess(sub, other) and
+    isGuarded(sub, other, e) // left >= right
   )
 }
 
@@ -49,5 +55,5 @@ where
   ro.getLesserOperand().getValue().toInt() = 0 and
   ro.getGreaterOperand() = sub and
   sub.getFullyConverted().getUnspecifiedType().(IntegralType).isUnsigned() and
-  not nonNegative(sub)
+  not exprIsSubLeftOrLess(sub, sub.getRightOperand())
 select ro, "Unsigned subtraction can never be negative."
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
index 36dc7cf4c5b..0acb75de56f 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
@@ -8,10 +8,8 @@
 | test.cpp:62:5:62:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:69:5:69:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:75:8:75:16 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:83:6:83:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:92:6:92:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:101:6:101:14 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:110:6:110:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:119:6:119:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:128:6:128:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:137:6:137:14 | ... > ... | Unsigned subtraction can never be negative. |
@@ -20,7 +18,6 @@
 | test.cpp:182:6:182:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:195:6:195:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:208:6:208:14 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:219:7:219:15 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:226:8:226:16 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:241:10:241:18 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:252:10:252:18 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:266:10:266:24 | ... > ... | Unsigned subtraction can never be negative. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
index bf2b2eb5dad..e42ffd8d326 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
@@ -80,7 +80,7 @@ void test2() {
 	unsigned int a = getAnInt();
 	unsigned int b = a;
 
-	if (a - b > 0) { // GOOD (as a = b) [FALSE POSITIVE]
+	if (a - b > 0) { // GOOD (as a = b)
 		// ...
 	}
 }
@@ -107,7 +107,7 @@ void test5() {
 	unsigned int b = getAnInt();
 	unsigned int a = b;
 
-	if (a - b > 0) { // GOOD (as a = b) [FALSE POSITIVE]
+	if (a - b > 0) { // GOOD (as a = b)
 		// ...
 	}
 }
@@ -216,14 +216,14 @@ void test12() {
 	unsigned int c;
 
 	if ((b <= c) && (c <= a)) {
-		if (a - b > 0) { // GOOD (as b <= a) [FALSE POSITIVE]
+		if (a - b > 0) { // GOOD (as b <= a)
 			// ...
 		}
 	}
 
 	if (b <= c) {
 		if (c <= a) {
-			if (a - b > 0) { // GOOD (as b <= a) [FALSE POSITIVE]
+			if (a - b > 0) { // GOOD (as b <= a)
 				// ...
 			}
 		}
@@ -238,7 +238,7 @@ int test13() {
 		return 0;
 	}
 
-	return (a - b > 0); // GOOD (as b = 0)
+	return (a - b > 0); // GOOD (as b = 0) [FALSE POSITIVE]
 }
 
 int test14() {

From 60e4faba4c24686ad74ba45197ccd38c289b91f5 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 6 Apr 2021 18:30:18 +0100
Subject: [PATCH 0180/1429] C++: Add linear expression logic.

---
 .../UnsignedDifferenceExpressionComparedZero.ql | 17 +++++++++++++++++
 ...nedDifferenceExpressionComparedZero.expected |  2 --
 .../test.cpp                                    |  4 ++--
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index 26c2c6ae869..8073a3567d2 100644
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -14,6 +14,7 @@ import cpp
 import semmle.code.cpp.commons.Exclusions
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
 import semmle.code.cpp.controlflow.Guards
 
 /**
@@ -46,6 +47,22 @@ predicate exprIsSubLeftOrLess(SubExpr sub, Expr e) {
     exprIsSubLeftOrLess(sub, other) and
     isGuarded(sub, other, e) // left >= right
   )
+  or
+  exists(Expr other, float p, float q |
+    // linear access of `other`
+    exprIsSubLeftOrLess(sub, other) and
+    linearAccess(e, other, p, q) and // e = p * other + q
+    p <= 1 and
+    q <= 0
+  )
+  or
+  exists(Expr other, float p, float q |
+    // linear access of `e`
+    exprIsSubLeftOrLess(sub, other) and
+    linearAccess(other, e, p, q) and // other = p * e + q
+    p >= 1 and
+    q >= 0
+  )
 }
 
 from RelationalOperation ro, SubExpr sub
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
index 0acb75de56f..06fcf0ebb72 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
@@ -8,9 +8,7 @@
 | test.cpp:62:5:62:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:69:5:69:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:75:8:75:16 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:92:6:92:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:101:6:101:14 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:119:6:119:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:128:6:128:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:137:6:137:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:146:7:146:15 | ... > ... | Unsigned subtraction can never be negative. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
index e42ffd8d326..c0a4d38d14a 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
@@ -89,7 +89,7 @@ void test3() {
 	unsigned int a = getAnInt();
 	unsigned int b = a - 1;
 
-	if (a - b > 0) { // GOOD (as a >= b) [FALSE POSITIVE]
+	if (a - b > 0) { // GOOD (as a >= b)
 		// ...
 	}
 }
@@ -116,7 +116,7 @@ void test6() {
 	unsigned int b = getAnInt();
 	unsigned int a = b + 1;
 
-	if (a - b > 0) { // GOOD (as a >= b) [FALSE POSITIVE]
+	if (a - b > 0) { // GOOD (as a >= b)
 		// ...
 	}
 }

From a8193dac087f12d487eef9091dfe57135fe7690f Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 6 Apr 2021 22:35:04 +0100
Subject: [PATCH 0181/1429] C++: Reintroduce the exprMightOverflowNegatively
 bit.

---
 .../CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql    | 3 ++-
 .../UnsignedDifferenceExpressionComparedZero.expected          | 1 -
 .../CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index 8073a3567d2..bca77f99a72 100644
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -72,5 +72,6 @@ where
   ro.getLesserOperand().getValue().toInt() = 0 and
   ro.getGreaterOperand() = sub and
   sub.getFullyConverted().getUnspecifiedType().(IntegralType).isUnsigned() and
-  not exprIsSubLeftOrLess(sub, sub.getRightOperand())
+  exprMightOverflowNegatively(sub.getFullyConverted()) and // generally catches false positives involving constants
+  not exprIsSubLeftOrLess(sub, sub.getRightOperand()) // generally catches false positives where there's a relation between the left and right operands
 select ro, "Unsigned subtraction can never be negative."
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
index 06fcf0ebb72..46bf57ee52a 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
@@ -16,6 +16,5 @@
 | test.cpp:182:6:182:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:195:6:195:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:208:6:208:14 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:241:10:241:18 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:252:10:252:18 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:266:10:266:24 | ... > ... | Unsigned subtraction can never be negative. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
index c0a4d38d14a..dfaedbb9d2b 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
@@ -238,7 +238,7 @@ int test13() {
 		return 0;
 	}
 
-	return (a - b > 0); // GOOD (as b = 0) [FALSE POSITIVE]
+	return (a - b > 0); // GOOD (as b = 0)
 }
 
 int test14() {

From fb95c488e8854e816ef8da12450ad262b47867a7 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Wed, 7 Apr 2021 08:20:52 +0200
Subject: [PATCH 0182/1429] Python: format

---
 python/ql/src/Security/CWE-327/Ssl.qll | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index 9def499fb11..26928e31cb0 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -28,9 +28,7 @@ API::Node sslContextInstance() {
 }
 
 class WrapSocketCall extends ConnectionCreation, DataFlow::CallCfgNode {
-  WrapSocketCall() {
-    this = sslContextInstance().getMember("wrap_socket").getACall()
-  }
+  WrapSocketCall() { this = sslContextInstance().getMember("wrap_socket").getACall() }
 
   override DataFlow::CfgNode getContext() {
     result = this.getFunction().(DataFlow::AttrRead).getObject()

From a0e3e3afaf2456f9ad80c9fd9d639c2daecb1373 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Wed, 7 Apr 2021 08:22:36 +0200
Subject: [PATCH 0183/1429] Python: adjust test expectations

---
 .../CWE-327/InsecureProtocol.expected         | 29 +++++++++----------
 1 file changed, 13 insertions(+), 16 deletions(-)

diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
index f4cd96eb82e..57b19cef0b1 100644
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
@@ -24,19 +24,16 @@
 | ssl_fluent.py:37:14:37:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:33:15:33:53 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
 | ssl_fluent.py:55:14:55:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:52:15:52:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
 | ssl_fluent.py:55:14:55:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:52:15:52:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:65:14:65:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:61:15:61:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:93:14:93:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:89:15:89:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:93:14:93:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:89:15:89:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:116:14:116:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:107:12:107:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:116:14:116:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:146:15:146:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:116:14:116:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:107:12:107:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:116:14:116:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:146:15:146:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:116:14:116:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:162:5:162:11 | ControlFlowNode for context | context modification |
-| ssl_fluent.py:116:14:116:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:180:5:180:11 | ControlFlowNode for context | context modification |
-| ssl_fluent.py:122:14:122:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:107:12:107:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:122:14:122:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:107:12:107:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:142:14:142:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:140:5:140:11 | ControlFlowNode for context | context modification |
-| ssl_fluent.py:191:14:191:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:188:5:188:11 | ControlFlowNode for context | context modification |
-| ssl_fluent.py:210:14:210:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@  | ssl_fluent.py:207:5:207:11 | ControlFlowNode for context | context modification |
-| ssl_fluent.py:210:14:210:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:206:15:206:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
-| ssl_fluent.py:210:14:210:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:206:15:206:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
+| ssl_fluent.py:69:14:69:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:60:12:60:43 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:69:14:69:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:99:15:99:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:69:14:69:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:60:12:60:43 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:69:14:69:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:99:15:99:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:69:14:69:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:115:5:115:11 | ControlFlowNode for context | context modification |
+| ssl_fluent.py:69:14:69:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:133:5:133:11 | ControlFlowNode for context | context modification |
+| ssl_fluent.py:75:14:75:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:60:12:60:43 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:75:14:75:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:60:12:60:43 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:95:14:95:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:93:5:93:11 | ControlFlowNode for context | context modification |
+| ssl_fluent.py:144:14:144:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:141:5:141:11 | ControlFlowNode for context | context modification |
+| ssl_fluent.py:163:14:163:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@  | ssl_fluent.py:160:5:160:11 | ControlFlowNode for context | context modification |
+| ssl_fluent.py:163:14:163:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:159:15:159:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
+| ssl_fluent.py:163:14:163:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:159:15:159:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |

From f22db2a30b305ba15019fb77463e42c2022cfe86 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Wed, 7 Apr 2021 08:32:21 +0200
Subject: [PATCH 0184/1429] Python: One family to rule them all...

---
 python/ql/src/Security/CWE-327/TlsLibraryModel.qll | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
index 73ab52be807..82c251f3f81 100644
--- a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
+++ b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
@@ -71,15 +71,10 @@ abstract class UnspecificContextCreation extends ContextCreation, ProtocolUnrest
   override DataFlow::CfgNode getContext() { result = this }
 
   override ProtocolVersion getUnrestriction() {
-    // see https://www.openssl.org/docs/man1.1.0/man3/TLS_method.html
-    family = "TLS" and
-    result in ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
-    or
-    // This can negotiate a TLS 1.3 connection (!)
-    // see
-    // - https://docs.python.org/3/library/ssl.html#ssl-contexts
-    // - https://www.openssl.org/docs/man1.0.2/man3/TLSv1_method.html
-    family = "SSLv23" and
+    // There is only one family, the two names are aliases in OpenSSL.
+    // see https://github.com/openssl/openssl/blob/13888e797c5a3193e91d71e5f5a196a2d68d266f/include/openssl/ssl.h.in#L1953-L1955
+    family in ["SSLv23", "TLS"] and
+    // see https://docs.python.org/3/library/ssl.html#ssl-contexts
     result in ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
   }
 }

From a006a92f8dd93e5503108e02762188f63fad288b Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Wed, 7 Apr 2021 08:32:40 +0200
Subject: [PATCH 0185/1429] Python: Expand commentary

---
 python/ql/src/Security/CWE-327/Ssl.qll | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index 26928e31cb0..fc4d13bffae 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -141,13 +141,15 @@ class UnspecificSSLContextCreation extends SSLContextCreation, UnspecificContext
   UnspecificSSLContextCreation() { library = "ssl" }
 
   override ProtocolVersion getUnrestriction() {
+    // Case: A protocol argument is present.
     result = UnspecificContextCreation.super.getUnrestriction() and
     // These are turned off by default
     // see https://docs.python.org/3/library/ssl.html#ssl-contexts
     not result in ["SSLv2", "SSLv3"]
     or
-    // The default argument is TLS and the SSL versions are turned off by default.
+    // Case: No protocol arguemnt is present.
     not exists(this.getProtocol()) and
+    // The default argument is TLS and the SSL versions are turned off by default.
     result in ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
   }
 }

From 9c3b7e81c7c8b6ed00ef22f3e43485e777e9d7f3 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Tue, 6 Apr 2021 10:31:06 +0300
Subject: [PATCH 0186/1429] Add files via upload

---
 ...trolFlowManagementWhenUsingBitOperations.c |  4 +
 ...FlowManagementWhenUsingBitOperations.qhelp | 28 +++++++
 ...rolFlowManagementWhenUsingBitOperations.ql | 80 +++++++++++++++++++
 3 files changed, 112 insertions(+)
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.c
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.qhelp
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.c b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.c
new file mode 100644
index 00000000000..27631843118
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.c
@@ -0,0 +1,4 @@
+if(len>0 & memset(buf,0,len)) return 1; // BAD: `memset` will be called regardless of the value of the `len` variable. moreover, one cannot be sure that it will happen after verification
+...
+if(len>0 && memset(buf,0,len)) return 1; // GOOD: `memset` will be called after the `len` variable has been checked.
+...
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.qhelp
new file mode 100644
index 00000000000..f49d5a4fe78
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.qhelp
@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Using bitwise operations can be a mistake in some situations. For example, if parameters are evaluated in an expression and the function should be called only upon certain test results. These bitwise operations look suspicious and require developer attention.</p>
+
+
+</overview>
+<recommendation>
+
+<p>We recommend that you evaluate the correctness of using the specified bit operations.</p>
+
+</recommendation>
+<example>
+<p>The following example demonstrates the erroneous and fixed use of bit and logical operations.</p>
+<sample src="InsufficientControlFlowManagementWhenUsingBitOperations.c" />
+
+</example>
+<references>
+
+<li>
+  CWE Common Weakness Enumeration:
+  <a href="https://cwe.mitre.org/data/definitions/691.html"> CWE-691: Insufficient Control Flow Management</a>.
+</li>
+
+</references>
+</qhelp>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
new file mode 100644
index 00000000000..a599fc19fde
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
@@ -0,0 +1,80 @@
+/**
+ * @name Errors When Using Bit Operations
+ * @description --Using bitwise operations can be a mistake in some situations.
+ *              --For example, if parameters are evaluated in an expression and the function should be called only upon certain test results.
+ *              --These bitwise operations look suspicious and require developer attention.
+ * @kind problem
+ * @id cpp/errors-when-using-bit-operations
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-691
+ */
+
+import cpp
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+
+/**
+ * Dangerous uses of bit operations.
+ * For example: `if(intA>0 & intA<10 & charBuf&myFunc(charBuf[intA]))`.
+ * In this case, the function will be called in any case, and even the sequence of the call is not guaranteed.
+ */
+class DangerousBitOperations extends Expr {
+  FunctionCall bfc;
+
+  /**
+   * The assignment indicates the conscious use of the bit operator.
+   * Use in comparison, conversion, or return value indicates conscious use of the bit operator.
+   * The use of shifts and bitwise operations on any element of an expression indicates a conscious use of the bitwise operator.
+   */
+  DangerousBitOperations() {
+    bfc = this.(BinaryBitwiseOperation).getRightOperand() and
+    not this.getParent*() instanceof AssignExpr and
+    not this.getParent*() instanceof Initializer and
+    not this.getParent*() instanceof ReturnStmt and
+    not this.getParent*() instanceof EqualityOperation and
+    not this.getParent*() instanceof UnaryLogicalOperation and
+    not this.getParent*() instanceof BinaryLogicalOperation and
+    not this.(BinaryBitwiseOperation).getAChild*() instanceof BitwiseXorExpr and
+    not this.(BinaryBitwiseOperation).getAChild*() instanceof LShiftExpr and
+    not this.(BinaryBitwiseOperation).getAChild*() instanceof RShiftExpr
+  }
+
+  /** Holds when part of a bit expression is used in a logical operation. */
+  predicate useInLogicalOperations() {
+    exists(BinaryLogicalOperation blop, Expr exp |
+      blop.getAChild*() = exp and
+      exp.(FunctionCall).getTarget() = bfc.getTarget() and
+      not exp.getParent() instanceof ComparisonOperation and
+      not exp.getParent() instanceof BinaryBitwiseOperation
+    )
+  }
+
+  /** Holds when part of a bit expression is used as part of another supply. For example, as an argument to another function. */
+  predicate useInOtherCalls() {
+    bfc.hasQualifier() or
+    bfc.getTarget() instanceof Operator or
+    exists(FunctionCall fc | fc.getAnArgument().getAChild*() = this) or
+    bfc.getTarget() instanceof BuiltInFunction
+  }
+
+  /** Holds when the bit expression contains both arguments and a function call. */
+  predicate dangerousArgumentChecking() {
+    not this.(BinaryBitwiseOperation).getLeftOperand() instanceof Call and
+    globalValueNumber(this.(BinaryBitwiseOperation).getLeftOperand().getAChild*()) =
+      globalValueNumber(bfc.getAnArgument())
+  }
+
+  /** Holds when function calls are present in the bit expression. */
+  predicate functionCallsInBitsExpression() {
+    this.(BinaryBitwiseOperation).getLeftOperand().getAChild*() instanceof FunctionCall
+  }
+}
+
+from DangerousBitOperations dbo
+where
+  not dbo.useInOtherCalls() and
+  dbo.useInLogicalOperations() and
+  (not dbo.functionCallsInBitsExpression() or dbo.dangerousArgumentChecking())
+select dbo, "this bit expression needs your attention"

From ed2a8db8c9e4b5e60032b97ad2028e4342459200 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Tue, 6 Apr 2021 10:32:05 +0300
Subject: [PATCH 0187/1429] Add files via upload

---
 ...wManagementWhenUsingBitOperations.expected |  2 ++
 ...FlowManagementWhenUsingBitOperations.qlref |  1 +
 .../Security/CWE/CWE-691/semmle/tests/test.c  | 28 +++++++++++++++++++
 3 files changed, 31 insertions(+)
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.expected
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.qlref
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.expected
new file mode 100644
index 00000000000..6aa02a61eaf
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.expected
@@ -0,0 +1,2 @@
+| test.c:8:6:8:51 | ... & ... | this bit expression needs your attention |
+| test.c:10:6:10:30 | ... & ... | this bit expression needs your attention |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.qlref
new file mode 100644
index 00000000000..9bf28db3c8a
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c
new file mode 100644
index 00000000000..fc30f7a6e97
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c
@@ -0,0 +1,28 @@
+int tmpFunction(){
+  return 5;
+}
+void workFunction_0(char *s) {
+  int intSize;
+  char buf[80];
+  if(intSize>0 && intSize<80 && memset(buf,0,intSize)) return; // GOOD
+  if(intSize>0 & intSize<80 & memset(buf,0,intSize)) return; // BAD
+  if(intSize>0 && tmpFunction()) return;
+  if(intSize<0 & tmpFunction()) return; // BAD
+}
+void workFunction_1(char *s) {
+  int intA,intB;
+
+  if(intA + intB) return; // BAD
+  if(intA + intB>4) return; // GOOD
+  if(intA>0 && (intA + intB)) return; // BAD
+  while(intA>0)
+  {
+    if(intB - intA<10) break;
+    intA--;
+  }while(intA>0); // BAD
+  while(intA>0)
+  {
+    if(intB - intA<10) break;
+    intA--;
+  } // GOOD
+}

From 36de496d47b6fb95058920cb3cf7412a5001af95 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Tue, 6 Apr 2021 10:35:28 +0300
Subject: [PATCH 0188/1429] Add files via upload

---
 ...rolFlowManagementAfterRefactoringTheCode.c |  17 +++
 ...lowManagementAfterRefactoringTheCode.qhelp |  28 +++++
 ...olFlowManagementAfterRefactoringTheCode.ql | 118 ++++++++++++++++++
 3 files changed, 163 insertions(+)
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.c
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.qhelp
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.c b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.c
new file mode 100644
index 00000000000..3ba47068244
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.c
@@ -0,0 +1,17 @@
+while(flagsLoop)
+{
+  ...
+  if(flagsIf) break;
+  ...
+}while(flagsLoop); // BAD: when exiting through `break`, it is possible to get into an eternal loop.
+...
+while(flagsLoop)
+{
+  ...
+  if(flagsIf) break;
+  ...
+} // GOOD: coreten cycle
+...
+if(intA+intB) return 1; // BAD: possibly no comparison
+...
+if(intA+intB>intC) return 1; // GOOD: correct comparison
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.qhelp
new file mode 100644
index 00000000000..2c485dfd0cf
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.qhelp
@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>In some situations, after code refactoring, parts of the old constructs may remain. They are correctly accepted by the compiler, but can critically affect program execution. For example, if you switch from `do {...} while ();` to `while () {...}` with errors, you run the risk of running out of resources. These code snippets look suspicious and require the developer's attention.</p>
+
+
+</overview>
+<recommendation>
+
+<p>We recommend that you use more explicit code transformations.</p>
+
+</recommendation>
+<example>
+<p>The following example demonstrates the erroneous and corrected sections of the code.</p>
+<sample src="InsufficientControlFlowManagementAfterRefactoringTheCode.c" />
+
+</example>
+<references>
+
+<li>
+  CWE Common Weakness Enumeration:
+  <a href="https://cwe.mitre.org/data/definitions/691.html"> CWE-691: Insufficient Control Flow Management</a>.
+</li>
+
+</references>
+</qhelp>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
new file mode 100644
index 00000000000..6b9639fe8b9
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
@@ -0,0 +1,118 @@
+/**
+ * @name Errors After Refactoring
+ * @description --In some situations, after code refactoring, parts of the old constructs may remain.
+ *              --They are correctly accepted by the compiler, but can critically affect program execution.
+ *              --For example, if you switch from `do {...} while ();` to `while () {...}` with errors, you run the risk of running out of resources.
+ *              --These code snippets look suspicious and require the developer's attention.
+ * @kind problem
+ * @id cpp/errors-after-refactoring
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-691
+ */
+
+import cpp
+import semmle.code.cpp.valuenumbering.HashCons
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+
+/**
+ * Using `while` directly after the body of another` while`.
+ */
+class UsingWhileAfterWhile extends WhileStmt {
+  /**
+   * Using a loop call after another loop has finished running can result in an eternal loop.
+   * For example, perhaps as a result of refactoring, the `do ... while ()` loop was incorrectly corrected.
+   * Even in the case of deliberate use of such an expression, it is better to correct it.
+   */
+  UsingWhileAfterWhile() {
+    exists(WhileStmt wh1 |
+      wh1.getStmt().getAChild*().(BreakStmt).(ControlFlowNode).getASuccessor().getASuccessor() =
+        this and
+      hashCons(wh1.getCondition()) = hashCons(this.getCondition()) and
+      this.getStmt() instanceof EmptyStmt
+    )
+    or
+    exists(ForStmt fr1 |
+      fr1.getStmt().getAChild*().(BreakStmt).(ControlFlowNode).getASuccessor().getASuccessor() =
+        this and
+      hashCons(fr1.getCondition()) = hashCons(this.getCondition()) and
+      this.getStmt() instanceof EmptyStmt
+    )
+  }
+}
+
+/**
+ * Using arithmetic in comparison.
+ */
+class UsingArithmeticInComparison extends BinaryArithmeticOperation {
+  /**
+   * Using arithmetic operations in a comparison operation can be dangerous.
+   * For example, part of the comparison may have been lost as a result of refactoring.
+   * Even if you deliberately use such an expression, it is better to add an explicit comparison.
+   */
+  UsingArithmeticInComparison() {
+    this.getParent*() instanceof IfStmt and
+    not this.getAChild*().isConstant() and
+    not this.getParent*() instanceof Call and
+    not this.getParent*() instanceof AssignExpr and
+    not this.getParent*() instanceof RemExpr and
+    not this.getParent*() instanceof AssignBitwiseOperation and
+    not this.getParent*() instanceof AssignArithmeticOperation and
+    not this.getParent*() instanceof EqualityOperation and
+    not this.getParent*() instanceof RelationalOperation
+  }
+
+  /** Holds when the expression is inside the loop body. */
+  predicate insideTheLoop() { exists(Loop lp | lp.getStmt().getAChild*() = this.getParent*()) }
+
+  /** Holds when the expression is used in binary operations. */
+  predicate workingWithValue() {
+    this.getParent*() instanceof BinaryBitwiseOperation or
+    this.getParent*() instanceof NotExpr
+  }
+
+  /** Holds when the expression contains a pointer. */
+  predicate workingWithPointer() {
+    this.getAChild*().getFullyConverted().getType() instanceof DerivedType
+  }
+
+  /** Holds when a null comparison expression exists. */
+  predicate compareWithZero() {
+    exists(Expr exp |
+      exp instanceof ComparisonOperation and
+      (
+        globalValueNumber(exp.getAChild*()) = globalValueNumber(this) or
+        hashCons(exp.getAChild*()) = hashCons(this)
+      ) and
+      (
+        exp.(ComparisonOperation).getLeftOperand().getValue() = "0" or
+        exp.(ComparisonOperation).getRightOperand().getValue() = "0"
+      )
+    )
+  }
+
+  /** Holds when a comparison expression exists. */
+  predicate compareWithOutZero() {
+    exists(Expr exp |
+      exp instanceof ComparisonOperation and
+      (
+        globalValueNumber(exp.getAChild*()) = globalValueNumber(this) or
+        hashCons(exp.getAChild*()) = hashCons(this)
+      )
+    )
+  }
+}
+
+from Expr exp, WhileStmt wst
+where
+  exp instanceof UsingArithmeticInComparison and
+  not exp.(UsingArithmeticInComparison).workingWithValue() and
+  not exp.(UsingArithmeticInComparison).workingWithPointer() and
+  not exp.(UsingArithmeticInComparison).insideTheLoop() and
+  not exp.(UsingArithmeticInComparison).compareWithZero() and
+  exp.(UsingArithmeticInComparison).compareWithOutZero()
+  or
+  wst instanceof UsingWhileAfterWhile and exp = wst.getCondition()
+select exp, "this expression needs your attention"

From cbf158ea6bbd4f5f98c5e1ad997fe6a58902e993 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Tue, 6 Apr 2021 10:36:22 +0300
Subject: [PATCH 0189/1429] Add files via upload

---
 ...ManagementAfterRefactoringTheCode.expected |  3 ++
 ...lowManagementAfterRefactoringTheCode.qlref |  1 +
 .../Security/CWE/CWE-691/semmle/tests/test.c  | 28 +++++++++++++++++++
 3 files changed, 32 insertions(+)
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.expected
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.qlref
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.expected
new file mode 100644
index 00000000000..cc1b5cf46d8
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.expected
@@ -0,0 +1,3 @@
+| test.c:15:6:15:16 | ... + ... | this expression needs your attention |
+| test.c:17:17:17:27 | ... + ... | this expression needs your attention |
+| test.c:22:10:22:15 | ... > ... | this expression needs your attention |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.qlref
new file mode 100644
index 00000000000..496d5f1b7be
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c
new file mode 100644
index 00000000000..fc30f7a6e97
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c
@@ -0,0 +1,28 @@
+int tmpFunction(){
+  return 5;
+}
+void workFunction_0(char *s) {
+  int intSize;
+  char buf[80];
+  if(intSize>0 && intSize<80 && memset(buf,0,intSize)) return; // GOOD
+  if(intSize>0 & intSize<80 & memset(buf,0,intSize)) return; // BAD
+  if(intSize>0 && tmpFunction()) return;
+  if(intSize<0 & tmpFunction()) return; // BAD
+}
+void workFunction_1(char *s) {
+  int intA,intB;
+
+  if(intA + intB) return; // BAD
+  if(intA + intB>4) return; // GOOD
+  if(intA>0 && (intA + intB)) return; // BAD
+  while(intA>0)
+  {
+    if(intB - intA<10) break;
+    intA--;
+  }while(intA>0); // BAD
+  while(intA>0)
+  {
+    if(intB - intA<10) break;
+    intA--;
+  } // GOOD
+}

From 69973d0fa24aaa8e8475532dbeb1d6a97f8ddfce Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Wed, 7 Apr 2021 11:24:11 +0100
Subject: [PATCH 0190/1429] JS: Autoformat

---
 javascript/ql/test/library-tests/TypeScript/BaseUrl/test.ql | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/javascript/ql/test/library-tests/TypeScript/BaseUrl/test.ql b/javascript/ql/test/library-tests/TypeScript/BaseUrl/test.ql
index cfb4c9400e7..659ccda1dea 100644
--- a/javascript/ql/test/library-tests/TypeScript/BaseUrl/test.ql
+++ b/javascript/ql/test/library-tests/TypeScript/BaseUrl/test.ql
@@ -1,5 +1,3 @@
 import javascript
 
-query Module getImportedModule(Import imprt) {
-  result = imprt.getImportedModule()
-}
+query Module getImportedModule(Import imprt) { result = imprt.getImportedModule() }

From 6c69c1aeeb10737bd63bc95ed8c7759342116cdb Mon Sep 17 00:00:00 2001
From: Taus <tausbn@gmail.com>
Date: Wed, 7 Apr 2021 10:47:21 +0000
Subject: [PATCH 0191/1429] Python: Minor cleanup

---
 python/ql/src/semmle/python/Files.qll  | 5 +----
 python/ql/src/semmle/python/Module.qll | 2 +-
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/python/ql/src/semmle/python/Files.qll b/python/ql/src/semmle/python/Files.qll
index 83ba92f0abc..6eb6b2a18ac 100644
--- a/python/ql/src/semmle/python/Files.qll
+++ b/python/ql/src/semmle/python/Files.qll
@@ -74,7 +74,7 @@ class File extends Container {
   string getContents() { file_contents(this, result) }
 
   /** Holds if this file is likely to get executed directly, and thus act as an entry point for execution. */
-  predicate maybeExecutedDirectly() {
+  predicate isPossibleEntryPoint() {
     // Only consider files in the source code, and not things like the standard library
     exists(this.getRelativePath()) and
     (
@@ -148,9 +148,6 @@ class Folder extends Container {
     this.getBaseName().regexpMatch("[^\\d\\W]\\w*") and
     result = this.getParent().getImportRoot(n)
   }
-
-  /** Holds if execution may start in a file in this directory. */
-  predicate mayContainEntryPoint() { any(File f | f.getParent() = this).maybeExecutedDirectly() }
 }
 
 /**
diff --git a/python/ql/src/semmle/python/Module.qll b/python/ql/src/semmle/python/Module.qll
index 48d0e9e1a3d..753be2605d2 100644
--- a/python/ql/src/semmle/python/Module.qll
+++ b/python/ql/src/semmle/python/Module.qll
@@ -211,7 +211,7 @@ private predicate transitively_imported_from_entry_point(File file) {
     importer.getParent() = file.getParent() and
     exists(ImportExpr i | i.getLocation().getFile() = importer and i.getName() = file.getStem())
   |
-    importer.maybeExecutedDirectly() or transitively_imported_from_entry_point(importer)
+    importer.isPossibleEntryPoint() or transitively_imported_from_entry_point(importer)
   )
 }
 

From 26cddc7d047a5024fa31bf14db5c18d2c37bbb3b Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Wed, 7 Apr 2021 12:28:45 +0100
Subject: [PATCH 0192/1429] JS: Update test output

---
 .../TypeScript/RegressionTests/ImportSelf/test.expected   | 8 --------
 .../RegressionTests/TraceResolution/test.expected         | 1 -
 .../test/library-tests/frameworks/Electron/tests.expected | 2 --
 3 files changed, 11 deletions(-)

diff --git a/javascript/ql/test/library-tests/TypeScript/RegressionTests/ImportSelf/test.expected b/javascript/ql/test/library-tests/TypeScript/RegressionTests/ImportSelf/test.expected
index 200517fd84d..6e38d3a0038 100644
--- a/javascript/ql/test/library-tests/TypeScript/RegressionTests/ImportSelf/test.expected
+++ b/javascript/ql/test/library-tests/TypeScript/RegressionTests/ImportSelf/test.expected
@@ -2,11 +2,3 @@
 | bar.ts:1:10:1:10 | A | any |
 | bar.ts:1:19:1:29 | "@blah/foo" | any |
 | bar.ts:3:5:3:5 | x | any |
-| node_modules/@blah/foo/index.d.ts:1:8:1:15 | FooArray | typeof FooArray in library-tests/TypeScript/RegressionTests/ImportSelf/node_modules/@blah/foo/index.d.ts |
-| node_modules/@blah/foo/index.d.ts:1:20:1:20 | A | any |
-| node_modules/@blah/foo/index.d.ts:1:20:1:20 | A | any |
-| node_modules/@blah/foo/index.d.ts:1:29:1:39 | '@blah/foo' | any |
-| node_modules/@blah/foo/index.d.ts:3:11:3:18 | FooArray | typeof FooArray in library-tests/TypeScript/RegressionTests/ImportSelf/node_modules/@blah/foo/index.d.ts |
-| node_modules/@blah/foo/index.d.ts:4:12:4:15 | blah | () => void |
-| node_modules/@blah/foo/index.d.ts:8:10:8:10 | A | any |
-| node_modules/@blah/foo/index.d.ts:8:10:8:10 | A | any |
diff --git a/javascript/ql/test/library-tests/TypeScript/RegressionTests/TraceResolution/test.expected b/javascript/ql/test/library-tests/TypeScript/RegressionTests/TraceResolution/test.expected
index ec7a2343e6b..dc21f343569 100644
--- a/javascript/ql/test/library-tests/TypeScript/RegressionTests/TraceResolution/test.expected
+++ b/javascript/ql/test/library-tests/TypeScript/RegressionTests/TraceResolution/test.expected
@@ -1,4 +1,3 @@
-| node_modules/@types/foo/index.d.ts:1:17:1:19 | foo | () => any |
 | test.ts:1:10:1:12 | foo | () => any |
 | test.ts:1:10:1:12 | foo | () => any |
 | test.ts:1:21:1:25 | "foo" | any |
diff --git a/javascript/ql/test/library-tests/frameworks/Electron/tests.expected b/javascript/ql/test/library-tests/frameworks/Electron/tests.expected
index 4741bea1469..3050fb8fa53 100644
--- a/javascript/ql/test/library-tests/frameworks/Electron/tests.expected
+++ b/javascript/ql/test/library-tests/frameworks/Electron/tests.expected
@@ -15,8 +15,6 @@ browserObject
 | electron.js:62:13:62:59 | new Bro ... 1500 }) |
 | electron.js:63:3:63:5 | win |
 | electron.js:65:18:65:20 | win |
-| electronTs.d.ts:2:16:2:28 | BrowserWindow |
-| electronTs.d.ts:3:16:3:26 | BrowserView |
 | electronTs.ts:3:12:3:13 | bw |
 | electronTs.ts:3:40:3:41 | bv |
 | electronTs.ts:4:3:4:4 | bw |

From ee13ff71d60f4c3afd74ff14806a5c432137cb78 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Wed, 7 Apr 2021 12:29:06 +0100
Subject: [PATCH 0193/1429] JS: Add another change note

---
 .../change-notes/2021-04-01-tsconfig-file-inclusion-handling.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/javascript/change-notes/2021-04-01-tsconfig-file-inclusion-handling.md b/javascript/change-notes/2021-04-01-tsconfig-file-inclusion-handling.md
index a1d61f71723..7eacc308c9a 100644
--- a/javascript/change-notes/2021-04-01-tsconfig-file-inclusion-handling.md
+++ b/javascript/change-notes/2021-04-01-tsconfig-file-inclusion-handling.md
@@ -1,3 +1,5 @@
 lgtm,codescanning
 * Fixed a bug which caused some imports to be resolved incorrectly
   for projects containing multiple `tsconfig.json` files.
+* Fixed a bug which could cause some files in the `node_modules` folder
+  to be extracted even though they should be excluded.

From 903f364dab78bf076c6ea129dbe7aaa529f90b02 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Wed, 7 Apr 2021 13:29:51 +0000
Subject: [PATCH 0194/1429] Python: Improve `CallCfgNode` interface

Call nodes are always local sources (specifically sources of the return
value of the call), and so inheriting from `LocalSourceNode` will have
no effect on results, but _should_ make it a bit more smooth to use the
API.
---
 .../src/semmle/python/dataflow/new/internal/DataFlowPublic.qll  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
index 36db37a0a0f..6a397175ab1 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
@@ -180,7 +180,7 @@ class CfgNode extends Node, TCfgNode {
 }
 
 /** A data-flow node corresponding to a `CallNode` in the control-flow graph. */
-class CallCfgNode extends CfgNode {
+class CallCfgNode extends CfgNode, LocalSourceNode {
   override CallNode node;
 
   /**

From 365b4d722d37c8b015f67f7760952f8c302f77b7 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 7 Apr 2021 15:33:06 +0200
Subject: [PATCH 0195/1429] backtrack string-concatenations from
 shell-execution sinks

---
 .../UnsafeShellCommandConstructionCustomizations.qll     | 6 ++++++
 .../CWE-078/UnsafeShellCommandConstruction.expected      | 9 +++++++++
 .../ql/test/query-tests/Security/CWE-078/lib/lib.js      | 6 ++++++
 3 files changed, 21 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
index 5e7ab7f5c42..e38e2776bbc 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
@@ -70,6 +70,12 @@ module UnsafeShellCommandConstruction {
     exists(DataFlow::TypeBackTracker t2 |
       t2 = t.smallstep(result, isExecutedAsShellCommand(t2, sys))
     )
+    or
+    exists(DataFlow::TypeBackTracker t2, StringOps::ConcatenationRoot prev |
+      t = t2.continue() and
+      isExecutedAsShellCommand(t2, sys) = prev and
+      result = prev.getALeaf()
+    )
   }
 
   /**
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected
index 2f2d9fc484a..195be99582a 100644
--- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected
@@ -242,6 +242,10 @@ nodes
 | lib/lib.js:478:27:478:32 | config |
 | lib/lib.js:478:27:478:46 | config.installedPath |
 | lib/lib.js:478:27:478:46 | config.installedPath |
+| lib/lib.js:482:40:482:43 | name |
+| lib/lib.js:482:40:482:43 | name |
+| lib/lib.js:483:30:483:33 | name |
+| lib/lib.js:483:30:483:33 | name |
 | lib/subLib/index.js:3:28:3:31 | name |
 | lib/subLib/index.js:3:28:3:31 | name |
 | lib/subLib/index.js:4:22:4:25 | name |
@@ -538,6 +542,10 @@ edges
 | lib/lib.js:477:33:477:38 | config | lib/lib.js:478:27:478:32 | config |
 | lib/lib.js:478:27:478:32 | config | lib/lib.js:478:27:478:46 | config.installedPath |
 | lib/lib.js:478:27:478:32 | config | lib/lib.js:478:27:478:46 | config.installedPath |
+| lib/lib.js:482:40:482:43 | name | lib/lib.js:483:30:483:33 | name |
+| lib/lib.js:482:40:482:43 | name | lib/lib.js:483:30:483:33 | name |
+| lib/lib.js:482:40:482:43 | name | lib/lib.js:483:30:483:33 | name |
+| lib/lib.js:482:40:482:43 | name | lib/lib.js:483:30:483:33 | name |
 | lib/subLib/index.js:3:28:3:31 | name | lib/subLib/index.js:4:22:4:25 | name |
 | lib/subLib/index.js:3:28:3:31 | name | lib/subLib/index.js:4:22:4:25 | name |
 | lib/subLib/index.js:3:28:3:31 | name | lib/subLib/index.js:4:22:4:25 | name |
@@ -615,5 +623,6 @@ edges
 | lib/lib.js:442:12:442:27 | "rm -rf " + name | lib/lib.js:441:39:441:42 | name | lib/lib.js:442:24:442:27 | name | $@ based on $@ is later used in $@. | lib/lib.js:442:12:442:27 | "rm -rf " + name | String concatenation | lib/lib.js:441:39:441:42 | name | library input | lib/lib.js:442:2:442:28 | asyncEx ... + name) | shell command |
 | lib/lib.js:447:13:447:28 | "rm -rf " + name | lib/lib.js:446:20:446:23 | name | lib/lib.js:447:25:447:28 | name | $@ based on $@ is later used in $@. | lib/lib.js:447:13:447:28 | "rm -rf " + name | String concatenation | lib/lib.js:446:20:446:23 | name | library input | lib/lib.js:447:3:447:29 | asyncEx ... + name) | shell command |
 | lib/lib.js:478:27:478:46 | config.installedPath | lib/lib.js:477:33:477:38 | config | lib/lib.js:478:27:478:46 | config.installedPath | $@ based on $@ is later used in $@. | lib/lib.js:478:27:478:46 | config.installedPath | Path concatenation | lib/lib.js:477:33:477:38 | config | library input | lib/lib.js:479:12:479:20 | exec(cmd) | shell command |
+| lib/lib.js:483:13:483:33 | ' my na ...  + name | lib/lib.js:482:40:482:43 | name | lib/lib.js:483:30:483:33 | name | $@ based on $@ is later used in $@. | lib/lib.js:483:13:483:33 | ' my na ...  + name | String concatenation | lib/lib.js:482:40:482:43 | name | library input | lib/lib.js:485:2:485:20 | cp.exec(cmd + args) | shell command |
 | lib/subLib/index.js:4:10:4:25 | "rm -rf " + name | lib/subLib/index.js:3:28:3:31 | name | lib/subLib/index.js:4:22:4:25 | name | $@ based on $@ is later used in $@. | lib/subLib/index.js:4:10:4:25 | "rm -rf " + name | String concatenation | lib/subLib/index.js:3:28:3:31 | name | library input | lib/subLib/index.js:4:2:4:26 | cp.exec ... + name) | shell command |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | lib/subLib/index.js:7:32:7:35 | name | lib/subLib/index.js:8:22:8:25 | name | $@ based on $@ is later used in $@. | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | String concatenation | lib/subLib/index.js:7:32:7:35 | name | library input | lib/subLib/index.js:8:2:8:26 | cp.exec ... + name) | shell command |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
index 344ce6ccc60..9c848024fc5 100644
--- a/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
@@ -477,4 +477,10 @@ const exec = promisify(require('child_process').exec);
 module.exports = function check(config) {
     const cmd = path.join(config.installedPath, 'myBinary -v'); // NOT OK
     return exec(cmd);
+}
+
+module.exports.splitConcat = function (name) {
+	let args = ' my name is ' + name; // NOT OK
+	let cmd = 'echo';
+	cp.exec(cmd + args);
 }
\ No newline at end of file

From 03b12dbc6dd1bccf5a22b2b00d3bab5d806b4127 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 7 Apr 2021 15:45:08 +0200
Subject: [PATCH 0196/1429] C++: Inline Location::isBefore.

---
 cpp/ql/src/semmle/code/cpp/Location.qll | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cpp/ql/src/semmle/code/cpp/Location.qll b/cpp/ql/src/semmle/code/cpp/Location.qll
index dc37d4009c0..8d3653ea1c0 100644
--- a/cpp/ql/src/semmle/code/cpp/Location.qll
+++ b/cpp/ql/src/semmle/code/cpp/Location.qll
@@ -72,6 +72,7 @@ class Location extends @location {
   }
 
   /** Holds if `this` comes on a line strictly before `l`. */
+  pragma[inline]
   predicate isBefore(Location l) {
     this.getFile() = l.getFile() and this.getEndLine() < l.getStartLine()
   }

From 38daeb4df23057c160c744387316c012ea80f92a Mon Sep 17 00:00:00 2001
From: yoff <lerchedahl@gmail.com>
Date: Wed, 7 Apr 2021 15:50:51 +0200
Subject: [PATCH 0197/1429] Apply suggestions from code review

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
---
 python/ql/src/Security/CWE-327/FluentApiModel.qll         | 4 ++--
 python/ql/src/Security/CWE-327/Ssl.qll                    | 3 ++-
 python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py | 2 ++
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/FluentApiModel.qll b/python/ql/src/Security/CWE-327/FluentApiModel.qll
index 652a4bae2a1..b5d6823c44c 100644
--- a/python/ql/src/Security/CWE-327/FluentApiModel.qll
+++ b/python/ql/src/Security/CWE-327/FluentApiModel.qll
@@ -65,8 +65,8 @@ class InsecureContextConfiguration extends DataFlow::Configuration {
  * Holds if `conectionCreation` marks the creation of a connetion based on the contex
  * found at `contextOrigin` and allowing `insecure_version`.
  *
- * `specific` is true iff the context is configured for a specific protocol version rather
- * than for a family of protocols.
+ * `specific` is true iff the context is configured for a specific protocol version (`ssl.PROTOCOL_TLSv1_2`) rather
+ * than for a family of protocols (`ssl.PROTOCOL_TLS`).
  */
 predicate unsafe_connection_creation_with_context(
   DataFlow::Node connectionCreation, ProtocolVersion insecure_version, DataFlow::Node contextOrigin,
diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index fc4d13bffae..2ca7dcce1f9 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -149,7 +149,8 @@ class UnspecificSSLContextCreation extends SSLContextCreation, UnspecificContext
     or
     // Case: No protocol arguemnt is present.
     not exists(this.getProtocol()) and
-    // The default argument is TLS and the SSL versions are turned off by default.
+    // The default argument is TLS and the SSL versions are turned off by default since Python 3.6
+    // see https://docs.python.org/3.6/library/ssl.html#ssl.SSLContext
     result in ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
   }
 }
diff --git a/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py b/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
index 0f7620f21ea..a8e491a42f1 100644
--- a/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
+++ b/python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py
@@ -49,6 +49,8 @@ def test_fluent_tls_safe():
 
 def test_fluent_ssl():
     hostname = 'www.python.org'
+    # notice that `ssl.PROTOCOL_SSLv23` is just a deprecated alias for `ssl.PROTOCOL_TLS`.
+    # Therefore, we only have this one test using PROTOCOL_SSLv23, to show that we handle this alias correctly.
     context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
 
     with socket.create_connection((hostname, 443)) as sock:

From 1cf30d2a9e917a072c9df4cac4872bee5d3f4265 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Wed, 7 Apr 2021 14:27:47 +0200
Subject: [PATCH 0198/1429] C#: Compute enclosing callable as a transitive
 closure

---
 .../ql/src/semmle/code/csharp/Enclosing.qll   | 83 -------------------
 .../semmle/code/csharp/ExprOrStmtParent.qll   | 48 +++++++++++
 csharp/ql/src/semmle/code/csharp/Stmt.qll     |  2 +-
 .../ql/src/semmle/code/csharp/exprs/Expr.qll  |  4 +-
 4 files changed, 51 insertions(+), 86 deletions(-)
 delete mode 100644 csharp/ql/src/semmle/code/csharp/Enclosing.qll

diff --git a/csharp/ql/src/semmle/code/csharp/Enclosing.qll b/csharp/ql/src/semmle/code/csharp/Enclosing.qll
deleted file mode 100644
index ab106421196..00000000000
--- a/csharp/ql/src/semmle/code/csharp/Enclosing.qll
+++ /dev/null
@@ -1,83 +0,0 @@
-/**
- * INTERNAL: Do not use.
- *
- * Provides efficient cached predicates for finding enclosing statements and callables.
- *
- * There are a number of difficulties. There can be expressions without
- * enclosing statements (for example initialisers for fields and constructors)
- * or enclosing callables (even if we consider constructor initialisers
- * to be enclosed by constructors, field initialisers don't have callables).
- *
- * The only cases where a `Stmt` has an `Expr` parent are delegate and lambda
- * expressions, which are both callable.
- */
-
-import Stmt
-private import semmle.code.csharp.ExprOrStmtParent
-
-/**
- * INTERNAL: Do not use.
- */
-cached
-module Internal {
-  /**
-   * INTERNAL: Do not use.
-   *
-   * Holds if `c` is the enclosing callable of statement `s`.
-   */
-  cached
-  predicate enclosingCallable(Stmt s, Callable c) {
-    // Compute the enclosing callable for a statement. This walks up through
-    // enclosing statements until it hits a callable. It's unambiguous, since
-    // if a statement has no parent statement, it's either the method body
-    // or the body of an anonymous function declaration, in each of which cases the
-    // non-statement parent is in fact the enclosing callable.
-    c.getAChildStmt+() = s
-  }
-
-  private Expr getAChildExpr(ExprOrStmtParent p) {
-    result = p.getAChildExpr() or
-    result = p.(AssignOperation).getExpandedAssignment()
-  }
-
-  /**
-   * INTERNAL: Do not use.
-   *
-   * Holds if `s` is the enclosing statement of expression `e`.
-   */
-  cached
-  predicate enclosingStmt(Expr e, Stmt s) {
-    // Compute the enclosing statement for an expression. Note that this need
-    // not exist, since expressions can occur in contexts where they have no
-    // enclosing statement (examples include field initialisers, both inline
-    // and explicit on constructor definitions, and annotation arguments).
-    getAChildExpr+(s) = e
-  }
-
-  private predicate childExprOfCallable(Callable parent, Expr child) {
-    child = getAChildExpr(parent)
-    or
-    exists(Expr mid | childExprOfCallable(parent, mid) |
-      not mid instanceof Callable and
-      child = getAChildExpr(mid)
-    )
-  }
-
-  /**
-   * INTERNAL: Do not use.
-   *
-   * Holds if `c` is the enclosing callable of expression `e`.
-   */
-  cached
-  predicate exprEnclosingCallable(Expr e, Callable c) {
-    // Compute the enclosing callable of an expression. Note that expressions in
-    // lambda functions should have the lambdas as enclosing callables, and their
-    // enclosing statement may be the same as the enclosing statement of the
-    // lambda; thus, it is *not* safe to go up to the enclosing statement and
-    // take its own enclosing callable.
-    childExprOfCallable(c, e)
-    or
-    not childExprOfCallable(_, e) and
-    exists(Stmt s | enclosingStmt(e, s) | enclosingCallable(s, c))
-  }
-}
diff --git a/csharp/ql/src/semmle/code/csharp/ExprOrStmtParent.qll b/csharp/ql/src/semmle/code/csharp/ExprOrStmtParent.qll
index c7c7bfe00e8..b6501477117 100644
--- a/csharp/ql/src/semmle/code/csharp/ExprOrStmtParent.qll
+++ b/csharp/ql/src/semmle/code/csharp/ExprOrStmtParent.qll
@@ -138,6 +138,54 @@ private module Cached {
         )
     else expr_parent(child, i, parent)
   }
+
+  private Expr getAChildExpr(ExprOrStmtParent parent) {
+    result = parent.getAChildExpr() or
+    result = parent.(AssignOperation).getExpandedAssignment()
+  }
+
+  private ControlFlowElement getAChild(ExprOrStmtParent parent) {
+    result = getAChildExpr(parent)
+    or
+    result = parent.getAChildStmt()
+  }
+
+  pragma[inline]
+  private ControlFlowElement enclosingStart(ControlFlowElement cfe) {
+    result = cfe
+    or
+    getAChild(result).(AnonymousFunctionExpr) = cfe
+  }
+
+  private predicate parent(ControlFlowElement child, ExprOrStmtParent parent) {
+    child = getAChild(parent) and
+    not child instanceof Callable
+  }
+
+  /** Holds if the enclosing body of `cfe` is `body`. */
+  cached
+  predicate enclosingBody(ControlFlowElement cfe, ControlFlowElement body) {
+    body = any(Callable c).getBody() and
+    parent*(enclosingStart(cfe), body)
+  }
+
+  /** Holds if the enclosing callable of `cfe` is `c`. */
+  cached
+  predicate enclosingCallable(ControlFlowElement cfe, Callable c) {
+    enclosingBody(cfe, c.getBody())
+    or
+    parent*(enclosingStart(cfe), c.(Constructor).getInitializer())
+  }
+
+  /** Holds if the enclosing statement of expression `e` is `s`. */
+  cached
+  predicate enclosingStmt(Expr e, Stmt s) {
+    // Compute the enclosing statement for an expression. Note that this need
+    // not exist, since expressions can occur in contexts where they have no
+    // enclosing statement (examples include field initialisers, both inline
+    // and explicit on constructor definitions, and annotation arguments).
+    getAChildExpr+(s) = e
+  }
 }
 
 import Cached
diff --git a/csharp/ql/src/semmle/code/csharp/Stmt.qll b/csharp/ql/src/semmle/code/csharp/Stmt.qll
index 375e698d1cb..2ccd57078db 100644
--- a/csharp/ql/src/semmle/code/csharp/Stmt.qll
+++ b/csharp/ql/src/semmle/code/csharp/Stmt.qll
@@ -8,7 +8,7 @@ import Element
 import Location
 import Member
 import exprs.Expr
-private import semmle.code.csharp.Enclosing::Internal
+private import semmle.code.csharp.ExprOrStmtParent
 private import semmle.code.csharp.frameworks.System
 private import TypeRef
 
diff --git a/csharp/ql/src/semmle/code/csharp/exprs/Expr.qll b/csharp/ql/src/semmle/code/csharp/exprs/Expr.qll
index 6006e165470..0988bb84340 100644
--- a/csharp/ql/src/semmle/code/csharp/exprs/Expr.qll
+++ b/csharp/ql/src/semmle/code/csharp/exprs/Expr.qll
@@ -20,7 +20,7 @@ import semmle.code.csharp.Location
 import semmle.code.csharp.Stmt
 import semmle.code.csharp.Type
 private import dotnet
-private import semmle.code.csharp.Enclosing::Internal
+private import semmle.code.csharp.ExprOrStmtParent
 private import semmle.code.csharp.frameworks.System
 private import semmle.code.csharp.TypeRef
 
@@ -55,7 +55,7 @@ class Expr extends DotNet::Expr, ControlFlowElement, @expr {
   final Stmt getEnclosingStmt() { enclosingStmt(this, result) }
 
   /** Gets the enclosing callable of this expression, if any. */
-  override Callable getEnclosingCallable() { exprEnclosingCallable(this, result) }
+  override Callable getEnclosingCallable() { enclosingCallable(this, result) }
 
   /**
    * Holds if this expression is generated by the compiler and does not appear

From 2373bf2dfb9b38f4c9508f483464cd7e7c6e4acf Mon Sep 17 00:00:00 2001
From: Shati Patel <42641846+shati-patel@users.noreply.github.com>
Date: Wed, 7 Apr 2021 17:55:05 +0100
Subject: [PATCH 0199/1429] Docs: Link to CodeQL CLI manual from the sidebar

---
 docs/codeql/codeql-cli/codeql-cli-reference.rst | 8 --------
 docs/codeql/codeql-cli/index.rst                | 2 +-
 2 files changed, 1 insertion(+), 9 deletions(-)

diff --git a/docs/codeql/codeql-cli/codeql-cli-reference.rst b/docs/codeql/codeql-cli/codeql-cli-reference.rst
index 75513a06b54..0c53121d379 100644
--- a/docs/codeql/codeql-cli/codeql-cli-reference.rst
+++ b/docs/codeql/codeql-cli/codeql-cli-reference.rst
@@ -21,11 +21,3 @@ Learn more about the files you can use when running CodeQL processes and the res
 - :doc:`SARIF output <sarif-output>`: CodeQL supports SARIF as an output format for sharing static analysis results.
 - :doc:`Exit codes <exit-codes>`: The CodeQL CLI reports the status of each command it runs as an exit code.
   This exit code provides information for subsequent commands or for other tools that rely on the CodeQL CLI.
-
-.. _cli-commands:
-
-CodeQL CLI manual
------------------
-
-To view detailed information about each CodeQL CLI command,
-including its usage and options, add the ``--help`` flag or visit the "`CodeQL CLI manual <../manual>`__."
diff --git a/docs/codeql/codeql-cli/index.rst b/docs/codeql/codeql-cli/index.rst
index 07ec8431235..d7a8a407364 100644
--- a/docs/codeql/codeql-cli/index.rst
+++ b/docs/codeql/codeql-cli/index.rst
@@ -18,4 +18,4 @@ CodeQL CLI
 
    using-the-codeql-cli
    codeql-cli-reference
-   
+   CodeQL CLI manual <https://codeql.github.com/docs/codeql-cli/manual>

From f3722748573eb6a508be6a47edbc35943c097314 Mon Sep 17 00:00:00 2001
From: Shati Patel <42641846+shati-patel@users.noreply.github.com>
Date: Wed, 7 Apr 2021 18:02:29 +0100
Subject: [PATCH 0200/1429] Docs: Fix broken links

---
 .../data-flow-cheat-sheet-for-javascript.rst                    | 2 +-
 ...specifying-additional-remote-flow-sources-for-javascript.rst | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst b/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
index 09b821ad9e7..1b2e5ca450b 100644
--- a/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
+++ b/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
@@ -130,7 +130,7 @@ System and Network
     - `FileSystemWriteAccess <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/Concepts.qll/type.Concepts$FileSystemWriteAccess.html>`__ -- writing to the contents of a file
 - `PersistentReadAccess <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/Concepts.qll/type.Concepts$PersistentReadAccess.html>`__ -- reading from persistent storage, like cookies
 - `PersistentWriteAccess <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/Concepts.qll/type.Concepts$PersistentWriteAccess.html>`__ -- writing to persistent storage
-- `RemoteFlowSource <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/security/dataflow/RemoteFlowSources.qll/type.RemoteFlowSources$RemoteFlowSource.html>`__ -- source of untrusted user input
+- `RemoteFlowSource <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/security/dataflow/RemoteFlowSources.qll/type.RemoteFlowSources$Cached$RemoteFlowSource.html>`__ -- source of untrusted user input
 - `SystemCommandExecution <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/Concepts.qll/type.Concepts$SystemCommandExecution.html>`__ -- execution of a system command
 
 Files
diff --git a/docs/codeql/codeql-language-guides/specifying-additional-remote-flow-sources-for-javascript.rst b/docs/codeql/codeql-language-guides/specifying-additional-remote-flow-sources-for-javascript.rst
index fabe58bf5c9..082a7e3fcb7 100644
--- a/docs/codeql/codeql-language-guides/specifying-additional-remote-flow-sources-for-javascript.rst
+++ b/docs/codeql/codeql-language-guides/specifying-additional-remote-flow-sources-for-javascript.rst
@@ -12,7 +12,7 @@ You can model potential sources of untrusted user input in your code without mak
    Specifying remote flow sources in external files is currently in beta and subject to change.
 
 As mentioned in the :doc:`Data flow cheat sheet for JavaScript <data-flow-cheat-sheet-for-javascript>`, the CodeQL libraries for JavaScript
-provide a class `RemoteFlowSource <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/security/dataflow/RemoteFlowSources.qll/type.RemoteFlowSources$RemoteFlowSource.html>`__ to represent sources of untrusted user input, sometimes also referred to as remote flow
+provide a class `RemoteFlowSource <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/security/dataflow/RemoteFlowSources.qll/type.RemoteFlowSources$Cached$RemoteFlowSource.html>`__ to represent sources of untrusted user input, sometimes also referred to as remote flow
 sources.
 
 To model a new source of untrusted input, such as a previously unmodelled library API, you can

From 80ac2aff268cd11501e8aaea05842c63bbc7afb4 Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Wed, 7 Apr 2021 20:55:03 +0300
Subject: [PATCH 0201/1429] Fixed typos

Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
---
 .../CWE-094/JakartaExpressionInjection.qhelp   | 18 +++++++++---------
 .../SaferExpressionEvaluationWithJuel.java     |  4 ++--
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.qhelp
index 6e6b5f63394..8a9e4e7276f 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.qhelp
@@ -4,22 +4,22 @@
 <overview>
 <p>
 Jakarta Expression Language (EL) is an expression language for Java applications.
-There are a single language specification and multiple implementations
+There is a single language specification and multiple implementations
 such as Glassfish, Juel, Apache Commons EL, etc.
 The language allows invocation of methods available in the JVM.
 If an expression is built using attacker-controlled data,
-and then evaluated, then it may allow the attacker to run arbitrary code.
+and then evaluated, it may allow the attacker to run arbitrary code.
 </p>
 </overview>
 
 <recommendation>
 <p>
 It is generally recommended to avoid using untrusted data in an EL expression.
-Before using untrusted data to build an EL expressoin, the data should be validated
-to ensure it is not evaluated as expression language. If the EL implementaion offers
-configuring a sandbox for EL expression, they should be run in a restircitive sandbox
+Before using untrusted data to build an EL expression, the data should be validated
+to ensure it is not evaluated as expression language. If the EL implementation offers
+configuring a sandbox for EL expressions, they should be run in a restrictive sandbox
 that allows accessing only explicitly allowed classes. If the EL implementation
-does not allow sandboxing, consider using other expressiong language implementations
+does not support sandboxing, consider using other expression language implementations
 with sandboxing capabilities such as Apache Commons JEXL or the Spring Expression Language.
 </p>
 </recommendation>
@@ -32,9 +32,9 @@ using the JUEL interpreter:
 <sample src="UnsafeExpressionEvaluationWithJUEL.java" />
 
 <p>
-JUEL does not allow to run expression in a sandbox. To prevent running arbitrary code,
-incoming data has to be checked before including to an expression. The next example
-uses a Regex pattern to check whether a user tries to run an allowed exression or not:
+JUEL does not support to run expressions in a sandbox. To prevent running arbitrary code,
+incoming data has to be checked before including it in an expression. The next example
+uses a Regex pattern to check whether a user tries to run an allowed expression or not:
 </p>
 <sample src="SaferExpressionEvaluationWithJUEL.java" />
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/SaferExpressionEvaluationWithJuel.java b/java/ql/src/experimental/Security/CWE/CWE-094/SaferExpressionEvaluationWithJuel.java
index 54fb9a0ed36..3dfaaead68a 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/SaferExpressionEvaluationWithJuel.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/SaferExpressionEvaluationWithJuel.java
@@ -1,10 +1,10 @@
 String input = getRemoteUserInput();
 String pattern = "(inside|outside)\\.(temperature|humidity)";
 if (!input.matches(pattern)) {
-    throw new IllegalArgumentException("Unexpected exression");
+    throw new IllegalArgumentException("Unexpected expression");
 }
 String expression = "${" + input + "}";
 ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
 ValueExpression e = factory.createValueExpression(context, expression, Object.class);
 SimpleContext context = getContext();
-Object result = e.getValue(context);
\ No newline at end of file
+Object result = e.getValue(context);

From 3d8e173c5770a32804cbffb798ce63cfaddb795d Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Wed, 7 Apr 2021 20:59:07 +0300
Subject: [PATCH 0202/1429] Removed a reference to Apache Commons EL

---
 .../Security/CWE/CWE-094/JakartaExpressionInjection.qhelp     | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.qhelp
index 8a9e4e7276f..a6d66c1d1d1 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.qhelp
@@ -57,9 +57,5 @@ uses a Regex pattern to check whether a user tries to run an allowed expression
   JUEL:
   <a href="http://juel.sourceforge.net">Home page</a>
 </li>
-<li>
-  Apache Foundation:
-  <a href="https://commons.apache.org/dormant/commons-el/">Apache Commons EL</a>
-</li>
 </references>
 </qhelp>

From c13ee0859acb4222aae8d4071d039494edfc782a Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Wed, 7 Apr 2021 21:02:21 +0300
Subject: [PATCH 0203/1429] LambdaExpression should extend JakartaType

---
 .../Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
index 22f421b8bf8..5b652d3d8e6 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
@@ -97,6 +97,6 @@ private class MethodExpression extends JakartaType {
   MethodExpression() { hasName("MethodExpression") }
 }
 
-private class LambdaExpression extends RefType {
+private class LambdaExpression extends JakartaType {
   LambdaExpression() { hasName("LambdaExpression") }
 }

From a764a79090e17ce22b7e1a3d8927dc80f0effd1b Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Wed, 7 Apr 2021 21:12:21 +0300
Subject: [PATCH 0204/1429] Always bind arguments in TaintPropagatingCall

---
 .../CWE-094/JakartaExpressionInjectionLib.qll | 20 ++++++++++---------
 .../JakartaExpressionInjection.expected       | 18 -----------------
 2 files changed, 11 insertions(+), 27 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
index 5b652d3d8e6..e3a3994c881 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
@@ -56,15 +56,17 @@ private class TaintPropagatingCall extends Call {
 
   TaintPropagatingCall() {
     taintFromExpr = this.getArgument(1) and
-    exists(Method m | this.(MethodAccess).getMethod() = m |
-      m.getDeclaringType() instanceof ExpressionFactory and
-      m.hasName(["createValueExpression", "createMethodExpression"]) and
-      taintFromExpr.getType() instanceof TypeString
-    )
-    or
-    exists(Constructor c | this.(ConstructorCall).getConstructor() = c |
-      c.getDeclaringType() instanceof LambdaExpression and
-      taintFromExpr.getType() instanceof ValueExpression
+    (
+      exists(Method m | this.(MethodAccess).getMethod() = m |
+        m.getDeclaringType() instanceof ExpressionFactory and
+        m.hasName(["createValueExpression", "createMethodExpression"]) and
+        taintFromExpr.getType() instanceof TypeString
+      )
+      or
+      exists(Constructor c | this.(ConstructorCall).getConstructor() = c |
+        c.getDeclaringType() instanceof LambdaExpression and
+        taintFromExpr.getType() instanceof ValueExpression
+      )
     )
   }
 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
index 111cc81541c..e0d699b14e3 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
@@ -10,22 +10,9 @@ edges
 | JakartaExpressionInjection.java:30:24:30:33 | expression : String | JakartaExpressionInjection.java:32:28:32:37 | expression |
 | JakartaExpressionInjection.java:37:24:37:33 | expression : String | JakartaExpressionInjection.java:39:32:39:41 | expression |
 | JakartaExpressionInjection.java:44:24:44:33 | expression : String | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression |
-| JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression |
 | JakartaExpressionInjection.java:54:24:54:33 | expression : String | JakartaExpressionInjection.java:56:32:56:41 | expression |
-| JakartaExpressionInjection.java:61:24:61:33 | expression : String | JakartaExpressionInjection.java:64:33:64:96 | createValueExpression(...) : ValueExpression |
 | JakartaExpressionInjection.java:61:24:61:33 | expression : String | JakartaExpressionInjection.java:65:13:65:13 | e |
-| JakartaExpressionInjection.java:61:24:61:33 | expression : String | JakartaExpressionInjection.java:65:13:65:13 | e : ValueExpression |
-| JakartaExpressionInjection.java:64:33:64:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression |
-| JakartaExpressionInjection.java:64:33:64:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:65:13:65:13 | e |
-| JakartaExpressionInjection.java:64:33:64:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:65:13:65:13 | e : ValueExpression |
-| JakartaExpressionInjection.java:65:13:65:13 | e : ValueExpression | JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression |
-| JakartaExpressionInjection.java:70:24:70:33 | expression : String | JakartaExpressionInjection.java:73:33:73:96 | createValueExpression(...) : ValueExpression |
 | JakartaExpressionInjection.java:70:24:70:33 | expression : String | JakartaExpressionInjection.java:74:13:74:13 | e |
-| JakartaExpressionInjection.java:70:24:70:33 | expression : String | JakartaExpressionInjection.java:74:13:74:13 | e : ValueExpression |
-| JakartaExpressionInjection.java:73:33:73:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression |
-| JakartaExpressionInjection.java:73:33:73:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:74:13:74:13 | e |
-| JakartaExpressionInjection.java:73:33:73:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:74:13:74:13 | e : ValueExpression |
-| JakartaExpressionInjection.java:74:13:74:13 | e : ValueExpression | JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression |
 | JakartaExpressionInjection.java:79:24:79:33 | expression : String | JakartaExpressionInjection.java:83:13:83:13 | e |
 nodes
 | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
@@ -35,18 +22,13 @@ nodes
 | JakartaExpressionInjection.java:37:24:37:33 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:39:32:39:41 | expression | semmle.label | expression |
 | JakartaExpressionInjection.java:44:24:44:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression | semmle.label | new LambdaExpression(...) : LambdaExpression |
 | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression | semmle.label | lambdaExpression |
 | JakartaExpressionInjection.java:54:24:54:33 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:56:32:56:41 | expression | semmle.label | expression |
 | JakartaExpressionInjection.java:61:24:61:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:64:33:64:96 | createValueExpression(...) : ValueExpression | semmle.label | createValueExpression(...) : ValueExpression |
 | JakartaExpressionInjection.java:65:13:65:13 | e | semmle.label | e |
-| JakartaExpressionInjection.java:65:13:65:13 | e : ValueExpression | semmle.label | e : ValueExpression |
 | JakartaExpressionInjection.java:70:24:70:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:73:33:73:96 | createValueExpression(...) : ValueExpression | semmle.label | createValueExpression(...) : ValueExpression |
 | JakartaExpressionInjection.java:74:13:74:13 | e | semmle.label | e |
-| JakartaExpressionInjection.java:74:13:74:13 | e : ValueExpression | semmle.label | e : ValueExpression |
 | JakartaExpressionInjection.java:79:24:79:33 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:83:13:83:13 | e | semmle.label | e |
 #select

From eb9b41acab71dc9d72a835af2a100ed80b16292d Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Wed, 7 Apr 2021 21:31:12 +0300
Subject: [PATCH 0205/1429] Apply suggestions from code review

Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
---
 ...ufficientControlFlowManagementWhenUsingBitOperations.ql | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
index a599fc19fde..7b441da9288 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
@@ -1,8 +1,7 @@
 /**
  * @name Errors When Using Bit Operations
- * @description --Using bitwise operations can be a mistake in some situations.
- *              --For example, if parameters are evaluated in an expression and the function should be called only upon certain test results.
- *              --These bitwise operations look suspicious and require developer attention.
+ * @description Unlike the binary operations `||` and `&&`, there is no sequence point after evaluating an
+ *              operand of a bitwise operation like `|` or `&`. If left-to-right evaluation is expected this may be confusing.
  * @kind problem
  * @id cpp/errors-when-using-bit-operations
  * @problem.severity warning
@@ -77,4 +76,4 @@ where
   not dbo.useInOtherCalls() and
   dbo.useInLogicalOperations() and
   (not dbo.functionCallsInBitsExpression() or dbo.dangerousArgumentChecking())
-select dbo, "this bit expression needs your attention"
+select dbo, "This bitwise operation appears in a context where a Boolean operation is expected."

From ed34c96357e95fa58b19b5f5c5759e0a7053810f Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Wed, 7 Apr 2021 21:40:49 +0300
Subject: [PATCH 0206/1429] Update
 InsufficientControlFlowManagementWhenUsingBitOperations.ql

---
 .../InsufficientControlFlowManagementWhenUsingBitOperations.ql  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
index 7b441da9288..c387fb923be 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
@@ -29,7 +29,7 @@ class DangerousBitOperations extends Expr {
    */
   DangerousBitOperations() {
     bfc = this.(BinaryBitwiseOperation).getRightOperand() and
-    not this.getParent*() instanceof AssignExpr and
+    not this.getParent*() instanceof Assignment and
     not this.getParent*() instanceof Initializer and
     not this.getParent*() instanceof ReturnStmt and
     not this.getParent*() instanceof EqualityOperation and

From 675de07c3e7698d5137b520f870107e642c9b05d Mon Sep 17 00:00:00 2001
From: Dilan <dbhalla21@berkeley.edu>
Date: Wed, 7 Apr 2021 15:04:18 -0700
Subject: [PATCH 0207/1429] autoformat ql

---
 python/ql/src/experimental/Classes/NamingConventionsClasses.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/experimental/Classes/NamingConventionsClasses.ql b/python/ql/src/experimental/Classes/NamingConventionsClasses.ql
index f16d242eadf..0ab11b4197c 100644
--- a/python/ql/src/experimental/Classes/NamingConventionsClasses.ql
+++ b/python/ql/src/experimental/Classes/NamingConventionsClasses.ql
@@ -10,7 +10,7 @@
 import python
 
 predicate lower_case_class(Class c) {
-  exists(string first_char | 
+  exists(string first_char |
     first_char = c.getName().prefix(1) and
     not first_char = first_char.toUpperCase()
   )

From 33423eaef3386b3e6e782c35fb2fb99c8a4cf150 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 8 Apr 2021 00:31:53 +0200
Subject: [PATCH 0208/1429] Optimize calls

---
 .../experimental/semmle/python/frameworks/Stdlib.qll | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index 5a7984fab43..24def6be277 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -22,10 +22,10 @@ private module LDAP {
       DataFlow::Node ldapNode;
 
       LDAP2Query() {
-        exists(DataFlow::AttrRead searchMethod, DataFlow::CallCfgNode initCall |
+        exists(DataFlow::AttrRead searchMethod |
           this.getFunction() = searchMethod and
-          initCall = API::moduleImport("ldap").getMember("initialize").getACall() and
-          initCall = searchMethod.getObject().getALocalSource() and
+          API::moduleImport("ldap").getMember("initialize").getACall() =
+            searchMethod.getObject().getALocalSource() and
           searchMethod.getAttributeName() instanceof LDAP2QueryMethods and
           (
             ldapNode = this.getArg(0)
@@ -68,10 +68,10 @@ private module LDAP {
       DataFlow::Node ldapNode;
 
       LDAP3Query() {
-        exists(DataFlow::AttrRead searchMethod, DataFlow::CallCfgNode connCall |
+        exists(DataFlow::AttrRead searchMethod |
           this.getFunction() = searchMethod and
-          connCall = API::moduleImport("ldap3").getMember("Connection").getACall() and
-          connCall = searchMethod.getObject().getALocalSource() and
+          API::moduleImport("ldap3").getMember("Connection").getACall() =
+            searchMethod.getObject().getALocalSource() and
           searchMethod.getAttributeName() instanceof LDAP3QueryMethods and
           (
             ldapNode = this.getArg(0) or

From 2faf52b6bd814171d42999af3305c5a7376a7327 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Thu, 8 Apr 2021 10:07:19 +0200
Subject: [PATCH 0209/1429] Java: Remove `unique` wrapper from
 DataFlow::Node::getEnclosingCallable()`

---
 .../code/java/dataflow/internal/DataFlowUtil.qll       | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
index 53f6e08bc90..828f2624ea6 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
@@ -80,19 +80,15 @@ class Node extends TNode {
     result = this.(ImplicitPostUpdateNode).getPreUpdateNode().getType()
   }
 
-  private Callable getEnclosingCallableImpl() {
+  /** Gets the callable in which this node occurs. */
+  Callable getEnclosingCallable() {
     result = this.asExpr().getEnclosingCallable() or
     result = this.asParameter().getCallable() or
     result = this.(ImplicitVarargsArray).getCall().getEnclosingCallable() or
     result = this.(InstanceParameterNode).getCallable() or
     result = this.(ImplicitInstanceAccess).getInstanceAccess().getEnclosingCallable() or
     result = this.(MallocNode).getClassInstanceExpr().getEnclosingCallable() or
-    result = this.(ImplicitPostUpdateNode).getPreUpdateNode().getEnclosingCallableImpl()
-  }
-
-  /** Gets the callable in which this node occurs. */
-  Callable getEnclosingCallable() {
-    result = unique(DataFlowCallable c | c = this.getEnclosingCallableImpl() | c)
+    result = this.(ImplicitPostUpdateNode).getPreUpdateNode().getEnclosingCallable()
   }
 
   private Type getImprovedTypeBound() {

From 517fd23ca59aa75899be0efb1a582436791ca8d8 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 8 Apr 2021 09:42:53 +0100
Subject: [PATCH 0210/1429] C++: Correct and add to test cases.

---
 ...dDifferenceExpressionComparedZero.expected |  2 +
 .../test.cpp                                  | 39 +++++++++++++++++--
 2 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
index 46bf57ee52a..64a1aa0ab89 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
@@ -18,3 +18,5 @@
 | test.cpp:208:6:208:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:252:10:252:18 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:266:10:266:24 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:276:11:276:19 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:288:10:288:18 | ... > ... | Unsigned subtraction can never be negative. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
index dfaedbb9d2b..f151c593a2d 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
@@ -236,7 +236,7 @@ int test13() {
 
 	if (b != 0) {
 		return 0;
-	}
+	} // b = 0
 
 	return (a - b > 0); // GOOD (as b = 0)
 }
@@ -247,9 +247,9 @@ int test14() {
 
 	if (!b) {
 		return 0;
-	}
+	} // b != 0
 
-	return (a - b > 0); // GOOD (as b = 0) [FALSE POSITIVE]
+	return (a - b > 0); // BAD
 }
 
 struct Numbers
@@ -265,3 +265,36 @@ int test15(Numbers *n) {
 
 	return (n->a - n->b > 0); // BAD
 }
+
+int test16() {
+	unsigned int a = getAnInt();
+	unsigned int b = getAnInt();
+
+	if (!b) {
+		return 0;
+	} else {
+		return (a - b > 0); // BAD
+	}
+}
+
+int test17() {
+	unsigned int a = getAnInt();
+	unsigned int b = getAnInt();
+
+	if (b == 0) {
+		return 0;
+	} // b != 0
+
+	return (a - b > 0); // BAD
+}
+
+int test18() {
+	unsigned int a = getAnInt();
+	unsigned int b = getAnInt();
+
+	if (b) {
+		return 0;
+	} // b == 0
+
+	return (a - b > 0); // GOOD (as b = 0)
+}

From 99dd5330c26e701467680624f638f154a02d0649 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 25 Mar 2021 13:41:47 +0100
Subject: [PATCH 0211/1429] add taint-step for URL construction in
 js/request-forgery

---
 .../javascript/security/dataflow/RequestForgery.qll  |  4 ++++
 .../dataflow/RequestForgeryCustomizations.qll        | 10 ++++++++++
 .../Security/CWE-918/RequestForgery.expected         | 12 ++++++++++++
 .../ql/test/query-tests/Security/CWE-918/tst.js      |  8 ++++++++
 4 files changed, 34 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/RequestForgery.qll b/javascript/ql/src/semmle/javascript/security/dataflow/RequestForgery.qll
index 5aa37c83e0b..99c5300469b 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/RequestForgery.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/RequestForgery.qll
@@ -31,5 +31,9 @@ module RequestForgery {
     override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {
       sanitizingPrefixEdge(source, sink)
     }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+      isAdditionalRequestForgeryStep(pred, succ)
+    }
   }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll
index 52d75ad450a..b3c1a539082 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll
@@ -59,4 +59,14 @@ module RequestForgery {
 
     override string getKind() { result = kind }
   }
+
+  /**
+   * Holds if there is a taint step from `pred` to `succ` for request forgery.
+   */
+  predicate isAdditionalRequestForgeryStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::NewNode url | url = DataFlow::globalVarRef("URL").getAnInstantiation() |
+      succ = url and
+      pred = url.getArgument(0)
+    )
+  }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
index 194dad881ab..cdad8e001ac 100644
--- a/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
@@ -82,6 +82,12 @@ nodes
 | tst.js:108:17:108:27 | request.url |
 | tst.js:109:27:109:29 | url |
 | tst.js:109:27:109:29 | url |
+| tst.js:115:11:115:42 | url |
+| tst.js:115:17:115:42 | new URL ... , base) |
+| tst.js:115:25:115:35 | request.url |
+| tst.js:115:25:115:35 | request.url |
+| tst.js:117:27:117:29 | url |
+| tst.js:117:27:117:29 | url |
 edges
 | tst.js:14:9:14:52 | tainted | tst.js:18:13:18:19 | tainted |
 | tst.js:14:9:14:52 | tainted | tst.js:18:13:18:19 | tainted |
@@ -161,6 +167,11 @@ edges
 | tst.js:108:11:108:27 | url | tst.js:109:27:109:29 | url |
 | tst.js:108:17:108:27 | request.url | tst.js:108:11:108:27 | url |
 | tst.js:108:17:108:27 | request.url | tst.js:108:11:108:27 | url |
+| tst.js:115:11:115:42 | url | tst.js:117:27:117:29 | url |
+| tst.js:115:11:115:42 | url | tst.js:117:27:117:29 | url |
+| tst.js:115:17:115:42 | new URL ... , base) | tst.js:115:11:115:42 | url |
+| tst.js:115:25:115:35 | request.url | tst.js:115:17:115:42 | new URL ... , base) |
+| tst.js:115:25:115:35 | request.url | tst.js:115:17:115:42 | new URL ... , base) |
 #select
 | tst.js:18:5:18:20 | request(tainted) | tst.js:14:29:14:35 | req.url | tst.js:18:13:18:19 | tainted | The $@ of this request depends on $@. | tst.js:18:13:18:19 | tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
 | tst.js:20:5:20:24 | request.get(tainted) | tst.js:14:29:14:35 | req.url | tst.js:20:17:20:23 | tainted | The $@ of this request depends on $@. | tst.js:20:17:20:23 | tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
@@ -183,3 +194,4 @@ edges
 | tst.js:92:5:92:33 | JSDOM.f ... ms.foo) | tst.js:92:19:92:28 | ctx.params | tst.js:92:19:92:32 | ctx.params.foo | The $@ of this request depends on $@. | tst.js:92:19:92:32 | ctx.params.foo | URL | tst.js:92:19:92:28 | ctx.params | a user-provided value |
 | tst.js:100:5:100:26 | new Web ... ainted) | tst.js:98:29:98:35 | req.url | tst.js:100:19:100:25 | tainted | The $@ of this request depends on $@. | tst.js:100:19:100:25 | tainted | URL | tst.js:98:29:98:35 | req.url | a user-provided value |
 | tst.js:109:20:109:30 | new ws(url) | tst.js:108:17:108:27 | request.url | tst.js:109:27:109:29 | url | The $@ of this request depends on $@. | tst.js:109:27:109:29 | url | URL | tst.js:108:17:108:27 | request.url | a user-provided value |
+| tst.js:117:20:117:30 | new ws(url) | tst.js:115:25:115:35 | request.url | tst.js:117:27:117:29 | url | The $@ of this request depends on $@. | tst.js:117:27:117:29 | url | URL | tst.js:115:25:115:35 | request.url | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/tst.js b/javascript/ql/test/query-tests/Security/CWE-918/tst.js
index afa4e69213b..23f1e5b4dc7 100644
--- a/javascript/ql/test/query-tests/Security/CWE-918/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-918/tst.js
@@ -109,3 +109,11 @@ new ws.Server({ port: 8080 }).on('connection', function(socket, request) {
     const socket = new ws(url);
   });
 });
+
+new ws.Server({ port: 8080 }).on('connection', function (socket, request) {
+  socket.on('message', function (message) {
+    const url = new URL(request.url, base);
+    const target = new URL(url.pathname, base);
+    const socket = new ws(url);
+  });
+});

From 3f0a3266aa61617fb374c0d49e006dfabe429fc0 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Thu, 8 Apr 2021 17:14:03 +0800
Subject: [PATCH 0212/1429] [Java] CWE-348: Use of less trusted source

---
 .../CWE/CWE-348/UseOfLessTrustedSource.java   |  74 +++++++
 .../CWE/CWE-348/UseOfLessTrustedSource.qhelp  |  38 ++++
 .../CWE/CWE-348/UseOfLessTrustedSource.ql     |  44 ++++
 .../CWE/CWE-348/UseOfLessTrustedSourceLib.qll |  88 ++++++++
 .../CWE-348/UseOfLessTrustedSource.expected   |  14 ++
 .../CWE-348/UseOfLessTrustedSource.java       |  74 +++++++
 .../CWE-348/UseOfLessTrustedSource.qlref      |   1 +
 .../query-tests/security/CWE-348/options      |   2 +
 .../slf4j-api-1.6.4/org/slf4j/Logger.java     | 127 +++++++++++
 .../org/slf4j/LoggerFactory.java              |  21 ++
 .../slf4j-api-1.6.4/org/slf4j/Marker.java     |  30 +++
 .../core/annotation/AliasFor.java             |  21 ++
 .../stereotype/Controller.java                |  15 +-
 .../org/springframework/util/ObjectUtils.java | 202 ++++++++++++++++++
 .../org/springframework/util/StringUtils.java |  30 +++
 .../web/bind/annotation/GetMapping.java       |  51 +++++
 .../web/bind/annotation/Mapping.java          |   4 +
 .../web/bind/annotation/RequestMapping.java   |  23 +-
 .../web/bind/annotation/RequestParam.java     |  23 +-
 .../web/bind/annotation/ResponseBody.java     |  13 ++
 20 files changed, 885 insertions(+), 10 deletions(-)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.qlref
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-348/options
 create mode 100644 java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/Logger.java
 create mode 100644 java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/LoggerFactory.java
 create mode 100644 java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/Marker.java
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/core/annotation/AliasFor.java
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/util/ObjectUtils.java
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/util/StringUtils.java
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/GetMapping.java
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/Mapping.java
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/ResponseBody.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java
new file mode 100644
index 00000000000..d338134ed3e
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java
@@ -0,0 +1,74 @@
+import javax.servlet.http.HttpServletRequest;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+@Controller
+public class UseOfLessTrustedSource {
+
+    private static final Logger log = LoggerFactory.getLogger(UseOfLessTrustedSource.class);
+
+    @GetMapping(value = "bad1")
+    @ResponseBody
+    public String bad1(HttpServletRequest request) {
+        String remoteAddr = "";
+        if (request != null) {
+            remoteAddr = request.getHeader("X-FORWARDED-FOR");
+            remoteAddr = remoteAddr.split(",")[0];
+            if (remoteAddr == null || "".equals(remoteAddr)) {
+                remoteAddr = request.getRemoteAddr();
+            }
+        }
+        return remoteAddr;
+    }
+
+    @GetMapping(value = "bad2")
+    public void bad2(HttpServletRequest request) {
+        String ip = request.getHeader("X-Forwarded-For");
+        
+        log.debug("getClientIP header X-Forwarded-For:{}", ip);
+
+        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
+            ip = request.getHeader("Proxy-Client-IP");
+            log.debug("getClientIP header Proxy-Client-IP:{}", ip);
+        }
+        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
+            ip = request.getHeader("WL-Proxy-Client-IP");
+            log.debug("getClientIP header WL-Proxy-Client-IP:{}", ip);
+        }
+        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
+            ip = request.getHeader("HTTP_CLIENT_IP");
+            log.debug("getClientIP header HTTP_CLIENT_IP:{}", ip);
+        }
+        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
+            ip = request.getHeader("HTTP_X_FORWARDED_FOR");
+            log.debug("getClientIP header HTTP_X_FORWARDED_FOR:{}", ip);
+        }
+        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
+            ip = request.getHeader("X-Real-IP");
+            log.debug("getClientIP header X-Real-IP:{}", ip);
+        }
+        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
+            ip = request.getRemoteAddr();
+            log.debug("getRemoteAddr IP:{}", ip);
+        }
+        System.out.println("client ip is: " + ip);
+    }
+
+    @GetMapping(value = "good1")
+    @ResponseBody
+    public String good1(HttpServletRequest request) {
+        String remoteAddr = "";
+        if (request != null) {
+            remoteAddr = request.getHeader("X-FORWARDED-FOR");
+            remoteAddr = remoteAddr.split(",")[remoteAddr.split(",").length - 1]; // good
+            if (remoteAddr == null || "".equals(remoteAddr)) {
+                remoteAddr = request.getRemoteAddr();
+            }
+        }
+        return remoteAddr;
+    }
+}
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
new file mode 100644
index 00000000000..1c3a4485cbd
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
@@ -0,0 +1,38 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The software obtains the original client IP address through the http header <code>X-Forwarded-For</code>, which is used to ensure 
+security or track it in the log for statistical or other reasons. Attackers can use <code>X-Forwarded-For </code> Spoofing software.</p>
+
+</overview>
+<recommendation>
+
+<p>When the software is not using a proxy server, get the last ip.</p>
+
+</recommendation>
+<example>
+
+<p>The following examples show the bad case and the good case respectively. Bad case, such as <code>bad1</code> to <code>bad2</code>. 
+In the <code>bad1</code> method, the value of <code>X-Forwarded-For</code> in <code>header</code> is split, and the first value of 
+the split array is obtained. Good case, such as <code>good1</code>, split the value of <code>X-Forwarded-For</code> in <code>header</code> 
+and get the last value of the split array.</p>
+
+<sample src="UseOfLessTrustedSource.java" />
+
+</example>
+<references>
+
+<li>Prevent IP address spoofing with X-Forwarded-For header when using AWS ELB and Clojure Ring: 
+<a href="https://www.dennis-schneider.com/blog/prevent-ip-address-spoofing-with-x-forwarded-for-header-and-aws-elb-in-clojure-ring/">
+Prevent IP address spoofing with...</a>
+</li>
+
+<li>Security Rule Zero: A Warning about X-Forwarded-For: 
+<a href="https://www.f5.com/company/blog/security-rule-zero-a-warning-about-x-forwarded-for">
+Security Rule Zero: A Warning about X-Forwarded-For</a>
+</li>
+
+</references>
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
new file mode 100644
index 00000000000..15d665d37ab
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
@@ -0,0 +1,44 @@
+/**
+ * @name X-Forwarded-For spoofing
+ * @description The software obtains the client ip through `X-Forwarded-For`,
+ *              and the attacker can modify the value of `X-Forwarded-For` to forge the ip.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/use-of-less-trusted-source
+ * @tags security
+ *       external/cwe/cwe-348
+ */
+
+import java
+import UseOfLessTrustedSourceLib
+import semmle.code.java.dataflow.FlowSources
+import DataFlow::PathGraph
+
+class UseOfLessTrustedSourceConfig extends TaintTracking::Configuration {
+  UseOfLessTrustedSourceConfig() { this = "UseOfLessTrustedSourceConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof UseOfLessTrustedSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof UseOfLessTrustedSink }
+
+  /**
+   * When using `,` split request data and not taking the first value of
+   *  the array, it is considered as `good`.
+   */
+  override predicate isSanitizer(DataFlow::Node node) {
+    exists(ArrayAccess aa, MethodAccess ma | aa.getArray() = ma |
+      ma.getQualifier() = node.asExpr() and
+      ma.getMethod() instanceof SplitMethod and
+      not aa.getIndexExpr().toString() = "0"
+    )
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, UseOfLessTrustedSourceConfig conf
+where
+  conf.hasFlowPath(source, sink) and
+  source.getNode().getEnclosingCallable() = sink.getNode().getEnclosingCallable() and
+  xffIsFirstGet(source.getNode())
+select sink.getNode(), source, sink, "X-Forwarded-For spoofing might include code from $@.",
+  source.getNode(), "this user input"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
new file mode 100644
index 00000000000..0598f843840
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
@@ -0,0 +1,88 @@
+import java
+import DataFlow
+import semmle.code.java.dataflow.DataFlow
+import experimental.semmle.code.java.Logging
+
+/** A data flow source of the value of the `x-forwarded-for` field in the `header`. */
+class UseOfLessTrustedSource extends DataFlow::Node {
+  UseOfLessTrustedSource() {
+    exists(MethodAccess ma |
+      ma.getMethod().hasName("getHeader") and
+      ma.getArgument(0).toString().toLowerCase() = "\"x-forwarded-for\"" and
+      ma = this.asExpr()
+    )
+  }
+}
+
+/** A data flow sink of method return or log output or local print. */
+class UseOfLessTrustedSink extends DataFlow::Node {
+  UseOfLessTrustedSink() {
+    exists(ReturnStmt rs | rs.getResult() = this.asExpr())
+    or
+    exists(MethodAccess ma |
+      ma.getMethod().getName() in ["print", "println"] and
+      (
+        ma.getMethod().getDeclaringType().hasQualifiedName("java.io", "PrintWriter") or
+        ma.getMethod().getDeclaringType().hasQualifiedName("java.io", "PrintStream")
+      ) and
+      ma.getAnArgument() = this.asExpr()
+    )
+    or
+    exists(LoggingCall lc | lc.getAnArgument() = this.asExpr())
+  }
+}
+
+/** A method that split string. */
+class SplitMethod extends Method {
+  SplitMethod() {
+    this.getNumberOfParameters() = 1 and
+    this.hasQualifiedName("java.lang", "String", "split")
+  }
+}
+
+/**
+ * A call to the ServletRequest.getHeader method and the argument are
+ * `wl-proxy-client-ip`/`proxy-client-ip`/`http_client_ip`/`http_x_forwarded_for`/`x-real-ip`.
+ */
+class HeaderIpCall extends MethodAccess {
+  HeaderIpCall() {
+    this.getMethod().hasName("getHeader") and
+    this.getMethod()
+        .getDeclaringType()
+        .getASupertype*()
+        .hasQualifiedName("javax.servlet", "ServletRequest") and
+    this.getArgument(0).toString().toLowerCase() in [
+        "\"wl-proxy-client-ip\"", "\"proxy-client-ip\"", "\"http_client_ip\"",
+        "\"http_x_forwarded_for\"", "\"x-real-ip\""
+      ]
+  }
+}
+
+/** A call to `ServletRequest.getRemoteAddr` method. */
+class RemoteAddrCall extends MethodAccess {
+  RemoteAddrCall() {
+    this.getMethod().hasName("getRemoteAddr") and
+    this.getMethod()
+        .getDeclaringType()
+        .getASupertype*()
+        .hasQualifiedName("javax.servlet", "ServletRequest")
+  }
+}
+
+/** The first one in the method to get the ip value through `x-forwarded-for`. */
+predicate xffIsFirstGet(Node node) {
+  exists(HeaderIpCall hic |
+    node.getEnclosingCallable() = hic.getEnclosingCallable() and
+    node.getLocation().getEndLine() < hic.getLocation().getEndLine()
+  )
+  or
+  exists(RemoteAddrCall rac |
+    node.getEnclosingCallable() = rac.getEnclosingCallable() and
+    node.getLocation().getEndLine() < rac.getLocation().getEndLine()
+  )
+  or
+  not exists(HeaderIpCall hic, RemoteAddrCall rac |
+    node.getEnclosingCallable() = hic.getEnclosingCallable() and
+    node.getEnclosingCallable() = rac.getEnclosingCallable()
+  )
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected
new file mode 100644
index 00000000000..a71ad9629ce
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected
@@ -0,0 +1,14 @@
+edges
+| UseOfLessTrustedSource.java:19:26:19:61 | getHeader(...) : String | UseOfLessTrustedSource.java:25:16:25:25 | remoteAddr |
+| UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) : String | UseOfLessTrustedSource.java:32:60:32:61 | ip |
+| UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) : String | UseOfLessTrustedSource.java:58:28:58:48 | ... + ... |
+nodes
+| UseOfLessTrustedSource.java:19:26:19:61 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| UseOfLessTrustedSource.java:25:16:25:25 | remoteAddr | semmle.label | remoteAddr |
+| UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| UseOfLessTrustedSource.java:32:60:32:61 | ip | semmle.label | ip |
+| UseOfLessTrustedSource.java:58:28:58:48 | ... + ... | semmle.label | ... + ... |
+#select
+| UseOfLessTrustedSource.java:25:16:25:25 | remoteAddr | UseOfLessTrustedSource.java:19:26:19:61 | getHeader(...) : String | UseOfLessTrustedSource.java:25:16:25:25 | remoteAddr | X-Forwarded-For spoofing might include code from $@. | UseOfLessTrustedSource.java:19:26:19:61 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:32:60:32:61 | ip | UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) : String | UseOfLessTrustedSource.java:32:60:32:61 | ip | X-Forwarded-For spoofing might include code from $@. | UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:58:28:58:48 | ... + ... | UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) : String | UseOfLessTrustedSource.java:58:28:58:48 | ... + ... | X-Forwarded-For spoofing might include code from $@. | UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java
new file mode 100644
index 00000000000..d338134ed3e
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java
@@ -0,0 +1,74 @@
+import javax.servlet.http.HttpServletRequest;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+@Controller
+public class UseOfLessTrustedSource {
+
+    private static final Logger log = LoggerFactory.getLogger(UseOfLessTrustedSource.class);
+
+    @GetMapping(value = "bad1")
+    @ResponseBody
+    public String bad1(HttpServletRequest request) {
+        String remoteAddr = "";
+        if (request != null) {
+            remoteAddr = request.getHeader("X-FORWARDED-FOR");
+            remoteAddr = remoteAddr.split(",")[0];
+            if (remoteAddr == null || "".equals(remoteAddr)) {
+                remoteAddr = request.getRemoteAddr();
+            }
+        }
+        return remoteAddr;
+    }
+
+    @GetMapping(value = "bad2")
+    public void bad2(HttpServletRequest request) {
+        String ip = request.getHeader("X-Forwarded-For");
+        
+        log.debug("getClientIP header X-Forwarded-For:{}", ip);
+
+        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
+            ip = request.getHeader("Proxy-Client-IP");
+            log.debug("getClientIP header Proxy-Client-IP:{}", ip);
+        }
+        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
+            ip = request.getHeader("WL-Proxy-Client-IP");
+            log.debug("getClientIP header WL-Proxy-Client-IP:{}", ip);
+        }
+        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
+            ip = request.getHeader("HTTP_CLIENT_IP");
+            log.debug("getClientIP header HTTP_CLIENT_IP:{}", ip);
+        }
+        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
+            ip = request.getHeader("HTTP_X_FORWARDED_FOR");
+            log.debug("getClientIP header HTTP_X_FORWARDED_FOR:{}", ip);
+        }
+        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
+            ip = request.getHeader("X-Real-IP");
+            log.debug("getClientIP header X-Real-IP:{}", ip);
+        }
+        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
+            ip = request.getRemoteAddr();
+            log.debug("getRemoteAddr IP:{}", ip);
+        }
+        System.out.println("client ip is: " + ip);
+    }
+
+    @GetMapping(value = "good1")
+    @ResponseBody
+    public String good1(HttpServletRequest request) {
+        String remoteAddr = "";
+        if (request != null) {
+            remoteAddr = request.getHeader("X-FORWARDED-FOR");
+            remoteAddr = remoteAddr.split(",")[remoteAddr.split(",").length - 1]; // good
+            if (remoteAddr == null || "".equals(remoteAddr)) {
+                remoteAddr = request.getRemoteAddr();
+            }
+        }
+        return remoteAddr;
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.qlref b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.qlref
new file mode 100644
index 00000000000..3c547a2c871
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/options b/java/ql/test/experimental/query-tests/security/CWE-348/options
new file mode 100644
index 00000000000..40bcee8c133
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-348/options
@@ -0,0 +1,2 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.2.3/:${tes
+tdir}/../../../../stubs/slf4j-api-1.6.4/:${testdir}/../../../../stubs/apache-commons-lang3-3.7/
\ No newline at end of file
diff --git a/java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/Logger.java b/java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/Logger.java
new file mode 100644
index 00000000000..1d8b7ea2318
--- /dev/null
+++ b/java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/Logger.java
@@ -0,0 +1,127 @@
+package org.slf4j;
+
+public interface Logger {
+    String ROOT_LOGGER_NAME = "ROOT";
+
+    String getName();
+
+    boolean isTraceEnabled();
+
+    void trace(String var1);
+
+    void trace(String var1, Object var2);
+
+    void trace(String var1, Object var2, Object var3);
+
+    void trace(String var1, Object[] var2);
+
+    void trace(String var1, Throwable var2);
+
+    boolean isTraceEnabled(Marker var1);
+
+    void trace(Marker var1, String var2);
+
+    void trace(Marker var1, String var2, Object var3);
+
+    void trace(Marker var1, String var2, Object var3, Object var4);
+
+    void trace(Marker var1, String var2, Object[] var3);
+
+    void trace(Marker var1, String var2, Throwable var3);
+
+    boolean isDebugEnabled();
+
+    void debug(String var1);
+
+    void debug(String var1, Object var2);
+
+    void debug(String var1, Object var2, Object var3);
+
+    void debug(String var1, Object[] var2);
+
+    void debug(String var1, Throwable var2);
+
+    boolean isDebugEnabled(Marker var1);
+
+    void debug(Marker var1, String var2);
+
+    void debug(Marker var1, String var2, Object var3);
+
+    void debug(Marker var1, String var2, Object var3, Object var4);
+
+    void debug(Marker var1, String var2, Object[] var3);
+
+    void debug(Marker var1, String var2, Throwable var3);
+
+    boolean isInfoEnabled();
+
+    void info(String var1);
+
+    void info(String var1, Object var2);
+
+    void info(String var1, Object var2, Object var3);
+
+    void info(String var1, Object[] var2);
+
+    void info(String var1, Throwable var2);
+
+    boolean isInfoEnabled(Marker var1);
+
+    void info(Marker var1, String var2);
+
+    void info(Marker var1, String var2, Object var3);
+
+    void info(Marker var1, String var2, Object var3, Object var4);
+
+    void info(Marker var1, String var2, Object[] var3);
+
+    void info(Marker var1, String var2, Throwable var3);
+
+    boolean isWarnEnabled();
+
+    void warn(String var1);
+
+    void warn(String var1, Object var2);
+
+    void warn(String var1, Object[] var2);
+
+    void warn(String var1, Object var2, Object var3);
+
+    void warn(String var1, Throwable var2);
+
+    boolean isWarnEnabled(Marker var1);
+
+    void warn(Marker var1, String var2);
+
+    void warn(Marker var1, String var2, Object var3);
+
+    void warn(Marker var1, String var2, Object var3, Object var4);
+
+    void warn(Marker var1, String var2, Object[] var3);
+
+    void warn(Marker var1, String var2, Throwable var3);
+
+    boolean isErrorEnabled();
+
+    void error(String var1);
+
+    void error(String var1, Object var2);
+
+    void error(String var1, Object var2, Object var3);
+
+    void error(String var1, Object[] var2);
+
+    void error(String var1, Throwable var2);
+
+    boolean isErrorEnabled(Marker var1);
+
+    void error(Marker var1, String var2);
+
+    void error(Marker var1, String var2, Object var3);
+
+    void error(Marker var1, String var2, Object var3, Object var4);
+
+    void error(Marker var1, String var2, Object[] var3);
+
+    void error(Marker var1, String var2, Throwable var3);
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/LoggerFactory.java b/java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/LoggerFactory.java
new file mode 100644
index 00000000000..21ef158130a
--- /dev/null
+++ b/java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/LoggerFactory.java
@@ -0,0 +1,21 @@
+package org.slf4j;
+
+import java.io.IOException;
+import java.net.URL;
+import java.util.Arrays;
+import java.util.Enumeration;
+import java.util.Iterator;
+import java.util.LinkedHashSet;
+import java.util.List;
+
+public final class LoggerFactory {
+
+    public static Logger getLogger(String name) {
+        return null;
+    }
+
+    public static Logger getLogger(Class clazz) {
+        return null;
+    }
+
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/Marker.java b/java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/Marker.java
new file mode 100644
index 00000000000..e6ac4846a79
--- /dev/null
+++ b/java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/Marker.java
@@ -0,0 +1,30 @@
+package org.slf4j;
+
+import java.io.Serializable;
+import java.util.Iterator;
+
+public interface Marker extends Serializable {
+    String ANY_MARKER = "*";
+    String ANY_NON_NULL_MARKER = "+";
+
+    String getName();
+
+    void add(Marker var1);
+
+    boolean remove(Marker var1);
+
+    /** @deprecated */
+    boolean hasChildren();
+
+    boolean hasReferences();
+
+    Iterator iterator();
+
+    boolean contains(Marker var1);
+
+    boolean contains(String var1);
+
+    boolean equals(Object var1);
+
+    int hashCode();
+}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/core/annotation/AliasFor.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/core/annotation/AliasFor.java
new file mode 100644
index 00000000000..edfe917400b
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/core/annotation/AliasFor.java
@@ -0,0 +1,21 @@
+package org.springframework.core.annotation;
+
+import java.lang.annotation.Annotation;
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ElementType.METHOD})
+@Documented
+public @interface AliasFor {
+    @AliasFor("attribute")
+    String value() default "";
+
+    @AliasFor("value")
+    String attribute() default "";
+ 
+    Class<? extends Annotation> annotation() default Annotation.class;
+}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/stereotype/Controller.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/stereotype/Controller.java
index 0bfb67d99c1..9b1751fa2ae 100644
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/stereotype/Controller.java
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/stereotype/Controller.java
@@ -1,9 +1,14 @@
 package org.springframework.stereotype;
 
-import java.lang.annotation.*;
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
 
-@Target(value=ElementType.TYPE)
-@Retention(value=RetentionPolicy.RUNTIME)
+@Target({ElementType.TYPE})
+@Retention(RetentionPolicy.RUNTIME)
 @Documented
-@Component
-public @interface Controller { }
+public @interface Controller {
+    String value() default "";
+}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/ObjectUtils.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/ObjectUtils.java
new file mode 100644
index 00000000000..a5a51786d20
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/ObjectUtils.java
@@ -0,0 +1,202 @@
+package org.springframework.util;
+
+import java.lang.reflect.Array;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Map;
+import java.util.Optional;
+import java.util.StringJoiner;
+import org.springframework.lang.Nullable;
+
+public abstract class ObjectUtils {
+
+    private static final int INITIAL_HASH = 7;
+    private static final int MULTIPLIER = 31;
+    private static final String EMPTY_STRING = "";
+    private static final String NULL_STRING = "null";
+    private static final String ARRAY_START = "{";
+    private static final String ARRAY_END = "}";
+    private static final String EMPTY_ARRAY = "{}";
+    private static final String ARRAY_ELEMENT_SEPARATOR = ", ";
+    private static final Object[] EMPTY_OBJECT_ARRAY = new Object[0];
+
+    public ObjectUtils() {
+    }
+
+    public static boolean isCheckedException(Throwable ex) {
+        return false;
+    }
+
+    public static boolean isCompatibleWithThrowsClause(Throwable ex, @Nullable Class<?>... declaredExceptions) {
+        return false;
+    }
+
+    public static boolean isArray(@Nullable Object obj) {
+        return false;
+    }
+
+    public static boolean isEmpty(@Nullable Object[] array) {
+        return false;
+    }
+
+    public static boolean isEmpty(@Nullable Object obj) {
+        return false;
+    }
+
+    @Nullable
+    public static Object unwrapOptional(@Nullable Object obj) {
+        return null;
+    }
+
+    public static boolean containsElement(@Nullable Object[] array, Object element) {
+        return true;
+    }
+
+    public static boolean containsConstant(Enum<?>[] enumValues, String constant) {
+        return true;
+    }
+
+    public static boolean containsConstant(Enum<?>[] enumValues, String constant, boolean caseSensitive) {  
+        return true;
+    }
+
+    public static <E extends Enum<?>> E caseInsensitiveValueOf(E[] enumValues, String constant) {
+        return null;
+    }
+
+    public static <A, O extends A> A[] addObjectToArray(@Nullable A[] array, @Nullable O obj) {
+        return null;
+    }
+
+    public static Object[] toObjectArray(@Nullable Object source) {
+        return null;
+    }
+
+    public static boolean nullSafeEquals(@Nullable Object o1, @Nullable Object o2) {
+        return false;
+    }
+
+    private static boolean arrayEquals(Object o1, Object o2) {
+        return false;
+    }
+
+    public static int nullSafeHashCode(@Nullable Object obj) {
+        return 1;
+    }
+
+    public static int nullSafeHashCode(@Nullable Object[] array) {
+        return 1;
+    }
+
+    public static int nullSafeHashCode(@Nullable boolean[] array) {
+        return 1;
+    }
+
+    public static int nullSafeHashCode(@Nullable byte[] array) {
+        return 1;
+    }
+
+    public static int nullSafeHashCode(@Nullable char[] array) {
+        return 1;
+    }
+
+    public static int nullSafeHashCode(@Nullable double[] array) {
+        return 1;
+    }
+
+    public static int nullSafeHashCode(@Nullable float[] array) {
+        return 1;
+    }
+
+    public static int nullSafeHashCode(@Nullable int[] array) {
+        return 1;
+    }
+
+    public static int nullSafeHashCode(@Nullable long[] array) {
+        return 1;
+    }
+
+    public static int nullSafeHashCode(@Nullable short[] array) {
+        return 1;
+    }
+
+    /** @deprecated */
+    @Deprecated
+    public static int hashCode(boolean bool) {
+        return 1;
+    }
+
+    /** @deprecated */
+    @Deprecated
+    public static int hashCode(double dbl) {
+        return 1;
+    }
+
+    /** @deprecated */
+    @Deprecated
+    public static int hashCode(float flt) {
+        return 1;
+    }
+
+    /** @deprecated */
+    @Deprecated
+    public static int hashCode(long lng) {
+        return 1;
+    }
+
+    public static String identityToString(@Nullable Object obj) {
+        return "";
+    }
+
+    public static String getIdentityHexString(Object obj) {
+        return "";
+    }
+
+    public static String getDisplayString(@Nullable Object obj) {
+        return "";
+    }
+
+    public static String nullSafeClassName(@Nullable Object obj) {
+        return "";
+    }
+
+    public static String nullSafeToString(@Nullable Object obj) {
+        return "";
+    }
+
+    public static String nullSafeToString(@Nullable Object[] array) {
+        return "";
+    }
+
+    public static String nullSafeToString(@Nullable boolean[] array) {
+        return "";
+    }
+
+    public static String nullSafeToString(@Nullable byte[] array) {
+        return "";
+    }
+
+    public static String nullSafeToString(@Nullable char[] array) {
+        return "";
+    }
+
+    public static String nullSafeToString(@Nullable double[] array) {
+        return "";
+    }
+
+    public static String nullSafeToString(@Nullable float[] array) {
+        return "";
+    }
+
+    public static String nullSafeToString(@Nullable int[] array) {
+        return "";
+    }
+
+    public static String nullSafeToString(@Nullable long[] array) {
+        return "";
+    }
+
+    public static String nullSafeToString(@Nullable short[] array) {
+        return "";
+    }
+}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/StringUtils.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/StringUtils.java
new file mode 100644
index 00000000000..a78d47e44c6
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/StringUtils.java
@@ -0,0 +1,30 @@
+package org.springframework.util;
+
+import java.io.ByteArrayOutputStream;
+import java.nio.charset.Charset;
+import java.util.ArrayDeque;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Deque;
+import java.util.Enumeration;
+import java.util.Iterator;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Locale;
+import java.util.Properties;
+import java.util.Set;
+import java.util.StringJoiner;
+import java.util.StringTokenizer;
+import java.util.TimeZone;
+import org.springframework.lang.Nullable;
+
+public abstract class StringUtils {
+  
+    @Deprecated
+    public static boolean isEmpty(@Nullable Object str) {
+        return true;
+    }
+
+}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/GetMapping.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/GetMapping.java
new file mode 100644
index 00000000000..541c7cd4e21
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/GetMapping.java
@@ -0,0 +1,51 @@
+package org.springframework.web.bind.annotation;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import org.springframework.core.annotation.AliasFor;
+
+@Target({ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+@RequestMapping(
+    method = {RequestMethod.GET}
+)
+public @interface GetMapping {
+    @AliasFor(
+        annotation = RequestMapping.class
+    )
+    String name() default "";
+
+    @AliasFor(
+        annotation = RequestMapping.class
+    )
+    String[] value() default {};
+
+    @AliasFor(
+        annotation = RequestMapping.class
+    )
+    String[] path() default {};
+
+    @AliasFor(
+        annotation = RequestMapping.class
+    )
+    String[] params() default {};
+
+    @AliasFor(
+        annotation = RequestMapping.class
+    )
+    String[] headers() default {};
+
+    @AliasFor(
+        annotation = RequestMapping.class
+    )
+    String[] consumes() default {};
+
+    @AliasFor(
+        annotation = RequestMapping.class
+    )
+    String[] produces() default {};
+}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/Mapping.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/Mapping.java
new file mode 100644
index 00000000000..5f269bbcbb8
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/Mapping.java
@@ -0,0 +1,4 @@
+package org.springframework.web.bind.annotation;
+
+public @interface Mapping {
+}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/RequestMapping.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/RequestMapping.java
index 73ff8d1b03a..093065ca5f1 100644
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/RequestMapping.java
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/RequestMapping.java
@@ -1,11 +1,32 @@
 package org.springframework.web.bind.annotation;
 
-import java.lang.annotation.*;
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import org.springframework.core.annotation.AliasFor;
 
 @Target(value={ElementType.METHOD,ElementType.TYPE})
 @Retention(value=RetentionPolicy.RUNTIME)
 @Documented
+@Mapping
 public @interface RequestMapping {
+    String name() default "";
+
+    @AliasFor("path")
+    String[] value() default {};
+
+    @AliasFor("value")
+    String[] path() default {};
 
     RequestMethod[] method() default {};
+
+    String[] params() default {};
+
+    String[] headers() default {};
+
+    String[] consumes() default {};
+
+    String[] produces() default {};
 }
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/RequestParam.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/RequestParam.java
index 5ae52ad123f..56094811c37 100644
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/RequestParam.java
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/RequestParam.java
@@ -1,8 +1,23 @@
 package org.springframework.web.bind.annotation;
 
-import java.lang.annotation.*;
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import org.springframework.core.annotation.AliasFor;
 
-@Target(value=ElementType.PARAMETER)
-@Retention(value=RetentionPolicy.RUNTIME)
+@Target({ElementType.PARAMETER})
+@Retention(RetentionPolicy.RUNTIME)
 @Documented
-public @interface RequestParam { }
+public @interface RequestParam {
+    @AliasFor("name")
+    String value() default "";
+
+    @AliasFor("value")
+    String name() default "";
+
+    boolean required() default true;
+
+    String defaultValue() default "\n\t\t\n\t\t\n\ue000\ue001\ue002\n\t\t\t\t\n";
+}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/ResponseBody.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/ResponseBody.java
new file mode 100644
index 00000000000..4f21b6daaaf
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/ResponseBody.java
@@ -0,0 +1,13 @@
+package org.springframework.web.bind.annotation;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target({ElementType.TYPE, ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface ResponseBody {
+}

From 86ef2588f1599cbf0c1ed578676b0e51728823d6 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Thu, 8 Apr 2021 17:55:29 +0800
Subject: [PATCH 0213/1429] Restore @Component annotation

---
 .../org/springframework/stereotype/Controller.java               | 1 +
 1 file changed, 1 insertion(+)

diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/stereotype/Controller.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/stereotype/Controller.java
index 9b1751fa2ae..a4a49fffb90 100644
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/stereotype/Controller.java
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/stereotype/Controller.java
@@ -9,6 +9,7 @@ import java.lang.annotation.Target;
 @Target({ElementType.TYPE})
 @Retention(RetentionPolicy.RUNTIME)
 @Documented
+@Component
 public @interface Controller {
     String value() default "";
 }

From 2ac1e604065d37121a780ab12c1e58061bdbfeb6 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 8 Apr 2021 11:58:01 +0200
Subject: [PATCH 0214/1429] C#: Add parameter default value tests

---
 .../library-tests/parameters/Parameters.cs    |  13 ++++++
 .../library-tests/parameters/Parameters.cs_   |  13 ++++++
 .../library-tests/parameters/Parameters.dll   | Bin 0 -> 4608 bytes
 .../parameters/Parameters.expected            |  44 ++++++++++++++++++
 .../library-tests/parameters/Parameters.ql    |  19 ++++++++
 5 files changed, 89 insertions(+)
 create mode 100644 csharp/ql/test/library-tests/parameters/Parameters.cs
 create mode 100644 csharp/ql/test/library-tests/parameters/Parameters.cs_
 create mode 100644 csharp/ql/test/library-tests/parameters/Parameters.dll
 create mode 100644 csharp/ql/test/library-tests/parameters/Parameters.expected
 create mode 100644 csharp/ql/test/library-tests/parameters/Parameters.ql

diff --git a/csharp/ql/test/library-tests/parameters/Parameters.cs b/csharp/ql/test/library-tests/parameters/Parameters.cs
new file mode 100644
index 00000000000..76847f26c32
--- /dev/null
+++ b/csharp/ql/test/library-tests/parameters/Parameters.cs
@@ -0,0 +1,13 @@
+public class Parameters
+{
+    public void M1(int a, object b, string c) => throw null;
+    public void M2(int a, object b = null, string c = "default string") => throw null;
+    public void M3(int a = 1, object b = null, string c = "null") => throw null;
+    public void M4(int a = default, object b = default) => throw null;
+    public void M5(int a = new int(), object b = default) => throw null;
+    public void M6(MyStruct s1, MyStruct s2 = default(MyStruct), MyStruct s3 = new MyStruct()) => throw null;
+    public void M7(MyEnum e1, MyEnum e2 = default(MyEnum), MyEnum e3 = new MyEnum(), MyEnum e4 = MyEnum.A, MyEnum e5 = (MyEnum)5) => throw null;
+
+    public struct MyStruct { }
+    public enum MyEnum { A = 1, B = 2 }
+}
\ No newline at end of file
diff --git a/csharp/ql/test/library-tests/parameters/Parameters.cs_ b/csharp/ql/test/library-tests/parameters/Parameters.cs_
new file mode 100644
index 00000000000..300c03bd854
--- /dev/null
+++ b/csharp/ql/test/library-tests/parameters/Parameters.cs_
@@ -0,0 +1,13 @@
+public class ParametersDll
+{
+    public void M1(int a, object b, string c) => throw null;
+    public void M2(int a, object b = null, string c = "default string") => throw null;
+    public void M3(int a = 1, object b = null, string c = "null") => throw null;
+    public void M4(int a = default, object b = default) => throw null;
+    public void M5(int a = new int(), object b = default) => throw null;
+    public void M6(MyStruct s1, MyStruct s2 = default(MyStruct), MyStruct s3 = new MyStruct()) => throw null;
+    public void M7(MyEnum e1, MyEnum e2 = default(MyEnum), MyEnum e3 = new MyEnum(), MyEnum e4 = MyEnum.A, MyEnum e5 = (MyEnum)5) => throw null;
+
+    public struct MyStruct { }
+    public enum MyEnum { A = 1, B = 2 }
+}
\ No newline at end of file
diff --git a/csharp/ql/test/library-tests/parameters/Parameters.dll b/csharp/ql/test/library-tests/parameters/Parameters.dll
new file mode 100644
index 0000000000000000000000000000000000000000..8a0980cf5620d4f2fdc70c9c7c0272be13f0e341
GIT binary patch
literal 4608
zcmeHKO>7&-75<i_Xo|6A%73+6H(6UTD%Z(MvLq+YuP9TFl$y3;(n{hqkeAe$UVFJq
z>@F241sWala|#l)*A&emC{mzka%c;oMNYXk&7ld<W0O;h0`0AU8z9d2W|tx@*)Gsa
zfgq2XZ|1!>^X9!bvooXe#W#@#kYTxT16XG*G^O#*utxR3J-;8oZ~8wvv~HaF=uq{F
z6Pm5SZv=MJtlOUFM`lf#LEAGO&n%s*m`#64Svz**?@dh4&j4qPG>V^p_Uq1Uf5l<*
zE@KqPQ<9CP!7yu+Wr_tT=yodhTLj|2rZpnvLTOxjMY_sgw@z3Qkxbe>Cygm!R1&e7
zE&<yqoBbY8-K@J4Zvwd<eUAKW4{t?kB_h8fov72XCVrFCWCEA0APnl{v~N>vNTA|S
z4^7c~D^RY_j#_nzO0lKmW}VO!Fx_c)>MG+G65mqjL(2sI!kil-{2wU4=f$mmhf~9M
zNrd001C=MIjl{b6x;$ZxTH~YRV<%;@KDfjT*J0?#K#TPR;~1($f#Wqo>G4iqoPwbX
z6}-!~ggErXg}D;zb@C=1ADVXknsg>{xbgJQfPOacA7dQ*;@AerN-8;pUZ=gR=_3YN
zWZOynogzblw~aU_S>%kr8ChJ^Si`5rPUP4ni`TJ2dC~ZQ_;(2YLgR-ThqZiJw-2Y@
zqxKmHt{d-Z!<L>!a$_*6pHMcY+j*maqqILst{*ANf5&oCbJ^^}w6d`F0G=bBB+i>+
z=2dDJSt<#aCzruO!tExv4bLXrL0o3UKTNp8<hElm;fA>$1E?k3F)TAbD(3coOy8MI
z&T@*F!VEEuClX1aAd*5sB!z<XxxJ*T6>Hmc&w?I%KwHab$qp^qN6g?JVjqq$A0Km7
z28mf5Am(wDSYYM^Piib`oYVM}#%DF!M6M-&ce8BA5O!fNh8gbx+)v4ODc^-dT5<$W
zQgW2-UDOS;J*L}}8XwhI)bcrvWsOg1%NJ0A#l7`1aX0sfh40{3#3B5acntp_j^hjB
z!^j#IGqs!e11+x*<9(P$W-V?}kkGfdE4bx1XfNh;JI&R|$j%okk3o$g97Fjy)NzEz
zQ67gHM>vl11k?n|lTec=pFsHmJW}?T+OB#GMV=JPw%b;Vi?C5c9hKEEQcdf8+l!p0
z!h$HPt1X3+s<j&pyXLB5#P77$jueVvsG2o*wdzE@;;J1qRCJn`gL=Uau5Imq+Huu_
z3PQ*Cwkqem%YM+bBPwn8w!KdI-esrJ4s^e+kyC!N<+xgSUb*&)ZiQWa$K&~c8K_5F
z6=J~lR=bKM6IvcQHOF<L9_`KPvJ!WBiecWC_#;MHa@`)zS|S?{LwR+^Yd1G?t}eT(
zE^))EM}E+emmIs{`C;VL!;UC%%8J8PK}7}2PF;n`Dsg_UFxjpXI9Iz$<D8PGEF+J1
z4X)Sg&wsf7@7XsVd8mBxmp}h0GNxhV(k6^PHU<ZU9mu`^_~J{0pXMLR$O)E_9Vcfh
z4lY6Q9I?^n`4PcHNDSb>LjyTai(O=7@20Z3bat?iHPc4!;6R_5V%1M(aJ&3=n0>}z
zq4Ucb{P2YCmNT-N+V^x|x6b<B%t~FgBt6wDf&W5iu-`Uu2$Kf(TW4pgr~E(_Tdn(&
zRd{rH(i)|Kfjt{rvE+m;*Iqr#mBCH}`JVhBZ=g?aa^9}AJjM%)KVB1*YeuFL%Dubr
zXBg#q$;0z3Z}H9WR=;Rs5}$UnP>kz@>peQ@vFW<T`AVts?N@(vRTa)m|KZI)4!2+Q
zUlto97eelyk;rb^;j(@8+Q^bx9^uE?8tJ+{;@7T@Xs<^+6*1l(oz+^Zp)y-MK6wHi
z`(GsXC5Ao6?jO2#{hxn&?WO5gW|Q}U_*av*DXp#4c}K*WMP{74yKFlinqi&kS9*Jk
z_Qny~*c|FsgWpL04;he`2e2PlyLoc?-uMQ+g<Sf{+wqwx;FILa5!olH3E~3pzD42;
z&a*Ygm-bombHvl}s~aC={`F;iugMHTas7DA=<}q<td^E^uLYhj0qr<EV-#(AJaK%j
zzgLf{QfpHhQg8G8aj5kYtM6yzUCH-R&$+bK5}z>aGrIAc;6=zB-~?}Td9(OvqNV3p
zWkfbPrR~qNEprPWu>|x%=rKL6Gf#<{kQb|*i>;gdyWRLv9)HG0#0!b#Zd_x0LyT?|
znQtfiOJ-s(Jo@DJczUaOEG)5)yu!gZOp4>raGr)9DG|4@sy%Mt3ax^lGU$=ab1sp~
zDKGPM;uJ2<%zv9N&g(qw`1GR9+(bRz0=F8^=^1mD^WQvfb9TD90Up$OEHe8cV{39%
jT}EYcpT=v|$!K?s<n?PxX8b>6^x)StzHh?1V+Otgd2T!f

literal 0
HcmV?d00001

diff --git a/csharp/ql/test/library-tests/parameters/Parameters.expected b/csharp/ql/test/library-tests/parameters/Parameters.expected
new file mode 100644
index 00000000000..6f01d38ed8f
--- /dev/null
+++ b/csharp/ql/test/library-tests/parameters/Parameters.expected
@@ -0,0 +1,44 @@
+noDefaultValue
+| Parameters.cs:3:17:3:18 | M1 | Parameters.cs:3:24:3:24 | a | 0 |
+| Parameters.cs:3:17:3:18 | M1 | Parameters.cs:3:34:3:34 | b | 1 |
+| Parameters.cs:3:17:3:18 | M1 | Parameters.cs:3:44:3:44 | c | 2 |
+| Parameters.cs:4:17:4:18 | M2 | Parameters.cs:4:24:4:24 | a | 0 |
+| Parameters.cs:8:17:8:18 | M6 | Parameters.cs:8:29:8:30 | s1 | 0 |
+| Parameters.cs:9:17:9:18 | M7 | Parameters.cs:9:27:9:28 | e1 | 0 |
+| Parameters.dll:0:0:0:0 | M1 | Parameters.dll:0:0:0:0 | a | 0 |
+| Parameters.dll:0:0:0:0 | M1 | Parameters.dll:0:0:0:0 | b | 1 |
+| Parameters.dll:0:0:0:0 | M1 | Parameters.dll:0:0:0:0 | c | 2 |
+| Parameters.dll:0:0:0:0 | M2 | Parameters.dll:0:0:0:0 | a | 0 |
+| Parameters.dll:0:0:0:0 | M2 | Parameters.dll:0:0:0:0 | b | 1 |
+| Parameters.dll:0:0:0:0 | M2 | Parameters.dll:0:0:0:0 | c | 2 |
+| Parameters.dll:0:0:0:0 | M3 | Parameters.dll:0:0:0:0 | a | 0 |
+| Parameters.dll:0:0:0:0 | M3 | Parameters.dll:0:0:0:0 | b | 1 |
+| Parameters.dll:0:0:0:0 | M3 | Parameters.dll:0:0:0:0 | c | 2 |
+| Parameters.dll:0:0:0:0 | M4 | Parameters.dll:0:0:0:0 | a | 0 |
+| Parameters.dll:0:0:0:0 | M4 | Parameters.dll:0:0:0:0 | b | 1 |
+| Parameters.dll:0:0:0:0 | M5 | Parameters.dll:0:0:0:0 | a | 0 |
+| Parameters.dll:0:0:0:0 | M5 | Parameters.dll:0:0:0:0 | b | 1 |
+| Parameters.dll:0:0:0:0 | M6 | Parameters.dll:0:0:0:0 | s1 | 0 |
+| Parameters.dll:0:0:0:0 | M6 | Parameters.dll:0:0:0:0 | s2 | 1 |
+| Parameters.dll:0:0:0:0 | M6 | Parameters.dll:0:0:0:0 | s3 | 2 |
+| Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e1 | 0 |
+| Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e2 | 1 |
+| Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e3 | 2 |
+| Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e4 | 3 |
+| Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e5 | 4 |
+withDefaultValue
+| Parameters.cs:4:17:4:18 | M2 | Parameters.cs:4:34:4:34 | b | 1 | Parameters.cs:4:38:4:41 | null | null |
+| Parameters.cs:4:17:4:18 | M2 | Parameters.cs:4:51:4:51 | c | 2 | Parameters.cs:4:55:4:70 | "default string" | default string |
+| Parameters.cs:5:17:5:18 | M3 | Parameters.cs:5:24:5:24 | a | 0 | Parameters.cs:5:28:5:28 | 1 | 1 |
+| Parameters.cs:5:17:5:18 | M3 | Parameters.cs:5:38:5:38 | b | 1 | Parameters.cs:5:42:5:45 | null | null |
+| Parameters.cs:5:17:5:18 | M3 | Parameters.cs:5:55:5:55 | c | 2 | Parameters.cs:5:59:5:64 | "null" | null |
+| Parameters.cs:6:17:6:18 | M4 | Parameters.cs:6:24:6:24 | a | 0 | Parameters.cs:6:28:6:34 | (...) ... | 0 |
+| Parameters.cs:6:17:6:18 | M4 | Parameters.cs:6:44:6:44 | b | 1 | Parameters.cs:6:48:6:54 | default | null |
+| Parameters.cs:7:17:7:18 | M5 | Parameters.cs:7:24:7:24 | a | 0 | Parameters.cs:7:28:7:36 | object creation of type Int32 | 0 |
+| Parameters.cs:7:17:7:18 | M5 | Parameters.cs:7:46:7:46 | b | 1 | Parameters.cs:7:50:7:56 | default | null |
+| Parameters.cs:8:17:8:18 | M6 | Parameters.cs:8:42:8:43 | s2 | 1 | Parameters.cs:8:47:8:63 | default(...) | - |
+| Parameters.cs:8:17:8:18 | M6 | Parameters.cs:8:75:8:76 | s3 | 2 | Parameters.cs:8:80:8:93 | object creation of type MyStruct | - |
+| Parameters.cs:9:17:9:18 | M7 | Parameters.cs:9:38:9:39 | e2 | 1 | Parameters.cs:9:43:9:57 | default(...) | 0 |
+| Parameters.cs:9:17:9:18 | M7 | Parameters.cs:9:67:9:68 | e3 | 2 | Parameters.cs:9:72:9:83 | object creation of type MyEnum | 0 |
+| Parameters.cs:9:17:9:18 | M7 | Parameters.cs:9:93:9:94 | e4 | 3 | Parameters.cs:9:98:9:105 | access to constant A | 1 |
+| Parameters.cs:9:17:9:18 | M7 | Parameters.cs:9:115:9:116 | e5 | 4 | Parameters.cs:9:120:9:128 | (...) ... | 5 |
diff --git a/csharp/ql/test/library-tests/parameters/Parameters.ql b/csharp/ql/test/library-tests/parameters/Parameters.ql
new file mode 100644
index 00000000000..dca5c2d9006
--- /dev/null
+++ b/csharp/ql/test/library-tests/parameters/Parameters.ql
@@ -0,0 +1,19 @@
+import csharp
+
+private predicate fromTestLocation(Element e) {
+  e.fromSource() or e.getFile().getStem() = "Parameters"
+}
+
+query predicate noDefaultValue(Parameterizable container, Parameter p, int i) {
+  fromTestLocation(container) and
+  not p.hasDefaultValue() and
+  container.getParameter(i) = p
+}
+
+query predicate withDefaultValue(Parameterizable container, Parameter p, int i, Expr e, string value) {
+  fromTestLocation(container) and
+  p.hasDefaultValue() and
+  container.getParameter(i) = p and
+  p.getDefaultValue() = e and
+  if exists(e.getValue()) then value = e.getValue() else value = "-"
+}

From cb9a9db356268c9bcb5251f28225abe822da7851 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 7 Apr 2021 13:33:14 +0200
Subject: [PATCH 0215/1429] C# Improve default argument value extraction

---
 .../Entities/Expression.cs                    | 33 +++++++++++
 .../Entities/Expressions/Default.cs           | 15 +++++
 .../Entities/Parameter.cs                     | 56 ++++++++++---------
 .../parameters/Parameters.expected            | 30 +++++-----
 4 files changed, 94 insertions(+), 40 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
index cdf17311440..3324de4c8a8 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
@@ -164,6 +164,39 @@ namespace Semmle.Extraction.CSharp.Entities
             }
         }
 
+        /// <summary>
+        /// Creates a generated expression for a default argument value.
+        /// </summary>
+        public static Expression? CreateGenerated(Context cx, IParameterSymbol parameter, IExpressionParentEntity parent,
+            int childIndex, Extraction.Entities.Location location)
+        {
+            if (!parameter.HasExplicitDefaultValue)
+            {
+                return null;
+            }
+
+            var defaultValue = parameter.ExplicitDefaultValue;
+
+            if (parameter.Type is INamedTypeSymbol nt && nt.EnumUnderlyingType is not null)
+            {
+                // = (MyEnum)1, = MyEnum.Value1, = default(MyEnum), = new MyEnum()
+                // we're generating a (MyEnum)value cast expression:
+                defaultValue ??= 0;
+                Action<Expression, int> createChild = (parent, index) => Literal.CreateGenerated(cx, parent, index, nt.EnumUnderlyingType, defaultValue, location);
+                return Cast.CreateGenerated(cx, parent, childIndex, parameter.Type, defaultValue, createChild, location);
+            }
+
+            if (defaultValue is null)
+            {
+                // = null, = default, = default(T), = new MyStruct()
+                // we're generating a default expression:
+                return Default.CreateGenerated(cx, parent, childIndex, location);
+            }
+
+            // const literal:
+            return Literal.CreateGenerated(cx, parent, childIndex, parameter.Type, defaultValue, location);
+        }
+
         /// <summary>
         /// Adapt the operator kind depending on whether it's a dynamic call or a user-operator call.
         /// </summary>
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Default.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Default.cs
index 9e1b42834b1..5ae94e33c44 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Default.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Default.cs
@@ -14,5 +14,20 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
         {
             TypeAccess.Create(Context, Syntax.Type, this, 0);
         }
+
+        public static Expression CreateGenerated(Context cx, IExpressionParentEntity parent, int childIndex, Extraction.Entities.Location location)
+        {
+            var info = new ExpressionInfo(
+                cx,
+                null,
+                location,
+                ExprKind.DEFAULT,
+                parent,
+                childIndex,
+                true,
+                ValueAsString(null));
+
+            return new Expression(info);
+        }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
index 3bbf38a71eb..9ec428eefe1 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
@@ -4,6 +4,7 @@ using System.Linq;
 using Microsoft.CodeAnalysis.CSharp.Syntax;
 using Semmle.Extraction.Entities;
 using System.IO;
+using System;
 
 namespace Semmle.Extraction.CSharp.Entities
 {
@@ -124,6 +125,17 @@ namespace Semmle.Extraction.CSharp.Entities
                 trapFile.param_location(this, Context.CreateLocation());
             }
 
+            if (Symbol.HasExplicitDefaultValue && Context.Defines(Symbol))
+            {
+                var defaultValueSyntax = GetDefaultValueFromSyntax(Symbol);
+
+                Action defaultValueExpressionCreation = defaultValueSyntax is not null
+                    ? () => Expression.Create(Context, defaultValueSyntax.Value, this, 0)
+                    : () => Expression.CreateGenerated(Context, Symbol, this, 0, Location);
+
+                Context.PopulateLater(defaultValueExpressionCreation);
+            }
+
             if (!IsSourceDeclaration || !Symbol.FromSource())
                 return;
 
@@ -139,36 +151,30 @@ namespace Semmle.Extraction.CSharp.Entities
                     TypeMention.Create(Context, syntax.Type!, this, type);
                 }
             }
+        }
 
-            if (Symbol.HasExplicitDefaultValue && Context.Defines(Symbol))
+        private static EqualsValueClauseSyntax? GetDefaultValueFromSyntax(IParameterSymbol symbol)
+        {
+            // This is a slight bug in the dbscheme
+            // We should really define param_default(param, string)
+            // And use parameter child #0 to encode the default expression.
+            var defaultValue = GetParameterDefaultValue(symbol);
+            if (defaultValue is null)
             {
-                // This is a slight bug in the dbscheme
-                // We should really define param_default(param, string)
-                // And use parameter child #0 to encode the default expression.
-                var defaultValue = GetParameterDefaultValue(Symbol);
-                if (defaultValue is null)
+                // In case this parameter belongs to an accessor of an indexer, we need
+                // to get the default value from the corresponding parameter belonging
+                // to the indexer itself
+                var method = (IMethodSymbol)symbol.ContainingSymbol;
+                if (method is not null)
                 {
-                    // In case this parameter belongs to an accessor of an indexer, we need
-                    // to get the default value from the corresponding parameter belonging
-                    // to the indexer itself
-                    var method = (IMethodSymbol)Symbol.ContainingSymbol;
-                    if (method is not null)
-                    {
-                        var i = method.Parameters.IndexOf(Symbol);
-                        var indexer = (IPropertySymbol?)method.AssociatedSymbol;
-                        if (indexer is not null)
-                            defaultValue = GetParameterDefaultValue(indexer.Parameters[i]);
-                    }
-                }
-
-                if (defaultValue is not null)
-                {
-                    Context.PopulateLater(() =>
-                    {
-                        Expression.Create(Context, defaultValue.Value, this, 0);
-                    });
+                    var i = method.Parameters.IndexOf(symbol);
+                    var indexer = (IPropertySymbol?)method.AssociatedSymbol;
+                    if (indexer is not null)
+                        defaultValue = GetParameterDefaultValue(indexer.Parameters[i]);
                 }
             }
+
+            return defaultValue;
         }
 
         public override bool IsSourceDeclaration => Symbol.IsSourceDeclaration();
diff --git a/csharp/ql/test/library-tests/parameters/Parameters.expected b/csharp/ql/test/library-tests/parameters/Parameters.expected
index 6f01d38ed8f..c676e435297 100644
--- a/csharp/ql/test/library-tests/parameters/Parameters.expected
+++ b/csharp/ql/test/library-tests/parameters/Parameters.expected
@@ -9,23 +9,8 @@ noDefaultValue
 | Parameters.dll:0:0:0:0 | M1 | Parameters.dll:0:0:0:0 | b | 1 |
 | Parameters.dll:0:0:0:0 | M1 | Parameters.dll:0:0:0:0 | c | 2 |
 | Parameters.dll:0:0:0:0 | M2 | Parameters.dll:0:0:0:0 | a | 0 |
-| Parameters.dll:0:0:0:0 | M2 | Parameters.dll:0:0:0:0 | b | 1 |
-| Parameters.dll:0:0:0:0 | M2 | Parameters.dll:0:0:0:0 | c | 2 |
-| Parameters.dll:0:0:0:0 | M3 | Parameters.dll:0:0:0:0 | a | 0 |
-| Parameters.dll:0:0:0:0 | M3 | Parameters.dll:0:0:0:0 | b | 1 |
-| Parameters.dll:0:0:0:0 | M3 | Parameters.dll:0:0:0:0 | c | 2 |
-| Parameters.dll:0:0:0:0 | M4 | Parameters.dll:0:0:0:0 | a | 0 |
-| Parameters.dll:0:0:0:0 | M4 | Parameters.dll:0:0:0:0 | b | 1 |
-| Parameters.dll:0:0:0:0 | M5 | Parameters.dll:0:0:0:0 | a | 0 |
-| Parameters.dll:0:0:0:0 | M5 | Parameters.dll:0:0:0:0 | b | 1 |
 | Parameters.dll:0:0:0:0 | M6 | Parameters.dll:0:0:0:0 | s1 | 0 |
-| Parameters.dll:0:0:0:0 | M6 | Parameters.dll:0:0:0:0 | s2 | 1 |
-| Parameters.dll:0:0:0:0 | M6 | Parameters.dll:0:0:0:0 | s3 | 2 |
 | Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e1 | 0 |
-| Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e2 | 1 |
-| Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e3 | 2 |
-| Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e4 | 3 |
-| Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e5 | 4 |
 withDefaultValue
 | Parameters.cs:4:17:4:18 | M2 | Parameters.cs:4:34:4:34 | b | 1 | Parameters.cs:4:38:4:41 | null | null |
 | Parameters.cs:4:17:4:18 | M2 | Parameters.cs:4:51:4:51 | c | 2 | Parameters.cs:4:55:4:70 | "default string" | default string |
@@ -42,3 +27,18 @@ withDefaultValue
 | Parameters.cs:9:17:9:18 | M7 | Parameters.cs:9:67:9:68 | e3 | 2 | Parameters.cs:9:72:9:83 | object creation of type MyEnum | 0 |
 | Parameters.cs:9:17:9:18 | M7 | Parameters.cs:9:93:9:94 | e4 | 3 | Parameters.cs:9:98:9:105 | access to constant A | 1 |
 | Parameters.cs:9:17:9:18 | M7 | Parameters.cs:9:115:9:116 | e5 | 4 | Parameters.cs:9:120:9:128 | (...) ... | 5 |
+| Parameters.dll:0:0:0:0 | M2 | Parameters.dll:0:0:0:0 | b | 1 | Parameters.dll:0:0:0:0 | default | null |
+| Parameters.dll:0:0:0:0 | M2 | Parameters.dll:0:0:0:0 | c | 2 | Parameters.dll:0:0:0:0 | "default string" | default string |
+| Parameters.dll:0:0:0:0 | M3 | Parameters.dll:0:0:0:0 | a | 0 | Parameters.dll:0:0:0:0 | 1 | 1 |
+| Parameters.dll:0:0:0:0 | M3 | Parameters.dll:0:0:0:0 | b | 1 | Parameters.dll:0:0:0:0 | default | null |
+| Parameters.dll:0:0:0:0 | M3 | Parameters.dll:0:0:0:0 | c | 2 | Parameters.dll:0:0:0:0 | "null" | null |
+| Parameters.dll:0:0:0:0 | M4 | Parameters.dll:0:0:0:0 | a | 0 | Parameters.dll:0:0:0:0 | 0 | 0 |
+| Parameters.dll:0:0:0:0 | M4 | Parameters.dll:0:0:0:0 | b | 1 | Parameters.dll:0:0:0:0 | default | null |
+| Parameters.dll:0:0:0:0 | M5 | Parameters.dll:0:0:0:0 | a | 0 | Parameters.dll:0:0:0:0 | 0 | 0 |
+| Parameters.dll:0:0:0:0 | M5 | Parameters.dll:0:0:0:0 | b | 1 | Parameters.dll:0:0:0:0 | default | null |
+| Parameters.dll:0:0:0:0 | M6 | Parameters.dll:0:0:0:0 | s2 | 1 | Parameters.dll:0:0:0:0 | default | null |
+| Parameters.dll:0:0:0:0 | M6 | Parameters.dll:0:0:0:0 | s3 | 2 | Parameters.dll:0:0:0:0 | default | null |
+| Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e2 | 1 | Parameters.dll:0:0:0:0 | (...) ... | 0 |
+| Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e3 | 2 | Parameters.dll:0:0:0:0 | (...) ... | 0 |
+| Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e4 | 3 | Parameters.dll:0:0:0:0 | (...) ... | 1 |
+| Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e5 | 4 | Parameters.dll:0:0:0:0 | (...) ... | 5 |

From c069c3384ed336d2741750a4a69c4e1afa65385b Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 7 Apr 2021 15:56:01 +0200
Subject: [PATCH 0216/1429] Fix tests

---
 .../Semmle.Extraction.CSharp/Entities/Parameter.cs    |  6 ++----
 csharp/ql/src/semmle/code/csharp/Element.qll          |  3 ---
 csharp/ql/src/semmle/code/dotnet/Element.qll          |  3 +++
 .../library-tests/controlflow/graph/BasicBlock.ql     |  1 +
 .../test/library-tests/controlflow/graph/Dominance.ql | 11 +++++++++--
 .../test/library-tests/controlflow/graph/NodeGraph.ql |  1 +
 .../controlflow/splits/SplittingStressTest.ql         |  1 +
 .../test/library-tests/csharp7.1/DefaultLiterals.ql   |  1 +
 .../ql/test/library-tests/csharp7/LocalTaintFlow.ql   |  4 +++-
 .../test/library-tests/dataflow/local/DataFlowStep.ql |  2 +-
 .../library-tests/dataflow/local/TaintTrackingStep.ql |  4 +++-
 .../dataflow/modulusanalysis/ModulusAnalysis.ql       |  4 +++-
 .../dataflow/signanalysis/SignAnalysis.ql             |  1 +
 .../library-tests/dataflow/tuples/DataFlowStep.ql     |  2 +-
 .../test/library-tests/exprorstmtparent/Parameter.ql  |  1 +
 csharp/ql/test/library-tests/goto/Goto1.ql            |  1 +
 .../test/library-tests/standalone/controlflow/cfg.ql  |  4 +++-
 .../query-tests/Stubs/MinimalStubsFromSource.expected |  2 +-
 18 files changed, 36 insertions(+), 16 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
index 9ec428eefe1..462c8bbb297 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
@@ -164,12 +164,10 @@ namespace Semmle.Extraction.CSharp.Entities
                 // In case this parameter belongs to an accessor of an indexer, we need
                 // to get the default value from the corresponding parameter belonging
                 // to the indexer itself
-                var method = (IMethodSymbol)symbol.ContainingSymbol;
-                if (method is not null)
+                if (symbol.ContainingSymbol is IMethodSymbol method)
                 {
                     var i = method.Parameters.IndexOf(symbol);
-                    var indexer = (IPropertySymbol?)method.AssociatedSymbol;
-                    if (indexer is not null)
+                    if (method.AssociatedSymbol is IPropertySymbol indexer)
                         defaultValue = GetParameterDefaultValue(indexer.Parameters[i]);
                 }
             }
diff --git a/csharp/ql/src/semmle/code/csharp/Element.qll b/csharp/ql/src/semmle/code/csharp/Element.qll
index 521138db1b5..fbd96f6086d 100644
--- a/csharp/ql/src/semmle/code/csharp/Element.qll
+++ b/csharp/ql/src/semmle/code/csharp/Element.qll
@@ -27,9 +27,6 @@ class Element extends DotNet::Element, @element {
   /** Gets a location of this element, including sources and assemblies. */
   override Location getALocation() { none() }
 
-  /** Holds if this element is from an assembly. */
-  predicate fromLibrary() { this.getFile().fromLibrary() }
-
   /** Gets the parent of this element, if any. */
   Element getParent() { result.getAChild() = this }
 
diff --git a/csharp/ql/src/semmle/code/dotnet/Element.qll b/csharp/ql/src/semmle/code/dotnet/Element.qll
index 956a5f2c052..c38b09ce270 100644
--- a/csharp/ql/src/semmle/code/dotnet/Element.qll
+++ b/csharp/ql/src/semmle/code/dotnet/Element.qll
@@ -28,6 +28,9 @@ class Element extends @dotnet_element {
   /** Holds if this element is from source code. */
   predicate fromSource() { this.getFile().fromSource() }
 
+  /** Holds if this element is from an assembly. */
+  predicate fromLibrary() { this.getFile().fromLibrary() }
+
   /**
    * Gets the "language" of this program element, as defined by the extension of the filename.
    * For example, C# has language "cs", and Visual Basic has language "vb".
diff --git a/csharp/ql/test/library-tests/controlflow/graph/BasicBlock.ql b/csharp/ql/test/library-tests/controlflow/graph/BasicBlock.ql
index b63f597f181..8fe56d22ca7 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/BasicBlock.ql
+++ b/csharp/ql/test/library-tests/controlflow/graph/BasicBlock.ql
@@ -2,4 +2,5 @@ import csharp
 import Common
 
 from SourceBasicBlock bb
+where not bb.getFirstNode().getElement().fromLibrary()
 select bb.getFirstNode(), bb.getLastNode(), bb.length()
diff --git a/csharp/ql/test/library-tests/controlflow/graph/Dominance.ql b/csharp/ql/test/library-tests/controlflow/graph/Dominance.ql
index 0fbf5f551c9..fa76e629aeb 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/Dominance.ql
+++ b/csharp/ql/test/library-tests/controlflow/graph/Dominance.ql
@@ -1,18 +1,25 @@
 import csharp
 import Common
 
+/** Holds if `node` is not from a library. */
+private predicate isSourceBased(SourceControlFlowNode node) { not node.getElement().fromLibrary() }
+
 query predicate dominance(SourceControlFlowNode dom, SourceControlFlowNode node) {
+  isSourceBased(dom) and
   dom.strictlyDominates(node) and
   dom.getASuccessor() = node
 }
 
 query predicate postDominance(SourceControlFlowNode dom, SourceControlFlowNode node) {
+  isSourceBased(dom) and
   dom.strictlyPostDominates(node) and
   dom.getAPredecessor() = node
 }
 
-query predicate blockDominance(SourceBasicBlock dom, SourceBasicBlock bb) { dom.dominates(bb) }
+query predicate blockDominance(SourceBasicBlock dom, SourceBasicBlock bb) {
+  isSourceBased(dom.getFirstNode()) and dom.dominates(bb)
+}
 
 query predicate postBlockDominance(SourceBasicBlock dom, SourceBasicBlock bb) {
-  dom.postDominates(bb)
+  isSourceBased(dom.getFirstNode()) and dom.postDominates(bb)
 }
diff --git a/csharp/ql/test/library-tests/controlflow/graph/NodeGraph.ql b/csharp/ql/test/library-tests/controlflow/graph/NodeGraph.ql
index 4a1cf5b5880..51d15294516 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/NodeGraph.ql
+++ b/csharp/ql/test/library-tests/controlflow/graph/NodeGraph.ql
@@ -4,6 +4,7 @@ import Common
 query predicate edges(
   SourceControlFlowNode node, SourceControlFlowNode successor, string attr, string val
 ) {
+  not node.getElement().fromLibrary() and
   exists(ControlFlow::SuccessorType t | successor = node.getASuccessorByType(t) |
     attr = "semmle.label" and
     val = t.toString()
diff --git a/csharp/ql/test/library-tests/controlflow/splits/SplittingStressTest.ql b/csharp/ql/test/library-tests/controlflow/splits/SplittingStressTest.ql
index 4a07618c373..2c637ff0db1 100644
--- a/csharp/ql/test/library-tests/controlflow/splits/SplittingStressTest.ql
+++ b/csharp/ql/test/library-tests/controlflow/splits/SplittingStressTest.ql
@@ -1,6 +1,7 @@
 import csharp
 
 query predicate countSplits(ControlFlowElement cfe, int i) {
+  not cfe.fromLibrary() and
   i = strictcount(ControlFlow::Nodes::ElementNode n | n.getElement() = cfe)
 }
 
diff --git a/csharp/ql/test/library-tests/csharp7.1/DefaultLiterals.ql b/csharp/ql/test/library-tests/csharp7.1/DefaultLiterals.ql
index 63e5a69b6e5..578b7e7fef4 100644
--- a/csharp/ql/test/library-tests/csharp7.1/DefaultLiterals.ql
+++ b/csharp/ql/test/library-tests/csharp7.1/DefaultLiterals.ql
@@ -1,4 +1,5 @@
 import csharp
 
 from DefaultValueExpr l
+where l.fromSource()
 select l, l.getValue()
diff --git a/csharp/ql/test/library-tests/csharp7/LocalTaintFlow.ql b/csharp/ql/test/library-tests/csharp7/LocalTaintFlow.ql
index 22f61aacdd8..ed293efc2ba 100644
--- a/csharp/ql/test/library-tests/csharp7/LocalTaintFlow.ql
+++ b/csharp/ql/test/library-tests/csharp7/LocalTaintFlow.ql
@@ -2,5 +2,7 @@ import csharp
 import semmle.code.csharp.dataflow.TaintTracking
 
 from DataFlow::Node pred, DataFlow::Node succ
-where TaintTracking::localTaintStep(pred, succ)
+where
+  TaintTracking::localTaintStep(pred, succ) and
+  not pred.asExpr().fromLibrary()
 select pred, succ
diff --git a/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.ql b/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.ql
index f1fc98c459b..8f820cfea48 100644
--- a/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.ql
+++ b/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.ql
@@ -1,5 +1,5 @@
 import csharp
 
 from DataFlow::Node pred, DataFlow::Node succ
-where DataFlow::localFlowStep(pred, succ)
+where not pred.asExpr().fromLibrary() and DataFlow::localFlowStep(pred, succ)
 select pred, succ
diff --git a/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.ql b/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.ql
index 1866acfcda8..ffbdcd4dddf 100644
--- a/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.ql
+++ b/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.ql
@@ -1,5 +1,7 @@
 import csharp
 
 from DataFlow::Node pred, DataFlow::Node succ
-where TaintTracking::localTaintStep(pred, succ)
+where
+  not pred.asExpr().fromLibrary() and
+  TaintTracking::localTaintStep(pred, succ)
 select pred, succ
diff --git a/csharp/ql/test/library-tests/dataflow/modulusanalysis/ModulusAnalysis.ql b/csharp/ql/test/library-tests/dataflow/modulusanalysis/ModulusAnalysis.ql
index b07608ea009..02ffbc535ce 100644
--- a/csharp/ql/test/library-tests/dataflow/modulusanalysis/ModulusAnalysis.ql
+++ b/csharp/ql/test/library-tests/dataflow/modulusanalysis/ModulusAnalysis.ql
@@ -4,5 +4,7 @@ import semmle.code.csharp.dataflow.ModulusAnalysis
 import semmle.code.csharp.dataflow.Bound
 
 from ControlFlow::Nodes::ExprNode e, Bound b, int delta, int mod
-where exprModulus(e, b, delta, mod)
+where
+  not e.getExpr().fromLibrary() and
+  exprModulus(e, b, delta, mod)
 select e, b.toString(), delta, mod
diff --git a/csharp/ql/test/library-tests/dataflow/signanalysis/SignAnalysis.ql b/csharp/ql/test/library-tests/dataflow/signanalysis/SignAnalysis.ql
index 5427cdc631d..650d0f6bed4 100644
--- a/csharp/ql/test/library-tests/dataflow/signanalysis/SignAnalysis.ql
+++ b/csharp/ql/test/library-tests/dataflow/signanalysis/SignAnalysis.ql
@@ -18,4 +18,5 @@ string getASignString(ControlFlow::Nodes::ExprNode e) {
 }
 
 from ControlFlow::Nodes::ExprNode e
+where not e.getExpr().fromLibrary()
 select e, strictconcat(string s | s = getASignString(e) | s, " ")
diff --git a/csharp/ql/test/library-tests/dataflow/tuples/DataFlowStep.ql b/csharp/ql/test/library-tests/dataflow/tuples/DataFlowStep.ql
index f1fc98c459b..8f820cfea48 100644
--- a/csharp/ql/test/library-tests/dataflow/tuples/DataFlowStep.ql
+++ b/csharp/ql/test/library-tests/dataflow/tuples/DataFlowStep.ql
@@ -1,5 +1,5 @@
 import csharp
 
 from DataFlow::Node pred, DataFlow::Node succ
-where DataFlow::localFlowStep(pred, succ)
+where not pred.asExpr().fromLibrary() and DataFlow::localFlowStep(pred, succ)
 select pred, succ
diff --git a/csharp/ql/test/library-tests/exprorstmtparent/Parameter.ql b/csharp/ql/test/library-tests/exprorstmtparent/Parameter.ql
index 3c12d5b870f..33f6eeb2b9d 100644
--- a/csharp/ql/test/library-tests/exprorstmtparent/Parameter.ql
+++ b/csharp/ql/test/library-tests/exprorstmtparent/Parameter.ql
@@ -1,4 +1,5 @@
 import csharp
 
 from Parameter p
+where p.fromSource()
 select p, p.getDefaultValue()
diff --git a/csharp/ql/test/library-tests/goto/Goto1.ql b/csharp/ql/test/library-tests/goto/Goto1.ql
index e7ee0b3ff8a..97dd1fa2af0 100644
--- a/csharp/ql/test/library-tests/goto/Goto1.ql
+++ b/csharp/ql/test/library-tests/goto/Goto1.ql
@@ -1,6 +1,7 @@
 import csharp
 
 query predicate edges(ControlFlow::Node node, ControlFlow::Node successor, string attr, string val) {
+  not node.getElement().fromLibrary() and
   exists(ControlFlow::SuccessorType t | successor = node.getASuccessorByType(t) |
     attr = "semmle.label" and
     val = t.toString()
diff --git a/csharp/ql/test/library-tests/standalone/controlflow/cfg.ql b/csharp/ql/test/library-tests/standalone/controlflow/cfg.ql
index 88a0a00c632..4936dc9b4cd 100644
--- a/csharp/ql/test/library-tests/standalone/controlflow/cfg.ql
+++ b/csharp/ql/test/library-tests/standalone/controlflow/cfg.ql
@@ -17,4 +17,6 @@ class UnknownLocalVariableDeclExpr extends LocalVariableDeclAndInitExpr {
   override string toString() { result = "(unknown type) " + this.getName() }
 }
 
-query predicate edges(ControlFlow::Node n1, ControlFlow::Node n2) { n2 = n1.getASuccessor() }
+query predicate edges(ControlFlow::Node n1, ControlFlow::Node n2) {
+  not n1.getElement().fromLibrary() and n2 = n1.getASuccessor()
+}
diff --git a/csharp/ql/test/query-tests/Stubs/MinimalStubsFromSource.expected b/csharp/ql/test/query-tests/Stubs/MinimalStubsFromSource.expected
index d2dd3037e3c..d4a68c97906 100644
--- a/csharp/ql/test/query-tests/Stubs/MinimalStubsFromSource.expected
+++ b/csharp/ql/test/query-tests/Stubs/MinimalStubsFromSource.expected
@@ -1 +1 @@
-| // This file contains auto-generated code.\n// original-extractor-options: /r:System.Text.RegularExpressions.dll /r:System.Collections.Specialized.dll /r:System.Net.dll /r:System.Web.dll /r:System.Net.HttpListener.dll /r:System.Collections.Specialized.dll /r:System.Private.Uri.dll /r:System.Runtime.Extensions.dll /r:System.Linq.Parallel.dll /r:System.Collections.Concurrent.dll /r:System.Linq.Expressions.dll /r:System.Collections.dll /r:System.Linq.Queryable.dll /r:System.Linq.dll /r:System.Collections.NonGeneric.dll /r:System.ObjectModel.dll /r:System.ComponentModel.TypeConverter.dll /r:System.IO.Compression.dll /r:System.IO.Pipes.dll /r:System.Net.Primitives.dll /r:System.Net.Security.dll /r:System.Security.Cryptography.Primitives.dll /r:System.Text.RegularExpressions.dll ${testdir}/../../resources/stubs/System.Web.cs /r:System.Runtime.Serialization.Primitives.dll\n\nnamespace System\n{\n// Generated from `System.Uri` in `System.Private.Uri, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Uri : System.Runtime.Serialization.ISerializable\n{\n    public override bool Equals(object comparand) => throw null;\n    public override int GetHashCode() => throw null;\n    public override string ToString() => throw null;\n    void System.Runtime.Serialization.ISerializable.GetObjectData(System.Runtime.Serialization.SerializationInfo serializationInfo, System.Runtime.Serialization.StreamingContext streamingContext) => throw null;\n}\n\nnamespace Collections\n{\n// Generated from `System.Collections.Queue` in `System.Collections.NonGeneric, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Queue : System.ICloneable, System.Collections.IEnumerable, System.Collections.ICollection\n{\n    public virtual System.Collections.IEnumerator GetEnumerator() => throw null;\n    public virtual bool IsSynchronized { get => throw null; }\n    public virtual int Count { get => throw null; }\n    public virtual object Clone() => throw null;\n    public virtual object SyncRoot { get => throw null; }\n    public virtual void CopyTo(System.Array array, int index) => throw null;\n}\n\n// Generated from `System.Collections.SortedList` in `System.Collections.NonGeneric, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class SortedList : System.ICloneable, System.Collections.IEnumerable, System.Collections.IDictionary, System.Collections.ICollection\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public virtual System.Collections.ICollection Keys { get => throw null; }\n    public virtual System.Collections.ICollection Values { get => throw null; }\n    public virtual System.Collections.IDictionaryEnumerator GetEnumerator() => throw null;\n    public virtual bool Contains(object key) => throw null;\n    public virtual bool IsFixedSize { get => throw null; }\n    public virtual bool IsReadOnly { get => throw null; }\n    public virtual bool IsSynchronized { get => throw null; }\n    public virtual int Count { get => throw null; }\n    public virtual object Clone() => throw null;\n    public virtual object GetByIndex(int index) => throw null;\n    public virtual object SyncRoot { get => throw null; }\n    public virtual object this[object key] { get => throw null; set => throw null; }\n    public virtual void Add(object key, object value) => throw null;\n    public virtual void Clear() => throw null;\n    public virtual void CopyTo(System.Array array, int arrayIndex) => throw null;\n    public virtual void Remove(object key) => throw null;\n}\n\n// Generated from `System.Collections.Stack` in `System.Collections.NonGeneric, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Stack : System.ICloneable, System.Collections.IEnumerable, System.Collections.ICollection\n{\n    public virtual System.Collections.IEnumerator GetEnumerator() => throw null;\n    public virtual bool IsSynchronized { get => throw null; }\n    public virtual int Count { get => throw null; }\n    public virtual object Clone() => throw null;\n    public virtual object SyncRoot { get => throw null; }\n    public virtual void CopyTo(System.Array array, int index) => throw null;\n}\n\nnamespace Concurrent\n{\n// Generated from `System.Collections.Concurrent.BlockingCollection<>` in `System.Collections.Concurrent, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class BlockingCollection<T> : System.IDisposable, System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.IReadOnlyCollection<T>, System.Collections.Generic.IEnumerable<T>\n{\n    System.Collections.Generic.IEnumerator<T> System.Collections.Generic.IEnumerable<T>.GetEnumerator() => throw null;\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.ICollection.IsSynchronized { get => throw null; }\n    object System.Collections.ICollection.SyncRoot { get => throw null; }\n    public int Count { get => throw null; }\n    public void Dispose() => throw null;\n    void System.Collections.ICollection.CopyTo(System.Array array, int index) => throw null;\n}\n\n// Generated from `System.Collections.Concurrent.BlockingCollectionDebugView<>` in `System.Collections.Concurrent, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass BlockingCollectionDebugView<T>\n{\n}\n\n// Generated from `System.Collections.Concurrent.IDictionaryDebugView<,>` in `System.Collections.Concurrent, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass IDictionaryDebugView<TKey,TValue>\n{\n}\n\n}\nnamespace Generic\n{\n// Generated from `System.Collections.Generic.CollectionDebugView<>` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass CollectionDebugView<T>\n{\n}\n\n// Generated from `System.Collections.Generic.DictionaryDebugView<,>` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass DictionaryDebugView<K,V>\n{\n}\n\n// Generated from `System.Collections.Generic.QueueDebugView<>` in `System.Collections, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass QueueDebugView<T>\n{\n}\n\n// Generated from `System.Collections.Generic.SortedSet<>` in `System.Collections, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class SortedSet<T> : System.Runtime.Serialization.ISerializable, System.Runtime.Serialization.IDeserializationCallback, System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.ISet<T>, System.Collections.Generic.IReadOnlySet<T>, System.Collections.Generic.IReadOnlyCollection<T>, System.Collections.Generic.IEnumerable<T>, System.Collections.Generic.ICollection<T>\n{\n    System.Collections.Generic.IEnumerator<T> System.Collections.Generic.IEnumerable<T>.GetEnumerator() => throw null;\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.Generic.ICollection<T>.IsReadOnly { get => throw null; }\n    bool System.Collections.ICollection.IsSynchronized { get => throw null; }\n    object System.Collections.ICollection.SyncRoot { get => throw null; }\n    public bool Add(T item) => throw null;\n    public bool IsProperSubsetOf(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public bool IsProperSupersetOf(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public bool IsSubsetOf(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public bool IsSupersetOf(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public bool Overlaps(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public bool Remove(T item) => throw null;\n    public bool SetEquals(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public int Count { get => throw null; }\n    public virtual bool Contains(T item) => throw null;\n    public virtual void Clear() => throw null;\n    public virtual void IntersectWith(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public void CopyTo(T[] array, int index) => throw null;\n    public void ExceptWith(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public void SymmetricExceptWith(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public void UnionWith(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    void System.Collections.Generic.ICollection<T>.Add(T item) => throw null;\n    void System.Collections.ICollection.CopyTo(System.Array array, int index) => throw null;\n    void System.Runtime.Serialization.IDeserializationCallback.OnDeserialization(object sender) => throw null;\n    void System.Runtime.Serialization.ISerializable.GetObjectData(System.Runtime.Serialization.SerializationInfo info, System.Runtime.Serialization.StreamingContext context) => throw null;\n}\n\n// Generated from `System.Collections.Generic.Stack<>` in `System.Collections, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Stack<T> : System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.IReadOnlyCollection<T>, System.Collections.Generic.IEnumerable<T>\n{\n    System.Collections.Generic.IEnumerator<T> System.Collections.Generic.IEnumerable<T>.GetEnumerator() => throw null;\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.ICollection.IsSynchronized { get => throw null; }\n    object System.Collections.ICollection.SyncRoot { get => throw null; }\n    public T Peek() => throw null;\n    public int Count { get => throw null; }\n    void System.Collections.ICollection.CopyTo(System.Array array, int arrayIndex) => throw null;\n}\n\n// Generated from `System.Collections.Generic.StackDebugView<>` in `System.Collections, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass StackDebugView<T>\n{\n}\n\n}\nnamespace Specialized\n{\n// Generated from `System.Collections.Specialized.NameObjectCollectionBase` in `System.Collections.Specialized, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class NameObjectCollectionBase : System.Runtime.Serialization.ISerializable, System.Runtime.Serialization.IDeserializationCallback, System.Collections.IEnumerable, System.Collections.ICollection\n{\n    bool System.Collections.ICollection.IsSynchronized { get => throw null; }\n    object System.Collections.ICollection.SyncRoot { get => throw null; }\n    public virtual System.Collections.IEnumerator GetEnumerator() => throw null;\n    public virtual int Count { get => throw null; }\n    public virtual void GetObjectData(System.Runtime.Serialization.SerializationInfo info, System.Runtime.Serialization.StreamingContext context) => throw null;\n    public virtual void OnDeserialization(object sender) => throw null;\n    void System.Collections.ICollection.CopyTo(System.Array array, int index) => throw null;\n}\n\n// Generated from `System.Collections.Specialized.NameValueCollection` in `System.Collections.Specialized, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class NameValueCollection : System.Collections.Specialized.NameObjectCollectionBase\n{\n    public string this[string name] { get => throw null; set => throw null; }\n}\n\n}\n}\nnamespace ComponentModel\n{\n// Generated from `System.ComponentModel.ComponentConverter` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ComponentConverter : System.ComponentModel.ReferenceConverter\n{\n}\n\n// Generated from `System.ComponentModel.DefaultEventAttribute` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class DefaultEventAttribute : System.Attribute\n{\n    public DefaultEventAttribute(string name) => throw null;\n    public override bool Equals(object obj) => throw null;\n    public override int GetHashCode() => throw null;\n}\n\n// Generated from `System.ComponentModel.DefaultPropertyAttribute` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class DefaultPropertyAttribute : System.Attribute\n{\n    public DefaultPropertyAttribute(string name) => throw null;\n    public override bool Equals(object obj) => throw null;\n    public override int GetHashCode() => throw null;\n}\n\n// Generated from `System.ComponentModel.INotifyPropertyChanged` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface INotifyPropertyChanged\n{\n}\n\n// Generated from `System.ComponentModel.ReferenceConverter` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ReferenceConverter : System.ComponentModel.TypeConverter\n{\n}\n\n// Generated from `System.ComponentModel.TypeConverterAttribute` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class TypeConverterAttribute : System.Attribute\n{\n    public TypeConverterAttribute() => throw null;\n    public TypeConverterAttribute(System.Type type) => throw null;\n    public TypeConverterAttribute(string typeName) => throw null;\n    public override bool Equals(object obj) => throw null;\n    public override int GetHashCode() => throw null;\n}\n\n// Generated from `System.ComponentModel.TypeConverter` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class TypeConverter\n{\n}\n\n// Generated from `System.ComponentModel.TypeDescriptionProviderAttribute` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class TypeDescriptionProviderAttribute : System.Attribute\n{\n    public TypeDescriptionProviderAttribute(System.Type type) => throw null;\n    public TypeDescriptionProviderAttribute(string typeName) => throw null;\n}\n\n// Generated from `System.ComponentModel.TypeDescriptionProvider` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class TypeDescriptionProvider\n{\n}\n\n// Generated from `System.ComponentModel.TypeDescriptor` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class TypeDescriptor\n{\n}\n\nnamespace Design\n{\n// Generated from `System.ComponentModel.Design.DesignerOptionService` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class DesignerOptionService : System.ComponentModel.Design.IDesignerOptionService\n{\n}\n\n// Generated from `System.ComponentModel.Design.IDesignerOptionService` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface IDesignerOptionService\n{\n}\n\n}\n}\nnamespace Dynamic\n{\n// Generated from `System.Dynamic.DynamicMetaObject` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class DynamicMetaObject\n{\n}\n\n// Generated from `System.Dynamic.ExpandoObject` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ExpandoObject : System.Dynamic.IDynamicMetaObjectProvider, System.ComponentModel.INotifyPropertyChanged, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<System.Collections.Generic.KeyValuePair<string,object>>, System.Collections.Generic.IDictionary<string,object>, System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>\n{\n    System.Collections.Generic.ICollection<object> System.Collections.Generic.IDictionary<string,object>.Values { get => throw null; }\n    System.Collections.Generic.ICollection<string> System.Collections.Generic.IDictionary<string,object>.Keys { get => throw null; }\n    System.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<string,object>> System.Collections.Generic.IEnumerable<System.Collections.Generic.KeyValuePair<string,object>>.GetEnumerator() => throw null;\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.Contains(System.Collections.Generic.KeyValuePair<string,object> item) => throw null;\n    bool System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.IsReadOnly { get => throw null; }\n    bool System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.Remove(System.Collections.Generic.KeyValuePair<string,object> item) => throw null;\n    bool System.Collections.Generic.IDictionary<string,object>.ContainsKey(string key) => throw null;\n    bool System.Collections.Generic.IDictionary<string,object>.Remove(string key) => throw null;\n    bool System.Collections.Generic.IDictionary<string,object>.TryGetValue(string key, out object value) => throw null;\n    int System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.Count { get => throw null; }\n    object this[string key] { get => throw null; set => throw null; }\n    void System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.Add(System.Collections.Generic.KeyValuePair<string,object> item) => throw null;\n    void System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.Clear() => throw null;\n    void System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.CopyTo(System.Collections.Generic.KeyValuePair<string,object>[] array, int arrayIndex) => throw null;\n    void System.Collections.Generic.IDictionary<string,object>.Add(string key, object value) => throw null;\n}\n\n// Generated from `System.Dynamic.IDynamicMetaObjectProvider` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface IDynamicMetaObjectProvider\n{\n}\n\nnamespace Utils\n{\n// Generated from `System.Dynamic.Utils.ListProvider<>` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract class ListProvider<T> : System.Collections.IEnumerable, System.Collections.Generic.IList<T>, System.Collections.Generic.IEnumerable<T>, System.Collections.Generic.ICollection<T> where T: class\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<T> GetEnumerator() => throw null;\n    public T this[int index] { get => throw null; set => throw null; }\n    public bool Contains(T item) => throw null;\n    public bool IsReadOnly { get => throw null; }\n    public bool Remove(T item) => throw null;\n    public int Count { get => throw null; }\n    public int IndexOf(T item) => throw null;\n    public void Add(T item) => throw null;\n    public void Clear() => throw null;\n    public void CopyTo(T[] array, int index) => throw null;\n    public void Insert(int index, T item) => throw null;\n    public void RemoveAt(int index) => throw null;\n}\n\n}\n}\nnamespace IO\n{\nnamespace Compression\n{\n// Generated from `System.IO.Compression.DeflateStream` in `System.IO.Compression, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089`\npublic class DeflateStream : System.IO.Stream\n{\n    protected override void Dispose(bool disposing) => throw null;\n    public override System.IAsyncResult BeginRead(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.IAsyncResult BeginWrite(System.Byte[] array, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.Int64 Length { get => throw null; }\n    public override System.Int64 Position { get => throw null; set => throw null; }\n    public override System.Int64 Seek(System.Int64 offset, System.IO.SeekOrigin origin) => throw null;\n    public override System.Threading.Tasks.Task CopyToAsync(System.IO.Stream destination, int bufferSize, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task FlushAsync(System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task WriteAsync(System.Byte[] array, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task<int> ReadAsync(System.Byte[] array, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.ValueTask DisposeAsync() => throw null;\n    public override System.Threading.Tasks.ValueTask WriteAsync(System.ReadOnlyMemory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.ValueTask<int> ReadAsync(System.Memory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override bool CanRead { get => throw null; }\n    public override bool CanSeek { get => throw null; }\n    public override bool CanWrite { get => throw null; }\n    public override int EndRead(System.IAsyncResult asyncResult) => throw null;\n    public override int Read(System.Byte[] array, int offset, int count) => throw null;\n    public override int Read(System.Span<System.Byte> buffer) => throw null;\n    public override int ReadByte() => throw null;\n    public override void CopyTo(System.IO.Stream destination, int bufferSize) => throw null;\n    public override void EndWrite(System.IAsyncResult asyncResult) => throw null;\n    public override void Flush() => throw null;\n    public override void SetLength(System.Int64 value) => throw null;\n    public override void Write(System.Byte[] array, int offset, int count) => throw null;\n    public override void Write(System.ReadOnlySpan<System.Byte> buffer) => throw null;\n}\n\n}\n}\nnamespace Linq\n{\n// Generated from `System.Linq.Enumerable` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstatic public class Enumerable\n{\n    public static System.Collections.Generic.IEnumerable<TResult> Select<TSource,TResult>(this System.Collections.Generic.IEnumerable<TSource> source, System.Func<TSource,TResult> selector) => throw null;\n}\n\n// Generated from `System.Linq.Grouping<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Grouping<TKey,TElement> : System.Linq.IGrouping<TKey,TElement>, System.Collections.IEnumerable, System.Collections.Generic.IList<TElement>, System.Collections.Generic.IEnumerable<TElement>, System.Collections.Generic.ICollection<TElement>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    TElement this[int index] { get => throw null; set => throw null; }\n    bool System.Collections.Generic.ICollection<TElement>.Contains(TElement item) => throw null;\n    bool System.Collections.Generic.ICollection<TElement>.IsReadOnly { get => throw null; }\n    bool System.Collections.Generic.ICollection<TElement>.Remove(TElement item) => throw null;\n    int System.Collections.Generic.ICollection<TElement>.Count { get => throw null; }\n    int System.Collections.Generic.IList<TElement>.IndexOf(TElement item) => throw null;\n    public System.Collections.Generic.IEnumerator<TElement> GetEnumerator() => throw null;\n    void System.Collections.Generic.ICollection<TElement>.Add(TElement item) => throw null;\n    void System.Collections.Generic.ICollection<TElement>.Clear() => throw null;\n    void System.Collections.Generic.ICollection<TElement>.CopyTo(TElement[] array, int arrayIndex) => throw null;\n    void System.Collections.Generic.IList<TElement>.Insert(int index, TElement item) => throw null;\n    void System.Collections.Generic.IList<TElement>.RemoveAt(int index) => throw null;\n}\n\n// Generated from `System.Linq.IGrouping<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface IGrouping<TKey,TElement> : System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TElement>\n{\n}\n\n// Generated from `System.Linq.IIListProvider<>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\ninterface IIListProvider<TElement> : System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TElement>\n{\n}\n\n// Generated from `System.Linq.ILookup<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface ILookup<TKey,TElement> : System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<System.Linq.IGrouping<TKey,TElement>>\n{\n}\n\n// Generated from `System.Linq.IOrderedEnumerable<>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface IOrderedEnumerable<TElement> : System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TElement>\n{\n}\n\n// Generated from `System.Linq.IPartition<>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\ninterface IPartition<TElement> : System.Linq.IIListProvider<TElement>, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TElement>\n{\n}\n\n// Generated from `System.Linq.IQueryable` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface IQueryable : System.Collections.IEnumerable\n{\n}\n\n// Generated from `System.Linq.Lookup<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Lookup<TKey,TElement> : System.Linq.ILookup<TKey,TElement>, System.Linq.IIListProvider<System.Linq.IGrouping<TKey,TElement>>, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<System.Linq.IGrouping<TKey,TElement>>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<System.Linq.IGrouping<TKey,TElement>> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.OrderedEnumerable<>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract class OrderedEnumerable<TElement> : System.Linq.IPartition<TElement>, System.Linq.IOrderedEnumerable<TElement>, System.Linq.IIListProvider<TElement>, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TElement>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<TElement> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.ParallelEnumerable` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstatic public class ParallelEnumerable\n{\n    public static System.Linq.ParallelQuery AsParallel(this System.Collections.IEnumerable source) => throw null;\n}\n\n// Generated from `System.Linq.ParallelQuery<>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ParallelQuery<TSource> : System.Linq.ParallelQuery, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TSource>\n{\n    public virtual System.Collections.Generic.IEnumerator<TSource> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.ParallelQuery` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ParallelQuery : System.Collections.IEnumerable\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.Queryable` in `System.Linq.Queryable, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstatic public class Queryable\n{\n    public static System.Linq.IQueryable AsQueryable(this System.Collections.IEnumerable source) => throw null;\n}\n\n// Generated from `System.Linq.SystemLinq_GroupingDebugView<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass SystemLinq_GroupingDebugView<TKey,TElement>\n{\n}\n\n// Generated from `System.Linq.SystemLinq_LookupDebugView<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass SystemLinq_LookupDebugView<TKey,TElement>\n{\n}\n\nnamespace Expressions\n{\n// Generated from `System.Linq.Expressions.BlockExpressionList` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass BlockExpressionList : System.Collections.IEnumerable, System.Collections.Generic.IList<System.Linq.Expressions.Expression>, System.Collections.Generic.IEnumerable<System.Linq.Expressions.Expression>, System.Collections.Generic.ICollection<System.Linq.Expressions.Expression>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<System.Linq.Expressions.Expression> GetEnumerator() => throw null;\n    public System.Linq.Expressions.Expression this[int index] { get => throw null; set => throw null; }\n    public bool Contains(System.Linq.Expressions.Expression item) => throw null;\n    public bool IsReadOnly { get => throw null; }\n    public bool Remove(System.Linq.Expressions.Expression item) => throw null;\n    public int Count { get => throw null; }\n    public int IndexOf(System.Linq.Expressions.Expression item) => throw null;\n    public void Add(System.Linq.Expressions.Expression item) => throw null;\n    public void Clear() => throw null;\n    public void CopyTo(System.Linq.Expressions.Expression[] array, int index) => throw null;\n    public void Insert(int index, System.Linq.Expressions.Expression item) => throw null;\n    public void RemoveAt(int index) => throw null;\n}\n\n// Generated from `System.Linq.Expressions.Expression` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class Expression\n{\n    public override string ToString() => throw null;\n}\n\n// Generated from `System.Linq.Expressions.ParameterExpression` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ParameterExpression : System.Linq.Expressions.Expression\n{\n}\n\nnamespace Compiler\n{\n// Generated from `System.Linq.Expressions.Compiler.ParameterList` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass ParameterList : System.Collections.IEnumerable, System.Collections.Generic.IReadOnlyList<System.Linq.Expressions.ParameterExpression>, System.Collections.Generic.IReadOnlyCollection<System.Linq.Expressions.ParameterExpression>, System.Collections.Generic.IEnumerable<System.Linq.Expressions.ParameterExpression>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<System.Linq.Expressions.ParameterExpression> GetEnumerator() => throw null;\n    public System.Linq.Expressions.ParameterExpression this[int index] { get => throw null; }\n    public int Count { get => throw null; }\n}\n\n}\nnamespace Interpreter\n{\n// Generated from `System.Linq.Expressions.Interpreter.InstructionArray` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstruct InstructionArray\n{\n}\n\n// Generated from `System.Linq.Expressions.Interpreter.InstructionList` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass InstructionList\n{\n}\n\n// Generated from `System.Linq.Expressions.Interpreter.InterpretedFrameInfo` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstruct InterpretedFrameInfo\n{\n    public override string ToString() => throw null;\n}\n\n// Generated from `System.Linq.Expressions.Interpreter.InterpretedFrame` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass InterpretedFrame\n{\n}\n\n}\n}\nnamespace Parallel\n{\n// Generated from `System.Linq.Parallel.ListChunk<>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass ListChunk<TInputOutput> : System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TInputOutput>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<TInputOutput> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.Parallel.Lookup<,>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass Lookup<TKey,TElement> : System.Linq.ILookup<TKey,TElement>, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<System.Linq.IGrouping<TKey,TElement>>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<System.Linq.IGrouping<TKey,TElement>> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.Parallel.PartitionerQueryOperator<>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass PartitionerQueryOperator<TElement> : System.Linq.Parallel.QueryOperator<TElement>\n{\n}\n\n// Generated from `System.Linq.Parallel.QueryOperator<>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract class QueryOperator<TOutput> : System.Linq.ParallelQuery<TOutput>\n{\n    public override System.Collections.Generic.IEnumerator<TOutput> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.Parallel.QueryResults<>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract class QueryResults<T> : System.Collections.IEnumerable, System.Collections.Generic.IList<T>, System.Collections.Generic.IEnumerable<T>, System.Collections.Generic.ICollection<T>\n{\n    System.Collections.Generic.IEnumerator<T> System.Collections.Generic.IEnumerable<T>.GetEnumerator() => throw null;\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.Generic.ICollection<T>.Contains(T item) => throw null;\n    bool System.Collections.Generic.ICollection<T>.IsReadOnly { get => throw null; }\n    bool System.Collections.Generic.ICollection<T>.Remove(T item) => throw null;\n    int System.Collections.Generic.IList<T>.IndexOf(T item) => throw null;\n    public T this[int index] { get => throw null; set => throw null; }\n    public int Count { get => throw null; }\n    void System.Collections.Generic.ICollection<T>.Add(T item) => throw null;\n    void System.Collections.Generic.ICollection<T>.Clear() => throw null;\n    void System.Collections.Generic.ICollection<T>.CopyTo(T[] array, int arrayIndex) => throw null;\n    void System.Collections.Generic.IList<T>.Insert(int index, T item) => throw null;\n    void System.Collections.Generic.IList<T>.RemoveAt(int index) => throw null;\n}\n\n// Generated from `System.Linq.Parallel.ZipQueryOperator<,,>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass ZipQueryOperator<TLeftInput,TRightInput,TOutput> : System.Linq.Parallel.QueryOperator<TOutput>\n{\n}\n\n}\n}\nnamespace Net\n{\n// Generated from `System.Net.CookieCollection` in `System.Net.Primitives, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class CookieCollection : System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.IReadOnlyCollection<System.Net.Cookie>, System.Collections.Generic.IEnumerable<System.Net.Cookie>, System.Collections.Generic.ICollection<System.Net.Cookie>\n{\n    System.Collections.Generic.IEnumerator<System.Net.Cookie> System.Collections.Generic.IEnumerable<System.Net.Cookie>.GetEnumerator() => throw null;\n    public System.Collections.IEnumerator GetEnumerator() => throw null;\n    public bool Contains(System.Net.Cookie cookie) => throw null;\n    public bool IsReadOnly { get => throw null; }\n    public bool IsSynchronized { get => throw null; }\n    public bool Remove(System.Net.Cookie cookie) => throw null;\n    public int Count { get => throw null; }\n    public object SyncRoot { get => throw null; }\n    public void Add(System.Net.Cookie cookie) => throw null;\n    public void Clear() => throw null;\n    public void CopyTo(System.Array array, int index) => throw null;\n    public void CopyTo(System.Net.Cookie[] array, int index) => throw null;\n}\n\n// Generated from `System.Net.Cookie` in `System.Net.Primitives, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Cookie\n{\n    public override bool Equals(object comparand) => throw null;\n    public override int GetHashCode() => throw null;\n    public override string ToString() => throw null;\n}\n\n// Generated from `System.Net.StreamFramer` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass StreamFramer\n{\n}\n\nnamespace Security\n{\n// Generated from `System.Net.Security.AuthenticatedStream` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class AuthenticatedStream : System.IO.Stream\n{\n    protected override void Dispose(bool disposing) => throw null;\n    public override System.Threading.Tasks.ValueTask DisposeAsync() => throw null;\n}\n\n// Generated from `System.Net.Security.CipherSuitesPolicy` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class CipherSuitesPolicy\n{\n}\n\n// Generated from `System.Net.Security.NegotiateStream` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class NegotiateStream : System.Net.Security.AuthenticatedStream\n{\n    protected override void Dispose(bool disposing) => throw null;\n    public override System.IAsyncResult BeginRead(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.IAsyncResult BeginWrite(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.Int64 Length { get => throw null; }\n    public override System.Int64 Position { get => throw null; set => throw null; }\n    public override System.Int64 Seek(System.Int64 offset, System.IO.SeekOrigin origin) => throw null;\n    public override System.Threading.Tasks.Task FlushAsync(System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task WriteAsync(System.Byte[] buffer, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task<int> ReadAsync(System.Byte[] buffer, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.ValueTask DisposeAsync() => throw null;\n    public override System.Threading.Tasks.ValueTask WriteAsync(System.ReadOnlyMemory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.ValueTask<int> ReadAsync(System.Memory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override bool CanRead { get => throw null; }\n    public override bool CanSeek { get => throw null; }\n    public override bool CanTimeout { get => throw null; }\n    public override bool CanWrite { get => throw null; }\n    public override int EndRead(System.IAsyncResult asyncResult) => throw null;\n    public override int Read(System.Byte[] buffer, int offset, int count) => throw null;\n    public override int ReadTimeout { get => throw null; set => throw null; }\n    public override int WriteTimeout { get => throw null; set => throw null; }\n    public override void EndWrite(System.IAsyncResult asyncResult) => throw null;\n    public override void Flush() => throw null;\n    public override void SetLength(System.Int64 value) => throw null;\n    public override void Write(System.Byte[] buffer, int offset, int count) => throw null;\n}\n\n// Generated from `System.Net.Security.SslStream` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class SslStream : System.Net.Security.AuthenticatedStream\n{\n    protected override void Dispose(bool disposing) => throw null;\n    public override System.IAsyncResult BeginRead(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.IAsyncResult BeginWrite(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.Int64 Length { get => throw null; }\n    public override System.Int64 Position { get => throw null; set => throw null; }\n    public override System.Int64 Seek(System.Int64 offset, System.IO.SeekOrigin origin) => throw null;\n    public override System.Threading.Tasks.Task FlushAsync(System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task WriteAsync(System.Byte[] buffer, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task<int> ReadAsync(System.Byte[] buffer, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.ValueTask DisposeAsync() => throw null;\n    public override System.Threading.Tasks.ValueTask WriteAsync(System.ReadOnlyMemory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.ValueTask<int> ReadAsync(System.Memory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override bool CanRead { get => throw null; }\n    public override bool CanSeek { get => throw null; }\n    public override bool CanTimeout { get => throw null; }\n    public override bool CanWrite { get => throw null; }\n    public override int EndRead(System.IAsyncResult asyncResult) => throw null;\n    public override int Read(System.Byte[] buffer, int offset, int count) => throw null;\n    public override int ReadByte() => throw null;\n    public override int ReadTimeout { get => throw null; set => throw null; }\n    public override int WriteTimeout { get => throw null; set => throw null; }\n    public override void EndWrite(System.IAsyncResult asyncResult) => throw null;\n    public override void Flush() => throw null;\n    public override void SetLength(System.Int64 value) => throw null;\n    public override void Write(System.Byte[] buffer, int offset, int count) => throw null;\n}\n\n// Generated from `System.Net.Security.TlsCipherSuite` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic enum TlsCipherSuite\n{\n}\n\n}\n}\nnamespace Runtime\n{\nnamespace Serialization\n{\n// Generated from `System.Runtime.Serialization.DataContractAttribute` in `System.Runtime.Serialization.Primitives, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class DataContractAttribute : System.Attribute\n{\n    public DataContractAttribute() => throw null;\n}\n\n// Generated from `System.Runtime.Serialization.DataMemberAttribute` in `System.Runtime.Serialization.Primitives, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class DataMemberAttribute : System.Attribute\n{\n    public DataMemberAttribute() => throw null;\n}\n\n}\n}\nnamespace Text\n{\nnamespace RegularExpressions\n{\n// Generated from `System.Text.RegularExpressions.Capture` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Capture\n{\n    public override string ToString() => throw null;\n}\n\n// Generated from `System.Text.RegularExpressions.CollectionDebuggerProxy<>` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass CollectionDebuggerProxy<T>\n{\n}\n\n// Generated from `System.Text.RegularExpressions.GroupCollection` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class GroupCollection : System.Collections.IList, System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.IReadOnlyList<System.Text.RegularExpressions.Group>, System.Collections.Generic.IReadOnlyDictionary<string,System.Text.RegularExpressions.Group>, System.Collections.Generic.IReadOnlyCollection<System.Text.RegularExpressions.Group>, System.Collections.Generic.IReadOnlyCollection<System.Collections.Generic.KeyValuePair<string,System.Text.RegularExpressions.Group>>, System.Collections.Generic.IList<System.Text.RegularExpressions.Group>, System.Collections.Generic.IEnumerable<System.Text.RegularExpressions.Group>, System.Collections.Generic.IEnumerable<System.Collections.Generic.KeyValuePair<string,System.Text.RegularExpressions.Group>>, System.Collections.Generic.ICollection<System.Text.RegularExpressions.Group>\n{\n    System.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<string,System.Text.RegularExpressions.Group>> System.Collections.Generic.IEnumerable<System.Collections.Generic.KeyValuePair<string,System.Text.RegularExpressions.Group>>.GetEnumerator() => throw null;\n    System.Collections.Generic.IEnumerator<System.Text.RegularExpressions.Group> System.Collections.Generic.IEnumerable<System.Text.RegularExpressions.Group>.GetEnumerator() => throw null;\n    System.Text.RegularExpressions.Group this[int index] { get => throw null; set => throw null; }\n    bool System.Collections.Generic.ICollection<System.Text.RegularExpressions.Group>.Contains(System.Text.RegularExpressions.Group item) => throw null;\n    bool System.Collections.Generic.ICollection<System.Text.RegularExpressions.Group>.Remove(System.Text.RegularExpressions.Group item) => throw null;\n    bool System.Collections.IList.Contains(object value) => throw null;\n    bool System.Collections.IList.IsFixedSize { get => throw null; }\n    int System.Collections.Generic.IList<System.Text.RegularExpressions.Group>.IndexOf(System.Text.RegularExpressions.Group item) => throw null;\n    int System.Collections.IList.Add(object value) => throw null;\n    int System.Collections.IList.IndexOf(object value) => throw null;\n    object this[int index] { get => throw null; set => throw null; }\n    public System.Collections.Generic.IEnumerable<System.Text.RegularExpressions.Group> Values { get => throw null; }\n    public System.Collections.Generic.IEnumerable<string> Keys { get => throw null; }\n    public System.Collections.IEnumerator GetEnumerator() => throw null;\n    public System.Text.RegularExpressions.Group this[string groupname] { get => throw null; }\n    public bool ContainsKey(string key) => throw null;\n    public bool IsReadOnly { get => throw null; }\n    public bool IsSynchronized { get => throw null; }\n    public bool TryGetValue(string key, out System.Text.RegularExpressions.Group value) => throw null;\n    public int Count { get => throw null; }\n    public object SyncRoot { get => throw null; }\n    public void CopyTo(System.Array array, int arrayIndex) => throw null;\n    public void CopyTo(System.Text.RegularExpressions.Group[] array, int arrayIndex) => throw null;\n    void System.Collections.Generic.ICollection<System.Text.RegularExpressions.Group>.Add(System.Text.RegularExpressions.Group item) => throw null;\n    void System.Collections.Generic.ICollection<System.Text.RegularExpressions.Group>.Clear() => throw null;\n    void System.Collections.Generic.IList<System.Text.RegularExpressions.Group>.Insert(int index, System.Text.RegularExpressions.Group item) => throw null;\n    void System.Collections.Generic.IList<System.Text.RegularExpressions.Group>.RemoveAt(int index) => throw null;\n    void System.Collections.IList.Clear() => throw null;\n    void System.Collections.IList.Insert(int index, object value) => throw null;\n    void System.Collections.IList.Remove(object value) => throw null;\n    void System.Collections.IList.RemoveAt(int index) => throw null;\n}\n\n// Generated from `System.Text.RegularExpressions.Group` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Group : System.Text.RegularExpressions.Capture\n{\n}\n\n// Generated from `System.Text.RegularExpressions.Match` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Match : System.Text.RegularExpressions.Group\n{\n}\n\n// Generated from `System.Text.RegularExpressions.RegexOptions` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\n[System.Flags]\npublic enum RegexOptions\n{\n    IgnoreCase,\n}\n\n// Generated from `System.Text.RegularExpressions.Regex` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Regex : System.Runtime.Serialization.ISerializable\n{\n    public Regex(string pattern) => throw null;\n    public Regex(string pattern, System.Text.RegularExpressions.RegexOptions options, System.TimeSpan matchTimeout) => throw null;\n    public System.Text.RegularExpressions.Match Match(string input) => throw null;\n    public override string ToString() => throw null;\n    public static System.Text.RegularExpressions.Match Match(string input, string pattern) => throw null;\n    public static System.Text.RegularExpressions.Match Match(string input, string pattern, System.Text.RegularExpressions.RegexOptions options, System.TimeSpan matchTimeout) => throw null;\n    public string Replace(string input, string replacement) => throw null;\n    void System.Runtime.Serialization.ISerializable.GetObjectData(System.Runtime.Serialization.SerializationInfo si, System.Runtime.Serialization.StreamingContext context) => throw null;\n}\n\n}\n}\nnamespace Timers\n{\n// Generated from `System.Timers.TimersDescriptionAttribute` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class TimersDescriptionAttribute\n{\n    public TimersDescriptionAttribute(string description) => throw null;\n}\n\n}\nnamespace Windows\n{\nnamespace Markup\n{\n// Generated from `System.Windows.Markup.ValueSerializerAttribute` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ValueSerializerAttribute : System.Attribute\n{\n    public ValueSerializerAttribute(System.Type valueSerializerType) => throw null;\n    public ValueSerializerAttribute(string valueSerializerTypeName) => throw null;\n}\n\n}\n}\n}\n |
+| // This file contains auto-generated code.\n// original-extractor-options: /r:System.Text.RegularExpressions.dll /r:System.Collections.Specialized.dll /r:System.Net.dll /r:System.Web.dll /r:System.Net.HttpListener.dll /r:System.Collections.Specialized.dll /r:System.Private.Uri.dll /r:System.Runtime.Extensions.dll /r:System.Linq.Parallel.dll /r:System.Collections.Concurrent.dll /r:System.Linq.Expressions.dll /r:System.Collections.dll /r:System.Linq.Queryable.dll /r:System.Linq.dll /r:System.Collections.NonGeneric.dll /r:System.ObjectModel.dll /r:System.ComponentModel.TypeConverter.dll /r:System.IO.Compression.dll /r:System.IO.Pipes.dll /r:System.Net.Primitives.dll /r:System.Net.Security.dll /r:System.Security.Cryptography.Primitives.dll /r:System.Text.RegularExpressions.dll ${testdir}/../../resources/stubs/System.Web.cs /r:System.Runtime.Serialization.Primitives.dll\n\nnamespace System\n{\n// Generated from `System.Uri` in `System.Private.Uri, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Uri : System.Runtime.Serialization.ISerializable\n{\n    public override bool Equals(object comparand) => throw null;\n    public override int GetHashCode() => throw null;\n    public override string ToString() => throw null;\n    void System.Runtime.Serialization.ISerializable.GetObjectData(System.Runtime.Serialization.SerializationInfo serializationInfo, System.Runtime.Serialization.StreamingContext streamingContext) => throw null;\n}\n\nnamespace Collections\n{\n// Generated from `System.Collections.Queue` in `System.Collections.NonGeneric, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Queue : System.ICloneable, System.Collections.IEnumerable, System.Collections.ICollection\n{\n    public virtual System.Collections.IEnumerator GetEnumerator() => throw null;\n    public virtual bool IsSynchronized { get => throw null; }\n    public virtual int Count { get => throw null; }\n    public virtual object Clone() => throw null;\n    public virtual object SyncRoot { get => throw null; }\n    public virtual void CopyTo(System.Array array, int index) => throw null;\n}\n\n// Generated from `System.Collections.SortedList` in `System.Collections.NonGeneric, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class SortedList : System.ICloneable, System.Collections.IEnumerable, System.Collections.IDictionary, System.Collections.ICollection\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public virtual System.Collections.ICollection Keys { get => throw null; }\n    public virtual System.Collections.ICollection Values { get => throw null; }\n    public virtual System.Collections.IDictionaryEnumerator GetEnumerator() => throw null;\n    public virtual bool Contains(object key) => throw null;\n    public virtual bool IsFixedSize { get => throw null; }\n    public virtual bool IsReadOnly { get => throw null; }\n    public virtual bool IsSynchronized { get => throw null; }\n    public virtual int Count { get => throw null; }\n    public virtual object Clone() => throw null;\n    public virtual object GetByIndex(int index) => throw null;\n    public virtual object SyncRoot { get => throw null; }\n    public virtual object this[object key] { get => throw null; set => throw null; }\n    public virtual void Add(object key, object value) => throw null;\n    public virtual void Clear() => throw null;\n    public virtual void CopyTo(System.Array array, int arrayIndex) => throw null;\n    public virtual void Remove(object key) => throw null;\n}\n\n// Generated from `System.Collections.Stack` in `System.Collections.NonGeneric, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Stack : System.ICloneable, System.Collections.IEnumerable, System.Collections.ICollection\n{\n    public virtual System.Collections.IEnumerator GetEnumerator() => throw null;\n    public virtual bool IsSynchronized { get => throw null; }\n    public virtual int Count { get => throw null; }\n    public virtual object Clone() => throw null;\n    public virtual object SyncRoot { get => throw null; }\n    public virtual void CopyTo(System.Array array, int index) => throw null;\n}\n\nnamespace Concurrent\n{\n// Generated from `System.Collections.Concurrent.BlockingCollection<>` in `System.Collections.Concurrent, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class BlockingCollection<T> : System.IDisposable, System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.IReadOnlyCollection<T>, System.Collections.Generic.IEnumerable<T>\n{\n    System.Collections.Generic.IEnumerator<T> System.Collections.Generic.IEnumerable<T>.GetEnumerator() => throw null;\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.ICollection.IsSynchronized { get => throw null; }\n    object System.Collections.ICollection.SyncRoot { get => throw null; }\n    public int Count { get => throw null; }\n    public void Dispose() => throw null;\n    void System.Collections.ICollection.CopyTo(System.Array array, int index) => throw null;\n}\n\n// Generated from `System.Collections.Concurrent.BlockingCollectionDebugView<>` in `System.Collections.Concurrent, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass BlockingCollectionDebugView<T>\n{\n}\n\n// Generated from `System.Collections.Concurrent.IDictionaryDebugView<,>` in `System.Collections.Concurrent, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass IDictionaryDebugView<TKey,TValue>\n{\n}\n\n}\nnamespace Generic\n{\n// Generated from `System.Collections.Generic.CollectionDebugView<>` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass CollectionDebugView<T>\n{\n}\n\n// Generated from `System.Collections.Generic.DictionaryDebugView<,>` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass DictionaryDebugView<K,V>\n{\n}\n\n// Generated from `System.Collections.Generic.QueueDebugView<>` in `System.Collections, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass QueueDebugView<T>\n{\n}\n\n// Generated from `System.Collections.Generic.SortedSet<>` in `System.Collections, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class SortedSet<T> : System.Runtime.Serialization.ISerializable, System.Runtime.Serialization.IDeserializationCallback, System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.ISet<T>, System.Collections.Generic.IReadOnlySet<T>, System.Collections.Generic.IReadOnlyCollection<T>, System.Collections.Generic.IEnumerable<T>, System.Collections.Generic.ICollection<T>\n{\n    System.Collections.Generic.IEnumerator<T> System.Collections.Generic.IEnumerable<T>.GetEnumerator() => throw null;\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.Generic.ICollection<T>.IsReadOnly { get => throw null; }\n    bool System.Collections.ICollection.IsSynchronized { get => throw null; }\n    object System.Collections.ICollection.SyncRoot { get => throw null; }\n    public bool Add(T item) => throw null;\n    public bool IsProperSubsetOf(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public bool IsProperSupersetOf(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public bool IsSubsetOf(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public bool IsSupersetOf(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public bool Overlaps(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public bool Remove(T item) => throw null;\n    public bool SetEquals(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public int Count { get => throw null; }\n    public virtual bool Contains(T item) => throw null;\n    public virtual void Clear() => throw null;\n    public virtual void IntersectWith(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public void CopyTo(T[] array, int index) => throw null;\n    public void ExceptWith(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public void SymmetricExceptWith(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public void UnionWith(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    void System.Collections.Generic.ICollection<T>.Add(T item) => throw null;\n    void System.Collections.ICollection.CopyTo(System.Array array, int index) => throw null;\n    void System.Runtime.Serialization.IDeserializationCallback.OnDeserialization(object sender) => throw null;\n    void System.Runtime.Serialization.ISerializable.GetObjectData(System.Runtime.Serialization.SerializationInfo info, System.Runtime.Serialization.StreamingContext context) => throw null;\n}\n\n// Generated from `System.Collections.Generic.Stack<>` in `System.Collections, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Stack<T> : System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.IReadOnlyCollection<T>, System.Collections.Generic.IEnumerable<T>\n{\n    System.Collections.Generic.IEnumerator<T> System.Collections.Generic.IEnumerable<T>.GetEnumerator() => throw null;\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.ICollection.IsSynchronized { get => throw null; }\n    object System.Collections.ICollection.SyncRoot { get => throw null; }\n    public T Peek() => throw null;\n    public int Count { get => throw null; }\n    void System.Collections.ICollection.CopyTo(System.Array array, int arrayIndex) => throw null;\n}\n\n// Generated from `System.Collections.Generic.StackDebugView<>` in `System.Collections, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass StackDebugView<T>\n{\n}\n\n}\nnamespace Specialized\n{\n// Generated from `System.Collections.Specialized.NameObjectCollectionBase` in `System.Collections.Specialized, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class NameObjectCollectionBase : System.Runtime.Serialization.ISerializable, System.Runtime.Serialization.IDeserializationCallback, System.Collections.IEnumerable, System.Collections.ICollection\n{\n    bool System.Collections.ICollection.IsSynchronized { get => throw null; }\n    object System.Collections.ICollection.SyncRoot { get => throw null; }\n    public virtual System.Collections.IEnumerator GetEnumerator() => throw null;\n    public virtual int Count { get => throw null; }\n    public virtual void GetObjectData(System.Runtime.Serialization.SerializationInfo info, System.Runtime.Serialization.StreamingContext context) => throw null;\n    public virtual void OnDeserialization(object sender) => throw null;\n    void System.Collections.ICollection.CopyTo(System.Array array, int index) => throw null;\n}\n\n// Generated from `System.Collections.Specialized.NameValueCollection` in `System.Collections.Specialized, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class NameValueCollection : System.Collections.Specialized.NameObjectCollectionBase\n{\n    public string this[string name] { get => throw null; set => throw null; }\n}\n\n}\n}\nnamespace ComponentModel\n{\n// Generated from `System.ComponentModel.ComponentConverter` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ComponentConverter : System.ComponentModel.ReferenceConverter\n{\n}\n\n// Generated from `System.ComponentModel.DefaultEventAttribute` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class DefaultEventAttribute : System.Attribute\n{\n    public DefaultEventAttribute(string name) => throw null;\n    public override bool Equals(object obj) => throw null;\n    public override int GetHashCode() => throw null;\n}\n\n// Generated from `System.ComponentModel.DefaultPropertyAttribute` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class DefaultPropertyAttribute : System.Attribute\n{\n    public DefaultPropertyAttribute(string name) => throw null;\n    public override bool Equals(object obj) => throw null;\n    public override int GetHashCode() => throw null;\n}\n\n// Generated from `System.ComponentModel.INotifyPropertyChanged` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface INotifyPropertyChanged\n{\n}\n\n// Generated from `System.ComponentModel.ReferenceConverter` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ReferenceConverter : System.ComponentModel.TypeConverter\n{\n}\n\n// Generated from `System.ComponentModel.TypeConverterAttribute` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class TypeConverterAttribute : System.Attribute\n{\n    public TypeConverterAttribute() => throw null;\n    public TypeConverterAttribute(System.Type type) => throw null;\n    public TypeConverterAttribute(string typeName) => throw null;\n    public override bool Equals(object obj) => throw null;\n    public override int GetHashCode() => throw null;\n}\n\n// Generated from `System.ComponentModel.TypeConverter` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class TypeConverter\n{\n}\n\n// Generated from `System.ComponentModel.TypeDescriptionProviderAttribute` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class TypeDescriptionProviderAttribute : System.Attribute\n{\n    public TypeDescriptionProviderAttribute(System.Type type) => throw null;\n    public TypeDescriptionProviderAttribute(string typeName) => throw null;\n}\n\n// Generated from `System.ComponentModel.TypeDescriptionProvider` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class TypeDescriptionProvider\n{\n}\n\n// Generated from `System.ComponentModel.TypeDescriptor` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class TypeDescriptor\n{\n}\n\nnamespace Design\n{\n// Generated from `System.ComponentModel.Design.DesignerOptionService` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class DesignerOptionService : System.ComponentModel.Design.IDesignerOptionService\n{\n}\n\n// Generated from `System.ComponentModel.Design.IDesignerOptionService` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface IDesignerOptionService\n{\n}\n\n}\n}\nnamespace Dynamic\n{\n// Generated from `System.Dynamic.DynamicMetaObject` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class DynamicMetaObject\n{\n}\n\n// Generated from `System.Dynamic.ExpandoObject` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ExpandoObject : System.Dynamic.IDynamicMetaObjectProvider, System.ComponentModel.INotifyPropertyChanged, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<System.Collections.Generic.KeyValuePair<string,object>>, System.Collections.Generic.IDictionary<string,object>, System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>\n{\n    System.Collections.Generic.ICollection<object> System.Collections.Generic.IDictionary<string,object>.Values { get => throw null; }\n    System.Collections.Generic.ICollection<string> System.Collections.Generic.IDictionary<string,object>.Keys { get => throw null; }\n    System.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<string,object>> System.Collections.Generic.IEnumerable<System.Collections.Generic.KeyValuePair<string,object>>.GetEnumerator() => throw null;\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.Contains(System.Collections.Generic.KeyValuePair<string,object> item) => throw null;\n    bool System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.IsReadOnly { get => throw null; }\n    bool System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.Remove(System.Collections.Generic.KeyValuePair<string,object> item) => throw null;\n    bool System.Collections.Generic.IDictionary<string,object>.ContainsKey(string key) => throw null;\n    bool System.Collections.Generic.IDictionary<string,object>.Remove(string key) => throw null;\n    bool System.Collections.Generic.IDictionary<string,object>.TryGetValue(string key, out object value) => throw null;\n    int System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.Count { get => throw null; }\n    object this[string key] { get => throw null; set => throw null; }\n    void System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.Add(System.Collections.Generic.KeyValuePair<string,object> item) => throw null;\n    void System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.Clear() => throw null;\n    void System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.CopyTo(System.Collections.Generic.KeyValuePair<string,object>[] array, int arrayIndex) => throw null;\n    void System.Collections.Generic.IDictionary<string,object>.Add(string key, object value) => throw null;\n}\n\n// Generated from `System.Dynamic.IDynamicMetaObjectProvider` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface IDynamicMetaObjectProvider\n{\n}\n\nnamespace Utils\n{\n// Generated from `System.Dynamic.Utils.ListProvider<>` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract class ListProvider<T> : System.Collections.IEnumerable, System.Collections.Generic.IList<T>, System.Collections.Generic.IEnumerable<T>, System.Collections.Generic.ICollection<T> where T: class\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<T> GetEnumerator() => throw null;\n    public T this[int index] { get => throw null; set => throw null; }\n    public bool Contains(T item) => throw null;\n    public bool IsReadOnly { get => throw null; }\n    public bool Remove(T item) => throw null;\n    public int Count { get => throw null; }\n    public int IndexOf(T item) => throw null;\n    public void Add(T item) => throw null;\n    public void Clear() => throw null;\n    public void CopyTo(T[] array, int index) => throw null;\n    public void Insert(int index, T item) => throw null;\n    public void RemoveAt(int index) => throw null;\n}\n\n}\n}\nnamespace IO\n{\nnamespace Compression\n{\n// Generated from `System.IO.Compression.DeflateStream` in `System.IO.Compression, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089`\npublic class DeflateStream : System.IO.Stream\n{\n    protected override void Dispose(bool disposing) => throw null;\n    public override System.IAsyncResult BeginRead(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.IAsyncResult BeginWrite(System.Byte[] array, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.Int64 Length { get => throw null; }\n    public override System.Int64 Position { get => throw null; set => throw null; }\n    public override System.Int64 Seek(System.Int64 offset, System.IO.SeekOrigin origin) => throw null;\n    public override System.Threading.Tasks.Task CopyToAsync(System.IO.Stream destination, int bufferSize, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task FlushAsync(System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task WriteAsync(System.Byte[] array, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task<int> ReadAsync(System.Byte[] array, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.ValueTask DisposeAsync() => throw null;\n    public override System.Threading.Tasks.ValueTask WriteAsync(System.ReadOnlyMemory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.ValueTask<int> ReadAsync(System.Memory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) => throw null;\n    public override bool CanRead { get => throw null; }\n    public override bool CanSeek { get => throw null; }\n    public override bool CanWrite { get => throw null; }\n    public override int EndRead(System.IAsyncResult asyncResult) => throw null;\n    public override int Read(System.Byte[] array, int offset, int count) => throw null;\n    public override int Read(System.Span<System.Byte> buffer) => throw null;\n    public override int ReadByte() => throw null;\n    public override void CopyTo(System.IO.Stream destination, int bufferSize) => throw null;\n    public override void EndWrite(System.IAsyncResult asyncResult) => throw null;\n    public override void Flush() => throw null;\n    public override void SetLength(System.Int64 value) => throw null;\n    public override void Write(System.Byte[] array, int offset, int count) => throw null;\n    public override void Write(System.ReadOnlySpan<System.Byte> buffer) => throw null;\n}\n\n}\n}\nnamespace Linq\n{\n// Generated from `System.Linq.Enumerable` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstatic public class Enumerable\n{\n    public static System.Collections.Generic.IEnumerable<TResult> Select<TSource,TResult>(this System.Collections.Generic.IEnumerable<TSource> source, System.Func<TSource,TResult> selector) => throw null;\n}\n\n// Generated from `System.Linq.Grouping<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Grouping<TKey,TElement> : System.Linq.IGrouping<TKey,TElement>, System.Collections.IEnumerable, System.Collections.Generic.IList<TElement>, System.Collections.Generic.IEnumerable<TElement>, System.Collections.Generic.ICollection<TElement>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    TElement this[int index] { get => throw null; set => throw null; }\n    bool System.Collections.Generic.ICollection<TElement>.Contains(TElement item) => throw null;\n    bool System.Collections.Generic.ICollection<TElement>.IsReadOnly { get => throw null; }\n    bool System.Collections.Generic.ICollection<TElement>.Remove(TElement item) => throw null;\n    int System.Collections.Generic.ICollection<TElement>.Count { get => throw null; }\n    int System.Collections.Generic.IList<TElement>.IndexOf(TElement item) => throw null;\n    public System.Collections.Generic.IEnumerator<TElement> GetEnumerator() => throw null;\n    void System.Collections.Generic.ICollection<TElement>.Add(TElement item) => throw null;\n    void System.Collections.Generic.ICollection<TElement>.Clear() => throw null;\n    void System.Collections.Generic.ICollection<TElement>.CopyTo(TElement[] array, int arrayIndex) => throw null;\n    void System.Collections.Generic.IList<TElement>.Insert(int index, TElement item) => throw null;\n    void System.Collections.Generic.IList<TElement>.RemoveAt(int index) => throw null;\n}\n\n// Generated from `System.Linq.IGrouping<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface IGrouping<TKey,TElement> : System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TElement>\n{\n}\n\n// Generated from `System.Linq.IIListProvider<>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\ninterface IIListProvider<TElement> : System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TElement>\n{\n}\n\n// Generated from `System.Linq.ILookup<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface ILookup<TKey,TElement> : System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<System.Linq.IGrouping<TKey,TElement>>\n{\n}\n\n// Generated from `System.Linq.IOrderedEnumerable<>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface IOrderedEnumerable<TElement> : System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TElement>\n{\n}\n\n// Generated from `System.Linq.IPartition<>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\ninterface IPartition<TElement> : System.Linq.IIListProvider<TElement>, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TElement>\n{\n}\n\n// Generated from `System.Linq.IQueryable` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface IQueryable : System.Collections.IEnumerable\n{\n}\n\n// Generated from `System.Linq.Lookup<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Lookup<TKey,TElement> : System.Linq.ILookup<TKey,TElement>, System.Linq.IIListProvider<System.Linq.IGrouping<TKey,TElement>>, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<System.Linq.IGrouping<TKey,TElement>>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<System.Linq.IGrouping<TKey,TElement>> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.OrderedEnumerable<>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract class OrderedEnumerable<TElement> : System.Linq.IPartition<TElement>, System.Linq.IOrderedEnumerable<TElement>, System.Linq.IIListProvider<TElement>, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TElement>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<TElement> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.ParallelEnumerable` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstatic public class ParallelEnumerable\n{\n    public static System.Linq.ParallelQuery AsParallel(this System.Collections.IEnumerable source) => throw null;\n}\n\n// Generated from `System.Linq.ParallelQuery<>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ParallelQuery<TSource> : System.Linq.ParallelQuery, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TSource>\n{\n    public virtual System.Collections.Generic.IEnumerator<TSource> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.ParallelQuery` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ParallelQuery : System.Collections.IEnumerable\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.Queryable` in `System.Linq.Queryable, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstatic public class Queryable\n{\n    public static System.Linq.IQueryable AsQueryable(this System.Collections.IEnumerable source) => throw null;\n}\n\n// Generated from `System.Linq.SystemLinq_GroupingDebugView<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass SystemLinq_GroupingDebugView<TKey,TElement>\n{\n}\n\n// Generated from `System.Linq.SystemLinq_LookupDebugView<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass SystemLinq_LookupDebugView<TKey,TElement>\n{\n}\n\nnamespace Expressions\n{\n// Generated from `System.Linq.Expressions.BlockExpressionList` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass BlockExpressionList : System.Collections.IEnumerable, System.Collections.Generic.IList<System.Linq.Expressions.Expression>, System.Collections.Generic.IEnumerable<System.Linq.Expressions.Expression>, System.Collections.Generic.ICollection<System.Linq.Expressions.Expression>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<System.Linq.Expressions.Expression> GetEnumerator() => throw null;\n    public System.Linq.Expressions.Expression this[int index] { get => throw null; set => throw null; }\n    public bool Contains(System.Linq.Expressions.Expression item) => throw null;\n    public bool IsReadOnly { get => throw null; }\n    public bool Remove(System.Linq.Expressions.Expression item) => throw null;\n    public int Count { get => throw null; }\n    public int IndexOf(System.Linq.Expressions.Expression item) => throw null;\n    public void Add(System.Linq.Expressions.Expression item) => throw null;\n    public void Clear() => throw null;\n    public void CopyTo(System.Linq.Expressions.Expression[] array, int index) => throw null;\n    public void Insert(int index, System.Linq.Expressions.Expression item) => throw null;\n    public void RemoveAt(int index) => throw null;\n}\n\n// Generated from `System.Linq.Expressions.Expression` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class Expression\n{\n    public override string ToString() => throw null;\n}\n\n// Generated from `System.Linq.Expressions.ParameterExpression` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ParameterExpression : System.Linq.Expressions.Expression\n{\n}\n\nnamespace Compiler\n{\n// Generated from `System.Linq.Expressions.Compiler.ParameterList` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass ParameterList : System.Collections.IEnumerable, System.Collections.Generic.IReadOnlyList<System.Linq.Expressions.ParameterExpression>, System.Collections.Generic.IReadOnlyCollection<System.Linq.Expressions.ParameterExpression>, System.Collections.Generic.IEnumerable<System.Linq.Expressions.ParameterExpression>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<System.Linq.Expressions.ParameterExpression> GetEnumerator() => throw null;\n    public System.Linq.Expressions.ParameterExpression this[int index] { get => throw null; }\n    public int Count { get => throw null; }\n}\n\n}\nnamespace Interpreter\n{\n// Generated from `System.Linq.Expressions.Interpreter.InstructionArray` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstruct InstructionArray\n{\n}\n\n// Generated from `System.Linq.Expressions.Interpreter.InstructionList` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass InstructionList\n{\n}\n\n// Generated from `System.Linq.Expressions.Interpreter.InterpretedFrameInfo` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstruct InterpretedFrameInfo\n{\n    public override string ToString() => throw null;\n}\n\n// Generated from `System.Linq.Expressions.Interpreter.InterpretedFrame` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass InterpretedFrame\n{\n}\n\n}\n}\nnamespace Parallel\n{\n// Generated from `System.Linq.Parallel.ListChunk<>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass ListChunk<TInputOutput> : System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TInputOutput>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<TInputOutput> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.Parallel.Lookup<,>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass Lookup<TKey,TElement> : System.Linq.ILookup<TKey,TElement>, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<System.Linq.IGrouping<TKey,TElement>>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<System.Linq.IGrouping<TKey,TElement>> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.Parallel.PartitionerQueryOperator<>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass PartitionerQueryOperator<TElement> : System.Linq.Parallel.QueryOperator<TElement>\n{\n}\n\n// Generated from `System.Linq.Parallel.QueryOperator<>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract class QueryOperator<TOutput> : System.Linq.ParallelQuery<TOutput>\n{\n    public override System.Collections.Generic.IEnumerator<TOutput> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.Parallel.QueryResults<>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract class QueryResults<T> : System.Collections.IEnumerable, System.Collections.Generic.IList<T>, System.Collections.Generic.IEnumerable<T>, System.Collections.Generic.ICollection<T>\n{\n    System.Collections.Generic.IEnumerator<T> System.Collections.Generic.IEnumerable<T>.GetEnumerator() => throw null;\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.Generic.ICollection<T>.Contains(T item) => throw null;\n    bool System.Collections.Generic.ICollection<T>.IsReadOnly { get => throw null; }\n    bool System.Collections.Generic.ICollection<T>.Remove(T item) => throw null;\n    int System.Collections.Generic.IList<T>.IndexOf(T item) => throw null;\n    public T this[int index] { get => throw null; set => throw null; }\n    public int Count { get => throw null; }\n    void System.Collections.Generic.ICollection<T>.Add(T item) => throw null;\n    void System.Collections.Generic.ICollection<T>.Clear() => throw null;\n    void System.Collections.Generic.ICollection<T>.CopyTo(T[] array, int arrayIndex) => throw null;\n    void System.Collections.Generic.IList<T>.Insert(int index, T item) => throw null;\n    void System.Collections.Generic.IList<T>.RemoveAt(int index) => throw null;\n}\n\n// Generated from `System.Linq.Parallel.ZipQueryOperator<,,>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass ZipQueryOperator<TLeftInput,TRightInput,TOutput> : System.Linq.Parallel.QueryOperator<TOutput>\n{\n}\n\n}\n}\nnamespace Net\n{\n// Generated from `System.Net.CookieCollection` in `System.Net.Primitives, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class CookieCollection : System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.IReadOnlyCollection<System.Net.Cookie>, System.Collections.Generic.IEnumerable<System.Net.Cookie>, System.Collections.Generic.ICollection<System.Net.Cookie>\n{\n    System.Collections.Generic.IEnumerator<System.Net.Cookie> System.Collections.Generic.IEnumerable<System.Net.Cookie>.GetEnumerator() => throw null;\n    public System.Collections.IEnumerator GetEnumerator() => throw null;\n    public bool Contains(System.Net.Cookie cookie) => throw null;\n    public bool IsReadOnly { get => throw null; }\n    public bool IsSynchronized { get => throw null; }\n    public bool Remove(System.Net.Cookie cookie) => throw null;\n    public int Count { get => throw null; }\n    public object SyncRoot { get => throw null; }\n    public void Add(System.Net.Cookie cookie) => throw null;\n    public void Clear() => throw null;\n    public void CopyTo(System.Array array, int index) => throw null;\n    public void CopyTo(System.Net.Cookie[] array, int index) => throw null;\n}\n\n// Generated from `System.Net.Cookie` in `System.Net.Primitives, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Cookie\n{\n    public override bool Equals(object comparand) => throw null;\n    public override int GetHashCode() => throw null;\n    public override string ToString() => throw null;\n}\n\n// Generated from `System.Net.StreamFramer` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass StreamFramer\n{\n}\n\nnamespace Security\n{\n// Generated from `System.Net.Security.AuthenticatedStream` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class AuthenticatedStream : System.IO.Stream\n{\n    protected override void Dispose(bool disposing) => throw null;\n    public override System.Threading.Tasks.ValueTask DisposeAsync() => throw null;\n}\n\n// Generated from `System.Net.Security.CipherSuitesPolicy` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class CipherSuitesPolicy\n{\n}\n\n// Generated from `System.Net.Security.NegotiateStream` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class NegotiateStream : System.Net.Security.AuthenticatedStream\n{\n    protected override void Dispose(bool disposing) => throw null;\n    public override System.IAsyncResult BeginRead(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.IAsyncResult BeginWrite(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.Int64 Length { get => throw null; }\n    public override System.Int64 Position { get => throw null; set => throw null; }\n    public override System.Int64 Seek(System.Int64 offset, System.IO.SeekOrigin origin) => throw null;\n    public override System.Threading.Tasks.Task FlushAsync(System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task WriteAsync(System.Byte[] buffer, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task<int> ReadAsync(System.Byte[] buffer, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.ValueTask DisposeAsync() => throw null;\n    public override System.Threading.Tasks.ValueTask WriteAsync(System.ReadOnlyMemory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) => throw null;\n    public override System.Threading.Tasks.ValueTask<int> ReadAsync(System.Memory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) => throw null;\n    public override bool CanRead { get => throw null; }\n    public override bool CanSeek { get => throw null; }\n    public override bool CanTimeout { get => throw null; }\n    public override bool CanWrite { get => throw null; }\n    public override int EndRead(System.IAsyncResult asyncResult) => throw null;\n    public override int Read(System.Byte[] buffer, int offset, int count) => throw null;\n    public override int ReadTimeout { get => throw null; set => throw null; }\n    public override int WriteTimeout { get => throw null; set => throw null; }\n    public override void EndWrite(System.IAsyncResult asyncResult) => throw null;\n    public override void Flush() => throw null;\n    public override void SetLength(System.Int64 value) => throw null;\n    public override void Write(System.Byte[] buffer, int offset, int count) => throw null;\n}\n\n// Generated from `System.Net.Security.SslStream` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class SslStream : System.Net.Security.AuthenticatedStream\n{\n    protected override void Dispose(bool disposing) => throw null;\n    public override System.IAsyncResult BeginRead(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.IAsyncResult BeginWrite(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.Int64 Length { get => throw null; }\n    public override System.Int64 Position { get => throw null; set => throw null; }\n    public override System.Int64 Seek(System.Int64 offset, System.IO.SeekOrigin origin) => throw null;\n    public override System.Threading.Tasks.Task FlushAsync(System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task WriteAsync(System.Byte[] buffer, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task<int> ReadAsync(System.Byte[] buffer, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.ValueTask DisposeAsync() => throw null;\n    public override System.Threading.Tasks.ValueTask WriteAsync(System.ReadOnlyMemory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) => throw null;\n    public override System.Threading.Tasks.ValueTask<int> ReadAsync(System.Memory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) => throw null;\n    public override bool CanRead { get => throw null; }\n    public override bool CanSeek { get => throw null; }\n    public override bool CanTimeout { get => throw null; }\n    public override bool CanWrite { get => throw null; }\n    public override int EndRead(System.IAsyncResult asyncResult) => throw null;\n    public override int Read(System.Byte[] buffer, int offset, int count) => throw null;\n    public override int ReadByte() => throw null;\n    public override int ReadTimeout { get => throw null; set => throw null; }\n    public override int WriteTimeout { get => throw null; set => throw null; }\n    public override void EndWrite(System.IAsyncResult asyncResult) => throw null;\n    public override void Flush() => throw null;\n    public override void SetLength(System.Int64 value) => throw null;\n    public override void Write(System.Byte[] buffer, int offset, int count) => throw null;\n}\n\n// Generated from `System.Net.Security.TlsCipherSuite` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic enum TlsCipherSuite\n{\n}\n\n// Generated from `System.Net.Security.TlsFrameHelper` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass TlsFrameHelper\n{\n}\n\n}\n}\nnamespace Runtime\n{\nnamespace Serialization\n{\n// Generated from `System.Runtime.Serialization.DataContractAttribute` in `System.Runtime.Serialization.Primitives, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class DataContractAttribute : System.Attribute\n{\n    public DataContractAttribute() => throw null;\n}\n\n// Generated from `System.Runtime.Serialization.DataMemberAttribute` in `System.Runtime.Serialization.Primitives, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class DataMemberAttribute : System.Attribute\n{\n    public DataMemberAttribute() => throw null;\n}\n\n}\n}\nnamespace Text\n{\nnamespace RegularExpressions\n{\n// Generated from `System.Text.RegularExpressions.Capture` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Capture\n{\n    public override string ToString() => throw null;\n}\n\n// Generated from `System.Text.RegularExpressions.CollectionDebuggerProxy<>` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass CollectionDebuggerProxy<T>\n{\n}\n\n// Generated from `System.Text.RegularExpressions.GroupCollection` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class GroupCollection : System.Collections.IList, System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.IReadOnlyList<System.Text.RegularExpressions.Group>, System.Collections.Generic.IReadOnlyDictionary<string,System.Text.RegularExpressions.Group>, System.Collections.Generic.IReadOnlyCollection<System.Text.RegularExpressions.Group>, System.Collections.Generic.IReadOnlyCollection<System.Collections.Generic.KeyValuePair<string,System.Text.RegularExpressions.Group>>, System.Collections.Generic.IList<System.Text.RegularExpressions.Group>, System.Collections.Generic.IEnumerable<System.Text.RegularExpressions.Group>, System.Collections.Generic.IEnumerable<System.Collections.Generic.KeyValuePair<string,System.Text.RegularExpressions.Group>>, System.Collections.Generic.ICollection<System.Text.RegularExpressions.Group>\n{\n    System.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<string,System.Text.RegularExpressions.Group>> System.Collections.Generic.IEnumerable<System.Collections.Generic.KeyValuePair<string,System.Text.RegularExpressions.Group>>.GetEnumerator() => throw null;\n    System.Collections.Generic.IEnumerator<System.Text.RegularExpressions.Group> System.Collections.Generic.IEnumerable<System.Text.RegularExpressions.Group>.GetEnumerator() => throw null;\n    System.Text.RegularExpressions.Group this[int index] { get => throw null; set => throw null; }\n    bool System.Collections.Generic.ICollection<System.Text.RegularExpressions.Group>.Contains(System.Text.RegularExpressions.Group item) => throw null;\n    bool System.Collections.Generic.ICollection<System.Text.RegularExpressions.Group>.Remove(System.Text.RegularExpressions.Group item) => throw null;\n    bool System.Collections.IList.Contains(object value) => throw null;\n    bool System.Collections.IList.IsFixedSize { get => throw null; }\n    int System.Collections.Generic.IList<System.Text.RegularExpressions.Group>.IndexOf(System.Text.RegularExpressions.Group item) => throw null;\n    int System.Collections.IList.Add(object value) => throw null;\n    int System.Collections.IList.IndexOf(object value) => throw null;\n    object this[int index] { get => throw null; set => throw null; }\n    public System.Collections.Generic.IEnumerable<System.Text.RegularExpressions.Group> Values { get => throw null; }\n    public System.Collections.Generic.IEnumerable<string> Keys { get => throw null; }\n    public System.Collections.IEnumerator GetEnumerator() => throw null;\n    public System.Text.RegularExpressions.Group this[string groupname] { get => throw null; }\n    public bool ContainsKey(string key) => throw null;\n    public bool IsReadOnly { get => throw null; }\n    public bool IsSynchronized { get => throw null; }\n    public bool TryGetValue(string key, out System.Text.RegularExpressions.Group value) => throw null;\n    public int Count { get => throw null; }\n    public object SyncRoot { get => throw null; }\n    public void CopyTo(System.Array array, int arrayIndex) => throw null;\n    public void CopyTo(System.Text.RegularExpressions.Group[] array, int arrayIndex) => throw null;\n    void System.Collections.Generic.ICollection<System.Text.RegularExpressions.Group>.Add(System.Text.RegularExpressions.Group item) => throw null;\n    void System.Collections.Generic.ICollection<System.Text.RegularExpressions.Group>.Clear() => throw null;\n    void System.Collections.Generic.IList<System.Text.RegularExpressions.Group>.Insert(int index, System.Text.RegularExpressions.Group item) => throw null;\n    void System.Collections.Generic.IList<System.Text.RegularExpressions.Group>.RemoveAt(int index) => throw null;\n    void System.Collections.IList.Clear() => throw null;\n    void System.Collections.IList.Insert(int index, object value) => throw null;\n    void System.Collections.IList.Remove(object value) => throw null;\n    void System.Collections.IList.RemoveAt(int index) => throw null;\n}\n\n// Generated from `System.Text.RegularExpressions.Group` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Group : System.Text.RegularExpressions.Capture\n{\n}\n\n// Generated from `System.Text.RegularExpressions.Match` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Match : System.Text.RegularExpressions.Group\n{\n}\n\n// Generated from `System.Text.RegularExpressions.RegexOptions` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\n[System.Flags]\npublic enum RegexOptions\n{\n    IgnoreCase,\n}\n\n// Generated from `System.Text.RegularExpressions.Regex` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Regex : System.Runtime.Serialization.ISerializable\n{\n    public Regex(string pattern) => throw null;\n    public Regex(string pattern, System.Text.RegularExpressions.RegexOptions options, System.TimeSpan matchTimeout) => throw null;\n    public System.Text.RegularExpressions.Match Match(string input) => throw null;\n    public override string ToString() => throw null;\n    public static System.Text.RegularExpressions.Match Match(string input, string pattern) => throw null;\n    public static System.Text.RegularExpressions.Match Match(string input, string pattern, System.Text.RegularExpressions.RegexOptions options, System.TimeSpan matchTimeout) => throw null;\n    public string Replace(string input, string replacement) => throw null;\n    void System.Runtime.Serialization.ISerializable.GetObjectData(System.Runtime.Serialization.SerializationInfo si, System.Runtime.Serialization.StreamingContext context) => throw null;\n}\n\n}\n}\nnamespace Timers\n{\n// Generated from `System.Timers.TimersDescriptionAttribute` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class TimersDescriptionAttribute\n{\n    public TimersDescriptionAttribute(string description) => throw null;\n}\n\n}\nnamespace Windows\n{\nnamespace Markup\n{\n// Generated from `System.Windows.Markup.ValueSerializerAttribute` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ValueSerializerAttribute : System.Attribute\n{\n    public ValueSerializerAttribute(System.Type valueSerializerType) => throw null;\n    public ValueSerializerAttribute(string valueSerializerTypeName) => throw null;\n}\n\n}\n}\n}\n |

From 551a7ce9e556cb231e7ecc9ebfec7b851c075be7 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 8 Apr 2021 12:14:53 +0200
Subject: [PATCH 0217/1429] Fix expression value of struct default argument
 values

---
 .../extractor/Semmle.Extraction.CSharp/Entities/Expression.cs | 2 +-
 .../Semmle.Extraction.CSharp/Entities/Expressions/Default.cs  | 4 ++--
 csharp/ql/test/library-tests/parameters/Parameters.expected   | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
index 3324de4c8a8..6438e0fa1b7 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
@@ -190,7 +190,7 @@ namespace Semmle.Extraction.CSharp.Entities
             {
                 // = null, = default, = default(T), = new MyStruct()
                 // we're generating a default expression:
-                return Default.CreateGenerated(cx, parent, childIndex, location);
+                return Default.CreateGenerated(cx, parent, childIndex, location, parameter.Type.IsValueType ? null : ValueAsString(null));
             }
 
             // const literal:
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Default.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Default.cs
index 5ae94e33c44..9fdfd18d3bd 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Default.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Default.cs
@@ -15,7 +15,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
             TypeAccess.Create(Context, Syntax.Type, this, 0);
         }
 
-        public static Expression CreateGenerated(Context cx, IExpressionParentEntity parent, int childIndex, Extraction.Entities.Location location)
+        public static Expression CreateGenerated(Context cx, IExpressionParentEntity parent, int childIndex, Extraction.Entities.Location location, string? value)
         {
             var info = new ExpressionInfo(
                 cx,
@@ -25,7 +25,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                 parent,
                 childIndex,
                 true,
-                ValueAsString(null));
+                value);
 
             return new Expression(info);
         }
diff --git a/csharp/ql/test/library-tests/parameters/Parameters.expected b/csharp/ql/test/library-tests/parameters/Parameters.expected
index c676e435297..0eb53367c9d 100644
--- a/csharp/ql/test/library-tests/parameters/Parameters.expected
+++ b/csharp/ql/test/library-tests/parameters/Parameters.expected
@@ -36,8 +36,8 @@ withDefaultValue
 | Parameters.dll:0:0:0:0 | M4 | Parameters.dll:0:0:0:0 | b | 1 | Parameters.dll:0:0:0:0 | default | null |
 | Parameters.dll:0:0:0:0 | M5 | Parameters.dll:0:0:0:0 | a | 0 | Parameters.dll:0:0:0:0 | 0 | 0 |
 | Parameters.dll:0:0:0:0 | M5 | Parameters.dll:0:0:0:0 | b | 1 | Parameters.dll:0:0:0:0 | default | null |
-| Parameters.dll:0:0:0:0 | M6 | Parameters.dll:0:0:0:0 | s2 | 1 | Parameters.dll:0:0:0:0 | default | null |
-| Parameters.dll:0:0:0:0 | M6 | Parameters.dll:0:0:0:0 | s3 | 2 | Parameters.dll:0:0:0:0 | default | null |
+| Parameters.dll:0:0:0:0 | M6 | Parameters.dll:0:0:0:0 | s2 | 1 | Parameters.dll:0:0:0:0 | default | - |
+| Parameters.dll:0:0:0:0 | M6 | Parameters.dll:0:0:0:0 | s3 | 2 | Parameters.dll:0:0:0:0 | default | - |
 | Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e2 | 1 | Parameters.dll:0:0:0:0 | (...) ... | 0 |
 | Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e3 | 2 | Parameters.dll:0:0:0:0 | (...) ... | 0 |
 | Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e4 | 3 | Parameters.dll:0:0:0:0 | (...) ... | 1 |

From a8cbdc92b94f36df5c4d3487f072be75fd5e2720 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 8 Apr 2021 12:17:19 +0200
Subject: [PATCH 0218/1429] Add more test cases

---
 .../library-tests/parameters/Parameters.cs    |   4 ++++
 .../library-tests/parameters/Parameters.cs_   |   4 ++++
 .../library-tests/parameters/Parameters.dll   | Bin 4608 -> 4608 bytes
 .../parameters/Parameters.expected            |   6 ++++++
 4 files changed, 14 insertions(+)

diff --git a/csharp/ql/test/library-tests/parameters/Parameters.cs b/csharp/ql/test/library-tests/parameters/Parameters.cs
index 76847f26c32..b7cc3b001a9 100644
--- a/csharp/ql/test/library-tests/parameters/Parameters.cs
+++ b/csharp/ql/test/library-tests/parameters/Parameters.cs
@@ -8,6 +8,10 @@ public class Parameters
     public void M6(MyStruct s1, MyStruct s2 = default(MyStruct), MyStruct s3 = new MyStruct()) => throw null;
     public void M7(MyEnum e1, MyEnum e2 = default(MyEnum), MyEnum e3 = new MyEnum(), MyEnum e4 = MyEnum.A, MyEnum e5 = (MyEnum)5) => throw null;
 
+    public void M8<T>(T t = default) => throw null;
+    public void M9<T>(T t = default) where T : struct => throw null;
+    public void M10<T>(T t = default) where T : class => throw null;
+
     public struct MyStruct { }
     public enum MyEnum { A = 1, B = 2 }
 }
\ No newline at end of file
diff --git a/csharp/ql/test/library-tests/parameters/Parameters.cs_ b/csharp/ql/test/library-tests/parameters/Parameters.cs_
index 300c03bd854..062c4b98b18 100644
--- a/csharp/ql/test/library-tests/parameters/Parameters.cs_
+++ b/csharp/ql/test/library-tests/parameters/Parameters.cs_
@@ -8,6 +8,10 @@ public class ParametersDll
     public void M6(MyStruct s1, MyStruct s2 = default(MyStruct), MyStruct s3 = new MyStruct()) => throw null;
     public void M7(MyEnum e1, MyEnum e2 = default(MyEnum), MyEnum e3 = new MyEnum(), MyEnum e4 = MyEnum.A, MyEnum e5 = (MyEnum)5) => throw null;
 
+    public void M8<T>(T t = default) => throw null;
+    public void M9<T>(T t = default) where T : struct => throw null;
+    public void M10<T>(T t = default) where T : class => throw null;
+
     public struct MyStruct { }
     public enum MyEnum { A = 1, B = 2 }
 }
\ No newline at end of file
diff --git a/csharp/ql/test/library-tests/parameters/Parameters.dll b/csharp/ql/test/library-tests/parameters/Parameters.dll
index 8a0980cf5620d4f2fdc70c9c7c0272be13f0e341..cd48ebef015977599fcad91d31e3a24f0a115a57 100644
GIT binary patch
delta 1099
zcmZXTTS!zv9LB#nyL;55*;!q4)2z+4+-|0+)TTvhr4mcZdZj`XyOAiAMHIMZb^#-j
ziJ*`!z6Cy13%wXUL=fRa2)^yh3PI3AffPiL_04#?Km+sp&-cxo|J=?D7Y!HPy6&zj
zT{AO&W0hDOf7~vnq!7iPxniJ2t~EBxPEl;Q)8vR4TA2(%mj=>+2j>I8;S@l~OV)PT
zWaP*$!_2UJ7YdC~I$&X=95B}H8gv1{At1@P$6z};c=}}j@iQt{zy#ck!PY2>*tS)>
zzO`{LV+D0c&KiEPLVh&zmN6y#tSb7X*OeP%LI_r1N-RYaKJi7EIHuW;d9fTm&S~N<
zM(IbyTk<OupJ~3+tkC|5ZkHI-?Cpi(YcZ`8@6fXd&L+6V`}E2nVicCJQOOA^+0KB$
zj#sQ<txU5X9cUY_!6CAaYznA6S9x|_91(R?CY2j)j>@G<L8qevIL3oK?5Oor8R&9U
zY%}_hi5^F8#W{F!)KS|oiWNBFs7k6_oN|<)@}qxA`4imdN~n`ONE&D+U5Gl4Z7avN
zm1Em#%pWKApY^v}rAyaCefr}9oi0^7UhU+OZUjjWHjo0<#=lHMf|u$g)$$U;;-~~q
zyG%1o7TBoKqEWM1vs1Gh3Hif)GLnT(gph?Jn%!gxmo-La<2IR(I2ptXauXKFa$aHy
zs<4c#LmqiR`%x^&N1puJATQg)&HOGoXw^*@PtMJ%iWmDxKj%=<jT}aUzX(gDtW+jF
zCBDcGM8c?!4D_DuJGz_us6|UW&s-Gt;LA6cZ$9YQ|9tMm=(ma4RWg)1nqrm;Ayz|9
zr9LdjwU(}Vh)9!~><DX!?=obm>`O)cvDvJA!??n}E0!EeE3}`^yq~BVOVo@^HhlkZ
zXCW$|q&01E%(CAmb9dkC?HRuKbFzKs?0ChT^X66NPjZWuFOu;_D=gxf8Q)z7!f~(t
JS&Wya`~v-Iw~GJ(

delta 1020
zcmZ{jPe@cz6vn^%X68Bboa&j)lqoejiX+xgS(qt-Ryb0^g#Yp%(wIdhDyAj{j)YkY
zBd5EyauJ~*xsXDLR&FB~A+)VkA=oY$h3dPvXRW%!`MvXf@7{CYocrE*;dtTnLwEI;
z&#zKbd15d%-y%X%h+<Ey7-*FF#v$1%ij7gPyeGzT8Y9pnMjG&7AOw6e0U@(8%VpdM
z$Uei8w~eBt+XaNjfB{~Q8_XMq2Cw&ByQP-D@BnUJ!%YpCV{WUwwyEwcuglaSL0!|^
zpP*KQ%SFpmz{doeq6|SAOm{L=9c}?HBf!XHWC2N7Ow^?9P-}r%p)_E^E4~U7ZJG(J
ziCyq=iit-UrC%-Hk>8;BQgcN!qWuw_7Z{7YdkKomVo?{4>gobX!HsP^p?Q><fF*2{
zaDx-feK6?1VN_^knw2cmJYJ4=vVx3<RGmrQ?P4@I%A#_k*-_b48EAD>9<K5)cQ~pb
zN$E$IBO~Z#vl5Of#Ryx}^GEGl<<qmD+~y2v;2h~ft>f6Xa%@{Uwyoy;-}!f!{TF;T
zHPzOOb96bkc6MkdNV;*5^q`0xS>?fGktT9T3niq@-YHgSR%_O2Ues*WyiD>q`8&Yy
zBaGb$$aYUlWt4Bj1ft01p+=F51u~4+WGU9kGHj8RFh!JqESo&9{RXVdU!L5;y*w|z
zj(<l0bvk#kO>Xs8a>x!d>aVKrzcSq0a~jpCS$byv6n471yK`mvN9=Lcsrt70=Ta_s
zCuF&AHt3ye{s>VYSF1Z2GyKeEd~(AVG}BDeK51D6_WsGcH+t*~HE*ZiM~3h8Psl1O
zer(&^a!gffPwC<C&Gg2H2g#cIG3Vn{kCjk)D3u=+jZ14*g^;1lsimF%O_woraw*IH
JE>cG_egh}5ql5qe

diff --git a/csharp/ql/test/library-tests/parameters/Parameters.expected b/csharp/ql/test/library-tests/parameters/Parameters.expected
index 0eb53367c9d..24a1af2f6d5 100644
--- a/csharp/ql/test/library-tests/parameters/Parameters.expected
+++ b/csharp/ql/test/library-tests/parameters/Parameters.expected
@@ -27,6 +27,9 @@ withDefaultValue
 | Parameters.cs:9:17:9:18 | M7 | Parameters.cs:9:67:9:68 | e3 | 2 | Parameters.cs:9:72:9:83 | object creation of type MyEnum | 0 |
 | Parameters.cs:9:17:9:18 | M7 | Parameters.cs:9:93:9:94 | e4 | 3 | Parameters.cs:9:98:9:105 | access to constant A | 1 |
 | Parameters.cs:9:17:9:18 | M7 | Parameters.cs:9:115:9:116 | e5 | 4 | Parameters.cs:9:120:9:128 | (...) ... | 5 |
+| Parameters.cs:11:17:11:21 | M8 | Parameters.cs:11:25:11:25 | t | 0 | Parameters.cs:11:29:11:35 | (...) ... | - |
+| Parameters.cs:12:17:12:21 | M9 | Parameters.cs:12:25:12:25 | t | 0 | Parameters.cs:12:29:12:35 | (...) ... | - |
+| Parameters.cs:13:17:13:22 | M10 | Parameters.cs:13:26:13:26 | t | 0 | Parameters.cs:13:30:13:36 | (...) ... | null |
 | Parameters.dll:0:0:0:0 | M2 | Parameters.dll:0:0:0:0 | b | 1 | Parameters.dll:0:0:0:0 | default | null |
 | Parameters.dll:0:0:0:0 | M2 | Parameters.dll:0:0:0:0 | c | 2 | Parameters.dll:0:0:0:0 | "default string" | default string |
 | Parameters.dll:0:0:0:0 | M3 | Parameters.dll:0:0:0:0 | a | 0 | Parameters.dll:0:0:0:0 | 1 | 1 |
@@ -42,3 +45,6 @@ withDefaultValue
 | Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e3 | 2 | Parameters.dll:0:0:0:0 | (...) ... | 0 |
 | Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e4 | 3 | Parameters.dll:0:0:0:0 | (...) ... | 1 |
 | Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e5 | 4 | Parameters.dll:0:0:0:0 | (...) ... | 5 |
+| Parameters.dll:0:0:0:0 | M8 | Parameters.dll:0:0:0:0 | t | 0 | Parameters.dll:0:0:0:0 | default | null |
+| Parameters.dll:0:0:0:0 | M9 | Parameters.dll:0:0:0:0 | t | 0 | Parameters.dll:0:0:0:0 | default | - |
+| Parameters.dll:0:0:0:0 | M10 | Parameters.dll:0:0:0:0 | t | 0 | Parameters.dll:0:0:0:0 | default | null |

From a790eb8110e735724916844f99c94bb9c2a51350 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 8 Apr 2021 12:20:01 +0200
Subject: [PATCH 0219/1429] Fix for unconstrained generic types

---
 .../extractor/Semmle.Extraction.CSharp/Entities/Expression.cs   | 2 +-
 csharp/ql/test/library-tests/parameters/Parameters.expected     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
index 6438e0fa1b7..6d36dded801 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
@@ -190,7 +190,7 @@ namespace Semmle.Extraction.CSharp.Entities
             {
                 // = null, = default, = default(T), = new MyStruct()
                 // we're generating a default expression:
-                return Default.CreateGenerated(cx, parent, childIndex, location, parameter.Type.IsValueType ? null : ValueAsString(null));
+                return Default.CreateGenerated(cx, parent, childIndex, location, parameter.Type.IsReferenceType ? ValueAsString(null) : null);
             }
 
             // const literal:
diff --git a/csharp/ql/test/library-tests/parameters/Parameters.expected b/csharp/ql/test/library-tests/parameters/Parameters.expected
index 24a1af2f6d5..864464167b9 100644
--- a/csharp/ql/test/library-tests/parameters/Parameters.expected
+++ b/csharp/ql/test/library-tests/parameters/Parameters.expected
@@ -45,6 +45,6 @@ withDefaultValue
 | Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e3 | 2 | Parameters.dll:0:0:0:0 | (...) ... | 0 |
 | Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e4 | 3 | Parameters.dll:0:0:0:0 | (...) ... | 1 |
 | Parameters.dll:0:0:0:0 | M7 | Parameters.dll:0:0:0:0 | e5 | 4 | Parameters.dll:0:0:0:0 | (...) ... | 5 |
-| Parameters.dll:0:0:0:0 | M8 | Parameters.dll:0:0:0:0 | t | 0 | Parameters.dll:0:0:0:0 | default | null |
+| Parameters.dll:0:0:0:0 | M8 | Parameters.dll:0:0:0:0 | t | 0 | Parameters.dll:0:0:0:0 | default | - |
 | Parameters.dll:0:0:0:0 | M9 | Parameters.dll:0:0:0:0 | t | 0 | Parameters.dll:0:0:0:0 | default | - |
 | Parameters.dll:0:0:0:0 | M10 | Parameters.dll:0:0:0:0 | t | 0 | Parameters.dll:0:0:0:0 | default | null |

From 8ce5c46e05dbf11bb3581490601ff9fc04dd3631 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Sat, 27 Mar 2021 18:57:46 +0100
Subject: [PATCH 0220/1429] Python: Minor refactor

modName/clsName _is_ shorter, but also looks way worse :D
---
 .../ql/src/semmle/python/frameworks/Django.qll  | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index 02d5030bb1e..ebc1d1bdfa2 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -2081,20 +2081,21 @@ private module Django {
     module Field {
       /** Gets a reference to the `django.forms.fields.Field` class or any subclass. */
       API::Node subclassRef() {
-        exists(string modName, string clsName |
+        exists(string moduleName, string className |
           // canonical definition
           result =
             API::moduleImport("django")
                 .getMember("forms")
-                .getMember(modName)
-                .getMember(clsName)
+                .getMember(moduleName)
+                .getMember(className)
                 .getASubclass*()
           or
           // alias from `django.forms`
-          result = API::moduleImport("django").getMember("forms").getMember(clsName).getASubclass*()
+          result =
+            API::moduleImport("django").getMember("forms").getMember(className).getASubclass*()
         |
-          modName = "fields" and
-          clsName in [
+          moduleName = "fields" and
+          className in [
               "Field",
               // Known subclasses
               "BooleanField", "IntegerField", "CharField", "SlugField", "DateTimeField",
@@ -2106,8 +2107,8 @@ private module Django {
             ]
           or
           // Known subclasses from `django.forms.models`
-          modName = "models" and
-          clsName in ["ModelChoiceField", "ModelMultipleChoiceField", "InlineForeignKeyField"]
+          moduleName = "models" and
+          className in ["ModelChoiceField", "ModelMultipleChoiceField", "InlineForeignKeyField"]
         )
         or
         // other Field subclasses defined in Django

From 322bdcb7034c9ccd10747c991f4c66bfa7a4c1b5 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Sat, 27 Mar 2021 18:58:37 +0100
Subject: [PATCH 0221/1429] Python: Port Django view modeling to API graphs

---
 .../src/semmle/python/frameworks/Django.qll   | 430 ++----------------
 1 file changed, 41 insertions(+), 389 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index ebc1d1bdfa2..77cb337d2f6 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -1519,402 +1519,54 @@ private module Django {
     /** Provides models for the `django.views` module */
     module views {
       /**
-       * Gets a reference to the attribute `attr_name` of the `django.views` module.
-       * WARNING: Only holds for a few predefined attributes.
+       * Provides models for the `django.views.generic.View` class and subclasses.
+       *
+       * See
+       *  - https://docs.djangoproject.com/en/3.1/topics/class-based-views/
+       *  - https://docs.djangoproject.com/en/3.1/ref/class-based-views/
        */
-      private DataFlow::Node views_attr(DataFlow::TypeTracker t, string attr_name) {
-        // for 1.11.x, see: https://github.com/django/django/blob/stable/1.11.x/django/views/__init__.py
-        attr_name in ["generic", "View"] and
-        (
-          t.start() and
-          result = DataFlow::importNode("django.views" + "." + attr_name)
-          or
-          t.startInAttr(attr_name) and
-          result = views()
-        )
-        or
-        // Due to bad performance when using normal setup with `views_attr(t2, attr_name).track(t2, t)`
-        // we have inlined that code and forced a join
-        exists(DataFlow::TypeTracker t2 |
-          exists(DataFlow::StepSummary summary |
-            views_attr_first_join(t2, attr_name, result, summary) and
-            t = t2.append(summary)
-          )
-        )
-      }
-
-      pragma[nomagic]
-      private predicate views_attr_first_join(
-        DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-        DataFlow::StepSummary summary
-      ) {
-        DataFlow::StepSummary::step(views_attr(t2, attr_name), res, summary)
-      }
-
-      /**
-       * Gets a reference to the attribute `attr_name` of the `django.views` module.
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private DataFlow::Node views_attr(string attr_name) {
-        result = views_attr(DataFlow::TypeTracker::end(), attr_name)
-      }
-
-      // -------------------------------------------------------------------------
-      // django.views.generic
-      // -------------------------------------------------------------------------
-      /** Gets a reference to the `django.views.generic` module. */
-      DataFlow::Node generic() { result = views_attr("generic") }
-
-      /** Provides models for the `django.views.generic` module */
-      module generic {
-        /**
-         * Gets a reference to the attribute `attr_name` of the `django.views.generic` module.
-         * WARNING: Only holds for a few predefined attributes.
-         */
-        private DataFlow::Node generic_attr(DataFlow::TypeTracker t, string attr_name) {
-          // for 3.1.x see: https://github.com/django/django/blob/stable/3.1.x/django/views/generic/__init__.py
-          // same for 1.11.x see: https://github.com/django/django/blob/stable/1.11.x/django/views/generic/__init__.py
-          attr_name in [
-              "View", "TemplateView", "RedirectView", "ArchiveIndexView", "YearArchiveView",
-              "MonthArchiveView", "WeekArchiveView", "DayArchiveView", "TodayArchiveView",
-              "DateDetailView", "DetailView", "FormView", "CreateView", "UpdateView", "DeleteView",
-              "ListView", "GenericViewError",
-              // modules
-              "base", "dates", "detail", "edit", "list"
-            ] and
-          (
-            t.start() and
-            result = DataFlow::importNode("django.views.generic" + "." + attr_name)
+      module View {
+        /** Gets a reference to the `django.views.generic.View` class or any subclass. */
+        API::Node subclassRef() {
+          exists(string moduleName, string className |
+            // canonical definition
+            result =
+              API::moduleImport("django")
+                  .getMember("views")
+                  .getMember("generic")
+                  .getMember(moduleName)
+                  .getMember(className)
+                  .getASubclass*()
             or
-            t.startInAttr(attr_name) and
-            result = generic()
-          )
-          or
-          // Due to bad performance when using normal setup with `generic_attr(t2, attr_name).track(t2, t)`
-          // we have inlined that code and forced a join
-          exists(DataFlow::TypeTracker t2 |
-            exists(DataFlow::StepSummary summary |
-              generic_attr_first_join(t2, attr_name, result, summary) and
-              t = t2.append(summary)
-            )
-          )
-        }
-
-        pragma[nomagic]
-        private predicate generic_attr_first_join(
-          DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-          DataFlow::StepSummary summary
-        ) {
-          DataFlow::StepSummary::step(generic_attr(t2, attr_name), res, summary)
-        }
-
-        /**
-         * Gets a reference to the attribute `attr_name` of the `django.views.generic` module.
-         * WARNING: Only holds for a few predefined attributes.
-         */
-        private DataFlow::Node generic_attr(string attr_name) {
-          result = generic_attr(DataFlow::TypeTracker::end(), attr_name)
-        }
-
-        // -------------------------------------------------------------------------
-        // django.views.generic.base
-        // -------------------------------------------------------------------------
-        /** Gets a reference to the `django.views.generic.base` module. */
-        DataFlow::Node base() { result = generic_attr("base") }
-
-        /** Provides models for the `django.views.generic.base` module */
-        module base {
-          /**
-           * Gets a reference to the attribute `attr_name` of the `django.views.generic.base` module.
-           * WARNING: Only holds for a few predefined attributes.
-           */
-          private DataFlow::Node base_attr(DataFlow::TypeTracker t, string attr_name) {
-            attr_name in ["RedirectView", "TemplateView", "View"] and
-            (
-              t.start() and
-              result = DataFlow::importNode("django.views.generic.base" + "." + attr_name)
-              or
-              t.startInAttr(attr_name) and
-              result = base()
-            )
+            // alias from `django.view.generic`
+            result =
+              API::moduleImport("django")
+                  .getMember("view")
+                  .getMember("generic")
+                  .getMember(className)
+                  .getASubclass*()
+          |
+            moduleName = "base" and
+            className in ["RedirectView", "TemplateView", "View"]
             or
-            // Due to bad performance when using normal setup with `base_attr(t2, attr_name).track(t2, t)`
-            // we have inlined that code and forced a join
-            exists(DataFlow::TypeTracker t2 |
-              exists(DataFlow::StepSummary summary |
-                base_attr_first_join(t2, attr_name, result, summary) and
-                t = t2.append(summary)
-              )
-            )
-          }
-
-          pragma[nomagic]
-          private predicate base_attr_first_join(
-            DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-            DataFlow::StepSummary summary
-          ) {
-            DataFlow::StepSummary::step(base_attr(t2, attr_name), res, summary)
-          }
-
-          /**
-           * Gets a reference to the attribute `attr_name` of the `django.views.generic.base` module.
-           * WARNING: Only holds for a few predefined attributes.
-           */
-          DataFlow::Node base_attr(string attr_name) {
-            result = base_attr(DataFlow::TypeTracker::end(), attr_name)
-          }
-        }
-
-        // -------------------------------------------------------------------------
-        // django.views.generic.dates
-        // -------------------------------------------------------------------------
-        /** Gets a reference to the `django.views.generic.dates` module. */
-        DataFlow::Node dates() { result = generic_attr("dates") }
-
-        /** Provides models for the `django.views.generic.dates` module */
-        module dates {
-          /**
-           * Gets a reference to the attribute `attr_name` of the `django.views.generic.dates` module.
-           * WARNING: Only holds for a few predefined attributes.
-           */
-          private DataFlow::Node dates_attr(DataFlow::TypeTracker t, string attr_name) {
-            attr_name in [
+            moduleName = "dates" and
+            className in [
                 "ArchiveIndexView", "DateDetailView", "DayArchiveView", "MonthArchiveView",
                 "TodayArchiveView", "WeekArchiveView", "YearArchiveView"
-              ] and
-            (
-              t.start() and
-              result = DataFlow::importNode("django.views.generic.dates" + "." + attr_name)
-              or
-              t.startInAttr(attr_name) and
-              result = dates()
-            )
+              ]
             or
-            // Due to bad performance when using normal setup with `dates_attr(t2, attr_name).track(t2, t)`
-            // we have inlined that code and forced a join
-            exists(DataFlow::TypeTracker t2 |
-              exists(DataFlow::StepSummary summary |
-                dates_attr_first_join(t2, attr_name, result, summary) and
-                t = t2.append(summary)
-              )
-            )
-          }
-
-          pragma[nomagic]
-          private predicate dates_attr_first_join(
-            DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-            DataFlow::StepSummary summary
-          ) {
-            DataFlow::StepSummary::step(dates_attr(t2, attr_name), res, summary)
-          }
-
-          /**
-           * Gets a reference to the attribute `attr_name` of the `django.views.generic.dates` module.
-           * WARNING: Only holds for a few predefined attributes.
-           */
-          DataFlow::Node dates_attr(string attr_name) {
-            result = dates_attr(DataFlow::TypeTracker::end(), attr_name)
-          }
-        }
-
-        // -------------------------------------------------------------------------
-        // django.views.generic.detail
-        // -------------------------------------------------------------------------
-        /** Gets a reference to the `django.views.generic.detail` module. */
-        DataFlow::Node detail() { result = generic_attr("detail") }
-
-        /** Provides models for the `django.views.generic.detail` module */
-        module detail {
-          /**
-           * Gets a reference to the attribute `attr_name` of the `django.views.generic.detail` module.
-           * WARNING: Only holds for a few predefined attributes.
-           */
-          private DataFlow::Node detail_attr(DataFlow::TypeTracker t, string attr_name) {
-            attr_name in ["DetailView"] and
-            (
-              t.start() and
-              result = DataFlow::importNode("django.views.generic.detail" + "." + attr_name)
-              or
-              t.startInAttr(attr_name) and
-              result = detail()
-            )
+            moduleName = "detail" and
+            className = "DetailView"
             or
-            // Due to bad performance when using normal setup with `detail_attr(t2, attr_name).track(t2, t)`
-            // we have inlined that code and forced a join
-            exists(DataFlow::TypeTracker t2 |
-              exists(DataFlow::StepSummary summary |
-                detail_attr_first_join(t2, attr_name, result, summary) and
-                t = t2.append(summary)
-              )
-            )
-          }
-
-          pragma[nomagic]
-          private predicate detail_attr_first_join(
-            DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-            DataFlow::StepSummary summary
-          ) {
-            DataFlow::StepSummary::step(detail_attr(t2, attr_name), res, summary)
-          }
-
-          /**
-           * Gets a reference to the attribute `attr_name` of the `django.views.generic.detail` module.
-           * WARNING: Only holds for a few predefined attributes.
-           */
-          DataFlow::Node detail_attr(string attr_name) {
-            result = detail_attr(DataFlow::TypeTracker::end(), attr_name)
-          }
-        }
-
-        // -------------------------------------------------------------------------
-        // django.views.generic.edit
-        // -------------------------------------------------------------------------
-        /** Gets a reference to the `django.views.generic.edit` module. */
-        DataFlow::Node edit() { result = generic_attr("edit") }
-
-        /** Provides models for the `django.views.generic.edit` module */
-        module edit {
-          /**
-           * Gets a reference to the attribute `attr_name` of the `django.views.generic.edit` module.
-           * WARNING: Only holds for a few predefined attributes.
-           */
-          private DataFlow::Node edit_attr(DataFlow::TypeTracker t, string attr_name) {
-            attr_name in ["CreateView", "DeleteView", "FormView", "UpdateView"] and
-            (
-              t.start() and
-              result = DataFlow::importNode("django.views.generic.edit" + "." + attr_name)
-              or
-              t.startInAttr(attr_name) and
-              result = edit()
-            )
+            moduleName = "edit" and
+            className in ["CreateView", "DeleteView", "FormView", "UpdateView"]
             or
-            // Due to bad performance when using normal setup with `edit_attr(t2, attr_name).track(t2, t)`
-            // we have inlined that code and forced a join
-            exists(DataFlow::TypeTracker t2 |
-              exists(DataFlow::StepSummary summary |
-                edit_attr_first_join(t2, attr_name, result, summary) and
-                t = t2.append(summary)
-              )
-            )
-          }
-
-          pragma[nomagic]
-          private predicate edit_attr_first_join(
-            DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-            DataFlow::StepSummary summary
-          ) {
-            DataFlow::StepSummary::step(edit_attr(t2, attr_name), res, summary)
-          }
-
-          /**
-           * Gets a reference to the attribute `attr_name` of the `django.views.generic.edit` module.
-           * WARNING: Only holds for a few predefined attributes.
-           */
-          DataFlow::Node edit_attr(string attr_name) {
-            result = edit_attr(DataFlow::TypeTracker::end(), attr_name)
-          }
-        }
-
-        // -------------------------------------------------------------------------
-        // django.views.generic.list
-        // -------------------------------------------------------------------------
-        /** Gets a reference to the `django.views.generic.list` module. */
-        DataFlow::Node list() { result = generic_attr("list") }
-
-        /** Provides models for the `django.views.generic.list` module */
-        module list {
-          /**
-           * Gets a reference to the attribute `attr_name` of the `django.views.generic.list` module.
-           * WARNING: Only holds for a few predefined attributes.
-           */
-          private DataFlow::Node list_attr(DataFlow::TypeTracker t, string attr_name) {
-            attr_name in ["ListView"] and
-            (
-              t.start() and
-              result = DataFlow::importNode("django.views.generic.list" + "." + attr_name)
-              or
-              t.startInAttr(attr_name) and
-              result = list()
-            )
-            or
-            // Due to bad performance when using normal setup with `list_attr(t2, attr_name).track(t2, t)`
-            // we have inlined that code and forced a join
-            exists(DataFlow::TypeTracker t2 |
-              exists(DataFlow::StepSummary summary |
-                list_attr_first_join(t2, attr_name, result, summary) and
-                t = t2.append(summary)
-              )
-            )
-          }
-
-          pragma[nomagic]
-          private predicate list_attr_first_join(
-            DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-            DataFlow::StepSummary summary
-          ) {
-            DataFlow::StepSummary::step(list_attr(t2, attr_name), res, summary)
-          }
-
-          /**
-           * Gets a reference to the attribute `attr_name` of the `django.views.generic.list` module.
-           * WARNING: Only holds for a few predefined attributes.
-           */
-          DataFlow::Node list_attr(string attr_name) {
-            result = list_attr(DataFlow::TypeTracker::end(), attr_name)
-          }
-        }
-
-        /**
-         * Provides models for the `django.views.generic.View` class and subclasses.
-         *
-         * See
-         *  - https://docs.djangoproject.com/en/3.1/topics/class-based-views/
-         *  - https://docs.djangoproject.com/en/3.1/ref/class-based-views/
-         */
-        module View {
-          /** Gets a reference to the `django.views.generic.View` class or any subclass. */
-          private DataFlow::Node subclassRef(DataFlow::TypeTracker t) {
-            t.start() and
-            result =
-              generic_attr([
-                  "View",
-                  // Known Views
-                  "TemplateView", "RedirectView", "ArchiveIndexView", "YearArchiveView",
-                  "MonthArchiveView", "WeekArchiveView", "DayArchiveView", "TodayArchiveView",
-                  "DateDetailView", "DetailView", "FormView", "CreateView", "UpdateView",
-                  "DeleteView", "ListView"
-                ])
-            or
-            // aliases
-            t.start() and
-            (
-              // django.views.View
-              result = views_attr("View")
-              or
-              // django.views.generic.base.*
-              result = base::base_attr(_)
-              or
-              // django.views.generic.dates.*
-              result = dates::dates_attr(_)
-              or
-              // django.views.generic.detail.*
-              result = detail::detail_attr(_)
-              or
-              // django.views.generic.edit.*
-              result = edit::edit_attr(_)
-              or
-              // django.views.generic.list.*
-              result = list::list_attr(_)
-            )
-            or
-            // subclasses in project code
-            result.asExpr().(ClassExpr).getABase() = subclassRef(t.continue()).asExpr()
-            or
-            exists(DataFlow::TypeTracker t2 | result = subclassRef(t2).track(t2, t))
-          }
-
-          /** Gets a reference to the `django.views.generic.View` class or any subclass. */
-          DataFlow::Node subclassRef() { result = subclassRef(DataFlow::TypeTracker::end()) }
+            moduleName = "list" and
+            className = "ListView"
+          )
+          or
+          // `django.views.View` alias
+          result = API::moduleImport("django").getMember("views").getMember("View").getASubclass*()
         }
       }
     }
@@ -2389,7 +2041,7 @@ private module Django {
    */
   class DjangoViewClassFromSuperClass extends DjangoViewClass {
     DjangoViewClassFromSuperClass() {
-      this.getABase() = django::views::generic::View::subclassRef().asExpr()
+      this.getABase() = django::views::View::subclassRef().getAUse().asExpr()
     }
   }
 

From b7483a539430ddb05012044db1a6d36ee43b9fcb Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 6 Apr 2021 10:46:36 +0200
Subject: [PATCH 0222/1429] Python: Add modeledSubclassRef for Django
 views/fields/forms

---
 .../src/semmle/python/frameworks/Django.qll   | 54 +++++++++----------
 1 file changed, 26 insertions(+), 28 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index 77cb337d2f6..c22f06c9a95 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -1526,8 +1526,11 @@ private module Django {
        *  - https://docs.djangoproject.com/en/3.1/ref/class-based-views/
        */
       module View {
-        /** Gets a reference to the `django.views.generic.View` class or any subclass. */
-        API::Node subclassRef() {
+        /**
+         * Get a references to: the `django.views.generic.View` class, or any subclass
+         * that has explicitly been modeled in the CodeQL libraries.
+         */
+        API::Node modeledSubclassRef() {
           exists(string moduleName, string className |
             // canonical definition
             result =
@@ -1536,7 +1539,6 @@ private module Django {
                   .getMember("generic")
                   .getMember(moduleName)
                   .getMember(className)
-                  .getASubclass*()
             or
             // alias from `django.view.generic`
             result =
@@ -1544,7 +1546,6 @@ private module Django {
                   .getMember("view")
                   .getMember("generic")
                   .getMember(className)
-                  .getASubclass*()
           |
             moduleName = "base" and
             className in ["RedirectView", "TemplateView", "View"]
@@ -1566,8 +1567,11 @@ private module Django {
           )
           or
           // `django.views.View` alias
-          result = API::moduleImport("django").getMember("views").getMember("View").getASubclass*()
+          result = API::moduleImport("django").getMember("views").getMember("View")
         }
+
+        /** Gets a reference to the `django.views.generic.View` class or any subclass. */
+        API::Node subclassRef() { result = modeledSubclassRef().getASubclass*() }
       }
     }
 
@@ -1638,29 +1642,29 @@ private module Django {
      * See https://docs.djangoproject.com/en/3.1/ref/forms/api/
      */
     module Form {
-      /** Gets a reference to the `django.forms.forms.BaseForm` class or any subclass. */
-      API::Node subclassRef() {
+      /**
+       * Get a references to: the `django.forms.forms.BaseForm` class, or any subclass
+       * that has explicitly been modeled in the CodeQL libraries.
+       */
+      API::Node modeledSubclassRef() {
         // canonical definition
         result =
           API::moduleImport("django")
               .getMember("forms")
               .getMember("forms")
               .getMember(["BaseForm", "Form"])
-              .getASubclass*()
         or
         result =
           API::moduleImport("django")
               .getMember("forms")
               .getMember("models")
               .getMember(["BaseModelForm", "ModelForm"])
-              .getASubclass*()
         or
         // aliases from `django.forms`
         result =
           API::moduleImport("django")
               .getMember("forms")
               .getMember(["BaseForm", "Form", "BaseModelForm", "ModelForm"])
-              .getASubclass*()
         or
         // other Form subclasses defined in Django
         result =
@@ -1669,7 +1673,6 @@ private module Django {
               .getMember("admin")
               .getMember("forms")
               .getMember(["AdminAuthenticationForm", "AdminPasswordChangeForm"])
-              .getASubclass*()
         or
         result =
           API::moduleImport("django")
@@ -1677,7 +1680,6 @@ private module Django {
               .getMember("admin")
               .getMember("helpers")
               .getMember("ActionForm")
-              .getASubclass*()
         or
         result =
           API::moduleImport("django")
@@ -1686,7 +1688,6 @@ private module Django {
               .getMember("views")
               .getMember("main")
               .getMember("ChangeListSearchForm")
-              .getASubclass*()
         or
         result =
           API::moduleImport("django")
@@ -1698,7 +1699,6 @@ private module Django {
                   "AdminPasswordChangeForm", "PasswordChangeForm", "AuthenticationForm",
                   "UserCreationForm"
                 ])
-              .getASubclass*()
         or
         result =
           API::moduleImport("django")
@@ -1706,22 +1706,22 @@ private module Django {
               .getMember("flatpages")
               .getMember("forms")
               .getMember("FlatpageForm")
-              .getASubclass*()
         or
         result =
           API::moduleImport("django")
               .getMember("forms")
               .getMember("formsets")
               .getMember("ManagementForm")
-              .getASubclass*()
         or
         result =
           API::moduleImport("django")
               .getMember("forms")
               .getMember("models")
               .getMember(["ModelForm", "BaseModelForm"])
-              .getASubclass*()
       }
+
+      /** Gets a reference to the `django.forms.forms.BaseForm` class or any subclass. */
+      API::Node subclassRef() { result = modeledSubclassRef().getASubclass*() }
     }
 
     /**
@@ -1731,8 +1731,11 @@ private module Django {
      * See https://docs.djangoproject.com/en/3.1/ref/forms/fields/
      */
     module Field {
-      /** Gets a reference to the `django.forms.fields.Field` class or any subclass. */
-      API::Node subclassRef() {
+      /**
+       * Get a references to: the `django.forms.fields.Field` class, or any subclass
+       * that has explicitly been modeled in the CodeQL libraries.
+       */
+      API::Node modeledSubclassRef() {
         exists(string moduleName, string className |
           // canonical definition
           result =
@@ -1740,11 +1743,9 @@ private module Django {
                 .getMember("forms")
                 .getMember(moduleName)
                 .getMember(className)
-                .getASubclass*()
           or
           // alias from `django.forms`
-          result =
-            API::moduleImport("django").getMember("forms").getMember(className).getASubclass*()
+          result = API::moduleImport("django").getMember("forms").getMember(className)
         |
           moduleName = "fields" and
           className in [
@@ -1770,7 +1771,6 @@ private module Django {
               .getMember("auth")
               .getMember("forms")
               .getMember(["ReadOnlyPasswordHashField", "UsernameField"])
-              .getASubclass*()
         or
         result =
           API::moduleImport("django")
@@ -1783,7 +1783,6 @@ private module Django {
                   "MultiLineStringField", "MultiPointField", "MultiPolygonField", "PointField",
                   "PolygonField"
                 ])
-              .getASubclass*()
         or
         result =
           API::moduleImport("django")
@@ -1792,7 +1791,6 @@ private module Django {
               .getMember("forms")
               .getMember("array")
               .getMember(["SimpleArrayField", "SplitArrayField"])
-              .getASubclass*()
         or
         result =
           API::moduleImport("django")
@@ -1801,7 +1799,6 @@ private module Django {
               .getMember("forms")
               .getMember("hstore")
               .getMember("HStoreField")
-              .getASubclass*()
         or
         result =
           API::moduleImport("django")
@@ -1813,15 +1810,16 @@ private module Django {
                   "BaseRangeField", "DateRangeField", "DateTimeRangeField", "DecimalRangeField",
                   "IntegerRangeField"
                 ])
-              .getASubclass*()
         or
         result =
           API::moduleImport("django")
               .getMember("forms")
               .getMember("models")
               .getMember(["InlineForeignKeyField", "ModelChoiceField", "ModelMultipleChoiceField"])
-              .getASubclass*()
       }
+
+      /** Gets a reference to the `django.forms.fields.Field` class or any subclass. */
+      API::Node subclassRef() { result = modeledSubclassRef().getASubclass*() }
     }
   }
 

From 83477439a1a94af960d8edc5c5c2818da2614bcf Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Sun, 28 Mar 2021 14:13:32 +0200
Subject: [PATCH 0223/1429] Python: Make django views/fields/forms class
 modeling extensible

This also requires that we make this part of the modeling public, which I guess
is step we want to take eventually anyway!

I'm not quite sure whether the modules `Django::Views` and `Django::Forms` are
actually helpful, or whether we should just have their modules available as
`Django::View`, `Django::Form`, and `Django::Field`...
---
 .../src/semmle/python/frameworks/Django.qll   | 537 +++++++++---------
 1 file changed, 279 insertions(+), 258 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index c22f06c9a95..f41920c86b8 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -16,7 +16,284 @@ private import semmle.python.regex
  * Provides models for the `django` PyPI package.
  * See https://www.djangoproject.com/.
  */
-private module Django {
+module Django {
+  /** Provides models for the `django.views` module */
+  module Views {
+    /**
+     * Provides models for the `django.views.generic.View` class and subclasses.
+     *
+     * See
+     *  - https://docs.djangoproject.com/en/3.1/topics/class-based-views/
+     *  - https://docs.djangoproject.com/en/3.1/ref/class-based-views/
+     */
+    module View {
+      /**
+       * An `API::Node` for references to `django.views.generic.View` or any subclass
+       * that has explicitly been modeled in the CodeQL libraries.
+       */
+      abstract class ModeledSubclass extends API::Node {
+        override string toString() { result = this.(API::Node).toString() }
+      }
+
+      /** A Django view subclass in the `django` package. */
+      private class DjangoViewSubclassesInDjango extends ModeledSubclass {
+        DjangoViewSubclassesInDjango() {
+          exists(string moduleName, string className |
+            // canonical definition
+            this =
+              API::moduleImport("django")
+                  .getMember("views")
+                  .getMember("generic")
+                  .getMember(moduleName)
+                  .getMember(className)
+            or
+            // aliases from `django.views.generic`
+            this =
+              API::moduleImport("django")
+                  .getMember("views")
+                  .getMember("generic")
+                  .getMember(className)
+          |
+            moduleName = "base" and
+            className in ["RedirectView", "TemplateView", "View"]
+            or
+            moduleName = "dates" and
+            className in [
+                "ArchiveIndexView", "DateDetailView", "DayArchiveView", "MonthArchiveView",
+                "TodayArchiveView", "WeekArchiveView", "YearArchiveView"
+              ]
+            or
+            moduleName = "detail" and
+            className = "DetailView"
+            or
+            moduleName = "edit" and
+            className in ["CreateView", "DeleteView", "FormView", "UpdateView"]
+            or
+            moduleName = "list" and
+            className = "ListView"
+          )
+          or
+          // `django.views.View` alias
+          this = API::moduleImport("django").getMember("views").getMember("View")
+        }
+      }
+
+      /** Gets a reference to the `django.views.generic.View` class or any subclass. */
+      API::Node subclassRef() { result = any(ModeledSubclass subclass).getASubclass*() }
+    }
+  }
+
+  /** Provides models for django forms (defined in the `django.forms` module) */
+  module Forms {
+    /**
+     * Provides models for the `django.forms.forms.BaseForm` class and subclasses. This
+     * is usually used by the `django.forms.forms.Form` class, which is also available
+     * under the more commonly used alias `django.forms.Form`.
+     *
+     * See https://docs.djangoproject.com/en/3.1/ref/forms/api/
+     */
+    module Form {
+      /**
+       * An `API::Node` for references to `django.forms.forms.BaseForm` or any subclass
+       * that has explicitly been modeled in the CodeQL libraries.
+       */
+      abstract class ModeledSubclass extends API::Node {
+        override string toString() { result = this.(API::Node).toString() }
+      }
+
+      /** A Django form subclass in the `django` package. */
+      private class DjangoFormSubclassesInDjango extends ModeledSubclass {
+        DjangoFormSubclassesInDjango() {
+          // canonical definition
+          this =
+            API::moduleImport("django")
+                .getMember("forms")
+                .getMember("forms")
+                .getMember(["BaseForm", "Form"])
+          or
+          this =
+            API::moduleImport("django")
+                .getMember("forms")
+                .getMember("models")
+                .getMember(["BaseModelForm", "ModelForm"])
+          or
+          // aliases from `django.forms`
+          this =
+            API::moduleImport("django")
+                .getMember("forms")
+                .getMember(["BaseForm", "Form", "BaseModelForm", "ModelForm"])
+          or
+          // other Form subclasses defined in Django
+          this =
+            API::moduleImport("django")
+                .getMember("contrib")
+                .getMember("admin")
+                .getMember("forms")
+                .getMember(["AdminAuthenticationForm", "AdminPasswordChangeForm"])
+          or
+          this =
+            API::moduleImport("django")
+                .getMember("contrib")
+                .getMember("admin")
+                .getMember("helpers")
+                .getMember("ActionForm")
+          or
+          this =
+            API::moduleImport("django")
+                .getMember("contrib")
+                .getMember("admin")
+                .getMember("views")
+                .getMember("main")
+                .getMember("ChangeListSearchForm")
+          or
+          this =
+            API::moduleImport("django")
+                .getMember("contrib")
+                .getMember("auth")
+                .getMember("forms")
+                .getMember([
+                    "PasswordResetForm", "UserChangeForm", "SetPasswordForm",
+                    "AdminPasswordChangeForm", "PasswordChangeForm", "AuthenticationForm",
+                    "UserCreationForm"
+                  ])
+          or
+          this =
+            API::moduleImport("django")
+                .getMember("contrib")
+                .getMember("flatpages")
+                .getMember("forms")
+                .getMember("FlatpageForm")
+          or
+          this =
+            API::moduleImport("django")
+                .getMember("forms")
+                .getMember("formsets")
+                .getMember("ManagementForm")
+          or
+          this =
+            API::moduleImport("django")
+                .getMember("forms")
+                .getMember("models")
+                .getMember(["ModelForm", "BaseModelForm"])
+        }
+      }
+
+      /** Gets a reference to the `django.forms.forms.BaseForm` class or any subclass. */
+      API::Node subclassRef() { result = any(ModeledSubclass subclass).getASubclass*() }
+    }
+
+    /**
+     * Provides models for the `django.forms.fields.Field` class and subclasses. This is
+     * also available under the more commonly used alias `django.forms.Field`.
+     *
+     * See https://docs.djangoproject.com/en/3.1/ref/forms/fields/
+     */
+    module Field {
+      /**
+       * An `API::Node` for references to `django.forms.fields.Field` or any subclass
+       * that has explicitly been modeled in the CodeQL libraries.
+       */
+      abstract class ModeledSubclass extends API::Node {
+        override string toString() { result = this.(API::Node).toString() }
+      }
+
+      /** A Django field subclass in the `django` package. */
+      private class DjangoFieldSubclassesInDjango extends ModeledSubclass {
+        DjangoFieldSubclassesInDjango() {
+          exists(string moduleName, string className |
+            // canonical definition
+            this =
+              API::moduleImport("django")
+                  .getMember("forms")
+                  .getMember(moduleName)
+                  .getMember(className)
+            or
+            // aliases from `django.forms`
+            this = API::moduleImport("django").getMember("forms").getMember(className)
+          |
+            moduleName = "fields" and
+            className in [
+                "Field",
+                // Known subclasses
+                "BooleanField", "IntegerField", "CharField", "SlugField", "DateTimeField",
+                "EmailField", "DateField", "TimeField", "DurationField", "DecimalField",
+                "FloatField", "GenericIPAddressField", "UUIDField", "JSONField", "FilePathField",
+                "NullBooleanField", "URLField", "TypedChoiceField", "FileField", "ImageField",
+                "RegexField", "ChoiceField", "MultipleChoiceField", "ComboField", "MultiValueField",
+                "SplitDateTimeField", "TypedMultipleChoiceField", "BaseTemporalField"
+              ]
+            or
+            // Known subclasses from `django.forms.models`
+            moduleName = "models" and
+            className in ["ModelChoiceField", "ModelMultipleChoiceField", "InlineForeignKeyField"]
+          )
+          or
+          // other Field subclasses defined in Django
+          this =
+            API::moduleImport("django")
+                .getMember("contrib")
+                .getMember("auth")
+                .getMember("forms")
+                .getMember(["ReadOnlyPasswordHashField", "UsernameField"])
+          or
+          this =
+            API::moduleImport("django")
+                .getMember("contrib")
+                .getMember("gis")
+                .getMember("forms")
+                .getMember("fields")
+                .getMember([
+                    "GeometryCollectionField", "GeometryField", "LineStringField",
+                    "MultiLineStringField", "MultiPointField", "MultiPolygonField", "PointField",
+                    "PolygonField"
+                  ])
+          or
+          this =
+            API::moduleImport("django")
+                .getMember("contrib")
+                .getMember("postgres")
+                .getMember("forms")
+                .getMember("array")
+                .getMember(["SimpleArrayField", "SplitArrayField"])
+          or
+          this =
+            API::moduleImport("django")
+                .getMember("contrib")
+                .getMember("postgres")
+                .getMember("forms")
+                .getMember("hstore")
+                .getMember("HStoreField")
+          or
+          this =
+            API::moduleImport("django")
+                .getMember("contrib")
+                .getMember("postgres")
+                .getMember("forms")
+                .getMember("ranges")
+                .getMember([
+                    "BaseRangeField", "DateRangeField", "DateTimeRangeField", "DecimalRangeField",
+                    "IntegerRangeField"
+                  ])
+          or
+          this =
+            API::moduleImport("django")
+                .getMember("forms")
+                .getMember("models")
+                .getMember(["InlineForeignKeyField", "ModelChoiceField", "ModelMultipleChoiceField"])
+        }
+      }
+
+      /** Gets a reference to the `django.forms.fields.Field` class or any subclass. */
+      API::Node subclassRef() { result = any(ModeledSubclass subclass).getASubclass*() }
+    }
+  }
+}
+
+/**
+ * Provides models for the `django` PyPI package (that we are not quite ready to publicly expose yet).
+ * See https://www.djangoproject.com/.
+ */
+private module PrivateDjango {
   // ---------------------------------------------------------------------------
   // django
   // ---------------------------------------------------------------------------
@@ -1510,71 +1787,6 @@ private module Django {
       }
     }
 
-    // -------------------------------------------------------------------------
-    // django.views
-    // -------------------------------------------------------------------------
-    /** Gets a reference to the `django.views` module. */
-    DataFlow::Node views() { result = django_attr("views") }
-
-    /** Provides models for the `django.views` module */
-    module views {
-      /**
-       * Provides models for the `django.views.generic.View` class and subclasses.
-       *
-       * See
-       *  - https://docs.djangoproject.com/en/3.1/topics/class-based-views/
-       *  - https://docs.djangoproject.com/en/3.1/ref/class-based-views/
-       */
-      module View {
-        /**
-         * Get a references to: the `django.views.generic.View` class, or any subclass
-         * that has explicitly been modeled in the CodeQL libraries.
-         */
-        API::Node modeledSubclassRef() {
-          exists(string moduleName, string className |
-            // canonical definition
-            result =
-              API::moduleImport("django")
-                  .getMember("views")
-                  .getMember("generic")
-                  .getMember(moduleName)
-                  .getMember(className)
-            or
-            // alias from `django.view.generic`
-            result =
-              API::moduleImport("django")
-                  .getMember("view")
-                  .getMember("generic")
-                  .getMember(className)
-          |
-            moduleName = "base" and
-            className in ["RedirectView", "TemplateView", "View"]
-            or
-            moduleName = "dates" and
-            className in [
-                "ArchiveIndexView", "DateDetailView", "DayArchiveView", "MonthArchiveView",
-                "TodayArchiveView", "WeekArchiveView", "YearArchiveView"
-              ]
-            or
-            moduleName = "detail" and
-            className = "DetailView"
-            or
-            moduleName = "edit" and
-            className in ["CreateView", "DeleteView", "FormView", "UpdateView"]
-            or
-            moduleName = "list" and
-            className = "ListView"
-          )
-          or
-          // `django.views.View` alias
-          result = API::moduleImport("django").getMember("views").getMember("View")
-        }
-
-        /** Gets a reference to the `django.views.generic.View` class or any subclass. */
-        API::Node subclassRef() { result = modeledSubclassRef().getASubclass*() }
-      }
-    }
-
     // -------------------------------------------------------------------------
     // django.shortcuts
     // -------------------------------------------------------------------------
@@ -1632,197 +1844,6 @@ private module Django {
     }
   }
 
-  /** Provides models for django forms (defined in the `django.forms` module) */
-  module Forms {
-    /**
-     * Provides models for the `django.forms.forms.BaseForm` class and subclasses. This
-     * is usually used by the `django.forms.forms.Form` class, which is also available
-     * under the more commonly used alias `django.forms.Form`.
-     *
-     * See https://docs.djangoproject.com/en/3.1/ref/forms/api/
-     */
-    module Form {
-      /**
-       * Get a references to: the `django.forms.forms.BaseForm` class, or any subclass
-       * that has explicitly been modeled in the CodeQL libraries.
-       */
-      API::Node modeledSubclassRef() {
-        // canonical definition
-        result =
-          API::moduleImport("django")
-              .getMember("forms")
-              .getMember("forms")
-              .getMember(["BaseForm", "Form"])
-        or
-        result =
-          API::moduleImport("django")
-              .getMember("forms")
-              .getMember("models")
-              .getMember(["BaseModelForm", "ModelForm"])
-        or
-        // aliases from `django.forms`
-        result =
-          API::moduleImport("django")
-              .getMember("forms")
-              .getMember(["BaseForm", "Form", "BaseModelForm", "ModelForm"])
-        or
-        // other Form subclasses defined in Django
-        result =
-          API::moduleImport("django")
-              .getMember("contrib")
-              .getMember("admin")
-              .getMember("forms")
-              .getMember(["AdminAuthenticationForm", "AdminPasswordChangeForm"])
-        or
-        result =
-          API::moduleImport("django")
-              .getMember("contrib")
-              .getMember("admin")
-              .getMember("helpers")
-              .getMember("ActionForm")
-        or
-        result =
-          API::moduleImport("django")
-              .getMember("contrib")
-              .getMember("admin")
-              .getMember("views")
-              .getMember("main")
-              .getMember("ChangeListSearchForm")
-        or
-        result =
-          API::moduleImport("django")
-              .getMember("contrib")
-              .getMember("auth")
-              .getMember("forms")
-              .getMember([
-                  "PasswordResetForm", "UserChangeForm", "SetPasswordForm",
-                  "AdminPasswordChangeForm", "PasswordChangeForm", "AuthenticationForm",
-                  "UserCreationForm"
-                ])
-        or
-        result =
-          API::moduleImport("django")
-              .getMember("contrib")
-              .getMember("flatpages")
-              .getMember("forms")
-              .getMember("FlatpageForm")
-        or
-        result =
-          API::moduleImport("django")
-              .getMember("forms")
-              .getMember("formsets")
-              .getMember("ManagementForm")
-        or
-        result =
-          API::moduleImport("django")
-              .getMember("forms")
-              .getMember("models")
-              .getMember(["ModelForm", "BaseModelForm"])
-      }
-
-      /** Gets a reference to the `django.forms.forms.BaseForm` class or any subclass. */
-      API::Node subclassRef() { result = modeledSubclassRef().getASubclass*() }
-    }
-
-    /**
-     * Provides models for the `django.forms.fields.Field` class and subclasses. This is
-     * also available under the more commonly used alias `django.forms.Field`.
-     *
-     * See https://docs.djangoproject.com/en/3.1/ref/forms/fields/
-     */
-    module Field {
-      /**
-       * Get a references to: the `django.forms.fields.Field` class, or any subclass
-       * that has explicitly been modeled in the CodeQL libraries.
-       */
-      API::Node modeledSubclassRef() {
-        exists(string moduleName, string className |
-          // canonical definition
-          result =
-            API::moduleImport("django")
-                .getMember("forms")
-                .getMember(moduleName)
-                .getMember(className)
-          or
-          // alias from `django.forms`
-          result = API::moduleImport("django").getMember("forms").getMember(className)
-        |
-          moduleName = "fields" and
-          className in [
-              "Field",
-              // Known subclasses
-              "BooleanField", "IntegerField", "CharField", "SlugField", "DateTimeField",
-              "EmailField", "DateField", "TimeField", "DurationField", "DecimalField", "FloatField",
-              "GenericIPAddressField", "UUIDField", "JSONField", "FilePathField",
-              "NullBooleanField", "URLField", "TypedChoiceField", "FileField", "ImageField",
-              "RegexField", "ChoiceField", "MultipleChoiceField", "ComboField", "MultiValueField",
-              "SplitDateTimeField", "TypedMultipleChoiceField", "BaseTemporalField"
-            ]
-          or
-          // Known subclasses from `django.forms.models`
-          moduleName = "models" and
-          className in ["ModelChoiceField", "ModelMultipleChoiceField", "InlineForeignKeyField"]
-        )
-        or
-        // other Field subclasses defined in Django
-        result =
-          API::moduleImport("django")
-              .getMember("contrib")
-              .getMember("auth")
-              .getMember("forms")
-              .getMember(["ReadOnlyPasswordHashField", "UsernameField"])
-        or
-        result =
-          API::moduleImport("django")
-              .getMember("contrib")
-              .getMember("gis")
-              .getMember("forms")
-              .getMember("fields")
-              .getMember([
-                  "GeometryCollectionField", "GeometryField", "LineStringField",
-                  "MultiLineStringField", "MultiPointField", "MultiPolygonField", "PointField",
-                  "PolygonField"
-                ])
-        or
-        result =
-          API::moduleImport("django")
-              .getMember("contrib")
-              .getMember("postgres")
-              .getMember("forms")
-              .getMember("array")
-              .getMember(["SimpleArrayField", "SplitArrayField"])
-        or
-        result =
-          API::moduleImport("django")
-              .getMember("contrib")
-              .getMember("postgres")
-              .getMember("forms")
-              .getMember("hstore")
-              .getMember("HStoreField")
-        or
-        result =
-          API::moduleImport("django")
-              .getMember("contrib")
-              .getMember("postgres")
-              .getMember("forms")
-              .getMember("ranges")
-              .getMember([
-                  "BaseRangeField", "DateRangeField", "DateTimeRangeField", "DecimalRangeField",
-                  "IntegerRangeField"
-                ])
-        or
-        result =
-          API::moduleImport("django")
-              .getMember("forms")
-              .getMember("models")
-              .getMember(["InlineForeignKeyField", "ModelChoiceField", "ModelMultipleChoiceField"])
-      }
-
-      /** Gets a reference to the `django.forms.fields.Field` class or any subclass. */
-      API::Node subclassRef() { result = modeledSubclassRef().getASubclass*() }
-    }
-  }
-
   // ---------------------------------------------------------------------------
   // Helpers
   // ---------------------------------------------------------------------------
@@ -2039,7 +2060,7 @@ private module Django {
    */
   class DjangoViewClassFromSuperClass extends DjangoViewClass {
     DjangoViewClassFromSuperClass() {
-      this.getABase() = django::views::View::subclassRef().getAUse().asExpr()
+      this.getABase() = Django::Views::View::subclassRef().getAUse().asExpr()
     }
   }
 

From 21004006d652b82213ff502bc3609b57afa626a9 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Thu, 8 Apr 2021 19:17:04 +0800
Subject: [PATCH 0224/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
index 0598f843840..a3204dc109a 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
@@ -41,7 +41,7 @@ class SplitMethod extends Method {
 }
 
 /**
- * A call to the ServletRequest.getHeader method and the argument are
+ * A call to the ServletRequest.getHeader method with an argument
  * `wl-proxy-client-ip`/`proxy-client-ip`/`http_client_ip`/`http_x_forwarded_for`/`x-real-ip`.
  */
 class HeaderIpCall extends MethodAccess {

From bfbfe7af13617476188fa08f69d5f670727c721f Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Thu, 8 Apr 2021 19:21:58 +0800
Subject: [PATCH 0225/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp        | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
index 1c3a4485cbd..031aa0d11fd 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
@@ -24,9 +24,8 @@ and get the last value of the split array.</p>
 </example>
 <references>
 
-<li>Prevent IP address spoofing with X-Forwarded-For header when using AWS ELB and Clojure Ring: 
-<a href="https://www.dennis-schneider.com/blog/prevent-ip-address-spoofing-with-x-forwarded-for-header-and-aws-elb-in-clojure-ring/">
-Prevent IP address spoofing with...</a>
+<li>Dennis Schneider: <a href="https://www.dennis-schneider.com/blog/prevent-ip-address-spoofing-with-x-forwarded-for-header-and-aws-elb-in-clojure-ring/">
+Prevent IP address spoofing with X-Forwarded-For header when using AWS ELB and Clojure Ring</a>
 </li>
 
 <li>Security Rule Zero: A Warning about X-Forwarded-For: 

From 1da48ed4d10b1ed7ed9585c647db3094f1d813e3 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Thu, 8 Apr 2021 19:22:14 +0800
Subject: [PATCH 0226/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp         | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
index 031aa0d11fd..6b2eb2e7eed 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
@@ -28,9 +28,7 @@ and get the last value of the split array.</p>
 Prevent IP address spoofing with X-Forwarded-For header when using AWS ELB and Clojure Ring</a>
 </li>
 
-<li>Security Rule Zero: A Warning about X-Forwarded-For: 
-<a href="https://www.f5.com/company/blog/security-rule-zero-a-warning-about-x-forwarded-for">
-Security Rule Zero: A Warning about X-Forwarded-For</a>
+<li>Security Rule Zero: <a href="https://www.f5.com/company/blog/security-rule-zero-a-warning-about-x-forwarded-for">A Warning about X-Forwarded-For</a>
 </li>
 
 </references>

From 52a2260dc7f09d94f2e8084800898610e7743715 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Thu, 8 Apr 2021 12:52:23 +0100
Subject: [PATCH 0227/1429] JS: Rename change note file

---
 .../change-notes/{2021-02-18-redux.md => 2021-04-08-redux.md}     | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename javascript/change-notes/{2021-02-18-redux.md => 2021-04-08-redux.md} (100%)

diff --git a/javascript/change-notes/2021-02-18-redux.md b/javascript/change-notes/2021-04-08-redux.md
similarity index 100%
rename from javascript/change-notes/2021-02-18-redux.md
rename to javascript/change-notes/2021-04-08-redux.md

From 036e181bc1dbeb2c39bbc0232c677cf1be00544f Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Wed, 7 Apr 2021 14:28:17 +0200
Subject: [PATCH 0228/1429] C#: Improve performance of
 `Dispatch::SimpleTypeDataFlow::getASourceType()`

---
 .../semmle/code/csharp/dispatch/Dispatch.qll  | 86 ++++++++++++-------
 1 file changed, 55 insertions(+), 31 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dispatch/Dispatch.qll b/csharp/ql/src/semmle/code/csharp/dispatch/Dispatch.qll
index 1e0eaaf8017..e436fb2b99a 100644
--- a/csharp/ql/src/semmle/code/csharp/dispatch/Dispatch.qll
+++ b/csharp/ql/src/semmle/code/csharp/dispatch/Dispatch.qll
@@ -636,31 +636,41 @@ private module Internal {
       )
     }
 
-    private predicate stepExpr0(Expr succ, Expr pred) {
-      Steps::stepOpen(pred, succ)
-      or
-      exists(Assignable a |
-        a instanceof Field or
-        a instanceof Property
-      |
-        succ.(AssignableRead) = a.getAnAccess() and
-        pred = a.getAnAssignedValue() and
-        a = any(Modifiable m | not m.isEffectivelyPublic())
-      )
-    }
-
-    private predicate stepExpr(Expr succ, Expr pred) {
-      stepExpr0(succ, pred) and
+    private predicate stepExpr(Expr pred, Expr succ) {
+      Steps::stepOpen(pred, succ) and
       // Do not step through down casts
       not downCast(succ) and
       // Only step when we may learn more about the actual type
       typeMayBeImprecise(succ.getType())
     }
 
-    private predicate stepTC(Expr succ, Expr pred) = fastTC(stepExpr/2)(succ, pred)
+    private class AnalyzableFieldOrProperty extends Assignable, Modifiable {
+      AnalyzableFieldOrProperty() {
+        (
+          this instanceof Field or
+          this instanceof Property
+        ) and
+        not this.isEffectivelyPublic() and
+        exists(this.getAnAssignedValue())
+      }
+
+      AssignableRead getARead() { result = this.getAnAccess() }
+    }
 
     private class Source extends Expr {
-      Source() { not stepExpr(this, _) }
+      Source() {
+        not stepExpr(_, this) and
+        not this = any(AnalyzableFieldOrProperty a).getARead()
+      }
+
+      Type getType(boolean isExact) {
+        result = this.getType() and
+        if
+          this instanceof ObjectCreation or
+          this instanceof BaseAccess
+        then isExact = true
+        else isExact = false
+      }
     }
 
     private class Sink extends Expr {
@@ -680,24 +690,38 @@ private module Internal {
         this = any(DispatchCallImpl c).getArgument(_)
       }
 
-      Source getASource() { stepTC(this, result) }
+      pragma[nomagic]
+      Expr getAPred() { stepExpr*(result, this) }
+
+      pragma[nomagic]
+      AnalyzableFieldOrProperty getAPredRead() { this.getAPred() = result.getARead() }
     }
 
-    /** Holds if the expression `e` has an exact type. */
-    private predicate hasExactType(Expr e) {
-      e instanceof ObjectCreation or
-      e instanceof BaseAccess
+    /** Gets a source type for sink expression `e`, using simple data flow. */
+    Type getASourceType(Sink sink, boolean isExact) {
+      result = sink.getAPred().(Source).getType(isExact)
+      or
+      result = sink.getAPredRead().(RelevantFieldOrProperty).getASourceType(isExact)
     }
 
-    /** Gets a source type for expression `e`, using simple data flow. */
-    Type getASourceType(Sink e, boolean isExact) {
-      exists(Source s |
-        s = e.getASource() or
-        s = e
-      |
-        result = s.getType() and
-        if hasExactType(s) then isExact = true else isExact = false
-      )
+    private class RelevantFieldOrProperty extends AnalyzableFieldOrProperty {
+      RelevantFieldOrProperty() {
+        this = any(Sink s).getAPredRead()
+        or
+        this = any(RelevantFieldOrProperty a).getAPredRead()
+      }
+
+      pragma[nomagic]
+      Expr getAPred() { stepExpr*(result, this.getAnAssignedValue()) }
+
+      pragma[nomagic]
+      AnalyzableFieldOrProperty getAPredRead() { this.getAPred() = result.getARead() }
+
+      Type getASourceType(boolean isExact) {
+        result = this.getAPred().(Source).getType(isExact)
+        or
+        result = this.getAPredRead().(RelevantFieldOrProperty).getASourceType(isExact)
+      }
     }
   }
 

From 30ba69d9911f0edc3338bc4de2aaa52bc314d291 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 8 Apr 2021 14:42:12 +0200
Subject: [PATCH 0229/1429] treat "files" in a package.json as main modules, if
 "main" is not present

---
 javascript/ql/src/semmle/javascript/NPM.qll   |  2 +-
 .../javascript/NodeModuleResolutionImpl.qll   | 67 ++++++++++++++++++-
 .../UnsafeShellCommandConstruction.expected   | 27 ++++++++
 .../CWE-078/lib/subLib2/compiled-file.ts      |  5 ++
 .../Security/CWE-078/lib/subLib2/package.json |  9 +++
 .../CWE-078/lib/subLib2/special-file.js       |  5 ++
 .../Security/CWE-078/lib/subLib3/my-file.ts   |  5 ++
 .../Security/CWE-078/lib/subLib3/package.json |  5 ++
 8 files changed, 122 insertions(+), 3 deletions(-)
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-078/lib/subLib2/compiled-file.ts
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-078/lib/subLib2/package.json
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-078/lib/subLib2/special-file.js
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-078/lib/subLib3/my-file.ts
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-078/lib/subLib3/package.json

diff --git a/javascript/ql/src/semmle/javascript/NPM.qll b/javascript/ql/src/semmle/javascript/NPM.qll
index 24d3072fae1..8351c4266cf 100644
--- a/javascript/ql/src/semmle/javascript/NPM.qll
+++ b/javascript/ql/src/semmle/javascript/NPM.qll
@@ -51,7 +51,7 @@ class PackageJSON extends JSONObject {
   string getAFile() { result = getFiles().getElementStringValue(_) }
 
   /** Gets the main module of this package. */
-  string getMain() { result = getPropStringValue("main") }
+  string getMain() { result = MainModulePath::of(this).getValue() }
 
   /** Gets the path of a command defined for this package. */
   string getBin(string cmd) {
diff --git a/javascript/ql/src/semmle/javascript/NodeModuleResolutionImpl.qll b/javascript/ql/src/semmle/javascript/NodeModuleResolutionImpl.qll
index 84538e9925a..cc6f76d0b93 100644
--- a/javascript/ql/src/semmle/javascript/NodeModuleResolutionImpl.qll
+++ b/javascript/ql/src/semmle/javascript/NodeModuleResolutionImpl.qll
@@ -80,6 +80,18 @@ File tryExtensions(Folder dir, string basename, int priority) {
   )
 }
 
+/**
+ * Gets `name` without a file extension.
+ * Or `name`, if `name` has no file extension.
+ */
+bindingset[name]
+private string maybeRemoveExtension(string name) {
+  result = name.regexpCapture("^(.+)\\.[^.]+$", 1)
+  or
+  not name.regexpMatch(".+\\..+") and
+  result = name
+}
+
 /**
  * Gets the main module described by `pkg` with the given `priority`.
  */
@@ -90,9 +102,10 @@ File resolveMainModule(PackageJSON pkg, int priority) {
     result = tryExtensions(main.resolve(), "index", priority)
     or
     not exists(main.resolve()) and
-    not exists(main.getExtension()) and
     exists(int n | n = main.getNumComponent() |
-      result = tryExtensions(main.resolveUpTo(n - 1), main.getComponent(n - 1), priority)
+      result =
+        tryExtensions(main.resolveUpTo(n - 1), maybeRemoveExtension(main.getComponent(n - 1)),
+          priority)
     )
   )
   or
@@ -101,6 +114,28 @@ File resolveMainModule(PackageJSON pkg, int priority) {
       tryExtensions([folder, folder.getChildContainer(["src", "lib"])], "index",
         priority - prioritiesPerCandidate())
   )
+  or
+  // if there is no main module, then we look for files that are explicitly included in the published package.
+  exists(PathExpr file |
+    // `FilesPath` only exists if there is no main module for a given package.
+    file = FilesPath::of(pkg) and priority = 100 // fixing the priority, because there might be multiple files in the package.
+  |
+    result = file.resolve()
+    or
+    result = min(int i, File f | f = tryExtensions(file.resolve(), "index", i) | f order by i)
+    or
+    // resolve "file.js" to e.g. "file.ts".
+    not exists(file.resolve()) and
+    exists(int n | n = file.getNumComponent() |
+      result =
+        min(int i, File res |
+          res =
+            tryExtensions(file.resolveUpTo(n - 1), maybeRemoveExtension(file.getComponent(n - 1)), i)
+        |
+          res order by i
+        )
+    )
+  )
 }
 
 /**
@@ -126,3 +161,31 @@ class MainModulePath extends PathExpr, @json_string {
 module MainModulePath {
   MainModulePath of(PackageJSON pkg) { result.getPackageJSON() = pkg }
 }
+
+/**
+ * A JSON string in a `package.json` file specifying a file that should be included in the published package.
+ * These files are often imported directly from a client when a "main" module is not specified.
+ * For performance reasons this only exists if there is no "main" field in the `package.json` file.
+ */
+private class FilesPath extends PathExpr, @json_string {
+  PackageJSON pkg;
+
+  FilesPath() {
+    this = pkg.getPropValue("files").(JSONArray).getElementValue(_) and
+    not exists(MainModulePath::of(pkg))
+  }
+
+  /** Gets the `package.json` file in which this path occurs. */
+  PackageJSON getPackageJSON() { result = pkg }
+
+  override string getValue() { result = this.(JSONString).getValue() }
+
+  override Folder getAdditionalSearchRoot(int priority) {
+    priority = 0 and
+    result = pkg.getFile().getParentContainer()
+  }
+}
+
+private module FilesPath {
+  FilesPath of(PackageJSON pkg) { result.getPackageJSON() = pkg }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected
index 195be99582a..421e24aed71 100644
--- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected
@@ -246,6 +246,18 @@ nodes
 | lib/lib.js:482:40:482:43 | name |
 | lib/lib.js:483:30:483:33 | name |
 | lib/lib.js:483:30:483:33 | name |
+| lib/subLib2/compiled-file.ts:3:26:3:29 | name |
+| lib/subLib2/compiled-file.ts:3:26:3:29 | name |
+| lib/subLib2/compiled-file.ts:4:25:4:28 | name |
+| lib/subLib2/compiled-file.ts:4:25:4:28 | name |
+| lib/subLib2/special-file.js:3:28:3:31 | name |
+| lib/subLib2/special-file.js:3:28:3:31 | name |
+| lib/subLib2/special-file.js:4:22:4:25 | name |
+| lib/subLib2/special-file.js:4:22:4:25 | name |
+| lib/subLib3/my-file.ts:3:28:3:31 | name |
+| lib/subLib3/my-file.ts:3:28:3:31 | name |
+| lib/subLib3/my-file.ts:4:22:4:25 | name |
+| lib/subLib3/my-file.ts:4:22:4:25 | name |
 | lib/subLib/index.js:3:28:3:31 | name |
 | lib/subLib/index.js:3:28:3:31 | name |
 | lib/subLib/index.js:4:22:4:25 | name |
@@ -546,6 +558,18 @@ edges
 | lib/lib.js:482:40:482:43 | name | lib/lib.js:483:30:483:33 | name |
 | lib/lib.js:482:40:482:43 | name | lib/lib.js:483:30:483:33 | name |
 | lib/lib.js:482:40:482:43 | name | lib/lib.js:483:30:483:33 | name |
+| lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name |
+| lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name |
+| lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name |
+| lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name |
+| lib/subLib2/special-file.js:3:28:3:31 | name | lib/subLib2/special-file.js:4:22:4:25 | name |
+| lib/subLib2/special-file.js:3:28:3:31 | name | lib/subLib2/special-file.js:4:22:4:25 | name |
+| lib/subLib2/special-file.js:3:28:3:31 | name | lib/subLib2/special-file.js:4:22:4:25 | name |
+| lib/subLib2/special-file.js:3:28:3:31 | name | lib/subLib2/special-file.js:4:22:4:25 | name |
+| lib/subLib3/my-file.ts:3:28:3:31 | name | lib/subLib3/my-file.ts:4:22:4:25 | name |
+| lib/subLib3/my-file.ts:3:28:3:31 | name | lib/subLib3/my-file.ts:4:22:4:25 | name |
+| lib/subLib3/my-file.ts:3:28:3:31 | name | lib/subLib3/my-file.ts:4:22:4:25 | name |
+| lib/subLib3/my-file.ts:3:28:3:31 | name | lib/subLib3/my-file.ts:4:22:4:25 | name |
 | lib/subLib/index.js:3:28:3:31 | name | lib/subLib/index.js:4:22:4:25 | name |
 | lib/subLib/index.js:3:28:3:31 | name | lib/subLib/index.js:4:22:4:25 | name |
 | lib/subLib/index.js:3:28:3:31 | name | lib/subLib/index.js:4:22:4:25 | name |
@@ -624,5 +648,8 @@ edges
 | lib/lib.js:447:13:447:28 | "rm -rf " + name | lib/lib.js:446:20:446:23 | name | lib/lib.js:447:25:447:28 | name | $@ based on $@ is later used in $@. | lib/lib.js:447:13:447:28 | "rm -rf " + name | String concatenation | lib/lib.js:446:20:446:23 | name | library input | lib/lib.js:447:3:447:29 | asyncEx ... + name) | shell command |
 | lib/lib.js:478:27:478:46 | config.installedPath | lib/lib.js:477:33:477:38 | config | lib/lib.js:478:27:478:46 | config.installedPath | $@ based on $@ is later used in $@. | lib/lib.js:478:27:478:46 | config.installedPath | Path concatenation | lib/lib.js:477:33:477:38 | config | library input | lib/lib.js:479:12:479:20 | exec(cmd) | shell command |
 | lib/lib.js:483:13:483:33 | ' my na ...  + name | lib/lib.js:482:40:482:43 | name | lib/lib.js:483:30:483:33 | name | $@ based on $@ is later used in $@. | lib/lib.js:483:13:483:33 | ' my na ...  + name | String concatenation | lib/lib.js:482:40:482:43 | name | library input | lib/lib.js:485:2:485:20 | cp.exec(cmd + args) | shell command |
+| lib/subLib2/compiled-file.ts:4:13:4:28 | "rm -rf " + name | lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name | $@ based on $@ is later used in $@. | lib/subLib2/compiled-file.ts:4:13:4:28 | "rm -rf " + name | String concatenation | lib/subLib2/compiled-file.ts:3:26:3:29 | name | library input | lib/subLib2/compiled-file.ts:4:5:4:29 | cp.exec ... + name) | shell command |
+| lib/subLib2/special-file.js:4:10:4:25 | "rm -rf " + name | lib/subLib2/special-file.js:3:28:3:31 | name | lib/subLib2/special-file.js:4:22:4:25 | name | $@ based on $@ is later used in $@. | lib/subLib2/special-file.js:4:10:4:25 | "rm -rf " + name | String concatenation | lib/subLib2/special-file.js:3:28:3:31 | name | library input | lib/subLib2/special-file.js:4:2:4:26 | cp.exec ... + name) | shell command |
+| lib/subLib3/my-file.ts:4:10:4:25 | "rm -rf " + name | lib/subLib3/my-file.ts:3:28:3:31 | name | lib/subLib3/my-file.ts:4:22:4:25 | name | $@ based on $@ is later used in $@. | lib/subLib3/my-file.ts:4:10:4:25 | "rm -rf " + name | String concatenation | lib/subLib3/my-file.ts:3:28:3:31 | name | library input | lib/subLib3/my-file.ts:4:2:4:26 | cp.exec ... + name) | shell command |
 | lib/subLib/index.js:4:10:4:25 | "rm -rf " + name | lib/subLib/index.js:3:28:3:31 | name | lib/subLib/index.js:4:22:4:25 | name | $@ based on $@ is later used in $@. | lib/subLib/index.js:4:10:4:25 | "rm -rf " + name | String concatenation | lib/subLib/index.js:3:28:3:31 | name | library input | lib/subLib/index.js:4:2:4:26 | cp.exec ... + name) | shell command |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | lib/subLib/index.js:7:32:7:35 | name | lib/subLib/index.js:8:22:8:25 | name | $@ based on $@ is later used in $@. | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | String concatenation | lib/subLib/index.js:7:32:7:35 | name | library input | lib/subLib/index.js:8:2:8:26 | cp.exec ... + name) | shell command |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/lib/subLib2/compiled-file.ts b/javascript/ql/test/query-tests/Security/CWE-078/lib/subLib2/compiled-file.ts
new file mode 100644
index 00000000000..1e945f15e72
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-078/lib/subLib2/compiled-file.ts
@@ -0,0 +1,5 @@
+var cp = require("child_process")
+
+export default function (name) {
+    cp.exec("rm -rf " + name); // NOT OK - the "files" directory points to this file.
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/lib/subLib2/package.json b/javascript/ql/test/query-tests/Security/CWE-078/lib/subLib2/package.json
new file mode 100644
index 00000000000..45c7a0534f4
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-078/lib/subLib2/package.json
@@ -0,0 +1,9 @@
+{
+  "name": "my-sub-lib2",
+  "version": "0.0.7",
+  "files": [
+    "special-file.js",
+    "compiled-file.js",
+    "compiled-file"
+  ]
+}
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/lib/subLib2/special-file.js b/javascript/ql/test/query-tests/Security/CWE-078/lib/subLib2/special-file.js
new file mode 100644
index 00000000000..c46fed33181
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-078/lib/subLib2/special-file.js
@@ -0,0 +1,5 @@
+var cp = require("child_process")
+
+module.exports = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK - the "files" directory points to this file.
+};
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/lib/subLib3/my-file.ts b/javascript/ql/test/query-tests/Security/CWE-078/lib/subLib3/my-file.ts
new file mode 100644
index 00000000000..9fa88413cc8
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-078/lib/subLib3/my-file.ts
@@ -0,0 +1,5 @@
+var cp = require("child_process")
+
+module.exports = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK - functions exported as part of a submodule are also flagged.
+};
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/lib/subLib3/package.json b/javascript/ql/test/query-tests/Security/CWE-078/lib/subLib3/package.json
new file mode 100644
index 00000000000..2804217e9ba
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-078/lib/subLib3/package.json
@@ -0,0 +1,5 @@
+{
+  "name": "my-sub-lib",
+  "version": "0.0.7",
+  "main": "./my-file.js"
+}
\ No newline at end of file

From e5160929eb95989f50ee7c90a799ae9246d49446 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 8 Apr 2021 15:04:02 +0200
Subject: [PATCH 0230/1429] Remove ODASA reference from make_stubs.py

---
 csharp/ql/src/Stubs/make_stubs.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/csharp/ql/src/Stubs/make_stubs.py b/csharp/ql/src/Stubs/make_stubs.py
index dcdd9e87cfe..7d2ce9f7ed7 100644
--- a/csharp/ql/src/Stubs/make_stubs.py
+++ b/csharp/ql/src/Stubs/make_stubs.py
@@ -120,7 +120,7 @@ if subprocess.check_call(cmd):
 
 print("\nStub generation successful! Next steps:")
 print('1. Edit "semmle-extractor-options" in the .cs files to remove unused references')
-print('2. Re-run odasa qltest --optimize "' + testDir + '"')
+print('2. Re-run codeql test run "' + testDir + '"')
 print('3. git add "' + outputFile + '"')
 print('4. Commit your changes.')
 

From d42a01cb3ae622ecdd434df0e33a1e95a4eb3e11 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
Date: Thu, 8 Apr 2021 15:45:21 +0200
Subject: [PATCH 0231/1429] qldoc fixup

---
 java/ql/src/semmle/code/java/Expr.qll | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/java/ql/src/semmle/code/java/Expr.qll b/java/ql/src/semmle/code/java/Expr.qll
index 2e90075c1eb..b7fef39aba2 100755
--- a/java/ql/src/semmle/code/java/Expr.qll
+++ b/java/ql/src/semmle/code/java/Expr.qll
@@ -645,9 +645,10 @@ class BooleanLiteral extends Literal, @booleanliteral {
  * - It is written in binary, octal or hexadecimal notation
  * - It is written in decimal notation, has the value `2147483648` and is preceded
  *   by a minus; in this case the value of the IntegerLiteral is -2147483648 and
- *   the preceding minus will *not* be modeled as `MinusExpr`.<br/>
- *   In all other cases the preceding minus, if any, will be modeled as separate
- *   `MinusExpr`.
+ *   the preceding minus will *not* be modeled as `MinusExpr`.
+ *
+ * In all other cases the preceding minus, if any, will be modeled as a separate
+ * `MinusExpr`.
  *
  * The last exception is necessary because `2147483648` on its own would not be
  * a valid integer literal (and could also not be parsed as CodeQL `int`).
@@ -667,10 +668,11 @@ class IntegerLiteral extends Literal, @integerliteral {
  * - It is written in decimal notation, has the value `9223372036854775808` and
  *   is preceded by a minus; in this case the value of the LongLiteral is
  *   -9223372036854775808 and the preceding minus will *not* be modeled as
- *   `MinusExpr`.<br/>
- *   In all other cases the preceding minus, if any, will be modeled as separate
  *   `MinusExpr`.
  *
+ * In all other cases the preceding minus, if any, will be modeled as a separate
+ * `MinusExpr`.
+ *
  * The last exception is necessary because `9223372036854775808` on its own
  * would not be a valid long literal.
  */

From 7d300b53d71a48e4a506e88ce09b5157d3279dde Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Thu, 8 Apr 2021 15:06:48 +0100
Subject: [PATCH 0232/1429] JS: Autoformat

---
 javascript/ql/src/semmle/javascript/frameworks/Redux.qll | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Redux.qll b/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
index 0986d1079e0..ad3f985c397 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Redux.qll
@@ -985,9 +985,7 @@ module Redux {
   }
 
   private class StateStepAsFlowStep extends DataFlow::SharedFlowStep {
-    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-      stateStep(pred, succ)
-    }
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) { stateStep(pred, succ) }
   }
 
   /**

From b39a3ab12ccd57ec76fc22b58d2fde78aadf38c7 Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Thu, 8 Apr 2021 20:32:10 +0300
Subject: [PATCH 0233/1429] Added setVariable() sink

---
 .../CWE-094/JakartaExpressionInjectionLib.qll |  4 +++
 .../JakartaExpressionInjection.expected       | 31 +++++++++++--------
 .../CWE-094/JakartaExpressionInjection.java   |  7 +++++
 .../java-ee-el/javax/el/ELProcessor.java      |  1 +
 4 files changed, 30 insertions(+), 13 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
index e3a3994c881..b1c5d1e8ae2 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
@@ -44,6 +44,10 @@ private class ExpressionEvaluationSink extends DataFlow::ExprNode {
       m.getDeclaringType() instanceof ELProcessor and
       m.hasName(["eval", "getValue", "setValue"]) and
       ma.getArgument(0) = taintFrom
+      or
+      m.getDeclaringType() instanceof ELProcessor and
+      m.hasName("setVariable") and
+      ma.getArgument(1) = taintFrom
     )
   }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
index e0d699b14e3..ef002aefdf5 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
@@ -5,15 +5,17 @@ edges
 | JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:44:24:44:33 | expression : String |
 | JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:54:24:54:33 | expression : String |
 | JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:61:24:61:33 | expression : String |
-| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:70:24:70:33 | expression : String |
-| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:79:24:79:33 | expression : String |
+| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:68:24:68:33 | expression : String |
+| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:77:24:77:33 | expression : String |
+| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:86:24:86:33 | expression : String |
 | JakartaExpressionInjection.java:30:24:30:33 | expression : String | JakartaExpressionInjection.java:32:28:32:37 | expression |
 | JakartaExpressionInjection.java:37:24:37:33 | expression : String | JakartaExpressionInjection.java:39:32:39:41 | expression |
 | JakartaExpressionInjection.java:44:24:44:33 | expression : String | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression |
 | JakartaExpressionInjection.java:54:24:54:33 | expression : String | JakartaExpressionInjection.java:56:32:56:41 | expression |
-| JakartaExpressionInjection.java:61:24:61:33 | expression : String | JakartaExpressionInjection.java:65:13:65:13 | e |
-| JakartaExpressionInjection.java:70:24:70:33 | expression : String | JakartaExpressionInjection.java:74:13:74:13 | e |
-| JakartaExpressionInjection.java:79:24:79:33 | expression : String | JakartaExpressionInjection.java:83:13:83:13 | e |
+| JakartaExpressionInjection.java:61:24:61:33 | expression : String | JakartaExpressionInjection.java:63:43:63:52 | expression |
+| JakartaExpressionInjection.java:68:24:68:33 | expression : String | JakartaExpressionInjection.java:72:13:72:13 | e |
+| JakartaExpressionInjection.java:77:24:77:33 | expression : String | JakartaExpressionInjection.java:81:13:81:13 | e |
+| JakartaExpressionInjection.java:86:24:86:33 | expression : String | JakartaExpressionInjection.java:90:13:90:13 | e |
 nodes
 | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | JakartaExpressionInjection.java:24:31:24:40 | expression : String | semmle.label | expression : String |
@@ -26,16 +28,19 @@ nodes
 | JakartaExpressionInjection.java:54:24:54:33 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:56:32:56:41 | expression | semmle.label | expression |
 | JakartaExpressionInjection.java:61:24:61:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:65:13:65:13 | e | semmle.label | e |
-| JakartaExpressionInjection.java:70:24:70:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:74:13:74:13 | e | semmle.label | e |
-| JakartaExpressionInjection.java:79:24:79:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:83:13:83:13 | e | semmle.label | e |
+| JakartaExpressionInjection.java:63:43:63:52 | expression | semmle.label | expression |
+| JakartaExpressionInjection.java:68:24:68:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:72:13:72:13 | e | semmle.label | e |
+| JakartaExpressionInjection.java:77:24:77:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:81:13:81:13 | e | semmle.label | e |
+| JakartaExpressionInjection.java:86:24:86:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:90:13:90:13 | e | semmle.label | e |
 #select
 | JakartaExpressionInjection.java:32:28:32:37 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:32:28:32:37 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
 | JakartaExpressionInjection.java:39:32:39:41 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:39:32:39:41 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
 | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
 | JakartaExpressionInjection.java:56:32:56:41 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:56:32:56:41 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:65:13:65:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:65:13:65:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:74:13:74:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:74:13:74:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:83:13:83:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:83:13:83:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:63:43:63:52 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:63:43:63:52 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:72:13:72:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:72:13:72:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:81:13:81:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:81:13:81:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:90:13:90:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:90:13:90:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java
index a9fb2d45d6f..2e1d1e55b02 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java
@@ -57,6 +57,13 @@ public class JakartaExpressionInjection {
         });
     }
 
+    private static void testWithELProcessorSetVariable() throws IOException {
+        testWithSocket(expression -> {
+            ELProcessor processor = new ELProcessor();
+            processor.setVariable("test", expression);
+        });
+    }
+
     private static void testWithJuelValueExpressionGetValue() throws IOException {
         testWithSocket(expression -> {
             ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
diff --git a/java/ql/test/stubs/java-ee-el/javax/el/ELProcessor.java b/java/ql/test/stubs/java-ee-el/javax/el/ELProcessor.java
index 3c523e685c5..95895fabc64 100644
--- a/java/ql/test/stubs/java-ee-el/javax/el/ELProcessor.java
+++ b/java/ql/test/stubs/java-ee-el/javax/el/ELProcessor.java
@@ -4,4 +4,5 @@ public class ELProcessor {
     public Object eval(String expression) { return null; }
     public Object getValue(String expression, Class<?> expectedType) { return null; }
     public void setValue(String expression, Object value) {}
+    public void setVariable(String var, String expression) {}
 }

From d73ba13b28b42b6e0c3d2ef6f1072ff52c00dc58 Mon Sep 17 00:00:00 2001
From: Dilan <dbhalla21@berkeley.edu>
Date: Thu, 8 Apr 2021 11:41:58 -0700
Subject: [PATCH 0234/1429] autoformat fix

---
 .../ql/src/experimental/Functions/NamingConventionsFunctions.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/experimental/Functions/NamingConventionsFunctions.ql b/python/ql/src/experimental/Functions/NamingConventionsFunctions.ql
index d2868af22c9..dcfe280c0bf 100644
--- a/python/ql/src/experimental/Functions/NamingConventionsFunctions.ql
+++ b/python/ql/src/experimental/Functions/NamingConventionsFunctions.ql
@@ -10,7 +10,7 @@
 import python
 
 predicate upper_case_function(Function func) {
-  exists(string first_char | 
+  exists(string first_char |
     first_char = func.getName().prefix(1) and
     not first_char = first_char.toLowerCase()
   )

From a6b486a448ca621a3567ef5c4bd87067702e79b4 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Thu, 8 Apr 2021 22:01:43 +0300
Subject: [PATCH 0235/1429] Update
 InsufficientControlFlowManagementWhenUsingBitOperations.ql

---
 ...ontrolFlowManagementWhenUsingBitOperations.ql | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
index c387fb923be..8a7a3fff1d0 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
@@ -19,7 +19,7 @@ import semmle.code.cpp.valuenumbering.GlobalValueNumbering
  * For example: `if(intA>0 & intA<10 & charBuf&myFunc(charBuf[intA]))`.
  * In this case, the function will be called in any case, and even the sequence of the call is not guaranteed.
  */
-class DangerousBitOperations extends Expr {
+class DangerousBitOperations extends BinaryBitwiseOperation {
   FunctionCall bfc;
 
   /**
@@ -28,16 +28,16 @@ class DangerousBitOperations extends Expr {
    * The use of shifts and bitwise operations on any element of an expression indicates a conscious use of the bitwise operator.
    */
   DangerousBitOperations() {
-    bfc = this.(BinaryBitwiseOperation).getRightOperand() and
+    bfc = this.getRightOperand() and
     not this.getParent*() instanceof Assignment and
     not this.getParent*() instanceof Initializer and
     not this.getParent*() instanceof ReturnStmt and
     not this.getParent*() instanceof EqualityOperation and
     not this.getParent*() instanceof UnaryLogicalOperation and
     not this.getParent*() instanceof BinaryLogicalOperation and
-    not this.(BinaryBitwiseOperation).getAChild*() instanceof BitwiseXorExpr and
-    not this.(BinaryBitwiseOperation).getAChild*() instanceof LShiftExpr and
-    not this.(BinaryBitwiseOperation).getAChild*() instanceof RShiftExpr
+    not this.getAChild*() instanceof BitwiseXorExpr and
+    not this.getAChild*() instanceof LShiftExpr and
+    not this.getAChild*() instanceof RShiftExpr
   }
 
   /** Holds when part of a bit expression is used in a logical operation. */
@@ -60,14 +60,14 @@ class DangerousBitOperations extends Expr {
 
   /** Holds when the bit expression contains both arguments and a function call. */
   predicate dangerousArgumentChecking() {
-    not this.(BinaryBitwiseOperation).getLeftOperand() instanceof Call and
-    globalValueNumber(this.(BinaryBitwiseOperation).getLeftOperand().getAChild*()) =
+    not this.getLeftOperand() instanceof Call and
+    globalValueNumber(this.getLeftOperand().getAChild*()) =
       globalValueNumber(bfc.getAnArgument())
   }
 
   /** Holds when function calls are present in the bit expression. */
   predicate functionCallsInBitsExpression() {
-    this.(BinaryBitwiseOperation).getLeftOperand().getAChild*() instanceof FunctionCall
+    this.getLeftOperand().getAChild*() instanceof FunctionCall
   }
 }
 

From 02eb447a359cba04c6d29b49957fbe095235d3e6 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Thu, 8 Apr 2021 22:04:08 +0300
Subject: [PATCH 0236/1429] Update
 InsufficientControlFlowManagementWhenUsingBitOperations.expected

---
 ...icientControlFlowManagementWhenUsingBitOperations.expected | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.expected
index 6aa02a61eaf..d11bbd446a6 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementWhenUsingBitOperations.expected
@@ -1,2 +1,2 @@
-| test.c:8:6:8:51 | ... & ... | this bit expression needs your attention |
-| test.c:10:6:10:30 | ... & ... | this bit expression needs your attention |
+| test.c:8:6:8:51 | ... & ... | This bitwise operation appears in a context where a Boolean operation is expected. |
+| test.c:10:6:10:30 | ... & ... | This bitwise operation appears in a context where a Boolean operation is expected. |

From 3d117243e4acd9c3fd48bc13807e5e22dbf4aebc Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Thu, 8 Apr 2021 22:05:31 +0300
Subject: [PATCH 0237/1429] Update test.c

---
 .../query-tests/Security/CWE/CWE-691/semmle/tests/test.c      | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c
index fc30f7a6e97..e2fccf58736 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c
@@ -5,9 +5,9 @@ void workFunction_0(char *s) {
   int intSize;
   char buf[80];
   if(intSize>0 && intSize<80 && memset(buf,0,intSize)) return; // GOOD
-  if(intSize>0 & intSize<80 & memset(buf,0,intSize)) return; // BAD
+  if(intSize>0 & intSize<80 & memset(buf,0,intSize)) return; // BAD [NOT DETECTED]
   if(intSize>0 && tmpFunction()) return;
-  if(intSize<0 & tmpFunction()) return; // BAD
+  if(intSize<0 & tmpFunction()) return; // BAD [NOT DETECTED]
 }
 void workFunction_1(char *s) {
   int intA,intB;

From 9b3ccade439293370532322017df0605449d7b62 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Thu, 8 Apr 2021 22:06:35 +0300
Subject: [PATCH 0238/1429] Update test.c

---
 .../query-tests/Security/CWE/CWE-691/semmle/tests/test.c    | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c
index fc30f7a6e97..1db60826b60 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c
@@ -12,14 +12,14 @@ void workFunction_0(char *s) {
 void workFunction_1(char *s) {
   int intA,intB;
 
-  if(intA + intB) return; // BAD
+  if(intA + intB) return; // BAD [NOT DETECTED]
   if(intA + intB>4) return; // GOOD
-  if(intA>0 && (intA + intB)) return; // BAD
+  if(intA>0 && (intA + intB)) return; // BAD [NOT DETECTED]
   while(intA>0)
   {
     if(intB - intA<10) break;
     intA--;
-  }while(intA>0); // BAD
+  }while(intA>0); // BAD [NOT DETECTED]
   while(intA>0)
   {
     if(intB - intA<10) break;

From 956311457db86b5aeb1f22ffd458df154c31c20f Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 8 Apr 2021 21:15:50 +0200
Subject: [PATCH 0239/1429] fixed bad SourceNode X SourceNode join in HTTP
 model

---
 javascript/ql/src/semmle/javascript/frameworks/Express.qll | 3 +--
 javascript/ql/src/semmle/javascript/frameworks/Fastify.qll | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Express.qll b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
index bd1249e9268..17bfed8afda 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Express.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
@@ -688,8 +688,7 @@ module Express {
     override RouteHandler getRouteHandler() { result = rh }
 
     override Expr getNameExpr() {
-      exists(DataFlow::PropWrite write |
-        getAHeaderSource().flowsTo(write.getBase()) and
+      exists(DataFlow::PropWrite write | getAHeaderSource().getAPropertyWrite() = write |
         result = write.getPropertyNameExpr()
       )
     }
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Fastify.qll b/javascript/ql/src/semmle/javascript/frameworks/Fastify.qll
index cca2ec8122b..3e96cea462c 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Fastify.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Fastify.qll
@@ -283,8 +283,7 @@ module Fastify {
     override RouteHandler getRouteHandler() { result = rh }
 
     override Expr getNameExpr() {
-      exists(DataFlow::PropWrite write |
-        this.getAHeaderSource().flowsTo(write.getBase()) and
+      exists(DataFlow::PropWrite write | getAHeaderSource().getAPropertyWrite() = write |
         result = write.getPropertyNameExpr()
       )
     }

From a1850ddad47a07e93e9c2f94b10db2827fc5d863 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 8 Apr 2021 22:55:48 +0200
Subject: [PATCH 0240/1429] Change LDAP config (qll) filename

---
 python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql    | 2 +-
 .../python/security/injection/{LDAPInjection.qll => LDAP.qll}   | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename python/ql/src/experimental/semmle/python/security/injection/{LDAPInjection.qll => LDAP.qll} (100%)

diff --git a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
index 945a7b94473..28748595c46 100644
--- a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
@@ -11,7 +11,7 @@
 
 // Determine precision above
 import python
-import experimental.semmle.python.security.injection.LDAPInjection
+import experimental.semmle.python.security.injection.LDAP
 import DataFlow::PathGraph
 
 from LDAPInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
diff --git a/python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/LDAP.qll
similarity index 100%
rename from python/ql/src/experimental/semmle/python/security/injection/LDAPInjection.qll
rename to python/ql/src/experimental/semmle/python/security/injection/LDAP.qll

From 8661cb071948d0311660ff720842f4e42d85d399 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 8 Apr 2021 22:56:12 +0200
Subject: [PATCH 0241/1429] Polish LDAP3Query

---
 .../ql/src/experimental/semmle/python/frameworks/Stdlib.qll | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index 24def6be277..76d4f326878 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -60,10 +60,6 @@ private module LDAP {
   }
 
   private module LDAP3 {
-    private class LDAP3QueryMethods extends string {
-      LDAP3QueryMethods() { this in ["search"] }
-    }
-
     private class LDAP3Query extends DataFlow::CallCfgNode, LDAPQuery::Range {
       DataFlow::Node ldapNode;
 
@@ -72,7 +68,7 @@ private module LDAP {
           this.getFunction() = searchMethod and
           API::moduleImport("ldap3").getMember("Connection").getACall() =
             searchMethod.getObject().getALocalSource() and
-          searchMethod.getAttributeName() instanceof LDAP3QueryMethods and
+          searchMethod.getAttributeName() = "search" and
           (
             ldapNode = this.getArg(0) or
             ldapNode = this.getArg(1)

From 7296879bc9f1b40a508d69e74c6f047c6395e009 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 8 Apr 2021 23:11:20 +0200
Subject: [PATCH 0242/1429] Polish tests

---
 .../Security/CWE-090/unit_tests/ldap3_bad.py  | 21 +++++-----
 .../Security/CWE-090/unit_tests/ldap3_good.py | 28 ++++++--------
 .../Security/CWE-090/unit_tests/ldap_bad.py   | 34 +++++++----------
 .../Security/CWE-090/unit_tests/ldap_good.py  | 38 +++++++------------
 4 files changed, 47 insertions(+), 74 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_bad.py b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_bad.py
index 76b7f309bd1..a5b4748c146 100644
--- a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_bad.py
+++ b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_bad.py
@@ -6,17 +6,10 @@ app = Flask(__name__)
 
 @app.route("/normal")
 def normal():
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    """
+    A RemoteFlowSource is used directly as DN and search filter
+    """
 
-    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True)
-    conn.search(unsafe_dn, unsafe_filter, attributes=[
-                "testAttr1", "testAttr2"])
-
-
-@app.route("/normal_noAttrs")
-def normal_noAttrs():
     unsafe_dn = "dc=%s" % request.args['dc']
     unsafe_filter = "(user=%s)" % request.args['username']
 
@@ -27,12 +20,16 @@ def normal_noAttrs():
 
 @app.route("/direct")
 def direct():
+    """
+    A RemoteFlowSource is used directly as DN and search filter using a oneline call to .search
+    """
+
     unsafe_dn = "dc=%s" % request.args['dc']
     unsafe_filter = "(user=%s)" % request.args['username']
 
     srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True).search(unsafe_dn, unsafe_filter, attributes=[
-        "testAttr1", "testAttr2"])
+    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True).search(
+        unsafe_dn, unsafe_filter)
 
 # if __name__ == "__main__":
 #     app.run(debug=True)
diff --git a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_good.py b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_good.py
index c3cc1272ea7..a4fbb718c5b 100644
--- a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_good.py
+++ b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_good.py
@@ -8,6 +8,10 @@ app = Flask(__name__)
 
 @app.route("/normal")
 def normal():
+    """
+    A RemoteFlowSource is sanitized and used as DN and search filter
+    """
+
     unsafe_dn = "dc=%s" % request.args['dc']
     unsafe_filter = "(user=%s)" % request.args['username']
 
@@ -15,26 +19,16 @@ def normal():
     safe_filter = escape_filter_chars(unsafe_filter)
 
     srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True)
-    conn.search(safe_dn, safe_filter, attributes=[
-                "testAttr1", "testAttr2"])
-
-
-@app.route("/normal_noAttrs")
-def normal_noAttrs():
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
-
-    safe_dn = escape_rdn(unsafe_dn)
-    safe_filter = escape_filter_chars(unsafe_filter)
-
-    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True)
+    conn = ldap3.Connection(srv, user=safe_dn, auto_bind=True)
     conn.search(safe_dn, safe_filter)
 
 
 @app.route("/direct")
 def direct():
+    """
+    A RemoteFlowSource is sanitized and used as DN and search filter using a oneline call to .search
+    """
+
     unsafe_dn = "dc=%s" % request.args['dc']
     unsafe_filter = "(user=%s)" % request.args['username']
 
@@ -42,8 +36,8 @@ def direct():
     safe_filter = escape_filter_chars(unsafe_filter)
 
     srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True).search(safe_dn, safe_filter, attributes=[
-        "testAttr1", "testAttr2"])
+    conn = ldap3.Connection(srv, user=safe_dn, auto_bind=True).search(
+        safe_dn, safe_filter)
 
 # if __name__ == "__main__":
 #     app.run(debug=True)
diff --git a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_bad.py b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_bad.py
index 011f3b82865..728a9179c7a 100644
--- a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_bad.py
+++ b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_bad.py
@@ -6,16 +6,10 @@ app = Flask(__name__)
 
 @app.route("/normal")
 def normal():
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    """
+    A RemoteFlowSource is used directly as DN and search filter
+    """
 
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
-    user = ldap_connection.search_s(
-        unsafe_dn, ldap.SCOPE_SUBTREE, unsafe_filter, ["testAttr1", "testAttr2"])
-
-
-@app.route("/normal_noAttrs")
-def normal_noAttrs():
     unsafe_dn = "dc=%s" % request.args['dc']
     unsafe_filter = "(user=%s)" % request.args['username']
 
@@ -26,30 +20,30 @@ def normal_noAttrs():
 
 @app.route("/direct")
 def direct():
+    """
+    A RemoteFlowSource is used directly as DN and search filter using a oneline call to .search_s
+    """
+
     unsafe_dn = "dc=%s" % request.args['dc']
     unsafe_filter = "(user=%s)" % request.args['username']
 
     user = ldap.initialize("ldap://127.0.0.1:1337").search_s(
-        unsafe_dn, ldap.SCOPE_SUBTREE, unsafe_filter, ["testAttr1", "testAttr2"])
+        unsafe_dn, ldap.SCOPE_SUBTREE, unsafe_filter)
 
 
 @app.route("/normal_argbyname")
 def normal_argbyname():
+    """
+    A RemoteFlowSource is used directly as DN and search filter, while the search filter is specified as
+    an argument by name
+    """
+
     unsafe_dn = "dc=%s" % request.args['dc']
     unsafe_filter = "(user=%s)" % request.args['username']
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
     user = ldap_connection.search_s(
-        unsafe_dn, ldap.SCOPE_SUBTREE, attrlist=["testAttr1", "testAttr2"], filterstr=unsafe_filter)
-
-
-@app.route("/direct_argbyname")
-def direct_argbyname():
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
-
-    user = ldap.initialize("ldap://127.0.0.1:1337").search_s(
-        unsafe_dn, ldap.SCOPE_SUBTREE, attrlist=["testAttr1", "testAttr2"], filterstr=unsafe_filter)
+        unsafe_dn, ldap.SCOPE_SUBTREE, filterstr=unsafe_filter)
 
 
 # if __name__ == "__main__":
diff --git a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_good.py b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_good.py
index eda3883da6d..b2c00cc04cb 100644
--- a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_good.py
+++ b/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_good.py
@@ -8,19 +8,10 @@ app = Flask(__name__)
 
 @app.route("/normal")
 def normal():
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    """
+    A RemoteFlowSource is sanitized and used as DN and search filter
+    """
 
-    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
-    safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
-
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
-    user = ldap_connection.search_s(
-        safe_dn, ldap.SCOPE_SUBTREE, safe_filter, ["testAttr1", "testAttr2"])
-
-
-@app.route("/normal_noAttrs")
-def normal_noAttrs():
     unsafe_dn = "dc=%s" % request.args['dc']
     unsafe_filter = "(user=%s)" % request.args['username']
 
@@ -34,6 +25,10 @@ def normal_noAttrs():
 
 @app.route("/direct")
 def direct():
+    """
+    A RemoteFlowSource is sanitized and used as DN and search filter using a oneline call to .search_s
+    """
+
     unsafe_dn = "dc=%s" % request.args['dc']
     unsafe_filter = "(user=%s)" % request.args['username']
 
@@ -46,6 +41,11 @@ def direct():
 
 @app.route("/normal_argbyname")
 def normal_argbyname():
+    """
+    A RemoteFlowSource is sanitized and used as DN and search filter, while the search filter is specified as
+    an argument by name
+    """
+
     unsafe_dn = "dc=%s" % request.args['dc']
     unsafe_filter = "(user=%s)" % request.args['username']
 
@@ -54,19 +54,7 @@ def normal_argbyname():
 
     ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
     user = ldap_connection.search_s(
-        safe_dn, ldap.SCOPE_SUBTREE, attrlist=["testAttr1", "testAttr2"], filterstr=safe_filter)
-
-
-@app.route("/direct_argbyname")
-def direct_argbyname():
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
-
-    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
-    safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
-
-    user = ldap.initialize("ldap://127.0.0.1:1337").search_s(
-        safe_dn, ldap.SCOPE_SUBTREE, attrlist=["testAttr1", "testAttr2"], filterstr=safe_filter)
+        safe_dn, ldap.SCOPE_SUBTREE, filterstr=safe_filter)
 
 
 # if __name__ == "__main__":

From 3c1ca7232469c71e96732e0fbbc4b8a825e3884a Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 8 Apr 2021 23:44:30 +0200
Subject: [PATCH 0243/1429] Improve qhelp

---
 .../Security/CWE-090/LDAPInjection.qhelp      | 66 ++++++++++++-------
 1 file changed, 44 insertions(+), 22 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp
index a570549abfc..0c6c4b9ca20 100644
--- a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp
+++ b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp
@@ -1,28 +1,50 @@
-<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
-
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
 <qhelp>
-  <overview>
-    <p>If an LDAP query is built by a not sanitized user-provided value, a user is likely to be able to run malicious LDAP queries.</p>
-  </overview>
+<overview>
+<p>If an LDAP query or DN is built using string concatenation or string formatting, and the
+components of the concatenation include user input without any proper sanitization, a user 
+is likely to be able to run malicious LDAP queries.</p>
+</overview>
 
-  <recommendation>
-    <p>In case user input must compose an LDAP query, it should be escaped in order to avoid a malicious user supplying special characters that change the actual purpose of the query. To do so, functions that ldap frameworks provide such as <code>escape_filter_chars</code> should be applied to that user input.
-  <recommendation>
+<recommendation>
+<p>If user input must be included in an LDAP query or DN, it should be escaped to
+avoid a malicious user providing special characters that change the meaning
+of the query. In Python2, user input should be escaped with <code>ldap.dn.escape_dn_chars</code> 
+or <code>ldap.filter.escape_filter_chars</code>, while in Python3, user input should be escaped with 
+<code>ldap3.utils.dn.escape_rdn</code> or <code>ldap3.utils.conv.escape_filter_chars</code>
+depending on the component tainted by the user. A good practice is to escape filter characters 
+that could change the meaning of the query (https://tools.ietf.org/search/rfc4515#section-3).</p>
+</recommendation>
 
+<example>
+<p>In the following examples, the code accepts both <code>username</code> and <code>dc</code> from the user, 
+which it then uses to build a LDAP query and DN.</p>
 
-  <references>
-    <li>
-      OWASP
-      <a href="https://owasp.org/www-community/attacks/LDAP_Injection">LDAP Injection</a>
-    </li>
-    <li>
-      SonarSource
-      <a href="https://rules.sonarsource.com/python/RSPEC-2078">RSPEC-2078</a>
-    </li>
-    <li>
-      Python
-      <a href="https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html">LDAP Documentation</a>
-    </li>
-  </references>
+<p>The first and the second example uses the unsanitized user input directly
+in the search filter and DN for the LDAP query.
+A malicious user could provide special characters to change the meaning of these
+components, and search for a completely different set of values.</p>
 
+<sample src="examples/example_bad1.js" />
+<sample src="examples/example_bad2.js" />
+
+<p>In the third and four example, the input provided by the user is sanitized before it is included in the search filter or DN. 
+This ensures the meaning of the query cannot be changed by a malicious user.</p>
+
+<sample src="examples/example_good1.js" />
+<sample src="examples/example_good2.js" />
+</example>
+
+<references>
+<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html">LDAP Injection Prevention Cheat Sheet</a>.</li>
+<li>OWASP: <a href="https://owasp.org/www-community/attacks/LDAP_Injection">LDAP Injection</a>.</li>
+<li>SonarSource: <a href="https://rules.sonarsource.com/python/RSPEC-2078">RSPEC-2078</a>.</li>
+<li>Python2: <a href="https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html">LDAP Documentation</a>.</li>
+<li>Python3: <a href="https://ldap3.readthedocs.io/en/latest/">LDAP Documentation</a>.</li>
+<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/LDAP_injection">LDAP injection</a>.</li>
+<li>BlackHat: <a href="https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf">LDAP Injection and Blind LDAP Injection</a>.</li>
+<li>LDAP: <a href="https://ldap.com/2018/05/04/understanding-and-defending-against-ldap-injection-attacks/">Understanding and Defending Against LDAP Injection Attacks</a>.</li>
+</references>
 </qhelp>
\ No newline at end of file

From 1554f4f48d04e89c78783f2ec54c4f878fff60fe Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 8 Apr 2021 23:44:46 +0200
Subject: [PATCH 0244/1429] Create qhelp examples

---
 .../Security/CWE-090/examples/example_bad1.py   | 12 ++++++++++++
 .../Security/CWE-090/examples/example_bad2.py   | 12 ++++++++++++
 .../Security/CWE-090/examples/example_good1.py  | 17 +++++++++++++++++
 .../Security/CWE-090/examples/example_good2.py  | 17 +++++++++++++++++
 4 files changed, 58 insertions(+)
 create mode 100644 python/ql/src/experimental/Security/CWE-090/examples/example_bad1.py
 create mode 100644 python/ql/src/experimental/Security/CWE-090/examples/example_bad2.py
 create mode 100644 python/ql/src/experimental/Security/CWE-090/examples/example_good1.py
 create mode 100644 python/ql/src/experimental/Security/CWE-090/examples/example_good2.py

diff --git a/python/ql/src/experimental/Security/CWE-090/examples/example_bad1.py b/python/ql/src/experimental/Security/CWE-090/examples/example_bad1.py
new file mode 100644
index 00000000000..4a1f86fd981
--- /dev/null
+++ b/python/ql/src/experimental/Security/CWE-090/examples/example_bad1.py
@@ -0,0 +1,12 @@
+from flask import request, Flask
+import ldap
+
+
+@app.route("/normal")
+def normal():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s(
+        unsafe_dn, ldap.SCOPE_SUBTREE, unsafe_filter)
diff --git a/python/ql/src/experimental/Security/CWE-090/examples/example_bad2.py b/python/ql/src/experimental/Security/CWE-090/examples/example_bad2.py
new file mode 100644
index 00000000000..87cb4a65b8b
--- /dev/null
+++ b/python/ql/src/experimental/Security/CWE-090/examples/example_bad2.py
@@ -0,0 +1,12 @@
+from flask import request, Flask
+import ldap3
+
+
+@app.route("/normal")
+def normal():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
+    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True)
+    conn.search(unsafe_dn, unsafe_filter)
diff --git a/python/ql/src/experimental/Security/CWE-090/examples/example_good1.py b/python/ql/src/experimental/Security/CWE-090/examples/example_good1.py
new file mode 100644
index 00000000000..ad9e9fe84f5
--- /dev/null
+++ b/python/ql/src/experimental/Security/CWE-090/examples/example_good1.py
@@ -0,0 +1,17 @@
+from flask import request, Flask
+import ldap
+import ldap.filter
+import ldap.dn
+
+
+@app.route("/normal")
+def normal():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
+    safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    user = ldap_connection.search_s(
+        safe_dn, ldap.SCOPE_SUBTREE, safe_filter)
diff --git a/python/ql/src/experimental/Security/CWE-090/examples/example_good2.py b/python/ql/src/experimental/Security/CWE-090/examples/example_good2.py
new file mode 100644
index 00000000000..c86db178040
--- /dev/null
+++ b/python/ql/src/experimental/Security/CWE-090/examples/example_good2.py
@@ -0,0 +1,17 @@
+from flask import request, Flask
+import ldap3
+from ldap3.utils.dn import escape_rdn
+from ldap3.utils.conv import escape_filter_chars
+
+
+@app.route("/normal")
+def normal():
+    unsafe_dn = "dc=%s" % request.args['dc']
+    unsafe_filter = "(user=%s)" % request.args['username']
+
+    safe_dn = escape_rdn(unsafe_dn)
+    safe_filter = escape_filter_chars(unsafe_filter)
+
+    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
+    conn = ldap3.Connection(srv, user=safe_dn, auto_bind=True)
+    conn.search(safe_dn, safe_filter)

From 95bfdc49558f3fdee343fd9b018e45922a24678f Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 8 Apr 2021 23:45:03 +0200
Subject: [PATCH 0245/1429] Move tests to /test

---
 .../experimental/query-tests/Security/CWE-090}/ldap3_bad.py       | 0
 .../experimental/query-tests/Security/CWE-090}/ldap3_good.py      | 0
 .../experimental/query-tests/Security/CWE-090}/ldap_bad.py        | 0
 .../experimental/query-tests/Security/CWE-090}/ldap_good.py       | 0
 4 files changed, 0 insertions(+), 0 deletions(-)
 rename python/ql/{src/experimental/Security/CWE-090/unit_tests => test/experimental/query-tests/Security/CWE-090}/ldap3_bad.py (100%)
 rename python/ql/{src/experimental/Security/CWE-090/unit_tests => test/experimental/query-tests/Security/CWE-090}/ldap3_good.py (100%)
 rename python/ql/{src/experimental/Security/CWE-090/unit_tests => test/experimental/query-tests/Security/CWE-090}/ldap_bad.py (100%)
 rename python/ql/{src/experimental/Security/CWE-090/unit_tests => test/experimental/query-tests/Security/CWE-090}/ldap_good.py (100%)

diff --git a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_bad.py b/python/ql/test/experimental/query-tests/Security/CWE-090/ldap3_bad.py
similarity index 100%
rename from python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_bad.py
rename to python/ql/test/experimental/query-tests/Security/CWE-090/ldap3_bad.py
diff --git a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_good.py b/python/ql/test/experimental/query-tests/Security/CWE-090/ldap3_good.py
similarity index 100%
rename from python/ql/src/experimental/Security/CWE-090/unit_tests/ldap3_good.py
rename to python/ql/test/experimental/query-tests/Security/CWE-090/ldap3_good.py
diff --git a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_bad.py b/python/ql/test/experimental/query-tests/Security/CWE-090/ldap_bad.py
similarity index 100%
rename from python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_bad.py
rename to python/ql/test/experimental/query-tests/Security/CWE-090/ldap_bad.py
diff --git a/python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_good.py b/python/ql/test/experimental/query-tests/Security/CWE-090/ldap_good.py
similarity index 100%
rename from python/ql/src/experimental/Security/CWE-090/unit_tests/ldap_good.py
rename to python/ql/test/experimental/query-tests/Security/CWE-090/ldap_good.py

From 4f85de87debf91ace22bdea6cffc4c5f9788c4c0 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 8 Apr 2021 23:45:12 +0200
Subject: [PATCH 0246/1429] Add qlref

---
 .../query-tests/Security/CWE-090/LDAPInjection.qlref             | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-090/LDAPInjection.qlref

diff --git a/python/ql/test/experimental/query-tests/Security/CWE-090/LDAPInjection.qlref b/python/ql/test/experimental/query-tests/Security/CWE-090/LDAPInjection.qlref
new file mode 100644
index 00000000000..98b37bfdcf6
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-090/LDAPInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-090/LDAPInjection.ql

From 7819d1a30b856d15c1ec3d7c051a0ec890d80b9f Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 8 Apr 2021 23:45:26 +0200
Subject: [PATCH 0247/1429] Generate .expected

---
 .../Security/CWE-090/LDAPInjection.expected   | 98 +++++++++++++++++++
 1 file changed, 98 insertions(+)
 create mode 100644 python/ql/test/experimental/query-tests/Security/CWE-090/LDAPInjection.expected

diff --git a/python/ql/test/experimental/query-tests/Security/CWE-090/LDAPInjection.expected b/python/ql/test/experimental/query-tests/Security/CWE-090/LDAPInjection.expected
new file mode 100644
index 00000000000..07f46fbecdc
--- /dev/null
+++ b/python/ql/test/experimental/query-tests/Security/CWE-090/LDAPInjection.expected
@@ -0,0 +1,98 @@
+edges
+| ldap3_bad.py:13:27:13:33 | ControlFlowNode for request | ldap3_bad.py:13:27:13:38 | ControlFlowNode for Attribute |
+| ldap3_bad.py:13:27:13:33 | ControlFlowNode for request | ldap3_bad.py:14:35:14:41 | ControlFlowNode for request |
+| ldap3_bad.py:13:27:13:33 | ControlFlowNode for request | ldap3_bad.py:14:35:14:46 | ControlFlowNode for Attribute |
+| ldap3_bad.py:13:27:13:38 | ControlFlowNode for Attribute | ldap3_bad.py:13:27:13:44 | ControlFlowNode for Subscript |
+| ldap3_bad.py:13:27:13:44 | ControlFlowNode for Subscript | ldap3_bad.py:18:17:18:25 | ControlFlowNode for unsafe_dn |
+| ldap3_bad.py:14:35:14:41 | ControlFlowNode for request | ldap3_bad.py:14:35:14:46 | ControlFlowNode for Attribute |
+| ldap3_bad.py:14:35:14:46 | ControlFlowNode for Attribute | ldap3_bad.py:14:35:14:58 | ControlFlowNode for Subscript |
+| ldap3_bad.py:14:35:14:58 | ControlFlowNode for Subscript | ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter |
+| ldap3_bad.py:27:27:27:33 | ControlFlowNode for request | ldap3_bad.py:27:27:27:38 | ControlFlowNode for Attribute |
+| ldap3_bad.py:27:27:27:33 | ControlFlowNode for request | ldap3_bad.py:28:35:28:41 | ControlFlowNode for request |
+| ldap3_bad.py:27:27:27:33 | ControlFlowNode for request | ldap3_bad.py:28:35:28:46 | ControlFlowNode for Attribute |
+| ldap3_bad.py:27:27:27:38 | ControlFlowNode for Attribute | ldap3_bad.py:27:27:27:44 | ControlFlowNode for Subscript |
+| ldap3_bad.py:27:27:27:44 | ControlFlowNode for Subscript | ldap3_bad.py:32:9:32:17 | ControlFlowNode for unsafe_dn |
+| ldap3_bad.py:28:35:28:41 | ControlFlowNode for request | ldap3_bad.py:28:35:28:46 | ControlFlowNode for Attribute |
+| ldap3_bad.py:28:35:28:46 | ControlFlowNode for Attribute | ldap3_bad.py:28:35:28:58 | ControlFlowNode for Subscript |
+| ldap3_bad.py:28:35:28:58 | ControlFlowNode for Subscript | ldap3_bad.py:32:20:32:32 | ControlFlowNode for unsafe_filter |
+| ldap_bad.py:13:27:13:33 | ControlFlowNode for request | ldap_bad.py:13:27:13:38 | ControlFlowNode for Attribute |
+| ldap_bad.py:13:27:13:33 | ControlFlowNode for request | ldap_bad.py:14:35:14:41 | ControlFlowNode for request |
+| ldap_bad.py:13:27:13:33 | ControlFlowNode for request | ldap_bad.py:14:35:14:46 | ControlFlowNode for Attribute |
+| ldap_bad.py:13:27:13:38 | ControlFlowNode for Attribute | ldap_bad.py:13:27:13:44 | ControlFlowNode for Subscript |
+| ldap_bad.py:13:27:13:44 | ControlFlowNode for Subscript | ldap_bad.py:18:9:18:17 | ControlFlowNode for unsafe_dn |
+| ldap_bad.py:14:35:14:41 | ControlFlowNode for request | ldap_bad.py:14:35:14:46 | ControlFlowNode for Attribute |
+| ldap_bad.py:14:35:14:46 | ControlFlowNode for Attribute | ldap_bad.py:14:35:14:58 | ControlFlowNode for Subscript |
+| ldap_bad.py:14:35:14:58 | ControlFlowNode for Subscript | ldap_bad.py:18:40:18:52 | ControlFlowNode for unsafe_filter |
+| ldap_bad.py:27:27:27:33 | ControlFlowNode for request | ldap_bad.py:27:27:27:38 | ControlFlowNode for Attribute |
+| ldap_bad.py:27:27:27:33 | ControlFlowNode for request | ldap_bad.py:28:35:28:41 | ControlFlowNode for request |
+| ldap_bad.py:27:27:27:33 | ControlFlowNode for request | ldap_bad.py:28:35:28:46 | ControlFlowNode for Attribute |
+| ldap_bad.py:27:27:27:38 | ControlFlowNode for Attribute | ldap_bad.py:27:27:27:44 | ControlFlowNode for Subscript |
+| ldap_bad.py:27:27:27:44 | ControlFlowNode for Subscript | ldap_bad.py:31:9:31:17 | ControlFlowNode for unsafe_dn |
+| ldap_bad.py:28:35:28:41 | ControlFlowNode for request | ldap_bad.py:28:35:28:46 | ControlFlowNode for Attribute |
+| ldap_bad.py:28:35:28:46 | ControlFlowNode for Attribute | ldap_bad.py:28:35:28:58 | ControlFlowNode for Subscript |
+| ldap_bad.py:28:35:28:58 | ControlFlowNode for Subscript | ldap_bad.py:31:40:31:52 | ControlFlowNode for unsafe_filter |
+| ldap_bad.py:41:27:41:33 | ControlFlowNode for request | ldap_bad.py:41:27:41:38 | ControlFlowNode for Attribute |
+| ldap_bad.py:41:27:41:33 | ControlFlowNode for request | ldap_bad.py:42:35:42:41 | ControlFlowNode for request |
+| ldap_bad.py:41:27:41:33 | ControlFlowNode for request | ldap_bad.py:42:35:42:46 | ControlFlowNode for Attribute |
+| ldap_bad.py:41:27:41:38 | ControlFlowNode for Attribute | ldap_bad.py:41:27:41:44 | ControlFlowNode for Subscript |
+| ldap_bad.py:41:27:41:44 | ControlFlowNode for Subscript | ldap_bad.py:46:9:46:17 | ControlFlowNode for unsafe_dn |
+| ldap_bad.py:42:35:42:41 | ControlFlowNode for request | ldap_bad.py:42:35:42:46 | ControlFlowNode for Attribute |
+| ldap_bad.py:42:35:42:46 | ControlFlowNode for Attribute | ldap_bad.py:42:35:42:58 | ControlFlowNode for Subscript |
+| ldap_bad.py:42:35:42:58 | ControlFlowNode for Subscript | ldap_bad.py:46:50:46:62 | ControlFlowNode for unsafe_filter |
+nodes
+| ldap3_bad.py:13:27:13:33 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap3_bad.py:13:27:13:38 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap3_bad.py:13:27:13:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap3_bad.py:14:35:14:41 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap3_bad.py:14:35:14:46 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap3_bad.py:14:35:14:58 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap3_bad.py:18:17:18:25 | ControlFlowNode for unsafe_dn | semmle.label | ControlFlowNode for unsafe_dn |
+| ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | semmle.label | ControlFlowNode for unsafe_filter |
+| ldap3_bad.py:27:27:27:33 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap3_bad.py:27:27:27:38 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap3_bad.py:27:27:27:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap3_bad.py:28:35:28:41 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap3_bad.py:28:35:28:46 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap3_bad.py:28:35:28:58 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap3_bad.py:32:9:32:17 | ControlFlowNode for unsafe_dn | semmle.label | ControlFlowNode for unsafe_dn |
+| ldap3_bad.py:32:20:32:32 | ControlFlowNode for unsafe_filter | semmle.label | ControlFlowNode for unsafe_filter |
+| ldap_bad.py:13:27:13:33 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap_bad.py:13:27:13:38 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap_bad.py:13:27:13:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap_bad.py:14:35:14:41 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap_bad.py:14:35:14:46 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap_bad.py:14:35:14:58 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap_bad.py:18:9:18:17 | ControlFlowNode for unsafe_dn | semmle.label | ControlFlowNode for unsafe_dn |
+| ldap_bad.py:18:40:18:52 | ControlFlowNode for unsafe_filter | semmle.label | ControlFlowNode for unsafe_filter |
+| ldap_bad.py:27:27:27:33 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap_bad.py:27:27:27:38 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap_bad.py:27:27:27:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap_bad.py:28:35:28:41 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap_bad.py:28:35:28:46 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap_bad.py:28:35:28:58 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap_bad.py:31:9:31:17 | ControlFlowNode for unsafe_dn | semmle.label | ControlFlowNode for unsafe_dn |
+| ldap_bad.py:31:40:31:52 | ControlFlowNode for unsafe_filter | semmle.label | ControlFlowNode for unsafe_filter |
+| ldap_bad.py:41:27:41:33 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap_bad.py:41:27:41:38 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap_bad.py:41:27:41:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap_bad.py:42:35:42:41 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap_bad.py:42:35:42:46 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap_bad.py:42:35:42:58 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap_bad.py:46:9:46:17 | ControlFlowNode for unsafe_dn | semmle.label | ControlFlowNode for unsafe_dn |
+| ldap_bad.py:46:50:46:62 | ControlFlowNode for unsafe_filter | semmle.label | ControlFlowNode for unsafe_filter |
+#select
+| ldap3_bad.py:18:17:18:25 | ControlFlowNode for unsafe_dn | ldap3_bad.py:13:27:13:33 | ControlFlowNode for request | ldap3_bad.py:18:17:18:25 | ControlFlowNode for unsafe_dn | $@ LDAP query parameter comes from $@. | ldap3_bad.py:18:17:18:25 | ControlFlowNode for unsafe_dn | This | ldap3_bad.py:13:27:13:33 | ControlFlowNode for request | a user-provided value |
+| ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | ldap3_bad.py:13:27:13:33 | ControlFlowNode for request | ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | This | ldap3_bad.py:13:27:13:33 | ControlFlowNode for request | a user-provided value |
+| ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | ldap3_bad.py:14:35:14:41 | ControlFlowNode for request | ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | This | ldap3_bad.py:14:35:14:41 | ControlFlowNode for request | a user-provided value |
+| ldap3_bad.py:32:9:32:17 | ControlFlowNode for unsafe_dn | ldap3_bad.py:27:27:27:33 | ControlFlowNode for request | ldap3_bad.py:32:9:32:17 | ControlFlowNode for unsafe_dn | $@ LDAP query parameter comes from $@. | ldap3_bad.py:32:9:32:17 | ControlFlowNode for unsafe_dn | This | ldap3_bad.py:27:27:27:33 | ControlFlowNode for request | a user-provided value |
+| ldap3_bad.py:32:20:32:32 | ControlFlowNode for unsafe_filter | ldap3_bad.py:27:27:27:33 | ControlFlowNode for request | ldap3_bad.py:32:20:32:32 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap3_bad.py:32:20:32:32 | ControlFlowNode for unsafe_filter | This | ldap3_bad.py:27:27:27:33 | ControlFlowNode for request | a user-provided value |
+| ldap3_bad.py:32:20:32:32 | ControlFlowNode for unsafe_filter | ldap3_bad.py:28:35:28:41 | ControlFlowNode for request | ldap3_bad.py:32:20:32:32 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap3_bad.py:32:20:32:32 | ControlFlowNode for unsafe_filter | This | ldap3_bad.py:28:35:28:41 | ControlFlowNode for request | a user-provided value |
+| ldap_bad.py:18:9:18:17 | ControlFlowNode for unsafe_dn | ldap_bad.py:13:27:13:33 | ControlFlowNode for request | ldap_bad.py:18:9:18:17 | ControlFlowNode for unsafe_dn | $@ LDAP query parameter comes from $@. | ldap_bad.py:18:9:18:17 | ControlFlowNode for unsafe_dn | This | ldap_bad.py:13:27:13:33 | ControlFlowNode for request | a user-provided value |
+| ldap_bad.py:18:40:18:52 | ControlFlowNode for unsafe_filter | ldap_bad.py:13:27:13:33 | ControlFlowNode for request | ldap_bad.py:18:40:18:52 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap_bad.py:18:40:18:52 | ControlFlowNode for unsafe_filter | This | ldap_bad.py:13:27:13:33 | ControlFlowNode for request | a user-provided value |
+| ldap_bad.py:18:40:18:52 | ControlFlowNode for unsafe_filter | ldap_bad.py:14:35:14:41 | ControlFlowNode for request | ldap_bad.py:18:40:18:52 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap_bad.py:18:40:18:52 | ControlFlowNode for unsafe_filter | This | ldap_bad.py:14:35:14:41 | ControlFlowNode for request | a user-provided value |
+| ldap_bad.py:31:9:31:17 | ControlFlowNode for unsafe_dn | ldap_bad.py:27:27:27:33 | ControlFlowNode for request | ldap_bad.py:31:9:31:17 | ControlFlowNode for unsafe_dn | $@ LDAP query parameter comes from $@. | ldap_bad.py:31:9:31:17 | ControlFlowNode for unsafe_dn | This | ldap_bad.py:27:27:27:33 | ControlFlowNode for request | a user-provided value |
+| ldap_bad.py:31:40:31:52 | ControlFlowNode for unsafe_filter | ldap_bad.py:27:27:27:33 | ControlFlowNode for request | ldap_bad.py:31:40:31:52 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap_bad.py:31:40:31:52 | ControlFlowNode for unsafe_filter | This | ldap_bad.py:27:27:27:33 | ControlFlowNode for request | a user-provided value |
+| ldap_bad.py:31:40:31:52 | ControlFlowNode for unsafe_filter | ldap_bad.py:28:35:28:41 | ControlFlowNode for request | ldap_bad.py:31:40:31:52 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap_bad.py:31:40:31:52 | ControlFlowNode for unsafe_filter | This | ldap_bad.py:28:35:28:41 | ControlFlowNode for request | a user-provided value |
+| ldap_bad.py:46:9:46:17 | ControlFlowNode for unsafe_dn | ldap_bad.py:41:27:41:33 | ControlFlowNode for request | ldap_bad.py:46:9:46:17 | ControlFlowNode for unsafe_dn | $@ LDAP query parameter comes from $@. | ldap_bad.py:46:9:46:17 | ControlFlowNode for unsafe_dn | This | ldap_bad.py:41:27:41:33 | ControlFlowNode for request | a user-provided value |
+| ldap_bad.py:46:50:46:62 | ControlFlowNode for unsafe_filter | ldap_bad.py:41:27:41:33 | ControlFlowNode for request | ldap_bad.py:46:50:46:62 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap_bad.py:46:50:46:62 | ControlFlowNode for unsafe_filter | This | ldap_bad.py:41:27:41:33 | ControlFlowNode for request | a user-provided value |
+| ldap_bad.py:46:50:46:62 | ControlFlowNode for unsafe_filter | ldap_bad.py:42:35:42:41 | ControlFlowNode for request | ldap_bad.py:46:50:46:62 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap_bad.py:46:50:46:62 | ControlFlowNode for unsafe_filter | This | ldap_bad.py:42:35:42:41 | ControlFlowNode for request | a user-provided value |

From b405c675c2bb7a62faac778b968b827ef9b8b9f7 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 8 Apr 2021 23:49:33 +0200
Subject: [PATCH 0248/1429] Add qhelp last newline

---
 python/ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp
index 0c6c4b9ca20..e3b47f23b0f 100644
--- a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp
+++ b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp
@@ -47,4 +47,4 @@ This ensures the meaning of the query cannot be changed by a malicious user.</p>
 <li>BlackHat: <a href="https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf">LDAP Injection and Blind LDAP Injection</a>.</li>
 <li>LDAP: <a href="https://ldap.com/2018/05/04/understanding-and-defending-against-ldap-injection-attacks/">Understanding and Defending Against LDAP Injection Attacks</a>.</li>
 </references>
-</qhelp>
\ No newline at end of file
+</qhelp>

From 82f47f85715f8d92839b820ccb5bd4b8cc48b41c Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 8 Apr 2021 23:55:34 +0200
Subject: [PATCH 0249/1429] Polish metadata

---
 .../ql/src/experimental/Security/CWE-090/LDAPInjection.ql  | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
index 28748595c46..50c89248318 100644
--- a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.ql
@@ -1,9 +1,10 @@
 /**
- * @name Python LDAP Injection
- * @description Python LDAP Injection through search filter
+ * @name LDAP query built from user-controlled sources
+ * @description Building an LDAP query from user-controlled sources is vulnerable to insertion of
+ *              malicious LDAP code by the user.
  * @kind path-problem
  * @problem.severity error
- * @id python/ldap-injection
+ * @id py/ldap-injection
  * @tags experimental	
  *       security	
  *       external/cwe/cwe-090

From e5bce548de872e4257ab1ff4896d10c6836f21c3 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 8 Apr 2021 21:37:32 +0200
Subject: [PATCH 0250/1429] add nomagic on mayHaveStringValue

---
 javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll | 1 +
 1 file changed, 1 insertion(+)

diff --git a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
index 8835b14af05..aafbc4c81a9 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -96,6 +96,7 @@ module DataFlow {
     predicate accessesGlobal(string g) { globalVarRef(g).flowsTo(this) }
 
     /** Holds if this node may evaluate to the string `s`, possibly through local data flow. */
+    pragma[nomagic]
     predicate mayHaveStringValue(string s) {
       getAPredecessor().mayHaveStringValue(s)
       or

From cd75433e3945fd6ffa4166d4c09108b489e37587 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Fri, 9 Apr 2021 00:52:50 +0200
Subject: [PATCH 0251/1429] Fix qhelp examples extension

---
 .../src/experimental/Security/CWE-090/LDAPInjection.qhelp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp
index e3b47f23b0f..bda9b75da99 100644
--- a/python/ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp
+++ b/python/ql/src/experimental/Security/CWE-090/LDAPInjection.qhelp
@@ -27,14 +27,14 @@ in the search filter and DN for the LDAP query.
 A malicious user could provide special characters to change the meaning of these
 components, and search for a completely different set of values.</p>
 
-<sample src="examples/example_bad1.js" />
-<sample src="examples/example_bad2.js" />
+<sample src="examples/example_bad1.py" />
+<sample src="examples/example_bad2.py" />
 
 <p>In the third and four example, the input provided by the user is sanitized before it is included in the search filter or DN. 
 This ensures the meaning of the query cannot be changed by a malicious user.</p>
 
-<sample src="examples/example_good1.js" />
-<sample src="examples/example_good2.js" />
+<sample src="examples/example_good1.py" />
+<sample src="examples/example_good2.py" />
 </example>
 
 <references>

From 7f01586bf130494ea9eeb65d05d8ae9c58b63737 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Fri, 9 Apr 2021 01:15:46 +0200
Subject: [PATCH 0252/1429] fix bad join order in `getDocumentedParameter`

---
 javascript/ql/src/semmle/javascript/JSDoc.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/JSDoc.qll b/javascript/ql/src/semmle/javascript/JSDoc.qll
index bee65bc9ab3..e7fb681da2a 100644
--- a/javascript/ql/src/semmle/javascript/JSDoc.qll
+++ b/javascript/ql/src/semmle/javascript/JSDoc.qll
@@ -144,7 +144,7 @@ class JSDocParamTag extends JSDocTag {
   /** Gets the parameter this tag refers to, if it can be determined. */
   Variable getDocumentedParameter() {
     exists(Parameterized parm | parm.getDocumentation() = getParent() |
-      result = parm.getParameterVariable(getName())
+      result = pragma[only_bind_out](parm).getParameterVariable(getName())
     )
   }
 }

From a2e8d88a07df14cf22bbca4e3039b54107f8983a Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Fri, 9 Apr 2021 01:47:44 +0200
Subject: [PATCH 0253/1429] Write documentation

---
 .../experimental/semmle/python/Concepts.qll   | 32 +++++++++++++
 .../semmle/python/frameworks/Stdlib.qll       | 46 +++++++++++++++++++
 .../semmle/python/security/injection/LDAP.qll |  2 +-
 3 files changed, 79 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index 9022f9c3818..9d0dddc3f14 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -14,12 +14,28 @@ private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
 private import experimental.semmle.python.Frameworks
 
+/** Provides classes for modeling LDAP-related APIs. */
 module LDAPQuery {
+  /**
+   * A data-flow node that collects methods executing a LDAP query.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `LDAPQuery` instead.
+   */
   abstract class Range extends DataFlow::Node {
+    /**
+     * Gets the argument containing the executed expression.
+     */
     abstract DataFlow::Node getLDAPNode();
   }
 }
 
+/**
+ * A data-flow node that collect methods executing a LDAP query.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `LDAPQuery::Range` instead.
+ */
 class LDAPQuery extends DataFlow::Node {
   LDAPQuery::Range range;
 
@@ -28,12 +44,28 @@ class LDAPQuery extends DataFlow::Node {
   DataFlow::Node getLDAPNode() { result = range.getLDAPNode() }
 }
 
+/** Provides classes for modeling LDAP components escape-related APIs. */
 module LDAPEscape {
+  /**
+   * A data-flow node that collects functions escaping LDAP components.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `LDAPEscape` instead.
+   */
   abstract class Range extends DataFlow::Node {
+    /**
+     * Gets the argument containing the escaped expression.
+     */
     abstract DataFlow::Node getEscapeNode();
   }
 }
 
+/**
+ * A data-flow node that collects functions escaping LDAP components.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `RegexEscape::Range` instead.
+ */
 class LDAPEscape extends DataFlow::Node {
   LDAPEscape::Range range;
 
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index 76d4f326878..2bbca55f820 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -10,14 +10,32 @@ private import semmle.python.dataflow.new.RemoteFlowSources
 private import experimental.semmle.python.Concepts
 private import semmle.python.ApiGraphs
 
+/**
+ * Provides models for Python's ldap-related libraries.
+ */
 private module LDAP {
+  /**
+   * Provides models for Python's `ldap` library.
+   *
+   * See https://www.python-ldap.org/en/python-ldap-3.3.0/index.html
+   */
   private module LDAP2 {
+    /**
+     * List of `ldap` methods used to execute a query.
+     *
+     * See https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#functions
+     */
     private class LDAP2QueryMethods extends string {
       LDAP2QueryMethods() {
         this in ["search", "search_s", "search_st", "search_ext", "search_ext_s"]
       }
     }
 
+    /**
+     * A class to find `ldap` methods executing a query.
+     *
+     * See `LDAP2QueryMethods`
+     */
     private class LDAP2Query extends DataFlow::CallCfgNode, LDAPQuery::Range {
       DataFlow::Node ldapNode;
 
@@ -41,6 +59,11 @@ private module LDAP {
       override DataFlow::Node getLDAPNode() { result = ldapNode }
     }
 
+    /**
+     * A class to find calls to `ldap.dn.escape_dn_chars`.
+     *
+     * See https://github.com/python-ldap/python-ldap/blob/7ce471e238cdd9a4dd8d17baccd1c9e05e6f894a/Lib/ldap/dn.py#L17
+     */
     private class LDAP2EscapeDNCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
       LDAP2EscapeDNCall() {
         this = API::moduleImport("ldap").getMember("dn").getMember("escape_dn_chars").getACall()
@@ -49,6 +72,11 @@ private module LDAP {
       override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
     }
 
+    /**
+     * A class to find calls to `ldap.filter.escape_filter_chars`.
+     *
+     * See https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap-filter.html#ldap.filter.escape_filter_chars
+     */
     private class LDAP2EscapeFilterCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
       LDAP2EscapeFilterCall() {
         this =
@@ -59,7 +87,15 @@ private module LDAP {
     }
   }
 
+  /**
+   * Provides models for Python's `ldap3` library.
+   *
+   * See https://pypi.org/project/ldap3/
+   */
   private module LDAP3 {
+    /**
+     * A class to find `ldap3` methods executing a query.
+     */
     private class LDAP3Query extends DataFlow::CallCfgNode, LDAPQuery::Range {
       DataFlow::Node ldapNode;
 
@@ -79,6 +115,11 @@ private module LDAP {
       override DataFlow::Node getLDAPNode() { result = ldapNode }
     }
 
+    /**
+     * A class to find calls to `ldap3.utils.dn.escape_rdn`.
+     *
+     * See https://github.com/cannatag/ldap3/blob/4d33166f0869b929f59c6e6825a1b9505eb99967/ldap3/utils/dn.py#L390
+     */
     private class LDAP3EscapeDNCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
       LDAP3EscapeDNCall() {
         this =
@@ -92,6 +133,11 @@ private module LDAP {
       override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
     }
 
+    /**
+     * A class to find calls to `ldap3.utils.conv.escape_filter_chars`.
+     *
+     * See https://github.com/cannatag/ldap3/blob/4d33166f0869b929f59c6e6825a1b9505eb99967/ldap3/utils/conv.py#L91
+     */
     private class LDAP3EscapeFilterCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
       LDAP3EscapeFilterCall() {
         this =
diff --git a/python/ql/src/experimental/semmle/python/security/injection/LDAP.qll b/python/ql/src/experimental/semmle/python/security/injection/LDAP.qll
index febebe0a8fd..9f91f91b321 100644
--- a/python/ql/src/experimental/semmle/python/security/injection/LDAP.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/LDAP.qll
@@ -9,7 +9,7 @@ import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
 
 /**
- * A taint-tracking configuration for detecting regular expression injections.
+ * A taint-tracking configuration for detecting LDAP injections.
  */
 class LDAPInjectionFlowConfig extends TaintTracking::Configuration {
   LDAPInjectionFlowConfig() { this = "LDAPInjectionFlowConfig" }

From b020ea6e3aef0c0716cb931d9e22bd4f48c5bd18 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Fri, 9 Apr 2021 01:50:23 +0200
Subject: [PATCH 0254/1429] Polish documentation

---
 python/ql/src/experimental/semmle/python/Concepts.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index 9d0dddc3f14..89a82fff87c 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -14,7 +14,7 @@ private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
 private import experimental.semmle.python.Frameworks
 
-/** Provides classes for modeling LDAP-related APIs. */
+/** Provides classes for modeling LDAP query execution-related APIs. */
 module LDAPQuery {
   /**
    * A data-flow node that collects methods executing a LDAP query.

From 1c34230efbab719f332e1feb35ef7460edc3ae39 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Fri, 9 Apr 2021 01:58:18 +0200
Subject: [PATCH 0255/1429] Fix documentation typo

---
 python/ql/src/experimental/semmle/python/Concepts.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index 89a82fff87c..cb90a465a54 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -64,7 +64,7 @@ module LDAPEscape {
  * A data-flow node that collects functions escaping LDAP components.
  *
  * Extend this class to refine existing API models. If you want to model new APIs,
- * extend `RegexEscape::Range` instead.
+ * extend `LDAPEscape::Range` instead.
  */
 class LDAPEscape extends DataFlow::Node {
   LDAPEscape::Range range;

From 11304b2ae15fed18f1452bd1e01720351d84e1a4 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Fri, 9 Apr 2021 02:21:59 +0000
Subject: [PATCH 0256/1429] Update qldoc and change the wrapper method
 implementation

---
 .../CWE-1004/SensitiveCookieNotHttpOnly.ql    | 42 +++++++++----------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
index f1bc7879b8a..d566bd53945 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -1,6 +1,8 @@
 /**
  * @name Sensitive cookies without the HttpOnly response header set
- * @description Sensitive cookies without 'HttpOnly' leaves session cookies vulnerable to an XSS attack.
+ * @description Sensitive cookies without the 'HttpOnly' flag set leaves session cookies vulnerable to
+ *              an XSS attack. This query checks whether 'HttpOnly' is not set in a Java Cookie object
+ *              or the 'Set-Cookie' HTTP header.
  * @kind path-problem
  * @id java/sensitive-cookie-not-httponly
  * @tags security
@@ -25,14 +27,14 @@ string getCsrfCookieNameRegex() { result = "(?i).*(csrf).*" }
  * they are special cookies implementing the Synchronizer Token Pattern that can be used in JavaScript.
  */
 predicate isSensitiveCookieNameExpr(Expr expr) {
-  exists(string s | s = expr.(CompileTimeConstantExpr).getStringValue().toLowerCase() |
+  exists(string s | s = expr.(CompileTimeConstantExpr).getStringValue() |
     s.regexpMatch(getSensitiveCookieNameRegex()) and not s.regexpMatch(getCsrfCookieNameRegex())
   )
   or
   isSensitiveCookieNameExpr(expr.(AddExpr).getAnOperand())
 }
 
-/** The method call `Set-Cookie` of `addHeader` or `setHeader`. */
+/** A method call that sets a `Set-Cookie` header. */
 class SetCookieMethodAccess extends MethodAccess {
   SetCookieMethodAccess() {
     (
@@ -59,7 +61,7 @@ class MatchesHttpOnlyConfiguration extends TaintTracking2::Configuration {
   }
 }
 
-/** The cookie class of Java EE. */
+/** A class descended from `javax.servlet.http.Cookie` or `javax/jakarta.ws.rs.core.Cookie`. */
 class CookieClass extends RefType {
   CookieClass() {
     this.getASupertype*()
@@ -67,25 +69,23 @@ class CookieClass extends RefType {
   }
 }
 
-/** Holds if the `Expr` expr is evaluated to boolean true. */
-predicate isBooleanTrue(Expr expr) {
+/** Holds if the `expr` is `true` or a variable that is ever assigned `true`. */
+predicate mayBeBooleanTrue(Expr expr) {
   expr.(CompileTimeConstantExpr).getBooleanValue() = true or
   expr.(VarAccess).getVariable().getAnAssignedValue().(CompileTimeConstantExpr).getBooleanValue() =
     true
 }
 
 /** Holds if the method call sets the `HttpOnly` flag. */
-predicate setHttpOnlyInCookie(MethodAccess ma) {
+predicate setsCookieHttpOnly(MethodAccess ma) {
   ma.getMethod().getName() = "setHttpOnly" and
   (
-    isBooleanTrue(ma.getArgument(0)) // boolean literal true
+    ma.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = true
     or
-    exists(
-      MethodAccess mpa, int i // runtime assignment of boolean value true
-    |
-      TaintTracking::localTaint(DataFlow::parameterNode(mpa.getMethod().getParameter(i)),
-        DataFlow::exprNode(ma.getArgument(0))) and
-      isBooleanTrue(mpa.getArgument(i))
+    // any use of setHttpOnly(x) where x isn't false is probably safe
+    not exists(VarAccess va |
+      ma.getArgument(0).(VarAccess).getVariable().getAnAccess() = va and
+      va.getVariable().getAnAssignedValue().(CompileTimeConstantExpr).getBooleanValue() = false
     )
   )
 }
@@ -99,7 +99,7 @@ class SetHttpOnlyInCookieConfiguration extends TaintTracking2::Configuration {
 
   override predicate isSource(DataFlow::Node source) {
     source.asExpr() =
-      any(MethodAccess ma | setHttpOnlyInCookie(ma) or removeCookie(ma)).getQualifier()
+      any(MethodAccess ma | setsCookieHttpOnly(ma) or removeCookie(ma)).getQualifier()
   }
 
   override predicate isSink(DataFlow::Node sink) {
@@ -108,18 +108,18 @@ class SetHttpOnlyInCookieConfiguration extends TaintTracking2::Configuration {
   }
 }
 
-/** Holds if the method call removes a cookie. */
+/** Holds if `ma` removes a cookie. */
 predicate removeCookie(MethodAccess ma) {
   ma.getMethod().getName() = "setMaxAge" and
   ma.getArgument(0).(IntegerLiteral).getIntValue() = 0
 }
 
-/** Sensitive cookie name used in a `Cookie` constructor or a `Set-Cookie` call. */
+/** A sensitive cookie name. */
 class SensitiveCookieNameExpr extends Expr {
   SensitiveCookieNameExpr() { isSensitiveCookieNameExpr(this) }
 }
 
-/** Sink of adding a cookie to the HTTP response. */
+/** A cookie that is added to an HTTP response, used as a sink in `MissingHttpOnlyConfiguration`. */
 class CookieResponseSink extends DataFlow::ExprNode {
   CookieResponseSink() {
     exists(MethodAccess ma |
@@ -145,14 +145,14 @@ predicate setHttpOnlyInNewCookie(ClassInstanceExpr cie) {
   cie.getConstructedType().hasQualifiedName(["javax.ws.rs.core", "jakarta.ws.rs.core"], "NewCookie") and
   (
     cie.getNumArgument() = 6 and
-    isBooleanTrue(cie.getArgument(5)) // NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
+    mayBeBooleanTrue(cie.getArgument(5)) // NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
     or
     cie.getNumArgument() = 8 and
     cie.getArgument(6).getType() instanceof BooleanType and
-    isBooleanTrue(cie.getArgument(7)) // NewCookie(String name, String value, String path, String domain, String comment, int maxAge, boolean secure, boolean httpOnly)
+    mayBeBooleanTrue(cie.getArgument(7)) // NewCookie(String name, String value, String path, String domain, String comment, int maxAge, boolean secure, boolean httpOnly)
     or
     cie.getNumArgument() = 10 and
-    isBooleanTrue(cie.getArgument(9)) // NewCookie(String name, String value, String path, String domain, int version, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
+    mayBeBooleanTrue(cie.getArgument(9)) // NewCookie(String name, String value, String path, String domain, int version, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
   )
 }
 

From 53daa7c43685304e6e7463890bcf4d8b77d59ee6 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 17 Mar 2021 12:10:19 +0100
Subject: [PATCH 0257/1429] Java: Migrate LDAP injection sinks to CSV format

---
 .../code/java/dataflow/ExternalFlow.qll       |   1 +
 .../code/java/security/LdapInjection.qll      | 109 ++++++++----------
 2 files changed, 49 insertions(+), 61 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 4bb79e84ead..94bca372bb0 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -76,6 +76,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.ApacheHttp
   private import semmle.code.java.frameworks.apache.Lang
   private import semmle.code.java.frameworks.guava.Guava
+  private import semmle.code.java.security.LdapInjection
 }
 
 private predicate sourceModelCsv(string row) {
diff --git a/java/ql/src/semmle/code/java/security/LdapInjection.qll b/java/ql/src/semmle/code/java/security/LdapInjection.qll
index 2c1f493c691..f5e0994c68f 100644
--- a/java/ql/src/semmle/code/java/security/LdapInjection.qll
+++ b/java/ql/src/semmle/code/java/security/LdapInjection.qll
@@ -6,6 +6,7 @@ import semmle.code.java.frameworks.Jndi
 import semmle.code.java.frameworks.UnboundId
 import semmle.code.java.frameworks.SpringLdap
 import semmle.code.java.frameworks.ApacheLdap
+private import semmle.code.java.dataflow.ExternalFlow
 
 /** A data flow sink for unvalidated user input that is used to construct LDAP queries. */
 abstract class LdapInjectionSink extends DataFlow::Node { }
@@ -28,70 +29,56 @@ class LdapInjectionAdditionalTaintStep extends Unit {
 
 /** Default sink for LDAP injection vulnerabilities. */
 private class DefaultLdapInjectionSink extends LdapInjectionSink {
-  DefaultLdapInjectionSink() {
-    exists(MethodAccess ma, Method m, int index |
-      ma.getMethod() = m and
-      ma.getArgument(index) = this.asExpr() and
-      ldapInjectionSinkMethod(m, index)
-    )
+  DefaultLdapInjectionSink() { sinkNode(this, "ldap") }
+}
+
+private class DefaultLdapInjectionSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // jndi
+        "javax.naming.directory;DirContext;true;search;;;Argument[0..1];ldap",
+        // apache
+        "org.apache.directory.ldap.client.api;LdapConnection;true;search;;;Argument[0..2];ldap",
+        // UnboundID: search
+        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(ReadOnlySearchRequest);;Argument[0];ldap",
+        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(SearchRequest);;Argument[0];ldap",
+        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(SearchResultListener,String,SearchScope,DereferencePolicy,int,int,boolean,Filter,String[]);;Argument[0..7];ldap",
+        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(SearchResultListener,String,SearchScope,DereferencePolicy,int,int,boolean,String,String[]);;Argument[0..7];ldap",
+        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(SearchResultListener,String,SearchScope,Filter,String[]]);;Argument[0..3];ldap",
+        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(SearchResultListener,String,SearchScope,String,String[]]);;Argument[0..3];ldap",
+        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(String,SearchScope,DereferencePolicy,int,int,boolean,Filter,String[]]);;Argument[0..6];ldap",
+        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(String,SearchScope,DereferencePolicy,int,int,boolean,String,String[]]);;Argument[0..6];ldap",
+        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(String,SearchScope,Filter,String[]]);;Argument[0..2];ldap",
+        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(String,SearchScope,String,String[]]);;Argument[0..2];ldap",
+        // UnboundID: searchForEntry
+        "com.unboundid.ldap.sdk;LDAPConnection;false;searchForEntry;(ReadOnlySearchRequest);;Argument[0];ldap",
+        "com.unboundid.ldap.sdk;LDAPConnection;false;searchForEntry;(SearchRequest);;Argument[0];ldap",
+        "com.unboundid.ldap.sdk;LDAPConnection;false;searchForEntry;(String,SearchScope,DereferencePolicy,int,boolean,Filter,String[]);;Argument[0..5];ldap",
+        "com.unboundid.ldap.sdk;LDAPConnection;false;searchForEntry;(String,SearchScope,DereferencePolicy,int,boolean,String,String[]);;Argument[0..5];ldap",
+        "com.unboundid.ldap.sdk;LDAPConnection;false;searchForEntry;(String,SearchScope,Filter,String[]);;Argument[0..2];ldap",
+        "com.unboundid.ldap.sdk;LDAPConnection;false;searchForEntry;(String,SearchScope,String,String[]);;Argument[0..2];ldap",
+        // UnboundID: asyncSearch
+        "com.unboundid.ldap.sdk;LDAPConnection;false;asyncSearch;;;Argument[0];ldap",
+        // Spring
+        "org.springframework.ldap.core;LdapTemplate;false;find;;;Argument[0..1];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;findOne;;;Argument[0..1];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;search;;;Argument[0..1];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;searchForContext;;;Argument[0..1];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;searchForObject;;;Argument[0..1];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;authenticate;;;Argument[0];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(Name,String,String);;Argument[1];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(Name,String,String,AuthenticatedLdapEntryContextCallback);;Argument[1];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(Name,String,String,AuthenticatedLdapEntryContextCallback,AuthenticationErrorCallback);;Argument[1];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(Name,String,String,AuthenticationErrorCallback);;Argument[1];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(String,String,String);;Argument[1];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(String,String,String,AuthenticatedLdapEntryContextCallback);;Argument[1];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(String,String,String,AuthenticatedLdapEntryContextCallback,AuthenticationErrorCallback);;Argument[1];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(String,String,String,AuthenticationErrorCallback);;Argument[1];ldap"
+      ]
   }
 }
 
-/** Holds if the method parameter at `index` is susceptible to an LDAP injection attack. */
-private predicate ldapInjectionSinkMethod(Method m, int index) {
-  jndiLdapInjectionSinkMethod(m, index) or
-  unboundIdLdapInjectionSinkMethod(m, index) or
-  springLdapInjectionSinkMethod(m, index) or
-  apacheLdapInjectionSinkMethod(m, index)
-}
-
-/** Holds if the JNDI method parameter at `index` is susceptible to an LDAP injection attack. */
-private predicate jndiLdapInjectionSinkMethod(Method m, int index) {
-  m.getDeclaringType().getAnAncestor() instanceof TypeDirContext and
-  m.hasName("search") and
-  index in [0 .. 1]
-}
-
-/** Holds if the UnboundID method parameter at `index` is susceptible to an LDAP injection attack. */
-private predicate unboundIdLdapInjectionSinkMethod(Method m, int index) {
-  exists(Parameter param | m.getParameter(index) = param and not param.isVarargs() |
-    m instanceof MethodUnboundIdLDAPConnectionSearch or
-    m instanceof MethodUnboundIdLDAPConnectionAsyncSearch or
-    m instanceof MethodUnboundIdLDAPConnectionSearchForEntry
-  )
-}
-
-/** Holds if the Spring method parameter at `index` is susceptible to an LDAP injection attack. */
-private predicate springLdapInjectionSinkMethod(Method m, int index) {
-  // LdapTemplate.authenticate, LdapTemplate.find* or LdapTemplate.search* method
-  (
-    m instanceof MethodSpringLdapTemplateAuthenticate or
-    m instanceof MethodSpringLdapTemplateFind or
-    m instanceof MethodSpringLdapTemplateFindOne or
-    m instanceof MethodSpringLdapTemplateSearch or
-    m instanceof MethodSpringLdapTemplateSearchForContext or
-    m instanceof MethodSpringLdapTemplateSearchForObject
-  ) and
-  (
-    // Parameter index is 1 (DN or query) or 2 (filter) if method is not authenticate
-    index in [0 .. 1] and
-    not m instanceof MethodSpringLdapTemplateAuthenticate
-    or
-    // But it's not the last parameter in case of authenticate method (last param is password)
-    index in [0 .. 1] and
-    index < m.getNumberOfParameters() - 1 and
-    m instanceof MethodSpringLdapTemplateAuthenticate
-  )
-}
-
-/** Holds if the Apache LDAP API method parameter at `index` is susceptible to an LDAP injection attack. */
-private predicate apacheLdapInjectionSinkMethod(Method m, int index) {
-  exists(Parameter param | m.getParameter(index) = param and not param.isVarargs() |
-    m.getDeclaringType().getAnAncestor() instanceof TypeApacheLdapConnection and
-    m.hasName("search")
-  )
-}
-
 /** A sanitizer that clears the taint on (boxed) primitive types. */
 private class DefaultLdapSanitizer extends LdapInjectionSanitizer {
   DefaultLdapSanitizer() {

From dbb3d3dc175cd29f1efb573c3744c131653be1b2 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 9 Apr 2021 09:50:55 +0200
Subject: [PATCH 0258/1429] Add change note

---
 csharp/change-notes/2021-04-09-default-argument-values.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 csharp/change-notes/2021-04-09-default-argument-values.md

diff --git a/csharp/change-notes/2021-04-09-default-argument-values.md b/csharp/change-notes/2021-04-09-default-argument-values.md
new file mode 100644
index 00000000000..ef34dca4f6a
--- /dev/null
+++ b/csharp/change-notes/2021-04-09-default-argument-values.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The extractor has been improved to store default argument values for parameters that are extracted from referenced assemblies.
\ No newline at end of file

From 749db379ca17c1ad297218d2bd2e0e407636a1d1 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 9 Apr 2021 09:55:37 +0200
Subject: [PATCH 0259/1429] Address code review findings

---
 csharp/ql/src/semmle/code/csharp/frameworks/Dapper.qll | 2 +-
 csharp/ql/src/semmle/code/csharp/frameworks/Sql.qll    | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/frameworks/Dapper.qll b/csharp/ql/src/semmle/code/csharp/frameworks/Dapper.qll
index f5872226347..3d25f4389fd 100644
--- a/csharp/ql/src/semmle/code/csharp/frameworks/Dapper.qll
+++ b/csharp/ql/src/semmle/code/csharp/frameworks/Dapper.qll
@@ -1,5 +1,5 @@
 /**
- * Classes for modelling Dapper.
+ * Classes for modeling Dapper.
  */
 
 import csharp
diff --git a/csharp/ql/src/semmle/code/csharp/frameworks/Sql.qll b/csharp/ql/src/semmle/code/csharp/frameworks/Sql.qll
index 76d24403524..1a727030bea 100644
--- a/csharp/ql/src/semmle/code/csharp/frameworks/Sql.qll
+++ b/csharp/ql/src/semmle/code/csharp/frameworks/Sql.qll
@@ -6,7 +6,7 @@ private import semmle.code.csharp.frameworks.system.data.SqlClient
 private import semmle.code.csharp.frameworks.EntityFramework
 private import semmle.code.csharp.frameworks.NHibernate
 private import semmle.code.csharp.frameworks.Dapper
-private import semmle.code.csharp.dataflow.DataFlow3
+private import semmle.code.csharp.dataflow.DataFlow4
 
 /** An expression containing a SQL command. */
 abstract class SqlExpr extends Expr {
@@ -105,7 +105,7 @@ class DapperCommandDefinitionMethodCallSqlExpr extends SqlExpr, ObjectCreation {
   override Expr getSql() { result = this.getArgumentForName("commandText") }
 }
 
-private class Conf extends DataFlow3::Configuration {
+private class Conf extends DataFlow4::Configuration {
   Conf() { this = "DapperCommandDefinitionFlowConfig" }
 
   override predicate isSource(DataFlow::Node node) {

From d7f0b9a7fa103102e80a8be026d5510821721d8b Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 9 Apr 2021 09:58:37 +0200
Subject: [PATCH 0260/1429] Add change note

---
 csharp/change-notes/2021-04-09-dapper-support.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 csharp/change-notes/2021-04-09-dapper-support.md

diff --git a/csharp/change-notes/2021-04-09-dapper-support.md b/csharp/change-notes/2021-04-09-dapper-support.md
new file mode 100644
index 00000000000..a7db9d045d2
--- /dev/null
+++ b/csharp/change-notes/2021-04-09-dapper-support.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Support for the Dapper ORM library has been added to the SQL injection checks.
\ No newline at end of file

From b9ce1aefc09f72f53a3ecc1940fe396a679433be Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 30 Mar 2021 09:31:38 +0200
Subject: [PATCH 0261/1429] Java: Convert unsafe URL opening sinks to CSV
 format

---
 java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql   | 17 ++---------------
 .../semmle/code/java/dataflow/ExternalFlow.qll  |  9 ++++++++-
 2 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql b/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
index 306bf27ab9c..d1bce930054 100644
--- a/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
+++ b/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
@@ -13,6 +13,7 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.Networking
 import DataFlow::PathGraph
+private import semmle.code.java.dataflow.ExternalFlow
 
 class HTTPString extends StringLiteral {
   HTTPString() {
@@ -30,26 +31,12 @@ class HTTPString extends StringLiteral {
   }
 }
 
-class URLOpenMethod extends Method {
-  URLOpenMethod() {
-    this.getDeclaringType().getQualifiedName() = "java.net.URL" and
-    (
-      this.getName() = "openConnection" or
-      this.getName() = "openStream"
-    )
-  }
-}
-
 class HTTPStringToURLOpenMethodFlowConfig extends TaintTracking::Configuration {
   HTTPStringToURLOpenMethodFlowConfig() { this = "HttpsUrls::HTTPStringToURLOpenMethodFlowConfig" }
 
   override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof HTTPString }
 
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess m |
-      sink.asExpr() = m.getQualifier() and m.getMethod() instanceof URLOpenMethod
-    )
-  }
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "open-url") }
 
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(UrlConstructorCall u |
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 4bb79e84ead..ece2c7cff74 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -184,7 +184,14 @@ private predicate sourceModelCsv(string row) {
     ]
 }
 
-private predicate sinkModelCsv(string row) { none() }
+private predicate sinkModelCsv(string row) {
+  row =
+    [
+      // Open URL
+      "java.net;URL;false;openConnection;;;Argument[-1];open-url",
+      "java.net;URL;false;openStream;;;Argument[-1];open-url"
+    ]
+}
 
 private predicate summaryModelCsv(string row) {
   row =

From 9e2832a82d7e3f51c7967c8aafee2d48c01b8b2c Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 30 Mar 2021 16:24:32 +0200
Subject: [PATCH 0262/1429] Java: Convert zipslip sinks to CSV format

---
 java/ql/src/Security/CWE/CWE-022/ZipSlip.ql   | 31 ++-----------------
 .../code/java/dataflow/ExternalFlow.qll       | 16 +++++++++-
 2 files changed, 17 insertions(+), 30 deletions(-)

diff --git a/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql b/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
index 7d74f8b79ac..80de02d7067 100644
--- a/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
+++ b/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
@@ -17,6 +17,7 @@ import semmle.code.java.dataflow.SSA
 import semmle.code.java.dataflow.TaintTracking
 import DataFlow
 import PathGraph
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A method that returns the name of an archive entry.
@@ -33,34 +34,6 @@ class ArchiveEntryNameMethod extends Method {
   }
 }
 
-/**
- * An expression that will be treated as the destination of a write.
- */
-class WrittenFileName extends Expr {
-  WrittenFileName() {
-    // Constructors that write to their first argument.
-    exists(ConstructorCall ctr | this = ctr.getArgument(0) |
-      exists(Class c | ctr.getConstructor() = c.getAConstructor() |
-        c.hasQualifiedName("java.io", "FileOutputStream") or
-        c.hasQualifiedName("java.io", "RandomAccessFile") or
-        c.hasQualifiedName("java.io", "FileWriter")
-      )
-    )
-    or
-    // Methods that write to their n'th argument
-    exists(MethodAccess call, int n | this = call.getArgument(n) |
-      call.getMethod().getDeclaringType().hasQualifiedName("java.nio.file", "Files") and
-      (
-        call.getMethod().getName().regexpMatch("new.*Reader|newOutputStream|create.*") and n = 0
-        or
-        call.getMethod().hasName("copy") and n = 1
-        or
-        call.getMethod().hasName("move") and n = 1
-      )
-    )
-  }
-}
-
 /**
  * Holds if `n1` to `n2` is a dataflow step that converts between `String`,
  * `File`, and `Path`.
@@ -151,7 +124,7 @@ class ZipSlipConfiguration extends TaintTracking::Configuration {
     source.asExpr().(MethodAccess).getMethod() instanceof ArchiveEntryNameMethod
   }
 
-  override predicate isSink(Node sink) { sink.asExpr() instanceof WrittenFileName }
+  override predicate isSink(Node sink) { sinkNode(sink, "create-file") }
 
   override predicate isAdditionalTaintStep(Node n1, Node n2) {
     filePathStep(n1, n2) or fileTaintStep(n1, n2)
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index ece2c7cff74..2aa0b1d14e4 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -189,7 +189,21 @@ private predicate sinkModelCsv(string row) {
     [
       // Open URL
       "java.net;URL;false;openConnection;;;Argument[-1];open-url",
-      "java.net;URL;false;openStream;;;Argument[-1];open-url"
+      "java.net;URL;false;openStream;;;Argument[-1];open-url",
+      // Create file
+      "java.io;FileOutputStream;false;FileOutputStream;;;Argument[0];create-file",
+      "java.io;RandomAccessFile;false;RandomAccessFile;;;Argument[0];create-file",
+      "java.io;FileWriter;false;FileWriter;;;Argument[0];create-file",
+      "java.nio.file;Files;false;move;;;Argument[1];create-file",
+      "java.nio.file;Files;false;copy;;;Argument[1];create-file",
+      "java.nio.file;Files;false;newOutputStream;;;Argument[0];create-file",
+      "java.nio.file;Files;false;newBufferedReader;;;Argument[0];create-file",
+      "java.nio.file;Files;false;createDirectory;;;Argument[0];create-file",
+      "java.nio.file;Files;false;createFile;;;Argument[0];create-file",
+      "java.nio.file;Files;false;createLink;;;Argument[0];create-file",
+      "java.nio.file;Files;false;createSymbolicLink;;;Argument[0];create-file",
+      "java.nio.file;Files;false;createTempDirectory;;;Argument[0];create-file",
+      "java.nio.file;Files;false;createTempFile;;;Argument[0];create-file"
     ]
 }
 

From 0a6aef71a2f957386f895d594f227a0c67c387be Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 9 Apr 2021 12:29:13 +0200
Subject: [PATCH 0263/1429] C++: Respond to review comments.

---
 .../cpp/dataflow/internal/DataFlowUtil.qll    |  4 +-
 .../code/cpp/dataflow/internal/FlowVar.qll    | 76 +++++++++----------
 .../dataflow/taint-tests/localTaint.expected  |  2 -
 3 files changed, 37 insertions(+), 45 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
index baf5f72b75b..810c74e3e69 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -326,7 +326,7 @@ private class VariablePartialDefinitionNode extends PartialDefinitionNode {
  * A synthetic data flow node used for flow into a collection when an iterator
  * write occurs in a callee.
  */
-class IteratorPartialDefinitionNode extends PartialDefinitionNode {
+private class IteratorPartialDefinitionNode extends PartialDefinitionNode {
   override IteratorPartialDefinition pd;
 
   override Node getPreUpdateNode() { pd.definesExpressions(_, result.asExpr()) }
@@ -338,7 +338,7 @@ class IteratorPartialDefinitionNode extends PartialDefinitionNode {
  * A synthetic data flow node used for flow into a collection when a smart pointer
  * write occurs in a callee.
  */
-class SmartPointerPartialDefinitionNode extends PartialDefinitionNode {
+private class SmartPointerPartialDefinitionNode extends PartialDefinitionNode {
   override SmartPointerPartialDefinition pd;
 
   override Node getPreUpdateNode() { pd.definesExpressions(_, result.asExpr()) }
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
index 29b6cd691a4..0e5d6ea5fa7 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
@@ -159,18 +159,14 @@ private module PartialDefinitions {
     Expr innerDefinedExpr;
 
     IteratorPartialDefinition() {
-      exists(Expr convertedInner |
-        not this instanceof Conversion and
-        valueToUpdate(convertedInner, this.getFullyConverted(), node) and
-        innerDefinedExpr = convertedInner.getUnconverted() and
-        (
-          innerDefinedExpr.(Call).getQualifier() = getAnIteratorAccess(collection)
-          or
-          innerDefinedExpr.(Call).getQualifier() = collection.getAnAccess() and
-          collection instanceof IteratorParameter
-        ) and
-        innerDefinedExpr.(Call).getTarget() instanceof IteratorPointerDereferenceMemberOperator
-      )
+      innerDefinedExpr = getInnerDefinedExpr(this, node) and
+      (
+        innerDefinedExpr.(Call).getQualifier() = getAnIteratorAccess(collection)
+        or
+        innerDefinedExpr.(Call).getQualifier() = collection.getAnAccess() and
+        collection instanceof IteratorParameter
+      ) and
+      innerDefinedExpr.(Call).getTarget() instanceof IteratorPointerDereferenceMemberOperator
       or
       // iterators passed by value without a copy constructor
       exists(Call call |
@@ -208,16 +204,18 @@ private module PartialDefinitions {
     }
   }
 
+  private Expr getInnerDefinedExpr(Expr e, ControlFlowNode node) {
+    not e instanceof Conversion and
+    exists(Expr convertedInner |
+      valueToUpdate(convertedInner, e.getFullyConverted(), node) and
+      result = convertedInner.getUnconverted()
+    )
+  }
+
   class VariablePartialDefinition extends PartialDefinition {
     Expr innerDefinedExpr;
 
-    VariablePartialDefinition() {
-      not this instanceof Conversion and
-      exists(Expr convertedInner |
-        valueToUpdate(convertedInner, this.getFullyConverted(), node) and
-        innerDefinedExpr = convertedInner.getUnconverted()
-      )
-    }
+    VariablePartialDefinition() { innerDefinedExpr = getInnerDefinedExpr(this, node) }
 
     deprecated override predicate partiallyDefines(Variable v) {
       innerDefinedExpr = v.getAnAccess()
@@ -249,30 +247,15 @@ private module PartialDefinitions {
     Expr innerDefinedExpr;
 
     SmartPointerPartialDefinition() {
-      exists(Expr convertedInner |
-        not this instanceof Conversion and
-        valueToUpdate(convertedInner, this.getFullyConverted(), node) and
-        innerDefinedExpr = convertedInner.getUnconverted() and
-        innerDefinedExpr = getAPointerWrapperAccess(pointer)
-      )
+      innerDefinedExpr = pragma[only_bind_out](getInnerDefinedExpr(this, node)) and
+      innerDefinedExpr = getAPointerWrapperAccess(pointer, -1)
       or
-      // pointer wrappers passed by value without a copy constructor
+      // Pointer wrappers passed to a function by value.
       exists(Call call |
         call = node and
         call.getAnArgument() = innerDefinedExpr and
         innerDefinedExpr = this and
-        this = getAPointerWrapperAccess(pointer) and
-        not call instanceof OverloadedPointerDereferenceExpr
-      )
-      or
-      // pointer wrappers passed by value with a copy constructor
-      exists(Call call, ConstructorCall copy |
-        copy.getTarget() instanceof CopyConstructor and
-        call = node and
-        call.getAnArgument() = copy and
-        copy.getArgument(0) = getAPointerWrapperAccess(pointer) and
-        innerDefinedExpr = this and
-        this = copy and
+        this = getAPointerWrapperAccess(pointer, 0) and
         not call instanceof OverloadedPointerDereferenceExpr
       )
     }
@@ -893,9 +876,20 @@ module FlowVar_internal {
     )
   }
 
-  Call getAPointerWrapperAccess(Variable pointer) {
-    pointer.getUnspecifiedType() instanceof PointerWrapper and
-    [result.getQualifier(), result.getAnArgument()] = pointer.getAnAccess()
+  /**
+   * Gets either:
+   * - A call to an unwrapper function, where an access to `pointer` is the qualifier, or
+   * - A call to the `CopyConstructor` that copies the value of an access to `pointer`.
+   */
+  Call getAPointerWrapperAccess(Variable pointer, int n) {
+    exists(PointerWrapper wrapper | wrapper = pointer.getUnspecifiedType().stripType() |
+      n = -1 and
+      result.getQualifier() = pointer.getAnAccess() and
+      result.getTarget() = wrapper.getAnUnwrapperFunction()
+      or
+      result.getArgument(n) = pointer.getAnAccess() and
+      result.getTarget() instanceof CopyConstructor
+    )
   }
 
   class IteratorParameter extends Parameter {
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index e1001427818..a5c8f00ecab 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -3223,7 +3223,6 @@
 | smart_pointer.cpp:11:30:11:50 | call to make_shared | smart_pointer.cpp:12:11:12:11 | p |  |
 | smart_pointer.cpp:11:30:11:50 | call to make_shared | smart_pointer.cpp:13:10:13:10 | p |  |
 | smart_pointer.cpp:11:52:11:57 | call to source | smart_pointer.cpp:11:30:11:50 | call to make_shared | TAINT |
-| smart_pointer.cpp:12:10:12:10 | call to operator* [post update] | smart_pointer.cpp:13:10:13:10 | p |  |
 | smart_pointer.cpp:12:11:12:11 | p | smart_pointer.cpp:12:10:12:10 | call to operator* | TAINT |
 | smart_pointer.cpp:12:11:12:11 | ref arg p | smart_pointer.cpp:13:10:13:10 | p |  |
 | smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:18:11:18:11 | p |  |
@@ -3234,7 +3233,6 @@
 | smart_pointer.cpp:23:30:23:50 | call to make_unique | smart_pointer.cpp:24:11:24:11 | p |  |
 | smart_pointer.cpp:23:30:23:50 | call to make_unique | smart_pointer.cpp:25:10:25:10 | p |  |
 | smart_pointer.cpp:23:52:23:57 | call to source | smart_pointer.cpp:23:30:23:50 | call to make_unique | TAINT |
-| smart_pointer.cpp:24:10:24:10 | call to operator* [post update] | smart_pointer.cpp:25:10:25:10 | p |  |
 | smart_pointer.cpp:24:11:24:11 | p | smart_pointer.cpp:24:10:24:10 | call to operator* | TAINT |
 | smart_pointer.cpp:24:11:24:11 | ref arg p | smart_pointer.cpp:25:10:25:10 | p |  |
 | smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:30:11:30:11 | p |  |

From f329c3fdab6064ffd82b2a3a54de826395c08c9e Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 31 Mar 2021 10:09:58 +0200
Subject: [PATCH 0264/1429] Java: Convert insecure bean validation sink to CSV
 format

---
 .../CWE/CWE-094/InsecureBeanValidation.ql     | 21 ++-----------------
 .../code/java/dataflow/ExternalFlow.qll       |  4 +++-
 2 files changed, 5 insertions(+), 20 deletions(-)

diff --git a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
index 6b8ab085132..e4ee42008a1 100644
--- a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
+++ b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
@@ -13,6 +13,7 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
 import DataFlow::PathGraph
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A message interpolator Type that perform Expression Language (EL) evaluations
@@ -50,19 +51,6 @@ class SetMessageInterpolatorCall extends MethodAccess {
   predicate isSafe() { not this.getAnArgument().getType() instanceof ELMessageInterpolatorType }
 }
 
-/**
- * A method named `buildConstraintViolationWithTemplate` declared on a subtype
- * of `javax.validation.ConstraintValidatorContext`.
- */
-class BuildConstraintViolationWithTemplateMethod extends Method {
-  BuildConstraintViolationWithTemplateMethod() {
-    this.getDeclaringType()
-        .getASupertype*()
-        .hasQualifiedName("javax.validation", "ConstraintValidatorContext") and
-    this.hasName("buildConstraintViolationWithTemplate")
-  }
-}
-
 /**
  * Taint tracking BeanValidationConfiguration describing the flow of data from user input
  * to the argument of a method that builds constraint error messages.
@@ -72,12 +60,7 @@ class BeanValidationConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma |
-      ma.getMethod() instanceof BuildConstraintViolationWithTemplateMethod and
-      sink.asExpr() = ma.getArgument(0)
-    )
-  }
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "bean-validation") }
 }
 
 from BeanValidationConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 2aa0b1d14e4..337f26d82c6 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -203,7 +203,9 @@ private predicate sinkModelCsv(string row) {
       "java.nio.file;Files;false;createLink;;;Argument[0];create-file",
       "java.nio.file;Files;false;createSymbolicLink;;;Argument[0];create-file",
       "java.nio.file;Files;false;createTempDirectory;;;Argument[0];create-file",
-      "java.nio.file;Files;false;createTempFile;;;Argument[0];create-file"
+      "java.nio.file;Files;false;createTempFile;;;Argument[0];create-file",
+      // Bean validation
+      "javax.validation;ConstraintValidatorContext;true;buildConstraintViolationWithTemplate;;;Argument[0];bean-validation"
     ]
 }
 

From 0b7a6671dd75b8cd1ab54cac2b7d0cbd8604dd2a Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 31 Mar 2021 10:16:14 +0200
Subject: [PATCH 0265/1429] Java: Convert header splitting sinks to CSV format

---
 .../code/java/dataflow/ExternalFlow.qll       |  1 +
 .../code/java/security/ResponseSplitting.qll  | 43 +++++++------------
 2 files changed, 17 insertions(+), 27 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 337f26d82c6..f728c0f9fca 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -76,6 +76,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.ApacheHttp
   private import semmle.code.java.frameworks.apache.Lang
   private import semmle.code.java.frameworks.guava.Guava
+  private import semmle.code.java.security.ResponseSplitting
 }
 
 private predicate sourceModelCsv(string row) {
diff --git a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll
index d09e6567b15..040174d50b5 100644
--- a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll
+++ b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll
@@ -5,41 +5,30 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.Servlets
 import semmle.code.java.frameworks.JaxWS
+private import semmle.code.java.dataflow.ExternalFlow
 
 /** A sink that is vulnerable to an HTTP header splitting attack. */
-abstract class HeaderSplittingSink extends DataFlow::Node { }
+class HeaderSplittingSink extends DataFlow::Node {
+  HeaderSplittingSink() { sinkNode(this, "header-splitting") }
+}
+
+private class HeaderSplittingSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.servlet.http;HttpServletResponse;false;addCookie;;;Argument[0];header-splitting",
+        "javax.servlet.http;HttpServletResponse;false;addHeader;;;Argument;header-splitting",
+        "javax.servlet.http;HttpServletResponse;false;setHeader;;;Argument;header-splitting",
+        "javax.ws.rs.core;ResponseBuilder;false;header;;;Argument[1];header-splitting"
+      ]
+  }
+}
 
 /** A source that introduces data considered safe to use by a header splitting source. */
 abstract class SafeHeaderSplittingSource extends DataFlow::Node {
   SafeHeaderSplittingSource() { this instanceof RemoteFlowSource }
 }
 
-/** A sink that identifies a Java Servlet or JaxWs method that is vulnerable to an HTTP header splitting attack. */
-private class ServletHeaderSplittingSink extends HeaderSplittingSink {
-  ServletHeaderSplittingSink() {
-    exists(ResponseAddCookieMethod m, MethodAccess ma |
-      ma.getMethod() = m and
-      this.asExpr() = ma.getArgument(0)
-    )
-    or
-    exists(ResponseAddHeaderMethod m, MethodAccess ma |
-      ma.getMethod() = m and
-      this.asExpr() = ma.getAnArgument()
-    )
-    or
-    exists(ResponseSetHeaderMethod m, MethodAccess ma |
-      ma.getMethod() = m and
-      this.asExpr() = ma.getAnArgument()
-    )
-    or
-    exists(JaxRsResponseBuilder builder, Method m |
-      m = builder.getAMethod() and m.getName() = "header"
-    |
-      this.asExpr() = m.getAReference().getArgument(1)
-    )
-  }
-}
-
 /** A default source that introduces data considered safe to use by a header splitting source. */
 private class DefaultSafeHeaderSplittingSource extends SafeHeaderSplittingSource {
   DefaultSafeHeaderSplittingSource() {

From 595bdedb22089786fbaec1f7ce23a6ad1b763bf9 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Fri, 9 Apr 2021 13:02:19 +0200
Subject: [PATCH 0266/1429] rename predicate to `getStem`, and update regexp

---
 .../semmle/javascript/NodeModuleResolutionImpl.qll | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/NodeModuleResolutionImpl.qll b/javascript/ql/src/semmle/javascript/NodeModuleResolutionImpl.qll
index cc6f76d0b93..a8d56b63c58 100644
--- a/javascript/ql/src/semmle/javascript/NodeModuleResolutionImpl.qll
+++ b/javascript/ql/src/semmle/javascript/NodeModuleResolutionImpl.qll
@@ -85,12 +85,7 @@ File tryExtensions(Folder dir, string basename, int priority) {
  * Or `name`, if `name` has no file extension.
  */
 bindingset[name]
-private string maybeRemoveExtension(string name) {
-  result = name.regexpCapture("^(.+)\\.[^.]+$", 1)
-  or
-  not name.regexpMatch(".+\\..+") and
-  result = name
-}
+private string getStem(string name) { result = name.regexpCapture("(.+?)(?:\\.([^.]+))?", 1) }
 
 /**
  * Gets the main module described by `pkg` with the given `priority`.
@@ -103,9 +98,7 @@ File resolveMainModule(PackageJSON pkg, int priority) {
     or
     not exists(main.resolve()) and
     exists(int n | n = main.getNumComponent() |
-      result =
-        tryExtensions(main.resolveUpTo(n - 1), maybeRemoveExtension(main.getComponent(n - 1)),
-          priority)
+      result = tryExtensions(main.resolveUpTo(n - 1), getStem(main.getComponent(n - 1)), priority)
     )
   )
   or
@@ -129,8 +122,7 @@ File resolveMainModule(PackageJSON pkg, int priority) {
     exists(int n | n = file.getNumComponent() |
       result =
         min(int i, File res |
-          res =
-            tryExtensions(file.resolveUpTo(n - 1), maybeRemoveExtension(file.getComponent(n - 1)), i)
+          res = tryExtensions(file.resolveUpTo(n - 1), getStem(file.getComponent(n - 1)), i)
         |
           res order by i
         )

From 17fd758df1ec1c600ef8aef4454485b6c2bf5123 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 31 Mar 2021 10:31:21 +0200
Subject: [PATCH 0267/1429] Java: Convert XSS sinks to CSV format

---
 .../code/java/dataflow/ExternalFlow.qll       |  1 +
 java/ql/src/semmle/code/java/security/XSS.qll | 28 ++++++++-----------
 2 files changed, 13 insertions(+), 16 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index f728c0f9fca..402bb7fd747 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -77,6 +77,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.apache.Lang
   private import semmle.code.java.frameworks.guava.Guava
   private import semmle.code.java.security.ResponseSplitting
+  private import semmle.code.java.security.XSS
 }
 
 private predicate sourceModelCsv(string row) {
diff --git a/java/ql/src/semmle/code/java/security/XSS.qll b/java/ql/src/semmle/code/java/security/XSS.qll
index f51bc0bbdf5..9791eed203b 100644
--- a/java/ql/src/semmle/code/java/security/XSS.qll
+++ b/java/ql/src/semmle/code/java/security/XSS.qll
@@ -29,33 +29,29 @@ class XssAdditionalTaintStep extends Unit {
   abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
 }
 
+private class DefaultXssSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.servlet.http;HttpServletResponse;false;sendError;(int,String);;Argument[1];xss",
+        "android.webkit;WebView;false;loadData;;;Argument[0];xss",
+        "android.webkit;WebView;false;loadUrl;;;Argument[0];xss",
+        "android.webkit;WebView;false;loadDataWithBaseURL;;;Argument[1];xss"
+      ]
+  }
+}
+
 /** A default sink representing methods susceptible to XSS attacks. */
 private class DefaultXssSink extends XssSink {
   DefaultXssSink() {
     sinkNode(this, "xss")
     or
-    exists(HttpServletResponseSendErrorMethod m, MethodAccess ma |
-      ma.getMethod() = m and
-      this.asExpr() = ma.getArgument(1)
-    )
-    or
     exists(ServletWriterSourceToWritingMethodFlowConfig writer, MethodAccess ma |
       ma.getMethod() instanceof WritingMethod and
       writer.hasFlowToExpr(ma.getQualifier()) and
       this.asExpr() = ma.getArgument(_)
     )
     or
-    exists(Method m |
-      m.getDeclaringType() instanceof TypeWebView and
-      (
-        m.getAReference().getArgument(0) = this.asExpr() and m.getName() = "loadData"
-        or
-        m.getAReference().getArgument(0) = this.asExpr() and m.getName() = "loadUrl"
-        or
-        m.getAReference().getArgument(1) = this.asExpr() and m.getName() = "loadDataWithBaseURL"
-      )
-    )
-    or
     exists(SpringRequestMappingMethod requestMappingMethod, ReturnStmt rs |
       requestMappingMethod = rs.getEnclosingCallable() and
       this.asExpr() = rs.getResult() and

From e544faed6de23be9821771087b22c7ffb87a5005 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 1 Apr 2021 09:11:47 +0200
Subject: [PATCH 0268/1429] Java: Convert unsafe hostname verification sinks to
 CSV format

---
 .../Security/CWE/CWE-297/UnsafeHostnameVerification.ql | 10 ++--------
 java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll |  5 ++++-
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql b/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
index 9c060565f28..058a1f9e169 100644
--- a/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
+++ b/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
@@ -15,6 +15,7 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.Encryption
 import DataFlow::PathGraph
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * Holds if `m` always returns `true` ignoring any exceptional flow.
@@ -49,14 +50,7 @@ class TrustAllHostnameVerifierConfiguration extends DataFlow::Configuration {
     source.asExpr().(ClassInstanceExpr).getConstructedType() instanceof TrustAllHostnameVerifier
   }
 
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma, Method m |
-      (m instanceof SetDefaultHostnameVerifierMethod or m instanceof SetHostnameVerifierMethod) and
-      ma.getMethod() = m
-    |
-      ma.getArgument(0) = sink.asExpr()
-    )
-  }
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "set-hostname") }
 
   override predicate isBarrier(DataFlow::Node barrier) {
     // ignore nodes that are in functions that intentionally disable hostname verification
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 402bb7fd747..ba329d99f21 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -207,7 +207,10 @@ private predicate sinkModelCsv(string row) {
       "java.nio.file;Files;false;createTempDirectory;;;Argument[0];create-file",
       "java.nio.file;Files;false;createTempFile;;;Argument[0];create-file",
       // Bean validation
-      "javax.validation;ConstraintValidatorContext;true;buildConstraintViolationWithTemplate;;;Argument[0];bean-validation"
+      "javax.validation;ConstraintValidatorContext;true;buildConstraintViolationWithTemplate;;;Argument[0];bean-validation",
+      // Set hostname
+      "javax.net.ssl;HttpsURLConnection;true;setDefaultHostnameVerifier;;;Argument[0];set-hostname",
+      "javax.net.ssl;HttpsURLConnection;true;setHostnameVerifier;;;Argument[0];set-hostname"
     ]
 }
 

From 3e53484bb3b942c58f2bf1b90301a9779ebc34aa Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 1 Apr 2021 09:21:49 +0200
Subject: [PATCH 0269/1429] Java: Convert Google HTTP client API parseAs  sink
 to CSV format

---
 .../code/java/dataflow/ExternalFlow.qll       |  1 +
 .../frameworks/google/GoogleHttpClientApi.qll | 22 +++++++------------
 2 files changed, 9 insertions(+), 14 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index ba329d99f21..154ec98f2ad 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -76,6 +76,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.ApacheHttp
   private import semmle.code.java.frameworks.apache.Lang
   private import semmle.code.java.frameworks.guava.Guava
+  private import semmle.code.java.frameworks.google.GoogleHttpClientApi
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.XSS
 }
diff --git a/java/ql/src/semmle/code/java/frameworks/google/GoogleHttpClientApi.qll b/java/ql/src/semmle/code/java/frameworks/google/GoogleHttpClientApi.qll
index ccc446892f1..07e30711b44 100644
--- a/java/ql/src/semmle/code/java/frameworks/google/GoogleHttpClientApi.qll
+++ b/java/ql/src/semmle/code/java/frameworks/google/GoogleHttpClientApi.qll
@@ -2,14 +2,7 @@ import java
 import semmle.code.java.Serializability
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.DataFlow5
-
-/** The method `parseAs` in `com.google.api.client.http.HttpResponse`. */
-private class ParseAsMethod extends Method {
-  ParseAsMethod() {
-    this.getDeclaringType().hasQualifiedName("com.google.api.client.http", "HttpResponse") and
-    this.hasName("parseAs")
-  }
-}
+private import semmle.code.java.dataflow.ExternalFlow
 
 private class TypeLiteralToParseAsFlowConfiguration extends DataFlow5::Configuration {
   TypeLiteralToParseAsFlowConfiguration() {
@@ -18,16 +11,17 @@ private class TypeLiteralToParseAsFlowConfiguration extends DataFlow5::Configura
 
   override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof TypeLiteral }
 
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma |
-      ma.getAnArgument() = sink.asExpr() and
-      ma.getMethod() instanceof ParseAsMethod
-    )
-  }
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "google-parse-as") }
 
   TypeLiteral getSourceWithFlowToParseAs() { hasFlow(DataFlow::exprNode(result), _) }
 }
 
+private class ParseAsSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row = ["com.google.api.client.http;HttpResponse;false;parseAs;;;Argument;google-parse-as"]
+  }
+}
+
 /** A field that is deserialized by `HttpResponse.parseAs`. */
 class HttpResponseParseAsDeserializableField extends DeserializableField {
   HttpResponseParseAsDeserializableField() {

From 87d42b02c0c49ff717c941d6ea5290b6ca3c40df Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 31 Mar 2021 10:21:12 +0200
Subject: [PATCH 0270/1429] Java: Convert other sinks

---
 .../CWE/CWE-209/StackTraceExposure.ql         |  11 +-
 .../Security/CWE/CWE-036/OpenStream.ql        |  15 +-
 .../Security/CWE/CWE-074/XsltInjectionLib.qll |  41 +++--
 .../Security/CWE/CWE-094/JexlInjectionLib.qll | 139 +++++++-------
 .../Security/CWE/CWE-094/MvelInjectionLib.qll |  56 +++---
 .../CWE/CWE-326/InsufficientKeySize.ql        |  23 +--
 .../Security/CWE/CWE-327/SslLib.qll           |  20 ++-
 .../Security/CWE/CWE-346/UnvalidatedCors.ql   |  29 ++-
 .../Security/CWE/CWE-522/InsecureLdapAuth.ql  |  26 +--
 .../Security/CWE/CWE-643/XPathInjection.ql    |  23 +--
 .../Security/CWE/CWE-652/XQueryInjection.ql   |   7 +-
 .../CWE/CWE-652/XQueryInjectionLib.qll        |  12 ++
 .../Security/CWE/CWE-917/OgnlInjectionLib.qll |  26 ++-
 .../Security/CWE/CWE-918/RequestForgery.ql    |   5 +-
 .../Security/CWE/CWE-918/RequestForgery.qll   | 170 ++++--------------
 .../code/java/dataflow/ExternalFlow.qll       |  23 ++-
 .../java/security/UnsafeDeserialization.qll   |  32 ++--
 17 files changed, 303 insertions(+), 355 deletions(-)

diff --git a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
index c9c1e2917c0..1f49d5cb06a 100644
--- a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+++ b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
@@ -16,6 +16,7 @@ import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.XSS
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * One of the `printStackTrace()` overloads on `Throwable`.
@@ -37,10 +38,12 @@ class ServletWriterSourceToPrintStackTraceMethodFlowConfig extends TaintTracking
 
   override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ServletWriterSource }
 
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma |
-      sink.asExpr() = ma.getAnArgument() and ma.getMethod() instanceof PrintStackTraceMethod
-    )
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "print-stack-trace") }
+}
+
+private class PrintStackTraceSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row = ["java.lang;Throwable;true;printStackTrace;;;Argument;print-stack-trace"]
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql b/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql
index 871d6bb4737..6f75b3fc8ae 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql
@@ -15,6 +15,7 @@ import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.ExternalFlow
 import DataFlow::PathGraph
+private import semmle.code.java.dataflow.ExternalFlow
 
 class URLConstructor extends ClassInstanceExpr {
   URLConstructor() { this.getConstructor().getDeclaringType() instanceof TypeUrl }
@@ -39,13 +40,7 @@ class RemoteURLToOpenStreamFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess m |
-      sink.asExpr() = m.getQualifier() and m.getMethod() instanceof URLOpenStreamMethod
-    )
-    or
-    sinkNode(sink, "url-open-stream")
-  }
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "url-open-stream") }
 
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(URLConstructor u |
@@ -55,6 +50,12 @@ class RemoteURLToOpenStreamFlowConfig extends TaintTracking::Configuration {
   }
 }
 
+private class URLOpenStreamSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row = ["java.net;URL;false;openStream;;;Argument[-1];url-open-stream"]
+  }
+}
+
 from DataFlow::PathNode source, DataFlow::PathNode sink, MethodAccess call
 where
   sink.getNode().asExpr() = call.getQualifier() and
diff --git a/java/ql/src/experimental/Security/CWE/CWE-074/XsltInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-074/XsltInjectionLib.qll
index 4ba0eb6d0b1..bc0c8352a20 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-074/XsltInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-074/XsltInjectionLib.qll
@@ -2,6 +2,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.XmlParsers
 import DataFlow
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for unvalidated user input that is used in XSLT transformation.
@@ -103,15 +104,20 @@ class TypeXsltPackage extends Class {
 
 /** A data flow sink for unvalidated user input that is used in XSLT transformation. */
 class XsltInjectionSink extends DataFlow::ExprNode {
-  XsltInjectionSink() {
-    exists(MethodAccess ma, Method m | m = ma.getMethod() and ma.getQualifier() = this.getExpr() |
-      ma instanceof TransformerTransform or
-      m instanceof XsltTransformerTransformMethod or
-      m instanceof Xslt30TransformerTransformMethod or
-      m instanceof Xslt30TransformerApplyTemplatesMethod or
-      m instanceof Xslt30TransformerCallFunctionMethod or
-      m instanceof Xslt30TransformerCallTemplateMethod
-    )
+  XsltInjectionSink() { sinkNode(this, "xslt") }
+}
+
+private class XsltInjectionSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "net.sf.saxon.s9api;XsltTransformer;false;transform;;;Argument[-1];xslt",
+        "net.sf.saxon.s9api;Xslt30Transformer;false;transform;;;Argument[-1];xslt",
+        "net.sf.saxon.s9api;Xslt30Transformer;false;applyTemplates;;;Argument[-1];xslt",
+        "net.sf.saxon.s9api;Xslt30Transformer;false;callFunction;;;Argument[-1];xslt",
+        "net.sf.saxon.s9api;Xslt30Transformer;false;callTemplate;;;Argument[-1];xslt",
+        "javax.xml.transform;Transformer;false;transform;;;Argument[-1];xslt"
+      ]
   }
 }
 
@@ -186,16 +192,21 @@ private class TransformerFactoryWithSecureProcessingFeatureFlowConfig extends Da
     )
   }
 
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma |
-      sink.asExpr() = ma.getQualifier() and
-      ma.getMethod().getDeclaringType() instanceof TransformerFactory
-    )
-  }
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "xslt-transformer") }
 
   override int fieldFlowBranchLimit() { result = 0 }
 }
 
+private class TransformerFactorySinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.xml.transform;TransformerFactory;false;;;;Argument[-1];xslt-transformer",
+        "javax.xml.transform.sax;SAXTransformerFactory;false;;;;Argument[-1];xslt-transformer"
+      ]
+  }
+}
+
 /** A `ParserConfig` specific to `TransformerFactory`. */
 private class TransformerFactoryFeatureConfig extends ParserConfig {
   TransformerFactoryFeatureConfig() {
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
index 561d7e46ae9..8fcde750e54 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
@@ -1,6 +1,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for unsafe user input
@@ -21,7 +22,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {
 }
 
 /**
- * A sink for Expresssion Language injection vulnerabilities via Jexl,
+ * A sink for Expression Language injection vulnerabilities via Jexl,
  * i.e. method calls that run evaluation of a JEXL expression.
  *
  * Creating a `Callable` from a tainted JEXL expression or script is considered as a sink
@@ -30,18 +31,41 @@ class JexlInjectionConfig extends TaintTracking::Configuration {
  * maybe stored in an object field and then reached by a different flow.
  */
 private class JexlEvaluationSink extends DataFlow::ExprNode {
-  JexlEvaluationSink() {
-    exists(MethodAccess ma, Method m, Expr taintFrom |
-      ma.getMethod() = m and taintFrom = this.asExpr()
-    |
-      m instanceof DirectJexlEvaluationMethod and ma.getQualifier() = taintFrom
-      or
-      m instanceof CreateJexlCallableMethod and ma.getQualifier() = taintFrom
-      or
-      m instanceof JexlEngineGetSetPropertyMethod and
-      taintFrom.getType() instanceof TypeString and
-      ma.getAnArgument() = taintFrom
-    )
+  JexlEvaluationSink() { sinkNode(this, "jexl") }
+}
+
+private class JexlEvaluationSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // Direct JEXL evaluation
+        "org.apache.commons.jexl2;Expression;false;evaluate;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;JexlExpression;false;evaluate;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;Script;false;execute;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;JexlScript;false;execute;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;JxltEngine$Expression;false;evaluate;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;JxltEngine$Expression;false;evaluate;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;JxltEngine$Expression;false;prepare;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;JxltEngine$Expression;false;prepare;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;JxltEngine$Template;false;evaluate;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;JxltEngine$Template;false;evaluate;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;UnifiedJEXL$Expression;false;evaluate;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;UnifiedJEXL$Expression;false;evaluate;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;UnifiedJEXL$Expression;false;prepare;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;UnifiedJEXL$Expression;false;prepare;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;UnifiedJEXL$Template;false;evaluate;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;UnifiedJEXL$Template;false;evaluate;;;Argument[-1];jexl",
+        // JEXL callable
+        "org.apache.commons.jexl2;Expression;false;callable;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;JexlExpression;false;callable;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;Script;false;callable;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;JexlScript;false;callable;;;Argument[-1];jexl",
+        // Methods in the `JexlEngine` class that gets or sets a property with a JEXL expression.
+        "org.apache.commons.jexl2;JexlEngine;false;getProperty;;;Argument[1..2];jexl",
+        "org.apache.commons.jexl3;JexlEngine;false;getProperty;;;Argument[1..2];jexl",
+        "org.apache.commons.jexl2;JexlEngine;false;setProperty;;;Argument[1];jexl",
+        "org.apache.commons.jexl3;JexlEngine;false;setProperty;;;Argument[1];jexl"
+      ]
   }
 }
 
@@ -98,22 +122,36 @@ private class SandboxedJexlFlowConfig extends DataFlow2::Configuration {
 
   override predicate isSource(DataFlow::Node node) { node instanceof SandboxedJexlSource }
 
-  override predicate isSink(DataFlow::Node node) {
-    exists(MethodAccess ma, Method m | ma.getMethod() = m |
-      (
-        m instanceof CreateJexlScriptMethod or
-        m instanceof CreateJexlExpressionMethod or
-        m instanceof CreateJexlTemplateMethod
-      ) and
-      ma.getQualifier() = node.asExpr()
-    )
-  }
+  override predicate isSink(DataFlow::Node node) { sinkNode(node, "sandboxed-jexl") }
 
   override predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
     createsJexlEngine(fromNode, toNode)
   }
 }
 
+private class SandboxedJexlEvaluationSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // CreateJexlScriptMethod
+        "org.apache.commons.jexl2;JexlEngine;false;createScript;;;Argument[-1];sandboxed-jexl",
+        "org.apache.commons.jexl3;JexlEngine;false;createScript;;;Argument[-1];sandboxed-jexl",
+        // CreateJexlExpressionMethod
+        "org.apache.commons.jexl2;UnifiedJEXL;false;parse;;;Argument[-1];sandboxed-jexl",
+        "org.apache.commons.jexl3;UnifiedJEXL;false;parse;;;Argument[-1];sandboxed-jexl",
+        "org.apache.commons.jexl2;JxltEngine;false;createExpression;;;Argument[-1];sandboxed-jexl",
+        "org.apache.commons.jexl3;JxltEngine;false;createExpression;;;Argument[-1];sandboxed-jexl",
+        "org.apache.commons.jexl2;JexlEngine;false;createExpression;;;Argument[-1];sandboxed-jexl",
+        "org.apache.commons.jexl3;JexlEngine;false;createExpression;;;Argument[-1];sandboxed-jexl",
+        // CreateJexlTemplateMethod
+        "org.apache.commons.jexl2;JxltEngine;false;createTemplate;;;Argument[-1];sandboxed-jexl",
+        "org.apache.commons.jexl3;JxltEngine;false;createTemplate;;;Argument[-1];sandboxed-jexl",
+        "org.apache.commons.jexl2;UnifiedJEXL;false;createTemplate;;;Argument[-1];sandboxed-jexl",
+        "org.apache.commons.jexl3;UnifiedJEXL;false;createTemplate;;;Argument[-1];sandboxed-jexl"
+      ]
+  }
+}
+
 /**
  * Defines a data flow source for JEXL engines configured with a sandbox.
  */
@@ -164,35 +202,6 @@ private predicate returnsDataFromBean(DataFlow::Node fromNode, DataFlow::Node to
   )
 }
 
-/**
- * A methods in the `JexlEngine` class that gets or sets a property with a JEXL expression.
- */
-private class JexlEngineGetSetPropertyMethod extends Method {
-  JexlEngineGetSetPropertyMethod() {
-    getDeclaringType() instanceof JexlEngine and
-    hasName(["getProperty", "setProperty"])
-  }
-}
-
-/**
- * A method that triggers direct evaluation of JEXL expressions.
- */
-private class DirectJexlEvaluationMethod extends Method {
-  DirectJexlEvaluationMethod() {
-    getDeclaringType() instanceof JexlExpression and hasName("evaluate")
-    or
-    getDeclaringType() instanceof JexlScript and hasName("execute")
-    or
-    getDeclaringType() instanceof JxltEngineExpression and hasName(["evaluate", "prepare"])
-    or
-    getDeclaringType() instanceof JxltEngineTemplate and hasName("evaluate")
-    or
-    getDeclaringType() instanceof UnifiedJexlExpression and hasName(["evaluate", "prepare"])
-    or
-    getDeclaringType() instanceof UnifiedJexlTemplate and hasName("evaluate")
-  }
-}
-
 /**
  * A method that creates a JEXL script.
  */
@@ -200,16 +209,6 @@ private class CreateJexlScriptMethod extends Method {
   CreateJexlScriptMethod() { getDeclaringType() instanceof JexlEngine and hasName("createScript") }
 }
 
-/**
- * A method that creates a `Callable` for a JEXL expression or script.
- */
-private class CreateJexlCallableMethod extends Method {
-  CreateJexlCallableMethod() {
-    (getDeclaringType() instanceof JexlExpression or getDeclaringType() instanceof JexlScript) and
-    hasName("callable")
-  }
-}
-
 /**
  * A method that creates a JEXL template.
  */
@@ -267,22 +266,6 @@ private class JexlUberspect extends Interface {
   }
 }
 
-private class JxltEngineExpression extends NestedType {
-  JxltEngineExpression() { getEnclosingType() instanceof JxltEngine and hasName("Expression") }
-}
-
-private class JxltEngineTemplate extends NestedType {
-  JxltEngineTemplate() { getEnclosingType() instanceof JxltEngine and hasName("Template") }
-}
-
-private class UnifiedJexlExpression extends NestedType {
-  UnifiedJexlExpression() { getEnclosingType() instanceof UnifiedJexl and hasName("Expression") }
-}
-
-private class UnifiedJexlTemplate extends NestedType {
-  UnifiedJexlTemplate() { getEnclosingType() instanceof UnifiedJexl and hasName("Template") }
-}
-
 private class Reader extends RefType {
   Reader() { hasQualifiedName("java.io", "Reader") }
 }
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/MvelInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/MvelInjectionLib.qll
index a6cf891330f..dec268a2a4b 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/MvelInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/MvelInjectionLib.qll
@@ -1,6 +1,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for unsafe user input
@@ -30,36 +31,31 @@ class MvelInjectionConfig extends TaintTracking::Configuration {
  * i.e. methods that run evaluation of a MVEL expression.
  */
 class MvelEvaluationSink extends DataFlow::ExprNode {
-  MvelEvaluationSink() {
-    exists(StaticMethodAccess ma, Method m | m = ma.getMethod() |
-      (
-        m instanceof MvelEvalMethod or
-        m instanceof TemplateRuntimeEvaluationMethod
-      ) and
-      ma.getArgument(0) = asExpr()
-    )
-    or
-    exists(MethodAccess ma, Method m | m = ma.getMethod() |
-      m instanceof MvelScriptEngineEvaluationMethod and
-      ma.getArgument(0) = asExpr()
-    )
-    or
-    exists(MethodAccess ma, Method m | m = ma.getMethod() |
-      (
-        m instanceof ExecutableStatementEvaluationMethod or
-        m instanceof CompiledExpressionEvaluationMethod or
-        m instanceof CompiledAccExpressionEvaluationMethod or
-        m instanceof AccessorEvaluationMethod or
-        m instanceof CompiledScriptEvaluationMethod or
-        m instanceof MvelCompiledScriptEvaluationMethod
-      ) and
-      ma.getQualifier() = asExpr()
-    )
-    or
-    exists(StaticMethodAccess ma, Method m | m = ma.getMethod() |
-      m instanceof MvelRuntimeEvaluationMethod and
-      ma.getArgument(1) = asExpr()
-    )
+  MvelEvaluationSink() { sinkNode(this, "mvel") }
+}
+
+private class MvelEvaluationSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.mvel2.jsr223;MvelScriptEngine;false;evaluate;;;Argument[0];mvel",
+        "org.mvel2.jsr223;MvelScriptEngine;false;eval;;;Argument[0];mvel",
+        "org.mvel2.compiler;ExecutableStatement;false;getValue;;;Argument[-1];mvel",
+        "org.mvel2.compiler;CompiledExpression;false;getDirectValue;;;Argument[-1];mvel",
+        "org.mvel2.compiler;CompiledAccExpression;false;getValue;;;Argument[-1];mvel",
+        "org.mvel2.compiler;Accessor;false;getValue;;;Argument[-1];mvel",
+        "javax.script;CompiledScript;false;eval;;;Argument[-1];mvel",
+        "org.mvel2.jsr223;MvelCompiledScript;false;eval;;;Argument[-1];mvel",
+        "org.mvel2;MVEL;false;eval;;;Argument[0];mvel",
+        "org.mvel2;MVEL;false;executeExpression;;;Argument[0];mvel",
+        "org.mvel2;MVEL;false;evalToBoolean;;;Argument[0];mvel",
+        "org.mvel2;MVEL;false;evalToString;;;Argument[0];mvel",
+        "org.mvel2;MVEL;false;executeAllExpression;;;Argument[0];mvel",
+        "org.mvel2;MVEL;false;executeSetExpression;;;Argument[0];mvel",
+        "org.mvel2.templates;TemplateRuntime;false;eval;;;Argument[0];mvel",
+        "org.mvel2.templates;TemplateRuntime;false;execute;;;Argument[0];mvel",
+        "org.mvel2;MVELRuntime;false;execute;;;Argument[1];mvel"
+      ]
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
index 155d05abfae..ca86f42c561 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -12,6 +12,7 @@
 import java
 import semmle.code.java.security.Encryption
 import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.dataflow.ExternalFlow
 
 /** The Java class `java.security.spec.ECGenParameterSpec`. */
 class ECGenParameterSpec extends RefType {
@@ -55,11 +56,12 @@ class KeyGeneratorInitConfiguration extends TaintTracking::Configuration {
     exists(JavaxCryptoKeyGenerator jcg | jcg = source.asExpr())
   }
 
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma |
-      ma.getMethod() instanceof KeyGeneratorInitMethod and
-      sink.asExpr() = ma.getQualifier()
-    )
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "keygen") }
+}
+
+private class KeyGeneratorInitSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row = ["javax.crypto;KeyGenerator;false;init;;;Argument[-1];keygen"]
   }
 }
 
@@ -71,11 +73,12 @@ class KeyPairGeneratorInitConfiguration extends TaintTracking::Configuration {
     exists(JavaSecurityKeyPairGenerator jkg | jkg = source.asExpr())
   }
 
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma |
-      ma.getMethod() instanceof KeyPairGeneratorInitMethod and
-      sink.asExpr() = ma.getQualifier()
-    )
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "keypairgen") }
+}
+
+private class KeyPairGeneratorInitSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row = ["java.security;KeyPairGenerator;false;initialize;;;Argument[-1];keypairgen"]
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-327/SslLib.qll b/java/ql/src/experimental/Security/CWE/CWE-327/SslLib.qll
index bfa2530b07e..3845953f0aa 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-327/SslLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-327/SslLib.qll
@@ -3,6 +3,7 @@ import semmle.code.java.security.Encryption
 import semmle.code.java.dataflow.TaintTracking
 import DataFlow
 import PathGraph
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for unsafe SSL and TLS versions.
@@ -12,11 +13,20 @@ class UnsafeTlsVersionConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof UnsafeTlsVersion }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink instanceof SslContextGetInstanceSink or
-    sink instanceof CreateSslParametersSink or
-    sink instanceof SslParametersSetProtocolsSink or
-    sink instanceof SetEnabledProtocolsSink
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "ssl") }
+}
+
+private class UnsafeTlsVersionSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.net.ssl;SSLContext;false;getInstance;;;Argument[0];ssl",
+        "javax.net.ssl;SSLParameters;false;SSLParameters;;;Argument[1];ssl",
+        "javax.net.ssl;SSLParameters;false;setProtocols;;;Argument[0];ssl",
+        "javax.net.ssl;SSLSocket;false;setEnabledProtocols;;;Argument[0];ssl",
+        "javax.net.ssl;SSLServerSocket;false;setEnabledProtocols;;;Argument[0];ssl",
+        "javax.net.ssl;SSLEngine;false;setEnabledProtocols;;;Argument[0];ssl"
+      ]
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql b/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
index c5a6c36d6a6..2fe6569318f 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
@@ -15,6 +15,7 @@ import semmle.code.java.frameworks.Servlets
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.TaintTracking2
 import DataFlow::PathGraph
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  *  Holds if `header` sets `Access-Control-Allow-Credentials` to `true`. This ensures fair chances of exploitability.
@@ -29,33 +30,29 @@ private predicate setsAllowCredentials(MethodAccess header) {
   header.getArgument(1).(CompileTimeConstantExpr).getStringValue().toLowerCase() = "true"
 }
 
-private class CorsProbableCheckAccess extends MethodAccess {
-  CorsProbableCheckAccess() {
-    getMethod().hasName("contains") and
-    getMethod().getDeclaringType().getASourceSupertype*() instanceof CollectionType
-    or
-    getMethod().hasName("containsKey") and
-    getMethod().getDeclaringType().getASourceSupertype*() instanceof MapType
-    or
-    getMethod().hasName("equals") and
-    getQualifier().getType() instanceof TypeString
-  }
-}
-
 private Expr getAccessControlAllowOriginHeaderName() {
   result.(CompileTimeConstantExpr).getStringValue().toLowerCase() = "access-control-allow-origin"
 }
 
 /**
- * This taintflow2 configuration checks if there is a flow from source node towards CorsProbableCheckAccess methods.
+ * This taintflow2 configuration checks if there is a flow from source node towards probably CORS checking methods.
  */
 class CorsSourceReachesCheckConfig extends TaintTracking2::Configuration {
   CorsSourceReachesCheckConfig() { this = "CorsOriginConfig" }
 
   override predicate isSource(DataFlow::Node source) { any(CorsOriginConfig c).hasFlow(source, _) }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() = any(CorsProbableCheckAccess check).getAnArgument()
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "cors") }
+}
+
+private class CorsProbableCheckAccessSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "java.util;Collection;true;contains;;;Argument;cors",
+        "java.util;Map;true;containsKey;;;Argument;cors",
+        "java.lang;String;true;equals;;;Argument;cors"
+      ]
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
index 4ce2b8b7134..3c445934ad3 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
@@ -16,6 +16,7 @@ import semmle.code.java.frameworks.Jndi
 import semmle.code.java.frameworks.Networking
 import semmle.code.java.dataflow.TaintTracking
 import DataFlow::PathGraph
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * Insecure (non-SSL, non-private) LDAP URL string literal.
@@ -145,12 +146,7 @@ class InsecureUrlFlowConfig extends TaintTracking::Configuration {
   override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof InsecureLdapUrl }
 
   /** Sink of directory context creation. */
-  override predicate isSink(DataFlow::Node sink) {
-    exists(ConstructorCall cc |
-      cc.getConstructedType().getASupertype*() instanceof TypeDirContext and
-      sink.asExpr() = cc.getArgument(0)
-    )
-  }
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "ldap") }
 
   /** Method call of `env.put()`. */
   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
@@ -176,11 +172,12 @@ class BasicAuthFlowConfig extends DataFlow::Configuration {
   }
 
   /** Sink of directory context creation. */
-  override predicate isSink(DataFlow::Node sink) {
-    exists(ConstructorCall cc |
-      cc.getConstructedType().getASupertype*() instanceof TypeDirContext and
-      sink.asExpr() = cc.getArgument(0)
-    )
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "ldap") }
+}
+
+private class LdapSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row = ["javax.naming.directory;DirContext;true;.ctor;;;Argument[0];ldap"]
   }
 }
 
@@ -198,12 +195,7 @@ class SSLFlowConfig extends DataFlow::Configuration {
   }
 
   /** Sink of directory context creation. */
-  override predicate isSink(DataFlow::Node sink) {
-    exists(ConstructorCall cc |
-      cc.getConstructedType().getASupertype*() instanceof TypeDirContext and
-      sink.asExpr() = cc.getArgument(0)
-    )
-  }
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "ldap") }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, InsecureUrlFlowConfig config
diff --git a/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql
index e5a29df46d5..598f42b0c70 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql
@@ -15,6 +15,7 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.XmlParsers
 import DataFlow::PathGraph
+private import semmle.code.java.dataflow.ExternalFlow
 
 class XPathInjectionConfiguration extends TaintTracking::Configuration {
   XPathInjectionConfiguration() { this = "XPathInjection" }
@@ -25,16 +26,18 @@ class XPathInjectionConfiguration extends TaintTracking::Configuration {
 }
 
 class XPathInjectionSink extends DataFlow::ExprNode {
-  XPathInjectionSink() {
-    exists(Method m, MethodAccess ma | ma.getMethod() = m |
-      m.getDeclaringType().hasQualifiedName("javax.xml.xpath", "XPath") and
-      (m.hasName("evaluate") or m.hasName("compile")) and
-      ma.getArgument(0) = this.getExpr()
-      or
-      m.getDeclaringType().hasQualifiedName("org.dom4j", "Node") and
-      (m.hasName("selectNodes") or m.hasName("selectSingleNode")) and
-      ma.getArgument(0) = this.getExpr()
-    )
+  XPathInjectionSink() { sinkNode(this, "xpath") }
+}
+
+private class XPathInjectionSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.xml.xpath;XPath;false;compile;;;Argument[0];xpath",
+        "javax.xml.xpath;XPath;false;evaluate;;;Argument[0];xpath",
+        "org.dom4j;Node;false;selectNodes;;;Argument[0];xpath",
+        "org.dom4j;Node;false;selectSingleNode;;;Argument[0];xpath"
+      ]
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql
index 0bb85272f08..3b8e43c5d7d 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql
@@ -14,6 +14,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import XQueryInjectionLib
 import DataFlow::PathGraph
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration tracing flow from remote sources, through an XQuery parser, to its eventual execution.
@@ -23,11 +24,7 @@ class XQueryInjectionConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() = any(XQueryPreparedExecuteCall xpec).getPreparedExpression() or
-    sink.asExpr() = any(XQueryExecuteCall xec).getExecuteQueryArgument() or
-    sink.asExpr() = any(XQueryExecuteCommandCall xecc).getExecuteCommandArgument()
-  }
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "xquery") }
 
   /**
    * Holds if taint from the input `pred` to a `prepareExpression` call flows to the returned prepared expression `succ`.
diff --git a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjectionLib.qll
index 2a4019f2c9a..13452e4e55d 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjectionLib.qll
@@ -1,4 +1,5 @@
 import java
+private import semmle.code.java.dataflow.ExternalFlow
 
 /** A call to `XQConnection.prepareExpression`. */
 class XQueryParserCall extends MethodAccess {
@@ -66,3 +67,14 @@ class XQueryExecuteCommandCall extends MethodAccess {
   /** Return this execute command argument. */
   Expr getExecuteCommandArgument() { result = this.getArgument(0) }
 }
+
+private class XQuerySinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.xml.xquery;XQPreparedExpression;true;executeQuery;;;Argument[-1];xquery",
+        "javax.xml.xquery;XQExpression;true;executeQuery;;;Argument[0];xquery",
+        "javax.xml.xquery;XQExpression;true;executeCommand;;;Argument[0];xquery"
+      ]
+  }
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-917/OgnlInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-917/OgnlInjectionLib.qll
index 569e18a29c3..002e06aaafd 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-917/OgnlInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-917/OgnlInjectionLib.qll
@@ -2,6 +2,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import DataFlow
 import DataFlow::PathGraph
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for unvalidated user input that is used in OGNL EL evaluation.
@@ -82,12 +83,25 @@ predicate ognlInjectionSinkMethod(Method m, int index) {
 
 /** A data flow sink for unvalidated user input that is used in OGNL EL evaluation. */
 class OgnlInjectionSink extends DataFlow::ExprNode {
-  OgnlInjectionSink() {
-    exists(MethodAccess ma, Method m, int index |
-      ma.getMethod() = m and
-      (ma.getArgument(index) = this.getExpr() or ma.getQualifier() = this.getExpr()) and
-      ognlInjectionSinkMethod(m, index)
-    )
+  OgnlInjectionSink() { sinkNode(this, "ognl") }
+}
+
+private class OgnlInjectionSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.apache.commons.ognl;Ognl;false;setValue;;;Argument[-1..0];ognl",
+        "org.apache.commons.ognl;Ognl;false;getValue;;;Argument[-1..0];ognl",
+        "ognl;Ognl;false;setValue;;;Argument[-1..0];ognl",
+        "ognl;Ognl;false;getValue;;;Argument[-1..0];ognl",
+        "org.apache.commons.ognl;Node;true;setValue;;;Argument[-1..0];ognl",
+        "org.apache.commons.ognl;Node;true;getValue;;;Argument[-1..0];ognl",
+        "ognl;Node;true;setValue;;;Argument[-1..0];ognl",
+        "ognl;Node;true;getValue;;;Argument[-1..0];ognl",
+        "com.opensymphony.xwork2.ognl;OgnlUtil;false;setValue;;;Argument[-1..0];ognl",
+        "com.opensymphony.xwork2.ognl;OgnlUtil;false;getValue;;;Argument[-1..0];ognl",
+        "com.opensymphony.xwork2.ognl;OgnlUtil;false;callMethod;;;Argument[-1..0];ognl"
+      ]
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.ql b/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.ql
index c3bf787881f..6b0333da470 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.ql
@@ -14,13 +14,16 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import RequestForgery
 import DataFlow::PathGraph
+private import semmle.code.java.dataflow.ExternalFlow
 
 class RequestForgeryConfiguration extends TaintTracking::Configuration {
   RequestForgeryConfiguration() { this = "Server Side Request Forgery" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
+  override predicate isSink(DataFlow::Node sink) {
+    sink instanceof RequestForgerySink or sinkNode(sink, "request-forgery-sink")
+  }
 
   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
     requestForgeryStep(pred, succ)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.qll b/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.qll
index 3fc52ddca76..fa784baa7f2 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.qll
@@ -5,6 +5,7 @@ import semmle.code.java.frameworks.spring.Spring
 import semmle.code.java.frameworks.JaxWS
 import semmle.code.java.frameworks.javase.Http
 import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.ExternalFlow
 
 predicate requestForgeryStep(DataFlow::Node pred, DataFlow::Node succ) {
   // propagate to a URI when its host is assigned to
@@ -38,120 +39,43 @@ predicate requestForgeryStep(DataFlow::Node pred, DataFlow::Node succ) {
   )
 }
 
+private class RequestForgerySinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "java.net;URL;false;openConnection;;;Argument[-1];request-forgery-sink",
+        "java.net;URL;false;openStream;;;Argument[-1];request-forgery-sink",
+        "org.apache.http.client.methods;HttpRequestBase;true;setURI;;;Argument[0];request-forgery-sink",
+        "org.apache.http.message;BasicHttpRequest;true;setURI;;;Argument[0];request-forgery-sink",
+        "org.apache.http.client.methods;HttpRequestBase;true;.ctor;;;Argument[0];request-forgery-sink",
+        "org.apache.http.message;BasicHttpRequest;true;.ctor;;;Argument[0];request-forgery-sink",
+        "org.apache.http.client.methods;RequestBuilder;false;setURI;;;Argument[0];request-forgery-sink",
+        "org.apache.http.client.methods;RequestBuilder;false;get;;;Argument[0];request-forgery-sink",
+        "org.apache.http.client.methods;RequestBuilder;false;post;;;Argument[0];request-forgery-sink",
+        "org.apache.http.client.methods;RequestBuilder;false;put;;;Argument[0];request-forgery-sink",
+        "org.apache.http.client.methods;RequestBuilder;false;options;;;Argument[0];request-forgery-sink",
+        "org.apache.http.client.methods;RequestBuilder;false;head;;;Argument[0];request-forgery-sink",
+        "org.apache.http.client.methods;RequestBuilder;false;delete;;;Argument[0];request-forgery-sink",
+        "java.net.http;HttpRequest$Builder;false;uri;;;Argument[0];request-forgery-sink",
+        "org.springframework.web.client;RestTemplate;false;patchForObject;;;Argument[0];request-forgery-sink",
+        "org.springframework.web.client;RestTemplate;false;getForObject;;;Argument[0];request-forgery-sink",
+        "org.springframework.web.client;RestTemplate;false;getForEntity;;;Argument[0];request-forgery-sink",
+        "org.springframework.web.client;RestTemplate;false;execute;;;Argument[0];request-forgery-sink",
+        "org.springframework.web.client;RestTemplate;false;exchange;;;Argument[0];request-forgery-sink",
+        "org.springframework.web.client;RestTemplate;false;put;;;Argument[0];request-forgery-sink",
+        "org.springframework.web.client;RestTemplate;false;postForObject;;;Argument[0];request-forgery-sink",
+        "org.springframework.web.client;RestTemplate;false;postForLocation;;;Argument[0];request-forgery-sink",
+        "org.springframework.web.client;RestTemplate;false;postForEntity;;;Argument[0];request-forgery-sink",
+        "org.springframework.web.client;RestTemplate;false;doExecute;;;Argument[0];request-forgery-sink",
+        "javax.ws.rs.client;Client;false;target;;;Argument[0];request-forgery-sink",
+        "java.net.http;HttpRequest;false;newBuilder;;;Argument[0];request-forgery-sink" // todo: this might be stricter than before. Previously the package name was not checked.
+      ]
+  }
+}
+
 /** A data flow sink for request forgery vulnerabilities. */
 abstract class RequestForgerySink extends DataFlow::Node { }
 
-/**
- * An argument to an url `openConnection` or `openStream` call
- *  taken as a sink for request forgery vulnerabilities.
- */
-private class UrlOpen extends RequestForgerySink {
-  UrlOpen() {
-    exists(MethodAccess ma |
-      ma.getMethod() instanceof UrlOpenConnectionMethod or
-      ma.getMethod() instanceof UrlOpenStreamMethod
-    |
-      this.asExpr() = ma.getQualifier()
-    )
-  }
-}
-
-/**
- * An argument to an Apache `setURI` call taken as a
- *   sink for request forgery vulnerabilities.
- */
-private class ApacheSetUri extends RequestForgerySink {
-  ApacheSetUri() {
-    exists(MethodAccess ma |
-      ma.getReceiverType() instanceof ApacheHttpRequest and
-      ma.getMethod().hasName("setURI")
-    |
-      this.asExpr() = ma.getArgument(0)
-    )
-  }
-}
-
-/**
- * An argument to any Apache Request Instantiation call taken as a
- *   sink for request forgery vulnerabilities.
- */
-private class ApacheHttpRequestInstantiation extends RequestForgerySink {
-  ApacheHttpRequestInstantiation() {
-    exists(ClassInstanceExpr c | c.getConstructedType() instanceof ApacheHttpRequest |
-      this.asExpr() = c.getArgument(0)
-    )
-  }
-}
-
-/**
- * An argument to a Apache RequestBuilder method call taken as a
- *   sink for request forgery vulnerabilities.
- */
-private class ApacheHttpRequestBuilderArgument extends RequestForgerySink {
-  ApacheHttpRequestBuilderArgument() {
-    exists(MethodAccess ma |
-      ma.getReceiverType() instanceof TypeApacheHttpRequestBuilder and
-      ma.getMethod().hasName(["setURI", "get", "post", "put", "optons", "head", "delete"])
-    |
-      this.asExpr() = ma.getArgument(0)
-    )
-  }
-}
-
-/**
- * An argument to any Java.net.http.request Instantiation call taken as a
- *   sink for request forgery vulnerabilities.
- */
-private class HttpRequestNewBuilder extends RequestForgerySink {
-  HttpRequestNewBuilder() {
-    exists(MethodAccess call |
-      call.getCallee().hasName("newBuilder") and
-      call.getMethod().getDeclaringType().getName() = "HttpRequest"
-    |
-      this.asExpr() = call.getArgument(0)
-    )
-  }
-}
-
-/**
- * An argument to an Http Builder `uri` call taken as a
- *   sink for request forgery vulnerabilities.
- */
-private class HttpBuilderUriArgument extends RequestForgerySink {
-  HttpBuilderUriArgument() {
-    exists(MethodAccess ma | ma.getMethod() instanceof HttpBuilderUri |
-      this.asExpr() = ma.getArgument(0)
-    )
-  }
-}
-
-/**
- * An argument to a Spring Rest Template method call taken as a
- *   sink for request forgery vulnerabilities.
- */
-private class SpringRestTemplateArgument extends RequestForgerySink {
-  SpringRestTemplateArgument() {
-    exists(MethodAccess ma |
-      this.asExpr() = ma.getMethod().(SpringRestTemplateUrlMethods).getUrlArgument(ma)
-    )
-  }
-}
-
-/**
- * An argument to `javax.ws.rs.Client`s `target` method call taken as a
- *   sink for request forgery vulnerabilities.
- */
-private class JaxRsClientTarget extends RequestForgerySink {
-  JaxRsClientTarget() {
-    exists(MethodAccess ma |
-      ma.getMethod().getDeclaringType() instanceof JaxRsClient and
-      ma.getMethod().hasName("target")
-    |
-      this.asExpr() = ma.getArgument(0)
-    )
-  }
-}
-
 /**
  * An argument to `org.springframework.http.RequestEntity`s constructor call
  *   which is an URI taken as a sink for request forgery vulnerabilities.
@@ -166,27 +90,3 @@ private class RequestEntityUriArg extends RequestForgerySink {
     )
   }
 }
-
-/**
- * A class representing all Spring Rest Template methods
- * which take an URL as an argument.
- */
-private class SpringRestTemplateUrlMethods extends Method {
-  SpringRestTemplateUrlMethods() {
-    this.getDeclaringType() instanceof SpringRestTemplate and
-    this.hasName([
-        "doExecute", "postForEntity", "postForLocation", "postForObject", "put", "exchange",
-        "execute", "getForEntity", "getForObject", "patchForObject"
-      ])
-  }
-
-  /**
-   * Gets the argument which corresponds to a URL argument
-   * passed as a `java.net.URL` object or as a string or the like
-   */
-  Argument getUrlArgument(MethodAccess ma) {
-    // doExecute(URI url, HttpMethod method, RequestCallback requestCallback,
-    //  ResponseExtractor<T> responseExtractor)
-    result = ma.getArgument(0)
-  }
-}
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 154ec98f2ad..3cda09c1488 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -472,7 +472,7 @@ module CsvValidation {
       not type.regexpMatch("[a-zA-Z0-9_\\$]+") and
       msg = "Dubious type \"" + type + "\" in " + pred + " model."
       or
-      not name.regexpMatch("[a-zA-Z0-9_]*") and
+      not (name.regexpMatch("[a-zA-Z0-9_]*") or name = ".ctor") and
       msg = "Dubious name \"" + name + "\" in " + pred + " model."
       or
       not signature.regexpMatch("|\\([a-zA-Z0-9_\\.\\$<>,\\[\\]]*\\)") and
@@ -562,23 +562,34 @@ private string paramsString(Callable c) {
 }
 
 private Element interpretElement0(
-  string namespace, string type, boolean subtypes, string name, string signature
+  string namespace, string type, boolean subtypes, string name, string signature, string ext
 ) {
   elementSpec(namespace, type, subtypes, name, signature, _) and
   exists(RefType t | t = interpretType(namespace, type, subtypes) |
     exists(Member m |
       result = m and
       m.getDeclaringType() = t and
-      m.hasName(name)
+      (
+        m.hasName(name)
+        or
+        name = ".ctor" and m.hasName(t.getName())
+      )
     |
       signature = "" or
       m.(Callable).getSignature() = any(string nameprefix) + signature or
       paramsString(m) = signature
-    )
+    ) and
+    ext = ""
     or
     result = t and
     name = "" and
-    signature = ""
+    signature = "" and
+    ext = "Annotated"
+    or
+    result = t.getAMember() and
+    name = "" and
+    signature = "" and
+    ext = ""
   )
 }
 
@@ -586,7 +597,7 @@ private Element interpretElement(
   string namespace, string type, boolean subtypes, string name, string signature, string ext
 ) {
   elementSpec(namespace, type, subtypes, name, signature, ext) and
-  exists(Element e | e = interpretElement0(namespace, type, subtypes, name, signature) |
+  exists(Element e | e = interpretElement0(namespace, type, subtypes, name, signature, ext) |
     ext = "" and result = e
     or
     ext = "Annotated" and result.(Annotatable).getAnAnnotation().getType() = e
diff --git a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
index ab809f07d6d..d84ee67bca5 100644
--- a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
+++ b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
@@ -3,6 +3,7 @@ import semmle.code.java.frameworks.XStream
 import semmle.code.java.frameworks.SnakeYaml
 import semmle.code.java.frameworks.FastJson
 import semmle.code.java.frameworks.apache.Lang
+private import semmle.code.java.dataflow.ExternalFlow
 
 class ObjectInputStreamReadObjectMethod extends Method {
   ObjectInputStreamReadObjectMethod() {
@@ -26,11 +27,16 @@ class SafeXStream extends DataFlow2::Configuration {
       src.asExpr()
   }
 
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma |
-      sink.asExpr() = ma.getQualifier() and
-      ma.getMethod() instanceof XStreamReadObjectMethod
-    )
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "safe-xstream") }
+}
+
+private class SafeXStreamSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "com.thoughtworks.xstream;XStream;false;unmarshal;;;Argument[-1];safe-xstream",
+        "com.thoughtworks.xstream;XStream;false;fromXML;;;Argument[-1];safe-xstream"
+      ]
   }
 }
 
@@ -42,11 +48,17 @@ class SafeKryo extends DataFlow2::Configuration {
       src.asExpr()
   }
 
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma |
-      sink.asExpr() = ma.getQualifier() and
-      ma.getMethod() instanceof KryoReadObjectMethod
-    )
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "safe-kryo") }
+}
+
+private class SafeKryoSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "com.esotericsoftware.kryo;Kryo;false;readObjectOrNull;;;Argument[-1];safe-kryo",
+        "com.esotericsoftware.kryo;Kryo;false;readObject;;;Argument[-1];safe-kryo",
+        "com.esotericsoftware.kryo;Kryo;false;readClassAndObject;;;Argument[-1];safe-kryo"
+      ]
   }
 }
 

From 351f35d9bce68e79b921511ba91f9f17172de7c5 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 9 Apr 2021 13:13:49 +0200
Subject: [PATCH 0271/1429] Revert "Java: Convert other sinks"

This reverts commit 87d42b02c0c49ff717c941d6ea5290b6ca3c40df.
---
 .../CWE/CWE-209/StackTraceExposure.ql         |  11 +-
 .../Security/CWE/CWE-036/OpenStream.ql        |  15 +-
 .../Security/CWE/CWE-074/XsltInjectionLib.qll |  41 ++---
 .../Security/CWE/CWE-094/JexlInjectionLib.qll | 139 ++++++++-------
 .../Security/CWE/CWE-094/MvelInjectionLib.qll |  56 +++---
 .../CWE/CWE-326/InsufficientKeySize.ql        |  23 ++-
 .../Security/CWE/CWE-327/SslLib.qll           |  20 +--
 .../Security/CWE/CWE-346/UnvalidatedCors.ql   |  29 +--
 .../Security/CWE/CWE-522/InsecureLdapAuth.ql  |  26 ++-
 .../Security/CWE/CWE-643/XPathInjection.ql    |  23 ++-
 .../Security/CWE/CWE-652/XQueryInjection.ql   |   7 +-
 .../CWE/CWE-652/XQueryInjectionLib.qll        |  12 --
 .../Security/CWE/CWE-917/OgnlInjectionLib.qll |  26 +--
 .../Security/CWE/CWE-918/RequestForgery.ql    |   5 +-
 .../Security/CWE/CWE-918/RequestForgery.qll   | 168 ++++++++++++++----
 .../code/java/dataflow/ExternalFlow.qll       |  23 +--
 .../java/security/UnsafeDeserialization.qll   |  32 ++--
 17 files changed, 354 insertions(+), 302 deletions(-)

diff --git a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
index 1f49d5cb06a..c9c1e2917c0 100644
--- a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+++ b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
@@ -16,7 +16,6 @@ import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.XSS
-private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * One of the `printStackTrace()` overloads on `Throwable`.
@@ -38,12 +37,10 @@ class ServletWriterSourceToPrintStackTraceMethodFlowConfig extends TaintTracking
 
   override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ServletWriterSource }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "print-stack-trace") }
-}
-
-private class PrintStackTraceSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row = ["java.lang;Throwable;true;printStackTrace;;;Argument;print-stack-trace"]
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma |
+      sink.asExpr() = ma.getAnArgument() and ma.getMethod() instanceof PrintStackTraceMethod
+    )
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql b/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql
index 6f75b3fc8ae..871d6bb4737 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql
@@ -15,7 +15,6 @@ import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.ExternalFlow
 import DataFlow::PathGraph
-private import semmle.code.java.dataflow.ExternalFlow
 
 class URLConstructor extends ClassInstanceExpr {
   URLConstructor() { this.getConstructor().getDeclaringType() instanceof TypeUrl }
@@ -40,7 +39,13 @@ class RemoteURLToOpenStreamFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "url-open-stream") }
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess m |
+      sink.asExpr() = m.getQualifier() and m.getMethod() instanceof URLOpenStreamMethod
+    )
+    or
+    sinkNode(sink, "url-open-stream")
+  }
 
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(URLConstructor u |
@@ -50,12 +55,6 @@ class RemoteURLToOpenStreamFlowConfig extends TaintTracking::Configuration {
   }
 }
 
-private class URLOpenStreamSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row = ["java.net;URL;false;openStream;;;Argument[-1];url-open-stream"]
-  }
-}
-
 from DataFlow::PathNode source, DataFlow::PathNode sink, MethodAccess call
 where
   sink.getNode().asExpr() = call.getQualifier() and
diff --git a/java/ql/src/experimental/Security/CWE/CWE-074/XsltInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-074/XsltInjectionLib.qll
index bc0c8352a20..4ba0eb6d0b1 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-074/XsltInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-074/XsltInjectionLib.qll
@@ -2,7 +2,6 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.XmlParsers
 import DataFlow
-private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for unvalidated user input that is used in XSLT transformation.
@@ -104,20 +103,15 @@ class TypeXsltPackage extends Class {
 
 /** A data flow sink for unvalidated user input that is used in XSLT transformation. */
 class XsltInjectionSink extends DataFlow::ExprNode {
-  XsltInjectionSink() { sinkNode(this, "xslt") }
-}
-
-private class XsltInjectionSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "net.sf.saxon.s9api;XsltTransformer;false;transform;;;Argument[-1];xslt",
-        "net.sf.saxon.s9api;Xslt30Transformer;false;transform;;;Argument[-1];xslt",
-        "net.sf.saxon.s9api;Xslt30Transformer;false;applyTemplates;;;Argument[-1];xslt",
-        "net.sf.saxon.s9api;Xslt30Transformer;false;callFunction;;;Argument[-1];xslt",
-        "net.sf.saxon.s9api;Xslt30Transformer;false;callTemplate;;;Argument[-1];xslt",
-        "javax.xml.transform;Transformer;false;transform;;;Argument[-1];xslt"
-      ]
+  XsltInjectionSink() {
+    exists(MethodAccess ma, Method m | m = ma.getMethod() and ma.getQualifier() = this.getExpr() |
+      ma instanceof TransformerTransform or
+      m instanceof XsltTransformerTransformMethod or
+      m instanceof Xslt30TransformerTransformMethod or
+      m instanceof Xslt30TransformerApplyTemplatesMethod or
+      m instanceof Xslt30TransformerCallFunctionMethod or
+      m instanceof Xslt30TransformerCallTemplateMethod
+    )
   }
 }
 
@@ -192,21 +186,16 @@ private class TransformerFactoryWithSecureProcessingFeatureFlowConfig extends Da
     )
   }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "xslt-transformer") }
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma |
+      sink.asExpr() = ma.getQualifier() and
+      ma.getMethod().getDeclaringType() instanceof TransformerFactory
+    )
+  }
 
   override int fieldFlowBranchLimit() { result = 0 }
 }
 
-private class TransformerFactorySinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "javax.xml.transform;TransformerFactory;false;;;;Argument[-1];xslt-transformer",
-        "javax.xml.transform.sax;SAXTransformerFactory;false;;;;Argument[-1];xslt-transformer"
-      ]
-  }
-}
-
 /** A `ParserConfig` specific to `TransformerFactory`. */
 private class TransformerFactoryFeatureConfig extends ParserConfig {
   TransformerFactoryFeatureConfig() {
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
index 8fcde750e54..561d7e46ae9 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
@@ -1,7 +1,6 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
-private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for unsafe user input
@@ -22,7 +21,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {
 }
 
 /**
- * A sink for Expression Language injection vulnerabilities via Jexl,
+ * A sink for Expresssion Language injection vulnerabilities via Jexl,
  * i.e. method calls that run evaluation of a JEXL expression.
  *
  * Creating a `Callable` from a tainted JEXL expression or script is considered as a sink
@@ -31,41 +30,18 @@ class JexlInjectionConfig extends TaintTracking::Configuration {
  * maybe stored in an object field and then reached by a different flow.
  */
 private class JexlEvaluationSink extends DataFlow::ExprNode {
-  JexlEvaluationSink() { sinkNode(this, "jexl") }
-}
-
-private class JexlEvaluationSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        // Direct JEXL evaluation
-        "org.apache.commons.jexl2;Expression;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;JexlExpression;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl2;Script;false;execute;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;JexlScript;false;execute;;;Argument[-1];jexl",
-        "org.apache.commons.jexl2;JxltEngine$Expression;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;JxltEngine$Expression;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl2;JxltEngine$Expression;false;prepare;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;JxltEngine$Expression;false;prepare;;;Argument[-1];jexl",
-        "org.apache.commons.jexl2;JxltEngine$Template;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;JxltEngine$Template;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl2;UnifiedJEXL$Expression;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;UnifiedJEXL$Expression;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl2;UnifiedJEXL$Expression;false;prepare;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;UnifiedJEXL$Expression;false;prepare;;;Argument[-1];jexl",
-        "org.apache.commons.jexl2;UnifiedJEXL$Template;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;UnifiedJEXL$Template;false;evaluate;;;Argument[-1];jexl",
-        // JEXL callable
-        "org.apache.commons.jexl2;Expression;false;callable;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;JexlExpression;false;callable;;;Argument[-1];jexl",
-        "org.apache.commons.jexl2;Script;false;callable;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;JexlScript;false;callable;;;Argument[-1];jexl",
-        // Methods in the `JexlEngine` class that gets or sets a property with a JEXL expression.
-        "org.apache.commons.jexl2;JexlEngine;false;getProperty;;;Argument[1..2];jexl",
-        "org.apache.commons.jexl3;JexlEngine;false;getProperty;;;Argument[1..2];jexl",
-        "org.apache.commons.jexl2;JexlEngine;false;setProperty;;;Argument[1];jexl",
-        "org.apache.commons.jexl3;JexlEngine;false;setProperty;;;Argument[1];jexl"
-      ]
+  JexlEvaluationSink() {
+    exists(MethodAccess ma, Method m, Expr taintFrom |
+      ma.getMethod() = m and taintFrom = this.asExpr()
+    |
+      m instanceof DirectJexlEvaluationMethod and ma.getQualifier() = taintFrom
+      or
+      m instanceof CreateJexlCallableMethod and ma.getQualifier() = taintFrom
+      or
+      m instanceof JexlEngineGetSetPropertyMethod and
+      taintFrom.getType() instanceof TypeString and
+      ma.getAnArgument() = taintFrom
+    )
   }
 }
 
@@ -122,36 +98,22 @@ private class SandboxedJexlFlowConfig extends DataFlow2::Configuration {
 
   override predicate isSource(DataFlow::Node node) { node instanceof SandboxedJexlSource }
 
-  override predicate isSink(DataFlow::Node node) { sinkNode(node, "sandboxed-jexl") }
+  override predicate isSink(DataFlow::Node node) {
+    exists(MethodAccess ma, Method m | ma.getMethod() = m |
+      (
+        m instanceof CreateJexlScriptMethod or
+        m instanceof CreateJexlExpressionMethod or
+        m instanceof CreateJexlTemplateMethod
+      ) and
+      ma.getQualifier() = node.asExpr()
+    )
+  }
 
   override predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
     createsJexlEngine(fromNode, toNode)
   }
 }
 
-private class SandboxedJexlEvaluationSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        // CreateJexlScriptMethod
-        "org.apache.commons.jexl2;JexlEngine;false;createScript;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl3;JexlEngine;false;createScript;;;Argument[-1];sandboxed-jexl",
-        // CreateJexlExpressionMethod
-        "org.apache.commons.jexl2;UnifiedJEXL;false;parse;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl3;UnifiedJEXL;false;parse;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl2;JxltEngine;false;createExpression;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl3;JxltEngine;false;createExpression;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl2;JexlEngine;false;createExpression;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl3;JexlEngine;false;createExpression;;;Argument[-1];sandboxed-jexl",
-        // CreateJexlTemplateMethod
-        "org.apache.commons.jexl2;JxltEngine;false;createTemplate;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl3;JxltEngine;false;createTemplate;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl2;UnifiedJEXL;false;createTemplate;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl3;UnifiedJEXL;false;createTemplate;;;Argument[-1];sandboxed-jexl"
-      ]
-  }
-}
-
 /**
  * Defines a data flow source for JEXL engines configured with a sandbox.
  */
@@ -202,6 +164,35 @@ private predicate returnsDataFromBean(DataFlow::Node fromNode, DataFlow::Node to
   )
 }
 
+/**
+ * A methods in the `JexlEngine` class that gets or sets a property with a JEXL expression.
+ */
+private class JexlEngineGetSetPropertyMethod extends Method {
+  JexlEngineGetSetPropertyMethod() {
+    getDeclaringType() instanceof JexlEngine and
+    hasName(["getProperty", "setProperty"])
+  }
+}
+
+/**
+ * A method that triggers direct evaluation of JEXL expressions.
+ */
+private class DirectJexlEvaluationMethod extends Method {
+  DirectJexlEvaluationMethod() {
+    getDeclaringType() instanceof JexlExpression and hasName("evaluate")
+    or
+    getDeclaringType() instanceof JexlScript and hasName("execute")
+    or
+    getDeclaringType() instanceof JxltEngineExpression and hasName(["evaluate", "prepare"])
+    or
+    getDeclaringType() instanceof JxltEngineTemplate and hasName("evaluate")
+    or
+    getDeclaringType() instanceof UnifiedJexlExpression and hasName(["evaluate", "prepare"])
+    or
+    getDeclaringType() instanceof UnifiedJexlTemplate and hasName("evaluate")
+  }
+}
+
 /**
  * A method that creates a JEXL script.
  */
@@ -209,6 +200,16 @@ private class CreateJexlScriptMethod extends Method {
   CreateJexlScriptMethod() { getDeclaringType() instanceof JexlEngine and hasName("createScript") }
 }
 
+/**
+ * A method that creates a `Callable` for a JEXL expression or script.
+ */
+private class CreateJexlCallableMethod extends Method {
+  CreateJexlCallableMethod() {
+    (getDeclaringType() instanceof JexlExpression or getDeclaringType() instanceof JexlScript) and
+    hasName("callable")
+  }
+}
+
 /**
  * A method that creates a JEXL template.
  */
@@ -266,6 +267,22 @@ private class JexlUberspect extends Interface {
   }
 }
 
+private class JxltEngineExpression extends NestedType {
+  JxltEngineExpression() { getEnclosingType() instanceof JxltEngine and hasName("Expression") }
+}
+
+private class JxltEngineTemplate extends NestedType {
+  JxltEngineTemplate() { getEnclosingType() instanceof JxltEngine and hasName("Template") }
+}
+
+private class UnifiedJexlExpression extends NestedType {
+  UnifiedJexlExpression() { getEnclosingType() instanceof UnifiedJexl and hasName("Expression") }
+}
+
+private class UnifiedJexlTemplate extends NestedType {
+  UnifiedJexlTemplate() { getEnclosingType() instanceof UnifiedJexl and hasName("Template") }
+}
+
 private class Reader extends RefType {
   Reader() { hasQualifiedName("java.io", "Reader") }
 }
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/MvelInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/MvelInjectionLib.qll
index dec268a2a4b..a6cf891330f 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/MvelInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/MvelInjectionLib.qll
@@ -1,7 +1,6 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
-private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for unsafe user input
@@ -31,31 +30,36 @@ class MvelInjectionConfig extends TaintTracking::Configuration {
  * i.e. methods that run evaluation of a MVEL expression.
  */
 class MvelEvaluationSink extends DataFlow::ExprNode {
-  MvelEvaluationSink() { sinkNode(this, "mvel") }
-}
-
-private class MvelEvaluationSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "org.mvel2.jsr223;MvelScriptEngine;false;evaluate;;;Argument[0];mvel",
-        "org.mvel2.jsr223;MvelScriptEngine;false;eval;;;Argument[0];mvel",
-        "org.mvel2.compiler;ExecutableStatement;false;getValue;;;Argument[-1];mvel",
-        "org.mvel2.compiler;CompiledExpression;false;getDirectValue;;;Argument[-1];mvel",
-        "org.mvel2.compiler;CompiledAccExpression;false;getValue;;;Argument[-1];mvel",
-        "org.mvel2.compiler;Accessor;false;getValue;;;Argument[-1];mvel",
-        "javax.script;CompiledScript;false;eval;;;Argument[-1];mvel",
-        "org.mvel2.jsr223;MvelCompiledScript;false;eval;;;Argument[-1];mvel",
-        "org.mvel2;MVEL;false;eval;;;Argument[0];mvel",
-        "org.mvel2;MVEL;false;executeExpression;;;Argument[0];mvel",
-        "org.mvel2;MVEL;false;evalToBoolean;;;Argument[0];mvel",
-        "org.mvel2;MVEL;false;evalToString;;;Argument[0];mvel",
-        "org.mvel2;MVEL;false;executeAllExpression;;;Argument[0];mvel",
-        "org.mvel2;MVEL;false;executeSetExpression;;;Argument[0];mvel",
-        "org.mvel2.templates;TemplateRuntime;false;eval;;;Argument[0];mvel",
-        "org.mvel2.templates;TemplateRuntime;false;execute;;;Argument[0];mvel",
-        "org.mvel2;MVELRuntime;false;execute;;;Argument[1];mvel"
-      ]
+  MvelEvaluationSink() {
+    exists(StaticMethodAccess ma, Method m | m = ma.getMethod() |
+      (
+        m instanceof MvelEvalMethod or
+        m instanceof TemplateRuntimeEvaluationMethod
+      ) and
+      ma.getArgument(0) = asExpr()
+    )
+    or
+    exists(MethodAccess ma, Method m | m = ma.getMethod() |
+      m instanceof MvelScriptEngineEvaluationMethod and
+      ma.getArgument(0) = asExpr()
+    )
+    or
+    exists(MethodAccess ma, Method m | m = ma.getMethod() |
+      (
+        m instanceof ExecutableStatementEvaluationMethod or
+        m instanceof CompiledExpressionEvaluationMethod or
+        m instanceof CompiledAccExpressionEvaluationMethod or
+        m instanceof AccessorEvaluationMethod or
+        m instanceof CompiledScriptEvaluationMethod or
+        m instanceof MvelCompiledScriptEvaluationMethod
+      ) and
+      ma.getQualifier() = asExpr()
+    )
+    or
+    exists(StaticMethodAccess ma, Method m | m = ma.getMethod() |
+      m instanceof MvelRuntimeEvaluationMethod and
+      ma.getArgument(1) = asExpr()
+    )
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
index ca86f42c561..155d05abfae 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -12,7 +12,6 @@
 import java
 import semmle.code.java.security.Encryption
 import semmle.code.java.dataflow.TaintTracking
-private import semmle.code.java.dataflow.ExternalFlow
 
 /** The Java class `java.security.spec.ECGenParameterSpec`. */
 class ECGenParameterSpec extends RefType {
@@ -56,12 +55,11 @@ class KeyGeneratorInitConfiguration extends TaintTracking::Configuration {
     exists(JavaxCryptoKeyGenerator jcg | jcg = source.asExpr())
   }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "keygen") }
-}
-
-private class KeyGeneratorInitSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row = ["javax.crypto;KeyGenerator;false;init;;;Argument[-1];keygen"]
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof KeyGeneratorInitMethod and
+      sink.asExpr() = ma.getQualifier()
+    )
   }
 }
 
@@ -73,12 +71,11 @@ class KeyPairGeneratorInitConfiguration extends TaintTracking::Configuration {
     exists(JavaSecurityKeyPairGenerator jkg | jkg = source.asExpr())
   }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "keypairgen") }
-}
-
-private class KeyPairGeneratorInitSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row = ["java.security;KeyPairGenerator;false;initialize;;;Argument[-1];keypairgen"]
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof KeyPairGeneratorInitMethod and
+      sink.asExpr() = ma.getQualifier()
+    )
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-327/SslLib.qll b/java/ql/src/experimental/Security/CWE/CWE-327/SslLib.qll
index 3845953f0aa..bfa2530b07e 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-327/SslLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-327/SslLib.qll
@@ -3,7 +3,6 @@ import semmle.code.java.security.Encryption
 import semmle.code.java.dataflow.TaintTracking
 import DataFlow
 import PathGraph
-private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for unsafe SSL and TLS versions.
@@ -13,20 +12,11 @@ class UnsafeTlsVersionConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof UnsafeTlsVersion }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "ssl") }
-}
-
-private class UnsafeTlsVersionSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "javax.net.ssl;SSLContext;false;getInstance;;;Argument[0];ssl",
-        "javax.net.ssl;SSLParameters;false;SSLParameters;;;Argument[1];ssl",
-        "javax.net.ssl;SSLParameters;false;setProtocols;;;Argument[0];ssl",
-        "javax.net.ssl;SSLSocket;false;setEnabledProtocols;;;Argument[0];ssl",
-        "javax.net.ssl;SSLServerSocket;false;setEnabledProtocols;;;Argument[0];ssl",
-        "javax.net.ssl;SSLEngine;false;setEnabledProtocols;;;Argument[0];ssl"
-      ]
+  override predicate isSink(DataFlow::Node sink) {
+    sink instanceof SslContextGetInstanceSink or
+    sink instanceof CreateSslParametersSink or
+    sink instanceof SslParametersSetProtocolsSink or
+    sink instanceof SetEnabledProtocolsSink
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql b/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
index 2fe6569318f..c5a6c36d6a6 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
@@ -15,7 +15,6 @@ import semmle.code.java.frameworks.Servlets
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.TaintTracking2
 import DataFlow::PathGraph
-private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  *  Holds if `header` sets `Access-Control-Allow-Credentials` to `true`. This ensures fair chances of exploitability.
@@ -30,29 +29,33 @@ private predicate setsAllowCredentials(MethodAccess header) {
   header.getArgument(1).(CompileTimeConstantExpr).getStringValue().toLowerCase() = "true"
 }
 
+private class CorsProbableCheckAccess extends MethodAccess {
+  CorsProbableCheckAccess() {
+    getMethod().hasName("contains") and
+    getMethod().getDeclaringType().getASourceSupertype*() instanceof CollectionType
+    or
+    getMethod().hasName("containsKey") and
+    getMethod().getDeclaringType().getASourceSupertype*() instanceof MapType
+    or
+    getMethod().hasName("equals") and
+    getQualifier().getType() instanceof TypeString
+  }
+}
+
 private Expr getAccessControlAllowOriginHeaderName() {
   result.(CompileTimeConstantExpr).getStringValue().toLowerCase() = "access-control-allow-origin"
 }
 
 /**
- * This taintflow2 configuration checks if there is a flow from source node towards probably CORS checking methods.
+ * This taintflow2 configuration checks if there is a flow from source node towards CorsProbableCheckAccess methods.
  */
 class CorsSourceReachesCheckConfig extends TaintTracking2::Configuration {
   CorsSourceReachesCheckConfig() { this = "CorsOriginConfig" }
 
   override predicate isSource(DataFlow::Node source) { any(CorsOriginConfig c).hasFlow(source, _) }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "cors") }
-}
-
-private class CorsProbableCheckAccessSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "java.util;Collection;true;contains;;;Argument;cors",
-        "java.util;Map;true;containsKey;;;Argument;cors",
-        "java.lang;String;true;equals;;;Argument;cors"
-      ]
+  override predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() = any(CorsProbableCheckAccess check).getAnArgument()
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
index 3c445934ad3..4ce2b8b7134 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
@@ -16,7 +16,6 @@ import semmle.code.java.frameworks.Jndi
 import semmle.code.java.frameworks.Networking
 import semmle.code.java.dataflow.TaintTracking
 import DataFlow::PathGraph
-private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * Insecure (non-SSL, non-private) LDAP URL string literal.
@@ -146,7 +145,12 @@ class InsecureUrlFlowConfig extends TaintTracking::Configuration {
   override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof InsecureLdapUrl }
 
   /** Sink of directory context creation. */
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "ldap") }
+  override predicate isSink(DataFlow::Node sink) {
+    exists(ConstructorCall cc |
+      cc.getConstructedType().getASupertype*() instanceof TypeDirContext and
+      sink.asExpr() = cc.getArgument(0)
+    )
+  }
 
   /** Method call of `env.put()`. */
   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
@@ -172,12 +176,11 @@ class BasicAuthFlowConfig extends DataFlow::Configuration {
   }
 
   /** Sink of directory context creation. */
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "ldap") }
-}
-
-private class LdapSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row = ["javax.naming.directory;DirContext;true;.ctor;;;Argument[0];ldap"]
+  override predicate isSink(DataFlow::Node sink) {
+    exists(ConstructorCall cc |
+      cc.getConstructedType().getASupertype*() instanceof TypeDirContext and
+      sink.asExpr() = cc.getArgument(0)
+    )
   }
 }
 
@@ -195,7 +198,12 @@ class SSLFlowConfig extends DataFlow::Configuration {
   }
 
   /** Sink of directory context creation. */
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "ldap") }
+  override predicate isSink(DataFlow::Node sink) {
+    exists(ConstructorCall cc |
+      cc.getConstructedType().getASupertype*() instanceof TypeDirContext and
+      sink.asExpr() = cc.getArgument(0)
+    )
+  }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, InsecureUrlFlowConfig config
diff --git a/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql
index 598f42b0c70..e5a29df46d5 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql
@@ -15,7 +15,6 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.XmlParsers
 import DataFlow::PathGraph
-private import semmle.code.java.dataflow.ExternalFlow
 
 class XPathInjectionConfiguration extends TaintTracking::Configuration {
   XPathInjectionConfiguration() { this = "XPathInjection" }
@@ -26,18 +25,16 @@ class XPathInjectionConfiguration extends TaintTracking::Configuration {
 }
 
 class XPathInjectionSink extends DataFlow::ExprNode {
-  XPathInjectionSink() { sinkNode(this, "xpath") }
-}
-
-private class XPathInjectionSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "javax.xml.xpath;XPath;false;compile;;;Argument[0];xpath",
-        "javax.xml.xpath;XPath;false;evaluate;;;Argument[0];xpath",
-        "org.dom4j;Node;false;selectNodes;;;Argument[0];xpath",
-        "org.dom4j;Node;false;selectSingleNode;;;Argument[0];xpath"
-      ]
+  XPathInjectionSink() {
+    exists(Method m, MethodAccess ma | ma.getMethod() = m |
+      m.getDeclaringType().hasQualifiedName("javax.xml.xpath", "XPath") and
+      (m.hasName("evaluate") or m.hasName("compile")) and
+      ma.getArgument(0) = this.getExpr()
+      or
+      m.getDeclaringType().hasQualifiedName("org.dom4j", "Node") and
+      (m.hasName("selectNodes") or m.hasName("selectSingleNode")) and
+      ma.getArgument(0) = this.getExpr()
+    )
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql
index 3b8e43c5d7d..0bb85272f08 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql
@@ -14,7 +14,6 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import XQueryInjectionLib
 import DataFlow::PathGraph
-private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration tracing flow from remote sources, through an XQuery parser, to its eventual execution.
@@ -24,7 +23,11 @@ class XQueryInjectionConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "xquery") }
+  override predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() = any(XQueryPreparedExecuteCall xpec).getPreparedExpression() or
+    sink.asExpr() = any(XQueryExecuteCall xec).getExecuteQueryArgument() or
+    sink.asExpr() = any(XQueryExecuteCommandCall xecc).getExecuteCommandArgument()
+  }
 
   /**
    * Holds if taint from the input `pred` to a `prepareExpression` call flows to the returned prepared expression `succ`.
diff --git a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjectionLib.qll
index 13452e4e55d..2a4019f2c9a 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjectionLib.qll
@@ -1,5 +1,4 @@
 import java
-private import semmle.code.java.dataflow.ExternalFlow
 
 /** A call to `XQConnection.prepareExpression`. */
 class XQueryParserCall extends MethodAccess {
@@ -67,14 +66,3 @@ class XQueryExecuteCommandCall extends MethodAccess {
   /** Return this execute command argument. */
   Expr getExecuteCommandArgument() { result = this.getArgument(0) }
 }
-
-private class XQuerySinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "javax.xml.xquery;XQPreparedExpression;true;executeQuery;;;Argument[-1];xquery",
-        "javax.xml.xquery;XQExpression;true;executeQuery;;;Argument[0];xquery",
-        "javax.xml.xquery;XQExpression;true;executeCommand;;;Argument[0];xquery"
-      ]
-  }
-}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-917/OgnlInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-917/OgnlInjectionLib.qll
index 002e06aaafd..569e18a29c3 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-917/OgnlInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-917/OgnlInjectionLib.qll
@@ -2,7 +2,6 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import DataFlow
 import DataFlow::PathGraph
-private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A taint-tracking configuration for unvalidated user input that is used in OGNL EL evaluation.
@@ -83,25 +82,12 @@ predicate ognlInjectionSinkMethod(Method m, int index) {
 
 /** A data flow sink for unvalidated user input that is used in OGNL EL evaluation. */
 class OgnlInjectionSink extends DataFlow::ExprNode {
-  OgnlInjectionSink() { sinkNode(this, "ognl") }
-}
-
-private class OgnlInjectionSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "org.apache.commons.ognl;Ognl;false;setValue;;;Argument[-1..0];ognl",
-        "org.apache.commons.ognl;Ognl;false;getValue;;;Argument[-1..0];ognl",
-        "ognl;Ognl;false;setValue;;;Argument[-1..0];ognl",
-        "ognl;Ognl;false;getValue;;;Argument[-1..0];ognl",
-        "org.apache.commons.ognl;Node;true;setValue;;;Argument[-1..0];ognl",
-        "org.apache.commons.ognl;Node;true;getValue;;;Argument[-1..0];ognl",
-        "ognl;Node;true;setValue;;;Argument[-1..0];ognl",
-        "ognl;Node;true;getValue;;;Argument[-1..0];ognl",
-        "com.opensymphony.xwork2.ognl;OgnlUtil;false;setValue;;;Argument[-1..0];ognl",
-        "com.opensymphony.xwork2.ognl;OgnlUtil;false;getValue;;;Argument[-1..0];ognl",
-        "com.opensymphony.xwork2.ognl;OgnlUtil;false;callMethod;;;Argument[-1..0];ognl"
-      ]
+  OgnlInjectionSink() {
+    exists(MethodAccess ma, Method m, int index |
+      ma.getMethod() = m and
+      (ma.getArgument(index) = this.getExpr() or ma.getQualifier() = this.getExpr()) and
+      ognlInjectionSinkMethod(m, index)
+    )
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.ql b/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.ql
index 6b0333da470..c3bf787881f 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.ql
@@ -14,16 +14,13 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import RequestForgery
 import DataFlow::PathGraph
-private import semmle.code.java.dataflow.ExternalFlow
 
 class RequestForgeryConfiguration extends TaintTracking::Configuration {
   RequestForgeryConfiguration() { this = "Server Side Request Forgery" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink instanceof RequestForgerySink or sinkNode(sink, "request-forgery-sink")
-  }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
 
   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
     requestForgeryStep(pred, succ)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.qll b/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.qll
index fa784baa7f2..3fc52ddca76 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.qll
@@ -5,7 +5,6 @@ import semmle.code.java.frameworks.spring.Spring
 import semmle.code.java.frameworks.JaxWS
 import semmle.code.java.frameworks.javase.Http
 import semmle.code.java.dataflow.DataFlow
-private import semmle.code.java.dataflow.ExternalFlow
 
 predicate requestForgeryStep(DataFlow::Node pred, DataFlow::Node succ) {
   // propagate to a URI when its host is assigned to
@@ -39,42 +38,119 @@ predicate requestForgeryStep(DataFlow::Node pred, DataFlow::Node succ) {
   )
 }
 
-private class RequestForgerySinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "java.net;URL;false;openConnection;;;Argument[-1];request-forgery-sink",
-        "java.net;URL;false;openStream;;;Argument[-1];request-forgery-sink",
-        "org.apache.http.client.methods;HttpRequestBase;true;setURI;;;Argument[0];request-forgery-sink",
-        "org.apache.http.message;BasicHttpRequest;true;setURI;;;Argument[0];request-forgery-sink",
-        "org.apache.http.client.methods;HttpRequestBase;true;.ctor;;;Argument[0];request-forgery-sink",
-        "org.apache.http.message;BasicHttpRequest;true;.ctor;;;Argument[0];request-forgery-sink",
-        "org.apache.http.client.methods;RequestBuilder;false;setURI;;;Argument[0];request-forgery-sink",
-        "org.apache.http.client.methods;RequestBuilder;false;get;;;Argument[0];request-forgery-sink",
-        "org.apache.http.client.methods;RequestBuilder;false;post;;;Argument[0];request-forgery-sink",
-        "org.apache.http.client.methods;RequestBuilder;false;put;;;Argument[0];request-forgery-sink",
-        "org.apache.http.client.methods;RequestBuilder;false;options;;;Argument[0];request-forgery-sink",
-        "org.apache.http.client.methods;RequestBuilder;false;head;;;Argument[0];request-forgery-sink",
-        "org.apache.http.client.methods;RequestBuilder;false;delete;;;Argument[0];request-forgery-sink",
-        "java.net.http;HttpRequest$Builder;false;uri;;;Argument[0];request-forgery-sink",
-        "org.springframework.web.client;RestTemplate;false;patchForObject;;;Argument[0];request-forgery-sink",
-        "org.springframework.web.client;RestTemplate;false;getForObject;;;Argument[0];request-forgery-sink",
-        "org.springframework.web.client;RestTemplate;false;getForEntity;;;Argument[0];request-forgery-sink",
-        "org.springframework.web.client;RestTemplate;false;execute;;;Argument[0];request-forgery-sink",
-        "org.springframework.web.client;RestTemplate;false;exchange;;;Argument[0];request-forgery-sink",
-        "org.springframework.web.client;RestTemplate;false;put;;;Argument[0];request-forgery-sink",
-        "org.springframework.web.client;RestTemplate;false;postForObject;;;Argument[0];request-forgery-sink",
-        "org.springframework.web.client;RestTemplate;false;postForLocation;;;Argument[0];request-forgery-sink",
-        "org.springframework.web.client;RestTemplate;false;postForEntity;;;Argument[0];request-forgery-sink",
-        "org.springframework.web.client;RestTemplate;false;doExecute;;;Argument[0];request-forgery-sink",
-        "javax.ws.rs.client;Client;false;target;;;Argument[0];request-forgery-sink",
-        "java.net.http;HttpRequest;false;newBuilder;;;Argument[0];request-forgery-sink" // todo: this might be stricter than before. Previously the package name was not checked.
-      ]
+/** A data flow sink for request forgery vulnerabilities. */
+abstract class RequestForgerySink extends DataFlow::Node { }
+
+/**
+ * An argument to an url `openConnection` or `openStream` call
+ *  taken as a sink for request forgery vulnerabilities.
+ */
+private class UrlOpen extends RequestForgerySink {
+  UrlOpen() {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof UrlOpenConnectionMethod or
+      ma.getMethod() instanceof UrlOpenStreamMethod
+    |
+      this.asExpr() = ma.getQualifier()
+    )
   }
 }
 
-/** A data flow sink for request forgery vulnerabilities. */
-abstract class RequestForgerySink extends DataFlow::Node { }
+/**
+ * An argument to an Apache `setURI` call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class ApacheSetUri extends RequestForgerySink {
+  ApacheSetUri() {
+    exists(MethodAccess ma |
+      ma.getReceiverType() instanceof ApacheHttpRequest and
+      ma.getMethod().hasName("setURI")
+    |
+      this.asExpr() = ma.getArgument(0)
+    )
+  }
+}
+
+/**
+ * An argument to any Apache Request Instantiation call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class ApacheHttpRequestInstantiation extends RequestForgerySink {
+  ApacheHttpRequestInstantiation() {
+    exists(ClassInstanceExpr c | c.getConstructedType() instanceof ApacheHttpRequest |
+      this.asExpr() = c.getArgument(0)
+    )
+  }
+}
+
+/**
+ * An argument to a Apache RequestBuilder method call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class ApacheHttpRequestBuilderArgument extends RequestForgerySink {
+  ApacheHttpRequestBuilderArgument() {
+    exists(MethodAccess ma |
+      ma.getReceiverType() instanceof TypeApacheHttpRequestBuilder and
+      ma.getMethod().hasName(["setURI", "get", "post", "put", "optons", "head", "delete"])
+    |
+      this.asExpr() = ma.getArgument(0)
+    )
+  }
+}
+
+/**
+ * An argument to any Java.net.http.request Instantiation call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class HttpRequestNewBuilder extends RequestForgerySink {
+  HttpRequestNewBuilder() {
+    exists(MethodAccess call |
+      call.getCallee().hasName("newBuilder") and
+      call.getMethod().getDeclaringType().getName() = "HttpRequest"
+    |
+      this.asExpr() = call.getArgument(0)
+    )
+  }
+}
+
+/**
+ * An argument to an Http Builder `uri` call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class HttpBuilderUriArgument extends RequestForgerySink {
+  HttpBuilderUriArgument() {
+    exists(MethodAccess ma | ma.getMethod() instanceof HttpBuilderUri |
+      this.asExpr() = ma.getArgument(0)
+    )
+  }
+}
+
+/**
+ * An argument to a Spring Rest Template method call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class SpringRestTemplateArgument extends RequestForgerySink {
+  SpringRestTemplateArgument() {
+    exists(MethodAccess ma |
+      this.asExpr() = ma.getMethod().(SpringRestTemplateUrlMethods).getUrlArgument(ma)
+    )
+  }
+}
+
+/**
+ * An argument to `javax.ws.rs.Client`s `target` method call taken as a
+ *   sink for request forgery vulnerabilities.
+ */
+private class JaxRsClientTarget extends RequestForgerySink {
+  JaxRsClientTarget() {
+    exists(MethodAccess ma |
+      ma.getMethod().getDeclaringType() instanceof JaxRsClient and
+      ma.getMethod().hasName("target")
+    |
+      this.asExpr() = ma.getArgument(0)
+    )
+  }
+}
 
 /**
  * An argument to `org.springframework.http.RequestEntity`s constructor call
@@ -90,3 +166,27 @@ private class RequestEntityUriArg extends RequestForgerySink {
     )
   }
 }
+
+/**
+ * A class representing all Spring Rest Template methods
+ * which take an URL as an argument.
+ */
+private class SpringRestTemplateUrlMethods extends Method {
+  SpringRestTemplateUrlMethods() {
+    this.getDeclaringType() instanceof SpringRestTemplate and
+    this.hasName([
+        "doExecute", "postForEntity", "postForLocation", "postForObject", "put", "exchange",
+        "execute", "getForEntity", "getForObject", "patchForObject"
+      ])
+  }
+
+  /**
+   * Gets the argument which corresponds to a URL argument
+   * passed as a `java.net.URL` object or as a string or the like
+   */
+  Argument getUrlArgument(MethodAccess ma) {
+    // doExecute(URI url, HttpMethod method, RequestCallback requestCallback,
+    //  ResponseExtractor<T> responseExtractor)
+    result = ma.getArgument(0)
+  }
+}
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 3cda09c1488..154ec98f2ad 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -472,7 +472,7 @@ module CsvValidation {
       not type.regexpMatch("[a-zA-Z0-9_\\$]+") and
       msg = "Dubious type \"" + type + "\" in " + pred + " model."
       or
-      not (name.regexpMatch("[a-zA-Z0-9_]*") or name = ".ctor") and
+      not name.regexpMatch("[a-zA-Z0-9_]*") and
       msg = "Dubious name \"" + name + "\" in " + pred + " model."
       or
       not signature.regexpMatch("|\\([a-zA-Z0-9_\\.\\$<>,\\[\\]]*\\)") and
@@ -562,34 +562,23 @@ private string paramsString(Callable c) {
 }
 
 private Element interpretElement0(
-  string namespace, string type, boolean subtypes, string name, string signature, string ext
+  string namespace, string type, boolean subtypes, string name, string signature
 ) {
   elementSpec(namespace, type, subtypes, name, signature, _) and
   exists(RefType t | t = interpretType(namespace, type, subtypes) |
     exists(Member m |
       result = m and
       m.getDeclaringType() = t and
-      (
-        m.hasName(name)
-        or
-        name = ".ctor" and m.hasName(t.getName())
-      )
+      m.hasName(name)
     |
       signature = "" or
       m.(Callable).getSignature() = any(string nameprefix) + signature or
       paramsString(m) = signature
-    ) and
-    ext = ""
+    )
     or
     result = t and
     name = "" and
-    signature = "" and
-    ext = "Annotated"
-    or
-    result = t.getAMember() and
-    name = "" and
-    signature = "" and
-    ext = ""
+    signature = ""
   )
 }
 
@@ -597,7 +586,7 @@ private Element interpretElement(
   string namespace, string type, boolean subtypes, string name, string signature, string ext
 ) {
   elementSpec(namespace, type, subtypes, name, signature, ext) and
-  exists(Element e | e = interpretElement0(namespace, type, subtypes, name, signature, ext) |
+  exists(Element e | e = interpretElement0(namespace, type, subtypes, name, signature) |
     ext = "" and result = e
     or
     ext = "Annotated" and result.(Annotatable).getAnAnnotation().getType() = e
diff --git a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
index d84ee67bca5..ab809f07d6d 100644
--- a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
+++ b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
@@ -3,7 +3,6 @@ import semmle.code.java.frameworks.XStream
 import semmle.code.java.frameworks.SnakeYaml
 import semmle.code.java.frameworks.FastJson
 import semmle.code.java.frameworks.apache.Lang
-private import semmle.code.java.dataflow.ExternalFlow
 
 class ObjectInputStreamReadObjectMethod extends Method {
   ObjectInputStreamReadObjectMethod() {
@@ -27,16 +26,11 @@ class SafeXStream extends DataFlow2::Configuration {
       src.asExpr()
   }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "safe-xstream") }
-}
-
-private class SafeXStreamSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "com.thoughtworks.xstream;XStream;false;unmarshal;;;Argument[-1];safe-xstream",
-        "com.thoughtworks.xstream;XStream;false;fromXML;;;Argument[-1];safe-xstream"
-      ]
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma |
+      sink.asExpr() = ma.getQualifier() and
+      ma.getMethod() instanceof XStreamReadObjectMethod
+    )
   }
 }
 
@@ -48,17 +42,11 @@ class SafeKryo extends DataFlow2::Configuration {
       src.asExpr()
   }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "safe-kryo") }
-}
-
-private class SafeKryoSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "com.esotericsoftware.kryo;Kryo;false;readObjectOrNull;;;Argument[-1];safe-kryo",
-        "com.esotericsoftware.kryo;Kryo;false;readObject;;;Argument[-1];safe-kryo",
-        "com.esotericsoftware.kryo;Kryo;false;readClassAndObject;;;Argument[-1];safe-kryo"
-      ]
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma |
+      sink.asExpr() = ma.getQualifier() and
+      ma.getMethod() instanceof KryoReadObjectMethod
+    )
   }
 }
 

From 46197e6e6960ed82a6e1871e6226ee31652a0761 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 9 Apr 2021 13:39:37 +0200
Subject: [PATCH 0272/1429] Address review comments

---
 .../library-tests/controlflow/graph/BasicBlock.ql     |  1 -
 .../test/library-tests/controlflow/graph/Common.qll   | 10 ++++++++--
 .../test/library-tests/controlflow/graph/Dominance.ql | 11 ++---------
 .../test/library-tests/controlflow/graph/NodeGraph.ql |  1 -
 4 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/csharp/ql/test/library-tests/controlflow/graph/BasicBlock.ql b/csharp/ql/test/library-tests/controlflow/graph/BasicBlock.ql
index 8fe56d22ca7..b63f597f181 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/BasicBlock.ql
+++ b/csharp/ql/test/library-tests/controlflow/graph/BasicBlock.ql
@@ -2,5 +2,4 @@ import csharp
 import Common
 
 from SourceBasicBlock bb
-where not bb.getFirstNode().getElement().fromLibrary()
 select bb.getFirstNode(), bb.getLastNode(), bb.length()
diff --git a/csharp/ql/test/library-tests/controlflow/graph/Common.qll b/csharp/ql/test/library-tests/controlflow/graph/Common.qll
index 5945d2003b2..f6f9b26f1cd 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/Common.qll
+++ b/csharp/ql/test/library-tests/controlflow/graph/Common.qll
@@ -11,9 +11,15 @@ class SourceControlFlowElement extends ControlFlowElement {
 }
 
 class SourceControlFlowNode extends ControlFlow::Node {
-  SourceControlFlowNode() { not this.getLocation().getFile() instanceof StubFile }
+  SourceControlFlowNode() {
+    not this.getLocation().getFile() instanceof StubFile and
+    not this.getLocation().getFile().fromLibrary()
+  }
 }
 
 class SourceBasicBlock extends ControlFlow::BasicBlock {
-  SourceBasicBlock() { not this.getLocation().getFile() instanceof StubFile }
+  SourceBasicBlock() {
+    not this.getLocation().getFile() instanceof StubFile and
+    not this.getLocation().getFile().fromLibrary()
+  }
 }
diff --git a/csharp/ql/test/library-tests/controlflow/graph/Dominance.ql b/csharp/ql/test/library-tests/controlflow/graph/Dominance.ql
index fa76e629aeb..0fbf5f551c9 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/Dominance.ql
+++ b/csharp/ql/test/library-tests/controlflow/graph/Dominance.ql
@@ -1,25 +1,18 @@
 import csharp
 import Common
 
-/** Holds if `node` is not from a library. */
-private predicate isSourceBased(SourceControlFlowNode node) { not node.getElement().fromLibrary() }
-
 query predicate dominance(SourceControlFlowNode dom, SourceControlFlowNode node) {
-  isSourceBased(dom) and
   dom.strictlyDominates(node) and
   dom.getASuccessor() = node
 }
 
 query predicate postDominance(SourceControlFlowNode dom, SourceControlFlowNode node) {
-  isSourceBased(dom) and
   dom.strictlyPostDominates(node) and
   dom.getAPredecessor() = node
 }
 
-query predicate blockDominance(SourceBasicBlock dom, SourceBasicBlock bb) {
-  isSourceBased(dom.getFirstNode()) and dom.dominates(bb)
-}
+query predicate blockDominance(SourceBasicBlock dom, SourceBasicBlock bb) { dom.dominates(bb) }
 
 query predicate postBlockDominance(SourceBasicBlock dom, SourceBasicBlock bb) {
-  isSourceBased(dom.getFirstNode()) and dom.postDominates(bb)
+  dom.postDominates(bb)
 }
diff --git a/csharp/ql/test/library-tests/controlflow/graph/NodeGraph.ql b/csharp/ql/test/library-tests/controlflow/graph/NodeGraph.ql
index 51d15294516..4a1cf5b5880 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/NodeGraph.ql
+++ b/csharp/ql/test/library-tests/controlflow/graph/NodeGraph.ql
@@ -4,7 +4,6 @@ import Common
 query predicate edges(
   SourceControlFlowNode node, SourceControlFlowNode successor, string attr, string val
 ) {
-  not node.getElement().fromLibrary() and
   exists(ControlFlow::SuccessorType t | successor = node.getASuccessorByType(t) |
     attr = "semmle.label" and
     val = t.toString()

From affdedd840743f7ad814e08d0a9ccb5a4b659725 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@gmail.com>
Date: Fri, 9 Apr 2021 12:02:07 +0000
Subject: [PATCH 0273/1429] Python: Add missing builtins to `API::builtin`

We were missing out on `None`, `True`, and `False` as these do not
appear as actual attributes of the `builtins` module in Python 3
(because they are elevated to the status of keywords there)

The simple solution, then, is to just always include them directly.
---
 python/ql/src/semmle/python/ApiGraphs.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 5aab059d58e..5f1fbbb9626 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -363,7 +363,7 @@ module API {
           n.isGlobal() and
           n.isLoad() and
           name = n.getId() and
-          name = any(Builtins::Builtin b).getName()
+          name in [any(Builtins::Builtin b).getName(), "None", "True", "False"]
         )
     }
 

From cae0060a890f2d30ac2c3acfa577fc9aaa1b453f Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 9 Apr 2021 14:06:58 +0200
Subject: [PATCH 0274/1429] C++: Replace the new rules in DataFlowUtil with a
 dataflow model for pointer wrapper classes.

---
 .../cpp/dataflow/internal/DataFlowUtil.qll     | 18 ------------------
 .../models/implementations/SmartPointer.qll    | 15 +++++++++++++++
 .../dataflow/taint-tests/localTaint.expected   |  9 +++++++++
 .../dataflow/taint-tests/smart_pointer.cpp     | 14 ++++++++++++--
 4 files changed, 36 insertions(+), 20 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
index 923075cbe2e..5878d974b31 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -521,22 +521,6 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) {
   FieldFlow::fieldFlow(nodeFrom, nodeTo)
 }
 
-private predicate pointerWrapperFlow(Node nodeFrom, Node nodeTo) {
-  // post-update-smart-pointer-`operator->` -> `post-update`-qualifier
-  exists(PointerWrapper wrapper, Call call |
-    call = wrapper.getAnUnwrapperFunction().getACallToThisFunction() and
-    nodeFrom.(PostUpdateNode).getPreUpdateNode().asExpr() = call and
-    nodeTo.asDefiningArgument() = call.getQualifier()
-  )
-  or
-  // smart-pointer-qualifier -> smart-pointer-`operator->`
-  exists(PointerWrapper wrapper, Call call |
-    call = wrapper.getAnUnwrapperFunction().getACallToThisFunction() and
-    nodeFrom.asExpr() = call.getQualifier() and
-    nodeTo.asExpr() = call
-  )
-}
-
 /**
  * INTERNAL: do not use.
  *
@@ -602,8 +586,6 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
     nodeFrom.(PostUpdateNode).getPreUpdateNode().asExpr() = call and
     nodeTo.asDefiningArgument() = call.getQualifier()
   )
-  or
-  pointerWrapperFlow(nodeFrom, nodeTo)
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
index 7a1ad0403f7..525582fb74d 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
@@ -1,4 +1,5 @@
 import semmle.code.cpp.models.interfaces.Taint
+import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.PointerWrapper
 
 /**
@@ -14,6 +15,20 @@ private class UniqueOrSharedPtr extends Class, PointerWrapper {
   }
 }
 
+/** Any function that unwraps a pointer wrapper class to reveal the underlying pointer. */
+private class PointerWrapperDataFlow extends DataFlowFunction {
+  PointerWrapperDataFlow() { this = any(PointerWrapper wrapper).getAnUnwrapperFunction() }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierAddress() and output.isReturnValue()
+    or
+    input.isQualifierObject() and output.isReturnValueDeref()
+    or
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
+  }
+}
+
 /**
  * The `std::make_shared` and `std::make_unique` template functions.
  */
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index bf9618014b0..0b981788bc0 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -3308,6 +3308,15 @@
 | smart_pointer.cpp:83:8:83:8 | q | smart_pointer.cpp:83:9:83:9 | call to operator-> |  |
 | smart_pointer.cpp:83:8:83:8 | ref arg q | smart_pointer.cpp:84:8:84:8 | q |  |
 | smart_pointer.cpp:84:8:84:8 | q | smart_pointer.cpp:84:9:84:9 | call to operator-> |  |
+| smart_pointer.cpp:87:17:87:18 | pa | smart_pointer.cpp:88:5:88:6 | pa |  |
+| smart_pointer.cpp:88:5:88:20 | ... = ... | smart_pointer.cpp:88:9:88:9 | x [post update] |  |
+| smart_pointer.cpp:88:13:88:18 | call to source | smart_pointer.cpp:88:5:88:20 | ... = ... |  |
+| smart_pointer.cpp:92:25:92:50 | call to unique_ptr | smart_pointer.cpp:93:11:93:11 | p |  |
+| smart_pointer.cpp:92:25:92:50 | call to unique_ptr | smart_pointer.cpp:94:8:94:8 | p |  |
+| smart_pointer.cpp:93:11:93:11 | p | smart_pointer.cpp:93:13:93:15 | call to get |  |
+| smart_pointer.cpp:93:11:93:11 | ref arg p | smart_pointer.cpp:94:8:94:8 | p |  |
+| smart_pointer.cpp:93:13:93:15 | ref arg call to get | smart_pointer.cpp:93:11:93:11 | ref arg p |  |
+| smart_pointer.cpp:94:8:94:8 | p | smart_pointer.cpp:94:9:94:9 | call to operator-> |  |
 | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:39:45:39:51 | source1 |  |
 | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:40:11:40:17 | source1 |  |
 | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:41:12:41:18 | source1 |  |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
index 631614aa37d..26b1f329d25 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
@@ -9,7 +9,7 @@ template<typename T> void sink(std::unique_ptr<T>&);
 
 void test_make_shared() {
     std::shared_ptr<int> p = std::make_shared<int>(source());
-    sink(*p); // $ ast MISSING: ir
+    sink(*p); // $ ast,ir
     sink(p); // $ ast,ir
 }
 
@@ -21,7 +21,7 @@ void test_make_shared_array() {
 
 void test_make_unique() {
     std::unique_ptr<int> p = std::make_unique<int>(source());
-    sink(*p); // $ ast MISSING: ir
+    sink(*p); // $ ast,ir
     sink(p); // $ ast,ir
 }
 
@@ -83,3 +83,13 @@ void test_operator_arrow(std::unique_ptr<A> p, std::unique_ptr<B> q) {
   sink(q->a1.y);
   sink(q->a2.x);
 }
+
+void taint_x(A* pa) {
+    pa->x = source();
+}
+
+void reverse_taint_smart_pointer() {
+  std::unique_ptr<A> p = std::unique_ptr<A>(new A);
+  taint_x(p.get());
+  sink(p->x); // $ ast MISSING: ir
+}
\ No newline at end of file

From 80d5b17900ebf200de067e0a7cc7466606bfea7b Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 9 Apr 2021 14:20:51 +0200
Subject: [PATCH 0275/1429] C++: Remove the dataflow rule for smart_ptr ->
 *smart_ptr.

---
 .../models/implementations/SmartPointer.qll   |  5 ++++-
 .../dataflow/taint-tests/localTaint.expected  | 20 ++++++++-----------
 .../dataflow/taint-tests/smart_pointer.cpp    | 12 +++++------
 3 files changed, 18 insertions(+), 19 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
index 525582fb74d..4bcf5aa3575 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
@@ -17,7 +17,10 @@ private class UniqueOrSharedPtr extends Class, PointerWrapper {
 
 /** Any function that unwraps a pointer wrapper class to reveal the underlying pointer. */
 private class PointerWrapperDataFlow extends DataFlowFunction {
-  PointerWrapperDataFlow() { this = any(PointerWrapper wrapper).getAnUnwrapperFunction() }
+  PointerWrapperDataFlow() {
+    this = any(PointerWrapper wrapper).getAnUnwrapperFunction() and
+    not this.getUnspecifiedType() instanceof ReferenceType
+  }
 
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierAddress() and output.isReturnValue()
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index 0b981788bc0..5b654ddb9ad 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -3223,45 +3223,41 @@
 | smart_pointer.cpp:11:30:11:50 | call to make_shared | smart_pointer.cpp:12:11:12:11 | p |  |
 | smart_pointer.cpp:11:30:11:50 | call to make_shared | smart_pointer.cpp:13:10:13:10 | p |  |
 | smart_pointer.cpp:11:52:11:57 | call to source | smart_pointer.cpp:11:30:11:50 | call to make_shared | TAINT |
-| smart_pointer.cpp:12:11:12:11 | p | smart_pointer.cpp:12:10:12:10 | call to operator* |  |
+| smart_pointer.cpp:12:11:12:11 | p | smart_pointer.cpp:12:10:12:10 | call to operator* | TAINT |
 | smart_pointer.cpp:12:11:12:11 | ref arg p | smart_pointer.cpp:13:10:13:10 | p |  |
 | smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:18:11:18:11 | p |  |
 | smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:19:10:19:10 | p |  |
-| smart_pointer.cpp:18:10:18:10 | ref arg call to operator* | smart_pointer.cpp:18:11:18:11 | ref arg p |  |
-| smart_pointer.cpp:18:11:18:11 | p | smart_pointer.cpp:18:10:18:10 | call to operator* |  |
+| smart_pointer.cpp:18:11:18:11 | p | smart_pointer.cpp:18:10:18:10 | call to operator* | TAINT |
 | smart_pointer.cpp:18:11:18:11 | ref arg p | smart_pointer.cpp:19:10:19:10 | p |  |
 | smart_pointer.cpp:23:30:23:50 | call to make_unique | smart_pointer.cpp:24:11:24:11 | p |  |
 | smart_pointer.cpp:23:30:23:50 | call to make_unique | smart_pointer.cpp:25:10:25:10 | p |  |
 | smart_pointer.cpp:23:52:23:57 | call to source | smart_pointer.cpp:23:30:23:50 | call to make_unique | TAINT |
-| smart_pointer.cpp:24:11:24:11 | p | smart_pointer.cpp:24:10:24:10 | call to operator* |  |
+| smart_pointer.cpp:24:11:24:11 | p | smart_pointer.cpp:24:10:24:10 | call to operator* | TAINT |
 | smart_pointer.cpp:24:11:24:11 | ref arg p | smart_pointer.cpp:25:10:25:10 | p |  |
 | smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:30:11:30:11 | p |  |
 | smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:31:10:31:10 | p |  |
-| smart_pointer.cpp:30:10:30:10 | ref arg call to operator* | smart_pointer.cpp:30:11:30:11 | ref arg p |  |
-| smart_pointer.cpp:30:11:30:11 | p | smart_pointer.cpp:30:10:30:10 | call to operator* |  |
+| smart_pointer.cpp:30:11:30:11 | p | smart_pointer.cpp:30:10:30:10 | call to operator* | TAINT |
 | smart_pointer.cpp:30:11:30:11 | ref arg p | smart_pointer.cpp:31:10:31:10 | p |  |
 | smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:37:6:37:6 | p |  |
 | smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:38:10:38:10 | p |  |
 | smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:39:11:39:11 | p |  |
-| smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:37:6:37:6 | ref arg p |  |
 | smart_pointer.cpp:37:5:37:17 | ... = ... | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] |  |
-| smart_pointer.cpp:37:6:37:6 | p | smart_pointer.cpp:37:5:37:5 | call to operator* |  |
+| smart_pointer.cpp:37:6:37:6 | p | smart_pointer.cpp:37:5:37:5 | call to operator* | TAINT |
 | smart_pointer.cpp:37:6:37:6 | ref arg p | smart_pointer.cpp:38:10:38:10 | p |  |
 | smart_pointer.cpp:37:6:37:6 | ref arg p | smart_pointer.cpp:39:11:39:11 | p |  |
 | smart_pointer.cpp:37:10:37:15 | call to source | smart_pointer.cpp:37:5:37:17 | ... = ... |  |
 | smart_pointer.cpp:38:10:38:10 | ref arg p | smart_pointer.cpp:39:11:39:11 | p |  |
-| smart_pointer.cpp:39:11:39:11 | p | smart_pointer.cpp:39:10:39:10 | call to operator* |  |
+| smart_pointer.cpp:39:11:39:11 | p | smart_pointer.cpp:39:10:39:10 | call to operator* | TAINT |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:45:6:45:6 | p |  |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:46:10:46:10 | p |  |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:47:11:47:11 | p |  |
-| smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:45:6:45:6 | ref arg p |  |
 | smart_pointer.cpp:45:5:45:17 | ... = ... | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] |  |
-| smart_pointer.cpp:45:6:45:6 | p | smart_pointer.cpp:45:5:45:5 | call to operator* |  |
+| smart_pointer.cpp:45:6:45:6 | p | smart_pointer.cpp:45:5:45:5 | call to operator* | TAINT |
 | smart_pointer.cpp:45:6:45:6 | ref arg p | smart_pointer.cpp:46:10:46:10 | p |  |
 | smart_pointer.cpp:45:6:45:6 | ref arg p | smart_pointer.cpp:47:11:47:11 | p |  |
 | smart_pointer.cpp:45:10:45:15 | call to source | smart_pointer.cpp:45:5:45:17 | ... = ... |  |
 | smart_pointer.cpp:46:10:46:10 | ref arg p | smart_pointer.cpp:47:11:47:11 | p |  |
-| smart_pointer.cpp:47:11:47:11 | p | smart_pointer.cpp:47:10:47:10 | call to operator* |  |
+| smart_pointer.cpp:47:11:47:11 | p | smart_pointer.cpp:47:10:47:10 | call to operator* | TAINT |
 | smart_pointer.cpp:51:30:51:50 | call to make_shared | smart_pointer.cpp:52:10:52:10 | p |  |
 | smart_pointer.cpp:51:52:51:57 | call to source | smart_pointer.cpp:51:30:51:50 | call to make_shared | TAINT |
 | smart_pointer.cpp:52:10:52:10 | p | smart_pointer.cpp:52:12:52:14 | call to get |  |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
index 26b1f329d25..2ac33271011 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
@@ -9,7 +9,7 @@ template<typename T> void sink(std::unique_ptr<T>&);
 
 void test_make_shared() {
     std::shared_ptr<int> p = std::make_shared<int>(source());
-    sink(*p); // $ ast,ir
+    sink(*p); // $ MISSING: ast,ir
     sink(p); // $ ast,ir
 }
 
@@ -21,7 +21,7 @@ void test_make_shared_array() {
 
 void test_make_unique() {
     std::unique_ptr<int> p = std::make_unique<int>(source());
-    sink(*p); // $ ast,ir
+    sink(*p); // $ MISSING: ast,ir
     sink(p); // $ ast,ir
 }
 
@@ -35,16 +35,16 @@ void test_reverse_taint_shared() {
     std::shared_ptr<int> p = std::make_shared<int>();
 
     *p = source();
-    sink(p); // $ ast MISSING: ir
-    sink(*p); // $ ast MISSING: ir
+    sink(p); // $ MISSING: ast,ir
+    sink(*p); // $ MISSING: ast,ir
 }
 
 void test_reverse_taint_unique() {
     std::unique_ptr<int> p = std::unique_ptr<int>();
 
     *p = source();
-    sink(p); // $ ast MISSING: ir
-    sink(*p); // $ ast MISSING: ir
+    sink(p); // $ MISSING: ast,ir
+    sink(*p); // $ MISSING: ast,ir
 }
 
 void test_shared_get() {

From 6874b8d4b3a899cb38db47fb460f4f93c256f272 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Fri, 9 Apr 2021 14:23:10 +0200
Subject: [PATCH 0276/1429] Data flow: Prevent bad join-order in `pathStep`

---
 .../code/cpp/dataflow/internal/DataFlowImpl.qll       | 11 ++++-------
 .../code/cpp/dataflow/internal/DataFlowImpl2.qll      | 11 ++++-------
 .../code/cpp/dataflow/internal/DataFlowImpl3.qll      | 11 ++++-------
 .../code/cpp/dataflow/internal/DataFlowImpl4.qll      | 11 ++++-------
 .../code/cpp/dataflow/internal/DataFlowImplLocal.qll  | 11 ++++-------
 .../code/cpp/ir/dataflow/internal/DataFlowImpl.qll    | 11 ++++-------
 .../code/cpp/ir/dataflow/internal/DataFlowImpl2.qll   | 11 ++++-------
 .../code/cpp/ir/dataflow/internal/DataFlowImpl3.qll   | 11 ++++-------
 .../code/cpp/ir/dataflow/internal/DataFlowImpl4.qll   | 11 ++++-------
 .../code/csharp/dataflow/internal/DataFlowImpl.qll    | 11 ++++-------
 .../code/csharp/dataflow/internal/DataFlowImpl2.qll   | 11 ++++-------
 .../code/csharp/dataflow/internal/DataFlowImpl3.qll   | 11 ++++-------
 .../code/csharp/dataflow/internal/DataFlowImpl4.qll   | 11 ++++-------
 .../code/csharp/dataflow/internal/DataFlowImpl5.qll   | 11 ++++-------
 .../code/java/dataflow/internal/DataFlowImpl.qll      | 11 ++++-------
 .../code/java/dataflow/internal/DataFlowImpl2.qll     | 11 ++++-------
 .../code/java/dataflow/internal/DataFlowImpl3.qll     | 11 ++++-------
 .../code/java/dataflow/internal/DataFlowImpl4.qll     | 11 ++++-------
 .../code/java/dataflow/internal/DataFlowImpl5.qll     | 11 ++++-------
 .../python/dataflow/new/internal/DataFlowImpl.qll     | 11 ++++-------
 .../python/dataflow/new/internal/DataFlowImpl2.qll    | 11 ++++-------
 .../python/dataflow/new/internal/DataFlowImpl3.qll    | 11 ++++-------
 .../python/dataflow/new/internal/DataFlowImpl4.qll    | 11 ++++-------
 23 files changed, 92 insertions(+), 161 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
index 8b446d28b86..ab29838988d 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
index 8b446d28b86..ab29838988d 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
index 8b446d28b86..ab29838988d 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
index 8b446d28b86..ab29838988d 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
index 8b446d28b86..ab29838988d 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
index 8b446d28b86..ab29838988d 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
index 8b446d28b86..ab29838988d 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
index 8b446d28b86..ab29838988d 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
index 8b446d28b86..ab29838988d 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index 8b446d28b86..ab29838988d 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
index 8b446d28b86..ab29838988d 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
index 8b446d28b86..ab29838988d 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
index 8b446d28b86..ab29838988d 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
index 8b446d28b86..ab29838988d 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
index 8b446d28b86..ab29838988d 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
index 8b446d28b86..ab29838988d 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
index 8b446d28b86..ab29838988d 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
index 8b446d28b86..ab29838988d 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
index 8b446d28b86..ab29838988d 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
index 8b446d28b86..ab29838988d 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
index 8b446d28b86..ab29838988d 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
index 8b446d28b86..ab29838988d 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
index 8b446d28b86..ab29838988d 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
@@ -2132,12 +2132,9 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
-    exists(Cc cc0 |
-      cc = pragma[only_bind_into](cc0) and
-      localFlowEntry(node, config) and
-      result = getLocalCallContext(cc0, getNodeEnclosingCallable(node))
-    )
+  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
 
   private predicate localStep(
@@ -3132,7 +3129,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
     conf = mid.getConfiguration() and
     cc = mid.getCallContext() and
     sc = mid.getSummaryCtx() and
-    localCC = getLocalCallContext(cc, getNodeEnclosingCallable(midnode)) and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
     ap0 = mid.getAp()
   |
     localFlowBigStep(midnode, node, true, _, conf, localCC) and

From 996cda9b97a92e736e6301fff1ef68476e725f52 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 9 Apr 2021 14:46:46 +0200
Subject: [PATCH 0277/1429] C++: Fix incorrect test annotation.

---
 .../test/library-tests/dataflow/taint-tests/smart_pointer.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
index 2ac33271011..cf43c3a6c1c 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
@@ -9,7 +9,7 @@ template<typename T> void sink(std::unique_ptr<T>&);
 
 void test_make_shared() {
     std::shared_ptr<int> p = std::make_shared<int>(source());
-    sink(*p); // $ MISSING: ast,ir
+    sink(*p); // $ ast MISSING: ir
     sink(p); // $ ast,ir
 }
 
@@ -21,7 +21,7 @@ void test_make_shared_array() {
 
 void test_make_unique() {
     std::unique_ptr<int> p = std::make_unique<int>(source());
-    sink(*p); // $ MISSING: ast,ir
+    sink(*p); // $ ast MISSING: ir
     sink(p); // $ ast,ir
 }
 

From cd310eb9d5bae6e73fea21f1b7e8a062add9c9e3 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 9 Apr 2021 15:08:48 +0200
Subject: [PATCH 0278/1429] C++: Remove unused import.

---
 cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll | 1 -
 1 file changed, 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
index 5878d974b31..0a6d459ec79 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -7,7 +7,6 @@ private import semmle.code.cpp.dataflow.internal.FlowVar
 private import semmle.code.cpp.models.interfaces.DataFlow
 private import semmle.code.cpp.controlflow.Guards
 private import semmle.code.cpp.dataflow.internal.AddressFlow
-private import semmle.code.cpp.models.interfaces.PointerWrapper
 
 cached
 private newtype TNode =

From d2b874f21764b93dad29e2f950b3e0f95f882bad Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Fri, 9 Apr 2021 14:19:00 +0000
Subject: [PATCH 0279/1429] Python: Use API graphs in PEP249 support

Because the replacement extension point now extends `API::Node`, I
modified the `toString` method of the latter to have an empty body.
The alternative would be to require everyone to provide a `toString`
predicate for their extensions, but seeing as these will usually be
pointing to already existing API graph nodes, this seems silly.

(This may be the reason why the equivalent method in the JS libs has
such an implementation.)
---
 python/ql/src/semmle/python/ApiGraphs.qll     |  2 +-
 .../src/semmle/python/frameworks/Django.qll   |  7 ++-
 .../src/semmle/python/frameworks/MySQLdb.qll  | 16 +-----
 .../frameworks/MysqlConnectorPython.qll       | 55 +------------------
 .../src/semmle/python/frameworks/PEP249.qll   | 37 ++++++-------
 .../src/semmle/python/frameworks/Psycopg2.qll | 16 +-----
 .../src/semmle/python/frameworks/PyMySQL.qll  | 16 +-----
 .../src/semmle/python/frameworks/Stdlib.qll   | 15 +----
 8 files changed, 38 insertions(+), 126 deletions(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 5aab059d58e..9689fb06a77 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -157,7 +157,7 @@ module API {
     /**
      * Gets a textual representation of this element.
      */
-    abstract string toString();
+    string toString() { none() }
 
     /**
      * Gets a path of the given `length` from the root to this node.
diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index 02d5030bb1e..56dc12edbf4 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -78,8 +78,11 @@ private module Django {
     /** Gets a reference to the `django.db` module. */
     DataFlow::Node db() { result = django_attr("db") }
 
-    class DjangoDb extends PEP249Module {
-      DjangoDb() { this = db() }
+    /**
+     * `django.db` implements PEP249, providing ways to execute SQL statements against a database.
+     */
+    private class DjangoDb extends PEP249ModuleApiNode {
+      DjangoDb() { this = API::moduleImport("django").getMember("db") }
     }
 
     /** Provides models for the `django.db` module. */
diff --git a/python/ql/src/semmle/python/frameworks/MySQLdb.qll b/python/ql/src/semmle/python/frameworks/MySQLdb.qll
index 7013c6f5d02..b36bf87c7d9 100644
--- a/python/ql/src/semmle/python/frameworks/MySQLdb.qll
+++ b/python/ql/src/semmle/python/frameworks/MySQLdb.qll
@@ -9,6 +9,7 @@ private import python
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
 private import PEP249
 
 /**
@@ -21,19 +22,8 @@ private module MySQLdb {
   // ---------------------------------------------------------------------------
   // MySQLdb
   // ---------------------------------------------------------------------------
-  /** Gets a reference to the `MySQLdb` module. */
-  private DataFlow::Node moduleMySQLdb(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("MySQLdb")
-    or
-    exists(DataFlow::TypeTracker t2 | result = moduleMySQLdb(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `MySQLdb` module. */
-  DataFlow::Node moduleMySQLdb() { result = moduleMySQLdb(DataFlow::TypeTracker::end()) }
-
   /** MySQLdb implements PEP 249, providing ways to execute SQL statements against a database. */
-  class MySQLdb extends PEP249Module {
-    MySQLdb() { this = moduleMySQLdb() }
+  class MySQLdb extends PEP249ModuleApiNode {
+    MySQLdb() { this = API::moduleImport("MySQLdb") }
   }
 }
diff --git a/python/ql/src/semmle/python/frameworks/MysqlConnectorPython.qll b/python/ql/src/semmle/python/frameworks/MysqlConnectorPython.qll
index 1722bdcb51e..97cd4fd162c 100644
--- a/python/ql/src/semmle/python/frameworks/MysqlConnectorPython.qll
+++ b/python/ql/src/semmle/python/frameworks/MysqlConnectorPython.qll
@@ -9,6 +9,7 @@ private import python
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
 private import PEP249
 
 /**
@@ -21,64 +22,14 @@ private module MysqlConnectorPython {
   // ---------------------------------------------------------------------------
   // mysql
   // ---------------------------------------------------------------------------
-  /** Gets a reference to the `mysql` module. */
-  private DataFlow::Node mysql(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("mysql")
-    or
-    exists(DataFlow::TypeTracker t2 | result = mysql(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `mysql` module. */
-  DataFlow::Node mysql() { result = mysql(DataFlow::TypeTracker::end()) }
-
-  /**
-   * Gets a reference to the attribute `attr_name` of the `mysql` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private DataFlow::Node mysql_attr(DataFlow::TypeTracker t, string attr_name) {
-    attr_name in ["connector"] and
-    (
-      t.start() and
-      result = DataFlow::importNode("mysql" + "." + attr_name)
-      or
-      t.startInAttr(attr_name) and
-      result = mysql()
-    )
-    or
-    // Due to bad performance when using normal setup with `mysql_attr(t2, attr_name).track(t2, t)`
-    // we have inlined that code and forced a join
-    exists(DataFlow::TypeTracker t2 |
-      exists(DataFlow::StepSummary summary |
-        mysql_attr_first_join(t2, attr_name, result, summary) and
-        t = t2.append(summary)
-      )
-    )
-  }
-
-  pragma[nomagic]
-  private predicate mysql_attr_first_join(
-    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
-  ) {
-    DataFlow::StepSummary::step(mysql_attr(t2, attr_name), res, summary)
-  }
-
-  /**
-   * Gets a reference to the attribute `attr_name` of the `mysql` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private DataFlow::Node mysql_attr(string attr_name) {
-    result = mysql_attr(DataFlow::TypeTracker::end(), attr_name)
-  }
-
   /** Provides models for the `mysql` module. */
   module mysql {
     /**
      * The mysql.connector module
      * See https://dev.mysql.com/doc/connector-python/en/connector-python-example-connecting.html
      */
-    class MysqlConnector extends PEP249Module {
-      MysqlConnector() { this = mysql_attr("connector") }
+    class MysqlConnector extends PEP249ModuleApiNode {
+      MysqlConnector() { this = API::moduleImport("mysql").getMember("connector") }
     }
   }
 }
diff --git a/python/ql/src/semmle/python/frameworks/PEP249.qll b/python/ql/src/semmle/python/frameworks/PEP249.qll
index 1a5d888949f..c449ae92bf2 100644
--- a/python/ql/src/semmle/python/frameworks/PEP249.qll
+++ b/python/ql/src/semmle/python/frameworks/PEP249.qll
@@ -7,20 +7,23 @@ private import python
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
 
-/** A module implementing PEP 249. Extend this class for implementations. */
-abstract class PEP249Module extends DataFlow::Node { }
+/**
+ * A module implementing PEP 249. Extend this class for implementations.
+ *
+ * DEPRECATED: Extend `PEP249ModuleApiNode` instead.
+ */
+abstract deprecated class PEP249Module extends DataFlow::Node { }
+
+/**
+ * An abstract class encompassing API graph nodes that implement PEP 249.
+ * Extend this class for implementations.
+ */
+abstract class PEP249ModuleApiNode extends API::Node { }
 
 /** Gets a reference to a connect call. */
-private DataFlow::Node connect(DataFlow::TypeTracker t) {
-  t.startInAttr("connect") and
-  result instanceof PEP249Module
-  or
-  exists(DataFlow::TypeTracker t2 | result = connect(t2).track(t2, t))
-}
-
-/** Gets a reference to a connect call. */
-DataFlow::Node connect() { result = connect(DataFlow::TypeTracker::end()) }
+DataFlow::Node connect() { result = any(PEP249ModuleApiNode a).getMember("connect").getAUse() }
 
 /**
  * Provides models for the `db.Connection` class
@@ -43,10 +46,8 @@ module Connection {
   abstract class InstanceSource extends DataFlow::Node { }
 
   /** A direct instantiation of `db.Connection`. */
-  private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
-    override CallNode node;
-
-    ClassInstantiation() { node.getFunction() = connect().asCfgNode() }
+  private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
+    ClassInstantiation() { this.getFunction() = connect() }
   }
 
   /** Gets a reference to an instance of `db.Connection`. */
@@ -115,10 +116,8 @@ private DataFlow::Node execute(DataFlow::TypeTracker t) {
 DataFlow::Node execute() { result = execute(DataFlow::TypeTracker::end()) }
 
 /** A call to the `execute` method on a cursor (or on a connection). */
-private class ExecuteCall extends SqlExecution::Range, DataFlow::CfgNode {
-  override CallNode node;
-
-  ExecuteCall() { node.getFunction() = execute().asCfgNode() }
+private class ExecuteCall extends SqlExecution::Range, DataFlow::CallCfgNode {
+  ExecuteCall() { this.getFunction() = execute() }
 
   override DataFlow::Node getSql() {
     result.asCfgNode() in [node.getArg(0), node.getArgByName("sql")]
diff --git a/python/ql/src/semmle/python/frameworks/Psycopg2.qll b/python/ql/src/semmle/python/frameworks/Psycopg2.qll
index 96beee3f011..1cc20026801 100644
--- a/python/ql/src/semmle/python/frameworks/Psycopg2.qll
+++ b/python/ql/src/semmle/python/frameworks/Psycopg2.qll
@@ -9,6 +9,7 @@ private import python
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
 private import PEP249
 
 /**
@@ -21,19 +22,8 @@ private module Psycopg2 {
   // ---------------------------------------------------------------------------
   // Psycopg
   // ---------------------------------------------------------------------------
-  /** Gets a reference to the `psycopg2` module. */
-  private DataFlow::Node psycopg2(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("psycopg2")
-    or
-    exists(DataFlow::TypeTracker t2 | result = psycopg2(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `psycopg2` module. */
-  DataFlow::Node psycopg2() { result = psycopg2(DataFlow::TypeTracker::end()) }
-
   /** psycopg2 implements PEP 249, providing ways to execute SQL statements against a database. */
-  class Psycopg2 extends PEP249Module {
-    Psycopg2() { this = psycopg2() }
+  class Psycopg2 extends PEP249ModuleApiNode {
+    Psycopg2() { this = API::moduleImport("psycopg2") }
   }
 }
diff --git a/python/ql/src/semmle/python/frameworks/PyMySQL.qll b/python/ql/src/semmle/python/frameworks/PyMySQL.qll
index 954d2f690dd..c078302b73f 100644
--- a/python/ql/src/semmle/python/frameworks/PyMySQL.qll
+++ b/python/ql/src/semmle/python/frameworks/PyMySQL.qll
@@ -7,6 +7,7 @@ private import python
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
 private import PEP249
 
 /**
@@ -14,19 +15,8 @@ private import PEP249
  * See https://pypi.org/project/PyMySQL/
  */
 private module PyMySQL {
-  /** Gets a reference to the `pymysql` module. */
-  private DataFlow::Node pymysql(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("pymysql")
-    or
-    exists(DataFlow::TypeTracker t2 | result = pymysql(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `pymysql` module. */
-  DataFlow::Node pymysql() { result = pymysql(DataFlow::TypeTracker::end()) }
-
   /** PyMySQL implements PEP 249, providing ways to execute SQL statements against a database. */
-  class PyMySQLPEP249 extends PEP249Module {
-    PyMySQLPEP249() { this = pymysql() }
+  class PyMySQLPEP249 extends PEP249ModuleApiNode {
+    PyMySQLPEP249() { this = API::moduleImport("pymysql") }
   }
 }
diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index 2626d1585ff..718da24aa88 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -1523,24 +1523,13 @@ private module Stdlib {
   // ---------------------------------------------------------------------------
   // sqlite3
   // ---------------------------------------------------------------------------
-  /** Gets a reference to the `sqlite3` module. */
-  private DataFlow::Node sqlite3(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("sqlite3")
-    or
-    exists(DataFlow::TypeTracker t2 | result = sqlite3(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `sqlite3` module. */
-  DataFlow::Node sqlite3() { result = sqlite3(DataFlow::TypeTracker::end()) }
-
   /**
    * sqlite3 implements PEP 249, providing ways to execute SQL statements against a database.
    *
    * See https://devdocs.io/python~3.9/library/sqlite3
    */
-  class Sqlite3 extends PEP249Module {
-    Sqlite3() { this = sqlite3() }
+  class Sqlite3 extends PEP249ModuleApiNode {
+    Sqlite3() { this = API::moduleImport("sqlite3") }
   }
 }
 

From 3b437fe6cf1e4d9cee9b807869ddd0272e35d732 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 8 Apr 2021 15:52:41 +0100
Subject: [PATCH 0280/1429] C++: Replace GVN with some other libraries.

---
 ...nsignedDifferenceExpressionComparedZero.ql | 20 +++++++++++++++----
 ...dDifferenceExpressionComparedZero.expected |  7 -------
 .../test.cpp                                  | 14 ++++++-------
 3 files changed, 23 insertions(+), 18 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index bca77f99a72..cbdae0b6651 100644
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -12,10 +12,10 @@
 
 import cpp
 import semmle.code.cpp.commons.Exclusions
-import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
 import semmle.code.cpp.controlflow.Guards
+import semmle.code.cpp.dataflow.DataFlow
 
 /**
  *  Holds if `sub` is guarded by a condition which ensures that
@@ -37,15 +37,27 @@ predicate exprIsSubLeftOrLess(SubExpr sub, Expr e) {
   e = sub.getLeftOperand()
   or
   exists(Expr other |
-    // GVN equality
+    // use-use
     exprIsSubLeftOrLess(sub, other) and
-    globalValueNumber(e) = globalValueNumber(other)
+    (
+      useUsePair(_, other, e) or
+      useUsePair(_, e, other)
+    )
+  )
+  or
+  exists(Expr other |
+    // dataflow
+    exprIsSubLeftOrLess(sub, other) and
+    (
+      DataFlow::localFlowStep(DataFlow::exprNode(e), DataFlow::exprNode(other)) or
+      DataFlow::localFlowStep(DataFlow::exprNode(other), DataFlow::exprNode(e))
+    )
   )
   or
   exists(Expr other |
     // guard constraining `sub`
     exprIsSubLeftOrLess(sub, other) and
-    isGuarded(sub, other, e) // left >= right
+    isGuarded(sub, other, e) // other >= e
   )
   or
   exists(Expr other, float p, float q |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
index 64a1aa0ab89..85938f15499 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
@@ -1,12 +1,6 @@
 | test.cpp:6:5:6:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:10:8:10:24 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:15:9:15:25 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:32:12:32:20 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:39:12:39:20 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:47:5:47:13 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:55:5:55:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:62:5:62:13 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:69:5:69:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:75:8:75:16 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:101:6:101:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:128:6:128:14 | ... > ... | Unsigned subtraction can never be negative. |
@@ -14,7 +8,6 @@
 | test.cpp:146:7:146:15 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:152:7:152:15 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:182:6:182:14 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:195:6:195:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:208:6:208:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:252:10:252:18 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:266:10:266:24 | ... > ... | Unsigned subtraction can never be negative. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
index f151c593a2d..1a6aaa618e5 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/test.cpp
@@ -12,7 +12,7 @@ void test(unsigned x, unsigned y, bool unknown) {
 	}
 
 	if(total <= limit) {
-		while(limit - total > 0) { // GOOD [FALSE POSITIVE]
+		while(limit - total > 0) { // GOOD
 			total += getAnInt();
 			if(total > limit) break;
 		}
@@ -29,14 +29,14 @@ void test(unsigned x, unsigned y, bool unknown) {
 	} else {
 		y = x;
 	}
-	bool b1 = x - y > 0; // GOOD [FALSE POSITIVE]
+	bool b1 = x - y > 0; // GOOD
 
 	x = getAnInt();
 	y = getAnInt();
 	if(y > x) {
 		y = x - 1;
 	}
-	bool b2 = x - y > 0; // GOOD [FALSE POSITIVE]
+	bool b2 = x - y > 0; // GOOD
 
 	int N = getAnInt();
 	y = x;
@@ -44,7 +44,7 @@ void test(unsigned x, unsigned y, bool unknown) {
 		if(unknown) { y--; }
 	}
 	
-	if(x - y > 0) { } // GOOD [FALSE POSITIVE]
+	if(x - y > 0) { } // GOOD
 
 	x = y;
 	while(cond()) {
@@ -52,7 +52,7 @@ void test(unsigned x, unsigned y, bool unknown) {
 		y--;
 	}
 
-	if(x - y > 0) { } // GOOD [FALSE POSITIVE]
+	if(x - y > 0) { } // GOOD
 
 	y = 0;
 	for(int i = 0; i < x; ++i) {
@@ -66,7 +66,7 @@ void test(unsigned x, unsigned y, bool unknown) {
 		if(unknown) { x++; }
 	}
 
-	if(x - y > 0) { } // GOOD [FALSE POSITIVE]
+	if(x - y > 0) { } // GOOD
 
 	int n = getAnInt();
 	if (n > x - y) { n = x - y; }
@@ -192,7 +192,7 @@ void test10() {
 		a = b;
 	}
 
-	if (a - b > 0) { // GOOD (as a >= b) [FALSE POSITIVE]
+	if (a - b > 0) { // GOOD (as a >= b)
 		// ...
 	}
 }

From f1306163692e580df95f0bbc65fa0821729d7132 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Fri, 9 Apr 2021 16:22:58 +0200
Subject: [PATCH 0281/1429] Data flow: Make `getLocalCc` private again

---
 cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll   | 2 +-
 cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll  | 2 +-
 cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll  | 2 +-
 cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll  | 2 +-
 .../src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll | 2 +-
 .../src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll   | 2 +-
 .../src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll  | 2 +-
 .../src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll  | 2 +-
 .../src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll  | 2 +-
 .../src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll   | 2 +-
 .../src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll  | 2 +-
 .../src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll  | 2 +-
 .../src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll  | 2 +-
 .../src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll  | 2 +-
 java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll | 2 +-
 .../ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll | 2 +-
 .../ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll | 2 +-
 .../ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll | 2 +-
 .../ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll | 2 +-
 .../ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll | 2 +-
 .../src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll   | 2 +-
 .../src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll   | 2 +-
 .../src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll   | 2 +-
 23 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
index ab29838988d..9498e51e7e6 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
index ab29838988d..9498e51e7e6 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
index ab29838988d..9498e51e7e6 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
index ab29838988d..9498e51e7e6 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
index ab29838988d..9498e51e7e6 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
index ab29838988d..9498e51e7e6 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
index ab29838988d..9498e51e7e6 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
index ab29838988d..9498e51e7e6 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
index ab29838988d..9498e51e7e6 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index ab29838988d..9498e51e7e6 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
index ab29838988d..9498e51e7e6 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
index ab29838988d..9498e51e7e6 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
index ab29838988d..9498e51e7e6 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
index ab29838988d..9498e51e7e6 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
index ab29838988d..9498e51e7e6 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
index ab29838988d..9498e51e7e6 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
index ab29838988d..9498e51e7e6 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
index ab29838988d..9498e51e7e6 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
index ab29838988d..9498e51e7e6 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
index ab29838988d..9498e51e7e6 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
index ab29838988d..9498e51e7e6 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
index ab29838988d..9498e51e7e6 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
index ab29838988d..9498e51e7e6 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
@@ -2132,7 +2132,7 @@ private module Stage4 {
   }
 
   bindingset[node, cc, config]
-  LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
     localFlowEntry(node, config) and
     result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
   }

From fd8f745468736006884dcabceebf9377567209d7 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Wed, 17 Mar 2021 13:35:44 +0100
Subject: [PATCH 0282/1429] Java: Adopt shared flow summary library and
 refactor data-flow nodes.

---
 config/identical-files.json                   |   4 +
 .../semmle/code/java/dataflow/FlowSummary.qll |  49 ++
 .../dataflow/internal/DataFlowDispatch.qll    |  24 +-
 .../java/dataflow/internal/DataFlowNodes.qll  | 445 ++++++++++++
 .../dataflow/internal/DataFlowPrivate.qll     |  80 +--
 .../java/dataflow/internal/DataFlowUtil.qll   | 310 +-------
 .../dataflow/internal/FlowSummaryImpl.qll     | 674 ++++++++++++++++++
 .../internal/FlowSummaryImplSpecific.qll      |  51 ++
 .../dataflow/internal/TaintTrackingUtil.qll   |   8 +-
 .../localAdditionalTaintStep.ql               |   4 +-
 10 files changed, 1285 insertions(+), 364 deletions(-)
 create mode 100644 java/ql/src/semmle/code/java/dataflow/FlowSummary.qll
 create mode 100644 java/ql/src/semmle/code/java/dataflow/internal/DataFlowNodes.qll
 create mode 100644 java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
 create mode 100644 java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll

diff --git a/config/identical-files.json b/config/identical-files.json
index 6c1c0c7409d..3916e95a0cf 100644
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -56,6 +56,10 @@
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll",
     "python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll"
   ],
+  "DataFlow Java/C# Flow Summaries": [
+    "java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll",
+    "csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll"
+  ],
   "SsaReadPosition Java/C#": [
     "java/ql/src/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
     "csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
diff --git a/java/ql/src/semmle/code/java/dataflow/FlowSummary.qll b/java/ql/src/semmle/code/java/dataflow/FlowSummary.qll
new file mode 100644
index 00000000000..02e9548c544
--- /dev/null
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSummary.qll
@@ -0,0 +1,49 @@
+/**
+ * Provides classes and predicates for definining flow summaries.
+ */
+
+import java
+private import internal.FlowSummaryImpl as Impl
+private import internal.DataFlowDispatch
+private import internal.DataFlowPrivate
+
+// import all instances below
+private module Summaries { }
+
+class SummaryComponent = Impl::Public::SummaryComponent;
+
+/** Provides predicates for constructing summary components. */
+module SummaryComponent {
+  import Impl::Public::SummaryComponent
+
+  /** Gets a summary component that represents a qualifier. */
+  SummaryComponent qualifier() { result = argument(-1) }
+
+  /** Gets a summary component for field `f`. */
+  SummaryComponent field(Field f) { result = content(any(FieldContent c | c.getField() = f)) }
+
+  /** Gets a summary component that represents the return value of a call. */
+  SummaryComponent return() { result = return(_) }
+}
+
+class SummaryComponentStack = Impl::Public::SummaryComponentStack;
+
+/** Provides predicates for constructing stacks of summary components. */
+module SummaryComponentStack {
+  import Impl::Public::SummaryComponentStack
+
+  /** Gets a singleton stack representing a qualifier. */
+  SummaryComponentStack qualifier() { result = singleton(SummaryComponent::qualifier()) }
+
+  /** Gets a stack representing a field `f` of `object`. */
+  SummaryComponentStack fieldOf(Field f, SummaryComponentStack object) {
+    result = push(SummaryComponent::field(f), object)
+  }
+
+  /** Gets a singleton stack representing a (normal) return. */
+  SummaryComponentStack return() { result = singleton(SummaryComponent::return()) }
+}
+
+class SummarizedCallable = Impl::Public::SummarizedCallable;
+
+class RequiredSummaryComponentStack = Impl::Public::RequiredSummaryComponentStack;
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowDispatch.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
index 223af728fe4..3a98ed62847 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
@@ -2,9 +2,17 @@ private import java
 private import DataFlowPrivate
 private import DataFlowUtil
 private import semmle.code.java.dataflow.InstanceAccess
-import semmle.code.java.dispatch.VirtualDispatch
+private import semmle.code.java.dataflow.FlowSummary
+private import semmle.code.java.dispatch.VirtualDispatch as VirtualDispatch
 
 private module DispatchImpl {
+  /** Gets a viable implementation of the target of the given `Call`. */
+  Callable viableCallable(Call c) {
+    result = VirtualDispatch::viableCallable(c)
+    or
+    result.(SummarizedCallable) = c.getCallee().getSourceDeclaration()
+  }
+
   /**
    * Holds if the set of viable implementations that can be called by `ma`
    * might be improved by knowing the call context. This is the case if the
@@ -12,7 +20,7 @@ private module DispatchImpl {
    */
   private predicate mayBenefitFromCallContext(MethodAccess ma, Callable c, int i) {
     exists(Parameter p |
-      2 <= strictcount(viableImpl(ma)) and
+      2 <= strictcount(VirtualDispatch::viableImpl(ma)) and
       ma.getQualifier().(VarAccess).getVariable() = p and
       p.getPosition() = i and
       c.getAParameter() = p and
@@ -21,7 +29,7 @@ private module DispatchImpl {
     )
     or
     exists(OwnInstanceAccess ia |
-      2 <= strictcount(viableImpl(ma)) and
+      2 <= strictcount(VirtualDispatch::viableImpl(ma)) and
       (ia.isExplicit(ma.getQualifier()) or ia.isImplicitMethodQualifier(ma)) and
       i = -1 and
       c = ma.getEnclosingCallable()
@@ -60,7 +68,7 @@ private module DispatchImpl {
         or
         ctx.getArgument(i) = arg
       |
-        src = variableTrack(arg) and
+        src = VirtualDispatch::variableTrack(arg) and
         srctype = getPreciseType(src) and
         if src instanceof ClassInstanceExpr then exact = true else exact = false
       )
@@ -93,18 +101,18 @@ private module DispatchImpl {
    * restricted to those `ma`s for which a context might make a difference.
    */
   Method viableImplInCallContext(MethodAccess ma, Call ctx) {
-    result = viableImpl(ma) and
+    result = VirtualDispatch::viableImpl(ma) and
     exists(int i, Callable c, Method def, RefType t, boolean exact |
       mayBenefitFromCallContext(ma, c, i) and
       c = viableCallable(ctx) and
       contextArgHasType(ctx, i, t, exact) and
       ma.getMethod() = def
     |
-      exact = true and result = exactMethodImpl(def, t.getSourceDeclaration())
+      exact = true and result = VirtualDispatch::exactMethodImpl(def, t.getSourceDeclaration())
       or
       exact = false and
       exists(RefType t2 |
-        result = viableMethodImpl(def, t.getSourceDeclaration(), t2) and
+        result = VirtualDispatch::viableMethodImpl(def, t.getSourceDeclaration(), t2) and
         not failsUnification(t, t2)
       )
     )
@@ -117,7 +125,7 @@ private module DispatchImpl {
 
   pragma[noinline]
   private predicate unificationTargetRight(ParameterizedType t2, GenericType g) {
-    exists(viableMethodImpl(_, _, t2)) and t2.getGenericType() = g
+    exists(VirtualDispatch::viableMethodImpl(_, _, t2)) and t2.getGenericType() = g
   }
 
   private predicate unificationTargets(Type t1, Type t2) {
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowNodes.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowNodes.qll
new file mode 100644
index 00000000000..552849c2c34
--- /dev/null
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowNodes.qll
@@ -0,0 +1,445 @@
+private import java
+private import semmle.code.java.dataflow.InstanceAccess
+private import semmle.code.java.dataflow.FlowSummary
+private import semmle.code.java.dataflow.TypeFlow
+private import DataFlowPrivate
+private import FlowSummaryImpl as FlowSummaryImpl
+
+cached
+private module Cached {
+  cached
+  newtype TNode =
+    TExprNode(Expr e) {
+      not e.getType() instanceof VoidType and
+      not e.getParent*() instanceof Annotation
+    } or
+    TExplicitParameterNode(Parameter p) {
+      exists(p.getCallable().getBody()) or p.getCallable() instanceof SummarizedCallable
+    } or
+    TImplicitVarargsArray(Call c) {
+      c.getCallee().isVarargs() and
+      not exists(Argument arg | arg.getCall() = c and arg.isExplicitVarargsArray())
+    } or
+    TInstanceParameterNode(Callable c) {
+      (exists(c.getBody()) or c instanceof SummarizedCallable) and
+      not c.isStatic()
+    } or
+    TImplicitInstanceAccess(InstanceAccessExt ia) { not ia.isExplicit(_) } or
+    TMallocNode(ClassInstanceExpr cie) or
+    TExplicitExprPostUpdate(Expr e) {
+      explicitInstanceArgument(_, e)
+      or
+      e instanceof Argument and not e.getType() instanceof ImmutableType
+      or
+      exists(FieldAccess fa | fa.getField() instanceof InstanceField and e = fa.getQualifier())
+      or
+      exists(ArrayAccess aa | e = aa.getArray())
+    } or
+    TImplicitExprPostUpdate(InstanceAccessExt ia) {
+      implicitInstanceArgument(_, ia)
+      or
+      exists(FieldAccess fa |
+        fa.getField() instanceof InstanceField and ia.isImplicitFieldQualifier(fa)
+      )
+    } or
+    TSummaryInternalNode(SummarizedCallable c, FlowSummaryImpl::Private::SummaryNodeState state) {
+      FlowSummaryImpl::Private::summaryNodeRange(c, state)
+    }
+
+  cached
+  predicate summaryOutNodeCached(DataFlowCall c, Node out) {
+    FlowSummaryImpl::Private::summaryOutNode(c, out, _)
+  }
+
+  cached
+  predicate summaryArgumentNodeCached(DataFlowCall c, Node arg, int i) {
+    FlowSummaryImpl::Private::summaryArgumentNode(c, arg, i)
+  }
+
+  cached
+  predicate summaryPostUpdateNodeCached(Node post, ParameterNode pre) {
+    FlowSummaryImpl::Private::summaryPostUpdateNode(post, pre)
+  }
+
+  cached
+  predicate summaryReturnNodeCached(Node ret) {
+    FlowSummaryImpl::Private::summaryReturnNode(ret, _)
+  }
+}
+
+private import Cached
+
+private predicate explicitInstanceArgument(Call call, Expr instarg) {
+  call instanceof MethodAccess and
+  instarg = call.getQualifier() and
+  not call.getCallee().isStatic()
+}
+
+private predicate implicitInstanceArgument(Call call, InstanceAccessExt ia) {
+  ia.isImplicitMethodQualifier(call) or
+  ia.isImplicitThisConstructorArgument(call)
+}
+
+module Public {
+  /**
+   * An element, viewed as a node in a data flow graph. Either an expression,
+   * a parameter, or an implicit varargs array creation.
+   */
+  class Node extends TNode {
+    /** Gets a textual representation of this element. */
+    string toString() { none() }
+
+    /** Gets the source location for this element. */
+    Location getLocation() { none() }
+
+    /** Gets the expression corresponding to this node, if any. */
+    Expr asExpr() { result = this.(ExprNode).getExpr() }
+
+    /** Gets the parameter corresponding to this node, if any. */
+    Parameter asParameter() { result = this.(ExplicitParameterNode).getParameter() }
+
+    /** Gets the type of this node. */
+    Type getType() {
+      result = this.asExpr().getType()
+      or
+      result = this.asParameter().getType()
+      or
+      exists(Parameter p |
+        result = p.getType() and
+        p.isVarargs() and
+        p = this.(ImplicitVarargsArray).getCall().getCallee().getAParameter()
+      )
+      or
+      result = this.(InstanceParameterNode).getCallable().getDeclaringType()
+      or
+      result = this.(ImplicitInstanceAccess).getInstanceAccess().getType()
+      or
+      result = this.(MallocNode).getClassInstanceExpr().getType()
+      or
+      result = this.(ImplicitPostUpdateNode).getPreUpdateNode().getType()
+    }
+
+    /** Gets the callable in which this node occurs. */
+    Callable getEnclosingCallable() {
+      result = this.asExpr().getEnclosingCallable() or
+      result = this.asParameter().getCallable() or
+      result = this.(ImplicitVarargsArray).getCall().getEnclosingCallable() or
+      result = this.(InstanceParameterNode).getCallable() or
+      result = this.(ImplicitInstanceAccess).getInstanceAccess().getEnclosingCallable() or
+      result = this.(MallocNode).getClassInstanceExpr().getEnclosingCallable() or
+      result = this.(ImplicitPostUpdateNode).getPreUpdateNode().getEnclosingCallable() or
+      this = TSummaryInternalNode(result, _)
+    }
+
+    private Type getImprovedTypeBound() {
+      exprTypeFlow(this.asExpr(), result, _) or
+      result = this.(ImplicitPostUpdateNode).getPreUpdateNode().getImprovedTypeBound()
+    }
+
+    /**
+     * Gets an upper bound on the type of this node.
+     */
+    Type getTypeBound() {
+      result = getImprovedTypeBound()
+      or
+      result = getType() and not exists(getImprovedTypeBound())
+    }
+
+    /**
+     * Holds if this element is at the specified location.
+     * The location spans column `startcolumn` of line `startline` to
+     * column `endcolumn` of line `endline` in file `filepath`.
+     * For more information, see
+     * [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
+     */
+    predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    }
+  }
+
+  /**
+   * An expression, viewed as a node in a data flow graph.
+   */
+  class ExprNode extends Node, TExprNode {
+    Expr expr;
+
+    ExprNode() { this = TExprNode(expr) }
+
+    override string toString() { result = expr.toString() }
+
+    override Location getLocation() { result = expr.getLocation() }
+
+    /** Gets the expression corresponding to this node. */
+    Expr getExpr() { result = expr }
+  }
+
+  /** Gets the node corresponding to `e`. */
+  ExprNode exprNode(Expr e) { result.getExpr() = e }
+
+  /** An explicit or implicit parameter. */
+  abstract class ParameterNode extends Node {
+    /**
+     * Holds if this node is the parameter of `c` at the specified (zero-based)
+     * position. The implicit `this` parameter is considered to have index `-1`.
+     */
+    abstract predicate isParameterOf(Callable c, int pos);
+  }
+
+  /**
+   * A parameter, viewed as a node in a data flow graph.
+   */
+  class ExplicitParameterNode extends ParameterNode, TExplicitParameterNode {
+    Parameter param;
+
+    ExplicitParameterNode() { this = TExplicitParameterNode(param) }
+
+    override string toString() { result = param.toString() }
+
+    override Location getLocation() { result = param.getLocation() }
+
+    /** Gets the parameter corresponding to this node. */
+    Parameter getParameter() { result = param }
+
+    override predicate isParameterOf(Callable c, int pos) { c.getParameter(pos) = param }
+  }
+
+  /** Gets the node corresponding to `p`. */
+  ExplicitParameterNode parameterNode(Parameter p) { result.getParameter() = p }
+
+  /**
+   * An implicit varargs array creation expression.
+   *
+   * A call `f(x1, x2)` to a method `f(A... xs)` desugars to `f(new A[]{x1, x2})`,
+   * and this node corresponds to such an implicit array creation.
+   */
+  class ImplicitVarargsArray extends Node, TImplicitVarargsArray {
+    Call call;
+
+    ImplicitVarargsArray() { this = TImplicitVarargsArray(call) }
+
+    override string toString() { result = "new ..[] { .. }" }
+
+    override Location getLocation() { result = call.getLocation() }
+
+    /** Gets the call containing this varargs array creation argument. */
+    Call getCall() { result = call }
+  }
+
+  /**
+   * An instance parameter for an instance method or constructor.
+   */
+  class InstanceParameterNode extends ParameterNode, TInstanceParameterNode {
+    Callable callable;
+
+    InstanceParameterNode() { this = TInstanceParameterNode(callable) }
+
+    override string toString() { result = "parameter this" }
+
+    override Location getLocation() { result = callable.getLocation() }
+
+    /** Gets the callable containing this `this` parameter. */
+    Callable getCallable() { result = callable }
+
+    override predicate isParameterOf(Callable c, int pos) { callable = c and pos = -1 }
+  }
+
+  /**
+   * An implicit read of `this` or `A.this`.
+   */
+  class ImplicitInstanceAccess extends Node, TImplicitInstanceAccess {
+    InstanceAccessExt ia;
+
+    ImplicitInstanceAccess() { this = TImplicitInstanceAccess(ia) }
+
+    override string toString() { result = ia.toString() }
+
+    override Location getLocation() { result = ia.getLocation() }
+
+    /** Gets the instance access corresponding to this node. */
+    InstanceAccessExt getInstanceAccess() { result = ia }
+  }
+
+  /**
+   * A node associated with an object after an operation that might have
+   * changed its state.
+   *
+   * This can be either the argument to a callable after the callable returns
+   * (which might have mutated the argument), or the qualifier of a field after
+   * an update to the field.
+   *
+   * Nodes corresponding to AST elements, for example `ExprNode`, usually refer
+   * to the value before the update with the exception of `ClassInstanceExpr`,
+   * which represents the value after the constructor has run.
+   */
+  abstract class PostUpdateNode extends Node {
+    /**
+     * Gets the node before the state update.
+     */
+    abstract Node getPreUpdateNode();
+  }
+
+  /**
+   * Gets the node that occurs as the qualifier of `fa`.
+   */
+  Node getFieldQualifier(FieldAccess fa) {
+    fa.getField() instanceof InstanceField and
+    (
+      result.asExpr() = fa.getQualifier() or
+      result.(ImplicitInstanceAccess).getInstanceAccess().isImplicitFieldQualifier(fa)
+    )
+  }
+
+  /** Gets the instance argument of a non-static call. */
+  Node getInstanceArgument(Call call) {
+    result.(MallocNode).getClassInstanceExpr() = call or
+    explicitInstanceArgument(call, result.asExpr()) or
+    implicitInstanceArgument(call, result.(ImplicitInstanceAccess).getInstanceAccess())
+  }
+}
+
+private import Public
+
+private class NewExpr extends PostUpdateNode, TExprNode {
+  NewExpr() { exists(ClassInstanceExpr cie | this = TExprNode(cie)) }
+
+  override Node getPreUpdateNode() { this = TExprNode(result.(MallocNode).getClassInstanceExpr()) }
+}
+
+/**
+ * A `PostUpdateNode` that is not a `ClassInstanceExpr`.
+ */
+abstract private class ImplicitPostUpdateNode extends PostUpdateNode {
+  override Location getLocation() { result = getPreUpdateNode().getLocation() }
+
+  override string toString() { result = getPreUpdateNode().toString() + " [post update]" }
+}
+
+private class ExplicitExprPostUpdate extends ImplicitPostUpdateNode, TExplicitExprPostUpdate {
+  override Node getPreUpdateNode() { this = TExplicitExprPostUpdate(result.asExpr()) }
+}
+
+private class ImplicitExprPostUpdate extends ImplicitPostUpdateNode, TImplicitExprPostUpdate {
+  override Node getPreUpdateNode() {
+    this = TImplicitExprPostUpdate(result.(ImplicitInstanceAccess).getInstanceAccess())
+  }
+}
+
+module Private {
+  /**
+   * A data flow node that occurs as the argument of a call and is passed as-is
+   * to the callable. Arguments that are wrapped in an implicit varargs array
+   * creation are not included, but the implicitly created array is.
+   * Instance arguments are also included.
+   */
+  class ArgumentNode extends Node {
+    ArgumentNode() {
+      exists(Argument arg | this.asExpr() = arg | not arg.isVararg())
+      or
+      this instanceof ImplicitVarargsArray
+      or
+      this = getInstanceArgument(_)
+      or
+      this.(SummaryNode).isArgumentOf(_, _)
+    }
+
+    /**
+     * Holds if this argument occurs at the given position in the given call.
+     * The instance argument is considered to have index `-1`.
+     */
+    predicate argumentOf(DataFlowCall call, int pos) {
+      exists(Argument arg | this.asExpr() = arg | call = arg.getCall() and pos = arg.getPosition())
+      or
+      call = this.(ImplicitVarargsArray).getCall() and
+      pos = call.getCallee().getNumberOfParameters() - 1
+      or
+      pos = -1 and this = getInstanceArgument(call)
+      or
+      this.(SummaryNode).isArgumentOf(call, pos)
+    }
+
+    /** Gets the call in which this node is an argument. */
+    DataFlowCall getCall() { this.argumentOf(result, _) }
+  }
+
+  /** A data flow node that occurs as the result of a `ReturnStmt`. */
+  class ReturnNode extends Node {
+    ReturnNode() {
+      exists(ReturnStmt ret | this.asExpr() = ret.getResult()) or
+      this.(SummaryNode).isReturn()
+    }
+
+    /** Gets the kind of this returned value. */
+    ReturnKind getKind() { any() }
+  }
+
+  /** A data flow node that represents the output of a call. */
+  class OutNode extends Node {
+    OutNode() {
+      this.asExpr() instanceof MethodAccess
+      or
+      this.(SummaryNode).isOut(_)
+    }
+
+    /** Gets the underlying call. */
+    DataFlowCall getCall() {
+      result = this.asExpr()
+      or
+      this.(SummaryNode).isOut(result)
+    }
+  }
+
+  /**
+   * A data-flow node used to model flow summaries.
+   */
+  class SummaryNode extends Node, TSummaryInternalNode {
+    private SummarizedCallable c;
+    private FlowSummaryImpl::Private::SummaryNodeState state;
+
+    SummaryNode() { this = TSummaryInternalNode(c, state) }
+
+    override Location getLocation() { result = c.getLocation() }
+
+    override string toString() { result = "[summary] " + state + " in " + c }
+
+    /** Holds if this summary node is the `i`th argument of `call`. */
+    predicate isArgumentOf(DataFlowCall call, int i) { summaryArgumentNodeCached(call, this, i) }
+
+    /** Holds if this summary node is a return node. */
+    predicate isReturn() { summaryReturnNodeCached(this) }
+
+    /** Holds if this summary node is an out node for `call`. */
+    predicate isOut(DataFlowCall call) { summaryOutNodeCached(call, this) }
+  }
+
+  SummaryNode getSummaryNode(SummarizedCallable c, FlowSummaryImpl::Private::SummaryNodeState state) {
+    result = TSummaryInternalNode(c, state)
+  }
+}
+
+private import Private
+
+/**
+ * A node that corresponds to the value of a `ClassInstanceExpr` before the
+ * constructor has run.
+ */
+private class MallocNode extends Node, TMallocNode {
+  ClassInstanceExpr cie;
+
+  MallocNode() { this = TMallocNode(cie) }
+
+  override string toString() { result = cie.toString() + " [pre constructor]" }
+
+  override Location getLocation() { result = cie.getLocation() }
+
+  ClassInstanceExpr getClassInstanceExpr() { result = cie }
+}
+
+private class SummaryPostUpdateNode extends SummaryNode, PostUpdateNode {
+  private Node pre;
+
+  SummaryPostUpdateNode() { summaryPostUpdateNodeCached(this, pre) }
+
+  override Node getPreUpdateNode() { result = pre }
+}
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
index f49ca8d75d9..c425eaa1185 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
@@ -4,7 +4,8 @@ private import DataFlowImplCommon
 private import DataFlowDispatch
 private import semmle.code.java.controlflow.Guards
 private import semmle.code.java.dataflow.SSA
-private import semmle.code.java.dataflow.TypeFlow
+private import FlowSummaryImpl as FlowSummaryImpl
+import DataFlowNodes::Private
 
 private newtype TReturnKind = TNormalReturnKind()
 
@@ -26,54 +27,6 @@ OutNode getAnOutNode(DataFlowCall call, ReturnKind kind) {
   kind = TNormalReturnKind()
 }
 
-/**
- * A data flow node that occurs as the argument of a call and is passed as-is
- * to the callable. Arguments that are wrapped in an implicit varargs array
- * creation are not included, but the implicitly created array is.
- * Instance arguments are also included.
- */
-class ArgumentNode extends Node {
-  ArgumentNode() {
-    exists(Argument arg | this.asExpr() = arg | not arg.isVararg())
-    or
-    this instanceof ImplicitVarargsArray
-    or
-    this = getInstanceArgument(_)
-  }
-
-  /**
-   * Holds if this argument occurs at the given position in the given call.
-   * The instance argument is considered to have index `-1`.
-   */
-  predicate argumentOf(DataFlowCall call, int pos) {
-    exists(Argument arg | this.asExpr() = arg | call = arg.getCall() and pos = arg.getPosition())
-    or
-    call = this.(ImplicitVarargsArray).getCall() and
-    pos = call.getCallee().getNumberOfParameters() - 1
-    or
-    pos = -1 and this = getInstanceArgument(call)
-  }
-
-  /** Gets the call in which this node is an argument. */
-  DataFlowCall getCall() { this.argumentOf(result, _) }
-}
-
-/** A data flow node that occurs as the result of a `ReturnStmt`. */
-class ReturnNode extends ExprNode {
-  ReturnNode() { exists(ReturnStmt ret | this.getExpr() = ret.getResult()) }
-
-  /** Gets the kind of this returned value. */
-  ReturnKind getKind() { any() }
-}
-
-/** A data flow node that represents the output of a call. */
-class OutNode extends ExprNode {
-  OutNode() { this.getExpr() instanceof MethodAccess }
-
-  /** Gets the underlying call. */
-  DataFlowCall getCall() { result = this.getExpr() }
-}
-
 /**
  * Holds if data can flow from `node1` to `node2` through a static field.
  */
@@ -147,7 +100,7 @@ class Content extends TContent {
   }
 }
 
-private class FieldContent extends Content, TFieldContent {
+class FieldContent extends Content, TFieldContent {
   InstanceField f;
 
   FieldContent() { this = TFieldContent(f) }
@@ -161,11 +114,11 @@ private class FieldContent extends Content, TFieldContent {
   }
 }
 
-private class CollectionContent extends Content, TCollectionContent {
+class CollectionContent extends Content, TCollectionContent {
   override string toString() { result = "collection" }
 }
 
-private class ArrayContent extends Content, TArrayContent {
+class ArrayContent extends Content, TArrayContent {
   override string toString() { result = "array" }
 }
 
@@ -180,6 +133,8 @@ predicate storeStep(Node node1, Content f, PostUpdateNode node2) {
     node2.getPreUpdateNode() = getFieldQualifier(fa) and
     f.(FieldContent).getField() = fa.getField()
   )
+  or
+  FlowSummaryImpl::Private::Steps::summaryStoreStep(node1, f, node2)
 }
 
 /**
@@ -205,6 +160,8 @@ predicate readStep(Node node1, Content f, Node node2) {
     node1.asExpr() = get.getQualifier() and
     node2.asExpr() = get
   )
+  or
+  FlowSummaryImpl::Private::Steps::summaryReadStep(node1, f, node2)
 }
 
 /**
@@ -213,7 +170,14 @@ predicate readStep(Node node1, Content f, Node node2) {
  * in `x.f = newValue`.
  */
 predicate clearsContent(Node n, Content c) {
-  n = any(PostUpdateNode pun | storeStep(_, c, pun)).getPreUpdateNode()
+  c instanceof FieldContent and
+  (
+    n = any(PostUpdateNode pun | storeStep(_, c, pun)).getPreUpdateNode()
+    or
+    FlowSummaryImpl::Private::Steps::summaryStoresIntoArg(c, n)
+  )
+  or
+  FlowSummaryImpl::Private::Steps::summaryClearsContent(n, c)
 }
 
 /**
@@ -221,7 +185,7 @@ predicate clearsContent(Node n, Content c) {
  * possible flow. A single type is used for all numeric types to account for
  * numeric conversions, and otherwise the erasure is used.
  */
-private DataFlowType getErasedRepr(Type t) {
+DataFlowType getErasedRepr(Type t) {
   exists(Type e | e = t.getErasure() |
     if e instanceof NumericOrCharType
     then result.(BoxedType).getPrimitiveType().getName() = "double"
@@ -235,7 +199,11 @@ private DataFlowType getErasedRepr(Type t) {
 }
 
 pragma[noinline]
-DataFlowType getNodeType(Node n) { result = getErasedRepr(n.getTypeBound()) }
+DataFlowType getNodeType(Node n) {
+  result = getErasedRepr(n.getTypeBound())
+  or
+  result = FlowSummaryImpl::Private::summaryNodeType(n)
+}
 
 /** Gets a string representation of a type returned by `getErasedRepr`. */
 string ppReprType(Type t) {
@@ -337,7 +305,7 @@ predicate isImmutableOrUnobservable(Node n) {
 }
 
 /** Holds if `n` should be hidden from path explanations. */
-predicate nodeIsHidden(Node n) { none() }
+predicate nodeIsHidden(Node n) { n instanceof SummaryNode }
 
 class LambdaCallKind = Unit;
 
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
index 828f2624ea6..030bf30bd49 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
@@ -5,280 +5,13 @@
 private import java
 private import DataFlowPrivate
 private import semmle.code.java.dataflow.SSA
-private import semmle.code.java.dataflow.TypeFlow
 private import semmle.code.java.controlflow.Guards
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSteps
+private import semmle.code.java.dataflow.FlowSummary
 import semmle.code.java.dataflow.InstanceAccess
-
-cached
-private newtype TNode =
-  TExprNode(Expr e) {
-    not e.getType() instanceof VoidType and
-    not e.getParent*() instanceof Annotation
-  } or
-  TExplicitParameterNode(Parameter p) { exists(p.getCallable().getBody()) } or
-  TImplicitVarargsArray(Call c) {
-    c.getCallee().isVarargs() and
-    not exists(Argument arg | arg.getCall() = c and arg.isExplicitVarargsArray())
-  } or
-  TInstanceParameterNode(Callable c) { exists(c.getBody()) and not c.isStatic() } or
-  TImplicitInstanceAccess(InstanceAccessExt ia) { not ia.isExplicit(_) } or
-  TMallocNode(ClassInstanceExpr cie) or
-  TExplicitExprPostUpdate(Expr e) {
-    explicitInstanceArgument(_, e)
-    or
-    e instanceof Argument and not e.getType() instanceof ImmutableType
-    or
-    exists(FieldAccess fa | fa.getField() instanceof InstanceField and e = fa.getQualifier())
-    or
-    exists(ArrayAccess aa | e = aa.getArray())
-  } or
-  TImplicitExprPostUpdate(InstanceAccessExt ia) {
-    implicitInstanceArgument(_, ia)
-    or
-    exists(FieldAccess fa |
-      fa.getField() instanceof InstanceField and ia.isImplicitFieldQualifier(fa)
-    )
-  }
-
-/**
- * An element, viewed as a node in a data flow graph. Either an expression,
- * a parameter, or an implicit varargs array creation.
- */
-class Node extends TNode {
-  /** Gets a textual representation of this element. */
-  string toString() { none() }
-
-  /** Gets the source location for this element. */
-  Location getLocation() { none() }
-
-  /** Gets the expression corresponding to this node, if any. */
-  Expr asExpr() { result = this.(ExprNode).getExpr() }
-
-  /** Gets the parameter corresponding to this node, if any. */
-  Parameter asParameter() { result = this.(ExplicitParameterNode).getParameter() }
-
-  /** Gets the type of this node. */
-  Type getType() {
-    result = this.asExpr().getType()
-    or
-    result = this.asParameter().getType()
-    or
-    exists(Parameter p |
-      result = p.getType() and
-      p.isVarargs() and
-      p = this.(ImplicitVarargsArray).getCall().getCallee().getAParameter()
-    )
-    or
-    result = this.(InstanceParameterNode).getCallable().getDeclaringType()
-    or
-    result = this.(ImplicitInstanceAccess).getInstanceAccess().getType()
-    or
-    result = this.(MallocNode).getClassInstanceExpr().getType()
-    or
-    result = this.(ImplicitPostUpdateNode).getPreUpdateNode().getType()
-  }
-
-  /** Gets the callable in which this node occurs. */
-  Callable getEnclosingCallable() {
-    result = this.asExpr().getEnclosingCallable() or
-    result = this.asParameter().getCallable() or
-    result = this.(ImplicitVarargsArray).getCall().getEnclosingCallable() or
-    result = this.(InstanceParameterNode).getCallable() or
-    result = this.(ImplicitInstanceAccess).getInstanceAccess().getEnclosingCallable() or
-    result = this.(MallocNode).getClassInstanceExpr().getEnclosingCallable() or
-    result = this.(ImplicitPostUpdateNode).getPreUpdateNode().getEnclosingCallable()
-  }
-
-  private Type getImprovedTypeBound() {
-    exprTypeFlow(this.asExpr(), result, _) or
-    result = this.(ImplicitPostUpdateNode).getPreUpdateNode().getImprovedTypeBound()
-  }
-
-  /**
-   * Gets an upper bound on the type of this node.
-   */
-  Type getTypeBound() {
-    result = getImprovedTypeBound()
-    or
-    result = getType() and not exists(getImprovedTypeBound())
-  }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-}
-
-/**
- * An expression, viewed as a node in a data flow graph.
- */
-class ExprNode extends Node, TExprNode {
-  Expr expr;
-
-  ExprNode() { this = TExprNode(expr) }
-
-  override string toString() { result = expr.toString() }
-
-  override Location getLocation() { result = expr.getLocation() }
-
-  /** Gets the expression corresponding to this node. */
-  Expr getExpr() { result = expr }
-}
-
-/** Gets the node corresponding to `e`. */
-ExprNode exprNode(Expr e) { result.getExpr() = e }
-
-/** An explicit or implicit parameter. */
-abstract class ParameterNode extends Node {
-  /**
-   * Holds if this node is the parameter of `c` at the specified (zero-based)
-   * position. The implicit `this` parameter is considered to have index `-1`.
-   */
-  abstract predicate isParameterOf(Callable c, int pos);
-}
-
-/**
- * A parameter, viewed as a node in a data flow graph.
- */
-class ExplicitParameterNode extends ParameterNode, TExplicitParameterNode {
-  Parameter param;
-
-  ExplicitParameterNode() { this = TExplicitParameterNode(param) }
-
-  override string toString() { result = param.toString() }
-
-  override Location getLocation() { result = param.getLocation() }
-
-  /** Gets the parameter corresponding to this node. */
-  Parameter getParameter() { result = param }
-
-  override predicate isParameterOf(Callable c, int pos) { c.getParameter(pos) = param }
-}
-
-/** Gets the node corresponding to `p`. */
-ExplicitParameterNode parameterNode(Parameter p) { result.getParameter() = p }
-
-/**
- * An implicit varargs array creation expression.
- *
- * A call `f(x1, x2)` to a method `f(A... xs)` desugars to `f(new A[]{x1, x2})`,
- * and this node corresponds to such an implicit array creation.
- */
-class ImplicitVarargsArray extends Node, TImplicitVarargsArray {
-  Call call;
-
-  ImplicitVarargsArray() { this = TImplicitVarargsArray(call) }
-
-  override string toString() { result = "new ..[] { .. }" }
-
-  override Location getLocation() { result = call.getLocation() }
-
-  /** Gets the call containing this varargs array creation argument. */
-  Call getCall() { result = call }
-}
-
-/**
- * An instance parameter for an instance method or constructor.
- */
-class InstanceParameterNode extends ParameterNode, TInstanceParameterNode {
-  Callable callable;
-
-  InstanceParameterNode() { this = TInstanceParameterNode(callable) }
-
-  override string toString() { result = "parameter this" }
-
-  override Location getLocation() { result = callable.getLocation() }
-
-  /** Gets the callable containing this `this` parameter. */
-  Callable getCallable() { result = callable }
-
-  override predicate isParameterOf(Callable c, int pos) { callable = c and pos = -1 }
-}
-
-/**
- * An implicit read of `this` or `A.this`.
- */
-class ImplicitInstanceAccess extends Node, TImplicitInstanceAccess {
-  InstanceAccessExt ia;
-
-  ImplicitInstanceAccess() { this = TImplicitInstanceAccess(ia) }
-
-  override string toString() { result = ia.toString() }
-
-  override Location getLocation() { result = ia.getLocation() }
-
-  InstanceAccessExt getInstanceAccess() { result = ia }
-}
-
-/**
- * A node that corresponds to the value of a `ClassInstanceExpr` before the
- * constructor has run.
- */
-private class MallocNode extends Node, TMallocNode {
-  ClassInstanceExpr cie;
-
-  MallocNode() { this = TMallocNode(cie) }
-
-  override string toString() { result = cie.toString() + " [pre constructor]" }
-
-  override Location getLocation() { result = cie.getLocation() }
-
-  ClassInstanceExpr getClassInstanceExpr() { result = cie }
-}
-
-/**
- * A node associated with an object after an operation that might have
- * changed its state.
- *
- * This can be either the argument to a callable after the callable returns
- * (which might have mutated the argument), or the qualifier of a field after
- * an update to the field.
- *
- * Nodes corresponding to AST elements, for example `ExprNode`, usually refer
- * to the value before the update with the exception of `ClassInstanceExpr`,
- * which represents the value after the constructor has run.
- */
-abstract class PostUpdateNode extends Node {
-  /**
-   * Gets the node before the state update.
-   */
-  abstract Node getPreUpdateNode();
-}
-
-private class NewExpr extends PostUpdateNode, TExprNode {
-  NewExpr() { exists(ClassInstanceExpr cie | this = TExprNode(cie)) }
-
-  override Node getPreUpdateNode() { this = TExprNode(result.(MallocNode).getClassInstanceExpr()) }
-}
-
-/**
- * A `PostUpdateNode` that is not a `ClassInstanceExpr`.
- */
-abstract private class ImplicitPostUpdateNode extends PostUpdateNode {
-  override Location getLocation() { result = getPreUpdateNode().getLocation() }
-
-  override string toString() { result = getPreUpdateNode().toString() + " [post update]" }
-}
-
-private class ExplicitExprPostUpdate extends ImplicitPostUpdateNode, TExplicitExprPostUpdate {
-  override Node getPreUpdateNode() { this = TExplicitExprPostUpdate(result.asExpr()) }
-}
-
-private class ImplicitExprPostUpdate extends ImplicitPostUpdateNode, TImplicitExprPostUpdate {
-  override Node getPreUpdateNode() {
-    this = TImplicitExprPostUpdate(result.(ImplicitInstanceAccess).getInstanceAccess())
-  }
-}
+private import FlowSummaryImpl as FlowSummaryImpl
+import DataFlowNodes::Public
 
 /** Holds if `n` is an access to an unqualified `this` at `cfgnode`. */
 private predicate thisAccess(Node n, ControlFlowNode cfgnode) {
@@ -363,7 +96,13 @@ predicate hasNonlocalValue(FieldRead fr) {
 /**
  * Holds if data can flow from `node1` to `node2` in one local step.
  */
-predicate localFlowStep(Node node1, Node node2) { simpleLocalFlowStep(node1, node2) }
+predicate localFlowStep(Node node1, Node node2) {
+  simpleLocalFlowStep(node1, node2)
+  or
+  // Simple flow through library code is included in the exposed local
+  // step relation, even though flow is technically inter-procedural
+  FlowSummaryImpl::Private::Steps::summaryThroughStep(node1, node2, true)
+}
 
 /**
  * INTERNAL: do not use.
@@ -411,33 +150,8 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {
     node2.asExpr() = ma and
     node1.(ArgumentNode).argumentOf(ma, argNo)
   )
-}
-
-/**
- * Gets the node that occurs as the qualifier of `fa`.
- */
-Node getFieldQualifier(FieldAccess fa) {
-  fa.getField() instanceof InstanceField and
-  (
-    result.asExpr() = fa.getQualifier() or
-    result.(ImplicitInstanceAccess).getInstanceAccess().isImplicitFieldQualifier(fa)
-  )
-}
-
-private predicate explicitInstanceArgument(Call call, Expr instarg) {
-  call instanceof MethodAccess and instarg = call.getQualifier() and not call.getCallee().isStatic()
-}
-
-private predicate implicitInstanceArgument(Call call, InstanceAccessExt ia) {
-  ia.isImplicitMethodQualifier(call) or
-  ia.isImplicitThisConstructorArgument(call)
-}
-
-/** Gets the instance argument of a non-static call. */
-Node getInstanceArgument(Call call) {
-  result.(MallocNode).getClassInstanceExpr() = call or
-  explicitInstanceArgument(call, result.asExpr()) or
-  implicitInstanceArgument(call, result.(ImplicitInstanceAccess).getInstanceAccess())
+  or
+  FlowSummaryImpl::Private::Steps::summaryLocalStep(node1, node2, true)
 }
 
 /**
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
new file mode 100644
index 00000000000..3c8c94c913c
--- /dev/null
+++ b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
@@ -0,0 +1,674 @@
+/**
+ * Provides classes and predicates for defining flow summaries.
+ *
+ * The definitions in this file are language-independent, and language-specific
+ * definitions are passed in via the `DataFlowImplSpecific` and
+ * `FlowSummaryImplSpecific` modules.
+ */
+
+private import FlowSummaryImplSpecific
+private import DataFlowImplSpecific::Private
+private import DataFlowImplSpecific::Public
+
+/** Provides classes and predicates for defining flow summaries. */
+module Public {
+  private import Private
+
+  /**
+   * A component used in a flow summary.
+   *
+   * Either a parameter or an argument at a given position, a specific
+   * content type, or a return kind.
+   */
+  class SummaryComponent extends TSummaryComponent {
+    /** Gets a textual representation of this summary component. */
+    string toString() {
+      exists(Content c | this = TContentSummaryComponent(c) and result = c.toString())
+      or
+      exists(int i | this = TParameterSummaryComponent(i) and result = "parameter " + i)
+      or
+      exists(int i | this = TArgumentSummaryComponent(i) and result = "argument " + i)
+      or
+      exists(ReturnKind rk | this = TReturnSummaryComponent(rk) and result = "return (" + rk + ")")
+    }
+  }
+
+  /** Provides predicates for constructing summary components. */
+  module SummaryComponent {
+    /** Gets a summary component for content `c`. */
+    SummaryComponent content(Content c) { result = TContentSummaryComponent(c) }
+
+    /** Gets a summary component for parameter `i`. */
+    SummaryComponent parameter(int i) { result = TParameterSummaryComponent(i) }
+
+    /** Gets a summary component for argument `i`. */
+    SummaryComponent argument(int i) { result = TArgumentSummaryComponent(i) }
+
+    /** Gets a summary component for a return of kind `rk`. */
+    SummaryComponent return(ReturnKind rk) { result = TReturnSummaryComponent(rk) }
+  }
+
+  /**
+   * A (non-empty) stack of summary components.
+   *
+   * A stack is used to represent where data is read from (input) or where it
+   * is written to (output). For example, an input stack `[Field f, Argument 0]`
+   * means that data is read from field `f` from the `0`th argument, while an
+   * output stack `[Field g, Return]` means that data is written to the field
+   * `g` of the returned object.
+   */
+  class SummaryComponentStack extends TSummaryComponentStack {
+    /** Gets the head of this stack. */
+    SummaryComponent head() {
+      this = TSingletonSummaryComponentStack(result) or
+      this = TConsSummaryComponentStack(result, _)
+    }
+
+    /** Gets the tail of this stack, if any. */
+    SummaryComponentStack tail() { this = TConsSummaryComponentStack(_, result) }
+
+    /** Gets the length of this stack. */
+    int length() {
+      this = TSingletonSummaryComponentStack(_) and result = 1
+      or
+      result = 1 + this.tail().length()
+    }
+
+    /** Gets the stack obtained by dropping the first `i` elements, if any. */
+    SummaryComponentStack drop(int i) {
+      i = 0 and result = this
+      or
+      result = this.tail().drop(i - 1)
+    }
+
+    /** Holds if this stack contains summary component `c`. */
+    predicate contains(SummaryComponent c) { c = this.drop(_).head() }
+
+    /** Gets a textual representation of this stack. */
+    string toString() {
+      exists(SummaryComponent head, SummaryComponentStack tail |
+        head = this.head() and
+        tail = this.tail() and
+        result = head + " of " + tail
+      )
+      or
+      exists(SummaryComponent c |
+        this = TSingletonSummaryComponentStack(c) and
+        result = c.toString()
+      )
+    }
+  }
+
+  /** Provides predicates for constructing stacks of summary components. */
+  module SummaryComponentStack {
+    /** Gets a singleton stack containing `c`. */
+    SummaryComponentStack singleton(SummaryComponent c) {
+      result = TSingletonSummaryComponentStack(c)
+    }
+
+    /**
+     * Gets the stack obtained by pushing `head` onto `tail`.
+     *
+     * Make sure to override `RequiredSummaryComponentStack::required()` in order
+     * to ensure that the constructed stack exists.
+     */
+    SummaryComponentStack push(SummaryComponent head, SummaryComponentStack tail) {
+      result = TConsSummaryComponentStack(head, tail)
+    }
+
+    /** Gets a singleton stack for argument `i`. */
+    SummaryComponentStack argument(int i) { result = singleton(SummaryComponent::argument(i)) }
+
+    /** Gets a singleton stack representing a return of kind `rk`. */
+    SummaryComponentStack return(ReturnKind rk) { result = singleton(SummaryComponent::return(rk)) }
+  }
+
+  /**
+   * A class that exists for QL technical reasons only (the IPA type used
+   * to represent component stacks needs to be bounded).
+   */
+  abstract class RequiredSummaryComponentStack extends SummaryComponentStack {
+    /**
+     * Holds if the stack obtained by pushing `head` onto `tail` is required.
+     */
+    abstract predicate required(SummaryComponent c);
+  }
+
+  /** A callable with a flow summary. */
+  abstract class SummarizedCallable extends DataFlowCallable {
+    /**
+     * Holds if data may flow from `input` to `output` through this callable.
+     *
+     * `preservesValue` indicates whether this is a value-preserving step
+     * or a taint-step.
+     *
+     * Input specifications are restricted to stacks that end with
+     * `SummaryComponent::argument(_)`, preceded by zero or more
+     * `SummaryComponent::return(_)` or `SummaryComponent::content(_)` components.
+     *
+     * Output specifications are restricted to stacks that end with
+     * `SummaryComponent::return(_)` or `SummaryComponent::argument(_)`.
+     *
+     * Output stacks ending with `SummaryComponent::return(_)` can be preceded by zero
+     * or more `SummaryComponent::content(_)` components.
+     *
+     * Output stacks ending with `SummaryComponent::argument(_)` can be preceded by an
+     * optional `SummaryComponent::parameter(_)` component, which in turn can be preceded
+     * by zero or more `SummaryComponent::content(_)` components.
+     */
+    pragma[nomagic]
+    predicate propagatesFlow(
+      SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
+    ) {
+      none()
+    }
+
+    /**
+     * Holds if values stored inside `content` are cleared on objects passed as
+     * the `i`th argument to this callable.
+     */
+    pragma[nomagic]
+    predicate clearsContent(int i, Content content) { none() }
+  }
+}
+
+/**
+ * Provides predicates for compiling flow summaries down to atomic local steps,
+ * read steps, and store steps.
+ */
+module Private {
+  private import Public
+  private import DataFlowImplCommon as DataFlowImplCommon
+
+  newtype TSummaryComponent =
+    TContentSummaryComponent(Content c) or
+    TParameterSummaryComponent(int i) { parameterPosition(i) } or
+    TArgumentSummaryComponent(int i) { parameterPosition(i) } or
+    TReturnSummaryComponent(ReturnKind rk)
+
+  newtype TSummaryComponentStack =
+    TSingletonSummaryComponentStack(SummaryComponent c) or
+    TConsSummaryComponentStack(SummaryComponent head, SummaryComponentStack tail) {
+      tail.(RequiredSummaryComponentStack).required(head)
+    }
+
+  pragma[nomagic]
+  private predicate summary(
+    SummarizedCallable c, SummaryComponentStack input, SummaryComponentStack output,
+    boolean preservesValue
+  ) {
+    c.propagatesFlow(input, output, preservesValue)
+  }
+
+  private newtype TSummaryNodeState =
+    TSummaryNodeInputState(SummaryComponentStack s) {
+      exists(SummaryComponentStack input |
+        summary(_, input, _, _) and
+        s = input.drop(_)
+      )
+    } or
+    TSummaryNodeOutputState(SummaryComponentStack s) {
+      exists(SummaryComponentStack output |
+        summary(_, _, output, _) and
+        s = output.drop(_)
+      )
+    }
+
+  /**
+   * A state used to break up (complex) flow summaries into atomic flow steps.
+   * For a flow summary
+   *
+   * ```ql
+   * propagatesFlow(
+   *   SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
+   * )
+   * ```
+   *
+   * the following states are used:
+   *
+   * - `TSummaryNodeInputState(SummaryComponentStack s)`:
+   *   this state represents that the components in `s` _have been read_ from the
+   *   input.
+   * - `TSummaryNodeOutputState(SummaryComponentStack s)`:
+   *   this state represents that the components in `s` _remain to be written_ to
+   *   the output.
+   */
+  class SummaryNodeState extends TSummaryNodeState {
+    /** Holds if this state is a valid input state for `c`. */
+    pragma[nomagic]
+    predicate isInputState(SummarizedCallable c, SummaryComponentStack s) {
+      this = TSummaryNodeInputState(s) and
+      exists(SummaryComponentStack input |
+        summary(c, input, _, _) and
+        s = input.drop(_)
+      )
+    }
+
+    /** Holds if this state is a valid output state for `c`. */
+    pragma[nomagic]
+    predicate isOutputState(SummarizedCallable c, SummaryComponentStack s) {
+      this = TSummaryNodeOutputState(s) and
+      exists(SummaryComponentStack output |
+        summary(c, _, output, _) and
+        s = output.drop(_)
+      )
+    }
+
+    /** Gets a textual representation of this state. */
+    string toString() {
+      exists(SummaryComponentStack s |
+        this = TSummaryNodeInputState(s) and
+        result = "read: " + s
+      )
+      or
+      exists(SummaryComponentStack s |
+        this = TSummaryNodeOutputState(s) and
+        result = "to write: " + s
+      )
+    }
+  }
+
+  /**
+   * Holds if `state` represents having read the `i`th argument for `c`. In this case
+   * we are not synthesizing a data-flow node, but instead assume that a relevant
+   * parameter node already exists.
+   */
+  private predicate parameterReadState(SummarizedCallable c, SummaryNodeState state, int i) {
+    state.isInputState(c, SummaryComponentStack::argument(i))
+  }
+
+  /**
+   * Holds if a synthesized summary node is needed for the state `state` in summarized
+   * callable `c`.
+   */
+  predicate summaryNodeRange(SummarizedCallable c, SummaryNodeState state) {
+    state.isInputState(c, _) and
+    not parameterReadState(c, state, _)
+    or
+    state.isOutputState(c, _)
+  }
+
+  pragma[noinline]
+  private Node summaryNodeInputState(SummarizedCallable c, SummaryComponentStack s) {
+    exists(SummaryNodeState state | state.isInputState(c, s) |
+      result = summaryNode(c, state)
+      or
+      exists(int i |
+        parameterReadState(c, state, i) and
+        result.(ParameterNode).isParameterOf(c, i)
+      )
+    )
+  }
+
+  pragma[noinline]
+  private Node summaryNodeOutputState(SummarizedCallable c, SummaryComponentStack s) {
+    exists(SummaryNodeState state |
+      state.isOutputState(c, s) and
+      result = summaryNode(c, state)
+    )
+  }
+
+  /**
+   * Holds if a write targets `post`, which is a post-update node for the `i`th
+   * parameter of `c`.
+   */
+  private predicate isParameterPostUpdate(Node post, SummarizedCallable c, int i) {
+    post = summaryNodeOutputState(c, SummaryComponentStack::argument(i))
+  }
+
+  /** Holds if a parameter node is required for the `i`th parameter of `c`. */
+  predicate summaryParameterNodeRange(SummarizedCallable c, int i) {
+    parameterReadState(c, _, i)
+    or
+    isParameterPostUpdate(_, c, i)
+  }
+
+  private predicate callbackOutput(
+    SummarizedCallable c, SummaryComponentStack s, Node receiver, ReturnKind rk
+  ) {
+    any(SummaryNodeState state).isInputState(c, s) and
+    s.head() = TReturnSummaryComponent(rk) and
+    receiver = summaryNodeInputState(c, s.drop(1))
+  }
+
+  private Node pre(Node post) {
+    summaryPostUpdateNode(post, result)
+    or
+    not summaryPostUpdateNode(post, _) and
+    result = post
+  }
+
+  private predicate callbackInput(
+    SummarizedCallable c, SummaryComponentStack s, Node receiver, int i
+  ) {
+    any(SummaryNodeState state).isOutputState(c, s) and
+    s.head() = TParameterSummaryComponent(i) and
+    receiver = pre(summaryNodeOutputState(c, s.drop(1)))
+  }
+
+  /** Holds if a call targeting `receiver` should be synthesized inside `c`. */
+  predicate summaryCallbackRange(SummarizedCallable c, Node receiver) {
+    callbackOutput(c, _, receiver, _)
+    or
+    callbackInput(c, _, receiver, _)
+  }
+
+  /**
+   * Gets the type of synthesized summary node `n`.
+   *
+   * The type is computed based on the language-specific predicates
+   * `getContentType()`, `getReturnType()`, `getCallbackParameterType()`, and
+   * `getCallbackReturnType()`.
+   */
+  DataFlowType summaryNodeType(Node n) {
+    exists(Node pre |
+      summaryPostUpdateNode(n, pre) and
+      result = getNodeType(pre)
+    )
+    or
+    exists(SummarizedCallable c, SummaryComponentStack s, SummaryComponent head | head = s.head() |
+      n = summaryNodeInputState(c, s) and
+      (
+        exists(Content cont |
+          head = TContentSummaryComponent(cont) and result = getContentType(cont)
+        )
+        or
+        exists(ReturnKind rk |
+          head = TReturnSummaryComponent(rk) and
+          result = getCallbackReturnType(getNodeType(summaryNodeInputState(c, s.drop(1))), rk)
+        )
+      )
+      or
+      n = summaryNodeOutputState(c, s) and
+      (
+        exists(Content cont |
+          head = TContentSummaryComponent(cont) and result = getContentType(cont)
+        )
+        or
+        s.length() = 1 and
+        exists(ReturnKind rk |
+          head = TReturnSummaryComponent(rk) and
+          result = getReturnType(c, rk)
+        )
+        or
+        exists(int i | head = TParameterSummaryComponent(i) |
+          result = getCallbackParameterType(getNodeType(summaryNodeOutputState(c, s.drop(1))), i)
+        )
+      )
+    )
+  }
+
+  /** Holds if summary node `out` contains output of kind `rk` from call `c`. */
+  predicate summaryOutNode(DataFlowCall c, Node out, ReturnKind rk) {
+    exists(SummarizedCallable callable, SummaryComponentStack s, Node receiver |
+      callbackOutput(callable, s, receiver, rk) and
+      out = summaryNodeInputState(callable, s) and
+      c = summaryDataFlowCall(receiver)
+    )
+  }
+
+  /** Holds if summary node `arg` is the `i`th argument of call `c`. */
+  predicate summaryArgumentNode(DataFlowCall c, Node arg, int i) {
+    exists(SummarizedCallable callable, SummaryComponentStack s, Node receiver |
+      callbackInput(callable, s, receiver, i) and
+      arg = summaryNodeOutputState(callable, s) and
+      c = summaryDataFlowCall(receiver)
+    )
+  }
+
+  /** Holds if summary node `post` is a post-update node with pre-update node `pre`. */
+  predicate summaryPostUpdateNode(Node post, ParameterNode pre) {
+    exists(SummarizedCallable c, int i |
+      isParameterPostUpdate(post, c, i) and
+      pre.isParameterOf(c, i)
+    )
+  }
+
+  /** Holds if summary node `ret` is a return node of kind `rk`. */
+  predicate summaryReturnNode(Node ret, ReturnKind rk) {
+    exists(SummarizedCallable callable, SummaryComponentStack s |
+      ret = summaryNodeOutputState(callable, s) and
+      s = TSingletonSummaryComponentStack(TReturnSummaryComponent(rk))
+    )
+  }
+
+  /** Provides a compilation of flow summaries to atomic data-flow steps. */
+  module Steps {
+    /**
+     * Holds if there is a local step from `pred` to `succ`, which is synthesized
+     * from a flow summary.
+     */
+    predicate summaryLocalStep(Node pred, Node succ, boolean preservesValue) {
+      exists(
+        SummarizedCallable c, SummaryComponentStack inputContents,
+        SummaryComponentStack outputContents
+      |
+        summary(c, inputContents, outputContents, preservesValue) and
+        pred = summaryNodeInputState(c, inputContents) and
+        succ = summaryNodeOutputState(c, outputContents)
+      )
+    }
+
+    /**
+     * Holds if there is a read step of content `c` from `pred` to `succ`, which
+     * is synthesized from a flow summary.
+     */
+    predicate summaryReadStep(Node pred, Content c, Node succ) {
+      exists(SummarizedCallable sc, SummaryComponentStack s |
+        pred = summaryNodeInputState(sc, s.drop(1)) and
+        succ = summaryNodeInputState(sc, s) and
+        SummaryComponent::content(c) = s.head()
+      )
+    }
+
+    /**
+     * Holds if there is a store step of content `c` from `pred` to `succ`, which
+     * is synthesized from a flow summary.
+     */
+    predicate summaryStoreStep(Node pred, Content c, Node succ) {
+      exists(SummarizedCallable sc, SummaryComponentStack s |
+        pred = summaryNodeOutputState(sc, s) and
+        succ = summaryNodeOutputState(sc, s.drop(1)) and
+        SummaryComponent::content(c) = s.head()
+      )
+    }
+
+    /**
+     * Holds if values stored inside content `c` are cleared when passed as
+     * input of type `input` in `call`.
+     */
+    predicate summaryClearsContent(ArgumentNode arg, Content c) {
+      exists(DataFlowCall call, int i |
+        viableCallable(call).(SummarizedCallable).clearsContent(i, c) and
+        arg.argumentOf(call, i)
+      )
+    }
+
+    pragma[nomagic]
+    private ParameterNode summaryArgParam(
+      ArgumentNode arg, DataFlowImplCommon::ReturnKindExt rk, DataFlowImplCommon::OutNodeExt out
+    ) {
+      exists(DataFlowCall call, int pos, SummarizedCallable callable |
+        arg.argumentOf(call, pos) and
+        viableCallable(call) = callable and
+        result.isParameterOf(callable, pos) and
+        out = rk.getAnOutNode(call)
+      )
+    }
+
+    /**
+     * Holds if `arg` flows to `out` using a simple flow summary, that is, a flow
+     * summary without reads and stores.
+     *
+     * NOTE: This step should not be used in global data-flow/taint-tracking, but may
+     * be useful to include in the exposed local data-flow/taint-tracking relations.
+     */
+    predicate summaryThroughStep(ArgumentNode arg, Node out, boolean preservesValue) {
+      exists(DataFlowImplCommon::ReturnKindExt rk, DataFlowImplCommon::ReturnNodeExt ret |
+        summaryLocalStep(summaryArgParam(arg, rk, out), ret, preservesValue) and
+        ret.getKind() = rk
+      )
+    }
+
+    /**
+     * Holds if there is a read(+taint) of `c` from `arg` to `out` using a
+     * flow summary.
+     *
+     * NOTE: This step should not be used in global data-flow/taint-tracking, but may
+     * be useful to include in the exposed local data-flow/taint-tracking relations.
+     */
+    predicate summaryGetterStep(ArgumentNode arg, Content c, Node out) {
+      exists(DataFlowImplCommon::ReturnKindExt rk, Node mid, DataFlowImplCommon::ReturnNodeExt ret |
+        summaryReadStep(summaryArgParam(arg, rk, out), c, mid) and
+        summaryLocalStep(mid, ret, _) and
+        ret.getKind() = rk
+      )
+    }
+
+    /**
+     * Holds if there is a (taint+)store of `arg` into content `c` of `out` using a
+     * flow summary.
+     *
+     * NOTE: This step should not be used in global data-flow/taint-tracking, but may
+     * be useful to include in the exposed local data-flow/taint-tracking relations.
+     */
+    predicate summarySetterStep(ArgumentNode arg, Content c, Node out) {
+      exists(DataFlowImplCommon::ReturnKindExt rk, Node mid, DataFlowImplCommon::ReturnNodeExt ret |
+        summaryLocalStep(summaryArgParam(arg, rk, out), mid, _) and
+        summaryStoreStep(mid, c, ret) and
+        ret.getKind() = rk
+      )
+    }
+
+    /**
+     * Holds if data is written into content `c` of argument `arg` using a flow summary.
+     *
+     * Depending on the type of `c`, this predicate may be relevant to include in the
+     * definition of `clearsContent()`.
+     */
+    predicate summaryStoresIntoArg(Content c, Node arg) {
+      exists(
+        DataFlowImplCommon::ParamUpdateReturnKind rk, DataFlowImplCommon::ReturnNodeExt ret,
+        PostUpdateNode out
+      |
+        exists(DataFlowCall call, SummarizedCallable callable |
+          DataFlowImplCommon::getNodeEnclosingCallable(ret) = callable and
+          viableCallable(call) = callable and
+          summaryStoreStep(_, c, ret) and
+          ret.getKind() = pragma[only_bind_into](rk) and
+          out = rk.getAnOutNode(call) and
+          arg = out.getPreUpdateNode()
+        )
+      )
+    }
+  }
+
+  /**
+   * Provides a means of translating externally (e.g., CSV) defined flow
+   * summaries into a `SummarizedCallable`s.
+   */
+  module External {
+    /**
+     * Provides a means of translating an externally (e.g., CSV) defined flow
+     * summary into a `SummarizedCallable`.
+     */
+    abstract class ExternalSummaryCompilation extends string {
+      bindingset[this]
+      ExternalSummaryCompilation() { any() }
+
+      /** Holds if this flow summary is for callable `c`. */
+      abstract predicate callable(DataFlowCallable c, boolean preservesValue);
+
+      /** Holds if the `i`th input component is `c`. */
+      abstract predicate input(int i, SummaryComponent c);
+
+      /** Holds if the `i`th output component is `c`. */
+      abstract predicate output(int i, SummaryComponent c);
+
+      /**
+       * Holds if the input components starting from index `i` translate into `suffix`.
+       */
+      final predicate translateInput(int i, SummaryComponentStack suffix) {
+        exists(SummaryComponent comp | this.input(i, comp) |
+          i = max(int j | this.input(j, _)) and
+          suffix = TSingletonSummaryComponentStack(comp)
+          or
+          exists(TSummaryComponent head, SummaryComponentStack tail |
+            this.translateInputCons(i, head, tail) and
+            suffix = TConsSummaryComponentStack(head, tail)
+          )
+        )
+      }
+
+      final predicate translateInputCons(int i, SummaryComponent head, SummaryComponentStack tail) {
+        this.input(i, head) and
+        this.translateInput(i + 1, tail)
+      }
+
+      /**
+       * Holds if the output components starting from index `i` translate into `suffix`.
+       */
+      predicate translateOutput(int i, SummaryComponentStack suffix) {
+        exists(SummaryComponent comp | this.output(i, comp) |
+          i = max(int j | this.output(j, _)) and
+          suffix = TSingletonSummaryComponentStack(comp)
+          or
+          exists(TSummaryComponent head, SummaryComponentStack tail |
+            this.translateOutputCons(i, head, tail) and
+            suffix = TConsSummaryComponentStack(head, tail)
+          )
+        )
+      }
+
+      predicate translateOutputCons(int i, SummaryComponent head, SummaryComponentStack tail) {
+        this.output(i, head) and
+        this.translateOutput(i + 1, tail)
+      }
+    }
+
+    private class ExternalRequiredSummaryComponentStack extends RequiredSummaryComponentStack {
+      private SummaryComponent head;
+
+      ExternalRequiredSummaryComponentStack() {
+        any(ExternalSummaryCompilation s).translateInputCons(_, head, this) or
+        any(ExternalSummaryCompilation s).translateOutputCons(_, head, this)
+      }
+
+      override predicate required(SummaryComponent c) { c = head }
+    }
+
+    class ExternalSummarizedCallableAdaptor extends SummarizedCallable {
+      ExternalSummarizedCallableAdaptor() { any(ExternalSummaryCompilation s).callable(this, _) }
+
+      override predicate propagatesFlow(
+        SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
+      ) {
+        exists(ExternalSummaryCompilation s |
+          s.callable(this, preservesValue) and
+          s.translateInput(0, input) and
+          s.translateOutput(0, output)
+        )
+      }
+    }
+  }
+
+  /** Provides a query predicate for outputting a set of relevant flow summaries. */
+  module TestOutput {
+    /** A flow summary to include in the `summary/3` query predicate. */
+    abstract class RelevantSummarizedCallable extends SummarizedCallable {
+      /** Gets the string representation of this callable used by `summary/3`. */
+      string getFullString() { result = this.toString() }
+    }
+
+    /** A query predicate for outputting flow summaries in QL tests. */
+    query predicate summary(string callable, string flow, boolean preservesValue) {
+      exists(
+        RelevantSummarizedCallable c, SummaryComponentStack input, SummaryComponentStack output
+      |
+        callable = c.getFullString() and
+        c.propagatesFlow(input, output, preservesValue) and
+        flow = input + " -> " + output
+      )
+    }
+  }
+}
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
new file mode 100644
index 00000000000..dae0571f0fa
--- /dev/null
+++ b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
@@ -0,0 +1,51 @@
+/**
+ * Provides Java specific classes and predicates for definining flow summaries.
+ */
+
+private import java
+private import DataFlowPrivate
+private import DataFlowUtil
+private import FlowSummaryImpl::Private
+private import FlowSummaryImpl::Public
+
+private module FlowSummaries {
+  private import semmle.code.java.dataflow.FlowSummary as F
+}
+
+/** Holds is `i` is a valid parameter position. */
+predicate parameterPosition(int i) { i in [-1 .. any(Parameter p).getPosition()] }
+
+/** Gets the synthesized summary data-flow node for the given values. */
+Node summaryNode(SummarizedCallable c, SummaryNodeState state) { result = getSummaryNode(c, state) }
+
+/** Gets the synthesized data-flow call for `receiver`. */
+DataFlowCall summaryDataFlowCall(Node receiver) { none() }
+
+/** Gets the type of content `c`. */
+DataFlowType getContentType(Content c) {
+  result = getErasedRepr(c.(FieldContent).getField().getType())
+  or
+  c instanceof CollectionContent and
+  result instanceof TypeObject
+  or
+  c instanceof ArrayContent and
+  result instanceof TypeObject
+}
+
+/** Gets the return type of kind `rk` for callable `c`. */
+DataFlowType getReturnType(SummarizedCallable c, ReturnKind rk) {
+  result = getErasedRepr(c.getReturnType()) and
+  exists(rk)
+}
+
+/**
+ * Gets the type of the `i`th parameter in a synthesized call that targets a
+ * callback of type `t`.
+ */
+DataFlowType getCallbackParameterType(DataFlowType t, int i) { none() }
+
+/**
+ * Gets the return type of kind `rk` in a synthesized call that targets a
+ * callback of type `t`.
+ */
+DataFlowType getCallbackReturnType(DataFlowType t, ReturnKind rk) { none() }
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index d7cf0a8440a..0f20ffe62db 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -13,6 +13,7 @@ private import semmle.code.java.frameworks.Networking
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.internal.DataFlowPrivate
 import semmle.code.java.dataflow.FlowSteps
+private import FlowSummaryImpl as FlowSummaryImpl
 
 /**
  * Holds if taint can flow from `src` to `sink` in zero or more
@@ -33,7 +34,10 @@ predicate localExprTaint(Expr src, Expr sink) {
  */
 predicate localTaintStep(DataFlow::Node src, DataFlow::Node sink) {
   DataFlow::localFlowStep(src, sink) or
-  localAdditionalTaintStep(src, sink)
+  localAdditionalTaintStep(src, sink) or
+  // Simple flow through library code is included in the exposed local
+  // step relation, even though flow is technically inter-procedural
+  FlowSummaryImpl::Private::Steps::summaryThroughStep(src, sink, false)
 }
 
 /**
@@ -61,6 +65,8 @@ private predicate localAdditionalBasicTaintStep(DataFlow::Node src, DataFlow::No
     arg.isVararg() and
     sink.(DataFlow::ImplicitVarargsArray).getCall() = arg.getCall()
   )
+  or
+  FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, false)
 }
 
 /**
diff --git a/java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.ql b/java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.ql
index e8cd912e58a..41b5a413386 100644
--- a/java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.ql
+++ b/java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.ql
@@ -2,5 +2,7 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.internal.TaintTrackingUtil
 
 from DataFlow::Node src, DataFlow::Node sink
-where localAdditionalTaintStep(src, sink)
+where
+  localAdditionalTaintStep(src, sink) and
+  src.getLocation().getFile().getExtension() = "java"
 select src, sink

From 04b0682bbf9dd698f02a20946a310a9531e65921 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Fri, 9 Apr 2021 16:14:51 +0000
Subject: [PATCH 0283/1429] Use isAdditionalTaintStep and make the query more
 readable

---
 .../CWE-1004/SensitiveCookieNotHttpOnly.ql    | 194 +++++++++---------
 1 file changed, 99 insertions(+), 95 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
index d566bd53945..cb8f7412014 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -1,14 +1,22 @@
 /**
  * @name Sensitive cookies without the HttpOnly response header set
  * @description Sensitive cookies without the 'HttpOnly' flag set leaves session cookies vulnerable to
- *              an XSS attack. This query checks whether 'HttpOnly' is not set in a Java Cookie object
- *              or the 'Set-Cookie' HTTP header.
+ *              an XSS attack.
  * @kind path-problem
  * @id java/sensitive-cookie-not-httponly
  * @tags security
  *       external/cwe/cwe-1004
  */
 
+/*
+ * Sketch of the structure of this query: we track cookie names that appear to be sensitive
+ * (e.g. `session` or `token`) to a `ServletResponse.addHeader(...)` or `.addCookie(...)`
+ * method that does not set the `httpOnly` flag. Subsidiary configurations
+ * `MatchesHttpOnlyConfiguration` and `SetHttpOnlyInCookieConfiguration` are used to establish
+ * when the `httpOnly` flag is likely to have been set, before configuration
+ * `MissingHttpOnlyConfiguration` establishes that a non-`httpOnly` cookie has a sensitive-seeming name.
+ */
+
 import java
 import semmle.code.java.dataflow.FlowSteps
 import semmle.code.java.frameworks.Servlets
@@ -34,6 +42,11 @@ predicate isSensitiveCookieNameExpr(Expr expr) {
   isSensitiveCookieNameExpr(expr.(AddExpr).getAnOperand())
 }
 
+/** A sensitive cookie name. */
+class SensitiveCookieNameExpr extends Expr {
+  SensitiveCookieNameExpr() { isSensitiveCookieNameExpr(this) }
+}
+
 /** A method call that sets a `Set-Cookie` header. */
 class SetCookieMethodAccess extends MethodAccess {
   SetCookieMethodAccess() {
@@ -70,109 +83,26 @@ class CookieClass extends RefType {
 }
 
 /** Holds if the `expr` is `true` or a variable that is ever assigned `true`. */
+// This could be a very large result set if computed out of context
+pragma[inline]
 predicate mayBeBooleanTrue(Expr expr) {
-  expr.(CompileTimeConstantExpr).getBooleanValue() = true or
-  expr.(VarAccess).getVariable().getAnAssignedValue().(CompileTimeConstantExpr).getBooleanValue() =
-    true
+  expr.getType() instanceof BooleanType and
+  not expr.(CompileTimeConstantExpr).getBooleanValue() = false
 }
 
-/** Holds if the method call sets the `HttpOnly` flag. */
+/** Holds if the method call may set the `HttpOnly` flag. */
 predicate setsCookieHttpOnly(MethodAccess ma) {
   ma.getMethod().getName() = "setHttpOnly" and
-  (
-    ma.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = true
-    or
-    // any use of setHttpOnly(x) where x isn't false is probably safe
-    not exists(VarAccess va |
-      ma.getArgument(0).(VarAccess).getVariable().getAnAccess() = va and
-      va.getVariable().getAnAssignedValue().(CompileTimeConstantExpr).getBooleanValue() = false
-    )
-  )
-}
-
-/**
- * A taint configuration tracking flow of a method or a wrapper method that sets
- * the `HttpOnly` flag.
- */
-class SetHttpOnlyInCookieConfiguration extends TaintTracking2::Configuration {
-  SetHttpOnlyInCookieConfiguration() { this = "SetHttpOnlyInCookieConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) {
-    source.asExpr() =
-      any(MethodAccess ma | setsCookieHttpOnly(ma) or removeCookie(ma)).getQualifier()
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() =
-      any(MethodAccess ma | ma.getMethod() instanceof ResponseAddCookieMethod).getArgument(0)
-  }
+  // any use of setHttpOnly(x) where x isn't false is probably safe
+  mayBeBooleanTrue(ma.getArgument(0))
 }
 
 /** Holds if `ma` removes a cookie. */
-predicate removeCookie(MethodAccess ma) {
+predicate removesCookie(MethodAccess ma) {
   ma.getMethod().getName() = "setMaxAge" and
   ma.getArgument(0).(IntegerLiteral).getIntValue() = 0
 }
 
-/** A sensitive cookie name. */
-class SensitiveCookieNameExpr extends Expr {
-  SensitiveCookieNameExpr() { isSensitiveCookieNameExpr(this) }
-}
-
-/** A cookie that is added to an HTTP response, used as a sink in `MissingHttpOnlyConfiguration`. */
-class CookieResponseSink extends DataFlow::ExprNode {
-  CookieResponseSink() {
-    exists(MethodAccess ma |
-      (
-        ma.getMethod() instanceof ResponseAddCookieMethod and
-        this.getExpr() = ma.getArgument(0) and
-        not exists(SetHttpOnlyInCookieConfiguration cc | cc.hasFlowTo(this))
-        or
-        ma instanceof SetCookieMethodAccess and
-        this.getExpr() = ma.getArgument(1) and
-        not exists(MatchesHttpOnlyConfiguration cc | cc.hasFlowTo(this)) // response.addHeader("Set-Cookie", "token=" +authId + ";HttpOnly;Secure")
-      ) and
-      not isTestMethod(ma) // Test class or method
-    )
-  }
-}
-
-/**
- * Holds if `ClassInstanceExpr` cie is an invocation of a JAX-RS `NewCookie` constructor
- * that sets `HttpOnly` to true.
- */
-predicate setHttpOnlyInNewCookie(ClassInstanceExpr cie) {
-  cie.getConstructedType().hasQualifiedName(["javax.ws.rs.core", "jakarta.ws.rs.core"], "NewCookie") and
-  (
-    cie.getNumArgument() = 6 and
-    mayBeBooleanTrue(cie.getArgument(5)) // NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
-    or
-    cie.getNumArgument() = 8 and
-    cie.getArgument(6).getType() instanceof BooleanType and
-    mayBeBooleanTrue(cie.getArgument(7)) // NewCookie(String name, String value, String path, String domain, String comment, int maxAge, boolean secure, boolean httpOnly)
-    or
-    cie.getNumArgument() = 10 and
-    mayBeBooleanTrue(cie.getArgument(9)) // NewCookie(String name, String value, String path, String domain, int version, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
-  )
-}
-
-/** The cookie constructor. */
-class CookieTaintPreservingConstructor extends Constructor, TaintPreservingCallable {
-  CookieTaintPreservingConstructor() { this.getDeclaringType() instanceof CookieClass }
-
-  override predicate returnsTaintFrom(int arg) { arg = 0 }
-}
-
-/** The method call `toString` to get a stringified cookie representation. */
-class CookieToString extends TaintPreservingCallable {
-  CookieToString() {
-    this.getDeclaringType() instanceof CookieClass and
-    this.hasName("toString")
-  }
-
-  override predicate returnsTaintFrom(int arg) { arg = -1 }
-}
-
 /**
  * Holds if the MethodAccess `ma` is a test method call indicated by:
  *    a) in a test directory such as `src/test/java`
@@ -192,6 +122,61 @@ predicate isTestMethod(MethodAccess ma) {
   )
 }
 
+/**
+ * A taint configuration tracking flow of a method or a wrapper method that sets the `HttpOnly`
+ * flag, or one that removes a cookie, to a `ServletResponse.addCookie` call.
+ */
+class SetHttpOnlyInCookieConfiguration extends TaintTracking2::Configuration {
+  SetHttpOnlyInCookieConfiguration() { this = "SetHttpOnlyInCookieConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr() =
+      any(MethodAccess ma | setsCookieHttpOnly(ma) or removesCookie(ma)).getQualifier()
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() =
+      any(MethodAccess ma | ma.getMethod() instanceof ResponseAddCookieMethod).getArgument(0)
+  }
+}
+
+/**
+ * A cookie that is added to an HTTP response and which doesn't have `httpOnly` set, used as a sink
+ * in `MissingHttpOnlyConfiguration`.
+ */
+class CookieResponseSink extends DataFlow::ExprNode {
+  CookieResponseSink() {
+    exists(MethodAccess ma |
+      (
+        ma.getMethod() instanceof ResponseAddCookieMethod and
+        this.getExpr() = ma.getArgument(0) and
+        not exists(SetHttpOnlyInCookieConfiguration cc | cc.hasFlowTo(this))
+        or
+        ma instanceof SetCookieMethodAccess and
+        this.getExpr() = ma.getArgument(1) and
+        not exists(MatchesHttpOnlyConfiguration cc | cc.hasFlowTo(this)) // response.addHeader("Set-Cookie", "token=" +authId + ";HttpOnly;Secure")
+      ) and
+      not isTestMethod(ma) // Test class or method
+    )
+  }
+}
+
+/** Holds if `cie` is an invocation of a JAX-RS `NewCookie` constructor that sets `HttpOnly` to true. */
+predicate setsHttpOnlyInNewCookie(ClassInstanceExpr cie) {
+  cie.getConstructedType().hasQualifiedName(["javax.ws.rs.core", "jakarta.ws.rs.core"], "NewCookie") and
+  (
+    cie.getNumArgument() = 6 and
+    mayBeBooleanTrue(cie.getArgument(5)) // NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
+    or
+    cie.getNumArgument() = 8 and
+    cie.getArgument(6).getType() instanceof BooleanType and
+    mayBeBooleanTrue(cie.getArgument(7)) // NewCookie(String name, String value, String path, String domain, String comment, int maxAge, boolean secure, boolean httpOnly)
+    or
+    cie.getNumArgument() = 10 and
+    mayBeBooleanTrue(cie.getArgument(9)) // NewCookie(String name, String value, String path, String domain, int version, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly)
+  )
+}
+
 /**
  * A taint configuration tracking flow from a sensitive cookie without the `HttpOnly` flag
  * set to its HTTP response.
@@ -206,8 +191,27 @@ class MissingHttpOnlyConfiguration extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof CookieResponseSink }
 
   override predicate isSanitizer(DataFlow::Node node) {
-    // new NewCookie("session-access-key", accessKey, "/", null, null, 0, true, true)
-    setHttpOnlyInNewCookie(node.asExpr())
+    // JAX-RS's `new NewCookie("session-access-key", accessKey, "/", null, null, 0, true, true)` and similar
+    setsHttpOnlyInNewCookie(node.asExpr())
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(
+      ConstructorCall cc // new Cookie(...)
+    |
+      cc.getConstructedType() instanceof CookieClass and
+      pred.asExpr() = cc.getAnArgument() and
+      succ.asExpr() = cc
+    )
+    or
+    exists(
+      MethodAccess ma // cookie.toString()
+    |
+      ma.getMethod().getName() = "toString" and
+      ma.getQualifier().getType() instanceof CookieClass and
+      pred.asExpr() = ma.getQualifier() and
+      succ.asExpr() = ma
+    )
   }
 }
 

From cc4827600bf8c1a77c342c7f82548fd910d159ea Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Fri, 9 Apr 2021 17:11:47 +0000
Subject: [PATCH 0284/1429] Python: Use API graphs in `Stdlib.qll`

Eliminates _almost_ all of the bespoke type trackers found here. The
ones that remain do not fit easily inside the framework of API graphs
(at least, not yet), and I did not see any easy ways to clean them up.
They have, however, been rewritten to use `LocalSourceNode` internally,
which was the primary goal of this exercise.

I'm sure we could also clean up many of the inner modules given the more
lean presentation we have now, but this can wait for a different PR.
---
 .../src/semmle/python/frameworks/Stdlib.qll   | 857 +++---------------
 1 file changed, 143 insertions(+), 714 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index 2626d1585ff..3441c670fde 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -17,57 +17,7 @@ private module Stdlib {
   // os
   // ---------------------------------------------------------------------------
   /** Gets a reference to the `os` module. */
-  private DataFlow::Node os(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("os")
-    or
-    exists(DataFlow::TypeTracker t2 | result = os(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `os` module. */
-  DataFlow::Node os() { result = os(DataFlow::TypeTracker::end()) }
-
-  /**
-   * Gets a reference to the attribute `attr_name` of the `os` module.
-   * WARNING: Only holds for a few predefined attributes.
-   *
-   * For example, using `attr_name = "system"` will get all uses of `os.system`.
-   */
-  private DataFlow::Node os_attr(DataFlow::TypeTracker t, string attr_name) {
-    attr_name in [
-        "system", "popen", "popen2", "popen3", "popen4",
-        // exec
-        "execl", "execle", "execlp", "execlpe", "execv", "execve", "execvp", "execvpe",
-        // spawn
-        "spawnl", "spawnle", "spawnlp", "spawnlpe", "spawnv", "spawnve", "spawnvp", "spawnvpe",
-        "posix_spawn", "posix_spawnp",
-        // modules
-        "path"
-      ] and
-    (
-      t.start() and
-      result = DataFlow::importNode("os." + attr_name)
-      or
-      t.startInAttr(attr_name) and
-      result = DataFlow::importNode("os")
-    )
-    or
-    // Due to bad performance when using normal setup with `os_attr(t2, attr_name).track(t2, t)`
-    // we have inlined that code and forced a join
-    exists(DataFlow::TypeTracker t2 |
-      exists(DataFlow::StepSummary summary |
-        os_attr_first_join(t2, attr_name, result, summary) and
-        t = t2.append(summary)
-      )
-    )
-  }
-
-  pragma[nomagic]
-  private predicate os_attr_first_join(
-    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
-  ) {
-    DataFlow::StepSummary::step(os_attr(t2, attr_name), res, summary)
-  }
+  API::Node os() { result = API::moduleImport("os") }
 
   /**
    * Gets a reference to the attribute `attr_name` of the `os` module.
@@ -75,14 +25,12 @@ private module Stdlib {
    *
    * For example, using `"system"` will get all uses of `os.system`.
    */
-  private DataFlow::Node os_attr(string attr_name) {
-    result = os_attr(DataFlow::TypeTracker::end(), attr_name)
-  }
+  private API::Node os_attr(string attr_name) { result = os().getMember(attr_name) }
 
   /** Provides models for the `os` module. */
   module os {
     /** Gets a reference to the `os.path` module. */
-    DataFlow::Node path() { result = os_attr("path") }
+    API::Node path() { result = os_attr("path") }
 
     /** Provides models for the `os.path` module */
     module path {
@@ -92,46 +40,10 @@ private module Stdlib {
        *
        * For example, using `attr_name = "join"` will get all uses of `os.path.join`.
        */
-      private DataFlow::Node path_attr(DataFlow::TypeTracker t, string attr_name) {
-        attr_name in ["join", "normpath", "realpath", "abspath"] and
-        (
-          t.start() and
-          result = DataFlow::importNode("os.path." + attr_name)
-          or
-          t.startInAttr(attr_name) and
-          result = os::path()
-        )
-        or
-        // Due to bad performance when using normal setup with `path_attr(t2, attr_name).track(t2, t)`
-        // we have inlined that code and forced a join
-        exists(DataFlow::TypeTracker t2 |
-          exists(DataFlow::StepSummary summary |
-            path_attr_first_join(t2, attr_name, result, summary) and
-            t = t2.append(summary)
-          )
-        )
-      }
-
-      pragma[nomagic]
-      private predicate path_attr_first_join(
-        DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-        DataFlow::StepSummary summary
-      ) {
-        DataFlow::StepSummary::step(path_attr(t2, attr_name), res, summary)
-      }
-
-      /**
-       * Gets a reference to the attribute `attr_name` of the `os.path` module.
-       * WARNING: Only holds for a few predefined attributes.
-       *
-       * For example, using `attr_name = "join"` will get all uses of `os.path.join`.
-       */
-      DataFlow::Node path_attr(string attr_name) {
-        result = path_attr(DataFlow::TypeTracker::end(), attr_name)
-      }
+      API::Node path_attr(string attr_name) { result = path().getMember(attr_name) }
 
       /** Gets a reference to the `os.path.join` function. */
-      DataFlow::Node join() { result = path_attr("join") }
+      API::Node join() { result = path_attr("join") }
     }
   }
 
@@ -139,10 +51,8 @@ private module Stdlib {
    * A call to `os.path.normpath`.
    * See https://docs.python.org/3/library/os.path.html#os.path.normpath
    */
-  private class OsPathNormpathCall extends Path::PathNormalization::Range, DataFlow::CfgNode {
-    override CallNode node;
-
-    OsPathNormpathCall() { node.getFunction() = os::path::path_attr("normpath").asCfgNode() }
+  private class OsPathNormpathCall extends Path::PathNormalization::Range, DataFlow::CallCfgNode {
+    OsPathNormpathCall() { this = os::path::path_attr("normpath").getACall() }
 
     DataFlow::Node getPathArg() {
       result.asCfgNode() in [node.getArg(0), node.getArgByName("path")]
@@ -166,7 +76,7 @@ private module Stdlib {
   private class OsPathAbspathCall extends Path::PathNormalization::Range, DataFlow::CfgNode {
     override CallNode node;
 
-    OsPathAbspathCall() { node.getFunction() = os::path::path_attr("abspath").asCfgNode() }
+    OsPathAbspathCall() { this = os::path::path_attr("abspath").getACall() }
 
     DataFlow::Node getPathArg() {
       result.asCfgNode() in [node.getArg(0), node.getArgByName("path")]
@@ -190,7 +100,7 @@ private module Stdlib {
   private class OsPathRealpathCall extends Path::PathNormalization::Range, DataFlow::CfgNode {
     override CallNode node;
 
-    OsPathRealpathCall() { node.getFunction() = os::path::path_attr("realpath").asCfgNode() }
+    OsPathRealpathCall() { this = os::path::path_attr("realpath").getACall() }
 
     DataFlow::Node getPathArg() {
       result.asCfgNode() in [node.getArg(0), node.getArgByName("path")]
@@ -214,7 +124,7 @@ private module Stdlib {
   private class OsSystemCall extends SystemCommandExecution::Range, DataFlow::CfgNode {
     override CallNode node;
 
-    OsSystemCall() { node.getFunction() = os_attr("system").asCfgNode() }
+    OsSystemCall() { this = os_attr("system").getACall() }
 
     override DataFlow::Node getCommand() { result.asCfgNode() = node.getArg(0) }
   }
@@ -233,7 +143,7 @@ private module Stdlib {
 
     OsPopenCall() {
       name in ["popen", "popen2", "popen3", "popen4"] and
-      node.getFunction() = os_attr(name).asCfgNode()
+      this = os_attr(name).getACall()
     }
 
     override DataFlow::Node getCommand() {
@@ -254,7 +164,7 @@ private module Stdlib {
     OsExecCall() {
       exists(string name |
         name in ["execl", "execle", "execlp", "execlpe", "execv", "execve", "execvp", "execvpe"] and
-        node.getFunction() = os_attr(name).asCfgNode()
+        this = os_attr(name).getACall()
       )
     }
 
@@ -273,7 +183,7 @@ private module Stdlib {
         name in [
             "spawnl", "spawnle", "spawnlp", "spawnlpe", "spawnv", "spawnve", "spawnvp", "spawnvpe"
           ] and
-        node.getFunction() = os_attr(name).asCfgNode()
+        this = os_attr(name).getACall()
       )
     }
 
@@ -287,7 +197,7 @@ private module Stdlib {
   private class OsPosixSpawnCall extends SystemCommandExecution::Range, DataFlow::CfgNode {
     override CallNode node;
 
-    OsPosixSpawnCall() { node.getFunction() = os_attr(["posix_spawn", "posix_spawnp"]).asCfgNode() }
+    OsPosixSpawnCall() { this = os_attr(["posix_spawn", "posix_spawnp"]).getACall() }
 
     override DataFlow::Node getCommand() { result.asCfgNode() = node.getArg(0) }
   }
@@ -297,7 +207,7 @@ private module Stdlib {
     override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
       exists(CallNode call |
         nodeTo.asCfgNode() = call and
-        call.getFunction() = os::path::join().asCfgNode() and
+        call = os::path::join().getACall().asCfgNode() and
         call.getAnArg() = nodeFrom.asCfgNode()
       )
       // TODO: Handle pathlib (like we do for os.path.join)
@@ -308,48 +218,7 @@ private module Stdlib {
   // subprocess
   // ---------------------------------------------------------------------------
   /** Gets a reference to the `subprocess` module. */
-  private DataFlow::Node subprocess(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("subprocess")
-    or
-    exists(DataFlow::TypeTracker t2 | result = subprocess(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `subprocess` module. */
-  DataFlow::Node subprocess() { result = subprocess(DataFlow::TypeTracker::end()) }
-
-  /**
-   * Gets a reference to the attribute `attr_name` of the `subprocess` module.
-   * WARNING: Only holds for a few predefined attributes.
-   *
-   * For example, using `attr_name = "Popen"` will get all uses of `subprocess.Popen`.
-   */
-  private DataFlow::Node subprocess_attr(DataFlow::TypeTracker t, string attr_name) {
-    attr_name in ["Popen", "call", "check_call", "check_output", "run"] and
-    (
-      t.start() and
-      result = DataFlow::importNode("subprocess." + attr_name)
-      or
-      t.startInAttr(attr_name) and
-      result = subprocess()
-    )
-    or
-    // Due to bad performance when using normal setup with `subprocess_attr(t2, attr_name).track(t2, t)`
-    // we have inlined that code and forced a join
-    exists(DataFlow::TypeTracker t2 |
-      exists(DataFlow::StepSummary summary |
-        subprocess_attr_first_join(t2, attr_name, result, summary) and
-        t = t2.append(summary)
-      )
-    )
-  }
-
-  pragma[nomagic]
-  private predicate subprocess_attr_first_join(
-    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
-  ) {
-    DataFlow::StepSummary::step(subprocess_attr(t2, attr_name), res, summary)
-  }
+  deprecated DataFlow::Node subprocess() { result = API::moduleImport("subprocess").getAUse() }
 
   /**
    * Gets a reference to the attribute `attr_name` of the `subprocess` module.
@@ -358,7 +227,7 @@ private module Stdlib {
    * For example, using `attr_name = "Popen"` will get all uses of `subprocess.Popen`.
    */
   private DataFlow::Node subprocess_attr(string attr_name) {
-    result = subprocess_attr(DataFlow::TypeTracker::end(), attr_name)
+    result = API::moduleImport("subprocess").getMember(attr_name).getAUse()
   }
 
   /**
@@ -443,45 +312,26 @@ private module Stdlib {
   // marshal
   // ---------------------------------------------------------------------------
   /** Gets a reference to the `marshal` module. */
-  private DataFlow::Node marshal(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("marshal")
-    or
-    exists(DataFlow::TypeTracker t2 | result = marshal(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `marshal` module. */
-  DataFlow::Node marshal() { result = marshal(DataFlow::TypeTracker::end()) }
+  deprecated DataFlow::Node marshal() { result = API::moduleImport("marshal").getAUse() }
 
   /** Provides models for the `marshal` module. */
   module marshal {
     /** Gets a reference to the `marshal.loads` function. */
-    private DataFlow::Node loads(DataFlow::TypeTracker t) {
-      t.start() and
-      result = DataFlow::importNode("marshal.loads")
-      or
-      t.startInAttr("loads") and
-      result = marshal()
-      or
-      exists(DataFlow::TypeTracker t2 | result = loads(t2).track(t2, t))
+    deprecated DataFlow::Node loads() {
+      result = API::moduleImport("marshal").getMember("loads").getAUse()
     }
-
-    /** Gets a reference to the `marshal.loads` function. */
-    DataFlow::Node loads() { result = loads(DataFlow::TypeTracker::end()) }
   }
 
   /**
    * A call to `marshal.loads`
    * See https://docs.python.org/3/library/marshal.html#marshal.loads
    */
-  private class MarshalLoadsCall extends Decoding::Range, DataFlow::CfgNode {
-    override CallNode node;
-
-    MarshalLoadsCall() { node.getFunction() = marshal::loads().asCfgNode() }
+  private class MarshalLoadsCall extends Decoding::Range, DataFlow::CallCfgNode {
+    MarshalLoadsCall() { this = API::moduleImport("marshal").getMember("loads").getACall() }
 
     override predicate mayExecuteInput() { any() }
 
-    override DataFlow::Node getAnInput() { result.asCfgNode() = node.getArg(0) }
+    override DataFlow::Node getAnInput() { result = this.getArg(0) }
 
     override DataFlow::Node getOutput() { result = this }
 
@@ -494,45 +344,28 @@ private module Stdlib {
   private string pickleModuleName() { result in ["pickle", "cPickle", "_pickle"] }
 
   /** Gets a reference to the `pickle` module. */
-  private DataFlow::Node pickle(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode(pickleModuleName())
-    or
-    exists(DataFlow::TypeTracker t2 | result = pickle(t2).track(t2, t))
+  deprecated DataFlow::Node pickle() {
+    result = API::moduleImport(["pickle", "cPickle", "_pickle"]).getAUse()
   }
 
-  /** Gets a reference to the `pickle` module. */
-  DataFlow::Node pickle() { result = pickle(DataFlow::TypeTracker::end()) }
-
   /** Provides models for the `pickle` module. */
   module pickle {
     /** Gets a reference to the `pickle.loads` function. */
-    private DataFlow::Node loads(DataFlow::TypeTracker t) {
-      t.start() and
-      result = DataFlow::importNode(pickleModuleName() + ".loads")
-      or
-      t.startInAttr("loads") and
-      result = pickle()
-      or
-      exists(DataFlow::TypeTracker t2 | result = loads(t2).track(t2, t))
+    DataFlow::Node loads() {
+      result = API::moduleImport(["pickle", "cPickle", "_pickle"]).getMember("loads").getAUse()
     }
-
-    /** Gets a reference to the `pickle.loads` function. */
-    DataFlow::Node loads() { result = loads(DataFlow::TypeTracker::end()) }
   }
 
   /**
    * A call to `pickle.loads`
    * See https://docs.python.org/3/library/pickle.html#pickle.loads
    */
-  private class PickleLoadsCall extends Decoding::Range, DataFlow::CfgNode {
-    override CallNode node;
-
-    PickleLoadsCall() { node.getFunction() = pickle::loads().asCfgNode() }
+  private class PickleLoadsCall extends Decoding::Range, DataFlow::CallCfgNode {
+    PickleLoadsCall() { this.getFunction() = pickle::loads() }
 
     override predicate mayExecuteInput() { any() }
 
-    override DataFlow::Node getAnInput() { result.asCfgNode() = node.getArg(0) }
+    override DataFlow::Node getAnInput() { result = this.getArg(0) }
 
     override DataFlow::Node getOutput() { result = this }
 
@@ -543,57 +376,14 @@ private module Stdlib {
   // popen2
   // ---------------------------------------------------------------------------
   /** Gets a reference to the `popen2` module (only available in Python 2). */
-  private DataFlow::Node popen2(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("popen2")
-    or
-    exists(DataFlow::TypeTracker t2 | result = popen2(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `popen2` module (only available in Python 2). */
-  DataFlow::Node popen2() { result = popen2(DataFlow::TypeTracker::end()) }
+  API::Node popen2() { result = API::moduleImport("popen2") }
 
   /**
    * Gets a reference to the attribute `attr_name` of the `popen2` module.
    * WARNING: Only holds for a few predefined attributes.
    */
-  private DataFlow::Node popen2_attr(DataFlow::TypeTracker t, string attr_name) {
-    attr_name in [
-        "popen2", "popen3", "popen4",
-        // classes
-        "Popen3", "Popen4"
-      ] and
-    (
-      t.start() and
-      result = DataFlow::importNode("popen2." + attr_name)
-      or
-      t.startInAttr(attr_name) and
-      result = DataFlow::importNode("popen2")
-    )
-    or
-    // Due to bad performance when using normal setup with `popen2_attr(t2, attr_name).track(t2, t)`
-    // we have inlined that code and forced a join
-    exists(DataFlow::TypeTracker t2 |
-      exists(DataFlow::StepSummary summary |
-        popen2_attr_first_join(t2, attr_name, result, summary) and
-        t = t2.append(summary)
-      )
-    )
-  }
-
-  pragma[nomagic]
-  private predicate popen2_attr_first_join(
-    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
-  ) {
-    DataFlow::StepSummary::step(popen2_attr(t2, attr_name), res, summary)
-  }
-
-  /**
-   * Gets a reference to the attribute `attr_name` of the `popen2` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private DataFlow::Node popen2_attr(string attr_name) {
-    result = popen2_attr(DataFlow::TypeTracker::end(), attr_name)
+  private API::Node popen2_attr(string attr_name) {
+    result = API::moduleImport("popen2").getMember(attr_name)
   }
 
   /**
@@ -606,7 +396,7 @@ private module Stdlib {
     Popen2PopenCall() {
       exists(string name |
         name in ["popen2", "popen3", "popen4", "Popen3", "Popen4"] and
-        node.getFunction() = popen2_attr(name).asCfgNode()
+        this = popen2_attr(name).getACall()
       )
     }
 
@@ -619,63 +409,20 @@ private module Stdlib {
   // platform
   // ---------------------------------------------------------------------------
   /** Gets a reference to the `platform` module. */
-  private DataFlow::Node platform(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("platform")
-    or
-    exists(DataFlow::TypeTracker t2 | result = platform(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `platform` module. */
-  DataFlow::Node platform() { result = platform(DataFlow::TypeTracker::end()) }
+  API::Node platform() { result = API::moduleImport("platform") }
 
   /**
    * Gets a reference to the attribute `attr_name` of the `platform` module.
    * WARNING: Only holds for a few predefined attributes.
    */
-  private DataFlow::Node platform_attr(DataFlow::TypeTracker t, string attr_name) {
-    attr_name in ["popen"] and
-    (
-      t.start() and
-      result = DataFlow::importNode("platform." + attr_name)
-      or
-      t.startInAttr(attr_name) and
-      result = DataFlow::importNode("platform")
-    )
-    or
-    // Due to bad performance when using normal setup with `platform_attr(t2, attr_name).track(t2, t)`
-    // we have inlined that code and forced a join
-    exists(DataFlow::TypeTracker t2 |
-      exists(DataFlow::StepSummary summary |
-        platform_attr_first_join(t2, attr_name, result, summary) and
-        t = t2.append(summary)
-      )
-    )
-  }
-
-  pragma[nomagic]
-  private predicate platform_attr_first_join(
-    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
-  ) {
-    DataFlow::StepSummary::step(platform_attr(t2, attr_name), res, summary)
-  }
-
-  /**
-   * Gets a reference to the attribute `attr_name` of the `platform` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private DataFlow::Node platform_attr(string attr_name) {
-    result = platform_attr(DataFlow::TypeTracker::end(), attr_name)
-  }
+  private API::Node platform_attr(string attr_name) { result = platform().getMember(attr_name) }
 
   /**
    * A call to the `platform.popen` function.
    * See https://docs.python.org/2.7/library/platform.html#platform.popen
    */
-  private class PlatformPopenCall extends SystemCommandExecution::Range, DataFlow::CfgNode {
-    override CallNode node;
-
-    PlatformPopenCall() { node.getFunction() = platform_attr("popen").asCfgNode() }
+  private class PlatformPopenCall extends SystemCommandExecution::Range, DataFlow::CallCfgNode {
+    PlatformPopenCall() { this = platform_attr("popen").getACall() }
 
     override DataFlow::Node getCommand() {
       result.asCfgNode() in [node.getArg(0), node.getArgByName("cmd")]
@@ -753,72 +500,24 @@ private module Stdlib {
   // base64
   // ---------------------------------------------------------------------------
   /** Gets a reference to the `base64` module. */
-  private DataFlow::Node base64(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("base64")
-    or
-    exists(DataFlow::TypeTracker t2 | result = base64(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `base64` module. */
-  DataFlow::Node base64() { result = base64(DataFlow::TypeTracker::end()) }
+  API::Node base64() { result = API::moduleImport("base64") }
 
   /**
    * Gets a reference to the attribute `attr_name` of the `base64` module.
    * WARNING: Only holds for a few predefined attributes.
    */
-  private DataFlow::Node base64_attr(DataFlow::TypeTracker t, string attr_name) {
-    attr_name in [
-        "b64encode", "b64decode", "standard_b64encode", "standard_b64decode", "urlsafe_b64encode",
-        "urlsafe_b64decode", "b32encode", "b32decode", "b16encode", "b16decode", "encodestring",
-        "decodestring", "a85encode", "a85decode", "b85encode", "b85decode", "encodebytes",
-        "decodebytes"
-      ] and
-    (
-      t.start() and
-      result = DataFlow::importNode("base64" + "." + attr_name)
-      or
-      t.startInAttr(attr_name) and
-      result = base64()
-    )
-    or
-    // Due to bad performance when using normal setup with `base64_attr(t2, attr_name).track(t2, t)`
-    // we have inlined that code and forced a join
-    exists(DataFlow::TypeTracker t2 |
-      exists(DataFlow::StepSummary summary |
-        base64_attr_first_join(t2, attr_name, result, summary) and
-        t = t2.append(summary)
-      )
-    )
-  }
-
-  pragma[nomagic]
-  private predicate base64_attr_first_join(
-    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
-  ) {
-    DataFlow::StepSummary::step(base64_attr(t2, attr_name), res, summary)
-  }
-
-  /**
-   * Gets a reference to the attribute `attr_name` of the `base64` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private DataFlow::Node base64_attr(string attr_name) {
-    result = base64_attr(DataFlow::TypeTracker::end(), attr_name)
-  }
+  private API::Node base64_attr(string attr_name) { result = base64().getMember(attr_name) }
 
   /** A call to any of the encode functions in the `base64` module. */
-  private class Base64EncodeCall extends Encoding::Range, DataFlow::CfgNode {
-    override CallNode node;
+  private class Base64EncodeCall extends Encoding::Range, DataFlow::CallCfgNode {
+    string name;
 
     Base64EncodeCall() {
-      exists(string name |
-        name in [
-            "b64encode", "standard_b64encode", "urlsafe_b64encode", "b32encode", "b16encode",
-            "encodestring", "a85encode", "b85encode", "encodebytes"
-          ] and
-        node.getFunction() = base64_attr(name).asCfgNode()
-      )
+      name in [
+          "b64encode", "standard_b64encode", "urlsafe_b64encode", "b32encode", "b16encode",
+          "encodestring", "a85encode", "b85encode", "encodebytes"
+        ] and
+      this = base64_attr(name).getACall()
     }
 
     override DataFlow::Node getAnInput() { result.asCfgNode() = node.getArg(0) }
@@ -826,35 +525,31 @@ private module Stdlib {
     override DataFlow::Node getOutput() { result = this }
 
     override string getFormat() {
-      exists(string name | node.getFunction() = base64_attr(name).asCfgNode() |
-        name in [
-            "b64encode", "standard_b64encode", "urlsafe_b64encode", "encodestring", "encodebytes"
-          ] and
-        result = "Base64"
-        or
-        name = "b32encode" and result = "Base32"
-        or
-        name = "b16encode" and result = "Base16"
-        or
-        name = "a85encode" and result = "Ascii85"
-        or
-        name = "b85encode" and result = "Base85"
-      )
+      name in [
+          "b64encode", "standard_b64encode", "urlsafe_b64encode", "encodestring", "encodebytes"
+        ] and
+      result = "Base64"
+      or
+      name = "b32encode" and result = "Base32"
+      or
+      name = "b16encode" and result = "Base16"
+      or
+      name = "a85encode" and result = "Ascii85"
+      or
+      name = "b85encode" and result = "Base85"
     }
   }
 
   /** A call to any of the decode functions in the `base64` module. */
-  private class Base64DecodeCall extends Decoding::Range, DataFlow::CfgNode {
-    override CallNode node;
+  private class Base64DecodeCall extends Decoding::Range, DataFlow::CallCfgNode {
+    string name;
 
     Base64DecodeCall() {
-      exists(string name |
-        name in [
-            "b64decode", "standard_b64decode", "urlsafe_b64decode", "b32decode", "b16decode",
-            "decodestring", "a85decode", "b85decode", "decodebytes"
-          ] and
-        node.getFunction() = base64_attr(name).asCfgNode()
-      )
+      name in [
+          "b64decode", "standard_b64decode", "urlsafe_b64decode", "b32decode", "b16decode",
+          "decodestring", "a85decode", "b85decode", "decodebytes"
+        ] and
+      this = base64_attr(name).getACall()
     }
 
     override predicate mayExecuteInput() { none() }
@@ -864,20 +559,18 @@ private module Stdlib {
     override DataFlow::Node getOutput() { result = this }
 
     override string getFormat() {
-      exists(string name | node.getFunction() = base64_attr(name).asCfgNode() |
-        name in [
-            "b64decode", "standard_b64decode", "urlsafe_b64decode", "decodestring", "decodebytes"
-          ] and
-        result = "Base64"
-        or
-        name = "b32decode" and result = "Base32"
-        or
-        name = "b16decode" and result = "Base16"
-        or
-        name = "a85decode" and result = "Ascii85"
-        or
-        name = "b85decode" and result = "Base85"
-      )
+      name in [
+          "b64decode", "standard_b64decode", "urlsafe_b64decode", "decodestring", "decodebytes"
+        ] and
+      result = "Base64"
+      or
+      name = "b32decode" and result = "Base32"
+      or
+      name = "b16decode" and result = "Base16"
+      or
+      name = "a85decode" and result = "Ascii85"
+      or
+      name = "b85decode" and result = "Base85"
     }
   }
 
@@ -885,63 +578,20 @@ private module Stdlib {
   // json
   // ---------------------------------------------------------------------------
   /** Gets a reference to the `json` module. */
-  private DataFlow::Node json(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("json")
-    or
-    exists(DataFlow::TypeTracker t2 | result = json(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `json` module. */
-  DataFlow::Node json() { result = json(DataFlow::TypeTracker::end()) }
+  API::Node json() { result = API::moduleImport("node") }
 
   /**
    * Gets a reference to the attribute `attr_name` of the `json` module.
    * WARNING: Only holds for a few predefined attributes.
    */
-  private DataFlow::Node json_attr(DataFlow::TypeTracker t, string attr_name) {
-    attr_name in ["loads", "dumps"] and
-    (
-      t.start() and
-      result = DataFlow::importNode("json" + "." + attr_name)
-      or
-      t.startInAttr(attr_name) and
-      result = json()
-    )
-    or
-    // Due to bad performance when using normal setup with `json_attr(t2, attr_name).track(t2, t)`
-    // we have inlined that code and forced a join
-    exists(DataFlow::TypeTracker t2 |
-      exists(DataFlow::StepSummary summary |
-        json_attr_first_join(t2, attr_name, result, summary) and
-        t = t2.append(summary)
-      )
-    )
-  }
-
-  pragma[nomagic]
-  private predicate json_attr_first_join(
-    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
-  ) {
-    DataFlow::StepSummary::step(json_attr(t2, attr_name), res, summary)
-  }
-
-  /**
-   * Gets a reference to the attribute `attr_name` of the `json` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private DataFlow::Node json_attr(string attr_name) {
-    result = json_attr(DataFlow::TypeTracker::end(), attr_name)
-  }
+  private API::Node json_attr(string attr_name) { result = json().getMember(attr_name) }
 
   /**
    * A call to `json.loads`
    * See https://docs.python.org/3/library/json.html#json.loads
    */
-  private class JsonLoadsCall extends Decoding::Range, DataFlow::CfgNode {
-    override CallNode node;
-
-    JsonLoadsCall() { node.getFunction() = json_attr("loads").asCfgNode() }
+  private class JsonLoadsCall extends Decoding::Range, DataFlow::CallCfgNode {
+    JsonLoadsCall() { this = json_attr("loads").getACall() }
 
     override predicate mayExecuteInput() { none() }
 
@@ -956,10 +606,8 @@ private module Stdlib {
    * A call to `json.dumps`
    * See https://docs.python.org/3/library/json.html#json.dumps
    */
-  private class JsonDumpsCall extends Encoding::Range, DataFlow::CfgNode {
-    override CallNode node;
-
-    JsonDumpsCall() { node.getFunction() = json_attr("dumps").asCfgNode() }
+  private class JsonDumpsCall extends Encoding::Range, DataFlow::CallCfgNode {
+    JsonDumpsCall() { this = json_attr("dumps").getACall() }
 
     override DataFlow::Node getAnInput() { result.asCfgNode() = node.getArg(0) }
 
@@ -972,15 +620,7 @@ private module Stdlib {
   // cgi
   // ---------------------------------------------------------------------------
   /** Gets a reference to the `cgi` module. */
-  private DataFlow::Node cgi(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("cgi")
-    or
-    exists(DataFlow::TypeTracker t2 | result = cgi(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `cgi` module. */
-  DataFlow::Node cgi() { result = cgi(DataFlow::TypeTracker::end()) }
+  API::Node cgi() { result = API::moduleImport("cgi") }
 
   /** Provides models for the `cgi` module. */
   module cgi {
@@ -991,15 +631,7 @@ private module Stdlib {
      */
     module FieldStorage {
       /** Gets a reference to the `cgi.FieldStorage` class. */
-      private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-        t.startInAttr("FieldStorage") and
-        result = cgi()
-        or
-        exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
-      }
-
-      /** Gets a reference to the `cgi.FieldStorage` class. */
-      DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+      API::Node classRef() { result = cgi().getMember("FieldStorage") }
 
       /**
        * A source of instances of `cgi.FieldStorage`, extend this class to model new instances.
@@ -1020,145 +652,86 @@ private module Stdlib {
        * if it turns out to be a problem, we'll have to refine.
        */
       private class ClassInstantiation extends InstanceSource, RemoteFlowSource::Range,
-        DataFlow::CfgNode {
-        override CallNode node;
-
-        ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+        DataFlow::CallCfgNode {
+        ClassInstantiation() { this = classRef().getACall() }
 
         override string getSourceType() { result = "cgi.FieldStorage" }
       }
 
       /** Gets a reference to an instance of `cgi.FieldStorage`. */
-      private DataFlow::Node instance(DataFlow::TypeTracker t) {
-        t.start() and
-        result instanceof InstanceSource
-        or
-        exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
-      }
-
-      /** Gets a reference to an instance of `cgi.FieldStorage`. */
-      DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+      API::Node instance() { result = classRef().getReturn() }
 
       /** Gets a reference to the `getvalue` method on a `cgi.FieldStorage` instance. */
-      private DataFlow::Node getvalueRef(DataFlow::TypeTracker t) {
-        t.startInAttr("getvalue") and
-        result = instance()
-        or
-        exists(DataFlow::TypeTracker t2 | result = getvalueRef(t2).track(t2, t))
-      }
-
-      /** Gets a reference to the `getvalue` method on a `cgi.FieldStorage` instance. */
-      DataFlow::Node getvalueRef() { result = getvalueRef(DataFlow::TypeTracker::end()) }
+      API::Node getvalueRef() { result = instance().getMember("getvalue") }
 
       /** Gets a reference to the result of calling the `getvalue` method on a `cgi.FieldStorage` instance. */
-      private DataFlow::Node getvalueResult(DataFlow::TypeTracker t) {
-        t.start() and
-        result.asCfgNode().(CallNode).getFunction() = getvalueRef().asCfgNode()
-        or
-        exists(DataFlow::TypeTracker t2 | result = getvalueResult(t2).track(t2, t))
-      }
-
-      /** Gets a reference to the result of calling the `getvalue` method on a `cgi.FieldStorage` instance. */
-      DataFlow::Node getvalueResult() { result = getvalueResult(DataFlow::TypeTracker::end()) }
+      API::Node getvalueResult() { result = getvalueRef().getReturn() }
 
       /** Gets a reference to the `getfirst` method on a `cgi.FieldStorage` instance. */
-      private DataFlow::Node getfirstRef(DataFlow::TypeTracker t) {
-        t.startInAttr("getfirst") and
-        result = instance()
-        or
-        exists(DataFlow::TypeTracker t2 | result = getfirstRef(t2).track(t2, t))
-      }
-
-      /** Gets a reference to the `getfirst` method on a `cgi.FieldStorage` instance. */
-      DataFlow::Node getfirstRef() { result = getfirstRef(DataFlow::TypeTracker::end()) }
+      API::Node getfirstRef() { result = instance().getMember("getfirst") }
 
       /** Gets a reference to the result of calling the `getfirst` method on a `cgi.FieldStorage` instance. */
-      private DataFlow::Node getfirstResult(DataFlow::TypeTracker t) {
-        t.start() and
-        result.asCfgNode().(CallNode).getFunction() = getfirstRef().asCfgNode()
-        or
-        exists(DataFlow::TypeTracker t2 | result = getfirstResult(t2).track(t2, t))
-      }
-
-      /** Gets a reference to the result of calling the `getfirst` method on a `cgi.FieldStorage` instance. */
-      DataFlow::Node getfirstResult() { result = getfirstResult(DataFlow::TypeTracker::end()) }
+      API::Node getfirstResult() { result = getfirstRef().getReturn() }
 
       /** Gets a reference to the `getlist` method on a `cgi.FieldStorage` instance. */
-      private DataFlow::Node getlistRef(DataFlow::TypeTracker t) {
-        t.startInAttr("getlist") and
-        result = instance()
-        or
-        exists(DataFlow::TypeTracker t2 | result = getlistRef(t2).track(t2, t))
-      }
-
-      /** Gets a reference to the `getlist` method on a `cgi.FieldStorage` instance. */
-      DataFlow::Node getlistRef() { result = getlistRef(DataFlow::TypeTracker::end()) }
+      API::Node getlistRef() { result = instance().getMember("getlist") }
 
       /** Gets a reference to the result of calling the `getlist` method on a `cgi.FieldStorage` instance. */
-      private DataFlow::Node getlistResult(DataFlow::TypeTracker t) {
-        t.start() and
-        result.asCfgNode().(CallNode).getFunction() = getlistRef().asCfgNode()
-        or
-        exists(DataFlow::TypeTracker t2 | result = getlistResult(t2).track(t2, t))
-      }
-
-      /** Gets a reference to the result of calling the `getlist` method on a `cgi.FieldStorage` instance. */
-      DataFlow::Node getlistResult() { result = getlistResult(DataFlow::TypeTracker::end()) }
+      API::Node getlistResult() { result = getlistRef().getReturn() }
 
       /** Gets a reference to a list of fields. */
-      private DataFlow::Node fieldList(DataFlow::TypeTracker t) {
+      private DataFlow::LocalSourceNode fieldList(DataFlow::TypeTracker t) {
         t.start() and
-        (
-          result = getlistResult()
-          or
-          result = getvalueResult()
-          or
-          // TODO: Should have better handling of subscripting
-          result.asCfgNode().(SubscriptNode).getObject() = instance().asCfgNode()
-        )
+        // TODO: Should have better handling of subscripting
+        result.asCfgNode().(SubscriptNode).getObject() = instance().getAUse().asCfgNode()
         or
         exists(DataFlow::TypeTracker t2 | result = fieldList(t2).track(t2, t))
       }
 
       /** Gets a reference to a list of fields. */
-      DataFlow::Node fieldList() { result = fieldList(DataFlow::TypeTracker::end()) }
+      DataFlow::Node fieldList() {
+        result = getlistResult().getAUse() or
+        result = getvalueResult().getAUse() or
+        fieldList(DataFlow::TypeTracker::end()).flowsTo(result)
+      }
 
       /** Gets a reference to a field. */
-      private DataFlow::Node field(DataFlow::TypeTracker t) {
+      private DataFlow::LocalSourceNode field(DataFlow::TypeTracker t) {
         t.start() and
-        (
-          result = getfirstResult()
-          or
-          result = getvalueResult()
-          or
-          // TODO: Should have better handling of subscripting
-          result.asCfgNode().(SubscriptNode).getObject() = [instance(), fieldList()].asCfgNode()
-        )
+        // TODO: Should have better handling of subscripting
+        result.asCfgNode().(SubscriptNode).getObject() =
+          [instance().getAUse(), fieldList()].asCfgNode()
         or
         exists(DataFlow::TypeTracker t2 | result = field(t2).track(t2, t))
       }
 
       /** Gets a reference to a field. */
-      DataFlow::Node field() { result = field(DataFlow::TypeTracker::end()) }
+      DataFlow::Node field() {
+        result = getfirstResult().getAUse()
+        or
+        result = getvalueResult().getAUse()
+        or
+        field(DataFlow::TypeTracker::end()).flowsTo(result)
+      }
 
       private class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
         override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
           // Methods
           nodeFrom = nodeTo.(DataFlow::AttrRead).getObject() and
-          nodeFrom = instance() and
-          nodeTo in [getvalueRef(), getfirstRef(), getlistRef()]
+          nodeFrom = instance().getAUse() and
+          nodeTo = [getvalueRef(), getfirstRef(), getlistRef()].getAUse()
           or
           nodeFrom.asCfgNode() = nodeTo.asCfgNode().(CallNode).getFunction() and
           (
-            nodeFrom = getvalueRef() and nodeTo = getvalueResult()
+            nodeFrom = getvalueRef().getAUse() and nodeTo = getvalueResult().getAnImmediateUse()
             or
-            nodeFrom = getfirstRef() and nodeTo = getfirstResult()
+            nodeFrom = getfirstRef().getAUse() and nodeTo = getfirstResult().getAnImmediateUse()
             or
-            nodeFrom = getlistRef() and nodeTo = getlistResult()
+            nodeFrom = getlistRef().getAUse() and nodeTo = getlistResult().getAnImmediateUse()
           )
           or
           // Indexing
-          nodeFrom in [instance(), fieldList()] and
+          nodeFrom in [instance().getAUse(), fieldList()] and
           nodeTo.asCfgNode().(SubscriptNode).getObject() = nodeFrom.asCfgNode()
           or
           // Attributes on Field
@@ -1175,15 +748,7 @@ private module Stdlib {
   // BaseHTTPServer (Python 2 only)
   // ---------------------------------------------------------------------------
   /** Gets a reference to the `BaseHTTPServer` module. */
-  private DataFlow::Node baseHTTPServer(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("BaseHTTPServer")
-    or
-    exists(DataFlow::TypeTracker t2 | result = baseHTTPServer(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `BaseHTTPServer` module. */
-  DataFlow::Node baseHTTPServer() { result = baseHTTPServer(DataFlow::TypeTracker::end()) }
+  API::Node baseHTTPServer() { result = API::moduleImport("BaseHTTPServer") }
 
   /** Provides models for the `BaseHTTPServer` module. */
   module BaseHTTPServer {
@@ -1192,18 +757,7 @@ private module Stdlib {
      */
     module BaseHTTPRequestHandler {
       /** Gets a reference to the `BaseHTTPServer.BaseHTTPRequestHandler` class. */
-      private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-        t.start() and
-        result = DataFlow::importNode("BaseHTTPServer" + "." + "BaseHTTPRequestHandler")
-        or
-        t.startInAttr("BaseHTTPRequestHandler") and
-        result = baseHTTPServer()
-        or
-        exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
-      }
-
-      /** Gets a reference to the `BaseHTTPServer.BaseHTTPRequestHandler` class. */
-      DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+      API::Node classRef() { result = baseHTTPServer().getMember("BaseHTTPRequestHandler") }
     }
   }
 
@@ -1211,15 +765,7 @@ private module Stdlib {
   // SimpleHTTPServer (Python 2 only)
   // ---------------------------------------------------------------------------
   /** Gets a reference to the `SimpleHTTPServer` module. */
-  private DataFlow::Node simpleHTTPServer(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("SimpleHTTPServer")
-    or
-    exists(DataFlow::TypeTracker t2 | result = simpleHTTPServer(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `SimpleHTTPServer` module. */
-  DataFlow::Node simpleHTTPServer() { result = simpleHTTPServer(DataFlow::TypeTracker::end()) }
+  API::Node simpleHTTPServer() { result = API::moduleImport("SimpleHTTPServer") }
 
   /** Provides models for the `SimpleHTTPServer` module. */
   module SimpleHTTPServer {
@@ -1228,18 +774,7 @@ private module Stdlib {
      */
     module SimpleHTTPRequestHandler {
       /** Gets a reference to the `SimpleHTTPServer.SimpleHTTPRequestHandler` class. */
-      private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-        t.start() and
-        result = DataFlow::importNode("SimpleHTTPServer" + "." + "SimpleHTTPRequestHandler")
-        or
-        t.startInAttr("SimpleHTTPRequestHandler") and
-        result = simpleHTTPServer()
-        or
-        exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
-      }
-
-      /** Gets a reference to the `SimpleHTTPServer.SimpleHTTPRequestHandler` class. */
-      DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+      API::Node classRef() { result = simpleHTTPServer().getMember("SimpleHTTPRequestHandler") }
     }
   }
 
@@ -1247,15 +782,7 @@ private module Stdlib {
   // CGIHTTPServer (Python 2 only)
   // ---------------------------------------------------------------------------
   /** Gets a reference to the `CGIHTTPServer` module. */
-  private DataFlow::Node cgiHTTPServer(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("CGIHTTPServer")
-    or
-    exists(DataFlow::TypeTracker t2 | result = cgiHTTPServer(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `CGIHTTPServer` module. */
-  DataFlow::Node cgiHTTPServer() { result = cgiHTTPServer(DataFlow::TypeTracker::end()) }
+  API::Node cgiHTTPServer() { result = API::moduleImport("CGIHTTPServer") }
 
   /** Provides models for the `CGIHTTPServer` module. */
   module CGIHTTPServer {
@@ -1264,18 +791,7 @@ private module Stdlib {
      */
     module CGIHTTPRequestHandler {
       /** Gets a reference to the `CGIHTTPServer.CGIHTTPRequestHandler` class. */
-      private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-        t.start() and
-        result = DataFlow::importNode("CGIHTTPServer" + "." + "CGIHTTPRequestHandler")
-        or
-        t.startInAttr("CGIHTTPRequestHandler") and
-        result = cgiHTTPServer()
-        or
-        exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
-      }
-
-      /** Gets a reference to the `CGIHTTPServer.CGIHTTPRequestHandler` class. */
-      DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+      API::Node classRef() { result = cgiHTTPServer().getMember("CGIHTTPRequestHandler") }
     }
   }
 
@@ -1283,54 +799,13 @@ private module Stdlib {
   // http (Python 3 only)
   // ---------------------------------------------------------------------------
   /** Gets a reference to the `http` module. */
-  private DataFlow::Node http(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("http")
-    or
-    exists(DataFlow::TypeTracker t2 | result = http(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `http` module. */
-  DataFlow::Node http() { result = http(DataFlow::TypeTracker::end()) }
+  API::Node http() { result = API::moduleImport("http") }
 
   /**
    * Gets a reference to the attribute `attr_name` of the `http` module.
    * WARNING: Only holds for a few predefined attributes.
    */
-  private DataFlow::Node http_attr(DataFlow::TypeTracker t, string attr_name) {
-    attr_name in ["server"] and
-    (
-      t.start() and
-      result = DataFlow::importNode("http" + "." + attr_name)
-      or
-      t.startInAttr(attr_name) and
-      result = http()
-    )
-    or
-    // Due to bad performance when using normal setup with `http_attr(t2, attr_name).track(t2, t)`
-    // we have inlined that code and forced a join
-    exists(DataFlow::TypeTracker t2 |
-      exists(DataFlow::StepSummary summary |
-        http_attr_first_join(t2, attr_name, result, summary) and
-        t = t2.append(summary)
-      )
-    )
-  }
-
-  pragma[nomagic]
-  private predicate http_attr_first_join(
-    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
-  ) {
-    DataFlow::StepSummary::step(http_attr(t2, attr_name), res, summary)
-  }
-
-  /**
-   * Gets a reference to the attribute `attr_name` of the `http` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private DataFlow::Node http_attr(string attr_name) {
-    result = http_attr(DataFlow::TypeTracker::end(), attr_name)
-  }
+  private API::Node http_attr(string attr_name) { result = http().getMember(attr_name) }
 
   /** Provides models for the `http` module. */
   module http {
@@ -1338,7 +813,7 @@ private module Stdlib {
     // http.server
     // -------------------------------------------------------------------------
     /** Gets a reference to the `http.server` module. */
-    DataFlow::Node server() { result = http_attr("server") }
+    API::Node server() { result = http_attr("server") }
 
     /** Provides models for the `http.server` module */
     module server {
@@ -1346,41 +821,7 @@ private module Stdlib {
        * Gets a reference to the attribute `attr_name` of the `http.server` module.
        * WARNING: Only holds for a few predefined attributes.
        */
-      private DataFlow::Node server_attr(DataFlow::TypeTracker t, string attr_name) {
-        attr_name in ["BaseHTTPRequestHandler", "SimpleHTTPRequestHandler", "CGIHTTPRequestHandler"] and
-        (
-          t.start() and
-          result = DataFlow::importNode("http.server" + "." + attr_name)
-          or
-          t.startInAttr(attr_name) and
-          result = server()
-        )
-        or
-        // Due to bad performance when using normal setup with `server_attr(t2, attr_name).track(t2, t)`
-        // we have inlined that code and forced a join
-        exists(DataFlow::TypeTracker t2 |
-          exists(DataFlow::StepSummary summary |
-            server_attr_first_join(t2, attr_name, result, summary) and
-            t = t2.append(summary)
-          )
-        )
-      }
-
-      pragma[nomagic]
-      private predicate server_attr_first_join(
-        DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-        DataFlow::StepSummary summary
-      ) {
-        DataFlow::StepSummary::step(server_attr(t2, attr_name), res, summary)
-      }
-
-      /**
-       * Gets a reference to the attribute `attr_name` of the `http.server` module.
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private DataFlow::Node server_attr(string attr_name) {
-        result = server_attr(DataFlow::TypeTracker::end(), attr_name)
-      }
+      private API::Node server_attr(string attr_name) { result = server().getMember(attr_name) }
 
       /**
        * Provides models for the `http.server.BaseHTTPRequestHandler` class (Python 3 only).
@@ -1389,7 +830,7 @@ private module Stdlib {
        */
       module BaseHTTPRequestHandler {
         /** Gets a reference to the `http.server.BaseHTTPRequestHandler` class. */
-        DataFlow::Node classRef() { result = server_attr("BaseHTTPRequestHandler") }
+        API::Node classRef() { result = server_attr("BaseHTTPRequestHandler") }
       }
 
       /**
@@ -1399,7 +840,7 @@ private module Stdlib {
        */
       module SimpleHTTPRequestHandler {
         /** Gets a reference to the `http.server.SimpleHTTPRequestHandler` class. */
-        DataFlow::Node classRef() { result = server_attr("SimpleHTTPRequestHandler") }
+        API::Node classRef() { result = server_attr("SimpleHTTPRequestHandler") }
       }
 
       /**
@@ -1409,7 +850,7 @@ private module Stdlib {
        */
       module CGIHTTPRequestHandler {
         /** Gets a reference to the `http.server.CGIHTTPRequestHandler` class. */
-        DataFlow::Node classRef() { result = server_attr("CGIHTTPRequestHandler") }
+        API::Node classRef() { result = server_attr("CGIHTTPRequestHandler") }
       }
     }
   }
@@ -1423,35 +864,23 @@ private module Stdlib {
    */
   private module HTTPRequestHandler {
     /** Gets a reference to the `BaseHTTPRequestHandler` class or any subclass. */
-    private DataFlow::Node subclassRef(DataFlow::TypeTracker t) {
-      // Python 2
-      t.start() and
-      result in [
+    API::Node subclassRef() {
+      result =
+        [
+          // Python 2
           BaseHTTPServer::BaseHTTPRequestHandler::classRef(),
           SimpleHTTPServer::SimpleHTTPRequestHandler::classRef(),
-          CGIHTTPServer::CGIHTTPRequestHandler::classRef()
-        ]
-      or
-      // Python 3
-      t.start() and
-      result in [
+          CGIHTTPServer::CGIHTTPRequestHandler::classRef(),
+          // Python 3
           http::server::BaseHTTPRequestHandler::classRef(),
           http::server::SimpleHTTPRequestHandler::classRef(),
           http::server::CGIHTTPRequestHandler::classRef()
-        ]
-      or
-      // subclasses in project code
-      result.asExpr().(ClassExpr).getABase() = subclassRef(t.continue()).asExpr()
-      or
-      exists(DataFlow::TypeTracker t2 | result = subclassRef(t2).track(t2, t))
+        ].getASubclass*()
     }
 
-    /** Gets a reference to the `BaseHTTPRequestHandler` class or any subclass. */
-    DataFlow::Node subclassRef() { result = subclassRef(DataFlow::TypeTracker::end()) }
-
     /** A HTTPRequestHandler class definition (most likely in project code). */
     class HTTPRequestHandlerClassDef extends Class {
-      HTTPRequestHandlerClassDef() { this.getParent() = subclassRef().asExpr() }
+      HTTPRequestHandlerClassDef() { this.getParent() = subclassRef().getAUse().asExpr() }
     }
 
     /**
@@ -1475,7 +904,7 @@ private module Stdlib {
     }
 
     /** Gets a reference to an instance of the `BaseHTTPRequestHandler` class or any subclass. */
-    private DataFlow::Node instance(DataFlow::TypeTracker t) {
+    private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
       t.start() and
       result instanceof InstanceSource
       or
@@ -1483,7 +912,7 @@ private module Stdlib {
     }
 
     /** Gets a reference to an instance of the `BaseHTTPRequestHandler` class or any subclass. */
-    DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+    DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
 
     private class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
       override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {

From 0818c1d7038a84c39a04d2282f023d56ff280f4a Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 9 Apr 2021 18:11:48 +0100
Subject: [PATCH 0285/1429] C++: Update QLDoc.

---
 .../CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql    | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index cbdae0b6651..074ecfc821e 100644
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -31,7 +31,8 @@ predicate isGuarded(SubExpr sub, Expr left, Expr right) {
 }
 
 /**
- * Holds if `e` is known to be less than or equal to `sub.getLeftOperand()`.
+ * Holds if `e` is known or suspected to be less than or equal to
+ * `sub.getLeftOperand()`.
  */
 predicate exprIsSubLeftOrLess(SubExpr sub, Expr e) {
   e = sub.getLeftOperand()

From 40637c18ceb1684c16db25f2e59275497f287871 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 9 Apr 2021 18:14:12 +0100
Subject: [PATCH 0286/1429] C++: Add change note.

---
 .../2021-04-09-unsigned-difference-expression-compared-zero.md  | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 cpp/change-notes/2021-04-09-unsigned-difference-expression-compared-zero.md

diff --git a/cpp/change-notes/2021-04-09-unsigned-difference-expression-compared-zero.md b/cpp/change-notes/2021-04-09-unsigned-difference-expression-compared-zero.md
new file mode 100644
index 00000000000..3297dfce9a9
--- /dev/null
+++ b/cpp/change-notes/2021-04-09-unsigned-difference-expression-compared-zero.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The 'Unsigned difference expression compared to zero' (cpp/unsigned-difference-expression-compared-zero) query has been improved to produce fewer false positive results.
\ No newline at end of file

From 2329b3160105fd2b7bfc34af13563f740ae41df9 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 9 Apr 2021 20:49:45 +0200
Subject: [PATCH 0287/1429] C++: Replace the new SmartPointerPartialDefinition
 with additional steps in AddressFlow.qll

---
 .../cpp/dataflow/internal/AddressFlow.qll     |  29 +++++
 .../cpp/dataflow/internal/DataFlowUtil.qll    |  14 ---
 .../code/cpp/dataflow/internal/FlowVar.qll    |  58 ---------
 .../models/implementations/SmartPointer.qll   |   2 +
 .../cpp/models/interfaces/PointerWrapper.qll  |   3 +
 .../dataflow/taint-tests/localTaint.expected  | 119 +++++++++++++++---
 .../dataflow/taint-tests/smart_pointer.cpp    |  33 +++++
 7 files changed, 169 insertions(+), 89 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll
index 7024f9d8598..70af0b25c23 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll
@@ -15,6 +15,7 @@
  */
 
 private import cpp
+private import semmle.code.cpp.models.interfaces.PointerWrapper
 
 /**
  * Holds if `f` is an instantiation of the `std::move` or `std::forward`
@@ -58,6 +59,8 @@ private predicate pointerToLvalueStep(Expr pointerIn, Expr lvalueOut) {
   pointerIn = lvalueOut.(ArrayExpr).getArrayBase().getFullyConverted()
   or
   pointerIn = lvalueOut.(PointerDereferenceExpr).getOperand().getFullyConverted()
+  or
+  pointerIn = lvalueOut.(OverloadedPointerDereferenceExpr).getQualifier().getFullyConverted()
 }
 
 private predicate lvalueToPointerStep(Expr lvalueIn, Expr pointerOut) {
@@ -94,6 +97,12 @@ private predicate pointerToPointerStep(Expr pointerIn, Expr pointerOut) {
 
 private predicate lvalueToReferenceStep(Expr lvalueIn, Expr referenceOut) {
   lvalueIn.getConversion() = referenceOut.(ReferenceToExpr)
+  or
+  exists(PointerWrapper wrapper, Call call | call = referenceOut |
+    referenceOut.getUnspecifiedType() instanceof ReferenceType and
+    call = wrapper.getAnUnwrapperFunction().getACallToThisFunction() and
+    lvalueIn = call.getQualifier().getFullyConverted()
+  )
 }
 
 private predicate referenceToLvalueStep(Expr referenceIn, Expr lvalueOut) {
@@ -106,6 +115,13 @@ private predicate referenceToPointerStep(Expr referenceIn, Expr pointerOut) {
       stdAddressOf(call.getTarget()) and
       referenceIn = call.getArgument(0).getFullyConverted()
     )
+  or
+  exists(CopyConstructor copy, Call call | call = pointerOut |
+    copy.getDeclaringType() instanceof PointerWrapper and
+    call.getTarget() = copy and
+    // The 0'th argument is the value being copied.
+    referenceIn = call.getArgument(0).getFullyConverted()
+  )
 }
 
 private predicate referenceToReferenceStep(Expr referenceIn, Expr referenceOut) {
@@ -190,6 +206,19 @@ private predicate pointerToUpdate(Expr pointer, Expr outer, ControlFlowNode node
         // See the `lvalueToUpdate` case for an explanation of this conjunct.
         call.getType().isDeeplyConstBelow()
       )
+      or
+      // Pointer wrappers behave as raw pointers for dataflow purposes.
+      outer = call.getAnArgument().getFullyConverted() and
+      exists(PointerWrapper wrapper | wrapper = outer.getType().stripTopLevelSpecifiers() |
+        not wrapper.pointsToConst()
+      )
+      or
+      outer = call.getQualifier().getFullyConverted() and
+      outer.getUnspecifiedType() instanceof PointerWrapper and
+      not (
+        call.getTarget().hasSpecifier("const") and
+        call.getType().isDeeplyConstBelow()
+      )
     )
     or
     exists(PointerFieldAccess fa |
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
index 810c74e3e69..fd91638b7aa 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -199,8 +199,6 @@ class DefinitionByReferenceOrIteratorNode extends PartialDefinitionNode {
       this.getPartialDefinition() instanceof DefinitionByReference
       or
       this.getPartialDefinition() instanceof DefinitionByIterator
-      or
-      this.getPartialDefinition() instanceof DefinitionBySmartPointer
     )
   }
 
@@ -332,18 +330,6 @@ private class IteratorPartialDefinitionNode extends PartialDefinitionNode {
   override Node getPreUpdateNode() { pd.definesExpressions(_, result.asExpr()) }
 }
 
-/**
- * INTERNAL: do not use.
- *
- * A synthetic data flow node used for flow into a collection when a smart pointer
- * write occurs in a callee.
- */
-private class SmartPointerPartialDefinitionNode extends PartialDefinitionNode {
-  override SmartPointerPartialDefinition pd;
-
-  override Node getPreUpdateNode() { pd.definesExpressions(_, result.asExpr()) }
-}
-
 /**
  * A post-update node on the `e->f` in `f(&e->f)` (and other forms).
  */
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
index 0e5d6ea5fa7..79728629a9a 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
@@ -242,39 +242,6 @@ private module PartialDefinitions {
     }
   }
 
-  class SmartPointerPartialDefinition extends PartialDefinition {
-    Variable pointer;
-    Expr innerDefinedExpr;
-
-    SmartPointerPartialDefinition() {
-      innerDefinedExpr = pragma[only_bind_out](getInnerDefinedExpr(this, node)) and
-      innerDefinedExpr = getAPointerWrapperAccess(pointer, -1)
-      or
-      // Pointer wrappers passed to a function by value.
-      exists(Call call |
-        call = node and
-        call.getAnArgument() = innerDefinedExpr and
-        innerDefinedExpr = this and
-        this = getAPointerWrapperAccess(pointer, 0) and
-        not call instanceof OverloadedPointerDereferenceExpr
-      )
-    }
-
-    deprecated override predicate partiallyDefines(Variable v) { v = pointer }
-
-    deprecated override predicate partiallyDefinesThis(ThisExpr e) { none() }
-
-    override predicate definesExpressions(Expr inner, Expr outer) {
-      inner = innerDefinedExpr and
-      outer = this
-    }
-
-    override predicate partiallyDefinesVariableAt(Variable v, ControlFlowNode cfn) {
-      v = pointer and
-      cfn = node
-    }
-  }
-
   /**
    * A partial definition that's a definition via an output iterator.
    */
@@ -288,15 +255,6 @@ private module PartialDefinitions {
   class DefinitionByReference extends VariablePartialDefinition {
     DefinitionByReference() { exists(Call c | this = c.getAnArgument() or this = c.getQualifier()) }
   }
-
-  /**
-   * A partial definition that's a definition via a smart pointer being passed into a function.
-   */
-  class DefinitionBySmartPointer extends SmartPointerPartialDefinition {
-    DefinitionBySmartPointer() {
-      exists(Call c | this = c.getAnArgument() or this = c.getQualifier())
-    }
-  }
 }
 
 import PartialDefinitions
@@ -876,22 +834,6 @@ module FlowVar_internal {
     )
   }
 
-  /**
-   * Gets either:
-   * - A call to an unwrapper function, where an access to `pointer` is the qualifier, or
-   * - A call to the `CopyConstructor` that copies the value of an access to `pointer`.
-   */
-  Call getAPointerWrapperAccess(Variable pointer, int n) {
-    exists(PointerWrapper wrapper | wrapper = pointer.getUnspecifiedType().stripType() |
-      n = -1 and
-      result.getQualifier() = pointer.getAnAccess() and
-      result.getTarget() = wrapper.getAnUnwrapperFunction()
-      or
-      result.getArgument(n) = pointer.getAnAccess() and
-      result.getTarget() instanceof CopyConstructor
-    )
-  }
-
   class IteratorParameter extends Parameter {
     IteratorParameter() { this.getUnspecifiedType() instanceof Iterator }
   }
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
index 4bcf5aa3575..4b060c234f8 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
@@ -13,6 +13,8 @@ private class UniqueOrSharedPtr extends Class, PointerWrapper {
     or
     result.getClassAndName(["operator->", "get"]) = this
   }
+
+  override predicate pointsToConst() { this.getTemplateArgument(0).(Type).isConst() }
 }
 
 /** Any function that unwraps a pointer wrapper class to reveal the underlying pointer. */
diff --git a/cpp/ql/src/semmle/code/cpp/models/interfaces/PointerWrapper.qll b/cpp/ql/src/semmle/code/cpp/models/interfaces/PointerWrapper.qll
index 447e7f7cede..8948aee424b 100644
--- a/cpp/ql/src/semmle/code/cpp/models/interfaces/PointerWrapper.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/PointerWrapper.qll
@@ -11,4 +11,7 @@ abstract class PointerWrapper extends Class {
    * that return a reference to the pointed-to object.
    */
   abstract MemberFunction getAnUnwrapperFunction();
+
+  /** Holds if the type of the data that is pointed to by this pointer wrapper is `const`. */
+  abstract predicate pointsToConst();
 }
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index ad8b5bbb98e..dd15fa7cd98 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -3223,47 +3223,55 @@
 | smart_pointer.cpp:11:30:11:50 | call to make_shared | smart_pointer.cpp:12:11:12:11 | p |  |
 | smart_pointer.cpp:11:30:11:50 | call to make_shared | smart_pointer.cpp:13:10:13:10 | p |  |
 | smart_pointer.cpp:11:52:11:57 | call to source | smart_pointer.cpp:11:30:11:50 | call to make_shared | TAINT |
-| smart_pointer.cpp:12:11:12:11 | p | smart_pointer.cpp:12:10:12:10 | call to operator* | TAINT |
+| smart_pointer.cpp:12:11:12:11 | p | smart_pointer.cpp:12:10:12:10 | call to operator* |  |
 | smart_pointer.cpp:12:11:12:11 | ref arg p | smart_pointer.cpp:13:10:13:10 | p |  |
 | smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:18:11:18:11 | p |  |
 | smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:19:10:19:10 | p |  |
+| smart_pointer.cpp:18:10:18:10 | ref arg call to operator* | smart_pointer.cpp:18:11:18:11 | p [inner post update] |  |
 | smart_pointer.cpp:18:10:18:10 | ref arg call to operator* | smart_pointer.cpp:19:10:19:10 | p |  |
 | smart_pointer.cpp:18:11:18:11 | p | smart_pointer.cpp:18:10:18:10 | call to operator* | TAINT |
+| smart_pointer.cpp:18:11:18:11 | ref arg p | smart_pointer.cpp:18:11:18:11 | p [inner post update] |  |
 | smart_pointer.cpp:18:11:18:11 | ref arg p | smart_pointer.cpp:19:10:19:10 | p |  |
 | smart_pointer.cpp:23:30:23:50 | call to make_unique | smart_pointer.cpp:24:11:24:11 | p |  |
 | smart_pointer.cpp:23:30:23:50 | call to make_unique | smart_pointer.cpp:25:10:25:10 | p |  |
 | smart_pointer.cpp:23:52:23:57 | call to source | smart_pointer.cpp:23:30:23:50 | call to make_unique | TAINT |
-| smart_pointer.cpp:24:11:24:11 | p | smart_pointer.cpp:24:10:24:10 | call to operator* | TAINT |
+| smart_pointer.cpp:24:11:24:11 | p | smart_pointer.cpp:24:10:24:10 | call to operator* |  |
 | smart_pointer.cpp:24:11:24:11 | ref arg p | smart_pointer.cpp:25:10:25:10 | p |  |
 | smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:30:11:30:11 | p |  |
 | smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:31:10:31:10 | p |  |
+| smart_pointer.cpp:30:10:30:10 | ref arg call to operator* | smart_pointer.cpp:30:11:30:11 | p [inner post update] |  |
 | smart_pointer.cpp:30:10:30:10 | ref arg call to operator* | smart_pointer.cpp:31:10:31:10 | p |  |
 | smart_pointer.cpp:30:11:30:11 | p | smart_pointer.cpp:30:10:30:10 | call to operator* | TAINT |
+| smart_pointer.cpp:30:11:30:11 | ref arg p | smart_pointer.cpp:30:11:30:11 | p [inner post update] |  |
 | smart_pointer.cpp:30:11:30:11 | ref arg p | smart_pointer.cpp:31:10:31:10 | p |  |
 | smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:37:6:37:6 | p |  |
 | smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:38:10:38:10 | p |  |
 | smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:39:11:39:11 | p |  |
+| smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:37:6:37:6 | p [inner post update] |  |
 | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:38:10:38:10 | p |  |
 | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:39:11:39:11 | p |  |
 | smart_pointer.cpp:37:5:37:17 | ... = ... | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] |  |
-| smart_pointer.cpp:37:6:37:6 | p | smart_pointer.cpp:37:5:37:5 | call to operator* | TAINT |
+| smart_pointer.cpp:37:6:37:6 | p | smart_pointer.cpp:37:5:37:5 | call to operator* |  |
+| smart_pointer.cpp:37:6:37:6 | ref arg p | smart_pointer.cpp:37:6:37:6 | p [inner post update] |  |
 | smart_pointer.cpp:37:6:37:6 | ref arg p | smart_pointer.cpp:38:10:38:10 | p |  |
 | smart_pointer.cpp:37:6:37:6 | ref arg p | smart_pointer.cpp:39:11:39:11 | p |  |
 | smart_pointer.cpp:37:10:37:15 | call to source | smart_pointer.cpp:37:5:37:17 | ... = ... |  |
 | smart_pointer.cpp:38:10:38:10 | ref arg p | smart_pointer.cpp:39:11:39:11 | p |  |
-| smart_pointer.cpp:39:11:39:11 | p | smart_pointer.cpp:39:10:39:10 | call to operator* | TAINT |
+| smart_pointer.cpp:39:11:39:11 | p | smart_pointer.cpp:39:10:39:10 | call to operator* |  |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:45:6:45:6 | p |  |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:46:10:46:10 | p |  |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:47:11:47:11 | p |  |
+| smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:45:6:45:6 | p [inner post update] |  |
 | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:46:10:46:10 | p |  |
 | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:47:11:47:11 | p |  |
 | smart_pointer.cpp:45:5:45:17 | ... = ... | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] |  |
-| smart_pointer.cpp:45:6:45:6 | p | smart_pointer.cpp:45:5:45:5 | call to operator* | TAINT |
+| smart_pointer.cpp:45:6:45:6 | p | smart_pointer.cpp:45:5:45:5 | call to operator* |  |
+| smart_pointer.cpp:45:6:45:6 | ref arg p | smart_pointer.cpp:45:6:45:6 | p [inner post update] |  |
 | smart_pointer.cpp:45:6:45:6 | ref arg p | smart_pointer.cpp:46:10:46:10 | p |  |
 | smart_pointer.cpp:45:6:45:6 | ref arg p | smart_pointer.cpp:47:11:47:11 | p |  |
 | smart_pointer.cpp:45:10:45:15 | call to source | smart_pointer.cpp:45:5:45:17 | ... = ... |  |
 | smart_pointer.cpp:46:10:46:10 | ref arg p | smart_pointer.cpp:47:11:47:11 | p |  |
-| smart_pointer.cpp:47:11:47:11 | p | smart_pointer.cpp:47:10:47:10 | call to operator* | TAINT |
+| smart_pointer.cpp:47:11:47:11 | p | smart_pointer.cpp:47:10:47:10 | call to operator* |  |
 | smart_pointer.cpp:51:30:51:50 | call to make_shared | smart_pointer.cpp:52:10:52:10 | p |  |
 | smart_pointer.cpp:51:52:51:57 | call to source | smart_pointer.cpp:51:30:51:50 | call to make_shared | TAINT |
 | smart_pointer.cpp:52:10:52:10 | p | smart_pointer.cpp:52:12:52:14 | call to get |  |
@@ -3282,15 +3290,18 @@
 | smart_pointer.cpp:70:37:70:39 | ptr | smart_pointer.cpp:70:37:70:39 | ptr |  |
 | smart_pointer.cpp:70:37:70:39 | ptr | smart_pointer.cpp:71:4:71:6 | ptr |  |
 | smart_pointer.cpp:71:3:71:3 | call to operator* [post update] | smart_pointer.cpp:70:37:70:39 | ptr |  |
+| smart_pointer.cpp:71:3:71:3 | call to operator* [post update] | smart_pointer.cpp:71:4:71:6 | ptr [inner post update] |  |
 | smart_pointer.cpp:71:3:71:17 | ... = ... | smart_pointer.cpp:71:3:71:3 | call to operator* [post update] |  |
-| smart_pointer.cpp:71:4:71:6 | ptr | smart_pointer.cpp:71:3:71:3 | call to operator* | TAINT |
+| smart_pointer.cpp:71:4:71:6 | ptr | smart_pointer.cpp:71:3:71:3 | call to operator* |  |
 | smart_pointer.cpp:71:4:71:6 | ref arg ptr | smart_pointer.cpp:70:37:70:39 | ptr |  |
+| smart_pointer.cpp:71:4:71:6 | ref arg ptr | smart_pointer.cpp:71:4:71:6 | ptr [inner post update] |  |
 | smart_pointer.cpp:71:10:71:15 | call to source | smart_pointer.cpp:71:3:71:17 | ... = ... |  |
 | smart_pointer.cpp:75:26:75:33 | call to shared_ptr | smart_pointer.cpp:76:13:76:13 | p |  |
 | smart_pointer.cpp:75:26:75:33 | call to shared_ptr | smart_pointer.cpp:77:9:77:9 | p |  |
-| smart_pointer.cpp:76:13:76:13 | call to shared_ptr [post update] | smart_pointer.cpp:77:9:77:9 | p |  |
 | smart_pointer.cpp:76:13:76:13 | p | smart_pointer.cpp:76:13:76:13 | call to shared_ptr |  |
-| smart_pointer.cpp:77:9:77:9 | p | smart_pointer.cpp:77:8:77:8 | call to operator* | TAINT |
+| smart_pointer.cpp:76:13:76:13 | ref arg call to shared_ptr | smart_pointer.cpp:76:13:76:13 | p [inner post update] |  |
+| smart_pointer.cpp:76:13:76:13 | ref arg call to shared_ptr | smart_pointer.cpp:77:9:77:9 | p |  |
+| smart_pointer.cpp:77:9:77:9 | p | smart_pointer.cpp:77:8:77:8 | call to operator* |  |
 | smart_pointer.cpp:86:45:86:45 | p | smart_pointer.cpp:86:45:86:45 | p |  |
 | smart_pointer.cpp:86:45:86:45 | p | smart_pointer.cpp:87:3:87:3 | p |  |
 | smart_pointer.cpp:86:45:86:45 | p | smart_pointer.cpp:88:8:88:8 | p |  |
@@ -3306,10 +3317,7 @@
 | smart_pointer.cpp:87:3:87:3 | ref arg p | smart_pointer.cpp:89:8:89:8 | p |  |
 | smart_pointer.cpp:87:3:87:17 | ... = ... | smart_pointer.cpp:87:6:87:6 | x [post update] |  |
 | smart_pointer.cpp:87:3:87:17 | ... = ... | smart_pointer.cpp:88:11:88:11 | x |  |
-| smart_pointer.cpp:87:4:87:4 | call to operator-> [post update] | smart_pointer.cpp:86:45:86:45 | p |  |
 | smart_pointer.cpp:87:4:87:4 | call to operator-> [post update] | smart_pointer.cpp:87:3:87:3 | ref arg p |  |
-| smart_pointer.cpp:87:4:87:4 | call to operator-> [post update] | smart_pointer.cpp:88:8:88:8 | p |  |
-| smart_pointer.cpp:87:4:87:4 | call to operator-> [post update] | smart_pointer.cpp:89:8:89:8 | p |  |
 | smart_pointer.cpp:87:10:87:15 | call to source | smart_pointer.cpp:87:3:87:17 | ... = ... |  |
 | smart_pointer.cpp:88:8:88:8 | p | smart_pointer.cpp:88:9:88:9 | call to operator-> |  |
 | smart_pointer.cpp:88:8:88:8 | ref arg p | smart_pointer.cpp:86:45:86:45 | p |  |
@@ -3323,11 +3331,7 @@
 | smart_pointer.cpp:91:3:91:3 | ref arg q | smart_pointer.cpp:94:8:94:8 | q |  |
 | smart_pointer.cpp:91:3:91:20 | ... = ... | smart_pointer.cpp:91:9:91:9 | x [post update] |  |
 | smart_pointer.cpp:91:3:91:20 | ... = ... | smart_pointer.cpp:92:14:92:14 | x |  |
-| smart_pointer.cpp:91:4:91:4 | call to operator-> [post update] | smart_pointer.cpp:86:67:86:67 | q |  |
 | smart_pointer.cpp:91:4:91:4 | call to operator-> [post update] | smart_pointer.cpp:91:3:91:3 | ref arg q |  |
-| smart_pointer.cpp:91:4:91:4 | call to operator-> [post update] | smart_pointer.cpp:92:8:92:8 | q |  |
-| smart_pointer.cpp:91:4:91:4 | call to operator-> [post update] | smart_pointer.cpp:93:8:93:8 | q |  |
-| smart_pointer.cpp:91:4:91:4 | call to operator-> [post update] | smart_pointer.cpp:94:8:94:8 | q |  |
 | smart_pointer.cpp:91:13:91:18 | call to source | smart_pointer.cpp:91:3:91:20 | ... = ... |  |
 | smart_pointer.cpp:92:8:92:8 | q | smart_pointer.cpp:92:9:92:9 | call to operator-> |  |
 | smart_pointer.cpp:92:8:92:8 | ref arg q | smart_pointer.cpp:86:67:86:67 | q |  |
@@ -3346,8 +3350,80 @@
 | smart_pointer.cpp:103:11:103:11 | p | smart_pointer.cpp:103:13:103:15 | call to get |  |
 | smart_pointer.cpp:103:11:103:11 | ref arg p | smart_pointer.cpp:104:8:104:8 | p |  |
 | smart_pointer.cpp:103:13:103:15 | ref arg call to get | smart_pointer.cpp:103:11:103:11 | ref arg p |  |
-| smart_pointer.cpp:103:13:103:15 | ref arg call to get | smart_pointer.cpp:104:8:104:8 | p |  |
 | smart_pointer.cpp:104:8:104:8 | p | smart_pointer.cpp:104:9:104:9 | call to operator-> |  |
+| smart_pointer.cpp:112:40:112:42 | ptr | smart_pointer.cpp:112:40:112:42 | ptr |  |
+| smart_pointer.cpp:112:40:112:42 | ptr | smart_pointer.cpp:113:2:113:4 | ptr |  |
+| smart_pointer.cpp:113:2:113:4 | ptr | smart_pointer.cpp:113:5:113:5 | call to operator-> |  |
+| smart_pointer.cpp:113:2:113:4 | ref arg ptr | smart_pointer.cpp:112:40:112:42 | ptr |  |
+| smart_pointer.cpp:113:2:113:18 | ... = ... | smart_pointer.cpp:113:7:113:7 | x [post update] |  |
+| smart_pointer.cpp:113:5:113:5 | call to operator-> [post update] | smart_pointer.cpp:113:2:113:4 | ref arg ptr |  |
+| smart_pointer.cpp:113:11:113:16 | call to source | smart_pointer.cpp:113:2:113:18 | ... = ... |  |
+| smart_pointer.cpp:116:52:116:54 | ptr | smart_pointer.cpp:117:2:117:4 | ptr |  |
+| smart_pointer.cpp:117:2:117:4 | ptr | smart_pointer.cpp:117:5:117:5 | call to operator-> |  |
+| smart_pointer.cpp:117:2:117:18 | ... = ... | smart_pointer.cpp:117:7:117:7 | x [post update] |  |
+| smart_pointer.cpp:117:5:117:5 | call to operator-> [post update] | smart_pointer.cpp:117:2:117:4 | ref arg ptr |  |
+| smart_pointer.cpp:117:11:117:16 | call to source | smart_pointer.cpp:117:2:117:18 | ... = ... |  |
+| smart_pointer.cpp:120:48:120:50 | ptr | smart_pointer.cpp:121:4:121:6 | ptr |  |
+| smart_pointer.cpp:121:3:121:3 | call to operator* [post update] | smart_pointer.cpp:121:4:121:6 | ptr [inner post update] |  |
+| smart_pointer.cpp:121:3:121:17 | ... = ... | smart_pointer.cpp:121:3:121:3 | call to operator* [post update] |  |
+| smart_pointer.cpp:121:4:121:6 | ptr | smart_pointer.cpp:121:3:121:3 | call to operator* |  |
+| smart_pointer.cpp:121:4:121:6 | ref arg ptr | smart_pointer.cpp:121:4:121:6 | ptr [inner post update] |  |
+| smart_pointer.cpp:121:10:121:15 | call to source | smart_pointer.cpp:121:3:121:17 | ... = ... |  |
+| smart_pointer.cpp:124:48:124:49 | p1 | smart_pointer.cpp:124:48:124:49 | p1 |  |
+| smart_pointer.cpp:124:48:124:49 | p1 | smart_pointer.cpp:125:18:125:19 | p1 |  |
+| smart_pointer.cpp:124:48:124:49 | p1 | smart_pointer.cpp:126:8:126:9 | p1 |  |
+| smart_pointer.cpp:124:90:124:91 | p2 | smart_pointer.cpp:124:90:124:91 | p2 |  |
+| smart_pointer.cpp:124:90:124:91 | p2 | smart_pointer.cpp:128:14:128:15 | p2 |  |
+| smart_pointer.cpp:124:90:124:91 | p2 | smart_pointer.cpp:129:10:129:11 | p2 |  |
+| smart_pointer.cpp:125:18:125:19 | p1 | smart_pointer.cpp:125:20:125:20 | call to operator-> |  |
+| smart_pointer.cpp:125:18:125:19 | ref arg p1 | smart_pointer.cpp:124:48:124:49 | p1 |  |
+| smart_pointer.cpp:125:18:125:19 | ref arg p1 | smart_pointer.cpp:126:8:126:9 | p1 |  |
+| smart_pointer.cpp:125:18:125:22 | ref arg call to shared_ptr | smart_pointer.cpp:125:22:125:22 | q [inner post update] |  |
+| smart_pointer.cpp:125:20:125:20 | call to operator-> [post update] | smart_pointer.cpp:125:18:125:19 | ref arg p1 |  |
+| smart_pointer.cpp:125:22:125:22 | q | smart_pointer.cpp:125:18:125:22 | call to shared_ptr |  |
+| smart_pointer.cpp:126:8:126:9 | p1 | smart_pointer.cpp:126:10:126:10 | call to operator-> |  |
+| smart_pointer.cpp:126:8:126:9 | ref arg p1 | smart_pointer.cpp:124:48:124:49 | p1 |  |
+| smart_pointer.cpp:126:10:126:10 | call to operator-> [post update] | smart_pointer.cpp:126:8:126:9 | ref arg p1 |  |
+| smart_pointer.cpp:126:12:126:12 | q | smart_pointer.cpp:126:13:126:13 | call to operator-> |  |
+| smart_pointer.cpp:128:13:128:13 | call to operator* | smart_pointer.cpp:128:13:128:15 | call to shared_ptr | TAINT |
+| smart_pointer.cpp:128:13:128:15 | ref arg call to shared_ptr | smart_pointer.cpp:124:90:124:91 | p2 |  |
+| smart_pointer.cpp:128:13:128:15 | ref arg call to shared_ptr | smart_pointer.cpp:128:13:128:13 | call to operator* [inner post update] |  |
+| smart_pointer.cpp:128:13:128:15 | ref arg call to shared_ptr | smart_pointer.cpp:128:14:128:15 | p2 [inner post update] |  |
+| smart_pointer.cpp:128:13:128:15 | ref arg call to shared_ptr | smart_pointer.cpp:129:10:129:11 | p2 |  |
+| smart_pointer.cpp:128:14:128:15 | p2 | smart_pointer.cpp:128:13:128:13 | call to operator* | TAINT |
+| smart_pointer.cpp:128:14:128:15 | ref arg p2 | smart_pointer.cpp:124:90:124:91 | p2 |  |
+| smart_pointer.cpp:128:14:128:15 | ref arg p2 | smart_pointer.cpp:128:14:128:15 | p2 [inner post update] |  |
+| smart_pointer.cpp:128:14:128:15 | ref arg p2 | smart_pointer.cpp:129:10:129:11 | p2 |  |
+| smart_pointer.cpp:129:9:129:9 | call to operator* | smart_pointer.cpp:129:8:129:8 | call to operator* | TAINT |
+| smart_pointer.cpp:129:9:129:9 | ref arg call to operator* | smart_pointer.cpp:124:90:124:91 | p2 |  |
+| smart_pointer.cpp:129:9:129:9 | ref arg call to operator* | smart_pointer.cpp:129:10:129:11 | p2 [inner post update] |  |
+| smart_pointer.cpp:129:10:129:11 | p2 | smart_pointer.cpp:129:8:129:8 | call to operator* |  |
+| smart_pointer.cpp:129:10:129:11 | p2 | smart_pointer.cpp:129:9:129:9 | call to operator* | TAINT |
+| smart_pointer.cpp:129:10:129:11 | ref arg p2 | smart_pointer.cpp:124:90:124:91 | p2 |  |
+| smart_pointer.cpp:129:10:129:11 | ref arg p2 | smart_pointer.cpp:129:10:129:11 | p2 [inner post update] |  |
+| smart_pointer.cpp:132:53:132:54 | p1 | smart_pointer.cpp:132:53:132:54 | p1 |  |
+| smart_pointer.cpp:132:53:132:54 | p1 | smart_pointer.cpp:133:23:133:24 | p1 |  |
+| smart_pointer.cpp:132:53:132:54 | p1 | smart_pointer.cpp:134:8:134:9 | p1 |  |
+| smart_pointer.cpp:132:95:132:96 | p2 | smart_pointer.cpp:132:95:132:96 | p2 |  |
+| smart_pointer.cpp:132:95:132:96 | p2 | smart_pointer.cpp:136:18:136:19 | p2 |  |
+| smart_pointer.cpp:132:95:132:96 | p2 | smart_pointer.cpp:137:10:137:11 | p2 |  |
+| smart_pointer.cpp:133:23:133:24 | p1 | smart_pointer.cpp:133:25:133:25 | call to operator-> |  |
+| smart_pointer.cpp:133:23:133:24 | ref arg p1 | smart_pointer.cpp:132:53:132:54 | p1 |  |
+| smart_pointer.cpp:133:23:133:24 | ref arg p1 | smart_pointer.cpp:134:8:134:9 | p1 |  |
+| smart_pointer.cpp:134:8:134:9 | p1 | smart_pointer.cpp:134:10:134:10 | call to operator-> |  |
+| smart_pointer.cpp:134:8:134:9 | ref arg p1 | smart_pointer.cpp:132:53:132:54 | p1 |  |
+| smart_pointer.cpp:134:10:134:10 | call to operator-> [post update] | smart_pointer.cpp:134:8:134:9 | ref arg p1 |  |
+| smart_pointer.cpp:134:12:134:12 | q | smart_pointer.cpp:134:13:134:13 | call to operator-> |  |
+| smart_pointer.cpp:136:18:136:19 | p2 | smart_pointer.cpp:136:17:136:17 | call to operator* | TAINT |
+| smart_pointer.cpp:136:18:136:19 | ref arg p2 | smart_pointer.cpp:132:95:132:96 | p2 |  |
+| smart_pointer.cpp:136:18:136:19 | ref arg p2 | smart_pointer.cpp:137:10:137:11 | p2 |  |
+| smart_pointer.cpp:137:9:137:9 | call to operator* | smart_pointer.cpp:137:8:137:8 | call to operator* | TAINT |
+| smart_pointer.cpp:137:9:137:9 | ref arg call to operator* | smart_pointer.cpp:132:95:132:96 | p2 |  |
+| smart_pointer.cpp:137:9:137:9 | ref arg call to operator* | smart_pointer.cpp:137:10:137:11 | p2 [inner post update] |  |
+| smart_pointer.cpp:137:10:137:11 | p2 | smart_pointer.cpp:137:8:137:8 | call to operator* |  |
+| smart_pointer.cpp:137:10:137:11 | p2 | smart_pointer.cpp:137:9:137:9 | call to operator* | TAINT |
+| smart_pointer.cpp:137:10:137:11 | ref arg p2 | smart_pointer.cpp:132:95:132:96 | p2 |  |
+| smart_pointer.cpp:137:10:137:11 | ref arg p2 | smart_pointer.cpp:137:10:137:11 | p2 [inner post update] |  |
 | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:39:45:39:51 | source1 |  |
 | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:40:11:40:17 | source1 |  |
 | standalone_iterators.cpp:39:45:39:51 | source1 | standalone_iterators.cpp:41:12:41:18 | source1 |  |
@@ -3383,20 +3459,26 @@
 | standalone_iterators.cpp:85:35:85:36 | c1 | standalone_iterators.cpp:85:38:85:42 | call to begin | TAINT |
 | standalone_iterators.cpp:85:35:85:36 | ref arg c1 | standalone_iterators.cpp:87:10:87:11 | c1 |  |
 | standalone_iterators.cpp:85:38:85:42 | call to begin | standalone_iterators.cpp:86:6:86:7 | i1 |  |
+| standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | standalone_iterators.cpp:86:8:86:8 | call to operator-- [inner post update] |  |
 | standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | standalone_iterators.cpp:86:8:86:8 | ref arg call to operator-- | TAINT |
 | standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | standalone_iterators.cpp:87:10:87:11 | c1 |  |
 | standalone_iterators.cpp:86:6:86:7 | i1 | standalone_iterators.cpp:86:8:86:8 | call to operator-- |  |
 | standalone_iterators.cpp:86:8:86:8 | call to operator-- | standalone_iterators.cpp:86:5:86:5 | call to operator* | TAINT |
+| standalone_iterators.cpp:86:8:86:8 | call to operator-- [inner post update] | standalone_iterators.cpp:86:6:86:7 | ref arg i1 |  |
 | standalone_iterators.cpp:86:8:86:8 | ref arg call to operator-- | standalone_iterators.cpp:86:6:86:7 | ref arg i1 |  |
+| standalone_iterators.cpp:86:8:86:8 | ref arg call to operator-- | standalone_iterators.cpp:86:8:86:8 | call to operator-- [inner post update] |  |
 | standalone_iterators.cpp:86:13:86:18 | call to source | standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | TAINT |
 | standalone_iterators.cpp:89:35:89:36 | c2 | standalone_iterators.cpp:89:38:89:42 | call to begin | TAINT |
 | standalone_iterators.cpp:89:35:89:36 | ref arg c2 | standalone_iterators.cpp:91:10:91:11 | c2 |  |
 | standalone_iterators.cpp:89:38:89:42 | call to begin | standalone_iterators.cpp:90:6:90:7 | i2 |  |
+| standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | standalone_iterators.cpp:90:8:90:8 | call to operator-- [inner post update] |  |
 | standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | standalone_iterators.cpp:90:8:90:8 | ref arg call to operator-- | TAINT |
 | standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | standalone_iterators.cpp:91:10:91:11 | c2 |  |
 | standalone_iterators.cpp:90:6:90:7 | i2 | standalone_iterators.cpp:90:8:90:8 | call to operator-- |  |
 | standalone_iterators.cpp:90:8:90:8 | call to operator-- | standalone_iterators.cpp:90:5:90:5 | call to operator* | TAINT |
+| standalone_iterators.cpp:90:8:90:8 | call to operator-- [inner post update] | standalone_iterators.cpp:90:6:90:7 | ref arg i2 |  |
 | standalone_iterators.cpp:90:8:90:8 | ref arg call to operator-- | standalone_iterators.cpp:90:6:90:7 | ref arg i2 |  |
+| standalone_iterators.cpp:90:8:90:8 | ref arg call to operator-- | standalone_iterators.cpp:90:8:90:8 | call to operator-- [inner post update] |  |
 | standalone_iterators.cpp:90:13:90:13 | 0 | standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | TAINT |
 | standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:101:6:101:7 | c1 |  |
 | standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:102:6:102:7 | c1 |  |
@@ -3414,10 +3496,13 @@
 | standalone_iterators.cpp:102:6:102:7 | ref arg c1 | standalone_iterators.cpp:109:7:109:8 | c1 |  |
 | standalone_iterators.cpp:102:9:102:13 | call to begin | standalone_iterators.cpp:102:2:102:15 | ... = ... |  |
 | standalone_iterators.cpp:102:9:102:13 | call to begin | standalone_iterators.cpp:107:7:107:7 | b |  |
+| standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:103:3:103:3 | a [inner post update] |  |
 | standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:103:3:103:3 | ref arg a | TAINT |
+| standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:104:7:104:7 | a |  |
 | standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:106:6:106:7 | c1 |  |
 | standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:109:7:109:8 | c1 |  |
 | standalone_iterators.cpp:103:3:103:3 | a | standalone_iterators.cpp:103:2:103:2 | call to operator* | TAINT |
+| standalone_iterators.cpp:103:3:103:3 | ref arg a | standalone_iterators.cpp:103:3:103:3 | a [inner post update] |  |
 | standalone_iterators.cpp:103:3:103:3 | ref arg a | standalone_iterators.cpp:104:7:104:7 | a |  |
 | standalone_iterators.cpp:103:7:103:12 | call to source | standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | TAINT |
 | standalone_iterators.cpp:104:7:104:7 | a [post update] | standalone_iterators.cpp:106:6:106:7 | c1 |  |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
index 51718510b0a..6ab09046c4e 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
@@ -102,4 +102,37 @@ void reverse_taint_smart_pointer() {
   std::unique_ptr<A> p = std::unique_ptr<A>(new A);
   taint_x(p.get());
   sink(p->x); // $ ast MISSING: ir
+}
+
+struct C {
+	int z;
+	std::shared_ptr<A> q;
+};
+
+void taint_x_shared(std::shared_ptr<A> ptr) {
+	ptr->x = source();
+}
+
+void taint_x_shared_cref(const std::shared_ptr<A>& ptr) {
+	ptr->x = source();
+}
+
+void getNumberCRef(const std::shared_ptr<int>& ptr) {
+  *ptr = source();
+}
+
+int nested_shared_ptr_taint(std::shared_ptr<C> p1, std::unique_ptr<std::shared_ptr<int>> p2) {
+  taint_x_shared(p1->q);
+  sink(p1->q->x); // $ ast MISSING: ir
+
+  getNumber(*p2);
+  sink(**p2); // $ ast MISSING: ir
+}
+
+int nested_shared_ptr_taint_cref(std::shared_ptr<C> p1, std::unique_ptr<std::shared_ptr<int>> p2) {
+  taint_x_shared_cref(p1->q);
+  sink(p1->q->x); // $ MISSING: ast,ir
+
+  getNumberCRef(*p2);
+  sink(**p2); // $ MISSING: ast,ir
 }
\ No newline at end of file

From 1510fe370df737f6e7593203bbad4fff72f4e438 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 9 Apr 2021 20:58:05 +0200
Subject: [PATCH 0288/1429] C++: Add cases for const pointer wrapper references
 to AddressFlow and FlowVar.

---
 .../code/cpp/dataflow/internal/AddressFlow.qll  |  4 +++-
 .../code/cpp/dataflow/internal/FlowVar.qll      |  9 ++++++++-
 .../dataflow/taint-tests/localTaint.expected    | 17 +++++++++++++++++
 .../dataflow/taint-tests/smart_pointer.cpp      |  4 ++--
 4 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll
index 70af0b25c23..7e76c1540e3 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll
@@ -247,7 +247,9 @@ private predicate referenceToUpdate(Expr reference, Expr outer, ControlFlowNode
     not stdIdentityFunction(call.getTarget()) and
     not stdAddressOf(call.getTarget()) and
     exists(ReferenceType rt | rt = outer.getType().stripTopLevelSpecifiers() |
-      not rt.getBaseType().isConst()
+      not rt.getBaseType().isConst() or
+      rt.getBaseType().getUnspecifiedType() =
+        any(PointerWrapper wrapper | not wrapper.pointsToConst())
     )
   ) and
   reference = outer
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
index 79728629a9a..e3f8b6f68fb 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/FlowVar.qll
@@ -644,7 +644,14 @@ module FlowVar_internal {
   predicate parameterIsNonConstReference(Parameter p) {
     exists(ReferenceType refType |
       refType = p.getUnderlyingType() and
-      not refType.getBaseType().isConst()
+      (
+        not refType.getBaseType().isConst()
+        or
+        // A field of a parameter of type `const std::shared_ptr<A>& p` can still be changed even though
+        // the base type of the reference is `const`.
+        refType.getBaseType().getUnspecifiedType() =
+          any(PointerWrapper wrapper | not wrapper.pointsToConst())
+      )
     )
     or
     p instanceof IteratorParameter
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index dd15fa7cd98..50d5070a144 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -3301,6 +3301,8 @@
 | smart_pointer.cpp:76:13:76:13 | p | smart_pointer.cpp:76:13:76:13 | call to shared_ptr |  |
 | smart_pointer.cpp:76:13:76:13 | ref arg call to shared_ptr | smart_pointer.cpp:76:13:76:13 | p [inner post update] |  |
 | smart_pointer.cpp:76:13:76:13 | ref arg call to shared_ptr | smart_pointer.cpp:77:9:77:9 | p |  |
+| smart_pointer.cpp:76:13:76:13 | ref arg p | smart_pointer.cpp:76:13:76:13 | p [inner post update] |  |
+| smart_pointer.cpp:76:13:76:13 | ref arg p | smart_pointer.cpp:77:9:77:9 | p |  |
 | smart_pointer.cpp:77:9:77:9 | p | smart_pointer.cpp:77:8:77:8 | call to operator* |  |
 | smart_pointer.cpp:86:45:86:45 | p | smart_pointer.cpp:86:45:86:45 | p |  |
 | smart_pointer.cpp:86:45:86:45 | p | smart_pointer.cpp:87:3:87:3 | p |  |
@@ -3358,15 +3360,20 @@
 | smart_pointer.cpp:113:2:113:18 | ... = ... | smart_pointer.cpp:113:7:113:7 | x [post update] |  |
 | smart_pointer.cpp:113:5:113:5 | call to operator-> [post update] | smart_pointer.cpp:113:2:113:4 | ref arg ptr |  |
 | smart_pointer.cpp:113:11:113:16 | call to source | smart_pointer.cpp:113:2:113:18 | ... = ... |  |
+| smart_pointer.cpp:116:52:116:54 | ptr | smart_pointer.cpp:116:52:116:54 | ptr |  |
 | smart_pointer.cpp:116:52:116:54 | ptr | smart_pointer.cpp:117:2:117:4 | ptr |  |
 | smart_pointer.cpp:117:2:117:4 | ptr | smart_pointer.cpp:117:5:117:5 | call to operator-> |  |
+| smart_pointer.cpp:117:2:117:4 | ref arg ptr | smart_pointer.cpp:116:52:116:54 | ptr |  |
 | smart_pointer.cpp:117:2:117:18 | ... = ... | smart_pointer.cpp:117:7:117:7 | x [post update] |  |
 | smart_pointer.cpp:117:5:117:5 | call to operator-> [post update] | smart_pointer.cpp:117:2:117:4 | ref arg ptr |  |
 | smart_pointer.cpp:117:11:117:16 | call to source | smart_pointer.cpp:117:2:117:18 | ... = ... |  |
+| smart_pointer.cpp:120:48:120:50 | ptr | smart_pointer.cpp:120:48:120:50 | ptr |  |
 | smart_pointer.cpp:120:48:120:50 | ptr | smart_pointer.cpp:121:4:121:6 | ptr |  |
+| smart_pointer.cpp:121:3:121:3 | call to operator* [post update] | smart_pointer.cpp:120:48:120:50 | ptr |  |
 | smart_pointer.cpp:121:3:121:3 | call to operator* [post update] | smart_pointer.cpp:121:4:121:6 | ptr [inner post update] |  |
 | smart_pointer.cpp:121:3:121:17 | ... = ... | smart_pointer.cpp:121:3:121:3 | call to operator* [post update] |  |
 | smart_pointer.cpp:121:4:121:6 | ptr | smart_pointer.cpp:121:3:121:3 | call to operator* |  |
+| smart_pointer.cpp:121:4:121:6 | ref arg ptr | smart_pointer.cpp:120:48:120:50 | ptr |  |
 | smart_pointer.cpp:121:4:121:6 | ref arg ptr | smart_pointer.cpp:121:4:121:6 | ptr [inner post update] |  |
 | smart_pointer.cpp:121:10:121:15 | call to source | smart_pointer.cpp:121:3:121:17 | ... = ... |  |
 | smart_pointer.cpp:124:48:124:49 | p1 | smart_pointer.cpp:124:48:124:49 | p1 |  |
@@ -3381,11 +3388,16 @@
 | smart_pointer.cpp:125:18:125:22 | ref arg call to shared_ptr | smart_pointer.cpp:125:22:125:22 | q [inner post update] |  |
 | smart_pointer.cpp:125:20:125:20 | call to operator-> [post update] | smart_pointer.cpp:125:18:125:19 | ref arg p1 |  |
 | smart_pointer.cpp:125:22:125:22 | q | smart_pointer.cpp:125:18:125:22 | call to shared_ptr |  |
+| smart_pointer.cpp:125:22:125:22 | ref arg q | smart_pointer.cpp:125:22:125:22 | q [inner post update] |  |
 | smart_pointer.cpp:126:8:126:9 | p1 | smart_pointer.cpp:126:10:126:10 | call to operator-> |  |
 | smart_pointer.cpp:126:8:126:9 | ref arg p1 | smart_pointer.cpp:124:48:124:49 | p1 |  |
 | smart_pointer.cpp:126:10:126:10 | call to operator-> [post update] | smart_pointer.cpp:126:8:126:9 | ref arg p1 |  |
 | smart_pointer.cpp:126:12:126:12 | q | smart_pointer.cpp:126:13:126:13 | call to operator-> |  |
 | smart_pointer.cpp:128:13:128:13 | call to operator* | smart_pointer.cpp:128:13:128:15 | call to shared_ptr | TAINT |
+| smart_pointer.cpp:128:13:128:13 | ref arg call to operator* | smart_pointer.cpp:124:90:124:91 | p2 |  |
+| smart_pointer.cpp:128:13:128:13 | ref arg call to operator* | smart_pointer.cpp:128:13:128:13 | call to operator* [inner post update] |  |
+| smart_pointer.cpp:128:13:128:13 | ref arg call to operator* | smart_pointer.cpp:128:14:128:15 | p2 [inner post update] |  |
+| smart_pointer.cpp:128:13:128:13 | ref arg call to operator* | smart_pointer.cpp:129:10:129:11 | p2 |  |
 | smart_pointer.cpp:128:13:128:15 | ref arg call to shared_ptr | smart_pointer.cpp:124:90:124:91 | p2 |  |
 | smart_pointer.cpp:128:13:128:15 | ref arg call to shared_ptr | smart_pointer.cpp:128:13:128:13 | call to operator* [inner post update] |  |
 | smart_pointer.cpp:128:13:128:15 | ref arg call to shared_ptr | smart_pointer.cpp:128:14:128:15 | p2 [inner post update] |  |
@@ -3410,12 +3422,17 @@
 | smart_pointer.cpp:133:23:133:24 | p1 | smart_pointer.cpp:133:25:133:25 | call to operator-> |  |
 | smart_pointer.cpp:133:23:133:24 | ref arg p1 | smart_pointer.cpp:132:53:132:54 | p1 |  |
 | smart_pointer.cpp:133:23:133:24 | ref arg p1 | smart_pointer.cpp:134:8:134:9 | p1 |  |
+| smart_pointer.cpp:133:25:133:25 | call to operator-> [post update] | smart_pointer.cpp:133:23:133:24 | ref arg p1 |  |
 | smart_pointer.cpp:134:8:134:9 | p1 | smart_pointer.cpp:134:10:134:10 | call to operator-> |  |
 | smart_pointer.cpp:134:8:134:9 | ref arg p1 | smart_pointer.cpp:132:53:132:54 | p1 |  |
 | smart_pointer.cpp:134:10:134:10 | call to operator-> [post update] | smart_pointer.cpp:134:8:134:9 | ref arg p1 |  |
 | smart_pointer.cpp:134:12:134:12 | q | smart_pointer.cpp:134:13:134:13 | call to operator-> |  |
+| smart_pointer.cpp:136:17:136:17 | ref arg call to operator* | smart_pointer.cpp:132:95:132:96 | p2 |  |
+| smart_pointer.cpp:136:17:136:17 | ref arg call to operator* | smart_pointer.cpp:136:18:136:19 | p2 [inner post update] |  |
+| smart_pointer.cpp:136:17:136:17 | ref arg call to operator* | smart_pointer.cpp:137:10:137:11 | p2 |  |
 | smart_pointer.cpp:136:18:136:19 | p2 | smart_pointer.cpp:136:17:136:17 | call to operator* | TAINT |
 | smart_pointer.cpp:136:18:136:19 | ref arg p2 | smart_pointer.cpp:132:95:132:96 | p2 |  |
+| smart_pointer.cpp:136:18:136:19 | ref arg p2 | smart_pointer.cpp:136:18:136:19 | p2 [inner post update] |  |
 | smart_pointer.cpp:136:18:136:19 | ref arg p2 | smart_pointer.cpp:137:10:137:11 | p2 |  |
 | smart_pointer.cpp:137:9:137:9 | call to operator* | smart_pointer.cpp:137:8:137:8 | call to operator* | TAINT |
 | smart_pointer.cpp:137:9:137:9 | ref arg call to operator* | smart_pointer.cpp:132:95:132:96 | p2 |  |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
index 6ab09046c4e..39cff39e3ed 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
@@ -131,8 +131,8 @@ int nested_shared_ptr_taint(std::shared_ptr<C> p1, std::unique_ptr<std::shared_p
 
 int nested_shared_ptr_taint_cref(std::shared_ptr<C> p1, std::unique_ptr<std::shared_ptr<int>> p2) {
   taint_x_shared_cref(p1->q);
-  sink(p1->q->x); // $ MISSING: ast,ir
+  sink(p1->q->x); // $ ast MISSING: ir
 
   getNumberCRef(*p2);
-  sink(**p2); // $ MISSING: ast,ir
+  sink(**p2); // $ ast MISSING: ir
 }
\ No newline at end of file

From 720fbaf301445e2f05138292cc0ed5e902ff6da4 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Fri, 9 Apr 2021 19:04:49 +0000
Subject: [PATCH 0289/1429] Python: Fix test error.

Somehow, having to type "Node" all day long made me turn "json" into
"node"...

Also removes some bits that weren't needed after all.
---
 python/ql/src/semmle/python/frameworks/Stdlib.qll | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index 3441c670fde..1941f0c4d5b 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -341,10 +341,8 @@ private module Stdlib {
   // ---------------------------------------------------------------------------
   // pickle
   // ---------------------------------------------------------------------------
-  private string pickleModuleName() { result in ["pickle", "cPickle", "_pickle"] }
-
   /** Gets a reference to the `pickle` module. */
-  deprecated DataFlow::Node pickle() {
+  DataFlow::Node pickle() {
     result = API::moduleImport(["pickle", "cPickle", "_pickle"]).getAUse()
   }
 
@@ -578,7 +576,7 @@ private module Stdlib {
   // json
   // ---------------------------------------------------------------------------
   /** Gets a reference to the `json` module. */
-  API::Node json() { result = API::moduleImport("node") }
+  API::Node json() { result = API::moduleImport("json") }
 
   /**
    * Gets a reference to the attribute `attr_name` of the `json` module.

From 4e3791dc0d05702cda6d86bc1a61562d80e2b0ed Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Fri, 9 Apr 2021 19:36:35 +0000
Subject: [PATCH 0290/1429] Remove LoadCredentialsConfiguration and update
 qldoc

---
 .../CredentialsInPropertiesFile.qll           | 50 ++-----------------
 .../CredentialsInPropertiesFile.expected      | 10 ++--
 2 files changed, 8 insertions(+), 52 deletions(-)

diff --git a/java/ql/src/experimental/semmle/code/java/frameworks/CredentialsInPropertiesFile.qll b/java/ql/src/experimental/semmle/code/java/frameworks/CredentialsInPropertiesFile.qll
index 9577789ce0c..1190e13a9a1 100644
--- a/java/ql/src/experimental/semmle/code/java/frameworks/CredentialsInPropertiesFile.qll
+++ b/java/ql/src/experimental/semmle/code/java/frameworks/CredentialsInPropertiesFile.qll
@@ -40,7 +40,7 @@ predicate isNotCleartextCredentials(string value) {
   value.toLowerCase().matches(possibleSecretName())
 }
 
-/** The credentials configuration property. */
+/** A configuration property that appears to contain a cleartext secret. */
 class CredentialsConfig extends ConfigPair {
   CredentialsConfig() {
     this.getNameElement().getName().trim().toLowerCase().matches(possibleSecretName()) and
@@ -48,60 +48,16 @@ class CredentialsConfig extends ConfigPair {
     not isNotCleartextCredentials(this.getValueElement().getValue().trim())
   }
 
+  /** Gets the whitespace-trimmed name of this property. */
   string getName() { result = this.getNameElement().getName().trim() }
 
+  /** Gets the whitespace-trimmed value of this property. */
   string getValue() { result = this.getValueElement().getValue().trim() }
 
   /** Returns a description of this vulnerability. */
   string getConfigDesc() {
-    exists(
-      // getProperty(...)
-      LoadCredentialsConfiguration cc, DataFlow::Node source, DataFlow::Node sink, MethodAccess ma
-    |
-      this.getName() = source.asExpr().(CompileTimeConstantExpr).getStringValue() and
-      cc.hasFlow(source, sink) and
-      ma.getArgument(0) = sink.asExpr() and
-      result = "Plaintext credentials " + this.getName() + " are loaded in Java Properties " + ma
-    )
-    or
-    exists(
-      // @Value("${mail.password}")
-      Annotation a
-    |
-      a.getType().hasQualifiedName("org.springframework.beans.factory.annotation", "Value") and
-      a.getAValue().(CompileTimeConstantExpr).getStringValue() = "${" + this.getName() + "}" and
-      result = "Plaintext credentials " + this.getName() + " are loaded in Spring annotation " + a
-    )
-    or
-    not exists(LoadCredentialsConfiguration cc, DataFlow::Node source, DataFlow::Node sink |
-      this.getName() = source.asExpr().(CompileTimeConstantExpr).getStringValue() and
-      cc.hasFlow(source, sink)
-    ) and
-    not exists(Annotation a |
-      a.getType().hasQualifiedName("org.springframework.beans.factory.annotation", "Value") and
-      a.getAValue().(CompileTimeConstantExpr).getStringValue() = "${" + this.getName() + "}"
-    ) and
     result =
       "Plaintext credentials " + this.getName() + " have cleartext value " + this.getValue() +
         " in properties file"
   }
 }
-
-/**
- * A dataflow configuration tracking flow of cleartext credentials stored in a properties file
- *  to a `Properties.getProperty(...)` method call.
- */
-class LoadCredentialsConfiguration extends DataFlow::Configuration {
-  LoadCredentialsConfiguration() { this = "LoadCredentialsConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) {
-    exists(CredentialsConfig cc |
-      source.asExpr().(CompileTimeConstantExpr).getStringValue() = cc.getName()
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() =
-      any(MethodAccess ma | ma.getMethod() instanceof PropertiesGetPropertyMethod).getArgument(0)
-  }
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.expected b/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.expected
index 371a4765c53..b857d58634b 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.expected
@@ -1,5 +1,5 @@
-| configuration.properties:6:1:6:25 | ldap.password=mysecpass | Plaintext credentials ldap.password are loaded in Java Properties getProperty(...) |
-| configuration.properties:18:1:18:35 | datasource1.password=Passw0rd@123 | Plaintext credentials datasource1.password are loaded in Java Properties getProperty(...) |
-| configuration.properties:25:1:25:31 | mail.password=MysecPWxWa@1993 | Plaintext credentials mail.password are loaded in Spring annotation Value |
-| configuration.properties:33:1:33:50 | com.example.aws.s3.access_key=AKMAMQPBYMCD6YSAYCBA | Plaintext credentials com.example.aws.s3.access_key are loaded in Java Properties getProperty(...) |
-| configuration.properties:34:1:34:70 | com.example.aws.s3.secret_key=8lMPSfWzZq+wcWtck5+QPLOJDZzE783pS09/IO3k | Plaintext credentials com.example.aws.s3.secret_key are loaded in Java Properties getProperty(...) |
+| configuration.properties:6:1:6:25 | ldap.password=mysecpass | Plaintext credentials ldap.password have cleartext value mysecpass in properties file |
+| configuration.properties:18:1:18:35 | datasource1.password=Passw0rd@123 | Plaintext credentials datasource1.password have cleartext value Passw0rd@123 in properties file |
+| configuration.properties:25:1:25:31 | mail.password=MysecPWxWa@1993 | Plaintext credentials mail.password have cleartext value MysecPWxWa@1993 in properties file |
+| configuration.properties:33:1:33:50 | com.example.aws.s3.access_key=AKMAMQPBYMCD6YSAYCBA | Plaintext credentials com.example.aws.s3.access_key have cleartext value AKMAMQPBYMCD6YSAYCBA in properties file |
+| configuration.properties:34:1:34:70 | com.example.aws.s3.secret_key=8lMPSfWzZq+wcWtck5+QPLOJDZzE783pS09/IO3k | Plaintext credentials com.example.aws.s3.secret_key have cleartext value 8lMPSfWzZq+wcWtck5+QPLOJDZzE783pS09/IO3k in properties file |

From 0a866420563094129f0b63d7b0cddad227b520f6 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Fri, 9 Apr 2021 16:14:03 -0400
Subject: [PATCH 0291/1429] C++: Refactor some side effect generation code

This change was necessary for my upcoming changes to introduce side effect instructions for indirections of smart pointers. The code to decide which parameters have which side effects appeared in both the IPA constructor for `TTranslatedSideEffect` and in `TranslatedCall`. These two versions didn't quite agree, especially once the `SideEffectFunction` model provides its own side effects instead of the defaults.
The relevant code has now been factored out into `SideEffects.qll`. This queries the model if one exists, and provides default side effects if no model exists. This fixes at least one existing issue, where we were emitting a buffer read side effect for `*this` instead of an indirect read side effect. This accounts for all of the IR diffs in the tests.
---
 .../raw/internal/SideEffects.qll              | 109 ++++++
 .../raw/internal/TranslatedCall.qll           | 114 ++----
 .../raw/internal/TranslatedElement.qll        |  48 +--
 .../test/library-tests/ir/ir/raw_ir.expected  | 337 +++++++++---------
 .../ir/ssa/aliased_ssa_ir.expected            |   6 +-
 .../ir/ssa/aliased_ssa_ir_unsound.expected    |   6 +-
 .../ir/ssa/unaliased_ssa_ir.expected          |   6 +-
 .../ir/ssa/unaliased_ssa_ir_unsound.expected  |   6 +-
 8 files changed, 334 insertions(+), 298 deletions(-)
 create mode 100644 cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll
new file mode 100644
index 00000000000..350127a58d1
--- /dev/null
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll
@@ -0,0 +1,109 @@
+/**
+ * Predicates to compute the modeled side effects of calls during IR construction.
+ *
+ * These are used in `TranslatedElement.qll` to generate the `TTranslatedSideEffect` instances, and
+ * also in `TranslatedCall.qll` to inject the actual side effect instructions.
+ */
+
+private import cpp
+private import semmle.code.cpp.ir.implementation.Opcode
+private import semmle.code.cpp.models.interfaces.SideEffect
+
+/**
+ * Holds if the specified call has a side effect that does not come from a `SideEffectFunction`
+ * model.
+ */
+private predicate hasDefaultSideEffect(Call call, ParameterIndex i, boolean buffer, boolean isWrite) {
+  not call.getTarget() instanceof SideEffectFunction and
+  (
+    exists(MemberFunction mfunc |
+      // A non-static member function, including a constructor or destructor, may write to `*this`,
+      // and may also read from `*this` if it is not a constructor.
+      i = -1 and
+      mfunc = call.getTarget() and
+      not mfunc.isStatic() and
+      buffer = false and
+      (
+        isWrite = false and not mfunc instanceof Constructor
+        or
+        isWrite = true and not mfunc instanceof ConstMemberFunction
+      )
+    )
+    or
+    exists(Expr expr |
+      // A pointer-like argument is assumed to read from the pointed-to buffer, and may write to the
+      // buffer as well unless the pointer points to a `const` value.
+      i >= 0 and
+      buffer = true and
+      expr = call.getArgument(i).getFullyConverted() and
+      exists(Type t | t = expr.getUnspecifiedType() |
+        t instanceof ArrayType or
+        t instanceof PointerType or
+        t instanceof ReferenceType
+      ) and
+      (
+        isWrite = true and
+        not call.getTarget().getParameter(i).getType().isDeeplyConstBelow()
+        or
+        isWrite = false
+      )
+    )
+  )
+}
+
+/**
+ * Returns a side effect opcode for parameter index `i` of the specified call.
+ *
+ * This predicate will return at most two results: one read side effect, and one write side effect.
+ */
+Opcode getASideEffectOpcode(Call call, ParameterIndex i) {
+  exists(boolean buffer |
+    (
+      call.getTarget().(SideEffectFunction).hasSpecificReadSideEffect(i, buffer)
+      or
+      not call.getTarget() instanceof SideEffectFunction and
+      hasDefaultSideEffect(call, i, buffer, false)
+    ) and
+    if exists(call.getTarget().(SideEffectFunction).getParameterSizeIndex(i))
+    then (
+      buffer = true and
+      result instanceof Opcode::SizedBufferReadSideEffect
+    ) else (
+      buffer = false and result instanceof Opcode::IndirectReadSideEffect
+      or
+      buffer = true and result instanceof Opcode::BufferReadSideEffect
+    )
+  )
+  or
+  exists(boolean buffer, boolean mustWrite |
+    (
+      call.getTarget().(SideEffectFunction).hasSpecificWriteSideEffect(i, buffer, mustWrite)
+      or
+      not call.getTarget() instanceof SideEffectFunction and
+      hasDefaultSideEffect(call, i, buffer, true) and
+      mustWrite = false
+    ) and
+    if exists(call.getTarget().(SideEffectFunction).getParameterSizeIndex(i))
+    then (
+      buffer = true and
+      mustWrite = false and
+      result instanceof Opcode::SizedBufferMayWriteSideEffect
+      or
+      buffer = true and
+      mustWrite = true and
+      result instanceof Opcode::SizedBufferMustWriteSideEffect
+    ) else (
+      buffer = false and
+      mustWrite = false and
+      result instanceof Opcode::IndirectMayWriteSideEffect
+      or
+      buffer = false and
+      mustWrite = true and
+      result instanceof Opcode::IndirectMustWriteSideEffect
+      or
+      buffer = true and mustWrite = false and result instanceof Opcode::BufferMayWriteSideEffect
+      or
+      buffer = true and mustWrite = true and result instanceof Opcode::BufferMustWriteSideEffect
+    )
+  )
+}
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
index 7ad1dd2c01e..0b52937f1cb 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
@@ -4,6 +4,7 @@ private import semmle.code.cpp.ir.implementation.internal.OperandTag
 private import semmle.code.cpp.ir.internal.CppType
 private import semmle.code.cpp.models.interfaces.SideEffect
 private import InstructionTag
+private import SideEffects
 private import TranslatedElement
 private import TranslatedExpr
 private import TranslatedFunction
@@ -424,12 +425,15 @@ class TranslatedCallSideEffects extends TranslatedSideEffects, TTranslatedCallSi
 }
 
 class TranslatedStructorCallSideEffects extends TranslatedCallSideEffects {
-  TranslatedStructorCallSideEffects() { getParent().(TranslatedStructorCall).hasQualifier() }
+  TranslatedStructorCallSideEffects() {
+    getParent().(TranslatedStructorCall).hasQualifier() and
+    getASideEffectOpcode(expr, -1) instanceof WriteSideEffectOpcode
+  }
 
   override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType t) {
-    opcode instanceof Opcode::IndirectMayWriteSideEffect and
     tag instanceof OnlyInstructionTag and
-    t = getTypeForPRValue(expr.getTarget().getDeclaringType())
+    t = getTypeForPRValue(expr.getTarget().getDeclaringType()) and
+    opcode = getASideEffectOpcode(expr, -1).(WriteSideEffectOpcode)
   }
 
   override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
@@ -460,9 +464,11 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff
   Call call;
   Expr arg;
   int index;
-  boolean write;
+  SideEffectOpcode sideEffectOpcode;
 
-  TranslatedSideEffect() { this = TTranslatedArgumentSideEffect(call, arg, index, write) }
+  TranslatedSideEffect() {
+    this = TTranslatedArgumentSideEffect(call, arg, index, sideEffectOpcode)
+  }
 
   override Locatable getAST() { result = arg }
 
@@ -472,13 +478,13 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff
 
   int getArgumentIndex() { result = index }
 
-  predicate isWrite() { write = true }
+  predicate isWrite() { sideEffectOpcode instanceof WriteSideEffectOpcode }
 
   override string toString() {
-    write = true and
+    isWrite() and
     result = "(write side effect for " + arg.toString() + ")"
     or
-    write = false and
+    not isWrite() and
     result = "(read side effect for " + arg.toString() + ")"
   }
 
@@ -489,29 +495,31 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff
   override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) }
 
   override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType type) {
-    isWrite() and
-    hasSpecificWriteSideEffect(opcode) and
-    tag = OnlyInstructionTag() and
     (
-      opcode instanceof BufferAccessOpcode and
-      type = getUnknownType()
-      or
-      not opcode instanceof BufferAccessOpcode and
-      exists(Type baseType | baseType = arg.getUnspecifiedType().(DerivedType).getBaseType() |
-        if baseType instanceof VoidType
-        then type = getUnknownType()
-        else type = getTypeForPRValueOrUnknown(baseType)
+      tag = OnlyInstructionTag() and
+      opcode = sideEffectOpcode
+    ) and
+    (
+      isWrite() and
+      (
+        opcode instanceof BufferAccessOpcode and
+        type = getUnknownType()
+        or
+        not opcode instanceof BufferAccessOpcode and
+        exists(Type baseType | baseType = arg.getUnspecifiedType().(DerivedType).getBaseType() |
+          if baseType instanceof VoidType
+          then type = getUnknownType()
+          else type = getTypeForPRValueOrUnknown(baseType)
+        )
+        or
+        index = -1 and
+        not arg.getUnspecifiedType() instanceof DerivedType and
+        type = getTypeForPRValueOrUnknown(arg.getUnspecifiedType())
       )
       or
-      index = -1 and
-      not arg.getUnspecifiedType() instanceof DerivedType and
-      type = getTypeForPRValueOrUnknown(arg.getUnspecifiedType())
+      not isWrite() and
+      type = getVoidType()
     )
-    or
-    not isWrite() and
-    hasSpecificReadSideEffect(opcode) and
-    tag = OnlyInstructionTag() and
-    type = getVoidType()
   }
 
   override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
@@ -535,7 +543,7 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff
 
   override CppType getInstructionMemoryOperandType(InstructionTag tag, TypedOperandTag operandTag) {
     not isWrite() and
-    if hasSpecificReadSideEffect(any(BufferAccessOpcode op))
+    if sideEffectOpcode instanceof BufferAccessOpcode
     then
       result = getUnknownType() and
       tag instanceof OnlyInstructionTag and
@@ -557,56 +565,6 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff
       )
   }
 
-  predicate hasSpecificWriteSideEffect(Opcode op) {
-    exists(boolean buffer, boolean mustWrite |
-      if exists(call.getTarget().(SideEffectFunction).getParameterSizeIndex(index))
-      then
-        call.getTarget().(SideEffectFunction).hasSpecificWriteSideEffect(index, true, mustWrite) and
-        buffer = true and
-        (
-          mustWrite = false and op instanceof Opcode::SizedBufferMayWriteSideEffect
-          or
-          mustWrite = true and op instanceof Opcode::SizedBufferMustWriteSideEffect
-        )
-      else (
-        call.getTarget().(SideEffectFunction).hasSpecificWriteSideEffect(index, buffer, mustWrite) and
-        (
-          buffer = true and mustWrite = false and op instanceof Opcode::BufferMayWriteSideEffect
-          or
-          buffer = false and mustWrite = false and op instanceof Opcode::IndirectMayWriteSideEffect
-          or
-          buffer = true and mustWrite = true and op instanceof Opcode::BufferMustWriteSideEffect
-          or
-          buffer = false and mustWrite = true and op instanceof Opcode::IndirectMustWriteSideEffect
-        )
-      )
-    )
-    or
-    not call.getTarget() instanceof SideEffectFunction and
-    getArgumentIndex() != -1 and
-    op instanceof Opcode::BufferMayWriteSideEffect
-    or
-    not call.getTarget() instanceof SideEffectFunction and
-    getArgumentIndex() = -1 and
-    op instanceof Opcode::IndirectMayWriteSideEffect
-  }
-
-  predicate hasSpecificReadSideEffect(Opcode op) {
-    exists(boolean buffer |
-      call.getTarget().(SideEffectFunction).hasSpecificReadSideEffect(index, buffer) and
-      if exists(call.getTarget().(SideEffectFunction).getParameterSizeIndex(index))
-      then buffer = true and op instanceof Opcode::SizedBufferReadSideEffect
-      else (
-        buffer = true and op instanceof Opcode::BufferReadSideEffect
-        or
-        buffer = false and op instanceof Opcode::IndirectReadSideEffect
-      )
-    )
-    or
-    not call.getTarget() instanceof SideEffectFunction and
-    op instanceof Opcode::BufferReadSideEffect
-  }
-
   override Instruction getPrimaryInstructionForSideEffect(InstructionTag tag) {
     tag = OnlyInstructionTag() and
     result = getTranslatedCallInstruction(call)
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
index 1de9936ae1f..eca659914b0 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -12,6 +12,7 @@ private import TranslatedStmt
 private import TranslatedExpr
 private import IRConstruction
 private import semmle.code.cpp.models.interfaces.SideEffect
+private import SideEffects
 
 /**
  * Gets the "real" parent of `expr`. This predicate treats conversions as if
@@ -635,46 +636,15 @@ newtype TTranslatedElement =
   // The side effects of an allocation, i.e. `new`, `new[]` or `malloc`
   TTranslatedAllocationSideEffects(AllocationExpr expr) { not ignoreExpr(expr) } or
   // A precise side effect of an argument to a `Call`
-  TTranslatedArgumentSideEffect(Call call, Expr expr, int n, boolean isWrite) {
-    (
-      expr = call.getArgument(n).getFullyConverted()
-      or
-      expr = call.getQualifier().getFullyConverted() and
-      n = -1 and
-      // Exclude calls to static member functions. They don't modify the qualifier
-      not exists(MemberFunction func | func = call.getTarget() and func.isStatic())
-    ) and
-    (
-      call.getTarget().(SideEffectFunction).hasSpecificReadSideEffect(n, _) and
-      isWrite = false
-      or
-      call.getTarget().(SideEffectFunction).hasSpecificWriteSideEffect(n, _, _) and
-      isWrite = true
-      or
-      not call.getTarget() instanceof SideEffectFunction and
-      exists(Type t | t = expr.getUnspecifiedType() |
-        t instanceof ArrayType or
-        t instanceof PointerType or
-        t instanceof ReferenceType
-      ) and
-      (
-        isWrite = true and
-        not call.getTarget().getParameter(n).getType().isDeeplyConstBelow()
-        or
-        isWrite = false
-      )
-      or
-      not call.getTarget() instanceof SideEffectFunction and
-      n = -1 and
-      (
-        isWrite = true and
-        not call.getTarget() instanceof ConstMemberFunction
-        or
-        isWrite = false
-      )
-    ) and
+  TTranslatedArgumentSideEffect(Call call, Expr expr, int n, SideEffectOpcode opcode) {
     not ignoreExpr(expr) and
-    not ignoreExpr(call)
+    not ignoreExpr(call) and
+    (
+      n >= 0 and expr = call.getArgument(n).getFullyConverted()
+      or
+      n = -1 and expr = call.getQualifier().getFullyConverted()
+    ) and
+    opcode = getASideEffectOpcode(call, n)
   }
 
 /**
diff --git a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
index a7dac56cc96..e008e2de659 100644
--- a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
@@ -42,7 +42,7 @@ bad_asts.cpp:
 #   16|     r16_3(int)            = Constant[1]                     : 
 #   16|     r16_4(int)            = Call[MemberFunction]            : func:r16_2, this:r16_1, 0:r16_3
 #   16|     mu16_5(unknown)       = ^CallSideEffect                 : ~m?
-#   16|     v16_6(void)           = ^BufferReadSideEffect[-1]       : &:r16_1, ~m?
+#   16|     v16_6(void)           = ^IndirectReadSideEffect[-1]     : &:r16_1, ~m?
 #   16|     mu16_7(S)             = ^IndirectMayWriteSideEffect[-1] : &:r16_1
 #   17|     v17_1(void)           = NoOp                            : 
 #   14|     v14_4(void)           = ReturnVoid                      : 
@@ -3385,47 +3385,46 @@ ir.cpp:
 
 #  622| void CallMethods(String&, String*, String)
 #  622|   Block 0
-#  622|     v622_1(void)            = EnterFunction                   : 
-#  622|     mu622_2(unknown)        = AliasedDefinition               : 
-#  622|     mu622_3(unknown)        = InitializeNonLocal              : 
-#  622|     r622_4(glval<String &>) = VariableAddress[r]              : 
-#  622|     mu622_5(String &)       = InitializeParameter[r]          : &:r622_4
-#  622|     r622_6(String &)        = Load[r]                         : &:r622_4, ~m?
-#  622|     mu622_7(unknown)        = InitializeIndirection[r]        : &:r622_6
-#  622|     r622_8(glval<String *>) = VariableAddress[p]              : 
-#  622|     mu622_9(String *)       = InitializeParameter[p]          : &:r622_8
-#  622|     r622_10(String *)       = Load[p]                         : &:r622_8, ~m?
-#  622|     mu622_11(unknown)       = InitializeIndirection[p]        : &:r622_10
-#  622|     r622_12(glval<String>)  = VariableAddress[s]              : 
-#  622|     mu622_13(String)        = InitializeParameter[s]          : &:r622_12
-#  623|     r623_1(glval<String &>) = VariableAddress[r]              : 
-#  623|     r623_2(String &)        = Load[r]                         : &:r623_1, ~m?
-#  623|     r623_3(glval<String>)   = CopyValue                       : r623_2
-#  623|     r623_4(glval<String>)   = Convert                         : r623_3
-#  623|     r623_5(glval<unknown>)  = FunctionAddress[c_str]          : 
-#  623|     r623_6(char *)          = Call[c_str]                     : func:r623_5, this:r623_4
-#  623|     mu623_7(unknown)        = ^CallSideEffect                 : ~m?
-#  623|     v623_8(void)            = ^BufferReadSideEffect[-1]       : &:r623_4, ~m?
-#  624|     r624_1(glval<String *>) = VariableAddress[p]              : 
-#  624|     r624_2(String *)        = Load[p]                         : &:r624_1, ~m?
-#  624|     r624_3(String *)        = Convert                         : r624_2
-#  624|     r624_4(glval<unknown>)  = FunctionAddress[c_str]          : 
-#  624|     r624_5(char *)          = Call[c_str]                     : func:r624_4, this:r624_3
-#  624|     mu624_6(unknown)        = ^CallSideEffect                 : ~m?
-#  624|     v624_7(void)            = ^BufferReadSideEffect[-1]       : &:r624_3, ~m?
-#  624|     mu624_8(String)         = ^IndirectMayWriteSideEffect[-1] : &:r624_3
-#  625|     r625_1(glval<String>)   = VariableAddress[s]              : 
-#  625|     r625_2(glval<String>)   = Convert                         : r625_1
-#  625|     r625_3(glval<unknown>)  = FunctionAddress[c_str]          : 
-#  625|     r625_4(char *)          = Call[c_str]                     : func:r625_3, this:r625_2
-#  625|     mu625_5(unknown)        = ^CallSideEffect                 : ~m?
-#  625|     v625_6(void)            = ^BufferReadSideEffect[-1]       : &:r625_2, ~m?
-#  626|     v626_1(void)            = NoOp                            : 
-#  622|     v622_14(void)           = ReturnIndirection[r]            : &:r622_6, ~m?
-#  622|     v622_15(void)           = ReturnIndirection[p]            : &:r622_10, ~m?
-#  622|     v622_16(void)           = ReturnVoid                      : 
-#  622|     v622_17(void)           = AliasedUse                      : ~m?
-#  622|     v622_18(void)           = ExitFunction                    : 
+#  622|     v622_1(void)            = EnterFunction               : 
+#  622|     mu622_2(unknown)        = AliasedDefinition           : 
+#  622|     mu622_3(unknown)        = InitializeNonLocal          : 
+#  622|     r622_4(glval<String &>) = VariableAddress[r]          : 
+#  622|     mu622_5(String &)       = InitializeParameter[r]      : &:r622_4
+#  622|     r622_6(String &)        = Load[r]                     : &:r622_4, ~m?
+#  622|     mu622_7(unknown)        = InitializeIndirection[r]    : &:r622_6
+#  622|     r622_8(glval<String *>) = VariableAddress[p]          : 
+#  622|     mu622_9(String *)       = InitializeParameter[p]      : &:r622_8
+#  622|     r622_10(String *)       = Load[p]                     : &:r622_8, ~m?
+#  622|     mu622_11(unknown)       = InitializeIndirection[p]    : &:r622_10
+#  622|     r622_12(glval<String>)  = VariableAddress[s]          : 
+#  622|     mu622_13(String)        = InitializeParameter[s]      : &:r622_12
+#  623|     r623_1(glval<String &>) = VariableAddress[r]          : 
+#  623|     r623_2(String &)        = Load[r]                     : &:r623_1, ~m?
+#  623|     r623_3(glval<String>)   = CopyValue                   : r623_2
+#  623|     r623_4(glval<String>)   = Convert                     : r623_3
+#  623|     r623_5(glval<unknown>)  = FunctionAddress[c_str]      : 
+#  623|     r623_6(char *)          = Call[c_str]                 : func:r623_5, this:r623_4
+#  623|     mu623_7(unknown)        = ^CallSideEffect             : ~m?
+#  623|     v623_8(void)            = ^IndirectReadSideEffect[-1] : &:r623_4, ~m?
+#  624|     r624_1(glval<String *>) = VariableAddress[p]          : 
+#  624|     r624_2(String *)        = Load[p]                     : &:r624_1, ~m?
+#  624|     r624_3(String *)        = Convert                     : r624_2
+#  624|     r624_4(glval<unknown>)  = FunctionAddress[c_str]      : 
+#  624|     r624_5(char *)          = Call[c_str]                 : func:r624_4, this:r624_3
+#  624|     mu624_6(unknown)        = ^CallSideEffect             : ~m?
+#  624|     v624_7(void)            = ^IndirectReadSideEffect[-1] : &:r624_3, ~m?
+#  625|     r625_1(glval<String>)   = VariableAddress[s]          : 
+#  625|     r625_2(glval<String>)   = Convert                     : r625_1
+#  625|     r625_3(glval<unknown>)  = FunctionAddress[c_str]      : 
+#  625|     r625_4(char *)          = Call[c_str]                 : func:r625_3, this:r625_2
+#  625|     mu625_5(unknown)        = ^CallSideEffect             : ~m?
+#  625|     v625_6(void)            = ^IndirectReadSideEffect[-1] : &:r625_2, ~m?
+#  626|     v626_1(void)            = NoOp                        : 
+#  622|     v622_14(void)           = ReturnIndirection[r]        : &:r622_6, ~m?
+#  622|     v622_15(void)           = ReturnIndirection[p]        : &:r622_10, ~m?
+#  622|     v622_16(void)           = ReturnVoid                  : 
+#  622|     v622_17(void)           = AliasedUse                  : ~m?
+#  622|     v622_18(void)           = ExitFunction                : 
 
 #  628| void C::~C()
 #  628|   Block 0
@@ -3575,7 +3574,7 @@ ir.cpp:
 #  653|     r653_4(int)            = Constant[0]                             : 
 #  653|     r653_5(int)            = Call[InstanceMemberFunction]            : func:r653_3, this:r653_2, 0:r653_4
 #  653|     mu653_6(unknown)       = ^CallSideEffect                         : ~m?
-#  653|     v653_7(void)           = ^BufferReadSideEffect[-1]               : &:r653_2, ~m?
+#  653|     v653_7(void)           = ^IndirectReadSideEffect[-1]             : &:r653_2, ~m?
 #  653|     mu653_8(C)             = ^IndirectMayWriteSideEffect[-1]         : &:r653_2
 #  654|     r654_1(glval<unknown>) = VariableAddress[#this]                  : 
 #  654|     r654_2(C *)            = Load[#this]                             : &:r654_1, ~m?
@@ -3584,7 +3583,7 @@ ir.cpp:
 #  654|     r654_5(int)            = Constant[1]                             : 
 #  654|     r654_6(int)            = Call[InstanceMemberFunction]            : func:r654_4, this:r654_3, 0:r654_5
 #  654|     mu654_7(unknown)       = ^CallSideEffect                         : ~m?
-#  654|     v654_8(void)           = ^BufferReadSideEffect[-1]               : &:r654_3, ~m?
+#  654|     v654_8(void)           = ^IndirectReadSideEffect[-1]             : &:r654_3, ~m?
 #  654|     mu654_9(C)             = ^IndirectMayWriteSideEffect[-1]         : &:r654_3
 #  655|     r655_1(glval<unknown>) = VariableAddress[#this]                  : 
 #  655|     r655_2(C *)            = Load[#this]                             : &:r655_1, ~m?
@@ -3592,7 +3591,7 @@ ir.cpp:
 #  655|     r655_4(int)            = Constant[2]                             : 
 #  655|     r655_5(int)            = Call[InstanceMemberFunction]            : func:r655_3, this:r655_2, 0:r655_4
 #  655|     mu655_6(unknown)       = ^CallSideEffect                         : ~m?
-#  655|     v655_7(void)           = ^BufferReadSideEffect[-1]               : &:r655_2, ~m?
+#  655|     v655_7(void)           = ^IndirectReadSideEffect[-1]             : &:r655_2, ~m?
 #  655|     mu655_8(C)             = ^IndirectMayWriteSideEffect[-1]         : &:r655_2
 #  656|     v656_1(void)           = NoOp                                    : 
 #  652|     v652_8(void)           = ReturnIndirection[#this]                : &:r652_6, ~m?
@@ -4006,7 +4005,7 @@ ir.cpp:
 #-----|     r0_6(String &)          = CopyValue                                    : r745_15
 #  745|     r745_16(String &)       = Call[operator=]                              : func:r745_12, this:r745_11, 0:r0_6
 #  745|     mu745_17(unknown)       = ^CallSideEffect                              : ~m?
-#  745|     v745_18(void)           = ^BufferReadSideEffect[-1]                    : &:r745_11, ~m?
+#  745|     v745_18(void)           = ^IndirectReadSideEffect[-1]                  : &:r745_11, ~m?
 #-----|     v0_7(void)              = ^BufferReadSideEffect[0]                     : &:r0_6, ~m?
 #  745|     mu745_19(String)        = ^IndirectMayWriteSideEffect[-1]              : &:r745_11
 #-----|     r0_8(glval<String>)     = CopyValue                                    : r745_16
@@ -4113,7 +4112,7 @@ ir.cpp:
 #-----|     r0_8(Base &)             = CopyValue                                    : r754_14
 #  754|     r754_15(Base &)          = Call[operator=]                              : func:r754_10, this:r0_5, 0:r0_8
 #  754|     mu754_16(unknown)        = ^CallSideEffect                              : ~m?
-#-----|     v0_9(void)               = ^BufferReadSideEffect[-1]                    : &:r0_5, ~m?
+#-----|     v0_9(void)               = ^IndirectReadSideEffect[-1]                  : &:r0_5, ~m?
 #-----|     v0_10(void)              = ^BufferReadSideEffect[0]                     : &:r0_8, ~m?
 #-----|     mu0_11(Base)             = ^IndirectMayWriteSideEffect[-1]              : &:r0_5
 #-----|     r0_12(glval<Base>)       = CopyValue                                    : r754_15
@@ -4129,7 +4128,7 @@ ir.cpp:
 #-----|     r0_14(String &)          = CopyValue                                    : r754_24
 #  754|     r754_25(String &)        = Call[operator=]                              : func:r754_21, this:r754_20, 0:r0_14
 #  754|     mu754_26(unknown)        = ^CallSideEffect                              : ~m?
-#  754|     v754_27(void)            = ^BufferReadSideEffect[-1]                    : &:r754_20, ~m?
+#  754|     v754_27(void)            = ^IndirectReadSideEffect[-1]                  : &:r754_20, ~m?
 #-----|     v0_15(void)              = ^BufferReadSideEffect[0]                     : &:r0_14, ~m?
 #  754|     mu754_28(String)         = ^IndirectMayWriteSideEffect[-1]              : &:r754_20
 #-----|     r0_16(glval<String>)     = CopyValue                                    : r754_25
@@ -4220,7 +4219,7 @@ ir.cpp:
 #-----|     r0_8(Middle &)            = CopyValue                                    : r763_14
 #  763|     r763_15(Middle &)         = Call[operator=]                              : func:r763_10, this:r0_5, 0:r0_8
 #  763|     mu763_16(unknown)         = ^CallSideEffect                              : ~m?
-#-----|     v0_9(void)                = ^BufferReadSideEffect[-1]                    : &:r0_5, ~m?
+#-----|     v0_9(void)                = ^IndirectReadSideEffect[-1]                  : &:r0_5, ~m?
 #-----|     v0_10(void)               = ^BufferReadSideEffect[0]                     : &:r0_8, ~m?
 #-----|     mu0_11(Middle)            = ^IndirectMayWriteSideEffect[-1]              : &:r0_5
 #-----|     r0_12(glval<Middle>)      = CopyValue                                    : r763_15
@@ -4236,7 +4235,7 @@ ir.cpp:
 #-----|     r0_14(String &)           = CopyValue                                    : r763_24
 #  763|     r763_25(String &)         = Call[operator=]                              : func:r763_21, this:r763_20, 0:r0_14
 #  763|     mu763_26(unknown)         = ^CallSideEffect                              : ~m?
-#  763|     v763_27(void)             = ^BufferReadSideEffect[-1]                    : &:r763_20, ~m?
+#  763|     v763_27(void)             = ^IndirectReadSideEffect[-1]                  : &:r763_20, ~m?
 #-----|     v0_15(void)               = ^BufferReadSideEffect[0]                     : &:r0_14, ~m?
 #  763|     mu763_28(String)          = ^IndirectMayWriteSideEffect[-1]              : &:r763_20
 #-----|     r0_16(glval<String>)      = CopyValue                                    : r763_25
@@ -4505,7 +4504,7 @@ ir.cpp:
 #  808|     r808_5(Base &)             = CopyValue                                 : r808_4
 #  808|     r808_6(Base &)             = Call[operator=]                           : func:r808_2, this:r808_1, 0:r808_5
 #  808|     mu808_7(unknown)           = ^CallSideEffect                           : ~m?
-#  808|     v808_8(void)               = ^BufferReadSideEffect[-1]                 : &:r808_1, ~m?
+#  808|     v808_8(void)               = ^IndirectReadSideEffect[-1]               : &:r808_1, ~m?
 #  808|     v808_9(void)               = ^BufferReadSideEffect[0]                  : &:r808_5, ~m?
 #  808|     mu808_10(Base)             = ^IndirectMayWriteSideEffect[-1]           : &:r808_1
 #  808|     r808_11(glval<Base>)       = CopyValue                                 : r808_6
@@ -4525,7 +4524,7 @@ ir.cpp:
 #  809|     r809_14(Base &)            = CopyValue                                 : r809_13
 #  809|     r809_15(Base &)            = Call[operator=]                           : func:r809_2, this:r809_1, 0:r809_14
 #  809|     mu809_16(unknown)          = ^CallSideEffect                           : ~m?
-#  809|     v809_17(void)              = ^BufferReadSideEffect[-1]                 : &:r809_1, ~m?
+#  809|     v809_17(void)              = ^IndirectReadSideEffect[-1]               : &:r809_1, ~m?
 #  809|     v809_18(void)              = ^BufferReadSideEffect[0]                  : &:r809_14, ~m?
 #  809|     mu809_19(Base)             = ^IndirectMayWriteSideEffect[-1]           : &:r809_1
 #  809|     r809_20(glval<Base>)       = CopyValue                                 : r809_15
@@ -4545,7 +4544,7 @@ ir.cpp:
 #  810|     r810_14(Base &)            = CopyValue                                 : r810_13
 #  810|     r810_15(Base &)            = Call[operator=]                           : func:r810_2, this:r810_1, 0:r810_14
 #  810|     mu810_16(unknown)          = ^CallSideEffect                           : ~m?
-#  810|     v810_17(void)              = ^BufferReadSideEffect[-1]                 : &:r810_1, ~m?
+#  810|     v810_17(void)              = ^IndirectReadSideEffect[-1]               : &:r810_1, ~m?
 #  810|     v810_18(void)              = ^BufferReadSideEffect[0]                  : &:r810_14, ~m?
 #  810|     mu810_19(Base)             = ^IndirectMayWriteSideEffect[-1]           : &:r810_1
 #  810|     r810_20(glval<Base>)       = CopyValue                                 : r810_15
@@ -4577,7 +4576,7 @@ ir.cpp:
 #  816|     r816_6(Middle &)           = CopyValue                                 : r816_5
 #  816|     r816_7(Middle &)           = Call[operator=]                           : func:r816_2, this:r816_1, 0:r816_6
 #  816|     mu816_8(unknown)           = ^CallSideEffect                           : ~m?
-#  816|     v816_9(void)               = ^BufferReadSideEffect[-1]                 : &:r816_1, ~m?
+#  816|     v816_9(void)               = ^IndirectReadSideEffect[-1]               : &:r816_1, ~m?
 #  816|     v816_10(void)              = ^BufferReadSideEffect[0]                  : &:r816_6, ~m?
 #  816|     mu816_11(Middle)           = ^IndirectMayWriteSideEffect[-1]           : &:r816_1
 #  816|     r816_12(glval<Middle>)     = CopyValue                                 : r816_7
@@ -4589,7 +4588,7 @@ ir.cpp:
 #  817|     r817_6(Middle &)           = CopyValue                                 : r817_5
 #  817|     r817_7(Middle &)           = Call[operator=]                           : func:r817_2, this:r817_1, 0:r817_6
 #  817|     mu817_8(unknown)           = ^CallSideEffect                           : ~m?
-#  817|     v817_9(void)               = ^BufferReadSideEffect[-1]                 : &:r817_1, ~m?
+#  817|     v817_9(void)               = ^IndirectReadSideEffect[-1]               : &:r817_1, ~m?
 #  817|     v817_10(void)              = ^BufferReadSideEffect[0]                  : &:r817_6, ~m?
 #  817|     mu817_11(Middle)           = ^IndirectMayWriteSideEffect[-1]           : &:r817_1
 #  817|     r817_12(glval<Middle>)     = CopyValue                                 : r817_7
@@ -4616,7 +4615,7 @@ ir.cpp:
 #  822|     r822_6(Base &)             = CopyValue                                 : r822_5
 #  822|     r822_7(Base &)             = Call[operator=]                           : func:r822_2, this:r822_1, 0:r822_6
 #  822|     mu822_8(unknown)           = ^CallSideEffect                           : ~m?
-#  822|     v822_9(void)               = ^BufferReadSideEffect[-1]                 : &:r822_1, ~m?
+#  822|     v822_9(void)               = ^IndirectReadSideEffect[-1]               : &:r822_1, ~m?
 #  822|     v822_10(void)              = ^BufferReadSideEffect[0]                  : &:r822_6, ~m?
 #  822|     mu822_11(Base)             = ^IndirectMayWriteSideEffect[-1]           : &:r822_1
 #  822|     r822_12(glval<Base>)       = CopyValue                                 : r822_7
@@ -4637,7 +4636,7 @@ ir.cpp:
 #  823|     r823_15(Base &)            = CopyValue                                 : r823_14
 #  823|     r823_16(Base &)            = Call[operator=]                           : func:r823_2, this:r823_1, 0:r823_15
 #  823|     mu823_17(unknown)          = ^CallSideEffect                           : ~m?
-#  823|     v823_18(void)              = ^BufferReadSideEffect[-1]                 : &:r823_1, ~m?
+#  823|     v823_18(void)              = ^IndirectReadSideEffect[-1]               : &:r823_1, ~m?
 #  823|     v823_19(void)              = ^BufferReadSideEffect[0]                  : &:r823_15, ~m?
 #  823|     mu823_20(Base)             = ^IndirectMayWriteSideEffect[-1]           : &:r823_1
 #  823|     r823_21(glval<Base>)       = CopyValue                                 : r823_16
@@ -4658,7 +4657,7 @@ ir.cpp:
 #  824|     r824_15(Base &)            = CopyValue                                 : r824_14
 #  824|     r824_16(Base &)            = Call[operator=]                           : func:r824_2, this:r824_1, 0:r824_15
 #  824|     mu824_17(unknown)          = ^CallSideEffect                           : ~m?
-#  824|     v824_18(void)              = ^BufferReadSideEffect[-1]                 : &:r824_1, ~m?
+#  824|     v824_18(void)              = ^IndirectReadSideEffect[-1]               : &:r824_1, ~m?
 #  824|     v824_19(void)              = ^BufferReadSideEffect[0]                  : &:r824_15, ~m?
 #  824|     mu824_20(Base)             = ^IndirectMayWriteSideEffect[-1]           : &:r824_1
 #  824|     r824_21(glval<Base>)       = CopyValue                                 : r824_16
@@ -4694,7 +4693,7 @@ ir.cpp:
 #  830|     r830_7(Derived &)          = CopyValue                                 : r830_6
 #  830|     r830_8(Derived &)          = Call[operator=]                           : func:r830_2, this:r830_1, 0:r830_7
 #  830|     mu830_9(unknown)           = ^CallSideEffect                           : ~m?
-#  830|     v830_10(void)              = ^BufferReadSideEffect[-1]                 : &:r830_1, ~m?
+#  830|     v830_10(void)              = ^IndirectReadSideEffect[-1]               : &:r830_1, ~m?
 #  830|     v830_11(void)              = ^BufferReadSideEffect[0]                  : &:r830_7, ~m?
 #  830|     mu830_12(Derived)          = ^IndirectMayWriteSideEffect[-1]           : &:r830_1
 #  830|     r830_13(glval<Derived>)    = CopyValue                                 : r830_8
@@ -4707,7 +4706,7 @@ ir.cpp:
 #  831|     r831_7(Derived &)          = CopyValue                                 : r831_6
 #  831|     r831_8(Derived &)          = Call[operator=]                           : func:r831_2, this:r831_1, 0:r831_7
 #  831|     mu831_9(unknown)           = ^CallSideEffect                           : ~m?
-#  831|     v831_10(void)              = ^BufferReadSideEffect[-1]                 : &:r831_1, ~m?
+#  831|     v831_10(void)              = ^IndirectReadSideEffect[-1]               : &:r831_1, ~m?
 #  831|     v831_11(void)              = ^BufferReadSideEffect[0]                  : &:r831_7, ~m?
 #  831|     mu831_12(Derived)          = ^IndirectMayWriteSideEffect[-1]           : &:r831_1
 #  831|     r831_13(glval<Derived>)    = CopyValue                                 : r831_8
@@ -5688,7 +5687,7 @@ ir.cpp:
 # 1044|     r1044_4(float)                            = Constant[1.0]                          : 
 # 1044|     r1044_5(char)                             = Call[operator()]                       : func:r1044_3, this:r1044_2, 0:r1044_4
 # 1044|     mu1044_6(unknown)                         = ^CallSideEffect                        : ~m?
-# 1044|     v1044_7(void)                             = ^BufferReadSideEffect[-1]              : &:r1044_2, ~m?
+# 1044|     v1044_7(void)                             = ^IndirectReadSideEffect[-1]            : &:r1044_2, ~m?
 # 1045|     r1045_1(glval<decltype([...](...){...})>) = VariableAddress[lambda_val]            : 
 # 1045|     r1045_2(glval<decltype([...](...){...})>) = VariableAddress[#temp1045:20]          : 
 # 1045|     mu1045_3(decltype([...](...){...}))       = Uninitialized[#temp1045:20]            : &:r1045_2
@@ -5709,7 +5708,7 @@ ir.cpp:
 # 1046|     r1046_4(float)                            = Constant[2.0]                          : 
 # 1046|     r1046_5(char)                             = Call[operator()]                       : func:r1046_3, this:r1046_2, 0:r1046_4
 # 1046|     mu1046_6(unknown)                         = ^CallSideEffect                        : ~m?
-# 1046|     v1046_7(void)                             = ^BufferReadSideEffect[-1]              : &:r1046_2, ~m?
+# 1046|     v1046_7(void)                             = ^IndirectReadSideEffect[-1]            : &:r1046_2, ~m?
 # 1047|     r1047_1(glval<decltype([...](...){...})>) = VariableAddress[lambda_ref_explicit]   : 
 # 1047|     r1047_2(glval<decltype([...](...){...})>) = VariableAddress[#temp1047:29]          : 
 # 1047|     mu1047_3(decltype([...](...){...}))       = Uninitialized[#temp1047:29]            : &:r1047_2
@@ -5727,7 +5726,7 @@ ir.cpp:
 # 1048|     r1048_4(float)                            = Constant[3.0]                          : 
 # 1048|     r1048_5(char)                             = Call[operator()]                       : func:r1048_3, this:r1048_2, 0:r1048_4
 # 1048|     mu1048_6(unknown)                         = ^CallSideEffect                        : ~m?
-# 1048|     v1048_7(void)                             = ^BufferReadSideEffect[-1]              : &:r1048_2, ~m?
+# 1048|     v1048_7(void)                             = ^IndirectReadSideEffect[-1]            : &:r1048_2, ~m?
 # 1049|     r1049_1(glval<decltype([...](...){...})>) = VariableAddress[lambda_val_explicit]   : 
 # 1049|     r1049_2(glval<decltype([...](...){...})>) = VariableAddress[#temp1049:29]          : 
 # 1049|     mu1049_3(decltype([...](...){...}))       = Uninitialized[#temp1049:29]            : &:r1049_2
@@ -5744,7 +5743,7 @@ ir.cpp:
 # 1050|     r1050_4(float)                            = Constant[4.0]                          : 
 # 1050|     r1050_5(char)                             = Call[operator()]                       : func:r1050_3, this:r1050_2, 0:r1050_4
 # 1050|     mu1050_6(unknown)                         = ^CallSideEffect                        : ~m?
-# 1050|     v1050_7(void)                             = ^BufferReadSideEffect[-1]              : &:r1050_2, ~m?
+# 1050|     v1050_7(void)                             = ^IndirectReadSideEffect[-1]            : &:r1050_2, ~m?
 # 1051|     r1051_1(glval<decltype([...](...){...})>) = VariableAddress[lambda_mixed_explicit] : 
 # 1051|     r1051_2(glval<decltype([...](...){...})>) = VariableAddress[#temp1051:31]          : 
 # 1051|     mu1051_3(decltype([...](...){...}))       = Uninitialized[#temp1051:31]            : &:r1051_2
@@ -5766,7 +5765,7 @@ ir.cpp:
 # 1052|     r1052_4(float)                            = Constant[5.0]                          : 
 # 1052|     r1052_5(char)                             = Call[operator()]                       : func:r1052_3, this:r1052_2, 0:r1052_4
 # 1052|     mu1052_6(unknown)                         = ^CallSideEffect                        : ~m?
-# 1052|     v1052_7(void)                             = ^BufferReadSideEffect[-1]              : &:r1052_2, ~m?
+# 1052|     v1052_7(void)                             = ^IndirectReadSideEffect[-1]            : &:r1052_2, ~m?
 # 1053|     r1053_1(glval<int>)                       = VariableAddress[r]                     : 
 # 1053|     r1053_2(glval<int>)                       = VariableAddress[x]                     : 
 # 1053|     r1053_3(int)                              = Load[x]                                : &:r1053_2, ~m?
@@ -5804,7 +5803,7 @@ ir.cpp:
 # 1055|     r1055_4(float)                            = Constant[6.0]                          : 
 # 1055|     r1055_5(char)                             = Call[operator()]                       : func:r1055_3, this:r1055_2, 0:r1055_4
 # 1055|     mu1055_6(unknown)                         = ^CallSideEffect                        : ~m?
-# 1055|     v1055_7(void)                             = ^BufferReadSideEffect[-1]              : &:r1055_2, ~m?
+# 1055|     v1055_7(void)                             = ^IndirectReadSideEffect[-1]            : &:r1055_2, ~m?
 # 1056|     v1056_1(void)                             = NoOp                                   : 
 # 1040|     v1040_10(void)                            = ReturnIndirection[s]                   : &:r1040_8, ~m?
 # 1040|     v1040_11(void)                            = ReturnVoid                             : 
@@ -5869,7 +5868,7 @@ ir.cpp:
 # 1043|     r1043_16(glval<unknown>)                         = FunctionAddress[c_str]       : 
 # 1043|     r1043_17(char *)                                 = Call[c_str]                  : func:r1043_16, this:r1043_15
 # 1043|     mu1043_18(unknown)                               = ^CallSideEffect              : ~m?
-# 1043|     v1043_19(void)                                   = ^BufferReadSideEffect[-1]    : &:r1043_15, ~m?
+# 1043|     v1043_19(void)                                   = ^IndirectReadSideEffect[-1]  : &:r1043_15, ~m?
 # 1043|     r1043_20(glval<unknown>)                         = VariableAddress[#this]       : 
 # 1043|     r1043_21(lambda [] type at line 1043, col. 21 *) = Load[#this]                  : &:r1043_20, ~m?
 # 1043|     r1043_22(glval<int &>)                           = FieldAddress[x]              : r1043_21
@@ -5921,7 +5920,7 @@ ir.cpp:
 # 1045|     r1045_14(glval<unknown>)                         = FunctionAddress[c_str]       : 
 # 1045|     r1045_15(char *)                                 = Call[c_str]                  : func:r1045_14, this:r1045_13
 # 1045|     mu1045_16(unknown)                               = ^CallSideEffect              : ~m?
-# 1045|     v1045_17(void)                                   = ^BufferReadSideEffect[-1]    : &:r1045_13, ~m?
+# 1045|     v1045_17(void)                                   = ^IndirectReadSideEffect[-1]  : &:r1045_13, ~m?
 # 1045|     r1045_18(glval<unknown>)                         = VariableAddress[#this]       : 
 # 1045|     r1045_19(lambda [] type at line 1045, col. 21 *) = Load[#this]                  : &:r1045_18, ~m?
 # 1045|     r1045_20(glval<int>)                             = FieldAddress[x]              : r1045_19
@@ -5955,7 +5954,7 @@ ir.cpp:
 # 1047|     r1047_16(glval<unknown>)                         = FunctionAddress[c_str]       : 
 # 1047|     r1047_17(char *)                                 = Call[c_str]                  : func:r1047_16, this:r1047_15
 # 1047|     mu1047_18(unknown)                               = ^CallSideEffect              : ~m?
-# 1047|     v1047_19(void)                                   = ^BufferReadSideEffect[-1]    : &:r1047_15, ~m?
+# 1047|     v1047_19(void)                                   = ^IndirectReadSideEffect[-1]  : &:r1047_15, ~m?
 # 1047|     r1047_20(int)                                    = Constant[0]                  : 
 # 1047|     r1047_21(glval<char>)                            = PointerAdd[1]                : r1047_17, r1047_20
 # 1047|     r1047_22(char)                                   = Load[?]                      : &:r1047_21, ~m?
@@ -6003,7 +6002,7 @@ ir.cpp:
 # 1049|     r1049_14(glval<unknown>)                         = FunctionAddress[c_str]       : 
 # 1049|     r1049_15(char *)                                 = Call[c_str]                  : func:r1049_14, this:r1049_13
 # 1049|     mu1049_16(unknown)                               = ^CallSideEffect              : ~m?
-# 1049|     v1049_17(void)                                   = ^BufferReadSideEffect[-1]    : &:r1049_13, ~m?
+# 1049|     v1049_17(void)                                   = ^IndirectReadSideEffect[-1]  : &:r1049_13, ~m?
 # 1049|     r1049_18(int)                                    = Constant[0]                  : 
 # 1049|     r1049_19(glval<char>)                            = PointerAdd[1]                : r1049_15, r1049_18
 # 1049|     r1049_20(char)                                   = Load[?]                      : &:r1049_19, ~m?
@@ -6034,7 +6033,7 @@ ir.cpp:
 # 1051|     r1051_16(glval<unknown>)                         = FunctionAddress[c_str]       : 
 # 1051|     r1051_17(char *)                                 = Call[c_str]                  : func:r1051_16, this:r1051_15
 # 1051|     mu1051_18(unknown)                               = ^CallSideEffect              : ~m?
-# 1051|     v1051_19(void)                                   = ^BufferReadSideEffect[-1]    : &:r1051_15, ~m?
+# 1051|     v1051_19(void)                                   = ^IndirectReadSideEffect[-1]  : &:r1051_15, ~m?
 # 1051|     r1051_20(glval<unknown>)                         = VariableAddress[#this]       : 
 # 1051|     r1051_21(lambda [] type at line 1051, col. 32 *) = Load[#this]                  : &:r1051_20, ~m?
 # 1051|     r1051_22(glval<int>)                             = FieldAddress[x]              : r1051_21
@@ -6068,7 +6067,7 @@ ir.cpp:
 # 1054|     r1054_16(glval<unknown>)                         = FunctionAddress[c_str]       : 
 # 1054|     r1054_17(char *)                                 = Call[c_str]                  : func:r1054_16, this:r1054_15
 # 1054|     mu1054_18(unknown)                               = ^CallSideEffect              : ~m?
-# 1054|     v1054_19(void)                                   = ^BufferReadSideEffect[-1]    : &:r1054_15, ~m?
+# 1054|     v1054_19(void)                                   = ^IndirectReadSideEffect[-1]  : &:r1054_15, ~m?
 # 1054|     r1054_20(glval<unknown>)                         = VariableAddress[#this]       : 
 # 1054|     r1054_21(lambda [] type at line 1054, col. 23 *) = Load[#this]                  : &:r1054_20, ~m?
 # 1054|     r1054_22(glval<int>)                             = FieldAddress[x]              : r1054_21
@@ -6095,37 +6094,37 @@ ir.cpp:
 
 # 1077| void RangeBasedFor(vector<int> const&)
 # 1077|   Block 0
-# 1077|     v1077_1(void)                  = EnterFunction              : 
-# 1077|     mu1077_2(unknown)              = AliasedDefinition          : 
-# 1077|     mu1077_3(unknown)              = InitializeNonLocal         : 
-# 1077|     r1077_4(glval<vector<int> &>)  = VariableAddress[v]         : 
-# 1077|     mu1077_5(vector<int> &)        = InitializeParameter[v]     : &:r1077_4
-# 1077|     r1077_6(vector<int> &)         = Load[v]                    : &:r1077_4, ~m?
-# 1077|     mu1077_7(unknown)              = InitializeIndirection[v]   : &:r1077_6
-# 1078|     r1078_1(glval<vector<int> &>)  = VariableAddress[(__range)] : 
-# 1078|     r1078_2(glval<vector<int> &>)  = VariableAddress[v]         : 
-# 1078|     r1078_3(vector<int> &)         = Load[v]                    : &:r1078_2, ~m?
-# 1078|     r1078_4(glval<vector<int>>)    = CopyValue                  : r1078_3
-# 1078|     r1078_5(vector<int> &)         = CopyValue                  : r1078_4
-# 1078|     mu1078_6(vector<int> &)        = Store[(__range)]           : &:r1078_1, r1078_5
-# 1078|     r1078_7(glval<iterator>)       = VariableAddress[(__begin)] : 
-# 1078|     r1078_8(glval<vector<int> &>)  = VariableAddress[(__range)] : 
-# 1078|     r1078_9(vector<int> &)         = Load[(__range)]            : &:r1078_8, ~m?
-#-----|     r0_1(glval<vector<int>>)       = CopyValue                  : r1078_9
-# 1078|     r1078_10(glval<unknown>)       = FunctionAddress[begin]     : 
-# 1078|     r1078_11(iterator)             = Call[begin]                : func:r1078_10, this:r0_1
-# 1078|     mu1078_12(unknown)             = ^CallSideEffect            : ~m?
-#-----|     v0_2(void)                     = ^BufferReadSideEffect[-1]  : &:r0_1, ~m?
-# 1078|     mu1078_13(iterator)            = Store[(__begin)]           : &:r1078_7, r1078_11
-# 1078|     r1078_14(glval<iterator>)      = VariableAddress[(__end)]   : 
-# 1078|     r1078_15(glval<vector<int> &>) = VariableAddress[(__range)] : 
-# 1078|     r1078_16(vector<int> &)        = Load[(__range)]            : &:r1078_15, ~m?
-#-----|     r0_3(glval<vector<int>>)       = CopyValue                  : r1078_16
-# 1078|     r1078_17(glval<unknown>)       = FunctionAddress[end]       : 
-# 1078|     r1078_18(iterator)             = Call[end]                  : func:r1078_17, this:r0_3
-# 1078|     mu1078_19(unknown)             = ^CallSideEffect            : ~m?
-#-----|     v0_4(void)                     = ^BufferReadSideEffect[-1]  : &:r0_3, ~m?
-# 1078|     mu1078_20(iterator)            = Store[(__end)]             : &:r1078_14, r1078_18
+# 1077|     v1077_1(void)                  = EnterFunction               : 
+# 1077|     mu1077_2(unknown)              = AliasedDefinition           : 
+# 1077|     mu1077_3(unknown)              = InitializeNonLocal          : 
+# 1077|     r1077_4(glval<vector<int> &>)  = VariableAddress[v]          : 
+# 1077|     mu1077_5(vector<int> &)        = InitializeParameter[v]      : &:r1077_4
+# 1077|     r1077_6(vector<int> &)         = Load[v]                     : &:r1077_4, ~m?
+# 1077|     mu1077_7(unknown)              = InitializeIndirection[v]    : &:r1077_6
+# 1078|     r1078_1(glval<vector<int> &>)  = VariableAddress[(__range)]  : 
+# 1078|     r1078_2(glval<vector<int> &>)  = VariableAddress[v]          : 
+# 1078|     r1078_3(vector<int> &)         = Load[v]                     : &:r1078_2, ~m?
+# 1078|     r1078_4(glval<vector<int>>)    = CopyValue                   : r1078_3
+# 1078|     r1078_5(vector<int> &)         = CopyValue                   : r1078_4
+# 1078|     mu1078_6(vector<int> &)        = Store[(__range)]            : &:r1078_1, r1078_5
+# 1078|     r1078_7(glval<iterator>)       = VariableAddress[(__begin)]  : 
+# 1078|     r1078_8(glval<vector<int> &>)  = VariableAddress[(__range)]  : 
+# 1078|     r1078_9(vector<int> &)         = Load[(__range)]             : &:r1078_8, ~m?
+#-----|     r0_1(glval<vector<int>>)       = CopyValue                   : r1078_9
+# 1078|     r1078_10(glval<unknown>)       = FunctionAddress[begin]      : 
+# 1078|     r1078_11(iterator)             = Call[begin]                 : func:r1078_10, this:r0_1
+# 1078|     mu1078_12(unknown)             = ^CallSideEffect             : ~m?
+#-----|     v0_2(void)                     = ^IndirectReadSideEffect[-1] : &:r0_1, ~m?
+# 1078|     mu1078_13(iterator)            = Store[(__begin)]            : &:r1078_7, r1078_11
+# 1078|     r1078_14(glval<iterator>)      = VariableAddress[(__end)]    : 
+# 1078|     r1078_15(glval<vector<int> &>) = VariableAddress[(__range)]  : 
+# 1078|     r1078_16(vector<int> &)        = Load[(__range)]             : &:r1078_15, ~m?
+#-----|     r0_3(glval<vector<int>>)       = CopyValue                   : r1078_16
+# 1078|     r1078_17(glval<unknown>)       = FunctionAddress[end]        : 
+# 1078|     r1078_18(iterator)             = Call[end]                   : func:r1078_17, this:r0_3
+# 1078|     mu1078_19(unknown)             = ^CallSideEffect             : ~m?
+#-----|     v0_4(void)                     = ^IndirectReadSideEffect[-1] : &:r0_3, ~m?
+# 1078|     mu1078_20(iterator)            = Store[(__end)]              : &:r1078_14, r1078_18
 #-----|   Goto -> Block 1
 
 # 1078|   Block 1
@@ -6136,26 +6135,26 @@ ir.cpp:
 # 1078|     r1078_24(iterator)        = Load[(__end)]               : &:r1078_23, ~m?
 # 1078|     r1078_25(bool)            = Call[operator!=]            : func:r1078_22, this:r0_5, 0:r1078_24
 # 1078|     mu1078_26(unknown)        = ^CallSideEffect             : ~m?
-#-----|     v0_6(void)                = ^BufferReadSideEffect[-1]   : &:r0_5, ~m?
+#-----|     v0_6(void)                = ^IndirectReadSideEffect[-1] : &:r0_5, ~m?
 # 1078|     v1078_27(void)            = ConditionalBranch           : r1078_25
 #-----|   False -> Block 5
 #-----|   True -> Block 2
 
 # 1078|   Block 2
-# 1078|     r1078_28(glval<int>)      = VariableAddress[e]         : 
-# 1078|     r1078_29(glval<iterator>) = VariableAddress[(__begin)] : 
-#-----|     r0_7(glval<iterator>)     = Convert                    : r1078_29
-# 1078|     r1078_30(glval<unknown>)  = FunctionAddress[operator*] : 
-# 1078|     r1078_31(int &)           = Call[operator*]            : func:r1078_30, this:r0_7
-# 1078|     mu1078_32(unknown)        = ^CallSideEffect            : ~m?
-#-----|     v0_8(void)                = ^BufferReadSideEffect[-1]  : &:r0_7, ~m?
-# 1078|     r1078_33(int)             = Load[?]                    : &:r1078_31, ~m?
-# 1078|     mu1078_34(int)            = Store[e]                   : &:r1078_28, r1078_33
-# 1079|     r1079_1(glval<int>)       = VariableAddress[e]         : 
-# 1079|     r1079_2(int)              = Load[e]                    : &:r1079_1, ~m?
-# 1079|     r1079_3(int)              = Constant[0]                : 
-# 1079|     r1079_4(bool)             = CompareGT                  : r1079_2, r1079_3
-# 1079|     v1079_5(void)             = ConditionalBranch          : r1079_4
+# 1078|     r1078_28(glval<int>)      = VariableAddress[e]          : 
+# 1078|     r1078_29(glval<iterator>) = VariableAddress[(__begin)]  : 
+#-----|     r0_7(glval<iterator>)     = Convert                     : r1078_29
+# 1078|     r1078_30(glval<unknown>)  = FunctionAddress[operator*]  : 
+# 1078|     r1078_31(int &)           = Call[operator*]             : func:r1078_30, this:r0_7
+# 1078|     mu1078_32(unknown)        = ^CallSideEffect             : ~m?
+#-----|     v0_8(void)                = ^IndirectReadSideEffect[-1] : &:r0_7, ~m?
+# 1078|     r1078_33(int)             = Load[?]                     : &:r1078_31, ~m?
+# 1078|     mu1078_34(int)            = Store[e]                    : &:r1078_28, r1078_33
+# 1079|     r1079_1(glval<int>)       = VariableAddress[e]          : 
+# 1079|     r1079_2(int)              = Load[e]                     : &:r1079_1, ~m?
+# 1079|     r1079_3(int)              = Constant[0]                 : 
+# 1079|     r1079_4(bool)             = CompareGT                   : r1079_2, r1079_3
+# 1079|     v1079_5(void)             = ConditionalBranch           : r1079_4
 #-----|   False -> Block 4
 #-----|   True -> Block 3
 
@@ -6169,36 +6168,36 @@ ir.cpp:
 # 1078|     r1078_37(glval<unknown>)  = FunctionAddress[operator++]     : 
 # 1078|     r1078_38(iterator &)      = Call[operator++]                : func:r1078_37, this:r1078_36
 # 1078|     mu1078_39(unknown)        = ^CallSideEffect                 : ~m?
-# 1078|     v1078_40(void)            = ^BufferReadSideEffect[-1]       : &:r1078_36, ~m?
+# 1078|     v1078_40(void)            = ^IndirectReadSideEffect[-1]     : &:r1078_36, ~m?
 # 1078|     mu1078_41(iterator)       = ^IndirectMayWriteSideEffect[-1] : &:r1078_36
 # 1078|     r1078_42(glval<iterator>) = CopyValue                       : r1078_38
 #-----|   Goto (back edge) -> Block 1
 
 # 1084|   Block 5
-# 1084|     r1084_1(glval<vector<int> &>)  = VariableAddress[(__range)] : 
-# 1084|     r1084_2(glval<vector<int> &>)  = VariableAddress[v]         : 
-# 1084|     r1084_3(vector<int> &)         = Load[v]                    : &:r1084_2, ~m?
-# 1084|     r1084_4(glval<vector<int>>)    = CopyValue                  : r1084_3
-# 1084|     r1084_5(vector<int> &)         = CopyValue                  : r1084_4
-# 1084|     mu1084_6(vector<int> &)        = Store[(__range)]           : &:r1084_1, r1084_5
-# 1084|     r1084_7(glval<iterator>)       = VariableAddress[(__begin)] : 
-# 1084|     r1084_8(glval<vector<int> &>)  = VariableAddress[(__range)] : 
-# 1084|     r1084_9(vector<int> &)         = Load[(__range)]            : &:r1084_8, ~m?
-#-----|     r0_9(glval<vector<int>>)       = CopyValue                  : r1084_9
-# 1084|     r1084_10(glval<unknown>)       = FunctionAddress[begin]     : 
-# 1084|     r1084_11(iterator)             = Call[begin]                : func:r1084_10, this:r0_9
-# 1084|     mu1084_12(unknown)             = ^CallSideEffect            : ~m?
-#-----|     v0_10(void)                    = ^BufferReadSideEffect[-1]  : &:r0_9, ~m?
-# 1084|     mu1084_13(iterator)            = Store[(__begin)]           : &:r1084_7, r1084_11
-# 1084|     r1084_14(glval<iterator>)      = VariableAddress[(__end)]   : 
-# 1084|     r1084_15(glval<vector<int> &>) = VariableAddress[(__range)] : 
-# 1084|     r1084_16(vector<int> &)        = Load[(__range)]            : &:r1084_15, ~m?
-#-----|     r0_11(glval<vector<int>>)      = CopyValue                  : r1084_16
-# 1084|     r1084_17(glval<unknown>)       = FunctionAddress[end]       : 
-# 1084|     r1084_18(iterator)             = Call[end]                  : func:r1084_17, this:r0_11
-# 1084|     mu1084_19(unknown)             = ^CallSideEffect            : ~m?
-#-----|     v0_12(void)                    = ^BufferReadSideEffect[-1]  : &:r0_11, ~m?
-# 1084|     mu1084_20(iterator)            = Store[(__end)]             : &:r1084_14, r1084_18
+# 1084|     r1084_1(glval<vector<int> &>)  = VariableAddress[(__range)]  : 
+# 1084|     r1084_2(glval<vector<int> &>)  = VariableAddress[v]          : 
+# 1084|     r1084_3(vector<int> &)         = Load[v]                     : &:r1084_2, ~m?
+# 1084|     r1084_4(glval<vector<int>>)    = CopyValue                   : r1084_3
+# 1084|     r1084_5(vector<int> &)         = CopyValue                   : r1084_4
+# 1084|     mu1084_6(vector<int> &)        = Store[(__range)]            : &:r1084_1, r1084_5
+# 1084|     r1084_7(glval<iterator>)       = VariableAddress[(__begin)]  : 
+# 1084|     r1084_8(glval<vector<int> &>)  = VariableAddress[(__range)]  : 
+# 1084|     r1084_9(vector<int> &)         = Load[(__range)]             : &:r1084_8, ~m?
+#-----|     r0_9(glval<vector<int>>)       = CopyValue                   : r1084_9
+# 1084|     r1084_10(glval<unknown>)       = FunctionAddress[begin]      : 
+# 1084|     r1084_11(iterator)             = Call[begin]                 : func:r1084_10, this:r0_9
+# 1084|     mu1084_12(unknown)             = ^CallSideEffect             : ~m?
+#-----|     v0_10(void)                    = ^IndirectReadSideEffect[-1] : &:r0_9, ~m?
+# 1084|     mu1084_13(iterator)            = Store[(__begin)]            : &:r1084_7, r1084_11
+# 1084|     r1084_14(glval<iterator>)      = VariableAddress[(__end)]    : 
+# 1084|     r1084_15(glval<vector<int> &>) = VariableAddress[(__range)]  : 
+# 1084|     r1084_16(vector<int> &)        = Load[(__range)]             : &:r1084_15, ~m?
+#-----|     r0_11(glval<vector<int>>)      = CopyValue                   : r1084_16
+# 1084|     r1084_17(glval<unknown>)       = FunctionAddress[end]        : 
+# 1084|     r1084_18(iterator)             = Call[end]                   : func:r1084_17, this:r0_11
+# 1084|     mu1084_19(unknown)             = ^CallSideEffect             : ~m?
+#-----|     v0_12(void)                    = ^IndirectReadSideEffect[-1] : &:r0_11, ~m?
+# 1084|     mu1084_20(iterator)            = Store[(__end)]              : &:r1084_14, r1084_18
 #-----|   Goto -> Block 6
 
 # 1084|   Block 6
@@ -6209,7 +6208,7 @@ ir.cpp:
 # 1084|     r1084_24(iterator)        = Load[(__end)]               : &:r1084_23, ~m?
 # 1084|     r1084_25(bool)            = Call[operator!=]            : func:r1084_22, this:r0_13, 0:r1084_24
 # 1084|     mu1084_26(unknown)        = ^CallSideEffect             : ~m?
-#-----|     v0_14(void)               = ^BufferReadSideEffect[-1]   : &:r0_13, ~m?
+#-----|     v0_14(void)               = ^IndirectReadSideEffect[-1] : &:r0_13, ~m?
 # 1084|     v1084_27(void)            = ConditionalBranch           : r1084_25
 #-----|   False -> Block 10
 #-----|   True -> Block 8
@@ -6219,29 +6218,29 @@ ir.cpp:
 # 1084|     r1084_29(glval<unknown>)  = FunctionAddress[operator++]     : 
 # 1084|     r1084_30(iterator &)      = Call[operator++]                : func:r1084_29, this:r1084_28
 # 1084|     mu1084_31(unknown)        = ^CallSideEffect                 : ~m?
-# 1084|     v1084_32(void)            = ^BufferReadSideEffect[-1]       : &:r1084_28, ~m?
+# 1084|     v1084_32(void)            = ^IndirectReadSideEffect[-1]     : &:r1084_28, ~m?
 # 1084|     mu1084_33(iterator)       = ^IndirectMayWriteSideEffect[-1] : &:r1084_28
 # 1084|     r1084_34(glval<iterator>) = CopyValue                       : r1084_30
 #-----|   Goto (back edge) -> Block 6
 
 # 1084|   Block 8
-# 1084|     r1084_35(glval<int &>)    = VariableAddress[e]         : 
-# 1084|     r1084_36(glval<iterator>) = VariableAddress[(__begin)] : 
-#-----|     r0_15(glval<iterator>)    = Convert                    : r1084_36
-# 1084|     r1084_37(glval<unknown>)  = FunctionAddress[operator*] : 
-# 1084|     r1084_38(int &)           = Call[operator*]            : func:r1084_37, this:r0_15
-# 1084|     mu1084_39(unknown)        = ^CallSideEffect            : ~m?
-#-----|     v0_16(void)               = ^BufferReadSideEffect[-1]  : &:r0_15, ~m?
-# 1084|     r1084_40(glval<int>)      = CopyValue                  : r1084_38
-# 1084|     r1084_41(glval<int>)      = Convert                    : r1084_40
-# 1084|     r1084_42(int &)           = CopyValue                  : r1084_41
-# 1084|     mu1084_43(int &)          = Store[e]                   : &:r1084_35, r1084_42
-# 1085|     r1085_1(glval<int &>)     = VariableAddress[e]         : 
-# 1085|     r1085_2(int &)            = Load[e]                    : &:r1085_1, ~m?
-# 1085|     r1085_3(int)              = Load[?]                    : &:r1085_2, ~m?
-# 1085|     r1085_4(int)              = Constant[5]                : 
-# 1085|     r1085_5(bool)             = CompareLT                  : r1085_3, r1085_4
-# 1085|     v1085_6(void)             = ConditionalBranch          : r1085_5
+# 1084|     r1084_35(glval<int &>)    = VariableAddress[e]          : 
+# 1084|     r1084_36(glval<iterator>) = VariableAddress[(__begin)]  : 
+#-----|     r0_15(glval<iterator>)    = Convert                     : r1084_36
+# 1084|     r1084_37(glval<unknown>)  = FunctionAddress[operator*]  : 
+# 1084|     r1084_38(int &)           = Call[operator*]             : func:r1084_37, this:r0_15
+# 1084|     mu1084_39(unknown)        = ^CallSideEffect             : ~m?
+#-----|     v0_16(void)               = ^IndirectReadSideEffect[-1] : &:r0_15, ~m?
+# 1084|     r1084_40(glval<int>)      = CopyValue                   : r1084_38
+# 1084|     r1084_41(glval<int>)      = Convert                     : r1084_40
+# 1084|     r1084_42(int &)           = CopyValue                   : r1084_41
+# 1084|     mu1084_43(int &)          = Store[e]                    : &:r1084_35, r1084_42
+# 1085|     r1085_1(glval<int &>)     = VariableAddress[e]          : 
+# 1085|     r1085_2(int &)            = Load[e]                     : &:r1085_1, ~m?
+# 1085|     r1085_3(int)              = Load[?]                     : &:r1085_2, ~m?
+# 1085|     r1085_4(int)              = Constant[5]                 : 
+# 1085|     r1085_5(bool)             = CompareLT                   : r1085_3, r1085_4
+# 1085|     v1085_6(void)             = ConditionalBranch           : r1085_5
 #-----|   False -> Block 7
 #-----|   True -> Block 9
 
@@ -7525,7 +7524,7 @@ ir.cpp:
 # 1373|     r1373_8(glval<unknown>)  = FunctionAddress[c_str]            : 
 # 1373|     r1373_9(char *)          = Call[c_str]                       : func:r1373_8, this:r1373_7
 # 1373|     mu1373_10(unknown)       = ^CallSideEffect                   : ~m?
-# 1373|     v1373_11(void)           = ^BufferReadSideEffect[-1]         : &:r1373_7, ~m?
+# 1373|     v1373_11(void)           = ^IndirectReadSideEffect[-1]       : &:r1373_7, ~m?
 # 1374|     r1374_1(glval<String>)   = VariableAddress[#temp1374:5]      : 
 # 1374|     r1374_2(glval<unknown>)  = FunctionAddress[returnValue]      : 
 # 1374|     r1374_3(String)          = Call[returnValue]                 : func:r1374_2
@@ -7535,7 +7534,7 @@ ir.cpp:
 # 1374|     r1374_7(glval<unknown>)  = FunctionAddress[c_str]            : 
 # 1374|     r1374_8(char *)          = Call[c_str]                       : func:r1374_7, this:r1374_6
 # 1374|     mu1374_9(unknown)        = ^CallSideEffect                   : ~m?
-# 1374|     v1374_10(void)           = ^BufferReadSideEffect[-1]         : &:r1374_6, ~m?
+# 1374|     v1374_10(void)           = ^IndirectReadSideEffect[-1]       : &:r1374_6, ~m?
 # 1376|     r1376_1(glval<String>)   = VariableAddress[#temp1376:5]      : 
 # 1376|     r1376_2(glval<unknown>)  = FunctionAddress[defaultConstruct] : 
 # 1376|     r1376_3(String)          = Call[defaultConstruct]            : func:r1376_2
@@ -7589,7 +7588,7 @@ ir.cpp:
 # 1385|     r1385_4(glval<unknown>)           = FunctionAddress[method]           : 
 # 1385|     v1385_5(void)                     = Call[method]                      : func:r1385_4, this:r1385_1
 # 1385|     mu1385_6(unknown)                 = ^CallSideEffect                   : ~m?
-# 1385|     v1385_7(void)                     = ^BufferReadSideEffect[-1]         : &:r1385_1, ~m?
+# 1385|     v1385_7(void)                     = ^IndirectReadSideEffect[-1]       : &:r1385_1, ~m?
 # 1385|     mu1385_8(destructor_only)         = ^IndirectMayWriteSideEffect[-1]   : &:r1385_1
 # 1386|     r1386_1(glval<destructor_only>)   = VariableAddress[#temp1386:5]      : 
 # 1386|     r1386_2(glval<unknown>)           = FunctionAddress[returnValue]      : 
@@ -7599,7 +7598,7 @@ ir.cpp:
 # 1386|     r1386_6(glval<unknown>)           = FunctionAddress[method]           : 
 # 1386|     v1386_7(void)                     = Call[method]                      : func:r1386_6, this:r1386_1
 # 1386|     mu1386_8(unknown)                 = ^CallSideEffect                   : ~m?
-# 1386|     v1386_9(void)                     = ^BufferReadSideEffect[-1]         : &:r1386_1, ~m?
+# 1386|     v1386_9(void)                     = ^IndirectReadSideEffect[-1]       : &:r1386_1, ~m?
 # 1386|     mu1386_10(destructor_only)        = ^IndirectMayWriteSideEffect[-1]   : &:r1386_1
 # 1388|     r1388_1(glval<destructor_only>)   = VariableAddress[#temp1388:5]      : 
 # 1388|     r1388_2(glval<unknown>)           = FunctionAddress[defaultConstruct] : 
@@ -7667,7 +7666,7 @@ ir.cpp:
 # 1397|     r1397_7(glval<unknown>)            = FunctionAddress[method]           : 
 # 1397|     v1397_8(void)                      = Call[method]                      : func:r1397_7, this:r1397_1
 # 1397|     mu1397_9(unknown)                  = ^CallSideEffect                   : ~m?
-# 1397|     v1397_10(void)                     = ^BufferReadSideEffect[-1]         : &:r1397_1, ~m?
+# 1397|     v1397_10(void)                     = ^IndirectReadSideEffect[-1]       : &:r1397_1, ~m?
 # 1397|     mu1397_11(copy_constructor)        = ^IndirectMayWriteSideEffect[-1]   : &:r1397_1
 # 1398|     r1398_1(glval<copy_constructor>)   = VariableAddress[#temp1398:5]      : 
 # 1398|     r1398_2(glval<unknown>)            = FunctionAddress[returnValue]      : 
@@ -7677,7 +7676,7 @@ ir.cpp:
 # 1398|     r1398_6(glval<unknown>)            = FunctionAddress[method]           : 
 # 1398|     v1398_7(void)                      = Call[method]                      : func:r1398_6, this:r1398_1
 # 1398|     mu1398_8(unknown)                  = ^CallSideEffect                   : ~m?
-# 1398|     v1398_9(void)                      = ^BufferReadSideEffect[-1]         : &:r1398_1, ~m?
+# 1398|     v1398_9(void)                      = ^IndirectReadSideEffect[-1]       : &:r1398_1, ~m?
 # 1398|     mu1398_10(copy_constructor)        = ^IndirectMayWriteSideEffect[-1]   : &:r1398_1
 # 1399|     r1399_1(glval<copy_constructor>)   = VariableAddress[#temp1399:5]      : 
 # 1399|     r1399_2(glval<unknown>)            = FunctionAddress[defaultConstruct] : 
@@ -7851,7 +7850,7 @@ ir.cpp:
 # 1447|     r1447_9(glval<unknown>)     = FunctionAddress[f]                                : 
 # 1447|     r1447_10(float)             = Call[f]                                           : func:r1447_9, this:r1447_8
 # 1447|     mu1447_11(unknown)          = ^CallSideEffect                                   : ~m?
-# 1447|     v1447_12(void)              = ^BufferReadSideEffect[-1]                         : &:r1447_8, ~m?
+# 1447|     v1447_12(void)              = ^IndirectReadSideEffect[-1]                       : &:r1447_8, ~m?
 # 1447|     mu1447_13(float)            = Store[f]                                          : &:r1447_1, r1447_10
 # 1448|     v1448_1(void)               = NoOp                                              : 
 # 1443|     v1443_4(void)               = ReturnVoid                                        : 
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
index c4019a38251..76de50dd792 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
@@ -1059,7 +1059,7 @@ ssa.cpp:
 #  241|     v241_3(void)                 = Call[g]                         : func:r241_2, this:r241_1
 #  241|     m241_4(unknown)              = ^CallSideEffect                 : ~m240_7
 #  241|     m241_5(unknown)              = Chi                             : total:m240_7, partial:m241_4
-#  241|     v241_6(void)                 = ^BufferReadSideEffect[-1]       : &:r241_1, ~m240_9
+#  241|     v241_6(void)                 = ^IndirectReadSideEffect[-1]     : &:r241_1, m240_9
 #  241|     m241_7(Constructible)        = ^IndirectMayWriteSideEffect[-1] : &:r241_1
 #  241|     m241_8(Constructible)        = Chi                             : total:m240_9, partial:m241_7
 #  242|     r242_1(glval<Constructible>) = VariableAddress[c]              : 
@@ -1067,7 +1067,7 @@ ssa.cpp:
 #  242|     v242_3(void)                 = Call[g]                         : func:r242_2, this:r242_1
 #  242|     m242_4(unknown)              = ^CallSideEffect                 : ~m241_5
 #  242|     m242_5(unknown)              = Chi                             : total:m241_5, partial:m242_4
-#  242|     v242_6(void)                 = ^BufferReadSideEffect[-1]       : &:r242_1, ~m241_8
+#  242|     v242_6(void)                 = ^IndirectReadSideEffect[-1]     : &:r242_1, m241_8
 #  242|     m242_7(Constructible)        = ^IndirectMayWriteSideEffect[-1] : &:r242_1
 #  242|     m242_8(Constructible)        = Chi                             : total:m241_8, partial:m242_7
 #  243|     r243_1(glval<Constructible>) = VariableAddress[c2]             : 
@@ -1084,7 +1084,7 @@ ssa.cpp:
 #  244|     v244_3(void)                 = Call[g]                         : func:r244_2, this:r244_1
 #  244|     m244_4(unknown)              = ^CallSideEffect                 : ~m243_7
 #  244|     m244_5(unknown)              = Chi                             : total:m243_7, partial:m244_4
-#  244|     v244_6(void)                 = ^BufferReadSideEffect[-1]       : &:r244_1, ~m243_9
+#  244|     v244_6(void)                 = ^IndirectReadSideEffect[-1]     : &:r244_1, m243_9
 #  244|     m244_7(Constructible)        = ^IndirectMayWriteSideEffect[-1] : &:r244_1
 #  244|     m244_8(Constructible)        = Chi                             : total:m243_9, partial:m244_7
 #  245|     v245_1(void)                 = NoOp                            : 
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
index a101e638cd0..ab79d20214a 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
@@ -1054,7 +1054,7 @@ ssa.cpp:
 #  241|     v241_3(void)                 = Call[g]                         : func:r241_2, this:r241_1
 #  241|     m241_4(unknown)              = ^CallSideEffect                 : ~m240_7
 #  241|     m241_5(unknown)              = Chi                             : total:m240_7, partial:m241_4
-#  241|     v241_6(void)                 = ^BufferReadSideEffect[-1]       : &:r241_1, ~m240_9
+#  241|     v241_6(void)                 = ^IndirectReadSideEffect[-1]     : &:r241_1, m240_9
 #  241|     m241_7(Constructible)        = ^IndirectMayWriteSideEffect[-1] : &:r241_1
 #  241|     m241_8(Constructible)        = Chi                             : total:m240_9, partial:m241_7
 #  242|     r242_1(glval<Constructible>) = VariableAddress[c]              : 
@@ -1062,7 +1062,7 @@ ssa.cpp:
 #  242|     v242_3(void)                 = Call[g]                         : func:r242_2, this:r242_1
 #  242|     m242_4(unknown)              = ^CallSideEffect                 : ~m241_5
 #  242|     m242_5(unknown)              = Chi                             : total:m241_5, partial:m242_4
-#  242|     v242_6(void)                 = ^BufferReadSideEffect[-1]       : &:r242_1, ~m241_8
+#  242|     v242_6(void)                 = ^IndirectReadSideEffect[-1]     : &:r242_1, m241_8
 #  242|     m242_7(Constructible)        = ^IndirectMayWriteSideEffect[-1] : &:r242_1
 #  242|     m242_8(Constructible)        = Chi                             : total:m241_8, partial:m242_7
 #  243|     r243_1(glval<Constructible>) = VariableAddress[c2]             : 
@@ -1079,7 +1079,7 @@ ssa.cpp:
 #  244|     v244_3(void)                 = Call[g]                         : func:r244_2, this:r244_1
 #  244|     m244_4(unknown)              = ^CallSideEffect                 : ~m243_7
 #  244|     m244_5(unknown)              = Chi                             : total:m243_7, partial:m244_4
-#  244|     v244_6(void)                 = ^BufferReadSideEffect[-1]       : &:r244_1, ~m243_9
+#  244|     v244_6(void)                 = ^IndirectReadSideEffect[-1]     : &:r244_1, m243_9
 #  244|     m244_7(Constructible)        = ^IndirectMayWriteSideEffect[-1] : &:r244_1
 #  244|     m244_8(Constructible)        = Chi                             : total:m243_9, partial:m244_7
 #  245|     v245_1(void)                 = NoOp                            : 
diff --git a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
index 8b6cf17dbbb..0b257db98a4 100644
--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
@@ -983,13 +983,13 @@ ssa.cpp:
 #  241|     r241_2(glval<unknown>)       = FunctionAddress[g]              : 
 #  241|     v241_3(void)                 = Call[g]                         : func:r241_2, this:r241_1
 #  241|     mu241_4(unknown)             = ^CallSideEffect                 : ~m?
-#  241|     v241_5(void)                 = ^BufferReadSideEffect[-1]       : &:r241_1, ~m?
+#  241|     v241_5(void)                 = ^IndirectReadSideEffect[-1]     : &:r241_1, ~m?
 #  241|     mu241_6(Constructible)       = ^IndirectMayWriteSideEffect[-1] : &:r241_1
 #  242|     r242_1(glval<Constructible>) = VariableAddress[c]              : 
 #  242|     r242_2(glval<unknown>)       = FunctionAddress[g]              : 
 #  242|     v242_3(void)                 = Call[g]                         : func:r242_2, this:r242_1
 #  242|     mu242_4(unknown)             = ^CallSideEffect                 : ~m?
-#  242|     v242_5(void)                 = ^BufferReadSideEffect[-1]       : &:r242_1, ~m?
+#  242|     v242_5(void)                 = ^IndirectReadSideEffect[-1]     : &:r242_1, ~m?
 #  242|     mu242_6(Constructible)       = ^IndirectMayWriteSideEffect[-1] : &:r242_1
 #  243|     r243_1(glval<Constructible>) = VariableAddress[c2]             : 
 #  243|     mu243_2(Constructible)       = Uninitialized[c2]               : &:r243_1
@@ -1002,7 +1002,7 @@ ssa.cpp:
 #  244|     r244_2(glval<unknown>)       = FunctionAddress[g]              : 
 #  244|     v244_3(void)                 = Call[g]                         : func:r244_2, this:r244_1
 #  244|     mu244_4(unknown)             = ^CallSideEffect                 : ~m?
-#  244|     v244_5(void)                 = ^BufferReadSideEffect[-1]       : &:r244_1, ~m?
+#  244|     v244_5(void)                 = ^IndirectReadSideEffect[-1]     : &:r244_1, ~m?
 #  244|     mu244_6(Constructible)       = ^IndirectMayWriteSideEffect[-1] : &:r244_1
 #  245|     v245_1(void)                 = NoOp                            : 
 #  239|     v239_4(void)                 = ReturnVoid                      : 
diff --git a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
index 8b6cf17dbbb..0b257db98a4 100644
--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
@@ -983,13 +983,13 @@ ssa.cpp:
 #  241|     r241_2(glval<unknown>)       = FunctionAddress[g]              : 
 #  241|     v241_3(void)                 = Call[g]                         : func:r241_2, this:r241_1
 #  241|     mu241_4(unknown)             = ^CallSideEffect                 : ~m?
-#  241|     v241_5(void)                 = ^BufferReadSideEffect[-1]       : &:r241_1, ~m?
+#  241|     v241_5(void)                 = ^IndirectReadSideEffect[-1]     : &:r241_1, ~m?
 #  241|     mu241_6(Constructible)       = ^IndirectMayWriteSideEffect[-1] : &:r241_1
 #  242|     r242_1(glval<Constructible>) = VariableAddress[c]              : 
 #  242|     r242_2(glval<unknown>)       = FunctionAddress[g]              : 
 #  242|     v242_3(void)                 = Call[g]                         : func:r242_2, this:r242_1
 #  242|     mu242_4(unknown)             = ^CallSideEffect                 : ~m?
-#  242|     v242_5(void)                 = ^BufferReadSideEffect[-1]       : &:r242_1, ~m?
+#  242|     v242_5(void)                 = ^IndirectReadSideEffect[-1]     : &:r242_1, ~m?
 #  242|     mu242_6(Constructible)       = ^IndirectMayWriteSideEffect[-1] : &:r242_1
 #  243|     r243_1(glval<Constructible>) = VariableAddress[c2]             : 
 #  243|     mu243_2(Constructible)       = Uninitialized[c2]               : &:r243_1
@@ -1002,7 +1002,7 @@ ssa.cpp:
 #  244|     r244_2(glval<unknown>)       = FunctionAddress[g]              : 
 #  244|     v244_3(void)                 = Call[g]                         : func:r244_2, this:r244_1
 #  244|     mu244_4(unknown)             = ^CallSideEffect                 : ~m?
-#  244|     v244_5(void)                 = ^BufferReadSideEffect[-1]       : &:r244_1, ~m?
+#  244|     v244_5(void)                 = ^IndirectReadSideEffect[-1]     : &:r244_1, ~m?
 #  244|     mu244_6(Constructible)       = ^IndirectMayWriteSideEffect[-1] : &:r244_1
 #  245|     v245_1(void)                 = NoOp                            : 
 #  239|     v239_4(void)                 = ReturnVoid                      : 

From b8c11503f0fcc66c07169a0d9cb413726af347ff Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Sat, 10 Apr 2021 04:21:49 +0800
Subject: [PATCH 0292/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
index 2712f30a3f2..f4910008902 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
@@ -4,7 +4,7 @@
 <qhelp>
 <overview>
 <p>The software uses external input as the function name to wrap JSON data and returns it to the client as a request response. 
-When there is a cross-domain problem, the problem of sensitive information leakage may occur.</p>
+When there is a cross-domain problem, this could lead to information leakage.</p>
 
 </overview>
 <recommendation>

From ebd38eaf3bd0d5f4cb15bf4724fb2bb90ad1f8a6 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Sat, 10 Apr 2021 04:22:08 +0800
Subject: [PATCH 0293/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
index f4910008902..e3d61a0342e 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
@@ -14,7 +14,7 @@ When there is a cross-domain problem, this could lead to information leakage.</p
 </recommendation>
 <example>
 
-<p>The following examples show the bad case and the good case respectively. Bad case, such as <code>bad1</code> to <code>bad8</code>, 
+<p>The following examples show the bad case and the good case respectively. Bad cases, such as <code>bad1</code> to <code>bad8</code>, 
 will cause information leakage problems when there are cross-domain problems. In a good case, for example, in the <code>good1</code> 
 method and the <code>good2</code> method, use the <code>verifToken</code> method to do the random <code>token</code> Verification can 
 solve the problem of information leakage caused by cross-domain.</p>

From d8165145c71e1c21c8e274fca2d807ad34b0001d Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Sat, 10 Apr 2021 04:22:44 +0800
Subject: [PATCH 0294/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
index e3d61a0342e..f8c01cf5a32 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
@@ -15,7 +15,7 @@ When there is a cross-domain problem, this could lead to information leakage.</p
 <example>
 
 <p>The following examples show the bad case and the good case respectively. Bad cases, such as <code>bad1</code> to <code>bad8</code>, 
-will cause information leakage problems when there are cross-domain problems. In a good case, for example, in the <code>good1</code> 
+will cause information leakage when there are cross-domain problems. In a good case, for example, in the <code>good1</code> 
 method and the <code>good2</code> method, use the <code>verifToken</code> method to do the random <code>token</code> Verification can 
 solve the problem of information leakage caused by cross-domain.</p>
 

From 1510048f7afb17ae4e63b38c7e83c2ef05c9aa11 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Sat, 10 Apr 2021 04:23:13 +0800
Subject: [PATCH 0295/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
index f8c01cf5a32..10c6aa056ad 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
@@ -16,7 +16,7 @@ When there is a cross-domain problem, this could lead to information leakage.</p
 
 <p>The following examples show the bad case and the good case respectively. Bad cases, such as <code>bad1</code> to <code>bad8</code>, 
 will cause information leakage when there are cross-domain problems. In a good case, for example, in the <code>good1</code> 
-method and the <code>good2</code> method, use the <code>verifToken</code> method to do the random <code>token</code> Verification can 
+method and the <code>good2</code> method, using the <code>verifToken</code> method to do random <code>token</code> verification
 solve the problem of information leakage caused by cross-domain.</p>
 
 <sample src="JsonpInjection.java" />

From 79c1374925f72b59ac9ad6f41ad2ad0b759c0eb5 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Sat, 10 Apr 2021 04:24:49 +0800
Subject: [PATCH 0296/1429] Update
 java/ql/src/semmle/code/java/frameworks/Servlets.qll

Co-authored-by: Chris Smowton <smowton@github.com>
---
 java/ql/src/semmle/code/java/frameworks/Servlets.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/Servlets.qll b/java/ql/src/semmle/code/java/frameworks/Servlets.qll
index 21f55d39685..a99df9816f1 100644
--- a/java/ql/src/semmle/code/java/frameworks/Servlets.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Servlets.qll
@@ -354,7 +354,7 @@ class FilterChain extends Interface {
 
 /** Holds if `m` is a filter handler method (for example `doFilter`). */
 predicate isDoFilterMethod(Method m) {
-  m.getName().matches("doFilter") and
+  m.getName() ="doFilter" and
   m.getDeclaringType() instanceof FilterClass and
   m.getNumberOfParameters() = 3 and
   m.getParameter(0).getType() instanceof ServletRequest and

From 157e4670fd5ec92f9f86b2fc23eae3eda103375d Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Sat, 10 Apr 2021 04:25:11 +0800
Subject: [PATCH 0297/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
index 10c6aa056ad..2a3f0861cdf 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
@@ -17,7 +17,7 @@ When there is a cross-domain problem, this could lead to information leakage.</p
 <p>The following examples show the bad case and the good case respectively. Bad cases, such as <code>bad1</code> to <code>bad8</code>, 
 will cause information leakage when there are cross-domain problems. In a good case, for example, in the <code>good1</code> 
 method and the <code>good2</code> method, using the <code>verifToken</code> method to do random <code>token</code> verification
-solve the problem of information leakage caused by cross-domain.</p>
+solves the problem of information leakage even in the presence of cross-domain access issues.</p>
 
 <sample src="JsonpInjection.java" />
 

From 837f20108ddabb25c4c04f45c1c1324b456d2ce0 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Sat, 10 Apr 2021 04:25:43 +0800
Subject: [PATCH 0298/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index bf90926f72f..507a93454d7 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -7,7 +7,7 @@ import semmle.code.java.dataflow.DataFlow3
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.spring.SpringController
 
-/** A data flow configuration is tracing flow from the access to the authentication method of token/auth/referer/origin to if condition. */
+/** A data flow configuration tracing flow from the result of a method whose name includes token/auth/referer/origin to an if-statement condition. */
 class VerificationMethodToIfFlowConfig extends DataFlow3::Configuration {
   VerificationMethodToIfFlowConfig() { this = "VerificationMethodToIfFlowConfig" }
 

From c77c7b0a982bfe6eb88911bc7ac5cfb26b58d245 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Sat, 10 Apr 2021 04:27:16 +0800
Subject: [PATCH 0299/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../Security/CWE/CWE-352/JsonpInjectionLib.qll             | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index 507a93454d7..f30a31f4133 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -27,7 +27,12 @@ class VerificationMethodToIfFlowConfig extends DataFlow3::Configuration {
   }
 }
 
-/** Taint-tracking configuration tracing flow from untrusted inputs to verification of remote user input. */
+/** Taint-tracking configuration tracing flow from untrusted inputs to an argument of a function whose result is used as an if-statement condition.
+* 
+* For example, in the context `String userControlled = request.getHeader("xyz"); boolean isGood = checkToken(userControlled); if(isGood) { ...`,
+* the flow from `checkToken`'s result to the condition of `if(isGood)` matches the configuration `VerificationMethodToIfFlowConfig` above,
+* and so the flow from `getHeader(...)` to the argument to `checkToken` matches this configuration.
+ */
 class VerificationMethodFlowConfig extends TaintTracking2::Configuration {
   VerificationMethodFlowConfig() { this = "VerificationMethodFlowConfig" }
 

From 760231c0046b559279eefe79c60de6e0092a96ba Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Sat, 10 Apr 2021 04:28:17 +0800
Subject: [PATCH 0300/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll    | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index f30a31f4133..c63473cafa8 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -60,6 +60,9 @@ Callable getACallingCallableOrSelf(Callable call) {
   result = getACallingCallableOrSelf(call.getAReference().getEnclosingCallable())
 }
 
+/**
+ * A method that is called to handle an HTTP GET request.
+ */
 abstract class RequestGetMethod extends Method { }
 
 /** Override method of `doGet` of `Servlet` subclass. */

From 9635a36044677ba4b3849f61480a16934b99bf76 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Sat, 10 Apr 2021 04:29:06 +0800
Subject: [PATCH 0301/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../src/experimental/Security/CWE/CWE-352/JsonpInjection.ql  | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
index 6e333d83993..9e210dd0e7b 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -16,7 +16,10 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.deadcode.WebEntryPoints
 import DataFlow::PathGraph
 
-/** Determine whether there is a verification method for the remote streaming source data flow path method. */
+/** 
+ * Holds if some `Filter.doFilter` method exists in the whole program that takes some user-controlled
+ * input and tests it with what appears to be a token- or authentication-checking function.
+ */
 predicate existsFilterVerificationMethod() {
   exists(DataFlow::Node source, DataFlow::Node sink, VerificationMethodFlowConfig vmfc, Method m |
     vmfc.hasFlow(source, sink) and

From 4c21980d4f34ab44bb684ff23c8c113028b355f0 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Sat, 10 Apr 2021 04:29:30 +0800
Subject: [PATCH 0302/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index c63473cafa8..3ba559a81c0 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -141,7 +141,7 @@ class JsonDataFlowConfig extends DataFlow2::Configuration {
   }
 }
 
-/** Taint-tracking configuration tracing flow from user-controllable function name jsonp data to output jsonp data. */
+/** Taint-tracking configuration tracing flow from probable jsonp data with a user-controlled function name to an outgoing HTTP entity. */
 class JsonpInjectionFlowConfig extends TaintTracking::Configuration {
   JsonpInjectionFlowConfig() { this = "JsonpInjectionFlowConfig" }
 

From 8a7d28a2ed8f235a82b20803da94f4f6828f26e5 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Sat, 10 Apr 2021 04:29:49 +0800
Subject: [PATCH 0303/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index 3ba559a81c0..5e9b447f51c 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -130,7 +130,7 @@ class RemoteFlowConfig extends DataFlow2::Configuration {
   }
 }
 
-/** A data flow configuration tracing flow from json data to splicing jsonp data. */
+/** A data flow configuration tracing flow from json data into the argument `json` of JSONP-like string `someFunctionName + "(" + json + ")"`. */
 class JsonDataFlowConfig extends DataFlow2::Configuration {
   JsonDataFlowConfig() { this = "JsonDataFlowConfig" }
 

From 8687c5c14533ac35859cedca383217c65bce5539 Mon Sep 17 00:00:00 2001
From: porcupineyhairs <61983466+porcupineyhairs@users.noreply.github.com>
Date: Sat, 10 Apr 2021 04:18:35 +0530
Subject: [PATCH 0304/1429] Apply suggestions from code review

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../Security/CWE/CWE-094/InsecureDexLoading.qhelp    | 12 ++++++------
 .../Security/CWE/CWE-094/InsecureDexLoading.ql       |  8 ++++----
 .../Security/CWE/CWE-094/InsecureDexLoading.qll      |  4 ++--
 .../Security/CWE/CWE-094/InsecureDexLoadingBad.java  |  4 ++--
 4 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qhelp
index feda3af3fc2..4a5555c1390 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qhelp
@@ -2,29 +2,29 @@
 <qhelp>
   <overview>
     <p>
-Shared world writable storage spaces are not secure to load Dex libraries from. A malicious actor can replace a dex file with a maliciously crafted file 
+It is dangerous to load Dex libraries from shared world-writable storage spaces. A malicious actor can replace a dex file with a maliciously crafted file 
 which when loaded by the app can lead to code execution. 
 </p>
   </overview>
 
   <recommendation>
     <p>
-      Loading a file from private storage instead of a world writable one can prevent this issue.
-      As the attacker cannot access files stored by the app in its private storage. 
+      Loading a file from private storage instead of a world-writable one can prevent this issue,
+      because the attacker cannot access files stored there. 
     </p>
   </recommendation>
 
   <example>
     <p>
-      The following example loads a Dex file from a shared world writable location. in this case, 
-      since the `/sdcard` directory is on external storage, any one can read/write to the location. 
+      The following example loads a Dex file from a shared world-writable location. in this case, 
+      since the `/sdcard` directory is on external storage, anyone can read/write to the location. 
       bypassing all Android security policies. Hence, this is insecure.
     </p>
     <sample src="InsecureDexLoadingBad.java" />
 
     <p>
     The next example loads a Dex file stored inside the app's private storage. 
-    This is not exploitable as nobody else except the app can access the data stored here.
+    This is not exploitable as nobody else except the app can access the data stored there.
     </p>
     <sample src="InsecureDexLoadingGood.java" />
   </example>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.ql b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.ql
index 58d9844d38a..bae3ed63d70 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.ql
@@ -1,7 +1,7 @@
 /**
  * @name Insecure loading of an Android Dex File
- * @description Loading a DEX library located in a world-readable/ writable location such as
- * a SD card can cause arbitary code execution vulnerabilities.
+ * @description Loading a DEX library located in a world-writable location such as
+ * an SD card can lead to arbitrary code execution vulnerabilities.
  * @kind path-problem
  * @problem.severity error
  * @precision high
@@ -16,5 +16,5 @@ import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, InsecureDexConfiguration conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Potential arbitary code execution due to $@.",
-  source.getNode(), "a value loaded from a world readable/writable source."
+select sink.getNode(), source, sink, "Potential arbitrary code execution due to $@.",
+  source.getNode(), "a value loaded from a world-writable source."
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qll b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qll
index 2a4b387be7e..0ee0954216e 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qll
@@ -2,7 +2,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
 
 /**
- * A taint-tracking configuration fordetecting unsafe use of a
+ * A taint-tracking configuration detecting unsafe use of a
  * `DexClassLoader` by an Android app.
  */
 class InsecureDexConfiguration extends TaintTracking::Configuration {
@@ -63,7 +63,7 @@ private class DexClassLoader extends InsecureDexSink {
 }
 
 /**
- * An `File` instance which reads from an SD card
+ * A `File` instance which reads from an SD card
  * taken as a source for insecure Dex class loading vulnerabilities.
  */
 private class ExternalFile extends InsecureDexSource {
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoadingBad.java b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoadingBad.java
index d8fdd828f4f..869b6bc571c 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoadingBad.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoadingBad.java
@@ -22,11 +22,11 @@ public class InsecureDexLoading extends Application {
 						getClassLoader());
 				int version = (int) cl.loadClass("my.package.class").getDeclaredMethod("myMethod").invoke(null);
 				if (Build.VERSION.SDK_INT < version) {
-					Toast.makeText(this, "Securely loaded Dex!", Toast.LENGTH_LONG).show();
+					Toast.makeText(this, "Loaded Dex!", Toast.LENGTH_LONG).show();
 				}
 			}
 		} catch (Exception e) {
 			// ignore
 		}
 	}
-}
\ No newline at end of file
+}

From a5ebe8c60055b44c2e522019df2eb14e0a7b03d5 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Sat, 10 Apr 2021 09:26:08 +0800
Subject: [PATCH 0305/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index 5e9b447f51c..da1e17fd75c 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -12,7 +12,7 @@ class VerificationMethodToIfFlowConfig extends DataFlow3::Configuration {
   VerificationMethodToIfFlowConfig() { this = "VerificationMethodToIfFlowConfig" }
 
   override predicate isSource(DataFlow::Node src) {
-    exists(MethodAccess ma, BarrierGuard bg | ma = bg |
+    exists(MethodAccess ma | ma instanceof BarrierGuard |
       (
         ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
         or

From 650446f761fc943d7a5d7c891402ea22b46b202d Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Sat, 10 Apr 2021 09:26:32 +0800
Subject: [PATCH 0306/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index da1e17fd75c..c5b0de71fad 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -39,8 +39,8 @@ class VerificationMethodFlowConfig extends TaintTracking2::Configuration {
   override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma, BarrierGuard bg, int i, VerificationMethodToIfFlowConfig vmtifc |
-      ma = bg
+    exists(MethodAccess ma, int i, VerificationMethodToIfFlowConfig vmtifc |
+      ma instanceof BarrierGuard
     |
       (
         ma.getMethod().getParameter(i).getName().regexpMatch("(?i).*(token|auth|referer|origin).*")

From 8b756d7f1bcf090b0a890df81fe85dd712e56e05 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Sat, 10 Apr 2021 09:27:03 +0800
Subject: [PATCH 0307/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../src/experimental/Security/CWE/CWE-352/JsonpInjection.ql | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
index 9e210dd0e7b..aa046e7cd2c 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -28,7 +28,11 @@ predicate existsFilterVerificationMethod() {
   )
 }
 
-/** Determine whether there is a verification method for the remote streaming source data flow path method. */
+/** 
+ * Holds if somewhere in the whole program some user-controlled
+ * input is tested with what appears to be a token- or authentication-checking function,
+ * and `checkNode` is reachable from any function that can reach the user-controlled input source.
+ */
 predicate existsServletVerificationMethod(Node checkNode) {
   exists(DataFlow::Node source, DataFlow::Node sink, VerificationMethodFlowConfig vmfc |
     vmfc.hasFlow(source, sink) and

From 046aeaa38cd5478670e711357d965a30077ef89f Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Sat, 10 Apr 2021 09:37:29 +0800
Subject: [PATCH 0308/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index c5b0de71fad..1a1d8487149 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -98,7 +98,7 @@ class SpringControllerRequestMappingGetMethod extends SpringControllerGetMethod
 }
 
 /** A concatenate expression using `(` and `)` or `);`. */
-class JsonpInjectionExpr extends AddExpr {
+class JsonpBuilderExpr extends AddExpr {
   JsonpInjectionExpr() {
     getRightOperand().toString().regexpMatch("\"\\)\"|\"\\);\"") and
     getLeftOperand()

From eeae91e62012dce68650e2a2d696adbded055218 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Sat, 10 Apr 2021 09:48:55 +0800
Subject: [PATCH 0309/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index 1a1d8487149..589a565c590 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -100,7 +100,7 @@ class SpringControllerRequestMappingGetMethod extends SpringControllerGetMethod
 /** A concatenate expression using `(` and `)` or `);`. */
 class JsonpBuilderExpr extends AddExpr {
   JsonpInjectionExpr() {
-    getRightOperand().toString().regexpMatch("\"\\)\"|\"\\);\"") and
+    getRightOperand().toString().regexpMatch("\"\\);?\"") and
     getLeftOperand()
         .(AddExpr)
         .getLeftOperand()

From 9349e6922d50c36926a4cdf56a9bbc46c712a2c1 Mon Sep 17 00:00:00 2001
From: Marcono1234 <Marcono1234@users.noreply.github.com>
Date: Thu, 8 Apr 2021 21:37:03 +0200
Subject: [PATCH 0310/1429] Java: Add ToStringMethod

---
 .../Security/CWE/CWE-209/StackTraceExposure.ql    |  3 +--
 .../CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql     |  3 +--
 .../CWE/CWE-798/HardcodedCredentialsApiCall.ql    |  4 ++--
 .../Undesirable Calls/CallsToStringToString.ql    |  3 +--
 .../Undesirable Calls/DefaultToString.ql          | 15 ++++-----------
 .../Security/CWE/CWE-297/InsecureLdapEndpoint.ql  |  2 +-
 java/ql/src/semmle/code/java/JDK.qll              | 10 +++++++++-
 java/ql/src/semmle/code/java/dispatch/ObjFlow.qll |  2 +-
 .../code/java/security/ControlledString.qll       |  9 ++++-----
 9 files changed, 24 insertions(+), 27 deletions(-)

diff --git a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
index c9c1e2917c0..3426d9f6f62 100644
--- a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+++ b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
@@ -79,8 +79,7 @@ predicate stackTraceExpr(Expr exception, MethodAccess stackTraceString) {
     printStackCall.getAnArgument() = printWriter and
     printStackCall.getQualifier() = exception and
     stackTraceString.getQualifier() = stringWriterVar.getAnAccess() and
-    stackTraceString.getMethod().getName() = "toString" and
-    stackTraceString.getMethod().getNumberOfParameters() = 0
+    stackTraceString.getMethod() instanceof ToStringMethod
   )
 }
 
diff --git a/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql b/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
index c84abe1ff75..7b026efb7ae 100644
--- a/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
+++ b/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
@@ -33,9 +33,8 @@ class InsecureAlgoLiteral extends ShortStringLiteral {
 }
 
 predicate objectToString(MethodAccess ma) {
-  exists(Method m |
+  exists(ToStringMethod m |
     m = ma.getMethod() and
-    m.hasName("toString") and
     m.getDeclaringType() instanceof TypeObject and
     variableTrack(ma.getQualifier()).getType().getErasure() instanceof TypeObject
   )
diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
index 4fb3f14c993..c76527bc538 100644
--- a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
+++ b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
@@ -19,14 +19,14 @@ class HardcodedCredentialApiCallConfiguration extends DataFlow::Configuration {
 
   override predicate isSource(DataFlow::Node n) {
     n.asExpr() instanceof HardcodedExpr and
-    not n.asExpr().getEnclosingCallable().getName() = "toString"
+    not n.asExpr().getEnclosingCallable() instanceof ToStringMethod
   }
 
   override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsApiSink }
 
   override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     node1.asExpr().getType() instanceof TypeString and
-    exists(MethodAccess ma | ma.getMethod().getName().regexpMatch("getBytes|toCharArray") |
+    exists(MethodAccess ma | ma.getMethod().hasName(["getBytes", "toCharArray"]) |
       node2.asExpr() = ma and
       ma.getQualifier() = node1.asExpr()
     )
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToStringToString.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToStringToString.ql
index 40a4e36d70c..c1395669405 100644
--- a/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToStringToString.ql	
+++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToStringToString.ql	
@@ -10,9 +10,8 @@
 
 import java
 
-from MethodAccess ma, Method tostring
+from MethodAccess ma, ToStringMethod tostring
 where
-  tostring.hasName("toString") and
   tostring.getDeclaringType() instanceof TypeString and
   ma.getMethod() = tostring
 select ma, "Redundant call to 'toString' on a String object."
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DefaultToString.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DefaultToString.ql
index 7d9ef5b85f9..c6eaf5af2cb 100644
--- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DefaultToString.ql	
+++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DefaultToString.ql	
@@ -14,20 +14,13 @@ import java
 import semmle.code.java.StringFormat
 
 predicate explicitToStringCall(Expr e) {
-  exists(MethodAccess ma, Method toString | toString = ma.getMethod() |
-    e = ma.getQualifier() and
-    toString.getName() = "toString" and
-    toString.getNumberOfParameters() = 0 and
-    not toString.isStatic()
+  exists(MethodAccess ma |
+    ma.getMethod() instanceof ToStringMethod and
+    e = ma.getQualifier()
   )
 }
 
-predicate directlyDeclaresToString(Class c) {
-  exists(Method m | m.getDeclaringType() = c |
-    m.getName() = "toString" and
-    m.getNumberOfParameters() = 0
-  )
-}
+predicate directlyDeclaresToString(Class c) { any(ToStringMethod m).getDeclaringType() = c }
 
 predicate inheritsObjectToString(Class t) {
   not directlyDeclaresToString(t.getSourceDeclaration()) and
diff --git a/java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql b/java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql
index 467d78ae1c4..9fa2fe596fd 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql
@@ -68,7 +68,7 @@ predicate isBooleanTrue(Expr expr) {
   or
   exists(MethodAccess ma |
     expr = ma and
-    ma.getMethod().hasName("toString") and
+    ma.getMethod() instanceof ToStringMethod and
     ma.getQualifier().(FieldAccess).getField().hasName("TRUE") and
     ma.getQualifier()
         .(FieldAccess)
diff --git a/java/ql/src/semmle/code/java/JDK.qll b/java/ql/src/semmle/code/java/JDK.qll
index cf2ae1ab207..7bc072e177c 100644
--- a/java/ql/src/semmle/code/java/JDK.qll
+++ b/java/ql/src/semmle/code/java/JDK.qll
@@ -353,7 +353,7 @@ class EqualsMethod extends Method {
 class HashCodeMethod extends Method {
   HashCodeMethod() {
     this.hasName("hashCode") and
-    this.getNumberOfParameters() = 0
+    this.hasNoParameters()
   }
 }
 
@@ -365,6 +365,14 @@ class CloneMethod extends Method {
   }
 }
 
+/** A method with the same signature as `java.lang.Object.toString`. */
+class ToStringMethod extends Method {
+  ToStringMethod() {
+    this.hasName("toString") and
+    this.hasNoParameters()
+  }
+}
+
 /**
  * The public static `main` method, with a single formal parameter
  * of type `String[]` and return type `void`.
diff --git a/java/ql/src/semmle/code/java/dispatch/ObjFlow.qll b/java/ql/src/semmle/code/java/dispatch/ObjFlow.qll
index 52ee910ae1d..9ec77acf2c7 100644
--- a/java/ql/src/semmle/code/java/dispatch/ObjFlow.qll
+++ b/java/ql/src/semmle/code/java/dispatch/ObjFlow.qll
@@ -194,7 +194,7 @@ private predicate source(RefType t, ObjNode n) {
 private predicate sink(ObjNode n) {
   exists(MethodAccess toString |
     toString.getQualifier() = n.asExpr() and
-    toString.getMethod().hasName("toString")
+    toString.getMethod() instanceof ToStringMethod
   ) and
   n.getTypeBound().getErasure() instanceof TypeObject
 }
diff --git a/java/ql/src/semmle/code/java/security/ControlledString.qll b/java/ql/src/semmle/code/java/security/ControlledString.qll
index c9f036b0ea6..3779c2c1009 100644
--- a/java/ql/src/semmle/code/java/security/ControlledString.qll
+++ b/java/ql/src/semmle/code/java/security/ControlledString.qll
@@ -8,7 +8,8 @@ import semmle.code.java.Expr
 import semmle.code.java.security.Validation
 
 /**
- * Holds if `method` is a `toString()` method on a boxed type. These never return special characters.
+ * Holds if `method` is a `toString()` method on a boxed type, with or without parameters.
+ * These never return special characters.
  */
 private predicate boxedToString(Method method) {
   method.getDeclaringType() instanceof BoxedType and
@@ -44,11 +45,9 @@ private predicate controlledStringProp(Expr src, Expr dest) {
   exists(AddExpr concatOp | concatOp = dest | src = concatOp.getAnOperand())
   or
   // `toString()` on a safe string is safe.
-  exists(MethodAccess toStringCall, Method toString |
+  exists(MethodAccess toStringCall |
     src = toStringCall.getQualifier() and
-    toString = toStringCall.getMethod() and
-    toString.hasName("toString") and
-    toString.getNumberOfParameters() = 0 and
+    toStringCall.getMethod() instanceof ToStringMethod and
     dest = toStringCall
   )
 }

From d90527bead69c90f6a2f2ce12bce0cd82dd44ebd Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Sat, 10 Apr 2021 10:33:21 +0800
Subject: [PATCH 0311/1429] JsonpInjectionExpr updated to JsonpBuilderExpr

---
 .../Security/CWE/CWE-352/JsonpInjectionLib.qll            | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index 589a565c590..380087cdd05 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -99,7 +99,7 @@ class SpringControllerRequestMappingGetMethod extends SpringControllerGetMethod
 
 /** A concatenate expression using `(` and `)` or `);`. */
 class JsonpBuilderExpr extends AddExpr {
-  JsonpInjectionExpr() {
+  JsonpBuilderExpr() {
     getRightOperand().toString().regexpMatch("\"\\);?\"") and
     getLeftOperand()
         .(AddExpr)
@@ -126,7 +126,7 @@ class RemoteFlowConfig extends DataFlow2::Configuration {
   override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(JsonpInjectionExpr jhe | jhe.getFunctionName() = sink.asExpr())
+    exists(JsonpBuilderExpr jhe | jhe.getFunctionName() = sink.asExpr())
   }
 }
 
@@ -137,7 +137,7 @@ class JsonDataFlowConfig extends DataFlow2::Configuration {
   override predicate isSource(DataFlow::Node src) { src instanceof JsonpStringSource }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(JsonpInjectionExpr jhe | jhe.getJsonExpr() = sink.asExpr())
+    exists(JsonpBuilderExpr jhe | jhe.getJsonExpr() = sink.asExpr())
   }
 }
 
@@ -146,7 +146,7 @@ class JsonpInjectionFlowConfig extends TaintTracking::Configuration {
   JsonpInjectionFlowConfig() { this = "JsonpInjectionFlowConfig" }
 
   override predicate isSource(DataFlow::Node src) {
-    exists(JsonpInjectionExpr jhe, JsonDataFlowConfig jdfc, RemoteFlowConfig rfc |
+    exists(JsonpBuilderExpr jhe, JsonDataFlowConfig jdfc, RemoteFlowConfig rfc |
       jhe = src.asExpr() and
       jdfc.hasFlowTo(DataFlow::exprNode(jhe.getJsonExpr())) and
       rfc.hasFlowTo(DataFlow::exprNode(jhe.getFunctionName()))

From 8d11bc97ca60523f671fb2706caf27cacde65467 Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Tue, 6 Apr 2021 23:49:21 +0200
Subject: [PATCH 0312/1429] [Java] Add "missing jwt signature check" qhelp.

---
 .../CWE/CWE-347/MissingJWTSignatureCheck.java | 34 ++++++++++++++++
 .../CWE-347/MissingJWTSignatureCheck.qhelp    | 39 +++++++++++++++++++
 2 files changed, 73 insertions(+)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.java
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.qhelp

diff --git a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.java b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.java
new file mode 100644
index 00000000000..1760b4d6097
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.java
@@ -0,0 +1,34 @@
+public void badJwt(String token) {
+    Jwts.parserBuilder()
+                .setSigningKey("someBase64EncodedKey").build()
+                .parse(token); // BAD: Does not verify the signature
+}
+
+public void badJwtHandler(String token) {
+    Jwts.parserBuilder()
+                .setSigningKey("someBase64EncodedKey").build()
+                .parse(plaintextJwt, new JwtHandlerAdapter<Jwt<Header, String>>() {
+                    @Override
+                    public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
+                        return jwt;
+                    }
+                }); // BAD: The handler is called on an unverified JWT
+}
+
+public void goodJwt(String token) {
+    Jwts.parserBuilder()
+                .setSigningKey("someBase64EncodedKey").build()
+                .parseClaimsJws(token) // GOOD: Verify the signature
+                .getBody();
+}
+
+public void goodJwtHandler(String token) {
+    Jwts.parserBuilder()
+                .setSigningKey("someBase64EncodedKey").build()
+                .parse(plaintextJwt, new JwtHandlerAdapter<Jws<String>>() {
+                    @Override
+                    public Jws<String> onPlaintextJws(Jws<String> jws) {
+                        return jws;
+                    }
+                }); // GOOD: The handler is called on a verified JWS
+}
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.qhelp b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.qhelp
new file mode 100644
index 00000000000..4a5398f1ac5
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.qhelp
@@ -0,0 +1,39 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p> A JWT consists of three parts: header, payload, and signature.
+The <code>io.jsonwebtoken.jjwt</code> library is one of many libraries used for working with JWTs.
+It offers different methods for parsing tokens like <code>parse</code>, <code>parseClaimsJws</code>, and <code>parsePlaintextJws</code>.
+The last two correctly verify that the JWT is properly signed.
+This is done by computing the signature of the combination of header and payload and
+comparing the locally computed signature with the signature part of the JWT.
+</p>
+<p>
+Therefore it is necessary to provide the <code>JwtParser</code> with a key that is used for signature validation.
+Unfortunately the <code>parse</code> method <b>accepts</b> a JWT whose signature is empty although a signing key has been set for the parser.
+This means that an attacker can create arbitrary JWTs that will be accepted.
+</p>
+</overview>
+<recommendation>
+
+<p>Always verify the signature by using either the <code>parseClaimsJws</code> and <code>parsePlaintextJws</code> methods or
+by overriding the <code>onPlaintextJws</code> or <code>onClaimsJws</code> of <code>JwtHandlerAdapter</code>.
+</p>
+
+</recommendation>
+<example>
+
+<p>The following example shows four cases where a signing key is set for a parser.
+In the first bad case the <code>parse</code> method is used which will not validate the signature.
+The second bad case uses a <code>JwtHandlerAdapter</code> where the <code>onPlaintextJwt</code> method is overriden so it will not validate the signature.
+The third and fourth good cases use <code>parseClaimsJws</code> method or override the <code>onPlaintextJws</code> method.
+</p>
+
+<sample src="MissingJWTSignatureCheck.java" />
+
+</example>
+<references>
+<li>zofrex: <a href="https://www.zofrex.com/blog/2020/10/20/alg-none-jwt-nhs-contact-tracing-app/">How I Found An alg=none JWT Vulnerability in the NHS Contact Tracing App</a>.</li>
+</references>
+</qhelp>
\ No newline at end of file

From 10be2735ec49bf10b451858863247229608e7a1e Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Sat, 10 Apr 2021 12:12:18 +0000
Subject: [PATCH 0313/1429] Python: Get rid of `_attr` predicates

Also changes all `CfgNode`s representing calls to `CallCfgNode`s.
---
 .../src/semmle/python/frameworks/Stdlib.qll   | 158 ++++--------------
 1 file changed, 32 insertions(+), 126 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index 1941f0c4d5b..326ae8b647c 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -19,31 +19,15 @@ private module Stdlib {
   /** Gets a reference to the `os` module. */
   API::Node os() { result = API::moduleImport("os") }
 
-  /**
-   * Gets a reference to the attribute `attr_name` of the `os` module.
-   * WARNING: Only holds for a few predefined attributes.
-   *
-   * For example, using `"system"` will get all uses of `os.system`.
-   */
-  private API::Node os_attr(string attr_name) { result = os().getMember(attr_name) }
-
   /** Provides models for the `os` module. */
   module os {
     /** Gets a reference to the `os.path` module. */
-    API::Node path() { result = os_attr("path") }
+    API::Node path() { result = os().getMember("path") }
 
     /** Provides models for the `os.path` module */
     module path {
-      /**
-       * Gets a reference to the attribute `attr_name` of the `os.path` module.
-       * WARNING: Only holds for a few predefined attributes.
-       *
-       * For example, using `attr_name = "join"` will get all uses of `os.path.join`.
-       */
-      API::Node path_attr(string attr_name) { result = path().getMember(attr_name) }
-
       /** Gets a reference to the `os.path.join` function. */
-      API::Node join() { result = path_attr("join") }
+      API::Node join() { result = path().getMember("join") }
     }
   }
 
@@ -52,7 +36,7 @@ private module Stdlib {
    * See https://docs.python.org/3/library/os.path.html#os.path.normpath
    */
   private class OsPathNormpathCall extends Path::PathNormalization::Range, DataFlow::CallCfgNode {
-    OsPathNormpathCall() { this = os::path::path_attr("normpath").getACall() }
+    OsPathNormpathCall() { this = os::path().getMember("normpath").getACall() }
 
     DataFlow::Node getPathArg() {
       result.asCfgNode() in [node.getArg(0), node.getArgByName("path")]
@@ -73,10 +57,8 @@ private module Stdlib {
    * A call to `os.path.abspath`.
    * See https://docs.python.org/3/library/os.path.html#os.path.abspath
    */
-  private class OsPathAbspathCall extends Path::PathNormalization::Range, DataFlow::CfgNode {
-    override CallNode node;
-
-    OsPathAbspathCall() { this = os::path::path_attr("abspath").getACall() }
+  private class OsPathAbspathCall extends Path::PathNormalization::Range, DataFlow::CallCfgNode {
+    OsPathAbspathCall() { this = os::path().getMember("abspath").getACall() }
 
     DataFlow::Node getPathArg() {
       result.asCfgNode() in [node.getArg(0), node.getArgByName("path")]
@@ -97,10 +79,8 @@ private module Stdlib {
    * A call to `os.path.realpath`.
    * See https://docs.python.org/3/library/os.path.html#os.path.realpath
    */
-  private class OsPathRealpathCall extends Path::PathNormalization::Range, DataFlow::CfgNode {
-    override CallNode node;
-
-    OsPathRealpathCall() { this = os::path::path_attr("realpath").getACall() }
+  private class OsPathRealpathCall extends Path::PathNormalization::Range, DataFlow::CallCfgNode {
+    OsPathRealpathCall() { this = os::path().getMember("realpath").getACall() }
 
     DataFlow::Node getPathArg() {
       result.asCfgNode() in [node.getArg(0), node.getArgByName("path")]
@@ -121,10 +101,8 @@ private module Stdlib {
    * A call to `os.system`.
    * See https://docs.python.org/3/library/os.html#os.system
    */
-  private class OsSystemCall extends SystemCommandExecution::Range, DataFlow::CfgNode {
-    override CallNode node;
-
-    OsSystemCall() { this = os_attr("system").getACall() }
+  private class OsSystemCall extends SystemCommandExecution::Range, DataFlow::CallCfgNode {
+    OsSystemCall() { this = os().getMember("system").getACall() }
 
     override DataFlow::Node getCommand() { result.asCfgNode() = node.getArg(0) }
   }
@@ -137,13 +115,12 @@ private module Stdlib {
    * Although deprecated since version 2.6, they still work in 2.7.
    * See https://docs.python.org/2.7/library/os.html#os.popen2
    */
-  private class OsPopenCall extends SystemCommandExecution::Range, DataFlow::CfgNode {
-    override CallNode node;
+  private class OsPopenCall extends SystemCommandExecution::Range, DataFlow::CallCfgNode {
     string name;
 
     OsPopenCall() {
       name in ["popen", "popen2", "popen3", "popen4"] and
-      this = os_attr(name).getACall()
+      this = os().getMember(name).getACall()
     }
 
     override DataFlow::Node getCommand() {
@@ -158,13 +135,11 @@ private module Stdlib {
    * A call to any of the `os.exec*` functions
    * See https://docs.python.org/3.8/library/os.html#os.execl
    */
-  private class OsExecCall extends SystemCommandExecution::Range, DataFlow::CfgNode {
-    override CallNode node;
-
+  private class OsExecCall extends SystemCommandExecution::Range, DataFlow::CallCfgNode {
     OsExecCall() {
       exists(string name |
         name in ["execl", "execle", "execlp", "execlpe", "execv", "execve", "execvp", "execvpe"] and
-        this = os_attr(name).getACall()
+        this = os().getMember(name).getACall()
       )
     }
 
@@ -175,15 +150,13 @@ private module Stdlib {
    * A call to any of the `os.spawn*` functions
    * See https://docs.python.org/3.8/library/os.html#os.spawnl
    */
-  private class OsSpawnCall extends SystemCommandExecution::Range, DataFlow::CfgNode {
-    override CallNode node;
-
+  private class OsSpawnCall extends SystemCommandExecution::Range, DataFlow::CallCfgNode {
     OsSpawnCall() {
       exists(string name |
         name in [
             "spawnl", "spawnle", "spawnlp", "spawnlpe", "spawnv", "spawnve", "spawnvp", "spawnvpe"
           ] and
-        this = os_attr(name).getACall()
+        this = os().getMember(name).getACall()
       )
     }
 
@@ -194,10 +167,8 @@ private module Stdlib {
    * A call to any of the `os.posix_spawn*` functions
    * See https://docs.python.org/3.8/library/os.html#os.posix_spawn
    */
-  private class OsPosixSpawnCall extends SystemCommandExecution::Range, DataFlow::CfgNode {
-    override CallNode node;
-
-    OsPosixSpawnCall() { this = os_attr(["posix_spawn", "posix_spawnp"]).getACall() }
+  private class OsPosixSpawnCall extends SystemCommandExecution::Range, DataFlow::CallCfgNode {
+    OsPosixSpawnCall() { this = os().getMember(["posix_spawn", "posix_spawnp"]).getACall() }
 
     override DataFlow::Node getCommand() { result.asCfgNode() = node.getArg(0) }
   }
@@ -218,29 +189,17 @@ private module Stdlib {
   // subprocess
   // ---------------------------------------------------------------------------
   /** Gets a reference to the `subprocess` module. */
-  deprecated DataFlow::Node subprocess() { result = API::moduleImport("subprocess").getAUse() }
-
-  /**
-   * Gets a reference to the attribute `attr_name` of the `subprocess` module.
-   * WARNING: Only holds for a few predefined attributes.
-   *
-   * For example, using `attr_name = "Popen"` will get all uses of `subprocess.Popen`.
-   */
-  private DataFlow::Node subprocess_attr(string attr_name) {
-    result = API::moduleImport("subprocess").getMember(attr_name).getAUse()
-  }
+  API::Node subprocess() { result = API::moduleImport("subprocess") }
 
   /**
    * A call to `subprocess.Popen` or helper functions (call, check_call, check_output, run)
    * See https://docs.python.org/3.8/library/subprocess.html#subprocess.Popen
    */
-  private class SubprocessPopenCall extends SystemCommandExecution::Range, DataFlow::CfgNode {
-    override CallNode node;
-
+  private class SubprocessPopenCall extends SystemCommandExecution::Range, DataFlow::CallCfgNode {
     SubprocessPopenCall() {
       exists(string name |
         name in ["Popen", "call", "check_call", "check_output", "run"] and
-        node.getFunction() = subprocess_attr(name).asCfgNode()
+        this = subprocess().getMember(name).getACall()
       )
     }
 
@@ -311,17 +270,6 @@ private module Stdlib {
   // ---------------------------------------------------------------------------
   // marshal
   // ---------------------------------------------------------------------------
-  /** Gets a reference to the `marshal` module. */
-  deprecated DataFlow::Node marshal() { result = API::moduleImport("marshal").getAUse() }
-
-  /** Provides models for the `marshal` module. */
-  module marshal {
-    /** Gets a reference to the `marshal.loads` function. */
-    deprecated DataFlow::Node loads() {
-      result = API::moduleImport("marshal").getMember("loads").getAUse()
-    }
-  }
-
   /**
    * A call to `marshal.loads`
    * See https://docs.python.org/3/library/marshal.html#marshal.loads
@@ -342,9 +290,7 @@ private module Stdlib {
   // pickle
   // ---------------------------------------------------------------------------
   /** Gets a reference to the `pickle` module. */
-  DataFlow::Node pickle() {
-    result = API::moduleImport(["pickle", "cPickle", "_pickle"]).getAUse()
-  }
+  DataFlow::Node pickle() { result = API::moduleImport(["pickle", "cPickle", "_pickle"]).getAUse() }
 
   /** Provides models for the `pickle` module. */
   module pickle {
@@ -376,25 +322,15 @@ private module Stdlib {
   /** Gets a reference to the `popen2` module (only available in Python 2). */
   API::Node popen2() { result = API::moduleImport("popen2") }
 
-  /**
-   * Gets a reference to the attribute `attr_name` of the `popen2` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private API::Node popen2_attr(string attr_name) {
-    result = API::moduleImport("popen2").getMember(attr_name)
-  }
-
   /**
    * A call to any of the `popen.popen*` functions, or instantiation of a `popen.Popen*` class.
    * See https://docs.python.org/2.7/library/popen2.html
    */
-  private class Popen2PopenCall extends SystemCommandExecution::Range, DataFlow::CfgNode {
-    override CallNode node;
-
+  private class Popen2PopenCall extends SystemCommandExecution::Range, DataFlow::CallCfgNode {
     Popen2PopenCall() {
       exists(string name |
         name in ["popen2", "popen3", "popen4", "Popen3", "Popen4"] and
-        this = popen2_attr(name).getACall()
+        this = popen2().getMember(name).getACall()
       )
     }
 
@@ -409,18 +345,12 @@ private module Stdlib {
   /** Gets a reference to the `platform` module. */
   API::Node platform() { result = API::moduleImport("platform") }
 
-  /**
-   * Gets a reference to the attribute `attr_name` of the `platform` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private API::Node platform_attr(string attr_name) { result = platform().getMember(attr_name) }
-
   /**
    * A call to the `platform.popen` function.
    * See https://docs.python.org/2.7/library/platform.html#platform.popen
    */
   private class PlatformPopenCall extends SystemCommandExecution::Range, DataFlow::CallCfgNode {
-    PlatformPopenCall() { this = platform_attr("popen").getACall() }
+    PlatformPopenCall() { this = platform().getMember("popen").getACall() }
 
     override DataFlow::Node getCommand() {
       result.asCfgNode() in [node.getArg(0), node.getArgByName("cmd")]
@@ -500,12 +430,6 @@ private module Stdlib {
   /** Gets a reference to the `base64` module. */
   API::Node base64() { result = API::moduleImport("base64") }
 
-  /**
-   * Gets a reference to the attribute `attr_name` of the `base64` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private API::Node base64_attr(string attr_name) { result = base64().getMember(attr_name) }
-
   /** A call to any of the encode functions in the `base64` module. */
   private class Base64EncodeCall extends Encoding::Range, DataFlow::CallCfgNode {
     string name;
@@ -515,7 +439,7 @@ private module Stdlib {
           "b64encode", "standard_b64encode", "urlsafe_b64encode", "b32encode", "b16encode",
           "encodestring", "a85encode", "b85encode", "encodebytes"
         ] and
-      this = base64_attr(name).getACall()
+      this = base64().getMember(name).getACall()
     }
 
     override DataFlow::Node getAnInput() { result.asCfgNode() = node.getArg(0) }
@@ -547,7 +471,7 @@ private module Stdlib {
           "b64decode", "standard_b64decode", "urlsafe_b64decode", "b32decode", "b16decode",
           "decodestring", "a85decode", "b85decode", "decodebytes"
         ] and
-      this = base64_attr(name).getACall()
+      this = base64().getMember(name).getACall()
     }
 
     override predicate mayExecuteInput() { none() }
@@ -578,18 +502,12 @@ private module Stdlib {
   /** Gets a reference to the `json` module. */
   API::Node json() { result = API::moduleImport("json") }
 
-  /**
-   * Gets a reference to the attribute `attr_name` of the `json` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private API::Node json_attr(string attr_name) { result = json().getMember(attr_name) }
-
   /**
    * A call to `json.loads`
    * See https://docs.python.org/3/library/json.html#json.loads
    */
   private class JsonLoadsCall extends Decoding::Range, DataFlow::CallCfgNode {
-    JsonLoadsCall() { this = json_attr("loads").getACall() }
+    JsonLoadsCall() { this = json().getMember("loads").getACall() }
 
     override predicate mayExecuteInput() { none() }
 
@@ -605,7 +523,7 @@ private module Stdlib {
    * See https://docs.python.org/3/library/json.html#json.dumps
    */
   private class JsonDumpsCall extends Encoding::Range, DataFlow::CallCfgNode {
-    JsonDumpsCall() { this = json_attr("dumps").getACall() }
+    JsonDumpsCall() { this = json().getMember("dumps").getACall() }
 
     override DataFlow::Node getAnInput() { result.asCfgNode() = node.getArg(0) }
 
@@ -799,28 +717,16 @@ private module Stdlib {
   /** Gets a reference to the `http` module. */
   API::Node http() { result = API::moduleImport("http") }
 
-  /**
-   * Gets a reference to the attribute `attr_name` of the `http` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private API::Node http_attr(string attr_name) { result = http().getMember(attr_name) }
-
   /** Provides models for the `http` module. */
   module http {
     // -------------------------------------------------------------------------
     // http.server
     // -------------------------------------------------------------------------
     /** Gets a reference to the `http.server` module. */
-    API::Node server() { result = http_attr("server") }
+    API::Node server() { result = http().getMember("server") }
 
     /** Provides models for the `http.server` module */
     module server {
-      /**
-       * Gets a reference to the attribute `attr_name` of the `http.server` module.
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private API::Node server_attr(string attr_name) { result = server().getMember(attr_name) }
-
       /**
        * Provides models for the `http.server.BaseHTTPRequestHandler` class (Python 3 only).
        *
@@ -828,7 +734,7 @@ private module Stdlib {
        */
       module BaseHTTPRequestHandler {
         /** Gets a reference to the `http.server.BaseHTTPRequestHandler` class. */
-        API::Node classRef() { result = server_attr("BaseHTTPRequestHandler") }
+        API::Node classRef() { result = server().getMember("BaseHTTPRequestHandler") }
       }
 
       /**
@@ -838,7 +744,7 @@ private module Stdlib {
        */
       module SimpleHTTPRequestHandler {
         /** Gets a reference to the `http.server.SimpleHTTPRequestHandler` class. */
-        API::Node classRef() { result = server_attr("SimpleHTTPRequestHandler") }
+        API::Node classRef() { result = server().getMember("SimpleHTTPRequestHandler") }
       }
 
       /**
@@ -848,7 +754,7 @@ private module Stdlib {
        */
       module CGIHTTPRequestHandler {
         /** Gets a reference to the `http.server.CGIHTTPRequestHandler` class. */
-        API::Node classRef() { result = server_attr("CGIHTTPRequestHandler") }
+        API::Node classRef() { result = server().getMember("CGIHTTPRequestHandler") }
       }
     }
   }

From 17d1c77a144bd2dff785bdd9950f9668b3d1f7ab Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Mon, 12 Apr 2021 08:14:17 +0300
Subject: [PATCH 0314/1429] Update
 InsufficientControlFlowManagementAfterRefactoringTheCode.ql

---
 .../InsufficientControlFlowManagementAfterRefactoringTheCode.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
index 6b9639fe8b9..fa8780d6e45 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
@@ -44,7 +44,7 @@ class UsingWhileAfterWhile extends WhileStmt {
 }
 
 /**
- * Using arithmetic in comparison.
+ * Using arithmetic in a condition.
  */
 class UsingArithmeticInComparison extends BinaryArithmeticOperation {
   /**

From 3da88f2103406da69d287ef8880ca001e7efc084 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Mon, 12 Apr 2021 08:15:36 +0300
Subject: [PATCH 0315/1429] Update
 InsufficientControlFlowManagementAfterRefactoringTheCode.c

---
 .../InsufficientControlFlowManagementAfterRefactoringTheCode.c  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.c b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.c
index 3ba47068244..1f1f10b89cc 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.c
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.c
@@ -10,7 +10,7 @@ while(flagsLoop)
   ...
   if(flagsIf) break;
   ...
-} // GOOD: coreten cycle
+} // GOOD: correct cycle
 ...
 if(intA+intB) return 1; // BAD: possibly no comparison
 ...

From 6924c6c51c4fd8235dab112580bd5c1faa40802f Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Mon, 12 Apr 2021 08:23:06 +0300
Subject: [PATCH 0316/1429] Update test.c

---
 .../query-tests/Security/CWE/CWE-691/semmle/tests/test.c      | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c
index e2fccf58736..230b027b39b 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/test.c
@@ -20,6 +20,10 @@ void workFunction_1(char *s) {
     if(intB - intA<10) break;
     intA--;
   }while(intA>0); // BAD
+  for(intA=100; intA>0; intA--)
+  {
+    if(intB - intA<10) break;
+  }while(intA>0); // BAD
   while(intA>0)
   {
     if(intB - intA<10) break;

From feb3a8deb10231e6e042da3d33dec445a251d3e4 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Mon, 12 Apr 2021 08:23:41 +0300
Subject: [PATCH 0317/1429] Update
 InsufficientControlFlowManagementAfterRefactoringTheCode.expected

---
 ...fficientControlFlowManagementAfterRefactoringTheCode.expected | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.expected
index cc1b5cf46d8..1eca77a526f 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-691/semmle/tests/InsufficientControlFlowManagementAfterRefactoringTheCode.expected
@@ -1,3 +1,4 @@
 | test.c:15:6:15:16 | ... + ... | this expression needs your attention |
 | test.c:17:17:17:27 | ... + ... | this expression needs your attention |
 | test.c:22:10:22:15 | ... > ... | this expression needs your attention |
+| test.c:26:10:26:15 | ... > ... | this expression needs your attention |

From 02d6de81a7e5e4cee907d5b67b7757e51178294e Mon Sep 17 00:00:00 2001
From: yoff <lerchedahl@gmail.com>
Date: Mon, 12 Apr 2021 08:16:36 +0200
Subject: [PATCH 0318/1429] Apply suggestions from code review

Co-authored-by: Taus <tausbn@github.com>
---
 python/ql/src/Security/CWE-327/README.md           | 2 +-
 python/ql/src/Security/CWE-327/TlsLibraryModel.qll | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/README.md b/python/ql/src/Security/CWE-327/README.md
index 680ae56f493..f80dfd0a296 100644
--- a/python/ql/src/Security/CWE-327/README.md
+++ b/python/ql/src/Security/CWE-327/README.md
@@ -12,7 +12,7 @@ This should be kept up to date; the world is moving fast and protocols are being
 
 - `ssl.wrap_socket` is creating insecure connections, use `SSLContext.wrap_socket` instead. [link](https://docs.python.org/3/library/ssl.html#ssl.wrap_socket)
     > Deprecated since version 3.7: Since Python 3.2 and 2.7.9, it is recommended to use the `SSLContext.wrap_socket()` instead of `wrap_socket()`. The top-level function is limited and creates an insecure client socket without server name indication or hostname matching.
-- Default consteructors are fine, a fluent api is used to constrain possible protocols later.
+- Default constructors are fine, a fluent API is used to constrain possible protocols later.
 
 ## Current recomendation
 
diff --git a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
index 82c251f3f81..dfbc989150b 100644
--- a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
+++ b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
@@ -116,7 +116,7 @@ abstract class TlsLibrary extends string {
   }
 
   /** The creation of a context with an unspecific protocol version, say TLS, known to have insecure instances. */
-  DataFlow::CfgNode unspecific_context_creation(ProtocolFamily family) {
+  ContextCreation unspecific_context_creation(ProtocolFamily family) {
     result = default_context_creation()
     or
     result = specific_context_creation() and

From 036fddfdb53cdaf356422a9bdc277d024bd69ae1 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Mon, 12 Apr 2021 08:18:24 +0200
Subject: [PATCH 0319/1429] Python: `Namable` -> `Nameable`

---
 python/ql/src/Security/CWE-327/InsecureProtocol.ql | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.ql b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
index 19f6acf5512..e31bf78443b 100644
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -33,19 +33,19 @@ class ProtocolConfiguration extends DataFlow::Node {
 //
 // Note that AstNode is abstract and AstNode_ is a library class, so
 // we have to extend @py_ast_node.
-class Namable extends @py_ast_node {
-  Namable() {
+class Nameable extends @py_ast_node {
+  Nameable() {
     exists(ProtocolConfiguration protocolConfiguration |
       this = protocolConfiguration.asCfgNode().(CallNode).getFunction().getNode()
     )
     or
-    exists(Namable attr | this = attr.(Attribute).getObject())
+    exists(Nameable attr | this = attr.(Attribute).getObject())
   }
 
   string toString() { result = "AstNode" }
 }
 
-string callName(Namable call) {
+string callName(Nameable call) {
   result = call.(Name).getId()
   or
   exists(Attribute a | a = call | result = callName(a.getObject()) + "." + a.getName())

From 1b948ac2e2e44cc95d8340755f2d51bb8d4ec1c9 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Mon, 12 Apr 2021 15:44:39 +0800
Subject: [PATCH 0320/1429] Combine two Configurations into one

---
 .../Security/CWE/CWE-352/JsonpInjection.ql    |  6 +--
 .../CWE/CWE-352/JsonpInjectionLib.qll         | 51 ++++++++-----------
 2 files changed, 23 insertions(+), 34 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
index aa046e7cd2c..a02891e8a56 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -16,7 +16,7 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.deadcode.WebEntryPoints
 import DataFlow::PathGraph
 
-/** 
+/**
  * Holds if some `Filter.doFilter` method exists in the whole program that takes some user-controlled
  * input and tests it with what appears to be a token- or authentication-checking function.
  */
@@ -28,7 +28,7 @@ predicate existsFilterVerificationMethod() {
   )
 }
 
-/** 
+/**
  * Holds if somewhere in the whole program some user-controlled
  * input is tested with what appears to be a token- or authentication-checking function,
  * and `checkNode` is reachable from any function that can reach the user-controlled input source.
@@ -69,4 +69,4 @@ where
   conf.hasFlowPath(source, sink) and
   exists(JsonpInjectionFlowConfig jhfc | jhfc.hasFlowTo(sink.getNode()))
 select sink.getNode(), source, sink, "Jsonp response might include code from $@.", source.getNode(),
-  "this user input"
+  "this user input"
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index 380087cdd05..f0a1a9de81c 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -7,31 +7,11 @@ import semmle.code.java.dataflow.DataFlow3
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.spring.SpringController
 
-/** A data flow configuration tracing flow from the result of a method whose name includes token/auth/referer/origin to an if-statement condition. */
-class VerificationMethodToIfFlowConfig extends DataFlow3::Configuration {
-  VerificationMethodToIfFlowConfig() { this = "VerificationMethodToIfFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) {
-    exists(MethodAccess ma | ma instanceof BarrierGuard |
-      (
-        ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
-        or
-        ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
-      ) and
-      ma = src.asExpr()
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(IfStmt is | is.getCondition() = sink.asExpr())
-  }
-}
-
-/** Taint-tracking configuration tracing flow from untrusted inputs to an argument of a function whose result is used as an if-statement condition.
-* 
-* For example, in the context `String userControlled = request.getHeader("xyz"); boolean isGood = checkToken(userControlled); if(isGood) { ...`,
-* the flow from `checkToken`'s result to the condition of `if(isGood)` matches the configuration `VerificationMethodToIfFlowConfig` above,
-* and so the flow from `getHeader(...)` to the argument to `checkToken` matches this configuration.
+/**
+ * Taint-tracking configuration tracing flow from untrusted inputs to an argument of a function whose result is used as an if-statement condition.
+ *
+ * For example, in the context `String userControlled = request.getHeader("xyz"); boolean isGood = checkToken(userControlled); if(isGood) { ...`,
+ * the flow from `getHeader(...)` to the argument to `checkToken`, and then the flow from `checkToken`'s result to the condition of `if(isGood)`.
  */
 class VerificationMethodFlowConfig extends TaintTracking2::Configuration {
   VerificationMethodFlowConfig() { this = "VerificationMethodFlowConfig" }
@@ -39,16 +19,25 @@ class VerificationMethodFlowConfig extends TaintTracking2::Configuration {
   override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma, int i, VerificationMethodToIfFlowConfig vmtifc |
-      ma instanceof BarrierGuard
-    |
+    exists(IfStmt is, Method m | is.getEnclosingCallable() = m |
       (
-        ma.getMethod().getParameter(i).getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
+        not m.getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
+        or
+        not m.getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
+      ) and
+      sink.asExpr() = is.getCondition()
+    )
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node prod, DataFlow::Node succ) {
+    exists(MethodAccess ma |
+      (
+        ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
         or
         ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
       ) and
-      ma.getArgument(i) = sink.asExpr() and
-      vmtifc.hasFlow(exprNode(ma), _)
+      ma.getAnArgument() = prod.asExpr() and
+      ma = succ.asExpr()
     )
   }
 }

From 17c4bbbc4e80d5e4015593ef3c46347957e84c07 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 12 Apr 2021 09:57:40 +0200
Subject: [PATCH 0321/1429] allow parameters that end with "Command" in
 js/shell-command-constructed-from-input

---
 .../UnsafeShellCommandConstructionCustomizations.qll       | 7 ++++++-
 javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js | 5 +++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
index e38e2776bbc..20b69168474 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
@@ -53,7 +53,12 @@ module UnsafeShellCommandConstruction {
   class ExternalInputSource extends Source, DataFlow::ParameterNode {
     ExternalInputSource() {
       this = Exports::getALibraryInputParameter() and
-      not this.getName() = ["cmd", "command"] // looks to be on purpose.
+      not (
+        // looks to be on purpose.
+        this.getName() = ["cmd", "command"]
+        or
+        this.getName().regexpMatch(".*(Cmd|Command)$") // ends with "Cmd" or "Command"
+      )
     }
   }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
index 9c848024fc5..6b053d64366 100644
--- a/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
@@ -483,4 +483,9 @@ module.exports.splitConcat = function (name) {
 	let args = ' my name is ' + name; // NOT OK
 	let cmd = 'echo';
 	cp.exec(cmd + args);
+}
+
+module.exports.myCommand = function (myCommand) {
+	let cmd = `cd ${cwd} ; ${myCommand}`; // OK - the parameter name suggests that it is purposely a shell command.
+	cp.exec(cmd);
 }
\ No newline at end of file

From 9f91dde76fb55ecea5b6fdbb81d3e837f7dfa4e7 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Mon, 12 Apr 2021 09:58:06 +0200
Subject: [PATCH 0322/1429] Python: Update test expectation after comment

---
 .../CWE-327/InsecureProtocol.expected         | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
index 57b19cef0b1..359a8d28ba1 100644
--- a/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
+++ b/python/ql/test/query-tests/Security/CWE-327/InsecureProtocol.expected
@@ -22,18 +22,18 @@
 | ssl_fluent.py:19:14:19:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:15:15:15:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
 | ssl_fluent.py:28:14:28:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:24:15:24:53 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
 | ssl_fluent.py:37:14:37:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:33:15:33:53 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:55:14:55:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:52:15:52:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:55:14:55:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:52:15:52:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:69:14:69:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:60:12:60:43 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:69:14:69:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:99:15:99:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:69:14:69:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:60:12:60:43 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:69:14:69:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:99:15:99:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:69:14:69:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:115:5:115:11 | ControlFlowNode for context | context modification |
-| ssl_fluent.py:69:14:69:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:133:5:133:11 | ControlFlowNode for context | context modification |
-| ssl_fluent.py:75:14:75:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:60:12:60:43 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:75:14:75:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:60:12:60:43 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
-| ssl_fluent.py:95:14:95:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:93:5:93:11 | ControlFlowNode for context | context modification |
-| ssl_fluent.py:144:14:144:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:141:5:141:11 | ControlFlowNode for context | context modification |
-| ssl_fluent.py:163:14:163:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@  | ssl_fluent.py:160:5:160:11 | ControlFlowNode for context | context modification |
-| ssl_fluent.py:163:14:163:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:159:15:159:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
-| ssl_fluent.py:163:14:163:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:159:15:159:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
+| ssl_fluent.py:57:14:57:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:54:15:54:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:57:14:57:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:54:15:54:49 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:71:14:71:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:62:12:62:43 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:71:14:71:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:101:15:101:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:71:14:71:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:62:12:62:43 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:71:14:71:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:101:15:101:46 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:71:14:71:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:117:5:117:11 | ControlFlowNode for context | context modification |
+| ssl_fluent.py:71:14:71:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:135:5:135:11 | ControlFlowNode for context | context modification |
+| ssl_fluent.py:77:14:77:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:62:12:62:43 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:77:14:77:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:62:12:62:43 | ControlFlowNode for Attribute() | call to ssl.SSLContext |
+| ssl_fluent.py:97:14:97:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:95:5:95:11 | ControlFlowNode for context | context modification |
+| ssl_fluent.py:146:14:146:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:143:5:143:11 | ControlFlowNode for context | context modification |
+| ssl_fluent.py:165:14:165:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version SSLv3 allowed by $@  | ssl_fluent.py:162:5:162:11 | ControlFlowNode for context | context modification |
+| ssl_fluent.py:165:14:165:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1 allowed by $@  | ssl_fluent.py:161:15:161:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |
+| ssl_fluent.py:165:14:165:20 | ControlFlowNode for context | Insecure SSL/TLS protocol version TLSv1_1 allowed by $@  | ssl_fluent.py:161:15:161:65 | ControlFlowNode for Attribute() | call to ssl.create_default_context |

From 3ff8e010b292598e7422f294907d950e9bfb6ad2 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Mon, 12 Apr 2021 10:00:07 +0200
Subject: [PATCH 0323/1429] Python: Refactor based on review - more natural
 handling of default arguments - do not assume default construction gives a
 family - simplifies `UnspecificSSLContextCreation`

---
 python/ql/src/Security/CWE-327/PyOpenSSL.qll  |  8 ++++--
 python/ql/src/Security/CWE-327/Ssl.qll        | 25 ++++++++++---------
 .../src/Security/CWE-327/TlsLibraryModel.qll  | 22 ++++++++--------
 3 files changed, 29 insertions(+), 26 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/PyOpenSSL.qll b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
index d2cfb74b3ab..55b77386f2f 100644
--- a/python/ql/src/Security/CWE-327/PyOpenSSL.qll
+++ b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
@@ -9,8 +9,12 @@ class PyOpenSSLContextCreation extends ContextCreation {
     this = API::moduleImport("OpenSSL").getMember("SSL").getMember("Context").getACall()
   }
 
-  override DataFlow::CfgNode getProtocol() {
-    result.getNode() in [node.getArg(0), node.getArgByName("method")]
+  override string getProtocol() {
+    exists(ControlFlowNode protocolArg, PyOpenSSL pyo |
+      protocolArg in [node.getArg(0), node.getArgByName("method")]
+    |
+      protocolArg = [pyo.specific_version(result), pyo.unspecific_version(result)].asCfgNode()
+    )
   }
 }
 
diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index 2ca7dcce1f9..cb19fb8f11f 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -7,8 +7,15 @@ class SSLContextCreation extends ContextCreation {
 
   SSLContextCreation() { this = API::moduleImport("ssl").getMember("SSLContext").getACall() }
 
-  override DataFlow::CfgNode getProtocol() {
-    result.getNode() in [node.getArg(0), node.getArgByName("protocol")]
+  override string getProtocol() {
+    exists(ControlFlowNode protocolArg, Ssl ssl |
+      protocolArg in [node.getArg(0), node.getArgByName("protocol")]
+    |
+      protocolArg = [ssl.specific_version(result), ssl.unspecific_version(result)].asCfgNode()
+    )
+    or
+    not exists(node.getAnArg()) and
+    result = "TLS"
   }
 }
 
@@ -19,7 +26,7 @@ class SSLDefaultContextCreation extends ContextCreation {
 
   // Allowed insecure versions are "TLSv1" and "TLSv1_1"
   // see https://docs.python.org/3/library/ssl.html#context-creation
-  override DataFlow::CfgNode getProtocol() { none() }
+  override string getProtocol() { result = "TLS" }
 }
 
 /** Gets a reference to an `ssl.Context` instance. */
@@ -141,17 +148,10 @@ class UnspecificSSLContextCreation extends SSLContextCreation, UnspecificContext
   UnspecificSSLContextCreation() { library = "ssl" }
 
   override ProtocolVersion getUnrestriction() {
-    // Case: A protocol argument is present.
     result = UnspecificContextCreation.super.getUnrestriction() and
     // These are turned off by default
     // see https://docs.python.org/3/library/ssl.html#ssl-contexts
     not result in ["SSLv2", "SSLv3"]
-    or
-    // Case: No protocol arguemnt is present.
-    not exists(this.getProtocol()) and
-    // The default argument is TLS and the SSL versions are turned off by default since Python 3.6
-    // see https://docs.python.org/3.6/library/ssl.html#ssl.SSLContext
-    result in ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
   }
 }
 
@@ -185,8 +185,9 @@ class Ssl extends TlsLibrary {
 
   override DataFlow::CfgNode insecure_connection_creation(ProtocolVersion version) {
     result = API::moduleImport("ssl").getMember("wrap_socket").getACall() and
-    insecure_version(version).asCfgNode() =
-      result.asCfgNode().(CallNode).getArgByName("ssl_version")
+    specific_version(version).asCfgNode() =
+      result.asCfgNode().(CallNode).getArgByName("ssl_version") and
+    version.isInsecure()
   }
 
   override ConnectionCreation connection_creation() { result instanceof WrapSocketCall }
diff --git a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
index dfbc989150b..685485004b2 100644
--- a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
+++ b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
@@ -30,8 +30,8 @@ class ProtocolFamily extends string {
 
 /** The creation of a context. */
 abstract class ContextCreation extends DataFlow::CfgNode {
-  /** Gets the requested protocol if any. */
-  abstract DataFlow::CfgNode getProtocol();
+  /** Gets the protocol version or family for this context. */
+  abstract string getProtocol();
 }
 
 /** The creation of a connection from a context. */
@@ -66,7 +66,7 @@ abstract class UnspecificContextCreation extends ContextCreation, ProtocolUnrest
   TlsLibrary library;
   ProtocolFamily family;
 
-  UnspecificContextCreation() { this.getProtocol() = library.unspecific_version(family) }
+  UnspecificContextCreation() { this.getProtocol() = family }
 
   override DataFlow::CfgNode getContext() { result = this }
 
@@ -92,9 +92,8 @@ abstract class TlsLibrary extends string {
   /** The module or class holding the version constants. */
   abstract API::Node version_constants();
 
-  /** A dataflow node representing a specific protocol version, known to be insecure. */
-  DataFlow::Node insecure_version(ProtocolVersion version) {
-    version.isInsecure() and
+  /** A dataflow node representing a specific protocol version. */
+  DataFlow::Node specific_version(ProtocolVersion version) {
     result = version_constants().getMember(specific_version_name(version)).getAUse()
   }
 
@@ -111,16 +110,15 @@ abstract class TlsLibrary extends string {
 
   /** The creation of a context with a specific protocol version, known to be insecure. */
   ContextCreation insecure_context_creation(ProtocolVersion version) {
-    result = specific_context_creation() and
-    result.getProtocol() = insecure_version(version)
+    result in [specific_context_creation(), default_context_creation()] and
+    result.getProtocol() = version and
+    version.isInsecure()
   }
 
   /** The creation of a context with an unspecific protocol version, say TLS, known to have insecure instances. */
   ContextCreation unspecific_context_creation(ProtocolFamily family) {
-    result = default_context_creation()
-    or
-    result = specific_context_creation() and
-    result.(ContextCreation).getProtocol() = unspecific_version(family)
+    result in [specific_context_creation(), default_context_creation()] and
+    result.getProtocol() = family
   }
 
   /** A connection is created in an insecure manner, not from a context. */

From 91d28fb8b0f3591207ece13ae88fddbd85477f18 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Fri, 19 Mar 2021 19:32:21 +0100
Subject: [PATCH 0324/1429] cleanup in API-graphs

---
 .../ql/src/semmle/javascript/ApiGraphs.qll    | 20 ++-----------------
 1 file changed, 2 insertions(+), 18 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/ApiGraphs.qll b/javascript/ql/src/semmle/javascript/ApiGraphs.qll
index a363e472e15..96e2e93fa0b 100644
--- a/javascript/ql/src/semmle/javascript/ApiGraphs.qll
+++ b/javascript/ql/src/semmle/javascript/ApiGraphs.qll
@@ -374,15 +374,13 @@ module API {
             exists(SSA::implicitInit([nm.getModuleVariable(), nm.getExportsVariable()]))
           )
         )
-        or
-        m = any(CanonicalName n | isDefined(n)).getExternalModuleName()
       } or
       MkModuleImport(string m) {
         imports(_, m)
         or
-        m = any(CanonicalName n | isUsed(n)).getExternalModuleName()
-        or
         any(TypeAnnotation n).hasQualifiedName(m, _)
+        or
+        any(Type t).hasUnderlyingType(m, _)
       } or
       MkClassInstance(DataFlow::ClassNode cls) { cls = trackDefNode(_) and hasSemantics(cls) } or
       MkAsyncFuncResult(DataFlow::FunctionNode f) {
@@ -431,20 +429,6 @@ module API {
       )
     }
 
-    private predicate isUsed(CanonicalName n) {
-      exists(n.(TypeName).getAnAccess()) or
-      exists(n.(Namespace).getAnAccess())
-    }
-
-    private predicate isDefined(CanonicalName n) {
-      exists(ASTNode def |
-        def = n.(TypeName).getADefinition() or
-        def = n.(Namespace).getADefinition()
-      |
-        not def.isAmbient()
-      )
-    }
-
     /**
      * Holds if `rhs` is the right-hand side of a definition of a node that should have an
      * incoming edge from `base` labeled `lbl` in the API graph.

From cd57e61f658c6ada8043145d65d5b8b3fe53c901 Mon Sep 17 00:00:00 2001
From: Max Schaefer <max-schaefer@github.com>
Date: Mon, 22 Mar 2021 15:21:30 +0000
Subject: [PATCH 0325/1429] Rename `MkHasUnderlyingType` to `MkTypeUse`.

---
 javascript/ql/src/semmle/javascript/ApiGraphs.qll | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/ApiGraphs.qll b/javascript/ql/src/semmle/javascript/ApiGraphs.qll
index 96e2e93fa0b..c0d28d913f7 100644
--- a/javascript/ql/src/semmle/javascript/ApiGraphs.qll
+++ b/javascript/ql/src/semmle/javascript/ApiGraphs.qll
@@ -313,7 +313,7 @@ module API {
   module Node {
     /** Gets a node whose type has the given qualified name. */
     Node ofType(string moduleName, string exportedName) {
-      result = Impl::MkHasUnderlyingType(moduleName, exportedName).(Node).getInstance()
+      result = Impl::MkTypeUse(moduleName, exportedName).(Node).getInstance()
     }
   }
 
@@ -388,11 +388,8 @@ module API {
       } or
       MkDef(DataFlow::Node nd) { rhs(_, _, nd) } or
       MkUse(DataFlow::Node nd) { use(_, _, nd) } or
-      /**
-       * A TypeScript type, identified by name of the type-annotation.
-       * This API node is exclusively used by `API::Node::ofType`.
-       */
-      MkHasUnderlyingType(string moduleName, string exportName) {
+      /** A use of a TypeScript type. */
+      MkTypeUse(string moduleName, string exportName) {
         any(TypeAnnotation n).hasQualifiedName(moduleName, exportName)
         or
         any(Type t).hasUnderlyingType(moduleName, exportName)
@@ -406,7 +403,7 @@ module API {
     class TNonModuleDef =
       MkModuleExport or MkClassInstance or MkAsyncFuncResult or MkDef or MkSyntheticCallbackArg;
 
-    class TUse = MkModuleUse or MkModuleImport or MkUse or MkHasUnderlyingType;
+    class TUse = MkModuleUse or MkModuleImport or MkUse or MkTypeUse;
 
     private predicate hasSemantics(DataFlow::Node nd) { not nd.getTopLevel().isExterns() }
 
@@ -584,7 +581,7 @@ module API {
         )
         or
         exists(string moduleName, string exportName |
-          base = MkHasUnderlyingType(moduleName, exportName) and
+          base = MkTypeUse(moduleName, exportName) and
           lbl = Label::instance() and
           ref.(DataFlow::SourceNode).hasUnderlyingType(moduleName, exportName)
         )
@@ -823,7 +820,7 @@ module API {
       exists(string moduleName, string exportName |
         pred = MkModuleImport(moduleName) and
         lbl = Label::member(exportName) and
-        succ = MkHasUnderlyingType(moduleName, exportName)
+        succ = MkTypeUse(moduleName, exportName)
       )
       or
       exists(DataFlow::Node nd, DataFlow::FunctionNode f |

From cf5f838b13c6f8aa6f7eb7a24eed1752cc4d1a6f Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 12 Apr 2021 12:04:23 +0200
Subject: [PATCH 0326/1429] Data flow: Remove recommendation to use `unique` in
 `Node::getEnclosingCallable()`

---
 docs/ql-libraries/dataflow/dataflow.md | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/docs/ql-libraries/dataflow/dataflow.md b/docs/ql-libraries/dataflow/dataflow.md
index 3c46436a87a..ea3379f3967 100644
--- a/docs/ql-libraries/dataflow/dataflow.md
+++ b/docs/ql-libraries/dataflow/dataflow.md
@@ -98,10 +98,6 @@ Recommendations:
   also work, but the upside of `use-use` steps is that sources defined in terms
   of variable reads just work out of the box. It also makes certain
   barrier-implementations simpler.
-* A predicate `DataFlowCallable Node::getEnclosingCallable()` is required, and in
-  order to ensure appropriate join-orders, it is important that the QL compiler knows
-  that this predicate is functional. It can therefore be necessary to enclose the body
-  of this predicate in a `unique` aggregate.
 
 The shared library does not use `localFlowStep` nor `localFlow` but users of
 `DataFlow.qll` may expect the existence of `DataFlow::localFlowStep` and

From c7686b18388731b9a624b58bd36750863a672955 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 12 Apr 2021 13:01:14 +0200
Subject: [PATCH 0327/1429] C#: First try `pwsh` and then `powershell` when
 calling `dotnet-install.ps1`

---
 .../autobuilder/Semmle.Autobuild.CSharp/DotNetRule.cs  | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/csharp/autobuilder/Semmle.Autobuild.CSharp/DotNetRule.cs b/csharp/autobuilder/Semmle.Autobuild.CSharp/DotNetRule.cs
index 8787406c104..1b440aaa196 100644
--- a/csharp/autobuilder/Semmle.Autobuild.CSharp/DotNetRule.cs
+++ b/csharp/autobuilder/Semmle.Autobuild.CSharp/DotNetRule.cs
@@ -209,8 +209,9 @@ Invoke-Command -ScriptBlock $ScriptBlock";
                         var psScriptFile = builder.Actions.PathCombine(builder.Options.RootDirectory, "install-dotnet.ps1");
                         builder.Actions.WriteAllText(psScriptFile, psScript);
 
-                        var install = new CommandBuilder(builder.Actions).
-                            RunCommand("powershell").
+                        BuildScript GetInstall(string pwsh) =>
+                            new CommandBuilder(builder.Actions).
+                            RunCommand(pwsh).
                             Argument("-NoProfile").
                             Argument("-ExecutionPolicy").
                             Argument("unrestricted").
@@ -219,13 +220,14 @@ Invoke-Command -ScriptBlock $ScriptBlock";
                             Argument("-Version").
                             Argument(version).
                             Argument("-InstallDir").
-                            Argument(path);
+                            Argument(path).
+                            Script;
 
                         var removeScript = new CommandBuilder(builder.Actions).
                             RunCommand("del").
                             Argument(psScriptFile);
 
-                        return install.Script & BuildScript.Try(removeScript.Script);
+                        return (GetInstall("pwsh") | GetInstall("powershell")) & BuildScript.Try(removeScript.Script);
                     }
                     else
                     {

From 5446532e1d7de60cb4f05045fc6f37e2f323221b Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 12 Apr 2021 14:01:55 +0200
Subject: [PATCH 0328/1429] C#: Update auto-builder tests

---
 .../BuildScripts.cs                           | 35 ++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BuildScripts.cs b/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BuildScripts.cs
index 7b9f2e78881..f74e9829bc5 100644
--- a/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BuildScripts.cs
+++ b/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BuildScripts.cs
@@ -981,7 +981,7 @@ Microsoft.NETCore.App 2.1.4 [/usr/local/share/dotnet/shared/Microsoft.NETCore.Ap
         {
             actions.RunProcess["cmd.exe /C dotnet --list-sdks"] = 0;
             actions.RunProcessOut["cmd.exe /C dotnet --list-sdks"] = "2.1.3 [C:\\Program Files\\dotnet\\sdks]\n2.1.4 [C:\\Program Files\\dotnet\\sdks]";
-            actions.RunProcess[@"cmd.exe /C powershell -NoProfile -ExecutionPolicy unrestricted -file C:\Project\install-dotnet.ps1 -Version 2.1.3 -InstallDir C:\Project\.dotnet"] = 0;
+            actions.RunProcess[@"cmd.exe /C pwsh -NoProfile -ExecutionPolicy unrestricted -file C:\Project\install-dotnet.ps1 -Version 2.1.3 -InstallDir C:\Project\.dotnet"] = 0;
             actions.RunProcess[@"cmd.exe /C del C:\Project\install-dotnet.ps1"] = 0;
             actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet --info"] = 0;
             actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet clean C:\Project\test.csproj"] = 0;
@@ -1008,6 +1008,39 @@ Microsoft.NETCore.App 2.1.4 [/usr/local/share/dotnet/shared/Microsoft.NETCore.Ap
             TestAutobuilderScript(autobuilder, 0, 7);
         }
 
+        [Fact]
+        public void TestDotnetVersionWindowsNoPwsh()
+        {
+            actions.RunProcess["cmd.exe /C dotnet --list-sdks"] = 0;
+            actions.RunProcessOut["cmd.exe /C dotnet --list-sdks"] = "2.1.3 [C:\\Program Files\\dotnet\\sdks]\n2.1.4 [C:\\Program Files\\dotnet\\sdks]";
+            actions.RunProcess[@"cmd.exe /C pwsh -NoProfile -ExecutionPolicy unrestricted -file C:\Project\install-dotnet.ps1 -Version 2.1.3 -InstallDir C:\Project\.dotnet"] = 1;
+            actions.RunProcess[@"cmd.exe /C powershell -NoProfile -ExecutionPolicy unrestricted -file C:\Project\install-dotnet.ps1 -Version 2.1.3 -InstallDir C:\Project\.dotnet"] = 0;
+            actions.RunProcess[@"cmd.exe /C del C:\Project\install-dotnet.ps1"] = 0;
+            actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet --info"] = 0;
+            actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet clean C:\Project\test.csproj"] = 0;
+            actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet restore C:\Project\test.csproj"] = 0;
+            actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto C:\Project\.dotnet\dotnet build --no-incremental C:\Project\test.csproj"] = 0;
+            actions.FileExists["csharp.log"] = true;
+            actions.FileExists[@"C:\Project\test.csproj"] = true;
+            actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = "";
+            actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = "";
+            actions.GetEnvironmentVariable["PATH"] = "/bin:/usr/bin";
+            actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.cs\ntest.csproj";
+            actions.EnumerateDirectories[@"C:\Project"] = "";
+            var xml = new XmlDocument();
+            xml.LoadXml(@"<Project Sdk=""Microsoft.NET.Sdk"">
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>netcoreapp2.1</TargetFramework>
+  </PropertyGroup>
+
+</Project>");
+            actions.LoadXml[@"C:\Project\test.csproj"] = xml;
+
+            var autobuilder = CreateAutoBuilder(true, dotnetVersion: "2.1.3");
+            TestAutobuilderScript(autobuilder, 0, 8);
+        }
+
         [Fact]
         public void TestDirsProjWindows()
         {

From b4d35b52c386072c1eb8561cf4e68cc87d292b87 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 2 Mar 2021 13:22:21 +0100
Subject: [PATCH 0329/1429] C#: Add Console.Read* to local flow sources

---
 .../csharp/security/dataflow/flowsources/Local.qll | 14 ++++++++++++++
 .../CWE-134/ConsoleUncontrolledFormatString.cs     | 13 +++++++++++++
 .../CWE-134/UncontrolledFormatString.expected      |  4 ++++
 3 files changed, 31 insertions(+)
 create mode 100644 csharp/ql/test/query-tests/Security Features/CWE-134/ConsoleUncontrolledFormatString.cs

diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsources/Local.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsources/Local.qll
index e867c9be3dd..b1b0bf8df85 100644
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsources/Local.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsources/Local.qll
@@ -20,3 +20,17 @@ class TextFieldSource extends LocalUserInputSource {
 
   override string getSourceType() { result = "TextBox text" }
 }
+
+/** A call to any `System.Console.Read*` method. */
+class SystemConsoleReadSource extends LocalUserInputSource {
+  SystemConsoleReadSource() {
+    this.asExpr() =
+      any(MethodCall call |
+        call.getTarget().hasQualifiedName("System.Console", "ReadLine") or
+        call.getTarget().hasQualifiedName("System.Console", "Read") or
+        call.getTarget().hasQualifiedName("System.Console", "ReadKey")
+      )
+  }
+
+  override string getSourceType() { result = "TextBox text" }
+}
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-134/ConsoleUncontrolledFormatString.cs b/csharp/ql/test/query-tests/Security Features/CWE-134/ConsoleUncontrolledFormatString.cs
new file mode 100644
index 00000000000..c9d4440cf78
--- /dev/null
+++ b/csharp/ql/test/query-tests/Security Features/CWE-134/ConsoleUncontrolledFormatString.cs	
@@ -0,0 +1,13 @@
+using System;
+using System;
+
+public class Program
+{
+    public static void Main()
+    {
+        var format = Console.ReadLine();
+
+        // BAD: Uncontrolled format string.
+        var x = string.Format(format, 1, 2);
+    }
+}
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatString.expected b/csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatString.expected
index bc87c96b194..4923cd34e70 100644
--- a/csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatString.expected	
+++ b/csharp/ql/test/query-tests/Security Features/CWE-134/UncontrolledFormatString.expected	
@@ -1,8 +1,11 @@
 edges
+| ConsoleUncontrolledFormatString.cs:8:22:8:39 | call to method ReadLine : String | ConsoleUncontrolledFormatString.cs:11:31:11:36 | access to local variable format |
 | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString : NameValueCollection | UncontrolledFormatString.cs:14:23:14:26 | access to local variable path |
 | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString : NameValueCollection | UncontrolledFormatString.cs:17:46:17:49 | access to local variable path |
 | UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString : NameValueCollection | UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format |
 nodes
+| ConsoleUncontrolledFormatString.cs:8:22:8:39 | call to method ReadLine : String | semmle.label | call to method ReadLine : String |
+| ConsoleUncontrolledFormatString.cs:11:31:11:36 | access to local variable format | semmle.label | access to local variable format |
 | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
 | UncontrolledFormatString.cs:14:23:14:26 | access to local variable path | semmle.label | access to local variable path |
 | UncontrolledFormatString.cs:17:46:17:49 | access to local variable path | semmle.label | access to local variable path |
@@ -10,6 +13,7 @@ nodes
 | UncontrolledFormatStringBad.cs:9:25:9:47 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
 | UncontrolledFormatStringBad.cs:12:39:12:44 | access to local variable format | semmle.label | access to local variable format |
 #select
+| ConsoleUncontrolledFormatString.cs:11:31:11:36 | access to local variable format | ConsoleUncontrolledFormatString.cs:8:22:8:39 | call to method ReadLine : String | ConsoleUncontrolledFormatString.cs:11:31:11:36 | access to local variable format | $@ flows to here and is used as a format string. | ConsoleUncontrolledFormatString.cs:8:22:8:39 | call to method ReadLine | call to method ReadLine |
 | UncontrolledFormatString.cs:14:23:14:26 | access to local variable path | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString : NameValueCollection | UncontrolledFormatString.cs:14:23:14:26 | access to local variable path | $@ flows to here and is used as a format string. | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | access to property QueryString |
 | UncontrolledFormatString.cs:17:46:17:49 | access to local variable path | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString : NameValueCollection | UncontrolledFormatString.cs:17:46:17:49 | access to local variable path | $@ flows to here and is used as a format string. | UncontrolledFormatString.cs:11:23:11:45 | access to property QueryString | access to property QueryString |
 | UncontrolledFormatString.cs:34:23:34:31 | access to property Text | UncontrolledFormatString.cs:34:23:34:31 | access to property Text | UncontrolledFormatString.cs:34:23:34:31 | access to property Text | $@ flows to here and is used as a format string. | UncontrolledFormatString.cs:34:23:34:31 | access to property Text | access to property Text |

From 57016ddbde804691b73bb62519bd6884a2a76d51 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Thu, 8 Apr 2021 10:10:41 +0200
Subject: [PATCH 0330/1429] C++: Remove `unique` wrapper from
 `DataFlow::Node::getEnclosingCallable()`

---
 .../src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll   | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
index 0a6d459ec79..c644c3dd268 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -46,7 +46,7 @@ class Node extends TNode {
   /**
    * INTERNAL: Do not use. Alternative name for `getFunction`.
    */
-  final Function getEnclosingCallable() { result = unique(Function f | f = this.getFunction() | f) }
+  final Function getEnclosingCallable() { result = this.getFunction() }
 
   /** Gets the type of this node. */
   Type getType() { none() } // overridden in subclasses
@@ -715,6 +715,7 @@ private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {
 }
 
 private module FieldFlow {
+  private import DataFlowImplCommon
   private import DataFlowImplLocal
   private import DataFlowPrivate
 
@@ -747,7 +748,7 @@ private module FieldFlow {
     exists(FieldConfiguration cfg | cfg.hasFlow(node1, node2)) and
     // This configuration should not be able to cross function boundaries, but
     // we double-check here just to be sure.
-    node1.getEnclosingCallable() = node2.getEnclosingCallable()
+    getNodeEnclosingCallable(node1) = getNodeEnclosingCallable(node2)
   }
 }
 

From c281e54d22038c0d3dc28b6b344da4c954aa7747 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Mon, 12 Apr 2021 13:05:01 +0000
Subject: [PATCH 0331/1429] Remove unused files and update qldoc

---
 .../CWE-555/CredentialsInPropertiesFile.ql    | 18 +------
 .../security/CWE-555/MailConfig.java          | 11 -----
 .../security/CWE-555/PropertiesUtils.java     | 47 -------------------
 .../query-tests/security/CWE-555/options      |  1 -
 .../beans/factory/annotation/Value.java       | 11 -----
 5 files changed, 2 insertions(+), 86 deletions(-)
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-555/MailConfig.java
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-555/PropertiesUtils.java
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-555/options
 delete mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/beans/factory/annotation/Value.java

diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.ql b/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.ql
index f085317218c..d72743f3799 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.ql
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.ql
@@ -1,20 +1,6 @@
-/**
- * @name Cleartext Credentials in Properties File
- * @description Finds cleartext credentials in Java properties files.
- * @kind problem
- * @id java/credentials-in-properties
- * @tags security
- *       external/cwe/cwe-555
- *       external/cwe/cwe-256
- *       external/cwe/cwe-260
- */
-
 /*
- * Note this query requires properties files to be indexed before it can produce results.
- * If creating your own database with the CodeQL CLI, you should run
- * `codeql database index-files --language=properties ...`
- * If using lgtm.com, you should add `properties_files: true` to the index block of your
- * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction#customizing-index)
+ * Note this is similar to src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
+ * except we do not filter out test files.
  */
 
 import java
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/MailConfig.java b/java/ql/test/experimental/query-tests/security/CWE-555/MailConfig.java
deleted file mode 100644
index bef99dac3ea..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-555/MailConfig.java
+++ /dev/null
@@ -1,11 +0,0 @@
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.context.annotation.Configuration;
-
-@Configuration
-public class MailConfig {
-    @Value("${mail.password}")
-    private String mailPassword;
-
-    @Value("${mail.username}")
-    private String mailUserName;
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/PropertiesUtils.java b/java/ql/test/experimental/query-tests/security/CWE-555/PropertiesUtils.java
deleted file mode 100644
index f33ef39ee07..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-555/PropertiesUtils.java
+++ /dev/null
@@ -1,47 +0,0 @@
-import java.io.IOException;
-import java.util.Properties;
-
-public class PropertiesUtils {
-	/* Properties declaration. */ 
-	private static Properties properties;  
-
-    /** Static block to initializing the properties. */
-	static {
-		properties = new Properties();
-		try {
-			properties.load(PropertiesUtils.class.getClassLoader().getResourceAsStream("configuration.properties"));
-		} catch (IOException e) {
-			e.printStackTrace();
-		}
-	}
-
-	/** Returns the LDAP DN property value. */
-	public static String getLdapDN() {
-		return properties.getProperty("ldap.loginDN");
-	}
-    
-	/** Returns the LDAP password property value. */
-	public static String getLdapPassword() {
-		return properties.getProperty("ldap.password");
-	}
-
-	/** Returns the SQL Server username property value. */
-	public static String getMSDataSourceUserName() {
-		return properties.getProperty("datasource1.username");
-	}
-
-	/** Returns the SQL Server password property value. */
-	public static String getMSDataSourcePassword() {
-		return properties.getProperty("datasource1.password");
-	}
-    
-	/** Returns the AWS Access Key property value. */
-	public static String getAWSAccessKey() {
-		return properties.getProperty("com.example.aws.s3.access_key");
-	}
-
-	/** Returns the AWS Secret Key property value. */
-	public static String getAWSSecretKey() {
-		return properties.getProperty("com.example.aws.s3.secret_key");
-	}
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/options b/java/ql/test/experimental/query-tests/security/CWE-555/options
deleted file mode 100644
index cf3d60de0e5..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-555/options
+++ /dev/null
@@ -1 +0,0 @@
-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3
\ No newline at end of file
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/beans/factory/annotation/Value.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/beans/factory/annotation/Value.java
deleted file mode 100644
index 67c38cf5d20..00000000000
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/beans/factory/annotation/Value.java
+++ /dev/null
@@ -1,11 +0,0 @@
-package org.springframework.beans.factory.annotation;
-
-public @interface Value {
-
-	/**
-	 * The actual value expression such as <code>#{systemProperties.myProp}</code>
-	 * or property placeholder such as <code>${my.app.myProp}</code>.
-	 */
-	String value();
-
-}
\ No newline at end of file

From 172d6139e206969bb2b3030910cae5bd3a19ed34 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 12 Apr 2021 15:06:10 +0200
Subject: [PATCH 0332/1429] support all ClientRequests in
 js/disabling-certificate-validation

---
 .../CWE-295/DisablingCertificateValidation.ql |  2 +-
 .../DisablingCertificateValidation.expected   |  1 +
 .../test/query-tests/Security/CWE-295/tst2.js | 24 +++++++++++++++++++
 3 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-295/tst2.js

diff --git a/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql b/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql
index 6855ec2519d..f18ff4a3535 100644
--- a/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql
+++ b/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql
@@ -16,7 +16,7 @@ import javascript
  */
 DataFlow::ObjectLiteralNode tlsOptions() {
   exists(DataFlow::InvokeNode invk | result.flowsTo(invk.getAnArgument()) |
-    invk instanceof NodeJSLib::NodeJSClientRequest
+    invk instanceof ClientRequest
     or
     invk = DataFlow::moduleMember("https", "Agent").getAnInstantiation()
     or
diff --git a/javascript/ql/test/query-tests/Security/CWE-295/DisablingCertificateValidation.expected b/javascript/ql/test/query-tests/Security/CWE-295/DisablingCertificateValidation.expected
index d028c5b3b30..9b21e2f5d8b 100644
--- a/javascript/ql/test/query-tests/Security/CWE-295/DisablingCertificateValidation.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-295/DisablingCertificateValidation.expected
@@ -1,3 +1,4 @@
+| tst2.js:8:5:8:29 | rejectU ... : false | Disabling certificate validation is strongly discouraged. |
 | tst.js:15:3:15:27 | rejectU ... : false | Disabling certificate validation is strongly discouraged. |
 | tst.js:18:1:18:40 | process ... HORIZED | Disabling certificate validation is strongly discouraged. |
 | tst.js:21:3:21:27 | rejectU ... : false | Disabling certificate validation is strongly discouraged. |
diff --git a/javascript/ql/test/query-tests/Security/CWE-295/tst2.js b/javascript/ql/test/query-tests/Security/CWE-295/tst2.js
new file mode 100644
index 00000000000..50f5ae27714
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-295/tst2.js
@@ -0,0 +1,24 @@
+const request = require('request');
+
+let requestOptions = {
+    headers: {
+        "content-type": "application/json",
+        "accept": "application/json"
+    },
+    rejectUnauthorized: false,
+    requestCert: true,
+    agent: false
+}
+
+module.exports.post = (url, requestBody, apiContext) => {
+    Object.assign(requestOptions, {
+        body: JSON.stringify(requestBody),
+        headers : Object.assign(requestOptions.headers, apiContext)
+    })
+
+    return request.post(url, requestOptions).then((res) => {
+        return Promise.resolve(res.body);
+    }).catch((err) => {
+        return Promise.resolve(err);
+    })
+}
\ No newline at end of file

From 32737a17fb64fb1b4f57b8a4b65398607da39d30 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 12 Apr 2021 15:09:13 +0200
Subject: [PATCH 0333/1429] add change note

---
 .../change-notes/2021-04-12-disabling-certificate-validation.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 javascript/change-notes/2021-04-12-disabling-certificate-validation.md

diff --git a/javascript/change-notes/2021-04-12-disabling-certificate-validation.md b/javascript/change-notes/2021-04-12-disabling-certificate-validation.md
new file mode 100644
index 00000000000..e289c5f7276
--- /dev/null
+++ b/javascript/change-notes/2021-04-12-disabling-certificate-validation.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Disabling certificate validation" (`js/disabling-certificate-validation`) has been improved to recognize many more request libraries.

From 24de826133e685ad1bede8549661cdb4e11eef0f Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 12 Apr 2021 13:23:12 +0100
Subject: [PATCH 0334/1429] JS: Add file diagnostics errors

---
 .../ql/src/Diagnostics/ExtractionErrors.ql     | 18 ++++++++++++++++++
 .../Diagnostics/SuccessfullyExtractedFiles.ql  | 14 ++++++++++++++
 javascript/ql/src/semmle/javascript/Errors.qll |  5 +++++
 javascript/ql/src/semmle/javascript/Regexp.qll |  2 ++
 4 files changed, 39 insertions(+)
 create mode 100644 javascript/ql/src/Diagnostics/ExtractionErrors.ql
 create mode 100644 javascript/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql

diff --git a/javascript/ql/src/Diagnostics/ExtractionErrors.ql b/javascript/ql/src/Diagnostics/ExtractionErrors.ql
new file mode 100644
index 00000000000..d68fe6a2423
--- /dev/null
+++ b/javascript/ql/src/Diagnostics/ExtractionErrors.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Extraction errors
+ * @description List all extraction errors for files in the source code directory.
+ * @kind diagnostic
+ * @id js/diagnostics/extraction-errors
+ */
+
+import javascript
+
+/** Gets the SARIF severity to associate an error. */
+int getSeverity() { result = 2 }
+
+from Error error
+where
+  exists(error.getFile().getRelativePath()) and
+  error.isFatal()
+select error, "Extraction failed in " + error.getFile() + " with error " + error.getMessage(),
+  getSeverity()
diff --git a/javascript/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql b/javascript/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
new file mode 100644
index 00000000000..78fb74799e2
--- /dev/null
+++ b/javascript/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
@@ -0,0 +1,14 @@
+/**
+ * @name Successfully extracted files
+ * @description Lists all files in the source code directory that were extracted without encountering an error in the file.
+ * @kind diagnostic
+ * @id js/diagnostics/successfully-extracted-files
+ */
+
+import javascript
+
+from File f
+where
+  not exists(Error e | e.isFatal() and e.getFile() = f) and
+  exists(f.getRelativePath())
+select f, ""
diff --git a/javascript/ql/src/semmle/javascript/Errors.qll b/javascript/ql/src/semmle/javascript/Errors.qll
index f4836e53c06..271a8f9b186 100644
--- a/javascript/ql/src/semmle/javascript/Errors.qll
+++ b/javascript/ql/src/semmle/javascript/Errors.qll
@@ -10,6 +10,9 @@ abstract class Error extends Locatable {
   abstract string getMessage();
 
   override string toString() { result = getMessage() }
+
+  /** Holds if this error prevented the file from being extracted. */
+  predicate isFatal() { any() }
 }
 
 /** A JavaScript parse error encountered during extraction. */
@@ -21,4 +24,6 @@ class JSParseError extends @js_parse_error, Error {
 
   /** Gets the source text of the line this error occurs on. */
   string getLine() { js_parse_errors(this, _, _, result) }
+
+  override predicate isFatal() { not getTopLevel() instanceof Angular2::TemplateTopLevel }
 }
diff --git a/javascript/ql/src/semmle/javascript/Regexp.qll b/javascript/ql/src/semmle/javascript/Regexp.qll
index 842cf0705c7..c2e1c787303 100644
--- a/javascript/ql/src/semmle/javascript/Regexp.qll
+++ b/javascript/ql/src/semmle/javascript/Regexp.qll
@@ -827,6 +827,8 @@ class RegExpParseError extends Error, @regexp_parse_error {
   override string getMessage() { regexp_parse_errors(this, _, result) }
 
   override string toString() { result = getMessage() }
+
+  override predicate isFatal() { none() }
 }
 
 /**

From 11bf9827289b1103ead2af9f3d7c0ccc30e235c1 Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Mon, 12 Apr 2021 14:36:42 +0100
Subject: [PATCH 0335/1429] Remove superfluous linebreaks in qhelp file

---
 .../Security/CWE/CWE-094/InsecureDexLoading.qhelp           | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qhelp
index 4a5555c1390..216bdeaebf3 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qhelp
@@ -32,13 +32,11 @@ which when loaded by the app can lead to code execution.
   <references>
     <li>
       Android Documentation:
-      <a href="https://developer.android.com/training/data-storage/">Data and file storage overview</a>
-      .
+      <a href="https://developer.android.com/training/data-storage/">Data and file storage overview</a>.
     </li>
     <li>
       Android Documentation:
-      <a href="https://developer.android.com/reference/dalvik/system/DexClassLoader">DexClassLoader</a>
-      .
+      <a href="https://developer.android.com/reference/dalvik/system/DexClassLoader">DexClassLoader</a>.
     </li>
   </references>
 </qhelp>

From d7c14775bf607f92ca473d34c79bbc540b8defbc Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Mon, 12 Apr 2021 16:56:48 +0300
Subject: [PATCH 0336/1429] Update
 InsufficientControlFlowManagementAfterRefactoringTheCode.qhelp

---
 ...sufficientControlFlowManagementAfterRefactoringTheCode.qhelp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.qhelp
index 2c485dfd0cf..4167ce57d65 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.qhelp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.qhelp
@@ -3,7 +3,7 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>In some situations, after code refactoring, parts of the old constructs may remain. They are correctly accepted by the compiler, but can critically affect program execution. For example, if you switch from `do {...} while ();` to `while () {...}` with errors, you run the risk of running out of resources. These code snippets look suspicious and require the developer's attention.</p>
+<p>In some situations, after code refactoring, parts of the old constructs may remain. They are correctly accepted by the compiler, but can critically affect program execution. For example, if you switch from `do {...} while ();` to `while () {...}` forgetting to remove the old construct completely, you get `while(){...}while();` which may be vulnerable. These code snippets look suspicious and require the developer's attention.</p>
 
 
 </overview>

From 58d5ad48d56fb7556b4aae4dd8e9a97946532bf8 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Mon, 12 Apr 2021 17:00:34 +0300
Subject: [PATCH 0337/1429] Update
 InsufficientControlFlowManagementAfterRefactoringTheCode.ql

---
 ...nsufficientControlFlowManagementAfterRefactoringTheCode.ql | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
index fa8780d6e45..dc5b2225a62 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
@@ -105,7 +105,7 @@ class UsingArithmeticInComparison extends BinaryArithmeticOperation {
   }
 }
 
-from Expr exp, WhileStmt wst
+from Expr exp
 where
   exp instanceof UsingArithmeticInComparison and
   not exp.(UsingArithmeticInComparison).workingWithValue() and
@@ -114,5 +114,5 @@ where
   not exp.(UsingArithmeticInComparison).compareWithZero() and
   exp.(UsingArithmeticInComparison).compareWithOutZero()
   or
-  wst instanceof UsingWhileAfterWhile and exp = wst.getCondition()
+  exists(WhileStmt wst | wst instanceof UsingWhileAfterWhile and exp = wst.getCondition())
 select exp, "this expression needs your attention"

From 5aeaab7c6d7ff786c970b41f1bebce8c6040d838 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Mon, 12 Apr 2021 16:01:01 +0200
Subject: [PATCH 0338/1429] C++: As response to the review comments this commit
 adds a reference-to-pointer state to AddressFlow. A call to an unwrapper
 function now adds a pointer -> reference-to-pointer transition, and a
 ReferenceDereference adds a reference-to-pointer -> pointer transition.

---
 .../cpp/dataflow/internal/AddressFlow.qll     | 105 +++++++++++++++---
 .../dataflow/taint-tests/localTaint.expected  |  49 ++++----
 2 files changed, 116 insertions(+), 38 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll
index 7e76c1540e3..e179f7e8717 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll
@@ -59,8 +59,6 @@ private predicate pointerToLvalueStep(Expr pointerIn, Expr lvalueOut) {
   pointerIn = lvalueOut.(ArrayExpr).getArrayBase().getFullyConverted()
   or
   pointerIn = lvalueOut.(PointerDereferenceExpr).getOperand().getFullyConverted()
-  or
-  pointerIn = lvalueOut.(OverloadedPointerDereferenceExpr).getQualifier().getFullyConverted()
 }
 
 private predicate lvalueToPointerStep(Expr lvalueIn, Expr pointerOut) {
@@ -69,6 +67,19 @@ private predicate lvalueToPointerStep(Expr lvalueIn, Expr pointerOut) {
   lvalueIn = pointerOut.(AddressOfExpr).getOperand().getFullyConverted()
 }
 
+/**
+ * Since pointer wrappers behave as raw pointers, we treat the conversions from `lvalueToLvalueStepPure`
+ * as pointer-to-pointer steps when they involve pointer wrappers.
+ */
+private predicate pointerWrapperToPointerWrapperStep(Expr pointerIn, Expr pointerOut) {
+  pointerIn.getUnspecifiedType() instanceof PointerWrapper and
+  pointerIn.getConversion() = pointerOut and
+  pointerOut.(CStyleCast).isImplicit()
+  or
+  pointerOut.getUnspecifiedType() instanceof PointerWrapper and
+  pointerIn.getConversion() = pointerOut.(ReferenceDereferenceExpr)
+}
+
 private predicate pointerToPointerStep(Expr pointerIn, Expr pointerOut) {
   (
     pointerOut instanceof PointerAddExpr
@@ -93,35 +104,60 @@ private predicate pointerToPointerStep(Expr pointerIn, Expr pointerOut) {
   pointerIn = pointerOut.(CommaExpr).getRightOperand().getFullyConverted()
   or
   pointerIn = pointerOut.(StmtExpr).getResultExpr().getFullyConverted()
+  or
+  pointerWrapperToPointerWrapperStep(pointerIn, pointerOut)
 }
 
 private predicate lvalueToReferenceStep(Expr lvalueIn, Expr referenceOut) {
   lvalueIn.getConversion() = referenceOut.(ReferenceToExpr)
-  or
-  exists(PointerWrapper wrapper, Call call | call = referenceOut |
-    referenceOut.getUnspecifiedType() instanceof ReferenceType and
-    call = wrapper.getAnUnwrapperFunction().getACallToThisFunction() and
-    lvalueIn = call.getQualifier().getFullyConverted()
-  )
 }
 
 private predicate referenceToLvalueStep(Expr referenceIn, Expr lvalueOut) {
   referenceIn.getConversion() = lvalueOut.(ReferenceDereferenceExpr)
 }
 
+private predicate referenceToPointerToPointerStep(Expr referenceToPointerIn, Expr pointerOut) {
+  exists(CopyConstructor copy, Call call | call = pointerOut |
+    copy.getDeclaringType() instanceof PointerWrapper and
+    call.getTarget() = copy and
+    // The 0'th argument is the value being copied.
+    referenceToPointerIn = call.getArgument(0).getFullyConverted()
+  )
+  or
+  referenceToPointerIn.getConversion() = pointerOut.(ReferenceDereferenceExpr)
+}
+
+/**
+ * This predicate exists only to support "fake pointer" objects like
+ * smart pointers. We treat these as raw pointers for dataflow purposes.
+ */
+private predicate referenceToPointerToUpdate(
+  Expr referenceToPointer, Expr outer, ControlFlowNode node
+) {
+  exists(Call call |
+    node = call and
+    outer = call.getAnArgument().getFullyConverted() and
+    not stdIdentityFunction(call.getTarget()) and
+    not stdAddressOf(call.getTarget()) and
+    exists(ReferenceType rt | rt = outer.getType().stripTopLevelSpecifiers() |
+      rt.getBaseType().getUnspecifiedType() =
+        any(PointerWrapper wrapper | not wrapper.pointsToConst())
+    )
+  ) and
+  referenceToPointer = outer
+  or
+  exists(Expr pointerMid |
+    referenceToPointerToPointerStep(referenceToPointer, pointerMid) and
+    pointerToUpdate(pointerMid, outer, node)
+  )
+}
+
 private predicate referenceToPointerStep(Expr referenceIn, Expr pointerOut) {
   pointerOut =
     any(FunctionCall call |
       stdAddressOf(call.getTarget()) and
       referenceIn = call.getArgument(0).getFullyConverted()
     )
-  or
-  exists(CopyConstructor copy, Call call | call = pointerOut |
-    copy.getDeclaringType() instanceof PointerWrapper and
-    call.getTarget() = copy and
-    // The 0'th argument is the value being copied.
-    referenceIn = call.getArgument(0).getFullyConverted()
-  )
 }
 
 private predicate referenceToReferenceStep(Expr referenceIn, Expr referenceOut) {
@@ -238,6 +274,16 @@ private predicate pointerToUpdate(Expr pointer, Expr outer, ControlFlowNode node
     pointerToPointerStep(pointer, pointerMid) and
     pointerToUpdate(pointerMid, outer, node)
   )
+  or
+  exists(Expr referenceMid |
+    pointerToReferenceStep(pointer, referenceMid) and
+    referenceToUpdate(referenceMid, outer, node)
+  )
+  or
+  exists(Expr referenceToPointerMid |
+    pointerToReferenceToPointerStep(pointer, referenceToPointerMid) and
+    referenceToPointerToUpdate(referenceToPointerMid, outer, node)
+  )
 }
 
 private predicate referenceToUpdate(Expr reference, Expr outer, ControlFlowNode node) {
@@ -247,9 +293,7 @@ private predicate referenceToUpdate(Expr reference, Expr outer, ControlFlowNode
     not stdIdentityFunction(call.getTarget()) and
     not stdAddressOf(call.getTarget()) and
     exists(ReferenceType rt | rt = outer.getType().stripTopLevelSpecifiers() |
-      not rt.getBaseType().isConst() or
-      rt.getBaseType().getUnspecifiedType() =
-        any(PointerWrapper wrapper | not wrapper.pointsToConst())
+      not rt.getBaseType().isConst()
     )
   ) and
   reference = outer
@@ -270,6 +314,14 @@ private predicate referenceToUpdate(Expr reference, Expr outer, ControlFlowNode
   )
 }
 
+private predicate pointerToReferenceStep(Expr pointerIn, Expr referenceOut) {
+  exists(PointerWrapper wrapper, Call call | call = referenceOut |
+    referenceOut.getUnspecifiedType() instanceof ReferenceType and
+    call = wrapper.getAnUnwrapperFunction().getACallToThisFunction() and
+    pointerIn = call.getQualifier().getFullyConverted()
+  )
+}
+
 private predicate lvalueFromVariableAccess(VariableAccess va, Expr lvalue) {
   // Base case for non-reference types.
   lvalue = va and
@@ -331,6 +383,21 @@ private predicate referenceFromVariableAccess(VariableAccess va, Expr reference)
     lvalueFromVariableAccess(va, prev) and
     lvalueToReferenceStep(prev, reference)
   )
+  or
+  exists(Expr prev |
+    pointerFromVariableAccess(va, prev) and
+    pointerToReferenceStep(prev, reference)
+  )
+}
+
+private predicate pointerToReferenceToPointerStep(Expr pointerIn, Expr referenceToPointerOut) {
+  pointerIn.getConversion() = referenceToPointerOut.(ReferenceToExpr)
+  or
+  exists(PointerWrapper wrapper, Call call | call = referenceToPointerOut |
+    referenceToPointerOut.getUnspecifiedType() instanceof ReferenceType and
+    call = wrapper.getAnUnwrapperFunction().getACallToThisFunction() and
+    pointerIn = call.getQualifier().getFullyConverted()
+  )
 }
 
 /**
@@ -351,6 +418,8 @@ predicate valueToUpdate(Expr inner, Expr outer, ControlFlowNode node) {
     pointerToUpdate(inner, outer, node)
     or
     referenceToUpdate(inner, outer, node)
+    or
+    referenceToPointerToUpdate(inner, outer, node)
   ) and
   (
     inner instanceof VariableAccess and
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index 50d5070a144..90a494de6f8 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -948,12 +948,16 @@
 | map.cpp:170:23:170:28 | call to source | map.cpp:170:7:170:30 | ... = ... |  |
 | map.cpp:171:7:171:9 | m10 | map.cpp:171:10:171:10 | call to operator[] | TAINT |
 | map.cpp:171:7:171:9 | ref arg m10 | map.cpp:252:1:252:1 | m10 |  |
+| map.cpp:171:10:171:10 | ref arg call to operator[] | map.cpp:171:7:171:9 | ref arg m10 | TAINT |
 | map.cpp:172:7:172:9 | m11 | map.cpp:172:10:172:10 | call to operator[] | TAINT |
 | map.cpp:172:7:172:9 | ref arg m11 | map.cpp:252:1:252:1 | m11 |  |
+| map.cpp:172:10:172:10 | ref arg call to operator[] | map.cpp:172:7:172:9 | ref arg m11 | TAINT |
 | map.cpp:173:7:173:9 | m12 | map.cpp:173:10:173:10 | call to operator[] | TAINT |
 | map.cpp:173:7:173:9 | ref arg m12 | map.cpp:252:1:252:1 | m12 |  |
+| map.cpp:173:10:173:10 | ref arg call to operator[] | map.cpp:173:7:173:9 | ref arg m12 | TAINT |
 | map.cpp:174:7:174:9 | m13 | map.cpp:174:10:174:10 | call to operator[] | TAINT |
 | map.cpp:174:7:174:9 | ref arg m13 | map.cpp:252:1:252:1 | m13 |  |
+| map.cpp:174:10:174:10 | ref arg call to operator[] | map.cpp:174:7:174:9 | ref arg m13 | TAINT |
 | map.cpp:177:27:177:29 | call to map | map.cpp:178:2:178:4 | m14 |  |
 | map.cpp:177:27:177:29 | call to map | map.cpp:179:2:179:4 | m14 |  |
 | map.cpp:177:27:177:29 | call to map | map.cpp:180:2:180:4 | m14 |  |
@@ -1651,12 +1655,16 @@
 | map.cpp:322:23:322:28 | call to source | map.cpp:322:7:322:30 | ... = ... |  |
 | map.cpp:323:7:323:9 | m10 | map.cpp:323:10:323:10 | call to operator[] | TAINT |
 | map.cpp:323:7:323:9 | ref arg m10 | map.cpp:438:1:438:1 | m10 |  |
+| map.cpp:323:10:323:10 | ref arg call to operator[] | map.cpp:323:7:323:9 | ref arg m10 | TAINT |
 | map.cpp:324:7:324:9 | m11 | map.cpp:324:10:324:10 | call to operator[] | TAINT |
 | map.cpp:324:7:324:9 | ref arg m11 | map.cpp:438:1:438:1 | m11 |  |
+| map.cpp:324:10:324:10 | ref arg call to operator[] | map.cpp:324:7:324:9 | ref arg m11 | TAINT |
 | map.cpp:325:7:325:9 | m12 | map.cpp:325:10:325:10 | call to operator[] | TAINT |
 | map.cpp:325:7:325:9 | ref arg m12 | map.cpp:438:1:438:1 | m12 |  |
+| map.cpp:325:10:325:10 | ref arg call to operator[] | map.cpp:325:7:325:9 | ref arg m12 | TAINT |
 | map.cpp:326:7:326:9 | m13 | map.cpp:326:10:326:10 | call to operator[] | TAINT |
 | map.cpp:326:7:326:9 | ref arg m13 | map.cpp:438:1:438:1 | m13 |  |
+| map.cpp:326:10:326:10 | ref arg call to operator[] | map.cpp:326:7:326:9 | ref arg m13 | TAINT |
 | map.cpp:329:37:329:39 | call to unordered_map | map.cpp:330:2:330:4 | m14 |  |
 | map.cpp:329:37:329:39 | call to unordered_map | map.cpp:331:2:331:4 | m14 |  |
 | map.cpp:329:37:329:39 | call to unordered_map | map.cpp:332:2:332:4 | m14 |  |
@@ -2447,6 +2455,9 @@
 | set.cpp:55:40:55:41 | ref arg i1 | set.cpp:55:24:55:25 | i1 |  |
 | set.cpp:55:40:55:41 | ref arg i1 | set.cpp:55:40:55:41 | i1 |  |
 | set.cpp:55:40:55:41 | ref arg i1 | set.cpp:57:9:57:10 | i1 |  |
+| set.cpp:57:8:57:8 | ref arg call to operator* | set.cpp:55:30:55:31 | s1 |  |
+| set.cpp:57:8:57:8 | ref arg call to operator* | set.cpp:57:9:57:10 | ref arg i1 | TAINT |
+| set.cpp:57:8:57:8 | ref arg call to operator* | set.cpp:126:1:126:1 | s1 |  |
 | set.cpp:57:9:57:10 | i1 | set.cpp:57:8:57:8 | call to operator* | TAINT |
 | set.cpp:57:9:57:10 | ref arg i1 | set.cpp:55:24:55:25 | i1 |  |
 | set.cpp:57:9:57:10 | ref arg i1 | set.cpp:55:40:55:41 | i1 |  |
@@ -2465,6 +2476,9 @@
 | set.cpp:59:40:59:41 | ref arg i2 | set.cpp:59:24:59:25 | i2 |  |
 | set.cpp:59:40:59:41 | ref arg i2 | set.cpp:59:40:59:41 | i2 |  |
 | set.cpp:59:40:59:41 | ref arg i2 | set.cpp:61:9:61:10 | i2 |  |
+| set.cpp:61:8:61:8 | ref arg call to operator* | set.cpp:59:30:59:31 | s2 |  |
+| set.cpp:61:8:61:8 | ref arg call to operator* | set.cpp:61:9:61:10 | ref arg i2 | TAINT |
+| set.cpp:61:8:61:8 | ref arg call to operator* | set.cpp:126:1:126:1 | s2 |  |
 | set.cpp:61:9:61:10 | i2 | set.cpp:61:8:61:8 | call to operator* | TAINT |
 | set.cpp:61:9:61:10 | ref arg i2 | set.cpp:59:24:59:25 | i2 |  |
 | set.cpp:61:9:61:10 | ref arg i2 | set.cpp:59:40:59:41 | i2 |  |
@@ -2951,6 +2965,9 @@
 | set.cpp:169:40:169:41 | ref arg i1 | set.cpp:169:24:169:25 | i1 |  |
 | set.cpp:169:40:169:41 | ref arg i1 | set.cpp:169:40:169:41 | i1 |  |
 | set.cpp:169:40:169:41 | ref arg i1 | set.cpp:171:9:171:10 | i1 |  |
+| set.cpp:171:8:171:8 | ref arg call to operator* | set.cpp:169:30:169:31 | s1 |  |
+| set.cpp:171:8:171:8 | ref arg call to operator* | set.cpp:171:9:171:10 | ref arg i1 | TAINT |
+| set.cpp:171:8:171:8 | ref arg call to operator* | set.cpp:238:1:238:1 | s1 |  |
 | set.cpp:171:9:171:10 | i1 | set.cpp:171:8:171:8 | call to operator* | TAINT |
 | set.cpp:171:9:171:10 | ref arg i1 | set.cpp:169:24:169:25 | i1 |  |
 | set.cpp:171:9:171:10 | ref arg i1 | set.cpp:169:40:169:41 | i1 |  |
@@ -2969,6 +2986,9 @@
 | set.cpp:173:40:173:41 | ref arg i2 | set.cpp:173:24:173:25 | i2 |  |
 | set.cpp:173:40:173:41 | ref arg i2 | set.cpp:173:40:173:41 | i2 |  |
 | set.cpp:173:40:173:41 | ref arg i2 | set.cpp:175:9:175:10 | i2 |  |
+| set.cpp:175:8:175:8 | ref arg call to operator* | set.cpp:173:30:173:31 | s2 |  |
+| set.cpp:175:8:175:8 | ref arg call to operator* | set.cpp:175:9:175:10 | ref arg i2 | TAINT |
+| set.cpp:175:8:175:8 | ref arg call to operator* | set.cpp:238:1:238:1 | s2 |  |
 | set.cpp:175:9:175:10 | i2 | set.cpp:175:8:175:8 | call to operator* | TAINT |
 | set.cpp:175:9:175:10 | ref arg i2 | set.cpp:173:24:173:25 | i2 |  |
 | set.cpp:175:9:175:10 | ref arg i2 | set.cpp:173:40:173:41 | i2 |  |
@@ -3223,7 +3243,7 @@
 | smart_pointer.cpp:11:30:11:50 | call to make_shared | smart_pointer.cpp:12:11:12:11 | p |  |
 | smart_pointer.cpp:11:30:11:50 | call to make_shared | smart_pointer.cpp:13:10:13:10 | p |  |
 | smart_pointer.cpp:11:52:11:57 | call to source | smart_pointer.cpp:11:30:11:50 | call to make_shared | TAINT |
-| smart_pointer.cpp:12:11:12:11 | p | smart_pointer.cpp:12:10:12:10 | call to operator* |  |
+| smart_pointer.cpp:12:11:12:11 | p | smart_pointer.cpp:12:10:12:10 | call to operator* | TAINT |
 | smart_pointer.cpp:12:11:12:11 | ref arg p | smart_pointer.cpp:13:10:13:10 | p |  |
 | smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:18:11:18:11 | p |  |
 | smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:19:10:19:10 | p |  |
@@ -3235,7 +3255,7 @@
 | smart_pointer.cpp:23:30:23:50 | call to make_unique | smart_pointer.cpp:24:11:24:11 | p |  |
 | smart_pointer.cpp:23:30:23:50 | call to make_unique | smart_pointer.cpp:25:10:25:10 | p |  |
 | smart_pointer.cpp:23:52:23:57 | call to source | smart_pointer.cpp:23:30:23:50 | call to make_unique | TAINT |
-| smart_pointer.cpp:24:11:24:11 | p | smart_pointer.cpp:24:10:24:10 | call to operator* |  |
+| smart_pointer.cpp:24:11:24:11 | p | smart_pointer.cpp:24:10:24:10 | call to operator* | TAINT |
 | smart_pointer.cpp:24:11:24:11 | ref arg p | smart_pointer.cpp:25:10:25:10 | p |  |
 | smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:30:11:30:11 | p |  |
 | smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:31:10:31:10 | p |  |
@@ -3251,13 +3271,13 @@
 | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:38:10:38:10 | p |  |
 | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:39:11:39:11 | p |  |
 | smart_pointer.cpp:37:5:37:17 | ... = ... | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] |  |
-| smart_pointer.cpp:37:6:37:6 | p | smart_pointer.cpp:37:5:37:5 | call to operator* |  |
+| smart_pointer.cpp:37:6:37:6 | p | smart_pointer.cpp:37:5:37:5 | call to operator* | TAINT |
 | smart_pointer.cpp:37:6:37:6 | ref arg p | smart_pointer.cpp:37:6:37:6 | p [inner post update] |  |
 | smart_pointer.cpp:37:6:37:6 | ref arg p | smart_pointer.cpp:38:10:38:10 | p |  |
 | smart_pointer.cpp:37:6:37:6 | ref arg p | smart_pointer.cpp:39:11:39:11 | p |  |
 | smart_pointer.cpp:37:10:37:15 | call to source | smart_pointer.cpp:37:5:37:17 | ... = ... |  |
 | smart_pointer.cpp:38:10:38:10 | ref arg p | smart_pointer.cpp:39:11:39:11 | p |  |
-| smart_pointer.cpp:39:11:39:11 | p | smart_pointer.cpp:39:10:39:10 | call to operator* |  |
+| smart_pointer.cpp:39:11:39:11 | p | smart_pointer.cpp:39:10:39:10 | call to operator* | TAINT |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:45:6:45:6 | p |  |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:46:10:46:10 | p |  |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:47:11:47:11 | p |  |
@@ -3265,13 +3285,13 @@
 | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:46:10:46:10 | p |  |
 | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:47:11:47:11 | p |  |
 | smart_pointer.cpp:45:5:45:17 | ... = ... | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] |  |
-| smart_pointer.cpp:45:6:45:6 | p | smart_pointer.cpp:45:5:45:5 | call to operator* |  |
+| smart_pointer.cpp:45:6:45:6 | p | smart_pointer.cpp:45:5:45:5 | call to operator* | TAINT |
 | smart_pointer.cpp:45:6:45:6 | ref arg p | smart_pointer.cpp:45:6:45:6 | p [inner post update] |  |
 | smart_pointer.cpp:45:6:45:6 | ref arg p | smart_pointer.cpp:46:10:46:10 | p |  |
 | smart_pointer.cpp:45:6:45:6 | ref arg p | smart_pointer.cpp:47:11:47:11 | p |  |
 | smart_pointer.cpp:45:10:45:15 | call to source | smart_pointer.cpp:45:5:45:17 | ... = ... |  |
 | smart_pointer.cpp:46:10:46:10 | ref arg p | smart_pointer.cpp:47:11:47:11 | p |  |
-| smart_pointer.cpp:47:11:47:11 | p | smart_pointer.cpp:47:10:47:10 | call to operator* |  |
+| smart_pointer.cpp:47:11:47:11 | p | smart_pointer.cpp:47:10:47:10 | call to operator* | TAINT |
 | smart_pointer.cpp:51:30:51:50 | call to make_shared | smart_pointer.cpp:52:10:52:10 | p |  |
 | smart_pointer.cpp:51:52:51:57 | call to source | smart_pointer.cpp:51:30:51:50 | call to make_shared | TAINT |
 | smart_pointer.cpp:52:10:52:10 | p | smart_pointer.cpp:52:12:52:14 | call to get |  |
@@ -3292,7 +3312,7 @@
 | smart_pointer.cpp:71:3:71:3 | call to operator* [post update] | smart_pointer.cpp:70:37:70:39 | ptr |  |
 | smart_pointer.cpp:71:3:71:3 | call to operator* [post update] | smart_pointer.cpp:71:4:71:6 | ptr [inner post update] |  |
 | smart_pointer.cpp:71:3:71:17 | ... = ... | smart_pointer.cpp:71:3:71:3 | call to operator* [post update] |  |
-| smart_pointer.cpp:71:4:71:6 | ptr | smart_pointer.cpp:71:3:71:3 | call to operator* |  |
+| smart_pointer.cpp:71:4:71:6 | ptr | smart_pointer.cpp:71:3:71:3 | call to operator* | TAINT |
 | smart_pointer.cpp:71:4:71:6 | ref arg ptr | smart_pointer.cpp:70:37:70:39 | ptr |  |
 | smart_pointer.cpp:71:4:71:6 | ref arg ptr | smart_pointer.cpp:71:4:71:6 | ptr [inner post update] |  |
 | smart_pointer.cpp:71:10:71:15 | call to source | smart_pointer.cpp:71:3:71:17 | ... = ... |  |
@@ -3303,7 +3323,7 @@
 | smart_pointer.cpp:76:13:76:13 | ref arg call to shared_ptr | smart_pointer.cpp:77:9:77:9 | p |  |
 | smart_pointer.cpp:76:13:76:13 | ref arg p | smart_pointer.cpp:76:13:76:13 | p [inner post update] |  |
 | smart_pointer.cpp:76:13:76:13 | ref arg p | smart_pointer.cpp:77:9:77:9 | p |  |
-| smart_pointer.cpp:77:9:77:9 | p | smart_pointer.cpp:77:8:77:8 | call to operator* |  |
+| smart_pointer.cpp:77:9:77:9 | p | smart_pointer.cpp:77:8:77:8 | call to operator* | TAINT |
 | smart_pointer.cpp:86:45:86:45 | p | smart_pointer.cpp:86:45:86:45 | p |  |
 | smart_pointer.cpp:86:45:86:45 | p | smart_pointer.cpp:87:3:87:3 | p |  |
 | smart_pointer.cpp:86:45:86:45 | p | smart_pointer.cpp:88:8:88:8 | p |  |
@@ -3372,7 +3392,7 @@
 | smart_pointer.cpp:121:3:121:3 | call to operator* [post update] | smart_pointer.cpp:120:48:120:50 | ptr |  |
 | smart_pointer.cpp:121:3:121:3 | call to operator* [post update] | smart_pointer.cpp:121:4:121:6 | ptr [inner post update] |  |
 | smart_pointer.cpp:121:3:121:17 | ... = ... | smart_pointer.cpp:121:3:121:3 | call to operator* [post update] |  |
-| smart_pointer.cpp:121:4:121:6 | ptr | smart_pointer.cpp:121:3:121:3 | call to operator* |  |
+| smart_pointer.cpp:121:4:121:6 | ptr | smart_pointer.cpp:121:3:121:3 | call to operator* | TAINT |
 | smart_pointer.cpp:121:4:121:6 | ref arg ptr | smart_pointer.cpp:120:48:120:50 | ptr |  |
 | smart_pointer.cpp:121:4:121:6 | ref arg ptr | smart_pointer.cpp:121:4:121:6 | ptr [inner post update] |  |
 | smart_pointer.cpp:121:10:121:15 | call to source | smart_pointer.cpp:121:3:121:17 | ... = ... |  |
@@ -3409,7 +3429,6 @@
 | smart_pointer.cpp:129:9:129:9 | call to operator* | smart_pointer.cpp:129:8:129:8 | call to operator* | TAINT |
 | smart_pointer.cpp:129:9:129:9 | ref arg call to operator* | smart_pointer.cpp:124:90:124:91 | p2 |  |
 | smart_pointer.cpp:129:9:129:9 | ref arg call to operator* | smart_pointer.cpp:129:10:129:11 | p2 [inner post update] |  |
-| smart_pointer.cpp:129:10:129:11 | p2 | smart_pointer.cpp:129:8:129:8 | call to operator* |  |
 | smart_pointer.cpp:129:10:129:11 | p2 | smart_pointer.cpp:129:9:129:9 | call to operator* | TAINT |
 | smart_pointer.cpp:129:10:129:11 | ref arg p2 | smart_pointer.cpp:124:90:124:91 | p2 |  |
 | smart_pointer.cpp:129:10:129:11 | ref arg p2 | smart_pointer.cpp:129:10:129:11 | p2 [inner post update] |  |
@@ -3437,7 +3456,6 @@
 | smart_pointer.cpp:137:9:137:9 | call to operator* | smart_pointer.cpp:137:8:137:8 | call to operator* | TAINT |
 | smart_pointer.cpp:137:9:137:9 | ref arg call to operator* | smart_pointer.cpp:132:95:132:96 | p2 |  |
 | smart_pointer.cpp:137:9:137:9 | ref arg call to operator* | smart_pointer.cpp:137:10:137:11 | p2 [inner post update] |  |
-| smart_pointer.cpp:137:10:137:11 | p2 | smart_pointer.cpp:137:8:137:8 | call to operator* |  |
 | smart_pointer.cpp:137:10:137:11 | p2 | smart_pointer.cpp:137:9:137:9 | call to operator* | TAINT |
 | smart_pointer.cpp:137:10:137:11 | ref arg p2 | smart_pointer.cpp:132:95:132:96 | p2 |  |
 | smart_pointer.cpp:137:10:137:11 | ref arg p2 | smart_pointer.cpp:137:10:137:11 | p2 [inner post update] |  |
@@ -3476,26 +3494,20 @@
 | standalone_iterators.cpp:85:35:85:36 | c1 | standalone_iterators.cpp:85:38:85:42 | call to begin | TAINT |
 | standalone_iterators.cpp:85:35:85:36 | ref arg c1 | standalone_iterators.cpp:87:10:87:11 | c1 |  |
 | standalone_iterators.cpp:85:38:85:42 | call to begin | standalone_iterators.cpp:86:6:86:7 | i1 |  |
-| standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | standalone_iterators.cpp:86:8:86:8 | call to operator-- [inner post update] |  |
 | standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | standalone_iterators.cpp:86:8:86:8 | ref arg call to operator-- | TAINT |
 | standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | standalone_iterators.cpp:87:10:87:11 | c1 |  |
 | standalone_iterators.cpp:86:6:86:7 | i1 | standalone_iterators.cpp:86:8:86:8 | call to operator-- |  |
 | standalone_iterators.cpp:86:8:86:8 | call to operator-- | standalone_iterators.cpp:86:5:86:5 | call to operator* | TAINT |
-| standalone_iterators.cpp:86:8:86:8 | call to operator-- [inner post update] | standalone_iterators.cpp:86:6:86:7 | ref arg i1 |  |
 | standalone_iterators.cpp:86:8:86:8 | ref arg call to operator-- | standalone_iterators.cpp:86:6:86:7 | ref arg i1 |  |
-| standalone_iterators.cpp:86:8:86:8 | ref arg call to operator-- | standalone_iterators.cpp:86:8:86:8 | call to operator-- [inner post update] |  |
 | standalone_iterators.cpp:86:13:86:18 | call to source | standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | TAINT |
 | standalone_iterators.cpp:89:35:89:36 | c2 | standalone_iterators.cpp:89:38:89:42 | call to begin | TAINT |
 | standalone_iterators.cpp:89:35:89:36 | ref arg c2 | standalone_iterators.cpp:91:10:91:11 | c2 |  |
 | standalone_iterators.cpp:89:38:89:42 | call to begin | standalone_iterators.cpp:90:6:90:7 | i2 |  |
-| standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | standalone_iterators.cpp:90:8:90:8 | call to operator-- [inner post update] |  |
 | standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | standalone_iterators.cpp:90:8:90:8 | ref arg call to operator-- | TAINT |
 | standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | standalone_iterators.cpp:91:10:91:11 | c2 |  |
 | standalone_iterators.cpp:90:6:90:7 | i2 | standalone_iterators.cpp:90:8:90:8 | call to operator-- |  |
 | standalone_iterators.cpp:90:8:90:8 | call to operator-- | standalone_iterators.cpp:90:5:90:5 | call to operator* | TAINT |
-| standalone_iterators.cpp:90:8:90:8 | call to operator-- [inner post update] | standalone_iterators.cpp:90:6:90:7 | ref arg i2 |  |
 | standalone_iterators.cpp:90:8:90:8 | ref arg call to operator-- | standalone_iterators.cpp:90:6:90:7 | ref arg i2 |  |
-| standalone_iterators.cpp:90:8:90:8 | ref arg call to operator-- | standalone_iterators.cpp:90:8:90:8 | call to operator-- [inner post update] |  |
 | standalone_iterators.cpp:90:13:90:13 | 0 | standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | TAINT |
 | standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:101:6:101:7 | c1 |  |
 | standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:102:6:102:7 | c1 |  |
@@ -3513,13 +3525,10 @@
 | standalone_iterators.cpp:102:6:102:7 | ref arg c1 | standalone_iterators.cpp:109:7:109:8 | c1 |  |
 | standalone_iterators.cpp:102:9:102:13 | call to begin | standalone_iterators.cpp:102:2:102:15 | ... = ... |  |
 | standalone_iterators.cpp:102:9:102:13 | call to begin | standalone_iterators.cpp:107:7:107:7 | b |  |
-| standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:103:3:103:3 | a [inner post update] |  |
 | standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:103:3:103:3 | ref arg a | TAINT |
-| standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:104:7:104:7 | a |  |
 | standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:106:6:106:7 | c1 |  |
 | standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:109:7:109:8 | c1 |  |
 | standalone_iterators.cpp:103:3:103:3 | a | standalone_iterators.cpp:103:2:103:2 | call to operator* | TAINT |
-| standalone_iterators.cpp:103:3:103:3 | ref arg a | standalone_iterators.cpp:103:3:103:3 | a [inner post update] |  |
 | standalone_iterators.cpp:103:3:103:3 | ref arg a | standalone_iterators.cpp:104:7:104:7 | a |  |
 | standalone_iterators.cpp:103:7:103:12 | call to source | standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | TAINT |
 | standalone_iterators.cpp:104:7:104:7 | a [post update] | standalone_iterators.cpp:106:6:106:7 | c1 |  |

From d2fad180f88aaad1bcb3a27055653a6f67838458 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 12 Apr 2021 15:07:45 +0100
Subject: [PATCH 0339/1429] JS: Add test

---
 .../ql/test/query-tests/Diagnostics/ExtractionErrors.expected | 4 ++++
 .../ql/test/query-tests/Diagnostics/ExtractionErrors.qlref    | 1 +
 .../Diagnostics/SuccessfullyExtractedFiles.expected           | 4 ++++
 .../query-tests/Diagnostics/SuccessfullyExtractedFiles.qlref  | 1 +
 javascript/ql/test/query-tests/Diagnostics/bad1.js            | 1 +
 javascript/ql/test/query-tests/Diagnostics/bad2.ts            | 1 +
 javascript/ql/test/query-tests/Diagnostics/bad3.html          | 3 +++
 .../ql/test/query-tests/Diagnostics/contains-template.js      | 4 ++++
 javascript/ql/test/query-tests/Diagnostics/good1.js           | 1 +
 javascript/ql/test/query-tests/Diagnostics/good2.ts           | 1 +
 javascript/ql/test/query-tests/Diagnostics/good3.html         | 3 +++
 javascript/ql/test/query-tests/Diagnostics/options            | 1 +
 12 files changed, 25 insertions(+)
 create mode 100644 javascript/ql/test/query-tests/Diagnostics/ExtractionErrors.expected
 create mode 100644 javascript/ql/test/query-tests/Diagnostics/ExtractionErrors.qlref
 create mode 100644 javascript/ql/test/query-tests/Diagnostics/SuccessfullyExtractedFiles.expected
 create mode 100644 javascript/ql/test/query-tests/Diagnostics/SuccessfullyExtractedFiles.qlref
 create mode 100644 javascript/ql/test/query-tests/Diagnostics/bad1.js
 create mode 100644 javascript/ql/test/query-tests/Diagnostics/bad2.ts
 create mode 100644 javascript/ql/test/query-tests/Diagnostics/bad3.html
 create mode 100644 javascript/ql/test/query-tests/Diagnostics/contains-template.js
 create mode 100644 javascript/ql/test/query-tests/Diagnostics/good1.js
 create mode 100644 javascript/ql/test/query-tests/Diagnostics/good2.ts
 create mode 100644 javascript/ql/test/query-tests/Diagnostics/good3.html
 create mode 100644 javascript/ql/test/query-tests/Diagnostics/options

diff --git a/javascript/ql/test/query-tests/Diagnostics/ExtractionErrors.expected b/javascript/ql/test/query-tests/Diagnostics/ExtractionErrors.expected
new file mode 100644
index 00000000000..b9f23c1be79
--- /dev/null
+++ b/javascript/ql/test/query-tests/Diagnostics/ExtractionErrors.expected
@@ -0,0 +1,4 @@
+| bad1.js:1:7:1:7 | Error: Unexpected token | Extraction failed in bad1.js with error Error: Unexpected token | 2 |
+| bad2.ts:1:11:1:11 | Error: Expression expected. | Extraction failed in bad2.ts with error Error: Expression expected. | 2 |
+| bad2.ts:1:13:1:13 | Error: Expression expected. | Extraction failed in bad2.ts with error Error: Expression expected. | 2 |
+| bad3.html:2:11:2:11 | Error: Unexpected token | Extraction failed in bad3.html with error Error: Unexpected token | 2 |
diff --git a/javascript/ql/test/query-tests/Diagnostics/ExtractionErrors.qlref b/javascript/ql/test/query-tests/Diagnostics/ExtractionErrors.qlref
new file mode 100644
index 00000000000..5e501b2469d
--- /dev/null
+++ b/javascript/ql/test/query-tests/Diagnostics/ExtractionErrors.qlref
@@ -0,0 +1 @@
+Diagnostics/ExtractionErrors.ql
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Diagnostics/SuccessfullyExtractedFiles.expected b/javascript/ql/test/query-tests/Diagnostics/SuccessfullyExtractedFiles.expected
new file mode 100644
index 00000000000..493e7abac8b
--- /dev/null
+++ b/javascript/ql/test/query-tests/Diagnostics/SuccessfullyExtractedFiles.expected
@@ -0,0 +1,4 @@
+| contains-template.js:0:0:0:0 | contains-template.js |  |
+| good1.js:0:0:0:0 | good1.js |  |
+| good2.ts:0:0:0:0 | good2.ts |  |
+| good3.html:0:0:0:0 | good3.html |  |
diff --git a/javascript/ql/test/query-tests/Diagnostics/SuccessfullyExtractedFiles.qlref b/javascript/ql/test/query-tests/Diagnostics/SuccessfullyExtractedFiles.qlref
new file mode 100644
index 00000000000..c797180b20f
--- /dev/null
+++ b/javascript/ql/test/query-tests/Diagnostics/SuccessfullyExtractedFiles.qlref
@@ -0,0 +1 @@
+Diagnostics/SuccessfullyExtractedFiles.ql
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Diagnostics/bad1.js b/javascript/ql/test/query-tests/Diagnostics/bad1.js
new file mode 100644
index 00000000000..e0fad94a6c1
--- /dev/null
+++ b/javascript/ql/test/query-tests/Diagnostics/bad1.js
@@ -0,0 +1 @@
+let x x x;
diff --git a/javascript/ql/test/query-tests/Diagnostics/bad2.ts b/javascript/ql/test/query-tests/Diagnostics/bad2.ts
new file mode 100644
index 00000000000..bc65d7f91b2
--- /dev/null
+++ b/javascript/ql/test/query-tests/Diagnostics/bad2.ts
@@ -0,0 +1 @@
+const z = ??;
diff --git a/javascript/ql/test/query-tests/Diagnostics/bad3.html b/javascript/ql/test/query-tests/Diagnostics/bad3.html
new file mode 100644
index 00000000000..7ed5ed66f72
--- /dev/null
+++ b/javascript/ql/test/query-tests/Diagnostics/bad3.html
@@ -0,0 +1,3 @@
+<script>
+    let q q q q ; // error
+</script>
diff --git a/javascript/ql/test/query-tests/Diagnostics/contains-template.js b/javascript/ql/test/query-tests/Diagnostics/contains-template.js
new file mode 100644
index 00000000000..6ab50e09c78
--- /dev/null
+++ b/javascript/ql/test/query-tests/Diagnostics/contains-template.js
@@ -0,0 +1,4 @@
+const obj = {
+    // Template where we can't parse `x x x` but surrounding file still OK
+    template: '<b [foo]="x x x"></a>'
+};
diff --git a/javascript/ql/test/query-tests/Diagnostics/good1.js b/javascript/ql/test/query-tests/Diagnostics/good1.js
new file mode 100644
index 00000000000..7e41af70a46
--- /dev/null
+++ b/javascript/ql/test/query-tests/Diagnostics/good1.js
@@ -0,0 +1 @@
+let x = 123;
diff --git a/javascript/ql/test/query-tests/Diagnostics/good2.ts b/javascript/ql/test/query-tests/Diagnostics/good2.ts
new file mode 100644
index 00000000000..40bb197bf72
--- /dev/null
+++ b/javascript/ql/test/query-tests/Diagnostics/good2.ts
@@ -0,0 +1 @@
+const y: string = "dfg";
diff --git a/javascript/ql/test/query-tests/Diagnostics/good3.html b/javascript/ql/test/query-tests/Diagnostics/good3.html
new file mode 100644
index 00000000000..1b3c248897b
--- /dev/null
+++ b/javascript/ql/test/query-tests/Diagnostics/good3.html
@@ -0,0 +1,3 @@
+<script>
+    let qwe = 123;
+</script>
diff --git a/javascript/ql/test/query-tests/Diagnostics/options b/javascript/ql/test/query-tests/Diagnostics/options
new file mode 100644
index 00000000000..096355709a6
--- /dev/null
+++ b/javascript/ql/test/query-tests/Diagnostics/options
@@ -0,0 +1 @@
+semmle-extractor-options: --tolerate-parse-errors --experimental

From a43698802f669f94b74aedd4d4c22d60ef232263 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Mon, 12 Apr 2021 17:36:50 +0300
Subject: [PATCH 0340/1429] Update
 InsufficientControlFlowManagementWhenUsingBitOperations.ql

---
 .../InsufficientControlFlowManagementWhenUsingBitOperations.ql | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
index 8a7a3fff1d0..72d7625b517 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
@@ -61,8 +61,7 @@ class DangerousBitOperations extends BinaryBitwiseOperation {
   /** Holds when the bit expression contains both arguments and a function call. */
   predicate dangerousArgumentChecking() {
     not this.getLeftOperand() instanceof Call and
-    globalValueNumber(this.getLeftOperand().getAChild*()) =
-      globalValueNumber(bfc.getAnArgument())
+    globalValueNumber(this.getLeftOperand().getAChild*()) = globalValueNumber(bfc.getAnArgument())
   }
 
   /** Holds when function calls are present in the bit expression. */

From bb23866cec93bda0bf1e132facd78344fb7a7fe4 Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Mon, 12 Apr 2021 16:33:01 +0100
Subject: [PATCH 0341/1429] Add missing doc comments

---
 .../Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql      | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
index 772ac6cd209..e6965959d13 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
@@ -52,10 +52,13 @@ class ApplicationProperties extends ConfigPair {
 class ManagementSecurityConfig extends ApplicationProperties {
   ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" }
 
+  /** Gets the whitespace-trimmed value of this property. */
   string getValue() { result = this.getValueElement().getValue().trim() }
 
+  /** Holds if `management.security.enabled` is set to `false`. */
   predicate hasSecurityDisabled() { getValue() = "false" }
 
+  /** Holds if `management.security.enabled` is set to `true`. */
   predicate hasSecurityEnabled() { getValue() = "true" }
 }
 
@@ -65,6 +68,7 @@ class ManagementEndPointInclude extends ApplicationProperties {
     this.getNameElement().getName() = "management.endpoints.web.exposure.include"
   }
 
+  /** Gets the whitespace-trimmed value of this property. */
   string getValue() { result = this.getValueElement().getValue().trim() }
 }
 

From dfc91b8331199ff8780aeb8b0a1ef5c14d06a6ba Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 12 Apr 2021 17:33:33 +0200
Subject: [PATCH 0342/1429] C#: Simplify `dotnet-install.ps1` invocation

Using the pattern from https://docs.microsoft.com/en-us/dotnet/core/tools/dotnet-install-script.
---
 .../BuildScripts.cs                           | 68 +++++++++----------
 .../Semmle.Autobuild.CSharp/DotNetRule.cs     | 43 ++----------
 2 files changed, 37 insertions(+), 74 deletions(-)

diff --git a/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BuildScripts.cs b/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BuildScripts.cs
index f74e9829bc5..9334181fe5a 100644
--- a/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BuildScripts.cs
+++ b/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BuildScripts.cs
@@ -981,8 +981,39 @@ Microsoft.NETCore.App 2.1.4 [/usr/local/share/dotnet/shared/Microsoft.NETCore.Ap
         {
             actions.RunProcess["cmd.exe /C dotnet --list-sdks"] = 0;
             actions.RunProcessOut["cmd.exe /C dotnet --list-sdks"] = "2.1.3 [C:\\Program Files\\dotnet\\sdks]\n2.1.4 [C:\\Program Files\\dotnet\\sdks]";
-            actions.RunProcess[@"cmd.exe /C pwsh -NoProfile -ExecutionPolicy unrestricted -file C:\Project\install-dotnet.ps1 -Version 2.1.3 -InstallDir C:\Project\.dotnet"] = 0;
-            actions.RunProcess[@"cmd.exe /C del C:\Project\install-dotnet.ps1"] = 0;
+            actions.RunProcess[@"cmd.exe /C pwsh -NoProfile -ExecutionPolicy unrestricted -Command ""[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; &([scriptblock]::Create((Invoke-WebRequest -UseBasicParsing 'https://dot.net/v1/dotnet-install.ps1'))) -Version 2.1.3 -InstallDir C:\Project\.dotnet"""] = 0;
+            actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet --info"] = 0;
+            actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet clean C:\Project\test.csproj"] = 0;
+            actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet restore C:\Project\test.csproj"] = 0;
+            actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto C:\Project\.dotnet\dotnet build --no-incremental C:\Project\test.csproj"] = 0;
+            actions.FileExists["csharp.log"] = true;
+            actions.FileExists[@"C:\Project\test.csproj"] = true;
+            actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = "";
+            actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = "";
+            actions.GetEnvironmentVariable["PATH"] = "/bin:/usr/bin";
+            actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.cs\ntest.csproj";
+            actions.EnumerateDirectories[@"C:\Project"] = "";
+            var xml = new XmlDocument();
+            xml.LoadXml(@"<Project Sdk=""Microsoft.NET.Sdk"">
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>netcoreapp2.1</TargetFramework>
+  </PropertyGroup>
+
+</Project>");
+            actions.LoadXml[@"C:\Project\test.csproj"] = xml;
+
+            var autobuilder = CreateAutoBuilder(true, dotnetVersion: "2.1.3");
+            TestAutobuilderScript(autobuilder, 0, 6);
+        }
+
+        [Fact]
+        public void TestDotnetVersionWindowsNoPwsh()
+        {
+            actions.RunProcess["cmd.exe /C dotnet --list-sdks"] = 0;
+            actions.RunProcessOut["cmd.exe /C dotnet --list-sdks"] = "2.1.3 [C:\\Program Files\\dotnet\\sdks]\n2.1.4 [C:\\Program Files\\dotnet\\sdks]";
+            actions.RunProcess[@"cmd.exe /C pwsh -NoProfile -ExecutionPolicy unrestricted -Command ""[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; &([scriptblock]::Create((Invoke-WebRequest -UseBasicParsing 'https://dot.net/v1/dotnet-install.ps1'))) -Version 2.1.3 -InstallDir C:\Project\.dotnet"""] = 1;
+            actions.RunProcess[@"cmd.exe /C powershell -NoProfile -ExecutionPolicy unrestricted -Command ""[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; &([scriptblock]::Create((Invoke-WebRequest -UseBasicParsing 'https://dot.net/v1/dotnet-install.ps1'))) -Version 2.1.3 -InstallDir C:\Project\.dotnet"""] = 0;
             actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet --info"] = 0;
             actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet clean C:\Project\test.csproj"] = 0;
             actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet restore C:\Project\test.csproj"] = 0;
@@ -1008,39 +1039,6 @@ Microsoft.NETCore.App 2.1.4 [/usr/local/share/dotnet/shared/Microsoft.NETCore.Ap
             TestAutobuilderScript(autobuilder, 0, 7);
         }
 
-        [Fact]
-        public void TestDotnetVersionWindowsNoPwsh()
-        {
-            actions.RunProcess["cmd.exe /C dotnet --list-sdks"] = 0;
-            actions.RunProcessOut["cmd.exe /C dotnet --list-sdks"] = "2.1.3 [C:\\Program Files\\dotnet\\sdks]\n2.1.4 [C:\\Program Files\\dotnet\\sdks]";
-            actions.RunProcess[@"cmd.exe /C pwsh -NoProfile -ExecutionPolicy unrestricted -file C:\Project\install-dotnet.ps1 -Version 2.1.3 -InstallDir C:\Project\.dotnet"] = 1;
-            actions.RunProcess[@"cmd.exe /C powershell -NoProfile -ExecutionPolicy unrestricted -file C:\Project\install-dotnet.ps1 -Version 2.1.3 -InstallDir C:\Project\.dotnet"] = 0;
-            actions.RunProcess[@"cmd.exe /C del C:\Project\install-dotnet.ps1"] = 0;
-            actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet --info"] = 0;
-            actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet clean C:\Project\test.csproj"] = 0;
-            actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet restore C:\Project\test.csproj"] = 0;
-            actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto C:\Project\.dotnet\dotnet build --no-incremental C:\Project\test.csproj"] = 0;
-            actions.FileExists["csharp.log"] = true;
-            actions.FileExists[@"C:\Project\test.csproj"] = true;
-            actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = "";
-            actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = "";
-            actions.GetEnvironmentVariable["PATH"] = "/bin:/usr/bin";
-            actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.cs\ntest.csproj";
-            actions.EnumerateDirectories[@"C:\Project"] = "";
-            var xml = new XmlDocument();
-            xml.LoadXml(@"<Project Sdk=""Microsoft.NET.Sdk"">
-  <PropertyGroup>
-    <OutputType>Exe</OutputType>
-    <TargetFramework>netcoreapp2.1</TargetFramework>
-  </PropertyGroup>
-
-</Project>");
-            actions.LoadXml[@"C:\Project\test.csproj"] = xml;
-
-            var autobuilder = CreateAutoBuilder(true, dotnetVersion: "2.1.3");
-            TestAutobuilderScript(autobuilder, 0, 8);
-        }
-
         [Fact]
         public void TestDirsProjWindows()
         {
diff --git a/csharp/autobuilder/Semmle.Autobuild.CSharp/DotNetRule.cs b/csharp/autobuilder/Semmle.Autobuild.CSharp/DotNetRule.cs
index 1b440aaa196..a456c9407db 100644
--- a/csharp/autobuilder/Semmle.Autobuild.CSharp/DotNetRule.cs
+++ b/csharp/autobuilder/Semmle.Autobuild.CSharp/DotNetRule.cs
@@ -179,35 +179,8 @@ namespace Semmle.Autobuild.CSharp
 
                     if (builder.Actions.IsWindows())
                     {
-                        var psScript = @"param([string]$Version, [string]$InstallDir)
 
-add-type @""
-using System.Net;
-using System.Security.Cryptography.X509Certificates;
-public class TrustAllCertsPolicy : ICertificatePolicy
-{
-    public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem)
-    {
-        return true;
-    }
-}
-""@
-$AllProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
-[System.Net.ServicePointManager]::SecurityProtocol = $AllProtocols
-[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
-$Script = Invoke-WebRequest -useb 'https://dot.net/v1/dotnet-install.ps1'
-
-$arguments = @{
-  Channel = 'release'
-  Version = $Version
-  InstallDir = $InstallDir
-}
-
-$ScriptBlock = [scriptblock]::create("".{$($Script)} $(&{$args} @arguments)"")
-
-Invoke-Command -ScriptBlock $ScriptBlock";
-                        var psScriptFile = builder.Actions.PathCombine(builder.Options.RootDirectory, "install-dotnet.ps1");
-                        builder.Actions.WriteAllText(psScriptFile, psScript);
+                        var psCommand = $"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; &([scriptblock]::Create((Invoke-WebRequest -UseBasicParsing 'https://dot.net/v1/dotnet-install.ps1'))) -Version {version} -InstallDir {path}";
 
                         BuildScript GetInstall(string pwsh) =>
                             new CommandBuilder(builder.Actions).
@@ -215,19 +188,11 @@ Invoke-Command -ScriptBlock $ScriptBlock";
                             Argument("-NoProfile").
                             Argument("-ExecutionPolicy").
                             Argument("unrestricted").
-                            Argument("-file").
-                            Argument(psScriptFile).
-                            Argument("-Version").
-                            Argument(version).
-                            Argument("-InstallDir").
-                            Argument(path).
+                            Argument("-Command").
+                            Argument("\"" + psCommand + "\"").
                             Script;
 
-                        var removeScript = new CommandBuilder(builder.Actions).
-                            RunCommand("del").
-                            Argument(psScriptFile);
-
-                        return (GetInstall("pwsh") | GetInstall("powershell")) & BuildScript.Try(removeScript.Script);
+                        return GetInstall("pwsh") | GetInstall("powershell");
                     }
                     else
                     {

From d7f26dfc183f3e8c1a220c1aa7d7092f9bfb09e1 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Mon, 12 Apr 2021 16:19:23 +0000
Subject: [PATCH 0343/1429] Update stub classes and qldoc

---
 .../CWE-1004/SensitiveCookieNotHttpOnly.ql    | 14 ++---
 .../CWE-1004/SensitiveCookieNotHttpOnly.java  |  2 +-
 .../javax/ws/rs/core/Cookie.java              | 10 +--
 .../javax/servlet/http/Cookie.java            | 62 +++----------------
 4 files changed, 22 insertions(+), 66 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
index cb8f7412014..4c0dc624d07 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -82,8 +82,8 @@ class CookieClass extends RefType {
   }
 }
 
-/** Holds if the `expr` is `true` or a variable that is ever assigned `true`. */
-// This could be a very large result set if computed out of context
+/** Holds if `expr` is any boolean-typed expression other than literal `false`. */
+// Inlined because this could be a very large result set if computed out of context
 pragma[inline]
 predicate mayBeBooleanTrue(Expr expr) {
   expr.getType() instanceof BooleanType and
@@ -123,11 +123,11 @@ predicate isTestMethod(MethodAccess ma) {
 }
 
 /**
- * A taint configuration tracking flow of a method or a wrapper method that sets the `HttpOnly`
- * flag, or one that removes a cookie, to a `ServletResponse.addCookie` call.
+ * A taint configuration tracking flow of a method that sets the `HttpOnly` flag,
+ * or one that removes a cookie, to a `ServletResponse.addCookie` call.
  */
-class SetHttpOnlyInCookieConfiguration extends TaintTracking2::Configuration {
-  SetHttpOnlyInCookieConfiguration() { this = "SetHttpOnlyInCookieConfiguration" }
+class SetHttpOnlyOrRemovesCookieConfiguration extends TaintTracking2::Configuration {
+  SetHttpOnlyOrRemovesCookieConfiguration() { this = "SetHttpOnlyOrRemovesCookieConfiguration" }
 
   override predicate isSource(DataFlow::Node source) {
     source.asExpr() =
@@ -150,7 +150,7 @@ class CookieResponseSink extends DataFlow::ExprNode {
       (
         ma.getMethod() instanceof ResponseAddCookieMethod and
         this.getExpr() = ma.getArgument(0) and
-        not exists(SetHttpOnlyInCookieConfiguration cc | cc.hasFlowTo(this))
+        not exists(SetHttpOnlyOrRemovesCookieConfiguration cc | cc.hasFlowTo(this))
         or
         ma instanceof SetCookieMethodAccess and
         this.getExpr() = ma.getArgument(1) and
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
index 0bb912f6ce6..4ad7aa5dd95 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
@@ -137,7 +137,7 @@ class SensitiveCookieNotHttpOnly {
         response.addCookie(createCookie("refresh_token", refreshToken, true));
     }
 
-    // BAD - Tests set a sensitive cookie header with the `HttpOnly` flag not set through a boolean variable using a wrapper method.
+    // GOOD - Tests set a sensitive cookie header with the `HttpOnly` flag not set through a boolean variable using a wrapper method.
     public void addCookie15(HttpServletRequest request, HttpServletResponse response, String refreshToken) {
         response.addCookie(createCookie("refresh_token", refreshToken, false));
     }
diff --git a/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/Cookie.java b/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/Cookie.java
index f810600a766..2726c3d27dd 100644
--- a/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/Cookie.java
+++ b/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/Cookie.java
@@ -125,7 +125,7 @@ public class Cookie {
      * @return the cookie name.
      */
     public String getName() {
-        return name;
+        return null;
     }
 
     /**
@@ -134,7 +134,7 @@ public class Cookie {
      * @return the cookie value.
      */
     public String getValue() {
-        return value;
+        return null;
     }
 
     /**
@@ -143,7 +143,7 @@ public class Cookie {
      * @return the cookie version.
      */
     public int getVersion() {
-        return version;
+        return -1;
     }
 
     /**
@@ -152,7 +152,7 @@ public class Cookie {
      * @return the cookie domain.
      */
     public String getDomain() {
-        return domain;
+        return null;
     }
 
     /**
@@ -161,6 +161,6 @@ public class Cookie {
      * @return the cookie path.
      */
     public String getPath() {
-        return path;
+        return null;
     }
 }
diff --git a/java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/Cookie.java b/java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/Cookie.java
index 47b1d883e47..53d3058f921 100644
--- a/java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/Cookie.java
+++ b/java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/Cookie.java
@@ -24,95 +24,51 @@
 package javax.servlet.http;
 
 public class Cookie implements Cloneable {
-    private String name; // NAME= ... "$Name" style is reserved
-    private String value; // value of NAME
-    private String comment; // ;Comment=VALUE ... describes cookie's use
-    private String domain; // ;Domain=VALUE ... domain that sees cookie
-    private int maxAge = -1; // ;Max-Age=VALUE ... cookies auto-expire
-    private String path; // ;Path=VALUE ... URLs that see the cookie
-    private boolean secure; // ;Secure ... e.g. use SSL
-    private int version = 0; // ;Version=1 ... means RFC 2109++ style
-    private boolean isHttpOnly = false;
 
     public Cookie(String name, String value) {
-        this.name = name;
-        this.value = value;
     }
     public void setComment(String purpose) {
-        comment = purpose;
     }
     public String getComment() {
-        return comment;
+        return null;
     }
     public void setDomain(String pattern) {
-        domain = pattern.toLowerCase(); // IE allegedly needs this
     }
     public String getDomain() {
-        return domain;
+        return null;
     }
     public void setMaxAge(int expiry) {
-        maxAge = expiry;
     }
     public int getMaxAge() {
-        return maxAge;
+        return -1;
     }
     public void setPath(String uri) {
-        path = uri;
     }
     public String getPath() {
-        return path;
+        return null;
     }
     public void setSecure(boolean flag) {
-        secure = flag;
     }
     public boolean getSecure() {
-        return secure;
+        return false;
     }
     public String getName() {
-        return name;
+        return null;
     }
     public void setValue(String newValue) {
-        value = newValue;
     }
     public String getValue() {
-        return value;
+        return null;
     }
     public int getVersion() {
-        return version;
+        return -1;
     }
     public void setVersion(int v) {
     }
-
-    /**
-     * Marks or unmarks this Cookie as <i>HttpOnly</i>.
-     *
-     * <p>If <tt>isHttpOnly</tt> is set to <tt>true</tt>, this cookie is
-     * marked as <i>HttpOnly</i>, by adding the <tt>HttpOnly</tt> attribute
-     * to it.
-     *
-     * <p><i>HttpOnly</i> cookies are not supposed to be exposed to
-     * client-side scripting code, and may therefore help mitigate certain
-     * kinds of cross-site scripting attacks.
-     *
-     * @param isHttpOnly true if this cookie is to be marked as
-     * <i>HttpOnly</i>, false otherwise
-     *
-     * @since Servlet 3.0
-     */
     public void setHttpOnly(boolean isHttpOnly) {
-        this.isHttpOnly = isHttpOnly;
     }
- 
-    /**
-     * Checks whether this Cookie has been marked as <i>HttpOnly</i>.
-     *
-     * @return true if this Cookie has been marked as <i>HttpOnly</i>,
-     * false otherwise
-     *
-     * @since Servlet 3.0
-     */
     public boolean isHttpOnly() {
-        return isHttpOnly;
+        return false;
     }
 
     /**

From 037e6369ce657381a15fe2df4ea0b09ed24d9802 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Mon, 12 Apr 2021 18:27:21 +0200
Subject: [PATCH 0344/1429] C++: Ensure all values are bound in both
 disjunctions.

---
 .../dataflow/fields/partial-definition-diff.ql | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.ql b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.ql
index d8b6b4e0e69..fae4b06da5a 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.ql
+++ b/cpp/ql/test/library-tests/dataflow/fields/partial-definition-diff.ql
@@ -19,15 +19,19 @@ class IRPartialDefNode extends IRNode {
   override string toString() { result = n.asPartialDefinition().toString() }
 }
 
-from Node node, AST::Node astNode, IR::Node irNode, string msg
+from Node node, string msg
 where
-  node.asIR() = irNode and
-  exists(irNode.asPartialDefinition()) and
-  not exists(AST::Node otherNode | otherNode.asPartialDefinition() = irNode.asPartialDefinition()) and
+  exists(IR::Node irNode, Expr partial |
+    node.asIR() = irNode and
+    partial = irNode.asPartialDefinition() and
+    not exists(AST::Node otherNode | otherNode.asPartialDefinition() = partial)
+  ) and
   msg = "IR only"
   or
-  node.asAST() = astNode and
-  exists(astNode.asPartialDefinition()) and
-  not exists(IR::Node otherNode | otherNode.asPartialDefinition() = astNode.asPartialDefinition()) and
+  exists(AST::Node astNode, Expr partial |
+    node.asAST() = astNode and
+    partial = astNode.asPartialDefinition() and
+    not exists(IR::Node otherNode | otherNode.asPartialDefinition() = partial)
+  ) and
   msg = "AST only"
 select node, msg

From b96b6652626cbeb232748ac782130b884335725d Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Mon, 12 Apr 2021 21:40:49 +0300
Subject: [PATCH 0345/1429] Renaming in
 java/ql/src/experimental/Security/CWE/CWE-094

---
 .../CWE/CWE-094/{InjectionLib.qll => FlowUtils.qll}         | 2 +-
 .../Security/CWE/CWE-094/JakartaExpressionInjection.qhelp   | 6 +++---
 .../Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll  | 4 ++--
 .../experimental/Security/CWE/CWE-094/JexlInjectionLib.qll  | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)
 rename java/ql/src/experimental/Security/CWE/CWE-094/{InjectionLib.qll => FlowUtils.qll} (81%)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/InjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/FlowUtils.qll
similarity index 81%
rename from java/ql/src/experimental/Security/CWE/CWE-094/InjectionLib.qll
rename to java/ql/src/experimental/Security/CWE/CWE-094/FlowUtils.qll
index adab79d6f5c..5371c51aa8f 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/InjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/FlowUtils.qll
@@ -5,7 +5,7 @@ import semmle.code.java.dataflow.FlowSources
  * Holds if `fromNode` to `toNode` is a dataflow step that returns data from
  * a bean by calling one of its getters.
  */
-predicate returnsDataFromBean(DataFlow::Node fromNode, DataFlow::Node toNode) {
+predicate hasGetterFlow(DataFlow::Node fromNode, DataFlow::Node toNode) {
   exists(MethodAccess ma, Method m | ma.getMethod() = m |
     m instanceof GetterMethod and
     ma.getQualifier() = fromNode.asExpr() and
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.qhelp
index a6d66c1d1d1..a8d3cd0fe70 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.qhelp
@@ -29,14 +29,14 @@ with sandboxing capabilities such as Apache Commons JEXL or the Spring Expressio
 The following example shows how untrusted data is used to build and run an expression
 using the JUEL interpreter:
 </p>
-<sample src="UnsafeExpressionEvaluationWithJUEL.java" />
+<sample src="UnsafeExpressionEvaluationWithJuel.java" />
 
 <p>
-JUEL does not support to run expressions in a sandbox. To prevent running arbitrary code,
+JUEL does not support running expressions in a sandbox. To prevent running arbitrary code,
 incoming data has to be checked before including it in an expression. The next example
 uses a Regex pattern to check whether a user tries to run an allowed expression or not:
 </p>
-<sample src="SaferExpressionEvaluationWithJUEL.java" />
+<sample src="SaferExpressionEvaluationWithJuel.java" />
 
 </example>
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
index b1c5d1e8ae2..43090974364 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
@@ -1,5 +1,5 @@
 import java
-import InjectionLib
+import FlowUtils
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 
@@ -16,7 +16,7 @@ class JakartaExpressionInjectionConfig extends TaintTracking::Configuration {
 
   override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
     any(TaintPropagatingCall c).taintFlow(fromNode, toNode) or
-    returnsDataFromBean(fromNode, toNode)
+    hasGetterFlow(fromNode, toNode)
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
index 51084a9862c..89d7cb496a4 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
@@ -1,5 +1,5 @@
 import java
-import InjectionLib
+import FlowUtils
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 
@@ -17,7 +17,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {
 
   override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
     any(TaintPropagatingJexlMethodCall c).taintFlow(fromNode, toNode) or
-    returnsDataFromBean(fromNode, toNode)
+    hasGetterFlow(fromNode, toNode)
   }
 }
 

From e0fcb1573987e27b831aa294f3c0b368d019bc3f Mon Sep 17 00:00:00 2001
From: Andrew Eisenberg <aeisenberg@github.com>
Date: Mon, 12 Apr 2021 11:49:07 -0700
Subject: [PATCH 0346/1429] Actions: Add workflow for marking stale questions

This PR adds a workflow for marking and closing issues as stale. Issues must be labeled as _question_. PRs are never marked as stale.
---
 .github/workflows/close-stale.yml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 .github/workflows/close-stale.yml

diff --git a/.github/workflows/close-stale.yml b/.github/workflows/close-stale.yml
new file mode 100644
index 00000000000..6065f79aa7c
--- /dev/null
+++ b/.github/workflows/close-stale.yml
@@ -0,0 +1,30 @@
+name: Mark stale issues
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "30 1 * * *"
+
+jobs:
+  stale:
+    if: github.repository == 'github/codeql'
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/stale@v3
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `stale` label in order to avoid having this issue closed in 7 days.'
+        close-issue-message: 'This issue was closed because it has been inactive for 7 days.'
+        days-before-stale: 14
+        days-before-close: 7
+        only-labels: question
+        
+        # do not mark PRs as stale
+        days-before-pr-stale: -1
+        days-before-pr-close: -1
+        
+        # Dry-run only. remove this when we are ready to actually change issues
+        debug-only: true
+        operations-per-run: 1000

From e4d74cf0986c59a3cec6f09687e81da7c4f7f0ed Mon Sep 17 00:00:00 2001
From: yoff <lerchedahl@gmail.com>
Date: Mon, 12 Apr 2021 23:47:54 +0200
Subject: [PATCH 0347/1429] Apply suggestions from code review

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
---
 .../src/Security/CWE-327/FluentApiModel.qll   |  7 ++-----
 python/ql/src/Security/CWE-327/PyOpenSSL.qll  | 10 +++++++---
 python/ql/src/Security/CWE-327/Ssl.qll        | 18 ++++++++++-------
 .../src/Security/CWE-327/TlsLibraryModel.qll  | 20 ++++++++++---------
 4 files changed, 31 insertions(+), 24 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/FluentApiModel.qll b/python/ql/src/Security/CWE-327/FluentApiModel.qll
index b5d6823c44c..6010417b68d 100644
--- a/python/ql/src/Security/CWE-327/FluentApiModel.qll
+++ b/python/ql/src/Security/CWE-327/FluentApiModel.qll
@@ -1,4 +1,4 @@
-import python
+private import python
 import TlsLibraryModel
 
 /**
@@ -89,9 +89,6 @@ predicate unsafe_connection_creation_with_context(
 /**
  * Holds if `conectionCreation` marks the creation of a connetion witout reference to a context
  * and allowing `insecure_version`.
- *
- * `specific` is true iff the context is configured for a specific protocol version rather
- * than for a family of protocols.
  */
 predicate unsafe_connection_creation_without_context(
   DataFlow::CallCfgNode connectionCreation, string insecure_version
@@ -99,7 +96,7 @@ predicate unsafe_connection_creation_without_context(
   exists(TlsLibrary l | connectionCreation = l.insecure_connection_creation(insecure_version))
 }
 
-/** Holds if `contextCreation` is creating a context ties to a specific insecure version. */
+/** Holds if `contextCreation` is creating a context tied to a specific insecure version. */
 predicate unsafe_context_creation(DataFlow::CallCfgNode contextCreation, string insecure_version) {
   exists(TlsLibrary l | contextCreation = l.insecure_context_creation(insecure_version))
 }
diff --git a/python/ql/src/Security/CWE-327/PyOpenSSL.qll b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
index 55b77386f2f..3cd9b064e24 100644
--- a/python/ql/src/Security/CWE-327/PyOpenSSL.qll
+++ b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
@@ -1,5 +1,9 @@
-import python
-import semmle.python.ApiGraphs
+/**
+ * Provides modeling of SSL/TLS functionality of the `OpenSSL` module from the `pyOpenSSL` PyPI package.
+ * See https://www.pyopenssl.org/en/stable/
+ */
+private import python
+private import semmle.python.ApiGraphs
 import TlsLibraryModel
 
 class PyOpenSSLContextCreation extends ContextCreation {
@@ -49,7 +53,7 @@ class SetOptionsCall extends ProtocolRestriction {
 }
 
 class UnspecificPyOpenSSLContextCreation extends PyOpenSSLContextCreation, UnspecificContextCreation {
-  UnspecificPyOpenSSLContextCreation() { library = "pyOpenSSL" }
+  UnspecificPyOpenSSLContextCreation() { library instanceof PyOpenSSL }
 }
 
 class PyOpenSSL extends TlsLibrary {
diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index cb19fb8f11f..b44ae181415 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -1,5 +1,9 @@
-import python
-import semmle.python.ApiGraphs
+/**
+ * Provides modeling of SSL/TLS functionality of the `ssl` module from the standard library.
+ * See https://docs.python.org/3.9/library/ssl.html
+ */
+private import python
+private import semmle.python.ApiGraphs
 import TlsLibraryModel
 
 class SSLContextCreation extends ContextCreation {
@@ -145,12 +149,12 @@ class ContextSetVersion extends ProtocolRestriction, ProtocolUnrestriction {
 }
 
 class UnspecificSSLContextCreation extends SSLContextCreation, UnspecificContextCreation {
-  UnspecificSSLContextCreation() { library = "ssl" }
+  UnspecificSSLContextCreation() { library instanceof Ssl }
 
   override ProtocolVersion getUnrestriction() {
     result = UnspecificContextCreation.super.getUnrestriction() and
-    // These are turned off by default
-    // see https://docs.python.org/3/library/ssl.html#ssl-contexts
+    // These are turned off by default since Python 3.6
+    // see https://docs.python.org/3.6/library/ssl.html#ssl.SSLContext
     not result in ["SSLv2", "SSLv3"]
   }
 }
@@ -185,8 +189,8 @@ class Ssl extends TlsLibrary {
 
   override DataFlow::CfgNode insecure_connection_creation(ProtocolVersion version) {
     result = API::moduleImport("ssl").getMember("wrap_socket").getACall() and
-    specific_version(version).asCfgNode() =
-      result.asCfgNode().(CallNode).getArgByName("ssl_version") and
+    this.specific_version(version) =
+      result.(DataFlow::CallCfgNode).getArgByName("ssl_version") and
     version.isInsecure()
   }
 
diff --git a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
index 685485004b2..c49113f8f68 100644
--- a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
+++ b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
@@ -1,15 +1,15 @@
-import python
-import semmle.python.ApiGraphs
+private import python
+private import semmle.python.ApiGraphs
 import Ssl
 import PyOpenSSL
 
 /**
- * A specific protocol version.
- * We use this to identify a protocol.
+ * A specific protocol version of SSL or TLS.
  */
 class ProtocolVersion extends string {
   ProtocolVersion() { this in ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"] }
 
+  /** Gets a `ProtocolVersion` that is less than this `ProtocolVersion`, if any. */
   predicate lessThan(ProtocolVersion version) {
     this = "SSLv2" and version = "SSLv3"
     or
@@ -20,6 +20,7 @@ class ProtocolVersion extends string {
     this = ["TLSv1", "TLSv1_1", "TLSv1_2"] and version = "TLSv1_3"
   }
 
+  /** Holds if this protocol version is known to be insecure. */
   predicate isInsecure() { this in ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1"] }
 }
 
@@ -81,12 +82,13 @@ abstract class UnspecificContextCreation extends ContextCreation, ProtocolUnrest
 
 /** A model of a SSL/TLS library. */
 abstract class TlsLibrary extends string {
-  TlsLibrary() { this in ["ssl", "pyOpenSSL"] }
+  bindingset[this]
+  TlsLibrary() { any() }
 
   /** The name of a specific protocol version. */
   abstract string specific_version_name(ProtocolVersion version);
 
-  /** The name of an unspecific protocol version, say TLS, known to have insecure instances. */
+  /** Gets a name, which is a member of `version_constants`,  that can be used to specify the protocol family `family`. */
   abstract string unspecific_version_name(ProtocolFamily family);
 
   /** The module or class holding the version constants. */
@@ -97,12 +99,12 @@ abstract class TlsLibrary extends string {
     result = version_constants().getMember(specific_version_name(version)).getAUse()
   }
 
-  /** A dataflow node representing an unspecific protocol version, say TLS, known to have insecure instances. */
+  /** Gets a dataflow node representing the protocol family `family`. */
   DataFlow::Node unspecific_version(ProtocolFamily family) {
     result = version_constants().getMember(unspecific_version_name(family)).getAUse()
   }
 
-  /** The creation of a context with a deafult protocol. */
+  /** The creation of a context with a default protocol. */
   abstract ContextCreation default_context_creation();
 
   /** The creation of a context with a specific protocol. */
@@ -115,7 +117,7 @@ abstract class TlsLibrary extends string {
     version.isInsecure()
   }
 
-  /** The creation of a context with an unspecific protocol version, say TLS, known to have insecure instances. */
+  /** Gets a context that was created using `family`, known to have insecure instances. */
   ContextCreation unspecific_context_creation(ProtocolFamily family) {
     result in [specific_context_creation(), default_context_creation()] and
     result.getProtocol() = family

From b6bd782746b59aedde860320c6700320de1b395e Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Mon, 12 Apr 2021 23:55:59 +0200
Subject: [PATCH 0348/1429] Python: Modernize via `CallCfgNode`

---
 python/ql/src/Security/CWE-327/PyOpenSSL.qll       | 13 ++++---------
 python/ql/src/Security/CWE-327/Ssl.qll             | 14 ++++++--------
 python/ql/src/Security/CWE-327/TlsLibraryModel.qll | 14 +++++++-------
 3 files changed, 17 insertions(+), 24 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/PyOpenSSL.qll b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
index 3cd9b064e24..9f42b83572e 100644
--- a/python/ql/src/Security/CWE-327/PyOpenSSL.qll
+++ b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
@@ -2,13 +2,12 @@
  * Provides modeling of SSL/TLS functionality of the `OpenSSL` module from the `pyOpenSSL` PyPI package.
  * See https://www.pyopenssl.org/en/stable/
  */
+
 private import python
 private import semmle.python.ApiGraphs
 import TlsLibraryModel
 
-class PyOpenSSLContextCreation extends ContextCreation {
-  override CallNode node;
-
+class PyOpenSSLContextCreation extends ContextCreation, DataFlow::CallCfgNode {
   PyOpenSSLContextCreation() {
     this = API::moduleImport("OpenSSL").getMember("SSL").getMember("Context").getACall()
   }
@@ -22,9 +21,7 @@ class PyOpenSSLContextCreation extends ContextCreation {
   }
 }
 
-class ConnectionCall extends ConnectionCreation {
-  override CallNode node;
-
+class ConnectionCall extends ConnectionCreation, DataFlow::CallCfgNode {
   ConnectionCall() {
     this = API::moduleImport("OpenSSL").getMember("SSL").getMember("Connection").getACall()
   }
@@ -36,9 +33,7 @@ class ConnectionCall extends ConnectionCreation {
 
 // This cannot be used to unrestrict,
 // see https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_options
-class SetOptionsCall extends ProtocolRestriction {
-  override CallNode node;
-
+class SetOptionsCall extends ProtocolRestriction, DataFlow::CallCfgNode {
   SetOptionsCall() { node.getFunction().(AttrNode).getName() = "set_options" }
 
   override DataFlow::CfgNode getContext() {
diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index b44ae181415..99bb24b7076 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -2,13 +2,12 @@
  * Provides modeling of SSL/TLS functionality of the `ssl` module from the standard library.
  * See https://docs.python.org/3.9/library/ssl.html
  */
+
 private import python
 private import semmle.python.ApiGraphs
 import TlsLibraryModel
 
-class SSLContextCreation extends ContextCreation {
-  override CallNode node;
-
+class SSLContextCreation extends ContextCreation, DataFlow::CallCfgNode {
   SSLContextCreation() { this = API::moduleImport("ssl").getMember("SSLContext").getACall() }
 
   override string getProtocol() {
@@ -46,7 +45,7 @@ class WrapSocketCall extends ConnectionCreation, DataFlow::CallCfgNode {
   }
 }
 
-class OptionsAugOr extends ProtocolRestriction {
+class OptionsAugOr extends ProtocolRestriction, DataFlow::CallCfgNode {
   ProtocolVersion restriction;
 
   OptionsAugOr() {
@@ -69,7 +68,7 @@ class OptionsAugOr extends ProtocolRestriction {
   override ProtocolVersion getRestriction() { result = restriction }
 }
 
-class OptionsAugAndNot extends ProtocolUnrestriction {
+class OptionsAugAndNot extends ProtocolUnrestriction, DataFlow::CallCfgNode {
   ProtocolVersion restriction;
 
   OptionsAugAndNot() {
@@ -127,7 +126,7 @@ predicate impliesBitSet(BinaryExpr whole, Expr part, boolean partHasBitSet, bool
   )
 }
 
-class ContextSetVersion extends ProtocolRestriction, ProtocolUnrestriction {
+class ContextSetVersion extends ProtocolRestriction, ProtocolUnrestriction, DataFlow::CallCfgNode {
   ProtocolVersion restriction;
 
   ContextSetVersion() {
@@ -189,8 +188,7 @@ class Ssl extends TlsLibrary {
 
   override DataFlow::CfgNode insecure_connection_creation(ProtocolVersion version) {
     result = API::moduleImport("ssl").getMember("wrap_socket").getACall() and
-    this.specific_version(version) =
-      result.(DataFlow::CallCfgNode).getArgByName("ssl_version") and
+    this.specific_version(version) = result.(DataFlow::CallCfgNode).getArgByName("ssl_version") and
     version.isInsecure()
   }
 
diff --git a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
index c49113f8f68..cd38ad4ab5e 100644
--- a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
+++ b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
@@ -30,30 +30,30 @@ class ProtocolFamily extends string {
 }
 
 /** The creation of a context. */
-abstract class ContextCreation extends DataFlow::CfgNode {
+abstract class ContextCreation extends DataFlow::Node {
   /** Gets the protocol version or family for this context. */
   abstract string getProtocol();
 }
 
 /** The creation of a connection from a context. */
-abstract class ConnectionCreation extends DataFlow::CfgNode {
+abstract class ConnectionCreation extends DataFlow::Node {
   /** Gets the context used to create the connection. */
-  abstract DataFlow::CfgNode getContext();
+  abstract DataFlow::Node getContext();
 }
 
 /** A context is being restricted on which protocols it can accepts. */
-abstract class ProtocolRestriction extends DataFlow::CfgNode {
+abstract class ProtocolRestriction extends DataFlow::Node {
   /** Gets the context being restricted. */
-  abstract DataFlow::CfgNode getContext();
+  abstract DataFlow::Node getContext();
 
   /** Gets the protocol version being disallowed. */
   abstract ProtocolVersion getRestriction();
 }
 
 /** A context is being relaxed on which protocols it can accepts. */
-abstract class ProtocolUnrestriction extends DataFlow::CfgNode {
+abstract class ProtocolUnrestriction extends DataFlow::Node {
   /** Gets the context being relaxed. */
-  abstract DataFlow::CfgNode getContext();
+  abstract DataFlow::Node getContext();
 
   /** Gets the protocol version being allowed. */
   abstract ProtocolVersion getUnrestriction();

From 697b2dcde8faafcc585c41a08dd1036f2ab53e09 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Mon, 12 Apr 2021 18:11:10 -0400
Subject: [PATCH 0349/1429] C++: Add missing store step for single-field struct
 use

We have special code to handle field flow for single-field structs, but that special case was too specific. Some `Store`s to single-field structs have no `Chi` instruction, which is the case that we handled already. However, it is possible for the `Store` to have a `Chi` instruction (e.g. for `{AllAliased}`), but still have a use of the result of the `Store` directly. We now add a `PostUpdateNode` for the result of the `Store` itself in those cases, just like we already did if the `Store` had no `Chi`.
---
 .../cpp/ir/dataflow/internal/DataFlowUtil.qll | 15 +++++--
 .../ir/dataflow/internal/PrintIRLocalFlow.qll | 29 +-------------
 .../dataflow/internal/PrintIRStoreSteps.qll   | 33 ++++++++++++++++
 .../ir/dataflow/internal/PrintIRUtilities.qll | 39 +++++++++++++++++++
 .../dataflow-ir-consistency.expected          |  2 +
 .../fields/dataflow-ir-consistency.expected   |  4 ++
 .../dataflow/fields/ir-path-flow.expected     |  6 +--
 7 files changed, 93 insertions(+), 35 deletions(-)
 create mode 100644 cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/PrintIRStoreSteps.qll
 create mode 100644 cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/PrintIRUtilities.qll

diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
index 76ca7b215dc..81a07ad9d04 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -362,15 +362,22 @@ private class ExplicitFieldStoreQualifierNode extends PartialDefinitionNode {
 
 /**
  * Not every store instruction generates a chi instruction that we can attach a PostUpdateNode to.
- * For instance, an update to a field of a struct containing only one field. For these cases we
- * attach the PostUpdateNode to the store instruction. There's no obvious pre update node for this case
- * (as the entire memory is updated), so `getPreUpdateNode` is implemented as `none()`.
+ * For instance, an update to a field of a struct containing only one field. Even if the store does 
+ * have a chi instruction, a subsequent use of the result of the store may be linked directly to the
+ * result of the store as an inexact definition if the store totally overlaps the use. For these
+ * cases we attach the PostUpdateNode to the store instruction. There's no obvious pre update node
+ * for this case (as the entire memory is updated), so `getPreUpdateNode` is implemented as
+ * `none()`.
  */
 private class ExplicitSingleFieldStoreQualifierNode extends PartialDefinitionNode {
   override StoreInstruction instr;
 
   ExplicitSingleFieldStoreQualifierNode() {
-    not exists(ChiInstruction chi | chi.getPartial() = instr) and
+    (
+      instr.getAUse().isDefinitionInexact()
+      or
+      not exists(ChiInstruction chi | chi.getPartial() = instr)
+    ) and
     // Without this condition any store would create a `PostUpdateNode`.
     instr.getDestinationAddress() instanceof FieldAddressInstruction
   }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll
index 337dc71a3ca..16182296e40 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/PrintIRLocalFlow.qll
@@ -6,34 +6,7 @@ private import semmle.code.cpp.ir.ValueNumbering
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.DataFlow
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
-
-/**
- * Gets a short ID for an IR dataflow node.
- * - For `Instruction`s, this is just the result ID of the instruction (e.g. `m128`).
- * - For `Operand`s, this is the label of the operand, prefixed with the result ID of the
- *   instruction and a dot (e.g. `m128.left`).
- * - For `Variable`s, this is the qualified name of the variable.
- */
-private string nodeId(DataFlow::Node node, int order1, int order2) {
-  exists(Instruction instruction | instruction = node.asInstruction() |
-    result = instruction.getResultId() and
-    order1 = instruction.getBlock().getDisplayIndex() and
-    order2 = instruction.getDisplayIndexInBlock()
-  )
-  or
-  exists(Operand operand, Instruction instruction |
-    operand = node.asOperand() and
-    instruction = operand.getUse()
-  |
-    result = instruction.getResultId() + "." + operand.getDumpId() and
-    order1 = instruction.getBlock().getDisplayIndex() and
-    order2 = instruction.getDisplayIndexInBlock()
-  )
-  or
-  result = "var(" + node.asVariable().getQualifiedName() + ")" and
-  order1 = 1000000 and
-  order2 = 0
-}
+private import PrintIRUtilities
 
 /**
  * Gets the local dataflow from other nodes in the same function to this node.
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/PrintIRStoreSteps.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/PrintIRStoreSteps.qll
new file mode 100644
index 00000000000..8c318216217
--- /dev/null
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/PrintIRStoreSteps.qll
@@ -0,0 +1,33 @@
+/**
+ * Print the dataflow local store steps in IR dumps.
+ */
+
+private import cpp
+// The `ValueNumbering` library has to be imported right after `cpp` to ensure
+// that the cached IR gets the same checksum here as it does in queries that use
+// `ValueNumbering` without `DataFlow`.
+private import semmle.code.cpp.ir.ValueNumbering
+private import semmle.code.cpp.ir.IR
+private import semmle.code.cpp.ir.dataflow.DataFlow
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+private import PrintIRUtilities
+
+/**
+ * Property provider for local IR dataflow store steps.
+ */
+class LocalFlowPropertyProvider extends IRPropertyProvider {
+  override string getInstructionProperty(Instruction instruction, string key) {
+    exists(DataFlow::Node objectNode, Content content |
+      key = "content[" + content.toString() + "]" and
+      instruction = objectNode.asInstruction() and
+      result =
+        strictconcat(string element, DataFlow::Node fieldNode |
+          storeStep(fieldNode, content, objectNode) and
+          element = nodeId(fieldNode, _, _)
+        |
+          element, ", "
+        )
+    )
+  }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/PrintIRUtilities.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/PrintIRUtilities.qll
new file mode 100644
index 00000000000..5fc15cf986c
--- /dev/null
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/PrintIRUtilities.qll
@@ -0,0 +1,39 @@
+/**
+ * Shared utilities used when printing dataflow annotations in IR dumps.
+ */
+
+private import cpp
+// The `ValueNumbering` library has to be imported right after `cpp` to ensure
+// that the cached IR gets the same checksum here as it does in queries that use
+// `ValueNumbering` without `DataFlow`.
+private import semmle.code.cpp.ir.ValueNumbering
+private import semmle.code.cpp.ir.IR
+private import semmle.code.cpp.ir.dataflow.DataFlow
+
+/**
+ * Gets a short ID for an IR dataflow node.
+ * - For `Instruction`s, this is just the result ID of the instruction (e.g. `m128`).
+ * - For `Operand`s, this is the label of the operand, prefixed with the result ID of the
+ *   instruction and a dot (e.g. `m128.left`).
+ * - For `Variable`s, this is the qualified name of the variable.
+ */
+string nodeId(DataFlow::Node node, int order1, int order2) {
+  exists(Instruction instruction | instruction = node.asInstruction() |
+    result = instruction.getResultId() and
+    order1 = instruction.getBlock().getDisplayIndex() and
+    order2 = instruction.getDisplayIndexInBlock()
+  )
+  or
+  exists(Operand operand, Instruction instruction |
+    operand = node.asOperand() and
+    instruction = operand.getUse()
+  |
+    result = instruction.getResultId() + "." + operand.getDumpId() and
+    order1 = instruction.getBlock().getDisplayIndex() and
+    order2 = instruction.getDisplayIndexInBlock()
+  )
+  or
+  result = "var(" + node.asVariable().getQualifiedName() + ")" and
+  order1 = 1000000 and
+  order2 = 0
+}
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
index fc6c97aa2a6..db9a86fbb57 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
@@ -26,6 +26,7 @@ unreachableNodeCCtx
 localCallNodes
 postIsNotPre
 postHasUniquePre
+| test.cpp:373:5:373:20 | Store | PostUpdateNode should have one pre-update node but has 0. |
 uniquePostUpdate
 postIsInSameCallable
 reverseRead
@@ -82,4 +83,5 @@ postWithInFlow
 | test.cpp:125:3:125:11 | Chi | PostUpdateNode should not be the target of local flow. |
 | test.cpp:359:5:359:20 | Chi | PostUpdateNode should not be the target of local flow. |
 | test.cpp:373:5:373:20 | Chi | PostUpdateNode should not be the target of local flow. |
+| test.cpp:373:5:373:20 | Store | PostUpdateNode should not be the target of local flow. |
 | test.cpp:465:3:465:15 | Chi | PostUpdateNode should not be the target of local flow. |
diff --git a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
index 63d3b2c0f48..fe7d8360403 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
@@ -20,7 +20,9 @@ unreachableNodeCCtx
 localCallNodes
 postIsNotPre
 postHasUniquePre
+| D.cpp:57:5:57:42 | Store | PostUpdateNode should have one pre-update node but has 0. |
 | simple.cpp:65:5:65:22 | Store | PostUpdateNode should have one pre-update node but has 0. |
+| simple.cpp:83:9:83:28 | Store | PostUpdateNode should have one pre-update node but has 0. |
 | simple.cpp:92:5:92:22 | Store | PostUpdateNode should have one pre-update node but has 0. |
 uniquePostUpdate
 postIsInSameCallable
@@ -54,6 +56,7 @@ postWithInFlow
 | D.cpp:49:15:49:24 | Chi | PostUpdateNode should not be the target of local flow. |
 | D.cpp:56:15:56:24 | Chi | PostUpdateNode should not be the target of local flow. |
 | D.cpp:57:5:57:42 | Chi | PostUpdateNode should not be the target of local flow. |
+| D.cpp:57:5:57:42 | Store | PostUpdateNode should not be the target of local flow. |
 | aliasing.cpp:9:3:9:22 | Chi | PostUpdateNode should not be the target of local flow. |
 | aliasing.cpp:13:3:13:21 | Chi | PostUpdateNode should not be the target of local flow. |
 | aliasing.cpp:17:3:17:21 | Chi | PostUpdateNode should not be the target of local flow. |
@@ -150,6 +153,7 @@ postWithInFlow
 | simple.cpp:23:35:23:35 | Chi | PostUpdateNode should not be the target of local flow. |
 | simple.cpp:65:5:65:22 | Store | PostUpdateNode should not be the target of local flow. |
 | simple.cpp:83:9:83:28 | Chi | PostUpdateNode should not be the target of local flow. |
+| simple.cpp:83:9:83:28 | Store | PostUpdateNode should not be the target of local flow. |
 | simple.cpp:92:5:92:22 | Store | PostUpdateNode should not be the target of local flow. |
 | struct_init.c:20:20:20:29 | Chi | PostUpdateNode should not be the target of local flow. |
 | struct_init.c:20:34:20:34 | Chi | PostUpdateNode should not be the target of local flow. |
diff --git a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
index 37a0dc3832a..e6234ca17f7 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
@@ -228,8 +228,8 @@ edges
 | simple.cpp:65:5:65:22 | Store [i] | simple.cpp:66:12:66:12 | Store [i] |
 | simple.cpp:65:11:65:20 | call to user_input | simple.cpp:65:5:65:22 | Store [i] |
 | simple.cpp:66:12:66:12 | Store [i] | simple.cpp:67:13:67:13 | i |
-| simple.cpp:83:9:83:28 | Chi [f1] | simple.cpp:84:14:84:20 | this indirection [f1] |
-| simple.cpp:83:17:83:26 | call to user_input | simple.cpp:83:9:83:28 | Chi [f1] |
+| simple.cpp:83:9:83:28 | Store [f1] | simple.cpp:84:14:84:20 | this indirection [f1] |
+| simple.cpp:83:17:83:26 | call to user_input | simple.cpp:83:9:83:28 | Store [f1] |
 | simple.cpp:84:14:84:20 | this indirection [f1] | simple.cpp:84:14:84:20 | call to getf2f1 |
 | simple.cpp:92:5:92:22 | Store [i] | simple.cpp:93:20:93:20 | Store [i] |
 | simple.cpp:92:11:92:20 | call to user_input | simple.cpp:92:5:92:22 | Store [i] |
@@ -494,7 +494,7 @@ nodes
 | simple.cpp:65:11:65:20 | call to user_input | semmle.label | call to user_input |
 | simple.cpp:66:12:66:12 | Store [i] | semmle.label | Store [i] |
 | simple.cpp:67:13:67:13 | i | semmle.label | i |
-| simple.cpp:83:9:83:28 | Chi [f1] | semmle.label | Chi [f1] |
+| simple.cpp:83:9:83:28 | Store [f1] | semmle.label | Store [f1] |
 | simple.cpp:83:17:83:26 | call to user_input | semmle.label | call to user_input |
 | simple.cpp:84:14:84:20 | call to getf2f1 | semmle.label | call to getf2f1 |
 | simple.cpp:84:14:84:20 | this indirection [f1] | semmle.label | this indirection [f1] |

From afd2f58f9fa6a75a390b818a5ea33cc1ae2b63fb Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Mon, 12 Apr 2021 18:21:05 -0400
Subject: [PATCH 0350/1429] C++: Fix PR feedback

---
 .../cpp/ir/implementation/raw/internal/TranslatedCall.qll   | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
index 0b52937f1cb..56d4c807ac8 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedCall.qll
@@ -495,10 +495,8 @@ class TranslatedSideEffect extends TranslatedElement, TTranslatedArgumentSideEff
   override Instruction getFirstInstruction() { result = getInstruction(OnlyInstructionTag()) }
 
   override predicate hasInstruction(Opcode opcode, InstructionTag tag, CppType type) {
-    (
-      tag = OnlyInstructionTag() and
-      opcode = sideEffectOpcode
-    ) and
+    tag = OnlyInstructionTag() and
+    opcode = sideEffectOpcode and
     (
       isWrite() and
       (

From be39883166a410baabd3c24e9d7c575962ac7a86 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Tue, 13 Apr 2021 14:10:10 +0800
Subject: [PATCH 0351/1429] Change the class name and comment,Use
 .(CompileTimeConstantExpr).getStringValue()

---
 .../Security/CWE/CWE-352/JsonStringLib.qll    | 29 ++++++++++++++-----
 .../Security/CWE/CWE-352/JsonpInjection.ql    |  2 +-
 .../CWE/CWE-352/JsonpInjectionLib.qll         | 14 +++++----
 3 files changed, 32 insertions(+), 13 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonStringLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonStringLib.qll
index 5cc52e97e33..b8f1a13b119 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonStringLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonStringLib.qll
@@ -4,10 +4,15 @@ import semmle.code.java.dataflow.FlowSources
 import DataFlow::PathGraph
 
 /** Json string type data. */
-abstract class JsonpStringSource extends DataFlow::Node { }
+abstract class JsonStringSource extends DataFlow::Node { }
 
-/** Convert to String using Gson library. */
-private class GsonString extends JsonpStringSource {
+/**
+ * Convert to String using Gson library. *
+ *
+ * For example, in the method access `Gson.toJson(...)`,
+ * the `Object` type data is converted to the `String` type data.
+ */
+private class GsonString extends JsonStringSource {
   GsonString() {
     exists(MethodAccess ma, Method m | ma.getMethod() = m |
       m.hasName("toJson") and
@@ -17,8 +22,13 @@ private class GsonString extends JsonpStringSource {
   }
 }
 
-/** Convert to String using Fastjson library. */
-private class FastjsonString extends JsonpStringSource {
+/**
+ * Convert to String using Fastjson library.
+ *
+ * For example, in the method access `JSON.toJSONString(...)`,
+ * the `Object` type data is converted to the `String` type data.
+ */
+private class FastjsonString extends JsonStringSource {
   FastjsonString() {
     exists(MethodAccess ma, Method m | ma.getMethod() = m |
       m.hasName("toJSONString") and
@@ -28,8 +38,13 @@ private class FastjsonString extends JsonpStringSource {
   }
 }
 
-/** Convert to String using Jackson library. */
-private class JacksonString extends JsonpStringSource {
+/**
+ * Convert to String using Jackson library.
+ *
+ * For example, in the method access `ObjectMapper.writeValueAsString(...)`,
+ * the `Object` type data is converted to the `String` type data.
+ */
+private class JacksonString extends JsonStringSource {
   JacksonString() {
     exists(MethodAccess ma, Method m | ma.getMethod() = m |
       m.hasName("writeValueAsString") and
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
index a02891e8a56..927c3db03d2 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -69,4 +69,4 @@ where
   conf.hasFlowPath(source, sink) and
   exists(JsonpInjectionFlowConfig jhfc | jhfc.hasFlowTo(sink.getNode()))
 select sink.getNode(), source, sink, "Jsonp response might include code from $@.", source.getNode(),
-  "this user input"
\ No newline at end of file
+  "this user input"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index f0a1a9de81c..6a21ce8ff3a 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -86,17 +86,21 @@ class SpringControllerRequestMappingGetMethod extends SpringControllerGetMethod
   }
 }
 
-/** A concatenate expression using `(` and `)` or `);`. */
+/**
+ * A concatenate expression using `(` and `)` or `);`.
+ *
+ * E.g: `functionName + "(" + json + ")"` or `functionName + "(" + json + ");"`
+ */
 class JsonpBuilderExpr extends AddExpr {
   JsonpBuilderExpr() {
-    getRightOperand().toString().regexpMatch("\"\\);?\"") and
+    getRightOperand().(CompileTimeConstantExpr).getStringValue().regexpMatch("\\);?") and
     getLeftOperand()
         .(AddExpr)
         .getLeftOperand()
         .(AddExpr)
         .getRightOperand()
-        .toString()
-        .regexpMatch("\"\\(\"")
+        .(CompileTimeConstantExpr)
+        .getStringValue() = "("
   }
 
   /** Get the jsonp function name of this expression. */
@@ -123,7 +127,7 @@ class RemoteFlowConfig extends DataFlow2::Configuration {
 class JsonDataFlowConfig extends DataFlow2::Configuration {
   JsonDataFlowConfig() { this = "JsonDataFlowConfig" }
 
-  override predicate isSource(DataFlow::Node src) { src instanceof JsonpStringSource }
+  override predicate isSource(DataFlow::Node src) { src instanceof JsonStringSource }
 
   override predicate isSink(DataFlow::Node sink) {
     exists(JsonpBuilderExpr jhe | jhe.getJsonExpr() = sink.asExpr())

From c37dbb2e68c4d25c4f0702333c08f1b57c072ab2 Mon Sep 17 00:00:00 2001
From: Marcono1234 <Marcono1234@users.noreply.github.com>
Date: Sat, 10 Apr 2021 03:17:50 +0200
Subject: [PATCH 0352/1429] Java: Override getAPrimaryQlClass() for more
 classes

---
 java/ql/src/semmle/code/FileSystem.qll     | 6 ++++++
 java/ql/src/semmle/code/java/Exception.qll | 2 ++
 java/ql/src/semmle/code/java/Modifier.qll  | 2 ++
 java/ql/src/semmle/code/java/Package.qll   | 2 ++
 java/ql/src/semmle/code/java/Variable.qll  | 2 ++
 java/ql/src/semmle/code/xml/XML.qll        | 2 ++
 6 files changed, 16 insertions(+)

diff --git a/java/ql/src/semmle/code/FileSystem.qll b/java/ql/src/semmle/code/FileSystem.qll
index 28015d3ba4d..13908d547dc 100755
--- a/java/ql/src/semmle/code/FileSystem.qll
+++ b/java/ql/src/semmle/code/FileSystem.qll
@@ -159,6 +159,8 @@ class Folder extends Container, @folder {
 
   /** Gets the URL of this folder. */
   override string getURL() { result = "folder://" + getAbsolutePath() }
+
+  override string getAPrimaryQlClass() { result = "Folder" }
 }
 
 /**
@@ -171,6 +173,8 @@ class File extends Container, @file {
 
   /** Gets the URL of this file. */
   override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" }
+
+  override string getAPrimaryQlClass() { result = "File" }
 }
 
 /**
@@ -204,4 +208,6 @@ class JarFile extends File {
   string getManifestEntryAttribute(string entry, string key) {
     jarManifestEntries(this, entry, key, result)
   }
+
+  override string getAPrimaryQlClass() { result = "JarFile" }
 }
diff --git a/java/ql/src/semmle/code/java/Exception.qll b/java/ql/src/semmle/code/java/Exception.qll
index 242478aa6c8..1e6cb54be0f 100755
--- a/java/ql/src/semmle/code/java/Exception.qll
+++ b/java/ql/src/semmle/code/java/Exception.qll
@@ -27,4 +27,6 @@ class Exception extends Element, @exception {
   override predicate hasName(string name) { this.getType().hasName(name) }
 
   override string toString() { result = this.getType().toString() }
+
+  override string getAPrimaryQlClass() { result = "Exception" }
 }
diff --git a/java/ql/src/semmle/code/java/Modifier.qll b/java/ql/src/semmle/code/java/Modifier.qll
index 8c48ffb117a..7fb9f982616 100755
--- a/java/ql/src/semmle/code/java/Modifier.qll
+++ b/java/ql/src/semmle/code/java/Modifier.qll
@@ -8,6 +8,8 @@ import Element
 class Modifier extends Element, @modifier {
   /** Gets the element to which this modifier applies. */
   Element getElement() { hasModifier(result, this) }
+
+  override string getAPrimaryQlClass() { result = "Modifier" }
 }
 
 /** An element of the Java syntax tree that may have a modifier. */
diff --git a/java/ql/src/semmle/code/java/Package.qll b/java/ql/src/semmle/code/java/Package.qll
index 6cb41ca559f..466c97e561d 100755
--- a/java/ql/src/semmle/code/java/Package.qll
+++ b/java/ql/src/semmle/code/java/Package.qll
@@ -29,4 +29,6 @@ class Package extends Element, Annotatable, @package {
    * since packages do not have locations.
    */
   string getURL() { result = "file://:0:0:0:0" }
+
+  override string getAPrimaryQlClass() { result = "Package" }
 }
diff --git a/java/ql/src/semmle/code/java/Variable.qll b/java/ql/src/semmle/code/java/Variable.qll
index e038f98beaf..439ee5d3f6b 100755
--- a/java/ql/src/semmle/code/java/Variable.qll
+++ b/java/ql/src/semmle/code/java/Variable.qll
@@ -53,6 +53,8 @@ class LocalVariableDecl extends @localvar, LocalScopeVariable {
 
   /** Gets the initializer expression of this local variable declaration. */
   override Expr getInitializer() { result = getDeclExpr().getInit() }
+
+  override string getAPrimaryQlClass() { result = "LocalVariableDecl" }
 }
 
 /** A formal parameter of a callable. */
diff --git a/java/ql/src/semmle/code/xml/XML.qll b/java/ql/src/semmle/code/xml/XML.qll
index 5871fed0ddd..7833f1bdb68 100755
--- a/java/ql/src/semmle/code/xml/XML.qll
+++ b/java/ql/src/semmle/code/xml/XML.qll
@@ -149,6 +149,8 @@ class XMLFile extends XMLParent, File {
 
   /** Gets a DTD associated with this XML file. */
   XMLDTD getADTD() { xmlDTDs(result, _, _, _, this) }
+
+  override string getAPrimaryQlClass() { result = "XMLFile" }
 }
 
 /**

From dee974ff2d9ab9e442b03d8ece4520d0ffbcc5a8 Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Tue, 13 Apr 2021 09:13:47 +0100
Subject: [PATCH 0353/1429] Make Call a subclass of ExprParent. All of its
 subclasses are in any case (via Expr or Stmt)

---
 java/ql/src/semmle/code/java/Expr.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/Expr.qll b/java/ql/src/semmle/code/java/Expr.qll
index a1a1412221b..46186b4ee70 100755
--- a/java/ql/src/semmle/code/java/Expr.qll
+++ b/java/ql/src/semmle/code/java/Expr.qll
@@ -1808,7 +1808,7 @@ class WildcardTypeAccess extends Expr, @wildcardtypeaccess {
  * This includes method calls, constructor and super constructor invocations,
  * and constructors invoked through class instantiation.
  */
-class Call extends Top, @caller {
+class Call extends ExprParent, @caller {
   /** Gets an argument supplied in this call. */
   /*abstract*/ Expr getAnArgument() { none() }
 

From 15c103e42d25b79ec8e9e8d782052d31ec567be4 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Tue, 13 Apr 2021 10:57:15 +0200
Subject: [PATCH 0354/1429] C#: Remove code duplication in `BuildScripts.cs`

---
 .../BuildScripts.cs                           | 50 +++++++------------
 1 file changed, 19 insertions(+), 31 deletions(-)

diff --git a/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BuildScripts.cs b/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BuildScripts.cs
index 9334181fe5a..99ad4c8f963 100644
--- a/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BuildScripts.cs
+++ b/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BuildScripts.cs
@@ -976,12 +976,11 @@ Microsoft.NETCore.App 2.1.4 [/usr/local/share/dotnet/shared/Microsoft.NETCore.Ap
             TestAutobuilderScript(autobuilder, 0, 9);
         }
 
-        [Fact]
-        public void TestDotnetVersionWindows()
+        private void TestDotnetVersionWindows(Action action, int commandsRun)
         {
             actions.RunProcess["cmd.exe /C dotnet --list-sdks"] = 0;
             actions.RunProcessOut["cmd.exe /C dotnet --list-sdks"] = "2.1.3 [C:\\Program Files\\dotnet\\sdks]\n2.1.4 [C:\\Program Files\\dotnet\\sdks]";
-            actions.RunProcess[@"cmd.exe /C pwsh -NoProfile -ExecutionPolicy unrestricted -Command ""[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; &([scriptblock]::Create((Invoke-WebRequest -UseBasicParsing 'https://dot.net/v1/dotnet-install.ps1'))) -Version 2.1.3 -InstallDir C:\Project\.dotnet"""] = 0;
+            action();
             actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet --info"] = 0;
             actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet clean C:\Project\test.csproj"] = 0;
             actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet restore C:\Project\test.csproj"] = 0;
@@ -1004,39 +1003,28 @@ Microsoft.NETCore.App 2.1.4 [/usr/local/share/dotnet/shared/Microsoft.NETCore.Ap
             actions.LoadXml[@"C:\Project\test.csproj"] = xml;
 
             var autobuilder = CreateAutoBuilder(true, dotnetVersion: "2.1.3");
-            TestAutobuilderScript(autobuilder, 0, 6);
+            TestAutobuilderScript(autobuilder, 0, commandsRun);
         }
 
         [Fact]
-        public void TestDotnetVersionWindowsNoPwsh()
+        public void TestDotnetVersionWindowsWithPwsh()
         {
-            actions.RunProcess["cmd.exe /C dotnet --list-sdks"] = 0;
-            actions.RunProcessOut["cmd.exe /C dotnet --list-sdks"] = "2.1.3 [C:\\Program Files\\dotnet\\sdks]\n2.1.4 [C:\\Program Files\\dotnet\\sdks]";
-            actions.RunProcess[@"cmd.exe /C pwsh -NoProfile -ExecutionPolicy unrestricted -Command ""[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; &([scriptblock]::Create((Invoke-WebRequest -UseBasicParsing 'https://dot.net/v1/dotnet-install.ps1'))) -Version 2.1.3 -InstallDir C:\Project\.dotnet"""] = 1;
-            actions.RunProcess[@"cmd.exe /C powershell -NoProfile -ExecutionPolicy unrestricted -Command ""[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; &([scriptblock]::Create((Invoke-WebRequest -UseBasicParsing 'https://dot.net/v1/dotnet-install.ps1'))) -Version 2.1.3 -InstallDir C:\Project\.dotnet"""] = 0;
-            actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet --info"] = 0;
-            actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet clean C:\Project\test.csproj"] = 0;
-            actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet restore C:\Project\test.csproj"] = 0;
-            actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto C:\Project\.dotnet\dotnet build --no-incremental C:\Project\test.csproj"] = 0;
-            actions.FileExists["csharp.log"] = true;
-            actions.FileExists[@"C:\Project\test.csproj"] = true;
-            actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = "";
-            actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = "";
-            actions.GetEnvironmentVariable["PATH"] = "/bin:/usr/bin";
-            actions.EnumerateFiles[@"C:\Project"] = "foo.cs\ntest.cs\ntest.csproj";
-            actions.EnumerateDirectories[@"C:\Project"] = "";
-            var xml = new XmlDocument();
-            xml.LoadXml(@"<Project Sdk=""Microsoft.NET.Sdk"">
-  <PropertyGroup>
-    <OutputType>Exe</OutputType>
-    <TargetFramework>netcoreapp2.1</TargetFramework>
-  </PropertyGroup>
+            TestDotnetVersionWindows(() =>
+            {
+                actions.RunProcess[@"cmd.exe /C pwsh -NoProfile -ExecutionPolicy unrestricted -Command ""[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; &([scriptblock]::Create((Invoke-WebRequest -UseBasicParsing 'https://dot.net/v1/dotnet-install.ps1'))) -Version 2.1.3 -InstallDir C:\Project\.dotnet"""] = 0;
+            },
+            6);
+        }
 
-</Project>");
-            actions.LoadXml[@"C:\Project\test.csproj"] = xml;
-
-            var autobuilder = CreateAutoBuilder(true, dotnetVersion: "2.1.3");
-            TestAutobuilderScript(autobuilder, 0, 7);
+        [Fact]
+        public void TestDotnetVersionWindowsWithoutPwsh()
+        {
+            TestDotnetVersionWindows(() =>
+            {
+                actions.RunProcess[@"cmd.exe /C pwsh -NoProfile -ExecutionPolicy unrestricted -Command ""[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; &([scriptblock]::Create((Invoke-WebRequest -UseBasicParsing 'https://dot.net/v1/dotnet-install.ps1'))) -Version 2.1.3 -InstallDir C:\Project\.dotnet"""] = 1;
+                actions.RunProcess[@"cmd.exe /C powershell -NoProfile -ExecutionPolicy unrestricted -Command ""[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; &([scriptblock]::Create((Invoke-WebRequest -UseBasicParsing 'https://dot.net/v1/dotnet-install.ps1'))) -Version 2.1.3 -InstallDir C:\Project\.dotnet"""] = 0;
+            },
+            7);
         }
 
         [Fact]

From 7c0b0642c89efb06eca443ba46bb7e2738807aac Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Tue, 13 Apr 2021 11:09:27 +0200
Subject: [PATCH 0355/1429] Python: Add imports to make code compile

---
 python/ql/src/Security/CWE-327/FluentApiModel.qll  | 1 +
 python/ql/src/Security/CWE-327/InsecureProtocol.ql | 1 +
 2 files changed, 2 insertions(+)

diff --git a/python/ql/src/Security/CWE-327/FluentApiModel.qll b/python/ql/src/Security/CWE-327/FluentApiModel.qll
index 6010417b68d..a66f949e72d 100644
--- a/python/ql/src/Security/CWE-327/FluentApiModel.qll
+++ b/python/ql/src/Security/CWE-327/FluentApiModel.qll
@@ -1,4 +1,5 @@
 private import python
+private import semmle.python.dataflow.new.DataFlow
 import TlsLibraryModel
 
 /**
diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.ql b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
index e31bf78443b..99e2d83420d 100644
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -10,6 +10,7 @@
  */
 
 import python
+import semmle.python.dataflow.new.DataFlow
 import FluentApiModel
 
 // Helper for pretty printer `configName`.

From 178cb6c90faa726331b5b6658863b22d156130c2 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Tue, 13 Apr 2021 11:26:05 +0200
Subject: [PATCH 0356/1429] Python: Bit too eager with the modernisation...
 Lift type restrictions to recover results.

---
 python/ql/src/Security/CWE-327/Ssl.qll | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index 99bb24b7076..c1c6d65402c 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -45,7 +45,7 @@ class WrapSocketCall extends ConnectionCreation, DataFlow::CallCfgNode {
   }
 }
 
-class OptionsAugOr extends ProtocolRestriction, DataFlow::CallCfgNode {
+class OptionsAugOr extends ProtocolRestriction, DataFlow::CfgNode {
   ProtocolVersion restriction;
 
   OptionsAugOr() {
@@ -68,7 +68,7 @@ class OptionsAugOr extends ProtocolRestriction, DataFlow::CallCfgNode {
   override ProtocolVersion getRestriction() { result = restriction }
 }
 
-class OptionsAugAndNot extends ProtocolUnrestriction, DataFlow::CallCfgNode {
+class OptionsAugAndNot extends ProtocolUnrestriction, DataFlow::CfgNode {
   ProtocolVersion restriction;
 
   OptionsAugAndNot() {
@@ -126,7 +126,7 @@ predicate impliesBitSet(BinaryExpr whole, Expr part, boolean partHasBitSet, bool
   )
 }
 
-class ContextSetVersion extends ProtocolRestriction, ProtocolUnrestriction, DataFlow::CallCfgNode {
+class ContextSetVersion extends ProtocolRestriction, ProtocolUnrestriction, DataFlow::CfgNode {
   ProtocolVersion restriction;
 
   ContextSetVersion() {

From 7c13163413f3167355ec449d08579c704675c7f5 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Thu, 1 Apr 2021 11:49:17 +0100
Subject: [PATCH 0357/1429] JS: Lift JSON accessors to JSONValue

---
 javascript/ql/src/semmle/javascript/JSON.qll | 29 +++++++++++++-------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/JSON.qll b/javascript/ql/src/semmle/javascript/JSON.qll
index f0f4f59e98e..ed3f6f69637 100644
--- a/javascript/ql/src/semmle/javascript/JSON.qll
+++ b/javascript/ql/src/semmle/javascript/JSON.qll
@@ -41,6 +41,21 @@ class JSONValue extends @json_value, Locatable {
     )
   }
 
+  /** If this is an object, gets the value of property `name`. */
+  JSONValue getPropValue(string name) { json_properties(this, name, result) }
+
+  /** If this is an array, gets the value of the `i`th element. */
+  JSONValue getElementValue(int i) { result = this.(JSONArray).getChild(i) }
+
+  /** If this is a string constant, gets the value of the string. */
+  string getStringValue() { result = this.(JSONString).getValue() }
+
+  /** If this is an integer constant, gets its numeric value. */
+  int getIntValue() { result = this.(JSONNumber).getValue().toInt() }
+
+  /** If this is a boolean constant, gets its boolean value. */
+  boolean getBooleanValue() { result.toString() = this.(JSONBoolean).getValue() }
+
   override string getAPrimaryQlClass() { result = "JSONValue" }
 }
 
@@ -129,13 +144,10 @@ class JSONString extends @json_string, JSONPrimitiveValue {
  * ```
  */
 class JSONArray extends @json_array, JSONValue {
-  /** Gets the value of the `i`th element of this array. */
-  JSONValue getElementValue(int i) { result = getChild(i) }
+  override string getAPrimaryQlClass() { result = "JSONArray" }
 
   /** Gets the string value of the `i`th element of this array. */
-  string getElementStringValue(int i) { result = getElementValue(i).(JSONString).getValue() }
-
-  override string getAPrimaryQlClass() { result = "JSONArray" }
+  string getElementStringValue(int i) { result = getElementValue(i).getStringValue() }
 }
 
 /**
@@ -148,13 +160,10 @@ class JSONArray extends @json_array, JSONValue {
  * ```
  */
 class JSONObject extends @json_object, JSONValue {
-  /** Gets the value of property `name` of this object. */
-  JSONValue getPropValue(string name) { json_properties(this, name, result) }
+  override string getAPrimaryQlClass() { result = "JSONObject" }
 
   /** Gets the string value of property `name` of this object. */
-  string getPropStringValue(string name) { result = getPropValue(name).(JSONString).getValue() }
-
-  override string getAPrimaryQlClass() { result = "JSONObject" }
+  string getPropStringValue(string name) { result = getPropValue(name).getStringValue() }
 }
 
 /**

From 929d9da4b4c9d9830689ad01960eb1ce22dda406 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Fri, 9 Apr 2021 11:37:57 +0100
Subject: [PATCH 0358/1429] JS: Migrate to new JSON API

---
 .../ql/src/Declarations/UnusedVariable.ql     |  4 ++--
 javascript/ql/src/semmle/javascript/NPM.qll   | 22 +++++++++----------
 javascript/ql/src/semmle/javascript/Paths.qll | 12 +++-------
 .../semmle/javascript/frameworks/Babel.qll    |  8 +++----
 .../security/dataflow/RemoteFlowSources.qll   |  2 +-
 5 files changed, 21 insertions(+), 27 deletions(-)

diff --git a/javascript/ql/src/Declarations/UnusedVariable.ql b/javascript/ql/src/Declarations/UnusedVariable.ql
index 90c3948b634..73879557159 100644
--- a/javascript/ql/src/Declarations/UnusedVariable.ql
+++ b/javascript/ql/src/Declarations/UnusedVariable.ql
@@ -65,8 +65,8 @@ predicate isReactForJSX(UnusedLocal v) {
       v.getName() =
         tsconfig
             .getPropValue("compilerOptions")
-            .(JSONObject)
-            .getPropStringValue(["jsxFactory", "jsxFragmentFactory"])
+            .getPropValue(["jsxFactory", "jsxFragmentFactory"])
+            .getStringValue()
     )
   )
 }
diff --git a/javascript/ql/src/semmle/javascript/NPM.qll b/javascript/ql/src/semmle/javascript/NPM.qll
index 8351c4266cf..abea13b9d72 100644
--- a/javascript/ql/src/semmle/javascript/NPM.qll
+++ b/javascript/ql/src/semmle/javascript/NPM.qll
@@ -41,7 +41,7 @@ class PackageJSON extends JSONObject {
 
   /** Gets information for a contributor to this package. */
   ContributorInfo getAContributor() {
-    result = getPropValue("contributors").(JSONArray).getElementValue(_)
+    result = getPropValue("contributors").getElementValue(_)
   }
 
   /** Gets the array of files for this package. */
@@ -57,13 +57,13 @@ class PackageJSON extends JSONObject {
   string getBin(string cmd) {
     cmd = getPackageName() and result = getPropStringValue("bin")
     or
-    result = getPropValue("bin").(JSONObject).getPropStringValue(cmd)
+    result = getPropValue("bin").getPropValue(cmd).getStringValue()
   }
 
   /** Gets a manual page for this package. */
   string getAManFile() {
     result = getPropStringValue("man") or
-    result = getPropValue("man").(JSONArray).getElementStringValue(_)
+    result = getPropValue("man").getElementValue(_).getStringValue()
   }
 
   /** Gets information about the directories of this package. */
@@ -191,12 +191,12 @@ class BugTrackerInfo extends JSONValue {
 
   /** Gets the bug tracker URL. */
   string getUrl() {
-    result = this.(JSONObject).getPropStringValue("url") or
-    result = this.(JSONString).getValue()
+    result = this.getPropValue("url").getStringValue() or
+    result = this.getStringValue()
   }
 
   /** Gets the bug reporting email address. */
-  string getEmail() { result = this.(JSONObject).getPropStringValue("email") }
+  string getEmail() { result = this.getPropValue("email").getStringValue() }
 }
 
 /**
@@ -206,7 +206,7 @@ class ContributorInfo extends JSONValue {
   ContributorInfo() {
     exists(PackageJSON pkg |
       this = pkg.getPropValue("author") or
-      this = pkg.getPropValue("contributors").(JSONArray).getElementValue(_)
+      this = pkg.getPropValue("contributors").getElementValue(_)
     ) and
     (this instanceof JSONObject or this instanceof JSONString)
   }
@@ -217,24 +217,24 @@ class ContributorInfo extends JSONValue {
    * homepage URL.
    */
   private string parseInfo(int group) {
-    result = this.(JSONString).getValue().regexpCapture("(.*?)(?: <(.*?)>)?(?: \\((.*)?\\))", group)
+    result = this.getStringValue().regexpCapture("(.*?)(?: <(.*?)>)?(?: \\((.*)?\\))", group)
   }
 
   /** Gets the contributor's name. */
   string getName() {
-    result = this.(JSONObject).getPropStringValue("name") or
+    result = this.getPropValue("name").getStringValue() or
     result = parseInfo(1)
   }
 
   /** Gets the contributor's email address. */
   string getEmail() {
-    result = this.(JSONObject).getPropStringValue("email") or
+    result = this.getPropValue("email").getStringValue() or
     result = parseInfo(2)
   }
 
   /** Gets the contributor's homepage URL. */
   string getUrl() {
-    result = this.(JSONObject).getPropStringValue("url") or
+    result = this.getPropValue("url").getStringValue() or
     result = parseInfo(3)
   }
 }
diff --git a/javascript/ql/src/semmle/javascript/Paths.qll b/javascript/ql/src/semmle/javascript/Paths.qll
index 37098fc130f..a166b0d2d94 100644
--- a/javascript/ql/src/semmle/javascript/Paths.qll
+++ b/javascript/ql/src/semmle/javascript/Paths.qll
@@ -236,10 +236,8 @@ private module TypeScriptOutDir {
     result =
       tsconfig
           .getPropValue("compilerOptions")
-          .(JSONObject)
           .getPropValue("outDir")
-          .(JSONString)
-          .getValue()
+          .getStringValue()
   }
 
   /**
@@ -283,10 +281,8 @@ private module TypeScriptOutDir {
     result =
       getRootFolderFromPath(tsconfig
             .getPropValue("include")
-            .(JSONArray)
             .getElementValue(_)
-            .(JSONString)
-            .getValue())
+            .getStringValue())
   }
 
   /**
@@ -297,10 +293,8 @@ private module TypeScriptOutDir {
     result =
       tsconfig
           .getPropValue("compilerOptions")
-          .(JSONObject)
           .getPropValue("rootDir")
-          .(JSONString)
-          .getValue()
+          .getStringValue()
   }
 }
 
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Babel.qll b/javascript/ql/src/semmle/javascript/frameworks/Babel.qll
index 9e112f05776..bdacce9142b 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Babel.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Babel.qll
@@ -24,9 +24,9 @@ module Babel {
         plugins = getPropValue("plugins") and
         result = plugins.getElementValue(_)
       |
-        result.(JSONString).getValue() = pluginName
+        result.getStringValue() = pluginName
         or
-        result.(JSONArray).getElementStringValue(0) = pluginName
+        result.getElementValue(0).getStringValue() = pluginName
       )
     }
 
@@ -67,7 +67,7 @@ module Babel {
     JSONValue getOptions() { result = this.(JSONArray).getElementValue(1) }
 
     /** Gets a named option from the option object, if present. */
-    JSONValue getOption(string name) { result = getOptions().(JSONObject).getPropValue(name) }
+    JSONValue getOption(string name) { result = getOptions().getPropValue(name) }
 
     /** Holds if this plugin applies to `tl`. */
     predicate appliesTo(TopLevel tl) { cfg.appliesTo(tl) }
@@ -186,7 +186,7 @@ module Babel {
     TransformReactJsxConfig() { pluginName = "transform-react-jsx" }
 
     /** Gets the name of the variable used to create JSX elements. */
-    string getJsxFactoryVariableName() { result = getOption("pragma").(JSONString).getValue() }
+    string getJsxFactoryVariableName() { result = getOption("pragma").getStringValue() }
   }
 
   /**
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/RemoteFlowSources.qll b/javascript/ql/src/semmle/javascript/security/dataflow/RemoteFlowSources.qll
index c5a39772cf4..89574f4886b 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/RemoteFlowSources.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/RemoteFlowSources.qll
@@ -108,7 +108,7 @@ private class RemoteFlowSourceAccessPath extends JSONString {
     exists(JSONObject specs |
       specs.isTopLevel() and
       this.getFile().getBaseName() = "codeql-javascript-remote-flow-sources.json" and
-      this = specs.getPropValue(sourceType).(JSONArray).getElementValue(_) and
+      this = specs.getPropValue(sourceType).getElementValue(_) and
       this.getValue().regexpMatch("window(\\.\\w+)+")
     )
   }

From e77117f902a7bc62771d6900fbd615cb54e1ab54 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Tue, 13 Apr 2021 10:16:41 +0100
Subject: [PATCH 0359/1429] JS: Autoformat

---
 javascript/ql/src/semmle/javascript/NPM.qll   |  4 +---
 javascript/ql/src/semmle/javascript/Paths.qll | 17 +++--------------
 2 files changed, 4 insertions(+), 17 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/NPM.qll b/javascript/ql/src/semmle/javascript/NPM.qll
index abea13b9d72..8c46cd5901b 100644
--- a/javascript/ql/src/semmle/javascript/NPM.qll
+++ b/javascript/ql/src/semmle/javascript/NPM.qll
@@ -40,9 +40,7 @@ class PackageJSON extends JSONObject {
   ContributorInfo getAuthor() { result = getPropValue("author") }
 
   /** Gets information for a contributor to this package. */
-  ContributorInfo getAContributor() {
-    result = getPropValue("contributors").getElementValue(_)
-  }
+  ContributorInfo getAContributor() { result = getPropValue("contributors").getElementValue(_) }
 
   /** Gets the array of files for this package. */
   JSONArray getFiles() { result = getPropValue("files") }
diff --git a/javascript/ql/src/semmle/javascript/Paths.qll b/javascript/ql/src/semmle/javascript/Paths.qll
index a166b0d2d94..64ff25c3220 100644
--- a/javascript/ql/src/semmle/javascript/Paths.qll
+++ b/javascript/ql/src/semmle/javascript/Paths.qll
@@ -233,11 +233,7 @@ private module TypeScriptOutDir {
     tsconfig.getFile().getBaseName().regexpMatch("tsconfig.*\\.json") and
     tsconfig.isTopLevel() and
     tsconfig.getFile().getParentContainer() = parent and
-    result =
-      tsconfig
-          .getPropValue("compilerOptions")
-          .getPropValue("outDir")
-          .getStringValue()
+    result = tsconfig.getPropValue("compilerOptions").getPropValue("outDir").getStringValue()
   }
 
   /**
@@ -279,10 +275,7 @@ private module TypeScriptOutDir {
   pragma[inline]
   private string getARootDirFromInclude(JSONObject tsconfig) {
     result =
-      getRootFolderFromPath(tsconfig
-            .getPropValue("include")
-            .getElementValue(_)
-            .getStringValue())
+      getRootFolderFromPath(tsconfig.getPropValue("include").getElementValue(_).getStringValue())
   }
 
   /**
@@ -290,11 +283,7 @@ private module TypeScriptOutDir {
    */
   pragma[inline]
   private string getRootDir(JSONObject tsconfig) {
-    result =
-      tsconfig
-          .getPropValue("compilerOptions")
-          .getPropValue("rootDir")
-          .getStringValue()
+    result = tsconfig.getPropValue("compilerOptions").getPropValue("rootDir").getStringValue()
   }
 }
 

From 30fbb8f1e7993ba509378c65e78d391aaa604791 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Tue, 13 Apr 2021 11:34:47 +0200
Subject: [PATCH 0360/1429] Python: clean up interface

---
 python/ql/src/Security/CWE-327/PyOpenSSL.qll       |  2 +-
 python/ql/src/Security/CWE-327/Ssl.qll             | 14 +++++++-------
 python/ql/src/Security/CWE-327/TlsLibraryModel.qll |  2 +-
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/PyOpenSSL.qll b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
index 9f42b83572e..d886d46efef 100644
--- a/python/ql/src/Security/CWE-327/PyOpenSSL.qll
+++ b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
@@ -69,7 +69,7 @@ class PyOpenSSL extends TlsLibrary {
     result instanceof PyOpenSSLContextCreation
   }
 
-  override DataFlow::CfgNode insecure_connection_creation(ProtocolVersion version) { none() }
+  override DataFlow::Node insecure_connection_creation(ProtocolVersion version) { none() }
 
   override ConnectionCreation connection_creation() { result instanceof ConnectionCall }
 
diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index c1c6d65402c..e943470e917 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -40,7 +40,7 @@ API::Node sslContextInstance() {
 class WrapSocketCall extends ConnectionCreation, DataFlow::CallCfgNode {
   WrapSocketCall() { this = sslContextInstance().getMember("wrap_socket").getACall() }
 
-  override DataFlow::CfgNode getContext() {
+  override DataFlow::Node getContext() {
     result = this.getFunction().(DataFlow::AttrRead).getObject()
   }
 }
@@ -63,7 +63,7 @@ class OptionsAugOr extends ProtocolRestriction, DataFlow::CfgNode {
     )
   }
 
-  override DataFlow::CfgNode getContext() { result = this }
+  override DataFlow::Node getContext() { result = this }
 
   override ProtocolVersion getRestriction() { result = restriction }
 }
@@ -88,7 +88,7 @@ class OptionsAugAndNot extends ProtocolUnrestriction, DataFlow::CfgNode {
     )
   }
 
-  override DataFlow::CfgNode getContext() { result = this }
+  override DataFlow::Node getContext() { result = this }
 
   override ProtocolVersion getUnrestriction() { result = restriction }
 }
@@ -138,7 +138,7 @@ class ContextSetVersion extends ProtocolRestriction, ProtocolUnrestriction, Data
     )
   }
 
-  override DataFlow::CfgNode getContext() { result = this }
+  override DataFlow::Node getContext() { result = this }
 
   override ProtocolVersion getRestriction() { result.lessThan(restriction) }
 
@@ -159,7 +159,7 @@ class UnspecificSSLContextCreation extends SSLContextCreation, UnspecificContext
 }
 
 class UnspecificSSLDefaultContextCreation extends SSLDefaultContextCreation, ProtocolUnrestriction {
-  override DataFlow::CfgNode getContext() { result = this }
+  override DataFlow::Node getContext() { result = this }
 
   // see https://docs.python.org/3/library/ssl.html#ssl.create_default_context
   override ProtocolVersion getUnrestriction() {
@@ -186,9 +186,9 @@ class Ssl extends TlsLibrary {
 
   override ContextCreation specific_context_creation() { result instanceof SSLContextCreation }
 
-  override DataFlow::CfgNode insecure_connection_creation(ProtocolVersion version) {
+  override DataFlow::CallCfgNode insecure_connection_creation(ProtocolVersion version) {
     result = API::moduleImport("ssl").getMember("wrap_socket").getACall() and
-    this.specific_version(version) = result.(DataFlow::CallCfgNode).getArgByName("ssl_version") and
+    this.specific_version(version) = result.getArgByName("ssl_version") and
     version.isInsecure()
   }
 
diff --git a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
index cd38ad4ab5e..ba54ea3ccd4 100644
--- a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
+++ b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
@@ -124,7 +124,7 @@ abstract class TlsLibrary extends string {
   }
 
   /** A connection is created in an insecure manner, not from a context. */
-  abstract DataFlow::CfgNode insecure_connection_creation(ProtocolVersion version);
+  abstract DataFlow::Node insecure_connection_creation(ProtocolVersion version);
 
   /** A connection is created from a context. */
   abstract ConnectionCreation connection_creation();

From 45e1a61d7bc8996af158130449763b00bedd7a69 Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Tue, 13 Apr 2021 10:11:37 +0100
Subject: [PATCH 0361/1429] Mark test as bad-but-missed

This test ought ideally to be caught, but isn't by the current version of the query.
---
 .../security/CWE-1004/SensitiveCookieNotHttpOnly.java         | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
index 4ad7aa5dd95..627575c8403 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.java
@@ -137,7 +137,9 @@ class SensitiveCookieNotHttpOnly {
         response.addCookie(createCookie("refresh_token", refreshToken, true));
     }
 
-    // GOOD - Tests set a sensitive cookie header with the `HttpOnly` flag not set through a boolean variable using a wrapper method.
+    // BAD (but not detected) - Tests set a sensitive cookie header with the `HttpOnly` flag not set through a boolean variable using a wrapper method.
+    // This example is missed because the `cookie.setHttpOnly` call in `createCookie` is thought to maybe set the HTTP-only flag, and the `cookie`
+    // object flows to this `addCookie` call.
     public void addCookie15(HttpServletRequest request, HttpServletResponse response, String refreshToken) {
         response.addCookie(createCookie("refresh_token", refreshToken, false));
     }

From f22b11881e080e49a39773fe9c34d516e6a99b65 Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Tue, 13 Apr 2021 10:28:15 +0100
Subject: [PATCH 0362/1429] Minimise stubs

By removing all business logic from the stubs, we better test that our analysis treats them as opaque and does not rely on their internal structure
---
 .../javax/ws/rs/core/Cookie.java              | 12 -------
 .../javax/ws/rs/core/NewCookie.java           | 36 +++++--------------
 2 files changed, 8 insertions(+), 40 deletions(-)

diff --git a/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/Cookie.java b/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/Cookie.java
index 2726c3d27dd..6853f72ecd8 100644
--- a/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/Cookie.java
+++ b/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/Cookie.java
@@ -56,11 +56,6 @@ public class Cookie {
      * Cookies using the default version correspond to RFC 2109.
      */
     public static final int DEFAULT_VERSION = 1;
-    private final String name;
-    private final String value;
-    private final int version;
-    private final String path;
-    private final String domain;
 
     /**
      * Create a new instance.
@@ -74,11 +69,6 @@ public class Cookie {
      */
     public Cookie(final String name, final String value, final String path, final String domain, final int version)
             throws IllegalArgumentException {
-        this.name = name;
-        this.value = value;
-        this.version = version;
-        this.domain = domain;
-        this.path = path;
     }
 
     /**
@@ -92,7 +82,6 @@ public class Cookie {
      */
     public Cookie(final String name, final String value, final String path, final String domain)
             throws IllegalArgumentException {
-        this(name, value, path, domain, DEFAULT_VERSION);
     }
 
     /**
@@ -104,7 +93,6 @@ public class Cookie {
      */
     public Cookie(final String name, final String value)
             throws IllegalArgumentException {
-        this(name, value, null, null);
     }
 
     /**
diff --git a/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/NewCookie.java b/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/NewCookie.java
index 26279d7fe0a..046bb15da12 100644
--- a/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/NewCookie.java
+++ b/java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/NewCookie.java
@@ -57,12 +57,6 @@ public class NewCookie extends Cookie {
      */
     public static final int DEFAULT_MAX_AGE = -1;
 
-    private final String comment;
-    private final int maxAge;
-    private final Date expiry;
-    private final boolean secure;
-    private final boolean httpOnly;
-
     /**
      * Create a new instance.
      *
@@ -71,7 +65,7 @@ public class NewCookie extends Cookie {
      * @throws IllegalArgumentException if name is {@code null}.
      */
     public NewCookie(String name, String value) {
-        this(name, value, null, null, DEFAULT_VERSION, null, DEFAULT_MAX_AGE, null, false, false);
+        super("", "");
     }
 
     /**
@@ -93,7 +87,7 @@ public class NewCookie extends Cookie {
                      String comment,
                      int maxAge,
                      boolean secure) {
-        this(name, value, path, domain, DEFAULT_VERSION, comment, maxAge, null, secure, false);                  
+        super("", "");
     }
 
     /**
@@ -118,7 +112,7 @@ public class NewCookie extends Cookie {
                      int maxAge,
                      boolean secure,
                      boolean httpOnly) {
-        this(name, value, path, domain, DEFAULT_VERSION, comment, maxAge, null, secure, httpOnly);
+        super("", "");
     }
 
     /**
@@ -142,7 +136,7 @@ public class NewCookie extends Cookie {
                      String comment,
                      int maxAge,
                      boolean secure) {
-        this(name, value, path, domain, version, comment, maxAge, null, secure, false);                 
+        super("", "");
     }
 
     /**
@@ -171,12 +165,7 @@ public class NewCookie extends Cookie {
                      Date expiry,
                      boolean secure,
                      boolean httpOnly) {
-            super(name, value, path, domain, version);
-            this.comment = comment;
-            this.maxAge = maxAge;
-            this.expiry = expiry;
-            this.secure = secure;
-            this.httpOnly = httpOnly;
+        super("", "");
     }
 
     /**
@@ -186,7 +175,7 @@ public class NewCookie extends Cookie {
      * @throws IllegalArgumentException if cookie is {@code null}.
      */
     public NewCookie(Cookie cookie) {
-        this(cookie, null, DEFAULT_MAX_AGE, null, false, false);
+        super("", "");
     }
 
     /**
@@ -199,7 +188,7 @@ public class NewCookie extends Cookie {
      * @throws IllegalArgumentException if cookie is {@code null}.
      */
     public NewCookie(Cookie cookie, String comment, int maxAge, boolean secure) {
-        this(cookie, comment, maxAge, null, secure, false);
+        super("", "");
     }
 
     /**
@@ -215,16 +204,7 @@ public class NewCookie extends Cookie {
      * @since 2.0
      */
     public NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly) {
-        super(cookie == null ? null : cookie.getName(),
-        cookie == null ? null : cookie.getValue(),
-        cookie == null ? null : cookie.getPath(),
-        cookie == null ? null : cookie.getDomain(),
-        cookie == null ? Cookie.DEFAULT_VERSION : cookie.getVersion());
-        this.comment = comment;
-        this.maxAge = maxAge;
-        this.expiry = expiry;
-        this.secure = secure;
-        this.httpOnly = httpOnly;        
+        super("", "");
     }
 
     /**

From 98d936d8b3e8a232355b4dacce7f4971273aba0a Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 13 Apr 2021 11:43:00 +0000
Subject: [PATCH 0363/1429] Python: Tornado cleanup using API graphs

I wasn't able to roll out API graphs as widely in Tornado as I had
hoped, since we're lacking the "def" part. This means most of the
`InstanceSource` machinery will have to stay.
---
 .../src/semmle/python/frameworks/Tornado.qll  | 195 +++---------------
 1 file changed, 32 insertions(+), 163 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Tornado.qll b/python/ql/src/semmle/python/frameworks/Tornado.qll
index a43edcaca90..6268c9f0a4d 100644
--- a/python/ql/src/semmle/python/frameworks/Tornado.qll
+++ b/python/ql/src/semmle/python/frameworks/Tornado.qll
@@ -8,6 +8,7 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
 private import semmle.python.regex
 
 /**
@@ -19,54 +20,13 @@ private module Tornado {
   // tornado
   // ---------------------------------------------------------------------------
   /** Gets a reference to the `tornado` module. */
-  private DataFlow::Node tornado(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("tornado")
-    or
-    exists(DataFlow::TypeTracker t2 | result = tornado(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `tornado` module. */
-  DataFlow::Node tornado() { result = tornado(DataFlow::TypeTracker::end()) }
+  API::Node tornado() { result = API::moduleImport("tornado") }
 
   /**
    * Gets a reference to the attribute `attr_name` of the `tornado` module.
    * WARNING: Only holds for a few predefined attributes.
    */
-  private DataFlow::Node tornado_attr(DataFlow::TypeTracker t, string attr_name) {
-    attr_name in ["web", "httputil"] and
-    (
-      t.start() and
-      result = DataFlow::importNode("tornado" + "." + attr_name)
-      or
-      t.startInAttr(attr_name) and
-      result = tornado()
-    )
-    or
-    // Due to bad performance when using normal setup with `tornado_attr(t2, attr_name).track(t2, t)`
-    // we have inlined that code and forced a join
-    exists(DataFlow::TypeTracker t2 |
-      exists(DataFlow::StepSummary summary |
-        tornado_attr_first_join(t2, attr_name, result, summary) and
-        t = t2.append(summary)
-      )
-    )
-  }
-
-  pragma[nomagic]
-  private predicate tornado_attr_first_join(
-    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
-  ) {
-    DataFlow::StepSummary::step(tornado_attr(t2, attr_name), res, summary)
-  }
-
-  /**
-   * Gets a reference to the attribute `attr_name` of the `tornado` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private DataFlow::Node tornado_attr(string attr_name) {
-    result = tornado_attr(DataFlow::TypeTracker::end(), attr_name)
-  }
+  private API::Node tornado_attr(string attr_name) { result = tornado().getMember(attr_name) }
 
   /** Provides models for the `tornado` module. */
   module tornado {
@@ -74,7 +34,7 @@ private module Tornado {
     // tornado.web
     // -------------------------------------------------------------------------
     /** Gets a reference to the `tornado.web` module. */
-    DataFlow::Node web() { result = tornado_attr("web") }
+    API::Node web() { result = tornado_attr("web") }
 
     /** Provides models for the `tornado.web` module */
     module web {
@@ -82,41 +42,7 @@ private module Tornado {
        * Gets a reference to the attribute `attr_name` of the `tornado.web` module.
        * WARNING: Only holds for a few predefined attributes.
        */
-      private DataFlow::Node web_attr(DataFlow::TypeTracker t, string attr_name) {
-        attr_name in ["RequestHandler", "Application"] and
-        (
-          t.start() and
-          result = DataFlow::importNode("tornado.web" + "." + attr_name)
-          or
-          t.startInAttr(attr_name) and
-          result = web()
-        )
-        or
-        // Due to bad performance when using normal setup with `web_attr(t2, attr_name).track(t2, t)`
-        // we have inlined that code and forced a join
-        exists(DataFlow::TypeTracker t2 |
-          exists(DataFlow::StepSummary summary |
-            web_attr_first_join(t2, attr_name, result, summary) and
-            t = t2.append(summary)
-          )
-        )
-      }
-
-      pragma[nomagic]
-      private predicate web_attr_first_join(
-        DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-        DataFlow::StepSummary summary
-      ) {
-        DataFlow::StepSummary::step(web_attr(t2, attr_name), res, summary)
-      }
-
-      /**
-       * Gets a reference to the attribute `attr_name` of the `tornado.web` module.
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private DataFlow::Node web_attr(string attr_name) {
-        result = web_attr(DataFlow::TypeTracker::end(), attr_name)
-      }
+      private API::Node web_attr(string attr_name) { result = web().getMember(attr_name) }
 
       /**
        * Provides models for the `tornado.web.RequestHandler` class and subclasses.
@@ -125,22 +51,11 @@ private module Tornado {
        */
       module RequestHandler {
         /** Gets a reference to the `tornado.web.RequestHandler` class or any subclass. */
-        private DataFlow::Node subclassRef(DataFlow::TypeTracker t) {
-          t.start() and
-          result = web_attr("RequestHandler")
-          or
-          // subclasses in project code
-          result.asExpr().(ClassExpr).getABase() = subclassRef(t.continue()).asExpr()
-          or
-          exists(DataFlow::TypeTracker t2 | result = subclassRef(t2).track(t2, t))
-        }
-
-        /** Gets a reference to the `tornado.web.RequestHandler` class or any subclass. */
-        DataFlow::Node subclassRef() { result = subclassRef(DataFlow::TypeTracker::end()) }
+        API::Node subclassRef() { result = web_attr("RequestHandler").getASubclass*() }
 
         /** A RequestHandler class (most likely in project code). */
         class RequestHandlerClass extends Class {
-          RequestHandlerClass() { this.getParent() = subclassRef().asExpr() }
+          RequestHandlerClass() { this.getParent() = subclassRef().getAUse().asExpr() }
 
           /** Gets a function that could handle incoming requests, if any. */
           Function getARequestHandler() {
@@ -151,7 +66,7 @@ private module Tornado {
           }
 
           /** Gets a reference to this class. */
-          private DataFlow::Node getARef(DataFlow::TypeTracker t) {
+          private DataFlow::LocalSourceNode getARef(DataFlow::TypeTracker t) {
             t.start() and
             result.asExpr().(ClassExpr) = this.getParent()
             or
@@ -159,7 +74,7 @@ private module Tornado {
           }
 
           /** Gets a reference to this class. */
-          DataFlow::Node getARef() { result = this.getARef(DataFlow::TypeTracker::end()) }
+          DataFlow::Node getARef() { this.getARef(DataFlow::TypeTracker::end()).flowsTo(result) }
         }
 
         /**
@@ -184,7 +99,7 @@ private module Tornado {
         }
 
         /** Gets a reference to an instance of the `tornado.web.RequestHandler` class or any subclass. */
-        private DataFlow::Node instance(DataFlow::TypeTracker t) {
+        private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
           t.start() and
           result instanceof InstanceSource
           or
@@ -192,10 +107,10 @@ private module Tornado {
         }
 
         /** Gets a reference to an instance of the `tornado.web.RequestHandler` class or any subclass. */
-        DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+        DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
 
         /** Gets a reference to one of the methods `get_argument`, `get_body_argument`, `get_query_argument`. */
-        private DataFlow::Node argumentMethod(DataFlow::TypeTracker t) {
+        private DataFlow::LocalSourceNode argumentMethod(DataFlow::TypeTracker t) {
           t.startInAttr(["get_argument", "get_body_argument", "get_query_argument"]) and
           result = instance()
           or
@@ -203,10 +118,12 @@ private module Tornado {
         }
 
         /** Gets a reference to one of the methods `get_argument`, `get_body_argument`, `get_query_argument`. */
-        DataFlow::Node argumentMethod() { result = argumentMethod(DataFlow::TypeTracker::end()) }
+        DataFlow::Node argumentMethod() {
+          argumentMethod(DataFlow::TypeTracker::end()).flowsTo(result)
+        }
 
         /** Gets a reference to one of the methods `get_arguments`, `get_body_arguments`, `get_query_arguments`. */
-        private DataFlow::Node argumentsMethod(DataFlow::TypeTracker t) {
+        private DataFlow::LocalSourceNode argumentsMethod(DataFlow::TypeTracker t) {
           t.startInAttr(["get_arguments", "get_body_arguments", "get_query_arguments"]) and
           result = instance()
           or
@@ -217,7 +134,7 @@ private module Tornado {
         DataFlow::Node argumentsMethod() { result = argumentsMethod(DataFlow::TypeTracker::end()) }
 
         /** Gets a reference the `redirect` method. */
-        private DataFlow::Node redirectMethod(DataFlow::TypeTracker t) {
+        private DataFlow::LocalSourceNode redirectMethod(DataFlow::TypeTracker t) {
           t.startInAttr("redirect") and
           result = instance()
           or
@@ -225,10 +142,12 @@ private module Tornado {
         }
 
         /** Gets a reference the `redirect` method. */
-        DataFlow::Node redirectMethod() { result = redirectMethod(DataFlow::TypeTracker::end()) }
+        DataFlow::Node redirectMethod() {
+          redirectMethod(DataFlow::TypeTracker::end()).flowsTo(result)
+        }
 
         /** Gets a reference to the `write` method. */
-        private DataFlow::Node writeMethod(DataFlow::TypeTracker t) {
+        private DataFlow::LocalSourceNode writeMethod(DataFlow::TypeTracker t) {
           t.startInAttr("write") and
           result = instance()
           or
@@ -236,7 +155,7 @@ private module Tornado {
         }
 
         /** Gets a reference to the `write` method. */
-        DataFlow::Node writeMethod() { result = writeMethod(DataFlow::TypeTracker::end()) }
+        DataFlow::Node writeMethod() { writeMethod(DataFlow::TypeTracker::end()).flowsTo(result) }
 
         private class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
           override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
@@ -279,15 +198,7 @@ private module Tornado {
        */
       module Application {
         /** Gets a reference to the `tornado.web.Application` class. */
-        private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-          t.start() and
-          result = web_attr("Application")
-          or
-          exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
-        }
-
-        /** Gets a reference to the `tornado.web.Application` class. */
-        DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+        API::Node classRef() { result = web_attr("Application") }
 
         /**
          * A source of instances of `tornado.web.Application`, extend this class to model new instances.
@@ -304,11 +215,11 @@ private module Tornado {
         class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
           override CallNode node;
 
-          ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+          ClassInstantiation() { this = classRef().getACall() }
         }
 
         /** Gets a reference to an instance of `tornado.web.Application`. */
-        private DataFlow::Node instance(DataFlow::TypeTracker t) {
+        private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
           t.start() and
           result instanceof InstanceSource
           or
@@ -316,10 +227,10 @@ private module Tornado {
         }
 
         /** Gets a reference to an instance of `tornado.web.Application`. */
-        DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+        DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
 
         /** Gets a reference to the `add_handlers` method. */
-        private DataFlow::Node add_handlers(DataFlow::TypeTracker t) {
+        private DataFlow::LocalSourceNode add_handlers(DataFlow::TypeTracker t) {
           t.startInAttr("add_handlers") and
           result = instance()
           or
@@ -327,7 +238,7 @@ private module Tornado {
         }
 
         /** Gets a reference to the `add_handlers` method. */
-        DataFlow::Node add_handlers() { result = add_handlers(DataFlow::TypeTracker::end()) }
+        DataFlow::Node add_handlers() { add_handlers(DataFlow::TypeTracker::end()).flowsTo(result) }
       }
     }
 
@@ -335,7 +246,7 @@ private module Tornado {
     // tornado.httputil
     // -------------------------------------------------------------------------
     /** Gets a reference to the `tornado.httputil` module. */
-    DataFlow::Node httputil() { result = tornado_attr("httputil") }
+    API::Node httputil() { result = tornado_attr("httputil") }
 
     /** Provides models for the `tornado.httputil` module */
     module httputil {
@@ -343,41 +254,7 @@ private module Tornado {
        * Gets a reference to the attribute `attr_name` of the `tornado.httputil` module.
        * WARNING: Only holds for a few predefined attributes.
        */
-      private DataFlow::Node httputil_attr(DataFlow::TypeTracker t, string attr_name) {
-        attr_name in ["HTTPServerRequest"] and
-        (
-          t.start() and
-          result = DataFlow::importNode("tornado.httputil" + "." + attr_name)
-          or
-          t.startInAttr(attr_name) and
-          result = httputil()
-        )
-        or
-        // Due to bad performance when using normal setup with `httputil_attr(t2, attr_name).track(t2, t)`
-        // we have inlined that code and forced a join
-        exists(DataFlow::TypeTracker t2 |
-          exists(DataFlow::StepSummary summary |
-            httputil_attr_first_join(t2, attr_name, result, summary) and
-            t = t2.append(summary)
-          )
-        )
-      }
-
-      pragma[nomagic]
-      private predicate httputil_attr_first_join(
-        DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-        DataFlow::StepSummary summary
-      ) {
-        DataFlow::StepSummary::step(httputil_attr(t2, attr_name), res, summary)
-      }
-
-      /**
-       * Gets a reference to the attribute `attr_name` of the `tornado.httputil` module.
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private DataFlow::Node httputil_attr(string attr_name) {
-        result = httputil_attr(DataFlow::TypeTracker::end(), attr_name)
-      }
+      private API::Node httputil_attr(string attr_name) { result = httputil().getMember(attr_name) }
 
       /**
        * Provides models for the `tornado.httputil.HttpServerRequest` class
@@ -386,15 +263,7 @@ private module Tornado {
        */
       module HttpServerRequest {
         /** Gets a reference to the `tornado.httputil.HttpServerRequest` class. */
-        private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-          t.start() and
-          result = httputil_attr("HttpServerRequest")
-          or
-          exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
-        }
-
-        /** Gets a reference to the `tornado.httputil.HttpServerRequest` class. */
-        DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+        API::Node classRef() { result = httputil_attr("HttpServerRequest") }
 
         /**
          * A source of instances of `tornado.httputil.HttpServerRequest`, extend this class to model new instances.
@@ -411,7 +280,7 @@ private module Tornado {
         private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
           override CallNode node;
 
-          ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+          ClassInstantiation() { this = classRef().getACall() }
         }
 
         /** Gets a reference to an instance of `tornado.httputil.HttpServerRequest`. */

From f93b68d4dc2683186a9c6513417c1a38e1fadf0a Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 13 Apr 2021 11:57:59 +0000
Subject: [PATCH 0364/1429] Python: Get rid of `_attr` methods

---
 .../src/semmle/python/frameworks/Tornado.qll  | 35 ++++++-------------
 1 file changed, 10 insertions(+), 25 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Tornado.qll b/python/ql/src/semmle/python/frameworks/Tornado.qll
index 6268c9f0a4d..509193c5160 100644
--- a/python/ql/src/semmle/python/frameworks/Tornado.qll
+++ b/python/ql/src/semmle/python/frameworks/Tornado.qll
@@ -22,27 +22,16 @@ private module Tornado {
   /** Gets a reference to the `tornado` module. */
   API::Node tornado() { result = API::moduleImport("tornado") }
 
-  /**
-   * Gets a reference to the attribute `attr_name` of the `tornado` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private API::Node tornado_attr(string attr_name) { result = tornado().getMember(attr_name) }
-
   /** Provides models for the `tornado` module. */
   module tornado {
     // -------------------------------------------------------------------------
     // tornado.web
     // -------------------------------------------------------------------------
     /** Gets a reference to the `tornado.web` module. */
-    API::Node web() { result = tornado_attr("web") }
+    API::Node web() { result = tornado().getMember("web") }
 
     /** Provides models for the `tornado.web` module */
     module web {
-      /**
-       * Gets a reference to the attribute `attr_name` of the `tornado.web` module.
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private API::Node web_attr(string attr_name) { result = web().getMember(attr_name) }
 
       /**
        * Provides models for the `tornado.web.RequestHandler` class and subclasses.
@@ -51,7 +40,7 @@ private module Tornado {
        */
       module RequestHandler {
         /** Gets a reference to the `tornado.web.RequestHandler` class or any subclass. */
-        API::Node subclassRef() { result = web_attr("RequestHandler").getASubclass*() }
+        API::Node subclassRef() { result = web().getMember("RequestHandler").getASubclass*() }
 
         /** A RequestHandler class (most likely in project code). */
         class RequestHandlerClass extends Class {
@@ -198,7 +187,7 @@ private module Tornado {
        */
       module Application {
         /** Gets a reference to the `tornado.web.Application` class. */
-        API::Node classRef() { result = web_attr("Application") }
+        API::Node classRef() { result = web().getMember("Application") }
 
         /**
          * A source of instances of `tornado.web.Application`, extend this class to model new instances.
@@ -246,15 +235,10 @@ private module Tornado {
     // tornado.httputil
     // -------------------------------------------------------------------------
     /** Gets a reference to the `tornado.httputil` module. */
-    API::Node httputil() { result = tornado_attr("httputil") }
+    API::Node httputil() { result = tornado().getMember("httputil") }
 
     /** Provides models for the `tornado.httputil` module */
     module httputil {
-      /**
-       * Gets a reference to the attribute `attr_name` of the `tornado.httputil` module.
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private API::Node httputil_attr(string attr_name) { result = httputil().getMember(attr_name) }
 
       /**
        * Provides models for the `tornado.httputil.HttpServerRequest` class
@@ -263,7 +247,7 @@ private module Tornado {
        */
       module HttpServerRequest {
         /** Gets a reference to the `tornado.httputil.HttpServerRequest` class. */
-        API::Node classRef() { result = httputil_attr("HttpServerRequest") }
+        API::Node classRef() { result = httputil().getMember("HttpServerRequest") }
 
         /**
          * A source of instances of `tornado.httputil.HttpServerRequest`, extend this class to model new instances.
@@ -284,7 +268,7 @@ private module Tornado {
         }
 
         /** Gets a reference to an instance of `tornado.httputil.HttpServerRequest`. */
-        private DataFlow::Node instance(DataFlow::TypeTracker t) {
+        private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
           t.start() and
           result instanceof InstanceSource
           or
@@ -292,10 +276,11 @@ private module Tornado {
         }
 
         /** Gets a reference to an instance of `tornado.httputil.HttpServerRequest`. */
-        DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+        DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
+        
 
         /** Gets a reference to the `full_url` method. */
-        private DataFlow::Node full_url(DataFlow::TypeTracker t) {
+        private DataFlow::LocalSourceNode full_url(DataFlow::TypeTracker t) {
           t.startInAttr("full_url") and
           result = instance()
           or
@@ -303,7 +288,7 @@ private module Tornado {
         }
 
         /** Gets a reference to the `full_url` method. */
-        DataFlow::Node full_url() { result = full_url(DataFlow::TypeTracker::end()) }
+        DataFlow::Node full_url() { full_url(DataFlow::TypeTracker::end()).flowsTo(result) }
 
         private class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
           override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {

From 1a4845f4174e51bc439b521bf42cf3ba67f5dbca Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 13 Apr 2021 12:20:08 +0000
Subject: [PATCH 0365/1429] Python: Restrict types a bit

The `CallCfgNode` restrictions are familiar and useful.

Restricting `InstanceSource` to extend `LocalSourceNode` is novel, but I
think it makes sense. It will act as a good reminder to anyone extending
`InstanceSource` that the node in question is a `LocalSourceNode`, which
will be enforced by the return type of the internal type tracker anyway.
---
 .../src/semmle/python/frameworks/Tornado.qll  | 33 +++++++------------
 1 file changed, 12 insertions(+), 21 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Tornado.qll b/python/ql/src/semmle/python/frameworks/Tornado.qll
index 509193c5160..f82e093cb94 100644
--- a/python/ql/src/semmle/python/frameworks/Tornado.qll
+++ b/python/ql/src/semmle/python/frameworks/Tornado.qll
@@ -32,7 +32,6 @@ private module Tornado {
 
     /** Provides models for the `tornado.web` module */
     module web {
-
       /**
        * Provides models for the `tornado.web.RequestHandler` class and subclasses.
        *
@@ -75,7 +74,7 @@ private module Tornado {
          *
          * Use the predicate `RequestHandler::instance()` to get references to instances of the `tornado.web.RequestHandler` class or any subclass.
          */
-        abstract class InstanceSource extends DataFlow::Node { }
+        abstract class InstanceSource extends DataFlow::LocalSourceNode { }
 
         /** The `self` parameter in a method on the `tornado.web.RequestHandler` class or any subclass. */
         private class SelfParam extends InstanceSource, RemoteFlowSource::Range,
@@ -120,7 +119,9 @@ private module Tornado {
         }
 
         /** Gets a reference to one of the methods `get_arguments`, `get_body_arguments`, `get_query_arguments`. */
-        DataFlow::Node argumentsMethod() { result = argumentsMethod(DataFlow::TypeTracker::end()) }
+        DataFlow::Node argumentsMethod() {
+          argumentsMethod(DataFlow::TypeTracker::end()).flowsTo(result)
+        }
 
         /** Gets a reference the `redirect` method. */
         private DataFlow::LocalSourceNode redirectMethod(DataFlow::TypeTracker t) {
@@ -198,12 +199,10 @@ private module Tornado {
          *
          * Use the predicate `Application::instance()` to get references to instances of `tornado.web.Application`.
          */
-        abstract class InstanceSource extends DataFlow::Node { }
+        abstract class InstanceSource extends DataFlow::LocalSourceNode { }
 
         /** A direct instantiation of `tornado.web.Application`. */
-        class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
-          override CallNode node;
-
+        class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
           ClassInstantiation() { this = classRef().getACall() }
         }
 
@@ -239,7 +238,6 @@ private module Tornado {
 
     /** Provides models for the `tornado.httputil` module */
     module httputil {
-
       /**
        * Provides models for the `tornado.httputil.HttpServerRequest` class
        *
@@ -258,12 +256,10 @@ private module Tornado {
          *
          * Use the predicate `HttpServerRequest::instance()` to get references to instances of `tornado.httputil.HttpServerRequest`.
          */
-        abstract class InstanceSource extends DataFlow::Node { }
+        abstract class InstanceSource extends DataFlow::LocalSourceNode { }
 
         /** A direct instantiation of `tornado.httputil.HttpServerRequest`. */
-        private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
-          override CallNode node;
-
+        private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
           ClassInstantiation() { this = classRef().getACall() }
         }
 
@@ -277,7 +273,6 @@ private module Tornado {
 
         /** Gets a reference to an instance of `tornado.httputil.HttpServerRequest`. */
         DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
-        
 
         /** Gets a reference to the `full_url` method. */
         private DataFlow::LocalSourceNode full_url(DataFlow::TypeTracker t) {
@@ -430,11 +425,9 @@ private module Tornado {
    * See https://www.tornadoweb.org/en/stable/web.html?highlight=write#tornado.web.RequestHandler.redirect
    */
   private class TornadoRequestHandlerRedirectCall extends HTTP::Server::HttpRedirectResponse::Range,
-    DataFlow::CfgNode {
-    override CallNode node;
-
+    DataFlow::CallCfgNode {
     TornadoRequestHandlerRedirectCall() {
-      node.getFunction() = tornado::web::RequestHandler::redirectMethod().asCfgNode()
+      this.getFunction() = tornado::web::RequestHandler::redirectMethod()
     }
 
     override DataFlow::Node getRedirectLocation() {
@@ -454,11 +447,9 @@ private module Tornado {
    * See https://www.tornadoweb.org/en/stable/web.html?highlight=write#tornado.web.RequestHandler.write
    */
   private class TornadoRequestHandlerWriteCall extends HTTP::Server::HttpResponse::Range,
-    DataFlow::CfgNode {
-    override CallNode node;
-
+    DataFlow::CallCfgNode {
     TornadoRequestHandlerWriteCall() {
-      node.getFunction() = tornado::web::RequestHandler::writeMethod().asCfgNode()
+      this.getFunction() = tornado::web::RequestHandler::writeMethod()
     }
 
     override DataFlow::Node getBody() {

From 7825a2cdfcc99c940cae55acc95058df534c48e4 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 13 Apr 2021 12:48:45 +0000
Subject: [PATCH 0366/1429] Python: Add change note

---
 python/change-notes/2021-04-13-pep249-api-graphs.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 python/change-notes/2021-04-13-pep249-api-graphs.md

diff --git a/python/change-notes/2021-04-13-pep249-api-graphs.md b/python/change-notes/2021-04-13-pep249-api-graphs.md
new file mode 100644
index 00000000000..d06b2bffd0c
--- /dev/null
+++ b/python/change-notes/2021-04-13-pep249-api-graphs.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Modelling of libraries supporting PEP249 has been changed to use API graphs. When defining new
+  models, the relevant extension point is now `PEP249ModuleApiNode` in the `PEP249` module, instead
+  of `PEP249Module`. The latter class has now been deprecated.

From a404faa302b634a77fb220118d906f9e240fc02f Mon Sep 17 00:00:00 2001
From: Taus <tausbn@gmail.com>
Date: Tue, 13 Apr 2021 15:05:44 +0200
Subject: [PATCH 0367/1429] Python: Use American English in change note

Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
---
 python/change-notes/2021-04-13-pep249-api-graphs.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/change-notes/2021-04-13-pep249-api-graphs.md b/python/change-notes/2021-04-13-pep249-api-graphs.md
index d06b2bffd0c..fb8e2f0b1fb 100644
--- a/python/change-notes/2021-04-13-pep249-api-graphs.md
+++ b/python/change-notes/2021-04-13-pep249-api-graphs.md
@@ -1,4 +1,4 @@
 lgtm,codescanning
-* Modelling of libraries supporting PEP249 has been changed to use API graphs. When defining new
+* Modeling of libraries supporting PEP249 has been changed to use API graphs. When defining new
   models, the relevant extension point is now `PEP249ModuleApiNode` in the `PEP249` module, instead
   of `PEP249Module`. The latter class has now been deprecated.

From b0ad927fddd2a874f7b08acd6fc89e7cc44650a6 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 13 Apr 2021 15:03:06 +0100
Subject: [PATCH 0368/1429] C++: Remove useUsePair.

---
 .../CWE-191/UnsignedDifferenceExpressionComparedZero.ql  | 9 ---------
 .../UnsignedDifferenceExpressionComparedZero.expected    | 4 ++++
 2 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index 074ecfc821e..3e2d49f4987 100644
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -37,15 +37,6 @@ predicate isGuarded(SubExpr sub, Expr left, Expr right) {
 predicate exprIsSubLeftOrLess(SubExpr sub, Expr e) {
   e = sub.getLeftOperand()
   or
-  exists(Expr other |
-    // use-use
-    exprIsSubLeftOrLess(sub, other) and
-    (
-      useUsePair(_, other, e) or
-      useUsePair(_, e, other)
-    )
-  )
-  or
   exists(Expr other |
     // dataflow
     exprIsSubLeftOrLess(sub, other) and
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
index 85938f15499..7f03b7bcdc7 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
@@ -1,5 +1,7 @@
 | test.cpp:6:5:6:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:10:8:10:24 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:22:12:22:20 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:32:12:32:20 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:62:5:62:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:75:8:75:16 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:101:6:101:14 | ... > ... | Unsigned subtraction can never be negative. |
@@ -9,6 +11,8 @@
 | test.cpp:152:7:152:15 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:182:6:182:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:208:6:208:14 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:219:7:219:15 | ... > ... | Unsigned subtraction can never be negative. |
+| test.cpp:226:8:226:16 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:252:10:252:18 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:266:10:266:24 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:276:11:276:19 | ... > ... | Unsigned subtraction can never be negative. |

From 4879104568879fe39c6c1c324f6e91f3df40c41a Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 13 Apr 2021 14:50:13 +0100
Subject: [PATCH 0369/1429] C++: Add more dataflow cases to replace the loss.

---
 ...nsignedDifferenceExpressionComparedZero.ql | 20 ++++++++++++++++++-
 ...dDifferenceExpressionComparedZero.expected |  4 ----
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index 3e2d49f4987..682341ed4b2 100644
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -34,7 +34,7 @@ predicate isGuarded(SubExpr sub, Expr left, Expr right) {
  * Holds if `e` is known or suspected to be less than or equal to
  * `sub.getLeftOperand()`.
  */
-predicate exprIsSubLeftOrLess(SubExpr sub, Expr e) {
+predicate exprIsSubLeftOrLess(SubExpr sub, Element e) {
   e = sub.getLeftOperand()
   or
   exists(Expr other |
@@ -46,6 +46,24 @@ predicate exprIsSubLeftOrLess(SubExpr sub, Expr e) {
     )
   )
   or
+  exists(Element other |
+    // dataflow (via parameter)
+    exprIsSubLeftOrLess(sub, other) and
+    (
+      DataFlow::localFlowStep(DataFlow::parameterNode(e), DataFlow::exprNode(other)) or
+      DataFlow::localFlowStep(DataFlow::parameterNode(other), DataFlow::exprNode(e))
+    )
+  )
+  or
+  exists(Element other |
+    // dataflow (via uninitialized)
+    exprIsSubLeftOrLess(sub, other) and
+    (
+      DataFlow::localFlowStep(DataFlow::uninitializedNode(e), DataFlow::exprNode(other)) or
+      DataFlow::localFlowStep(DataFlow::uninitializedNode(other), DataFlow::exprNode(e))
+    )
+  )
+  or
   exists(Expr other |
     // guard constraining `sub`
     exprIsSubLeftOrLess(sub, other) and
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
index 7f03b7bcdc7..85938f15499 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero/UnsignedDifferenceExpressionComparedZero.expected
@@ -1,7 +1,5 @@
 | test.cpp:6:5:6:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:10:8:10:24 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:22:12:22:20 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:32:12:32:20 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:62:5:62:13 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:75:8:75:16 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:101:6:101:14 | ... > ... | Unsigned subtraction can never be negative. |
@@ -11,8 +9,6 @@
 | test.cpp:152:7:152:15 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:182:6:182:14 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:208:6:208:14 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:219:7:219:15 | ... > ... | Unsigned subtraction can never be negative. |
-| test.cpp:226:8:226:16 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:252:10:252:18 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:266:10:266:24 | ... > ... | Unsigned subtraction can never be negative. |
 | test.cpp:276:11:276:19 | ... > ... | Unsigned subtraction can never be negative. |

From 8daca01c87336be802e4470d84ee0de676cdd998 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 13 Apr 2021 15:13:11 +0100
Subject: [PATCH 0370/1429] C++: Cleaner use of DataFlow::Node in
 exprIsSubLeftOrLess.

---
 ...nsignedDifferenceExpressionComparedZero.ql | 44 ++++++-------------
 1 file changed, 13 insertions(+), 31 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index 682341ed4b2..b002cd3631e 100644
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -31,57 +31,39 @@ predicate isGuarded(SubExpr sub, Expr left, Expr right) {
 }
 
 /**
- * Holds if `e` is known or suspected to be less than or equal to
+ * Holds if `n` is known or suspected to be less than or equal to
  * `sub.getLeftOperand()`.
  */
-predicate exprIsSubLeftOrLess(SubExpr sub, Element e) {
-  e = sub.getLeftOperand()
+predicate exprIsSubLeftOrLess(SubExpr sub, DataFlow::Node n) {
+  n = DataFlow::exprNode(sub.getLeftOperand())
   or
-  exists(Expr other |
+  exists(DataFlow::Node other |
     // dataflow
     exprIsSubLeftOrLess(sub, other) and
     (
-      DataFlow::localFlowStep(DataFlow::exprNode(e), DataFlow::exprNode(other)) or
-      DataFlow::localFlowStep(DataFlow::exprNode(other), DataFlow::exprNode(e))
+      DataFlow::localFlowStep(n, other) or
+      DataFlow::localFlowStep(other, n)
     )
   )
   or
-  exists(Element other |
-    // dataflow (via parameter)
-    exprIsSubLeftOrLess(sub, other) and
-    (
-      DataFlow::localFlowStep(DataFlow::parameterNode(e), DataFlow::exprNode(other)) or
-      DataFlow::localFlowStep(DataFlow::parameterNode(other), DataFlow::exprNode(e))
-    )
-  )
-  or
-  exists(Element other |
-    // dataflow (via uninitialized)
-    exprIsSubLeftOrLess(sub, other) and
-    (
-      DataFlow::localFlowStep(DataFlow::uninitializedNode(e), DataFlow::exprNode(other)) or
-      DataFlow::localFlowStep(DataFlow::uninitializedNode(other), DataFlow::exprNode(e))
-    )
-  )
-  or
-  exists(Expr other |
+  exists(DataFlow::Node other |
     // guard constraining `sub`
     exprIsSubLeftOrLess(sub, other) and
-    isGuarded(sub, other, e) // other >= e
+    isGuarded(sub, other.asExpr(), n.asExpr()) // other >= e
   )
   or
-  exists(Expr other, float p, float q |
+  exists(DataFlow::Node other, float p, float q |
     // linear access of `other`
     exprIsSubLeftOrLess(sub, other) and
-    linearAccess(e, other, p, q) and // e = p * other + q
+    linearAccess(n.asExpr(), other.asExpr(), p, q) and // e = p * other + q
     p <= 1 and
     q <= 0
   )
   or
-  exists(Expr other, float p, float q |
+  exists(DataFlow::Node other, float p, float q |
     // linear access of `e`
     exprIsSubLeftOrLess(sub, other) and
-    linearAccess(other, e, p, q) and // other = p * e + q
+    linearAccess(other.asExpr(), n.asExpr(), p, q) and // other = p * e + q
     p >= 1 and
     q >= 0
   )
@@ -95,5 +77,5 @@ where
   ro.getGreaterOperand() = sub and
   sub.getFullyConverted().getUnspecifiedType().(IntegralType).isUnsigned() and
   exprMightOverflowNegatively(sub.getFullyConverted()) and // generally catches false positives involving constants
-  not exprIsSubLeftOrLess(sub, sub.getRightOperand()) // generally catches false positives where there's a relation between the left and right operands
+  not exprIsSubLeftOrLess(sub, DataFlow::exprNode(sub.getRightOperand())) // generally catches false positives where there's a relation between the left and right operands
 select ro, "Unsigned subtraction can never be negative."

From d1457995dd9fd565e18ec0c28fa5f1aa7199115b Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 13 Apr 2021 16:15:37 +0200
Subject: [PATCH 0371/1429] C++: Use range analysis in Overflow.qll

---
 cpp/ql/src/semmle/code/cpp/security/Overflow.qll           | 7 +++++--
 .../semmle/extreme/ArithmeticWithExtremeValues.expected    | 2 --
 .../query-tests/Security/CWE/CWE-190/semmle/extreme/test.c | 4 ++--
 .../CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected  | 3 ---
 4 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/security/Overflow.qll b/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
index e7ad1c559e6..3f7a7b17b05 100644
--- a/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
@@ -5,6 +5,7 @@
 
 import cpp
 import semmle.code.cpp.controlflow.Dominance
+import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 
 /**
  * Holds if the value of `use` is guarded using `abs`.
@@ -94,9 +95,10 @@ predicate guardedGreater(Operation e, Expr use) {
 VariableAccess varUse(LocalScopeVariable v) { result = v.getAnAccess() }
 
 /**
- * Holds if `e` is not guarded against overflow by `use`.
+ * Holds if `e` potentially overflows and `use` is an operand of `e` that is not guarded.
  */
 predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
+  convertedExprMightOverflow(e) and
   use = e.getAnOperand() and
   exists(LocalScopeVariable v | use.getTarget() = v |
     // overflow possible if large
@@ -115,9 +117,10 @@ predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
 }
 
 /**
- * Holds if `e` is not guarded against underflow by `use`.
+ * Holds if `e` potentially underflows and `use` is an operand of `e` that is not guarded.
  */
 predicate missingGuardAgainstUnderflow(Operation e, VariableAccess use) {
+  convertedExprMightOverflowNegatively(e) and
   use = e.getAnOperand() and
   exists(LocalScopeVariable v | use.getTarget() = v |
     // underflow possible if use is left operand and small
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/ArithmeticWithExtremeValues.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/ArithmeticWithExtremeValues.expected
index a46371f36b6..cbaf5d63079 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/ArithmeticWithExtremeValues.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/ArithmeticWithExtremeValues.expected
@@ -3,6 +3,4 @@
 | test.c:50:3:50:5 | sc3 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:49:9:49:16 | 127 | Extreme value |
 | test.c:59:3:59:5 | sc6 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:58:9:58:16 | 127 | Extreme value |
 | test.c:63:3:63:5 | sc8 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:62:9:62:16 | - ... | Extreme value |
-| test.c:75:3:75:5 | sc1 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:74:9:74:16 | 127 | Extreme value |
-| test.c:76:3:76:5 | sc1 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:74:9:74:16 | 127 | Extreme value |
 | test.c:124:9:124:9 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:118:17:118:23 | 2147483647 | Extreme value |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/test.c
index 8c40d984ee0..8760641c8e2 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/test.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/test.c
@@ -72,8 +72,8 @@ void test_negatives() {
   signed char sc1, sc2, sc3, sc4, sc5, sc6, sc7, sc8;
 
   sc1 = CHAR_MAX;
-  sc1 += 0; // GOOD [FALSE POSITIVE]
-  sc1 += -1; // GOOD [FALSE POSITIVE]
+  sc1 += 0; // GOOD
+  sc1 += -1; // GOOD
   sc2 = CHAR_MIN;
   sc2 += -1; // BAD [NOT DETECTED]
   sc3 = CHAR_MIN;
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
index 8bb25025b86..bdf00e0a5df 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
@@ -1,8 +1,5 @@
 | test2.cpp:14:11:14:11 | v | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
 | test2.cpp:14:11:14:11 | v | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
-| test3.c:15:10:15:10 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test3.c:11:15:11:18 | argv | User-provided value |
-| test3.c:15:14:15:14 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test3.c:11:15:11:18 | argv | User-provided value |
-| test3.c:15:18:15:18 | z | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test3.c:11:15:11:18 | argv | User-provided value |
 | test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |

From 10084115947e610724e8b6fd2d42e1f4ea7d7327 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 13 Apr 2021 14:49:44 +0000
Subject: [PATCH 0372/1429] Python: Use API graphs in Fabric model

---
 .../src/semmle/python/frameworks/Fabric.qll   | 360 ++----------------
 1 file changed, 41 insertions(+), 319 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Fabric.qll b/python/ql/src/semmle/python/frameworks/Fabric.qll
index 764dce0de80..6e92cddfdfd 100644
--- a/python/ql/src/semmle/python/frameworks/Fabric.qll
+++ b/python/ql/src/semmle/python/frameworks/Fabric.qll
@@ -11,6 +11,7 @@ private import python
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
 
 /**
  * Provides classes modeling security-relevant aspects of the `fabric` PyPI package, for
@@ -20,54 +21,13 @@ private import semmle.python.Concepts
  */
 private module FabricV1 {
   /** Gets a reference to the `fabric` module. */
-  private DataFlow::Node fabric(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("fabric")
-    or
-    exists(DataFlow::TypeTracker t2 | result = fabric(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `fabric` module. */
-  DataFlow::Node fabric() { result = fabric(DataFlow::TypeTracker::end()) }
+  API::Node fabric() { result = API::moduleImport("fabric") }
 
   /**
    * Gets a reference to the attribute `attr_name` of the `fabric` module.
    * WARNING: Only holds for a few predefined attributes.
    */
-  private DataFlow::Node fabric_attr(DataFlow::TypeTracker t, string attr_name) {
-    attr_name in ["api"] and
-    (
-      t.start() and
-      result = DataFlow::importNode("fabric" + "." + attr_name)
-      or
-      t.startInAttr(attr_name) and
-      result = fabric()
-    )
-    or
-    // Due to bad performance when using normal setup with `fabric_attr(t2, attr_name).track(t2, t)`
-    // we have inlined that code and forced a join
-    exists(DataFlow::TypeTracker t2 |
-      exists(DataFlow::StepSummary summary |
-        fabric_attr_first_join(t2, attr_name, result, summary) and
-        t = t2.append(summary)
-      )
-    )
-  }
-
-  pragma[nomagic]
-  private predicate fabric_attr_first_join(
-    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
-  ) {
-    DataFlow::StepSummary::step(fabric_attr(t2, attr_name), res, summary)
-  }
-
-  /**
-   * Gets a reference to the attribute `attr_name` of the `fabric` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private DataFlow::Node fabric_attr(string attr_name) {
-    result = fabric_attr(DataFlow::TypeTracker::end(), attr_name)
-  }
+  private API::Node fabric_attr(string attr_name) { result = fabric().getMember(attr_name) }
 
   /** Provides models for the `fabric` module. */
   module fabric {
@@ -75,7 +35,7 @@ private module FabricV1 {
     // fabric.api
     // -------------------------------------------------------------------------
     /** Gets a reference to the `fabric.api` module. */
-    DataFlow::Node api() { result = fabric_attr("api") }
+    API::Node api() { result = fabric_attr("api") }
 
     /** Provides models for the `fabric.api` module */
     module api {
@@ -83,41 +43,7 @@ private module FabricV1 {
        * Gets a reference to the attribute `attr_name` of the `fabric.api` module.
        * WARNING: Only holds for a few predefined attributes.
        */
-      private DataFlow::Node api_attr(DataFlow::TypeTracker t, string attr_name) {
-        attr_name in ["run", "local", "sudo"] and
-        (
-          t.start() and
-          result = DataFlow::importNode("fabric.api" + "." + attr_name)
-          or
-          t.startInAttr(attr_name) and
-          result = api()
-        )
-        or
-        // Due to bad performance when using normal setup with `api_attr(t2, attr_name).track(t2, t)`
-        // we have inlined that code and forced a join
-        exists(DataFlow::TypeTracker t2 |
-          exists(DataFlow::StepSummary summary |
-            api_attr_first_join(t2, attr_name, result, summary) and
-            t = t2.append(summary)
-          )
-        )
-      }
-
-      pragma[nomagic]
-      private predicate api_attr_first_join(
-        DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-        DataFlow::StepSummary summary
-      ) {
-        DataFlow::StepSummary::step(api_attr(t2, attr_name), res, summary)
-      }
-
-      /**
-       * Gets a reference to the attribute `attr_name` of the `fabric.api` module.
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private DataFlow::Node api_attr(string attr_name) {
-        result = api_attr(DataFlow::TypeTracker::end(), attr_name)
-      }
+      private API::Node api_attr(string attr_name) { result = api().getMember(attr_name) }
 
       /**
        * A call to either
@@ -130,12 +56,8 @@ private module FabricV1 {
        * - https://docs.fabfile.org/en/1.14/api/core/operations.html#fabric.operations.sudo
        */
       private class FabricApiLocalRunSudoCall extends SystemCommandExecution::Range,
-        DataFlow::CfgNode {
-        override CallNode node;
-
-        FabricApiLocalRunSudoCall() {
-          node.getFunction() = api_attr(["local", "run", "sudo"]).asCfgNode()
-        }
+        DataFlow::CallCfgNode {
+        FabricApiLocalRunSudoCall() { this = api_attr(["local", "run", "sudo"]).getACall() }
 
         override DataFlow::Node getCommand() {
           result.asCfgNode() = [node.getArg(0), node.getArgByName("command")]
@@ -153,61 +75,13 @@ private module FabricV1 {
  */
 private module FabricV2 {
   /** Gets a reference to the `fabric` module. */
-  private DataFlow::Node fabric(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("fabric")
-    or
-    exists(DataFlow::TypeTracker t2 | result = fabric(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `fabric` module. */
-  DataFlow::Node fabric() { result = fabric(DataFlow::TypeTracker::end()) }
+  API::Node fabric() { result = API::moduleImport("fabric") }
 
   /**
    * Gets a reference to the attribute `attr_name` of the `fabric` module.
    * WARNING: Only holds for a few predefined attributes.
    */
-  private DataFlow::Node fabric_attr(DataFlow::TypeTracker t, string attr_name) {
-    attr_name in [
-        // connection.py
-        "connection", "Connection",
-        // group.py
-        "group", "SerialGroup", "ThreadingGroup",
-        // tasks.py
-        "tasks", "task"
-      ] and
-    (
-      t.start() and
-      result = DataFlow::importNode("fabric" + "." + attr_name)
-      or
-      t.startInAttr(attr_name) and
-      result = fabric()
-    )
-    or
-    // Due to bad performance when using normal setup with `fabric_attr(t2, attr_name).track(t2, t)`
-    // we have inlined that code and forced a join
-    exists(DataFlow::TypeTracker t2 |
-      exists(DataFlow::StepSummary summary |
-        fabric_attr_first_join(t2, attr_name, result, summary) and
-        t = t2.append(summary)
-      )
-    )
-  }
-
-  pragma[nomagic]
-  private predicate fabric_attr_first_join(
-    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
-  ) {
-    DataFlow::StepSummary::step(fabric_attr(t2, attr_name), res, summary)
-  }
-
-  /**
-   * Gets a reference to the attribute `attr_name` of the `fabric` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private DataFlow::Node fabric_attr(string attr_name) {
-    result = fabric_attr(DataFlow::TypeTracker::end(), attr_name)
-  }
+  private API::Node fabric_attr(string attr_name) { result = fabric().getMember(attr_name) }
 
   /** Provides models for the `fabric` module. */
   module fabric {
@@ -215,7 +89,7 @@ private module FabricV2 {
     // fabric.connection
     // -------------------------------------------------------------------------
     /** Gets a reference to the `fabric.connection` module. */
-    DataFlow::Node connection() { result = fabric_attr("connection") }
+    API::Node connection() { result = fabric_attr("connection") }
 
     /** Provides models for the `fabric.connection` module */
     module connection {
@@ -223,40 +97,8 @@ private module FabricV2 {
        * Gets a reference to the attribute `attr_name` of the `fabric.connection` module.
        * WARNING: Only holds for a few predefined attributes.
        */
-      private DataFlow::Node connection_attr(DataFlow::TypeTracker t, string attr_name) {
-        attr_name in ["Connection"] and
-        (
-          t.start() and
-          result = DataFlow::importNode("fabric.connection" + "." + attr_name)
-          or
-          t.startInAttr(attr_name) and
-          result = connection()
-        )
-        or
-        // Due to bad performance when using normal setup with `connection_attr(t2, attr_name).track(t2, t)`
-        // we have inlined that code and forced a join
-        exists(DataFlow::TypeTracker t2 |
-          exists(DataFlow::StepSummary summary |
-            connection_attr_first_join(t2, attr_name, result, summary) and
-            t = t2.append(summary)
-          )
-        )
-      }
-
-      pragma[nomagic]
-      private predicate connection_attr_first_join(
-        DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-        DataFlow::StepSummary summary
-      ) {
-        DataFlow::StepSummary::step(connection_attr(t2, attr_name), res, summary)
-      }
-
-      /**
-       * Gets a reference to the attribute `attr_name` of the `fabric.connection` module.
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private DataFlow::Node connection_attr(string attr_name) {
-        result = connection_attr(DataFlow::TypeTracker::end(), attr_name)
+      private API::Node connection_attr(string attr_name) {
+        result = connection().getMember(attr_name)
       }
 
       /**
@@ -266,20 +108,10 @@ private module FabricV2 {
        */
       module Connection {
         /** Gets a reference to the `fabric.connection.Connection` class. */
-        private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-          t.start() and
-          result = connection_attr("Connection")
-          or
-          // handle `fabric.Connection` alias
-          t.start() and
-          result = fabric_attr("Connection")
-          or
-          exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
+        API::Node classRef() {
+          result in [fabric_attr("Connection"), connection_attr("Connection")]
         }
 
-        /** Gets a reference to the `fabric.connection.Connection` class. */
-        DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
-
         /**
          * A source of instances of `fabric.connection.Connection`, extend this class to model new instances.
          *
@@ -289,16 +121,14 @@ private module FabricV2 {
          *
          * Use the predicate `Connection::instance()` to get references to instances of `fabric.connection.Connection`.
          */
-        abstract class InstanceSource extends DataFlow::Node { }
+        abstract class InstanceSource extends DataFlow::LocalSourceNode { }
 
-        private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
-          override CallNode node;
-
-          ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+        private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
+          ClassInstantiation() { this = classRef().getACall() }
         }
 
         /** Gets a reference to an instance of `fabric.connection.Connection`. */
-        private DataFlow::Node instance(DataFlow::TypeTracker t) {
+        private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
           t.start() and
           result instanceof InstanceSource
           or
@@ -306,7 +136,7 @@ private module FabricV2 {
         }
 
         /** Gets a reference to an instance of `fabric.connection.Connection`. */
-        DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+        DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
 
         /**
          * Gets a reference to either `run`, `sudo`, or `local` method on a
@@ -317,7 +147,7 @@ private module FabricV2 {
          * - https://docs.fabfile.org/en/2.5/api/connection.html#fabric.connection.Connection.sudo
          * - https://docs.fabfile.org/en/2.5/api/connection.html#fabric.connection.Connection.local
          */
-        private DataFlow::Node instanceRunMethods(DataFlow::TypeTracker t) {
+        private DataFlow::LocalSourceNode instanceRunMethods(DataFlow::TypeTracker t) {
           t.startInAttr(["run", "sudo", "local"]) and
           result = instance()
           or
@@ -334,7 +164,7 @@ private module FabricV2 {
          * - https://docs.fabfile.org/en/2.5/api/connection.html#fabric.connection.Connection.local
          */
         DataFlow::Node instanceRunMethods() {
-          result = instanceRunMethods(DataFlow::TypeTracker::end())
+          instanceRunMethods(DataFlow::TypeTracker::end()).flowsTo(result)
         }
       }
     }
@@ -347,11 +177,9 @@ private module FabricV2 {
      * - https://docs.fabfile.org/en/2.5/api/connection.html#fabric.connection.Connection.local
      */
     private class FabricConnectionRunSudoLocalCall extends SystemCommandExecution::Range,
-      DataFlow::CfgNode {
-      override CallNode node;
-
+      DataFlow::CallCfgNode {
       FabricConnectionRunSudoLocalCall() {
-        node.getFunction() = fabric::connection::Connection::instanceRunMethods().asCfgNode()
+        this.getFunction() = fabric::connection::Connection::instanceRunMethods()
       }
 
       override DataFlow::Node getCommand() {
@@ -363,34 +191,19 @@ private module FabricV2 {
     // fabric.tasks
     // -------------------------------------------------------------------------
     /** Gets a reference to the `fabric.tasks` module. */
-    DataFlow::Node tasks() { result = fabric_attr("tasks") }
+    API::Node tasks() { result = fabric_attr("tasks") }
 
     /** Provides models for the `fabric.tasks` module */
     module tasks {
       /** Gets a reference to the `fabric.tasks.task` decorator. */
-      private DataFlow::Node task(DataFlow::TypeTracker t) {
-        t.start() and
-        result = DataFlow::importNode("fabric.tasks.task")
-        or
-        t.startInAttr("task") and
-        result = tasks()
-        or
-        // Handle `fabric.task` alias
-        t.startInAttr("task") and
-        result = fabric()
-        or
-        exists(DataFlow::TypeTracker t2 | result = task(t2).track(t2, t))
-      }
-
-      /** Gets a reference to the `fabric.tasks.task` decorator. */
-      DataFlow::Node task() { result = task(DataFlow::TypeTracker::end()) }
+      API::Node task() { result in [tasks().getMember("task"), fabric().getMember("task")] }
     }
 
     class FabricTaskFirstParamConnectionInstance extends fabric::connection::Connection::InstanceSource,
       DataFlow::ParameterNode {
       FabricTaskFirstParamConnectionInstance() {
         exists(Function func |
-          func.getADecorator() = fabric::tasks::task().asExpr() and
+          func.getADecorator() = fabric::tasks::task().getAUse().asExpr() and
           this.getParameter() = func.getArg(0)
         )
       }
@@ -400,7 +213,7 @@ private module FabricV2 {
     // fabric.group
     // -------------------------------------------------------------------------
     /** Gets a reference to the `fabric.group` module. */
-    DataFlow::Node group() { result = fabric_attr("group") }
+    API::Node group() { result = fabric_attr("group") }
 
     /** Provides models for the `fabric.group` module */
     module group {
@@ -408,41 +221,7 @@ private module FabricV2 {
        * Gets a reference to the attribute `attr_name` of the `fabric.group` module.
        * WARNING: Only holds for a few predefined attributes.
        */
-      private DataFlow::Node group_attr(DataFlow::TypeTracker t, string attr_name) {
-        attr_name in ["SerialGroup", "ThreadingGroup"] and
-        (
-          t.start() and
-          result = DataFlow::importNode("fabric.group" + "." + attr_name)
-          or
-          t.startInAttr(attr_name) and
-          result = group()
-        )
-        or
-        // Due to bad performance when using normal setup with `group_attr(t2, attr_name).track(t2, t)`
-        // we have inlined that code and forced a join
-        exists(DataFlow::TypeTracker t2 |
-          exists(DataFlow::StepSummary summary |
-            group_attr_first_join(t2, attr_name, result, summary) and
-            t = t2.append(summary)
-          )
-        )
-      }
-
-      pragma[nomagic]
-      private predicate group_attr_first_join(
-        DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-        DataFlow::StepSummary summary
-      ) {
-        DataFlow::StepSummary::step(group_attr(t2, attr_name), res, summary)
-      }
-
-      /**
-       * Gets a reference to the attribute `attr_name` of the `fabric.group` module.
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private DataFlow::Node group_attr(string attr_name) {
-        result = group_attr(DataFlow::TypeTracker::end(), attr_name)
-      }
+      private API::Node group_attr(string attr_name) { result = group().getMember(attr_name) }
 
       /**
        * Provides models for the `fabric.group.Group` class and its subclasses.
@@ -465,41 +244,20 @@ private module FabricV2 {
          *
          * Use `Group::subclassInstance()` predicate to get references to an instance of a subclass of `fabric.group.Group`.
          */
-        abstract class SubclassInstanceSource extends DataFlow::Node { }
-
-        /** Gets a reference to an instance of a subclass of `fabric.group.Group`. */
-        private DataFlow::Node subclassInstance(DataFlow::TypeTracker t) {
-          t.start() and
-          result instanceof SubclassInstanceSource
-          or
-          exists(DataFlow::TypeTracker t2 | result = subclassInstance(t2).track(t2, t))
+        abstract class ModeledSubclass extends API::Node {
+          /** Gets a string representation of this element. */
+          override string toString() { result = this.(API::Node).toString() }
         }
 
         /** Gets a reference to an instance of a subclass of `fabric.group.Group`. */
-        DataFlow::Node subclassInstance() {
-          result = subclassInstance(DataFlow::TypeTracker::end())
-        }
+        API::Node subclassInstance() { result = any(ModeledSubclass m).getASubclass*().getReturn() }
 
         /**
          * Gets a reference to the `run` method on an instance of a subclass of `fabric.group.Group`.
          *
          * See https://docs.fabfile.org/en/2.5/api/group.html#fabric.group.Group.run
          */
-        private DataFlow::Node subclassInstanceRunMethod(DataFlow::TypeTracker t) {
-          t.startInAttr("run") and
-          result = subclassInstance()
-          or
-          exists(DataFlow::TypeTracker t2 | result = subclassInstanceRunMethod(t2).track(t2, t))
-        }
-
-        /**
-         * Gets a reference to the `run` method on an instance of a subclass of `fabric.group.Group`.
-         *
-         * See https://docs.fabfile.org/en/2.5/api/group.html#fabric.group.Group.run
-         */
-        DataFlow::Node subclassInstanceRunMethod() {
-          result = subclassInstanceRunMethod(DataFlow::TypeTracker::end())
-        }
+        API::Node subclassInstanceRunMethod() { result = subclassInstance().getMember("run") }
       }
 
       /**
@@ -507,12 +265,8 @@ private module FabricV2 {
        *
        * See https://docs.fabfile.org/en/2.5/api/group.html#fabric.group.Group.run
        */
-      private class FabricGroupRunCall extends SystemCommandExecution::Range, DataFlow::CfgNode {
-        override CallNode node;
-
-        FabricGroupRunCall() {
-          node.getFunction() = fabric::group::Group::subclassInstanceRunMethod().asCfgNode()
-        }
+      private class FabricGroupRunCall extends SystemCommandExecution::Range, DataFlow::CallCfgNode {
+        FabricGroupRunCall() { this = fabric::group::Group::subclassInstanceRunMethod().getACall() }
 
         override DataFlow::Node getCommand() {
           result.asCfgNode() = [node.getArg(0), node.getArgByName("command")]
@@ -525,25 +279,8 @@ private module FabricV2 {
        * See https://docs.fabfile.org/en/2.5/api/group.html#fabric.group.SerialGroup.
        */
       module SerialGroup {
-        /** Gets a reference to the `fabric.group.SerialGroup` class. */
-        private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-          t.start() and
-          result = group_attr("SerialGroup")
-          or
-          // Handle `fabric.SerialGroup` alias
-          t.start() and
-          result = fabric_attr("SerialGroup")
-          or
-          exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
-        }
-
-        /** Gets a reference to the `fabric.group.SerialGroup` class. */
-        private DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
-
-        private class ClassInstantiation extends Group::SubclassInstanceSource, DataFlow::CfgNode {
-          override CallNode node;
-
-          ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+        private class ClassInstantiation extends Group::ModeledSubclass {
+          ClassInstantiation() { this in [group_attr("SerialGroup"), fabric_attr("SerialGroup")] }
         }
       }
 
@@ -553,25 +290,10 @@ private module FabricV2 {
        * See https://docs.fabfile.org/en/2.5/api/group.html#fabric.group.ThreadingGroup.
        */
       module ThreadingGroup {
-        /** Gets a reference to the `fabric.group.ThreadingGroup` class. */
-        private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-          t.start() and
-          result = group_attr("ThreadingGroup")
-          or
-          // Handle `fabric.ThreadingGroup` alias
-          t.start() and
-          result = fabric_attr("ThreadingGroup")
-          or
-          exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
-        }
-
-        /** Gets a reference to the `fabric.group.ThreadingGroup` class. */
-        DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
-
-        private class ClassInstantiation extends Group::SubclassInstanceSource, DataFlow::CfgNode {
-          override CallNode node;
-
-          ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+        private class ClassInstantiation extends Group::ModeledSubclass {
+          ClassInstantiation() {
+            this in [group_attr("ThreadingGroup"), fabric_attr("ThreadingGroup")]
+          }
         }
       }
     }

From 7f131c1f352e7829fff6fab17fa38a51dd65dee7 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 13 Apr 2021 14:55:44 +0000
Subject: [PATCH 0373/1429] Python: Get rid of `_attr` predicates

---
 .../src/semmle/python/frameworks/Fabric.qll   | 52 ++++---------------
 1 file changed, 11 insertions(+), 41 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Fabric.qll b/python/ql/src/semmle/python/frameworks/Fabric.qll
index 6e92cddfdfd..177f5592f66 100644
--- a/python/ql/src/semmle/python/frameworks/Fabric.qll
+++ b/python/ql/src/semmle/python/frameworks/Fabric.qll
@@ -23,28 +23,16 @@ private module FabricV1 {
   /** Gets a reference to the `fabric` module. */
   API::Node fabric() { result = API::moduleImport("fabric") }
 
-  /**
-   * Gets a reference to the attribute `attr_name` of the `fabric` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private API::Node fabric_attr(string attr_name) { result = fabric().getMember(attr_name) }
-
   /** Provides models for the `fabric` module. */
   module fabric {
     // -------------------------------------------------------------------------
     // fabric.api
     // -------------------------------------------------------------------------
     /** Gets a reference to the `fabric.api` module. */
-    API::Node api() { result = fabric_attr("api") }
+    API::Node api() { result = fabric().getMember("api") }
 
     /** Provides models for the `fabric.api` module */
     module api {
-      /**
-       * Gets a reference to the attribute `attr_name` of the `fabric.api` module.
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private API::Node api_attr(string attr_name) { result = api().getMember(attr_name) }
-
       /**
        * A call to either
        * - `fabric.api.local`
@@ -57,7 +45,7 @@ private module FabricV1 {
        */
       private class FabricApiLocalRunSudoCall extends SystemCommandExecution::Range,
         DataFlow::CallCfgNode {
-        FabricApiLocalRunSudoCall() { this = api_attr(["local", "run", "sudo"]).getACall() }
+        FabricApiLocalRunSudoCall() { this = api().getMember(["local", "run", "sudo"]).getACall() }
 
         override DataFlow::Node getCommand() {
           result.asCfgNode() = [node.getArg(0), node.getArgByName("command")]
@@ -77,30 +65,16 @@ private module FabricV2 {
   /** Gets a reference to the `fabric` module. */
   API::Node fabric() { result = API::moduleImport("fabric") }
 
-  /**
-   * Gets a reference to the attribute `attr_name` of the `fabric` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private API::Node fabric_attr(string attr_name) { result = fabric().getMember(attr_name) }
-
   /** Provides models for the `fabric` module. */
   module fabric {
     // -------------------------------------------------------------------------
     // fabric.connection
     // -------------------------------------------------------------------------
     /** Gets a reference to the `fabric.connection` module. */
-    API::Node connection() { result = fabric_attr("connection") }
+    API::Node connection() { result = fabric().getMember("connection") }
 
     /** Provides models for the `fabric.connection` module */
     module connection {
-      /**
-       * Gets a reference to the attribute `attr_name` of the `fabric.connection` module.
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private API::Node connection_attr(string attr_name) {
-        result = connection().getMember(attr_name)
-      }
-
       /**
        * Provides models for the `fabric.connection.Connection` class
        *
@@ -109,7 +83,7 @@ private module FabricV2 {
       module Connection {
         /** Gets a reference to the `fabric.connection.Connection` class. */
         API::Node classRef() {
-          result in [fabric_attr("Connection"), connection_attr("Connection")]
+          result in [fabric().getMember("Connection"), connection().getMember("Connection")]
         }
 
         /**
@@ -136,7 +110,7 @@ private module FabricV2 {
         }
 
         /** Gets a reference to an instance of `fabric.connection.Connection`. */
-        DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
+        DataFlow::LocalSourceNode instance() { result = instance(DataFlow::TypeTracker::end()) }
 
         /**
          * Gets a reference to either `run`, `sudo`, or `local` method on a
@@ -191,7 +165,7 @@ private module FabricV2 {
     // fabric.tasks
     // -------------------------------------------------------------------------
     /** Gets a reference to the `fabric.tasks` module. */
-    API::Node tasks() { result = fabric_attr("tasks") }
+    API::Node tasks() { result = fabric().getMember("tasks") }
 
     /** Provides models for the `fabric.tasks` module */
     module tasks {
@@ -213,16 +187,10 @@ private module FabricV2 {
     // fabric.group
     // -------------------------------------------------------------------------
     /** Gets a reference to the `fabric.group` module. */
-    API::Node group() { result = fabric_attr("group") }
+    API::Node group() { result = fabric().getMember("group") }
 
     /** Provides models for the `fabric.group` module */
     module group {
-      /**
-       * Gets a reference to the attribute `attr_name` of the `fabric.group` module.
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private API::Node group_attr(string attr_name) { result = group().getMember(attr_name) }
-
       /**
        * Provides models for the `fabric.group.Group` class and its subclasses.
        *
@@ -280,7 +248,9 @@ private module FabricV2 {
        */
       module SerialGroup {
         private class ClassInstantiation extends Group::ModeledSubclass {
-          ClassInstantiation() { this in [group_attr("SerialGroup"), fabric_attr("SerialGroup")] }
+          ClassInstantiation() {
+            this in [group().getMember("SerialGroup"), fabric().getMember("SerialGroup")]
+          }
         }
       }
 
@@ -292,7 +262,7 @@ private module FabricV2 {
       module ThreadingGroup {
         private class ClassInstantiation extends Group::ModeledSubclass {
           ClassInstantiation() {
-            this in [group_attr("ThreadingGroup"), fabric_attr("ThreadingGroup")]
+            this in [group().getMember("ThreadingGroup"), fabric().getMember("ThreadingGroup")]
           }
         }
       }

From 89a5acf6e884f2f897c068ebe8272798d0013d4d Mon Sep 17 00:00:00 2001
From: Marcono1234 <Marcono1234@users.noreply.github.com>
Date: Tue, 13 Apr 2021 17:03:45 +0200
Subject: [PATCH 0374/1429] Java: Revert overriding
 XMLFile.getAPrimaryQlClass()

Library file has to be kept in sync with the other languages, however except
cpp none of them have the getAPrimaryQlClass() predicate declared in a
superclass. Therefore for simplicity revert the change for Java.
---
 java/ql/src/semmle/code/xml/XML.qll | 2 --
 1 file changed, 2 deletions(-)

diff --git a/java/ql/src/semmle/code/xml/XML.qll b/java/ql/src/semmle/code/xml/XML.qll
index 7833f1bdb68..5871fed0ddd 100755
--- a/java/ql/src/semmle/code/xml/XML.qll
+++ b/java/ql/src/semmle/code/xml/XML.qll
@@ -149,8 +149,6 @@ class XMLFile extends XMLParent, File {
 
   /** Gets a DTD associated with this XML file. */
   XMLDTD getADTD() { xmlDTDs(result, _, _, _, this) }
-
-  override string getAPrimaryQlClass() { result = "XMLFile" }
 }
 
 /**

From aa5258512048c2d6404acc221b6c4f66e98eab81 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 13 Apr 2021 17:17:05 +0200
Subject: [PATCH 0375/1429] C++: Add change-note.

---
 cpp/change-notes/2021-04-13-arithmetic-queries.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 cpp/change-notes/2021-04-13-arithmetic-queries.md

diff --git a/cpp/change-notes/2021-04-13-arithmetic-queries.md b/cpp/change-notes/2021-04-13-arithmetic-queries.md
new file mode 100644
index 00000000000..4d0f8833adc
--- /dev/null
+++ b/cpp/change-notes/2021-04-13-arithmetic-queries.md
@@ -0,0 +1,2 @@
+lgtm
+* The queries cpp/tainted-arithmetic, cpp/uncontrolled-arithmetic, and cpp/arithmetic-with-extreme-values have been improved to produce fewer false positives.

From 7ed09904b48867367a3f6445d9187ad75c72b8d2 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 13 Apr 2021 15:21:19 +0000
Subject: [PATCH 0376/1429] Python: Use API graphs for Invoke

A few stragglers remain, as they are modelling the use of decorators.

They will be dealt with at a later date.
---
 .../src/semmle/python/frameworks/Invoke.qll   | 104 ++++--------------
 1 file changed, 21 insertions(+), 83 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Invoke.qll b/python/ql/src/semmle/python/frameworks/Invoke.qll
index 02db1cb5db2..5b5a5e6e7f0 100644
--- a/python/ql/src/semmle/python/frameworks/Invoke.qll
+++ b/python/ql/src/semmle/python/frameworks/Invoke.qll
@@ -6,6 +6,7 @@
 private import python
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
 
 /**
  * Provides models for the `invoke` PyPI package.
@@ -16,102 +17,44 @@ private module Invoke {
   // invoke
   // ---------------------------------------------------------------------------
   /** Gets a reference to the `invoke` module. */
-  private DataFlow::Node invoke(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("invoke")
-    or
-    exists(DataFlow::TypeTracker t2 | result = invoke(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `invoke` module. */
-  DataFlow::Node invoke() { result = invoke(DataFlow::TypeTracker::end()) }
-
-  /**
-   * Gets a reference to the attribute `attr_name` of the `invoke` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private DataFlow::Node invoke_attr(DataFlow::TypeTracker t, string attr_name) {
-    attr_name in ["run", "sudo", "context", "Context", "task"] and
-    (
-      t.start() and
-      result = DataFlow::importNode("invoke." + attr_name)
-      or
-      t.startInAttr(attr_name) and
-      result = DataFlow::importNode("invoke")
-    )
-    or
-    // Due to bad performance when using normal setup with `invoke_attr(t2, attr_name).track(t2, t)`
-    // we have inlined that code and forced a join
-    exists(DataFlow::TypeTracker t2 |
-      exists(DataFlow::StepSummary summary |
-        invoke_attr_first_join(t2, attr_name, result, summary) and
-        t = t2.append(summary)
-      )
-    )
-  }
-
-  pragma[nomagic]
-  private predicate invoke_attr_first_join(
-    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
-  ) {
-    DataFlow::StepSummary::step(invoke_attr(t2, attr_name), res, summary)
-  }
-
-  /**
-   * Gets a reference to the attribute `attr_name` of the `invoke` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private DataFlow::Node invoke_attr(string attr_name) {
-    result = invoke_attr(DataFlow::TypeTracker::end(), attr_name)
-  }
+  API::Node invoke() { result = API::moduleImport("invoke") }
 
   /** Provides models for the `invoke` module. */
   module invoke {
     /** Gets a reference to the `invoke.context` module. */
-    DataFlow::Node context() { result = invoke_attr("context") }
+    API::Node context() { result = invoke().getMember("context") }
 
     /** Provides models for the `invoke.context` module */
     module context {
       /** Provides models for the `invoke.context.Context` class */
       module Context {
         /** Gets a reference to the `invoke.context.Context` class. */
-        private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-          t.start() and
-          result = DataFlow::importNode("invoke.context.Context")
-          or
-          t.startInAttr("Context") and
-          result = invoke::context()
-          or
-          // handle invoke.Context alias
-          t.start() and
-          result = invoke_attr("Context")
-          or
-          exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
+        API::Node classRef() {
+          result =
+            [API::moduleImport("invoke").getMember("context"), API::moduleImport("invoke")]
+                .getMember("Context")
         }
 
-        /** Gets a reference to the `invoke.context.Context` class. */
-        DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
-
         /** Gets a reference to an instance of `invoke.context.Context`. */
-        private DataFlow::Node instance(DataFlow::TypeTracker t) {
+        private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
           t.start() and
-          result.asCfgNode().(CallNode).getFunction() =
-            invoke::context::Context::classRef().asCfgNode()
-          or
-          t.start() and
-          exists(Function func |
-            func.getADecorator() = invoke_attr("task").asExpr() and
-            result.(DataFlow::ParameterNode).getParameter() = func.getArg(0)
+          (
+            result = invoke::context::Context::classRef().getACall()
+            or
+            exists(Function func |
+              func.getADecorator() = invoke().getMember("task").getAUse().asExpr() and
+              result.(DataFlow::ParameterNode).getParameter() = func.getArg(0)
+            )
           )
           or
           exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
         }
 
         /** Gets a reference to an instance of `invoke.context.Context`. */
-        DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+        DataFlow::LocalSourceNode instance() { result = instance(DataFlow::TypeTracker::end()) }
 
         /** Gets a reference to the `run` or `sudo` methods on a `invoke.context.Context` instance. */
-        private DataFlow::Node instanceRunMethods(DataFlow::TypeTracker t) {
+        private DataFlow::LocalSourceNode instanceRunMethods(DataFlow::TypeTracker t) {
           t.startInAttr(["run", "sudo"]) and
           result = invoke::context::Context::instance()
           or
@@ -120,7 +63,7 @@ private module Invoke {
 
         /** Gets a reference to the `run` or `sudo` methods on a `invoke.context.Context` instance. */
         DataFlow::Node instanceRunMethods() {
-          result = instanceRunMethods(DataFlow::TypeTracker::end())
+          instanceRunMethods(DataFlow::TypeTracker::end()).flowsTo(result)
         }
       }
     }
@@ -131,15 +74,10 @@ private module Invoke {
    * - `invoke.run` or `invoke.sudo` functions (http://docs.pyinvoke.org/en/stable/api/__init__.html)
    * - `run` or `sudo` methods on a `invoke.context.Context` instance (http://docs.pyinvoke.org/en/stable/api/context.html#invoke.context.Context.run)
    */
-  private class InvokeRunCommandCall extends SystemCommandExecution::Range, DataFlow::CfgNode {
-    override CallNode node;
-
+  private class InvokeRunCommandCall extends SystemCommandExecution::Range, DataFlow::CallCfgNode {
     InvokeRunCommandCall() {
-      exists(DataFlow::Node callFunction | node.getFunction() = callFunction.asCfgNode() |
-        callFunction = invoke_attr(["run", "sudo"])
-        or
-        callFunction = invoke::context::Context::instanceRunMethods()
-      )
+      this = invoke().getMember(["run", "sudo"]).getACall() or
+      this.getFunction() = invoke::context::Context::instanceRunMethods()
     }
 
     override DataFlow::Node getCommand() {

From 2890fe6d61566c8adce3ad63fcdaf102239f48ff Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 13 Apr 2021 15:26:54 +0000
Subject: [PATCH 0377/1429] Python: Use API graphs in Dill model

If only all rewrites were this smooth...
---
 .../ql/src/semmle/python/frameworks/Dill.qll  | 38 ++-----------------
 1 file changed, 4 insertions(+), 34 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Dill.qll b/python/ql/src/semmle/python/frameworks/Dill.qll
index d105bd47603..1985b7f84cf 100644
--- a/python/ql/src/semmle/python/frameworks/Dill.qll
+++ b/python/ql/src/semmle/python/frameworks/Dill.qll
@@ -7,50 +7,20 @@ private import python
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.Concepts
-
-private module Dill {
-  /** Gets a reference to the `dill` module. */
-  private DataFlow::Node dill(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("dill")
-    or
-    exists(DataFlow::TypeTracker t2 | result = dill(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `dill` module. */
-  DataFlow::Node dill() { result = dill(DataFlow::TypeTracker::end()) }
-
-  /** Provides models for the `dill` module. */
-  module dill {
-    /** Gets a reference to the `dill.loads` function. */
-    private DataFlow::Node loads(DataFlow::TypeTracker t) {
-      t.start() and
-      result = DataFlow::importNode("dill.loads")
-      or
-      t.startInAttr("loads") and
-      result = dill()
-      or
-      exists(DataFlow::TypeTracker t2 | result = loads(t2).track(t2, t))
-    }
-
-    /** Gets a reference to the `dill.loads` function. */
-    DataFlow::Node loads() { result = loads(DataFlow::TypeTracker::end()) }
-  }
-}
+private import semmle.python.ApiGraphs
 
 /**
  * A call to `dill.loads`
  * See https://pypi.org/project/dill/ (which currently refers you
  * to https://docs.python.org/3/library/pickle.html#pickle.loads)
  */
-private class DillLoadsCall extends Decoding::Range, DataFlow::CfgNode {
-  override CallNode node;
+private class DillLoadsCall extends Decoding::Range, DataFlow::CallCfgNode {
 
-  DillLoadsCall() { node.getFunction() = Dill::dill::loads().asCfgNode() }
+  DillLoadsCall() { this = API::moduleImport("dill").getMember("loads").getACall()}
 
   override predicate mayExecuteInput() { any() }
 
-  override DataFlow::Node getAnInput() { result.asCfgNode() = node.getArg(0) }
+  override DataFlow::Node getAnInput() { result = this.getArg(0) }
 
   override DataFlow::Node getOutput() { result = this }
 

From 6e73d136702f882c7582da0dffd9ee635d53c739 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Tue, 13 Apr 2021 23:48:45 +0800
Subject: [PATCH 0378/1429] Update
 java/ql/src/semmle/code/java/frameworks/Servlets.qll

Co-authored-by: Chris Smowton <smowton@github.com>
---
 java/ql/src/semmle/code/java/frameworks/Servlets.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/Servlets.qll b/java/ql/src/semmle/code/java/frameworks/Servlets.qll
index a99df9816f1..3c57b8b7c82 100644
--- a/java/ql/src/semmle/code/java/frameworks/Servlets.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Servlets.qll
@@ -354,7 +354,7 @@ class FilterChain extends Interface {
 
 /** Holds if `m` is a filter handler method (for example `doFilter`). */
 predicate isDoFilterMethod(Method m) {
-  m.getName() ="doFilter" and
+  m.getName() = "doFilter" and
   m.getDeclaringType() instanceof FilterClass and
   m.getNumberOfParameters() = 3 and
   m.getParameter(0).getType() instanceof ServletRequest and

From 7be45e7c5e450129253458072b766d9717d8b0ce Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Tue, 13 Apr 2021 23:56:17 +0800
Subject: [PATCH 0379/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql

Co-authored-by: Chris Smowton <smowton@github.com>
---
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
index 927c3db03d2..f9c16a546ca 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -52,7 +52,7 @@ class RequestResponseFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSink(DataFlow::Node sink) {
     sink instanceof XssSink and
-    getACallingCallableOrSelf(sink.getEnclosingCallable()) instanceof RequestGetMethod
+    any(RequestGetMethod m).polyCalls*(source.getEnclosingCallable())
   }
 
   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {

From 5f7d3d0d36869014be58ae28d0a034b92b31b2c2 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 13 Apr 2021 15:57:21 +0000
Subject: [PATCH 0380/1429] Python: Use API graphs in Werkzeug

---
 .../ql/src/semmle/python/frameworks/Flask.qll |  6 ++-
 .../src/semmle/python/frameworks/Werkzeug.qll | 46 +++++--------------
 2 files changed, 16 insertions(+), 36 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Flask.qll b/python/ql/src/semmle/python/frameworks/Flask.qll
index 8b045c2ee83..b4c5b5dcf8b 100644
--- a/python/ql/src/semmle/python/frameworks/Flask.qll
+++ b/python/ql/src/semmle/python/frameworks/Flask.qll
@@ -401,13 +401,15 @@ module Flask {
     }
   }
 
-  private class RequestAttrMultiDict extends Werkzeug::werkzeug::datastructures::MultiDict::InstanceSource {
+  private class RequestAttrMultiDict extends Werkzeug::werkzeug::datastructures::MultiDict::InstanceSourceApiNode {
     string attr_name;
 
     RequestAttrMultiDict() {
       attr_name in ["args", "values", "form", "files"] and
-      this = request().getMember(attr_name).getAnImmediateUse()
+      this = request().getMember(attr_name)
     }
+
+    override string toString() { result = this.(API::Node).toString() }
   }
 
   private class RequestAttrFiles extends RequestAttrMultiDict {
diff --git a/python/ql/src/semmle/python/frameworks/Werkzeug.qll b/python/ql/src/semmle/python/frameworks/Werkzeug.qll
index 172c9468252..63b8067b266 100644
--- a/python/ql/src/semmle/python/frameworks/Werkzeug.qll
+++ b/python/ql/src/semmle/python/frameworks/Werkzeug.qll
@@ -5,6 +5,7 @@
 private import python
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.ApiGraphs
 
 /**
  * Provides models for the `Werkzeug` PyPI package.
@@ -23,6 +24,9 @@ module Werkzeug {
        * See https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.MultiDict.
        */
       module MultiDict {
+        /** DEPRECATED. Use `InstanceSourceApiNode` instead. */
+        abstract deprecated class InstanceSource extends DataFlow::Node { }
+
         /**
          * A source of instances of `werkzeug.datastructures.MultiDict`, extend this class to model new instances.
          *
@@ -32,37 +36,16 @@ module Werkzeug {
          *
          * Use the predicate `MultiDict::instance()` to get references to instances of `werkzeug.datastructures.MultiDict`.
          */
-        abstract class InstanceSource extends DataFlow::Node { }
-
-        /** Gets a reference to an instance of `werkzeug.datastructures.MultiDict`. */
-        private DataFlow::Node instance(DataFlow::TypeTracker t) {
-          t.start() and
-          result instanceof InstanceSource
-          or
-          exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
-        }
-
-        /** Gets a reference to an instance of `werkzeug.datastructures.MultiDict`. */
-        DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+        abstract class InstanceSourceApiNode extends API::Node { }
 
         /**
          * Gets a reference to the `getlist` method on an instance of `werkzeug.datastructures.MultiDict`.
          *
          * See https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.Headers.getlist
          */
-        private DataFlow::Node getlist(DataFlow::TypeTracker t) {
-          t.startInAttr("getlist") and
-          result = instance()
-          or
-          exists(DataFlow::TypeTracker t2 | result = getlist(t2).track(t2, t))
+        DataFlow::Node getlist() {
+          result = any(InstanceSourceApiNode a).getMember("getlist").getAUse()
         }
-
-        /**
-         * Gets a reference to the `getlist` method on an instance of `werkzeug.datastructures.MultiDict`.
-         *
-         * See https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.Headers.getlist
-         */
-        DataFlow::Node getlist() { result = getlist(DataFlow::TypeTracker::end()) }
       }
 
       /**
@@ -71,6 +54,9 @@ module Werkzeug {
        * See https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.FileStorage.
        */
       module FileStorage {
+        /** DEPRECATED. Use `InstanceSourceApiNode` instead. */
+        abstract deprecated class InstanceSource extends DataFlow::Node { }
+
         /**
          * A source of instances of `werkzeug.datastructures.FileStorage`, extend this class to model new instances.
          *
@@ -80,18 +66,10 @@ module Werkzeug {
          *
          * Use the predicate `FileStorage::instance()` to get references to instances of `werkzeug.datastructures.FileStorage`.
          */
-        abstract class InstanceSource extends DataFlow::Node { }
+        abstract class InstanceSourceApiNode extends API::Node { }
 
         /** Gets a reference to an instance of `werkzeug.datastructures.FileStorage`. */
-        private DataFlow::Node instance(DataFlow::TypeTracker t) {
-          t.start() and
-          result instanceof InstanceSource
-          or
-          exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
-        }
-
-        /** Gets a reference to an instance of `werkzeug.datastructures.FileStorage`. */
-        DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+        DataFlow::Node instance() { result = any(InstanceSourceApiNode a).getAUse() }
       }
     }
   }

From 25b012db48c7b67f8801770d5056ac39681e3622 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Tue, 13 Apr 2021 23:58:28 +0800
Subject: [PATCH 0381/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql

Co-authored-by: Chris Smowton <smowton@github.com>
---
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
index f9c16a546ca..e3673e50410 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -47,7 +47,7 @@ class RequestResponseFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) {
     source instanceof RemoteFlowSource and
-    getACallingCallableOrSelf(source.getEnclosingCallable()) instanceof RequestGetMethod
+    any(RequestGetMethod m).polyCalls*(source.getEnclosingCallable())
   }
 
   override predicate isSink(DataFlow::Node sink) {

From 00235ed3b39a51adbbeadc42f97cdc5cd5d5c780 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Tue, 13 Apr 2021 23:58:52 +0800
Subject: [PATCH 0382/1429] Update
 java/ql/src/semmle/code/java/frameworks/Servlets.qll

Co-authored-by: Chris Smowton <smowton@github.com>
---
 java/ql/src/semmle/code/java/frameworks/Servlets.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/Servlets.qll b/java/ql/src/semmle/code/java/frameworks/Servlets.qll
index 3c57b8b7c82..c733023bbdc 100644
--- a/java/ql/src/semmle/code/java/frameworks/Servlets.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Servlets.qll
@@ -352,7 +352,7 @@ class FilterChain extends Interface {
   FilterChain() { hasQualifiedName("javax.servlet", "FilterChain") }
 }
 
-/** Holds if `m` is a filter handler method (for example `doFilter`). */
+/** Holds if `m` is an implementation of `javax.servlet.Filter.doFilter`. */
 predicate isDoFilterMethod(Method m) {
   m.getName() = "doFilter" and
   m.getDeclaringType() instanceof FilterClass and

From 273e8ce4efb3646a3f449ed61ac73e37e8c6e1bf Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 13 Apr 2021 16:04:07 +0000
Subject: [PATCH 0383/1429] Python: Add change note

---
 python/change-notes/2021-04-13-werkzeug-api-graphs.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 python/change-notes/2021-04-13-werkzeug-api-graphs.md

diff --git a/python/change-notes/2021-04-13-werkzeug-api-graphs.md b/python/change-notes/2021-04-13-werkzeug-api-graphs.md
new file mode 100644
index 00000000000..041e5a31a2b
--- /dev/null
+++ b/python/change-notes/2021-04-13-werkzeug-api-graphs.md
@@ -0,0 +1,5 @@
+lgtm,codescanning
+* The Werkzeug model has been changed to use API graphs. When defining new models for classes based
+  on the `MultiDict` and `FileStorage` classes in `werkzeug.datastructures`, the relevant extension
+  points are now the two `InstanceSourceApiNode` classes in the `semmle.python.frameworks.Werkzeug`
+  module, instead of `InstanceSource`. The latter classes have now been deprecated.

From 079c7e089df9cada5406147468abb5d3a4645a44 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 13 Apr 2021 16:05:45 +0000
Subject: [PATCH 0384/1429] Python: Autoformat

---
 python/ql/src/semmle/python/frameworks/Dill.qll | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Dill.qll b/python/ql/src/semmle/python/frameworks/Dill.qll
index 1985b7f84cf..94af905756b 100644
--- a/python/ql/src/semmle/python/frameworks/Dill.qll
+++ b/python/ql/src/semmle/python/frameworks/Dill.qll
@@ -15,8 +15,7 @@ private import semmle.python.ApiGraphs
  * to https://docs.python.org/3/library/pickle.html#pickle.loads)
  */
 private class DillLoadsCall extends Decoding::Range, DataFlow::CallCfgNode {
-
-  DillLoadsCall() { this = API::moduleImport("dill").getMember("loads").getACall()}
+  DillLoadsCall() { this = API::moduleImport("dill").getMember("loads").getACall() }
 
   override predicate mayExecuteInput() { any() }
 

From a6bb9ebb9ff619fea60d77cd54fe44d186bb49b8 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 13 Apr 2021 16:08:41 +0000
Subject: [PATCH 0385/1429] Python: Re-introduce `abstract toString`

This seems like the easier solution in the short run.
---
 python/ql/src/semmle/python/ApiGraphs.qll         | 2 +-
 python/ql/src/semmle/python/frameworks/PEP249.qll | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 9689fb06a77..5aab059d58e 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -157,7 +157,7 @@ module API {
     /**
      * Gets a textual representation of this element.
      */
-    string toString() { none() }
+    abstract string toString();
 
     /**
      * Gets a path of the given `length` from the root to this node.
diff --git a/python/ql/src/semmle/python/frameworks/PEP249.qll b/python/ql/src/semmle/python/frameworks/PEP249.qll
index c449ae92bf2..f2b21d08e7c 100644
--- a/python/ql/src/semmle/python/frameworks/PEP249.qll
+++ b/python/ql/src/semmle/python/frameworks/PEP249.qll
@@ -20,7 +20,10 @@ abstract deprecated class PEP249Module extends DataFlow::Node { }
  * An abstract class encompassing API graph nodes that implement PEP 249.
  * Extend this class for implementations.
  */
-abstract class PEP249ModuleApiNode extends API::Node { }
+abstract class PEP249ModuleApiNode extends API::Node {
+  /** Gets a string representation of this element. */
+  override string toString() { result = this.(API::Node).toString() }
+}
 
 /** Gets a reference to a connect call. */
 DataFlow::Node connect() { result = any(PEP249ModuleApiNode a).getMember("connect").getAUse() }

From d853f0c40028958a292d483c3ace880e6cd5dd00 Mon Sep 17 00:00:00 2001
From: Marcono1234 <Marcono1234@users.noreply.github.com>
Date: Fri, 2 Apr 2021 18:51:02 +0200
Subject: [PATCH 0386/1429] Java: Add MemberType

---
 .../Performance/InnerClassCouldBeStatic.ql    |  3 +-
 java/ql/src/semmle/code/java/PrintAst.qll     |  4 +-
 java/ql/src/semmle/code/java/Type.qll         | 42 ++++++++++++++++---
 .../semmle/code/java/frameworks/play/Play.qll | 10 +----
 4 files changed, 41 insertions(+), 18 deletions(-)

diff --git a/java/ql/src/Performance/InnerClassCouldBeStatic.ql b/java/ql/src/Performance/InnerClassCouldBeStatic.ql
index a18d801549d..5dba77761c6 100644
--- a/java/ql/src/Performance/InnerClassCouldBeStatic.ql
+++ b/java/ql/src/Performance/InnerClassCouldBeStatic.ql
@@ -100,8 +100,7 @@ predicate potentiallyStatic(InnerClass c) {
     m = a.getEnclosingCallable() and
     m.getDeclaringType() = c
   ) and
-  not c instanceof AnonymousClass and
-  not c instanceof LocalClass and
+  c instanceof MemberType and
   forall(
     InnerClass other // If nested and non-static, ...
   |
diff --git a/java/ql/src/semmle/code/java/PrintAst.qll b/java/ql/src/semmle/code/java/PrintAst.qll
index 4e219603024..6a74c15316c 100644
--- a/java/ql/src/semmle/code/java/PrintAst.qll
+++ b/java/ql/src/semmle/code/java/PrintAst.qll
@@ -433,9 +433,7 @@ final class ClassInterfaceNode extends ElementNode {
     or
     result.(FieldDeclaration).getAField().getDeclaringType() = ty
     or
-    result.(NestedType).getEnclosingType().getSourceDeclaration() = ty and
-    not result instanceof AnonymousClass and
-    not result instanceof LocalClass
+    result.(MemberType).getEnclosingType().getSourceDeclaration() = ty
     or
     isInitBlock(ty, result)
   }
diff --git a/java/ql/src/semmle/code/java/Type.qll b/java/ql/src/semmle/code/java/Type.qll
index 10d9b8b3a31..e81f64e4616 100755
--- a/java/ql/src/semmle/code/java/Type.qll
+++ b/java/ql/src/semmle/code/java/Type.qll
@@ -517,7 +517,12 @@ class RefType extends Type, Annotatable, Modifiable, @reftype {
   /** Holds if this is a top-level type, which is not nested inside any other types. */
   predicate isTopLevel() { this instanceof TopLevelType }
 
-  /** Holds if this type is declared in a specified package with the specified name. */
+  /**
+   * Holds if this type is declared in a specified package with the specified name.
+   *
+   * For nested types the name of the nested type is prefixed with a `$` and appended
+   * to the name of the enclosing type, which might be a nested type as well.
+   */
   predicate hasQualifiedName(string package, string type) {
     this.getPackage().hasName(package) and type = this.nestedName()
   }
@@ -532,7 +537,12 @@ class RefType extends Type, Annotatable, Modifiable, @reftype {
   }
 
   /**
-   * Gets the qualified name of this type.
+   * Gets the qualified name of this type, consisting of the package name followed by
+   * a `.` and the name of this type.
+   *
+   * For nested types the name of the nested type is prefixed with a `$` and appended
+   * to the name of the enclosing type, which might be a nested type as well. For example:
+   * `java.util.Map$Entry`.
    */
   string getQualifiedName() {
     exists(string pkgName | pkgName = getPackage().getName() |
@@ -540,7 +550,13 @@ class RefType extends Type, Annotatable, Modifiable, @reftype {
     )
   }
 
-  /** Gets the nested name of this type. */
+  /**
+   * Gets the nested name of this type.
+   *
+   * If this type is not a nested type, the result is the same as `getName()`.
+   * Otherwise the name of the nested type is prefixed with a `$` and appended to
+   * the name of the enclosing type, which might be a nested type as well.
+   */
   string nestedName() {
     not this instanceof NestedType and result = this.getName()
     or
@@ -788,6 +804,21 @@ class NestedType extends RefType {
   }
 }
 
+/**
+ * A nested type which is a direct member of the enclosing type,
+ * that is, neither an anonymous nor local class.
+ */
+class MemberType extends NestedType, Member {
+  /**
+   * Gets the qualified name of this member type.
+   *
+   * The qualified name consists of the package name, a `.`, the name of the declaring
+   * type (which might be a nested or member type as well), followed by a `$` and the
+   * name of this member type. For example: `java.util.Map$Entry`.
+   */
+  override string getQualifiedName() { result = NestedType.super.getQualifiedName() }
+}
+
 /**
  * A class declared within another type.
  *
@@ -797,8 +828,9 @@ class NestedType extends RefType {
 class NestedClass extends NestedType, Class { }
 
 /**
- * An inner class is a nested class that is neither
- * explicitly nor implicitly declared static.
+ * An inner class is a nested class that is neither explicitly nor
+ * implicitly declared static. This includes anonymous and local
+ * classes.
  */
 class InnerClass extends NestedClass {
   InnerClass() { not this.isStatic() }
diff --git a/java/ql/src/semmle/code/java/frameworks/play/Play.qll b/java/ql/src/semmle/code/java/frameworks/play/Play.qll
index 0498ba9317c..96c45cb2244 100644
--- a/java/ql/src/semmle/code/java/frameworks/play/Play.qll
+++ b/java/ql/src/semmle/code/java/frameworks/play/Play.qll
@@ -44,14 +44,8 @@ class PlayAddCsrfTokenAnnotation extends Annotation {
 /**
  * The type `play.libs.F.Promise<Result>`.
  */
-class PlayAsyncResultPromise extends Member {
-  PlayAsyncResultPromise() {
-    exists(Class c |
-      c.hasQualifiedName("play.libs", "F") and
-      this = c.getAMember() and
-      this.getQualifiedName() = "F.Promise<Result>"
-    )
-  }
+class PlayAsyncResultPromise extends MemberType {
+  PlayAsyncResultPromise() { hasQualifiedName("play.libs", "F$Promise<Result>") }
 }
 
 /**

From 37dae67a0d57589a6fd97c842d05f2b5c9cf830d Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Wed, 14 Apr 2021 09:55:24 +0800
Subject: [PATCH 0387/1429] Fix RequestResponseFlowConfig.isSink error

---
 .../experimental/Security/CWE/CWE-352/JsonpInjection.ql    | 2 +-
 .../Security/CWE/CWE-352/JsonpInjectionLib.qll             | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
index e3673e50410..f6f87648812 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -52,7 +52,7 @@ class RequestResponseFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSink(DataFlow::Node sink) {
     sink instanceof XssSink and
-    any(RequestGetMethod m).polyCalls*(source.getEnclosingCallable())
+    any(RequestGetMethod m).polyCalls*(sink.getEnclosingCallable())
   }
 
   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index 6a21ce8ff3a..5f2ad8e8532 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -77,10 +77,13 @@ class SpringControllerRequestMappingGetMethod extends SpringControllerGetMethod
     this.getAnAnnotation()
         .getType()
         .hasQualifiedName("org.springframework.web.bind.annotation", "RequestMapping") and
-    this.getAnAnnotation().getValue("method").toString().regexpMatch("RequestMethod.GET|\\{...\\}") and
+    (
+      this.getAnAnnotation().getValue("method").(VarAccess).getVariable().getName() = "GET" or
+      this.getAnAnnotation().getValue("method").(ArrayInit).getSize() = 0 //Java code example: @RequestMapping(value = "test")
+    ) and
     not exists(MethodAccess ma |
       ma.getMethod() instanceof ServletRequestGetBodyMethod and
-      this = getACallingCallableOrSelf(ma.getEnclosingCallable())
+      any(this).polyCalls*(ma.getEnclosingCallable())
     ) and
     not this.getAParamType().getName() = "MultipartFile"
   }

From e2ed0d02b0182dee63b7f0ab855dd3d145c13209 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Wed, 14 Apr 2021 12:34:52 +0800
Subject: [PATCH 0388/1429] Delete existsFilterVerificationMethod and
 existsServletVerificationMethod, add from get handler to filter

---
 .../Security/CWE/CWE-352/JsonpInjection.ql    |  27 ---
 .../CWE/CWE-352/JsonpInjectionLib.qll         |  24 +-
 .../JsonpController.java                      | 218 ------------------
 .../JsonpInjection.expected                   |  81 -------
 .../JsonpInjection.qlref                      |   1 -
 .../JsonpInjectionServlet1.java               |  64 -----
 .../JsonpInjectionServlet2.java               |  50 ----
 .../RefererFilter.java                        |  43 ----
 .../CWE-352/JsonpInjectionWithFilter/options  |   1 -
 .../JsonpInjection.expected                   |   6 -
 .../JsonpInjection.expected                   |   9 -
 11 files changed, 12 insertions(+), 512 deletions(-)
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpController.java
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.expected
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.qlref
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet1.java
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet2.java
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/RefererFilter.java
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/options

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
index f6f87648812..c28af8aaa15 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -16,31 +16,6 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.deadcode.WebEntryPoints
 import DataFlow::PathGraph
 
-/**
- * Holds if some `Filter.doFilter` method exists in the whole program that takes some user-controlled
- * input and tests it with what appears to be a token- or authentication-checking function.
- */
-predicate existsFilterVerificationMethod() {
-  exists(DataFlow::Node source, DataFlow::Node sink, VerificationMethodFlowConfig vmfc, Method m |
-    vmfc.hasFlow(source, sink) and
-    m = getACallingCallableOrSelf(source.getEnclosingCallable()) and
-    isDoFilterMethod(m)
-  )
-}
-
-/**
- * Holds if somewhere in the whole program some user-controlled
- * input is tested with what appears to be a token- or authentication-checking function,
- * and `checkNode` is reachable from any function that can reach the user-controlled input source.
- */
-predicate existsServletVerificationMethod(Node checkNode) {
-  exists(DataFlow::Node source, DataFlow::Node sink, VerificationMethodFlowConfig vmfc |
-    vmfc.hasFlow(source, sink) and
-    getACallingCallableOrSelf(source.getEnclosingCallable()) =
-      getACallingCallableOrSelf(checkNode.getEnclosingCallable())
-  )
-}
-
 /** Taint-tracking configuration tracing flow from get method request sources to output jsonp data. */
 class RequestResponseFlowConfig extends TaintTracking::Configuration {
   RequestResponseFlowConfig() { this = "RequestResponseFlowConfig" }
@@ -64,8 +39,6 @@ class RequestResponseFlowConfig extends TaintTracking::Configuration {
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, RequestResponseFlowConfig conf
 where
-  not existsServletVerificationMethod(source.getNode()) and
-  not existsFilterVerificationMethod() and
   conf.hasFlowPath(source, sink) and
   exists(JsonpInjectionFlowConfig jhfc | jhfc.hasFlowTo(sink.getNode()))
 select sink.getNode(), source, sink, "Jsonp response might include code from $@.", source.getNode(),
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index 5f2ad8e8532..af9cebb865c 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -42,17 +42,21 @@ class VerificationMethodFlowConfig extends TaintTracking2::Configuration {
   }
 }
 
-/** Get Callable by recursive method. */
-Callable getACallingCallableOrSelf(Callable call) {
-  result = call
-  or
-  result = getACallingCallableOrSelf(call.getAReference().getEnclosingCallable())
-}
-
 /**
  * A method that is called to handle an HTTP GET request.
  */
-abstract class RequestGetMethod extends Method { }
+abstract class RequestGetMethod extends Method {
+  RequestGetMethod() {
+    not exists(DataFlow::Node source, DataFlow::Node sink, VerificationMethodFlowConfig vmfc |
+      vmfc.hasFlow(source, sink) and
+      any(this).polyCalls*(source.getEnclosingCallable())
+    ) and
+    not exists(MethodAccess ma |
+      ma.getMethod() instanceof ServletRequestGetBodyMethod and
+      any(this).polyCalls*(ma.getEnclosingCallable())
+    )
+  }
+}
 
 /** Override method of `doGet` of `Servlet` subclass. */
 private class ServletGetMethod extends RequestGetMethod {
@@ -81,10 +85,6 @@ class SpringControllerRequestMappingGetMethod extends SpringControllerGetMethod
       this.getAnAnnotation().getValue("method").(VarAccess).getVariable().getName() = "GET" or
       this.getAnAnnotation().getValue("method").(ArrayInit).getSize() = 0 //Java code example: @RequestMapping(value = "test")
     ) and
-    not exists(MethodAccess ma |
-      ma.getMethod() instanceof ServletRequestGetBodyMethod and
-      any(this).polyCalls*(ma.getEnclosingCallable())
-    ) and
     not this.getAParamType().getName() = "MultipartFile"
   }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpController.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpController.java
deleted file mode 100644
index e875da2f699..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpController.java
+++ /dev/null
@@ -1,218 +0,0 @@
-import com.alibaba.fastjson.JSONObject;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.gson.Gson;
-import java.io.BufferedReader;
-import java.io.IOException;
-import java.io.InputStreamReader;
-import java.io.PrintWriter;
-import java.util.HashMap;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
-import org.springframework.web.multipart.MultipartFile;
-
-@Controller
-public class JsonpController {
-
-    private static HashMap hashMap = new HashMap();
-
-    static {
-        hashMap.put("username","admin");
-        hashMap.put("password","123456");
-    }
-
-    @GetMapping(value = "jsonp1")
-    @ResponseBody
-    public String bad1(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        Gson gson = new Gson();
-        String result = gson.toJson(hashMap);
-        resultStr = jsonpCallback + "(" + result + ")";
-        return resultStr;
-    }
-
-    @GetMapping(value = "jsonp2")
-    @ResponseBody
-    public String bad2(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")";
-        return resultStr;
-    }
-
-    @GetMapping(value = "jsonp3")
-    @ResponseBody
-    public String bad3(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
-        return resultStr;
-    }
-
-    @GetMapping(value = "jsonp4")
-    @ResponseBody
-    public String bad4(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String restr = JSONObject.toJSONString(hashMap);
-        resultStr = jsonpCallback + "(" + restr + ");";
-        return resultStr;
-    }
-
-    @GetMapping(value = "jsonp5")
-    @ResponseBody
-    public void bad5(HttpServletRequest request,
-            HttpServletResponse response) throws Exception {
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        PrintWriter pw = null;
-        Gson gson = new Gson();
-        String result = gson.toJson(hashMap);
-        String resultStr = null;
-        pw = response.getWriter();
-        resultStr = jsonpCallback + "(" + result + ")";
-        pw.println(resultStr);
-    }
-
-    @GetMapping(value = "jsonp6")
-    @ResponseBody
-    public void bad6(HttpServletRequest request,
-            HttpServletResponse response) throws Exception {
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        PrintWriter pw = null;
-        ObjectMapper mapper = new ObjectMapper();
-        String result = mapper.writeValueAsString(hashMap);
-        String resultStr = null;
-        pw = response.getWriter();
-        resultStr = jsonpCallback + "(" + result + ")";
-        pw.println(resultStr);
-    }
-
-    @RequestMapping(value = "jsonp7", method = RequestMethod.GET)
-    @ResponseBody
-    public String bad7(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        Gson gson = new Gson();
-        String result = gson.toJson(hashMap);
-        resultStr = jsonpCallback + "(" + result + ")";
-        return resultStr;
-    }
-
-    @GetMapping(value = "jsonp8")
-    @ResponseBody
-    public String bad8(HttpServletRequest request) {
-        String resultStr = null;
-        String token = request.getParameter("token");
-        boolean result = verifToken(token); //Just check.
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
-        return resultStr;
-    }
-
-
-    @GetMapping(value = "jsonp9")
-    @ResponseBody
-    public String good1(HttpServletRequest request) {
-        String resultStr = null;
-        String referer = request.getParameter("referer");
-        if (verifReferer(referer)){
-            String jsonpCallback = request.getParameter("jsonpCallback");
-            String jsonStr = getJsonStr(hashMap);
-            resultStr = jsonpCallback + "(" + jsonStr + ")";
-            return resultStr;
-        }
-        return "error";
-    }
-
-
-    @GetMapping(value = "jsonp10")
-    @ResponseBody
-    public String good2(HttpServletRequest request) {
-        String resultStr = null;
-        String token = request.getParameter("token");
-        boolean result = verifToken(token);
-        if (result){
-            return "";
-        }
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
-        return resultStr;
-    }
-
-    @RequestMapping(value = "jsonp11")
-    @ResponseBody
-    public String good3(HttpServletRequest request) {
-        JSONObject parameterObj = readToJSONObect(request);
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String restr = JSONObject.toJSONString(hashMap);
-        resultStr = jsonpCallback + "(" + restr + ");";
-        return resultStr;
-    }
-
-    @RequestMapping(value = "jsonp12")
-    @ResponseBody
-    public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
-        if(null == file){
-            return "upload file error";
-        }
-        String fileName = file.getOriginalFilename();
-        System.out.println("file operations");
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String restr = JSONObject.toJSONString(hashMap);
-        resultStr = jsonpCallback + "(" + restr + ");";
-        return resultStr;
-    }
-
-    public static JSONObject readToJSONObect(HttpServletRequest request){
-        String jsonText = readPostContent(request);
-        JSONObject jsonObj = JSONObject.parseObject(jsonText, JSONObject.class);
-        return jsonObj;
-    }
-
-    public static String readPostContent(HttpServletRequest request){
-        BufferedReader in= null;
-        String content = null;
-        String line = null;
-        try {
-            in = new BufferedReader(new InputStreamReader(request.getInputStream(),"UTF-8"));
-            StringBuilder buf = new StringBuilder();
-            while ((line = in.readLine()) != null) {
-                buf.append(line);
-            }
-            content = buf.toString();
-        } catch (IOException e) {
-            e.printStackTrace();
-        }
-        String uri = request.getRequestURI();
-        return content;
-    }
-
-    public static String getJsonStr(Object result) {
-        return JSONObject.toJSONString(result);
-    }
-
-    public static boolean verifToken(String token){
-        if (token != "xxxx"){
-            return false;
-        }
-        return true;
-    }
-
-    public static boolean verifReferer(String str){
-        if (str != "xxxx"){
-            return false;
-        }
-        return true;
-    }
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.expected
deleted file mode 100644
index 3da805c6a69..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.expected
+++ /dev/null
@@ -1,81 +0,0 @@
-edges
-| JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr |
-| JsonpController.java:36:21:36:54 | ... + ... : String | JsonpController.java:37:16:37:24 | resultStr |
-| JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr |
-| JsonpController.java:45:21:45:80 | ... + ... : String | JsonpController.java:46:16:46:24 | resultStr |
-| JsonpController.java:53:32:53:68 | getParameter(...) : String | JsonpController.java:56:16:56:24 | resultStr |
-| JsonpController.java:55:21:55:55 | ... + ... : String | JsonpController.java:56:16:56:24 | resultStr |
-| JsonpController.java:63:32:63:68 | getParameter(...) : String | JsonpController.java:66:16:66:24 | resultStr |
-| JsonpController.java:65:21:65:54 | ... + ... : String | JsonpController.java:66:16:66:24 | resultStr |
-| JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr |
-| JsonpController.java:79:21:79:54 | ... + ... : String | JsonpController.java:80:20:80:28 | resultStr |
-| JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr |
-| JsonpController.java:93:21:93:54 | ... + ... : String | JsonpController.java:94:20:94:28 | resultStr |
-| JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr |
-| JsonpController.java:104:21:104:54 | ... + ... : String | JsonpController.java:105:16:105:24 | resultStr |
-| JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr |
-| JsonpController.java:116:21:116:55 | ... + ... : String | JsonpController.java:117:16:117:24 | resultStr |
-| JsonpController.java:127:36:127:72 | getParameter(...) : String | JsonpController.java:130:20:130:28 | resultStr |
-| JsonpController.java:129:25:129:59 | ... + ... : String | JsonpController.java:130:20:130:28 | resultStr |
-| JsonpController.java:145:32:145:68 | getParameter(...) : String | JsonpController.java:148:16:148:24 | resultStr |
-| JsonpController.java:147:21:147:55 | ... + ... : String | JsonpController.java:148:16:148:24 | resultStr |
-| JsonpController.java:158:21:158:54 | ... + ... : String | JsonpController.java:159:16:159:24 | resultStr |
-| JsonpController.java:173:21:173:54 | ... + ... : String | JsonpController.java:174:16:174:24 | resultStr |
-| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
-| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
-| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
-| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
-nodes
-| JsonpController.java:33:32:33:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:36:21:36:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:44:32:44:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:45:21:45:80 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:46:16:46:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:46:16:46:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:53:32:53:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:55:21:55:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:56:16:56:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:56:16:56:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:63:32:63:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:65:21:65:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:66:16:66:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:66:16:66:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:73:32:73:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:79:21:79:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:80:20:80:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:80:20:80:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:87:32:87:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:93:21:93:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:94:20:94:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:94:20:94:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:101:32:101:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:104:21:104:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:114:32:114:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:116:21:116:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:127:36:127:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:129:25:129:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:145:32:145:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:147:21:147:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:158:21:158:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:159:16:159:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:173:21:173:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:174:16:174:24 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
-#select
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.qlref
deleted file mode 100644
index 3f5fc450669..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-352/JsonpInjection.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet1.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet1.java
deleted file mode 100644
index 14ef76275b1..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet1.java
+++ /dev/null
@@ -1,64 +0,0 @@
-import com.google.gson.Gson;
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.util.HashMap;
-import javax.servlet.ServletConfig;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-public class JsonpInjectionServlet1 extends HttpServlet {
-
-    private static HashMap hashMap = new HashMap();
-
-    static {
-        hashMap.put("username","admin");
-        hashMap.put("password","123456");
-    }
-
-    private static final long serialVersionUID = 1L;
-
-    private String key = "test";
-    @Override
-    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-        doPost(req, resp);
-    }
-
-    @Override
-    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-        resp.setContentType("application/json");
-        String jsonpCallback = req.getParameter("jsonpCallback");
-        PrintWriter pw = null;
-        Gson gson = new Gson();
-        String jsonResult = gson.toJson(hashMap);
-
-        String referer = req.getHeader("Referer");
-
-        boolean result = verifReferer(referer);
-
-        // good
-        if (result){
-            String resultStr = null;
-            pw = resp.getWriter();
-            resultStr = jsonpCallback + "(" + jsonResult + ")";
-            pw.println(resultStr);
-            pw.flush();
-        }
-    }
-
-    public static boolean verifReferer(String referer){
-        if (!referer.startsWith("http://test.com/")){
-            return false;
-        }
-        return true;
-    }
-
-    @Override
-    public void init(ServletConfig config) throws ServletException {
-        this.key = config.getInitParameter("key");
-        System.out.println("�始化" + this.key);
-        super.init(config);
-    }
-
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet2.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet2.java
deleted file mode 100644
index bbfbc2dc436..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpInjectionServlet2.java
+++ /dev/null
@@ -1,50 +0,0 @@
-import com.google.gson.Gson;
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.util.HashMap;
-import javax.servlet.ServletConfig;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-public class JsonpInjectionServlet2  extends HttpServlet {
-
-    private static HashMap hashMap = new HashMap();
-
-    static {
-        hashMap.put("username","admin");
-        hashMap.put("password","123456");
-    }
-
-    private static final long serialVersionUID = 1L;
-
-    private String key = "test";
-    @Override
-    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-        doPost(req, resp);
-    }
-
-    @Override
-    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-        resp.setContentType("application/json");
-        String jsonpCallback = req.getParameter("jsonpCallback");
-        PrintWriter pw = null;
-        Gson gson = new Gson();
-        String result = gson.toJson(hashMap);
-
-        String resultStr = null;
-        pw = resp.getWriter();
-        resultStr = jsonpCallback + "(" + result + ")";
-        pw.println(resultStr);
-        pw.flush();
-    }
-
-    @Override
-    public void init(ServletConfig config) throws ServletException {
-        this.key = config.getInitParameter("key");
-        System.out.println("�始化" + this.key);
-        super.init(config);
-    }
-
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/RefererFilter.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/RefererFilter.java
deleted file mode 100644
index 97444932ae1..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/RefererFilter.java
+++ /dev/null
@@ -1,43 +0,0 @@
-import java.io.IOException;
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.springframework.util.StringUtils;
-
-public class RefererFilter implements Filter {
-
-    @Override
-    public void init(FilterConfig filterConfig) throws ServletException {
-    }
-
-    @Override
-    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
-        HttpServletRequest request = (HttpServletRequest) servletRequest;
-        HttpServletResponse response = (HttpServletResponse) servletResponse;
-        String refefer = request.getHeader("Referer");
-        boolean result = verifReferer(refefer);
-        if (result){
-            filterChain.doFilter(servletRequest, servletResponse);
-        }
-        response.sendError(444, "Referer xxx.");
-    }
-
-    @Override
-    public void destroy() {
-    }
-
-    public static boolean verifReferer(String referer){
-        if (StringUtils.isEmpty(referer)){
-            return false;
-        }
-        if (referer.startsWith("http://www.baidu.com/")){
-            return true;
-        }
-        return false;
-    }
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/options b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/options
deleted file mode 100644
index c53e31e467f..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/options
+++ /dev/null
@@ -1 +0,0 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../../stubs/gson-2.8.6/:${testdir}/../../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../../stubs/spring-context-5.3.2/:${testdir}/../../../../../stubs/spring-web-5.3.2/:${testdir}/../../../../../stubs/spring-core-5.3.2/:${testdir}/../../../../../stubs/tomcat-embed-core-9.0.41/
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected
index 2e4bc97ff97..83f2b7f206a 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected
@@ -15,9 +15,7 @@ edges
 | JsonpController.java:104:21:104:54 | ... + ... : String | JsonpController.java:105:16:105:24 | resultStr |
 | JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr |
 | JsonpController.java:116:21:116:55 | ... + ... : String | JsonpController.java:117:16:117:24 | resultStr |
-| JsonpController.java:127:36:127:72 | getParameter(...) : String | JsonpController.java:130:20:130:28 | resultStr |
 | JsonpController.java:129:25:129:59 | ... + ... : String | JsonpController.java:130:20:130:28 | resultStr |
-| JsonpController.java:145:32:145:68 | getParameter(...) : String | JsonpController.java:148:16:148:24 | resultStr |
 | JsonpController.java:147:21:147:55 | ... + ... : String | JsonpController.java:148:16:148:24 | resultStr |
 | JsonpController.java:158:21:158:54 | ... + ... : String | JsonpController.java:159:16:159:24 | resultStr |
 | JsonpController.java:173:21:173:54 | ... + ... : String | JsonpController.java:174:16:174:24 | resultStr |
@@ -54,14 +52,10 @@ nodes
 | JsonpController.java:116:21:116:55 | ... + ... : String | semmle.label | ... + ... : String |
 | JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
 | JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:127:36:127:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JsonpController.java:129:25:129:59 | ... + ... : String | semmle.label | ... + ... : String |
 | JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:145:32:145:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JsonpController.java:147:21:147:55 | ... + ... : String | semmle.label | ... + ... : String |
 | JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
 | JsonpController.java:158:21:158:54 | ... + ... : String | semmle.label | ... + ... : String |
 | JsonpController.java:159:16:159:24 | resultStr | semmle.label | resultStr |
 | JsonpController.java:173:21:173:54 | ... + ... : String | semmle.label | ... + ... : String |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected
index d90d51ab552..dfbe0628760 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected
@@ -15,13 +15,10 @@ edges
 | JsonpController.java:104:21:104:54 | ... + ... : String | JsonpController.java:105:16:105:24 | resultStr |
 | JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr |
 | JsonpController.java:116:21:116:55 | ... + ... : String | JsonpController.java:117:16:117:24 | resultStr |
-| JsonpController.java:127:36:127:72 | getParameter(...) : String | JsonpController.java:130:20:130:28 | resultStr |
 | JsonpController.java:129:25:129:59 | ... + ... : String | JsonpController.java:130:20:130:28 | resultStr |
-| JsonpController.java:145:32:145:68 | getParameter(...) : String | JsonpController.java:148:16:148:24 | resultStr |
 | JsonpController.java:147:21:147:55 | ... + ... : String | JsonpController.java:148:16:148:24 | resultStr |
 | JsonpController.java:158:21:158:54 | ... + ... : String | JsonpController.java:159:16:159:24 | resultStr |
 | JsonpController.java:173:21:173:54 | ... + ... : String | JsonpController.java:174:16:174:24 | resultStr |
-| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
 | JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
 | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
 | JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
@@ -58,22 +55,16 @@ nodes
 | JsonpController.java:116:21:116:55 | ... + ... : String | semmle.label | ... + ... : String |
 | JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
 | JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:127:36:127:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JsonpController.java:129:25:129:59 | ... + ... : String | semmle.label | ... + ... : String |
 | JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:145:32:145:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JsonpController.java:147:21:147:55 | ... + ... : String | semmle.label | ... + ... : String |
 | JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
 | JsonpController.java:158:21:158:54 | ... + ... : String | semmle.label | ... + ... : String |
 | JsonpController.java:159:16:159:24 | resultStr | semmle.label | resultStr |
 | JsonpController.java:173:21:173:54 | ... + ... : String | semmle.label | ... + ... : String |
 | JsonpController.java:174:16:174:24 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String |
 | JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
 | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | semmle.label | ... + ... : String |
 | JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |

From 77208bcc91d7dfc0d53a8eb2f429b1deebded47b Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Wed, 14 Apr 2021 13:14:43 +0800
Subject: [PATCH 0389/1429] Fix the error that there is no
 VerificationMethodToIfFlowConfig

---
 .../CWE/CWE-352/JsonpInjectionLib.qll         | 44 ++++++++++++-------
 1 file changed, 28 insertions(+), 16 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index af9cebb865c..6b989c3c0cf 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -7,11 +7,32 @@ import semmle.code.java.dataflow.DataFlow3
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.spring.SpringController
 
+/** A data flow configuration tracing flow from the result of a method whose name includes token/auth/referer/origin to an if-statement condition. */
+class VerificationMethodToIfFlowConfig extends DataFlow3::Configuration {
+  VerificationMethodToIfFlowConfig() { this = "VerificationMethodToIfFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) {
+    exists(MethodAccess ma | ma instanceof BarrierGuard |
+      (
+        ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
+        or
+        ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
+      ) and
+      ma = src.asExpr()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(IfStmt is | is.getCondition() = sink.asExpr())
+  }
+}
+
 /**
  * Taint-tracking configuration tracing flow from untrusted inputs to an argument of a function whose result is used as an if-statement condition.
  *
  * For example, in the context `String userControlled = request.getHeader("xyz"); boolean isGood = checkToken(userControlled); if(isGood) { ...`,
- * the flow from `getHeader(...)` to the argument to `checkToken`, and then the flow from `checkToken`'s result to the condition of `if(isGood)`.
+ * the flow from `checkToken`'s result to the condition of `if(isGood)` matches the configuration `VerificationMethodToIfFlowConfig` above,
+ * and so the flow from `getHeader(...)` to the argument to `checkToken` matches this configuration.
  */
 class VerificationMethodFlowConfig extends TaintTracking2::Configuration {
   VerificationMethodFlowConfig() { this = "VerificationMethodFlowConfig" }
@@ -19,25 +40,16 @@ class VerificationMethodFlowConfig extends TaintTracking2::Configuration {
   override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(IfStmt is, Method m | is.getEnclosingCallable() = m |
+    exists(MethodAccess ma, int i, VerificationMethodToIfFlowConfig vmtifc |
+      ma instanceof BarrierGuard
+    |
       (
-        not m.getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
-        or
-        not m.getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
-      ) and
-      sink.asExpr() = is.getCondition()
-    )
-  }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node prod, DataFlow::Node succ) {
-    exists(MethodAccess ma |
-      (
-        ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
+        ma.getMethod().getParameter(i).getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
         or
         ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
       ) and
-      ma.getAnArgument() = prod.asExpr() and
-      ma = succ.asExpr()
+      ma.getArgument(i) = sink.asExpr() and
+      vmtifc.hasFlow(exprNode(ma), _)
     )
   }
 }

From 4810308b16d9c6af09f2bababb64992482a328bc Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Wed, 14 Apr 2021 09:16:31 +0200
Subject: [PATCH 0390/1429] C#: Add `Customizations.qll`

---
 csharp/ql/src/Customizations.qll | 12 ++++++++++++
 csharp/ql/src/csharp.qll         |  1 +
 2 files changed, 13 insertions(+)
 create mode 100644 csharp/ql/src/Customizations.qll

diff --git a/csharp/ql/src/Customizations.qll b/csharp/ql/src/Customizations.qll
new file mode 100644
index 00000000000..d5378a44f0d
--- /dev/null
+++ b/csharp/ql/src/Customizations.qll
@@ -0,0 +1,12 @@
+/**
+ * Contains customizations to the standard library.
+ *
+ * This module is imported by `csharp.qll`, so any customizations defined here automatically
+ * apply to all queries.
+ *
+ * Typical examples of customizations include adding new subclasses of abstract classes such as
+ * the `RemoteFlowSource` and `SummarizedCallable` classes associated with the security queries
+ * to model frameworks that are not covered by the standard library.
+ */
+
+import csharp
diff --git a/csharp/ql/src/csharp.qll b/csharp/ql/src/csharp.qll
index 3c821c9a443..dc187fc8d92 100644
--- a/csharp/ql/src/csharp.qll
+++ b/csharp/ql/src/csharp.qll
@@ -2,6 +2,7 @@
  * The default C# QL library.
  */
 
+import Customizations
 import semmle.code.csharp.Attribute
 import semmle.code.csharp.Callable
 import semmle.code.csharp.Comments

From 36fe72246b9dc5d19397fab44c86187e81feaf1a Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Wed, 14 Apr 2021 09:22:16 +0200
Subject: [PATCH 0391/1429] C#: Add change note

---
 csharp/change-notes/2021-04-14-customizations.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 csharp/change-notes/2021-04-14-customizations.md

diff --git a/csharp/change-notes/2021-04-14-customizations.md b/csharp/change-notes/2021-04-14-customizations.md
new file mode 100644
index 00000000000..a2f957ca923
--- /dev/null
+++ b/csharp/change-notes/2021-04-14-customizations.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* A new library, `Customizations.qll`, has been added, which allows for global customizations that affect all queries.
\ No newline at end of file

From 5158e7964eb51236ed6ea9308c285af55594d9cd Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Wed, 14 Apr 2021 08:25:12 +0100
Subject: [PATCH 0392/1429] Add change note

---
 java/change-notes/2021-04-14-membertype.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 java/change-notes/2021-04-14-membertype.md

diff --git a/java/change-notes/2021-04-14-membertype.md b/java/change-notes/2021-04-14-membertype.md
new file mode 100644
index 00000000000..910a5c91423
--- /dev/null
+++ b/java/change-notes/2021-04-14-membertype.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* A CodeQL class `MemberType` is introduced to describe nested classes. Its `getQualifiedName` method returns `$`-delimited nested type names (for example, `mypackage.Outer$Middle$Inner`), where previously the same type would be named differently depending on whether it was addressed as a `NestedType` or a `Member`.

From 2965a1f204a908738f56b475ae60928b9efc504d Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Wed, 14 Apr 2021 08:43:05 +0100
Subject: [PATCH 0393/1429] Use Thread$State as an inner-class example

Map<>$Entry currently has odd generic notation that may be about to change.
---
 java/ql/src/semmle/code/java/Type.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/semmle/code/java/Type.qll b/java/ql/src/semmle/code/java/Type.qll
index e81f64e4616..5eaa52ee548 100755
--- a/java/ql/src/semmle/code/java/Type.qll
+++ b/java/ql/src/semmle/code/java/Type.qll
@@ -542,7 +542,7 @@ class RefType extends Type, Annotatable, Modifiable, @reftype {
    *
    * For nested types the name of the nested type is prefixed with a `$` and appended
    * to the name of the enclosing type, which might be a nested type as well. For example:
-   * `java.util.Map$Entry`.
+   * `java.lang.Thread$State`.
    */
   string getQualifiedName() {
     exists(string pkgName | pkgName = getPackage().getName() |
@@ -814,7 +814,7 @@ class MemberType extends NestedType, Member {
    *
    * The qualified name consists of the package name, a `.`, the name of the declaring
    * type (which might be a nested or member type as well), followed by a `$` and the
-   * name of this member type. For example: `java.util.Map$Entry`.
+   * name of this member type. For example: `java.lang.Thread$State`.
    */
   override string getQualifiedName() { result = NestedType.super.getQualifiedName() }
 }

From 55723618a9041e18221cbce243a81f1972fbd96b Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
Date: Wed, 14 Apr 2021 10:05:50 +0200
Subject: [PATCH 0394/1429] Python: Apply suggestions from code review

Co-authored-by: Taus <tausbn@github.com>
---
 python/ql/src/semmle/python/frameworks/Django.qll | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index f41920c86b8..4ef93e5cb60 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -16,7 +16,7 @@ private import semmle.python.regex
  * Provides models for the `django` PyPI package.
  * See https://www.djangoproject.com/.
  */
-module Django {
+private module Django {
   /** Provides models for the `django.views` module */
   module Views {
     /**
@@ -28,7 +28,7 @@ module Django {
      */
     module View {
       /**
-       * An `API::Node` for references to `django.views.generic.View` or any subclass
+       * An `API::Node` representing the `django.views.generic.View` class or any subclass
        * that has explicitly been modeled in the CodeQL libraries.
        */
       abstract class ModeledSubclass extends API::Node {
@@ -94,7 +94,7 @@ module Django {
      */
     module Form {
       /**
-       * An `API::Node` for references to `django.forms.forms.BaseForm` or any subclass
+       * An `API::Node` representing the `django.forms.forms.BaseForm` class or any subclass
        * that has explicitly been modeled in the CodeQL libraries.
        */
       abstract class ModeledSubclass extends API::Node {
@@ -190,7 +190,7 @@ module Django {
      */
     module Field {
       /**
-       * An `API::Node` for references to `django.forms.fields.Field` or any subclass
+       * An `API::Node` representing the `django.forms.fields.Field` class or any subclass
        * that has explicitly been modeled in the CodeQL libraries.
        */
       abstract class ModeledSubclass extends API::Node {

From fd23e0bdda63169e2ca2c4dd86ecd3e796b8da57 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 14 Apr 2021 11:47:15 +0200
Subject: [PATCH 0395/1429] use more API nodes in XmlParsers, and recognize
 more results from parsing XML

---
 .../ql/src/semmle/javascript/ApiGraphs.qll    |   2 +-
 .../javascript/frameworks/XmlParsers.qll      | 155 +++++++++++++-----
 .../TaintTracking/BasicTaintTracking.expected |   4 +
 .../test/library-tests/TaintTracking/xml.js   |  25 ++-
 4 files changed, 139 insertions(+), 47 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/ApiGraphs.qll b/javascript/ql/src/semmle/javascript/ApiGraphs.qll
index c0d28d913f7..385dc1e76d3 100644
--- a/javascript/ql/src/semmle/javascript/ApiGraphs.qll
+++ b/javascript/ql/src/semmle/javascript/ApiGraphs.qll
@@ -924,7 +924,7 @@ private module Label {
       result = member(pn) and
       // only consider properties with alphanumeric(-ish) names, excluding special properties
       // and properties whose names look like they are meant to be internal
-      pn.regexpMatch("(?!prototype$|__)[a-zA-Z_$][\\w\\-.$]*")
+      pn.regexpMatch("(?!prototype$|__)[\\w_$][\\w\\-.$]*")
     )
     or
     not exists(pr.getPropertyName()) and
diff --git a/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll b/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll
index 1e6677ff9e1..94bf5b09363 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll
@@ -2,7 +2,9 @@
  * Provides classes for working with XML parser APIs.
  */
 
-import javascript as js
+private import javascript as js
+private import js::DataFlow as DataFlow
+private import js::API as API
 
 module XML {
   /**
@@ -12,9 +14,9 @@ module XML {
     /** Internal general entity. */
     InternalEntity() or
     /** External general entity, either parsed or unparsed. */
-    ExternalEntity(boolean parsed) { parsed = true or parsed = false } or
+    ExternalEntity(boolean parsed) { parsed = [true, false] } or
     /** Parameter entity, either internal or external. */
-    ParameterEntity(boolean external) { external = true or external = false }
+    ParameterEntity(boolean external) { external = [true, false] }
 
   /**
    * A call to an XML parsing function.
@@ -27,16 +29,19 @@ module XML {
     abstract predicate resolvesEntities(EntityKind kind);
 
     /** Gets a reference to a value resulting from parsing the XML. */
-    js::DataFlow::Node getAResult() { none() }
+    DataFlow::Node getAResult() { none() }
   }
 
   /**
    * An invocation of `libxmljs.parseXml` or `libxmljs.parseXmlString`.
    */
   class LibXmlJsParserInvocation extends ParserInvocation {
+    API::CallNode call;
+
     LibXmlJsParserInvocation() {
       exists(string m |
-        this = js::DataFlow::moduleMember("libxmljs", m).getACall().asExpr() and
+        call = API::moduleImport("libxmljs").getMember(m).getACall() and
+        this = call.asExpr() and
         m.matches("parseXml%")
       )
     }
@@ -53,24 +58,67 @@ module XML {
         noent.mayHaveBooleanValue(true)
       )
     }
-  }
 
-  /**
-   * Gets a call to method `methodName` on an instance of class `className` from module `modName`.
-   */
-  private js::MethodCallExpr moduleMethodCall(string modName, string className, string methodName) {
-    exists(js::DataFlow::ModuleImportNode mod |
-      mod.getPath() = modName and
-      result = mod.getAConstructorInvocation(className).getAMethodCall(methodName).asExpr()
-    )
+    /**
+     * A document from the `libxmljs` library.
+     * The API is based on https://github.com/DefinitelyTyped/DefinitelyTyped/blob/master/types/libxmljs/index.d.ts
+     */
+    private API::Node doc() {
+      result = call.getReturn()
+      or
+      result = doc().getMember("encoding").getReturn()
+      or
+      result = element().getMember("doc").getReturn()
+      or
+      result = element().getMember("parent").getReturn()
+    }
+
+    /**
+     * An `Element` from the `libxmljs` library.
+     */
+    private API::Node element() {
+      result = doc().getMember(["child", "get", "node", "root"]).getReturn()
+      or
+      result = [doc(), element()].getMember(["childNodes", "find"]).getReturn().getAMember()
+      or
+      result =
+        element()
+            .getMember([
+                "parent", "prevSibling", "nextSibling", "remove", "clone", "node", "child",
+                "prevElement", "nextElement"
+              ])
+            .getReturn()
+    }
+
+    /**
+     * An `Attr` from the `libxmljs` library.
+     */
+    private API::Node attr() {
+      result = element().getMember("attr").getReturn()
+      or
+      result = element().getMember("attrs").getReturn().getAMember()
+    }
+
+    override DataFlow::Node getAResult() {
+      result = [doc(), element(), attr()].getAnImmediateUse()
+      or
+      result = element().getMember(["name", "text"]).getACall()
+      or
+      result = attr().getMember(["name", "value"]).getACall()
+      or
+      result = element().getMember("namespace").getReturn().getMember(["href", "prefix"]).getACall()
+    }
   }
 
   /**
    * An invocation of `libxmljs.SaxParser.parseString`.
    */
   class LibXmlJsSaxParserInvocation extends ParserInvocation {
+    API::Node parser;
+
     LibXmlJsSaxParserInvocation() {
-      this = moduleMethodCall("libxmljs", "SaxParser", "parseString")
+      parser = API::moduleImport("libxmljs").getMember("SaxParser").getInstance() and
+      this = parser.getMember("parseString").getACall().asExpr()
     }
 
     override js::Expr getSourceArgument() { result = getArgument(0) }
@@ -79,14 +127,21 @@ module XML {
       // entities are resolved by default
       any()
     }
+
+    override DataFlow::Node getAResult() {
+      result = parser.getMember("on").getACall().getABoundCallbackParameter(1, _)
+    }
   }
 
   /**
    * An invocation of `libxmljs.SaxPushParser.push`.
    */
   class LibXmlJsSaxPushParserInvocation extends ParserInvocation {
+    API::Node parser;
+
     LibXmlJsSaxPushParserInvocation() {
-      this = moduleMethodCall("libxmljs", "SaxPushParser", "push")
+      parser = API::moduleImport("libxmljs").getMember("SaxPushParser").getInstance() and
+      this = parser.getMember("push").getACall().asExpr()
     }
 
     override js::Expr getSourceArgument() { result = getArgument(0) }
@@ -95,17 +150,21 @@ module XML {
       // entities are resolved by default
       any()
     }
+
+    override DataFlow::Node getAResult() {
+      result = parser.getMember("on").getACall().getABoundCallbackParameter(1, _)
+    }
   }
 
   /**
    * An invocation of `expat.Parser.parse` or `expat.Parser.write`.
    */
   class ExpatParserInvocation extends ParserInvocation {
-    js::DataFlow::NewNode parser;
+    API::Node parser;
 
     ExpatParserInvocation() {
-      parser = js::DataFlow::moduleMember("node-expat", "Parser").getAnInstantiation() and
-      this = parser.getAMemberCall(["parse", "write"]).asExpr()
+      parser = API::moduleImport("node-expat").getMember("Parser").getInstance() and
+      this = parser.getMember(["parse", "write"]).getACall().asExpr()
     }
 
     override js::Expr getSourceArgument() { result = getArgument(0) }
@@ -115,8 +174,8 @@ module XML {
       kind = InternalEntity()
     }
 
-    override js::DataFlow::Node getAResult() {
-      result = parser.getAMemberCall("on").getABoundCallbackParameter(1, _)
+    override DataFlow::Node getAResult() {
+      result = parser.getMember("on").getACall().getABoundCallbackParameter(1, _)
     }
   }
 
@@ -125,17 +184,22 @@ module XML {
    */
   private class DOMParserXmlParserInvocation extends XML::ParserInvocation {
     DOMParserXmlParserInvocation() {
-      exists(js::DataFlow::GlobalVarRefNode domparser |
-        domparser.getName() = "DOMParser" and
-        this = domparser.getAnInstantiation().getAMethodCall("parseFromString").asExpr() and
-        // type contains the string `xml`, that is, it's not `text/html`
-        getArgument(1).mayHaveStringValue(any(string tp | tp.matches("%xml%")))
-      )
+      this =
+        DataFlow::globalVarRef("DOMParser")
+            .getAnInstantiation()
+            .getAMethodCall("parseFromString")
+            .asExpr() and
+      // type contains the string `xml`, that is, it's not `text/html`
+      getArgument(1).mayHaveStringValue(any(string tp | tp.matches("%xml%")))
     }
 
     override js::Expr getSourceArgument() { result = getArgument(0) }
 
     override predicate resolvesEntities(XML::EntityKind kind) { kind = InternalEntity() }
+
+    // The result is an XMLDocument (https://developer.mozilla.org/en-US/docs/Web/API/XMLDocument).
+    // The API of the XMLDocument is not modelled.
+    override DataFlow::Node getAResult() { result.asExpr() = this }
   }
 
   /**
@@ -143,8 +207,8 @@ module XML {
    */
   private class IELegacyXmlParserInvocation extends XML::ParserInvocation {
     IELegacyXmlParserInvocation() {
-      exists(js::DataFlow::NewNode activeXObject, string activeXType |
-        activeXObject = js::DataFlow::globalVarRef("ActiveXObject").getAnInstantiation() and
+      exists(DataFlow::NewNode activeXObject, string activeXType |
+        activeXObject = DataFlow::globalVarRef("ActiveXObject").getAnInstantiation() and
         activeXObject.getArgument(0).asExpr().mayHaveStringValue(activeXType) and
         activeXType.regexpMatch("Microsoft\\.XMLDOM|Msxml.*\\.DOMDocument.*") and
         this = activeXObject.getAMethodCall("loadXML").asExpr()
@@ -173,10 +237,10 @@ module XML {
    * An invocation of `xml2js`.
    */
   private class Xml2JSInvocation extends XML::ParserInvocation {
-    js::DataFlow::CallNode call;
+    API::CallNode call;
 
     Xml2JSInvocation() {
-      exists(js::API::Node imp | imp = js::API::moduleImport("xml2js") |
+      exists(API::Node imp | imp = API::moduleImport("xml2js") |
         call = [imp, imp.getMember("Parser").getInstance()].getMember("parseString").getACall() and
         this = call.asExpr()
       )
@@ -189,7 +253,7 @@ module XML {
       none()
     }
 
-    override js::DataFlow::Node getAResult() {
+    override DataFlow::Node getAResult() {
       result = call.getABoundCallbackParameter(call.getNumArgument() - 1, 1)
     }
   }
@@ -198,10 +262,10 @@ module XML {
    * An invocation of `sax`.
    */
   private class SaxInvocation extends XML::ParserInvocation {
-    js::DataFlow::InvokeNode parser;
+    API::InvokeNode parser;
 
     SaxInvocation() {
-      exists(js::API::Node imp | imp = js::API::moduleImport("sax") |
+      exists(API::Node imp | imp = API::moduleImport("sax") |
         parser = imp.getMember("parser").getACall()
         or
         parser = imp.getMember("SAXParser").getAnInstantiation()
@@ -216,13 +280,13 @@ module XML {
       none()
     }
 
-    override js::DataFlow::Node getAResult() {
+    override DataFlow::Node getAResult() {
       result =
         parser
-            .getAPropertyWrite(any(string s | s.matches("on%")))
-            .getRhs()
-            .getAFunctionValue()
+            .getReturn()
+            .getMember(any(string s | s.matches("on%")))
             .getAParameter()
+            .getAnImmediateUse()
     }
   }
 
@@ -232,7 +296,8 @@ module XML {
   private class XmlJSInvocation extends XML::ParserInvocation {
     XmlJSInvocation() {
       this =
-        js::DataFlow::moduleMember("xml-js", ["xml2json", "xml2js", "json2xml", "js2xml"])
+        API::moduleImport("xml-js")
+            .getMember(["xml2json", "xml2js", "json2xml", "js2xml"])
             .getACall()
             .asExpr()
     }
@@ -244,18 +309,18 @@ module XML {
       none()
     }
 
-    override js::DataFlow::Node getAResult() { result.asExpr() = this }
+    override DataFlow::Node getAResult() { result.asExpr() = this }
   }
 
   /**
    * An invocation of `htmlparser2`.
    */
   private class HtmlParser2Invocation extends XML::ParserInvocation {
-    js::DataFlow::NewNode parser;
+    API::NewNode parser;
 
     HtmlParser2Invocation() {
-      parser = js::DataFlow::moduleMember("htmlparser2", "Parser").getAnInstantiation() and
-      this = parser.getAMemberCall("write").asExpr()
+      parser = API::moduleImport("htmlparser2").getMember("Parser").getAnInstantiation() and
+      this = parser.getReturn().getMember("write").getACall().asExpr()
     }
 
     override js::Expr getSourceArgument() { result = getArgument(0) }
@@ -265,7 +330,7 @@ module XML {
       none()
     }
 
-    override js::DataFlow::Node getAResult() {
+    override DataFlow::Node getAResult() {
       result =
         parser
             .getArgument(0)
@@ -277,7 +342,7 @@ module XML {
   }
 
   private class XMLParserTaintStep extends js::TaintTracking::SharedTaintStep {
-    override predicate deserializeStep(js::DataFlow::Node pred, js::DataFlow::Node succ) {
+    override predicate deserializeStep(DataFlow::Node pred, DataFlow::Node succ) {
       exists(XML::ParserInvocation parser |
         pred.asExpr() = parser.getSourceArgument() and
         succ = parser.getAResult()
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
index fe0663b2ada..8eae0bb62aa 100644
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -166,3 +166,7 @@ typeInferenceMismatch
 | xml.js:23:18:23:25 | source() | xml.js:20:14:20:17 | attr |
 | xml.js:26:27:26:34 | source() | xml.js:26:10:26:39 | convert ... (), {}) |
 | xml.js:34:18:34:25 | source() | xml.js:31:18:31:21 | name |
+| xml.js:41:15:41:22 | source() | xml.js:44:10:44:22 | gchild.text() |
+| xml.js:41:15:41:22 | source() | xml.js:49:10:49:34 | child.a ... value() |
+| xml.js:41:15:41:22 | source() | xml.js:52:10:52:34 | child2. ... .name() |
+| xml.js:41:15:41:22 | source() | xml.js:58:12:58:14 | str |
diff --git a/javascript/ql/test/library-tests/TaintTracking/xml.js b/javascript/ql/test/library-tests/TaintTracking/xml.js
index 8e3785d4a2b..b1c6ab37ad3 100644
--- a/javascript/ql/test/library-tests/TaintTracking/xml.js
+++ b/javascript/ql/test/library-tests/TaintTracking/xml.js
@@ -34,4 +34,27 @@
     parser.write(source());
     parser.end();
 
-})();
\ No newline at end of file
+})();
+
+(function () {
+    var libxml = require("libxmljs");
+    var xml = source();
+    var xmlDoc = libxml.parseXmlString(xml);
+    var gchild = xmlDoc.get('//grandchild');
+    sink(gchild.text()); // NOT OK
+
+    var children = xmlDoc.root().childNodes();
+    var child = children[0];
+
+    sink(child.attr('foo').value()); // NOT OK
+
+    var child2 = xmlDoc.root().child()
+    sink(child2.attr('foo').name()); // NOT OK
+
+    const SaxPushParser = libxml.SaxPushParser;
+    var parser = new SaxPushParser();
+    parser.push(xml);
+    parser.on('characters', function (str) {
+      sink(str); // NOT OK
+    })    
+});
\ No newline at end of file

From 2e40d013973f8439bcc9085ff9e651b3c1af2e5c Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 14 Apr 2021 13:01:31 +0200
Subject: [PATCH 0396/1429] Update
 cpp/ql/src/semmle/code/cpp/security/Overflow.qll

Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
---
 cpp/ql/src/semmle/code/cpp/security/Overflow.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/security/Overflow.qll b/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
index 3f7a7b17b05..74b61c37925 100644
--- a/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
@@ -98,7 +98,7 @@ VariableAccess varUse(LocalScopeVariable v) { result = v.getAnAccess() }
  * Holds if `e` potentially overflows and `use` is an operand of `e` that is not guarded.
  */
 predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
-  convertedExprMightOverflow(e) and
+  convertedExprMightOverflowPositively(e) and
   use = e.getAnOperand() and
   exists(LocalScopeVariable v | use.getTarget() = v |
     // overflow possible if large

From da3650871454fa367245cd852abc552f37fd2b45 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 14 Apr 2021 14:41:22 +0200
Subject: [PATCH 0397/1429] Revert "C++: As response to the review comments
 this commit adds a reference-to-pointer state to AddressFlow. A call to an
 unwrapper function now adds a pointer -> reference-to-pointer transition, and
 a ReferenceDereference adds a reference-to-pointer -> pointer transition."

This reverts commit 5aeaab7c6d7ff786c970b41f1bebce8c6040d838.
---
 .../cpp/dataflow/internal/AddressFlow.qll     | 105 +++---------------
 .../dataflow/taint-tests/localTaint.expected  |  49 ++++----
 2 files changed, 38 insertions(+), 116 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll
index e179f7e8717..7e76c1540e3 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll
@@ -59,6 +59,8 @@ private predicate pointerToLvalueStep(Expr pointerIn, Expr lvalueOut) {
   pointerIn = lvalueOut.(ArrayExpr).getArrayBase().getFullyConverted()
   or
   pointerIn = lvalueOut.(PointerDereferenceExpr).getOperand().getFullyConverted()
+  or
+  pointerIn = lvalueOut.(OverloadedPointerDereferenceExpr).getQualifier().getFullyConverted()
 }
 
 private predicate lvalueToPointerStep(Expr lvalueIn, Expr pointerOut) {
@@ -67,19 +69,6 @@ private predicate lvalueToPointerStep(Expr lvalueIn, Expr pointerOut) {
   lvalueIn = pointerOut.(AddressOfExpr).getOperand().getFullyConverted()
 }
 
-/**
- * Since pointer wrappers behave as raw pointers, we treat the conversions from `lvalueToLvalueStepPure`
- * as pointer-to-pointer steps when they involve pointer wrappers.
- */
-private predicate pointerWrapperToPointerWrapperStep(Expr pointerIn, Expr pointerOut) {
-  pointerIn.getUnspecifiedType() instanceof PointerWrapper and
-  pointerIn.getConversion() = pointerOut and
-  pointerOut.(CStyleCast).isImplicit()
-  or
-  pointerOut.getUnspecifiedType() instanceof PointerWrapper and
-  pointerIn.getConversion() = pointerOut.(ReferenceDereferenceExpr)
-}
-
 private predicate pointerToPointerStep(Expr pointerIn, Expr pointerOut) {
   (
     pointerOut instanceof PointerAddExpr
@@ -104,60 +93,35 @@ private predicate pointerToPointerStep(Expr pointerIn, Expr pointerOut) {
   pointerIn = pointerOut.(CommaExpr).getRightOperand().getFullyConverted()
   or
   pointerIn = pointerOut.(StmtExpr).getResultExpr().getFullyConverted()
-  or
-  pointerWrapperToPointerWrapperStep(pointerIn, pointerOut)
 }
 
 private predicate lvalueToReferenceStep(Expr lvalueIn, Expr referenceOut) {
   lvalueIn.getConversion() = referenceOut.(ReferenceToExpr)
+  or
+  exists(PointerWrapper wrapper, Call call | call = referenceOut |
+    referenceOut.getUnspecifiedType() instanceof ReferenceType and
+    call = wrapper.getAnUnwrapperFunction().getACallToThisFunction() and
+    lvalueIn = call.getQualifier().getFullyConverted()
+  )
 }
 
 private predicate referenceToLvalueStep(Expr referenceIn, Expr lvalueOut) {
   referenceIn.getConversion() = lvalueOut.(ReferenceDereferenceExpr)
 }
 
-private predicate referenceToPointerToPointerStep(Expr referenceToPointerIn, Expr pointerOut) {
-  exists(CopyConstructor copy, Call call | call = pointerOut |
-    copy.getDeclaringType() instanceof PointerWrapper and
-    call.getTarget() = copy and
-    // The 0'th argument is the value being copied.
-    referenceToPointerIn = call.getArgument(0).getFullyConverted()
-  )
-  or
-  referenceToPointerIn.getConversion() = pointerOut.(ReferenceDereferenceExpr)
-}
-
-/**
- * This predicate exists only to support "fake pointer" objects like
- * smart pointers. We treat these as raw pointers for dataflow purposes.
- */
-private predicate referenceToPointerToUpdate(
-  Expr referenceToPointer, Expr outer, ControlFlowNode node
-) {
-  exists(Call call |
-    node = call and
-    outer = call.getAnArgument().getFullyConverted() and
-    not stdIdentityFunction(call.getTarget()) and
-    not stdAddressOf(call.getTarget()) and
-    exists(ReferenceType rt | rt = outer.getType().stripTopLevelSpecifiers() |
-      rt.getBaseType().getUnspecifiedType() =
-        any(PointerWrapper wrapper | not wrapper.pointsToConst())
-    )
-  ) and
-  referenceToPointer = outer
-  or
-  exists(Expr pointerMid |
-    referenceToPointerToPointerStep(referenceToPointer, pointerMid) and
-    pointerToUpdate(pointerMid, outer, node)
-  )
-}
-
 private predicate referenceToPointerStep(Expr referenceIn, Expr pointerOut) {
   pointerOut =
     any(FunctionCall call |
       stdAddressOf(call.getTarget()) and
       referenceIn = call.getArgument(0).getFullyConverted()
     )
+  or
+  exists(CopyConstructor copy, Call call | call = pointerOut |
+    copy.getDeclaringType() instanceof PointerWrapper and
+    call.getTarget() = copy and
+    // The 0'th argument is the value being copied.
+    referenceIn = call.getArgument(0).getFullyConverted()
+  )
 }
 
 private predicate referenceToReferenceStep(Expr referenceIn, Expr referenceOut) {
@@ -274,16 +238,6 @@ private predicate pointerToUpdate(Expr pointer, Expr outer, ControlFlowNode node
     pointerToPointerStep(pointer, pointerMid) and
     pointerToUpdate(pointerMid, outer, node)
   )
-  or
-  exists(Expr referenceMid |
-    pointerToReferenceStep(pointer, referenceMid) and
-    referenceToUpdate(referenceMid, outer, node)
-  )
-  or
-  exists(Expr referenceToPointerMid |
-    pointerToReferenceToPointerStep(pointer, referenceToPointerMid) and
-    referenceToPointerToUpdate(referenceToPointerMid, outer, node)
-  )
 }
 
 private predicate referenceToUpdate(Expr reference, Expr outer, ControlFlowNode node) {
@@ -293,7 +247,9 @@ private predicate referenceToUpdate(Expr reference, Expr outer, ControlFlowNode
     not stdIdentityFunction(call.getTarget()) and
     not stdAddressOf(call.getTarget()) and
     exists(ReferenceType rt | rt = outer.getType().stripTopLevelSpecifiers() |
-      not rt.getBaseType().isConst()
+      not rt.getBaseType().isConst() or
+      rt.getBaseType().getUnspecifiedType() =
+        any(PointerWrapper wrapper | not wrapper.pointsToConst())
     )
   ) and
   reference = outer
@@ -314,14 +270,6 @@ private predicate referenceToUpdate(Expr reference, Expr outer, ControlFlowNode
   )
 }
 
-private predicate pointerToReferenceStep(Expr pointerIn, Expr referenceOut) {
-  exists(PointerWrapper wrapper, Call call | call = referenceOut |
-    referenceOut.getUnspecifiedType() instanceof ReferenceType and
-    call = wrapper.getAnUnwrapperFunction().getACallToThisFunction() and
-    pointerIn = call.getQualifier().getFullyConverted()
-  )
-}
-
 private predicate lvalueFromVariableAccess(VariableAccess va, Expr lvalue) {
   // Base case for non-reference types.
   lvalue = va and
@@ -383,21 +331,6 @@ private predicate referenceFromVariableAccess(VariableAccess va, Expr reference)
     lvalueFromVariableAccess(va, prev) and
     lvalueToReferenceStep(prev, reference)
   )
-  or
-  exists(Expr prev |
-    pointerFromVariableAccess(va, prev) and
-    pointerToReferenceStep(prev, reference)
-  )
-}
-
-private predicate pointerToReferenceToPointerStep(Expr pointerIn, Expr referenceToPointerOut) {
-  pointerIn.getConversion() = referenceToPointerOut.(ReferenceToExpr)
-  or
-  exists(PointerWrapper wrapper, Call call | call = referenceToPointerOut |
-    referenceToPointerOut.getUnspecifiedType() instanceof ReferenceType and
-    call = wrapper.getAnUnwrapperFunction().getACallToThisFunction() and
-    pointerIn = call.getQualifier().getFullyConverted()
-  )
 }
 
 /**
@@ -418,8 +351,6 @@ predicate valueToUpdate(Expr inner, Expr outer, ControlFlowNode node) {
     pointerToUpdate(inner, outer, node)
     or
     referenceToUpdate(inner, outer, node)
-    or
-    referenceToPointerToUpdate(inner, outer, node)
   ) and
   (
     inner instanceof VariableAccess and
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index 90a494de6f8..50d5070a144 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -948,16 +948,12 @@
 | map.cpp:170:23:170:28 | call to source | map.cpp:170:7:170:30 | ... = ... |  |
 | map.cpp:171:7:171:9 | m10 | map.cpp:171:10:171:10 | call to operator[] | TAINT |
 | map.cpp:171:7:171:9 | ref arg m10 | map.cpp:252:1:252:1 | m10 |  |
-| map.cpp:171:10:171:10 | ref arg call to operator[] | map.cpp:171:7:171:9 | ref arg m10 | TAINT |
 | map.cpp:172:7:172:9 | m11 | map.cpp:172:10:172:10 | call to operator[] | TAINT |
 | map.cpp:172:7:172:9 | ref arg m11 | map.cpp:252:1:252:1 | m11 |  |
-| map.cpp:172:10:172:10 | ref arg call to operator[] | map.cpp:172:7:172:9 | ref arg m11 | TAINT |
 | map.cpp:173:7:173:9 | m12 | map.cpp:173:10:173:10 | call to operator[] | TAINT |
 | map.cpp:173:7:173:9 | ref arg m12 | map.cpp:252:1:252:1 | m12 |  |
-| map.cpp:173:10:173:10 | ref arg call to operator[] | map.cpp:173:7:173:9 | ref arg m12 | TAINT |
 | map.cpp:174:7:174:9 | m13 | map.cpp:174:10:174:10 | call to operator[] | TAINT |
 | map.cpp:174:7:174:9 | ref arg m13 | map.cpp:252:1:252:1 | m13 |  |
-| map.cpp:174:10:174:10 | ref arg call to operator[] | map.cpp:174:7:174:9 | ref arg m13 | TAINT |
 | map.cpp:177:27:177:29 | call to map | map.cpp:178:2:178:4 | m14 |  |
 | map.cpp:177:27:177:29 | call to map | map.cpp:179:2:179:4 | m14 |  |
 | map.cpp:177:27:177:29 | call to map | map.cpp:180:2:180:4 | m14 |  |
@@ -1655,16 +1651,12 @@
 | map.cpp:322:23:322:28 | call to source | map.cpp:322:7:322:30 | ... = ... |  |
 | map.cpp:323:7:323:9 | m10 | map.cpp:323:10:323:10 | call to operator[] | TAINT |
 | map.cpp:323:7:323:9 | ref arg m10 | map.cpp:438:1:438:1 | m10 |  |
-| map.cpp:323:10:323:10 | ref arg call to operator[] | map.cpp:323:7:323:9 | ref arg m10 | TAINT |
 | map.cpp:324:7:324:9 | m11 | map.cpp:324:10:324:10 | call to operator[] | TAINT |
 | map.cpp:324:7:324:9 | ref arg m11 | map.cpp:438:1:438:1 | m11 |  |
-| map.cpp:324:10:324:10 | ref arg call to operator[] | map.cpp:324:7:324:9 | ref arg m11 | TAINT |
 | map.cpp:325:7:325:9 | m12 | map.cpp:325:10:325:10 | call to operator[] | TAINT |
 | map.cpp:325:7:325:9 | ref arg m12 | map.cpp:438:1:438:1 | m12 |  |
-| map.cpp:325:10:325:10 | ref arg call to operator[] | map.cpp:325:7:325:9 | ref arg m12 | TAINT |
 | map.cpp:326:7:326:9 | m13 | map.cpp:326:10:326:10 | call to operator[] | TAINT |
 | map.cpp:326:7:326:9 | ref arg m13 | map.cpp:438:1:438:1 | m13 |  |
-| map.cpp:326:10:326:10 | ref arg call to operator[] | map.cpp:326:7:326:9 | ref arg m13 | TAINT |
 | map.cpp:329:37:329:39 | call to unordered_map | map.cpp:330:2:330:4 | m14 |  |
 | map.cpp:329:37:329:39 | call to unordered_map | map.cpp:331:2:331:4 | m14 |  |
 | map.cpp:329:37:329:39 | call to unordered_map | map.cpp:332:2:332:4 | m14 |  |
@@ -2455,9 +2447,6 @@
 | set.cpp:55:40:55:41 | ref arg i1 | set.cpp:55:24:55:25 | i1 |  |
 | set.cpp:55:40:55:41 | ref arg i1 | set.cpp:55:40:55:41 | i1 |  |
 | set.cpp:55:40:55:41 | ref arg i1 | set.cpp:57:9:57:10 | i1 |  |
-| set.cpp:57:8:57:8 | ref arg call to operator* | set.cpp:55:30:55:31 | s1 |  |
-| set.cpp:57:8:57:8 | ref arg call to operator* | set.cpp:57:9:57:10 | ref arg i1 | TAINT |
-| set.cpp:57:8:57:8 | ref arg call to operator* | set.cpp:126:1:126:1 | s1 |  |
 | set.cpp:57:9:57:10 | i1 | set.cpp:57:8:57:8 | call to operator* | TAINT |
 | set.cpp:57:9:57:10 | ref arg i1 | set.cpp:55:24:55:25 | i1 |  |
 | set.cpp:57:9:57:10 | ref arg i1 | set.cpp:55:40:55:41 | i1 |  |
@@ -2476,9 +2465,6 @@
 | set.cpp:59:40:59:41 | ref arg i2 | set.cpp:59:24:59:25 | i2 |  |
 | set.cpp:59:40:59:41 | ref arg i2 | set.cpp:59:40:59:41 | i2 |  |
 | set.cpp:59:40:59:41 | ref arg i2 | set.cpp:61:9:61:10 | i2 |  |
-| set.cpp:61:8:61:8 | ref arg call to operator* | set.cpp:59:30:59:31 | s2 |  |
-| set.cpp:61:8:61:8 | ref arg call to operator* | set.cpp:61:9:61:10 | ref arg i2 | TAINT |
-| set.cpp:61:8:61:8 | ref arg call to operator* | set.cpp:126:1:126:1 | s2 |  |
 | set.cpp:61:9:61:10 | i2 | set.cpp:61:8:61:8 | call to operator* | TAINT |
 | set.cpp:61:9:61:10 | ref arg i2 | set.cpp:59:24:59:25 | i2 |  |
 | set.cpp:61:9:61:10 | ref arg i2 | set.cpp:59:40:59:41 | i2 |  |
@@ -2965,9 +2951,6 @@
 | set.cpp:169:40:169:41 | ref arg i1 | set.cpp:169:24:169:25 | i1 |  |
 | set.cpp:169:40:169:41 | ref arg i1 | set.cpp:169:40:169:41 | i1 |  |
 | set.cpp:169:40:169:41 | ref arg i1 | set.cpp:171:9:171:10 | i1 |  |
-| set.cpp:171:8:171:8 | ref arg call to operator* | set.cpp:169:30:169:31 | s1 |  |
-| set.cpp:171:8:171:8 | ref arg call to operator* | set.cpp:171:9:171:10 | ref arg i1 | TAINT |
-| set.cpp:171:8:171:8 | ref arg call to operator* | set.cpp:238:1:238:1 | s1 |  |
 | set.cpp:171:9:171:10 | i1 | set.cpp:171:8:171:8 | call to operator* | TAINT |
 | set.cpp:171:9:171:10 | ref arg i1 | set.cpp:169:24:169:25 | i1 |  |
 | set.cpp:171:9:171:10 | ref arg i1 | set.cpp:169:40:169:41 | i1 |  |
@@ -2986,9 +2969,6 @@
 | set.cpp:173:40:173:41 | ref arg i2 | set.cpp:173:24:173:25 | i2 |  |
 | set.cpp:173:40:173:41 | ref arg i2 | set.cpp:173:40:173:41 | i2 |  |
 | set.cpp:173:40:173:41 | ref arg i2 | set.cpp:175:9:175:10 | i2 |  |
-| set.cpp:175:8:175:8 | ref arg call to operator* | set.cpp:173:30:173:31 | s2 |  |
-| set.cpp:175:8:175:8 | ref arg call to operator* | set.cpp:175:9:175:10 | ref arg i2 | TAINT |
-| set.cpp:175:8:175:8 | ref arg call to operator* | set.cpp:238:1:238:1 | s2 |  |
 | set.cpp:175:9:175:10 | i2 | set.cpp:175:8:175:8 | call to operator* | TAINT |
 | set.cpp:175:9:175:10 | ref arg i2 | set.cpp:173:24:173:25 | i2 |  |
 | set.cpp:175:9:175:10 | ref arg i2 | set.cpp:173:40:173:41 | i2 |  |
@@ -3243,7 +3223,7 @@
 | smart_pointer.cpp:11:30:11:50 | call to make_shared | smart_pointer.cpp:12:11:12:11 | p |  |
 | smart_pointer.cpp:11:30:11:50 | call to make_shared | smart_pointer.cpp:13:10:13:10 | p |  |
 | smart_pointer.cpp:11:52:11:57 | call to source | smart_pointer.cpp:11:30:11:50 | call to make_shared | TAINT |
-| smart_pointer.cpp:12:11:12:11 | p | smart_pointer.cpp:12:10:12:10 | call to operator* | TAINT |
+| smart_pointer.cpp:12:11:12:11 | p | smart_pointer.cpp:12:10:12:10 | call to operator* |  |
 | smart_pointer.cpp:12:11:12:11 | ref arg p | smart_pointer.cpp:13:10:13:10 | p |  |
 | smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:18:11:18:11 | p |  |
 | smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:19:10:19:10 | p |  |
@@ -3255,7 +3235,7 @@
 | smart_pointer.cpp:23:30:23:50 | call to make_unique | smart_pointer.cpp:24:11:24:11 | p |  |
 | smart_pointer.cpp:23:30:23:50 | call to make_unique | smart_pointer.cpp:25:10:25:10 | p |  |
 | smart_pointer.cpp:23:52:23:57 | call to source | smart_pointer.cpp:23:30:23:50 | call to make_unique | TAINT |
-| smart_pointer.cpp:24:11:24:11 | p | smart_pointer.cpp:24:10:24:10 | call to operator* | TAINT |
+| smart_pointer.cpp:24:11:24:11 | p | smart_pointer.cpp:24:10:24:10 | call to operator* |  |
 | smart_pointer.cpp:24:11:24:11 | ref arg p | smart_pointer.cpp:25:10:25:10 | p |  |
 | smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:30:11:30:11 | p |  |
 | smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:31:10:31:10 | p |  |
@@ -3271,13 +3251,13 @@
 | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:38:10:38:10 | p |  |
 | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:39:11:39:11 | p |  |
 | smart_pointer.cpp:37:5:37:17 | ... = ... | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] |  |
-| smart_pointer.cpp:37:6:37:6 | p | smart_pointer.cpp:37:5:37:5 | call to operator* | TAINT |
+| smart_pointer.cpp:37:6:37:6 | p | smart_pointer.cpp:37:5:37:5 | call to operator* |  |
 | smart_pointer.cpp:37:6:37:6 | ref arg p | smart_pointer.cpp:37:6:37:6 | p [inner post update] |  |
 | smart_pointer.cpp:37:6:37:6 | ref arg p | smart_pointer.cpp:38:10:38:10 | p |  |
 | smart_pointer.cpp:37:6:37:6 | ref arg p | smart_pointer.cpp:39:11:39:11 | p |  |
 | smart_pointer.cpp:37:10:37:15 | call to source | smart_pointer.cpp:37:5:37:17 | ... = ... |  |
 | smart_pointer.cpp:38:10:38:10 | ref arg p | smart_pointer.cpp:39:11:39:11 | p |  |
-| smart_pointer.cpp:39:11:39:11 | p | smart_pointer.cpp:39:10:39:10 | call to operator* | TAINT |
+| smart_pointer.cpp:39:11:39:11 | p | smart_pointer.cpp:39:10:39:10 | call to operator* |  |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:45:6:45:6 | p |  |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:46:10:46:10 | p |  |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:47:11:47:11 | p |  |
@@ -3285,13 +3265,13 @@
 | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:46:10:46:10 | p |  |
 | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:47:11:47:11 | p |  |
 | smart_pointer.cpp:45:5:45:17 | ... = ... | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] |  |
-| smart_pointer.cpp:45:6:45:6 | p | smart_pointer.cpp:45:5:45:5 | call to operator* | TAINT |
+| smart_pointer.cpp:45:6:45:6 | p | smart_pointer.cpp:45:5:45:5 | call to operator* |  |
 | smart_pointer.cpp:45:6:45:6 | ref arg p | smart_pointer.cpp:45:6:45:6 | p [inner post update] |  |
 | smart_pointer.cpp:45:6:45:6 | ref arg p | smart_pointer.cpp:46:10:46:10 | p |  |
 | smart_pointer.cpp:45:6:45:6 | ref arg p | smart_pointer.cpp:47:11:47:11 | p |  |
 | smart_pointer.cpp:45:10:45:15 | call to source | smart_pointer.cpp:45:5:45:17 | ... = ... |  |
 | smart_pointer.cpp:46:10:46:10 | ref arg p | smart_pointer.cpp:47:11:47:11 | p |  |
-| smart_pointer.cpp:47:11:47:11 | p | smart_pointer.cpp:47:10:47:10 | call to operator* | TAINT |
+| smart_pointer.cpp:47:11:47:11 | p | smart_pointer.cpp:47:10:47:10 | call to operator* |  |
 | smart_pointer.cpp:51:30:51:50 | call to make_shared | smart_pointer.cpp:52:10:52:10 | p |  |
 | smart_pointer.cpp:51:52:51:57 | call to source | smart_pointer.cpp:51:30:51:50 | call to make_shared | TAINT |
 | smart_pointer.cpp:52:10:52:10 | p | smart_pointer.cpp:52:12:52:14 | call to get |  |
@@ -3312,7 +3292,7 @@
 | smart_pointer.cpp:71:3:71:3 | call to operator* [post update] | smart_pointer.cpp:70:37:70:39 | ptr |  |
 | smart_pointer.cpp:71:3:71:3 | call to operator* [post update] | smart_pointer.cpp:71:4:71:6 | ptr [inner post update] |  |
 | smart_pointer.cpp:71:3:71:17 | ... = ... | smart_pointer.cpp:71:3:71:3 | call to operator* [post update] |  |
-| smart_pointer.cpp:71:4:71:6 | ptr | smart_pointer.cpp:71:3:71:3 | call to operator* | TAINT |
+| smart_pointer.cpp:71:4:71:6 | ptr | smart_pointer.cpp:71:3:71:3 | call to operator* |  |
 | smart_pointer.cpp:71:4:71:6 | ref arg ptr | smart_pointer.cpp:70:37:70:39 | ptr |  |
 | smart_pointer.cpp:71:4:71:6 | ref arg ptr | smart_pointer.cpp:71:4:71:6 | ptr [inner post update] |  |
 | smart_pointer.cpp:71:10:71:15 | call to source | smart_pointer.cpp:71:3:71:17 | ... = ... |  |
@@ -3323,7 +3303,7 @@
 | smart_pointer.cpp:76:13:76:13 | ref arg call to shared_ptr | smart_pointer.cpp:77:9:77:9 | p |  |
 | smart_pointer.cpp:76:13:76:13 | ref arg p | smart_pointer.cpp:76:13:76:13 | p [inner post update] |  |
 | smart_pointer.cpp:76:13:76:13 | ref arg p | smart_pointer.cpp:77:9:77:9 | p |  |
-| smart_pointer.cpp:77:9:77:9 | p | smart_pointer.cpp:77:8:77:8 | call to operator* | TAINT |
+| smart_pointer.cpp:77:9:77:9 | p | smart_pointer.cpp:77:8:77:8 | call to operator* |  |
 | smart_pointer.cpp:86:45:86:45 | p | smart_pointer.cpp:86:45:86:45 | p |  |
 | smart_pointer.cpp:86:45:86:45 | p | smart_pointer.cpp:87:3:87:3 | p |  |
 | smart_pointer.cpp:86:45:86:45 | p | smart_pointer.cpp:88:8:88:8 | p |  |
@@ -3392,7 +3372,7 @@
 | smart_pointer.cpp:121:3:121:3 | call to operator* [post update] | smart_pointer.cpp:120:48:120:50 | ptr |  |
 | smart_pointer.cpp:121:3:121:3 | call to operator* [post update] | smart_pointer.cpp:121:4:121:6 | ptr [inner post update] |  |
 | smart_pointer.cpp:121:3:121:17 | ... = ... | smart_pointer.cpp:121:3:121:3 | call to operator* [post update] |  |
-| smart_pointer.cpp:121:4:121:6 | ptr | smart_pointer.cpp:121:3:121:3 | call to operator* | TAINT |
+| smart_pointer.cpp:121:4:121:6 | ptr | smart_pointer.cpp:121:3:121:3 | call to operator* |  |
 | smart_pointer.cpp:121:4:121:6 | ref arg ptr | smart_pointer.cpp:120:48:120:50 | ptr |  |
 | smart_pointer.cpp:121:4:121:6 | ref arg ptr | smart_pointer.cpp:121:4:121:6 | ptr [inner post update] |  |
 | smart_pointer.cpp:121:10:121:15 | call to source | smart_pointer.cpp:121:3:121:17 | ... = ... |  |
@@ -3429,6 +3409,7 @@
 | smart_pointer.cpp:129:9:129:9 | call to operator* | smart_pointer.cpp:129:8:129:8 | call to operator* | TAINT |
 | smart_pointer.cpp:129:9:129:9 | ref arg call to operator* | smart_pointer.cpp:124:90:124:91 | p2 |  |
 | smart_pointer.cpp:129:9:129:9 | ref arg call to operator* | smart_pointer.cpp:129:10:129:11 | p2 [inner post update] |  |
+| smart_pointer.cpp:129:10:129:11 | p2 | smart_pointer.cpp:129:8:129:8 | call to operator* |  |
 | smart_pointer.cpp:129:10:129:11 | p2 | smart_pointer.cpp:129:9:129:9 | call to operator* | TAINT |
 | smart_pointer.cpp:129:10:129:11 | ref arg p2 | smart_pointer.cpp:124:90:124:91 | p2 |  |
 | smart_pointer.cpp:129:10:129:11 | ref arg p2 | smart_pointer.cpp:129:10:129:11 | p2 [inner post update] |  |
@@ -3456,6 +3437,7 @@
 | smart_pointer.cpp:137:9:137:9 | call to operator* | smart_pointer.cpp:137:8:137:8 | call to operator* | TAINT |
 | smart_pointer.cpp:137:9:137:9 | ref arg call to operator* | smart_pointer.cpp:132:95:132:96 | p2 |  |
 | smart_pointer.cpp:137:9:137:9 | ref arg call to operator* | smart_pointer.cpp:137:10:137:11 | p2 [inner post update] |  |
+| smart_pointer.cpp:137:10:137:11 | p2 | smart_pointer.cpp:137:8:137:8 | call to operator* |  |
 | smart_pointer.cpp:137:10:137:11 | p2 | smart_pointer.cpp:137:9:137:9 | call to operator* | TAINT |
 | smart_pointer.cpp:137:10:137:11 | ref arg p2 | smart_pointer.cpp:132:95:132:96 | p2 |  |
 | smart_pointer.cpp:137:10:137:11 | ref arg p2 | smart_pointer.cpp:137:10:137:11 | p2 [inner post update] |  |
@@ -3494,20 +3476,26 @@
 | standalone_iterators.cpp:85:35:85:36 | c1 | standalone_iterators.cpp:85:38:85:42 | call to begin | TAINT |
 | standalone_iterators.cpp:85:35:85:36 | ref arg c1 | standalone_iterators.cpp:87:10:87:11 | c1 |  |
 | standalone_iterators.cpp:85:38:85:42 | call to begin | standalone_iterators.cpp:86:6:86:7 | i1 |  |
+| standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | standalone_iterators.cpp:86:8:86:8 | call to operator-- [inner post update] |  |
 | standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | standalone_iterators.cpp:86:8:86:8 | ref arg call to operator-- | TAINT |
 | standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | standalone_iterators.cpp:87:10:87:11 | c1 |  |
 | standalone_iterators.cpp:86:6:86:7 | i1 | standalone_iterators.cpp:86:8:86:8 | call to operator-- |  |
 | standalone_iterators.cpp:86:8:86:8 | call to operator-- | standalone_iterators.cpp:86:5:86:5 | call to operator* | TAINT |
+| standalone_iterators.cpp:86:8:86:8 | call to operator-- [inner post update] | standalone_iterators.cpp:86:6:86:7 | ref arg i1 |  |
 | standalone_iterators.cpp:86:8:86:8 | ref arg call to operator-- | standalone_iterators.cpp:86:6:86:7 | ref arg i1 |  |
+| standalone_iterators.cpp:86:8:86:8 | ref arg call to operator-- | standalone_iterators.cpp:86:8:86:8 | call to operator-- [inner post update] |  |
 | standalone_iterators.cpp:86:13:86:18 | call to source | standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | TAINT |
 | standalone_iterators.cpp:89:35:89:36 | c2 | standalone_iterators.cpp:89:38:89:42 | call to begin | TAINT |
 | standalone_iterators.cpp:89:35:89:36 | ref arg c2 | standalone_iterators.cpp:91:10:91:11 | c2 |  |
 | standalone_iterators.cpp:89:38:89:42 | call to begin | standalone_iterators.cpp:90:6:90:7 | i2 |  |
+| standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | standalone_iterators.cpp:90:8:90:8 | call to operator-- [inner post update] |  |
 | standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | standalone_iterators.cpp:90:8:90:8 | ref arg call to operator-- | TAINT |
 | standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | standalone_iterators.cpp:91:10:91:11 | c2 |  |
 | standalone_iterators.cpp:90:6:90:7 | i2 | standalone_iterators.cpp:90:8:90:8 | call to operator-- |  |
 | standalone_iterators.cpp:90:8:90:8 | call to operator-- | standalone_iterators.cpp:90:5:90:5 | call to operator* | TAINT |
+| standalone_iterators.cpp:90:8:90:8 | call to operator-- [inner post update] | standalone_iterators.cpp:90:6:90:7 | ref arg i2 |  |
 | standalone_iterators.cpp:90:8:90:8 | ref arg call to operator-- | standalone_iterators.cpp:90:6:90:7 | ref arg i2 |  |
+| standalone_iterators.cpp:90:8:90:8 | ref arg call to operator-- | standalone_iterators.cpp:90:8:90:8 | call to operator-- [inner post update] |  |
 | standalone_iterators.cpp:90:13:90:13 | 0 | standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | TAINT |
 | standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:101:6:101:7 | c1 |  |
 | standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:102:6:102:7 | c1 |  |
@@ -3525,10 +3513,13 @@
 | standalone_iterators.cpp:102:6:102:7 | ref arg c1 | standalone_iterators.cpp:109:7:109:8 | c1 |  |
 | standalone_iterators.cpp:102:9:102:13 | call to begin | standalone_iterators.cpp:102:2:102:15 | ... = ... |  |
 | standalone_iterators.cpp:102:9:102:13 | call to begin | standalone_iterators.cpp:107:7:107:7 | b |  |
+| standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:103:3:103:3 | a [inner post update] |  |
 | standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:103:3:103:3 | ref arg a | TAINT |
+| standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:104:7:104:7 | a |  |
 | standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:106:6:106:7 | c1 |  |
 | standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:109:7:109:8 | c1 |  |
 | standalone_iterators.cpp:103:3:103:3 | a | standalone_iterators.cpp:103:2:103:2 | call to operator* | TAINT |
+| standalone_iterators.cpp:103:3:103:3 | ref arg a | standalone_iterators.cpp:103:3:103:3 | a [inner post update] |  |
 | standalone_iterators.cpp:103:3:103:3 | ref arg a | standalone_iterators.cpp:104:7:104:7 | a |  |
 | standalone_iterators.cpp:103:7:103:12 | call to source | standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | TAINT |
 | standalone_iterators.cpp:104:7:104:7 | a [post update] | standalone_iterators.cpp:106:6:106:7 | c1 |  |

From bc7cc2f7ceb9bf07e9ddf634435322396668d821 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 14 Apr 2021 14:50:27 +0200
Subject: [PATCH 0398/1429] C++: Remove rule that wasn't needed.

---
 .../semmle/code/cpp/dataflow/internal/AddressFlow.qll    | 2 --
 .../dataflow/taint-tests/localTaint.expected             | 9 ---------
 2 files changed, 11 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll
index 7e76c1540e3..f6072763e1a 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/AddressFlow.qll
@@ -59,8 +59,6 @@ private predicate pointerToLvalueStep(Expr pointerIn, Expr lvalueOut) {
   pointerIn = lvalueOut.(ArrayExpr).getArrayBase().getFullyConverted()
   or
   pointerIn = lvalueOut.(PointerDereferenceExpr).getOperand().getFullyConverted()
-  or
-  pointerIn = lvalueOut.(OverloadedPointerDereferenceExpr).getQualifier().getFullyConverted()
 }
 
 private predicate lvalueToPointerStep(Expr lvalueIn, Expr pointerOut) {
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index 50d5070a144..59ba0948d85 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -3476,26 +3476,20 @@
 | standalone_iterators.cpp:85:35:85:36 | c1 | standalone_iterators.cpp:85:38:85:42 | call to begin | TAINT |
 | standalone_iterators.cpp:85:35:85:36 | ref arg c1 | standalone_iterators.cpp:87:10:87:11 | c1 |  |
 | standalone_iterators.cpp:85:38:85:42 | call to begin | standalone_iterators.cpp:86:6:86:7 | i1 |  |
-| standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | standalone_iterators.cpp:86:8:86:8 | call to operator-- [inner post update] |  |
 | standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | standalone_iterators.cpp:86:8:86:8 | ref arg call to operator-- | TAINT |
 | standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | standalone_iterators.cpp:87:10:87:11 | c1 |  |
 | standalone_iterators.cpp:86:6:86:7 | i1 | standalone_iterators.cpp:86:8:86:8 | call to operator-- |  |
 | standalone_iterators.cpp:86:8:86:8 | call to operator-- | standalone_iterators.cpp:86:5:86:5 | call to operator* | TAINT |
-| standalone_iterators.cpp:86:8:86:8 | call to operator-- [inner post update] | standalone_iterators.cpp:86:6:86:7 | ref arg i1 |  |
 | standalone_iterators.cpp:86:8:86:8 | ref arg call to operator-- | standalone_iterators.cpp:86:6:86:7 | ref arg i1 |  |
-| standalone_iterators.cpp:86:8:86:8 | ref arg call to operator-- | standalone_iterators.cpp:86:8:86:8 | call to operator-- [inner post update] |  |
 | standalone_iterators.cpp:86:13:86:18 | call to source | standalone_iterators.cpp:86:5:86:5 | ref arg call to operator* | TAINT |
 | standalone_iterators.cpp:89:35:89:36 | c2 | standalone_iterators.cpp:89:38:89:42 | call to begin | TAINT |
 | standalone_iterators.cpp:89:35:89:36 | ref arg c2 | standalone_iterators.cpp:91:10:91:11 | c2 |  |
 | standalone_iterators.cpp:89:38:89:42 | call to begin | standalone_iterators.cpp:90:6:90:7 | i2 |  |
-| standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | standalone_iterators.cpp:90:8:90:8 | call to operator-- [inner post update] |  |
 | standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | standalone_iterators.cpp:90:8:90:8 | ref arg call to operator-- | TAINT |
 | standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | standalone_iterators.cpp:91:10:91:11 | c2 |  |
 | standalone_iterators.cpp:90:6:90:7 | i2 | standalone_iterators.cpp:90:8:90:8 | call to operator-- |  |
 | standalone_iterators.cpp:90:8:90:8 | call to operator-- | standalone_iterators.cpp:90:5:90:5 | call to operator* | TAINT |
-| standalone_iterators.cpp:90:8:90:8 | call to operator-- [inner post update] | standalone_iterators.cpp:90:6:90:7 | ref arg i2 |  |
 | standalone_iterators.cpp:90:8:90:8 | ref arg call to operator-- | standalone_iterators.cpp:90:6:90:7 | ref arg i2 |  |
-| standalone_iterators.cpp:90:8:90:8 | ref arg call to operator-- | standalone_iterators.cpp:90:8:90:8 | call to operator-- [inner post update] |  |
 | standalone_iterators.cpp:90:13:90:13 | 0 | standalone_iterators.cpp:90:5:90:5 | ref arg call to operator* | TAINT |
 | standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:101:6:101:7 | c1 |  |
 | standalone_iterators.cpp:98:15:98:16 | call to container | standalone_iterators.cpp:102:6:102:7 | c1 |  |
@@ -3513,13 +3507,10 @@
 | standalone_iterators.cpp:102:6:102:7 | ref arg c1 | standalone_iterators.cpp:109:7:109:8 | c1 |  |
 | standalone_iterators.cpp:102:9:102:13 | call to begin | standalone_iterators.cpp:102:2:102:15 | ... = ... |  |
 | standalone_iterators.cpp:102:9:102:13 | call to begin | standalone_iterators.cpp:107:7:107:7 | b |  |
-| standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:103:3:103:3 | a [inner post update] |  |
 | standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:103:3:103:3 | ref arg a | TAINT |
-| standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:104:7:104:7 | a |  |
 | standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:106:6:106:7 | c1 |  |
 | standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | standalone_iterators.cpp:109:7:109:8 | c1 |  |
 | standalone_iterators.cpp:103:3:103:3 | a | standalone_iterators.cpp:103:2:103:2 | call to operator* | TAINT |
-| standalone_iterators.cpp:103:3:103:3 | ref arg a | standalone_iterators.cpp:103:3:103:3 | a [inner post update] |  |
 | standalone_iterators.cpp:103:3:103:3 | ref arg a | standalone_iterators.cpp:104:7:104:7 | a |  |
 | standalone_iterators.cpp:103:7:103:12 | call to source | standalone_iterators.cpp:103:2:103:2 | ref arg call to operator* | TAINT |
 | standalone_iterators.cpp:104:7:104:7 | a [post update] | standalone_iterators.cpp:106:6:106:7 | c1 |  |

From bb447d7174141dc518e6ce90367121280fec1d80 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 14 Apr 2021 16:30:43 +0200
Subject: [PATCH 0399/1429] C++: Make sure missingGuardAgainstOverflow (and
 underflow) holds when range analysis fails to deduce a bound.

---
 cpp/ql/src/semmle/code/cpp/security/Overflow.qll | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/security/Overflow.qll b/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
index 74b61c37925..465e64b9b6c 100644
--- a/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
@@ -6,6 +6,7 @@
 import cpp
 import semmle.code.cpp.controlflow.Dominance
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
 
 /**
  * Holds if the value of `use` is guarded using `abs`.
@@ -98,7 +99,12 @@ VariableAccess varUse(LocalScopeVariable v) { result = v.getAnAccess() }
  * Holds if `e` potentially overflows and `use` is an operand of `e` that is not guarded.
  */
 predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
-  convertedExprMightOverflowPositively(e) and
+  (
+    convertedExprMightOverflowPositively(e)
+    or
+    // Ensure that the predicate holds when range analysis cannot determine an upper bound
+    upperBound(e.getFullyConverted()) = exprMaxVal(e.getFullyConverted())
+  ) and
   use = e.getAnOperand() and
   exists(LocalScopeVariable v | use.getTarget() = v |
     // overflow possible if large
@@ -120,7 +126,12 @@ predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
  * Holds if `e` potentially underflows and `use` is an operand of `e` that is not guarded.
  */
 predicate missingGuardAgainstUnderflow(Operation e, VariableAccess use) {
-  convertedExprMightOverflowNegatively(e) and
+  (
+    convertedExprMightOverflowNegatively(e)
+    or
+    // Ensure that the predicate holds when range analysis cannot determine a lower bound
+    lowerBound(e.getFullyConverted()) = exprMinVal(e.getFullyConverted())
+  ) and
   use = e.getAnOperand() and
   exists(LocalScopeVariable v | use.getTarget() = v |
     // underflow possible if use is left operand and small

From 53a320a810536ae59a37c45042e712b2863a377d Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 14 Apr 2021 16:33:18 +0200
Subject: [PATCH 0400/1429] C++: Fix duplicate names.

---
 .../AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql        | 2 +-
 .../AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
index 012109074e9..e4577968730 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
@@ -3,7 +3,7 @@
  * @description The expression `buffer [strlen (buffer)] = 0` is potentially dangerous, if the variable `buffer` does not have a terminal zero, then access beyond the bounds of the allocated memory is possible, which will lead to undefined behavior.
  *              If terminal zero is present, then the specified expression is meaningless.
  * @kind problem
- * @id cpp/access-memory-location-after-end-buffer
+ * @id cpp/access-memory-location-after-end-buffer-strlen
  * @problem.severity warning
  * @precision medium
  * @tags correctness
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql
index 5311ffe2708..e7021bda1ce 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql
@@ -2,7 +2,7 @@
  * @name Access Of Memory Location After The End Of A Buffer Using Strncat
  * @description Calls of the form `strncat(dest, source, sizeof (dest) - strlen (dest))` set the third argument to one more than possible. So when `dest` is full, the expression `sizeof(dest) - strlen (dest)` will be equal to one, and not zero as the programmer might think. Making a call of this type may result in a zero byte being written just outside the `dest` buffer.
  * @kind problem
- * @id cpp/access-memory-location-after-end-buffer
+ * @id cpp/access-memory-location-after-end-buffer-strncat
  * @problem.severity warning
  * @precision medium
  * @tags correctness

From ed64ed3d8d64cb27f18488cef355fa23911ba302 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 14 Apr 2021 16:45:27 +0200
Subject: [PATCH 0401/1429] C++: Make
 exprMightOverflowPositively/exprMightOverFlowNegatively hold for unanalyzable
 expressions. This hopefully means that expressions that do not satisfy these
 predicates will never overflow/underflow.

---
 .../semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll   | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll b/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
index f3bbbddd97e..d22a7f96a45 100644
--- a/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
@@ -1630,6 +1630,9 @@ private module SimpleRangeAnalysisCached {
     // bound of `x`, so the standard logic (above) does not work for
     // detecting whether it might overflow.
     getLowerBoundsImpl(expr.(PostfixDecrExpr)) = exprMinVal(expr)
+    or
+    // Expressions we cannot analyze could potentially overflow
+    not analyzableExpr(expr)
   }
 
   /**
@@ -1657,6 +1660,9 @@ private module SimpleRangeAnalysisCached {
     // bound of `x`, so the standard logic (above) does not work for
     // detecting whether it might overflow.
     getUpperBoundsImpl(expr.(PostfixIncrExpr)) = exprMaxVal(expr)
+    or
+    // Expressions we cannot analyze could potentially overflow
+    not analyzableExpr(expr)
   }
 
   /**

From b29f35f564f7f657a6f1fed4e63b5396d3d64220 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Wed, 14 Apr 2021 11:15:16 -0400
Subject: [PATCH 0402/1429] Fix formatting

---
 .../src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
index 81a07ad9d04..f5fb7309cff 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -362,7 +362,7 @@ private class ExplicitFieldStoreQualifierNode extends PartialDefinitionNode {
 
 /**
  * Not every store instruction generates a chi instruction that we can attach a PostUpdateNode to.
- * For instance, an update to a field of a struct containing only one field. Even if the store does 
+ * For instance, an update to a field of a struct containing only one field. Even if the store does
  * have a chi instruction, a subsequent use of the result of the store may be linked directly to the
  * result of the store as an inexact definition if the store totally overlaps the use. For these
  * cases we attach the PostUpdateNode to the store instruction. There's no obvious pre update node

From 392adf2a2576ac86cb66364625742cc3c562482d Mon Sep 17 00:00:00 2001
From: Andrew Eisenberg <aeisenberg@github.com>
Date: Wed, 14 Apr 2021 08:25:34 -0700
Subject: [PATCH 0403/1429] Workflows: Remove dry-run flag for labeller

---
 .github/workflows/close-stale.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/close-stale.yml b/.github/workflows/close-stale.yml
index 6065f79aa7c..746a13317b2 100644
--- a/.github/workflows/close-stale.yml
+++ b/.github/workflows/close-stale.yml
@@ -25,6 +25,6 @@ jobs:
         days-before-pr-stale: -1
         days-before-pr-close: -1
         
-        # Dry-run only. remove this when we are ready to actually change issues
-        debug-only: true
-        operations-per-run: 1000
+        # Uncomment for dry-run
+        # debug-only: true
+        # operations-per-run: 1000

From a7fcf52267604a257937f2a18ba2be321debea9e Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Wed, 14 Apr 2021 15:36:01 +0000
Subject: [PATCH 0404/1429] Python: Fix bad join in `total_cost`

The recent change to `appliesTo` lead to a perturbation in the join
order of this predicate, which resulted in a cartesian product between
`call` and `ctx` being created (before being filtered by `appliesTo`).

By splitting the intermediate result into its own helper predicate,
suitably marked to prevent inlining/magic, we prevent this from
happening again.
---
 python/ql/src/semmle/python/pointsto/PointsToContext.qll | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/semmle/python/pointsto/PointsToContext.qll b/python/ql/src/semmle/python/pointsto/PointsToContext.qll
index 15b28d9cdb0..e85761e3916 100644
--- a/python/ql/src/semmle/python/pointsto/PointsToContext.qll
+++ b/python/ql/src/semmle/python/pointsto/PointsToContext.qll
@@ -100,10 +100,14 @@ private int total_call_cost(CallNode call) {
   if call_to_init_or_del(call) then result = 1 else result = call_cost(call) + splay_cost(call)
 }
 
+pragma[nomagic]
+private int relevant_call_cost(PointsToContext ctx, CallNode call) {
+  ctx.appliesTo(call) and result = total_call_cost(call)
+}
+
 pragma[noinline]
 private int total_cost(CallNode call, PointsToContext ctx) {
-  ctx.appliesTo(call) and
-  result = total_call_cost(call) + context_cost(ctx)
+  result = relevant_call_cost(ctx, call) + context_cost(ctx)
 }
 
 cached

From 97186b3d30bcfc095cd4f30cc407330c094687a6 Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Wed, 14 Apr 2021 19:30:58 +0300
Subject: [PATCH 0405/1429] Added comments for tests

---
 .../JakartaExpressionInjection.expected       | 86 +++++++++----------
 .../CWE-094/JakartaExpressionInjection.java   |  9 ++
 2 files changed, 52 insertions(+), 43 deletions(-)

diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
index ef002aefdf5..390871b54cf 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
@@ -1,46 +1,46 @@
 edges
-| JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:24:31:24:40 | expression : String |
-| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:30:24:30:33 | expression : String |
-| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:37:24:37:33 | expression : String |
-| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:44:24:44:33 | expression : String |
-| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:54:24:54:33 | expression : String |
-| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:61:24:61:33 | expression : String |
-| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:68:24:68:33 | expression : String |
-| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:77:24:77:33 | expression : String |
-| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:86:24:86:33 | expression : String |
-| JakartaExpressionInjection.java:30:24:30:33 | expression : String | JakartaExpressionInjection.java:32:28:32:37 | expression |
-| JakartaExpressionInjection.java:37:24:37:33 | expression : String | JakartaExpressionInjection.java:39:32:39:41 | expression |
-| JakartaExpressionInjection.java:44:24:44:33 | expression : String | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression |
-| JakartaExpressionInjection.java:54:24:54:33 | expression : String | JakartaExpressionInjection.java:56:32:56:41 | expression |
-| JakartaExpressionInjection.java:61:24:61:33 | expression : String | JakartaExpressionInjection.java:63:43:63:52 | expression |
-| JakartaExpressionInjection.java:68:24:68:33 | expression : String | JakartaExpressionInjection.java:72:13:72:13 | e |
-| JakartaExpressionInjection.java:77:24:77:33 | expression : String | JakartaExpressionInjection.java:81:13:81:13 | e |
-| JakartaExpressionInjection.java:86:24:86:33 | expression : String | JakartaExpressionInjection.java:90:13:90:13 | e |
+| JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:25:31:25:40 | expression : String |
+| JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:32:24:32:33 | expression : String |
+| JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:40:24:40:33 | expression : String |
+| JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:48:24:48:33 | expression : String |
+| JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:59:24:59:33 | expression : String |
+| JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:67:24:67:33 | expression : String |
+| JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:75:24:75:33 | expression : String |
+| JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:85:24:85:33 | expression : String |
+| JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:95:24:95:33 | expression : String |
+| JakartaExpressionInjection.java:32:24:32:33 | expression : String | JakartaExpressionInjection.java:34:28:34:37 | expression |
+| JakartaExpressionInjection.java:40:24:40:33 | expression : String | JakartaExpressionInjection.java:42:32:42:41 | expression |
+| JakartaExpressionInjection.java:48:24:48:33 | expression : String | JakartaExpressionInjection.java:53:13:53:28 | lambdaExpression |
+| JakartaExpressionInjection.java:59:24:59:33 | expression : String | JakartaExpressionInjection.java:61:32:61:41 | expression |
+| JakartaExpressionInjection.java:67:24:67:33 | expression : String | JakartaExpressionInjection.java:69:43:69:52 | expression |
+| JakartaExpressionInjection.java:75:24:75:33 | expression : String | JakartaExpressionInjection.java:79:13:79:13 | e |
+| JakartaExpressionInjection.java:85:24:85:33 | expression : String | JakartaExpressionInjection.java:89:13:89:13 | e |
+| JakartaExpressionInjection.java:95:24:95:33 | expression : String | JakartaExpressionInjection.java:99:13:99:13 | e |
 nodes
-| JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
-| JakartaExpressionInjection.java:24:31:24:40 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:30:24:30:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:32:28:32:37 | expression | semmle.label | expression |
-| JakartaExpressionInjection.java:37:24:37:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:39:32:39:41 | expression | semmle.label | expression |
-| JakartaExpressionInjection.java:44:24:44:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression | semmle.label | lambdaExpression |
-| JakartaExpressionInjection.java:54:24:54:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:56:32:56:41 | expression | semmle.label | expression |
-| JakartaExpressionInjection.java:61:24:61:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:63:43:63:52 | expression | semmle.label | expression |
-| JakartaExpressionInjection.java:68:24:68:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:72:13:72:13 | e | semmle.label | e |
-| JakartaExpressionInjection.java:77:24:77:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:81:13:81:13 | e | semmle.label | e |
-| JakartaExpressionInjection.java:86:24:86:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:90:13:90:13 | e | semmle.label | e |
+| JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| JakartaExpressionInjection.java:25:31:25:40 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:32:24:32:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:34:28:34:37 | expression | semmle.label | expression |
+| JakartaExpressionInjection.java:40:24:40:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:42:32:42:41 | expression | semmle.label | expression |
+| JakartaExpressionInjection.java:48:24:48:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:53:13:53:28 | lambdaExpression | semmle.label | lambdaExpression |
+| JakartaExpressionInjection.java:59:24:59:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:61:32:61:41 | expression | semmle.label | expression |
+| JakartaExpressionInjection.java:67:24:67:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:69:43:69:52 | expression | semmle.label | expression |
+| JakartaExpressionInjection.java:75:24:75:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:79:13:79:13 | e | semmle.label | e |
+| JakartaExpressionInjection.java:85:24:85:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:89:13:89:13 | e | semmle.label | e |
+| JakartaExpressionInjection.java:95:24:95:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:99:13:99:13 | e | semmle.label | e |
 #select
-| JakartaExpressionInjection.java:32:28:32:37 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:32:28:32:37 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:39:32:39:41 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:39:32:39:41 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:56:32:56:41 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:56:32:56:41 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:63:43:63:52 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:63:43:63:52 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:72:13:72:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:72:13:72:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:81:13:81:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:81:13:81:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:90:13:90:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:90:13:90:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:34:28:34:37 | expression | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:34:28:34:37 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:42:32:42:41 | expression | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:42:32:42:41 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:53:13:53:28 | lambdaExpression | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:53:13:53:28 | lambdaExpression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:61:32:61:41 | expression | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:61:32:61:41 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:69:43:69:52 | expression | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:69:43:69:52 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:79:13:79:13 | e | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:79:13:79:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:89:13:89:13 | e | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:89:13:89:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:99:13:99:13 | e | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:99:13:99:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java
index 2e1d1e55b02..ae5b6a8d5e4 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java
@@ -15,6 +15,7 @@ import javax.el.ValueExpression;
 
 public class JakartaExpressionInjection {
     
+    // calls a consumer with a string received from a socket
     private static void testWithSocket(Consumer<String> action) throws IOException {
         try (ServerSocket serverSocket = new ServerSocket(0)) {
             try (Socket socket = serverSocket.accept()) {
@@ -26,6 +27,7 @@ public class JakartaExpressionInjection {
         }
     }
 
+    // BAD (untrusted input to ELProcessor.eval)
     private static void testWithELProcessorEval() throws IOException {
         testWithSocket(expression -> {
             ELProcessor processor = new ELProcessor();
@@ -33,6 +35,7 @@ public class JakartaExpressionInjection {
         });
     }
 
+    // BAD (untrusted input to ELProcessor.getValue)
     private static void testWithELProcessorGetValue() throws IOException {
         testWithSocket(expression -> {   
             ELProcessor processor = new ELProcessor();
@@ -40,6 +43,7 @@ public class JakartaExpressionInjection {
         });
     }
 
+    // BAD (untrusted input to LambdaExpression.invoke)
     private static void testWithLambdaExpressionInvoke() throws IOException {
         testWithSocket(expression -> {
             ExpressionFactory factory = ELManager.getExpressionFactory();
@@ -50,6 +54,7 @@ public class JakartaExpressionInjection {
         });
     }
 
+    // BAD (untrusted input to ELProcessor.setValue)
     private static void testWithELProcessorSetValue() throws IOException {
         testWithSocket(expression -> {
             ELProcessor processor = new ELProcessor();
@@ -57,6 +62,7 @@ public class JakartaExpressionInjection {
         });
     }
 
+    // BAD (untrusted input to ELProcessor.setVariable)
     private static void testWithELProcessorSetVariable() throws IOException {
         testWithSocket(expression -> {
             ELProcessor processor = new ELProcessor();
@@ -64,6 +70,7 @@ public class JakartaExpressionInjection {
         });
     }
 
+    // BAD (untrusted input to ValueExpression.getValue when it was created by JUEL)
     private static void testWithJuelValueExpressionGetValue() throws IOException {
         testWithSocket(expression -> {
             ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
@@ -73,6 +80,7 @@ public class JakartaExpressionInjection {
         });
     }
 
+    // BAD (untrusted input to ValueExpression.setValue when it was created by JUEL)
     private static void testWithJuelValueExpressionSetValue() throws IOException {
         testWithSocket(expression -> {
             ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
@@ -82,6 +90,7 @@ public class JakartaExpressionInjection {
         });
     }
 
+    // BAD (untrusted input to MethodExpression.invoke when it was created by JUEL)
     private static void testWithJuelMethodExpressionInvoke() throws IOException {
         testWithSocket(expression -> {
             ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();

From 897d12420b6fa5f22b0716af82af65a5db00bb56 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Wed, 14 Apr 2021 16:49:12 +0000
Subject: [PATCH 0406/1429] Python: Prevent bad join in `isinstanceEvaluatesTo`

In some cases, we were joining the result of `val.getClass()` against
the first argument of `Types::improperSubclass` before filtering out the
vast majority of tuples by the call to `isinstance_call`.

To fix this, we let `isinstance_call` take care of figuring out the
class of the value being tested. As a bonus, this cleans up the only
other place where `isinstance_call` is used, where we _also_ want to
know the class of the value being tested in the `isinstance` call.
---
 python/ql/src/semmle/python/pointsto/PointsTo.qll | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/python/ql/src/semmle/python/pointsto/PointsTo.qll b/python/ql/src/semmle/python/pointsto/PointsTo.qll
index 9706c6846f3..48bbb283d07 100644
--- a/python/ql/src/semmle/python/pointsto/PointsTo.qll
+++ b/python/ql/src/semmle/python/pointsto/PointsTo.qll
@@ -1853,8 +1853,10 @@ module Expressions {
   private boolean isinstanceEvaluatesTo(
     CallNode call, PointsToContext context, ControlFlowNode use, ObjectInternal val
   ) {
-    exists(ObjectInternal cls | isinstance_call(call, use, context, val, cls) |
-      result = Types::improperSubclass(val.getClass(), cls)
+    exists(ObjectInternal cls, ObjectInternal val_cls |
+      isinstance_call(call, use, context, val, val_cls, cls)
+    |
+      result = Types::improperSubclass(val_cls, cls)
       or
       val = ObjectInternal::unknown() and result = maybe()
       or
@@ -1866,12 +1868,13 @@ module Expressions {
 
   private predicate isinstance_call(
     CallNode call, ControlFlowNode use, PointsToContext context, ObjectInternal val,
-    ObjectInternal cls
+    ObjectInternal val_cls, ObjectInternal cls
   ) {
     exists(ControlFlowNode func, ControlFlowNode arg1 |
       call2(call, func, use, arg1) and
       points_to_isinstance(func, context) and
       PointsToInternal::pointsTo(use, context, val, _) and
+      val_cls = val.getClass() and
       PointsToInternal::pointsTo(arg1, context, cls, _)
     )
   }
@@ -1993,10 +1996,7 @@ module Expressions {
     exists(ObjectInternal sup_or_tuple |
       issubclass_call(_, _, _, sub, sup_or_tuple) and sub.isClass() = true
       or
-      exists(ObjectInternal val |
-        isinstance_call(_, _, _, val, sup_or_tuple) and
-        sub = val.getClass()
-      )
+      exists(ObjectInternal val | isinstance_call(_, _, _, val, sub, sup_or_tuple))
     |
       sup = sup_or_tuple
       or

From b30ae3980c0a067d525e5c957497a69498bb6b0b Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Wed, 14 Apr 2021 20:48:20 +0300
Subject: [PATCH 0407/1429] Update
 InsufficientControlFlowManagementAfterRefactoringTheCode.ql

---
 .../InsufficientControlFlowManagementAfterRefactoringTheCode.ql  | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
index dc5b2225a62..163305dd039 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
@@ -57,6 +57,7 @@ class UsingArithmeticInComparison extends BinaryArithmeticOperation {
     not this.getAChild*().isConstant() and
     not this.getParent*() instanceof Call and
     not this.getParent*() instanceof AssignExpr and
+    not this.getParent*() instanceof ArrayExpr and
     not this.getParent*() instanceof RemExpr and
     not this.getParent*() instanceof AssignBitwiseOperation and
     not this.getParent*() instanceof AssignArithmeticOperation and

From b3bdf89fc2230f8e280036166a249c6303106d61 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Thu, 15 Apr 2021 10:25:40 +0800
Subject: [PATCH 0408/1429] rm VerificationMethodFlowConfig, use
 springframework-5.2.3 stub

---
 .../Security/CWE/CWE-352/JsonpInjection.java  |  61 +----
 .../Security/CWE/CWE-352/JsonpInjection.qhelp |   5 +-
 .../CWE/CWE-352/JsonpInjectionLib.qll         |  51 ----
 .../JsonpController.java                      |  61 +----
 .../JsonpInjection.expected                   |  25 +-
 .../JsonpInjection.qlref                      |   0
 .../options                                   |   1 -
 .../JsonpController.java                      | 218 ------------------
 .../JsonpInjection.expected                   |  81 -------
 .../JsonpInjection.qlref                      |   1 -
 .../JsonpInjectionServlet1.java               |  64 -----
 .../JsonpInjectionServlet2.java               |  50 ----
 .../options                                   |   1 -
 .../query-tests/security/CWE-352/options      |   1 +
 .../stereotype/Controller.java                |  14 --
 .../core/io/InputStreamSource.java            |   8 -
 .../org/springframework/core/io/Resource.java |  46 ----
 .../org/springframework/lang/Nullable.java    |  13 --
 .../springframework/util/FileCopyUtils.java   |  53 -----
 .../org/springframework/util/StringUtils.java |   8 -
 .../web/bind/annotation/RequestMapping.java   |  32 ---
 .../web/bind/annotation/RequestMethod.java    |  15 --
 .../web/bind/annotation/RequestParam.java     |  23 --
 .../web/multipart/MultipartFile.java          |  38 ---
 java/ql/test/stubs/springframework-5.2.3.zip  | Bin 0 -> 57066 bytes
 .../boot/SpringBootConfiguration.java         |  10 +
 .../autoconfigure/SpringBootApplication.java  |  12 +
 .../context/annotation/Bean.java              |  10 +
 .../context/annotation/Configuration.java     |   7 +
 .../core/annotation/AliasFor.java             |   0
 .../HttpInvokerServiceExporter.java           |   8 +
 .../RemoteInvocationSerializingExporter.java  |   3 +
 .../stereotype/Controller.java                |  14 +-
 .../org/springframework/util/ObjectUtils.java | 202 ++++++++++++++++
 .../org/springframework/util/StringUtils.java |  30 +++
 .../web/bind/annotation/GetMapping.java       |   0
 .../web/bind/annotation/Mapping.java          |   0
 .../web/bind/annotation/RequestMapping.java   |  23 +-
 .../web/bind/annotation/RequestParam.java     |  23 +-
 .../web/bind/annotation/ResponseBody.java     |   0
 40 files changed, 346 insertions(+), 866 deletions(-)
 rename java/ql/test/experimental/query-tests/security/CWE-352/{JsonpInjectionWithSpringController => }/JsonpController.java (76%)
 rename java/ql/test/experimental/query-tests/security/CWE-352/{JsonpInjectionWithSpringController => }/JsonpInjection.expected (76%)
 rename java/ql/test/experimental/query-tests/security/CWE-352/{JsonpInjectionWithSpringController => }/JsonpInjection.qlref (100%)
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/options
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpController.java
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.qlref
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjectionServlet1.java
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjectionServlet2.java
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/options
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-352/options
 delete mode 100644 java/ql/test/stubs/spring-context-5.3.2/org/springframework/stereotype/Controller.java
 delete mode 100644 java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/io/InputStreamSource.java
 delete mode 100644 java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/io/Resource.java
 delete mode 100644 java/ql/test/stubs/spring-core-5.3.2/org/springframework/lang/Nullable.java
 delete mode 100644 java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/FileCopyUtils.java
 delete mode 100644 java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/StringUtils.java
 delete mode 100644 java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMapping.java
 delete mode 100644 java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMethod.java
 delete mode 100644 java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestParam.java
 delete mode 100644 java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/multipart/MultipartFile.java
 create mode 100644 java/ql/test/stubs/springframework-5.2.3.zip
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/boot/SpringBootConfiguration.java
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/boot/autoconfigure/SpringBootApplication.java
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/context/annotation/Bean.java
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/context/annotation/Configuration.java
 rename java/ql/test/stubs/{spring-core-5.3.2 => springframework-5.2.3}/org/springframework/core/annotation/AliasFor.java (100%)
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.java
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.java
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/util/ObjectUtils.java
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/util/StringUtils.java
 rename java/ql/test/stubs/{spring-web-5.3.2 => springframework-5.2.3}/org/springframework/web/bind/annotation/GetMapping.java (100%)
 rename java/ql/test/stubs/{spring-web-5.3.2 => springframework-5.2.3}/org/springframework/web/bind/annotation/Mapping.java (100%)
 rename java/ql/test/stubs/{spring-web-5.3.2 => springframework-5.2.3}/org/springframework/web/bind/annotation/ResponseBody.java (100%)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java
index 8e2a0c9005f..8f39efbc2b6 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java
@@ -105,52 +105,9 @@ public class JsonpInjection {
         return resultStr;
     }
 
-    @GetMapping(value = "jsonp8")
-    @ResponseBody
-    public String bad8(HttpServletRequest request) {
-        String resultStr = null;
-        String token = request.getParameter("token");
-        boolean result = verifToken(token); //Just check.
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
-        return resultStr;
-    }
-
-
-    @GetMapping(value = "jsonp9")
-    @ResponseBody
-    public String good1(HttpServletRequest request) {
-        String resultStr = null;
-        String referer = request.getParameter("referer");
-        if (verifReferer(referer)){
-            String jsonpCallback = request.getParameter("jsonpCallback");
-            String jsonStr = getJsonStr(hashMap);
-            resultStr = jsonpCallback + "(" + jsonStr + ")";
-            return resultStr;
-        }
-        return "error";
-    }
-
-
-    @GetMapping(value = "jsonp10")
-    @ResponseBody
-    public String good2(HttpServletRequest request) {
-        String resultStr = null;
-        String token = request.getParameter("token");
-        boolean result = verifToken(token);
-        if (result){
-            return "";
-        }
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
-        return resultStr;
-    }
-
     @RequestMapping(value = "jsonp11")
     @ResponseBody
-    public String good3(HttpServletRequest request) {
+    public String good1(HttpServletRequest request) {
         JSONObject parameterObj = readToJSONObect(request);
         String resultStr = null;
         String jsonpCallback = request.getParameter("jsonpCallback");
@@ -161,7 +118,7 @@ public class JsonpInjection {
 
     @RequestMapping(value = "jsonp12")
     @ResponseBody
-    public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
+    public String good2(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
         if(null == file){
             return "upload file error";
         }
@@ -201,18 +158,4 @@ public class JsonpInjection {
     public static String getJsonStr(Object result) {
         return JSONObject.toJSONString(result);
     }
-
-    public static boolean verifToken(String token){
-        if (token != "xxxx"){
-            return false;
-        }
-        return true;
-    }
-
-    public static boolean verifReferer(String str){
-        if (str != "xxxx"){
-            return false;
-        }
-        return true;
-    }
 }
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
index 2a3f0861cdf..e8fb89d3989 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp
@@ -14,10 +14,9 @@ When there is a cross-domain problem, this could lead to information leakage.</p
 </recommendation>
 <example>
 
-<p>The following examples show the bad case and the good case respectively. Bad cases, such as <code>bad1</code> to <code>bad8</code>, 
+<p>The following examples show the bad case and the good case respectively. Bad cases, such as <code>bad1</code> to <code>bad7</code>, 
 will cause information leakage when there are cross-domain problems. In a good case, for example, in the <code>good1</code> 
-method and the <code>good2</code> method, using the <code>verifToken</code> method to do random <code>token</code> verification
-solves the problem of information leakage even in the presence of cross-domain access issues.</p>
+method and the <code>good2</code> method, When these two methods process the request, there must be a request body in the request, which does not meet the conditions of Jsonp injection.</p>
 
 <sample src="JsonpInjection.java" />
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index 6b989c3c0cf..8220745e667 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -7,62 +7,11 @@ import semmle.code.java.dataflow.DataFlow3
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.spring.SpringController
 
-/** A data flow configuration tracing flow from the result of a method whose name includes token/auth/referer/origin to an if-statement condition. */
-class VerificationMethodToIfFlowConfig extends DataFlow3::Configuration {
-  VerificationMethodToIfFlowConfig() { this = "VerificationMethodToIfFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) {
-    exists(MethodAccess ma | ma instanceof BarrierGuard |
-      (
-        ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
-        or
-        ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
-      ) and
-      ma = src.asExpr()
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(IfStmt is | is.getCondition() = sink.asExpr())
-  }
-}
-
-/**
- * Taint-tracking configuration tracing flow from untrusted inputs to an argument of a function whose result is used as an if-statement condition.
- *
- * For example, in the context `String userControlled = request.getHeader("xyz"); boolean isGood = checkToken(userControlled); if(isGood) { ...`,
- * the flow from `checkToken`'s result to the condition of `if(isGood)` matches the configuration `VerificationMethodToIfFlowConfig` above,
- * and so the flow from `getHeader(...)` to the argument to `checkToken` matches this configuration.
- */
-class VerificationMethodFlowConfig extends TaintTracking2::Configuration {
-  VerificationMethodFlowConfig() { this = "VerificationMethodFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma, int i, VerificationMethodToIfFlowConfig vmtifc |
-      ma instanceof BarrierGuard
-    |
-      (
-        ma.getMethod().getParameter(i).getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
-        or
-        ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
-      ) and
-      ma.getArgument(i) = sink.asExpr() and
-      vmtifc.hasFlow(exprNode(ma), _)
-    )
-  }
-}
-
 /**
  * A method that is called to handle an HTTP GET request.
  */
 abstract class RequestGetMethod extends Method {
   RequestGetMethod() {
-    not exists(DataFlow::Node source, DataFlow::Node sink, VerificationMethodFlowConfig vmfc |
-      vmfc.hasFlow(source, sink) and
-      any(this).polyCalls*(source.getEnclosingCallable())
-    ) and
     not exists(MethodAccess ma |
       ma.getMethod() instanceof ServletRequestGetBodyMethod and
       any(this).polyCalls*(ma.getEnclosingCallable())
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpController.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpController.java
similarity index 76%
rename from java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpController.java
rename to java/ql/test/experimental/query-tests/security/CWE-352/JsonpController.java
index 4c60b356cfb..c7fd850bb09 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpController.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpController.java
@@ -105,52 +105,9 @@ public class JsonpController {
         return resultStr;
     }
 
-    @GetMapping(value = "jsonp8")
-    @ResponseBody
-    public String bad8(HttpServletRequest request) {
-        String resultStr = null;
-        String token = request.getParameter("token");
-        boolean result = verifToken(token); //Just check.
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
-        return resultStr;
-    }
-
-
-    @GetMapping(value = "jsonp9")
-    @ResponseBody
-    public String good1(HttpServletRequest request) {
-        String resultStr = null;
-        String referer = request.getParameter("referer");
-        if (verifReferer(referer)){
-            String jsonpCallback = request.getParameter("jsonpCallback");
-            String jsonStr = getJsonStr(hashMap);
-            resultStr = jsonpCallback + "(" + jsonStr + ")";
-            return resultStr;
-        }
-        return "error";
-    }
-
-
-    @GetMapping(value = "jsonp10")
-    @ResponseBody
-    public String good2(HttpServletRequest request) {
-        String resultStr = null;
-        String token = request.getParameter("token");
-        boolean result = verifToken(token);
-        if (result){
-            return "";
-        }
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
-        return resultStr;
-    }
-
     @RequestMapping(value = "jsonp11")
     @ResponseBody
-    public String good3(HttpServletRequest request) {
+    public String good1(HttpServletRequest request) {
         JSONObject parameterObj = readToJSONObect(request);
         String resultStr = null;
         String jsonpCallback = request.getParameter("jsonpCallback");
@@ -161,7 +118,7 @@ public class JsonpController {
 
     @RequestMapping(value = "jsonp12")
     @ResponseBody
-    public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
+    public String good2(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
         if(null == file){
             return "upload file error";
         }
@@ -201,18 +158,4 @@ public class JsonpController {
     public static String getJsonStr(Object result) {
         return JSONObject.toJSONString(result);
     }
-
-    public static boolean verifToken(String token){
-        if (token != "xxxx"){
-            return false;
-        }
-        return true;
-    }
-
-    public static boolean verifReferer(String str){
-        if (str != "xxxx"){
-            return false;
-        }
-        return true;
-    }
 }
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected
similarity index 76%
rename from java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected
rename to java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected
index 83f2b7f206a..14912328a1e 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected
@@ -13,12 +13,8 @@ edges
 | JsonpController.java:93:21:93:54 | ... + ... : String | JsonpController.java:94:20:94:28 | resultStr |
 | JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr |
 | JsonpController.java:104:21:104:54 | ... + ... : String | JsonpController.java:105:16:105:24 | resultStr |
-| JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr |
-| JsonpController.java:116:21:116:55 | ... + ... : String | JsonpController.java:117:16:117:24 | resultStr |
-| JsonpController.java:129:25:129:59 | ... + ... : String | JsonpController.java:130:20:130:28 | resultStr |
-| JsonpController.java:147:21:147:55 | ... + ... : String | JsonpController.java:148:16:148:24 | resultStr |
-| JsonpController.java:158:21:158:54 | ... + ... : String | JsonpController.java:159:16:159:24 | resultStr |
-| JsonpController.java:173:21:173:54 | ... + ... : String | JsonpController.java:174:16:174:24 | resultStr |
+| JsonpController.java:115:21:115:54 | ... + ... : String | JsonpController.java:116:16:116:24 | resultStr |
+| JsonpController.java:130:21:130:54 | ... + ... : String | JsonpController.java:131:16:131:24 | resultStr |
 nodes
 | JsonpController.java:33:32:33:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JsonpController.java:36:21:36:54 | ... + ... : String | semmle.label | ... + ... : String |
@@ -48,18 +44,10 @@ nodes
 | JsonpController.java:104:21:104:54 | ... + ... : String | semmle.label | ... + ... : String |
 | JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
 | JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:114:32:114:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:116:21:116:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:129:25:129:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:147:21:147:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:158:21:158:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:159:16:159:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:173:21:173:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:174:16:174:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:115:21:115:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:116:16:116:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:130:21:130:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:131:16:131:24 | resultStr | semmle.label | resultStr |
 #select
 | JsonpController.java:37:16:37:24 | resultStr | JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:33:32:33:68 | getParameter(...) | this user input |
 | JsonpController.java:46:16:46:24 | resultStr | JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:44:32:44:68 | getParameter(...) | this user input |
@@ -68,4 +56,3 @@ nodes
 | JsonpController.java:80:20:80:28 | resultStr | JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:73:32:73:68 | getParameter(...) | this user input |
 | JsonpController.java:94:20:94:28 | resultStr | JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:87:32:87:68 | getParameter(...) | this user input |
 | JsonpController.java:105:16:105:24 | resultStr | JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:101:32:101:68 | getParameter(...) | this user input |
-| JsonpController.java:117:16:117:24 | resultStr | JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:114:32:114:68 | getParameter(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.qlref
similarity index 100%
rename from java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.qlref
rename to java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.qlref
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/options b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/options
deleted file mode 100644
index c53e31e467f..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/options
+++ /dev/null
@@ -1 +0,0 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../../stubs/gson-2.8.6/:${testdir}/../../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../../stubs/spring-context-5.3.2/:${testdir}/../../../../../stubs/spring-web-5.3.2/:${testdir}/../../../../../stubs/spring-core-5.3.2/:${testdir}/../../../../../stubs/tomcat-embed-core-9.0.41/
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpController.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpController.java
deleted file mode 100644
index 4c60b356cfb..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpController.java
+++ /dev/null
@@ -1,218 +0,0 @@
-import com.alibaba.fastjson.JSONObject;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.gson.Gson;
-import java.io.BufferedReader;
-import java.io.IOException;
-import java.io.InputStreamReader;
-import java.io.PrintWriter;
-import java.util.HashMap;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
-import org.springframework.web.multipart.MultipartFile;
-
-@Controller
-public class JsonpController {
-
-    private static HashMap hashMap = new HashMap();
-
-    static {
-        hashMap.put("username","admin");
-        hashMap.put("password","123456");
-    }
-
-    @GetMapping(value = "jsonp1")
-    @ResponseBody
-    public String bad1(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        Gson gson = new Gson();
-        String result = gson.toJson(hashMap);
-        resultStr = jsonpCallback + "(" + result + ")";
-        return resultStr;
-    }
-
-    @GetMapping(value = "jsonp2")
-    @ResponseBody
-    public String bad2(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")";
-        return resultStr;
-    }
-
-    @GetMapping(value = "jsonp3")
-    @ResponseBody
-    public String bad3(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
-        return resultStr;
-    }
-
-    @GetMapping(value = "jsonp4")
-    @ResponseBody
-    public String bad4(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String restr = JSONObject.toJSONString(hashMap);
-        resultStr = jsonpCallback + "(" + restr + ");";
-        return resultStr;
-    }
-
-    @GetMapping(value = "jsonp5")
-    @ResponseBody
-    public void bad5(HttpServletRequest request,
-            HttpServletResponse response) throws Exception {
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        PrintWriter pw = null;
-        Gson gson = new Gson();
-        String result = gson.toJson(hashMap);
-        String resultStr = null;
-        pw = response.getWriter();
-        resultStr = jsonpCallback + "(" + result + ")";
-        pw.println(resultStr);
-    }
-
-    @GetMapping(value = "jsonp6")
-    @ResponseBody
-    public void bad6(HttpServletRequest request,
-            HttpServletResponse response) throws Exception {
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        PrintWriter pw = null;
-        ObjectMapper mapper = new ObjectMapper();
-        String result = mapper.writeValueAsString(hashMap);
-        String resultStr = null;
-        pw = response.getWriter();
-        resultStr = jsonpCallback + "(" + result + ")";
-        pw.println(resultStr);
-    }
-
-    @RequestMapping(value = "jsonp7", method = RequestMethod.GET)
-    @ResponseBody
-    public String bad7(HttpServletRequest request) {
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        Gson gson = new Gson();
-        String result = gson.toJson(hashMap);
-        resultStr = jsonpCallback + "(" + result + ")";
-        return resultStr;
-    }
-
-    @GetMapping(value = "jsonp8")
-    @ResponseBody
-    public String bad8(HttpServletRequest request) {
-        String resultStr = null;
-        String token = request.getParameter("token");
-        boolean result = verifToken(token); //Just check.
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
-        return resultStr;
-    }
-
-
-    @GetMapping(value = "jsonp9")
-    @ResponseBody
-    public String good1(HttpServletRequest request) {
-        String resultStr = null;
-        String referer = request.getParameter("referer");
-        if (verifReferer(referer)){
-            String jsonpCallback = request.getParameter("jsonpCallback");
-            String jsonStr = getJsonStr(hashMap);
-            resultStr = jsonpCallback + "(" + jsonStr + ")";
-            return resultStr;
-        }
-        return "error";
-    }
-
-
-    @GetMapping(value = "jsonp10")
-    @ResponseBody
-    public String good2(HttpServletRequest request) {
-        String resultStr = null;
-        String token = request.getParameter("token");
-        boolean result = verifToken(token);
-        if (result){
-            return "";
-        }
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
-        return resultStr;
-    }
-
-    @RequestMapping(value = "jsonp11")
-    @ResponseBody
-    public String good3(HttpServletRequest request) {
-        JSONObject parameterObj = readToJSONObect(request);
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String restr = JSONObject.toJSONString(hashMap);
-        resultStr = jsonpCallback + "(" + restr + ");";
-        return resultStr;
-    }
-
-    @RequestMapping(value = "jsonp12")
-    @ResponseBody
-    public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
-        if(null == file){
-            return "upload file error";
-        }
-        String fileName = file.getOriginalFilename();
-        System.out.println("file operations");
-        String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String restr = JSONObject.toJSONString(hashMap);
-        resultStr = jsonpCallback + "(" + restr + ");";
-        return resultStr;
-    }
-
-    public static JSONObject readToJSONObect(HttpServletRequest request){
-        String jsonText = readPostContent(request);
-        JSONObject jsonObj = JSONObject.parseObject(jsonText, JSONObject.class);
-        return jsonObj;
-    }
-
-    public static String readPostContent(HttpServletRequest request){
-        BufferedReader in= null;
-        String content = null;
-        String line = null;
-        try {
-            in = new BufferedReader(new InputStreamReader(request.getInputStream(),"UTF-8"));
-            StringBuilder buf = new StringBuilder();
-            while ((line = in.readLine()) != null) {
-                buf.append(line);
-            }
-            content = buf.toString();
-        } catch (IOException e) {
-            e.printStackTrace();
-        }
-        String uri = request.getRequestURI();
-        return content;
-    }
-
-    public static String getJsonStr(Object result) {
-        return JSONObject.toJSONString(result);
-    }
-
-    public static boolean verifToken(String token){
-        if (token != "xxxx"){
-            return false;
-        }
-        return true;
-    }
-
-    public static boolean verifReferer(String str){
-        if (str != "xxxx"){
-            return false;
-        }
-        return true;
-    }
-}
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected
deleted file mode 100644
index dfbe0628760..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.expected
+++ /dev/null
@@ -1,81 +0,0 @@
-edges
-| JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr |
-| JsonpController.java:36:21:36:54 | ... + ... : String | JsonpController.java:37:16:37:24 | resultStr |
-| JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr |
-| JsonpController.java:45:21:45:80 | ... + ... : String | JsonpController.java:46:16:46:24 | resultStr |
-| JsonpController.java:53:32:53:68 | getParameter(...) : String | JsonpController.java:56:16:56:24 | resultStr |
-| JsonpController.java:55:21:55:55 | ... + ... : String | JsonpController.java:56:16:56:24 | resultStr |
-| JsonpController.java:63:32:63:68 | getParameter(...) : String | JsonpController.java:66:16:66:24 | resultStr |
-| JsonpController.java:65:21:65:54 | ... + ... : String | JsonpController.java:66:16:66:24 | resultStr |
-| JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr |
-| JsonpController.java:79:21:79:54 | ... + ... : String | JsonpController.java:80:20:80:28 | resultStr |
-| JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr |
-| JsonpController.java:93:21:93:54 | ... + ... : String | JsonpController.java:94:20:94:28 | resultStr |
-| JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr |
-| JsonpController.java:104:21:104:54 | ... + ... : String | JsonpController.java:105:16:105:24 | resultStr |
-| JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr |
-| JsonpController.java:116:21:116:55 | ... + ... : String | JsonpController.java:117:16:117:24 | resultStr |
-| JsonpController.java:129:25:129:59 | ... + ... : String | JsonpController.java:130:20:130:28 | resultStr |
-| JsonpController.java:147:21:147:55 | ... + ... : String | JsonpController.java:148:16:148:24 | resultStr |
-| JsonpController.java:158:21:158:54 | ... + ... : String | JsonpController.java:159:16:159:24 | resultStr |
-| JsonpController.java:173:21:173:54 | ... + ... : String | JsonpController.java:174:16:174:24 | resultStr |
-| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
-| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
-| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
-nodes
-| JsonpController.java:33:32:33:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:36:21:36:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:44:32:44:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:45:21:45:80 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:46:16:46:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:46:16:46:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:53:32:53:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:55:21:55:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:56:16:56:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:56:16:56:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:63:32:63:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:65:21:65:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:66:16:66:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:66:16:66:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:73:32:73:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:79:21:79:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:80:20:80:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:80:20:80:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:87:32:87:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:93:21:93:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:94:20:94:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:94:20:94:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:101:32:101:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:104:21:104:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:114:32:114:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:116:21:116:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:129:25:129:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:147:21:147:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:158:21:158:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:159:16:159:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:173:21:173:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:174:16:174:24 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
-| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
-#select
-| JsonpController.java:37:16:37:24 | resultStr | JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:33:32:33:68 | getParameter(...) | this user input |
-| JsonpController.java:46:16:46:24 | resultStr | JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:44:32:44:68 | getParameter(...) | this user input |
-| JsonpController.java:56:16:56:24 | resultStr | JsonpController.java:53:32:53:68 | getParameter(...) : String | JsonpController.java:56:16:56:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:53:32:53:68 | getParameter(...) | this user input |
-| JsonpController.java:66:16:66:24 | resultStr | JsonpController.java:63:32:63:68 | getParameter(...) : String | JsonpController.java:66:16:66:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:63:32:63:68 | getParameter(...) | this user input |
-| JsonpController.java:80:20:80:28 | resultStr | JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:73:32:73:68 | getParameter(...) | this user input |
-| JsonpController.java:94:20:94:28 | resultStr | JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:87:32:87:68 | getParameter(...) | this user input |
-| JsonpController.java:105:16:105:24 | resultStr | JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:101:32:101:68 | getParameter(...) | this user input |
-| JsonpController.java:117:16:117:24 | resultStr | JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:114:32:114:68 | getParameter(...) | this user input |
-| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr | Jsonp response might include code from $@. | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.qlref
deleted file mode 100644
index 3f5fc450669..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-352/JsonpInjection.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjectionServlet1.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjectionServlet1.java
deleted file mode 100644
index 14ef76275b1..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjectionServlet1.java
+++ /dev/null
@@ -1,64 +0,0 @@
-import com.google.gson.Gson;
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.util.HashMap;
-import javax.servlet.ServletConfig;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-public class JsonpInjectionServlet1 extends HttpServlet {
-
-    private static HashMap hashMap = new HashMap();
-
-    static {
-        hashMap.put("username","admin");
-        hashMap.put("password","123456");
-    }
-
-    private static final long serialVersionUID = 1L;
-
-    private String key = "test";
-    @Override
-    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-        doPost(req, resp);
-    }
-
-    @Override
-    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-        resp.setContentType("application/json");
-        String jsonpCallback = req.getParameter("jsonpCallback");
-        PrintWriter pw = null;
-        Gson gson = new Gson();
-        String jsonResult = gson.toJson(hashMap);
-
-        String referer = req.getHeader("Referer");
-
-        boolean result = verifReferer(referer);
-
-        // good
-        if (result){
-            String resultStr = null;
-            pw = resp.getWriter();
-            resultStr = jsonpCallback + "(" + jsonResult + ")";
-            pw.println(resultStr);
-            pw.flush();
-        }
-    }
-
-    public static boolean verifReferer(String referer){
-        if (!referer.startsWith("http://test.com/")){
-            return false;
-        }
-        return true;
-    }
-
-    @Override
-    public void init(ServletConfig config) throws ServletException {
-        this.key = config.getInitParameter("key");
-        System.out.println("�始化" + this.key);
-        super.init(config);
-    }
-
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjectionServlet2.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjectionServlet2.java
deleted file mode 100644
index bbfbc2dc436..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/JsonpInjectionServlet2.java
+++ /dev/null
@@ -1,50 +0,0 @@
-import com.google.gson.Gson;
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.util.HashMap;
-import javax.servlet.ServletConfig;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-public class JsonpInjectionServlet2  extends HttpServlet {
-
-    private static HashMap hashMap = new HashMap();
-
-    static {
-        hashMap.put("username","admin");
-        hashMap.put("password","123456");
-    }
-
-    private static final long serialVersionUID = 1L;
-
-    private String key = "test";
-    @Override
-    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-        doPost(req, resp);
-    }
-
-    @Override
-    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-        resp.setContentType("application/json");
-        String jsonpCallback = req.getParameter("jsonpCallback");
-        PrintWriter pw = null;
-        Gson gson = new Gson();
-        String result = gson.toJson(hashMap);
-
-        String resultStr = null;
-        pw = resp.getWriter();
-        resultStr = jsonpCallback + "(" + result + ")";
-        pw.println(resultStr);
-        pw.flush();
-    }
-
-    @Override
-    public void init(ServletConfig config) throws ServletException {
-        this.key = config.getInitParameter("key");
-        System.out.println("�始化" + this.key);
-        super.init(config);
-    }
-
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/options b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/options
deleted file mode 100644
index c53e31e467f..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringControllerAndServlet/options
+++ /dev/null
@@ -1 +0,0 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../../stubs/servlet-api-2.4:${testdir}/../../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../../stubs/gson-2.8.6/:${testdir}/../../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../../stubs/spring-context-5.3.2/:${testdir}/../../../../../stubs/spring-web-5.3.2/:${testdir}/../../../../../stubs/spring-core-5.3.2/:${testdir}/../../../../../stubs/tomcat-embed-core-9.0.41/
diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/options b/java/ql/test/experimental/query-tests/security/CWE-352/options
new file mode 100644
index 00000000000..5e5f10f6945
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/options
@@ -0,0 +1 @@
+  //semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../stubs/gson-2.8.6/:${testdir}/../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../stubs/springframework-5.2.3/
diff --git a/java/ql/test/stubs/spring-context-5.3.2/org/springframework/stereotype/Controller.java b/java/ql/test/stubs/spring-context-5.3.2/org/springframework/stereotype/Controller.java
deleted file mode 100644
index 9b1751fa2ae..00000000000
--- a/java/ql/test/stubs/spring-context-5.3.2/org/springframework/stereotype/Controller.java
+++ /dev/null
@@ -1,14 +0,0 @@
-package org.springframework.stereotype;
-
-import java.lang.annotation.Documented;
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-@Target({ElementType.TYPE})
-@Retention(RetentionPolicy.RUNTIME)
-@Documented
-public @interface Controller {
-    String value() default "";
-}
diff --git a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/io/InputStreamSource.java b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/io/InputStreamSource.java
deleted file mode 100644
index 372d06cc738..00000000000
--- a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/io/InputStreamSource.java
+++ /dev/null
@@ -1,8 +0,0 @@
-package org.springframework.core.io;
-
-import java.io.IOException;
-import java.io.InputStream;
-
-public interface InputStreamSource {
-    InputStream getInputStream() throws IOException;
-}
diff --git a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/io/Resource.java b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/io/Resource.java
deleted file mode 100644
index 6bd357f2228..00000000000
--- a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/io/Resource.java
+++ /dev/null
@@ -1,46 +0,0 @@
-package org.springframework.core.io;
-
-import java.io.File;
-import java.io.IOException;
-import java.net.URI;
-import java.net.URL;
-import java.nio.channels.Channels;
-import java.nio.channels.ReadableByteChannel;
-import org.springframework.lang.Nullable;
-
-public interface Resource extends InputStreamSource {
-    boolean exists();
-
-    default boolean isReadable() {
-        return this.exists();
-    }
-
-    default boolean isOpen() {
-        return false;
-    }
-
-    default boolean isFile() {
-        return false;
-    }
-
-    URL getURL() throws IOException;
-
-    URI getURI() throws IOException;
-
-    File getFile() throws IOException;
-
-    default ReadableByteChannel readableChannel() throws IOException {
-        return null;
-    }
-
-    long contentLength() throws IOException;
-
-    long lastModified() throws IOException;
-
-    Resource createRelative(String var1) throws IOException;
-
-    @Nullable
-    String getFilename();
-
-    String getDescription();
-}
diff --git a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/lang/Nullable.java b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/lang/Nullable.java
deleted file mode 100644
index 44bdae10fda..00000000000
--- a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/lang/Nullable.java
+++ /dev/null
@@ -1,13 +0,0 @@
-package org.springframework.lang;
-
-import java.lang.annotation.Documented;
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-@Target({ElementType.METHOD, ElementType.PARAMETER, ElementType.FIELD})
-@Retention(RetentionPolicy.RUNTIME)
-@Documented
-public @interface Nullable {
-}
diff --git a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/FileCopyUtils.java b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/FileCopyUtils.java
deleted file mode 100644
index 78d384d7266..00000000000
--- a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/FileCopyUtils.java
+++ /dev/null
@@ -1,53 +0,0 @@
-package org.springframework.util;
-
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.Closeable;
-import java.io.File;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.io.Reader;
-import java.io.StringWriter;
-import java.io.Writer;
-import java.nio.file.Files;
-import org.springframework.lang.Nullable;
-
-public abstract class FileCopyUtils {
-    public static final int BUFFER_SIZE = 4096;
-
-    public FileCopyUtils() {
-    }
-
-    public static int copy(File in, File out) throws IOException {
-        return 1;
-    }
-
-    public static void copy(byte[] in, File out) throws IOException {}
-
-    public static byte[] copyToByteArray(File in) throws IOException {
-        return null;
-    }
-
-    public static int copy(InputStream in, OutputStream out) throws IOException {
-        return 1;
-    }
-
-    public static void copy(byte[] in, OutputStream out) throws IOException {}
-
-    public static byte[] copyToByteArray(@Nullable InputStream in) throws IOException {
-        return null;    
-    }
-
-    public static int copy(Reader in, Writer out) throws IOException {
-        return 1;
-    }
-
-    public static void copy(String in, Writer out) throws IOException {}
-
-    public static String copyToString(@Nullable Reader in) throws IOException {
-        return null;
-    }
-
-    private static void close(Closeable closeable) {}
-}
diff --git a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/StringUtils.java b/java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/StringUtils.java
deleted file mode 100644
index 6ea27bbffa2..00000000000
--- a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/util/StringUtils.java
+++ /dev/null
@@ -1,8 +0,0 @@
-package org.springframework.util;
-
-public abstract class StringUtils {
-
-    public static boolean isEmpty(Object str) {
-        return str == null || "".equals(str);
-    }
-}
diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMapping.java b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMapping.java
deleted file mode 100644
index ed692a03063..00000000000
--- a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMapping.java
+++ /dev/null
@@ -1,32 +0,0 @@
-package org.springframework.web.bind.annotation;
-
-import java.lang.annotation.Documented;
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-import org.springframework.core.annotation.AliasFor;
-
-@Target({ElementType.TYPE, ElementType.METHOD})
-@Retention(RetentionPolicy.RUNTIME)
-@Documented
-@Mapping
-public @interface RequestMapping {
-    String name() default "";
-
-    @AliasFor("path")
-    String[] value() default {};
-    
-    @AliasFor("value")
-    String[] path() default {};
-
-    RequestMethod[] method() default {};
-
-    String[] params() default {};
-
-    String[] headers() default {};
-
-    String[] consumes() default {};
-
-    String[] produces() default {};
-}
diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMethod.java b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMethod.java
deleted file mode 100644
index 78c90a6ef75..00000000000
--- a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMethod.java
+++ /dev/null
@@ -1,15 +0,0 @@
-package org.springframework.web.bind.annotation;
-
-public enum RequestMethod {
-    GET,
-    HEAD,
-    POST,
-    PUT,
-    PATCH,
-    DELETE,
-    OPTIONS,
-    TRACE;
-
-    private RequestMethod() {
-    }
-}
diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestParam.java b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestParam.java
deleted file mode 100644
index 56094811c37..00000000000
--- a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestParam.java
+++ /dev/null
@@ -1,23 +0,0 @@
-package org.springframework.web.bind.annotation;
-
-import java.lang.annotation.Documented;
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-import org.springframework.core.annotation.AliasFor;
-
-@Target({ElementType.PARAMETER})
-@Retention(RetentionPolicy.RUNTIME)
-@Documented
-public @interface RequestParam {
-    @AliasFor("name")
-    String value() default "";
-
-    @AliasFor("value")
-    String name() default "";
-
-    boolean required() default true;
-
-    String defaultValue() default "\n\t\t\n\t\t\n\ue000\ue001\ue002\n\t\t\t\t\n";
-}
diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/multipart/MultipartFile.java b/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/multipart/MultipartFile.java
deleted file mode 100644
index 93ea3439fed..00000000000
--- a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/multipart/MultipartFile.java
+++ /dev/null
@@ -1,38 +0,0 @@
-package org.springframework.web.multipart;
-
-import java.io.File;
-import java.io.IOException;
-import java.io.InputStream;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import org.springframework.core.io.InputStreamSource;
-import org.springframework.core.io.Resource;
-import org.springframework.lang.Nullable;
-import org.springframework.util.FileCopyUtils;
-
-public interface MultipartFile extends InputStreamSource {
-    String getName();
-
-    @Nullable
-    String getOriginalFilename();
-
-    @Nullable
-    String getContentType();
-
-    boolean isEmpty();
-
-    long getSize();
-
-    byte[] getBytes() throws IOException;
-
-    InputStream getInputStream() throws IOException;
-
-    default Resource getResource() {
-        return null;
-    }
-
-    void transferTo(File var1) throws IOException, IllegalStateException;
-
-    default void transferTo(Path dest) throws IOException, IllegalStateException {
-    }
-}
diff --git a/java/ql/test/stubs/springframework-5.2.3.zip b/java/ql/test/stubs/springframework-5.2.3.zip
new file mode 100644
index 0000000000000000000000000000000000000000..b54730e4bbcd561f20961940fb62c54dcee1225f
GIT binary patch
literal 57066
zcmcG$1yont);>&kcT0Ckr*wCxbW68%H%NDPr*tFT9nvKrT>>Kb{m>I0zjM$3dhdN5
zW63$g!Q6X2GuE8XoNLQVfr7yRJ^k5H2vhv_AHV&D0r=@)Yj19CYGSW%W$a>O|B8;4
zo{65BK_2isXn=o(0%AzAQ`8*NqvJya0@9-e0wVgCzauRnBqFOMLhtD6xT>iYx7>j4
zbyLO9I&*LWN5^eG%{D&M-)cR}r8!~olKl-5v}Cb>AMoH@ZOWIMOjv%O*m>t7o7Ldn
z*bs+Kk3FA>-o3|4E{&4}*D|R&x9gI<uQ}-p4d}WIx)@tFwfOnCeG3e_UY9#Lp6f1;
zbK#i5@ARocC#G9gVc)fV2{(1Uc>Hiu6xpPy8@|wZcsTd)(YYPj#`?7PeoThw#CmOY
zRj1QCQWx`T_S(Y1yYcfTua^*5hi2F-l|$7V!VKLPuv@f#lCYaM(^ylKOJM}c#|f|6
zqOHgzmsLF^XXit^%LF;*IJMx(yk3GS-dYxTo?bb3od#az3MQ7KEGt+l4+(dGd>%(=
zZNHUW#Cc)nI-V$$_x@3x{!kW-#)_S*efg$`Kyw!?1Ps!N4~Fx~{qU+YR5#n<M7T4l
z9jK6-VpFd*FW3*C33yf($4)3;E&xkYIXYiWFj1IH64=DY6cig45e&HgViX7NJ@+dZ
zqKvR-aL_Na*=~;~Rc*`P$`~&5Q}IwDw5&7Zn>3->l#_6_bUR@XlWREHyIxHZ%WFha
z>uB#wy|6$WM&Eb=sUt|_IP#TV*hYk^``}hPyN53ZJl)KQ#swxL*yBO|#9uFv;|RS3
zagCxQ)@(14(=38K+dk)-taaejDLCHZr9Uh8t|Y1F`SHlQE(-UdGNT76%T)(tSsr4S
zjO?8_vbePhtSDtYi^Ip1^r2n8Wql(0@;vY6KI0RorC1pPM^-{Qii=w)uvrrEGF})E
zd-nJ4Fs@<D7Ywbtq_b>Y70R&ERUbH}xr!`y(@Sp`QfVKNHCP&^vs3fS!w}}J%psV-
zNpsAs7$U4$>>>Hwv~D2b806r(sS>CQS4aeX;rQfxzf@gY+g@=u^%a+UtXO{q&#|R$
zu@rkmSb2^${O0`<gct2iEqIBcAHVWjf~@%G+55PtFXjbd*brlAKEOcWh*=1}cf>&*
zj<ppS!xskG&n|85nX(m_fuvt2IIuloE1g!nGE6Fa=x%vKA+iai8{4ZK%s8zGv(Hxg
zoD3+9zIbjB24={AR@7Q%^lLdiy1LABASrA?2?(Z=7GLa*&62j7f(?BclLXH<?SZst
z1@NTw{J__gY2%bUPz4VH!Tz^9DhpH_U!aDJjy9PzHZ?gPfK)x?LEyJA2atVu#+M1r
zo>A7o=Wb{nOueQnFbL#P7MXfi52F#&%7}^J{_>>G0BHPU4x~7!?@jhl0#=`1YBYtQ
zZ(v1uR(ZJfcpVkeJNhCXVHgcv5aw5uR2#`_2db&eFZe13YGmi?t{8f2?)<J9Q~ggv
zJoa&9Srz5(O1KUv6({NQMf1{`NOlD7W8fO+==vmRaGkI-DszyUH4|q^4fZD@+=$UM
z#g@2UKh#?l5qQsUJGdKBrJbk2VWA*QjPCFoFlWibsR4%yOD0+g6_vXy-V#fN5tMa+
z&yy!w@mc0L2W%nRL5g5X$ZiEH^OtH5$mxk(G1a%qIfvsFU$IpWxUN$(n!p#j;<R~a
zG-8HJ6p3W_J$O-%*otF|^PA>iVeSW3u%L-S2JdN>=Z;N69Kw$Jt?W}{!yM1v$I}{l
z>w46pgDW}^G>jSfg%!gSumMqd#x#~g!`w~Xl%Bta4$kDJv?L<C9y|kUea8JPF9G`1
zt|&t-6H~a~=zBBvuBP3Mk`dH_ppV8rG0%#(3g+_(@{m8Y^t*zocodCvBM`(k#+;BO
zzDSx>2+$rrd?{70+qgrL|M~?=jXK@Do(<K7_DgzMrCTUnIg0_fFSI*D@FCYVoCegN
z2uD=~cz}(Rm4_O)Bjh9ntGuuYz2Iu;=oZtKSwYrlADWOn+tIv5)B`Pb<vxlTk+Ff+
zCt;PD2B*-DU6ht*ONEW{gGdcJ8=;9c0d?g>hn#WE`5PPD3LG%c36RX2S>31eoL+-^
zdLR@J9NXH~=CM57wmHMRFb8r*Z0HsAnjU-iB^Yk|EjR_?09V9zoMh7QYj(@ca_r~w
z+$00Uo}f$)W!G2mG(2g`_Q`y61|TC8coT0OO6iWW`AiVpC~Ec}pSkXVM3qzyfceMd
z?HQ2*^CAi-<r=<ZJ_Xi>G;qJmhT0YJHH&I+isYE+d2JYWrdv!oe|?l(f&i9Xu1(FX
zz{~=CPidd<($se4Z3XtyuzIVXSwT$8`R0;z^YNgt{h_Q=UEtBR4wuZ526yobyIcjX
zPaQnx3}471x*Jq-ND>=>g_&~PxSTx*qoGmhUxjWl52nFls^d+f*DTQWm5P3a<Z8KY
zKY3nAQFP@tKs=byn^iIx*!@7vS`MwnefZ$OgjK5W9{3#98)8CAf2SL<MNB2~{iZ^#
zI@$|;zr51h5|CgGB(NL(Sy{*7o%H9W=nqp!ir`FeeIH`5h?MX|g$jEGNOrM4*anq0
zaqETU-WZgNKLgexyQjJ(KeUi@Fz74TNGoVkx-&78D97b29Cp?Ylw3Xtu_B(C$l<Yv
z?h(~vV*wwCak}#6cG|gHl=jFfH4?!I93-TAi&L;TQqRhWnzOBR?1p}S6xe1Y0~zub
ze>i;WybaiTE}Iym0`Ifz4AEl-C3OiOo*c@09t!G&Reu~NJG5k3*q)2dM-Dh5tY?m8
z?>TrsNAM;#QRT;wN1bpp1sQNTj2rhal@Oqmhct2GZYsFN@2fXQocA(<3;SXxwiqJk
zwszI3Q}xP-K#-rweWF_Rvu2^qh}&z*55u<K{)lbvW7}R#>(x*1Z;{K%xviarlLQ6z
zs6N#^RVr08{N))0pX0TGr+cTHXPwWE`_a%^va>Iw;7NpB=1UD|4inGu+MTKhWjtQ8
zTY1&RXSLZ%rek3u5?h(<B&cCHDiEpx%9I_wmDnkl7%yI_!LViP$6s;C?!I!<dS*-m
zM56bZI*ckWVrYIyu&($bD}M7{{ET$)qAimlJD^f2qdT#ggjjB}v67>{HbR|Y+1_fP
zs9gD(F$^$NGSHF+|D?)<!jRpCO!z&gp(q%JWDk;C=N=W@;X+9Yvp1^ihJu^sg#_wA
ziI4n;En7I-J_CHg3@IxiRrJT@&9*o(BT=$20@^FG6#44w_DYi+p-Z$%_EO3Exk=$g
zuJB}a_2Mw;6P`+Qqm8EC=no!DQw=aC<o&?b98r91qe?dzrZOyZGC>ts?!Z8JbRA4;
zgfZD-^h}jIEV=V=TInKZzN2?EB;;|c=u4j?SVSb#QiJ-=LlsEZ$3>Qzd5!SJN5MIo
zD~8|m2esHGSvrQ~@k2cuAy3GY(EAW=W4;K@4m?OK=IceZ);KA`%PGSPlBc+RD}`1E
z8{36>JuxwnqyY`V*WLmX&_H6xqqD;}yZm8!@2d$5EMs`@C`gcmdXj>A(B-S;?VN*8
zL7zwFFXV&FTl3Ck8wFVS__@zYiPQVdqnk+?4IH~+r*#Tq%=XYAAF-GM$eFH-hs%5O
zIEDyikMl`}WKG`KVxCb@1|s{o(uQM4Rnn@AXA-$MlLQ1IVp_oIf;g<qeukUcn3rmX
zTsa7SL#Py@@5KRO70)3miKCS9*?4mE6BKSsBVE0tJr#@B^2P&;B&aIHih`eCH@Yu|
zjfLE&y60&<?`m+<&4DdT_!#=?Ke2Fa7Ff}}5D#|7E+S19UX9}En%;>dQKbgm5y8=!
z#wbsoebamzSByzXLk|z)I~063)6|j9d4qDJDSv^fhFkNVwii(?ZH^r0=H17~f#sW<
zt#@;)t8<^doa&GpUGD0?9OK&6KWcpOtnYwm%DaQOMQ+S{VV+x3sl1fRVvKYwVO*}1
z$5CBkMrdC|h7s|)v&Gw8$!Bh1LhX><rR-YQ#;ZkR9doNFt#yIVFJ6tWe68}tyAa8(
zu0?m<^7h)djDLG|4xi)bVY!U^{N!P^b$JZlMXQ63#kCIT!lg@jrUG<z^h`OqCy-~>
zSA)9<IWw+@RT%Sy;CT|Ybpyk$Ro;z|P@N?0!h0p-n}*q$<WUjcmAYv*woWr%d=t)3
zkF{tv6meTQjhfc=IU|?o&N{$nMaL2dg}}Pln$CU^jOJnsrtBI>{GJ_5W^?0a{JI4#
zw1vyoOg9qv&tBl3V#1->7TH`S0^vh9zVqyLv_aPRbPM5Ew0wSf*FEPj|H76E^`!~R
za})lq%7n<3F_&9ct`3xF9fY%tp4RK5Pa0}amUq;^z;LII=YsS|k?1%s)`aYpW%%nU
zhM0%}xAV8IlVq<Dlp?WjaaSQsO`KSxH&M<?!b2pem6z2K7BlMS1kyZQZjn=KkGVp%
z1be|iVRWRdAO=>&Q{Bu^n_`ad*aglofc)7TA(>SlYqL3oeZ1O2U|9-{TgnMoUdGmv
z0ZF;zM<D51L+x;ac4&o_p}2!+5~=F!cqHIBC89n11hu+%km~e)g3cfeIxx}w)oWPE
zwDB*6K`xa(%N8QnV3PO}l*@`WDEL(ZLf5!dC(1KhWn@Y=Fea=D&iakymN`(3ZC$ng
zgGp7I{Le;{7<CWS1&V;T#oW6jLd1rK^o%AVY^UF>nVHKt<1*==*wXox_E*(J7cxm+
zpiE0NQkLWv$tYkzz-gJAOtVh!1c=>3EYHSSQLDUb>Y)I_Rx?%In`TuGC2q<rPo92l
zOTU_^a8sBHr_@}!g;LM4ifc0f#1<<^qDi>q2yz)ri^IIgG1LR>QP<Jm;da8x@%iE7
zDz~fA^@Q5K;9E#l<xGOT)00gb(qa7;sh)+yjx&B_oxEflRFIg8z;Zjrpc}g~g?x#Q
z`C(-pet#dMz1+?|ElKd0=G*H=SD8aJD{{d`Tth|$6?i3GHVKBlzIv;#jO`53yJn=1
ztx^IrT#+RN8-XQATXOaR2ZXPdeW6sS2hsTidA-x=1<i|1fwN`11h&up!m<$Dr`7uo
zG@@`%p=%Ubm`0Bbn4{Fnv=VeQa&V_9LkIj}k)kjb)cr9RX+F1edESBd1$52KczRT8
zV^Phxk<)SJ)7-ckj&(=Vqk7|Sp0c0Q3|Sp+Yt66kpCgf~bio&GD(%<=gu!~~x$RwC
zxRWC9A=84bbo6}Y>2X~RdLA#iji!LwJ5=b^T40ruUU6hVIP$nu$KbJdMdx#K{ow=W
zptNZRSS}y<iykS{i3`@<Q9Xqh$EJup;N4%vzTn5OFInZyN(W%=2D~CP<F9vS=kEn3
z_vzqQXBSJ?e;EtZ$~X7w?uhTH`u_Wh9p_(G-!}H9->UZSzt^qs<}Z~#^*{dJPaMDx
za(-qE7=KBQfw8`|!#_yl_z$F+=o>oP*uVaXp?K~Xup|bMCJk8P|AkaRz#EHxe*(RQ
zzOz1!xb(QJw4BNygX97YJ>~GIlpKxZs0`f%!|=S6q|7MIyp)tQ{SZUx+YejRlrqCZ
z(yD`_G!k?mVTIHj!01f^`RJvunt}dGr%>O(#%lsz(h{(g|BIIuH#fG|w>LC1H`KTM
z`Nd_1pCkAX!U1(<s9k}3bd7c2Mk>;<5l8ze7=CFbrLRmH5vOqr%3n(?M|mi3I*)Oz
zk9v;5O){6SW-7h*5(y+Up`Pj;WqI*iDE)mcf({rD)hH$3&eb=sf&aRfw!{1&S->9T
z0ZZn;*o%a<xudzhrMVk`jC$J3H}v60y5Rwv;Gg1Fas<IR`!Mz#hAJOeQi)MCvUTKo
z&$CaR5!G?TtGH&zXmS6ess~~GCTjoE@ml%}vvO1y(~v3|M*xN4uBp|1&zaXZulkeI
zDqIUXQ3t%R*>5lZlMnpHgFSiGPyfR3-Ku}LLuqpdM|}fJ<Nv1uhUCy_1407dVzKsj
zN^NbqHHUfiiOZ8}R>X2ZbVo)JmpKKLvt`?eRCXt~w5IcrT9dwn{*Vv<van|0;1$0q
zi4NMMGv5dBKVw7JPd?7@Yw+9HIR1lcvj4g;fZI6fI~xCkP?7&!sJ@e<jiHUTiMgqh
z{Xae8$rgW7*gvWA354I@`>&61FgA3uH+TFVX#PGJtNzcQ<zQ^@Y-#*mFMpaUaZzK!
z7r?VzL4bfP{?DE%Vr^t=V{YxJXl&<X?BMv#0V88-WP2Img7!X8@eoMqWJ8q*M$j@c
zwszA^?Z$3!xTMQ^x+vBg?<e?^)oy+L`b8_s?9(DD*ojk^rRVx{f_*gCs%0eMyqE|<
zoH{U657Yb6eAJXt)$xLjJd%=x+F&eoFUShIme45;e*=GSIGuedoqcAdSW~o10qu3c
z%;Gr{`vZ21Dh)D)QLDRvaW_Xjyh1R!M_!1-BnexExpGOx6%)GTJfDF6tfaLQ>nj!M
z*d_mo@i`bh`Q1AT%Ny!#F3nfj8gXpdbMnz@v$*%PsKbweY1!s+jHyodOvc9Uv`OIU
zBCy`XHd<0WA0ZzH9!}U#FBoN?&9eV%N8|kubnyQ(-|y<Zit|-e%&rX12Z$601_Dz1
zZ$&G8qw@s;b}e9QYY8|R9L;UM2UE|e=LkKFa3VM9#3Z!M{7E1myMlx<McJE(Cf~={
z2|(Gol=@LhwQ792e`N6O<mVqjSz(pPmxq1pYTDcsrh)G`oLLf;gE|@!YGt6{9)#Nj
zLCHaA03In_2?kxfM61NINNj#5&Vgus5P*XI#_%A2$4kBP-tJNb-|K4V%l6ybGN)aA
zHCmZR8pb=}wfstp+{V|WA|>5<_(Lj^4^|sTm)8(~V*YdD@r$X#lVATE9?bviaQ`9o
z?|n6JHYz?4Aax3`jQ<DHf6$_kjkTk(>+k+4qwi>FW^Dh>O|4|4U_hS3txizc`|0o_
z8_ip{31}M7&9Jdb;ES}if(u~T-aJ<6t23fh3m3^KMq+jg(u{2J)NvL}k}Wv^HJjG1
zvJ_0KAKC0C=?t}6Q?>eGRFa-ZH_BQRG2qiw+^2(NtD(X{5am(hY2i|9ZgDxVx-B*|
zWg#*?GNYFkR<mwiXTJC|FL*L)vIlVU7{LC)07fnK>p1*r#(-Ua3;I78@|zl%9!8{~
z8y*qSmlq%}!=_(Whi|iL3t75hj=xgrb!nU>1GnS3eLUS}x&;Q&Ox&>6AP&^g>*XHV
z;4-O*2sJcOa1X@R27y5cQ5PVIdxa7u{{98Cs&_XAsh<A*+@*9FBAuyN;fo-N`BxeX
zx)YWAEuZWyJ{7KIlgqsfTbs92kVGUneqDi|n8lXw+5SVi{_~N{^h-MjoNrGG{^0=q
zS>CTjp5Nu^TU*;We#7sFtocbvr$_lLMSxel04&k}=v99Z{YTd3DL3+@AD*<T#XP?q
zNH>L=Y)GwcZDHa07WkTD^4@EagHEmU>9|IHol!7a>bGDoG(BObYUoJVuC8jP15I<1
z%#1$yZShb@Hk02{+V(+y#92a6&X}J?3V#hL`G^BADmC3W=4G~mkn0wgs?w3(6P;$N
zVg11*!<3?Ky>L}H@V?m@d{mo{DN!AX77AOlK$QEAfD_O6o@N_bySUe#ZqhmQ<4^Wl
z&3}jB1Aw3vu;l(*DE`J~quQT>Z@`nyssn76I_CsV150K{xG)qSJLwtGS_Vv_tR=;&
zXI7<9YECvL-RAp*CZoV0mnlwC{dd9OdKjQ2o86oiFK54iTO(21F1^(+U5uuC!HwV@
zjQlpcqTxIVz!db(*u8J<NT(s=oBk}oOnL>mDQ!Ge)zi85>`&)>>gVbTbcxOYHn|9J
zPKp0$v;Y6F^jp3lU=0XFA`7Eb9zK+qdUM33^qSC9sIGq4v?fP`<I-9xD;aQ>)ac3>
zI=wZWS)I&<B+g(KFRv_VSJ!N_<?0QksRKKPYt3B;Ep|;5q$mk)lEdD+co;Lib=(Me
zaCms#{2}QLO<N77rMuf(?h*yklr2qiwglh&a>faiuQxTK&n~r58+W)gbKw&O$uH}&
z20vcBwse>6nu9Bg2b1Gm0K-t#cuD7nL&_c8i3DtIiMA1?kfTAnHq@TEv+alKC8s5)
z;=;Ur>r2~(Z*t4YYWi2?LbxqII|2}k1gxi$=ig5?e|N?okP~q>wsw?vGO#pv_&t)d
z4s#>)@WY8rt(DnA%dka5z(g18!A98y5p^4K#=SwSabY4Hc3ETHit^LDkca=EAar;Y
z%lTT(ZkkrA5*T4mfpZ{#R+sHEQN63b@J+-yqASa?kEBbg@MQ(qJ0UzZ{&dB*yoY`F
z)5<X=j=cDqs!jNxY=dl#hwLd9JXO)c|IrR*j2#^GO^uaooa_yaznR59R?*`VG!hk*
zHGkI6U>D)jC~->Y9!lZizVH1mrNVvMK5Ei`E26(A;y;JQU#ol!ZT?b0{49*?7dH(M
z_Cpl>(_Exf>=bDwA~ik(<VgWC_a}PdSIp(Fas@2S^&LcQzMuDjG2OBOfD`c4GYp!d
z=?a{2xW8{-f3Ex%sLt5zV`5@_ZOhV8s}>`Oeb*ZKrRU6J21Fk+nXgl9W2BO(D#EMJ
zZ%+mToqDIR4yR~dDfTO`s_$)r$_=vOa2{Ta!D(+ds5-J@%k6R{z4}<QwKB=oL?QR#
ztGn3IoCVqVp{=iMEMjP#LO3Sq?c+nU>-$~k5wHDQCU>Uw-M;OSPdF_~dh?FK*@A_F
zyVPi4xE0l&)d=)(JwslH9D=7AT#lK!MrQ4IUfi~Vs|xA-66ntFh0qEtOAtnNt<oFh
z^?goQ8;-~DC)GmK8yJr-FbZ{3N>IB*P79BQJHC+*e_xC-|2n+J*3Lg1h);nL)CFBf
z5+LZQihTO{i~4#JC}QnwZf|341#oR4ecLBy;F}A8cYmWYfV%j;Q5oiV`7D7f;>*gt
z!FDdEcqN90)n<1WNLH-2XNFVE8nz}cwIscgl%Rwu#6%1@93_$w=9}{jIkDFm9-b`h
z?;-frYy)6n<~BbeP~FGJhy(@%)B^RZMA|pE0?3oFwsmq;a<n(rxB4LjIH}0kEOQ|7
zigg-9OT~4?tm^rKrxJ#wkr%(Od?|c@!8<)YXd)D&85?GR_IS!IB+;N<^g;vYV$9v<
z1<Q-@4LEC=`Ud;v3)|-@+UdH|Yme|=fqMG|vx2_G55wwiCy&h>ezuq4qw?INIrE(F
zZOt`9EdxD`z`o`>O`A1^P}ufBMzv0!ACL)^%fJ_?`?C>P1P2h|qbU+?NChQ8mJl%;
z7vxW33z9rg?;OY{Lx0(49PNSSqTd%3k?T7ngj$b5=uEgtaAzlAmq88Z=VWu{R6W*b
ze~evO8=G!*$X$JTUx>~HiSf0pfNUt7H6+Z;*g(K2!OV|ODje-H$edl(tt5%Ww(u;n
zdXTZ%acx-S_(uCsLbB1t#{(57s)&m8;CWkCp#+yf^y$#{z+I!*?F&!W<Z*(yR<sX@
zw%l2s;skMb5t%3YT=&3PaZAC-gs(+kpB2=W`<O|7LcP?}32PF|VWcBd(<g^biD79k
z??cfy&z!PQ1VewX$W>WJ;>Y=pQbUr#!__G}95pg8#KX&g(4NaVfh@l#3<cLPYim?J
zqM$i~nAo&DIBQE|GMpo2Jy4WzXT(3b(jv<(JU2glyH371el8~AeIA|gJT+5zR`P4H
z`~XO5@VWd3>=q=_H{Pq1C0TkvO$TXTN?W{k3ghX;HKA^}U2)#F*~!O3T`a|!+(q#2
zgEkDYwY~y9atE<>e7VVa(+NAYx{of(ogRV35WPos3RaG7B_W|9X=1;URGYWh-J$EA
zu1Pb`J&BL-W}WkJ)V+GOM9(_3rQ(_Zb+c#xU^I6i#5UhKv&b1tkZQ(u4=a)fzn2=(
zI!IOF6~dGZ)3^%)zXlCMbF@w(78^nUQ~Vb6%U1FRXZy!oRbSx9Q9nZA4=y3T?zW|9
ziqGTEGJ`UmniQZm!u5<j^{rbnZc0R3NtO6;lwqu(6zZXl4N&CP`rkhPYN1QqF`u}s
ze!B6gZ(~y6D4R>)tJF>4&?MUpD5e3$TVx9PO*b+TZ+2D1qmYBmK-<kAnuonS!g4`W
zUS5L&>I4bDRsaO_rE_ewbUuMRO!0mXiAz^P8~y&pM+@4jRs-wjg5a&_!ylLp$jXy6
zD!|BsoV&n9Qqe!2IS~fQUI-F-%~U}*acP0`lzyT(r+v(cjoNP_rA}?A+J?x>gmZtr
z_^OIcbr5yK4@7mGm&r03t0zKHQ*nSf75cGus4H{!Qx+HoUbOSP<93}eALG{@#~C*h
zp}@sDy~Ruob}L4tB#*{$YuFpfl8yZG48*Ky@K4Q76|*1S_Fd7u!f8C7aZkNWIll?2
zZjiz-Iv4x0l09Q1z6|S`|A{c}4!FzaGCf6emzP~Br#~IJe`=~L6|`srDU0oa{PRyq
zhc&hF)jLQapcBAEBHypaT|m@PG<Nti-xyQZvcYXe_e%5v-{et-iC5Sn?lQm!o9BYg
zwX(pBozZ(%l0p*tJUBfTZ%8ov>zacrcBFL;rj_sKp{?CBk7u0@n{c|$OH$5xWs%6?
z1%^pgy1E@L9uFTdKO}asAi(sIZP#mA_;+r5vmG*ZUWN|}Xi%zGz%Y8v6mQ+3Opp3J
zphlo;){Gpn9!~j%b2v?P5~Je2tc$fto{pNsm<+16q$g!`9nG<qrc6AnjrA+TThweS
z;G@tal3RQ>6_m*tHNt6Ke74Zm9&Lx2@yT0ikNW=5wn?Xo`Q+vJTMam4b<1Gge)eZJ
zMbC6|mhG0+$htL6HgxM5p<XxWw+S}dzYsDd({=a4fUq4mw|BP+K(%<Tr#i8kic82G
zSUn!1ar{YLN*1QI5$N@H*vp7QOP+SU&d9>;1D^;F+;#7cd$);>Nb<O;<A>Yr_*I$3
zvDM??^M~6L3~x_^yk)+{_5Q|Z5OC4VJdgx5LQs=30v>{!LunvK&5R4(WLg6BABe@w
zEEF!ms{?g>6+%K(^d$8Ubm+L$qp_(ZH=8bn#G3ZA^&7)^_@ar7xatxFq#WK!slU36
z-hIzcex=eFK5o9f=+d#p5$!2Rr;U#gb^5~1X~S;7p|o^$7JFm&F&!kyGb2I{-is4U
znE5W227KCt{X8p+HU)@59HP?-uXmT5uxJvcXvvC>?6{}kU6PKW;cnOHYXWQEyv6cL
z_($5V52DKB>+miS6Y``yE?Cr}NtqU3R2(E!R|-KCJ3Aqob6}-{AV%l!V(r=*kc`Y2
zlkij&>>4c-3vRvC+MiL)6UXls4`5rD@e6FWgQ4}A?3E-lZ({M}hS5O)Ym_A7hU*iX
zzvk4VwBo_%EP8j~jLoDfe%8>rFh2zhp>4H=Y(xUNZOENr$n3oC(+@AzfkJ9|SPxHD
zOxUj`(GNZCByG~UpofvYXbP|B$G80+M)G-5r;!akvvi<0yg$}628<0&+N;m*%uu^#
zMjniU99lx_jI5J$a>VH-TcUYj1glfGY9u!Uwh@+@xLMZa{uhfptJi#IrEg5cTSyFV
zKbRGQx3RJxsb0g?JwuH&nW0_l099H1G;W@JH+AeReu&TV2#i;N3~t#DmX+giBFBz*
zs%q_Q@Lo-E{unHDZKeT5X5Wtqbu6X>HW@Y$+ZDVUWOCOacj6g@Be9z?m2F$XDo6zG
zxR>@`%Odc5@<5Bg6FnvtJONPr+AT%2HDMazcNVAX)ypa7biQR!c?+Euc8sdvTXx(q
zXp$Ji!&cQno7lrk@&oUCd$ELpz_p-H;2)Y21$pscotCSwWW-_O1IAKt8i<x`s3#6W
zjSPhv&NJP)i3AzDN<?>MtqrJZB0-^d6E!Gf$YZqnc|#hP(l$mboRQ!L&LZV`iHB8{
zM=D6X_q4^gAP%z~dSTJJ`%T*mdzqos<nP_X2R~?Q29P7L5Q5AlqqYHizt|mvaJ~RJ
zC@>*q!i(aL19w(}c5ZXvNm`h$alGj%M437?L~`UJ>a1s(T6&bmxCde6Pgn`}7pn>E
z5249QNx4RVSQxl$r+MZ&NrwgLsuAi1E1feMigMJoyb;!aY>f=RqqsbIc$R?CH_j{k
zMQ`GOer;T-XJj1ZbuiG4#1%OrmIrn7k-|Prj{E`Np@S(9BUfyaX$;o9h41IaYXji;
zOgH5Pn8+M{OE!tzP9@wo0@Kt`T1L+fG*HFVQyhE@_$r{KTHflZrYqC3L-H74;!sHn
zUL$|TSe_pb{p=7m%lLp+632)h<}$mg{Y)PB!B#47A+a8Z)dKz#XeAj>*)9ysFq#>6
zh^$dG{xPzzPDf8K|E4gvb8YDDV7qeCQVoe(5mDsV;OPFZ$oYlLLu+hM1GLxJ6C&a+
zU!+5h*Kq5uDIzO&vcT{!`r*8{rO12H>y!OW?QO9l_iXq#@8%&X8yxfuUc|7DAt;ID
zZ~+FAP>1kRu4!3;FSV@=^|D+ck6_Lgk)=HX1!Qen<u%TCu@(8FbU4-(+fYyU_CH>%
z%D0)GhfYbtM1wqL&qUHWD22|{?FRZeed$~PSy^|B8*|5zBTaLARHm`RA3sks31Mzt
z<iV5U;Z~neds7^n+>Q3ayWxSas#WO|)oE$xTkeD`;a5ugdE3pE#xd!z3~3I{SLK$|
z8R_ys%yzVoFG@<CKgzHt)mxvOEj})}Er?PI(5+l_rcHjC&x8Uo6Dj`sML%VZEOwvf
z#DDrwbz*HX|Hgbv#sFRB#Or+R1-9e8{JFrkPC`o;I{{jbsa;$7<LUFbb?-OUe9(9O
z6v3Y$fkCI)!DhWO{516M71+x5`}RC-8t(SIPRkP>6^e^e9$=<xlQDQ?F1v#;)<s(0
z6Dua@=so9^-C83E5(xQ<-?2ABj)u`Ug6hOLU$mGyER*-#22{golNST)3#$k4>z(*e
z$fMkq=-pA?mT+=Ixzx99BW}L1`e|~k?x7KiG3)I+Wetrb6dkh9qFOQrh04|57BBE=
zWGe~@VA{dGuX0MQ%x*Ynje34H*66Hq+=Cj?p*>}OoVs~)D!HN~(qmvU>21#Xu86gA
zC;Uvu%!tg=tm@(MicBiGaBd!Wovq_U%ciDv$%QtLVLFT)@f7N=TIh&#$@we%pLO(8
zU1o<;l=VbNJdstu)<pchD)~J>khak``i(XJUXme!b@8cagR|(tb{uW+U<%4d(V{%-
zU&}bKP+{&(+1{t6qxcv&ppnOk9L_*=)tuFr{}xx;A{zc31$@~d@bG=$w^Ziu3$p)!
zN&uuX4o<eVHugU^0WF^AE?5J$UjSIY)_D9Kg5Tx-4u!nFqoc9C_0#`aI{$`=XN15L
zPYHJVI#4$n@eCXx<QbL=u7;K2hy)PyxyyS{Nct6L)w)AkSj=dVp)sLXDgNv{w28DB
zgBH#3F5zC15{)EZ5~|GD1Z~+ek?#8ktW=09@SoTDbo2+_>&$^JaQmGd6)WYfL%Oxk
zK>k(9^aEj(*MQym1IUtJYvX=rbo8I@umE;s?q+PH{My!7(b&Y;-q`v#4k|%$#QGf}
zQrkVvr+sbt)6n-qFS1qQo~fU`C(qfSl`4HZ+=;oOeA0blh)65QT=%Za=R*j-z=mv}
zZ^fx*Kc*YJhcY>1MVW>8dkxUyJVqSgZAMYo9zRrrd(p8+rb*`d-W_<WPd8^e0+qOz
zKBmeDo<+%;Vxr33LSl+;?JYS{&m{~HUvM@OAXd$}km380T=5qL(9g%6<-IU^2{ny6
zv0slZ<KQ<BdxdpxWo81Hi;F3&;id}p4VW17u0#PRYebn>{Pb}zV!6xE3-(-6=W!?a
z7(1{7PR3&SVmvLFXYjMh(lGtOx!5eT^o-WR7lW<O|3H_p0)YPa*$rb?TYCVj2WTb!
zL>KHHuUtO0cb@e1Yi*t%M2a};TLLBr0MY@(`BMkv8)E`L^fO};D~J=#1|Hwr)ar4H
zCe$xXnCPLjotnET@<#m=%Um&QVhd-{HZ7jdD~fO|s3_c#t`6s<z`A$$-zbwm+v)MZ
zoR&|0)~EK|uZ^ty?K_LO8XDXF(Pb4G8hIL70h)XoS;0IT1+kW|LFuV77m$c(Eu*ku
zcpX8XOHsT<VGP}O>X$N3ZI|0ESelc#gmv-?20>d;r5ds@>KLCJ?;J9Fs@M`nih<7P
z^LEQm<q~r_(|sP`?c)Ia{jYJfKkncUoqmHm<4x<g_OR&%Izf2AXHY_{(s9}lUU+LL
zI;Wi`z}TfrnC7q#m?A~z32#F?TVMlJFB?MUOJj$5HOtU&Eba*`zdVbI_^P^TY}*9F
zz4wIqGiWE0bf1>MBYi|TKi2k}LED>Hfac5SzB+I+H=P{uxu5nng1+YF0%q>@&d#4D
zvUFaCc4~SZ@uAt|*;F*Qfa_PL$9`d^d>Sk*2KL7w-ps#-i+wB^K0N>kUV!y$T;1P-
zAg^x^=;;2x>FNqfN=Z8U@zII8KN;(%i7!bhX;~H9z!3;i4D=!lDrE;dDoRSiP#QEJ
zQY4Sa4U}kbm_9wpnbb0jABgOqyWGEaVEnKT2U}yyZ?5_G2ayl}qyNa;zsUs*I9VI%
z+Z+Al`#GHWW3d3ir~oU}{@*-639t>3KkV`cl>|od!n|XI6LrZFG<@HUIk?gujanRq
zBmE`VXh!gCbvs}hO|uw-sN;q=esYupSvd18X@h<Xvzwc6CMz#$Tu5Y&$j)0MIFgG+
z8e`9}^sn{fk<z;#%7M4#!Ga2#+b(Hpk%SyLFVJec)EX$kt#o2_uTQ|FR&(SovI(sg
z?OcS`9>JH?Xh4<d@d(lO+=@#p|1}LO_}^jix2M0vedAd*K&}P=Yn}gzd?j-$TTA1=
z550kZjEeM-FkXRJg3|+m)}^(m%(8^yK~k%<bDIN0LsRo;JbvZ#MwfS4L~*qa$69P^
z&_6mjX{IrQl75bJS}WWTLIpNat2TUfdBN~@WIUSs6^mK;^B%H2+6-$mR7q#NHdGw2
zL<c!pVvq1V#ppfouvigzW2Of3p#IC0>W*4uu3SBH?Tkaq21bxLQs<4>diP|ELB#30
zr8IW>D8vQLT?>Tr_LSMHpT;X?O-w&n0Wc~AEWQ5?R=+vGzd$SEIRc>R33l%;ViD%y
zgK`d{qi0VZHeN%w>>G#V-6^j$S;4|wCeK!!+-u=n-+!$?c}~_~yfQc04lNfD?^zty
z_gX{qYn1ntc`Db*tRywq$pJ<e&7zwp2z<zab^z#&_+@l8NpO+w?IYg5HoISIf|)rw
z+WtepVEZN9z6mq5GzauNeu@#fb(+;>09hUYyZyDZ_D7jQ-$aW8UKx<A+S*t<eDA3g
zMDacyS%Ej{Jx>!&VgX>NiX-4Fvob<bcw{GU0-Ct3u%nS^H-_Hbtlfj8V$cDLl_`ac
zFLP}rh(=Xd3;VHUkT9eu<}h%Z0*#O&NBUd})`$vKYsI{i-irsh7q(S``QSd`@lvBF
zF#8IccIa~1P9%*^9QC!dZ8vbep(oEVg^&Q={n6zhZA1JH$Kyg>EWTSAtVX=9iD~Li
zQorv@@WO4Dd!vt!KUt`#|Ag@s02O3VAfOk&j`R}{BG!(8;lyvpRl8!%Q`3F*l!nJI
zAoqkYNHsxSJ~*@G{zMuDN+Oj*8S4C0#;sUnpVGL5V#MoocbAM{8D0_uGe6{o8I2ln
z<JD%5D5VKs1$7oqo|YMWKU6r6dqeqazOp^rV(P(Ne?yCumbz;*xZtYY^MC`DaUfQf
z%H{O{cuuMENOkgepW$V4$v!XPxKP4rQt34NP}p*&_!A#d_VRJ1b$R1^(s?NG(7BO|
zZz<j5Tb1yq`+=uLq#%ed1l}auI3SkTjU#EwV^t}rnGrwq7u>`X<z<oTq&hv4Y^W<V
ziOFlxi_XR!nhg%ULprzs_IbI!61I5@{nu2WUav-41AwD0VEr0>{LRXq@Dw+GstX;y
zXP$%I@cxW&;FIo!XJ8sW;7u-ma*QS6LbTjyp{1>jr?+s%V#XhJ9Fj*A*u}QX?lZFt
z7vp0y!X<NZL$dF@nGKB*V@-x5-ymQ0;A*&eRl_P<(+*!rtpAk7<t25%+X3D<6|nw8
zE08gEG_x`Ke<m#>lvGsJf21qoV>DwbXFxD_g^5NxMU+pO3XpH>s}O{M-OZ2tAjS~4
zkne;+1vhC2kW3LNm;2@hSbNcj&k>={uWn$2E(HDXGJKipe=_N6WT>7FK;Z@jVDbOM
z%_sq8l$^e6AX0hAewh)j{hsCvF#cD524ivYo@8PydL6gT;*!I{C7!4m0<MP}!7}uM
zio>{TejvnUZe@0tIWKl^t`p3O;O*n>$B`Ph#RpfeHM)*W+2EVHrOn-$hvPAio7)RU
z2CR#sk5?BwUpdpp?kI-9SdiE1v%De&Fw8ED@WEsAJxw=lpx5e3K#hRy&7o!Xfiyp1
zKoa|W><Eb0o5%{1MtP35!x-X2BW}iIPxh69xlMwV0ZWkk42e7$oj!XK^=$-~-US}l
zr_n%@7Zz!F>h`9@>V^9Pkq_lTq_BeYZ-dRjsWtSxg5vhAf=$t6PCsvIUAJqlsJ*!l
ze2*X1n)dPSJ<kP#yuHDu?b#=wP(k3R&Sf_tY6<-yTTaTj%HX;K|Le^|5Ol6+Pa24M
zrFRMPa4*Hqcu{27W8Z)R(=-?#y5lctzz4R{D8r0~d~U)fv&BoWP&bn~?5+_=RY6i~
z(QPb@GQsCSA2xw3#O5xf(t}2G@8`Le-j-LCEqqhby_1tHTBFT}9VindolSsQ8p@3l
z5{p3}9FDq=J(vEDO$I;j9R^9<SC?`=4w3CVD>b$R9)Xyi`JThd>LKVjp&8qWhfD0J
z&#<^7hL|?t{iMUazyj(pm=eUyLrn4N3;~UTf)*cksJLD?>#oYqg5|b;(YAYOra7Iu
zV^4@LLm}uC`0|E(rp(2vK*AUNT^jYhn3K0a(<WTrScZJ`3ZJU6L7C8*g4O-~c^ny?
zx_KAb3!{oJ%VUfNeJePhJ;Wu1#zFc&?hIYUM9+<42k|zc2ZQXHm7}WHO3o!gTR4t$
z!k%cRU-wn0_fAvlnjWmlM3q2wlgoZM3_B!!x8;PWTCUSGOL0tvJs6t6-j#CU$_o-c
zC0|2c%M$`*Ke|xNO5LFlNp^v4Me5^5hE@%&CyErn+Pu3SxV2#O*Wjd9#l>a<IR2hN
z0|5yDT>anA!@mWm-^Q_ji1){;Qx-jpXr8BPD+4fOeA%~zaCkxxm4LErp#f)xwt0zs
ztCPVhfi-Oy&j6biQNm1aobzVQHgsz!%oM6%JXxV7dP(q-wIji;&z^V=5yW^eSDX-e
z1uJ<gTtvtv7Un(N7SRTGj`WxW2%EDKXs{KM53al58)_bRFTeOCs`5iJKQixKY2uot
zD}r(i-o^ReR^~6yM@Jk{yLBf+LChjQS8XsE;$VWH8k~y~MW=Zg>?b2j1?r*F6uW-t
z*$OD@E*eHv*?{Ws!WN9;5wY@cXZ03?et5IpVkexW%l3v?DAgR9AbM_6TvaMsHRLg7
zJBXv%*yeMqIYY4J4iiUhpsm8GVN<@1t2viSPnkOby9n2!GZjqhbmhs&aqn`UVnMV1
zVrK2JWU^AMi|R)-a1>{9U21AcbFYGR9u|+D?ssQqH|Et9Z`I^tAzVw5)j~>9gWp^h
z9NJuWG+L!C;U69OA^uf~agGR5Edb@^0~Gmd`TcK7{GPV_pv8jd3BZ&jTt8rj2M;~p
z-6xd2J1yJY*Rp@9qM<<M!T)IW*pZm{V>cd(c*mCxq+peBR^RJ-xN#aK8{U%xGfx_q
zQF_dtKE*N^>PVulFuywT$(8D@%eTqE8OfvM9;AaJk}jOu0X}FN5E8EZ<crk)I5<4n
zvt|~}w78{MAS46Pe7iTeI;&#3bPMdg{5bD+eLs5f!%`l9;PLg|0BwF&H0^!xVAFtK
zPH^byy0s6VT<qla${D1E=6{ufT38#I|CBDm5o6XrO$^@v7XL5#$~R$>0Ex=RfVu{7
z4dvUR7#ZDd@s1Hmc;b^9E$5Q_6)1gyy!`<YUGHQau?^nRh2%>KXUW0N1?$z`w*^<E
zlZ?zZ0}^w?INkPiZH6+}na08XyQ(b82gEW?d$f>dMhqfw??X%*5ID`Q`V@I!Vpp*U
z*`7^&E}jIpGLNveGkptUoPTr1(Vw`;NdnqKC1YZDm$7ThRn#f9;LQJ#RqJDPPZ6-5
zGtV)OGH^t_mE)3597{F)%xgwL1BA^k=d&|-rydC`AtR6;{ivY}Vj1%Edn?DNse8;J
zmd_pyVfhHfn&ql@;5Q9z{ugELQ*NM$GeB{pw>YeZDjm(<-A2ZbsFcktpH$U0o|jko
zf2p70^!!G${yi)3YZZf~zV-JThJP|?*!~!h)_@%LJp>RC&o8O#n=n}?OUpk7q#~8S
z4G6U#s=?Vyf@(R}?d!Am^;jHbOQKR#r+=Rhl8Vvx>YalC%m?L{_l|=Icrpd&vD*-=
zkM7g@GB+u=uzIxH*}fpiLYx>l{R-A7Adj{a3$3?i6`ynYm?eW6qPup6QqTv}RzBJL
zhG}dV{u4XsZCJlO*(MMEJ9BZ4CEbj+Rw$&3i^*z?eESVL6o^K72Vb8~$ytP^07X_!
zTXLxYI+rwc(>Ex|T{pZznw+8s5icekOA%3hn|TjzmpO`#b@Qg2TV*uz)2ZtSLg|;H
ztS?5E+LGZzKRwn#QcY?y-oDuj($uN%Vws{|3LAuJi2Pg*Kb@iE`)S^GVAl;ub<TPO
z4k9^B%k*}*m1NE>c7=c}+FH6tLX}@9y{o8vFkAq{^o&l|tHWKrr_r)z@WY6QYS$_V
z{pp7pkCgSX14r<sFWeqOdo#d<=Auq#No+ZwxkLV$>LTYby(BR8A1O5=$*NvUR1DRd
zz6z*!6DBDknKZ+(e%Go=tPYOVjeC+Dp7Zq@9VRk1!0{2=NBm&cLP)$`AKp6QE+vQ>
zQ$lbw-tNqww-!q>CBF2XOi}3-yd=tpt+BS0uIL6!){cxO{$Qpr_hWC}MJ84|GTMwx
zBBQvlGenk+y4&G-jgWDJl4dtzVWb552`iEhtExecxT@u+FRPF;$qP!6@-Yn-N^r9)
zERZCv#nBIY9Ip)T6ux@;U#aHT2Ob(c|6=$B7{}4_R&mvtykfAkQpkjczUh^}Lsdzg
z?YaVDv@Df=>%k###exC^6Mymw2eNKFs<!haYbuGh$_<Xu%^mQZL0((2U>b5@z$EQr
zPY(8E6Q>O+57VX{lGGd?m6p6WaiCVdr*ceDiPk#_V%%<!T7gJ>45}p>jubIL5Eom@
zz*Cbnyk(R(@b1Dm?^1F24}{&ju49KxbM<G`%OnW|xU4cqD6y%HQ%`%^+F^79F^-~)
zV5%op-gPOfGc({-2yw={SL)U18+9@5zlU^JjC-)Bx9uz6rqq`_Isdw~xmz!0Ul1?>
z6SzOhT*GrTgLu%yJ%!;)^uRTX?1djG#Crhe{n?Sx>EJlx6RK6_yG752LCP0ec)?W{
zOJj~V^eH@YO9y4Ir7#gMjlH<@(v#q$%{p_Xl5M$CQWa<(W_pxrr5-{5jNw1u6#lh2
zN_%4~8%MyE&2Mr1dzATE;I9>Ae+Ya!H_fe`ZC)AM|8Ph=-CF2Xo2$$LL>olFA@OTm
z*xw3&s{SOtKS&91{m$Ib7{EXR`ftB?#NNmt`0+oH47pOPqu|;&s2VBz(ET}j;3ni5
zVPHM0bbNLaE>%^huXNs4HlPb`4CfE-l*L+wuXok!Tl(+!w+R#9(a#PR(S~Q43L$74
zD*2UZ-dXTQbKAQf80rZ?9D#ere41K`ZJq!z4XYFErU|hW^8f6;m~5O~_izG&9xdOH
z6uf*HDN9&!0k!?sCDWZOQPp9uz@H5}h>Ydo2R8X<<bUlB=O5tMTm5(}KOz30cO|L^
zK->(lo@(rWKZX5^P{k)>F@D1O`?WLx+`nJ>{R`yiBj0YSiEi>1ok80Jn?R^?_`XUR
zv_KK_Uh(5!X*c%#yr!qoOvx#k2|7Q5x^lIv&iwXuI$7QlSwRimT!3o|a3Wy|55?+N
zaT`yUO~zBiK)d>hyO-<lkYPSQPX9w!?AMI{kE>vRdeeVL=>H)Qa9IFw>FEcj`dRL;
zHNk(D`?vGzPkr{R{!#`{fP$Y=-B-V)=zn;GfPsUfJ>Zh<@3&%%jg)@7TPx^fZuxsR
z-Z(<w>DG|Q!Wh*DpjcQ+@Izp2S3h$mc%kilX>w)cQ+n~%j~ADZ?yy1Fr~*?vhq<)o
ziXPLNj-L_)l^PlmMaX3dM8b0HV(J{EaG4>yYElgtp|D>C9<teZ=TY?yU|{3yiMure
zrc>RpCCY7mJWpG!i`<WH{U#Q^`_P|h%`)ywkEh*-1D5{(8il{xyA|M`JD?WepZZ2P
zWkW$@Y)nFHZ;Ps;Qq<xT1uSMry}|3ueB|e<W^|-k3Jy(Ntv)YXj>#}j?d4Wlcqu75
zM}Rf$Bw;>U0RwDJ5QN5$zPjoB!L9O!>UzlewYI?f;uZCGn{T{24t{F6r_rEzJP~Jl
zfc5nA-*@bP(D&c%kZ$;oW-cQzteHoX4<bczeKdrnL?D*o%Ice&4wz)37&WQQ^8VP|
zZh<6C1PXn2YZv~6K`NgRHnVaj4z+t#EM6&+aG#w8?}>~NSvLAOZ=IW;zDD4MauWTd
zIbXo~wU*Ssv7bNe_j{L+7qBIO(tx_W3(tTkVSPSRf}ZJtY;(oT8Hh!Z@Q17-L!EcL
z5~opxxJ-3-n9{_n@?h3=FvX!iA2ia;H&L$dLYncEw9;lHLW2L~*K7NDyv>ei%9rlU
z2)gd?bl{y8Y&im11f5xR_3c{hpXMo7nbz>M!8*V)1g!t5(*E3}fRVoK?}wmO#LK5*
z)hBB~X$NQ;mJ)Oi*aJX~CM8tU)0q#Wou6zWd7R(fQ(<95fNA7aiD+z<H%%uxoj<u|
zFrtP@6oE)>j$LA&LqTLH=my}^hgbmt^*zUF+MjZ%4qo>d<QE+RLu9wcNb^~lr57R|
zxi2`iB?{AoKHMMq6J#>n{KLiIU%S8d4{CNXHuxdYc#4LMtmRb|0Dy%6iN@2nI{qg>
zKRxF6i1-_~^V?NkMPpOIw<PSpllq>K-*0R0eLy47KL_U*FJ_jq*$^cc&X=&m%YgxO
zC-?cWv3NZ0ANFF767Ymjf?uOOTh%bzaF3-iX%K0XHB;ho4@NUoRLmk?YhK6R4t^f`
zc&dsL{@Dk#q`g{ips`0oE=!%x@W8*3-&2*SOb>JyZh)-vJSwB=-h7>4Lmw#78Wyc6
zaK&;R6G)#9g(wlp+3ESho%Nt(I{Tqm$gNacn@n9TTV2W+>c2k!6#tj78GJu3zJF2X
zPk&&a4RA>YsAvUHh5pa{;Ym$@Jntz*{5`6D;}t66R}}$=RbbU}(ID9<$7|r^amtVT
z;OrbP_@SiIh-5yRkQ8sX;(AfTFZykf$$VPo-LotX&<?>%?n`flNf_FrlvLN$wuPL|
z%VnppNGVH)HKc`BoIfLzzMG}t1$FdiQ86}-@q%s6<Psz@f6I9eRadmSn?~n$CU(ZB
zKTrHDq?B)SzORuHQ%C8gcNGh86im+O9h{uxrD8NK&>ff#4+l>8*o5u@&TFv-<<q1k
zqQm0J^H!C>4Q&oLQP1O&>f$wawNB9XVzqXHntkXUY7cK%Ew#H6)!4BF<Wvc|bi=VG
zta7N)(V94SHcP~h)Pg4Fv0wr?l8ifxcgdC`oU|c}M<g<F8HM7Iq7YXGd<e4lzOkfG
zJ5!9*%B~qhrm$*9O#b*&*MjD?y78Nw&;vL)Qs-uVuF&X#@44O{HSKl0^j^(?c`G$=
zqIx*Ye~@^23i`MqfmP;CyIp@`%Q-%9jq}(qaUwR35QanGbUy{bgOj^XmwlJtUsX&0
z3h?#cit8S+fOS8)>6WiRTr10t_tKp|<ibBEOe+6NL;Rke0X{@x|FbPdgT<LV%|ze;
z>@oQN>XE;PkMFTsz|qm(+`!2ZFz@#5!ySJYO)~zBCY%EFK!T-Qb+(`sP2Co0V9N?6
zNG?U$wL}o}MK|jVNDv`r%wiOQRDGHHJ)D;tU_!>zeSzt2VF-%DFp`|j*bkyKBqQTk
zsgfoSMKf*+LD>{-s%X4^L9iFlBo!VSGX<Yx`~t`7^udttQ=CrC%7%B!wr++yxYgUJ
z3hR;!?;dXLPZ2M{o<hc-E{p@XjMWZ+>kt5&?f*4wPu~3JG55`%Gorhn&bOe66ROWZ
z)0nn!>BMW-;I;H=-R~1wjKgkEtg8?DeBB0#hO!vEQM%G|M0T6!o-;N#=r`%@-IbH1
z_L8z&wY@5y+epVmx{!5IkDTirv`a8{gwEVm8`rnA(kXX>7l>B#27xqmk74v35pH<I
zV287*@ij6|U5`0lwUp(r<YUSoj#ZEs(Pzw!2*jFmlMZe_6}rglDa$U~1D8_4@N9E@
z7O`inU=-e$pZuWq;?#XH_vFpdPrXo#FptC`0EF8BC|&=rp_BlO>j5tL+B&M(TmB5`
z_ZbqPy$|TGfrcTAsez@i)nRzL;K_yKNjai`h#qBqOF;?w;Rq}<#xePAy0fp0l;Mmr
zG*FMuHq6V2KME(xNxC;Si26EY`c}An^l@^L2|x=LTzq-f`_)zQ1LJA5UF{f5$+ZA}
z3V+=!d@rTgDwk74{`0fgREcNNa-;;<s~@>JqK&6yCpzyklSGJWkCt3XvSco3YoAHd
zur#!1UX*^l$HpBLvBQmNcjmzn9W^@aRo{G}zk^-9MtB|8*M3Y)zXkJGONH;KhW`YB
z)f~|4^!mSo_s<b10ImW~fF3VksP*>&$!}l7_>G*%cq8z{Z;LF<Q@yn$+6Q?K(TKKU
zC51>hV(1b=8#)z2O4s3zZkWUpz~)#om36ZYX65V#bYL$39H}LTg12XFMplF|H2Tf3
z>%w;STZc^6JQoYZV<s6ev_`=VES__34tNLGm&AzBR*><piRv*TkEYCNBIlkD7YPxD
zJU?xZsX*;??|GAQd0U~#hJpZB8GZrNXjv+W)|XnmJeUv9#|^=R#NjX@-*~NpyQF-f
zgcg2YaLD-u9AY$KVD5P<8hb<Wt6G|>FYVSOYV?k;d6s3jdTzyb;?+C9a*zQ<4%XMZ
z++3;(bcLon4!yVXk}Il|@c1d`R~GbAjt6K$0$}j}Uv1|BPi6bYaU`-Op==Tg8D($T
zdxns`_g>j#BqKs0GnEQiAu=<f%oLGLksTWHf6me2IXZcx{_p!apXYO4@8>+<=XYQC
zb&uz|ugl<Hwg`CC2d`A)uZiFWKt#6>Pfa7P&Q~&e;}wuDH(k$e6JpU$GRK1T7GK`^
z+od1ALV*>c!q-o{VZ?HnN1=Tw{m51HLeR3UuAyQLij#_xjJ4U!t@1l;^c}txlU#ko
z;Rj@vx>{+9B$t&k9<3h{7w6IObN>=6OWAyEgl=gF*l701>~lf03+I=+ZPEYe>7)D1
z>$Y}nqgtB--?lq-V$D;7OjsdH`M;YVi@7*C+t~mS)thUcb4^e`iPY{@MI%|cjDC{l
zP{8WCaHIuBe{5{Y5%O<tie8NuXyn;AZcZviL`;l13`cz-Jf-Sp@m~0j^dgeImvi>X
zI}SdUMv5^cGQMr143a~Yy`~Z0-<%me$|bBLKPV-6Tf%x0*>w%HMY(e<-`l>{)|CI(
z34W;^&pXHtq8ISlTTDINkDfO%HE^+ZhRqNqEUW>qC}wV8v6*<uW_#@m$zpfU0h#`8
zmcEflr|4C-+1bXNxr%Uu#`E^(iyHB=;o(Uy#oX)&%N;AeOHU8!e9E==YdUx^AnlkO
zVS(($D(=Fwoep9w)n%9_r`m?1<{B&E-BUP0t1l!LTNU{1EsY7>6aDT{c1z@NT0x$L
zxrOOo_i07>$6LWB&}@j%*w{lMEfppcNWsY*1RP6*u&juid&WCkcyBM0;Lu&1Eq059
z-CMZyufJ@wnRaQ%N|Etgsv=~Dc@g+PLd*BDQiND1lpS^l_~{&UnnKr7f#U}RCRGcn
z8l#-4#y)GU{~$qsLE4@SvPl$>oA>xZ^5F;*%bw+?X7@&Q>uj_ScYL~nlgg(h_$rw4
zse}3^<>@{S=hp{t56_qj{-71KTia#Mytgv~PJq#y*f|3SFLsEtieJQ;4v5kOe8l!9
z&h}4=+1UVre?WjCR0x5WP(Oq=<aIkk@^d>eetH_;OxjgtJPM<P_;O}OT`uyGihh50
z*+pNW6Mmnn)5oT|NiyhrB}nF*3sjA2Lz8d#c~O7I=RWzx@0c3i7$Lqxz*tf@%VeLh
zb0R0l@)3$~3iK>v#|udp)vbdcu~9$#F8RZ&p|UjMejc%E>IDx&zK1r}K`i%bE>P4u
zzml=M{i@(##A4GI+7`L0aY^tHReUW}<pvvm(F@?o!+{}cj|K=<z}DH(&f5B?D~^mV
zP^c5e4q5fW%vCLahh-e5#?I<@p8!qbI&V%U@wYKvarGXzNfZJ#avJ{i8$#<Vb63}q
z5BQtUH$I4|OXKd$nW~|TjH`c{WH~vKD2^jIA0$YP9@T1SuKY$wN+_~k;+toT)sZ&M
z)lW}QXPZLJJ}X+EW?Y#xc_M~mOeejRdH+QlPnB1HNpG>04|6V`(=)HjvlO@cYQHzQ
zv`MtcutdJ-@)}MHGf6wJf=X(jDji11f-6(`=DR+(!Ogqcb*X5{u{D<J6}jI~;9b}%
z-?5SeKrG05KxDt>B5iAI;%>4T87B|{%@-!T>Mbte(u5b<UV}?c$mn3t-(?kQb7t7{
zA<@Enc@Z+oxk}VW2cmc%a~X{YSDBE^A1mX?q%w-58`itWn$?s+$r|{<|0!|?0~K}b
zTa!zg`caRQ(r?czt#DI?wdEC*%9g2%M+Ov4JR5tJ@CLm!@vCP^j|Fp7hx~M8q)eB9
ztZtCpy8tm=<-jx6%NKpSi6KwD>HT)Tx7pi!`7MXHIsQ+F`m0O?C`_0GwuZ#IS9^p0
z7>lBzrHPTVI^an+!|_<0-0VN~RVdW45~2;Mnx?619m8(r&VCo75Q=f48@ae*w4B<8
zAgAPo_#qOH!+HnM1`nhjyh4PUe&F=-M%Jaq=7LH|9)nCT=h~GoxE|-eE*Hrd7r8ED
zsjPN044+DP%2jnWSV8=Gw!({Vwh>r?&9iMBDfd6{l7u=PUi%p5;_ourj>gI5K=e6M
zswbGUu1$Avtlytgx$MYQ-DK2H_GwwuYuV!sHmFD@vMHY?G%_`99^@6odqNiA`ah7W
zzdL#a&wA@73Z7B0%2oq(8QK8;;`fEt^Zct9=U?<RZ)`-(ZCu#+KC(2mG~_hLvH0QZ
z%(s~@-IpzUK4>AWIRXDS64FF34qHp30fFpE(dnzv*P733zNo@ZEVRntZYy?pKyq%f
z0f|@0r9tg$!8HyOZK3{8?;3cIG+%uk)@1fnpj$e_*uh+4shY&W<QW%1jQG2|J`R?T
z)5YVkcnD(*`_4Z-%eCR78Zo#dtn!kOlWgw+BqS`rQufvvpe-p6OiL^@fYVhb@&@*s
zJ69UIP9vOzmrHybY`%)JKS+1}+HOjZ(`IUxWGqc@{PwM+!KFX~+Ok+|1NQH$gQs8A
zoOs*ndR(viD>v`tJ11sONj9>YBo;1-m&CYe>pzAD(l%bq4G|r>iIz=pFtmlaD1CDN
z#YwiclmvEh6ShDZ6Z7wP3>Z5Pa&qV<W)!HLCOL6=YCa&4)y3Yu6`xeMM#Wm#0zF>5
zHk!y$i)!d{c=myNR6Q>qM~h}3vid;uBiXN3Zs=llI|sdaSsD(V!1$+NDjlj%LRgbB
z-z4)&_41AkGt&39dWl!QSz(bhn;dQa!k0l_a#{JHHWu2(y)5eHLY&Z8^K3&2W2}Oe
zAFVi@$z5_@Hd)s#2M^{tl@g&HJ9+)}F`nFasa81B7OO<jcA_;k_9&Un$luQ;Up=Xd
z_Jz0ni}UAkv?|=Zyep%(I=-MjdNe#^`Q5;oqx^VRmn6xxXEhDx-_x<AQagCuFCEtq
zK1=s4EQ!l5;E5!4?>V}QhNqm8V$Yt-t0yyfbitgEF@T^=Mf*`MUBIzALPy3Fd!MN!
z7Qws3jblsX2V%Oym~p7bC72u@w&|+yXpuFtv2{JKd8mmY6sHqQ-uUW@P=sUYS2}*v
zl&iTJLyPU5gE4s{Un<4M4;&j=u)p~c+kd`9jpNEmVn$LLGR>T3R!xoI>vTQtbm5qk
zg}%qj4b5$pYu=YTx-xzbicjvoblGvJh_D`G@KW;H=&bz#TUA3ZOKn9D_iB`cyE=t;
zi4%IRioPCMN%|t^!4~7=E5huG()5@e%OFUe_RSIZ(9zI%N#}Rx%3BzG)mS23hO6%k
zI+ckwe2?Ysi&^rv8vLB^K~9&2#xdA2{@`HX(f9zem-jl3va6lBrf}<PeFx#hlpwqQ
zWI!neMQI{l;RErQnG~*`A%)STBK8p7(^A|QN?3aEEUYYYuN;`qaH+qlN2wK}HB{Nj
zKI(tdl9<A!x@d6eY9&KBd4@>{pLXgJ>C~I24D}_iF4JU(eYBI_2zzXxe0Ie9#t(0~
zH_Ipd*6AauQN20_1dk3Z_x4M>-&5Dq->}z~azPhzlFl<NO)O{Wet+eGbw9y~o9ZL=
z0{_n_(-NBD1niMF&J+k#tDUZjnK@|7i=$6s<zJ=D>ZXAmaP-(j0GZ$OSY^RvEyu6l
z%Cd<i2$iq9`dF$?`aH;?DQTLsaikFM=k6<MO-}o!S2#Nxyph|VVU=);!uJ93YIBeB
zU5iSJim_%3L7hDDQ%|iM2G<wYCbK_J6v<Of#WSj}uTD1DVxY<&cslt&q^e)Jhs%Dz
ztJ9J7zyi5e4!w`rfp-Rj{cD%Dhfs!af0gtu%szF%YgioFYdk#EYwUFYl?fN^`dA4Y
z-+v(_QhXr#p<H0b|B;nMW=(x|fOFSb^>}IAq1SJcKE-8(&k6DovoI&LpB)Qs5}aHW
zTH$HLMP8wpKZH+AD~lG8-=Q>wAy?*}FDh>SP>trgA6D?}0&NL{DXnaEbU+T%#Y6nL
z58Fr++;wad?>bqMVVIGg?B{;N+J|$M=ML$euPs5}t{*`&WUI6wS8h*<R^d-eBPI+w
zAj2Pou7WYcIHt@*_Yrs2#hU9TQ-{;Npyf=SC{5&8%+sG(Pw?WOPZVua=(6d1SP?Q{
zmzFmrYg6j+?anx7-bMMGoJgVDpYpHu1|_c)f17+Xw{kOuvM*a_aIUk=qF94JQO_3b
zOhs>DWb}YjWUrGcagLJ-*~IvRh_H7wkshuwH@aMTXLa9~m3Wo(pX<NyC`0#$1JTCd
z$@>FyLMi1H_-3r~%z}fjV^1{p<j4MKL0=}5Z|h|uNI{+?WEDIAx^YOrZ;sysU)`dC
z982(=c*qc=Nus15=0PzrIl6B4m@g;V#cnR&y6X@W?-DMCVRc;HIqAl^`?qKWH(U+0
zh!#Z>iZsLICc;mCoNQ4!HF&BXeYGtA<q4&{0$!IlQ{xhoq3**^L{5kVTc5IzPF2v#
zmb+l8>DQQ48zg<D7B#W2T(U<E$FL43Tqelg&rr8FyjHu@VEFun>l!HQD_C9l#^*jM
zoGIWf(R29_MYrrPozX-)#fs0%8to*x8ig_;8z*&%ioTXJNv=kjWWb=|E&1!=Fu_un
zk3`6Ch?_VWKd*DAu=u`pSYaPMT|8exb1^P@WMTTo$_;)(il>#Kky?~^HD8E7qV=~^
zo2f5*&a2)*yX>%>6Wc*V=Xv@R`r}>=qepYjbT~|nF0*2<ZG~RE7;q$-Fs83i$M?RI
zM)H{Jc?QYjSH&(O%6N>82ghUb1FGW+mD!AWfVvJz9Xa&$Q=M0Y{c>&%NYdwY%#ZgN
zn#-b&s__Vrw9XwK8xa-#F+^ghZ1Ul&iex+cQGW(fa!s6O0cr1b8`198@rCM@B`0!S
zmN~O1;d4j452O<O@KVYP#b!vY^sTq>I!`%6zD`+u$o=re%7n_y0;k36f-Fk<tHtrx
zt0q6TNJlBAjI4EtsFJ1TqYO_Bow`;v$9r*PGJ9jY$I1ac_EN7w1~o7<83wi$_ZBb(
z?Xf_*H6RFUd%|{Er3RR+VOOr6_70Nu(NC!1#AvUN=45&IuGLwqi<=wQJZ+ut6PoCC
zl?<tvrPSNEN6!~AbD}auN-OJ_>mB6#s&65$F-fmJUfz_E-{^MsTH7a)4-%+&xewT;
zwS)6->Ew$l7V^cNw=|txie+WEb-gKhkUi30HbLTuDsp1Ms&S9Q8ZlG$wJ(}M?_!2R
zCn|ACWRbPY+dEfqyKHr5e6mXEE-us2D%QrFCy#%ZAp5{2aq>WgFgvE*lk6eEh^vv)
zQ^9q&Q##KqkQ`r1tZejT)oal4GDDuu3ec$Wl*4%0km}Wgdg-X}Gvqr?;i5$GB{^&K
z=PWh`i7ZVONvgBOi9g$)TW3be^?a}Rc(VDk^vu(sv$9C>2GMm51^2J@fRcOf+<IUE
zrh0$Ae248RA>PK|*z<20TG(zLv)%l`+8rtW1^4%Z2;+S+v>a4)gP*Gi0A}Zly4T}*
z(D$PdSkP}vnm7Z~Odx8{3_8^;j(q_bA-?$P56s+L<59}H(E;5`nuJOir|S(r%BiR}
za+Y-64_}<)X1u&`H(I80zSe0nwTzZ@2#X=c@*=z010@rK^xF6mtdiPew=m*4lw`c-
zMRTdCGuZn)zoN<N6R3G8nb5XPW5zdnyQ?I~%oxAz8?qQC6u6JGrubNr`QWA7L}vQ3
z%Y1E$&1EHTO1(>TWRYhj`tgO{7D={=pm9nU_FqvZy>84Uy=-!l^K#Xz*^?ISGo{@h
z-dj2Qpga%4pb@RR*Z#^yA<w+<;R>F0vMF;|*gdnF=#w<uZ&0{9*=%vlyZBD@`*Vd1
zyv@OQ-l+DRj=T5t=ntR80p7cq)1ihpjgX6%ommepL=C*M_w~q@js8rXX0dThzxvgg
zX-c1~-%{)a4X#CJRx$)wjn}$8WvJ6k>HSWcNe4PA7OUo<aySU>Fy#2867Z4vYa0MJ
z612ny>meYDB}X6FoE$~L6*+Aqb@b5dWrKIRbG{1Msz7E+caPAL<IamkQ`|g8L<2Eu
zHtqObbac;_s1Is%)F|I$wI2H+>E3w@lu{WIK2cPU7gPYi+5!f)x4lS2#sy?6G1o8v
z0tR6jH6x>HAlvZg=hnk17CI@1P{PRg^$*<}EY0u6ENas}QNK24C>7^UHE7ClrjUc;
zKG9i6N$q$1$8t#nC?q8xk|<-CSTk2^6H}3x89kSqBR}X9%omFLK(EYj?tZ!?Y5p~?
zvIlisC+Va5^}~=qEv}t;V4rgDj*TXY1@=;`v2w@#NQO@KHjbotz8l^unYX=_Q?D&X
zn{h1Zwti1Dy-sghb=M!$19{jHjXjNb4DWgBj$JWjv(b!UK%FOmI(y4@f>0ehC%C>B
z8Pf(C02=2!Fe&?i!VRJy4dRECG;GF$xSu>Et?fKv{PK=PU&VEHwv)I=1sh(z^7ZwY
zal3m+N6B$6u*4FZyQ3pGg<pl9&jvm0HLt|$mqemd%@x)2{^)UN56i#BpYCl8W9m|3
za*R(uW~G>VqXviVt<|uvK_o}H5OW<fnt1X_#=N|lN2FR8K8<?DM=YL9T0fj{D`9fw
z-Xnq~zS&k^i9V;u!5li%BMTLzL&!cO@2jj|_j3{px=Lfnq^Q(|3W$u_-m@n{iM8>l
zdOl4`)_%Ulk;J^-oaAMKs7}?6W%6iMzB^=tE$W|$`E%!0)XsP_7AG>A%@z<-eDWjV
z@f305rV-T7?bPB_PtentwUuZiFvZTX1`Jl7LMakK&m?W$m~VcCJ&M6^X=uliB(`{@
z?&^h+>t!SQA<@bHaZ<u4*$-6=Ue;&4A3h)#G)AemBxjVwhEe|MRIm8==U?eYdCiqs
z2Z%SY_*Ae*ALFi8Q)HjCm{VV}kK~!1nQi}^GH`dLvG~iV-AupLhU3(!rCXZg>}txT
z>8|`Wp?xD|L*grAM3+@RT2O@_l6Fc#m*}-Fs>6^WWY+n3S`hr6C_cttCH1o1RTe<9
zBfwfg`LEr|)`s==5D*z74|zWsyviFq-{PNvl^B5KU_opl_K`*AgCR{6`MHv;7DrLm
zDle1C92&Me+F?m^k%OcbLl+sMPpRf>lTt^#6Atz=DY1^SDj{MwqRM`(9~^s_I-|2i
z^D7RYK3!Ao^y9J-`QT1NB6&yYFo7EsXB7fZ7coTPZD3uzuQFeEHaUQ?T`#d<Oy}4#
z9bUHISLI{GLV_)I<Z(EIrFsM<Qk^-yUs5i~2;Gq8qFrbhl6Esmd^mWib5eYy>Dkd(
zcVun8OXs<)Bs(;pJZ|=<)g4w0EEYg6qU%oK>d#5*%symxwvOy(XD3x?Q~R}7jJ3jn
z1E?H|%U{INjZz<dvUNG&#5{8)^21At4qLT}CzemH#tbs79{habu}D+99EVPGAG5>p
zP6-p7Xa2m4Sld%Vi2L;Pe)rlNXp~^!1M&NNo0LE&5}>ge);QY-hL1i6;uon1k=hI8
z7SO4fhQf;KZ{Ce2LibyV$YQ1nUe<r7Tlw^<@$<LbL5bx3Dl0VtkF^}4JWTntO)n=V
zVo(#QdSgq9suV|1B8%y!H(qFXs8hf{ifSi{OP|i@98gLaN9J>3RY-@6JXk{~h=?$&
z)69dEVJej?z`JVuNgo1c7-}e}LJF8+7%=($`+?%;lLE;@3~ZqD5TN_o1p-Fswt*Re
zK@{O?LalPIoBC)*k?M^DxMR=XbiWD9VA!Y($%@N3)Ke$D@@;T{&rNAIUF5!V-B$&t
zx829J`A=1vNiu2Hm^28>m{i--(TckFGulkillfspx5=3(-Y;U72~;m?p+iAu5^{Nh
zYih2fhrWR&8$UE|LH<&N%lzcT;6!#Ocd0e%l^<Fbr9R%kD)TKa(}3|Un^^j{bW{t3
z&o9**zWrwP<FP#1(l_O-!r&totpoDCN;GZrFAVKe>^-KEl-x#cqgK)DN}VCO^u87U
z7KO0p@&RoF91W6>9*4EcB_{H0%$;AUGtl9m=wU(Y)odflWR@@<9J}MqL_0I~a;8;{
zImCeb^_2p_!8m1?z%yf{+wIT@%m%$@?(&xbmgWnz#lL8W%`=Z6H@X>Q1DtrIIGS~4
z$fOC)Q>pPTdemDYSr=KEUY_Uk11X1i`LXS!f8bS}zzruQiJOVEOfEHMp|G5J^Iq*r
zSqpPKW+=CCzMK`c^`|%J9>IKfF`ML6jyiR`mO_5<nJGbSt=4(Yo}!hNs<Oe?fbl}f
z)T9B<pgzf&u)!X~#0QznJn|Zjyl?3}y{=Nq9=?1wf-=2D0ll)Ho_6W7zrBrM2>WBB
z$uml6t@#deIJQq_#;GVqpaC|BC-{4NLk1bR5oXCS46<8>L`p*5LGSH-J?JNY+P#>8
zwY8yvkrmYRaay;+t|70UKcLyRa|WNK(Ptb6W_Nae(@pfI{-!+FY_*-(pBkUz8zl(W
zQM+$Py(}$$EINerai9jVY!k|rcd8+CnwaaP{KGpV<%_M{>LAdN_nxxAXKz00rxviB
z9^&rMV*)>O+><wh3)l&dPK-_9$*5u=Td1-ol5E(HJj{_gMjNQPEYIBIPLj%B|Co}D
zKfb<L@#Tl3GBnlg<<u@x#f9Wj*nC{^eeRVThi{c0q*(RYHh74OO&K??tpKq30fXOL
zb`m(<ot!rll)z^KONrvc17ga8faOmVl?ZBv(y4k>Y$>^?u3U-uhoq09hX<|A1zqV5
z4kLY4^{R?s9OJ0}l8pU_Vs)=5v-`<HVd0q6ktazdq*e4VGwGxPTk}ugUSBnKy{?A#
ziK(4AdVsC_rGPZmDV02uL)`kIL6s%u)!ey$%~oeGE|T?fEiqnAPjL;gP!p7^2-LfQ
z_f@Ne<g&<ZVjnU)vW4*4G<CzHdUQjr_c2!8W)?1#A1tmAbiZI=z;NTiy(oHkmAu=(
zX7vEBnTTnxRbqCi1a~y|lV-o|2rK^O$<yDT#7Fz4g<1w{7I$jsD!aaq<e+0Y`Lgf2
zs9TTkrAZWd8NV#7G9(YG0*B{LFOv%z7mnR7V8qYP>0Z-z@1k#;$XD`|AZAV1!JMBj
z?^*~9BTTk$zDiBY${kX6<`~MC{tx(GbO$^~1&>{49OBBRJo&16;RT16ff~D=3?*B#
zKdQECv)3F|(XpzWnza@VR-ez*0#qepjKy~0m*lWGWAq>Ko^VOe?Wvuq5fN)d?-;dj
zu8~aVpWbK*LBlSRd@9^BeRt^-cRTwv$-o1Iv4b4XRy*_)-Ypm2oj(5&x$|~rg(!m+
zhGObv;*Olm`oi=pD3|Ke*~*`!P&Q)wxwaJB3d&5CyDVp2PsctNZ#=JIT)Hwzlz5;I
zzju)NZdMZI^2CR)`t8S`Vf!ApkhvLug?`j8PcD)3{ZX^@_yB@J)$h0u@OTdQ(bcbH
zS|$Ei3DjLLJ7O*$tUY4yFJsd+{;J#FMYfQl8|V6r1_35x@n>-x6#iN6c1y2}&$c~k
z@ltUsY!{d+TJklTEf+F^jBan3r92S*e#N<*<=AYklGxFh3M<yJ*<%{m>UAvCHJ)1L
z7H#-+2?q%9Ws*OfmS0~VjK`Obe|bmoHG1ka`3kMR-Q?R1igxvD14Xn}&s$b<<1Axd
znTg?b#8WY+XK*4b=H?GK&@h!*SzJLme7YJvNwRcywxD^2YrW?<xm)sE<ec%=1gQay
zgEa9KIJmVv;_VG(t%cR`XkP<^ZBUti_#Nrw4WMrya(KeT6?ye#$<*1Z$K1hmACUYl
z<zopmJ>pJUU9YT+Sko$SAkaR3QN<7a;;ZL$?ChgI^q$e4M3-y980E+){1jUf%Y8<f
z<C;uPn64YAa~&V$kBbG_mk&vLX7Z*esWCV|Y&Sj5jZt>(xZaciT4jfuSVbuhfrbJ_
z(#TY0{kJzu?M;@8=T1+zMm{|pJ}6-A6Yu?Pm$TNKd-sl@YEavuUFTM{l8u4i$^kxm
zpA`au%g_o_7l7gf+vVYa$jz;+i#8DjkPs8pZ*s#JkCBcV9<roQY(g=7f$9%Lm=K1d
zg`fE`r^lv{c&I-1QV(}dhkd%P^&;OvN;+a*nNhMcr!;&TBo`lkY(0!6J3DyWHvL+4
zaert`TF(5@^pM5;T0Gt}Zo5Qw?XAii#J$)+-f-F*{E{x!q`~rO5|E2#0FZ9)J0{z|
z3VnkL`F$X&Ycr=nF_2uopOet%n(x65!B$2x9$7Yh-EbPMn`wg$EQWRstTX<x*KAmd
z?#9IF=1uv&=eZI`^Y&#d&P6@Lu(2}lNj_rBwG4W_(9^2654D*px%mVH_;~o%7p;a9
zsIaTlg1bdEd@Ps*8!xeZz!3Zr*pg-+9dW;@W-<MRimB|~3uq%|`3gy*$#gjxilnIx
z*=CKCCk(Al6~tatCOLBook5I;?ZR<X@7A<s(W5jRxhki%jHx(V&S)vdiQWjkl!1NS
zGpwJEf?>g8aF8J@N@D4K=eN$w9Avhfx6VIq4l9UA$GtT$f2E`6v%BZz0MkYzp`*u>
zj}ZO18z-L7^)Q<5W_&YYWRGLr8WYpdO)le==cn?*8-%$zR!J@V>&IF=aywhxlyW20
z9u*=xTn~14<vE)9fn(v*xbs=^=xDsmw-wEb91FvXD=Uutq`Ha?V;Va0&+Q}&JB+U?
za*a5Ck680L>%)idmzYkmrm4M%)TS0hKZZR>m}XS_4)wYYM$*k(Y~9mD@j8B*iRa#+
z2oTV{iFYKta0PARghX!qV&_t>z%!|i{9du-IVpUalqa1TS!MC3-;j7ESX0Ss#IM|s
zdwqM=(>$X<?>kE`yYk605sBovDl+*;NwjyJeIGKM7WzyycE3Vnh-M)|yd3@YpzO1!
zTqDtyNd@_tW|pUJ)qGJ^7zpt4=0LuE_4LCq1M{}|gGUw!c%)*2Xolp^OWsh+=48LZ
ze<CUvyZiWUZp!2ONmWDMDb;x|xC-flXp<QETk1o#@A8a3Ef8tK)Oc<i#!t~?Y!N?5
zAQF@3CYPnGe7og@iC_aIM<2nxj&}q}=_=%hBrs&oe?0ZPDCR^nveWeWy5nc>G2IL0
z?jvL(i1ncF))^aOAU`7F(|yOrgH$Cl%O>tMjrh6aCwOQDZlQ@QG>HqJw~&{xj1Z4(
z6KC>zudYw56zYangcc#&*4bKne4|o6KjbE#o<n#`_uJgDW%YpZWfOM{MXJk-M(fk$
zL^+IaiqU*YTfcFsgc^Caq2YO%#2enL752<`3M1m|w-tRTZtq0D@`g$9v!~?wr?f>w
zMBXM?5_!VoF2UlAYh#R^1_f*(hLtjFGr^Z<?4MQJUtIV=!@)BvGU$8fjgi#)N}@5g
zm!$de4pU^Gt2tjAC$BuT;w4^)C>DRg&g2!mLE}tPDlQ|w#C<q!lvC6@OHjq|aCP9A
zm{bv&%=s{ERuLV`wh)qQXJ4T+p--16N#)ywMT$(@=u@8Kn$>w+ojgpoAlv#DgW%%q
zXrb8;;rfhL{m@X9$In=)gKs3_Gg3(xX4lkK6X2l*(z#HXGE!W=l^dXaZCtYKM)<VC
z++F#~H>V1y^H@{LG(yVjdYpso1?>#G_&j+nto$zw`(8<YMZUJGHaBzJmWC<@m)OO{
zn!|{oBX?D>DOS^sK@*3(Idk2w$W1VWigK3po02td<M`Sfe>vtyv;M_=j$3r+6>1bn
zl~|NQ?z6oX7{6(eW<nm}*<E`xz(MhHBC5E1?39@0RW##L$KI?8HV<OooF6ko3Z7jL
z(Mu`)1|E_Hsfwl!M1&V(xXbt4j*=KCZV2`Xh<qiJN=lhOlAifAMLt$sPTBM5cyS~l
zv5)jQu_6iLRQqhB4Pyy;DZgTFlZYxz&vF}_&xW?;H`%g2^uBNUWY>K4N5Pv54oH|<
zMG*qUdf#sg%}l(z>3Z+`t=ErmT$BZm<%_ZNzFu@bU-yG0Yj|J-XR-nHR<t_LNqthv
zpwiE4#?j&eQ{;(n*Y0%Pb3R)?RDrFlaBN6P4j)gvoKecymr0PJ?^XLzW&!V$S=v^V
zRFxwdt4X-SV^KUW9)FYx$#$q&XP7jSza5t>*2bJWzGOS^8cEEakd2o>$=m0yaOz>J
z_uQ0^;MY@M*hdDeFZ$*Ax;eR-nhZ}AJU!>ctfiByJw*EP<;z@}YT4XxkpefWjt&~}
zis$?wM+-n!%&8#N)bu)nGCOvBMBn={YKq%QE#7Blu_SGz1{D#Z0@*`Eb-{%!uaAs-
zcv7*9`4v)m*`(N!k%|k-CM&Kh6jIYKiM@0f!^WY=;)xa|>aJE<bg`K=m(ZIR_nfU6
zX*lP`uXnNf`}0oOKzaPY!2Zs$kyT7|^FW7(lek7-P|Q(_zkX|`#~pWPs{0^W_AOwM
z_cBLn>!W8L0&?#|ODl|s-qWAEL}D*@$;h#<#$W5Uv2vp7T}keIdIQtCG^$kbJGoCE
z$ustZlFi{J<wW4bvtT94T2>NMT(}f+_*j6*GPTx;nmq2Dh=gW~T!Rd+G70&{nmW?^
zMvT`+-E-#-QOq2SCQCzq@g)&YjO^Z58cNaJs#Tp^OgD~LPvv)<t+-)M=jzdN=z-hg
z;#(F2bXszj6t!>j1B;HXfAc7D9bIGmoS^1FX0y(A;`PX^!BY+9tW-mbpc{$8vmrgj
z!>co<)Lz(l#A3ZEhG9OZAANqOJaUKv>xB@7Lo@MImyuOdHr^r1Bg9kD?W@^i0xHzD
zxOF-M#;+yDBflmYC|~`WUd7Ih-R`SHBfX(R<Nsw8|G`a#@hKjH7w0q^uXTTzPU)l&
z_NeOTx+u%{gL1Xrz<%mts}TC6)7*~z^>&5GSB$`GEqAQ_tnCm?0Di8oq3h}%4SA=2
zPJDq|&kP&s`7)KR@qS8w>HMJYrRGCgHzv9yGHOT0nvg?;NX%C3U*`r6iu9dTUma~v
z`ig%G)pfP9^xKVNRnkK^$ySBMKus%FUY=u><S9?TA%Djd>5|pLJeaX~+U5h#kMT}a
z(XryzeCI?l^$Bya_BWx{!EMb*f|)KV39K@TL!oELo@dsLswx!p9DUG0B=afVQHm!k
zQ1lcq{<phF(;0i(#1Wc=<j43N{aDX*6}9R)ndk69U1CE0seA4|hl8Th>Rz>Yjrx$`
za@~?Yg)*krKd#i1Ffi}w=);quTSfPVZASH8J5T<a7ag;*p0x-`Kz!Iie|5tn%Uar5
z9C^o9p39thF^-hX@?Ao6>@2jZ)i~e%b5z;WI#dJaF|LdrlQX?CzvRxDgu~sO(ER=5
zL>F1rRXe-Jt}kPbXk4ZCJ{*;at@K=~o?nqhKU`RIVXq`XiZxY3r;Ic~Lsfm8nuxw&
z8cKdB_z^WvU=owDM0bk`-Hk)C>wYCCB=p-KWsg?zq9i&Ur|a#+qSX8B?vQQ}8~t)M
zIW$for6BHJzF{P(&0H4_OQ%cr)3dc-yG~Gt_IW-zf=Bc4soID7%%gh!T|YX`NtaB1
zmNZBu_>|k++G&wZSUSI4e9J{JWK|1zhu2!iWxzVYU-0;ZdvF>?TR}8kx$rYO!sloy
z=rJbg=x8>CFY-_;OZev`t|xHQtqL1g5!}CBo6Wkw&#*RC&^j&s-Sv*K2Oj0E7Z=VB
zaunfVuG^58Sn+!i4Sbgkb`7J`u~5VOw3Jy;nHl)rd3-=S=m7m&@66?I&V<?)_Ycbd
z;CO8_u8CVk*NlwiEIeE~b(&OyXJp3BrO`FTLnFo7`%04A*huVpYo1hVbn_uwj0R!p
zXS$;c^fB&EMKOtmICT<XBiY@|&MqvklLN8BPR&iwuJ_t!ja}B^rW3&WtTsT7S6geT
zUwkX}Men^%dwWx>kI6+B{T&wL4IJCe=c^_*jxcrjrY$j|lab$Ei66smJuDmBd^fxV
zt-MvHj<$hL>SGH7vpfHjZdr1)!<^?%bnzI_9+?p)q7oQ8uB(3~YAm;jRtb+#`0VBT
zT=kqQlj3$OrFZCMBG^0c`9H^HjTtmAWUt_+Rjw|4Ue_!#sZBekjN1C-M|?6l^T6$J
z>HDL7Ys}1IlN*Yb?1N)N%~S8Q>6Nwh9?tQV_Afa5(&bL|rw~of+9j13_2DXt-1b~D
z<XT<{u(yx8$TgIwI^EfOk}-&X-qub>S}BtnJ^vC?xx@0QxtHjp&nB5a@^m){nY^bA
z#JzsO7{hMG(y4}__xw^>f3=-FU;ly-Sz;-rtiphU+}i4M&KCu`x$>B}Q%R!SIUJ1q
z6Df}aFHc8BYWr3%J;I;+ntMkh-K4Gf)%15KnfHmK2aR7FCwvEvDj}m#A|c*9Btkj?
zEaD*l;BQ`jvwen%L<RjjG7<?=-f1nhJmy~Hr}PE~QrLQtVc$3Jv%O5zZq{cO!UMuz
zfjt}Qt@}WJ=Pd9+yiF%3Ehes@D$e5U?hL*q5(bYd8EG%_eFa3fMEq#Sw{8h}w8sDl
z;#=A|nw<gP>*m#q(8nuQC_10~%j0d{YiG3dDY$!m-1S~NDB$khv_ggqk+hzi9D0SZ
z?AC;=aQ9{h9(Knan9s4Wvv8b&Jm-$ToG~;puyukXfZY-H^sw){5pcs1`0azh6iCft
z=jgEql5I0%a}Ihd3AC^r@R8agp#r|W{tFUFC25IGD(Gknwh)*#>Rd8}b^v&dw#iPd
zV#R3#9FSvhYH(zMhxgt}FpZ=vOdJgyjm#~K46Ofzl1$oYSIVc;Ss{>@|4P6|9*$Cx
zVE>fTwieE?#7bLLxe<wY1lxF5ygP#-vzh=JB=3_F9Nr-yvUG<*|EH<LM3e)vTtK2Y
z{zSm8&xi;&9l_4Ry=S%v0oy}*xi>;PJ7>5a5PDn#3E~ZIi)>!u?F_Nk<AMVq1&nbI
z5<vg}n+NKkn81O+Zk+A1=@MbzcXJBja3J>k2QhGQwgdJIH;)|uHI@P#R@cA6+B&2M
zHgT9tdy!28j!)?5zS|F8wk<xOzKE-}3A~-bIBzE-YTj*sMw3$-{~a)Eci=^g<rXIu
z@Lvl5Z=B+`#`bm=w$9*{4_ITEFZOt1g20U+?xX@+?2t~%MZ9;7e`}JqLE6wRi_WG4
zy~4UMcy0vAW~Y+&=t>rFb1C4h--Rt4h?KE^i=%1}iNh5I`Z8#H{g*L}H|ZnC$jM%0
z7%=R*TbG6(=W|K+tlO3qf?IHR>qG42gtsJvv>@`a{gdq0AByUB?+?M<*Ww_NF&)6i
zWQ&Lj_;%?Z5P@3n=gX0wec)$um0y|^))f@IOc8X2&29{_J-YRS7BK)MB+0QX9Jbl<
zJqx*QZ2%<HM?-T&`~nBFw}2d3XvYZA+Ps48ZRcRhz6A$qWdqW^zyTu$^eq$E(m3R8
zq4$PeVV1WW1H7*&*cSsR1PY8pD&+>nfn8x(JAK96Ox9V*tF}epBe5k374Qw4Y(J8K
za1hSSU`-{i>ICIeW!}8*<jNQRg6juRK%y5E;kby&|B~y^Y)RD)UO+G)B(&m^NVP;4
z0QUwkbZIz1REqro{@NpdF>_cSJY{0`+dc?E3+1!^>I|So0w4HUtsv!JqKUf#C)AZ(
z46QAk%zvKK23sABkU-IVS3<f$emV(&4pQ>+Je+t`RQn;62Ws~jn3<?<SI9<0_3V-b
z0xHDAIQ(3@X^&Kn@KfBF1aGLZV^(fn|HL=&Zpi}iPe-ZuCJO)n>WN@6YHs;MSzuQf
z8`!>O)g4rrq$9Py0(X`L=3|muEPxJ3Hh;w;Vr^mIB=Iu_3Jiwy?LB?(@m^#Y80@+U
zhIpvv*aCxy)Jn5wkxXn|5zhMmYji%~c2rLWxFuw5E3*Yb1$-l?-4}$ot*eEjovjVf
zy~GUcx6S~-3G{QHikQRdw`RQaun+tw_iFEKK)F^h!>d_c=>FAz>670e#EK8RoG3rE
zbKis#*c1HoRU@pltF*1Xi!*Qt%*4RvKRS7*m^A`*w$~Z9r%aaXfVhcSBFI5B*ajt}
z<>DFkLk0x*?e29rO>B1sf-n6G1}bL#8z4|2U~mh<T=a&E9TW@JqPul7cweN?wjV55
zab7SB?A|bIf_(@3BFKOSUm6%J(UZSofwdi?Lcw58m}YsG>=9_TZCmgKe!-kK+4rm&
zG`{=y<$e+IrPEj<Fg3)k^W2v0LtN)K;3VIl_eztk3YNP%hu<|Pd`(@jObTcBiGjFq
zAtH@j?HzV)L-^vkU^o;Y7<ykCZNtF_&?3TP)ppz!556)k7_WZccw4Rc+ZpE<GN)as
z;7iqlshWYf!2OA~MFn&OU?Kfmwgxn31Z;?n9^R3~aP5-~S~M2idN4~z?8p$ah{1Kh
z4}Zl1>^E-~u>EtWZLbAi<`&#|GC;WEz8Vj{s_t)#-hydiKGt{s&zn;ePC^ZyzoPwF
zmKMykd$VpU2w%JwtYFDMVcM;fEtnUkp+uhxf-bSm3tvDM%saySFEmu$wVW&>V&r;P
z1jL9t4*b%rjc+f+=0Iv(gkx6J$Ib0HSd;HI9pZ#DyW{+O2Kad{1S|yXzKA)tn-0F-
zEV$`x_sy|+xC4?66n0YOx6amN`Z9uc+Qx$~{0hbk64<j$5F$`PIj~$XOMe;Swkr>O
z;Z!hBH;`)J&wU%zZXi71GOCDx!V=tf1%j`M3I+-X(qilb2vi{z5s!+t$F4l^Wlh06
z7lil41N41ZkyAuGSXQ39^1v691oJqE?V0E2p7wv(P_LTTu1N5u5y42DK$V(3HW{pk
z{RdOTRc{1Lf8r07fPJ+;XM$E01h><l`XTs2hG0=r_73n%Swk=ptg8=o`|MMa4IqN!
z&n1CY?gInBBym4n42{`=ec!oCg)bHemP8KN=iDOzT<JhC4NQ)^RldKKV`l^r{5BaO
z5X|!DG+PC(zz}>zC!rxkuq!OI2s~=;gxKC}fh;&p_6Gs+!?2=hV4$!CIw;VcM-0%b
z8w&;W3T`9F>nZrsYT!1i{d*wD_^?Z%H83yiHHaz6rjRiH-2{Y>zIYFu=iEmtLTaCZ
zL8@4ophCf}uom4Z9DIc|uyALAJ<xrE{As;3FfdHHQgwK6uyQ+hLE-KHu;N~T5x!PN
zQ`U!WgCcebh}|^&+S71<5Wt&9;5{f@3&PydURdDcXUhMI<u~scc9&>-#t2`L4QyEC
zO8aW3pAvzv;LC{sRZS4qX9F7<%*h@Z@<-rgx8dOnse$2XmH#okDuR-7h>+jS2keRr
zUl9$Aj02p||MQN#)h~Y4`%h70`T}=Fg)epnMjiOqsIYg!yX-Tm)dxXoVTKL%kdRGk
z_^M@K+FI3rEbKNdxP}=bYdHKU7y&e52ethc8!|xGtNkNr$RSoR8caW!zk+?=sV97K
zGO(Vf)&C(H%sIfvzo>vqm4WGDp5b*u$R7)<0=Hja2;`IaC*2Gp>{bOYFe6OS|56yf
zt{7P1&i@M|WPSwm4Zq!C(2EWIV`0_dgq;Q=dH<QPn_g|R0u~}|9l19b12C<3S}%N^
zEU>nETK^|Zm?dv|hd-&B1%5D?VIT1hL!kfmkOyDM3jAR4KsfsUMSs|XLF{MS_5Id@
zl=ZLf`ULO=q`*%wbn*ZE1iO@zLev(74w1V)34E<4@RJDX{-2)Yk1IDJdY%{B*LHm#
z_)16M=jqV<htC7{L*Tkch>(;0uk4BpUx^5eJa*}CkayH2LWHKU;s-^8EdX{~0l}{w
zOZE4K_Pde%zkDHl6(X=k*arIs`Hz}Jhy-(wjoP&>;cE+lIS2R82^;Ws7EM9~$n71C
z01)wPjUR68OETQIkkI_fU>ewvhPYV~(`*OvLFSH2e@O$Y5QK<ID5DIz3kRdzIq<?)
zDgrm6y3yZh1fznVDgJgC3Kfd^<Hm#!#-KFb6X<pY9YlIvyS6|8Ip^~`z2J)%f%S6S
zF9v)mBQO+fk}<##i$I&rNye}BguqbFCi~O|m^gr|3xTOZ>X7hsnR<~ud9MGK3bMk3
zFWdvBN;lmn6}XHK7zrkn5N#X+q|H9KbAuKBy=a2jUXXrq0!2rjK=%b<S0Q63=#Ce-
zyZu^;2dv51-T@HS<pIm$M|{ENHE^)xh}C^49X9gj6-)(bDfp@~V5&zJdzJ;7AqlR=
z3>XR4Qa?E2p)G|-s9#G~fRV;*_KdW%fCU)HPtN#NFQ8GrbrDn}*cGhNuNnElKsOxr
z474*pKOB(6%qj#3W=gQ@CJ^HBgavMNBXrse(9UVfSiK9>bk8(zjvVkUg!umOJI4BZ
zzCScOEm#EDO?QL%H5opvRUm_E!TumX`=DT+19zsO)&aZ1_`p{3YXW^34;8?J<Gj~K
z*_pC;M>>5l9@0>YLq8A<-mKXG#Wca(yn^w5%^MHKD|Y!?Ja86yIJVd<t=9nC`qLMi
z65iOng4rNW2tGYLn9b7lZ`poH77qvbGf@1=`5V7=Nf1Ez4DDdRP`AGZ+>x&x5ub^7
z!mfPqNzcK2J??+Y_j3}rmAe-apOjGIZ~1=BE)M3y_WVbDzq3KV+r5$R0iQbIn)F*l
zNE5^7*ajos^ZHka+ZneJi5UIp=5Gmq&5aEvyzc#v2%(YGzs%G9E+4)Nkx)MI)^7oS
zO&SdbB=z}wz#S>1!3z4NkR?NWV0;_AtKMzggkMOA`0f=DL1fzQ!{_$KAbgHzuugIN
z#rWAt;W9ph6@tyZ-dUymwh1A<06vQ|7){=9p9*co@xbMDMg*7Zow_R=e2!)?9Jc@d
z;SgqQMuaC4d3#qp_~gi7JobRUz=KPbjED;}H4VxIGr!%e9zGz`3OF|X=ljr**&?vn
z|I2w^*nMFWHrV%_qda`RTChIP_RVqOx7lkEDV6y>{g0J`KV=^ivR9?H)5d{GVA}kb
zR`5A%!CFoJ1<9`&Y{6_WA7MO^fk35g_XVF$56m`oZT~85vHf&qzl=gKykhU{9e4-P
UfJruz5Ad%hka^zwI^^5`0C;tDe*gdg

literal 0
HcmV?d00001

diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/boot/SpringBootConfiguration.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/boot/SpringBootConfiguration.java
new file mode 100644
index 00000000000..483c5cc5606
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/boot/SpringBootConfiguration.java
@@ -0,0 +1,10 @@
+package org.springframework.boot;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Target;
+
+import org.springframework.context.annotation.Configuration;
+
+@Target(ElementType.TYPE)
+@Configuration
+public @interface SpringBootConfiguration {}
\ No newline at end of file
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/boot/autoconfigure/SpringBootApplication.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/boot/autoconfigure/SpringBootApplication.java
new file mode 100644
index 00000000000..38bbc35733e
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/boot/autoconfigure/SpringBootApplication.java
@@ -0,0 +1,12 @@
+package org.springframework.boot.autoconfigure;
+
+import java.lang.annotation.Target;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Inherited;
+
+import org.springframework.boot.SpringBootConfiguration;
+
+@Target(ElementType.TYPE)
+@Inherited
+@SpringBootConfiguration
+public @interface SpringBootApplication {}
\ No newline at end of file
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/context/annotation/Bean.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/context/annotation/Bean.java
new file mode 100644
index 00000000000..24d7be0f817
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/context/annotation/Bean.java
@@ -0,0 +1,10 @@
+package org.springframework.context.annotation;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Target;
+
+@Target({ElementType.METHOD, ElementType.ANNOTATION_TYPE})
+public @interface Bean {
+
+	String[] name() default {};
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/context/annotation/Configuration.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/context/annotation/Configuration.java
new file mode 100644
index 00000000000..0024b3ba833
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/context/annotation/Configuration.java
@@ -0,0 +1,7 @@
+package org.springframework.context.annotation;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Target;
+
+@Target(ElementType.TYPE)
+public @interface Configuration {}
\ No newline at end of file
diff --git a/java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/annotation/AliasFor.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/core/annotation/AliasFor.java
similarity index 100%
rename from java/ql/test/stubs/spring-core-5.3.2/org/springframework/core/annotation/AliasFor.java
rename to java/ql/test/stubs/springframework-5.2.3/org/springframework/core/annotation/AliasFor.java
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.java
new file mode 100644
index 00000000000..5eb56c0897b
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.java
@@ -0,0 +1,8 @@
+package org.springframework.remoting.httpinvoker;
+
+public class HttpInvokerServiceExporter extends org.springframework.remoting.rmi.RemoteInvocationSerializingExporter {
+
+    public void setService(Object service) {}
+
+    public void setServiceInterface(Class clazz) {}
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.java
new file mode 100644
index 00000000000..5449b83ba86
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.java
@@ -0,0 +1,3 @@
+package org.springframework.remoting.rmi;
+
+public abstract class RemoteInvocationSerializingExporter {}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/stereotype/Controller.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/stereotype/Controller.java
index 0bfb67d99c1..a4a49fffb90 100644
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/stereotype/Controller.java
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/stereotype/Controller.java
@@ -1,9 +1,15 @@
 package org.springframework.stereotype;
 
-import java.lang.annotation.*;
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
 
-@Target(value=ElementType.TYPE)
-@Retention(value=RetentionPolicy.RUNTIME)
+@Target({ElementType.TYPE})
+@Retention(RetentionPolicy.RUNTIME)
 @Documented
 @Component
-public @interface Controller { }
+public @interface Controller {
+    String value() default "";
+}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/ObjectUtils.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/ObjectUtils.java
new file mode 100644
index 00000000000..a5a51786d20
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/ObjectUtils.java
@@ -0,0 +1,202 @@
+package org.springframework.util;
+
+import java.lang.reflect.Array;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Map;
+import java.util.Optional;
+import java.util.StringJoiner;
+import org.springframework.lang.Nullable;
+
+public abstract class ObjectUtils {
+
+    private static final int INITIAL_HASH = 7;
+    private static final int MULTIPLIER = 31;
+    private static final String EMPTY_STRING = "";
+    private static final String NULL_STRING = "null";
+    private static final String ARRAY_START = "{";
+    private static final String ARRAY_END = "}";
+    private static final String EMPTY_ARRAY = "{}";
+    private static final String ARRAY_ELEMENT_SEPARATOR = ", ";
+    private static final Object[] EMPTY_OBJECT_ARRAY = new Object[0];
+
+    public ObjectUtils() {
+    }
+
+    public static boolean isCheckedException(Throwable ex) {
+        return false;
+    }
+
+    public static boolean isCompatibleWithThrowsClause(Throwable ex, @Nullable Class<?>... declaredExceptions) {
+        return false;
+    }
+
+    public static boolean isArray(@Nullable Object obj) {
+        return false;
+    }
+
+    public static boolean isEmpty(@Nullable Object[] array) {
+        return false;
+    }
+
+    public static boolean isEmpty(@Nullable Object obj) {
+        return false;
+    }
+
+    @Nullable
+    public static Object unwrapOptional(@Nullable Object obj) {
+        return null;
+    }
+
+    public static boolean containsElement(@Nullable Object[] array, Object element) {
+        return true;
+    }
+
+    public static boolean containsConstant(Enum<?>[] enumValues, String constant) {
+        return true;
+    }
+
+    public static boolean containsConstant(Enum<?>[] enumValues, String constant, boolean caseSensitive) {  
+        return true;
+    }
+
+    public static <E extends Enum<?>> E caseInsensitiveValueOf(E[] enumValues, String constant) {
+        return null;
+    }
+
+    public static <A, O extends A> A[] addObjectToArray(@Nullable A[] array, @Nullable O obj) {
+        return null;
+    }
+
+    public static Object[] toObjectArray(@Nullable Object source) {
+        return null;
+    }
+
+    public static boolean nullSafeEquals(@Nullable Object o1, @Nullable Object o2) {
+        return false;
+    }
+
+    private static boolean arrayEquals(Object o1, Object o2) {
+        return false;
+    }
+
+    public static int nullSafeHashCode(@Nullable Object obj) {
+        return 1;
+    }
+
+    public static int nullSafeHashCode(@Nullable Object[] array) {
+        return 1;
+    }
+
+    public static int nullSafeHashCode(@Nullable boolean[] array) {
+        return 1;
+    }
+
+    public static int nullSafeHashCode(@Nullable byte[] array) {
+        return 1;
+    }
+
+    public static int nullSafeHashCode(@Nullable char[] array) {
+        return 1;
+    }
+
+    public static int nullSafeHashCode(@Nullable double[] array) {
+        return 1;
+    }
+
+    public static int nullSafeHashCode(@Nullable float[] array) {
+        return 1;
+    }
+
+    public static int nullSafeHashCode(@Nullable int[] array) {
+        return 1;
+    }
+
+    public static int nullSafeHashCode(@Nullable long[] array) {
+        return 1;
+    }
+
+    public static int nullSafeHashCode(@Nullable short[] array) {
+        return 1;
+    }
+
+    /** @deprecated */
+    @Deprecated
+    public static int hashCode(boolean bool) {
+        return 1;
+    }
+
+    /** @deprecated */
+    @Deprecated
+    public static int hashCode(double dbl) {
+        return 1;
+    }
+
+    /** @deprecated */
+    @Deprecated
+    public static int hashCode(float flt) {
+        return 1;
+    }
+
+    /** @deprecated */
+    @Deprecated
+    public static int hashCode(long lng) {
+        return 1;
+    }
+
+    public static String identityToString(@Nullable Object obj) {
+        return "";
+    }
+
+    public static String getIdentityHexString(Object obj) {
+        return "";
+    }
+
+    public static String getDisplayString(@Nullable Object obj) {
+        return "";
+    }
+
+    public static String nullSafeClassName(@Nullable Object obj) {
+        return "";
+    }
+
+    public static String nullSafeToString(@Nullable Object obj) {
+        return "";
+    }
+
+    public static String nullSafeToString(@Nullable Object[] array) {
+        return "";
+    }
+
+    public static String nullSafeToString(@Nullable boolean[] array) {
+        return "";
+    }
+
+    public static String nullSafeToString(@Nullable byte[] array) {
+        return "";
+    }
+
+    public static String nullSafeToString(@Nullable char[] array) {
+        return "";
+    }
+
+    public static String nullSafeToString(@Nullable double[] array) {
+        return "";
+    }
+
+    public static String nullSafeToString(@Nullable float[] array) {
+        return "";
+    }
+
+    public static String nullSafeToString(@Nullable int[] array) {
+        return "";
+    }
+
+    public static String nullSafeToString(@Nullable long[] array) {
+        return "";
+    }
+
+    public static String nullSafeToString(@Nullable short[] array) {
+        return "";
+    }
+}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/StringUtils.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/StringUtils.java
new file mode 100644
index 00000000000..a78d47e44c6
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/StringUtils.java
@@ -0,0 +1,30 @@
+package org.springframework.util;
+
+import java.io.ByteArrayOutputStream;
+import java.nio.charset.Charset;
+import java.util.ArrayDeque;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Deque;
+import java.util.Enumeration;
+import java.util.Iterator;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Locale;
+import java.util.Properties;
+import java.util.Set;
+import java.util.StringJoiner;
+import java.util.StringTokenizer;
+import java.util.TimeZone;
+import org.springframework.lang.Nullable;
+
+public abstract class StringUtils {
+  
+    @Deprecated
+    public static boolean isEmpty(@Nullable Object str) {
+        return true;
+    }
+
+}
diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/GetMapping.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/GetMapping.java
similarity index 100%
rename from java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/GetMapping.java
rename to java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/GetMapping.java
diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/Mapping.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/Mapping.java
similarity index 100%
rename from java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/Mapping.java
rename to java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/Mapping.java
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/RequestMapping.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/RequestMapping.java
index 73ff8d1b03a..093065ca5f1 100644
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/RequestMapping.java
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/RequestMapping.java
@@ -1,11 +1,32 @@
 package org.springframework.web.bind.annotation;
 
-import java.lang.annotation.*;
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import org.springframework.core.annotation.AliasFor;
 
 @Target(value={ElementType.METHOD,ElementType.TYPE})
 @Retention(value=RetentionPolicy.RUNTIME)
 @Documented
+@Mapping
 public @interface RequestMapping {
+    String name() default "";
+
+    @AliasFor("path")
+    String[] value() default {};
+
+    @AliasFor("value")
+    String[] path() default {};
 
     RequestMethod[] method() default {};
+
+    String[] params() default {};
+
+    String[] headers() default {};
+
+    String[] consumes() default {};
+
+    String[] produces() default {};
 }
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/RequestParam.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/RequestParam.java
index 5ae52ad123f..56094811c37 100644
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/RequestParam.java
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/RequestParam.java
@@ -1,8 +1,23 @@
 package org.springframework.web.bind.annotation;
 
-import java.lang.annotation.*;
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import org.springframework.core.annotation.AliasFor;
 
-@Target(value=ElementType.PARAMETER)
-@Retention(value=RetentionPolicy.RUNTIME)
+@Target({ElementType.PARAMETER})
+@Retention(RetentionPolicy.RUNTIME)
 @Documented
-public @interface RequestParam { }
+public @interface RequestParam {
+    @AliasFor("name")
+    String value() default "";
+
+    @AliasFor("value")
+    String name() default "";
+
+    boolean required() default true;
+
+    String defaultValue() default "\n\t\t\n\t\t\n\ue000\ue001\ue002\n\t\t\t\t\n";
+}
diff --git a/java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/ResponseBody.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/ResponseBody.java
similarity index 100%
rename from java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/ResponseBody.java
rename to java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/ResponseBody.java

From 848940305122bb268b9baed789bc4ea2cc9e82e0 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Thu, 8 Apr 2021 16:18:03 +0200
Subject: [PATCH 0409/1429] Python: Add some tests for pathlib

---
 .../frameworks/stdlib/FileSystemAccess.py         | 15 +++++++++++++++
 .../frameworks/stdlib/SafeAccessCheck.py          |  4 ++--
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py b/python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py
index 109af9bd4fd..95824aa1e9e 100644
--- a/python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py
+++ b/python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py
@@ -16,3 +16,18 @@ builtins.open(file="filepath")  # $getAPathArgument="filepath"
 
 io.open("filepath")  # $getAPathArgument="filepath"
 io.open(file="filepath")  # $getAPathArgument="filepath"
+
+from pathlib import Path, PosixPath, WindowsPath
+
+p = Path("filepath")
+posix = PosixPath("posix/filepath")
+windows = WindowsPath("windows/filepath")
+
+p.chmod(0o777)  # MISSING: $getAPathArgument=p
+posix.chmod(0o777)  # MISSING: $getAPathArgument=posix
+windows.chmod(0o777)  # MISSING: $getAPathArgument=windows
+
+with p.open() as f:  # MISSING: $getAPathArgument=p
+    f.read()
+
+p.write_bytes(b"hello")  # MISSING: $getAPathArgument=p
diff --git a/python/ql/test/library-tests/frameworks/stdlib/SafeAccessCheck.py b/python/ql/test/library-tests/frameworks/stdlib/SafeAccessCheck.py
index d5a727311ff..69839c6dea9 100644
--- a/python/ql/test/library-tests/frameworks/stdlib/SafeAccessCheck.py
+++ b/python/ql/test/library-tests/frameworks/stdlib/SafeAccessCheck.py
@@ -3,6 +3,6 @@ s = "taintedString"
 if s.startswith("tainted"):  # $checks=s branch=true
     pass
 
-sw = s.startswith  # $ MISSING: checks=s branch=true
-if sw("safe"):
+sw = s.startswith
+if sw("safe"):  # $ MISSING: checks=s branch=true
     pass

From 2387dc640cb7d7aedf89250246d190057524595f Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Mon, 12 Apr 2021 07:51:11 +0200
Subject: [PATCH 0410/1429] Python: Attempts at modelling `pathlib`-`Path`s

---
 .../src/semmle/python/frameworks/Stdlib.qll   | 213 ++++++++++++++++++
 1 file changed, 213 insertions(+)

diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index 01df130d0db..cb508723fba 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -864,6 +864,219 @@ private module Stdlib {
   class Sqlite3 extends PEP249ModuleApiNode {
     Sqlite3() { this = API::moduleImport("sqlite3") }
   }
+
+  // ---------------------------------------------------------------------------
+  // pathlib
+  // ---------------------------------------------------------------------------
+  /** Gets a reference to the `pathlib` module. */
+  private API::Node pathlib() { result = API::moduleImport("pathlib") }
+
+  /**
+   * Gets a name of a constructor for a `pathlib.Path` object.
+   * We include the pure paths, as they can be "exported" (say with `as_posix`) and then used to acces the underlying file system.
+   */
+  private string pathlibPathConstructor() {
+    result in ["Path", "PurePath", "PurePosixPath", "PureWindowsPath", "PosixPath", "WindowsPath"]
+  }
+
+  /**
+   * Gets a name of an attribute of a `pathlib.Path` object that is also a `pathlib.Path` object.
+   */
+  private string pathlibPathAttribute() { result in ["parent"] }
+
+  /**
+   * Gets a name of a method of a `pathlib.Path` object that returns a `pathlib.Path` object.
+   */
+  private string pathlibPathMethod() { result in ["absolute", "relative_to"] }
+
+  /**
+   * Gets a name of a method of a `pathlib.Path` object that modifies a `pathlib.Path` object based on new data.
+   */
+  private string pathlibPathInjection() {
+    result in ["joinpath", "with_name", "with_stem", "with_suffix"]
+  }
+
+  /**
+   * Gets a name of an attribute of a `pathlib.Path` object that exports information about the `pathlib.Path` object.
+   */
+  private string pathlibPathAttributeExport() {
+    result in ["drive", "root", "anchor", "name", "suffix", "stem"]
+  }
+
+  /**
+   * Gets a name of a method of a `pathlib.Path` object that exports information about the `pathlib.Path` object.
+   */
+  private string pathlibPathMethodExport() { result in ["as_posix", "as_uri"] }
+
+  /**
+   * Gets a reference to a `pathlib.Path` object.
+   * This type tracker makes the monomorphic API use assumption.
+   */
+  private DataFlow::LocalSourceNode pathlibPath(DataFlow::TypeTracker t) {
+    // Type construction
+    t.start() and
+    result = pathlib().getMember(pathlibPathConstructor()).getACall()
+    or
+    // Type-preserving call
+    exists(DataFlow::AttrRead returnsPath, DataFlow::TypeTracker t2 |
+      returnsPath.getAttributeName() = pathlibPathMethod() and
+      returnsPath.getObject().getALocalSource() = pathlibPath(t2) and
+      t2.end()
+    |
+      t.start() and
+      result.(DataFlow::CallCfgNode).getFunction() = returnsPath
+    )
+    or
+    // Type-preserving attribute
+    exists(DataFlow::AttrRead isPath, DataFlow::TypeTracker t2 |
+      isPath.getAttributeName() = pathlibPathAttribute() and
+      isPath.getObject().getALocalSource() = pathlibPath(t2) and
+      t2.end()
+    |
+      t.start() and
+      result = isPath
+    )
+    or
+    // Data injection
+    exists(
+      BinaryExprNode slash, DataFlow::Node right, DataFlow::Node left, DataFlow::TypeTracker t2
+    |
+      slash.getOp() instanceof Div and
+      right.asCfgNode() = slash.getRight() and
+      left.asCfgNode() = slash.getLeft() and
+      left.getALocalSource() = pathlibPath(t2) and
+      t2.end()
+    |
+      t.start() and
+      result.asCfgNode() = slash
+    )
+    or
+    exists(DataFlow::AttrRead returnsPath, DataFlow::TypeTracker t2 |
+      returnsPath.getAttributeName() = pathlibPathInjection() and
+      returnsPath.getObject().getALocalSource() = pathlibPath(t2) and
+      t2.end()
+    |
+      t.start() and
+      result.(DataFlow::CallCfgNode).getFunction() = returnsPath
+    )
+    or
+    // Due to bad performance when using normal setup with `path(t2).track(t2, t)`
+    // we have inlined that code and forced a join
+    exists(DataFlow::TypeTracker t2 |
+      exists(DataFlow::StepSummary summary |
+        pathlibPath_first_join(t2, result, summary) and
+        t = t2.append(summary)
+      )
+    )
+  }
+
+  pragma[nomagic]
+  private predicate pathlibPath_first_join(
+    DataFlow::TypeTracker t2, DataFlow::Node res, DataFlow::StepSummary summary
+  ) {
+    DataFlow::StepSummary::step(pathlibPath(t2), res, summary)
+  }
+
+  /** Gets a reference to a `pathlib.Path` object. */
+  DataFlow::LocalSourceNode pathlibPath() { result = pathlibPath(DataFlow::TypeTracker::end()) }
+
+  private class PathlibFileAccess extends FileSystemAccess::Range, DataFlow::CallCfgNode {
+    DataFlow::AttrRead fileAccess;
+
+    PathlibFileAccess() {
+      fileAccess.getAttributeName() in [
+          "stat", "chmod", "exists", "expanduser", "glob", "group", "is_dir", "is_file", "is_mount",
+          "is_symlink", "is_socket", "is_fifo", "is_block_device", "is_char_device", "iter_dir",
+          "lchmod", "lstat", "mkdir", "open", "owner", "read_bytes", "read_text", "readlink",
+          "rename", "replace", "resolve", "rglob", "rmdir", "samefile", "symlink_to", "touch",
+          "unlink", "link_to", "write_bytes", "write_text"
+        ] and
+      fileAccess.getObject().getALocalSource() = pathlibPath() and
+      this.getFunction() = fileAccess
+    }
+
+    override DataFlow::Node getAPathArgument() { result = fileAccess.getObject() }
+  }
+
+  /** An additional taint steps for objects of type `pathlib.Path` */
+  private class PathlibPathTaintStep extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+      // Type construction
+      nodeTo = pathlib().getMember(pathlibPathConstructor()).getACall() and
+      nodeFrom = nodeTo.(DataFlow::CallCfgNode).getArg(_)
+      or
+      // Type preservation
+      nodeFrom.getALocalSource() = pathlibPath() and
+      nodeTo.getALocalSource() = pathlibPath() and
+      (
+        // Type-preserving call
+        exists(DataFlow::AttrRead returnsPath |
+          returnsPath.getAttributeName() = pathlibPathMethod()
+        |
+          nodeTo.(DataFlow::CallCfgNode).getFunction() = returnsPath and
+          nodeFrom = returnsPath.getObject()
+        )
+        or
+        // Type-preserving attribute
+        exists(DataFlow::AttrRead isPath | isPath.getAttributeName() = pathlibPathAttribute() |
+          nodeTo = isPath and
+          nodeFrom = isPath.getObject()
+        )
+      )
+      or
+      // Data injection
+      nodeTo.getALocalSource() = pathlibPath() and
+      (
+        // Special handling of the `/` operator
+        exists(BinaryExprNode slash, DataFlow::Node left |
+          slash.getOp() instanceof Div and
+          left.asCfgNode() = slash.getLeft() and
+          left.getALocalSource() = pathlibPath()
+        |
+          nodeTo.asCfgNode() = slash and
+          (
+            // type-preserving call
+            nodeFrom = left
+            or
+            // data injection
+            nodeFrom.asCfgNode() = slash.getRight()
+          )
+        )
+        or
+        // standard case
+        exists(DataFlow::AttrRead augmentsPath |
+          augmentsPath.getAttributeName() = pathlibPathInjection()
+        |
+          nodeTo.(DataFlow::CallCfgNode).getFunction() = augmentsPath and
+          (
+            // type-preserving call
+            nodeFrom = augmentsPath.getObject()
+            or
+            // data injection
+            nodeFrom = nodeTo.(DataFlow::CallCfgNode).getArg(_)
+          )
+        )
+      )
+      or
+      // Export data from type
+      nodeFrom.getALocalSource() = pathlibPath() and
+      (
+        // exporting attribute
+        exists(DataFlow::AttrRead export |
+          export.getAttributeName() = pathlibPathAttributeExport()
+        |
+          nodeTo = export and
+          nodeFrom = export.getObject()
+        )
+        or
+        // exporting call
+        exists(DataFlow::AttrRead export | export.getAttributeName() = pathlibPathMethodExport() |
+          nodeTo.(DataFlow::CallCfgNode).getFunction() = export and
+          nodeFrom = export.getObject()
+        )
+      )
+    }
+  }
 }
 
 // ---------------------------------------------------------------------------

From 52a9040d73af7310dcbd8338b60f909ed72408ee Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Thu, 15 Apr 2021 09:46:53 +0200
Subject: [PATCH 0411/1429] Python update tests

---
 .../frameworks/stdlib/FileSystemAccess.py           | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py b/python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py
index 95824aa1e9e..1703869d4f4 100644
--- a/python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py
+++ b/python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py
@@ -23,11 +23,14 @@ p = Path("filepath")
 posix = PosixPath("posix/filepath")
 windows = WindowsPath("windows/filepath")
 
-p.chmod(0o777)  # MISSING: $getAPathArgument=p
-posix.chmod(0o777)  # MISSING: $getAPathArgument=posix
-windows.chmod(0o777)  # MISSING: $getAPathArgument=windows
+p.chmod(0o777)  # $getAPathArgument=p
+posix.chmod(0o777)  # $getAPathArgument=posix
+windows.chmod(0o777)  # $getAPathArgument=windows
 
-with p.open() as f:  # MISSING: $getAPathArgument=p
+with p.open() as f:  # $getAPathArgument=p
     f.read()
 
-p.write_bytes(b"hello")  # MISSING: $getAPathArgument=p
+p.write_bytes(b"hello")  # $getAPathArgument=p
+
+name = windows.parent.name
+o(name)  # $getAPathArgument=name

From c9b2c7885ef3b33cb2e1639d217beb8048b0ff12 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Thu, 15 Apr 2021 10:14:35 +0200
Subject: [PATCH 0412/1429] Python: add changenote

---
 python/change-notes/2021-04-15-pathlib-Paths.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 python/change-notes/2021-04-15-pathlib-Paths.md

diff --git a/python/change-notes/2021-04-15-pathlib-Paths.md b/python/change-notes/2021-04-15-pathlib-Paths.md
new file mode 100644
index 00000000000..d92212c10f2
--- /dev/null
+++ b/python/change-notes/2021-04-15-pathlib-Paths.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added modeling of `pathlib` from the standard library to recognize `Path` objects constructed in various ways and resulting file accesses. This can lead to new results for `py/path-injection`.

From bd3b3178ba2a914567d831518490967676bfb0b0 Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Thu, 15 Apr 2021 09:16:51 +0100
Subject: [PATCH 0413/1429] Fix documentation of Modifier.qll

---
 java/ql/src/semmle/code/java/Modifier.qll | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/Modifier.qll b/java/ql/src/semmle/code/java/Modifier.qll
index 7fb9f982616..39cbe5a3c29 100755
--- a/java/ql/src/semmle/code/java/Modifier.qll
+++ b/java/ql/src/semmle/code/java/Modifier.qll
@@ -18,7 +18,9 @@ abstract class Modifiable extends Element {
    * Holds if this element has modifier `m`.
    *
    * For most purposes, the more specialized predicates `isAbstract`, `isPublic`, etc.
-   * should be used, which also take implicit modifiers into account.
+   * should be used.
+   *
+   * Both this method and those specialized predicates take implicit modifiers into account.
    * For instance, non-default instance methods in interfaces are implicitly
    * abstract, so `isAbstract()` will hold for them even if `hasModifier("abstract")`
    * does not.

From b4a2a9db255d64b1aa1da203e78326768b1153d5 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Thu, 15 Apr 2021 09:23:45 +0100
Subject: [PATCH 0414/1429] JS: Fix extraction of non-substitution template
 literal types

---
 .../ts/extractor/TypeScriptASTConverter.java      | 15 +++++++++------
 .../TemplateTypes/TemplateTypes.expected          |  6 ++++++
 .../TemplateTypes/TemplateTypes.ql                |  3 +++
 .../RegressionTests/TemplateTypes/tsconfig.json   |  3 +++
 .../RegressionTests/TemplateTypes/tst.ts          |  7 +++++++
 5 files changed, 28 insertions(+), 6 deletions(-)
 create mode 100644 javascript/ql/test/library-tests/TypeScript/RegressionTests/TemplateTypes/TemplateTypes.expected
 create mode 100644 javascript/ql/test/library-tests/TypeScript/RegressionTests/TemplateTypes/TemplateTypes.ql
 create mode 100644 javascript/ql/test/library-tests/TypeScript/RegressionTests/TemplateTypes/tsconfig.json
 create mode 100644 javascript/ql/test/library-tests/TypeScript/RegressionTests/TemplateTypes/tst.ts

diff --git a/javascript/extractor/src/com/semmle/ts/extractor/TypeScriptASTConverter.java b/javascript/extractor/src/com/semmle/ts/extractor/TypeScriptASTConverter.java
index 36d4f888618..f8ad99915c9 100644
--- a/javascript/extractor/src/com/semmle/ts/extractor/TypeScriptASTConverter.java
+++ b/javascript/extractor/src/com/semmle/ts/extractor/TypeScriptASTConverter.java
@@ -5,7 +5,6 @@ import java.util.Collections;
 import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
-import java.util.stream.Collectors;
 
 import com.google.gson.JsonArray;
 import com.google.gson.JsonElement;
@@ -1001,10 +1000,10 @@ public class TypeScriptASTConverter {
   private Node convertConditionalType(JsonObject node, SourceLocation loc) throws ParseError {
     return new ConditionalTypeExpr(
         loc,
-        convertChild(node, "checkType"),
-        convertChild(node, "extendsType"),
-        convertChild(node, "trueType"),
-        convertChild(node, "falseType"));
+        convertChildAsType(node, "checkType"),
+        convertChildAsType(node, "extendsType"),
+        convertChildAsType(node, "trueType"),
+        convertChildAsType(node, "falseType"));
   }
 
   private SourceLocation getSourceRange(Position from, Position to) {
@@ -1613,6 +1612,10 @@ public class TypeScriptASTConverter {
         literal = new Literal(loc, arg.getTokenType(), "-" + arg.getValue());
       }
     }
+    if (literal instanceof TemplateLiteral) {
+      // A LiteralType containing a NoSubstitutionTemplateLiteral must produce a TemplateLiteralTypeExpr
+      return new TemplateLiteralTypeExpr(literal.getLoc(), new ArrayList<>(), ((TemplateLiteral)literal).getQuasis());
+    }
     return literal;
   }
 
@@ -1842,7 +1845,7 @@ public class TypeScriptASTConverter {
   }
 
   private Node convertOptionalType(JsonObject node, SourceLocation loc) throws ParseError {
-    return new OptionalTypeExpr(loc, convertChild(node, "type"));
+    return new OptionalTypeExpr(loc, convertChildAsType(node, "type"));
   }
 
   private ITypeExpression asType(Node node) {
diff --git a/javascript/ql/test/library-tests/TypeScript/RegressionTests/TemplateTypes/TemplateTypes.expected b/javascript/ql/test/library-tests/TypeScript/RegressionTests/TemplateTypes/TemplateTypes.expected
new file mode 100644
index 00000000000..e713b3e4804
--- /dev/null
+++ b/javascript/ql/test/library-tests/TypeScript/RegressionTests/TemplateTypes/TemplateTypes.expected
@@ -0,0 +1,6 @@
+| tst.ts:2:11:2:21 | `foo ${T1}` |
+| tst.ts:4:45:4:49 | `foo` |
+| tst.ts:4:53:4:57 | `bar` |
+| tst.ts:5:46:5:50 | `foo` |
+| tst.ts:5:54:5:63 | `bar ${K}` |
+| tst.ts:7:15:7:19 | `foo` |
diff --git a/javascript/ql/test/library-tests/TypeScript/RegressionTests/TemplateTypes/TemplateTypes.ql b/javascript/ql/test/library-tests/TypeScript/RegressionTests/TemplateTypes/TemplateTypes.ql
new file mode 100644
index 00000000000..f08f5a201dd
--- /dev/null
+++ b/javascript/ql/test/library-tests/TypeScript/RegressionTests/TemplateTypes/TemplateTypes.ql
@@ -0,0 +1,3 @@
+import javascript
+
+query TemplateLiteralTypeExpr literalType() { any() }
diff --git a/javascript/ql/test/library-tests/TypeScript/RegressionTests/TemplateTypes/tsconfig.json b/javascript/ql/test/library-tests/TypeScript/RegressionTests/TemplateTypes/tsconfig.json
new file mode 100644
index 00000000000..82194fc7ab0
--- /dev/null
+++ b/javascript/ql/test/library-tests/TypeScript/RegressionTests/TemplateTypes/tsconfig.json
@@ -0,0 +1,3 @@
+{
+    "include": ["."]
+}
diff --git a/javascript/ql/test/library-tests/TypeScript/RegressionTests/TemplateTypes/tst.ts b/javascript/ql/test/library-tests/TypeScript/RegressionTests/TemplateTypes/tst.ts
new file mode 100644
index 00000000000..21718ea3b34
--- /dev/null
+++ b/javascript/ql/test/library-tests/TypeScript/RegressionTests/TemplateTypes/tst.ts
@@ -0,0 +1,7 @@
+type T1 = 'foo' | 'bar';
+type T2 = `foo ${T1}`;
+
+type FooToBar<K extends string> = K extends `foo` ? `bar` : K;
+type FooToBar2<K extends string> = K extends `foo` ? `bar ${K}` : K;
+
+type Tuple = [`foo`?];

From cb736c8c82b0a8f91e18e9dfd2b3a16f3b5194a2 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Thu, 15 Apr 2021 09:37:57 +0100
Subject: [PATCH 0415/1429] JS: Change note

---
 .../2021-04-15-typescript-template-literal-type-crash.md       | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 javascript/change-notes/2021-04-15-typescript-template-literal-type-crash.md

diff --git a/javascript/change-notes/2021-04-15-typescript-template-literal-type-crash.md b/javascript/change-notes/2021-04-15-typescript-template-literal-type-crash.md
new file mode 100644
index 00000000000..e08dbd54dd6
--- /dev/null
+++ b/javascript/change-notes/2021-04-15-typescript-template-literal-type-crash.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Fixed a bug that could cause extraction to fail when extracting a TypeScript
+  code base containing a template literal type without substitutions.

From 3eb18135847693e0e7d0494642aa4c12048c031b Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Thu, 15 Apr 2021 10:47:49 +0200
Subject: [PATCH 0416/1429] Python: update test expectations

---
 .../TestTaint.expected                        | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.expected b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.expected
index 2a48c5b5604..7ff94f218a3 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.expected
@@ -1,18 +1,18 @@
 | test_collections.py:16 | ok   | test_access | tainted_list.copy() |
 | test_collections.py:24 | ok   | list_clear | tainted_list |
 | test_collections.py:27 | fail | list_clear | tainted_list |
-| test_pathlib.py:26 | fail | test_basic | tainted_path |
-| test_pathlib.py:28 | fail | test_basic | tainted_pure_path |
-| test_pathlib.py:29 | fail | test_basic | tainted_pure_posix_path |
-| test_pathlib.py:30 | fail | test_basic | tainted_pure_windows_path |
-| test_pathlib.py:32 | fail | test_basic | BinaryExpr |
+| test_pathlib.py:26 | ok   | test_basic | tainted_path |
+| test_pathlib.py:28 | ok   | test_basic | tainted_pure_path |
+| test_pathlib.py:29 | ok   | test_basic | tainted_pure_posix_path |
+| test_pathlib.py:30 | ok   | test_basic | tainted_pure_windows_path |
+| test_pathlib.py:32 | ok   | test_basic | BinaryExpr |
 | test_pathlib.py:33 | fail | test_basic | BinaryExpr |
-| test_pathlib.py:35 | fail | test_basic | tainted_path.joinpath(..) |
-| test_pathlib.py:36 | fail | test_basic | pathlib.Path(..).joinpath(..) |
-| test_pathlib.py:37 | fail | test_basic | pathlib.Path(..).joinpath(..) |
-| test_pathlib.py:39 | fail | test_basic | str(..) |
-| test_pathlib.py:49 | fail | test_basic | tainted_posix_path |
-| test_pathlib.py:55 | fail | test_basic | tainted_windows_path |
+| test_pathlib.py:35 | ok   | test_basic | tainted_path.joinpath(..) |
+| test_pathlib.py:36 | ok   | test_basic | pathlib.Path(..).joinpath(..) |
+| test_pathlib.py:37 | ok   | test_basic | pathlib.Path(..).joinpath(..) |
+| test_pathlib.py:39 | ok   | test_basic | str(..) |
+| test_pathlib.py:49 | ok   | test_basic | tainted_posix_path |
+| test_pathlib.py:55 | ok   | test_basic | tainted_windows_path |
 | test_string.py:17 | ok   | str_methods | ts.casefold() |
 | test_string.py:19 | ok   | str_methods | ts.format_map(..) |
 | test_string.py:20 | ok   | str_methods | "{unsafe}".format_map(..) |

From 02e41d8018180dd0248c9fae5db610c213934298 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Thu, 15 Apr 2021 10:49:22 +0200
Subject: [PATCH 0417/1429] Python: update annotations This because `resolve`
 accesses the file system, I am open to not include that fact in the
 modelling.

---
 .../library-tests/frameworks/django-v2-v3/testproj/settings.py  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py b/python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py
index 4e34a751a6f..1339a14312c 100644
--- a/python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py
+++ b/python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py
@@ -13,7 +13,7 @@ https://docs.djangoproject.com/en/3.1/ref/settings/
 from pathlib import Path
 
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
-BASE_DIR = Path(__file__).resolve().parent.parent
+BASE_DIR = Path(__file__).resolve().parent.parent  #$ getAPathArgument=Path()
 
 
 # Quick-start development settings - unsuitable for production

From d361d999b7ad57a0f0d87a25f762bbd9d0b0d21f Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Thu, 15 Apr 2021 10:55:09 +0200
Subject: [PATCH 0418/1429] Python: add some path returning functions that were
 only listed as file sytem accesses.

---
 python/ql/src/semmle/python/frameworks/Stdlib.qll | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index cb508723fba..739872e4483 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -887,7 +887,9 @@ private module Stdlib {
   /**
    * Gets a name of a method of a `pathlib.Path` object that returns a `pathlib.Path` object.
    */
-  private string pathlibPathMethod() { result in ["absolute", "relative_to"] }
+  private string pathlibPathMethod() {
+    result in ["absolute", "relative_to", "rename", "replace", "resolve"]
+  }
 
   /**
    * Gets a name of a method of a `pathlib.Path` object that modifies a `pathlib.Path` object based on new data.

From f8570bb293b257444413398aa073ee263203afd3 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Thu, 15 Apr 2021 10:16:46 +0100
Subject: [PATCH 0419/1429] JS: Update TRAP

---
 .../ts/output/trap/importNonStrings.ts.trap   | 273 ++++++++++++++++--
 1 file changed, 244 insertions(+), 29 deletions(-)

diff --git a/javascript/extractor/tests/ts/output/trap/importNonStrings.ts.trap b/javascript/extractor/tests/ts/output/trap/importNonStrings.ts.trap
index c5fc95ddcb8..af044be98c8 100644
--- a/javascript/extractor/tests/ts/output/trap/importNonStrings.ts.trap
+++ b/javascript/extractor/tests/ts/output/trap/importNonStrings.ts.trap
@@ -9,34 +9,249 @@ hasLocation(#10000,#10002)
 #20000=@"global_scope"
 scopes(#20000,0)
 #20001=@"script;{#10000},1,1"
+#20002=*
+lines(#20002,#20001,"type X = import(3);","
+")
+#20003=@"loc,{#10000},1,1,1,19"
+locations_default(#20003,#10000,1,1,1,19)
+hasLocation(#20002,#20003)
+#20004=*
+lines(#20004,#20001,"type Y = import(`Foo`);","
+")
+#20005=@"loc,{#10000},2,1,2,23"
+locations_default(#20005,#10000,2,1,2,23)
+hasLocation(#20004,#20005)
+#20006=*
+lines(#20006,#20001,"type Z = import(Y);","
+")
+#20007=@"loc,{#10000},3,1,3,19"
+locations_default(#20007,#10000,3,1,3,19)
+hasLocation(#20006,#20007)
+numlines(#20001,3,3,0)
+#20008=*
+tokeninfo(#20008,7,#20001,0,"type")
+#20009=@"loc,{#10000},1,1,1,4"
+locations_default(#20009,#10000,1,1,1,4)
+hasLocation(#20008,#20009)
+#20010=*
+tokeninfo(#20010,6,#20001,1,"X")
+#20011=@"loc,{#10000},1,6,1,6"
+locations_default(#20011,#10000,1,6,1,6)
+hasLocation(#20010,#20011)
+#20012=*
+tokeninfo(#20012,8,#20001,2,"=")
+#20013=@"loc,{#10000},1,8,1,8"
+locations_default(#20013,#10000,1,8,1,8)
+hasLocation(#20012,#20013)
+#20014=*
+tokeninfo(#20014,7,#20001,3,"import")
+#20015=@"loc,{#10000},1,10,1,15"
+locations_default(#20015,#10000,1,10,1,15)
+hasLocation(#20014,#20015)
+#20016=*
+tokeninfo(#20016,8,#20001,4,"(")
+#20017=@"loc,{#10000},1,16,1,16"
+locations_default(#20017,#10000,1,16,1,16)
+hasLocation(#20016,#20017)
+#20018=*
+tokeninfo(#20018,3,#20001,5,"3")
+#20019=@"loc,{#10000},1,17,1,17"
+locations_default(#20019,#10000,1,17,1,17)
+hasLocation(#20018,#20019)
+#20020=*
+tokeninfo(#20020,8,#20001,6,")")
+#20021=@"loc,{#10000},1,18,1,18"
+locations_default(#20021,#10000,1,18,1,18)
+hasLocation(#20020,#20021)
+#20022=*
+tokeninfo(#20022,8,#20001,7,";")
+#20023=@"loc,{#10000},1,19,1,19"
+locations_default(#20023,#10000,1,19,1,19)
+hasLocation(#20022,#20023)
+#20024=*
+tokeninfo(#20024,7,#20001,8,"type")
+#20025=@"loc,{#10000},2,1,2,4"
+locations_default(#20025,#10000,2,1,2,4)
+hasLocation(#20024,#20025)
+#20026=*
+tokeninfo(#20026,6,#20001,9,"Y")
+#20027=@"loc,{#10000},2,6,2,6"
+locations_default(#20027,#10000,2,6,2,6)
+hasLocation(#20026,#20027)
+#20028=*
+tokeninfo(#20028,8,#20001,10,"=")
+#20029=@"loc,{#10000},2,8,2,8"
+locations_default(#20029,#10000,2,8,2,8)
+hasLocation(#20028,#20029)
+#20030=*
+tokeninfo(#20030,7,#20001,11,"import")
+#20031=@"loc,{#10000},2,10,2,15"
+locations_default(#20031,#10000,2,10,2,15)
+hasLocation(#20030,#20031)
+#20032=*
+tokeninfo(#20032,8,#20001,12,"(")
+#20033=@"loc,{#10000},2,16,2,16"
+locations_default(#20033,#10000,2,16,2,16)
+hasLocation(#20032,#20033)
+#20034=*
+tokeninfo(#20034,4,#20001,13,"`Foo`")
+#20035=@"loc,{#10000},2,17,2,21"
+locations_default(#20035,#10000,2,17,2,21)
+hasLocation(#20034,#20035)
+#20036=*
+tokeninfo(#20036,8,#20001,14,")")
+#20037=@"loc,{#10000},2,22,2,22"
+locations_default(#20037,#10000,2,22,2,22)
+hasLocation(#20036,#20037)
+#20038=*
+tokeninfo(#20038,8,#20001,15,";")
+#20039=@"loc,{#10000},2,23,2,23"
+locations_default(#20039,#10000,2,23,2,23)
+hasLocation(#20038,#20039)
+#20040=*
+tokeninfo(#20040,7,#20001,16,"type")
+#20041=@"loc,{#10000},3,1,3,4"
+locations_default(#20041,#10000,3,1,3,4)
+hasLocation(#20040,#20041)
+#20042=*
+tokeninfo(#20042,6,#20001,17,"Z")
+#20043=@"loc,{#10000},3,6,3,6"
+locations_default(#20043,#10000,3,6,3,6)
+hasLocation(#20042,#20043)
+#20044=*
+tokeninfo(#20044,8,#20001,18,"=")
+#20045=@"loc,{#10000},3,8,3,8"
+locations_default(#20045,#10000,3,8,3,8)
+hasLocation(#20044,#20045)
+#20046=*
+tokeninfo(#20046,7,#20001,19,"import")
+#20047=@"loc,{#10000},3,10,3,15"
+locations_default(#20047,#10000,3,10,3,15)
+hasLocation(#20046,#20047)
+#20048=*
+tokeninfo(#20048,8,#20001,20,"(")
+#20049=@"loc,{#10000},3,16,3,16"
+locations_default(#20049,#10000,3,16,3,16)
+hasLocation(#20048,#20049)
+#20050=*
+tokeninfo(#20050,6,#20001,21,"Y")
+#20051=@"loc,{#10000},3,17,3,17"
+locations_default(#20051,#10000,3,17,3,17)
+hasLocation(#20050,#20051)
+#20052=*
+tokeninfo(#20052,8,#20001,22,")")
+#20053=@"loc,{#10000},3,18,3,18"
+locations_default(#20053,#10000,3,18,3,18)
+hasLocation(#20052,#20053)
+#20054=*
+tokeninfo(#20054,8,#20001,23,";")
+#20055=@"loc,{#10000},3,19,3,19"
+locations_default(#20055,#10000,3,19,3,19)
+hasLocation(#20054,#20055)
+#20056=*
+tokeninfo(#20056,0,#20001,24,"")
+#20057=@"loc,{#10000},4,1,4,0"
+locations_default(#20057,#10000,4,1,4,0)
+hasLocation(#20056,#20057)
 toplevels(#20001,0)
-#20002=@"loc,{#10000},1,1,1,1"
-locations_default(#20002,#10000,1,1,1,1)
-hasLocation(#20001,#20002)
-#20003=*
-js_parse_errors(#20003,#20001,"Error: Unsupported syntax in import","type Y = import(`Foo`);
-")
-#20004=@"loc,{#10000},2,10,2,10"
-locations_default(#20004,#10000,2,10,2,10)
-hasLocation(#20003,#20004)
-#20005=*
-lines(#20005,#20001,"type X = import(3);","
-")
-#20006=@"loc,{#10000},1,1,1,19"
-locations_default(#20006,#10000,1,1,1,19)
-hasLocation(#20005,#20006)
-#20007=*
-lines(#20007,#20001,"type Y = import(`Foo`);","
-")
-#20008=@"loc,{#10000},2,1,2,23"
-locations_default(#20008,#10000,2,1,2,23)
-hasLocation(#20007,#20008)
-#20009=*
-lines(#20009,#20001,"type Z = import(Y);","
-")
-#20010=@"loc,{#10000},3,1,3,19"
-locations_default(#20010,#10000,3,1,3,19)
-hasLocation(#20009,#20010)
-numlines(#20001,3,0,0)
-numlines(#10000,3,0,0)
+#20058=@"loc,{#10000},1,1,4,0"
+locations_default(#20058,#10000,1,1,4,0)
+hasLocation(#20001,#20058)
+#20059=@"local_type_name;{X};{#20000}"
+local_type_names(#20059,"X",#20000)
+#20060=@"local_type_name;{Y};{#20000}"
+local_type_names(#20060,"Y",#20000)
+#20061=@"local_type_name;{Z};{#20000}"
+local_type_names(#20061,"Z",#20000)
+#20062=*
+stmts(#20062,35,#20001,0,"type X = import(3);")
+hasLocation(#20062,#20003)
+stmt_containers(#20062,#20001)
+#20063=*
+typeexprs(#20063,1,#20062,0,"X")
+hasLocation(#20063,#20011)
+enclosing_stmt(#20063,#20062)
+expr_containers(#20063,#20001)
+literals("X","X",#20063)
+typedecl(#20063,#20059)
+#20064=*
+typeexprs(#20064,30,#20062,1,"import(3)")
+#20065=@"loc,{#10000},1,10,1,18"
+locations_default(#20065,#10000,1,10,1,18)
+hasLocation(#20064,#20065)
+enclosing_stmt(#20064,#20062)
+expr_containers(#20064,#20001)
+#20066=*
+typeexprs(#20066,4,#20064,0,"3")
+hasLocation(#20066,#20019)
+enclosing_stmt(#20066,#20062)
+expr_containers(#20066,#20001)
+literals("3","3",#20066)
+#20067=*
+stmts(#20067,35,#20001,1,"type Y  ... `Foo`);")
+hasLocation(#20067,#20005)
+stmt_containers(#20067,#20001)
+#20068=*
+typeexprs(#20068,1,#20067,0,"Y")
+hasLocation(#20068,#20027)
+enclosing_stmt(#20068,#20067)
+expr_containers(#20068,#20001)
+literals("Y","Y",#20068)
+typedecl(#20068,#20060)
+#20069=*
+typeexprs(#20069,30,#20067,1,"import(`Foo`)")
+#20070=@"loc,{#10000},2,10,2,22"
+locations_default(#20070,#10000,2,10,2,22)
+hasLocation(#20069,#20070)
+enclosing_stmt(#20069,#20067)
+expr_containers(#20069,#20001)
+#20071=*
+typeexprs(#20071,37,#20069,0,"`Foo`")
+hasLocation(#20071,#20035)
+enclosing_stmt(#20071,#20067)
+expr_containers(#20071,#20001)
+#20072=*
+typeexprs(#20072,3,#20071,0,"`Foo`")
+hasLocation(#20072,#20035)
+enclosing_stmt(#20072,#20067)
+expr_containers(#20072,#20001)
+literals("Foo","Foo",#20072)
+#20073=*
+stmts(#20073,35,#20001,2,"type Z = import(Y);")
+hasLocation(#20073,#20007)
+stmt_containers(#20073,#20001)
+#20074=*
+typeexprs(#20074,1,#20073,0,"Z")
+hasLocation(#20074,#20043)
+enclosing_stmt(#20074,#20073)
+expr_containers(#20074,#20001)
+literals("Z","Z",#20074)
+typedecl(#20074,#20061)
+#20075=*
+typeexprs(#20075,30,#20073,1,"import(Y)")
+#20076=@"loc,{#10000},3,10,3,18"
+locations_default(#20076,#10000,3,10,3,18)
+hasLocation(#20075,#20076)
+enclosing_stmt(#20075,#20073)
+expr_containers(#20075,#20001)
+#20077=*
+typeexprs(#20077,0,#20075,0,"Y")
+hasLocation(#20077,#20051)
+enclosing_stmt(#20077,#20073)
+expr_containers(#20077,#20001)
+literals("Y","Y",#20077)
+typebind(#20077,#20060)
+#20078=*
+entry_cfg_node(#20078,#20001)
+#20079=@"loc,{#10000},1,1,1,0"
+locations_default(#20079,#10000,1,1,1,0)
+hasLocation(#20078,#20079)
+#20080=*
+exit_cfg_node(#20080,#20001)
+hasLocation(#20080,#20057)
+successor(#20073,#20080)
+successor(#20067,#20073)
+successor(#20062,#20067)
+successor(#20078,#20062)
+numlines(#10000,3,3,0)
 filetype(#10000,"typescript")

From 0f24db8759b822f8db969bf71f95e4c184e72c40 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 12 Apr 2021 14:41:28 +0200
Subject: [PATCH 0420/1429] C#: Improve performance of
 `SsaImpl::CallGraph::SimpleDelegateAnalysis`

---
 .../code/csharp/dataflow/internal/SsaImpl.qll | 152 ++++++++++++++----
 1 file changed, 121 insertions(+), 31 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImpl.qll
index 41da2b8f0b5..63d6c902fed 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImpl.qll
@@ -268,56 +268,146 @@ private module CallGraph {
         )
     }
 
+    /**
+     * A simple flow step that does not take flow through fields or flow out
+     * of callables into account.
+     */
+    pragma[nomagic]
     private predicate delegateFlowStep(Expr pred, Expr succ) {
       Steps::stepClosed(pred, succ)
       or
-      exists(Call call, Callable callable |
-        callable.getUnboundDeclaration().canReturn(pred) and
-        call = succ
-      |
-        callable = call.getTarget() or
-        callable = call.getTarget().(Method).getAnOverrider+() or
-        callable = call.getTarget().(Method).getAnUltimateImplementor() or
-        callable = getARuntimeDelegateTarget(call, false)
-      )
-      or
       pred = succ.(DelegateCreation).getArgument()
       or
-      exists(AssignableDefinition def, Assignable a |
-        a instanceof Field or
-        a instanceof Property
-      |
-        a = def.getTarget() and
-        succ.(AssignableRead) = a.getAnAccess() and
-        pred = def.getSource()
-      )
-      or
       exists(AddEventExpr ae | succ.(EventAccess).getTarget() = ae.getTarget() |
         pred = ae.getRValue()
       )
     }
 
-    private predicate reachesDelegateCall(Expr e) {
-      delegateCall(_, e, _)
+    private predicate delegateCreationReaches(Callable c, Expr e) {
+      delegateCreation(e, c, _)
       or
-      exists(Expr mid | reachesDelegateCall(mid) | delegateFlowStep(e, mid))
+      exists(Expr mid |
+        delegateCreationReaches(c, mid) and
+        delegateFlowStep(mid, e)
+      )
     }
 
-    pragma[nomagic]
-    private predicate delegateFlowStepReaches(Expr pred, Expr succ) {
-      delegateFlowStep(pred, succ) and
-      reachesDelegateCall(succ)
+    private predicate reachesDelegateCall(Expr e, Call c, boolean libraryDelegateCall) {
+      delegateCall(c, e, libraryDelegateCall)
+      or
+      exists(Expr mid |
+        reachesDelegateCall(mid, c, libraryDelegateCall) and
+        delegateFlowStep(e, mid)
+      )
     }
 
-    private Expr delegateCallSource(Callable c) {
-      delegateCreation(result, c, _)
-      or
-      delegateFlowStepReaches(delegateCallSource(c), result)
+    /**
+     * A "busy" flow element, that is, a node in the data-flow graph that typically
+     * has a large fan-in or a large fan-out (or both).
+     *
+     * For such busy elements, we do not track flow directly from all delegate
+     * creations, but instead we first perform a flow analysis between busy elements,
+     * and then only in the end join up with delegate creations and delegate calls.
+     */
+    abstract private class BusyFlowElement extends Element {
+      pragma[nomagic]
+      abstract Expr getAnInput();
+
+      pragma[nomagic]
+      abstract Expr getAnOutput();
+
+      /** Holds if this element can be reached from expression `e`. */
+      pragma[nomagic]
+      private predicate exprReaches(Expr e) {
+        this.reachesCall(_) and
+        e = this.getAnInput()
+        or
+        exists(Expr mid |
+          this.exprReaches(mid) and
+          delegateFlowStep(e, mid)
+        )
+      }
+
+      /**
+       * Holds if this element can reach a delegate call `c` directly without
+       * passing through another busy element.
+       */
+      pragma[nomagic]
+      predicate delegateCall(Call c, boolean libraryDelegateCall) {
+        reachesDelegateCall(this.getAnOutput(), c, libraryDelegateCall)
+      }
+
+      pragma[nomagic]
+      private BusyFlowElement getASuccessor() { result.exprReaches(this.getAnOutput()) }
+
+      /**
+       * Holds if this element reaches another busy element `other`,
+       * which can reach a delegate call directly without passing
+       * through another busy element.
+       */
+      pragma[nomagic]
+      private predicate reachesCall(BusyFlowElement other) {
+        this = other and
+        other.delegateCall(_, _)
+        or
+        this.getASuccessor().reachesCall(other)
+      }
+
+      /** Holds if this element is reached by a delegate creation for `c`. */
+      pragma[nomagic]
+      predicate isReachedBy(Callable c) {
+        exists(BusyFlowElement pred |
+          pred.reachesCall(this) and
+          delegateCreationReaches(c, pred.getAnInput())
+        )
+      }
+    }
+
+    private class TFieldOrProperty = @field or @property;
+
+    private class FieldOrPropertyFlow extends BusyFlowElement, Assignable, TFieldOrProperty {
+      final override Expr getAnInput() {
+        exists(Assignable target |
+          target = this.getUnboundDeclaration() and
+          result = target.getAnAssignedValue()
+        )
+      }
+
+      final override AssignableRead getAnOutput() {
+        exists(Assignable target |
+          target = this.getUnboundDeclaration() and
+          result = target.getAnAccess()
+        )
+      }
+    }
+
+    private class CallOutputFlow extends BusyFlowElement, Callable {
+      final override Expr getAnInput() { this.canReturn(result) }
+
+      final override Call getAnOutput() {
+        exists(Callable target | this = target.getUnboundDeclaration() |
+          target = result.getTarget() or
+          target = result.getTarget().(Method).getAnOverrider+() or
+          target = result.getTarget().(Method).getAnUltimateImplementor() or
+          target = getARuntimeDelegateTarget(result, false)
+        )
+      }
     }
 
     /** Gets a run-time target for the delegate call `c`. */
+    pragma[nomagic]
     Callable getARuntimeDelegateTarget(Call c, boolean libraryDelegateCall) {
-      delegateCall(c, delegateCallSource(result), libraryDelegateCall)
+      // directly resolvable without going through a "busy" element
+      exists(Expr e |
+        delegateCreationReaches(result, e) and
+        delegateCall(c, e, libraryDelegateCall)
+      )
+      or
+      // resolvable by going through one or more "busy" elements
+      exists(BusyFlowElement busy |
+        busy.isReachedBy(result) and
+        busy.delegateCall(c, libraryDelegateCall)
+      )
     }
   }
 

From 5d05e4d22413e5e78b0e1834fddf73deaa3c8016 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Thu, 15 Apr 2021 17:28:53 +0800
Subject: [PATCH 0421/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index 8220745e667..07ed446dcdf 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -21,7 +21,7 @@ abstract class RequestGetMethod extends Method {
 
 /** Override method of `doGet` of `Servlet` subclass. */
 private class ServletGetMethod extends RequestGetMethod {
-  ServletGetMethod() { this instanceof DoGetServletMethod }
+  ServletGetMethod() { isServletRequestMethod(this) and m.getName() = "doGet" }
 }
 
 /** The method of SpringController class processing `get` request. */

From 583d0889e257be00ee2d60b15d0a3ac401fbb644 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Thu, 15 Apr 2021 17:40:51 +0800
Subject: [PATCH 0422/1429] delete tomcat-embed-core stub, update the
 ServletGetMethod class

---
 .../CWE/CWE-352/JsonpInjectionLib.qll         |   2 +-
 .../semmle/code/java/frameworks/Servlets.qll  |  10 --
 .../javax/servlet/Filter.java                 |  13 --
 .../javax/servlet/FilterChain.java            |   8 --
 .../javax/servlet/FilterConfig.java           |   3 -
 .../javax/servlet/ServletException.java       |   8 --
 .../javax/servlet/ServletRequest.java         |  87 -------------
 .../javax/servlet/ServletResponse.java        |  39 ------
 .../javax/servlet/annotation/WebServlet.java  |  30 -----
 .../servlet/http/HttpServletRequest.java      | 116 ------------------
 .../servlet/http/HttpServletResponse.java     | 106 ----------------
 11 files changed, 1 insertion(+), 421 deletions(-)
 delete mode 100644 java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/Filter.java
 delete mode 100644 java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/FilterChain.java
 delete mode 100644 java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/FilterConfig.java
 delete mode 100644 java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletException.java
 delete mode 100644 java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletRequest.java
 delete mode 100644 java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletResponse.java
 delete mode 100644 java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/annotation/WebServlet.java
 delete mode 100644 java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/http/HttpServletRequest.java
 delete mode 100644 java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/http/HttpServletResponse.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index 07ed446dcdf..8c7433fd1b6 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -21,7 +21,7 @@ abstract class RequestGetMethod extends Method {
 
 /** Override method of `doGet` of `Servlet` subclass. */
 private class ServletGetMethod extends RequestGetMethod {
-  ServletGetMethod() { isServletRequestMethod(this) and m.getName() = "doGet" }
+  ServletGetMethod() { isServletRequestMethod(this) and this.getName() = "doGet" }
 }
 
 /** The method of SpringController class processing `get` request. */
diff --git a/java/ql/src/semmle/code/java/frameworks/Servlets.qll b/java/ql/src/semmle/code/java/frameworks/Servlets.qll
index c733023bbdc..08d5a80dd81 100644
--- a/java/ql/src/semmle/code/java/frameworks/Servlets.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Servlets.qll
@@ -361,13 +361,3 @@ predicate isDoFilterMethod(Method m) {
   m.getParameter(1).getType() instanceof ServletResponse and
   m.getParameter(2).getType() instanceof FilterChain
 }
-
-/** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
-predicate isGetServletMethod(Method m) {
-  isServletRequestMethod(m) and m.getName() = "doGet"
-}
-
-/** The `doGet` method of `HttpServlet`. */
-class DoGetServletMethod extends Method {
-  DoGetServletMethod() { isGetServletMethod(this) }
-}
diff --git a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/Filter.java b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/Filter.java
deleted file mode 100644
index 5833e3c909d..00000000000
--- a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/Filter.java
+++ /dev/null
@@ -1,13 +0,0 @@
-package javax.servlet;
-
-import java.io.IOException;
-
-public interface Filter {
-    default void init(FilterConfig filterConfig) throws ServletException {
-    }
-
-    void doFilter(ServletRequest var1, ServletResponse var2, FilterChain var3) throws IOException, ServletException;
-
-    default void destroy() {
-    }
-}
diff --git a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/FilterChain.java b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/FilterChain.java
deleted file mode 100644
index 6a1dfc588b6..00000000000
--- a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/FilterChain.java
+++ /dev/null
@@ -1,8 +0,0 @@
-package javax.servlet;
-
-import java.io.IOException;
-
-public interface FilterChain {
-    void doFilter(ServletRequest var1, ServletResponse var2) throws IOException, ServletException;
-}
-
diff --git a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/FilterConfig.java b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/FilterConfig.java
deleted file mode 100644
index 66c13eb54f0..00000000000
--- a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/FilterConfig.java
+++ /dev/null
@@ -1,3 +0,0 @@
-package javax.servlet;
-
-public interface FilterConfig {}
diff --git a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletException.java b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletException.java
deleted file mode 100644
index ce5f7c4465a..00000000000
--- a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletException.java
+++ /dev/null
@@ -1,8 +0,0 @@
-package javax.servlet;
-
-public class ServletException extends Exception {
-    private static final long serialVersionUID = 1L;
-
-    public ServletException() {
-    }
-}
diff --git a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletRequest.java b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletRequest.java
deleted file mode 100644
index 4ee0026d066..00000000000
--- a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletRequest.java
+++ /dev/null
@@ -1,87 +0,0 @@
-package javax.servlet;
-
-import java.io.BufferedReader;
-import java.io.IOException;
-import java.io.UnsupportedEncodingException;
-import java.util.Enumeration;
-import java.util.Locale;
-import java.util.Map;
-
-public interface ServletRequest {
-    Object getAttribute(String var1);
-
-    Enumeration<String> getAttributeNames();
-
-    String getCharacterEncoding();
-
-    void setCharacterEncoding(String var1) throws UnsupportedEncodingException;
-
-    int getContentLength();
-
-    long getContentLengthLong();
-
-    String getContentType();
-
-    ServletInputStream getInputStream() throws IOException;
-
-    String getParameter(String var1);
-
-    Enumeration<String> getParameterNames();
-
-    String[] getParameterValues(String var1);
-
-    Map<String, String[]> getParameterMap();
-
-    String getProtocol();
-
-    String getScheme();
-
-    String getServerName();
-
-    int getServerPort();
-
-    BufferedReader getReader() throws IOException;
-
-    String getRemoteAddr();
-
-    String getRemoteHost();
-
-    void setAttribute(String var1, Object var2);
-
-    void removeAttribute(String var1);
-
-    Locale getLocale();
-
-    Enumeration<Locale> getLocales();
-
-    boolean isSecure();
-
-    RequestDispatcher getRequestDispatcher(String var1);
-
-    /** @deprecated */
-    @Deprecated
-    String getRealPath(String var1);
-
-    int getRemotePort();
-
-    String getLocalName();
-
-    String getLocalAddr();
-
-    int getLocalPort();
-
-    ServletContext getServletContext();
-
-    AsyncContext startAsync() throws IllegalStateException;
-
-    AsyncContext startAsync(ServletRequest var1, ServletResponse var2) throws IllegalStateException;
-
-    boolean isAsyncStarted();
-
-    boolean isAsyncSupported();
-
-    AsyncContext getAsyncContext();
-
-    DispatcherType getDispatcherType();
-}
-
diff --git a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletResponse.java b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletResponse.java
deleted file mode 100644
index 0aa6121e686..00000000000
--- a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/ServletResponse.java
+++ /dev/null
@@ -1,39 +0,0 @@
-package javax.servlet;
-
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.util.Locale;
-
-public interface ServletResponse {
-    String getCharacterEncoding();
-
-    String getContentType();
-
-    ServletOutputStream getOutputStream() throws IOException;
-
-    PrintWriter getWriter() throws IOException;
-
-    void setCharacterEncoding(String var1);
-
-    void setContentLength(int var1);
-
-    void setContentLengthLong(long var1);
-
-    void setContentType(String var1);
-
-    void setBufferSize(int var1);
-
-    int getBufferSize();
-
-    void flushBuffer() throws IOException;
-
-    void resetBuffer();
-
-    boolean isCommitted();
-
-    void reset();
-
-    void setLocale(Locale var1);
-
-    Locale getLocale();
-}
diff --git a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/annotation/WebServlet.java b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/annotation/WebServlet.java
deleted file mode 100644
index cc255efc00f..00000000000
--- a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/annotation/WebServlet.java
+++ /dev/null
@@ -1,30 +0,0 @@
-package javax.servlet.annotation;
-
-import java.lang.annotation.Documented;
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-@Target({ElementType.TYPE})
-@Retention(RetentionPolicy.RUNTIME)
-@Documented
-public @interface WebServlet {
-    String name() default "";
-
-    String[] value() default {};
-
-    String[] urlPatterns() default {};
-
-    int loadOnStartup() default -1;
-
-    boolean asyncSupported() default false;
-
-    String smallIcon() default "";
-
-    String largeIcon() default "";
-
-    String description() default "";
-
-    String displayName() default "";
-}
diff --git a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/http/HttpServletRequest.java b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/http/HttpServletRequest.java
deleted file mode 100644
index 02d53a96a33..00000000000
--- a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/http/HttpServletRequest.java
+++ /dev/null
@@ -1,116 +0,0 @@
-package javax.servlet.http;
-
-import java.io.IOException;
-import java.security.Principal;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Enumeration;
-import java.util.Map;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-
-public interface HttpServletRequest extends ServletRequest {
-    String BASIC_AUTH = "BASIC";
-    String FORM_AUTH = "FORM";
-    String CLIENT_CERT_AUTH = "CLIENT_CERT";
-    String DIGEST_AUTH = "DIGEST";
-
-    String getAuthType();
-
-    Cookie[] getCookies();
-
-    long getDateHeader(String var1);
-
-    String getHeader(String var1);
-
-    Enumeration<String> getHeaders(String var1);
-
-    Enumeration<String> getHeaderNames();
-
-    int getIntHeader(String var1);
-
-    default HttpServletMapping getHttpServletMapping() {
-        return new HttpServletMapping() {
-            public String getMatchValue() {
-                return "";
-            }
-
-            public String getPattern() {
-                return "";
-            }
-
-            public String getServletName() {
-                return "";
-            }
-
-            public MappingMatch getMappingMatch() {
-                return null;
-            }
-        };
-    }
-
-    String getMethod();
-
-    String getPathInfo();
-
-    String getPathTranslated();
-
-    default PushBuilder newPushBuilder() {
-        return null;
-    }
-
-    String getContextPath();
-
-    String getQueryString();
-
-    String getRemoteUser();
-
-    boolean isUserInRole(String var1);
-
-    Principal getUserPrincipal();
-
-    String getRequestedSessionId();
-
-    String getRequestURI();
-
-    StringBuffer getRequestURL();
-
-    String getServletPath();
-
-    HttpSession getSession(boolean var1);
-
-    HttpSession getSession();
-
-    String changeSessionId();
-
-    boolean isRequestedSessionIdValid();
-
-    boolean isRequestedSessionIdFromCookie();
-
-    boolean isRequestedSessionIdFromURL();
-
-    /** @deprecated */
-    @Deprecated
-    boolean isRequestedSessionIdFromUrl();
-
-    boolean authenticate(HttpServletResponse var1) throws IOException, ServletException;
-
-    void login(String var1, String var2) throws ServletException;
-
-    void logout() throws ServletException;
-
-    Collection<Part> getParts() throws IOException, ServletException;
-
-    Part getPart(String var1) throws IOException, ServletException;
-
-    <T extends HttpUpgradeHandler> T upgrade(Class<T> var1) throws IOException, ServletException;
-
-    default Map<String, String> getTrailerFields() {
-        return Collections.emptyMap();
-    }
-
-    default boolean isTrailerFieldsReady() {
-        return false;
-    }
-}
-
diff --git a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/http/HttpServletResponse.java b/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/http/HttpServletResponse.java
deleted file mode 100644
index 0a2c6af0913..00000000000
--- a/java/ql/test/stubs/tomcat-embed-core-9.0.41/javax/servlet/http/HttpServletResponse.java
+++ /dev/null
@@ -1,106 +0,0 @@
-package javax.servlet.http;
-
-import java.io.IOException;
-import java.util.Collection;
-import java.util.Map;
-import java.util.function.Supplier;
-import javax.servlet.ServletResponse;
-
-public interface HttpServletResponse extends ServletResponse {
-    int SC_CONTINUE = 100;
-    int SC_SWITCHING_PROTOCOLS = 101;
-    int SC_OK = 200;
-    int SC_CREATED = 201;
-    int SC_ACCEPTED = 202;
-    int SC_NON_AUTHORITATIVE_INFORMATION = 203;
-    int SC_NO_CONTENT = 204;
-    int SC_RESET_CONTENT = 205;
-    int SC_PARTIAL_CONTENT = 206;
-    int SC_MULTIPLE_CHOICES = 300;
-    int SC_MOVED_PERMANENTLY = 301;
-    int SC_MOVED_TEMPORARILY = 302;
-    int SC_FOUND = 302;
-    int SC_SEE_OTHER = 303;
-    int SC_NOT_MODIFIED = 304;
-    int SC_USE_PROXY = 305;
-    int SC_TEMPORARY_REDIRECT = 307;
-    int SC_BAD_REQUEST = 400;
-    int SC_UNAUTHORIZED = 401;
-    int SC_PAYMENT_REQUIRED = 402;
-    int SC_FORBIDDEN = 403;
-    int SC_NOT_FOUND = 404;
-    int SC_METHOD_NOT_ALLOWED = 405;
-    int SC_NOT_ACCEPTABLE = 406;
-    int SC_PROXY_AUTHENTICATION_REQUIRED = 407;
-    int SC_REQUEST_TIMEOUT = 408;
-    int SC_CONFLICT = 409;
-    int SC_GONE = 410;
-    int SC_LENGTH_REQUIRED = 411;
-    int SC_PRECONDITION_FAILED = 412;
-    int SC_REQUEST_ENTITY_TOO_LARGE = 413;
-    int SC_REQUEST_URI_TOO_LONG = 414;
-    int SC_UNSUPPORTED_MEDIA_TYPE = 415;
-    int SC_REQUESTED_RANGE_NOT_SATISFIABLE = 416;
-    int SC_EXPECTATION_FAILED = 417;
-    int SC_INTERNAL_SERVER_ERROR = 500;
-    int SC_NOT_IMPLEMENTED = 501;
-    int SC_BAD_GATEWAY = 502;
-    int SC_SERVICE_UNAVAILABLE = 503;
-    int SC_GATEWAY_TIMEOUT = 504;
-    int SC_HTTP_VERSION_NOT_SUPPORTED = 505;
-
-    void addCookie(Cookie var1);
-
-    boolean containsHeader(String var1);
-
-    String encodeURL(String var1);
-
-    String encodeRedirectURL(String var1);
-
-    /** @deprecated */
-    @Deprecated
-    String encodeUrl(String var1);
-
-    /** @deprecated */
-    @Deprecated
-    String encodeRedirectUrl(String var1);
-
-    void sendError(int var1, String var2) throws IOException;
-
-    void sendError(int var1) throws IOException;
-
-    void sendRedirect(String var1) throws IOException;
-
-    void setDateHeader(String var1, long var2);
-
-    void addDateHeader(String var1, long var2);
-
-    void setHeader(String var1, String var2);
-
-    void addHeader(String var1, String var2);
-
-    void setIntHeader(String var1, int var2);
-
-    void addIntHeader(String var1, int var2);
-
-    void setStatus(int var1);
-
-    /** @deprecated */
-    @Deprecated
-    void setStatus(int var1, String var2);
-
-    int getStatus();
-
-    String getHeader(String var1);
-
-    Collection<String> getHeaders(String var1);
-
-    Collection<String> getHeaderNames();
-
-    default void setTrailerFields(Supplier<Map<String, String>> supplier) {
-    }
-
-    default Supplier<Map<String, String>> getTrailerFields() {
-        return null;
-    }
-}

From 216f204438bdd65961609081c00f71ce3b2b67c0 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Thu, 15 Apr 2021 19:28:25 +0800
Subject: [PATCH 0423/1429] delete FilterClass

---
 .../semmle/code/java/frameworks/Servlets.qll  |  24 ------------------
 java/ql/test/stubs/springframework-5.2.3.zip  | Bin 57066 -> 0 bytes
 2 files changed, 24 deletions(-)
 delete mode 100644 java/ql/test/stubs/springframework-5.2.3.zip

diff --git a/java/ql/src/semmle/code/java/frameworks/Servlets.qll b/java/ql/src/semmle/code/java/frameworks/Servlets.qll
index 08d5a80dd81..1dd4373fb54 100644
--- a/java/ql/src/semmle/code/java/frameworks/Servlets.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Servlets.qll
@@ -337,27 +337,3 @@ predicate isRequestGetParamMethod(MethodAccess ma) {
   ma.getMethod() instanceof ServletRequestGetParameterMapMethod or
   ma.getMethod() instanceof HttpServletRequestGetQueryStringMethod
 }
-
-/**
- * A class that has `javax.servlet.Filter` as an ancestor.
- */
-class FilterClass extends Class {
-  FilterClass() { getAnAncestor().hasQualifiedName("javax.servlet", "Filter") }
-}
-
-/**
- * The interface `javax.servlet.FilterChain`
- */
-class FilterChain extends Interface {
-  FilterChain() { hasQualifiedName("javax.servlet", "FilterChain") }
-}
-
-/** Holds if `m` is an implementation of `javax.servlet.Filter.doFilter`. */
-predicate isDoFilterMethod(Method m) {
-  m.getName() = "doFilter" and
-  m.getDeclaringType() instanceof FilterClass and
-  m.getNumberOfParameters() = 3 and
-  m.getParameter(0).getType() instanceof ServletRequest and
-  m.getParameter(1).getType() instanceof ServletResponse and
-  m.getParameter(2).getType() instanceof FilterChain
-}
diff --git a/java/ql/test/stubs/springframework-5.2.3.zip b/java/ql/test/stubs/springframework-5.2.3.zip
deleted file mode 100644
index b54730e4bbcd561f20961940fb62c54dcee1225f..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 57066
zcmcG$1yont);>&kcT0Ckr*wCxbW68%H%NDPr*tFT9nvKrT>>Kb{m>I0zjM$3dhdN5
zW63$g!Q6X2GuE8XoNLQVfr7yRJ^k5H2vhv_AHV&D0r=@)Yj19CYGSW%W$a>O|B8;4
zo{65BK_2isXn=o(0%AzAQ`8*NqvJya0@9-e0wVgCzauRnBqFOMLhtD6xT>iYx7>j4
zbyLO9I&*LWN5^eG%{D&M-)cR}r8!~olKl-5v}Cb>AMoH@ZOWIMOjv%O*m>t7o7Ldn
z*bs+Kk3FA>-o3|4E{&4}*D|R&x9gI<uQ}-p4d}WIx)@tFwfOnCeG3e_UY9#Lp6f1;
zbK#i5@ARocC#G9gVc)fV2{(1Uc>Hiu6xpPy8@|wZcsTd)(YYPj#`?7PeoThw#CmOY
zRj1QCQWx`T_S(Y1yYcfTua^*5hi2F-l|$7V!VKLPuv@f#lCYaM(^ylKOJM}c#|f|6
zqOHgzmsLF^XXit^%LF;*IJMx(yk3GS-dYxTo?bb3od#az3MQ7KEGt+l4+(dGd>%(=
zZNHUW#Cc)nI-V$$_x@3x{!kW-#)_S*efg$`Kyw!?1Ps!N4~Fx~{qU+YR5#n<M7T4l
z9jK6-VpFd*FW3*C33yf($4)3;E&xkYIXYiWFj1IH64=DY6cig45e&HgViX7NJ@+dZ
zqKvR-aL_Na*=~;~Rc*`P$`~&5Q}IwDw5&7Zn>3->l#_6_bUR@XlWREHyIxHZ%WFha
z>uB#wy|6$WM&Eb=sUt|_IP#TV*hYk^``}hPyN53ZJl)KQ#swxL*yBO|#9uFv;|RS3
zagCxQ)@(14(=38K+dk)-taaejDLCHZr9Uh8t|Y1F`SHlQE(-UdGNT76%T)(tSsr4S
zjO?8_vbePhtSDtYi^Ip1^r2n8Wql(0@;vY6KI0RorC1pPM^-{Qii=w)uvrrEGF})E
zd-nJ4Fs@<D7Ywbtq_b>Y70R&ERUbH}xr!`y(@Sp`QfVKNHCP&^vs3fS!w}}J%psV-
zNpsAs7$U4$>>>Hwv~D2b806r(sS>CQS4aeX;rQfxzf@gY+g@=u^%a+UtXO{q&#|R$
zu@rkmSb2^${O0`<gct2iEqIBcAHVWjf~@%G+55PtFXjbd*brlAKEOcWh*=1}cf>&*
zj<ppS!xskG&n|85nX(m_fuvt2IIuloE1g!nGE6Fa=x%vKA+iai8{4ZK%s8zGv(Hxg
zoD3+9zIbjB24={AR@7Q%^lLdiy1LABASrA?2?(Z=7GLa*&62j7f(?BclLXH<?SZst
z1@NTw{J__gY2%bUPz4VH!Tz^9DhpH_U!aDJjy9PzHZ?gPfK)x?LEyJA2atVu#+M1r
zo>A7o=Wb{nOueQnFbL#P7MXfi52F#&%7}^J{_>>G0BHPU4x~7!?@jhl0#=`1YBYtQ
zZ(v1uR(ZJfcpVkeJNhCXVHgcv5aw5uR2#`_2db&eFZe13YGmi?t{8f2?)<J9Q~ggv
zJoa&9Srz5(O1KUv6({NQMf1{`NOlD7W8fO+==vmRaGkI-DszyUH4|q^4fZD@+=$UM
z#g@2UKh#?l5qQsUJGdKBrJbk2VWA*QjPCFoFlWibsR4%yOD0+g6_vXy-V#fN5tMa+
z&yy!w@mc0L2W%nRL5g5X$ZiEH^OtH5$mxk(G1a%qIfvsFU$IpWxUN$(n!p#j;<R~a
zG-8HJ6p3W_J$O-%*otF|^PA>iVeSW3u%L-S2JdN>=Z;N69Kw$Jt?W}{!yM1v$I}{l
z>w46pgDW}^G>jSfg%!gSumMqd#x#~g!`w~Xl%Bta4$kDJv?L<C9y|kUea8JPF9G`1
zt|&t-6H~a~=zBBvuBP3Mk`dH_ppV8rG0%#(3g+_(@{m8Y^t*zocodCvBM`(k#+;BO
zzDSx>2+$rrd?{70+qgrL|M~?=jXK@Do(<K7_DgzMrCTUnIg0_fFSI*D@FCYVoCegN
z2uD=~cz}(Rm4_O)Bjh9ntGuuYz2Iu;=oZtKSwYrlADWOn+tIv5)B`Pb<vxlTk+Ff+
zCt;PD2B*-DU6ht*ONEW{gGdcJ8=;9c0d?g>hn#WE`5PPD3LG%c36RX2S>31eoL+-^
zdLR@J9NXH~=CM57wmHMRFb8r*Z0HsAnjU-iB^Yk|EjR_?09V9zoMh7QYj(@ca_r~w
z+$00Uo}f$)W!G2mG(2g`_Q`y61|TC8coT0OO6iWW`AiVpC~Ec}pSkXVM3qzyfceMd
z?HQ2*^CAi-<r=<ZJ_Xi>G;qJmhT0YJHH&I+isYE+d2JYWrdv!oe|?l(f&i9Xu1(FX
zz{~=CPidd<($se4Z3XtyuzIVXSwT$8`R0;z^YNgt{h_Q=UEtBR4wuZ526yobyIcjX
zPaQnx3}471x*Jq-ND>=>g_&~PxSTx*qoGmhUxjWl52nFls^d+f*DTQWm5P3a<Z8KY
zKY3nAQFP@tKs=byn^iIx*!@7vS`MwnefZ$OgjK5W9{3#98)8CAf2SL<MNB2~{iZ^#
zI@$|;zr51h5|CgGB(NL(Sy{*7o%H9W=nqp!ir`FeeIH`5h?MX|g$jEGNOrM4*anq0
zaqETU-WZgNKLgexyQjJ(KeUi@Fz74TNGoVkx-&78D97b29Cp?Ylw3Xtu_B(C$l<Yv
z?h(~vV*wwCak}#6cG|gHl=jFfH4?!I93-TAi&L;TQqRhWnzOBR?1p}S6xe1Y0~zub
ze>i;WybaiTE}Iym0`Ifz4AEl-C3OiOo*c@09t!G&Reu~NJG5k3*q)2dM-Dh5tY?m8
z?>TrsNAM;#QRT;wN1bpp1sQNTj2rhal@Oqmhct2GZYsFN@2fXQocA(<3;SXxwiqJk
zwszI3Q}xP-K#-rweWF_Rvu2^qh}&z*55u<K{)lbvW7}R#>(x*1Z;{K%xviarlLQ6z
zs6N#^RVr08{N))0pX0TGr+cTHXPwWE`_a%^va>Iw;7NpB=1UD|4inGu+MTKhWjtQ8
zTY1&RXSLZ%rek3u5?h(<B&cCHDiEpx%9I_wmDnkl7%yI_!LViP$6s;C?!I!<dS*-m
zM56bZI*ckWVrYIyu&($bD}M7{{ET$)qAimlJD^f2qdT#ggjjB}v67>{HbR|Y+1_fP
zs9gD(F$^$NGSHF+|D?)<!jRpCO!z&gp(q%JWDk;C=N=W@;X+9Yvp1^ihJu^sg#_wA
ziI4n;En7I-J_CHg3@IxiRrJT@&9*o(BT=$20@^FG6#44w_DYi+p-Z$%_EO3Exk=$g
zuJB}a_2Mw;6P`+Qqm8EC=no!DQw=aC<o&?b98r91qe?dzrZOyZGC>ts?!Z8JbRA4;
zgfZD-^h}jIEV=V=TInKZzN2?EB;;|c=u4j?SVSb#QiJ-=LlsEZ$3>Qzd5!SJN5MIo
zD~8|m2esHGSvrQ~@k2cuAy3GY(EAW=W4;K@4m?OK=IceZ);KA`%PGSPlBc+RD}`1E
z8{36>JuxwnqyY`V*WLmX&_H6xqqD;}yZm8!@2d$5EMs`@C`gcmdXj>A(B-S;?VN*8
zL7zwFFXV&FTl3Ck8wFVS__@zYiPQVdqnk+?4IH~+r*#Tq%=XYAAF-GM$eFH-hs%5O
zIEDyikMl`}WKG`KVxCb@1|s{o(uQM4Rnn@AXA-$MlLQ1IVp_oIf;g<qeukUcn3rmX
zTsa7SL#Py@@5KRO70)3miKCS9*?4mE6BKSsBVE0tJr#@B^2P&;B&aIHih`eCH@Yu|
zjfLE&y60&<?`m+<&4DdT_!#=?Ke2Fa7Ff}}5D#|7E+S19UX9}En%;>dQKbgm5y8=!
z#wbsoebamzSByzXLk|z)I~063)6|j9d4qDJDSv^fhFkNVwii(?ZH^r0=H17~f#sW<
zt#@;)t8<^doa&GpUGD0?9OK&6KWcpOtnYwm%DaQOMQ+S{VV+x3sl1fRVvKYwVO*}1
z$5CBkMrdC|h7s|)v&Gw8$!Bh1LhX><rR-YQ#;ZkR9doNFt#yIVFJ6tWe68}tyAa8(
zu0?m<^7h)djDLG|4xi)bVY!U^{N!P^b$JZlMXQ63#kCIT!lg@jrUG<z^h`OqCy-~>
zSA)9<IWw+@RT%Sy;CT|Ybpyk$Ro;z|P@N?0!h0p-n}*q$<WUjcmAYv*woWr%d=t)3
zkF{tv6meTQjhfc=IU|?o&N{$nMaL2dg}}Pln$CU^jOJnsrtBI>{GJ_5W^?0a{JI4#
zw1vyoOg9qv&tBl3V#1->7TH`S0^vh9zVqyLv_aPRbPM5Ew0wSf*FEPj|H76E^`!~R
za})lq%7n<3F_&9ct`3xF9fY%tp4RK5Pa0}amUq;^z;LII=YsS|k?1%s)`aYpW%%nU
zhM0%}xAV8IlVq<Dlp?WjaaSQsO`KSxH&M<?!b2pem6z2K7BlMS1kyZQZjn=KkGVp%
z1be|iVRWRdAO=>&Q{Bu^n_`ad*aglofc)7TA(>SlYqL3oeZ1O2U|9-{TgnMoUdGmv
z0ZF;zM<D51L+x;ac4&o_p}2!+5~=F!cqHIBC89n11hu+%km~e)g3cfeIxx}w)oWPE
zwDB*6K`xa(%N8QnV3PO}l*@`WDEL(ZLf5!dC(1KhWn@Y=Fea=D&iakymN`(3ZC$ng
zgGp7I{Le;{7<CWS1&V;T#oW6jLd1rK^o%AVY^UF>nVHKt<1*==*wXox_E*(J7cxm+
zpiE0NQkLWv$tYkzz-gJAOtVh!1c=>3EYHSSQLDUb>Y)I_Rx?%In`TuGC2q<rPo92l
zOTU_^a8sBHr_@}!g;LM4ifc0f#1<<^qDi>q2yz)ri^IIgG1LR>QP<Jm;da8x@%iE7
zDz~fA^@Q5K;9E#l<xGOT)00gb(qa7;sh)+yjx&B_oxEflRFIg8z;Zjrpc}g~g?x#Q
z`C(-pet#dMz1+?|ElKd0=G*H=SD8aJD{{d`Tth|$6?i3GHVKBlzIv;#jO`53yJn=1
ztx^IrT#+RN8-XQATXOaR2ZXPdeW6sS2hsTidA-x=1<i|1fwN`11h&up!m<$Dr`7uo
zG@@`%p=%Ubm`0Bbn4{Fnv=VeQa&V_9LkIj}k)kjb)cr9RX+F1edESBd1$52KczRT8
zV^Phxk<)SJ)7-ckj&(=Vqk7|Sp0c0Q3|Sp+Yt66kpCgf~bio&GD(%<=gu!~~x$RwC
zxRWC9A=84bbo6}Y>2X~RdLA#iji!LwJ5=b^T40ruUU6hVIP$nu$KbJdMdx#K{ow=W
zptNZRSS}y<iykS{i3`@<Q9Xqh$EJup;N4%vzTn5OFInZyN(W%=2D~CP<F9vS=kEn3
z_vzqQXBSJ?e;EtZ$~X7w?uhTH`u_Wh9p_(G-!}H9->UZSzt^qs<}Z~#^*{dJPaMDx
za(-qE7=KBQfw8`|!#_yl_z$F+=o>oP*uVaXp?K~Xup|bMCJk8P|AkaRz#EHxe*(RQ
zzOz1!xb(QJw4BNygX97YJ>~GIlpKxZs0`f%!|=S6q|7MIyp)tQ{SZUx+YejRlrqCZ
z(yD`_G!k?mVTIHj!01f^`RJvunt}dGr%>O(#%lsz(h{(g|BIIuH#fG|w>LC1H`KTM
z`Nd_1pCkAX!U1(<s9k}3bd7c2Mk>;<5l8ze7=CFbrLRmH5vOqr%3n(?M|mi3I*)Oz
zk9v;5O){6SW-7h*5(y+Up`Pj;WqI*iDE)mcf({rD)hH$3&eb=sf&aRfw!{1&S->9T
z0ZZn;*o%a<xudzhrMVk`jC$J3H}v60y5Rwv;Gg1Fas<IR`!Mz#hAJOeQi)MCvUTKo
z&$CaR5!G?TtGH&zXmS6ess~~GCTjoE@ml%}vvO1y(~v3|M*xN4uBp|1&zaXZulkeI
zDqIUXQ3t%R*>5lZlMnpHgFSiGPyfR3-Ku}LLuqpdM|}fJ<Nv1uhUCy_1407dVzKsj
zN^NbqHHUfiiOZ8}R>X2ZbVo)JmpKKLvt`?eRCXt~w5IcrT9dwn{*Vv<van|0;1$0q
zi4NMMGv5dBKVw7JPd?7@Yw+9HIR1lcvj4g;fZI6fI~xCkP?7&!sJ@e<jiHUTiMgqh
z{Xae8$rgW7*gvWA354I@`>&61FgA3uH+TFVX#PGJtNzcQ<zQ^@Y-#*mFMpaUaZzK!
z7r?VzL4bfP{?DE%Vr^t=V{YxJXl&<X?BMv#0V88-WP2Img7!X8@eoMqWJ8q*M$j@c
zwszA^?Z$3!xTMQ^x+vBg?<e?^)oy+L`b8_s?9(DD*ojk^rRVx{f_*gCs%0eMyqE|<
zoH{U657Yb6eAJXt)$xLjJd%=x+F&eoFUShIme45;e*=GSIGuedoqcAdSW~o10qu3c
z%;Gr{`vZ21Dh)D)QLDRvaW_Xjyh1R!M_!1-BnexExpGOx6%)GTJfDF6tfaLQ>nj!M
z*d_mo@i`bh`Q1AT%Ny!#F3nfj8gXpdbMnz@v$*%PsKbweY1!s+jHyodOvc9Uv`OIU
zBCy`XHd<0WA0ZzH9!}U#FBoN?&9eV%N8|kubnyQ(-|y<Zit|-e%&rX12Z$601_Dz1
zZ$&G8qw@s;b}e9QYY8|R9L;UM2UE|e=LkKFa3VM9#3Z!M{7E1myMlx<McJE(Cf~={
z2|(Gol=@LhwQ792e`N6O<mVqjSz(pPmxq1pYTDcsrh)G`oLLf;gE|@!YGt6{9)#Nj
zLCHaA03In_2?kxfM61NINNj#5&Vgus5P*XI#_%A2$4kBP-tJNb-|K4V%l6ybGN)aA
zHCmZR8pb=}wfstp+{V|WA|>5<_(Lj^4^|sTm)8(~V*YdD@r$X#lVATE9?bviaQ`9o
z?|n6JHYz?4Aax3`jQ<DHf6$_kjkTk(>+k+4qwi>FW^Dh>O|4|4U_hS3txizc`|0o_
z8_ip{31}M7&9Jdb;ES}if(u~T-aJ<6t23fh3m3^KMq+jg(u{2J)NvL}k}Wv^HJjG1
zvJ_0KAKC0C=?t}6Q?>eGRFa-ZH_BQRG2qiw+^2(NtD(X{5am(hY2i|9ZgDxVx-B*|
zWg#*?GNYFkR<mwiXTJC|FL*L)vIlVU7{LC)07fnK>p1*r#(-Ua3;I78@|zl%9!8{~
z8y*qSmlq%}!=_(Whi|iL3t75hj=xgrb!nU>1GnS3eLUS}x&;Q&Ox&>6AP&^g>*XHV
z;4-O*2sJcOa1X@R27y5cQ5PVIdxa7u{{98Cs&_XAsh<A*+@*9FBAuyN;fo-N`BxeX
zx)YWAEuZWyJ{7KIlgqsfTbs92kVGUneqDi|n8lXw+5SVi{_~N{^h-MjoNrGG{^0=q
zS>CTjp5Nu^TU*;We#7sFtocbvr$_lLMSxel04&k}=v99Z{YTd3DL3+@AD*<T#XP?q
zNH>L=Y)GwcZDHa07WkTD^4@EagHEmU>9|IHol!7a>bGDoG(BObYUoJVuC8jP15I<1
z%#1$yZShb@Hk02{+V(+y#92a6&X}J?3V#hL`G^BADmC3W=4G~mkn0wgs?w3(6P;$N
zVg11*!<3?Ky>L}H@V?m@d{mo{DN!AX77AOlK$QEAfD_O6o@N_bySUe#ZqhmQ<4^Wl
z&3}jB1Aw3vu;l(*DE`J~quQT>Z@`nyssn76I_CsV150K{xG)qSJLwtGS_Vv_tR=;&
zXI7<9YECvL-RAp*CZoV0mnlwC{dd9OdKjQ2o86oiFK54iTO(21F1^(+U5uuC!HwV@
zjQlpcqTxIVz!db(*u8J<NT(s=oBk}oOnL>mDQ!Ge)zi85>`&)>>gVbTbcxOYHn|9J
zPKp0$v;Y6F^jp3lU=0XFA`7Eb9zK+qdUM33^qSC9sIGq4v?fP`<I-9xD;aQ>)ac3>
zI=wZWS)I&<B+g(KFRv_VSJ!N_<?0QksRKKPYt3B;Ep|;5q$mk)lEdD+co;Lib=(Me
zaCms#{2}QLO<N77rMuf(?h*yklr2qiwglh&a>faiuQxTK&n~r58+W)gbKw&O$uH}&
z20vcBwse>6nu9Bg2b1Gm0K-t#cuD7nL&_c8i3DtIiMA1?kfTAnHq@TEv+alKC8s5)
z;=;Ur>r2~(Z*t4YYWi2?LbxqII|2}k1gxi$=ig5?e|N?okP~q>wsw?vGO#pv_&t)d
z4s#>)@WY8rt(DnA%dka5z(g18!A98y5p^4K#=SwSabY4Hc3ETHit^LDkca=EAar;Y
z%lTT(ZkkrA5*T4mfpZ{#R+sHEQN63b@J+-yqASa?kEBbg@MQ(qJ0UzZ{&dB*yoY`F
z)5<X=j=cDqs!jNxY=dl#hwLd9JXO)c|IrR*j2#^GO^uaooa_yaznR59R?*`VG!hk*
zHGkI6U>D)jC~->Y9!lZizVH1mrNVvMK5Ei`E26(A;y;JQU#ol!ZT?b0{49*?7dH(M
z_Cpl>(_Exf>=bDwA~ik(<VgWC_a}PdSIp(Fas@2S^&LcQzMuDjG2OBOfD`c4GYp!d
z=?a{2xW8{-f3Ex%sLt5zV`5@_ZOhV8s}>`Oeb*ZKrRU6J21Fk+nXgl9W2BO(D#EMJ
zZ%+mToqDIR4yR~dDfTO`s_$)r$_=vOa2{Ta!D(+ds5-J@%k6R{z4}<QwKB=oL?QR#
ztGn3IoCVqVp{=iMEMjP#LO3Sq?c+nU>-$~k5wHDQCU>Uw-M;OSPdF_~dh?FK*@A_F
zyVPi4xE0l&)d=)(JwslH9D=7AT#lK!MrQ4IUfi~Vs|xA-66ntFh0qEtOAtnNt<oFh
z^?goQ8;-~DC)GmK8yJr-FbZ{3N>IB*P79BQJHC+*e_xC-|2n+J*3Lg1h);nL)CFBf
z5+LZQihTO{i~4#JC}QnwZf|341#oR4ecLBy;F}A8cYmWYfV%j;Q5oiV`7D7f;>*gt
z!FDdEcqN90)n<1WNLH-2XNFVE8nz}cwIscgl%Rwu#6%1@93_$w=9}{jIkDFm9-b`h
z?;-frYy)6n<~BbeP~FGJhy(@%)B^RZMA|pE0?3oFwsmq;a<n(rxB4LjIH}0kEOQ|7
zigg-9OT~4?tm^rKrxJ#wkr%(Od?|c@!8<)YXd)D&85?GR_IS!IB+;N<^g;vYV$9v<
z1<Q-@4LEC=`Ud;v3)|-@+UdH|Yme|=fqMG|vx2_G55wwiCy&h>ezuq4qw?INIrE(F
zZOt`9EdxD`z`o`>O`A1^P}ufBMzv0!ACL)^%fJ_?`?C>P1P2h|qbU+?NChQ8mJl%;
z7vxW33z9rg?;OY{Lx0(49PNSSqTd%3k?T7ngj$b5=uEgtaAzlAmq88Z=VWu{R6W*b
ze~evO8=G!*$X$JTUx>~HiSf0pfNUt7H6+Z;*g(K2!OV|ODje-H$edl(tt5%Ww(u;n
zdXTZ%acx-S_(uCsLbB1t#{(57s)&m8;CWkCp#+yf^y$#{z+I!*?F&!W<Z*(yR<sX@
zw%l2s;skMb5t%3YT=&3PaZAC-gs(+kpB2=W`<O|7LcP?}32PF|VWcBd(<g^biD79k
z??cfy&z!PQ1VewX$W>WJ;>Y=pQbUr#!__G}95pg8#KX&g(4NaVfh@l#3<cLPYim?J
zqM$i~nAo&DIBQE|GMpo2Jy4WzXT(3b(jv<(JU2glyH371el8~AeIA|gJT+5zR`P4H
z`~XO5@VWd3>=q=_H{Pq1C0TkvO$TXTN?W{k3ghX;HKA^}U2)#F*~!O3T`a|!+(q#2
zgEkDYwY~y9atE<>e7VVa(+NAYx{of(ogRV35WPos3RaG7B_W|9X=1;URGYWh-J$EA
zu1Pb`J&BL-W}WkJ)V+GOM9(_3rQ(_Zb+c#xU^I6i#5UhKv&b1tkZQ(u4=a)fzn2=(
zI!IOF6~dGZ)3^%)zXlCMbF@w(78^nUQ~Vb6%U1FRXZy!oRbSx9Q9nZA4=y3T?zW|9
ziqGTEGJ`UmniQZm!u5<j^{rbnZc0R3NtO6;lwqu(6zZXl4N&CP`rkhPYN1QqF`u}s
ze!B6gZ(~y6D4R>)tJF>4&?MUpD5e3$TVx9PO*b+TZ+2D1qmYBmK-<kAnuonS!g4`W
zUS5L&>I4bDRsaO_rE_ewbUuMRO!0mXiAz^P8~y&pM+@4jRs-wjg5a&_!ylLp$jXy6
zD!|BsoV&n9Qqe!2IS~fQUI-F-%~U}*acP0`lzyT(r+v(cjoNP_rA}?A+J?x>gmZtr
z_^OIcbr5yK4@7mGm&r03t0zKHQ*nSf75cGus4H{!Qx+HoUbOSP<93}eALG{@#~C*h
zp}@sDy~Ruob}L4tB#*{$YuFpfl8yZG48*Ky@K4Q76|*1S_Fd7u!f8C7aZkNWIll?2
zZjiz-Iv4x0l09Q1z6|S`|A{c}4!FzaGCf6emzP~Br#~IJe`=~L6|`srDU0oa{PRyq
zhc&hF)jLQapcBAEBHypaT|m@PG<Nti-xyQZvcYXe_e%5v-{et-iC5Sn?lQm!o9BYg
zwX(pBozZ(%l0p*tJUBfTZ%8ov>zacrcBFL;rj_sKp{?CBk7u0@n{c|$OH$5xWs%6?
z1%^pgy1E@L9uFTdKO}asAi(sIZP#mA_;+r5vmG*ZUWN|}Xi%zGz%Y8v6mQ+3Opp3J
zphlo;){Gpn9!~j%b2v?P5~Je2tc$fto{pNsm<+16q$g!`9nG<qrc6AnjrA+TThweS
z;G@tal3RQ>6_m*tHNt6Ke74Zm9&Lx2@yT0ikNW=5wn?Xo`Q+vJTMam4b<1Gge)eZJ
zMbC6|mhG0+$htL6HgxM5p<XxWw+S}dzYsDd({=a4fUq4mw|BP+K(%<Tr#i8kic82G
zSUn!1ar{YLN*1QI5$N@H*vp7QOP+SU&d9>;1D^;F+;#7cd$);>Nb<O;<A>Yr_*I$3
zvDM??^M~6L3~x_^yk)+{_5Q|Z5OC4VJdgx5LQs=30v>{!LunvK&5R4(WLg6BABe@w
zEEF!ms{?g>6+%K(^d$8Ubm+L$qp_(ZH=8bn#G3ZA^&7)^_@ar7xatxFq#WK!slU36
z-hIzcex=eFK5o9f=+d#p5$!2Rr;U#gb^5~1X~S;7p|o^$7JFm&F&!kyGb2I{-is4U
znE5W227KCt{X8p+HU)@59HP?-uXmT5uxJvcXvvC>?6{}kU6PKW;cnOHYXWQEyv6cL
z_($5V52DKB>+miS6Y``yE?Cr}NtqU3R2(E!R|-KCJ3Aqob6}-{AV%l!V(r=*kc`Y2
zlkij&>>4c-3vRvC+MiL)6UXls4`5rD@e6FWgQ4}A?3E-lZ({M}hS5O)Ym_A7hU*iX
zzvk4VwBo_%EP8j~jLoDfe%8>rFh2zhp>4H=Y(xUNZOENr$n3oC(+@AzfkJ9|SPxHD
zOxUj`(GNZCByG~UpofvYXbP|B$G80+M)G-5r;!akvvi<0yg$}628<0&+N;m*%uu^#
zMjniU99lx_jI5J$a>VH-TcUYj1glfGY9u!Uwh@+@xLMZa{uhfptJi#IrEg5cTSyFV
zKbRGQx3RJxsb0g?JwuH&nW0_l099H1G;W@JH+AeReu&TV2#i;N3~t#DmX+giBFBz*
zs%q_Q@Lo-E{unHDZKeT5X5Wtqbu6X>HW@Y$+ZDVUWOCOacj6g@Be9z?m2F$XDo6zG
zxR>@`%Odc5@<5Bg6FnvtJONPr+AT%2HDMazcNVAX)ypa7biQR!c?+Euc8sdvTXx(q
zXp$Ji!&cQno7lrk@&oUCd$ELpz_p-H;2)Y21$pscotCSwWW-_O1IAKt8i<x`s3#6W
zjSPhv&NJP)i3AzDN<?>MtqrJZB0-^d6E!Gf$YZqnc|#hP(l$mboRQ!L&LZV`iHB8{
zM=D6X_q4^gAP%z~dSTJJ`%T*mdzqos<nP_X2R~?Q29P7L5Q5AlqqYHizt|mvaJ~RJ
zC@>*q!i(aL19w(}c5ZXvNm`h$alGj%M437?L~`UJ>a1s(T6&bmxCde6Pgn`}7pn>E
z5249QNx4RVSQxl$r+MZ&NrwgLsuAi1E1feMigMJoyb;!aY>f=RqqsbIc$R?CH_j{k
zMQ`GOer;T-XJj1ZbuiG4#1%OrmIrn7k-|Prj{E`Np@S(9BUfyaX$;o9h41IaYXji;
zOgH5Pn8+M{OE!tzP9@wo0@Kt`T1L+fG*HFVQyhE@_$r{KTHflZrYqC3L-H74;!sHn
zUL$|TSe_pb{p=7m%lLp+632)h<}$mg{Y)PB!B#47A+a8Z)dKz#XeAj>*)9ysFq#>6
zh^$dG{xPzzPDf8K|E4gvb8YDDV7qeCQVoe(5mDsV;OPFZ$oYlLLu+hM1GLxJ6C&a+
zU!+5h*Kq5uDIzO&vcT{!`r*8{rO12H>y!OW?QO9l_iXq#@8%&X8yxfuUc|7DAt;ID
zZ~+FAP>1kRu4!3;FSV@=^|D+ck6_Lgk)=HX1!Qen<u%TCu@(8FbU4-(+fYyU_CH>%
z%D0)GhfYbtM1wqL&qUHWD22|{?FRZeed$~PSy^|B8*|5zBTaLARHm`RA3sks31Mzt
z<iV5U;Z~neds7^n+>Q3ayWxSas#WO|)oE$xTkeD`;a5ugdE3pE#xd!z3~3I{SLK$|
z8R_ys%yzVoFG@<CKgzHt)mxvOEj})}Er?PI(5+l_rcHjC&x8Uo6Dj`sML%VZEOwvf
z#DDrwbz*HX|Hgbv#sFRB#Or+R1-9e8{JFrkPC`o;I{{jbsa;$7<LUFbb?-OUe9(9O
z6v3Y$fkCI)!DhWO{516M71+x5`}RC-8t(SIPRkP>6^e^e9$=<xlQDQ?F1v#;)<s(0
z6Dua@=so9^-C83E5(xQ<-?2ABj)u`Ug6hOLU$mGyER*-#22{golNST)3#$k4>z(*e
z$fMkq=-pA?mT+=Ixzx99BW}L1`e|~k?x7KiG3)I+Wetrb6dkh9qFOQrh04|57BBE=
zWGe~@VA{dGuX0MQ%x*Ynje34H*66Hq+=Cj?p*>}OoVs~)D!HN~(qmvU>21#Xu86gA
zC;Uvu%!tg=tm@(MicBiGaBd!Wovq_U%ciDv$%QtLVLFT)@f7N=TIh&#$@we%pLO(8
zU1o<;l=VbNJdstu)<pchD)~J>khak``i(XJUXme!b@8cagR|(tb{uW+U<%4d(V{%-
zU&}bKP+{&(+1{t6qxcv&ppnOk9L_*=)tuFr{}xx;A{zc31$@~d@bG=$w^Ziu3$p)!
zN&uuX4o<eVHugU^0WF^AE?5J$UjSIY)_D9Kg5Tx-4u!nFqoc9C_0#`aI{$`=XN15L
zPYHJVI#4$n@eCXx<QbL=u7;K2hy)PyxyyS{Nct6L)w)AkSj=dVp)sLXDgNv{w28DB
zgBH#3F5zC15{)EZ5~|GD1Z~+ek?#8ktW=09@SoTDbo2+_>&$^JaQmGd6)WYfL%Oxk
zK>k(9^aEj(*MQym1IUtJYvX=rbo8I@umE;s?q+PH{My!7(b&Y;-q`v#4k|%$#QGf}
zQrkVvr+sbt)6n-qFS1qQo~fU`C(qfSl`4HZ+=;oOeA0blh)65QT=%Za=R*j-z=mv}
zZ^fx*Kc*YJhcY>1MVW>8dkxUyJVqSgZAMYo9zRrrd(p8+rb*`d-W_<WPd8^e0+qOz
zKBmeDo<+%;Vxr33LSl+;?JYS{&m{~HUvM@OAXd$}km380T=5qL(9g%6<-IU^2{ny6
zv0slZ<KQ<BdxdpxWo81Hi;F3&;id}p4VW17u0#PRYebn>{Pb}zV!6xE3-(-6=W!?a
z7(1{7PR3&SVmvLFXYjMh(lGtOx!5eT^o-WR7lW<O|3H_p0)YPa*$rb?TYCVj2WTb!
zL>KHHuUtO0cb@e1Yi*t%M2a};TLLBr0MY@(`BMkv8)E`L^fO};D~J=#1|Hwr)ar4H
zCe$xXnCPLjotnET@<#m=%Um&QVhd-{HZ7jdD~fO|s3_c#t`6s<z`A$$-zbwm+v)MZ
zoR&|0)~EK|uZ^ty?K_LO8XDXF(Pb4G8hIL70h)XoS;0IT1+kW|LFuV77m$c(Eu*ku
zcpX8XOHsT<VGP}O>X$N3ZI|0ESelc#gmv-?20>d;r5ds@>KLCJ?;J9Fs@M`nih<7P
z^LEQm<q~r_(|sP`?c)Ia{jYJfKkncUoqmHm<4x<g_OR&%Izf2AXHY_{(s9}lUU+LL
zI;Wi`z}TfrnC7q#m?A~z32#F?TVMlJFB?MUOJj$5HOtU&Eba*`zdVbI_^P^TY}*9F
zz4wIqGiWE0bf1>MBYi|TKi2k}LED>Hfac5SzB+I+H=P{uxu5nng1+YF0%q>@&d#4D
zvUFaCc4~SZ@uAt|*;F*Qfa_PL$9`d^d>Sk*2KL7w-ps#-i+wB^K0N>kUV!y$T;1P-
zAg^x^=;;2x>FNqfN=Z8U@zII8KN;(%i7!bhX;~H9z!3;i4D=!lDrE;dDoRSiP#QEJ
zQY4Sa4U}kbm_9wpnbb0jABgOqyWGEaVEnKT2U}yyZ?5_G2ayl}qyNa;zsUs*I9VI%
z+Z+Al`#GHWW3d3ir~oU}{@*-639t>3KkV`cl>|od!n|XI6LrZFG<@HUIk?gujanRq
zBmE`VXh!gCbvs}hO|uw-sN;q=esYupSvd18X@h<Xvzwc6CMz#$Tu5Y&$j)0MIFgG+
z8e`9}^sn{fk<z;#%7M4#!Ga2#+b(Hpk%SyLFVJec)EX$kt#o2_uTQ|FR&(SovI(sg
z?OcS`9>JH?Xh4<d@d(lO+=@#p|1}LO_}^jix2M0vedAd*K&}P=Yn}gzd?j-$TTA1=
z550kZjEeM-FkXRJg3|+m)}^(m%(8^yK~k%<bDIN0LsRo;JbvZ#MwfS4L~*qa$69P^
z&_6mjX{IrQl75bJS}WWTLIpNat2TUfdBN~@WIUSs6^mK;^B%H2+6-$mR7q#NHdGw2
zL<c!pVvq1V#ppfouvigzW2Of3p#IC0>W*4uu3SBH?Tkaq21bxLQs<4>diP|ELB#30
zr8IW>D8vQLT?>Tr_LSMHpT;X?O-w&n0Wc~AEWQ5?R=+vGzd$SEIRc>R33l%;ViD%y
zgK`d{qi0VZHeN%w>>G#V-6^j$S;4|wCeK!!+-u=n-+!$?c}~_~yfQc04lNfD?^zty
z_gX{qYn1ntc`Db*tRywq$pJ<e&7zwp2z<zab^z#&_+@l8NpO+w?IYg5HoISIf|)rw
z+WtepVEZN9z6mq5GzauNeu@#fb(+;>09hUYyZyDZ_D7jQ-$aW8UKx<A+S*t<eDA3g
zMDacyS%Ej{Jx>!&VgX>NiX-4Fvob<bcw{GU0-Ct3u%nS^H-_Hbtlfj8V$cDLl_`ac
zFLP}rh(=Xd3;VHUkT9eu<}h%Z0*#O&NBUd})`$vKYsI{i-irsh7q(S``QSd`@lvBF
zF#8IccIa~1P9%*^9QC!dZ8vbep(oEVg^&Q={n6zhZA1JH$Kyg>EWTSAtVX=9iD~Li
zQorv@@WO4Dd!vt!KUt`#|Ag@s02O3VAfOk&j`R}{BG!(8;lyvpRl8!%Q`3F*l!nJI
zAoqkYNHsxSJ~*@G{zMuDN+Oj*8S4C0#;sUnpVGL5V#MoocbAM{8D0_uGe6{o8I2ln
z<JD%5D5VKs1$7oqo|YMWKU6r6dqeqazOp^rV(P(Ne?yCumbz;*xZtYY^MC`DaUfQf
z%H{O{cuuMENOkgepW$V4$v!XPxKP4rQt34NP}p*&_!A#d_VRJ1b$R1^(s?NG(7BO|
zZz<j5Tb1yq`+=uLq#%ed1l}auI3SkTjU#EwV^t}rnGrwq7u>`X<z<oTq&hv4Y^W<V
ziOFlxi_XR!nhg%ULprzs_IbI!61I5@{nu2WUav-41AwD0VEr0>{LRXq@Dw+GstX;y
zXP$%I@cxW&;FIo!XJ8sW;7u-ma*QS6LbTjyp{1>jr?+s%V#XhJ9Fj*A*u}QX?lZFt
z7vp0y!X<NZL$dF@nGKB*V@-x5-ymQ0;A*&eRl_P<(+*!rtpAk7<t25%+X3D<6|nw8
zE08gEG_x`Ke<m#>lvGsJf21qoV>DwbXFxD_g^5NxMU+pO3XpH>s}O{M-OZ2tAjS~4
zkne;+1vhC2kW3LNm;2@hSbNcj&k>={uWn$2E(HDXGJKipe=_N6WT>7FK;Z@jVDbOM
z%_sq8l$^e6AX0hAewh)j{hsCvF#cD524ivYo@8PydL6gT;*!I{C7!4m0<MP}!7}uM
zio>{TejvnUZe@0tIWKl^t`p3O;O*n>$B`Ph#RpfeHM)*W+2EVHrOn-$hvPAio7)RU
z2CR#sk5?BwUpdpp?kI-9SdiE1v%De&Fw8ED@WEsAJxw=lpx5e3K#hRy&7o!Xfiyp1
zKoa|W><Eb0o5%{1MtP35!x-X2BW}iIPxh69xlMwV0ZWkk42e7$oj!XK^=$-~-US}l
zr_n%@7Zz!F>h`9@>V^9Pkq_lTq_BeYZ-dRjsWtSxg5vhAf=$t6PCsvIUAJqlsJ*!l
ze2*X1n)dPSJ<kP#yuHDu?b#=wP(k3R&Sf_tY6<-yTTaTj%HX;K|Le^|5Ol6+Pa24M
zrFRMPa4*Hqcu{27W8Z)R(=-?#y5lctzz4R{D8r0~d~U)fv&BoWP&bn~?5+_=RY6i~
z(QPb@GQsCSA2xw3#O5xf(t}2G@8`Le-j-LCEqqhby_1tHTBFT}9VindolSsQ8p@3l
z5{p3}9FDq=J(vEDO$I;j9R^9<SC?`=4w3CVD>b$R9)Xyi`JThd>LKVjp&8qWhfD0J
z&#<^7hL|?t{iMUazyj(pm=eUyLrn4N3;~UTf)*cksJLD?>#oYqg5|b;(YAYOra7Iu
zV^4@LLm}uC`0|E(rp(2vK*AUNT^jYhn3K0a(<WTrScZJ`3ZJU6L7C8*g4O-~c^ny?
zx_KAb3!{oJ%VUfNeJePhJ;Wu1#zFc&?hIYUM9+<42k|zc2ZQXHm7}WHO3o!gTR4t$
z!k%cRU-wn0_fAvlnjWmlM3q2wlgoZM3_B!!x8;PWTCUSGOL0tvJs6t6-j#CU$_o-c
zC0|2c%M$`*Ke|xNO5LFlNp^v4Me5^5hE@%&CyErn+Pu3SxV2#O*Wjd9#l>a<IR2hN
z0|5yDT>anA!@mWm-^Q_ji1){;Qx-jpXr8BPD+4fOeA%~zaCkxxm4LErp#f)xwt0zs
ztCPVhfi-Oy&j6biQNm1aobzVQHgsz!%oM6%JXxV7dP(q-wIji;&z^V=5yW^eSDX-e
z1uJ<gTtvtv7Un(N7SRTGj`WxW2%EDKXs{KM53al58)_bRFTeOCs`5iJKQixKY2uot
zD}r(i-o^ReR^~6yM@Jk{yLBf+LChjQS8XsE;$VWH8k~y~MW=Zg>?b2j1?r*F6uW-t
z*$OD@E*eHv*?{Ws!WN9;5wY@cXZ03?et5IpVkexW%l3v?DAgR9AbM_6TvaMsHRLg7
zJBXv%*yeMqIYY4J4iiUhpsm8GVN<@1t2viSPnkOby9n2!GZjqhbmhs&aqn`UVnMV1
zVrK2JWU^AMi|R)-a1>{9U21AcbFYGR9u|+D?ssQqH|Et9Z`I^tAzVw5)j~>9gWp^h
z9NJuWG+L!C;U69OA^uf~agGR5Edb@^0~Gmd`TcK7{GPV_pv8jd3BZ&jTt8rj2M;~p
z-6xd2J1yJY*Rp@9qM<<M!T)IW*pZm{V>cd(c*mCxq+peBR^RJ-xN#aK8{U%xGfx_q
zQF_dtKE*N^>PVulFuywT$(8D@%eTqE8OfvM9;AaJk}jOu0X}FN5E8EZ<crk)I5<4n
zvt|~}w78{MAS46Pe7iTeI;&#3bPMdg{5bD+eLs5f!%`l9;PLg|0BwF&H0^!xVAFtK
zPH^byy0s6VT<qla${D1E=6{ufT38#I|CBDm5o6XrO$^@v7XL5#$~R$>0Ex=RfVu{7
z4dvUR7#ZDd@s1Hmc;b^9E$5Q_6)1gyy!`<YUGHQau?^nRh2%>KXUW0N1?$z`w*^<E
zlZ?zZ0}^w?INkPiZH6+}na08XyQ(b82gEW?d$f>dMhqfw??X%*5ID`Q`V@I!Vpp*U
z*`7^&E}jIpGLNveGkptUoPTr1(Vw`;NdnqKC1YZDm$7ThRn#f9;LQJ#RqJDPPZ6-5
zGtV)OGH^t_mE)3597{F)%xgwL1BA^k=d&|-rydC`AtR6;{ivY}Vj1%Edn?DNse8;J
zmd_pyVfhHfn&ql@;5Q9z{ugELQ*NM$GeB{pw>YeZDjm(<-A2ZbsFcktpH$U0o|jko
zf2p70^!!G${yi)3YZZf~zV-JThJP|?*!~!h)_@%LJp>RC&o8O#n=n}?OUpk7q#~8S
z4G6U#s=?Vyf@(R}?d!Am^;jHbOQKR#r+=Rhl8Vvx>YalC%m?L{_l|=Icrpd&vD*-=
zkM7g@GB+u=uzIxH*}fpiLYx>l{R-A7Adj{a3$3?i6`ynYm?eW6qPup6QqTv}RzBJL
zhG}dV{u4XsZCJlO*(MMEJ9BZ4CEbj+Rw$&3i^*z?eESVL6o^K72Vb8~$ytP^07X_!
zTXLxYI+rwc(>Ex|T{pZznw+8s5icekOA%3hn|TjzmpO`#b@Qg2TV*uz)2ZtSLg|;H
ztS?5E+LGZzKRwn#QcY?y-oDuj($uN%Vws{|3LAuJi2Pg*Kb@iE`)S^GVAl;ub<TPO
z4k9^B%k*}*m1NE>c7=c}+FH6tLX}@9y{o8vFkAq{^o&l|tHWKrr_r)z@WY6QYS$_V
z{pp7pkCgSX14r<sFWeqOdo#d<=Auq#No+ZwxkLV$>LTYby(BR8A1O5=$*NvUR1DRd
zz6z*!6DBDknKZ+(e%Go=tPYOVjeC+Dp7Zq@9VRk1!0{2=NBm&cLP)$`AKp6QE+vQ>
zQ$lbw-tNqww-!q>CBF2XOi}3-yd=tpt+BS0uIL6!){cxO{$Qpr_hWC}MJ84|GTMwx
zBBQvlGenk+y4&G-jgWDJl4dtzVWb552`iEhtExecxT@u+FRPF;$qP!6@-Yn-N^r9)
zERZCv#nBIY9Ip)T6ux@;U#aHT2Ob(c|6=$B7{}4_R&mvtykfAkQpkjczUh^}Lsdzg
z?YaVDv@Df=>%k###exC^6Mymw2eNKFs<!haYbuGh$_<Xu%^mQZL0((2U>b5@z$EQr
zPY(8E6Q>O+57VX{lGGd?m6p6WaiCVdr*ceDiPk#_V%%<!T7gJ>45}p>jubIL5Eom@
zz*Cbnyk(R(@b1Dm?^1F24}{&ju49KxbM<G`%OnW|xU4cqD6y%HQ%`%^+F^79F^-~)
zV5%op-gPOfGc({-2yw={SL)U18+9@5zlU^JjC-)Bx9uz6rqq`_Isdw~xmz!0Ul1?>
z6SzOhT*GrTgLu%yJ%!;)^uRTX?1djG#Crhe{n?Sx>EJlx6RK6_yG752LCP0ec)?W{
zOJj~V^eH@YO9y4Ir7#gMjlH<@(v#q$%{p_Xl5M$CQWa<(W_pxrr5-{5jNw1u6#lh2
zN_%4~8%MyE&2Mr1dzATE;I9>Ae+Ya!H_fe`ZC)AM|8Ph=-CF2Xo2$$LL>olFA@OTm
z*xw3&s{SOtKS&91{m$Ib7{EXR`ftB?#NNmt`0+oH47pOPqu|;&s2VBz(ET}j;3ni5
zVPHM0bbNLaE>%^huXNs4HlPb`4CfE-l*L+wuXok!Tl(+!w+R#9(a#PR(S~Q43L$74
zD*2UZ-dXTQbKAQf80rZ?9D#ere41K`ZJq!z4XYFErU|hW^8f6;m~5O~_izG&9xdOH
z6uf*HDN9&!0k!?sCDWZOQPp9uz@H5}h>Ydo2R8X<<bUlB=O5tMTm5(}KOz30cO|L^
zK->(lo@(rWKZX5^P{k)>F@D1O`?WLx+`nJ>{R`yiBj0YSiEi>1ok80Jn?R^?_`XUR
zv_KK_Uh(5!X*c%#yr!qoOvx#k2|7Q5x^lIv&iwXuI$7QlSwRimT!3o|a3Wy|55?+N
zaT`yUO~zBiK)d>hyO-<lkYPSQPX9w!?AMI{kE>vRdeeVL=>H)Qa9IFw>FEcj`dRL;
zHNk(D`?vGzPkr{R{!#`{fP$Y=-B-V)=zn;GfPsUfJ>Zh<@3&%%jg)@7TPx^fZuxsR
z-Z(<w>DG|Q!Wh*DpjcQ+@Izp2S3h$mc%kilX>w)cQ+n~%j~ADZ?yy1Fr~*?vhq<)o
ziXPLNj-L_)l^PlmMaX3dM8b0HV(J{EaG4>yYElgtp|D>C9<teZ=TY?yU|{3yiMure
zrc>RpCCY7mJWpG!i`<WH{U#Q^`_P|h%`)ywkEh*-1D5{(8il{xyA|M`JD?WepZZ2P
zWkW$@Y)nFHZ;Ps;Qq<xT1uSMry}|3ueB|e<W^|-k3Jy(Ntv)YXj>#}j?d4Wlcqu75
zM}Rf$Bw;>U0RwDJ5QN5$zPjoB!L9O!>UzlewYI?f;uZCGn{T{24t{F6r_rEzJP~Jl
zfc5nA-*@bP(D&c%kZ$;oW-cQzteHoX4<bczeKdrnL?D*o%Ice&4wz)37&WQQ^8VP|
zZh<6C1PXn2YZv~6K`NgRHnVaj4z+t#EM6&+aG#w8?}>~NSvLAOZ=IW;zDD4MauWTd
zIbXo~wU*Ssv7bNe_j{L+7qBIO(tx_W3(tTkVSPSRf}ZJtY;(oT8Hh!Z@Q17-L!EcL
z5~opxxJ-3-n9{_n@?h3=FvX!iA2ia;H&L$dLYncEw9;lHLW2L~*K7NDyv>ei%9rlU
z2)gd?bl{y8Y&im11f5xR_3c{hpXMo7nbz>M!8*V)1g!t5(*E3}fRVoK?}wmO#LK5*
z)hBB~X$NQ;mJ)Oi*aJX~CM8tU)0q#Wou6zWd7R(fQ(<95fNA7aiD+z<H%%uxoj<u|
zFrtP@6oE)>j$LA&LqTLH=my}^hgbmt^*zUF+MjZ%4qo>d<QE+RLu9wcNb^~lr57R|
zxi2`iB?{AoKHMMq6J#>n{KLiIU%S8d4{CNXHuxdYc#4LMtmRb|0Dy%6iN@2nI{qg>
zKRxF6i1-_~^V?NkMPpOIw<PSpllq>K-*0R0eLy47KL_U*FJ_jq*$^cc&X=&m%YgxO
zC-?cWv3NZ0ANFF767Ymjf?uOOTh%bzaF3-iX%K0XHB;ho4@NUoRLmk?YhK6R4t^f`
zc&dsL{@Dk#q`g{ips`0oE=!%x@W8*3-&2*SOb>JyZh)-vJSwB=-h7>4Lmw#78Wyc6
zaK&;R6G)#9g(wlp+3ESho%Nt(I{Tqm$gNacn@n9TTV2W+>c2k!6#tj78GJu3zJF2X
zPk&&a4RA>YsAvUHh5pa{;Ym$@Jntz*{5`6D;}t66R}}$=RbbU}(ID9<$7|r^amtVT
z;OrbP_@SiIh-5yRkQ8sX;(AfTFZykf$$VPo-LotX&<?>%?n`flNf_FrlvLN$wuPL|
z%VnppNGVH)HKc`BoIfLzzMG}t1$FdiQ86}-@q%s6<Psz@f6I9eRadmSn?~n$CU(ZB
zKTrHDq?B)SzORuHQ%C8gcNGh86im+O9h{uxrD8NK&>ff#4+l>8*o5u@&TFv-<<q1k
zqQm0J^H!C>4Q&oLQP1O&>f$wawNB9XVzqXHntkXUY7cK%Ew#H6)!4BF<Wvc|bi=VG
zta7N)(V94SHcP~h)Pg4Fv0wr?l8ifxcgdC`oU|c}M<g<F8HM7Iq7YXGd<e4lzOkfG
zJ5!9*%B~qhrm$*9O#b*&*MjD?y78Nw&;vL)Qs-uVuF&X#@44O{HSKl0^j^(?c`G$=
zqIx*Ye~@^23i`MqfmP;CyIp@`%Q-%9jq}(qaUwR35QanGbUy{bgOj^XmwlJtUsX&0
z3h?#cit8S+fOS8)>6WiRTr10t_tKp|<ibBEOe+6NL;Rke0X{@x|FbPdgT<LV%|ze;
z>@oQN>XE;PkMFTsz|qm(+`!2ZFz@#5!ySJYO)~zBCY%EFK!T-Qb+(`sP2Co0V9N?6
zNG?U$wL}o}MK|jVNDv`r%wiOQRDGHHJ)D;tU_!>zeSzt2VF-%DFp`|j*bkyKBqQTk
zsgfoSMKf*+LD>{-s%X4^L9iFlBo!VSGX<Yx`~t`7^udttQ=CrC%7%B!wr++yxYgUJ
z3hR;!?;dXLPZ2M{o<hc-E{p@XjMWZ+>kt5&?f*4wPu~3JG55`%Gorhn&bOe66ROWZ
z)0nn!>BMW-;I;H=-R~1wjKgkEtg8?DeBB0#hO!vEQM%G|M0T6!o-;N#=r`%@-IbH1
z_L8z&wY@5y+epVmx{!5IkDTirv`a8{gwEVm8`rnA(kXX>7l>B#27xqmk74v35pH<I
zV287*@ij6|U5`0lwUp(r<YUSoj#ZEs(Pzw!2*jFmlMZe_6}rglDa$U~1D8_4@N9E@
z7O`inU=-e$pZuWq;?#XH_vFpdPrXo#FptC`0EF8BC|&=rp_BlO>j5tL+B&M(TmB5`
z_ZbqPy$|TGfrcTAsez@i)nRzL;K_yKNjai`h#qBqOF;?w;Rq}<#xePAy0fp0l;Mmr
zG*FMuHq6V2KME(xNxC;Si26EY`c}An^l@^L2|x=LTzq-f`_)zQ1LJA5UF{f5$+ZA}
z3V+=!d@rTgDwk74{`0fgREcNNa-;;<s~@>JqK&6yCpzyklSGJWkCt3XvSco3YoAHd
zur#!1UX*^l$HpBLvBQmNcjmzn9W^@aRo{G}zk^-9MtB|8*M3Y)zXkJGONH;KhW`YB
z)f~|4^!mSo_s<b10ImW~fF3VksP*>&$!}l7_>G*%cq8z{Z;LF<Q@yn$+6Q?K(TKKU
zC51>hV(1b=8#)z2O4s3zZkWUpz~)#om36ZYX65V#bYL$39H}LTg12XFMplF|H2Tf3
z>%w;STZc^6JQoYZV<s6ev_`=VES__34tNLGm&AzBR*><piRv*TkEYCNBIlkD7YPxD
zJU?xZsX*;??|GAQd0U~#hJpZB8GZrNXjv+W)|XnmJeUv9#|^=R#NjX@-*~NpyQF-f
zgcg2YaLD-u9AY$KVD5P<8hb<Wt6G|>FYVSOYV?k;d6s3jdTzyb;?+C9a*zQ<4%XMZ
z++3;(bcLon4!yVXk}Il|@c1d`R~GbAjt6K$0$}j}Uv1|BPi6bYaU`-Op==Tg8D($T
zdxns`_g>j#BqKs0GnEQiAu=<f%oLGLksTWHf6me2IXZcx{_p!apXYO4@8>+<=XYQC
zb&uz|ugl<Hwg`CC2d`A)uZiFWKt#6>Pfa7P&Q~&e;}wuDH(k$e6JpU$GRK1T7GK`^
z+od1ALV*>c!q-o{VZ?HnN1=Tw{m51HLeR3UuAyQLij#_xjJ4U!t@1l;^c}txlU#ko
z;Rj@vx>{+9B$t&k9<3h{7w6IObN>=6OWAyEgl=gF*l701>~lf03+I=+ZPEYe>7)D1
z>$Y}nqgtB--?lq-V$D;7OjsdH`M;YVi@7*C+t~mS)thUcb4^e`iPY{@MI%|cjDC{l
zP{8WCaHIuBe{5{Y5%O<tie8NuXyn;AZcZviL`;l13`cz-Jf-Sp@m~0j^dgeImvi>X
zI}SdUMv5^cGQMr143a~Yy`~Z0-<%me$|bBLKPV-6Tf%x0*>w%HMY(e<-`l>{)|CI(
z34W;^&pXHtq8ISlTTDINkDfO%HE^+ZhRqNqEUW>qC}wV8v6*<uW_#@m$zpfU0h#`8
zmcEflr|4C-+1bXNxr%Uu#`E^(iyHB=;o(Uy#oX)&%N;AeOHU8!e9E==YdUx^AnlkO
zVS(($D(=Fwoep9w)n%9_r`m?1<{B&E-BUP0t1l!LTNU{1EsY7>6aDT{c1z@NT0x$L
zxrOOo_i07>$6LWB&}@j%*w{lMEfppcNWsY*1RP6*u&juid&WCkcyBM0;Lu&1Eq059
z-CMZyufJ@wnRaQ%N|Etgsv=~Dc@g+PLd*BDQiND1lpS^l_~{&UnnKr7f#U}RCRGcn
z8l#-4#y)GU{~$qsLE4@SvPl$>oA>xZ^5F;*%bw+?X7@&Q>uj_ScYL~nlgg(h_$rw4
zse}3^<>@{S=hp{t56_qj{-71KTia#Mytgv~PJq#y*f|3SFLsEtieJQ;4v5kOe8l!9
z&h}4=+1UVre?WjCR0x5WP(Oq=<aIkk@^d>eetH_;OxjgtJPM<P_;O}OT`uyGihh50
z*+pNW6Mmnn)5oT|NiyhrB}nF*3sjA2Lz8d#c~O7I=RWzx@0c3i7$Lqxz*tf@%VeLh
zb0R0l@)3$~3iK>v#|udp)vbdcu~9$#F8RZ&p|UjMejc%E>IDx&zK1r}K`i%bE>P4u
zzml=M{i@(##A4GI+7`L0aY^tHReUW}<pvvm(F@?o!+{}cj|K=<z}DH(&f5B?D~^mV
zP^c5e4q5fW%vCLahh-e5#?I<@p8!qbI&V%U@wYKvarGXzNfZJ#avJ{i8$#<Vb63}q
z5BQtUH$I4|OXKd$nW~|TjH`c{WH~vKD2^jIA0$YP9@T1SuKY$wN+_~k;+toT)sZ&M
z)lW}QXPZLJJ}X+EW?Y#xc_M~mOeejRdH+QlPnB1HNpG>04|6V`(=)HjvlO@cYQHzQ
zv`MtcutdJ-@)}MHGf6wJf=X(jDji11f-6(`=DR+(!Ogqcb*X5{u{D<J6}jI~;9b}%
z-?5SeKrG05KxDt>B5iAI;%>4T87B|{%@-!T>Mbte(u5b<UV}?c$mn3t-(?kQb7t7{
zA<@Enc@Z+oxk}VW2cmc%a~X{YSDBE^A1mX?q%w-58`itWn$?s+$r|{<|0!|?0~K}b
zTa!zg`caRQ(r?czt#DI?wdEC*%9g2%M+Ov4JR5tJ@CLm!@vCP^j|Fp7hx~M8q)eB9
ztZtCpy8tm=<-jx6%NKpSi6KwD>HT)Tx7pi!`7MXHIsQ+F`m0O?C`_0GwuZ#IS9^p0
z7>lBzrHPTVI^an+!|_<0-0VN~RVdW45~2;Mnx?619m8(r&VCo75Q=f48@ae*w4B<8
zAgAPo_#qOH!+HnM1`nhjyh4PUe&F=-M%Jaq=7LH|9)nCT=h~GoxE|-eE*Hrd7r8ED
zsjPN044+DP%2jnWSV8=Gw!({Vwh>r?&9iMBDfd6{l7u=PUi%p5;_ourj>gI5K=e6M
zswbGUu1$Avtlytgx$MYQ-DK2H_GwwuYuV!sHmFD@vMHY?G%_`99^@6odqNiA`ah7W
zzdL#a&wA@73Z7B0%2oq(8QK8;;`fEt^Zct9=U?<RZ)`-(ZCu#+KC(2mG~_hLvH0QZ
z%(s~@-IpzUK4>AWIRXDS64FF34qHp30fFpE(dnzv*P733zNo@ZEVRntZYy?pKyq%f
z0f|@0r9tg$!8HyOZK3{8?;3cIG+%uk)@1fnpj$e_*uh+4shY&W<QW%1jQG2|J`R?T
z)5YVkcnD(*`_4Z-%eCR78Zo#dtn!kOlWgw+BqS`rQufvvpe-p6OiL^@fYVhb@&@*s
zJ69UIP9vOzmrHybY`%)JKS+1}+HOjZ(`IUxWGqc@{PwM+!KFX~+Ok+|1NQH$gQs8A
zoOs*ndR(viD>v`tJ11sONj9>YBo;1-m&CYe>pzAD(l%bq4G|r>iIz=pFtmlaD1CDN
z#YwiclmvEh6ShDZ6Z7wP3>Z5Pa&qV<W)!HLCOL6=YCa&4)y3Yu6`xeMM#Wm#0zF>5
zHk!y$i)!d{c=myNR6Q>qM~h}3vid;uBiXN3Zs=llI|sdaSsD(V!1$+NDjlj%LRgbB
z-z4)&_41AkGt&39dWl!QSz(bhn;dQa!k0l_a#{JHHWu2(y)5eHLY&Z8^K3&2W2}Oe
zAFVi@$z5_@Hd)s#2M^{tl@g&HJ9+)}F`nFasa81B7OO<jcA_;k_9&Un$luQ;Up=Xd
z_Jz0ni}UAkv?|=Zyep%(I=-MjdNe#^`Q5;oqx^VRmn6xxXEhDx-_x<AQagCuFCEtq
zK1=s4EQ!l5;E5!4?>V}QhNqm8V$Yt-t0yyfbitgEF@T^=Mf*`MUBIzALPy3Fd!MN!
z7Qws3jblsX2V%Oym~p7bC72u@w&|+yXpuFtv2{JKd8mmY6sHqQ-uUW@P=sUYS2}*v
zl&iTJLyPU5gE4s{Un<4M4;&j=u)p~c+kd`9jpNEmVn$LLGR>T3R!xoI>vTQtbm5qk
zg}%qj4b5$pYu=YTx-xzbicjvoblGvJh_D`G@KW;H=&bz#TUA3ZOKn9D_iB`cyE=t;
zi4%IRioPCMN%|t^!4~7=E5huG()5@e%OFUe_RSIZ(9zI%N#}Rx%3BzG)mS23hO6%k
zI+ckwe2?Ysi&^rv8vLB^K~9&2#xdA2{@`HX(f9zem-jl3va6lBrf}<PeFx#hlpwqQ
zWI!neMQI{l;RErQnG~*`A%)STBK8p7(^A|QN?3aEEUYYYuN;`qaH+qlN2wK}HB{Nj
zKI(tdl9<A!x@d6eY9&KBd4@>{pLXgJ>C~I24D}_iF4JU(eYBI_2zzXxe0Ie9#t(0~
zH_Ipd*6AauQN20_1dk3Z_x4M>-&5Dq->}z~azPhzlFl<NO)O{Wet+eGbw9y~o9ZL=
z0{_n_(-NBD1niMF&J+k#tDUZjnK@|7i=$6s<zJ=D>ZXAmaP-(j0GZ$OSY^RvEyu6l
z%Cd<i2$iq9`dF$?`aH;?DQTLsaikFM=k6<MO-}o!S2#Nxyph|VVU=);!uJ93YIBeB
zU5iSJim_%3L7hDDQ%|iM2G<wYCbK_J6v<Of#WSj}uTD1DVxY<&cslt&q^e)Jhs%Dz
ztJ9J7zyi5e4!w`rfp-Rj{cD%Dhfs!af0gtu%szF%YgioFYdk#EYwUFYl?fN^`dA4Y
z-+v(_QhXr#p<H0b|B;nMW=(x|fOFSb^>}IAq1SJcKE-8(&k6DovoI&LpB)Qs5}aHW
zTH$HLMP8wpKZH+AD~lG8-=Q>wAy?*}FDh>SP>trgA6D?}0&NL{DXnaEbU+T%#Y6nL
z58Fr++;wad?>bqMVVIGg?B{;N+J|$M=ML$euPs5}t{*`&WUI6wS8h*<R^d-eBPI+w
zAj2Pou7WYcIHt@*_Yrs2#hU9TQ-{;Npyf=SC{5&8%+sG(Pw?WOPZVua=(6d1SP?Q{
zmzFmrYg6j+?anx7-bMMGoJgVDpYpHu1|_c)f17+Xw{kOuvM*a_aIUk=qF94JQO_3b
zOhs>DWb}YjWUrGcagLJ-*~IvRh_H7wkshuwH@aMTXLa9~m3Wo(pX<NyC`0#$1JTCd
z$@>FyLMi1H_-3r~%z}fjV^1{p<j4MKL0=}5Z|h|uNI{+?WEDIAx^YOrZ;sysU)`dC
z982(=c*qc=Nus15=0PzrIl6B4m@g;V#cnR&y6X@W?-DMCVRc;HIqAl^`?qKWH(U+0
zh!#Z>iZsLICc;mCoNQ4!HF&BXeYGtA<q4&{0$!IlQ{xhoq3**^L{5kVTc5IzPF2v#
zmb+l8>DQQ48zg<D7B#W2T(U<E$FL43Tqelg&rr8FyjHu@VEFun>l!HQD_C9l#^*jM
zoGIWf(R29_MYrrPozX-)#fs0%8to*x8ig_;8z*&%ioTXJNv=kjWWb=|E&1!=Fu_un
zk3`6Ch?_VWKd*DAu=u`pSYaPMT|8exb1^P@WMTTo$_;)(il>#Kky?~^HD8E7qV=~^
zo2f5*&a2)*yX>%>6Wc*V=Xv@R`r}>=qepYjbT~|nF0*2<ZG~RE7;q$-Fs83i$M?RI
zM)H{Jc?QYjSH&(O%6N>82ghUb1FGW+mD!AWfVvJz9Xa&$Q=M0Y{c>&%NYdwY%#ZgN
zn#-b&s__Vrw9XwK8xa-#F+^ghZ1Ul&iex+cQGW(fa!s6O0cr1b8`198@rCM@B`0!S
zmN~O1;d4j452O<O@KVYP#b!vY^sTq>I!`%6zD`+u$o=re%7n_y0;k36f-Fk<tHtrx
zt0q6TNJlBAjI4EtsFJ1TqYO_Bow`;v$9r*PGJ9jY$I1ac_EN7w1~o7<83wi$_ZBb(
z?Xf_*H6RFUd%|{Er3RR+VOOr6_70Nu(NC!1#AvUN=45&IuGLwqi<=wQJZ+ut6PoCC
zl?<tvrPSNEN6!~AbD}auN-OJ_>mB6#s&65$F-fmJUfz_E-{^MsTH7a)4-%+&xewT;
zwS)6->Ew$l7V^cNw=|txie+WEb-gKhkUi30HbLTuDsp1Ms&S9Q8ZlG$wJ(}M?_!2R
zCn|ACWRbPY+dEfqyKHr5e6mXEE-us2D%QrFCy#%ZAp5{2aq>WgFgvE*lk6eEh^vv)
zQ^9q&Q##KqkQ`r1tZejT)oal4GDDuu3ec$Wl*4%0km}Wgdg-X}Gvqr?;i5$GB{^&K
z=PWh`i7ZVONvgBOi9g$)TW3be^?a}Rc(VDk^vu(sv$9C>2GMm51^2J@fRcOf+<IUE
zrh0$Ae248RA>PK|*z<20TG(zLv)%l`+8rtW1^4%Z2;+S+v>a4)gP*Gi0A}Zly4T}*
z(D$PdSkP}vnm7Z~Odx8{3_8^;j(q_bA-?$P56s+L<59}H(E;5`nuJOir|S(r%BiR}
za+Y-64_}<)X1u&`H(I80zSe0nwTzZ@2#X=c@*=z010@rK^xF6mtdiPew=m*4lw`c-
zMRTdCGuZn)zoN<N6R3G8nb5XPW5zdnyQ?I~%oxAz8?qQC6u6JGrubNr`QWA7L}vQ3
z%Y1E$&1EHTO1(>TWRYhj`tgO{7D={=pm9nU_FqvZy>84Uy=-!l^K#Xz*^?ISGo{@h
z-dj2Qpga%4pb@RR*Z#^yA<w+<;R>F0vMF;|*gdnF=#w<uZ&0{9*=%vlyZBD@`*Vd1
zyv@OQ-l+DRj=T5t=ntR80p7cq)1ihpjgX6%ommepL=C*M_w~q@js8rXX0dThzxvgg
zX-c1~-%{)a4X#CJRx$)wjn}$8WvJ6k>HSWcNe4PA7OUo<aySU>Fy#2867Z4vYa0MJ
z612ny>meYDB}X6FoE$~L6*+Aqb@b5dWrKIRbG{1Msz7E+caPAL<IamkQ`|g8L<2Eu
zHtqObbac;_s1Is%)F|I$wI2H+>E3w@lu{WIK2cPU7gPYi+5!f)x4lS2#sy?6G1o8v
z0tR6jH6x>HAlvZg=hnk17CI@1P{PRg^$*<}EY0u6ENas}QNK24C>7^UHE7ClrjUc;
zKG9i6N$q$1$8t#nC?q8xk|<-CSTk2^6H}3x89kSqBR}X9%omFLK(EYj?tZ!?Y5p~?
zvIlisC+Va5^}~=qEv}t;V4rgDj*TXY1@=;`v2w@#NQO@KHjbotz8l^unYX=_Q?D&X
zn{h1Zwti1Dy-sghb=M!$19{jHjXjNb4DWgBj$JWjv(b!UK%FOmI(y4@f>0ehC%C>B
z8Pf(C02=2!Fe&?i!VRJy4dRECG;GF$xSu>Et?fKv{PK=PU&VEHwv)I=1sh(z^7ZwY
zal3m+N6B$6u*4FZyQ3pGg<pl9&jvm0HLt|$mqemd%@x)2{^)UN56i#BpYCl8W9m|3
za*R(uW~G>VqXviVt<|uvK_o}H5OW<fnt1X_#=N|lN2FR8K8<?DM=YL9T0fj{D`9fw
z-Xnq~zS&k^i9V;u!5li%BMTLzL&!cO@2jj|_j3{px=Lfnq^Q(|3W$u_-m@n{iM8>l
zdOl4`)_%Ulk;J^-oaAMKs7}?6W%6iMzB^=tE$W|$`E%!0)XsP_7AG>A%@z<-eDWjV
z@f305rV-T7?bPB_PtentwUuZiFvZTX1`Jl7LMakK&m?W$m~VcCJ&M6^X=uliB(`{@
z?&^h+>t!SQA<@bHaZ<u4*$-6=Ue;&4A3h)#G)AemBxjVwhEe|MRIm8==U?eYdCiqs
z2Z%SY_*Ae*ALFi8Q)HjCm{VV}kK~!1nQi}^GH`dLvG~iV-AupLhU3(!rCXZg>}txT
z>8|`Wp?xD|L*grAM3+@RT2O@_l6Fc#m*}-Fs>6^WWY+n3S`hr6C_cttCH1o1RTe<9
zBfwfg`LEr|)`s==5D*z74|zWsyviFq-{PNvl^B5KU_opl_K`*AgCR{6`MHv;7DrLm
zDle1C92&Me+F?m^k%OcbLl+sMPpRf>lTt^#6Atz=DY1^SDj{MwqRM`(9~^s_I-|2i
z^D7RYK3!Ao^y9J-`QT1NB6&yYFo7EsXB7fZ7coTPZD3uzuQFeEHaUQ?T`#d<Oy}4#
z9bUHISLI{GLV_)I<Z(EIrFsM<Qk^-yUs5i~2;Gq8qFrbhl6Esmd^mWib5eYy>Dkd(
zcVun8OXs<)Bs(;pJZ|=<)g4w0EEYg6qU%oK>d#5*%symxwvOy(XD3x?Q~R}7jJ3jn
z1E?H|%U{INjZz<dvUNG&#5{8)^21At4qLT}CzemH#tbs79{habu}D+99EVPGAG5>p
zP6-p7Xa2m4Sld%Vi2L;Pe)rlNXp~^!1M&NNo0LE&5}>ge);QY-hL1i6;uon1k=hI8
z7SO4fhQf;KZ{Ce2LibyV$YQ1nUe<r7Tlw^<@$<LbL5bx3Dl0VtkF^}4JWTntO)n=V
zVo(#QdSgq9suV|1B8%y!H(qFXs8hf{ifSi{OP|i@98gLaN9J>3RY-@6JXk{~h=?$&
z)69dEVJej?z`JVuNgo1c7-}e}LJF8+7%=($`+?%;lLE;@3~ZqD5TN_o1p-Fswt*Re
zK@{O?LalPIoBC)*k?M^DxMR=XbiWD9VA!Y($%@N3)Ke$D@@;T{&rNAIUF5!V-B$&t
zx829J`A=1vNiu2Hm^28>m{i--(TckFGulkillfspx5=3(-Y;U72~;m?p+iAu5^{Nh
zYih2fhrWR&8$UE|LH<&N%lzcT;6!#Ocd0e%l^<Fbr9R%kD)TKa(}3|Un^^j{bW{t3
z&o9**zWrwP<FP#1(l_O-!r&totpoDCN;GZrFAVKe>^-KEl-x#cqgK)DN}VCO^u87U
z7KO0p@&RoF91W6>9*4EcB_{H0%$;AUGtl9m=wU(Y)odflWR@@<9J}MqL_0I~a;8;{
zImCeb^_2p_!8m1?z%yf{+wIT@%m%$@?(&xbmgWnz#lL8W%`=Z6H@X>Q1DtrIIGS~4
z$fOC)Q>pPTdemDYSr=KEUY_Uk11X1i`LXS!f8bS}zzruQiJOVEOfEHMp|G5J^Iq*r
zSqpPKW+=CCzMK`c^`|%J9>IKfF`ML6jyiR`mO_5<nJGbSt=4(Yo}!hNs<Oe?fbl}f
z)T9B<pgzf&u)!X~#0QznJn|Zjyl?3}y{=Nq9=?1wf-=2D0ll)Ho_6W7zrBrM2>WBB
z$uml6t@#deIJQq_#;GVqpaC|BC-{4NLk1bR5oXCS46<8>L`p*5LGSH-J?JNY+P#>8
zwY8yvkrmYRaay;+t|70UKcLyRa|WNK(Ptb6W_Nae(@pfI{-!+FY_*-(pBkUz8zl(W
zQM+$Py(}$$EINerai9jVY!k|rcd8+CnwaaP{KGpV<%_M{>LAdN_nxxAXKz00rxviB
z9^&rMV*)>O+><wh3)l&dPK-_9$*5u=Td1-ol5E(HJj{_gMjNQPEYIBIPLj%B|Co}D
zKfb<L@#Tl3GBnlg<<u@x#f9Wj*nC{^eeRVThi{c0q*(RYHh74OO&K??tpKq30fXOL
zb`m(<ot!rll)z^KONrvc17ga8faOmVl?ZBv(y4k>Y$>^?u3U-uhoq09hX<|A1zqV5
z4kLY4^{R?s9OJ0}l8pU_Vs)=5v-`<HVd0q6ktazdq*e4VGwGxPTk}ugUSBnKy{?A#
ziK(4AdVsC_rGPZmDV02uL)`kIL6s%u)!ey$%~oeGE|T?fEiqnAPjL;gP!p7^2-LfQ
z_f@Ne<g&<ZVjnU)vW4*4G<CzHdUQjr_c2!8W)?1#A1tmAbiZI=z;NTiy(oHkmAu=(
zX7vEBnTTnxRbqCi1a~y|lV-o|2rK^O$<yDT#7Fz4g<1w{7I$jsD!aaq<e+0Y`Lgf2
zs9TTkrAZWd8NV#7G9(YG0*B{LFOv%z7mnR7V8qYP>0Z-z@1k#;$XD`|AZAV1!JMBj
z?^*~9BTTk$zDiBY${kX6<`~MC{tx(GbO$^~1&>{49OBBRJo&16;RT16ff~D=3?*B#
zKdQECv)3F|(XpzWnza@VR-ez*0#qepjKy~0m*lWGWAq>Ko^VOe?Wvuq5fN)d?-;dj
zu8~aVpWbK*LBlSRd@9^BeRt^-cRTwv$-o1Iv4b4XRy*_)-Ypm2oj(5&x$|~rg(!m+
zhGObv;*Olm`oi=pD3|Ke*~*`!P&Q)wxwaJB3d&5CyDVp2PsctNZ#=JIT)Hwzlz5;I
zzju)NZdMZI^2CR)`t8S`Vf!ApkhvLug?`j8PcD)3{ZX^@_yB@J)$h0u@OTdQ(bcbH
zS|$Ei3DjLLJ7O*$tUY4yFJsd+{;J#FMYfQl8|V6r1_35x@n>-x6#iN6c1y2}&$c~k
z@ltUsY!{d+TJklTEf+F^jBan3r92S*e#N<*<=AYklGxFh3M<yJ*<%{m>UAvCHJ)1L
z7H#-+2?q%9Ws*OfmS0~VjK`Obe|bmoHG1ka`3kMR-Q?R1igxvD14Xn}&s$b<<1Axd
znTg?b#8WY+XK*4b=H?GK&@h!*SzJLme7YJvNwRcywxD^2YrW?<xm)sE<ec%=1gQay
zgEa9KIJmVv;_VG(t%cR`XkP<^ZBUti_#Nrw4WMrya(KeT6?ye#$<*1Z$K1hmACUYl
z<zopmJ>pJUU9YT+Sko$SAkaR3QN<7a;;ZL$?ChgI^q$e4M3-y980E+){1jUf%Y8<f
z<C;uPn64YAa~&V$kBbG_mk&vLX7Z*esWCV|Y&Sj5jZt>(xZaciT4jfuSVbuhfrbJ_
z(#TY0{kJzu?M;@8=T1+zMm{|pJ}6-A6Yu?Pm$TNKd-sl@YEavuUFTM{l8u4i$^kxm
zpA`au%g_o_7l7gf+vVYa$jz;+i#8DjkPs8pZ*s#JkCBcV9<roQY(g=7f$9%Lm=K1d
zg`fE`r^lv{c&I-1QV(}dhkd%P^&;OvN;+a*nNhMcr!;&TBo`lkY(0!6J3DyWHvL+4
zaert`TF(5@^pM5;T0Gt}Zo5Qw?XAii#J$)+-f-F*{E{x!q`~rO5|E2#0FZ9)J0{z|
z3VnkL`F$X&Ycr=nF_2uopOet%n(x65!B$2x9$7Yh-EbPMn`wg$EQWRstTX<x*KAmd
z?#9IF=1uv&=eZI`^Y&#d&P6@Lu(2}lNj_rBwG4W_(9^2654D*px%mVH_;~o%7p;a9
zsIaTlg1bdEd@Ps*8!xeZz!3Zr*pg-+9dW;@W-<MRimB|~3uq%|`3gy*$#gjxilnIx
z*=CKCCk(Al6~tatCOLBook5I;?ZR<X@7A<s(W5jRxhki%jHx(V&S)vdiQWjkl!1NS
zGpwJEf?>g8aF8J@N@D4K=eN$w9Avhfx6VIq4l9UA$GtT$f2E`6v%BZz0MkYzp`*u>
zj}ZO18z-L7^)Q<5W_&YYWRGLr8WYpdO)le==cn?*8-%$zR!J@V>&IF=aywhxlyW20
z9u*=xTn~14<vE)9fn(v*xbs=^=xDsmw-wEb91FvXD=Uutq`Ha?V;Va0&+Q}&JB+U?
za*a5Ck680L>%)idmzYkmrm4M%)TS0hKZZR>m}XS_4)wYYM$*k(Y~9mD@j8B*iRa#+
z2oTV{iFYKta0PARghX!qV&_t>z%!|i{9du-IVpUalqa1TS!MC3-;j7ESX0Ss#IM|s
zdwqM=(>$X<?>kE`yYk605sBovDl+*;NwjyJeIGKM7WzyycE3Vnh-M)|yd3@YpzO1!
zTqDtyNd@_tW|pUJ)qGJ^7zpt4=0LuE_4LCq1M{}|gGUw!c%)*2Xolp^OWsh+=48LZ
ze<CUvyZiWUZp!2ONmWDMDb;x|xC-flXp<QETk1o#@A8a3Ef8tK)Oc<i#!t~?Y!N?5
zAQF@3CYPnGe7og@iC_aIM<2nxj&}q}=_=%hBrs&oe?0ZPDCR^nveWeWy5nc>G2IL0
z?jvL(i1ncF))^aOAU`7F(|yOrgH$Cl%O>tMjrh6aCwOQDZlQ@QG>HqJw~&{xj1Z4(
z6KC>zudYw56zYangcc#&*4bKne4|o6KjbE#o<n#`_uJgDW%YpZWfOM{MXJk-M(fk$
zL^+IaiqU*YTfcFsgc^Caq2YO%#2enL752<`3M1m|w-tRTZtq0D@`g$9v!~?wr?f>w
zMBXM?5_!VoF2UlAYh#R^1_f*(hLtjFGr^Z<?4MQJUtIV=!@)BvGU$8fjgi#)N}@5g
zm!$de4pU^Gt2tjAC$BuT;w4^)C>DRg&g2!mLE}tPDlQ|w#C<q!lvC6@OHjq|aCP9A
zm{bv&%=s{ERuLV`wh)qQXJ4T+p--16N#)ywMT$(@=u@8Kn$>w+ojgpoAlv#DgW%%q
zXrb8;;rfhL{m@X9$In=)gKs3_Gg3(xX4lkK6X2l*(z#HXGE!W=l^dXaZCtYKM)<VC
z++F#~H>V1y^H@{LG(yVjdYpso1?>#G_&j+nto$zw`(8<YMZUJGHaBzJmWC<@m)OO{
zn!|{oBX?D>DOS^sK@*3(Idk2w$W1VWigK3po02td<M`Sfe>vtyv;M_=j$3r+6>1bn
zl~|NQ?z6oX7{6(eW<nm}*<E`xz(MhHBC5E1?39@0RW##L$KI?8HV<OooF6ko3Z7jL
z(Mu`)1|E_Hsfwl!M1&V(xXbt4j*=KCZV2`Xh<qiJN=lhOlAifAMLt$sPTBM5cyS~l
zv5)jQu_6iLRQqhB4Pyy;DZgTFlZYxz&vF}_&xW?;H`%g2^uBNUWY>K4N5Pv54oH|<
zMG*qUdf#sg%}l(z>3Z+`t=ErmT$BZm<%_ZNzFu@bU-yG0Yj|J-XR-nHR<t_LNqthv
zpwiE4#?j&eQ{;(n*Y0%Pb3R)?RDrFlaBN6P4j)gvoKecymr0PJ?^XLzW&!V$S=v^V
zRFxwdt4X-SV^KUW9)FYx$#$q&XP7jSza5t>*2bJWzGOS^8cEEakd2o>$=m0yaOz>J
z_uQ0^;MY@M*hdDeFZ$*Ax;eR-nhZ}AJU!>ctfiByJw*EP<;z@}YT4XxkpefWjt&~}
zis$?wM+-n!%&8#N)bu)nGCOvBMBn={YKq%QE#7Blu_SGz1{D#Z0@*`Eb-{%!uaAs-
zcv7*9`4v)m*`(N!k%|k-CM&Kh6jIYKiM@0f!^WY=;)xa|>aJE<bg`K=m(ZIR_nfU6
zX*lP`uXnNf`}0oOKzaPY!2Zs$kyT7|^FW7(lek7-P|Q(_zkX|`#~pWPs{0^W_AOwM
z_cBLn>!W8L0&?#|ODl|s-qWAEL}D*@$;h#<#$W5Uv2vp7T}keIdIQtCG^$kbJGoCE
z$ustZlFi{J<wW4bvtT94T2>NMT(}f+_*j6*GPTx;nmq2Dh=gW~T!Rd+G70&{nmW?^
zMvT`+-E-#-QOq2SCQCzq@g)&YjO^Z58cNaJs#Tp^OgD~LPvv)<t+-)M=jzdN=z-hg
z;#(F2bXszj6t!>j1B;HXfAc7D9bIGmoS^1FX0y(A;`PX^!BY+9tW-mbpc{$8vmrgj
z!>co<)Lz(l#A3ZEhG9OZAANqOJaUKv>xB@7Lo@MImyuOdHr^r1Bg9kD?W@^i0xHzD
zxOF-M#;+yDBflmYC|~`WUd7Ih-R`SHBfX(R<Nsw8|G`a#@hKjH7w0q^uXTTzPU)l&
z_NeOTx+u%{gL1Xrz<%mts}TC6)7*~z^>&5GSB$`GEqAQ_tnCm?0Di8oq3h}%4SA=2
zPJDq|&kP&s`7)KR@qS8w>HMJYrRGCgHzv9yGHOT0nvg?;NX%C3U*`r6iu9dTUma~v
z`ig%G)pfP9^xKVNRnkK^$ySBMKus%FUY=u><S9?TA%Djd>5|pLJeaX~+U5h#kMT}a
z(XryzeCI?l^$Bya_BWx{!EMb*f|)KV39K@TL!oELo@dsLswx!p9DUG0B=afVQHm!k
zQ1lcq{<phF(;0i(#1Wc=<j43N{aDX*6}9R)ndk69U1CE0seA4|hl8Th>Rz>Yjrx$`
za@~?Yg)*krKd#i1Ffi}w=);quTSfPVZASH8J5T<a7ag;*p0x-`Kz!Iie|5tn%Uar5
z9C^o9p39thF^-hX@?Ao6>@2jZ)i~e%b5z;WI#dJaF|LdrlQX?CzvRxDgu~sO(ER=5
zL>F1rRXe-Jt}kPbXk4ZCJ{*;at@K=~o?nqhKU`RIVXq`XiZxY3r;Ic~Lsfm8nuxw&
z8cKdB_z^WvU=owDM0bk`-Hk)C>wYCCB=p-KWsg?zq9i&Ur|a#+qSX8B?vQQ}8~t)M
zIW$for6BHJzF{P(&0H4_OQ%cr)3dc-yG~Gt_IW-zf=Bc4soID7%%gh!T|YX`NtaB1
zmNZBu_>|k++G&wZSUSI4e9J{JWK|1zhu2!iWxzVYU-0;ZdvF>?TR}8kx$rYO!sloy
z=rJbg=x8>CFY-_;OZev`t|xHQtqL1g5!}CBo6Wkw&#*RC&^j&s-Sv*K2Oj0E7Z=VB
zaunfVuG^58Sn+!i4Sbgkb`7J`u~5VOw3Jy;nHl)rd3-=S=m7m&@66?I&V<?)_Ycbd
z;CO8_u8CVk*NlwiEIeE~b(&OyXJp3BrO`FTLnFo7`%04A*huVpYo1hVbn_uwj0R!p
zXS$;c^fB&EMKOtmICT<XBiY@|&MqvklLN8BPR&iwuJ_t!ja}B^rW3&WtTsT7S6geT
zUwkX}Men^%dwWx>kI6+B{T&wL4IJCe=c^_*jxcrjrY$j|lab$Ei66smJuDmBd^fxV
zt-MvHj<$hL>SGH7vpfHjZdr1)!<^?%bnzI_9+?p)q7oQ8uB(3~YAm;jRtb+#`0VBT
zT=kqQlj3$OrFZCMBG^0c`9H^HjTtmAWUt_+Rjw|4Ue_!#sZBekjN1C-M|?6l^T6$J
z>HDL7Ys}1IlN*Yb?1N)N%~S8Q>6Nwh9?tQV_Afa5(&bL|rw~of+9j13_2DXt-1b~D
z<XT<{u(yx8$TgIwI^EfOk}-&X-qub>S}BtnJ^vC?xx@0QxtHjp&nB5a@^m){nY^bA
z#JzsO7{hMG(y4}__xw^>f3=-FU;ly-Sz;-rtiphU+}i4M&KCu`x$>B}Q%R!SIUJ1q
z6Df}aFHc8BYWr3%J;I;+ntMkh-K4Gf)%15KnfHmK2aR7FCwvEvDj}m#A|c*9Btkj?
zEaD*l;BQ`jvwen%L<RjjG7<?=-f1nhJmy~Hr}PE~QrLQtVc$3Jv%O5zZq{cO!UMuz
zfjt}Qt@}WJ=Pd9+yiF%3Ehes@D$e5U?hL*q5(bYd8EG%_eFa3fMEq#Sw{8h}w8sDl
z;#=A|nw<gP>*m#q(8nuQC_10~%j0d{YiG3dDY$!m-1S~NDB$khv_ggqk+hzi9D0SZ
z?AC;=aQ9{h9(Knan9s4Wvv8b&Jm-$ToG~;puyukXfZY-H^sw){5pcs1`0azh6iCft
z=jgEql5I0%a}Ihd3AC^r@R8agp#r|W{tFUFC25IGD(Gknwh)*#>Rd8}b^v&dw#iPd
zV#R3#9FSvhYH(zMhxgt}FpZ=vOdJgyjm#~K46Ofzl1$oYSIVc;Ss{>@|4P6|9*$Cx
zVE>fTwieE?#7bLLxe<wY1lxF5ygP#-vzh=JB=3_F9Nr-yvUG<*|EH<LM3e)vTtK2Y
z{zSm8&xi;&9l_4Ry=S%v0oy}*xi>;PJ7>5a5PDn#3E~ZIi)>!u?F_Nk<AMVq1&nbI
z5<vg}n+NKkn81O+Zk+A1=@MbzcXJBja3J>k2QhGQwgdJIH;)|uHI@P#R@cA6+B&2M
zHgT9tdy!28j!)?5zS|F8wk<xOzKE-}3A~-bIBzE-YTj*sMw3$-{~a)Eci=^g<rXIu
z@Lvl5Z=B+`#`bm=w$9*{4_ITEFZOt1g20U+?xX@+?2t~%MZ9;7e`}JqLE6wRi_WG4
zy~4UMcy0vAW~Y+&=t>rFb1C4h--Rt4h?KE^i=%1}iNh5I`Z8#H{g*L}H|ZnC$jM%0
z7%=R*TbG6(=W|K+tlO3qf?IHR>qG42gtsJvv>@`a{gdq0AByUB?+?M<*Ww_NF&)6i
zWQ&Lj_;%?Z5P@3n=gX0wec)$um0y|^))f@IOc8X2&29{_J-YRS7BK)MB+0QX9Jbl<
zJqx*QZ2%<HM?-T&`~nBFw}2d3XvYZA+Ps48ZRcRhz6A$qWdqW^zyTu$^eq$E(m3R8
zq4$PeVV1WW1H7*&*cSsR1PY8pD&+>nfn8x(JAK96Ox9V*tF}epBe5k374Qw4Y(J8K
za1hSSU`-{i>ICIeW!}8*<jNQRg6juRK%y5E;kby&|B~y^Y)RD)UO+G)B(&m^NVP;4
z0QUwkbZIz1REqro{@NpdF>_cSJY{0`+dc?E3+1!^>I|So0w4HUtsv!JqKUf#C)AZ(
z46QAk%zvKK23sABkU-IVS3<f$emV(&4pQ>+Je+t`RQn;62Ws~jn3<?<SI9<0_3V-b
z0xHDAIQ(3@X^&Kn@KfBF1aGLZV^(fn|HL=&Zpi}iPe-ZuCJO)n>WN@6YHs;MSzuQf
z8`!>O)g4rrq$9Py0(X`L=3|muEPxJ3Hh;w;Vr^mIB=Iu_3Jiwy?LB?(@m^#Y80@+U
zhIpvv*aCxy)Jn5wkxXn|5zhMmYji%~c2rLWxFuw5E3*Yb1$-l?-4}$ot*eEjovjVf
zy~GUcx6S~-3G{QHikQRdw`RQaun+tw_iFEKK)F^h!>d_c=>FAz>670e#EK8RoG3rE
zbKis#*c1HoRU@pltF*1Xi!*Qt%*4RvKRS7*m^A`*w$~Z9r%aaXfVhcSBFI5B*ajt}
z<>DFkLk0x*?e29rO>B1sf-n6G1}bL#8z4|2U~mh<T=a&E9TW@JqPul7cweN?wjV55
zab7SB?A|bIf_(@3BFKOSUm6%J(UZSofwdi?Lcw58m}YsG>=9_TZCmgKe!-kK+4rm&
zG`{=y<$e+IrPEj<Fg3)k^W2v0LtN)K;3VIl_eztk3YNP%hu<|Pd`(@jObTcBiGjFq
zAtH@j?HzV)L-^vkU^o;Y7<ykCZNtF_&?3TP)ppz!556)k7_WZccw4Rc+ZpE<GN)as
z;7iqlshWYf!2OA~MFn&OU?Kfmwgxn31Z;?n9^R3~aP5-~S~M2idN4~z?8p$ah{1Kh
z4}Zl1>^E-~u>EtWZLbAi<`&#|GC;WEz8Vj{s_t)#-hydiKGt{s&zn;ePC^ZyzoPwF
zmKMykd$VpU2w%JwtYFDMVcM;fEtnUkp+uhxf-bSm3tvDM%saySFEmu$wVW&>V&r;P
z1jL9t4*b%rjc+f+=0Iv(gkx6J$Ib0HSd;HI9pZ#DyW{+O2Kad{1S|yXzKA)tn-0F-
zEV$`x_sy|+xC4?66n0YOx6amN`Z9uc+Qx$~{0hbk64<j$5F$`PIj~$XOMe;Swkr>O
z;Z!hBH;`)J&wU%zZXi71GOCDx!V=tf1%j`M3I+-X(qilb2vi{z5s!+t$F4l^Wlh06
z7lil41N41ZkyAuGSXQ39^1v691oJqE?V0E2p7wv(P_LTTu1N5u5y42DK$V(3HW{pk
z{RdOTRc{1Lf8r07fPJ+;XM$E01h><l`XTs2hG0=r_73n%Swk=ptg8=o`|MMa4IqN!
z&n1CY?gInBBym4n42{`=ec!oCg)bHemP8KN=iDOzT<JhC4NQ)^RldKKV`l^r{5BaO
z5X|!DG+PC(zz}>zC!rxkuq!OI2s~=;gxKC}fh;&p_6Gs+!?2=hV4$!CIw;VcM-0%b
z8w&;W3T`9F>nZrsYT!1i{d*wD_^?Z%H83yiHHaz6rjRiH-2{Y>zIYFu=iEmtLTaCZ
zL8@4ophCf}uom4Z9DIc|uyALAJ<xrE{As;3FfdHHQgwK6uyQ+hLE-KHu;N~T5x!PN
zQ`U!WgCcebh}|^&+S71<5Wt&9;5{f@3&PydURdDcXUhMI<u~scc9&>-#t2`L4QyEC
zO8aW3pAvzv;LC{sRZS4qX9F7<%*h@Z@<-rgx8dOnse$2XmH#okDuR-7h>+jS2keRr
zUl9$Aj02p||MQN#)h~Y4`%h70`T}=Fg)epnMjiOqsIYg!yX-Tm)dxXoVTKL%kdRGk
z_^M@K+FI3rEbKNdxP}=bYdHKU7y&e52ethc8!|xGtNkNr$RSoR8caW!zk+?=sV97K
zGO(Vf)&C(H%sIfvzo>vqm4WGDp5b*u$R7)<0=Hja2;`IaC*2Gp>{bOYFe6OS|56yf
zt{7P1&i@M|WPSwm4Zq!C(2EWIV`0_dgq;Q=dH<QPn_g|R0u~}|9l19b12C<3S}%N^
zEU>nETK^|Zm?dv|hd-&B1%5D?VIT1hL!kfmkOyDM3jAR4KsfsUMSs|XLF{MS_5Id@
zl=ZLf`ULO=q`*%wbn*ZE1iO@zLev(74w1V)34E<4@RJDX{-2)Yk1IDJdY%{B*LHm#
z_)16M=jqV<htC7{L*Tkch>(;0uk4BpUx^5eJa*}CkayH2LWHKU;s-^8EdX{~0l}{w
zOZE4K_Pde%zkDHl6(X=k*arIs`Hz}Jhy-(wjoP&>;cE+lIS2R82^;Ws7EM9~$n71C
z01)wPjUR68OETQIkkI_fU>ewvhPYV~(`*OvLFSH2e@O$Y5QK<ID5DIz3kRdzIq<?)
zDgrm6y3yZh1fznVDgJgC3Kfd^<Hm#!#-KFb6X<pY9YlIvyS6|8Ip^~`z2J)%f%S6S
zF9v)mBQO+fk}<##i$I&rNye}BguqbFCi~O|m^gr|3xTOZ>X7hsnR<~ud9MGK3bMk3
zFWdvBN;lmn6}XHK7zrkn5N#X+q|H9KbAuKBy=a2jUXXrq0!2rjK=%b<S0Q63=#Ce-
zyZu^;2dv51-T@HS<pIm$M|{ENHE^)xh}C^49X9gj6-)(bDfp@~V5&zJdzJ;7AqlR=
z3>XR4Qa?E2p)G|-s9#G~fRV;*_KdW%fCU)HPtN#NFQ8GrbrDn}*cGhNuNnElKsOxr
z474*pKOB(6%qj#3W=gQ@CJ^HBgavMNBXrse(9UVfSiK9>bk8(zjvVkUg!umOJI4BZ
zzCScOEm#EDO?QL%H5opvRUm_E!TumX`=DT+19zsO)&aZ1_`p{3YXW^34;8?J<Gj~K
z*_pC;M>>5l9@0>YLq8A<-mKXG#Wca(yn^w5%^MHKD|Y!?Ja86yIJVd<t=9nC`qLMi
z65iOng4rNW2tGYLn9b7lZ`poH77qvbGf@1=`5V7=Nf1Ez4DDdRP`AGZ+>x&x5ub^7
z!mfPqNzcK2J??+Y_j3}rmAe-apOjGIZ~1=BE)M3y_WVbDzq3KV+r5$R0iQbIn)F*l
zNE5^7*ajos^ZHka+ZneJi5UIp=5Gmq&5aEvyzc#v2%(YGzs%G9E+4)Nkx)MI)^7oS
zO&SdbB=z}wz#S>1!3z4NkR?NWV0;_AtKMzggkMOA`0f=DL1fzQ!{_$KAbgHzuugIN
z#rWAt;W9ph6@tyZ-dUymwh1A<06vQ|7){=9p9*co@xbMDMg*7Zow_R=e2!)?9Jc@d
z;SgqQMuaC4d3#qp_~gi7JobRUz=KPbjED;}H4VxIGr!%e9zGz`3OF|X=ljr**&?vn
z|I2w^*nMFWHrV%_qda`RTChIP_RVqOx7lkEDV6y>{g0J`KV=^ivR9?H)5d{GVA}kb
zR`5A%!CFoJ1<9`&Y{6_WA7MO^fk35g_XVF$56m`oZT~85vHf&qzl=gKykhU{9e4-P
UfJruz5Ad%hka^zwI^^5`0C;tDe*gdg


From d269a7e717c343c34a82e0d366ab8547cb1a873e Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Thu, 15 Apr 2021 19:33:15 +0800
Subject: [PATCH 0424/1429] CWE-598 reduction

---
 .../Security/CWE/CWE-598/SensitiveGetQuery.ql      | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql b/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
index c381595af14..f0f2fe905f7 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
@@ -2,6 +2,8 @@
  * @name Sensitive GET Query
  * @description Use of GET request method with sensitive query strings.
  * @kind path-problem
+ * @problem.severity warning
+ * @precision medium
  * @id java/sensitive-query-with-get
  * @tags security
  *       external/cwe-598
@@ -23,6 +25,16 @@ class SensitiveInfoExpr extends Expr {
   }
 }
 
+/** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
+private predicate isGetServletMethod(Method m) {
+  isServletRequestMethod(m) and m.getName() = "doGet"
+}
+
+/** The `doGet` method of `HttpServlet`. */
+class DoGetServletMethod extends Method {
+  DoGetServletMethod() { isGetServletMethod(this) }
+}
+
 /** Holds if `ma` is (perhaps indirectly) called from the `doGet` method of `HttpServlet`. */
 predicate isReachableFromServletDoGet(MethodAccess ma) {
   ma.getEnclosingCallable() instanceof DoGetServletMethod
@@ -64,4 +76,4 @@ from DataFlow::PathNode source, DataFlow::PathNode sink, SensitiveGetQueryConfig
 where c.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
   "$@ uses the GET request method to transmit sensitive information.", source.getNode(),
-  "This request"
+  "This request"
\ No newline at end of file

From 0e183ab4a48acc09add7ef400b535b0159a807cc Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Thu, 15 Apr 2021 19:49:06 +0800
Subject: [PATCH 0425/1429] Finish comment

---
 .../experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll    | 3 ++-
 .../src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index 8c7433fd1b6..1bef46f99d0 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -13,8 +13,9 @@ import semmle.code.java.frameworks.spring.SpringController
 abstract class RequestGetMethod extends Method {
   RequestGetMethod() {
     not exists(MethodAccess ma |
+      // Exclude apparent GET handlers that read a request entity, because this is the principle of JSONP.
       ma.getMethod() instanceof ServletRequestGetBodyMethod and
-      any(this).polyCalls*(ma.getEnclosingCallable())
+      this.polyCalls*(ma.getEnclosingCallable())
     )
   }
 }
diff --git a/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql b/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
index f0f2fe905f7..a9528ee2f9b 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
@@ -76,4 +76,4 @@ from DataFlow::PathNode source, DataFlow::PathNode sink, SensitiveGetQueryConfig
 where c.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
   "$@ uses the GET request method to transmit sensitive information.", source.getNode(),
-  "This request"
\ No newline at end of file
+  "This request"

From 7fbc62358e11ba18c4c5bbbe4f471e665c112125 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 15 Apr 2021 13:57:44 +0200
Subject: [PATCH 0426/1429] C++: Accept test changes after making the
 exprMightOverFlow predicates more sound.

---
 .../CWE-190/semmle/extreme/ArithmeticWithExtremeValues.expected | 1 +
 .../test/query-tests/Security/CWE/CWE-190/semmle/extreme/test.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/ArithmeticWithExtremeValues.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/ArithmeticWithExtremeValues.expected
index cbaf5d63079..77b08e62d83 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/ArithmeticWithExtremeValues.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/ArithmeticWithExtremeValues.expected
@@ -3,4 +3,5 @@
 | test.c:50:3:50:5 | sc3 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:49:9:49:16 | 127 | Extreme value |
 | test.c:59:3:59:5 | sc6 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:58:9:58:16 | 127 | Extreme value |
 | test.c:63:3:63:5 | sc8 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:62:9:62:16 | - ... | Extreme value |
+| test.c:75:3:75:5 | sc1 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:74:9:74:16 | 127 | Extreme value |
 | test.c:124:9:124:9 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:118:17:118:23 | 2147483647 | Extreme value |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/test.c
index 8760641c8e2..ee2e041db3c 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/test.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/test.c
@@ -72,7 +72,7 @@ void test_negatives() {
   signed char sc1, sc2, sc3, sc4, sc5, sc6, sc7, sc8;
 
   sc1 = CHAR_MAX;
-  sc1 += 0; // GOOD
+  sc1 += 0; // GOOD [FALSE POSITIVE]
   sc1 += -1; // GOOD
   sc2 = CHAR_MIN;
   sc2 += -1; // BAD [NOT DETECTED]

From b359205d17c6fa39c3ad36c41df9f69d237cde76 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 15 Apr 2021 13:37:11 +0200
Subject: [PATCH 0427/1429] Python: Add taint tests for .get() in flask

---
 .../frameworks/flask/TestTaint.expected       | 162 +++++++++---------
 .../frameworks/flask/taint_test.py            |   8 +
 2 files changed, 93 insertions(+), 77 deletions(-)

diff --git a/python/ql/test/library-tests/frameworks/flask/TestTaint.expected b/python/ql/test/library-tests/frameworks/flask/TestTaint.expected
index 8c3b4ea57c9..1d514b934e2 100644
--- a/python/ql/test/library-tests/frameworks/flask/TestTaint.expected
+++ b/python/ql/test/library-tests/frameworks/flask/TestTaint.expected
@@ -19,80 +19,88 @@
 | taint_test.py:36 | ok   | test_taint | request.access_route[0] |
 | taint_test.py:39 | ok   | test_taint | request.args |
 | taint_test.py:40 | ok   | test_taint | request.args['key'] |
-| taint_test.py:41 | ok   | test_taint | request.args.getlist(..) |
-| taint_test.py:44 | ok   | test_taint | request.authorization |
-| taint_test.py:45 | ok   | test_taint | request.authorization['username'] |
-| taint_test.py:46 | fail | test_taint | request.authorization.username |
-| taint_test.py:49 | ok   | test_taint | request.cache_control |
-| taint_test.py:51 | fail | test_taint | request.cache_control.max_age |
-| taint_test.py:52 | fail | test_taint | request.cache_control.max_stale |
-| taint_test.py:53 | fail | test_taint | request.cache_control.min_fresh |
-| taint_test.py:55 | ok   | test_taint | request.content_encoding |
-| taint_test.py:57 | ok   | test_taint | request.content_md5 |
-| taint_test.py:59 | ok   | test_taint | request.content_type |
-| taint_test.py:62 | ok   | test_taint | request.cookies |
-| taint_test.py:63 | ok   | test_taint | request.cookies['key'] |
-| taint_test.py:65 | ok   | test_taint | request.data |
-| taint_test.py:68 | ok   | test_taint | request.files |
-| taint_test.py:69 | ok   | test_taint | request.files['key'] |
-| taint_test.py:70 | fail | test_taint | request.files['key'].filename |
-| taint_test.py:71 | fail | test_taint | request.files['key'].stream |
-| taint_test.py:72 | ok   | test_taint | request.files.getlist(..) |
-| taint_test.py:73 | fail | test_taint | request.files.getlist(..)[0].filename |
-| taint_test.py:74 | fail | test_taint | request.files.getlist(..)[0].stream |
-| taint_test.py:77 | ok   | test_taint | request.form |
-| taint_test.py:78 | ok   | test_taint | request.form['key'] |
-| taint_test.py:79 | ok   | test_taint | request.form.getlist(..) |
-| taint_test.py:81 | ok   | test_taint | request.get_data() |
-| taint_test.py:83 | ok   | test_taint | request.get_json() |
-| taint_test.py:84 | ok   | test_taint | request.get_json()['foo'] |
-| taint_test.py:85 | ok   | test_taint | request.get_json()['foo']['bar'] |
-| taint_test.py:89 | ok   | test_taint | request.headers |
-| taint_test.py:90 | ok   | test_taint | request.headers['key'] |
-| taint_test.py:91 | fail | test_taint | request.headers.get_all(..) |
-| taint_test.py:92 | fail | test_taint | request.headers.getlist(..) |
-| taint_test.py:93 | ok   | test_taint | list(..) |
-| taint_test.py:94 | fail | test_taint | request.headers.to_wsgi_list() |
-| taint_test.py:96 | ok   | test_taint | request.json |
-| taint_test.py:97 | ok   | test_taint | request.json['foo'] |
-| taint_test.py:98 | ok   | test_taint | request.json['foo']['bar'] |
-| taint_test.py:100 | ok   | test_taint | request.method |
-| taint_test.py:102 | ok   | test_taint | request.mimetype |
-| taint_test.py:104 | ok   | test_taint | request.mimetype_params |
-| taint_test.py:106 | ok   | test_taint | request.origin |
-| taint_test.py:109 | ok   | test_taint | request.pragma |
-| taint_test.py:111 | ok   | test_taint | request.query_string |
-| taint_test.py:113 | ok   | test_taint | request.referrer |
-| taint_test.py:115 | ok   | test_taint | request.remote_addr |
-| taint_test.py:117 | ok   | test_taint | request.remote_user |
-| taint_test.py:120 | ok   | test_taint | request.stream |
-| taint_test.py:121 | ok   | test_taint | request.input_stream |
-| taint_test.py:123 | ok   | test_taint | request.url |
-| taint_test.py:125 | ok   | test_taint | request.user_agent |
-| taint_test.py:128 | ok   | test_taint | request.values |
-| taint_test.py:129 | ok   | test_taint | request.values['key'] |
-| taint_test.py:130 | ok   | test_taint | request.values.getlist(..) |
-| taint_test.py:133 | ok   | test_taint | request.view_args |
-| taint_test.py:134 | ok   | test_taint | request.view_args['key'] |
-| taint_test.py:138 | ok   | test_taint | request.script_root |
-| taint_test.py:139 | ok   | test_taint | request.url_root |
-| taint_test.py:143 | ok   | test_taint | request.charset |
-| taint_test.py:144 | ok   | test_taint | request.url_charset |
-| taint_test.py:148 | ok   | test_taint | request.date |
-| taint_test.py:151 | ok   | test_taint | request.endpoint |
-| taint_test.py:156 | ok   | test_taint | request.host |
-| taint_test.py:157 | ok   | test_taint | request.host_url |
-| taint_test.py:159 | ok   | test_taint | request.scheme |
-| taint_test.py:161 | ok   | test_taint | request.script_root |
-| taint_test.py:169 | ok   | test_taint | request.args |
-| taint_test.py:170 | ok   | test_taint | a |
-| taint_test.py:171 | ok   | test_taint | b |
-| taint_test.py:173 | ok   | test_taint | request.args['key'] |
-| taint_test.py:174 | ok   | test_taint | a['key'] |
-| taint_test.py:175 | ok   | test_taint | b['key'] |
-| taint_test.py:177 | ok   | test_taint | request.args.getlist(..) |
-| taint_test.py:178 | ok   | test_taint | a.getlist(..) |
-| taint_test.py:179 | ok   | test_taint | b.getlist(..) |
-| taint_test.py:180 | ok   | test_taint | gl(..) |
-| taint_test.py:187 | ok   | test_taint | req.path |
-| taint_test.py:188 | ok   | test_taint | gd() |
+| taint_test.py:41 | ok   | test_taint | request.args.get(..) |
+| taint_test.py:42 | ok   | test_taint | request.args.getlist(..) |
+| taint_test.py:45 | ok   | test_taint | request.authorization |
+| taint_test.py:46 | ok   | test_taint | request.authorization['username'] |
+| taint_test.py:47 | fail | test_taint | request.authorization.username |
+| taint_test.py:50 | ok   | test_taint | request.cache_control |
+| taint_test.py:52 | fail | test_taint | request.cache_control.max_age |
+| taint_test.py:53 | fail | test_taint | request.cache_control.max_stale |
+| taint_test.py:54 | fail | test_taint | request.cache_control.min_fresh |
+| taint_test.py:56 | ok   | test_taint | request.content_encoding |
+| taint_test.py:58 | ok   | test_taint | request.content_md5 |
+| taint_test.py:60 | ok   | test_taint | request.content_type |
+| taint_test.py:63 | ok   | test_taint | request.cookies |
+| taint_test.py:64 | ok   | test_taint | request.cookies['key'] |
+| taint_test.py:66 | ok   | test_taint | request.data |
+| taint_test.py:69 | ok   | test_taint | request.files |
+| taint_test.py:70 | ok   | test_taint | request.files['key'] |
+| taint_test.py:71 | fail | test_taint | request.files['key'].filename |
+| taint_test.py:72 | fail | test_taint | request.files['key'].stream |
+| taint_test.py:73 | ok   | test_taint | request.files.get(..) |
+| taint_test.py:74 | fail | test_taint | request.files.get(..).filename |
+| taint_test.py:75 | fail | test_taint | request.files.get(..).stream |
+| taint_test.py:76 | ok   | test_taint | request.files.getlist(..) |
+| taint_test.py:77 | fail | test_taint | request.files.getlist(..)[0].filename |
+| taint_test.py:78 | fail | test_taint | request.files.getlist(..)[0].stream |
+| taint_test.py:81 | ok   | test_taint | request.form |
+| taint_test.py:82 | ok   | test_taint | request.form['key'] |
+| taint_test.py:83 | ok   | test_taint | request.form.get(..) |
+| taint_test.py:84 | ok   | test_taint | request.form.getlist(..) |
+| taint_test.py:86 | ok   | test_taint | request.get_data() |
+| taint_test.py:88 | ok   | test_taint | request.get_json() |
+| taint_test.py:89 | ok   | test_taint | request.get_json()['foo'] |
+| taint_test.py:90 | ok   | test_taint | request.get_json()['foo']['bar'] |
+| taint_test.py:94 | ok   | test_taint | request.headers |
+| taint_test.py:95 | ok   | test_taint | request.headers['key'] |
+| taint_test.py:96 | ok   | test_taint | request.headers.get(..) |
+| taint_test.py:97 | fail | test_taint | request.headers.get_all(..) |
+| taint_test.py:98 | fail | test_taint | request.headers.getlist(..) |
+| taint_test.py:99 | ok   | test_taint | list(..) |
+| taint_test.py:100 | fail | test_taint | request.headers.to_wsgi_list() |
+| taint_test.py:102 | ok   | test_taint | request.json |
+| taint_test.py:103 | ok   | test_taint | request.json['foo'] |
+| taint_test.py:104 | ok   | test_taint | request.json['foo']['bar'] |
+| taint_test.py:106 | ok   | test_taint | request.method |
+| taint_test.py:108 | ok   | test_taint | request.mimetype |
+| taint_test.py:110 | ok   | test_taint | request.mimetype_params |
+| taint_test.py:112 | ok   | test_taint | request.origin |
+| taint_test.py:115 | ok   | test_taint | request.pragma |
+| taint_test.py:117 | ok   | test_taint | request.query_string |
+| taint_test.py:119 | ok   | test_taint | request.referrer |
+| taint_test.py:121 | ok   | test_taint | request.remote_addr |
+| taint_test.py:123 | ok   | test_taint | request.remote_user |
+| taint_test.py:126 | ok   | test_taint | request.stream |
+| taint_test.py:127 | ok   | test_taint | request.input_stream |
+| taint_test.py:129 | ok   | test_taint | request.url |
+| taint_test.py:131 | ok   | test_taint | request.user_agent |
+| taint_test.py:134 | ok   | test_taint | request.values |
+| taint_test.py:135 | ok   | test_taint | request.values['key'] |
+| taint_test.py:136 | ok   | test_taint | request.values.get(..) |
+| taint_test.py:137 | ok   | test_taint | request.values.getlist(..) |
+| taint_test.py:140 | ok   | test_taint | request.view_args |
+| taint_test.py:141 | ok   | test_taint | request.view_args['key'] |
+| taint_test.py:142 | ok   | test_taint | request.view_args.get(..) |
+| taint_test.py:146 | ok   | test_taint | request.script_root |
+| taint_test.py:147 | ok   | test_taint | request.url_root |
+| taint_test.py:151 | ok   | test_taint | request.charset |
+| taint_test.py:152 | ok   | test_taint | request.url_charset |
+| taint_test.py:156 | ok   | test_taint | request.date |
+| taint_test.py:159 | ok   | test_taint | request.endpoint |
+| taint_test.py:164 | ok   | test_taint | request.host |
+| taint_test.py:165 | ok   | test_taint | request.host_url |
+| taint_test.py:167 | ok   | test_taint | request.scheme |
+| taint_test.py:169 | ok   | test_taint | request.script_root |
+| taint_test.py:177 | ok   | test_taint | request.args |
+| taint_test.py:178 | ok   | test_taint | a |
+| taint_test.py:179 | ok   | test_taint | b |
+| taint_test.py:181 | ok   | test_taint | request.args['key'] |
+| taint_test.py:182 | ok   | test_taint | a['key'] |
+| taint_test.py:183 | ok   | test_taint | b['key'] |
+| taint_test.py:185 | ok   | test_taint | request.args.getlist(..) |
+| taint_test.py:186 | ok   | test_taint | a.getlist(..) |
+| taint_test.py:187 | ok   | test_taint | b.getlist(..) |
+| taint_test.py:188 | ok   | test_taint | gl(..) |
+| taint_test.py:195 | ok   | test_taint | req.path |
+| taint_test.py:196 | ok   | test_taint | gd() |
diff --git a/python/ql/test/library-tests/frameworks/flask/taint_test.py b/python/ql/test/library-tests/frameworks/flask/taint_test.py
index 31c0c7e6121..986bbcfec79 100644
--- a/python/ql/test/library-tests/frameworks/flask/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/flask/taint_test.py
@@ -38,6 +38,7 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
         # By default werkzeug.datastructures.ImmutableMultiDict -- although can be changed :\
         request.args,
         request.args['key'],
+        request.args.get('key'),
         request.args.getlist('key'),
 
         # werkzeug.datastructures.Authorization (a dict, with some properties)
@@ -69,6 +70,9 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
         request.files['key'],
         request.files['key'].filename,
         request.files['key'].stream,
+        request.files.get('key'),
+        request.files.get('key').filename,
+        request.files.get('key').stream,
         request.files.getlist('key'),
         request.files.getlist('key')[0].filename,
         request.files.getlist('key')[0].stream,
@@ -76,6 +80,7 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
         # By default werkzeug.datastructures.ImmutableMultiDict -- although can be changed :\
         request.form,
         request.form['key'],
+        request.form.get('key'),
         request.form.getlist('key'),
 
         request.get_data(),
@@ -88,6 +93,7 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
         # which has same interface as werkzeug.datastructures.Headers
         request.headers,
         request.headers['key'],
+        request.headers.get('key'),
         request.headers.get_all('key'),
         request.headers.getlist('key'),
         list(request.headers), # (k, v) list
@@ -127,11 +133,13 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
         # werkzeug.datastructures.CombinedMultiDict, which is basically just a werkzeug.datastructures.MultiDict
         request.values,
         request.values['key'],
+        request.values.get('key'),
         request.values.getlist('key'),
 
         # dict
         request.view_args,
         request.view_args['key'],
+        request.view_args.get('key'),
     )
 
     ensure_not_tainted(

From 42ae5f4f7d99f1f18e8821a0d4520f969a023943 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Thu, 15 Apr 2021 16:07:35 +0200
Subject: [PATCH 0428/1429] Python: support / from the right Will also support
 both operands being paths

---
 .../src/semmle/python/frameworks/Stdlib.qll   | 31 ++++++++++++-------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index 739872e4483..9fb704e1c02 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -946,7 +946,11 @@ private module Stdlib {
       slash.getOp() instanceof Div and
       right.asCfgNode() = slash.getRight() and
       left.asCfgNode() = slash.getLeft() and
-      left.getALocalSource() = pathlibPath(t2) and
+      (
+        left.getALocalSource() = pathlibPath(t2)
+        or
+        right.getALocalSource() = pathlibPath(t2)
+      ) and
       t2.end()
     |
       t.start() and
@@ -1030,19 +1034,24 @@ private module Stdlib {
       nodeTo.getALocalSource() = pathlibPath() and
       (
         // Special handling of the `/` operator
-        exists(BinaryExprNode slash, DataFlow::Node left |
+        exists(BinaryExprNode slash, DataFlow::Node path_operand, DataFlow::Node data_operand |
           slash.getOp() instanceof Div and
-          left.asCfgNode() = slash.getLeft() and
-          left.getALocalSource() = pathlibPath()
+          (
+            path_operand.asCfgNode() = slash.getLeft() and
+            data_operand.asCfgNode() = slash.getRight()
+            or
+            path_operand.asCfgNode() = slash.getRight() and
+            data_operand.asCfgNode() = slash.getLeft()
+          ) and
+          path_operand.getALocalSource() = pathlibPath()
         |
           nodeTo.asCfgNode() = slash and
-          (
-            // type-preserving call
-            nodeFrom = left
-            or
-            // data injection
-            nodeFrom.asCfgNode() = slash.getRight()
-          )
+          nodeFrom in [
+              // type-preserving call
+              path_operand,
+              // data injection
+              data_operand
+            ]
         )
         or
         // standard case

From dedf7655422036df96a3c1ffdd58e5017189d81f Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Thu, 15 Apr 2021 22:59:22 +0800
Subject: [PATCH 0429/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll  | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
index 1bef46f99d0..6da4f87294a 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -13,7 +13,10 @@ import semmle.code.java.frameworks.spring.SpringController
 abstract class RequestGetMethod extends Method {
   RequestGetMethod() {
     not exists(MethodAccess ma |
-      // Exclude apparent GET handlers that read a request entity, because this is the principle of JSONP.
+      // Exclude apparent GET handlers that read a request entity, because this likely indicates this is not in fact a GET handler.
+      // This is particularly a problem with Spring handlers, which can sometimes neglect to specify a request method.
+      // Even if it is in fact a GET handler, such a request method will be unusable in the context `<script src="...">`,
+      // which is the typical use-case for JSONP but cannot supply a request body.
       ma.getMethod() instanceof ServletRequestGetBodyMethod and
       this.polyCalls*(ma.getEnclosingCallable())
     )

From 254de76078cbc7825565b4e75481b0cf22c1fa8f Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Thu, 15 Apr 2021 16:20:27 +0100
Subject: [PATCH 0430/1429] Remove unnecessary stubs

---
 .../boot/SpringBootConfiguration.java         |  10 -
 .../autoconfigure/SpringBootApplication.java  |  12 --
 .../context/annotation/Bean.java              |  10 -
 .../HttpInvokerServiceExporter.java           |   8 -
 .../RemoteInvocationSerializingExporter.java  |   3 -
 .../org/springframework/util/ObjectUtils.java | 202 ------------------
 .../org/springframework/util/StringUtils.java |  30 ---
 7 files changed, 275 deletions(-)
 delete mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/boot/SpringBootConfiguration.java
 delete mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/boot/autoconfigure/SpringBootApplication.java
 delete mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/context/annotation/Bean.java
 delete mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.java
 delete mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.java
 delete mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/util/ObjectUtils.java
 delete mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/util/StringUtils.java

diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/boot/SpringBootConfiguration.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/boot/SpringBootConfiguration.java
deleted file mode 100644
index 483c5cc5606..00000000000
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/boot/SpringBootConfiguration.java
+++ /dev/null
@@ -1,10 +0,0 @@
-package org.springframework.boot;
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Target;
-
-import org.springframework.context.annotation.Configuration;
-
-@Target(ElementType.TYPE)
-@Configuration
-public @interface SpringBootConfiguration {}
\ No newline at end of file
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/boot/autoconfigure/SpringBootApplication.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/boot/autoconfigure/SpringBootApplication.java
deleted file mode 100644
index 38bbc35733e..00000000000
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/boot/autoconfigure/SpringBootApplication.java
+++ /dev/null
@@ -1,12 +0,0 @@
-package org.springframework.boot.autoconfigure;
-
-import java.lang.annotation.Target;
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Inherited;
-
-import org.springframework.boot.SpringBootConfiguration;
-
-@Target(ElementType.TYPE)
-@Inherited
-@SpringBootConfiguration
-public @interface SpringBootApplication {}
\ No newline at end of file
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/context/annotation/Bean.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/context/annotation/Bean.java
deleted file mode 100644
index 24d7be0f817..00000000000
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/context/annotation/Bean.java
+++ /dev/null
@@ -1,10 +0,0 @@
-package org.springframework.context.annotation;
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Target;
-
-@Target({ElementType.METHOD, ElementType.ANNOTATION_TYPE})
-public @interface Bean {
-
-	String[] name() default {};
-}
\ No newline at end of file
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.java
deleted file mode 100644
index 5eb56c0897b..00000000000
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.java
+++ /dev/null
@@ -1,8 +0,0 @@
-package org.springframework.remoting.httpinvoker;
-
-public class HttpInvokerServiceExporter extends org.springframework.remoting.rmi.RemoteInvocationSerializingExporter {
-
-    public void setService(Object service) {}
-
-    public void setServiceInterface(Class clazz) {}
-}
\ No newline at end of file
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.java
deleted file mode 100644
index 5449b83ba86..00000000000
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.java
+++ /dev/null
@@ -1,3 +0,0 @@
-package org.springframework.remoting.rmi;
-
-public abstract class RemoteInvocationSerializingExporter {}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/ObjectUtils.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/ObjectUtils.java
deleted file mode 100644
index a5a51786d20..00000000000
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/ObjectUtils.java
+++ /dev/null
@@ -1,202 +0,0 @@
-package org.springframework.util;
-
-import java.lang.reflect.Array;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Map;
-import java.util.Optional;
-import java.util.StringJoiner;
-import org.springframework.lang.Nullable;
-
-public abstract class ObjectUtils {
-
-    private static final int INITIAL_HASH = 7;
-    private static final int MULTIPLIER = 31;
-    private static final String EMPTY_STRING = "";
-    private static final String NULL_STRING = "null";
-    private static final String ARRAY_START = "{";
-    private static final String ARRAY_END = "}";
-    private static final String EMPTY_ARRAY = "{}";
-    private static final String ARRAY_ELEMENT_SEPARATOR = ", ";
-    private static final Object[] EMPTY_OBJECT_ARRAY = new Object[0];
-
-    public ObjectUtils() {
-    }
-
-    public static boolean isCheckedException(Throwable ex) {
-        return false;
-    }
-
-    public static boolean isCompatibleWithThrowsClause(Throwable ex, @Nullable Class<?>... declaredExceptions) {
-        return false;
-    }
-
-    public static boolean isArray(@Nullable Object obj) {
-        return false;
-    }
-
-    public static boolean isEmpty(@Nullable Object[] array) {
-        return false;
-    }
-
-    public static boolean isEmpty(@Nullable Object obj) {
-        return false;
-    }
-
-    @Nullable
-    public static Object unwrapOptional(@Nullable Object obj) {
-        return null;
-    }
-
-    public static boolean containsElement(@Nullable Object[] array, Object element) {
-        return true;
-    }
-
-    public static boolean containsConstant(Enum<?>[] enumValues, String constant) {
-        return true;
-    }
-
-    public static boolean containsConstant(Enum<?>[] enumValues, String constant, boolean caseSensitive) {  
-        return true;
-    }
-
-    public static <E extends Enum<?>> E caseInsensitiveValueOf(E[] enumValues, String constant) {
-        return null;
-    }
-
-    public static <A, O extends A> A[] addObjectToArray(@Nullable A[] array, @Nullable O obj) {
-        return null;
-    }
-
-    public static Object[] toObjectArray(@Nullable Object source) {
-        return null;
-    }
-
-    public static boolean nullSafeEquals(@Nullable Object o1, @Nullable Object o2) {
-        return false;
-    }
-
-    private static boolean arrayEquals(Object o1, Object o2) {
-        return false;
-    }
-
-    public static int nullSafeHashCode(@Nullable Object obj) {
-        return 1;
-    }
-
-    public static int nullSafeHashCode(@Nullable Object[] array) {
-        return 1;
-    }
-
-    public static int nullSafeHashCode(@Nullable boolean[] array) {
-        return 1;
-    }
-
-    public static int nullSafeHashCode(@Nullable byte[] array) {
-        return 1;
-    }
-
-    public static int nullSafeHashCode(@Nullable char[] array) {
-        return 1;
-    }
-
-    public static int nullSafeHashCode(@Nullable double[] array) {
-        return 1;
-    }
-
-    public static int nullSafeHashCode(@Nullable float[] array) {
-        return 1;
-    }
-
-    public static int nullSafeHashCode(@Nullable int[] array) {
-        return 1;
-    }
-
-    public static int nullSafeHashCode(@Nullable long[] array) {
-        return 1;
-    }
-
-    public static int nullSafeHashCode(@Nullable short[] array) {
-        return 1;
-    }
-
-    /** @deprecated */
-    @Deprecated
-    public static int hashCode(boolean bool) {
-        return 1;
-    }
-
-    /** @deprecated */
-    @Deprecated
-    public static int hashCode(double dbl) {
-        return 1;
-    }
-
-    /** @deprecated */
-    @Deprecated
-    public static int hashCode(float flt) {
-        return 1;
-    }
-
-    /** @deprecated */
-    @Deprecated
-    public static int hashCode(long lng) {
-        return 1;
-    }
-
-    public static String identityToString(@Nullable Object obj) {
-        return "";
-    }
-
-    public static String getIdentityHexString(Object obj) {
-        return "";
-    }
-
-    public static String getDisplayString(@Nullable Object obj) {
-        return "";
-    }
-
-    public static String nullSafeClassName(@Nullable Object obj) {
-        return "";
-    }
-
-    public static String nullSafeToString(@Nullable Object obj) {
-        return "";
-    }
-
-    public static String nullSafeToString(@Nullable Object[] array) {
-        return "";
-    }
-
-    public static String nullSafeToString(@Nullable boolean[] array) {
-        return "";
-    }
-
-    public static String nullSafeToString(@Nullable byte[] array) {
-        return "";
-    }
-
-    public static String nullSafeToString(@Nullable char[] array) {
-        return "";
-    }
-
-    public static String nullSafeToString(@Nullable double[] array) {
-        return "";
-    }
-
-    public static String nullSafeToString(@Nullable float[] array) {
-        return "";
-    }
-
-    public static String nullSafeToString(@Nullable int[] array) {
-        return "";
-    }
-
-    public static String nullSafeToString(@Nullable long[] array) {
-        return "";
-    }
-
-    public static String nullSafeToString(@Nullable short[] array) {
-        return "";
-    }
-}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/StringUtils.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/StringUtils.java
deleted file mode 100644
index a78d47e44c6..00000000000
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/StringUtils.java
+++ /dev/null
@@ -1,30 +0,0 @@
-package org.springframework.util;
-
-import java.io.ByteArrayOutputStream;
-import java.nio.charset.Charset;
-import java.util.ArrayDeque;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Deque;
-import java.util.Enumeration;
-import java.util.Iterator;
-import java.util.LinkedHashSet;
-import java.util.List;
-import java.util.Locale;
-import java.util.Properties;
-import java.util.Set;
-import java.util.StringJoiner;
-import java.util.StringTokenizer;
-import java.util.TimeZone;
-import org.springframework.lang.Nullable;
-
-public abstract class StringUtils {
-  
-    @Deprecated
-    public static boolean isEmpty(@Nullable Object str) {
-        return true;
-    }
-
-}

From c37994089c24e1b89a6fe7d70df9a9d5c6efdd90 Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Thu, 15 Apr 2021 16:24:29 +0100
Subject: [PATCH 0431/1429] Revert changes to unrelated query

---
 .../src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql  | 2 --
 1 file changed, 2 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql b/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
index a9528ee2f9b..bc9850cfddb 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
@@ -2,8 +2,6 @@
  * @name Sensitive GET Query
  * @description Use of GET request method with sensitive query strings.
  * @kind path-problem
- * @problem.severity warning
- * @precision medium
  * @id java/sensitive-query-with-get
  * @tags security
  *       external/cwe-598

From 3e7dc12246981518b36d2b3ea36340f1dca04d45 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 15 Apr 2021 18:00:33 +0200
Subject: [PATCH 0432/1429] Python: Port taint tests to use inline expectations

The meat of this PR is described in the new python/ql/test/experimental/meta/InlineTaintTest.qll file:

> Defines a InlineExpectationsTest for checking whether any arguments in
> `ensure_tainted` and `ensure_not_tainted` calls are tainted.
>
> Also defines query predicates to ensure that:
> - if any arguments to `ensure_not_tainted` are tainted, their annotation is marked with `SPURIOUS`.
> - if any arguments to `ensure_tainted` are not tainted, their annotation is marked with `MISSING`.
>
> The functionality of this module is tested in `ql/test/experimental/meta/inline-taint-test-demo`.
---
 .../commonSanitizer/InlineTaintTest.expected  |   3 +
 .../{TestTaint.ql => InlineTaintTest.ql}      |   2 +-
 .../commonSanitizer/TestTaint.expected        |  27 ---
 .../test_string_const_compare.py              |  42 ++---
 .../customSanitizer/InlineTaintTest.expected  |  20 ++
 .../{TestTaint.ql => InlineTaintTest.ql}      |   2 +-
 .../customSanitizer/TestTaint.expected        |  61 ------
 .../tainttracking/customSanitizer/test.py     |   4 +-
 .../customSanitizer/test_logical.py           |  62 +++---
 .../customSanitizer/test_reference.py         |  12 +-
 .../InlineTaintTest.expected                  |   3 +
 .../InlineTaintTest.ql                        |   1 +
 .../TestTaint.expected                        |  34 ----
 .../TestTaint.ql                              |   1 -
 .../test_collections.py                       |   6 +-
 .../test_pathlib.py                           |  24 +--
 .../test_string.py                            |  20 +-
 .../test_unpacking.py                         |   8 +-
 .../InlineTaintTest.expected                  |   3 +
 .../InlineTaintTest.ql                        |   1 +
 .../TestTaint.expected                        | 176 ------------------
 .../defaultAdditionalTaintStep/TestTaint.ql   |   1 -
 .../test_collections.py                       | 104 +++++------
 .../defaultAdditionalTaintStep/test_json.py   |  18 +-
 .../defaultAdditionalTaintStep/test_string.py | 134 ++++++-------
 .../test_unpacking.py                         |  18 +-
 .../InlineTaintTest.expected                  |   3 +
 .../unwanted-global-flow/InlineTaintTest.ql   |   1 +
 .../unwanted-global-flow/test.py              |   8 +-
 .../unwanted-global-flow/testTaint.expected   |   6 -
 .../unwanted-global-flow/testTaint.ql         |   1 -
 .../experimental/meta/InlineTaintTest.qll     |  91 +++++++++
 .../InlineTaintTest.expected                  |   5 +
 .../inline-taint-test-demo/InlineTaintTest.ql |   1 +
 .../meta/inline-taint-test-demo/taint_test.py |  37 ++++
 .../django-v2-v3/InlineTaintTest.expected     |   3 +
 .../django-v2-v3/InlineTaintTest.ql           |   1 +
 .../django-v2-v3/TestTaint.expected           | 100 ----------
 .../frameworks/django-v2-v3/TestTaint.ql      |   6 -
 .../frameworks/django-v2-v3/response_test.py  |   2 +-
 .../frameworks/django-v2-v3/taint_forms.py    |  22 +--
 .../frameworks/django-v2-v3/taint_test.py     | 159 ++++++++--------
 .../fabric/InlineTaintTest.expected           |   3 +
 .../frameworks/fabric/InlineTaintTest.ql      |   1 +
 .../frameworks/fabric/TestTaint.expected      |  10 -
 .../frameworks/fabric/TestTaint.ql            |   1 -
 .../frameworks/fabric/fabric_v1_execute.py    |   6 +-
 .../frameworks/flask/InlineTaintTest.expected |   3 +
 .../frameworks/flask/InlineTaintTest.ql       |   1 +
 .../frameworks/flask/TestTaint.expected       |  98 ----------
 .../frameworks/flask/TestTaint.ql             |   6 -
 .../frameworks/flask/taint_test.py            | 173 ++++++++---------
 .../frameworks/stdlib/CodeExecution.py        |   8 +-
 .../stdlib/InlineTaintTest.expected           |   3 +
 .../frameworks/stdlib/InlineTaintTest.ql      |   1 +
 .../frameworks/stdlib/TestTaint.expected      |  37 ----
 .../frameworks/stdlib/TestTaint.ql            |   9 -
 .../frameworks/stdlib/http_server.py          |  68 +++----
 .../tornado/InlineTaintTest.expected          |   3 +
 .../frameworks/tornado/InlineTaintTest.ql     |   1 +
 .../frameworks/tornado/TestTaint.expected     |  41 ----
 .../frameworks/tornado/TestTaint.ql           |   6 -
 .../frameworks/tornado/taint_test.py          |  78 ++++----
 63 files changed, 689 insertions(+), 1101 deletions(-)
 create mode 100644 python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/InlineTaintTest.expected
 rename python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/{TestTaint.ql => InlineTaintTest.ql} (80%)
 delete mode 100644 python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/TestTaint.expected
 create mode 100644 python/ql/test/experimental/dataflow/tainttracking/customSanitizer/InlineTaintTest.expected
 rename python/ql/test/experimental/dataflow/tainttracking/customSanitizer/{TestTaint.ql => InlineTaintTest.ql} (95%)
 delete mode 100644 python/ql/test/experimental/dataflow/tainttracking/customSanitizer/TestTaint.expected
 create mode 100644 python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/InlineTaintTest.expected
 create mode 100644 python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/InlineTaintTest.ql
 delete mode 100644 python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.expected
 delete mode 100644 python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.ql
 create mode 100644 python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/InlineTaintTest.expected
 create mode 100644 python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/InlineTaintTest.ql
 delete mode 100644 python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/TestTaint.expected
 delete mode 100644 python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/TestTaint.ql
 create mode 100644 python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/InlineTaintTest.expected
 create mode 100644 python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/InlineTaintTest.ql
 delete mode 100644 python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/testTaint.expected
 delete mode 100644 python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/testTaint.ql
 create mode 100644 python/ql/test/experimental/meta/InlineTaintTest.qll
 create mode 100644 python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.expected
 create mode 100644 python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.ql
 create mode 100644 python/ql/test/experimental/meta/inline-taint-test-demo/taint_test.py
 create mode 100644 python/ql/test/library-tests/frameworks/django-v2-v3/InlineTaintTest.expected
 create mode 100644 python/ql/test/library-tests/frameworks/django-v2-v3/InlineTaintTest.ql
 delete mode 100644 python/ql/test/library-tests/frameworks/django-v2-v3/TestTaint.expected
 delete mode 100644 python/ql/test/library-tests/frameworks/django-v2-v3/TestTaint.ql
 create mode 100644 python/ql/test/library-tests/frameworks/fabric/InlineTaintTest.expected
 create mode 100644 python/ql/test/library-tests/frameworks/fabric/InlineTaintTest.ql
 delete mode 100644 python/ql/test/library-tests/frameworks/fabric/TestTaint.expected
 delete mode 100644 python/ql/test/library-tests/frameworks/fabric/TestTaint.ql
 create mode 100644 python/ql/test/library-tests/frameworks/flask/InlineTaintTest.expected
 create mode 100644 python/ql/test/library-tests/frameworks/flask/InlineTaintTest.ql
 delete mode 100644 python/ql/test/library-tests/frameworks/flask/TestTaint.expected
 delete mode 100644 python/ql/test/library-tests/frameworks/flask/TestTaint.ql
 create mode 100644 python/ql/test/library-tests/frameworks/stdlib/InlineTaintTest.expected
 create mode 100644 python/ql/test/library-tests/frameworks/stdlib/InlineTaintTest.ql
 delete mode 100644 python/ql/test/library-tests/frameworks/stdlib/TestTaint.expected
 delete mode 100644 python/ql/test/library-tests/frameworks/stdlib/TestTaint.ql
 create mode 100644 python/ql/test/library-tests/frameworks/tornado/InlineTaintTest.expected
 create mode 100644 python/ql/test/library-tests/frameworks/tornado/InlineTaintTest.ql
 delete mode 100644 python/ql/test/library-tests/frameworks/tornado/TestTaint.expected
 delete mode 100644 python/ql/test/library-tests/frameworks/tornado/TestTaint.ql

diff --git a/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/InlineTaintTest.expected b/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/InlineTaintTest.expected
new file mode 100644
index 00000000000..79d760d87f4
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
diff --git a/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/TestTaint.ql b/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/InlineTaintTest.ql
similarity index 80%
rename from python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/TestTaint.ql
rename to python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/InlineTaintTest.ql
index 9aec6dc21d8..8e122f44fb6 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/TestTaint.ql
+++ b/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/InlineTaintTest.ql
@@ -1,4 +1,4 @@
-import experimental.dataflow.tainttracking.TestTaintLib
+import experimental.meta.InlineTaintTest
 import semmle.python.dataflow.new.BarrierGuards
 
 class CustomSanitizerOverrides extends TestTaintTrackingConfiguration {
diff --git a/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/TestTaint.expected b/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/TestTaint.expected
deleted file mode 100644
index cf4e56bee5d..00000000000
--- a/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/TestTaint.expected
+++ /dev/null
@@ -1,27 +0,0 @@
-| test_string_const_compare.py:16 | ok   | test_eq | ts |
-| test_string_const_compare.py:18 | ok   | test_eq | ts |
-| test_string_const_compare.py:20 | ok   | test_eq | ts |
-| test_string_const_compare.py:27 | ok   | test_eq_unsafe | ts |
-| test_string_const_compare.py:29 | ok   | test_eq_unsafe | ts |
-| test_string_const_compare.py:35 | fail | test_eq_with_or | ts |
-| test_string_const_compare.py:37 | ok   | test_eq_with_or | ts |
-| test_string_const_compare.py:43 | ok   | test_non_eq1 | ts |
-| test_string_const_compare.py:45 | ok   | test_non_eq1 | ts |
-| test_string_const_compare.py:51 | ok   | test_non_eq2 | ts |
-| test_string_const_compare.py:53 | fail | test_non_eq2 | ts |
-| test_string_const_compare.py:59 | ok   | test_in_list | ts |
-| test_string_const_compare.py:61 | ok   | test_in_list | ts |
-| test_string_const_compare.py:67 | ok   | test_in_tuple | ts |
-| test_string_const_compare.py:69 | ok   | test_in_tuple | ts |
-| test_string_const_compare.py:75 | ok   | test_in_set | ts |
-| test_string_const_compare.py:77 | ok   | test_in_set | ts |
-| test_string_const_compare.py:83 | ok   | test_in_unsafe1 | ts |
-| test_string_const_compare.py:85 | ok   | test_in_unsafe1 | ts |
-| test_string_const_compare.py:91 | ok   | test_in_unsafe2 | ts |
-| test_string_const_compare.py:93 | ok   | test_in_unsafe2 | ts |
-| test_string_const_compare.py:99 | ok   | test_not_in1 | ts |
-| test_string_const_compare.py:101 | ok   | test_not_in1 | ts |
-| test_string_const_compare.py:107 | ok   | test_not_in2 | ts |
-| test_string_const_compare.py:109 | fail | test_not_in2 | ts |
-| test_string_const_compare.py:119 | fail | test_eq_thorugh_func | ts |
-| test_string_const_compare.py:121 | ok   | test_eq_thorugh_func | ts |
diff --git a/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/test_string_const_compare.py b/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/test_string_const_compare.py
index fe5d53563fd..17860c519a8 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/test_string_const_compare.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/test_string_const_compare.py
@@ -15,32 +15,32 @@ def test_eq():
     if ts == "safe":
         ensure_not_tainted(ts)
     else:
-        ensure_tainted(ts)
+        ensure_tainted(ts) # $ tainted
     # ts should still be tainted after exiting the if block
-    ensure_tainted(ts)
+    ensure_tainted(ts) # $ tainted
 
 
 def test_eq_unsafe(x="foo"):
     """This test-case might seem strange, but it was a FP in our old points-to based analysis."""
     ts = TAINTED_STRING
     if ts == ts:
-        ensure_tainted(ts)
+        ensure_tainted(ts) # $ tainted
     if ts == x:
-        ensure_tainted(ts)
+        ensure_tainted(ts) # $ tainted
 
 
 def test_eq_with_or():
     ts = TAINTED_STRING
     if ts == "safe" or ts == "also_safe":
-        ensure_not_tainted(ts)
+        ensure_not_tainted(ts) # $ SPURIOUS: tainted
     else:
-        ensure_tainted(ts)
+        ensure_tainted(ts) # $ tainted
 
 
 def test_non_eq1():
     ts = TAINTED_STRING
     if ts != "safe":
-        ensure_tainted(ts)
+        ensure_tainted(ts) # $ tainted
     else:
         ensure_not_tainted(ts)
 
@@ -48,9 +48,9 @@ def test_non_eq1():
 def test_non_eq2():
     ts = TAINTED_STRING
     if not ts == "safe":
-        ensure_tainted(ts)
+        ensure_tainted(ts) # $ tainted
     else:
-        ensure_not_tainted(ts)
+        ensure_not_tainted(ts) # $ SPURIOUS: tainted
 
 
 def test_in_list():
@@ -58,7 +58,7 @@ def test_in_list():
     if ts in ["safe", "also_safe"]:
         ensure_not_tainted(ts)
     else:
-        ensure_tainted(ts)
+        ensure_tainted(ts) # $ tainted
 
 
 def test_in_tuple():
@@ -66,7 +66,7 @@ def test_in_tuple():
     if ts in ("safe", "also_safe"):
         ensure_not_tainted(ts)
     else:
-        ensure_tainted(ts)
+        ensure_tainted(ts) # $ tainted
 
 
 def test_in_set():
@@ -74,29 +74,29 @@ def test_in_set():
     if ts in {"safe", "also_safe"}:
         ensure_not_tainted(ts)
     else:
-        ensure_tainted(ts)
+        ensure_tainted(ts) # $ tainted
 
 
 def test_in_unsafe1(xs):
     ts = TAINTED_STRING
     if ts in xs:
-        ensure_tainted(ts)
+        ensure_tainted(ts) # $ tainted
     else:
-        ensure_tainted(ts)
+        ensure_tainted(ts) # $ tainted
 
 
 def test_in_unsafe2(x):
     ts = TAINTED_STRING
     if ts in ["safe", x]:
-        ensure_tainted(ts)
+        ensure_tainted(ts) # $ tainted
     else:
-        ensure_tainted(ts)
+        ensure_tainted(ts) # $ tainted
 
 
 def test_not_in1():
     ts = TAINTED_STRING
     if ts not in ["safe", "also_safe"]:
-        ensure_tainted(ts)
+        ensure_tainted(ts) # $ tainted
     else:
         ensure_not_tainted(ts)
 
@@ -104,9 +104,9 @@ def test_not_in1():
 def test_not_in2():
     ts = TAINTED_STRING
     if not ts in ["safe", "also_safe"]:
-        ensure_tainted(ts)
+        ensure_tainted(ts) # $ tainted
     else:
-        ensure_not_tainted(ts)
+        ensure_not_tainted(ts) # $ SPURIOUS: tainted
 
 
 def is_safe(x):
@@ -116,9 +116,9 @@ def is_safe(x):
 def test_eq_thorugh_func():
     ts = TAINTED_STRING
     if is_safe(ts):
-        ensure_not_tainted(ts)
+        ensure_not_tainted(ts) # $ SPURIOUS: tainted
     else:
-        ensure_tainted(ts)
+        ensure_tainted(ts) # $ tainted
 
 
 # Make tests runable
diff --git a/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/InlineTaintTest.expected b/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/InlineTaintTest.expected
new file mode 100644
index 00000000000..6c58f210429
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/InlineTaintTest.expected
@@ -0,0 +1,20 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
+isSanitizer
+| TestTaintTrackingConfiguration | test.py:21:39:21:39 | ControlFlowNode for s |
+| TestTaintTrackingConfiguration | test.py:50:10:50:29 | ControlFlowNode for emulated_escaping() |
+isSanitizerGuard
+| TestTaintTrackingConfiguration | test.py:35:8:35:26 | ControlFlowNode for emulated_is_safe() |
+| TestTaintTrackingConfiguration | test_logical.py:29:8:29:17 | ControlFlowNode for is_safe() |
+| TestTaintTrackingConfiguration | test_logical.py:44:8:44:17 | ControlFlowNode for is_safe() |
+| TestTaintTrackingConfiguration | test_logical.py:52:12:52:21 | ControlFlowNode for is_safe() |
+| TestTaintTrackingConfiguration | test_logical.py:72:8:72:17 | ControlFlowNode for is_safe() |
+| TestTaintTrackingConfiguration | test_logical.py:80:12:80:21 | ControlFlowNode for is_safe() |
+| TestTaintTrackingConfiguration | test_logical.py:104:8:104:17 | ControlFlowNode for is_safe() |
+| TestTaintTrackingConfiguration | test_logical.py:127:12:127:21 | ControlFlowNode for is_safe() |
+| TestTaintTrackingConfiguration | test_logical.py:132:16:132:25 | ControlFlowNode for is_safe() |
+| TestTaintTrackingConfiguration | test_logical.py:137:20:137:29 | ControlFlowNode for is_safe() |
+| TestTaintTrackingConfiguration | test_reference.py:30:8:30:17 | ControlFlowNode for is_safe() |
+| TestTaintTrackingConfiguration | test_reference.py:40:8:40:25 | ControlFlowNode for is_safe() |
+| TestTaintTrackingConfiguration | test_reference.py:55:8:55:21 | ControlFlowNode for is_safe() |
diff --git a/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/TestTaint.ql b/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/InlineTaintTest.ql
similarity index 95%
rename from python/ql/test/experimental/dataflow/tainttracking/customSanitizer/TestTaint.ql
rename to python/ql/test/experimental/dataflow/tainttracking/customSanitizer/InlineTaintTest.ql
index 7f3582727a0..8d3299dccbc 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/TestTaint.ql
+++ b/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/InlineTaintTest.ql
@@ -1,4 +1,4 @@
-import experimental.dataflow.tainttracking.TestTaintLib
+import experimental.meta.InlineTaintTest
 
 class IsSafeCheck extends DataFlow::BarrierGuard {
   IsSafeCheck() {
diff --git a/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/TestTaint.expected b/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/TestTaint.expected
deleted file mode 100644
index 648ccf975b1..00000000000
--- a/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/TestTaint.expected
+++ /dev/null
@@ -1,61 +0,0 @@
-test_taint
-| test.py:22 | ok   | test_custom_sanitizer | s |
-| test.py:36 | ok   | test_custom_sanitizer_guard | s |
-| test.py:38 | ok   | test_custom_sanitizer_guard | s |
-| test.py:40 | ok   | test_custom_sanitizer_guard | s |
-| test.py:51 | ok   | test_escape | s2 |
-| test_logical.py:30 | ok   | test_basic | s |
-| test_logical.py:32 | ok   | test_basic | s |
-| test_logical.py:35 | ok   | test_basic | s |
-| test_logical.py:37 | fail | test_basic | s |
-| test_logical.py:45 | ok   | test_or | s |
-| test_logical.py:47 | ok   | test_or | s |
-| test_logical.py:51 | ok   | test_or | s |
-| test_logical.py:53 | ok   | test_or | s |
-| test_logical.py:57 | ok   | test_or | s |
-| test_logical.py:59 | ok   | test_or | s |
-| test_logical.py:67 | ok   | test_and | s |
-| test_logical.py:69 | ok   | test_and | s |
-| test_logical.py:73 | ok   | test_and | s |
-| test_logical.py:75 | ok   | test_and | s |
-| test_logical.py:79 | ok   | test_and | s |
-| test_logical.py:81 | fail | test_and | s |
-| test_logical.py:89 | fail | test_tricky | s |
-| test_logical.py:93 | fail | test_tricky | s_ |
-| test_logical.py:100 | fail | test_nesting_not | s |
-| test_logical.py:102 | ok   | test_nesting_not | s |
-| test_logical.py:105 | ok   | test_nesting_not | s |
-| test_logical.py:107 | fail | test_nesting_not | s |
-| test_logical.py:116 | ok   | test_nesting_not_with_and_true | s |
-| test_logical.py:118 | ok   | test_nesting_not_with_and_true | s |
-| test_logical.py:121 | ok   | test_nesting_not_with_and_true | s |
-| test_logical.py:123 | ok   | test_nesting_not_with_and_true | s |
-| test_logical.py:126 | ok   | test_nesting_not_with_and_true | s |
-| test_logical.py:128 | ok   | test_nesting_not_with_and_true | s |
-| test_logical.py:137 | fail | test_with_return | s |
-| test_logical.py:146 | fail | test_with_exception | s |
-| test_reference.py:31 | fail | test_basic | s2 |
-| test_reference.py:31 | ok   | test_basic | s |
-| test_reference.py:33 | ok   | test_basic | s |
-| test_reference.py:33 | ok   | test_basic | s2 |
-| test_reference.py:41 | fail | test_identical_call | s.strip() |
-| test_reference.py:43 | ok   | test_identical_call | s.strip() |
-| test_reference.py:56 | fail | test_class_attribute_access | c.foo |
-| test_reference.py:58 | ok   | test_class_attribute_access | c.foo |
-isSanitizer
-| TestTaintTrackingConfiguration | test.py:21:39:21:39 | ControlFlowNode for s |
-| TestTaintTrackingConfiguration | test.py:50:10:50:29 | ControlFlowNode for emulated_escaping() |
-isSanitizerGuard
-| TestTaintTrackingConfiguration | test.py:35:8:35:26 | ControlFlowNode for emulated_is_safe() |
-| TestTaintTrackingConfiguration | test_logical.py:29:8:29:17 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_logical.py:44:8:44:17 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_logical.py:50:12:50:21 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_logical.py:66:8:66:17 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_logical.py:72:12:72:21 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_logical.py:92:8:92:17 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_logical.py:115:12:115:21 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_logical.py:120:16:120:25 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_logical.py:125:20:125:29 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_reference.py:30:8:30:17 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_reference.py:40:8:40:25 | ControlFlowNode for is_safe() |
-| TestTaintTrackingConfiguration | test_reference.py:55:8:55:21 | ControlFlowNode for is_safe() |
diff --git a/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/test.py b/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/test.py
index fcc32fc9b0f..91c39cb7313 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/test.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/test.py
@@ -35,9 +35,9 @@ def test_custom_sanitizer_guard():
     if emulated_is_safe(s):
         ensure_not_tainted(s)
         s = TAINTED_STRING
-        ensure_tainted(s)
+        ensure_tainted(s) # $ tainted
     else:
-        ensure_tainted(s)
+        ensure_tainted(s) # $ tainted
 
 
 def emulated_escaping(arg):
diff --git a/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/test_logical.py b/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/test_logical.py
index 0b06aa3fef2..df7b1c547e3 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/test_logical.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/test_logical.py
@@ -29,12 +29,12 @@ def test_basic():
     if is_safe(s):
         ensure_not_tainted(s)
     else:
-        ensure_tainted(s)
+        ensure_tainted(s) # $ tainted
 
     if not is_safe(s):
-        ensure_tainted(s)
+        ensure_tainted(s) # $ tainted
     else:
-        ensure_not_tainted(s)
+        ensure_not_tainted(s) # $ SPURIOUS: tainted
 
 
 def test_or():
@@ -42,21 +42,27 @@ def test_or():
 
     # x or y
     if is_safe(s) or random_choice():
-        ensure_tainted(s) # might be tainted
+        # might be tainted
+        ensure_tainted(s) # $ tainted
     else:
-        ensure_tainted(s) # must be tainted
+        # must be tainted
+        ensure_tainted(s) # $ tainted
 
     # not (x or y)
     if not(is_safe(s) or random_choice()):
-        ensure_tainted(s) # must be tainted
+        # must be tainted
+        ensure_tainted(s) # $ tainted
     else:
-        ensure_tainted(s) # might be tainted
+        # might be tainted
+        ensure_tainted(s) # $ tainted
 
     # not (x or y) == not x and not y   [de Morgan's laws]
     if not is_safe(s) and not random_choice():
-        ensure_tainted(s) # must be tainted
+        # must be tainted
+        ensure_tainted(s) # $ tainted
     else:
-        ensure_tainted(s) # might be tainted
+        # might be tainted
+        ensure_tainted(s) # $ tainted
 
 
 def test_and():
@@ -64,21 +70,27 @@ def test_and():
 
     # x and y
     if is_safe(s) and random_choice():
-        ensure_not_tainted(s) # must not be tainted
+        # cannot be tainted
+        ensure_not_tainted(s)
     else:
-        ensure_tainted(s) # might be tainted
+        # might be tainted
+        ensure_tainted(s) # $ tainted
 
     # not (x and y)
     if not(is_safe(s) and random_choice()):
-        ensure_tainted(s) # might be tainted
+        # might be tainted
+        ensure_tainted(s) # $ tainted
     else:
+        # cannot be tainted
         ensure_not_tainted(s)
 
     # not (x and y) == not x or not y   [de Morgan's laws]
     if not is_safe(s) or not random_choice():
-        ensure_tainted(s) # might be tainted
+        # might be tainted
+        ensure_tainted(s) # $ tainted
     else:
-        ensure_not_tainted(s)
+        # cannot be tainted
+        ensure_not_tainted(s) # $ SPURIOUS: tainted
 
 
 def test_tricky():
@@ -86,25 +98,25 @@ def test_tricky():
 
     x = is_safe(s)
     if x:
-        ensure_not_tainted(s) # FP
+        ensure_not_tainted(s) # $ SPURIOUS: tainted
 
     s_ = s
     if is_safe(s):
-        ensure_not_tainted(s_) # FP
+        ensure_not_tainted(s_) # $ SPURIOUS: tainted
 
 
 def test_nesting_not():
     s = TAINTED_STRING
 
     if not(not(is_safe(s))):
-        ensure_not_tainted(s)
+        ensure_not_tainted(s) # $ SPURIOUS: tainted
     else:
-        ensure_tainted(s)
+        ensure_tainted(s) # $ tainted
 
     if not(not(not(is_safe(s)))):
-        ensure_tainted(s)
+        ensure_tainted(s) # $ tainted
     else:
-        ensure_not_tainted(s)
+        ensure_not_tainted(s) # $ SPURIOUS: tainted
 
 
 # Adding `and True` makes the sanitizer trigger when it would otherwise not. See output in
@@ -113,17 +125,17 @@ def test_nesting_not_with_and_true():
     s = TAINTED_STRING
 
     if not(is_safe(s) and True):
-        ensure_tainted(s)
+        ensure_tainted(s) # $ tainted
     else:
         ensure_not_tainted(s)
 
     if not(not(is_safe(s) and True)):
         ensure_not_tainted(s)
     else:
-        ensure_tainted(s)
+        ensure_tainted(s) # $ tainted
 
     if not(not(not(is_safe(s) and True))):
-        ensure_tainted(s)
+        ensure_tainted(s) # $ tainted
     else:
         ensure_not_tainted(s)
 
@@ -134,7 +146,7 @@ def test_with_return():
     if not is_safe(s):
         return
 
-    ensure_not_tainted(s)
+    ensure_not_tainted(s) # $ SPURIOUS: tainted
 
 
 def test_with_exception():
@@ -143,7 +155,7 @@ def test_with_exception():
     if not is_safe(s):
         raise Exception("unsafe")
 
-    ensure_not_tainted(s)
+    ensure_not_tainted(s) # $ SPURIOUS: tainted
 
 # Make tests runable
 
diff --git a/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/test_reference.py b/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/test_reference.py
index 641f1171797..83f8565286b 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/test_reference.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/test_reference.py
@@ -28,9 +28,9 @@ def test_basic():
     s2 = s
 
     if is_safe(s):
-        ensure_not_tainted(s, s2)
+        ensure_not_tainted(s, s2) # $ SPURIOUS: tainted
     else:
-        ensure_tainted(s, s2)
+        ensure_tainted(s, s2) # $ tainted
 
 
 def test_identical_call():
@@ -38,9 +38,9 @@ def test_identical_call():
     s = TAINTED_STRING
 
     if is_safe(s.strip()):
-        ensure_not_tainted(s.strip())
+        ensure_not_tainted(s.strip()) # $ SPURIOUS: tainted
     else:
-        ensure_tainted(s.strip())
+        ensure_tainted(s.strip()) # $ tainted
 
 
 class C(object):
@@ -53,9 +53,9 @@ def test_class_attribute_access():
     c = C(s)
 
     if is_safe(c.foo):
-        ensure_not_tainted(c.foo)
+        ensure_not_tainted(c.foo) # $ SPURIOUS: tainted
     else:
-        ensure_tainted(c.foo)
+        ensure_tainted(c.foo) # $ tainted
 
 
 # Make tests runable
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/InlineTaintTest.expected b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/InlineTaintTest.expected
new file mode 100644
index 00000000000..79d760d87f4
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/InlineTaintTest.ql b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/InlineTaintTest.ql
new file mode 100644
index 00000000000..027ad8667be
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.expected b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.expected
deleted file mode 100644
index 2a48c5b5604..00000000000
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.expected
+++ /dev/null
@@ -1,34 +0,0 @@
-| test_collections.py:16 | ok   | test_access | tainted_list.copy() |
-| test_collections.py:24 | ok   | list_clear | tainted_list |
-| test_collections.py:27 | fail | list_clear | tainted_list |
-| test_pathlib.py:26 | fail | test_basic | tainted_path |
-| test_pathlib.py:28 | fail | test_basic | tainted_pure_path |
-| test_pathlib.py:29 | fail | test_basic | tainted_pure_posix_path |
-| test_pathlib.py:30 | fail | test_basic | tainted_pure_windows_path |
-| test_pathlib.py:32 | fail | test_basic | BinaryExpr |
-| test_pathlib.py:33 | fail | test_basic | BinaryExpr |
-| test_pathlib.py:35 | fail | test_basic | tainted_path.joinpath(..) |
-| test_pathlib.py:36 | fail | test_basic | pathlib.Path(..).joinpath(..) |
-| test_pathlib.py:37 | fail | test_basic | pathlib.Path(..).joinpath(..) |
-| test_pathlib.py:39 | fail | test_basic | str(..) |
-| test_pathlib.py:49 | fail | test_basic | tainted_posix_path |
-| test_pathlib.py:55 | fail | test_basic | tainted_windows_path |
-| test_string.py:17 | ok   | str_methods | ts.casefold() |
-| test_string.py:19 | ok   | str_methods | ts.format_map(..) |
-| test_string.py:20 | ok   | str_methods | "{unsafe}".format_map(..) |
-| test_string.py:31 | ok   | binary_decode_encode | base64.a85encode(..) |
-| test_string.py:32 | ok   | binary_decode_encode | base64.a85decode(..) |
-| test_string.py:35 | ok   | binary_decode_encode | base64.b85encode(..) |
-| test_string.py:36 | ok   | binary_decode_encode | base64.b85decode(..) |
-| test_string.py:39 | ok   | binary_decode_encode | base64.encodebytes(..) |
-| test_string.py:40 | ok   | binary_decode_encode | base64.decodebytes(..) |
-| test_string.py:48 | ok   | f_strings | Fstring |
-| test_unpacking.py:18 | ok   | extended_unpacking | first |
-| test_unpacking.py:18 | ok   | extended_unpacking | last |
-| test_unpacking.py:18 | ok   | extended_unpacking | rest |
-| test_unpacking.py:23 | ok   | also_allowed | a |
-| test_unpacking.py:31 | ok   | also_allowed | b |
-| test_unpacking.py:31 | ok   | also_allowed | c |
-| test_unpacking.py:39 | ok   | nested | x |
-| test_unpacking.py:39 | ok   | nested | xs |
-| test_unpacking.py:39 | ok   | nested | ys |
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.ql b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.ql
deleted file mode 100644
index 80625505fa2..00000000000
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.ql
+++ /dev/null
@@ -1 +0,0 @@
-import experimental.dataflow.tainttracking.TestTaintLib
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_collections.py b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_collections.py
index c2391f419d6..9398ce1638f 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_collections.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_collections.py
@@ -13,7 +13,7 @@ def test_access():
     tainted_list = TAINTED_LIST
 
     ensure_tainted(
-        tainted_list.copy(),
+        tainted_list.copy(), # $ tainted
     )
 
 
@@ -21,10 +21,10 @@ def list_clear():
     tainted_string = TAINTED_STRING
     tainted_list = [tainted_string]
 
-    ensure_tainted(tainted_list)
+    ensure_tainted(tainted_list) # $ tainted
 
     tainted_list.clear()
-    ensure_not_tainted(tainted_list)
+    ensure_not_tainted(tainted_list) # $ SPURIOUS: tainted
 
 # Make tests runable
 
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_pathlib.py b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_pathlib.py
index 802bfd98b12..2d4133436e4 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_pathlib.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_pathlib.py
@@ -23,20 +23,20 @@ def test_basic():
     tainted_pure_windows_path = pathlib.PureWindowsPath(ts)
 
     ensure_tainted(
-        tainted_path,
+        tainted_path, # $ MISSING: tainted
 
-        tainted_pure_path,
-        tainted_pure_posix_path,
-        tainted_pure_windows_path,
+        tainted_pure_path, # $ MISSING: tainted
+        tainted_pure_posix_path, # $ MISSING: tainted
+        tainted_pure_windows_path, # $ MISSING: tainted
 
-        pathlib.Path("foo") / ts,
-        ts / pathlib.Path("foo"),
+        pathlib.Path("foo") / ts, # $ MISSING: tainted
+        ts / pathlib.Path("foo"), # $ MISSING: tainted
 
-        tainted_path.joinpath("foo", "bar"),
-        pathlib.Path("foo").joinpath(tainted_path, "bar"),
-        pathlib.Path("foo").joinpath("bar", tainted_path),
+        tainted_path.joinpath("foo", "bar"), # $ MISSING: tainted
+        pathlib.Path("foo").joinpath(tainted_path, "bar"), # $ MISSING: tainted
+        pathlib.Path("foo").joinpath("bar", tainted_path), # $ MISSING: tainted
 
-        str(tainted_path),
+        str(tainted_path), # $ MISSING: tainted
 
         # TODO: Tainted methods and attributes
         # https://docs.python.org/3.8/library/pathlib.html#methods-and-properties
@@ -46,13 +46,13 @@ def test_basic():
         tainted_posix_path = pathlib.PosixPath(ts)
 
         ensure_tainted(
-            tainted_posix_path,
+            tainted_posix_path, # $ MISSING: tainted
         )
 
     if os.name == "nt":
         tainted_windows_path = pathlib.WindowsPath(ts)
         ensure_tainted(
-            tainted_windows_path,
+            tainted_windows_path, # $ MISSING: tainted
         )
 
 # Make tests runable
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_string.py b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_string.py
index 2f63f8af460..41a14e73a27 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_string.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_string.py
@@ -14,10 +14,10 @@ def str_methods():
     ts = TAINTED_STRING
     tb = TAINTED_BYTES
     ensure_tainted(
-        ts.casefold(),
+        ts.casefold(), # $ tainted
 
-        ts.format_map({}),
-        "{unsafe}".format_map({"unsafe": ts}),
+        ts.format_map({}), # $ tainted
+        "{unsafe}".format_map({"unsafe": ts}), # $ tainted
     )
 
 
@@ -28,16 +28,16 @@ def binary_decode_encode():
 
     ensure_tainted(
         # New in Python 3.4
-        base64.a85encode(tb),
-        base64.a85decode(base64.a85encode(tb)),
+        base64.a85encode(tb), # $ tainted
+        base64.a85decode(base64.a85encode(tb)), # $ tainted
 
         # New in Python 3.4
-        base64.b85encode(tb),
-        base64.b85decode(base64.b85encode(tb)),
+        base64.b85encode(tb), # $ tainted
+        base64.b85decode(base64.b85encode(tb)), # $ tainted
 
         # New in Python 3.1
-        base64.encodebytes(tb),
-        base64.decodebytes(base64.encodebytes(tb)),
+        base64.encodebytes(tb), # $ tainted
+        base64.decodebytes(base64.encodebytes(tb)), # $ tainted
     )
 
 
@@ -45,7 +45,7 @@ def f_strings():
     print("\n# f_strings")
     ts = TAINTED_STRING
 
-    ensure_tainted(f"foo {ts} bar")
+    ensure_tainted(f"foo {ts} bar") # $ tainted
 
 
 # Make tests runable
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_unpacking.py b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_unpacking.py
index a9484bcfca6..c4844866304 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_unpacking.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_unpacking.py
@@ -15,12 +15,12 @@ if TYPE_CHECKING:
 
 def extended_unpacking():
     first, *rest, last = TAINTED_LIST
-    ensure_tainted(first, rest, last)
+    ensure_tainted(first, rest, last) # $ tainted
 
 
 def also_allowed():
     *a, = TAINTED_LIST
-    ensure_tainted(a)
+    ensure_tainted(a) # $ tainted
 
     # for b, *c in [(1, 2, 3), (4, 5, 6, 7)]:
         # print(c)
@@ -28,7 +28,7 @@ def also_allowed():
         # i=1; c=[5,6,7]
 
     for b, *c in [TAINTED_LIST, TAINTED_LIST]:
-        ensure_tainted(b, c)
+        ensure_tainted(b, c) # $ tainted
 
 
 def nested():
@@ -36,7 +36,7 @@ def nested():
     ll = [l,l]
 
     [[x, *xs], ys] = ll
-    ensure_tainted(x, xs, ys)
+    ensure_tainted(x, xs, ys) # $ tainted
 
 
 # Make tests runable
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/InlineTaintTest.expected b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/InlineTaintTest.expected
new file mode 100644
index 00000000000..79d760d87f4
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/InlineTaintTest.ql b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/InlineTaintTest.ql
new file mode 100644
index 00000000000..027ad8667be
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/TestTaint.expected b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/TestTaint.expected
deleted file mode 100644
index c68e83b9784..00000000000
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/TestTaint.expected
+++ /dev/null
@@ -1,176 +0,0 @@
-| test_collections.py:23 | ok   | test_construction | tainted_string |
-| test_collections.py:24 | ok   | test_construction | tainted_list |
-| test_collections.py:25 | ok   | test_construction | tainted_tuple |
-| test_collections.py:26 | ok   | test_construction | tainted_set |
-| test_collections.py:27 | ok   | test_construction | tainted_dict |
-| test_collections.py:31 | ok   | test_construction | list(..) |
-| test_collections.py:32 | ok   | test_construction | list(..) |
-| test_collections.py:33 | ok   | test_construction | list(..) |
-| test_collections.py:34 | ok   | test_construction | list(..) |
-| test_collections.py:35 | ok   | test_construction | list(..) |
-| test_collections.py:37 | ok   | test_construction | tuple(..) |
-| test_collections.py:38 | ok   | test_construction | set(..) |
-| test_collections.py:39 | ok   | test_construction | frozenset(..) |
-| test_collections.py:47 | ok   | test_access | tainted_list[0] |
-| test_collections.py:48 | ok   | test_access | tainted_list[x] |
-| test_collections.py:49 | ok   | test_access | tainted_list[Slice] |
-| test_collections.py:51 | ok   | test_access | sorted(..) |
-| test_collections.py:52 | ok   | test_access | reversed(..) |
-| test_collections.py:53 | ok   | test_access | iter(..) |
-| test_collections.py:54 | ok   | test_access | next(..) |
-| test_collections.py:58 | ok   | test_access | a |
-| test_collections.py:58 | ok   | test_access | b |
-| test_collections.py:58 | ok   | test_access | c |
-| test_collections.py:61 | ok   | test_access | h |
-| test_collections.py:63 | ok   | test_access | i |
-| test_collections.py:70 | ok   | test_dict_access | tainted_dict["name"] |
-| test_collections.py:71 | ok   | test_dict_access | tainted_dict.get(..) |
-| test_collections.py:72 | ok   | test_dict_access | tainted_dict[x] |
-| test_collections.py:73 | ok   | test_dict_access | tainted_dict.copy() |
-| test_collections.py:77 | ok   | test_dict_access | v |
-| test_collections.py:79 | ok   | test_dict_access | v |
-| test_collections.py:87 | fail | test_named_tuple | point[0] |
-| test_collections.py:88 | fail | test_named_tuple | point.x |
-| test_collections.py:92 | ok   | test_named_tuple | point[1] |
-| test_collections.py:93 | ok   | test_named_tuple | point.y |
-| test_collections.py:97 | fail | test_named_tuple | a |
-| test_collections.py:98 | ok   | test_named_tuple | b |
-| test_collections.py:106 | fail | test_defaultdict | tainted_default_dict["name"] |
-| test_collections.py:107 | fail | test_defaultdict | tainted_default_dict.get(..) |
-| test_collections.py:108 | fail | test_defaultdict | tainted_default_dict[x] |
-| test_collections.py:109 | fail | test_defaultdict | tainted_default_dict.copy() |
-| test_collections.py:112 | fail | test_defaultdict | v |
-| test_collections.py:114 | fail | test_defaultdict | v |
-| test_collections.py:121 | ok   | test_copy_1 | copy(..) |
-| test_collections.py:122 | ok   | test_copy_1 | deepcopy(..) |
-| test_collections.py:130 | ok   | test_copy_2 | copy.copy(..) |
-| test_collections.py:131 | ok   | test_copy_2 | copy.deepcopy(..) |
-| test_collections.py:139 | ok   | list_index_assign | my_list |
-| test_collections.py:142 | fail | list_index_assign | my_list |
-| test_collections.py:149 | ok   | list_index_aug_assign | my_list |
-| test_collections.py:152 | fail | list_index_aug_assign | my_list |
-| test_collections.py:159 | ok   | list_append | my_list |
-| test_collections.py:162 | ok   | list_append | my_list |
-| test_collections.py:169 | ok   | list_extend | my_list |
-| test_collections.py:172 | fail | list_extend | my_list |
-| test_collections.py:179 | ok   | dict_update_dict | my_dict |
-| test_collections.py:182 | fail | dict_update_dict | my_dict |
-| test_collections.py:189 | ok   | dict_update_kv_list | my_dict |
-| test_collections.py:192 | fail | dict_update_kv_list | my_dict |
-| test_collections.py:198 | ok   | dict_update_kv_arg | my_dict |
-| test_collections.py:201 | fail | dict_update_kv_arg | my_dict |
-| test_collections.py:208 | ok   | dict_manual_update | my_dict |
-| test_collections.py:212 | fail | dict_manual_update | my_dict |
-| test_collections.py:220 | fail | dict_merge | merged |
-| test_collections.py:227 | ok   | set_add | my_set |
-| test_collections.py:230 | ok   | set_add | my_set |
-| test_json.py:26 | ok   | test | json.dumps(..) |
-| test_json.py:27 | ok   | test | json.loads(..) |
-| test_json.py:34 | fail | test | tainted_filelike |
-| test_json.py:35 | fail | test | json.load(..) |
-| test_json.py:48 | ok   | non_syntacical | dumps(..) |
-| test_json.py:49 | ok   | non_syntacical | dumps_alias(..) |
-| test_json.py:50 | ok   | non_syntacical | loads(..) |
-| test_json.py:57 | fail | non_syntacical | tainted_filelike |
-| test_json.py:58 | fail | non_syntacical | load(..) |
-| test_string.py:25 | ok   | str_operations | ts |
-| test_string.py:26 | ok   | str_operations | BinaryExpr |
-| test_string.py:27 | ok   | str_operations | BinaryExpr |
-| test_string.py:28 | ok   | str_operations | BinaryExpr |
-| test_string.py:29 | ok   | str_operations | ts[Slice] |
-| test_string.py:30 | ok   | str_operations | ts[Slice] |
-| test_string.py:31 | ok   | str_operations | ts[Slice] |
-| test_string.py:32 | ok   | str_operations | ts[0] |
-| test_string.py:33 | ok   | str_operations | str(..) |
-| test_string.py:34 | ok   | str_operations | bytes(..) |
-| test_string.py:35 | ok   | str_operations | unicode(..) |
-| test_string.py:39 | ok   | str_operations | aug_assignment |
-| test_string.py:41 | ok   | str_operations | aug_assignment |
-| test_string.py:49 | ok   | str_methods | ts.capitalize() |
-| test_string.py:50 | ok   | str_methods | ts.center(..) |
-| test_string.py:51 | ok   | str_methods | ts.expandtabs() |
-| test_string.py:53 | ok   | str_methods | ts.format() |
-| test_string.py:54 | ok   | str_methods | "{}".format(..) |
-| test_string.py:55 | ok   | str_methods | "{unsafe}".format(..) |
-| test_string.py:57 | ok   | str_methods | ts.join(..) |
-| test_string.py:58 | ok   | str_methods | "".join(..) |
-| test_string.py:60 | ok   | str_methods | ts.ljust(..) |
-| test_string.py:61 | ok   | str_methods | ts.lstrip() |
-| test_string.py:62 | ok   | str_methods | ts.lower() |
-| test_string.py:64 | ok   | str_methods | ts.replace(..) |
-| test_string.py:65 | ok   | str_methods | "safe".replace(..) |
-| test_string.py:67 | ok   | str_methods | ts.rjust(..) |
-| test_string.py:68 | ok   | str_methods | ts.rstrip() |
-| test_string.py:69 | ok   | str_methods | ts.strip() |
-| test_string.py:70 | ok   | str_methods | ts.swapcase() |
-| test_string.py:71 | ok   | str_methods | ts.title() |
-| test_string.py:72 | ok   | str_methods | ts.upper() |
-| test_string.py:73 | ok   | str_methods | ts.zfill(..) |
-| test_string.py:75 | ok   | str_methods | ts.encode(..) |
-| test_string.py:76 | ok   | str_methods | ts.encode(..).decode(..) |
-| test_string.py:78 | ok   | str_methods | tb.decode(..) |
-| test_string.py:79 | ok   | str_methods | tb.decode(..).encode(..) |
-| test_string.py:82 | ok   | str_methods | ts.partition(..) |
-| test_string.py:83 | ok   | str_methods | ts.rpartition(..) |
-| test_string.py:84 | ok   | str_methods | ts.rsplit(..) |
-| test_string.py:85 | ok   | str_methods | ts.split(..) |
-| test_string.py:86 | ok   | str_methods | ts.splitlines() |
-| test_string.py:91 | ok   | str_methods | "safe".replace(..) |
-| test_string.py:93 | fail | str_methods | ts.join(..) |
-| test_string.py:94 | fail | str_methods | ts.join(..) |
-| test_string.py:104 | fail | non_syntactic | meth() |
-| test_string.py:105 | fail | non_syntactic | _str(..) |
-| test_string.py:114 | ok   | percent_fmt | BinaryExpr |
-| test_string.py:115 | ok   | percent_fmt | BinaryExpr |
-| test_string.py:116 | ok   | percent_fmt | BinaryExpr |
-| test_string.py:126 | ok   | binary_decode_encode | base64.b64encode(..) |
-| test_string.py:127 | ok   | binary_decode_encode | base64.b64decode(..) |
-| test_string.py:129 | ok   | binary_decode_encode | base64.standard_b64encode(..) |
-| test_string.py:130 | ok   | binary_decode_encode | base64.standard_b64decode(..) |
-| test_string.py:132 | ok   | binary_decode_encode | base64.urlsafe_b64encode(..) |
-| test_string.py:133 | ok   | binary_decode_encode | base64.urlsafe_b64decode(..) |
-| test_string.py:135 | ok   | binary_decode_encode | base64.b32encode(..) |
-| test_string.py:136 | ok   | binary_decode_encode | base64.b32decode(..) |
-| test_string.py:138 | ok   | binary_decode_encode | base64.b16encode(..) |
-| test_string.py:139 | ok   | binary_decode_encode | base64.b16decode(..) |
-| test_string.py:142 | ok   | binary_decode_encode | base64.encodestring(..) |
-| test_string.py:143 | ok   | binary_decode_encode | base64.decodestring(..) |
-| test_string.py:148 | fail | binary_decode_encode | quopri.encodestring(..) |
-| test_string.py:149 | fail | binary_decode_encode | quopri.decodestring(..) |
-| test_string.py:159 | ok   | test_os_path_join | os.path.join(..) |
-| test_string.py:160 | ok   | test_os_path_join | os.path.join(..) |
-| test_string.py:161 | ok   | test_os_path_join | os.path.join(..) |
-| test_string.py:162 | ok   | test_os_path_join | ospath_alias.join(..) |
-| test_unpacking.py:16 | ok   | unpacking | a |
-| test_unpacking.py:16 | ok   | unpacking | b |
-| test_unpacking.py:16 | ok   | unpacking | c |
-| test_unpacking.py:22 | ok   | unpacking_to_list | a |
-| test_unpacking.py:22 | ok   | unpacking_to_list | b |
-| test_unpacking.py:22 | ok   | unpacking_to_list | c |
-| test_unpacking.py:31 | ok   | nested | a1 |
-| test_unpacking.py:31 | ok   | nested | a2 |
-| test_unpacking.py:31 | ok   | nested | a3 |
-| test_unpacking.py:31 | ok   | nested | b |
-| test_unpacking.py:31 | ok   | nested | c |
-| test_unpacking.py:35 | ok   | nested | a1 |
-| test_unpacking.py:35 | ok   | nested | a2 |
-| test_unpacking.py:35 | ok   | nested | a3 |
-| test_unpacking.py:35 | ok   | nested | b |
-| test_unpacking.py:35 | ok   | nested | c |
-| test_unpacking.py:39 | ok   | nested | a1 |
-| test_unpacking.py:39 | ok   | nested | a2 |
-| test_unpacking.py:39 | ok   | nested | a3 |
-| test_unpacking.py:39 | ok   | nested | b |
-| test_unpacking.py:39 | ok   | nested | c |
-| test_unpacking.py:46 | ok   | unpack_from_set | a |
-| test_unpacking.py:46 | ok   | unpack_from_set | b |
-| test_unpacking.py:46 | ok   | unpack_from_set | c |
-| test_unpacking.py:55 | ok   | contrived_1 | a |
-| test_unpacking.py:55 | ok   | contrived_1 | b |
-| test_unpacking.py:55 | ok   | contrived_1 | c |
-| test_unpacking.py:56 | fail | contrived_1 | d |
-| test_unpacking.py:56 | fail | contrived_1 | e |
-| test_unpacking.py:56 | fail | contrived_1 | f |
-| test_unpacking.py:65 | ok   | contrived_2 | a |
-| test_unpacking.py:65 | ok   | contrived_2 | b |
-| test_unpacking.py:65 | ok   | contrived_2 | c |
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/TestTaint.ql b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/TestTaint.ql
deleted file mode 100644
index 80625505fa2..00000000000
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/TestTaint.ql
+++ /dev/null
@@ -1 +0,0 @@
-import experimental.dataflow.tainttracking.TestTaintLib
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_collections.py b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_collections.py
index e8ad3af05a8..f8a59ad37ea 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_collections.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_collections.py
@@ -20,23 +20,23 @@ def test_construction():
     tainted_dict = {'key': tainted_string}
 
     ensure_tainted(
-        tainted_string,
-        tainted_list,
-        tainted_tuple,
-        tainted_set,
-        tainted_dict,
+        tainted_string, # $ tainted
+        tainted_list, # $ tainted
+        tainted_tuple, # $ tainted
+        tainted_set, # $ tainted
+        tainted_dict, # $ tainted
     )
 
     ensure_tainted(
-        list(tainted_list),
-        list(tainted_tuple),
-        list(tainted_set),
-        list(tainted_dict.values()),
-        list(tainted_dict.items()),
+        list(tainted_list), # $ tainted
+        list(tainted_tuple), # $ tainted
+        list(tainted_set), # $ tainted
+        list(tainted_dict.values()), # $ tainted
+        list(tainted_dict.items()), # $ tainted
 
-        tuple(tainted_list),
-        set(tainted_list),
-        frozenset(tainted_list),
+        tuple(tainted_list), # $ tainted
+        set(tainted_list), # $ tainted
+        frozenset(tainted_list), # $ tainted
     )
 
 
@@ -44,39 +44,39 @@ def test_access(x, y, z):
     tainted_list = TAINTED_LIST
 
     ensure_tainted(
-        tainted_list[0],
-        tainted_list[x],
-        tainted_list[y:z],
+        tainted_list[0], # $ tainted
+        tainted_list[x], # $ tainted
+        tainted_list[y:z], # $ tainted
 
-        sorted(tainted_list),
-        reversed(tainted_list),
-        iter(tainted_list),
-        next(iter(tainted_list)),
+        sorted(tainted_list), # $ tainted
+        reversed(tainted_list), # $ tainted
+        iter(tainted_list), # $ tainted
+        next(iter(tainted_list)), # $ tainted
     )
 
     a, b, c = tainted_list[0:3]
-    ensure_tainted(a, b, c)
+    ensure_tainted(a, b, c) # $ tainted
 
     for h in tainted_list:
-        ensure_tainted(h)
+        ensure_tainted(h) # $ tainted
     for i in reversed(tainted_list):
-        ensure_tainted(i)
+        ensure_tainted(i) # $ tainted
 
 
 def test_dict_access(x):
     tainted_dict = TAINTED_DICT
 
     ensure_tainted(
-        tainted_dict["name"],
-        tainted_dict.get("name"),
-        tainted_dict[x],
-        tainted_dict.copy(),
+        tainted_dict["name"], # $ tainted
+        tainted_dict.get("name"), # $ tainted
+        tainted_dict[x], # $ tainted
+        tainted_dict.copy(), # $ tainted
     )
 
     for v in tainted_dict.values():
-        ensure_tainted(v)
+        ensure_tainted(v) # $ tainted
     for k, v in tainted_dict.items():
-        ensure_tainted(v)
+        ensure_tainted(v) # $ tainted
 
 
 def test_named_tuple(): # TODO: namedtuple currently not handled
@@ -84,8 +84,8 @@ def test_named_tuple(): # TODO: namedtuple currently not handled
     point = Point(TAINTED_STRING, 'safe')
 
     ensure_tainted(
-        point[0],
-        point.x,
+        point[0], # $ MISSING: tainted
+        point.x, # $ MISSING: tainted
     )
 
     ensure_not_tainted(
@@ -94,7 +94,7 @@ def test_named_tuple(): # TODO: namedtuple currently not handled
     )
 
     a, b = point
-    ensure_tainted(a)
+    ensure_tainted(a) # $ MISSING: tainted
     ensure_not_tainted(b)
 
 
@@ -103,23 +103,23 @@ def test_defaultdict(key, x): # TODO: defaultdict currently not handled
     tainted_default_dict[key] += TAINTED_STRING
 
     ensure_tainted(
-        tainted_default_dict["name"],
-        tainted_default_dict.get("name"),
-        tainted_default_dict[x],
-        tainted_default_dict.copy(),
+        tainted_default_dict["name"], # $ MISSING: tainted
+        tainted_default_dict.get("name"), # $ MISSING: tainted
+        tainted_default_dict[x], # $ MISSING: tainted
+        tainted_default_dict.copy(), # $ MISSING: tainted
     )
     for v in tainted_default_dict.values():
-        ensure_tainted(v)
+        ensure_tainted(v) # $ MISSING: tainted
     for k, v in tainted_default_dict.items():
-        ensure_tainted(v)
+        ensure_tainted(v) # $ MISSING: tainted
 
 
 def test_copy_1():
     from copy import copy, deepcopy
 
     ensure_tainted(
-        copy(TAINTED_LIST),
-        deepcopy(TAINTED_LIST),
+        copy(TAINTED_LIST), # $ tainted
+        deepcopy(TAINTED_LIST), # $ tainted
     )
 
 
@@ -127,8 +127,8 @@ def test_copy_2():
     import copy
 
     ensure_tainted(
-        copy.copy(TAINTED_LIST),
-        copy.deepcopy(TAINTED_LIST),
+        copy.copy(TAINTED_LIST), # $ tainted
+        copy.deepcopy(TAINTED_LIST), # $ tainted
     )
 
 
@@ -139,7 +139,7 @@ def list_index_assign():
     ensure_not_tainted(my_list)
 
     my_list[0] = tainted_string
-    ensure_tainted(my_list)
+    ensure_tainted(my_list) # $ MISSING: tainted
 
 
 def list_index_aug_assign():
@@ -149,7 +149,7 @@ def list_index_aug_assign():
     ensure_not_tainted(my_list)
 
     my_list[0] += tainted_string
-    ensure_tainted(my_list)
+    ensure_tainted(my_list) # $ MISSING: tainted
 
 
 def list_append():
@@ -159,7 +159,7 @@ def list_append():
     ensure_not_tainted(my_list)
 
     my_list.append(tainted_string)
-    ensure_tainted(my_list)
+    ensure_tainted(my_list) # $ tainted
 
 
 def list_extend():
@@ -169,7 +169,7 @@ def list_extend():
     ensure_not_tainted(my_list)
 
     my_list.extend(tainted_list)
-    ensure_tainted(my_list)
+    ensure_tainted(my_list) # $ MISSING: tainted
 
 
 def dict_update_dict():
@@ -179,7 +179,7 @@ def dict_update_dict():
     ensure_not_tainted(my_dict)
 
     my_dict.update(tainted_dict)
-    ensure_tainted(my_dict)
+    ensure_tainted(my_dict) # $ MISSING: tainted
 
 
 def dict_update_kv_list():
@@ -189,7 +189,7 @@ def dict_update_kv_list():
     ensure_not_tainted(my_dict)
 
     my_dict.update(tainted_kv_list)
-    ensure_tainted(my_dict)
+    ensure_tainted(my_dict) # $ MISSING: tainted
 
 
 def dict_update_kv_arg():
@@ -198,7 +198,7 @@ def dict_update_kv_arg():
     ensure_not_tainted(my_dict)
 
     my_dict.update(key2=TAINTED_STRING)
-    ensure_tainted(my_dict)
+    ensure_tainted(my_dict) # $ MISSING: tainted
 
 
 def dict_manual_update():
@@ -209,7 +209,7 @@ def dict_manual_update():
 
     for k in tainted_dict:
         my_dict[k] = tainted_dict[k]
-    ensure_tainted(my_dict)
+    ensure_tainted(my_dict) # $ MISSING: tainted
 
 
 def dict_merge():
@@ -217,7 +217,7 @@ def dict_merge():
     tainted_dict = {"key2": TAINTED_STRING}
 
     merged = {**my_dict, **tainted_dict}
-    ensure_tainted(merged)
+    ensure_tainted(merged) # $ MISSING: tainted
 
 
 def set_add():
@@ -227,7 +227,7 @@ def set_add():
     ensure_not_tainted(my_set)
 
     my_set.add(tainted_string)
-    ensure_tainted(my_set)
+    ensure_tainted(my_set) # $ tainted
 
 
 # Make tests runable
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py
index dbf1b042e44..a7398b4d001 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py
@@ -23,16 +23,16 @@ def test():
     import json
 
     ensure_tainted(
-        json.dumps(ts),
-        json.loads(json.dumps(ts)),
+        json.dumps(ts), # $ tainted
+        json.loads(json.dumps(ts)), # $ tainted
     )
 
     # For Python2, need to convert to unicode for StringIO to work
     tainted_filelike = StringIO(unicode(json.dumps(ts)))
 
     ensure_tainted(
-        tainted_filelike,
-        json.load(tainted_filelike),
+        tainted_filelike, # $ MISSING: tainted
+        json.load(tainted_filelike), # $ MISSING: tainted
     )
 
 def non_syntacical():
@@ -45,17 +45,17 @@ def non_syntacical():
     dumps_alias = dumps
 
     ensure_tainted(
-        dumps(ts),
-        dumps_alias(ts),
-        loads(dumps(ts)),
+        dumps(ts), # $ tainted
+        dumps_alias(ts), # $ tainted
+        loads(dumps(ts)), # $ tainted
     )
 
     # For Python2, need to convert to unicode for StringIO to work
     tainted_filelike = StringIO(unicode(dumps(ts)))
 
     ensure_tainted(
-        tainted_filelike,
-        load(tainted_filelike),
+        tainted_filelike, # $ MISSING: tainted
+        load(tainted_filelike), # $ MISSING: tainted
     )
 
 # Make tests runable
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_string.py b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_string.py
index 5c80a8212f3..eed3543bc17 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_string.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_string.py
@@ -22,23 +22,23 @@ def str_operations():
     tb = TAINTED_BYTES
 
     ensure_tainted(
-        ts,
-        ts + "foo",
-        "foo" + ts,
-        ts * 5,
-        ts[0 : len(ts)],
-        ts[:],
-        ts[0:1000],
-        ts[0],
-        str(ts),
-        bytes(tb),
-        unicode(ts),
+        ts, # $ tainted
+        ts + "foo", # $ tainted
+        "foo" + ts, # $ tainted
+        ts * 5, # $ tainted
+        ts[0 : len(ts)], # $ tainted
+        ts[:], # $ tainted
+        ts[0:1000], # $ tainted
+        ts[0], # $ tainted
+        str(ts), # $ tainted
+        bytes(tb), # $ tainted
+        unicode(ts), # $ tainted
     )
 
     aug_assignment = "safe"
     ensure_not_tainted(aug_assignment)
     aug_assignment += TAINTED_STRING
-    ensure_tainted(aug_assignment)
+    ensure_tainted(aug_assignment) # $ tainted
 
 
 def str_methods():
@@ -46,52 +46,54 @@ def str_methods():
     ts = TAINTED_STRING
     tb = TAINTED_BYTES
     ensure_tainted(
-        ts.capitalize(),
-        ts.center(100),
-        ts.expandtabs(),
+        ts.capitalize(), # $ tainted
+        ts.center(100), # $ tainted
+        ts.expandtabs(), # $ tainted
 
-        ts.format(),
-        "{}".format(ts),
-        "{unsafe}".format(unsafe=ts),
+        ts.format(), # $ tainted
+        "{}".format(ts), # $ tainted
+        "{unsafe}".format(unsafe=ts), # $ tainted
 
-        ts.join(["", ""]),
-        "".join([ts]),
+        ts.join(["", ""]), # $ tainted
+        "".join([ts]), # $ tainted
 
-        ts.ljust(100),
-        ts.lstrip(),
-        ts.lower(),
+        ts.ljust(100), # $ tainted
+        ts.lstrip(), # $ tainted
+        ts.lower(), # $ tainted
 
-        ts.replace("old", "new"),
-        "safe".replace("safe", ts),
+        ts.replace("old", "new"), # $ tainted
+        "safe".replace("safe", ts), # $ tainted
 
-        ts.rjust(100),
-        ts.rstrip(),
-        ts.strip(),
-        ts.swapcase(),
-        ts.title(),
-        ts.upper(),
-        ts.zfill(100),
+        ts.rjust(100), # $ tainted
+        ts.rstrip(), # $ tainted
+        ts.strip(), # $ tainted
+        ts.swapcase(), # $ tainted
+        ts.title(), # $ tainted
+        ts.upper(), # $ tainted
+        ts.zfill(100), # $ tainted
 
-        ts.encode("utf-8"),
-        ts.encode("utf-8").decode("utf-8"),
+        ts.encode("utf-8"), # $ tainted
+        ts.encode("utf-8").decode("utf-8"), # $ tainted
 
-        tb.decode("utf-8"),
-        tb.decode("utf-8").encode("utf-8"),
+        tb.decode("utf-8"), # $ tainted
+        tb.decode("utf-8").encode("utf-8"), # $ tainted
 
         # string methods that return a list
-        ts.partition("_"),
-        ts.rpartition("_"),
-        ts.rsplit("_"),
-        ts.split("_"),
-        ts.splitlines(),
+        ts.partition("_"), # $ tainted
+        ts.rpartition("_"), # $ tainted
+        ts.rsplit("_"), # $ tainted
+        ts.split("_"), # $ tainted
+        ts.splitlines(), # $ tainted
     )
 
     ensure_not_tainted(
         # Intuitively I think this should be safe, but better discuss it
         "safe".replace(ts, "also-safe"),
 
-        ts.join([]),  # FP due to separator not being used with zero/one elements
-        ts.join(["safe"]),  # FP due to separator not being used with zero/one elements
+        # FPs due to separator (`ts`) not ending up in result, when the list only has
+        # zero/one elements
+        ts.join([]), # $ SPURIOUS: tainted
+        ts.join(["safe"]),  # $ SPURIOUS: tainted
     )
 
 
@@ -101,8 +103,8 @@ def non_syntactic():
     meth = ts.upper
     _str = str
     ensure_tainted(
-        meth(),
-        _str(ts),
+        meth(), # $ MISSING: tainted
+        _str(ts), # $ MISSING: tainted
     )
 
 
@@ -111,9 +113,9 @@ def percent_fmt():
     ts = TAINTED_STRING
     tainted_fmt = ts + " %s %s"
     ensure_tainted(
-        tainted_fmt % (1, 2),
-        "%s foo bar" % ts,
-        "%s %s %s" % (1, 2, ts),
+        tainted_fmt % (1, 2), # $ tainted
+        "%s foo bar" % ts, # $ tainted
+        "%s %s %s" % (1, 2, ts), # $ tainted
     )
 
 
@@ -123,30 +125,30 @@ def binary_decode_encode():
     import base64
 
     ensure_tainted(
-        base64.b64encode(tb),
-        base64.b64decode(base64.b64encode(tb)),
+        base64.b64encode(tb), # $ tainted
+        base64.b64decode(base64.b64encode(tb)), # $ tainted
 
-        base64.standard_b64encode(tb),
-        base64.standard_b64decode(base64.standard_b64encode(tb)),
+        base64.standard_b64encode(tb), # $ tainted
+        base64.standard_b64decode(base64.standard_b64encode(tb)), # $ tainted
 
-        base64.urlsafe_b64encode(tb),
-        base64.urlsafe_b64decode(base64.urlsafe_b64encode(tb)),
+        base64.urlsafe_b64encode(tb), # $ tainted
+        base64.urlsafe_b64decode(base64.urlsafe_b64encode(tb)), # $ tainted
 
-        base64.b32encode(tb),
-        base64.b32decode(base64.b32encode(tb)),
+        base64.b32encode(tb), # $ tainted
+        base64.b32decode(base64.b32encode(tb)), # $ tainted
 
-        base64.b16encode(tb),
-        base64.b16decode(base64.b16encode(tb)),
+        base64.b16encode(tb), # $ tainted
+        base64.b16decode(base64.b16encode(tb)), # $ tainted
 
         # deprecated since Python 3.1, but still works
-        base64.encodestring(tb),
-        base64.decodestring(base64.encodestring(tb)),
+        base64.encodestring(tb), # $ tainted
+        base64.decodestring(base64.encodestring(tb)), # $ tainted
     )
 
     import quopri
     ensure_tainted(
-        quopri.encodestring(tb),
-        quopri.decodestring(quopri.encodestring(tb)),
+        quopri.encodestring(tb), # $ MISSING: tainted
+        quopri.decodestring(quopri.encodestring(tb)), # $ MISSING: tainted
     )
 
 
@@ -156,10 +158,10 @@ def test_os_path_join():
     print("\n# test_os_path_join")
     ts = TAINTED_STRING
     ensure_tainted(
-        os.path.join(ts, "foo", "bar"),
-        os.path.join(ts),
-        os.path.join("foo", "bar", ts),
-        ospath_alias.join("foo", "bar", ts),
+        os.path.join(ts, "foo", "bar"), # $ tainted
+        os.path.join(ts), # $ tainted
+        os.path.join("foo", "bar", ts), # $ tainted
+        ospath_alias.join("foo", "bar", ts), # $ tainted
     )
 
 
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_unpacking.py b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_unpacking.py
index b6403a6e37a..d8bfe71dbc4 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_unpacking.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_unpacking.py
@@ -13,13 +13,13 @@ if TYPE_CHECKING:
 def unpacking():
     l = TAINTED_LIST[0:3]
     a, b, c = l
-    ensure_tainted(a, b, c)
+    ensure_tainted(a, b, c) # $ tainted
 
 
 def unpacking_to_list():
     l = TAINTED_LIST[0:3]
     [a, b, c] = l
-    ensure_tainted(a, b, c)
+    ensure_tainted(a, b, c) # $ tainted
 
 
 def nested():
@@ -28,22 +28,22 @@ def nested():
 
     # list
     [[a1, a2, a3], b, c] = ll
-    ensure_tainted(a1, a2, a3, b, c)
+    ensure_tainted(a1, a2, a3, b, c) # $ tainted
 
     # tuple
     ((a1, a2, a3), b, c) = ll
-    ensure_tainted(a1, a2, a3, b, c)
+    ensure_tainted(a1, a2, a3, b, c) # $ tainted
 
     # mixed
     [(a1, a2, a3), b, c] = ll
-    ensure_tainted(a1, a2, a3, b, c)
+    ensure_tainted(a1, a2, a3, b, c) # $ tainted
 
 
 def unpack_from_set():
     # no guarantee on ordering ... don't know why you would ever do this
     a, b, c = {"foo", "bar", TAINTED_STRING}
     # either all should be tainted, or none of them
-    ensure_tainted(a, b, c)
+    ensure_tainted(a, b, c) # $ tainted
 
 
 def contrived_1():
@@ -52,8 +52,8 @@ def contrived_1():
     no_taint_list = [1,2,3]
 
     (a, b, c), (d, e, f) = tainted_list, no_taint_list
-    ensure_tainted(a, b, c)
-    ensure_not_tainted(d, e, f) # FP: we mark `d`, `e` and `f` as tainted.
+    ensure_tainted(a, b, c) # $ tainted
+    ensure_not_tainted(d, e, f) # $ SPURIOUS: tainted
 
 
 def contrived_2():
@@ -62,7 +62,7 @@ def contrived_2():
     # Old taint tracking was only able to handle taint nested 2 levels in sequences,
     # so would not mark a, b, c as tainted
     [[[ (a, b, c) ]]] = [[[ TAINTED_LIST[0:3] ]]]
-    ensure_tainted(a, b, c)
+    ensure_tainted(a, b, c) # $ tainted
 
 
 # Make tests runable
diff --git a/python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/InlineTaintTest.expected b/python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/InlineTaintTest.expected
new file mode 100644
index 00000000000..79d760d87f4
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
diff --git a/python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/InlineTaintTest.ql b/python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/InlineTaintTest.ql
new file mode 100644
index 00000000000..027ad8667be
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
diff --git a/python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/test.py b/python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/test.py
index 09fdaeb8c0b..d4f9bda2eec 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/test.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/test.py
@@ -25,14 +25,14 @@ initially_tainted = NOT_TAINTED
 ensure_not_tainted(initially_tainted)
 
 def use_of_initially_tainted():
-    ensure_not_tainted(initially_tainted) # FP
+    ensure_not_tainted(initially_tainted) # $ SPURIOUS: tainted
 
 
 # A very similar case to the above, but here we _do_ want taint flow, because the initially tainted
-# value is actually used before it gets reassigned to an untainted value. 
+# value is actually used before it gets reassigned to an untainted value.
 
 def use_of_initially_tainted2():
-    ensure_tainted(initially_tainted2)
+    ensure_tainted(initially_tainted2) # $ tainted
 
 initially_tainted2 = TAINTED_STRING
 use_of_initially_tainted2()
@@ -47,7 +47,7 @@ def write_tainted():
     g = TAINTED_STRING
 
 def sink_global():
-    ensure_tainted(g)
+    ensure_tainted(g) # $ tainted
 
 write_global()
 write_tainted()
diff --git a/python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/testTaint.expected b/python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/testTaint.expected
deleted file mode 100644
index 275ca11f34b..00000000000
--- a/python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/testTaint.expected
+++ /dev/null
@@ -1,6 +0,0 @@
-| test.py:12 | ok   | test | tainted_later |
-| test.py:25 | ok   | test | initially_tainted |
-| test.py:28 | fail | use_of_initially_tainted | initially_tainted |
-| test.py:35 | ok   | use_of_initially_tainted2 | initially_tainted2 |
-| test.py:40 | ok   | test | initially_tainted2 |
-| test.py:50 | ok   | sink_global | g |
diff --git a/python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/testTaint.ql b/python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/testTaint.ql
deleted file mode 100644
index 80625505fa2..00000000000
--- a/python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/testTaint.ql
+++ /dev/null
@@ -1 +0,0 @@
-import experimental.dataflow.tainttracking.TestTaintLib
diff --git a/python/ql/test/experimental/meta/InlineTaintTest.qll b/python/ql/test/experimental/meta/InlineTaintTest.qll
new file mode 100644
index 00000000000..b45029477d4
--- /dev/null
+++ b/python/ql/test/experimental/meta/InlineTaintTest.qll
@@ -0,0 +1,91 @@
+/**
+ * Defines a InlineExpectationsTest for checking whether any arguments in
+ * `ensure_tainted` and `ensure_not_tainted` calls are tainted.
+ *
+ * Also defines query predicates to ensure that:
+ * - if any arguments to `ensure_not_tainted` are tainted, their annotation is marked with `SPURIOUS`.
+ * - if any arguments to `ensure_tainted` are not tainted, their annotation is marked with `MISSING`.
+ *
+ * The functionality of this module is tested in `ql/test/experimental/meta/inline-taint-test-demo`.
+ */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.dataflow.new.RemoteFlowSources
+import TestUtilities.InlineExpectationsTest
+import experimental.dataflow.TestUtil.PrintNode
+
+DataFlow::Node shouldBeTainted() {
+  exists(DataFlow::CallCfgNode call |
+    call.getFunction().asCfgNode().(NameNode).getId() = "ensure_tainted" and
+    result in [call.getArg(_), call.getArgByName(_)]
+  )
+}
+
+DataFlow::Node shouldNotBeTainted() {
+  exists(DataFlow::CallCfgNode call |
+    call.getFunction().asCfgNode().(NameNode).getId() = "ensure_not_tainted" and
+    result in [call.getArg(_), call.getArgByName(_)]
+  )
+}
+
+class TestTaintTrackingConfiguration extends TaintTracking::Configuration {
+  TestTaintTrackingConfiguration() { this = "TestTaintTrackingConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asCfgNode().(NameNode).getId() in [
+        "TAINTED_STRING", "TAINTED_BYTES", "TAINTED_LIST", "TAINTED_DICT"
+      ]
+    or
+    source instanceof RemoteFlowSource
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = shouldBeTainted()
+    or
+    sink = shouldNotBeTainted()
+  }
+}
+
+class InlineTaintTest extends InlineExpectationsTest {
+  InlineTaintTest() { this = "InlineTaintTest" }
+
+  override string getARelevantTag() { result = "tainted" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(DataFlow::Node sink |
+      any(TestTaintTrackingConfiguration config).hasFlow(_, sink) and
+      location = sink.getLocation() and
+      element = prettyExp(sink.asExpr()) and
+      value = "" and
+      tag = "tainted"
+    )
+  }
+}
+
+query predicate argumentToEnsureNotTaintedNotMarkedAsSpurious(
+  string error, Location location, string element
+) {
+  error = "ERROR, you should add `SPURIOUS:` to this annotation" and
+  location = shouldNotBeTainted().getLocation() and
+  any(InlineTaintTest test).hasActualResult(location, element, "tainted", _) and
+  exists(GoodExpectation good, ActualResult actualResult |
+    good.matchesActualResult(actualResult) and
+    actualResult.getLocation() = location and
+    actualResult.toString() = element
+  )
+}
+
+query predicate untaintedArgumentToEnsureTaintedNotMarkedAsMissing(string error, Location location) {
+  error = "ERROR, you should add `# $ MISSING: tainted` annotation" and
+  exists(DataFlow::Node sink |
+    sink = shouldBeTainted() and
+    not any(TestTaintTrackingConfiguration config).hasFlow(_, sink) and
+    location = sink.getLocation() and
+    not exists(FalseNegativeExpectation missingResult |
+      missingResult.getLocation().getStartLine() = location.getStartLine()
+    )
+  )
+}
diff --git a/python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.expected b/python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.expected
new file mode 100644
index 00000000000..1b9dcc764be
--- /dev/null
+++ b/python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.expected
@@ -0,0 +1,5 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+| ERROR, you should add `SPURIOUS:` to this annotation | taint_test.py:36:9:36:29 | taint_test.py:36 | should_not_be_tainted |
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+| ERROR, you should add `# $ MISSING: tainted` annotation | taint_test.py:28:9:28:25 | taint_test.py:28 |
+failures
diff --git a/python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.ql b/python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.ql
new file mode 100644
index 00000000000..027ad8667be
--- /dev/null
+++ b/python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
diff --git a/python/ql/test/experimental/meta/inline-taint-test-demo/taint_test.py b/python/ql/test/experimental/meta/inline-taint-test-demo/taint_test.py
new file mode 100644
index 00000000000..c5c64b05ff1
--- /dev/null
+++ b/python/ql/test/experimental/meta/inline-taint-test-demo/taint_test.py
@@ -0,0 +1,37 @@
+def expected_usage():
+    ts = TAINTED_STRING
+
+    # simulating handling something we _want_ to treat at tainted, but we currently treat as untainted
+    should_be_tainted = "pretend this is unsafe"
+
+    ensure_tainted(
+        ts, # $ tainted
+        should_be_tainted, # $ MISSING: tainted
+    )
+
+    # simulating handling something we _want_ to treat at untainted, but we currently treat as tainted
+    should_not_be_tainted = "pretend this is now safe" + ts
+    ensure_not_tainted(
+        should_not_be_tainted, # $ SPURIOUS: tainted
+        "FOO"
+    )
+
+
+def bad_usage():
+    ts = TAINTED_STRING
+
+    # simulating handling something we _want_ to treat at tainted, but we currently treat as untainted
+    should_be_tainted = "pretend this is unsafe"
+
+    # This element _should_ have a `$ MISSING: tainted` annotation, which will be alerted in the .expected output
+    ensure_tainted(
+        should_be_tainted,
+    )
+
+    # simulating handling something we _want_ to treat at untainted, but we currently treat as tainted
+    should_not_be_tainted = "pretend this is now safe" + ts
+
+    # This annotation _should_ have used `SPURIOUS`, which will be alerted on in the .expected output
+    ensure_not_tainted(
+        should_not_be_tainted # $ tainted
+    )
diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/InlineTaintTest.expected b/python/ql/test/library-tests/frameworks/django-v2-v3/InlineTaintTest.expected
new file mode 100644
index 00000000000..79d760d87f4
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/django-v2-v3/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/InlineTaintTest.ql b/python/ql/test/library-tests/frameworks/django-v2-v3/InlineTaintTest.ql
new file mode 100644
index 00000000000..027ad8667be
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/django-v2-v3/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/TestTaint.expected b/python/ql/test/library-tests/frameworks/django-v2-v3/TestTaint.expected
deleted file mode 100644
index 0888473f41c..00000000000
--- a/python/ql/test/library-tests/frameworks/django-v2-v3/TestTaint.expected
+++ /dev/null
@@ -1,100 +0,0 @@
-| response_test.py:61 | ok   | get_redirect_url | foo |
-| taint_forms.py:6 | ok   | to_python | value |
-| taint_forms.py:9 | ok   | validate | value |
-| taint_forms.py:12 | ok   | run_validators | value |
-| taint_forms.py:15 | ok   | clean | value |
-| taint_forms.py:33 | ok   | clean | cleaned_data |
-| taint_forms.py:34 | ok   | clean | cleaned_data["key"] |
-| taint_forms.py:35 | ok   | clean | cleaned_data.get(..) |
-| taint_forms.py:39 | ok   | clean | self.cleaned_data |
-| taint_forms.py:40 | ok   | clean | self.cleaned_data["key"] |
-| taint_forms.py:41 | ok   | clean | self.cleaned_data.get(..) |
-| taint_forms.py:46 | ok   | clean_foo | self.cleaned_data |
-| taint_test.py:8 | ok   | test_taint | bar |
-| taint_test.py:8 | ok   | test_taint | foo |
-| taint_test.py:9 | ok   | test_taint | baz |
-| taint_test.py:15 | ok   | test_taint | request |
-| taint_test.py:17 | ok   | test_taint | request.body |
-| taint_test.py:18 | ok   | test_taint | request.path |
-| taint_test.py:19 | ok   | test_taint | request.path_info |
-| taint_test.py:23 | ok   | test_taint | request.method |
-| taint_test.py:25 | ok   | test_taint | request.encoding |
-| taint_test.py:26 | ok   | test_taint | request.content_type |
-| taint_test.py:29 | ok   | test_taint | request.content_params |
-| taint_test.py:30 | ok   | test_taint | request.content_params["key"] |
-| taint_test.py:31 | ok   | test_taint | request.content_params.get(..) |
-| taint_test.py:35 | ok   | test_taint | request.GET |
-| taint_test.py:36 | ok   | test_taint | request.GET["key"] |
-| taint_test.py:37 | ok   | test_taint | request.GET.get(..) |
-| taint_test.py:38 | fail | test_taint | request.GET.getlist(..) |
-| taint_test.py:39 | fail | test_taint | request.GET.getlist(..)[0] |
-| taint_test.py:40 | ok   | test_taint | request.GET.pop(..) |
-| taint_test.py:41 | ok   | test_taint | request.GET.pop(..)[0] |
-| taint_test.py:42 | ok   | test_taint | request.GET.popitem()[0] |
-| taint_test.py:43 | ok   | test_taint | request.GET.popitem()[1] |
-| taint_test.py:44 | ok   | test_taint | request.GET.popitem()[1][0] |
-| taint_test.py:45 | fail | test_taint | request.GET.dict() |
-| taint_test.py:46 | fail | test_taint | request.GET.dict()["key"] |
-| taint_test.py:47 | fail | test_taint | request.GET.urlencode() |
-| taint_test.py:50 | ok   | test_taint | request.POST |
-| taint_test.py:53 | ok   | test_taint | request.COOKIES |
-| taint_test.py:54 | ok   | test_taint | request.COOKIES["key"] |
-| taint_test.py:55 | ok   | test_taint | request.COOKIES.get(..) |
-| taint_test.py:58 | ok   | test_taint | request.FILES |
-| taint_test.py:59 | ok   | test_taint | request.FILES["key"] |
-| taint_test.py:60 | fail | test_taint | request.FILES["key"].content_type |
-| taint_test.py:61 | fail | test_taint | request.FILES["key"].content_type_extra |
-| taint_test.py:62 | fail | test_taint | request.FILES["key"].content_type_extra["key"] |
-| taint_test.py:63 | fail | test_taint | request.FILES["key"].charset |
-| taint_test.py:64 | fail | test_taint | request.FILES["key"].name |
-| taint_test.py:65 | fail | test_taint | request.FILES["key"].file |
-| taint_test.py:66 | fail | test_taint | request.FILES["key"].file.read() |
-| taint_test.py:68 | ok   | test_taint | request.FILES.get(..) |
-| taint_test.py:69 | fail | test_taint | request.FILES.get(..).name |
-| taint_test.py:70 | fail | test_taint | request.FILES.getlist(..) |
-| taint_test.py:71 | fail | test_taint | request.FILES.getlist(..)[0] |
-| taint_test.py:72 | fail | test_taint | request.FILES.getlist(..)[0].name |
-| taint_test.py:73 | fail | test_taint | request.FILES.dict() |
-| taint_test.py:74 | fail | test_taint | request.FILES.dict()["key"] |
-| taint_test.py:75 | fail | test_taint | request.FILES.dict()["key"].name |
-| taint_test.py:78 | ok   | test_taint | request.META |
-| taint_test.py:79 | ok   | test_taint | request.META["HTTP_USER_AGENT"] |
-| taint_test.py:80 | ok   | test_taint | request.META.get(..) |
-| taint_test.py:83 | ok   | test_taint | request.headers |
-| taint_test.py:84 | ok   | test_taint | request.headers["user-agent"] |
-| taint_test.py:85 | ok   | test_taint | request.headers["USER_AGENT"] |
-| taint_test.py:88 | ok   | test_taint | request.resolver_match |
-| taint_test.py:89 | fail | test_taint | request.resolver_match.args |
-| taint_test.py:90 | fail | test_taint | request.resolver_match.args[0] |
-| taint_test.py:91 | fail | test_taint | request.resolver_match.kwargs |
-| taint_test.py:92 | fail | test_taint | request.resolver_match.kwargs["key"] |
-| taint_test.py:94 | fail | test_taint | request.get_full_path() |
-| taint_test.py:95 | fail | test_taint | request.get_full_path_info() |
-| taint_test.py:99 | fail | test_taint | request.read() |
-| taint_test.py:100 | fail | test_taint | request.readline() |
-| taint_test.py:101 | fail | test_taint | request.readlines() |
-| taint_test.py:102 | fail | test_taint | request.readlines()[0] |
-| taint_test.py:103 | fail | test_taint | ListComp |
-| taint_test.py:109 | ok   | test_taint | args |
-| taint_test.py:110 | ok   | test_taint | args[0] |
-| taint_test.py:111 | ok   | test_taint | kwargs |
-| taint_test.py:112 | ok   | test_taint | kwargs["key"] |
-| taint_test.py:116 | ok   | test_taint | request.current_app |
-| taint_test.py:121 | ok   | test_taint | request.get_host() |
-| taint_test.py:122 | ok   | test_taint | request.get_port() |
-| taint_test.py:129 | fail | test_taint | request.build_absolute_uri() |
-| taint_test.py:130 | fail | test_taint | request.build_absolute_uri(..) |
-| taint_test.py:131 | fail | test_taint | request.build_absolute_uri(..) |
-| taint_test.py:134 | ok   | test_taint | request.build_absolute_uri(..) |
-| taint_test.py:135 | ok   | test_taint | request.build_absolute_uri(..) |
-| taint_test.py:143 | ok   | test_taint | request.get_signed_cookie(..) |
-| taint_test.py:144 | ok   | test_taint | request.get_signed_cookie(..) |
-| taint_test.py:145 | ok   | test_taint | request.get_signed_cookie(..) |
-| taint_test.py:149 | fail | test_taint | request.get_signed_cookie(..) |
-| taint_test.py:150 | fail | test_taint | request.get_signed_cookie(..) |
-| taint_test.py:157 | ok   | some_method | self.request |
-| taint_test.py:158 | ok   | some_method | self.request.GET["key"] |
-| taint_test.py:160 | ok   | some_method | self.args |
-| taint_test.py:161 | ok   | some_method | self.args[0] |
-| taint_test.py:163 | ok   | some_method | self.kwargs |
-| taint_test.py:164 | ok   | some_method | self.kwargs["key"] |
diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/TestTaint.ql b/python/ql/test/library-tests/frameworks/django-v2-v3/TestTaint.ql
deleted file mode 100644
index 08783404ddd..00000000000
--- a/python/ql/test/library-tests/frameworks/django-v2-v3/TestTaint.ql
+++ /dev/null
@@ -1,6 +0,0 @@
-import experimental.dataflow.tainttracking.TestTaintLib
-import semmle.python.dataflow.new.RemoteFlowSources
-
-class RemoteFlowTestTaintConfiguration extends TestTaintTrackingConfiguration {
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-}
diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py b/python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py
index 91252378677..1b98a735465 100644
--- a/python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py
+++ b/python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py
@@ -58,7 +58,7 @@ def redirect_shortcut(request):
 class CustomRedirectView(RedirectView):
 
     def get_redirect_url(self, foo): # $ requestHandler routedParameter=foo
-        ensure_tainted(foo)
+        ensure_tainted(foo) # $ tainted
         next = "https://example.com/{}".format(foo)
         return next # $ HttpResponse HttpRedirectResponse redirectLocation=next
 
diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/taint_forms.py b/python/ql/test/library-tests/frameworks/django-v2-v3/taint_forms.py
index 5cc9c830e7c..66021b64d29 100644
--- a/python/ql/test/library-tests/frameworks/django-v2-v3/taint_forms.py
+++ b/python/ql/test/library-tests/frameworks/django-v2-v3/taint_forms.py
@@ -3,16 +3,16 @@ import django.forms
 
 class MyField(django.forms.Field):
     def to_python(self, value):
-        ensure_tainted(value)
+        ensure_tainted(value) # $ tainted
 
     def validate(self, value):
-        ensure_tainted(value)
+        ensure_tainted(value) # $ tainted
 
     def run_validators(self, value):
-        ensure_tainted(value)
+        ensure_tainted(value) # $ tainted
 
     def clean(self, value):
-        ensure_tainted(value)
+        ensure_tainted(value) # $ tainted
 
         # # Base definition of `clean` looks like the following, so there is actually
         # # _data flow_ from the methods, but we will ignore for simplicity.
@@ -30,17 +30,17 @@ class MyForm(django.forms.Form):
         cleaned_data = super().clean()
 
         ensure_tainted(
-            cleaned_data,
-            cleaned_data["key"],
-            cleaned_data.get("key"),
+            cleaned_data, # $ tainted
+            cleaned_data["key"], # $ tainted
+            cleaned_data.get("key"), # $ tainted
         )
 
         ensure_tainted(
-            self.cleaned_data,
-            self.cleaned_data["key"],
-            self.cleaned_data.get("key"),
+            self.cleaned_data, # $ tainted
+            self.cleaned_data["key"], # $ tainted
+            self.cleaned_data.get("key"), # $ tainted
         )
 
     def clean_foo(self):
         # This method is supposed to clean the `foo` field in context of this form.
-        ensure_tainted(self.cleaned_data)
+        ensure_tainted(self.cleaned_data) # $ tainted
diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/taint_test.py b/python/ql/test/library-tests/frameworks/django-v2-v3/taint_test.py
index 9c21e59e2e3..a2999ce63b9 100644
--- a/python/ql/test/library-tests/frameworks/django-v2-v3/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/django-v2-v3/taint_test.py
@@ -5,111 +5,114 @@ from django.views import View
 
 
 def test_taint(request: HttpRequest, foo, bar, baz=None):  # $requestHandler routedParameter=foo routedParameter=bar
-    ensure_tainted(foo, bar)
+    ensure_tainted(foo, bar) # $ tainted
     ensure_not_tainted(baz)
 
     # Manually inspected all fields of the HttpRequest object
     # https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects
 
     ensure_tainted(
-        request,
+        request, # $ tainted
 
-        request.body,
-        request.path,
-        request.path_info,
+        request.body, # $ tainted
+        request.path, # $ tainted
+        request.path_info, # $ tainted
 
         # With CSRF middleware disabled, it's possible to use custom methods,
         # for example by `curl -X FOO <url>`
-        request.method,
+        request.method, # $ tainted
 
-        request.encoding,
-        request.content_type,
+        request.encoding, # $ tainted
+        request.content_type, # $ tainted
 
         # Dict[str, str]
-        request.content_params,
-        request.content_params["key"],
-        request.content_params.get("key"),
+        request.content_params, # $ tainted
+        request.content_params["key"], # $ tainted
+        request.content_params.get("key"), # $ tainted
 
         # django.http.QueryDict
         # see https://docs.djangoproject.com/en/3.0/ref/request-response/#querydict-objects
-        request.GET,
-        request.GET["key"],
-        request.GET.get("key"),
-        request.GET.getlist("key"),
-        request.GET.getlist("key")[0],
-        request.GET.pop("key"),
-        request.GET.pop("key")[0],
-        request.GET.popitem()[0], # key
-        request.GET.popitem()[1], # values
-        request.GET.popitem()[1][0], # values[0]
-        request.GET.dict(),
-        request.GET.dict()["key"],
-        request.GET.urlencode(),
+        request.GET, # $ tainted
+        request.GET["key"], # $ tainted
+        request.GET.get("key"), # $ tainted
+        request.GET.getlist("key"), # $ MISSING: tainted
+        request.GET.getlist("key")[0], # $ MISSING: tainted
+        request.GET.pop("key"), # $ tainted
+        request.GET.pop("key")[0], # $ tainted
+        # key
+        request.GET.popitem()[0], # $ tainted
+        # values
+        request.GET.popitem()[1], # $ tainted
+        # values[0]
+        request.GET.popitem()[1][0], # $ tainted
+        request.GET.dict(), # $ MISSING: tainted
+        request.GET.dict()["key"], # $ MISSING: tainted
+        request.GET.urlencode(), # $ MISSING: tainted
 
         # django.http.QueryDict (same as above, did not duplicate tests)
-        request.POST,
+        request.POST, # $ tainted
 
         # Dict[str, str]
-        request.COOKIES,
-        request.COOKIES["key"],
-        request.COOKIES.get("key"),
+        request.COOKIES, # $ tainted
+        request.COOKIES["key"], # $ tainted
+        request.COOKIES.get("key"), # $ tainted
 
         # MultiValueDict[str, UploadedFile]
-        request.FILES,
-        request.FILES["key"],
-        request.FILES["key"].content_type,
-        request.FILES["key"].content_type_extra,
-        request.FILES["key"].content_type_extra["key"],
-        request.FILES["key"].charset,
-        request.FILES["key"].name,
-        request.FILES["key"].file,
-        request.FILES["key"].file.read(),
+        request.FILES, # $ tainted
+        request.FILES["key"], # $ tainted
+        request.FILES["key"].content_type, # $ MISSING: tainted
+        request.FILES["key"].content_type_extra, # $ MISSING: tainted
+        request.FILES["key"].content_type_extra["key"], # $ MISSING: tainted
+        request.FILES["key"].charset, # $ MISSING: tainted
+        request.FILES["key"].name, # $ MISSING: tainted
+        request.FILES["key"].file, # $ MISSING: tainted
+        request.FILES["key"].file.read(), # $ MISSING: tainted
 
-        request.FILES.get("key"),
-        request.FILES.get("key").name,
-        request.FILES.getlist("key"),
-        request.FILES.getlist("key")[0],
-        request.FILES.getlist("key")[0].name,
-        request.FILES.dict(),
-        request.FILES.dict()["key"],
-        request.FILES.dict()["key"].name,
+        request.FILES.get("key"), # $ tainted
+        request.FILES.get("key").name, # $ MISSING: tainted
+        request.FILES.getlist("key"), # $ MISSING: tainted
+        request.FILES.getlist("key")[0], # $ MISSING: tainted
+        request.FILES.getlist("key")[0].name, # $ MISSING: tainted
+        request.FILES.dict(), # $ MISSING: tainted
+        request.FILES.dict()["key"], # $ MISSING: tainted
+        request.FILES.dict()["key"].name, # $ MISSING: tainted
 
         # Dict[str, Any]
-        request.META,
-        request.META["HTTP_USER_AGENT"],
-        request.META.get("HTTP_USER_AGENT"),
+        request.META, # $ tainted
+        request.META["HTTP_USER_AGENT"], # $ tainted
+        request.META.get("HTTP_USER_AGENT"), # $ tainted
 
         # HttpHeaders (case insensitive dict-like)
-        request.headers,
-        request.headers["user-agent"],
-        request.headers["USER_AGENT"],
+        request.headers, # $ tainted
+        request.headers["user-agent"], # $ tainted
+        request.headers["USER_AGENT"], # $ tainted
 
         # django.urls.ResolverMatch
-        request.resolver_match,
-        request.resolver_match.args,
-        request.resolver_match.args[0],
-        request.resolver_match.kwargs,
-        request.resolver_match.kwargs["key"],
+        request.resolver_match, # $ tainted
+        request.resolver_match.args, # $ MISSING: tainted
+        request.resolver_match.args[0], # $ MISSING: tainted
+        request.resolver_match.kwargs, # $ MISSING: tainted
+        request.resolver_match.kwargs["key"], # $ MISSING: tainted
 
-        request.get_full_path(),
-        request.get_full_path_info(),
+        request.get_full_path(), # $ MISSING: tainted
+        request.get_full_path_info(), # $ MISSING: tainted
         # build_absolute_uri handled below
         # get_signed_cookie handled below
 
-        request.read(),
-        request.readline(),
-        request.readlines(),
-        request.readlines()[0],
-        [line for line in request],
+        request.read(), # $ MISSING: tainted
+        request.readline(), # $ MISSING: tainted
+        request.readlines(), # $ MISSING: tainted
+        request.readlines()[0], # $ MISSING: tainted
+        [line for line in request], # $ MISSING: tainted
     )
 
     # django.urls.ResolverMatch also supports iterable unpacking
     _view, args, kwargs = request.resolver_match
     ensure_tainted(
-        args,
-        args[0],
-        kwargs,
-        kwargs["key"],
+        args, # $ tainted
+        args[0], # $ tainted
+        kwargs, # $ tainted
+        kwargs["key"], # $ tainted
     )
 
     ensure_not_tainted(
@@ -126,9 +129,9 @@ def test_taint(request: HttpRequest, foo, bar, baz=None):  # $requestHandler rou
     # build_absolute_uri
     ####################################
     ensure_tainted(
-        request.build_absolute_uri(),
-        request.build_absolute_uri(request.GET["key"]),
-        request.build_absolute_uri(location=request.GET["key"]),
+        request.build_absolute_uri(), # $ MISSING: tainted
+        request.build_absolute_uri(request.GET["key"]), # $ MISSING: tainted
+        request.build_absolute_uri(location=request.GET["key"]), # $ MISSING: tainted
     )
     ensure_not_tainted(
         request.build_absolute_uri("/hardcoded/"),
@@ -146,22 +149,22 @@ def test_taint(request: HttpRequest, foo, bar, baz=None):  # $requestHandler rou
     )
     # However, providing tainted default value might result in taint
     ensure_tainted(
-        request.get_signed_cookie("key", request.COOKIES["key"]),
-        request.get_signed_cookie("key", default=request.COOKIES["key"]),
+        request.get_signed_cookie("key", request.COOKIES["key"]), # $ MISSING: tainted
+        request.get_signed_cookie("key", default=request.COOKIES["key"]), # $ MISSING: tainted
     )
 
 
 class ClassView(View):
     def some_method(self):
         ensure_tainted(
-            self.request,
-            self.request.GET["key"],
+            self.request, # $ tainted
+            self.request.GET["key"], # $ tainted
 
-            self.args,
-            self.args[0],
+            self.args, # $ tainted
+            self.args[0], # $ tainted
 
-            self.kwargs,
-            self.kwargs["key"],
+            self.kwargs, # $ tainted
+            self.kwargs["key"], # $ tainted
         )
 
 
diff --git a/python/ql/test/library-tests/frameworks/fabric/InlineTaintTest.expected b/python/ql/test/library-tests/frameworks/fabric/InlineTaintTest.expected
new file mode 100644
index 00000000000..79d760d87f4
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/fabric/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
diff --git a/python/ql/test/library-tests/frameworks/fabric/InlineTaintTest.ql b/python/ql/test/library-tests/frameworks/fabric/InlineTaintTest.ql
new file mode 100644
index 00000000000..027ad8667be
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/fabric/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
diff --git a/python/ql/test/library-tests/frameworks/fabric/TestTaint.expected b/python/ql/test/library-tests/frameworks/fabric/TestTaint.expected
deleted file mode 100644
index d9e8db9dd5e..00000000000
--- a/python/ql/test/library-tests/frameworks/fabric/TestTaint.expected
+++ /dev/null
@@ -1,10 +0,0 @@
-| fabric_v1_execute.py:7 | fail | unsafe | cmd |
-| fabric_v1_execute.py:7 | fail | unsafe | cmd2 |
-| fabric_v1_execute.py:8 | ok   | unsafe | safe_arg |
-| fabric_v1_execute.py:8 | ok   | unsafe | safe_optional |
-| fabric_v1_execute.py:14 | fail | unsafe | cmd |
-| fabric_v1_execute.py:14 | fail | unsafe | cmd2 |
-| fabric_v1_execute.py:15 | ok   | unsafe | safe_arg |
-| fabric_v1_execute.py:15 | ok   | unsafe | safe_optional |
-| fabric_v1_execute.py:21 | ok   | some_http_handler | cmd |
-| fabric_v1_execute.py:21 | ok   | some_http_handler | cmd2 |
diff --git a/python/ql/test/library-tests/frameworks/fabric/TestTaint.ql b/python/ql/test/library-tests/frameworks/fabric/TestTaint.ql
deleted file mode 100644
index 80625505fa2..00000000000
--- a/python/ql/test/library-tests/frameworks/fabric/TestTaint.ql
+++ /dev/null
@@ -1 +0,0 @@
-import experimental.dataflow.tainttracking.TestTaintLib
diff --git a/python/ql/test/library-tests/frameworks/fabric/fabric_v1_execute.py b/python/ql/test/library-tests/frameworks/fabric/fabric_v1_execute.py
index 165a873b631..8750fff1703 100644
--- a/python/ql/test/library-tests/frameworks/fabric/fabric_v1_execute.py
+++ b/python/ql/test/library-tests/frameworks/fabric/fabric_v1_execute.py
@@ -4,21 +4,21 @@ from fabric.api import run, execute
 
 
 def unsafe(cmd, safe_arg, cmd2=None, safe_optional=5):
-    ensure_tainted(cmd, cmd2)
+    ensure_tainted(cmd, cmd2)  # $ MISSING: tainted
     ensure_not_tainted(safe_arg, safe_optional)
 
 
 class Foo(object):
 
     def unsafe(self, cmd, safe_arg, cmd2=None, safe_optional=5):
-        ensure_tainted(cmd, cmd2)
+        ensure_tainted(cmd, cmd2)  # $ MISSING: tainted
         ensure_not_tainted(safe_arg, safe_optional)
 
 
 def some_http_handler():
     cmd = TAINTED_STRING
     cmd2 = TAINTED_STRING
-    ensure_tainted(cmd, cmd2)
+    ensure_tainted(cmd, cmd2) # $ tainted
 
     execute(unsafe, cmd=cmd, safe_arg='safe_arg', cmd2=cmd2)
 
diff --git a/python/ql/test/library-tests/frameworks/flask/InlineTaintTest.expected b/python/ql/test/library-tests/frameworks/flask/InlineTaintTest.expected
new file mode 100644
index 00000000000..79d760d87f4
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/flask/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
diff --git a/python/ql/test/library-tests/frameworks/flask/InlineTaintTest.ql b/python/ql/test/library-tests/frameworks/flask/InlineTaintTest.ql
new file mode 100644
index 00000000000..027ad8667be
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/flask/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
diff --git a/python/ql/test/library-tests/frameworks/flask/TestTaint.expected b/python/ql/test/library-tests/frameworks/flask/TestTaint.expected
deleted file mode 100644
index 8c3b4ea57c9..00000000000
--- a/python/ql/test/library-tests/frameworks/flask/TestTaint.expected
+++ /dev/null
@@ -1,98 +0,0 @@
-| taint_test.py:6 | ok   | test_taint | name |
-| taint_test.py:6 | ok   | test_taint | number |
-| taint_test.py:7 | ok   | test_taint | foo |
-| taint_test.py:14 | ok   | test_taint | request.environ |
-| taint_test.py:15 | ok   | test_taint | request.environ.get(..) |
-| taint_test.py:17 | ok   | test_taint | request.path |
-| taint_test.py:18 | ok   | test_taint | request.full_path |
-| taint_test.py:19 | ok   | test_taint | request.base_url |
-| taint_test.py:20 | ok   | test_taint | request.url |
-| taint_test.py:23 | fail | test_taint | request.accept_charsets.best |
-| taint_test.py:24 | fail | test_taint | request.accept_charsets.best_match(..) |
-| taint_test.py:25 | ok   | test_taint | request.accept_charsets[0] |
-| taint_test.py:26 | ok   | test_taint | request.accept_encodings |
-| taint_test.py:27 | ok   | test_taint | request.accept_languages |
-| taint_test.py:28 | ok   | test_taint | request.accept_mimetypes |
-| taint_test.py:31 | ok   | test_taint | request.access_control_request_headers |
-| taint_test.py:33 | ok   | test_taint | request.access_control_request_method |
-| taint_test.py:35 | ok   | test_taint | request.access_route |
-| taint_test.py:36 | ok   | test_taint | request.access_route[0] |
-| taint_test.py:39 | ok   | test_taint | request.args |
-| taint_test.py:40 | ok   | test_taint | request.args['key'] |
-| taint_test.py:41 | ok   | test_taint | request.args.getlist(..) |
-| taint_test.py:44 | ok   | test_taint | request.authorization |
-| taint_test.py:45 | ok   | test_taint | request.authorization['username'] |
-| taint_test.py:46 | fail | test_taint | request.authorization.username |
-| taint_test.py:49 | ok   | test_taint | request.cache_control |
-| taint_test.py:51 | fail | test_taint | request.cache_control.max_age |
-| taint_test.py:52 | fail | test_taint | request.cache_control.max_stale |
-| taint_test.py:53 | fail | test_taint | request.cache_control.min_fresh |
-| taint_test.py:55 | ok   | test_taint | request.content_encoding |
-| taint_test.py:57 | ok   | test_taint | request.content_md5 |
-| taint_test.py:59 | ok   | test_taint | request.content_type |
-| taint_test.py:62 | ok   | test_taint | request.cookies |
-| taint_test.py:63 | ok   | test_taint | request.cookies['key'] |
-| taint_test.py:65 | ok   | test_taint | request.data |
-| taint_test.py:68 | ok   | test_taint | request.files |
-| taint_test.py:69 | ok   | test_taint | request.files['key'] |
-| taint_test.py:70 | fail | test_taint | request.files['key'].filename |
-| taint_test.py:71 | fail | test_taint | request.files['key'].stream |
-| taint_test.py:72 | ok   | test_taint | request.files.getlist(..) |
-| taint_test.py:73 | fail | test_taint | request.files.getlist(..)[0].filename |
-| taint_test.py:74 | fail | test_taint | request.files.getlist(..)[0].stream |
-| taint_test.py:77 | ok   | test_taint | request.form |
-| taint_test.py:78 | ok   | test_taint | request.form['key'] |
-| taint_test.py:79 | ok   | test_taint | request.form.getlist(..) |
-| taint_test.py:81 | ok   | test_taint | request.get_data() |
-| taint_test.py:83 | ok   | test_taint | request.get_json() |
-| taint_test.py:84 | ok   | test_taint | request.get_json()['foo'] |
-| taint_test.py:85 | ok   | test_taint | request.get_json()['foo']['bar'] |
-| taint_test.py:89 | ok   | test_taint | request.headers |
-| taint_test.py:90 | ok   | test_taint | request.headers['key'] |
-| taint_test.py:91 | fail | test_taint | request.headers.get_all(..) |
-| taint_test.py:92 | fail | test_taint | request.headers.getlist(..) |
-| taint_test.py:93 | ok   | test_taint | list(..) |
-| taint_test.py:94 | fail | test_taint | request.headers.to_wsgi_list() |
-| taint_test.py:96 | ok   | test_taint | request.json |
-| taint_test.py:97 | ok   | test_taint | request.json['foo'] |
-| taint_test.py:98 | ok   | test_taint | request.json['foo']['bar'] |
-| taint_test.py:100 | ok   | test_taint | request.method |
-| taint_test.py:102 | ok   | test_taint | request.mimetype |
-| taint_test.py:104 | ok   | test_taint | request.mimetype_params |
-| taint_test.py:106 | ok   | test_taint | request.origin |
-| taint_test.py:109 | ok   | test_taint | request.pragma |
-| taint_test.py:111 | ok   | test_taint | request.query_string |
-| taint_test.py:113 | ok   | test_taint | request.referrer |
-| taint_test.py:115 | ok   | test_taint | request.remote_addr |
-| taint_test.py:117 | ok   | test_taint | request.remote_user |
-| taint_test.py:120 | ok   | test_taint | request.stream |
-| taint_test.py:121 | ok   | test_taint | request.input_stream |
-| taint_test.py:123 | ok   | test_taint | request.url |
-| taint_test.py:125 | ok   | test_taint | request.user_agent |
-| taint_test.py:128 | ok   | test_taint | request.values |
-| taint_test.py:129 | ok   | test_taint | request.values['key'] |
-| taint_test.py:130 | ok   | test_taint | request.values.getlist(..) |
-| taint_test.py:133 | ok   | test_taint | request.view_args |
-| taint_test.py:134 | ok   | test_taint | request.view_args['key'] |
-| taint_test.py:138 | ok   | test_taint | request.script_root |
-| taint_test.py:139 | ok   | test_taint | request.url_root |
-| taint_test.py:143 | ok   | test_taint | request.charset |
-| taint_test.py:144 | ok   | test_taint | request.url_charset |
-| taint_test.py:148 | ok   | test_taint | request.date |
-| taint_test.py:151 | ok   | test_taint | request.endpoint |
-| taint_test.py:156 | ok   | test_taint | request.host |
-| taint_test.py:157 | ok   | test_taint | request.host_url |
-| taint_test.py:159 | ok   | test_taint | request.scheme |
-| taint_test.py:161 | ok   | test_taint | request.script_root |
-| taint_test.py:169 | ok   | test_taint | request.args |
-| taint_test.py:170 | ok   | test_taint | a |
-| taint_test.py:171 | ok   | test_taint | b |
-| taint_test.py:173 | ok   | test_taint | request.args['key'] |
-| taint_test.py:174 | ok   | test_taint | a['key'] |
-| taint_test.py:175 | ok   | test_taint | b['key'] |
-| taint_test.py:177 | ok   | test_taint | request.args.getlist(..) |
-| taint_test.py:178 | ok   | test_taint | a.getlist(..) |
-| taint_test.py:179 | ok   | test_taint | b.getlist(..) |
-| taint_test.py:180 | ok   | test_taint | gl(..) |
-| taint_test.py:187 | ok   | test_taint | req.path |
-| taint_test.py:188 | ok   | test_taint | gd() |
diff --git a/python/ql/test/library-tests/frameworks/flask/TestTaint.ql b/python/ql/test/library-tests/frameworks/flask/TestTaint.ql
deleted file mode 100644
index 08783404ddd..00000000000
--- a/python/ql/test/library-tests/frameworks/flask/TestTaint.ql
+++ /dev/null
@@ -1,6 +0,0 @@
-import experimental.dataflow.tainttracking.TestTaintLib
-import semmle.python.dataflow.new.RemoteFlowSources
-
-class RemoteFlowTestTaintConfiguration extends TestTaintTrackingConfiguration {
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-}
diff --git a/python/ql/test/library-tests/frameworks/flask/taint_test.py b/python/ql/test/library-tests/frameworks/flask/taint_test.py
index 31c0c7e6121..74b0738fc1b 100644
--- a/python/ql/test/library-tests/frameworks/flask/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/flask/taint_test.py
@@ -3,7 +3,7 @@ app = Flask(__name__)
 
 @app.route("/test_taint/<name>/<int:number>")  # $routeSetup="/test_taint/<name>/<int:number>"
 def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler routedParameter=name routedParameter=number
-    ensure_tainted(name, number)
+    ensure_tainted(name, number) # $ tainted
     ensure_not_tainted(foo)
 
     # Manually inspected all fields of the Request object
@@ -11,127 +11,128 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
 
     ensure_tainted(
 
-        request.environ,
-        request.environ.get('HTTP_AUTHORIZATION'),
+        request.environ, # $ tainted
+        request.environ.get('HTTP_AUTHORIZATION'), # $ tainted
 
-        request.path,
-        request.full_path,
-        request.base_url,
-        request.url,
+        request.path, # $ tainted
+        request.full_path, # $ tainted
+        request.base_url, # $ tainted
+        request.url, # $ tainted
 
         # These request.accept_* properties are instances of subclasses of werkzeug.datastructures.Accept
-        request.accept_charsets.best,
-        request.accept_charsets.best_match(["utf-8", "utf-16"]),
-        request.accept_charsets[0],
-        request.accept_encodings,
-        request.accept_languages,
-        request.accept_mimetypes,
+        request.accept_charsets.best, # $ MISSING: tainted
+        request.accept_charsets.best_match(["utf-8", "utf-16"]), # $ MISSING: tainted
+        request.accept_charsets[0], # $ tainted
+        request.accept_encodings, # $ tainted
+        request.accept_languages, # $ tainted
+        request.accept_mimetypes, # $ tainted
 
         # werkzeug.datastructures.HeaderSet (subclass of collections_abc.MutableSet)
-        request.access_control_request_headers,
+        request.access_control_request_headers, # $ tainted
 
-        request.access_control_request_method,
+        request.access_control_request_method, # $ tainted
 
-        request.access_route,
-        request.access_route[0],
+        request.access_route, # $ tainted
+        request.access_route[0], # $ tainted
 
         # By default werkzeug.datastructures.ImmutableMultiDict -- although can be changed :\
-        request.args,
-        request.args['key'],
-        request.args.getlist('key'),
+        request.args, # $ tainted
+        request.args['key'], # $ tainted
+        request.args.getlist('key'), # $ tainted
 
         # werkzeug.datastructures.Authorization (a dict, with some properties)
-        request.authorization,
-        request.authorization['username'],
-        request.authorization.username,
+        request.authorization, # $ tainted
+        request.authorization['username'], # $ tainted
+        request.authorization.username, # $ MISSING: tainted
 
         # werkzeug.datastructures.RequestCacheControl
-        request.cache_control,
+        request.cache_control, # $ tainted
         # These should be `int`s, but can be strings... see debug method below
-        request.cache_control.max_age,
-        request.cache_control.max_stale,
-        request.cache_control.min_fresh,
+        request.cache_control.max_age, # $ MISSING: tainted
+        request.cache_control.max_stale, # $ MISSING: tainted
+        request.cache_control.min_fresh, # $ MISSING: tainted
 
-        request.content_encoding,
+        request.content_encoding, # $ tainted
 
-        request.content_md5,
+        request.content_md5, # $ tainted
 
-        request.content_type,
+        request.content_type, # $ tainted
 
         # werkzeug.datastructures.ImmutableTypeConversionDict (which is basically just a dict)
-        request.cookies,
-        request.cookies['key'],
+        request.cookies, # $ tainted
+        request.cookies['key'], # $ tainted
 
-        request.data,
+        request.data, # $ tainted
 
         # a werkzeug.datastructures.MultiDict, mapping [str, werkzeug.datastructures.FileStorage]
-        request.files,
-        request.files['key'],
-        request.files['key'].filename,
-        request.files['key'].stream,
-        request.files.getlist('key'),
-        request.files.getlist('key')[0].filename,
-        request.files.getlist('key')[0].stream,
+        request.files, # $ tainted
+        request.files['key'], # $ tainted
+        request.files['key'].filename, # $ MISSING: tainted
+        request.files['key'].stream, # $ MISSING: tainted
+        request.files.getlist('key'), # $ tainted
+        request.files.getlist('key')[0].filename, # $ MISSING: tainted
+        request.files.getlist('key')[0].stream, # $ MISSING: tainted
 
         # By default werkzeug.datastructures.ImmutableMultiDict -- although can be changed :\
-        request.form,
-        request.form['key'],
-        request.form.getlist('key'),
+        request.form, # $ tainted
+        request.form['key'], # $ tainted
+        request.form.getlist('key'), # $ tainted
 
-        request.get_data(),
+        request.get_data(), # $ tainted
 
-        request.get_json(),
-        request.get_json()['foo'],
-        request.get_json()['foo']['bar'],
+        request.get_json(), # $ tainted
+        request.get_json()['foo'], # $ tainted
+        request.get_json()['foo']['bar'], # $ tainted
 
         # werkzeug.datastructures.EnvironHeaders,
         # which has same interface as werkzeug.datastructures.Headers
-        request.headers,
-        request.headers['key'],
-        request.headers.get_all('key'),
-        request.headers.getlist('key'),
-        list(request.headers), # (k, v) list
-        request.headers.to_wsgi_list(), # (k, v) list
+        request.headers, # $ tainted
+        request.headers['key'], # $ tainted
+        request.headers.get_all('key'), # $ MISSING: tainted
+        request.headers.getlist('key'), # $ MISSING: tainted
+        # two ways to get (k, v) lists
+        list(request.headers), # $ tainted
+        request.headers.to_wsgi_list(), # $ MISSING: tainted
 
-        request.json,
-        request.json['foo'],
-        request.json['foo']['bar'],
+        request.json, # $ tainted
+        request.json['foo'], # $ tainted
+        request.json['foo']['bar'], # $ tainted
 
-        request.method,
+        request.method, # $ tainted
 
-        request.mimetype,
+        request.mimetype, # $ tainted
 
-        request.mimetype_params,
+        request.mimetype_params, # $ tainted
 
-        request.origin,
+        request.origin, # $ tainted
 
         # werkzeug.datastructures.HeaderSet (subclass of collections_abc.MutableSet)
-        request.pragma,
+        request.pragma, # $ tainted
 
-        request.query_string,
+        request.query_string, # $ tainted
 
-        request.referrer,
+        request.referrer, # $ tainted
 
-        request.remote_addr,
+        request.remote_addr, # $ tainted
 
-        request.remote_user,
+        request.remote_user, # $ tainted
 
         # file-like object
-        request.stream,
-        request.input_stream,
+        request.stream, # $ tainted
+        request.input_stream, # $ tainted
 
-        request.url,
+        request.url, # $ tainted
 
-        request.user_agent,
+        request.user_agent, # $ tainted
 
         # werkzeug.datastructures.CombinedMultiDict, which is basically just a werkzeug.datastructures.MultiDict
-        request.values,
-        request.values['key'],
-        request.values.getlist('key'),
+        request.values, # $ tainted
+        request.values['key'], # $ tainted
+        request.values.getlist('key'), # $ tainted
 
         # dict
-        request.view_args,
-        request.view_args['key'],
+        request.view_args, # $ tainted
+        request.view_args['key'], # $ tainted
     )
 
     ensure_not_tainted(
@@ -166,26 +167,26 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
     b = a
     gl = b.getlist
     ensure_tainted(
-        request.args,
-        a,
-        b,
+        request.args, # $ tainted
+        a, # $ tainted
+        b, # $ tainted
 
-        request.args['key'],
-        a['key'],
-        b['key'],
+        request.args['key'], # $ tainted
+        a['key'], # $ tainted
+        b['key'], # $ tainted
 
-        request.args.getlist('key'),
-        a.getlist('key'),
-        b.getlist('key'),
-        gl('key'),
+        request.args.getlist('key'), # $ tainted
+        a.getlist('key'), # $ tainted
+        b.getlist('key'), # $ tainted
+        gl('key'), # $ tainted
     )
 
     # aliasing tests
     req = request
     gd = request.get_data
     ensure_tainted(
-        req.path,
-        gd(),
+        req.path, # $ tainted
+        gd(), # $ tainted
     )
 
 
diff --git a/python/ql/test/library-tests/frameworks/stdlib/CodeExecution.py b/python/ql/test/library-tests/frameworks/stdlib/CodeExecution.py
index 0e996e001dc..771978cb1c8 100644
--- a/python/ql/test/library-tests/frameworks/stdlib/CodeExecution.py
+++ b/python/ql/test/library-tests/frameworks/stdlib/CodeExecution.py
@@ -32,8 +32,8 @@ def test_additional_taint():
     cmd3 = builtins.compile(src, "<filename>", "exec")
 
     ensure_tainted(
-        src,
-        cmd1,
-        cmd2,
-        cmd3,
+        src, # $ tainted
+        cmd1, # $ tainted
+        cmd2, # $ tainted
+        cmd3, # $ tainted
     )
diff --git a/python/ql/test/library-tests/frameworks/stdlib/InlineTaintTest.expected b/python/ql/test/library-tests/frameworks/stdlib/InlineTaintTest.expected
new file mode 100644
index 00000000000..79d760d87f4
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/stdlib/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
diff --git a/python/ql/test/library-tests/frameworks/stdlib/InlineTaintTest.ql b/python/ql/test/library-tests/frameworks/stdlib/InlineTaintTest.ql
new file mode 100644
index 00000000000..027ad8667be
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/stdlib/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
diff --git a/python/ql/test/library-tests/frameworks/stdlib/TestTaint.expected b/python/ql/test/library-tests/frameworks/stdlib/TestTaint.expected
deleted file mode 100644
index 6fa63675317..00000000000
--- a/python/ql/test/library-tests/frameworks/stdlib/TestTaint.expected
+++ /dev/null
@@ -1,37 +0,0 @@
-| CodeExecution.py:35 | ok   | test_additional_taint | src |
-| CodeExecution.py:36 | ok   | test_additional_taint | cmd1 |
-| CodeExecution.py:37 | ok   | test_additional_taint | cmd2 |
-| CodeExecution.py:38 | ok   | test_additional_taint | cmd3 |
-| http_server.py:22 | ok   | test_cgi_FieldStorage_taint | form |
-| http_server.py:24 | ok   | test_cgi_FieldStorage_taint | form['key'] |
-| http_server.py:25 | ok   | test_cgi_FieldStorage_taint | form['key'].value |
-| http_server.py:26 | ok   | test_cgi_FieldStorage_taint | form['key'].file |
-| http_server.py:27 | ok   | test_cgi_FieldStorage_taint | form['key'].filename |
-| http_server.py:28 | ok   | test_cgi_FieldStorage_taint | form['key'][0] |
-| http_server.py:29 | ok   | test_cgi_FieldStorage_taint | form['key'][0].value |
-| http_server.py:30 | ok   | test_cgi_FieldStorage_taint | form['key'][0].file |
-| http_server.py:31 | ok   | test_cgi_FieldStorage_taint | form['key'][0].filename |
-| http_server.py:32 | fail | test_cgi_FieldStorage_taint | ListComp |
-| http_server.py:34 | ok   | test_cgi_FieldStorage_taint | form.getvalue(..) |
-| http_server.py:35 | ok   | test_cgi_FieldStorage_taint | form.getvalue(..)[0] |
-| http_server.py:37 | ok   | test_cgi_FieldStorage_taint | form.getfirst(..) |
-| http_server.py:39 | ok   | test_cgi_FieldStorage_taint | form.getlist(..) |
-| http_server.py:40 | ok   | test_cgi_FieldStorage_taint | form.getlist(..)[0] |
-| http_server.py:41 | fail | test_cgi_FieldStorage_taint | ListComp |
-| http_server.py:50 | ok   | taint_sources | self |
-| http_server.py:52 | ok   | taint_sources | self.requestline |
-| http_server.py:54 | ok   | taint_sources | self.path |
-| http_server.py:56 | ok   | taint_sources | self.headers |
-| http_server.py:57 | ok   | taint_sources | self.headers['Foo'] |
-| http_server.py:58 | ok   | taint_sources | self.headers.get(..) |
-| http_server.py:59 | fail | taint_sources | self.headers.get_all(..) |
-| http_server.py:60 | fail | taint_sources | self.headers.keys() |
-| http_server.py:61 | ok   | taint_sources | self.headers.values() |
-| http_server.py:62 | ok   | taint_sources | self.headers.items() |
-| http_server.py:63 | fail | taint_sources | self.headers.as_bytes() |
-| http_server.py:64 | fail | taint_sources | self.headers.as_string() |
-| http_server.py:65 | ok   | taint_sources | str(..) |
-| http_server.py:66 | ok   | taint_sources | bytes(..) |
-| http_server.py:68 | ok   | taint_sources | self.rfile |
-| http_server.py:69 | fail | taint_sources | self.rfile.read() |
-| http_server.py:78 | ok   | taint_sources | form |
diff --git a/python/ql/test/library-tests/frameworks/stdlib/TestTaint.ql b/python/ql/test/library-tests/frameworks/stdlib/TestTaint.ql
deleted file mode 100644
index 37faa83aa2d..00000000000
--- a/python/ql/test/library-tests/frameworks/stdlib/TestTaint.ql
+++ /dev/null
@@ -1,9 +0,0 @@
-import experimental.dataflow.tainttracking.TestTaintLib
-import semmle.python.dataflow.new.RemoteFlowSources
-
-class WithRemoteFlowSources extends TestTaintTrackingConfiguration {
-  override predicate isSource(DataFlow::Node source) {
-    super.isSource(source) or
-    source instanceof RemoteFlowSource
-  }
-}
diff --git a/python/ql/test/library-tests/frameworks/stdlib/http_server.py b/python/ql/test/library-tests/frameworks/stdlib/http_server.py
index 8d996acb41d..f91bf8fb957 100644
--- a/python/ql/test/library-tests/frameworks/stdlib/http_server.py
+++ b/python/ql/test/library-tests/frameworks/stdlib/http_server.py
@@ -19,26 +19,28 @@ def test_cgi_FieldStorage_taint():
     form = cgi.FieldStorage()
 
     ensure_tainted(
-        form,
+        form, # $ tainted
 
-        form['key'], # will be a list, if multiple fields named "key" are provided
-        form['key'].value,
-        form['key'].file,
-        form['key'].filename,
-        form['key'][0],
-        form['key'][0].value,
-        form['key'][0].file,
-        form['key'][0].filename,
-        [field.value for field in form['key']],
+        # `form['key']` will be a list, if multiple fields named "key" are provided
+        form['key'], # $ tainted
+        form['key'].value, # $ tainted
+        form['key'].file, # $ tainted
+        form['key'].filename, # $ tainted
+        form['key'][0], # $ tainted
+        form['key'][0].value, # $ tainted
+        form['key'][0].file, # $ tainted
+        form['key'][0].filename, # $ tainted
+        [field.value for field in form['key']], # $ MISSING: tainted
 
-        form.getvalue('key'), # will be a list, if multiple fields named "key" are provided
-        form.getvalue('key')[0],
+        # `form.getvalue('key')` will be a list, if multiple fields named "key" are provided
+        form.getvalue('key'), # $ tainted
+        form.getvalue('key')[0], # $ tainted
 
-        form.getfirst('key'),
+        form.getfirst('key'), # $ tainted
 
-        form.getlist('key'),
-        form.getlist('key')[0],
-        [field.value for field in form.getlist('key')],
+        form.getlist('key'), # $ tainted
+        form.getlist('key')[0], # $ tainted
+        [field.value for field in form.getlist('key')], # $ MISSING: tainted
     )
 
 
@@ -47,26 +49,26 @@ class MyHandler(BaseHTTPRequestHandler):
     def taint_sources(self):
 
         ensure_tainted(
-            self,
+            self, # $ tainted
 
-            self.requestline,
+            self.requestline, # $ tainted
 
-            self.path,
+            self.path, # $ tainted
 
-            self.headers,
-            self.headers['Foo'],
-            self.headers.get('Foo'),
-            self.headers.get_all('Foo'),
-            self.headers.keys(),
-            self.headers.values(),
-            self.headers.items(),
-            self.headers.as_bytes(),
-            self.headers.as_string(),
-            str(self.headers),
-            bytes(self.headers),
+            self.headers, # $ tainted
+            self.headers['Foo'], # $ tainted
+            self.headers.get('Foo'), # $ tainted
+            self.headers.get_all('Foo'), # $ MISSING: tainted
+            self.headers.keys(), # $ MISSING: tainted
+            self.headers.values(), # $ tainted
+            self.headers.items(), # $ tainted
+            self.headers.as_bytes(), # $ MISSING: tainted
+            self.headers.as_string(), # $ MISSING: tainted
+            str(self.headers), # $ tainted
+            bytes(self.headers), # $ tainted
 
-            self.rfile,
-            self.rfile.read(),
+            self.rfile, # $ tainted
+            self.rfile.read(), # $ MISSING: tainted
         )
 
         form = cgi.FieldStorage(
@@ -75,7 +77,7 @@ class MyHandler(BaseHTTPRequestHandler):
             environ={'REQUEST_METHOD': 'POST', 'CONTENT_TYPE': self.headers.get('content-type')},
         )
 
-        ensure_tainted(form)
+        ensure_tainted(form) # $ tainted
 
 
     def do_GET(self): # $ requestHandler
diff --git a/python/ql/test/library-tests/frameworks/tornado/InlineTaintTest.expected b/python/ql/test/library-tests/frameworks/tornado/InlineTaintTest.expected
new file mode 100644
index 00000000000..79d760d87f4
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/tornado/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
diff --git a/python/ql/test/library-tests/frameworks/tornado/InlineTaintTest.ql b/python/ql/test/library-tests/frameworks/tornado/InlineTaintTest.ql
new file mode 100644
index 00000000000..027ad8667be
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/tornado/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
diff --git a/python/ql/test/library-tests/frameworks/tornado/TestTaint.expected b/python/ql/test/library-tests/frameworks/tornado/TestTaint.expected
deleted file mode 100644
index 2952218d16f..00000000000
--- a/python/ql/test/library-tests/frameworks/tornado/TestTaint.expected
+++ /dev/null
@@ -1,41 +0,0 @@
-| taint_test.py:6 | ok   | get | name |
-| taint_test.py:6 | ok   | get | number |
-| taint_test.py:7 | ok   | get | foo |
-| taint_test.py:11 | ok   | get | self.get_argument(..) |
-| taint_test.py:12 | ok   | get | self.get_arguments(..) |
-| taint_test.py:13 | ok   | get | self.get_arguments(..)[0] |
-| taint_test.py:15 | ok   | get | self.get_body_argument(..) |
-| taint_test.py:16 | ok   | get | self.get_body_arguments(..) |
-| taint_test.py:17 | ok   | get | self.get_body_arguments(..)[0] |
-| taint_test.py:19 | ok   | get | self.get_query_argument(..) |
-| taint_test.py:20 | ok   | get | self.get_query_arguments(..) |
-| taint_test.py:21 | ok   | get | self.get_query_arguments(..)[0] |
-| taint_test.py:23 | ok   | get | self.path_args |
-| taint_test.py:24 | ok   | get | self.path_args[0] |
-| taint_test.py:26 | ok   | get | self.path_kwargs |
-| taint_test.py:27 | ok   | get | self.path_kwargs["name"] |
-| taint_test.py:34 | ok   | get | request |
-| taint_test.py:40 | ok   | get | request.uri |
-| taint_test.py:41 | ok   | get | request.path |
-| taint_test.py:42 | ok   | get | request.query |
-| taint_test.py:43 | ok   | get | request.full_url() |
-| taint_test.py:45 | ok   | get | request.remote_ip |
-| taint_test.py:47 | ok   | get | request.body |
-| taint_test.py:49 | ok   | get | request.arguments |
-| taint_test.py:50 | ok   | get | request.arguments["name"] |
-| taint_test.py:51 | ok   | get | request.arguments["name"][0] |
-| taint_test.py:53 | ok   | get | request.query_arguments |
-| taint_test.py:54 | ok   | get | request.query_arguments["name"] |
-| taint_test.py:55 | ok   | get | request.query_arguments["name"][0] |
-| taint_test.py:57 | ok   | get | request.body_arguments |
-| taint_test.py:58 | ok   | get | request.body_arguments["name"] |
-| taint_test.py:59 | ok   | get | request.body_arguments["name"][0] |
-| taint_test.py:62 | ok   | get | request.headers |
-| taint_test.py:63 | ok   | get | request.headers["header-name"] |
-| taint_test.py:64 | fail | get | request.headers.get_list(..) |
-| taint_test.py:65 | fail | get | request.headers.get_all() |
-| taint_test.py:66 | fail | get | ListComp |
-| taint_test.py:69 | ok   | get | request.cookies |
-| taint_test.py:70 | ok   | get | request.cookies["cookie-name"] |
-| taint_test.py:71 | fail | get | request.cookies["cookie-name"].key |
-| taint_test.py:72 | fail | get | request.cookies["cookie-name"].value |
diff --git a/python/ql/test/library-tests/frameworks/tornado/TestTaint.ql b/python/ql/test/library-tests/frameworks/tornado/TestTaint.ql
deleted file mode 100644
index 08783404ddd..00000000000
--- a/python/ql/test/library-tests/frameworks/tornado/TestTaint.ql
+++ /dev/null
@@ -1,6 +0,0 @@
-import experimental.dataflow.tainttracking.TestTaintLib
-import semmle.python.dataflow.new.RemoteFlowSources
-
-class RemoteFlowTestTaintConfiguration extends TestTaintTrackingConfiguration {
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-}
diff --git a/python/ql/test/library-tests/frameworks/tornado/taint_test.py b/python/ql/test/library-tests/frameworks/tornado/taint_test.py
index e3297a1d2f9..1153b6d92bc 100644
--- a/python/ql/test/library-tests/frameworks/tornado/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/tornado/taint_test.py
@@ -3,73 +3,73 @@ import tornado.web
 
 class TaintTest(tornado.web.RequestHandler):
     def get(self, name = "World!", number="0", foo="foo"):  # $ requestHandler routedParameter=name routedParameter=number
-        ensure_tainted(name, number)
+        ensure_tainted(name, number) # $ tainted
         ensure_not_tainted(foo)
 
         ensure_tainted(
             # see https://www.tornadoweb.org/en/stable/web.html#input
-            self.get_argument("name"),
-            self.get_arguments("name"),
-            self.get_arguments("name")[0],
+            self.get_argument("name"), # $ tainted
+            self.get_arguments("name"), # $ tainted
+            self.get_arguments("name")[0], # $ tainted
 
-            self.get_body_argument("name"),
-            self.get_body_arguments("name"),
-            self.get_body_arguments("name")[0],
+            self.get_body_argument("name"), # $ tainted
+            self.get_body_arguments("name"), # $ tainted
+            self.get_body_arguments("name")[0], # $ tainted
 
-            self.get_query_argument("name"),
-            self.get_query_arguments("name"),
-            self.get_query_arguments("name")[0],
+            self.get_query_argument("name"), # $ tainted
+            self.get_query_arguments("name"), # $ tainted
+            self.get_query_arguments("name")[0], # $ tainted
 
-            self.path_args,
-            self.path_args[0],
+            self.path_args, # $ tainted
+            self.path_args[0], # $ tainted
 
-            self.path_kwargs,
-            self.path_kwargs["name"],
+            self.path_kwargs, # $ tainted
+            self.path_kwargs["name"], # $ tainted
         )
 
         request = self.request
 
         ensure_tainted(
             # see https://www.tornadoweb.org/en/stable/httputil.html#tornado.httputil.HTTPServerRequest
-            request,
+            request, # $ tainted
 
             # For the URL https:://example.com/foo/bar?baz=42
             # request.uri="/foo/bar?baz=42"
             # request.path="/foo/bar"
             # request.query="baz=42"
-            request.uri,
-            request.path,
-            request.query,
-            request.full_url(),
+            request.uri, # $ tainted
+            request.path, # $ tainted
+            request.query, # $ tainted
+            request.full_url(), # $ tainted
 
-            request.remote_ip,
+            request.remote_ip, # $ tainted
 
-            request.body,
+            request.body, # $ tainted
 
-            request.arguments,
-            request.arguments["name"],
-            request.arguments["name"][0],
+            request.arguments, # $ tainted
+            request.arguments["name"], # $ tainted
+            request.arguments["name"][0], # $ tainted
 
-            request.query_arguments,
-            request.query_arguments["name"],
-            request.query_arguments["name"][0],
+            request.query_arguments, # $ tainted
+            request.query_arguments["name"], # $ tainted
+            request.query_arguments["name"][0], # $ tainted
 
-            request.body_arguments,
-            request.body_arguments["name"],
-            request.body_arguments["name"][0],
+            request.body_arguments, # $ tainted
+            request.body_arguments["name"], # $ tainted
+            request.body_arguments["name"][0], # $ tainted
 
             # dict-like, see https://www.tornadoweb.org/en/stable/httputil.html#tornado.httputil.HTTPHeaders
-            request.headers,
-            request.headers["header-name"],
-            request.headers.get_list("header-name"),
-            request.headers.get_all(),
-            [(k, v) for (k, v) in request.headers.get_all()],
+            request.headers, # $ tainted
+            request.headers["header-name"], # $ tainted
+            request.headers.get_list("header-name"), # $ MISSING: tainted
+            request.headers.get_all(), # $ MISSING: tainted
+            [(k, v) for (k, v) in request.headers.get_all()], # $ MISSING: tainted
 
             # Dict[str, http.cookies.Morsel]
-            request.cookies,
-            request.cookies["cookie-name"],
-            request.cookies["cookie-name"].key,
-            request.cookies["cookie-name"].value,
+            request.cookies, # $ tainted
+            request.cookies["cookie-name"], # $ tainted
+            request.cookies["cookie-name"].key, # $ MISSING: tainted
+            request.cookies["cookie-name"].value, # $ MISSING: tainted
         )
 
 

From 5d827b6fc80e378dc3f6cbf6195999ae0cb527ef Mon Sep 17 00:00:00 2001
From: Andrew Eisenberg <aeisenberg@github.com>
Date: Thu, 15 Apr 2021 09:31:42 -0700
Subject: [PATCH 0433/1429] Actions: Change staleness calculation

Calculate staleness on issues that have the
`Stale` label. Leave all other issues untouched.
---
 .github/workflows/close-stale.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/close-stale.yml b/.github/workflows/close-stale.yml
index 746a13317b2..c63a6be690c 100644
--- a/.github/workflows/close-stale.yml
+++ b/.github/workflows/close-stale.yml
@@ -15,16 +15,16 @@ jobs:
     - uses: actions/stale@v3
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
-        stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `stale` label in order to avoid having this issue closed in 7 days.'
+        stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'
         close-issue-message: 'This issue was closed because it has been inactive for 7 days.'
         days-before-stale: 14
         days-before-close: 7
-        only-labels: question
-        
+        only-labels: awaiting-response
+
         # do not mark PRs as stale
         days-before-pr-stale: -1
         days-before-pr-close: -1
-        
+
         # Uncomment for dry-run
         # debug-only: true
         # operations-per-run: 1000

From c9c8259ed0adf666cc4906e90bd73c2297bc9102 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Thu, 15 Apr 2021 17:56:14 +0000
Subject: [PATCH 0434/1429] Python: Disallow `PostUpdateNode` as
 `LocalSourceNode`

Previously, in cases like

```python
def foo(x):
    x.bar()
    x.baz()
    x.quux()
```

we would have flow from the first `x` to each use _and_ flow from the
post-update node for each method call to each subsequent use, and all
of these would be `LocalSourceNode`s. For large functions with the above
pattern, this would lead to a quadratic blowup in `hasLocalSource`.

With this commit, only the first of these will count as a
`LocalSourceNode`, and the blowup disappears.
---
 .../src/semmle/python/dataflow/new/internal/LocalSources.qll   | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll b/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
index 26e04aaaefb..2bd822c298c 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
@@ -26,7 +26,8 @@ class LocalSourceNode extends Node {
   cached
   LocalSourceNode() {
     not comes_from_cfgnode(this) and
-    not this instanceof ModuleVariableNode
+    not this instanceof ModuleVariableNode and
+    not this instanceof PostUpdateNode
     or
     this = any(ModuleVariableNode mvn).getARead()
   }

From 451d36dc97ba24c057c0584dfb783c8ab5635e6e Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Thu, 15 Apr 2021 21:26:12 +0000
Subject: [PATCH 0435/1429] Python: Allow _some_ `PostUpdateNode`s

Specifically, allow the ones arising from calls, but not reads or
writes. This should fix the tests.
---
 .../src/semmle/python/dataflow/new/internal/LocalSources.qll  | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll b/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
index 2bd822c298c..ae7d3fabb7f 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
@@ -27,7 +27,9 @@ class LocalSourceNode extends Node {
   LocalSourceNode() {
     not comes_from_cfgnode(this) and
     not this instanceof ModuleVariableNode and
-    not this instanceof PostUpdateNode
+    not this.(PostUpdateNode).getPreUpdateNode() in [
+        syntheticPostUpdateNode::storePreUpdateNode(), syntheticPostUpdateNode::readPreUpdateNode()
+      ]
     or
     this = any(ModuleVariableNode mvn).getARead()
   }

From 8aa6b1a87ca8f805f3c2d9a4879ce101b3d6b87f Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 16 Apr 2021 07:36:04 +0200
Subject: [PATCH 0436/1429] Python: use standard tracking construction

---
 .../ql/src/semmle/python/frameworks/Stdlib.qll  | 17 ++---------------
 1 file changed, 2 insertions(+), 15 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index 9fb704e1c02..bfeaed381ac 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -966,21 +966,8 @@ private module Stdlib {
       result.(DataFlow::CallCfgNode).getFunction() = returnsPath
     )
     or
-    // Due to bad performance when using normal setup with `path(t2).track(t2, t)`
-    // we have inlined that code and forced a join
-    exists(DataFlow::TypeTracker t2 |
-      exists(DataFlow::StepSummary summary |
-        pathlibPath_first_join(t2, result, summary) and
-        t = t2.append(summary)
-      )
-    )
-  }
-
-  pragma[nomagic]
-  private predicate pathlibPath_first_join(
-    DataFlow::TypeTracker t2, DataFlow::Node res, DataFlow::StepSummary summary
-  ) {
-    DataFlow::StepSummary::step(pathlibPath(t2), res, summary)
+    // Track further
+    exists(DataFlow::TypeTracker t2 | result = pathlibPath(t2).track(t2, t))
   }
 
   /** Gets a reference to a `pathlib.Path` object. */

From 341dbcef2eb12f46d70e1481368e1c2150793833 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 16 Apr 2021 07:41:00 +0200
Subject: [PATCH 0437/1429] Python: simplify code following review suggestion
 also standardise on camelCase.

---
 .../src/semmle/python/frameworks/Stdlib.qll   | 29 +++++++------------
 1 file changed, 11 insertions(+), 18 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index bfeaed381ac..420f205ae84 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -940,17 +940,10 @@ private module Stdlib {
     )
     or
     // Data injection
-    exists(
-      BinaryExprNode slash, DataFlow::Node right, DataFlow::Node left, DataFlow::TypeTracker t2
-    |
+    exists(BinaryExprNode slash, DataFlow::Node pathOperand, DataFlow::TypeTracker t2 |
       slash.getOp() instanceof Div and
-      right.asCfgNode() = slash.getRight() and
-      left.asCfgNode() = slash.getLeft() and
-      (
-        left.getALocalSource() = pathlibPath(t2)
-        or
-        right.getALocalSource() = pathlibPath(t2)
-      ) and
+      pathOperand.asCfgNode() = slash.getAnOperand() and
+      pathOperand.getALocalSource() = pathlibPath(t2) and
       t2.end()
     |
       t.start() and
@@ -1021,23 +1014,23 @@ private module Stdlib {
       nodeTo.getALocalSource() = pathlibPath() and
       (
         // Special handling of the `/` operator
-        exists(BinaryExprNode slash, DataFlow::Node path_operand, DataFlow::Node data_operand |
+        exists(BinaryExprNode slash, DataFlow::Node pathOperand, DataFlow::Node dataOperand |
           slash.getOp() instanceof Div and
           (
-            path_operand.asCfgNode() = slash.getLeft() and
-            data_operand.asCfgNode() = slash.getRight()
+            pathOperand.asCfgNode() = slash.getLeft() and
+            dataOperand.asCfgNode() = slash.getRight()
             or
-            path_operand.asCfgNode() = slash.getRight() and
-            data_operand.asCfgNode() = slash.getLeft()
+            pathOperand.asCfgNode() = slash.getRight() and
+            dataOperand.asCfgNode() = slash.getLeft()
           ) and
-          path_operand.getALocalSource() = pathlibPath()
+          pathOperand.getALocalSource() = pathlibPath()
         |
           nodeTo.asCfgNode() = slash and
           nodeFrom in [
               // type-preserving call
-              path_operand,
+              pathOperand,
               // data injection
-              data_operand
+              dataOperand
             ]
         )
         or

From 067874567751844ca8078d80c914a8b90fc85ab9 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 16 Apr 2021 08:22:00 +0200
Subject: [PATCH 0438/1429] Python: refactor based on review suggestion

---
 .../src/semmle/python/frameworks/Stdlib.qll   | 48 ++++++++++++-------
 1 file changed, 30 insertions(+), 18 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index 420f205ae84..bc8a1c4c12c 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -910,6 +910,26 @@ private module Stdlib {
    */
   private string pathlibPathMethodExport() { result in ["as_posix", "as_uri"] }
 
+  /**
+   * Flow for type presering mehtods.
+   */
+  private predicate typePreservingCall(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    exists(DataFlow::AttrRead returnsPath | returnsPath.getAttributeName() = pathlibPathMethod() |
+      nodeTo.(DataFlow::CallCfgNode).getFunction() = returnsPath and
+      nodeFrom = returnsPath.getObject()
+    )
+  }
+
+  /**
+   * Flow for type presering attributes.
+   */
+  private predicate typePreservingAttribute(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    exists(DataFlow::AttrRead isPath | isPath.getAttributeName() = pathlibPathAttribute() |
+      nodeTo = isPath and
+      nodeFrom = isPath.getObject()
+    )
+  }
+
   /**
    * Gets a reference to a `pathlib.Path` object.
    * This type tracker makes the monomorphic API use assumption.
@@ -920,26 +940,25 @@ private module Stdlib {
     result = pathlib().getMember(pathlibPathConstructor()).getACall()
     or
     // Type-preserving call
-    exists(DataFlow::AttrRead returnsPath, DataFlow::TypeTracker t2 |
-      returnsPath.getAttributeName() = pathlibPathMethod() and
-      returnsPath.getObject().getALocalSource() = pathlibPath(t2) and
+    exists(DataFlow::Node nodeFrom, DataFlow::TypeTracker t2 |
+      nodeFrom.getALocalSource() = pathlibPath(t2) and
       t2.end()
     |
       t.start() and
-      result.(DataFlow::CallCfgNode).getFunction() = returnsPath
+      typePreservingCall(nodeFrom, result)
     )
     or
     // Type-preserving attribute
-    exists(DataFlow::AttrRead isPath, DataFlow::TypeTracker t2 |
-      isPath.getAttributeName() = pathlibPathAttribute() and
-      isPath.getObject().getALocalSource() = pathlibPath(t2) and
+    exists(DataFlow::Node nodeFrom, DataFlow::TypeTracker t2 |
+      nodeFrom.getALocalSource() = pathlibPath(t2) and
       t2.end()
     |
       t.start() and
-      result = isPath
+      typePreservingAttribute(nodeFrom, result)
     )
     or
     // Data injection
+    //   Special handling of the `/` operator
     exists(BinaryExprNode slash, DataFlow::Node pathOperand, DataFlow::TypeTracker t2 |
       slash.getOp() instanceof Div and
       pathOperand.asCfgNode() = slash.getAnOperand() and
@@ -950,6 +969,7 @@ private module Stdlib {
       result.asCfgNode() = slash
     )
     or
+    //   standard case
     exists(DataFlow::AttrRead returnsPath, DataFlow::TypeTracker t2 |
       returnsPath.getAttributeName() = pathlibPathInjection() and
       returnsPath.getObject().getALocalSource() = pathlibPath(t2) and
@@ -996,18 +1016,10 @@ private module Stdlib {
       nodeTo.getALocalSource() = pathlibPath() and
       (
         // Type-preserving call
-        exists(DataFlow::AttrRead returnsPath |
-          returnsPath.getAttributeName() = pathlibPathMethod()
-        |
-          nodeTo.(DataFlow::CallCfgNode).getFunction() = returnsPath and
-          nodeFrom = returnsPath.getObject()
-        )
+        typePreservingCall(nodeFrom, nodeTo)
         or
         // Type-preserving attribute
-        exists(DataFlow::AttrRead isPath | isPath.getAttributeName() = pathlibPathAttribute() |
-          nodeTo = isPath and
-          nodeFrom = isPath.getObject()
-        )
+        typePreservingAttribute(nodeFrom, nodeTo)
       )
       or
       // Data injection

From a8280f9b12c114801620043080e1d164ecc5d0e2 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 16 Apr 2021 08:25:29 +0200
Subject: [PATCH 0439/1429] Python: update test expectation

---
 .../defaultAdditionalTaintStep-py3/TestTaint.expected           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.expected b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.expected
index 7ff94f218a3..27a70201357 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/TestTaint.expected
@@ -6,7 +6,7 @@
 | test_pathlib.py:29 | ok   | test_basic | tainted_pure_posix_path |
 | test_pathlib.py:30 | ok   | test_basic | tainted_pure_windows_path |
 | test_pathlib.py:32 | ok   | test_basic | BinaryExpr |
-| test_pathlib.py:33 | fail | test_basic | BinaryExpr |
+| test_pathlib.py:33 | ok   | test_basic | BinaryExpr |
 | test_pathlib.py:35 | ok   | test_basic | tainted_path.joinpath(..) |
 | test_pathlib.py:36 | ok   | test_basic | pathlib.Path(..).joinpath(..) |
 | test_pathlib.py:37 | ok   | test_basic | pathlib.Path(..).joinpath(..) |

From b0975bb3ea6e514704205bb538eb5f9fe63cbcae Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 16 Apr 2021 09:15:43 +0200
Subject: [PATCH 0440/1429] Update supported C#/.NET versions

---
 docs/codeql/support/reusables/versions-compilers.rst | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/docs/codeql/support/reusables/versions-compilers.rst b/docs/codeql/support/reusables/versions-compilers.rst
index a338791953b..ff49b01a441 100644
--- a/docs/codeql/support/reusables/versions-compilers.rst
+++ b/docs/codeql/support/reusables/versions-compilers.rst
@@ -11,9 +11,11 @@
    Microsoft extensions (up to VS 2019),
 
    Arm Compiler 5 [2]_","``.cpp``, ``.c++``, ``.cxx``, ``.hpp``, ``.hh``, ``.h++``, ``.hxx``, ``.c``, ``.cc``, ``.h``"
-   C#,C# up to 8.0,"Microsoft Visual Studio up to 2019 with .NET up to 4.8,
+   C#,C# up to 9.0,"Microsoft Visual Studio up to 2019 with .NET up to 4.8,
 
-   .NET Core up to 3.1","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
+   .NET Core up to 3.1
+
+   .NET 5","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
    Go (aka Golang), "Go up to 1.16", "Go 1.11 or more recent", ``.go``
    Java,"Java 7 to 15 [3]_","javac (OpenJDK and Oracle JDK),
 
@@ -28,5 +30,5 @@
     .. [2] Support for the Arm Compiler (armcc) is preliminary.
     .. [3] Builds that execute on Java 7 to 15 can be analyzed. The analysis understands Java 15 standard language features.
     .. [4] ECJ is supported when the build invokes it via the Maven Compiler plugin or the Takari Lifecycle plugin.
-    .. [5] JSX and Flow code, YAML, JSON, HTML, and XML files may also be analyzed with JavaScript files. 
-    .. [6] TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default for LGTM.   
+    .. [5] JSX and Flow code, YAML, JSON, HTML, and XML files may also be analyzed with JavaScript files.
+    .. [6] TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default for LGTM.

From 946fcf1c82e5314f2da7e86420b2eefee8786f9d Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Wed, 14 Apr 2021 15:17:34 +0200
Subject: [PATCH 0441/1429] C#: Speedup
 `DispatchMethodOrAccessorCall::getAViableOverrider()`

In addition to improved performance, the analysis no longer applies a closed-world
assumption to type parameters. That is, if the type of a receiver is a type parameter,
then the call may target any method of a compatible receiver type, not just the
types that actually instantiate the type parameter.
---
 .../semmle/code/csharp/dispatch/Dispatch.qll  | 193 +++++++++++-------
 1 file changed, 114 insertions(+), 79 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dispatch/Dispatch.qll b/csharp/ql/src/semmle/code/csharp/dispatch/Dispatch.qll
index e436fb2b99a..cca858d69ba 100644
--- a/csharp/ql/src/semmle/code/csharp/dispatch/Dispatch.qll
+++ b/csharp/ql/src/semmle/code/csharp/dispatch/Dispatch.qll
@@ -233,71 +233,61 @@ private module Internal {
   }
 
   pragma[noinline]
-  private predicate hasOverrider(OverridableCallable oc, ValueOrRefType t) {
-    exists(oc.getAnOverrider(t))
+  private predicate hasOverrider(OverridableCallable oc, Gvn::GvnType t) {
+    exists(oc.getAnOverrider(any(ValueOrRefType t0 | Gvn::getGlobalValueNumber(t0) = t)))
   }
 
   pragma[noinline]
-  private predicate hasCallable(OverridableCallable source, ValueOrRefType t, OverridableCallable c) {
+  private predicate hasCallable(OverridableCallable source, Gvn::GvnType t, OverridableCallable c) {
     c.getUnboundDeclaration() = source and
-    t.hasCallable(c) and
+    any(ValueOrRefType t0 | Gvn::getGlobalValueNumber(t0) = t).hasCallable(c) and
     hasOverrider(c, t) and
-    hasQualifierTypeOverridden0(t, _) and
-    hasQualifierTypeOverridden1(source, _)
-  }
-
-  pragma[noinline]
-  private Unification::ConstrainedTypeParameter getAConstrainedTypeParameterQualifierType(
-    DispatchMethodOrAccessorCall call
-  ) {
-    result = getAPossibleType(call.getQualifier(), false)
-  }
-
-  pragma[noinline]
-  private predicate constrainedTypeParameterQualifierTypeSubsumes(
-    ValueOrRefType t, Unification::ConstrainedTypeParameter tp
-  ) {
-    tp = getAConstrainedTypeParameterQualifierType(_) and
-    tp.subsumes(t)
-  }
-
-  pragma[noinline]
-  private predicate hasQualifierTypeOverridden0(ValueOrRefType t, DispatchMethodOrAccessorCall call) {
-    hasOverrider(_, t) and
-    (
-      exists(Type t0, Type t1 |
-        t0 = getAPossibleType(call.getQualifier(), false) and
-        t1 = [t0, t0.(Unification::UnconstrainedTypeParameter).getAnUltimatelySuppliedType()]
-      |
-        t = t1
-        or
-        Unification::subsumes(t1, t)
-      )
-      or
-      constrainedTypeParameterQualifierTypeSubsumes(t,
-        getAConstrainedTypeParameterQualifierType(call))
-    )
-  }
-
-  pragma[noinline]
-  private predicate hasQualifierTypeOverridden1(
-    OverridableCallable c, DispatchMethodOrAccessorCall call
-  ) {
-    exists(OverridableCallable target | call.getAStaticTarget() = target |
-      c = target.getUnboundDeclaration()
-      or
-      c = target.getAnUltimateImplementor().getUnboundDeclaration()
-    )
+    source = any(DispatchMethodOrAccessorCall call).getAStaticTargetExt()
   }
 
   abstract private class DispatchMethodOrAccessorCall extends DispatchCallImpl {
+    pragma[noinline]
+    OverridableCallable getAStaticTargetExt() {
+      exists(OverridableCallable target | this.getAStaticTarget() = target |
+        result = target.getUnboundDeclaration()
+        or
+        result = target.getAnUltimateImplementor().getUnboundDeclaration()
+      )
+    }
+
     pragma[nomagic]
     predicate hasQualifierTypeInherited(Type t) { t = getAPossibleType(this.getQualifier(), _) }
 
+    pragma[noinline]
+    private predicate hasSubsumedQualifierType(Gvn::GvnType t) {
+      hasOverrider(_, t) and
+      exists(Type t0 |
+        t0 = getAPossibleType(this.getQualifier(), false) and
+        not t0 instanceof TypeParameter
+      |
+        t = Gvn::getGlobalValueNumber(t0)
+        or
+        Gvn::subsumes(Gvn::getGlobalValueNumber(t0), t)
+      )
+    }
+
+    pragma[noinline]
+    private predicate hasConstrainedTypeParameterQualifierType(
+      Unification::ConstrainedTypeParameter tp
+    ) {
+      tp = getAPossibleType(this.getQualifier(), false)
+    }
+
+    pragma[noinline]
+    private predicate hasUnconstrainedTypeParameterQualifierType() {
+      getAPossibleType(this.getQualifier(), false) instanceof
+        Unification::UnconstrainedTypeParameter
+    }
+
     pragma[nomagic]
-    predicate hasQualifierTypeOverridden(ValueOrRefType t, OverridableCallable c) {
-      hasQualifierTypeOverridden0(t, this) and
-      hasCallable(any(OverridableCallable oc | hasQualifierTypeOverridden1(oc, this)), t, c)
+    predicate hasSubsumedQualifierTypeOverridden(Gvn::GvnType t, OverridableCallable c) {
+      this.hasSubsumedQualifierType(t) and
+      hasCallable(any(OverridableCallable oc | oc = this.getAStaticTargetExt()), t, c)
     }
 
     /**
@@ -357,12 +347,33 @@ private module Internal {
     }
 
     pragma[nomagic]
-    private Callable getASubsumedStaticTarget0(Type t) {
+    private predicate contextArgHasConstrainedTypeParameterType(
+      DispatchCall ctx, Unification::ConstrainedTypeParameter tp
+    ) {
+      this.contextArgHasType(ctx, tp, false)
+    }
+
+    pragma[nomagic]
+    private predicate contextArgHasUnconstrainedTypeParameterType(DispatchCall ctx) {
+      this.contextArgHasType(ctx, any(Unification::UnconstrainedTypeParameter t), false)
+    }
+
+    pragma[nomagic]
+    private predicate contextArgHasNonTypeParameterType(DispatchCall ctx, Gvn::GvnType t) {
+      exists(Type t0 |
+        this.contextArgHasType(ctx, t0, false) and
+        not t0 instanceof TypeParameter and
+        t = Gvn::getGlobalValueNumber(t0)
+      )
+    }
+
+    pragma[nomagic]
+    private Callable getASubsumedStaticTarget0(Gvn::GvnType t) {
       exists(Callable staticTarget, Type declType |
         staticTarget = this.getAStaticTarget() and
         declType = staticTarget.getDeclaringType() and
         result = staticTarget.getUnboundDeclaration() and
-        Unification::subsumes(declType, t)
+        Gvn::subsumes(Gvn::getGlobalValueNumber(declType), t)
       )
     }
 
@@ -375,7 +386,8 @@ private module Internal {
     private Callable getASubsumedStaticTarget() {
       result = this.getAStaticTarget()
       or
-      result.getUnboundDeclaration() = this.getASubsumedStaticTarget0(result.getDeclaringType())
+      result.getUnboundDeclaration() =
+        this.getASubsumedStaticTarget0(Gvn::getGlobalValueNumber(result.getDeclaringType()))
     }
 
     /**
@@ -426,6 +438,12 @@ private module Internal {
       )
     }
 
+    pragma[noinline]
+    NonConstructedOverridableCallable getAViableOverrider0() {
+      getAPossibleType(this.getQualifier(), false) instanceof TypeParameter and
+      result.getAConstructingCallableOrSelf() = this.getAStaticTargetExt()
+    }
+
     /**
      * Gets a callable that is defined in a subtype of the qualifier type of this
      * call, and which overrides a static target of this call.
@@ -468,9 +486,22 @@ private module Internal {
      */
     private RuntimeCallable getAViableOverrider() {
       exists(ValueOrRefType t, NonConstructedOverridableCallable c |
-        this.hasQualifierTypeOverridden(t, c.getAConstructingCallableOrSelf()) and
+        this.hasSubsumedQualifierTypeOverridden(Gvn::getGlobalValueNumber(t),
+          c.getAConstructingCallableOrSelf()) and
         result = c.getAnOverrider(t)
       )
+      or
+      exists(NonConstructedOverridableCallable c |
+        c = this.getAViableOverrider0() and
+        result = c.getAnOverrider(_)
+      |
+        this.hasUnconstrainedTypeParameterQualifierType()
+        or
+        exists(Unification::ConstrainedTypeParameter tp |
+          this.hasConstrainedTypeParameterQualifierType(tp) and
+          tp.subsumes(result.getDeclaringType())
+        )
+      )
     }
 
     override RuntimeCallable getADynamicTarget() {
@@ -510,36 +541,40 @@ private module Internal {
     }
 
     pragma[nomagic]
-    private RuntimeCallable getAViableOverriderInCallContext0(
-      NonConstructedOverridableCallable c, ValueOrRefType t
-    ) {
-      result = this.getAViableOverrider() and
-      this.contextArgHasType(_, _, false) and
-      result = c.getAnOverrider(t)
+    private RuntimeCallable getAViableOverriderInCallContext0(Gvn::GvnType t) {
+      exists(NonConstructedOverridableCallable c |
+        result = this.getAViableOverrider() and
+        this.contextArgHasType(_, _, false) and
+        result = c.getAnOverrider(any(Type t0 | t = Gvn::getGlobalValueNumber(t0))) and
+        this.getAStaticTarget() = c.getAConstructingCallableOrSelf()
+      )
     }
 
     pragma[nomagic]
-    private RuntimeCallable getAViableOverriderInCallContext1(
-      NonConstructedOverridableCallable c, DispatchCall ctx
-    ) {
-      exists(ValueOrRefType t |
-        result = this.getAViableOverriderInCallContext0(c, t) and
-        exists(Type t0, Type t1 |
-          this.contextArgHasType(ctx, t0, false) and
-          t1 = [t0, t0.(Unification::UnconstrainedTypeParameter).getAnUltimatelySuppliedType()]
-        |
-          t = t1
-          or
-          Unification::subsumes(t1, t)
-        )
+    private predicate contextArgHasSubsumedType(DispatchCall ctx, Gvn::GvnType t) {
+      hasOverrider(_, t) and
+      exists(Gvn::GvnType t0 | this.contextArgHasNonTypeParameterType(ctx, t0) |
+        t = t0
+        or
+        Gvn::subsumes(t0, t)
       )
     }
 
     pragma[nomagic]
     private RuntimeCallable getAViableOverriderInCallContext(DispatchCall ctx) {
-      exists(NonConstructedOverridableCallable c |
-        result = this.getAViableOverriderInCallContext1(c, ctx) and
-        this.getAStaticTarget() = c.getAConstructingCallableOrSelf()
+      exists(Gvn::GvnType t |
+        result = this.getAViableOverriderInCallContext0(t) and
+        this.contextArgHasSubsumedType(ctx, t)
+      )
+      or
+      result = this.getAViableOverrider() and
+      (
+        this.contextArgHasUnconstrainedTypeParameterType(ctx)
+        or
+        exists(Unification::ConstrainedTypeParameter tp |
+          this.contextArgHasConstrainedTypeParameterType(ctx, tp) and
+          tp.subsumes(result.getDeclaringType())
+        )
       )
     }
 

From af0c32c01d630f607d4a737b2f3e8b89faf371f3 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@gmail.com>
Date: Fri, 16 Apr 2021 11:35:12 +0200
Subject: [PATCH 0442/1429] Python: Apply suggestions from code review

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
---
 python/ql/src/semmle/python/frameworks/Fabric.qll | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Fabric.qll b/python/ql/src/semmle/python/frameworks/Fabric.qll
index 177f5592f66..2319b9e1d70 100644
--- a/python/ql/src/semmle/python/frameworks/Fabric.qll
+++ b/python/ql/src/semmle/python/frameworks/Fabric.qll
@@ -83,7 +83,9 @@ private module FabricV2 {
       module Connection {
         /** Gets a reference to the `fabric.connection.Connection` class. */
         API::Node classRef() {
-          result in [fabric().getMember("Connection"), connection().getMember("Connection")]
+          result = fabric().getMember("Connection")
+          or
+          result = connection().getMember("Connection")
         }
 
         /**
@@ -110,7 +112,7 @@ private module FabricV2 {
         }
 
         /** Gets a reference to an instance of `fabric.connection.Connection`. */
-        DataFlow::LocalSourceNode instance() { result = instance(DataFlow::TypeTracker::end()) }
+        DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
 
         /**
          * Gets a reference to either `run`, `sudo`, or `local` method on a
@@ -249,7 +251,9 @@ private module FabricV2 {
       module SerialGroup {
         private class ClassInstantiation extends Group::ModeledSubclass {
           ClassInstantiation() {
-            this in [group().getMember("SerialGroup"), fabric().getMember("SerialGroup")]
+            this = group().getMember("SerialGroup")
+            or
+            this = fabric().getMember("SerialGroup")
           }
         }
       }
@@ -262,7 +266,9 @@ private module FabricV2 {
       module ThreadingGroup {
         private class ClassInstantiation extends Group::ModeledSubclass {
           ClassInstantiation() {
-            this in [group().getMember("ThreadingGroup"), fabric().getMember("ThreadingGroup")]
+            this = group().getMember("ThreadingGroup")
+            or
+            this = fabric().getMember("ThreadingGroup")
           }
         }
       }

From 5c79ad2412e7f588408dba9c9c16bce4dfba3cd0 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@gmail.com>
Date: Fri, 16 Apr 2021 11:38:29 +0200
Subject: [PATCH 0443/1429] Python: Apply suggestions from code review

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
---
 python/ql/src/semmle/python/frameworks/Invoke.qll | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Invoke.qll b/python/ql/src/semmle/python/frameworks/Invoke.qll
index 5b5a5e6e7f0..6330d0c631f 100644
--- a/python/ql/src/semmle/python/frameworks/Invoke.qll
+++ b/python/ql/src/semmle/python/frameworks/Invoke.qll
@@ -30,9 +30,9 @@ private module Invoke {
       module Context {
         /** Gets a reference to the `invoke.context.Context` class. */
         API::Node classRef() {
-          result =
-            [API::moduleImport("invoke").getMember("context"), API::moduleImport("invoke")]
-                .getMember("Context")
+          result = API::moduleImport("invoke").getMember("context").getMember("Context")
+          or
+          result = API::moduleImport("invoke").getMember("Context")
         }
 
         /** Gets a reference to an instance of `invoke.context.Context`. */
@@ -51,7 +51,7 @@ private module Invoke {
         }
 
         /** Gets a reference to an instance of `invoke.context.Context`. */
-        DataFlow::LocalSourceNode instance() { result = instance(DataFlow::TypeTracker::end()) }
+        DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
 
         /** Gets a reference to the `run` or `sudo` methods on a `invoke.context.Context` instance. */
         private DataFlow::LocalSourceNode instanceRunMethods(DataFlow::TypeTracker t) {

From 92b4eb7f02b23066cbffd2b351a79e28ed138495 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Fri, 16 Apr 2021 11:54:20 +0000
Subject: [PATCH 0444/1429] Python: Cleanup and more explanation

Goes into some detail about the intended semantics of local source nodes
and `flowsTo`.
---
 .../dataflow/new/internal/LocalSources.qll    | 25 ++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll b/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
index ae7d3fabb7f..7aa311df76b 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
@@ -21,15 +21,34 @@ private predicate comes_from_cfgnode(Node node) {
  * A data flow node that is a source of local flow. This includes things like
  * - Expressions
  * - Function parameters
+ *
+ *
+ * Local source nodes and the `flowsTo` relation should be thought of in terms of the reference
+ * semantics of the underlying object. For instance, in the following snippet of code
+ *
+ * ```python
+ *     x = []
+ *     x.append(1)
+ *     x.append(2)
+ * ```
+ *
+ * the local source node corresponding to the occurrences of `x` is the empty list that is assigned to `x`
+ * originally. Even though the two `append` calls modify the value of `x`, they do not change the fact that
+ * `x` still points to the same object. If, however, we next do `x = x + [3]`, then the expression `x + [3]`
+ * will be the new local source of what `x` now points to.
  */
 class LocalSourceNode extends Node {
   cached
   LocalSourceNode() {
     not comes_from_cfgnode(this) and
     not this instanceof ModuleVariableNode and
-    not this.(PostUpdateNode).getPreUpdateNode() in [
-        syntheticPostUpdateNode::storePreUpdateNode(), syntheticPostUpdateNode::readPreUpdateNode()
-      ]
+    // Currently, we create synthetic post-update nodes for
+    // - arguments to calls that may modify said argument
+    // - direct reads a writes of object attributes
+    // Both of these preserve the identity of the underlying pointer, and hence we exclude these as
+    // local source nodes.
+    // We do, however, allow the post-update nodes that arise from object creation (which are non-synthetic).
+    not this instanceof SyntheticPostUpdateNode
     or
     this = any(ModuleVariableNode mvn).getARead()
   }

From 40b74167e073326319195473f2968d64083392f8 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Fri, 16 Apr 2021 14:34:16 +0200
Subject: [PATCH 0445/1429] C#: Improve performance of
 `DisposeNotCalledOnException.ql`

---
 .../API Abuse/DisposeNotCalledOnException.ql  | 107 ++++++++++++------
 1 file changed, 71 insertions(+), 36 deletions(-)

diff --git a/csharp/ql/src/API Abuse/DisposeNotCalledOnException.ql b/csharp/ql/src/API Abuse/DisposeNotCalledOnException.ql
index 7469cbc59e7..abb962449b9 100644
--- a/csharp/ql/src/API Abuse/DisposeNotCalledOnException.ql	
+++ b/csharp/ql/src/API Abuse/DisposeNotCalledOnException.ql	
@@ -18,36 +18,6 @@ import csharp
 import Dispose
 import semmle.code.csharp.frameworks.System
 
-/**
- * Gets an exception type that may be thrown during the execution of method `m`.
- * Assumes any exception may be thrown by library types.
- */
-Class getAThrownException(Method m) {
-  m.fromLibrary() and
-  result = any(SystemExceptionClass sc)
-  or
-  exists(ControlFlowElement cfe |
-    cfe = any(ThrowElement te | result = te.getExpr().getType()) or
-    cfe = any(MethodCall mc | result = getAThrownException(mc.getARuntimeTarget()))
-  |
-    cfe.getEnclosingCallable() = m and
-    not isTriedAgainstException(cfe, result)
-  )
-}
-
-/**
- * Holds if control flow element is tried against throwing an exception of type
- * `ec`.
- */
-pragma[noinline]
-predicate isTriedAgainstException(ControlFlowElement cfe, ExceptionClass ec) {
-  (cfe instanceof ThrowElement or cfe instanceof MethodCall) and
-  exists(TryStmt ts |
-    ts.getATriedElement() = cfe and
-    exists(ts.getAnExceptionHandler(ec))
-  )
-}
-
 private class DisposeCall extends MethodCall {
   DisposeCall() { this.getTarget() instanceof DisposeMethod }
 }
@@ -78,8 +48,17 @@ predicate disposeReachableFromDisposableCreation(DisposeCall disposeCall, Expr d
   reachesDisposeCall(disposeCall, DataFlow::exprNode(disposableCreation))
 }
 
-class MethodCallThatMayThrow extends MethodCall {
-  MethodCallThatMayThrow() { exists(getAThrownException(this.getARuntimeTarget())) }
+/**
+ * Holds if control flow element is tried against throwing an exception of type
+ * `ec`.
+ */
+pragma[noinline]
+predicate isTriedAgainstException(ControlFlowElement cfe, ExceptionClass ec) {
+  (cfe instanceof ThrowElement or cfe instanceof MethodCall) and
+  exists(TryStmt ts |
+    ts.getATriedElement() = cfe and
+    exists(ts.getAnExceptionHandler(ec))
+  )
 }
 
 ControlFlowElement getACatchOrFinallyClauseChild() {
@@ -88,15 +67,71 @@ ControlFlowElement getACatchOrFinallyClauseChild() {
   result = getACatchOrFinallyClauseChild().getAChild()
 }
 
-from DisposeCall disposeCall, Expr disposableCreation, MethodCallThatMayThrow callThatThrows
-where
+private predicate candidate(DisposeCall disposeCall, Call call, Expr disposableCreation) {
   disposeReachableFromDisposableCreation(disposeCall, disposableCreation) and
   // The dispose call is not, itself, within a dispose method.
   not disposeCall.getEnclosingCallable() instanceof DisposeMethod and
   // Dispose call not within a finally or catch block
   not getACatchOrFinallyClauseChild() = disposeCall and
   // At least one method call exists between the allocation and disposal that could throw
-  disposableCreation.getAReachableElement() = callThatThrows and
-  callThatThrows.getAReachableElement() = disposeCall
+  disposableCreation.getAReachableElement() = call and
+  call.getAReachableElement() = disposeCall
+}
+
+private class RelevantMethod extends Method {
+  RelevantMethod() {
+    exists(Call call |
+      candidate(_, call, _) and
+      this = call.getARuntimeTarget()
+    )
+    or
+    exists(RelevantMethod other | other.calls(this))
+  }
+
+  pragma[noinline]
+  private RelevantMethod callsNoTry() {
+    exists(MethodCall mc |
+      result = mc.getARuntimeTarget() and
+      not isTriedAgainstException(mc, _) and
+      mc.getEnclosingCallable() = this
+    )
+  }
+
+  pragma[noinline]
+  private RelevantMethod callsInTry(MethodCall mc) {
+    result = mc.getARuntimeTarget() and
+    isTriedAgainstException(mc, _) and
+    mc.getEnclosingCallable() = this
+  }
+
+  /**
+   * Gets an exception type that may be thrown during the execution of this method.
+   * Assumes any exception may be thrown by library types.
+   */
+  Class getAThrownException() {
+    this.fromLibrary() and
+    result instanceof SystemExceptionClass
+    or
+    exists(ControlFlowElement cfe |
+      result = cfe.(ThrowElement).getExpr().getType() and
+      cfe.getEnclosingCallable() = this
+      or
+      result = this.callsInTry(cfe).getAThrownException()
+    |
+      not isTriedAgainstException(cfe, result)
+    )
+    or
+    result = this.callsNoTry().getAThrownException()
+  }
+}
+
+class MethodCallThatMayThrow extends MethodCall {
+  MethodCallThatMayThrow() {
+    exists(this.getARuntimeTarget().(RelevantMethod).getAThrownException())
+  }
+}
+
+from DisposeCall disposeCall, Expr disposableCreation, MethodCallThatMayThrow callThatThrows
+where candidate(disposeCall, callThatThrows, disposableCreation)
 select disposeCall, "Dispose missed if exception is thrown by $@.", callThatThrows,
   callThatThrows.toString()

From f8d45f04edd76bbfe22f371ca2280e74afa09b2a Mon Sep 17 00:00:00 2001
From: Jonas Jensen <jbj@github.com>
Date: Fri, 16 Apr 2021 16:44:58 +0200
Subject: [PATCH 0446/1429] Revert "Revert "C++: Work around extractor issue
 CPP-383""

**Revert the revert** of the workaround for CFG issues when a
`FunctionCall` has a `getTarget` that does not exist. While we've fixed
the main cause of the problem, it can apparently still happen in rare
cases as a result of extractor crashes.

This reverts commit ee5eaef5e48ba3802fb118c56bd9aae0ef2ac805.
---
 .../controlflow/internal/ConstantExprs.qll    | 35 ++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/controlflow/internal/ConstantExprs.qll b/cpp/ql/src/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
index 77e0f05ed02..dc08f588e43 100644
--- a/cpp/ql/src/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
+++ b/cpp/ql/src/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
@@ -104,9 +104,42 @@ private predicate loopConditionAlwaysUponEntry(ControlFlowNode loop, Expr condit
   )
 }
 
+/**
+ * This relation is the same as the `el instanceof Function`, only obfuscated
+ * so the optimizer will not understand that any `FunctionCall.getTarget()`
+ * should be in this relation.
+ */
+pragma[noinline]
+private predicate isFunction(Element el) {
+  el instanceof Function
+  or
+  el.(Expr).getParent() = el
+}
+
+/**
+ * Holds if `fc` is a `FunctionCall` with no return value for `getTarget`. This
+ * can happen due to extractor issue CPP-383.
+ */
+pragma[noopt]
+private predicate callHasNoTarget(@funbindexpr fc) {
+  exists(Function f |
+    funbind(fc, f) and
+    not isFunction(f)
+  )
+}
+
+// This base case is pulled out to work around QL-796
+private predicate potentiallyReturningFunctionCall_base(FunctionCall fc) {
+  fc.isVirtual()
+  or
+  callHasNoTarget(fc)
+}
+
 /** A function call that *may* return; if in doubt, we assume it may. */
 private predicate potentiallyReturningFunctionCall(FunctionCall fc) {
-  potentiallyReturningFunction(fc.getTarget()) or fc.isVirtual()
+  potentiallyReturningFunctionCall_base(fc)
+  or
+  potentiallyReturningFunction(fc.getTarget())
 }
 
 /** A function that *may* return; if in doubt, we assume it may. */

From 50abb6e3a118415c23d29427868674633a822428 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 16 Apr 2021 17:32:44 +0200
Subject: [PATCH 0447/1429] C++: Cleanup test.c

---
 ...ationAfterEndOfBufferUsingStrncat.expected |  6 +-
 .../Security/CWE/CWE-788/semmle/tests/test.c  | 93 ++++++++++---------
 2 files changed, 53 insertions(+), 46 deletions(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.expected
index af52dac0144..c332bd1422f 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.expected
@@ -1,3 +1,3 @@
-| test.c:4:3:4:9 | call to strncat | if the used buffer is full, writing out of the buffer is possible |
-| test.c:11:3:11:9 | call to strncat | if the used buffer is full, writing out of the buffer is possible |
-| test.c:19:3:19:9 | call to strncat | if the used buffer is full, writing out of the buffer is possible |
+| test.c:8:3:8:9 | call to strncat | if the used buffer is full, writing out of the buffer is possible |
+| test.c:17:3:17:9 | call to strncat | if the used buffer is full, writing out of the buffer is possible |
+| test.c:25:3:25:9 | call to strncat | if the used buffer is full, writing out of the buffer is possible |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
index d986bb3b13c..145501d5c16 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
@@ -1,70 +1,77 @@
-void workFunction_0(char *s) {
+char * strncat(char*, const char*, unsigned);
+unsigned strlen(const char*);
+void* malloc(unsigned);
+
+void strncat_test1(char *s) {
   char buf[80];
-  strncat(buf, s, sizeof(buf)-strlen(buf)-1); // GOOD
-  strncat(buf, s, sizeof(buf)-strlen(buf));  // BAD
-  strncat(buf, "fix", sizeof(buf)-strlen(buf)); // BAD [NOT DETECTED] 
+  strncat(buf, s, sizeof(buf) - strlen(buf) - 1); // GOOD
+  strncat(buf, s, sizeof(buf) - strlen(buf));  // BAD
+  strncat(buf, "fix", sizeof(buf)-strlen(buf)); // BAD [NOT DETECTED]
 }
-void workFunction_1(char *s) {
+
 #define MAX_SIZE 80
+
+void strncat_test2(char *s) {
   char buf[MAX_SIZE];
-  strncat(buf, s, MAX_SIZE-strlen(buf)-1); // GOOD
-  strncat(buf, s, MAX_SIZE-strlen(buf));  // BAD
-  strncat(buf, "fix", MAX_SIZE-strlen(buf)); // BAD [NOT DETECTED]
+  strncat(buf, s, MAX_SIZE - strlen(buf) - 1); // GOOD
+  strncat(buf, s, MAX_SIZE - strlen(buf));  // BAD
+  strncat(buf, "fix", MAX_SIZE - strlen(buf)); // BAD [NOT DETECTED]
 }
-void workFunction_2_0(char *s) {
-  char * buf;
-  int len=80;
-  buf = (char *) malloc(len);
-  strncat(buf, s, len-strlen(buf)-1); // GOOD
-  strncat(buf, s, len-strlen(buf));  // BAD
-  strncat(buf, "fix", len-strlen(buf)); // BAD [NOT DETECTED]
+
+void strncat_test3(char *s) {
+  int len = 80;
+  char* buf = (char *) malloc(len);
+  strncat(buf, s, len - strlen(buf) - 1); // GOOD
+  strncat(buf, s, len - strlen(buf));  // BAD
+  strncat(buf, "fix", len - strlen(buf)); // BAD [NOT DETECTED]
 }
-void workFunction_2_1(char *s) {
-  char * buf;
-  int len=80;
-  buf = (char *) malloc(len+1);
-  strncat(buf, s, len-strlen(buf)-1); // GOOD
-  strncat(buf, s, len-strlen(buf));  // GOOD
+
+void strncat_test4(char *s) {
+  int len = 80;
+  char* buf = (char *) malloc(len + 1);
+  strncat(buf, s, len - strlen(buf) - 1); // GOOD
+  strncat(buf, s, len - strlen(buf)); // GOOD
 }
 
 struct buffers
 {
-    unsigned char buff1[50];
-    unsigned char *buff2;
+    unsigned char array[50];
+    unsigned char *pointer;
 } globalBuff1,*globalBuff2,globalBuff1_c,*globalBuff2_c;
 
-
-void badFunc0(){
+void strlen_test1(){
   unsigned char buff1[12];
   struct buffers buffAll;
   struct buffers * buffAll1;
   
   buff1[strlen(buff1)]=0; // BAD
-  buffAll.buff1[strlen(buffAll.buff1)]=0; // BAD
-  buffAll.buff2[strlen(buffAll.buff2)]=0; // BAD
-  buffAll1->buff1[strlen(buffAll1->buff1)]=0; // BAD
-  buffAll1->buff2[strlen(buffAll1->buff2)]=0; // BAD
-  globalBuff1.buff1[strlen(globalBuff1.buff1)]=0; // BAD
-  globalBuff1.buff2[strlen(globalBuff1.buff2)]=0; // BAD
-  globalBuff2->buff1[strlen(globalBuff2->buff1)]=0; // BAD
-  globalBuff2->buff2[strlen(globalBuff2->buff2)]=0; // BAD
+  buffAll.array[strlen(buffAll.array)]=0; // BAD
+  buffAll.pointer[strlen(buffAll.pointer)]=0; // BAD
+  buffAll1->array[strlen(buffAll1->array)]=0; // BAD
+  buffAll1->pointer[strlen(buffAll1->pointer)]=0; // BAD
+  globalBuff1.array[strlen(globalBuff1.array)]=0; // BAD
+  globalBuff1.pointer[strlen(globalBuff1.pointer)]=0; // BAD
+  globalBuff2->array[strlen(globalBuff2->array)]=0; // BAD
+  globalBuff2->pointer[strlen(globalBuff2->pointer)]=0; // BAD
 }
-void noBadFunc0(){
+
+void strlen_test2(){
   unsigned char buff1[12],buff1_c[12];
   struct buffers buffAll,buffAll_c;
   struct buffers * buffAll1,*buffAll1_c;
   
   buff1[strlen(buff1_c)]=0; // GOOD
-  buffAll.buff1[strlen(buffAll_c.buff1)]=0; // GOOD
-  buffAll.buff2[strlen(buffAll.buff1)]=0; // GOOD
-  buffAll1->buff1[strlen(buffAll1_c->buff1)]=0; // GOOD
-  buffAll1->buff2[strlen(buffAll1->buff1)]=0; // GOOD
-  globalBuff1.buff1[strlen(globalBuff1_c.buff1)]=0; // GOOD
-  globalBuff1.buff2[strlen(globalBuff1.buff1)]=0; // GOOD
-  globalBuff2->buff1[strlen(globalBuff2_c->buff1)]=0; // GOOD
-  globalBuff2->buff2[strlen(globalBuff2->buff1)]=0; // GOOD
+  buffAll.array[strlen(buffAll_c.array)]=0; // GOOD
+  buffAll.pointer[strlen(buffAll.array)]=0; // GOOD
+  buffAll1->array[strlen(buffAll1_c->array)]=0; // GOOD
+  buffAll1->pointer[strlen(buffAll1->array)]=0; // GOOD
+  globalBuff1.array[strlen(globalBuff1_c.array)]=0; // GOOD
+  globalBuff1.pointer[strlen(globalBuff1.array)]=0; // GOOD
+  globalBuff2->array[strlen(globalBuff2_c->array)]=0; // GOOD
+  globalBuff2->pointer[strlen(globalBuff2->array)]=0; // GOOD
 }
-void goodFunc0(){
+
+void strlen_test3(){
   unsigned char buffer[12];
   int i;
   for(i = 0; i < 6; i++)

From 1e327289b2e43e4f9afa103e5161f3a6c1e450a8 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 16 Apr 2021 17:34:12 +0200
Subject: [PATCH 0448/1429] C++: Add false negative test.

---
 .../query-tests/Security/CWE/CWE-788/semmle/tests/test.c   | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
index 145501d5c16..5557daf54ca 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
@@ -39,6 +39,13 @@ struct buffers
     unsigned char *pointer;
 } globalBuff1,*globalBuff2,globalBuff1_c,*globalBuff2_c;
 
+void strncat_test5(char* s, struct buffers* buffers) {
+  unsigned len_array = strlen(buffers->array);
+  unsigned max_size = sizeof(buffers->array);
+  unsigned free_size = max_size - len_array;
+  strncat(buffers->array, s, free_size); // BAD [NOT DETECTED]
+}
+
 void strlen_test1(){
   unsigned char buff1[12];
   struct buffers buffAll;

From 64f8316a6dfbad88939b7c9f0b69d91c6713c032 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 16 Apr 2021 18:45:08 +0200
Subject: [PATCH 0449/1429] C++: Tidy up the ql file and accept test changes.

---
 ...oryLocationAfterEndOfBufferUsingStrncat.ql | 66 +++++++------------
 ...ationAfterEndOfBufferUsingStrncat.expected |  8 ++-
 .../Security/CWE/CWE-788/semmle/tests/test.c  |  8 +--
 3 files changed, 31 insertions(+), 51 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql
index e7021bda1ce..f68395f29bf 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql
@@ -11,54 +11,32 @@
  */
 
 import cpp
+import semmle.code.cpp.models.implementations.Strcat
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 
 /**
- * A call to `strncat` of the form `strncat(buff, str, someExpr - strlen(buf))`, for some expression `someExpr` equal to `sizeof(buff)`.
+ * Holds if `call` is a call to `strncat` such that `sizeArg` and `destArg` are the size and
+ * destination arguments, respectively.
  */
-class WrongCallStrncat extends FunctionCall {
-  Expr leftsomeExpr;
-
-  WrongCallStrncat() {
-    this.getTarget().hasGlobalOrStdName("strncat") and
-    // the expression of the first argument in `strncat` and `strnlen` is identical
-    globalValueNumber(this.getArgument(0)) =
-      globalValueNumber(this.getArgument(2).(SubExpr).getRightOperand().(StrlenCall).getStringExpr()) and
-    // using a string constant often speaks of manually calculating the length of the required buffer.
-    (
-      not this.getArgument(1) instanceof StringLiteral and
-      not this.getArgument(1) instanceof CharLiteral
-    ) and
-    // for use in predicates
-    leftsomeExpr = this.getArgument(2).(SubExpr).getLeftOperand()
-  }
-
-  /**
-   * Holds if the left side of the expression `someExpr` equal to `sizeof(buf)`.
-   */
-  predicate isExpressionEqualSizeof() {
-    // the left side of the expression `someExpr` is `sizeof(buf)`.
-    globalValueNumber(this.getArgument(0)) =
-      globalValueNumber(leftsomeExpr.(SizeofExprOperator).getExprOperand())
-    or
-    // value of the left side of the expression `someExpr` equal  `sizeof(buf)` value, and `buf` is array.
-    leftsomeExpr.getValue().toInt() = this.getArgument(0).getType().getSize()
-  }
-
-  /**
-   * Holds if the left side of the expression `someExpr` equal to variable containing the length of the memory allocated for the buffer.
-   */
-  predicate isVariableEqualValueSizegBuffer() {
-    // the left side of expression `someExpr` is the variable that was used in the function of allocating memory for the buffer`.
-    exists(AllocationExpr alc |
-      leftsomeExpr.(VariableAccess).getTarget() =
-        alc.(FunctionCall).getArgument(0).(VariableAccess).getTarget()
-    )
-  }
+predicate interestringCallWithArgs(Call call, Expr sizeArg, Expr destArg) {
+  exists(StrcatFunction strcat |
+    strcat = call.getTarget() and
+    sizeArg = call.getArgument(strcat.getParamSize()) and
+    destArg = call.getArgument(strcat.getParamDest())
+  )
 }
 
-from WrongCallStrncat sc
+from FunctionCall call, Expr sizeArg, Expr destArg, SubExpr sub, int n
 where
-  sc.isExpressionEqualSizeof() or
-  sc.isVariableEqualValueSizegBuffer()
-select sc, "if the used buffer is full, writing out of the buffer is possible"
+  interestringCallWithArgs(call, sizeArg, destArg) and
+  // The destination buffer is an array of size n
+  destArg.getUnspecifiedType().(ArrayType).getSize() = n and
+  // The size argument is equivalent to a subtraction
+  globalValueNumber(sizeArg).getAnExpr() = sub and
+  // ... where the left side of the subtraction is the constant n
+  globalValueNumber(sub.getLeftOperand()).getAnExpr().getValue().toInt() = n and
+  // ... and the right side of the subtraction is a call to `strlen` where the argument is the
+  // destination buffer.
+  globalValueNumber(sub.getRightOperand()).getAnExpr().(StrlenCall).getStringExpr() =
+    globalValueNumber(destArg).getAnExpr()
+select call, "Possible out-of-bounds write due to incorrect size argument."
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.expected
index c332bd1422f..3e9791e1024 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.expected
@@ -1,3 +1,5 @@
-| test.c:8:3:8:9 | call to strncat | if the used buffer is full, writing out of the buffer is possible |
-| test.c:17:3:17:9 | call to strncat | if the used buffer is full, writing out of the buffer is possible |
-| test.c:25:3:25:9 | call to strncat | if the used buffer is full, writing out of the buffer is possible |
+| test.c:8:3:8:9 | call to strncat | Possible out-of-bounds write due to incorrect size argument. |
+| test.c:9:3:9:9 | call to strncat | Possible out-of-bounds write due to incorrect size argument. |
+| test.c:17:3:17:9 | call to strncat | Possible out-of-bounds write due to incorrect size argument. |
+| test.c:18:3:18:9 | call to strncat | Possible out-of-bounds write due to incorrect size argument. |
+| test.c:46:3:46:9 | call to strncat | Possible out-of-bounds write due to incorrect size argument. |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
index 5557daf54ca..6d310875630 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
@@ -6,7 +6,7 @@ void strncat_test1(char *s) {
   char buf[80];
   strncat(buf, s, sizeof(buf) - strlen(buf) - 1); // GOOD
   strncat(buf, s, sizeof(buf) - strlen(buf));  // BAD
-  strncat(buf, "fix", sizeof(buf)-strlen(buf)); // BAD [NOT DETECTED]
+  strncat(buf, "fix", sizeof(buf)-strlen(buf)); // BAD
 }
 
 #define MAX_SIZE 80
@@ -15,14 +15,14 @@ void strncat_test2(char *s) {
   char buf[MAX_SIZE];
   strncat(buf, s, MAX_SIZE - strlen(buf) - 1); // GOOD
   strncat(buf, s, MAX_SIZE - strlen(buf));  // BAD
-  strncat(buf, "fix", MAX_SIZE - strlen(buf)); // BAD [NOT DETECTED]
+  strncat(buf, "fix", MAX_SIZE - strlen(buf)); // BAD
 }
 
 void strncat_test3(char *s) {
   int len = 80;
   char* buf = (char *) malloc(len);
   strncat(buf, s, len - strlen(buf) - 1); // GOOD
-  strncat(buf, s, len - strlen(buf));  // BAD
+  strncat(buf, s, len - strlen(buf));  // BAD [NOT DETECTED]
   strncat(buf, "fix", len - strlen(buf)); // BAD [NOT DETECTED]
 }
 
@@ -43,7 +43,7 @@ void strncat_test5(char* s, struct buffers* buffers) {
   unsigned len_array = strlen(buffers->array);
   unsigned max_size = sizeof(buffers->array);
   unsigned free_size = max_size - len_array;
-  strncat(buffers->array, s, free_size); // BAD [NOT DETECTED]
+  strncat(buffers->array, s, free_size); // BAD
 }
 
 void strlen_test1(){

From 95742aec693be629542aa176ff5bad2deba4212a Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 16 Apr 2021 21:29:17 +0200
Subject: [PATCH 0450/1429] C++: Accept test changes for the other experimental
 query in the directory. This is only a change in line numbers.

---
 ...ocationAfterEndOfBufferUsingStrlen.expected | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
index 103afd8ffd9..cd160a70638 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
@@ -1,9 +1,9 @@
-| test.c:42:3:42:24 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:43:3:43:40 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:44:3:44:40 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:45:3:45:44 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:46:3:46:44 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:47:3:47:48 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:48:3:48:48 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:49:3:49:50 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:50:3:50:50 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:54:3:54:24 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:55:3:55:40 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:56:3:56:44 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:57:3:57:44 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:58:3:58:48 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:59:3:59:48 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:60:3:60:52 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:61:3:61:50 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:62:3:62:54 | ... = ... | potential unsafe or redundant assignment. |

From f3661c34eee2a565c3affe34d3376a56eb5664b2 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Fri, 16 Apr 2021 19:49:55 +0000
Subject: [PATCH 0451/1429] Python: Clean up Django models using API graphs

First sweep. Takes care of most of the models.
---
 .../src/semmle/python/frameworks/Django.qll   | 713 ++++--------------
 1 file changed, 143 insertions(+), 570 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index 0566eab8651..b2dd77642d5 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -298,54 +298,13 @@ private module PrivateDjango {
   // django
   // ---------------------------------------------------------------------------
   /** Gets a reference to the `django` module. */
-  private DataFlow::Node django(DataFlow::TypeTracker t) {
-    t.start() and
-    result = DataFlow::importNode("django")
-    or
-    exists(DataFlow::TypeTracker t2 | result = django(t2).track(t2, t))
-  }
-
-  /** Gets a reference to the `django` module. */
-  DataFlow::Node django() { result = django(DataFlow::TypeTracker::end()) }
+  API::Node django() { result = API::moduleImport("django") }
 
   /**
    * Gets a reference to the attribute `attr_name` of the `django` module.
    * WARNING: Only holds for a few predefined attributes.
    */
-  private DataFlow::Node django_attr(DataFlow::TypeTracker t, string attr_name) {
-    attr_name in ["db", "urls", "http", "conf", "views", "shortcuts"] and
-    (
-      t.start() and
-      result = DataFlow::importNode("django" + "." + attr_name)
-      or
-      t.startInAttr(attr_name) and
-      result = DataFlow::importNode("django")
-    )
-    or
-    // Due to bad performance when using normal setup with `django_attr(t2, attr_name).track(t2, t)`
-    // we have inlined that code and forced a join
-    exists(DataFlow::TypeTracker t2 |
-      exists(DataFlow::StepSummary summary |
-        django_attr_first_join(t2, attr_name, result, summary) and
-        t = t2.append(summary)
-      )
-    )
-  }
-
-  pragma[nomagic]
-  private predicate django_attr_first_join(
-    DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
-  ) {
-    DataFlow::StepSummary::step(django_attr(t2, attr_name), res, summary)
-  }
-
-  /**
-   * Gets a reference to the attribute `attr_name` of the `django` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private DataFlow::Node django_attr(string attr_name) {
-    result = django_attr(DataFlow::TypeTracker::end(), attr_name)
-  }
+  private API::Node django_attr(string attr_name) { result = django().getMember(attr_name) }
 
   /** Provides models for the `django` module. */
   module django {
@@ -353,7 +312,7 @@ private module PrivateDjango {
     // django.db
     // -------------------------------------------------------------------------
     /** Gets a reference to the `django.db` module. */
-    DataFlow::Node db() { result = django_attr("db") }
+    API::Node db() { result = django_attr("db") }
 
     /**
      * `django.db` implements PEP249, providing ways to execute SQL statements against a database.
@@ -365,39 +324,17 @@ private module PrivateDjango {
     /** Provides models for the `django.db` module. */
     module db {
       /** Gets a reference to the `django.db.connection` object. */
-      private DataFlow::Node connection(DataFlow::TypeTracker t) {
-        t.start() and
-        result = DataFlow::importNode("django.db.connection")
-        or
-        t.startInAttr("connection") and
-        result = db()
-        or
-        exists(DataFlow::TypeTracker t2 | result = connection(t2).track(t2, t))
-      }
-
-      /** Gets a reference to the `django.db.connection` object. */
-      DataFlow::Node connection() { result = connection(DataFlow::TypeTracker::end()) }
+      API::Node connection() { result = db().getMember("connection") }
 
       class DjangoDbConnection extends Connection::InstanceSource {
-        DjangoDbConnection() { this = connection() }
+        DjangoDbConnection() { this = connection().getAUse() }
       }
 
       // -------------------------------------------------------------------------
       // django.db.models
       // -------------------------------------------------------------------------
       /** Gets a reference to the `django.db.models` module. */
-      private DataFlow::Node models(DataFlow::TypeTracker t) {
-        t.start() and
-        result = DataFlow::importNode("django.db.models")
-        or
-        t.startInAttr("models") and
-        result = django()
-        or
-        exists(DataFlow::TypeTracker t2 | result = models(t2).track(t2, t))
-      }
-
-      /** Gets a reference to the `django.db.models` module. */
-      DataFlow::Node models() { result = models(DataFlow::TypeTracker::end()) }
+      API::Node models() { result = db().getMember("models") }
 
       /** Provides models for the `django.db.models` module. */
       module models {
@@ -448,48 +385,28 @@ private module PrivateDjango {
         API::Node querySet() { result = querySetReturningMethod(_).getReturn() }
 
         /** Gets a reference to the `django.db.models.expressions` module. */
-        private DataFlow::Node expressions(DataFlow::TypeTracker t) {
-          t.start() and
-          result = DataFlow::importNode("django.db.models.expressions")
-          or
-          t.startInAttr("expressions") and
-          result = models()
-          or
-          exists(DataFlow::TypeTracker t2 | result = expressions(t2).track(t2, t))
-        }
-
-        /** Gets a reference to the `django.db.models.expressions` module. */
-        DataFlow::Node expressions() { result = expressions(DataFlow::TypeTracker::end()) }
+        API::Node expressions() { result = models().getMember("expressions") }
 
         /** Provides models for the `django.db.models.expressions` module. */
         module expressions {
           /** Provides models for the `django.db.models.expressions.RawSQL` class. */
           module RawSQL {
-            /** Gets a reference to the `django.db.models.expressions.RawSQL` class. */
-            private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-              t.start() and
-              result = DataFlow::importNode("django.db.models.expressions.RawSQL")
-              or
-              t.start() and
-              result = DataFlow::importNode("django.db.models.RawSQL") // Commonly used alias
-              or
-              t.startInAttr("RawSQL") and
-              result = expressions()
-              or
-              exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
-            }
-
             /**
              * Gets a reference to the `django.db.models.expressions.RawSQL` class.
              */
-            DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+            API::Node classRef() {
+              result = expressions().getMember("RawSQL")
+              or
+              // Commonly used alias
+              result = models().getMember("RawSQL")
+            }
 
             /** Gets an instance of the `django.db.models.expressions.RawSQL` class. */
-            private DataFlow::Node instance(DataFlow::TypeTracker t, ControlFlowNode sql) {
+            private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t, ControlFlowNode sql) {
               t.start() and
-              exists(CallNode c | result.asCfgNode() = c |
-                c.getFunction() = classRef().asCfgNode() and
-                c.getArg(0) = sql
+              exists(DataFlow::CallCfgNode c | result = c |
+                c = classRef().getACall() and
+                c.getArg(0).asCfgNode() = sql
               )
               or
               exists(DataFlow::TypeTracker t2 | result = instance(t2, sql).track(t2, t))
@@ -497,7 +414,7 @@ private module PrivateDjango {
 
             /** Gets an instance of the `django.db.models.expressions.RawSQL` class. */
             DataFlow::Node instance(ControlFlowNode sql) {
-              result = instance(DataFlow::TypeTracker::end(), sql)
+              instance(DataFlow::TypeTracker::end(), sql).flowsTo(result)
             }
           }
         }
@@ -556,7 +473,7 @@ private module PrivateDjango {
     // django.urls
     // -------------------------------------------------------------------------
     /** Gets a reference to the `django.urls` module. */
-    DataFlow::Node urls() { result = django_attr("urls") }
+    API::Node urls() { result = django_attr("urls") }
 
     /** Provides models for the `django.urls` module */
     module urls {
@@ -564,104 +481,43 @@ private module PrivateDjango {
        * Gets a reference to the attribute `attr_name` of the `urls` module.
        * WARNING: Only holds for a few predefined attributes.
        */
-      private DataFlow::Node urls_attr(DataFlow::TypeTracker t, string attr_name) {
-        attr_name in ["path", "re_path"] and
-        (
-          t.start() and
-          result = DataFlow::importNode("django.urls" + "." + attr_name)
-          or
-          t.startInAttr(attr_name) and
-          result = DataFlow::importNode("django.urls")
-          or
-          t.startInAttr(attr_name) and
-          result = django::urls()
-        )
-        or
-        // Due to bad performance when using normal setup with `urls_attr(t2, attr_name).track(t2, t)`
-        // we have inlined that code and forced a join
-        exists(DataFlow::TypeTracker t2 |
-          exists(DataFlow::StepSummary summary |
-            urls_attr_first_join(t2, attr_name, result, summary) and
-            t = t2.append(summary)
-          )
-        )
-      }
-
-      pragma[nomagic]
-      private predicate urls_attr_first_join(
-        DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-        DataFlow::StepSummary summary
-      ) {
-        DataFlow::StepSummary::step(urls_attr(t2, attr_name), res, summary)
-      }
-
-      /**
-       * Gets a reference to the attribute `attr_name` of the `urls` module.
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private DataFlow::Node urls_attr(string attr_name) {
-        result = urls_attr(DataFlow::TypeTracker::end(), attr_name)
-      }
+      private API::Node urls_attr(string attr_name) { result = urls().getMember(attr_name) }
 
       /**
        * Gets a reference to the `django.urls.path` function.
        * See https://docs.djangoproject.com/en/3.0/ref/urls/#path
        */
-      DataFlow::Node path() { result = urls_attr("path") }
+      API::Node path() { result = urls_attr("path") }
 
       /**
        * Gets a reference to the `django.urls.re_path` function.
        * See https://docs.djangoproject.com/en/3.0/ref/urls/#re_path
        */
-      DataFlow::Node re_path() { result = urls_attr("re_path") }
+      API::Node re_path() { result = urls_attr("re_path") }
     }
 
     // -------------------------------------------------------------------------
     // django.conf
     // -------------------------------------------------------------------------
     /** Gets a reference to the `django.conf` module. */
-    DataFlow::Node conf() { result = django_attr("conf") }
+    API::Node conf() { result = django_attr("conf") }
 
     /** Provides models for the `django.conf` module */
     module conf {
-      // -------------------------------------------------------------------------
-      // django.conf.urls
-      // -------------------------------------------------------------------------
-      /** Gets a reference to the `django.conf.urls` module. */
-      private DataFlow::Node urls(DataFlow::TypeTracker t) {
-        t.start() and
-        result = DataFlow::importNode("django.conf.urls")
-        or
-        t.startInAttr("urls") and
-        result = conf()
-        or
-        exists(DataFlow::TypeTracker t2 | result = urls(t2).track(t2, t))
-      }
-
-      // NOTE: had to rename due to shadowing rules in QL
-      /** Gets a reference to the `django.conf.urls` module. */
-      DataFlow::Node conf_urls() { result = urls(DataFlow::TypeTracker::end()) }
-
-      // NOTE: had to rename due to shadowing rules in QL
-      /** Provides models for the `django.conf.urls` module */
       module conf_urls {
-        /** Gets a reference to the `django.conf.urls.url` function. */
-        private DataFlow::Node url(DataFlow::TypeTracker t) {
-          t.start() and
-          result = DataFlow::importNode("django.conf.urls.url")
-          or
-          t.startInAttr("url") and
-          result = conf_urls()
-          or
-          exists(DataFlow::TypeTracker t2 | result = url(t2).track(t2, t))
-        }
+        // -------------------------------------------------------------------------
+        // django.conf.urls
+        // -------------------------------------------------------------------------
+        // NOTE: had to rename due to shadowing rules in QL
+        /** Gets a reference to the `django.conf.urls` module. */
+        API::Node conf_urls() { result = conf().getMember("urls") }
 
         /**
          * Gets a reference to the `django.conf.urls.url` function.
          *
          * See https://docs.djangoproject.com/en/1.11/ref/urls/#django.conf.urls.url
          */
-        DataFlow::Node url() { result = url(DataFlow::TypeTracker::end()) }
+        API::Node url() { result = conf_urls().getMember("url") }
       }
     }
 
@@ -669,7 +525,7 @@ private module PrivateDjango {
     // django.http
     // -------------------------------------------------------------------------
     /** Gets a reference to the `django.http` module. */
-    DataFlow::Node http() { result = django_attr("http") }
+    API::Node http() { result = django_attr("http") }
 
     /** Provides models for the `django.http` module */
     module http {
@@ -677,58 +533,13 @@ private module PrivateDjango {
        * Gets a reference to the attribute `attr_name` of the `django.http` module.
        * WARNING: Only holds for a few predefined attributes.
        */
-      private DataFlow::Node http_attr(DataFlow::TypeTracker t, string attr_name) {
-        attr_name in [
-            // request
-            "request", "HttpRequest",
-            // response
-            "response", "HttpResponse",
-            // HttpResponse subclasses
-            "HttpResponseRedirect", "HttpResponsePermanentRedirect", "HttpResponseNotModified",
-            "HttpResponseBadRequest", "HttpResponseNotFound", "HttpResponseForbidden",
-            "HttpResponseNotAllowed", "HttpResponseGone", "HttpResponseServerError", "JsonResponse",
-            // HttpResponse-like classes
-            "StreamingHttpResponse", "FileResponse"
-          ] and
-        (
-          t.start() and
-          result = DataFlow::importNode("django.http" + "." + attr_name)
-          or
-          t.startInAttr(attr_name) and
-          result = django::http()
-        )
-        or
-        // Due to bad performance when using normal setup with `http_attr(t2, attr_name).track(t2, t)`
-        // we have inlined that code and forced a join
-        exists(DataFlow::TypeTracker t2 |
-          exists(DataFlow::StepSummary summary |
-            http_attr_first_join(t2, attr_name, result, summary) and
-            t = t2.append(summary)
-          )
-        )
-      }
-
-      pragma[nomagic]
-      private predicate http_attr_first_join(
-        DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-        DataFlow::StepSummary summary
-      ) {
-        DataFlow::StepSummary::step(http_attr(t2, attr_name), res, summary)
-      }
-
-      /**
-       * Gets a reference to the attribute `attr_name` of the `django.http` module.
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private DataFlow::Node http_attr(string attr_name) {
-        result = http_attr(DataFlow::TypeTracker::end(), attr_name)
-      }
+      private API::Node http_attr(string attr_name) { result = http().getMember(attr_name) }
 
       // ---------------------------------------------------------------------------
       // django.http.request
       // ---------------------------------------------------------------------------
       /** Gets a reference to the `django.http.request` module. */
-      DataFlow::Node request() { result = http_attr("request") }
+      API::Node request() { result = http_attr("request") }
 
       /** Provides models for the `django.http.request` module. */
       module request {
@@ -736,41 +547,7 @@ private module PrivateDjango {
          * Gets a reference to the attribute `attr_name` of the `django.http.request` module.
          * WARNING: Only holds for a few predefined attributes.
          */
-        private DataFlow::Node request_attr(DataFlow::TypeTracker t, string attr_name) {
-          attr_name in ["HttpRequest"] and
-          (
-            t.start() and
-            result = DataFlow::importNode("django.http.request" + "." + attr_name)
-            or
-            t.startInAttr(attr_name) and
-            result = django::http::request()
-          )
-          or
-          // Due to bad performance when using normal setup with `request_attr(t2, attr_name).track(t2, t)`
-          // we have inlined that code and forced a join
-          exists(DataFlow::TypeTracker t2 |
-            exists(DataFlow::StepSummary summary |
-              request_attr_first_join(t2, attr_name, result, summary) and
-              t = t2.append(summary)
-            )
-          )
-        }
-
-        pragma[nomagic]
-        private predicate request_attr_first_join(
-          DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-          DataFlow::StepSummary summary
-        ) {
-          DataFlow::StepSummary::step(request_attr(t2, attr_name), res, summary)
-        }
-
-        /**
-         * Gets a reference to the attribute `attr_name` of the `django.http.request` module.
-         * WARNING: Only holds for a few predefined attributes.
-         */
-        private DataFlow::Node request_attr(string attr_name) {
-          result = request_attr(DataFlow::TypeTracker::end(), attr_name)
-        }
+        private API::Node request_attr(string attr_name) { result = request().getMember(attr_name) }
 
         /**
          * Provides models for the `django.http.request.HttpRequest` class
@@ -779,20 +556,13 @@ private module PrivateDjango {
          */
         module HttpRequest {
           /** Gets a reference to the `django.http.request.HttpRequest` class. */
-          private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-            t.start() and
+          API::Node classRef() {
             result = request_attr("HttpRequest")
             or
             // handle django.http.HttpRequest alias
-            t.start() and
             result = http_attr("HttpRequest")
-            or
-            exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
-          /** Gets a reference to the `django.http.request.HttpRequest` class. */
-          DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
-
           /**
            * A source of instances of `django.http.request.HttpRequest`, extend this class to model new instances.
            *
@@ -806,7 +576,7 @@ private module PrivateDjango {
           abstract class InstanceSource extends DataFlow::Node { }
 
           /** Gets a reference to an instance of `django.http.request.HttpRequest`. */
-          private DataFlow::Node instance(DataFlow::TypeTracker t) {
+          private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
             t.start() and
             result instanceof InstanceSource
             or
@@ -814,7 +584,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.request.HttpRequest`. */
-          DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+          DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
         }
       }
 
@@ -822,7 +592,7 @@ private module PrivateDjango {
       // django.http.response
       // -------------------------------------------------------------------------
       /** Gets a reference to the `django.http.response` module. */
-      DataFlow::Node response() { result = http_attr("response") }
+      API::Node response() { result = http_attr("response") }
 
       /** Provides models for the `django.http.response` module */
       module response {
@@ -830,49 +600,8 @@ private module PrivateDjango {
          * Gets a reference to the attribute `attr_name` of the `django.http.response` module.
          * WARNING: Only holds for a few predefined attributes.
          */
-        private DataFlow::Node response_attr(DataFlow::TypeTracker t, string attr_name) {
-          attr_name in [
-              "HttpResponse",
-              // HttpResponse subclasses
-              "HttpResponseRedirect", "HttpResponsePermanentRedirect", "HttpResponseNotModified",
-              "HttpResponseBadRequest", "HttpResponseNotFound", "HttpResponseForbidden",
-              "HttpResponseNotAllowed", "HttpResponseGone", "HttpResponseServerError",
-              "JsonResponse",
-              // HttpResponse-like classes
-              "StreamingHttpResponse", "FileResponse"
-            ] and
-          (
-            t.start() and
-            result = DataFlow::importNode("django.http.response" + "." + attr_name)
-            or
-            t.startInAttr(attr_name) and
-            result = response()
-          )
-          or
-          // Due to bad performance when using normal setup with `response_attr(t2, attr_name).track(t2, t)`
-          // we have inlined that code and forced a join
-          exists(DataFlow::TypeTracker t2 |
-            exists(DataFlow::StepSummary summary |
-              response_attr_first_join(t2, attr_name, result, summary) and
-              t = t2.append(summary)
-            )
-          )
-        }
-
-        pragma[nomagic]
-        private predicate response_attr_first_join(
-          DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-          DataFlow::StepSummary summary
-        ) {
-          DataFlow::StepSummary::step(response_attr(t2, attr_name), res, summary)
-        }
-
-        /**
-         * Gets a reference to the attribute `attr_name` of the `django.http.response` module.
-         * WARNING: Only holds for a few predefined attributes.
-         */
-        private DataFlow::Node response_attr(string attr_name) {
-          result = response_attr(DataFlow::TypeTracker::end(), attr_name)
+        private API::Node response_attr(string attr_name) {
+          result = response().getMember(attr_name)
         }
 
         /**
@@ -881,23 +610,15 @@ private module PrivateDjango {
          * See https://docs.djangoproject.com/en/3.1/ref/request-response/#django.http.HttpResponse.
          */
         module HttpResponse {
-          /** Gets a reference to the `django.http.response.HttpResponse` class. */
-          private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-            t.start() and
+          API::Node baseClassRef() {
             result = response_attr("HttpResponse")
             or
             // Handle `django.http.HttpResponse` alias
-            t.start() and
             result = http_attr("HttpResponse")
-            or
-            // subclass
-            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
-            or
-            exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
           /** Gets a reference to the `django.http.response.HttpResponse` class. */
-          DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+          API::Node classRef() { result = baseClassRef().getASubclass*() }
 
           /**
            * A source of instances of `django.http.response.HttpResponse`, extend this class to model new instances.
@@ -912,10 +633,8 @@ private module PrivateDjango {
           }
 
           /** A direct instantiation of `django.http.response.HttpResponse`. */
-          private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
-            override CallNode node;
-
-            ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+          private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
+            ClassInstantiation() { this = classRef().getACall() }
 
             override DataFlow::Node getBody() {
               result.asCfgNode() in [node.getArg(0), node.getArgByName("content")]
@@ -930,7 +649,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponse`. */
-          private DataFlow::Node instance(DataFlow::TypeTracker t) {
+          private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
             t.start() and
             result instanceof InstanceSource
             or
@@ -938,7 +657,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponse`. */
-          DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+          DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
         }
 
         // ---------------------------------------------------------------------------
@@ -952,22 +671,15 @@ private module PrivateDjango {
          */
         module HttpResponseRedirect {
           /** Gets a reference to the `django.http.response.HttpResponseRedirect` class. */
-          private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-            t.start() and
+          API::Node baseClassRef() {
             result = response_attr("HttpResponseRedirect")
             or
             // Handle `django.http.HttpResponseRedirect` alias
-            t.start() and
             result = http_attr("HttpResponseRedirect")
-            or
-            // subclass
-            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
-            or
-            exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
-          /** Gets a reference to the `django.http.response.HttpResponseRedirect` class. */
-          DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+          /** Gets a reference a subclass of the `django.http.response.HttpResponseRedirect` class. */
+          API::Node classRef() { result = baseClassRef().getASubclass*() }
 
           /**
            * A source of instances of `django.http.response.HttpResponseRedirect`, extend this class to model new instances.
@@ -982,10 +694,8 @@ private module PrivateDjango {
             HTTP::Server::HttpRedirectResponse::Range, DataFlow::Node { }
 
           /** A direct instantiation of `django.http.response.HttpResponseRedirect`. */
-          private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
-            override CallNode node;
-
-            ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+          private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
+            ClassInstantiation() { this = classRef().getACall() }
 
             override DataFlow::Node getBody() {
               // note that even though browsers like Chrome usually doesn't fetch the
@@ -1005,7 +715,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseRedirect`. */
-          private DataFlow::Node instance(DataFlow::TypeTracker t) {
+          private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
             t.start() and
             result instanceof InstanceSource
             or
@@ -1013,7 +723,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseRedirect`. */
-          DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+          DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
         }
 
         /**
@@ -1023,22 +733,15 @@ private module PrivateDjango {
          */
         module HttpResponsePermanentRedirect {
           /** Gets a reference to the `django.http.response.HttpResponsePermanentRedirect` class. */
-          private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-            t.start() and
+          API::Node baseClassRef() {
             result = response_attr("HttpResponsePermanentRedirect")
             or
             // Handle `django.http.HttpResponsePermanentRedirect` alias
-            t.start() and
             result = http_attr("HttpResponsePermanentRedirect")
-            or
-            // subclass
-            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
-            or
-            exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
           /** Gets a reference to the `django.http.response.HttpResponsePermanentRedirect` class. */
-          DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+          API::Node classRef() { result = baseClassRef().getASubclass*() }
 
           /**
            * A source of instances of `django.http.response.HttpResponsePermanentRedirect`, extend this class to model new instances.
@@ -1053,10 +756,8 @@ private module PrivateDjango {
             HTTP::Server::HttpRedirectResponse::Range, DataFlow::Node { }
 
           /** A direct instantiation of `django.http.response.HttpResponsePermanentRedirect`. */
-          private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
-            override CallNode node;
-
-            ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+          private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
+            ClassInstantiation() { this = classRef().getACall() }
 
             override DataFlow::Node getBody() {
               // note that even though browsers like Chrome usually doesn't fetch the
@@ -1076,7 +777,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponsePermanentRedirect`. */
-          private DataFlow::Node instance(DataFlow::TypeTracker t) {
+          private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
             t.start() and
             result instanceof InstanceSource
             or
@@ -1084,7 +785,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponsePermanentRedirect`. */
-          DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+          DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
         }
 
         /**
@@ -1094,23 +795,16 @@ private module PrivateDjango {
          */
         module HttpResponseNotModified {
           /** Gets a reference to the `django.http.response.HttpResponseNotModified` class. */
-          private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-            t.start() and
+          API::Node baseClassRef() {
             result = response_attr("HttpResponseNotModified")
             or
             // TODO: remove/expand this part of the template as needed
             // Handle `django.http.HttpResponseNotModified` alias
-            t.start() and
             result = http_attr("HttpResponseNotModified")
-            or
-            // subclass
-            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
-            or
-            exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseNotModified` class. */
-          DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+          API::Node classRef() { result = baseClassRef().getASubclass*() }
 
           /**
            * A source of instances of `django.http.response.HttpResponseNotModified`, extend this class to model new instances.
@@ -1124,10 +818,8 @@ private module PrivateDjango {
           abstract class InstanceSource extends HttpResponse::InstanceSource, DataFlow::Node { }
 
           /** A direct instantiation of `django.http.response.HttpResponseNotModified`. */
-          private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
-            override CallNode node;
-
-            ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+          private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
+            ClassInstantiation() { this = classRef().getACall() }
 
             override DataFlow::Node getBody() { none() }
 
@@ -1138,7 +830,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseNotModified`. */
-          private DataFlow::Node instance(DataFlow::TypeTracker t) {
+          private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
             t.start() and
             result instanceof InstanceSource
             or
@@ -1146,7 +838,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseNotModified`. */
-          DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+          DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
         }
 
         /**
@@ -1156,22 +848,15 @@ private module PrivateDjango {
          */
         module HttpResponseBadRequest {
           /** Gets a reference to the `django.http.response.HttpResponseBadRequest` class. */
-          private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-            t.start() and
+          API::Node baseClassRef() {
             result = response_attr("HttpResponseBadRequest")
             or
             // Handle `django.http.HttpResponseBadRequest` alias
-            t.start() and
             result = http_attr("HttpResponseBadRequest")
-            or
-            // subclass
-            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
-            or
-            exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseBadRequest` class. */
-          DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+          API::Node classRef() { result = baseClassRef().getASubclass*() }
 
           /**
            * A source of instances of `django.http.response.HttpResponseBadRequest`, extend this class to model new instances.
@@ -1185,10 +870,8 @@ private module PrivateDjango {
           abstract class InstanceSource extends HttpResponse::InstanceSource, DataFlow::Node { }
 
           /** A direct instantiation of `django.http.response.HttpResponseBadRequest`. */
-          private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
-            override CallNode node;
-
-            ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+          private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
+            ClassInstantiation() { this = classRef().getACall() }
 
             override DataFlow::Node getBody() {
               result.asCfgNode() in [node.getArg(0), node.getArgByName("content")]
@@ -1201,7 +884,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseBadRequest`. */
-          private DataFlow::Node instance(DataFlow::TypeTracker t) {
+          private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
             t.start() and
             result instanceof InstanceSource
             or
@@ -1209,7 +892,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseBadRequest`. */
-          DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+          DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
         }
 
         /**
@@ -1219,22 +902,15 @@ private module PrivateDjango {
          */
         module HttpResponseNotFound {
           /** Gets a reference to the `django.http.response.HttpResponseNotFound` class. */
-          private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-            t.start() and
+          API::Node baseClassRef() {
             result = response_attr("HttpResponseNotFound")
             or
             // Handle `django.http.HttpResponseNotFound` alias
-            t.start() and
             result = http_attr("HttpResponseNotFound")
-            or
-            // subclass
-            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
-            or
-            exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseNotFound` class. */
-          DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+          API::Node classRef() { result = baseClassRef().getASubclass*() }
 
           /**
            * A source of instances of `django.http.response.HttpResponseNotFound`, extend this class to model new instances.
@@ -1248,10 +924,8 @@ private module PrivateDjango {
           abstract class InstanceSource extends HttpResponse::InstanceSource, DataFlow::Node { }
 
           /** A direct instantiation of `django.http.response.HttpResponseNotFound`. */
-          private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
-            override CallNode node;
-
-            ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+          private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
+            ClassInstantiation() { this = classRef().getACall() }
 
             override DataFlow::Node getBody() {
               result.asCfgNode() in [node.getArg(0), node.getArgByName("content")]
@@ -1264,7 +938,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseNotFound`. */
-          private DataFlow::Node instance(DataFlow::TypeTracker t) {
+          private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
             t.start() and
             result instanceof InstanceSource
             or
@@ -1272,7 +946,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseNotFound`. */
-          DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+          DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
         }
 
         /**
@@ -1282,22 +956,15 @@ private module PrivateDjango {
          */
         module HttpResponseForbidden {
           /** Gets a reference to the `django.http.response.HttpResponseForbidden` class. */
-          private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-            t.start() and
+          API::Node baseClassRef() {
             result = response_attr("HttpResponseForbidden")
             or
             // Handle `django.http.HttpResponseForbidden` alias
-            t.start() and
             result = http_attr("HttpResponseForbidden")
-            or
-            // subclass
-            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
-            or
-            exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseForbidden` class. */
-          DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+          API::Node classRef() { result = baseClassRef().getASubclass*() }
 
           /**
            * A source of instances of `django.http.response.HttpResponseForbidden`, extend this class to model new instances.
@@ -1311,10 +978,8 @@ private module PrivateDjango {
           abstract class InstanceSource extends HttpResponse::InstanceSource, DataFlow::Node { }
 
           /** A direct instantiation of `django.http.response.HttpResponseForbidden`. */
-          private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
-            override CallNode node;
-
-            ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+          private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
+            ClassInstantiation() { this = classRef().getACall() }
 
             override DataFlow::Node getBody() {
               result.asCfgNode() in [node.getArg(0), node.getArgByName("content")]
@@ -1327,7 +992,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseForbidden`. */
-          private DataFlow::Node instance(DataFlow::TypeTracker t) {
+          private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
             t.start() and
             result instanceof InstanceSource
             or
@@ -1335,7 +1000,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseForbidden`. */
-          DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+          DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
         }
 
         /**
@@ -1345,22 +1010,15 @@ private module PrivateDjango {
          */
         module HttpResponseNotAllowed {
           /** Gets a reference to the `django.http.response.HttpResponseNotAllowed` class. */
-          private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-            t.start() and
+          API::Node baseClassRef() {
             result = response_attr("HttpResponseNotAllowed")
             or
             // Handle `django.http.HttpResponseNotAllowed` alias
-            t.start() and
             result = http_attr("HttpResponseNotAllowed")
-            or
-            // subclass
-            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
-            or
-            exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseNotAllowed` class. */
-          DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+          API::Node classRef() { result = baseClassRef().getASubclass*() }
 
           /**
            * A source of instances of `django.http.response.HttpResponseNotAllowed`, extend this class to model new instances.
@@ -1374,10 +1032,8 @@ private module PrivateDjango {
           abstract class InstanceSource extends HttpResponse::InstanceSource, DataFlow::Node { }
 
           /** A direct instantiation of `django.http.response.HttpResponseNotAllowed`. */
-          private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
-            override CallNode node;
-
-            ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+          private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
+            ClassInstantiation() { this = classRef().getACall() }
 
             override DataFlow::Node getBody() {
               // First argument is permitted methods
@@ -1391,7 +1047,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseNotAllowed`. */
-          private DataFlow::Node instance(DataFlow::TypeTracker t) {
+          private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
             t.start() and
             result instanceof InstanceSource
             or
@@ -1399,7 +1055,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseNotAllowed`. */
-          DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+          DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
         }
 
         /**
@@ -1409,22 +1065,15 @@ private module PrivateDjango {
          */
         module HttpResponseGone {
           /** Gets a reference to the `django.http.response.HttpResponseGone` class. */
-          private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-            t.start() and
+          API::Node baseClassRef() {
             result = response_attr("HttpResponseGone")
             or
             // Handle `django.http.HttpResponseGone` alias
-            t.start() and
             result = http_attr("HttpResponseGone")
-            or
-            // subclass
-            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
-            or
-            exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseGone` class. */
-          DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+          API::Node classRef() { result = baseClassRef().getASubclass*() }
 
           /**
            * A source of instances of `django.http.response.HttpResponseGone`, extend this class to model new instances.
@@ -1438,10 +1087,8 @@ private module PrivateDjango {
           abstract class InstanceSource extends HttpResponse::InstanceSource, DataFlow::Node { }
 
           /** A direct instantiation of `django.http.response.HttpResponseGone`. */
-          private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
-            override CallNode node;
-
-            ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+          private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
+            ClassInstantiation() { this = classRef().getACall() }
 
             override DataFlow::Node getBody() {
               result.asCfgNode() in [node.getArg(0), node.getArgByName("content")]
@@ -1454,7 +1101,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseGone`. */
-          private DataFlow::Node instance(DataFlow::TypeTracker t) {
+          private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
             t.start() and
             result instanceof InstanceSource
             or
@@ -1462,7 +1109,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseGone`. */
-          DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+          DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
         }
 
         /**
@@ -1472,22 +1119,15 @@ private module PrivateDjango {
          */
         module HttpResponseServerError {
           /** Gets a reference to the `django.http.response.HttpResponseServerError` class. */
-          private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-            t.start() and
+          API::Node baseClassRef() {
             result = response_attr("HttpResponseServerError")
             or
             // Handle `django.http.HttpResponseServerError` alias
-            t.start() and
             result = http_attr("HttpResponseServerError")
-            or
-            // subclass
-            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
-            or
-            exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseServerError` class. */
-          DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+          API::Node classRef() { result = baseClassRef().getASubclass*() }
 
           /**
            * A source of instances of `django.http.response.HttpResponseServerError`, extend this class to model new instances.
@@ -1501,10 +1141,8 @@ private module PrivateDjango {
           abstract class InstanceSource extends HttpResponse::InstanceSource, DataFlow::Node { }
 
           /** A direct instantiation of `django.http.response.HttpResponseServerError`. */
-          private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
-            override CallNode node;
-
-            ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+          private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
+            ClassInstantiation() { this = classRef().getACall() }
 
             override DataFlow::Node getBody() {
               result.asCfgNode() in [node.getArg(0), node.getArgByName("content")]
@@ -1517,7 +1155,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseServerError`. */
-          private DataFlow::Node instance(DataFlow::TypeTracker t) {
+          private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
             t.start() and
             result instanceof InstanceSource
             or
@@ -1525,7 +1163,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.HttpResponseServerError`. */
-          DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+          DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
         }
 
         /**
@@ -1535,22 +1173,15 @@ private module PrivateDjango {
          */
         module JsonResponse {
           /** Gets a reference to the `django.http.response.JsonResponse` class. */
-          private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-            t.start() and
+          API::Node baseClassRef() {
             result = response_attr("JsonResponse")
             or
             // Handle `django.http.JsonResponse` alias
-            t.start() and
             result = http_attr("JsonResponse")
-            or
-            // subclass
-            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
-            or
-            exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
           /** Gets a reference to the `django.http.response.JsonResponse` class. */
-          DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+          API::Node classRef() { result = baseClassRef().getASubclass*() }
 
           /**
            * A source of instances of `django.http.response.JsonResponse`, extend this class to model new instances.
@@ -1564,10 +1195,8 @@ private module PrivateDjango {
           abstract class InstanceSource extends HttpResponse::InstanceSource, DataFlow::Node { }
 
           /** A direct instantiation of `django.http.response.JsonResponse`. */
-          private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
-            override CallNode node;
-
-            ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+          private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
+            ClassInstantiation() { this = classRef().getACall() }
 
             override DataFlow::Node getBody() {
               result.asCfgNode() in [node.getArg(0), node.getArgByName("data")]
@@ -1580,7 +1209,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.JsonResponse`. */
-          private DataFlow::Node instance(DataFlow::TypeTracker t) {
+          private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
             t.start() and
             result instanceof InstanceSource
             or
@@ -1588,7 +1217,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.JsonResponse`. */
-          DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+          DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
         }
 
         // ---------------------------------------------------------------------------
@@ -1601,22 +1230,15 @@ private module PrivateDjango {
          */
         module StreamingHttpResponse {
           /** Gets a reference to the `django.http.response.StreamingHttpResponse` class. */
-          private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-            t.start() and
+          API::Node baseClassRef() {
             result = response_attr("StreamingHttpResponse")
             or
             // Handle `django.http.StreamingHttpResponse` alias
-            t.start() and
             result = http_attr("StreamingHttpResponse")
-            or
-            // subclass
-            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
-            or
-            exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
           /** Gets a reference to the `django.http.response.StreamingHttpResponse` class. */
-          DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+          API::Node classRef() { result = baseClassRef().getASubclass*() }
 
           /**
            * A source of instances of `django.http.response.StreamingHttpResponse`, extend this class to model new instances.
@@ -1630,10 +1252,8 @@ private module PrivateDjango {
           abstract class InstanceSource extends HttpResponse::InstanceSource, DataFlow::Node { }
 
           /** A direct instantiation of `django.http.response.StreamingHttpResponse`. */
-          private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
-            override CallNode node;
-
-            ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+          private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
+            ClassInstantiation() { this = classRef().getACall() }
 
             override DataFlow::Node getBody() {
               result.asCfgNode() in [node.getArg(0), node.getArgByName("streaming_content")]
@@ -1646,7 +1266,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.StreamingHttpResponse`. */
-          private DataFlow::Node instance(DataFlow::TypeTracker t) {
+          private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
             t.start() and
             result instanceof InstanceSource
             or
@@ -1654,7 +1274,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.StreamingHttpResponse`. */
-          DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+          DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
         }
 
         /**
@@ -1664,22 +1284,15 @@ private module PrivateDjango {
          */
         module FileResponse {
           /** Gets a reference to the `django.http.response.FileResponse` class. */
-          private DataFlow::Node classRef(DataFlow::TypeTracker t) {
-            t.start() and
+          API::Node baseClassRef() {
             result = response_attr("FileResponse")
             or
             // Handle `django.http.FileResponse` alias
-            t.start() and
             result = http_attr("FileResponse")
-            or
-            // subclass
-            result.asExpr().(ClassExpr).getABase() = classRef(t.continue()).asExpr()
-            or
-            exists(DataFlow::TypeTracker t2 | result = classRef(t2).track(t2, t))
           }
 
           /** Gets a reference to the `django.http.response.FileResponse` class. */
-          DataFlow::Node classRef() { result = classRef(DataFlow::TypeTracker::end()) }
+          API::Node classRef() { result = baseClassRef().getASubclass*() }
 
           /**
            * A source of instances of `django.http.response.FileResponse`, extend this class to model new instances.
@@ -1693,10 +1306,8 @@ private module PrivateDjango {
           abstract class InstanceSource extends HttpResponse::InstanceSource, DataFlow::Node { }
 
           /** A direct instantiation of `django.http.response.FileResponse`. */
-          private class ClassInstantiation extends InstanceSource, DataFlow::CfgNode {
-            override CallNode node;
-
-            ClassInstantiation() { node.getFunction() = classRef().asCfgNode() }
+          private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
+            ClassInstantiation() { this = classRef().getACall() }
 
             override DataFlow::Node getBody() {
               result.asCfgNode() in [node.getArg(0), node.getArgByName("streaming_content")]
@@ -1712,7 +1323,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.FileResponse`. */
-          private DataFlow::Node instance(DataFlow::TypeTracker t) {
+          private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
             t.start() and
             result instanceof InstanceSource
             or
@@ -1720,7 +1331,7 @@ private module PrivateDjango {
           }
 
           /** Gets a reference to an instance of `django.http.response.FileResponse`. */
-          DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+          DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
         }
 
         /** Gets a reference to the `django.http.response.HttpResponse.write` function. */
@@ -1767,7 +1378,7 @@ private module PrivateDjango {
     // django.shortcuts
     // -------------------------------------------------------------------------
     /** Gets a reference to the `django.shortcuts` module. */
-    DataFlow::Node shortcuts() { result = django_attr("shortcuts") }
+    API::Node shortcuts() { result = django_attr("shortcuts") }
 
     /** Provides models for the `django.shortcuts` module */
     module shortcuts {
@@ -1775,40 +1386,8 @@ private module PrivateDjango {
        * Gets a reference to the attribute `attr_name` of the `django.shortcuts` module.
        * WARNING: Only holds for a few predefined attributes.
        */
-      private DataFlow::Node shortcuts_attr(DataFlow::TypeTracker t, string attr_name) {
-        attr_name in ["redirect"] and
-        (
-          t.start() and
-          result = DataFlow::importNode("django.shortcuts" + "." + attr_name)
-          or
-          t.startInAttr(attr_name) and
-          result = shortcuts()
-        )
-        or
-        // Due to bad performance when using normal setup with `shortcuts_attr(t2, attr_name).track(t2, t)`
-        // we have inlined that code and forced a join
-        exists(DataFlow::TypeTracker t2 |
-          exists(DataFlow::StepSummary summary |
-            shortcuts_attr_first_join(t2, attr_name, result, summary) and
-            t = t2.append(summary)
-          )
-        )
-      }
-
-      pragma[nomagic]
-      private predicate shortcuts_attr_first_join(
-        DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res,
-        DataFlow::StepSummary summary
-      ) {
-        DataFlow::StepSummary::step(shortcuts_attr(t2, attr_name), res, summary)
-      }
-
-      /**
-       * Gets a reference to the attribute `attr_name` of the `django.shortcuts` module.
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private DataFlow::Node shortcuts_attr(string attr_name) {
-        result = shortcuts_attr(DataFlow::TypeTracker::end(), attr_name)
+      private API::Node shortcuts_attr(string attr_name) {
+        result = shortcuts().getMember(attr_name)
       }
 
       /**
@@ -1816,7 +1395,7 @@ private module PrivateDjango {
        *
        * See https://docs.djangoproject.com/en/3.1/topics/http/shortcuts/#redirect
        */
-      DataFlow::Node redirect() { result = shortcuts_attr("redirect") }
+      API::Node redirect() { result = shortcuts_attr("redirect") }
     }
   }
 
@@ -1840,7 +1419,7 @@ private module PrivateDjango {
      * Note: TODO: This doesn't take MRO into account
      * Note: TODO: This doesn't take staticmethod/classmethod into account
      */
-    private DataFlow::Node getASelfRef(DataFlow::TypeTracker t) {
+    private DataFlow::LocalSourceNode getASelfRef(DataFlow::TypeTracker t) {
       t.start() and
       result.(DataFlow::ParameterNode).getParameter() = this.getAMethod().getArg(0)
       or
@@ -1854,7 +1433,7 @@ private module PrivateDjango {
      * Note: TODO: This doesn't take MRO into account
      * Note: TODO: This doesn't take staticmethod/classmethod into account
      */
-    DataFlow::Node getASelfRef() { result = this.getASelfRef(DataFlow::TypeTracker::end()) }
+    DataFlow::Node getASelfRef() { this.getASelfRef(DataFlow::TypeTracker::end()).flowsTo(result) }
   }
 
   // ---------------------------------------------------------------------------
@@ -1931,7 +1510,9 @@ private module PrivateDjango {
    * route, but currently it just tracks all functions, since we can't do type-tracking
    * backwards yet (TODO).
    */
-  private DataFlow::Node djangoRouteHandlerFunctionTracker(DataFlow::TypeTracker t, Function func) {
+  private DataFlow::LocalSourceNode djangoRouteHandlerFunctionTracker(
+    DataFlow::TypeTracker t, Function func
+  ) {
     t.start() and
     (
       not exists(func.getADecorator()) and
@@ -1959,7 +1540,7 @@ private module PrivateDjango {
    * backwards yet (TODO).
    */
   private DataFlow::Node djangoRouteHandlerFunctionTracker(Function func) {
-    result = djangoRouteHandlerFunctionTracker(DataFlow::TypeTracker::end(), func)
+    djangoRouteHandlerFunctionTracker(DataFlow::TypeTracker::end(), func).flowsTo(result)
   }
 
   /**
@@ -1972,7 +1553,7 @@ private module PrivateDjango {
    */
   class DjangoViewClassHelper extends Class {
     /** Gets a reference to this class. */
-    private DataFlow::Node getARef(DataFlow::TypeTracker t) {
+    private DataFlow::LocalSourceNode getARef(DataFlow::TypeTracker t) {
       t.start() and
       result.asExpr().(ClassExpr) = this.getParent()
       or
@@ -1980,10 +1561,10 @@ private module PrivateDjango {
     }
 
     /** Gets a reference to this class. */
-    DataFlow::Node getARef() { result = this.getARef(DataFlow::TypeTracker::end()) }
+    DataFlow::Node getARef() { this.getARef(DataFlow::TypeTracker::end()).flowsTo(result) }
 
     /** Gets a reference to the `as_view` classmethod of this class. */
-    private DataFlow::Node asViewRef(DataFlow::TypeTracker t) {
+    private DataFlow::LocalSourceNode asViewRef(DataFlow::TypeTracker t) {
       t.startInAttr("as_view") and
       result = this.getARef()
       or
@@ -1991,10 +1572,10 @@ private module PrivateDjango {
     }
 
     /** Gets a reference to the `as_view` classmethod of this class. */
-    DataFlow::Node asViewRef() { result = this.asViewRef(DataFlow::TypeTracker::end()) }
+    DataFlow::Node asViewRef() { this.asViewRef(DataFlow::TypeTracker::end()).flowsTo(result) }
 
     /** Gets a reference to the result of calling the `as_view` classmethod of this class. */
-    private DataFlow::Node asViewResult(DataFlow::TypeTracker t) {
+    private DataFlow::LocalSourceNode asViewResult(DataFlow::TypeTracker t) {
       t.start() and
       result.asCfgNode().(CallNode).getFunction() = this.asViewRef().asCfgNode()
       or
@@ -2002,7 +1583,7 @@ private module PrivateDjango {
     }
 
     /** Gets a reference to the result of calling the `as_view` classmethod of this class. */
-    DataFlow::Node asViewResult() { result = asViewResult(DataFlow::TypeTracker::end()) }
+    DataFlow::Node asViewResult() { asViewResult(DataFlow::TypeTracker::end()).flowsTo(result) }
   }
 
   /** A class that we consider a django View class. */
@@ -2142,10 +1723,8 @@ private module PrivateDjango {
    *
    * See https://docs.djangoproject.com/en/3.0/ref/urls/#path
    */
-  private class DjangoUrlsPathCall extends DjangoRouteSetup {
-    override CallNode node;
-
-    DjangoUrlsPathCall() { node.getFunction() = django::urls::path().asCfgNode() }
+  private class DjangoUrlsPathCall extends DjangoRouteSetup, DataFlow::CallCfgNode {
+    DjangoUrlsPathCall() { this = django::urls::path().getACall() }
 
     override DataFlow::Node getUrlPatternArg() {
       result.asCfgNode() = [node.getArg(0), node.getArgByName("route")]
@@ -2228,11 +1807,9 @@ private module PrivateDjango {
    *
    * See https://docs.djangoproject.com/en/3.0/ref/urls/#re_path
    */
-  private class DjangoUrlsRePathCall extends DjangoRegexRouteSetup {
-    override CallNode node;
-
+  private class DjangoUrlsRePathCall extends DjangoRegexRouteSetup, DataFlow::CallCfgNode {
     DjangoUrlsRePathCall() {
-      node.getFunction() = django::urls::re_path().asCfgNode() and
+      this = django::urls::re_path().getACall() and
       // `django.conf.urls.url` (which we support directly with
       // `DjangoConfUrlsUrlCall`), is implemented in Django 2+ as backward compatibility
       // using `django.urls.re_path`. See
@@ -2263,10 +1840,8 @@ private module PrivateDjango {
    *
    * See https://docs.djangoproject.com/en/1.11/ref/urls/#django.conf.urls.url
    */
-  private class DjangoConfUrlsUrlCall extends DjangoRegexRouteSetup {
-    override CallNode node;
-
-    DjangoConfUrlsUrlCall() { node.getFunction() = django::conf::conf_urls::url().asCfgNode() }
+  private class DjangoConfUrlsUrlCall extends DjangoRegexRouteSetup, DataFlow::CallCfgNode {
+    DjangoConfUrlsUrlCall() { this = django::conf::conf_urls::url().getACall() }
 
     override DataFlow::Node getUrlPatternArg() {
       result.asCfgNode() = [node.getArg(0), node.getArgByName("regex")]
@@ -2374,10 +1949,8 @@ private module PrivateDjango {
    * See https://docs.djangoproject.com/en/3.1/topics/http/shortcuts/#redirect
    */
   private class DjangoShortcutsRedirectCall extends HTTP::Server::HttpRedirectResponse::Range,
-    DataFlow::CfgNode {
-    override CallNode node;
-
-    DjangoShortcutsRedirectCall() { node.getFunction() = django::shortcuts::redirect().asCfgNode() }
+    DataFlow::CallCfgNode {
+    DjangoShortcutsRedirectCall() { this = django::shortcuts::redirect().getACall() }
 
     /**
      * Gets the data-flow node that specifies the location of this HTTP redirect response.

From 29e320627fcf1e34126f0070e021b4edd9e5a72a Mon Sep 17 00:00:00 2001
From: edvraa <80588099+edvraa@users.noreply.github.com>
Date: Fri, 16 Apr 2021 23:19:29 +0300
Subject: [PATCH 0452/1429] Regex injection

---
 .../Security/CWE/CWE-730/RegexInjection.java  | 38 ++++++++
 .../Security/CWE/CWE-730/RegexInjection.qhelp | 48 +++++++++++
 .../Security/CWE/CWE-730/RegexInjection.ql    | 72 ++++++++++++++++
 .../security/CWE-730/RegexInjection.expected  | 39 +++++++++
 .../security/CWE-730/RegexInjection.java      | 86 +++++++++++++++++++
 .../security/CWE-730/RegexInjection.qlref     |  1 +
 .../query-tests/security/CWE-730/options      |  1 +
 7 files changed, 285 insertions(+)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.java
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.qhelp
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.qlref
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-730/options

diff --git a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.java b/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.java
new file mode 100644
index 00000000000..387648a443e
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.java
@@ -0,0 +1,38 @@
+package com.example.demo;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class DemoApplication {
+
+    @GetMapping("/string1")
+    public String string1(@RequestParam(value = "input", defaultValue = "test") String input,
+                          @RequestParam(value = "pattern", defaultValue = ".*") String pattern) {
+        // BAD: Unsanitized user input is used to construct a regular expression
+        if (input.matches("^" + pattern + "=.*$"))
+            return "match!";
+
+        return "doesn't match!";
+    }
+
+    @GetMapping("/string2")
+    public String string2(@RequestParam(value = "input", defaultValue = "test") String input,
+                          @RequestParam(value = "pattern", defaultValue = ".*") String pattern) {
+        // GOOD: User input is sanitized before constructing the regex
+        if (input.matches("^" + escapeSpecialRegexChars(pattern) + "=.*$"))
+            return "match!";
+
+        return "doesn't match!";
+    }
+
+    Pattern SPECIAL_REGEX_CHARS = Pattern.compile("[{}()\\[\\]><-=!.+*?^$\\\\|]");
+
+    String escapeSpecialRegexChars(String str) {
+        return SPECIAL_REGEX_CHARS.matcher(str).replaceAll("\\\\$0");
+    }
+}
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.qhelp
new file mode 100644
index 00000000000..6cd80b52f75
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.qhelp
@@ -0,0 +1,48 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Constructing a regular expression with unsanitized user input is dangerous as a malicious user may
+be able to modify the meaning of the expression. In particular, such a user may be able to provide
+a regular expression fragment that takes exponential time in the worst case, and use that to
+perform a Denial of Service attack.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Before embedding user input into a regular expression, use a sanitization function
+to escape meta-characters that have special meaning.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows a HTTP request parameter that is used to construct a regular expression:
+</p>
+<sample src="RegexInjection.java" />
+<p>
+In the first case the user-provided regex is not escaped.
+If a malicious user provides a regex that has exponential worst case performance,
+then this could lead to a Denial of Service.
+</p>
+<p>
+In the second case, the user input is escaped using <code>escapeSpecialRegexChars</code> before being included
+in the regular expression. This ensures that the user cannot insert characters which have a special
+meaning in regular expressions.
+</p>
+</example>
+
+<references>
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">Regular expression Denial of Service - ReDoS</a>.
+</li>
+<li>
+Wikipedia: <a href="https://en.wikipedia.org/wiki/ReDoS">ReDoS</a>.
+</li>
+</references>
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
new file mode 100644
index 00000000000..58d0d81d615
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
@@ -0,0 +1,72 @@
+/**
+ * @name Regular expression injection
+ * @description User input should not be used in regular expressions without first being sanitized,
+ *              otherwise a malicious user may be able to provide a regex that could require
+ *              exponential time on certain inputs.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/regex-injection
+ * @tags security
+ *       external/cwe/cwe-730
+ *       external/cwe/cwe-400
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+import DataFlow::PathGraph
+
+class RegexSink extends DataFlow::ExprNode {
+  RegexSink() {
+    exists(MethodAccess ma, Method m | m = ma.getMethod() |
+      (
+        ma.getArgument(0) = this.asExpr() and
+        (
+          m.getDeclaringType().hasQualifiedName("java.lang", "String") and
+          (
+            m.hasName("matches") or
+            m.hasName("split") or
+            m.hasName("replaceFirst") or
+            m.hasName("replaceAll")
+          )
+          or
+          m.getDeclaringType().hasQualifiedName("java.util.regex", "Pattern") and
+          (
+            m.hasName("compile") or
+            m.hasName("matches")
+          )
+        )
+      )
+    )
+  }
+}
+
+abstract class Sanitizer extends DataFlow::ExprNode { }
+
+class RegExpSanitizationCall extends Sanitizer {
+  RegExpSanitizationCall() {
+    exists(string calleeName, string sanitize, string regexp |
+      calleeName = this.asExpr().(Call).getCallee().getName() and
+      sanitize = "(?:escape|saniti[sz]e)" and
+      regexp = "regexp?"
+    |
+      calleeName.regexpMatch("(?i)(" + sanitize + ".*" + regexp + ".*)" + "|(" + regexp + ".*" + sanitize + ".*)")
+    )
+  }
+}
+
+class RegexInjectionConfiguration extends TaintTracking::Configuration {
+  RegexInjectionConfiguration() { this = "RegexInjectionConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof RegexSink }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, RegexInjectionConfiguration c
+where c.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "$@ is user controlled.", source.getNode(),
+  "This regular expression pattern"
diff --git a/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.expected
new file mode 100644
index 00000000000..521a45d3d47
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.expected
@@ -0,0 +1,39 @@
+edges
+| RegexInjection.java:11:22:11:52 | getParameter(...) : String | RegexInjection.java:14:26:14:47 | ... + ... |
+| RegexInjection.java:18:22:18:52 | getParameter(...) : String | RegexInjection.java:21:24:21:30 | pattern |
+| RegexInjection.java:25:22:25:52 | getParameter(...) : String | RegexInjection.java:28:31:28:37 | pattern |
+| RegexInjection.java:32:22:32:52 | getParameter(...) : String | RegexInjection.java:35:29:35:35 | pattern |
+| RegexInjection.java:39:22:39:52 | getParameter(...) : String | RegexInjection.java:42:34:42:40 | pattern |
+| RegexInjection.java:49:22:49:52 | getParameter(...) : String | RegexInjection.java:52:28:52:34 | pattern |
+| RegexInjection.java:56:22:56:52 | getParameter(...) : String | RegexInjection.java:59:28:59:34 | pattern |
+| RegexInjection.java:63:22:63:52 | getParameter(...) : String | RegexInjection.java:66:36:66:42 | pattern : String |
+| RegexInjection.java:66:32:66:43 | foo(...) : String | RegexInjection.java:66:26:66:52 | ... + ... |
+| RegexInjection.java:66:36:66:42 | pattern : String | RegexInjection.java:66:32:66:43 | foo(...) : String |
+nodes
+| RegexInjection.java:11:22:11:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:14:26:14:47 | ... + ... | semmle.label | ... + ... |
+| RegexInjection.java:18:22:18:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:21:24:21:30 | pattern | semmle.label | pattern |
+| RegexInjection.java:25:22:25:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:28:31:28:37 | pattern | semmle.label | pattern |
+| RegexInjection.java:32:22:32:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:35:29:35:35 | pattern | semmle.label | pattern |
+| RegexInjection.java:39:22:39:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:42:34:42:40 | pattern | semmle.label | pattern |
+| RegexInjection.java:49:22:49:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:52:28:52:34 | pattern | semmle.label | pattern |
+| RegexInjection.java:56:22:56:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:59:28:59:34 | pattern | semmle.label | pattern |
+| RegexInjection.java:63:22:63:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:66:26:66:52 | ... + ... | semmle.label | ... + ... |
+| RegexInjection.java:66:32:66:43 | foo(...) : String | semmle.label | foo(...) : String |
+| RegexInjection.java:66:36:66:42 | pattern : String | semmle.label | pattern : String |
+#select
+| RegexInjection.java:14:26:14:47 | ... + ... | RegexInjection.java:11:22:11:52 | getParameter(...) : String | RegexInjection.java:14:26:14:47 | ... + ... | $@ is user controlled. | RegexInjection.java:11:22:11:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:21:24:21:30 | pattern | RegexInjection.java:18:22:18:52 | getParameter(...) : String | RegexInjection.java:21:24:21:30 | pattern | $@ is user controlled. | RegexInjection.java:18:22:18:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:28:31:28:37 | pattern | RegexInjection.java:25:22:25:52 | getParameter(...) : String | RegexInjection.java:28:31:28:37 | pattern | $@ is user controlled. | RegexInjection.java:25:22:25:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:35:29:35:35 | pattern | RegexInjection.java:32:22:32:52 | getParameter(...) : String | RegexInjection.java:35:29:35:35 | pattern | $@ is user controlled. | RegexInjection.java:32:22:32:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:42:34:42:40 | pattern | RegexInjection.java:39:22:39:52 | getParameter(...) : String | RegexInjection.java:42:34:42:40 | pattern | $@ is user controlled. | RegexInjection.java:39:22:39:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:52:28:52:34 | pattern | RegexInjection.java:49:22:49:52 | getParameter(...) : String | RegexInjection.java:52:28:52:34 | pattern | $@ is user controlled. | RegexInjection.java:49:22:49:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:59:28:59:34 | pattern | RegexInjection.java:56:22:56:52 | getParameter(...) : String | RegexInjection.java:59:28:59:34 | pattern | $@ is user controlled. | RegexInjection.java:56:22:56:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:66:26:66:52 | ... + ... | RegexInjection.java:63:22:63:52 | getParameter(...) : String | RegexInjection.java:66:26:66:52 | ... + ... | $@ is user controlled. | RegexInjection.java:63:22:63:52 | getParameter(...) | This regular expression pattern |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.java b/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.java
new file mode 100644
index 00000000000..c203360e105
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.java
@@ -0,0 +1,86 @@
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.ServletException;
+
+public class RegexInjection extends HttpServlet {
+  public boolean string1(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    return input.matches("^" + pattern + "=.*$");  // BAD
+  }
+
+  public boolean string2(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    return input.split(pattern).length > 0;  // BAD
+  }
+
+  public boolean string3(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    return input.replaceFirst(pattern, "").length() > 0;  // BAD
+  }
+
+  public boolean string4(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    return input.replaceAll(pattern, "").length() > 0;  // BAD
+  }
+
+  public boolean pattern1(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    Pattern pt = Pattern.compile(pattern);
+    Matcher matcher = pt.matcher(input);
+
+    return matcher.find();  // BAD
+  }
+
+  public boolean pattern2(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    return Pattern.compile(pattern).matcher(input).matches();  // BAD
+  }
+
+  public boolean pattern3(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    return Pattern.matches(pattern, input);  // BAD
+  }
+
+  public boolean pattern4(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    return input.matches("^" + foo(pattern) + "=.*$"); // BAD
+  }
+
+  String foo(String str) {
+    return str;
+  }
+
+  public boolean pattern5(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    // GOOD: User input is sanitized before constructing the regex
+    return input.matches("^" + escapeSpecialRegexChars(pattern) + "=.*$");
+  }
+
+  Pattern SPECIAL_REGEX_CHARS = Pattern.compile("[{}()\\[\\]><-=!.+*?^$\\\\|]");
+
+  String escapeSpecialRegexChars(String str) {
+    return SPECIAL_REGEX_CHARS.matcher(str).replaceAll("\\\\$0");
+  }
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.qlref
new file mode 100644
index 00000000000..dca594b38d2
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-730/RegexInjection.ql
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-730/options b/java/ql/test/experimental/query-tests/security/CWE-730/options
new file mode 100644
index 00000000000..dd125ad0f4e
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-730/options
@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4
\ No newline at end of file

From e36b42a03f3cd7797b548d94ebb5736957804340 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Sat, 17 Apr 2021 09:47:15 +0200
Subject: [PATCH 0453/1429] Java: Fix invalid id in experimental query

The invalid id broke CI here: https://github.com/github/codeql/pull/5703 (see https://github.slack.com/archives/CPSEA0G22/p1618602834224600)
---
 java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
index c28af8aaa15..71ee842f162 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -5,7 +5,7 @@
  * @kind path-problem
  * @problem.severity error
  * @precision high
- * @id java/JSONP-Injection
+ * @id java/jsonp-injection
  * @tags security
  *       external/cwe/cwe-352
  */

From daad62c4e0d996cc463dd69ac55192989f42836d Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Fri, 16 Apr 2021 14:52:00 +0200
Subject: [PATCH 0454/1429] Java: Add TaintedPath test.

---
 .../CWE-022/semmle/tests/TaintedPath.expected |  7 +++++++
 .../security/CWE-022/semmle/tests/Test.java   | 19 ++++++++++++++++---
 .../security/CWE-022/semmle/tests/options     |  1 +
 3 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 java/ql/test/query-tests/security/CWE-022/semmle/tests/options

diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
index 2f761c646ea..1586ee69824 100644
--- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
+++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
@@ -2,12 +2,19 @@ edges
 | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp |
 | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:27:21:27:24 | temp |
 | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:30:44:30:47 | temp |
+| Test.java:19:18:19:38 | getHostName(...) : String | Test.java:34:21:34:24 | temp |
+| Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:81:67:81:81 | ... + ... |
 nodes
 | Test.java:19:18:19:38 | getHostName(...) : String | semmle.label | getHostName(...) : String |
 | Test.java:24:20:24:23 | temp | semmle.label | temp |
 | Test.java:27:21:27:24 | temp | semmle.label | temp |
 | Test.java:30:44:30:47 | temp | semmle.label | temp |
+| Test.java:34:21:34:24 | temp | semmle.label | temp |
+| Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
+| Test.java:81:67:81:81 | ... + ... | semmle.label | ... + ... |
 #select
 | Test.java:24:11:24:24 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
 | Test.java:27:11:27:25 | get(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:27:21:27:24 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
 | Test.java:30:11:30:48 | getPath(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:30:44:30:47 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
+| Test.java:34:12:34:25 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:34:21:34:24 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
+| Test.java:81:52:81:88 | new FileWriter(...) | Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:81:67:81:81 | ... + ... | $@ flows to here and is used in a path. | Test.java:79:74:79:97 | getInputStream(...) | User-provided value |
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
index 21f218eca05..72926a61df5 100644
--- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
+++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
@@ -3,10 +3,10 @@
 package test.cwe22.semmle.tests;
 
 
+import javax.servlet.http.*;
+import javax.servlet.ServletException;
 
-
-import java.io.IOException;
-import java.io.File;
+import java.io.*;
 import java.net.InetAddress;
 import java.nio.file.Path;
 import java.nio.file.Paths;
@@ -28,6 +28,11 @@ class Test {
 					
 			// BAD: construct a path with user input
 			path = FileSystems.getDefault().getPath(temp);
+
+			// BAD: insufficient check
+			if (temp.startsWith("/some_safe_dir/")) {
+				file = new File(temp);
+			}
 	}
 	
 	void doGet2(InetAddress address)
@@ -68,4 +73,12 @@ class Test {
 			return false;
 		return true;
 	}
+
+    public class MyServlet extends HttpServlet {
+        public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+            BufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));
+            String filename = br.readLine();
+            BufferedWriter bw = new BufferedWriter(new FileWriter("dir/"+filename, true));
+        }
+    }
 }
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/options b/java/ql/test/query-tests/security/CWE-022/semmle/tests/options
new file mode 100644
index 00000000000..a41b28dc245
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/options
@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/servlet-api-2.4

From 06514159be9624539659b0960e727c4092434cb7 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Mon, 19 Apr 2021 10:58:21 +0200
Subject: [PATCH 0455/1429] Java: Add XXE tests.

---
 .../security/CWE-611/SAXSourceTests.java      | 41 ++++++++++
 .../security/CWE-611/UnmarshallerTests.java   | 30 ++++++++
 .../query-tests/security/CWE-611/XXE.expected |  6 ++
 .../test/query-tests/security/CWE-611/options |  2 +-
 .../javax/xml/bind/JAXBContext.java           | 33 ++++++++
 .../javax/xml/bind/Unmarshaller.java          | 76 +++++++++++++++++++
 6 files changed, 187 insertions(+), 1 deletion(-)
 create mode 100644 java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java
 create mode 100644 java/ql/test/query-tests/security/CWE-611/UnmarshallerTests.java
 create mode 100644 java/ql/test/stubs/jaxb-api-2.3.1/javax/xml/bind/JAXBContext.java
 create mode 100644 java/ql/test/stubs/jaxb-api-2.3.1/javax/xml/bind/Unmarshaller.java

diff --git a/java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java b/java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java
new file mode 100644
index 00000000000..f4a361c518b
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java
@@ -0,0 +1,41 @@
+import java.net.Socket;
+
+import javax.xml.parsers.SAXParser;
+import javax.xml.parsers.SAXParserFactory;
+import javax.xml.transform.sax.SAXSource;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Unmarshaller;
+
+import org.xml.sax.InputSource;
+import org.xml.sax.XMLReader;
+import org.xml.sax.helpers.XMLReaderFactory;
+
+public class SAXSourceTests {
+
+  public void unsafeSource(Socket sock) throws Exception {
+    XMLReader reader = XMLReaderFactory.createXMLReader();
+    SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream()));
+    JAXBContext jc = JAXBContext.newInstance(Object.class);
+    Unmarshaller um = jc.createUnmarshaller();
+    um.unmarshal(source); //unsafe
+  }
+
+  public void explicitlySafeSource1(Socket sock) throws Exception {
+    XMLReader reader = XMLReaderFactory.createXMLReader();
+    reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
+    SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); //safe
+  }
+
+  public void createdSafeSource(Socket sock) throws Exception {
+    SAXParserFactory factory = SAXParserFactory.newInstance();
+    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+    SAXParser parser = factory.newSAXParser();
+    XMLReader reader = parser.getXMLReader();
+    SAXSource source = new SAXSource(parser.getXMLReader(), new InputSource(sock.getInputStream())); //safe
+    SAXSource source2 = new SAXSource(reader, new InputSource(sock.getInputStream())); //safe
+  }
+}
diff --git a/java/ql/test/query-tests/security/CWE-611/UnmarshallerTests.java b/java/ql/test/query-tests/security/CWE-611/UnmarshallerTests.java
new file mode 100644
index 00000000000..f29018d599a
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-611/UnmarshallerTests.java
@@ -0,0 +1,30 @@
+import java.net.Socket;
+
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.parsers.SAXParserFactory;
+import javax.xml.transform.Source;
+import javax.xml.transform.sax.SAXSource;
+
+import org.xml.sax.InputSource;
+
+public class UnmarshallerTests {
+
+  public void safeUnmarshal(Socket sock) throws Exception {
+    SAXParserFactory spf = SAXParserFactory.newInstance();
+    spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+    spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+    JAXBContext jc = JAXBContext.newInstance(Object.class);
+    Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(sock.getInputStream()));
+    Unmarshaller um = jc.createUnmarshaller();
+    um.unmarshal(xmlSource); //safe
+  }
+
+  public void unsafeUnmarshal(Socket sock) throws Exception {
+    SAXParserFactory spf = SAXParserFactory.newInstance();
+    JAXBContext jc = JAXBContext.newInstance(Object.class);
+    Unmarshaller um = jc.createUnmarshaller();
+    um.unmarshal(sock.getInputStream()); //unsafe
+  }
+}
diff --git a/java/ql/test/query-tests/security/CWE-611/XXE.expected b/java/ql/test/query-tests/security/CWE-611/XXE.expected
index 4cdedb8d0aa..5a73087602f 100644
--- a/java/ql/test/query-tests/security/CWE-611/XXE.expected
+++ b/java/ql/test/query-tests/security/CWE-611/XXE.expected
@@ -2,6 +2,7 @@ edges
 | DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) : InputStream | DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) |
 | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) |
 | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) |
+| SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | SAXSourceTests.java:20:18:20:23 | source |
 | SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | SchemaTests.java:12:39:12:77 | new StreamSource(...) |
 | SchemaTests.java:25:56:25:76 | getInputStream(...) : InputStream | SchemaTests.java:25:39:25:77 | new StreamSource(...) |
 | SchemaTests.java:31:56:31:76 | getInputStream(...) : InputStream | SchemaTests.java:31:39:31:77 | new StreamSource(...) |
@@ -78,6 +79,8 @@ nodes
 | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | semmle.label | getInputStream(...) |
+| SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SAXSourceTests.java:20:18:20:23 | source | semmle.label | source |
 | SchemaTests.java:12:39:12:77 | new StreamSource(...) | semmle.label | new StreamSource(...) |
 | SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | SchemaTests.java:25:39:25:77 | new StreamSource(...) | semmle.label | new StreamSource(...) |
@@ -163,6 +166,7 @@ nodes
 | TransformerTests.java:136:38:136:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | TransformerTests.java:141:18:141:70 | new SAXSource(...) | semmle.label | new SAXSource(...) |
 | TransformerTests.java:141:48:141:68 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | semmle.label | getInputStream(...) |
 | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | semmle.label | new InputSource(...) |
 | XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | semmle.label | new InputSource(...) |
@@ -220,6 +224,7 @@ nodes
 | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | user input |
 | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | user input |
 | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | user input |
+| SAXSourceTests.java:20:18:20:23 | source | SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | SAXSourceTests.java:20:18:20:23 | source | Unsafe parsing of XML file from $@. | SAXSourceTests.java:17:62:17:82 | getInputStream(...) | user input |
 | SchemaTests.java:12:39:12:77 | new StreamSource(...) | SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | SchemaTests.java:12:39:12:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:12:56:12:76 | getInputStream(...) | user input |
 | SchemaTests.java:25:39:25:77 | new StreamSource(...) | SchemaTests.java:25:56:25:76 | getInputStream(...) : InputStream | SchemaTests.java:25:39:25:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:25:56:25:76 | getInputStream(...) | user input |
 | SchemaTests.java:31:39:31:77 | new StreamSource(...) | SchemaTests.java:31:56:31:76 | getInputStream(...) : InputStream | SchemaTests.java:31:39:31:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:31:56:31:76 | getInputStream(...) | user input |
@@ -267,6 +272,7 @@ nodes
 | TransformerTests.java:129:21:129:59 | new StreamSource(...) | TransformerTests.java:129:38:129:58 | getInputStream(...) : InputStream | TransformerTests.java:129:21:129:59 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:129:38:129:58 | getInputStream(...) | user input |
 | TransformerTests.java:136:21:136:59 | new StreamSource(...) | TransformerTests.java:136:38:136:58 | getInputStream(...) : InputStream | TransformerTests.java:136:21:136:59 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:136:38:136:58 | getInputStream(...) | user input |
 | TransformerTests.java:141:18:141:70 | new SAXSource(...) | TransformerTests.java:141:48:141:68 | getInputStream(...) : InputStream | TransformerTests.java:141:18:141:70 | new SAXSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:141:48:141:68 | getInputStream(...) | user input |
+| UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | user input |
 | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:16:34:16:54 | getInputStream(...) | user input |
 | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | XMLReaderTests.java:56:34:56:54 | getInputStream(...) : InputStream | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:56:34:56:54 | getInputStream(...) | user input |
 | XMLReaderTests.java:63:18:63:55 | new InputSource(...) | XMLReaderTests.java:63:34:63:54 | getInputStream(...) : InputStream | XMLReaderTests.java:63:18:63:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:63:34:63:54 | getInputStream(...) | user input |
diff --git a/java/ql/test/query-tests/security/CWE-611/options b/java/ql/test/query-tests/security/CWE-611/options
index 6bfedccfc25..89b9a39f7ce 100644
--- a/java/ql/test/query-tests/security/CWE-611/options
+++ b/java/ql/test/query-tests/security/CWE-611/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1
diff --git a/java/ql/test/stubs/jaxb-api-2.3.1/javax/xml/bind/JAXBContext.java b/java/ql/test/stubs/jaxb-api-2.3.1/javax/xml/bind/JAXBContext.java
new file mode 100644
index 00000000000..b588264557d
--- /dev/null
+++ b/java/ql/test/stubs/jaxb-api-2.3.1/javax/xml/bind/JAXBContext.java
@@ -0,0 +1,33 @@
+package javax.xml.bind;
+
+import java.util.Map;
+
+abstract public class JAXBContext {
+  protected JAXBContext() { }
+
+//  public static final String JAXB_CONTEXT_FACTORY;
+//
+//  public Binder<Node> createBinder() { return null; }
+//
+//  public Binder<T> createBinder(Class<T> p0) { return null; }
+//
+//  public JAXBIntrospector createJAXBIntrospector() { return null; }
+//
+//  abstract public Marshaller createMarshaller();
+
+  abstract public Unmarshaller createUnmarshaller();
+
+//  abstract public Validator createValidator();
+//
+//  public void generateSchema(SchemaOutputResolver p0) { }
+
+  public static JAXBContext newInstance(Class... p0) { return null; }
+
+  public static JAXBContext newInstance(Class<?>[] p0, Map<String,?> p1) { return null; }
+
+  public static JAXBContext newInstance(String p0) { return null; }
+
+  public static JAXBContext newInstance(String p0, ClassLoader p1) { return null; }
+
+  public static JAXBContext newInstance(String p0, ClassLoader p1, Map<String,?> p2) { return null; }
+}
diff --git a/java/ql/test/stubs/jaxb-api-2.3.1/javax/xml/bind/Unmarshaller.java b/java/ql/test/stubs/jaxb-api-2.3.1/javax/xml/bind/Unmarshaller.java
new file mode 100644
index 00000000000..6781205fe89
--- /dev/null
+++ b/java/ql/test/stubs/jaxb-api-2.3.1/javax/xml/bind/Unmarshaller.java
@@ -0,0 +1,76 @@
+package javax.xml.bind;
+
+import java.net.URL;
+import java.io.Reader;
+import java.io.InputStream;
+import java.io.File;
+import javax.xml.transform.Source;
+
+abstract public interface Unmarshaller {
+  abstract public static class Listener {
+    public Listener() { }
+  
+    public void afterUnmarshal(Object p0, Object p1) { }
+  
+    public void beforeUnmarshal(Object p0, Object p1) { }
+  }
+
+//  abstract public A getAdapter(Class<A> p0);
+//
+//  abstract public AttachmentUnmarshaller getAttachmentUnmarshaller();
+//
+//  abstract public ValidationEventHandler getEventHandler();
+//
+//  abstract public Listener getListener();
+
+  abstract public Object getProperty(String p0);
+
+//  abstract public Schema getSchema();
+//
+//  abstract public UnmarshallerHandler getUnmarshallerHandler();
+
+  abstract public boolean isValidating();
+
+//  abstract public void setAdapter(Class<A> p0, A p1);
+//
+//  abstract public void setAdapter(XmlAdapter p0);
+//
+//  abstract public void setAttachmentUnmarshaller(AttachmentUnmarshaller p0);
+//
+//  abstract public void setEventHandler(ValidationEventHandler p0);
+//
+//  abstract public void setListener(Listener p0);
+//
+//  abstract public void setProperty(String p0, Object p1);
+//
+//  abstract public void setSchema(Schema p0);
+
+  abstract public void setValidating(boolean p0);
+
+  abstract public Object unmarshal(File p0);
+
+  abstract public Object unmarshal(InputStream p0);
+
+  abstract public Object unmarshal(Reader p0);
+
+  abstract public Object unmarshal(URL p0);
+
+//  abstract public Object unmarshal(XMLEventReader p0);
+//
+//  abstract public JAXBElement<T> unmarshal(XMLEventReader p0, Class<T> p1);
+//
+//  abstract public Object unmarshal(XMLStreamReader p0);
+//
+//  abstract public JAXBElement<T> unmarshal(XMLStreamReader p0, Class<T> p1);
+
+  abstract public Object unmarshal(Source p0);
+
+//  abstract public JAXBElement<T> unmarshal(Source p0, Class<T> p1);
+//
+//  abstract public Object unmarshal(Node p0);
+//
+//  abstract public JAXBElement<T> unmarshal(Node p0, Class<T> p1);
+//
+//  abstract public Object unmarshal(InputSource p0);
+}
+

From c5193cf03f1824d2a8af82394b2839c5e6ef314e Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
Date: Mon, 19 Apr 2021 13:14:56 +0200
Subject: [PATCH 0456/1429] Apply suggestions from code review

---
 .../query-tests/security/CWE-022/semmle/tests/Test.java   | 1 +
 .../test/query-tests/security/CWE-611/SAXSourceTests.java | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
index 72926a61df5..a0a6694c061 100644
--- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
+++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java
@@ -78,6 +78,7 @@ class Test {
         public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
             BufferedReader br = new BufferedReader(new InputStreamReader(request.getInputStream()));
             String filename = br.readLine();
+            // BAD: construct a file path with user input
             BufferedWriter bw = new BufferedWriter(new FileWriter("dir/"+filename, true));
         }
     }
diff --git a/java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java b/java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java
index f4a361c518b..06a4b5a43f3 100644
--- a/java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java
+++ b/java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java
@@ -17,7 +17,7 @@ public class SAXSourceTests {
     SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream()));
     JAXBContext jc = JAXBContext.newInstance(Object.class);
     Unmarshaller um = jc.createUnmarshaller();
-    um.unmarshal(source); //unsafe
+    um.unmarshal(source); // BAD
   }
 
   public void explicitlySafeSource1(Socket sock) throws Exception {
@@ -25,7 +25,7 @@ public class SAXSourceTests {
     reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
     reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
     reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
-    SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); //safe
+    SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); // GOOD
   }
 
   public void createdSafeSource(Socket sock) throws Exception {
@@ -35,7 +35,7 @@ public class SAXSourceTests {
     factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
     SAXParser parser = factory.newSAXParser();
     XMLReader reader = parser.getXMLReader();
-    SAXSource source = new SAXSource(parser.getXMLReader(), new InputSource(sock.getInputStream())); //safe
-    SAXSource source2 = new SAXSource(reader, new InputSource(sock.getInputStream())); //safe
+    SAXSource source = new SAXSource(parser.getXMLReader(), new InputSource(sock.getInputStream())); // GOOD
+    SAXSource source2 = new SAXSource(reader, new InputSource(sock.getInputStream())); // GOOD
   }
 }

From 29aec0d770b3a28682d95f9044e724b123b86140 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Mon, 19 Apr 2021 13:16:46 +0200
Subject: [PATCH 0457/1429] Java: Adjust expected output.

---
 .../security/CWE-022/semmle/tests/TaintedPath.expected      | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
index 1586ee69824..bf3e3f665f9 100644
--- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
+++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
@@ -3,7 +3,7 @@ edges
 | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:27:21:27:24 | temp |
 | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:30:44:30:47 | temp |
 | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:34:21:34:24 | temp |
-| Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:81:67:81:81 | ... + ... |
+| Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:82:67:82:81 | ... + ... |
 nodes
 | Test.java:19:18:19:38 | getHostName(...) : String | semmle.label | getHostName(...) : String |
 | Test.java:24:20:24:23 | temp | semmle.label | temp |
@@ -11,10 +11,10 @@ nodes
 | Test.java:30:44:30:47 | temp | semmle.label | temp |
 | Test.java:34:21:34:24 | temp | semmle.label | temp |
 | Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
-| Test.java:81:67:81:81 | ... + ... | semmle.label | ... + ... |
+| Test.java:82:67:82:81 | ... + ... | semmle.label | ... + ... |
 #select
 | Test.java:24:11:24:24 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
 | Test.java:27:11:27:25 | get(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:27:21:27:24 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
 | Test.java:30:11:30:48 | getPath(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:30:44:30:47 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
 | Test.java:34:12:34:25 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:34:21:34:24 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
-| Test.java:81:52:81:88 | new FileWriter(...) | Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:81:67:81:81 | ... + ... | $@ flows to here and is used in a path. | Test.java:79:74:79:97 | getInputStream(...) | User-provided value |
+| Test.java:82:52:82:88 | new FileWriter(...) | Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:82:67:82:81 | ... + ... | $@ flows to here and is used in a path. | Test.java:79:74:79:97 | getInputStream(...) | User-provided value |

From 9e6f28e335bc0561ee079ef5488b1f580cfa7255 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 19 Apr 2021 13:17:49 +0200
Subject: [PATCH 0458/1429] fix bad join order in Xss.qll

---
 javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
index bf8ad71ec99..6a7bd111a9f 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -211,7 +211,7 @@ module DomBasedXss {
       exists(JQuery::MethodCall call |
         call.interpretsArgumentAsHtml(this) and
         call.interpretsArgumentAsSelector(this) and
-        analyze().getAType() = TTString()
+        pragma[only_bind_out](analyze()).getAType() = TTString()
       )
     }
 

From 9acc71a7cba716c59444357b857c4151ba0352fd Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Mon, 19 Apr 2021 11:54:10 +0000
Subject: [PATCH 0459/1429] Python: Get rid of all `_attr` methods in
 `Django.qll`

---
 .../src/semmle/python/frameworks/Django.qll   | 116 ++++++------------
 1 file changed, 38 insertions(+), 78 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index b2dd77642d5..4c9bbddd474 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -300,19 +300,13 @@ private module PrivateDjango {
   /** Gets a reference to the `django` module. */
   API::Node django() { result = API::moduleImport("django") }
 
-  /**
-   * Gets a reference to the attribute `attr_name` of the `django` module.
-   * WARNING: Only holds for a few predefined attributes.
-   */
-  private API::Node django_attr(string attr_name) { result = django().getMember(attr_name) }
-
   /** Provides models for the `django` module. */
   module django {
     // -------------------------------------------------------------------------
     // django.db
     // -------------------------------------------------------------------------
     /** Gets a reference to the `django.db` module. */
-    API::Node db() { result = django_attr("db") }
+    API::Node db() { result = django().getMember("db") }
 
     /**
      * `django.db` implements PEP249, providing ways to execute SQL statements against a database.
@@ -473,34 +467,28 @@ private module PrivateDjango {
     // django.urls
     // -------------------------------------------------------------------------
     /** Gets a reference to the `django.urls` module. */
-    API::Node urls() { result = django_attr("urls") }
+    API::Node urls() { result = django().getMember("urls") }
 
     /** Provides models for the `django.urls` module */
     module urls {
-      /**
-       * Gets a reference to the attribute `attr_name` of the `urls` module.
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private API::Node urls_attr(string attr_name) { result = urls().getMember(attr_name) }
-
       /**
        * Gets a reference to the `django.urls.path` function.
        * See https://docs.djangoproject.com/en/3.0/ref/urls/#path
        */
-      API::Node path() { result = urls_attr("path") }
+      API::Node path() { result = urls().getMember("path") }
 
       /**
        * Gets a reference to the `django.urls.re_path` function.
        * See https://docs.djangoproject.com/en/3.0/ref/urls/#re_path
        */
-      API::Node re_path() { result = urls_attr("re_path") }
+      API::Node re_path() { result = urls().getMember("re_path") }
     }
 
     // -------------------------------------------------------------------------
     // django.conf
     // -------------------------------------------------------------------------
     /** Gets a reference to the `django.conf` module. */
-    API::Node conf() { result = django_attr("conf") }
+    API::Node conf() { result = django().getMember("conf") }
 
     /** Provides models for the `django.conf` module */
     module conf {
@@ -525,30 +513,18 @@ private module PrivateDjango {
     // django.http
     // -------------------------------------------------------------------------
     /** Gets a reference to the `django.http` module. */
-    API::Node http() { result = django_attr("http") }
+    API::Node http() { result = django().getMember("http") }
 
     /** Provides models for the `django.http` module */
     module http {
-      /**
-       * Gets a reference to the attribute `attr_name` of the `django.http` module.
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private API::Node http_attr(string attr_name) { result = http().getMember(attr_name) }
-
       // ---------------------------------------------------------------------------
       // django.http.request
       // ---------------------------------------------------------------------------
       /** Gets a reference to the `django.http.request` module. */
-      API::Node request() { result = http_attr("request") }
+      API::Node request() { result = http().getMember("request") }
 
       /** Provides models for the `django.http.request` module. */
       module request {
-        /**
-         * Gets a reference to the attribute `attr_name` of the `django.http.request` module.
-         * WARNING: Only holds for a few predefined attributes.
-         */
-        private API::Node request_attr(string attr_name) { result = request().getMember(attr_name) }
-
         /**
          * Provides models for the `django.http.request.HttpRequest` class
          *
@@ -557,10 +533,10 @@ private module PrivateDjango {
         module HttpRequest {
           /** Gets a reference to the `django.http.request.HttpRequest` class. */
           API::Node classRef() {
-            result = request_attr("HttpRequest")
+            result = request().getMember("HttpRequest")
             or
             // handle django.http.HttpRequest alias
-            result = http_attr("HttpRequest")
+            result = http().getMember("HttpRequest")
           }
 
           /**
@@ -592,18 +568,10 @@ private module PrivateDjango {
       // django.http.response
       // -------------------------------------------------------------------------
       /** Gets a reference to the `django.http.response` module. */
-      API::Node response() { result = http_attr("response") }
+      API::Node response() { result = http().getMember("response") }
 
       /** Provides models for the `django.http.response` module */
       module response {
-        /**
-         * Gets a reference to the attribute `attr_name` of the `django.http.response` module.
-         * WARNING: Only holds for a few predefined attributes.
-         */
-        private API::Node response_attr(string attr_name) {
-          result = response().getMember(attr_name)
-        }
-
         /**
          * Provides models for the `django.http.response.HttpResponse` class
          *
@@ -611,10 +579,10 @@ private module PrivateDjango {
          */
         module HttpResponse {
           API::Node baseClassRef() {
-            result = response_attr("HttpResponse")
+            result = response().getMember("HttpResponse")
             or
             // Handle `django.http.HttpResponse` alias
-            result = http_attr("HttpResponse")
+            result = http().getMember("HttpResponse")
           }
 
           /** Gets a reference to the `django.http.response.HttpResponse` class. */
@@ -672,10 +640,10 @@ private module PrivateDjango {
         module HttpResponseRedirect {
           /** Gets a reference to the `django.http.response.HttpResponseRedirect` class. */
           API::Node baseClassRef() {
-            result = response_attr("HttpResponseRedirect")
+            result = response().getMember("HttpResponseRedirect")
             or
             // Handle `django.http.HttpResponseRedirect` alias
-            result = http_attr("HttpResponseRedirect")
+            result = http().getMember("HttpResponseRedirect")
           }
 
           /** Gets a reference a subclass of the `django.http.response.HttpResponseRedirect` class. */
@@ -734,10 +702,10 @@ private module PrivateDjango {
         module HttpResponsePermanentRedirect {
           /** Gets a reference to the `django.http.response.HttpResponsePermanentRedirect` class. */
           API::Node baseClassRef() {
-            result = response_attr("HttpResponsePermanentRedirect")
+            result = response().getMember("HttpResponsePermanentRedirect")
             or
             // Handle `django.http.HttpResponsePermanentRedirect` alias
-            result = http_attr("HttpResponsePermanentRedirect")
+            result = http().getMember("HttpResponsePermanentRedirect")
           }
 
           /** Gets a reference to the `django.http.response.HttpResponsePermanentRedirect` class. */
@@ -796,11 +764,11 @@ private module PrivateDjango {
         module HttpResponseNotModified {
           /** Gets a reference to the `django.http.response.HttpResponseNotModified` class. */
           API::Node baseClassRef() {
-            result = response_attr("HttpResponseNotModified")
+            result = response().getMember("HttpResponseNotModified")
             or
             // TODO: remove/expand this part of the template as needed
             // Handle `django.http.HttpResponseNotModified` alias
-            result = http_attr("HttpResponseNotModified")
+            result = http().getMember("HttpResponseNotModified")
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseNotModified` class. */
@@ -849,10 +817,10 @@ private module PrivateDjango {
         module HttpResponseBadRequest {
           /** Gets a reference to the `django.http.response.HttpResponseBadRequest` class. */
           API::Node baseClassRef() {
-            result = response_attr("HttpResponseBadRequest")
+            result = response().getMember("HttpResponseBadRequest")
             or
             // Handle `django.http.HttpResponseBadRequest` alias
-            result = http_attr("HttpResponseBadRequest")
+            result = http().getMember("HttpResponseBadRequest")
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseBadRequest` class. */
@@ -903,10 +871,10 @@ private module PrivateDjango {
         module HttpResponseNotFound {
           /** Gets a reference to the `django.http.response.HttpResponseNotFound` class. */
           API::Node baseClassRef() {
-            result = response_attr("HttpResponseNotFound")
+            result = response().getMember("HttpResponseNotFound")
             or
             // Handle `django.http.HttpResponseNotFound` alias
-            result = http_attr("HttpResponseNotFound")
+            result = http().getMember("HttpResponseNotFound")
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseNotFound` class. */
@@ -957,10 +925,10 @@ private module PrivateDjango {
         module HttpResponseForbidden {
           /** Gets a reference to the `django.http.response.HttpResponseForbidden` class. */
           API::Node baseClassRef() {
-            result = response_attr("HttpResponseForbidden")
+            result = response().getMember("HttpResponseForbidden")
             or
             // Handle `django.http.HttpResponseForbidden` alias
-            result = http_attr("HttpResponseForbidden")
+            result = http().getMember("HttpResponseForbidden")
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseForbidden` class. */
@@ -1011,10 +979,10 @@ private module PrivateDjango {
         module HttpResponseNotAllowed {
           /** Gets a reference to the `django.http.response.HttpResponseNotAllowed` class. */
           API::Node baseClassRef() {
-            result = response_attr("HttpResponseNotAllowed")
+            result = response().getMember("HttpResponseNotAllowed")
             or
             // Handle `django.http.HttpResponseNotAllowed` alias
-            result = http_attr("HttpResponseNotAllowed")
+            result = http().getMember("HttpResponseNotAllowed")
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseNotAllowed` class. */
@@ -1066,10 +1034,10 @@ private module PrivateDjango {
         module HttpResponseGone {
           /** Gets a reference to the `django.http.response.HttpResponseGone` class. */
           API::Node baseClassRef() {
-            result = response_attr("HttpResponseGone")
+            result = response().getMember("HttpResponseGone")
             or
             // Handle `django.http.HttpResponseGone` alias
-            result = http_attr("HttpResponseGone")
+            result = http().getMember("HttpResponseGone")
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseGone` class. */
@@ -1120,10 +1088,10 @@ private module PrivateDjango {
         module HttpResponseServerError {
           /** Gets a reference to the `django.http.response.HttpResponseServerError` class. */
           API::Node baseClassRef() {
-            result = response_attr("HttpResponseServerError")
+            result = response().getMember("HttpResponseServerError")
             or
             // Handle `django.http.HttpResponseServerError` alias
-            result = http_attr("HttpResponseServerError")
+            result = http().getMember("HttpResponseServerError")
           }
 
           /** Gets a reference to the `django.http.response.HttpResponseServerError` class. */
@@ -1174,10 +1142,10 @@ private module PrivateDjango {
         module JsonResponse {
           /** Gets a reference to the `django.http.response.JsonResponse` class. */
           API::Node baseClassRef() {
-            result = response_attr("JsonResponse")
+            result = response().getMember("JsonResponse")
             or
             // Handle `django.http.JsonResponse` alias
-            result = http_attr("JsonResponse")
+            result = http().getMember("JsonResponse")
           }
 
           /** Gets a reference to the `django.http.response.JsonResponse` class. */
@@ -1231,10 +1199,10 @@ private module PrivateDjango {
         module StreamingHttpResponse {
           /** Gets a reference to the `django.http.response.StreamingHttpResponse` class. */
           API::Node baseClassRef() {
-            result = response_attr("StreamingHttpResponse")
+            result = response().getMember("StreamingHttpResponse")
             or
             // Handle `django.http.StreamingHttpResponse` alias
-            result = http_attr("StreamingHttpResponse")
+            result = http().getMember("StreamingHttpResponse")
           }
 
           /** Gets a reference to the `django.http.response.StreamingHttpResponse` class. */
@@ -1285,10 +1253,10 @@ private module PrivateDjango {
         module FileResponse {
           /** Gets a reference to the `django.http.response.FileResponse` class. */
           API::Node baseClassRef() {
-            result = response_attr("FileResponse")
+            result = response().getMember("FileResponse")
             or
             // Handle `django.http.FileResponse` alias
-            result = http_attr("FileResponse")
+            result = http().getMember("FileResponse")
           }
 
           /** Gets a reference to the `django.http.response.FileResponse` class. */
@@ -1378,24 +1346,16 @@ private module PrivateDjango {
     // django.shortcuts
     // -------------------------------------------------------------------------
     /** Gets a reference to the `django.shortcuts` module. */
-    API::Node shortcuts() { result = django_attr("shortcuts") }
+    API::Node shortcuts() { result = django().getMember("shortcuts") }
 
     /** Provides models for the `django.shortcuts` module */
     module shortcuts {
-      /**
-       * Gets a reference to the attribute `attr_name` of the `django.shortcuts` module.
-       * WARNING: Only holds for a few predefined attributes.
-       */
-      private API::Node shortcuts_attr(string attr_name) {
-        result = shortcuts().getMember(attr_name)
-      }
-
       /**
        * Gets a reference to the `django.shortcuts.redirect` function
        *
        * See https://docs.djangoproject.com/en/3.1/topics/http/shortcuts/#redirect
        */
-      API::Node redirect() { result = shortcuts_attr("redirect") }
+      API::Node redirect() { result = shortcuts().getMember("redirect") }
     }
   }
 

From a27dac029f0c742cfb0c76a93703a54a0f5d214e Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Fri, 19 Mar 2021 15:16:57 +0100
Subject: [PATCH 0460/1429] Java: Use shared flow summary library for csv
 models.

---
 .../code/java/dataflow/ExternalFlow.qll       | 88 ++++++++++++++++---
 .../semmle/code/java/dataflow/FlowSummary.qll |  4 +-
 .../java/dataflow/internal/DataFlowUtil.qll   |  2 -
 .../dataflow/internal/TaintTrackingUtil.qll   |  6 +-
 4 files changed, 79 insertions(+), 21 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 4bb79e84ead..c1ad6eb4ecf 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -67,6 +67,7 @@
 import java
 private import semmle.code.java.dataflow.DataFlow::DataFlow
 private import internal.DataFlowPrivate
+private import FlowSummary
 
 /**
  * A module importing the frameworks that provide external flow data,
@@ -459,7 +460,8 @@ module CsvValidation {
       summaryModel(_, _, _, _, _, _, input, _, _) and pred = "summary"
     |
       specSplit(input, part, _) and
-      not part.regexpMatch("|Argument|ReturnValue") and
+      not part.regexpMatch("|ReturnValue|ArrayElement|Element") and
+      not (part = "Argument" and pred = "sink") and
       not parseArg(part, _) and
       msg = "Unrecognized input specification \"" + part + "\" in " + pred + " model."
     )
@@ -470,7 +472,8 @@ module CsvValidation {
       summaryModel(_, _, _, _, _, _, _, output, _) and pred = "summary"
     |
       specSplit(output, part, _) and
-      not part.regexpMatch("|Argument|Parameter|ReturnValue") and
+      not part.regexpMatch("|ReturnValue|ArrayElement|Element") and
+      not (part = ["Argument", "Parameter"] and pred = "source") and
       not parseArg(part, _) and
       not parseParam(part, _) and
       msg = "Unrecognized output specification \"" + part + "\" in " + pred + " model."
@@ -675,6 +678,75 @@ private predicate summaryElementRef(Top ref, string input, string output, string
   )
 }
 
+private SummaryComponent interpretComponent(string c) {
+  specSplit(_, c, _) and
+  (
+    exists(int pos | parseArg(c, pos) and result = SummaryComponent::argument(pos))
+    or
+    exists(int pos | parseParam(c, pos) and result = SummaryComponent::parameter(pos))
+    or
+    c = "ReturnValue" and result = SummaryComponent::return()
+    or
+    c = "ArrayElement" and result = SummaryComponent::content(any(ArrayContent c0))
+    or
+    c = "Element" and result = SummaryComponent::content(any(CollectionContent c0))
+    // or
+    // c = "MapKey" and result = SummaryComponent::content(any(MapKeyContent c0))
+    // or
+    // c = "MapValue" and result = SummaryComponent::content(any(MapValueContent c0))
+  )
+}
+
+private predicate interpretSpec(string spec, int idx, SummaryComponentStack stack) {
+  exists(string c |
+    summaryElement(_, spec, _, _) or
+    summaryElement(_, _, spec, _)
+  |
+    len(spec, idx + 1) and
+    specSplit(spec, c, idx) and
+    stack = SummaryComponentStack::singleton(interpretComponent(c))
+  )
+  or
+  exists(SummaryComponent head, SummaryComponentStack tail |
+    interpretSpec(spec, idx, head, tail) and
+    stack = SummaryComponentStack::push(head, tail)
+  )
+}
+
+private predicate interpretSpec(
+  string output, int idx, SummaryComponent head, SummaryComponentStack tail
+) {
+  exists(string c |
+    interpretSpec(output, idx + 1, tail) and
+    specSplit(output, c, idx) and
+    head = interpretComponent(c)
+  )
+}
+
+private class MkStack extends RequiredSummaryComponentStack {
+  MkStack() { interpretSpec(_, _, _, this) }
+
+  override predicate required(SummaryComponent c) { interpretSpec(_, _, c, this) }
+}
+
+private class SummarizedCallableExternal extends SummarizedCallable {
+  SummarizedCallableExternal() { summaryElement(this, _, _, _) }
+
+  override predicate propagatesFlow(
+    SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
+  ) {
+    exists(string inSpec, string outSpec, string kind |
+      summaryElement(this, inSpec, outSpec, kind) and
+      interpretSpec(inSpec, 0, input) and
+      interpretSpec(outSpec, 0, output)
+    |
+      kind = "value" and preservesValue = true
+      or
+      kind = "taint" and preservesValue = false
+    )
+  }
+}
+
 private newtype TAstOrNode =
   TAst(Top t) or
   TNode(Node n)
@@ -761,15 +833,3 @@ predicate sinkNode(Node node, string kind) {
     interpretInput(input, 0, ref, TNode(node))
   )
 }
-
-/**
- * Holds if `node1` to `node2` is specified as a flow step with the given kind
- * in a CSV flow model.
- */
-predicate summaryStep(Node node1, Node node2, string kind) {
-  exists(Top ref, string input, string output |
-    summaryElementRef(ref, input, output, kind) and
-    interpretInput(input, 0, ref, TNode(node1)) and
-    interpretOutput(output, 0, ref, TNode(node2))
-  )
-}
diff --git a/java/ql/src/semmle/code/java/dataflow/FlowSummary.qll b/java/ql/src/semmle/code/java/dataflow/FlowSummary.qll
index 02e9548c544..e53a4fc5630 100644
--- a/java/ql/src/semmle/code/java/dataflow/FlowSummary.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSummary.qll
@@ -8,7 +8,9 @@ private import internal.DataFlowDispatch
 private import internal.DataFlowPrivate
 
 // import all instances below
-private module Summaries { }
+private module Summaries {
+  private import semmle.code.java.dataflow.ExternalFlow
+}
 
 class SummaryComponent = Impl::Public::SummaryComponent;
 
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
index 030bf30bd49..2ad09574015 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
@@ -142,8 +142,6 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {
   or
   node2.asExpr().(AssignExpr).getSource() = node1.asExpr()
   or
-  summaryStep(node1, node2, "value")
-  or
   exists(MethodAccess ma, ValuePreservingMethod m, int argNo |
     ma.getCallee().getSourceDeclaration() = m and m.returnsValue(argNo)
   |
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index 0f20ffe62db..d684ebb5275 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -57,16 +57,14 @@ private predicate localAdditionalBasicTaintStep(DataFlow::Node src, DataFlow::No
   localAdditionalTaintUpdateStep(src.asExpr(),
     sink.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr())
   or
-  summaryStep(src, sink, "taint") and
-  not summaryStep(src, sink, "value")
-  or
   exists(Argument arg |
     src.asExpr() = arg and
     arg.isVararg() and
     sink.(DataFlow::ImplicitVarargsArray).getCall() = arg.getCall()
   )
   or
-  FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, false)
+  FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, false) and
+  not FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, true)
 }
 
 /**

From 60965b0d8c4c407f8c681d76472ec12ae0365505 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Fri, 19 Mar 2021 15:17:50 +0100
Subject: [PATCH 0461/1429] Java: Adjust some csv models.

---
 .../src/semmle/code/java/frameworks/ApacheHttp.qll  | 13 ++++++-------
 .../src/semmle/code/java/frameworks/apache/Lang.qll | 10 +++++-----
 .../src/semmle/code/java/frameworks/guava/Base.qll  | 11 ++++++-----
 .../ql/src/semmle/code/java/frameworks/guava/IO.qll |  2 +-
 4 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll b/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll
index 2dc1077cb4e..8378f1e7260 100644
--- a/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll
+++ b/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll
@@ -149,9 +149,8 @@ private class ApacheHttpFlowStep extends SummaryModelCsv {
         "org.apache.hc.core5.http.message;RequestLine;true;getMethod;();;Argument[-1];ReturnValue;taint",
         "org.apache.hc.core5.http.message;RequestLine;true;getUri;();;Argument[-1];ReturnValue;taint",
         "org.apache.hc.core5.http.message;RequestLine;true;toString;();;Argument[-1];ReturnValue;taint",
-        "org.apache.hc.core5.http.message;RequestLine;true;RequestLine;(HttpRequest);;Argument[0];ReturnValue;taint",
-        "org.apache.hc.core5.http.message;RequestLine;true;RequestLine;(String,String,ProtocolVersion);;Argument[1];ReturnValue;taint",
-        "org.apache.hc.core5.http.message;RequestLine;true;RequestLine;(String,String,ProtocolVersion);;Argument[1];ReturnValue;taint",
+        "org.apache.hc.core5.http.message;RequestLine;true;RequestLine;(HttpRequest);;Argument[0];Argument[-1];taint",
+        "org.apache.hc.core5.http.message;RequestLine;true;RequestLine;(String,String,ProtocolVersion);;Argument[1];Argument[-1];taint",
         "org.apache.hc.core5.function;Supplier;true;get;();;Argument[-1];ReturnValue;taint",
         "org.apache.hc.core5.net;URIAuthority;true;getHostName;();;Argument[-1];ReturnValue;taint",
         "org.apache.hc.core5.net;URIAuthority;true;toString;();;Argument[-1];ReturnValue;taint",
@@ -181,16 +180,16 @@ private class ApacheHttpFlowStep extends SummaryModelCsv {
         "org.apache.hc.core5.http.io.entity;HttpEntities;true;withTrailers;;;Argument[0];ReturnValue;taint",
         "org.apache.http.entity;BasicHttpEntity;true;setContent;(InputStream);;Argument[0];Argument[-1];taint",
         "org.apache.http.entity;BufferedHttpEntity;true;BufferedHttpEntity;(HttpEntity);;Argument[0];ReturnValue;taint",
-        "org.apache.http.entity;ByteArrayEntity;true;ByteArrayEntity;;;Argument[0];ReturnValue;taint",
+        "org.apache.http.entity;ByteArrayEntity;true;ByteArrayEntity;;;Argument[0];Argument[-1];taint",
         "org.apache.http.entity;HttpEntityWrapper;true;HttpEntityWrapper;(HttpEntity);;Argument[0];ReturnValue;taint",
         "org.apache.http.entity;InputStreamEntity;true;InputStreamEntity;;;Argument[0];ReturnValue;taint",
-        "org.apache.http.entity;StringEntity;true;StringEntity;;;Argument[0];ReturnValue;taint",
+        "org.apache.http.entity;StringEntity;true;StringEntity;;;Argument[0];Argument[-1];taint",
         "org.apache.hc.core5.http.io.entity;BasicHttpEntity;true;BasicHttpEntity;;;Argument[0];ReturnValue;taint",
         "org.apache.hc.core5.http.io.entity;BufferedHttpEntity;true;BufferedHttpEntity;(HttpEntity);;Argument[0];ReturnValue;taint",
-        "org.apache.hc.core5.http.io.entity;ByteArrayEntity;true;ByteArrayEntity;;;Argument[0];ReturnValue;taint",
+        "org.apache.hc.core5.http.io.entity;ByteArrayEntity;true;ByteArrayEntity;;;Argument[0];Argument[-1];taint",
         "org.apache.hc.core5.http.io.entity;HttpEntityWrapper;true;HttpEntityWrapper;(HttpEntity);;Argument[0];ReturnValue;taint",
         "org.apache.hc.core5.http.io.entity;InputStreamEntity;true;InputStreamEntity;;;Argument[0];ReturnValue;taint",
-        "org.apache.hc.core5.http.io.entity;StringEntity;true;StringEntity;;;Argument[0];ReturnValue;taint",
+        "org.apache.hc.core5.http.io.entity;StringEntity;true;StringEntity;;;Argument[0];Argument[-1];taint",
         "org.apache.http.util;ByteArrayBuffer;true;append;(byte[],int,int);;Argument[0];Argument[-1];taint",
         "org.apache.http.util;ByteArrayBuffer;true;append;(char[],int,int);;Argument[0];Argument[-1];taint",
         "org.apache.http.util;ByteArrayBuffer;true;append;(CharArrayBuffer,int,int);;Argument[0];Argument[-1];taint",
diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
index deab8f4a692..670014e0f8f 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
@@ -626,12 +626,12 @@ private class ApacheObjectUtilsModel extends SummaryModelCsv {
         "org.apache.commons.lang3;ObjectUtils;false;CONST_BYTE;;;Argument[0];ReturnValue;value",
         "org.apache.commons.lang3;ObjectUtils;false;CONST_SHORT;;;Argument[0];ReturnValue;value",
         "org.apache.commons.lang3;ObjectUtils;false;defaultIfNull;;;Argument[0..1];ReturnValue;value",
-        "org.apache.commons.lang3;ObjectUtils;false;firstNonNull;;;Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3;ObjectUtils;false;firstNonNull;;;ArrayElement of Argument[0];ReturnValue;value",
         "org.apache.commons.lang3;ObjectUtils;false;getIfNull;;;Argument[0];ReturnValue;value",
-        "org.apache.commons.lang3;ObjectUtils;false;max;;;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3;ObjectUtils;false;median;;;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3;ObjectUtils;false;min;;;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3;ObjectUtils;false;mode;;;Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3;ObjectUtils;false;max;;;ArrayElement of Argument[0];ReturnValue;value",
+        "org.apache.commons.lang3;ObjectUtils;false;median;;;ArrayElement of Argument[0];ReturnValue;value",
+        "org.apache.commons.lang3;ObjectUtils;false;min;;;ArrayElement of Argument[0];ReturnValue;value",
+        "org.apache.commons.lang3;ObjectUtils;false;mode;;;ArrayElement of Argument[0];ReturnValue;value",
         "org.apache.commons.lang3;ObjectUtils;false;requireNonEmpty;;;Argument[0];ReturnValue;value",
         "org.apache.commons.lang3;ObjectUtils;false;toString;(Object,String);;Argument[1];ReturnValue;value"
       ]
diff --git a/java/ql/src/semmle/code/java/frameworks/guava/Base.qll b/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
index ebcfe35a6b9..194d723caf5 100644
--- a/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
+++ b/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
@@ -13,7 +13,8 @@ private class GuavaBaseCsv extends SummaryModelCsv {
         "com.google.common.base;Strings;false;padStart;(String,int,char);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Strings;false;padEnd;(String,int,char);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Strings;false;repeat;(String,int);;Argument[0];ReturnValue;taint",
-        "com.google.common.base;Strings;false;lenientFormat;(String,Object[]);;Argument;ReturnValue;taint",
+        "com.google.common.base;Strings;false;lenientFormat;(String,Object[]);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Strings;false;lenientFormat;(String,Object[]);;ArrayElement of Argument[1];ReturnValue;taint",
         "com.google.common.base;Joiner;false;on;(String);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Joiner;false;skipNulls;();;Argument[-1];ReturnValue;taint",
         "com.google.common.base;Joiner;false;useForNull;(String);;Argument[-1];ReturnValue;taint",
@@ -22,14 +23,14 @@ private class GuavaBaseCsv extends SummaryModelCsv {
         "com.google.common.base;Joiner;false;withKeyValueSeparator;(String);;Argument[-1];ReturnValue;taint",
         "com.google.common.base;Joiner;false;withKeyValueSeparator;(char);;Argument[-1];ReturnValue;taint",
         // Note: The signatures of some of the appendTo methods involve collection flow
-        "com.google.common.base;Joiner;false;appendTo;;;Argument;Argument[0];taint",
+        "com.google.common.base;Joiner;false;appendTo;;;Argument[-1..3];Argument[0];taint",
         "com.google.common.base;Joiner;false;appendTo;;;Argument[0];ReturnValue;value",
-        "com.google.common.base;Joiner;false;join;;;Argument;ReturnValue;taint",
+        "com.google.common.base;Joiner;false;join;;;Argument[-1..2];ReturnValue;taint",
         "com.google.common.base;Joiner$MapJoiner;false;useForNull;(String);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Joiner$MapJoiner;false;useForNull;(String);;Argument[-1];ReturnValue;taint",
-        "com.google.common.base;Joiner$MapJoiner;false;appendTo;;;Argument;Argument[0];taint",
+        "com.google.common.base;Joiner$MapJoiner;false;appendTo;;;Argument[1];Argument[0];taint",
         "com.google.common.base;Joiner$MapJoiner;false;appendTo;;;Argument[0];ReturnValue;value",
-        "com.google.common.base;Joiner$MapJoiner;false;join;;;Argument;ReturnValue;taint",
+        "com.google.common.base;Joiner$MapJoiner;false;join;;;Argument[-1..0];ReturnValue;taint",
         "com.google.common.base;Splitter;false;split;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Splitter;false;splitToList;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Splitter;false;splitToStream;(CharSequence);;Argument[0];ReturnValue;taint",
diff --git a/java/ql/src/semmle/code/java/frameworks/guava/IO.qll b/java/ql/src/semmle/code/java/frameworks/guava/IO.qll
index 2a4a0342808..fac9ab9d48d 100644
--- a/java/ql/src/semmle/code/java/frameworks/guava/IO.qll
+++ b/java/ql/src/semmle/code/java/frameworks/guava/IO.qll
@@ -61,7 +61,7 @@ private class GuavaIoCsv extends SummaryModelCsv {
         "com.google.common.io;Files;false;simplifyPath;(String);;Argument[0];ReturnValue;taint",
         "com.google.common.io;MoreFiles;false;getFileExtension;(Path);;Argument[0];ReturnValue;taint",
         "com.google.common.io;MoreFiles;false;getNameWithoutExtension;(Path);;Argument[0];ReturnValue;taint",
-        "com.google.common.io;LineReader;false;LineReader;(Readable);;Argument[0];ReturnValue;taint",
+        "com.google.common.io;LineReader;false;LineReader;(Readable);;Argument[0];Argument[-1];taint",
         "com.google.common.io;LineReader;true;readLine;();;Argument[-1];ReturnValue;taint",
         "com.google.common.io;ByteArrayDataOutput;true;toByteArray;();;Argument[-1];ReturnValue;taint",
         "com.google.common.io;ByteArrayDataOutput;true;write;(byte[]);;Argument[0];Argument[-1];taint",

From 175c71221a8934c9a7d6dddb876aef278d3b379b Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Tue, 13 Apr 2021 14:26:15 +0200
Subject: [PATCH 0462/1429] Java: Adjust some test output with more
 edges/nodes.

---
 .../security/CWE-074/XsltInjection.expected   | 78 ++++++++++++++-----
 .../JakartaExpressionInjection.expected       |  4 +-
 .../security/CWE-094/JexlInjection.expected   |  8 +-
 .../security/CWE-094/MvelInjection.expected   |  6 +-
 .../security/CWE-094/SpelInjection.expected   | 36 +++++++--
 .../SensitiveCookieNotHttpOnly.expected       | 10 +++
 .../CWE-522/InsecureBasicAuth.expected        | 10 +++
 .../security/CWE-652/XQueryInjection.expected | 24 +++++-
 .../security/CWE-918/RequestForgery.expected  | 13 ++++
 .../CWE-022/semmle/tests/TaintedPath.expected | 10 ++-
 .../CWE-022/semmle/tests/ZipSlip.expected     |  7 ++
 .../semmle/tests/ResponseSplitting.expected   |  4 +-
 .../tests/ArithmeticTaintedLocal.expected     | 38 ++++++---
 .../CWE-502/UnsafeDeserialization.expected    | 75 ++++++++++++++----
 .../query-tests/security/CWE-611/XXE.expected | 60 ++++++++++----
 .../tests/NumericCastTaintedLocal.expected    | 10 ++-
 16 files changed, 320 insertions(+), 73 deletions(-)

diff --git a/java/ql/test/experimental/query-tests/security/CWE-074/XsltInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-074/XsltInjection.expected
index ece3ed7d17f..680252d4d37 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-074/XsltInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-074/XsltInjection.expected
@@ -1,48 +1,81 @@
 edges
-| XsltInjection.java:30:44:30:66 | getInputStream(...) : InputStream | XsltInjection.java:31:5:31:59 | newTransformer(...) |
-| XsltInjection.java:35:66:35:88 | getInputStream(...) : InputStream | XsltInjection.java:36:5:36:74 | newTransformer(...) |
-| XsltInjection.java:40:45:40:70 | param : String | XsltInjection.java:43:5:43:59 | newTransformer(...) |
-| XsltInjection.java:47:54:47:76 | getInputStream(...) : InputStream | XsltInjection.java:48:5:48:74 | newTransformer(...) |
-| XsltInjection.java:52:82:52:104 | getInputStream(...) : InputStream | XsltInjection.java:53:5:53:59 | newTransformer(...) |
+| XsltInjection.java:30:27:30:67 | new StreamSource(...) : StreamSource | XsltInjection.java:31:5:31:59 | newTransformer(...) |
+| XsltInjection.java:30:44:30:66 | getInputStream(...) : InputStream | XsltInjection.java:30:27:30:67 | new StreamSource(...) : StreamSource |
+| XsltInjection.java:35:27:35:90 | new StreamSource(...) : StreamSource | XsltInjection.java:36:5:36:74 | newTransformer(...) |
+| XsltInjection.java:35:44:35:89 | new InputStreamReader(...) : InputStreamReader | XsltInjection.java:35:27:35:90 | new StreamSource(...) : StreamSource |
+| XsltInjection.java:35:66:35:88 | getInputStream(...) : InputStream | XsltInjection.java:35:44:35:89 | new InputStreamReader(...) : InputStreamReader |
+| XsltInjection.java:40:45:40:70 | param : String | XsltInjection.java:42:61:42:64 | xslt : String |
+| XsltInjection.java:42:27:42:66 | new StreamSource(...) : StreamSource | XsltInjection.java:43:5:43:59 | newTransformer(...) |
+| XsltInjection.java:42:44:42:65 | new StringReader(...) : StringReader | XsltInjection.java:42:27:42:66 | new StreamSource(...) : StreamSource |
+| XsltInjection.java:42:61:42:64 | xslt : String | XsltInjection.java:42:44:42:65 | new StringReader(...) : StringReader |
+| XsltInjection.java:47:24:47:78 | new SAXSource(...) : SAXSource | XsltInjection.java:48:5:48:74 | newTransformer(...) |
+| XsltInjection.java:47:38:47:77 | new InputSource(...) : InputSource | XsltInjection.java:47:24:47:78 | new SAXSource(...) : SAXSource |
+| XsltInjection.java:47:54:47:76 | getInputStream(...) : InputStream | XsltInjection.java:47:38:47:77 | new InputSource(...) : InputSource |
+| XsltInjection.java:52:24:52:107 | new SAXSource(...) : SAXSource | XsltInjection.java:53:5:53:59 | newTransformer(...) |
+| XsltInjection.java:52:44:52:106 | new InputSource(...) : InputSource | XsltInjection.java:52:24:52:107 | new SAXSource(...) : SAXSource |
+| XsltInjection.java:52:60:52:105 | new InputStreamReader(...) : InputStreamReader | XsltInjection.java:52:44:52:106 | new InputSource(...) : InputSource |
+| XsltInjection.java:52:82:52:104 | getInputStream(...) : InputStream | XsltInjection.java:52:60:52:105 | new InputStreamReader(...) : InputStreamReader |
 | XsltInjection.java:57:91:57:113 | getInputStream(...) : InputStream | XsltInjection.java:58:5:58:59 | newTransformer(...) |
-| XsltInjection.java:62:120:62:142 | getInputStream(...) : InputStream | XsltInjection.java:63:5:63:74 | newTransformer(...) |
+| XsltInjection.java:62:98:62:143 | new InputStreamReader(...) : InputStreamReader | XsltInjection.java:63:5:63:74 | newTransformer(...) |
+| XsltInjection.java:62:120:62:142 | getInputStream(...) : InputStream | XsltInjection.java:62:98:62:143 | new InputStreamReader(...) : InputStreamReader |
 | XsltInjection.java:67:102:67:124 | getInputStream(...) : InputStream | XsltInjection.java:68:5:68:59 | newTransformer(...) |
-| XsltInjection.java:72:44:72:66 | getInputStream(...) : InputStream | XsltInjection.java:76:5:76:34 | newTransformer(...) |
-| XsltInjection.java:80:44:80:66 | getInputStream(...) : InputStream | XsltInjection.java:83:5:83:34 | newTransformer(...) |
-| XsltInjection.java:87:44:87:66 | getInputStream(...) : InputStream | XsltInjection.java:90:5:90:35 | load(...) |
-| XsltInjection.java:87:44:87:66 | getInputStream(...) : InputStream | XsltInjection.java:91:5:91:37 | load30(...) |
-| XsltInjection.java:87:44:87:66 | getInputStream(...) : InputStream | XsltInjection.java:92:5:92:37 | load30(...) |
-| XsltInjection.java:87:44:87:66 | getInputStream(...) : InputStream | XsltInjection.java:93:5:93:37 | load30(...) |
-| XsltInjection.java:87:44:87:66 | getInputStream(...) : InputStream | XsltInjection.java:94:5:94:37 | load30(...) |
-| XsltInjection.java:87:44:87:66 | getInputStream(...) : InputStream | XsltInjection.java:95:5:95:37 | load30(...) |
-| XsltInjection.java:87:44:87:66 | getInputStream(...) : InputStream | XsltInjection.java:96:5:96:37 | load30(...) |
-| XsltInjection.java:87:44:87:66 | getInputStream(...) : InputStream | XsltInjection.java:97:5:97:37 | load30(...) |
-| XsltInjection.java:87:44:87:66 | getInputStream(...) : InputStream | XsltInjection.java:98:5:98:37 | load30(...) |
-| XsltInjection.java:87:44:87:66 | getInputStream(...) : InputStream | XsltInjection.java:99:5:99:37 | load30(...) |
-| XsltInjection.java:103:36:103:61 | param : String | XsltInjection.java:108:5:108:46 | load(...) |
-| XsltInjection.java:103:36:103:61 | param : String | XsltInjection.java:110:5:110:50 | load(...) |
-| XsltInjection.java:105:44:105:66 | getInputStream(...) : InputStream | XsltInjection.java:109:5:109:49 | load(...) |
+| XsltInjection.java:72:27:72:67 | new StreamSource(...) : StreamSource | XsltInjection.java:76:5:76:34 | newTransformer(...) |
+| XsltInjection.java:72:44:72:66 | getInputStream(...) : InputStream | XsltInjection.java:72:27:72:67 | new StreamSource(...) : StreamSource |
+| XsltInjection.java:80:27:80:67 | new StreamSource(...) : StreamSource | XsltInjection.java:83:5:83:34 | newTransformer(...) |
+| XsltInjection.java:80:44:80:66 | getInputStream(...) : InputStream | XsltInjection.java:80:27:80:67 | new StreamSource(...) : StreamSource |
+| XsltInjection.java:87:27:87:67 | new StreamSource(...) : StreamSource | XsltInjection.java:90:5:90:35 | load(...) |
+| XsltInjection.java:87:27:87:67 | new StreamSource(...) : StreamSource | XsltInjection.java:91:5:91:37 | load30(...) |
+| XsltInjection.java:87:27:87:67 | new StreamSource(...) : StreamSource | XsltInjection.java:92:5:92:37 | load30(...) |
+| XsltInjection.java:87:27:87:67 | new StreamSource(...) : StreamSource | XsltInjection.java:93:5:93:37 | load30(...) |
+| XsltInjection.java:87:27:87:67 | new StreamSource(...) : StreamSource | XsltInjection.java:94:5:94:37 | load30(...) |
+| XsltInjection.java:87:27:87:67 | new StreamSource(...) : StreamSource | XsltInjection.java:95:5:95:37 | load30(...) |
+| XsltInjection.java:87:27:87:67 | new StreamSource(...) : StreamSource | XsltInjection.java:96:5:96:37 | load30(...) |
+| XsltInjection.java:87:27:87:67 | new StreamSource(...) : StreamSource | XsltInjection.java:97:5:97:37 | load30(...) |
+| XsltInjection.java:87:27:87:67 | new StreamSource(...) : StreamSource | XsltInjection.java:98:5:98:37 | load30(...) |
+| XsltInjection.java:87:27:87:67 | new StreamSource(...) : StreamSource | XsltInjection.java:99:5:99:37 | load30(...) |
+| XsltInjection.java:87:44:87:66 | getInputStream(...) : InputStream | XsltInjection.java:87:27:87:67 | new StreamSource(...) : StreamSource |
+| XsltInjection.java:103:36:103:61 | param : String | XsltInjection.java:104:23:104:27 | param : String |
+| XsltInjection.java:104:15:104:28 | new URI(...) : URI | XsltInjection.java:108:5:108:46 | load(...) |
+| XsltInjection.java:104:15:104:28 | new URI(...) : URI | XsltInjection.java:110:5:110:50 | load(...) |
+| XsltInjection.java:104:23:104:27 | param : String | XsltInjection.java:104:15:104:28 | new URI(...) : URI |
+| XsltInjection.java:105:27:105:67 | new StreamSource(...) : StreamSource | XsltInjection.java:109:5:109:49 | load(...) |
+| XsltInjection.java:105:44:105:66 | getInputStream(...) : InputStream | XsltInjection.java:105:27:105:67 | new StreamSource(...) : StreamSource |
 nodes
+| XsltInjection.java:30:27:30:67 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
 | XsltInjection.java:30:44:30:66 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | XsltInjection.java:31:5:31:59 | newTransformer(...) | semmle.label | newTransformer(...) |
+| XsltInjection.java:35:27:35:90 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
+| XsltInjection.java:35:44:35:89 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
 | XsltInjection.java:35:66:35:88 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | XsltInjection.java:36:5:36:74 | newTransformer(...) | semmle.label | newTransformer(...) |
 | XsltInjection.java:40:45:40:70 | param : String | semmle.label | param : String |
+| XsltInjection.java:42:27:42:66 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
+| XsltInjection.java:42:44:42:65 | new StringReader(...) : StringReader | semmle.label | new StringReader(...) : StringReader |
+| XsltInjection.java:42:61:42:64 | xslt : String | semmle.label | xslt : String |
 | XsltInjection.java:43:5:43:59 | newTransformer(...) | semmle.label | newTransformer(...) |
+| XsltInjection.java:47:24:47:78 | new SAXSource(...) : SAXSource | semmle.label | new SAXSource(...) : SAXSource |
+| XsltInjection.java:47:38:47:77 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource |
 | XsltInjection.java:47:54:47:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | XsltInjection.java:48:5:48:74 | newTransformer(...) | semmle.label | newTransformer(...) |
+| XsltInjection.java:52:24:52:107 | new SAXSource(...) : SAXSource | semmle.label | new SAXSource(...) : SAXSource |
+| XsltInjection.java:52:44:52:106 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource |
+| XsltInjection.java:52:60:52:105 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
 | XsltInjection.java:52:82:52:104 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | XsltInjection.java:53:5:53:59 | newTransformer(...) | semmle.label | newTransformer(...) |
 | XsltInjection.java:57:91:57:113 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | XsltInjection.java:58:5:58:59 | newTransformer(...) | semmle.label | newTransformer(...) |
+| XsltInjection.java:62:98:62:143 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
 | XsltInjection.java:62:120:62:142 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | XsltInjection.java:63:5:63:74 | newTransformer(...) | semmle.label | newTransformer(...) |
 | XsltInjection.java:67:102:67:124 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | XsltInjection.java:68:5:68:59 | newTransformer(...) | semmle.label | newTransformer(...) |
+| XsltInjection.java:72:27:72:67 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
 | XsltInjection.java:72:44:72:66 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | XsltInjection.java:76:5:76:34 | newTransformer(...) | semmle.label | newTransformer(...) |
+| XsltInjection.java:80:27:80:67 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
 | XsltInjection.java:80:44:80:66 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | XsltInjection.java:83:5:83:34 | newTransformer(...) | semmle.label | newTransformer(...) |
+| XsltInjection.java:87:27:87:67 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
 | XsltInjection.java:87:44:87:66 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | XsltInjection.java:90:5:90:35 | load(...) | semmle.label | load(...) |
 | XsltInjection.java:91:5:91:37 | load30(...) | semmle.label | load30(...) |
@@ -55,6 +88,9 @@ nodes
 | XsltInjection.java:98:5:98:37 | load30(...) | semmle.label | load30(...) |
 | XsltInjection.java:99:5:99:37 | load30(...) | semmle.label | load30(...) |
 | XsltInjection.java:103:36:103:61 | param : String | semmle.label | param : String |
+| XsltInjection.java:104:15:104:28 | new URI(...) : URI | semmle.label | new URI(...) : URI |
+| XsltInjection.java:104:23:104:27 | param : String | semmle.label | param : String |
+| XsltInjection.java:105:27:105:67 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
 | XsltInjection.java:105:44:105:66 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | XsltInjection.java:108:5:108:46 | load(...) | semmle.label | load(...) |
 | XsltInjection.java:109:5:109:49 | load(...) | semmle.label | load(...) |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
index 390871b54cf..b4f4e1f696b 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
@@ -1,5 +1,6 @@
 edges
-| JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:25:31:25:40 | expression : String |
+| JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:23:54:23:58 | bytes [post update] : byte[] |
+| JakartaExpressionInjection.java:23:54:23:58 | bytes [post update] : byte[] | JakartaExpressionInjection.java:25:31:25:40 | expression : String |
 | JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:32:24:32:33 | expression : String |
 | JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:40:24:40:33 | expression : String |
 | JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:48:24:48:33 | expression : String |
@@ -18,6 +19,7 @@ edges
 | JakartaExpressionInjection.java:95:24:95:33 | expression : String | JakartaExpressionInjection.java:99:13:99:13 | e |
 nodes
 | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| JakartaExpressionInjection.java:23:54:23:58 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
 | JakartaExpressionInjection.java:25:31:25:40 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:32:24:32:33 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:34:28:34:37 | expression | semmle.label | expression |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JexlInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/JexlInjection.expected
index 8140928cf21..f42f083578e 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JexlInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JexlInjection.expected
@@ -8,7 +8,8 @@ edges
 | Jexl2Injection.java:54:73:54:87 | jexlExpr : String | Jexl2Injection.java:57:9:57:35 | parse(...) |
 | Jexl2Injection.java:60:72:60:86 | jexlExpr : String | Jexl2Injection.java:63:9:63:35 | parse(...) |
 | Jexl2Injection.java:66:73:66:87 | jexlExpr : String | Jexl2Injection.java:69:9:69:44 | createTemplate(...) |
-| Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:78:31:78:38 | jexlExpr : String |
+| Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:76:54:76:58 | bytes [post update] : byte[] |
+| Jexl2Injection.java:76:54:76:58 | bytes [post update] : byte[] | Jexl2Injection.java:78:31:78:38 | jexlExpr : String |
 | Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:86:24:86:56 | jexlExpr : String |
 | Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:90:24:90:68 | jexlExpr : String |
 | Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:94:24:94:52 | jexlExpr : String |
@@ -46,7 +47,8 @@ edges
 | Jexl3Injection.java:66:73:66:87 | jexlExpr : String | Jexl3Injection.java:69:9:69:39 | createExpression(...) |
 | Jexl3Injection.java:72:72:72:86 | jexlExpr : String | Jexl3Injection.java:75:9:75:37 | createTemplate(...) |
 | Jexl3Injection.java:78:54:78:68 | jexlExpr : String | Jexl3Injection.java:84:13:84:13 | e |
-| Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:96:31:96:38 | jexlExpr : String |
+| Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:94:54:94:58 | bytes [post update] : byte[] |
+| Jexl3Injection.java:94:54:94:58 | bytes [post update] : byte[] | Jexl3Injection.java:96:31:96:38 | jexlExpr : String |
 | Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:104:24:104:56 | jexlExpr : String |
 | Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:108:24:108:68 | jexlExpr : String |
 | Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:112:24:112:52 | jexlExpr : String |
@@ -103,6 +105,7 @@ nodes
 | Jexl2Injection.java:66:73:66:87 | jexlExpr : String | semmle.label | jexlExpr : String |
 | Jexl2Injection.java:69:9:69:44 | createTemplate(...) | semmle.label | createTemplate(...) |
 | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| Jexl2Injection.java:76:54:76:58 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
 | Jexl2Injection.java:78:31:78:38 | jexlExpr : String | semmle.label | jexlExpr : String |
 | Jexl2Injection.java:86:24:86:56 | jexlExpr : String | semmle.label | jexlExpr : String |
 | Jexl2Injection.java:86:24:86:56 | jexlExpr : String | semmle.label | jexlExpr : String |
@@ -143,6 +146,7 @@ nodes
 | Jexl3Injection.java:78:54:78:68 | jexlExpr : String | semmle.label | jexlExpr : String |
 | Jexl3Injection.java:84:13:84:13 | e | semmle.label | e |
 | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| Jexl3Injection.java:94:54:94:58 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
 | Jexl3Injection.java:96:31:96:38 | jexlExpr : String | semmle.label | jexlExpr : String |
 | Jexl3Injection.java:104:24:104:56 | jexlExpr : String | semmle.label | jexlExpr : String |
 | Jexl3Injection.java:104:24:104:56 | jexlExpr : String | semmle.label | jexlExpr : String |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/MvelInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/MvelInjection.expected
index b2325fa78a4..545da956f8e 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/MvelInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/MvelInjection.expected
@@ -10,7 +10,9 @@ edges
 | MvelInjection.java:77:40:77:51 | read(...) : String | MvelInjection.java:77:7:77:52 | compileTemplate(...) |
 | MvelInjection.java:81:54:81:65 | read(...) : String | MvelInjection.java:82:29:82:46 | compile(...) |
 | MvelInjection.java:86:58:86:69 | read(...) : String | MvelInjection.java:88:32:88:41 | expression |
-| MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:95:14:95:36 | new String(...) : String |
+| MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:94:15:94:16 | is : InputStream |
+| MvelInjection.java:94:15:94:16 | is : InputStream | MvelInjection.java:94:23:94:27 | bytes [post update] : byte[] |
+| MvelInjection.java:94:23:94:27 | bytes [post update] : byte[] | MvelInjection.java:95:14:95:36 | new String(...) : String |
 | MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:25:15:25:26 | read(...) |
 | MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:29:54:29:65 | read(...) : String |
 | MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:34:58:34:69 | read(...) : String |
@@ -46,6 +48,8 @@ nodes
 | MvelInjection.java:86:58:86:69 | read(...) : String | semmle.label | read(...) : String |
 | MvelInjection.java:88:32:88:41 | expression | semmle.label | expression |
 | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| MvelInjection.java:94:15:94:16 | is : InputStream | semmle.label | is : InputStream |
+| MvelInjection.java:94:23:94:27 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
 | MvelInjection.java:95:14:95:36 | new String(...) : String | semmle.label | new String(...) : String |
 #select
 | MvelInjection.java:25:15:25:26 | read(...) | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:25:15:25:26 | read(...) | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/SpelInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/SpelInjection.expected
index 263d6be6c32..83d1725237a 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/SpelInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/SpelInjection.expected
@@ -1,22 +1,46 @@
 edges
-| SpelInjection.java:15:22:15:44 | getInputStream(...) : InputStream | SpelInjection.java:23:5:23:14 | expression |
-| SpelInjection.java:27:22:27:44 | getInputStream(...) : InputStream | SpelInjection.java:34:5:34:14 | expression |
-| SpelInjection.java:38:22:38:44 | getInputStream(...) : InputStream | SpelInjection.java:48:5:48:14 | expression |
-| SpelInjection.java:52:22:52:44 | getInputStream(...) : InputStream | SpelInjection.java:59:5:59:14 | expression |
-| SpelInjection.java:63:22:63:44 | getInputStream(...) : InputStream | SpelInjection.java:70:5:70:14 | expression |
-| SpelInjection.java:74:22:74:44 | getInputStream(...) : InputStream | SpelInjection.java:83:5:83:14 | expression |
+| SpelInjection.java:15:22:15:44 | getInputStream(...) : InputStream | SpelInjection.java:18:13:18:14 | in : InputStream |
+| SpelInjection.java:18:13:18:14 | in : InputStream | SpelInjection.java:18:21:18:25 | bytes [post update] : byte[] |
+| SpelInjection.java:18:21:18:25 | bytes [post update] : byte[] | SpelInjection.java:23:5:23:14 | expression |
+| SpelInjection.java:27:22:27:44 | getInputStream(...) : InputStream | SpelInjection.java:30:13:30:14 | in : InputStream |
+| SpelInjection.java:30:13:30:14 | in : InputStream | SpelInjection.java:30:21:30:25 | bytes [post update] : byte[] |
+| SpelInjection.java:30:21:30:25 | bytes [post update] : byte[] | SpelInjection.java:34:5:34:14 | expression |
+| SpelInjection.java:38:22:38:44 | getInputStream(...) : InputStream | SpelInjection.java:41:13:41:14 | in : InputStream |
+| SpelInjection.java:41:13:41:14 | in : InputStream | SpelInjection.java:41:21:41:25 | bytes [post update] : byte[] |
+| SpelInjection.java:41:21:41:25 | bytes [post update] : byte[] | SpelInjection.java:48:5:48:14 | expression |
+| SpelInjection.java:52:22:52:44 | getInputStream(...) : InputStream | SpelInjection.java:55:13:55:14 | in : InputStream |
+| SpelInjection.java:55:13:55:14 | in : InputStream | SpelInjection.java:55:21:55:25 | bytes [post update] : byte[] |
+| SpelInjection.java:55:21:55:25 | bytes [post update] : byte[] | SpelInjection.java:59:5:59:14 | expression |
+| SpelInjection.java:63:22:63:44 | getInputStream(...) : InputStream | SpelInjection.java:66:13:66:14 | in : InputStream |
+| SpelInjection.java:66:13:66:14 | in : InputStream | SpelInjection.java:66:21:66:25 | bytes [post update] : byte[] |
+| SpelInjection.java:66:21:66:25 | bytes [post update] : byte[] | SpelInjection.java:70:5:70:14 | expression |
+| SpelInjection.java:74:22:74:44 | getInputStream(...) : InputStream | SpelInjection.java:77:13:77:14 | in : InputStream |
+| SpelInjection.java:77:13:77:14 | in : InputStream | SpelInjection.java:77:21:77:25 | bytes [post update] : byte[] |
+| SpelInjection.java:77:21:77:25 | bytes [post update] : byte[] | SpelInjection.java:83:5:83:14 | expression |
 nodes
 | SpelInjection.java:15:22:15:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SpelInjection.java:18:13:18:14 | in : InputStream | semmle.label | in : InputStream |
+| SpelInjection.java:18:21:18:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
 | SpelInjection.java:23:5:23:14 | expression | semmle.label | expression |
 | SpelInjection.java:27:22:27:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SpelInjection.java:30:13:30:14 | in : InputStream | semmle.label | in : InputStream |
+| SpelInjection.java:30:21:30:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
 | SpelInjection.java:34:5:34:14 | expression | semmle.label | expression |
 | SpelInjection.java:38:22:38:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SpelInjection.java:41:13:41:14 | in : InputStream | semmle.label | in : InputStream |
+| SpelInjection.java:41:21:41:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
 | SpelInjection.java:48:5:48:14 | expression | semmle.label | expression |
 | SpelInjection.java:52:22:52:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SpelInjection.java:55:13:55:14 | in : InputStream | semmle.label | in : InputStream |
+| SpelInjection.java:55:21:55:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
 | SpelInjection.java:59:5:59:14 | expression | semmle.label | expression |
 | SpelInjection.java:63:22:63:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SpelInjection.java:66:13:66:14 | in : InputStream | semmle.label | in : InputStream |
+| SpelInjection.java:66:21:66:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
 | SpelInjection.java:70:5:70:14 | expression | semmle.label | expression |
 | SpelInjection.java:74:22:74:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SpelInjection.java:77:13:77:14 | in : InputStream | semmle.label | in : InputStream |
+| SpelInjection.java:77:21:77:25 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
 | SpelInjection.java:83:5:83:14 | expression | semmle.label | expression |
 #select
 | SpelInjection.java:23:5:23:14 | expression | SpelInjection.java:15:22:15:44 | getInputStream(...) : InputStream | SpelInjection.java:23:5:23:14 | expression | SpEL injection from $@. | SpelInjection.java:15:22:15:44 | getInputStream(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
index a9d126ca4a9..6c23f5d44e9 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
@@ -1,5 +1,8 @@
 edges
+| SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:25:39:25:52 | tokenCookieStr : String |
 | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie |
+| SensitiveCookieNotHttpOnly.java:25:28:25:64 | new Cookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie |
+| SensitiveCookieNotHttpOnly.java:25:39:25:52 | tokenCookieStr : String | SensitiveCookieNotHttpOnly.java:25:28:25:64 | new Cookie(...) : Cookie |
 | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... |
 | SensitiveCookieNotHttpOnly.java:42:42:42:57 | ... + ... : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... |
 | SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) |
@@ -7,11 +10,16 @@ edges
 | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
 | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
 | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
+| SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" : String | SensitiveCookieNotHttpOnly.java:89:36:89:51 | PRESTO_UI_COOKIE : String |
 | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" : String | SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie |
+| SensitiveCookieNotHttpOnly.java:89:25:89:57 | new Cookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie |
+| SensitiveCookieNotHttpOnly.java:89:36:89:51 | PRESTO_UI_COOKIE : String | SensitiveCookieNotHttpOnly.java:89:25:89:57 | new Cookie(...) : Cookie |
 | SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie | SensitiveCookieNotHttpOnly.java:110:25:110:64 | createAuthenticationCookie(...) : Cookie |
 | SensitiveCookieNotHttpOnly.java:110:25:110:64 | createAuthenticationCookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:111:28:111:33 | cookie |
 nodes
 | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" : String | semmle.label | "jwt_token" : String |
+| SensitiveCookieNotHttpOnly.java:25:28:25:64 | new Cookie(...) : Cookie | semmle.label | new Cookie(...) : Cookie |
+| SensitiveCookieNotHttpOnly.java:25:39:25:52 | tokenCookieStr : String | semmle.label | tokenCookieStr : String |
 | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie | semmle.label | jwtCookie |
 | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" : String | semmle.label | "token=" : String |
 | SensitiveCookieNotHttpOnly.java:42:42:42:57 | ... + ... : String | semmle.label | ... + ... : String |
@@ -25,6 +33,8 @@ nodes
 | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... : String | semmle.label | ... + ... : String |
 | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString | semmle.label | secString |
 | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" : String | semmle.label | "Presto-UI-Token" : String |
+| SensitiveCookieNotHttpOnly.java:89:25:89:57 | new Cookie(...) : Cookie | semmle.label | new Cookie(...) : Cookie |
+| SensitiveCookieNotHttpOnly.java:89:36:89:51 | PRESTO_UI_COOKIE : String | semmle.label | PRESTO_UI_COOKIE : String |
 | SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie | semmle.label | cookie : Cookie |
 | SensitiveCookieNotHttpOnly.java:110:25:110:64 | createAuthenticationCookie(...) : Cookie | semmle.label | createAuthenticationCookie(...) : Cookie |
 | SensitiveCookieNotHttpOnly.java:111:28:111:33 | cookie | semmle.label | cookie |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.expected b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.expected
index 92cf245968e..6a4ee5fdddd 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.expected
@@ -1,8 +1,14 @@
 edges
 | InsecureBasicAuth.java:20:39:20:52 | ... + ... : String | InsecureBasicAuth.java:28:3:28:6 | post |
 | InsecureBasicAuth.java:35:19:35:64 | "http://www.example.com:8000/payment/retrieve" : String | InsecureBasicAuth.java:38:3:38:5 | get |
+| InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:46:50:46:55 | uriStr : String |
 | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:54:3:54:6 | post |
+| InsecureBasicAuth.java:46:39:46:56 | create(...) : URI | InsecureBasicAuth.java:54:3:54:6 | post |
+| InsecureBasicAuth.java:46:50:46:55 | uriStr : String | InsecureBasicAuth.java:46:39:46:56 | create(...) : URI |
+| InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:62:21:62:26 | uriStr : String |
 | InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:71:3:71:6 | post |
+| InsecureBasicAuth.java:62:13:62:27 | new URI(...) : URI | InsecureBasicAuth.java:71:3:71:6 | post |
+| InsecureBasicAuth.java:62:21:62:26 | uriStr : String | InsecureBasicAuth.java:62:13:62:27 | new URI(...) : URI |
 | InsecureBasicAuth.java:78:47:78:52 | "http" : String | InsecureBasicAuth.java:86:3:86:6 | post |
 | InsecureBasicAuth.java:93:19:93:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:102:3:102:6 | post |
 | InsecureBasicAuth.java:109:19:109:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:119:3:119:6 | post |
@@ -16,8 +22,12 @@ nodes
 | InsecureBasicAuth.java:35:19:35:64 | "http://www.example.com:8000/payment/retrieve" : String | semmle.label | "http://www.example.com:8000/payment/retrieve" : String |
 | InsecureBasicAuth.java:38:3:38:5 | get | semmle.label | get |
 | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String |
+| InsecureBasicAuth.java:46:39:46:56 | create(...) : URI | semmle.label | create(...) : URI |
+| InsecureBasicAuth.java:46:50:46:55 | uriStr : String | semmle.label | uriStr : String |
 | InsecureBasicAuth.java:54:3:54:6 | post | semmle.label | post |
 | InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String |
+| InsecureBasicAuth.java:62:13:62:27 | new URI(...) : URI | semmle.label | new URI(...) : URI |
+| InsecureBasicAuth.java:62:21:62:26 | uriStr : String | semmle.label | uriStr : String |
 | InsecureBasicAuth.java:71:3:71:6 | post | semmle.label | post |
 | InsecureBasicAuth.java:78:47:78:52 | "http" : String | semmle.label | "http" : String |
 | InsecureBasicAuth.java:86:3:86:6 | post | semmle.label | post |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.expected
index b3ae0ff90fb..919bc3c58d1 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.expected
@@ -5,10 +5,19 @@ edges
 | XQueryInjection.java:86:33:86:60 | nameStr : String | XQueryInjection.java:92:53:92:57 | query |
 | XQueryInjection.java:100:28:100:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:104:35:104:38 | xqpe |
 | XQueryInjection.java:112:28:112:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:116:53:116:56 | name |
-| XQueryInjection.java:124:28:124:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:129:35:129:38 | xqpe |
-| XQueryInjection.java:137:28:137:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:142:53:142:54 | br |
+| XQueryInjection.java:124:28:124:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:125:70:125:73 | name : ServletInputStream |
+| XQueryInjection.java:125:29:125:75 | new BufferedReader(...) : BufferedReader | XQueryInjection.java:129:35:129:38 | xqpe |
+| XQueryInjection.java:125:48:125:74 | new InputStreamReader(...) : InputStreamReader | XQueryInjection.java:125:29:125:75 | new BufferedReader(...) : BufferedReader |
+| XQueryInjection.java:125:70:125:73 | name : ServletInputStream | XQueryInjection.java:125:48:125:74 | new InputStreamReader(...) : InputStreamReader |
+| XQueryInjection.java:137:28:137:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:138:70:138:73 | name : ServletInputStream |
+| XQueryInjection.java:138:29:138:75 | new BufferedReader(...) : BufferedReader | XQueryInjection.java:142:53:142:54 | br |
+| XQueryInjection.java:138:48:138:74 | new InputStreamReader(...) : InputStreamReader | XQueryInjection.java:138:29:138:75 | new BufferedReader(...) : BufferedReader |
+| XQueryInjection.java:138:70:138:73 | name : ServletInputStream | XQueryInjection.java:138:48:138:74 | new InputStreamReader(...) : InputStreamReader |
 | XQueryInjection.java:150:23:150:50 | getParameter(...) : String | XQueryInjection.java:155:29:155:32 | name |
-| XQueryInjection.java:157:26:157:49 | getInputStream(...) : ServletInputStream | XQueryInjection.java:159:29:159:30 | br |
+| XQueryInjection.java:157:26:157:49 | getInputStream(...) : ServletInputStream | XQueryInjection.java:158:70:158:71 | is : ServletInputStream |
+| XQueryInjection.java:158:29:158:73 | new BufferedReader(...) : BufferedReader | XQueryInjection.java:159:29:159:30 | br |
+| XQueryInjection.java:158:48:158:72 | new InputStreamReader(...) : InputStreamReader | XQueryInjection.java:158:29:158:73 | new BufferedReader(...) : BufferedReader |
+| XQueryInjection.java:158:70:158:71 | is : ServletInputStream | XQueryInjection.java:158:48:158:72 | new InputStreamReader(...) : InputStreamReader |
 nodes
 | XQueryInjection.java:45:23:45:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | XQueryInjection.java:51:35:51:38 | xqpe | semmle.label | xqpe |
@@ -23,12 +32,21 @@ nodes
 | XQueryInjection.java:112:28:112:51 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
 | XQueryInjection.java:116:53:116:56 | name | semmle.label | name |
 | XQueryInjection.java:124:28:124:51 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
+| XQueryInjection.java:125:29:125:75 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
+| XQueryInjection.java:125:48:125:74 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
+| XQueryInjection.java:125:70:125:73 | name : ServletInputStream | semmle.label | name : ServletInputStream |
 | XQueryInjection.java:129:35:129:38 | xqpe | semmle.label | xqpe |
 | XQueryInjection.java:137:28:137:51 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
+| XQueryInjection.java:138:29:138:75 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
+| XQueryInjection.java:138:48:138:74 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
+| XQueryInjection.java:138:70:138:73 | name : ServletInputStream | semmle.label | name : ServletInputStream |
 | XQueryInjection.java:142:53:142:54 | br | semmle.label | br |
 | XQueryInjection.java:150:23:150:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | XQueryInjection.java:155:29:155:32 | name | semmle.label | name |
 | XQueryInjection.java:157:26:157:49 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
+| XQueryInjection.java:158:29:158:73 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
+| XQueryInjection.java:158:48:158:72 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
+| XQueryInjection.java:158:70:158:71 | is : ServletInputStream | semmle.label | is : ServletInputStream |
 | XQueryInjection.java:159:29:159:30 | br | semmle.label | br |
 #select
 | XQueryInjection.java:51:35:51:38 | xqpe | XQueryInjection.java:45:23:45:50 | getParameter(...) : String | XQueryInjection.java:51:35:51:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:45:23:45:50 | getParameter(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.expected b/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.expected
index 1d2cae77dfe..f6c7072a519 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.expected
@@ -1,5 +1,6 @@
 edges
 | JaxWsSSRF.java:21:22:21:48 | getParameter(...) : String | JaxWsSSRF.java:22:23:22:25 | url |
+| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:25:31:25:34 | sink : String |
 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:55:32:55:35 | url1 |
 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:58:32:58:35 | url1 |
 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:59:30:59:33 | url1 |
@@ -7,6 +8,12 @@ edges
 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:64:59:64:61 | uri |
 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:67:43:67:45 | uri |
 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:69:29:69:32 | uri2 |
+| RequestForgery2.java:25:23:25:35 | new URI(...) : URI | RequestForgery2.java:64:59:64:61 | uri |
+| RequestForgery2.java:25:23:25:35 | new URI(...) : URI | RequestForgery2.java:67:43:67:45 | uri |
+| RequestForgery2.java:25:31:25:34 | sink : String | RequestForgery2.java:25:23:25:35 | new URI(...) : URI |
+| RequestForgery.java:19:23:19:58 | new URI(...) : URI | RequestForgery.java:22:52:22:54 | uri |
+| RequestForgery.java:19:23:19:58 | new URI(...) : URI | RequestForgery.java:27:57:27:59 | uri |
+| RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:19:23:19:58 | new URI(...) : URI |
 | RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:22:52:22:54 | uri |
 | RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:27:57:27:59 | uri |
 | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:32:47:32:67 | ... + ... |
@@ -15,13 +22,17 @@ edges
 | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:45:47:45:60 | fooResourceUrl |
 | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:54:59:54:72 | fooResourceUrl |
 | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:58:74:58:96 | new URI(...) |
+| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:58:82:58:95 | fooResourceUrl : String |
 | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:62:57:62:70 | fooResourceUrl |
 | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:66:48:66:61 | fooResourceUrl |
 | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:69:30:69:43 | fooResourceUrl |
+| SpringSSRF.java:58:82:58:95 | fooResourceUrl : String | SpringSSRF.java:58:74:58:96 | new URI(...) |
 nodes
 | JaxWsSSRF.java:21:22:21:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JaxWsSSRF.java:22:23:22:25 | url | semmle.label | url |
 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RequestForgery2.java:25:23:25:35 | new URI(...) : URI | semmle.label | new URI(...) : URI |
+| RequestForgery2.java:25:31:25:34 | sink : String | semmle.label | sink : String |
 | RequestForgery2.java:55:32:55:35 | url1 | semmle.label | url1 |
 | RequestForgery2.java:58:32:58:35 | url1 | semmle.label | url1 |
 | RequestForgery2.java:59:30:59:33 | url1 | semmle.label | url1 |
@@ -29,6 +40,7 @@ nodes
 | RequestForgery2.java:64:59:64:61 | uri | semmle.label | uri |
 | RequestForgery2.java:67:43:67:45 | uri | semmle.label | uri |
 | RequestForgery2.java:69:29:69:32 | uri2 | semmle.label | uri2 |
+| RequestForgery.java:19:23:19:58 | new URI(...) : URI | semmle.label | new URI(...) : URI |
 | RequestForgery.java:19:31:19:57 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | RequestForgery.java:22:52:22:54 | uri | semmle.label | uri |
 | RequestForgery.java:27:57:27:59 | uri | semmle.label | uri |
@@ -39,6 +51,7 @@ nodes
 | SpringSSRF.java:45:47:45:60 | fooResourceUrl | semmle.label | fooResourceUrl |
 | SpringSSRF.java:54:59:54:72 | fooResourceUrl | semmle.label | fooResourceUrl |
 | SpringSSRF.java:58:74:58:96 | new URI(...) | semmle.label | new URI(...) |
+| SpringSSRF.java:58:82:58:95 | fooResourceUrl : String | semmle.label | fooResourceUrl : String |
 | SpringSSRF.java:62:57:62:70 | fooResourceUrl | semmle.label | fooResourceUrl |
 | SpringSSRF.java:66:48:66:61 | fooResourceUrl | semmle.label | fooResourceUrl |
 | SpringSSRF.java:69:30:69:43 | fooResourceUrl | semmle.label | fooResourceUrl |
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
index bf3e3f665f9..138f05d2986 100644
--- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
+++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
@@ -3,14 +3,22 @@ edges
 | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:27:21:27:24 | temp |
 | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:30:44:30:47 | temp |
 | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:34:21:34:24 | temp |
-| Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:82:67:82:81 | ... + ... |
+| Test.java:79:33:79:99 | new BufferedReader(...) : BufferedReader | Test.java:80:31:80:32 | br : BufferedReader |
+| Test.java:79:52:79:98 | new InputStreamReader(...) : InputStreamReader | Test.java:79:33:79:99 | new BufferedReader(...) : BufferedReader |
+| Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | Test.java:79:52:79:98 | new InputStreamReader(...) : InputStreamReader |
+| Test.java:80:31:80:32 | br : BufferedReader | Test.java:80:31:80:43 | readLine(...) : String |
+| Test.java:80:31:80:43 | readLine(...) : String | Test.java:82:67:82:81 | ... + ... |
 nodes
 | Test.java:19:18:19:38 | getHostName(...) : String | semmle.label | getHostName(...) : String |
 | Test.java:24:20:24:23 | temp | semmle.label | temp |
 | Test.java:27:21:27:24 | temp | semmle.label | temp |
 | Test.java:30:44:30:47 | temp | semmle.label | temp |
 | Test.java:34:21:34:24 | temp | semmle.label | temp |
+| Test.java:79:33:79:99 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
+| Test.java:79:52:79:98 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
 | Test.java:79:74:79:97 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
+| Test.java:80:31:80:32 | br : BufferedReader | semmle.label | br : BufferedReader |
+| Test.java:80:31:80:43 | readLine(...) : String | semmle.label | readLine(...) : String |
 | Test.java:82:67:82:81 | ... + ... | semmle.label | ... + ... |
 #select
 | Test.java:24:11:24:24 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp | $@ flows to here and is used in a path. | Test.java:19:18:19:38 | getHostName(...) | User-provided value |
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipSlip.expected b/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipSlip.expected
index 6b27b1ec84c..59e4d879d23 100644
--- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipSlip.expected
+++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipSlip.expected
@@ -1,9 +1,16 @@
 edges
+| ZipTest.java:7:19:7:33 | getName(...) : String | ZipTest.java:8:31:8:34 | name : String |
 | ZipTest.java:7:19:7:33 | getName(...) : String | ZipTest.java:9:48:9:51 | file |
 | ZipTest.java:7:19:7:33 | getName(...) : String | ZipTest.java:10:49:10:52 | file |
 | ZipTest.java:7:19:7:33 | getName(...) : String | ZipTest.java:11:36:11:39 | file |
+| ZipTest.java:8:17:8:35 | new File(...) : File | ZipTest.java:9:48:9:51 | file |
+| ZipTest.java:8:17:8:35 | new File(...) : File | ZipTest.java:10:49:10:52 | file |
+| ZipTest.java:8:17:8:35 | new File(...) : File | ZipTest.java:11:36:11:39 | file |
+| ZipTest.java:8:31:8:34 | name : String | ZipTest.java:8:17:8:35 | new File(...) : File |
 nodes
 | ZipTest.java:7:19:7:33 | getName(...) : String | semmle.label | getName(...) : String |
+| ZipTest.java:8:17:8:35 | new File(...) : File | semmle.label | new File(...) : File |
+| ZipTest.java:8:31:8:34 | name : String | semmle.label | name : String |
 | ZipTest.java:9:48:9:51 | file | semmle.label | file |
 | ZipTest.java:10:49:10:52 | file | semmle.label | file |
 | ZipTest.java:11:36:11:39 | file | semmle.label | file |
diff --git a/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.expected b/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.expected
index 4a1a172bbf5..1b4efe7781e 100644
--- a/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.expected
+++ b/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.expected
@@ -1,6 +1,8 @@
 edges
-| ResponseSplitting.java:22:39:22:66 | getParameter(...) : String | ResponseSplitting.java:23:23:23:28 | cookie |
+| ResponseSplitting.java:22:20:22:67 | new Cookie(...) : Cookie | ResponseSplitting.java:23:23:23:28 | cookie |
+| ResponseSplitting.java:22:39:22:66 | getParameter(...) : String | ResponseSplitting.java:22:20:22:67 | new Cookie(...) : Cookie |
 nodes
+| ResponseSplitting.java:22:20:22:67 | new Cookie(...) : Cookie | semmle.label | new Cookie(...) : Cookie |
 | ResponseSplitting.java:22:39:22:66 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | ResponseSplitting.java:23:23:23:28 | cookie | semmle.label | cookie |
 | ResponseSplitting.java:28:38:28:72 | getParameter(...) | semmle.label | getParameter(...) |
diff --git a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTaintedLocal.expected b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTaintedLocal.expected
index 178de2e3dcd..637b605a06f 100644
--- a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTaintedLocal.expected
+++ b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTaintedLocal.expected
@@ -1,13 +1,23 @@
 edges
-| ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:32:17:32:20 | data |
-| ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:40:17:40:20 | data |
-| ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:50:17:50:20 | data |
-| ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:64:20:64:23 | data : Number |
-| ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:95:37:95:40 | data |
-| ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:118:9:118:12 | data : Number |
-| ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:119:10:119:13 | data : Number |
-| ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:120:10:120:13 | data : Number |
-| ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:121:10:121:13 | data : Number |
+| ArithmeticTainted.java:17:24:17:64 | new InputStreamReader(...) : InputStreamReader | ArithmeticTainted.java:18:40:18:56 | readerInputStream : InputStreamReader |
+| ArithmeticTainted.java:17:24:17:64 | new InputStreamReader(...) : InputStreamReader | ArithmeticTainted.java:18:40:18:56 | readerInputStream : InputStreamReader |
+| ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:17:24:17:64 | new InputStreamReader(...) : InputStreamReader |
+| ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | ArithmeticTainted.java:17:24:17:64 | new InputStreamReader(...) : InputStreamReader |
+| ArithmeticTainted.java:18:21:18:57 | new BufferedReader(...) : BufferedReader | ArithmeticTainted.java:19:26:19:39 | readerBuffered : BufferedReader |
+| ArithmeticTainted.java:18:21:18:57 | new BufferedReader(...) : BufferedReader | ArithmeticTainted.java:19:26:19:39 | readerBuffered : BufferedReader |
+| ArithmeticTainted.java:18:40:18:56 | readerInputStream : InputStreamReader | ArithmeticTainted.java:18:21:18:57 | new BufferedReader(...) : BufferedReader |
+| ArithmeticTainted.java:18:40:18:56 | readerInputStream : InputStreamReader | ArithmeticTainted.java:18:21:18:57 | new BufferedReader(...) : BufferedReader |
+| ArithmeticTainted.java:19:26:19:39 | readerBuffered : BufferedReader | ArithmeticTainted.java:19:26:19:50 | readLine(...) : String |
+| ArithmeticTainted.java:19:26:19:39 | readerBuffered : BufferedReader | ArithmeticTainted.java:19:26:19:50 | readLine(...) : String |
+| ArithmeticTainted.java:19:26:19:50 | readLine(...) : String | ArithmeticTainted.java:32:17:32:20 | data |
+| ArithmeticTainted.java:19:26:19:50 | readLine(...) : String | ArithmeticTainted.java:40:17:40:20 | data |
+| ArithmeticTainted.java:19:26:19:50 | readLine(...) : String | ArithmeticTainted.java:50:17:50:20 | data |
+| ArithmeticTainted.java:19:26:19:50 | readLine(...) : String | ArithmeticTainted.java:64:20:64:23 | data : Number |
+| ArithmeticTainted.java:19:26:19:50 | readLine(...) : String | ArithmeticTainted.java:95:37:95:40 | data |
+| ArithmeticTainted.java:19:26:19:50 | readLine(...) : String | ArithmeticTainted.java:118:9:118:12 | data : Number |
+| ArithmeticTainted.java:19:26:19:50 | readLine(...) : String | ArithmeticTainted.java:119:10:119:13 | data : Number |
+| ArithmeticTainted.java:19:26:19:50 | readLine(...) : String | ArithmeticTainted.java:120:10:120:13 | data : Number |
+| ArithmeticTainted.java:19:26:19:50 | readLine(...) : String | ArithmeticTainted.java:121:10:121:13 | data : Number |
 | ArithmeticTainted.java:64:4:64:10 | tainted [post update] [dat] : Number | ArithmeticTainted.java:66:18:66:24 | tainted [dat] : Number |
 | ArithmeticTainted.java:64:20:64:23 | data : Number | ArithmeticTainted.java:64:4:64:10 | tainted [post update] [dat] : Number |
 | ArithmeticTainted.java:66:18:66:24 | tainted [dat] : Number | ArithmeticTainted.java:66:18:66:34 | getData(...) : Number |
@@ -21,8 +31,18 @@ edges
 | ArithmeticTainted.java:133:27:133:34 | data : Number | ArithmeticTainted.java:135:3:135:6 | data |
 | ArithmeticTainted.java:137:27:137:34 | data : Number | ArithmeticTainted.java:139:5:139:8 | data |
 nodes
+| ArithmeticTainted.java:17:24:17:64 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
+| ArithmeticTainted.java:17:24:17:64 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
 | ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | semmle.label | System.in : InputStream |
 | ArithmeticTainted.java:17:46:17:54 | System.in : InputStream | semmle.label | System.in : InputStream |
+| ArithmeticTainted.java:18:21:18:57 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
+| ArithmeticTainted.java:18:21:18:57 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
+| ArithmeticTainted.java:18:40:18:56 | readerInputStream : InputStreamReader | semmle.label | readerInputStream : InputStreamReader |
+| ArithmeticTainted.java:18:40:18:56 | readerInputStream : InputStreamReader | semmle.label | readerInputStream : InputStreamReader |
+| ArithmeticTainted.java:19:26:19:39 | readerBuffered : BufferedReader | semmle.label | readerBuffered : BufferedReader |
+| ArithmeticTainted.java:19:26:19:39 | readerBuffered : BufferedReader | semmle.label | readerBuffered : BufferedReader |
+| ArithmeticTainted.java:19:26:19:50 | readLine(...) : String | semmle.label | readLine(...) : String |
+| ArithmeticTainted.java:19:26:19:50 | readLine(...) : String | semmle.label | readLine(...) : String |
 | ArithmeticTainted.java:32:17:32:20 | data | semmle.label | data |
 | ArithmeticTainted.java:40:17:40:20 | data | semmle.label | data |
 | ArithmeticTainted.java:50:17:50:20 | data | semmle.label | data |
diff --git a/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected b/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected
index f575a093d6e..2af8369c111 100644
--- a/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected
+++ b/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected
@@ -1,40 +1,74 @@
 edges
+| A.java:13:31:13:51 | getInputStream(...) : InputStream | A.java:14:50:14:60 | inputStream : InputStream |
 | A.java:13:31:13:51 | getInputStream(...) : InputStream | A.java:15:12:15:13 | in |
+| A.java:14:28:14:61 | new ObjectInputStream(...) : ObjectInputStream | A.java:15:12:15:13 | in |
+| A.java:14:50:14:60 | inputStream : InputStream | A.java:14:28:14:61 | new ObjectInputStream(...) : ObjectInputStream |
+| A.java:19:31:19:51 | getInputStream(...) : InputStream | A.java:20:50:20:60 | inputStream : InputStream |
 | A.java:19:31:19:51 | getInputStream(...) : InputStream | A.java:21:12:21:13 | in |
-| A.java:25:31:25:51 | getInputStream(...) : InputStream | A.java:27:12:27:12 | d |
-| A.java:32:31:32:51 | getInputStream(...) : InputStream | A.java:34:23:34:28 | reader |
-| A.java:39:29:39:49 | getInputStream(...) : InputStream | A.java:40:28:40:32 | input |
-| A.java:39:29:39:49 | getInputStream(...) : InputStream | A.java:41:34:41:38 | input |
-| A.java:39:29:39:49 | getInputStream(...) : InputStream | A.java:42:40:42:44 | input |
+| A.java:20:28:20:61 | new ObjectInputStream(...) : ObjectInputStream | A.java:21:12:21:13 | in |
+| A.java:20:50:20:60 | inputStream : InputStream | A.java:20:28:20:61 | new ObjectInputStream(...) : ObjectInputStream |
+| A.java:25:31:25:51 | getInputStream(...) : InputStream | A.java:26:35:26:45 | inputStream : InputStream |
+| A.java:26:20:26:46 | new XMLDecoder(...) : XMLDecoder | A.java:27:12:27:12 | d |
+| A.java:26:35:26:45 | inputStream : InputStream | A.java:26:20:26:46 | new XMLDecoder(...) : XMLDecoder |
+| A.java:32:31:32:51 | getInputStream(...) : InputStream | A.java:33:43:33:53 | inputStream : InputStream |
+| A.java:33:21:33:54 | new InputStreamReader(...) : InputStreamReader | A.java:34:23:34:28 | reader |
+| A.java:33:43:33:53 | inputStream : InputStream | A.java:33:21:33:54 | new InputStreamReader(...) : InputStreamReader |
+| A.java:39:19:39:50 | new Input(...) : Input | A.java:40:28:40:32 | input |
+| A.java:39:19:39:50 | new Input(...) : Input | A.java:41:34:41:38 | input |
+| A.java:39:19:39:50 | new Input(...) : Input | A.java:42:40:42:44 | input |
+| A.java:39:29:39:49 | getInputStream(...) : InputStream | A.java:39:19:39:50 | new Input(...) : Input |
 | A.java:60:25:60:45 | getInputStream(...) : InputStream | A.java:61:26:61:30 | input |
 | A.java:60:25:60:45 | getInputStream(...) : InputStream | A.java:62:30:62:34 | input |
-| A.java:60:25:60:45 | getInputStream(...) : InputStream | A.java:63:28:63:55 | new InputStreamReader(...) |
+| A.java:60:25:60:45 | getInputStream(...) : InputStream | A.java:63:50:63:54 | input : InputStream |
 | A.java:60:25:60:45 | getInputStream(...) : InputStream | A.java:64:24:64:28 | input |
-| A.java:60:25:60:45 | getInputStream(...) : InputStream | A.java:65:24:65:51 | new InputStreamReader(...) |
+| A.java:60:25:60:45 | getInputStream(...) : InputStream | A.java:65:46:65:50 | input : InputStream |
+| A.java:63:50:63:54 | input : InputStream | A.java:63:28:63:55 | new InputStreamReader(...) |
+| A.java:65:46:65:50 | input : InputStream | A.java:65:24:65:51 | new InputStreamReader(...) |
 | A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:71:26:71:30 | input |
 | A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:72:30:72:34 | input |
-| A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:73:28:73:55 | new InputStreamReader(...) |
+| A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:73:50:73:54 | input : InputStream |
 | A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:74:24:74:28 | input |
-| A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:75:24:75:51 | new InputStreamReader(...) |
+| A.java:70:25:70:45 | getInputStream(...) : InputStream | A.java:75:46:75:50 | input : InputStream |
+| A.java:73:50:73:54 | input : InputStream | A.java:73:28:73:55 | new InputStreamReader(...) |
+| A.java:75:46:75:50 | input : InputStream | A.java:75:24:75:51 | new InputStreamReader(...) |
 | A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:91:26:91:30 | input |
 | A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:92:30:92:34 | input |
-| A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:93:28:93:55 | new InputStreamReader(...) |
+| A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:93:50:93:54 | input : InputStream |
 | A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:94:24:94:28 | input |
-| A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:95:24:95:51 | new InputStreamReader(...) |
+| A.java:90:25:90:45 | getInputStream(...) : InputStream | A.java:95:46:95:50 | input : InputStream |
+| A.java:93:50:93:54 | input : InputStream | A.java:93:28:93:55 | new InputStreamReader(...) |
+| A.java:95:46:95:50 | input : InputStream | A.java:95:24:95:51 | new InputStreamReader(...) |
 | B.java:7:31:7:51 | getInputStream(...) : InputStream | B.java:8:29:8:39 | inputStream |
-| B.java:12:31:12:51 | getInputStream(...) : InputStream | B.java:15:23:15:27 | bytes |
-| B.java:19:31:19:51 | getInputStream(...) : InputStream | B.java:23:29:23:29 | s |
-| B.java:27:31:27:51 | getInputStream(...) : InputStream | B.java:31:23:31:23 | s |
+| B.java:12:31:12:51 | getInputStream(...) : InputStream | B.java:14:5:14:15 | inputStream : InputStream |
+| B.java:14:5:14:15 | inputStream : InputStream | B.java:14:22:14:26 | bytes [post update] : byte[] |
+| B.java:14:22:14:26 | bytes [post update] : byte[] | B.java:15:23:15:27 | bytes |
+| B.java:19:31:19:51 | getInputStream(...) : InputStream | B.java:21:5:21:15 | inputStream : InputStream |
+| B.java:21:5:21:15 | inputStream : InputStream | B.java:21:22:21:26 | bytes [post update] : byte[] |
+| B.java:21:22:21:26 | bytes [post update] : byte[] | B.java:23:29:23:29 | s |
+| B.java:27:31:27:51 | getInputStream(...) : InputStream | B.java:29:5:29:15 | inputStream : InputStream |
+| B.java:29:5:29:15 | inputStream : InputStream | B.java:29:22:29:26 | bytes [post update] : byte[] |
+| B.java:29:22:29:26 | bytes [post update] : byte[] | B.java:31:23:31:23 | s |
 | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) |
+| TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream |
+| TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) |
 nodes
 | A.java:13:31:13:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| A.java:14:28:14:61 | new ObjectInputStream(...) : ObjectInputStream | semmle.label | new ObjectInputStream(...) : ObjectInputStream |
+| A.java:14:50:14:60 | inputStream : InputStream | semmle.label | inputStream : InputStream |
 | A.java:15:12:15:13 | in | semmle.label | in |
 | A.java:19:31:19:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| A.java:20:28:20:61 | new ObjectInputStream(...) : ObjectInputStream | semmle.label | new ObjectInputStream(...) : ObjectInputStream |
+| A.java:20:50:20:60 | inputStream : InputStream | semmle.label | inputStream : InputStream |
 | A.java:21:12:21:13 | in | semmle.label | in |
 | A.java:25:31:25:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| A.java:26:20:26:46 | new XMLDecoder(...) : XMLDecoder | semmle.label | new XMLDecoder(...) : XMLDecoder |
+| A.java:26:35:26:45 | inputStream : InputStream | semmle.label | inputStream : InputStream |
 | A.java:27:12:27:12 | d | semmle.label | d |
 | A.java:32:31:32:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| A.java:33:21:33:54 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
+| A.java:33:43:33:53 | inputStream : InputStream | semmle.label | inputStream : InputStream |
 | A.java:34:23:34:28 | reader | semmle.label | reader |
+| A.java:39:19:39:50 | new Input(...) : Input | semmle.label | new Input(...) : Input |
 | A.java:39:29:39:49 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | A.java:40:28:40:32 | input | semmle.label | input |
 | A.java:41:34:41:38 | input | semmle.label | input |
@@ -43,30 +77,43 @@ nodes
 | A.java:61:26:61:30 | input | semmle.label | input |
 | A.java:62:30:62:34 | input | semmle.label | input |
 | A.java:63:28:63:55 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
+| A.java:63:50:63:54 | input : InputStream | semmle.label | input : InputStream |
 | A.java:64:24:64:28 | input | semmle.label | input |
 | A.java:65:24:65:51 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
+| A.java:65:46:65:50 | input : InputStream | semmle.label | input : InputStream |
 | A.java:70:25:70:45 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | A.java:71:26:71:30 | input | semmle.label | input |
 | A.java:72:30:72:34 | input | semmle.label | input |
 | A.java:73:28:73:55 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
+| A.java:73:50:73:54 | input : InputStream | semmle.label | input : InputStream |
 | A.java:74:24:74:28 | input | semmle.label | input |
 | A.java:75:24:75:51 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
+| A.java:75:46:75:50 | input : InputStream | semmle.label | input : InputStream |
 | A.java:90:25:90:45 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | A.java:91:26:91:30 | input | semmle.label | input |
 | A.java:92:30:92:34 | input | semmle.label | input |
 | A.java:93:28:93:55 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
+| A.java:93:50:93:54 | input : InputStream | semmle.label | input : InputStream |
 | A.java:94:24:94:28 | input | semmle.label | input |
 | A.java:95:24:95:51 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
+| A.java:95:46:95:50 | input : InputStream | semmle.label | input : InputStream |
 | B.java:7:31:7:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | B.java:8:29:8:39 | inputStream | semmle.label | inputStream |
 | B.java:12:31:12:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| B.java:14:5:14:15 | inputStream : InputStream | semmle.label | inputStream : InputStream |
+| B.java:14:22:14:26 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
 | B.java:15:23:15:27 | bytes | semmle.label | bytes |
 | B.java:19:31:19:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| B.java:21:5:21:15 | inputStream : InputStream | semmle.label | inputStream : InputStream |
+| B.java:21:22:21:26 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
 | B.java:23:29:23:29 | s | semmle.label | s |
 | B.java:27:31:27:51 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| B.java:29:5:29:15 | inputStream : InputStream | semmle.label | inputStream : InputStream |
+| B.java:29:22:29:26 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
 | B.java:31:23:31:23 | s | semmle.label | s |
 | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | semmle.label | entityStream : InputStream |
 | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | semmle.label | new ObjectInputStream(...) |
+| TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream | semmle.label | entityStream : InputStream |
 #select
 | A.java:15:12:15:26 | readObject(...) | A.java:13:31:13:51 | getInputStream(...) : InputStream | A.java:15:12:15:13 | in | Unsafe deserialization of $@. | A.java:13:31:13:51 | getInputStream(...) | user input |
 | A.java:21:12:21:28 | readUnshared(...) | A.java:19:31:19:51 | getInputStream(...) : InputStream | A.java:21:12:21:13 | in | Unsafe deserialization of $@. | A.java:19:31:19:51 | getInputStream(...) | user input |
diff --git a/java/ql/test/query-tests/security/CWE-611/XXE.expected b/java/ql/test/query-tests/security/CWE-611/XXE.expected
index 5a73087602f..e2fcffee125 100644
--- a/java/ql/test/query-tests/security/CWE-611/XXE.expected
+++ b/java/ql/test/query-tests/security/CWE-611/XXE.expected
@@ -1,30 +1,46 @@
 edges
-| DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) : InputStream | DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) |
-| DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) |
-| DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) |
-| SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | SAXSourceTests.java:20:18:20:23 | source |
+| DocumentBuilderTests.java:93:21:93:73 | new SAXSource(...) : SAXSource | DocumentBuilderTests.java:94:16:94:21 | source : SAXSource |
+| DocumentBuilderTests.java:93:35:93:72 | new InputSource(...) : InputSource | DocumentBuilderTests.java:93:21:93:73 | new SAXSource(...) : SAXSource |
+| DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) : InputStream | DocumentBuilderTests.java:93:35:93:72 | new InputSource(...) : InputSource |
+| DocumentBuilderTests.java:94:16:94:21 | source : SAXSource | DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) |
+| DocumentBuilderTests.java:100:24:100:62 | new StreamSource(...) : StreamSource | DocumentBuilderTests.java:101:46:101:51 | source : StreamSource |
+| DocumentBuilderTests.java:100:24:100:62 | new StreamSource(...) : StreamSource | DocumentBuilderTests.java:102:16:102:21 | source : StreamSource |
+| DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | DocumentBuilderTests.java:100:24:100:62 | new StreamSource(...) : StreamSource |
+| DocumentBuilderTests.java:101:46:101:51 | source : StreamSource | DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) |
+| DocumentBuilderTests.java:102:16:102:21 | source : StreamSource | DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) |
+| SAXSourceTests.java:17:24:17:84 | new SAXSource(...) : SAXSource | SAXSourceTests.java:20:18:20:23 | source |
+| SAXSourceTests.java:17:46:17:83 | new InputSource(...) : InputSource | SAXSourceTests.java:17:24:17:84 | new SAXSource(...) : SAXSource |
+| SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | SAXSourceTests.java:17:46:17:83 | new InputSource(...) : InputSource |
 | SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | SchemaTests.java:12:39:12:77 | new StreamSource(...) |
 | SchemaTests.java:25:56:25:76 | getInputStream(...) : InputStream | SchemaTests.java:25:39:25:77 | new StreamSource(...) |
 | SchemaTests.java:31:56:31:76 | getInputStream(...) : InputStream | SchemaTests.java:31:39:31:77 | new StreamSource(...) |
 | SchemaTests.java:38:56:38:76 | getInputStream(...) : InputStream | SchemaTests.java:38:39:38:77 | new StreamSource(...) |
 | SchemaTests.java:45:56:45:76 | getInputStream(...) : InputStream | SchemaTests.java:45:39:45:77 | new StreamSource(...) |
 | SimpleXMLTests.java:24:63:24:83 | getInputStream(...) : InputStream | SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) |
-| SimpleXMLTests.java:30:5:30:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:31:41:31:53 | new String(...) |
-| SimpleXMLTests.java:37:5:37:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:38:41:38:53 | new String(...) |
+| SimpleXMLTests.java:30:5:30:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:30:32:30:32 | b [post update] : byte[] |
+| SimpleXMLTests.java:30:32:30:32 | b [post update] : byte[] | SimpleXMLTests.java:31:41:31:53 | new String(...) |
+| SimpleXMLTests.java:37:5:37:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:37:32:37:32 | b [post update] : byte[] |
+| SimpleXMLTests.java:37:32:37:32 | b [post update] : byte[] | SimpleXMLTests.java:38:41:38:53 | new String(...) |
 | SimpleXMLTests.java:43:63:43:83 | getInputStream(...) : InputStream | SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) |
 | SimpleXMLTests.java:68:59:68:79 | getInputStream(...) : InputStream | SimpleXMLTests.java:68:37:68:80 | new InputStreamReader(...) |
 | SimpleXMLTests.java:73:59:73:79 | getInputStream(...) : InputStream | SimpleXMLTests.java:73:37:73:80 | new InputStreamReader(...) |
 | SimpleXMLTests.java:78:48:78:68 | getInputStream(...) : InputStream | SimpleXMLTests.java:78:26:78:69 | new InputStreamReader(...) |
 | SimpleXMLTests.java:83:48:83:68 | getInputStream(...) : InputStream | SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) |
-| SimpleXMLTests.java:89:5:89:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:90:37:90:49 | new String(...) |
-| SimpleXMLTests.java:96:5:96:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:97:37:97:49 | new String(...) |
-| SimpleXMLTests.java:103:5:103:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:104:26:104:38 | new String(...) |
-| SimpleXMLTests.java:110:5:110:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:111:26:111:38 | new String(...) |
+| SimpleXMLTests.java:89:5:89:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:89:32:89:32 | b [post update] : byte[] |
+| SimpleXMLTests.java:89:32:89:32 | b [post update] : byte[] | SimpleXMLTests.java:90:37:90:49 | new String(...) |
+| SimpleXMLTests.java:96:5:96:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:96:32:96:32 | b [post update] : byte[] |
+| SimpleXMLTests.java:96:32:96:32 | b [post update] : byte[] | SimpleXMLTests.java:97:37:97:49 | new String(...) |
+| SimpleXMLTests.java:103:5:103:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:103:32:103:32 | b [post update] : byte[] |
+| SimpleXMLTests.java:103:32:103:32 | b [post update] : byte[] | SimpleXMLTests.java:104:26:104:38 | new String(...) |
+| SimpleXMLTests.java:110:5:110:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:110:32:110:32 | b [post update] : byte[] |
+| SimpleXMLTests.java:110:32:110:32 | b [post update] : byte[] | SimpleXMLTests.java:111:26:111:38 | new String(...) |
 | SimpleXMLTests.java:119:44:119:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) |
 | SimpleXMLTests.java:129:44:129:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:129:22:129:65 | new InputStreamReader(...) |
 | SimpleXMLTests.java:139:44:139:64 | getInputStream(...) : InputStream | SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) |
-| SimpleXMLTests.java:145:5:145:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:146:22:146:34 | new String(...) |
-| SimpleXMLTests.java:152:5:152:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:153:22:153:34 | new String(...) |
+| SimpleXMLTests.java:145:5:145:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:145:32:145:32 | b [post update] : byte[] |
+| SimpleXMLTests.java:145:32:145:32 | b [post update] : byte[] | SimpleXMLTests.java:146:22:146:34 | new String(...) |
+| SimpleXMLTests.java:152:5:152:25 | getInputStream(...) : InputStream | SimpleXMLTests.java:152:32:152:32 | b [post update] : byte[] |
+| SimpleXMLTests.java:152:32:152:32 | b [post update] : byte[] | SimpleXMLTests.java:153:22:153:34 | new String(...) |
 | TransformerTests.java:20:44:20:64 | getInputStream(...) : InputStream | TransformerTests.java:20:27:20:65 | new StreamSource(...) |
 | TransformerTests.java:21:40:21:60 | getInputStream(...) : InputStream | TransformerTests.java:21:23:21:61 | new StreamSource(...) |
 | TransformerTests.java:71:44:71:64 | getInputStream(...) : InputStream | TransformerTests.java:71:27:71:65 | new StreamSource(...) |
@@ -40,7 +56,8 @@ edges
 | TransformerTests.java:122:38:122:58 | getInputStream(...) : InputStream | TransformerTests.java:122:21:122:59 | new StreamSource(...) |
 | TransformerTests.java:129:38:129:58 | getInputStream(...) : InputStream | TransformerTests.java:129:21:129:59 | new StreamSource(...) |
 | TransformerTests.java:136:38:136:58 | getInputStream(...) : InputStream | TransformerTests.java:136:21:136:59 | new StreamSource(...) |
-| TransformerTests.java:141:48:141:68 | getInputStream(...) : InputStream | TransformerTests.java:141:18:141:70 | new SAXSource(...) |
+| TransformerTests.java:141:32:141:69 | new InputSource(...) : InputSource | TransformerTests.java:141:18:141:70 | new SAXSource(...) |
+| TransformerTests.java:141:48:141:68 | getInputStream(...) : InputStream | TransformerTests.java:141:32:141:69 | new InputSource(...) : InputSource |
 | XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | XMLReaderTests.java:16:18:16:55 | new InputSource(...) |
 | XMLReaderTests.java:56:34:56:54 | getInputStream(...) : InputStream | XMLReaderTests.java:56:18:56:55 | new InputSource(...) |
 | XMLReaderTests.java:63:34:63:54 | getInputStream(...) : InputStream | XMLReaderTests.java:63:18:63:55 | new InputSource(...) |
@@ -58,10 +75,16 @@ nodes
 | DocumentBuilderTests.java:71:19:71:39 | getInputStream(...) | semmle.label | getInputStream(...) |
 | DocumentBuilderTests.java:79:19:79:39 | getInputStream(...) | semmle.label | getInputStream(...) |
 | DocumentBuilderTests.java:87:19:87:39 | getInputStream(...) | semmle.label | getInputStream(...) |
+| DocumentBuilderTests.java:93:21:93:73 | new SAXSource(...) : SAXSource | semmle.label | new SAXSource(...) : SAXSource |
+| DocumentBuilderTests.java:93:35:93:72 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource |
 | DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| DocumentBuilderTests.java:94:16:94:21 | source : SAXSource | semmle.label | source : SAXSource |
 | DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) | semmle.label | getInputSource(...) |
+| DocumentBuilderTests.java:100:24:100:62 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
 | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) | semmle.label | sourceToInputSource(...) |
+| DocumentBuilderTests.java:101:46:101:51 | source : StreamSource | semmle.label | source : StreamSource |
+| DocumentBuilderTests.java:102:16:102:21 | source : StreamSource | semmle.label | source : StreamSource |
 | DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SAXBuilderTests.java:8:19:8:39 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SAXBuilderTests.java:20:19:20:39 | getInputStream(...) | semmle.label | getInputStream(...) |
@@ -79,6 +102,8 @@ nodes
 | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | semmle.label | getInputStream(...) |
+| SAXSourceTests.java:17:24:17:84 | new SAXSource(...) : SAXSource | semmle.label | new SAXSource(...) : SAXSource |
+| SAXSourceTests.java:17:46:17:83 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource |
 | SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | SAXSourceTests.java:20:18:20:23 | source | semmle.label | source |
 | SchemaTests.java:12:39:12:77 | new StreamSource(...) | semmle.label | new StreamSource(...) |
@@ -96,8 +121,10 @@ nodes
 | SimpleXMLTests.java:24:41:24:84 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
 | SimpleXMLTests.java:24:63:24:83 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | SimpleXMLTests.java:30:5:30:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SimpleXMLTests.java:30:32:30:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
 | SimpleXMLTests.java:31:41:31:53 | new String(...) | semmle.label | new String(...) |
 | SimpleXMLTests.java:37:5:37:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SimpleXMLTests.java:37:32:37:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
 | SimpleXMLTests.java:38:41:38:53 | new String(...) | semmle.label | new String(...) |
 | SimpleXMLTests.java:43:41:43:84 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
 | SimpleXMLTests.java:43:63:43:83 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
@@ -114,12 +141,16 @@ nodes
 | SimpleXMLTests.java:83:26:83:69 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
 | SimpleXMLTests.java:83:48:83:68 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | SimpleXMLTests.java:89:5:89:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SimpleXMLTests.java:89:32:89:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
 | SimpleXMLTests.java:90:37:90:49 | new String(...) | semmle.label | new String(...) |
 | SimpleXMLTests.java:96:5:96:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SimpleXMLTests.java:96:32:96:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
 | SimpleXMLTests.java:97:37:97:49 | new String(...) | semmle.label | new String(...) |
 | SimpleXMLTests.java:103:5:103:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SimpleXMLTests.java:103:32:103:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
 | SimpleXMLTests.java:104:26:104:38 | new String(...) | semmle.label | new String(...) |
 | SimpleXMLTests.java:110:5:110:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SimpleXMLTests.java:110:32:110:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
 | SimpleXMLTests.java:111:26:111:38 | new String(...) | semmle.label | new String(...) |
 | SimpleXMLTests.java:115:22:115:42 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SimpleXMLTests.java:119:22:119:65 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
@@ -131,8 +162,10 @@ nodes
 | SimpleXMLTests.java:139:22:139:65 | new InputStreamReader(...) | semmle.label | new InputStreamReader(...) |
 | SimpleXMLTests.java:139:44:139:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | SimpleXMLTests.java:145:5:145:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SimpleXMLTests.java:145:32:145:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
 | SimpleXMLTests.java:146:22:146:34 | new String(...) | semmle.label | new String(...) |
 | SimpleXMLTests.java:152:5:152:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SimpleXMLTests.java:152:32:152:32 | b [post update] : byte[] | semmle.label | b [post update] : byte[] |
 | SimpleXMLTests.java:153:22:153:34 | new String(...) | semmle.label | new String(...) |
 | TransformerTests.java:20:27:20:65 | new StreamSource(...) | semmle.label | new StreamSource(...) |
 | TransformerTests.java:20:44:20:64 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
@@ -165,6 +198,7 @@ nodes
 | TransformerTests.java:136:21:136:59 | new StreamSource(...) | semmle.label | new StreamSource(...) |
 | TransformerTests.java:136:38:136:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | TransformerTests.java:141:18:141:70 | new SAXSource(...) | semmle.label | new SAXSource(...) |
+| TransformerTests.java:141:32:141:69 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource |
 | TransformerTests.java:141:48:141:68 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | semmle.label | getInputStream(...) |
 | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | semmle.label | new InputSource(...) |
diff --git a/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTaintedLocal.expected b/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTaintedLocal.expected
index 0be574cad70..90e1b421f97 100644
--- a/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTaintedLocal.expected
+++ b/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTaintedLocal.expected
@@ -1,7 +1,15 @@
 edges
-| Test.java:11:28:11:36 | System.in : InputStream | Test.java:21:22:21:25 | data |
+| Test.java:10:36:11:47 | new BufferedReader(...) : BufferedReader | Test.java:12:26:12:39 | readerBuffered : BufferedReader |
+| Test.java:11:6:11:46 | new InputStreamReader(...) : InputStreamReader | Test.java:10:36:11:47 | new BufferedReader(...) : BufferedReader |
+| Test.java:11:28:11:36 | System.in : InputStream | Test.java:11:6:11:46 | new InputStreamReader(...) : InputStreamReader |
+| Test.java:12:26:12:39 | readerBuffered : BufferedReader | Test.java:12:26:12:50 | readLine(...) : String |
+| Test.java:12:26:12:50 | readLine(...) : String | Test.java:21:22:21:25 | data |
 nodes
+| Test.java:10:36:11:47 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
+| Test.java:11:6:11:46 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
 | Test.java:11:28:11:36 | System.in : InputStream | semmle.label | System.in : InputStream |
+| Test.java:12:26:12:39 | readerBuffered : BufferedReader | semmle.label | readerBuffered : BufferedReader |
+| Test.java:12:26:12:50 | readLine(...) : String | semmle.label | readLine(...) : String |
 | Test.java:21:22:21:25 | data | semmle.label | data |
 #select
 | Test.java:21:17:21:25 | (...)... | Test.java:11:28:11:36 | System.in : InputStream | Test.java:21:22:21:25 | data | $@ flows to here and is cast to a narrower type, potentially causing truncation. | Test.java:11:28:11:36 | System.in | User-provided value |

From 579c9558929e8242b19174123f49e19617b15d1d Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Wed, 14 Apr 2021 13:37:30 +0200
Subject: [PATCH 0463/1429] Java: Adjust some tests.

---
 .../dataflow/external-models/steps.expected   | 16 +++++-----
 .../dataflow/external-models/steps.ql         | 17 ++++++-----
 .../localAdditionalTaintStep.ql               |  8 +++--
 .../apache-commons-lang3/ObjectUtilsTest.java | 30 +++++++++----------
 .../frameworks/guava/TestBase.java            |  4 +--
 5 files changed, 40 insertions(+), 35 deletions(-)

diff --git a/java/ql/test/library-tests/dataflow/external-models/steps.expected b/java/ql/test/library-tests/dataflow/external-models/steps.expected
index f7e0c0fb23e..02548a949c8 100644
--- a/java/ql/test/library-tests/dataflow/external-models/steps.expected
+++ b/java/ql/test/library-tests/dataflow/external-models/steps.expected
@@ -1,10 +1,10 @@
 invalidModelRow
 #select
-| C.java:6:16:6:19 | arg1 | C.java:6:5:6:20 | stepArgRes(...) | qltest |
-| C.java:10:16:10:21 | argIn1 | C.java:10:24:10:30 | argOut1 [post update] | qltest |
-| C.java:13:16:13:21 | argIn2 | C.java:13:24:13:30 | argOut2 [post update] | qltest |
-| C.java:16:17:16:20 | arg2 | C.java:16:5:16:21 | this <.method> [post update] | qltest |
-| C.java:18:22:18:25 | arg3 | C.java:18:5:18:8 | this [post update] | qltest |
-| C.java:20:5:20:8 | this | C.java:20:5:20:22 | stepQualRes(...) | qltest |
-| C.java:21:5:21:17 | this <.method> | C.java:21:5:21:17 | stepQualRes(...) | qltest |
-| C.java:24:5:24:23 | this <.method> | C.java:24:17:24:22 | argOut [post update] | qltest |
+| C.java:6:16:6:19 | arg1 | C.java:6:5:6:20 | stepArgRes(...) |
+| C.java:10:16:10:21 | argIn1 | C.java:10:24:10:30 | argOut1 [post update] |
+| C.java:13:16:13:21 | argIn2 | C.java:13:24:13:30 | argOut2 [post update] |
+| C.java:16:17:16:20 | arg2 | C.java:16:5:16:21 | this <.method> [post update] |
+| C.java:18:22:18:25 | arg3 | C.java:18:5:18:8 | this [post update] |
+| C.java:20:5:20:8 | this | C.java:20:5:20:22 | stepQualRes(...) |
+| C.java:21:5:21:17 | this <.method> | C.java:21:5:21:17 | stepQualRes(...) |
+| C.java:24:5:24:23 | this <.method> | C.java:24:17:24:22 | argOut [post update] |
diff --git a/java/ql/test/library-tests/dataflow/external-models/steps.ql b/java/ql/test/library-tests/dataflow/external-models/steps.ql
index 441d5eeca2b..58edd018587 100644
--- a/java/ql/test/library-tests/dataflow/external-models/steps.ql
+++ b/java/ql/test/library-tests/dataflow/external-models/steps.ql
@@ -1,6 +1,7 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.ExternalFlow
+import semmle.code.java.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 import CsvValidation
 
 class SummaryModelTest extends SummaryModelCsv {
@@ -8,15 +9,15 @@ class SummaryModelTest extends SummaryModelCsv {
     row =
       [
         //"package;type;overrides;name;signature;ext;inputspec;outputspec;kind",
-        "my.qltest;C;false;stepArgRes;(Object);;Argument[0];ReturnValue;qltest",
-        "my.qltest;C;false;stepArgArg;(Object,Object);;Argument[0];Argument[1];qltest",
-        "my.qltest;C;false;stepArgQual;(Object);;Argument[0];Argument[-1];qltest",
-        "my.qltest;C;false;stepQualRes;();;Argument[-1];ReturnValue;qltest",
-        "my.qltest;C;false;stepQualArg;(Object);;Argument[-1];Argument[0];qltest"
+        "my.qltest;C;false;stepArgRes;(Object);;Argument[0];ReturnValue;taint",
+        "my.qltest;C;false;stepArgArg;(Object,Object);;Argument[0];Argument[1];taint",
+        "my.qltest;C;false;stepArgQual;(Object);;Argument[0];Argument[-1];taint",
+        "my.qltest;C;false;stepQualRes;();;Argument[-1];ReturnValue;taint",
+        "my.qltest;C;false;stepQualArg;(Object);;Argument[-1];Argument[0];taint"
       ]
   }
 }
 
-from DataFlow::Node node1, DataFlow::Node node2, string kind
-where summaryStep(node1, node2, kind)
-select node1, node2, kind
+from DataFlow::Node node1, DataFlow::Node node2
+where FlowSummaryImpl::Private::Steps::summaryThroughStep(node1, node2, false)
+select node1, node2
diff --git a/java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.ql b/java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.ql
index 41b5a413386..1520ea7347d 100644
--- a/java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.ql
+++ b/java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.ql
@@ -1,8 +1,12 @@
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.internal.TaintTrackingUtil
+import semmle.code.java.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 
 from DataFlow::Node src, DataFlow::Node sink
 where
-  localAdditionalTaintStep(src, sink) and
-  src.getLocation().getFile().getExtension() = "java"
+  (
+    localAdditionalTaintStep(src, sink) or
+    FlowSummaryImpl::Private::Steps::summaryThroughStep(src, sink, false)
+  ) and
+  not FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, false)
 select src, sink
diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/ObjectUtilsTest.java b/java/ql/test/library-tests/frameworks/apache-commons-lang3/ObjectUtilsTest.java
index d586b887290..58ee4d262e6 100644
--- a/java/ql/test/library-tests/frameworks/apache-commons-lang3/ObjectUtilsTest.java
+++ b/java/ql/test/library-tests/frameworks/apache-commons-lang3/ObjectUtilsTest.java
@@ -17,22 +17,22 @@ public class ObjectUtilsTest {
     sink(ObjectUtils.CONST_BYTE(IntSource.taint())); // $hasValueFlow
     sink(ObjectUtils.defaultIfNull(taint(), null)); // $hasValueFlow
     sink(ObjectUtils.defaultIfNull(null, taint())); // $hasValueFlow
-    sink(ObjectUtils.firstNonNull(taint(), null, null)); // $hasTaintFlow $MISSING:hasValueFlow
-    sink(ObjectUtils.firstNonNull(null, taint(), null)); // $hasTaintFlow $MISSING:hasValueFlow
-    sink(ObjectUtils.firstNonNull(null, null, taint())); // $hasTaintFlow $MISSING:hasValueFlow
+    sink(ObjectUtils.firstNonNull(taint(), null, null)); // $ MISSING:hasValueFlow
+    sink(ObjectUtils.firstNonNull(null, taint(), null)); // $ MISSING:hasValueFlow
+    sink(ObjectUtils.firstNonNull(null, null, taint())); // $ MISSING:hasValueFlow
     sink(ObjectUtils.getIfNull(taint(), null)); // $hasValueFlow
-    sink(ObjectUtils.max(taint(), null, null)); // $hasTaintFlow $MISSING:hasValueFlow
-    sink(ObjectUtils.max(null, taint(), null)); // $hasTaintFlow $MISSING:hasValueFlow
-    sink(ObjectUtils.max(null, null, taint())); // $hasTaintFlow $MISSING:hasValueFlow
-    sink(ObjectUtils.median(taint(), null, null)); // $hasTaintFlow $MISSING:hasValueFlow
-    sink(ObjectUtils.median((String)null, taint(), null)); // $hasTaintFlow $MISSING:hasValueFlow
-    sink(ObjectUtils.median((String)null, null, taint())); // $hasTaintFlow $MISSING:hasValueFlow
-    sink(ObjectUtils.min(taint(), null, null)); // $hasTaintFlow $MISSING:hasValueFlow
-    sink(ObjectUtils.min(null, taint(), null)); // $hasTaintFlow $MISSING:hasValueFlow
-    sink(ObjectUtils.min(null, null, taint())); // $hasTaintFlow $MISSING:hasValueFlow
-    sink(ObjectUtils.mode(taint(), null, null)); // $hasTaintFlow $MISSING:hasValueFlow
-    sink(ObjectUtils.mode(null, taint(), null)); // $hasTaintFlow $MISSING:hasValueFlow
-    sink(ObjectUtils.mode(null, null, taint())); // $hasTaintFlow $MISSING:hasValueFlow
+    sink(ObjectUtils.max(taint(), null, null)); // $ MISSING:hasValueFlow
+    sink(ObjectUtils.max(null, taint(), null)); // $ MISSING:hasValueFlow
+    sink(ObjectUtils.max(null, null, taint())); // $ MISSING:hasValueFlow
+    sink(ObjectUtils.median(taint(), null, null)); // $ MISSING:hasValueFlow
+    sink(ObjectUtils.median((String)null, taint(), null)); // $ MISSING:hasValueFlow
+    sink(ObjectUtils.median((String)null, null, taint())); // $ MISSING:hasValueFlow
+    sink(ObjectUtils.min(taint(), null, null)); // $ MISSING:hasValueFlow
+    sink(ObjectUtils.min(null, taint(), null)); // $ MISSING:hasValueFlow
+    sink(ObjectUtils.min(null, null, taint())); // $ MISSING:hasValueFlow
+    sink(ObjectUtils.mode(taint(), null, null)); // $ MISSING:hasValueFlow
+    sink(ObjectUtils.mode(null, taint(), null)); // $ MISSING:hasValueFlow
+    sink(ObjectUtils.mode(null, null, taint())); // $ MISSING:hasValueFlow
     sink(ObjectUtils.requireNonEmpty(taint(), "message")); // $hasValueFlow
     sink(ObjectUtils.requireNonEmpty("not null", taint())); // GOOD (message doesn't propagate to the return)
     sink(ObjectUtils.toString(taint(), "default string")); // GOOD (first argument is stringified)
diff --git a/java/ql/test/library-tests/frameworks/guava/TestBase.java b/java/ql/test/library-tests/frameworks/guava/TestBase.java
index c2c3beecdf2..9ce907f4551 100644
--- a/java/ql/test/library-tests/frameworks/guava/TestBase.java
+++ b/java/ql/test/library-tests/frameworks/guava/TestBase.java
@@ -18,7 +18,7 @@ class TestBase {
         sink(Strings.lenientFormat(x, 3)); // $numTaintFlow=1
         sink(Strings.commonPrefix(x, "abc")); 
         sink(Strings.commonSuffix(x, "cde")); 
-        sink(Strings.lenientFormat("%s = %s", x, 3)); // $numTaintFlow=1
+        sink(Strings.lenientFormat("%s = %s", x, 3)); // $ MISSING:numTaintFlow=1
     }
 
     void test2() {
@@ -60,4 +60,4 @@ class TestBase {
     void test4() {
         sink(Preconditions.checkNotNull(taint())); // $numTaintFlow=1
     }
-}
\ No newline at end of file
+}

From 39862740e051d09d3e45af8b70afb8930709b02d Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Thu, 15 Apr 2021 16:12:40 +0200
Subject: [PATCH 0464/1429] Java: Convert support for fluent interfaces.

---
 .../java/dataflow/internal/DataFlowUtil.qll   |  8 ++++++
 .../dataflow/internal/TaintTrackingUtil.qll   | 26 -------------------
 2 files changed, 8 insertions(+), 26 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
index 2ad09574015..64e245e1c60 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
@@ -150,6 +150,14 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {
   )
   or
   FlowSummaryImpl::Private::Steps::summaryLocalStep(node1, node2, true)
+  or
+  // If flow through a method updates a parameter from some input A, and that
+  // parameter also is returned through B, then we'd like a combined flow from A
+  // to B as well. As an example, this simplifies modeling of fluent methods:
+  // for `StringBuilder.append(x)` with a specified value flow from qualifier to
+  // return value and taint flow from argument 0 to the qualifier, then this
+  // allows the inferral of taint flow from argument 0 to the return value.
+  node1.(SummaryNode).(PostUpdateNode).getPreUpdateNode().(ParameterNode) = node2
 }
 
 /**
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index d684ebb5275..9dc5d8f24b7 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -46,12 +46,6 @@ predicate localTaintStep(DataFlow::Node src, DataFlow::Node sink) {
  * different objects.
  */
 predicate localAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
-  localAdditionalBasicTaintStep(src, sink)
-  or
-  composedValueAndTaintModelStep(src, sink)
-}
-
-private predicate localAdditionalBasicTaintStep(DataFlow::Node src, DataFlow::Node sink) {
   localAdditionalTaintExprStep(src.asExpr(), sink.asExpr())
   or
   localAdditionalTaintUpdateStep(src.asExpr(),
@@ -67,26 +61,6 @@ private predicate localAdditionalBasicTaintStep(DataFlow::Node src, DataFlow::No
   not FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, true)
 }
 
-/**
- * Holds if an additional step from `src` to `sink` through a call can be inferred from the
- * combination of a value-preserving step providing an alias between an input and the output
- * and a taint step from `src` to one the aliased nodes. For example, if we know that `f(a, b)` returns
- * the exact value of `a` and also propagates taint from `b` to `a`, then we also know that
- * the return value is tainted after `f` completes.
- */
-private predicate composedValueAndTaintModelStep(ArgumentNode src, DataFlow::Node sink) {
-  exists(Call call, ArgumentNode valueSource, DataFlow::PostUpdateNode valueSourcePost |
-    src.argumentOf(call, _) and
-    valueSource.argumentOf(call, _) and
-    src != valueSource and
-    valueSourcePost.getPreUpdateNode() = valueSource and
-    // in-x -value-> out-y and in-z -taint-> in-x ==> in-z -taint-> out-y
-    localAdditionalBasicTaintStep(src, valueSourcePost) and
-    DataFlow::localFlowStep(valueSource, DataFlow::exprNode(call)) and
-    sink = DataFlow::exprNode(call)
-  )
-}
-
 /**
  * Holds if the additional step from `src` to `sink` should be included in all
  * global taint flow configurations.

From 7d84cfacefe2682b414951fe1fbb48efa8d7ac8a Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Thu, 15 Apr 2021 16:22:51 +0200
Subject: [PATCH 0465/1429] Java: Add MapKeyContent and MapValueContent.

---
 .../code/java/dataflow/ExternalFlow.qll       | 12 +++++------
 .../dataflow/internal/DataFlowPrivate.qll     | 20 ++++++++++++++-----
 2 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index c1ad6eb4ecf..7d70017c6d8 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -460,7 +460,7 @@ module CsvValidation {
       summaryModel(_, _, _, _, _, _, input, _, _) and pred = "summary"
     |
       specSplit(input, part, _) and
-      not part.regexpMatch("|ReturnValue|ArrayElement|Element") and
+      not part.regexpMatch("|ReturnValue|ArrayElement|Element|MapKey|MapValue") and
       not (part = "Argument" and pred = "sink") and
       not parseArg(part, _) and
       msg = "Unrecognized input specification \"" + part + "\" in " + pred + " model."
@@ -472,7 +472,7 @@ module CsvValidation {
       summaryModel(_, _, _, _, _, _, _, output, _) and pred = "summary"
     |
       specSplit(output, part, _) and
-      not part.regexpMatch("|ReturnValue|ArrayElement|Element") and
+      not part.regexpMatch("|ReturnValue|ArrayElement|Element|MapKey|MapValue") and
       not (part = ["Argument", "Parameter"] and pred = "source") and
       not parseArg(part, _) and
       not parseParam(part, _) and
@@ -690,10 +690,10 @@ private SummaryComponent interpretComponent(string c) {
     c = "ArrayElement" and result = SummaryComponent::content(any(ArrayContent c0))
     or
     c = "Element" and result = SummaryComponent::content(any(CollectionContent c0))
-    // or
-    // c = "MapKey" and result = SummaryComponent::content(any(MapKeyContent c0))
-    // or
-    // c = "MapValue" and result = SummaryComponent::content(any(MapValueContent c0))
+    or
+    c = "MapKey" and result = SummaryComponent::content(any(MapKeyContent c0))
+    or
+    c = "MapValue" and result = SummaryComponent::content(any(MapValueContent c0))
   )
 }
 
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
index c425eaa1185..23d84c10c9f 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
@@ -84,8 +84,10 @@ private predicate instanceFieldAssign(Expr src, FieldAccess fa) {
 
 private newtype TContent =
   TFieldContent(InstanceField f) or
+  TArrayContent() or
   TCollectionContent() or
-  TArrayContent()
+  TMapKeyContent() or
+  TMapValueContent()
 
 /**
  * A reference contained in an object. Examples include instance fields, the
@@ -114,12 +116,20 @@ class FieldContent extends Content, TFieldContent {
   }
 }
 
-class CollectionContent extends Content, TCollectionContent {
-  override string toString() { result = "collection" }
+class ArrayContent extends Content, TArrayContent {
+  override string toString() { result = "[]" }
 }
 
-class ArrayContent extends Content, TArrayContent {
-  override string toString() { result = "array" }
+class CollectionContent extends Content, TCollectionContent {
+  override string toString() { result = "<element>" }
+}
+
+class MapKeyContent extends Content, TMapKeyContent {
+  override string toString() { result = "<map.key>" }
+}
+
+class MapValueContent extends Content, TMapValueContent {
+  override string toString() { result = "<map.value>" }
 }
 
 /**

From b2cb284ff273c8197209c25510ebff60e1ba1cbe Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 19 Apr 2021 14:56:20 +0200
Subject: [PATCH 0466/1429] Python: Add more examples of what is ok with new
 taint tests

---
 .../inline-taint-test-demo/InlineTaintTest.expected  |  6 ++++--
 .../meta/inline-taint-test-demo/taint_test.py        | 12 ++++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.expected b/python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.expected
index 1b9dcc764be..cb60ce49355 100644
--- a/python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.expected
+++ b/python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.expected
@@ -1,5 +1,7 @@
 argumentToEnsureNotTaintedNotMarkedAsSpurious
-| ERROR, you should add `SPURIOUS:` to this annotation | taint_test.py:36:9:36:29 | taint_test.py:36 | should_not_be_tainted |
+| ERROR, you should add `SPURIOUS:` to this annotation | taint_test.py:48:9:48:29 | taint_test.py:48 | should_not_be_tainted |
 untaintedArgumentToEnsureTaintedNotMarkedAsMissing
-| ERROR, you should add `# $ MISSING: tainted` annotation | taint_test.py:28:9:28:25 | taint_test.py:28 |
+| ERROR, you should add `# $ MISSING: tainted` annotation | taint_test.py:32:9:32:25 | taint_test.py:32 |
+| ERROR, you should add `# $ MISSING: tainted` annotation | taint_test.py:37:24:37:40 | taint_test.py:37 |
 failures
+| taint_test.py:41:20:41:21 | ts | Fixed missing result:tainted= |
diff --git a/python/ql/test/experimental/meta/inline-taint-test-demo/taint_test.py b/python/ql/test/experimental/meta/inline-taint-test-demo/taint_test.py
index c5c64b05ff1..f25b61bcf3a 100644
--- a/python/ql/test/experimental/meta/inline-taint-test-demo/taint_test.py
+++ b/python/ql/test/experimental/meta/inline-taint-test-demo/taint_test.py
@@ -9,6 +9,10 @@ def expected_usage():
         should_be_tainted, # $ MISSING: tainted
     )
 
+    # having one annotation for multiple arguments is OK, as long as all arguments
+    # fulfil the same annotation
+    ensure_tainted(ts, ts) # $ tainted
+
     # simulating handling something we _want_ to treat at untainted, but we currently treat as tainted
     should_not_be_tainted = "pretend this is now safe" + ts
     ensure_not_tainted(
@@ -28,6 +32,14 @@ def bad_usage():
         should_be_tainted,
     )
 
+    # using one annotation for multiple arguments i not OK when it's mixed whether our
+    # taint-tracking works as expected
+    ensure_tainted(ts, should_be_tainted) # $ tainted
+
+    # if you try to get around it by adding BOTH annotations, that results in a problem
+    # from the default set of inline-test-expectation rules
+    ensure_tainted(ts, should_be_tainted) # $ tainted MISSING: tainted
+
     # simulating handling something we _want_ to treat at untainted, but we currently treat as tainted
     should_not_be_tainted = "pretend this is now safe" + ts
 

From 9585390941d16c35c667665be3803d56d83f5844 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 19 Apr 2021 14:59:47 +0200
Subject: [PATCH 0467/1429] Python: Taint tests, report error location first

To better match the standard output from inline expectation tests
---
 python/ql/test/experimental/meta/InlineTaintTest.qll        | 4 ++--
 .../meta/inline-taint-test-demo/InlineTaintTest.expected    | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/python/ql/test/experimental/meta/InlineTaintTest.qll b/python/ql/test/experimental/meta/InlineTaintTest.qll
index b45029477d4..a5e5d14994f 100644
--- a/python/ql/test/experimental/meta/InlineTaintTest.qll
+++ b/python/ql/test/experimental/meta/InlineTaintTest.qll
@@ -66,7 +66,7 @@ class InlineTaintTest extends InlineExpectationsTest {
 }
 
 query predicate argumentToEnsureNotTaintedNotMarkedAsSpurious(
-  string error, Location location, string element
+  Location location, string error, string element
 ) {
   error = "ERROR, you should add `SPURIOUS:` to this annotation" and
   location = shouldNotBeTainted().getLocation() and
@@ -78,7 +78,7 @@ query predicate argumentToEnsureNotTaintedNotMarkedAsSpurious(
   )
 }
 
-query predicate untaintedArgumentToEnsureTaintedNotMarkedAsMissing(string error, Location location) {
+query predicate untaintedArgumentToEnsureTaintedNotMarkedAsMissing(Location location, string error) {
   error = "ERROR, you should add `# $ MISSING: tainted` annotation" and
   exists(DataFlow::Node sink |
     sink = shouldBeTainted() and
diff --git a/python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.expected b/python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.expected
index cb60ce49355..a547545f38a 100644
--- a/python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.expected
+++ b/python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.expected
@@ -1,7 +1,7 @@
 argumentToEnsureNotTaintedNotMarkedAsSpurious
-| ERROR, you should add `SPURIOUS:` to this annotation | taint_test.py:48:9:48:29 | taint_test.py:48 | should_not_be_tainted |
+| taint_test.py:48:9:48:29 | taint_test.py:48 | ERROR, you should add `SPURIOUS:` to this annotation | should_not_be_tainted |
 untaintedArgumentToEnsureTaintedNotMarkedAsMissing
-| ERROR, you should add `# $ MISSING: tainted` annotation | taint_test.py:32:9:32:25 | taint_test.py:32 |
-| ERROR, you should add `# $ MISSING: tainted` annotation | taint_test.py:37:24:37:40 | taint_test.py:37 |
+| taint_test.py:32:9:32:25 | taint_test.py:32 | ERROR, you should add `# $ MISSING: tainted` annotation |
+| taint_test.py:37:24:37:40 | taint_test.py:37 | ERROR, you should add `# $ MISSING: tainted` annotation |
 failures
 | taint_test.py:41:20:41:21 | ts | Fixed missing result:tainted= |

From 8296abcea84e89166608fa603025101c4c8eca47 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Mon, 19 Apr 2021 20:59:47 +0800
Subject: [PATCH 0468/1429] Fix Modify the ql query (the qhelp part is not
 modified).

---
 .../CWE/CWE-348/UseOfLessTrustedSource.java   |  38 +++--
 .../CWE/CWE-348/UseOfLessTrustedSource.qhelp  |   9 +-
 .../CWE/CWE-348/UseOfLessTrustedSource.ql     |  27 ++--
 .../CWE/CWE-348/UseOfLessTrustedSourceLib.qll | 146 +++++++++++-------
 .../CWE-348/UseOfLessTrustedSource.expected   |  56 +++++--
 .../CWE-348/UseOfLessTrustedSource.java       |  38 +++--
 .../query-tests/security/CWE-348/options      |   3 +-
 .../beans/factory/annotation/Autowired.java   |  14 ++
 8 files changed, 213 insertions(+), 118 deletions(-)
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/beans/factory/annotation/Autowired.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java
index d338134ed3e..22d7100223c 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java
@@ -2,6 +2,7 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -11,24 +12,13 @@ public class UseOfLessTrustedSource {
 
     private static final Logger log = LoggerFactory.getLogger(UseOfLessTrustedSource.class);
 
-    @GetMapping(value = "bad1")
-    @ResponseBody
-    public String bad1(HttpServletRequest request) {
-        String remoteAddr = "";
-        if (request != null) {
-            remoteAddr = request.getHeader("X-FORWARDED-FOR");
-            remoteAddr = remoteAddr.split(",")[0];
-            if (remoteAddr == null || "".equals(remoteAddr)) {
-                remoteAddr = request.getRemoteAddr();
-            }
-        }
-        return remoteAddr;
-    }
+    @Autowired
+    private HttpServletRequest request;
 
-    @GetMapping(value = "bad2")
-    public void bad2(HttpServletRequest request) {
+    @GetMapping(value = "bad1")
+    public void bad1(HttpServletRequest request) {
         String ip = request.getHeader("X-Forwarded-For");
-        
+
         log.debug("getClientIP header X-Forwarded-For:{}", ip);
 
         if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
@@ -58,6 +48,14 @@ public class UseOfLessTrustedSource {
         System.out.println("client ip is: " + ip);
     }
 
+    @GetMapping(value = "bad2")
+    public void bad2(HttpServletRequest request) {
+        String ip = getClientIP();
+        if (!StringUtils.startsWith(ip, "192.168.")) {
+            new Exception("ip illegal");
+        }
+    }
+
     @GetMapping(value = "good1")
     @ResponseBody
     public String good1(HttpServletRequest request) {
@@ -71,4 +69,12 @@ public class UseOfLessTrustedSource {
         }
         return remoteAddr;
     }
+
+    protected String getClientIP() {
+        String xfHeader = request.getHeader("X-Forwarded-For");
+        if (xfHeader == null) {
+            return request.getRemoteAddr();
+        }
+        return xfHeader.split(",")[0];
+    }
 }
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
index 1c3a4485cbd..6b2eb2e7eed 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
@@ -24,14 +24,11 @@ and get the last value of the split array.</p>
 </example>
 <references>
 
-<li>Prevent IP address spoofing with X-Forwarded-For header when using AWS ELB and Clojure Ring: 
-<a href="https://www.dennis-schneider.com/blog/prevent-ip-address-spoofing-with-x-forwarded-for-header-and-aws-elb-in-clojure-ring/">
-Prevent IP address spoofing with...</a>
+<li>Dennis Schneider: <a href="https://www.dennis-schneider.com/blog/prevent-ip-address-spoofing-with-x-forwarded-for-header-and-aws-elb-in-clojure-ring/">
+Prevent IP address spoofing with X-Forwarded-For header when using AWS ELB and Clojure Ring</a>
 </li>
 
-<li>Security Rule Zero: A Warning about X-Forwarded-For: 
-<a href="https://www.f5.com/company/blog/security-rule-zero-a-warning-about-x-forwarded-for">
-Security Rule Zero: A Warning about X-Forwarded-For</a>
+<li>Security Rule Zero: <a href="https://www.f5.com/company/blog/security-rule-zero-a-warning-about-x-forwarded-for">A Warning about X-Forwarded-For</a>
 </li>
 
 </references>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
index 15d665d37ab..3c3feeb8f03 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
@@ -1,20 +1,23 @@
 /**
- * @name X-Forwarded-For spoofing
+ * @name IP address spoofing
  * @description The software obtains the client ip through `X-Forwarded-For`,
  *              and the attacker can modify the value of `X-Forwarded-For` to forge the ip.
  * @kind path-problem
  * @problem.severity error
  * @precision high
- * @id java/use-of-less-trusted-source
+ * @id java/ip-address-spoofing
  * @tags security
  *       external/cwe/cwe-348
  */
 
 import java
 import UseOfLessTrustedSourceLib
+import semmle.code.java.dataflow.DataFlow2
+import semmle.code.java.dataflow.TaintTracking2
 import semmle.code.java.dataflow.FlowSources
 import DataFlow::PathGraph
 
+/** Taint-tracking configuration tracing flow from get method request sources to output jsonp data. */
 class UseOfLessTrustedSourceConfig extends TaintTracking::Configuration {
   UseOfLessTrustedSourceConfig() { this = "UseOfLessTrustedSourceConfig" }
 
@@ -23,22 +26,26 @@ class UseOfLessTrustedSourceConfig extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof UseOfLessTrustedSink }
 
   /**
-   * When using `,` split request data and not taking the first value of
-   *  the array, it is considered as `good`.
+   * When using `,` split request data and not taking the first value of the array, it is considered as `good`.
    */
   override predicate isSanitizer(DataFlow::Node node) {
     exists(ArrayAccess aa, MethodAccess ma | aa.getArray() = ma |
       ma.getQualifier() = node.asExpr() and
       ma.getMethod() instanceof SplitMethod and
-      not aa.getIndexExpr().toString() = "0"
+      not aa.getIndexExpr().(CompileTimeConstantExpr).getIntValue() = 0
+    )
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node prod, DataFlow::Node succ) {
+    exists(MethodAccess ma |
+      ma.getAnArgument() = prod.asExpr() and
+      ma = succ.asExpr() and
+      ma.getMethod().getReturnType() instanceof BooleanType
     )
   }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, UseOfLessTrustedSourceConfig conf
-where
-  conf.hasFlowPath(source, sink) and
-  source.getNode().getEnclosingCallable() = sink.getNode().getEnclosingCallable() and
-  xffIsFirstGet(source.getNode())
-select sink.getNode(), source, sink, "X-Forwarded-For spoofing might include code from $@.",
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "IP address spoofing might include code from $@.",
   source.getNode(), "this user input"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
index 0598f843840..ac72be64f5d 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
@@ -1,24 +1,105 @@
 import java
 import DataFlow
-import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.TaintTracking2
+import semmle.code.java.security.QueryInjection
 import experimental.semmle.code.java.Logging
 
-/** A data flow source of the value of the `x-forwarded-for` field in the `header`. */
+/**
+ * A data flow source of the client ip obtained according to the remote endpoint identifier specified
+ * in the header (`X-Forwarded-For`, `X-Real-IP`, `Proxy-Client-IP`, etc.).
+ *
+ * For example: `ServletRequest.getHeader("X-Forwarded-For")`.
+ */
 class UseOfLessTrustedSource extends DataFlow::Node {
   UseOfLessTrustedSource() {
     exists(MethodAccess ma |
       ma.getMethod().hasName("getHeader") and
-      ma.getArgument(0).toString().toLowerCase() = "\"x-forwarded-for\"" and
+      ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
+          "x-forwarded-for", "x-real-ip", "proxy-client-ip", "wl-proxy-client-ip",
+          "http_x_forwarded_for", "http_x_forwarded", "http_x_cluster_client_ip", "http_client_ip",
+          "http_forwarded_for", "http_forwarded", "http_via", "remote_addr"
+        ] and
       ma = this.asExpr()
     )
   }
 }
 
-/** A data flow sink of method return or log output or local print. */
-class UseOfLessTrustedSink extends DataFlow::Node {
-  UseOfLessTrustedSink() {
-    exists(ReturnStmt rs | rs.getResult() = this.asExpr())
-    or
+/** A data flow sink for ip address forgery vulnerabilities. */
+abstract class UseOfLessTrustedSink extends DataFlow::Node { }
+
+/**
+ * A data flow sink for the if condition, which does not include the null judgment of the remote client ip address.
+ *
+ * For example: `if (!StringUtils.startsWith(ipAddr, "192.168.")){...` determine whether the client ip starts
+ * with `192.168.`, and the program can be deceived by forging the ip address.
+ * `if (remoteAddr == null || "".equals(remoteAddr)) {...` judging whether the client ip is a null value,
+ * it needs to be excluded
+ */
+private class IfConditionSink extends UseOfLessTrustedSink {
+  IfConditionSink() {
+    exists(IfStmt is |
+      is.getCondition() = this.asExpr() and
+      not exists(EQExpr eqe |
+        eqe.getAnOperand() instanceof NullLiteral and
+        is.getCondition() = eqe.getParent*()
+      ) and
+      not exists(NEExpr nee |
+        nee.getAnOperand() instanceof NullLiteral and
+        is.getCondition() = nee.getParent*()
+      ) and
+      not exists(MethodAccess ma |
+        ma.getMethod().hasName("equals") and
+        ma.getMethod().getNumberOfParameters() = 1 and
+        (
+          ma.getQualifier().(CompileTimeConstantExpr).getStringValue() = "" or
+          ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = ""
+        ) and
+        is.getCondition() = ma.getParent*()
+      ) and
+      not exists(MethodAccess ma |
+        ma.getMethod().hasName("equalsIgnoreCase") and
+        ma.getMethod().getNumberOfParameters() = 1 and
+        (
+          ma.getQualifier().(CompileTimeConstantExpr).getStringValue() = "unknown" or
+          ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "unknown"
+        ) and
+        is.getCondition() = ma.getParent*()
+      ) and
+      not exists(MethodAccess ma |
+        ma.getMethod().getName() in ["isEmpty", "isNotEmpty"] and
+        ma.getMethod().getNumberOfParameters() = 1 and
+        is.getCondition() = ma.getParent*()
+      ) and
+      not exists(MethodAccess ma |
+        (
+          ma.getMethod().hasQualifiedName("org.apache.commons.lang3", "StringUtils", "isBlank") or
+          ma.getMethod().hasQualifiedName("org.apache.commons.lang3", "StringUtils", "isNotBlank")
+        ) and
+        is.getCondition() = ma.getParent*()
+      ) and
+      not exists(MethodAccess ma |
+        ma.getMethod()
+            .hasQualifiedName("org.apache.commons.lang3", "StringUtils", "equalsIgnoreCase") and
+        ma.getAnArgument().(CompileTimeConstantExpr).getStringValue() = "unknown" and
+        is.getCondition() = ma.getParent*()
+      )
+    )
+  }
+}
+
+/** A data flow sink for sql operation. */
+private class SqlOperationSink extends UseOfLessTrustedSink {
+  SqlOperationSink() { this instanceof QueryInjectionSink }
+}
+
+/** A data flow sink for log operation. */
+private class LogOperationSink extends UseOfLessTrustedSink {
+  LogOperationSink() { exists(LoggingCall lc | lc.getAnArgument() = this.asExpr()) }
+}
+
+/** A data flow sink for local output. */
+private class PrintSink extends UseOfLessTrustedSink {
+  PrintSink() {
     exists(MethodAccess ma |
       ma.getMethod().getName() in ["print", "println"] and
       (
@@ -27,8 +108,6 @@ class UseOfLessTrustedSink extends DataFlow::Node {
       ) and
       ma.getAnArgument() = this.asExpr()
     )
-    or
-    exists(LoggingCall lc | lc.getAnArgument() = this.asExpr())
   }
 }
 
@@ -39,50 +118,3 @@ class SplitMethod extends Method {
     this.hasQualifiedName("java.lang", "String", "split")
   }
 }
-
-/**
- * A call to the ServletRequest.getHeader method and the argument are
- * `wl-proxy-client-ip`/`proxy-client-ip`/`http_client_ip`/`http_x_forwarded_for`/`x-real-ip`.
- */
-class HeaderIpCall extends MethodAccess {
-  HeaderIpCall() {
-    this.getMethod().hasName("getHeader") and
-    this.getMethod()
-        .getDeclaringType()
-        .getASupertype*()
-        .hasQualifiedName("javax.servlet", "ServletRequest") and
-    this.getArgument(0).toString().toLowerCase() in [
-        "\"wl-proxy-client-ip\"", "\"proxy-client-ip\"", "\"http_client_ip\"",
-        "\"http_x_forwarded_for\"", "\"x-real-ip\""
-      ]
-  }
-}
-
-/** A call to `ServletRequest.getRemoteAddr` method. */
-class RemoteAddrCall extends MethodAccess {
-  RemoteAddrCall() {
-    this.getMethod().hasName("getRemoteAddr") and
-    this.getMethod()
-        .getDeclaringType()
-        .getASupertype*()
-        .hasQualifiedName("javax.servlet", "ServletRequest")
-  }
-}
-
-/** The first one in the method to get the ip value through `x-forwarded-for`. */
-predicate xffIsFirstGet(Node node) {
-  exists(HeaderIpCall hic |
-    node.getEnclosingCallable() = hic.getEnclosingCallable() and
-    node.getLocation().getEndLine() < hic.getLocation().getEndLine()
-  )
-  or
-  exists(RemoteAddrCall rac |
-    node.getEnclosingCallable() = rac.getEnclosingCallable() and
-    node.getLocation().getEndLine() < rac.getLocation().getEndLine()
-  )
-  or
-  not exists(HeaderIpCall hic, RemoteAddrCall rac |
-    node.getEnclosingCallable() = hic.getEnclosingCallable() and
-    node.getEnclosingCallable() = rac.getEnclosingCallable()
-  )
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected
index a71ad9629ce..65bbc8d218b 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected
@@ -1,14 +1,48 @@
 edges
-| UseOfLessTrustedSource.java:19:26:19:61 | getHeader(...) : String | UseOfLessTrustedSource.java:25:16:25:25 | remoteAddr |
-| UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) : String | UseOfLessTrustedSource.java:32:60:32:61 | ip |
-| UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) : String | UseOfLessTrustedSource.java:58:28:58:48 | ... + ... |
+| UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) : String | UseOfLessTrustedSource.java:22:60:22:61 | ip |
+| UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
+| UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) : String | UseOfLessTrustedSource.java:26:64:26:65 | ip |
+| UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
+| UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) : String | UseOfLessTrustedSource.java:30:67:30:68 | ip |
+| UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
+| UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) : String | UseOfLessTrustedSource.java:34:63:34:64 | ip |
+| UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
+| UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) : String | UseOfLessTrustedSource.java:38:69:38:70 | ip |
+| UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
+| UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | UseOfLessTrustedSource.java:42:58:42:59 | ip |
+| UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
+| UseOfLessTrustedSource.java:53:21:53:33 | getClientIP(...) : String | UseOfLessTrustedSource.java:54:13:54:51 | !... |
+| UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) : String | UseOfLessTrustedSource.java:78:16:78:37 | ...[...] : String |
+| UseOfLessTrustedSource.java:78:16:78:37 | ...[...] : String | UseOfLessTrustedSource.java:53:21:53:33 | getClientIP(...) : String |
 nodes
-| UseOfLessTrustedSource.java:19:26:19:61 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| UseOfLessTrustedSource.java:25:16:25:25 | remoteAddr | semmle.label | remoteAddr |
-| UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| UseOfLessTrustedSource.java:32:60:32:61 | ip | semmle.label | ip |
-| UseOfLessTrustedSource.java:58:28:58:48 | ... + ... | semmle.label | ... + ... |
+| UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| UseOfLessTrustedSource.java:22:60:22:61 | ip | semmle.label | ip |
+| UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| UseOfLessTrustedSource.java:26:64:26:65 | ip | semmle.label | ip |
+| UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| UseOfLessTrustedSource.java:30:67:30:68 | ip | semmle.label | ip |
+| UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| UseOfLessTrustedSource.java:34:63:34:64 | ip | semmle.label | ip |
+| UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| UseOfLessTrustedSource.java:38:69:38:70 | ip | semmle.label | ip |
+| UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| UseOfLessTrustedSource.java:42:58:42:59 | ip | semmle.label | ip |
+| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | semmle.label | ... + ... |
+| UseOfLessTrustedSource.java:53:21:53:33 | getClientIP(...) : String | semmle.label | getClientIP(...) : String |
+| UseOfLessTrustedSource.java:54:13:54:51 | !... | semmle.label | !... |
+| UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| UseOfLessTrustedSource.java:78:16:78:37 | ...[...] : String | semmle.label | ...[...] : String |
 #select
-| UseOfLessTrustedSource.java:25:16:25:25 | remoteAddr | UseOfLessTrustedSource.java:19:26:19:61 | getHeader(...) : String | UseOfLessTrustedSource.java:25:16:25:25 | remoteAddr | X-Forwarded-For spoofing might include code from $@. | UseOfLessTrustedSource.java:19:26:19:61 | getHeader(...) | this user input |
-| UseOfLessTrustedSource.java:32:60:32:61 | ip | UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) : String | UseOfLessTrustedSource.java:32:60:32:61 | ip | X-Forwarded-For spoofing might include code from $@. | UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) | this user input |
-| UseOfLessTrustedSource.java:58:28:58:48 | ... + ... | UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) : String | UseOfLessTrustedSource.java:58:28:58:48 | ... + ... | X-Forwarded-For spoofing might include code from $@. | UseOfLessTrustedSource.java:30:21:30:56 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:22:60:22:61 | ip | UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) : String | UseOfLessTrustedSource.java:22:60:22:61 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:26:64:26:65 | ip | UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) : String | UseOfLessTrustedSource.java:26:64:26:65 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:30:67:30:68 | ip | UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) : String | UseOfLessTrustedSource.java:30:67:30:68 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:34:63:34:64 | ip | UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) : String | UseOfLessTrustedSource.java:34:63:34:64 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:38:69:38:70 | ip | UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) : String | UseOfLessTrustedSource.java:38:69:38:70 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:42:58:42:59 | ip | UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | UseOfLessTrustedSource.java:42:58:42:59 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:54:13:54:51 | !... | UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) : String | UseOfLessTrustedSource.java:54:13:54:51 | !... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java
index d338134ed3e..22d7100223c 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java
@@ -2,6 +2,7 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -11,24 +12,13 @@ public class UseOfLessTrustedSource {
 
     private static final Logger log = LoggerFactory.getLogger(UseOfLessTrustedSource.class);
 
-    @GetMapping(value = "bad1")
-    @ResponseBody
-    public String bad1(HttpServletRequest request) {
-        String remoteAddr = "";
-        if (request != null) {
-            remoteAddr = request.getHeader("X-FORWARDED-FOR");
-            remoteAddr = remoteAddr.split(",")[0];
-            if (remoteAddr == null || "".equals(remoteAddr)) {
-                remoteAddr = request.getRemoteAddr();
-            }
-        }
-        return remoteAddr;
-    }
+    @Autowired
+    private HttpServletRequest request;
 
-    @GetMapping(value = "bad2")
-    public void bad2(HttpServletRequest request) {
+    @GetMapping(value = "bad1")
+    public void bad1(HttpServletRequest request) {
         String ip = request.getHeader("X-Forwarded-For");
-        
+
         log.debug("getClientIP header X-Forwarded-For:{}", ip);
 
         if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
@@ -58,6 +48,14 @@ public class UseOfLessTrustedSource {
         System.out.println("client ip is: " + ip);
     }
 
+    @GetMapping(value = "bad2")
+    public void bad2(HttpServletRequest request) {
+        String ip = getClientIP();
+        if (!StringUtils.startsWith(ip, "192.168.")) {
+            new Exception("ip illegal");
+        }
+    }
+
     @GetMapping(value = "good1")
     @ResponseBody
     public String good1(HttpServletRequest request) {
@@ -71,4 +69,12 @@ public class UseOfLessTrustedSource {
         }
         return remoteAddr;
     }
+
+    protected String getClientIP() {
+        String xfHeader = request.getHeader("X-Forwarded-For");
+        if (xfHeader == null) {
+            return request.getRemoteAddr();
+        }
+        return xfHeader.split(",")[0];
+    }
 }
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/options b/java/ql/test/experimental/query-tests/security/CWE-348/options
index 40bcee8c133..7edf075ba8e 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-348/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-348/options
@@ -1,2 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.2.3/:${tes
-tdir}/../../../../stubs/slf4j-api-1.6.4/:${testdir}/../../../../stubs/apache-commons-lang3-3.7/
\ No newline at end of file
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.2.3/:${testdir}/../../../../stubs/slf4j-api-1.6.4/:${testdir}/../../../../stubs/apache-commons-lang3-3.7/
\ No newline at end of file
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/beans/factory/annotation/Autowired.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/beans/factory/annotation/Autowired.java
new file mode 100644
index 00000000000..8fcef979360
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/beans/factory/annotation/Autowired.java
@@ -0,0 +1,14 @@
+package org.springframework.beans.factory.annotation;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target({ElementType.CONSTRUCTOR, ElementType.METHOD, ElementType.PARAMETER, ElementType.FIELD, ElementType.ANNOTATION_TYPE})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface Autowired {
+    boolean required() default true;
+}
\ No newline at end of file

From d607c13ab61a7de905c6ebc91c27644c553b259a Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 19 Apr 2021 15:01:10 +0200
Subject: [PATCH 0469/1429] Python: Taint tests: include elment for forgotten
 MISSING

---
 python/ql/test/experimental/meta/InlineTaintTest.qll         | 5 ++++-
 .../meta/inline-taint-test-demo/InlineTaintTest.expected     | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/python/ql/test/experimental/meta/InlineTaintTest.qll b/python/ql/test/experimental/meta/InlineTaintTest.qll
index a5e5d14994f..dd0865adc4b 100644
--- a/python/ql/test/experimental/meta/InlineTaintTest.qll
+++ b/python/ql/test/experimental/meta/InlineTaintTest.qll
@@ -78,10 +78,13 @@ query predicate argumentToEnsureNotTaintedNotMarkedAsSpurious(
   )
 }
 
-query predicate untaintedArgumentToEnsureTaintedNotMarkedAsMissing(Location location, string error) {
+query predicate untaintedArgumentToEnsureTaintedNotMarkedAsMissing(
+  Location location, string error, string element
+) {
   error = "ERROR, you should add `# $ MISSING: tainted` annotation" and
   exists(DataFlow::Node sink |
     sink = shouldBeTainted() and
+    element = prettyExp(sink.asExpr()) and
     not any(TestTaintTrackingConfiguration config).hasFlow(_, sink) and
     location = sink.getLocation() and
     not exists(FalseNegativeExpectation missingResult |
diff --git a/python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.expected b/python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.expected
index a547545f38a..745561a5e65 100644
--- a/python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.expected
+++ b/python/ql/test/experimental/meta/inline-taint-test-demo/InlineTaintTest.expected
@@ -1,7 +1,7 @@
 argumentToEnsureNotTaintedNotMarkedAsSpurious
 | taint_test.py:48:9:48:29 | taint_test.py:48 | ERROR, you should add `SPURIOUS:` to this annotation | should_not_be_tainted |
 untaintedArgumentToEnsureTaintedNotMarkedAsMissing
-| taint_test.py:32:9:32:25 | taint_test.py:32 | ERROR, you should add `# $ MISSING: tainted` annotation |
-| taint_test.py:37:24:37:40 | taint_test.py:37 | ERROR, you should add `# $ MISSING: tainted` annotation |
+| taint_test.py:32:9:32:25 | taint_test.py:32 | ERROR, you should add `# $ MISSING: tainted` annotation | should_be_tainted |
+| taint_test.py:37:24:37:40 | taint_test.py:37 | ERROR, you should add `# $ MISSING: tainted` annotation | should_be_tainted |
 failures
 | taint_test.py:41:20:41:21 | ts | Fixed missing result:tainted= |

From 15e4b7f95d68d56c4ffef29111f5b69e16219e39 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 19 Apr 2021 13:34:02 +0200
Subject: [PATCH 0470/1429] C#: Remove CP from
 `HardcodedCredentials::getCredentialSink`

---
 .../dataflow/HardcodedCredentials.qll         | 37 ++++++++++++-------
 1 file changed, 23 insertions(+), 14 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/HardcodedCredentials.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/HardcodedCredentials.qll
index 4538f09e2c0..0ffabe60588 100644
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/HardcodedCredentials.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/HardcodedCredentials.qll
@@ -111,13 +111,24 @@ module HardcodedCredentials {
   }
 
   /**
-   * Gets a regular expression for matching names of locations (variables, parameters, keys) that
-   * indicate the value being held is a credential.
+   * An assignable whose name indicates that the value being held is a credential.
    */
-  private string getACredentialRegex() {
-    result = "(?i).*pass(wd|word|code|phrase)(?!.*question).*" or
-    result = "(?i).*(puid|username|userid).*" or
-    result = "(?i).*(cert)(?!.*(format|name)).*"
+  private class CredentialVar extends Assignable {
+    pragma[noinline]
+    CredentialVar() {
+      exists(string name | name = this.getName() |
+        name.regexpMatch("(?i).*pass(wd|word|code|phrase)(?!.*question).*")
+        or
+        name.regexpMatch("(?i).*(puid|username|userid).*")
+        or
+        name.regexpMatch("(?i).*(cert)(?!.*(format|name)).*")
+      )
+    }
+  }
+
+  private class CredentialVariableAccess extends VariableAccess {
+    pragma[noinline]
+    CredentialVariableAccess() { this.getTarget() instanceof CredentialVar }
   }
 
   /**
@@ -128,11 +139,11 @@ module HardcodedCredentials {
   ) {
     // An argument to a library call that looks like a credential
     // "...flows to the [Username] parameter in [call to method CreateUser]"
-    exists(Call call |
+    exists(Call call, CredentialVar param |
       supplementaryElement = call and
       description = "the $@ parameter in $@" and
-      sink = call.getArgumentForName(sinkName) and
-      sinkName.regexpMatch(getACredentialRegex()) and
+      sink = call.getArgumentForParameter(param) and
+      sinkName = param.getName() and
       call.getTarget().fromLibrary()
     )
     or
@@ -144,22 +155,20 @@ module HardcodedCredentials {
       description = "the $@ in $@" and
       sink = call.getArgument(0) and
       sinkName = "setter call argument" and
-      p.getName().regexpMatch(getACredentialRegex()) and
+      p instanceof CredentialVar and
       p.fromLibrary()
     )
     or
     // Sink compared to password variable
     // "...flows to [] which is compared against [access of UserName]"
-    exists(ComparisonTest ct, VariableAccess credentialAccess, string varName |
+    exists(ComparisonTest ct, CredentialVariableAccess credentialAccess |
       sinkName = sink.toString() and
       supplementaryElement = credentialAccess and
       description = "$@ which is compared against $@" and
       ct.getAnArgument() = credentialAccess and
       ct.getAnArgument() = sink and
       ct.getComparisonKind().isEquality() and
-      not sink = credentialAccess and
-      varName = credentialAccess.getTarget().getName() and
-      varName.regexpMatch(getACredentialRegex())
+      not sink = credentialAccess
     )
   }
 

From 80eb0a2df680c52929241d30a6d4223b5c97a0d9 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
Date: Mon, 19 Apr 2021 15:45:58 +0200
Subject: [PATCH 0471/1429] Apply suggestions from code review

Co-authored-by: Chris Smowton <smowton@github.com>
---
 java/ql/src/semmle/code/java/dataflow/FlowSummary.qll           | 2 +-
 java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/FlowSummary.qll b/java/ql/src/semmle/code/java/dataflow/FlowSummary.qll
index e53a4fc5630..0f222d5caa2 100644
--- a/java/ql/src/semmle/code/java/dataflow/FlowSummary.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSummary.qll
@@ -7,7 +7,7 @@ private import internal.FlowSummaryImpl as Impl
 private import internal.DataFlowDispatch
 private import internal.DataFlowPrivate
 
-// import all instances below
+// import all instances of SummarizedCallable below
 private module Summaries {
   private import semmle.code.java.dataflow.ExternalFlow
 }
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
index 64e245e1c60..47743caf668 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
@@ -156,7 +156,7 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {
   // to B as well. As an example, this simplifies modeling of fluent methods:
   // for `StringBuilder.append(x)` with a specified value flow from qualifier to
   // return value and taint flow from argument 0 to the qualifier, then this
-  // allows the inferral of taint flow from argument 0 to the return value.
+  // allows us to infer taint flow from argument 0 to the return value.
   node1.(SummaryNode).(PostUpdateNode).getPreUpdateNode().(ParameterNode) = node2
 }
 

From 9128ec72ad6ce2b22fa6467fc5c5800ae97417e2 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 19 Apr 2021 12:51:28 +0200
Subject: [PATCH 0472/1429] C#: A few minor SSA performance tweaks

---
 .../code/cil/internal/SsaImplCommon.qll       | 42 +++++++++++++------
 .../internal/pressa/SsaImplCommon.qll         | 42 +++++++++++++------
 .../dataflow/internal/SsaImplCommon.qll       | 42 +++++++++++++------
 .../internal/basessa/SsaImplCommon.qll        | 42 +++++++++++++------
 4 files changed, 120 insertions(+), 48 deletions(-)

diff --git a/csharp/ql/src/semmle/code/cil/internal/SsaImplCommon.qll b/csharp/ql/src/semmle/code/cil/internal/SsaImplCommon.qll
index f828419a440..f37a4f2d074 100644
--- a/csharp/ql/src/semmle/code/cil/internal/SsaImplCommon.qll
+++ b/csharp/ql/src/semmle/code/cil/internal/SsaImplCommon.qll
@@ -316,6 +316,15 @@ private module SsaDefReaches {
     )
   }
 
+  /**
+   * Holds if the reference to `def` at index `i` in basic block `bb` is the
+   * last reference to `v` inside `bb`.
+   */
+  pragma[noinline]
+  predicate lastSsaRef(Definition def, SourceVariable v, BasicBlock bb, int i) {
+    ssaDefRank(def, v, bb, i, _) = maxSsaRefRank(bb, v)
+  }
+
   predicate defOccursInBlock(Definition def, BasicBlock bb, SourceVariable v) {
     exists(ssaDefRank(def, v, bb, _, _))
   }
@@ -351,8 +360,7 @@ private module SsaDefReaches {
    */
   predicate defAdjacentRead(Definition def, BasicBlock bb1, BasicBlock bb2, int i2) {
     varBlockReaches(def, bb1, bb2) and
-    ssaRefRank(bb2, i2, def.getSourceVariable(), SsaRead()) = 1 and
-    variableRead(bb2, i2, _, _)
+    ssaRefRank(bb2, i2, def.getSourceVariable(), SsaRead()) = 1
   }
 }
 
@@ -434,15 +442,22 @@ predicate adjacentDefRead(Definition def, BasicBlock bb1, int i1, BasicBlock bb2
     bb2 = bb1
   )
   or
-  exists(SourceVariable v | ssaDefRank(def, v, bb1, i1, _) = maxSsaRefRank(bb1, v)) and
+  lastSsaRef(def, _, bb1, i1) and
   defAdjacentRead(def, bb1, bb2, i2)
 }
 
+pragma[noinline]
+private predicate adjacentDefRead(
+  Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2, SourceVariable v
+) {
+  adjacentDefRead(def, bb1, i1, bb2, i2) and
+  v = def.getSourceVariable()
+}
+
 private predicate adjacentDefReachesRead(
   Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2
 ) {
-  adjacentDefRead(def, bb1, i1, bb2, i2) and
-  exists(SourceVariable v | v = def.getSourceVariable() |
+  exists(SourceVariable v | adjacentDefRead(def, bb1, i1, bb2, i2, v) |
     ssaRef(bb1, i1, v, SsaDef())
     or
     variableRead(bb1, i1, v, true)
@@ -475,17 +490,19 @@ predicate adjacentDefNoUncertainReads(Definition def, BasicBlock bb1, int i1, Ba
  */
 pragma[nomagic]
 predicate lastRefRedef(Definition def, BasicBlock bb, int i, Definition next) {
-  exists(int rnk, SourceVariable v, int j | rnk = ssaDefRank(def, v, bb, i, _) |
+  exists(SourceVariable v |
     // Next reference to `v` inside `bb` is a write
-    next.definesAt(v, bb, j) and
-    rnk + 1 = ssaRefRank(bb, j, v, SsaDef())
+    exists(int rnk, int j |
+      rnk = ssaDefRank(def, v, bb, i, _) and
+      next.definesAt(v, bb, j) and
+      rnk + 1 = ssaRefRank(bb, j, v, SsaDef())
+    )
     or
     // Can reach a write using one or more steps
-    rnk = maxSsaRefRank(bb, v) and
+    lastSsaRef(def, v, bb, i) and
     exists(BasicBlock bb2 |
       varBlockReaches(def, bb, bb2) and
-      next.definesAt(v, bb2, j) and
-      1 = ssaRefRank(bb2, j, v, SsaDef())
+      1 = ssaDefRank(next, v, bb2, _, SsaDef())
     )
   )
 }
@@ -539,7 +556,8 @@ pragma[nomagic]
 predicate lastRef(Definition def, BasicBlock bb, int i) {
   lastRefRedef(def, bb, i, _)
   or
-  exists(SourceVariable v | ssaDefRank(def, v, bb, i, _) = maxSsaRefRank(bb, v) |
+  lastSsaRef(def, _, bb, i) and
+  (
     // Can reach exit directly
     bb instanceof ExitBasicBlock
     or
diff --git a/csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll b/csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll
index f828419a440..f37a4f2d074 100644
--- a/csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplCommon.qll
@@ -316,6 +316,15 @@ private module SsaDefReaches {
     )
   }
 
+  /**
+   * Holds if the reference to `def` at index `i` in basic block `bb` is the
+   * last reference to `v` inside `bb`.
+   */
+  pragma[noinline]
+  predicate lastSsaRef(Definition def, SourceVariable v, BasicBlock bb, int i) {
+    ssaDefRank(def, v, bb, i, _) = maxSsaRefRank(bb, v)
+  }
+
   predicate defOccursInBlock(Definition def, BasicBlock bb, SourceVariable v) {
     exists(ssaDefRank(def, v, bb, _, _))
   }
@@ -351,8 +360,7 @@ private module SsaDefReaches {
    */
   predicate defAdjacentRead(Definition def, BasicBlock bb1, BasicBlock bb2, int i2) {
     varBlockReaches(def, bb1, bb2) and
-    ssaRefRank(bb2, i2, def.getSourceVariable(), SsaRead()) = 1 and
-    variableRead(bb2, i2, _, _)
+    ssaRefRank(bb2, i2, def.getSourceVariable(), SsaRead()) = 1
   }
 }
 
@@ -434,15 +442,22 @@ predicate adjacentDefRead(Definition def, BasicBlock bb1, int i1, BasicBlock bb2
     bb2 = bb1
   )
   or
-  exists(SourceVariable v | ssaDefRank(def, v, bb1, i1, _) = maxSsaRefRank(bb1, v)) and
+  lastSsaRef(def, _, bb1, i1) and
   defAdjacentRead(def, bb1, bb2, i2)
 }
 
+pragma[noinline]
+private predicate adjacentDefRead(
+  Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2, SourceVariable v
+) {
+  adjacentDefRead(def, bb1, i1, bb2, i2) and
+  v = def.getSourceVariable()
+}
+
 private predicate adjacentDefReachesRead(
   Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2
 ) {
-  adjacentDefRead(def, bb1, i1, bb2, i2) and
-  exists(SourceVariable v | v = def.getSourceVariable() |
+  exists(SourceVariable v | adjacentDefRead(def, bb1, i1, bb2, i2, v) |
     ssaRef(bb1, i1, v, SsaDef())
     or
     variableRead(bb1, i1, v, true)
@@ -475,17 +490,19 @@ predicate adjacentDefNoUncertainReads(Definition def, BasicBlock bb1, int i1, Ba
  */
 pragma[nomagic]
 predicate lastRefRedef(Definition def, BasicBlock bb, int i, Definition next) {
-  exists(int rnk, SourceVariable v, int j | rnk = ssaDefRank(def, v, bb, i, _) |
+  exists(SourceVariable v |
     // Next reference to `v` inside `bb` is a write
-    next.definesAt(v, bb, j) and
-    rnk + 1 = ssaRefRank(bb, j, v, SsaDef())
+    exists(int rnk, int j |
+      rnk = ssaDefRank(def, v, bb, i, _) and
+      next.definesAt(v, bb, j) and
+      rnk + 1 = ssaRefRank(bb, j, v, SsaDef())
+    )
     or
     // Can reach a write using one or more steps
-    rnk = maxSsaRefRank(bb, v) and
+    lastSsaRef(def, v, bb, i) and
     exists(BasicBlock bb2 |
       varBlockReaches(def, bb, bb2) and
-      next.definesAt(v, bb2, j) and
-      1 = ssaRefRank(bb2, j, v, SsaDef())
+      1 = ssaDefRank(next, v, bb2, _, SsaDef())
     )
   )
 }
@@ -539,7 +556,8 @@ pragma[nomagic]
 predicate lastRef(Definition def, BasicBlock bb, int i) {
   lastRefRedef(def, bb, i, _)
   or
-  exists(SourceVariable v | ssaDefRank(def, v, bb, i, _) = maxSsaRefRank(bb, v) |
+  lastSsaRef(def, _, bb, i) and
+  (
     // Can reach exit directly
     bb instanceof ExitBasicBlock
     or
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll
index f828419a440..f37a4f2d074 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/SsaImplCommon.qll
@@ -316,6 +316,15 @@ private module SsaDefReaches {
     )
   }
 
+  /**
+   * Holds if the reference to `def` at index `i` in basic block `bb` is the
+   * last reference to `v` inside `bb`.
+   */
+  pragma[noinline]
+  predicate lastSsaRef(Definition def, SourceVariable v, BasicBlock bb, int i) {
+    ssaDefRank(def, v, bb, i, _) = maxSsaRefRank(bb, v)
+  }
+
   predicate defOccursInBlock(Definition def, BasicBlock bb, SourceVariable v) {
     exists(ssaDefRank(def, v, bb, _, _))
   }
@@ -351,8 +360,7 @@ private module SsaDefReaches {
    */
   predicate defAdjacentRead(Definition def, BasicBlock bb1, BasicBlock bb2, int i2) {
     varBlockReaches(def, bb1, bb2) and
-    ssaRefRank(bb2, i2, def.getSourceVariable(), SsaRead()) = 1 and
-    variableRead(bb2, i2, _, _)
+    ssaRefRank(bb2, i2, def.getSourceVariable(), SsaRead()) = 1
   }
 }
 
@@ -434,15 +442,22 @@ predicate adjacentDefRead(Definition def, BasicBlock bb1, int i1, BasicBlock bb2
     bb2 = bb1
   )
   or
-  exists(SourceVariable v | ssaDefRank(def, v, bb1, i1, _) = maxSsaRefRank(bb1, v)) and
+  lastSsaRef(def, _, bb1, i1) and
   defAdjacentRead(def, bb1, bb2, i2)
 }
 
+pragma[noinline]
+private predicate adjacentDefRead(
+  Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2, SourceVariable v
+) {
+  adjacentDefRead(def, bb1, i1, bb2, i2) and
+  v = def.getSourceVariable()
+}
+
 private predicate adjacentDefReachesRead(
   Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2
 ) {
-  adjacentDefRead(def, bb1, i1, bb2, i2) and
-  exists(SourceVariable v | v = def.getSourceVariable() |
+  exists(SourceVariable v | adjacentDefRead(def, bb1, i1, bb2, i2, v) |
     ssaRef(bb1, i1, v, SsaDef())
     or
     variableRead(bb1, i1, v, true)
@@ -475,17 +490,19 @@ predicate adjacentDefNoUncertainReads(Definition def, BasicBlock bb1, int i1, Ba
  */
 pragma[nomagic]
 predicate lastRefRedef(Definition def, BasicBlock bb, int i, Definition next) {
-  exists(int rnk, SourceVariable v, int j | rnk = ssaDefRank(def, v, bb, i, _) |
+  exists(SourceVariable v |
     // Next reference to `v` inside `bb` is a write
-    next.definesAt(v, bb, j) and
-    rnk + 1 = ssaRefRank(bb, j, v, SsaDef())
+    exists(int rnk, int j |
+      rnk = ssaDefRank(def, v, bb, i, _) and
+      next.definesAt(v, bb, j) and
+      rnk + 1 = ssaRefRank(bb, j, v, SsaDef())
+    )
     or
     // Can reach a write using one or more steps
-    rnk = maxSsaRefRank(bb, v) and
+    lastSsaRef(def, v, bb, i) and
     exists(BasicBlock bb2 |
       varBlockReaches(def, bb, bb2) and
-      next.definesAt(v, bb2, j) and
-      1 = ssaRefRank(bb2, j, v, SsaDef())
+      1 = ssaDefRank(next, v, bb2, _, SsaDef())
     )
   )
 }
@@ -539,7 +556,8 @@ pragma[nomagic]
 predicate lastRef(Definition def, BasicBlock bb, int i) {
   lastRefRedef(def, bb, i, _)
   or
-  exists(SourceVariable v | ssaDefRank(def, v, bb, i, _) = maxSsaRefRank(bb, v) |
+  lastSsaRef(def, _, bb, i) and
+  (
     // Can reach exit directly
     bb instanceof ExitBasicBlock
     or
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll
index f828419a440..f37a4f2d074 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/basessa/SsaImplCommon.qll
@@ -316,6 +316,15 @@ private module SsaDefReaches {
     )
   }
 
+  /**
+   * Holds if the reference to `def` at index `i` in basic block `bb` is the
+   * last reference to `v` inside `bb`.
+   */
+  pragma[noinline]
+  predicate lastSsaRef(Definition def, SourceVariable v, BasicBlock bb, int i) {
+    ssaDefRank(def, v, bb, i, _) = maxSsaRefRank(bb, v)
+  }
+
   predicate defOccursInBlock(Definition def, BasicBlock bb, SourceVariable v) {
     exists(ssaDefRank(def, v, bb, _, _))
   }
@@ -351,8 +360,7 @@ private module SsaDefReaches {
    */
   predicate defAdjacentRead(Definition def, BasicBlock bb1, BasicBlock bb2, int i2) {
     varBlockReaches(def, bb1, bb2) and
-    ssaRefRank(bb2, i2, def.getSourceVariable(), SsaRead()) = 1 and
-    variableRead(bb2, i2, _, _)
+    ssaRefRank(bb2, i2, def.getSourceVariable(), SsaRead()) = 1
   }
 }
 
@@ -434,15 +442,22 @@ predicate adjacentDefRead(Definition def, BasicBlock bb1, int i1, BasicBlock bb2
     bb2 = bb1
   )
   or
-  exists(SourceVariable v | ssaDefRank(def, v, bb1, i1, _) = maxSsaRefRank(bb1, v)) and
+  lastSsaRef(def, _, bb1, i1) and
   defAdjacentRead(def, bb1, bb2, i2)
 }
 
+pragma[noinline]
+private predicate adjacentDefRead(
+  Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2, SourceVariable v
+) {
+  adjacentDefRead(def, bb1, i1, bb2, i2) and
+  v = def.getSourceVariable()
+}
+
 private predicate adjacentDefReachesRead(
   Definition def, BasicBlock bb1, int i1, BasicBlock bb2, int i2
 ) {
-  adjacentDefRead(def, bb1, i1, bb2, i2) and
-  exists(SourceVariable v | v = def.getSourceVariable() |
+  exists(SourceVariable v | adjacentDefRead(def, bb1, i1, bb2, i2, v) |
     ssaRef(bb1, i1, v, SsaDef())
     or
     variableRead(bb1, i1, v, true)
@@ -475,17 +490,19 @@ predicate adjacentDefNoUncertainReads(Definition def, BasicBlock bb1, int i1, Ba
  */
 pragma[nomagic]
 predicate lastRefRedef(Definition def, BasicBlock bb, int i, Definition next) {
-  exists(int rnk, SourceVariable v, int j | rnk = ssaDefRank(def, v, bb, i, _) |
+  exists(SourceVariable v |
     // Next reference to `v` inside `bb` is a write
-    next.definesAt(v, bb, j) and
-    rnk + 1 = ssaRefRank(bb, j, v, SsaDef())
+    exists(int rnk, int j |
+      rnk = ssaDefRank(def, v, bb, i, _) and
+      next.definesAt(v, bb, j) and
+      rnk + 1 = ssaRefRank(bb, j, v, SsaDef())
+    )
     or
     // Can reach a write using one or more steps
-    rnk = maxSsaRefRank(bb, v) and
+    lastSsaRef(def, v, bb, i) and
     exists(BasicBlock bb2 |
       varBlockReaches(def, bb, bb2) and
-      next.definesAt(v, bb2, j) and
-      1 = ssaRefRank(bb2, j, v, SsaDef())
+      1 = ssaDefRank(next, v, bb2, _, SsaDef())
     )
   )
 }
@@ -539,7 +556,8 @@ pragma[nomagic]
 predicate lastRef(Definition def, BasicBlock bb, int i) {
   lastRefRedef(def, bb, i, _)
   or
-  exists(SourceVariable v | ssaDefRank(def, v, bb, i, _) = maxSsaRefRank(bb, v) |
+  lastSsaRef(def, _, bb, i) and
+  (
     // Can reach exit directly
     bb instanceof ExitBasicBlock
     or

From bc6685aa3f3f7cd2a6c9c3ace67e1466016070e4 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@gmail.com>
Date: Mon, 19 Apr 2021 19:57:35 +0200
Subject: [PATCH 0473/1429] Python: Fix typo

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
---
 python/ql/src/semmle/python/frameworks/Django.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index 4c9bbddd474..23c0a814a7a 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -646,7 +646,7 @@ private module PrivateDjango {
             result = http().getMember("HttpResponseRedirect")
           }
 
-          /** Gets a reference a subclass of the `django.http.response.HttpResponseRedirect` class. */
+          /** Gets a reference to a subclass of the `django.http.response.HttpResponseRedirect` class. */
           API::Node classRef() { result = baseClassRef().getASubclass*() }
 
           /**

From 87cd72496c40debd31d754bbfdfb7584a9dfb67a Mon Sep 17 00:00:00 2001
From: yo-h <55373593+yo-h@users.noreply.github.com>
Date: Mon, 19 Apr 2021 14:58:56 -0400
Subject: [PATCH 0474/1429] Java: add extractor `diagnostic` queries

---
 .../src/Diagnostics/DiagnosticsReporting.qll  | 70 +++++++++++++++++++
 java/ql/src/Diagnostics/ExtractionErrors.ql   | 13 ++++
 .../Diagnostics/SuccessfullyExtractedFiles.ql | 14 ++++
 3 files changed, 97 insertions(+)
 create mode 100644 java/ql/src/Diagnostics/DiagnosticsReporting.qll
 create mode 100644 java/ql/src/Diagnostics/ExtractionErrors.ql
 create mode 100644 java/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql

diff --git a/java/ql/src/Diagnostics/DiagnosticsReporting.qll b/java/ql/src/Diagnostics/DiagnosticsReporting.qll
new file mode 100644
index 00000000000..76ce4cdfd50
--- /dev/null
+++ b/java/ql/src/Diagnostics/DiagnosticsReporting.qll
@@ -0,0 +1,70 @@
+/**
+ * Provides classes and predicates for reporting extractor diagnostics to end users.
+ */
+
+import java
+
+/** Gets the SARIF severity level that indicates an error. */
+private int getErrorSeverity() { result = 2 }
+
+/** Gets the SARIF severity level that indicates a warning. */
+private int getWarnSeverity() { result = 1 }
+
+private predicate knownWarnings(@diagnostic d, string msg, int sev) {
+  exists(string filename |
+    diagnostics(d, 2, _, "Skipping Lombok-ed source file: " + filename, _, _) and
+    msg = "Use of Lombok detected. Skipping file: " + filename and
+    sev = getWarnSeverity()
+  )
+}
+
+private predicate knownErrors(@diagnostic d, string msg, int sev) {
+  exists(string numErr, Location l |
+    diagnostics(d, 6, _, numErr, _, l) and
+    msg = "Frontend errors in file: " + l.getFile().getAbsolutePath() + " (" + numErr + ")" and
+    sev = getErrorSeverity()
+  )
+  or
+  exists(string filename, Location l |
+    diagnostics(d, 7, _, "Exception compiling file " + filename, _, l) and
+    msg = "Extraction incomplete in file: " + filename and
+    sev = getErrorSeverity()
+  )
+  or
+  exists(string errMsg, Location l |
+    diagnostics(d, 8, _, errMsg, _, l) and
+    msg = "Severe error: " + errMsg and
+    sev = getErrorSeverity()
+  )
+}
+
+private predicate unknownErrors(@diagnostic d, string msg, int sev) {
+  not knownErrors(d, _, _) and
+  exists(Location l, File f, int diagSev |
+    diagnostics(d, diagSev, _, _, _, l) and l.getFile() = f and diagSev > 3
+  |
+    exists(f.getRelativePath()) and
+    msg = "Unknown errors in file: " + f.getAbsolutePath() + " (" + diagSev + ")" and
+    sev = getErrorSeverity()
+  )
+}
+
+/**
+ * Holds if an extraction error or warning occurred that should be reported to end users,
+ * with the error message `msg` and SARIF severity `sev`.
+ */
+predicate reportableDiagnostics(@diagnostic d, string msg, int sev) {
+  knownWarnings(d, msg, sev) or knownErrors(d, msg, sev) or unknownErrors(d, msg, sev)
+}
+
+/**
+ * Holds if compilation unit `f` is a source file that has
+ * no relevant extraction diagnostics associated with it.
+ */
+predicate successfullyExtracted(CompilationUnit f) {
+  not exists(@diagnostic d, Location l |
+    reportableDiagnostics(d, _, _) and diagnostics(d, _, _, _, _, l) and l.getFile() = f
+  ) and
+  exists(f.getRelativePath()) and
+  f.fromSource()
+}
diff --git a/java/ql/src/Diagnostics/ExtractionErrors.ql b/java/ql/src/Diagnostics/ExtractionErrors.ql
new file mode 100644
index 00000000000..8b045df256e
--- /dev/null
+++ b/java/ql/src/Diagnostics/ExtractionErrors.ql
@@ -0,0 +1,13 @@
+/**
+ * @name Extraction errors
+ * @description A list of extraction errors for files in the source code directory.
+ * @kind diagnostic
+ * @id java/diagnostics/extraction-errors
+ */
+
+import java
+import DiagnosticsReporting
+
+from string msg, int sev
+where reportableDiagnostics(_, msg, sev)
+select msg, sev
diff --git a/java/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql b/java/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
new file mode 100644
index 00000000000..161c9f17e42
--- /dev/null
+++ b/java/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
@@ -0,0 +1,14 @@
+/**
+ * @name Successfully extracted files
+ * @description A list of all files in the source code directory that
+ *              were extracted without encountering an error in the file.
+ * @kind diagnostic
+ * @id java/diagnostics/successfully-extracted-files
+ */
+
+import java
+import DiagnosticsReporting
+
+from CompilationUnit f
+where successfullyExtracted(f)
+select f, ""

From 00531588840481bfa6f67692e555d1203f09b359 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Tue, 20 Apr 2021 10:58:54 +0800
Subject: [PATCH 0475/1429] update qhelp file and ql comments

---
 .../CWE/CWE-348/UseOfLessTrustedSource.qhelp         | 12 +++++++-----
 .../Security/CWE/CWE-348/UseOfLessTrustedSource.ql   | 11 ++++++-----
 .../CWE/CWE-348/UseOfLessTrustedSourceLib.qll        |  3 +--
 3 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
index 6b2eb2e7eed..48923b85f02 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
@@ -3,8 +3,9 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>The software obtains the original client IP address through the http header <code>X-Forwarded-For</code>, which is used to ensure 
-security or track it in the log for statistical or other reasons. Attackers can use <code>X-Forwarded-For </code> Spoofing software.</p>
+<p>The software obtains the original client IP address through the http header (<code>X-Forwarded-For</code> or <code>X-Real-IP</code> or <code>Proxy-Client-IP</code> 
+etc.), which is used to ensure security or track it in the log for statistical or other reasons. Attackers can forge the value of these identifiers to attack the 
+software.</p>
 
 </overview>
 <recommendation>
@@ -15,9 +16,10 @@ security or track it in the log for statistical or other reasons. Attackers can
 <example>
 
 <p>The following examples show the bad case and the good case respectively. Bad case, such as <code>bad1</code> to <code>bad2</code>. 
-In the <code>bad1</code> method, the value of <code>X-Forwarded-For</code> in <code>header</code> is split, and the first value of 
-the split array is obtained. Good case, such as <code>good1</code>, split the value of <code>X-Forwarded-For</code> in <code>header</code> 
-and get the last value of the split array.</p>
+In the <code>bad1</code> method, obtain the client ip according to the specified identifier from the <code>header</code> for local 
+output and logging. In the <code>bad2</code> method, the client ip is obtained and judged according to the specified identifier 
+from the <code>header</code>. When used for permission verification, it can be bypassed by forging the ip. Good case, such as 
+<code>good1</code>, split the value of <code>X-Forwarded-For</code> in <code>header</code> and get the last value of the split array.</p>
 
 <sample src="UseOfLessTrustedSource.java" />
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
index 3c3feeb8f03..df019a7c765 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
@@ -1,7 +1,8 @@
 /**
  * @name IP address spoofing
- * @description The software obtains the client ip through `X-Forwarded-For`,
- *              and the attacker can modify the value of `X-Forwarded-For` to forge the ip.
+ * @description The software obtains the client ip from the remote endpoint identifier specified (`X-Forwarded-For`,
+ *              `X-Real-IP`, `Proxy-Client-IP`, etc.) in the header and uses it. Attackers can modify these The value
+ *              of the identifier to forge the client ip.
  * @kind path-problem
  * @problem.severity error
  * @precision high
@@ -12,12 +13,12 @@
 
 import java
 import UseOfLessTrustedSourceLib
-import semmle.code.java.dataflow.DataFlow2
-import semmle.code.java.dataflow.TaintTracking2
 import semmle.code.java.dataflow.FlowSources
 import DataFlow::PathGraph
 
-/** Taint-tracking configuration tracing flow from get method request sources to output jsonp data. */
+/**
+ * Taint-tracking configuration tracing flow from obtain client ip to use the client ip.
+ */
 class UseOfLessTrustedSourceConfig extends TaintTracking::Configuration {
   UseOfLessTrustedSourceConfig() { this = "UseOfLessTrustedSourceConfig" }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
index ac72be64f5d..64bf8438092 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
@@ -1,12 +1,11 @@
 import java
 import DataFlow
-import semmle.code.java.dataflow.TaintTracking2
 import semmle.code.java.security.QueryInjection
 import experimental.semmle.code.java.Logging
 
 /**
  * A data flow source of the client ip obtained according to the remote endpoint identifier specified
- * in the header (`X-Forwarded-For`, `X-Real-IP`, `Proxy-Client-IP`, etc.).
+ * (`X-Forwarded-For`, `X-Real-IP`, `Proxy-Client-IP`, etc.) in the header.
  *
  * For example: `ServletRequest.getHeader("X-Forwarded-For")`.
  */

From 408954e4d8d8155720e4588cde9f96c9af572366 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tam=C3=A1s=20Vajk?= <tamasvajk@github.com>
Date: Tue, 20 Apr 2021 09:30:47 +0200
Subject: [PATCH 0476/1429] C#: Add Dapper to supported frameworks

---
 docs/codeql/support/reusables/frameworks.rst | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/codeql/support/reusables/frameworks.rst b/docs/codeql/support/reusables/frameworks.rst
index 22569cbdcc6..2dfebad4919 100644
--- a/docs/codeql/support/reusables/frameworks.rst
+++ b/docs/codeql/support/reusables/frameworks.rst
@@ -28,6 +28,7 @@ C# built-in support
    Json.NET, Serialization
    NHibernate, Database ORM
    WinForms, User interface
+   Dapper, Database ORM
 
 Go built-in support
 ================================

From 61d4d17225f14af4d8ccc053e518aa5a3f94ad76 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 20 Apr 2021 09:57:58 +0200
Subject: [PATCH 0477/1429] C++: Simplify smart pointer model and accept test
 changes.

---
 .../models/implementations/SmartPointer.qll   | 14 ++++++------
 .../dataflow/taint-tests/localTaint.expected  | 22 +++++++++----------
 2 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
index 4b060c234f8..adef44a1125 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
@@ -18,20 +18,20 @@ private class UniqueOrSharedPtr extends Class, PointerWrapper {
 }
 
 /** Any function that unwraps a pointer wrapper class to reveal the underlying pointer. */
-private class PointerWrapperDataFlow extends DataFlowFunction {
-  PointerWrapperDataFlow() {
+private class PointerWrapperFlow extends TaintFunction, DataFlowFunction {
+  PointerWrapperFlow() {
     this = any(PointerWrapper wrapper).getAnUnwrapperFunction() and
     not this.getUnspecifiedType() instanceof ReferenceType
   }
 
-  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierAddress() and output.isReturnValue()
-    or
-    input.isQualifierObject() and output.isReturnValueDeref()
-    or
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isReturnValueDeref() and
     output.isQualifierObject()
   }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and output.isReturnValue()
+  }
 }
 
 /**
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index 59ba0948d85..b003dc5a12b 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -3275,11 +3275,11 @@
 | smart_pointer.cpp:51:30:51:50 | call to make_shared | smart_pointer.cpp:52:10:52:10 | p |  |
 | smart_pointer.cpp:51:52:51:57 | call to source | smart_pointer.cpp:51:30:51:50 | call to make_shared | TAINT |
 | smart_pointer.cpp:52:10:52:10 | p | smart_pointer.cpp:52:12:52:14 | call to get |  |
-| smart_pointer.cpp:52:12:52:14 | ref arg call to get | smart_pointer.cpp:52:10:52:10 | ref arg p |  |
+| smart_pointer.cpp:52:12:52:14 | ref arg call to get | smart_pointer.cpp:52:10:52:10 | ref arg p | TAINT |
 | smart_pointer.cpp:56:30:56:50 | call to make_unique | smart_pointer.cpp:57:10:57:10 | p |  |
 | smart_pointer.cpp:56:52:56:57 | call to source | smart_pointer.cpp:56:30:56:50 | call to make_unique | TAINT |
 | smart_pointer.cpp:57:10:57:10 | p | smart_pointer.cpp:57:12:57:14 | call to get |  |
-| smart_pointer.cpp:57:12:57:14 | ref arg call to get | smart_pointer.cpp:57:10:57:10 | ref arg p |  |
+| smart_pointer.cpp:57:12:57:14 | ref arg call to get | smart_pointer.cpp:57:10:57:10 | ref arg p | TAINT |
 | smart_pointer.cpp:65:28:65:46 | call to make_unique | smart_pointer.cpp:66:10:66:10 | p |  |
 | smart_pointer.cpp:65:28:65:46 | call to make_unique | smart_pointer.cpp:67:10:67:10 | p |  |
 | smart_pointer.cpp:65:48:65:53 | call to source | smart_pointer.cpp:65:28:65:46 | call to make_unique | TAINT |
@@ -3319,7 +3319,7 @@
 | smart_pointer.cpp:87:3:87:3 | ref arg p | smart_pointer.cpp:89:8:89:8 | p |  |
 | smart_pointer.cpp:87:3:87:17 | ... = ... | smart_pointer.cpp:87:6:87:6 | x [post update] |  |
 | smart_pointer.cpp:87:3:87:17 | ... = ... | smart_pointer.cpp:88:11:88:11 | x |  |
-| smart_pointer.cpp:87:4:87:4 | call to operator-> [post update] | smart_pointer.cpp:87:3:87:3 | ref arg p |  |
+| smart_pointer.cpp:87:4:87:4 | call to operator-> [post update] | smart_pointer.cpp:87:3:87:3 | ref arg p | TAINT |
 | smart_pointer.cpp:87:10:87:15 | call to source | smart_pointer.cpp:87:3:87:17 | ... = ... |  |
 | smart_pointer.cpp:88:8:88:8 | p | smart_pointer.cpp:88:9:88:9 | call to operator-> |  |
 | smart_pointer.cpp:88:8:88:8 | ref arg p | smart_pointer.cpp:86:45:86:45 | p |  |
@@ -3333,7 +3333,7 @@
 | smart_pointer.cpp:91:3:91:3 | ref arg q | smart_pointer.cpp:94:8:94:8 | q |  |
 | smart_pointer.cpp:91:3:91:20 | ... = ... | smart_pointer.cpp:91:9:91:9 | x [post update] |  |
 | smart_pointer.cpp:91:3:91:20 | ... = ... | smart_pointer.cpp:92:14:92:14 | x |  |
-| smart_pointer.cpp:91:4:91:4 | call to operator-> [post update] | smart_pointer.cpp:91:3:91:3 | ref arg q |  |
+| smart_pointer.cpp:91:4:91:4 | call to operator-> [post update] | smart_pointer.cpp:91:3:91:3 | ref arg q | TAINT |
 | smart_pointer.cpp:91:13:91:18 | call to source | smart_pointer.cpp:91:3:91:20 | ... = ... |  |
 | smart_pointer.cpp:92:8:92:8 | q | smart_pointer.cpp:92:9:92:9 | call to operator-> |  |
 | smart_pointer.cpp:92:8:92:8 | ref arg q | smart_pointer.cpp:86:67:86:67 | q |  |
@@ -3351,21 +3351,21 @@
 | smart_pointer.cpp:102:25:102:50 | call to unique_ptr | smart_pointer.cpp:104:8:104:8 | p |  |
 | smart_pointer.cpp:103:11:103:11 | p | smart_pointer.cpp:103:13:103:15 | call to get |  |
 | smart_pointer.cpp:103:11:103:11 | ref arg p | smart_pointer.cpp:104:8:104:8 | p |  |
-| smart_pointer.cpp:103:13:103:15 | ref arg call to get | smart_pointer.cpp:103:11:103:11 | ref arg p |  |
+| smart_pointer.cpp:103:13:103:15 | ref arg call to get | smart_pointer.cpp:103:11:103:11 | ref arg p | TAINT |
 | smart_pointer.cpp:104:8:104:8 | p | smart_pointer.cpp:104:9:104:9 | call to operator-> |  |
 | smart_pointer.cpp:112:40:112:42 | ptr | smart_pointer.cpp:112:40:112:42 | ptr |  |
 | smart_pointer.cpp:112:40:112:42 | ptr | smart_pointer.cpp:113:2:113:4 | ptr |  |
 | smart_pointer.cpp:113:2:113:4 | ptr | smart_pointer.cpp:113:5:113:5 | call to operator-> |  |
 | smart_pointer.cpp:113:2:113:4 | ref arg ptr | smart_pointer.cpp:112:40:112:42 | ptr |  |
 | smart_pointer.cpp:113:2:113:18 | ... = ... | smart_pointer.cpp:113:7:113:7 | x [post update] |  |
-| smart_pointer.cpp:113:5:113:5 | call to operator-> [post update] | smart_pointer.cpp:113:2:113:4 | ref arg ptr |  |
+| smart_pointer.cpp:113:5:113:5 | call to operator-> [post update] | smart_pointer.cpp:113:2:113:4 | ref arg ptr | TAINT |
 | smart_pointer.cpp:113:11:113:16 | call to source | smart_pointer.cpp:113:2:113:18 | ... = ... |  |
 | smart_pointer.cpp:116:52:116:54 | ptr | smart_pointer.cpp:116:52:116:54 | ptr |  |
 | smart_pointer.cpp:116:52:116:54 | ptr | smart_pointer.cpp:117:2:117:4 | ptr |  |
 | smart_pointer.cpp:117:2:117:4 | ptr | smart_pointer.cpp:117:5:117:5 | call to operator-> |  |
 | smart_pointer.cpp:117:2:117:4 | ref arg ptr | smart_pointer.cpp:116:52:116:54 | ptr |  |
 | smart_pointer.cpp:117:2:117:18 | ... = ... | smart_pointer.cpp:117:7:117:7 | x [post update] |  |
-| smart_pointer.cpp:117:5:117:5 | call to operator-> [post update] | smart_pointer.cpp:117:2:117:4 | ref arg ptr |  |
+| smart_pointer.cpp:117:5:117:5 | call to operator-> [post update] | smart_pointer.cpp:117:2:117:4 | ref arg ptr | TAINT |
 | smart_pointer.cpp:117:11:117:16 | call to source | smart_pointer.cpp:117:2:117:18 | ... = ... |  |
 | smart_pointer.cpp:120:48:120:50 | ptr | smart_pointer.cpp:120:48:120:50 | ptr |  |
 | smart_pointer.cpp:120:48:120:50 | ptr | smart_pointer.cpp:121:4:121:6 | ptr |  |
@@ -3386,12 +3386,12 @@
 | smart_pointer.cpp:125:18:125:19 | ref arg p1 | smart_pointer.cpp:124:48:124:49 | p1 |  |
 | smart_pointer.cpp:125:18:125:19 | ref arg p1 | smart_pointer.cpp:126:8:126:9 | p1 |  |
 | smart_pointer.cpp:125:18:125:22 | ref arg call to shared_ptr | smart_pointer.cpp:125:22:125:22 | q [inner post update] |  |
-| smart_pointer.cpp:125:20:125:20 | call to operator-> [post update] | smart_pointer.cpp:125:18:125:19 | ref arg p1 |  |
+| smart_pointer.cpp:125:20:125:20 | call to operator-> [post update] | smart_pointer.cpp:125:18:125:19 | ref arg p1 | TAINT |
 | smart_pointer.cpp:125:22:125:22 | q | smart_pointer.cpp:125:18:125:22 | call to shared_ptr |  |
 | smart_pointer.cpp:125:22:125:22 | ref arg q | smart_pointer.cpp:125:22:125:22 | q [inner post update] |  |
 | smart_pointer.cpp:126:8:126:9 | p1 | smart_pointer.cpp:126:10:126:10 | call to operator-> |  |
 | smart_pointer.cpp:126:8:126:9 | ref arg p1 | smart_pointer.cpp:124:48:124:49 | p1 |  |
-| smart_pointer.cpp:126:10:126:10 | call to operator-> [post update] | smart_pointer.cpp:126:8:126:9 | ref arg p1 |  |
+| smart_pointer.cpp:126:10:126:10 | call to operator-> [post update] | smart_pointer.cpp:126:8:126:9 | ref arg p1 | TAINT |
 | smart_pointer.cpp:126:12:126:12 | q | smart_pointer.cpp:126:13:126:13 | call to operator-> |  |
 | smart_pointer.cpp:128:13:128:13 | call to operator* | smart_pointer.cpp:128:13:128:15 | call to shared_ptr | TAINT |
 | smart_pointer.cpp:128:13:128:13 | ref arg call to operator* | smart_pointer.cpp:124:90:124:91 | p2 |  |
@@ -3422,10 +3422,10 @@
 | smart_pointer.cpp:133:23:133:24 | p1 | smart_pointer.cpp:133:25:133:25 | call to operator-> |  |
 | smart_pointer.cpp:133:23:133:24 | ref arg p1 | smart_pointer.cpp:132:53:132:54 | p1 |  |
 | smart_pointer.cpp:133:23:133:24 | ref arg p1 | smart_pointer.cpp:134:8:134:9 | p1 |  |
-| smart_pointer.cpp:133:25:133:25 | call to operator-> [post update] | smart_pointer.cpp:133:23:133:24 | ref arg p1 |  |
+| smart_pointer.cpp:133:25:133:25 | call to operator-> [post update] | smart_pointer.cpp:133:23:133:24 | ref arg p1 | TAINT |
 | smart_pointer.cpp:134:8:134:9 | p1 | smart_pointer.cpp:134:10:134:10 | call to operator-> |  |
 | smart_pointer.cpp:134:8:134:9 | ref arg p1 | smart_pointer.cpp:132:53:132:54 | p1 |  |
-| smart_pointer.cpp:134:10:134:10 | call to operator-> [post update] | smart_pointer.cpp:134:8:134:9 | ref arg p1 |  |
+| smart_pointer.cpp:134:10:134:10 | call to operator-> [post update] | smart_pointer.cpp:134:8:134:9 | ref arg p1 | TAINT |
 | smart_pointer.cpp:134:12:134:12 | q | smart_pointer.cpp:134:13:134:13 | call to operator-> |  |
 | smart_pointer.cpp:136:17:136:17 | ref arg call to operator* | smart_pointer.cpp:132:95:132:96 | p2 |  |
 | smart_pointer.cpp:136:17:136:17 | ref arg call to operator* | smart_pointer.cpp:136:18:136:19 | p2 [inner post update] |  |

From dd1bb18938404a76283317189a693571e2d46d8b Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Tue, 20 Apr 2021 11:56:25 +0200
Subject: [PATCH 0478/1429] C#: Various data-flow performance tweaks

- Cache `DataFlowCall::getEnclosingCallable()`.
- Cache `ParameterNode`.
- Cache `ArgumentNode`.
- Force proper join-orders for uses of `getNodeType()`.
- Inline `localFlow` to prevent calculating full TC.
---
 csharp/ql/src/semmle/code/csharp/Caching.qll  |  3 +
 .../dataflow/internal/DataFlowDispatch.qll    |  9 ++-
 .../dataflow/internal/DataFlowPrivate.qll     | 79 ++++++++++++-------
 .../dataflow/internal/DataFlowPublic.qll      | 39 +++------
 4 files changed, 69 insertions(+), 61 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/Caching.qll b/csharp/ql/src/semmle/code/csharp/Caching.qll
index 95ffbf9ffc9..374ecaaa183 100644
--- a/csharp/ql/src/semmle/code/csharp/Caching.qll
+++ b/csharp/ql/src/semmle/code/csharp/Caching.qll
@@ -49,6 +49,7 @@ module Stages {
 
   cached
   module DataFlowStage {
+    private import semmle.code.csharp.dataflow.internal.DataFlowDispatch
     private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
     private import semmle.code.csharp.dataflow.internal.DataFlowImplCommon
     private import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
@@ -78,6 +79,8 @@ module Stages {
       or
       exists(CallContext cc)
       or
+      exists(any(DataFlowCall c).getEnclosingCallable())
+      or
       forceCachingInSameStageRev()
     }
   }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
index 4eac274b04f..0a7cf4acc41 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
@@ -4,6 +4,7 @@ private import dotnet
 private import DataFlowPublic
 private import DataFlowPrivate
 private import FlowSummaryImpl as FlowSummaryImpl
+private import semmle.code.csharp.Caching
 private import semmle.code.csharp.dataflow.FlowSummary
 private import semmle.code.csharp.dispatch.Dispatch
 private import semmle.code.csharp.frameworks.system.Collections
@@ -69,8 +70,6 @@ private predicate transitiveCapturedCallTarget(ControlFlow::Nodes::ElementNode c
 
 cached
 private module Cached {
-  private import semmle.code.csharp.Caching
-
   cached
   newtype TReturnKind =
     TNormalReturnKind() { Stages::DataFlowStage::forceCachingInSameStage() } or
@@ -247,6 +246,7 @@ abstract class DataFlowCall extends TDataFlowCall {
   abstract DataFlow::Node getNode();
 
   /** Gets the enclosing callable of this call. */
+  cached
   abstract DataFlowCallable getEnclosingCallable();
 
   /** Gets the underlying expression, if any. */
@@ -280,7 +280,10 @@ class NonDelegateDataFlowCall extends DataFlowCall, TNonDelegateCall {
 
   override DataFlow::ExprNode getNode() { result.getControlFlowNode() = cfn }
 
-  override DataFlowCallable getEnclosingCallable() { result = cfn.getEnclosingCallable() }
+  override DataFlowCallable getEnclosingCallable() {
+    Stages::DataFlowStage::forceCachingInSameStage() and
+    result = cfn.getEnclosingCallable()
+  }
 
   override string toString() { result = cfn.toString() }
 
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
index 3b646973e28..f42410ca3a5 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -21,9 +21,11 @@ private import semmle.code.csharp.frameworks.system.threading.Tasks
 
 abstract class NodeImpl extends Node {
   /** Do not call: use `getEnclosingCallable()` instead. */
+  cached
   abstract DataFlowCallable getEnclosingCallableImpl();
 
   /** Do not call: use `getType()` instead. */
+  cached
   abstract DotNet::Type getTypeImpl();
 
   /** Gets the type of this node used for type pruning. */
@@ -39,27 +41,39 @@ abstract class NodeImpl extends Node {
   }
 
   /** Do not call: use `getControlFlowNode()` instead. */
+  cached
   abstract ControlFlow::Node getControlFlowNodeImpl();
 
   /** Do not call: use `getLocation()` instead. */
+  cached
   abstract Location getLocationImpl();
 
   /** Do not call: use `toString()` instead. */
+  cached
   abstract string toStringImpl();
 }
 
 private class ExprNodeImpl extends ExprNode, NodeImpl {
   override DataFlowCallable getEnclosingCallableImpl() {
+    Stages::DataFlowStage::forceCachingInSameStage() and
     result = this.getExpr().getEnclosingCallable()
   }
 
-  override DotNet::Type getTypeImpl() { result = this.getExpr().getType() }
+  override DotNet::Type getTypeImpl() {
+    Stages::DataFlowStage::forceCachingInSameStage() and
+    result = this.getExpr().getType()
+  }
 
-  override ControlFlow::Nodes::ElementNode getControlFlowNodeImpl() { this = TExprNode(result) }
+  override ControlFlow::Nodes::ElementNode getControlFlowNodeImpl() {
+    Stages::DataFlowStage::forceCachingInSameStage() and this = TExprNode(result)
+  }
 
-  override Location getLocationImpl() { result = this.getExpr().getLocation() }
+  override Location getLocationImpl() {
+    Stages::DataFlowStage::forceCachingInSameStage() and result = this.getExpr().getLocation()
+  }
 
   override string toStringImpl() {
+    Stages::DataFlowStage::forceCachingInSameStage() and
     result = this.getControlFlowNode().toString()
     or
     exists(CIL::Expr e |
@@ -967,6 +981,16 @@ private module Cached {
     or
     n.asExpr() = any(WithExpr we).getInitializer()
   }
+
+  cached
+  predicate parameterNode(Node n, DataFlowCallable c, int i) {
+    n.(ParameterNodeImpl).isParameterOf(c, i)
+  }
+
+  cached
+  predicate argumentNode(Node n, DataFlowCall call, int pos) {
+    n.(ArgumentNodeImpl).argumentOf(call, pos)
+  }
 }
 
 import Cached
@@ -992,8 +1016,6 @@ class SsaDefinitionNode extends NodeImpl, TSsaDefinitionNode {
 }
 
 abstract class ParameterNodeImpl extends NodeImpl {
-  abstract DotNet::Parameter getParameter();
-
   abstract predicate isParameterOf(DataFlowCallable c, int i);
 }
 
@@ -1010,11 +1032,9 @@ private module ParameterNodes {
     /** Gets the SSA definition corresponding to this parameter, if any. */
     Ssa::ExplicitDefinition getSsaDefinition() {
       result.getADefinition().(AssignableDefinitions::ImplicitParameterDefinition).getParameter() =
-        this.getParameter()
+        parameter
     }
 
-    override DotNet::Parameter getParameter() { result = parameter }
-
     override predicate isParameterOf(DataFlowCallable c, int i) { c.getParameter(i) = parameter }
 
     override DataFlowCallable getEnclosingCallableImpl() { result = parameter.getCallable() }
@@ -1037,8 +1057,6 @@ private module ParameterNodes {
     /** Gets the callable containing this implicit instance parameter. */
     Callable getCallable() { result = callable }
 
-    override DotNet::Parameter getParameter() { none() }
-
     override predicate isParameterOf(DataFlowCallable c, int pos) { callable = c and pos = -1 }
 
     override DataFlowCallable getEnclosingCallableImpl() { result = callable }
@@ -1113,8 +1131,6 @@ private module ParameterNodes {
     /** Gets the captured variable that this implicit parameter models. */
     LocalScopeVariable getVariable() { result = def.getVariable() }
 
-    override DotNet::Parameter getParameter() { none() }
-
     override predicate isParameterOf(DataFlowCallable c, int i) {
       i = getParameterPosition(def) and
       c = this.getEnclosingCallable()
@@ -1125,13 +1141,15 @@ private module ParameterNodes {
 import ParameterNodes
 
 /** A data-flow node that represents a call argument. */
-abstract class ArgumentNode extends Node {
-  /** Holds if this argument occurs at the given position in the given call. */
-  cached
-  abstract predicate argumentOf(DataFlowCall call, int pos);
+class ArgumentNode extends Node {
+  ArgumentNode() { argumentNode(this, _, _) }
 
-  /** Gets the call in which this node is an argument. */
-  final DataFlowCall getCall() { this.argumentOf(result, _) }
+  /** Holds if this argument occurs at the given position in the given call. */
+  final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }
+}
+
+abstract private class ArgumentNodeImpl extends Node {
+  abstract predicate argumentOf(DataFlowCall call, int pos);
 }
 
 private module ArgumentNodes {
@@ -1149,7 +1167,7 @@ private module ArgumentNodes {
   }
 
   /** A data-flow node that represents an explicit call argument. */
-  class ExplicitArgumentNode extends ArgumentNode {
+  class ExplicitArgumentNode extends ArgumentNodeImpl {
     ExplicitArgumentNode() {
       this.asExpr() instanceof Argument
       or
@@ -1157,7 +1175,6 @@ private module ArgumentNodes {
     }
 
     override predicate argumentOf(DataFlowCall call, int pos) {
-      Stages::DataFlowStage::forceCachingInSameStage() and
       exists(ArgumentConfiguration x, Expr c, Argument arg |
         arg = this.asExpr() and
         c = call.getExpr() and
@@ -1189,7 +1206,8 @@ private module ArgumentNodes {
    * }                                }
    * ```
    */
-  class ImplicitCapturedArgumentNode extends ArgumentNode, NodeImpl, TImplicitCapturedArgumentNode {
+  class ImplicitCapturedArgumentNode extends ArgumentNodeImpl, NodeImpl,
+    TImplicitCapturedArgumentNode {
     private LocalScopeVariable v;
     private ControlFlow::Nodes::ElementNode cfn;
 
@@ -1231,7 +1249,7 @@ private module ArgumentNodes {
    * A node that corresponds to the value of an object creation (`new C()`) before
    * the constructor has run.
    */
-  class MallocNode extends ArgumentNode, NodeImpl, TMallocNode {
+  class MallocNode extends ArgumentNodeImpl, NodeImpl, TMallocNode {
     private ControlFlow::Nodes::ElementNode cfn;
 
     MallocNode() { this = TMallocNode(cfn) }
@@ -1266,7 +1284,7 @@ private module ArgumentNodes {
    * and that argument is itself a compatible array, for example
    * `Foo(new[] { "a", "b", "c" })`.
    */
-  class ParamsArgumentNode extends ArgumentNode, NodeImpl, TParamsArgumentNode {
+  class ParamsArgumentNode extends ArgumentNodeImpl, NodeImpl, TParamsArgumentNode {
     private ControlFlow::Node callCfn;
 
     ParamsArgumentNode() { this = TParamsArgumentNode(callCfn) }
@@ -1291,7 +1309,7 @@ private module ArgumentNodes {
     override string toStringImpl() { result = "[implicit array creation] " + callCfn }
   }
 
-  private class SummaryArgumentNode extends SummaryNode, ArgumentNode {
+  private class SummaryArgumentNode extends SummaryNode, ArgumentNodeImpl {
     private DataFlowCall c;
     private int i;
 
@@ -1324,10 +1342,7 @@ private module ReturnNodes {
       )
     }
 
-    override NormalReturnKind getKind() {
-      any(DotNet::Callable c).canReturn(this.getExpr()) and
-      exists(result)
-    }
+    override NormalReturnKind getKind() { exists(result) }
   }
 
   /**
@@ -1744,7 +1759,10 @@ class DataFlowType extends Gvn::GvnType {
 }
 
 /** Gets the type of `n` used for type pruning. */
-DataFlowType getNodeType(NodeImpl n) { result = n.getDataFlowType() }
+pragma[inline]
+Gvn::GvnType getNodeType(NodeImpl n) {
+  pragma[only_bind_into](result) = pragma[only_bind_out](n).getDataFlowType()
+}
 
 /** Gets a string representation of a `DataFlowType`. */
 string ppReprType(DataFlowType t) { result = t.toString() }
@@ -1819,7 +1837,8 @@ private module PostUpdateNodes {
    * Such a node acts as both a post-update node for the `MallocNode`, as well as
    * a pre-update node for the `ObjectCreationNode`.
    */
-  class ObjectInitializerNode extends PostUpdateNode, NodeImpl, ArgumentNode, TObjectInitializerNode {
+  class ObjectInitializerNode extends PostUpdateNode, NodeImpl, ArgumentNodeImpl,
+    TObjectInitializerNode {
     private ObjectCreation oc;
     private ControlFlow::Nodes::ElementNode cfn;
 
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll
index dd6e72d54f6..12a62faf387 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll
@@ -3,7 +3,6 @@ private import cil
 private import dotnet
 private import DataFlowDispatch
 private import DataFlowPrivate
-private import semmle.code.csharp.Caching
 private import semmle.code.csharp.controlflow.Guards
 private import semmle.code.csharp.Unification
 
@@ -38,38 +37,21 @@ class Node extends TNode {
   }
 
   /** Gets the type of this node. */
-  cached
-  final DotNet::Type getType() {
-    Stages::DataFlowStage::forceCachingInSameStage() and result = this.(NodeImpl).getTypeImpl()
-  }
+  final DotNet::Type getType() { result = this.(NodeImpl).getTypeImpl() }
 
   /** Gets the enclosing callable of this node. */
-  cached
   final DataFlowCallable getEnclosingCallable() {
-    Stages::DataFlowStage::forceCachingInSameStage() and
     result = this.(NodeImpl).getEnclosingCallableImpl()
   }
 
   /** Gets the control flow node corresponding to this node, if any. */
-  cached
-  final ControlFlow::Node getControlFlowNode() {
-    Stages::DataFlowStage::forceCachingInSameStage() and
-    result = this.(NodeImpl).getControlFlowNodeImpl()
-  }
+  final ControlFlow::Node getControlFlowNode() { result = this.(NodeImpl).getControlFlowNodeImpl() }
 
   /** Gets a textual representation of this node. */
-  cached
-  final string toString() {
-    Stages::DataFlowStage::forceCachingInSameStage() and
-    result = this.(NodeImpl).toStringImpl()
-  }
+  final string toString() { result = this.(NodeImpl).toStringImpl() }
 
   /** Gets the location of this node. */
-  cached
-  final Location getLocation() {
-    Stages::DataFlowStage::forceCachingInSameStage() and
-    result = this.(NodeImpl).getLocationImpl()
-  }
+  final Location getLocation() { result = this.(NodeImpl).getLocationImpl() }
 
   /**
    * Holds if this element is at the specified location.
@@ -81,7 +63,7 @@ class Node extends TNode {
   predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
-    getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
   }
 }
 
@@ -117,18 +99,18 @@ class ExprNode extends Node {
  * flow graph.
  */
 class ParameterNode extends Node {
-  private ParameterNodeImpl p;
-
-  ParameterNode() { this = p }
+  ParameterNode() { parameterNode(this, _, _) }
 
   /** Gets the parameter corresponding to this node, if any. */
-  DotNet::Parameter getParameter() { result = p.getParameter() }
+  DotNet::Parameter getParameter() {
+    exists(DataFlowCallable c, int i | this.isParameterOf(c, i) and result = c.getParameter(i))
+  }
 
   /**
    * Holds if this node is the parameter of callable `c` at the specified
    * (zero-based) position.
    */
-  predicate isParameterOf(DataFlowCallable c, int i) { p.isParameterOf(c, i) }
+  predicate isParameterOf(DataFlowCallable c, int i) { parameterNode(this, c, i) }
 }
 
 /** A definition, viewed as a node in a data flow graph. */
@@ -166,6 +148,7 @@ predicate localFlowStep = localFlowStepImpl/2;
  * Holds if data flows from `source` to `sink` in zero or more local
  * (intra-procedural) steps.
  */
+pragma[inline]
 predicate localFlow(Node source, Node sink) { localFlowStep*(source, sink) }
 
 /**

From b60bffaf83fb8cbd87ea87e76751d783a8a6275a Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Tue, 20 Apr 2021 19:31:59 +0800
Subject: [PATCH 0479/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll         | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
index 64bf8438092..98c754c7727 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
@@ -102,8 +102,7 @@ private class PrintSink extends UseOfLessTrustedSink {
     exists(MethodAccess ma |
       ma.getMethod().getName() in ["print", "println"] and
       (
-        ma.getMethod().getDeclaringType().hasQualifiedName("java.io", "PrintWriter") or
-        ma.getMethod().getDeclaringType().hasQualifiedName("java.io", "PrintStream")
+        ma.getMethod().getDeclaringType().hasQualifiedName("java.io", ["PrintWriter", "PrintStream"])
       ) and
       ma.getAnArgument() = this.asExpr()
     )

From 0b1637a4099416de032b701bd20d812bfaa7560e Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Tue, 20 Apr 2021 19:32:39 +0800
Subject: [PATCH 0480/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
index 48923b85f02..3b56a9650bd 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
@@ -3,7 +3,7 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>The software obtains the original client IP address through the http header (<code>X-Forwarded-For</code> or <code>X-Real-IP</code> or <code>Proxy-Client-IP</code> 
+<p>An original client IP address is retrieved from an http header (<code>X-Forwarded-For</code> or <code>X-Real-IP</code> or <code>Proxy-Client-IP</code> 
 etc.), which is used to ensure security or track it in the log for statistical or other reasons. Attackers can forge the value of these identifiers to attack the 
 software.</p>
 

From d82878ac3b833bfbc006836f01895fa34bd00542 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Tue, 20 Apr 2021 19:33:06 +0800
Subject: [PATCH 0481/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp         | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
index 3b56a9650bd..e195cda1cdd 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
@@ -4,8 +4,8 @@
 <qhelp>
 <overview>
 <p>An original client IP address is retrieved from an http header (<code>X-Forwarded-For</code> or <code>X-Real-IP</code> or <code>Proxy-Client-IP</code> 
-etc.), which is used to ensure security or track it in the log for statistical or other reasons. Attackers can forge the value of these identifiers to attack the 
-software.</p>
+etc.), which is used to ensure security or track it in the log for statistical or other reasons. Attackers can forge the value of these identifiers to
+bypass a ban-list, for example.</p>
 
 </overview>
 <recommendation>

From 9ece4dac0ff03b68d84e639517686b0721dcba09 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Tue, 20 Apr 2021 19:33:47 +0800
Subject: [PATCH 0482/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
index e195cda1cdd..c060eaf3e51 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
@@ -10,7 +10,7 @@ bypass a ban-list, for example.</p>
 </overview>
 <recommendation>
 
-<p>When the software is not using a proxy server, get the last ip.</p>
+<p>Do not trust the values of HTTP headers allegedly identifying the originating IP. If you are aware your application will run behind some reverse proxies then the last entry of a <code>X-Forwarded-For</code> header value may be more trustworthy than the rest of it because some reverse proxies append the IP address they observed to the end of any remote-supplied header.</p>
 
 </recommendation>
 <example>

From 408dd31d3cf2b35bf524648e621553f6028c0a30 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Tue, 20 Apr 2021 19:34:37 +0800
Subject: [PATCH 0483/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp    | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
index c060eaf3e51..15508f04977 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
@@ -15,11 +15,10 @@ bypass a ban-list, for example.</p>
 </recommendation>
 <example>
 
-<p>The following examples show the bad case and the good case respectively. Bad case, such as <code>bad1</code> to <code>bad2</code>. 
-In the <code>bad1</code> method, obtain the client ip according to the specified identifier from the <code>header</code> for local 
-output and logging. In the <code>bad2</code> method, the client ip is obtained and judged according to the specified identifier 
-from the <code>header</code>. When used for permission verification, it can be bypassed by forging the ip. Good case, such as 
-<code>good1</code>, split the value of <code>X-Forwarded-For</code> in <code>header</code> and get the last value of the split array.</p>
+<p>The following examples show the bad case and the good case respectively.
+In the <code>bad1</code> method, the client ip is obtained from an HTTP header for local 
+output and logging. In the <code>bad2</code> method, the client ip the <code>X-Forwarded-For</code> is split into comma-separated values, but the less-trustworthy first one is used. Both of these examples could be deceived by providing a forged HTTP header. The method
+<code>good1</code> similarly splits an <code>X-Forwarded-For</code> value, but uses the last, more-trustworthy entry.</p>
 
 <sample src="UseOfLessTrustedSource.java" />
 

From 9e87f4ec4e1e97baafa7b2677aeb87e8dd7d82e7 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Tue, 20 Apr 2021 19:35:34 +0800
Subject: [PATCH 0484/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../Security/CWE/CWE-348/UseOfLessTrustedSource.ql             | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
index df019a7c765..89c0dbd615a 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
@@ -27,7 +27,8 @@ class UseOfLessTrustedSourceConfig extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof UseOfLessTrustedSink }
 
   /**
-   * When using `,` split request data and not taking the first value of the array, it is considered as `good`.
+   * Splitting a header value by `,` and taking an entry other than the first is sanitizing, because
+   * later entries may originate from more-trustworthy intermediate proxies, not the original client.
    */
   override predicate isSanitizer(DataFlow::Node node) {
     exists(ArrayAccess aa, MethodAccess ma | aa.getArray() = ma |

From b1ee864ad94a24a36245e1796a0c03e13adedfe3 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Tue, 20 Apr 2021 19:35:52 +0800
Subject: [PATCH 0485/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../Security/CWE/CWE-348/UseOfLessTrustedSource.ql             | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
index 89c0dbd615a..80b5deec578 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
@@ -1,7 +1,6 @@
 /**
  * @name IP address spoofing
- * @description The software obtains the client ip from the remote endpoint identifier specified (`X-Forwarded-For`,
- *              `X-Real-IP`, `Proxy-Client-IP`, etc.) in the header and uses it. Attackers can modify these The value
+ * @description A remote endpoint identifier is read from an HTTP header. Attackers can modify the value
  *              of the identifier to forge the client ip.
  * @kind path-problem
  * @problem.severity error

From 3e376f95c49bdbc9d313d33f268c121f821a1abb Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Tue, 20 Apr 2021 19:36:16 +0800
Subject: [PATCH 0486/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
index 80b5deec578..e1d2a28c939 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
@@ -16,7 +16,7 @@ import semmle.code.java.dataflow.FlowSources
 import DataFlow::PathGraph
 
 /**
- * Taint-tracking configuration tracing flow from obtain client ip to use the client ip.
+ * Taint-tracking configuration tracing flow from obtaining a client ip from an HTTP header to a sensitive use.
  */
 class UseOfLessTrustedSourceConfig extends TaintTracking::Configuration {
   UseOfLessTrustedSourceConfig() { this = "UseOfLessTrustedSourceConfig" }

From f2de44088691f46331b08ab9a68157bae582f109 Mon Sep 17 00:00:00 2001
From: p0wn4j <p0wn4j@github.com>
Date: Sun, 21 Mar 2021 22:30:43 +0400
Subject: [PATCH 0487/1429] [Java] CWE-094: Query to detect Groovy Code
 Injections

---
 .../CWE/CWE-094/GroovyInjection.qhelp         |  81 +++++++++
 .../Security/CWE/CWE-094/GroovyInjection.ql   |  20 +++
 .../CWE/CWE-094/GroovyInjectionBad.java       |  27 +++
 .../CWE/CWE-094/GroovyInjectionBlocklist.java |  17 ++
 .../CWE/CWE-094/GroovyInjectionLib.qll        | 162 ++++++++++++++++++
 .../CWE-094/GroovyClassLoaderTest.java        |  39 +++++
 .../security/CWE-094/GroovyEvalTest.java      |  41 +++++
 .../security/CWE-094/GroovyInjection.expected |  73 ++++++++
 .../security/CWE-094/GroovyInjection.qlref    |   1 +
 .../security/CWE-094/GroovyShellTest.java     |  63 +++++++
 .../query-tests/security/CWE-094/options      |   3 +-
 .../groovy/lang/GroovyClassLoader.java        |  32 ++++
 .../groovy/lang/GroovyCodeSource.java         |  23 +++
 .../groovy/lang/GroovyObject.java             |  21 +++
 .../groovy/lang/GroovyShell.java              |  66 +++++++
 .../groovy-all-3.0.7/groovy/lang/Script.java  |  22 +++
 .../groovy-all-3.0.7/groovy/util/Eval.java    |  41 +++++
 17 files changed, 731 insertions(+), 1 deletion(-)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjection.qhelp
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjection.ql
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjectionBad.java
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjectionBlocklist.java
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjectionLib.qll
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/GroovyClassLoaderTest.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/GroovyEvalTest.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/GroovyInjection.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/GroovyInjection.qlref
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/GroovyShellTest.java
 create mode 100644 java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/lang/GroovyClassLoader.java
 create mode 100644 java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/lang/GroovyCodeSource.java
 create mode 100644 java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/lang/GroovyObject.java
 create mode 100644 java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/lang/GroovyShell.java
 create mode 100644 java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/lang/Script.java
 create mode 100644 java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/util/Eval.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjection.qhelp
new file mode 100644
index 00000000000..2329a6b08f5
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjection.qhelp
@@ -0,0 +1,81 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Apache Groovy is a powerful, optionally typed and dynamic language, 
+with static-typing and static compilation capabilities.
+
+It integrates smoothly with any Java program, 
+and immediately delivers to your application powerful features, 
+including scripting capabilities, Domain-Specific Language authoring, 
+runtime and compile-time meta-programming and functional programming.
+
+If a Groovy script is built using attacker-controlled data, 
+and then evaluated, then it may allow the attacker to achieve RCE.
+</p>
+</overview>
+
+<recommendation>
+<p>
+It is generally recommended to avoid using untrusted input in a Groovy evaluation.
+If this is not possible, use a sandbox solution. Developers must also take care that Groovy
+compile-time metaprogramming can also lead to RCE: it is possible to achieve RCE by compiling
+a Groovy script (see the article "Abusing Meta Programming for Unauthenticated RCE!" linked below).
+
+Groovy's <code>SecureASTCustomizer</code> allows securing source code by controlling what code constructs are permitted. 
+This is typically done when using Groovy for its scripting or domain specific language (DSL) features.
+The fundamental problem is that Groovy is a dynamic language, yet SecureASTCustomizer works by looking at Groovy AST statically.
+
+This makes it very easy for an attacker to bypass many of the intended checks
+(see https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/).
+Therefore, besides SecureASTCustomizer, runtime checks are also necessary before calling Groovy methods
+(see https://melix.github.io/blog/2015/03/sandboxing.html).
+
+It is also possible to use a block-list method, excluding unwanted classes from being loaded by the JVM. 
+This method is not always recommended, because block-lists can be bypassed by unexpected values.
+
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example uses untrusted data to evaluate a Groovy script.
+</p>
+<sample src="GroovyInjectionBad.java" />
+
+<p>
+The following example uses classloader block-list approach to exclude loading dangerous classes.
+</p>
+<sample src="GroovyInjectionBlocklist.java" />
+
+</example>
+
+<references>
+<li>
+  Orange Tsai:
+  <a href="https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html">Abusing Meta Programming for Unauthenticated RCE!</a>.
+</li>
+<li>
+  Cédric Champeau:
+  <a href="https://melix.github.io/blog/2015/03/sandboxing.html">Improved sandboxing of Groovy scripts</a>.
+</li>
+<li>
+  Kohsuke Kawaguchi:
+  <a href="https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/">Groovy SecureASTCustomizer is harmful</a>.
+</li>
+<li>
+  Welk1n:
+  <a href="https://github.com/welk1n/exploiting-groovy-in-Java/">Groovy Injection payloads</a>.
+</li>
+<li>
+  Charles Chan:
+  <a href="https://levelup.gitconnected.com/secure-groovy-script-execution-in-a-sandbox-ea39f80ee87/">Secure Groovy Script Execution in a Sandbox</a>.
+</li>
+<li>
+  Eugene:
+  <a href="https://stringconcat.com/en/scripting-and-sandboxing/">Scripting and sandboxing in a JVM environment</a>.
+</li>
+</references>
+
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjection.ql
new file mode 100644
index 00000000000..0622c9cd7e3
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjection.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Groovy Language injection
+ * @description Evaluation of a user-controlled Groovy script
+ *              may lead to arbitrary code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/groovy-injection
+ * @tags security
+ *       external/cwe/cwe-094
+ */
+
+import java
+import DataFlow::PathGraph
+import GroovyInjectionLib
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, GroovyInjectionConfig conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Groovy Injection from $@.", source.getNode(),
+  "this user input"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjectionBad.java b/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjectionBad.java
new file mode 100644
index 00000000000..8afe77d2a39
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjectionBad.java
@@ -0,0 +1,27 @@
+public class GroovyInjection {
+    void injectionViaClassLoader(HttpServletRequest request) {    
+        String script = request.getParameter("script");
+        final GroovyClassLoader classLoader = new GroovyClassLoader();
+        Class groovy = classLoader.parseClass(script);
+        GroovyObject groovyObj = (GroovyObject) groovy.newInstance();
+    }
+
+    void injectionViaEval(HttpServletRequest request) {
+        String script = request.getParameter("script");
+        Eval.me(script);
+    }
+
+    void injectionViaGroovyShell(HttpServletRequest request) {
+        GroovyShell shell = new GroovyShell();
+        String script = request.getParameter("script");
+        shell.evaluate(script);
+    }
+
+    void injectionViaGroovyShellGroovyCodeSource(HttpServletRequest request) {
+        GroovyShell shell = new GroovyShell();
+        String script = request.getParameter("script");
+        GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
+        shell.evaluate(gcs);
+    }
+}
+
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjectionBlocklist.java b/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjectionBlocklist.java
new file mode 100644
index 00000000000..61159a3137f
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjectionBlocklist.java
@@ -0,0 +1,17 @@
+public class SandboxGroovyClassLoader extends ClassLoader {
+    public SandboxGroovyClassLoader(ClassLoader parent) {
+        super(parent);
+    }
+
+    /* override `loadClass` here to prevent loading sensitive classes, such as `java.lang.Runtime`, `java.lang.ProcessBuilder`, `java.lang.System`, etc.  */
+    /* Note we must also block `groovy.transform.ASTTest`, `groovy.lang.GrabConfig` and `org.buildobjects.process.ProcBuilder` to prevent compile-time RCE. */
+
+    static void runWithSandboxGroovyClassLoader() throws Exception {
+        // GOOD: route all class-loading via sand-boxing classloader.
+        SandboxGroovyClassLoader classLoader = new GroovyClassLoader(new SandboxGroovyClassLoader());
+        
+        Class<?> scriptClass = classLoader.parseClass(untrusted.getQueryString());
+        Object scriptInstance = scriptClass.newInstance();
+        Object result = scriptClass.getDeclaredMethod("bar", new Class[]{}).invoke(scriptInstance, new Object[]{});
+    }
+}
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjectionLib.qll
new file mode 100644
index 00000000000..b6bdcc228c7
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjectionLib.qll
@@ -0,0 +1,162 @@
+/**
+ * Provides classes and predicates for Groovy Code Injection
+ * taint-tracking configuration.
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+
+/** A data flow sink for Groovy expression injection vulnerabilities. */
+abstract private class GroovyInjectionSink extends DataFlow::ExprNode { }
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to evaluate a Groovy expression.
+ */
+class GroovyInjectionConfig extends TaintTracking::Configuration {
+  GroovyInjectionConfig() { this = "GroovyInjectionConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof GroovyInjectionSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
+    groovyCodeSourceTaintStep(fromNode, toNode)
+  }
+}
+
+/** The class `groovy.lang.GroovyShell`. */
+private class TypeGroovyShell extends RefType {
+  TypeGroovyShell() { this.hasQualifiedName("groovy.lang", "GroovyShell") }
+}
+
+/** The class `groovy.lang.GroovyCodeSource`. */
+private class TypeGroovyCodeSource extends RefType {
+  TypeGroovyCodeSource() { this.hasQualifiedName("groovy.lang", "GroovyCodeSource") }
+}
+
+/**
+ * Methods in the `GroovyShell` class that evaluate a Groovy expression.
+ */
+private class GroovyShellMethod extends Method {
+  GroovyShellMethod() {
+    this.getDeclaringType() instanceof TypeGroovyShell and
+    this.getName() in ["evaluate", "parse", "run"]
+  }
+}
+
+private class GroovyShellMethodAccess extends MethodAccess {
+  GroovyShellMethodAccess() { this.getMethod() instanceof GroovyShellMethod }
+}
+
+/**
+ * Holds if `fromNode` to `toNode` is a dataflow step from a tainted string to
+ * a `GroovyCodeSource` instance, i.e. `new GroovyCodeSource(tainted, ...)`.
+ */
+private predicate groovyCodeSourceTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
+  exists(ConstructorCall gcscc |
+    gcscc.getConstructedType() instanceof TypeGroovyCodeSource and
+    gcscc = toNode.asExpr() and
+    gcscc.getArgument(0) = fromNode.asExpr()
+  )
+}
+
+/**
+ * A sink for Groovy Injection via the `GroovyShell` class.
+ *
+ * ```
+ * GroovyShell gs = new GroovyShell();
+ * gs.evaluate(sink, ....)
+ * gs.run(sink, ....)
+ * gs.parse(sink,...)
+ * ```
+ */
+private class GroovyShellSink extends GroovyInjectionSink {
+  GroovyShellSink() {
+    exists(GroovyShellMethodAccess ma, Argument firstArg |
+      ma.getArgument(0) = firstArg and
+      firstArg = this.asExpr() and
+      (
+        firstArg.getType() instanceof TypeString or
+        firstArg.getType() instanceof TypeGroovyCodeSource
+      )
+    )
+  }
+}
+
+/** The class `groovy.util.Eval`. */
+private class TypeEval extends RefType {
+  TypeEval() { this.hasQualifiedName("groovy.util", "Eval") }
+}
+
+/**
+ * Methods in the `Eval` class that evaluate a Groovy expression.
+ */
+private class EvalMethod extends Method {
+  EvalMethod() {
+    this.getDeclaringType() instanceof TypeEval and
+    this.getName() in ["me", "x", "xy", "xyz"]
+  }
+}
+
+private class EvalMethodAccess extends MethodAccess {
+  EvalMethodAccess() { this.getMethod() instanceof EvalMethod }
+
+  Expr getArgumentExpr() {
+    result = this.getArgument(this.getNumArgument() - 1)
+  }
+}
+
+/**
+ * A sink for Groovy Injection via the `Eval` class.
+ *
+ * ```
+ * Eval.me(sink)
+ * Eval.me("p1", "p2", sink)
+ * Eval.x("p1", sink)
+ * Eval.xy("p1", "p2" sink)
+ * Eval.xyz("p1", "p2", "p3", sink)
+ * ```
+ */
+private class EvalSink extends GroovyInjectionSink {
+  EvalSink() { exists(EvalMethodAccess ma | ma.getArgumentExpr() = this.asExpr()) }
+}
+
+/** The class `groovy.lang.GroovyClassLoader`. */
+private class TypeGroovyClassLoader extends RefType {
+  TypeGroovyClassLoader() { this.hasQualifiedName("groovy.lang", "GroovyClassLoader") }
+}
+
+/**
+ * A method in the `GroovyClassLoader` class that evaluates a Groovy expression.
+ */
+private class GroovyClassLoaderParseClassMethod extends Method {
+  GroovyClassLoaderParseClassMethod() {
+    this.getDeclaringType() instanceof TypeGroovyClassLoader and
+    this.hasName("parseClass")
+  }
+}
+
+private class GroovyClassLoaderParseClassMethodAccess extends MethodAccess {
+  GroovyClassLoaderParseClassMethodAccess() {
+    this.getMethod() instanceof GroovyClassLoaderParseClassMethod
+  }
+}
+
+/**
+ * A sink for Groovy Injection via the `GroovyClassLoader` class.
+ *
+ * ```
+ * GroovyClassLoader classLoader = new GroovyClassLoader();
+ * Class groovy = classLoader.parseClass(script);
+ * ```
+ *
+ * Groovy supports compile-time metaprogramming, so just calling the `parseClass`
+ * method is enough to achieve RCE.
+ */
+private class GroovyClassLoadParseClassSink extends GroovyInjectionSink {
+  GroovyClassLoadParseClassSink() {
+    exists(GroovyClassLoaderParseClassMethodAccess ma | ma.getArgument(0) = this.asExpr())
+  }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/GroovyClassLoaderTest.java b/java/ql/test/experimental/query-tests/security/CWE-094/GroovyClassLoaderTest.java
new file mode 100644
index 00000000000..6e3ccab34fd
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/GroovyClassLoaderTest.java
@@ -0,0 +1,39 @@
+import groovy.lang.GroovyClassLoader;
+import groovy.lang.GroovyCodeSource;
+import groovy.lang.GroovyObject;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class GroovyClassLoaderTest extends HttpServlet {
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+            String script = request.getParameter("script");
+            final GroovyClassLoader classLoader = new GroovyClassLoader();
+            Class groovy = classLoader.parseClass(script);
+            GroovyObject groovyObj = (GroovyObject) groovy.newInstance();
+
+        } catch (Exception e) {
+            // Ignore
+        }
+    }
+
+    protected void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+            String script = request.getParameter("script");
+            final GroovyClassLoader classLoader = new GroovyClassLoader();
+            GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
+            Class groovy = classLoader.parseClass(gcs);
+            GroovyObject groovyObj = (GroovyObject) groovy.newInstance();
+        } catch (Exception e) {
+            // Ignore
+        }
+    }
+}
+
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/GroovyEvalTest.java b/java/ql/test/experimental/query-tests/security/CWE-094/GroovyEvalTest.java
new file mode 100644
index 00000000000..ff76af2d3fd
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/GroovyEvalTest.java
@@ -0,0 +1,41 @@
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import groovy.util.Eval;
+
+public class GroovyEvalTest extends HttpServlet {
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        String script = request.getParameter("script");
+        Eval.me(script);
+    }
+
+    protected void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        String script = request.getParameter("script");
+        Eval.me("test", "result", script);
+    }
+
+    protected void doPut(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        String script = request.getParameter("script");
+        Eval.x("result2", script);
+
+    }
+
+    protected void doDelete(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        String script = request.getParameter("script");
+        Eval.xy("result3", "result4", script);
+    }
+
+    protected void doPatch(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        String script = request.getParameter("script");
+        Eval.xyz("result3", "result4", "aaa", script);
+    }
+}
+
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/GroovyInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/GroovyInjection.expected
new file mode 100644
index 00000000000..12593ae32c5
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/GroovyInjection.expected
@@ -0,0 +1,73 @@
+edges
+| ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:22:29:22:51 | expression : String | ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:23:31:23:40 | expression |
+| ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:30:44:30:66 | expression : String | ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:31:27:31:36 | expression |
+| GroovyClassLoaderTest.java:16:29:16:58 | getParameter(...) : String | GroovyClassLoaderTest.java:18:51:18:56 | script |
+| GroovyClassLoaderTest.java:29:29:29:58 | getParameter(...) : String | GroovyClassLoaderTest.java:32:51:32:53 | gcs |
+| GroovyEvalTest.java:12:25:12:54 | getParameter(...) : String | GroovyEvalTest.java:13:17:13:22 | script |
+| GroovyEvalTest.java:12:25:12:54 | getParameter(...) : String | GroovyEvalTest.java:13:17:13:22 | script : String |
+| GroovyEvalTest.java:13:17:13:22 | script : String | ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:22:29:22:51 | expression : String |
+| GroovyEvalTest.java:18:25:18:54 | getParameter(...) : String | GroovyEvalTest.java:19:35:19:40 | script |
+| GroovyEvalTest.java:24:25:24:54 | getParameter(...) : String | GroovyEvalTest.java:25:27:25:32 | script |
+| GroovyEvalTest.java:24:25:24:54 | getParameter(...) : String | GroovyEvalTest.java:25:27:25:32 | script : String |
+| GroovyEvalTest.java:25:27:25:32 | script : String | ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:30:44:30:66 | expression : String |
+| GroovyEvalTest.java:31:25:31:54 | getParameter(...) : String | GroovyEvalTest.java:32:39:32:44 | script |
+| GroovyEvalTest.java:37:25:37:54 | getParameter(...) : String | GroovyEvalTest.java:38:47:38:52 | script |
+| GroovyShellTest.java:15:25:15:54 | getParameter(...) : String | GroovyShellTest.java:16:24:16:29 | script |
+| GroovyShellTest.java:22:25:22:54 | getParameter(...) : String | GroovyShellTest.java:23:24:23:29 | script |
+| GroovyShellTest.java:29:25:29:54 | getParameter(...) : String | GroovyShellTest.java:30:24:30:29 | script |
+| GroovyShellTest.java:36:25:36:54 | getParameter(...) : String | GroovyShellTest.java:37:19:37:24 | script |
+| GroovyShellTest.java:43:25:43:54 | getParameter(...) : String | GroovyShellTest.java:45:19:45:21 | gcs |
+| GroovyShellTest.java:51:25:51:54 | getParameter(...) : String | GroovyShellTest.java:53:24:53:26 | gcs |
+| GroovyShellTest.java:59:25:59:54 | getParameter(...) : String | GroovyShellTest.java:60:21:60:26 | script |
+nodes
+| ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:22:29:22:51 | expression : String | semmle.label | expression : String |
+| ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:23:31:23:40 | expression | semmle.label | expression |
+| ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:30:44:30:66 | expression : String | semmle.label | expression : String |
+| ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:31:27:31:36 | expression | semmle.label | expression |
+| GroovyClassLoaderTest.java:16:29:16:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyClassLoaderTest.java:18:51:18:56 | script | semmle.label | script |
+| GroovyClassLoaderTest.java:29:29:29:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyClassLoaderTest.java:32:51:32:53 | gcs | semmle.label | gcs |
+| GroovyEvalTest.java:12:25:12:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyEvalTest.java:13:17:13:22 | script | semmle.label | script |
+| GroovyEvalTest.java:13:17:13:22 | script : String | semmle.label | script : String |
+| GroovyEvalTest.java:18:25:18:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyEvalTest.java:19:35:19:40 | script | semmle.label | script |
+| GroovyEvalTest.java:24:25:24:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyEvalTest.java:25:27:25:32 | script | semmle.label | script |
+| GroovyEvalTest.java:25:27:25:32 | script : String | semmle.label | script : String |
+| GroovyEvalTest.java:31:25:31:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyEvalTest.java:32:39:32:44 | script | semmle.label | script |
+| GroovyEvalTest.java:37:25:37:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyEvalTest.java:38:47:38:52 | script | semmle.label | script |
+| GroovyShellTest.java:15:25:15:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:16:24:16:29 | script | semmle.label | script |
+| GroovyShellTest.java:22:25:22:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:23:24:23:29 | script | semmle.label | script |
+| GroovyShellTest.java:29:25:29:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:30:24:30:29 | script | semmle.label | script |
+| GroovyShellTest.java:36:25:36:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:37:19:37:24 | script | semmle.label | script |
+| GroovyShellTest.java:43:25:43:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:45:19:45:21 | gcs | semmle.label | gcs |
+| GroovyShellTest.java:51:25:51:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:53:24:53:26 | gcs | semmle.label | gcs |
+| GroovyShellTest.java:59:25:59:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| GroovyShellTest.java:60:21:60:26 | script | semmle.label | script |
+#select
+| ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:23:31:23:40 | expression | GroovyEvalTest.java:12:25:12:54 | getParameter(...) : String | ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:23:31:23:40 | expression | Groovy Injection from $@. | GroovyEvalTest.java:12:25:12:54 | getParameter(...) | this user input |
+| ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:31:27:31:36 | expression | GroovyEvalTest.java:24:25:24:54 | getParameter(...) : String | ../../../stubs/groovy-all-3.0.7/groovy/util/Eval.java:31:27:31:36 | expression | Groovy Injection from $@. | GroovyEvalTest.java:24:25:24:54 | getParameter(...) | this user input |
+| GroovyClassLoaderTest.java:18:51:18:56 | script | GroovyClassLoaderTest.java:16:29:16:58 | getParameter(...) : String | GroovyClassLoaderTest.java:18:51:18:56 | script | Groovy Injection from $@. | GroovyClassLoaderTest.java:16:29:16:58 | getParameter(...) | this user input |
+| GroovyClassLoaderTest.java:32:51:32:53 | gcs | GroovyClassLoaderTest.java:29:29:29:58 | getParameter(...) : String | GroovyClassLoaderTest.java:32:51:32:53 | gcs | Groovy Injection from $@. | GroovyClassLoaderTest.java:29:29:29:58 | getParameter(...) | this user input |
+| GroovyEvalTest.java:13:17:13:22 | script | GroovyEvalTest.java:12:25:12:54 | getParameter(...) : String | GroovyEvalTest.java:13:17:13:22 | script | Groovy Injection from $@. | GroovyEvalTest.java:12:25:12:54 | getParameter(...) | this user input |
+| GroovyEvalTest.java:19:35:19:40 | script | GroovyEvalTest.java:18:25:18:54 | getParameter(...) : String | GroovyEvalTest.java:19:35:19:40 | script | Groovy Injection from $@. | GroovyEvalTest.java:18:25:18:54 | getParameter(...) | this user input |
+| GroovyEvalTest.java:25:27:25:32 | script | GroovyEvalTest.java:24:25:24:54 | getParameter(...) : String | GroovyEvalTest.java:25:27:25:32 | script | Groovy Injection from $@. | GroovyEvalTest.java:24:25:24:54 | getParameter(...) | this user input |
+| GroovyEvalTest.java:32:39:32:44 | script | GroovyEvalTest.java:31:25:31:54 | getParameter(...) : String | GroovyEvalTest.java:32:39:32:44 | script | Groovy Injection from $@. | GroovyEvalTest.java:31:25:31:54 | getParameter(...) | this user input |
+| GroovyEvalTest.java:38:47:38:52 | script | GroovyEvalTest.java:37:25:37:54 | getParameter(...) : String | GroovyEvalTest.java:38:47:38:52 | script | Groovy Injection from $@. | GroovyEvalTest.java:37:25:37:54 | getParameter(...) | this user input |
+| GroovyShellTest.java:16:24:16:29 | script | GroovyShellTest.java:15:25:15:54 | getParameter(...) : String | GroovyShellTest.java:16:24:16:29 | script | Groovy Injection from $@. | GroovyShellTest.java:15:25:15:54 | getParameter(...) | this user input |
+| GroovyShellTest.java:23:24:23:29 | script | GroovyShellTest.java:22:25:22:54 | getParameter(...) : String | GroovyShellTest.java:23:24:23:29 | script | Groovy Injection from $@. | GroovyShellTest.java:22:25:22:54 | getParameter(...) | this user input |
+| GroovyShellTest.java:30:24:30:29 | script | GroovyShellTest.java:29:25:29:54 | getParameter(...) : String | GroovyShellTest.java:30:24:30:29 | script | Groovy Injection from $@. | GroovyShellTest.java:29:25:29:54 | getParameter(...) | this user input |
+| GroovyShellTest.java:37:19:37:24 | script | GroovyShellTest.java:36:25:36:54 | getParameter(...) : String | GroovyShellTest.java:37:19:37:24 | script | Groovy Injection from $@. | GroovyShellTest.java:36:25:36:54 | getParameter(...) | this user input |
+| GroovyShellTest.java:45:19:45:21 | gcs | GroovyShellTest.java:43:25:43:54 | getParameter(...) : String | GroovyShellTest.java:45:19:45:21 | gcs | Groovy Injection from $@. | GroovyShellTest.java:43:25:43:54 | getParameter(...) | this user input |
+| GroovyShellTest.java:53:24:53:26 | gcs | GroovyShellTest.java:51:25:51:54 | getParameter(...) : String | GroovyShellTest.java:53:24:53:26 | gcs | Groovy Injection from $@. | GroovyShellTest.java:51:25:51:54 | getParameter(...) | this user input |
+| GroovyShellTest.java:60:21:60:26 | script | GroovyShellTest.java:59:25:59:54 | getParameter(...) : String | GroovyShellTest.java:60:21:60:26 | script | Groovy Injection from $@. | GroovyShellTest.java:59:25:59:54 | getParameter(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/GroovyInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-094/GroovyInjection.qlref
new file mode 100644
index 00000000000..0ec7e1bc543
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/GroovyInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-094/GroovyInjection.ql
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/GroovyShellTest.java b/java/ql/test/experimental/query-tests/security/CWE-094/GroovyShellTest.java
new file mode 100644
index 00000000000..541aaf40250
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/GroovyShellTest.java
@@ -0,0 +1,63 @@
+import groovy.lang.GroovyCodeSource;
+import groovy.lang.GroovyShell;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class GroovyShellTest extends HttpServlet {
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        GroovyShell shell = new GroovyShell();
+        String script = request.getParameter("script");
+        shell.evaluate(script);
+    }
+
+    protected void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        GroovyShell shell = new GroovyShell();
+        String script = request.getParameter("script");
+        shell.evaluate(script, "test");
+    }
+
+    protected void doPut(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        GroovyShell shell = new GroovyShell();
+        String script = request.getParameter("script");
+        shell.evaluate(script, "test", "test2");
+    }
+
+    protected void doOptions(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        GroovyShell shell = new GroovyShell();
+        String script = request.getParameter("script");
+        shell.run(script, "_", new String[]{});
+    }
+
+    protected void doHead(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        GroovyShell shell = new GroovyShell();
+        String script = request.getParameter("script");
+        GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
+        shell.run(gcs, new String[]{});
+    }
+
+    protected void doDelete(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        GroovyShell shell = new GroovyShell();
+        String script = request.getParameter("script");
+        GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
+        shell.evaluate(gcs);
+    }
+
+    protected void doPatch(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        GroovyShell shell = new GroovyShell();
+        String script = request.getParameter("script");
+        shell.parse(script);
+    }
+}
+
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/options b/java/ql/test/experimental/query-tests/security/CWE-094/options
index ec3354ea41c..18e3518fc97 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/options
@@ -1 +1,2 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2
\ No newline at end of file
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4
+
diff --git a/java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/lang/GroovyClassLoader.java b/java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/lang/GroovyClassLoader.java
new file mode 100644
index 00000000000..aed97667742
--- /dev/null
+++ b/java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/lang/GroovyClassLoader.java
@@ -0,0 +1,32 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ */
+package groovy.lang;
+
+public class GroovyClassLoader {
+    public GroovyClassLoader() {
+    }
+
+    public Class parseClass(String text) {
+        return null;
+    }
+
+    public Class parseClass(GroovyCodeSource gcs) {
+        return null;
+    }
+}
diff --git a/java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/lang/GroovyCodeSource.java b/java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/lang/GroovyCodeSource.java
new file mode 100644
index 00000000000..901043e5046
--- /dev/null
+++ b/java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/lang/GroovyCodeSource.java
@@ -0,0 +1,23 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ */
+package groovy.lang;
+
+public class GroovyCodeSource {
+    public GroovyCodeSource(String script, String param1, String param2) {}
+}
diff --git a/java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/lang/GroovyObject.java b/java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/lang/GroovyObject.java
new file mode 100644
index 00000000000..1302502a091
--- /dev/null
+++ b/java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/lang/GroovyObject.java
@@ -0,0 +1,21 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ */
+package groovy.lang;
+
+public interface GroovyObject {}
diff --git a/java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/lang/GroovyShell.java b/java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/lang/GroovyShell.java
new file mode 100644
index 00000000000..13df0777e03
--- /dev/null
+++ b/java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/lang/GroovyShell.java
@@ -0,0 +1,66 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ */
+package groovy.lang;
+
+import java.util.*;
+
+public class GroovyShell {
+
+    public GroovyShell() {}
+
+    public Object evaluate(GroovyCodeSource codeSource) {
+        return null;
+    }
+
+    public Object evaluate(String scriptText) {
+        return null;
+    }
+
+    public Object evaluate(String scriptText, String fileName) {
+        return null;
+    }
+
+    public Object evaluate(String scriptText, final String fileName, final String codeBase) {
+        return null;
+    }
+
+    public Object run(String scriptText, String fileName, List<String> list) {
+        return null;
+    }
+
+    public Object run(String scriptText, String fileName, String[] args) {
+        return null;
+    }
+
+    public Object run(GroovyCodeSource source, List<String> args) {
+        return null;
+    }
+
+    public Object run(GroovyCodeSource source, String[] args) {
+        return null;
+    }
+
+    public Script parse(String scriptText) {
+        return null;
+    }
+
+    public Script parse(final String scriptText, final String fileName) {
+        return null;
+    }
+}
diff --git a/java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/lang/Script.java b/java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/lang/Script.java
new file mode 100644
index 00000000000..4a49fc4f904
--- /dev/null
+++ b/java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/lang/Script.java
@@ -0,0 +1,22 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ */
+package groovy.lang;
+
+public abstract class Script {
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/util/Eval.java b/java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/util/Eval.java
new file mode 100644
index 00000000000..857ec361e1a
--- /dev/null
+++ b/java/ql/test/experimental/stubs/groovy-all-3.0.7/groovy/util/Eval.java
@@ -0,0 +1,41 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ */
+package groovy.util;
+
+public class Eval {
+    public static Object me(final String expression) {
+        return me(null, null, expression);
+    }
+
+    public static Object me(final String symbol, final Object object, final String expression) {
+        return null;
+    }
+
+    public static Object x(final Object x, final String expression) {
+        return me("x", x, expression);
+    }
+
+    public static Object xy(final Object x, final Object y, final String expression) {
+        return null;
+    }
+
+    public static Object xyz(final Object x, final Object y, final Object z, final String expression) {
+        return null;
+    }
+}

From bb58a505038d4134b1c13e389f0b483ec65a417f Mon Sep 17 00:00:00 2001
From: Hayk Andriasyan <77549590+p0wn4j@users.noreply.github.com>
Date: Tue, 20 Apr 2021 15:41:58 +0400
Subject: [PATCH 0488/1429] Update GroovyInjection.qhelp

---
 .../src/experimental/Security/CWE/CWE-094/GroovyInjection.qhelp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjection.qhelp
index 2329a6b08f5..8f1f715482c 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjection.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjection.qhelp
@@ -29,7 +29,7 @@ The fundamental problem is that Groovy is a dynamic language, yet SecureASTCusto
 
 This makes it very easy for an attacker to bypass many of the intended checks
 (see https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/).
-Therefore, besides SecureASTCustomizer, runtime checks are also necessary before calling Groovy methods
+Therefore, besides <code>SecureASTCustomizer</code>, runtime checks are also necessary before calling Groovy methods
 (see https://melix.github.io/blog/2015/03/sandboxing.html).
 
 It is also possible to use a block-list method, excluding unwanted classes from being loaded by the JVM. 

From 0ec3ee29e4dc75a8b2252c30be40e77bb672b9df Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Tue, 20 Apr 2021 12:44:49 +0100
Subject: [PATCH 0489/1429] Style last use of `SecureASTCustomizer`

---
 .../src/experimental/Security/CWE/CWE-094/GroovyInjection.qhelp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjection.qhelp
index 8f1f715482c..9bf84f710dc 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjection.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjection.qhelp
@@ -25,7 +25,7 @@ a Groovy script (see the article "Abusing Meta Programming for Unauthenticated R
 
 Groovy's <code>SecureASTCustomizer</code> allows securing source code by controlling what code constructs are permitted. 
 This is typically done when using Groovy for its scripting or domain specific language (DSL) features.
-The fundamental problem is that Groovy is a dynamic language, yet SecureASTCustomizer works by looking at Groovy AST statically.
+The fundamental problem is that Groovy is a dynamic language, yet <code>SecureASTCustomizer</code> works by looking at Groovy AST statically.
 
 This makes it very easy for an attacker to bypass many of the intended checks
 (see https://kohsuke.org/2012/04/27/groovy-secureastcustomizer-is-harmful/).

From 581f4ed757eeebd1de472e30be9e03e87904b837 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Tue, 20 Apr 2021 12:12:20 +0100
Subject: [PATCH 0490/1429] JS: Generalize handling of route handler wrapper
 functions

---
 .../semmle/javascript/dataflow/DataFlow.qll   | 71 ++++++++++++++++++-
 .../semmle/javascript/frameworks/Express.qll  |  8 ++-
 .../src/semmle/javascript/frameworks/HTTP.qll | 56 +--------------
 .../CWE-770/MissingRateLimiting.expected      |  3 +
 .../test/query-tests/Security/CWE-770/tst.js  |  6 ++
 5 files changed, 88 insertions(+), 56 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
index 7e43df8382b..a7256b351fb 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -1685,6 +1685,18 @@ module DataFlow {
 
   predicate localTaintStep = TaintTracking::localTaintStep/2;
 
+  private predicate forwardsParameter(
+    DataFlow::FunctionNode function, int i, DataFlow::CallNode call
+  ) {
+    exists(DataFlow::ParameterNode parameter | parameter = function.getParameter(i) |
+      not parameter.isRestParameter() and
+      parameter.flowsTo(call.getArgument(i))
+      or
+      parameter.isRestParameter() and
+      parameter.flowsTo(call.asExpr().(CallExpr).getArgument(i).(SpreadElement).getOperand().flow())
+    )
+  }
+
   /**
    * Holds if the function in `succ` forwards all its arguments to a call to `pred` and returns
    * its result. This can thus be seen as a step `pred -> succ` used for tracking function values
@@ -1722,7 +1734,7 @@ module DataFlow {
     exists(DataFlow::FunctionNode function, DataFlow::CallNode call |
       call.flowsTo(function.getReturnNode()) and
       forall(int i | exists([call.getArgument(i), function.getParameter(i)]) |
-        function.getParameter(i).flowsTo(call.getArgument(i))
+        forwardsParameter(function, i, call)
       ) and
       pred = call.getCalleeNode() and
       succ = function
@@ -1739,4 +1751,61 @@ module DataFlow {
       functionForwardingStep(paramUse, wrapperFunction.getReturnNode().getALocalSource())
     )
   }
+
+  /**
+   * Holds if the function in `succ` forwards all its arguments to a call to `pred`.
+   * This can thus be seen as a step `pred -> succ` used for tracking function values
+   * through "wrapper functions", since the `succ` function partially replicates behavior of `pred`.
+   *
+   * This is similar to `functionForwardingStep` except the innermost forwarding call does not
+   * need flow to the return value; this can be useful for tracking callback-style functions
+   * where the result tends to be unused.
+   *
+   * Examples:
+   * ```js
+   * function f(x, callback) {
+   *   g(x, callback); // step: g -> f
+   * }
+   *
+   * function doExec(x, callback) {
+   *   console.log(x);
+   *   exec(x, callback); // step: exec -> doExec
+   * }
+   *
+   * function doEither(x, y) {
+   *   if (x > y) {
+   *     return foo(x, y); // step: foo -> doEither
+   *   } else {
+   *     return bar(x, y); // step: bar -> doEither
+   *   }
+   * }
+   *
+   * function wrapWithLogging(f) {
+   *   return (x) => {
+   *     console.log(x);
+   *     return f(x); // step: f -> anonymous function
+   *   }
+   * }
+   * wrapWithLogging(g); // step: g -> wrapWithLogging(g)
+   * ```
+   */
+  predicate functionOneWayForwardingStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::FunctionNode function, DataFlow::CallNode call |
+      call.getContainer() = function.getFunction() and
+      forall(int i | exists(function.getParameter(i)) | forwardsParameter(function, i, call)) and
+      pred = call.getCalleeNode() and
+      succ = function
+    )
+    or
+    // Given a generic wrapper function like,
+    //
+    //   function wrap(f) { return (x, y) => f(x, y) };
+    //
+    // add steps through calls to that function: `g -> wrap(g)`
+    exists(DataFlow::FunctionNode wrapperFunction, SourceNode param, Node paramUse |
+      FlowSteps::argumentPassing(succ, pred, wrapperFunction.getFunction(), param) and
+      param.flowsTo(paramUse) and
+      functionOneWayForwardingStep(paramUse, wrapperFunction.getReturnNode().getALocalSource())
+    )
+  }
 }
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Express.qll b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
index 17bfed8afda..0a618c7f125 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Express.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
@@ -224,7 +224,13 @@ module Express {
     /**
      * Gets the function body of this handler, if it is defined locally.
      */
-    RouteHandler getBody() { result.(DataFlow::SourceNode).flowsToExpr(this) }
+    RouteHandler getBody() {
+      exists(DataFlow::SourceNode source | source = flow().getALocalSource() |
+        result = source
+        or
+        DataFlow::functionOneWayForwardingStep(result.(DataFlow::SourceNode).getALocalUse(), source)
+      )
+    }
 
     /**
      * Holds if this is not followed by more handlers.
diff --git a/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll b/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll
index 435ea94fd72..9475c32eeab 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll
@@ -235,64 +235,12 @@ module HTTP {
     ResponseExpr getAResponseExpr() { result.getRouteHandler() = this }
   }
 
-  /**
-   * Holds if `call` decorates the function `pred`.
-   * This means that `call` returns a function that forwards its arguments to `pred`.
-   * Only holds when the decorator looks like it is decorating a route-handler.
-   *
-   * Below is a code example relating `call`, `decoratee`, `outer`, `inner`.
-   * ```
-   * function outer(method) {
-   *    return function inner(req, res) {
-   *      return method.call(this, req, res);
-   *    };
-   *  }
-   *  var route = outer(function decoratee(req, res) { // <- call
-   *    res.end("foo");
-   *  });
-   * ```
-   */
-  private predicate isDecoratedCall(DataFlow::CallNode call, DataFlow::FunctionNode decoratee) {
-    // indirect route-handler `result` is given to function `outer`, which returns function `inner` which calls the function `pred`.
-    exists(int i, DataFlow::FunctionNode outer, HTTP::RouteHandlerCandidate inner |
-      inner = outer.getAReturn().getALocalSource() and
-      decoratee = call.getArgument(i).getALocalSource() and
-      outer.getFunction() = call.getACallee() and
-      hasForwardingHandlerParameter(i, outer, inner)
-    )
-  }
-
-  /**
-   * Holds if the `i`th parameter of `outer` has a call that `inner` forwards its parameters to.
-   */
-  private predicate hasForwardingHandlerParameter(
-    int i, DataFlow::FunctionNode outer, HTTP::RouteHandlerCandidate inner
-  ) {
-    isAForwardingRouteHandlerCall(outer.getParameter(i), inner)
-  }
-
-  /**
-   * Holds if `f` looks like a route-handler and a call to `callee` inside `f` forwards all of the parameters from `f` to that call.
-   */
-  private predicate isAForwardingRouteHandlerCall(
-    DataFlow::SourceNode callee, HTTP::RouteHandlerCandidate f
-  ) {
-    exists(DataFlow::CallNode call | call = callee.getACall() |
-      forall(int arg | arg = [0 .. f.getNumParameter() - 1] |
-        f.getParameter(arg).flowsTo(call.getArgument(arg))
-      ) and
-      call.getContainer() = f.getFunction()
-    )
-  }
-
   /**
    * Holds if there exists a step from `pred` to `succ` for a RouteHandler - beyond the usual steps defined by TypeTracking.
    */
   predicate routeHandlerStep(DataFlow::SourceNode pred, DataFlow::SourceNode succ) {
-    isDecoratedCall(succ, pred)
-    or
     // A forwarding call
-    isAForwardingRouteHandlerCall(pred, succ)
+    DataFlow::functionOneWayForwardingStep(pred.getALocalUse(), succ)
     or
     // a container containing route-handlers.
     exists(HTTP::RouteHandlerCandidateContainer container | pred = container.getRouteHandler(succ))
@@ -687,7 +635,7 @@ module HTTP {
     DataFlow::SourceNode getAPossiblyDecoratedHandler(RouteHandlerCandidate candidate) {
       result = candidate
       or
-      isDecoratedCall(result, candidate)
+      DataFlow::functionOneWayForwardingStep(candidate, result)
     }
 
     private string mapValueProp() {
diff --git a/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimiting.expected b/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimiting.expected
index 560be8bbb86..49f77eeb7ab 100644
--- a/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimiting.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimiting.expected
@@ -7,3 +7,6 @@
 | tst.js:37:20:37:36 | expensiveHandler3 | This route handler performs $@, but is not rate-limited. | tst.js:16:40:16:70 | child_p ... /true") | a system command |
 | tst.js:38:20:38:36 | expensiveHandler4 | This route handler performs $@, but is not rate-limited. | tst.js:17:40:17:83 | connect ... ution') | a database access |
 | tst.js:64:25:64:63 | functio ... req); } | This route handler performs $@, but is not rate-limited. | tst.js:64:46:64:60 | verifyUser(req) | authorization |
+| tst.js:76:25:76:53 | catchAs ... ndler1) | This route handler performs $@, but is not rate-limited. | tst.js:14:40:14:46 | login() | authorization |
+| tst.js:78:60:78:76 | expensiveHandler1 | This route handler performs $@, but is not rate-limited. | tst.js:14:40:14:46 | login() | authorization |
+| tst.js:79:60:79:88 | catchAs ... ndler1) | This route handler performs $@, but is not rate-limited. | tst.js:14:40:14:46 | login() | authorization |
diff --git a/javascript/ql/test/query-tests/Security/CWE-770/tst.js b/javascript/ql/test/query-tests/Security/CWE-770/tst.js
index 3d00cf59844..d6d8db6524a 100644
--- a/javascript/ql/test/query-tests/Security/CWE-770/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-770/tst.js
@@ -71,3 +71,9 @@ const rateLimiterMiddleware = (req, res, next) => {
   rateLimiter.consume(req.ip).then(next).catch(res.status(429).send('rate limited'));
 };
 express().get('/:path', rateLimiterMiddleware, expensiveHandler1);
+
+const catchAsync = fn => (...args) => fn(...args).catch(args[2]);
+express().get('/:path', catchAsync(expensiveHandler1)); // NOT OK
+express().get('/:path', rateLimiterMiddleware, catchAsync(expensiveHandler1)); // OK
+express().get('/:path', catchAsync(rateLimiterMiddleware), expensiveHandler1); // OK
+express().get('/:path', catchAsync(rateLimiterMiddleware), catchAsync(expensiveHandler1)); // OK

From 1797b6c7f93f4d2ed672092f59c9e0b02af01cce Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 20 Apr 2021 10:39:26 +0200
Subject: [PATCH 0491/1429] C++: Add FP test from the work on smart pointers in
 dataflow.

---
 .../ReturnStackAllocatedMemory.expected       |  1 +
 .../ReturnStackAllocatedMemory/test.cpp       | 27 +++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected
index 59a9ee1322c..d84bde030cf 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected	
+++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected	
@@ -6,3 +6,4 @@
 | test.cpp:112:2:112:12 | return ... | May return stack-allocated memory from $@. | test.cpp:112:9:112:11 | arr | arr |
 | test.cpp:119:2:119:19 | return ... | May return stack-allocated memory from $@. | test.cpp:119:11:119:13 | arr | arr |
 | test.cpp:171:3:171:24 | return ... | May return stack-allocated memory from $@. | test.cpp:170:35:170:41 | myLocal | myLocal |
+| test.cpp:217:3:217:13 | return ... | May return stack-allocated memory from $@. | test.cpp:216:14:216:17 | port | port |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp
index 03b202817ca..d39b7d1ee28 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp	
+++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp	
@@ -189,3 +189,30 @@ int *&conversionInFlow() {
   int *&pRef = p; // has conversion in the middle of data flow
   return pRef; // BAD [NOT DETECTED]
 }
+
+namespace std {
+	template<typename T>
+	class shared_ptr {
+	public:
+		shared_ptr() noexcept;
+		explicit shared_ptr(T*);
+		shared_ptr(const shared_ptr&) noexcept;
+		template<class U> shared_ptr(const shared_ptr<U>&) noexcept;
+		template<class U> shared_ptr(shared_ptr<U>&&) noexcept;
+
+		shared_ptr<T>& operator=(const shared_ptr<T>&) noexcept;
+		shared_ptr<T>& operator=(shared_ptr<T>&&) noexcept;
+
+		T& operator*() const noexcept;
+		T* operator->() const noexcept;
+
+		T* get() const noexcept;
+	};
+}
+
+auto make_read_port()
+{
+  auto port = std::shared_ptr<int>(new int);
+  auto ptr = port.get();
+  return ptr; // GOOD [FALSE POSITIVE]
+}
\ No newline at end of file

From 93e55e2631f5f661def6a0877c9b463276e11526 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 20 Apr 2021 13:58:12 +0200
Subject: [PATCH 0492/1429] C++: Fix FP in cpp/return-stack-allocated-memory.

---
 .../Memory Management/ReturnStackAllocatedMemory.ql          | 5 +++++
 .../ReturnStackAllocatedMemory.expected                      | 1 -
 .../Memory Management/ReturnStackAllocatedMemory/test.cpp    | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql b/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
index fc06ed0a500..f5dda53d484 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql	
@@ -13,6 +13,7 @@
 
 import cpp
 import semmle.code.cpp.dataflow.EscapesTree
+import semmle.code.cpp.models.interfaces.PointerWrapper
 import semmle.code.cpp.dataflow.DataFlow
 
 /**
@@ -39,6 +40,10 @@ predicate hasNontrivialConversion(Expr e) {
     e instanceof ParenthesisExpr
   )
   or
+  // A smart pointer can be stack-allocated while the data it points to is heap-allocated.
+  // So we exclude such "conversions" from this predicate.
+  e = any(PointerWrapper wrapper).getAnUnwrapperFunction().getACallToThisFunction()
+  or
   hasNontrivialConversion(e.getConversion())
 }
 
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected
index d84bde030cf..59a9ee1322c 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected	
+++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected	
@@ -6,4 +6,3 @@
 | test.cpp:112:2:112:12 | return ... | May return stack-allocated memory from $@. | test.cpp:112:9:112:11 | arr | arr |
 | test.cpp:119:2:119:19 | return ... | May return stack-allocated memory from $@. | test.cpp:119:11:119:13 | arr | arr |
 | test.cpp:171:3:171:24 | return ... | May return stack-allocated memory from $@. | test.cpp:170:35:170:41 | myLocal | myLocal |
-| test.cpp:217:3:217:13 | return ... | May return stack-allocated memory from $@. | test.cpp:216:14:216:17 | port | port |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp
index d39b7d1ee28..1ce2558a34f 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp	
+++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp	
@@ -214,5 +214,5 @@ auto make_read_port()
 {
   auto port = std::shared_ptr<int>(new int);
   auto ptr = port.get();
-  return ptr; // GOOD [FALSE POSITIVE]
+  return ptr; // GOOD
 }
\ No newline at end of file

From f8d428cb2ddef3dc83f331b04d822533b6e44ef3 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Tue, 20 Apr 2021 13:00:42 +0100
Subject: [PATCH 0493/1429] JS: Use function-forwarding steps when tracking
 rate limiters

---
 .../security/dataflow/MissingRateLimiting.qll | 42 ++++++++++++++-----
 .../CWE-770/MissingRateLimiting.expected      |  2 -
 2 files changed, 32 insertions(+), 12 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/MissingRateLimiting.qll b/javascript/ql/src/semmle/javascript/security/dataflow/MissingRateLimiting.qll
index 9b26660c6f0..b9cb1b5059a 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/MissingRateLimiting.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/MissingRateLimiting.qll
@@ -113,29 +113,53 @@ class DatabaseAccessAsExpensiveAction extends ExpensiveAction {
  * A route handler expression that is rate-limited by a rate-limiting middleware.
  */
 class RouteHandlerExpressionWithRateLimiter extends RateLimitedRouteHandlerExpr {
-  RouteHandlerExpressionWithRateLimiter() { getAMatchingAncestor() instanceof RateLimiter }
+  RouteHandlerExpressionWithRateLimiter() {
+    any(RateLimitingMiddleware m).ref().flowsToExpr(getAMatchingAncestor())
+  }
 }
 
 /**
+ * DEPRECATED. Use `RateLimitingMiddleware` instead.
+ *
  * A middleware that acts as a rate limiter.
  */
-abstract class RateLimiter extends Express::RouteHandlerExpr { }
+deprecated class RateLimiter extends Express::RouteHandlerExpr {
+  RateLimiter() { any(RateLimitingMiddleware m).ref().flowsToExpr(this) }
+}
+
+/**
+ * Creation of a middleware function that acts as a rate limiter.
+ */
+abstract class RateLimitingMiddleware extends DataFlow::SourceNode {
+  /** Gets a data flow node referring to this middleware. */
+  private DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
+    t.start() and
+    result = this
+    or
+    DataFlow::functionOneWayForwardingStep(ref(t.continue()).getALocalUse(), result)
+    or
+    exists(DataFlow::TypeTracker t2 | result = ref(t2).track(t2, t))
+  }
+
+  /** Gets a data flow node referring to this middleware. */
+  DataFlow::SourceNode ref() { result = ref(DataFlow::TypeTracker::end()) }
+}
 
 /**
  * A rate limiter constructed using the `express-rate-limit` package.
  */
-class ExpressRateLimit extends RateLimiter {
+class ExpressRateLimit extends RateLimitingMiddleware {
   ExpressRateLimit() {
-    this = API::moduleImport("express-rate-limit").getReturn().getAUse().asExpr()
+    this = API::moduleImport("express-rate-limit").getReturn().getAnImmediateUse()
   }
 }
 
 /**
  * A rate limiter constructed using the `express-brute` package.
  */
-class BruteForceRateLimit extends RateLimiter {
+class BruteForceRateLimit extends RateLimitingMiddleware {
   BruteForceRateLimit() {
-    this = API::moduleImport("express-brute").getInstance().getMember("prevent").getAUse().asExpr()
+    this = API::moduleImport("express-brute").getInstance().getMember("prevent").getAnImmediateUse()
   }
 }
 
@@ -183,8 +207,6 @@ class RateLimiterFlexibleRateLimiter extends DataFlow::FunctionNode {
 /**
  * A route-handler expression that is rate-limited by the `rate-limiter-flexible` package.
  */
-class RouteHandlerLimitedByRateLimiterFlexible extends RateLimiter {
-  RouteHandlerLimitedByRateLimiterFlexible() {
-    any(RateLimiterFlexibleRateLimiter rl).flowsToExpr(this)
-  }
+class RouteHandlerLimitedByRateLimiterFlexible extends RateLimitingMiddleware {
+  RouteHandlerLimitedByRateLimiterFlexible() { this instanceof RateLimiterFlexibleRateLimiter }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimiting.expected b/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimiting.expected
index 49f77eeb7ab..220ece00a41 100644
--- a/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimiting.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimiting.expected
@@ -8,5 +8,3 @@
 | tst.js:38:20:38:36 | expensiveHandler4 | This route handler performs $@, but is not rate-limited. | tst.js:17:40:17:83 | connect ... ution') | a database access |
 | tst.js:64:25:64:63 | functio ... req); } | This route handler performs $@, but is not rate-limited. | tst.js:64:46:64:60 | verifyUser(req) | authorization |
 | tst.js:76:25:76:53 | catchAs ... ndler1) | This route handler performs $@, but is not rate-limited. | tst.js:14:40:14:46 | login() | authorization |
-| tst.js:78:60:78:76 | expensiveHandler1 | This route handler performs $@, but is not rate-limited. | tst.js:14:40:14:46 | login() | authorization |
-| tst.js:79:60:79:88 | catchAs ... ndler1) | This route handler performs $@, but is not rate-limited. | tst.js:14:40:14:46 | login() | authorization |

From 7046f1a9028cf74046e6ffa38da5f65cd0572184 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 15 Apr 2021 16:24:48 +0200
Subject: [PATCH 0494/1429] add taint-step for markdown-it when the HTML flag
 is set

---
 .../semmle/javascript/frameworks/Markdown.qll   | 17 +++++++++++++++++
 .../CWE-079/ReflectedXss/ReflectedXss.expected  | 14 ++++++++++++++
 .../CWE-079/ReflectedXss/ReflectedXss.js        | 11 +++++++++++
 .../ReflectedXssWithCustomSanitizer.expected    |  2 ++
 4 files changed, 44 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
index 768e4f202ac..dd3171ae605 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
@@ -118,3 +118,20 @@ private class SnarkdownStep extends TaintTracking::SharedTaintStep {
     )
   }
 }
+
+/**
+ * A taint step for the `markdown-it` library.
+ */
+private class MarkdownItStep extends TaintTracking::SharedTaintStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode renderer, API::CallNode call |
+      renderer = API::moduleImport("markdown-it").getACall() and
+      renderer.getParameter(0).getMember("html").getARhs().asExpr().(BooleanLiteral).getValue() =
+        "true" and
+      call = renderer.getReturn().getMember(["render", "renderInline"]).getACall()
+    |
+      succ = call and
+      pred = call.getArgument(0)
+    )
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
index 93a1061b3d3..6cc8088e7b1 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -66,6 +66,13 @@ nodes
 | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) |
 | ReflectedXss.js:85:23:85:30 | req.body |
 | ReflectedXss.js:85:23:85:30 | req.body |
+| ReflectedXss.js:94:12:94:19 | req.body |
+| ReflectedXss.js:94:12:94:19 | req.body |
+| ReflectedXss.js:94:12:94:19 | req.body |
+| ReflectedXss.js:95:12:95:38 | markdow ... q.body) |
+| ReflectedXss.js:95:12:95:38 | markdow ... q.body) |
+| ReflectedXss.js:95:30:95:37 | req.body |
+| ReflectedXss.js:95:30:95:37 | req.body |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id |
@@ -212,6 +219,11 @@ edges
 | ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) |
 | ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) |
 | ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) |
+| ReflectedXss.js:94:12:94:19 | req.body | ReflectedXss.js:94:12:94:19 | req.body |
+| ReflectedXss.js:95:30:95:37 | req.body | ReflectedXss.js:95:12:95:38 | markdow ... q.body) |
+| ReflectedXss.js:95:30:95:37 | req.body | ReflectedXss.js:95:12:95:38 | markdow ... q.body) |
+| ReflectedXss.js:95:30:95:37 | req.body | ReflectedXss.js:95:12:95:38 | markdow ... q.body) |
+| ReflectedXss.js:95:30:95:37 | req.body | ReflectedXss.js:95:12:95:38 | markdow ... q.body) |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
@@ -307,6 +319,8 @@ edges
 | ReflectedXss.js:83:12:83:19 | req.body | ReflectedXss.js:83:12:83:19 | req.body | ReflectedXss.js:83:12:83:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:83:12:83:19 | req.body | user-provided value |
 | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | ReflectedXss.js:84:22:84:29 | req.body | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:84:22:84:29 | req.body | user-provided value |
 | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:85:23:85:30 | req.body | user-provided value |
+| ReflectedXss.js:94:12:94:19 | req.body | ReflectedXss.js:94:12:94:19 | req.body | ReflectedXss.js:94:12:94:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:94:12:94:19 | req.body | user-provided value |
+| ReflectedXss.js:95:12:95:38 | markdow ... q.body) | ReflectedXss.js:95:30:95:37 | req.body | ReflectedXss.js:95:12:95:38 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:95:30:95:37 | req.body | user-provided value |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
index 7e531bdd4e1..003d807a8bd 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
@@ -84,3 +84,14 @@ app.get('/user/:id', function (req, res) {
   res.send(snarkdown(req.body)); // NOT OK
   res.send(snarkdown2(req.body)); // NOT OK
 });
+
+const markdownIt = require('markdown-it')({
+  html: true
+});
+const markdownIt2 = require('markdown-it')({});
+
+app.get('/user/:id', function (req, res) {
+  res.send(req.body); // NOT OK
+  res.send(markdownIt.render(req.body)); // NOT OK
+  res.send(markdownIt2.render(req.body)); // OK - no html
+});
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
index f690572c899..c96f7c39754 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -14,6 +14,8 @@
 | ReflectedXss.js:83:12:83:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:83:12:83:19 | req.body | user-provided value |
 | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:84:22:84:29 | req.body | user-provided value |
 | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:85:23:85:30 | req.body | user-provided value |
+| ReflectedXss.js:94:12:94:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:94:12:94:19 | req.body | user-provided value |
+| ReflectedXss.js:95:12:95:38 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:95:30:95:37 | req.body | user-provided value |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |

From 13d915927bd9e5bad1f541c3a0fa2551f1d2856d Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 15 Apr 2021 16:26:52 +0200
Subject: [PATCH 0495/1429] add change note

---
 javascript/change-notes/2021-04-15-markdownit.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 javascript/change-notes/2021-04-15-markdownit.md

diff --git a/javascript/change-notes/2021-04-15-markdownit.md b/javascript/change-notes/2021-04-15-markdownit.md
new file mode 100644
index 00000000000..90127a4293d
--- /dev/null
+++ b/javascript/change-notes/2021-04-15-markdownit.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The security queries now track taint through markdown-it.
+  Affected packages are
+    [markdown-it](https://npmjs.com/package/markdown-it)
\ No newline at end of file

From 19c5889775eb2d1a9bdbdc8053acf816fdc1b5f0 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 15 Apr 2021 20:06:21 +0200
Subject: [PATCH 0496/1429] use `mayHaveBooleanValue`

---
 javascript/ql/src/semmle/javascript/frameworks/Markdown.qll | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
index dd3171ae605..2b5d15ab1f4 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
@@ -126,8 +126,7 @@ private class MarkdownItStep extends TaintTracking::SharedTaintStep {
   override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
     exists(API::CallNode renderer, API::CallNode call |
       renderer = API::moduleImport("markdown-it").getACall() and
-      renderer.getParameter(0).getMember("html").getARhs().asExpr().(BooleanLiteral).getValue() =
-        "true" and
+      renderer.getParameter(0).getMember("html").getARhs().mayHaveBooleanValue(true) and
       call = renderer.getReturn().getMember(["render", "renderInline"]).getACall()
     |
       succ = call and

From 9bfb0d93caabbc222a6d7ce192c2b476245c1a0d Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Tue, 20 Apr 2021 13:59:09 +0100
Subject: [PATCH 0497/1429] Autoformat QL

---
 .../experimental/Security/CWE/CWE-094/GroovyInjectionLib.qll  | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjectionLib.qll
index b6bdcc228c7..61ddb9b9a1a 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/GroovyInjectionLib.qll
@@ -103,9 +103,7 @@ private class EvalMethod extends Method {
 private class EvalMethodAccess extends MethodAccess {
   EvalMethodAccess() { this.getMethod() instanceof EvalMethod }
 
-  Expr getArgumentExpr() {
-    result = this.getArgument(this.getNumArgument() - 1)
-  }
+  Expr getArgumentExpr() { result = this.getArgument(this.getNumArgument() - 1) }
 }
 
 /**

From 31bd701bd53a6b30f3bbfd88b0e6da3c02f5738a Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 20 Apr 2021 12:29:26 +0000
Subject: [PATCH 0498/1429] Python: Final `LocalSourceNode` fixes

---
 .../ql/src/semmle/python/frameworks/PEP249.qll   | 16 ++++++++--------
 .../frameworks/modeling-example/SharedCode.qll   |  4 ++--
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/PEP249.qll b/python/ql/src/semmle/python/frameworks/PEP249.qll
index f2b21d08e7c..6100076d0ad 100644
--- a/python/ql/src/semmle/python/frameworks/PEP249.qll
+++ b/python/ql/src/semmle/python/frameworks/PEP249.qll
@@ -54,7 +54,7 @@ module Connection {
   }
 
   /** Gets a reference to an instance of `db.Connection`. */
-  private DataFlow::Node instance(DataFlow::TypeTracker t) {
+  private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
     t.start() and
     result instanceof InstanceSource
     or
@@ -62,7 +62,7 @@ module Connection {
   }
 
   /** Gets a reference to an instance of `db.Connection`. */
-  DataFlow::Node instance() { result = instance(DataFlow::TypeTracker::end()) }
+  DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
 }
 
 /**
@@ -71,7 +71,7 @@ module Connection {
  */
 module cursor {
   /** Gets a reference to the `cursor` method on a connection. */
-  private DataFlow::Node methodRef(DataFlow::TypeTracker t) {
+  private DataFlow::LocalSourceNode methodRef(DataFlow::TypeTracker t) {
     t.startInAttr("cursor") and
     result = Connection::instance()
     or
@@ -79,10 +79,10 @@ module cursor {
   }
 
   /** Gets a reference to the `cursor` method on a connection. */
-  DataFlow::Node methodRef() { result = methodRef(DataFlow::TypeTracker::end()) }
+  DataFlow::Node methodRef() { methodRef(DataFlow::TypeTracker::end()).flowsTo(result) }
 
   /** Gets a reference to a result of calling the `cursor` method on a connection. */
-  private DataFlow::Node methodResult(DataFlow::TypeTracker t) {
+  private DataFlow::LocalSourceNode methodResult(DataFlow::TypeTracker t) {
     t.start() and
     result.asCfgNode().(CallNode).getFunction() = methodRef().asCfgNode()
     or
@@ -90,7 +90,7 @@ module cursor {
   }
 
   /** Gets a reference to a result of calling the `cursor` method on a connection. */
-  DataFlow::Node methodResult() { result = methodResult(DataFlow::TypeTracker::end()) }
+  DataFlow::Node methodResult() { methodResult(DataFlow::TypeTracker::end()).flowsTo(result) }
 }
 
 /**
@@ -101,7 +101,7 @@ module cursor {
  *
  * See https://www.python.org/dev/peps/pep-0249/#id15.
  */
-private DataFlow::Node execute(DataFlow::TypeTracker t) {
+private DataFlow::LocalSourceNode execute(DataFlow::TypeTracker t) {
   t.startInAttr("execute") and
   result in [cursor::methodResult(), Connection::instance()]
   or
@@ -116,7 +116,7 @@ private DataFlow::Node execute(DataFlow::TypeTracker t) {
  *
  * See https://www.python.org/dev/peps/pep-0249/#id15.
  */
-DataFlow::Node execute() { result = execute(DataFlow::TypeTracker::end()) }
+DataFlow::Node execute() { execute(DataFlow::TypeTracker::end()).flowsTo(result) }
 
 /** A call to the `execute` method on a cursor (or on a connection). */
 private class ExecuteCall extends SqlExecution::Range, DataFlow::CallCfgNode {
diff --git a/python/ql/test/library-tests/frameworks/modeling-example/SharedCode.qll b/python/ql/test/library-tests/frameworks/modeling-example/SharedCode.qll
index feb310f38c2..ae562f83064 100644
--- a/python/ql/test/library-tests/frameworks/modeling-example/SharedCode.qll
+++ b/python/ql/test/library-tests/frameworks/modeling-example/SharedCode.qll
@@ -6,7 +6,7 @@ private import semmle.python.dataflow.new.TaintTracking
 /** A data-flow Node representing an instance of MyClass. */
 abstract class MyClass extends DataFlow::Node { }
 
-private DataFlow::Node myClassGetValue(MyClass qualifier, DataFlow::TypeTracker t) {
+private DataFlow::LocalSourceNode myClassGetValue(MyClass qualifier, DataFlow::TypeTracker t) {
   t.startInAttr("get_value") and
   result = qualifier
   or
@@ -14,7 +14,7 @@ private DataFlow::Node myClassGetValue(MyClass qualifier, DataFlow::TypeTracker
 }
 
 DataFlow::Node myClassGetValue(MyClass qualifier) {
-  result = myClassGetValue(qualifier, DataFlow::TypeTracker::end())
+  myClassGetValue(qualifier, DataFlow::TypeTracker::end()).flowsTo(result)
 }
 
 // Config

From a55b43b67e2aebb466ff74372875cf61ee3fff55 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 20 Apr 2021 12:35:55 +0000
Subject: [PATCH 0499/1429] Python: Use `LocalSourceNode` throughout `step`

This commit does a lot of stuff all at once, so here are the main
highlights:

In `TypeTracker.qll`, we change `StepSummary::step` to step only between
source nodes. Because reads and writes of global variables happen in two
different (jump) steps, this requires the intermediate
`ModuleVariableNode` to _also_ be a `LocalSourceNode`, and we therefore
modify the charpred for that class accordingly. (This also means
changing a few of the tests to account for these new source nodes.)

In addition, we change `TypeTracker::step` to likewise step between
local source nodes.

Next, to enable the use of the `track` convenience method on nodes, we
add some pragmas to `TypeTracker::step` that prevent bad joins from
occurring. With this, we can eliminate all of the manual type tracker
join predicates.

Next, we observe that because `StepSummary::step` now uses `flowsTo`, it
automatically encapsulates all local-flow steps. In particular this
means we do not have to use `typePreservingStep` in `smallstep`, but can
use `jumpStep` directly. A similar observation applies to
`TypeTracker::smallstep`.

Having done this, we no longer need `typePreservingStep`, so we get rid
of it.
---
 .../CVE-2018-1281/BindToAllInterfaces.ql      | 32 ++-----------------
 python/ql/src/semmle/python/ApiGraphs.qll     | 13 +-------
 python/ql/src/semmle/python/Concepts.qll      | 16 +---------
 .../python/dataflow/new/TypeTracker.qll       | 22 +++++--------
 .../dataflow/new/internal/LocalSources.qll    |  1 -
 .../semmle/python/frameworks/Cryptography.qll | 14 +-------
 python/ql/src/semmle/python/regex.qll         | 16 +---------
 .../experimental/dataflow/ApiGraphs/use.ql    |  6 +++-
 .../dataflow/typetracking/moduleattr.expected |  1 +
 9 files changed, 20 insertions(+), 101 deletions(-)

diff --git a/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql b/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql
index dc5633863d2..069f255f198 100644
--- a/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql
+++ b/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql
@@ -32,21 +32,7 @@ private DataFlow::LocalSourceNode vulnerableHostnameRef(DataFlow::TypeTracker t,
     result.asExpr() = allInterfacesStrConst
   )
   or
-  // Due to bad performance when using normal setup with `vulnerableHostnameRef(t2, hostname).track(t2, t)`
-  // we have inlined that code and forced a join
-  exists(DataFlow::TypeTracker t2 |
-    exists(DataFlow::StepSummary summary |
-      vulnerableHostnameRef_first_join(t2, hostname, result, summary) and
-      t = t2.append(summary)
-    )
-  )
-}
-
-pragma[nomagic]
-private predicate vulnerableHostnameRef_first_join(
-  DataFlow::TypeTracker t2, string hostname, DataFlow::Node res, DataFlow::StepSummary summary
-) {
-  DataFlow::StepSummary::step(vulnerableHostnameRef(t2, hostname), res, summary)
+  exists(DataFlow::TypeTracker t2 | result = vulnerableHostnameRef(t2, hostname).track(t2, t))
 }
 
 /** Gets a reference to a hostname that can be used to bind to all interfaces. */
@@ -59,21 +45,7 @@ private DataFlow::LocalSourceNode vulnerableAddressTuple(DataFlow::TypeTracker t
   t.start() and
   result.asExpr() = any(Tuple tup | tup.getElt(0) = vulnerableHostnameRef(hostname).asExpr())
   or
-  // Due to bad performance when using normal setup with `vulnerableAddressTuple(t2, hostname).track(t2, t)`
-  // we have inlined that code and forced a join
-  exists(DataFlow::TypeTracker t2 |
-    exists(DataFlow::StepSummary summary |
-      vulnerableAddressTuple_first_join(t2, hostname, result, summary) and
-      t = t2.append(summary)
-    )
-  )
-}
-
-pragma[nomagic]
-private predicate vulnerableAddressTuple_first_join(
-  DataFlow::TypeTracker t2, string hostname, DataFlow::Node res, DataFlow::StepSummary summary
-) {
-  DataFlow::StepSummary::step(vulnerableAddressTuple(t2, hostname), res, summary)
+  exists(DataFlow::TypeTracker t2 | result = vulnerableAddressTuple(t2, hostname).track(t2, t))
 }
 
 /** Gets a reference to a tuple for which the first element is a hostname that can be used to bind to all interfaces. */
diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 5f1fbbb9626..48f30308170 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -433,18 +433,7 @@ module API {
       use(_, src) and
       result = src
       or
-      // Due to bad performance when using `trackUseNode(t2, attr_name).track(t2, t)`
-      // we have inlined that code and forced a join
-      exists(DataFlow::StepSummary summary |
-        t = trackUseNode_first_join(src, result, summary).append(summary)
-      )
-    }
-
-    pragma[nomagic]
-    private DataFlow::TypeTracker trackUseNode_first_join(
-      DataFlow::LocalSourceNode src, DataFlow::LocalSourceNode res, DataFlow::StepSummary summary
-    ) {
-      DataFlow::StepSummary::step(trackUseNode(src, result), res, summary)
+      exists(DataFlow::TypeTracker t2 | result = trackUseNode(src, t2).track(t2, t))
     }
 
     cached
diff --git a/python/ql/src/semmle/python/Concepts.qll b/python/ql/src/semmle/python/Concepts.qll
index d8e65cb2e09..4be00ba5bf9 100644
--- a/python/ql/src/semmle/python/Concepts.qll
+++ b/python/ql/src/semmle/python/Concepts.qll
@@ -570,21 +570,7 @@ module Cryptography {
         arg = any(KeyGeneration::Range r).getKeySizeArg() and
         result = arg.getALocalSource()
         or
-        // Due to bad performance when using normal setup with we have inlined that code and forced a join
-        exists(DataFlow::TypeBackTracker t2 |
-          exists(DataFlow::StepSummary summary |
-            keysizeBacktracker_first_join(t2, arg, result, summary) and
-            t = t2.prepend(summary)
-          )
-        )
-      }
-
-      pragma[nomagic]
-      private predicate keysizeBacktracker_first_join(
-        DataFlow::TypeBackTracker t2, DataFlow::Node arg, DataFlow::Node res,
-        DataFlow::StepSummary summary
-      ) {
-        DataFlow::StepSummary::step(res, keysizeBacktracker(t2, arg), summary)
+        exists(DataFlow::TypeBackTracker t2 | result = keysizeBacktracker(t2, arg).backtrack(t2, t))
       }
 
       /** Gets a back-reference to the keysize argument `arg` that was used to generate a new key-pair. */
diff --git a/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll b/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll
index d4ce5f606ac..bba7ecf367b 100644
--- a/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll
+++ b/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll
@@ -51,8 +51,8 @@ module StepSummary {
    * heap and/or inter-procedural step from `nodeFrom` to `nodeTo`.
    */
   cached
-  predicate step(LocalSourceNode nodeFrom, Node nodeTo, StepSummary summary) {
-    exists(Node mid | typePreservingStep*(nodeFrom, mid) and smallstep(mid, nodeTo, summary))
+  predicate step(LocalSourceNode nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
+    exists(Node mid | nodeFrom.flowsTo(mid) and smallstep(mid, nodeTo, summary))
   }
 
   /**
@@ -63,7 +63,7 @@ module StepSummary {
    * type-preserving steps.
    */
   predicate smallstep(Node nodeFrom, Node nodeTo, StepSummary summary) {
-    typePreservingStep(nodeFrom, nodeTo) and
+    jumpStep(nodeFrom, nodeTo) and
     summary = LevelStep()
     or
     callStep(nodeFrom, nodeTo) and summary = CallStep()
@@ -80,12 +80,6 @@ module StepSummary {
   }
 }
 
-/** Holds if it's reasonable to expect the data flow step from `nodeFrom` to `nodeTo` to preserve types. */
-private predicate typePreservingStep(Node nodeFrom, Node nodeTo) {
-  simpleLocalFlowStep(nodeFrom, nodeTo) or
-  jumpStep(nodeFrom, nodeTo)
-}
-
 /**
  * Gets a callable for the call where `nodeFrom` is used as the `i`'th argument.
  *
@@ -274,10 +268,10 @@ class TypeTracker extends TTypeTracker {
    * heap and/or inter-procedural step from `nodeFrom` to `nodeTo`.
    */
   pragma[inline]
-  TypeTracker step(LocalSourceNode nodeFrom, Node nodeTo) {
+  TypeTracker step(LocalSourceNode nodeFrom, LocalSourceNode nodeTo) {
     exists(StepSummary summary |
-      StepSummary::step(nodeFrom, nodeTo, summary) and
-      result = this.append(summary)
+      StepSummary::step(nodeFrom, pragma[only_bind_out](nodeTo), pragma[only_bind_into](summary)) and
+      result = this.append(pragma[only_bind_into](summary))
     )
   }
 
@@ -312,7 +306,7 @@ class TypeTracker extends TTypeTracker {
       result = this.append(summary)
     )
     or
-    typePreservingStep(nodeFrom, nodeTo) and
+    simpleLocalFlowStep(nodeFrom, nodeTo) and
     result = this
   }
 }
@@ -453,7 +447,7 @@ class TypeBackTracker extends TTypeBackTracker {
       this = result.prepend(summary)
     )
     or
-    typePreservingStep(nodeFrom, nodeTo) and
+    simpleLocalFlowStep(nodeFrom, nodeTo) and
     this = result
   }
 }
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll b/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
index 7aa311df76b..134507add94 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
@@ -41,7 +41,6 @@ class LocalSourceNode extends Node {
   cached
   LocalSourceNode() {
     not comes_from_cfgnode(this) and
-    not this instanceof ModuleVariableNode and
     // Currently, we create synthetic post-update nodes for
     // - arguments to calls that may modify said argument
     // - direct reads a writes of object attributes
diff --git a/python/ql/src/semmle/python/frameworks/Cryptography.qll b/python/ql/src/semmle/python/frameworks/Cryptography.qll
index 3396d7dfa55..266d41897d3 100644
--- a/python/ql/src/semmle/python/frameworks/Cryptography.qll
+++ b/python/ql/src/semmle/python/frameworks/Cryptography.qll
@@ -83,23 +83,11 @@ private module CryptographyModel {
       result.(DataFlow::CallCfgNode).getFunction() = curveClassWithKeySize(keySize) and
       origin = result
       or
-      // Due to bad performance when using normal setup with we have inlined that code and forced a join
       exists(DataFlow::TypeTracker t2 |
-        exists(DataFlow::StepSummary summary |
-          curveClassInstanceWithKeySize_first_join(t2, keySize, origin, result, summary) and
-          t = t2.append(summary)
-        )
+        result = curveClassInstanceWithKeySize(t2, keySize, origin).track(t2, t)
       )
     }
 
-    pragma[nomagic]
-    private predicate curveClassInstanceWithKeySize_first_join(
-      DataFlow::TypeTracker t2, int keySize, DataFlow::Node origin, DataFlow::Node res,
-      DataFlow::StepSummary summary
-    ) {
-      DataFlow::StepSummary::step(curveClassInstanceWithKeySize(t2, keySize, origin), res, summary)
-    }
-
     /** Gets a reference to a predefined curve class instance with a specific key size (in bits), as well as the origin of the class. */
     DataFlow::Node curveClassInstanceWithKeySize(int keySize, DataFlow::Node origin) {
       curveClassInstanceWithKeySize(DataFlow::TypeTracker::end(), keySize, origin).flowsTo(result)
diff --git a/python/ql/src/semmle/python/regex.qll b/python/ql/src/semmle/python/regex.qll
index f558669ce32..365c36d0d2f 100644
--- a/python/ql/src/semmle/python/regex.qll
+++ b/python/ql/src/semmle/python/regex.qll
@@ -82,21 +82,7 @@ private DataFlow::LocalSourceNode re_flag_tracker(string flag_name, DataFlow::Ty
     result.asCfgNode() = binop
   )
   or
-  // Due to bad performance when using normal setup with `re_flag_tracker(t2, attr_name).track(t2, t)`
-  // we have inlined that code and forced a join
-  exists(DataFlow::TypeTracker t2 |
-    exists(DataFlow::StepSummary summary |
-      re_flag_tracker_first_join(t2, flag_name, result, summary) and
-      t = t2.append(summary)
-    )
-  )
-}
-
-pragma[nomagic]
-private predicate re_flag_tracker_first_join(
-  DataFlow::TypeTracker t2, string flag_name, DataFlow::Node res, DataFlow::StepSummary summary
-) {
-  DataFlow::StepSummary::step(re_flag_tracker(flag_name, t2), res, summary)
+  exists(DataFlow::TypeTracker t2 | result = re_flag_tracker(flag_name, t2).track(t2, t))
 }
 
 /**
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/use.ql b/python/ql/test/experimental/dataflow/ApiGraphs/use.ql
index f02bb048c58..2bcc05d443b 100644
--- a/python/ql/test/experimental/dataflow/ApiGraphs/use.ql
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/use.ql
@@ -9,7 +9,11 @@ class ApiUseTest extends InlineExpectationsTest {
   override string getARelevantTag() { result = "use" }
 
   private predicate relevant_node(API::Node a, DataFlow::Node n, Location l) {
-    n = a.getAUse() and l = n.getLocation()
+    n = a.getAUse() and
+    l = n.getLocation() and
+    // Module variable nodes have no suitable location, so it's best to simply exclude them entirely
+    // from the inline tests.
+    not n instanceof DataFlow::ModuleVariableNode
   }
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
diff --git a/python/ql/test/experimental/dataflow/typetracking/moduleattr.expected b/python/ql/test/experimental/dataflow/typetracking/moduleattr.expected
index 82aa6e99c3c..adfc8c5a379 100644
--- a/python/ql/test/experimental/dataflow/typetracking/moduleattr.expected
+++ b/python/ql/test/experimental/dataflow/typetracking/moduleattr.expected
@@ -1,6 +1,7 @@
 module_tracker
 | import_as_attr.py:1:6:1:11 | ControlFlowNode for ImportExpr |
 module_attr_tracker
+| import_as_attr.py:0:0:0:0 | ModuleVariableNode for Global Variable attr_ref in Module import_as_attr |
 | import_as_attr.py:1:20:1:35 | ControlFlowNode for ImportMember |
 | import_as_attr.py:1:28:1:35 | GSSA Variable attr_ref |
 | import_as_attr.py:3:1:3:1 | GSSA Variable x |

From 038bf612be2e8308d4c8d4f82089aa9675844901 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 20 Apr 2021 13:06:30 +0000
Subject: [PATCH 0500/1429] Python: Add change note

---
 .../change-notes/2021-04-20-stepsummary-localsourcenode.md   | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 python/change-notes/2021-04-20-stepsummary-localsourcenode.md

diff --git a/python/change-notes/2021-04-20-stepsummary-localsourcenode.md b/python/change-notes/2021-04-20-stepsummary-localsourcenode.md
new file mode 100644
index 00000000000..630dfc4e44a
--- /dev/null
+++ b/python/change-notes/2021-04-20-stepsummary-localsourcenode.md
@@ -0,0 +1,5 @@
+lgtm,codescanning
+* The predicates `StepSummary::step` and `TypeTracker::step` in `TypeTracker.qll` have been changed
+  to use the more restrictive type `LocalSourceNode` for their second argument. For cases where
+  stepping between non-`LocalSourceNode`s is required, the `StepSummary::smallstep` predicate may be
+  used instead.

From 38548c9acdd246b265b16f2ee3605c686cca56a7 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 20 Apr 2021 13:15:50 +0000
Subject: [PATCH 0501/1429] Python: Simplify charpred for `LocalSourceNode`

The somewhat convoluted `comes_from_cfgnode` was originally introduced
in order to have local sources for instances of global variables. This
was needed because global variables have an implicit "scope entry" SSA
definition that flows to the first actual use of the variable (and so
would not fit the strict "has no incoming flow" definition of a local
source node).

However, a subsequent change means that we include all global variable
reads anyway, and so the old definition is no longer needed.

(See commit 3fafb47b1680fc7fb42418a1ca6816986262ab05 for further
context.)
---
 .../semmle/python/dataflow/new/internal/LocalSources.qll | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll b/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
index 134507add94..808aa4cf48b 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
@@ -10,13 +10,6 @@ import python
 import DataFlowPublic
 private import DataFlowPrivate
 
-private predicate comes_from_cfgnode(Node node) {
-  exists(CfgNode first, Node second |
-    simpleLocalFlowStep(first, second) and
-    simpleLocalFlowStep*(second, node)
-  )
-}
-
 /**
  * A data flow node that is a source of local flow. This includes things like
  * - Expressions
@@ -40,7 +33,7 @@ private predicate comes_from_cfgnode(Node node) {
 class LocalSourceNode extends Node {
   cached
   LocalSourceNode() {
-    not comes_from_cfgnode(this) and
+    not simpleLocalFlowStep(_, this) and
     // Currently, we create synthetic post-update nodes for
     // - arguments to calls that may modify said argument
     // - direct reads a writes of object attributes

From 62dfd1fa7ddeea093047255f5da191f0bdf12cb4 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 20 Apr 2021 15:23:03 +0200
Subject: [PATCH 0502/1429] improve the `markdown-it` model

---
 .../semmle/javascript/frameworks/Markdown.qll | 42 +++++++++++++----
 .../ReflectedXss/ReflectedXss.expected        | 46 +++++++++++++------
 .../CWE-079/ReflectedXss/ReflectedXss.js      |  7 +++
 .../ReflectedXssWithCustomSanitizer.expected  |  6 ++-
 4 files changed, 76 insertions(+), 25 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
index 2b5d15ab1f4..76c90aa2ef3 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
@@ -120,17 +120,41 @@ private class SnarkdownStep extends TaintTracking::SharedTaintStep {
 }
 
 /**
- * A taint step for the `markdown-it` library.
+ * Classes and predicates for modelling taint steps the `markdown-it` library.
  */
-private class MarkdownItStep extends TaintTracking::SharedTaintStep {
-  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(API::CallNode renderer, API::CallNode call |
-      renderer = API::moduleImport("markdown-it").getACall() and
-      renderer.getParameter(0).getMember("html").getARhs().mayHaveBooleanValue(true) and
-      call = renderer.getReturn().getMember(["render", "renderInline"]).getACall()
+private module MarkdownIt {
+  /**
+   * The creation of a parser from `markdown-it`.
+   */
+  private API::Node markdownIt() {
+    exists(API::InvokeNode call |
+      call = API::moduleImport("markdown-it").getAnInvocation()
+      or
+      call = API::moduleImport("markdown-it").getMember("Markdown").getAnInvocation()
     |
-      succ = call and
-      pred = call.getArgument(0)
+      call.getParameter(0).getMember("html").getARhs().mayHaveBooleanValue(true) and
+      result = call.getReturn()
+    )
+    or
+    exists(API::CallNode call |
+      call = markdownIt().getMember(["use", "set", "configure", "enable", "disable"]).getACall() and
+      result = call.getReturn() and
+      not call.getParameter(0).getARhs().getALocalSource() =
+        DataFlow::moduleImport("markdown-it-sanitizer")
     )
   }
+
+  /**
+   * A taint step for the `markdown-it` library.
+   */
+  private class MarkdownItStep extends TaintTracking::SharedTaintStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(API::CallNode call |
+        call = markdownIt().getMember(["render", "renderInline"]).getACall()
+      |
+        succ = call and
+        pred = call.getArgument(0)
+      )
+    }
+  }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
index 6cc8088e7b1..f8ceeb45b62 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -66,13 +66,21 @@ nodes
 | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) |
 | ReflectedXss.js:85:23:85:30 | req.body |
 | ReflectedXss.js:85:23:85:30 | req.body |
-| ReflectedXss.js:94:12:94:19 | req.body |
-| ReflectedXss.js:94:12:94:19 | req.body |
-| ReflectedXss.js:94:12:94:19 | req.body |
-| ReflectedXss.js:95:12:95:38 | markdow ... q.body) |
-| ReflectedXss.js:95:12:95:38 | markdow ... q.body) |
-| ReflectedXss.js:95:30:95:37 | req.body |
-| ReflectedXss.js:95:30:95:37 | req.body |
+| ReflectedXss.js:97:12:97:19 | req.body |
+| ReflectedXss.js:97:12:97:19 | req.body |
+| ReflectedXss.js:97:12:97:19 | req.body |
+| ReflectedXss.js:98:12:98:38 | markdow ... q.body) |
+| ReflectedXss.js:98:12:98:38 | markdow ... q.body) |
+| ReflectedXss.js:98:30:98:37 | req.body |
+| ReflectedXss.js:98:30:98:37 | req.body |
+| ReflectedXss.js:100:12:100:39 | markdow ... q.body) |
+| ReflectedXss.js:100:12:100:39 | markdow ... q.body) |
+| ReflectedXss.js:100:31:100:38 | req.body |
+| ReflectedXss.js:100:31:100:38 | req.body |
+| ReflectedXss.js:103:12:103:84 | markdow ... q.body) |
+| ReflectedXss.js:103:12:103:84 | markdow ... q.body) |
+| ReflectedXss.js:103:76:103:83 | req.body |
+| ReflectedXss.js:103:76:103:83 | req.body |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id |
@@ -219,11 +227,19 @@ edges
 | ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) |
 | ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) |
 | ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) |
-| ReflectedXss.js:94:12:94:19 | req.body | ReflectedXss.js:94:12:94:19 | req.body |
-| ReflectedXss.js:95:30:95:37 | req.body | ReflectedXss.js:95:12:95:38 | markdow ... q.body) |
-| ReflectedXss.js:95:30:95:37 | req.body | ReflectedXss.js:95:12:95:38 | markdow ... q.body) |
-| ReflectedXss.js:95:30:95:37 | req.body | ReflectedXss.js:95:12:95:38 | markdow ... q.body) |
-| ReflectedXss.js:95:30:95:37 | req.body | ReflectedXss.js:95:12:95:38 | markdow ... q.body) |
+| ReflectedXss.js:97:12:97:19 | req.body | ReflectedXss.js:97:12:97:19 | req.body |
+| ReflectedXss.js:98:30:98:37 | req.body | ReflectedXss.js:98:12:98:38 | markdow ... q.body) |
+| ReflectedXss.js:98:30:98:37 | req.body | ReflectedXss.js:98:12:98:38 | markdow ... q.body) |
+| ReflectedXss.js:98:30:98:37 | req.body | ReflectedXss.js:98:12:98:38 | markdow ... q.body) |
+| ReflectedXss.js:98:30:98:37 | req.body | ReflectedXss.js:98:12:98:38 | markdow ... q.body) |
+| ReflectedXss.js:100:31:100:38 | req.body | ReflectedXss.js:100:12:100:39 | markdow ... q.body) |
+| ReflectedXss.js:100:31:100:38 | req.body | ReflectedXss.js:100:12:100:39 | markdow ... q.body) |
+| ReflectedXss.js:100:31:100:38 | req.body | ReflectedXss.js:100:12:100:39 | markdow ... q.body) |
+| ReflectedXss.js:100:31:100:38 | req.body | ReflectedXss.js:100:12:100:39 | markdow ... q.body) |
+| ReflectedXss.js:103:76:103:83 | req.body | ReflectedXss.js:103:12:103:84 | markdow ... q.body) |
+| ReflectedXss.js:103:76:103:83 | req.body | ReflectedXss.js:103:12:103:84 | markdow ... q.body) |
+| ReflectedXss.js:103:76:103:83 | req.body | ReflectedXss.js:103:12:103:84 | markdow ... q.body) |
+| ReflectedXss.js:103:76:103:83 | req.body | ReflectedXss.js:103:12:103:84 | markdow ... q.body) |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
@@ -319,8 +335,10 @@ edges
 | ReflectedXss.js:83:12:83:19 | req.body | ReflectedXss.js:83:12:83:19 | req.body | ReflectedXss.js:83:12:83:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:83:12:83:19 | req.body | user-provided value |
 | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | ReflectedXss.js:84:22:84:29 | req.body | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:84:22:84:29 | req.body | user-provided value |
 | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:85:23:85:30 | req.body | user-provided value |
-| ReflectedXss.js:94:12:94:19 | req.body | ReflectedXss.js:94:12:94:19 | req.body | ReflectedXss.js:94:12:94:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:94:12:94:19 | req.body | user-provided value |
-| ReflectedXss.js:95:12:95:38 | markdow ... q.body) | ReflectedXss.js:95:30:95:37 | req.body | ReflectedXss.js:95:12:95:38 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:95:30:95:37 | req.body | user-provided value |
+| ReflectedXss.js:97:12:97:19 | req.body | ReflectedXss.js:97:12:97:19 | req.body | ReflectedXss.js:97:12:97:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:97:12:97:19 | req.body | user-provided value |
+| ReflectedXss.js:98:12:98:38 | markdow ... q.body) | ReflectedXss.js:98:30:98:37 | req.body | ReflectedXss.js:98:12:98:38 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:98:30:98:37 | req.body | user-provided value |
+| ReflectedXss.js:100:12:100:39 | markdow ... q.body) | ReflectedXss.js:100:31:100:38 | req.body | ReflectedXss.js:100:12:100:39 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:100:31:100:38 | req.body | user-provided value |
+| ReflectedXss.js:103:12:103:84 | markdow ... q.body) | ReflectedXss.js:103:76:103:83 | req.body | ReflectedXss.js:103:12:103:84 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:103:76:103:83 | req.body | user-provided value |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
index 003d807a8bd..6a85c0ec1b0 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
@@ -90,8 +90,15 @@ const markdownIt = require('markdown-it')({
 });
 const markdownIt2 = require('markdown-it')({});
 
+const markdownIt3 = require('markdown-it')({html: true})
+  .use(require('markdown-it-highlightjs'));
+
 app.get('/user/:id', function (req, res) {
   res.send(req.body); // NOT OK
   res.send(markdownIt.render(req.body)); // NOT OK
   res.send(markdownIt2.render(req.body)); // OK - no html
+  res.send(markdownIt3.render(req.body)); // NOT OK
+
+  res.send(markdownIt.use(require('markdown-it-sanitizer')).render(req.body)); // OK - HTML is sanitized. 
+  res.send(markdownIt.use(require('markdown-it-abbr')).use(unknown).render(req.body)); // NOT OK
 });
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
index c96f7c39754..719a82171a8 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -14,8 +14,10 @@
 | ReflectedXss.js:83:12:83:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:83:12:83:19 | req.body | user-provided value |
 | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:84:22:84:29 | req.body | user-provided value |
 | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:85:23:85:30 | req.body | user-provided value |
-| ReflectedXss.js:94:12:94:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:94:12:94:19 | req.body | user-provided value |
-| ReflectedXss.js:95:12:95:38 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:95:30:95:37 | req.body | user-provided value |
+| ReflectedXss.js:97:12:97:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:97:12:97:19 | req.body | user-provided value |
+| ReflectedXss.js:98:12:98:38 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:98:30:98:37 | req.body | user-provided value |
+| ReflectedXss.js:100:12:100:39 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:100:31:100:38 | req.body | user-provided value |
+| ReflectedXss.js:103:12:103:84 | markdow ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:103:76:103:83 | req.body | user-provided value |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |

From 43ca8ea5f79541d53c2b80a6b85e0568a8258436 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Tue, 20 Apr 2021 15:15:12 +0100
Subject: [PATCH 0503/1429] JS: Fix perf issue in forwardsParameter

---
 javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
index a7256b351fb..76c42cd16cf 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -1693,7 +1693,7 @@ module DataFlow {
       parameter.flowsTo(call.getArgument(i))
       or
       parameter.isRestParameter() and
-      parameter.flowsTo(call.asExpr().(CallExpr).getArgument(i).(SpreadElement).getOperand().flow())
+      parameter.flowsTo(call.getASpreadArgument())
     )
   }
 

From 583513bafd427a2ba1626e361b7f04bcefed9db1 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 20 Apr 2021 16:28:47 +0200
Subject: [PATCH 0504/1429] Fix review findings

---
 .../code/java/security/LdapInjection.qll      | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/java/ql/src/semmle/code/java/security/LdapInjection.qll b/java/ql/src/semmle/code/java/security/LdapInjection.qll
index f5e0994c68f..6907bb49387 100644
--- a/java/ql/src/semmle/code/java/security/LdapInjection.qll
+++ b/java/ql/src/semmle/code/java/security/LdapInjection.qll
@@ -45,12 +45,12 @@ private class DefaultLdapInjectionSinkModel extends SinkModelCsv {
         "com.unboundid.ldap.sdk;LDAPConnection;false;search;(SearchRequest);;Argument[0];ldap",
         "com.unboundid.ldap.sdk;LDAPConnection;false;search;(SearchResultListener,String,SearchScope,DereferencePolicy,int,int,boolean,Filter,String[]);;Argument[0..7];ldap",
         "com.unboundid.ldap.sdk;LDAPConnection;false;search;(SearchResultListener,String,SearchScope,DereferencePolicy,int,int,boolean,String,String[]);;Argument[0..7];ldap",
-        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(SearchResultListener,String,SearchScope,Filter,String[]]);;Argument[0..3];ldap",
-        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(SearchResultListener,String,SearchScope,String,String[]]);;Argument[0..3];ldap",
-        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(String,SearchScope,DereferencePolicy,int,int,boolean,Filter,String[]]);;Argument[0..6];ldap",
-        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(String,SearchScope,DereferencePolicy,int,int,boolean,String,String[]]);;Argument[0..6];ldap",
-        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(String,SearchScope,Filter,String[]]);;Argument[0..2];ldap",
-        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(String,SearchScope,String,String[]]);;Argument[0..2];ldap",
+        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(SearchResultListener,String,SearchScope,Filter,String[]);;Argument[0..3];ldap",
+        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(SearchResultListener,String,SearchScope,String,String[]);;Argument[0..3];ldap",
+        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(String,SearchScope,DereferencePolicy,int,int,boolean,Filter,String[]);;Argument[0..6];ldap",
+        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(String,SearchScope,DereferencePolicy,int,int,boolean,String,String[]);;Argument[0..6];ldap",
+        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(String,SearchScope,Filter,String[]);;Argument[0..2];ldap",
+        "com.unboundid.ldap.sdk;LDAPConnection;false;search;(String,SearchScope,String,String[]);;Argument[0..2];ldap",
         // UnboundID: searchForEntry
         "com.unboundid.ldap.sdk;LDAPConnection;false;searchForEntry;(ReadOnlySearchRequest);;Argument[0];ldap",
         "com.unboundid.ldap.sdk;LDAPConnection;false;searchForEntry;(SearchRequest);;Argument[0];ldap",
@@ -66,15 +66,15 @@ private class DefaultLdapInjectionSinkModel extends SinkModelCsv {
         "org.springframework.ldap.core;LdapTemplate;false;search;;;Argument[0..1];ldap",
         "org.springframework.ldap.core;LdapTemplate;false;searchForContext;;;Argument[0..1];ldap",
         "org.springframework.ldap.core;LdapTemplate;false;searchForObject;;;Argument[0..1];ldap",
-        "org.springframework.ldap.core;LdapTemplate;false;authenticate;;;Argument[0];ldap",
-        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(Name,String,String);;Argument[1];ldap",
-        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(Name,String,String,AuthenticatedLdapEntryContextCallback);;Argument[1];ldap",
-        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(Name,String,String,AuthenticatedLdapEntryContextCallback,AuthenticationErrorCallback);;Argument[1];ldap",
-        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(Name,String,String,AuthenticationErrorCallback);;Argument[1];ldap",
-        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(String,String,String);;Argument[1];ldap",
-        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(String,String,String,AuthenticatedLdapEntryContextCallback);;Argument[1];ldap",
-        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(String,String,String,AuthenticatedLdapEntryContextCallback,AuthenticationErrorCallback);;Argument[1];ldap",
-        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(String,String,String,AuthenticationErrorCallback);;Argument[1];ldap"
+        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(LdapQuery,String);;Argument[0];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(Name,String,String);;Argument[0..1];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(Name,String,String,AuthenticatedLdapEntryContextCallback);;Argument[0..1];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(Name,String,String,AuthenticatedLdapEntryContextCallback,AuthenticationErrorCallback);;Argument[0..1];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(Name,String,String,AuthenticationErrorCallback);;Argument[0..1];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(String,String,String);;Argument[0..1];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(String,String,String,AuthenticatedLdapEntryContextCallback);;Argument[0..1];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(String,String,String,AuthenticatedLdapEntryContextCallback,AuthenticationErrorCallback);;Argument[0..1];ldap",
+        "org.springframework.ldap.core;LdapTemplate;false;authenticate;(String,String,String,AuthenticationErrorCallback);;Argument[0..1];ldap"
       ]
   }
 }

From 7581cbade64b922d6482cc16f7e9e472af25110a Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 20 Apr 2021 14:32:56 +0000
Subject: [PATCH 0505/1429] Python: Fix forgotten type tracker

This was the last remaining type tracker that did not use
`LocalSourceNode`.
---
 python/ql/src/semmle/python/frameworks/Django.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index 23c0a814a7a..efc4aebc49e 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -1303,7 +1303,7 @@ private module PrivateDjango {
         }
 
         /** Gets a reference to the `django.http.response.HttpResponse.write` function. */
-        private DataFlow::Node write(
+        private DataFlow::LocalSourceNode write(
           django::http::response::HttpResponse::InstanceSource instance, DataFlow::TypeTracker t
         ) {
           t.startInAttr("write") and
@@ -1315,7 +1315,7 @@ private module PrivateDjango {
 
         /** Gets a reference to the `django.http.response.HttpResponse.write` function. */
         DataFlow::Node write(django::http::response::HttpResponse::InstanceSource instance) {
-          result = write(instance, DataFlow::TypeTracker::end())
+          write(instance, DataFlow::TypeTracker::end()).flowsTo(result)
         }
 
         /**

From 2a07441c19c2a80fdc08a13100f27956df1aba3e Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 20 Apr 2021 14:33:42 +0000
Subject: [PATCH 0506/1429] Python: `ModuleVariableNode`s are not API uses

This caused some suprising test changes, where suddenly we had flow from
a `ModuleVariableNode` (as a `RemoteFlowSource`) to a sink. This of
course makes little sense, so instead we simply exclude these nodes as
uses in the first place.
---
 python/ql/src/semmle/python/ApiGraphs.qll | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 48f30308170..5f71d9d1c40 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -422,9 +422,9 @@ module API {
     }
 
     /**
-     * Gets a data-flow node to which `nd`, which is a use of an API-graph node, flows.
+     * Gets a data-flow node to which `src`, which is a use of an API-graph node, flows.
      *
-     * The flow from `nd` to that node may be inter-procedural.
+     * The flow from `src` to that node may be inter-procedural.
      */
     private DataFlow::LocalSourceNode trackUseNode(
       DataFlow::LocalSourceNode src, DataFlow::TypeTracker t
@@ -436,9 +436,16 @@ module API {
       exists(DataFlow::TypeTracker t2 | result = trackUseNode(src, t2).track(t2, t))
     }
 
+    /**
+     * Gets a data-flow node to which `src`, which is a use of an API-graph node, flows.
+     *
+     * The flow from `src` to that node may be inter-procedural.
+     */
     cached
     DataFlow::LocalSourceNode trackUseNode(DataFlow::LocalSourceNode src) {
-      result = trackUseNode(src, DataFlow::TypeTracker::end())
+      result = trackUseNode(src, DataFlow::TypeTracker::end()) and
+      // We exclude module variable nodes, as these do not correspond to real uses.
+      not result instanceof DataFlow::ModuleVariableNode
     }
 
     /**

From c0569da65c01c9cdc8a554209f5761e2bef91978 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 20 Apr 2021 14:35:11 +0000
Subject: [PATCH 0507/1429] Python: Move `track`/`backtrack` to
 `LocalSourceNode`

This is merely making explicit what was implicitly enforced. The move
to change the return type of `step` already meant that `this` and
`result` had to be `LocalSourceNode`. By moving these methods to their
rightful place, we should hopefully avoid a bit of suprising behaviour.
---
 .../2021-04-20-stepsummary-localsourcenode.md    |  2 ++
 .../dataflow/new/internal/DataFlowPublic.qll     | 16 ----------------
 .../dataflow/new/internal/LocalSources.qll       | 16 ++++++++++++++++
 3 files changed, 18 insertions(+), 16 deletions(-)

diff --git a/python/change-notes/2021-04-20-stepsummary-localsourcenode.md b/python/change-notes/2021-04-20-stepsummary-localsourcenode.md
index 630dfc4e44a..2cfda02b8fb 100644
--- a/python/change-notes/2021-04-20-stepsummary-localsourcenode.md
+++ b/python/change-notes/2021-04-20-stepsummary-localsourcenode.md
@@ -3,3 +3,5 @@ lgtm,codescanning
   to use the more restrictive type `LocalSourceNode` for their second argument. For cases where
   stepping between non-`LocalSourceNode`s is required, the `StepSummary::smallstep` predicate may be
   used instead.
+* The methods `Node::track` and `Node::backtrack` have been moved to the class `LocalSourceNode`. If
+  the old behavior is required, one can use `LocalSourceNode::flowsTo` to add back the missing flow.
\ No newline at end of file
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
index 6a397175ab1..03912ca1b86 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll
@@ -119,22 +119,6 @@ class Node extends TNode {
   /** Gets the expression corresponding to this node, if any. */
   Expr asExpr() { none() }
 
-  /**
-   * Gets a node that this node may flow to using one heap and/or interprocedural step.
-   *
-   * See `TypeTracker` for more details about how to use this.
-   */
-  pragma[inline]
-  Node track(TypeTracker t2, TypeTracker t) { t = t2.step(this, result) }
-
-  /**
-   * Gets a node that may flow into this one using one heap and/or interprocedural step.
-   *
-   * See `TypeBackTracker` for more details about how to use this.
-   */
-  pragma[inline]
-  LocalSourceNode backtrack(TypeBackTracker t2, TypeBackTracker t) { t2 = t.step(result, this) }
-
   /**
    * Gets a local source node from which data may flow to this node in zero or more local data-flow steps.
    */
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll b/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
index 808aa4cf48b..c3df5b4841c 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/LocalSources.qll
@@ -77,6 +77,22 @@ class LocalSourceNode extends Node {
    * Gets a call to this node.
    */
   CallCfgNode getACall() { Cached::call(this, result) }
+
+  /**
+   * Gets a node that this node may flow to using one heap and/or interprocedural step.
+   *
+   * See `TypeTracker` for more details about how to use this.
+   */
+  pragma[inline]
+  LocalSourceNode track(TypeTracker t2, TypeTracker t) { t = t2.step(this, result) }
+
+  /**
+   * Gets a node that may flow into this one using one heap and/or interprocedural step.
+   *
+   * See `TypeBackTracker` for more details about how to use this.
+   */
+  pragma[inline]
+  LocalSourceNode backtrack(TypeBackTracker t2, TypeBackTracker t) { t2 = t.step(result, this) }
 }
 
 cached

From 890f96d9b5947cc264597c1bb63852745432fb7e Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 20 Apr 2021 15:01:04 +0000
Subject: [PATCH 0508/1429] Python: Prevent bad joins in `TypeBackTracker`

Perhaps unsurprisingly, the join orderer was eager and willing to find
the wrong join order in this predicate as well. Applying a similar
fix to the one used in `TypeTracker::step` fixes the problem.
---
 python/ql/src/semmle/python/dataflow/new/TypeTracker.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll b/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll
index bba7ecf367b..5dc7bb85b06 100644
--- a/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll
+++ b/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll
@@ -411,8 +411,8 @@ class TypeBackTracker extends TTypeBackTracker {
   pragma[inline]
   TypeBackTracker step(LocalSourceNode nodeFrom, LocalSourceNode nodeTo) {
     exists(StepSummary summary |
-      StepSummary::step(nodeFrom, nodeTo, summary) and
-      this = result.prepend(summary)
+      StepSummary::step(pragma[only_bind_out](nodeFrom), nodeTo, pragma[only_bind_into](summary)) and
+      this = result.prepend(pragma[only_bind_into](summary))
     )
   }
 

From 9f8a9b9cadb8f1811e52f0de523467058629c54c Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Tue, 20 Apr 2021 17:10:09 +0100
Subject: [PATCH 0509/1429] JS: Add taint source/sink summary queries

---
 javascript/ql/src/Summary/TaintSinks.ql   | 15 +++++++++++++++
 javascript/ql/src/Summary/TaintSources.ql | 16 ++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 javascript/ql/src/Summary/TaintSinks.ql
 create mode 100644 javascript/ql/src/Summary/TaintSources.ql

diff --git a/javascript/ql/src/Summary/TaintSinks.ql b/javascript/ql/src/Summary/TaintSinks.ql
new file mode 100644
index 00000000000..24f6579efec
--- /dev/null
+++ b/javascript/ql/src/Summary/TaintSinks.ql
@@ -0,0 +1,15 @@
+/**
+ * @name Taint sinks
+ * @description Expressions that are vulnerable if containing untrusted data.
+ * @kind problem
+ * @problem.severity informational
+ * @id js/summary/taint-sinks
+ * @tags summary
+ * @precision medium
+ */
+
+import javascript
+import meta.internal.TaintMetrics
+
+from string kind
+select relevantTaintSink(kind), kind + " sink"
diff --git a/javascript/ql/src/Summary/TaintSources.ql b/javascript/ql/src/Summary/TaintSources.ql
new file mode 100644
index 00000000000..7178a76dde9
--- /dev/null
+++ b/javascript/ql/src/Summary/TaintSources.ql
@@ -0,0 +1,16 @@
+/**
+ * @name Taint sources
+ * @description Sources of untrusted input.
+ * @kind problem
+ * @problem.severity informational
+ * @id js/summary/taint-sources
+ * @tags summary
+ * @precision medium
+ */
+
+import javascript
+import meta.internal.TaintMetrics
+
+from RemoteFlowSource node
+where node = relevantTaintSource()
+select node, node.getSourceType()

From fc2c62350ed68fdbc32e2600065c265216339645 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Tue, 20 Apr 2021 18:54:03 +0200
Subject: [PATCH 0510/1429] Python: Fix bad join Also fixed up the QLDoc

---
 python/ql/src/Security/CWE-327/PyOpenSSL.qll  |  4 ++-
 python/ql/src/Security/CWE-327/Ssl.qll        |  6 ++--
 .../src/Security/CWE-327/TlsLibraryModel.qll  | 28 +++++++++----------
 3 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/PyOpenSSL.qll b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
index d886d46efef..77dde78a75a 100644
--- a/python/ql/src/Security/CWE-327/PyOpenSSL.qll
+++ b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
@@ -16,7 +16,9 @@ class PyOpenSSLContextCreation extends ContextCreation, DataFlow::CallCfgNode {
     exists(ControlFlowNode protocolArg, PyOpenSSL pyo |
       protocolArg in [node.getArg(0), node.getArgByName("method")]
     |
-      protocolArg = [pyo.specific_version(result), pyo.unspecific_version(result)].asCfgNode()
+      protocolArg =
+        [pyo.specific_version(result).getAUse(), pyo.unspecific_version(result).getAUse()]
+            .asCfgNode()
     )
   }
 }
diff --git a/python/ql/src/Security/CWE-327/Ssl.qll b/python/ql/src/Security/CWE-327/Ssl.qll
index e943470e917..73041e3393f 100644
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -14,7 +14,9 @@ class SSLContextCreation extends ContextCreation, DataFlow::CallCfgNode {
     exists(ControlFlowNode protocolArg, Ssl ssl |
       protocolArg in [node.getArg(0), node.getArgByName("protocol")]
     |
-      protocolArg = [ssl.specific_version(result), ssl.unspecific_version(result)].asCfgNode()
+      protocolArg =
+        [ssl.specific_version(result).getAUse(), ssl.unspecific_version(result).getAUse()]
+            .asCfgNode()
     )
     or
     not exists(node.getAnArg()) and
@@ -188,7 +190,7 @@ class Ssl extends TlsLibrary {
 
   override DataFlow::CallCfgNode insecure_connection_creation(ProtocolVersion version) {
     result = API::moduleImport("ssl").getMember("wrap_socket").getACall() and
-    this.specific_version(version) = result.getArgByName("ssl_version") and
+    this.specific_version(version).getAUse() = result.getArgByName("ssl_version") and
     version.isInsecure()
   }
 
diff --git a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
index ba54ea3ccd4..3bac0e2299d 100644
--- a/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
+++ b/python/ql/src/Security/CWE-327/TlsLibraryModel.qll
@@ -91,26 +91,26 @@ abstract class TlsLibrary extends string {
   /** Gets a name, which is a member of `version_constants`,  that can be used to specify the protocol family `family`. */
   abstract string unspecific_version_name(ProtocolFamily family);
 
-  /** The module or class holding the version constants. */
+  /** Gets an API node representing the module or class holding the version constants. */
   abstract API::Node version_constants();
 
-  /** A dataflow node representing a specific protocol version. */
-  DataFlow::Node specific_version(ProtocolVersion version) {
-    result = version_constants().getMember(specific_version_name(version)).getAUse()
+  /** Gets an API node representing a specific protocol version. */
+  API::Node specific_version(ProtocolVersion version) {
+    result = version_constants().getMember(specific_version_name(version))
   }
 
-  /** Gets a dataflow node representing the protocol family `family`. */
-  DataFlow::Node unspecific_version(ProtocolFamily family) {
-    result = version_constants().getMember(unspecific_version_name(family)).getAUse()
+  /** Gets an API node representing the protocol family `family`. */
+  API::Node unspecific_version(ProtocolFamily family) {
+    result = version_constants().getMember(unspecific_version_name(family))
   }
 
-  /** The creation of a context with a default protocol. */
+  /** Gets a creation of a context with a default protocol. */
   abstract ContextCreation default_context_creation();
 
-  /** The creation of a context with a specific protocol. */
+  /** Gets a creation of a context with a specific protocol. */
   abstract ContextCreation specific_context_creation();
 
-  /** The creation of a context with a specific protocol version, known to be insecure. */
+  /** Gets a creation of a context with a specific protocol version, known to be insecure. */
   ContextCreation insecure_context_creation(ProtocolVersion version) {
     result in [specific_context_creation(), default_context_creation()] and
     result.getProtocol() = version and
@@ -123,15 +123,15 @@ abstract class TlsLibrary extends string {
     result.getProtocol() = family
   }
 
-  /** A connection is created in an insecure manner, not from a context. */
+  /** Gets a dataflow node representing a connection being created in an insecure manner, not from a context. */
   abstract DataFlow::Node insecure_connection_creation(ProtocolVersion version);
 
-  /** A connection is created from a context. */
+  /** Gets a dataflow node representing a connection being created from a context. */
   abstract ConnectionCreation connection_creation();
 
-  /** A context is being restricted on which protocols it can accepts. */
+  /** Gets a dataflow node representing a context being restricted on which protocols it can accepts. */
   abstract ProtocolRestriction protocol_restriction();
 
-  /** A context is being relaxed on which protocols it can accepts. */
+  /** Gets a dataflow node representing a context being relaxed on which protocols it can accepts. */
   abstract ProtocolUnrestriction protocol_unrestriction();
 }

From 98a0959784d0b9229dcfcb533ddf27ad740da845 Mon Sep 17 00:00:00 2001
From: Shati Patel <42641846+shati-patel@users.noreply.github.com>
Date: Tue, 20 Apr 2021 18:12:35 +0100
Subject: [PATCH 0511/1429] Docs: New "directional binding" pragmas

---
 .../ql-language-reference/annotations.rst     | 41 +++++++++++++++++--
 1 file changed, 37 insertions(+), 4 deletions(-)

diff --git a/docs/codeql/ql-language-reference/annotations.rst b/docs/codeql/ql-language-reference/annotations.rst
index ec60e55bf9b..e801f0a95aa 100644
--- a/docs/codeql/ql-language-reference/annotations.rst
+++ b/docs/codeql/ql-language-reference/annotations.rst
@@ -259,8 +259,6 @@ This means that it is part of the output of the QL program.
 Compiler pragmas
 ================
 
-**Available for**: |characteristic predicates|, |member predicates|, |non-member predicates|
-
 The following compiler pragmas affect the compilation and optimization of queries. You
 should avoid using these annotations unless you experience significant performance issues.
 
@@ -284,6 +282,8 @@ predicates.
 ``pragma[inline]``
 ------------------
 
+**Available for**: |characteristic predicates|, |member predicates|, |non-member predicates|
+
 The ``pragma[inline]`` annotation tells the QL optimizer to always inline the annotated predicate
 into the places where it is called. This can be useful when a predicate body is very expensive to 
 compute entirely, as it ensures that the predicate is evaluated with the other contextual information
@@ -292,6 +292,8 @@ at the places where it is called.
 ``pragma[noinline]``
 --------------------
 
+**Available for**: |characteristic predicates|, |member predicates|, |non-member predicates|
+
 The ``pragma[noinline]`` annotation is used to prevent a predicate from being inlined into the
 place where it is called. In practice, this annotation is useful when you've already grouped 
 certain variables together in a "helper" predicate, to ensure that the relation is evaluated 
@@ -301,6 +303,8 @@ work of the helper predicate, so it's a good idea to annotate it with ``pragma[n
 ``pragma[nomagic]``
 -------------------
 
+**Available for**: |characteristic predicates|, |member predicates|, |non-member predicates|
+
 The ``pragma[nomagic]`` annotation is used to prevent the QL optimizer from performing the "magic sets"
 optimization on a predicate. 
 
@@ -314,6 +318,8 @@ Note that ``nomagic`` implies ``noinline``.
 ``pragma[noopt]``
 -----------------
 
+**Available for**: |characteristic predicates|, |member predicates|, |non-member predicates|
+
 The ``pragma[noopt]`` annotation is used to prevent the QL optimizer from optimizing a
 predicate, except when it's absolutely necessary for compilation and evaluation to work.
 
@@ -364,7 +370,33 @@ When you use this annotation, be aware of the following issues:
            succ.getSucc() = 3
          )
        }
-   
+
+``pragma[only_bind_out]``
+-------------------------
+
+**Available for**: |expressions|
+
+The ``pragma[only_bind_out]`` annotation lets you specify the direction in which the QL compiler should bind expressions.
+This can be useful to improve performance in rare cases where the QL optimizer orders parts of the QL program in an inefficient way.
+
+For example, ``x = pragma[only_bind_out](y)`` is semantically equivalent to ``x = y``, but has different binding behavior. 
+``x = y`` binds ``x`` from ``y`` and vice versa, while ``x = pragma[only_bind_out](y)`` only binds ``x`` from ``y``.
+
+For more information, see ":ref:`Binding <binding>`."
+
+``pragma[only_bind_into]``
+--------------------------
+
+**Available for**: |expressions|
+
+The ``pragma[only_bind_into]`` annotation lets you specify the direction in which the QL compiler should bind expressions.
+This can be useful to improve performance in rare cases where the QL optimizer orders parts of the QL program in an inefficient way.
+
+For example, ``x = pragma[only_bind_into](y)`` is semantically equivalent to ``x = y``, but has different binding behavior. 
+``x = y`` binds ``x`` from ``y`` and vice versa, while ``x = pragma[only_bind_into](y)`` only binds ``y`` from ``x``.
+
+For more information, see ":ref:`Binding <binding>`."
+
 .. _language:
 
 Language pragmas
@@ -413,4 +445,5 @@ The ``bindingset`` annotation takes a comma-separated list of variables.
 .. |fields|                    replace:: :ref:`fields <fields>`
 .. |modules|                   replace:: :ref:`modules <modules>`
 .. |aliases|                   replace:: :ref:`aliases <aliases>`
-.. |algebraic datatypes|       replace:: :ref:`algebraic datatypes <algebraic-datatypes>`
\ No newline at end of file
+.. |algebraic datatypes|       replace:: :ref:`algebraic datatypes <algebraic-datatypes>`
+.. |expressions|               replace:: :ref:`expressions <expressions>`

From 357e1c08025da77deaee293d05fde3eb7c01b2a6 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 20 Apr 2021 19:57:47 +0200
Subject: [PATCH 0512/1429] Update
 javascript/ql/src/semmle/javascript/frameworks/Markdown.qll

Co-authored-by: Asger F <asgerf@github.com>
---
 javascript/ql/src/semmle/javascript/frameworks/Markdown.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
index 76c90aa2ef3..743341325a7 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
@@ -139,7 +139,7 @@ private module MarkdownIt {
     exists(API::CallNode call |
       call = markdownIt().getMember(["use", "set", "configure", "enable", "disable"]).getACall() and
       result = call.getReturn() and
-      not call.getParameter(0).getARhs().getALocalSource() =
+      not call.getParameter(0).getAValueReachingRhs() =
         DataFlow::moduleImport("markdown-it-sanitizer")
     )
   }

From 6408ee2eaf9d00f6c0166a277bdc922e9d5db2db Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Tue, 20 Apr 2021 20:03:06 +0200
Subject: [PATCH 0513/1429] Python: Fix bad join

---
 python/ql/src/Security/CWE-327/InsecureProtocol.ql | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.ql b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
index 99e2d83420d..e1d64dca0a7 100644
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -25,6 +25,8 @@ class ProtocolConfiguration extends DataFlow::Node {
     or
     unsafe_context_creation(this, _)
   }
+
+  AstNode getNode() { result = this.asCfgNode().(CallNode).getFunction().getNode() }
 }
 
 // Helper for pretty printer `callName`.
@@ -36,9 +38,7 @@ class ProtocolConfiguration extends DataFlow::Node {
 // we have to extend @py_ast_node.
 class Nameable extends @py_ast_node {
   Nameable() {
-    exists(ProtocolConfiguration protocolConfiguration |
-      this = protocolConfiguration.asCfgNode().(CallNode).getFunction().getNode()
-    )
+    this = any(ProtocolConfiguration pc).getNode()
     or
     exists(Nameable attr | this = attr.(Attribute).getObject())
   }

From 01a95316c2d8830b6af5a621dbc8c57c672a909b Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Tue, 20 Apr 2021 14:03:48 -0400
Subject: [PATCH 0514/1429] C++: Add `Instruction::getAParameterSideEffect()`.

---
 .../ir/implementation/aliased_ssa/Instruction.qll   | 13 +++++++++++++
 .../code/cpp/ir/implementation/raw/Instruction.qll  | 13 +++++++++++++
 .../ir/implementation/unaliased_ssa/Instruction.qll | 13 +++++++++++++
 .../ir/implementation/raw/Instruction.qll           | 13 +++++++++++++
 .../ir/implementation/unaliased_ssa/Instruction.qll | 13 +++++++++++++
 5 files changed, 65 insertions(+)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
index af6f3d81982..13c38401737 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
@@ -1645,6 +1645,19 @@ class CallInstruction extends Instruction {
    * Gets the number of arguments of the call, including the `this` pointer, if any.
    */
   final int getNumberOfArguments() { result = count(this.getAnArgumentOperand()) }
+
+  /**
+   * Holds if the result is a side effect for the argument at the specified index, or `this` if
+   * `index` is `-1`.
+   *
+   * This helper predicate makes it easy to join on both of these columns at once, avoiding
+   * pathological join orders in case the argument index should get joined first.
+   */
+  pragma[noinline]
+  final SideEffectInstruction getAParameterSideEffect(int index) {
+    this = result.getPrimaryInstruction() and
+    index = result.(IndexedInstruction).getIndex()
+  }
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
index af6f3d81982..13c38401737 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
@@ -1645,6 +1645,19 @@ class CallInstruction extends Instruction {
    * Gets the number of arguments of the call, including the `this` pointer, if any.
    */
   final int getNumberOfArguments() { result = count(this.getAnArgumentOperand()) }
+
+  /**
+   * Holds if the result is a side effect for the argument at the specified index, or `this` if
+   * `index` is `-1`.
+   *
+   * This helper predicate makes it easy to join on both of these columns at once, avoiding
+   * pathological join orders in case the argument index should get joined first.
+   */
+  pragma[noinline]
+  final SideEffectInstruction getAParameterSideEffect(int index) {
+    this = result.getPrimaryInstruction() and
+    index = result.(IndexedInstruction).getIndex()
+  }
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
index af6f3d81982..13c38401737 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
@@ -1645,6 +1645,19 @@ class CallInstruction extends Instruction {
    * Gets the number of arguments of the call, including the `this` pointer, if any.
    */
   final int getNumberOfArguments() { result = count(this.getAnArgumentOperand()) }
+
+  /**
+   * Holds if the result is a side effect for the argument at the specified index, or `this` if
+   * `index` is `-1`.
+   *
+   * This helper predicate makes it easy to join on both of these columns at once, avoiding
+   * pathological join orders in case the argument index should get joined first.
+   */
+  pragma[noinline]
+  final SideEffectInstruction getAParameterSideEffect(int index) {
+    this = result.getPrimaryInstruction() and
+    index = result.(IndexedInstruction).getIndex()
+  }
 }
 
 /**
diff --git a/csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll b/csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll
index af6f3d81982..13c38401737 100644
--- a/csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll
+++ b/csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll
@@ -1645,6 +1645,19 @@ class CallInstruction extends Instruction {
    * Gets the number of arguments of the call, including the `this` pointer, if any.
    */
   final int getNumberOfArguments() { result = count(this.getAnArgumentOperand()) }
+
+  /**
+   * Holds if the result is a side effect for the argument at the specified index, or `this` if
+   * `index` is `-1`.
+   *
+   * This helper predicate makes it easy to join on both of these columns at once, avoiding
+   * pathological join orders in case the argument index should get joined first.
+   */
+  pragma[noinline]
+  final SideEffectInstruction getAParameterSideEffect(int index) {
+    this = result.getPrimaryInstruction() and
+    index = result.(IndexedInstruction).getIndex()
+  }
 }
 
 /**
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll
index af6f3d81982..13c38401737 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll
@@ -1645,6 +1645,19 @@ class CallInstruction extends Instruction {
    * Gets the number of arguments of the call, including the `this` pointer, if any.
    */
   final int getNumberOfArguments() { result = count(this.getAnArgumentOperand()) }
+
+  /**
+   * Holds if the result is a side effect for the argument at the specified index, or `this` if
+   * `index` is `-1`.
+   *
+   * This helper predicate makes it easy to join on both of these columns at once, avoiding
+   * pathological join orders in case the argument index should get joined first.
+   */
+  pragma[noinline]
+  final SideEffectInstruction getAParameterSideEffect(int index) {
+    this = result.getPrimaryInstruction() and
+    index = result.(IndexedInstruction).getIndex()
+  }
 }
 
 /**

From 5085e462b0f52c2611e64f9bb51061511ce8870e Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Tue, 20 Apr 2021 14:09:41 -0400
Subject: [PATCH 0515/1429] C++: Allow alias propagation to/from side effects
 (part 1)

---
 .../aliased_ssa/internal/AliasAnalysis.qll    | 135 +++++++++---------
 .../unaliased_ssa/internal/AliasAnalysis.qll  | 135 +++++++++---------
 .../unaliased_ssa/internal/AliasAnalysis.qll  | 135 +++++++++---------
 3 files changed, 204 insertions(+), 201 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
index 19fb0490f80..6105187cc1f 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
@@ -34,7 +34,7 @@ private predicate operandIsConsumedWithoutEscaping(Operand operand) {
 
 private predicate operandEscapesDomain(Operand operand) {
   not operandIsConsumedWithoutEscaping(operand) and
-  not operandIsPropagated(operand, _) and
+  not operandIsPropagated(operand, _, _) and
   not isArgumentForParameter(_, operand, _) and
   not isOnlyEscapesViaReturnArgument(operand) and
   not operand.getUse() instanceof ReturnValueInstruction and
@@ -69,67 +69,66 @@ IntValue getPointerBitOffset(PointerOffsetInstruction instr) {
 }
 
 /**
- * Holds if any address held in operand `tag` of instruction `instr` is
- * propagated to the result of `instr`, offset by the number of bits in
- * `bitOffset`. If the address is propagated, but the offset is not known to be
- * a constant, then `bitOffset` is unknown.
+ * Holds if any address held in operand `operand` is propagated to the result of `instr`, offset by
+ * the number of bits in `bitOffset`. If the address is propagated, but the offset is not known to
+ * be a constant, then `bitOffset` is `unknown()`.
  */
-private predicate operandIsPropagated(Operand operand, IntValue bitOffset) {
-  exists(Instruction instr |
-    instr = operand.getUse() and
-    (
-      // Converting to a non-virtual base class adds the offset of the base class.
-      exists(ConvertToNonVirtualBaseInstruction convert |
-        convert = instr and
-        bitOffset = Ints::mul(convert.getDerivation().getByteOffset(), 8)
-      )
-      or
-      // Conversion using dynamic_cast results in an unknown offset
-      instr instanceof CheckedConvertOrNullInstruction and
-      bitOffset = Ints::unknown()
-      or
-      // Converting to a derived class subtracts the offset of the base class.
-      exists(ConvertToDerivedInstruction convert |
-        convert = instr and
-        bitOffset = Ints::neg(Ints::mul(convert.getDerivation().getByteOffset(), 8))
-      )
-      or
-      // Converting to a virtual base class adds an unknown offset.
-      instr instanceof ConvertToVirtualBaseInstruction and
-      bitOffset = Ints::unknown()
-      or
-      // Conversion to another pointer type propagates the source address.
-      exists(ConvertInstruction convert, IRType resultType |
-        convert = instr and
-        resultType = convert.getResultIRType() and
-        resultType instanceof IRAddressType and
-        bitOffset = 0
-      )
-      or
-      // Adding an integer to or subtracting an integer from a pointer propagates
-      // the address with an offset.
-      exists(PointerOffsetInstruction ptrOffset |
-        ptrOffset = instr and
-        operand = ptrOffset.getLeftOperand() and
-        bitOffset = getPointerBitOffset(ptrOffset)
-      )
-      or
-      // Computing a field address from a pointer propagates the address plus the
-      // offset of the field.
-      bitOffset = Language::getFieldBitOffset(instr.(FieldAddressInstruction).getField())
-      or
-      // A copy propagates the source value.
-      operand = instr.(CopyInstruction).getSourceValueOperand() and bitOffset = 0
-      or
-      // Some functions are known to propagate an argument
-      isAlwaysReturnedArgument(operand) and bitOffset = 0
+private predicate operandIsPropagated(Operand operand, IntValue bitOffset, Instruction instr) {
+  instr = operand.getUse() and
+  (
+    // Converting to a non-virtual base class adds the offset of the base class.
+    exists(ConvertToNonVirtualBaseInstruction convert |
+      convert = instr and
+      bitOffset = Ints::mul(convert.getDerivation().getByteOffset(), 8)
     )
+    or
+    // Conversion using dynamic_cast results in an unknown offset
+    instr instanceof CheckedConvertOrNullInstruction and
+    bitOffset = Ints::unknown()
+    or
+    // Converting to a derived class subtracts the offset of the base class.
+    exists(ConvertToDerivedInstruction convert |
+      convert = instr and
+      bitOffset = Ints::neg(Ints::mul(convert.getDerivation().getByteOffset(), 8))
+    )
+    or
+    // Converting to a virtual base class adds an unknown offset.
+    instr instanceof ConvertToVirtualBaseInstruction and
+    bitOffset = Ints::unknown()
+    or
+    // Conversion to another pointer type propagates the source address.
+    exists(ConvertInstruction convert, IRType resultType |
+      convert = instr and
+      resultType = convert.getResultIRType() and
+      resultType instanceof IRAddressType and
+      bitOffset = 0
+    )
+    or
+    // Adding an integer to or subtracting an integer from a pointer propagates
+    // the address with an offset.
+    exists(PointerOffsetInstruction ptrOffset |
+      ptrOffset = instr and
+      operand = ptrOffset.getLeftOperand() and
+      bitOffset = getPointerBitOffset(ptrOffset)
+    )
+    or
+    // Computing a field address from a pointer propagates the address plus the
+    // offset of the field.
+    bitOffset = Language::getFieldBitOffset(instr.(FieldAddressInstruction).getField())
+    or
+    // A copy propagates the source value.
+    operand = instr.(CopyInstruction).getSourceValueOperand() and bitOffset = 0
+    or
+    // Some functions are known to propagate an argument
+    isAlwaysReturnedArgument(operand) and bitOffset = 0
   )
 }
 
 private predicate operandEscapesNonReturn(Operand operand) {
-  // The address is propagated to the result of the instruction, and that result itself is returned
-  operandIsPropagated(operand, _) and resultEscapesNonReturn(operand.getUse())
+  exists(Instruction instr |
+    // The address is propagated to the result of the instruction, and that result itself is returned
+    operandIsPropagated(operand, _, instr) and resultEscapesNonReturn(instr)
+  )
   or
   // The operand is used in a function call which returns it, and the return value is then returned
   exists(CallInstruction ci, Instruction init |
@@ -151,9 +150,11 @@ private predicate operandEscapesNonReturn(Operand operand) {
 }
 
 private predicate operandMayReachReturn(Operand operand) {
-  // The address is propagated to the result of the instruction, and that result itself is returned
-  operandIsPropagated(operand, _) and
-  resultMayReachReturn(operand.getUse())
+  exists(Instruction instr |
+    // The address is propagated to the result of the instruction, and that result itself is returned
+    operandIsPropagated(operand, _, instr) and
+    resultMayReachReturn(instr)
+  )
   or
   // The operand is used in a function call which returns it, and the return value is then returned
   exists(CallInstruction ci, Instruction init |
@@ -173,9 +174,9 @@ private predicate operandMayReachReturn(Operand operand) {
 
 private predicate operandReturned(Operand operand, IntValue bitOffset) {
   // The address is propagated to the result of the instruction, and that result itself is returned
-  exists(IntValue bitOffset1, IntValue bitOffset2 |
-    operandIsPropagated(operand, bitOffset1) and
-    resultReturned(operand.getUse(), bitOffset2) and
+  exists(Instruction instr, IntValue bitOffset1, IntValue bitOffset2 |
+    operandIsPropagated(operand, bitOffset1, instr) and
+    resultReturned(instr, bitOffset2) and
     bitOffset = Ints::add(bitOffset1, bitOffset2)
   )
   or
@@ -270,12 +271,13 @@ predicate allocationEscapes(Configuration::Allocation allocation) {
 /**
  * Equivalent to `operandIsPropagated()`, but includes interprocedural propagation.
  */
-private predicate operandIsPropagatedIncludingByCall(Operand operand, IntValue bitOffset) {
-  operandIsPropagated(operand, bitOffset)
+private predicate operandIsPropagatedIncludingByCall(Operand operand, IntValue bitOffset, Instruction instr) {
+  operandIsPropagated(operand, bitOffset, instr)
   or
   exists(CallInstruction call, Instruction init |
     isArgumentForParameter(call, operand, init) and
-    resultReturned(init, bitOffset)
+    resultReturned(init, bitOffset) and
+    instr = call
   )
 }
 
@@ -292,8 +294,7 @@ private predicate hasBaseAndOffset(AddressOperand addrOperand, Instruction base,
     // We already have an offset from `middle`.
     hasBaseAndOffset(addrOperand, middle, previousBitOffset) and
     // `middle` is propagated from `base`.
-    middleOperand = middle.getAnOperand() and
-    operandIsPropagatedIncludingByCall(middleOperand, additionalBitOffset) and
+    operandIsPropagatedIncludingByCall(middleOperand, additionalBitOffset, middle) and
     base = middleOperand.getDef() and
     bitOffset = Ints::add(previousBitOffset, additionalBitOffset)
   )
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index 19fb0490f80..6105187cc1f 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -34,7 +34,7 @@ private predicate operandIsConsumedWithoutEscaping(Operand operand) {
 
 private predicate operandEscapesDomain(Operand operand) {
   not operandIsConsumedWithoutEscaping(operand) and
-  not operandIsPropagated(operand, _) and
+  not operandIsPropagated(operand, _, _) and
   not isArgumentForParameter(_, operand, _) and
   not isOnlyEscapesViaReturnArgument(operand) and
   not operand.getUse() instanceof ReturnValueInstruction and
@@ -69,67 +69,66 @@ IntValue getPointerBitOffset(PointerOffsetInstruction instr) {
 }
 
 /**
- * Holds if any address held in operand `tag` of instruction `instr` is
- * propagated to the result of `instr`, offset by the number of bits in
- * `bitOffset`. If the address is propagated, but the offset is not known to be
- * a constant, then `bitOffset` is unknown.
+ * Holds if any address held in operand `operand` is propagated to the result of `instr`, offset by
+ * the number of bits in `bitOffset`. If the address is propagated, but the offset is not known to
+ * be a constant, then `bitOffset` is `unknown()`.
  */
-private predicate operandIsPropagated(Operand operand, IntValue bitOffset) {
-  exists(Instruction instr |
-    instr = operand.getUse() and
-    (
-      // Converting to a non-virtual base class adds the offset of the base class.
-      exists(ConvertToNonVirtualBaseInstruction convert |
-        convert = instr and
-        bitOffset = Ints::mul(convert.getDerivation().getByteOffset(), 8)
-      )
-      or
-      // Conversion using dynamic_cast results in an unknown offset
-      instr instanceof CheckedConvertOrNullInstruction and
-      bitOffset = Ints::unknown()
-      or
-      // Converting to a derived class subtracts the offset of the base class.
-      exists(ConvertToDerivedInstruction convert |
-        convert = instr and
-        bitOffset = Ints::neg(Ints::mul(convert.getDerivation().getByteOffset(), 8))
-      )
-      or
-      // Converting to a virtual base class adds an unknown offset.
-      instr instanceof ConvertToVirtualBaseInstruction and
-      bitOffset = Ints::unknown()
-      or
-      // Conversion to another pointer type propagates the source address.
-      exists(ConvertInstruction convert, IRType resultType |
-        convert = instr and
-        resultType = convert.getResultIRType() and
-        resultType instanceof IRAddressType and
-        bitOffset = 0
-      )
-      or
-      // Adding an integer to or subtracting an integer from a pointer propagates
-      // the address with an offset.
-      exists(PointerOffsetInstruction ptrOffset |
-        ptrOffset = instr and
-        operand = ptrOffset.getLeftOperand() and
-        bitOffset = getPointerBitOffset(ptrOffset)
-      )
-      or
-      // Computing a field address from a pointer propagates the address plus the
-      // offset of the field.
-      bitOffset = Language::getFieldBitOffset(instr.(FieldAddressInstruction).getField())
-      or
-      // A copy propagates the source value.
-      operand = instr.(CopyInstruction).getSourceValueOperand() and bitOffset = 0
-      or
-      // Some functions are known to propagate an argument
-      isAlwaysReturnedArgument(operand) and bitOffset = 0
+private predicate operandIsPropagated(Operand operand, IntValue bitOffset, Instruction instr) {
+  instr = operand.getUse() and
+  (
+    // Converting to a non-virtual base class adds the offset of the base class.
+    exists(ConvertToNonVirtualBaseInstruction convert |
+      convert = instr and
+      bitOffset = Ints::mul(convert.getDerivation().getByteOffset(), 8)
     )
+    or
+    // Conversion using dynamic_cast results in an unknown offset
+    instr instanceof CheckedConvertOrNullInstruction and
+    bitOffset = Ints::unknown()
+    or
+    // Converting to a derived class subtracts the offset of the base class.
+    exists(ConvertToDerivedInstruction convert |
+      convert = instr and
+      bitOffset = Ints::neg(Ints::mul(convert.getDerivation().getByteOffset(), 8))
+    )
+    or
+    // Converting to a virtual base class adds an unknown offset.
+    instr instanceof ConvertToVirtualBaseInstruction and
+    bitOffset = Ints::unknown()
+    or
+    // Conversion to another pointer type propagates the source address.
+    exists(ConvertInstruction convert, IRType resultType |
+      convert = instr and
+      resultType = convert.getResultIRType() and
+      resultType instanceof IRAddressType and
+      bitOffset = 0
+    )
+    or
+    // Adding an integer to or subtracting an integer from a pointer propagates
+    // the address with an offset.
+    exists(PointerOffsetInstruction ptrOffset |
+      ptrOffset = instr and
+      operand = ptrOffset.getLeftOperand() and
+      bitOffset = getPointerBitOffset(ptrOffset)
+    )
+    or
+    // Computing a field address from a pointer propagates the address plus the
+    // offset of the field.
+    bitOffset = Language::getFieldBitOffset(instr.(FieldAddressInstruction).getField())
+    or
+    // A copy propagates the source value.
+    operand = instr.(CopyInstruction).getSourceValueOperand() and bitOffset = 0
+    or
+    // Some functions are known to propagate an argument
+    isAlwaysReturnedArgument(operand) and bitOffset = 0
   )
 }
 
 private predicate operandEscapesNonReturn(Operand operand) {
-  // The address is propagated to the result of the instruction, and that result itself is returned
-  operandIsPropagated(operand, _) and resultEscapesNonReturn(operand.getUse())
+  exists(Instruction instr |
+    // The address is propagated to the result of the instruction, and that result itself is returned
+    operandIsPropagated(operand, _, instr) and resultEscapesNonReturn(instr)
+  )
   or
   // The operand is used in a function call which returns it, and the return value is then returned
   exists(CallInstruction ci, Instruction init |
@@ -151,9 +150,11 @@ private predicate operandEscapesNonReturn(Operand operand) {
 }
 
 private predicate operandMayReachReturn(Operand operand) {
-  // The address is propagated to the result of the instruction, and that result itself is returned
-  operandIsPropagated(operand, _) and
-  resultMayReachReturn(operand.getUse())
+  exists(Instruction instr |
+    // The address is propagated to the result of the instruction, and that result itself is returned
+    operandIsPropagated(operand, _, instr) and
+    resultMayReachReturn(instr)
+  )
   or
   // The operand is used in a function call which returns it, and the return value is then returned
   exists(CallInstruction ci, Instruction init |
@@ -173,9 +174,9 @@ private predicate operandMayReachReturn(Operand operand) {
 
 private predicate operandReturned(Operand operand, IntValue bitOffset) {
   // The address is propagated to the result of the instruction, and that result itself is returned
-  exists(IntValue bitOffset1, IntValue bitOffset2 |
-    operandIsPropagated(operand, bitOffset1) and
-    resultReturned(operand.getUse(), bitOffset2) and
+  exists(Instruction instr, IntValue bitOffset1, IntValue bitOffset2 |
+    operandIsPropagated(operand, bitOffset1, instr) and
+    resultReturned(instr, bitOffset2) and
     bitOffset = Ints::add(bitOffset1, bitOffset2)
   )
   or
@@ -270,12 +271,13 @@ predicate allocationEscapes(Configuration::Allocation allocation) {
 /**
  * Equivalent to `operandIsPropagated()`, but includes interprocedural propagation.
  */
-private predicate operandIsPropagatedIncludingByCall(Operand operand, IntValue bitOffset) {
-  operandIsPropagated(operand, bitOffset)
+private predicate operandIsPropagatedIncludingByCall(Operand operand, IntValue bitOffset, Instruction instr) {
+  operandIsPropagated(operand, bitOffset, instr)
   or
   exists(CallInstruction call, Instruction init |
     isArgumentForParameter(call, operand, init) and
-    resultReturned(init, bitOffset)
+    resultReturned(init, bitOffset) and
+    instr = call
   )
 }
 
@@ -292,8 +294,7 @@ private predicate hasBaseAndOffset(AddressOperand addrOperand, Instruction base,
     // We already have an offset from `middle`.
     hasBaseAndOffset(addrOperand, middle, previousBitOffset) and
     // `middle` is propagated from `base`.
-    middleOperand = middle.getAnOperand() and
-    operandIsPropagatedIncludingByCall(middleOperand, additionalBitOffset) and
+    operandIsPropagatedIncludingByCall(middleOperand, additionalBitOffset, middle) and
     base = middleOperand.getDef() and
     bitOffset = Ints::add(previousBitOffset, additionalBitOffset)
   )
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index 19fb0490f80..6105187cc1f 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -34,7 +34,7 @@ private predicate operandIsConsumedWithoutEscaping(Operand operand) {
 
 private predicate operandEscapesDomain(Operand operand) {
   not operandIsConsumedWithoutEscaping(operand) and
-  not operandIsPropagated(operand, _) and
+  not operandIsPropagated(operand, _, _) and
   not isArgumentForParameter(_, operand, _) and
   not isOnlyEscapesViaReturnArgument(operand) and
   not operand.getUse() instanceof ReturnValueInstruction and
@@ -69,67 +69,66 @@ IntValue getPointerBitOffset(PointerOffsetInstruction instr) {
 }
 
 /**
- * Holds if any address held in operand `tag` of instruction `instr` is
- * propagated to the result of `instr`, offset by the number of bits in
- * `bitOffset`. If the address is propagated, but the offset is not known to be
- * a constant, then `bitOffset` is unknown.
+ * Holds if any address held in operand `operand` is propagated to the result of `instr`, offset by
+ * the number of bits in `bitOffset`. If the address is propagated, but the offset is not known to
+ * be a constant, then `bitOffset` is `unknown()`.
  */
-private predicate operandIsPropagated(Operand operand, IntValue bitOffset) {
-  exists(Instruction instr |
-    instr = operand.getUse() and
-    (
-      // Converting to a non-virtual base class adds the offset of the base class.
-      exists(ConvertToNonVirtualBaseInstruction convert |
-        convert = instr and
-        bitOffset = Ints::mul(convert.getDerivation().getByteOffset(), 8)
-      )
-      or
-      // Conversion using dynamic_cast results in an unknown offset
-      instr instanceof CheckedConvertOrNullInstruction and
-      bitOffset = Ints::unknown()
-      or
-      // Converting to a derived class subtracts the offset of the base class.
-      exists(ConvertToDerivedInstruction convert |
-        convert = instr and
-        bitOffset = Ints::neg(Ints::mul(convert.getDerivation().getByteOffset(), 8))
-      )
-      or
-      // Converting to a virtual base class adds an unknown offset.
-      instr instanceof ConvertToVirtualBaseInstruction and
-      bitOffset = Ints::unknown()
-      or
-      // Conversion to another pointer type propagates the source address.
-      exists(ConvertInstruction convert, IRType resultType |
-        convert = instr and
-        resultType = convert.getResultIRType() and
-        resultType instanceof IRAddressType and
-        bitOffset = 0
-      )
-      or
-      // Adding an integer to or subtracting an integer from a pointer propagates
-      // the address with an offset.
-      exists(PointerOffsetInstruction ptrOffset |
-        ptrOffset = instr and
-        operand = ptrOffset.getLeftOperand() and
-        bitOffset = getPointerBitOffset(ptrOffset)
-      )
-      or
-      // Computing a field address from a pointer propagates the address plus the
-      // offset of the field.
-      bitOffset = Language::getFieldBitOffset(instr.(FieldAddressInstruction).getField())
-      or
-      // A copy propagates the source value.
-      operand = instr.(CopyInstruction).getSourceValueOperand() and bitOffset = 0
-      or
-      // Some functions are known to propagate an argument
-      isAlwaysReturnedArgument(operand) and bitOffset = 0
+private predicate operandIsPropagated(Operand operand, IntValue bitOffset, Instruction instr) {
+  instr = operand.getUse() and
+  (
+    // Converting to a non-virtual base class adds the offset of the base class.
+    exists(ConvertToNonVirtualBaseInstruction convert |
+      convert = instr and
+      bitOffset = Ints::mul(convert.getDerivation().getByteOffset(), 8)
     )
+    or
+    // Conversion using dynamic_cast results in an unknown offset
+    instr instanceof CheckedConvertOrNullInstruction and
+    bitOffset = Ints::unknown()
+    or
+    // Converting to a derived class subtracts the offset of the base class.
+    exists(ConvertToDerivedInstruction convert |
+      convert = instr and
+      bitOffset = Ints::neg(Ints::mul(convert.getDerivation().getByteOffset(), 8))
+    )
+    or
+    // Converting to a virtual base class adds an unknown offset.
+    instr instanceof ConvertToVirtualBaseInstruction and
+    bitOffset = Ints::unknown()
+    or
+    // Conversion to another pointer type propagates the source address.
+    exists(ConvertInstruction convert, IRType resultType |
+      convert = instr and
+      resultType = convert.getResultIRType() and
+      resultType instanceof IRAddressType and
+      bitOffset = 0
+    )
+    or
+    // Adding an integer to or subtracting an integer from a pointer propagates
+    // the address with an offset.
+    exists(PointerOffsetInstruction ptrOffset |
+      ptrOffset = instr and
+      operand = ptrOffset.getLeftOperand() and
+      bitOffset = getPointerBitOffset(ptrOffset)
+    )
+    or
+    // Computing a field address from a pointer propagates the address plus the
+    // offset of the field.
+    bitOffset = Language::getFieldBitOffset(instr.(FieldAddressInstruction).getField())
+    or
+    // A copy propagates the source value.
+    operand = instr.(CopyInstruction).getSourceValueOperand() and bitOffset = 0
+    or
+    // Some functions are known to propagate an argument
+    isAlwaysReturnedArgument(operand) and bitOffset = 0
   )
 }
 
 private predicate operandEscapesNonReturn(Operand operand) {
-  // The address is propagated to the result of the instruction, and that result itself is returned
-  operandIsPropagated(operand, _) and resultEscapesNonReturn(operand.getUse())
+  exists(Instruction instr |
+    // The address is propagated to the result of the instruction, and that result itself is returned
+    operandIsPropagated(operand, _, instr) and resultEscapesNonReturn(instr)
+  )
   or
   // The operand is used in a function call which returns it, and the return value is then returned
   exists(CallInstruction ci, Instruction init |
@@ -151,9 +150,11 @@ private predicate operandEscapesNonReturn(Operand operand) {
 }
 
 private predicate operandMayReachReturn(Operand operand) {
-  // The address is propagated to the result of the instruction, and that result itself is returned
-  operandIsPropagated(operand, _) and
-  resultMayReachReturn(operand.getUse())
+  exists(Instruction instr |
+    // The address is propagated to the result of the instruction, and that result itself is returned
+    operandIsPropagated(operand, _, instr) and
+    resultMayReachReturn(instr)
+  )
   or
   // The operand is used in a function call which returns it, and the return value is then returned
   exists(CallInstruction ci, Instruction init |
@@ -173,9 +174,9 @@ private predicate operandMayReachReturn(Operand operand) {
 
 private predicate operandReturned(Operand operand, IntValue bitOffset) {
   // The address is propagated to the result of the instruction, and that result itself is returned
-  exists(IntValue bitOffset1, IntValue bitOffset2 |
-    operandIsPropagated(operand, bitOffset1) and
-    resultReturned(operand.getUse(), bitOffset2) and
+  exists(Instruction instr, IntValue bitOffset1, IntValue bitOffset2 |
+    operandIsPropagated(operand, bitOffset1, instr) and
+    resultReturned(instr, bitOffset2) and
     bitOffset = Ints::add(bitOffset1, bitOffset2)
   )
   or
@@ -270,12 +271,13 @@ predicate allocationEscapes(Configuration::Allocation allocation) {
 /**
  * Equivalent to `operandIsPropagated()`, but includes interprocedural propagation.
  */
-private predicate operandIsPropagatedIncludingByCall(Operand operand, IntValue bitOffset) {
-  operandIsPropagated(operand, bitOffset)
+private predicate operandIsPropagatedIncludingByCall(Operand operand, IntValue bitOffset, Instruction instr) {
+  operandIsPropagated(operand, bitOffset, instr)
   or
   exists(CallInstruction call, Instruction init |
     isArgumentForParameter(call, operand, init) and
-    resultReturned(init, bitOffset)
+    resultReturned(init, bitOffset) and
+    instr = call
   )
 }
 
@@ -292,8 +294,7 @@ private predicate hasBaseAndOffset(AddressOperand addrOperand, Instruction base,
     // We already have an offset from `middle`.
     hasBaseAndOffset(addrOperand, middle, previousBitOffset) and
     // `middle` is propagated from `base`.
-    middleOperand = middle.getAnOperand() and
-    operandIsPropagatedIncludingByCall(middleOperand, additionalBitOffset) and
+    operandIsPropagatedIncludingByCall(middleOperand, additionalBitOffset, middle) and
     base = middleOperand.getDef() and
     bitOffset = Ints::add(previousBitOffset, additionalBitOffset)
   )

From 02707f0777d42601511f3ad6cd22927baed41fae Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Tue, 20 Apr 2021 19:51:16 +0100
Subject: [PATCH 0516/1429] JS: informational -> info

---
 javascript/ql/src/Summary/TaintSinks.ql   | 2 +-
 javascript/ql/src/Summary/TaintSources.ql | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/src/Summary/TaintSinks.ql b/javascript/ql/src/Summary/TaintSinks.ql
index 24f6579efec..2da65398935 100644
--- a/javascript/ql/src/Summary/TaintSinks.ql
+++ b/javascript/ql/src/Summary/TaintSinks.ql
@@ -2,7 +2,7 @@
  * @name Taint sinks
  * @description Expressions that are vulnerable if containing untrusted data.
  * @kind problem
- * @problem.severity informational
+ * @problem.severity info
  * @id js/summary/taint-sinks
  * @tags summary
  * @precision medium
diff --git a/javascript/ql/src/Summary/TaintSources.ql b/javascript/ql/src/Summary/TaintSources.ql
index 7178a76dde9..78e544f0bd5 100644
--- a/javascript/ql/src/Summary/TaintSources.ql
+++ b/javascript/ql/src/Summary/TaintSources.ql
@@ -2,7 +2,7 @@
  * @name Taint sources
  * @description Sources of untrusted input.
  * @kind problem
- * @problem.severity informational
+ * @problem.severity info
  * @id js/summary/taint-sources
  * @tags summary
  * @precision medium

From 0c4181178de559731064e80ce26f2d4b75089d94 Mon Sep 17 00:00:00 2001
From: yoff <lerchedahl@gmail.com>
Date: Tue, 20 Apr 2021 22:15:09 +0200
Subject: [PATCH 0517/1429] Update
 python/ql/src/semmle/python/frameworks/Stdlib.qll

Co-authored-by: Taus <tausbn@github.com>
---
 python/ql/src/semmle/python/frameworks/Stdlib.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index bc8a1c4c12c..01d35704ec7 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -948,7 +948,7 @@ private module Stdlib {
       typePreservingCall(nodeFrom, result)
     )
     or
-    // Type-preserving attribute
+    // Type-preserving attribute access
     exists(DataFlow::Node nodeFrom, DataFlow::TypeTracker t2 |
       nodeFrom.getALocalSource() = pathlibPath(t2) and
       t2.end()

From 26502881d78b7bcd98212cae695fd7d3d2c27e2f Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Tue, 20 Apr 2021 22:56:58 +0200
Subject: [PATCH 0518/1429] Java: Consistently use this in charpred.

---
 .../CWE/CWE-347/MissingJWTSignatureCheck.ql   | 36 +++++++++----------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
index cd8f079f7fe..c456231f0ca 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
@@ -14,57 +14,57 @@ import semmle.code.java.dataflow.DataFlow
 
 /** The interface `io.jsonwebtoken.JwtParser`. */
 class TypeJwtParser extends Interface {
-  TypeJwtParser() { hasQualifiedName("io.jsonwebtoken", "JwtParser") }
+  TypeJwtParser() { this.hasQualifiedName("io.jsonwebtoken", "JwtParser") }
 }
 
 /** The interface `io.jsonwebtoken.JwtParserBuilder`. */
 class TypeJwtParserBuilder extends Interface {
-  TypeJwtParserBuilder() { hasQualifiedName("io.jsonwebtoken", "JwtParserBuilder") }
+  TypeJwtParserBuilder() { this.hasQualifiedName("io.jsonwebtoken", "JwtParserBuilder") }
 }
 
 /** The interface `io.jsonwebtoken.JwtHandler`. */
 class TypeJwtHandler extends Interface {
-  TypeJwtHandler() { hasQualifiedName("io.jsonwebtoken", "JwtHandler") }
+  TypeJwtHandler() { this.hasQualifiedName("io.jsonwebtoken", "JwtHandler") }
 }
 
 /** The class `io.jsonwebtoken.JwtHandlerAdapter`. */
 class TypeJwtHandlerAdapter extends Class {
-  TypeJwtHandlerAdapter() { hasQualifiedName("io.jsonwebtoken", "JwtHandlerAdapter") }
+  TypeJwtHandlerAdapter() { this.hasQualifiedName("io.jsonwebtoken", "JwtHandlerAdapter") }
 }
 
 /** The `parse(token, handler)` method defined in `TypeJwtParser`. */
 private class JwtParserParseHandlerMethod extends Method {
   JwtParserParseHandlerMethod() {
-    hasName("parse") and
-    getDeclaringType() instanceof TypeJwtParser and
-    getNumberOfParameters() = 2
+    this.hasName("parse") and
+    this.getDeclaringType() instanceof TypeJwtParser and
+    this.getNumberOfParameters() = 2
   }
 }
 
 /** The `parse(token)`, `parseClaimsJwt(token)` and `parsePlaintextJwt(token)` methods defined in `TypeJwtParser`. */
 private class JwtParserInsecureParseMethods extends Method {
   JwtParserInsecureParseMethods() {
-    hasName(["parse", "parseClaimsJwt", "parsePlaintextJwt"]) and
-    getNumberOfParameters() = 1 and
-    getDeclaringType() instanceof TypeJwtParser
+    this.hasName(["parse", "parseClaimsJwt", "parsePlaintextJwt"]) and
+    this.getNumberOfParameters() = 1 and
+    this.getDeclaringType() instanceof TypeJwtParser
   }
 }
 
 /** The `onClaimsJwt(jwt)` and `onPlaintextJwt(jwt)` methods defined in `TypeJwtHandler`. */
 private class JwtHandlerOnJwtMethods extends Method {
   JwtHandlerOnJwtMethods() {
-    hasName(["onClaimsJwt", "onPlaintextJwt"]) and
-    getNumberOfParameters() = 1 and
-    getDeclaringType() instanceof TypeJwtHandler
+    this.hasName(["onClaimsJwt", "onPlaintextJwt"]) and
+    this.getNumberOfParameters() = 1 and
+    this.getDeclaringType() instanceof TypeJwtHandler
   }
 }
 
 /** The `onClaimsJwt(jwt)` and `onPlaintextJwt(jwt)` methods defined in `TypeJwtHandlerAdapter`. */
 private class JwtHandlerAdapterOnJwtMethods extends Method {
   JwtHandlerAdapterOnJwtMethods() {
-    hasName(["onClaimsJwt", "onPlaintextJwt"]) and
-    getNumberOfParameters() = 1 and
-    getDeclaringType() instanceof TypeJwtHandlerAdapter
+    this.hasName(["onClaimsJwt", "onPlaintextJwt"]) and
+    this.getNumberOfParameters() = 1 and
+    this.getDeclaringType() instanceof TypeJwtHandlerAdapter
   }
 }
 
@@ -92,9 +92,9 @@ private predicate isInsecureParseHandler(Expr parseHandlerExpr) {
  */
 private class JwtParserInsecureParseMethodAccess extends MethodAccess {
   JwtParserInsecureParseMethodAccess() {
-    getMethod().getASourceOverriddenMethod*() instanceof JwtParserInsecureParseMethods
+    this.getMethod().getASourceOverriddenMethod*() instanceof JwtParserInsecureParseMethods
     or
-    getMethod().getASourceOverriddenMethod*() instanceof JwtParserParseHandlerMethod and
+    this.getMethod().getASourceOverriddenMethod*() instanceof JwtParserParseHandlerMethod and
     isInsecureParseHandler(this.getArgument(1))
   }
 }

From 9e4fa90f6eadeb16c2f002b20099bba393d94d16 Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Tue, 20 Apr 2021 23:02:18 +0200
Subject: [PATCH 0519/1429] Java: Refer to Java types in qldoc instead of ql
 types.

---
 .../CWE/CWE-347/MissingJWTSignatureCheck.ql   | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
index c456231f0ca..24a23b74256 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
@@ -32,7 +32,7 @@ class TypeJwtHandlerAdapter extends Class {
   TypeJwtHandlerAdapter() { this.hasQualifiedName("io.jsonwebtoken", "JwtHandlerAdapter") }
 }
 
-/** The `parse(token, handler)` method defined in `TypeJwtParser`. */
+/** The `parse(token, handler)` method defined in `JwtParser`. */
 private class JwtParserParseHandlerMethod extends Method {
   JwtParserParseHandlerMethod() {
     this.hasName("parse") and
@@ -41,7 +41,7 @@ private class JwtParserParseHandlerMethod extends Method {
   }
 }
 
-/** The `parse(token)`, `parseClaimsJwt(token)` and `parsePlaintextJwt(token)` methods defined in `TypeJwtParser`. */
+/** The `parse(token)`, `parseClaimsJwt(token)` and `parsePlaintextJwt(token)` methods defined in `JwtParser`. */
 private class JwtParserInsecureParseMethods extends Method {
   JwtParserInsecureParseMethods() {
     this.hasName(["parse", "parseClaimsJwt", "parsePlaintextJwt"]) and
@@ -50,7 +50,7 @@ private class JwtParserInsecureParseMethods extends Method {
   }
 }
 
-/** The `onClaimsJwt(jwt)` and `onPlaintextJwt(jwt)` methods defined in `TypeJwtHandler`. */
+/** The `onClaimsJwt(jwt)` and `onPlaintextJwt(jwt)` methods defined in `JwtHandler`. */
 private class JwtHandlerOnJwtMethods extends Method {
   JwtHandlerOnJwtMethods() {
     this.hasName(["onClaimsJwt", "onPlaintextJwt"]) and
@@ -59,7 +59,7 @@ private class JwtHandlerOnJwtMethods extends Method {
   }
 }
 
-/** The `onClaimsJwt(jwt)` and `onPlaintextJwt(jwt)` methods defined in `TypeJwtHandlerAdapter`. */
+/** The `onClaimsJwt(jwt)` and `onPlaintextJwt(jwt)` methods defined in `JwtHandlerAdapter`. */
 private class JwtHandlerAdapterOnJwtMethods extends Method {
   JwtHandlerAdapterOnJwtMethods() {
     this.hasName(["onClaimsJwt", "onPlaintextJwt"]) and
@@ -100,24 +100,24 @@ private class JwtParserInsecureParseMethodAccess extends MethodAccess {
 }
 
 /**
- * Holds if `signingMa` directly or indirectly sets a signing key for `expr`, which is a `TypeJwtParser`.
- * The `setSigningKey` and `setSigningKeyResolver` methods set a signing key for a `TypeJwtParser`.
+ * Holds if `signingMa` directly or indirectly sets a signing key for `expr`, which is a `JwtParser`.
+ * The `setSigningKey` and `setSigningKeyResolver` methods set a signing key for a `JwtParser`.
  * Directly means code like this:
  * ```java
  * Jwts.parser().setSigningKey(key).parse(token);
  * ```
- * Here the signing key is set directly on a `TypeJwtParser`.
+ * Here the signing key is set directly on a `JwtParser`.
  * Indirectly means code like this:
  * ```java
  * Jwts.parserBuilder().setSigningKey(key).build().parse(token);
  * ```
- * In this case, the signing key is set on a `TypeJwtParserBuilder` indirectly setting the key of `TypeJwtParser` that is created by the call to `build`.
+ * In this case, the signing key is set on a `JwtParserBuilder` indirectly setting the key of `JwtParser` that is created by the call to `build`.
  */
 private predicate isSigningKeySet(Expr expr, MethodAccess signingMa) {
   any(SigningToExprDataFlow s).hasFlow(DataFlow::exprNode(signingMa), DataFlow::exprNode(expr))
 }
 
-/** An expr that is a `TypeJwtParser` for which a signing key has been set. */
+/** An expr that is a `JwtParser` for which a signing key has been set. */
 private class JwtParserWithSigningKeyExpr extends Expr {
   MethodAccess signingMa;
 
@@ -131,8 +131,8 @@ private class JwtParserWithSigningKeyExpr extends Expr {
 }
 
 /**
- * Models flow from `SigningKeyMethodAccess`es to expressions that are a (sub-type of) `TypeJwtParser`.
- * This is used to determine whether a `TypeJwtParser` has a signing key set.
+ * Models flow from `SigningKeyMethodAccess`es to expressions that are a (sub-type of) `JwtParser`.
+ * This is used to determine whether a `JwtParser` has a signing key set.
  */
 private class SigningToExprDataFlow extends DataFlow::Configuration {
   SigningToExprDataFlow() { this = "SigningToExprDataFlow" }
@@ -145,7 +145,7 @@ private class SigningToExprDataFlow extends DataFlow::Configuration {
     sink.asExpr().getType().(RefType).getASourceSupertype*() instanceof TypeJwtParser
   }
 
-  /** Models the builder style of `TypeJwtParser` and `TypeJwtParserBuilder`. */
+  /** Models the builder style of `JwtParser` and `JwtParserBuilder`. */
   override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
     (
       pred.asExpr().getType().(RefType).getASourceSupertype*() instanceof TypeJwtParser or
@@ -155,7 +155,7 @@ private class SigningToExprDataFlow extends DataFlow::Configuration {
   }
 }
 
-/** An access to the `setSigningKey` or `setSigningKeyResolver` method (or an overriden method) defined in `TypeJwtParser` and `TypeJwtParserBuilder`. */
+/** An access to the `setSigningKey` or `setSigningKeyResolver` method (or an overriden method) defined in `JwtParser` and `JwtParserBuilder`. */
 private class SigningKeyMethodAccess extends MethodAccess {
   SigningKeyMethodAccess() {
     exists(Method m |

From 149c4491cea4777a4e4e75348d726ef0d6089d59 Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Tue, 20 Apr 2021 23:03:10 +0200
Subject: [PATCH 0520/1429] Java: Simplify qldoc.

---
 .../Security/CWE/CWE-347/MissingJWTSignatureCheck.ql          | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
index 24a23b74256..e0cd34ba53d 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
@@ -50,7 +50,7 @@ private class JwtParserInsecureParseMethods extends Method {
   }
 }
 
-/** The `onClaimsJwt(jwt)` and `onPlaintextJwt(jwt)` methods defined in `JwtHandler`. */
+/** The `on(Claims|Plaintext)Jwt` methods defined in `JwtHandler`. */
 private class JwtHandlerOnJwtMethods extends Method {
   JwtHandlerOnJwtMethods() {
     this.hasName(["onClaimsJwt", "onPlaintextJwt"]) and
@@ -59,7 +59,7 @@ private class JwtHandlerOnJwtMethods extends Method {
   }
 }
 
-/** The `onClaimsJwt(jwt)` and `onPlaintextJwt(jwt)` methods defined in `JwtHandlerAdapter`. */
+/** The `on(Claims|Plaintext)Jwt` methods defined in `JwtHandlerAdapter`. */
 private class JwtHandlerAdapterOnJwtMethods extends Method {
   JwtHandlerAdapterOnJwtMethods() {
     this.hasName(["onClaimsJwt", "onPlaintextJwt"]) and

From 3acec947733e0fb6a2e460db412b27f78bd080ac Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Tue, 20 Apr 2021 23:04:06 +0200
Subject: [PATCH 0521/1429] Java: Fix typos.

---
 .../Security/CWE/CWE-347/MissingJWTSignatureCheck.ql        | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
index e0cd34ba53d..8e1cb8fc432 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
@@ -70,8 +70,8 @@ private class JwtHandlerAdapterOnJwtMethods extends Method {
 
 /**
  * Holds if `parseHandlerExpr` is an insecure `JwtHandler`.
- * That is, it overrides a method from `JwtHandlerOnJwtMethods` and the overriden method is not a method from `JwtHandlerAdapterOnJwtMethods`.
- * A overriden method which is a method from `JwtHandlerAdapterOnJwtMethods` is safe, because these always throw an exception.
+ * That is, it overrides a method from `JwtHandlerOnJwtMethods` and the overridden method is not a method from `JwtHandlerAdapterOnJwtMethods`.
+ * A overridden method which is a method from `JwtHandlerAdapterOnJwtMethods` is safe, because these always throw an exception.
  */
 private predicate isInsecureParseHandler(Expr parseHandlerExpr) {
   exists(RefType t |
@@ -155,7 +155,7 @@ private class SigningToExprDataFlow extends DataFlow::Configuration {
   }
 }
 
-/** An access to the `setSigningKey` or `setSigningKeyResolver` method (or an overriden method) defined in `JwtParser` and `JwtParserBuilder`. */
+/** An access to the `setSigningKey` or `setSigningKeyResolver` method (or an overridden method) defined in `JwtParser` and `JwtParserBuilder`. */
 private class SigningKeyMethodAccess extends MethodAccess {
   SigningKeyMethodAccess() {
     exists(Method m |

From fcaf5e76572fc0d5b5a7ad8464fe1637548e246c Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Tue, 20 Apr 2021 23:09:44 +0200
Subject: [PATCH 0522/1429] Java: Plural type name -> singular type name.

---
 .../CWE/CWE-347/MissingJWTSignatureCheck.ql   | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
index 8e1cb8fc432..2fcb09e4778 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
@@ -42,8 +42,8 @@ private class JwtParserParseHandlerMethod extends Method {
 }
 
 /** The `parse(token)`, `parseClaimsJwt(token)` and `parsePlaintextJwt(token)` methods defined in `JwtParser`. */
-private class JwtParserInsecureParseMethods extends Method {
-  JwtParserInsecureParseMethods() {
+private class JwtParserInsecureParseMethod extends Method {
+  JwtParserInsecureParseMethod() {
     this.hasName(["parse", "parseClaimsJwt", "parsePlaintextJwt"]) and
     this.getNumberOfParameters() = 1 and
     this.getDeclaringType() instanceof TypeJwtParser
@@ -51,8 +51,8 @@ private class JwtParserInsecureParseMethods extends Method {
 }
 
 /** The `on(Claims|Plaintext)Jwt` methods defined in `JwtHandler`. */
-private class JwtHandlerOnJwtMethods extends Method {
-  JwtHandlerOnJwtMethods() {
+private class JwtHandlerOnJwtMethod extends Method {
+  JwtHandlerOnJwtMethod() {
     this.hasName(["onClaimsJwt", "onPlaintextJwt"]) and
     this.getNumberOfParameters() = 1 and
     this.getDeclaringType() instanceof TypeJwtHandler
@@ -60,8 +60,8 @@ private class JwtHandlerOnJwtMethods extends Method {
 }
 
 /** The `on(Claims|Plaintext)Jwt` methods defined in `JwtHandlerAdapter`. */
-private class JwtHandlerAdapterOnJwtMethods extends Method {
-  JwtHandlerAdapterOnJwtMethods() {
+private class JwtHandlerAdapterOnJwtMethod extends Method {
+  JwtHandlerAdapterOnJwtMethod() {
     this.hasName(["onClaimsJwt", "onPlaintextJwt"]) and
     this.getNumberOfParameters() = 1 and
     this.getDeclaringType() instanceof TypeJwtHandlerAdapter
@@ -70,8 +70,8 @@ private class JwtHandlerAdapterOnJwtMethods extends Method {
 
 /**
  * Holds if `parseHandlerExpr` is an insecure `JwtHandler`.
- * That is, it overrides a method from `JwtHandlerOnJwtMethods` and the overridden method is not a method from `JwtHandlerAdapterOnJwtMethods`.
- * A overridden method which is a method from `JwtHandlerAdapterOnJwtMethods` is safe, because these always throw an exception.
+ * That is, it overrides a method from `JwtHandlerOnJwtMethod` and the overridden method is not a method from `JwtHandlerAdapterOnJwtMethod`.
+ * A overridden method which is a method from `JwtHandlerAdapterOnJwtMethod` is safe, because these always throw an exception.
  */
 private predicate isInsecureParseHandler(Expr parseHandlerExpr) {
   exists(RefType t |
@@ -79,8 +79,8 @@ private predicate isInsecureParseHandler(Expr parseHandlerExpr) {
     t.getASourceSupertype*() instanceof TypeJwtHandler and
     exists(Method m |
       m = t.getAMethod() and
-      m.getASourceOverriddenMethod+() instanceof JwtHandlerOnJwtMethods and
-      not m.getSourceDeclaration() instanceof JwtHandlerAdapterOnJwtMethods
+      m.getASourceOverriddenMethod+() instanceof JwtHandlerOnJwtMethod and
+      not m.getSourceDeclaration() instanceof JwtHandlerAdapterOnJwtMethod
     )
   )
 }
@@ -92,7 +92,7 @@ private predicate isInsecureParseHandler(Expr parseHandlerExpr) {
  */
 private class JwtParserInsecureParseMethodAccess extends MethodAccess {
   JwtParserInsecureParseMethodAccess() {
-    this.getMethod().getASourceOverriddenMethod*() instanceof JwtParserInsecureParseMethods
+    this.getMethod().getASourceOverriddenMethod*() instanceof JwtParserInsecureParseMethod
     or
     this.getMethod().getASourceOverriddenMethod*() instanceof JwtParserParseHandlerMethod and
     isInsecureParseHandler(this.getArgument(1))

From 231b07795c9b75a3dfa87e6f74db72c39750aa36 Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Tue, 20 Apr 2021 23:25:13 +0200
Subject: [PATCH 0523/1429] Java: Ignore results in test directories.

---
 .../CWE/CWE-347/MissingJWTSignatureCheck.ql      | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
index 2fcb09e4778..fafbf288b1f 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
@@ -171,7 +171,21 @@ private class SigningKeyMethodAccess extends MethodAccess {
   }
 }
 
+/**
+ * Holds if the `MethodAccess` `ma` occurs in a test file. A test file is any file that
+ * is a direct or indirect child of a directory named `test`, ignoring case.
+ */
+private predicate isInTestFile(MethodAccess ma) {
+  exists(string lowerCasedAbsolutePath |
+    lowerCasedAbsolutePath = ma.getLocation().getFile().getAbsolutePath().toLowerCase()
+  |
+    lowerCasedAbsolutePath.matches("%/test/%") and
+    not lowerCasedAbsolutePath
+        .matches("%/ql/test/experimental/query-tests/security/CWE-347/%".toLowerCase())
+  )
+}
+
 from JwtParserInsecureParseMethodAccess ma, JwtParserWithSigningKeyExpr parserExpr
-where ma.getQualifier() = parserExpr
+where ma.getQualifier() = parserExpr and not isInTestFile(ma)
 select ma, "A signing key is set $@, but the signature is not verified.",
   parserExpr.getSigningMethodAccess(), "here"

From 45968efd283d185b89103fa2a3cf7868d22928e8 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Tue, 20 Apr 2021 18:21:50 -0400
Subject: [PATCH 0524/1429] C++: Add shared test headers to emulate standard
 library types

---
 cpp/ql/test/include/memory.h      | 137 ++++++++++++++++++++++++++++++
 cpp/ql/test/include/type_traits.h |  21 +++++
 cpp/ql/test/include/utility.h     |  13 +++
 3 files changed, 171 insertions(+)
 create mode 100644 cpp/ql/test/include/memory.h
 create mode 100644 cpp/ql/test/include/type_traits.h
 create mode 100644 cpp/ql/test/include/utility.h

diff --git a/cpp/ql/test/include/memory.h b/cpp/ql/test/include/memory.h
new file mode 100644
index 00000000000..5d5c55ed989
--- /dev/null
+++ b/cpp/ql/test/include/memory.h
@@ -0,0 +1,137 @@
+#if !defined(CODEQL_MEMORY_H)
+#define CODEQL_MEMORY_H
+
+namespace std {
+  namespace detail {
+    template<typename T>
+    class compressed_pair_element {
+      T element;
+
+    public:
+      compressed_pair_element() = default;
+      compressed_pair_element(const T& t) : element(t) {}
+      
+      T& get() { return element; }
+
+      const T& get() const { return element; }
+    };
+
+    template<typename T, typename U>
+    struct compressed_pair : private compressed_pair_element<T>, private compressed_pair_element<U> {
+      compressed_pair() = default;
+      compressed_pair(T& t) : compressed_pair_element<T>(t), compressed_pair_element<U>() {}
+      compressed_pair(const compressed_pair&) = delete;
+      compressed_pair(compressed_pair<T, U>&&) noexcept = default;
+
+      T& first() { return static_cast<compressed_pair_element<T>&>(*this).get(); }
+      U& second() { return static_cast<compressed_pair_element<U>&>(*this).get(); }
+
+      const T& first() const { return static_cast<const compressed_pair_element<T>&>(*this).get(); }
+      const U& second() const { return static_cast<const compressed_pair_element<U>&>(*this).get(); }
+    };
+  }
+
+  template<class T>
+  struct default_delete {
+    void operator()(T* ptr) const { delete ptr; }
+  };
+
+  template<class T>
+  struct default_delete<T[]> {
+    template<class U>
+    void operator()(U* ptr) const { delete[] ptr; }
+  };
+
+  template<class T, class Deleter = default_delete<T> >
+  class unique_ptr {
+  private:
+    detail::compressed_pair<T*, Deleter> data;
+  public:
+    constexpr unique_ptr() noexcept {}
+    explicit unique_ptr(T* ptr) noexcept : data(ptr) {}
+    unique_ptr(const unique_ptr& ptr) = delete;
+    unique_ptr(unique_ptr&& ptr) noexcept = default;
+
+    unique_ptr& operator=(unique_ptr&& ptr) noexcept = default;
+
+    T& operator*() const { return *get(); }
+    T* operator->() const noexcept { return get(); }
+
+    T* get() const noexcept { return data.first(); }
+    T* release() noexcept { 
+        Deleter& d = data.second();
+        d(data.first());
+        data.first() = nullptr;
+    }
+
+    ~unique_ptr() {
+      Deleter& d = data.second();
+      d(data.first());
+    }
+  };
+  
+  template<typename T, class... Args> unique_ptr<T> make_unique(Args&&... args) {
+    return unique_ptr<T>(new T(args...)); // std::forward calls elided for simplicity.
+  }
+
+  class ctrl_block {
+    unsigned uses;
+
+  public:
+    ctrl_block() : uses(1) {}
+
+    void inc() { ++uses; }
+    bool dec() { return --uses == 0; }
+
+    virtual void destroy() = 0;
+    virtual ~ctrl_block() {}
+  };
+
+  template<typename T, class Deleter = default_delete<T> >
+  struct ctrl_block_impl: public ctrl_block {
+    T* ptr;
+    Deleter d;
+
+    ctrl_block_impl(T* ptr, Deleter d) : ptr(ptr), d(d) {}
+    virtual void destroy() override { d(ptr); }
+  };
+
+  template<class T>
+  class shared_ptr {
+  private:
+    ctrl_block* ctrl;
+    T* ptr;
+
+    void dec() {
+      if(ctrl->dec()) {
+        ctrl->destroy();
+        delete ctrl;
+      }
+    }
+
+    void inc() {
+      ctrl->inc();
+    }
+
+  public:
+    constexpr shared_ptr() noexcept = default;
+    shared_ptr(T* ptr) : ctrl(new ctrl_block_impl<T>(ptr, default_delete<T>())) {}
+    shared_ptr(const shared_ptr& s) noexcept : ptr(s.ptr), ctrl(s.ctrl) {
+      inc();
+    }
+    shared_ptr(shared_ptr&& s) noexcept = default;
+    shared_ptr(unique_ptr<T>&& s) : shared_ptr(s.release()) {
+    }
+    T* operator->() const { return ptr; }
+
+    T& operator*() const { return *ptr; }
+
+    ~shared_ptr() { dec(); }
+  };
+
+  template<typename T, class... Args> shared_ptr<T> make_shared(Args&&... args) {
+    return shared_ptr<T>(new T(args...)); // std::forward calls elided for simplicity.
+  }
+}
+
+#endif
\ No newline at end of file
diff --git a/cpp/ql/test/include/type_traits.h b/cpp/ql/test/include/type_traits.h
new file mode 100644
index 00000000000..19bdd46906b
--- /dev/null
+++ b/cpp/ql/test/include/type_traits.h
@@ -0,0 +1,21 @@
+#if !defined(CODEQL_TYPE_TRAITS_H)
+#define CODEQL_TYPE_TRAITS_H
+
+namespace std {
+    template<typename T>
+    struct remove_reference {
+        typedef T type;
+    };
+
+    template<typename T>
+    struct remove_reference<T&> {
+        typedef T type;
+    };
+
+    template<typename T>
+    struct remove_reference<T&&> {
+        typedef T type;
+    };
+}
+
+#endif
diff --git a/cpp/ql/test/include/utility.h b/cpp/ql/test/include/utility.h
new file mode 100644
index 00000000000..24c8572886d
--- /dev/null
+++ b/cpp/ql/test/include/utility.h
@@ -0,0 +1,13 @@
+#if !defined(CODEQL_UTILITY_H)
+#define CODEQL_UTILITY_H
+
+#include "type_traits.h"
+
+namespace std {
+    template<typename T>
+    typename remove_reference<T>::type&& move(T&& src) {
+        return static_cast<typename remove_reference<T>::type&&>(src);
+    }
+}
+
+#endif

From 078d2522d29566f99c2e41f51f2dd06e318eb400 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Tue, 20 Apr 2021 19:40:36 -0400
Subject: [PATCH 0525/1429] C++: Add missing `shared_ptr<T>` members

---
 cpp/ql/test/include/memory.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cpp/ql/test/include/memory.h b/cpp/ql/test/include/memory.h
index 5d5c55ed989..fdd09a7d43b 100644
--- a/cpp/ql/test/include/memory.h
+++ b/cpp/ql/test/include/memory.h
@@ -126,6 +126,8 @@ namespace std {
 
     T& operator*() const { return *ptr; }
 
+    T* get() const noexcept { return ptr; }
+
     ~shared_ptr() { dec(); }
   };
 

From 63fe4fb317c7f73e159831b92a82cf851681bafe Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Tue, 20 Apr 2021 19:41:15 -0400
Subject: [PATCH 0526/1429] C++: More general model for pointer flow

---
 .../src/semmle/code/cpp/models/interfaces/Alias.qll | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/interfaces/Alias.qll b/cpp/ql/src/semmle/code/cpp/models/interfaces/Alias.qll
index 083bbf55c38..e947a93fc90 100644
--- a/cpp/ql/src/semmle/code/cpp/models/interfaces/Alias.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/Alias.qll
@@ -50,5 +50,16 @@ abstract class AliasFunction extends Function {
   /**
    * Holds if the function always returns the value of the parameter at the specified index.
    */
-  abstract predicate parameterIsAlwaysReturned(int index);
+  predicate parameterIsAlwaysReturned(int index) { none() }
+
+  /**
+   * Holds if the address passed in via `input` is always propagated to `output`.
+   */
+  predicate hasAddressFlow(FunctionInput input, FunctionOutput output) {
+    exists(int index |
+      // By default, just use the old `parameterIsAlwaysReturned` predicate to detect flow from the
+      // parameter to the return value.
+      input.isParameter(index) and output.isReturnValue() and this.parameterIsAlwaysReturned(index)
+    )
+  }
 }

From a447b049fc9a46e5c8d23e3176eeab469a169cc9 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Tue, 20 Apr 2021 19:42:06 -0400
Subject: [PATCH 0527/1429] C++: Impoved alias analysis of smart pointers

---
 .../aliased_ssa/internal/AliasAnalysis.qll    |  83 +++++++++--
 .../internal/AliasConfiguration.qll           |  16 ++-
 .../unaliased_ssa/internal/AliasAnalysis.qll  |  83 +++++++++--
 .../models/implementations/SmartPointer.qll   | 135 ++++++++++++++----
 .../library-tests/ir/points_to/points_to.ql   |  19 ++-
 .../ir/points_to/smart_pointer.cpp            |  33 +++++
 .../unaliased_ssa/internal/AliasAnalysis.qll  |  83 +++++++++--
 7 files changed, 387 insertions(+), 65 deletions(-)
 create mode 100644 cpp/ql/test/library-tests/ir/points_to/smart_pointer.cpp

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
index 6105187cc1f..b745554f8df 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
@@ -4,6 +4,71 @@ private import AliasAnalysisImports
 
 private class IntValue = Ints::IntValue;
 
+/**
+ * If `instr` is a `SideEffectInstruction`, gets the primary `CallInstruction` that caused the side
+ * effect. If `instr` is a `CallInstruction`, gets that same `CallInstruction`.
+ */
+private CallInstruction getPrimaryCall(Instruction instr) {
+  result = instr.(CallInstruction)
+  or
+  result = instr.(SideEffectInstruction).getPrimaryInstruction()
+}
+
+/**
+ * Holds if `operand` serves as an input argument (or indirection) to `call`, in the position
+ * specified by `input`.
+ */
+private predicate isCallInput(
+  CallInstruction call, Operand operand, AliasModels::FunctionInput input
+) {
+  call = getPrimaryCall(operand.getUse()) and
+  (
+    exists(int index |
+      input.isParameterOrQualifierAddress(index) and
+      operand = call.getArgumentOperand(index)
+    )
+    or
+    exists(int index, ReadSideEffectInstruction read |
+      input.isParameterDerefOrQualifierObject(index) and
+      read = call.getAParameterSideEffect(index) and
+      operand = read.getSideEffectOperand()
+    )
+  )
+}
+
+/**
+ * Holds if `instr` serves as a return value or output argument indirection for `call`, in the
+ * position specified by `output`.
+ */
+private predicate isCallOutput(
+  CallInstruction call, Instruction instr, AliasModels::FunctionOutput output
+) {
+  call = getPrimaryCall(instr) and
+  (
+    output.isReturnValue() and instr = call
+    or
+    exists(int index, WriteSideEffectInstruction write |
+      output.isParameterDerefOrQualifierObject(index) and
+      write = call.getAParameterSideEffect(index) and
+      instr = write
+    )
+  )
+}
+
+/**
+ * Holds if the address in `operand` flows directly to the result of `resultInstr` due to modeled
+ * address flow through a function call.
+ */
+private predicate hasAddressFlowThroughCall(Operand operand, Instruction resultInstr) {
+  exists(
+    CallInstruction call, AliasModels::FunctionInput input, AliasModels::FunctionOutput output
+  |
+    call.getStaticCallTarget().(AliasModels::AliasFunction).hasAddressFlow(input, output) and
+    isCallInput(call, operand, input) and
+    isCallOutput(call, resultInstr, output)
+  )
+}
+
 /**
  * Holds if the operand `tag` of instruction `instr` is used in a way that does
  * not result in any address held in that operand from escaping beyond the
@@ -74,6 +139,10 @@ IntValue getPointerBitOffset(PointerOffsetInstruction instr) {
  * be a constant, then `bitOffset` is `unknown()`.
  */
 private predicate operandIsPropagated(Operand operand, IntValue bitOffset, Instruction instr) {
+  // Some functions are known to propagate an argument
+  hasAddressFlowThroughCall(operand, instr) and
+  bitOffset = 0
+  or
   instr = operand.getUse() and
   (
     // Converting to a non-virtual base class adds the offset of the base class.
@@ -118,9 +187,6 @@ private predicate operandIsPropagated(Operand operand, IntValue bitOffset, Instr
     or
     // A copy propagates the source value.
     operand = instr.(CopyInstruction).getSourceValueOperand() and bitOffset = 0
-    or
-    // Some functions are known to propagate an argument
-    isAlwaysReturnedArgument(operand) and bitOffset = 0
   )
 }
 
@@ -215,13 +281,6 @@ private predicate isArgumentForParameter(
   )
 }
 
-private predicate isAlwaysReturnedArgument(Operand operand) {
-  exists(AliasModels::AliasFunction f |
-    f = operand.getUse().(CallInstruction).getStaticCallTarget() and
-    f.parameterIsAlwaysReturned(operand.(PositionalArgumentOperand).getIndex())
-  )
-}
-
 private predicate isOnlyEscapesViaReturnArgument(Operand operand) {
   exists(AliasModels::AliasFunction f |
     f = operand.getUse().(CallInstruction).getStaticCallTarget() and
@@ -271,7 +330,9 @@ predicate allocationEscapes(Configuration::Allocation allocation) {
 /**
  * Equivalent to `operandIsPropagated()`, but includes interprocedural propagation.
  */
-private predicate operandIsPropagatedIncludingByCall(Operand operand, IntValue bitOffset, Instruction instr) {
+private predicate operandIsPropagatedIncludingByCall(
+  Operand operand, IntValue bitOffset, Instruction instr
+) {
   operandIsPropagated(operand, bitOffset, instr)
   or
   exists(CallInstruction call, Instruction init |
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll
index 69cd6e6dc29..866afb64b31 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll
@@ -105,7 +105,21 @@ class DynamicAllocation extends Allocation, TDynamicAllocation {
   DynamicAllocation() { this = TDynamicAllocation(call) }
 
   final override string toString() {
-    result = call.toString() + " at " + call.getLocation() // This isn't performant, but it's only used in test/dump code right now.
+    // This isn't performant, but it's only used in test/dump code right now.
+    // Dynamic allocations within a function are numbered in the order by start
+    // line number. This keeps them stable when the function moves within the
+    // file, or when non-allocating lines are added and removed within the
+    // function.
+    exists(int i |
+      result = "dynamic{" + i.toString() + "}" and
+      call =
+        rank[i](CallInstruction rangeCall |
+          exists(TDynamicAllocation(rangeCall)) and
+          rangeCall.getEnclosingIRFunction() = call.getEnclosingIRFunction()
+        |
+          rangeCall order by rangeCall.getLocation().getStartLine()
+        )
+    )
   }
 
   final override CallInstruction getABaseInstruction() { result = call }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index 6105187cc1f..b745554f8df 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -4,6 +4,71 @@ private import AliasAnalysisImports
 
 private class IntValue = Ints::IntValue;
 
+/**
+ * If `instr` is a `SideEffectInstruction`, gets the primary `CallInstruction` that caused the side
+ * effect. If `instr` is a `CallInstruction`, gets that same `CallInstruction`.
+ */
+private CallInstruction getPrimaryCall(Instruction instr) {
+  result = instr.(CallInstruction)
+  or
+  result = instr.(SideEffectInstruction).getPrimaryInstruction()
+}
+
+/**
+ * Holds if `operand` serves as an input argument (or indirection) to `call`, in the position
+ * specified by `input`.
+ */
+private predicate isCallInput(
+  CallInstruction call, Operand operand, AliasModels::FunctionInput input
+) {
+  call = getPrimaryCall(operand.getUse()) and
+  (
+    exists(int index |
+      input.isParameterOrQualifierAddress(index) and
+      operand = call.getArgumentOperand(index)
+    )
+    or
+    exists(int index, ReadSideEffectInstruction read |
+      input.isParameterDerefOrQualifierObject(index) and
+      read = call.getAParameterSideEffect(index) and
+      operand = read.getSideEffectOperand()
+    )
+  )
+}
+
+/**
+ * Holds if `instr` serves as a return value or output argument indirection for `call`, in the
+ * position specified by `output`.
+ */
+private predicate isCallOutput(
+  CallInstruction call, Instruction instr, AliasModels::FunctionOutput output
+) {
+  call = getPrimaryCall(instr) and
+  (
+    output.isReturnValue() and instr = call
+    or
+    exists(int index, WriteSideEffectInstruction write |
+      output.isParameterDerefOrQualifierObject(index) and
+      write = call.getAParameterSideEffect(index) and
+      instr = write
+    )
+  )
+}
+
+/**
+ * Holds if the address in `operand` flows directly to the result of `resultInstr` due to modeled
+ * address flow through a function call.
+ */
+private predicate hasAddressFlowThroughCall(Operand operand, Instruction resultInstr) {
+  exists(
+    CallInstruction call, AliasModels::FunctionInput input, AliasModels::FunctionOutput output
+  |
+    call.getStaticCallTarget().(AliasModels::AliasFunction).hasAddressFlow(input, output) and
+    isCallInput(call, operand, input) and
+    isCallOutput(call, resultInstr, output)
+  )
+}
+
 /**
  * Holds if the operand `tag` of instruction `instr` is used in a way that does
  * not result in any address held in that operand from escaping beyond the
@@ -74,6 +139,10 @@ IntValue getPointerBitOffset(PointerOffsetInstruction instr) {
  * be a constant, then `bitOffset` is `unknown()`.
  */
 private predicate operandIsPropagated(Operand operand, IntValue bitOffset, Instruction instr) {
+  // Some functions are known to propagate an argument
+  hasAddressFlowThroughCall(operand, instr) and
+  bitOffset = 0
+  or
   instr = operand.getUse() and
   (
     // Converting to a non-virtual base class adds the offset of the base class.
@@ -118,9 +187,6 @@ private predicate operandIsPropagated(Operand operand, IntValue bitOffset, Instr
     or
     // A copy propagates the source value.
     operand = instr.(CopyInstruction).getSourceValueOperand() and bitOffset = 0
-    or
-    // Some functions are known to propagate an argument
-    isAlwaysReturnedArgument(operand) and bitOffset = 0
   )
 }
 
@@ -215,13 +281,6 @@ private predicate isArgumentForParameter(
   )
 }
 
-private predicate isAlwaysReturnedArgument(Operand operand) {
-  exists(AliasModels::AliasFunction f |
-    f = operand.getUse().(CallInstruction).getStaticCallTarget() and
-    f.parameterIsAlwaysReturned(operand.(PositionalArgumentOperand).getIndex())
-  )
-}
-
 private predicate isOnlyEscapesViaReturnArgument(Operand operand) {
   exists(AliasModels::AliasFunction f |
     f = operand.getUse().(CallInstruction).getStaticCallTarget() and
@@ -271,7 +330,9 @@ predicate allocationEscapes(Configuration::Allocation allocation) {
 /**
  * Equivalent to `operandIsPropagated()`, but includes interprocedural propagation.
  */
-private predicate operandIsPropagatedIncludingByCall(Operand operand, IntValue bitOffset, Instruction instr) {
+private predicate operandIsPropagatedIncludingByCall(
+  Operand operand, IntValue bitOffset, Instruction instr
+) {
   operandIsPropagated(operand, bitOffset, instr)
   or
   exists(CallInstruction call, Instruction init |
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
index 4b060c234f8..ea60bd9d546 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
@@ -1,12 +1,14 @@
+import semmle.code.cpp.models.interfaces.Alias
+import semmle.code.cpp.models.interfaces.SideEffect
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.DataFlow
 import semmle.code.cpp.models.interfaces.PointerWrapper
 
 /**
- * The `std::shared_ptr` and `std::unique_ptr` template classes.
+ * The `std::shared_ptr`, `std::weak_ptr`, and `std::unique_ptr` template classes.
  */
-private class UniqueOrSharedPtr extends Class, PointerWrapper {
-  UniqueOrSharedPtr() { this.hasQualifiedName(["std", "bsl"], ["shared_ptr", "unique_ptr"]) }
+private class SmartPtr extends Class, PointerWrapper {
+  SmartPtr() { this.hasQualifiedName(["std", "bsl"], ["shared_ptr", "weak_ptr", "unique_ptr"]) }
 
   override MemberFunction getAnUnwrapperFunction() {
     result.(OverloadedPointerDereferenceFunction).getDeclaringType() = this
@@ -17,11 +19,36 @@ private class UniqueOrSharedPtr extends Class, PointerWrapper {
   override predicate pointsToConst() { this.getTemplateArgument(0).(Type).isConst() }
 }
 
-/** Any function that unwraps a pointer wrapper class to reveal the underlying pointer. */
-private class PointerWrapperDataFlow extends DataFlowFunction {
-  PointerWrapperDataFlow() {
-    this = any(PointerWrapper wrapper).getAnUnwrapperFunction() and
-    not this.getUnspecifiedType() instanceof ReferenceType
+/**
+ * Any function that returns the address wrapped by a `PointerWrapper`, whether as a pointer or a
+ * reference.
+ *
+ * Examples:
+ * - `std::unique_ptr<T>::get()`
+ * - `std::shared_ptr<T>::operator->()`
+ * - `std::weak_ptr<T>::operator*()`
+ */
+private class PointerUnwrapperFunction extends MemberFunction, AliasFunction, DataFlowFunction,
+  SideEffectFunction, TaintFunction {
+  PointerUnwrapperFunction() {
+    exists(PointerWrapper wrapper | wrapper.getAnUnwrapperFunction() = this)
+  }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    // Only reads from `*this`.
+    i = -1 and buffer = false
+  }
+
+  override predicate parameterNeverEscapes(int index) { index = -1 }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate hasAddressFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and output.isReturnValue()
   }
 
   override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
@@ -32,6 +59,11 @@ private class PointerWrapperDataFlow extends DataFlowFunction {
     input.isReturnValueDeref() and
     output.isQualifierObject()
   }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and
+    output.isReturnValue()
+  }
 }
 
 /**
@@ -62,31 +94,80 @@ private class MakeUniqueOrShared extends TaintFunction {
 }
 
 /**
- * A prefix `operator*` member function for a `shared_ptr` or `unique_ptr` type.
+ * A function that sets the value of a smart pointer.
+ *
+ * This could be a constructor, an assignment operator, or a named member function like `reset()`.
  */
-private class UniqueOrSharedDereferenceMemberOperator extends MemberFunction, TaintFunction {
-  UniqueOrSharedDereferenceMemberOperator() {
-    this.hasName("operator*") and
-    this.getDeclaringType() instanceof UniqueOrSharedPtr
+private class SmartPtrSetterFunction extends MemberFunction, AliasFunction, SideEffectFunction {
+  SmartPtrSetterFunction() {
+    this.getDeclaringType() instanceof SmartPtr and
+    not this.isStatic() and
+    (
+      this instanceof Constructor
+      or
+      this.hasName("operator=")
+      or
+      this.hasName("reset")
+    )
   }
 
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and
-    output.isReturnValueDeref()
-  }
-}
+  override predicate hasOnlySpecificReadSideEffects() { this instanceof Constructor }
 
-/**
- * The `std::shared_ptr` or `std::unique_ptr` function `get`.
- */
-private class UniqueOrSharedGet extends TaintFunction {
-  UniqueOrSharedGet() {
-    this.hasName("get") and
-    this.getDeclaringType() instanceof UniqueOrSharedPtr
+  override predicate hasOnlySpecificWriteSideEffects() { this instanceof ConstMemberFunction }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    // Always write to the destination smart pointer itself.
+    i = -1 and buffer = false and mustWrite = true
+    or
+    // When taking ownership of a smart pointer via an rvalue reference, always overwrite the input
+    // smart pointer.
+    getPointerInput().isParameterDeref(i) and
+    this.getParameter(i).getUnspecifiedType() instanceof RValueReferenceType and
+    buffer = false and
+    mustWrite = true
   }
 
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    getPointerInput().isParameterDeref(i) and
+    buffer = false
+    or
+    not this instanceof Constructor and
+    i = -1 and
+    buffer = false
+  }
+
+  override predicate parameterNeverEscapes(int index) { index = -1 }
+
+  override predicate parameterEscapesOnlyViaReturn(int index) { none() }
+
+  override predicate hasAddressFlow(FunctionInput input, FunctionOutput output) {
+    input = getPointerInput() and
+    output.isQualifierObject()
+    or
+    // Assignment operator always returns a reference to `*this`.
+    this.hasName("operator=") and
+    input.isQualifierAddress() and
     output.isReturnValue()
   }
+
+  private FunctionInput getPointerInput() {
+    exists(Parameter param0 |
+      param0 = this.getParameter(0) and
+      (
+        param0.getUnspecifiedType().(ReferenceType).getBaseType() instanceof SmartPtr and
+        if this.getParameter(1).getUnspecifiedType() instanceof PointerType
+        then
+          // This is one of the constructors of `std::shared_ptr<T>` that creates a smart pointer that
+          // wraps a raw pointer with ownership controlled by an unrelated smart pointer. We propagate
+          // the raw pointer in the second parameter, rather than the smart pointer in the first
+          // parameter.
+          result.isParameter(1)
+        else result.isParameterDeref(0)
+      )
+      or
+      // One of the functions that takes ownership of a raw pointer.
+      param0.getUnspecifiedType() instanceof PointerType and
+      result.isParameter(0)
+    )
+  }
 }
diff --git a/cpp/ql/test/library-tests/ir/points_to/points_to.ql b/cpp/ql/test/library-tests/ir/points_to/points_to.ql
index 89d1e31e119..da090c5552e 100644
--- a/cpp/ql/test/library-tests/ir/points_to/points_to.ql
+++ b/cpp/ql/test/library-tests/ir/points_to/points_to.ql
@@ -5,7 +5,16 @@ private import semmle.code.cpp.ir.internal.IntegerConstant as Ints
 private predicate ignoreAllocation(string name) {
   name = "i" or
   name = "p" or
-  name = "q"
+  name = "q" or
+  name = "s" or
+  name = "t" or
+  name = "?{AllAliased}"
+}
+
+private predicate ignoreFile(File file) {
+  // Ignore standard headers.
+  file.getBaseName() = ["memory.h", "type_traits.h", "utility.h"] or
+  not file.fromSource()
 }
 
 module Raw {
@@ -29,7 +38,8 @@ module Raw {
         not ignoreAllocation(memLocation.getAllocation().getAllocationString()) and
         value = memLocation.toString() and
         element = instr.toString() and
-        location = instr.getLocation()
+        location = instr.getLocation() and
+        not ignoreFile(location.getFile())
       )
     }
   }
@@ -52,13 +62,14 @@ module UnaliasedSSA {
     override predicate hasActualResult(Location location, string element, string tag, string value) {
       exists(Instruction instr, MemoryLocation memLocation |
         memLocation = getAMemoryAccess(instr) and
-        not memLocation instanceof AliasedVirtualVariable and
+        not memLocation.getVirtualVariable() instanceof AliasedVirtualVariable and
         not memLocation instanceof AllNonLocalMemory and
         tag = "ussa" and
         not ignoreAllocation(memLocation.getAllocation().getAllocationString()) and
         value = memLocation.toString() and
         element = instr.toString() and
-        location = instr.getLocation()
+        location = instr.getLocation() and
+        not ignoreFile(location.getFile())
       )
     }
   }
diff --git a/cpp/ql/test/library-tests/ir/points_to/smart_pointer.cpp b/cpp/ql/test/library-tests/ir/points_to/smart_pointer.cpp
new file mode 100644
index 00000000000..de4cbc96e5f
--- /dev/null
+++ b/cpp/ql/test/library-tests/ir/points_to/smart_pointer.cpp
@@ -0,0 +1,33 @@
+#include "../../../include/memory.h"
+#include "../../../include/utility.h"
+
+using std::shared_ptr;
+using std::unique_ptr;
+
+struct S {
+    int x;
+};
+
+void unique_ptr_init(S s) {
+    unique_ptr<S> p(new S); //$ussa=dynamic{1}
+    int i = (*p).x; //$ussa=dynamic{1}[0..4)<int>
+    *p = s;  //$ussa=dynamic{1}[0..4)<S>
+    unique_ptr<S> q = std::move(p);
+    *(q.get()) = s;  //$ussa=dynamic{1}[0..4)<S>
+    shared_ptr<S> t(std::move(q));
+    t->x = 5; //$ussa=dynamic{1}[0..4)<int>
+    *t = s; //$ussa=dynamic{1}[0..4)<S>
+    *(t.get()) = s; //$ussa=dynamic{1}[0..4)<S>
+}
+
+void shared_ptr_init(S s) {
+    shared_ptr<S> p(new S); //$ussa=dynamic{1}
+    int i = (*p).x; //$ussa=dynamic{1}[0..4)<int>
+    *p = s;  //$ussa=dynamic{1}[0..4)<S>
+    shared_ptr<S> q = std::move(p);
+    *(q.get()) = s;  //$ussa=dynamic{1}[0..4)<S>
+    shared_ptr<S> t(q);
+    t->x = 5; //$ussa=dynamic{1}[0..4)<int>
+    *t = s; //$ussa=dynamic{1}[0..4)<S>
+    *(t.get()) = s; //$ussa=dynamic{1}[0..4)<S>
+}
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index 6105187cc1f..b745554f8df 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -4,6 +4,71 @@ private import AliasAnalysisImports
 
 private class IntValue = Ints::IntValue;
 
+/**
+ * If `instr` is a `SideEffectInstruction`, gets the primary `CallInstruction` that caused the side
+ * effect. If `instr` is a `CallInstruction`, gets that same `CallInstruction`.
+ */
+private CallInstruction getPrimaryCall(Instruction instr) {
+  result = instr.(CallInstruction)
+  or
+  result = instr.(SideEffectInstruction).getPrimaryInstruction()
+}
+
+/**
+ * Holds if `operand` serves as an input argument (or indirection) to `call`, in the position
+ * specified by `input`.
+ */
+private predicate isCallInput(
+  CallInstruction call, Operand operand, AliasModels::FunctionInput input
+) {
+  call = getPrimaryCall(operand.getUse()) and
+  (
+    exists(int index |
+      input.isParameterOrQualifierAddress(index) and
+      operand = call.getArgumentOperand(index)
+    )
+    or
+    exists(int index, ReadSideEffectInstruction read |
+      input.isParameterDerefOrQualifierObject(index) and
+      read = call.getAParameterSideEffect(index) and
+      operand = read.getSideEffectOperand()
+    )
+  )
+}
+
+/**
+ * Holds if `instr` serves as a return value or output argument indirection for `call`, in the
+ * position specified by `output`.
+ */
+private predicate isCallOutput(
+  CallInstruction call, Instruction instr, AliasModels::FunctionOutput output
+) {
+  call = getPrimaryCall(instr) and
+  (
+    output.isReturnValue() and instr = call
+    or
+    exists(int index, WriteSideEffectInstruction write |
+      output.isParameterDerefOrQualifierObject(index) and
+      write = call.getAParameterSideEffect(index) and
+      instr = write
+    )
+  )
+}
+
+/**
+ * Holds if the address in `operand` flows directly to the result of `resultInstr` due to modeled
+ * address flow through a function call.
+ */
+private predicate hasAddressFlowThroughCall(Operand operand, Instruction resultInstr) {
+  exists(
+    CallInstruction call, AliasModels::FunctionInput input, AliasModels::FunctionOutput output
+  |
+    call.getStaticCallTarget().(AliasModels::AliasFunction).hasAddressFlow(input, output) and
+    isCallInput(call, operand, input) and
+    isCallOutput(call, resultInstr, output)
+  )
+}
+
 /**
  * Holds if the operand `tag` of instruction `instr` is used in a way that does
  * not result in any address held in that operand from escaping beyond the
@@ -74,6 +139,10 @@ IntValue getPointerBitOffset(PointerOffsetInstruction instr) {
  * be a constant, then `bitOffset` is `unknown()`.
  */
 private predicate operandIsPropagated(Operand operand, IntValue bitOffset, Instruction instr) {
+  // Some functions are known to propagate an argument
+  hasAddressFlowThroughCall(operand, instr) and
+  bitOffset = 0
+  or
   instr = operand.getUse() and
   (
     // Converting to a non-virtual base class adds the offset of the base class.
@@ -118,9 +187,6 @@ private predicate operandIsPropagated(Operand operand, IntValue bitOffset, Instr
     or
     // A copy propagates the source value.
     operand = instr.(CopyInstruction).getSourceValueOperand() and bitOffset = 0
-    or
-    // Some functions are known to propagate an argument
-    isAlwaysReturnedArgument(operand) and bitOffset = 0
   )
 }
 
@@ -215,13 +281,6 @@ private predicate isArgumentForParameter(
   )
 }
 
-private predicate isAlwaysReturnedArgument(Operand operand) {
-  exists(AliasModels::AliasFunction f |
-    f = operand.getUse().(CallInstruction).getStaticCallTarget() and
-    f.parameterIsAlwaysReturned(operand.(PositionalArgumentOperand).getIndex())
-  )
-}
-
 private predicate isOnlyEscapesViaReturnArgument(Operand operand) {
   exists(AliasModels::AliasFunction f |
     f = operand.getUse().(CallInstruction).getStaticCallTarget() and
@@ -271,7 +330,9 @@ predicate allocationEscapes(Configuration::Allocation allocation) {
 /**
  * Equivalent to `operandIsPropagated()`, but includes interprocedural propagation.
  */
-private predicate operandIsPropagatedIncludingByCall(Operand operand, IntValue bitOffset, Instruction instr) {
+private predicate operandIsPropagatedIncludingByCall(
+  Operand operand, IntValue bitOffset, Instruction instr
+) {
   operandIsPropagated(operand, bitOffset, instr)
   or
   exists(CallInstruction call, Instruction init |

From b9da6ce04ad0a968d9ed074867603b54fc5b4123 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Tue, 20 Apr 2021 23:12:05 -0400
Subject: [PATCH 0528/1429] C++: Prepare for merge of smart pointer models

---
 .../models/implementations/SmartPointer.qll   | 27 ++++++++-----------
 1 file changed, 11 insertions(+), 16 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
index ea60bd9d546..ebe0de3fd6e 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
@@ -28,12 +28,21 @@ private class SmartPtr extends Class, PointerWrapper {
  * - `std::shared_ptr<T>::operator->()`
  * - `std::weak_ptr<T>::operator*()`
  */
-private class PointerUnwrapperFunction extends MemberFunction, AliasFunction, DataFlowFunction,
-  SideEffectFunction, TaintFunction {
+private class PointerUnwrapperFunction extends MemberFunction, TaintFunction, DataFlowFunction,
+  SideEffectFunction, AliasFunction {
   PointerUnwrapperFunction() {
     exists(PointerWrapper wrapper | wrapper.getAnUnwrapperFunction() = this)
   }
 
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isReturnValueDeref() and
+    output.isQualifierObject()
+  }
+
+  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
+    input.isQualifierObject() and output.isReturnValue()
+  }
+
   override predicate hasOnlySpecificReadSideEffects() { any() }
 
   override predicate hasOnlySpecificWriteSideEffects() { any() }
@@ -50,20 +59,6 @@ private class PointerUnwrapperFunction extends MemberFunction, AliasFunction, Da
   override predicate hasAddressFlow(FunctionInput input, FunctionOutput output) {
     input.isQualifierObject() and output.isReturnValue()
   }
-
-  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierAddress() and output.isReturnValue()
-    or
-    input.isQualifierObject() and output.isReturnValueDeref()
-    or
-    input.isReturnValueDeref() and
-    output.isQualifierObject()
-  }
-
-  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
-    input.isQualifierObject() and
-    output.isReturnValue()
-  }
 }
 
 /**

From 84f00c21df471cc39f38f4c5b467895f4b2f7280 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Wed, 21 Apr 2021 15:38:41 +0800
Subject: [PATCH 0529/1429] update IfConditionSink.

---
 .../CWE/CWE-348/UseOfLessTrustedSourceLib.qll | 94 ++++++++++---------
 1 file changed, 48 insertions(+), 46 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
index 98c754c7727..fa9ec4da9bb 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
@@ -38,49 +38,53 @@ private class IfConditionSink extends UseOfLessTrustedSink {
   IfConditionSink() {
     exists(IfStmt is |
       is.getCondition() = this.asExpr() and
-      not exists(EQExpr eqe |
-        eqe.getAnOperand() instanceof NullLiteral and
-        is.getCondition() = eqe.getParent*()
-      ) and
-      not exists(NEExpr nee |
-        nee.getAnOperand() instanceof NullLiteral and
-        is.getCondition() = nee.getParent*()
-      ) and
-      not exists(MethodAccess ma |
-        ma.getMethod().hasName("equals") and
-        ma.getMethod().getNumberOfParameters() = 1 and
-        (
-          ma.getQualifier().(CompileTimeConstantExpr).getStringValue() = "" or
-          ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = ""
-        ) and
-        is.getCondition() = ma.getParent*()
-      ) and
-      not exists(MethodAccess ma |
-        ma.getMethod().hasName("equalsIgnoreCase") and
-        ma.getMethod().getNumberOfParameters() = 1 and
-        (
-          ma.getQualifier().(CompileTimeConstantExpr).getStringValue() = "unknown" or
-          ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "unknown"
-        ) and
-        is.getCondition() = ma.getParent*()
-      ) and
-      not exists(MethodAccess ma |
-        ma.getMethod().getName() in ["isEmpty", "isNotEmpty"] and
-        ma.getMethod().getNumberOfParameters() = 1 and
-        is.getCondition() = ma.getParent*()
-      ) and
-      not exists(MethodAccess ma |
-        (
-          ma.getMethod().hasQualifiedName("org.apache.commons.lang3", "StringUtils", "isBlank") or
-          ma.getMethod().hasQualifiedName("org.apache.commons.lang3", "StringUtils", "isNotBlank")
-        ) and
-        is.getCondition() = ma.getParent*()
-      ) and
-      not exists(MethodAccess ma |
-        ma.getMethod()
-            .hasQualifiedName("org.apache.commons.lang3", "StringUtils", "equalsIgnoreCase") and
-        ma.getAnArgument().(CompileTimeConstantExpr).getStringValue() = "unknown" and
-        is.getCondition() = ma.getParent*()
+      (
+        exists(MethodAccess ma |
+          ma.getMethod().getName() in ["equals", "equalsIgnoreCase"] and
+          ma.getMethod().getDeclaringType() instanceof TypeString and
+          ma.getMethod().getNumberOfParameters() = 1 and
+          not ma.getQualifier().(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
+              "", "unknown", ":"
+            ] and
+          not ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
+              "", "unknown", ":"
+            ] and
+          is.getCondition() = ma.getParent*()
+        )
+        or
+        exists(MethodAccess ma |
+          ma.getMethod().hasName("contains") and
+          ma.getMethod().getDeclaringType() instanceof TypeString and
+          ma.getMethod().getNumberOfParameters() = 1 and
+          ma.getAnArgument().(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
+              "", "unknown"
+            ] and
+          is.getCondition() = ma.getParent*()
+        )
+        or
+        exists(MethodAccess ma |
+          ma.getMethod().hasName("startsWith") and
+          ma.getMethod()
+              .getDeclaringType()
+              .hasQualifiedName(["org.apache.commons.lang3", "org.apache.commons.lang"],
+                "StringUtils") and
+          ma.getMethod().getNumberOfParameters() = 2 and
+          ma.getAnArgument().(CompileTimeConstantExpr).getStringValue() != "" and
+          is.getCondition() = ma.getParent*()
+        )
+        or
+        exists(MethodAccess ma |
+          ma.getMethod().getName() in ["equals", "equalsIgnoreCase"] and
+          ma.getMethod()
+              .getDeclaringType()
+              .hasQualifiedName(["org.apache.commons.lang3", "org.apache.commons.lang"],
+                "StringUtils") and
+          ma.getMethod().getNumberOfParameters() = 2 and
+          not ma.getAnArgument().(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
+              "", "unknown", ":"
+            ] and
+          is.getCondition() = ma.getParent*()
+        )
       )
     )
   }
@@ -101,9 +105,7 @@ private class PrintSink extends UseOfLessTrustedSink {
   PrintSink() {
     exists(MethodAccess ma |
       ma.getMethod().getName() in ["print", "println"] and
-      (
-        ma.getMethod().getDeclaringType().hasQualifiedName("java.io", ["PrintWriter", "PrintStream"])
-      ) and
+      ma.getMethod().getDeclaringType().hasQualifiedName("java.io", ["PrintWriter", "PrintStream"]) and
       ma.getAnArgument() = this.asExpr()
     )
   }

From 2a6f979ce6428952d2e0627c309610be4fdc3e8a Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 21 Apr 2021 10:42:06 +0200
Subject: [PATCH 0530/1429] C# Add line of code metric query

---
 csharp/ql/src/Metrics/Summaries/LinesOfCode.ql     | 11 +++++++++++
 .../Metrics/Summaries/LinesOfCode.expected         |  1 +
 .../Metrics/Summaries/LinesOfCode.qlref            |  1 +
 .../ql/test/query-tests/Metrics/Summaries/file1.cs | 14 ++++++++++++++
 4 files changed, 27 insertions(+)
 create mode 100644 csharp/ql/src/Metrics/Summaries/LinesOfCode.ql
 create mode 100644 csharp/ql/test/query-tests/Metrics/Summaries/LinesOfCode.expected
 create mode 100644 csharp/ql/test/query-tests/Metrics/Summaries/LinesOfCode.qlref
 create mode 100644 csharp/ql/test/query-tests/Metrics/Summaries/file1.cs

diff --git a/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql b/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql
new file mode 100644
index 00000000000..9156a5e4a7f
--- /dev/null
+++ b/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql
@@ -0,0 +1,11 @@
+/**
+ * @id cs/summary/lines-of-code
+ * @name Total lines of code in the database
+ * @description The total number of lines of code across all files. This is a useful metric of the size of a database. For all files that were seen during the build, this query counts the lines of code, excluding whitespace or comments.
+ * @kind metric
+ * @tags summary
+ */
+
+import csharp
+
+select sum(File f | f.fromSource() | f.getNumberOfLinesOfCode())
diff --git a/csharp/ql/test/query-tests/Metrics/Summaries/LinesOfCode.expected b/csharp/ql/test/query-tests/Metrics/Summaries/LinesOfCode.expected
new file mode 100644
index 00000000000..b5a514b9ffa
--- /dev/null
+++ b/csharp/ql/test/query-tests/Metrics/Summaries/LinesOfCode.expected
@@ -0,0 +1 @@
+| 4 |
diff --git a/csharp/ql/test/query-tests/Metrics/Summaries/LinesOfCode.qlref b/csharp/ql/test/query-tests/Metrics/Summaries/LinesOfCode.qlref
new file mode 100644
index 00000000000..8c18065043f
--- /dev/null
+++ b/csharp/ql/test/query-tests/Metrics/Summaries/LinesOfCode.qlref
@@ -0,0 +1 @@
+Metrics/Summaries/LinesOfCode.ql
\ No newline at end of file
diff --git a/csharp/ql/test/query-tests/Metrics/Summaries/file1.cs b/csharp/ql/test/query-tests/Metrics/Summaries/file1.cs
new file mode 100644
index 00000000000..0c12535ee09
--- /dev/null
+++ b/csharp/ql/test/query-tests/Metrics/Summaries/file1.cs
@@ -0,0 +1,14 @@
+
+class C1
+{
+    /*
+      int M()
+      {
+        return 0;
+      }
+    */
+
+    // int M() => 0;
+
+    int M() => 0; // Comment
+}

From 16b62486e9708a4b2e4395d686335fdb5cba9441 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Sun, 18 Apr 2021 12:17:47 +0200
Subject: [PATCH 0531/1429] Python: Extract SensitiveDataHeuristics to be
 shared with JS

Initially I had called `nameIndicatesSensitiveData` for `maybeSensitiveName`,
which made the relationship with `maybeSensitive` and `notSensitive` quite
strange -- and therefore I added the more informative `maybeSensitiveRegexp` and
`notSensitiveRegexp`.

Although I'm no longer using `maybeSensitiveName`, and I no longer have a strong
argument for making this name change, I still like it. If someone thinks this is
a terrible idea, I'm happy to change it though :+1:
---
 config/identical-files.json                   |   6 +-
 .../internal/SensitiveDataHeuristics.qll      | 128 ++++++++++++++++++
 .../semmle/python/security/SensitiveData.qll  |  93 ++++---------
 .../internal/SensitiveDataHeuristics.qll      | 128 ++++++++++++++++++
 4 files changed, 285 insertions(+), 70 deletions(-)
 create mode 100644 javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll
 create mode 100644 python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll

diff --git a/config/identical-files.json b/config/identical-files.json
index 3916e95a0cf..db622682004 100644
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -439,5 +439,9 @@
   "CryptoAlgorithms Python/JS": [
     "javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
     "python/ql/src/semmle/crypto/Crypto.qll"
+  ],
+  "SensitiveDataHeuristics Python/JS": [
+    "javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
+    "python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll"
   ]
-}
\ No newline at end of file
+}
diff --git a/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll b/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll
new file mode 100644
index 00000000000..f747241c28e
--- /dev/null
+++ b/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll
@@ -0,0 +1,128 @@
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides classes and predicates for identifying strings that may indicate the presence of sensitive data.
+ * Such that we can share this logic across our CodeQL analysis of different languages.
+ *
+ * 'Sensitive' data in general is anything that should not be sent around in unencrypted form.
+ */
+
+/**
+ * A classification of different kinds of sensitive data:
+ *
+ *   - secret: generic secret or trusted data;
+ *   - id: a user name or other account information;
+ *   - password: a password or authorization key;
+ *   - certificate: a certificate.
+ *
+ * While classifications are represented as strings, this should not be relied upon.
+ * Instead, use the predicates in `SensitiveDataClassification::` to work with
+ * classifications.
+ */
+class SensitiveDataClassification extends string {
+  SensitiveDataClassification() { this in ["secret", "id", "password", "certificate"] }
+}
+
+/**
+ * Provides predicates to select the different kinds of sensitive data we support.
+ */
+module SensitiveDataClassification {
+  /** Gets the classification for secret or trusted data. */
+  SensitiveDataClassification secret() { result = "secret" }
+
+  /** Gets the classification for user names or other account information. */
+  SensitiveDataClassification id() { result = "id" }
+
+  /** Gets the classification for passwords or authorization keys. */
+  SensitiveDataClassification password() { result = "password" }
+
+  /** Gets the classification for certificates. */
+  SensitiveDataClassification certificate() { result = "certificate" }
+}
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides heuristics for identifying names related to sensitive information.
+ */
+module HeuristicNames {
+  /**
+   * Gets a regular expression that identifies strings that may indicate the presence of secret
+   * or trusted data.
+   */
+  string maybeSecret() { result = "(?is).*((?<!is)secret|(?<!un|is)trusted).*" }
+
+  /**
+   * Gets a regular expression that identifies strings that may indicate the presence of
+   * user names or other account information.
+   */
+  string maybeAccountInfo() {
+    result = "(?is).*acc(ou)?nt.*" or
+    result = "(?is).*(puid|username|userid).*"
+  }
+
+  /**
+   * Gets a regular expression that identifies strings that may indicate the presence of
+   * a password or an authorization key.
+   */
+  string maybePassword() {
+    result = "(?is).*pass(wd|word|code|phrase)(?!.*question).*" or
+    result = "(?is).*(auth(entication|ori[sz]ation)?)key.*"
+  }
+
+  /**
+   * Gets a regular expression that identifies strings that may indicate the presence of
+   * a certificate.
+   */
+  string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name)).*" }
+
+  /**
+   * Gets a regular expression that identifies strings that may indicate the presence
+   * of sensitive data, with `classification` describing the kind of sensitive data involved.
+   */
+  string maybeSensitiveRegexp(SensitiveDataClassification classification) {
+    result = maybeSecret() and classification = SensitiveDataClassification::secret()
+    or
+    result = maybeAccountInfo() and classification = SensitiveDataClassification::id()
+    or
+    result = maybePassword() and classification = SensitiveDataClassification::password()
+    or
+    result = maybeCertificate() and
+    classification = SensitiveDataClassification::certificate()
+  }
+
+  /**
+   * Gets a regular expression that identifies strings that may indicate the presence of data
+   * that is hashed or encrypted, and hence rendered non-sensitive.
+   */
+  string notSensitiveRegexp() {
+    result = "(?is).*(redact|censor|obfuscate|hash|md5|sha|((?<!un)(en))?(crypt|code)).*"
+  }
+
+  /**
+   * DEPRECATED: Use `maybeSensitiveRegexp` instead.
+   * Only added to aid with internal rewrite
+   */
+  deprecated predicate maybeSensitive = maybeSensitiveRegexp/1;
+
+  /**
+   * DEPRECATED: Use `notSensitiveRegexp` instead.
+   * Only added to aid with internal rewrite
+   */
+  deprecated predicate notSensitive = notSensitiveRegexp/0;
+
+  /**
+   * Holds if `name` may indicate the presence of sensitive data, and
+   * `name` does not indicate the presence of data that is hashed or encrypted, which would have
+   * rendered the data non-sensitive. `classification` describes the kind of sensitive data involved.
+   *
+   * That is, one of the rexeps from `maybeSensitiveRegexp` matches `name` (with the
+   * given classification), and none of the regexps from `notSensitiveRegexp` matches
+   * `name`.
+   */
+  bindingset[name]
+  predicate nameIndicatesSensitiveData(string name, SensitiveDataClassification classification) {
+    name.regexpMatch(maybeSensitiveRegexp(classification)) and
+    not name.regexpMatch(notSensitiveRegexp())
+  }
+}
diff --git a/python/ql/src/semmle/python/security/SensitiveData.qll b/python/ql/src/semmle/python/security/SensitiveData.qll
index b616c960940..141555bda1a 100644
--- a/python/ql/src/semmle/python/security/SensitiveData.qll
+++ b/python/ql/src/semmle/python/security/SensitiveData.qll
@@ -12,76 +12,15 @@
 import python
 import semmle.python.dataflow.TaintTracking
 import semmle.python.web.HttpRequest
-
-/**
- * Provides heuristics for identifying names related to sensitive information.
- *
- * INTERNAL: Do not use directly.
- * This is copied from the javascript library, but should be language independent.
- */
-private module HeuristicNames {
-  /**
-   * Gets a regular expression that identifies strings that may indicate the presence of secret
-   * or trusted data.
-   */
-  string maybeSecret() { result = "(?is).*((?<!is)secret|(?<!un|is)trusted).*" }
-
-  /**
-   * Gets a regular expression that identifies strings that may indicate the presence of
-   * user names or other account information.
-   */
-  string maybeAccountInfo() {
-    result = "(?is).*acc(ou)?nt.*" or
-    result = "(?is).*(puid|username|userid).*"
-  }
-
-  /**
-   * Gets a regular expression that identifies strings that may indicate the presence of
-   * a password or an authorization key.
-   */
-  string maybePassword() {
-    result = "(?is).*pass(wd|word|code|phrase)(?!.*question).*" or
-    result = "(?is).*(auth(entication|ori[sz]ation)?)key.*"
-  }
-
-  /**
-   * Gets a regular expression that identifies strings that may indicate the presence of
-   * a certificate.
-   */
-  string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name)).*" }
-
-  /**
-   * Gets a regular expression that identifies strings that may indicate the presence
-   * of sensitive data, with `classification` describing the kind of sensitive data involved.
-   */
-  string maybeSensitive(SensitiveData data) {
-    result = maybeSecret() and data instanceof SensitiveData::Secret
-    or
-    result = maybeAccountInfo() and data instanceof SensitiveData::Id
-    or
-    result = maybePassword() and data instanceof SensitiveData::Password
-    or
-    result = maybeCertificate() and data instanceof SensitiveData::Certificate
-  }
-
-  /**
-   * Gets a regular expression that identifies strings that may indicate the presence of data
-   * that is hashed or encrypted, and hence rendered non-sensitive.
-   */
-  string notSensitive() {
-    result = "(?is).*(redact|censor|obfuscate|hash|md5|sha|((?<!un)(en))?(crypt|code)).*"
-  }
-
-  bindingset[name]
-  SensitiveData getSensitiveDataForName(string name) {
-    name.regexpMatch(HeuristicNames::maybeSensitive(result)) and
-    not name.regexpMatch(HeuristicNames::notSensitive())
-  }
-}
+import semmle.python.security.internal.SensitiveDataHeuristics
+private import HeuristicNames
 
 abstract class SensitiveData extends TaintKind {
   bindingset[this]
   SensitiveData() { this = this }
+
+  /** Gets the classification of this sensitive data taint kind. */
+  abstract SensitiveDataClassification getClassification();
 }
 
 module SensitiveData {
@@ -89,28 +28,44 @@ module SensitiveData {
     Secret() { this = "sensitive.data.secret" }
 
     override string repr() { result = "a secret" }
+
+    override SensitiveDataClassification getClassification() {
+      result = SensitiveDataClassification::secret()
+    }
   }
 
   class Id extends SensitiveData {
     Id() { this = "sensitive.data.id" }
 
     override string repr() { result = "an ID" }
+
+    override SensitiveDataClassification getClassification() {
+      result = SensitiveDataClassification::id()
+    }
   }
 
   class Password extends SensitiveData {
     Password() { this = "sensitive.data.password" }
 
     override string repr() { result = "a password" }
+
+    override SensitiveDataClassification getClassification() {
+      result = SensitiveDataClassification::password()
+    }
   }
 
   class Certificate extends SensitiveData {
     Certificate() { this = "sensitive.data.certificate" }
 
     override string repr() { result = "a certificate or key" }
+
+    override SensitiveDataClassification getClassification() {
+      result = SensitiveDataClassification::certificate()
+    }
   }
 
   private SensitiveData fromFunction(Value func) {
-    result = HeuristicNames::getSensitiveDataForName(func.getName())
+    nameIndicatesSensitiveData(func.getName(), result.getClassification())
   }
 
   abstract class Source extends TaintSource {
@@ -134,7 +89,7 @@ module SensitiveData {
     SensitiveData data;
 
     SensitiveVariableAccess() {
-      data = HeuristicNames::getSensitiveDataForName(this.(AttrNode).getName())
+      nameIndicatesSensitiveData(this.(AttrNode).getName(), data.getClassification())
     }
 
     override predicate isSourceOf(TaintKind kind) { kind = data }
@@ -149,7 +104,7 @@ module SensitiveData {
       this.(CallNode).getFunction().(AttrNode).getName() = "get" and
       exists(StringValue sensitive |
         this.(CallNode).getAnArg().pointsTo(sensitive) and
-        data = HeuristicNames::getSensitiveDataForName(sensitive.getText())
+        nameIndicatesSensitiveData(sensitive.getText(), data.getClassification())
       )
     }
 
diff --git a/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll b/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll
new file mode 100644
index 00000000000..f747241c28e
--- /dev/null
+++ b/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll
@@ -0,0 +1,128 @@
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides classes and predicates for identifying strings that may indicate the presence of sensitive data.
+ * Such that we can share this logic across our CodeQL analysis of different languages.
+ *
+ * 'Sensitive' data in general is anything that should not be sent around in unencrypted form.
+ */
+
+/**
+ * A classification of different kinds of sensitive data:
+ *
+ *   - secret: generic secret or trusted data;
+ *   - id: a user name or other account information;
+ *   - password: a password or authorization key;
+ *   - certificate: a certificate.
+ *
+ * While classifications are represented as strings, this should not be relied upon.
+ * Instead, use the predicates in `SensitiveDataClassification::` to work with
+ * classifications.
+ */
+class SensitiveDataClassification extends string {
+  SensitiveDataClassification() { this in ["secret", "id", "password", "certificate"] }
+}
+
+/**
+ * Provides predicates to select the different kinds of sensitive data we support.
+ */
+module SensitiveDataClassification {
+  /** Gets the classification for secret or trusted data. */
+  SensitiveDataClassification secret() { result = "secret" }
+
+  /** Gets the classification for user names or other account information. */
+  SensitiveDataClassification id() { result = "id" }
+
+  /** Gets the classification for passwords or authorization keys. */
+  SensitiveDataClassification password() { result = "password" }
+
+  /** Gets the classification for certificates. */
+  SensitiveDataClassification certificate() { result = "certificate" }
+}
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides heuristics for identifying names related to sensitive information.
+ */
+module HeuristicNames {
+  /**
+   * Gets a regular expression that identifies strings that may indicate the presence of secret
+   * or trusted data.
+   */
+  string maybeSecret() { result = "(?is).*((?<!is)secret|(?<!un|is)trusted).*" }
+
+  /**
+   * Gets a regular expression that identifies strings that may indicate the presence of
+   * user names or other account information.
+   */
+  string maybeAccountInfo() {
+    result = "(?is).*acc(ou)?nt.*" or
+    result = "(?is).*(puid|username|userid).*"
+  }
+
+  /**
+   * Gets a regular expression that identifies strings that may indicate the presence of
+   * a password or an authorization key.
+   */
+  string maybePassword() {
+    result = "(?is).*pass(wd|word|code|phrase)(?!.*question).*" or
+    result = "(?is).*(auth(entication|ori[sz]ation)?)key.*"
+  }
+
+  /**
+   * Gets a regular expression that identifies strings that may indicate the presence of
+   * a certificate.
+   */
+  string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name)).*" }
+
+  /**
+   * Gets a regular expression that identifies strings that may indicate the presence
+   * of sensitive data, with `classification` describing the kind of sensitive data involved.
+   */
+  string maybeSensitiveRegexp(SensitiveDataClassification classification) {
+    result = maybeSecret() and classification = SensitiveDataClassification::secret()
+    or
+    result = maybeAccountInfo() and classification = SensitiveDataClassification::id()
+    or
+    result = maybePassword() and classification = SensitiveDataClassification::password()
+    or
+    result = maybeCertificate() and
+    classification = SensitiveDataClassification::certificate()
+  }
+
+  /**
+   * Gets a regular expression that identifies strings that may indicate the presence of data
+   * that is hashed or encrypted, and hence rendered non-sensitive.
+   */
+  string notSensitiveRegexp() {
+    result = "(?is).*(redact|censor|obfuscate|hash|md5|sha|((?<!un)(en))?(crypt|code)).*"
+  }
+
+  /**
+   * DEPRECATED: Use `maybeSensitiveRegexp` instead.
+   * Only added to aid with internal rewrite
+   */
+  deprecated predicate maybeSensitive = maybeSensitiveRegexp/1;
+
+  /**
+   * DEPRECATED: Use `notSensitiveRegexp` instead.
+   * Only added to aid with internal rewrite
+   */
+  deprecated predicate notSensitive = notSensitiveRegexp/0;
+
+  /**
+   * Holds if `name` may indicate the presence of sensitive data, and
+   * `name` does not indicate the presence of data that is hashed or encrypted, which would have
+   * rendered the data non-sensitive. `classification` describes the kind of sensitive data involved.
+   *
+   * That is, one of the rexeps from `maybeSensitiveRegexp` matches `name` (with the
+   * given classification), and none of the regexps from `notSensitiveRegexp` matches
+   * `name`.
+   */
+  bindingset[name]
+  predicate nameIndicatesSensitiveData(string name, SensitiveDataClassification classification) {
+    name.regexpMatch(maybeSensitiveRegexp(classification)) and
+    not name.regexpMatch(notSensitiveRegexp())
+  }
+}

From 775ed415923fddd565a21e39839fb35764cb8774 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 21 Apr 2021 10:44:28 +0200
Subject: [PATCH 0532/1429] Python: Update SensitiveDataHeuristics with newer
 JS version

which also prompted me to rewrite the QLDoc for `nameIndicatesSensitiveData`
---
 .../security/internal/SensitiveDataHeuristics.qll      | 10 ++++++----
 .../security/internal/SensitiveDataHeuristics.qll      | 10 ++++++----
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll b/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll
index f747241c28e..71f64d98e70 100644
--- a/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll
+++ b/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll
@@ -93,10 +93,11 @@ module HeuristicNames {
 
   /**
    * Gets a regular expression that identifies strings that may indicate the presence of data
-   * that is hashed or encrypted, and hence rendered non-sensitive.
+   * that is hashed or encrypted, and hence rendered non-sensitive, or contains special characters
+   * suggesting nouns within the string do not represent the meaning of the whole string (e.g. a URL or a SQL query).
    */
   string notSensitiveRegexp() {
-    result = "(?is).*(redact|censor|obfuscate|hash|md5|sha|((?<!un)(en))?(crypt|code)).*"
+    result = "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|((?<!un)(en))?(crypt|code)).*"
   }
 
   /**
@@ -113,8 +114,9 @@ module HeuristicNames {
 
   /**
    * Holds if `name` may indicate the presence of sensitive data, and
-   * `name` does not indicate the presence of data that is hashed or encrypted, which would have
-   * rendered the data non-sensitive. `classification` describes the kind of sensitive data involved.
+   * `name` does not indicate that the data is in fact non-sensitive (for example since
+   * it is hashed or encrypted). `classification` describes the kind of sensitive data
+   * involved.
    *
    * That is, one of the rexeps from `maybeSensitiveRegexp` matches `name` (with the
    * given classification), and none of the regexps from `notSensitiveRegexp` matches
diff --git a/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll b/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll
index f747241c28e..71f64d98e70 100644
--- a/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll
+++ b/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll
@@ -93,10 +93,11 @@ module HeuristicNames {
 
   /**
    * Gets a regular expression that identifies strings that may indicate the presence of data
-   * that is hashed or encrypted, and hence rendered non-sensitive.
+   * that is hashed or encrypted, and hence rendered non-sensitive, or contains special characters
+   * suggesting nouns within the string do not represent the meaning of the whole string (e.g. a URL or a SQL query).
    */
   string notSensitiveRegexp() {
-    result = "(?is).*(redact|censor|obfuscate|hash|md5|sha|((?<!un)(en))?(crypt|code)).*"
+    result = "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|((?<!un)(en))?(crypt|code)).*"
   }
 
   /**
@@ -113,8 +114,9 @@ module HeuristicNames {
 
   /**
    * Holds if `name` may indicate the presence of sensitive data, and
-   * `name` does not indicate the presence of data that is hashed or encrypted, which would have
-   * rendered the data non-sensitive. `classification` describes the kind of sensitive data involved.
+   * `name` does not indicate that the data is in fact non-sensitive (for example since
+   * it is hashed or encrypted). `classification` describes the kind of sensitive data
+   * involved.
    *
    * That is, one of the rexeps from `maybeSensitiveRegexp` matches `name` (with the
    * given classification), and none of the regexps from `notSensitiveRegexp` matches

From 0d08718f080b1c67ff310f0f29b13627e9c754a0 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 21 Apr 2021 11:19:33 +0200
Subject: [PATCH 0533/1429] JS: Adapt SensitiveActions to use shared lib

Although there are warnings for the new deprecated classes/predicates, the test
in javascript/ql/test/library-tests/SensitiveActions/ passes :+1:
---
 .../javascript/security/SensitiveActions.qll  | 97 +++----------------
 1 file changed, 13 insertions(+), 84 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
index 0a5a701ab82..e92229ab714 100644
--- a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
+++ b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
@@ -10,67 +10,7 @@
  */
 
 import javascript
-
-/**
- * Provides heuristics for identifying names related to sensitive information.
- *
- * INTERNAL: Do not use directly.
- */
-module HeuristicNames {
-  /**
-   * Gets a regular expression that identifies strings that may indicate the presence of secret
-   * or trusted data.
-   */
-  string maybeSecret() { result = "(?is).*((?<!is)secret|(?<!un|is)trusted).*" }
-
-  /**
-   * Gets a regular expression that identifies strings that may indicate the presence of
-   * user names or other account information.
-   */
-  string maybeAccountInfo() {
-    result = "(?is).*acc(ou)?nt.*" or
-    result = "(?is).*(puid|username|userid).*"
-  }
-
-  /**
-   * Gets a regular expression that identifies strings that may indicate the presence of
-   * a password or an authorization key.
-   */
-  string maybePassword() {
-    result = "(?is).*pass(wd|word|code|phrase)(?!.*question).*" or
-    result = "(?is).*(auth(entication|ori[sz]ation)?)key.*"
-  }
-
-  /**
-   * Gets a regular expression that identifies strings that may indicate the presence of
-   * a certificate.
-   */
-  string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name)).*" }
-
-  /**
-   * Gets a regular expression that identifies strings that may indicate the presence
-   * of sensitive data, with `classification` describing the kind of sensitive data involved.
-   */
-  string maybeSensitive(SensitiveExpr::Classification classification) {
-    result = maybeSecret() and classification = SensitiveExpr::secret()
-    or
-    result = maybeAccountInfo() and classification = SensitiveExpr::id()
-    or
-    result = maybePassword() and classification = SensitiveExpr::password()
-    or
-    result = maybeCertificate() and classification = SensitiveExpr::certificate()
-  }
-
-  /**
-   * Gets a regular expression that identifies strings that may indicate the presence of data
-   * that is hashed or encrypted, and hence rendered non-sensitive, or contains special characters
-   * suggesting nouns within the string do not represent the meaning of the whole string (e.g. a URL or a SQL query).
-   */
-  string notSensitive() {
-    result = "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|((?<!un)(en))?(crypt|code)).*"
-  }
-}
-
+import semmle.javascript.security.internal.SensitiveDataHeuristics
 private import HeuristicNames
 
 /** An expression that might contain sensitive data. */
@@ -82,33 +22,22 @@ abstract class SensitiveExpr extends Expr {
   abstract SensitiveExpr::Classification getClassification();
 }
 
-module SensitiveExpr {
-  /**
-   * A classification of different kinds of sensitive data:
-   *
-   *   - secret: generic secret or trusted data;
-   *   - id: a user name or other account information;
-   *   - password: a password or authorization key;
-   *   - certificate: a certificate.
-   *
-   * While classifications are represented as strings, this should not be relied upon.
-   * Instead, use the predicates below to work with classifications.
-   */
-  class Classification extends string {
-    Classification() { this = "secret" or this = "id" or this = "password" or this = "certificate" }
-  }
+/** DEPRECATED: Use `SensitiveDataClassification` and helpers instead. */
+deprecated module SensitiveExpr {
+  /** DEPRECATED: Use `SensitiveDataClassification` instead. */
+  deprecated class Classification = SensitiveDataClassification;
 
-  /** Gets the classification for secret or trusted data. */
-  Classification secret() { result = "secret" }
+  /** DEPRECATED: Use `SensitiveDataClassification::secret` instead. */
+  deprecated predicate secret = SensitiveDataClassification::secret/0;
 
-  /** Gets the classification for user names or other account information. */
-  Classification id() { result = "id" }
+  /** DEPRECATED: Use `SensitiveDataClassification::id` instead. */
+  deprecated predicate id = SensitiveDataClassification::id/0;
 
-  /** Gets the classification for passwords or authorization keys. */
-  Classification password() { result = "password" }
+  /** DEPRECATED: Use `SensitiveDataClassification::password` instead. */
+  deprecated predicate password = SensitiveDataClassification::password/0;
 
-  /** Gets the classification for certificates. */
-  Classification certificate() { result = "certificate" }
+  /** DEPRECATED: Use `SensitiveDataClassification::certificate` instead. */
+  deprecated predicate certificate = SensitiveDataClassification::certificate/0;
 }
 
 /** A function call that might produce sensitive data. */

From 94fec5f8b7f3a96e4fe29366186ba4779cc37dac Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 21 Apr 2021 11:22:48 +0200
Subject: [PATCH 0534/1429] JS: Rewrite to use SensitiveDataClassification

---
 .../javascript/security/SensitiveActions.qll  | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
index e92229ab714..19bb3f0c6a2 100644
--- a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
+++ b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
@@ -19,7 +19,7 @@ abstract class SensitiveExpr extends Expr {
   abstract string describe();
 
   /** Gets a classification of the kind of sensitive data this expression might contain. */
-  abstract SensitiveExpr::Classification getClassification();
+  abstract SensitiveDataClassification getClassification();
 }
 
 /** DEPRECATED: Use `SensitiveDataClassification` and helpers instead. */
@@ -42,7 +42,7 @@ deprecated module SensitiveExpr {
 
 /** A function call that might produce sensitive data. */
 class SensitiveCall extends SensitiveExpr, InvokeExpr {
-  SensitiveExpr::Classification classification;
+  SensitiveDataClassification classification;
 
   SensitiveCall() {
     classification = this.getCalleeName().(SensitiveDataFunctionName).getClassification()
@@ -57,7 +57,7 @@ class SensitiveCall extends SensitiveExpr, InvokeExpr {
 
   override string describe() { result = "a call to " + getCalleeName() }
 
-  override SensitiveExpr::Classification getClassification() { result = classification }
+  override SensitiveDataClassification getClassification() { result = classification }
 }
 
 /** An access to a variable or property that might contain sensitive data. */
@@ -81,7 +81,7 @@ abstract class SensitiveWrite extends DataFlow::Node { }
 
 /** A write to a variable or property that might contain sensitive data. */
 private class BasicSensitiveWrite extends SensitiveWrite {
-  SensitiveExpr::Classification classification;
+  SensitiveDataClassification classification;
 
   BasicSensitiveWrite() {
     exists(string name |
@@ -102,18 +102,18 @@ private class BasicSensitiveWrite extends SensitiveWrite {
   }
 
   /** Gets a classification of the kind of sensitive data the write might handle. */
-  SensitiveExpr::Classification getClassification() { result = classification }
+  SensitiveDataClassification getClassification() { result = classification }
 }
 
 /** An access to a variable or property that might contain sensitive data. */
 private class BasicSensitiveVariableAccess extends SensitiveVariableAccess {
-  SensitiveExpr::Classification classification;
+  SensitiveDataClassification classification;
 
   BasicSensitiveVariableAccess() {
     name.regexpMatch(maybeSensitive(classification)) and not name.regexpMatch(notSensitive())
   }
 
-  override SensitiveExpr::Classification getClassification() { result = classification }
+  override SensitiveDataClassification getClassification() { result = classification }
 }
 
 /** A function name that suggests it may be sensitive. */
@@ -128,16 +128,16 @@ abstract class SensitiveFunctionName extends string {
 /** A function name that suggests it may produce sensitive data. */
 abstract class SensitiveDataFunctionName extends SensitiveFunctionName {
   /** Gets a classification of the kind of sensitive data this function may produce. */
-  abstract SensitiveExpr::Classification getClassification();
+  abstract SensitiveDataClassification getClassification();
 }
 
 /** A method that might return sensitive data, based on the name. */
 class CredentialsFunctionName extends SensitiveDataFunctionName {
-  SensitiveExpr::Classification classification;
+  SensitiveDataClassification classification;
 
   CredentialsFunctionName() { this.regexpMatch(maybeSensitive(classification)) }
 
-  override SensitiveExpr::Classification getClassification() { result = classification }
+  override SensitiveDataClassification getClassification() { result = classification }
 }
 
 /**
@@ -173,7 +173,7 @@ class CleartextPasswordExpr extends SensitiveExpr {
 
   override string describe() { none() }
 
-  override SensitiveExpr::Classification getClassification() { none() }
+  override SensitiveDataClassification getClassification() { none() }
 }
 
 /**

From b6f8e5057b810988348d0bda9f4c10ef2c1fcc3f Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 21 Apr 2021 11:29:46 +0200
Subject: [PATCH 0535/1429] JS: Rewrite to use
 SensitiveDataClassification::password (and like)

---
 .../ql/src/semmle/javascript/security/SensitiveActions.qll    | 4 +++-
 .../security/dataflow/CleartextStorageCustomizations.qll      | 2 +-
 .../dataflow/InsufficientPasswordHashCustomizations.qll       | 4 +++-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
index 19bb3f0c6a2..86b552b7a59 100644
--- a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
+++ b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
@@ -169,7 +169,9 @@ class ProtectCall extends DataFlow::CallNode {
 
 /** An expression that might contain a clear-text password. */
 class CleartextPasswordExpr extends SensitiveExpr {
-  CleartextPasswordExpr() { this.(SensitiveExpr).getClassification() = SensitiveExpr::password() }
+  CleartextPasswordExpr() {
+    this.(SensitiveExpr).getClassification() = SensitiveDataClassification::password()
+  }
 
   override string describe() { none() }
 
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/CleartextStorageCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/CleartextStorageCustomizations.qll
index e365b6e74b4..e719d02d100 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/CleartextStorageCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/CleartextStorageCustomizations.qll
@@ -35,7 +35,7 @@ module CleartextStorage {
 
     SensitiveExprSource() {
       // storing user names or account names in plaintext isn't usually a problem
-      astNode.getClassification() != SensitiveExpr::id()
+      astNode.getClassification() != SensitiveDataClassification::id()
     }
 
     override string describe() { result = astNode.describe() }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/InsufficientPasswordHashCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/InsufficientPasswordHashCustomizations.qll
index d1824d25bd2..82ffe21e131 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/InsufficientPasswordHashCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/InsufficientPasswordHashCustomizations.qll
@@ -34,7 +34,9 @@ module InsufficientPasswordHash {
   class CleartextPasswordSource extends Source, DataFlow::ValueNode {
     override SensitiveExpr astNode;
 
-    CleartextPasswordSource() { astNode.getClassification() = SensitiveExpr::password() }
+    CleartextPasswordSource() {
+      astNode.getClassification() = SensitiveDataClassification::password()
+    }
 
     override string describe() { result = astNode.describe() }
   }

From b9a1a1fd5cbb357d9db36d131498e9d7102f0f35 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 21 Apr 2021 11:26:17 +0200
Subject: [PATCH 0536/1429] JS: Rewrite to use nameIndicatesSensitiveData

I added this predicate mostly because it was nice with an easy shortcut for it,
but also since I spotted the `CredentialsFunctionName` not checking agaisnt the
regexps in `notSensitive`, which looked suspicious. So the main goal of adding
`nameIndicatesSensitiveData` is that you don't accidentially forget to ensure
that the name doesn't match against `notSensitve`.
---
 .../javascript/security/SensitiveActions.qll   | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
index 86b552b7a59..5c96bf3fd7d 100644
--- a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
+++ b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
@@ -50,8 +50,7 @@ class SensitiveCall extends SensitiveExpr, InvokeExpr {
     // This is particularly to pick up methods with an argument like "password", which
     // may indicate a lookup.
     exists(string s | this.getAnArgument().mayHaveStringValue(s) |
-      s.regexpMatch(maybeSensitive(classification)) and
-      not s.regexpMatch(notSensitive())
+      nameIndicatesSensitiveData(s, classification)
     )
   }
 
@@ -84,10 +83,7 @@ private class BasicSensitiveWrite extends SensitiveWrite {
   SensitiveDataClassification classification;
 
   BasicSensitiveWrite() {
-    exists(string name |
-      name.regexpMatch(maybeSensitive(classification)) and
-      not name.regexpMatch(notSensitive())
-    |
+    exists(string name | nameIndicatesSensitiveData(name, classification) |
       exists(DataFlow::PropWrite pwn |
         pwn.getPropertyName() = name and
         pwn.getRhs() = this
@@ -109,9 +105,7 @@ private class BasicSensitiveWrite extends SensitiveWrite {
 private class BasicSensitiveVariableAccess extends SensitiveVariableAccess {
   SensitiveDataClassification classification;
 
-  BasicSensitiveVariableAccess() {
-    name.regexpMatch(maybeSensitive(classification)) and not name.regexpMatch(notSensitive())
-  }
+  BasicSensitiveVariableAccess() { nameIndicatesSensitiveData(name, classification) }
 
   override SensitiveDataClassification getClassification() { result = classification }
 }
@@ -135,7 +129,11 @@ abstract class SensitiveDataFunctionName extends SensitiveFunctionName {
 class CredentialsFunctionName extends SensitiveDataFunctionName {
   SensitiveDataClassification classification;
 
-  CredentialsFunctionName() { this.regexpMatch(maybeSensitive(classification)) }
+  CredentialsFunctionName() {
+    // TODO: is it by purpose that we don't check whether `this` does not
+    // match the regexps in `notSensitive`?
+    this.regexpMatch(maybeSensitive(classification))
+  }
 
   override SensitiveDataClassification getClassification() { result = classification }
 }

From e977d6eb7549e980983adb09398b2798939776b5 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 21 Apr 2021 11:31:03 +0200
Subject: [PATCH 0537/1429] JS: Rewrite to use notSensitiveRegexp

---
 .../security/dataflow/CleartextLoggingCustomizations.qll    | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
index b0b9632a63c..7be46b4ee98 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -54,7 +54,7 @@ module CleartextLogging {
    */
   private class NameGuidedNonCleartextPassword extends NonCleartextPassword {
     NameGuidedNonCleartextPassword() {
-      exists(string name | name.regexpMatch(notSensitive()) |
+      exists(string name | name.regexpMatch(notSensitiveRegexp()) |
         this.asExpr().(VarAccess).getName() = name
         or
         this.(DataFlow::PropRead).getPropertyName() = name
@@ -94,7 +94,7 @@ module CleartextLogging {
    * A call that might obfuscate a password, for example through hashing.
    */
   private class ObfuscatorCall extends Barrier, DataFlow::InvokeNode {
-    ObfuscatorCall() { getCalleeName().regexpMatch(notSensitive()) }
+    ObfuscatorCall() { getCalleeName().regexpMatch(notSensitiveRegexp()) }
   }
 
   /**
@@ -113,7 +113,7 @@ module CleartextLogging {
     ObjectPasswordPropertySource() {
       exists(DataFlow::PropWrite write |
         name.regexpMatch(maybePassword()) and
-        not name.regexpMatch(notSensitive()) and
+        not name.regexpMatch(notSensitiveRegexp()) and
         write = this.(DataFlow::SourceNode).getAPropertyWrite(name) and
         // avoid safe values assigned to presumably unsafe names
         not write.getRhs() instanceof NonCleartextPassword

From 08e86fdfe59ccf771a862afd00e1c56875ebf083 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 21 Apr 2021 11:38:52 +0200
Subject: [PATCH 0538/1429] JS: Make CredentialsFunctionName use
 nameIndicatesSensitiveData

Someone from JS team needs to verify that this is actually OK.
---
 .../ql/src/semmle/javascript/security/SensitiveActions.qll  | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
index 5c96bf3fd7d..d66fe65b747 100644
--- a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
+++ b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
@@ -129,11 +129,7 @@ abstract class SensitiveDataFunctionName extends SensitiveFunctionName {
 class CredentialsFunctionName extends SensitiveDataFunctionName {
   SensitiveDataClassification classification;
 
-  CredentialsFunctionName() {
-    // TODO: is it by purpose that we don't check whether `this` does not
-    // match the regexps in `notSensitive`?
-    this.regexpMatch(maybeSensitive(classification))
-  }
+  CredentialsFunctionName() { nameIndicatesSensitiveData(this, classification) }
 
   override SensitiveDataClassification getClassification() { result = classification }
 }

From f611d06ed06a1a326de70383d7b2f917baca0a76 Mon Sep 17 00:00:00 2001
From: asgerf <asgerf@github.com>
Date: Wed, 21 Apr 2021 10:53:10 +0100
Subject: [PATCH 0539/1429] JS: Add getALocalUse to cheat sheet

---
 .../data-flow-cheat-sheet-for-javascript.rst                     | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst b/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
index 1b2e5ca450b..205db1d2032 100644
--- a/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
+++ b/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
@@ -59,6 +59,7 @@ Classes and member predicates in the ``DataFlow::`` module:
     - `getStringValue <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/dataflow/DataFlow.qll/predicate.DataFlow$DataFlow$Node$getStringValue.0.html>`__ -- value of this node if it's is a string constant
     - `mayHaveBooleanValue <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/dataflow/DataFlow.qll/predicate.DataFlow$DataFlow$Node$mayHaveBooleanValue.1.html>`__ -- check if the value is ``true`` or ``false``
 - `SourceNode <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/dataflow/Sources.qll/type.Sources$SourceNode.html>`__ extends `Node <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/dataflow/DataFlow.qll/type.DataFlow$DataFlow$Node.html>`__ -- function call, parameter, object creation, or reference to a property or global variable
+    - `getALocalUse <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/dataflow/Sources.qll/predicate.Sources$SourceNode$getALocalUse.0.html>`__ -- find nodes whose value came from this node
     - `getACall <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/dataflow/Sources.qll/predicate.Sources$SourceNode$getACall.0.html>`__ -- find calls with this as the callee
     - `getAnInstantiation <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/dataflow/Sources.qll/predicate.Sources$SourceNode$getAnInstantiation.0.html>`__ -- find ``new``-calls with this as the callee
     - `getAnInvocation <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/dataflow/Sources.qll/predicate.Sources$SourceNode$getAnInvocation.0.html>`__ -- find calls or ``new``-calls with this as the callee

From 13655b5d80cda15a22eb49941be2a3ddc50e6969 Mon Sep 17 00:00:00 2001
From: edvraa <80588099+edvraa@users.noreply.github.com>
Date: Wed, 21 Apr 2021 13:08:35 +0300
Subject: [PATCH 0540/1429] Add RegExUtils

---
 .../Security/CWE/CWE-730/RegexInjection.ql    | 29 +++++-
 .../security/CWE-730/RegexInjection.expected  | 96 ++++++++++++-------
 .../security/CWE-730/RegexInjection.java      | 54 ++++++++++-
 .../query-tests/security/CWE-730/options      |  2 +-
 4 files changed, 138 insertions(+), 43 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
index 58d0d81d615..9a96805c7e5 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
@@ -21,22 +21,39 @@ class RegexSink extends DataFlow::ExprNode {
   RegexSink() {
     exists(MethodAccess ma, Method m | m = ma.getMethod() |
       (
-        ma.getArgument(0) = this.asExpr() and
+        m.getDeclaringType().hasQualifiedName("java.lang", "String") and
         (
-          m.getDeclaringType().hasQualifiedName("java.lang", "String") and
+          ma.getArgument(0) = this.asExpr() and
           (
             m.hasName("matches") or
             m.hasName("split") or
             m.hasName("replaceFirst") or
             m.hasName("replaceAll")
           )
-          or
-          m.getDeclaringType().hasQualifiedName("java.util.regex", "Pattern") and
+        )
+        or
+        m.getDeclaringType().hasQualifiedName("java.util.regex", "Pattern") and
+        (
+          ma.getArgument(0) = this.asExpr() and
           (
             m.hasName("compile") or
             m.hasName("matches")
           )
         )
+        or
+        m.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "RegExUtils") and
+        (
+          ma.getArgument(1) = this.asExpr() and
+          m.getParameterType(1).(Class).hasQualifiedName("java.lang", "String") and
+          (
+            m.hasName("removeAll") or
+            m.hasName("removeFirst") or
+            m.hasName("removePattern") or
+            m.hasName("replaceAll") or
+            m.hasName("replaceFirst") or
+            m.hasName("replacePattern")
+          )
+        )
       )
     )
   }
@@ -51,7 +68,9 @@ class RegExpSanitizationCall extends Sanitizer {
       sanitize = "(?:escape|saniti[sz]e)" and
       regexp = "regexp?"
     |
-      calleeName.regexpMatch("(?i)(" + sanitize + ".*" + regexp + ".*)" + "|(" + regexp + ".*" + sanitize + ".*)")
+      calleeName
+          .regexpMatch("(?i)(" + sanitize + ".*" + regexp + ".*)" + "|(" + regexp + ".*" + sanitize +
+              ".*)")
     )
   }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.expected
index 521a45d3d47..93961372d75 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.expected
@@ -1,39 +1,63 @@
 edges
-| RegexInjection.java:11:22:11:52 | getParameter(...) : String | RegexInjection.java:14:26:14:47 | ... + ... |
-| RegexInjection.java:18:22:18:52 | getParameter(...) : String | RegexInjection.java:21:24:21:30 | pattern |
-| RegexInjection.java:25:22:25:52 | getParameter(...) : String | RegexInjection.java:28:31:28:37 | pattern |
-| RegexInjection.java:32:22:32:52 | getParameter(...) : String | RegexInjection.java:35:29:35:35 | pattern |
-| RegexInjection.java:39:22:39:52 | getParameter(...) : String | RegexInjection.java:42:34:42:40 | pattern |
-| RegexInjection.java:49:22:49:52 | getParameter(...) : String | RegexInjection.java:52:28:52:34 | pattern |
-| RegexInjection.java:56:22:56:52 | getParameter(...) : String | RegexInjection.java:59:28:59:34 | pattern |
-| RegexInjection.java:63:22:63:52 | getParameter(...) : String | RegexInjection.java:66:36:66:42 | pattern : String |
-| RegexInjection.java:66:32:66:43 | foo(...) : String | RegexInjection.java:66:26:66:52 | ... + ... |
-| RegexInjection.java:66:36:66:42 | pattern : String | RegexInjection.java:66:32:66:43 | foo(...) : String |
+| RegexInjection.java:13:22:13:52 | getParameter(...) : String | RegexInjection.java:16:26:16:47 | ... + ... |
+| RegexInjection.java:20:22:20:52 | getParameter(...) : String | RegexInjection.java:23:24:23:30 | pattern |
+| RegexInjection.java:27:22:27:52 | getParameter(...) : String | RegexInjection.java:30:31:30:37 | pattern |
+| RegexInjection.java:34:22:34:52 | getParameter(...) : String | RegexInjection.java:37:29:37:35 | pattern |
+| RegexInjection.java:41:22:41:52 | getParameter(...) : String | RegexInjection.java:44:34:44:40 | pattern |
+| RegexInjection.java:51:22:51:52 | getParameter(...) : String | RegexInjection.java:54:28:54:34 | pattern |
+| RegexInjection.java:58:22:58:52 | getParameter(...) : String | RegexInjection.java:61:28:61:34 | pattern |
+| RegexInjection.java:65:22:65:52 | getParameter(...) : String | RegexInjection.java:68:36:68:42 | pattern : String |
+| RegexInjection.java:68:32:68:43 | foo(...) : String | RegexInjection.java:68:26:68:52 | ... + ... |
+| RegexInjection.java:68:36:68:42 | pattern : String | RegexInjection.java:68:32:68:43 | foo(...) : String |
+| RegexInjection.java:90:22:90:52 | getParameter(...) : String | RegexInjection.java:93:40:93:46 | pattern |
+| RegexInjection.java:97:22:97:52 | getParameter(...) : String | RegexInjection.java:100:42:100:48 | pattern |
+| RegexInjection.java:104:22:104:52 | getParameter(...) : String | RegexInjection.java:107:44:107:50 | pattern |
+| RegexInjection.java:111:22:111:52 | getParameter(...) : String | RegexInjection.java:114:41:114:47 | pattern |
+| RegexInjection.java:118:22:118:52 | getParameter(...) : String | RegexInjection.java:121:43:121:49 | pattern |
+| RegexInjection.java:133:22:133:52 | getParameter(...) : String | RegexInjection.java:136:45:136:51 | pattern |
 nodes
-| RegexInjection.java:11:22:11:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:14:26:14:47 | ... + ... | semmle.label | ... + ... |
-| RegexInjection.java:18:22:18:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:21:24:21:30 | pattern | semmle.label | pattern |
-| RegexInjection.java:25:22:25:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:28:31:28:37 | pattern | semmle.label | pattern |
-| RegexInjection.java:32:22:32:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:35:29:35:35 | pattern | semmle.label | pattern |
-| RegexInjection.java:39:22:39:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:42:34:42:40 | pattern | semmle.label | pattern |
-| RegexInjection.java:49:22:49:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:52:28:52:34 | pattern | semmle.label | pattern |
-| RegexInjection.java:56:22:56:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:59:28:59:34 | pattern | semmle.label | pattern |
-| RegexInjection.java:63:22:63:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:66:26:66:52 | ... + ... | semmle.label | ... + ... |
-| RegexInjection.java:66:32:66:43 | foo(...) : String | semmle.label | foo(...) : String |
-| RegexInjection.java:66:36:66:42 | pattern : String | semmle.label | pattern : String |
+| RegexInjection.java:13:22:13:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:16:26:16:47 | ... + ... | semmle.label | ... + ... |
+| RegexInjection.java:20:22:20:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:23:24:23:30 | pattern | semmle.label | pattern |
+| RegexInjection.java:27:22:27:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:30:31:30:37 | pattern | semmle.label | pattern |
+| RegexInjection.java:34:22:34:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:37:29:37:35 | pattern | semmle.label | pattern |
+| RegexInjection.java:41:22:41:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:44:34:44:40 | pattern | semmle.label | pattern |
+| RegexInjection.java:51:22:51:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:54:28:54:34 | pattern | semmle.label | pattern |
+| RegexInjection.java:58:22:58:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:61:28:61:34 | pattern | semmle.label | pattern |
+| RegexInjection.java:65:22:65:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:68:26:68:52 | ... + ... | semmle.label | ... + ... |
+| RegexInjection.java:68:32:68:43 | foo(...) : String | semmle.label | foo(...) : String |
+| RegexInjection.java:68:36:68:42 | pattern : String | semmle.label | pattern : String |
+| RegexInjection.java:90:22:90:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:93:40:93:46 | pattern | semmle.label | pattern |
+| RegexInjection.java:97:22:97:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:100:42:100:48 | pattern | semmle.label | pattern |
+| RegexInjection.java:104:22:104:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:107:44:107:50 | pattern | semmle.label | pattern |
+| RegexInjection.java:111:22:111:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:114:41:114:47 | pattern | semmle.label | pattern |
+| RegexInjection.java:118:22:118:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:121:43:121:49 | pattern | semmle.label | pattern |
+| RegexInjection.java:133:22:133:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:136:45:136:51 | pattern | semmle.label | pattern |
 #select
-| RegexInjection.java:14:26:14:47 | ... + ... | RegexInjection.java:11:22:11:52 | getParameter(...) : String | RegexInjection.java:14:26:14:47 | ... + ... | $@ is user controlled. | RegexInjection.java:11:22:11:52 | getParameter(...) | This regular expression pattern |
-| RegexInjection.java:21:24:21:30 | pattern | RegexInjection.java:18:22:18:52 | getParameter(...) : String | RegexInjection.java:21:24:21:30 | pattern | $@ is user controlled. | RegexInjection.java:18:22:18:52 | getParameter(...) | This regular expression pattern |
-| RegexInjection.java:28:31:28:37 | pattern | RegexInjection.java:25:22:25:52 | getParameter(...) : String | RegexInjection.java:28:31:28:37 | pattern | $@ is user controlled. | RegexInjection.java:25:22:25:52 | getParameter(...) | This regular expression pattern |
-| RegexInjection.java:35:29:35:35 | pattern | RegexInjection.java:32:22:32:52 | getParameter(...) : String | RegexInjection.java:35:29:35:35 | pattern | $@ is user controlled. | RegexInjection.java:32:22:32:52 | getParameter(...) | This regular expression pattern |
-| RegexInjection.java:42:34:42:40 | pattern | RegexInjection.java:39:22:39:52 | getParameter(...) : String | RegexInjection.java:42:34:42:40 | pattern | $@ is user controlled. | RegexInjection.java:39:22:39:52 | getParameter(...) | This regular expression pattern |
-| RegexInjection.java:52:28:52:34 | pattern | RegexInjection.java:49:22:49:52 | getParameter(...) : String | RegexInjection.java:52:28:52:34 | pattern | $@ is user controlled. | RegexInjection.java:49:22:49:52 | getParameter(...) | This regular expression pattern |
-| RegexInjection.java:59:28:59:34 | pattern | RegexInjection.java:56:22:56:52 | getParameter(...) : String | RegexInjection.java:59:28:59:34 | pattern | $@ is user controlled. | RegexInjection.java:56:22:56:52 | getParameter(...) | This regular expression pattern |
-| RegexInjection.java:66:26:66:52 | ... + ... | RegexInjection.java:63:22:63:52 | getParameter(...) : String | RegexInjection.java:66:26:66:52 | ... + ... | $@ is user controlled. | RegexInjection.java:63:22:63:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:16:26:16:47 | ... + ... | RegexInjection.java:13:22:13:52 | getParameter(...) : String | RegexInjection.java:16:26:16:47 | ... + ... | $@ is user controlled. | RegexInjection.java:13:22:13:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:23:24:23:30 | pattern | RegexInjection.java:20:22:20:52 | getParameter(...) : String | RegexInjection.java:23:24:23:30 | pattern | $@ is user controlled. | RegexInjection.java:20:22:20:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:30:31:30:37 | pattern | RegexInjection.java:27:22:27:52 | getParameter(...) : String | RegexInjection.java:30:31:30:37 | pattern | $@ is user controlled. | RegexInjection.java:27:22:27:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:37:29:37:35 | pattern | RegexInjection.java:34:22:34:52 | getParameter(...) : String | RegexInjection.java:37:29:37:35 | pattern | $@ is user controlled. | RegexInjection.java:34:22:34:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:44:34:44:40 | pattern | RegexInjection.java:41:22:41:52 | getParameter(...) : String | RegexInjection.java:44:34:44:40 | pattern | $@ is user controlled. | RegexInjection.java:41:22:41:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:54:28:54:34 | pattern | RegexInjection.java:51:22:51:52 | getParameter(...) : String | RegexInjection.java:54:28:54:34 | pattern | $@ is user controlled. | RegexInjection.java:51:22:51:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:61:28:61:34 | pattern | RegexInjection.java:58:22:58:52 | getParameter(...) : String | RegexInjection.java:61:28:61:34 | pattern | $@ is user controlled. | RegexInjection.java:58:22:58:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:68:26:68:52 | ... + ... | RegexInjection.java:65:22:65:52 | getParameter(...) : String | RegexInjection.java:68:26:68:52 | ... + ... | $@ is user controlled. | RegexInjection.java:65:22:65:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:93:40:93:46 | pattern | RegexInjection.java:90:22:90:52 | getParameter(...) : String | RegexInjection.java:93:40:93:46 | pattern | $@ is user controlled. | RegexInjection.java:90:22:90:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:100:42:100:48 | pattern | RegexInjection.java:97:22:97:52 | getParameter(...) : String | RegexInjection.java:100:42:100:48 | pattern | $@ is user controlled. | RegexInjection.java:97:22:97:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:107:44:107:50 | pattern | RegexInjection.java:104:22:104:52 | getParameter(...) : String | RegexInjection.java:107:44:107:50 | pattern | $@ is user controlled. | RegexInjection.java:104:22:104:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:114:41:114:47 | pattern | RegexInjection.java:111:22:111:52 | getParameter(...) : String | RegexInjection.java:114:41:114:47 | pattern | $@ is user controlled. | RegexInjection.java:111:22:111:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:121:43:121:49 | pattern | RegexInjection.java:118:22:118:52 | getParameter(...) : String | RegexInjection.java:121:43:121:49 | pattern | $@ is user controlled. | RegexInjection.java:118:22:118:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:136:45:136:51 | pattern | RegexInjection.java:133:22:133:52 | getParameter(...) : String | RegexInjection.java:136:45:136:51 | pattern | $@ is user controlled. | RegexInjection.java:133:22:133:52 | getParameter(...) | This regular expression pattern |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.java b/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.java
index c203360e105..43218202acf 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.java
@@ -6,6 +6,8 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.ServletException;
 
+import org.apache.commons.lang3.RegExUtils;
+
 public class RegexInjection extends HttpServlet {
   public boolean string1(javax.servlet.http.HttpServletRequest request) {
     String pattern = request.getParameter("pattern");
@@ -83,4 +85,54 @@ public class RegexInjection extends HttpServlet {
   String escapeSpecialRegexChars(String str) {
     return SPECIAL_REGEX_CHARS.matcher(str).replaceAll("\\\\$0");
   }
-}
\ No newline at end of file
+
+  public boolean apache1(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    return RegExUtils.removeAll(input, pattern).length() > 0;  // BAD
+  }
+
+  public boolean apache2(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    return RegExUtils.removeFirst(input, pattern).length() > 0;  // BAD
+  }
+
+  public boolean apache3(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    return RegExUtils.removePattern(input, pattern).length() > 0;  // BAD
+  }
+
+  public boolean apache4(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    return RegExUtils.replaceAll(input, pattern, "").length() > 0;  // BAD
+  }
+
+  public boolean apache5(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    return RegExUtils.replaceFirst(input, pattern, "").length() > 0;  // BAD
+  }
+
+  public boolean apache6(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    Pattern pt = (Pattern)(Object) pattern;
+    return RegExUtils.replaceFirst(input, pt, "").length() > 0;  // GOOD, Pattern compile is the sink instead
+  }
+
+  public boolean apache7(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    return RegExUtils.replacePattern(input, pattern, "").length() > 0;  // BAD
+  }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-730/options b/java/ql/test/experimental/query-tests/security/CWE-730/options
index dd125ad0f4e..73f1b5a3c3e 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-730/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-730/options
@@ -1 +1 @@
-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4
\ No newline at end of file
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-lang3-3.7
\ No newline at end of file

From 452ec8c43f005b4ee7f84cbb6b702ce82f037d3b Mon Sep 17 00:00:00 2001
From: edvraa <80588099+edvraa@users.noreply.github.com>
Date: Wed, 21 Apr 2021 13:12:53 +0300
Subject: [PATCH 0541/1429] comments

---
 .../Security/CWE/CWE-730/RegexInjection.ql             | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
index 9a96805c7e5..451e8fe816b 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
@@ -17,6 +17,9 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import DataFlow::PathGraph
 
+/**
+ * A data flow sink for untrusted user input used to construct regular expressions.
+ */
 class RegexSink extends DataFlow::ExprNode {
   RegexSink() {
     exists(MethodAccess ma, Method m | m = ma.getMethod() |
@@ -61,6 +64,10 @@ class RegexSink extends DataFlow::ExprNode {
 
 abstract class Sanitizer extends DataFlow::ExprNode { }
 
+/**
+ * A call to a function whose name suggests that it escapes regular
+ * expression meta-characters.
+ */
 class RegExpSanitizationCall extends Sanitizer {
   RegExpSanitizationCall() {
     exists(string calleeName, string sanitize, string regexp |
@@ -75,6 +82,9 @@ class RegExpSanitizationCall extends Sanitizer {
   }
 }
 
+/**
+ * A taint-tracking configuration for untrusted user input used to construct regular expressions.
+ */
 class RegexInjectionConfiguration extends TaintTracking::Configuration {
   RegexInjectionConfiguration() { this = "RegexInjectionConfiguration" }
 

From ff73c0b24783d31378b26fd3f496fd4533a6425a Mon Sep 17 00:00:00 2001
From: asgerf <asgerf@github.com>
Date: Wed, 21 Apr 2021 11:15:18 +0100
Subject: [PATCH 0542/1429] JS: Add section with access paths to cheat sheet

---
 .../data-flow-cheat-sheet-for-javascript.rst        | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst b/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
index 205db1d2032..a29d0e63ec9 100644
--- a/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
+++ b/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
@@ -165,6 +165,19 @@ String matching
 -  x.\ `regexpMatch <https://codeql.github.com/codeql-standard-libraries/javascript/predicate.string$regexpMatch.1.html>`__\ ("(?i).*escape.*") -- holds if x contains
    "escape" (case insensitive)
 
+Access paths
+------------
+
+When multiple property accesses are chained together they form what's called an "access path".
+
+To identify nodes based on access paths, use the following predicates in `AccessPath <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/GlobalAccessPaths.qll/module.GlobalAccessPaths$AccessPath.html>`__ module:
+
+- AccessPath::`getAReferenceTo <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/GlobalAccessPaths.qll/predicate.GlobalAccessPaths$AccessPath$getAReferenceTo.2.html>`__ -- find nodes that refer to the given access path
+- AccessPath::`getAnAssignmentTo <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/GlobalAccessPaths.qll/predicate.GlobalAccessPaths$AccessPath$getAnAssignmentTo.2.html>`__ -- finds nodes that are assigned to the given access path
+- AccessPath::`getAnAliasedSourceNode <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/GlobalAccessPaths.qll/predicate.GlobalAccessPaths$AccessPath$getAnAliasedSourceNode.1.html>`__ -- finds nodes that refer to the same access path
+
+``getAReferenceTo`` and ``getAnAssignmentTo`` have a 1-argument version for global access paths, and a 2-argument version for access paths starting at a given node.
+
 Type tracking
 -------------
 

From 5df85830562144b3c873ef110cd9cffbc31f4d0a Mon Sep 17 00:00:00 2001
From: asgerf <asgerf@github.com>
Date: Wed, 21 Apr 2021 11:26:06 +0100
Subject: [PATCH 0543/1429] JS: Mention isUserControlledObject

---
 .../data-flow-cheat-sheet-for-javascript.rst                     | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst b/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
index a29d0e63ec9..7d6ba99c843 100644
--- a/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
+++ b/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
@@ -132,6 +132,7 @@ System and Network
 - `PersistentReadAccess <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/Concepts.qll/type.Concepts$PersistentReadAccess.html>`__ -- reading from persistent storage, like cookies
 - `PersistentWriteAccess <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/Concepts.qll/type.Concepts$PersistentWriteAccess.html>`__ -- writing to persistent storage
 - `RemoteFlowSource <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/security/dataflow/RemoteFlowSources.qll/type.RemoteFlowSources$Cached$RemoteFlowSource.html>`__ -- source of untrusted user input
+    - `isUserControlledObject` -- is the input deserialized to a JSON-like object? (as opposed to just being a string)
 - `SystemCommandExecution <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/Concepts.qll/type.Concepts$SystemCommandExecution.html>`__ -- execution of a system command
 
 Files

From 226792c73a6cec31880a5501d0dc111783cd5746 Mon Sep 17 00:00:00 2001
From: asgerf <asgerf@github.com>
Date: Wed, 21 Apr 2021 11:33:04 +0100
Subject: [PATCH 0544/1429] JS: Expand RemoteFlowSource and move into own
 section

---
 .../data-flow-cheat-sheet-for-javascript.rst    | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst b/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
index 7d6ba99c843..79bc28f5c16 100644
--- a/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
+++ b/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
@@ -131,10 +131,23 @@ System and Network
     - `FileSystemWriteAccess <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/Concepts.qll/type.Concepts$FileSystemWriteAccess.html>`__ -- writing to the contents of a file
 - `PersistentReadAccess <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/Concepts.qll/type.Concepts$PersistentReadAccess.html>`__ -- reading from persistent storage, like cookies
 - `PersistentWriteAccess <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/Concepts.qll/type.Concepts$PersistentWriteAccess.html>`__ -- writing to persistent storage
-- `RemoteFlowSource <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/security/dataflow/RemoteFlowSources.qll/type.RemoteFlowSources$Cached$RemoteFlowSource.html>`__ -- source of untrusted user input
-    - `isUserControlledObject` -- is the input deserialized to a JSON-like object? (as opposed to just being a string)
 - `SystemCommandExecution <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/Concepts.qll/type.Concepts$SystemCommandExecution.html>`__ -- execution of a system command
 
+Untrusted Data
+--------------
+
+- `RemoteFlowSource <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/security/dataflow/RemoteFlowSources.qll/type.RemoteFlowSources$Cached$RemoteFlowSource.html>`__ -- source of untrusted user input
+    - `isUserControlledObject <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/security/dataflow/RemoteFlowSources.qll/predicate.RemoteFlowSources$Cached$RemoteFlowSource$isUserControlledObject.0.html>`__ -- is the input deserialized to a JSON-like object? (as opposed to just being a string)
+- `ClientSideRemoteFlowSource <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/security/dataflow/RemoteFlowSources.qll/type.RemoteFlowSources$Cached$ClientSideRemoteFlowSource.html>`__ extends `RemoteFlowSource <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/security/dataflow/RemoteFlowSources.qll/type.RemoteFlowSources$Cached$RemoteFlowSource.html>`__ -- input specific to the browser environment
+    - `getKind <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/security/dataflow/RemoteFlowSources.qll/predicate.RemoteFlowSources$Cached$ClientSideRemoteFlowSource$getKind.0.html>`__ -- is this derived from the ``path``, ``fragment``, ``query``, ``url``, or ``name``?
+- HTTP::`RequestInputAccess <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/frameworks/HTTP.qll/type.HTTP$HTTP$RequestInputAccess.html>`__ extends `RemoteFlowSource <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/security/dataflow/RemoteFlowSources.qll/type.RemoteFlowSources$Cached$RemoteFlowSource.html>`__ -- input from an incoming HTTP request
+    - `getKind <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/frameworks/HTTP.qll/predicate.HTTP$HTTP$RequestInputAccess$getKind.0.html>`__ -- is this derived from a ``parameter``, ``header``, ``body``, ``url``, or ``cookie``?
+- HTTP::`RequestHeaderAccess <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/frameworks/HTTP.qll/type.HTTP$HTTP$RequestHeaderAccess.html>`__ extends `RequestInputAccess <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/frameworks/HTTP.qll/type.HTTP$HTTP$RequestInputAccess.html>`__ -- access to a specific header
+    - `getAHeaderName <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/frameworks/HTTP.qll/predicate.HTTP$HTTP$RequestHeaderAccess$getAHeaderName.0.html>`__ -- the name of a header being accessed
+
+Note: some `RemoteFlowSource <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/security/dataflow/RemoteFlowSources.qll/type.RemoteFlowSources$Cached$RemoteFlowSource.html>`__ instances, such as input from a web socket,
+belong to none of the specific subcategories above.
+
 Files
 -----
 

From 9e95f6e7c1e75bebb5dbcd44789cd666ff64f0f5 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Wed, 21 Apr 2021 11:12:06 +0000
Subject: [PATCH 0545/1429] Python: Remove `typePreservingStep`

This requires a bit of explanation, so strap in.

Firstly, because we use `LocalSourceNode`s as the start and end points
of our `StepSummary::step` relation, there's no need to include
`simpleLocalFlowStep` (via `typePreservingStep`) in `smallstep`. Indeed,
since the successor node for a `step` is a `LocalSourceNode`, and local
sources never have incoming flow, this is entirely futile -- we can find
values for `mid` and `nodeTo` that satisfy the body of `step`, but
`nodeTo` will never be a `LocalSourceNode`.

With this in mind, we can simplify `smallstep` to only refer to
`jumpStep`.

This then brings the other uses of `typePreservingStep` into question.
The only other place we use this predicate is in the `TypeTracker` and
`TypeBackTracker` `smallstep` predicates. Note, however, that here we
no longer need `jumpStep` to be part of `typeTrackingStep` (as it is
already accounted for in `StepSummary::smallstep`) so we can simplify
to `simpleLocalFlowStep`. At this point, `typePreservingStep` is unused.

Finally, because of the way `smallstep` is used in `step` (inside
`StepSummary`), `nodeTo` must always be a `LocalSourceNode`, so I have
propagated this restriction to `smallstep` as well. We can always lift
this restriction later, but for now it seems like it's likely to cause
fewer surprises to have made this explicit.
---
 .../ql/src/experimental/typetracking/TypeTracker.qll   | 10 +++++-----
 .../experimental/typetracking/TypeTrackerPrivate.qll   |  8 +++-----
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/python/ql/src/experimental/typetracking/TypeTracker.qll b/python/ql/src/experimental/typetracking/TypeTracker.qll
index 46461d3e22e..1f9b2e0eab1 100644
--- a/python/ql/src/experimental/typetracking/TypeTracker.qll
+++ b/python/ql/src/experimental/typetracking/TypeTracker.qll
@@ -71,8 +71,8 @@ module StepSummary {
    * Unlike `StepSummary::step`, this predicate does not compress
    * type-preserving steps.
    */
-  predicate smallstep(Node nodeFrom, Node nodeTo, StepSummary summary) {
-    typePreservingStep(nodeFrom, nodeTo) and
+  predicate smallstep(Node nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
+    jumpStep(nodeFrom, nodeTo) and
     summary = LevelStep()
     or
     callStep(nodeFrom, nodeTo) and summary = CallStep()
@@ -225,7 +225,7 @@ class TypeTracker extends TTypeTracker {
    * heap and/or inter-procedural step from `nodeFrom` to `nodeTo`.
    */
   pragma[inline]
-  TypeTracker step(LocalSourceNode nodeFrom, Node nodeTo) {
+  TypeTracker step(LocalSourceNode nodeFrom, LocalSourceNode nodeTo) {
     exists(StepSummary summary |
       StepSummary::step(nodeFrom, nodeTo, summary) and
       result = this.append(summary)
@@ -263,7 +263,7 @@ class TypeTracker extends TTypeTracker {
       result = this.append(summary)
     )
     or
-    typePreservingStep(nodeFrom, nodeTo) and
+    simpleLocalFlowStep(nodeFrom, nodeTo) and
     result = this
   }
 }
@@ -406,7 +406,7 @@ class TypeBackTracker extends TTypeBackTracker {
       this = result.prepend(summary)
     )
     or
-    typePreservingStep(nodeFrom, nodeTo) and
+    simpleLocalFlowStep(nodeFrom, nodeTo) and
     this = result
   }
 }
diff --git a/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll b/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll
index 6469eb93d98..8fb20aacd7f 100644
--- a/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll
+++ b/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll
@@ -6,11 +6,9 @@ class Node = DataFlowPublic::Node;
 
 class LocalSourceNode = DataFlowPublic::LocalSourceNode;
 
-/** Holds if it's reasonable to expect the data flow step from `nodeFrom` to `nodeTo` to preserve types. */
-predicate typePreservingStep(Node nodeFrom, Node nodeTo) {
-  DataFlowPrivate::simpleLocalFlowStep(nodeFrom, nodeTo) or
-  DataFlowPrivate::jumpStep(nodeFrom, nodeTo)
-}
+predicate simpleLocalFlowStep = DataFlowPrivate::simpleLocalFlowStep/2;
+
+predicate jumpStep = DataFlowPrivate::jumpStep/2;
 
 /**
  * Gets the name of a possible piece of content. For Python, this is currently only attribute names,

From 489e1e94e43b61db72f4467aa8594b2fe4149943 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Wed, 21 Apr 2021 11:44:34 +0000
Subject: [PATCH 0546/1429] Python: Prevent bad joins

Adds a few unbinds to prevent bad joins from occurring.

Firstly, we never want to join `StepSummary::step` with
`TypeTracker::append` on `summary` as the first join, as the resulting
relation is absolutely massive. So we decouple the two occurrences of
`summary` by unbinding each of them.

Secondly, in some cases the node we're stepping to (`nodeTo` for type
trackers, `nodeFrom` for type backtrackers) will get joined eagerly
with the typetracker one is defining, and again this produces an
uncomfortably large intermediate join. A bit of unbinding prevents this
as well.
---
 python/ql/src/experimental/typetracking/TypeTracker.qll | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/python/ql/src/experimental/typetracking/TypeTracker.qll b/python/ql/src/experimental/typetracking/TypeTracker.qll
index 1f9b2e0eab1..d370671f140 100644
--- a/python/ql/src/experimental/typetracking/TypeTracker.qll
+++ b/python/ql/src/experimental/typetracking/TypeTracker.qll
@@ -227,8 +227,8 @@ class TypeTracker extends TTypeTracker {
   pragma[inline]
   TypeTracker step(LocalSourceNode nodeFrom, LocalSourceNode nodeTo) {
     exists(StepSummary summary |
-      StepSummary::step(nodeFrom, nodeTo, summary) and
-      result = this.append(summary)
+      StepSummary::step(nodeFrom, pragma[only_bind_out](nodeTo), pragma[only_bind_into](summary)) and
+      result = this.append(pragma[only_bind_into](summary))
     )
   }
 
@@ -370,8 +370,8 @@ class TypeBackTracker extends TTypeBackTracker {
   pragma[inline]
   TypeBackTracker step(LocalSourceNode nodeFrom, LocalSourceNode nodeTo) {
     exists(StepSummary summary |
-      StepSummary::step(nodeFrom, nodeTo, summary) and
-      this = result.prepend(summary)
+      StepSummary::step(pragma[only_bind_out](nodeFrom), nodeTo, pragma[only_bind_into](summary)) and
+      this = result.prepend(pragma[only_bind_into](summary))
     )
   }
 

From 2302c8d5fa80b49dccf1234e8acb795fa014eb8d Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Fri, 9 Apr 2021 14:23:05 +0200
Subject: [PATCH 0547/1429] Python: Model new `alias` method on django
 QuerySets

---
 .../src/semmle/python/frameworks/Django.qll   | 28 +++++++++++++++++--
 .../frameworks/django/SqlExecution.py         |  5 ++++
 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index 23c0a814a7a..8684eff5008 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -366,7 +366,7 @@ private module PrivateDjango {
               "none", "all", "filter", "exclude", "complex_filter", "union", "intersection",
               "difference", "select_for_update", "select_related", "prefetch_related", "order_by",
               "distinct", "reverse", "defer", "only", "using", "annotate", "extra", "raw",
-              "datetimes", "dates", "values", "values_list"
+              "datetimes", "dates", "values", "values_list", "alias"
             ] and
           result = [manager(), querySet()].getMember(name)
         }
@@ -386,7 +386,8 @@ private module PrivateDjango {
           /** Provides models for the `django.db.models.expressions.RawSQL` class. */
           module RawSQL {
             /**
-             * Gets a reference to the `django.db.models.expressions.RawSQL` class.
+             * Gets an instance of the `django.db.models.expressions.RawSQL` class,
+             * that was initiated with the SQL represented by `sql`.
              */
             API::Node classRef() {
               result = expressions().getMember("RawSQL")
@@ -406,7 +407,10 @@ private module PrivateDjango {
               exists(DataFlow::TypeTracker t2 | result = instance(t2, sql).track(t2, t))
             }
 
-            /** Gets an instance of the `django.db.models.expressions.RawSQL` class. */
+            /**
+             * Gets an instance of the `django.db.models.expressions.RawSQL` class,
+             * that was initiated with the SQL represented by `sql`.
+             */
             DataFlow::Node instance(ControlFlowNode sql) {
               instance(DataFlow::TypeTracker::end(), sql).flowsTo(result)
             }
@@ -435,6 +439,24 @@ private module PrivateDjango {
       override DataFlow::Node getSql() { result.asCfgNode() = sql }
     }
 
+    /**
+     * A call to the `alias` function on a model using a `RawSQL` argument.
+     *
+     * See https://docs.djangoproject.com/en/3.2/ref/models/querysets/#alias
+     */
+    private class ObjectsAlias extends SqlExecution::Range, DataFlow::CallCfgNode {
+      ControlFlowNode sql;
+
+      ObjectsAlias() {
+        this = django::db::models::querySetReturningMethod("alias").getACall() and
+        django::db::models::expressions::RawSQL::instance(sql) in [
+            this.getArg(_), this.getArgByName(_)
+          ]
+      }
+
+      override DataFlow::Node getSql() { result.asCfgNode() = sql }
+    }
+
     /**
      * A call to the `raw` function on a model.
      *
diff --git a/python/ql/test/library-tests/frameworks/django/SqlExecution.py b/python/ql/test/library-tests/frameworks/django/SqlExecution.py
index 449983fc898..8bf657d04da 100644
--- a/python/ql/test/library-tests/frameworks/django/SqlExecution.py
+++ b/python/ql/test/library-tests/frameworks/django/SqlExecution.py
@@ -19,9 +19,14 @@ class User(models.Model):
 
 def test_model():
     User.objects.raw("some sql")  # $getSql="some sql"
+
     User.objects.annotate(RawSQL("some sql"))  # $getSql="some sql"
     User.objects.annotate(RawSQL("foo"), RawSQL("bar"))  # $getSql="foo" getSql="bar"
     User.objects.annotate(val=RawSQL("some sql"))  # $getSql="some sql"
+
+    User.objects.alias(RawSQL("foo"), RawSQL("bar"))  # $getSql="foo" getSql="bar"
+    User.objects.alias(val=RawSQL("some sql"))  # $getSql="some sql"
+
     User.objects.extra("some sql")  # $getSql="some sql"
     User.objects.extra(select="select", where="where", tables="tables", order_by="order_by")  # $getSql="select" getSql="where" getSql="tables" getSql="order_by"
 

From 59c6f764575c5d0043f8053c473476c44d401b79 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 21 Apr 2021 13:55:22 +0200
Subject: [PATCH 0548/1429] Python: Add test for new response.headers in Django

See https://docs.djangoproject.com/en/3.2/ref/request-response/#setting-header-fields
---
 .../frameworks/django-v2-v3/response_test.py             | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py b/python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py
index 91252378677..e3ec0390745 100644
--- a/python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py
+++ b/python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py
@@ -49,6 +49,15 @@ def redirect_through_normal_response(request):
     resp.content = private # $ MISSING: responseBody=private
     return resp
 
+def redirect_through_normal_response_new_headers_attr(request):
+    private = "private"
+    next = request.GET.get("next")
+
+    resp = HttpResponse() # $ HttpResponse mimetype=text/html
+    resp.status_code = 302
+    resp.headers['Location'] = next # $ MISSING: redirectLocation=next
+    resp.content = private # $ MISSING: responseBody=private
+    return resp
 
 def redirect_shortcut(request):
     next = request.GET.get("next")

From be9cbd79d60a62cb6d5bb957508274916270c30f Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 21 Apr 2021 13:58:34 +0200
Subject: [PATCH 0549/1429] Python: Add change-note for Django 3.2 support

---
 python/change-notes/2021-04-21-django-v3.2.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 python/change-notes/2021-04-21-django-v3.2.md

diff --git a/python/change-notes/2021-04-21-django-v3.2.md b/python/change-notes/2021-04-21-django-v3.2.md
new file mode 100644
index 00000000000..91fee509f7a
--- /dev/null
+++ b/python/change-notes/2021-04-21-django-v3.2.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Modeling of Django has been updated to handle new 3.2 release, by supporting the new `QuerySet.alias()` method, which can be a sink for SQL injection.

From f9599da32d1cbeb0be1c6bd42480d797895aef55 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Wed, 21 Apr 2021 14:24:15 +0200
Subject: [PATCH 0550/1429] Java/C#: Move a couple of flow summary tweaks to
 the shared implementation.

---
 .../csharp/dataflow/internal/FlowSummaryImpl.qll     | 12 ++++++++++++
 .../code/java/dataflow/internal/DataFlowUtil.qll     |  8 --------
 .../code/java/dataflow/internal/FlowSummaryImpl.qll  | 12 ++++++++++++
 .../java/dataflow/internal/TaintTrackingUtil.qll     |  3 +--
 4 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
index 3c8c94c913c..bdf5498d8c6 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
@@ -446,7 +446,19 @@ module Private {
         summary(c, inputContents, outputContents, preservesValue) and
         pred = summaryNodeInputState(c, inputContents) and
         succ = summaryNodeOutputState(c, outputContents)
+      |
+        preservesValue = true
+        or
+        preservesValue = false and not summary(c, inputContents, outputContents, true)
       )
+      or
+      // If flow through a method updates a parameter from some input A, and that
+      // parameter also is returned through B, then we'd like a combined flow from A
+      // to B as well. As an example, this simplifies modeling of fluent methods:
+      // for `StringBuilder.append(x)` with a specified value flow from qualifier to
+      // return value and taint flow from argument 0 to the qualifier, then this
+      // allows us to infer taint flow from argument 0 to the return value.
+      summaryPostUpdateNode(pred, succ) and preservesValue = true
     }
 
     /**
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
index 47743caf668..2ad09574015 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
@@ -150,14 +150,6 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {
   )
   or
   FlowSummaryImpl::Private::Steps::summaryLocalStep(node1, node2, true)
-  or
-  // If flow through a method updates a parameter from some input A, and that
-  // parameter also is returned through B, then we'd like a combined flow from A
-  // to B as well. As an example, this simplifies modeling of fluent methods:
-  // for `StringBuilder.append(x)` with a specified value flow from qualifier to
-  // return value and taint flow from argument 0 to the qualifier, then this
-  // allows us to infer taint flow from argument 0 to the return value.
-  node1.(SummaryNode).(PostUpdateNode).getPreUpdateNode().(ParameterNode) = node2
 }
 
 /**
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
index 3c8c94c913c..bdf5498d8c6 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
@@ -446,7 +446,19 @@ module Private {
         summary(c, inputContents, outputContents, preservesValue) and
         pred = summaryNodeInputState(c, inputContents) and
         succ = summaryNodeOutputState(c, outputContents)
+      |
+        preservesValue = true
+        or
+        preservesValue = false and not summary(c, inputContents, outputContents, true)
       )
+      or
+      // If flow through a method updates a parameter from some input A, and that
+      // parameter also is returned through B, then we'd like a combined flow from A
+      // to B as well. As an example, this simplifies modeling of fluent methods:
+      // for `StringBuilder.append(x)` with a specified value flow from qualifier to
+      // return value and taint flow from argument 0 to the qualifier, then this
+      // allows us to infer taint flow from argument 0 to the return value.
+      summaryPostUpdateNode(pred, succ) and preservesValue = true
     }
 
     /**
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index 9dc5d8f24b7..f9278ab815e 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -57,8 +57,7 @@ predicate localAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
     sink.(DataFlow::ImplicitVarargsArray).getCall() = arg.getCall()
   )
   or
-  FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, false) and
-  not FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, true)
+  FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, false)
 }
 
 /**

From e25305e3cc3396aed4dd694cbb615da141b5302b Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 21 Apr 2021 14:25:54 +0200
Subject: [PATCH 0551/1429] Java: Introduce LoC summary metric query

---
 java/ql/src/Metrics/Summaries/LinesOfCode.ql        | 13 +++++++++++++
 java/ql/test/query-tests/Metrics/A.java             |  9 +++++++++
 .../test/query-tests/Metrics/LinesOfCode.expected   |  1 +
 java/ql/test/query-tests/Metrics/LinesOfCode.qlref  |  1 +
 4 files changed, 24 insertions(+)
 create mode 100644 java/ql/src/Metrics/Summaries/LinesOfCode.ql
 create mode 100644 java/ql/test/query-tests/Metrics/A.java
 create mode 100644 java/ql/test/query-tests/Metrics/LinesOfCode.expected
 create mode 100644 java/ql/test/query-tests/Metrics/LinesOfCode.qlref

diff --git a/java/ql/src/Metrics/Summaries/LinesOfCode.ql b/java/ql/src/Metrics/Summaries/LinesOfCode.ql
new file mode 100644
index 00000000000..9a90242e3cb
--- /dev/null
+++ b/java/ql/src/Metrics/Summaries/LinesOfCode.ql
@@ -0,0 +1,13 @@
+/**
+ * @id java/summary/lines-of-code
+ * @name Total lines of code in the database
+ * @description The total number of lines of code across all files. This is a useful metric of the size of a database.
+ *              For all files that were seen during the build, this query counts the lines of code, excluding whitespace
+ *              or comments.
+ * @kind metric
+ * @tags summary
+ */
+
+import java
+
+select sum(File f, int i | i = f.getNumberOfLinesOfCode() | i)
diff --git a/java/ql/test/query-tests/Metrics/A.java b/java/ql/test/query-tests/Metrics/A.java
new file mode 100644
index 00000000000..2e481416966
--- /dev/null
+++ b/java/ql/test/query-tests/Metrics/A.java
@@ -0,0 +1,9 @@
+public class A {
+  public void M() {
+    //some comment
+  }
+
+  /* public void M() {
+    //some comment
+  } */
+}
diff --git a/java/ql/test/query-tests/Metrics/LinesOfCode.expected b/java/ql/test/query-tests/Metrics/LinesOfCode.expected
new file mode 100644
index 00000000000..b5a514b9ffa
--- /dev/null
+++ b/java/ql/test/query-tests/Metrics/LinesOfCode.expected
@@ -0,0 +1 @@
+| 4 |
diff --git a/java/ql/test/query-tests/Metrics/LinesOfCode.qlref b/java/ql/test/query-tests/Metrics/LinesOfCode.qlref
new file mode 100644
index 00000000000..4c00f1205cd
--- /dev/null
+++ b/java/ql/test/query-tests/Metrics/LinesOfCode.qlref
@@ -0,0 +1 @@
+Metrics/Summaries/LinesOfCode.ql

From 2c9a6e7befafffd20bab6b5954656b11131c823b Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Wed, 21 Apr 2021 13:45:58 +0100
Subject: [PATCH 0552/1429] JS: Cache function-wrapping steps in type-tracking
 stage

---
 .../semmle/javascript/dataflow/DataFlow.qll   | 125 +--------------
 .../internal/FunctionWrapperSteps.qll         | 144 ++++++++++++++++++
 .../javascript/internal/CachedStages.qll      |   2 +
 3 files changed, 147 insertions(+), 124 deletions(-)
 create mode 100644 javascript/ql/src/semmle/javascript/dataflow/internal/FunctionWrapperSteps.qll

diff --git a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
index 76c42cd16cf..2bcee954cbc 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -1682,130 +1682,7 @@ module DataFlow {
   import Configuration
   import TrackedNodes
   import TypeTracking
+  import internal.FunctionWrapperSteps
 
   predicate localTaintStep = TaintTracking::localTaintStep/2;
-
-  private predicate forwardsParameter(
-    DataFlow::FunctionNode function, int i, DataFlow::CallNode call
-  ) {
-    exists(DataFlow::ParameterNode parameter | parameter = function.getParameter(i) |
-      not parameter.isRestParameter() and
-      parameter.flowsTo(call.getArgument(i))
-      or
-      parameter.isRestParameter() and
-      parameter.flowsTo(call.getASpreadArgument())
-    )
-  }
-
-  /**
-   * Holds if the function in `succ` forwards all its arguments to a call to `pred` and returns
-   * its result. This can thus be seen as a step `pred -> succ` used for tracking function values
-   * through "wrapper functions", since the `succ` function partially replicates behavior of `pred`.
-   *
-   * Examples:
-   * ```js
-   * function f(x) {
-   *   return g(x); // step: g -> f
-   * }
-   *
-   * function doExec(x) {
-   *   console.log(x);
-   *   return exec(x); // step: exec -> doExec
-   * }
-   *
-   * function doEither(x, y) {
-   *   if (x > y) {
-   *     return foo(x, y); // step: foo -> doEither
-   *   } else {
-   *     return bar(x, y); // step: bar -> doEither
-   *   }
-   * }
-   *
-   * function wrapWithLogging(f) {
-   *   return (x) => {
-   *     console.log(x);
-   *     return f(x); // step: f -> anonymous function
-   *   }
-   * }
-   * wrapWithLogging(g); // step: g -> wrapWithLogging(g)
-   * ```
-   */
-  predicate functionForwardingStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(DataFlow::FunctionNode function, DataFlow::CallNode call |
-      call.flowsTo(function.getReturnNode()) and
-      forall(int i | exists([call.getArgument(i), function.getParameter(i)]) |
-        forwardsParameter(function, i, call)
-      ) and
-      pred = call.getCalleeNode() and
-      succ = function
-    )
-    or
-    // Given a generic wrapper function like,
-    //
-    //   function wrap(f) { return (x, y) => f(x, y) };
-    //
-    // add steps through calls to that function: `g -> wrap(g)`
-    exists(DataFlow::FunctionNode wrapperFunction, SourceNode param, Node paramUse |
-      FlowSteps::argumentPassing(succ, pred, wrapperFunction.getFunction(), param) and
-      param.flowsTo(paramUse) and
-      functionForwardingStep(paramUse, wrapperFunction.getReturnNode().getALocalSource())
-    )
-  }
-
-  /**
-   * Holds if the function in `succ` forwards all its arguments to a call to `pred`.
-   * This can thus be seen as a step `pred -> succ` used for tracking function values
-   * through "wrapper functions", since the `succ` function partially replicates behavior of `pred`.
-   *
-   * This is similar to `functionForwardingStep` except the innermost forwarding call does not
-   * need flow to the return value; this can be useful for tracking callback-style functions
-   * where the result tends to be unused.
-   *
-   * Examples:
-   * ```js
-   * function f(x, callback) {
-   *   g(x, callback); // step: g -> f
-   * }
-   *
-   * function doExec(x, callback) {
-   *   console.log(x);
-   *   exec(x, callback); // step: exec -> doExec
-   * }
-   *
-   * function doEither(x, y) {
-   *   if (x > y) {
-   *     return foo(x, y); // step: foo -> doEither
-   *   } else {
-   *     return bar(x, y); // step: bar -> doEither
-   *   }
-   * }
-   *
-   * function wrapWithLogging(f) {
-   *   return (x) => {
-   *     console.log(x);
-   *     return f(x); // step: f -> anonymous function
-   *   }
-   * }
-   * wrapWithLogging(g); // step: g -> wrapWithLogging(g)
-   * ```
-   */
-  predicate functionOneWayForwardingStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(DataFlow::FunctionNode function, DataFlow::CallNode call |
-      call.getContainer() = function.getFunction() and
-      forall(int i | exists(function.getParameter(i)) | forwardsParameter(function, i, call)) and
-      pred = call.getCalleeNode() and
-      succ = function
-    )
-    or
-    // Given a generic wrapper function like,
-    //
-    //   function wrap(f) { return (x, y) => f(x, y) };
-    //
-    // add steps through calls to that function: `g -> wrap(g)`
-    exists(DataFlow::FunctionNode wrapperFunction, SourceNode param, Node paramUse |
-      FlowSteps::argumentPassing(succ, pred, wrapperFunction.getFunction(), param) and
-      param.flowsTo(paramUse) and
-      functionOneWayForwardingStep(paramUse, wrapperFunction.getReturnNode().getALocalSource())
-    )
-  }
 }
diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/FunctionWrapperSteps.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/FunctionWrapperSteps.qll
new file mode 100644
index 00000000000..c0f8b36e645
--- /dev/null
+++ b/javascript/ql/src/semmle/javascript/dataflow/internal/FunctionWrapperSteps.qll
@@ -0,0 +1,144 @@
+private import javascript
+
+private import FlowSteps as FlowSteps
+private import semmle.javascript.internal.CachedStages
+
+cached
+private module Cached {
+  private predicate forwardsParameter(
+    DataFlow::FunctionNode function, int i, DataFlow::CallNode call
+  ) {
+    exists(DataFlow::ParameterNode parameter | parameter = function.getParameter(i) |
+      not parameter.isRestParameter() and
+      parameter.flowsTo(call.getArgument(i))
+      or
+      parameter.isRestParameter() and
+      parameter.flowsTo(call.getASpreadArgument())
+    )
+  }
+
+  cached
+  private module Stage {
+    // Forces the module to be computed as part of the type-tracking stage.
+    cached
+    predicate forceStage() {
+      Stages::TypeTracking::ref()
+    }
+  }
+
+  /**
+   * Holds if the function in `succ` forwards all its arguments to a call to `pred` and returns
+   * its result. This can thus be seen as a step `pred -> succ` used for tracking function values
+   * through "wrapper functions", since the `succ` function partially replicates behavior of `pred`.
+   *
+   * Examples:
+   * ```js
+   * function f(x) {
+   *   return g(x); // step: g -> f
+   * }
+   *
+   * function doExec(x) {
+   *   console.log(x);
+   *   return exec(x); // step: exec -> doExec
+   * }
+   *
+   * function doEither(x, y) {
+   *   if (x > y) {
+   *     return foo(x, y); // step: foo -> doEither
+   *   } else {
+   *     return bar(x, y); // step: bar -> doEither
+   *   }
+   * }
+   *
+   * function wrapWithLogging(f) {
+   *   return (x) => {
+   *     console.log(x);
+   *     return f(x); // step: f -> anonymous function
+   *   }
+   * }
+   * wrapWithLogging(g); // step: g -> wrapWithLogging(g)
+   * ```
+   */
+  cached
+  predicate functionForwardingStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::FunctionNode function, DataFlow::CallNode call |
+      call.flowsTo(function.getReturnNode()) and
+      forall(int i | exists([call.getArgument(i), function.getParameter(i)]) |
+        forwardsParameter(function, i, call)
+      ) and
+      pred = call.getCalleeNode() and
+      succ = function
+    )
+    or
+    // Given a generic wrapper function like,
+    //
+    //   function wrap(f) { return (x, y) => f(x, y) };
+    //
+    // add steps through calls to that function: `g -> wrap(g)`
+    exists(DataFlow::FunctionNode wrapperFunction, DataFlow::SourceNode param, DataFlow::Node paramUse |
+      FlowSteps::argumentPassing(succ, pred, wrapperFunction.getFunction(), param) and
+      param.flowsTo(paramUse) and
+      functionForwardingStep(paramUse, wrapperFunction.getReturnNode().getALocalSource())
+    )
+  }
+
+  /**
+   * Holds if the function in `succ` forwards all its arguments to a call to `pred`.
+   * This can thus be seen as a step `pred -> succ` used for tracking function values
+   * through "wrapper functions", since the `succ` function partially replicates behavior of `pred`.
+   *
+   * This is similar to `functionForwardingStep` except the innermost forwarding call does not
+   * need flow to the return value; this can be useful for tracking callback-style functions
+   * where the result tends to be unused.
+   *
+   * Examples:
+   * ```js
+   * function f(x, callback) {
+   *   g(x, callback); // step: g -> f
+   * }
+   *
+   * function doExec(x, callback) {
+   *   console.log(x);
+   *   exec(x, callback); // step: exec -> doExec
+   * }
+   *
+   * function doEither(x, y) {
+   *   if (x > y) {
+   *     return foo(x, y); // step: foo -> doEither
+   *   } else {
+   *     return bar(x, y); // step: bar -> doEither
+   *   }
+   * }
+   *
+   * function wrapWithLogging(f) {
+   *   return (x) => {
+   *     console.log(x);
+   *     return f(x); // step: f -> anonymous function
+   *   }
+   * }
+   * wrapWithLogging(g); // step: g -> wrapWithLogging(g)
+   * ```
+   */
+  cached
+  predicate functionOneWayForwardingStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::FunctionNode function, DataFlow::CallNode call |
+      call.getContainer() = function.getFunction() and
+      forall(int i | exists(function.getParameter(i)) | forwardsParameter(function, i, call)) and
+      pred = call.getCalleeNode() and
+      succ = function
+    )
+    or
+    // Given a generic wrapper function like,
+    //
+    //   function wrap(f) { return (x, y) => f(x, y) };
+    //
+    // add steps through calls to that function: `g -> wrap(g)`
+    exists(DataFlow::FunctionNode wrapperFunction, DataFlow::SourceNode param, DataFlow::Node paramUse |
+      FlowSteps::argumentPassing(succ, pred, wrapperFunction.getFunction(), param) and
+      param.flowsTo(paramUse) and
+      functionOneWayForwardingStep(paramUse, wrapperFunction.getReturnNode().getALocalSource())
+    )
+  }
+}
+
+import Cached
diff --git a/javascript/ql/src/semmle/javascript/internal/CachedStages.qll b/javascript/ql/src/semmle/javascript/internal/CachedStages.qll
index 6980a6eef7f..a48cb8ed5e0 100644
--- a/javascript/ql/src/semmle/javascript/internal/CachedStages.qll
+++ b/javascript/ql/src/semmle/javascript/internal/CachedStages.qll
@@ -196,6 +196,8 @@ module Stages {
       exists(any(DataFlow::TypeTracker t).append(_))
       or
       exists(any(DataFlow::TypeBackTracker t).prepend(_))
+      or
+      DataFlow::functionForwardingStep(_, _)
     }
   }
 

From 71780228ae4011e1bb5c76444abcd64203de0d34 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Wed, 21 Apr 2021 11:53:13 +0000
Subject: [PATCH 0553/1429] Python: Rename `TypeTrackerPrivate.qll`

---
 python/ql/src/experimental/typetracking/TypeTracker.qll       | 2 +-
 .../{TypeTrackerPrivate.qll => TypeTrackerSpecific.qll}       | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
 rename python/ql/src/experimental/typetracking/{TypeTrackerPrivate.qll => TypeTrackerSpecific.qll} (96%)

diff --git a/python/ql/src/experimental/typetracking/TypeTracker.qll b/python/ql/src/experimental/typetracking/TypeTracker.qll
index d370671f140..3dba23fc0c1 100644
--- a/python/ql/src/experimental/typetracking/TypeTracker.qll
+++ b/python/ql/src/experimental/typetracking/TypeTracker.qll
@@ -1,6 +1,6 @@
 /** Step Summaries and Type Tracking */
 
-private import TypeTrackerPrivate
+private import TypeTrackerSpecific
 
 /**
  * Any string that may appear as the name of a piece of content. This will usually include things like:
diff --git a/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll b/python/ql/src/experimental/typetracking/TypeTrackerSpecific.qll
similarity index 96%
rename from python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll
rename to python/ql/src/experimental/typetracking/TypeTrackerSpecific.qll
index 8fb20aacd7f..0065223f805 100644
--- a/python/ql/src/experimental/typetracking/TypeTrackerPrivate.qll
+++ b/python/ql/src/experimental/typetracking/TypeTrackerSpecific.qll
@@ -1,3 +1,7 @@
+/**
+ * Provides Python-specific definitions for use in the type tracker library.
+ */
+
 private import python
 private import semmle.python.dataflow.new.internal.DataFlowPublic as DataFlowPublic
 private import semmle.python.dataflow.new.internal.DataFlowPrivate as DataFlowPrivate

From 9c72e73a8297d72f6665e63e696d7a31656a39aa Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <owen-mc@github.com>
Date: Wed, 21 Apr 2021 14:55:37 +0100
Subject: [PATCH 0554/1429] Make ExecTainted easier to extend

To add a method that executes a command, you can now define a class
extending ExecMethod.
---
 java/ql/src/semmle/code/java/JDK.qll              |  5 +++--
 .../semmle/code/java/frameworks/apache/Exec.qll   |  5 +++--
 .../semmle/code/java/security/ExternalProcess.qll | 15 +++++++--------
 3 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/java/ql/src/semmle/code/java/JDK.qll b/java/ql/src/semmle/code/java/JDK.qll
index 7bc072e177c..4d9e2bbc2d7 100644
--- a/java/ql/src/semmle/code/java/JDK.qll
+++ b/java/ql/src/semmle/code/java/JDK.qll
@@ -3,6 +3,7 @@
  */
 
 import Member
+import semmle.code.java.security.ExternalProcess
 
 // --- Standard types ---
 /** The class `java.lang.Object`. */
@@ -179,7 +180,7 @@ class TypeFile extends Class {
 /**
  * Any of the methods named `command` on class `java.lang.ProcessBuilder`.
  */
-class MethodProcessBuilderCommand extends Method {
+class MethodProcessBuilderCommand extends ExecMethod {
   MethodProcessBuilderCommand() {
     hasName("command") and
     getDeclaringType() instanceof TypeProcessBuilder
@@ -189,7 +190,7 @@ class MethodProcessBuilderCommand extends Method {
 /**
  * Any method named `exec` on class `java.lang.Runtime`.
  */
-class MethodRuntimeExec extends Method {
+class MethodRuntimeExec extends ExecMethod {
   MethodRuntimeExec() {
     hasName("exec") and
     getDeclaringType() instanceof TypeRuntime
diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Exec.qll b/java/ql/src/semmle/code/java/frameworks/apache/Exec.qll
index e24428d6fdc..b12887e5634 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Exec.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Exec.qll
@@ -1,18 +1,19 @@
 /* Definitions related to the Apache Commons Exec library. */
 import semmle.code.java.Type
+import semmle.code.java.security.ExternalProcess
 
 library class TypeCommandLine extends Class {
   TypeCommandLine() { hasQualifiedName("org.apache.commons.exec", "CommandLine") }
 }
 
-library class MethodCommandLineParse extends Method {
+library class MethodCommandLineParse extends ExecMethod {
   MethodCommandLineParse() {
     getDeclaringType() instanceof TypeCommandLine and
     hasName("parse")
   }
 }
 
-library class MethodCommandLineAddArguments extends Method {
+library class MethodCommandLineAddArguments extends ExecMethod {
   MethodCommandLineAddArguments() {
     getDeclaringType() instanceof TypeCommandLine and
     hasName("addArguments")
diff --git a/java/ql/src/semmle/code/java/security/ExternalProcess.qll b/java/ql/src/semmle/code/java/security/ExternalProcess.qll
index 93d7acd8153..6b098a2d0e8 100644
--- a/java/ql/src/semmle/code/java/security/ExternalProcess.qll
+++ b/java/ql/src/semmle/code/java/security/ExternalProcess.qll
@@ -3,6 +3,11 @@ import semmle.code.java.Member
 import semmle.code.java.JDK
 import semmle.code.java.frameworks.apache.Exec
 
+/**
+ * A method that executes a command.
+ */
+abstract class ExecMethod extends Method { }
+
 /**
  * An expression used as an argument to a call that executes an external command. For calls to
  * varargs method calls, this only includes the first argument, which will be the command
@@ -10,15 +15,9 @@ import semmle.code.java.frameworks.apache.Exec
  */
 class ArgumentToExec extends Expr {
   ArgumentToExec() {
-    exists(MethodAccess execCall, Method method |
+    exists(MethodAccess execCall, ExecMethod method |
       execCall.getArgument(0) = this and
-      method = execCall.getMethod() and
-      (
-        method instanceof MethodRuntimeExec or
-        method instanceof MethodProcessBuilderCommand or
-        method instanceof MethodCommandLineParse or
-        method instanceof MethodCommandLineAddArguments
-      )
+      method = execCall.getMethod()
     )
     or
     exists(ConstructorCall expr, Constructor cons |

From a0f5e45ae9cd379b7410d86bb691ef04662a6b5e Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 21 Apr 2021 14:53:36 +0200
Subject: [PATCH 0555/1429] C#: Fix special case of default argument value
 extraction

---
 .../Semmle.Extraction.CSharp/Entities/Expression.cs    | 10 ++++++++++
 .../errorrecovery/DiagnosticsAndErrors.expected        |  1 +
 2 files changed, 11 insertions(+)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
index 6d36dded801..103ea8cacda 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
@@ -193,6 +193,16 @@ namespace Semmle.Extraction.CSharp.Entities
                 return Default.CreateGenerated(cx, parent, childIndex, location, parameter.Type.IsReferenceType ? ValueAsString(null) : null);
             }
 
+            if (parameter.Type.SpecialType == SpecialType.System_Object)
+            {
+                // this can happen in VB.NET
+                cx.ExtractionError($"Extracting default argument value 'object {parameter.Name} = default' instead of 'object {parameter.Name} = {defaultValue}'. The latter is not supported in C#.",
+                    null, null, severity: Util.Logging.Severity.Warning);
+
+                // we're generating a default expression:
+                return Default.CreateGenerated(cx, parent, childIndex, location, ValueAsString(null));
+            }
+
             // const literal:
             return Literal.CreateGenerated(cx, parent, childIndex, parameter.Type, defaultValue, location);
         }
diff --git a/csharp/ql/test/library-tests/standalone/errorrecovery/DiagnosticsAndErrors.expected b/csharp/ql/test/library-tests/standalone/errorrecovery/DiagnosticsAndErrors.expected
index ff6d7e236a4..13bdd30b1c4 100644
--- a/csharp/ql/test/library-tests/standalone/errorrecovery/DiagnosticsAndErrors.expected
+++ b/csharp/ql/test/library-tests/standalone/errorrecovery/DiagnosticsAndErrors.expected
@@ -1,2 +1,3 @@
 compilationMessages
 extractorMessages
+| file://:0:0:0:0 | Extracting default argument value 'object RecordNumber = default' instead of 'object RecordNumber = -1'. The latter is not supported in C#. |

From 6589460357229d5340539ae8e9b4442460a70902 Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Tue, 16 Feb 2021 12:21:57 +0000
Subject: [PATCH 0556/1429] Add models for Commons ToStringBuilder

These don't include support for reflectionToString yet, which is coming up in a subsequent PR.
---
 .../code/java/frameworks/apache/Lang.qll      |  34 +++
 .../ToStringBuilderTest.java                  |  37 +++
 .../lang3/builder/ToStringBuilder.java        | 275 ++++++++++++++++++
 .../commons/lang3/builder/ToStringStyle.java  | 102 +++++++
 4 files changed, 448 insertions(+)
 create mode 100644 java/ql/test/library-tests/frameworks/apache-commons-lang3/ToStringBuilderTest.java
 create mode 100644 java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/builder/ToStringBuilder.java
 create mode 100644 java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/builder/ToStringStyle.java

diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
index 670014e0f8f..935b6347ec5 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
@@ -637,3 +637,37 @@ private class ApacheObjectUtilsModel extends SummaryModelCsv {
       ]
   }
 }
+
+private class ApacheToStringBuilderModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;toString;;;Argument[-1];ReturnValue;taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.Object);;Argument;ReturnValue;taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.Object);;Argument;Argument[-1];taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.Object[]);;Argument;ReturnValue;taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.Object[]);;Argument;Argument[-1];taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[]);;Argument;ReturnValue;taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[]);;Argument;Argument[-1];taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,boolean);;Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,boolean);;Argument[0];Argument[-1];taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object);;Argument;ReturnValue;taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object);;Argument;Argument[-1];taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[],boolean);;Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[],boolean);;Argument[0];Argument[-1];taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[],boolean);;Argument[1];ReturnValue;taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[],boolean);;Argument[1];Argument[-1];taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;build;;;Argument[-1];ReturnValue;taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;getStringBuffer;;;Argument[-1];ReturnValue;taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;appendToString;;;Argument;ReturnValue;taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;appendToString;;;Argument;Argument[-1];taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;appendSuper;;;Argument;ReturnValue;taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;appendSuper;;;Argument;Argument[-1];taint",
+        // The following are value-preserving steps for fluent methods:
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;appendAsObjectToString;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;appendSuper;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;appendToString;;;Argument[-1];ReturnValue;value"
+      ]
+  }
+}
diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/ToStringBuilderTest.java b/java/ql/test/library-tests/frameworks/apache-commons-lang3/ToStringBuilderTest.java
new file mode 100644
index 00000000000..ed2e4400dd7
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/apache-commons-lang3/ToStringBuilderTest.java
@@ -0,0 +1,37 @@
+import org.apache.commons.lang3.builder.ToStringBuilder;
+
+class ToStringBuilderTest {
+    String taint() { return "tainted"; }
+
+    void sink(Object o) {}
+
+    void test() throws Exception {
+
+        ToStringBuilder sb1 = new ToStringBuilder(null); sb1.append((Object)taint()); sink(sb1.toString()); // $hasTaintFlow
+        ToStringBuilder sb2 = new ToStringBuilder(null); sb2.append(new Object[] { taint() }); sink(sb2.toString()); // $hasTaintFlow
+        ToStringBuilder sb3 = new ToStringBuilder(null); sb3.append(taint(), true); sink(sb3.toString()); // $hasTaintFlow
+        ToStringBuilder sb4 = new ToStringBuilder(null); sb4.append("fieldname", taint()); sink(sb4.toString()); // $hasTaintFlow
+        ToStringBuilder sb5 = new ToStringBuilder(null); sb5.append("fieldname", new Object[] { taint() }); sink(sb5.toString()); // $hasTaintFlow
+        ToStringBuilder sb6 = new ToStringBuilder(null); sb6.append("fieldname", new Object[] { taint() }, true); sink(sb6.toString()); // $hasTaintFlow
+        // GOOD: this appends an Object using the Object.toString style, which does not expose fields or String content.
+        ToStringBuilder sb7 = new ToStringBuilder(null); sb7.appendAsObjectToString(taint()); sink(sb7.toString());
+        ToStringBuilder sb8 = new ToStringBuilder(null); sb8.appendSuper(taint()); sink(sb8.toString()); // $hasTaintFlow
+        ToStringBuilder sb9 = new ToStringBuilder(null); sb9.appendToString(taint()); sink(sb9.toString()); // $hasTaintFlow
+        ToStringBuilder sb10 = new ToStringBuilder(null); sb10.append((Object)taint()); sink(sb10.build()); // $hasTaintFlow
+        ToStringBuilder sb11 = new ToStringBuilder(null); sb11.append((Object)taint()); sink(sb11.getStringBuffer().toString()); // $hasTaintFlow
+
+        // Test fluent methods:
+        ToStringBuilder fluentTest = new ToStringBuilder(null);
+        sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $hasTaintFlow
+
+        ToStringBuilder fluentBackflowTest = new ToStringBuilder(null);
+        fluentBackflowTest.append("Harmless").append(taint()).append("Also harmless");
+        sink(fluentBackflowTest.toString()); // $hasTaintFlow
+
+        // Test the case where the fluent method contributing taint is at the end of a statement:
+        ToStringBuilder fluentBackflowTest2 = new ToStringBuilder(null);
+        fluentBackflowTest2.append("Harmless").append(taint());
+        sink(fluentBackflowTest2.toString()); // $hasTaintFlow
+
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/builder/ToStringBuilder.java b/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/builder/ToStringBuilder.java
new file mode 100644
index 00000000000..886d59637f0
--- /dev/null
+++ b/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/builder/ToStringBuilder.java
@@ -0,0 +1,275 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.lang3.builder;
+
+
+public class ToStringBuilder implements Builder<String> {
+    public static ToStringStyle getDefaultStyle() {
+      return null;
+    }
+
+    public static void setDefaultStyle(final ToStringStyle style) {
+    }
+
+    public static String reflectionToString(final Object object) {
+      return null;
+    }
+
+    public static String reflectionToString(final Object object, final ToStringStyle style) {
+      return null;
+    }
+
+    public static String reflectionToString(final Object object, final ToStringStyle style, final boolean outputTransients) {
+      return null;
+    }
+
+    public static <T> String reflectionToString(
+        final T object,
+        final ToStringStyle style,
+        final boolean outputTransients,
+        final Class<? super T> reflectUpToClass) {
+      return null;
+    }
+
+    public ToStringBuilder(final Object object) {
+    }
+
+    public ToStringBuilder(final Object object, final ToStringStyle style) {
+    }
+
+    public ToStringBuilder(final Object object, ToStringStyle style, StringBuffer buffer) {
+    }
+
+    public ToStringBuilder append(final boolean value) {
+      return null;
+    }
+
+    public ToStringBuilder append(final boolean[] array) {
+      return null;
+    }
+
+    public ToStringBuilder append(final byte value) {
+      return null;
+    }
+
+    public ToStringBuilder append(final byte[] array) {
+      return null;
+    }
+
+    public ToStringBuilder append(final char value) {
+      return null;
+    }
+
+    public ToStringBuilder append(final char[] array) {
+      return null;
+    }
+
+    public ToStringBuilder append(final double value) {
+      return null;
+    }
+
+    public ToStringBuilder append(final double[] array) {
+      return null;
+    }
+
+    public ToStringBuilder append(final float value) {
+      return null;
+    }
+
+    public ToStringBuilder append(final float[] array) {
+      return null;
+    }
+
+    public ToStringBuilder append(final int value) {
+      return null;
+    }
+
+    public ToStringBuilder append(final int[] array) {
+      return null;
+    }
+
+    public ToStringBuilder append(final long value) {
+      return null;
+    }
+
+    public ToStringBuilder append(final long[] array) {
+      return null;
+    }
+
+    public ToStringBuilder append(final Object obj) {
+      return null;
+    }
+
+    public ToStringBuilder append(final Object[] array) {
+      return null;
+    }
+
+    public ToStringBuilder append(final short value) {
+      return null;
+    }
+
+    public ToStringBuilder append(final short[] array) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final boolean value) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final boolean[] array) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final boolean[] array, final boolean fullDetail) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final byte value) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final byte[] array) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final byte[] array, final boolean fullDetail) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final char value) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final char[] array) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final char[] array, final boolean fullDetail) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final double value) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final double[] array) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final double[] array, final boolean fullDetail) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final float value) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final float[] array) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final float[] array, final boolean fullDetail) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final int value) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final int[] array) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final int[] array, final boolean fullDetail) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final long value) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final long[] array) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final long[] array, final boolean fullDetail) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final Object obj) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final Object obj, final boolean fullDetail) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final Object[] array) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final Object[] array, final boolean fullDetail) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final short value) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final short[] array) {
+      return null;
+    }
+
+    public ToStringBuilder append(final String fieldName, final short[] array, final boolean fullDetail) {
+      return null;
+    }
+
+    public ToStringBuilder appendAsObjectToString(final Object srcObject) {
+      return null;
+    }
+
+    public ToStringBuilder appendSuper(final String superToString) {
+      return null;
+    }
+
+    public ToStringBuilder appendToString(final String toString) {
+      return null;
+    }
+
+    public Object getObject() {
+      return null;
+    }
+
+    public StringBuffer getStringBuffer() {
+      return null;
+    }
+
+    public ToStringStyle getStyle() {
+      return null;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    @Override
+    public String build() {
+      return null;
+    }
+
+}
diff --git a/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/builder/ToStringStyle.java b/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/builder/ToStringStyle.java
new file mode 100644
index 00000000000..eef4db08804
--- /dev/null
+++ b/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/builder/ToStringStyle.java
@@ -0,0 +1,102 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.lang3.builder;
+
+import java.io.Serializable;
+
+public abstract class ToStringStyle implements Serializable {
+    public static final ToStringStyle DEFAULT_STYLE = null;
+
+    public static final ToStringStyle MULTI_LINE_STYLE = null;
+
+    public static final ToStringStyle NO_FIELD_NAMES_STYLE = null;
+
+    public static final ToStringStyle SHORT_PREFIX_STYLE = null;
+
+    public static final ToStringStyle SIMPLE_STYLE = null;
+
+    public static final ToStringStyle NO_CLASS_NAME_STYLE = null;
+
+    public static final ToStringStyle JSON_STYLE = null;
+
+    public void appendSuper(final StringBuffer buffer, final String superToString) {
+    }
+
+    public void appendToString(final StringBuffer buffer, final String toString) {
+    }
+
+    public void appendStart(final StringBuffer buffer, final Object object) {
+    }
+
+    public void appendEnd(final StringBuffer buffer, final Object object) {
+    }
+
+    public void append(final StringBuffer buffer, final String fieldName, final Object value, final Boolean fullDetail) {
+    }
+
+    public void append(final StringBuffer buffer, final String fieldName, final long value) {
+    }
+
+    public void append(final StringBuffer buffer, final String fieldName, final int value) {
+    }
+
+    public void append(final StringBuffer buffer, final String fieldName, final short value) {
+    }
+
+    public void append(final StringBuffer buffer, final String fieldName, final byte value) {
+    }
+
+    public void append(final StringBuffer buffer, final String fieldName, final char value) {
+    }
+
+    public void append(final StringBuffer buffer, final String fieldName, final double value) {
+    }
+
+    public void append(final StringBuffer buffer, final String fieldName, final float value) {
+    }
+
+    public void append(final StringBuffer buffer, final String fieldName, final boolean value) {
+    }
+
+    public void append(final StringBuffer buffer, final String fieldName, final Object[] array, final Boolean fullDetail) {
+    }
+
+    public void append(final StringBuffer buffer, final String fieldName, final long[] array, final Boolean fullDetail) {
+    }
+
+    public void append(final StringBuffer buffer, final String fieldName, final int[] array, final Boolean fullDetail) {
+    }
+
+    public void append(final StringBuffer buffer, final String fieldName, final short[] array, final Boolean fullDetail) {
+    }
+
+    public void append(final StringBuffer buffer, final String fieldName, final byte[] array, final Boolean fullDetail) {
+    }
+
+    public void append(final StringBuffer buffer, final String fieldName, final char[] array, final Boolean fullDetail) {
+    }
+
+    public void append(final StringBuffer buffer, final String fieldName, final double[] array, final Boolean fullDetail) {
+    }
+
+    public void append(final StringBuffer buffer, final String fieldName, final float[] array, final Boolean fullDetail) {
+    }
+
+    public void append(final StringBuffer buffer, final String fieldName, final boolean[] array, final Boolean fullDetail) {
+    }
+
+}

From fce1d6122fa1ba2372d53595f76b026751e05643 Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Thu, 18 Mar 2021 09:09:16 +0000
Subject: [PATCH 0557/1429] Add change note

---
 java/change-notes/2021-03-18-commons-tostring-builder.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 java/change-notes/2021-03-18-commons-tostring-builder.md

diff --git a/java/change-notes/2021-03-18-commons-tostring-builder.md b/java/change-notes/2021-03-18-commons-tostring-builder.md
new file mode 100644
index 00000000000..41ccfb95237
--- /dev/null
+++ b/java/change-notes/2021-03-18-commons-tostring-builder.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added models for Apache Commons Lang's `ToStringBuilder` class. This may lead to more results from any data-flow query where ToStringBuilder operations fall between the relevant untrusted source and vulnerable sink.

From 874733a61b25d78af4e474aeb045f51ad7a0aa5f Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Wed, 21 Apr 2021 15:53:55 +0100
Subject: [PATCH 0558/1429] Argument -> specific Argument indices

---
 .../code/java/frameworks/apache/Lang.qll      | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
index 935b6347ec5..b87c7044216 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
@@ -643,26 +643,26 @@ private class ApacheToStringBuilderModel extends SummaryModelCsv {
     row =
       [
         "org.apache.commons.lang3.builder;ToStringBuilder;false;toString;;;Argument[-1];ReturnValue;taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.Object);;Argument;ReturnValue;taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.Object);;Argument;Argument[-1];taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.Object[]);;Argument;ReturnValue;taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.Object[]);;Argument;Argument[-1];taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[]);;Argument;ReturnValue;taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[]);;Argument;Argument[-1];taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.Object);;Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.Object);;Argument[0];Argument[-1];taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.Object[]);;Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.Object[]);;Argument[0];Argument[-1];taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[]);;Argument[0..1];ReturnValue;taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[]);;Argument[0..1];Argument[-1];taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,boolean);;Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,boolean);;Argument[0];Argument[-1];taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object);;Argument;ReturnValue;taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object);;Argument;Argument[-1];taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object);;Argument[0..1];ReturnValue;taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object);;Argument[0..1];Argument[-1];taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[],boolean);;Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[],boolean);;Argument[0];Argument[-1];taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[],boolean);;Argument[1];ReturnValue;taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[],boolean);;Argument[1];Argument[-1];taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;build;;;Argument[-1];ReturnValue;taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;getStringBuffer;;;Argument[-1];ReturnValue;taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;appendToString;;;Argument;ReturnValue;taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;appendToString;;;Argument;Argument[-1];taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;appendSuper;;;Argument;ReturnValue;taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;appendSuper;;;Argument;Argument[-1];taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;appendToString;;;Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;appendToString;;;Argument[0];Argument[-1];taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;appendSuper;;;Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;appendSuper;;;Argument[0];Argument[-1];taint",
         // The following are value-preserving steps for fluent methods:
         "org.apache.commons.lang3.builder;ToStringBuilder;false;append;;;Argument[-1];ReturnValue;value",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;appendAsObjectToString;;;Argument[-1];ReturnValue;value",

From 2c95b7539f8eeaffcee400a2ab8d730a1abbe312 Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Wed, 21 Apr 2021 15:57:09 +0100
Subject: [PATCH 0559/1429] Remove now-redundant steps

---
 .../src/semmle/code/java/frameworks/apache/Lang.qll  | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
index b87c7044216..7ff539ec041 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
@@ -643,25 +643,15 @@ private class ApacheToStringBuilderModel extends SummaryModelCsv {
     row =
       [
         "org.apache.commons.lang3.builder;ToStringBuilder;false;toString;;;Argument[-1];ReturnValue;taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.Object);;Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.Object);;Argument[0];Argument[-1];taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.Object[]);;Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.Object[]);;Argument[0];Argument[-1];taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[]);;Argument[0..1];ReturnValue;taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[]);;Argument[0..1];Argument[-1];taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,boolean);;Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,boolean);;Argument[0];Argument[-1];taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object);;Argument[0..1];ReturnValue;taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object);;Argument[0..1];Argument[-1];taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[],boolean);;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[],boolean);;Argument[0];Argument[-1];taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[],boolean);;Argument[1];ReturnValue;taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[],boolean);;Argument[1];Argument[-1];taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[],boolean);;Argument[0..1];Argument[-1];taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;build;;;Argument[-1];ReturnValue;taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;getStringBuffer;;;Argument[-1];ReturnValue;taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;appendToString;;;Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;appendToString;;;Argument[0];Argument[-1];taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;appendSuper;;;Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;appendSuper;;;Argument[0];Argument[-1];taint",
         // The following are value-preserving steps for fluent methods:
         "org.apache.commons.lang3.builder;ToStringBuilder;false;append;;;Argument[-1];ReturnValue;value",

From 76091f0f8db56886b9dd204b5a032132f0810605 Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Wed, 21 Apr 2021 15:58:41 +0100
Subject: [PATCH 0560/1429] Use ArrayElement accessor where needed

---
 java/ql/src/semmle/code/java/frameworks/apache/Lang.qll | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
index 7ff539ec041..516b3c5588e 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
@@ -644,11 +644,13 @@ private class ApacheToStringBuilderModel extends SummaryModelCsv {
       [
         "org.apache.commons.lang3.builder;ToStringBuilder;false;toString;;;Argument[-1];ReturnValue;taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.Object);;Argument[0];Argument[-1];taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.Object[]);;Argument[0];Argument[-1];taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[]);;Argument[0..1];Argument[-1];taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.Object[]);;ArrayElement of Argument[0];Argument[-1];taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[]);;Argument[0];Argument[-1];taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[]);;ArrayElement of Argument[1];Argument[-1];taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,boolean);;Argument[0];Argument[-1];taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object);;Argument[0..1];Argument[-1];taint",
-        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[],boolean);;Argument[0..1];Argument[-1];taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[],boolean);;Argument[0];Argument[-1];taint",
+        "org.apache.commons.lang3.builder;ToStringBuilder;false;append;(java.lang.String,java.lang.Object[],boolean);;ArrayElement of Argument[1];Argument[-1];taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;build;;;Argument[-1];ReturnValue;taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;getStringBuffer;;;Argument[-1];ReturnValue;taint",
         "org.apache.commons.lang3.builder;ToStringBuilder;false;appendToString;;;Argument[0];Argument[-1];taint",

From 0bc4b0421dcf66e25c2391f988d09e18a66c7ae5 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Wed, 21 Apr 2021 12:12:01 -0400
Subject: [PATCH 0561/1429] C++: Remove unnecessary cast

---
 .../ir/implementation/aliased_ssa/internal/AliasAnalysis.qll    | 2 +-
 .../ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll  | 2 +-
 .../ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
index b745554f8df..e26d61b9792 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
@@ -9,7 +9,7 @@ private class IntValue = Ints::IntValue;
  * effect. If `instr` is a `CallInstruction`, gets that same `CallInstruction`.
  */
 private CallInstruction getPrimaryCall(Instruction instr) {
-  result = instr.(CallInstruction)
+  result = instr
   or
   result = instr.(SideEffectInstruction).getPrimaryInstruction()
 }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index b745554f8df..e26d61b9792 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -9,7 +9,7 @@ private class IntValue = Ints::IntValue;
  * effect. If `instr` is a `CallInstruction`, gets that same `CallInstruction`.
  */
 private CallInstruction getPrimaryCall(Instruction instr) {
-  result = instr.(CallInstruction)
+  result = instr
   or
   result = instr.(SideEffectInstruction).getPrimaryInstruction()
 }
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index b745554f8df..e26d61b9792 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -9,7 +9,7 @@ private class IntValue = Ints::IntValue;
  * effect. If `instr` is a `CallInstruction`, gets that same `CallInstruction`.
  */
 private CallInstruction getPrimaryCall(Instruction instr) {
-  result = instr.(CallInstruction)
+  result = instr
   or
   result = instr.(SideEffectInstruction).getPrimaryInstruction()
 }

From c113cfd8b72a7002bf187a9c017429fa8dbde5e4 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Wed, 21 Apr 2021 21:13:07 +0100
Subject: [PATCH 0562/1429] JS: Autoformat

---
 .../dataflow/internal/FunctionWrapperSteps.qll      | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/FunctionWrapperSteps.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/FunctionWrapperSteps.qll
index c0f8b36e645..de4f9da6c16 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/internal/FunctionWrapperSteps.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/internal/FunctionWrapperSteps.qll
@@ -1,5 +1,4 @@
 private import javascript
-
 private import FlowSteps as FlowSteps
 private import semmle.javascript.internal.CachedStages
 
@@ -21,9 +20,7 @@ private module Cached {
   private module Stage {
     // Forces the module to be computed as part of the type-tracking stage.
     cached
-    predicate forceStage() {
-      Stages::TypeTracking::ref()
-    }
+    predicate forceStage() { Stages::TypeTracking::ref() }
   }
 
   /**
@@ -75,7 +72,9 @@ private module Cached {
     //   function wrap(f) { return (x, y) => f(x, y) };
     //
     // add steps through calls to that function: `g -> wrap(g)`
-    exists(DataFlow::FunctionNode wrapperFunction, DataFlow::SourceNode param, DataFlow::Node paramUse |
+    exists(
+      DataFlow::FunctionNode wrapperFunction, DataFlow::SourceNode param, DataFlow::Node paramUse
+    |
       FlowSteps::argumentPassing(succ, pred, wrapperFunction.getFunction(), param) and
       param.flowsTo(paramUse) and
       functionForwardingStep(paramUse, wrapperFunction.getReturnNode().getALocalSource())
@@ -133,7 +132,9 @@ private module Cached {
     //   function wrap(f) { return (x, y) => f(x, y) };
     //
     // add steps through calls to that function: `g -> wrap(g)`
-    exists(DataFlow::FunctionNode wrapperFunction, DataFlow::SourceNode param, DataFlow::Node paramUse |
+    exists(
+      DataFlow::FunctionNode wrapperFunction, DataFlow::SourceNode param, DataFlow::Node paramUse
+    |
       FlowSteps::argumentPassing(succ, pred, wrapperFunction.getFunction(), param) and
       param.flowsTo(paramUse) and
       functionOneWayForwardingStep(paramUse, wrapperFunction.getReturnNode().getALocalSource())

From bb7934b381fd216973ff9ccd85436ec929d7702c Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Wed, 21 Apr 2021 21:20:12 +0100
Subject: [PATCH 0563/1429] JS: Change note

---
 javascript/change-notes/2021-04-21-rate-limiting-fixes.md | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 javascript/change-notes/2021-04-21-rate-limiting-fixes.md

diff --git a/javascript/change-notes/2021-04-21-rate-limiting-fixes.md b/javascript/change-notes/2021-04-21-rate-limiting-fixes.md
new file mode 100644
index 00000000000..44328a7f59b
--- /dev/null
+++ b/javascript/change-notes/2021-04-21-rate-limiting-fixes.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Tracking of HTTP route handlers has improved, which may lead to additional
+  security results, and fewer false-positive results from the `js/missing-rate-limiting` query.
\ No newline at end of file

From e98bfe921e02668b8546e359ec698be084e309d2 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Wed, 21 Apr 2021 22:14:50 +0100
Subject: [PATCH 0564/1429] JS: QLDoc

---
 .../semmle/javascript/dataflow/internal/FunctionWrapperSteps.qll | 1 +
 1 file changed, 1 insertion(+)

diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/FunctionWrapperSteps.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/FunctionWrapperSteps.qll
index de4f9da6c16..1069833eeea 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/internal/FunctionWrapperSteps.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/internal/FunctionWrapperSteps.qll
@@ -1,3 +1,4 @@
+/** Provides predicates for tracking functions through wrapper functions. */
 private import javascript
 private import FlowSteps as FlowSteps
 private import semmle.javascript.internal.CachedStages

From 383210096c85c4e03b621e0c35e77b5ae1b69466 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Wed, 21 Apr 2021 18:09:44 -0400
Subject: [PATCH 0565/1429] C++: Isolate models from AST dataflow's
 reference/object conflation

`DataFlowFunction` models treat references a pointers - an explicit level of indirection. The AST dataflow library generally treats references as if they were the referred-to object. This commit removes a workaround in the dataflow model for unary `operator*` on smart pointers, and makes the AST dataflow library adjust the results of querying the model so that a returned reference only gets flow that was modeled as going to the dereference of the return value.

This fixes some missing flow in IR dataflow, and recovers some (presumably) missing reverse taint flow in AST taint tracking as well.
---
 .../cpp/dataflow/internal/DataFlowUtil.qll    |  7 +-
 .../dataflow/taint-tests/localTaint.expected  | 69 +++++++++++--------
 .../dataflow/taint-tests/smart_pointer.cpp    |  6 +-
 3 files changed, 49 insertions(+), 33 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
index 690f24fc59a..558b43cb0da 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -694,7 +694,12 @@ private predicate exprToExprStep_nocfg(Expr fromExpr, Expr toExpr) {
           fromExpr = call.getQualifier()
         ) and
         call.getTarget() = f and
-        outModel.isReturnValue()
+        // AST dataflow treats a reference as if it were the referred-to object, while the dataflow
+        // models treat references as pointers. If the return type of the call is a reference, then
+        // look for data flow the the referred-to object, rather than the reference itself.
+        if call.getType().getUnspecifiedType() instanceof ReferenceType
+        then outModel.isReturnValueDeref()
+        else outModel.isReturnValue()
       )
     )
 }
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
index b003dc5a12b..ce939661c92 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -3228,6 +3228,7 @@
 | smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:18:11:18:11 | p |  |
 | smart_pointer.cpp:17:32:17:54 | call to make_shared | smart_pointer.cpp:19:10:19:10 | p |  |
 | smart_pointer.cpp:18:10:18:10 | ref arg call to operator* | smart_pointer.cpp:18:11:18:11 | p [inner post update] |  |
+| smart_pointer.cpp:18:10:18:10 | ref arg call to operator* | smart_pointer.cpp:18:11:18:11 | ref arg p | TAINT |
 | smart_pointer.cpp:18:10:18:10 | ref arg call to operator* | smart_pointer.cpp:19:10:19:10 | p |  |
 | smart_pointer.cpp:18:11:18:11 | p | smart_pointer.cpp:18:10:18:10 | call to operator* | TAINT |
 | smart_pointer.cpp:18:11:18:11 | ref arg p | smart_pointer.cpp:18:11:18:11 | p [inner post update] |  |
@@ -3240,6 +3241,7 @@
 | smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:30:11:30:11 | p |  |
 | smart_pointer.cpp:29:32:29:54 | call to make_unique | smart_pointer.cpp:31:10:31:10 | p |  |
 | smart_pointer.cpp:30:10:30:10 | ref arg call to operator* | smart_pointer.cpp:30:11:30:11 | p [inner post update] |  |
+| smart_pointer.cpp:30:10:30:10 | ref arg call to operator* | smart_pointer.cpp:30:11:30:11 | ref arg p | TAINT |
 | smart_pointer.cpp:30:10:30:10 | ref arg call to operator* | smart_pointer.cpp:31:10:31:10 | p |  |
 | smart_pointer.cpp:30:11:30:11 | p | smart_pointer.cpp:30:10:30:10 | call to operator* | TAINT |
 | smart_pointer.cpp:30:11:30:11 | ref arg p | smart_pointer.cpp:30:11:30:11 | p [inner post update] |  |
@@ -3248,6 +3250,7 @@
 | smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:38:10:38:10 | p |  |
 | smart_pointer.cpp:35:30:35:50 | call to make_shared | smart_pointer.cpp:39:11:39:11 | p |  |
 | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:37:6:37:6 | p [inner post update] |  |
+| smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:37:6:37:6 | ref arg p | TAINT |
 | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:38:10:38:10 | p |  |
 | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] | smart_pointer.cpp:39:11:39:11 | p |  |
 | smart_pointer.cpp:37:5:37:17 | ... = ... | smart_pointer.cpp:37:5:37:5 | call to operator* [post update] |  |
@@ -3262,6 +3265,7 @@
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:46:10:46:10 | p |  |
 | smart_pointer.cpp:43:29:43:51 | call to unique_ptr | smart_pointer.cpp:47:11:47:11 | p |  |
 | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:45:6:45:6 | p [inner post update] |  |
+| smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:45:6:45:6 | ref arg p | TAINT |
 | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:46:10:46:10 | p |  |
 | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] | smart_pointer.cpp:47:11:47:11 | p |  |
 | smart_pointer.cpp:45:5:45:17 | ... = ... | smart_pointer.cpp:45:5:45:5 | call to operator* [post update] |  |
@@ -3291,6 +3295,7 @@
 | smart_pointer.cpp:70:37:70:39 | ptr | smart_pointer.cpp:71:4:71:6 | ptr |  |
 | smart_pointer.cpp:71:3:71:3 | call to operator* [post update] | smart_pointer.cpp:70:37:70:39 | ptr |  |
 | smart_pointer.cpp:71:3:71:3 | call to operator* [post update] | smart_pointer.cpp:71:4:71:6 | ptr [inner post update] |  |
+| smart_pointer.cpp:71:3:71:3 | call to operator* [post update] | smart_pointer.cpp:71:4:71:6 | ref arg ptr | TAINT |
 | smart_pointer.cpp:71:3:71:17 | ... = ... | smart_pointer.cpp:71:3:71:3 | call to operator* [post update] |  |
 | smart_pointer.cpp:71:4:71:6 | ptr | smart_pointer.cpp:71:3:71:3 | call to operator* |  |
 | smart_pointer.cpp:71:4:71:6 | ref arg ptr | smart_pointer.cpp:70:37:70:39 | ptr |  |
@@ -3371,6 +3376,7 @@
 | smart_pointer.cpp:120:48:120:50 | ptr | smart_pointer.cpp:121:4:121:6 | ptr |  |
 | smart_pointer.cpp:121:3:121:3 | call to operator* [post update] | smart_pointer.cpp:120:48:120:50 | ptr |  |
 | smart_pointer.cpp:121:3:121:3 | call to operator* [post update] | smart_pointer.cpp:121:4:121:6 | ptr [inner post update] |  |
+| smart_pointer.cpp:121:3:121:3 | call to operator* [post update] | smart_pointer.cpp:121:4:121:6 | ref arg ptr | TAINT |
 | smart_pointer.cpp:121:3:121:17 | ... = ... | smart_pointer.cpp:121:3:121:3 | call to operator* [post update] |  |
 | smart_pointer.cpp:121:4:121:6 | ptr | smart_pointer.cpp:121:3:121:3 | call to operator* |  |
 | smart_pointer.cpp:121:4:121:6 | ref arg ptr | smart_pointer.cpp:120:48:120:50 | ptr |  |
@@ -3394,9 +3400,11 @@
 | smart_pointer.cpp:126:10:126:10 | call to operator-> [post update] | smart_pointer.cpp:126:8:126:9 | ref arg p1 | TAINT |
 | smart_pointer.cpp:126:12:126:12 | q | smart_pointer.cpp:126:13:126:13 | call to operator-> |  |
 | smart_pointer.cpp:128:13:128:13 | call to operator* | smart_pointer.cpp:128:13:128:15 | call to shared_ptr | TAINT |
+| smart_pointer.cpp:128:13:128:13 | call to operator* [inner post update] | smart_pointer.cpp:128:14:128:15 | ref arg p2 | TAINT |
 | smart_pointer.cpp:128:13:128:13 | ref arg call to operator* | smart_pointer.cpp:124:90:124:91 | p2 |  |
 | smart_pointer.cpp:128:13:128:13 | ref arg call to operator* | smart_pointer.cpp:128:13:128:13 | call to operator* [inner post update] |  |
 | smart_pointer.cpp:128:13:128:13 | ref arg call to operator* | smart_pointer.cpp:128:14:128:15 | p2 [inner post update] |  |
+| smart_pointer.cpp:128:13:128:13 | ref arg call to operator* | smart_pointer.cpp:128:14:128:15 | ref arg p2 | TAINT |
 | smart_pointer.cpp:128:13:128:13 | ref arg call to operator* | smart_pointer.cpp:129:10:129:11 | p2 |  |
 | smart_pointer.cpp:128:13:128:15 | ref arg call to shared_ptr | smart_pointer.cpp:124:90:124:91 | p2 |  |
 | smart_pointer.cpp:128:13:128:15 | ref arg call to shared_ptr | smart_pointer.cpp:128:13:128:13 | call to operator* [inner post update] |  |
@@ -3409,6 +3417,7 @@
 | smart_pointer.cpp:129:9:129:9 | call to operator* | smart_pointer.cpp:129:8:129:8 | call to operator* | TAINT |
 | smart_pointer.cpp:129:9:129:9 | ref arg call to operator* | smart_pointer.cpp:124:90:124:91 | p2 |  |
 | smart_pointer.cpp:129:9:129:9 | ref arg call to operator* | smart_pointer.cpp:129:10:129:11 | p2 [inner post update] |  |
+| smart_pointer.cpp:129:9:129:9 | ref arg call to operator* | smart_pointer.cpp:129:10:129:11 | ref arg p2 | TAINT |
 | smart_pointer.cpp:129:10:129:11 | p2 | smart_pointer.cpp:129:8:129:8 | call to operator* |  |
 | smart_pointer.cpp:129:10:129:11 | p2 | smart_pointer.cpp:129:9:129:9 | call to operator* | TAINT |
 | smart_pointer.cpp:129:10:129:11 | ref arg p2 | smart_pointer.cpp:124:90:124:91 | p2 |  |
@@ -3429,6 +3438,7 @@
 | smart_pointer.cpp:134:12:134:12 | q | smart_pointer.cpp:134:13:134:13 | call to operator-> |  |
 | smart_pointer.cpp:136:17:136:17 | ref arg call to operator* | smart_pointer.cpp:132:95:132:96 | p2 |  |
 | smart_pointer.cpp:136:17:136:17 | ref arg call to operator* | smart_pointer.cpp:136:18:136:19 | p2 [inner post update] |  |
+| smart_pointer.cpp:136:17:136:17 | ref arg call to operator* | smart_pointer.cpp:136:18:136:19 | ref arg p2 | TAINT |
 | smart_pointer.cpp:136:17:136:17 | ref arg call to operator* | smart_pointer.cpp:137:10:137:11 | p2 |  |
 | smart_pointer.cpp:136:18:136:19 | p2 | smart_pointer.cpp:136:17:136:17 | call to operator* | TAINT |
 | smart_pointer.cpp:136:18:136:19 | ref arg p2 | smart_pointer.cpp:132:95:132:96 | p2 |  |
@@ -3437,6 +3447,7 @@
 | smart_pointer.cpp:137:9:137:9 | call to operator* | smart_pointer.cpp:137:8:137:8 | call to operator* | TAINT |
 | smart_pointer.cpp:137:9:137:9 | ref arg call to operator* | smart_pointer.cpp:132:95:132:96 | p2 |  |
 | smart_pointer.cpp:137:9:137:9 | ref arg call to operator* | smart_pointer.cpp:137:10:137:11 | p2 [inner post update] |  |
+| smart_pointer.cpp:137:9:137:9 | ref arg call to operator* | smart_pointer.cpp:137:10:137:11 | ref arg p2 | TAINT |
 | smart_pointer.cpp:137:10:137:11 | p2 | smart_pointer.cpp:137:8:137:8 | call to operator* |  |
 | smart_pointer.cpp:137:10:137:11 | p2 | smart_pointer.cpp:137:9:137:9 | call to operator* | TAINT |
 | smart_pointer.cpp:137:10:137:11 | ref arg p2 | smart_pointer.cpp:132:95:132:96 | p2 |  |
@@ -3532,13 +3543,13 @@
 | standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:120:2:120:3 | it |  |
 | standalone_iterators.cpp:116:10:116:14 | call to begin | standalone_iterators.cpp:121:7:121:8 | it |  |
 | standalone_iterators.cpp:117:7:117:8 | it [post update] | standalone_iterators.cpp:122:7:122:8 | c1 |  |
-| standalone_iterators.cpp:118:2:118:3 | it | standalone_iterators.cpp:118:5:118:5 | call to operator+= |  |
+| standalone_iterators.cpp:118:2:118:3 | it | standalone_iterators.cpp:118:5:118:5 | call to operator+= | TAINT |
 | standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:119:7:119:8 | it |  |
 | standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:120:2:120:3 | it |  |
 | standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:121:7:121:8 | it |  |
 | standalone_iterators.cpp:118:2:118:3 | ref arg it | standalone_iterators.cpp:122:7:122:8 | c1 |  |
 | standalone_iterators.cpp:118:8:118:8 | 1 | standalone_iterators.cpp:118:2:118:3 | ref arg it | TAINT |
-| standalone_iterators.cpp:120:2:120:3 | it | standalone_iterators.cpp:120:5:120:5 | call to operator+= |  |
+| standalone_iterators.cpp:120:2:120:3 | it | standalone_iterators.cpp:120:5:120:5 | call to operator+= | TAINT |
 | standalone_iterators.cpp:120:2:120:3 | ref arg it | standalone_iterators.cpp:121:7:121:8 | it |  |
 | standalone_iterators.cpp:120:8:120:13 | call to source | standalone_iterators.cpp:120:2:120:3 | ref arg it | TAINT |
 | stl.h:75:8:75:8 | Unknown literal | stl.h:75:8:75:8 | constructor init of field container | TAINT |
@@ -3655,12 +3666,12 @@
 | stl.h:402:95:402:95 | y | stl.h:403:79:403:79 | y |  |
 | stl.h:402:95:402:95 | y | stl.h:403:79:403:79 | y |  |
 | stl.h:402:95:402:95 | y | stl.h:403:79:403:79 | y |  |
-| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward |  |
-| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward |  |
-| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward |  |
-| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward |  |
-| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward |  |
-| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward |  |
+| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward | TAINT |
+| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward | TAINT |
+| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward | TAINT |
+| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward | TAINT |
+| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward | TAINT |
+| stl.h:403:58:403:58 | x | stl.h:403:41:403:56 | call to forward | TAINT |
 | stl.h:403:62:403:77 | call to forward | stl.h:403:3:403:82 | call to pair | TAINT |
 | stl.h:403:62:403:77 | call to forward | stl.h:403:3:403:82 | call to pair | TAINT |
 | stl.h:403:62:403:77 | call to forward | stl.h:403:3:403:82 | call to pair | TAINT |
@@ -3673,12 +3684,12 @@
 | stl.h:403:79:403:79 | y | stl.h:403:3:403:82 | call to pair | TAINT |
 | stl.h:403:79:403:79 | y | stl.h:403:3:403:82 | call to pair | TAINT |
 | stl.h:403:79:403:79 | y | stl.h:403:3:403:82 | call to pair | TAINT |
-| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward |  |
-| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward |  |
-| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward |  |
-| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward |  |
-| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward |  |
-| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward |  |
+| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward | TAINT |
+| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward | TAINT |
+| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward | TAINT |
+| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward | TAINT |
+| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward | TAINT |
+| stl.h:403:79:403:79 | y | stl.h:403:62:403:77 | call to forward | TAINT |
 | string.cpp:25:12:25:17 | call to source | string.cpp:29:7:29:7 | a |  |
 | string.cpp:26:16:26:20 | 123 | string.cpp:26:16:26:21 | call to basic_string | TAINT |
 | string.cpp:26:16:26:21 | call to basic_string | string.cpp:30:7:30:7 | b |  |
@@ -4231,13 +4242,13 @@
 | string.cpp:407:9:407:10 | i6 | string.cpp:407:8:407:8 | call to operator* | TAINT |
 | string.cpp:408:8:408:9 | i2 | string.cpp:408:3:408:9 | ... = ... |  |
 | string.cpp:408:8:408:9 | i2 | string.cpp:409:10:409:11 | i7 |  |
-| string.cpp:409:10:409:11 | i7 | string.cpp:409:12:409:12 | call to operator+= |  |
+| string.cpp:409:10:409:11 | i7 | string.cpp:409:12:409:12 | call to operator+= | TAINT |
 | string.cpp:409:12:409:12 | call to operator+= | string.cpp:409:8:409:8 | call to operator* | TAINT |
 | string.cpp:409:12:409:12 | ref arg call to operator+= | string.cpp:409:10:409:11 | ref arg i7 | TAINT |
 | string.cpp:409:14:409:14 | 1 | string.cpp:409:10:409:11 | ref arg i7 | TAINT |
 | string.cpp:410:8:410:9 | i2 | string.cpp:410:3:410:9 | ... = ... |  |
 | string.cpp:410:8:410:9 | i2 | string.cpp:411:10:411:11 | i8 |  |
-| string.cpp:411:10:411:11 | i8 | string.cpp:411:12:411:12 | call to operator-= |  |
+| string.cpp:411:10:411:11 | i8 | string.cpp:411:12:411:12 | call to operator-= | TAINT |
 | string.cpp:411:12:411:12 | call to operator-= | string.cpp:411:8:411:8 | call to operator* | TAINT |
 | string.cpp:411:12:411:12 | ref arg call to operator-= | string.cpp:411:10:411:11 | ref arg i8 | TAINT |
 | string.cpp:411:14:411:14 | 1 | string.cpp:411:10:411:11 | ref arg i8 | TAINT |
@@ -4652,7 +4663,7 @@
 | stringstream.cpp:33:7:33:9 | ref arg ss3 | stringstream.cpp:39:7:39:9 | ss3 |  |
 | stringstream.cpp:33:7:33:9 | ref arg ss3 | stringstream.cpp:44:7:44:9 | ss3 |  |
 | stringstream.cpp:33:7:33:9 | ss3 | stringstream.cpp:33:11:33:11 | call to operator<< |  |
-| stringstream.cpp:33:11:33:11 | call to operator<< | stringstream.cpp:33:20:33:20 | call to operator<< |  |
+| stringstream.cpp:33:11:33:11 | call to operator<< | stringstream.cpp:33:20:33:20 | call to operator<< | TAINT |
 | stringstream.cpp:33:11:33:11 | ref arg call to operator<< | stringstream.cpp:33:7:33:9 | ref arg ss3 | TAINT |
 | stringstream.cpp:33:14:33:18 | 123 | stringstream.cpp:33:7:33:9 | ref arg ss3 | TAINT |
 | stringstream.cpp:33:14:33:18 | 123 | stringstream.cpp:33:11:33:11 | call to operator<< | TAINT |
@@ -4661,7 +4672,7 @@
 | stringstream.cpp:34:7:34:9 | ref arg ss4 | stringstream.cpp:40:7:40:9 | ss4 |  |
 | stringstream.cpp:34:7:34:9 | ref arg ss4 | stringstream.cpp:45:7:45:9 | ss4 |  |
 | stringstream.cpp:34:7:34:9 | ss4 | stringstream.cpp:34:11:34:11 | call to operator<< |  |
-| stringstream.cpp:34:11:34:11 | call to operator<< | stringstream.cpp:34:23:34:23 | call to operator<< |  |
+| stringstream.cpp:34:11:34:11 | call to operator<< | stringstream.cpp:34:23:34:23 | call to operator<< | TAINT |
 | stringstream.cpp:34:11:34:11 | ref arg call to operator<< | stringstream.cpp:34:7:34:9 | ref arg ss4 | TAINT |
 | stringstream.cpp:34:14:34:19 | call to source | stringstream.cpp:34:7:34:9 | ref arg ss4 | TAINT |
 | stringstream.cpp:34:14:34:19 | call to source | stringstream.cpp:34:11:34:11 | call to operator<< | TAINT |
@@ -4942,7 +4953,7 @@
 | stringstream.cpp:147:7:147:9 | ref arg ss2 | stringstream.cpp:179:7:179:9 | ss2 |  |
 | stringstream.cpp:147:7:147:9 | ss2 | stringstream.cpp:147:11:147:11 | call to operator>> |  |
 | stringstream.cpp:147:7:147:9 | ss2 | stringstream.cpp:147:14:147:15 | ref arg s3 | TAINT |
-| stringstream.cpp:147:11:147:11 | call to operator>> | stringstream.cpp:147:17:147:17 | call to operator>> |  |
+| stringstream.cpp:147:11:147:11 | call to operator>> | stringstream.cpp:147:17:147:17 | call to operator>> | TAINT |
 | stringstream.cpp:147:11:147:11 | call to operator>> | stringstream.cpp:147:20:147:21 | ref arg s4 | TAINT |
 | stringstream.cpp:147:11:147:11 | ref arg call to operator>> | stringstream.cpp:147:7:147:9 | ref arg ss2 | TAINT |
 | stringstream.cpp:147:14:147:15 | ref arg s3 | stringstream.cpp:150:7:150:8 | s3 |  |
@@ -4974,7 +4985,7 @@
 | stringstream.cpp:155:7:155:9 | ref arg ss2 | stringstream.cpp:179:7:179:9 | ss2 |  |
 | stringstream.cpp:155:7:155:9 | ss2 | stringstream.cpp:155:11:155:11 | call to operator>> |  |
 | stringstream.cpp:155:7:155:9 | ss2 | stringstream.cpp:155:14:155:15 | ref arg b3 | TAINT |
-| stringstream.cpp:155:11:155:11 | call to operator>> | stringstream.cpp:155:17:155:17 | call to operator>> |  |
+| stringstream.cpp:155:11:155:11 | call to operator>> | stringstream.cpp:155:17:155:17 | call to operator>> | TAINT |
 | stringstream.cpp:155:11:155:11 | call to operator>> | stringstream.cpp:155:20:155:21 | ref arg b4 | TAINT |
 | stringstream.cpp:155:11:155:11 | ref arg call to operator>> | stringstream.cpp:155:7:155:9 | ref arg ss2 | TAINT |
 | stringstream.cpp:155:14:155:15 | ref arg b3 | stringstream.cpp:158:7:158:8 | b3 |  |
@@ -5296,7 +5307,7 @@
 | stringstream.cpp:245:15:245:17 | ss1 | stringstream.cpp:245:7:245:13 | call to getline |  |
 | stringstream.cpp:245:15:245:17 | ss1 | stringstream.cpp:245:20:245:21 | ref arg s6 | TAINT |
 | stringstream.cpp:245:20:245:21 | ref arg s6 | stringstream.cpp:248:7:248:8 | s6 |  |
-| stringstream.cpp:250:15:250:21 | call to getline | stringstream.cpp:250:7:250:13 | call to getline |  |
+| stringstream.cpp:250:15:250:21 | call to getline | stringstream.cpp:250:7:250:13 | call to getline | TAINT |
 | stringstream.cpp:250:15:250:21 | call to getline | stringstream.cpp:250:33:250:34 | ref arg s8 | TAINT |
 | stringstream.cpp:250:15:250:21 | ref arg call to getline | stringstream.cpp:250:23:250:25 | ref arg ss2 | TAINT |
 | stringstream.cpp:250:23:250:25 | ss2 | stringstream.cpp:250:15:250:21 | call to getline |  |
@@ -5500,7 +5511,7 @@
 | swap1.cpp:100:9:100:17 | ref arg call to move | swap1.cpp:103:10:103:10 | x |  |
 | swap1.cpp:100:19:100:19 | x | swap1.cpp:100:5:100:5 | ref arg y | TAINT |
 | swap1.cpp:100:19:100:19 | x | swap1.cpp:100:7:100:7 | call to operator= | TAINT |
-| swap1.cpp:100:19:100:19 | x | swap1.cpp:100:9:100:17 | call to move |  |
+| swap1.cpp:100:19:100:19 | x | swap1.cpp:100:9:100:17 | call to move | TAINT |
 | swap1.cpp:108:23:108:31 | move_from | swap1.cpp:109:5:109:13 | move_from |  |
 | swap1.cpp:108:23:108:31 | move_from | swap1.cpp:111:10:111:18 | move_from |  |
 | swap1.cpp:108:23:108:31 | move_from | swap1.cpp:113:41:113:49 | move_from |  |
@@ -5513,7 +5524,7 @@
 | swap1.cpp:113:31:113:39 | call to move | swap1.cpp:113:31:113:51 | call to Class | TAINT |
 | swap1.cpp:113:31:113:39 | ref arg call to move | swap1.cpp:113:41:113:49 | move_from [inner post update] |  |
 | swap1.cpp:113:31:113:51 | call to Class | swap1.cpp:115:10:115:16 | move_to |  |
-| swap1.cpp:113:41:113:49 | move_from | swap1.cpp:113:31:113:39 | call to move |  |
+| swap1.cpp:113:41:113:49 | move_from | swap1.cpp:113:31:113:39 | call to move | TAINT |
 | swap1.cpp:113:41:113:49 | move_from | swap1.cpp:113:31:113:51 | call to Class |  |
 | swap1.cpp:120:23:120:23 | x | swap1.cpp:122:5:122:5 | x |  |
 | swap1.cpp:120:23:120:23 | x | swap1.cpp:124:10:124:10 | x |  |
@@ -5547,7 +5558,7 @@
 | swap1.cpp:142:5:142:5 | ref arg y | swap1.cpp:144:10:144:10 | y |  |
 | swap1.cpp:142:19:142:27 | ref arg call to move | swap1.cpp:142:29:142:29 | x [inner post update] |  |
 | swap1.cpp:142:19:142:27 | ref arg call to move | swap1.cpp:145:10:145:10 | x |  |
-| swap1.cpp:142:29:142:29 | x | swap1.cpp:142:19:142:27 | call to move |  |
+| swap1.cpp:142:29:142:29 | x | swap1.cpp:142:19:142:27 | call to move | TAINT |
 | swap2.cpp:14:17:14:17 | t | swap2.cpp:14:17:14:17 | t |  |
 | swap2.cpp:14:17:14:17 | t | swap2.cpp:14:17:14:17 | t |  |
 | swap2.cpp:14:17:14:17 | t | swap2.cpp:14:56:14:56 | t |  |
@@ -5679,7 +5690,7 @@
 | swap2.cpp:100:9:100:17 | ref arg call to move | swap2.cpp:103:10:103:10 | x |  |
 | swap2.cpp:100:19:100:19 | x | swap2.cpp:100:5:100:5 | ref arg y | TAINT |
 | swap2.cpp:100:19:100:19 | x | swap2.cpp:100:7:100:7 | call to operator= | TAINT |
-| swap2.cpp:100:19:100:19 | x | swap2.cpp:100:9:100:17 | call to move |  |
+| swap2.cpp:100:19:100:19 | x | swap2.cpp:100:9:100:17 | call to move | TAINT |
 | swap2.cpp:108:23:108:31 | move_from | swap2.cpp:109:5:109:13 | move_from |  |
 | swap2.cpp:108:23:108:31 | move_from | swap2.cpp:111:10:111:18 | move_from |  |
 | swap2.cpp:108:23:108:31 | move_from | swap2.cpp:113:41:113:49 | move_from |  |
@@ -5692,7 +5703,7 @@
 | swap2.cpp:113:31:113:39 | call to move | swap2.cpp:113:31:113:51 | call to Class | TAINT |
 | swap2.cpp:113:31:113:39 | ref arg call to move | swap2.cpp:113:41:113:49 | move_from [inner post update] |  |
 | swap2.cpp:113:31:113:51 | call to Class | swap2.cpp:115:10:115:16 | move_to |  |
-| swap2.cpp:113:41:113:49 | move_from | swap2.cpp:113:31:113:39 | call to move |  |
+| swap2.cpp:113:41:113:49 | move_from | swap2.cpp:113:31:113:39 | call to move | TAINT |
 | swap2.cpp:113:41:113:49 | move_from | swap2.cpp:113:31:113:51 | call to Class |  |
 | swap2.cpp:120:23:120:23 | x | swap2.cpp:122:5:122:5 | x |  |
 | swap2.cpp:120:23:120:23 | x | swap2.cpp:124:10:124:10 | x |  |
@@ -5726,7 +5737,7 @@
 | swap2.cpp:142:5:142:5 | ref arg y | swap2.cpp:144:10:144:10 | y |  |
 | swap2.cpp:142:19:142:27 | ref arg call to move | swap2.cpp:142:29:142:29 | x [inner post update] |  |
 | swap2.cpp:142:19:142:27 | ref arg call to move | swap2.cpp:145:10:145:10 | x |  |
-| swap2.cpp:142:29:142:29 | x | swap2.cpp:142:19:142:27 | call to move |  |
+| swap2.cpp:142:29:142:29 | x | swap2.cpp:142:19:142:27 | call to move | TAINT |
 | taint.cpp:4:27:4:33 | source1 | taint.cpp:6:13:6:19 | source1 |  |
 | taint.cpp:4:40:4:45 | clean1 | taint.cpp:5:8:5:13 | clean1 |  |
 | taint.cpp:4:40:4:45 | clean1 | taint.cpp:6:3:6:8 | clean1 |  |
@@ -7950,7 +7961,7 @@
 | vector.cpp:527:9:527:10 | ref arg it | vector.cpp:529:9:529:10 | it |  |
 | vector.cpp:527:9:527:10 | ref arg it | vector.cpp:530:3:530:4 | it |  |
 | vector.cpp:527:9:527:10 | ref arg it | vector.cpp:531:9:531:10 | it |  |
-| vector.cpp:528:3:528:4 | it | vector.cpp:528:6:528:6 | call to operator+= |  |
+| vector.cpp:528:3:528:4 | it | vector.cpp:528:6:528:6 | call to operator+= | TAINT |
 | vector.cpp:528:3:528:4 | ref arg it | vector.cpp:529:9:529:10 | it |  |
 | vector.cpp:528:3:528:4 | ref arg it | vector.cpp:530:3:530:4 | it |  |
 | vector.cpp:528:3:528:4 | ref arg it | vector.cpp:531:9:531:10 | it |  |
@@ -7958,7 +7969,7 @@
 | vector.cpp:529:9:529:10 | it | vector.cpp:529:8:529:8 | call to operator* | TAINT |
 | vector.cpp:529:9:529:10 | ref arg it | vector.cpp:530:3:530:4 | it |  |
 | vector.cpp:529:9:529:10 | ref arg it | vector.cpp:531:9:531:10 | it |  |
-| vector.cpp:530:3:530:4 | it | vector.cpp:530:6:530:6 | call to operator+= |  |
+| vector.cpp:530:3:530:4 | it | vector.cpp:530:6:530:6 | call to operator+= | TAINT |
 | vector.cpp:530:3:530:4 | ref arg it | vector.cpp:531:9:531:10 | it |  |
 | vector.cpp:530:9:530:14 | call to source | vector.cpp:530:3:530:4 | ref arg it | TAINT |
 | vector.cpp:531:9:531:10 | it | vector.cpp:531:8:531:8 | call to operator* | TAINT |
diff --git a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
index 39cff39e3ed..28e44779009 100644
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/smart_pointer.cpp
@@ -9,7 +9,7 @@ template<typename T> void sink(std::unique_ptr<T>&);
 
 void test_make_shared() {
     std::shared_ptr<int> p = std::make_shared<int>(source());
-    sink(*p); // $ ast MISSING: ir
+    sink(*p); // $ ast,ir
     sink(p); // $ ast,ir
 }
 
@@ -21,7 +21,7 @@ void test_make_shared_array() {
 
 void test_make_unique() {
     std::unique_ptr<int> p = std::make_unique<int>(source());
-    sink(*p); // $ ast MISSING: ir
+    sink(*p); // $ ast,ir
     sink(p); // $ ast,ir
 }
 
@@ -101,7 +101,7 @@ void taint_x(A* pa) {
 void reverse_taint_smart_pointer() {
   std::unique_ptr<A> p = std::unique_ptr<A>(new A);
   taint_x(p.get());
-  sink(p->x); // $ ast MISSING: ir
+  sink(p->x); // $ ast,ir
 }
 
 struct C {

From fe8deeaf6ba4915c0390c4dda3ba223a0f0aee8a Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Wed, 21 Apr 2021 23:13:57 +0100
Subject: [PATCH 0566/1429] JS: Autoformat

---
 .../semmle/javascript/dataflow/internal/FunctionWrapperSteps.qll | 1 +
 1 file changed, 1 insertion(+)

diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/FunctionWrapperSteps.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/FunctionWrapperSteps.qll
index 1069833eeea..dda1ac7ae34 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/internal/FunctionWrapperSteps.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/internal/FunctionWrapperSteps.qll
@@ -1,4 +1,5 @@
 /** Provides predicates for tracking functions through wrapper functions. */
+
 private import javascript
 private import FlowSteps as FlowSteps
 private import semmle.javascript.internal.CachedStages

From cac1bef6ea6c72631e8e74b50af900c9e1c70f91 Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Wed, 21 Apr 2021 11:58:14 -0700
Subject: [PATCH 0567/1429] C++: deprecate cpp/return-stack-allocated-object

---
 cpp/change-notes/2021-04-21-return-stack-allocated-object.md | 2 ++
 cpp/ql/src/Critical/ReturnStackAllocatedObject.ql            | 2 ++
 2 files changed, 4 insertions(+)
 create mode 100644 cpp/change-notes/2021-04-21-return-stack-allocated-object.md

diff --git a/cpp/change-notes/2021-04-21-return-stack-allocated-object.md b/cpp/change-notes/2021-04-21-return-stack-allocated-object.md
new file mode 100644
index 00000000000..1876f4cf5f7
--- /dev/null
+++ b/cpp/change-notes/2021-04-21-return-stack-allocated-object.md
@@ -0,0 +1,2 @@
+codescanning
+* The 'Pointer to stack object used as return value' (cpp/return-stack-allocated-object) query has been deprecated, and any uses should be replaced with `Returning stack-allocated memory` (cpp/return-stack-allocated-memory).
\ No newline at end of file
diff --git a/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql b/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
index 353e51daa71..e3873e487dd 100644
--- a/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
+++ b/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
@@ -7,6 +7,8 @@
  * @tags reliability
  *       security
  *       external/cwe/cwe-562
+ * @deprecated This query is not suitable for production use and has been deprecated. Use
+ *             cpp/return-stack-allocated-memory instead.
  */
 
 import semmle.code.cpp.pointsto.PointsTo

From 454324781d6115cbff7eb1f90a2d1bb2d99a9fd4 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Thu, 22 Apr 2021 11:59:33 +0800
Subject: [PATCH 0568/1429] delete IfStmt

---
 .../CWE/CWE-348/UseOfLessTrustedSource.ql     |  8 --
 .../CWE/CWE-348/UseOfLessTrustedSourceLib.qll | 97 +++++++++----------
 .../CWE-348/UseOfLessTrustedSource.expected   |  6 +-
 3 files changed, 48 insertions(+), 63 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
index e1d2a28c939..3c1d2a33ec1 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
@@ -36,14 +36,6 @@ class UseOfLessTrustedSourceConfig extends TaintTracking::Configuration {
       not aa.getIndexExpr().(CompileTimeConstantExpr).getIntValue() = 0
     )
   }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node prod, DataFlow::Node succ) {
-    exists(MethodAccess ma |
-      ma.getAnArgument() = prod.asExpr() and
-      ma = succ.asExpr() and
-      ma.getMethod().getReturnType() instanceof BooleanType
-    )
-  }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, UseOfLessTrustedSourceConfig conf
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
index fa9ec4da9bb..29baa90875c 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
@@ -27,66 +27,59 @@ class UseOfLessTrustedSource extends DataFlow::Node {
 abstract class UseOfLessTrustedSink extends DataFlow::Node { }
 
 /**
- * A data flow sink for the if condition, which does not include the null judgment of the remote client ip address.
+ * A data flow sink for remote client ip comparison.
  *
  * For example: `if (!StringUtils.startsWith(ipAddr, "192.168.")){...` determine whether the client ip starts
  * with `192.168.`, and the program can be deceived by forging the ip address.
- * `if (remoteAddr == null || "".equals(remoteAddr)) {...` judging whether the client ip is a null value,
- * it needs to be excluded
  */
-private class IfConditionSink extends UseOfLessTrustedSink {
-  IfConditionSink() {
-    exists(IfStmt is |
-      is.getCondition() = this.asExpr() and
+private class CompareSink extends UseOfLessTrustedSink {
+  CompareSink() {
+    exists(MethodAccess ma |
+      ma.getMethod().getName() in ["equals", "equalsIgnoreCase"] and
+      ma.getMethod().getDeclaringType() instanceof TypeString and
+      ma.getMethod().getNumberOfParameters() = 1 and
       (
-        exists(MethodAccess ma |
-          ma.getMethod().getName() in ["equals", "equalsIgnoreCase"] and
-          ma.getMethod().getDeclaringType() instanceof TypeString and
-          ma.getMethod().getNumberOfParameters() = 1 and
-          not ma.getQualifier().(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
-              "", "unknown", ":"
-            ] and
-          not ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
-              "", "unknown", ":"
-            ] and
-          is.getCondition() = ma.getParent*()
-        )
+        ma.getArgument(0) = this.asExpr() and
+        not ma.getQualifier().(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
+            "", "unknown", ":"
+          ]
         or
-        exists(MethodAccess ma |
-          ma.getMethod().hasName("contains") and
-          ma.getMethod().getDeclaringType() instanceof TypeString and
-          ma.getMethod().getNumberOfParameters() = 1 and
-          ma.getAnArgument().(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
-              "", "unknown"
-            ] and
-          is.getCondition() = ma.getParent*()
-        )
-        or
-        exists(MethodAccess ma |
-          ma.getMethod().hasName("startsWith") and
-          ma.getMethod()
-              .getDeclaringType()
-              .hasQualifiedName(["org.apache.commons.lang3", "org.apache.commons.lang"],
-                "StringUtils") and
-          ma.getMethod().getNumberOfParameters() = 2 and
-          ma.getAnArgument().(CompileTimeConstantExpr).getStringValue() != "" and
-          is.getCondition() = ma.getParent*()
-        )
-        or
-        exists(MethodAccess ma |
-          ma.getMethod().getName() in ["equals", "equalsIgnoreCase"] and
-          ma.getMethod()
-              .getDeclaringType()
-              .hasQualifiedName(["org.apache.commons.lang3", "org.apache.commons.lang"],
-                "StringUtils") and
-          ma.getMethod().getNumberOfParameters() = 2 and
-          not ma.getAnArgument().(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
-              "", "unknown", ":"
-            ] and
-          is.getCondition() = ma.getParent*()
-        )
+        ma.getQualifier() = this.asExpr() and
+        not ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
+            "", "unknown", ":"
+          ]
       )
     )
+    or
+    exists(MethodAccess ma |
+      ma.getMethod().hasName("contains") and
+      ma.getMethod().getDeclaringType() instanceof TypeString and
+      ma.getMethod().getNumberOfParameters() = 1 and
+      ma.getQualifier() = this.asExpr() and
+      ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in ["", "unknown"]
+    )
+    or
+    exists(MethodAccess ma, int i |
+      ma.getMethod().hasName("startsWith") and
+      ma.getMethod()
+          .getDeclaringType()
+          .hasQualifiedName(["org.apache.commons.lang3", "org.apache.commons.lang"], "StringUtils") and
+      ma.getMethod().getNumberOfParameters() = 2 and
+      ma.getArgument(i) = this.asExpr() and
+      ma.getArgument(1 - i).(CompileTimeConstantExpr).getStringValue() != ""
+    )
+    or
+    exists(MethodAccess ma, int i |
+      ma.getMethod().getName() in ["equals", "equalsIgnoreCase"] and
+      ma.getMethod()
+          .getDeclaringType()
+          .hasQualifiedName(["org.apache.commons.lang3", "org.apache.commons.lang"], "StringUtils") and
+      ma.getMethod().getNumberOfParameters() = 2 and
+      ma.getArgument(i) = this.asExpr() and
+      not ma.getArgument(1 - i).(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
+          "", "unknown", ":"
+        ]
+    )
   }
 }
 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected
index 65bbc8d218b..1ece0b21ee0 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected
@@ -11,7 +11,7 @@ edges
 | UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
 | UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | UseOfLessTrustedSource.java:42:58:42:59 | ip |
 | UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
-| UseOfLessTrustedSource.java:53:21:53:33 | getClientIP(...) : String | UseOfLessTrustedSource.java:54:13:54:51 | !... |
+| UseOfLessTrustedSource.java:53:21:53:33 | getClientIP(...) : String | UseOfLessTrustedSource.java:54:37:54:38 | ip |
 | UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) : String | UseOfLessTrustedSource.java:78:16:78:37 | ...[...] : String |
 | UseOfLessTrustedSource.java:78:16:78:37 | ...[...] : String | UseOfLessTrustedSource.java:53:21:53:33 | getClientIP(...) : String |
 nodes
@@ -29,7 +29,7 @@ nodes
 | UseOfLessTrustedSource.java:42:58:42:59 | ip | semmle.label | ip |
 | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | semmle.label | ... + ... |
 | UseOfLessTrustedSource.java:53:21:53:33 | getClientIP(...) : String | semmle.label | getClientIP(...) : String |
-| UseOfLessTrustedSource.java:54:13:54:51 | !... | semmle.label | !... |
+| UseOfLessTrustedSource.java:54:37:54:38 | ip | semmle.label | ip |
 | UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) : String | semmle.label | getHeader(...) : String |
 | UseOfLessTrustedSource.java:78:16:78:37 | ...[...] : String | semmle.label | ...[...] : String |
 #select
@@ -45,4 +45,4 @@ nodes
 | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) | this user input |
 | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) | this user input |
 | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) | this user input |
-| UseOfLessTrustedSource.java:54:13:54:51 | !... | UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) : String | UseOfLessTrustedSource.java:54:13:54:51 | !... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:54:37:54:38 | ip | UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) : String | UseOfLessTrustedSource.java:54:37:54:38 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) | this user input |

From 9774b24c4e297655148654047fa66d1fd133be34 Mon Sep 17 00:00:00 2001
From: edvraa <80588099+edvraa@users.noreply.github.com>
Date: Thu, 22 Apr 2021 09:44:07 +0300
Subject: [PATCH 0569/1429] Use TypeString

---
 .../src/experimental/Security/CWE/CWE-730/RegexInjection.ql   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
index 451e8fe816b..c33b7ecf3af 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
@@ -24,7 +24,7 @@ class RegexSink extends DataFlow::ExprNode {
   RegexSink() {
     exists(MethodAccess ma, Method m | m = ma.getMethod() |
       (
-        m.getDeclaringType().hasQualifiedName("java.lang", "String") and
+        m.getDeclaringType() instanceof TypeString and
         (
           ma.getArgument(0) = this.asExpr() and
           (
@@ -47,7 +47,7 @@ class RegexSink extends DataFlow::ExprNode {
         m.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "RegExUtils") and
         (
           ma.getArgument(1) = this.asExpr() and
-          m.getParameterType(1).(Class).hasQualifiedName("java.lang", "String") and
+          m.getParameterType(1).(Class) instanceof TypeString and
           (
             m.hasName("removeAll") or
             m.hasName("removeFirst") or

From 86444bfa09e2e48ec37801abf3b80d537dce4f92 Mon Sep 17 00:00:00 2001
From: edvraa <80588099+edvraa@users.noreply.github.com>
Date: Thu, 22 Apr 2021 09:48:46 +0300
Subject: [PATCH 0570/1429] Use set literal expression

---
 .../Security/CWE/CWE-730/RegexInjection.ql    | 24 +++++--------------
 1 file changed, 6 insertions(+), 18 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
index c33b7ecf3af..ad75e993c30 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
@@ -27,35 +27,23 @@ class RegexSink extends DataFlow::ExprNode {
         m.getDeclaringType() instanceof TypeString and
         (
           ma.getArgument(0) = this.asExpr() and
-          (
-            m.hasName("matches") or
-            m.hasName("split") or
-            m.hasName("replaceFirst") or
-            m.hasName("replaceAll")
-          )
+          m.hasName(["matches", "split", "replaceFirst", "replaceAll"])
         )
         or
         m.getDeclaringType().hasQualifiedName("java.util.regex", "Pattern") and
         (
           ma.getArgument(0) = this.asExpr() and
-          (
-            m.hasName("compile") or
-            m.hasName("matches")
-          )
+          m.hasName(["compile", "matches"])
         )
         or
         m.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "RegExUtils") and
         (
           ma.getArgument(1) = this.asExpr() and
           m.getParameterType(1).(Class) instanceof TypeString and
-          (
-            m.hasName("removeAll") or
-            m.hasName("removeFirst") or
-            m.hasName("removePattern") or
-            m.hasName("replaceAll") or
-            m.hasName("replaceFirst") or
-            m.hasName("replacePattern")
-          )
+          m.hasName([
+              "removeAll", "removeFirst", "removePattern", "replaceAll", "replaceFirst",
+              "replacePattern"
+            ])
         )
       )
     )

From 9c936867faa7cd92fc23b626211fc52ec0730679 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tam=C3=A1s=20Vajk?= <tamasvajk@github.com>
Date: Thu, 22 Apr 2021 09:00:31 +0200
Subject: [PATCH 0571/1429] Exclude code from XML files

Co-authored-by: yo-h <55373593+yo-h@users.noreply.github.com>
---
 java/ql/src/Metrics/Summaries/LinesOfCode.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/Metrics/Summaries/LinesOfCode.ql b/java/ql/src/Metrics/Summaries/LinesOfCode.ql
index 9a90242e3cb..d6db7c6ee6b 100644
--- a/java/ql/src/Metrics/Summaries/LinesOfCode.ql
+++ b/java/ql/src/Metrics/Summaries/LinesOfCode.ql
@@ -10,4 +10,4 @@
 
 import java
 
-select sum(File f, int i | i = f.getNumberOfLinesOfCode() | i)
+select sum(CompilationUnit f | f.fromSource() | f.getNumberOfLinesOfCode())

From ade238307f1416ad45af12f2a9c5ab949a04f427 Mon Sep 17 00:00:00 2001
From: edvraa <80588099+edvraa@users.noreply.github.com>
Date: Thu, 22 Apr 2021 10:02:06 +0300
Subject: [PATCH 0572/1429] Add a test

---
 .../security/CWE-730/RegexInjection.expected  | 52 ++++++++++---------
 .../security/CWE-730/RegexInjection.java      | 10 ++++
 2 files changed, 38 insertions(+), 24 deletions(-)

diff --git a/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.expected
index 93961372d75..1dfe806f10b 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.expected
@@ -9,12 +9,13 @@ edges
 | RegexInjection.java:65:22:65:52 | getParameter(...) : String | RegexInjection.java:68:36:68:42 | pattern : String |
 | RegexInjection.java:68:32:68:43 | foo(...) : String | RegexInjection.java:68:26:68:52 | ... + ... |
 | RegexInjection.java:68:36:68:42 | pattern : String | RegexInjection.java:68:32:68:43 | foo(...) : String |
-| RegexInjection.java:90:22:90:52 | getParameter(...) : String | RegexInjection.java:93:40:93:46 | pattern |
-| RegexInjection.java:97:22:97:52 | getParameter(...) : String | RegexInjection.java:100:42:100:48 | pattern |
-| RegexInjection.java:104:22:104:52 | getParameter(...) : String | RegexInjection.java:107:44:107:50 | pattern |
-| RegexInjection.java:111:22:111:52 | getParameter(...) : String | RegexInjection.java:114:41:114:47 | pattern |
-| RegexInjection.java:118:22:118:52 | getParameter(...) : String | RegexInjection.java:121:43:121:49 | pattern |
-| RegexInjection.java:133:22:133:52 | getParameter(...) : String | RegexInjection.java:136:45:136:51 | pattern |
+| RegexInjection.java:84:22:84:52 | getParameter(...) : String | RegexInjection.java:90:26:90:47 | ... + ... |
+| RegexInjection.java:100:22:100:52 | getParameter(...) : String | RegexInjection.java:103:40:103:46 | pattern |
+| RegexInjection.java:107:22:107:52 | getParameter(...) : String | RegexInjection.java:110:42:110:48 | pattern |
+| RegexInjection.java:114:22:114:52 | getParameter(...) : String | RegexInjection.java:117:44:117:50 | pattern |
+| RegexInjection.java:121:22:121:52 | getParameter(...) : String | RegexInjection.java:124:41:124:47 | pattern |
+| RegexInjection.java:128:22:128:52 | getParameter(...) : String | RegexInjection.java:131:43:131:49 | pattern |
+| RegexInjection.java:143:22:143:52 | getParameter(...) : String | RegexInjection.java:146:45:146:51 | pattern |
 nodes
 | RegexInjection.java:13:22:13:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | RegexInjection.java:16:26:16:47 | ... + ... | semmle.label | ... + ... |
@@ -34,18 +35,20 @@ nodes
 | RegexInjection.java:68:26:68:52 | ... + ... | semmle.label | ... + ... |
 | RegexInjection.java:68:32:68:43 | foo(...) : String | semmle.label | foo(...) : String |
 | RegexInjection.java:68:36:68:42 | pattern : String | semmle.label | pattern : String |
-| RegexInjection.java:90:22:90:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:93:40:93:46 | pattern | semmle.label | pattern |
-| RegexInjection.java:97:22:97:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:100:42:100:48 | pattern | semmle.label | pattern |
-| RegexInjection.java:104:22:104:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:107:44:107:50 | pattern | semmle.label | pattern |
-| RegexInjection.java:111:22:111:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:114:41:114:47 | pattern | semmle.label | pattern |
-| RegexInjection.java:118:22:118:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:121:43:121:49 | pattern | semmle.label | pattern |
-| RegexInjection.java:133:22:133:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RegexInjection.java:136:45:136:51 | pattern | semmle.label | pattern |
+| RegexInjection.java:84:22:84:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:90:26:90:47 | ... + ... | semmle.label | ... + ... |
+| RegexInjection.java:100:22:100:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:103:40:103:46 | pattern | semmle.label | pattern |
+| RegexInjection.java:107:22:107:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:110:42:110:48 | pattern | semmle.label | pattern |
+| RegexInjection.java:114:22:114:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:117:44:117:50 | pattern | semmle.label | pattern |
+| RegexInjection.java:121:22:121:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:124:41:124:47 | pattern | semmle.label | pattern |
+| RegexInjection.java:128:22:128:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:131:43:131:49 | pattern | semmle.label | pattern |
+| RegexInjection.java:143:22:143:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RegexInjection.java:146:45:146:51 | pattern | semmle.label | pattern |
 #select
 | RegexInjection.java:16:26:16:47 | ... + ... | RegexInjection.java:13:22:13:52 | getParameter(...) : String | RegexInjection.java:16:26:16:47 | ... + ... | $@ is user controlled. | RegexInjection.java:13:22:13:52 | getParameter(...) | This regular expression pattern |
 | RegexInjection.java:23:24:23:30 | pattern | RegexInjection.java:20:22:20:52 | getParameter(...) : String | RegexInjection.java:23:24:23:30 | pattern | $@ is user controlled. | RegexInjection.java:20:22:20:52 | getParameter(...) | This regular expression pattern |
@@ -55,9 +58,10 @@ nodes
 | RegexInjection.java:54:28:54:34 | pattern | RegexInjection.java:51:22:51:52 | getParameter(...) : String | RegexInjection.java:54:28:54:34 | pattern | $@ is user controlled. | RegexInjection.java:51:22:51:52 | getParameter(...) | This regular expression pattern |
 | RegexInjection.java:61:28:61:34 | pattern | RegexInjection.java:58:22:58:52 | getParameter(...) : String | RegexInjection.java:61:28:61:34 | pattern | $@ is user controlled. | RegexInjection.java:58:22:58:52 | getParameter(...) | This regular expression pattern |
 | RegexInjection.java:68:26:68:52 | ... + ... | RegexInjection.java:65:22:65:52 | getParameter(...) : String | RegexInjection.java:68:26:68:52 | ... + ... | $@ is user controlled. | RegexInjection.java:65:22:65:52 | getParameter(...) | This regular expression pattern |
-| RegexInjection.java:93:40:93:46 | pattern | RegexInjection.java:90:22:90:52 | getParameter(...) : String | RegexInjection.java:93:40:93:46 | pattern | $@ is user controlled. | RegexInjection.java:90:22:90:52 | getParameter(...) | This regular expression pattern |
-| RegexInjection.java:100:42:100:48 | pattern | RegexInjection.java:97:22:97:52 | getParameter(...) : String | RegexInjection.java:100:42:100:48 | pattern | $@ is user controlled. | RegexInjection.java:97:22:97:52 | getParameter(...) | This regular expression pattern |
-| RegexInjection.java:107:44:107:50 | pattern | RegexInjection.java:104:22:104:52 | getParameter(...) : String | RegexInjection.java:107:44:107:50 | pattern | $@ is user controlled. | RegexInjection.java:104:22:104:52 | getParameter(...) | This regular expression pattern |
-| RegexInjection.java:114:41:114:47 | pattern | RegexInjection.java:111:22:111:52 | getParameter(...) : String | RegexInjection.java:114:41:114:47 | pattern | $@ is user controlled. | RegexInjection.java:111:22:111:52 | getParameter(...) | This regular expression pattern |
-| RegexInjection.java:121:43:121:49 | pattern | RegexInjection.java:118:22:118:52 | getParameter(...) : String | RegexInjection.java:121:43:121:49 | pattern | $@ is user controlled. | RegexInjection.java:118:22:118:52 | getParameter(...) | This regular expression pattern |
-| RegexInjection.java:136:45:136:51 | pattern | RegexInjection.java:133:22:133:52 | getParameter(...) : String | RegexInjection.java:136:45:136:51 | pattern | $@ is user controlled. | RegexInjection.java:133:22:133:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:90:26:90:47 | ... + ... | RegexInjection.java:84:22:84:52 | getParameter(...) : String | RegexInjection.java:90:26:90:47 | ... + ... | $@ is user controlled. | RegexInjection.java:84:22:84:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:103:40:103:46 | pattern | RegexInjection.java:100:22:100:52 | getParameter(...) : String | RegexInjection.java:103:40:103:46 | pattern | $@ is user controlled. | RegexInjection.java:100:22:100:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:110:42:110:48 | pattern | RegexInjection.java:107:22:107:52 | getParameter(...) : String | RegexInjection.java:110:42:110:48 | pattern | $@ is user controlled. | RegexInjection.java:107:22:107:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:117:44:117:50 | pattern | RegexInjection.java:114:22:114:52 | getParameter(...) : String | RegexInjection.java:117:44:117:50 | pattern | $@ is user controlled. | RegexInjection.java:114:22:114:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:124:41:124:47 | pattern | RegexInjection.java:121:22:121:52 | getParameter(...) : String | RegexInjection.java:124:41:124:47 | pattern | $@ is user controlled. | RegexInjection.java:121:22:121:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:131:43:131:49 | pattern | RegexInjection.java:128:22:128:52 | getParameter(...) : String | RegexInjection.java:131:43:131:49 | pattern | $@ is user controlled. | RegexInjection.java:128:22:128:52 | getParameter(...) | This regular expression pattern |
+| RegexInjection.java:146:45:146:51 | pattern | RegexInjection.java:143:22:143:52 | getParameter(...) : String | RegexInjection.java:146:45:146:51 | pattern | $@ is user controlled. | RegexInjection.java:143:22:143:52 | getParameter(...) | This regular expression pattern |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.java b/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.java
index 43218202acf..2aace93aeb8 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-730/RegexInjection.java
@@ -80,6 +80,16 @@ public class RegexInjection extends HttpServlet {
     return input.matches("^" + escapeSpecialRegexChars(pattern) + "=.*$");
   }
 
+  public boolean pattern6(javax.servlet.http.HttpServletRequest request) {
+    String pattern = request.getParameter("pattern");
+    String input = request.getParameter("input");
+
+    escapeSpecialRegexChars(pattern);
+
+    // BAD: the pattern is not really sanitized
+    return input.matches("^" + pattern + "=.*$");
+  }
+
   Pattern SPECIAL_REGEX_CHARS = Pattern.compile("[{}()\\[\\]><-=!.+*?^$\\\\|]");
 
   String escapeSpecialRegexChars(String str) {

From 5149ffdd16f46b0dddb60552d162fd772e9a45df Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 21 Apr 2021 12:01:09 +0200
Subject: [PATCH 0573/1429] C#: Add extraction error diagnostic query

---
 .../Diagnostics/DiagnosticExtractionErrors.ql  | 18 ++++++++++++++++++
 .../DiagnosticExtractorErrors.expected         |  0
 .../DiagnosticExtractorErrors.qlref            |  1 +
 .../test/library-tests/diagnostics/Program.cs  | 17 +++++++++++++++++
 4 files changed, 36 insertions(+)
 create mode 100644 csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
 create mode 100644 csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.expected
 create mode 100644 csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.qlref
 create mode 100644 csharp/ql/test/library-tests/diagnostics/Program.cs

diff --git a/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql b/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
new file mode 100644
index 00000000000..e2fdf2751a4
--- /dev/null
+++ b/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Extraction errors
+ * @description List all errors reported by the extractor. The returned issues are
+ *              limited to those files where there are no compilation errors. This
+ *              indicates a bug or limitation in the extractor, and could lead to
+ *              inaccurate results.
+ * @kind diagnostic
+ * @id cs/diagnostics/extraction-errors
+ */
+
+import csharp
+import semmle.code.csharp.commons.Diagnostics
+
+from ExtractorError error
+where not exists(CompilerError ce | ce.getLocation().getFile() = error.getLocation().getFile())
+select error,
+  "Unexpected " + error.getOrigin() + " error: " + error.getText() + " in " +
+    error.getLocation().getFile(), 3
diff --git a/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.expected b/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.qlref b/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.qlref
new file mode 100644
index 00000000000..7068705cc1b
--- /dev/null
+++ b/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.qlref
@@ -0,0 +1 @@
+Diagnostics/DiagnosticExtractionErrors.ql
diff --git a/csharp/ql/test/library-tests/diagnostics/Program.cs b/csharp/ql/test/library-tests/diagnostics/Program.cs
new file mode 100644
index 00000000000..7f0a7e57d1c
--- /dev/null
+++ b/csharp/ql/test/library-tests/diagnostics/Program.cs
@@ -0,0 +1,17 @@
+// semmle-extractor-options: --standalone
+
+using System;
+
+class Class
+{
+    static void Main(string[] args)
+    {
+        int z = GetParamLength(__arglist(1, 2));
+    }
+
+    public static int GetParamLength(__arglist)
+    {
+        ArgIterator iterator = new ArgIterator(__arglist);
+        return iterator.GetRemainingCount();
+    }
+}

From 353d43a03930efd657638ad8a39e11d4eecbdfc2 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 21 Apr 2021 12:38:55 +0200
Subject: [PATCH 0574/1429] Log model errors even in standalone extraction

---
 csharp/extractor/Semmle.Extraction/Context.cs | 22 ++++++++++++++-----
 .../Diagnostics/DiagnosticExtractionErrors.ql |  9 ++++++--
 .../DiagnosticExtractorErrors.expected        |  2 ++
 3 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction/Context.cs b/csharp/extractor/Semmle.Extraction/Context.cs
index c0580db96a7..a60d82c6952 100644
--- a/csharp/extractor/Semmle.Extraction/Context.cs
+++ b/csharp/extractor/Semmle.Extraction/Context.cs
@@ -376,6 +376,19 @@ namespace Semmle.Extraction
             Extractor.Message(msg);
         }
 
+        private void ExtractionError(InternalError error)
+        {
+            ExtractionError(new Message(error.Message, error.EntityText, CreateLocation(error.Location), error.StackTrace, Severity.Error));
+        }
+
+        private void ReportError(InternalError error)
+        {
+            if (!Extractor.Standalone)
+                throw error;
+
+            ExtractionError(error);
+        }
+
         /// <summary>
         /// Signal an error in the program model.
         /// </summary>
@@ -383,8 +396,7 @@ namespace Semmle.Extraction
         /// <param name="msg">The error message.</param>
         public void ModelError(SyntaxNode node, string msg)
         {
-            if (!Extractor.Standalone)
-                throw new InternalError(node, msg);
+            ReportError(new InternalError(node, msg));
         }
 
         /// <summary>
@@ -394,8 +406,7 @@ namespace Semmle.Extraction
         /// <param name="msg">The error message.</param>
         public void ModelError(ISymbol symbol, string msg)
         {
-            if (!Extractor.Standalone)
-                throw new InternalError(symbol, msg);
+            ReportError(new InternalError(symbol, msg));
         }
 
         /// <summary>
@@ -404,8 +415,7 @@ namespace Semmle.Extraction
         /// <param name="msg">The error message.</param>
         public void ModelError(string msg)
         {
-            if (!Extractor.Standalone)
-                throw new InternalError(msg);
+            ReportError(new InternalError(msg));
         }
 
         /// <summary>
diff --git a/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql b/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
index e2fdf2751a4..91a3c76b254 100644
--- a/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
+++ b/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
@@ -11,8 +11,13 @@
 import csharp
 import semmle.code.csharp.commons.Diagnostics
 
+private string getLocation(ExtractorError error) {
+  if error.getLocation().getFile().fromSource()
+  then result = " in " + error.getLocation().getFile()
+  else result = ""
+}
+
 from ExtractorError error
 where not exists(CompilerError ce | ce.getLocation().getFile() = error.getLocation().getFile())
 select error,
-  "Unexpected " + error.getOrigin() + " error: " + error.getText() + " in " +
-    error.getLocation().getFile(), 3
+  "Unexpected " + error.getOrigin() + " error" + getLocation(error) + ": " + error.getText(), 3
diff --git a/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.expected b/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.expected
index e69de29bb2d..d83e9827256 100644
--- a/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.expected
+++ b/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.expected
@@ -0,0 +1,2 @@
+| Program.cs:9:32:9:46 | Unable to resolve target for call. (Compilation error?) | Unexpected C# extractor error in Program.cs: Unable to resolve target for call. (Compilation error?) | 3 |
+| file://:0:0:0:0 | Unhandled literal type | Unexpected C# extractor error: Unhandled literal type | 3 |

From b05e211e2133ec4eaa910393fa5e8282c8f632a2 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 21 Apr 2021 13:48:53 +0200
Subject: [PATCH 0575/1429] Fix failing test

---
 .../errorrecovery/DiagnosticsAndErrors.expected        | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/csharp/ql/test/library-tests/standalone/errorrecovery/DiagnosticsAndErrors.expected b/csharp/ql/test/library-tests/standalone/errorrecovery/DiagnosticsAndErrors.expected
index 13bdd30b1c4..917d625c10c 100644
--- a/csharp/ql/test/library-tests/standalone/errorrecovery/DiagnosticsAndErrors.expected
+++ b/csharp/ql/test/library-tests/standalone/errorrecovery/DiagnosticsAndErrors.expected
@@ -1,3 +1,13 @@
 compilationMessages
 extractorMessages
+| errors.cs:8:1:8:22 | Namespace not found |
+| errors.cs:24:31:24:32 | Failed to determine type |
+| errors.cs:24:31:24:40 | Failed to determine type |
+| errors.cs:24:31:24:40 | Unable to resolve target for call. (Compilation error?) |
+| errors.cs:24:38:24:39 | Failed to determine type |
+| errors.cs:57:20:57:20 | Failed to determine type |
+| errors.cs:93:45:93:45 | Failed to determine type |
+| errors.cs:93:45:93:45 | Failed to resolve name |
+| errors.cs:94:45:94:45 | Failed to determine type |
+| errors.cs:94:45:94:45 | Failed to resolve name |
 | file://:0:0:0:0 | Extracting default argument value 'object RecordNumber = default' instead of 'object RecordNumber = -1'. The latter is not supported in C#. |

From ff9327a03572d4774308dad1f640af9b73ea5736 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 21 Apr 2021 14:41:53 +0200
Subject: [PATCH 0576/1429] Add diagnostic query to get correctly extracted
 files

---
 .../Diagnostics/DiagnosticNoExtractionErrors.ql    | 14 ++++++++++++++
 csharp/ql/test/library-tests/diagnostics/A.cs      |  4 ++++
 .../DiagnosticNoExtractorErrors.expected           |  1 +
 .../diagnostics/DiagnosticNoExtractorErrors.qlref  |  1 +
 4 files changed, 20 insertions(+)
 create mode 100644 csharp/ql/src/Diagnostics/DiagnosticNoExtractionErrors.ql
 create mode 100644 csharp/ql/test/library-tests/diagnostics/A.cs
 create mode 100644 csharp/ql/test/library-tests/diagnostics/DiagnosticNoExtractorErrors.expected
 create mode 100644 csharp/ql/test/library-tests/diagnostics/DiagnosticNoExtractorErrors.qlref

diff --git a/csharp/ql/src/Diagnostics/DiagnosticNoExtractionErrors.ql b/csharp/ql/src/Diagnostics/DiagnosticNoExtractionErrors.ql
new file mode 100644
index 00000000000..11ef3b327fa
--- /dev/null
+++ b/csharp/ql/src/Diagnostics/DiagnosticNoExtractionErrors.ql
@@ -0,0 +1,14 @@
+/**
+ * @name Successfully extracted files
+ * @description A list of all files in the source code directory that were extracted
+ *              without encountering an extraction error in the file.
+ * @kind diagnostic
+ * @id cs/diagnostics/successfully-extracted-files
+ */
+
+import csharp
+import semmle.code.csharp.commons.Diagnostics
+
+from File file
+where file.fromSource() and not exists(ExtractorError e | e.getLocation().getFile() = file)
+select file, ""
diff --git a/csharp/ql/test/library-tests/diagnostics/A.cs b/csharp/ql/test/library-tests/diagnostics/A.cs
new file mode 100644
index 00000000000..21a5b7f5261
--- /dev/null
+++ b/csharp/ql/test/library-tests/diagnostics/A.cs
@@ -0,0 +1,4 @@
+public class A
+{
+    public void M() { }
+}
\ No newline at end of file
diff --git a/csharp/ql/test/library-tests/diagnostics/DiagnosticNoExtractorErrors.expected b/csharp/ql/test/library-tests/diagnostics/DiagnosticNoExtractorErrors.expected
new file mode 100644
index 00000000000..17e4dc54b7d
--- /dev/null
+++ b/csharp/ql/test/library-tests/diagnostics/DiagnosticNoExtractorErrors.expected
@@ -0,0 +1 @@
+| A.cs:0:0:0:0 | A.cs |  |
diff --git a/csharp/ql/test/library-tests/diagnostics/DiagnosticNoExtractorErrors.qlref b/csharp/ql/test/library-tests/diagnostics/DiagnosticNoExtractorErrors.qlref
new file mode 100644
index 00000000000..7994e050699
--- /dev/null
+++ b/csharp/ql/test/library-tests/diagnostics/DiagnosticNoExtractorErrors.qlref
@@ -0,0 +1 @@
+Diagnostics/DiagnosticNoExtractionErrors.ql

From 64354bbfaac18b9845033af46e01c9cf86d431db Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 22 Apr 2021 09:23:59 +0200
Subject: [PATCH 0577/1429] Fix test results after rebase

---
 .../library-tests/diagnostics/DiagnosticExtractorErrors.expected | 1 -
 1 file changed, 1 deletion(-)

diff --git a/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.expected b/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.expected
index d83e9827256..f1f4d9750a8 100644
--- a/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.expected
+++ b/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.expected
@@ -1,2 +1 @@
 | Program.cs:9:32:9:46 | Unable to resolve target for call. (Compilation error?) | Unexpected C# extractor error in Program.cs: Unable to resolve target for call. (Compilation error?) | 3 |
-| file://:0:0:0:0 | Unhandled literal type | Unexpected C# extractor error: Unhandled literal type | 3 |

From 0dceabe704ba363084fecdd58251060b99c8becc Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Thu, 22 Apr 2021 09:06:09 +0100
Subject: [PATCH 0578/1429] JS: Reference specific section of cheat sheet

---
 .../data-flow-cheat-sheet-for-javascript.rst                    | 2 ++
 ...specifying-additional-remote-flow-sources-for-javascript.rst | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst b/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
index 79bc28f5c16..1b9378669a2 100644
--- a/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
+++ b/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
@@ -133,6 +133,8 @@ System and Network
 - `PersistentWriteAccess <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/Concepts.qll/type.Concepts$PersistentWriteAccess.html>`__ -- writing to persistent storage
 - `SystemCommandExecution <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/Concepts.qll/type.Concepts$SystemCommandExecution.html>`__ -- execution of a system command
 
+.. _data-flow-cheat-sheet-for-javascript--untrusted-data:
+
 Untrusted Data
 --------------
 
diff --git a/docs/codeql/codeql-language-guides/specifying-additional-remote-flow-sources-for-javascript.rst b/docs/codeql/codeql-language-guides/specifying-additional-remote-flow-sources-for-javascript.rst
index 082a7e3fcb7..cc3fe5e9469 100644
--- a/docs/codeql/codeql-language-guides/specifying-additional-remote-flow-sources-for-javascript.rst
+++ b/docs/codeql/codeql-language-guides/specifying-additional-remote-flow-sources-for-javascript.rst
@@ -11,7 +11,7 @@ You can model potential sources of untrusted user input in your code without mak
 
    Specifying remote flow sources in external files is currently in beta and subject to change.
 
-As mentioned in the :doc:`Data flow cheat sheet for JavaScript <data-flow-cheat-sheet-for-javascript>`, the CodeQL libraries for JavaScript
+As mentioned in the :ref:`Data flow cheat sheet for JavaScript <data-flow-cheat-sheet-for-javascript--untrusted-data>`, the CodeQL libraries for JavaScript
 provide a class `RemoteFlowSource <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/security/dataflow/RemoteFlowSources.qll/type.RemoteFlowSources$Cached$RemoteFlowSource.html>`__ to represent sources of untrusted user input, sometimes also referred to as remote flow
 sources.
 

From d2646ea4ad3be13460a4bc973e9e446e820cc86b Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Thu, 22 Apr 2021 09:06:44 +0100
Subject: [PATCH 0579/1429] JS: More consistent section capitalization

---
 .../data-flow-cheat-sheet-for-javascript.rst                    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst b/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
index 1b9378669a2..7d9ac42c3d8 100644
--- a/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
+++ b/docs/codeql/codeql-language-guides/data-flow-cheat-sheet-for-javascript.rst
@@ -135,7 +135,7 @@ System and Network
 
 .. _data-flow-cheat-sheet-for-javascript--untrusted-data:
 
-Untrusted Data
+Untrusted data
 --------------
 
 - `RemoteFlowSource <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/security/dataflow/RemoteFlowSources.qll/type.RemoteFlowSources$Cached$RemoteFlowSource.html>`__ -- source of untrusted user input

From 1a708affbfb30b137746359ba0dcc555cc86fbcc Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 22 Apr 2021 10:08:33 +0200
Subject: [PATCH 0580/1429] Include compilation errors in diagnostic check

---
 .../Diagnostics/DiagnosticExtractionErrors.ql | 56 +++++++++++++++----
 .../DiagnosticNoExtractionErrors.ql           |  7 ++-
 .../DiagnosticExtractorErrors.expected        |  2 +-
 3 files changed, 50 insertions(+), 15 deletions(-)

diff --git a/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql b/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
index 91a3c76b254..f19fcc6416a 100644
--- a/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
+++ b/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
@@ -1,9 +1,7 @@
 /**
  * @name Extraction errors
- * @description List all errors reported by the extractor. The returned issues are
- *              limited to those files where there are no compilation errors. This
- *              indicates a bug or limitation in the extractor, and could lead to
- *              inaccurate results.
+ * @description List all errors reported by the extractor or the compiler. Extractor errors are
+ *              limited to those files where there are no compilation errors.
  * @kind diagnostic
  * @id cs/diagnostics/extraction-errors
  */
@@ -11,13 +9,47 @@
 import csharp
 import semmle.code.csharp.commons.Diagnostics
 
-private string getLocation(ExtractorError error) {
-  if error.getLocation().getFile().fromSource()
-  then result = " in " + error.getLocation().getFile()
-  else result = ""
+private newtype TDiagnosticError =
+  TCompilerError(CompilerError c) or
+  TExtractorError(ExtractorError e)
+
+abstract private class DiagnosticError extends TDiagnosticError {
+  string getMessage() { none() }
+
+  string toString() { none() }
+
+  string getLocation(Location l) {
+    if l.getFile().fromSource() then result = " in " + l.getFile() else result = ""
+  }
 }
 
-from ExtractorError error
-where not exists(CompilerError ce | ce.getLocation().getFile() = error.getLocation().getFile())
-select error,
-  "Unexpected " + error.getOrigin() + " error" + getLocation(error) + ": " + error.getText(), 3
+private class DiagnosticCompilerError extends DiagnosticError {
+  CompilerError c;
+
+  DiagnosticCompilerError() { this = TCompilerError(c) }
+
+  override string getMessage() {
+    result = "Compiler error" + getLocation(c.getLocation()) + ": " + c.getMessage()
+  }
+
+  override string toString() { result = c.toString() }
+}
+
+private class DiagnosticExtractorError extends DiagnosticError {
+  ExtractorError e;
+
+  DiagnosticExtractorError() {
+    this = TExtractorError(e) and
+    not exists(CompilerError ce | ce.getLocation().getFile() = e.getLocation().getFile())
+  }
+
+  override string getMessage() {
+    result =
+      "Unexpected " + e.getOrigin() + " error" + getLocation(e.getLocation()) + ": " + e.getText()
+  }
+
+  override string toString() { result = e.toString() }
+}
+
+from DiagnosticError error
+select error.getMessage(), 3
diff --git a/csharp/ql/src/Diagnostics/DiagnosticNoExtractionErrors.ql b/csharp/ql/src/Diagnostics/DiagnosticNoExtractionErrors.ql
index 11ef3b327fa..cb86e293efc 100644
--- a/csharp/ql/src/Diagnostics/DiagnosticNoExtractionErrors.ql
+++ b/csharp/ql/src/Diagnostics/DiagnosticNoExtractionErrors.ql
@@ -1,7 +1,7 @@
 /**
  * @name Successfully extracted files
  * @description A list of all files in the source code directory that were extracted
- *              without encountering an extraction error in the file.
+ *              without encountering an extraction or compiler error in the file.
  * @kind diagnostic
  * @id cs/diagnostics/successfully-extracted-files
  */
@@ -10,5 +10,8 @@ import csharp
 import semmle.code.csharp.commons.Diagnostics
 
 from File file
-where file.fromSource() and not exists(ExtractorError e | e.getLocation().getFile() = file)
+where
+  file.fromSource() and
+  not exists(ExtractorError e | e.getLocation().getFile() = file) and
+  not exists(CompilerError e | e.getLocation().getFile() = file)
 select file, ""
diff --git a/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.expected b/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.expected
index f1f4d9750a8..e47e78cdce9 100644
--- a/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.expected
+++ b/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.expected
@@ -1 +1 @@
-| Program.cs:9:32:9:46 | Unable to resolve target for call. (Compilation error?) | Unexpected C# extractor error in Program.cs: Unable to resolve target for call. (Compilation error?) | 3 |
+| Unexpected C# extractor error in Program.cs: Unable to resolve target for call. (Compilation error?) | 3 |

From 1dab1590ea268cb6370f022efa7d5e4c5277f7d0 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 22 Apr 2021 10:18:31 +0200
Subject: [PATCH 0581/1429] C#: Adjust 'fromSource' to hold only on files
 passed to the compiler as a source file

---
 .../extractor/Semmle.Extraction.CSharp/Entities/File.cs  | 9 +++++----
 .../Semmle.Extraction/Entities/GeneratedFile.cs          | 2 +-
 csharp/extractor/Semmle.Extraction/FileSourceKind.cs     | 9 +++++++++
 csharp/extractor/Semmle.Extraction/Tuples.cs             | 4 ++--
 csharp/ql/src/semmle/code/csharp/File.qll                | 2 +-
 5 files changed, 18 insertions(+), 8 deletions(-)
 create mode 100644 csharp/extractor/Semmle.Extraction/FileSourceKind.cs

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/File.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/File.cs
index f22edb158aa..a853065ad04 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/File.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/File.cs
@@ -17,14 +17,15 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void Populate(TextWriter trapFile)
         {
-            trapFile.files(this, TransformedPath.Value, TransformedPath.NameWithoutExtension, TransformedPath.Extension);
+            var trees = Context.Compilation.SyntaxTrees.Where(t => t.FilePath == originalPath);
+            var isSource = trees.Any();
+
+            trapFile.files(this, TransformedPath.Value, TransformedPath.NameWithoutExtension, TransformedPath.Extension, isSource ? FileSourceKind.FromSource : FileSourceKind.Unknown);
 
             if (TransformedPath.ParentDirectory is PathTransformer.ITransformedPath dir)
                 trapFile.containerparent(Extraction.Entities.Folder.Create(Context, dir), this);
 
-            var trees = Context.Compilation.SyntaxTrees.Where(t => t.FilePath == originalPath);
-
-            if (trees.Any())
+            if (isSource)
             {
                 foreach (var text in trees.Select(tree => tree.GetText()))
                 {
diff --git a/csharp/extractor/Semmle.Extraction/Entities/GeneratedFile.cs b/csharp/extractor/Semmle.Extraction/Entities/GeneratedFile.cs
index db458e574a5..d6fc07c4fa3 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/GeneratedFile.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/GeneratedFile.cs
@@ -10,7 +10,7 @@ namespace Semmle.Extraction.Entities
 
         public override void Populate(TextWriter trapFile)
         {
-            trapFile.files(this, "", "", "");
+            trapFile.files(this, "", "", "", FileSourceKind.Unknown);
         }
 
         public override void WriteId(TextWriter trapFile)
diff --git a/csharp/extractor/Semmle.Extraction/FileSourceKind.cs b/csharp/extractor/Semmle.Extraction/FileSourceKind.cs
new file mode 100644
index 00000000000..1edce1943b3
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction/FileSourceKind.cs
@@ -0,0 +1,9 @@
+namespace Semmle.Extraction
+{
+    public enum FileSourceKind
+    {
+        Unknown = 0,
+        FromSource = 1,
+        FromLibrary = 2
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction/Tuples.cs b/csharp/extractor/Semmle.Extraction/Tuples.cs
index 49c14df7643..6d40a204947 100644
--- a/csharp/extractor/Semmle.Extraction/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction/Tuples.cs
@@ -18,9 +18,9 @@ namespace Semmle.Extraction
             trapFile.WriteTuple("extractor_messages", error, (int)severity, origin, errorMessage, entityText, location, stackTrace);
         }
 
-        public static void files(this System.IO.TextWriter trapFile, File file, string fullName, string name, string extension)
+        public static void files(this System.IO.TextWriter trapFile, File file, string fullName, string name, string extension, FileSourceKind kind)
         {
-            trapFile.WriteTuple("files", file, fullName, name, extension, 0);
+            trapFile.WriteTuple("files", file, fullName, name, extension, (int)kind);
         }
 
         internal static void folders(this System.IO.TextWriter trapFile, Folder folder, string path, string name)
diff --git a/csharp/ql/src/semmle/code/csharp/File.qll b/csharp/ql/src/semmle/code/csharp/File.qll
index 86656af4124..8ebc4aebe2b 100644
--- a/csharp/ql/src/semmle/code/csharp/File.qll
+++ b/csharp/ql/src/semmle/code/csharp/File.qll
@@ -192,7 +192,7 @@ class File extends Container, @file {
   override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" }
 
   /** Holds if this file contains source code. */
-  predicate fromSource() { this.getNumberOfLinesOfCode() > 0 }
+  predicate fromSource() { files(this, _, _, _, 1) }
 
   /** Holds if this file is a library. */
   predicate fromLibrary() {

From 9f1704560b754523626bf8e74e7f64c842faaeb5 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <owen-mc@github.com>
Date: Wed, 21 Apr 2021 15:39:23 +0100
Subject: [PATCH 0582/1429] Include constructors in abstract class

---
 java/ql/src/semmle/code/java/JDK.qll            | 17 +++++++++++++++--
 .../semmle/code/java/frameworks/apache/Exec.qll |  8 ++++++--
 .../code/java/security/ExternalProcess.qll      | 17 +++++++----------
 3 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/java/ql/src/semmle/code/java/JDK.qll b/java/ql/src/semmle/code/java/JDK.qll
index 4d9e2bbc2d7..3e67fd8dfa6 100644
--- a/java/ql/src/semmle/code/java/JDK.qll
+++ b/java/ql/src/semmle/code/java/JDK.qll
@@ -180,21 +180,34 @@ class TypeFile extends Class {
 /**
  * Any of the methods named `command` on class `java.lang.ProcessBuilder`.
  */
-class MethodProcessBuilderCommand extends ExecMethod {
+class ProcessBuilderConstructor extends Constructor, ExecCallable {
+  ProcessBuilderConstructor() { this.getDeclaringType() instanceof TypeProcessBuilder }
+
+  override int getAnExecutedArgument() { result = 0 }
+}
+
+/**
+ * Any of the methods named `command` on class `java.lang.ProcessBuilder`.
+ */
+class MethodProcessBuilderCommand extends Method, ExecCallable {
   MethodProcessBuilderCommand() {
     hasName("command") and
     getDeclaringType() instanceof TypeProcessBuilder
   }
+
+  override int getAnExecutedArgument() { result = 0 }
 }
 
 /**
  * Any method named `exec` on class `java.lang.Runtime`.
  */
-class MethodRuntimeExec extends ExecMethod {
+class MethodRuntimeExec extends Method, ExecCallable {
   MethodRuntimeExec() {
     hasName("exec") and
     getDeclaringType() instanceof TypeRuntime
   }
+
+  override int getAnExecutedArgument() { result = 0 }
 }
 
 /**
diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Exec.qll b/java/ql/src/semmle/code/java/frameworks/apache/Exec.qll
index b12887e5634..49976c020a8 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Exec.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Exec.qll
@@ -6,16 +6,20 @@ library class TypeCommandLine extends Class {
   TypeCommandLine() { hasQualifiedName("org.apache.commons.exec", "CommandLine") }
 }
 
-library class MethodCommandLineParse extends ExecMethod {
+library class MethodCommandLineParse extends Method, ExecCallable {
   MethodCommandLineParse() {
     getDeclaringType() instanceof TypeCommandLine and
     hasName("parse")
   }
+
+  override int getAnExecutedArgument() { result = 0 }
 }
 
-library class MethodCommandLineAddArguments extends ExecMethod {
+library class MethodCommandLineAddArguments extends Method, ExecCallable {
   MethodCommandLineAddArguments() {
     getDeclaringType() instanceof TypeCommandLine and
     hasName("addArguments")
   }
+
+  override int getAnExecutedArgument() { result = 0 }
 }
diff --git a/java/ql/src/semmle/code/java/security/ExternalProcess.qll b/java/ql/src/semmle/code/java/security/ExternalProcess.qll
index 6b098a2d0e8..e60efc42543 100644
--- a/java/ql/src/semmle/code/java/security/ExternalProcess.qll
+++ b/java/ql/src/semmle/code/java/security/ExternalProcess.qll
@@ -6,7 +6,9 @@ import semmle.code.java.frameworks.apache.Exec
 /**
  * A method that executes a command.
  */
-abstract class ExecMethod extends Method { }
+abstract class ExecCallable extends Callable {
+  abstract int getAnExecutedArgument();
+}
 
 /**
  * An expression used as an argument to a call that executes an external command. For calls to
@@ -15,15 +17,10 @@ abstract class ExecMethod extends Method { }
  */
 class ArgumentToExec extends Expr {
   ArgumentToExec() {
-    exists(MethodAccess execCall, ExecMethod method |
-      execCall.getArgument(0) = this and
-      method = execCall.getMethod()
-    )
-    or
-    exists(ConstructorCall expr, Constructor cons |
-      expr.getConstructor() = cons and
-      cons.getDeclaringType().hasQualifiedName("java.lang", "ProcessBuilder") and
-      expr.getArgument(0) = this
+    exists(Call execCall, ExecCallable execCallable, int i |
+      execCall.getArgument(i) = this and
+      execCallable = execCall.getCallee() and
+      i = execCallable.getAnExecutedArgument()
     )
   }
 }

From e448dcb7256400570cfb4408fc26ffe7121b004b Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <owen-mc@github.com>
Date: Wed, 21 Apr 2021 16:11:18 +0100
Subject: [PATCH 0583/1429] Avoid bad join order

We want to avoid joining on `i` first.
---
 java/ql/src/semmle/code/java/security/ExternalProcess.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/security/ExternalProcess.qll b/java/ql/src/semmle/code/java/security/ExternalProcess.qll
index e60efc42543..46b3e8c65df 100644
--- a/java/ql/src/semmle/code/java/security/ExternalProcess.qll
+++ b/java/ql/src/semmle/code/java/security/ExternalProcess.qll
@@ -18,7 +18,7 @@ abstract class ExecCallable extends Callable {
 class ArgumentToExec extends Expr {
   ArgumentToExec() {
     exists(Call execCall, ExecCallable execCallable, int i |
-      execCall.getArgument(i) = this and
+      execCall.getArgument(pragma[only_bind_into](i)) = this and
       execCallable = execCall.getCallee() and
       i = execCallable.getAnExecutedArgument()
     )

From 4b8d4f5bbd903e07e03c4f570b6a562ac3de5804 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <owen-mc@github.com>
Date: Wed, 21 Apr 2021 16:12:21 +0100
Subject: [PATCH 0584/1429] Update docs

---
 java/ql/src/semmle/code/java/JDK.qll                     | 2 +-
 java/ql/src/semmle/code/java/frameworks/apache/Exec.qll  | 9 ++++++---
 .../ql/src/semmle/code/java/security/ExternalProcess.qll | 5 ++++-
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/java/ql/src/semmle/code/java/JDK.qll b/java/ql/src/semmle/code/java/JDK.qll
index 3e67fd8dfa6..1e6d730943a 100644
--- a/java/ql/src/semmle/code/java/JDK.qll
+++ b/java/ql/src/semmle/code/java/JDK.qll
@@ -178,7 +178,7 @@ class TypeFile extends Class {
 
 // --- Standard methods ---
 /**
- * Any of the methods named `command` on class `java.lang.ProcessBuilder`.
+ * Any constructor of class `java.lang.ProcessBuilder`.
  */
 class ProcessBuilderConstructor extends Constructor, ExecCallable {
   ProcessBuilderConstructor() { this.getDeclaringType() instanceof TypeProcessBuilder }
diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Exec.qll b/java/ql/src/semmle/code/java/frameworks/apache/Exec.qll
index 49976c020a8..978154d3274 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Exec.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Exec.qll
@@ -2,11 +2,13 @@
 import semmle.code.java.Type
 import semmle.code.java.security.ExternalProcess
 
-library class TypeCommandLine extends Class {
+/** The class `org.apache.commons.exec.CommandLine`. */
+private class TypeCommandLine extends Class {
   TypeCommandLine() { hasQualifiedName("org.apache.commons.exec", "CommandLine") }
 }
 
-library class MethodCommandLineParse extends Method, ExecCallable {
+/** The `parse()` method of the class `org.apache.commons.exec.CommandLine`. */
+private class MethodCommandLineParse extends Method, ExecCallable {
   MethodCommandLineParse() {
     getDeclaringType() instanceof TypeCommandLine and
     hasName("parse")
@@ -15,7 +17,8 @@ library class MethodCommandLineParse extends Method, ExecCallable {
   override int getAnExecutedArgument() { result = 0 }
 }
 
-library class MethodCommandLineAddArguments extends Method, ExecCallable {
+/** The `addArguments()` method of the class `org.apache.commons.exec.CommandLine`. */
+private class MethodCommandLineAddArguments extends Method, ExecCallable {
   MethodCommandLineAddArguments() {
     getDeclaringType() instanceof TypeCommandLine and
     hasName("addArguments")
diff --git a/java/ql/src/semmle/code/java/security/ExternalProcess.qll b/java/ql/src/semmle/code/java/security/ExternalProcess.qll
index 46b3e8c65df..4cccdb2a1bd 100644
--- a/java/ql/src/semmle/code/java/security/ExternalProcess.qll
+++ b/java/ql/src/semmle/code/java/security/ExternalProcess.qll
@@ -4,9 +4,12 @@ import semmle.code.java.JDK
 import semmle.code.java.frameworks.apache.Exec
 
 /**
- * A method that executes a command.
+ * A callable that executes a command.
  */
 abstract class ExecCallable extends Callable {
+  /**
+   * Gets the index of an argument that will be part of the command that is executed.
+   */
   abstract int getAnExecutedArgument();
 }
 

From b724e51cab29a5a45f80d71619fb197f90b67ae1 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Thu, 22 Apr 2021 10:40:42 +0200
Subject: [PATCH 0585/1429] Python: Improvements from review suggestions

---
 .../src/semmle/python/frameworks/Stdlib.qll   | 24 ++++++-------------
 1 file changed, 7 insertions(+), 17 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index 01d35704ec7..77f3213a5fa 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -911,7 +911,7 @@ private module Stdlib {
   private string pathlibPathMethodExport() { result in ["as_posix", "as_uri"] }
 
   /**
-   * Flow for type presering mehtods.
+   * Flow for mehtods that return a `pathlib.Path` object.
    */
   private predicate typePreservingCall(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     exists(DataFlow::AttrRead returnsPath | returnsPath.getAttributeName() = pathlibPathMethod() |
@@ -921,7 +921,7 @@ private module Stdlib {
   }
 
   /**
-   * Flow for type presering attributes.
+   * Flow for attributes that are `pathlib.Path` objects.
    */
   private predicate typePreservingAttribute(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     exists(DataFlow::AttrRead isPath | isPath.getAttributeName() = pathlibPathAttribute() |
@@ -1018,7 +1018,7 @@ private module Stdlib {
         // Type-preserving call
         typePreservingCall(nodeFrom, nodeTo)
         or
-        // Type-preserving attribute
+        // Type-preserving attribute access
         typePreservingAttribute(nodeFrom, nodeTo)
       )
       or
@@ -1026,24 +1026,14 @@ private module Stdlib {
       nodeTo.getALocalSource() = pathlibPath() and
       (
         // Special handling of the `/` operator
-        exists(BinaryExprNode slash, DataFlow::Node pathOperand, DataFlow::Node dataOperand |
+        exists(BinaryExprNode slash, DataFlow::Node pathOperand |
           slash.getOp() instanceof Div and
-          (
-            pathOperand.asCfgNode() = slash.getLeft() and
-            dataOperand.asCfgNode() = slash.getRight()
-            or
-            pathOperand.asCfgNode() = slash.getRight() and
-            dataOperand.asCfgNode() = slash.getLeft()
-          ) and
+          pathOperand.asCfgNode() = slash.getAnOperand() and
           pathOperand.getALocalSource() = pathlibPath()
         |
           nodeTo.asCfgNode() = slash and
-          nodeFrom in [
-              // type-preserving call
-              pathOperand,
-              // data injection
-              dataOperand
-            ]
+          // Taint can flow either from the left or the right operand as long as one of them is a path.
+          nodeFrom.asCfgNode() = slash.getAnOperand()
         )
         or
         // standard case

From 8a01799fb8fd049d18bee768a51107680c4b3534 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
Date: Thu, 22 Apr 2021 09:46:49 +0100
Subject: [PATCH 0586/1429] Make imports private

Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
---
 java/ql/src/semmle/code/java/security/ExternalProcess.qll | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/semmle/code/java/security/ExternalProcess.qll b/java/ql/src/semmle/code/java/security/ExternalProcess.qll
index 4cccdb2a1bd..fe5e46d5efb 100644
--- a/java/ql/src/semmle/code/java/security/ExternalProcess.qll
+++ b/java/ql/src/semmle/code/java/security/ExternalProcess.qll
@@ -1,7 +1,10 @@
 /* Definitions related to external processes. */
 import semmle.code.java.Member
-import semmle.code.java.JDK
-import semmle.code.java.frameworks.apache.Exec
+
+private module Instances {
+  private import semmle.code.java.JDK
+  private import semmle.code.java.frameworks.apache.Exec
+}
 
 /**
  * A callable that executes a command.

From a8a920c8f02fef08b3200473f502c6c4adac2cd7 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 22 Apr 2021 11:01:12 +0200
Subject: [PATCH 0587/1429] Add change note

---
 csharp/change-notes/2021-04-22-console-read-local-source.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 csharp/change-notes/2021-04-22-console-read-local-source.md

diff --git a/csharp/change-notes/2021-04-22-console-read-local-source.md b/csharp/change-notes/2021-04-22-console-read-local-source.md
new file mode 100644
index 00000000000..9fbb5f2ff32
--- /dev/null
+++ b/csharp/change-notes/2021-04-22-console-read-local-source.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* `System.Console.Read` methods have been added as data flow sources of local user input.
\ No newline at end of file

From 180904e9f6425db8e37d25abb2a780b78316bd6f Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 22 Apr 2021 11:14:51 +0200
Subject: [PATCH 0588/1429] Revert "Java: Convert Google HTTP client API
 parseAs  sink to CSV format"

This reverts commit 3e53484bb3b942c58f2bf1b90301a9779ebc34aa.
---
 .../code/java/dataflow/ExternalFlow.qll       |  1 -
 .../frameworks/google/GoogleHttpClientApi.qll | 22 ++++++++++++-------
 2 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 154ec98f2ad..ba329d99f21 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -76,7 +76,6 @@ private module Frameworks {
   private import semmle.code.java.frameworks.ApacheHttp
   private import semmle.code.java.frameworks.apache.Lang
   private import semmle.code.java.frameworks.guava.Guava
-  private import semmle.code.java.frameworks.google.GoogleHttpClientApi
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.XSS
 }
diff --git a/java/ql/src/semmle/code/java/frameworks/google/GoogleHttpClientApi.qll b/java/ql/src/semmle/code/java/frameworks/google/GoogleHttpClientApi.qll
index 07e30711b44..ccc446892f1 100644
--- a/java/ql/src/semmle/code/java/frameworks/google/GoogleHttpClientApi.qll
+++ b/java/ql/src/semmle/code/java/frameworks/google/GoogleHttpClientApi.qll
@@ -2,7 +2,14 @@ import java
 import semmle.code.java.Serializability
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.DataFlow5
-private import semmle.code.java.dataflow.ExternalFlow
+
+/** The method `parseAs` in `com.google.api.client.http.HttpResponse`. */
+private class ParseAsMethod extends Method {
+  ParseAsMethod() {
+    this.getDeclaringType().hasQualifiedName("com.google.api.client.http", "HttpResponse") and
+    this.hasName("parseAs")
+  }
+}
 
 private class TypeLiteralToParseAsFlowConfiguration extends DataFlow5::Configuration {
   TypeLiteralToParseAsFlowConfiguration() {
@@ -11,17 +18,16 @@ private class TypeLiteralToParseAsFlowConfiguration extends DataFlow5::Configura
 
   override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof TypeLiteral }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "google-parse-as") }
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma |
+      ma.getAnArgument() = sink.asExpr() and
+      ma.getMethod() instanceof ParseAsMethod
+    )
+  }
 
   TypeLiteral getSourceWithFlowToParseAs() { hasFlow(DataFlow::exprNode(result), _) }
 }
 
-private class ParseAsSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row = ["com.google.api.client.http;HttpResponse;false;parseAs;;;Argument;google-parse-as"]
-  }
-}
-
 /** A field that is deserialized by `HttpResponse.parseAs`. */
 class HttpResponseParseAsDeserializableField extends DeserializableField {
   HttpResponseParseAsDeserializableField() {

From 9b1c54e81b66d65e35f4cca6729e08cb337ed3c3 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 22 Apr 2021 11:17:25 +0200
Subject: [PATCH 0589/1429] Add argument indices to HTTP header splitting sinks

---
 java/ql/src/semmle/code/java/security/ResponseSplitting.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll
index 040174d50b5..abc1d2723c9 100644
--- a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll
+++ b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll
@@ -17,8 +17,8 @@ private class HeaderSplittingSinkModel extends SinkModelCsv {
     row =
       [
         "javax.servlet.http;HttpServletResponse;false;addCookie;;;Argument[0];header-splitting",
-        "javax.servlet.http;HttpServletResponse;false;addHeader;;;Argument;header-splitting",
-        "javax.servlet.http;HttpServletResponse;false;setHeader;;;Argument;header-splitting",
+        "javax.servlet.http;HttpServletResponse;false;addHeader;;;Argument[0..1];header-splitting",
+        "javax.servlet.http;HttpServletResponse;false;setHeader;;;Argument[0..1];header-splitting",
         "javax.ws.rs.core;ResponseBuilder;false;header;;;Argument[1];header-splitting"
       ]
   }

From 6c78a247f2e4516a2e94963c3c2c2f3bb6ae390d Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 22 Apr 2021 11:20:39 +0200
Subject: [PATCH 0590/1429] Revert erroneous refactoring in header splitting
 sink base class

---
 java/ql/src/semmle/code/java/security/ResponseSplitting.qll | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll
index abc1d2723c9..70af02efc6d 100644
--- a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll
+++ b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll
@@ -8,8 +8,10 @@ import semmle.code.java.frameworks.JaxWS
 private import semmle.code.java.dataflow.ExternalFlow
 
 /** A sink that is vulnerable to an HTTP header splitting attack. */
-class HeaderSplittingSink extends DataFlow::Node {
-  HeaderSplittingSink() { sinkNode(this, "header-splitting") }
+abstract class HeaderSplittingSink extends DataFlow::Node { }
+
+private class DefaultHeaderSplittingSink extends HeaderSplittingSink {
+  DefaultHeaderSplittingSink() { sinkNode(this, "header-splitting") }
 }
 
 private class HeaderSplittingSinkModel extends SinkModelCsv {

From 1caa5c47800ca3d3db58b4fda63b6e4b2b450bb5 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 22 Apr 2021 11:22:18 +0200
Subject: [PATCH 0591/1429] Adjust hostname verifier sink identifier name

---
 .../ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql | 2 +-
 java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll        | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql b/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
index 058a1f9e169..d1fe8aee075 100644
--- a/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
+++ b/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
@@ -50,7 +50,7 @@ class TrustAllHostnameVerifierConfiguration extends DataFlow::Configuration {
     source.asExpr().(ClassInstanceExpr).getConstructedType() instanceof TrustAllHostnameVerifier
   }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "set-hostname") }
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "set-hostname-verifier") }
 
   override predicate isBarrier(DataFlow::Node barrier) {
     // ignore nodes that are in functions that intentionally disable hostname verification
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index ba329d99f21..b699f0922f3 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -209,8 +209,8 @@ private predicate sinkModelCsv(string row) {
       // Bean validation
       "javax.validation;ConstraintValidatorContext;true;buildConstraintViolationWithTemplate;;;Argument[0];bean-validation",
       // Set hostname
-      "javax.net.ssl;HttpsURLConnection;true;setDefaultHostnameVerifier;;;Argument[0];set-hostname",
-      "javax.net.ssl;HttpsURLConnection;true;setHostnameVerifier;;;Argument[0];set-hostname"
+      "javax.net.ssl;HttpsURLConnection;true;setDefaultHostnameVerifier;;;Argument[0];set-hostname-verifier",
+      "javax.net.ssl;HttpsURLConnection;true;setHostnameVerifier;;;Argument[0];set-hostname-verifier"
     ]
 }
 

From 7134eb9079e7798db2c497a441912574ec15e477 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 22 Apr 2021 11:37:41 +0200
Subject: [PATCH 0592/1429] Improve documentation of csv sink models

---
 java/ql/src/Security/CWE/CWE-022/ZipSlip.ql            |  9 ++++++++-
 .../src/Security/CWE/CWE-094/InsecureBeanValidation.ql | 10 +++++++++-
 .../Security/CWE/CWE-297/UnsafeHostnameVerification.ql |  9 ++++++++-
 java/ql/src/semmle/code/java/security/XSS.qll          |  1 +
 4 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql b/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
index 80de02d7067..6342a444a64 100644
--- a/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
+++ b/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
@@ -124,7 +124,7 @@ class ZipSlipConfiguration extends TaintTracking::Configuration {
     source.asExpr().(MethodAccess).getMethod() instanceof ArchiveEntryNameMethod
   }
 
-  override predicate isSink(Node sink) { sinkNode(sink, "create-file") }
+  override predicate isSink(Node sink) { sink instanceof FileCreationSink }
 
   override predicate isAdditionalTaintStep(Node n1, Node n2) {
     filePathStep(n1, n2) or fileTaintStep(n1, n2)
@@ -146,6 +146,13 @@ class ZipSlipConfiguration extends TaintTracking::Configuration {
   }
 }
 
+/**
+ * A sink that represents a file creation, such as a file write, copy or move operation.
+ */
+private class FileCreationSink extends DataFlow::Node {
+  FileCreationSink() { sinkNode(this, "create-file") }
+}
+
 from PathNode source, PathNode sink
 where any(ZipSlipConfiguration c).hasFlowPath(source, sink)
 select source.getNode(), source, sink,
diff --git a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
index e4ee42008a1..aef404aabd1 100644
--- a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
+++ b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
@@ -60,7 +60,15 @@ class BeanValidationConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "bean-validation") }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
+}
+
+/**
+ * A bean validation sink, such as method `buildConstraintViolationWithTemplate`
+ * declared on a subtype of `javax.validation.ConstraintValidatorContext`.
+ */
+private class BeanValidationSink extends DataFlow::Node {
+  BeanValidationSink() { sinkNode(this, "bean-validation") }
 }
 
 from BeanValidationConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
diff --git a/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql b/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
index d1fe8aee075..0bf7a164826 100644
--- a/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
+++ b/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
@@ -50,7 +50,7 @@ class TrustAllHostnameVerifierConfiguration extends DataFlow::Configuration {
     source.asExpr().(ClassInstanceExpr).getConstructedType() instanceof TrustAllHostnameVerifier
   }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "set-hostname-verifier") }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof HostnameVerifierSink }
 
   override predicate isBarrier(DataFlow::Node barrier) {
     // ignore nodes that are in functions that intentionally disable hostname verification
@@ -78,6 +78,13 @@ class TrustAllHostnameVerifierConfiguration extends DataFlow::Configuration {
   }
 }
 
+/**
+ * A sink that sets the `HostnameVerifier` on `HttpsURLConnection`.
+ */
+private class HostnameVerifierSink extends DataFlow::Node {
+  HostnameVerifierSink() { sinkNode(this, "set-hostname-verifier") }
+}
+
 bindingset[result]
 private string getAFlagName() {
   result
diff --git a/java/ql/src/semmle/code/java/security/XSS.qll b/java/ql/src/semmle/code/java/security/XSS.qll
index 9791eed203b..486e8053953 100644
--- a/java/ql/src/semmle/code/java/security/XSS.qll
+++ b/java/ql/src/semmle/code/java/security/XSS.qll
@@ -29,6 +29,7 @@ class XssAdditionalTaintStep extends Unit {
   abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
 }
 
+/** CSV sink models representing methods susceptible to XSS attacks. */
 private class DefaultXssSinkModel extends SinkModelCsv {
   override predicate row(string row) {
     row =

From aaef4ef22b90b60bed45b45c4cd6b5d49562e56c Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Thu, 22 Apr 2021 18:52:55 +0800
Subject: [PATCH 0593/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
index 29baa90875c..e7f6f17e9ae 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
@@ -56,7 +56,7 @@ private class CompareSink extends UseOfLessTrustedSink {
       ma.getMethod().getDeclaringType() instanceof TypeString and
       ma.getMethod().getNumberOfParameters() = 1 and
       ma.getQualifier() = this.asExpr() and
-      ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in ["", "unknown"]
+      not ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in ["", "unknown"]
     )
     or
     exists(MethodAccess ma, int i |

From 9b4442be8bd23859e8e55bb145250ae1fe87d6ee Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Thu, 22 Apr 2021 19:01:55 +0800
Subject: [PATCH 0594/1429] Fix some errors

---
 .../CWE/CWE-348/UseOfLessTrustedSourceLib.qll      | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
index 29baa90875c..796fa9d3fc3 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
@@ -56,27 +56,27 @@ private class CompareSink extends UseOfLessTrustedSink {
       ma.getMethod().getDeclaringType() instanceof TypeString and
       ma.getMethod().getNumberOfParameters() = 1 and
       ma.getQualifier() = this.asExpr() and
-      ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in ["", "unknown"]
+      not ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in ["", "unknown"]
     )
     or
-    exists(MethodAccess ma, int i |
+    exists(MethodAccess ma |
       ma.getMethod().hasName("startsWith") and
       ma.getMethod()
           .getDeclaringType()
           .hasQualifiedName(["org.apache.commons.lang3", "org.apache.commons.lang"], "StringUtils") and
       ma.getMethod().getNumberOfParameters() = 2 and
-      ma.getArgument(i) = this.asExpr() and
-      ma.getArgument(1 - i).(CompileTimeConstantExpr).getStringValue() != ""
+      ma.getAnArgument() = this.asExpr() and
+      ma.getAnArgument().(CompileTimeConstantExpr).getStringValue() != ""
     )
     or
-    exists(MethodAccess ma, int i |
+    exists(MethodAccess ma |
       ma.getMethod().getName() in ["equals", "equalsIgnoreCase"] and
       ma.getMethod()
           .getDeclaringType()
           .hasQualifiedName(["org.apache.commons.lang3", "org.apache.commons.lang"], "StringUtils") and
       ma.getMethod().getNumberOfParameters() = 2 and
-      ma.getArgument(i) = this.asExpr() and
-      not ma.getArgument(1 - i).(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
+      ma.getAnArgument() = this.asExpr() and
+      not ma.getAnArgument().(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
           "", "unknown", ":"
         ]
     )

From 407dcea75144aeba01a682df9bef3e705af0b84d Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Thu, 22 Apr 2021 19:20:54 +0800
Subject: [PATCH 0595/1429] add String type startsWith

---
 .../Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll      | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
index 796fa9d3fc3..be2aef5e9c7 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
@@ -52,11 +52,13 @@ private class CompareSink extends UseOfLessTrustedSink {
     )
     or
     exists(MethodAccess ma |
-      ma.getMethod().hasName("contains") and
+      ma.getMethod().getName() in ["contains", "startsWith"] and
       ma.getMethod().getDeclaringType() instanceof TypeString and
       ma.getMethod().getNumberOfParameters() = 1 and
       ma.getQualifier() = this.asExpr() and
-      not ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in ["", "unknown"]
+      not ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
+          "", "unknown"
+        ]
     )
     or
     exists(MethodAccess ma |

From b36d35bf1ef38194d20acd74aa6c4854d497844a Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 22 Apr 2021 14:16:10 +0200
Subject: [PATCH 0596/1429] Revert "C#: Adjust 'fromSource' to hold only on
 files passed to the compiler as a source file"

This reverts commit 1dab1590ea268cb6370f022efa7d5e4c5277f7d0.
---
 .../extractor/Semmle.Extraction.CSharp/Entities/File.cs  | 9 ++++-----
 .../Semmle.Extraction/Entities/GeneratedFile.cs          | 2 +-
 csharp/extractor/Semmle.Extraction/FileSourceKind.cs     | 9 ---------
 csharp/extractor/Semmle.Extraction/Tuples.cs             | 4 ++--
 csharp/ql/src/semmle/code/csharp/File.qll                | 2 +-
 5 files changed, 8 insertions(+), 18 deletions(-)
 delete mode 100644 csharp/extractor/Semmle.Extraction/FileSourceKind.cs

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/File.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/File.cs
index a853065ad04..f22edb158aa 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/File.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/File.cs
@@ -17,15 +17,14 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void Populate(TextWriter trapFile)
         {
-            var trees = Context.Compilation.SyntaxTrees.Where(t => t.FilePath == originalPath);
-            var isSource = trees.Any();
-
-            trapFile.files(this, TransformedPath.Value, TransformedPath.NameWithoutExtension, TransformedPath.Extension, isSource ? FileSourceKind.FromSource : FileSourceKind.Unknown);
+            trapFile.files(this, TransformedPath.Value, TransformedPath.NameWithoutExtension, TransformedPath.Extension);
 
             if (TransformedPath.ParentDirectory is PathTransformer.ITransformedPath dir)
                 trapFile.containerparent(Extraction.Entities.Folder.Create(Context, dir), this);
 
-            if (isSource)
+            var trees = Context.Compilation.SyntaxTrees.Where(t => t.FilePath == originalPath);
+
+            if (trees.Any())
             {
                 foreach (var text in trees.Select(tree => tree.GetText()))
                 {
diff --git a/csharp/extractor/Semmle.Extraction/Entities/GeneratedFile.cs b/csharp/extractor/Semmle.Extraction/Entities/GeneratedFile.cs
index d6fc07c4fa3..db458e574a5 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/GeneratedFile.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/GeneratedFile.cs
@@ -10,7 +10,7 @@ namespace Semmle.Extraction.Entities
 
         public override void Populate(TextWriter trapFile)
         {
-            trapFile.files(this, "", "", "", FileSourceKind.Unknown);
+            trapFile.files(this, "", "", "");
         }
 
         public override void WriteId(TextWriter trapFile)
diff --git a/csharp/extractor/Semmle.Extraction/FileSourceKind.cs b/csharp/extractor/Semmle.Extraction/FileSourceKind.cs
deleted file mode 100644
index 1edce1943b3..00000000000
--- a/csharp/extractor/Semmle.Extraction/FileSourceKind.cs
+++ /dev/null
@@ -1,9 +0,0 @@
-namespace Semmle.Extraction
-{
-    public enum FileSourceKind
-    {
-        Unknown = 0,
-        FromSource = 1,
-        FromLibrary = 2
-    }
-}
diff --git a/csharp/extractor/Semmle.Extraction/Tuples.cs b/csharp/extractor/Semmle.Extraction/Tuples.cs
index 6d40a204947..49c14df7643 100644
--- a/csharp/extractor/Semmle.Extraction/Tuples.cs
+++ b/csharp/extractor/Semmle.Extraction/Tuples.cs
@@ -18,9 +18,9 @@ namespace Semmle.Extraction
             trapFile.WriteTuple("extractor_messages", error, (int)severity, origin, errorMessage, entityText, location, stackTrace);
         }
 
-        public static void files(this System.IO.TextWriter trapFile, File file, string fullName, string name, string extension, FileSourceKind kind)
+        public static void files(this System.IO.TextWriter trapFile, File file, string fullName, string name, string extension)
         {
-            trapFile.WriteTuple("files", file, fullName, name, extension, (int)kind);
+            trapFile.WriteTuple("files", file, fullName, name, extension, 0);
         }
 
         internal static void folders(this System.IO.TextWriter trapFile, Folder folder, string path, string name)
diff --git a/csharp/ql/src/semmle/code/csharp/File.qll b/csharp/ql/src/semmle/code/csharp/File.qll
index 8ebc4aebe2b..86656af4124 100644
--- a/csharp/ql/src/semmle/code/csharp/File.qll
+++ b/csharp/ql/src/semmle/code/csharp/File.qll
@@ -192,7 +192,7 @@ class File extends Container, @file {
   override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" }
 
   /** Holds if this file contains source code. */
-  predicate fromSource() { files(this, _, _, _, 1) }
+  predicate fromSource() { this.getNumberOfLinesOfCode() > 0 }
 
   /** Holds if this file is a library. */
   predicate fromLibrary() {

From ed42c878b057d4f9cfc44b43d56b2ba64cd90068 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 22 Apr 2021 14:17:16 +0200
Subject: [PATCH 0597/1429] Adjust 'fromSource' to hold only on '.cs' files

---
 csharp/ql/src/semmle/code/csharp/File.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/csharp/ql/src/semmle/code/csharp/File.qll b/csharp/ql/src/semmle/code/csharp/File.qll
index 86656af4124..d8b23bb61f4 100644
--- a/csharp/ql/src/semmle/code/csharp/File.qll
+++ b/csharp/ql/src/semmle/code/csharp/File.qll
@@ -192,7 +192,7 @@ class File extends Container, @file {
   override string getURL() { result = "file://" + this.getAbsolutePath() + ":0:0:0:0" }
 
   /** Holds if this file contains source code. */
-  predicate fromSource() { this.getNumberOfLinesOfCode() > 0 }
+  predicate fromSource() { files(this, _, _, "cs", _) }
 
   /** Holds if this file is a library. */
   predicate fromLibrary() {

From cf64701bcb1c33b37b695bc584c5b481d30f2884 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Sat, 27 Feb 2021 10:52:33 +0100
Subject: [PATCH 0598/1429] Python: Move weak-crypto-algorithm tests to own
 folder

---
 .../BrokenCryptoAlgorithm.expected                               | 0
 .../BrokenCryptoAlgorithm.qlref                                  | 0
 .../{CWE-327 => CWE-327-BrokenCryptoAlgorithm}/TestNode.expected | 0
 .../{CWE-327 => CWE-327-BrokenCryptoAlgorithm}/TestNode.ql       | 0
 .../query-tests/Security/CWE-327-BrokenCryptoAlgorithm/options   | 1 +
 .../test_cryptography.py                                         | 0
 .../{CWE-327 => CWE-327-BrokenCryptoAlgorithm}/test_pycrypto.py  | 0
 7 files changed, 1 insertion(+)
 rename python/ql/test/query-tests/Security/{CWE-327 => CWE-327-BrokenCryptoAlgorithm}/BrokenCryptoAlgorithm.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-327 => CWE-327-BrokenCryptoAlgorithm}/BrokenCryptoAlgorithm.qlref (100%)
 rename python/ql/test/query-tests/Security/{CWE-327 => CWE-327-BrokenCryptoAlgorithm}/TestNode.expected (100%)
 rename python/ql/test/query-tests/Security/{CWE-327 => CWE-327-BrokenCryptoAlgorithm}/TestNode.ql (100%)
 create mode 100644 python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/options
 rename python/ql/test/query-tests/Security/{CWE-327 => CWE-327-BrokenCryptoAlgorithm}/test_cryptography.py (100%)
 rename python/ql/test/query-tests/Security/{CWE-327 => CWE-327-BrokenCryptoAlgorithm}/test_pycrypto.py (100%)

diff --git a/python/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.expected b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.expected
rename to python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.expected
diff --git a/python/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.qlref b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.qlref
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.qlref
rename to python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.qlref
diff --git a/python/ql/test/query-tests/Security/CWE-327/TestNode.expected b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/TestNode.expected
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-327/TestNode.expected
rename to python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/TestNode.expected
diff --git a/python/ql/test/query-tests/Security/CWE-327/TestNode.ql b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/TestNode.ql
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-327/TestNode.ql
rename to python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/TestNode.ql
diff --git a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/options b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/options
new file mode 100644
index 00000000000..492768b3481
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/options
@@ -0,0 +1 @@
+semmle-extractor-options: -p ../lib/ --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/CWE-327/test_cryptography.py b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptography.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-327/test_cryptography.py
rename to python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptography.py
diff --git a/python/ql/test/query-tests/Security/CWE-327/test_pycrypto.py b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_pycrypto.py
similarity index 100%
rename from python/ql/test/query-tests/Security/CWE-327/test_pycrypto.py
rename to python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_pycrypto.py

From d18fbb7f07ee18a2cb46d91db0d62cca0fd2e207 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Sat, 27 Feb 2021 17:55:58 +0100
Subject: [PATCH 0599/1429] Python: Add working tests of AES and RC4

---
 .../frameworks/cryptodome/test_aes.py         | 36 +++++++++++++++++
 .../frameworks/cryptodome/test_rc4.py         | 30 ++++++++++++++
 .../frameworks/cryptography/test_aes.py       | 40 +++++++++++++++++++
 .../frameworks/cryptography/test_rc4.py       | 32 +++++++++++++++
 4 files changed, 138 insertions(+)
 create mode 100644 python/ql/test/experimental/library-tests/frameworks/cryptodome/test_aes.py
 create mode 100644 python/ql/test/experimental/library-tests/frameworks/cryptodome/test_rc4.py
 create mode 100644 python/ql/test/experimental/library-tests/frameworks/cryptography/test_aes.py
 create mode 100644 python/ql/test/experimental/library-tests/frameworks/cryptography/test_rc4.py

diff --git a/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_aes.py b/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_aes.py
new file mode 100644
index 00000000000..971fdadd327
--- /dev/null
+++ b/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_aes.py
@@ -0,0 +1,36 @@
+# https://pycryptodome.readthedocs.io/en/latest/src/cipher/aes.html
+from Cryptodome.Cipher import AES
+
+import os
+
+key = os.urandom(256//8)
+iv = os.urandom(16)
+
+# ------------------------------------------------------------------------------
+# encrypt/decrypt
+# ------------------------------------------------------------------------------
+
+
+print("encrypt/decrypt")
+
+secret_message = b"secret message"
+
+padding_len = 16 - (len(secret_message) % 16)
+padding = b"\0"*padding_len
+
+cipher = AES.new(key, AES.MODE_CBC, iv=iv)
+# using separate .encrypt calls on individual lines does not work
+whole_plantext = secret_message + padding
+encrypted = cipher.encrypt(whole_plantext)
+
+print("encrypted={}".format(encrypted))
+
+print()
+
+cipher = AES.new(key, AES.MODE_CBC, iv=iv)
+decrypted = cipher.decrypt(encrypted)
+
+decrypted = decrypted[:-padding_len]
+
+print("decrypted={}".format(decrypted))
+assert decrypted == secret_message
diff --git a/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_rc4.py b/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_rc4.py
new file mode 100644
index 00000000000..a336dca6a49
--- /dev/null
+++ b/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_rc4.py
@@ -0,0 +1,30 @@
+# https://pycryptodome.readthedocs.io/en/latest/src/cipher/arc4.html
+from Cryptodome.Cipher import ARC4
+
+import os
+
+key = os.urandom(256//8)
+
+
+# ------------------------------------------------------------------------------
+# encrypt/decrypt
+# ------------------------------------------------------------------------------
+
+
+
+print("encrypt/decrypt")
+
+secret_message = b"secret message"
+
+cipher = ARC4.new(key)
+encrypted = cipher.encrypt(secret_message)
+
+print("encrypted={}".format(encrypted))
+
+print()
+
+cipher = ARC4.new(key)
+decrypted = cipher.decrypt(encrypted)
+
+print("decrypted={}".format(decrypted))
+assert decrypted == secret_message
diff --git a/python/ql/test/experimental/library-tests/frameworks/cryptography/test_aes.py b/python/ql/test/experimental/library-tests/frameworks/cryptography/test_aes.py
new file mode 100644
index 00000000000..7bd7040d0b4
--- /dev/null
+++ b/python/ql/test/experimental/library-tests/frameworks/cryptography/test_aes.py
@@ -0,0 +1,40 @@
+from cryptography.hazmat.primitives.ciphers import algorithms, Cipher, modes
+import os
+
+key = os.urandom(256//8)
+iv = os.urandom(16)
+
+algorithm = algorithms.AES(key)
+cipher = Cipher(algorithm, mode=modes.CBC(iv))
+
+# ------------------------------------------------------------------------------
+# encrypt/decrypt
+# ------------------------------------------------------------------------------
+
+# following https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.Cipher
+
+print("encrypt/decrypt")
+
+secret_message = b"secret message"
+
+padding_len = 16 - (len(secret_message) % 16)
+padding = b"\0"*padding_len
+
+encryptor = cipher.encryptor()
+print(padding_len)
+encrypted = encryptor.update(secret_message)
+encrypted += encryptor.update(padding)
+encrypted += encryptor.finalize()
+
+print("encrypted={}".format(encrypted))
+
+print()
+
+decryptor = cipher.decryptor()
+decrypted = decryptor.update(encrypted)
+decrypted += decryptor.finalize()
+
+decrypted = decrypted[:-padding_len]
+
+print("decrypted={}".format(decrypted))
+assert decrypted == secret_message
diff --git a/python/ql/test/experimental/library-tests/frameworks/cryptography/test_rc4.py b/python/ql/test/experimental/library-tests/frameworks/cryptography/test_rc4.py
new file mode 100644
index 00000000000..0d3fbcc320c
--- /dev/null
+++ b/python/ql/test/experimental/library-tests/frameworks/cryptography/test_rc4.py
@@ -0,0 +1,32 @@
+from cryptography.hazmat.primitives.ciphers import algorithms, Cipher
+import os
+
+key = os.urandom(256//8)
+
+algorithm = algorithms.ARC4(key)
+cipher = Cipher(algorithm, mode=None)
+
+# ------------------------------------------------------------------------------
+# encrypt/decrypt
+# ------------------------------------------------------------------------------
+
+# following https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption.html#cryptography.hazmat.primitives.ciphers.algorithms.ARC4
+
+print("encrypt/decrypt")
+
+secret_message = b"secret message"
+
+encryptor = cipher.encryptor()
+encrypted = encryptor.update(secret_message)
+encrypted += encryptor.finalize()
+
+print("encrypted={}".format(encrypted))
+
+print()
+
+decryptor = cipher.decryptor()
+decrypted = decryptor.update(encrypted)
+decrypted += decryptor.finalize()
+
+print("decrypted={}".format(decrypted))
+assert decrypted == secret_message

From 65c8d9605e94e6c09b476d749e8cdd62af1c6e15 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Sat, 27 Feb 2021 18:29:53 +0100
Subject: [PATCH 0600/1429] Python: Add CryptographicOperation Concept

I considered using `getInput` like in JS, but things like signature verification
has multiple inputs (message and signature).

Using getAnInput also aligns better with Decoding/Encoding.
---
 python/ql/src/semmle/python/Concepts.qll      | 48 ++++++++++++++++++-
 .../test/experimental/meta/ConceptsTest.qll   | 30 ++++++++++++
 2 files changed, 77 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/Concepts.qll b/python/ql/src/semmle/python/Concepts.qll
index 4be00ba5bf9..50024f108c0 100644
--- a/python/ql/src/semmle/python/Concepts.qll
+++ b/python/ql/src/semmle/python/Concepts.qll
@@ -527,7 +527,14 @@ module HTTP {
   }
 }
 
-/** Provides models for cryptographic things. */
+/**
+ * Provides models for cryptographic things.
+ *
+ * Note: The `CryptographicAlgorithm` class currently doesn't take weak keys into
+ * consideration for the `isWeak` member predicate. So RSA is always considered
+ * secure, although using a low number of bits will actually make it insecure. We plan
+ * to improve our libraries in the future to more precisely capture this aspect.
+ */
 module Cryptography {
   /** Provides models for public-key cryptography, also called asymmetric cryptography. */
   module PublicKey {
@@ -626,4 +633,43 @@ module Cryptography {
       }
     }
   }
+
+  import semmle.crypto.Crypto
+
+  /**
+   * A data-flow node that is an application of a cryptographic algorithm. For example,
+   * encryption, decryption, signature-validation.
+   *
+   * Extend this class to refine existing API models. If you want to model new APIs,
+   * extend `CryptographicOperation::Range` instead.
+   */
+  class CryptographicOperation extends DataFlow::Node {
+    CryptographicOperation::Range range;
+
+    CryptographicOperation() { this = range }
+
+    /** Gets the algorithm used, if it matches a known `CryptographicAlgorithm`. */
+    CryptographicAlgorithm getAlgorithm() { result = range.getAlgorithm() }
+
+    /** Gets an input the algorithm is used on, for example the plain text input to be encrypted. */
+    DataFlow::Node getAnInput() { result = range.getAnInput() }
+  }
+
+  /** Provides classes for modeling new applications of a cryptographic algorithms. */
+  module CryptographicOperation {
+    /**
+     * A data-flow node that is an application of a cryptographic algorithm. For example,
+     * encryption, decryption, signature-validation.
+     *
+     * Extend this class to model new APIs. If you want to refine existing API models,
+     * extend `CryptographicOperation` instead.
+     */
+    abstract class Range extends DataFlow::Node {
+      /** Gets the algorithm used, if it matches a known `CryptographicAlgorithm`. */
+      abstract CryptographicAlgorithm getAlgorithm();
+
+      /** Gets an input the algorithm is used on, for example the plain text input to be encrypted. */
+      abstract DataFlow::Node getAnInput();
+    }
+  }
 }
diff --git a/python/ql/test/experimental/meta/ConceptsTest.qll b/python/ql/test/experimental/meta/ConceptsTest.qll
index 3800a4cd273..331ccd72c0a 100644
--- a/python/ql/test/experimental/meta/ConceptsTest.qll
+++ b/python/ql/test/experimental/meta/ConceptsTest.qll
@@ -341,3 +341,33 @@ class PublicKeyGenerationTest extends InlineExpectationsTest {
     )
   }
 }
+
+class CryptographicOperationTest extends InlineExpectationsTest {
+  CryptographicOperationTest() { this = "CryptographicOperationTest" }
+
+  override string getARelevantTag() {
+    result in [
+        "CryptographicOperation", "CryptographicOperationInput", "CryptographicOperationAlgorithm"
+      ]
+  }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(Cryptography::CryptographicOperation cryptoOperation |
+      location = cryptoOperation.getLocation() and
+      (
+        element = cryptoOperation.toString() and
+        value = "" and
+        tag = "CryptographicOperation"
+        or
+        element = cryptoOperation.toString() and
+        value = value_from_expr(cryptoOperation.getAnInput().asExpr()) and
+        tag = "CryptographicOperationInput"
+        or
+        element = cryptoOperation.toString() and
+        value = cryptoOperation.getAlgorithm().getName() and
+        tag = "CryptographicOperationAlgorithm"
+      )
+    )
+  }
+}

From a8de2aba3bb0d728eefb9b266f201319e957dfd5 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 15 Apr 2021 13:33:04 +0200
Subject: [PATCH 0601/1429] Python: Move CryptoAlgorithms implementation

---
 config/identical-files.json                   |   4 +-
 python/ql/src/semmle/crypto/Crypto.qll        | 175 +-----------------
 python/ql/src/semmle/python/Concepts.qll      |   2 +-
 .../python/concepts/CryptoAlgorithms.qll      | 174 +++++++++++++++++
 4 files changed, 179 insertions(+), 176 deletions(-)
 create mode 100644 python/ql/src/semmle/python/concepts/CryptoAlgorithms.qll

diff --git a/config/identical-files.json b/config/identical-files.json
index 3916e95a0cf..5576404f616 100644
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -438,6 +438,6 @@
   ],
   "CryptoAlgorithms Python/JS": [
     "javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
-    "python/ql/src/semmle/crypto/Crypto.qll"
+    "python/ql/src/semmle/python/concepts/CryptoAlgorithms.qll"
   ]
-}
\ No newline at end of file
+}
diff --git a/python/ql/src/semmle/crypto/Crypto.qll b/python/ql/src/semmle/crypto/Crypto.qll
index d9f25b42c9a..5e2bb97a0aa 100644
--- a/python/ql/src/semmle/crypto/Crypto.qll
+++ b/python/ql/src/semmle/crypto/Crypto.qll
@@ -1,174 +1,3 @@
-/**
- * Provides classes modeling cryptographic algorithms, separated into strong and weak variants.
- *
- * The classification into strong and weak are based on Wikipedia, OWASP and google (2017).
- */
+/** DEPRECATED: Use `semmle.python.concepts.CryptoAlgorithms` instead. */
 
-/**
- * Names of cryptographic algorithms, separated into strong and weak variants.
- *
- * The names are normalized: upper-case, no spaces, dashes or underscores.
- *
- * The names are inspired by the names used in real world crypto libraries.
- *
- * The classification into strong and weak are based on Wikipedia, OWASP and google (2017).
- */
-private module AlgorithmNames {
-  predicate isStrongHashingAlgorithm(string name) {
-    name = "DSA" or
-    name = "ED25519" or
-    name = "ES256" or
-    name = "ECDSA256" or
-    name = "ES384" or
-    name = "ECDSA384" or
-    name = "ES512" or
-    name = "ECDSA512" or
-    name = "SHA2" or
-    name = "SHA224" or
-    name = "SHA256" or
-    name = "SHA384" or
-    name = "SHA512" or
-    name = "SHA3"
-  }
-
-  predicate isWeakHashingAlgorithm(string name) {
-    name = "HAVEL128" or
-    name = "MD2" or
-    name = "MD4" or
-    name = "MD5" or
-    name = "PANAMA" or
-    name = "RIPEMD" or
-    name = "RIPEMD128" or
-    name = "RIPEMD256" or
-    name = "RIPEMD160" or
-    name = "RIPEMD320" or
-    name = "SHA0" or
-    name = "SHA1"
-  }
-
-  predicate isStrongEncryptionAlgorithm(string name) {
-    name = "AES" or
-    name = "AES128" or
-    name = "AES192" or
-    name = "AES256" or
-    name = "AES512" or
-    name = "RSA" or
-    name = "RABBIT" or
-    name = "BLOWFISH"
-  }
-
-  predicate isWeakEncryptionAlgorithm(string name) {
-    name = "DES" or
-    name = "3DES" or
-    name = "TRIPLEDES" or
-    name = "TDEA" or
-    name = "TRIPLEDEA" or
-    name = "ARC2" or
-    name = "RC2" or
-    name = "ARC4" or
-    name = "RC4" or
-    name = "ARCFOUR" or
-    name = "ARC5" or
-    name = "RC5"
-  }
-
-  predicate isStrongPasswordHashingAlgorithm(string name) {
-    name = "ARGON2" or
-    name = "PBKDF2" or
-    name = "BCRYPT" or
-    name = "SCRYPT"
-  }
-
-  predicate isWeakPasswordHashingAlgorithm(string name) { none() }
-}
-
-private import AlgorithmNames
-
-/**
- * A cryptographic algorithm.
- */
-private newtype TCryptographicAlgorithm =
-  MkHashingAlgorithm(string name, boolean isWeak) {
-    isStrongHashingAlgorithm(name) and isWeak = false
-    or
-    isWeakHashingAlgorithm(name) and isWeak = true
-  } or
-  MkEncryptionAlgorithm(string name, boolean isWeak) {
-    isStrongEncryptionAlgorithm(name) and isWeak = false
-    or
-    isWeakEncryptionAlgorithm(name) and isWeak = true
-  } or
-  MkPasswordHashingAlgorithm(string name, boolean isWeak) {
-    isStrongPasswordHashingAlgorithm(name) and isWeak = false
-    or
-    isWeakPasswordHashingAlgorithm(name) and isWeak = true
-  }
-
-/**
- * A cryptographic algorithm.
- */
-abstract class CryptographicAlgorithm extends TCryptographicAlgorithm {
-  /** Gets a textual representation of this element. */
-  string toString() { result = getName() }
-
-  /**
-   * Gets the normalized name of this algorithm (upper-case, no spaces, dashes or underscores).
-   */
-  abstract string getName();
-
-  /**
-   * Holds if the name of this algorithm matches `name` modulo case,
-   * white space, dashes, and underscores.
-   */
-  bindingset[name]
-  predicate matchesName(string name) {
-    name.toUpperCase().regexpReplaceAll("[-_ ]", "") = getName()
-  }
-
-  /**
-   * Holds if this algorithm is weak.
-   */
-  abstract predicate isWeak();
-}
-
-/**
- * A hashing algorithm such as `MD5` or `SHA512`.
- */
-class HashingAlgorithm extends MkHashingAlgorithm, CryptographicAlgorithm {
-  string name;
-  boolean isWeak;
-
-  HashingAlgorithm() { this = MkHashingAlgorithm(name, isWeak) }
-
-  override string getName() { result = name }
-
-  override predicate isWeak() { isWeak = true }
-}
-
-/**
- * An encryption algorithm such as `DES` or `AES512`.
- */
-class EncryptionAlgorithm extends MkEncryptionAlgorithm, CryptographicAlgorithm {
-  string name;
-  boolean isWeak;
-
-  EncryptionAlgorithm() { this = MkEncryptionAlgorithm(name, isWeak) }
-
-  override string getName() { result = name }
-
-  override predicate isWeak() { isWeak = true }
-}
-
-/**
- * A password hashing algorithm such as `PBKDF2` or `SCRYPT`.
- */
-class PasswordHashingAlgorithm extends MkPasswordHashingAlgorithm, CryptographicAlgorithm {
-  string name;
-  boolean isWeak;
-
-  PasswordHashingAlgorithm() { this = MkPasswordHashingAlgorithm(name, isWeak) }
-
-  override string getName() { result = name }
-
-  override predicate isWeak() { isWeak = true }
-}
+import semmle.python.concepts.CryptoAlgorithms
diff --git a/python/ql/src/semmle/python/Concepts.qll b/python/ql/src/semmle/python/Concepts.qll
index 50024f108c0..a1edb67dc52 100644
--- a/python/ql/src/semmle/python/Concepts.qll
+++ b/python/ql/src/semmle/python/Concepts.qll
@@ -634,7 +634,7 @@ module Cryptography {
     }
   }
 
-  import semmle.crypto.Crypto
+  import semmle.python.concepts.CryptoAlgorithms
 
   /**
    * A data-flow node that is an application of a cryptographic algorithm. For example,
diff --git a/python/ql/src/semmle/python/concepts/CryptoAlgorithms.qll b/python/ql/src/semmle/python/concepts/CryptoAlgorithms.qll
new file mode 100644
index 00000000000..d9f25b42c9a
--- /dev/null
+++ b/python/ql/src/semmle/python/concepts/CryptoAlgorithms.qll
@@ -0,0 +1,174 @@
+/**
+ * Provides classes modeling cryptographic algorithms, separated into strong and weak variants.
+ *
+ * The classification into strong and weak are based on Wikipedia, OWASP and google (2017).
+ */
+
+/**
+ * Names of cryptographic algorithms, separated into strong and weak variants.
+ *
+ * The names are normalized: upper-case, no spaces, dashes or underscores.
+ *
+ * The names are inspired by the names used in real world crypto libraries.
+ *
+ * The classification into strong and weak are based on Wikipedia, OWASP and google (2017).
+ */
+private module AlgorithmNames {
+  predicate isStrongHashingAlgorithm(string name) {
+    name = "DSA" or
+    name = "ED25519" or
+    name = "ES256" or
+    name = "ECDSA256" or
+    name = "ES384" or
+    name = "ECDSA384" or
+    name = "ES512" or
+    name = "ECDSA512" or
+    name = "SHA2" or
+    name = "SHA224" or
+    name = "SHA256" or
+    name = "SHA384" or
+    name = "SHA512" or
+    name = "SHA3"
+  }
+
+  predicate isWeakHashingAlgorithm(string name) {
+    name = "HAVEL128" or
+    name = "MD2" or
+    name = "MD4" or
+    name = "MD5" or
+    name = "PANAMA" or
+    name = "RIPEMD" or
+    name = "RIPEMD128" or
+    name = "RIPEMD256" or
+    name = "RIPEMD160" or
+    name = "RIPEMD320" or
+    name = "SHA0" or
+    name = "SHA1"
+  }
+
+  predicate isStrongEncryptionAlgorithm(string name) {
+    name = "AES" or
+    name = "AES128" or
+    name = "AES192" or
+    name = "AES256" or
+    name = "AES512" or
+    name = "RSA" or
+    name = "RABBIT" or
+    name = "BLOWFISH"
+  }
+
+  predicate isWeakEncryptionAlgorithm(string name) {
+    name = "DES" or
+    name = "3DES" or
+    name = "TRIPLEDES" or
+    name = "TDEA" or
+    name = "TRIPLEDEA" or
+    name = "ARC2" or
+    name = "RC2" or
+    name = "ARC4" or
+    name = "RC4" or
+    name = "ARCFOUR" or
+    name = "ARC5" or
+    name = "RC5"
+  }
+
+  predicate isStrongPasswordHashingAlgorithm(string name) {
+    name = "ARGON2" or
+    name = "PBKDF2" or
+    name = "BCRYPT" or
+    name = "SCRYPT"
+  }
+
+  predicate isWeakPasswordHashingAlgorithm(string name) { none() }
+}
+
+private import AlgorithmNames
+
+/**
+ * A cryptographic algorithm.
+ */
+private newtype TCryptographicAlgorithm =
+  MkHashingAlgorithm(string name, boolean isWeak) {
+    isStrongHashingAlgorithm(name) and isWeak = false
+    or
+    isWeakHashingAlgorithm(name) and isWeak = true
+  } or
+  MkEncryptionAlgorithm(string name, boolean isWeak) {
+    isStrongEncryptionAlgorithm(name) and isWeak = false
+    or
+    isWeakEncryptionAlgorithm(name) and isWeak = true
+  } or
+  MkPasswordHashingAlgorithm(string name, boolean isWeak) {
+    isStrongPasswordHashingAlgorithm(name) and isWeak = false
+    or
+    isWeakPasswordHashingAlgorithm(name) and isWeak = true
+  }
+
+/**
+ * A cryptographic algorithm.
+ */
+abstract class CryptographicAlgorithm extends TCryptographicAlgorithm {
+  /** Gets a textual representation of this element. */
+  string toString() { result = getName() }
+
+  /**
+   * Gets the normalized name of this algorithm (upper-case, no spaces, dashes or underscores).
+   */
+  abstract string getName();
+
+  /**
+   * Holds if the name of this algorithm matches `name` modulo case,
+   * white space, dashes, and underscores.
+   */
+  bindingset[name]
+  predicate matchesName(string name) {
+    name.toUpperCase().regexpReplaceAll("[-_ ]", "") = getName()
+  }
+
+  /**
+   * Holds if this algorithm is weak.
+   */
+  abstract predicate isWeak();
+}
+
+/**
+ * A hashing algorithm such as `MD5` or `SHA512`.
+ */
+class HashingAlgorithm extends MkHashingAlgorithm, CryptographicAlgorithm {
+  string name;
+  boolean isWeak;
+
+  HashingAlgorithm() { this = MkHashingAlgorithm(name, isWeak) }
+
+  override string getName() { result = name }
+
+  override predicate isWeak() { isWeak = true }
+}
+
+/**
+ * An encryption algorithm such as `DES` or `AES512`.
+ */
+class EncryptionAlgorithm extends MkEncryptionAlgorithm, CryptographicAlgorithm {
+  string name;
+  boolean isWeak;
+
+  EncryptionAlgorithm() { this = MkEncryptionAlgorithm(name, isWeak) }
+
+  override string getName() { result = name }
+
+  override predicate isWeak() { isWeak = true }
+}
+
+/**
+ * A password hashing algorithm such as `PBKDF2` or `SCRYPT`.
+ */
+class PasswordHashingAlgorithm extends MkPasswordHashingAlgorithm, CryptographicAlgorithm {
+  string name;
+  boolean isWeak;
+
+  PasswordHashingAlgorithm() { this = MkPasswordHashingAlgorithm(name, isWeak) }
+
+  override string getName() { result = name }
+
+  override predicate isWeak() { isWeak = true }
+}

From 2c0df8e6562f0621128005b8bb766bcdce5d0ed6 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 1 Mar 2021 09:29:14 +0100
Subject: [PATCH 0602/1429] Python: Add MD5 tests

---
 .../frameworks/cryptodome/test_md5.py         | 10 +++++++++
 .../frameworks/cryptography/test_md5.py       | 10 +++++++++
 .../frameworks/stdlib/test_md5.py             | 21 +++++++++++++++++++
 3 files changed, 41 insertions(+)
 create mode 100644 python/ql/test/experimental/library-tests/frameworks/cryptodome/test_md5.py
 create mode 100644 python/ql/test/experimental/library-tests/frameworks/cryptography/test_md5.py
 create mode 100644 python/ql/test/experimental/library-tests/frameworks/stdlib/test_md5.py

diff --git a/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_md5.py b/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_md5.py
new file mode 100644
index 00000000000..91aed63f393
--- /dev/null
+++ b/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_md5.py
@@ -0,0 +1,10 @@
+from Cryptodome.Hash import MD5
+
+hasher = MD5.new(b"secret message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
+print(hasher.hexdigest())
+
+
+hasher = MD5.new() # $ MISSING: CryptographicOperation CryptographicOperationAlgorithm=MD5
+hasher.update(b"secret") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret" CryptographicOperationAlgorithm=MD5
+hasher.update(b" message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b" message" CryptographicOperationAlgorithm=MD5
+print(hasher.hexdigest())
diff --git a/python/ql/test/experimental/library-tests/frameworks/cryptography/test_md5.py b/python/ql/test/experimental/library-tests/frameworks/cryptography/test_md5.py
new file mode 100644
index 00000000000..ff997a49ae2
--- /dev/null
+++ b/python/ql/test/experimental/library-tests/frameworks/cryptography/test_md5.py
@@ -0,0 +1,10 @@
+from cryptography.hazmat.primitives import hashes
+
+from binascii import hexlify
+
+
+hasher = hashes.Hash(hashes.MD5())
+hasher.update(b"secret message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
+
+digest = hasher.finalize()
+print(hexlify(digest).decode('utf-8'))
diff --git a/python/ql/test/experimental/library-tests/frameworks/stdlib/test_md5.py b/python/ql/test/experimental/library-tests/frameworks/stdlib/test_md5.py
new file mode 100644
index 00000000000..e8d78961308
--- /dev/null
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/test_md5.py
@@ -0,0 +1,21 @@
+import hashlib
+
+
+hasher = hashlib.md5(b"secret message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
+print(hasher.hexdigest())
+
+
+hasher = hashlib.md5()
+hasher.update(b"secret") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret" CryptographicOperationAlgorithm=MD5
+hasher.update(b" message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b" message" CryptographicOperationAlgorithm=MD5
+print(hasher.hexdigest())
+
+
+hasher = hashlib.new('md5', b"secret message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
+print(hasher.hexdigest())
+
+
+hasher = hashlib.new('md5')
+hasher.update(b"secret") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret" CryptographicOperationAlgorithm=MD5
+hasher.update(b" message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b" message" CryptographicOperationAlgorithm=MD5
+print(hasher.hexdigest())

From 1b2ed9d99a3e4b0dd194e7bde57df6a6a783c237 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 1 Mar 2021 10:21:09 +0100
Subject: [PATCH 0603/1429] Python: Align cryptodome tests

---
 .../library-tests/frameworks/crypto/README.md | 13 +++++++
 .../frameworks/crypto/test_aes.py             | 36 +++++++++++++++++++
 .../frameworks/crypto/test_md5.py             | 10 ++++++
 .../frameworks/crypto/test_rc4.py             | 30 ++++++++++++++++
 .../frameworks/crypto/test_rsa.py             |  2 +-
 5 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 python/ql/test/experimental/library-tests/frameworks/crypto/README.md
 create mode 100644 python/ql/test/experimental/library-tests/frameworks/crypto/test_aes.py
 create mode 100644 python/ql/test/experimental/library-tests/frameworks/crypto/test_md5.py
 create mode 100644 python/ql/test/experimental/library-tests/frameworks/crypto/test_rc4.py

diff --git a/python/ql/test/experimental/library-tests/frameworks/crypto/README.md b/python/ql/test/experimental/library-tests/frameworks/crypto/README.md
new file mode 100644
index 00000000000..d3f680504be
--- /dev/null
+++ b/python/ql/test/experimental/library-tests/frameworks/crypto/README.md
@@ -0,0 +1,13 @@
+These tests are a copy of the tests in [../cryptodome](../cryptodome) with `Cryptodome` replaced by `Crypto`.
+
+You can run the following command to update the tests:
+
+```sh
+rm *.py && cp ../cryptodome/*.py . && sed -i -e 's/Cryptodome/Crypto/' *.py
+```
+
+The original [`pycrypto` PyPI package](https://pypi.org/project/pycrypto/) that provided the `Crypto` Python package has not been updated since 2013, so it is reasonable to assume that people will use the replacement [`pycryptodome` PyPI package](https://pypi.org/project/pycryptodome/) that has a (mostly) compatible API.
+
+The pycryptodome functionality is also available in the [`pycryptodomex` PyPI package](https://pypi.org/project/pycryptodomex/) which provides the `Cryptodome` Python package.
+
+To ensure our modeling actually covers _both_ ways of importing the same functionality, we have this convoluted test setup.
diff --git a/python/ql/test/experimental/library-tests/frameworks/crypto/test_aes.py b/python/ql/test/experimental/library-tests/frameworks/crypto/test_aes.py
new file mode 100644
index 00000000000..e22a4c6634f
--- /dev/null
+++ b/python/ql/test/experimental/library-tests/frameworks/crypto/test_aes.py
@@ -0,0 +1,36 @@
+# https://pycryptodome.readthedocs.io/en/latest/src/cipher/aes.html
+from Crypto.Cipher import AES
+
+import os
+
+key = os.urandom(256//8)
+iv = os.urandom(16)
+
+# ------------------------------------------------------------------------------
+# encrypt/decrypt
+# ------------------------------------------------------------------------------
+
+
+print("encrypt/decrypt")
+
+secret_message = b"secret message"
+
+padding_len = 16 - (len(secret_message) % 16)
+padding = b"\0"*padding_len
+
+cipher = AES.new(key, AES.MODE_CBC, iv=iv)
+# using separate .encrypt calls on individual lines does not work
+whole_plantext = secret_message + padding
+encrypted = cipher.encrypt(whole_plantext)
+
+print("encrypted={}".format(encrypted))
+
+print()
+
+cipher = AES.new(key, AES.MODE_CBC, iv=iv)
+decrypted = cipher.decrypt(encrypted)
+
+decrypted = decrypted[:-padding_len]
+
+print("decrypted={}".format(decrypted))
+assert decrypted == secret_message
diff --git a/python/ql/test/experimental/library-tests/frameworks/crypto/test_md5.py b/python/ql/test/experimental/library-tests/frameworks/crypto/test_md5.py
new file mode 100644
index 00000000000..c918094dd61
--- /dev/null
+++ b/python/ql/test/experimental/library-tests/frameworks/crypto/test_md5.py
@@ -0,0 +1,10 @@
+from Crypto.Hash import MD5
+
+hasher = MD5.new(b"secret message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
+print(hasher.hexdigest())
+
+
+hasher = MD5.new() # $ MISSING: CryptographicOperation CryptographicOperationAlgorithm=MD5
+hasher.update(b"secret") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret" CryptographicOperationAlgorithm=MD5
+hasher.update(b" message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b" message" CryptographicOperationAlgorithm=MD5
+print(hasher.hexdigest())
diff --git a/python/ql/test/experimental/library-tests/frameworks/crypto/test_rc4.py b/python/ql/test/experimental/library-tests/frameworks/crypto/test_rc4.py
new file mode 100644
index 00000000000..4ca870a7352
--- /dev/null
+++ b/python/ql/test/experimental/library-tests/frameworks/crypto/test_rc4.py
@@ -0,0 +1,30 @@
+# https://pycryptodome.readthedocs.io/en/latest/src/cipher/arc4.html
+from Crypto.Cipher import ARC4
+
+import os
+
+key = os.urandom(256//8)
+
+
+# ------------------------------------------------------------------------------
+# encrypt/decrypt
+# ------------------------------------------------------------------------------
+
+
+
+print("encrypt/decrypt")
+
+secret_message = b"secret message"
+
+cipher = ARC4.new(key)
+encrypted = cipher.encrypt(secret_message)
+
+print("encrypted={}".format(encrypted))
+
+print()
+
+cipher = ARC4.new(key)
+decrypted = cipher.decrypt(encrypted)
+
+print("decrypted={}".format(decrypted))
+assert decrypted == secret_message
diff --git a/python/ql/test/library-tests/frameworks/crypto/test_rsa.py b/python/ql/test/library-tests/frameworks/crypto/test_rsa.py
index 7d463e4f384..f27015f3812 100644
--- a/python/ql/test/library-tests/frameworks/crypto/test_rsa.py
+++ b/python/ql/test/library-tests/frameworks/crypto/test_rsa.py
@@ -58,8 +58,8 @@ print("signature={}".format(signature))
 
 print()
 
-
 verifier = pss.new(public_key)
+
 hasher = SHA256.new(message)
 verifier.verify(hasher, signature)
 print("Signature verified (as expected)")

From 23140dfb7634a909722ebd821005021618af9f2c Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 2 Mar 2021 09:52:41 +0100
Subject: [PATCH 0604/1429] Python: Add CryptographicOperation modeling for
 Cryptodome

---
 .../semmle/python/frameworks/Cryptodome.qll   | 112 +++++++++++++++++-
 .../frameworks/cryptodome/test_aes.py         |   4 +-
 .../frameworks/cryptodome/test_md5.py         |   8 +-
 .../frameworks/cryptodome/test_rc4.py         |   4 +-
 .../frameworks/cryptodome/test_dsa.py         |  12 +-
 .../frameworks/cryptodome/test_ec.py          |  12 +-
 .../frameworks/cryptodome/test_rsa.py         |  18 ++-
 7 files changed, 139 insertions(+), 31 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Cryptodome.qll b/python/ql/src/semmle/python/frameworks/Cryptodome.qll
index 19db03f2e8e..719deeb2d6b 100644
--- a/python/ql/src/semmle/python/frameworks/Cryptodome.qll
+++ b/python/ql/src/semmle/python/frameworks/Cryptodome.qll
@@ -17,7 +17,6 @@ private import semmle.python.ApiGraphs
  * See https://pycryptodome.readthedocs.io/en/latest/
  */
 private module CryptodomeModel {
-  // ---------------------------------------------------------------------------
   /**
    * A call to `Cryptodome.PublicKey.RSA.generate`/`Crypto.PublicKey.RSA.generate`
    *
@@ -101,4 +100,115 @@ private module CryptodomeModel {
     // Note: There is not really a key-size argument, since it's always specified by the curve.
     override DataFlow::Node getKeySizeArg() { none() }
   }
+
+  /**
+   * A cryptographic operation on an instance from the `Cipher` subpackage of `Cryptodome`/`Crypto`.
+   */
+  class CryptodomeGenericCipherOperation extends Cryptography::CryptographicOperation::Range,
+    DataFlow::CallCfgNode {
+    string methodName;
+    string cipherName;
+
+    CryptodomeGenericCipherOperation() {
+      methodName in [
+          "encrypt", "decrypt", "verify", "update", "hexverify", "encrypt_and_digest",
+          "decrypt_and_verify"
+        ] and
+      this =
+        API::moduleImport(["Crypto", "Cryptodome"])
+            .getMember(["Cipher"])
+            .getMember(cipherName)
+            .getMember("new")
+            .getReturn()
+            .getMember(methodName)
+            .getACall()
+    }
+
+    override Cryptography::CryptographicAlgorithm getAlgorithm() { result.matchesName(cipherName) }
+
+    override DataFlow::Node getAnInput() {
+      methodName = "encrypt" and
+      result in [this.getArg(0), this.getArgByName(["message", "plaintext"])]
+      or
+      methodName = "decrypt" and
+      result in [this.getArg(0), this.getArgByName("ciphertext")]
+      or
+      // for the following methods, method signatures can be found in
+      // https://pycryptodome.readthedocs.io/en/latest/src/cipher/modern.html
+      methodName in ["update"] and
+      result in [this.getArg(0), this.getArgByName("data")]
+      or
+      methodName in ["verify"] and
+      result in [this.getArg(0), this.getArgByName(["mac_tag", "received_mac_tag"])]
+      or
+      methodName in ["hexverify"] and
+      result in [this.getArg(0), this.getArgByName("mac_tag_hex")]
+      or
+      methodName in ["encrypt_and_digest"] and
+      result in [this.getArg(0), this.getArgByName("plaintext")]
+      or
+      methodName in ["decrypt_and_verify"] and
+      result in [this.getArg(0), this.getArgByName("ciphertext")]
+    }
+  }
+
+  /**
+   * A cryptographic operation on an instance from the `Signature` subpackage of `Cryptodome`/`Crypto`.
+   */
+  class CryptodomeGenericSignatureOperation extends Cryptography::CryptographicOperation::Range,
+    DataFlow::CallCfgNode {
+    string methodName;
+    string signatureName;
+
+    CryptodomeGenericSignatureOperation() {
+      methodName in ["sign", "verify"] and
+      this =
+        API::moduleImport(["Crypto", "Cryptodome"])
+            .getMember(["Signature"])
+            .getMember(signatureName)
+            .getMember("new")
+            .getReturn()
+            .getMember(methodName)
+            .getACall()
+    }
+
+    override Cryptography::CryptographicAlgorithm getAlgorithm() {
+      result.matchesName(signatureName)
+    }
+
+    override DataFlow::Node getAnInput() {
+      methodName = "sign" and
+      result in [this.getArg(0), this.getArgByName("msg_hash")] // Cryptodome.Hash instance
+      or
+      methodName in ["verify"] and
+      (
+        result in [this.getArg(0), this.getArgByName(["msg_hash"])] // Cryptodome.Hash instance
+        or
+        result in [this.getArg(1), this.getArgByName(["signature"])]
+      )
+    }
+  }
+
+  /**
+   * A cryptographic operation on an instance from the `Hash` subpackage of `Cryptodome`/`Crypto`.
+   */
+  class CryptodomeGenericHashOperation extends Cryptography::CryptographicOperation::Range,
+    DataFlow::CallCfgNode {
+    string hashName;
+
+    CryptodomeGenericHashOperation() {
+      exists(API::Node hashModule |
+        hashModule =
+          API::moduleImport(["Crypto", "Cryptodome"]).getMember(["Hash"]).getMember(hashName)
+      |
+        this = hashModule.getMember("new").getACall()
+        or
+        this = hashModule.getMember("new").getReturn().getMember("update").getACall()
+      )
+    }
+
+    override Cryptography::CryptographicAlgorithm getAlgorithm() { result.matchesName(hashName) }
+
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }
+  }
 }
diff --git a/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_aes.py b/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_aes.py
index 971fdadd327..9d233b6e33c 100644
--- a/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_aes.py
+++ b/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_aes.py
@@ -21,14 +21,14 @@ padding = b"\0"*padding_len
 cipher = AES.new(key, AES.MODE_CBC, iv=iv)
 # using separate .encrypt calls on individual lines does not work
 whole_plantext = secret_message + padding
-encrypted = cipher.encrypt(whole_plantext)
+encrypted = cipher.encrypt(whole_plantext) # $ CryptographicOperation CryptographicOperationAlgorithm=AES CryptographicOperationInput=whole_plantext
 
 print("encrypted={}".format(encrypted))
 
 print()
 
 cipher = AES.new(key, AES.MODE_CBC, iv=iv)
-decrypted = cipher.decrypt(encrypted)
+decrypted = cipher.decrypt(encrypted) # $ CryptographicOperation CryptographicOperationAlgorithm=AES CryptographicOperationInput=encrypted
 
 decrypted = decrypted[:-padding_len]
 
diff --git a/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_md5.py b/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_md5.py
index 91aed63f393..a1de2177e1b 100644
--- a/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_md5.py
+++ b/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_md5.py
@@ -1,10 +1,10 @@
 from Cryptodome.Hash import MD5
 
-hasher = MD5.new(b"secret message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
+hasher = MD5.new(b"secret message") # $ CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
 print(hasher.hexdigest())
 
 
-hasher = MD5.new() # $ MISSING: CryptographicOperation CryptographicOperationAlgorithm=MD5
-hasher.update(b"secret") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret" CryptographicOperationAlgorithm=MD5
-hasher.update(b" message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b" message" CryptographicOperationAlgorithm=MD5
+hasher = MD5.new() # $ CryptographicOperation CryptographicOperationAlgorithm=MD5
+hasher.update(b"secret") # $ CryptographicOperation CryptographicOperationInput=b"secret" CryptographicOperationAlgorithm=MD5
+hasher.update(b" message") # $ CryptographicOperation CryptographicOperationInput=b" message" CryptographicOperationAlgorithm=MD5
 print(hasher.hexdigest())
diff --git a/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_rc4.py b/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_rc4.py
index a336dca6a49..4b2a2aeed37 100644
--- a/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_rc4.py
+++ b/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_rc4.py
@@ -17,14 +17,14 @@ print("encrypt/decrypt")
 secret_message = b"secret message"
 
 cipher = ARC4.new(key)
-encrypted = cipher.encrypt(secret_message)
+encrypted = cipher.encrypt(secret_message) # $ CryptographicOperation CryptographicOperationAlgorithm=ARC4 CryptographicOperationInput=secret_message
 
 print("encrypted={}".format(encrypted))
 
 print()
 
 cipher = ARC4.new(key)
-decrypted = cipher.decrypt(encrypted)
+decrypted = cipher.decrypt(encrypted) # $ CryptographicOperation CryptographicOperationAlgorithm=ARC4 CryptographicOperationInput=encrypted
 
 print("decrypted={}".format(decrypted))
 assert decrypted == secret_message
diff --git a/python/ql/test/library-tests/frameworks/cryptodome/test_dsa.py b/python/ql/test/library-tests/frameworks/cryptodome/test_dsa.py
index a33cf8c0944..617457da148 100644
--- a/python/ql/test/library-tests/frameworks/cryptodome/test_dsa.py
+++ b/python/ql/test/library-tests/frameworks/cryptodome/test_dsa.py
@@ -20,8 +20,8 @@ message = b"message"
 
 signer = DSS.new(private_key, mode='fips-186-3')
 
-hasher = SHA256.new(message)
-signature = signer.sign(hasher)
+hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
+signature = signer.sign(hasher) # $ CryptographicOperation CryptographicOperationInput=hasher
 
 print("signature={}".format(signature))
 
@@ -29,13 +29,13 @@ print()
 
 verifier = DSS.new(public_key, mode='fips-186-3')
 
-hasher = SHA256.new(message)
-verifier.verify(hasher, signature)
+hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
+verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature
 print("Signature verified (as expected)")
 
 try:
-    hasher = SHA256.new(b"other message")
-    verifier.verify(hasher, signature)
+    hasher = SHA256.new(b"other message") # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=b"other message"
+    verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature
     raise Exception("Signature verified (unexpected)")
 except ValueError:
     print("Signature mismatch (as expected)")
diff --git a/python/ql/test/library-tests/frameworks/cryptodome/test_ec.py b/python/ql/test/library-tests/frameworks/cryptodome/test_ec.py
index d3860bbb3b3..99512b682ac 100644
--- a/python/ql/test/library-tests/frameworks/cryptodome/test_ec.py
+++ b/python/ql/test/library-tests/frameworks/cryptodome/test_ec.py
@@ -17,8 +17,8 @@ message = b"message"
 
 signer = DSS.new(private_key, mode='fips-186-3')
 
-hasher = SHA256.new(message)
-signature = signer.sign(hasher)
+hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
+signature = signer.sign(hasher) # $ CryptographicOperation CryptographicOperationInput=hasher
 
 print("signature={}".format(signature))
 
@@ -26,13 +26,13 @@ print()
 
 verifier = DSS.new(public_key, mode='fips-186-3')
 
-hasher = SHA256.new(message)
-verifier.verify(hasher, signature)
+hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
+verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature
 print("Signature verified (as expected)")
 
 try:
-    hasher = SHA256.new(b"other message")
-    verifier.verify(hasher, signature)
+    hasher = SHA256.new(b"other message") # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=b"other message"
+    verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature
     raise Exception("Signature verified (unexpected)")
 except ValueError:
     print("Signature mismatch (as expected)")
diff --git a/python/ql/test/library-tests/frameworks/cryptodome/test_rsa.py b/python/ql/test/library-tests/frameworks/cryptodome/test_rsa.py
index cee261e5ebe..57cdb32f055 100644
--- a/python/ql/test/library-tests/frameworks/cryptodome/test_rsa.py
+++ b/python/ql/test/library-tests/frameworks/cryptodome/test_rsa.py
@@ -23,7 +23,7 @@ secret_message = b"secret message"
 
 encrypt_cipher = PKCS1_OAEP.new(public_key)
 
-encrypted = encrypt_cipher.encrypt(secret_message)
+encrypted = encrypt_cipher.encrypt(secret_message) # $ CryptographicOperation CryptographicOperationInput=secret_message
 
 print("encrypted={}".format(encrypted))
 
@@ -31,9 +31,7 @@ print()
 
 decrypt_cipher = PKCS1_OAEP.new(private_key)
 
-decrypted = decrypt_cipher.decrypt(
-    encrypted,
-)
+decrypted = decrypt_cipher.decrypt(encrypted) # $ CryptographicOperation CryptographicOperationInput=encrypted
 
 print("decrypted={}".format(decrypted))
 assert decrypted == secret_message
@@ -51,8 +49,8 @@ message = b"message"
 
 signer = pss.new(private_key)
 
-hasher = SHA256.new(message)
-signature = signer.sign(hasher)
+hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
+signature = signer.sign(hasher) # $ CryptographicOperation CryptographicOperationInput=hasher
 
 print("signature={}".format(signature))
 
@@ -60,14 +58,14 @@ print()
 
 verifier = pss.new(public_key)
 
-hasher = SHA256.new(message)
-verifier.verify(hasher, signature)
+hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
+verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature
 print("Signature verified (as expected)")
 
 try:
     verifier = pss.new(public_key)
-    hasher = SHA256.new(b"other message")
-    verifier.verify(hasher, signature)
+    hasher = SHA256.new(b"other message") # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=b"other message"
+    verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature
     raise Exception("Signature verified (unexpected)")
 except ValueError:
     print("Signature mismatch (as expected)")

From f8254381f3335d6e794ddda40007137a30ce5886 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 2 Mar 2021 09:53:09 +0100
Subject: [PATCH 0605/1429] Python: Add MISSING:
 CryptographicOperationAlgorithm annotations

For RSA it's unclear what the algorithm name should even be. Signatures based on
RSA private keys with PSS scheme is ok, but with pkcs#1 v1.5 they are
weak/vulnerable. So clearly just putting RSA as the algorithm name is not enough
information...

and that problem is also why I wanted to do this commit separetely (to call
extra atten to this).
---
 .../library-tests/frameworks/cryptodome/test_dsa.py    |  6 +++---
 .../library-tests/frameworks/cryptodome/test_ec.py     |  4 ++--
 .../library-tests/frameworks/cryptodome/test_rsa.py    | 10 +++++-----
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/python/ql/test/library-tests/frameworks/cryptodome/test_dsa.py b/python/ql/test/library-tests/frameworks/cryptodome/test_dsa.py
index 617457da148..fecf02fcbf7 100644
--- a/python/ql/test/library-tests/frameworks/cryptodome/test_dsa.py
+++ b/python/ql/test/library-tests/frameworks/cryptodome/test_dsa.py
@@ -21,7 +21,7 @@ message = b"message"
 signer = DSS.new(private_key, mode='fips-186-3')
 
 hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
-signature = signer.sign(hasher) # $ CryptographicOperation CryptographicOperationInput=hasher
+signature = signer.sign(hasher) # $ CryptographicOperation CryptographicOperationInput=hasher # MISSING: CryptographicOperationAlgorithm=DSA
 
 print("signature={}".format(signature))
 
@@ -30,12 +30,12 @@ print()
 verifier = DSS.new(public_key, mode='fips-186-3')
 
 hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
-verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature
+verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature # MISSING: CryptographicOperationAlgorithm=DSA
 print("Signature verified (as expected)")
 
 try:
     hasher = SHA256.new(b"other message") # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=b"other message"
-    verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature
+    verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature # MISSING: CryptographicOperationAlgorithm=DSA
     raise Exception("Signature verified (unexpected)")
 except ValueError:
     print("Signature mismatch (as expected)")
diff --git a/python/ql/test/library-tests/frameworks/cryptodome/test_ec.py b/python/ql/test/library-tests/frameworks/cryptodome/test_ec.py
index 99512b682ac..608aaecfdfd 100644
--- a/python/ql/test/library-tests/frameworks/cryptodome/test_ec.py
+++ b/python/ql/test/library-tests/frameworks/cryptodome/test_ec.py
@@ -18,7 +18,7 @@ message = b"message"
 signer = DSS.new(private_key, mode='fips-186-3')
 
 hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
-signature = signer.sign(hasher) # $ CryptographicOperation CryptographicOperationInput=hasher
+signature = signer.sign(hasher) # $ CryptographicOperation CryptographicOperationInput=hasher # MISSING: CryptographicOperationAlgorithm=ECDSA
 
 print("signature={}".format(signature))
 
@@ -32,7 +32,7 @@ print("Signature verified (as expected)")
 
 try:
     hasher = SHA256.new(b"other message") # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=b"other message"
-    verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature
+    verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature # MISSING: CryptographicOperationAlgorithm=ECDSA
     raise Exception("Signature verified (unexpected)")
 except ValueError:
     print("Signature mismatch (as expected)")
diff --git a/python/ql/test/library-tests/frameworks/cryptodome/test_rsa.py b/python/ql/test/library-tests/frameworks/cryptodome/test_rsa.py
index 57cdb32f055..f6c2741c25d 100644
--- a/python/ql/test/library-tests/frameworks/cryptodome/test_rsa.py
+++ b/python/ql/test/library-tests/frameworks/cryptodome/test_rsa.py
@@ -23,7 +23,7 @@ secret_message = b"secret message"
 
 encrypt_cipher = PKCS1_OAEP.new(public_key)
 
-encrypted = encrypt_cipher.encrypt(secret_message) # $ CryptographicOperation CryptographicOperationInput=secret_message
+encrypted = encrypt_cipher.encrypt(secret_message) # $ CryptographicOperation CryptographicOperationInput=secret_message # MISSING: CryptographicOperationAlgorithm=RSA-OAEP?
 
 print("encrypted={}".format(encrypted))
 
@@ -31,7 +31,7 @@ print()
 
 decrypt_cipher = PKCS1_OAEP.new(private_key)
 
-decrypted = decrypt_cipher.decrypt(encrypted) # $ CryptographicOperation CryptographicOperationInput=encrypted
+decrypted = decrypt_cipher.decrypt(encrypted) # $ CryptographicOperation CryptographicOperationInput=encrypted # MISSING: CryptographicOperationAlgorithm=RSA-OAEP?
 
 print("decrypted={}".format(decrypted))
 assert decrypted == secret_message
@@ -50,7 +50,7 @@ message = b"message"
 signer = pss.new(private_key)
 
 hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
-signature = signer.sign(hasher) # $ CryptographicOperation CryptographicOperationInput=hasher
+signature = signer.sign(hasher) # $ CryptographicOperation CryptographicOperationInput=hasher # MISSING: CryptographicOperationAlgorithm=RSA-PSS?
 
 print("signature={}".format(signature))
 
@@ -59,13 +59,13 @@ print()
 verifier = pss.new(public_key)
 
 hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
-verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature
+verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature # MISSING: CryptographicOperationAlgorithm=RSA-PSS?
 print("Signature verified (as expected)")
 
 try:
     verifier = pss.new(public_key)
     hasher = SHA256.new(b"other message") # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=b"other message"
-    verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature
+    verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature # MISSING: CryptographicOperationAlgorithm=RSA-PSS?
     raise Exception("Signature verified (unexpected)")
 except ValueError:
     print("Signature mismatch (as expected)")

From bf6f5074c24ff8064a3609b3016b23d75a41def7 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 2 Mar 2021 10:06:06 +0100
Subject: [PATCH 0606/1429] Python: Port cryptodome tests to crypto

I don't know if this is really a smart test-setup... I feel a bit stupid when
doing this xD
---
 .../frameworks/crypto/test_aes.py              |  4 ++--
 .../frameworks/crypto/test_md5.py              |  8 ++++----
 .../frameworks/crypto/test_rc4.py              |  4 ++--
 .../frameworks/crypto/test_dsa.py              | 12 ++++++------
 .../library-tests/frameworks/crypto/test_ec.py | 12 ++++++------
 .../frameworks/crypto/test_rsa.py              | 18 ++++++++----------
 6 files changed, 28 insertions(+), 30 deletions(-)

diff --git a/python/ql/test/experimental/library-tests/frameworks/crypto/test_aes.py b/python/ql/test/experimental/library-tests/frameworks/crypto/test_aes.py
index e22a4c6634f..e838c1aaf2b 100644
--- a/python/ql/test/experimental/library-tests/frameworks/crypto/test_aes.py
+++ b/python/ql/test/experimental/library-tests/frameworks/crypto/test_aes.py
@@ -21,14 +21,14 @@ padding = b"\0"*padding_len
 cipher = AES.new(key, AES.MODE_CBC, iv=iv)
 # using separate .encrypt calls on individual lines does not work
 whole_plantext = secret_message + padding
-encrypted = cipher.encrypt(whole_plantext)
+encrypted = cipher.encrypt(whole_plantext) # $ CryptographicOperation CryptographicOperationAlgorithm=AES CryptographicOperationInput=whole_plantext
 
 print("encrypted={}".format(encrypted))
 
 print()
 
 cipher = AES.new(key, AES.MODE_CBC, iv=iv)
-decrypted = cipher.decrypt(encrypted)
+decrypted = cipher.decrypt(encrypted) # $ CryptographicOperation CryptographicOperationAlgorithm=AES CryptographicOperationInput=encrypted
 
 decrypted = decrypted[:-padding_len]
 
diff --git a/python/ql/test/experimental/library-tests/frameworks/crypto/test_md5.py b/python/ql/test/experimental/library-tests/frameworks/crypto/test_md5.py
index c918094dd61..7004638c065 100644
--- a/python/ql/test/experimental/library-tests/frameworks/crypto/test_md5.py
+++ b/python/ql/test/experimental/library-tests/frameworks/crypto/test_md5.py
@@ -1,10 +1,10 @@
 from Crypto.Hash import MD5
 
-hasher = MD5.new(b"secret message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
+hasher = MD5.new(b"secret message") # $ CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
 print(hasher.hexdigest())
 
 
-hasher = MD5.new() # $ MISSING: CryptographicOperation CryptographicOperationAlgorithm=MD5
-hasher.update(b"secret") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret" CryptographicOperationAlgorithm=MD5
-hasher.update(b" message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b" message" CryptographicOperationAlgorithm=MD5
+hasher = MD5.new() # $ CryptographicOperation CryptographicOperationAlgorithm=MD5
+hasher.update(b"secret") # $ CryptographicOperation CryptographicOperationInput=b"secret" CryptographicOperationAlgorithm=MD5
+hasher.update(b" message") # $ CryptographicOperation CryptographicOperationInput=b" message" CryptographicOperationAlgorithm=MD5
 print(hasher.hexdigest())
diff --git a/python/ql/test/experimental/library-tests/frameworks/crypto/test_rc4.py b/python/ql/test/experimental/library-tests/frameworks/crypto/test_rc4.py
index 4ca870a7352..56b65aac150 100644
--- a/python/ql/test/experimental/library-tests/frameworks/crypto/test_rc4.py
+++ b/python/ql/test/experimental/library-tests/frameworks/crypto/test_rc4.py
@@ -17,14 +17,14 @@ print("encrypt/decrypt")
 secret_message = b"secret message"
 
 cipher = ARC4.new(key)
-encrypted = cipher.encrypt(secret_message)
+encrypted = cipher.encrypt(secret_message) # $ CryptographicOperation CryptographicOperationAlgorithm=ARC4 CryptographicOperationInput=secret_message
 
 print("encrypted={}".format(encrypted))
 
 print()
 
 cipher = ARC4.new(key)
-decrypted = cipher.decrypt(encrypted)
+decrypted = cipher.decrypt(encrypted) # $ CryptographicOperation CryptographicOperationAlgorithm=ARC4 CryptographicOperationInput=encrypted
 
 print("decrypted={}".format(decrypted))
 assert decrypted == secret_message
diff --git a/python/ql/test/library-tests/frameworks/crypto/test_dsa.py b/python/ql/test/library-tests/frameworks/crypto/test_dsa.py
index a6c2c081845..7204ceb5917 100644
--- a/python/ql/test/library-tests/frameworks/crypto/test_dsa.py
+++ b/python/ql/test/library-tests/frameworks/crypto/test_dsa.py
@@ -20,8 +20,8 @@ message = b"message"
 
 signer = DSS.new(private_key, mode='fips-186-3')
 
-hasher = SHA256.new(message)
-signature = signer.sign(hasher)
+hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
+signature = signer.sign(hasher) # $ CryptographicOperation CryptographicOperationInput=hasher # MISSING: CryptographicOperationAlgorithm=DSA
 
 print("signature={}".format(signature))
 
@@ -29,13 +29,13 @@ print()
 
 verifier = DSS.new(public_key, mode='fips-186-3')
 
-hasher = SHA256.new(message)
-verifier.verify(hasher, signature)
+hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
+verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature # MISSING: CryptographicOperationAlgorithm=DSA
 print("Signature verified (as expected)")
 
 try:
-    hasher = SHA256.new(b"other message")
-    verifier.verify(hasher, signature)
+    hasher = SHA256.new(b"other message") # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=b"other message"
+    verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature # MISSING: CryptographicOperationAlgorithm=DSA
     raise Exception("Signature verified (unexpected)")
 except ValueError:
     print("Signature mismatch (as expected)")
diff --git a/python/ql/test/library-tests/frameworks/crypto/test_ec.py b/python/ql/test/library-tests/frameworks/crypto/test_ec.py
index 2b482b4aa4e..565c779f610 100644
--- a/python/ql/test/library-tests/frameworks/crypto/test_ec.py
+++ b/python/ql/test/library-tests/frameworks/crypto/test_ec.py
@@ -17,8 +17,8 @@ message = b"message"
 
 signer = DSS.new(private_key, mode='fips-186-3')
 
-hasher = SHA256.new(message)
-signature = signer.sign(hasher)
+hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
+signature = signer.sign(hasher) # $ CryptographicOperation CryptographicOperationInput=hasher # MISSING: CryptographicOperationAlgorithm=ECDSA
 
 print("signature={}".format(signature))
 
@@ -26,13 +26,13 @@ print()
 
 verifier = DSS.new(public_key, mode='fips-186-3')
 
-hasher = SHA256.new(message)
-verifier.verify(hasher, signature)
+hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
+verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature
 print("Signature verified (as expected)")
 
 try:
-    hasher = SHA256.new(b"other message")
-    verifier.verify(hasher, signature)
+    hasher = SHA256.new(b"other message") # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=b"other message"
+    verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature # MISSING: CryptographicOperationAlgorithm=ECDSA
     raise Exception("Signature verified (unexpected)")
 except ValueError:
     print("Signature mismatch (as expected)")
diff --git a/python/ql/test/library-tests/frameworks/crypto/test_rsa.py b/python/ql/test/library-tests/frameworks/crypto/test_rsa.py
index f27015f3812..c93763b9bc8 100644
--- a/python/ql/test/library-tests/frameworks/crypto/test_rsa.py
+++ b/python/ql/test/library-tests/frameworks/crypto/test_rsa.py
@@ -23,7 +23,7 @@ secret_message = b"secret message"
 
 encrypt_cipher = PKCS1_OAEP.new(public_key)
 
-encrypted = encrypt_cipher.encrypt(secret_message)
+encrypted = encrypt_cipher.encrypt(secret_message) # $ CryptographicOperation CryptographicOperationInput=secret_message # MISSING: CryptographicOperationAlgorithm=RSA-OAEP?
 
 print("encrypted={}".format(encrypted))
 
@@ -31,9 +31,7 @@ print()
 
 decrypt_cipher = PKCS1_OAEP.new(private_key)
 
-decrypted = decrypt_cipher.decrypt(
-    encrypted,
-)
+decrypted = decrypt_cipher.decrypt(encrypted) # $ CryptographicOperation CryptographicOperationInput=encrypted # MISSING: CryptographicOperationAlgorithm=RSA-OAEP?
 
 print("decrypted={}".format(decrypted))
 assert decrypted == secret_message
@@ -51,8 +49,8 @@ message = b"message"
 
 signer = pss.new(private_key)
 
-hasher = SHA256.new(message)
-signature = signer.sign(hasher)
+hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
+signature = signer.sign(hasher) # $ CryptographicOperation CryptographicOperationInput=hasher # MISSING: CryptographicOperationAlgorithm=RSA-PSS?
 
 print("signature={}".format(signature))
 
@@ -60,14 +58,14 @@ print()
 
 verifier = pss.new(public_key)
 
-hasher = SHA256.new(message)
-verifier.verify(hasher, signature)
+hasher = SHA256.new(message) # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=message
+verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature # MISSING: CryptographicOperationAlgorithm=RSA-PSS?
 print("Signature verified (as expected)")
 
 try:
     verifier = pss.new(public_key)
-    hasher = SHA256.new(b"other message")
-    verifier.verify(hasher, signature)
+    hasher = SHA256.new(b"other message") # $ CryptographicOperation CryptographicOperationAlgorithm=SHA256 CryptographicOperationInput=b"other message"
+    verifier.verify(hasher, signature) # $ CryptographicOperation CryptographicOperationInput=hasher CryptographicOperationInput=signature # MISSING: CryptographicOperationAlgorithm=RSA-PSS?
     raise Exception("Signature verified (unexpected)")
 except ValueError:
     print("Signature mismatch (as expected)")

From c5f826580ba20b5ad6672f5e0beaada1ec1776cd Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 2 Mar 2021 13:32:13 +0100
Subject: [PATCH 0607/1429] Python: Model encrypt/decrypt in cryptography
 package

I introduced a InternalTypeTracking module, since the type-tracking code got so
verbose, that it was impossible to get an overview of the relevant predicates.
(this means the "first" type-tracking predicate that is usually private, cannot
be marked private anymore, since it needs to be exposed in the private module.
---
 .../semmle/python/frameworks/Cryptography.qll | 161 ++++++++++++++++++
 .../frameworks/cryptography/test_aes.py       |   6 +-
 .../frameworks/cryptography/test_rc4.py       |   4 +-
 3 files changed, 166 insertions(+), 5 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Cryptography.qll b/python/ql/src/semmle/python/frameworks/Cryptography.qll
index 266d41897d3..0bb5861c48f 100644
--- a/python/ql/src/semmle/python/frameworks/Cryptography.qll
+++ b/python/ql/src/semmle/python/frameworks/Cryptography.qll
@@ -169,4 +169,165 @@ private module CryptographyModel {
     // Note: There is not really a key-size argument, since it's always specified by the curve.
     override DataFlow::Node getKeySizeArg() { none() }
   }
+
+  /** Provides models for the `cryptography.hazmat.primitives.ciphers` package */
+  private module Ciphers {
+    /** Gets a reference to a `cryptography.hazmat.primitives.ciphers.algorithms` Class */
+    API::Node algorithmClassRef(string algorithmName) {
+      result =
+        API::moduleImport("cryptography")
+            .getMember("hazmat")
+            .getMember("primitives")
+            .getMember("ciphers")
+            .getMember("algorithms")
+            .getMember(algorithmName)
+    }
+
+    /**
+     * Internal module making it easy to hide verbose type-tracking helpers.
+     *
+     * These turned out to be so verbose, that it was impossible to get an overview of
+     * the relevant predicates without hiding them away.
+     */
+    private module InternalTypeTracking {
+      /** Gets a reference to a Cipher instance using algorithm with `algorithmName`. */
+      DataFlow::LocalSourceNode cipherInstance(DataFlow::TypeTracker t, string algorithmName) {
+        t.start() and
+        exists(DataFlow::CallCfgNode call | result = call |
+          call =
+            API::moduleImport("cryptography")
+                .getMember("hazmat")
+                .getMember("primitives")
+                .getMember("ciphers")
+                .getMember("Cipher")
+                .getACall() and
+          algorithmClassRef(algorithmName).getReturn().getAUse() in [
+              call.getArg(0), call.getArgByName("algorithm")
+            ]
+        )
+        or
+        // Due to bad performance when using normal setup with `cipherInstance(t2, algorithmName).track(t2, t)`
+        // we have inlined that code and forced a join
+        exists(DataFlow::TypeTracker t2 |
+          exists(DataFlow::StepSummary summary |
+            cipherInstance_first_join(t2, algorithmName, result, summary) and
+            t = t2.append(summary)
+          )
+        )
+      }
+
+      pragma[nomagic]
+      private predicate cipherInstance_first_join(
+        DataFlow::TypeTracker t2, string algorithmName, DataFlow::Node res,
+        DataFlow::StepSummary summary
+      ) {
+        DataFlow::StepSummary::step(cipherInstance(t2, algorithmName), res, summary)
+      }
+
+      /** Gets a reference to the encryptor of a Cipher instance using algorithm with `algorithmName`. */
+      DataFlow::LocalSourceNode cipherEncryptor(DataFlow::TypeTracker t, string algorithmName) {
+        t.start() and
+        exists(DataFlow::AttrRead attr |
+          result.(DataFlow::CallCfgNode).getFunction() = attr and
+          attr.getAttributeName() = "encryptor" and
+          attr.getObject() = cipherInstance(algorithmName)
+        )
+        or
+        // Due to bad performance when using normal setup with `cipherEncryptor(t2, algorithmName).track(t2, t)`
+        // we have inlined that code and forced a join
+        exists(DataFlow::TypeTracker t2 |
+          exists(DataFlow::StepSummary summary |
+            cipherEncryptor_first_join(t2, algorithmName, result, summary) and
+            t = t2.append(summary)
+          )
+        )
+      }
+
+      pragma[nomagic]
+      private predicate cipherEncryptor_first_join(
+        DataFlow::TypeTracker t2, string algorithmName, DataFlow::Node res,
+        DataFlow::StepSummary summary
+      ) {
+        DataFlow::StepSummary::step(cipherEncryptor(t2, algorithmName), res, summary)
+      }
+
+      /** Gets a reference to the dncryptor of a Cipher instance using algorithm with `algorithmName`. */
+      DataFlow::LocalSourceNode cipherDecryptor(DataFlow::TypeTracker t, string algorithmName) {
+        t.start() and
+        exists(DataFlow::AttrRead attr |
+          result.(DataFlow::CallCfgNode).getFunction() = attr and
+          attr.getAttributeName() = "decryptor" and
+          attr.getObject() = cipherInstance(algorithmName)
+        )
+        or
+        // Due to bad performance when using normal setup with `cipherDecryptor(t2, algorithmName).track(t2, t)`
+        // we have inlined that code and forced a join
+        exists(DataFlow::TypeTracker t2 |
+          exists(DataFlow::StepSummary summary |
+            cipherDecryptor_first_join(t2, algorithmName, result, summary) and
+            t = t2.append(summary)
+          )
+        )
+      }
+
+      pragma[nomagic]
+      private predicate cipherDecryptor_first_join(
+        DataFlow::TypeTracker t2, string algorithmName, DataFlow::Node res,
+        DataFlow::StepSummary summary
+      ) {
+        DataFlow::StepSummary::step(cipherDecryptor(t2, algorithmName), res, summary)
+      }
+    }
+
+    private import InternalTypeTracking
+
+    /** Gets a reference to a Cipher instance using algorithm with `algorithmName`. */
+    DataFlow::Node cipherInstance(string algorithmName) {
+      cipherInstance(DataFlow::TypeTracker::end(), algorithmName).flowsTo(result)
+    }
+
+    /**
+     * Gets a reference to the encryptor of a Cipher instance using algorithm with `algorithmName`.
+     *
+     * You obtain an encryptor by using the `encryptor()` method on a Cipher instance.
+     */
+    DataFlow::Node cipherEncryptor(string algorithmName) {
+      cipherEncryptor(DataFlow::TypeTracker::end(), algorithmName).flowsTo(result)
+    }
+
+    /**
+     * Gets a reference to the decryptor of a Cipher instance using algorithm with `algorithmName`.
+     *
+     * You obtain an decryptor by using the `decryptor()` method on a Cipher instance.
+     */
+    DataFlow::Node cipherDecryptor(string algorithmName) {
+      cipherDecryptor(DataFlow::TypeTracker::end(), algorithmName).flowsTo(result)
+    }
+
+    /**
+     * An encrypt or decrypt operation from `cryptography.hazmat.primitives.ciphers`.
+     */
+    class CryptographyGenericCipherOperation extends Cryptography::CryptographicOperation::Range,
+      DataFlow::CallCfgNode {
+      string algorithmName;
+
+      CryptographyGenericCipherOperation() {
+        exists(DataFlow::AttrRead attr |
+          this.getFunction() = attr and
+          attr.getAttributeName() = ["update", "update_into"] and
+          (
+            attr.getObject() = cipherEncryptor(algorithmName)
+            or
+            attr.getObject() = cipherDecryptor(algorithmName)
+          )
+        )
+      }
+
+      override Cryptography::CryptographicAlgorithm getAlgorithm() {
+        result.matchesName(algorithmName)
+      }
+
+      override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }
+    }
+  }
 }
diff --git a/python/ql/test/experimental/library-tests/frameworks/cryptography/test_aes.py b/python/ql/test/experimental/library-tests/frameworks/cryptography/test_aes.py
index 7bd7040d0b4..548eea5c32a 100644
--- a/python/ql/test/experimental/library-tests/frameworks/cryptography/test_aes.py
+++ b/python/ql/test/experimental/library-tests/frameworks/cryptography/test_aes.py
@@ -22,8 +22,8 @@ padding = b"\0"*padding_len
 
 encryptor = cipher.encryptor()
 print(padding_len)
-encrypted = encryptor.update(secret_message)
-encrypted += encryptor.update(padding)
+encrypted = encryptor.update(secret_message) # $ CryptographicOperation CryptographicOperationAlgorithm=AES CryptographicOperationInput=secret_message
+encrypted += encryptor.update(padding) # $ CryptographicOperation CryptographicOperationAlgorithm=AES CryptographicOperationInput=padding
 encrypted += encryptor.finalize()
 
 print("encrypted={}".format(encrypted))
@@ -31,7 +31,7 @@ print("encrypted={}".format(encrypted))
 print()
 
 decryptor = cipher.decryptor()
-decrypted = decryptor.update(encrypted)
+decrypted = decryptor.update(encrypted) # $ CryptographicOperation CryptographicOperationAlgorithm=AES CryptographicOperationInput=encrypted
 decrypted += decryptor.finalize()
 
 decrypted = decrypted[:-padding_len]
diff --git a/python/ql/test/experimental/library-tests/frameworks/cryptography/test_rc4.py b/python/ql/test/experimental/library-tests/frameworks/cryptography/test_rc4.py
index 0d3fbcc320c..3a74d3e9dd2 100644
--- a/python/ql/test/experimental/library-tests/frameworks/cryptography/test_rc4.py
+++ b/python/ql/test/experimental/library-tests/frameworks/cryptography/test_rc4.py
@@ -17,7 +17,7 @@ print("encrypt/decrypt")
 secret_message = b"secret message"
 
 encryptor = cipher.encryptor()
-encrypted = encryptor.update(secret_message)
+encrypted = encryptor.update(secret_message) # $ CryptographicOperation CryptographicOperationAlgorithm=ARC4 CryptographicOperationInput=secret_message
 encrypted += encryptor.finalize()
 
 print("encrypted={}".format(encrypted))
@@ -25,7 +25,7 @@ print("encrypted={}".format(encrypted))
 print()
 
 decryptor = cipher.decryptor()
-decrypted = decryptor.update(encrypted)
+decrypted = decryptor.update(encrypted) # $ CryptographicOperation CryptographicOperationAlgorithm=ARC4 CryptographicOperationInput=encrypted
 decrypted += decryptor.finalize()
 
 print("decrypted={}".format(decrypted))

From fa88f22453e9330f6224e8e61520e5e2e13c9ce8 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 2 Mar 2021 13:54:36 +0100
Subject: [PATCH 0608/1429] Python: Model hashing operations in `cryptography`
 package

---
 .../semmle/python/frameworks/Cryptography.qll | 77 +++++++++++++++++++
 .../frameworks/cryptography/test_md5.py       |  2 +-
 2 files changed, 78 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/frameworks/Cryptography.qll b/python/ql/src/semmle/python/frameworks/Cryptography.qll
index 0bb5861c48f..bc7bdc0109f 100644
--- a/python/ql/src/semmle/python/frameworks/Cryptography.qll
+++ b/python/ql/src/semmle/python/frameworks/Cryptography.qll
@@ -330,4 +330,81 @@ private module CryptographyModel {
       override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }
     }
   }
+
+  /** Provides models for the `cryptography.hazmat.primitives.hashes` package */
+  private module Hashes {
+    /**
+     * Gets a reference to a `cryptography.hazmat.primitives.hashes` class, representing
+     * a hashing algorithm.
+     */
+    API::Node algorithmClassRef(string algorithmName) {
+      result =
+        API::moduleImport("cryptography")
+            .getMember("hazmat")
+            .getMember("primitives")
+            .getMember("hashes")
+            .getMember(algorithmName)
+    }
+
+    /** Gets a reference to a Hash instance using algorithm with `algorithmName`. */
+    private DataFlow::LocalSourceNode hashInstance(DataFlow::TypeTracker t, string algorithmName) {
+      t.start() and
+      exists(DataFlow::CallCfgNode call | result = call |
+        call =
+          API::moduleImport("cryptography")
+              .getMember("hazmat")
+              .getMember("primitives")
+              .getMember("hashes")
+              .getMember("Hash")
+              .getACall() and
+        algorithmClassRef(algorithmName).getReturn().getAUse() in [
+            call.getArg(0), call.getArgByName("algorithm")
+          ]
+      )
+      or
+      // Due to bad performance when using normal setup with `hashInstance(t2, algorithmName).track(t2, t)`
+      // we have inlined that code and forced a join
+      exists(DataFlow::TypeTracker t2 |
+        exists(DataFlow::StepSummary summary |
+          hashInstance_first_join(t2, algorithmName, result, summary) and
+          t = t2.append(summary)
+        )
+      )
+    }
+
+    pragma[nomagic]
+    private predicate hashInstance_first_join(
+      DataFlow::TypeTracker t2, string algorithmName, DataFlow::Node res,
+      DataFlow::StepSummary summary
+    ) {
+      DataFlow::StepSummary::step(hashInstance(t2, algorithmName), res, summary)
+    }
+
+    /** Gets a reference to a Hash instance using algorithm with `algorithmName`. */
+    DataFlow::Node hashInstance(string algorithmName) {
+      hashInstance(DataFlow::TypeTracker::end(), algorithmName).flowsTo(result)
+    }
+
+    /**
+     * An hashing operation from `cryptography.hazmat.primitives.hashes`.
+     */
+    class CryptographyGenericHashOperation extends Cryptography::CryptographicOperation::Range,
+      DataFlow::CallCfgNode {
+      string algorithmName;
+
+      CryptographyGenericHashOperation() {
+        exists(DataFlow::AttrRead attr |
+          this.getFunction() = attr and
+          attr.getAttributeName() = "update" and
+          attr.getObject() = hashInstance(algorithmName)
+        )
+      }
+
+      override Cryptography::CryptographicAlgorithm getAlgorithm() {
+        result.matchesName(algorithmName)
+      }
+
+      override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }
+    }
+  }
 }
diff --git a/python/ql/test/experimental/library-tests/frameworks/cryptography/test_md5.py b/python/ql/test/experimental/library-tests/frameworks/cryptography/test_md5.py
index ff997a49ae2..14cc3322020 100644
--- a/python/ql/test/experimental/library-tests/frameworks/cryptography/test_md5.py
+++ b/python/ql/test/experimental/library-tests/frameworks/cryptography/test_md5.py
@@ -4,7 +4,7 @@ from binascii import hexlify
 
 
 hasher = hashes.Hash(hashes.MD5())
-hasher.update(b"secret message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
+hasher.update(b"secret message") # $ CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
 
 digest = hasher.finalize()
 print(hexlify(digest).decode('utf-8'))

From 7ffbfa80438731956f999832c2fbc356eec357c2 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 2 Mar 2021 16:45:09 +0100
Subject: [PATCH 0609/1429] Python: Expand stdlib md5 tests with
 keyword-arguments

---
 .../library-tests/frameworks/stdlib/test_md5.py           | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/python/ql/test/experimental/library-tests/frameworks/stdlib/test_md5.py b/python/ql/test/experimental/library-tests/frameworks/stdlib/test_md5.py
index e8d78961308..200a68662e4 100644
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib/test_md5.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/test_md5.py
@@ -5,6 +5,10 @@ hasher = hashlib.md5(b"secret message") # $ MISSING: CryptographicOperation Cryp
 print(hasher.hexdigest())
 
 
+hasher = hashlib.md5(string=b"secret message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
+print(hasher.hexdigest())
+
+
 hasher = hashlib.md5()
 hasher.update(b"secret") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret" CryptographicOperationAlgorithm=MD5
 hasher.update(b" message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b" message" CryptographicOperationAlgorithm=MD5
@@ -15,6 +19,10 @@ hasher = hashlib.new('md5', b"secret message") # $ MISSING: CryptographicOperati
 print(hasher.hexdigest())
 
 
+hasher = hashlib.new('md5', data=b"secret message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
+print(hasher.hexdigest())
+
+
 hasher = hashlib.new('md5')
 hasher.update(b"secret") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret" CryptographicOperationAlgorithm=MD5
 hasher.update(b" message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b" message" CryptographicOperationAlgorithm=MD5

From 1616975e0682f7670911c58fe5bc96893d344d25 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 3 Mar 2021 10:06:01 +0100
Subject: [PATCH 0610/1429] Python: Model `hashlib` from standard library

---
 .../src/semmle/python/frameworks/Stdlib.qll   | 127 ++++++++++++++++++
 .../frameworks/stdlib/test_md5.py             |  16 +--
 2 files changed, 135 insertions(+), 8 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index 01df130d0db..5f4a2d22adb 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -866,6 +866,133 @@ private module Stdlib {
   }
 }
 
+// ---------------------------------------------------------------------------
+// hashlib
+// ---------------------------------------------------------------------------
+/** Gets a call to `hashlib.new` with `algorithmName` as the first argument. */
+private DataFlow::CallCfgNode hashlibNewCall(string algorithmName) {
+  exists(DataFlow::Node nameArg |
+    result = API::moduleImport("hashlib").getMember("new").getACall() and
+    nameArg in [result.getArg(0), result.getArgByName("name")] and
+    exists(StrConst str |
+      DataFlow::exprNode(str).(DataFlow::LocalSourceNode).flowsTo(nameArg) and
+      algorithmName = str.getText()
+    )
+  )
+}
+
+/** Gets a reference to the result of calling `hashlib.new` with `algorithmName` as the first argument. */
+private DataFlow::LocalSourceNode hashlibNewResult(DataFlow::TypeTracker t, string algorithmName) {
+  t.start() and
+  result = hashlibNewCall(algorithmName)
+  or
+  // Due to bad performance when using normal setup with `hashlibNewResult(t2, algorithmName).track(t2, t)`
+  // we have inlined that code and forced a join
+  exists(DataFlow::TypeTracker t2 |
+    exists(DataFlow::StepSummary summary |
+      hashlibNewResult_first_join(t2, algorithmName, result, summary) and
+      t = t2.append(summary)
+    )
+  )
+}
+
+pragma[nomagic]
+private predicate hashlibNewResult_first_join(
+  DataFlow::TypeTracker t2, string algorithmName, DataFlow::Node res, DataFlow::StepSummary summary
+) {
+  DataFlow::StepSummary::step(hashlibNewResult(t2, algorithmName), res, summary)
+}
+
+/** Gets a reference to the result of calling `hashlib.new` with `algorithmName` as the first argument. */
+DataFlow::Node hashlibNewResult(string algorithmName) {
+  hashlibNewResult(DataFlow::TypeTracker::end(), algorithmName).flowsTo(result)
+}
+
+/**
+ * A hashing operation by supplying initial data when calling the `hashlib.new` function.
+ */
+class HashlibNewCall extends Cryptography::CryptographicOperation::Range, DataFlow::CallCfgNode {
+  string hashName;
+
+  HashlibNewCall() {
+    this = hashlibNewCall(hashName) and
+    exists([this.getArg(1), this.getArgByName("data")])
+  }
+
+  override Cryptography::CryptographicAlgorithm getAlgorithm() { result.matchesName(hashName) }
+
+  override DataFlow::Node getAnInput() { result in [this.getArg(1), this.getArgByName("data")] }
+}
+
+/**
+ * A hashing operation by using the `update` method on the result of calling the `hashlib.new` function.
+ */
+class HashlibNewUpdateCall extends Cryptography::CryptographicOperation::Range,
+  DataFlow::CallCfgNode {
+  string hashName;
+
+  HashlibNewUpdateCall() {
+    exists(DataFlow::AttrRead attr |
+      attr.getObject() = hashlibNewResult(hashName) and
+      this.getFunction() = attr and
+      attr.getAttributeName() = "update"
+    )
+  }
+
+  override Cryptography::CryptographicAlgorithm getAlgorithm() { result.matchesName(hashName) }
+
+  override DataFlow::Node getAnInput() { result = this.getArg(0) }
+}
+
+/**
+ * A hashing operation from the `hashlib` package using one of the predefined classes
+ * (such as `hashlib.md5`). `hashlib.new` is not included, since it is handled by
+ * `HashlibNewCall` and `HashlibNewUpdateCall`.
+ */
+abstract class HashlibGenericHashOperation extends Cryptography::CryptographicOperation::Range,
+  DataFlow::CallCfgNode {
+  string hashName;
+  API::Node hashClass;
+
+  bindingset[this]
+  HashlibGenericHashOperation() {
+    not hashName = "new" and
+    hashClass = API::moduleImport("hashlib").getMember(hashName)
+  }
+
+  override Cryptography::CryptographicAlgorithm getAlgorithm() { result.matchesName(hashName) }
+}
+
+/**
+ * A hashing operation from the `hashlib` package using one of the predefined classes
+ * (such as `hashlib.md5`), by calling its' `update` mehtod.
+ */
+class HashlibHashClassUpdateCall extends HashlibGenericHashOperation {
+  HashlibHashClassUpdateCall() { this = hashClass.getReturn().getMember("update").getACall() }
+
+  override DataFlow::Node getAnInput() { result = this.getArg(0) }
+}
+
+/**
+ * A hashing operation from the `hashlib` package using one of the predefined classes
+ * (such as `hashlib.md5`), by passing data to when instantiating the class.
+ */
+class HashlibDataPassedToHashClass extends HashlibGenericHashOperation {
+  HashlibDataPassedToHashClass() {
+    // we only want to model calls to classes such as `hashlib.md5()` if initial data
+    // is passed as an argument
+    this = hashClass.getACall() and
+    exists([this.getArg(0), this.getArgByName("string")])
+  }
+
+  override DataFlow::Node getAnInput() {
+    result = this.getArg(0)
+    or
+    // in Python 3.9, you are allowed to use `hashlib.md5(string=<bytes-like>)`.
+    result = this.getArgByName("string")
+  }
+}
+
 // ---------------------------------------------------------------------------
 // OTHER
 // ---------------------------------------------------------------------------
diff --git a/python/ql/test/experimental/library-tests/frameworks/stdlib/test_md5.py b/python/ql/test/experimental/library-tests/frameworks/stdlib/test_md5.py
index 200a68662e4..b4fae98878f 100644
--- a/python/ql/test/experimental/library-tests/frameworks/stdlib/test_md5.py
+++ b/python/ql/test/experimental/library-tests/frameworks/stdlib/test_md5.py
@@ -1,29 +1,29 @@
 import hashlib
 
 
-hasher = hashlib.md5(b"secret message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
+hasher = hashlib.md5(b"secret message") # $ CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
 print(hasher.hexdigest())
 
 
-hasher = hashlib.md5(string=b"secret message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
+hasher = hashlib.md5(string=b"secret message") # $ CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
 print(hasher.hexdigest())
 
 
 hasher = hashlib.md5()
-hasher.update(b"secret") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret" CryptographicOperationAlgorithm=MD5
-hasher.update(b" message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b" message" CryptographicOperationAlgorithm=MD5
+hasher.update(b"secret") # $ CryptographicOperation CryptographicOperationInput=b"secret" CryptographicOperationAlgorithm=MD5
+hasher.update(b" message") # $ CryptographicOperation CryptographicOperationInput=b" message" CryptographicOperationAlgorithm=MD5
 print(hasher.hexdigest())
 
 
-hasher = hashlib.new('md5', b"secret message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
+hasher = hashlib.new('md5', b"secret message") # $ CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
 print(hasher.hexdigest())
 
 
-hasher = hashlib.new('md5', data=b"secret message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
+hasher = hashlib.new('md5', data=b"secret message") # $ CryptographicOperation CryptographicOperationInput=b"secret message" CryptographicOperationAlgorithm=MD5
 print(hasher.hexdigest())
 
 
 hasher = hashlib.new('md5')
-hasher.update(b"secret") # $ MISSING: CryptographicOperation CryptographicOperationInput=b"secret" CryptographicOperationAlgorithm=MD5
-hasher.update(b" message") # $ MISSING: CryptographicOperation CryptographicOperationInput=b" message" CryptographicOperationAlgorithm=MD5
+hasher.update(b"secret") # $ CryptographicOperation CryptographicOperationInput=b"secret" CryptographicOperationAlgorithm=MD5
+hasher.update(b" message") # $ CryptographicOperation CryptographicOperationInput=b" message" CryptographicOperationAlgorithm=MD5
 print(hasher.hexdigest())

From 59edd18c3494a53888be947f4283ae8ac3043983 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Fri, 9 Apr 2021 11:22:26 +0200
Subject: [PATCH 0611/1429] Python: Move framework test-files out of
 experimental

This PR was rebased on newest main, but was written a long time ago when all the
framework test-files were still in experimental. I have not re-written my local
git-history, since there are MANY updates to those files (and I dare not risk
it).
---
 .../{experimental => }/library-tests/frameworks/crypto/README.md  | 0
 .../library-tests/frameworks/crypto/test_aes.py                   | 0
 .../library-tests/frameworks/crypto/test_md5.py                   | 0
 .../library-tests/frameworks/crypto/test_rc4.py                   | 0
 .../library-tests/frameworks/cryptodome/test_aes.py               | 0
 .../library-tests/frameworks/cryptodome/test_md5.py               | 0
 .../library-tests/frameworks/cryptodome/test_rc4.py               | 0
 .../library-tests/frameworks/cryptography/test_aes.py             | 0
 .../library-tests/frameworks/cryptography/test_md5.py             | 0
 .../library-tests/frameworks/cryptography/test_rc4.py             | 0
 .../library-tests/frameworks/stdlib/test_md5.py                   | 0
 11 files changed, 0 insertions(+), 0 deletions(-)
 rename python/ql/test/{experimental => }/library-tests/frameworks/crypto/README.md (100%)
 rename python/ql/test/{experimental => }/library-tests/frameworks/crypto/test_aes.py (100%)
 rename python/ql/test/{experimental => }/library-tests/frameworks/crypto/test_md5.py (100%)
 rename python/ql/test/{experimental => }/library-tests/frameworks/crypto/test_rc4.py (100%)
 rename python/ql/test/{experimental => }/library-tests/frameworks/cryptodome/test_aes.py (100%)
 rename python/ql/test/{experimental => }/library-tests/frameworks/cryptodome/test_md5.py (100%)
 rename python/ql/test/{experimental => }/library-tests/frameworks/cryptodome/test_rc4.py (100%)
 rename python/ql/test/{experimental => }/library-tests/frameworks/cryptography/test_aes.py (100%)
 rename python/ql/test/{experimental => }/library-tests/frameworks/cryptography/test_md5.py (100%)
 rename python/ql/test/{experimental => }/library-tests/frameworks/cryptography/test_rc4.py (100%)
 rename python/ql/test/{experimental => }/library-tests/frameworks/stdlib/test_md5.py (100%)

diff --git a/python/ql/test/experimental/library-tests/frameworks/crypto/README.md b/python/ql/test/library-tests/frameworks/crypto/README.md
similarity index 100%
rename from python/ql/test/experimental/library-tests/frameworks/crypto/README.md
rename to python/ql/test/library-tests/frameworks/crypto/README.md
diff --git a/python/ql/test/experimental/library-tests/frameworks/crypto/test_aes.py b/python/ql/test/library-tests/frameworks/crypto/test_aes.py
similarity index 100%
rename from python/ql/test/experimental/library-tests/frameworks/crypto/test_aes.py
rename to python/ql/test/library-tests/frameworks/crypto/test_aes.py
diff --git a/python/ql/test/experimental/library-tests/frameworks/crypto/test_md5.py b/python/ql/test/library-tests/frameworks/crypto/test_md5.py
similarity index 100%
rename from python/ql/test/experimental/library-tests/frameworks/crypto/test_md5.py
rename to python/ql/test/library-tests/frameworks/crypto/test_md5.py
diff --git a/python/ql/test/experimental/library-tests/frameworks/crypto/test_rc4.py b/python/ql/test/library-tests/frameworks/crypto/test_rc4.py
similarity index 100%
rename from python/ql/test/experimental/library-tests/frameworks/crypto/test_rc4.py
rename to python/ql/test/library-tests/frameworks/crypto/test_rc4.py
diff --git a/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_aes.py b/python/ql/test/library-tests/frameworks/cryptodome/test_aes.py
similarity index 100%
rename from python/ql/test/experimental/library-tests/frameworks/cryptodome/test_aes.py
rename to python/ql/test/library-tests/frameworks/cryptodome/test_aes.py
diff --git a/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_md5.py b/python/ql/test/library-tests/frameworks/cryptodome/test_md5.py
similarity index 100%
rename from python/ql/test/experimental/library-tests/frameworks/cryptodome/test_md5.py
rename to python/ql/test/library-tests/frameworks/cryptodome/test_md5.py
diff --git a/python/ql/test/experimental/library-tests/frameworks/cryptodome/test_rc4.py b/python/ql/test/library-tests/frameworks/cryptodome/test_rc4.py
similarity index 100%
rename from python/ql/test/experimental/library-tests/frameworks/cryptodome/test_rc4.py
rename to python/ql/test/library-tests/frameworks/cryptodome/test_rc4.py
diff --git a/python/ql/test/experimental/library-tests/frameworks/cryptography/test_aes.py b/python/ql/test/library-tests/frameworks/cryptography/test_aes.py
similarity index 100%
rename from python/ql/test/experimental/library-tests/frameworks/cryptography/test_aes.py
rename to python/ql/test/library-tests/frameworks/cryptography/test_aes.py
diff --git a/python/ql/test/experimental/library-tests/frameworks/cryptography/test_md5.py b/python/ql/test/library-tests/frameworks/cryptography/test_md5.py
similarity index 100%
rename from python/ql/test/experimental/library-tests/frameworks/cryptography/test_md5.py
rename to python/ql/test/library-tests/frameworks/cryptography/test_md5.py
diff --git a/python/ql/test/experimental/library-tests/frameworks/cryptography/test_rc4.py b/python/ql/test/library-tests/frameworks/cryptography/test_rc4.py
similarity index 100%
rename from python/ql/test/experimental/library-tests/frameworks/cryptography/test_rc4.py
rename to python/ql/test/library-tests/frameworks/cryptography/test_rc4.py
diff --git a/python/ql/test/experimental/library-tests/frameworks/stdlib/test_md5.py b/python/ql/test/library-tests/frameworks/stdlib/test_md5.py
similarity index 100%
rename from python/ql/test/experimental/library-tests/frameworks/stdlib/test_md5.py
rename to python/ql/test/library-tests/frameworks/stdlib/test_md5.py

From 56c409737d16dbc26896fe2a25b2166d9fcea22e Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 22 Apr 2021 11:47:15 +0200
Subject: [PATCH 0612/1429] Python: Port py/weak-cryptographic-algorithm

The other query (py/weak-sensitive-data-hashing) is added in future commit
---
 .../CWE-327/BrokenCryptoAlgorithm.qhelp       | 22 ++++++++++----
 .../Security/CWE-327/BrokenCryptoAlgorithm.ql | 29 +++++++------------
 .../CWE-327/BrokenCryptoAlgorithm.ql          | 28 ++++++++++++++++++
 .../BrokenCryptoAlgorithm.expected            | 10 ++-----
 .../CWE-327-BrokenCryptoAlgorithm/README.md   |  3 ++
 .../TestNode.expected                         | 12 --------
 .../CWE-327-BrokenCryptoAlgorithm/TestNode.ql |  9 ------
 .../CWE-327-BrokenCryptoAlgorithm/options     |  1 -
 .../test_cryptodome.py                        | 13 +++++++++
 .../test_cryptography.py                      | 21 +++++++++-----
 .../test_pycrypto.py                          |  8 -----
 11 files changed, 87 insertions(+), 69 deletions(-)
 create mode 100644 python/ql/src/experimental/Security-old-dataflow/CWE-327/BrokenCryptoAlgorithm.ql
 create mode 100644 python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/README.md
 delete mode 100644 python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/TestNode.expected
 delete mode 100644 python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/TestNode.ql
 delete mode 100644 python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/options
 create mode 100644 python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptodome.py
 delete mode 100644 python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_pycrypto.py

diff --git a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
index ba5ab4d10c1..5d18f6dd5d3 100644
--- a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -15,22 +15,28 @@
                secure than it appears to be.
           </p>
 
+          <p>
+               This query alerts on any use of a weak cryptographic algorithm, that is
+               not a hashing algorithm. Use of broken or weak cryptographic hash
+               functions are handled by the
+               <code>py/weak-sensitive-data-hashing</code> query.
+          </p>
+
      </overview>
      <recommendation>
 
           <p>
                Ensure that you use a strong, modern cryptographic
-               algorithm. Use at least AES-128 or RSA-2048 for
-               encryption, and SHA-2 or SHA-3 for secure hashing.
+               algorithm, such as AES-128 or RSA-2048.
           </p>
 
      </recommendation>
      <example>
 
           <p>
-               The following code uses the <code>pycrypto</code>
+               The following code uses the <code>pycryptodome</code>
                library to encrypt some secret data. When you create a cipher using
-               <code>pycrypto</code> you must specify the encryption
+               <code>pycryptodome</code> you must specify the encryption
                algorithm to use. The first example uses DES, which is an
                older algorithm that is now considered weak. The second
                example uses AES, which is a stronger modern algorithm.
@@ -39,8 +45,12 @@
           <sample src="examples/broken_crypto.py" />
 
           <p>
-               WARNING: Although the second example above is more robust,
-               pycrypto is no longer actively maintained so we recommend using <code>cryptography</code> instead.
+               NOTICE: the original
+               <a href="https://pypi.org/project/pycrypto/"><code>pycrypto</code></a>
+               PyPI package that provided the <code>Crypto</code> module is not longer
+               actively maintained, so you should use the
+               <a href="https://pypi.org/project/pycryptodome/"><code>pycryptodome</code></a>
+               PyPI package instead (which has a compatible API).
           </p>
 
      </example>
diff --git a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
index 36064dc0386..66f07ea2c7b 100644
--- a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
@@ -1,7 +1,7 @@
 /**
  * @name Use of a broken or weak cryptographic algorithm
  * @description Using broken or weak cryptographic algorithms can compromise security.
- * @kind path-problem
+ * @kind problem
  * @problem.severity warning
  * @precision high
  * @id py/weak-cryptographic-algorithm
@@ -10,21 +10,14 @@
  */
 
 import python
-import semmle.python.security.Paths
-import semmle.python.security.SensitiveData
-import semmle.python.security.Crypto
+import semmle.python.Concepts
 
-class BrokenCryptoConfiguration extends TaintTracking::Configuration {
-  BrokenCryptoConfiguration() { this = "Broken crypto configuration" }
-
-  override predicate isSource(TaintTracking::Source source) {
-    source instanceof SensitiveDataSource
-  }
-
-  override predicate isSink(TaintTracking::Sink sink) { sink instanceof WeakCryptoSink }
-}
-
-from BrokenCryptoConfiguration config, TaintedPathSource src, TaintedPathSink sink
-where config.hasFlowPath(src, sink)
-select sink.getSink(), src, sink, "$@ is used in a broken or weak cryptographic algorithm.",
-  src.getSource(), "Sensitive data"
+from Cryptography::CryptographicOperation operation, Cryptography::CryptographicAlgorithm algorithm
+where
+  algorithm = operation.getAlgorithm() and
+  algorithm.isWeak() and
+  not algorithm instanceof Cryptography::HashingAlgorithm and // handled by `py/weak-sensitive-data-hashing`
+  not algorithm instanceof Cryptography::PasswordHashingAlgorithm // handled by `py/weak-sensitive-data-hashing`
+select operation,
+  "The cryptographic algorithm " + algorithm.getName() +
+    " is broken or weak, and should not be used."
diff --git a/python/ql/src/experimental/Security-old-dataflow/CWE-327/BrokenCryptoAlgorithm.ql b/python/ql/src/experimental/Security-old-dataflow/CWE-327/BrokenCryptoAlgorithm.ql
new file mode 100644
index 00000000000..3c183c3b4f9
--- /dev/null
+++ b/python/ql/src/experimental/Security-old-dataflow/CWE-327/BrokenCryptoAlgorithm.ql
@@ -0,0 +1,28 @@
+/**
+ * @name OLD QUERY: Use of a broken or weak cryptographic algorithm
+ * @description Using broken or weak cryptographic algorithms can compromise security.
+ * @kind path-problem
+ * @problem.severity warning
+ * @id py/old/weak-cryptographic-algorithm
+ * @deprecated
+ */
+
+import python
+import semmle.python.security.Paths
+import semmle.python.security.SensitiveData
+import semmle.python.security.Crypto
+
+class BrokenCryptoConfiguration extends TaintTracking::Configuration {
+  BrokenCryptoConfiguration() { this = "Broken crypto configuration" }
+
+  override predicate isSource(TaintTracking::Source source) {
+    source instanceof SensitiveDataSource
+  }
+
+  override predicate isSink(TaintTracking::Sink sink) { sink instanceof WeakCryptoSink }
+}
+
+from BrokenCryptoConfiguration config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
+select sink.getSink(), src, sink, "$@ is used in a broken or weak cryptographic algorithm.",
+  src.getSource(), "Sensitive data"
diff --git a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.expected b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.expected
index 8a680bc702c..acae4cbfb06 100644
--- a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.expected
+++ b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.expected
@@ -1,8 +1,2 @@
-edges
-| test_cryptography.py:5:17:5:30 | a password | test_cryptography.py:8:29:8:37 | a password |
-| test_cryptography.py:5:17:5:30 | a password | test_cryptography.py:8:29:8:37 | a password |
-| test_pycrypto.py:5:17:5:30 | a password | test_pycrypto.py:7:27:7:35 | a password |
-| test_pycrypto.py:5:17:5:30 | a password | test_pycrypto.py:7:27:7:35 | a password |
-#select
-| test_cryptography.py:8:29:8:37 | dangerous | test_cryptography.py:5:17:5:30 | a password | test_cryptography.py:8:29:8:37 | a password | $@ is used in a broken or weak cryptographic algorithm. | test_cryptography.py:5:17:5:30 | get_password() | Sensitive data |
-| test_pycrypto.py:7:27:7:35 | dangerous | test_pycrypto.py:5:17:5:30 | a password | test_pycrypto.py:7:27:7:35 | a password | $@ is used in a broken or weak cryptographic algorithm. | test_pycrypto.py:5:17:5:30 | get_password() | Sensitive data |
+| test_cryptodome.py:11:13:11:42 | ControlFlowNode for Attribute() | The cryptographic algorithm ARC4 is broken or weak, and should not be used. |
+| test_cryptography.py:13:13:13:44 | ControlFlowNode for Attribute() | The cryptographic algorithm ARC4 is broken or weak, and should not be used. |
diff --git a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/README.md b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/README.md
new file mode 100644
index 00000000000..9c6e429aefc
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/README.md
@@ -0,0 +1,3 @@
+Note that the tests in this directory are very shallow, and simply show that the query is able to produce alerts.
+
+More in-depth tests can be found for the individual frameworks that we have modeled `Cryptography::CryptographicOperation` for.
diff --git a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/TestNode.expected b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/TestNode.expected
deleted file mode 100644
index c79f7a9d195..00000000000
--- a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/TestNode.expected
+++ /dev/null
@@ -1,12 +0,0 @@
-| Taint Crypto.Cipher.ARC4 | test_pycrypto.py:6:14:6:27 | test_pycrypto.py:6 | test_pycrypto.py:6:14:6:27 | Attribute() |  |
-| Taint Crypto.Cipher.ARC4 | test_pycrypto.py:7:12:7:17 | test_pycrypto.py:7 | test_pycrypto.py:7:12:7:17 | cipher |  |
-| Taint cryptography.Cipher.RC4 | test_cryptography.py:6:14:6:47 | test_cryptography.py:6 | test_cryptography.py:6:14:6:47 | Cipher() |  |
-| Taint cryptography.Cipher.RC4 | test_cryptography.py:7:17:7:22 | test_cryptography.py:7 | test_cryptography.py:7:17:7:22 | cipher |  |
-| Taint cryptography.encryptor.RC4 | test_cryptography.py:7:17:7:34 | test_cryptography.py:7 | test_cryptography.py:7:17:7:34 | Attribute() |  |
-| Taint cryptography.encryptor.RC4 | test_cryptography.py:8:12:8:20 | test_cryptography.py:8 | test_cryptography.py:8:12:8:20 | encryptor |  |
-| Taint cryptography.encryptor.RC4 | test_cryptography.py:8:42:8:50 | test_cryptography.py:8 | test_cryptography.py:8:42:8:50 | encryptor |  |
-| Taint sensitive.data.password | test_cryptography.py:5:17:5:30 | test_cryptography.py:5 | test_cryptography.py:5:17:5:30 | get_password() |  |
-| Taint sensitive.data.password | test_cryptography.py:8:29:8:37 | test_cryptography.py:8 | test_cryptography.py:8:29:8:37 | dangerous |  |
-| Taint sensitive.data.password | test_cryptography.py:8:42:8:50 | test_cryptography.py:8 | test_cryptography.py:8:42:8:50 | encryptor |  |
-| Taint sensitive.data.password | test_pycrypto.py:5:17:5:30 | test_pycrypto.py:5 | test_pycrypto.py:5:17:5:30 | get_password() |  |
-| Taint sensitive.data.password | test_pycrypto.py:7:27:7:35 | test_pycrypto.py:7 | test_pycrypto.py:7:27:7:35 | dangerous |  |
diff --git a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/TestNode.ql b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/TestNode.ql
deleted file mode 100644
index 420ed8bb38e..00000000000
--- a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/TestNode.ql
+++ /dev/null
@@ -1,9 +0,0 @@
-import python
-import semmle.python.dataflow.TaintTracking
-import python
-import semmle.python.security.SensitiveData
-import semmle.python.security.Crypto
-
-from TaintedNode n, AstNode src
-where src = n.getAstNode() and src.getLocation().getFile().getAbsolutePath().matches("%test%")
-select "Taint " + n.getTaintKind(), n.getLocation(), src, n.getContext()
diff --git a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/options b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/options
deleted file mode 100644
index 492768b3481..00000000000
--- a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/options
+++ /dev/null
@@ -1 +0,0 @@
-semmle-extractor-options: -p ../lib/ --max-import-depth=3
diff --git a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptodome.py b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptodome.py
new file mode 100644
index 00000000000..7e5fe780d61
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptodome.py
@@ -0,0 +1,13 @@
+# snippet from python/ql/test/experimental/library-tests/frameworks/cryptodome/test_rc4.py
+from Cryptodome.Cipher import ARC4
+
+import os
+
+key = os.urandom(256//8)
+
+secret_message = b"secret message"
+
+cipher = ARC4.new(key)
+encrypted = cipher.encrypt(secret_message) # NOT OK
+
+print(secret_message, encrypted)
diff --git a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptography.py b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptography.py
index da6c3a4c3aa..2698f9c30d1 100644
--- a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptography.py
+++ b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_cryptography.py
@@ -1,9 +1,16 @@
-from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
-from secrets_store import get_password
+# snippet from python/ql/test/experimental/library-tests/frameworks/cryptography/test_rc4.py
+from cryptography.hazmat.primitives.ciphers import algorithms, Cipher
+import os
 
-def get_badly_encrypted_password():
-    dangerous = get_password()
-    cipher = Cipher(algorithms.ARC4(key), _, _)
-    encryptor = cipher.encryptor()
-    return encryptor.update(dangerous) + encryptor.finalize()
+key = os.urandom(256//8)
 
+algorithm = algorithms.ARC4(key)
+cipher = Cipher(algorithm, mode=None)
+
+secret_message = b"secret message"
+
+encryptor = cipher.encryptor()
+encrypted = encryptor.update(secret_message) # NOT OK
+encrypted += encryptor.finalize()
+
+print(secret_message, encrypted)
diff --git a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_pycrypto.py b/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_pycrypto.py
deleted file mode 100644
index d1dda03b4df..00000000000
--- a/python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/test_pycrypto.py
+++ /dev/null
@@ -1,8 +0,0 @@
-from Crypto.Cipher import ARC4
-from secrets_store import get_password
-
-def get_badly_encrypted_password():
-    dangerous = get_password()
-    cipher = ARC4.new(_, _)
-    return cipher.encrypt(dangerous)
-

From 794a86a6b07709810ec43771e99d5f0fdaff9a68 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 22 Apr 2021 11:50:21 +0200
Subject: [PATCH 0613/1429] Python: Add SensitiveDataSource

---
 .../dataflow/new/SensitiveDataSources.qll     | 66 +++++++++++++++++++
 .../TestSensitiveDataSources.expected         |  0
 .../TestSensitiveDataSources.ql               | 20 ++++++
 .../dataflow/sensitive-data/test.py           | 21 ++++++
 4 files changed, 107 insertions(+)
 create mode 100644 python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
 create mode 100644 python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.expected
 create mode 100644 python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql
 create mode 100644 python/ql/test/experimental/dataflow/sensitive-data/test.py

diff --git a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
new file mode 100644
index 00000000000..2af11d7ecd0
--- /dev/null
+++ b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
@@ -0,0 +1,66 @@
+/**
+ * Provides an extension point for for modeling sensitive data, such as secrets, certificates, or passwords.
+ * Sensitive data is can be interesting to use as data-flow sources in security queries.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+// Need to import since frameworks can extend `RemoteFlowSource::Range`
+private import semmle.python.Frameworks
+private import semmle.python.Concepts
+private import semmle.python.security.SensitiveData as OldSensitiveData
+
+/**
+ * A data flow source of sensitive data, such as secrets, certificates, or passwords.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `SensitiveDataSource::Range` instead.
+ */
+class SensitiveDataSource extends DataFlow::Node {
+  SensitiveDataSource::Range range;
+
+  SensitiveDataSource() { this = range }
+
+  /**
+   * INTERNAL: Do not use.
+   *
+   * This will be rewritten to have better types soon, and therefore should only be used internally until then.
+   *
+   * Gets the classification of the sensitive data.
+   */
+  string getClassification() { result = range.getClassification() }
+}
+
+/** Provides a class for modeling new sources of sensitive data, such as secrets, certificates, or passwords. */
+module SensitiveDataSource {
+  /**
+   * A data flow source of sensitive data, such as secrets, certificates, or passwords.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `SensitiveDataSource` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /**
+     * INTERNAL: Do not use.
+     *
+     * This will be rewritten to have better types soon, and therefore should only be used internally until then.
+     *
+     * Gets the classification of the sensitive data.
+     */
+    abstract string getClassification();
+  }
+}
+
+private class PortOfOldModeling extends SensitiveDataSource::Range {
+  OldSensitiveData::SensitiveData::Source oldSensitiveSource;
+
+  PortOfOldModeling() { this.asCfgNode() = oldSensitiveSource }
+
+  override string getClassification() {
+    exists(OldSensitiveData::SensitiveData classification |
+      oldSensitiveSource.isSourceOf(classification)
+    |
+      classification = "sensitive.data." + result
+    )
+  }
+}
diff --git a/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.expected b/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql b/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql
new file mode 100644
index 00000000000..ce2a8a9a4fd
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql
@@ -0,0 +1,20 @@
+import python
+import semmle.python.dataflow.new.DataFlow
+import TestUtilities.InlineExpectationsTest
+import semmle.python.dataflow.new.SensitiveDataSources
+
+class SensitiveDataSourcesTest extends InlineExpectationsTest {
+  SensitiveDataSourcesTest() { this = "SensitiveDataSourcesTest" }
+
+  override string getARelevantTag() { result = "SensitiveDataSource" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(SensitiveDataSource source |
+      location = source.getLocation() and
+      element = source.toString() and
+      value = source.getClassification() and
+      tag = "SensitiveDataSource"
+    )
+  }
+}
diff --git a/python/ql/test/experimental/dataflow/sensitive-data/test.py b/python/ql/test/experimental/dataflow/sensitive-data/test.py
new file mode 100644
index 00000000000..6241ee3afe3
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/sensitive-data/test.py
@@ -0,0 +1,21 @@
+
+from not_found import get_passwd, account_id
+
+def get_password():
+    pass
+
+def get_secret():
+    pass
+
+def fetch_certificate():
+    pass
+
+def encrypt_password(pwd):
+    pass
+
+get_password() # $ SensitiveDataSource=password
+get_passwd() # $ SensitiveDataSource=password
+get_secret() # $ SensitiveDataSource=secret
+fetch_certificate() # $ SensitiveDataSource=certificate
+account_id() # $ SensitiveDataSource=id
+safe_to_store = encrypt_password(pwd)

From 499adc26a3e0c43f75c1be726995103a83606b7d Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 15 Apr 2021 11:47:43 +0200
Subject: [PATCH 0614/1429] Python: Extend SensitiveDataSource tests

Now it contains all the sort of things we actually support :+1:
---
 .../experimental/dataflow/sensitive-data/test.py     | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/python/ql/test/experimental/dataflow/sensitive-data/test.py b/python/ql/test/experimental/dataflow/sensitive-data/test.py
index 6241ee3afe3..7db57fff2fa 100644
--- a/python/ql/test/experimental/dataflow/sensitive-data/test.py
+++ b/python/ql/test/experimental/dataflow/sensitive-data/test.py
@@ -19,3 +19,15 @@ get_secret() # $ SensitiveDataSource=secret
 fetch_certificate() # $ SensitiveDataSource=certificate
 account_id() # $ SensitiveDataSource=id
 safe_to_store = encrypt_password(pwd)
+
+# attributes
+foo = ObjectFromDatabase()
+foo.secret # $ SensitiveDataSource=secret
+foo.username # $ SensitiveDataSource=id
+
+# Special handling of lookups of sensitive properties
+request.args["password"], # $ MISSING: SensitiveDataSource=password
+request.args.get("password") # $ SensitiveDataSource=password
+
+# I don't think handling `getlist` is super important, just included it to show what we don't handle
+request.args.getlist("password")[0] # $ MISSING: SensitiveDataSource=password

From ac83c695ade878beb40cedc4df0b38de9d58a2a0 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 22 Apr 2021 11:49:38 +0200
Subject: [PATCH 0615/1429] Python: Add py/weak-sensitive-data-hashing query

---
 .../CWE-327/WeakSensitiveDataHashing.qhelp    | 103 ++++++++++++
 .../CWE-327/WeakSensitiveDataHashing.ql       |  47 ++++++
 .../examples/weak_certificate_hashing.py      |   9 +
 .../examples/weak_password_hashing_bad.py     |   4 +
 .../examples/weak_password_hashing_good.py    |   9 +
 .../dataflow/WeakSensitiveDataHashing.qll     |  74 +++++++++
 ...WeakSensitiveDataHashingCustomizations.qll | 157 ++++++++++++++++++
 .../README.md                                 |   3 +
 .../WeakSensitiveDataHashing.expected         |  27 +++
 .../WeakSensitiveDataHashing.qlref            |   1 +
 .../test_cryptodome.py                        |  25 +++
 .../test_cryptography.py                      |  29 ++++
 12 files changed, 488 insertions(+)
 create mode 100644 python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.qhelp
 create mode 100644 python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql
 create mode 100644 python/ql/src/Security/CWE-327/examples/weak_certificate_hashing.py
 create mode 100644 python/ql/src/Security/CWE-327/examples/weak_password_hashing_bad.py
 create mode 100644 python/ql/src/Security/CWE-327/examples/weak_password_hashing_good.py
 create mode 100644 python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashing.qll
 create mode 100644 python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashingCustomizations.qll
 create mode 100644 python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/README.md
 create mode 100644 python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected
 create mode 100644 python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.qlref
 create mode 100644 python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/test_cryptodome.py
 create mode 100644 python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/test_cryptography.py

diff --git a/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.qhelp b/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.qhelp
new file mode 100644
index 00000000000..05c727f0815
--- /dev/null
+++ b/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.qhelp
@@ -0,0 +1,103 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+     <overview>
+          <p>
+               Using a broken or weak cryptographic hash function can leave data
+               vulnerable, and should not be used in security related code.
+          </p>
+
+          <p>
+               A strong cryptographic hash function should be resistant to:
+          </p>
+          <ul>
+               <li>
+                    pre-image attacks: if you know a hash value <code>h(x)</code>,
+                    you should not be able to easily find the input <code>x</code>.
+               </li>
+               <li>
+                    collision attacks: if you know a hash value <code>h(x)</code>,
+                    you should not be able to easily find a different input <code>y</code>
+                    such that hash value is the same <code>h(x) = h(y)</code>.
+               </li>
+          </ul>
+          <p>
+               In cases with a limited input space, such as for passwords, the hash
+               function also needs to be computationally expensive to be resistant to
+               brute-force attacks.
+          </p>
+
+          <p>
+               As an example, both MD5 and SHA-1 is known to be vulnerable to collision attacks.
+          </p>
+
+          <p>
+               Since it's OK to use a weak cryptographic hash function in a non-security
+               context, this query only alerts when these are used to hash sensitive
+               data (such as passwords, certificates, usernames).
+          </p>
+
+          <p>
+               Use of broken or weak cryptographic algorithms that are not hashing algorithms, is
+               handled by the <code>py/weak-cryptographic-algorithm</code> query.
+          </p>
+
+     </overview>
+     <recommendation>
+
+          <p>
+               Ensure that you use a strong, modern cryptographic hash function:
+          </p>
+
+          <ul>
+               <li>
+                    such as Argon2, scrypt, bcrypt, or PBKDF2 for passwords and other data with limited input space.
+               </li>
+               <li>
+                    such as SHA-2, or SHA-3 in other cases.
+               </li>
+          </ul>
+
+     </recommendation>
+     <example>
+
+          <p>
+               The following example shows two functions for checking whether the hash
+               of a certificate matches a known value -- to prevent tampering.
+
+               The first function uses MD5 that is known to be vulnerable to collision attacks.
+
+               The second function uses SHA-256 that is a strong cryptographic hashing function.
+          </p>
+
+          <sample src="examples/weak_certificate_hashing.py" />
+
+     </example>
+     <example>
+          <p>
+               The following example shows two functions for hashing passwords.
+
+               The first function uses SHA-256 to hash passwords. Although SHA-256 is a
+               strong cryptographic hash function, it is not suitable for password
+               hashing since it is not computationally expensive.
+          </p>
+
+          <sample src="examples/weak_password_hashing_bad.py" />
+
+
+          <p>
+               The second function uses Argon2 (through the <code>argon2-cffi</code>
+               PyPI package), which is a strong password hashing algorithm (and
+               includes a per-password salt by default).
+          </p>
+
+          <sample src="examples/weak_password_hashing_good.py" />
+
+     </example>
+
+     <references>
+          <li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html">Password Storage Cheat Sheet</a></li>
+     </references>
+
+</qhelp>
diff --git a/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql b/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql
new file mode 100644
index 00000000000..2df0148cce4
--- /dev/null
+++ b/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql
@@ -0,0 +1,47 @@
+/**
+ * @name Use of a broken or weak cryptographic hashing algorithm on sensitive data
+ * @description Using broken or weak cryptographic hashing algorithms can compromise security.
+ * @kind path-problem
+ * @problem.severity warning
+ * @precision high
+ * @id py/weak-sensitive-data-hashing
+ * @tags security
+ *       external/cwe/cwe-327
+ *       external/cwe/cwe-916
+ */
+
+import python
+import semmle.python.security.dataflow.WeakSensitiveDataHashing
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import DataFlow::PathGraph
+
+from
+  DataFlow::PathNode source, DataFlow::PathNode sink, string ending, string algorithmName,
+  string classification
+where
+  exists(NormalHashFunction::Configuration config |
+    config.hasFlowPath(source, sink) and
+    algorithmName = sink.getNode().(NormalHashFunction::Sink).getAlgorithmName() and
+    classification = source.getNode().(NormalHashFunction::Source).getClassification() and
+    ending = "."
+  )
+  or
+  exists(ComputationallyExpensiveHashFunction::Configuration config |
+    config.hasFlowPath(source, sink) and
+    algorithmName = sink.getNode().(ComputationallyExpensiveHashFunction::Sink).getAlgorithmName() and
+    classification =
+      source.getNode().(ComputationallyExpensiveHashFunction::Source).getClassification() and
+    (
+      sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
+      ending = "."
+      or
+      not sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
+      ending =
+        " for " + classification +
+          " hashing, since it is not a computationally expensive hash function."
+    )
+  )
+select sink.getNode(), source, sink,
+  "$@ is used in a hashing algorithm (" + algorithmName + ") that is insecure" + ending,
+  source.getNode(), "Sensitive data (" + classification + ")"
diff --git a/python/ql/src/Security/CWE-327/examples/weak_certificate_hashing.py b/python/ql/src/Security/CWE-327/examples/weak_certificate_hashing.py
new file mode 100644
index 00000000000..8725c8b3f4f
--- /dev/null
+++ b/python/ql/src/Security/CWE-327/examples/weak_certificate_hashing.py
@@ -0,0 +1,9 @@
+import hashlib
+
+def certificate_matches_known_hash_bad(certificate, known_hash):
+    hash = hashlib.md5(certificate).hexdigest() # BAD
+    return hash == known_hash
+
+def certificate_matches_known_hash_good(certificate, known_hash):
+    hash = hashlib.sha256(certificate).hexdigest() # GOOD
+    return hash == known_hash
diff --git a/python/ql/src/Security/CWE-327/examples/weak_password_hashing_bad.py b/python/ql/src/Security/CWE-327/examples/weak_password_hashing_bad.py
new file mode 100644
index 00000000000..077853131b8
--- /dev/null
+++ b/python/ql/src/Security/CWE-327/examples/weak_password_hashing_bad.py
@@ -0,0 +1,4 @@
+import hashlib
+
+def get_password_hash(password: str, salt: str):
+    return hashlib.sha256(password + salt).hexdigest() # BAD
diff --git a/python/ql/src/Security/CWE-327/examples/weak_password_hashing_good.py b/python/ql/src/Security/CWE-327/examples/weak_password_hashing_good.py
new file mode 100644
index 00000000000..e35ad31d1d7
--- /dev/null
+++ b/python/ql/src/Security/CWE-327/examples/weak_password_hashing_good.py
@@ -0,0 +1,9 @@
+from argon2 import PasswordHasher
+
+def get_initial_hash(password: str):
+    ph = PasswordHasher()
+    return ph.hash(password) # GOOD
+
+def check_password(password: str, known_hash):
+    ph = PasswordHasher()
+    return ph.verify(known_hash, password) # GOOD
diff --git a/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashing.qll b/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashing.qll
new file mode 100644
index 00000000000..49634d52a4e
--- /dev/null
+++ b/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashing.qll
@@ -0,0 +1,74 @@
+/**
+ * Provides a taint-tracking configuration for detecting use of a broken or weak
+ * cryptographic hashing algorithm on sensitive data.
+ *
+ * Note, for performance reasons: only import this file if
+ * `WeakSensitiveDataHashing::Configuration` is needed, otherwise
+ * `SqlInjectionCustomizations` should be imported instead.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.dataflow.new.BarrierGuards
+
+/**
+ * Provides a taint-tracking configuration for detecting use of a broken or weak
+ * cryptographic hash function on sensitive data, that does NOT require a
+ * computationally expensive hash function.
+ */
+module NormalHashFunction {
+  import WeakSensitiveDataHashingCustomizations::NormalHashFunction
+
+  /**
+   * A taint-tracking configuration for detecting use of a broken or weak
+   * cryptographic hashing algorithm on sensitive data.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "NormalHashFunction" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) {
+      super.isSanitizer(node)
+      or
+      node instanceof Sanitizer
+    }
+  }
+}
+
+/**
+ * Provides a taint-tracking configuration for detecting use of a broken or weak
+ * cryptographic hashing algorithm on passwords.
+ *
+ * Passwords has stricter requirements on the hashing algorithm used (must be
+ * computationally expensive to prevent brute-force attacks).
+ */
+module ComputationallyExpensiveHashFunction {
+  import WeakSensitiveDataHashingCustomizations::ComputationallyExpensiveHashFunction
+
+  /**
+   * A taint-tracking configuration for detecting use of a broken or weak
+   * cryptographic hashing algorithm on passwords.
+   *
+   * Passwords has stricter requirements on the hashing algorithm used (must be
+   * computationally expensive to prevent brute-force attacks).
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "ComputationallyExpensiveHashFunction" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) {
+      super.isSanitizer(node)
+      or
+      node instanceof Sanitizer
+    }
+  }
+}
diff --git a/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashingCustomizations.qll b/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashingCustomizations.qll
new file mode 100644
index 00000000000..e388c46d601
--- /dev/null
+++ b/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashingCustomizations.qll
@@ -0,0 +1,157 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "use of a broken or weak cryptographic hashing algorithm on sensitive data"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.SensitiveDataSources
+private import semmle.python.dataflow.new.BarrierGuards
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "use of a broken or weak cryptographic hashing algorithm on sensitive data"
+ * vulnerabilities on sensitive data that does NOT require computationally expensive
+ * hashing, as well as extension points for adding your own.
+ *
+ * Also see the `ComputationallyExpensiveHashFunction` module.
+ */
+module NormalHashFunction {
+  /**
+   * A data flow source for "use of a broken or weak cryptographic hashing algorithm on
+   * sensitive data" vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node {
+    Source() { not this instanceof ComputationallyExpensiveHashFunction::Source }
+
+    /** Gets the classification of the sensitive data. */
+    abstract string getClassification();
+  }
+
+  /**
+   * A data flow sink for "use of a broken or weak cryptographic hashing algorithm on
+   * sensitive data" vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node {
+    /**
+     * Gets the name of the weak hashing algorithm.
+     */
+    abstract string getAlgorithmName();
+  }
+
+  /**
+   * A sanitizer for "use of a broken or weak cryptographic hashing algorithm on
+   * sensitive data" vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A source of sensitive data, considered as a flow source.
+   */
+  class SensitiveDataSourceAsSource extends Source, SensitiveDataSource {
+    override string getClassification() { result = SensitiveDataSource.super.getClassification() }
+  }
+
+  /** The input to a hashing operation using a weak algorithm, considered as a flow sink. */
+  class WeakHashingOperationInputSink extends Sink {
+    Cryptography::HashingAlgorithm algorithm;
+
+    WeakHashingOperationInputSink() {
+      exists(Cryptography::CryptographicOperation operation |
+        algorithm = operation.getAlgorithm() and
+        algorithm.isWeak() and
+        this = operation.getAnInput()
+      )
+    }
+
+    override string getAlgorithmName() { result = algorithm.getName() }
+  }
+}
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "use of a broken or weak cryptographic hashing algorithm on sensitive data"
+ * vulnerabilities on sensitive data that DOES require computationally expensive
+ * hashing, as well as extension points for adding your own.
+ *
+ * Also see the `NormalHashFunction` module.
+ */
+module ComputationallyExpensiveHashFunction {
+  /**
+   * A data flow source of sensitive data that requires computationally expensive
+   * hashing for "use of a broken or weak cryptographic hashing algorithm on sensitive
+   * data" vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node {
+    /** Gets the classification of the sensitive data. */
+    abstract string getClassification();
+  }
+
+  /**
+   * A data flow sink for sensitive data that requires computationally expensive
+   * hashing for "use of a broken or weak cryptographic hashing algorithm on sensitive
+   * data" vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node {
+    /**
+     * Gets the name of the weak hashing algorithm.
+     */
+    abstract string getAlgorithmName();
+
+    /**
+     * Holds if this sink is for a computationally expensive hash function (meaning that
+     * hash function is just weak in some other regard.
+     */
+    abstract predicate isComputationallyExpensive();
+  }
+
+  /**
+   * A sanitizer of sensitive data that requires computationally expensive
+   * hashing for "use of a broken or weak cryptographic hashing
+   * algorithm on sensitive data" vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A source of passwords, considered as a flow source.
+   */
+  class PasswordSourceAsSource extends Source, SensitiveDataSource {
+    PasswordSourceAsSource() {
+      // TODO: once https://github.com/github/codeql/pull/5739 has been merged,
+      // don't use hardcoded value anymore
+      SensitiveDataSource.super.getClassification() = "password"
+    }
+
+    override string getClassification() { result = SensitiveDataSource.super.getClassification() }
+  }
+
+  /**
+   * The input to a password hashing operation using a weak algorithm, considered as a
+   * flow sink.
+   */
+  class WeakPasswordHashingOperationInputSink extends Sink {
+    Cryptography::CryptographicAlgorithm algorithm;
+
+    WeakPasswordHashingOperationInputSink() {
+      (
+        algorithm instanceof Cryptography::PasswordHashingAlgorithm and
+        algorithm.isWeak()
+        or
+        algorithm instanceof Cryptography::HashingAlgorithm
+      ) and
+      exists(Cryptography::CryptographicOperation operation |
+        algorithm = operation.getAlgorithm() and
+        this = operation.getAnInput()
+      )
+    }
+
+    override string getAlgorithmName() { result = algorithm.getName() }
+
+    override predicate isComputationallyExpensive() {
+      algorithm instanceof Cryptography::PasswordHashingAlgorithm
+    }
+  }
+}
diff --git a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/README.md b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/README.md
new file mode 100644
index 00000000000..9c6e429aefc
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/README.md
@@ -0,0 +1,3 @@
+Note that the tests in this directory are very shallow, and simply show that the query is able to produce alerts.
+
+More in-depth tests can be found for the individual frameworks that we have modeled `Cryptography::CryptographicOperation` for.
diff --git a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected
new file mode 100644
index 00000000000..3a7dc65ddb4
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected
@@ -0,0 +1,27 @@
+edges
+| test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous |
+| test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous |
+| test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous |
+| test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous |
+| test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous |
+| test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous |
+nodes
+| test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | semmle.label | ControlFlowNode for get_certificate() |
+| test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous |
+| test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
+| test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous |
+| test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
+| test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous |
+| test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | semmle.label | ControlFlowNode for get_certificate() |
+| test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous |
+| test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
+| test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous |
+| test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
+| test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous |
+#select
+| test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | Sensitive data (certificate) |
+| test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | Sensitive data (password) |
+| test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | Sensitive data (password) |
+| test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | Sensitive data (certificate) |
+| test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | Sensitive data (password) |
+| test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | Sensitive data (password) |
diff --git a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.qlref b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.qlref
new file mode 100644
index 00000000000..6c8eeda7222
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.qlref
@@ -0,0 +1 @@
+Security/CWE-327/WeakSensitiveDataHashing.ql
diff --git a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/test_cryptodome.py b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/test_cryptodome.py
new file mode 100644
index 00000000000..3e196196ef9
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/test_cryptodome.py
@@ -0,0 +1,25 @@
+from Cryptodome.Hash import MD5, SHA256
+from my_module import get_password, get_certificate
+
+
+def get_badly_hashed_certificate():
+    dangerous = get_certificate()
+    hasher = MD5.new()
+    hasher.update(dangerous) # NOT OK
+    return hasher.hexdigest()
+
+
+def get_badly_hashed_password():
+    dangerous = get_password()
+    hasher = MD5.new()
+    hasher.update(dangerous) # NOT OK
+    return hasher.hexdigest()
+
+
+def get_badly_hashed_password2():
+    dangerous = get_password()
+    # Although SHA-256 is a strong cryptographic hash functions,
+    # it is not suitable for password hashing.
+    hasher = SHA256.new()
+    hasher.update(dangerous) # NOT OK
+    return hasher.hexdigest()
diff --git a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/test_cryptography.py b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/test_cryptography.py
new file mode 100644
index 00000000000..1090fda959c
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/test_cryptography.py
@@ -0,0 +1,29 @@
+from cryptography.hazmat.primitives import hashes
+from binascii import hexlify
+from my_module import get_password, get_certificate
+
+
+def get_badly_hashed_certificate():
+    dangerous = get_certificate()
+    hasher = hashes.Hash(hashes.MD5())
+    hasher.update(dangerous) # NOT OK
+    digest = hasher.finalize()
+    return hexlify(digest).decode("utf-8")
+
+
+def get_badly_hashed_password():
+    dangerous = get_password()
+    hasher = hashes.Hash(hashes.MD5())
+    hasher.update(dangerous) # NOT OK
+    digest = hasher.finalize()
+    return hexlify(digest).decode("utf-8")
+
+
+def get_badly_hashed_password2():
+    dangerous = get_password()
+    # Although SHA-256 is a strong cryptographic hash functions,
+    # it is not suitable for password hashing.
+    hasher = hashes.Hash(hashes.SHA256())
+    hasher.update(dangerous) # NOT OK
+    digest = hasher.finalize()
+    return hexlify(digest).decode("utf-8")

From fc1a6d0e325f60868a95140d6c72e785a497230f Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 22 Apr 2021 14:47:33 +0200
Subject: [PATCH 0616/1429] Python: Say salting is not part of
 py/weak-sensitive-data-hashing

---
 python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.qhelp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.qhelp b/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.qhelp
index 05c727f0815..1d7b5a4f456 100644
--- a/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.qhelp
+++ b/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.qhelp
@@ -25,7 +25,8 @@
           <p>
                In cases with a limited input space, such as for passwords, the hash
                function also needs to be computationally expensive to be resistant to
-               brute-force attacks.
+               brute-force attacks. Passwords should also have an unique salt applied
+               before hashing, but that is not considered by this query.
           </p>
 
           <p>

From b82209964a74669766476c6be7619efedafa18a8 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 14 Apr 2021 13:55:01 +0200
Subject: [PATCH 0617/1429] Python: Add change-note for new weak crypto queries

---
 python/change-notes/2021-04-09-split-weak-crypto-query.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 python/change-notes/2021-04-09-split-weak-crypto-query.md

diff --git a/python/change-notes/2021-04-09-split-weak-crypto-query.md b/python/change-notes/2021-04-09-split-weak-crypto-query.md
new file mode 100644
index 00000000000..221b2ea07df
--- /dev/null
+++ b/python/change-notes/2021-04-09-split-weak-crypto-query.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Updated the _Use of a broken or weak cryptographic algorithm_ (`py/weak-cryptographic-algorithm`) query, so it alerts on any use of a weak cryptographic non-hashing algorithm. Introduced a new query _Use of a broken or weak cryptographic hashing algorithm on sensitive data_ (`py/weak-sensitive-data-hashing`) to handle weak cryptographic hashing algorithms, which only alerts when used on sensitive data.

From 222c087e8c2560a58579c3f5fb1ea1405bb23532 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 22 Apr 2021 15:22:08 +0200
Subject: [PATCH 0618/1429] Python: Remove type-tracking performance workaround

Since we shouldn't need it anymore (yay)
---
 .../semmle/python/frameworks/Cryptography.qll | 68 ++-----------------
 .../src/semmle/python/frameworks/Stdlib.qll   | 16 +----
 2 files changed, 5 insertions(+), 79 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Cryptography.qll b/python/ql/src/semmle/python/frameworks/Cryptography.qll
index bc7bdc0109f..5ad6b9200c2 100644
--- a/python/ql/src/semmle/python/frameworks/Cryptography.qll
+++ b/python/ql/src/semmle/python/frameworks/Cryptography.qll
@@ -206,22 +206,7 @@ private module CryptographyModel {
             ]
         )
         or
-        // Due to bad performance when using normal setup with `cipherInstance(t2, algorithmName).track(t2, t)`
-        // we have inlined that code and forced a join
-        exists(DataFlow::TypeTracker t2 |
-          exists(DataFlow::StepSummary summary |
-            cipherInstance_first_join(t2, algorithmName, result, summary) and
-            t = t2.append(summary)
-          )
-        )
-      }
-
-      pragma[nomagic]
-      private predicate cipherInstance_first_join(
-        DataFlow::TypeTracker t2, string algorithmName, DataFlow::Node res,
-        DataFlow::StepSummary summary
-      ) {
-        DataFlow::StepSummary::step(cipherInstance(t2, algorithmName), res, summary)
+        exists(DataFlow::TypeTracker t2 | result = cipherInstance(t2, algorithmName).track(t2, t))
       }
 
       /** Gets a reference to the encryptor of a Cipher instance using algorithm with `algorithmName`. */
@@ -233,22 +218,7 @@ private module CryptographyModel {
           attr.getObject() = cipherInstance(algorithmName)
         )
         or
-        // Due to bad performance when using normal setup with `cipherEncryptor(t2, algorithmName).track(t2, t)`
-        // we have inlined that code and forced a join
-        exists(DataFlow::TypeTracker t2 |
-          exists(DataFlow::StepSummary summary |
-            cipherEncryptor_first_join(t2, algorithmName, result, summary) and
-            t = t2.append(summary)
-          )
-        )
-      }
-
-      pragma[nomagic]
-      private predicate cipherEncryptor_first_join(
-        DataFlow::TypeTracker t2, string algorithmName, DataFlow::Node res,
-        DataFlow::StepSummary summary
-      ) {
-        DataFlow::StepSummary::step(cipherEncryptor(t2, algorithmName), res, summary)
+        exists(DataFlow::TypeTracker t2 | result = cipherEncryptor(t2, algorithmName).track(t2, t))
       }
 
       /** Gets a reference to the dncryptor of a Cipher instance using algorithm with `algorithmName`. */
@@ -260,22 +230,7 @@ private module CryptographyModel {
           attr.getObject() = cipherInstance(algorithmName)
         )
         or
-        // Due to bad performance when using normal setup with `cipherDecryptor(t2, algorithmName).track(t2, t)`
-        // we have inlined that code and forced a join
-        exists(DataFlow::TypeTracker t2 |
-          exists(DataFlow::StepSummary summary |
-            cipherDecryptor_first_join(t2, algorithmName, result, summary) and
-            t = t2.append(summary)
-          )
-        )
-      }
-
-      pragma[nomagic]
-      private predicate cipherDecryptor_first_join(
-        DataFlow::TypeTracker t2, string algorithmName, DataFlow::Node res,
-        DataFlow::StepSummary summary
-      ) {
-        DataFlow::StepSummary::step(cipherDecryptor(t2, algorithmName), res, summary)
+        exists(DataFlow::TypeTracker t2 | result = cipherDecryptor(t2, algorithmName).track(t2, t))
       }
     }
 
@@ -362,22 +317,7 @@ private module CryptographyModel {
           ]
       )
       or
-      // Due to bad performance when using normal setup with `hashInstance(t2, algorithmName).track(t2, t)`
-      // we have inlined that code and forced a join
-      exists(DataFlow::TypeTracker t2 |
-        exists(DataFlow::StepSummary summary |
-          hashInstance_first_join(t2, algorithmName, result, summary) and
-          t = t2.append(summary)
-        )
-      )
-    }
-
-    pragma[nomagic]
-    private predicate hashInstance_first_join(
-      DataFlow::TypeTracker t2, string algorithmName, DataFlow::Node res,
-      DataFlow::StepSummary summary
-    ) {
-      DataFlow::StepSummary::step(hashInstance(t2, algorithmName), res, summary)
+      exists(DataFlow::TypeTracker t2 | result = hashInstance(t2, algorithmName).track(t2, t))
     }
 
     /** Gets a reference to a Hash instance using algorithm with `algorithmName`. */
diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index 5f4a2d22adb..fd7dba70898 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -886,21 +886,7 @@ private DataFlow::LocalSourceNode hashlibNewResult(DataFlow::TypeTracker t, stri
   t.start() and
   result = hashlibNewCall(algorithmName)
   or
-  // Due to bad performance when using normal setup with `hashlibNewResult(t2, algorithmName).track(t2, t)`
-  // we have inlined that code and forced a join
-  exists(DataFlow::TypeTracker t2 |
-    exists(DataFlow::StepSummary summary |
-      hashlibNewResult_first_join(t2, algorithmName, result, summary) and
-      t = t2.append(summary)
-    )
-  )
-}
-
-pragma[nomagic]
-private predicate hashlibNewResult_first_join(
-  DataFlow::TypeTracker t2, string algorithmName, DataFlow::Node res, DataFlow::StepSummary summary
-) {
-  DataFlow::StepSummary::step(hashlibNewResult(t2, algorithmName), res, summary)
+  exists(DataFlow::TypeTracker t2 | result = hashlibNewResult(t2, algorithmName).track(t2, t))
 }
 
 /** Gets a reference to the result of calling `hashlib.new` with `algorithmName` as the first argument. */

From f9383a31bf83143b8465e5b653fc44cc4586f597 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 22 Apr 2021 15:58:28 +0200
Subject: [PATCH 0619/1429] Python: Fix BrokenCryptoAlgorithm.qhelp

---
 python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
index 5d18f6dd5d3..1b26d30e0fe 100644
--- a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -46,10 +46,10 @@
 
           <p>
                NOTICE: the original
-               <a href="https://pypi.org/project/pycrypto/"><code>pycrypto</code></a>
+               <code><a href="https://pypi.org/project/pycrypto/">pycrypto</a></code>
                PyPI package that provided the <code>Crypto</code> module is not longer
                actively maintained, so you should use the
-               <a href="https://pypi.org/project/pycryptodome/"><code>pycryptodome</code></a>
+               <code><a href="https://pypi.org/project/pycryptodome/">pycryptodome</a></code>
                PyPI package instead (which has a compatible API).
           </p>
 

From 5d0a4cae90e03e2098f2cd1e2a3febd8e1148f7a Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Thu, 22 Apr 2021 16:51:36 -0400
Subject: [PATCH 0620/1429] C++: Add `{AllAliased}` side effects for smart
 pointers

Smart pointer constructors, assignments, and `reset()` can actually have fairly large side effects, especially with custom deleters, destructors for objects being destroyed, and so on. I've re-introduced `{AllAliased}` side effects for these functions. There was no immediate effect on analysis results.
---
 .../semmle/code/cpp/models/implementations/SmartPointer.qll   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
index ebe0de3fd6e..7f9639f6373 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
@@ -106,9 +106,9 @@ private class SmartPtrSetterFunction extends MemberFunction, AliasFunction, Side
     )
   }
 
-  override predicate hasOnlySpecificReadSideEffects() { this instanceof Constructor }
+  override predicate hasOnlySpecificReadSideEffects() { none() }
 
-  override predicate hasOnlySpecificWriteSideEffects() { this instanceof ConstMemberFunction }
+  override predicate hasOnlySpecificWriteSideEffects() { none() }
 
   override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
     // Always write to the destination smart pointer itself.

From 3b04bedee0c951b318bab322a4df7261ab888efa Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Thu, 22 Apr 2021 17:19:00 -0400
Subject: [PATCH 0621/1429] Stub out additional bits of Alias model for C#

---
 .../internal/AliasAnalysisImports.qll         | 275 ++++++++++++++++++
 1 file changed, 275 insertions(+)

diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll
index 7992aa9ed14..e0bf271dcc7 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll
@@ -3,6 +3,276 @@ import experimental.ir.implementation.IRConfiguration
 import experimental.ir.internal.IntegerConstant as Ints
 
 module AliasModels {
+  class ParameterIndex = int;
+
+  /**
+   * An input to a function. This can be:
+   * - The value of one of the function's parameters
+   * - The value pointed to by one of function's pointer or reference parameters
+   * - The value of the function's `this` pointer
+   * - The value pointed to by the function's `this` pointer
+   */
+  abstract class FunctionInput extends string {
+    FunctionInput() { none() }
+
+    /**
+     * Holds if this is the input value of the parameter with index `index`.
+     *
+     * Example:
+     * ```
+     * void func(int n, char* p, float& r);
+     * ```
+     * - `isParameter(0)` holds for the `FunctionInput` that represents the value of `n` (with type
+     *   `int`) on entry to the function.
+     * - `isParameter(1)` holds for the `FunctionInput` that represents the value of `p` (with type
+     *   `char*`) on entry to the function.
+     * - `isParameter(2)` holds for the `FunctionInput` that represents the "value" of the reference
+     *   `r` (with type `float&`) on entry to the function, _not_ the value of the referred-to
+     *   `float`.
+     */
+    predicate isParameter(ParameterIndex index) { none() }
+
+    /**
+     * Holds if this is the input value of the parameter with index `index`.
+     * DEPRECATED: Use `isParameter(index)` instead.
+     */
+    deprecated final predicate isInParameter(ParameterIndex index) { isParameter(index) }
+
+    /**
+     * Holds if this is the input value pointed to by a pointer parameter to a function, or the input
+     * value referred to by a reference parameter to a function, where the parameter has index
+     * `index`.
+     *
+     * Example:
+     * ```
+     * void func(int n, char* p, float& r);
+     * ```
+     * - `isParameterDeref(1)` holds for the `FunctionInput` that represents the value of `*p` (with
+     *   type `char`) on entry to the function.
+     * - `isParameterDeref(2)` holds for the `FunctionInput` that represents the value of `r` (with type
+     *   `float`) on entry to the function.
+     * - There is no `FunctionInput` for which `isParameterDeref(0)` holds, because `n` is neither a
+     *   pointer nor a reference.
+     */
+    predicate isParameterDeref(ParameterIndex index) { none() }
+
+    /**
+     * Holds if this is the input value pointed to by a pointer parameter to a function, or the input
+     * value referred to by a reference parameter to a function, where the parameter has index
+     * `index`.
+     * DEPRECATED: Use `isParameterDeref(index)` instead.
+     */
+    deprecated final predicate isInParameterPointer(ParameterIndex index) {
+      isParameterDeref(index)
+    }
+
+    /**
+     * Holds if this is the input value pointed to by the `this` pointer of an instance member
+     * function.
+     *
+     * Example:
+     * ```
+     * struct C {
+     *   void mfunc(int n, char* p, float& r) const;
+     * };
+     * ```
+     * - `isQualifierObject()` holds for the `FunctionInput` that represents the value of `*this`
+     *   (with type `C const`) on entry to the function.
+     */
+    predicate isQualifierObject() { none() }
+
+    /**
+     * Holds if this is the input value pointed to by the `this` pointer of an instance member
+     * function.
+     * DEPRECATED: Use `isQualifierObject()` instead.
+     */
+    deprecated final predicate isInQualifier() { isQualifierObject() }
+
+    /**
+     * Holds if this is the input value of the `this` pointer of an instance member function.
+     *
+     * Example:
+     * ```
+     * struct C {
+     *   void mfunc(int n, char* p, float& r) const;
+     * };
+     * ```
+     * - `isQualifierAddress()` holds for the `FunctionInput` that represents the value of `this`
+     *   (with type `C const *`) on entry to the function.
+     */
+    predicate isQualifierAddress() { none() }
+
+    /**
+     * Holds if `i >= 0` and `isParameter(i)` holds for this value, or
+     * if `i = -1` and `isQualifierAddress()` holds for this value.
+     */
+    final predicate isParameterOrQualifierAddress(ParameterIndex i) {
+      i >= 0 and this.isParameter(i)
+      or
+      i = -1 and this.isQualifierAddress()
+    }
+
+    /**
+     * Holds if this is the input value pointed to by the return value of a
+     * function, if the function returns a pointer, or the input value referred
+     * to by the return value of a function, if the function returns a reference.
+     *
+     * Example:
+     * ```
+     * char* getPointer();
+     * float& getReference();
+     * int getInt();
+     * ```
+     * - `isReturnValueDeref()` holds for the `FunctionInput` that represents the
+     *   value of `*getPointer()` (with type `char`).
+     * - `isReturnValueDeref()` holds for the `FunctionInput` that represents the
+     *   value of `getReference()` (with type `float`).
+     * - There is no `FunctionInput` of `getInt()` for which
+     *   `isReturnValueDeref()` holds because the return type of `getInt()` is
+     *   neither a pointer nor a reference.
+     *
+     * Note that data flows in through function return values are relatively
+     * rare, but they do occur when a function returns a reference to itself,
+     * part of itself, or one of its other inputs.
+     */
+    predicate isReturnValueDeref() { none() }
+
+    /**
+     * Holds if `i >= 0` and `isParameterDeref(i)` holds for this value, or
+     * if `i = -1` and `isQualifierObject()` holds for this value.
+     */
+    final predicate isParameterDerefOrQualifierObject(ParameterIndex i) {
+      i >= 0 and this.isParameterDeref(i)
+      or
+      i = -1 and this.isQualifierObject()
+    }
+  }
+
+  /**
+   * An output from a function. This can be:
+   * - The value pointed to by one of function's pointer or reference parameters
+   * - The value pointed to by the function's `this` pointer
+   * - The function's return value
+   * - The value pointed to by the function's return value, if the return value is a pointer or
+   *   reference
+   */
+  abstract class FunctionOutput extends string {
+    FunctionOutput() { none() }
+
+    /**
+     * Holds if this is the output value pointed to by a pointer parameter to a function, or the
+     * output value referred to by a reference parameter to a function, where the parameter has
+     * index `index`.
+     *
+     * Example:
+     * ```
+     * void func(int n, char* p, float& r);
+     * ```
+     * - `isParameterDeref(1)` holds for the `FunctionOutput` that represents the value of `*p` (with
+     *   type `char`) on return from the function.
+     * - `isParameterDeref(2)` holds for the `FunctionOutput` that represents the value of `r` (with
+     *   type `float`) on return from the function.
+     * - There is no `FunctionOutput` for which `isParameterDeref(0)` holds, because `n` is neither a
+     *   pointer nor a reference.
+     */
+    predicate isParameterDeref(ParameterIndex i) { none() }
+
+    /**
+     * Holds if this is the output value pointed to by a pointer parameter to a function, or the
+     * output value referred to by a reference parameter to a function, where the parameter has
+     * index `index`.
+     * DEPRECATED: Use `isParameterDeref(index)` instead.
+     */
+    deprecated final predicate isOutParameterPointer(ParameterIndex index) {
+      isParameterDeref(index)
+    }
+
+    /**
+     * Holds if this is the output value pointed to by the `this` pointer of an instance member
+     *   function.
+     *
+     * Example:
+     * ```
+     * struct C {
+     *   void mfunc(int n, char* p, float& r);
+     * };
+     * ```
+     * - `isQualifierObject()` holds for the `FunctionOutput` that represents the value of `*this`
+     *   (with type `C`) on return from the function.
+     */
+    predicate isQualifierObject() { none() }
+
+    /**
+     * Holds if this is the output value pointed to by the `this` pointer of an instance member
+     * function.
+     * DEPRECATED: Use `isQualifierObject()` instead.
+     */
+    deprecated final predicate isOutQualifier() { isQualifierObject() }
+
+    /**
+     * Holds if this is the value returned by a function.
+     *
+     * Example:
+     * ```
+     * int getInt();
+     * char* getPointer();
+     * float& getReference();
+     * ```
+     * - `isReturnValue()` holds for the `FunctionOutput` that represents the value returned by
+     *   `getInt()` (with type `int`).
+     * - `isReturnValue()` holds for the `FunctionOutput` that represents the value returned by
+     *   `getPointer()` (with type `char*`).
+     * - `isReturnValue()` holds for the `FunctionOutput` that represents the "value" of the reference
+     *   returned by `getReference()` (with type `float&`), _not_ the value of the referred-to
+     *   `float`.
+     */
+    predicate isReturnValue() { none() }
+
+    /**
+     * Holds if this is the value returned by a function.
+     * DEPRECATED: Use `isReturnValue()` instead.
+     */
+    deprecated final predicate isOutReturnValue() { isReturnValue() }
+
+    /**
+     * Holds if this is the output value pointed to by the return value of a function, if the function
+     * returns a pointer, or the output value referred to by the return value of a function, if the
+     * function returns a reference.
+     *
+     * Example:
+     * ```
+     * char* getPointer();
+     * float& getReference();
+     * int getInt();
+     * ```
+     * - `isReturnValueDeref()` holds for the `FunctionOutput` that represents the value of
+     *   `*getPointer()` (with type `char`).
+     * - `isReturnValueDeref()` holds for the `FunctionOutput` that represents the value of
+     *   `getReference()` (with type `float`).
+     * - There is no `FunctionOutput` of `getInt()` for which `isReturnValueDeref()` holds because the
+     *   return type of `getInt()` is neither a pointer nor a reference.
+     */
+    predicate isReturnValueDeref() { none() }
+
+    /**
+     * Holds if this is the output value pointed to by the return value of a function, if the function
+     * returns a pointer, or the output value referred to by the return value of a function, if the
+     * function returns a reference.
+     * DEPRECATED: Use `isReturnValueDeref()` instead.
+     */
+    deprecated final predicate isOutReturnPointer() { isReturnValueDeref() }
+
+    /**
+     * Holds if `i >= 0` and `isParameterDeref(i)` holds for this is the value, or
+     * if `i = -1` and `isQualifierObject()` holds for this value.
+     */
+    final predicate isParameterDerefOrQualifierObject(ParameterIndex i) {
+      i >= 0 and this.isParameterDeref(i)
+      or
+      i = -1 and this.isQualifierObject()
+    }
+  }
+
   /**
    * Models the aliasing behavior of a library function.
    */
@@ -44,5 +314,10 @@ module AliasModels {
      * Holds if the function always returns the value of the parameter at the specified index.
      */
     abstract predicate parameterIsAlwaysReturned(int index);
+
+    /**
+     * Holds if the address passed in via `input` is always propagated to `output`.
+     */
+    abstract predicate hasAddressFlow(FunctionInput input, FunctionOutput output);
   }
 }

From 958e2fab050f42f29c51f196b0fc9412920e7fd4 Mon Sep 17 00:00:00 2001
From: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
Date: Thu, 22 Apr 2021 23:36:17 +0200
Subject: [PATCH 0622/1429] Apply suggestions from code review

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../CWE/CWE-347/MissingJWTSignatureCheck.qhelp       |  6 +++---
 .../Security/CWE/CWE-347/MissingJWTSignatureCheck.ql | 12 ++++++------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.qhelp b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.qhelp
index 4a5398f1ac5..3b93936c21b 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.qhelp
@@ -2,7 +2,7 @@
 <qhelp>
 
 <overview>
-<p> A JWT consists of three parts: header, payload, and signature.
+<p> A JSON Web Token (JWT) consists of three parts: header, payload, and signature.
 The <code>io.jsonwebtoken.jjwt</code> library is one of many libraries used for working with JWTs.
 It offers different methods for parsing tokens like <code>parse</code>, <code>parseClaimsJws</code>, and <code>parsePlaintextJws</code>.
 The last two correctly verify that the JWT is properly signed.
@@ -12,7 +12,7 @@ comparing the locally computed signature with the signature part of the JWT.
 <p>
 Therefore it is necessary to provide the <code>JwtParser</code> with a key that is used for signature validation.
 Unfortunately the <code>parse</code> method <b>accepts</b> a JWT whose signature is empty although a signing key has been set for the parser.
-This means that an attacker can create arbitrary JWTs that will be accepted.
+This means that an attacker can create arbitrary JWTs that will be accepted if this method is used.
 </p>
 </overview>
 <recommendation>
@@ -36,4 +36,4 @@ The third and fourth good cases use <code>parseClaimsJws</code> method or overri
 <references>
 <li>zofrex: <a href="https://www.zofrex.com/blog/2020/10/20/alg-none-jwt-nhs-contact-tracing-app/">How I Found An alg=none JWT Vulnerability in the NHS Contact Tracing App</a>.</li>
 </references>
-</qhelp>
\ No newline at end of file
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
index fafbf288b1f..d6b7fe3514a 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
@@ -70,10 +70,10 @@ private class JwtHandlerAdapterOnJwtMethod extends Method {
 
 /**
  * Holds if `parseHandlerExpr` is an insecure `JwtHandler`.
- * That is, it overrides a method from `JwtHandlerOnJwtMethod` and the overridden method is not a method from `JwtHandlerAdapterOnJwtMethod`.
- * A overridden method which is a method from `JwtHandlerAdapterOnJwtMethod` is safe, because these always throw an exception.
+ * That is, it overrides a method from `JwtHandlerOnJwtMethod` and the override is not defined on `JwtHandlerAdapter`.
+ * `JwtHandlerAdapter`'s overrides are safe since they always throw an exception.
  */
-private predicate isInsecureParseHandler(Expr parseHandlerExpr) {
+private predicate isInsecureJwtHandler(Expr parseHandlerExpr) {
   exists(RefType t |
     parseHandlerExpr.getType() = t and
     t.getASourceSupertype*() instanceof TypeJwtHandler and
@@ -95,7 +95,7 @@ private class JwtParserInsecureParseMethodAccess extends MethodAccess {
     this.getMethod().getASourceOverriddenMethod*() instanceof JwtParserInsecureParseMethod
     or
     this.getMethod().getASourceOverriddenMethod*() instanceof JwtParserParseHandlerMethod and
-    isInsecureParseHandler(this.getArgument(1))
+    isInsecureJwtHandler(this.getArgument(1))
   }
 }
 
@@ -113,7 +113,7 @@ private class JwtParserInsecureParseMethodAccess extends MethodAccess {
  * ```
  * In this case, the signing key is set on a `JwtParserBuilder` indirectly setting the key of `JwtParser` that is created by the call to `build`.
  */
-private predicate isSigningKeySet(Expr expr, MethodAccess signingMa) {
+private predicate isSigningKeySetter(Expr expr, MethodAccess signingMa) {
   any(SigningToExprDataFlow s).hasFlow(DataFlow::exprNode(signingMa), DataFlow::exprNode(expr))
 }
 
@@ -123,7 +123,7 @@ private class JwtParserWithSigningKeyExpr extends Expr {
 
   JwtParserWithSigningKeyExpr() {
     this.getType().(RefType).getASourceSupertype*() instanceof TypeJwtParser and
-    isSigningKeySet(this, signingMa)
+    isSigningKeySetter(this, signingMa)
   }
 
   /** Gets the method access that sets the signing key for this parser. */

From a385b30c297fc3a1b7a17e7af53707a3237faaba Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Thu, 22 Apr 2021 23:51:27 +0200
Subject: [PATCH 0623/1429] Java: Factor common expr into class.

---
 .../Security/CWE/CWE-347/MissingJWTSignatureCheck.ql  | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
index d6b7fe3514a..6409e8b6ab8 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
@@ -17,6 +17,11 @@ class TypeJwtParser extends Interface {
   TypeJwtParser() { this.hasQualifiedName("io.jsonwebtoken", "JwtParser") }
 }
 
+/** The interface `io.jsonwebtoken.JwtParser` or a type derived from it. */
+class TypeDerivedJwtParser extends RefType {
+  TypeDerivedJwtParser() { this.getASourceSupertype*() instanceof TypeJwtParser }
+}
+
 /** The interface `io.jsonwebtoken.JwtParserBuilder`. */
 class TypeJwtParserBuilder extends Interface {
   TypeJwtParserBuilder() { this.hasQualifiedName("io.jsonwebtoken", "JwtParserBuilder") }
@@ -122,7 +127,7 @@ private class JwtParserWithSigningKeyExpr extends Expr {
   MethodAccess signingMa;
 
   JwtParserWithSigningKeyExpr() {
-    this.getType().(RefType).getASourceSupertype*() instanceof TypeJwtParser and
+    this.getType() instanceof TypeDerivedJwtParser and
     isSigningKeySetter(this, signingMa)
   }
 
@@ -142,13 +147,13 @@ private class SigningToExprDataFlow extends DataFlow::Configuration {
   }
 
   override predicate isSink(DataFlow::Node sink) {
-    sink.asExpr().getType().(RefType).getASourceSupertype*() instanceof TypeJwtParser
+    sink.asExpr().getType() instanceof TypeDerivedJwtParser
   }
 
   /** Models the builder style of `JwtParser` and `JwtParserBuilder`. */
   override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
     (
-      pred.asExpr().getType().(RefType).getASourceSupertype*() instanceof TypeJwtParser or
+      pred.asExpr().getType() instanceof TypeDerivedJwtParser or
       pred.asExpr().getType().(RefType).getASourceSupertype*() instanceof TypeJwtParserBuilder
     ) and
     succ.asExpr().(MethodAccess).getQualifier() = pred.asExpr()

From 98dcd4e52bf8e60d8b3745c09953a4e5b6a5a1c6 Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Fri, 23 Apr 2021 00:14:48 +0200
Subject: [PATCH 0624/1429] Java: Tighten definition of sink.

---
 .../CWE/CWE-347/MissingJWTSignatureCheck.ql    | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
index 6409e8b6ab8..67b56555fd9 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
@@ -119,10 +119,14 @@ private class JwtParserInsecureParseMethodAccess extends MethodAccess {
  * In this case, the signing key is set on a `JwtParserBuilder` indirectly setting the key of `JwtParser` that is created by the call to `build`.
  */
 private predicate isSigningKeySetter(Expr expr, MethodAccess signingMa) {
-  any(SigningToExprDataFlow s).hasFlow(DataFlow::exprNode(signingMa), DataFlow::exprNode(expr))
+  any(SigningToInsecureMethodAccessDataFlow s)
+      .hasFlow(DataFlow::exprNode(signingMa), DataFlow::exprNode(expr))
 }
 
-/** An expr that is a `JwtParser` for which a signing key has been set. */
+/**
+ * An expr that is a `JwtParser` for which a signing key has been set and which is used as
+ * the qualifier to a `JwtParserInsecureParseMethodAccess`.
+ */
 private class JwtParserWithSigningKeyExpr extends Expr {
   MethodAccess signingMa;
 
@@ -136,18 +140,20 @@ private class JwtParserWithSigningKeyExpr extends Expr {
 }
 
 /**
- * Models flow from `SigningKeyMethodAccess`es to expressions that are a (sub-type of) `JwtParser`.
+ * Models flow from `SigningKeyMethodAccess`es to expressions that are a
+ * (sub-type of) `JwtParser` and which are also the qualifier to a `JwtParserInsecureParseMethodAccess`.
  * This is used to determine whether a `JwtParser` has a signing key set.
  */
-private class SigningToExprDataFlow extends DataFlow::Configuration {
-  SigningToExprDataFlow() { this = "SigningToExprDataFlow" }
+private class SigningToInsecureMethodAccessDataFlow extends DataFlow::Configuration {
+  SigningToInsecureMethodAccessDataFlow() { this = "SigningToExprDataFlow" }
 
   override predicate isSource(DataFlow::Node source) {
     source.asExpr() instanceof SigningKeyMethodAccess
   }
 
   override predicate isSink(DataFlow::Node sink) {
-    sink.asExpr().getType() instanceof TypeDerivedJwtParser
+    sink.asExpr().getType() instanceof TypeDerivedJwtParser and
+    any(JwtParserInsecureParseMethodAccess ma).getQualifier() = sink.asExpr()
   }
 
   /** Models the builder style of `JwtParser` and `JwtParserBuilder`. */

From 6e059ea002441b63da26006b4f5fdc2b8ae1df30 Mon Sep 17 00:00:00 2001
From: Jonas Jensen <jbj@github.com>
Date: Fri, 23 Apr 2021 09:58:15 +0200
Subject: [PATCH 0625/1429] C++: Remove reference to obsolete issue CPP-383

---
 .../src/semmle/code/cpp/controlflow/internal/ConstantExprs.qll  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/controlflow/internal/ConstantExprs.qll b/cpp/ql/src/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
index dc08f588e43..94417a0e640 100644
--- a/cpp/ql/src/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
+++ b/cpp/ql/src/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
@@ -118,7 +118,7 @@ private predicate isFunction(Element el) {
 
 /**
  * Holds if `fc` is a `FunctionCall` with no return value for `getTarget`. This
- * can happen due to extractor issue CPP-383.
+ * can happen in case of rare database inconsistencies.
  */
 pragma[noopt]
 private predicate callHasNoTarget(@funbindexpr fc) {

From 6de5b3021e54f2d7777396334d97a1081e4cf006 Mon Sep 17 00:00:00 2001
From: Jonas Jensen <jbj@github.com>
Date: Fri, 23 Apr 2021 09:58:39 +0200
Subject: [PATCH 0626/1429] C++: Replace Jira ticket reference with GH issue

---
 cpp/ql/src/semmle/code/cpp/controlflow/internal/CFG.qll        | 3 ++-
 .../src/semmle/code/cpp/controlflow/internal/ConstantExprs.qll | 3 ++-
 cpp/ql/src/semmle/code/cpp/exprs/Expr.qll                      | 3 ++-
 .../cpp/ir/implementation/raw/internal/TranslatedElement.qll   | 3 ++-
 .../ir/implementation/raw/internal/TranslatedElement.qll       | 3 ++-
 5 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/controlflow/internal/CFG.qll b/cpp/ql/src/semmle/code/cpp/controlflow/internal/CFG.qll
index b47618de2e9..31ef5570451 100644
--- a/cpp/ql/src/semmle/code/cpp/controlflow/internal/CFG.qll
+++ b/cpp/ql/src/semmle/code/cpp/controlflow/internal/CFG.qll
@@ -1307,7 +1307,8 @@ private predicate conditionJumps(Expr test, boolean truth, Node n2, Pos p2) {
   )
 }
 
-// Factored out for performance. See QL-796.
+// Pulled out for performance. See
+// https://github.com/github/codeql-coreql-team/issues/1044.
 private predicate normalGroupMemberBaseCase(Node memberNode, Pos memberPos, Node atNode) {
   memberNode = atNode and
   memberPos.isAt() and
diff --git a/cpp/ql/src/semmle/code/cpp/controlflow/internal/ConstantExprs.qll b/cpp/ql/src/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
index 94417a0e640..476f626e874 100644
--- a/cpp/ql/src/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
+++ b/cpp/ql/src/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
@@ -128,7 +128,8 @@ private predicate callHasNoTarget(@funbindexpr fc) {
   )
 }
 
-// This base case is pulled out to work around QL-796
+// Pulled out for performance. See
+// https://github.com/github/codeql-coreql-team/issues/1044.
 private predicate potentiallyReturningFunctionCall_base(FunctionCall fc) {
   fc.isVirtual()
   or
diff --git a/cpp/ql/src/semmle/code/cpp/exprs/Expr.qll b/cpp/ql/src/semmle/code/cpp/exprs/Expr.qll
index e02a72fe680..86f538e5d4e 100644
--- a/cpp/ql/src/semmle/code/cpp/exprs/Expr.qll
+++ b/cpp/ql/src/semmle/code/cpp/exprs/Expr.qll
@@ -1271,7 +1271,8 @@ private predicate convparents(Expr child, int idx, Element parent) {
   )
 }
 
-// Pulled out for performance. See QL-796.
+// Pulled out for performance. See
+// https://github.com/github/codeql-coreql-team/issues/1044.
 private predicate hasNoConversions(Expr e) { not e.hasConversion() }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
index eca659914b0..81c69cf0ea2 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedElement.qll
@@ -42,7 +42,8 @@ IRTempVariable getIRTempVariable(Locatable ast, TempVariableTag tag) {
  */
 predicate isIRConstant(Expr expr) { exists(expr.getValue()) }
 
-// Pulled out to work around QL-796
+// Pulled out for performance. See
+// https://github.com/github/codeql-coreql-team/issues/1044.
 private predicate isOrphan(Expr expr) { not exists(getRealParent(expr)) }
 
 /**
diff --git a/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedElement.qll b/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedElement.qll
index 81d7b71b952..04e05dc9814 100644
--- a/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedElement.qll
+++ b/csharp/ql/src/experimental/ir/implementation/raw/internal/TranslatedElement.qll
@@ -57,7 +57,8 @@ private Element getRealParent(Expr expr) { result = expr.getParent() }
  */
 predicate isIRConstant(Expr expr) { exists(expr.getValue()) }
 
-// Pulled out to work around QL-796
+// Pulled out for performance. See
+// https://github.com/github/codeql-coreql-team/issues/1044.
 private predicate isOrphan(Expr expr) { not exists(getRealParent(expr)) }
 
 /**

From 4c597dd467bc515542afb12fc69675440aeaa5a7 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Thu, 22 Apr 2021 15:02:31 +0200
Subject: [PATCH 0627/1429] C#: Improve performance of guards library

---
 .../semmle/code/csharp/controlflow/Guards.qll | 224 ++++++++++++------
 .../semmle/code/csharp/dataflow/Nullness.qll  |  15 +-
 .../internal/rangeanalysis/RangeUtils.qll     |   2 +-
 .../guards/BooleanGuardedExpr.expected        |  32 ---
 .../guards/GuardedControlFlowNode.expected    |  32 ---
 .../controlflow/guards/GuardedExpr.expected   |  32 ---
 6 files changed, 162 insertions(+), 175 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll b/csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll
index bdcfa6ac4b7..8a721da5293 100644
--- a/csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll
+++ b/csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll
@@ -36,7 +36,7 @@ class Guard extends Expr {
    * Holds if basic block `bb` is guarded by this expression having value `v`.
    */
   predicate controlsBasicBlock(BasicBlock bb, AbstractValue v) {
-    Internal::guardControls(this, _, bb, v)
+    Internal::guardControls(this, bb, v)
   }
 
   /**
@@ -50,6 +50,12 @@ class Guard extends Expr {
       polarity = v.getValue()
     )
   }
+
+  /**
+   * Gets a valid value for this guard. For example, if this guard is a test, then
+   * it can have Boolean values `true` and `false`.
+   */
+  AbstractValue getAValue() { isGuard(this, result) }
 }
 
 /** An abstract value. */
@@ -967,13 +973,6 @@ module Internal {
     e = any(BinaryArithmeticOperation bao | result = bao.getAnOperand())
   }
 
-  /** Same as `this.getAChildExpr*()`, but avoids `fastTC`. */
-  private Expr getAChildExprStar(Guard g) {
-    result = g
-    or
-    result = getAChildExprStar(g).getAChildExpr()
-  }
-
   private Expr stripConditionalExpr(Expr e) {
     e =
       any(ConditionalExpr ce |
@@ -1009,8 +1008,11 @@ module Internal {
 
     /** Holds if pre-basic-block `bb` only is reached when guard `g` has abstract value `v`. */
     predicate preControls(Guard g, PreBasicBlocks::PreBasicBlock bb, AbstractValue v) {
-      exists(AbstractValue v0, Guard g0 | preControlsDirect(g0, bb, v0) |
-        preImpliesSteps(g0, v0, g, v)
+      preControlsDirect(g, bb, v)
+      or
+      exists(AbstractValue v0, Guard g0 |
+        preControls(g0, bb, v0) and
+        preImpliesStep(g0, v0, g, v)
       )
     }
 
@@ -1038,6 +1040,23 @@ module Internal {
       }
     }
 
+    private predicate canReturnBool(Callable c, Expr ret) {
+      canReturn(c, ret) and
+      c.getReturnType() instanceof BoolType
+    }
+
+    private predicate boolReturnImplies(Expr ret, BooleanValue retVal, Guard g, AbstractValue v) {
+      canReturnBool(_, ret) and
+      isGuard(ret, retVal) and
+      g = ret and
+      v = retVal
+      or
+      exists(Guard g0, AbstractValue v0 |
+        boolReturnImplies(ret, retVal, g0, v0) and
+        preImpliesStep(g0, v0, g, v)
+      )
+    }
+
     /**
      * Holds if `ret` is an expression returned by the callable to which parameter
      * `p` belongs, and `ret` having Boolean value `retVal` allows the conclusion
@@ -1046,14 +1065,14 @@ module Internal {
     private predicate validReturnInCustomNullCheck(
       Expr ret, Parameter p, BooleanValue retVal, boolean isNull
     ) {
-      exists(Callable c | canReturn(c, ret) |
-        p.getCallable() = c and
-        c.getReturnType() instanceof BoolType
+      exists(Callable c |
+        canReturnBool(c, ret) and
+        p.getCallable() = c
       ) and
       exists(PreSsaImplicitParameterDefinition def | p = def.getParameter() |
         def.nullGuardedReturn(ret, isNull)
         or
-        exists(NullValue nv | preImpliesSteps(ret, retVal, def.getARead(), nv) |
+        exists(NullValue nv | boolReturnImplies(ret, retVal, def.getARead(), nv) |
           if nv.isNull() then isNull = true else isNull = false
         )
       )
@@ -1691,6 +1710,79 @@ module Internal {
 
   import PreCFG
 
+  private predicate interestingDescendantCandidate(Expr e) {
+    guardControls(e, _, _)
+    or
+    e instanceof AccessOrCallExpr
+  }
+
+  /**
+   * An (interesting) descendant of a guard that controls some basic block.
+   *
+   * This class exists purely for performance reasons: It allows us to big-step
+   * through the child hierarchy in `guardControlsSub()` instead of using
+   * `getAChildExpr()`.
+   */
+  private class ControlGuardDescendant extends Expr {
+    ControlGuardDescendant() {
+      guardControls(this, _, _)
+      or
+      any(ControlGuardDescendant other).interestingDescendant(this)
+    }
+
+    private predicate descendant(Expr e) {
+      e = this.getAChildExpr()
+      or
+      exists(Expr mid |
+        descendant(mid) and
+        not interestingDescendantCandidate(mid) and
+        e = mid.getAChildExpr()
+      )
+    }
+
+    /** Holds if `e` is an interesting descendant of this descendant. */
+    predicate interestingDescendant(Expr e) {
+      descendant(e) and
+      interestingDescendantCandidate(e)
+    }
+  }
+
+  /**
+   * Holds if `g` controls basic block `bb`, and `sub` is some (interesting)
+   * sub expression of `g`.
+   *
+   * Sub expressions inside nested logical operations that themselve control `bb`
+   * are not included, since these will be sub expressions of their immediately
+   * enclosing logical operation. (This restriction avoids a quadratic blow-up.)
+   *
+   * For example, in
+   *
+   * ```csharp
+   * if (a && (b && c))
+   *     BLOCK
+   * ```
+   *
+   * `a` is included as a sub expression of `a && (b && c)` (which controls `BLOCK`),
+   * while `b` and `c` are only included as sub expressions of `b && c` (which also
+   * controls `BLOCK`).
+   */
+  pragma[nomagic]
+  private predicate guardControlsSub(Guard g, BasicBlock bb, ControlGuardDescendant sub) {
+    guardControls(g, bb, _) and
+    sub = g
+    or
+    exists(ControlGuardDescendant mid |
+      guardControlsSub(g, bb, mid) and
+      mid.interestingDescendant(sub)
+    |
+      not guardControls(sub, bb, _)
+      or
+      not mid instanceof UnaryLogicalOperation and
+      not mid instanceof BinaryLogicalOperation and
+      not mid instanceof BitwiseOperation
+    )
+  }
+
   /**
    * A helper class for calculating structurally equal access/call expressions.
    */
@@ -1710,13 +1802,13 @@ module Internal {
 
     /**
      * Holds if access/call expression `e` (targeting declaration `target`)
-     * is a sub expression of a condition that controls whether basic block
+     * is a sub expression of a guard that controls whether basic block
      * `bb` is reached.
      */
     pragma[noinline]
     private predicate candidateAux(AccessOrCallExpr e, Declaration target, BasicBlock bb) {
       target = e.getTarget() and
-      exists(Guard g | e = getAChildExprStar(g) | guardControls(g, _, bb, _))
+      guardControlsSub(_, bb, e)
     }
   }
 
@@ -1727,49 +1819,67 @@ module Internal {
 
     /**
      * Holds if basic block `bb` only is reached when guard `g` has abstract value `v`.
-     *
-     * `cb` records all of the possible condition blocks for `g` that a path from the
-     * callable entry point to `bb` may go through.
      */
     cached
-    predicate guardControls(Guard g, ConditionBlock cb, BasicBlock bb, AbstractValue v) {
+    predicate guardControls(Guard g, BasicBlock bb, AbstractValue v) {
+      exists(ControlFlowElement cfe, ConditionalSuccessor cs |
+        v.branch(cfe, cs, g) and cfe.controlsBlock(bb, cs, _)
+      )
+      or
       exists(AbstractValue v0, Guard g0 |
-        impliesSteps(g0, v0, g, v) and
-        exists(ControlFlowElement cfe, ConditionalSuccessor cs |
-          v0.branch(cfe, cs, g0) and cfe.controlsBlock(bb, cs, cb)
-        )
+        guardControls(g0, bb, v0) and
+        impliesStep(g0, v0, g, v)
       )
     }
 
-    pragma[noinline]
+    pragma[nomagic]
+    private predicate guardControlsSubSame(Guard g, BasicBlock bb, ControlGuardDescendant sub) {
+      guardControlsSub(g, bb, sub) and
+      any(ConditionOnExprComparisonConfig c).same(sub, _)
+    }
+
+    pragma[nomagic]
     private predicate nodeIsGuardedBySameSubExpr0(
-      ControlFlow::Node guardedCfn, AccessOrCallExpr guarded, Guard g, ConditionBlock cb,
+      ControlFlow::Node guardedCfn, BasicBlock guardedBB, AccessOrCallExpr guarded, Guard g,
       AccessOrCallExpr sub, AbstractValue v
     ) {
       Stages::GuardsStage::forceCachingInSameStage() and
       guardedCfn = guarded.getAControlFlowNode() and
-      guardControls(g, cb, guardedCfn.getBasicBlock(), v) and
-      exists(ConditionOnExprComparisonConfig c | c.same(sub, guarded))
+      guardedBB = guardedCfn.getBasicBlock() and
+      guardControls(g, guardedBB, v) and
+      guardControlsSubSame(g, guardedBB, sub) and
+      any(ConditionOnExprComparisonConfig c).same(sub, guarded)
     }
 
-    pragma[noinline]
+    pragma[nomagic]
     private predicate nodeIsGuardedBySameSubExpr(
-      ControlFlow::Node guardedCfn, AccessOrCallExpr guarded, Guard g, ConditionBlock cb,
+      ControlFlow::Node guardedCfn, BasicBlock guardedBB, AccessOrCallExpr guarded, Guard g,
       AccessOrCallExpr sub, AbstractValue v
     ) {
-      nodeIsGuardedBySameSubExpr0(guardedCfn, guarded, g, cb, sub, v) and
-      sub = getAChildExprStar(g)
+      nodeIsGuardedBySameSubExpr0(guardedCfn, guardedBB, guarded, g, sub, v) and
+      guardControlsSub(g, guardedBB, sub)
     }
 
-    pragma[noinline]
+    pragma[nomagic]
+    private predicate nodeIsGuardedBySameSubExprSsaDef0(
+      ControlFlow::Node cfn, BasicBlock guardedBB, AccessOrCallExpr guarded, Guard g,
+      ControlFlow::Node subCfn, BasicBlock subCfnBB, AccessOrCallExpr sub, AbstractValue v,
+      Ssa::Definition def
+    ) {
+      nodeIsGuardedBySameSubExpr(cfn, guardedBB, guarded, g, sub, v) and
+      def = sub.getAnSsaQualifier(subCfn) and
+      subCfnBB = subCfn.getBasicBlock()
+    }
+
+    pragma[nomagic]
     private predicate nodeIsGuardedBySameSubExprSsaDef(
-      ControlFlow::Node cfn, AccessOrCallExpr guarded, Guard g, ControlFlow::Node subCfn,
+      ControlFlow::Node guardedCfn, AccessOrCallExpr guarded, Guard g, ControlFlow::Node subCfn,
       AccessOrCallExpr sub, AbstractValue v, Ssa::Definition def
     ) {
-      exists(ConditionBlock cb |
-        nodeIsGuardedBySameSubExpr(cfn, guarded, g, cb, sub, v) and
-        subCfn.getBasicBlock().dominates(cb) and
-        def = sub.getAnSsaQualifier(subCfn)
+      exists(BasicBlock guardedBB, BasicBlock subCfnBB |
+        nodeIsGuardedBySameSubExprSsaDef0(guardedCfn, guardedBB, guarded, g, subCfn, subCfnBB, sub,
+          v, def) and
+        subCfnBB.getASuccessor*() = guardedBB
       )
     }
 
@@ -1789,7 +1899,7 @@ module Internal {
       AccessOrCallExpr guarded, Guard g, AccessOrCallExpr sub, AbstractValue v
     ) {
       forex(ControlFlow::Node cfn | cfn = guarded.getAControlFlowNode() |
-        nodeIsGuardedBySameSubExpr(cfn, guarded, g, _, sub, v)
+        nodeIsGuardedBySameSubExpr(cfn, _, guarded, g, sub, v)
       )
     }
 
@@ -1814,7 +1924,7 @@ module Internal {
     predicate isGuardedByNode(
       ControlFlow::Nodes::ElementNode guarded, Guard g, AccessOrCallExpr sub, AbstractValue v
     ) {
-      nodeIsGuardedBySameSubExpr(guarded, _, g, _, sub, v) and
+      nodeIsGuardedBySameSubExpr(guarded, _, _, g, sub, v) and
       forall(ControlFlow::Node subCfn, Ssa::Definition def |
         nodeIsGuardedBySameSubExprSsaDef(guarded, _, g, subCfn, sub, v, def)
       |
@@ -1860,40 +1970,6 @@ module Internal {
   }
 
   import Cached
-
-  /**
-   * Holds if the assumption that `g1` has abstract value `v1` implies that
-   * `g2` has abstract value `v2`, using zero or more steps of reasoning. That is,
-   * the evaluation of `g2` to `v2` dominates the evaluation of `g1` to `v1`.
-   *
-   * This predicate does not rely on the control flow graph.
-   */
-  predicate preImpliesSteps(Guard g1, AbstractValue v1, Guard g2, AbstractValue v2) {
-    g1 = g2 and
-    v1 = v2 and
-    isGuard(g1, v1)
-    or
-    exists(Expr mid, AbstractValue vMid | preImpliesSteps(g1, v1, mid, vMid) |
-      preImpliesStep(mid, vMid, g2, v2)
-    )
-  }
-
-  /**
-   * Holds if the assumption that `g1` has abstract value `v1` implies that
-   * `g2` has abstract value `v2`, using zero or more steps of reasoning. That is,
-   * the evaluation of `g2` to `v2` dominates the evaluation of `g1` to `v1`.
-   *
-   * This predicate relies on the control flow graph.
-   */
-  predicate impliesSteps(Guard g1, AbstractValue v1, Guard g2, AbstractValue v2) {
-    g1 = g2 and
-    v1 = v2 and
-    isGuard(g1, v1)
-    or
-    exists(Expr mid, AbstractValue vMid | impliesSteps(g1, v1, mid, vMid) |
-      impliesStep(mid, vMid, g2, v2)
-    )
-  }
 }
 
 private import Internal
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/Nullness.qll b/csharp/ql/src/semmle/code/csharp/dataflow/Nullness.qll
index 15133668d00..131480a8b59 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/Nullness.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/Nullness.qll
@@ -128,12 +128,19 @@ private predicate dereferenceAt(BasicBlock bb, int i, Ssa::Definition def, Deref
  * has abstract value `vDef`.
  */
 private predicate exprImpliesSsaDef(
-  Expr e, G::AbstractValue vExpr, Ssa::Definition def, G::AbstractValue vDef
+  G::Guard e, G::AbstractValue vExpr, Ssa::Definition def, G::AbstractValue vDef
 ) {
-  exists(G::Guard g | G::Internal::impliesSteps(e, vExpr, g, vDef) |
-    g = def.getARead()
+  vExpr = e.getAValue() and
+  vExpr = vDef and
+  (
+    e = def.getARead()
     or
-    g = def.(Ssa::ExplicitDefinition).getADefinition().getTargetAccess()
+    e = def.(Ssa::ExplicitDefinition).getADefinition().getTargetAccess()
+  )
+  or
+  exists(Expr e0, G::AbstractValue vExpr0 |
+    exprImpliesSsaDef(e0, vExpr0, def, vDef) and
+    G::Internal::impliesStep(e, vExpr, e0, vExpr0)
   )
 }
 
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll
index 70ff26c1c58..2f8e93a4b75 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll
@@ -122,7 +122,7 @@ private module Impl {
     )
     or
     exists(G::AbstractValue v0 |
-      G::Internal::impliesSteps(result, v, eqFlowCondAbs(def, e, delta, isEq, v0), v0)
+      G::Internal::impliesStep(result, v, eqFlowCondAbs(def, e, delta, isEq, v0), v0)
     )
   }
 
diff --git a/csharp/ql/test/library-tests/controlflow/guards/BooleanGuardedExpr.expected b/csharp/ql/test/library-tests/controlflow/guards/BooleanGuardedExpr.expected
index 120e3e2c5ce..40d144f3719 100644
--- a/csharp/ql/test/library-tests/controlflow/guards/BooleanGuardedExpr.expected
+++ b/csharp/ql/test/library-tests/controlflow/guards/BooleanGuardedExpr.expected
@@ -5,16 +5,12 @@
 | Assert.cs:53:27:53:27 | access to local variable s | Assert.cs:52:24:52:32 | ... == ... | Assert.cs:52:24:52:24 | access to local variable s | false |
 | Assert.cs:59:36:59:36 | access to parameter b | Assert.cs:58:20:58:20 | access to parameter b | Assert.cs:58:20:58:20 | access to parameter b | false |
 | Assert.cs:60:27:60:27 | access to local variable s | Assert.cs:59:23:59:31 | ... != ... | Assert.cs:59:23:59:23 | access to local variable s | true |
-| Assert.cs:60:27:60:27 | access to local variable s | Assert.cs:59:23:59:36 | ... && ... | Assert.cs:59:23:59:23 | access to local variable s | true |
 | Assert.cs:66:37:66:37 | access to parameter b | Assert.cs:65:20:65:20 | access to parameter b | Assert.cs:65:20:65:20 | access to parameter b | false |
 | Assert.cs:67:27:67:27 | access to local variable s | Assert.cs:66:24:66:32 | ... == ... | Assert.cs:66:24:66:24 | access to local variable s | false |
-| Assert.cs:67:27:67:27 | access to local variable s | Assert.cs:66:24:66:37 | ... \|\| ... | Assert.cs:66:24:66:24 | access to local variable s | false |
 | Assert.cs:73:36:73:36 | access to parameter b | Assert.cs:72:20:72:20 | access to parameter b | Assert.cs:72:20:72:20 | access to parameter b | true |
 | Assert.cs:74:27:74:27 | access to local variable s | Assert.cs:73:23:73:31 | ... == ... | Assert.cs:73:23:73:23 | access to local variable s | true |
-| Assert.cs:74:27:74:27 | access to local variable s | Assert.cs:73:23:73:36 | ... && ... | Assert.cs:73:23:73:23 | access to local variable s | true |
 | Assert.cs:80:37:80:37 | access to parameter b | Assert.cs:79:20:79:20 | access to parameter b | Assert.cs:79:20:79:20 | access to parameter b | true |
 | Assert.cs:81:27:81:27 | access to local variable s | Assert.cs:80:24:80:32 | ... != ... | Assert.cs:80:24:80:24 | access to local variable s | false |
-| Assert.cs:81:27:81:27 | access to local variable s | Assert.cs:80:24:80:37 | ... \|\| ... | Assert.cs:80:24:80:24 | access to local variable s | false |
 | Assert.cs:94:16:94:17 | access to parameter b1 | Assert.cs:93:25:93:26 | access to parameter b1 | Assert.cs:93:25:93:26 | access to parameter b1 | true |
 | Assert.cs:94:23:94:24 | access to parameter b2 | Assert.cs:93:29:93:30 | access to parameter b2 | Assert.cs:93:29:93:30 | access to parameter b2 | false |
 | Collections.cs:52:17:52:20 | access to parameter args | Collections.cs:50:13:50:27 | ... == ... | Collections.cs:50:13:50:16 | access to parameter args | false |
@@ -22,39 +18,17 @@
 | Collections.cs:54:13:54:16 | access to parameter args | Collections.cs:50:13:50:27 | ... == ... | Collections.cs:50:13:50:16 | access to parameter args | false |
 | Collections.cs:67:13:67:13 | access to local variable x | Collections.cs:65:13:65:24 | ... == ... | Collections.cs:65:13:65:13 | access to local variable x | true |
 | Collections.cs:68:13:68:13 | access to local variable x | Collections.cs:65:13:65:24 | ... == ... | Collections.cs:65:13:65:13 | access to local variable x | true |
-| Guards.cs:12:13:12:13 | access to parameter s | Guards.cs:10:13:10:25 | !... | Guards.cs:10:16:10:16 | access to parameter s | false |
-| Guards.cs:12:13:12:13 | access to parameter s | Guards.cs:10:14:10:25 | !... | Guards.cs:10:16:10:16 | access to parameter s | true |
 | Guards.cs:12:13:12:13 | access to parameter s | Guards.cs:10:16:10:24 | ... == ... | Guards.cs:10:16:10:16 | access to parameter s | false |
-| Guards.cs:14:31:14:31 | access to parameter s | Guards.cs:10:13:10:25 | !... | Guards.cs:10:16:10:16 | access to parameter s | false |
-| Guards.cs:14:31:14:31 | access to parameter s | Guards.cs:10:14:10:25 | !... | Guards.cs:10:16:10:16 | access to parameter s | true |
 | Guards.cs:14:31:14:31 | access to parameter s | Guards.cs:10:16:10:24 | ... == ... | Guards.cs:10:16:10:16 | access to parameter s | false |
 | Guards.cs:14:31:14:31 | access to parameter s | Guards.cs:12:13:12:24 | ... > ... | Guards.cs:12:13:12:13 | access to parameter s | true |
 | Guards.cs:26:31:26:31 | access to parameter s | Guards.cs:24:13:24:21 | ... != ... | Guards.cs:24:13:24:13 | access to parameter s | true |
-| Guards.cs:33:31:33:31 | access to parameter x | Guards.cs:32:13:32:36 | !... | Guards.cs:32:35:32:35 | access to parameter x | true |
-| Guards.cs:33:31:33:31 | access to parameter x | Guards.cs:32:13:32:51 | ... & ... | Guards.cs:32:35:32:35 | access to parameter x | true |
 | Guards.cs:33:31:33:31 | access to parameter x | Guards.cs:32:14:32:36 | call to method IsNullOrEmpty | Guards.cs:32:35:32:35 | access to parameter x | false |
-| Guards.cs:33:35:33:35 | access to parameter y | Guards.cs:32:13:32:51 | ... & ... | Guards.cs:32:42:32:42 | access to parameter y | true |
-| Guards.cs:33:35:33:35 | access to parameter y | Guards.cs:32:40:32:51 | !... | Guards.cs:32:42:32:42 | access to parameter y | true |
 | Guards.cs:33:35:33:35 | access to parameter y | Guards.cs:32:42:32:50 | ... == ... | Guards.cs:32:42:32:42 | access to parameter y | false |
 | Guards.cs:36:32:36:32 | access to parameter x | Guards.cs:35:13:35:21 | ... == ... | Guards.cs:35:13:35:13 | access to parameter x | false |
-| Guards.cs:36:32:36:32 | access to parameter x | Guards.cs:35:13:35:34 | ... \|\| ... | Guards.cs:35:13:35:13 | access to parameter x | false |
-| Guards.cs:36:36:36:36 | access to parameter y | Guards.cs:35:13:35:34 | ... \|\| ... | Guards.cs:35:26:35:26 | access to parameter y | false |
 | Guards.cs:36:36:36:36 | access to parameter y | Guards.cs:35:26:35:34 | ... == ... | Guards.cs:35:26:35:26 | access to parameter y | false |
-| Guards.cs:39:31:39:31 | access to parameter x | Guards.cs:38:13:38:37 | !... | Guards.cs:38:15:38:15 | access to parameter x | true |
 | Guards.cs:39:31:39:31 | access to parameter x | Guards.cs:38:15:38:23 | ... == ... | Guards.cs:38:15:38:15 | access to parameter x | false |
-| Guards.cs:39:31:39:31 | access to parameter x | Guards.cs:38:15:38:36 | ... \|\| ... | Guards.cs:38:15:38:15 | access to parameter x | false |
-| Guards.cs:39:35:39:35 | access to parameter y | Guards.cs:38:13:38:37 | !... | Guards.cs:38:28:38:28 | access to parameter y | true |
-| Guards.cs:39:35:39:35 | access to parameter y | Guards.cs:38:15:38:36 | ... \|\| ... | Guards.cs:38:28:38:28 | access to parameter y | false |
 | Guards.cs:39:35:39:35 | access to parameter y | Guards.cs:38:28:38:36 | ... == ... | Guards.cs:38:28:38:28 | access to parameter y | false |
-| Guards.cs:42:32:42:32 | access to parameter x | Guards.cs:41:13:41:39 | !... | Guards.cs:41:17:41:17 | access to parameter x | false |
-| Guards.cs:42:32:42:32 | access to parameter x | Guards.cs:41:14:41:39 | !... | Guards.cs:41:17:41:17 | access to parameter x | true |
-| Guards.cs:42:32:42:32 | access to parameter x | Guards.cs:41:15:41:39 | !... | Guards.cs:41:17:41:17 | access to parameter x | false |
 | Guards.cs:42:32:42:32 | access to parameter x | Guards.cs:41:17:41:25 | ... != ... | Guards.cs:41:17:41:17 | access to parameter x | true |
-| Guards.cs:42:32:42:32 | access to parameter x | Guards.cs:41:17:41:38 | ... && ... | Guards.cs:41:17:41:17 | access to parameter x | true |
-| Guards.cs:42:36:42:36 | access to parameter y | Guards.cs:41:13:41:39 | !... | Guards.cs:41:30:41:30 | access to parameter y | false |
-| Guards.cs:42:36:42:36 | access to parameter y | Guards.cs:41:14:41:39 | !... | Guards.cs:41:30:41:30 | access to parameter y | true |
-| Guards.cs:42:36:42:36 | access to parameter y | Guards.cs:41:15:41:39 | !... | Guards.cs:41:30:41:30 | access to parameter y | false |
-| Guards.cs:42:36:42:36 | access to parameter y | Guards.cs:41:17:41:38 | ... && ... | Guards.cs:41:30:41:30 | access to parameter y | true |
 | Guards.cs:42:36:42:36 | access to parameter y | Guards.cs:41:30:41:38 | ... != ... | Guards.cs:41:30:41:30 | access to parameter y | true |
 | Guards.cs:48:31:48:40 | access to field Field | Guards.cs:47:13:47:25 | ... != ... | Guards.cs:47:13:47:17 | access to field Field | true |
 | Guards.cs:55:27:55:27 | access to parameter g | Guards.cs:53:13:53:27 | ... == ... | Guards.cs:53:13:53:13 | access to parameter g | false |
@@ -85,16 +59,11 @@
 | Guards.cs:138:20:138:20 | access to parameter s | Guards.cs:137:13:137:25 | ... is ... | Guards.cs:137:13:137:13 | access to parameter s | true |
 | Guards.cs:139:16:139:16 | access to parameter s | Guards.cs:137:13:137:25 | ... is ... | Guards.cs:137:13:137:13 | access to parameter s | false |
 | Guards.cs:146:16:146:16 | access to parameter o | Guards.cs:144:13:144:25 | ... is ... | Guards.cs:144:13:144:13 | access to parameter o | false |
-| Guards.cs:169:31:169:31 | access to parameter x | Guards.cs:168:13:168:41 | !... | Guards.cs:168:40:168:40 | access to parameter x | true |
 | Guards.cs:169:31:169:31 | access to parameter x | Guards.cs:168:14:168:41 | call to method IsNullOrWhiteSpace | Guards.cs:168:40:168:40 | access to parameter x | false |
-| Guards.cs:190:31:190:31 | access to parameter s | Guards.cs:189:13:189:25 | !... | Guards.cs:189:24:189:24 | access to parameter s | true |
 | Guards.cs:190:31:190:31 | access to parameter s | Guards.cs:189:14:189:25 | call to method NullTest1 | Guards.cs:189:24:189:24 | access to parameter s | false |
-| Guards.cs:192:31:192:31 | access to parameter s | Guards.cs:191:13:191:25 | !... | Guards.cs:191:24:191:24 | access to parameter s | true |
 | Guards.cs:192:31:192:31 | access to parameter s | Guards.cs:191:14:191:25 | call to method NullTest2 | Guards.cs:191:24:191:24 | access to parameter s | false |
-| Guards.cs:194:31:194:31 | access to parameter s | Guards.cs:193:13:193:25 | !... | Guards.cs:193:24:193:24 | access to parameter s | true |
 | Guards.cs:194:31:194:31 | access to parameter s | Guards.cs:193:14:193:25 | call to method NullTest3 | Guards.cs:193:24:193:24 | access to parameter s | false |
 | Guards.cs:196:31:196:31 | access to parameter s | Guards.cs:195:13:195:27 | call to method NotNullTest4 | Guards.cs:195:26:195:26 | access to parameter s | true |
-| Guards.cs:198:31:198:31 | access to parameter s | Guards.cs:197:13:197:29 | !... | Guards.cs:197:28:197:28 | access to parameter s | true |
 | Guards.cs:198:31:198:31 | access to parameter s | Guards.cs:197:14:197:29 | call to method NullTestWrong | Guards.cs:197:28:197:28 | access to parameter s | false |
 | Guards.cs:205:13:205:13 | access to parameter o | Guards.cs:203:13:203:21 | ... != ... | Guards.cs:203:13:203:13 | access to parameter o | true |
 | Guards.cs:208:17:208:17 | access to parameter o | Guards.cs:203:13:203:21 | ... != ... | Guards.cs:203:13:203:13 | access to parameter o | true |
@@ -102,7 +71,6 @@
 | Guards.cs:271:13:271:14 | access to parameter o1 | Guards.cs:270:13:270:42 | call to operator == | Guards.cs:270:13:270:14 | access to parameter o1 | true |
 | Guards.cs:342:27:342:27 | access to parameter b | Guards.cs:341:20:341:20 | access to parameter b | Guards.cs:341:20:341:20 | access to parameter b | false |
 | Guards.cs:343:31:343:31 | access to local variable s | Guards.cs:342:13:342:21 | ... != ... | Guards.cs:342:13:342:13 | access to local variable s | true |
-| Guards.cs:343:31:343:31 | access to local variable s | Guards.cs:342:13:342:27 | ... && ... | Guards.cs:342:13:342:13 | access to local variable s | true |
 | Guards.cs:349:13:349:13 | access to parameter o | Guards.cs:348:13:348:25 | ... is ... | Guards.cs:348:13:348:13 | access to parameter o | true |
 | Splitting.cs:13:17:13:17 | access to parameter o | Splitting.cs:12:17:12:25 | ... != ... | Splitting.cs:12:17:12:17 | access to parameter o | true |
 | Splitting.cs:23:24:23:24 | access to parameter o | Splitting.cs:22:17:22:25 | ... != ... | Splitting.cs:22:17:22:17 | access to parameter o | true |
diff --git a/csharp/ql/test/library-tests/controlflow/guards/GuardedControlFlowNode.expected b/csharp/ql/test/library-tests/controlflow/guards/GuardedControlFlowNode.expected
index 3db5997056c..404c0197556 100644
--- a/csharp/ql/test/library-tests/controlflow/guards/GuardedControlFlowNode.expected
+++ b/csharp/ql/test/library-tests/controlflow/guards/GuardedControlFlowNode.expected
@@ -17,7 +17,6 @@
 | Assert.cs:59:36:59:36 | [b (line 56): true] access to parameter b | Assert.cs:58:20:58:32 | ... ? ... : ... | Assert.cs:58:20:58:20 | access to parameter b | non-null |
 | Assert.cs:60:27:60:27 | access to local variable s | Assert.cs:59:23:59:23 | access to local variable s | Assert.cs:59:23:59:23 | access to local variable s | non-null |
 | Assert.cs:60:27:60:27 | access to local variable s | Assert.cs:59:23:59:31 | ... != ... | Assert.cs:59:23:59:23 | access to local variable s | true |
-| Assert.cs:60:27:60:27 | access to local variable s | Assert.cs:59:23:59:36 | ... && ... | Assert.cs:59:23:59:23 | access to local variable s | true |
 | Assert.cs:66:37:66:37 | [b (line 63): false] access to parameter b | Assert.cs:65:20:65:20 | access to parameter b | Assert.cs:65:20:65:20 | access to parameter b | false |
 | Assert.cs:66:37:66:37 | [b (line 63): false] access to parameter b | Assert.cs:65:20:65:32 | ... ? ... : ... | Assert.cs:65:20:65:20 | access to parameter b | non-null |
 | Assert.cs:66:37:66:37 | [b (line 63): true] access to parameter b | Assert.cs:65:20:65:20 | access to parameter b | Assert.cs:65:20:65:20 | access to parameter b | false |
@@ -25,7 +24,6 @@
 | Assert.cs:66:37:66:37 | [b (line 63): true] access to parameter b | Assert.cs:65:20:65:32 | ... ? ... : ... | Assert.cs:65:20:65:20 | access to parameter b | non-null |
 | Assert.cs:67:27:67:27 | access to local variable s | Assert.cs:66:24:66:24 | access to local variable s | Assert.cs:66:24:66:24 | access to local variable s | non-null |
 | Assert.cs:67:27:67:27 | access to local variable s | Assert.cs:66:24:66:32 | ... == ... | Assert.cs:66:24:66:24 | access to local variable s | false |
-| Assert.cs:67:27:67:27 | access to local variable s | Assert.cs:66:24:66:37 | ... \|\| ... | Assert.cs:66:24:66:24 | access to local variable s | false |
 | Assert.cs:73:36:73:36 | [b (line 70): false] access to parameter b | Assert.cs:72:20:72:20 | access to parameter b | Assert.cs:72:20:72:20 | access to parameter b | false |
 | Assert.cs:73:36:73:36 | [b (line 70): false] access to parameter b | Assert.cs:72:20:72:20 | access to parameter b | Assert.cs:72:20:72:20 | access to parameter b | true |
 | Assert.cs:73:36:73:36 | [b (line 70): false] access to parameter b | Assert.cs:72:20:72:32 | ... ? ... : ... | Assert.cs:72:20:72:20 | access to parameter b | null |
@@ -33,7 +31,6 @@
 | Assert.cs:73:36:73:36 | [b (line 70): true] access to parameter b | Assert.cs:72:20:72:32 | ... ? ... : ... | Assert.cs:72:20:72:20 | access to parameter b | null |
 | Assert.cs:74:27:74:27 | access to local variable s | Assert.cs:73:23:73:23 | access to local variable s | Assert.cs:73:23:73:23 | access to local variable s | null |
 | Assert.cs:74:27:74:27 | access to local variable s | Assert.cs:73:23:73:31 | ... == ... | Assert.cs:73:23:73:23 | access to local variable s | true |
-| Assert.cs:74:27:74:27 | access to local variable s | Assert.cs:73:23:73:36 | ... && ... | Assert.cs:73:23:73:23 | access to local variable s | true |
 | Assert.cs:80:37:80:37 | [b (line 77): false] access to parameter b | Assert.cs:79:20:79:20 | access to parameter b | Assert.cs:79:20:79:20 | access to parameter b | false |
 | Assert.cs:80:37:80:37 | [b (line 77): false] access to parameter b | Assert.cs:79:20:79:20 | access to parameter b | Assert.cs:79:20:79:20 | access to parameter b | true |
 | Assert.cs:80:37:80:37 | [b (line 77): false] access to parameter b | Assert.cs:79:20:79:32 | ... ? ... : ... | Assert.cs:79:20:79:20 | access to parameter b | null |
@@ -41,7 +38,6 @@
 | Assert.cs:80:37:80:37 | [b (line 77): true] access to parameter b | Assert.cs:79:20:79:32 | ... ? ... : ... | Assert.cs:79:20:79:20 | access to parameter b | null |
 | Assert.cs:81:27:81:27 | access to local variable s | Assert.cs:80:24:80:24 | access to local variable s | Assert.cs:80:24:80:24 | access to local variable s | null |
 | Assert.cs:81:27:81:27 | access to local variable s | Assert.cs:80:24:80:32 | ... != ... | Assert.cs:80:24:80:24 | access to local variable s | false |
-| Assert.cs:81:27:81:27 | access to local variable s | Assert.cs:80:24:80:37 | ... \|\| ... | Assert.cs:80:24:80:24 | access to local variable s | false |
 | Assert.cs:93:33:93:34 | [assertion failure, b1 (line 91): false] access to parameter b2 | Assert.cs:93:29:93:30 | access to parameter b2 | Assert.cs:93:29:93:30 | access to parameter b2 | false |
 | Assert.cs:93:33:93:34 | [assertion failure, b1 (line 91): false] access to parameter b2 | Assert.cs:93:29:93:30 | access to parameter b2 | Assert.cs:93:29:93:30 | access to parameter b2 | true |
 | Assert.cs:93:33:93:34 | [assertion failure, b1 (line 91): true] access to parameter b2 | Assert.cs:93:29:93:30 | access to parameter b2 | Assert.cs:93:29:93:30 | access to parameter b2 | true |
@@ -56,49 +52,27 @@
 | Collections.cs:67:13:67:13 | access to local variable x | Collections.cs:65:13:65:24 | ... == ... | Collections.cs:65:13:65:13 | access to local variable x | true |
 | Collections.cs:68:13:68:13 | access to local variable x | Collections.cs:65:13:65:24 | ... == ... | Collections.cs:65:13:65:13 | access to local variable x | true |
 | Collections.cs:96:31:96:34 | access to parameter args | Collections.cs:95:29:95:32 | access to parameter args | Collections.cs:95:29:95:32 | access to parameter args | non-empty |
-| Guards.cs:12:13:12:13 | access to parameter s | Guards.cs:10:13:10:25 | !... | Guards.cs:10:16:10:16 | access to parameter s | false |
-| Guards.cs:12:13:12:13 | access to parameter s | Guards.cs:10:14:10:25 | !... | Guards.cs:10:16:10:16 | access to parameter s | true |
 | Guards.cs:12:13:12:13 | access to parameter s | Guards.cs:10:16:10:16 | access to parameter s | Guards.cs:10:16:10:16 | access to parameter s | non-null |
 | Guards.cs:12:13:12:13 | access to parameter s | Guards.cs:10:16:10:24 | ... == ... | Guards.cs:10:16:10:16 | access to parameter s | false |
-| Guards.cs:14:31:14:31 | access to parameter s | Guards.cs:10:13:10:25 | !... | Guards.cs:10:16:10:16 | access to parameter s | false |
-| Guards.cs:14:31:14:31 | access to parameter s | Guards.cs:10:14:10:25 | !... | Guards.cs:10:16:10:16 | access to parameter s | true |
 | Guards.cs:14:31:14:31 | access to parameter s | Guards.cs:10:16:10:16 | access to parameter s | Guards.cs:10:16:10:16 | access to parameter s | non-null |
 | Guards.cs:14:31:14:31 | access to parameter s | Guards.cs:10:16:10:24 | ... == ... | Guards.cs:10:16:10:16 | access to parameter s | false |
 | Guards.cs:14:31:14:31 | access to parameter s | Guards.cs:12:13:12:24 | ... > ... | Guards.cs:12:13:12:13 | access to parameter s | true |
 | Guards.cs:26:31:26:31 | access to parameter s | Guards.cs:24:13:24:13 | access to parameter s | Guards.cs:24:13:24:13 | access to parameter s | non-null |
 | Guards.cs:26:31:26:31 | access to parameter s | Guards.cs:24:13:24:21 | ... != ... | Guards.cs:24:13:24:13 | access to parameter s | true |
-| Guards.cs:33:31:33:31 | access to parameter x | Guards.cs:32:13:32:36 | !... | Guards.cs:32:35:32:35 | access to parameter x | true |
-| Guards.cs:33:31:33:31 | access to parameter x | Guards.cs:32:13:32:51 | ... & ... | Guards.cs:32:35:32:35 | access to parameter x | true |
 | Guards.cs:33:31:33:31 | access to parameter x | Guards.cs:32:14:32:36 | call to method IsNullOrEmpty | Guards.cs:32:35:32:35 | access to parameter x | false |
 | Guards.cs:33:31:33:31 | access to parameter x | Guards.cs:32:35:32:35 | access to parameter x | Guards.cs:32:35:32:35 | access to parameter x | non-null |
-| Guards.cs:33:35:33:35 | access to parameter y | Guards.cs:32:13:32:51 | ... & ... | Guards.cs:32:42:32:42 | access to parameter y | true |
-| Guards.cs:33:35:33:35 | access to parameter y | Guards.cs:32:40:32:51 | !... | Guards.cs:32:42:32:42 | access to parameter y | true |
 | Guards.cs:33:35:33:35 | access to parameter y | Guards.cs:32:42:32:42 | access to parameter y | Guards.cs:32:42:32:42 | access to parameter y | non-null |
 | Guards.cs:33:35:33:35 | access to parameter y | Guards.cs:32:42:32:50 | ... == ... | Guards.cs:32:42:32:42 | access to parameter y | false |
 | Guards.cs:36:32:36:32 | access to parameter x | Guards.cs:35:13:35:13 | access to parameter x | Guards.cs:35:13:35:13 | access to parameter x | non-null |
 | Guards.cs:36:32:36:32 | access to parameter x | Guards.cs:35:13:35:21 | ... == ... | Guards.cs:35:13:35:13 | access to parameter x | false |
-| Guards.cs:36:32:36:32 | access to parameter x | Guards.cs:35:13:35:34 | ... \|\| ... | Guards.cs:35:13:35:13 | access to parameter x | false |
-| Guards.cs:36:36:36:36 | access to parameter y | Guards.cs:35:13:35:34 | ... \|\| ... | Guards.cs:35:26:35:26 | access to parameter y | false |
 | Guards.cs:36:36:36:36 | access to parameter y | Guards.cs:35:26:35:26 | access to parameter y | Guards.cs:35:26:35:26 | access to parameter y | non-null |
 | Guards.cs:36:36:36:36 | access to parameter y | Guards.cs:35:26:35:34 | ... == ... | Guards.cs:35:26:35:26 | access to parameter y | false |
-| Guards.cs:39:31:39:31 | access to parameter x | Guards.cs:38:13:38:37 | !... | Guards.cs:38:15:38:15 | access to parameter x | true |
 | Guards.cs:39:31:39:31 | access to parameter x | Guards.cs:38:15:38:15 | access to parameter x | Guards.cs:38:15:38:15 | access to parameter x | non-null |
 | Guards.cs:39:31:39:31 | access to parameter x | Guards.cs:38:15:38:23 | ... == ... | Guards.cs:38:15:38:15 | access to parameter x | false |
-| Guards.cs:39:31:39:31 | access to parameter x | Guards.cs:38:15:38:36 | ... \|\| ... | Guards.cs:38:15:38:15 | access to parameter x | false |
-| Guards.cs:39:35:39:35 | access to parameter y | Guards.cs:38:13:38:37 | !... | Guards.cs:38:28:38:28 | access to parameter y | true |
-| Guards.cs:39:35:39:35 | access to parameter y | Guards.cs:38:15:38:36 | ... \|\| ... | Guards.cs:38:28:38:28 | access to parameter y | false |
 | Guards.cs:39:35:39:35 | access to parameter y | Guards.cs:38:28:38:28 | access to parameter y | Guards.cs:38:28:38:28 | access to parameter y | non-null |
 | Guards.cs:39:35:39:35 | access to parameter y | Guards.cs:38:28:38:36 | ... == ... | Guards.cs:38:28:38:28 | access to parameter y | false |
-| Guards.cs:42:32:42:32 | access to parameter x | Guards.cs:41:13:41:39 | !... | Guards.cs:41:17:41:17 | access to parameter x | false |
-| Guards.cs:42:32:42:32 | access to parameter x | Guards.cs:41:14:41:39 | !... | Guards.cs:41:17:41:17 | access to parameter x | true |
-| Guards.cs:42:32:42:32 | access to parameter x | Guards.cs:41:15:41:39 | !... | Guards.cs:41:17:41:17 | access to parameter x | false |
 | Guards.cs:42:32:42:32 | access to parameter x | Guards.cs:41:17:41:17 | access to parameter x | Guards.cs:41:17:41:17 | access to parameter x | non-null |
 | Guards.cs:42:32:42:32 | access to parameter x | Guards.cs:41:17:41:25 | ... != ... | Guards.cs:41:17:41:17 | access to parameter x | true |
-| Guards.cs:42:32:42:32 | access to parameter x | Guards.cs:41:17:41:38 | ... && ... | Guards.cs:41:17:41:17 | access to parameter x | true |
-| Guards.cs:42:36:42:36 | access to parameter y | Guards.cs:41:13:41:39 | !... | Guards.cs:41:30:41:30 | access to parameter y | false |
-| Guards.cs:42:36:42:36 | access to parameter y | Guards.cs:41:14:41:39 | !... | Guards.cs:41:30:41:30 | access to parameter y | true |
-| Guards.cs:42:36:42:36 | access to parameter y | Guards.cs:41:15:41:39 | !... | Guards.cs:41:30:41:30 | access to parameter y | false |
-| Guards.cs:42:36:42:36 | access to parameter y | Guards.cs:41:17:41:38 | ... && ... | Guards.cs:41:30:41:30 | access to parameter y | true |
 | Guards.cs:42:36:42:36 | access to parameter y | Guards.cs:41:30:41:30 | access to parameter y | Guards.cs:41:30:41:30 | access to parameter y | non-null |
 | Guards.cs:42:36:42:36 | access to parameter y | Guards.cs:41:30:41:38 | ... != ... | Guards.cs:41:30:41:30 | access to parameter y | true |
 | Guards.cs:48:31:48:40 | access to field Field | Guards.cs:47:13:47:17 | access to field Field | Guards.cs:47:13:47:17 | access to field Field | non-null |
@@ -193,21 +167,16 @@
 | Guards.cs:162:24:162:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | non-match access to type Action<Object> |
 | Guards.cs:162:24:162:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | non-match null |
 | Guards.cs:162:24:162:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | non-null |
-| Guards.cs:169:31:169:31 | access to parameter x | Guards.cs:168:13:168:41 | !... | Guards.cs:168:40:168:40 | access to parameter x | true |
 | Guards.cs:169:31:169:31 | access to parameter x | Guards.cs:168:14:168:41 | call to method IsNullOrWhiteSpace | Guards.cs:168:40:168:40 | access to parameter x | false |
 | Guards.cs:169:31:169:31 | access to parameter x | Guards.cs:168:40:168:40 | access to parameter x | Guards.cs:168:40:168:40 | access to parameter x | non-null |
-| Guards.cs:190:31:190:31 | access to parameter s | Guards.cs:189:13:189:25 | !... | Guards.cs:189:24:189:24 | access to parameter s | true |
 | Guards.cs:190:31:190:31 | access to parameter s | Guards.cs:189:14:189:25 | call to method NullTest1 | Guards.cs:189:24:189:24 | access to parameter s | false |
 | Guards.cs:190:31:190:31 | access to parameter s | Guards.cs:189:24:189:24 | access to parameter s | Guards.cs:189:24:189:24 | access to parameter s | non-null |
-| Guards.cs:192:31:192:31 | access to parameter s | Guards.cs:191:13:191:25 | !... | Guards.cs:191:24:191:24 | access to parameter s | true |
 | Guards.cs:192:31:192:31 | access to parameter s | Guards.cs:191:14:191:25 | call to method NullTest2 | Guards.cs:191:24:191:24 | access to parameter s | false |
 | Guards.cs:192:31:192:31 | access to parameter s | Guards.cs:191:24:191:24 | access to parameter s | Guards.cs:191:24:191:24 | access to parameter s | non-null |
-| Guards.cs:194:31:194:31 | access to parameter s | Guards.cs:193:13:193:25 | !... | Guards.cs:193:24:193:24 | access to parameter s | true |
 | Guards.cs:194:31:194:31 | access to parameter s | Guards.cs:193:14:193:25 | call to method NullTest3 | Guards.cs:193:24:193:24 | access to parameter s | false |
 | Guards.cs:194:31:194:31 | access to parameter s | Guards.cs:193:24:193:24 | access to parameter s | Guards.cs:193:24:193:24 | access to parameter s | non-null |
 | Guards.cs:196:31:196:31 | access to parameter s | Guards.cs:195:13:195:27 | call to method NotNullTest4 | Guards.cs:195:26:195:26 | access to parameter s | true |
 | Guards.cs:196:31:196:31 | access to parameter s | Guards.cs:195:26:195:26 | access to parameter s | Guards.cs:195:26:195:26 | access to parameter s | non-null |
-| Guards.cs:198:31:198:31 | access to parameter s | Guards.cs:197:13:197:29 | !... | Guards.cs:197:28:197:28 | access to parameter s | true |
 | Guards.cs:198:31:198:31 | access to parameter s | Guards.cs:197:14:197:29 | call to method NullTestWrong | Guards.cs:197:28:197:28 | access to parameter s | false |
 | Guards.cs:205:13:205:13 | access to parameter o | Guards.cs:203:13:203:13 | access to parameter o | Guards.cs:203:13:203:13 | access to parameter o | non-null |
 | Guards.cs:205:13:205:13 | access to parameter o | Guards.cs:203:13:203:21 | ... != ... | Guards.cs:203:13:203:13 | access to parameter o | true |
@@ -241,7 +210,6 @@
 | Guards.cs:342:27:342:27 | [b (line 339): true] access to parameter b | Guards.cs:341:20:341:32 | ... ? ... : ... | Guards.cs:341:20:341:20 | access to parameter b | non-null |
 | Guards.cs:343:31:343:31 | access to local variable s | Guards.cs:342:13:342:13 | access to local variable s | Guards.cs:342:13:342:13 | access to local variable s | non-null |
 | Guards.cs:343:31:343:31 | access to local variable s | Guards.cs:342:13:342:21 | ... != ... | Guards.cs:342:13:342:13 | access to local variable s | true |
-| Guards.cs:343:31:343:31 | access to local variable s | Guards.cs:342:13:342:27 | ... && ... | Guards.cs:342:13:342:13 | access to local variable s | true |
 | Guards.cs:349:13:349:13 | access to parameter o | Guards.cs:348:13:348:13 | access to parameter o | Guards.cs:348:13:348:13 | access to parameter o | non-null |
 | Guards.cs:349:13:349:13 | access to parameter o | Guards.cs:348:13:348:25 | ... is ... | Guards.cs:348:13:348:13 | access to parameter o | true |
 | Splitting.cs:13:17:13:17 | [b (line 9): true] access to parameter o | Splitting.cs:12:17:12:17 | access to parameter o | Splitting.cs:12:17:12:17 | access to parameter o | non-null |
diff --git a/csharp/ql/test/library-tests/controlflow/guards/GuardedExpr.expected b/csharp/ql/test/library-tests/controlflow/guards/GuardedExpr.expected
index aad97097f21..bd5e3dbf1a1 100644
--- a/csharp/ql/test/library-tests/controlflow/guards/GuardedExpr.expected
+++ b/csharp/ql/test/library-tests/controlflow/guards/GuardedExpr.expected
@@ -14,22 +14,18 @@
 | Assert.cs:59:36:59:36 | access to parameter b | Assert.cs:58:20:58:32 | ... ? ... : ... | Assert.cs:58:20:58:20 | access to parameter b | non-null |
 | Assert.cs:60:27:60:27 | access to local variable s | Assert.cs:59:23:59:23 | access to local variable s | Assert.cs:59:23:59:23 | access to local variable s | non-null |
 | Assert.cs:60:27:60:27 | access to local variable s | Assert.cs:59:23:59:31 | ... != ... | Assert.cs:59:23:59:23 | access to local variable s | true |
-| Assert.cs:60:27:60:27 | access to local variable s | Assert.cs:59:23:59:36 | ... && ... | Assert.cs:59:23:59:23 | access to local variable s | true |
 | Assert.cs:66:37:66:37 | access to parameter b | Assert.cs:65:20:65:20 | access to parameter b | Assert.cs:65:20:65:20 | access to parameter b | false |
 | Assert.cs:66:37:66:37 | access to parameter b | Assert.cs:65:20:65:32 | ... ? ... : ... | Assert.cs:65:20:65:20 | access to parameter b | non-null |
 | Assert.cs:67:27:67:27 | access to local variable s | Assert.cs:66:24:66:24 | access to local variable s | Assert.cs:66:24:66:24 | access to local variable s | non-null |
 | Assert.cs:67:27:67:27 | access to local variable s | Assert.cs:66:24:66:32 | ... == ... | Assert.cs:66:24:66:24 | access to local variable s | false |
-| Assert.cs:67:27:67:27 | access to local variable s | Assert.cs:66:24:66:37 | ... \|\| ... | Assert.cs:66:24:66:24 | access to local variable s | false |
 | Assert.cs:73:36:73:36 | access to parameter b | Assert.cs:72:20:72:20 | access to parameter b | Assert.cs:72:20:72:20 | access to parameter b | true |
 | Assert.cs:73:36:73:36 | access to parameter b | Assert.cs:72:20:72:32 | ... ? ... : ... | Assert.cs:72:20:72:20 | access to parameter b | null |
 | Assert.cs:74:27:74:27 | access to local variable s | Assert.cs:73:23:73:23 | access to local variable s | Assert.cs:73:23:73:23 | access to local variable s | null |
 | Assert.cs:74:27:74:27 | access to local variable s | Assert.cs:73:23:73:31 | ... == ... | Assert.cs:73:23:73:23 | access to local variable s | true |
-| Assert.cs:74:27:74:27 | access to local variable s | Assert.cs:73:23:73:36 | ... && ... | Assert.cs:73:23:73:23 | access to local variable s | true |
 | Assert.cs:80:37:80:37 | access to parameter b | Assert.cs:79:20:79:20 | access to parameter b | Assert.cs:79:20:79:20 | access to parameter b | true |
 | Assert.cs:80:37:80:37 | access to parameter b | Assert.cs:79:20:79:32 | ... ? ... : ... | Assert.cs:79:20:79:20 | access to parameter b | null |
 | Assert.cs:81:27:81:27 | access to local variable s | Assert.cs:80:24:80:24 | access to local variable s | Assert.cs:80:24:80:24 | access to local variable s | null |
 | Assert.cs:81:27:81:27 | access to local variable s | Assert.cs:80:24:80:32 | ... != ... | Assert.cs:80:24:80:24 | access to local variable s | false |
-| Assert.cs:81:27:81:27 | access to local variable s | Assert.cs:80:24:80:37 | ... \|\| ... | Assert.cs:80:24:80:24 | access to local variable s | false |
 | Assert.cs:94:16:94:17 | access to parameter b1 | Assert.cs:93:25:93:26 | access to parameter b1 | Assert.cs:93:25:93:26 | access to parameter b1 | true |
 | Assert.cs:94:23:94:24 | access to parameter b2 | Assert.cs:93:29:93:30 | access to parameter b2 | Assert.cs:93:29:93:30 | access to parameter b2 | false |
 | Collections.cs:52:17:52:20 | access to parameter args | Collections.cs:50:13:50:16 | access to parameter args | Collections.cs:50:13:50:16 | access to parameter args | non-empty |
@@ -40,49 +36,27 @@
 | Collections.cs:67:13:67:13 | access to local variable x | Collections.cs:65:13:65:24 | ... == ... | Collections.cs:65:13:65:13 | access to local variable x | true |
 | Collections.cs:68:13:68:13 | access to local variable x | Collections.cs:65:13:65:24 | ... == ... | Collections.cs:65:13:65:13 | access to local variable x | true |
 | Collections.cs:96:31:96:34 | access to parameter args | Collections.cs:95:29:95:32 | access to parameter args | Collections.cs:95:29:95:32 | access to parameter args | non-empty |
-| Guards.cs:12:13:12:13 | access to parameter s | Guards.cs:10:13:10:25 | !... | Guards.cs:10:16:10:16 | access to parameter s | false |
-| Guards.cs:12:13:12:13 | access to parameter s | Guards.cs:10:14:10:25 | !... | Guards.cs:10:16:10:16 | access to parameter s | true |
 | Guards.cs:12:13:12:13 | access to parameter s | Guards.cs:10:16:10:16 | access to parameter s | Guards.cs:10:16:10:16 | access to parameter s | non-null |
 | Guards.cs:12:13:12:13 | access to parameter s | Guards.cs:10:16:10:24 | ... == ... | Guards.cs:10:16:10:16 | access to parameter s | false |
-| Guards.cs:14:31:14:31 | access to parameter s | Guards.cs:10:13:10:25 | !... | Guards.cs:10:16:10:16 | access to parameter s | false |
-| Guards.cs:14:31:14:31 | access to parameter s | Guards.cs:10:14:10:25 | !... | Guards.cs:10:16:10:16 | access to parameter s | true |
 | Guards.cs:14:31:14:31 | access to parameter s | Guards.cs:10:16:10:16 | access to parameter s | Guards.cs:10:16:10:16 | access to parameter s | non-null |
 | Guards.cs:14:31:14:31 | access to parameter s | Guards.cs:10:16:10:24 | ... == ... | Guards.cs:10:16:10:16 | access to parameter s | false |
 | Guards.cs:14:31:14:31 | access to parameter s | Guards.cs:12:13:12:24 | ... > ... | Guards.cs:12:13:12:13 | access to parameter s | true |
 | Guards.cs:26:31:26:31 | access to parameter s | Guards.cs:24:13:24:13 | access to parameter s | Guards.cs:24:13:24:13 | access to parameter s | non-null |
 | Guards.cs:26:31:26:31 | access to parameter s | Guards.cs:24:13:24:21 | ... != ... | Guards.cs:24:13:24:13 | access to parameter s | true |
-| Guards.cs:33:31:33:31 | access to parameter x | Guards.cs:32:13:32:36 | !... | Guards.cs:32:35:32:35 | access to parameter x | true |
-| Guards.cs:33:31:33:31 | access to parameter x | Guards.cs:32:13:32:51 | ... & ... | Guards.cs:32:35:32:35 | access to parameter x | true |
 | Guards.cs:33:31:33:31 | access to parameter x | Guards.cs:32:14:32:36 | call to method IsNullOrEmpty | Guards.cs:32:35:32:35 | access to parameter x | false |
 | Guards.cs:33:31:33:31 | access to parameter x | Guards.cs:32:35:32:35 | access to parameter x | Guards.cs:32:35:32:35 | access to parameter x | non-null |
-| Guards.cs:33:35:33:35 | access to parameter y | Guards.cs:32:13:32:51 | ... & ... | Guards.cs:32:42:32:42 | access to parameter y | true |
-| Guards.cs:33:35:33:35 | access to parameter y | Guards.cs:32:40:32:51 | !... | Guards.cs:32:42:32:42 | access to parameter y | true |
 | Guards.cs:33:35:33:35 | access to parameter y | Guards.cs:32:42:32:42 | access to parameter y | Guards.cs:32:42:32:42 | access to parameter y | non-null |
 | Guards.cs:33:35:33:35 | access to parameter y | Guards.cs:32:42:32:50 | ... == ... | Guards.cs:32:42:32:42 | access to parameter y | false |
 | Guards.cs:36:32:36:32 | access to parameter x | Guards.cs:35:13:35:13 | access to parameter x | Guards.cs:35:13:35:13 | access to parameter x | non-null |
 | Guards.cs:36:32:36:32 | access to parameter x | Guards.cs:35:13:35:21 | ... == ... | Guards.cs:35:13:35:13 | access to parameter x | false |
-| Guards.cs:36:32:36:32 | access to parameter x | Guards.cs:35:13:35:34 | ... \|\| ... | Guards.cs:35:13:35:13 | access to parameter x | false |
-| Guards.cs:36:36:36:36 | access to parameter y | Guards.cs:35:13:35:34 | ... \|\| ... | Guards.cs:35:26:35:26 | access to parameter y | false |
 | Guards.cs:36:36:36:36 | access to parameter y | Guards.cs:35:26:35:26 | access to parameter y | Guards.cs:35:26:35:26 | access to parameter y | non-null |
 | Guards.cs:36:36:36:36 | access to parameter y | Guards.cs:35:26:35:34 | ... == ... | Guards.cs:35:26:35:26 | access to parameter y | false |
-| Guards.cs:39:31:39:31 | access to parameter x | Guards.cs:38:13:38:37 | !... | Guards.cs:38:15:38:15 | access to parameter x | true |
 | Guards.cs:39:31:39:31 | access to parameter x | Guards.cs:38:15:38:15 | access to parameter x | Guards.cs:38:15:38:15 | access to parameter x | non-null |
 | Guards.cs:39:31:39:31 | access to parameter x | Guards.cs:38:15:38:23 | ... == ... | Guards.cs:38:15:38:15 | access to parameter x | false |
-| Guards.cs:39:31:39:31 | access to parameter x | Guards.cs:38:15:38:36 | ... \|\| ... | Guards.cs:38:15:38:15 | access to parameter x | false |
-| Guards.cs:39:35:39:35 | access to parameter y | Guards.cs:38:13:38:37 | !... | Guards.cs:38:28:38:28 | access to parameter y | true |
-| Guards.cs:39:35:39:35 | access to parameter y | Guards.cs:38:15:38:36 | ... \|\| ... | Guards.cs:38:28:38:28 | access to parameter y | false |
 | Guards.cs:39:35:39:35 | access to parameter y | Guards.cs:38:28:38:28 | access to parameter y | Guards.cs:38:28:38:28 | access to parameter y | non-null |
 | Guards.cs:39:35:39:35 | access to parameter y | Guards.cs:38:28:38:36 | ... == ... | Guards.cs:38:28:38:28 | access to parameter y | false |
-| Guards.cs:42:32:42:32 | access to parameter x | Guards.cs:41:13:41:39 | !... | Guards.cs:41:17:41:17 | access to parameter x | false |
-| Guards.cs:42:32:42:32 | access to parameter x | Guards.cs:41:14:41:39 | !... | Guards.cs:41:17:41:17 | access to parameter x | true |
-| Guards.cs:42:32:42:32 | access to parameter x | Guards.cs:41:15:41:39 | !... | Guards.cs:41:17:41:17 | access to parameter x | false |
 | Guards.cs:42:32:42:32 | access to parameter x | Guards.cs:41:17:41:17 | access to parameter x | Guards.cs:41:17:41:17 | access to parameter x | non-null |
 | Guards.cs:42:32:42:32 | access to parameter x | Guards.cs:41:17:41:25 | ... != ... | Guards.cs:41:17:41:17 | access to parameter x | true |
-| Guards.cs:42:32:42:32 | access to parameter x | Guards.cs:41:17:41:38 | ... && ... | Guards.cs:41:17:41:17 | access to parameter x | true |
-| Guards.cs:42:36:42:36 | access to parameter y | Guards.cs:41:13:41:39 | !... | Guards.cs:41:30:41:30 | access to parameter y | false |
-| Guards.cs:42:36:42:36 | access to parameter y | Guards.cs:41:14:41:39 | !... | Guards.cs:41:30:41:30 | access to parameter y | true |
-| Guards.cs:42:36:42:36 | access to parameter y | Guards.cs:41:15:41:39 | !... | Guards.cs:41:30:41:30 | access to parameter y | false |
-| Guards.cs:42:36:42:36 | access to parameter y | Guards.cs:41:17:41:38 | ... && ... | Guards.cs:41:30:41:30 | access to parameter y | true |
 | Guards.cs:42:36:42:36 | access to parameter y | Guards.cs:41:30:41:30 | access to parameter y | Guards.cs:41:30:41:30 | access to parameter y | non-null |
 | Guards.cs:42:36:42:36 | access to parameter y | Guards.cs:41:30:41:38 | ... != ... | Guards.cs:41:30:41:30 | access to parameter y | true |
 | Guards.cs:48:31:48:40 | access to field Field | Guards.cs:47:13:47:17 | access to field Field | Guards.cs:47:13:47:17 | access to field Field | non-null |
@@ -177,21 +151,16 @@
 | Guards.cs:162:24:162:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | non-match access to type Action<Object> |
 | Guards.cs:162:24:162:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | non-match null |
 | Guards.cs:162:24:162:24 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | Guards.cs:151:17:151:17 | access to parameter o | non-null |
-| Guards.cs:169:31:169:31 | access to parameter x | Guards.cs:168:13:168:41 | !... | Guards.cs:168:40:168:40 | access to parameter x | true |
 | Guards.cs:169:31:169:31 | access to parameter x | Guards.cs:168:14:168:41 | call to method IsNullOrWhiteSpace | Guards.cs:168:40:168:40 | access to parameter x | false |
 | Guards.cs:169:31:169:31 | access to parameter x | Guards.cs:168:40:168:40 | access to parameter x | Guards.cs:168:40:168:40 | access to parameter x | non-null |
-| Guards.cs:190:31:190:31 | access to parameter s | Guards.cs:189:13:189:25 | !... | Guards.cs:189:24:189:24 | access to parameter s | true |
 | Guards.cs:190:31:190:31 | access to parameter s | Guards.cs:189:14:189:25 | call to method NullTest1 | Guards.cs:189:24:189:24 | access to parameter s | false |
 | Guards.cs:190:31:190:31 | access to parameter s | Guards.cs:189:24:189:24 | access to parameter s | Guards.cs:189:24:189:24 | access to parameter s | non-null |
-| Guards.cs:192:31:192:31 | access to parameter s | Guards.cs:191:13:191:25 | !... | Guards.cs:191:24:191:24 | access to parameter s | true |
 | Guards.cs:192:31:192:31 | access to parameter s | Guards.cs:191:14:191:25 | call to method NullTest2 | Guards.cs:191:24:191:24 | access to parameter s | false |
 | Guards.cs:192:31:192:31 | access to parameter s | Guards.cs:191:24:191:24 | access to parameter s | Guards.cs:191:24:191:24 | access to parameter s | non-null |
-| Guards.cs:194:31:194:31 | access to parameter s | Guards.cs:193:13:193:25 | !... | Guards.cs:193:24:193:24 | access to parameter s | true |
 | Guards.cs:194:31:194:31 | access to parameter s | Guards.cs:193:14:193:25 | call to method NullTest3 | Guards.cs:193:24:193:24 | access to parameter s | false |
 | Guards.cs:194:31:194:31 | access to parameter s | Guards.cs:193:24:193:24 | access to parameter s | Guards.cs:193:24:193:24 | access to parameter s | non-null |
 | Guards.cs:196:31:196:31 | access to parameter s | Guards.cs:195:13:195:27 | call to method NotNullTest4 | Guards.cs:195:26:195:26 | access to parameter s | true |
 | Guards.cs:196:31:196:31 | access to parameter s | Guards.cs:195:26:195:26 | access to parameter s | Guards.cs:195:26:195:26 | access to parameter s | non-null |
-| Guards.cs:198:31:198:31 | access to parameter s | Guards.cs:197:13:197:29 | !... | Guards.cs:197:28:197:28 | access to parameter s | true |
 | Guards.cs:198:31:198:31 | access to parameter s | Guards.cs:197:14:197:29 | call to method NullTestWrong | Guards.cs:197:28:197:28 | access to parameter s | false |
 | Guards.cs:205:13:205:13 | access to parameter o | Guards.cs:203:13:203:13 | access to parameter o | Guards.cs:203:13:203:13 | access to parameter o | non-null |
 | Guards.cs:205:13:205:13 | access to parameter o | Guards.cs:203:13:203:21 | ... != ... | Guards.cs:203:13:203:13 | access to parameter o | true |
@@ -222,7 +191,6 @@
 | Guards.cs:342:27:342:27 | access to parameter b | Guards.cs:341:20:341:32 | ... ? ... : ... | Guards.cs:341:20:341:20 | access to parameter b | non-null |
 | Guards.cs:343:31:343:31 | access to local variable s | Guards.cs:342:13:342:13 | access to local variable s | Guards.cs:342:13:342:13 | access to local variable s | non-null |
 | Guards.cs:343:31:343:31 | access to local variable s | Guards.cs:342:13:342:21 | ... != ... | Guards.cs:342:13:342:13 | access to local variable s | true |
-| Guards.cs:343:31:343:31 | access to local variable s | Guards.cs:342:13:342:27 | ... && ... | Guards.cs:342:13:342:13 | access to local variable s | true |
 | Guards.cs:349:13:349:13 | access to parameter o | Guards.cs:348:13:348:13 | access to parameter o | Guards.cs:348:13:348:13 | access to parameter o | non-null |
 | Guards.cs:349:13:349:13 | access to parameter o | Guards.cs:348:13:348:25 | ... is ... | Guards.cs:348:13:348:13 | access to parameter o | true |
 | Splitting.cs:13:17:13:17 | access to parameter o | Splitting.cs:12:17:12:17 | access to parameter o | Splitting.cs:12:17:12:17 | access to parameter o | non-null |

From 1954c0ba8489395c56a726814c45a5284e7abe9f Mon Sep 17 00:00:00 2001
From: yoff <lerchedahl@gmail.com>
Date: Fri, 23 Apr 2021 10:20:18 +0200
Subject: [PATCH 0628/1429] Apply suggestions from code review

Co-authored-by: Taus <tausbn@github.com>
---
 .../ql/src/semmle/python/frameworks/Stdlib.qll | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index 77f3213a5fa..fc8e38fc9e7 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -941,7 +941,7 @@ private module Stdlib {
     or
     // Type-preserving call
     exists(DataFlow::Node nodeFrom, DataFlow::TypeTracker t2 |
-      nodeFrom.getALocalSource() = pathlibPath(t2) and
+      pathlibPath(t2).flowsTo(nodeFrom) and
       t2.end()
     |
       t.start() and
@@ -962,7 +962,7 @@ private module Stdlib {
     exists(BinaryExprNode slash, DataFlow::Node pathOperand, DataFlow::TypeTracker t2 |
       slash.getOp() instanceof Div and
       pathOperand.asCfgNode() = slash.getAnOperand() and
-      pathOperand.getALocalSource() = pathlibPath(t2) and
+      pathlibPath(t2).flowsTo(pathOperand) and
       t2.end()
     |
       t.start() and
@@ -972,7 +972,7 @@ private module Stdlib {
     //   standard case
     exists(DataFlow::AttrRead returnsPath, DataFlow::TypeTracker t2 |
       returnsPath.getAttributeName() = pathlibPathInjection() and
-      returnsPath.getObject().getALocalSource() = pathlibPath(t2) and
+      pathlibPath(t2).flowsTo(returnsPath.getObject()) and
       t2.end()
     |
       t.start() and
@@ -997,7 +997,7 @@ private module Stdlib {
           "rename", "replace", "resolve", "rglob", "rmdir", "samefile", "symlink_to", "touch",
           "unlink", "link_to", "write_bytes", "write_text"
         ] and
-      fileAccess.getObject().getALocalSource() = pathlibPath() and
+      pathlibPath().flowsTo(fileAccess.getObject()) and
       this.getFunction() = fileAccess
     }
 
@@ -1012,8 +1012,8 @@ private module Stdlib {
       nodeFrom = nodeTo.(DataFlow::CallCfgNode).getArg(_)
       or
       // Type preservation
-      nodeFrom.getALocalSource() = pathlibPath() and
-      nodeTo.getALocalSource() = pathlibPath() and
+      pathlibPath().flowsTo(nodeFrom) and
+      pathlibPath().flowsTo(nodeTo) and
       (
         // Type-preserving call
         typePreservingCall(nodeFrom, nodeTo)
@@ -1023,13 +1023,13 @@ private module Stdlib {
       )
       or
       // Data injection
-      nodeTo.getALocalSource() = pathlibPath() and
+      pathlibPath().flowsTo(nodeTo) and
       (
         // Special handling of the `/` operator
         exists(BinaryExprNode slash, DataFlow::Node pathOperand |
           slash.getOp() instanceof Div and
           pathOperand.asCfgNode() = slash.getAnOperand() and
-          pathOperand.getALocalSource() = pathlibPath()
+          pathlibPath().flowsTo(pathOperand)
         |
           nodeTo.asCfgNode() = slash and
           // Taint can flow either from the left or the right operand as long as one of them is a path.
@@ -1052,7 +1052,7 @@ private module Stdlib {
       )
       or
       // Export data from type
-      nodeFrom.getALocalSource() = pathlibPath() and
+      pathlibPath().flowsTo(nodeFrom) and
       (
         // exporting attribute
         exists(DataFlow::AttrRead export |

From 956507b5fa10857d97cf13590b9570ba195eb787 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Thu, 22 Apr 2021 15:02:53 +0200
Subject: [PATCH 0629/1429] C#: Add guards stress test

---
 .../guards-large/GuardedExpr.expected         | 797 ++++++++++++++++++
 .../controlflow/guards-large/GuardedExpr.ql   |   5 +
 .../guards-large/GuardsStressTest.cs          | 443 ++++++++++
 3 files changed, 1245 insertions(+)
 create mode 100644 csharp/ql/test/library-tests/controlflow/guards-large/GuardedExpr.expected
 create mode 100644 csharp/ql/test/library-tests/controlflow/guards-large/GuardedExpr.ql
 create mode 100644 csharp/ql/test/library-tests/controlflow/guards-large/GuardsStressTest.cs

diff --git a/csharp/ql/test/library-tests/controlflow/guards-large/GuardedExpr.expected b/csharp/ql/test/library-tests/controlflow/guards-large/GuardedExpr.expected
new file mode 100644
index 00000000000..b390b5be639
--- /dev/null
+++ b/csharp/ql/test/library-tests/controlflow/guards-large/GuardedExpr.expected
@@ -0,0 +1,797 @@
+| GuardsStressTest.cs:8:26:8:27 | access to field ch |
+| GuardsStressTest.cs:9:4:9:5 | access to field ch |
+| GuardsStressTest.cs:9:17:9:18 | access to field ch |
+| GuardsStressTest.cs:10:4:10:5 | access to field ch |
+| GuardsStressTest.cs:11:4:11:5 | access to field ch |
+| GuardsStressTest.cs:11:17:11:18 | access to field ch |
+| GuardsStressTest.cs:12:4:12:5 | access to field ch |
+| GuardsStressTest.cs:13:4:13:5 | access to field ch |
+| GuardsStressTest.cs:14:4:14:5 | access to field ch |
+| GuardsStressTest.cs:15:4:15:5 | access to field ch |
+| GuardsStressTest.cs:15:17:15:18 | access to field ch |
+| GuardsStressTest.cs:16:4:16:5 | access to field ch |
+| GuardsStressTest.cs:16:17:16:18 | access to field ch |
+| GuardsStressTest.cs:17:4:17:5 | access to field ch |
+| GuardsStressTest.cs:17:17:17:18 | access to field ch |
+| GuardsStressTest.cs:18:4:18:5 | access to field ch |
+| GuardsStressTest.cs:18:17:18:18 | access to field ch |
+| GuardsStressTest.cs:19:4:19:5 | access to field ch |
+| GuardsStressTest.cs:19:17:19:18 | access to field ch |
+| GuardsStressTest.cs:20:4:20:5 | access to field ch |
+| GuardsStressTest.cs:21:4:21:5 | access to field ch |
+| GuardsStressTest.cs:22:4:22:5 | access to field ch |
+| GuardsStressTest.cs:22:17:22:18 | access to field ch |
+| GuardsStressTest.cs:23:4:23:5 | access to field ch |
+| GuardsStressTest.cs:23:17:23:18 | access to field ch |
+| GuardsStressTest.cs:24:4:24:5 | access to field ch |
+| GuardsStressTest.cs:24:17:24:18 | access to field ch |
+| GuardsStressTest.cs:25:4:25:5 | access to field ch |
+| GuardsStressTest.cs:26:4:26:5 | access to field ch |
+| GuardsStressTest.cs:26:17:26:18 | access to field ch |
+| GuardsStressTest.cs:27:4:27:5 | access to field ch |
+| GuardsStressTest.cs:28:4:28:5 | access to field ch |
+| GuardsStressTest.cs:28:17:28:18 | access to field ch |
+| GuardsStressTest.cs:29:4:29:5 | access to field ch |
+| GuardsStressTest.cs:29:17:29:18 | access to field ch |
+| GuardsStressTest.cs:30:4:30:5 | access to field ch |
+| GuardsStressTest.cs:30:18:30:19 | access to field ch |
+| GuardsStressTest.cs:31:4:31:5 | access to field ch |
+| GuardsStressTest.cs:31:18:31:19 | access to field ch |
+| GuardsStressTest.cs:32:4:32:5 | access to field ch |
+| GuardsStressTest.cs:32:18:32:19 | access to field ch |
+| GuardsStressTest.cs:33:4:33:5 | access to field ch |
+| GuardsStressTest.cs:33:18:33:19 | access to field ch |
+| GuardsStressTest.cs:34:4:34:5 | access to field ch |
+| GuardsStressTest.cs:35:4:35:5 | access to field ch |
+| GuardsStressTest.cs:35:18:35:19 | access to field ch |
+| GuardsStressTest.cs:36:4:36:5 | access to field ch |
+| GuardsStressTest.cs:36:18:36:19 | access to field ch |
+| GuardsStressTest.cs:37:4:37:5 | access to field ch |
+| GuardsStressTest.cs:38:4:38:5 | access to field ch |
+| GuardsStressTest.cs:38:18:38:19 | access to field ch |
+| GuardsStressTest.cs:39:4:39:5 | access to field ch |
+| GuardsStressTest.cs:39:18:39:19 | access to field ch |
+| GuardsStressTest.cs:40:4:40:5 | access to field ch |
+| GuardsStressTest.cs:41:4:41:5 | access to field ch |
+| GuardsStressTest.cs:41:18:41:19 | access to field ch |
+| GuardsStressTest.cs:42:4:42:5 | access to field ch |
+| GuardsStressTest.cs:42:18:42:19 | access to field ch |
+| GuardsStressTest.cs:43:4:43:5 | access to field ch |
+| GuardsStressTest.cs:43:18:43:19 | access to field ch |
+| GuardsStressTest.cs:44:4:44:5 | access to field ch |
+| GuardsStressTest.cs:44:18:44:19 | access to field ch |
+| GuardsStressTest.cs:45:4:45:5 | access to field ch |
+| GuardsStressTest.cs:45:18:45:19 | access to field ch |
+| GuardsStressTest.cs:46:4:46:5 | access to field ch |
+| GuardsStressTest.cs:46:18:46:19 | access to field ch |
+| GuardsStressTest.cs:47:4:47:5 | access to field ch |
+| GuardsStressTest.cs:47:18:47:19 | access to field ch |
+| GuardsStressTest.cs:48:4:48:5 | access to field ch |
+| GuardsStressTest.cs:48:18:48:19 | access to field ch |
+| GuardsStressTest.cs:49:4:49:5 | access to field ch |
+| GuardsStressTest.cs:50:4:50:5 | access to field ch |
+| GuardsStressTest.cs:50:18:50:19 | access to field ch |
+| GuardsStressTest.cs:51:4:51:5 | access to field ch |
+| GuardsStressTest.cs:51:18:51:19 | access to field ch |
+| GuardsStressTest.cs:52:4:52:5 | access to field ch |
+| GuardsStressTest.cs:52:18:52:19 | access to field ch |
+| GuardsStressTest.cs:53:4:53:5 | access to field ch |
+| GuardsStressTest.cs:54:4:54:5 | access to field ch |
+| GuardsStressTest.cs:54:18:54:19 | access to field ch |
+| GuardsStressTest.cs:55:4:55:5 | access to field ch |
+| GuardsStressTest.cs:55:18:55:19 | access to field ch |
+| GuardsStressTest.cs:56:4:56:5 | access to field ch |
+| GuardsStressTest.cs:57:4:57:5 | access to field ch |
+| GuardsStressTest.cs:57:18:57:19 | access to field ch |
+| GuardsStressTest.cs:58:4:58:5 | access to field ch |
+| GuardsStressTest.cs:58:18:58:19 | access to field ch |
+| GuardsStressTest.cs:59:4:59:5 | access to field ch |
+| GuardsStressTest.cs:59:18:59:19 | access to field ch |
+| GuardsStressTest.cs:60:4:60:5 | access to field ch |
+| GuardsStressTest.cs:60:18:60:19 | access to field ch |
+| GuardsStressTest.cs:61:4:61:5 | access to field ch |
+| GuardsStressTest.cs:61:18:61:19 | access to field ch |
+| GuardsStressTest.cs:62:4:62:5 | access to field ch |
+| GuardsStressTest.cs:62:18:62:19 | access to field ch |
+| GuardsStressTest.cs:63:4:63:5 | access to field ch |
+| GuardsStressTest.cs:63:18:63:19 | access to field ch |
+| GuardsStressTest.cs:64:4:64:5 | access to field ch |
+| GuardsStressTest.cs:64:18:64:19 | access to field ch |
+| GuardsStressTest.cs:65:4:65:5 | access to field ch |
+| GuardsStressTest.cs:65:18:65:19 | access to field ch |
+| GuardsStressTest.cs:66:4:66:5 | access to field ch |
+| GuardsStressTest.cs:66:18:66:19 | access to field ch |
+| GuardsStressTest.cs:67:4:67:5 | access to field ch |
+| GuardsStressTest.cs:67:18:67:19 | access to field ch |
+| GuardsStressTest.cs:68:4:68:5 | access to field ch |
+| GuardsStressTest.cs:69:4:69:5 | access to field ch |
+| GuardsStressTest.cs:69:18:69:19 | access to field ch |
+| GuardsStressTest.cs:70:4:70:5 | access to field ch |
+| GuardsStressTest.cs:70:18:70:19 | access to field ch |
+| GuardsStressTest.cs:71:4:71:5 | access to field ch |
+| GuardsStressTest.cs:71:18:71:19 | access to field ch |
+| GuardsStressTest.cs:72:4:72:5 | access to field ch |
+| GuardsStressTest.cs:72:18:72:19 | access to field ch |
+| GuardsStressTest.cs:73:4:73:5 | access to field ch |
+| GuardsStressTest.cs:74:4:74:5 | access to field ch |
+| GuardsStressTest.cs:74:18:74:19 | access to field ch |
+| GuardsStressTest.cs:75:4:75:5 | access to field ch |
+| GuardsStressTest.cs:75:18:75:19 | access to field ch |
+| GuardsStressTest.cs:76:4:76:5 | access to field ch |
+| GuardsStressTest.cs:76:18:76:19 | access to field ch |
+| GuardsStressTest.cs:77:4:77:5 | access to field ch |
+| GuardsStressTest.cs:77:18:77:19 | access to field ch |
+| GuardsStressTest.cs:78:4:78:5 | access to field ch |
+| GuardsStressTest.cs:78:18:78:19 | access to field ch |
+| GuardsStressTest.cs:79:4:79:5 | access to field ch |
+| GuardsStressTest.cs:79:18:79:19 | access to field ch |
+| GuardsStressTest.cs:80:4:80:5 | access to field ch |
+| GuardsStressTest.cs:80:18:80:19 | access to field ch |
+| GuardsStressTest.cs:81:4:81:5 | access to field ch |
+| GuardsStressTest.cs:81:18:81:19 | access to field ch |
+| GuardsStressTest.cs:82:4:82:5 | access to field ch |
+| GuardsStressTest.cs:82:18:82:19 | access to field ch |
+| GuardsStressTest.cs:83:4:83:5 | access to field ch |
+| GuardsStressTest.cs:83:18:83:19 | access to field ch |
+| GuardsStressTest.cs:84:4:84:5 | access to field ch |
+| GuardsStressTest.cs:84:18:84:19 | access to field ch |
+| GuardsStressTest.cs:85:4:85:5 | access to field ch |
+| GuardsStressTest.cs:86:4:86:5 | access to field ch |
+| GuardsStressTest.cs:86:18:86:19 | access to field ch |
+| GuardsStressTest.cs:87:4:87:5 | access to field ch |
+| GuardsStressTest.cs:87:18:87:19 | access to field ch |
+| GuardsStressTest.cs:88:4:88:5 | access to field ch |
+| GuardsStressTest.cs:88:18:88:19 | access to field ch |
+| GuardsStressTest.cs:89:4:89:5 | access to field ch |
+| GuardsStressTest.cs:90:4:90:5 | access to field ch |
+| GuardsStressTest.cs:90:18:90:19 | access to field ch |
+| GuardsStressTest.cs:91:4:91:5 | access to field ch |
+| GuardsStressTest.cs:92:4:92:5 | access to field ch |
+| GuardsStressTest.cs:92:18:92:19 | access to field ch |
+| GuardsStressTest.cs:93:4:93:5 | access to field ch |
+| GuardsStressTest.cs:93:18:93:19 | access to field ch |
+| GuardsStressTest.cs:94:4:94:5 | access to field ch |
+| GuardsStressTest.cs:94:18:94:19 | access to field ch |
+| GuardsStressTest.cs:95:4:95:5 | access to field ch |
+| GuardsStressTest.cs:95:18:95:19 | access to field ch |
+| GuardsStressTest.cs:96:4:96:5 | access to field ch |
+| GuardsStressTest.cs:96:18:96:19 | access to field ch |
+| GuardsStressTest.cs:97:4:97:5 | access to field ch |
+| GuardsStressTest.cs:97:18:97:19 | access to field ch |
+| GuardsStressTest.cs:98:4:98:5 | access to field ch |
+| GuardsStressTest.cs:98:18:98:19 | access to field ch |
+| GuardsStressTest.cs:99:4:99:5 | access to field ch |
+| GuardsStressTest.cs:99:18:99:19 | access to field ch |
+| GuardsStressTest.cs:100:4:100:5 | access to field ch |
+| GuardsStressTest.cs:100:18:100:19 | access to field ch |
+| GuardsStressTest.cs:101:4:101:5 | access to field ch |
+| GuardsStressTest.cs:101:18:101:19 | access to field ch |
+| GuardsStressTest.cs:102:4:102:5 | access to field ch |
+| GuardsStressTest.cs:102:18:102:19 | access to field ch |
+| GuardsStressTest.cs:103:4:103:5 | access to field ch |
+| GuardsStressTest.cs:104:4:104:5 | access to field ch |
+| GuardsStressTest.cs:104:18:104:19 | access to field ch |
+| GuardsStressTest.cs:105:4:105:5 | access to field ch |
+| GuardsStressTest.cs:105:18:105:19 | access to field ch |
+| GuardsStressTest.cs:106:4:106:5 | access to field ch |
+| GuardsStressTest.cs:106:18:106:19 | access to field ch |
+| GuardsStressTest.cs:107:4:107:5 | access to field ch |
+| GuardsStressTest.cs:107:18:107:19 | access to field ch |
+| GuardsStressTest.cs:108:4:108:5 | access to field ch |
+| GuardsStressTest.cs:108:18:108:19 | access to field ch |
+| GuardsStressTest.cs:109:4:109:5 | access to field ch |
+| GuardsStressTest.cs:109:18:109:19 | access to field ch |
+| GuardsStressTest.cs:110:4:110:5 | access to field ch |
+| GuardsStressTest.cs:110:18:110:19 | access to field ch |
+| GuardsStressTest.cs:111:4:111:5 | access to field ch |
+| GuardsStressTest.cs:111:18:111:19 | access to field ch |
+| GuardsStressTest.cs:112:4:112:5 | access to field ch |
+| GuardsStressTest.cs:112:18:112:19 | access to field ch |
+| GuardsStressTest.cs:113:4:113:5 | access to field ch |
+| GuardsStressTest.cs:113:18:113:19 | access to field ch |
+| GuardsStressTest.cs:114:4:114:5 | access to field ch |
+| GuardsStressTest.cs:114:18:114:19 | access to field ch |
+| GuardsStressTest.cs:115:4:115:5 | access to field ch |
+| GuardsStressTest.cs:115:18:115:19 | access to field ch |
+| GuardsStressTest.cs:116:4:116:5 | access to field ch |
+| GuardsStressTest.cs:116:18:116:19 | access to field ch |
+| GuardsStressTest.cs:117:4:117:5 | access to field ch |
+| GuardsStressTest.cs:117:18:117:19 | access to field ch |
+| GuardsStressTest.cs:118:4:118:5 | access to field ch |
+| GuardsStressTest.cs:118:18:118:19 | access to field ch |
+| GuardsStressTest.cs:119:4:119:5 | access to field ch |
+| GuardsStressTest.cs:119:18:119:19 | access to field ch |
+| GuardsStressTest.cs:120:4:120:5 | access to field ch |
+| GuardsStressTest.cs:121:4:121:5 | access to field ch |
+| GuardsStressTest.cs:121:18:121:19 | access to field ch |
+| GuardsStressTest.cs:122:4:122:5 | access to field ch |
+| GuardsStressTest.cs:122:18:122:19 | access to field ch |
+| GuardsStressTest.cs:123:4:123:5 | access to field ch |
+| GuardsStressTest.cs:123:18:123:19 | access to field ch |
+| GuardsStressTest.cs:124:4:124:5 | access to field ch |
+| GuardsStressTest.cs:124:18:124:19 | access to field ch |
+| GuardsStressTest.cs:125:4:125:5 | access to field ch |
+| GuardsStressTest.cs:125:18:125:19 | access to field ch |
+| GuardsStressTest.cs:126:4:126:5 | access to field ch |
+| GuardsStressTest.cs:127:4:127:5 | access to field ch |
+| GuardsStressTest.cs:127:18:127:19 | access to field ch |
+| GuardsStressTest.cs:128:4:128:5 | access to field ch |
+| GuardsStressTest.cs:128:18:128:19 | access to field ch |
+| GuardsStressTest.cs:129:4:129:5 | access to field ch |
+| GuardsStressTest.cs:129:18:129:19 | access to field ch |
+| GuardsStressTest.cs:130:4:130:5 | access to field ch |
+| GuardsStressTest.cs:130:18:130:19 | access to field ch |
+| GuardsStressTest.cs:131:4:131:5 | access to field ch |
+| GuardsStressTest.cs:131:18:131:19 | access to field ch |
+| GuardsStressTest.cs:132:4:132:5 | access to field ch |
+| GuardsStressTest.cs:132:18:132:19 | access to field ch |
+| GuardsStressTest.cs:133:4:133:5 | access to field ch |
+| GuardsStressTest.cs:133:18:133:19 | access to field ch |
+| GuardsStressTest.cs:134:4:134:5 | access to field ch |
+| GuardsStressTest.cs:135:4:135:5 | access to field ch |
+| GuardsStressTest.cs:136:4:136:5 | access to field ch |
+| GuardsStressTest.cs:136:18:136:19 | access to field ch |
+| GuardsStressTest.cs:137:4:137:5 | access to field ch |
+| GuardsStressTest.cs:137:18:137:19 | access to field ch |
+| GuardsStressTest.cs:138:4:138:5 | access to field ch |
+| GuardsStressTest.cs:138:18:138:19 | access to field ch |
+| GuardsStressTest.cs:139:4:139:5 | access to field ch |
+| GuardsStressTest.cs:139:18:139:19 | access to field ch |
+| GuardsStressTest.cs:140:4:140:5 | access to field ch |
+| GuardsStressTest.cs:140:18:140:19 | access to field ch |
+| GuardsStressTest.cs:141:4:141:5 | access to field ch |
+| GuardsStressTest.cs:141:18:141:19 | access to field ch |
+| GuardsStressTest.cs:142:4:142:5 | access to field ch |
+| GuardsStressTest.cs:142:18:142:19 | access to field ch |
+| GuardsStressTest.cs:143:4:143:5 | access to field ch |
+| GuardsStressTest.cs:143:18:143:19 | access to field ch |
+| GuardsStressTest.cs:144:4:144:5 | access to field ch |
+| GuardsStressTest.cs:144:18:144:19 | access to field ch |
+| GuardsStressTest.cs:145:4:145:5 | access to field ch |
+| GuardsStressTest.cs:145:18:145:19 | access to field ch |
+| GuardsStressTest.cs:146:4:146:5 | access to field ch |
+| GuardsStressTest.cs:146:18:146:19 | access to field ch |
+| GuardsStressTest.cs:147:4:147:5 | access to field ch |
+| GuardsStressTest.cs:147:18:147:19 | access to field ch |
+| GuardsStressTest.cs:148:4:148:5 | access to field ch |
+| GuardsStressTest.cs:148:18:148:19 | access to field ch |
+| GuardsStressTest.cs:149:4:149:5 | access to field ch |
+| GuardsStressTest.cs:149:18:149:19 | access to field ch |
+| GuardsStressTest.cs:150:4:150:5 | access to field ch |
+| GuardsStressTest.cs:150:18:150:19 | access to field ch |
+| GuardsStressTest.cs:151:4:151:5 | access to field ch |
+| GuardsStressTest.cs:151:18:151:19 | access to field ch |
+| GuardsStressTest.cs:152:4:152:5 | access to field ch |
+| GuardsStressTest.cs:152:18:152:19 | access to field ch |
+| GuardsStressTest.cs:153:4:153:5 | access to field ch |
+| GuardsStressTest.cs:153:18:153:19 | access to field ch |
+| GuardsStressTest.cs:154:4:154:5 | access to field ch |
+| GuardsStressTest.cs:154:18:154:19 | access to field ch |
+| GuardsStressTest.cs:155:4:155:5 | access to field ch |
+| GuardsStressTest.cs:155:18:155:19 | access to field ch |
+| GuardsStressTest.cs:156:4:156:5 | access to field ch |
+| GuardsStressTest.cs:156:18:156:19 | access to field ch |
+| GuardsStressTest.cs:157:4:157:5 | access to field ch |
+| GuardsStressTest.cs:157:18:157:19 | access to field ch |
+| GuardsStressTest.cs:158:4:158:5 | access to field ch |
+| GuardsStressTest.cs:158:18:158:19 | access to field ch |
+| GuardsStressTest.cs:159:4:159:5 | access to field ch |
+| GuardsStressTest.cs:159:18:159:19 | access to field ch |
+| GuardsStressTest.cs:160:4:160:5 | access to field ch |
+| GuardsStressTest.cs:161:4:161:5 | access to field ch |
+| GuardsStressTest.cs:161:18:161:19 | access to field ch |
+| GuardsStressTest.cs:162:4:162:5 | access to field ch |
+| GuardsStressTest.cs:162:18:162:19 | access to field ch |
+| GuardsStressTest.cs:163:4:163:5 | access to field ch |
+| GuardsStressTest.cs:163:18:163:19 | access to field ch |
+| GuardsStressTest.cs:164:4:164:5 | access to field ch |
+| GuardsStressTest.cs:164:18:164:19 | access to field ch |
+| GuardsStressTest.cs:165:4:165:5 | access to field ch |
+| GuardsStressTest.cs:165:18:165:19 | access to field ch |
+| GuardsStressTest.cs:166:4:166:5 | access to field ch |
+| GuardsStressTest.cs:166:18:166:19 | access to field ch |
+| GuardsStressTest.cs:167:4:167:5 | access to field ch |
+| GuardsStressTest.cs:167:18:167:19 | access to field ch |
+| GuardsStressTest.cs:168:4:168:5 | access to field ch |
+| GuardsStressTest.cs:168:18:168:19 | access to field ch |
+| GuardsStressTest.cs:169:4:169:5 | access to field ch |
+| GuardsStressTest.cs:169:18:169:19 | access to field ch |
+| GuardsStressTest.cs:170:4:170:5 | access to field ch |
+| GuardsStressTest.cs:170:18:170:19 | access to field ch |
+| GuardsStressTest.cs:171:4:171:5 | access to field ch |
+| GuardsStressTest.cs:172:4:172:5 | access to field ch |
+| GuardsStressTest.cs:172:18:172:19 | access to field ch |
+| GuardsStressTest.cs:173:4:173:5 | access to field ch |
+| GuardsStressTest.cs:173:18:173:19 | access to field ch |
+| GuardsStressTest.cs:174:4:174:5 | access to field ch |
+| GuardsStressTest.cs:174:18:174:19 | access to field ch |
+| GuardsStressTest.cs:175:4:175:5 | access to field ch |
+| GuardsStressTest.cs:175:18:175:19 | access to field ch |
+| GuardsStressTest.cs:176:4:176:5 | access to field ch |
+| GuardsStressTest.cs:176:18:176:19 | access to field ch |
+| GuardsStressTest.cs:177:4:177:5 | access to field ch |
+| GuardsStressTest.cs:177:18:177:19 | access to field ch |
+| GuardsStressTest.cs:178:4:178:5 | access to field ch |
+| GuardsStressTest.cs:178:18:178:19 | access to field ch |
+| GuardsStressTest.cs:179:4:179:5 | access to field ch |
+| GuardsStressTest.cs:180:4:180:5 | access to field ch |
+| GuardsStressTest.cs:180:18:180:19 | access to field ch |
+| GuardsStressTest.cs:181:4:181:5 | access to field ch |
+| GuardsStressTest.cs:182:4:182:5 | access to field ch |
+| GuardsStressTest.cs:182:18:182:19 | access to field ch |
+| GuardsStressTest.cs:183:4:183:5 | access to field ch |
+| GuardsStressTest.cs:184:4:184:5 | access to field ch |
+| GuardsStressTest.cs:184:18:184:19 | access to field ch |
+| GuardsStressTest.cs:185:4:185:5 | access to field ch |
+| GuardsStressTest.cs:185:18:185:19 | access to field ch |
+| GuardsStressTest.cs:186:4:186:5 | access to field ch |
+| GuardsStressTest.cs:186:18:186:19 | access to field ch |
+| GuardsStressTest.cs:187:4:187:5 | access to field ch |
+| GuardsStressTest.cs:187:18:187:19 | access to field ch |
+| GuardsStressTest.cs:188:4:188:5 | access to field ch |
+| GuardsStressTest.cs:188:18:188:19 | access to field ch |
+| GuardsStressTest.cs:189:4:189:5 | access to field ch |
+| GuardsStressTest.cs:189:18:189:19 | access to field ch |
+| GuardsStressTest.cs:190:4:190:5 | access to field ch |
+| GuardsStressTest.cs:191:4:191:5 | access to field ch |
+| GuardsStressTest.cs:191:18:191:19 | access to field ch |
+| GuardsStressTest.cs:192:4:192:5 | access to field ch |
+| GuardsStressTest.cs:193:4:193:5 | access to field ch |
+| GuardsStressTest.cs:194:4:194:5 | access to field ch |
+| GuardsStressTest.cs:194:18:194:19 | access to field ch |
+| GuardsStressTest.cs:195:4:195:5 | access to field ch |
+| GuardsStressTest.cs:195:18:195:19 | access to field ch |
+| GuardsStressTest.cs:196:4:196:5 | access to field ch |
+| GuardsStressTest.cs:196:18:196:19 | access to field ch |
+| GuardsStressTest.cs:197:4:197:5 | access to field ch |
+| GuardsStressTest.cs:198:4:198:5 | access to field ch |
+| GuardsStressTest.cs:199:4:199:5 | access to field ch |
+| GuardsStressTest.cs:199:18:199:19 | access to field ch |
+| GuardsStressTest.cs:200:4:200:5 | access to field ch |
+| GuardsStressTest.cs:200:18:200:19 | access to field ch |
+| GuardsStressTest.cs:201:4:201:5 | access to field ch |
+| GuardsStressTest.cs:201:18:201:19 | access to field ch |
+| GuardsStressTest.cs:202:4:202:5 | access to field ch |
+| GuardsStressTest.cs:202:18:202:19 | access to field ch |
+| GuardsStressTest.cs:203:4:203:5 | access to field ch |
+| GuardsStressTest.cs:204:4:204:5 | access to field ch |
+| GuardsStressTest.cs:204:18:204:19 | access to field ch |
+| GuardsStressTest.cs:205:4:205:5 | access to field ch |
+| GuardsStressTest.cs:205:18:205:19 | access to field ch |
+| GuardsStressTest.cs:206:4:206:5 | access to field ch |
+| GuardsStressTest.cs:206:18:206:19 | access to field ch |
+| GuardsStressTest.cs:207:4:207:5 | access to field ch |
+| GuardsStressTest.cs:208:4:208:5 | access to field ch |
+| GuardsStressTest.cs:208:18:208:19 | access to field ch |
+| GuardsStressTest.cs:209:4:209:5 | access to field ch |
+| GuardsStressTest.cs:209:18:209:19 | access to field ch |
+| GuardsStressTest.cs:210:4:210:5 | access to field ch |
+| GuardsStressTest.cs:211:4:211:5 | access to field ch |
+| GuardsStressTest.cs:212:4:212:5 | access to field ch |
+| GuardsStressTest.cs:213:4:213:5 | access to field ch |
+| GuardsStressTest.cs:213:18:213:19 | access to field ch |
+| GuardsStressTest.cs:214:4:214:5 | access to field ch |
+| GuardsStressTest.cs:214:18:214:19 | access to field ch |
+| GuardsStressTest.cs:215:4:215:5 | access to field ch |
+| GuardsStressTest.cs:215:18:215:19 | access to field ch |
+| GuardsStressTest.cs:216:4:216:5 | access to field ch |
+| GuardsStressTest.cs:216:18:216:19 | access to field ch |
+| GuardsStressTest.cs:217:4:217:5 | access to field ch |
+| GuardsStressTest.cs:217:18:217:19 | access to field ch |
+| GuardsStressTest.cs:218:4:218:5 | access to field ch |
+| GuardsStressTest.cs:219:4:219:5 | access to field ch |
+| GuardsStressTest.cs:219:18:219:19 | access to field ch |
+| GuardsStressTest.cs:220:4:220:5 | access to field ch |
+| GuardsStressTest.cs:220:18:220:19 | access to field ch |
+| GuardsStressTest.cs:221:4:221:5 | access to field ch |
+| GuardsStressTest.cs:221:18:221:19 | access to field ch |
+| GuardsStressTest.cs:222:4:222:5 | access to field ch |
+| GuardsStressTest.cs:223:4:223:5 | access to field ch |
+| GuardsStressTest.cs:224:4:224:5 | access to field ch |
+| GuardsStressTest.cs:224:18:224:19 | access to field ch |
+| GuardsStressTest.cs:225:4:225:5 | access to field ch |
+| GuardsStressTest.cs:225:18:225:19 | access to field ch |
+| GuardsStressTest.cs:226:4:226:5 | access to field ch |
+| GuardsStressTest.cs:226:18:226:19 | access to field ch |
+| GuardsStressTest.cs:227:4:227:5 | access to field ch |
+| GuardsStressTest.cs:227:18:227:19 | access to field ch |
+| GuardsStressTest.cs:228:4:228:5 | access to field ch |
+| GuardsStressTest.cs:229:4:229:5 | access to field ch |
+| GuardsStressTest.cs:229:18:229:19 | access to field ch |
+| GuardsStressTest.cs:230:4:230:5 | access to field ch |
+| GuardsStressTest.cs:230:18:230:19 | access to field ch |
+| GuardsStressTest.cs:231:4:231:5 | access to field ch |
+| GuardsStressTest.cs:231:18:231:19 | access to field ch |
+| GuardsStressTest.cs:232:4:232:5 | access to field ch |
+| GuardsStressTest.cs:232:18:232:19 | access to field ch |
+| GuardsStressTest.cs:233:4:233:5 | access to field ch |
+| GuardsStressTest.cs:233:18:233:19 | access to field ch |
+| GuardsStressTest.cs:234:4:234:5 | access to field ch |
+| GuardsStressTest.cs:234:18:234:19 | access to field ch |
+| GuardsStressTest.cs:235:4:235:5 | access to field ch |
+| GuardsStressTest.cs:236:4:236:5 | access to field ch |
+| GuardsStressTest.cs:236:18:236:19 | access to field ch |
+| GuardsStressTest.cs:237:4:237:5 | access to field ch |
+| GuardsStressTest.cs:237:18:237:19 | access to field ch |
+| GuardsStressTest.cs:238:4:238:5 | access to field ch |
+| GuardsStressTest.cs:238:18:238:19 | access to field ch |
+| GuardsStressTest.cs:239:4:239:5 | access to field ch |
+| GuardsStressTest.cs:239:18:239:19 | access to field ch |
+| GuardsStressTest.cs:240:4:240:5 | access to field ch |
+| GuardsStressTest.cs:240:18:240:19 | access to field ch |
+| GuardsStressTest.cs:241:4:241:5 | access to field ch |
+| GuardsStressTest.cs:241:18:241:19 | access to field ch |
+| GuardsStressTest.cs:242:4:242:5 | access to field ch |
+| GuardsStressTest.cs:242:18:242:19 | access to field ch |
+| GuardsStressTest.cs:243:4:243:5 | access to field ch |
+| GuardsStressTest.cs:243:18:243:19 | access to field ch |
+| GuardsStressTest.cs:244:4:244:5 | access to field ch |
+| GuardsStressTest.cs:244:18:244:19 | access to field ch |
+| GuardsStressTest.cs:245:4:245:5 | access to field ch |
+| GuardsStressTest.cs:245:18:245:19 | access to field ch |
+| GuardsStressTest.cs:246:4:246:5 | access to field ch |
+| GuardsStressTest.cs:246:18:246:19 | access to field ch |
+| GuardsStressTest.cs:247:4:247:5 | access to field ch |
+| GuardsStressTest.cs:247:18:247:19 | access to field ch |
+| GuardsStressTest.cs:248:4:248:5 | access to field ch |
+| GuardsStressTest.cs:248:18:248:19 | access to field ch |
+| GuardsStressTest.cs:249:4:249:5 | access to field ch |
+| GuardsStressTest.cs:249:18:249:19 | access to field ch |
+| GuardsStressTest.cs:250:4:250:5 | access to field ch |
+| GuardsStressTest.cs:250:18:250:19 | access to field ch |
+| GuardsStressTest.cs:251:4:251:5 | access to field ch |
+| GuardsStressTest.cs:251:18:251:19 | access to field ch |
+| GuardsStressTest.cs:252:4:252:5 | access to field ch |
+| GuardsStressTest.cs:252:18:252:19 | access to field ch |
+| GuardsStressTest.cs:253:4:253:5 | access to field ch |
+| GuardsStressTest.cs:253:18:253:19 | access to field ch |
+| GuardsStressTest.cs:254:4:254:5 | access to field ch |
+| GuardsStressTest.cs:254:18:254:19 | access to field ch |
+| GuardsStressTest.cs:255:4:255:5 | access to field ch |
+| GuardsStressTest.cs:255:18:255:19 | access to field ch |
+| GuardsStressTest.cs:256:4:256:5 | access to field ch |
+| GuardsStressTest.cs:256:18:256:19 | access to field ch |
+| GuardsStressTest.cs:257:4:257:5 | access to field ch |
+| GuardsStressTest.cs:258:4:258:5 | access to field ch |
+| GuardsStressTest.cs:258:18:258:19 | access to field ch |
+| GuardsStressTest.cs:259:4:259:5 | access to field ch |
+| GuardsStressTest.cs:259:18:259:19 | access to field ch |
+| GuardsStressTest.cs:260:4:260:5 | access to field ch |
+| GuardsStressTest.cs:260:18:260:19 | access to field ch |
+| GuardsStressTest.cs:261:4:261:5 | access to field ch |
+| GuardsStressTest.cs:261:18:261:19 | access to field ch |
+| GuardsStressTest.cs:262:4:262:5 | access to field ch |
+| GuardsStressTest.cs:262:18:262:19 | access to field ch |
+| GuardsStressTest.cs:263:4:263:5 | access to field ch |
+| GuardsStressTest.cs:263:18:263:19 | access to field ch |
+| GuardsStressTest.cs:264:4:264:5 | access to field ch |
+| GuardsStressTest.cs:264:18:264:19 | access to field ch |
+| GuardsStressTest.cs:265:4:265:5 | access to field ch |
+| GuardsStressTest.cs:265:18:265:19 | access to field ch |
+| GuardsStressTest.cs:266:4:266:5 | access to field ch |
+| GuardsStressTest.cs:266:18:266:19 | access to field ch |
+| GuardsStressTest.cs:267:4:267:5 | access to field ch |
+| GuardsStressTest.cs:267:18:267:19 | access to field ch |
+| GuardsStressTest.cs:268:4:268:5 | access to field ch |
+| GuardsStressTest.cs:268:18:268:19 | access to field ch |
+| GuardsStressTest.cs:269:4:269:5 | access to field ch |
+| GuardsStressTest.cs:269:18:269:19 | access to field ch |
+| GuardsStressTest.cs:270:4:270:5 | access to field ch |
+| GuardsStressTest.cs:270:18:270:19 | access to field ch |
+| GuardsStressTest.cs:271:4:271:5 | access to field ch |
+| GuardsStressTest.cs:271:18:271:19 | access to field ch |
+| GuardsStressTest.cs:272:4:272:5 | access to field ch |
+| GuardsStressTest.cs:272:18:272:19 | access to field ch |
+| GuardsStressTest.cs:273:4:273:5 | access to field ch |
+| GuardsStressTest.cs:273:18:273:19 | access to field ch |
+| GuardsStressTest.cs:274:4:274:5 | access to field ch |
+| GuardsStressTest.cs:274:18:274:19 | access to field ch |
+| GuardsStressTest.cs:275:4:275:5 | access to field ch |
+| GuardsStressTest.cs:275:18:275:19 | access to field ch |
+| GuardsStressTest.cs:276:4:276:5 | access to field ch |
+| GuardsStressTest.cs:276:18:276:19 | access to field ch |
+| GuardsStressTest.cs:277:4:277:5 | access to field ch |
+| GuardsStressTest.cs:277:18:277:19 | access to field ch |
+| GuardsStressTest.cs:278:4:278:5 | access to field ch |
+| GuardsStressTest.cs:279:4:279:5 | access to field ch |
+| GuardsStressTest.cs:279:18:279:19 | access to field ch |
+| GuardsStressTest.cs:280:4:280:5 | access to field ch |
+| GuardsStressTest.cs:280:18:280:19 | access to field ch |
+| GuardsStressTest.cs:281:4:281:5 | access to field ch |
+| GuardsStressTest.cs:281:18:281:19 | access to field ch |
+| GuardsStressTest.cs:282:4:282:5 | access to field ch |
+| GuardsStressTest.cs:282:18:282:19 | access to field ch |
+| GuardsStressTest.cs:283:4:283:5 | access to field ch |
+| GuardsStressTest.cs:283:18:283:19 | access to field ch |
+| GuardsStressTest.cs:284:4:284:5 | access to field ch |
+| GuardsStressTest.cs:284:18:284:19 | access to field ch |
+| GuardsStressTest.cs:285:4:285:5 | access to field ch |
+| GuardsStressTest.cs:285:18:285:19 | access to field ch |
+| GuardsStressTest.cs:286:4:286:5 | access to field ch |
+| GuardsStressTest.cs:286:18:286:19 | access to field ch |
+| GuardsStressTest.cs:287:4:287:5 | access to field ch |
+| GuardsStressTest.cs:287:18:287:19 | access to field ch |
+| GuardsStressTest.cs:288:4:288:5 | access to field ch |
+| GuardsStressTest.cs:288:18:288:19 | access to field ch |
+| GuardsStressTest.cs:289:4:289:5 | access to field ch |
+| GuardsStressTest.cs:289:18:289:19 | access to field ch |
+| GuardsStressTest.cs:290:4:290:5 | access to field ch |
+| GuardsStressTest.cs:290:18:290:19 | access to field ch |
+| GuardsStressTest.cs:291:4:291:5 | access to field ch |
+| GuardsStressTest.cs:291:18:291:19 | access to field ch |
+| GuardsStressTest.cs:292:4:292:5 | access to field ch |
+| GuardsStressTest.cs:292:18:292:19 | access to field ch |
+| GuardsStressTest.cs:293:4:293:5 | access to field ch |
+| GuardsStressTest.cs:293:18:293:19 | access to field ch |
+| GuardsStressTest.cs:294:4:294:5 | access to field ch |
+| GuardsStressTest.cs:295:4:295:5 | access to field ch |
+| GuardsStressTest.cs:296:4:296:5 | access to field ch |
+| GuardsStressTest.cs:297:4:297:5 | access to field ch |
+| GuardsStressTest.cs:297:18:297:19 | access to field ch |
+| GuardsStressTest.cs:298:4:298:5 | access to field ch |
+| GuardsStressTest.cs:298:18:298:19 | access to field ch |
+| GuardsStressTest.cs:299:4:299:5 | access to field ch |
+| GuardsStressTest.cs:299:18:299:19 | access to field ch |
+| GuardsStressTest.cs:300:4:300:5 | access to field ch |
+| GuardsStressTest.cs:301:4:301:5 | access to field ch |
+| GuardsStressTest.cs:301:18:301:19 | access to field ch |
+| GuardsStressTest.cs:302:4:302:5 | access to field ch |
+| GuardsStressTest.cs:302:18:302:19 | access to field ch |
+| GuardsStressTest.cs:303:4:303:5 | access to field ch |
+| GuardsStressTest.cs:303:18:303:19 | access to field ch |
+| GuardsStressTest.cs:304:4:304:5 | access to field ch |
+| GuardsStressTest.cs:304:18:304:19 | access to field ch |
+| GuardsStressTest.cs:305:4:305:5 | access to field ch |
+| GuardsStressTest.cs:305:18:305:19 | access to field ch |
+| GuardsStressTest.cs:306:4:306:5 | access to field ch |
+| GuardsStressTest.cs:306:18:306:19 | access to field ch |
+| GuardsStressTest.cs:307:4:307:5 | access to field ch |
+| GuardsStressTest.cs:307:18:307:19 | access to field ch |
+| GuardsStressTest.cs:308:4:308:5 | access to field ch |
+| GuardsStressTest.cs:308:18:308:19 | access to field ch |
+| GuardsStressTest.cs:309:4:309:5 | access to field ch |
+| GuardsStressTest.cs:309:18:309:19 | access to field ch |
+| GuardsStressTest.cs:310:4:310:5 | access to field ch |
+| GuardsStressTest.cs:311:4:311:5 | access to field ch |
+| GuardsStressTest.cs:312:4:312:5 | access to field ch |
+| GuardsStressTest.cs:313:4:313:5 | access to field ch |
+| GuardsStressTest.cs:313:18:313:19 | access to field ch |
+| GuardsStressTest.cs:314:4:314:5 | access to field ch |
+| GuardsStressTest.cs:314:18:314:19 | access to field ch |
+| GuardsStressTest.cs:315:4:315:5 | access to field ch |
+| GuardsStressTest.cs:316:4:316:5 | access to field ch |
+| GuardsStressTest.cs:316:18:316:19 | access to field ch |
+| GuardsStressTest.cs:317:4:317:5 | access to field ch |
+| GuardsStressTest.cs:318:4:318:5 | access to field ch |
+| GuardsStressTest.cs:319:4:319:5 | access to field ch |
+| GuardsStressTest.cs:319:18:319:19 | access to field ch |
+| GuardsStressTest.cs:320:4:320:5 | access to field ch |
+| GuardsStressTest.cs:321:4:321:5 | access to field ch |
+| GuardsStressTest.cs:321:18:321:19 | access to field ch |
+| GuardsStressTest.cs:322:4:322:5 | access to field ch |
+| GuardsStressTest.cs:323:4:323:5 | access to field ch |
+| GuardsStressTest.cs:324:4:324:5 | access to field ch |
+| GuardsStressTest.cs:325:4:325:5 | access to field ch |
+| GuardsStressTest.cs:325:18:325:19 | access to field ch |
+| GuardsStressTest.cs:326:4:326:5 | access to field ch |
+| GuardsStressTest.cs:326:18:326:19 | access to field ch |
+| GuardsStressTest.cs:327:4:327:5 | access to field ch |
+| GuardsStressTest.cs:327:18:327:19 | access to field ch |
+| GuardsStressTest.cs:328:4:328:5 | access to field ch |
+| GuardsStressTest.cs:328:18:328:19 | access to field ch |
+| GuardsStressTest.cs:329:4:329:5 | access to field ch |
+| GuardsStressTest.cs:330:4:330:5 | access to field ch |
+| GuardsStressTest.cs:330:18:330:19 | access to field ch |
+| GuardsStressTest.cs:331:4:331:5 | access to field ch |
+| GuardsStressTest.cs:331:19:331:20 | access to field ch |
+| GuardsStressTest.cs:332:4:332:5 | access to field ch |
+| GuardsStressTest.cs:332:19:332:20 | access to field ch |
+| GuardsStressTest.cs:333:4:333:5 | access to field ch |
+| GuardsStressTest.cs:333:19:333:20 | access to field ch |
+| GuardsStressTest.cs:334:4:334:5 | access to field ch |
+| GuardsStressTest.cs:334:19:334:20 | access to field ch |
+| GuardsStressTest.cs:335:4:335:5 | access to field ch |
+| GuardsStressTest.cs:335:19:335:20 | access to field ch |
+| GuardsStressTest.cs:336:4:336:5 | access to field ch |
+| GuardsStressTest.cs:337:4:337:5 | access to field ch |
+| GuardsStressTest.cs:338:4:338:5 | access to field ch |
+| GuardsStressTest.cs:338:19:338:20 | access to field ch |
+| GuardsStressTest.cs:339:4:339:5 | access to field ch |
+| GuardsStressTest.cs:340:4:340:5 | access to field ch |
+| GuardsStressTest.cs:340:19:340:20 | access to field ch |
+| GuardsStressTest.cs:341:4:341:5 | access to field ch |
+| GuardsStressTest.cs:341:19:341:20 | access to field ch |
+| GuardsStressTest.cs:342:4:342:5 | access to field ch |
+| GuardsStressTest.cs:342:19:342:20 | access to field ch |
+| GuardsStressTest.cs:343:4:343:5 | access to field ch |
+| GuardsStressTest.cs:343:19:343:20 | access to field ch |
+| GuardsStressTest.cs:344:4:344:5 | access to field ch |
+| GuardsStressTest.cs:344:19:344:20 | access to field ch |
+| GuardsStressTest.cs:345:4:345:5 | access to field ch |
+| GuardsStressTest.cs:345:19:345:20 | access to field ch |
+| GuardsStressTest.cs:346:4:346:5 | access to field ch |
+| GuardsStressTest.cs:346:19:346:20 | access to field ch |
+| GuardsStressTest.cs:347:4:347:5 | access to field ch |
+| GuardsStressTest.cs:347:19:347:20 | access to field ch |
+| GuardsStressTest.cs:348:4:348:5 | access to field ch |
+| GuardsStressTest.cs:348:19:348:20 | access to field ch |
+| GuardsStressTest.cs:349:4:349:5 | access to field ch |
+| GuardsStressTest.cs:349:19:349:20 | access to field ch |
+| GuardsStressTest.cs:350:4:350:5 | access to field ch |
+| GuardsStressTest.cs:351:4:351:5 | access to field ch |
+| GuardsStressTest.cs:351:19:351:20 | access to field ch |
+| GuardsStressTest.cs:352:4:352:5 | access to field ch |
+| GuardsStressTest.cs:352:19:352:20 | access to field ch |
+| GuardsStressTest.cs:353:4:353:5 | access to field ch |
+| GuardsStressTest.cs:353:19:353:20 | access to field ch |
+| GuardsStressTest.cs:354:4:354:5 | access to field ch |
+| GuardsStressTest.cs:354:19:354:20 | access to field ch |
+| GuardsStressTest.cs:355:4:355:5 | access to field ch |
+| GuardsStressTest.cs:355:19:355:20 | access to field ch |
+| GuardsStressTest.cs:356:4:356:5 | access to field ch |
+| GuardsStressTest.cs:356:19:356:20 | access to field ch |
+| GuardsStressTest.cs:357:4:357:5 | access to field ch |
+| GuardsStressTest.cs:357:19:357:20 | access to field ch |
+| GuardsStressTest.cs:358:4:358:5 | access to field ch |
+| GuardsStressTest.cs:358:19:358:20 | access to field ch |
+| GuardsStressTest.cs:359:4:359:5 | access to field ch |
+| GuardsStressTest.cs:359:19:359:20 | access to field ch |
+| GuardsStressTest.cs:360:4:360:5 | access to field ch |
+| GuardsStressTest.cs:360:19:360:20 | access to field ch |
+| GuardsStressTest.cs:361:4:361:5 | access to field ch |
+| GuardsStressTest.cs:361:19:361:20 | access to field ch |
+| GuardsStressTest.cs:362:4:362:5 | access to field ch |
+| GuardsStressTest.cs:362:19:362:20 | access to field ch |
+| GuardsStressTest.cs:363:4:363:5 | access to field ch |
+| GuardsStressTest.cs:363:19:363:20 | access to field ch |
+| GuardsStressTest.cs:364:4:364:5 | access to field ch |
+| GuardsStressTest.cs:364:19:364:20 | access to field ch |
+| GuardsStressTest.cs:365:4:365:5 | access to field ch |
+| GuardsStressTest.cs:365:19:365:20 | access to field ch |
+| GuardsStressTest.cs:366:4:366:5 | access to field ch |
+| GuardsStressTest.cs:366:19:366:20 | access to field ch |
+| GuardsStressTest.cs:367:4:367:5 | access to field ch |
+| GuardsStressTest.cs:367:19:367:20 | access to field ch |
+| GuardsStressTest.cs:368:4:368:5 | access to field ch |
+| GuardsStressTest.cs:368:19:368:20 | access to field ch |
+| GuardsStressTest.cs:369:4:369:5 | access to field ch |
+| GuardsStressTest.cs:369:19:369:20 | access to field ch |
+| GuardsStressTest.cs:370:4:370:5 | access to field ch |
+| GuardsStressTest.cs:370:19:370:20 | access to field ch |
+| GuardsStressTest.cs:371:4:371:5 | access to field ch |
+| GuardsStressTest.cs:371:19:371:20 | access to field ch |
+| GuardsStressTest.cs:372:4:372:5 | access to field ch |
+| GuardsStressTest.cs:372:19:372:20 | access to field ch |
+| GuardsStressTest.cs:373:4:373:5 | access to field ch |
+| GuardsStressTest.cs:373:19:373:20 | access to field ch |
+| GuardsStressTest.cs:374:4:374:5 | access to field ch |
+| GuardsStressTest.cs:374:19:374:20 | access to field ch |
+| GuardsStressTest.cs:375:4:375:5 | access to field ch |
+| GuardsStressTest.cs:375:19:375:20 | access to field ch |
+| GuardsStressTest.cs:376:4:376:5 | access to field ch |
+| GuardsStressTest.cs:376:19:376:20 | access to field ch |
+| GuardsStressTest.cs:377:4:377:5 | access to field ch |
+| GuardsStressTest.cs:377:19:377:20 | access to field ch |
+| GuardsStressTest.cs:378:4:378:5 | access to field ch |
+| GuardsStressTest.cs:378:19:378:20 | access to field ch |
+| GuardsStressTest.cs:379:4:379:5 | access to field ch |
+| GuardsStressTest.cs:379:19:379:20 | access to field ch |
+| GuardsStressTest.cs:380:4:380:5 | access to field ch |
+| GuardsStressTest.cs:380:19:380:20 | access to field ch |
+| GuardsStressTest.cs:381:4:381:5 | access to field ch |
+| GuardsStressTest.cs:381:19:381:20 | access to field ch |
+| GuardsStressTest.cs:382:4:382:5 | access to field ch |
+| GuardsStressTest.cs:382:19:382:20 | access to field ch |
+| GuardsStressTest.cs:383:4:383:5 | access to field ch |
+| GuardsStressTest.cs:383:19:383:20 | access to field ch |
+| GuardsStressTest.cs:384:4:384:5 | access to field ch |
+| GuardsStressTest.cs:385:4:385:5 | access to field ch |
+| GuardsStressTest.cs:385:19:385:20 | access to field ch |
+| GuardsStressTest.cs:386:4:386:5 | access to field ch |
+| GuardsStressTest.cs:386:19:386:20 | access to field ch |
+| GuardsStressTest.cs:387:4:387:5 | access to field ch |
+| GuardsStressTest.cs:387:19:387:20 | access to field ch |
+| GuardsStressTest.cs:388:4:388:5 | access to field ch |
+| GuardsStressTest.cs:388:19:388:20 | access to field ch |
+| GuardsStressTest.cs:389:4:389:5 | access to field ch |
+| GuardsStressTest.cs:389:19:389:20 | access to field ch |
+| GuardsStressTest.cs:390:4:390:5 | access to field ch |
+| GuardsStressTest.cs:390:19:390:20 | access to field ch |
+| GuardsStressTest.cs:391:4:391:5 | access to field ch |
+| GuardsStressTest.cs:391:19:391:20 | access to field ch |
+| GuardsStressTest.cs:392:4:392:5 | access to field ch |
+| GuardsStressTest.cs:392:19:392:20 | access to field ch |
+| GuardsStressTest.cs:393:4:393:5 | access to field ch |
+| GuardsStressTest.cs:393:19:393:20 | access to field ch |
+| GuardsStressTest.cs:394:4:394:5 | access to field ch |
+| GuardsStressTest.cs:394:19:394:20 | access to field ch |
+| GuardsStressTest.cs:395:4:395:5 | access to field ch |
+| GuardsStressTest.cs:395:19:395:20 | access to field ch |
+| GuardsStressTest.cs:396:4:396:5 | access to field ch |
+| GuardsStressTest.cs:396:19:396:20 | access to field ch |
+| GuardsStressTest.cs:397:4:397:5 | access to field ch |
+| GuardsStressTest.cs:397:19:397:20 | access to field ch |
+| GuardsStressTest.cs:398:4:398:5 | access to field ch |
+| GuardsStressTest.cs:398:19:398:20 | access to field ch |
+| GuardsStressTest.cs:399:4:399:5 | access to field ch |
+| GuardsStressTest.cs:399:19:399:20 | access to field ch |
+| GuardsStressTest.cs:400:4:400:5 | access to field ch |
+| GuardsStressTest.cs:400:19:400:20 | access to field ch |
+| GuardsStressTest.cs:401:4:401:5 | access to field ch |
+| GuardsStressTest.cs:401:19:401:20 | access to field ch |
+| GuardsStressTest.cs:402:4:402:5 | access to field ch |
+| GuardsStressTest.cs:402:19:402:20 | access to field ch |
+| GuardsStressTest.cs:403:4:403:5 | access to field ch |
+| GuardsStressTest.cs:403:19:403:20 | access to field ch |
+| GuardsStressTest.cs:404:4:404:5 | access to field ch |
+| GuardsStressTest.cs:404:19:404:20 | access to field ch |
+| GuardsStressTest.cs:405:4:405:5 | access to field ch |
+| GuardsStressTest.cs:405:19:405:20 | access to field ch |
+| GuardsStressTest.cs:406:4:406:5 | access to field ch |
+| GuardsStressTest.cs:406:19:406:20 | access to field ch |
+| GuardsStressTest.cs:407:4:407:5 | access to field ch |
+| GuardsStressTest.cs:407:19:407:20 | access to field ch |
+| GuardsStressTest.cs:408:4:408:5 | access to field ch |
+| GuardsStressTest.cs:408:19:408:20 | access to field ch |
+| GuardsStressTest.cs:409:4:409:5 | access to field ch |
+| GuardsStressTest.cs:409:19:409:20 | access to field ch |
+| GuardsStressTest.cs:410:4:410:5 | access to field ch |
+| GuardsStressTest.cs:410:19:410:20 | access to field ch |
+| GuardsStressTest.cs:411:4:411:5 | access to field ch |
+| GuardsStressTest.cs:411:19:411:20 | access to field ch |
+| GuardsStressTest.cs:412:4:412:5 | access to field ch |
+| GuardsStressTest.cs:412:19:412:20 | access to field ch |
+| GuardsStressTest.cs:413:4:413:5 | access to field ch |
+| GuardsStressTest.cs:413:19:413:20 | access to field ch |
+| GuardsStressTest.cs:414:4:414:5 | access to field ch |
+| GuardsStressTest.cs:414:19:414:20 | access to field ch |
+| GuardsStressTest.cs:415:4:415:5 | access to field ch |
+| GuardsStressTest.cs:415:19:415:20 | access to field ch |
+| GuardsStressTest.cs:416:4:416:5 | access to field ch |
+| GuardsStressTest.cs:416:19:416:20 | access to field ch |
+| GuardsStressTest.cs:417:4:417:5 | access to field ch |
+| GuardsStressTest.cs:418:4:418:5 | access to field ch |
+| GuardsStressTest.cs:418:19:418:20 | access to field ch |
+| GuardsStressTest.cs:419:4:419:5 | access to field ch |
+| GuardsStressTest.cs:419:19:419:20 | access to field ch |
+| GuardsStressTest.cs:420:4:420:5 | access to field ch |
+| GuardsStressTest.cs:420:19:420:20 | access to field ch |
+| GuardsStressTest.cs:421:4:421:5 | access to field ch |
+| GuardsStressTest.cs:421:19:421:20 | access to field ch |
+| GuardsStressTest.cs:422:4:422:5 | access to field ch |
+| GuardsStressTest.cs:422:19:422:20 | access to field ch |
+| GuardsStressTest.cs:423:4:423:5 | access to field ch |
+| GuardsStressTest.cs:423:19:423:20 | access to field ch |
+| GuardsStressTest.cs:424:4:424:5 | access to field ch |
+| GuardsStressTest.cs:424:19:424:20 | access to field ch |
+| GuardsStressTest.cs:425:4:425:5 | access to field ch |
+| GuardsStressTest.cs:425:19:425:20 | access to field ch |
+| GuardsStressTest.cs:426:4:426:5 | access to field ch |
+| GuardsStressTest.cs:426:19:426:20 | access to field ch |
+| GuardsStressTest.cs:427:4:427:5 | access to field ch |
+| GuardsStressTest.cs:427:19:427:20 | access to field ch |
+| GuardsStressTest.cs:428:4:428:5 | access to field ch |
+| GuardsStressTest.cs:428:19:428:20 | access to field ch |
+| GuardsStressTest.cs:429:4:429:5 | access to field ch |
+| GuardsStressTest.cs:429:19:429:20 | access to field ch |
+| GuardsStressTest.cs:430:4:430:5 | access to field ch |
+| GuardsStressTest.cs:430:19:430:20 | access to field ch |
+| GuardsStressTest.cs:431:4:431:5 | access to field ch |
+| GuardsStressTest.cs:431:19:431:20 | access to field ch |
+| GuardsStressTest.cs:432:4:432:5 | access to field ch |
+| GuardsStressTest.cs:432:19:432:20 | access to field ch |
+| GuardsStressTest.cs:433:4:433:5 | access to field ch |
+| GuardsStressTest.cs:434:4:434:5 | access to field ch |
+| GuardsStressTest.cs:434:19:434:20 | access to field ch |
+| GuardsStressTest.cs:435:4:435:5 | access to field ch |
+| GuardsStressTest.cs:435:19:435:20 | access to field ch |
+| GuardsStressTest.cs:436:4:436:5 | access to field ch |
+| GuardsStressTest.cs:436:19:436:20 | access to field ch |
+| GuardsStressTest.cs:437:4:437:5 | access to field ch |
+| GuardsStressTest.cs:437:19:437:20 | access to field ch |
+| GuardsStressTest.cs:438:4:438:5 | access to field ch |
+| GuardsStressTest.cs:438:19:438:20 | access to field ch |
+| GuardsStressTest.cs:439:4:439:5 | access to field ch |
+| GuardsStressTest.cs:439:19:439:20 | access to field ch |
+| GuardsStressTest.cs:439:41:439:42 | access to field ch |
+| GuardsStressTest.cs:440:23:440:24 | access to field ch |
diff --git a/csharp/ql/test/library-tests/controlflow/guards-large/GuardedExpr.ql b/csharp/ql/test/library-tests/controlflow/guards-large/GuardedExpr.ql
new file mode 100644
index 00000000000..dbb472735b4
--- /dev/null
+++ b/csharp/ql/test/library-tests/controlflow/guards-large/GuardedExpr.ql
@@ -0,0 +1,5 @@
+import csharp
+import semmle.code.csharp.controlflow.Guards
+
+from GuardedExpr ge
+select ge
diff --git a/csharp/ql/test/library-tests/controlflow/guards-large/GuardsStressTest.cs b/csharp/ql/test/library-tests/controlflow/guards-large/GuardsStressTest.cs
new file mode 100644
index 00000000000..200c51d89fd
--- /dev/null
+++ b/csharp/ql/test/library-tests/controlflow/guards-large/GuardsStressTest.cs
@@ -0,0 +1,443 @@
+using System;
+#nullable enable
+public class StressTest
+{
+    int ch;
+    int Ors()
+    {
+        if (ch >= '0' && ch <= '9'
+|| ch >= 'A' && ch <= 'Z'
+|| ch == '_'
+|| ch >= 'a' && ch <= 'z'
+|| ch == 170
+|| ch == 181
+|| ch == 186
+|| ch >= 192 && ch <= 214
+|| ch >= 216 && ch <= 246
+|| ch >= 248 && ch <= 705
+|| ch >= 710 && ch <= 721
+|| ch >= 736 && ch <= 740
+|| ch == 748
+|| ch == 750
+|| ch >= 768 && ch <= 884
+|| ch >= 886 && ch <= 887
+|| ch >= 890 && ch <= 893
+|| ch == 902
+|| ch >= 904 && ch <= 906
+|| ch == 908
+|| ch >= 910 && ch <= 929
+|| ch >= 931 && ch <= 1013
+|| ch >= 1015 && ch <= 1153
+|| ch >= 1155 && ch <= 1159
+|| ch >= 1162 && ch <= 1319
+|| ch >= 1329 && ch <= 1366
+|| ch == 1369
+|| ch >= 1377 && ch <= 1415
+|| ch >= 1425 && ch <= 1469
+|| ch == 1471
+|| ch >= 1473 && ch <= 1474
+|| ch >= 1476 && ch <= 1477
+|| ch == 1479
+|| ch >= 1488 && ch <= 1514
+|| ch >= 1520 && ch <= 1522
+|| ch >= 1552 && ch <= 1562
+|| ch >= 1568 && ch <= 1641
+|| ch >= 1646 && ch <= 1747
+|| ch >= 1749 && ch <= 1756
+|| ch >= 1759 && ch <= 1768
+|| ch >= 1770 && ch <= 1788
+|| ch == 1791
+|| ch >= 1808 && ch <= 1866
+|| ch >= 1869 && ch <= 1969
+|| ch >= 1984 && ch <= 2037
+|| ch == 2042
+|| ch >= 2048 && ch <= 2093
+|| ch >= 2112 && ch <= 2139
+|| ch == 2208
+|| ch >= 2210 && ch <= 2220
+|| ch >= 2276 && ch <= 2302
+|| ch >= 2304 && ch <= 2403
+|| ch >= 2406 && ch <= 2415
+|| ch >= 2417 && ch <= 2423
+|| ch >= 2425 && ch <= 2431
+|| ch >= 2433 && ch <= 2435
+|| ch >= 2437 && ch <= 2444
+|| ch >= 2447 && ch <= 2448
+|| ch >= 2451 && ch <= 2472
+|| ch >= 2474 && ch <= 2480
+|| ch == 2482
+|| ch >= 2486 && ch <= 2489
+|| ch >= 2492 && ch <= 2500
+|| ch >= 2503 && ch <= 2504
+|| ch >= 2507 && ch <= 2510
+|| ch == 2519
+|| ch >= 2524 && ch <= 2525
+|| ch >= 2527 && ch <= 2531
+|| ch >= 2534 && ch <= 2545
+|| ch >= 2561 && ch <= 2563
+|| ch >= 2565 && ch <= 2570
+|| ch >= 2575 && ch <= 2576
+|| ch >= 2579 && ch <= 2600
+|| ch >= 2602 && ch <= 2608
+|| ch >= 2610 && ch <= 2611
+|| ch >= 2613 && ch <= 2614
+|| ch >= 2616 && ch <= 2617
+|| ch == 2620
+|| ch >= 2622 && ch <= 2626
+|| ch >= 2631 && ch <= 2632
+|| ch >= 2635 && ch <= 2637
+|| ch == 2641
+|| ch >= 2649 && ch <= 2652
+|| ch == 2654
+|| ch >= 2662 && ch <= 2677
+|| ch >= 2689 && ch <= 2691
+|| ch >= 2693 && ch <= 2701
+|| ch >= 2703 && ch <= 2705
+|| ch >= 2707 && ch <= 2728
+|| ch >= 2730 && ch <= 2736
+|| ch >= 2738 && ch <= 2739
+|| ch >= 2741 && ch <= 2745
+|| ch >= 2748 && ch <= 2757
+|| ch >= 2759 && ch <= 2761
+|| ch >= 2763 && ch <= 2765
+|| ch == 2768
+|| ch >= 2784 && ch <= 2787
+|| ch >= 2790 && ch <= 2799
+|| ch >= 2817 && ch <= 2819
+|| ch >= 2821 && ch <= 2828
+|| ch >= 2831 && ch <= 2832
+|| ch >= 2835 && ch <= 2856
+|| ch >= 2858 && ch <= 2864
+|| ch >= 2866 && ch <= 2867
+|| ch >= 2869 && ch <= 2873
+|| ch >= 2876 && ch <= 2884
+|| ch >= 2887 && ch <= 2888
+|| ch >= 2891 && ch <= 2893
+|| ch >= 2902 && ch <= 2903
+|| ch >= 2908 && ch <= 2909
+|| ch >= 2911 && ch <= 2915
+|| ch >= 2918 && ch <= 2927
+|| ch == 2929
+|| ch >= 2946 && ch <= 2947
+|| ch >= 2949 && ch <= 2954
+|| ch >= 2958 && ch <= 2960
+|| ch >= 2962 && ch <= 2965
+|| ch >= 2969 && ch <= 2970
+|| ch == 2972
+|| ch >= 2974 && ch <= 2975
+|| ch >= 2979 && ch <= 2980
+|| ch >= 2984 && ch <= 2986
+|| ch >= 2990 && ch <= 3001
+|| ch >= 3006 && ch <= 3010
+|| ch >= 3014 && ch <= 3016
+|| ch >= 3018 && ch <= 3021
+|| ch == 3024
+|| ch == 3031
+|| ch >= 3046 && ch <= 3055
+|| ch >= 3073 && ch <= 3075
+|| ch >= 3077 && ch <= 3084
+|| ch >= 3086 && ch <= 3088
+|| ch >= 3090 && ch <= 3112
+|| ch >= 3114 && ch <= 3123
+|| ch >= 3125 && ch <= 3129
+|| ch >= 3133 && ch <= 3140
+|| ch >= 3142 && ch <= 3144
+|| ch >= 3146 && ch <= 3149
+|| ch >= 3157 && ch <= 3158
+|| ch >= 3160 && ch <= 3161
+|| ch >= 3168 && ch <= 3171
+|| ch >= 3174 && ch <= 3183
+|| ch >= 3202 && ch <= 3203
+|| ch >= 3205 && ch <= 3212
+|| ch >= 3214 && ch <= 3216
+|| ch >= 3218 && ch <= 3240
+|| ch >= 3242 && ch <= 3251
+|| ch >= 3253 && ch <= 3257
+|| ch >= 3260 && ch <= 3268
+|| ch >= 3270 && ch <= 3272
+|| ch >= 3274 && ch <= 3277
+|| ch >= 3285 && ch <= 3286
+|| ch == 3294
+|| ch >= 3296 && ch <= 3299
+|| ch >= 3302 && ch <= 3311
+|| ch >= 3313 && ch <= 3314
+|| ch >= 3330 && ch <= 3331
+|| ch >= 3333 && ch <= 3340
+|| ch >= 3342 && ch <= 3344
+|| ch >= 3346 && ch <= 3386
+|| ch >= 3389 && ch <= 3396
+|| ch >= 3398 && ch <= 3400
+|| ch >= 3402 && ch <= 3406
+|| ch == 3415
+|| ch >= 3424 && ch <= 3427
+|| ch >= 3430 && ch <= 3439
+|| ch >= 3450 && ch <= 3455
+|| ch >= 3458 && ch <= 3459
+|| ch >= 3461 && ch <= 3478
+|| ch >= 3482 && ch <= 3505
+|| ch >= 3507 && ch <= 3515
+|| ch == 3517
+|| ch >= 3520 && ch <= 3526
+|| ch == 3530
+|| ch >= 3535 && ch <= 3540
+|| ch == 3542
+|| ch >= 3544 && ch <= 3551
+|| ch >= 3570 && ch <= 3571
+|| ch >= 3585 && ch <= 3642
+|| ch >= 3648 && ch <= 3662
+|| ch >= 3664 && ch <= 3673
+|| ch >= 3713 && ch <= 3714
+|| ch == 3716
+|| ch >= 3719 && ch <= 3720
+|| ch == 3722
+|| ch == 3725
+|| ch >= 3732 && ch <= 3735
+|| ch >= 3737 && ch <= 3743
+|| ch >= 3745 && ch <= 3747
+|| ch == 3749
+|| ch == 3751
+|| ch >= 3754 && ch <= 3755
+|| ch >= 3757 && ch <= 3769
+|| ch >= 3771 && ch <= 3773
+|| ch >= 3776 && ch <= 3780
+|| ch == 3782
+|| ch >= 3784 && ch <= 3789
+|| ch >= 3792 && ch <= 3801
+|| ch >= 3804 && ch <= 3807
+|| ch == 3840
+|| ch >= 3864 && ch <= 3865
+|| ch >= 3872 && ch <= 3881
+|| ch == 3893
+|| ch == 3895
+|| ch == 3897
+|| ch >= 3902 && ch <= 3911
+|| ch >= 3913 && ch <= 3948
+|| ch >= 3953 && ch <= 3972
+|| ch >= 3974 && ch <= 3991
+|| ch >= 3993 && ch <= 4028
+|| ch == 4038
+|| ch >= 4096 && ch <= 4169
+|| ch >= 4176 && ch <= 4253
+|| ch >= 4256 && ch <= 4293
+|| ch == 4295
+|| ch == 4301
+|| ch >= 4304 && ch <= 4346
+|| ch >= 4348 && ch <= 4680
+|| ch >= 4682 && ch <= 4685
+|| ch >= 4688 && ch <= 4694
+|| ch == 4696
+|| ch >= 4698 && ch <= 4701
+|| ch >= 4704 && ch <= 4744
+|| ch >= 4746 && ch <= 4749
+|| ch >= 4752 && ch <= 4784
+|| ch >= 4786 && ch <= 4789
+|| ch >= 4792 && ch <= 4798
+|| ch == 4800
+|| ch >= 4802 && ch <= 4805
+|| ch >= 4808 && ch <= 4822
+|| ch >= 4824 && ch <= 4880
+|| ch >= 4882 && ch <= 4885
+|| ch >= 4888 && ch <= 4954
+|| ch >= 4957 && ch <= 4959
+|| ch >= 4992 && ch <= 5007
+|| ch >= 5024 && ch <= 5108
+|| ch >= 5121 && ch <= 5740
+|| ch >= 5743 && ch <= 5759
+|| ch >= 5761 && ch <= 5786
+|| ch >= 5792 && ch <= 5866
+|| ch >= 5870 && ch <= 5872
+|| ch >= 5888 && ch <= 5900
+|| ch >= 5902 && ch <= 5908
+|| ch >= 5920 && ch <= 5940
+|| ch >= 5952 && ch <= 5971
+|| ch >= 5984 && ch <= 5996
+|| ch >= 5998 && ch <= 6000
+|| ch >= 6002 && ch <= 6003
+|| ch >= 6016 && ch <= 6099
+|| ch == 6103
+|| ch >= 6108 && ch <= 6109
+|| ch >= 6112 && ch <= 6121
+|| ch >= 6155 && ch <= 6157
+|| ch >= 6160 && ch <= 6169
+|| ch >= 6176 && ch <= 6263
+|| ch >= 6272 && ch <= 6314
+|| ch >= 6320 && ch <= 6389
+|| ch >= 6400 && ch <= 6428
+|| ch >= 6432 && ch <= 6443
+|| ch >= 6448 && ch <= 6459
+|| ch >= 6470 && ch <= 6509
+|| ch >= 6512 && ch <= 6516
+|| ch >= 6528 && ch <= 6571
+|| ch >= 6576 && ch <= 6601
+|| ch >= 6608 && ch <= 6617
+|| ch >= 6656 && ch <= 6683
+|| ch >= 6688 && ch <= 6750
+|| ch >= 6752 && ch <= 6780
+|| ch >= 6783 && ch <= 6793
+|| ch >= 6800 && ch <= 6809
+|| ch == 6823
+|| ch >= 6912 && ch <= 6987
+|| ch >= 6992 && ch <= 7001
+|| ch >= 7019 && ch <= 7027
+|| ch >= 7040 && ch <= 7155
+|| ch >= 7168 && ch <= 7223
+|| ch >= 7232 && ch <= 7241
+|| ch >= 7245 && ch <= 7293
+|| ch >= 7376 && ch <= 7378
+|| ch >= 7380 && ch <= 7414
+|| ch >= 7424 && ch <= 7654
+|| ch >= 7676 && ch <= 7957
+|| ch >= 7960 && ch <= 7965
+|| ch >= 7968 && ch <= 8005
+|| ch >= 8008 && ch <= 8013
+|| ch >= 8016 && ch <= 8023
+|| ch == 8025
+|| ch == 8027
+|| ch == 8029
+|| ch >= 8031 && ch <= 8061
+|| ch >= 8064 && ch <= 8116
+|| ch >= 8118 && ch <= 8124
+|| ch == 8126
+|| ch >= 8130 && ch <= 8132
+|| ch >= 8134 && ch <= 8140
+|| ch >= 8144 && ch <= 8147
+|| ch >= 8150 && ch <= 8155
+|| ch >= 8160 && ch <= 8172
+|| ch >= 8178 && ch <= 8180
+|| ch >= 8182 && ch <= 8188
+|| ch >= 8204 && ch <= 8205
+|| ch >= 8255 && ch <= 8256
+|| ch == 8276
+|| ch == 8305
+|| ch == 8319
+|| ch >= 8336 && ch <= 8348
+|| ch >= 8400 && ch <= 8412
+|| ch == 8417
+|| ch >= 8421 && ch <= 8432
+|| ch == 8450
+|| ch == 8455
+|| ch >= 8458 && ch <= 8467
+|| ch == 8469
+|| ch >= 8473 && ch <= 8477
+|| ch == 8484
+|| ch == 8486
+|| ch == 8488
+|| ch >= 8490 && ch <= 8493
+|| ch >= 8495 && ch <= 8505
+|| ch >= 8508 && ch <= 8511
+|| ch >= 8517 && ch <= 8521
+|| ch == 8526
+|| ch >= 8544 && ch <= 8584
+|| ch >= 11264 && ch <= 11310
+|| ch >= 11312 && ch <= 11358
+|| ch >= 11360 && ch <= 11492
+|| ch >= 11499 && ch <= 11507
+|| ch >= 11520 && ch <= 11557
+|| ch == 11559
+|| ch == 11565
+|| ch >= 11568 && ch <= 11623
+|| ch == 11631
+|| ch >= 11647 && ch <= 11670
+|| ch >= 11680 && ch <= 11686
+|| ch >= 11688 && ch <= 11694
+|| ch >= 11696 && ch <= 11702
+|| ch >= 11704 && ch <= 11710
+|| ch >= 11712 && ch <= 11718
+|| ch >= 11720 && ch <= 11726
+|| ch >= 11728 && ch <= 11734
+|| ch >= 11736 && ch <= 11742
+|| ch >= 11744 && ch <= 11775
+|| ch == 11823
+|| ch >= 12293 && ch <= 12295
+|| ch >= 12321 && ch <= 12335
+|| ch >= 12337 && ch <= 12341
+|| ch >= 12344 && ch <= 12348
+|| ch >= 12353 && ch <= 12438
+|| ch >= 12441 && ch <= 12442
+|| ch >= 12445 && ch <= 12447
+|| ch >= 12449 && ch <= 12538
+|| ch >= 12540 && ch <= 12543
+|| ch >= 12549 && ch <= 12589
+|| ch >= 12593 && ch <= 12686
+|| ch >= 12704 && ch <= 12730
+|| ch >= 12784 && ch <= 12799
+|| ch >= 13312 && ch <= 19893
+|| ch >= 19968 && ch <= 40908
+|| ch >= 40960 && ch <= 42124
+|| ch >= 42192 && ch <= 42237
+|| ch >= 42240 && ch <= 42508
+|| ch >= 42512 && ch <= 42539
+|| ch >= 42560 && ch <= 42607
+|| ch >= 42612 && ch <= 42621
+|| ch >= 42623 && ch <= 42647
+|| ch >= 42655 && ch <= 42737
+|| ch >= 42775 && ch <= 42783
+|| ch >= 42786 && ch <= 42888
+|| ch >= 42891 && ch <= 42894
+|| ch >= 42896 && ch <= 42899
+|| ch >= 42912 && ch <= 42922
+|| ch >= 43000 && ch <= 43047
+|| ch >= 43072 && ch <= 43123
+|| ch >= 43136 && ch <= 43204
+|| ch >= 43216 && ch <= 43225
+|| ch >= 43232 && ch <= 43255
+|| ch == 43259
+|| ch >= 43264 && ch <= 43309
+|| ch >= 43312 && ch <= 43347
+|| ch >= 43360 && ch <= 43388
+|| ch >= 43392 && ch <= 43456
+|| ch >= 43471 && ch <= 43481
+|| ch >= 43520 && ch <= 43574
+|| ch >= 43584 && ch <= 43597
+|| ch >= 43600 && ch <= 43609
+|| ch >= 43616 && ch <= 43638
+|| ch >= 43642 && ch <= 43643
+|| ch >= 43648 && ch <= 43714
+|| ch >= 43739 && ch <= 43741
+|| ch >= 43744 && ch <= 43759
+|| ch >= 43762 && ch <= 43766
+|| ch >= 43777 && ch <= 43782
+|| ch >= 43785 && ch <= 43790
+|| ch >= 43793 && ch <= 43798
+|| ch >= 43808 && ch <= 43814
+|| ch >= 43816 && ch <= 43822
+|| ch >= 43968 && ch <= 44010
+|| ch >= 44012 && ch <= 44013
+|| ch >= 44016 && ch <= 44025
+|| ch >= 44032 && ch <= 55203
+|| ch >= 55216 && ch <= 55238
+|| ch >= 55243 && ch <= 55291
+|| ch >= 63744 && ch <= 64109
+|| ch >= 64112 && ch <= 64217
+|| ch >= 64256 && ch <= 64262
+|| ch >= 64275 && ch <= 64279
+|| ch >= 64285 && ch <= 64296
+|| ch >= 64298 && ch <= 64310
+|| ch >= 64312 && ch <= 64316
+|| ch == 64318
+|| ch >= 64320 && ch <= 64321
+|| ch >= 64323 && ch <= 64324
+|| ch >= 64326 && ch <= 64433
+|| ch >= 64467 && ch <= 64829
+|| ch >= 64848 && ch <= 64911
+|| ch >= 64914 && ch <= 64967
+|| ch >= 65008 && ch <= 65019
+|| ch >= 65024 && ch <= 65039
+|| ch >= 65056 && ch <= 65062
+|| ch >= 65075 && ch <= 65076
+|| ch >= 65101 && ch <= 65103
+|| ch >= 65136 && ch <= 65140
+|| ch >= 65142 && ch <= 65276
+|| ch >= 65296 && ch <= 65305
+|| ch >= 65313 && ch <= 65338
+|| ch == 65343
+|| ch >= 65345 && ch <= 65370
+|| ch >= 65382 && ch <= 65470
+|| ch >= 65474 && ch <= 65479
+|| ch >= 65482 && ch <= 65487
+|| ch >= 65490 && ch <= 65495
+|| ch >= 65498 && ch <= 65500) { return ch; }
+        else { return ch + 1; }
+    }
+}
+

From e6077127bec3ac49144fe78a4d5eef384b14b254 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 23 Apr 2021 11:06:48 +0200
Subject: [PATCH 0630/1429] C++: Only unary and binary arithmetic operations
 and left shifts are now      reported as overflowing when we cannot analyze
 them.

---
 .../cpp/rangeanalysis/SimpleRangeAnalysis.qll | 24 +++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll b/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
index d22a7f96a45..2afe26bc3e0 100644
--- a/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
@@ -1617,6 +1617,18 @@ private module SimpleRangeAnalysisCached {
     defMightOverflowPositively(def, v)
   }
 
+  /**
+   * Holds if `e` is an expression where the concept of overflow makes sense.
+   * This predicate is used to filter out some of the unanalyzable expressions
+   * from `exprMightOverflowPositively` and `exprMightOverflowNegatively`.
+   */
+  pragma[inline]
+  private predicate exprThatCanOverflow(Expr e) {
+    e instanceof UnaryArithmeticOperation or
+    e instanceof BinaryArithmeticOperation or
+    e instanceof LShiftExpr
+  }
+
   /**
    * Holds if the expression might overflow negatively. This predicate
    * does not consider the possibility that the expression might overflow
@@ -1631,8 +1643,10 @@ private module SimpleRangeAnalysisCached {
     // detecting whether it might overflow.
     getLowerBoundsImpl(expr.(PostfixDecrExpr)) = exprMinVal(expr)
     or
-    // Expressions we cannot analyze could potentially overflow
-    not analyzableExpr(expr)
+    // We can't conclude that any unanalyzable expression might overflow. This
+    // is because there are many expressions that the range analysis doesn't
+    // handle, but where the concept of overflow doesn't make sense.
+    exprThatCanOverflow(expr) and not analyzableExpr(expr)
   }
 
   /**
@@ -1661,8 +1675,10 @@ private module SimpleRangeAnalysisCached {
     // detecting whether it might overflow.
     getUpperBoundsImpl(expr.(PostfixIncrExpr)) = exprMaxVal(expr)
     or
-    // Expressions we cannot analyze could potentially overflow
-    not analyzableExpr(expr)
+    // We can't conclude that any unanalyzable expression might overflow. This
+    // is because there are many expressions that the range analysis doesn't
+    // handle, but where the concept of overflow doesn't make sense.
+    exprThatCanOverflow(expr) and not analyzableExpr(expr)
   }
 
   /**

From ad12f383d95b80549ced0938a6cb858fda029766 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Thu, 15 Apr 2021 16:54:00 +0100
Subject: [PATCH 0631/1429] JS: Reduce reliance on RouteHandler in Express
 model

---
 .../semmle/javascript/frameworks/Express.qll  | 178 +++++++++---------
 1 file changed, 84 insertions(+), 94 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Express.qll b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
index 17bfed8afda..57bca07d13b 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Express.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
@@ -390,7 +390,7 @@ module Express {
   }
 
   /** An Express response source. */
-  abstract private class ResponseSource extends HTTP::Servers::ResponseSource { }
+  abstract class ResponseSource extends HTTP::Servers::ResponseSource { }
 
   /**
    * An Express response source, that is, the response parameter of a
@@ -421,7 +421,7 @@ module Express {
   }
 
   /** An Express request source. */
-  abstract private class RequestSource extends HTTP::Servers::RequestSource { }
+  abstract class RequestSource extends HTTP::Servers::RequestSource { }
 
   /**
    * An Express request source, that is, the request parameter of a
@@ -465,73 +465,98 @@ module Express {
    * Gets a reference to the "query" object from a request-object originating from route-handler `rh`.
    */
   DataFlow::SourceNode getAQueryObjectReference(DataFlow::TypeTracker t, RouteHandler rh) {
-    t.startInProp("query") and
-    result = rh.getARequestSource()
-    or
-    exists(DataFlow::TypeTracker t2 | result = getAQueryObjectReference(t2, rh).track(t2, t))
+    result = queryRef(rh.getARequestSource(), t)
   }
 
   /**
    * Gets a reference to the "params" object from a request-object originating from route-handler `rh`.
    */
   DataFlow::SourceNode getAParamsObjectReference(DataFlow::TypeTracker t, RouteHandler rh) {
-    t.startInProp("params") and
-    result = rh.getARequestSource()
+    result = paramsRef(rh.getARequestSource(), t)
+  }
+
+  /** The input parameter to an `app.param()` route handler. */
+  private class ParamHandlerInputAccess extends HTTP::RequestInputAccess {
+    RouteHandler rh;
+
+    ParamHandlerInputAccess() {
+      exists(RouteSetup setup | rh = setup.getARouteHandler() |
+        this = DataFlow::parameterNode(rh.getRouteHandlerParameter("parameter"))
+      )
+    }
+
+    override HTTP::RouteHandler getRouteHandler() { result = rh }
+
+    override string getKind() { result = "parameter" }
+  }
+
+  /** Gets a data flow node referring to `req.query`. */
+  private DataFlow::SourceNode queryRef(RequestSource req, DataFlow::TypeTracker t) {
+    t.start() and
+    result = req.ref().getAPropertyRead("query")
     or
-    exists(DataFlow::TypeTracker t2 | result = getAParamsObjectReference(t2, rh).track(t2, t))
+    exists(DataFlow::TypeTracker t2 | result = queryRef(req, t2).track(t2, t))
+  }
+
+  /** Gets a data flow node referring to `req.query`. */
+  private DataFlow::SourceNode queryRef(RequestSource req) {
+    result = queryRef(req, DataFlow::TypeTracker::end())
+  }
+
+  /** Gets a data flow node referring to `req.params`. */
+  private DataFlow::SourceNode paramsRef(RequestSource req, DataFlow::TypeTracker t) {
+    t.start() and
+    result = req.ref().getAPropertyRead("params")
+    or
+    exists(DataFlow::TypeTracker t2 | result = paramsRef(req, t2).track(t2, t))
+  }
+
+  /** Gets a data flow node referring to `req.params`. */
+  private DataFlow::SourceNode paramsRef(RequestSource req) {
+    result = paramsRef(req, DataFlow::TypeTracker::end())
   }
 
   /**
    * An access to a user-controlled Express request input.
    */
   class RequestInputAccess extends HTTP::RequestInputAccess {
-    RouteHandler rh;
+    RequestSource request;
     string kind;
 
     RequestInputAccess() {
       kind = "parameter" and
-      this =
-        [
-          getAQueryObjectReference(DataFlow::TypeTracker::end(), rh),
-          getAParamsObjectReference(DataFlow::TypeTracker::end(), rh)
-        ].getAPropertyRead()
+      this = [queryRef(request), paramsRef(request)].getAPropertyRead()
       or
-      exists(DataFlow::SourceNode request | request = rh.getARequestSource().ref() |
+      exists(DataFlow::SourceNode ref | ref = request.ref() |
         kind = "parameter" and
-        this = request.getAMethodCall("param")
+        this = ref.getAMethodCall("param")
         or
         // `req.originalUrl`
         kind = "url" and
-        this = request.getAPropertyRead("originalUrl")
+        this = ref.getAPropertyRead("originalUrl")
         or
         // `req.cookies`
         kind = "cookie" and
-        this = request.getAPropertyRead("cookies")
+        this = ref.getAPropertyRead("cookies")
         or
         // `req.files`, treated the same as `req.body`.
         // `express-fileupload` uses .files, and `multer` uses .files or .file
         kind = "body" and
-        this = request.getAPropertyRead(["files", "file"])
-      )
-      or
-      kind = "body" and
-      this.asExpr() = rh.getARequestBodyAccess()
-      or
-      // `value` in `router.param('foo', (req, res, next, value) => { ... })`
-      kind = "parameter" and
-      exists(RouteSetup setup | rh = setup.getARouteHandler() |
-        this = DataFlow::parameterNode(rh.getRouteHandlerParameter("parameter"))
+        this = ref.getAPropertyRead(["files", "file"])
+        or
+        kind = "body" and
+        this = ref.getAPropertyRead("body")
       )
     }
 
-    override RouteHandler getRouteHandler() { result = rh }
+    override RouteHandler getRouteHandler() { result = request.getRouteHandler() }
 
     override string getKind() { result = kind }
 
     override predicate isUserControlledObject() {
       kind = "body" and
       exists(ExpressLibraries::BodyParser bodyParser, RouteHandlerExpr expr |
-        expr.getBody() = rh and
+        expr.getBody() = request.getRouteHandler() and
         bodyParser.producesUserControlledObjects() and
         bodyParser.flowsToExpr(expr.getAMatchingAncestor())
       )
@@ -542,13 +567,11 @@ module Express {
       forall(ExpressLibraries::BodyParser bodyParser | bodyParser.producesUserControlledObjects())
       or
       kind = "parameter" and
-      exists(DataFlow::Node request | request = DataFlow::valueNode(rh.getARequestExpr()) |
-        this.(DataFlow::MethodCallNode).calls(request, "param")
-      )
+      this = request.ref().getAMethodCall("param")
       or
       // `req.query.name`
       kind = "parameter" and
-      this = getAQueryObjectReference(DataFlow::TypeTracker::end(), rh).getAPropertyRead()
+      this = queryRef(request).getAPropertyRead()
     }
   }
 
@@ -556,29 +579,14 @@ module Express {
    * An access to a header on an Express request.
    */
   private class RequestHeaderAccess extends HTTP::RequestHeaderAccess {
-    RouteHandler rh;
+    RequestSource request;
 
     RequestHeaderAccess() {
-      exists(DataFlow::Node request | request = DataFlow::valueNode(rh.getARequestExpr()) |
-        exists(string methodName |
-          // `req.get(...)` or `req.header(...)`
-          this.(DataFlow::MethodCallNode).calls(request, methodName)
-        |
-          methodName = "get" or
-          methodName = "header"
-        )
-        or
-        exists(DataFlow::PropRead headers |
-          // `req.headers.name`
-          headers.accesses(request, "headers") and
-          this = headers.getAPropertyRead()
-        )
-        or
-        exists(string propName | propName = "host" or propName = "hostname" |
-          // `req.host` and `req.hostname` are derived from headers
-          this.(DataFlow::PropRead).accesses(request, propName)
-        )
-      )
+      this = request.ref().getAMethodCall(["get", "header"])
+      or
+      this = request.ref().getAPropertyRead("headers").getAPropertyRead()
+      or
+      this = request.ref().getAPropertyRead(["host", "hostname"])
     }
 
     override string getAHeaderName() {
@@ -591,7 +599,7 @@ module Express {
       )
     }
 
-    override RouteHandler getRouteHandler() { result = rh }
+    override RouteHandler getRouteHandler() { result = request.getRouteHandler() }
 
     override string getKind() { result = "header" }
   }
@@ -599,14 +607,7 @@ module Express {
   /**
    * HTTP headers created by Express calls
    */
-  abstract private class ExplicitHeader extends HTTP::ExplicitHeaderDefinition {
-    Expr response;
-
-    /**
-     * Gets the response expression that this header is set on.
-     */
-    Expr getResponse() { result = response }
-  }
+  abstract private class ExplicitHeader extends HTTP::ExplicitHeaderDefinition { }
 
   /**
    * Holds if `e` is an HTTP request object.
@@ -635,16 +636,13 @@ module Express {
    * An invocation of the `redirect` method of an HTTP response object.
    */
   private class RedirectInvocation extends HTTP::RedirectInvocation, MethodCallExpr {
-    RouteHandler rh;
+    ResponseSource response;
 
-    RedirectInvocation() {
-      getReceiver() = rh.getAResponseExpr() and
-      getMethodName() = "redirect"
-    }
+    RedirectInvocation() { this = response.ref().getAMethodCall("redirect").asExpr() }
 
     override Expr getUrlArgument() { result = getLastArgument() }
 
-    override RouteHandler getRouteHandler() { result = rh }
+    override RouteHandler getRouteHandler() { result = response.getRouteHandler() }
   }
 
   /**
@@ -662,21 +660,18 @@ module Express {
    * An invocation of the `set` or `header` method on an HTTP response object that
    * sets multiple headers.
    */
-  class SetMultipleHeaders extends ExplicitHeader, DataFlow::ValueNode {
-    override MethodCallExpr astNode;
-    RouteHandler rh;
+  class SetMultipleHeaders extends ExplicitHeader, DataFlow::MethodCallNode {
+    ResponseSource response;
 
     SetMultipleHeaders() {
-      astNode.getReceiver() = rh.getAResponseExpr() and
-      response = astNode.getReceiver() and
-      astNode.getMethodName() = any(string n | n = "set" or n = "header") and
-      astNode.getNumArgument() = 1
+      this = response.ref().getAMethodCall(["set", "header"]) and
+      getNumArgument() = 1
     }
 
     /**
      * Gets a reference to the multiple headers object that is to be set.
      */
-    private DataFlow::SourceNode getAHeaderSource() { result.flowsToExpr(astNode.getArgument(0)) }
+    private DataFlow::SourceNode getAHeaderSource() { result.flowsTo(getArgument(0)) }
 
     override predicate definesExplicitly(string headerName, Expr headerValue) {
       exists(string header |
@@ -685,7 +680,7 @@ module Express {
       )
     }
 
-    override RouteHandler getRouteHandler() { result = rh }
+    override RouteHandler getRouteHandler() { result = response.getRouteHandler() }
 
     override Expr getNameExpr() {
       exists(DataFlow::PropWrite write | getAHeaderSource().getAPropertyWrite() = write |
@@ -705,31 +700,26 @@ module Express {
    * An argument passed to the `send` or `end` method of an HTTP response object.
    */
   private class ResponseSendArgument extends HTTP::ResponseSendArgument {
-    RouteHandler rh;
+    ResponseSource response;
 
-    ResponseSendArgument() {
-      exists(MethodCallExpr mce |
-        mce.calls(rh.getAResponseExpr(), "send") and
-        this = mce.getArgument(0)
-      )
-    }
+    ResponseSendArgument() { this = response.ref().getAMethodCall("send").getArgument(0).asExpr() }
 
-    override RouteHandler getRouteHandler() { result = rh }
+    override RouteHandler getRouteHandler() { result = response.getRouteHandler() }
   }
 
   /**
    * An invocation of the `cookie` method on an HTTP response object.
    */
   class SetCookie extends HTTP::CookieDefinition, MethodCallExpr {
-    RouteHandler rh;
+    ResponseSource response;
 
-    SetCookie() { calls(rh.getAResponseExpr(), "cookie") }
+    SetCookie() { this = response.ref().getAMethodCall("cookie").asExpr() }
 
     override Expr getNameArgument() { result = getArgument(0) }
 
     override Expr getValueArgument() { result = getArgument(1) }
 
-    override RouteHandler getRouteHandler() { result = rh }
+    override RouteHandler getRouteHandler() { result = response.getRouteHandler() }
   }
 
   /**
@@ -750,11 +740,11 @@ module Express {
    * An object passed to the `render` method of an HTTP response object.
    */
   class TemplateObjectInput extends DataFlow::Node {
-    RouteHandler rh;
+    ResponseSource response;
 
     TemplateObjectInput() {
       exists(DataFlow::MethodCallNode render |
-        render.calls(rh.getAResponseExpr().flow(), "render") and
+        render = response.ref().getAMethodCall("render") and
         this = render.getArgument(1)
       )
     }
@@ -762,7 +752,7 @@ module Express {
     /**
      * Gets the route handler that uses this object.
      */
-    RouteHandler getRouteHandler() { result = rh }
+    RouteHandler getRouteHandler() { result = response.getRouteHandler() }
   }
 
   /**

From 822d4525af952dd75d6d0fe7c28ad2e7c034ceae Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Thu, 15 Apr 2021 13:58:43 +0100
Subject: [PATCH 0632/1429] JS: Drive-by change in LogInjection

---
 .../semmle/javascript/security/dataflow/LogInjection.qll   | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/LogInjection.qll b/javascript/ql/src/semmle/javascript/security/dataflow/LogInjection.qll
index fa70ae3f965..265b978d4a3 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/LogInjection.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/LogInjection.qll
@@ -67,4 +67,11 @@ module LogInjection {
   class HtmlSanitizer extends Sanitizer {
     HtmlSanitizer() { this instanceof HtmlSanitizerCall }
   }
+
+  /**
+   * A call to `JSON.stringify` or similar, seen as sanitizing log output.
+   */
+  class JsonStringifySanitizer extends Sanitizer {
+    JsonStringifySanitizer() { this = any(JsonStringifyCall c).getOutput() }
+  }
 }

From 109d1ad27fd326680cebb682f5f10a4504c10af5 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Thu, 15 Apr 2021 14:09:58 +0100
Subject: [PATCH 0633/1429] JS: Model fs.promises

---
 javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll b/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
index bb9b0870a8b..840e9ea9b78 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
@@ -465,6 +465,9 @@ module NodeJSLib {
       ) and
       t.start()
       or
+      t.start() and
+      result = DataFlow::moduleMember("fs", "promises")
+      or
       exists(DataFlow::TypeTracker t2, DataFlow::SourceNode pred | pred = fsModule(t2) |
         result = pred.track(t2, t)
         or

From 354dee1b096653472f6fe49853fab937ebb031f1 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Fri, 23 Apr 2021 13:22:18 +0200
Subject: [PATCH 0634/1429] Python: Add non-alert data for lines of code

`py/summary/lines-of-code` is just a port of the C++/JS queries added in:

- https://github.com/github/codeql/pull/5271 (C++)
- https://github.com/github/codeql/pull/5304 (JS)

We are the first to implement the `lines-of-user-code` query, so nothing to
compare with in other languages -- but it makes a lot of sense to do for Python :+1:
---
 python/ql/src/Summary/LinesOfCode.ql          | 13 ++++++++++
 python/ql/src/Summary/LinesOfUserCode.ql      | 21 +++++++++++++++
 .../query-tests/Summary/LinesOfCode.expected  |  1 +
 .../query-tests/Summary/LinesOfCode.qlref     |  1 +
 .../Summary/LinesOfUserCode.expected          |  1 +
 .../query-tests/Summary/LinesOfUserCode.qlref |  1 +
 .../test/query-tests/Summary/also_python_code |  7 +++++
 python/ql/test/query-tests/Summary/my_file.py | 26 +++++++++++++++++++
 python/ql/test/query-tests/Summary/not_python |  5 ++++
 9 files changed, 76 insertions(+)
 create mode 100644 python/ql/src/Summary/LinesOfCode.ql
 create mode 100644 python/ql/src/Summary/LinesOfUserCode.ql
 create mode 100644 python/ql/test/query-tests/Summary/LinesOfCode.expected
 create mode 100644 python/ql/test/query-tests/Summary/LinesOfCode.qlref
 create mode 100644 python/ql/test/query-tests/Summary/LinesOfUserCode.expected
 create mode 100644 python/ql/test/query-tests/Summary/LinesOfUserCode.qlref
 create mode 100755 python/ql/test/query-tests/Summary/also_python_code
 create mode 100644 python/ql/test/query-tests/Summary/my_file.py
 create mode 100755 python/ql/test/query-tests/Summary/not_python

diff --git a/python/ql/src/Summary/LinesOfCode.ql b/python/ql/src/Summary/LinesOfCode.ql
new file mode 100644
index 00000000000..98af45dc2cf
--- /dev/null
+++ b/python/ql/src/Summary/LinesOfCode.ql
@@ -0,0 +1,13 @@
+/**
+ * @id py/summary/lines-of-code
+ * @name Total lines of Python code in the database
+ * @description The total number of lines of Python code across all files, including
+ *   external libraries and auto-generated files. This is a useful metric of the size of a
+ *   database. This query counts the lines of code, excluding whitespace or comments.
+ * @kind metric
+ * @tags summary
+ */
+
+import python
+
+select sum(Module m | | m.getMetrics().getNumberOfLinesOfCode())
diff --git a/python/ql/src/Summary/LinesOfUserCode.ql b/python/ql/src/Summary/LinesOfUserCode.ql
new file mode 100644
index 00000000000..515db27566b
--- /dev/null
+++ b/python/ql/src/Summary/LinesOfUserCode.ql
@@ -0,0 +1,21 @@
+/**
+ * @id py/summary/lines-of-user-code
+ * @name Total lines of user written Python code in the database
+ * @description The total number of lines of Python code from the source code directory,
+ *   excluding auto-generated files. This query counts the lines of code, excluding
+ *   whitespace or comments. Note: If external libraries are included in the codebase
+ *   either in a checked-in virtual environment or as vendored code, that will currently
+ *   be counted as user written code.
+ * @kind metric
+ * @tags summary
+ */
+
+import python
+import semmle.python.filters.GeneratedCode
+
+select sum(Module m |
+    exists(m.getFile().getRelativePath()) and
+    not m.getFile() instanceof GeneratedFile
+  |
+    m.getMetrics().getNumberOfLinesOfCode()
+  )
diff --git a/python/ql/test/query-tests/Summary/LinesOfCode.expected b/python/ql/test/query-tests/Summary/LinesOfCode.expected
new file mode 100644
index 00000000000..5aa95ec1ce5
--- /dev/null
+++ b/python/ql/test/query-tests/Summary/LinesOfCode.expected
@@ -0,0 +1 @@
+| 38 |
diff --git a/python/ql/test/query-tests/Summary/LinesOfCode.qlref b/python/ql/test/query-tests/Summary/LinesOfCode.qlref
new file mode 100644
index 00000000000..b60eb791722
--- /dev/null
+++ b/python/ql/test/query-tests/Summary/LinesOfCode.qlref
@@ -0,0 +1 @@
+Summary/LinesOfCode.ql
diff --git a/python/ql/test/query-tests/Summary/LinesOfUserCode.expected b/python/ql/test/query-tests/Summary/LinesOfUserCode.expected
new file mode 100644
index 00000000000..74c7709367a
--- /dev/null
+++ b/python/ql/test/query-tests/Summary/LinesOfUserCode.expected
@@ -0,0 +1 @@
+| 11 |
diff --git a/python/ql/test/query-tests/Summary/LinesOfUserCode.qlref b/python/ql/test/query-tests/Summary/LinesOfUserCode.qlref
new file mode 100644
index 00000000000..baaa947e6af
--- /dev/null
+++ b/python/ql/test/query-tests/Summary/LinesOfUserCode.qlref
@@ -0,0 +1 @@
+Summary/LinesOfUserCode.ql
diff --git a/python/ql/test/query-tests/Summary/also_python_code b/python/ql/test/query-tests/Summary/also_python_code
new file mode 100755
index 00000000000..1ced5f9ded3
--- /dev/null
+++ b/python/ql/test/query-tests/Summary/also_python_code
@@ -0,0 +1,7 @@
+#!/usr/bin/env python
+
+# although this is actually Python code, it is not included by the extractor by default.
+
+print("this is also code")
+
+print("but just dummy code")
diff --git a/python/ql/test/query-tests/Summary/my_file.py b/python/ql/test/query-tests/Summary/my_file.py
new file mode 100644
index 00000000000..949cca2c87a
--- /dev/null
+++ b/python/ql/test/query-tests/Summary/my_file.py
@@ -0,0 +1,26 @@
+"""
+module level docstring
+
+is not included
+"""
+# this line is not code
+
+# `tty` was chosen for stability over python versions (so we don't get diffrent results
+# on different computers, that has different versions of Python).
+#
+# According to https://github.com/python/cpython/tree/master/Lib (at 2021-04-23) `tty`
+# was last changed in 2001, so chances of this being changed in the future are slim.
+import tty
+
+s = """
+all these lines are code
+"""
+
+print(s)
+
+def func():
+    """
+    this string is a doc-string. Although the module-level docstring is not considered
+    code, this one apparently is ¯\_(ツ)_/¯
+    """
+    pass
diff --git a/python/ql/test/query-tests/Summary/not_python b/python/ql/test/query-tests/Summary/not_python
new file mode 100755
index 00000000000..45dbc9b269a
--- /dev/null
+++ b/python/ql/test/query-tests/Summary/not_python
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# Although this is valid python code, it should not be counted as such.
+
+print("foo")

From deb3db3f952a2bf33b674e546b545f2466e38066 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Fri, 23 Apr 2021 13:24:45 +0200
Subject: [PATCH 0635/1429] Python: Add non-alert data for extractor
 diagnostics

This is basically just a port of the C++/JS queries added in:

- https://github.com/github/codeql/pull/5414 (C++)
- https://github.com/github/codeql/pull/5656 (JS)

SyntaxError should capture all errors we have information about. At least in
`python/ql/src/semmlecode.python.dbscheme` the only match for `error` is
`py_syntax_error_versioned` (which `SyntaxError` is based on).
---
 python/ql/src/Diagnostics/ExtractionErrors.ql | 23 +++++++++++++++++++
 .../Diagnostics/SuccessfullyExtractedFiles.ql | 15 ++++++++++++
 .../Diagnostics/ExtractionErrors.expected     |  2 ++
 .../Diagnostics/ExtractionErrors.qlref        |  1 +
 .../SuccessfullyExtractedFiles.expected       |  1 +
 .../SuccessfullyExtractedFiles.qlref          |  1 +
 .../query-tests/Diagnostics/bad_encoding.py   |  2 ++
 .../test/query-tests/Diagnostics/good_file.py |  1 +
 .../query-tests/Diagnostics/syntax_error.py   |  1 +
 9 files changed, 47 insertions(+)
 create mode 100644 python/ql/src/Diagnostics/ExtractionErrors.ql
 create mode 100644 python/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 create mode 100644 python/ql/test/query-tests/Diagnostics/ExtractionErrors.expected
 create mode 100644 python/ql/test/query-tests/Diagnostics/ExtractionErrors.qlref
 create mode 100644 python/ql/test/query-tests/Diagnostics/SuccessfullyExtractedFiles.expected
 create mode 100644 python/ql/test/query-tests/Diagnostics/SuccessfullyExtractedFiles.qlref
 create mode 100644 python/ql/test/query-tests/Diagnostics/bad_encoding.py
 create mode 100644 python/ql/test/query-tests/Diagnostics/good_file.py
 create mode 100644 python/ql/test/query-tests/Diagnostics/syntax_error.py

diff --git a/python/ql/src/Diagnostics/ExtractionErrors.ql b/python/ql/src/Diagnostics/ExtractionErrors.ql
new file mode 100644
index 00000000000..5d9ddee6eb7
--- /dev/null
+++ b/python/ql/src/Diagnostics/ExtractionErrors.ql
@@ -0,0 +1,23 @@
+/**
+ * @name Python extraction errors
+ * @description List all extraction errors for Python files in the source code directory.
+ * @kind diagnostic
+ * @id py/diagnostics/extraction-errors
+ */
+
+import python
+
+/**
+ * Gets the SARIF severity for errors.
+ *
+ * See point 3.27.10 in https://docs.oasis-open.org/sarif/sarif/v2.0/sarif-v2.0.html for
+ * what error means.
+ */
+int getErrorSeverity() { result = 2 }
+
+from SyntaxError error, File file
+where
+  file = error.getFile() and
+  exists(file.getRelativePath())
+select error, "Extraction failed in " + file + " with error " + error.getMessage(),
+  getErrorSeverity()
diff --git a/python/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql b/python/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
new file mode 100644
index 00000000000..310ad5a7698
--- /dev/null
+++ b/python/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
@@ -0,0 +1,15 @@
+/**
+ * @name Successfully extracted Python files
+ * @description Lists all Python files in the source code directory that were extracted
+ *   without encountering an error.
+ * @kind diagnostic
+ * @id py/diagnostics/successfully-extracted-files
+ */
+
+import python
+
+from File file
+where
+  not exists(SyntaxError e | e.getFile() = file) and
+  exists(file.getRelativePath())
+select file, ""
diff --git a/python/ql/test/query-tests/Diagnostics/ExtractionErrors.expected b/python/ql/test/query-tests/Diagnostics/ExtractionErrors.expected
new file mode 100644
index 00000000000..b9412f3be45
--- /dev/null
+++ b/python/ql/test/query-tests/Diagnostics/ExtractionErrors.expected
@@ -0,0 +1,2 @@
+| bad_encoding.py:2:11:2:11 | Encoding Error | Extraction failed in bad_encoding.py with error 'utf-8' codec can't decode byte 0x9d in position 88: invalid start byte | 2 |
+| syntax_error.py:1:31:1:31 | Syntax Error | Extraction failed in syntax_error.py with error Syntax Error | 2 |
diff --git a/python/ql/test/query-tests/Diagnostics/ExtractionErrors.qlref b/python/ql/test/query-tests/Diagnostics/ExtractionErrors.qlref
new file mode 100644
index 00000000000..488db09ab05
--- /dev/null
+++ b/python/ql/test/query-tests/Diagnostics/ExtractionErrors.qlref
@@ -0,0 +1 @@
+Diagnostics/ExtractionErrors.ql
diff --git a/python/ql/test/query-tests/Diagnostics/SuccessfullyExtractedFiles.expected b/python/ql/test/query-tests/Diagnostics/SuccessfullyExtractedFiles.expected
new file mode 100644
index 00000000000..7214acd8b88
--- /dev/null
+++ b/python/ql/test/query-tests/Diagnostics/SuccessfullyExtractedFiles.expected
@@ -0,0 +1 @@
+| good_file.py:0:0:0:0 | good_file.py |  |
diff --git a/python/ql/test/query-tests/Diagnostics/SuccessfullyExtractedFiles.qlref b/python/ql/test/query-tests/Diagnostics/SuccessfullyExtractedFiles.qlref
new file mode 100644
index 00000000000..e67b23fd557
--- /dev/null
+++ b/python/ql/test/query-tests/Diagnostics/SuccessfullyExtractedFiles.qlref
@@ -0,0 +1 @@
+Diagnostics/SuccessfullyExtractedFiles.ql
diff --git a/python/ql/test/query-tests/Diagnostics/bad_encoding.py b/python/ql/test/query-tests/Diagnostics/bad_encoding.py
new file mode 100644
index 00000000000..28a90a4d3a6
--- /dev/null
+++ b/python/ql/test/query-tests/Diagnostics/bad_encoding.py
@@ -0,0 +1,2 @@
+# Note: This file has been encoded in Windows 1252 to provoke encoding error
+print("wat�")
diff --git a/python/ql/test/query-tests/Diagnostics/good_file.py b/python/ql/test/query-tests/Diagnostics/good_file.py
new file mode 100644
index 00000000000..8cde7829c17
--- /dev/null
+++ b/python/ql/test/query-tests/Diagnostics/good_file.py
@@ -0,0 +1 @@
+print("hello world")
diff --git a/python/ql/test/query-tests/Diagnostics/syntax_error.py b/python/ql/test/query-tests/Diagnostics/syntax_error.py
new file mode 100644
index 00000000000..cf8b127ae6b
--- /dev/null
+++ b/python/ql/test/query-tests/Diagnostics/syntax_error.py
@@ -0,0 +1 @@
+print("no closing parenthesis"

From e3f10c0e32f0d5659c594cf53fc19042d1fa58d4 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 23 Apr 2021 13:37:42 +0200
Subject: [PATCH 0636/1429] Cleanup DiagnosticError classes

---
 .../Diagnostics/DiagnosticExtractionErrors.ql | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql b/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
index f19fcc6416a..91ed4a7b883 100644
--- a/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
+++ b/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
@@ -14,12 +14,16 @@ private newtype TDiagnosticError =
   TExtractorError(ExtractorError e)
 
 abstract private class DiagnosticError extends TDiagnosticError {
-  string getMessage() { none() }
+  abstract string getMessage();
 
-  string toString() { none() }
+  abstract string toString();
 
-  string getLocation(Location l) {
-    if l.getFile().fromSource() then result = " in " + l.getFile() else result = ""
+  abstract Location getLocation();
+
+  string getLocationMessage() {
+    if getLocation().getFile().fromSource()
+    then result = " in " + getLocation().getFile()
+    else result = ""
   }
 }
 
@@ -29,10 +33,12 @@ private class DiagnosticCompilerError extends DiagnosticError {
   DiagnosticCompilerError() { this = TCompilerError(c) }
 
   override string getMessage() {
-    result = "Compiler error" + getLocation(c.getLocation()) + ": " + c.getMessage()
+    result = "Compiler error" + this.getLocationMessage() + ": " + c.getMessage()
   }
 
   override string toString() { result = c.toString() }
+
+  override Location getLocation() { result = c.getLocation() }
 }
 
 private class DiagnosticExtractorError extends DiagnosticError {
@@ -45,10 +51,12 @@ private class DiagnosticExtractorError extends DiagnosticError {
 
   override string getMessage() {
     result =
-      "Unexpected " + e.getOrigin() + " error" + getLocation(e.getLocation()) + ": " + e.getText()
+      "Unexpected " + e.getOrigin() + " error" + this.getLocationMessage() + ": " + e.getText()
   }
 
   override string toString() { result = e.toString() }
+
+  override Location getLocation() { result = e.getLocation() }
 }
 
 from DiagnosticError error

From b4bd7af9c86a5f89095ee033574753bf46b8dae2 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 23 Apr 2021 13:40:12 +0200
Subject: [PATCH 0637/1429] Add change note

---
 csharp/change-notes/2021-04-23-model-error-extraction.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 csharp/change-notes/2021-04-23-model-error-extraction.md

diff --git a/csharp/change-notes/2021-04-23-model-error-extraction.md b/csharp/change-notes/2021-04-23-model-error-extraction.md
new file mode 100644
index 00000000000..7ac87844298
--- /dev/null
+++ b/csharp/change-notes/2021-04-23-model-error-extraction.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Program model errors are now extracted in standalone extraction.
\ No newline at end of file

From 819be43ce719f2aaa109d8bb3c23c25b44a92fc7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tam=C3=A1s=20Vajk?= <tamasvajk@github.com>
Date: Fri, 23 Apr 2021 13:41:59 +0200
Subject: [PATCH 0638/1429] Fix alphabetical order of supported frameworks

---
 docs/codeql/support/reusables/frameworks.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/codeql/support/reusables/frameworks.rst b/docs/codeql/support/reusables/frameworks.rst
index 2dfebad4919..7266aa4b028 100644
--- a/docs/codeql/support/reusables/frameworks.rst
+++ b/docs/codeql/support/reusables/frameworks.rst
@@ -23,12 +23,12 @@ C# built-in support
    ASP.NET, Web application framework
    ASP.NET Core, Web application framework
    ASP.NET Razor templates, Web application framework
+   Dapper, Database ORM
    EntityFramework, Database ORM
    EntityFramework Core, Database ORM
    Json.NET, Serialization
    NHibernate, Database ORM
    WinForms, User interface
-   Dapper, Database ORM
 
 Go built-in support
 ================================

From 1b4c3c7415598a422e1d9093461529149bcb33a6 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 23 Apr 2021 13:44:34 +0200
Subject: [PATCH 0639/1429] Fix code review findings

---
 .../code/csharp/security/dataflow/flowsources/Local.qll     | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsources/Local.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsources/Local.qll
index b1b0bf8df85..4c7f70921d9 100644
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsources/Local.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/flowsources/Local.qll
@@ -26,11 +26,9 @@ class SystemConsoleReadSource extends LocalUserInputSource {
   SystemConsoleReadSource() {
     this.asExpr() =
       any(MethodCall call |
-        call.getTarget().hasQualifiedName("System.Console", "ReadLine") or
-        call.getTarget().hasQualifiedName("System.Console", "Read") or
-        call.getTarget().hasQualifiedName("System.Console", "ReadKey")
+        call.getTarget().hasQualifiedName("System.Console", ["ReadLine", "Read", "ReadKey"])
       )
   }
 
-  override string getSourceType() { result = "TextBox text" }
+  override string getSourceType() { result = "System.Console input" }
 }

From 671e968936d78437a93b2689efe6599f08d24450 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Thu, 15 Apr 2021 16:54:11 +0100
Subject: [PATCH 0640/1429] JS: Model NestJS

---
 javascript/ql/src/javascript.qll              |   2 +
 .../src/semmle/javascript/dataflow/Nodes.qll  |   3 +
 .../javascript/dataflow/TaintTracking.qll     |   3 +-
 .../javascript/frameworks/ClassValidator.qll  |  67 +++
 .../src/semmle/javascript/frameworks/Nest.qll | 443 ++++++++++++++++++
 .../frameworks/Nest/Consistency.expected      |   0
 .../frameworks/Nest/Consistency.ql            |   3 +
 .../frameworks/Nest/global/app.ts             |  10 +
 .../frameworks/Nest/global/validation.ts      |  15 +
 .../frameworks/Nest/local/customDecorator.ts  |  26 +
 .../frameworks/Nest/local/customPipe.ts       |  50 ++
 .../frameworks/Nest/local/routes.ts           |  74 +++
 .../frameworks/Nest/local/validation.ts       |  51 ++
 .../frameworks/Nest/test.expected             |  94 ++++
 .../library-tests/frameworks/Nest/test.ql     |  19 +
 .../frameworks/Nest/tsconfig.json             |   6 +
 16 files changed, 865 insertions(+), 1 deletion(-)
 create mode 100644 javascript/ql/src/semmle/javascript/frameworks/ClassValidator.qll
 create mode 100644 javascript/ql/src/semmle/javascript/frameworks/Nest.qll
 create mode 100644 javascript/ql/test/library-tests/frameworks/Nest/Consistency.expected
 create mode 100644 javascript/ql/test/library-tests/frameworks/Nest/Consistency.ql
 create mode 100644 javascript/ql/test/library-tests/frameworks/Nest/global/app.ts
 create mode 100644 javascript/ql/test/library-tests/frameworks/Nest/global/validation.ts
 create mode 100644 javascript/ql/test/library-tests/frameworks/Nest/local/customDecorator.ts
 create mode 100644 javascript/ql/test/library-tests/frameworks/Nest/local/customPipe.ts
 create mode 100644 javascript/ql/test/library-tests/frameworks/Nest/local/routes.ts
 create mode 100644 javascript/ql/test/library-tests/frameworks/Nest/local/validation.ts
 create mode 100644 javascript/ql/test/library-tests/frameworks/Nest/test.expected
 create mode 100644 javascript/ql/test/library-tests/frameworks/Nest/test.ql
 create mode 100644 javascript/ql/test/library-tests/frameworks/Nest/tsconfig.json

diff --git a/javascript/ql/src/javascript.qll b/javascript/ql/src/javascript.qll
index b565a7cd21f..3818570c833 100644
--- a/javascript/ql/src/javascript.qll
+++ b/javascript/ql/src/javascript.qll
@@ -75,6 +75,7 @@ import semmle.javascript.frameworks.Babel
 import semmle.javascript.frameworks.Cheerio
 import semmle.javascript.frameworks.ComposedFunctions
 import semmle.javascript.frameworks.Classnames
+import semmle.javascript.frameworks.ClassValidator
 import semmle.javascript.frameworks.ClientRequests
 import semmle.javascript.frameworks.ClosureLibrary
 import semmle.javascript.frameworks.CookieLibraries
@@ -98,6 +99,7 @@ import semmle.javascript.frameworks.Logging
 import semmle.javascript.frameworks.HttpFrameworks
 import semmle.javascript.frameworks.HttpProxy
 import semmle.javascript.frameworks.Markdown
+import semmle.javascript.frameworks.Nest
 import semmle.javascript.frameworks.Next
 import semmle.javascript.frameworks.NoSQL
 import semmle.javascript.frameworks.PkgCloud
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
index 9c8d13582c3..5a110f44ff8 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
@@ -47,6 +47,9 @@ class ParameterNode extends DataFlow::SourceNode {
 
   /** Holds if this parameter is a rest parameter. */
   predicate isRestParameter() { p.isRestParameter() }
+
+  /** Gets the data flow node for an expression that is applied to this decorator. */
+  DataFlow::Node getADecorator() { result = getParameter().getADecorator().getExpression().flow() }
 }
 
 /**
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
index 251a691501e..1a642d980bd 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -550,7 +550,8 @@ module TaintTracking {
       // reading from a tainted object yields a tainted result
       succ.(DataFlow::PropRead).getBase() = pred and
       not AccessPath::DominatingPaths::hasDominatingWrite(succ) and
-      not isSafeClientSideUrlProperty(succ)
+      not isSafeClientSideUrlProperty(succ) and
+      not ClassValidator::isAccessToSanitizedField(succ)
       or
       // iterating over a tainted iterator taints the loop variable
       exists(ForOfStmt fos |
diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClassValidator.qll b/javascript/ql/src/semmle/javascript/frameworks/ClassValidator.qll
new file mode 100644
index 00000000000..f0e95d0583d
--- /dev/null
+++ b/javascript/ql/src/semmle/javascript/frameworks/ClassValidator.qll
@@ -0,0 +1,67 @@
+/**
+ * Provides predicates for reasoning about sanitization via the `class-validator` library.
+ */
+
+import javascript
+
+/**
+ * Provides predicates for reasoning about sanitization via the `class-validator` library.
+ */
+module ClassValidator {
+  /**
+   * Holds if the decorator with the given name does not sanitize the input, for the purpose of taint tracking.
+   */
+  bindingset[name]
+  private predicate isSanitizingDecoratorName(string name) {
+    // Most decorators do sanitize the input, so only list those that don't.
+    not name =
+      [
+        "IsDefined", "IsOptional", "NotEquals", "IsNotEmpty", "IsNotIn", "IsString", "IsArray",
+        "Contains", "NotContains", "IsAscii", "IsByteLength", "IsDataURI", "IsFQDN", "IsJSON",
+        "IsJWT", "IsObject", "IsNotEmptyObject", "IsLowercase", "IsSurrogatePair", "IsUrl",
+        "IsUppercase", "Length", "MinLength", "MaxLength", "ArrayContains", "ArrayNotContains",
+        "ArrayNotEmpty", "ArrayMinSize", "ArrayMaxSize", "ArrayUnique", "Allow", "ValidateNested",
+        "Validate",
+        // Consider "Matches" to be non-sanitizing as it is special-cased below
+        "Matches"
+      ]
+  }
+
+  /** Holds if the given call is a decorator that sanitizes values for the purpose of taint tracking, such as `IsBoolean()`. */
+  API::CallNode sanitizingDecorator() {
+    exists(string name | result = API::moduleImport("class-validator").getMember(name).getACall() |
+      isSanitizingDecoratorName(name)
+      or
+      name = "Matches" and
+      RegExp::isGenericRegExpSanitizer(RegExp::getRegExpFromNode(result.getArgument(0)), true)
+    )
+  }
+
+  /** Holds if the given field has a decorator that sanitizes its value for the purpose of taint tracking. */
+  predicate isFieldSanitizedByDecorator(FieldDefinition field) {
+    field.getADecorator().getExpression().flow() = sanitizingDecorator().getReturn().getAUse()
+  }
+
+  pragma[noinline]
+  private predicate isFieldSanitizedByDecorator(ClassDefinition cls, string name) {
+    isFieldSanitizedByDecorator(cls.getField(name))
+  }
+
+  pragma[noinline]
+  private ClassDefinition getClassReferencedByPropRead(DataFlow::PropRead read) {
+    read.getBase().asExpr().getType().unfold().(ClassType).getClass() = result
+  }
+
+  /**
+   * Holds if the given property read refers to a field that has a sanitizing decorator.
+   *
+   * Only holds when TypeScript types are available.
+   */
+  pragma[noinline]
+  predicate isAccessToSanitizedField(DataFlow::PropRead read) {
+    exists(ClassDefinition class_ |
+      class_ = getClassReferencedByPropRead(read) and
+      isFieldSanitizedByDecorator(class_, read.getPropertyName())
+    )
+  }
+}
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Nest.qll b/javascript/ql/src/semmle/javascript/frameworks/Nest.qll
new file mode 100644
index 00000000000..297897b3541
--- /dev/null
+++ b/javascript/ql/src/semmle/javascript/frameworks/Nest.qll
@@ -0,0 +1,443 @@
+/**
+ * Provides classes and predicates for reasoning about [Nest](https://nestjs.com/).
+ */
+
+import javascript
+private import semmle.javascript.security.dataflow.ServerSideUrlRedirectCustomizations
+
+/**
+ * Provides classes and predicates for reasoning about [Nest](https://nestjs.com/).
+ */
+module NestJS {
+  /** Gets an API node referring to the `@nestjs/common` module. */
+  private API::Node nestjs() { result = API::moduleImport("@nestjs/common") }
+
+  /**
+   * Gets a data flow node that is applied as a decorator on the given function.
+   *
+   * Note that only methods in a class can have decorators.
+   */
+  private DataFlow::Node getAFunctionDecorator(DataFlow::FunctionNode fun) {
+    exists(MethodDefinition method |
+      fun = method.getInit().flow() and
+      result = method.getADecorator().getExpression().flow()
+    )
+  }
+
+  /**
+   * A method that is declared as a route handler using a decorator, for example:
+   *
+   * ```js
+   * class C {
+   *   @Get('posts')
+   *   getPosts() { .. }
+   * }
+   * ```
+   */
+  private class NestJSRouteHandler extends HTTP::RouteHandler, DataFlow::FunctionNode {
+    NestJSRouteHandler() {
+      getAFunctionDecorator(this) =
+        nestjs()
+            .getMember(["Get", "Post", "Put", "Delete", "Patch", "Options", "Head", "All"])
+            .getACall()
+    }
+
+    override HTTP::HeaderDefinition getAResponseHeader(string name) { none() }
+
+    /**
+     * Holds if this has the `@Redirect()` decorator.
+     */
+    predicate hasRedirectDecorator() {
+      getAFunctionDecorator(this) = nestjs().getMember("Redirect").getACall()
+    }
+
+    /** Gets a pipe applied to the inputs of this route handler, not including global pipes. */
+    DataFlow::Node getAPipe() {
+      exists(DataFlow::CallNode decorator |
+        decorator = nestjs().getMember("UsePipes").getACall() and
+        result = decorator.getAnArgument()
+      |
+        decorator = getAFunctionDecorator(this)
+        or
+        exists(DataFlow::ClassNode cls |
+          this = cls.getAnInstanceMember() and
+          decorator = cls.getADecorator()
+        )
+      )
+    }
+  }
+
+  /**
+   * A parameter with a decorator that makes it receive a value derived from the incoming request.
+   *
+   * For example, in the following,
+   * ```js
+   * @Get(':foo')
+   * foo(@Param('foo') foo, @Query() query) { ... }
+   * ```
+   * the `foo` and `query` parameters receive (part of) the path and query string, respectively.
+   */
+  private class NestJSRequestInput extends DataFlow::ParameterNode {
+    DataFlow::CallNode decorator;
+    string decoratorName;
+
+    NestJSRequestInput() {
+      decoratorName =
+        ["Query", "Param", "Headers", "Body", "HostParam", "UploadedFile", "UploadedFiles"] and
+      decorator = getADecorator() and
+      decorator = nestjs().getMember(decoratorName).getACall()
+    }
+
+    /** Gets the decorator marking this as a request input. */
+    DataFlow::CallNode getDecorator() { result = decorator }
+
+    /** Gets the route handler on which this parameter appears. */
+    NestJSRouteHandler getNestRouteHandler() { result.getAParameter() = this }
+
+    /** Gets a pipe applied to this parameter, not including global pipes. */
+    DataFlow::Node getAPipe() {
+      result = getNestRouteHandler().getAPipe()
+      or
+      result = decorator.getArgument(1)
+      or
+      decorator.getNumArgument() = 1 and
+      not decorator.getArgument(0).mayHaveStringValue(_) and
+      result = decorator.getArgument(0) // One-argument version can either take a pipe or a property name
+    }
+
+    /** Gets the kind of parameter, for use in `HTTP::RequestInputAccess`. */
+    string getInputKind() {
+      decoratorName = ["Param", "Query"] and result = "parameter"
+      or
+      decoratorName = ["Headers", "HostParam"] and result = "header"
+      or
+      decoratorName = ["Body", "UploadedFile", "UploadedFiles"] and result = "body"
+    }
+
+    /**
+     * Holds if this is sanitized by a sanitizing pipe, for example, a parameter
+     * with the decorator `@Param('x', ParseIntPipe)` is parsed as an integer, and
+     * is thus considered to be sanitized.
+     */
+    predicate isSanitizedByPipe() {
+      hasSanitizingPipe(this, false)
+      or
+      hasSanitizingPipe(this, true) and
+      isSanitizingType(getParameter().getType().unfold())
+    }
+  }
+
+  /** API node entry point for custom implementations of `ValidationPipe` (a common pattern). */
+  private class ValidationNodeEntry extends API::EntryPoint {
+    ValidationNodeEntry() { this = "ValidationNodeEntry" }
+
+    override DataFlow::SourceNode getAUse() {
+      result.(DataFlow::ClassNode).getName() = "ValidationPipe"
+    }
+
+    override DataFlow::Node getARhs() { none() }
+  }
+
+  /** Gets an API node referring to the constructor of `ValidationPipe` */
+  private API::Node validationPipe() {
+    result = nestjs().getMember("ValidationPipe")
+    or
+    result = API::root().getASuccessor(any(ValidationNodeEntry e))
+  }
+
+  /**
+   * Gets a pipe (instance or constructor) which causes its input to be sanitized, and thus not seen as a `RequestInputAccess`.
+   *
+   * If `dependsOnType` is `true`, then the validation depends on the declared type of the input,
+   * and some types may not be enough to be considered sanitized.
+   */
+  private API::Node sanitizingPipe(boolean dependsOnType) {
+    exists(API::Node ctor |
+      dependsOnType = false and
+      ctor = nestjs().getMember(["ParseIntPipe", "ParseBoolPipe", "ParseUUIDPipe"])
+      or
+      dependsOnType = true and
+      ctor = validationPipe()
+    |
+      result = [ctor, ctor.getInstance()]
+    )
+  }
+
+  /**
+   * Holds if `ValidationPipe` is installed as a global pipe by a file in the given folder
+   * or one of its enclosing folders.
+   *
+   * We use folder hierarchy to approximate the scope of globally-installed pipes.
+   */
+  predicate hasGlobalValidationPipe(Folder folder) {
+    exists(DataFlow::CallNode call |
+      call.getCalleeName() = "useGlobalPipes" and
+      call.getArgument(0) = validationPipe().getInstance().getAUse() and
+      folder = call.getFile().getParentContainer()
+    )
+    or
+    exists(API::CallNode decorator |
+      decorator = nestjs().getMember("Module").getACall() and
+      decorator
+          .getParameter(0)
+          .getMember("providers")
+          .getAMember()
+          .getMember("useFactory")
+          .getReturn()
+          .getARhs() = validationPipe().getInstance().getAUse() and
+      folder = decorator.getFile().getParentContainer()
+    )
+    or
+    hasGlobalValidationPipe(folder.getParentContainer())
+  }
+
+  /**
+   * Holds if `param` is affected by a pipe that sanitizes inputs.
+   */
+  private predicate hasSanitizingPipe(NestJSRequestInput param, boolean dependsOnType) {
+    param.getAPipe() = sanitizingPipe(dependsOnType).getAUse()
+    or
+    hasGlobalValidationPipe(param.getFile().getParentContainer()) and
+    dependsOnType = true
+  }
+
+  /**
+   * Holds if a parameter of type `t` is considered sanitized, provided it has been checked by `ValidationPipe`
+   * (which relies on metadata emitted by the TypeScript compiler).
+   */
+  private predicate isSanitizingType(Type t) {
+    t instanceof NumberType
+    or
+    t instanceof BooleanType
+    //
+    // Note: we could consider types with class-validator decorators to be sanitized here, but instead we consider the root
+    // object to be tainted, but omit taint steps for the individual properties names that have sanitizing decorators. See ClassValidator.qll.
+  }
+
+  /**
+   * A user-defined pipe class, for example:
+   * ```js
+   * class MyPipe implements PipeTransform {
+   *   transform(value) { return value + '!' }
+   * }
+   * ```
+   * This can be used as a pipe, for example, `@Param('x', MyPipe)` would pipe
+   * the request parameter `x` through the `transform` function before flowing into
+   * the route handler.
+   */
+  private class CustomPipeClass extends DataFlow::ClassNode {
+    CustomPipeClass() {
+      exists(ClassDefinition cls |
+        this = cls.flow() and
+        cls.getASuperInterface().hasQualifiedName("@nestjs/common", "PipeTransform")
+      )
+    }
+
+    DataFlow::FunctionNode getTransformFunction() { result = getInstanceMethod("transform") }
+
+    DataFlow::ParameterNode getInputData() { result = getTransformFunction().getParameter(0) }
+
+    DataFlow::Node getOutputData() { result = getTransformFunction().getReturnNode() }
+
+    NestJSRequestInput getAnAffectedParameter() {
+      [getAnInstanceReference(), getAClassReference()].flowsTo(result.getAPipe())
+    }
+  }
+
+  /**
+   * The input to a custom pipe, seen as a remote flow source.
+   *
+   * The type of remote flow depends on which decorator is applied at the parameter, so
+   * we just classify it as a `RemoteFlowSource`.
+   */
+  private class NestJSCustomPipeInput extends HTTP::RequestInputAccess {
+    CustomPipeClass pipe;
+
+    NestJSCustomPipeInput() {
+      this = pipe.getInputData() and
+      exists(NestJSRequestInput input |
+        input = pipe.getAnAffectedParameter() and
+        not input.isSanitizedByPipe()
+      )
+    }
+
+    override string getKind() {
+      // Use any input kind that the pipe is applied to.
+      result = pipe.getAnAffectedParameter().getInputKind()
+    }
+
+    override HTTP::RouteHandler getRouteHandler() {
+      result = pipe.getAnAffectedParameter().getNestRouteHandler()
+    }
+  }
+
+  /**
+   * A step from the result of a custom pipe, to an affected parameter.
+   */
+  private class CustomPipeStep extends DataFlow::SharedFlowStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(CustomPipeClass pipe |
+        pred = pipe.getOutputData() and
+        succ = pipe.getAnAffectedParameter()
+      )
+    }
+  }
+
+  /**
+   * A request input parameter that is not sanitized by a pipe, and therefore treated
+   * as a source of untrusted data.
+   */
+  private class NestJSRequestInputAsRequestInputAccess extends NestJSRequestInput,
+    HTTP::RequestInputAccess {
+    NestJSRequestInputAsRequestInputAccess() {
+      not isSanitizedByPipe() and
+      not this = any(CustomPipeClass cls).getAnAffectedParameter()
+    }
+
+    override HTTP::RouteHandler getRouteHandler() { result = getNestRouteHandler() }
+
+    override string getKind() { result = getInputKind() }
+
+    override predicate isUserControlledObject() {
+      not exists(getAPipe()) and // value is not transformed by a pipe
+      (
+        decorator.getNumArgument() = 0
+        or
+        decoratorName = ["Query", "Body"]
+      )
+    }
+  }
+
+  private class NestJSHeaderAccess extends NestJSRequestInputAsRequestInputAccess,
+    HTTP::RequestHeaderAccess {
+    NestJSHeaderAccess() { decoratorName = "Headers" and decorator.getNumArgument() > 0 }
+
+    override string getAHeaderName() {
+      result = decorator.getArgument(0).getStringValue().toLowerCase()
+    }
+  }
+
+  /**
+   * A return value from a route handler, seen as an argument to `res.send()`.
+   *
+   * For example,
+   * ```js
+   * @Get()
+   * foo() {
+   *   return '<b>Hello</b>';
+   * }
+   * ```
+   * writes `<b>Hello</b>` to the response.
+   */
+  private class ReturnValueAsResponseSend extends HTTP::ResponseSendArgument {
+    NestJSRouteHandler handler;
+
+    ReturnValueAsResponseSend() {
+      not handler.hasRedirectDecorator() and
+      this = handler.getAReturn().asExpr()
+    }
+
+    override HTTP::RouteHandler getRouteHandler() { result = handler }
+  }
+
+  /**
+   * A return value from a redirecting route handler, seen as a sink for server-side redirect.
+   *
+   * For example,
+   * ```js
+   * @Get()
+   * @Redirect
+   * foo() {
+   *   return { url: 'https://example.com' }
+   * }
+   * ```
+   * redirects to `https://example.com`.
+   */
+  private class ReturnValueAsRedirection extends ServerSideUrlRedirect::Sink {
+    NestJSRouteHandler handler;
+
+    ReturnValueAsRedirection() {
+      handler.hasRedirectDecorator() and
+      this = handler.getAReturn().getALocalSource().getAPropertyWrite("url").getRhs()
+    }
+  }
+
+  /**
+   * A parameter decorator created using `createParamDecorator`.
+   */
+  private class CustomParameterDecorator extends API::CallNode {
+    CustomParameterDecorator() { this = nestjs().getMember("createParamDecorator").getACall() }
+
+    /** Gets the `context` parameter. */
+    API::Node getExecutionContext() { result = getParameter(0).getParameter(1) }
+
+    /** Gets a parameter with this decorator applied. */
+    DataFlow::ParameterNode getADecoratedParameter() {
+      result.getADecorator() = getReturn().getReturn().getAUse()
+    }
+
+    /** Gets a value returned by the decorator's callback, which becomes the value of the decorated parameter. */
+    DataFlow::Node getResult() { result = getParameter(0).getReturn().getARhs() }
+  }
+
+  /**
+   * A flow step from a custom parameter decorator to a decorated parameter.
+   */
+  private class CustomParameterFlowStep extends DataFlow::SharedFlowStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(CustomParameterDecorator dec |
+        pred = dec.getResult() and
+        succ = dec.getADecoratedParameter()
+      )
+    }
+  }
+
+  private API::Node executionContext() {
+    result = API::Node::ofType("@nestjs/common", "ExecutionContext")
+    or
+    result = any(CustomParameterDecorator d).getExecutionContext()
+  }
+
+  /**
+   * A source of `express` request objects, based on the `@Req()` decorator,
+   * or the context object in a custom decorator.
+   */
+  private class ExpressRequestSource extends Express::RequestSource {
+    ExpressRequestSource() {
+      this.(DataFlow::ParameterNode).getADecorator() =
+        nestjs().getMember(["Req", "Request"]).getReturn().getAnImmediateUse()
+      or
+      this =
+        executionContext()
+            .getMember("switchToHttp")
+            .getReturn()
+            .getMember("getRequest")
+            .getReturn()
+            .getAnImmediateUse()
+    }
+
+    /**
+     * Gets the route handler that handles this request.
+     */
+    override HTTP::RouteHandler getRouteHandler() {
+      result.(DataFlow::FunctionNode).getAParameter() = this
+    }
+  }
+
+  /**
+   * A source of `express` response objects, based on the `@Res()` decorator.
+   */
+  private class ExpressResponseSource extends Express::ResponseSource {
+    ExpressResponseSource() {
+      this.(DataFlow::ParameterNode).getADecorator() =
+        nestjs().getMember(["Res", "Response"]).getReturn().getAnImmediateUse()
+    }
+
+    /**
+     * Gets the route handler that handles this request.
+     */
+    override HTTP::RouteHandler getRouteHandler() {
+      result.(DataFlow::FunctionNode).getAParameter() = this
+    }
+  }
+}
diff --git a/javascript/ql/test/library-tests/frameworks/Nest/Consistency.expected b/javascript/ql/test/library-tests/frameworks/Nest/Consistency.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/javascript/ql/test/library-tests/frameworks/Nest/Consistency.ql b/javascript/ql/test/library-tests/frameworks/Nest/Consistency.ql
new file mode 100644
index 00000000000..787d0a5fdc4
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Nest/Consistency.ql
@@ -0,0 +1,3 @@
+import testUtilities.ConsistencyChecking
+import semmle.javascript.security.dataflow.ReflectedXss
+import semmle.javascript.security.dataflow.ServerSideUrlRedirect
diff --git a/javascript/ql/test/library-tests/frameworks/Nest/global/app.ts b/javascript/ql/test/library-tests/frameworks/Nest/global/app.ts
new file mode 100644
index 00000000000..132f2162a9f
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Nest/global/app.ts
@@ -0,0 +1,10 @@
+import { NestFactory } from '@nestjs/core';
+import { ValidationPipe } from '@nestjs/common';
+import { AppModule } from './app.module';
+
+async function bootstrap() {
+    const app = await NestFactory.create(AppModule);
+    app.useGlobalPipes(new ValidationPipe());
+    await app.listen(3000);
+}
+bootstrap();
diff --git a/javascript/ql/test/library-tests/frameworks/Nest/global/validation.ts b/javascript/ql/test/library-tests/frameworks/Nest/global/validation.ts
new file mode 100644
index 00000000000..4bf67eff4cb
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Nest/global/validation.ts
@@ -0,0 +1,15 @@
+import { Get, Query } from '@nestjs/common';
+import { IsIn } from 'class-validator';
+
+export class Controller {
+  @Get()
+  route1(@Query('x') validatedObj: Struct, @Query('y') unvalidated: string) {
+    if (Math.random()) return unvalidated; // NOT OK
+    return validatedObj.key; // OK
+  }
+}
+
+class Struct {
+  @IsIn(['foo', 'bar'])
+  key: string;
+}
diff --git a/javascript/ql/test/library-tests/frameworks/Nest/local/customDecorator.ts b/javascript/ql/test/library-tests/frameworks/Nest/local/customDecorator.ts
new file mode 100644
index 00000000000..032d7032bc0
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Nest/local/customDecorator.ts
@@ -0,0 +1,26 @@
+import { Get, createParamDecorator, ExecutionContext } from '@nestjs/common';
+
+export const SneakyQueryParam = createParamDecorator(
+  (data: unknown, ctx: ExecutionContext) => {
+    const request = ctx.switchToHttp().getRequest();
+    return request.query.sneakyQueryParam;
+  },
+);
+
+export const SafeParam = createParamDecorator(
+  (data: unknown, ctx: ExecutionContext) => {
+    return 'Safe';
+  },
+);
+
+export class Controller {
+  @Get()
+  sneaky(@SneakyQueryParam() value) {
+    return value; // NOT OK
+  }
+
+  @Get()
+  safe(@SafeParam() value) {
+    return value; // OK
+  }
+}
diff --git a/javascript/ql/test/library-tests/frameworks/Nest/local/customPipe.ts b/javascript/ql/test/library-tests/frameworks/Nest/local/customPipe.ts
new file mode 100644
index 00000000000..58f6084ab0b
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Nest/local/customPipe.ts
@@ -0,0 +1,50 @@
+import { Get, Injectable, PipeTransform, Query, UsePipes } from '@nestjs/common';
+  
+@Injectable()
+export class CustomSanitizingPipe implements PipeTransform {
+    transform(value: string): number | undefined {
+        if (value == null) return undefined;
+        return Number(value);
+    }
+}
+
+@Injectable()
+export class CustomPropagatingPipe implements PipeTransform {
+    transform(value: string): string {
+        return value.toUpperCase() + '!';
+    }
+}
+
+export class Controller {
+    @Get()
+    sanitizingPipe1(@Query('x', CustomSanitizingPipe) sanitized: number): string {
+        return '' + sanitized; // OK
+    }
+
+    @Get()
+    sanitizingPipe2(@Query('x', new CustomSanitizingPipe()) sanitized: number): string {
+        return '' + sanitized; // OK
+    }
+
+    @Get()
+    @UsePipes(CustomSanitizingPipe)
+    sanitizingPipe3(@Query('x') sanitized: number): string {
+        return '' + sanitized; // OK
+    }
+
+    @Get()
+    propagatingPipe1(@Query('x', CustomPropagatingPipe) unsanitized: string): string {
+        return '' + unsanitized; // NOT OK
+    }
+
+    @Get()
+    propagatingPipe2(@Query('x', new CustomPropagatingPipe()) unsanitized: string): string {
+        return '' + unsanitized; // NOT OK
+    }
+
+    @Get()
+    @UsePipes(CustomPropagatingPipe)
+    propagatingPipe3(@Query('x') unsanitized: string): string {
+        return '' + unsanitized; // NOT OK
+    }
+}
diff --git a/javascript/ql/test/library-tests/frameworks/Nest/local/routes.ts b/javascript/ql/test/library-tests/frameworks/Nest/local/routes.ts
new file mode 100644
index 00000000000..b94c3942318
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Nest/local/routes.ts
@@ -0,0 +1,74 @@
+import { Get, Post, All, Query, Param, Body, Redirect, Req, Res, UploadedFile, UploadedFiles } from '@nestjs/common';
+import { SneakyQueryParam } from './customDecorator';
+
+export class TestController {
+  @Get('foo')
+  getFoo() {
+    return 'foo';
+  }
+
+  @Post('foo')
+  postFoo() {
+    return 'foo';
+  }
+
+  @Get()
+  getRoot() {
+    return 'foo';
+  }
+
+  @All('bar')
+  bar() {
+    return 'bar';
+  }
+
+  @Get('requestInputs/:x')
+  requestInputs(
+    @Param('x') x,
+    @Query() queryObj,
+    @Query('name') name,
+    @Req() req
+  ) {
+    if (Math.random()) return x; // NOT OK
+    if (Math.random()) return queryObj; // NOT OK
+    if (Math.random()) return name; // NOT OK
+    if (Math.random()) return req.query.abc; // NOT OK
+    return;
+  }
+
+  @Post('post')
+  post(@Body() body) {
+    return body.x; // NOT OK
+  }
+
+  @Get('redir')
+  @Redirect('https://example.com')
+  redir() {
+    return {
+      url: '//other.example.com' // OK
+    };
+  }
+
+  @Get('redir')
+  @Redirect('https://example.com')
+  redir2(@Query('redirect') target) {
+    return {
+      url: target // NOT OK
+    };
+  }
+
+  @Get()
+  explicitSend(@Req() req, @Res() res) {
+    res.send(req.query.x) // NOT OK
+  }
+
+  @Post()
+  upload(@UploadedFile() file) {
+    return file.originalname; // NOT OK
+  }
+
+  @Post()
+  uploadMany(@UploadedFiles() files) {
+    return files[0].originalname; // NOT OK
+  }
+}
diff --git a/javascript/ql/test/library-tests/frameworks/Nest/local/validation.ts b/javascript/ql/test/library-tests/frameworks/Nest/local/validation.ts
new file mode 100644
index 00000000000..d9771c195e1
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Nest/local/validation.ts
@@ -0,0 +1,51 @@
+import { Get, Query, UsePipes, ValidationPipe } from '@nestjs/common';
+import { IsIn } from 'class-validator';
+
+export class Controller {
+  @Get()
+  route1(@Query('x', new ValidationPipe()) validatedObj: Struct) {
+    return validatedObj.key; // OK
+  }
+
+  @Get()
+  route2(@Query('x', ValidationPipe) validatedObj: Struct) {
+    return validatedObj.key; // OK
+  }
+
+  @Get()
+  @UsePipes(new ValidationPipe())
+  route3(@Query('x') validatedObj: Struct, @Query('y') unvalidated: string) {
+    if (Math.random()) return validatedObj.key; // OK
+    return unvalidated; // NOT OK
+  }
+
+  @Get()
+  @UsePipes(ValidationPipe)
+  route4(@Query('x') validatedObj: Struct, @Query('y') unvalidated: string) {
+    if (Math.random()) return validatedObj.key; // OK
+    return unvalidated; // NOT OK
+  }
+}
+
+@UsePipes(new ValidationPipe())
+export class Controller2 {
+  @Get()
+  route5(@Query('x') validatedObj: Struct, @Query('y') unvalidated: string) {
+    if (Math.random()) return validatedObj.key; // OK
+    return unvalidated; // NOT OK
+  }
+}
+
+@UsePipes(ValidationPipe)
+export class Controller3 {
+  @Get()
+  route6(@Query('x') validatedObj: Struct, @Query('y') unvalidated: string) {
+    if (Math.random()) return validatedObj.key; // OK
+    return unvalidated; // NOT OK
+  }
+}
+
+class Struct {
+  @IsIn(['foo', 'bar'])
+  key: string;
+}
diff --git a/javascript/ql/test/library-tests/frameworks/Nest/test.expected b/javascript/ql/test/library-tests/frameworks/Nest/test.expected
new file mode 100644
index 00000000000..9de016189ba
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Nest/test.expected
@@ -0,0 +1,94 @@
+routeHandler
+| global/validation.ts:6:3:9:3 | route1( ...  OK\\n  } |
+| local/customDecorator.ts:18:3:20:3 | sneaky( ...  OK\\n  } |
+| local/customDecorator.ts:23:3:25:3 | safe(@S ...  OK\\n  } |
+| local/customPipe.ts:20:5:22:5 | sanitiz ... K\\n    } |
+| local/customPipe.ts:25:5:27:5 | sanitiz ... K\\n    } |
+| local/customPipe.ts:31:5:33:5 | sanitiz ... K\\n    } |
+| local/customPipe.ts:36:5:38:5 | propaga ... K\\n    } |
+| local/customPipe.ts:41:5:43:5 | propaga ... K\\n    } |
+| local/customPipe.ts:47:5:49:5 | propaga ... K\\n    } |
+| local/routes.ts:6:3:8:3 | getFoo( ... o';\\n  } |
+| local/routes.ts:11:3:13:3 | postFoo ... o';\\n  } |
+| local/routes.ts:16:3:18:3 | getRoot ... o';\\n  } |
+| local/routes.ts:21:3:23:3 | bar() { ... r';\\n  } |
+| local/routes.ts:26:3:37:3 | request ... rn;\\n  } |
+| local/routes.ts:40:3:42:3 | post(@B ...  OK\\n  } |
+| local/routes.ts:46:3:50:3 | redir() ...  };\\n  } |
+| local/routes.ts:54:3:58:3 | redir2( ...  };\\n  } |
+| local/routes.ts:61:3:63:3 | explici ...  OK\\n  } |
+| local/routes.ts:66:3:68:3 | upload( ...  OK\\n  } |
+| local/routes.ts:71:3:73:3 | uploadM ...  OK\\n  } |
+| local/validation.ts:6:3:8:3 | route1( ...  OK\\n  } |
+| local/validation.ts:11:3:13:3 | route2( ...  OK\\n  } |
+| local/validation.ts:17:3:20:3 | route3( ...  OK\\n  } |
+| local/validation.ts:24:3:27:3 | route4( ...  OK\\n  } |
+| local/validation.ts:33:3:36:3 | route5( ...  OK\\n  } |
+| local/validation.ts:42:3:45:3 | route6( ...  OK\\n  } |
+requestSource
+| local/customDecorator.ts:5:21:5:51 | ctx.swi ... quest() |
+| local/routes.ts:30:12:30:14 | req |
+| local/routes.ts:61:23:61:25 | req |
+responseSource
+| local/routes.ts:61:35:61:37 | res |
+requestInputAccess
+| body | local/routes.ts:40:16:40:19 | body |
+| body | local/routes.ts:66:26:66:29 | file |
+| body | local/routes.ts:71:31:71:35 | files |
+| parameter | global/validation.ts:6:22:6:33 | validatedObj |
+| parameter | global/validation.ts:6:56:6:66 | unvalidated |
+| parameter | local/customDecorator.ts:6:12:6:41 | request ... ryParam |
+| parameter | local/customPipe.ts:5:15:5:19 | value |
+| parameter | local/customPipe.ts:13:15:13:19 | value |
+| parameter | local/routes.ts:27:17:27:17 | x |
+| parameter | local/routes.ts:28:14:28:21 | queryObj |
+| parameter | local/routes.ts:29:20:29:23 | name |
+| parameter | local/routes.ts:35:31:35:43 | req.query.abc |
+| parameter | local/routes.ts:54:29:54:34 | target |
+| parameter | local/routes.ts:62:14:62:24 | req.query.x |
+| parameter | local/validation.ts:6:44:6:55 | validatedObj |
+| parameter | local/validation.ts:11:38:11:49 | validatedObj |
+| parameter | local/validation.ts:17:22:17:33 | validatedObj |
+| parameter | local/validation.ts:17:56:17:66 | unvalidated |
+| parameter | local/validation.ts:24:22:24:33 | validatedObj |
+| parameter | local/validation.ts:24:56:24:66 | unvalidated |
+| parameter | local/validation.ts:33:22:33:33 | validatedObj |
+| parameter | local/validation.ts:33:56:33:66 | unvalidated |
+| parameter | local/validation.ts:42:22:42:33 | validatedObj |
+| parameter | local/validation.ts:42:56:42:66 | unvalidated |
+responseSendArgument
+| global/validation.ts:7:31:7:41 | unvalidated |
+| global/validation.ts:8:12:8:27 | validatedObj.key |
+| local/customDecorator.ts:19:12:19:16 | value |
+| local/customDecorator.ts:24:12:24:16 | value |
+| local/customPipe.ts:21:16:21:29 | '' + sanitized |
+| local/customPipe.ts:26:16:26:29 | '' + sanitized |
+| local/customPipe.ts:32:16:32:29 | '' + sanitized |
+| local/customPipe.ts:37:16:37:31 | '' + unsanitized |
+| local/customPipe.ts:42:16:42:31 | '' + unsanitized |
+| local/customPipe.ts:48:16:48:31 | '' + unsanitized |
+| local/routes.ts:7:12:7:16 | 'foo' |
+| local/routes.ts:12:12:12:16 | 'foo' |
+| local/routes.ts:17:12:17:16 | 'foo' |
+| local/routes.ts:22:12:22:16 | 'bar' |
+| local/routes.ts:32:31:32:31 | x |
+| local/routes.ts:33:31:33:38 | queryObj |
+| local/routes.ts:34:31:34:34 | name |
+| local/routes.ts:35:31:35:43 | req.query.abc |
+| local/routes.ts:41:12:41:17 | body.x |
+| local/routes.ts:62:14:62:24 | req.query.x |
+| local/routes.ts:67:12:67:28 | file.originalname |
+| local/routes.ts:72:12:72:32 | files[0 ... nalname |
+| local/validation.ts:7:12:7:27 | validatedObj.key |
+| local/validation.ts:12:12:12:27 | validatedObj.key |
+| local/validation.ts:18:31:18:46 | validatedObj.key |
+| local/validation.ts:19:12:19:22 | unvalidated |
+| local/validation.ts:25:31:25:46 | validatedObj.key |
+| local/validation.ts:26:12:26:22 | unvalidated |
+| local/validation.ts:34:31:34:46 | validatedObj.key |
+| local/validation.ts:35:12:35:22 | unvalidated |
+| local/validation.ts:43:31:43:46 | validatedObj.key |
+| local/validation.ts:44:12:44:22 | unvalidated |
+redirectSink
+| local/routes.ts:48:12:48:32 | '//othe ... le.com' |
+| local/routes.ts:56:12:56:17 | target |
diff --git a/javascript/ql/test/library-tests/frameworks/Nest/test.ql b/javascript/ql/test/library-tests/frameworks/Nest/test.ql
new file mode 100644
index 00000000000..120727d2548
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Nest/test.ql
@@ -0,0 +1,19 @@
+import javascript
+private import semmle.javascript.security.dataflow.ServerSideUrlRedirectCustomizations
+
+query HTTP::RouteHandler routeHandler() { any() }
+
+query HTTP::Servers::RequestSource requestSource() { any() }
+
+query HTTP::Servers::ResponseSource responseSource() { any() }
+
+query RemoteFlowSource requestInputAccess(string kind) {
+  kind = result.(HTTP::RequestInputAccess).getKind()
+  or
+  not result instanceof HTTP::RequestInputAccess and
+  kind = "RemoteFlowSource"
+}
+
+query HTTP::ResponseSendArgument responseSendArgument() { any() }
+
+query ServerSideUrlRedirect::Sink redirectSink() { any() }
diff --git a/javascript/ql/test/library-tests/frameworks/Nest/tsconfig.json b/javascript/ql/test/library-tests/frameworks/Nest/tsconfig.json
new file mode 100644
index 00000000000..c5df21cd7d4
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Nest/tsconfig.json
@@ -0,0 +1,6 @@
+{
+    "compilerOptions": {
+        "experimentalDecorators": true
+    },
+    "include": ["."]
+}

From d0b8b323459760231ede07df240acc29aed87fbb Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Thu, 15 Apr 2021 14:33:05 +0100
Subject: [PATCH 0641/1429] JS: Add change notes

---
 javascript/change-notes/2021-04-15-fs-promises.md | 3 +++
 javascript/change-notes/2021-04-15-nestjs.md      | 3 +++
 2 files changed, 6 insertions(+)
 create mode 100644 javascript/change-notes/2021-04-15-fs-promises.md
 create mode 100644 javascript/change-notes/2021-04-15-nestjs.md

diff --git a/javascript/change-notes/2021-04-15-fs-promises.md b/javascript/change-notes/2021-04-15-fs-promises.md
new file mode 100644
index 00000000000..f410f00edb1
--- /dev/null
+++ b/javascript/change-notes/2021-04-15-fs-promises.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Support for `fs.promises` has been added, leading to more results for security queries
+  related to file system access.
diff --git a/javascript/change-notes/2021-04-15-nestjs.md b/javascript/change-notes/2021-04-15-nestjs.md
new file mode 100644
index 00000000000..5eaa0e5af69
--- /dev/null
+++ b/javascript/change-notes/2021-04-15-nestjs.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Support for Nest.js has been added. The security queries now recognize sources and sinks
+  specific to the Nest.js framework.

From 4f53a1ab409bce25bc0ac52ef60582f2d884f83f Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Wed, 21 Apr 2021 14:48:52 +0100
Subject: [PATCH 0642/1429] JS: Cache ClassNode::Range

---
 .../ql/src/semmle/javascript/dataflow/Nodes.qll       | 11 +++++++++++
 .../src/semmle/javascript/internal/CachedStages.qll   |  2 ++
 2 files changed, 13 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
index 5a110f44ff8..19fe93da259 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
@@ -1081,35 +1081,42 @@ module ClassNode {
    * Subclass this to introduce new kinds of class nodes. If you want to refine
    * the definition of existing class nodes, subclass `DataFlow::ClassNode` instead.
    */
+  cached
   abstract class Range extends DataFlow::SourceNode {
     /**
      * Gets the name of the class, if it has one.
      */
+    cached
     abstract string getName();
 
     /**
      * Gets a description of the class.
      */
+    cached
     abstract string describe();
 
     /**
      * Gets the constructor function of this class.
      */
+    cached
     abstract FunctionNode getConstructor();
 
     /**
      * Gets the instance member with the given name and kind.
      */
+    cached
     abstract FunctionNode getInstanceMember(string name, MemberKind kind);
 
     /**
      * Gets an instance member with the given kind.
      */
+    cached
     abstract FunctionNode getAnInstanceMember(MemberKind kind);
 
     /**
      * Gets the static method of this class with the given name.
      */
+    cached
     abstract FunctionNode getStaticMethod(string name);
 
     /**
@@ -1117,20 +1124,24 @@ module ClassNode {
      *
      * The constructor is not considered a static method.
      */
+    cached
     abstract FunctionNode getAStaticMethod();
 
     /**
      * Gets a dataflow node representing a class to be used as the super-class
      * of this node.
      */
+    cached
     abstract DataFlow::Node getASuperClassNode();
 
     /**
      * Gets the type annotation for the field `fieldName`, if any.
      */
+    cached
     TypeAnnotation getFieldTypeAnnotation(string fieldName) { none() }
 
     /** Gets a decorator applied to this class. */
+    cached
     DataFlow::Node getADecorator() { none() }
   }
 
diff --git a/javascript/ql/src/semmle/javascript/internal/CachedStages.qll b/javascript/ql/src/semmle/javascript/internal/CachedStages.qll
index 6980a6eef7f..80d0930cbed 100644
--- a/javascript/ql/src/semmle/javascript/internal/CachedStages.qll
+++ b/javascript/ql/src/semmle/javascript/internal/CachedStages.qll
@@ -135,6 +135,8 @@ module Stages {
       exists(any(AccessPath a).getAnInstanceIn(_))
       or
       exists(any(DataFlow::PropRef ref).getBase())
+      or
+      exists(any(DataFlow::ClassNode cls))
     }
   }
 

From 71e3041370735b3220853a666722b06a13b58df7 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Fri, 23 Apr 2021 13:15:13 +0100
Subject: [PATCH 0643/1429] JS: Fewer spurious reflected xss sinks

---
 .../src/semmle/javascript/frameworks/Nest.qll | 26 +++++++++++++++++--
 .../frameworks/Nest/test.expected             |  4 ---
 2 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Nest.qll b/javascript/ql/src/semmle/javascript/frameworks/Nest.qll
index 297897b3541..d216fac1712 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Nest.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Nest.qll
@@ -51,6 +51,15 @@ module NestJS {
       getAFunctionDecorator(this) = nestjs().getMember("Redirect").getACall()
     }
 
+    /**
+     * Holds if the return value is sent back in the response.
+     */
+    predicate isReturnValueReflected() {
+      getAFunctionDecorator(this) = nestjs().getMember(["Get", "Post"]).getACall() and
+      not hasRedirectDecorator() and
+      not getAFunctionDecorator(this) = nestjs().getMember("Render").getACall()
+    }
+
     /** Gets a pipe applied to the inputs of this route handler, not including global pipes. */
     DataFlow::Node getAPipe() {
       exists(DataFlow::CallNode decorator |
@@ -317,6 +326,14 @@ module NestJS {
     }
   }
 
+  private predicate isStringType(Type type) {
+    type instanceof StringType
+    or
+    type instanceof AnyType
+    or
+    isStringType(type.(PromiseType).getElementType().unfold())
+  }
+
   /**
    * A return value from a route handler, seen as an argument to `res.send()`.
    *
@@ -333,8 +350,13 @@ module NestJS {
     NestJSRouteHandler handler;
 
     ReturnValueAsResponseSend() {
-      not handler.hasRedirectDecorator() and
-      this = handler.getAReturn().asExpr()
+      handler.isReturnValueReflected() and
+      this = handler.getAReturn().asExpr() and
+      // Only returned strings are sinks
+      not exists(Type type |
+        type = getType() and
+        not isStringType(type.unfold())
+      )
     }
 
     override HTTP::RouteHandler getRouteHandler() { result = handler }
diff --git a/javascript/ql/test/library-tests/frameworks/Nest/test.expected b/javascript/ql/test/library-tests/frameworks/Nest/test.expected
index 9de016189ba..c659295f552 100644
--- a/javascript/ql/test/library-tests/frameworks/Nest/test.expected
+++ b/javascript/ql/test/library-tests/frameworks/Nest/test.expected
@@ -67,10 +67,6 @@ responseSendArgument
 | local/customPipe.ts:37:16:37:31 | '' + unsanitized |
 | local/customPipe.ts:42:16:42:31 | '' + unsanitized |
 | local/customPipe.ts:48:16:48:31 | '' + unsanitized |
-| local/routes.ts:7:12:7:16 | 'foo' |
-| local/routes.ts:12:12:12:16 | 'foo' |
-| local/routes.ts:17:12:17:16 | 'foo' |
-| local/routes.ts:22:12:22:16 | 'bar' |
 | local/routes.ts:32:31:32:31 | x |
 | local/routes.ts:33:31:33:38 | queryObj |
 | local/routes.ts:34:31:34:34 | name |

From 0da0670a79750f40f03c3fbbad78210af655b342 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Fri, 23 Apr 2021 11:04:19 +0100
Subject: [PATCH 0644/1429] JS: Add Nest.js to list of supported framworks

---
 docs/codeql/support/reusables/frameworks.rst | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/codeql/support/reusables/frameworks.rst b/docs/codeql/support/reusables/frameworks.rst
index 22569cbdcc6..5f88e3c907d 100644
--- a/docs/codeql/support/reusables/frameworks.rst
+++ b/docs/codeql/support/reusables/frameworks.rst
@@ -128,6 +128,7 @@ JavaScript and TypeScript built-in support
    mssql, Database
    mysql, Database
    node, Runtime environment
+   nest.js, Server
    postgres, Database
    ramda, Utility library
    react, HTML framework

From 3cf4f1f95634401c64dfcadafa9aa4dd1149799e Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 23 Apr 2021 16:00:23 +0200
Subject: [PATCH 0645/1429] C++: Accept test changes.

---
 .../CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.expected   | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.expected
index e71cacde76c..e2b696ba0c0 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.expected
@@ -12,5 +12,6 @@
 | test6.cpp:16:15:16:15 | s | $@ flows to here and is used in an expression which might overflow. | test6.cpp:39:23:39:24 | & ... | User-provided value |
 | test6.cpp:30:16:30:16 | s | $@ flows to here and is used in an expression which might overflow. | test6.cpp:39:23:39:24 | & ... | User-provided value |
 | test.c:14:15:14:35 | ... * ... | $@ flows to here and is used in an expression which might overflow. | test.c:11:29:11:32 | argv | User-provided value |
+| test.c:25:5:25:9 | ... ++ | $@ flows to here and is used in an expression which might overflow. | test.c:23:15:23:18 | argv | User-provided value |
 | test.c:44:7:44:12 | ... -- | $@ flows to here and is used in an expression which might overflow negatively. | test.c:41:17:41:20 | argv | User-provided value |
 | test.c:54:7:54:12 | ... -- | $@ flows to here and is used in an expression which might overflow negatively. | test.c:51:17:51:20 | argv | User-provided value |

From 86822f6c6161dc22f369a1de8caadb82d3530c38 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 23 Apr 2021 16:01:53 +0200
Subject: [PATCH 0646/1429] C++: Exclude pointer results from
 cpp/integer-overflow-tainted.

---
 cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql        | 1 +
 .../CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.expected   | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
index 0adb600dbda..7a7aa716e8a 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
@@ -28,6 +28,7 @@ predicate outOfBoundsExpr(Expr expr, string kind) {
 
 from Expr use, Expr origin, string kind
 where
+  not use.getUnspecifiedType() instanceof PointerType and
   outOfBoundsExpr(use, kind) and
   tainted(origin, use) and
   origin != use and
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.expected
index e2b696ba0c0..e71cacde76c 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.expected
@@ -12,6 +12,5 @@
 | test6.cpp:16:15:16:15 | s | $@ flows to here and is used in an expression which might overflow. | test6.cpp:39:23:39:24 | & ... | User-provided value |
 | test6.cpp:30:16:30:16 | s | $@ flows to here and is used in an expression which might overflow. | test6.cpp:39:23:39:24 | & ... | User-provided value |
 | test.c:14:15:14:35 | ... * ... | $@ flows to here and is used in an expression which might overflow. | test.c:11:29:11:32 | argv | User-provided value |
-| test.c:25:5:25:9 | ... ++ | $@ flows to here and is used in an expression which might overflow. | test.c:23:15:23:18 | argv | User-provided value |
 | test.c:44:7:44:12 | ... -- | $@ flows to here and is used in an expression which might overflow negatively. | test.c:41:17:41:20 | argv | User-provided value |
 | test.c:54:7:54:12 | ... -- | $@ flows to here and is used in an expression which might overflow negatively. | test.c:51:17:51:20 | argv | User-provided value |

From 004450b201d63afa55ad25aa4e4ebd9e9edfd731 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Fri, 23 Apr 2021 15:49:39 +0200
Subject: [PATCH 0647/1429] C#: Add missing `StringBuilder` flow summaries

---
 .../csharp/dataflow/LibraryTypeDataFlow.qll   | 32 +++++---
 .../dataflow/library/FlowSummaries.expected   | 77 +++++++++++++------
 .../dataflow/local/DataFlowStep.expected      |  2 +
 .../dataflow/local/TaintTrackingStep.expected |  4 +-
 4 files changed, 79 insertions(+), 36 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/LibraryTypeDataFlow.qll b/csharp/ql/src/semmle/code/csharp/dataflow/LibraryTypeDataFlow.qll
index 5798080a98a..32f22b97914 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/LibraryTypeDataFlow.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/LibraryTypeDataFlow.qll
@@ -807,17 +807,29 @@ class SystemTextStringBuilderFlow extends LibraryTypeDataFlow, SystemTextStringB
       sinkAp = AccessPath::empty() and
       preservesValue = false
       or
-      exists(int i, Type t |
-        name.regexpMatch("Append(Format|Line)?") and
-        t = m.getParameter(i).getType() and
-        source = TCallableFlowSourceArg(i) and
+      name.regexpMatch("Append(Format|Line|Join)?") and
+      preservesValue = true and
+      (
+        exists(int i, Type t |
+          t = m.getParameter(i).getType() and
+          source = TCallableFlowSourceArg(i) and
+          sink = TCallableFlowSinkQualifier() and
+          sinkAp = AccessPath::element()
+        |
+          (
+            t instanceof StringType or
+            t instanceof ObjectType
+          ) and
+          sourceAp = AccessPath::empty()
+          or
+          isCollectionType(t) and
+          sourceAp = AccessPath::element()
+        )
+        or
+        source = TCallableFlowSourceQualifier() and
         sourceAp = AccessPath::empty() and
-        sink = [TCallableFlowSinkQualifier().(TCallableFlowSink), TCallableFlowSinkReturn()] and
-        sinkAp = AccessPath::element() and
-        preservesValue = true
-      |
-        t instanceof StringType or
-        t instanceof ObjectType
+        sink = TCallableFlowSinkReturn() and
+        sinkAp = AccessPath::empty()
       )
     )
   }
diff --git a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
index 30b6ee553a1..faaef439eb5 100644
--- a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
+++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
@@ -2211,54 +2211,83 @@
 | System.Text.RegularExpressions.MatchCollection.get_Item(int) | element of argument -1 -> return (normal) | true |
 | System.Text.RegularExpressions.MatchCollection.set_Item(int, Match) | argument 1 -> element of argument -1 | true |
 | System.Text.RegularExpressions.MatchCollection.set_Item(int, object) | argument 1 -> element of argument -1 | true |
+| System.Text.StringBuilder.Append(Char[]) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.Append(Char[]) | element of argument 0 -> element of argument -1 | true |
+| System.Text.StringBuilder.Append(Char[], int, int) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.Append(Char[], int, int) | element of argument 0 -> element of argument -1 | true |
+| System.Text.StringBuilder.Append(ReadOnlyMemory<Char>) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.Append(ReadOnlySpan<Char>) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.Append(StringBuilder) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.Append(StringBuilder, int, int) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.Append(bool) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.Append(byte) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.Append(char) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.Append(char*, int) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.Append(char, int) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.Append(decimal) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.Append(double) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.Append(float) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.Append(int) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.Append(long) | argument -1 -> return (normal) | true |
 | System.Text.StringBuilder.Append(object) | argument 0 -> element of argument -1 | true |
-| System.Text.StringBuilder.Append(object) | argument 0 -> element of return (normal) | true |
+| System.Text.StringBuilder.Append(object) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.Append(sbyte) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.Append(short) | argument -1 -> return (normal) | true |
 | System.Text.StringBuilder.Append(string) | argument 0 -> element of argument -1 | true |
-| System.Text.StringBuilder.Append(string) | argument 0 -> element of return (normal) | true |
+| System.Text.StringBuilder.Append(string) | argument -1 -> return (normal) | true |
 | System.Text.StringBuilder.Append(string, int, int) | argument 0 -> element of argument -1 | true |
-| System.Text.StringBuilder.Append(string, int, int) | argument 0 -> element of return (normal) | true |
+| System.Text.StringBuilder.Append(string, int, int) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.Append(uint) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.Append(ulong) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.Append(ushort) | argument -1 -> return (normal) | true |
 | System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object) | argument 1 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object) | argument 1 -> element of return (normal) | true |
 | System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object) | argument 2 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object) | argument 2 -> element of return (normal) | true |
+| System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object) | argument -1 -> return (normal) | true |
 | System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object, object) | argument 1 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object, object) | argument 1 -> element of return (normal) | true |
 | System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object, object) | argument 2 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object, object) | argument 2 -> element of return (normal) | true |
 | System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object, object) | argument 3 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object, object) | argument 3 -> element of return (normal) | true |
+| System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object, object) | argument -1 -> return (normal) | true |
 | System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object, object, object) | argument 1 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object, object, object) | argument 1 -> element of return (normal) | true |
 | System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object, object, object) | argument 2 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object, object, object) | argument 2 -> element of return (normal) | true |
 | System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object, object, object) | argument 3 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object, object, object) | argument 3 -> element of return (normal) | true |
 | System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object, object, object) | argument 4 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object, object, object) | argument 4 -> element of return (normal) | true |
+| System.Text.StringBuilder.AppendFormat(IFormatProvider, string, object, object, object) | argument -1 -> return (normal) | true |
 | System.Text.StringBuilder.AppendFormat(IFormatProvider, string, params Object[]) | argument 1 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendFormat(IFormatProvider, string, params Object[]) | argument 1 -> element of return (normal) | true |
+| System.Text.StringBuilder.AppendFormat(IFormatProvider, string, params Object[]) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.AppendFormat(IFormatProvider, string, params Object[]) | element of argument 2 -> element of argument -1 | true |
 | System.Text.StringBuilder.AppendFormat(string, object) | argument 0 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendFormat(string, object) | argument 0 -> element of return (normal) | true |
 | System.Text.StringBuilder.AppendFormat(string, object) | argument 1 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendFormat(string, object) | argument 1 -> element of return (normal) | true |
+| System.Text.StringBuilder.AppendFormat(string, object) | argument -1 -> return (normal) | true |
 | System.Text.StringBuilder.AppendFormat(string, object, object) | argument 0 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendFormat(string, object, object) | argument 0 -> element of return (normal) | true |
 | System.Text.StringBuilder.AppendFormat(string, object, object) | argument 1 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendFormat(string, object, object) | argument 1 -> element of return (normal) | true |
 | System.Text.StringBuilder.AppendFormat(string, object, object) | argument 2 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendFormat(string, object, object) | argument 2 -> element of return (normal) | true |
+| System.Text.StringBuilder.AppendFormat(string, object, object) | argument -1 -> return (normal) | true |
 | System.Text.StringBuilder.AppendFormat(string, object, object, object) | argument 0 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendFormat(string, object, object, object) | argument 0 -> element of return (normal) | true |
 | System.Text.StringBuilder.AppendFormat(string, object, object, object) | argument 1 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendFormat(string, object, object, object) | argument 1 -> element of return (normal) | true |
 | System.Text.StringBuilder.AppendFormat(string, object, object, object) | argument 2 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendFormat(string, object, object, object) | argument 2 -> element of return (normal) | true |
 | System.Text.StringBuilder.AppendFormat(string, object, object, object) | argument 3 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendFormat(string, object, object, object) | argument 3 -> element of return (normal) | true |
+| System.Text.StringBuilder.AppendFormat(string, object, object, object) | argument -1 -> return (normal) | true |
 | System.Text.StringBuilder.AppendFormat(string, params Object[]) | argument 0 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendFormat(string, params Object[]) | argument 0 -> element of return (normal) | true |
+| System.Text.StringBuilder.AppendFormat(string, params Object[]) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.AppendFormat(string, params Object[]) | element of argument 1 -> element of argument -1 | true |
+| System.Text.StringBuilder.AppendJoin(char, params Object[]) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.AppendJoin(char, params Object[]) | element of argument 1 -> element of argument -1 | true |
+| System.Text.StringBuilder.AppendJoin(char, params String[]) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.AppendJoin(char, params String[]) | element of argument 1 -> element of argument -1 | true |
+| System.Text.StringBuilder.AppendJoin(string, params Object[]) | argument 0 -> element of argument -1 | true |
+| System.Text.StringBuilder.AppendJoin(string, params Object[]) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.AppendJoin(string, params Object[]) | element of argument 1 -> element of argument -1 | true |
+| System.Text.StringBuilder.AppendJoin(string, params String[]) | argument 0 -> element of argument -1 | true |
+| System.Text.StringBuilder.AppendJoin(string, params String[]) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.AppendJoin(string, params String[]) | element of argument 1 -> element of argument -1 | true |
+| System.Text.StringBuilder.AppendJoin<T>(char, IEnumerable<T>) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.AppendJoin<T>(char, IEnumerable<T>) | element of argument 1 -> element of argument -1 | true |
+| System.Text.StringBuilder.AppendJoin<T>(string, IEnumerable<T>) | argument 0 -> element of argument -1 | true |
+| System.Text.StringBuilder.AppendJoin<T>(string, IEnumerable<T>) | argument -1 -> return (normal) | true |
+| System.Text.StringBuilder.AppendJoin<T>(string, IEnumerable<T>) | element of argument 1 -> element of argument -1 | true |
+| System.Text.StringBuilder.AppendLine() | argument -1 -> return (normal) | true |
 | System.Text.StringBuilder.AppendLine(string) | argument 0 -> element of argument -1 | true |
-| System.Text.StringBuilder.AppendLine(string) | argument 0 -> element of return (normal) | true |
+| System.Text.StringBuilder.AppendLine(string) | argument -1 -> return (normal) | true |
 | System.Text.StringBuilder.StringBuilder(string) | argument 0 -> element of return (normal) | true |
 | System.Text.StringBuilder.StringBuilder(string, int) | argument 0 -> element of return (normal) | true |
 | System.Text.StringBuilder.StringBuilder(string, int, int, int) | argument 0 -> element of return (normal) | true |
diff --git a/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected b/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected
index e6c0dd9beda..f8d274d364d 100644
--- a/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected
+++ b/csharp/ql/test/library-tests/dataflow/local/DataFlowStep.expected
@@ -310,6 +310,7 @@
 | LocalDataFlow.cs:234:13:234:42 | SSA def(sink36) | LocalDataFlow.cs:235:9:235:14 | access to local variable sink36 |
 | LocalDataFlow.cs:234:22:234:42 | object creation of type StringBuilder | LocalDataFlow.cs:234:13:234:42 | SSA def(sink36) |
 | LocalDataFlow.cs:235:9:235:14 | [post] access to local variable sink36 | LocalDataFlow.cs:236:15:236:20 | access to local variable sink36 |
+| LocalDataFlow.cs:235:9:235:14 | access to local variable sink36 | LocalDataFlow.cs:235:9:235:33 | call to method AppendLine |
 | LocalDataFlow.cs:235:9:235:14 | access to local variable sink36 | LocalDataFlow.cs:236:15:236:20 | access to local variable sink36 |
 | LocalDataFlow.cs:239:13:239:51 | SSA def(nonSink10) | LocalDataFlow.cs:240:15:240:23 | access to local variable nonSink10 |
 | LocalDataFlow.cs:239:25:239:51 | object creation of type StringBuilder | LocalDataFlow.cs:239:13:239:51 | SSA def(nonSink10) |
@@ -322,6 +323,7 @@
 | LocalDataFlow.cs:242:15:242:22 | [post] access to local variable nonSink0 | LocalDataFlow.cs:243:30:243:37 | access to local variable nonSink0 |
 | LocalDataFlow.cs:242:15:242:22 | access to local variable nonSink0 | LocalDataFlow.cs:243:30:243:37 | access to local variable nonSink0 |
 | LocalDataFlow.cs:243:9:243:17 | [post] access to local variable nonSink10 | LocalDataFlow.cs:244:15:244:23 | access to local variable nonSink10 |
+| LocalDataFlow.cs:243:9:243:17 | access to local variable nonSink10 | LocalDataFlow.cs:243:9:243:38 | call to method AppendLine |
 | LocalDataFlow.cs:243:9:243:17 | access to local variable nonSink10 | LocalDataFlow.cs:244:15:244:23 | access to local variable nonSink10 |
 | LocalDataFlow.cs:247:13:247:52 | SSA def(taintedDataContract) | LocalDataFlow.cs:248:22:248:40 | access to local variable taintedDataContract |
 | LocalDataFlow.cs:247:13:247:52 | SSA qualifier def(taintedDataContract.AList) | LocalDataFlow.cs:250:22:250:46 | access to property AList |
diff --git a/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected b/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected
index e20fecfbe55..b5a6e1ba929 100644
--- a/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected
+++ b/csharp/ql/test/library-tests/dataflow/local/TaintTrackingStep.expected
@@ -400,9 +400,9 @@
 | LocalDataFlow.cs:234:22:234:42 | object creation of type StringBuilder | LocalDataFlow.cs:234:13:234:42 | SSA def(sink36) |
 | LocalDataFlow.cs:234:40:234:41 | "" | LocalDataFlow.cs:234:22:234:42 | object creation of type StringBuilder |
 | LocalDataFlow.cs:235:9:235:14 | [post] access to local variable sink36 | LocalDataFlow.cs:236:15:236:20 | access to local variable sink36 |
+| LocalDataFlow.cs:235:9:235:14 | access to local variable sink36 | LocalDataFlow.cs:235:9:235:33 | call to method AppendLine |
 | LocalDataFlow.cs:235:9:235:14 | access to local variable sink36 | LocalDataFlow.cs:236:15:236:20 | access to local variable sink36 |
 | LocalDataFlow.cs:235:27:235:32 | access to local variable sink35 | LocalDataFlow.cs:235:9:235:14 | [post] access to local variable sink36 |
-| LocalDataFlow.cs:235:27:235:32 | access to local variable sink35 | LocalDataFlow.cs:235:9:235:33 | call to method AppendLine |
 | LocalDataFlow.cs:239:13:239:51 | SSA def(nonSink10) | LocalDataFlow.cs:240:15:240:23 | access to local variable nonSink10 |
 | LocalDataFlow.cs:239:25:239:51 | object creation of type StringBuilder | LocalDataFlow.cs:239:13:239:51 | SSA def(nonSink10) |
 | LocalDataFlow.cs:239:43:239:50 | access to local variable nonSink0 | LocalDataFlow.cs:239:25:239:51 | object creation of type StringBuilder |
@@ -416,9 +416,9 @@
 | LocalDataFlow.cs:242:15:242:22 | [post] access to local variable nonSink0 | LocalDataFlow.cs:243:30:243:37 | access to local variable nonSink0 |
 | LocalDataFlow.cs:242:15:242:22 | access to local variable nonSink0 | LocalDataFlow.cs:243:30:243:37 | access to local variable nonSink0 |
 | LocalDataFlow.cs:243:9:243:17 | [post] access to local variable nonSink10 | LocalDataFlow.cs:244:15:244:23 | access to local variable nonSink10 |
+| LocalDataFlow.cs:243:9:243:17 | access to local variable nonSink10 | LocalDataFlow.cs:243:9:243:38 | call to method AppendLine |
 | LocalDataFlow.cs:243:9:243:17 | access to local variable nonSink10 | LocalDataFlow.cs:244:15:244:23 | access to local variable nonSink10 |
 | LocalDataFlow.cs:243:30:243:37 | access to local variable nonSink0 | LocalDataFlow.cs:243:9:243:17 | [post] access to local variable nonSink10 |
-| LocalDataFlow.cs:243:30:243:37 | access to local variable nonSink0 | LocalDataFlow.cs:243:9:243:38 | call to method AppendLine |
 | LocalDataFlow.cs:247:13:247:52 | SSA def(taintedDataContract) | LocalDataFlow.cs:248:22:248:40 | access to local variable taintedDataContract |
 | LocalDataFlow.cs:247:13:247:52 | SSA qualifier def(taintedDataContract.AList) | LocalDataFlow.cs:250:22:250:46 | access to property AList |
 | LocalDataFlow.cs:247:13:247:52 | SSA qualifier def(taintedDataContract.AString) | LocalDataFlow.cs:248:22:248:48 | access to property AString |

From 455b8407128d9467fb4272b0019c26bc34a03060 Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Fri, 23 Apr 2021 15:20:21 +0100
Subject: [PATCH 0648/1429] Fix all dead qhelp links

For those documents with no obvious new home I've pointed the links to the Internet Archive.
---
 .../Magic Constants/MagicConstantsNumbers.qhelp             | 2 +-
 .../Magic Constants/MagicConstantsString.qhelp              | 2 +-
 cpp/ql/src/Best Practices/SloppyGlobal.qhelp                | 2 +-
 cpp/ql/src/Best Practices/UseOfGoto.qhelp                   | 2 +-
 cpp/ql/src/Critical/ReturnValueIgnored.qhelp                | 2 +-
 .../Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.qhelp  | 2 +-
 cpp/ql/src/Metrics/Files/FTransitiveIncludes.qhelp          | 2 +-
 cpp/ql/src/Metrics/Files/FTransitiveSourceIncludes.qhelp    | 2 +-
 .../src/jsf/4.24 Control Flow Structures/AV Rule 189.qhelp  | 2 +-
 .../src/jsf/4.24 Control Flow Structures/AV Rule 201.qhelp  | 2 +-
 csharp/ql/src/Language Abuse/ForeachCapture.qhelp           | 2 +-
 csharp/ql/src/Likely Bugs/MishandlingJapaneseEra.qhelp      | 2 +-
 csharp/ql/src/Likely Bugs/ReferenceEqualsOnValueTypes.qhelp | 2 +-
 csharp/ql/src/Metrics/Files/FNumberOfTests.qhelp            | 2 +-
 csharp/ql/src/Security Features/CWE-011/ASPNetDebug.qhelp   | 2 +-
 .../CWE-209/ExceptionInformationExposure.qhelp              | 3 ---
 .../ql/src/Likely Bugs/Concurrency/StartInConstructor.qhelp | 2 +-
 java/ql/src/Likely Bugs/Frameworks/Swing/ThreadSafety.qhelp | 2 +-
 .../src/Likely Bugs/Likely Typos/StringBufferCharInit.qhelp | 2 +-
 java/ql/src/Likely Bugs/Resource Leaks/CloseReader.qhelp    | 2 +-
 java/ql/src/Likely Bugs/Resource Leaks/CloseSql.qhelp       | 2 +-
 java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.qhelp    | 2 +-
 java/ql/src/Metrics/RefTypes/TEfferentCoupling.qhelp        | 2 +-
 java/ql/src/Metrics/RefTypes/TEfferentSourceCoupling.qhelp  | 2 +-
 .../ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp | 2 +-
 java/ql/src/Security/CWE/CWE-611/XXE.qhelp                  | 4 ++--
 .../Dead Code/FinalizerNullsFields.qhelp                    | 2 +-
 .../legacy/ParameterAssignment.qhelp                        | 2 +-
 .../src/Declarations/SuspiciousMethodNameDeclaration.qhelp  | 4 ++--
 .../ql/src/Declarations/UnreachableMethodOverloads.qhelp    | 2 +-
 .../ql/src/LanguageFeatures/PropertyWriteOnPrimitive.qhelp  | 4 ++--
 javascript/ql/src/NodeJS/CyclicImport.qhelp                 | 2 +-
 javascript/ql/src/NodeJS/UnusedDependency.qhelp             | 2 +-
 javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.qhelp | 2 +-
 .../ql/src/Security/CWE-400/RemotePropertyInjection.qhelp   | 4 ++--
 javascript/ql/src/Security/CWE-611/Xxe.qhelp                | 6 +++---
 javascript/ql/src/Security/CWE-829/InsecureDownload.qhelp   | 2 +-
 python/ql/src/Classes/ShouldBeContextManager.qhelp          | 2 +-
 .../src/Functions/ModificationOfParameterWithDefault.qhelp  | 2 +-
 python/ql/src/Imports/CyclicImport.qhelp                    | 2 +-
 python/ql/src/Imports/ModuleLevelCyclicImport.qhelp         | 2 +-
 python/ql/src/Metrics/ClassEfferentCoupling.qhelp           | 2 +-
 python/ql/src/Metrics/ModuleEfferentCoupling.qhelp          | 2 +-
 python/ql/src/Variables/ShadowGlobal.qhelp                  | 5 ++---
 python/ql/src/external/MostlyDuplicateClass.qhelp           | 2 +-
 python/ql/src/external/MostlyDuplicateFile.qhelp            | 2 +-
 python/ql/src/external/MostlySimilarFile.qhelp              | 2 +-
 python/ql/src/external/SimilarFunction.qhelp                | 2 +-
 48 files changed, 54 insertions(+), 58 deletions(-)

diff --git a/cpp/ql/src/Best Practices/Magic Constants/MagicConstantsNumbers.qhelp b/cpp/ql/src/Best Practices/Magic Constants/MagicConstantsNumbers.qhelp
index 16fc75fc7ad..aa97965996f 100644
--- a/cpp/ql/src/Best Practices/Magic Constants/MagicConstantsNumbers.qhelp	
+++ b/cpp/ql/src/Best Practices/Magic Constants/MagicConstantsNumbers.qhelp	
@@ -39,7 +39,7 @@ then replace all the relevant occurrences in the code.</p>
 </li>
 <li>
   Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997). 
-  Chapter 5: Object Life Cycle, Rec 5.4 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
+  Chapter 5: Object Life Cycle, Rec 5.4 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
   <a href="https://www.securecoding.cert.org/confluence/display/c/DCL06-C.+Use+meaningful+symbolic+constants+to+represent+literal+values">DCL06-C. Use meaningful symbolic constants to represent literal values</a>
diff --git a/cpp/ql/src/Best Practices/Magic Constants/MagicConstantsString.qhelp b/cpp/ql/src/Best Practices/Magic Constants/MagicConstantsString.qhelp
index ca01aac69f0..19182fe5b19 100644
--- a/cpp/ql/src/Best Practices/Magic Constants/MagicConstantsString.qhelp	
+++ b/cpp/ql/src/Best Practices/Magic Constants/MagicConstantsString.qhelp	
@@ -38,7 +38,7 @@ constant.</p>
 </li>
 <li>
   Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997). 
-  Chapter 5: Object Life Cycle, Rec 5.4 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
+  Chapter 5: Object Life Cycle, Rec 5.4 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
   <a href="https://www.securecoding.cert.org/confluence/display/c/DCL06-C.+Use+meaningful+symbolic+constants+to+represent+literal+values">DCL06-C. Use meaningful symbolic constants to represent literal values</a>
diff --git a/cpp/ql/src/Best Practices/SloppyGlobal.qhelp b/cpp/ql/src/Best Practices/SloppyGlobal.qhelp
index a6255cc6a9e..48b36e6d476 100644
--- a/cpp/ql/src/Best Practices/SloppyGlobal.qhelp	
+++ b/cpp/ql/src/Best Practices/SloppyGlobal.qhelp	
@@ -21,7 +21,7 @@ Review the purpose of the each global variable flagged by this rule and update e
 
 <li>
   Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997). 
-  Chapter 1: Naming, Rec 1.1 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
+  Chapter 1: Naming, Rec 1.1 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
   <a href="http://www.learncpp.com/cpp-tutorial/42-global-variables/">Global variables</a>.
diff --git a/cpp/ql/src/Best Practices/UseOfGoto.qhelp b/cpp/ql/src/Best Practices/UseOfGoto.qhelp
index dd5702aabe4..cfceb144605 100644
--- a/cpp/ql/src/Best Practices/UseOfGoto.qhelp	
+++ b/cpp/ql/src/Best Practices/UseOfGoto.qhelp	
@@ -45,7 +45,7 @@ this rule.
 </li>
 <li>
   Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, Rule 4.6. Prentice Hall PTR, 1997.
-  (<a href="http://mongers.org/industrial-c++/">PDF</a>).
+  (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
   cplusplus.com: <a href="http://www.cplusplus.com/doc/tutorial/control/">Control Structures</a>.
diff --git a/cpp/ql/src/Critical/ReturnValueIgnored.qhelp b/cpp/ql/src/Critical/ReturnValueIgnored.qhelp
index 26d0f5c6e84..de0636987a0 100644
--- a/cpp/ql/src/Critical/ReturnValueIgnored.qhelp
+++ b/cpp/ql/src/Critical/ReturnValueIgnored.qhelp
@@ -32,7 +32,7 @@ Check the return value of functions that return status information.
 <references>
 
 <li>
-  M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 12: Error handling. Prentice Hall PTR, 1997 (<a href="http://mongers.org/industrial-c++/">available online</a>).
+  M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 12: Error handling. Prentice Hall PTR, 1997 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">available online</a>).
 </li>
 <li>
   The CERT C Secure Coding Standard: <a href="https://www.securecoding.cert.org/confluence/display/perl/EXP32-PL.+Do+not+ignore+function+return+values">EXP32-PL. Do not ignore function return values</a>.
diff --git a/cpp/ql/src/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.qhelp b/cpp/ql/src/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.qhelp
index 88a150a0ba2..3c9a68b97e2 100644
--- a/cpp/ql/src/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.qhelp	
+++ b/cpp/ql/src/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.qhelp	
@@ -26,7 +26,7 @@ indication that there may be cases unhandled by the <code>switch</code> statemen
   MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/switch-statement-cpp">switch statement (C++)</a>
 </li>
 <li>
-  M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 4: Control Flow, Rec 4.5. Prentice Hall PTR, 1997 (<a href="http://mongers.org/industrial-c++/">available online</a>).
+  M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 4: Control Flow, Rec 4.5. Prentice Hall PTR, 1997 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">available online</a>).
 </li>
 
 
diff --git a/cpp/ql/src/Metrics/Files/FTransitiveIncludes.qhelp b/cpp/ql/src/Metrics/Files/FTransitiveIncludes.qhelp
index 4e0b989b121..846e54b33c9 100644
--- a/cpp/ql/src/Metrics/Files/FTransitiveIncludes.qhelp
+++ b/cpp/ql/src/Metrics/Files/FTransitiveIncludes.qhelp
@@ -29,7 +29,7 @@ build time: the more included files, the longer the compilation time.</p>
   <a href="http://www.drdobbs.com/cpp/decoupling-c-header-files/212701130">Decoupling C Header Files</a>
 </li>
 <li>
-  <a href="https://wiki.hsr.ch/Prog3/files/overload72-FINAL_DesigningHeaderFiles.pdf">C++ Best Practice -
+  <a href="https://accu.org/journals/overload/14/72/griffiths_1995/">C++ Best Practice -
 Designing Header Files</a>
 </li>
 
diff --git a/cpp/ql/src/Metrics/Files/FTransitiveSourceIncludes.qhelp b/cpp/ql/src/Metrics/Files/FTransitiveSourceIncludes.qhelp
index a3091c68285..785ad68847d 100644
--- a/cpp/ql/src/Metrics/Files/FTransitiveSourceIncludes.qhelp
+++ b/cpp/ql/src/Metrics/Files/FTransitiveSourceIncludes.qhelp
@@ -35,7 +35,7 @@ they are contributing to unnecessarily long build times and creating artificial
   <a href="http://www.drdobbs.com/cpp/decoupling-c-header-files/212701130">Decoupling C Header Files</a>
 </li>
 <li>
-  <a href="https://wiki.hsr.ch/Prog3/files/overload72-FINAL_DesigningHeaderFiles.pdf">C++ Best Practice -
+  <a href="https://accu.org/journals/overload/14/72/griffiths_1995/">C++ Best Practice -
 Designing Header Files</a>
 </li>
 </references>
diff --git a/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 189.qhelp b/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 189.qhelp
index d4edec95db9..fde62870954 100644
--- a/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 189.qhelp	
+++ b/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 189.qhelp	
@@ -33,7 +33,7 @@ the break statement only exits from one level of the loop.</p>
 </li>
 <li>
   Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997). 
-  Chapter 4: Control Flow, Rule 4.6 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
+  Chapter 4: Control Flow, Rule 4.6 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
   <a href="http://www.cplusplus.com/doc/tutorial/control/">www.cplusplus.com Control Structures</a>
diff --git a/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 201.qhelp b/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 201.qhelp
index c165fe59ba8..19d01d570cd 100644
--- a/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 201.qhelp	
+++ b/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 201.qhelp	
@@ -39,7 +39,7 @@ loop if the loop requires more complicated variable iteration.
 </li>
 <li>
   Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997). 
-  Chapter 4: Control Flow, Rule 4.1 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
+  Chapter 4: Control Flow, Rule 4.1 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
 </li>
 
 
diff --git a/csharp/ql/src/Language Abuse/ForeachCapture.qhelp b/csharp/ql/src/Language Abuse/ForeachCapture.qhelp
index da966c4d967..516ed43cbf4 100644
--- a/csharp/ql/src/Language Abuse/ForeachCapture.qhelp	
+++ b/csharp/ql/src/Language Abuse/ForeachCapture.qhelp	
@@ -29,7 +29,7 @@ However on older compilers, the actual output is <code>10 10 10 10 10 10 10 10 1
 
 <references>
 
-  <li>Eric Lippert's Blog: <a href="http://blogs.msdn.com/b/ericlippert/archive/2009/11/12/closing-over-the-loop-variable-considered-harmful.aspx">Closing over the loop variable considered harmful</a>.</li>
+  <li>Eric Lippert's Blog: <a href="https://docs.microsoft.com/en-gb/archive/blogs/ericlippert/closing-over-the-loop-variable-considered-harmful">Closing over the loop variable considered harmful</a>.</li>
 
 </references>
 
diff --git a/csharp/ql/src/Likely Bugs/MishandlingJapaneseEra.qhelp b/csharp/ql/src/Likely Bugs/MishandlingJapaneseEra.qhelp
index ee484d49d46..a2000deb2d5 100644
--- a/csharp/ql/src/Likely Bugs/MishandlingJapaneseEra.qhelp	
+++ b/csharp/ql/src/Likely Bugs/MishandlingJapaneseEra.qhelp	
@@ -27,7 +27,7 @@
     <a href="https://blogs.msdn.microsoft.com/shawnste/2018/04/12/the-japanese-calendars-y2k-moment/">The Japanese Calendar's Y2K Moment</a>.
   </li>
   <li>
-    <a href="https://docs.microsoft.com/en-us/windows/desktop/Intl/era-handling-for-the-japanese-calendar/">Era Handling for the Japanese Calendar</a>.
+    <a href="https://docs.microsoft.com/en-us/windows/win32/intl/era-handling-for-the-japanese-calendar">Era Handling for the Japanese Calendar</a>.
   </li>
   <li>
    <a href="https://simple.wikipedia.org/wiki/List_of_Japanese_eras">List of Japanese Eras (Wikipedia)</a>
diff --git a/csharp/ql/src/Likely Bugs/ReferenceEqualsOnValueTypes.qhelp b/csharp/ql/src/Likely Bugs/ReferenceEqualsOnValueTypes.qhelp
index ede1d57f1cf..945bcb15a28 100644
--- a/csharp/ql/src/Likely Bugs/ReferenceEqualsOnValueTypes.qhelp	
+++ b/csharp/ql/src/Likely Bugs/ReferenceEqualsOnValueTypes.qhelp	
@@ -25,7 +25,7 @@ really be compared using <code>i == j</code>.</p>
 <references>
 
   <li>MSDN: <a href="http://msdn.microsoft.com/en-us/library/system.object.referenceequals.aspx">Object.ReferenceEquals Method</a>.</li>
-  <li>The Way I See It: <a href="http://blogs.msdn.com/b/vijaysk/archive/2008/03/19/object-referenceequals-valuevar-valuevar-will-always-return-false.aspx">Object.ReferenceEquals(ValueVar, ValueVar) will always return false.</a></li>
+  <li>The Way I See It: <a href="https://web.archive.org/web/20190919103548/https://blogs.msdn.microsoft.com/vijaysk/2008/03/18/object-referenceequalsvaluevar-valuevar-will-always-return-false/">Object.ReferenceEquals(ValueVar, ValueVar) will always return false.</a></li>
 
 
 </references>
diff --git a/csharp/ql/src/Metrics/Files/FNumberOfTests.qhelp b/csharp/ql/src/Metrics/Files/FNumberOfTests.qhelp
index 1ebd170eaad..cddb5383bac 100644
--- a/csharp/ql/src/Metrics/Files/FNumberOfTests.qhelp
+++ b/csharp/ql/src/Metrics/Files/FNumberOfTests.qhelp
@@ -53,7 +53,7 @@
   Microsoft Visual Studio Unit Testing Framework: documentation at <a href="https://msdn.microsoft.com/en-us/library/microsoft.visualstudio.testtools.unittesting.aspx">MSDN</a>.
 </li>
 <li>
-  xUnit.net: official website at <a href="https://xunit.github.io/">https://xunit.github.io/</a>.
+  xUnit.net: official website at <a href="https://xunit.net/">https://xunit.net/</a>.
 </li>
 
 </references>
diff --git a/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.qhelp b/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.qhelp
index 5a65094f39c..5caf33d0cc9 100644
--- a/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.qhelp	
+++ b/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.qhelp	
@@ -42,7 +42,7 @@ To fix this problem, the 'debug' flag should be set to <code>false</code>, or re
 
 <li>
 MSDN:
-<a href="https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/">Why debug=false in ASP.NET applications in production environment</a>.
+<a href="https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/">Why debug=false in ASP.NET applications in production environment</a>.
 </li>
 <li>
 MSDN:
diff --git a/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.qhelp b/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.qhelp
index fc508827c9f..f36d8a3204e 100644
--- a/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.qhelp	
+++ b/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.qhelp	
@@ -36,7 +36,4 @@ use the error log, but remote users will not see the information.</p>
 <sample src="ExceptionInformationExposure.cs" />
 </example>
 
-<references>
-<li>OWASP: <a href="https://www.owasp.org/index.php/Information_Leak_(information_disclosure)">Information Leak</a>.</li>
-</references>
 </qhelp>
diff --git a/java/ql/src/Likely Bugs/Concurrency/StartInConstructor.qhelp b/java/ql/src/Likely Bugs/Concurrency/StartInConstructor.qhelp
index 1d0d5b0a1fb..1401c92b0d6 100644
--- a/java/ql/src/Likely Bugs/Concurrency/StartInConstructor.qhelp	
+++ b/java/ql/src/Likely Bugs/Concurrency/StartInConstructor.qhelp	
@@ -41,7 +41,7 @@ initialized. This results in the program outputting "hello my friend".</p>
 
 <li>
   IBM developerWorks:
-  <a href="http://www.ibm.com/developerworks/java/library/j-jtp0618/index.html#4">Don't start threads from within constructors</a>.
+  <a href="https://web.archive.org/web/20200417101823/http://www.ibm.com/developerworks/java/library/j-jtp0618/index.html#4">Don't start threads from within constructors</a>.
 </li>
 
 
diff --git a/java/ql/src/Likely Bugs/Frameworks/Swing/ThreadSafety.qhelp b/java/ql/src/Likely Bugs/Frameworks/Swing/ThreadSafety.qhelp
index af79f45d59c..060db52dd61 100644
--- a/java/ql/src/Likely Bugs/Frameworks/Swing/ThreadSafety.qhelp	
+++ b/java/ql/src/Likely Bugs/Frameworks/Swing/ThreadSafety.qhelp	
@@ -94,7 +94,7 @@ D. Flanagan, <em>Java Foundation Classes in a Nutshell</em>, p.28. O'Reilly, 199
 </li>
 <li>
 Java Developer's Journal:
-<a href="http://www2.sys-con.com/itsg/virtualcd/java/archives/0605/ford/index.html">Building Thread-Safe GUIs with Swing</a>.
+<a href="http://www.comscigate.com/JDJ/archives/0605/ford/index.html">Building Thread-Safe GUIs with Swing</a>.
 </li>
 <li>
 The Java Tutorials:
diff --git a/java/ql/src/Likely Bugs/Likely Typos/StringBufferCharInit.qhelp b/java/ql/src/Likely Bugs/Likely Typos/StringBufferCharInit.qhelp
index 48004a1f118..d76c09e872b 100644
--- a/java/ql/src/Likely Bugs/Likely Typos/StringBufferCharInit.qhelp	
+++ b/java/ql/src/Likely Bugs/Likely Typos/StringBufferCharInit.qhelp	
@@ -41,7 +41,7 @@ J. Bloch and N. Gafter, <em>Java Puzzlers: Traps, Pitfalls, and Corner Cases</em
 Addison-Wesley, 2005.
 </li>
 <li>
-NetBeans IDE: <a href="http://wiki.netbeans.org/Java_Hints">Java Hints</a>
+NetBeans IDE: <a href="https://web.archive.org/web/20210117160808/http://wiki.netbeans.org/Java_Hints">Java Hints</a>
 </li>
 <li>
 PMD: <a href="https://pmd.github.io/latest/pmd_rules_java_errorprone.html#stringbufferinstantiationwithchar">Rule StringBufferInstantiationWithChar</a>
diff --git a/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.qhelp b/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.qhelp
index 4d06bef040e..b0ded8e53a1 100644
--- a/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.qhelp	
+++ b/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.qhelp	
@@ -51,7 +51,7 @@ In this case, the inner expression needs to be assigned to a local variable and
 
 
 <li>
-  IBM developerWorks: <a href="https://www.ibm.com/developerworks/java/library/j-jtp03216/index.html">Java theory and practice: Good housekeeping practices</a>. 
+  IBM developerWorks: <a href="https://web.archive.org/web/20201109041839/http://www.ibm.com/developerworks/java/library/j-jtp03216/index.html">Java theory and practice: Good housekeeping practices</a>.
 </li>
 <li>
   The Java Tutorials: <a href="https://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html">The try-with-resources Statement</a>.
diff --git a/java/ql/src/Likely Bugs/Resource Leaks/CloseSql.qhelp b/java/ql/src/Likely Bugs/Resource Leaks/CloseSql.qhelp
index 8f89d16ef1d..eea0513dc8e 100644
--- a/java/ql/src/Likely Bugs/Resource Leaks/CloseSql.qhelp	
+++ b/java/ql/src/Likely Bugs/Resource Leaks/CloseSql.qhelp	
@@ -40,7 +40,7 @@ by the code that created it or by a server shutdown procedure, as appropriate.</
 
 
 <li>
-  IBM developerWorks: <a href="https://www.ibm.com/developerworks/java/library/j-jtp03216/index.html">Java theory and practice: Good housekeeping practices</a>.
+  IBM developerWorks: <a href="https://web.archive.org/web/20201109041839/http://www.ibm.com/developerworks/java/library/j-jtp03216/index.html">Java theory and practice: Good housekeeping practices</a>.
 </li>
 <li>
   The Java Tutorials: <a href="https://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html">The try-with-resources Statement</a>.
diff --git a/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.qhelp b/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.qhelp
index 36e834ecefd..0b348a3f9b8 100644
--- a/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.qhelp	
+++ b/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.qhelp	
@@ -50,7 +50,7 @@ In this case, the inner expression needs to be assigned to a local variable and
 
 
 <li>
-  IBM developerWorks: <a href="https://www.ibm.com/developerworks/java/library/j-jtp03216/index.html">Java theory and practice: Good housekeeping practices</a>. 
+  IBM developerWorks: <a href="https://web.archive.org/web/20201109041839/http://www.ibm.com/developerworks/java/library/j-jtp03216/index.html">Java theory and practice: Good housekeeping practices</a>.
 </li>
 <li>
   The Java Tutorials: <a href="https://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html">The try-with-resources Statement</a>.
diff --git a/java/ql/src/Metrics/RefTypes/TEfferentCoupling.qhelp b/java/ql/src/Metrics/RefTypes/TEfferentCoupling.qhelp
index 40e9e0ef5de..535faedf81e 100644
--- a/java/ql/src/Metrics/RefTypes/TEfferentCoupling.qhelp
+++ b/java/ql/src/Metrics/RefTypes/TEfferentCoupling.qhelp
@@ -51,7 +51,7 @@ so the general technique is quite widely applicable.
 
 
 <li>
-IBM developerWorks: <a href="http://www.ibm.com/developerworks/library/j-eaed6/">Evolutionary architecture and emergent design: Emergent design through metrics</a>.
+IBM developerWorks: <a href="https://web.archive.org/web/20190919085934/https://www.ibm.com/developerworks/library/j-eaed6/">Evolutionary architecture and emergent design: Emergent design through metrics</a>.
 </li>
 <li>
 R. Martin, <em>Agile Software Development: Principles, Patterns and Practices</em>. Pearson, 2011.
diff --git a/java/ql/src/Metrics/RefTypes/TEfferentSourceCoupling.qhelp b/java/ql/src/Metrics/RefTypes/TEfferentSourceCoupling.qhelp
index ceb74639c1e..965fb2795fb 100644
--- a/java/ql/src/Metrics/RefTypes/TEfferentSourceCoupling.qhelp
+++ b/java/ql/src/Metrics/RefTypes/TEfferentSourceCoupling.qhelp
@@ -81,7 +81,7 @@ so the general technique is quite widely applicable.
 
 
 <li>
-A. Glover. <a href="http://7thgen.info/wiki/Code_Quality_For_Software_Architects">Code quality for software architects</a>. Published online, 2006.
+A. Glover. <a href="https://web.archive.org/web/20190919093358/http://7thgen.info/wiki/Code_Quality_For_Software_Architects">Code quality for software architects</a>. Published online, 2006.
 </li>
 <li>
 R. Martin. <em>Agile Software Development: Principles, Patterns and Practices</em>. Pearson, 2011.
diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
index 61b50a986e3..0d1f21ca87f 100644
--- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
+++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
@@ -69,7 +69,7 @@ Or How I Learned to Start Worrying and Hate Java Object Deserialization</a>.
 </li>
 <li>
 Alvaro Muñoz &amp; Christian Schneider, RSAConference 2016:
-<a href="https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf">Serial Killer: Silently Pwning Your Java Endpoints</a>.
+<a href="https://speakerdeck.com/pwntester/serial-killer-silently-pwning-your-java-endpoints">Serial Killer: Silently Pwning Your Java Endpoints</a>.
 </li>
 <li>
 SnakeYaml documentation on deserialization:
diff --git a/java/ql/src/Security/CWE/CWE-611/XXE.qhelp b/java/ql/src/Security/CWE/CWE-611/XXE.qhelp
index 93d420f7495..c2557883080 100644
--- a/java/ql/src/Security/CWE/CWE-611/XXE.qhelp
+++ b/java/ql/src/Security/CWE/CWE-611/XXE.qhelp
@@ -56,11 +56,11 @@ OWASP guidance on parsing xml files:
 </li>
 <li>
 Paper by Timothy Morgen:
-<a href="https://www.vsecurity.com//download/publications/XMLDTDEntityAttacks.pdf">XML Schema, DTD, and Entity Attacks</a>
+<a href="https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/">XML Schema, DTD, and Entity Attacks</a>
 </li>
 <li>
 Out-of-band data retrieval: Timur Yunusov &amp; Alexey Osipov, Black hat EU 2013:
-<a href="https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf">XML Out-Of-Band Data Retrieval</a>.
+<a href="https://www.slideshare.net/qqlan/bh-ready-v4">XML Out-Of-Band Data Retrieval</a>.
 </li>
 <li>
 Denial of service attack (Billion laughs):
diff --git a/java/ql/src/Violations of Best Practice/Dead Code/FinalizerNullsFields.qhelp b/java/ql/src/Violations of Best Practice/Dead Code/FinalizerNullsFields.qhelp
index f85888f651c..5be6edda989 100644
--- a/java/ql/src/Violations of Best Practice/Dead Code/FinalizerNullsFields.qhelp	
+++ b/java/ql/src/Violations of Best Practice/Dead Code/FinalizerNullsFields.qhelp	
@@ -77,7 +77,7 @@ severely affect performance, and you should avoid defining <code>finalize</code>
 </li>
 <li>
   IBM developerWorks:
-  <a href="https://www.ibm.com/developerworks/java/library/j-jtp01274/index.html#3.2">Java theory and practice: Explicit nulling</a>.
+  <a href="https://web.archive.org/web/20201111184342/https://www.ibm.com/developerworks/java/library/j-jtp01274/index.html#3.2">Java theory and practice: Explicit nulling</a>.
 </li>
 <li>
   Oracle Technology Network:
diff --git a/java/ql/src/Violations of Best Practice/legacy/ParameterAssignment.qhelp b/java/ql/src/Violations of Best Practice/legacy/ParameterAssignment.qhelp
index a4a39d81bc6..260f8f7c9c9 100644
--- a/java/ql/src/Violations of Best Practice/legacy/ParameterAssignment.qhelp	
+++ b/java/ql/src/Violations of Best Practice/legacy/ParameterAssignment.qhelp	
@@ -41,7 +41,7 @@ Help - Eclipse Platform:
 </li>
 <li>
 Java Basics:
-<a href="http://www.leepoint.net/JavaBasics/methods/methods-22-local-variables.html">Methods 4 - Local variables</a>.
+<a href="https://web.archive.org/web/20200223080939/http://leepoint.net/JavaBasics/methods/methods-22-local-variables.html">Methods 4 - Local variables</a>.
 </li>
 
 
diff --git a/javascript/ql/src/Declarations/SuspiciousMethodNameDeclaration.qhelp b/javascript/ql/src/Declarations/SuspiciousMethodNameDeclaration.qhelp
index d47f11d95f0..e59f290ae6d 100644
--- a/javascript/ql/src/Declarations/SuspiciousMethodNameDeclaration.qhelp
+++ b/javascript/ql/src/Declarations/SuspiciousMethodNameDeclaration.qhelp
@@ -48,8 +48,8 @@ in the first place.
 </example>
 <references>
 
-<li>TypeScript specification: <a href="https://github.com/microsoft/TypeScript/blob/master/doc/spec.md#3.8.9">Constructor Type Literals</a>.</li>
-<li>TypeScript specification: <a href="https://github.com/microsoft/TypeScript/blob/master/doc/spec.md#8.3.1">Constructor Parameters</a>.</li>
+<li>TypeScript specification: <a href="https://github.com/microsoft/TypeScript/blob/30cb20434a6b117e007a4959b2a7c16489f86069/doc/spec-ARCHIVED.md#3.8.9">Constructor Type Literals</a>.</li>
+<li>TypeScript specification: <a href="https://github.com/microsoft/TypeScript/blob/30cb20434a6b117e007a4959b2a7c16489f86069/doc/spec-ARCHIVED.md#8.3.1">Constructor Parameters</a>.</li>
 
 </references>
 </qhelp>
diff --git a/javascript/ql/src/Declarations/UnreachableMethodOverloads.qhelp b/javascript/ql/src/Declarations/UnreachableMethodOverloads.qhelp
index a01de30057c..f5f760f9cff 100644
--- a/javascript/ql/src/Declarations/UnreachableMethodOverloads.qhelp
+++ b/javascript/ql/src/Declarations/UnreachableMethodOverloads.qhelp
@@ -61,7 +61,7 @@
 </example>
 <references>
 
-<li>TypeScript specification: <a href="https://github.com/microsoft/TypeScript/blob/7be7cba050799bc11c9411babd31f44c9ec087f0/doc/spec.md#4.15.1">Overload Resolution</a></li>
+<li>TypeScript specification: <a href="https://github.com/microsoft/TypeScript/blob/30cb20434a6b117e007a4959b2a7c16489f86069/doc/spec-ARCHIVED.md#4.15.1">Overload Resolution</a></li>
 
 </references>
 </qhelp>
diff --git a/javascript/ql/src/LanguageFeatures/PropertyWriteOnPrimitive.qhelp b/javascript/ql/src/LanguageFeatures/PropertyWriteOnPrimitive.qhelp
index 91bb87f44b9..05e9da7d198 100644
--- a/javascript/ql/src/LanguageFeatures/PropertyWriteOnPrimitive.qhelp
+++ b/javascript/ql/src/LanguageFeatures/PropertyWriteOnPrimitive.qhelp
@@ -58,7 +58,7 @@ for (var i=s.length; i%8; ++i)
 </example>
 
 <references>
-<li>Ecma International, <a href="http://www.ecma-international.org/ecma-262/7.0/#prod-AssignmentExpression">ECMAScript 2016 Language Specification, Section 12.15: Assignment Operators</a>.</li>
-<li>Ecma International, <a href="http://www.ecma-international.org/ecma-262/7.0/#sec-object.defineproperty">ECMAScript 2016 Language Specification, Section 19.1.2.4: Object.defineProperty</a>.</li>
+<li>Ecma International, <a href="https://262.ecma-international.org/7.0/#prod-AssignmentExpression">ECMAScript 2016 Language Specification, Section 12.15: Assignment Operators</a>.</li>
+<li>Ecma International, <a href="https://262.ecma-international.org/7.0/#sec-object.defineproperty">ECMAScript 2016 Language Specification, Section 19.1.2.4: Object.defineProperty</a>.</li>
 </references>
 </qhelp>
diff --git a/javascript/ql/src/NodeJS/CyclicImport.qhelp b/javascript/ql/src/NodeJS/CyclicImport.qhelp
index f52d129fe4e..b512c17db76 100644
--- a/javascript/ql/src/NodeJS/CyclicImport.qhelp
+++ b/javascript/ql/src/NodeJS/CyclicImport.qhelp
@@ -39,7 +39,7 @@ so that it no longer depends on <code>a.js</code>:
 <references>
 
 
-<li>Brad Harris: <a href="http://selfcontained.us/2012/05/08/node-js-circular-dependencies/">node.js and circular dependencies</a>.</li>
+<li>Brad Harris: <a href="https://web.archive.org/web/20200203213815/http://selfcontained.us/2012/05/08/node-js-circular-dependencies/">node.js and circular dependencies</a>.</li>
 <li>Node.js Manual: <a href="http://nodejs.org/api/modules.html#modules_cycles">Modules</a>.</li>
 
 
diff --git a/javascript/ql/src/NodeJS/UnusedDependency.qhelp b/javascript/ql/src/NodeJS/UnusedDependency.qhelp
index 530e9417062..d35ae5fd309 100644
--- a/javascript/ql/src/NodeJS/UnusedDependency.qhelp
+++ b/javascript/ql/src/NodeJS/UnusedDependency.qhelp
@@ -66,7 +66,7 @@ Since this dependency is only used during development, it should instead be list
 <references>
 
 
-<li>NPM Manual: <a href="https://www.npmjs.org/doc/files/package.json.html">package.json</a>.</li>
+<li>NPM Manual: <a href="https://docs.npmjs.com/cli/v7/configuring-npm/package-json">package.json</a>.</li>
 
 
 </references>
diff --git a/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.qhelp b/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.qhelp
index 7920c7ee891..ea3fa3be486 100644
--- a/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.qhelp
+++ b/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.qhelp
@@ -76,7 +76,7 @@
 		</li>
 		<li>
 			OWASP:
-			<a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">XSS
+			<a href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html">XSS
 			(Cross Site Scripting) Prevention Cheat Sheet</a>.
 		</li>
 		<li>
diff --git a/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.qhelp b/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.qhelp
index c93ab4d09f6..f1c1f194e86 100644
--- a/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.qhelp
+++ b/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.qhelp
@@ -73,14 +73,14 @@
 	<li>Prototype pollution attacks:
 		<a href="https://github.com/electron/electron/pull/9287">electron</a>,
 		<a href="https://hackerone.com/reports/310443">lodash</a>,
-		<a href="https://nodesecurity.io/advisories/566">hoek</a>.
+		<a href="https://npmjs.com/advisories/566">hoek</a>.
 	</li>
 	<li> Penetration testing report:
 		<a href="http://seclists.org/pen-test/2009/Mar/67">
 			header name injection attack</a>
 	</li>
 	<li> npm blog post:
-		<a href="https://blog.liftsecurity.io/2015/01/14/the-dangers-of-square-bracket-notation#lift-security">
+		<a href="https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md">
 			dangers of square bracket notation</a>
 	</li>
 </references>
diff --git a/javascript/ql/src/Security/CWE-611/Xxe.qhelp b/javascript/ql/src/Security/CWE-611/Xxe.qhelp
index 94388f94530..1e859eb121f 100644
--- a/javascript/ql/src/Security/CWE-611/Xxe.qhelp
+++ b/javascript/ql/src/Security/CWE-611/Xxe.qhelp
@@ -34,7 +34,7 @@ To guard against XXE attacks, the <code>noent</code> option should be omitted or
 internal entities such as <code>&amp;amp;</code> or <code>&amp;gt;</code>. If desired, these
 entities can be expanded in a separate step using utility functions provided by libraries such
 as <a href="http://underscorejs.org/#unescape">underscore</a>,
-<a href="https://lodash.com/docs/latest#unescape">lodash</a> or
+<a href="https://lodash.com/docs/4.17.15#unescape">lodash</a> or
 <a href="https://github.com/mathiasbynens/he">he</a>.
 </p>
 <sample src="examples/XxeGood.js"/>
@@ -47,11 +47,11 @@ OWASP:
 </li>
 <li>
 Timothy Morgen:
-<a href="https://www.vsecurity.com//download/publications/XMLDTDEntityAttacks.pdf">XML Schema, DTD, and Entity Attacks</a>.
+<a href="https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/">XML Schema, DTD, and Entity Attacks</a>.
 </li>
 <li>
 Timur Yunusov, Alexey Osipov:
-<a href="https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf">XML Out-Of-Band Data Retrieval</a>.
+<a href="https://www.slideshare.net/qqlan/bh-ready-v4">XML Out-Of-Band Data Retrieval</a>.
 </li>
 </references>
 </qhelp>
diff --git a/javascript/ql/src/Security/CWE-829/InsecureDownload.qhelp b/javascript/ql/src/Security/CWE-829/InsecureDownload.qhelp
index 3db0aee40a2..2f79bde1a37 100644
--- a/javascript/ql/src/Security/CWE-829/InsecureDownload.qhelp
+++ b/javascript/ql/src/Security/CWE-829/InsecureDownload.qhelp
@@ -33,6 +33,6 @@
 	</example>
 
 	<references>
-		<li>OWASP: <a href="https://owasp.org/www-community/attacks/Man-in-the-middle_attack">Man-in-the-middle attack</a>.</li>
+		<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack">Man-in-the-middle attack</a></li>
 	</references>
 </qhelp>
diff --git a/python/ql/src/Classes/ShouldBeContextManager.qhelp b/python/ql/src/Classes/ShouldBeContextManager.qhelp
index 7c497688499..2af029677a7 100644
--- a/python/ql/src/Classes/ShouldBeContextManager.qhelp
+++ b/python/ql/src/Classes/ShouldBeContextManager.qhelp
@@ -31,7 +31,7 @@ updated to use a context manager.</p>
 </example>
 <references>
 
-<li>Effbot: <a href="http://effbot.org/zone/python-with-statement.htm">Python with statement</a>.</li>
+<li>Effbot: <a href="https://web.archive.org/web/20201012110738/http://effbot.org/zone/python-with-statement.htm">Python with statement</a>.</li>
 <li>Python Standard Library: <a href="http://docs.python.org/library/stdtypes.html#context-manager-types">Context manager
 </a>.</li>
 <li>Python Language Reference: <a href="http://docs.python.org/2.7/reference/datamodel.html#with-statement-context-managers">
diff --git a/python/ql/src/Functions/ModificationOfParameterWithDefault.qhelp b/python/ql/src/Functions/ModificationOfParameterWithDefault.qhelp
index ff225c68992..39bb484f891 100644
--- a/python/ql/src/Functions/ModificationOfParameterWithDefault.qhelp
+++ b/python/ql/src/Functions/ModificationOfParameterWithDefault.qhelp
@@ -36,7 +36,7 @@ function with a default of <code>default=None</code>, check if the parameter is
 </example>
 <references>
 
-  <li>Effbot: <a href="http://effbot.org/zone/default-values.htm">Default Parameter Values in Python</a>.</li>
+  <li>Effbot: <a href="https://web.archive.org/web/20201112004749/http://effbot.org/zone/default-values.htm">Default Parameter Values in Python</a>.</li>
   <li>Python Language Reference: <a href="http://docs.python.org/2/reference/compound_stmts.html#function-definitions">Function definitions</a>.</li>
 
 
diff --git a/python/ql/src/Imports/CyclicImport.qhelp b/python/ql/src/Imports/CyclicImport.qhelp
index 0d84c64418a..038f26c97aa 100644
--- a/python/ql/src/Imports/CyclicImport.qhelp
+++ b/python/ql/src/Imports/CyclicImport.qhelp
@@ -29,7 +29,7 @@ import that.
 
 <li>Python Language  Reference: <a href="http://docs.python.org/2/reference/simple_stmts.html#import">The import statement</a>.</li>
 <li>Python: <a href="http://docs.python.org/2/tutorial/modules.html">Modules</a>.</li>
-<li> Effbot: <a href="http://effbot.org/zone/import-confusion.htm">Import Confusion</a>.</li>
+<li> Effbot: <a href="https://web.archive.org/web/20200917011425/https://effbot.org/zone/import-confusion.htm">Import Confusion</a>.</li>
 
 
 </references>
diff --git a/python/ql/src/Imports/ModuleLevelCyclicImport.qhelp b/python/ql/src/Imports/ModuleLevelCyclicImport.qhelp
index 30af68d364e..45b6810cf23 100644
--- a/python/ql/src/Imports/ModuleLevelCyclicImport.qhelp
+++ b/python/ql/src/Imports/ModuleLevelCyclicImport.qhelp
@@ -33,7 +33,7 @@ import that.
 
 <li>Python Language  Reference: <a href="http://docs.python.org/2/reference/simple_stmts.html#import">The import statement</a>.</li>
 <li>Python: <a href="http://docs.python.org/2/tutorial/modules.html">Modules</a>.</li>
-<li> Effbot: <a href="http://effbot.org/zone/import-confusion.htm">Import Confusion</a>.</li>
+<li> Effbot: <a href="https://web.archive.org/web/20200917011425/https://effbot.org/zone/import-confusion.htm">Import Confusion</a>.</li>
 
 
 </references>
diff --git a/python/ql/src/Metrics/ClassEfferentCoupling.qhelp b/python/ql/src/Metrics/ClassEfferentCoupling.qhelp
index b28d6e5fb2e..04e7ce949e2 100644
--- a/python/ql/src/Metrics/ClassEfferentCoupling.qhelp
+++ b/python/ql/src/Metrics/ClassEfferentCoupling.qhelp
@@ -49,7 +49,7 @@ so the general technique is quite widely applicable.
 
 
 <li>
-IBM developerWorks: <a href="http://www.ibm.com/developerworks/library/j-eaed6/">Evolutionary architecture and emergent design: Emergent design through metrics</a>.
+IBM developerWorks: <a href="https://web.archive.org/web/20190919085934/https://www.ibm.com/developerworks/library/j-eaed6/">Evolutionary architecture and emergent design: Emergent design through metrics</a>.
 </li>
 <li>
 R. Martin, <em>Agile Software Development: Principles, Patterns and Practices</em>. Pearson, 2011.
diff --git a/python/ql/src/Metrics/ModuleEfferentCoupling.qhelp b/python/ql/src/Metrics/ModuleEfferentCoupling.qhelp
index 15cf254efac..aec3126aa57 100644
--- a/python/ql/src/Metrics/ModuleEfferentCoupling.qhelp
+++ b/python/ql/src/Metrics/ModuleEfferentCoupling.qhelp
@@ -29,7 +29,7 @@ You can reduce efferent coupling by splitting up a module so that each part depe
 
 
 <li>
-IBM developerWorks: <a href="http://www.ibm.com/developerworks/library/j-eaed6/">Evolutionary architecture and emergent design: Emergent design through metrics</a>.
+IBM developerWorks: <a href="https://web.archive.org/web/20190919085934/https://www.ibm.com/developerworks/library/j-eaed6/">Evolutionary architecture and emergent design: Emergent design through metrics</a>.
 </li>
 <li>
 R. Martin, <em>Agile Software Development: Principles, Patterns and Practices</em>. Pearson, 2011.
diff --git a/python/ql/src/Variables/ShadowGlobal.qhelp b/python/ql/src/Variables/ShadowGlobal.qhelp
index 52c88337570..f66a992c483 100644
--- a/python/ql/src/Variables/ShadowGlobal.qhelp
+++ b/python/ql/src/Variables/ShadowGlobal.qhelp
@@ -26,9 +26,8 @@ variable should be renamed to make the code easier to interpret.</p>
 </example>
 <references>
 
-<li>J. Lusth, <i>The Art and Craft of Programming - Python Edition</i>, Section: Scope. University of Alabama, 2012. (<a href="http://troll.cs.ua.edu/ACP-PY/index_13.html">Published online</a>).</li>
-<li>New Mexico Tech Computer Center: <a href="http://infohost.nmt.edu/tcc/help/pubs/python/web/global-statement.html">The global
-statement: Declare access to a global name</a>.</li>
+<li>J. Lusth, <i>The Art and Craft of Programming - Python Edition</i>, Section: Scope. University of Alabama, 2012. (<a href="https://web.archive.org/web/20190919091129/http://troll.cs.ua.edu/ACP-PY/index_13.html">Published online</a>).</li>
+<li>Python Language Reference: <a href="http://docs.python.org/reference/simple_stmts.html#the-global-statement">The global statement</a>.</li>
 
 
 
diff --git a/python/ql/src/external/MostlyDuplicateClass.qhelp b/python/ql/src/external/MostlyDuplicateClass.qhelp
index e7e5a0dc50f..5ca2bb0b6be 100644
--- a/python/ql/src/external/MostlyDuplicateClass.qhelp
+++ b/python/ql/src/external/MostlyDuplicateClass.qhelp
@@ -25,7 +25,7 @@ duplicate classes.</p>
 </recommendation>
 <references>
 
-  <li>E. Juergens, F. Deissenboeck, B. Hummel and S. Wagner, <em>Do Code Clones Matter?</em>, 2009. (<a href="http://www4.in.tum.de/~juergens/publications/ICSE2009_RP_0110_juergens.pdf">available online</a>).</li>
+  <li>E. Juergens, F. Deissenboeck, B. Hummel and S. Wagner, <em>Do Code Clones Matter?</em>, 2009. (<a href="https://wwwbroy.in.tum.de/~juergens/publications/ICSE2009_RP_0110_juergens.pdf">available online</a>).</li>
 
 </references>
 </qhelp>
diff --git a/python/ql/src/external/MostlyDuplicateFile.qhelp b/python/ql/src/external/MostlyDuplicateFile.qhelp
index 80035aef7f6..66594625a04 100644
--- a/python/ql/src/external/MostlyDuplicateFile.qhelp
+++ b/python/ql/src/external/MostlyDuplicateFile.qhelp
@@ -25,7 +25,7 @@ importing that module into the original module.</p>
 </recommendation>
 <references>
 
-  <li>E. Juergens, F. Deissenboeck, B. Hummel and S. Wagner, <em>Do Code Clones Matter?</em>, 2009. (<a href="http://www4.in.tum.de/~juergens/publications/ICSE2009_RP_0110_juergens.pdf">available online</a>).</li>
+  <li>E. Juergens, F. Deissenboeck, B. Hummel and S. Wagner, <em>Do Code Clones Matter?</em>, 2009. (<a href="https://wwwbroy.in.tum.de/~juergens/publications/ICSE2009_RP_0110_juergens.pdf">available online</a>).</li>
 
 </references>
 </qhelp>
diff --git a/python/ql/src/external/MostlySimilarFile.qhelp b/python/ql/src/external/MostlySimilarFile.qhelp
index 978c8f4450e..fc5bd517520 100644
--- a/python/ql/src/external/MostlySimilarFile.qhelp
+++ b/python/ql/src/external/MostlySimilarFile.qhelp
@@ -19,7 +19,7 @@ of the shared code into its own module and import that module into the original.
 </recommendation>
 <references>
 
-  <li>E. Juergens, F. Deissenboeck, B. Hummel and S. Wagner, <em>Do Code Clones Matter?</em>, 2009. (<a href="http://www4.in.tum.de/~juergens/publications/ICSE2009_RP_0110_juergens.pdf">available online</a>).</li>
+  <li>E. Juergens, F. Deissenboeck, B. Hummel and S. Wagner, <em>Do Code Clones Matter?</em>, 2009. (<a href="https://wwwbroy.in.tum.de/~juergens/publications/ICSE2009_RP_0110_juergens.pdf">available online</a>).</li>
 
 </references>
 </qhelp>
diff --git a/python/ql/src/external/SimilarFunction.qhelp b/python/ql/src/external/SimilarFunction.qhelp
index 5f8d0bdb7e9..2b1424c2374 100644
--- a/python/ql/src/external/SimilarFunction.qhelp
+++ b/python/ql/src/external/SimilarFunction.qhelp
@@ -25,7 +25,7 @@ almost all of their lines are the same, then consider extracting the same lines
 </recommendation>
 <references>
 
-  <li>E. Juergens, F. Deissenboeck, B. Hummel and S. Wagner, <em>Do Code Clones Matter?</em>, 2009. (<a href="http://www4.in.tum.de/~juergens/publications/ICSE2009_RP_0110_juergens.pdf">available online</a>).</li>
+  <li>E. Juergens, F. Deissenboeck, B. Hummel and S. Wagner, <em>Do Code Clones Matter?</em>, 2009. (<a href="https://wwwbroy.in.tum.de/~juergens/publications/ICSE2009_RP_0110_juergens.pdf">available online</a>).</li>
 
 </references>
 </qhelp>

From 78b9682a4e499ba0fb3a1f3ab12a785b92d2908d Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Fri, 23 Apr 2021 15:46:48 +0100
Subject: [PATCH 0649/1429] Fix dead links in JS externs too

---
 javascript/externs/es/es2016.js |  2 +-
 javascript/externs/es/es6.js    | 14 +++++++-------
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/javascript/externs/es/es2016.js b/javascript/externs/es/es2016.js
index a3ca37da3b1..3fe253b155e 100644
--- a/javascript/externs/es/es2016.js
+++ b/javascript/externs/es/es2016.js
@@ -4,7 +4,7 @@
 
 /**
  * @fileoverview Definitions for ECMAScript 2016.
- * @see http://www.ecma-international.org/ecma-262/7.0/
+ * @see https://262.ecma-international.org/7.0/
  * @externs
  */
 
diff --git a/javascript/externs/es/es6.js b/javascript/externs/es/es6.js
index 08e2a47c270..cab2c1a1135 100644
--- a/javascript/externs/es/es6.js
+++ b/javascript/externs/es/es6.js
@@ -210,7 +210,7 @@ String.prototype.repeat = function(count) {};
 /**
  * @constructor
  * @extends {Array<string>}
- * @see http://www.ecma-international.org/ecma-262/6.0/#sec-gettemplateobject
+ * @see https://262.ecma-international.org/6.0/#sec-gettemplateobject
  */
 var ITemplateArray = function() {};
 
@@ -1228,7 +1228,7 @@ Array.prototype.entries;
  * @return {T|undefined}
  * @this {IArrayLike<T>|string}
  * @template T,S
- * @see http://www.ecma-international.org/ecma-262/6.0/#sec-array.prototype.find
+ * @see https://262.ecma-international.org/6.0/#sec-array.prototype.find
  */
 Array.prototype.find = function(predicate, opt_this) {};
 
@@ -1239,7 +1239,7 @@ Array.prototype.find = function(predicate, opt_this) {};
  * @return {number}
  * @this {IArrayLike<T>|string}
  * @template T,S
- * @see http://www.ecma-international.org/ecma-262/6.0/#sec-array.prototype.findindex
+ * @see https://262.ecma-international.org/6.0/#sec-array.prototype.findindex
  */
 Array.prototype.findIndex = function(predicate, opt_this) {};
 
@@ -1251,7 +1251,7 @@ Array.prototype.findIndex = function(predicate, opt_this) {};
  * @return {!IArrayLike<T>}
  * @this {!IArrayLike<T>|string}
  * @template T
- * @see http://www.ecma-international.org/ecma-262/6.0/#sec-array.prototype.fill
+ * @see https://262.ecma-international.org/6.0/#sec-array.prototype.fill
  */
 Array.prototype.fill = function(value, opt_begin, opt_end) {};
 
@@ -1260,7 +1260,7 @@ Array.prototype.fill = function(value, opt_begin, opt_end) {};
  * @param {number} target
  * @param {number} start
  * @param {number=} opt_end
- * @see http://www.ecma-international.org/ecma-262/6.0/#sec-array.prototype.copywithin
+ * @see https://262.ecma-international.org/6.0/#sec-array.prototype.copywithin
  * @template T
  * @return {!IArrayLike<T>}
  */
@@ -1281,7 +1281,7 @@ Array.prototype.includes = function(searchElement, opt_fromIndex) {};
 /**
  * @param {!Object} obj
  * @return {!Array<symbol>}
- * @see http://www.ecma-international.org/ecma-262/6.0/#sec-object.getownpropertysymbols
+ * @see https://262.ecma-international.org/6.0/#sec-object.getownpropertysymbols
  */
 Object.getOwnPropertySymbols = function(obj) {};
 
@@ -1290,7 +1290,7 @@ Object.getOwnPropertySymbols = function(obj) {};
  * @param {!Object} obj
  * @param {?} proto
  * @return {!Object}
- * @see http://www.ecma-international.org/ecma-262/6.0/#sec-object.setprototypeof
+ * @see https://262.ecma-international.org/6.0/#sec-object.setprototypeof
  */
 Object.setPrototypeOf = function(obj, proto) {};
 

From 7cc97836a9fbf7785e7d9dfa7f123afecc9725c6 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Fri, 23 Apr 2021 20:26:13 +0200
Subject: [PATCH 0650/1429] Python: More cleanup from reviewer suggestions

---
 .../src/semmle/python/frameworks/Stdlib.qll   | 68 +++++++------------
 1 file changed, 23 insertions(+), 45 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index fc8e38fc9e7..faab66347f0 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -911,25 +911,23 @@ private module Stdlib {
   private string pathlibPathMethodExport() { result in ["as_posix", "as_uri"] }
 
   /**
-   * Flow for mehtods that return a `pathlib.Path` object.
+   * Flow for attributes and methods that return a `pathlib.Path` object.
    */
-  private predicate typePreservingCall(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    exists(DataFlow::AttrRead returnsPath | returnsPath.getAttributeName() = pathlibPathMethod() |
-      nodeTo.(DataFlow::CallCfgNode).getFunction() = returnsPath and
+  private predicate pathlibPathStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    exists(DataFlow::AttrRead returnsPath |
+      (
+        // attribute access
+        returnsPath.getAttributeName() = pathlibPathAttribute() and
+        nodeTo = returnsPath
+        or
+        // method call
+        returnsPath.getAttributeName() = pathlibPathMethod() and
+        nodeTo.(DataFlow::CallCfgNode).getFunction() = returnsPath
+      ) and
       nodeFrom = returnsPath.getObject()
     )
   }
 
-  /**
-   * Flow for attributes that are `pathlib.Path` objects.
-   */
-  private predicate typePreservingAttribute(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    exists(DataFlow::AttrRead isPath | isPath.getAttributeName() = pathlibPathAttribute() |
-      nodeTo = isPath and
-      nodeFrom = isPath.getObject()
-    )
-  }
-
   /**
    * Gets a reference to a `pathlib.Path` object.
    * This type tracker makes the monomorphic API use assumption.
@@ -939,22 +937,13 @@ private module Stdlib {
     t.start() and
     result = pathlib().getMember(pathlibPathConstructor()).getACall()
     or
-    // Type-preserving call
+    // Type-preserving step
     exists(DataFlow::Node nodeFrom, DataFlow::TypeTracker t2 |
       pathlibPath(t2).flowsTo(nodeFrom) and
       t2.end()
     |
       t.start() and
-      typePreservingCall(nodeFrom, result)
-    )
-    or
-    // Type-preserving attribute access
-    exists(DataFlow::Node nodeFrom, DataFlow::TypeTracker t2 |
-      nodeFrom.getALocalSource() = pathlibPath(t2) and
-      t2.end()
-    |
-      t.start() and
-      typePreservingAttribute(nodeFrom, result)
+      pathlibPathStep(nodeFrom, result)
     )
     or
     // Data injection
@@ -1013,14 +1002,7 @@ private module Stdlib {
       or
       // Type preservation
       pathlibPath().flowsTo(nodeFrom) and
-      pathlibPath().flowsTo(nodeTo) and
-      (
-        // Type-preserving call
-        typePreservingCall(nodeFrom, nodeTo)
-        or
-        // Type-preserving attribute access
-        typePreservingAttribute(nodeFrom, nodeTo)
-      )
+      pathlibPathStep(nodeFrom, nodeTo)
       or
       // Data injection
       pathlibPath().flowsTo(nodeTo) and
@@ -1053,20 +1035,16 @@ private module Stdlib {
       or
       // Export data from type
       pathlibPath().flowsTo(nodeFrom) and
-      (
+      exists(DataFlow::AttrRead exportPath |
         // exporting attribute
-        exists(DataFlow::AttrRead export |
-          export.getAttributeName() = pathlibPathAttributeExport()
-        |
-          nodeTo = export and
-          nodeFrom = export.getObject()
-        )
+        exportPath.getAttributeName() = pathlibPathAttributeExport() and
+        nodeTo = exportPath
         or
-        // exporting call
-        exists(DataFlow::AttrRead export | export.getAttributeName() = pathlibPathMethodExport() |
-          nodeTo.(DataFlow::CallCfgNode).getFunction() = export and
-          nodeFrom = export.getObject()
-        )
+        // exporting method
+        exportPath.getAttributeName() = pathlibPathMethodExport() and
+        nodeTo.(DataFlow::CallCfgNode).getFunction() = exportPath
+      |
+        nodeFrom = exportPath.getObject()
       )
     }
   }

From b1a36334954afd1bf8af04ddc00da159fa330a6c Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Fri, 23 Apr 2021 22:06:04 +0200
Subject: [PATCH 0651/1429] Java: Remove redundant condition + docs.

---
 .../Security/CWE/CWE-347/MissingJWTSignatureCheck.ql        | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
index 67b56555fd9..6d7462f1338 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
@@ -124,7 +124,7 @@ private predicate isSigningKeySetter(Expr expr, MethodAccess signingMa) {
 }
 
 /**
- * An expr that is a `JwtParser` for which a signing key has been set and which is used as
+ * An expr that is a (sub-type of) `JwtParser` for which a signing key has been set and which is used as
  * the qualifier to a `JwtParserInsecureParseMethodAccess`.
  */
 private class JwtParserWithSigningKeyExpr extends Expr {
@@ -140,8 +140,7 @@ private class JwtParserWithSigningKeyExpr extends Expr {
 }
 
 /**
- * Models flow from `SigningKeyMethodAccess`es to expressions that are a
- * (sub-type of) `JwtParser` and which are also the qualifier to a `JwtParserInsecureParseMethodAccess`.
+ * Models flow from `SigningKeyMethodAccess`es to qualifiers of `JwtParserInsecureParseMethodAccess`es.
  * This is used to determine whether a `JwtParser` has a signing key set.
  */
 private class SigningToInsecureMethodAccessDataFlow extends DataFlow::Configuration {
@@ -152,7 +151,6 @@ private class SigningToInsecureMethodAccessDataFlow extends DataFlow::Configurat
   }
 
   override predicate isSink(DataFlow::Node sink) {
-    sink.asExpr().getType() instanceof TypeDerivedJwtParser and
     any(JwtParserInsecureParseMethodAccess ma).getQualifier() = sink.asExpr()
   }
 

From f2b2300da90f2ff9680f8934985784b968ed7642 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Sun, 25 Apr 2021 22:23:31 +0300
Subject: [PATCH 0652/1429] Add files via upload

---
 .../Security/CWE/CWE-415/DoubleFree.c         | 13 +++++
 .../Security/CWE/CWE-415/DoubleFree.qhelp     | 26 ++++++++++
 .../Security/CWE/CWE-415/DoubleFree.ql        | 51 +++++++++++++++++++
 3 files changed, 90 insertions(+)
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.c
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.qhelp
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.c b/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.c
new file mode 100644
index 00000000000..978ca445215
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.c
@@ -0,0 +1,13 @@
+...
+  buf = malloc(intSize);
+...
+  free(buf); 
+  buf = NULL; // GOOD
+...
+
+...
+  buf = malloc(intSize);
+...
+  free(buf); 
+  if(buf) free(buf); // BAD: the cleanup function does not zero out the pointer
+...
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.qhelp
new file mode 100644
index 00000000000..f30d2f2c48b
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.qhelp
@@ -0,0 +1,26 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Double freeing of a previously allocated resource can lead to various vulnerabilities in the program. Requires the attention of developers.</p>
+
+</overview>
+<recommendation>
+<p>We recommend that you exclude situations of possible double release.</p>
+
+</recommendation>
+<example>
+<p>The following example demonstrates an erroneous and corrected use of freeing a pointer.</p>
+<sample src="DoubleFree.c" />
+
+</example>
+<references>
+
+<li>
+  CERT C Coding Standard:
+  <a href="https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory">MEM30-C. Do not access freed memory</a>.
+</li>
+
+</references>
+</qhelp>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql b/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql
new file mode 100644
index 00000000000..199dc18bee7
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql
@@ -0,0 +1,51 @@
+/**
+ * @name Errors When Double Free
+ * @description Double freeing of a previously allocated resource can lead to various vulnerabilities in the program
+ *              and requires the attention of the developer.
+ * @kind problem
+ * @id cpp/errors-when-double-free
+ * @problem.severity warning
+ * @precision medium
+ * @tags security
+ *       external/cwe/cwe-415
+ */
+
+import cpp
+
+/**
+ * The function allows `getASuccessor` to be called recursively.
+ * This provides a stop in situations of possible influence on the pointer.
+ */
+ControlFlowNode recursASuccessor(FunctionCall fc, LocalScopeVariable v) {
+  result = fc
+  or
+  exists(ControlFlowNode mid |
+    mid = recursASuccessor(fc, v) and
+    result = mid.getASuccessor() and
+    not result = v.getAnAssignedValue() and
+    not result.(AddressOfExpr).getOperand() = v.getAnAccess() and
+    not (
+      not result instanceof DeallocationExpr and
+      result.(FunctionCall).getAnArgument().(VariableAccess).getTarget() = v
+    ) and
+    (
+      fc.getTarget().hasGlobalOrStdName("realloc") and
+      (
+        not fc.getParent*() instanceof IfStmt and
+        not result instanceof IfStmt
+      )
+      or
+      not fc.getTarget().hasGlobalOrStdName("realloc")
+    )
+  )
+}
+
+from FunctionCall fc
+where
+  exists(FunctionCall fc2, LocalScopeVariable v |
+    freeCall(fc, v.getAnAccess()) and
+    freeCall(fc2, v.getAnAccess()) and
+    fc != fc2 and
+    recursASuccessor(fc, v) = fc2
+  )
+select fc.getArgument(0), "This pointer may be cleared again later."

From c1d125b3786d5d0afa5071a9165e5ba7235bc457 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Sun, 25 Apr 2021 22:25:17 +0300
Subject: [PATCH 0653/1429] Add files via upload

---
 .../CWE-415/semmle/tests/DoubleFree.expected  |  2 ++
 .../CWE/CWE-415/semmle/tests/DoubleFree.qlref |  1 +
 .../Security/CWE/CWE-415/semmle/tests/test.c  | 21 +++++++++++++++++++
 3 files changed, 24 insertions(+)
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.expected
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.qlref
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.expected
new file mode 100644
index 00000000000..669c65cba2a
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.expected
@@ -0,0 +1,2 @@
+| test.c:9:8:9:10 | buf | This pointer may be cleared again later. |
+| test.c:19:26:19:29 | buf1 | This pointer may be cleared again later. |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.qlref
new file mode 100644
index 00000000000..242beb593f8
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-415/DoubleFree.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c
new file mode 100644
index 00000000000..1ebf3546480
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c
@@ -0,0 +1,21 @@
+typedef unsigned long size_t;
+void *malloc(size_t size);
+void free(void *ptr);
+
+void workFunction_0(char *s) {
+  int intSize = 10;
+  char *buf;
+  buf = (char *) malloc(intSize);
+  free(buf); // BAD
+  if(buf) free(buf);
+}
+void workFunction_1(char *s) {
+  int intSize = 10;
+  char *buf;
+  char *buf1;
+  buf = (char *) malloc(intSize);
+  buf1 = (char *) realloc(buf,intSize*2);
+  if(buf) free(buf); // GOOD
+  buf = (char *) realloc(buf1,intSize*4); // BAD
+  free(buf1);
+}

From 50c63a88c3036b7ffddd579fe5454fe3ad72cf2f Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Sun, 25 Apr 2021 22:34:41 +0300
Subject: [PATCH 0654/1429] Add files via upload

---
 ...tionOfVariableWithUnnecessarilyWideScope.c | 14 +++++
 ...OfVariableWithUnnecessarilyWideScope.qhelp | 26 ++++++++
 ...ionOfVariableWithUnnecessarilyWideScope.ql | 62 +++++++++++++++++++
 3 files changed, 102 insertions(+)
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.c
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.qhelp
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.c b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.c
new file mode 100644
index 00000000000..b09971b5328
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.c
@@ -0,0 +1,14 @@
+while(intIndex > 2)
+{
+  ...
+  intIndex--;
+  ...
+} // GOOD: coreten cycle
+...
+while(intIndex > 2)
+{
+  ...
+  int intIndex;
+  intIndex--;
+  ...
+} // BAD: the variable used in the condition does not change.
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.qhelp
new file mode 100644
index 00000000000..d84f47f5453
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.qhelp
@@ -0,0 +1,26 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Using variables with the same name is dangerous. However, such a situation inside the while loop can lead to a violation of the accessibility of the program. Requires the attention of developers.</p>
+
+</overview>
+<recommendation>
+<p>We recommend not to use local variables inside a loop if their names are the same as the variables in the condition of this loop.</p>
+
+</recommendation>
+<example>
+<p>The following example demonstrates an erroneous and corrected use of a local variable within a loop.</p>
+<sample src="DeclarationOfVariableWithUnnecessarilyWideScope.c" />
+
+</example>
+<references>
+
+<li>
+  CERT C Coding Standard:
+  <a href="https://wiki.sei.cmu.edu/confluence/display/c/DCL01-C.+Do+not+reuse+variable+names+in+subscopes">DCL01-C. Do not reuse variable names in subscopes</a>.
+</li>
+
+</references>
+</qhelp>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
new file mode 100644
index 00000000000..a253a5e0599
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
@@ -0,0 +1,62 @@
+/**
+ * @name Errors When Using Variable Declaration Inside Loop
+ * @description Using variables with the same name is dangerous.
+ *              However, such a situation inside the while loop can lead to a violation of the accessibility of the program.
+ *              Requires the attention of developers.
+ * @kind problem
+ * @id cpp/errors-when-using-variable-declaration-inside-loop
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-1126
+ */
+
+import cpp
+
+/**
+ * Errors when using a variable declaration inside a loop.
+ */
+class DangerousWhileLoop extends WhileStmt {
+  Expr exp;
+  Declaration dl;
+
+  DangerousWhileLoop() {
+    this = dl.getParentScope().(BlockStmt).getParent*() and
+    exp = this.getCondition().getAChild*() and
+    not exp instanceof PointerFieldAccess and
+    not exp instanceof ValueFieldAccess and
+    exp.toString() = dl.getName() and
+    not exp.getParent*() instanceof CrementOperation and
+    not exp.getParent*() instanceof Assignment and
+    not exp.getParent*() instanceof FunctionCall
+  }
+
+  Declaration getDeclaration() { result = dl }
+
+  /** Holds when there are changes to the variables involved in the condition. */
+  predicate isUseThisVariable() {
+    exists(Variable v |
+      this.getCondition().getAChild*().(VariableAccess).getTarget() = v and
+      (
+        exists(Assignment aexp |
+          aexp = this.getStmt().getAChild*() and
+          (
+            aexp.getLValue().(ArrayExpr).getArrayBase().(VariableAccess).getTarget() = v
+            or
+            aexp.getLValue().(VariableAccess).getTarget() = v
+          )
+        )
+        or
+        exists(CrementOperation crm |
+          crm = this.getStmt().getAChild*() and
+          crm.getOperand().(VariableAccess).getTarget() = v
+        )
+      )
+    )
+  }
+}
+
+from DangerousWhileLoop lp
+where not lp.isUseThisVariable()
+select lp.getDeclaration(), "A variable with this name is used in the loop condition."

From 98f7f70814efa3dae55beb0fd1cb9f4e095d776e Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Sun, 25 Apr 2021 22:35:40 +0300
Subject: [PATCH 0655/1429] Add files via upload

---
 ...nOfVariableWithUnnecessarilyWideScope.expected |  1 +
 ...tionOfVariableWithUnnecessarilyWideScope.qlref |  1 +
 .../Security/CWE/CWE-1126/semmle/tests/test.c     | 15 +++++++++++++++
 3 files changed, 17 insertions(+)
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.expected
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.qlref
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.expected
new file mode 100644
index 00000000000..7b540a33384
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.expected
@@ -0,0 +1 @@
+| test.c:12:9:12:16 | intIndex | A variable with this name is used in the loop condition. |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.qlref
new file mode 100644
index 00000000000..6da5822f7f0
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c
new file mode 100644
index 00000000000..090bed34d45
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c
@@ -0,0 +1,15 @@
+void workFunction_0(char *s) {
+  int intIndex = 10;
+  char buf[80];
+  while(intIndex > 2) // GOOD
+  {
+    buf[intIndex] = 1;
+    intIndex--;
+  }
+  while(intIndex > 2)
+  {
+    buf[intIndex] = 1;
+    int intIndex; // BAD
+    intIndex--;
+  }
+}

From 4e8ae77b6f13d8d29923bf9b4f0bed8fb832462d Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 26 Apr 2021 08:57:20 +0200
Subject: [PATCH 0656/1429] cache more predicates

---
 .../src/semmle/javascript/PackageExports.qll  |  3 +
 .../semmle/javascript/dataflow/DataFlow.qll   |  4 +
 .../dataflow/internal/StepSummary.qll         | 84 ++++++++++---------
 .../javascript/internal/CachedStages.qll      |  8 ++
 4 files changed, 60 insertions(+), 39 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/PackageExports.qll b/javascript/ql/src/semmle/javascript/PackageExports.qll
index c6658534459..c225e5a733b 100644
--- a/javascript/ql/src/semmle/javascript/PackageExports.qll
+++ b/javascript/ql/src/semmle/javascript/PackageExports.qll
@@ -5,11 +5,14 @@
  */
 
 import javascript
+private import semmle.javascript.internal.CachedStages
 
 /**
  * Gets a parameter that is a library input to a top-level package.
  */
+cached
 DataFlow::ParameterNode getALibraryInputParameter() {
+  Stages::Taint::ref() and
   exists(int bound, DataFlow::FunctionNode func |
     func = getAValueExportedByPackage().getABoundFunctionValue(bound) and
     result = func.getParameter(any(int arg | arg >= bound))
diff --git a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
index 2bcee954cbc..c73c894ca4b 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -255,7 +255,9 @@ module DataFlow {
      * Holds if this node is annotated with the given named type,
      * or is declared as a subtype thereof, or is a union or intersection containing such a type.
      */
+    cached
     predicate hasUnderlyingType(string globalName) {
+      Stages::TypeTracking::ref() and
       getType().hasUnderlyingType(globalName)
       or
       getFallbackTypeAnnotation().getAnUnderlyingType().hasQualifiedName(globalName)
@@ -265,7 +267,9 @@ module DataFlow {
      * Holds if this node is annotated with the given named type,
      * or is declared as a subtype thereof, or is a union or intersection containing such a type.
      */
+    cached
     predicate hasUnderlyingType(string moduleName, string typeName) {
+      Stages::TypeTracking::ref() and
       getType().hasUnderlyingType(moduleName, typeName)
       or
       getFallbackTypeAnnotation().getAnUnderlyingType().hasQualifiedName(moduleName, typeName)
diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/StepSummary.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/StepSummary.qll
index 5869444053f..2c1362c871d 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/internal/StepSummary.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/internal/StepSummary.qll
@@ -53,49 +53,11 @@ private module Cached {
   predicate step(DataFlow::SourceNode pred, DataFlow::SourceNode succ, StepSummary summary) {
     exists(DataFlow::Node mid | pred.flowsTo(mid) | StepSummary::smallstep(mid, succ, summary))
   }
-}
-
-import Cached::Public
-
-class OptionalPropertyName extends string {
-  OptionalPropertyName() { this instanceof PropertyName or this = "" }
-}
-
-/**
- * INTERNAL: Use `TypeTracker` or `TypeBackTracker` instead.
- *
- * A description of a step on an inter-procedural data flow path.
- */
-class StepSummary extends TStepSummary {
-  /** Gets a textual representation of this step summary. */
-  string toString() {
-    this instanceof LevelStep and result = "level"
-    or
-    this instanceof CallStep and result = "call"
-    or
-    this instanceof ReturnStep and result = "return"
-    or
-    exists(string prop | this = StoreStep(prop) | result = "store " + prop)
-    or
-    exists(string prop | this = LoadStep(prop) | result = "load " + prop)
-    or
-    exists(string prop | this = CopyStep(prop) | result = "copy " + prop)
-    or
-    exists(string fromProp, string toProp | this = LoadStoreStep(fromProp, toProp) |
-      result = "load " + fromProp + " and store to " + toProp
-    )
-  }
-}
-
-module StepSummary {
-  /**
-   * INTERNAL: Use `SourceNode.track()` or `SourceNode.backtrack()` instead.
-   */
-  predicate step = Cached::step/3;
 
   /**
    * INTERNAL: Use `TypeBackTracker.smallstep()` instead.
    */
+  cached
   predicate smallstep(DataFlow::Node pred, DataFlow::Node succ, StepSummary summary) {
     // Flow through properties of objects
     propertyFlowStep(pred, succ) and
@@ -194,3 +156,47 @@ module StepSummary {
     )
   }
 }
+
+import Cached::Public
+
+class OptionalPropertyName extends string {
+  OptionalPropertyName() { this instanceof PropertyName or this = "" }
+}
+
+/**
+ * INTERNAL: Use `TypeTracker` or `TypeBackTracker` instead.
+ *
+ * A description of a step on an inter-procedural data flow path.
+ */
+class StepSummary extends TStepSummary {
+  /** Gets a textual representation of this step summary. */
+  string toString() {
+    this instanceof LevelStep and result = "level"
+    or
+    this instanceof CallStep and result = "call"
+    or
+    this instanceof ReturnStep and result = "return"
+    or
+    exists(string prop | this = StoreStep(prop) | result = "store " + prop)
+    or
+    exists(string prop | this = LoadStep(prop) | result = "load " + prop)
+    or
+    exists(string prop | this = CopyStep(prop) | result = "copy " + prop)
+    or
+    exists(string fromProp, string toProp | this = LoadStoreStep(fromProp, toProp) |
+      result = "load " + fromProp + " and store to " + toProp
+    )
+  }
+}
+
+module StepSummary {
+  /**
+   * INTERNAL: Use `SourceNode.track()` or `SourceNode.backtrack()` instead.
+   */
+  predicate step = Cached::step/3;
+
+  /**
+   * INTERNAL: Use `TypeBackTracker.smallstep()` instead.
+   */
+  predicate smallstep = Cached::smallstep/3;
+}
diff --git a/javascript/ql/src/semmle/javascript/internal/CachedStages.qll b/javascript/ql/src/semmle/javascript/internal/CachedStages.qll
index a48cb8ed5e0..40b5e5ba626 100644
--- a/javascript/ql/src/semmle/javascript/internal/CachedStages.qll
+++ b/javascript/ql/src/semmle/javascript/internal/CachedStages.qll
@@ -198,6 +198,10 @@ module Stages {
       exists(any(DataFlow::TypeBackTracker t).prepend(_))
       or
       DataFlow::functionForwardingStep(_, _)
+      or
+      any(DataFlow::Node node).hasUnderlyingType(_)
+      or
+      any(DataFlow::Node node).hasUnderlyingType(_, _)
     }
   }
 
@@ -232,6 +236,8 @@ module Stages {
    */
   cached
   module Taint {
+    private import semmle.javascript.PackageExports as Exports
+
     /**
      * Always holds.
      * Ensures that a predicate is evaluated as part of the Taint stage.
@@ -250,6 +256,8 @@ module Stages {
       TaintTracking::heapStep(_, _)
       or
       exists(RemoteFlowSource r)
+      or
+      exists(Exports::getALibraryInputParameter())
     }
   }
 }

From 772d5eaccafc82d25b4704b3a545083a8d55c7d5 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Mon, 26 Apr 2021 09:55:32 +0200
Subject: [PATCH 0657/1429] C++: Add change note.

---
 cpp/change-notes/2021-26-04-more-sound-expr-might-overflow.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 cpp/change-notes/2021-26-04-more-sound-expr-might-overflow.md

diff --git a/cpp/change-notes/2021-26-04-more-sound-expr-might-overflow.md b/cpp/change-notes/2021-26-04-more-sound-expr-might-overflow.md
new file mode 100644
index 00000000000..5a7b8414fad
--- /dev/null
+++ b/cpp/change-notes/2021-26-04-more-sound-expr-might-overflow.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The `exprMightOverflowPositively` and `exprMightOverflowNegatively` predicates from the `SimpleRangeAnalysis` library now recognize more expressions that might overflow.

From 824c243268931793e5b2d0cd019fb920ec449fc4 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 26 Apr 2021 10:50:17 +0200
Subject: [PATCH 0658/1429] C#: Add change note

---
 csharp/change-notes/2021-04-26-string-builder-summaries.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 csharp/change-notes/2021-04-26-string-builder-summaries.md

diff --git a/csharp/change-notes/2021-04-26-string-builder-summaries.md b/csharp/change-notes/2021-04-26-string-builder-summaries.md
new file mode 100644
index 00000000000..285f40faf39
--- /dev/null
+++ b/csharp/change-notes/2021-04-26-string-builder-summaries.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Data-flow modelling of `StringBuilder` objects has been improved.
\ No newline at end of file

From d717fc7b1f0e42dc2ff3e10e7ae9e5324a554147 Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Mon, 26 Apr 2021 10:13:04 +0100
Subject: [PATCH 0659/1429] Use Microsoft archive of vijaysk's blog

---
 csharp/ql/src/Likely Bugs/ReferenceEqualsOnValueTypes.qhelp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/csharp/ql/src/Likely Bugs/ReferenceEqualsOnValueTypes.qhelp b/csharp/ql/src/Likely Bugs/ReferenceEqualsOnValueTypes.qhelp
index 945bcb15a28..96feb557d3b 100644
--- a/csharp/ql/src/Likely Bugs/ReferenceEqualsOnValueTypes.qhelp	
+++ b/csharp/ql/src/Likely Bugs/ReferenceEqualsOnValueTypes.qhelp	
@@ -25,7 +25,7 @@ really be compared using <code>i == j</code>.</p>
 <references>
 
   <li>MSDN: <a href="http://msdn.microsoft.com/en-us/library/system.object.referenceequals.aspx">Object.ReferenceEquals Method</a>.</li>
-  <li>The Way I See It: <a href="https://web.archive.org/web/20190919103548/https://blogs.msdn.microsoft.com/vijaysk/2008/03/18/object-referenceequalsvaluevar-valuevar-will-always-return-false/">Object.ReferenceEquals(ValueVar, ValueVar) will always return false.</a></li>
+  <li>The Way I See It: <a href="https://docs.microsoft.com/en-us/archive/blogs/vijaysk/object-referenceequalsvaluevar-valuevar-will-always-return-false">Object.ReferenceEquals(ValueVar, ValueVar) will always return false.</a></li>
 
 
 </references>

From 3d891f0b391f3623c1baf5fc1ced7b8982e259b2 Mon Sep 17 00:00:00 2001
From: p0wn4j <p0wn4j@github.com>
Date: Wed, 24 Mar 2021 00:08:39 +0400
Subject: [PATCH 0660/1429] [Java] CWE-078: Add JSch OS command injection sink

---
 .../Security/CWE/CWE-078/ExecCommon.qll       | 32 ++++++++++
 .../Security/CWE/CWE-078/ExecTainted.ql       | 24 +++++++
 .../CWE/CWE-078/JSchOSInjection.qhelp         | 64 +++++++++++++++++++
 .../Security/CWE/CWE-078/JSchOSInjection.qll  | 20 ++++++
 .../CWE/CWE-078/JSchOSInjectionBad.java       | 17 +++++
 .../CWE/CWE-078/JSchOSInjectionSanitized.java | 46 +++++++++++++
 .../security/CWE-078/ExecTainted.expected     | 11 ++++
 .../security/CWE-078/ExecTainted.qlref        |  1 +
 .../security/CWE-078/JSchOSInjectionTest.java | 56 ++++++++++++++++
 .../query-tests/security/CWE-078/options      |  2 +
 .../jsch-0.1.55/com/jcraft/jsch/Channel.java  | 46 +++++++++++++
 .../com/jcraft/jsch/ChannelExec.java          | 40 ++++++++++++
 .../com/jcraft/jsch/ChannelSession.java       | 33 ++++++++++
 .../jsch-0.1.55/com/jcraft/jsch/JSch.java     | 40 ++++++++++++
 .../jsch-0.1.55/com/jcraft/jsch/Session.java  | 55 ++++++++++++++++
 15 files changed, 487 insertions(+)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-078/ExecCommon.qll
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjection.qhelp
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjection.qll
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjectionBad.java
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjectionSanitized.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.qlref
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-078/JSchOSInjectionTest.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-078/options
 create mode 100644 java/ql/test/experimental/stubs/jsch-0.1.55/com/jcraft/jsch/Channel.java
 create mode 100644 java/ql/test/experimental/stubs/jsch-0.1.55/com/jcraft/jsch/ChannelExec.java
 create mode 100644 java/ql/test/experimental/stubs/jsch-0.1.55/com/jcraft/jsch/ChannelSession.java
 create mode 100644 java/ql/test/experimental/stubs/jsch-0.1.55/com/jcraft/jsch/JSch.java
 create mode 100644 java/ql/test/experimental/stubs/jsch-0.1.55/com/jcraft/jsch/Session.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/ExecCommon.qll b/java/ql/src/experimental/Security/CWE/CWE-078/ExecCommon.qll
new file mode 100644
index 00000000000..c0025043fce
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-078/ExecCommon.qll
@@ -0,0 +1,32 @@
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.ExternalProcess
+import semmle.code.java.security.CommandArguments
+
+private class RemoteUserInputToArgumentToExecFlowConfig extends TaintTracking::Configuration {
+  RemoteUserInputToArgumentToExecFlowConfig() {
+    this = "ExecCommon::RemoteUserInputToArgumentToExecFlowConfig"
+  }
+
+  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType
+    or
+    node.getType() instanceof BoxedType
+    or
+    isSafeCommandArgument(node.asExpr())
+  }
+}
+
+/**
+ * Implementation of `ExecTainted.ql`. It is extracted to a QLL
+ * so that it can be excluded from `ExecUnescaped.ql` to avoid
+ * reporting overlapping results.
+ */
+predicate execTainted(DataFlow::PathNode source, DataFlow::PathNode sink, ArgumentToExec execArg) {
+  exists(RemoteUserInputToArgumentToExecFlowConfig conf |
+    conf.hasFlowPath(source, sink) and sink.getNode() = DataFlow::exprNode(execArg)
+  )
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql b/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
new file mode 100644
index 00000000000..b73203ecbbc
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
@@ -0,0 +1,24 @@
+/**
+ * @name Uncontrolled command line
+ * @description Using externally controlled strings in a command line is vulnerable to malicious
+ *              changes in the strings.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/command-line-injection
+ * @tags security
+ *       external/cwe/cwe-078
+ *       external/cwe/cwe-088
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.ExternalProcess
+import ExecCommon
+import JSchOSInjection
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, ArgumentToExec execArg
+where execTainted(source, sink, execArg)
+select execArg, source, sink, "$@ flows to here and is used in a command.", source.getNode(),
+  "User-provided value"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjection.qhelp
new file mode 100644
index 00000000000..57e8a61fe74
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjection.qhelp
@@ -0,0 +1,64 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+JSch is a pure Java implementation of SSH2.
+JSch allows you to connect to a sshd server and use port forwarding, X11 forwarding, 
+file transfer, command execution, etc., and you can integrate its functionality into your own Java programs. 
+JSch is licensed under BSD style license.
+If an OS command is built using an attacker-controlled data, it may allow the attacker
+to run an arbitrary code on the remote host.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Including an user input in a JSch lib's OS command expression should be avoided.
+If this is not possible, then a strong input validation must be performed. 
+Some examples of an effective validation include:
+
+Validating against an allowlist of permitted values.
+Validating that the input is a number.
+Validating that the input contains only alphanumeric characters, no other syntax or whitespace.
+
+Never attempt to sanitize input by escaping shell metacharacters. In practice, 
+this is just too error-prone and vulnerable to being bypassed by a skilled attacker.
+
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example uses the untrusted data to build an OS command.
+</p>
+<sample src="JSchOSInjectionBad.java" />
+</example>
+
+<example>
+<p>
+The following example validates the untrusted data before build an OS command.
+</p>
+<sample src="JSchOSInjectionSanitized.java" />
+</example>
+
+<references>
+<li>
+  JCraft:
+  <a href="http://www.jcraft.com/jsch/">JSch - Java Secure Channel</a>.
+</li>
+<li>
+  OWASP:
+  <a href="https://owasp.org/www-community/attacks/Command_Injection">Command Injection</a>.
+</li>
+<li>
+  OWASP:
+  <a href="https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html">OS Command Injection Defense Cheat Sheet</a>.
+</li>
+<li>
+  PortSwigger:
+  <a href="https://portswigger.net/web-security/os-command-injection">OS command injection</a>.
+</li>
+
+</references>
+</qhelp>
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjection.qll b/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjection.qll
new file mode 100644
index 00000000000..ec1f4d0adfa
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjection.qll
@@ -0,0 +1,20 @@
+/**
+ * Provides classes for JSch OS command injection detection
+ */
+
+import java
+
+/** The class `com.jcraft.jsch.ChannelExec`. */
+private class JSchChannelExec extends RefType {
+  JSchChannelExec() { this.hasQualifiedName("com.jcraft.jsch", "ChannelExec") }
+}
+
+/** A method to set an OS Command for the execution. */
+private class ChannelExecSetCommandMethod extends Method, ExecCallable {
+  ChannelExecSetCommandMethod() {
+    this.hasName("setCommand") and
+    this.getDeclaringType() instanceof JSchChannelExec
+  }
+
+  override int getAnExecutedArgument() { result = 0 }
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjectionBad.java b/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjectionBad.java
new file mode 100644
index 00000000000..ab4c3fb1c06
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjectionBad.java
@@ -0,0 +1,17 @@
+public class JSchOSInjectionBad {
+    void jschOsExecution(HttpServletRequest request) {
+        String command = request.getParameter("command");
+
+        JSch jsch = new JSch();
+        Session session = jsch.getSession("user", "sshHost", 22);
+        session.setPassword("password");
+        session.connect();
+
+        Channel channel = session.openChannel("exec");
+        // BAD - untrusted user data is used directly in a command
+        ((ChannelExec) channel).setCommand("ping " + command);
+        
+        channel.connect();
+    }
+}
+
diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjectionSanitized.java b/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjectionSanitized.java
new file mode 100644
index 00000000000..fdd72e551a0
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjectionSanitized.java
@@ -0,0 +1,46 @@
+public class JSchOSInjectionSanitized {
+    void jschOsExecutionPing(HttpServletRequest request) {
+        String untrusted = request.getParameter("command");
+
+        //GOOD - Validate user the input.
+        if (!com.google.common.net.InetAddresses.isInetAddress(untrusted)) {
+            System.out.println("Invalid IP address");
+            return;
+        }
+
+        JSch jsch = new JSch();
+        Session session = jsch.getSession("user", "host", 22);
+        session.setPassword("password");
+        session.connect();
+
+        Channel channel = session.openChannel("exec");
+        ((ChannelExec) channel).setCommand("ping " + untrusted);
+
+        channel.connect();
+    }
+
+    void jschOsExecutionDig(HttpServletRequest request) {
+        String untrusted = request.getParameter("command");
+
+        //GOOD - check whether the user input doesn't contain dangerous shell characters.
+        String[] badChars = new String[] {"^", "~" ," " , "&", "|", ";", "$", ">", "<", "`", "\\", ",", "!", "{", "}", "(", ")", "@", "%", "#", "%0A", "%0a", "\n", "\r\n"};
+
+        for (String badChar : badChars) {
+            if (untrusted.contains(badChar)) {
+                System.out.println("Invalid IP address");
+                return;
+            }    
+        }
+
+        JSch jsch = new JSch();
+        Session session = jsch.getSession("user", "host", 22);
+        session.setPassword("password");
+        session.connect();
+
+        Channel channel = session.openChannel("exec");
+        ((ChannelExec) channel).setCommand("dig " + untrusted);
+
+        channel.connect();
+    }
+}
+
diff --git a/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.expected b/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.expected
new file mode 100644
index 00000000000..6d87a2ffb89
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.expected
@@ -0,0 +1,11 @@
+edges
+| JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:26:48:26:64 | ... + ... |
+| JSchOSInjectionTest.java:38:30:38:60 | getParameter(...) : String | JSchOSInjectionTest.java:50:32:50:48 | ... + ... |
+nodes
+| JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JSchOSInjectionTest.java:26:48:26:64 | ... + ... | semmle.label | ... + ... |
+| JSchOSInjectionTest.java:38:30:38:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JSchOSInjectionTest.java:50:32:50:48 | ... + ... | semmle.label | ... + ... |
+#select
+| JSchOSInjectionTest.java:26:48:26:64 | ... + ... | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:26:48:26:64 | ... + ... | $@ flows to here and is used in a command. | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) | User-provided value |
+| JSchOSInjectionTest.java:50:32:50:48 | ... + ... | JSchOSInjectionTest.java:38:30:38:60 | getParameter(...) : String | JSchOSInjectionTest.java:50:32:50:48 | ... + ... | $@ flows to here and is used in a command. | JSchOSInjectionTest.java:38:30:38:60 | getParameter(...) | User-provided value |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.qlref b/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.qlref
new file mode 100644
index 00000000000..714c3cadc5f
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-078/ExecTainted.ql
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-078/JSchOSInjectionTest.java b/java/ql/test/experimental/query-tests/security/CWE-078/JSchOSInjectionTest.java
new file mode 100644
index 00000000000..08baf0a9772
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-078/JSchOSInjectionTest.java
@@ -0,0 +1,56 @@
+import com.jcraft.jsch.*;
+
+import javax.servlet.http.*;
+import javax.servlet.ServletException;
+import java.io.IOException;
+
+public class JSchOSInjectionTest extends HttpServlet {
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+        throws ServletException, IOException {
+            String host = "sshHost";
+            String user = "user";
+            String password = "password";
+            String command = request.getParameter("command");
+
+            java.util.Properties config = new java.util.Properties();
+            config.put("StrictHostKeyChecking", "no");
+            
+            JSch jsch = new JSch();
+            Session session = jsch.getSession(user, host, 22);
+            session.setPassword(password);
+            session.setConfig(config);
+            session.connect();
+
+            Channel channel = session.openChannel("exec");
+            ((ChannelExec) channel).setCommand("ping " + command);
+            channel.setInputStream(null);
+            ((ChannelExec) channel).setErrStream(System.err);
+
+            channel.connect();
+    }
+
+    protected void doPost(HttpServletRequest request, HttpServletResponse response)
+        throws ServletException, IOException {
+            String host = "sshHost";
+            String user = "user";
+            String password = "password";
+            String command = request.getParameter("command");
+
+            java.util.Properties config = new java.util.Properties();
+            config.put("StrictHostKeyChecking", "no");
+            
+            JSch jsch = new JSch();
+            Session session = jsch.getSession(user, host, 22);
+            session.setPassword(password);
+            session.setConfig(config);
+            session.connect();
+
+            ChannelExec channel = (ChannelExec)session.openChannel("exec");
+            channel.setCommand("ping " + command);
+            channel.setInputStream(null);
+            channel.setErrStream(System.err);
+
+            channel.connect();
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-078/options b/java/ql/test/experimental/query-tests/security/CWE-078/options
new file mode 100644
index 00000000000..eb7209ebe1e
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-078/options
@@ -0,0 +1,2 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/jsch-0.1.55
+
diff --git a/java/ql/test/experimental/stubs/jsch-0.1.55/com/jcraft/jsch/Channel.java b/java/ql/test/experimental/stubs/jsch-0.1.55/com/jcraft/jsch/Channel.java
new file mode 100644
index 00000000000..5b084813c61
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jsch-0.1.55/com/jcraft/jsch/Channel.java
@@ -0,0 +1,46 @@
+/* -*-mode:java; c-basic-offset:2; indent-tabs-mode:nil -*- */
+/*
+Copyright (c) 2002-2018 ymnk, JCraft,Inc. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+  1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+  2. Redistributions in binary form must reproduce the above copyright 
+     notice, this list of conditions and the following disclaimer in 
+     the documentation and/or other materials provided with the distribution.
+
+  3. The names of the authors may not be used to endorse or promote products
+     derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JCRAFT,
+INC. OR ANY CONTRIBUTORS TO THIS SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
+OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+package com.jcraft.jsch;
+
+import java.io.*;
+
+public abstract class Channel implements Runnable {
+   public void connect() {
+   }
+
+   public void setInputStream(InputStream in){
+   }
+
+   public void disconnect(){
+   }
+
+   public void run() {
+   }
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jsch-0.1.55/com/jcraft/jsch/ChannelExec.java b/java/ql/test/experimental/stubs/jsch-0.1.55/com/jcraft/jsch/ChannelExec.java
new file mode 100644
index 00000000000..6ff67754d99
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jsch-0.1.55/com/jcraft/jsch/ChannelExec.java
@@ -0,0 +1,40 @@
+/* -*-mode:java; c-basic-offset:2; indent-tabs-mode:nil -*- */
+/*
+Copyright (c) 2002-2018 ymnk, JCraft,Inc. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+  1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+  2. Redistributions in binary form must reproduce the above copyright 
+     notice, this list of conditions and the following disclaimer in 
+     the documentation and/or other materials provided with the distribution.
+
+  3. The names of the authors may not be used to endorse or promote products
+     derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JCRAFT,
+INC. OR ANY CONTRIBUTORS TO THIS SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
+OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+package com.jcraft.jsch;
+
+import java.io.*;
+
+public class ChannelExec extends ChannelSession {
+   public void setErrStream(OutputStream out) {
+   }
+
+   public void setCommand(String command){ 
+   }
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jsch-0.1.55/com/jcraft/jsch/ChannelSession.java b/java/ql/test/experimental/stubs/jsch-0.1.55/com/jcraft/jsch/ChannelSession.java
new file mode 100644
index 00000000000..a6c97b334b6
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jsch-0.1.55/com/jcraft/jsch/ChannelSession.java
@@ -0,0 +1,33 @@
+/* -*-mode:java; c-basic-offset:2; indent-tabs-mode:nil -*- */
+/*
+Copyright (c) 2002-2018 ymnk, JCraft,Inc. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+  1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+  2. Redistributions in binary form must reproduce the above copyright 
+     notice, this list of conditions and the following disclaimer in 
+     the documentation and/or other materials provided with the distribution.
+
+  3. The names of the authors may not be used to endorse or promote products
+     derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JCRAFT,
+INC. OR ANY CONTRIBUTORS TO THIS SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
+OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+package com.jcraft.jsch;
+
+class ChannelSession extends Channel {
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jsch-0.1.55/com/jcraft/jsch/JSch.java b/java/ql/test/experimental/stubs/jsch-0.1.55/com/jcraft/jsch/JSch.java
new file mode 100644
index 00000000000..b8ce91b9715
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jsch-0.1.55/com/jcraft/jsch/JSch.java
@@ -0,0 +1,40 @@
+/* -*-mode:java; c-basic-offset:2; indent-tabs-mode:nil -*- */
+/*
+Copyright (c) 2002-2018 ymnk, JCraft,Inc. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+  1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+  2. Redistributions in binary form must reproduce the above copyright 
+     notice, this list of conditions and the following disclaimer in 
+     the documentation and/or other materials provided with the distribution.
+
+  3. The names of the authors may not be used to endorse or promote products
+     derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JCRAFT,
+INC. OR ANY CONTRIBUTORS TO THIS SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
+OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+package com.jcraft.jsch;
+
+public class JSch {
+
+    public JSch() {}
+
+    public Session getSession(String username, String host, int port) {
+        return null;
+    }
+
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jsch-0.1.55/com/jcraft/jsch/Session.java b/java/ql/test/experimental/stubs/jsch-0.1.55/com/jcraft/jsch/Session.java
new file mode 100644
index 00000000000..4cf2015fceb
--- /dev/null
+++ b/java/ql/test/experimental/stubs/jsch-0.1.55/com/jcraft/jsch/Session.java
@@ -0,0 +1,55 @@
+/* -*-mode:java; c-basic-offset:2; indent-tabs-mode:nil -*- */
+/*
+Copyright (c) 2002-2018 ymnk, JCraft,Inc. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+  1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+  2. Redistributions in binary form must reproduce the above copyright 
+     notice, this list of conditions and the following disclaimer in 
+     the documentation and/or other materials provided with the distribution.
+
+  3. The names of the authors may not be used to endorse or promote products
+     derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JCRAFT,
+INC. OR ANY CONTRIBUTORS TO THIS SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
+OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+package com.jcraft.jsch;
+
+public class Session implements Runnable {
+
+   public Channel openChannel(String type) {
+      if ("exec".equals(type))
+         return new ChannelExec();
+      
+      return null;
+   }
+
+   public void setPassword(String password) {
+   }
+
+   public void setConfig(java.util.Properties newconf) {
+   }
+
+   public void connect() {
+   }
+
+   public void run(){
+   }
+
+   public void disconnect(){
+   }
+}
\ No newline at end of file

From 7455b1b4f08d15029d82a4dee6b5c1143e7b95ae Mon Sep 17 00:00:00 2001
From: Hayk Andriasyan <77549590+p0wn4j@users.noreply.github.com>
Date: Mon, 26 Apr 2021 15:17:57 +0400
Subject: [PATCH 0661/1429] Update JSchOSInjectionSanitized.java

---
 .../Security/CWE/CWE-078/JSchOSInjectionSanitized.java          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjectionSanitized.java b/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjectionSanitized.java
index fdd72e551a0..b47a2b82ed7 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjectionSanitized.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjectionSanitized.java
@@ -27,7 +27,7 @@ public class JSchOSInjectionSanitized {
 
         for (String badChar : badChars) {
             if (untrusted.contains(badChar)) {
-                System.out.println("Invalid IP address");
+                System.out.println("Invalid host");
                 return;
             }    
         }

From 3889c8afec3595b041de6f0e02efa6393bbd8107 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Mon, 26 Apr 2021 13:10:15 +0000
Subject: [PATCH 0662/1429] Python: Use only `TApiNode` in `API::Impl`

This ensures that changes to `API::Node` does not invalidate the cached
`module Impl`. At present, I don't expect this to have any effect (as
the `Node` class is also fairly static, though not explicitly cached),
but I can imagine us making some of the `Node` methods have
user-extensible behaviour, in which case we definitely do not want this
to result in reevaluation of `API::Impl`.
---
 python/ql/src/semmle/python/ApiGraphs.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 5f71d9d1c40..a530e44e85d 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -452,7 +452,7 @@ module API {
      * Holds if there is an edge from `pred` to `succ` in the API graph that is labeled with `lbl`.
      */
     cached
-    predicate edge(Node pred, string lbl, Node succ) {
+    predicate edge(TApiNode pred, string lbl, TApiNode succ) {
       /* There's an edge from the root node for each imported module. */
       exists(string m |
         pred = MkRoot() and

From 3670c729c0b5a0a574b412df8512d5a867049f8b Mon Sep 17 00:00:00 2001
From: Andrew Eisenberg <aeisenberg@github.com>
Date: Mon, 26 Apr 2021 08:43:28 -0700
Subject: [PATCH 0663/1429] Actions: Use the main branch of the codeql action

This commit switches to the bleeding edge, main branch of the
codeql action. This helps us test the action before merging all
of the new changes into main, which occurs roughly once a week.

If there are commits that introduce bugs in codeql-action, then
we will be more likely to catch it before releasing to the world
if we are using it in this extension.
---
 .github/workflows/codeql-analysis.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index b86009ef6da..370d2f14881 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -25,7 +25,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@main
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: csharp
@@ -34,7 +34,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@main
 
     # ℹ� Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -48,4 +48,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@main

From 0e53ad33f65b7e3b72d8ebd713bab3d8117f3963 Mon Sep 17 00:00:00 2001
From: Andrew Eisenberg <aeisenberg@github.com>
Date: Mon, 26 Apr 2021 10:53:29 -0700
Subject: [PATCH 0664/1429] Actions: Add permissions block to code scanning
 workflow

---
 .github/workflows/codeql-analysis.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 370d2f14881..3cd94cb6215 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -19,6 +19,11 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      security_events: write
+      pull_requests: read
+
     steps:
     - name: Checkout repository
       uses: actions/checkout@v2

From b7de370918e4b193b855ccae6fa491fcf6f5726a Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Mon, 26 Apr 2021 23:04:08 +0300
Subject: [PATCH 0665/1429] Add files via upload

---
 .../Security/CWE/CWE-415/DoubleFree.ql        | 63 +++++++++----------
 1 file changed, 28 insertions(+), 35 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql b/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql
index 199dc18bee7..bb799ec4d52 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql
@@ -12,40 +12,33 @@
 
 import cpp
 
-/**
- * The function allows `getASuccessor` to be called recursively.
- * This provides a stop in situations of possible influence on the pointer.
- */
-ControlFlowNode recursASuccessor(FunctionCall fc, LocalScopeVariable v) {
-  result = fc
-  or
-  exists(ControlFlowNode mid |
-    mid = recursASuccessor(fc, v) and
-    result = mid.getASuccessor() and
-    not result = v.getAnAssignedValue() and
-    not result.(AddressOfExpr).getOperand() = v.getAnAccess() and
-    not (
-      not result instanceof DeallocationExpr and
-      result.(FunctionCall).getAnArgument().(VariableAccess).getTarget() = v
-    ) and
-    (
-      fc.getTarget().hasGlobalOrStdName("realloc") and
-      (
-        not fc.getParent*() instanceof IfStmt and
-        not result instanceof IfStmt
-      )
-      or
-      not fc.getTarget().hasGlobalOrStdName("realloc")
-    )
-  )
-}
-
-from FunctionCall fc
+from FunctionCall fc, FunctionCall fc2, LocalScopeVariable v
 where
-  exists(FunctionCall fc2, LocalScopeVariable v |
-    freeCall(fc, v.getAnAccess()) and
-    freeCall(fc2, v.getAnAccess()) and
-    fc != fc2 and
-    recursASuccessor(fc, v) = fc2
+  freeCall(fc, v.getAnAccess()) and
+  freeCall(fc2, v.getAnAccess()) and
+  fc != fc2 and
+  fc.getASuccessor*() = fc2 and
+  not exists(Expr exptmp |
+    (exptmp = v.getAnAssignedValue() or exptmp.(AddressOfExpr).getOperand() = v.getAnAccess()) and
+    exptmp = fc.getASuccessor*() and
+    exptmp = fc2.getAPredecessor*()
+  ) and
+  not exists(FunctionCall fctmp |
+    not fctmp instanceof DeallocationExpr and
+    fctmp = fc.getASuccessor*() and
+    fctmp = fc2.getAPredecessor*() and
+    fctmp.getAnArgument().(VariableAccess).getTarget() = v
+  ) and
+  (
+    fc.getTarget().hasGlobalOrStdName("realloc") and
+    (
+      not fc.getParent*() instanceof IfStmt and
+      not exists(IfStmt iftmp |
+        iftmp.getCondition().getAChild*().(VariableAccess).getTarget().getAnAssignedValue() = fc
+      )
+    )
+    or
+    not fc.getTarget().hasGlobalOrStdName("realloc")
   )
-select fc.getArgument(0), "This pointer may be cleared again later."
+select fc2.getArgument(0),
+  "This pointer may have already been cleared in the line " + fc.getLocation().getStartLine() + "."

From c31a761750e68916fb2a4bb8517ea9026d4ad87c Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Mon, 26 Apr 2021 23:05:08 +0300
Subject: [PATCH 0666/1429] Add files via upload

---
 .../CWE-415/semmle/tests/DoubleFree.expected  |  6 +-
 .../Security/CWE/CWE-415/semmle/tests/test.c  | 87 +++++++++++++++++--
 2 files changed, 85 insertions(+), 8 deletions(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.expected
index 669c65cba2a..0ab66e5b26c 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/DoubleFree.expected
@@ -1,2 +1,4 @@
-| test.c:9:8:9:10 | buf | This pointer may be cleared again later. |
-| test.c:19:26:19:29 | buf1 | This pointer may be cleared again later. |
+| test.c:11:16:11:18 | buf | This pointer may have already been cleared in the line 10. |
+| test.c:18:8:18:10 | buf | This pointer may have already been cleared in the line 17. |
+| test.c:57:8:57:10 | buf | This pointer may have already been cleared in the line 55. |
+| test.c:78:8:78:10 | buf | This pointer may have already been cleared in the line 77. |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c
index 1ebf3546480..c9be64a645c 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c
@@ -1,21 +1,96 @@
 typedef unsigned long size_t;
 void *malloc(size_t size);
 void free(void *ptr);
+#define NULL 0
 
 void workFunction_0(char *s) {
   int intSize = 10;
   char *buf;
   buf = (char *) malloc(intSize);
-  free(buf); // BAD
-  if(buf) free(buf);
+  free(buf); // GOOD
+  if(buf) free(buf); // BAD
 }
 void workFunction_1(char *s) {
+  int intSize = 10;
+  char *buf;
+  buf = (char *) malloc(intSize);
+  free(buf); // GOOD
+  free(buf); // BAD
+}
+void workFunction_2(char *s) {
+  int intSize = 10;
+  char *buf;
+  buf = (char *) malloc(intSize);
+  free(buf); // GOOD
+  buf = NULL;
+  free(buf);
+}
+void workFunction_3(char *s) {
+  int intSize = 10;
+  char *buf;
+  int intFlag;
+  buf = (char *) malloc(intSize);
+  if(buf[1]%5) {
+    free(buf);
+    buf = NULL;
+  }
+  free(buf);
+}
+void workFunction_4(char *s) {
+  int intSize = 10;
+  char *buf;
+  char *tmpbuf;
+  tmpbuf = (char *) malloc(intSize);
+  buf = (char *) malloc(intSize);
+  free(buf); // GOOD
+  buf = tmpbuf;
+  free(buf); // GOOD
+}
+void workFunction_5(char *s) {
+  int intSize = 10;
+  char *buf;
+  int intFlag;
+  buf = (char *) malloc(intSize);
+  if(intFlag) {
+    free(buf);
+  }
+  free(buf); // BAD
+}
+void workFunction_6(char *s) {
+  int intSize = 10;
+  char *buf;
+  char *tmpbuf;
+  int intFlag;
+  tmpbuf = (char *) malloc(intSize);
+  buf = (char *) malloc(intSize);
+  if(intFlag) {
+    free(buf);
+    buf = tmpbuf;
+  }
+  free(buf);
+}
+void workFunction_7(char *s) {
   int intSize = 10;
   char *buf;
   char *buf1;
   buf = (char *) malloc(intSize);
-  buf1 = (char *) realloc(buf,intSize*2);
-  if(buf) free(buf); // GOOD
-  buf = (char *) realloc(buf1,intSize*4); // BAD
-  free(buf1);
+  buf1 = (char *) realloc(buf,intSize*4);
+  free(buf); // BAD
+}
+void workFunction_8(char *s) {
+  int intSize = 10;
+  char *buf;
+  char *buf1;
+  buf = (char *) malloc(intSize);
+  buf1 = (char *) realloc(buf,intSize*4);
+  if(!buf1)
+  free(buf); // GOOD
+}
+void workFunction_9(char *s) {
+  int intSize = 10;
+  char *buf;
+  char *buf1;
+  buf = (char *) malloc(intSize);
+  if(!(buf1 = (char *) realloc(buf,intSize*4)))
+  free(buf); // GOOD
 }

From 5be9fbbc5a299fa83f37556bdace2e3f87058fe1 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Tue, 27 Apr 2021 14:12:33 +0800
Subject: [PATCH 0667/1429] Remove LogOperationSink and PrintSink

---
 .../CWE/CWE-348/UseOfLessTrustedSource.java   |  37 ----
 .../CWE/CWE-348/UseOfLessTrustedSource.qhelp  |   3 +-
 .../CWE/CWE-348/UseOfLessTrustedSourceLib.qll |  16 --
 .../CWE-348/UseOfLessTrustedSource.expected   |  53 +----
 .../CWE-348/UseOfLessTrustedSource.java       |  37 ----
 .../query-tests/security/CWE-348/options      |   2 +-
 .../slf4j-api-1.6.4/org/slf4j/Logger.java     | 127 -----------
 .../org/slf4j/LoggerFactory.java              |  21 --
 .../slf4j-api-1.6.4/org/slf4j/Marker.java     |  30 ---
 .../org/springframework/util/ObjectUtils.java | 202 ------------------
 .../org/springframework/util/StringUtils.java |  30 ---
 11 files changed, 10 insertions(+), 548 deletions(-)
 delete mode 100644 java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/Logger.java
 delete mode 100644 java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/LoggerFactory.java
 delete mode 100644 java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/Marker.java
 delete mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/util/ObjectUtils.java
 delete mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/util/StringUtils.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java
index 22d7100223c..35a66dc2731 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java
@@ -1,7 +1,5 @@
 import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang3.StringUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -10,46 +8,11 @@ import org.springframework.web.bind.annotation.ResponseBody;
 @Controller
 public class UseOfLessTrustedSource {
 
-    private static final Logger log = LoggerFactory.getLogger(UseOfLessTrustedSource.class);
-
     @Autowired
     private HttpServletRequest request;
 
     @GetMapping(value = "bad1")
     public void bad1(HttpServletRequest request) {
-        String ip = request.getHeader("X-Forwarded-For");
-
-        log.debug("getClientIP header X-Forwarded-For:{}", ip);
-
-        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
-            ip = request.getHeader("Proxy-Client-IP");
-            log.debug("getClientIP header Proxy-Client-IP:{}", ip);
-        }
-        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
-            ip = request.getHeader("WL-Proxy-Client-IP");
-            log.debug("getClientIP header WL-Proxy-Client-IP:{}", ip);
-        }
-        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
-            ip = request.getHeader("HTTP_CLIENT_IP");
-            log.debug("getClientIP header HTTP_CLIENT_IP:{}", ip);
-        }
-        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
-            ip = request.getHeader("HTTP_X_FORWARDED_FOR");
-            log.debug("getClientIP header HTTP_X_FORWARDED_FOR:{}", ip);
-        }
-        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
-            ip = request.getHeader("X-Real-IP");
-            log.debug("getClientIP header X-Real-IP:{}", ip);
-        }
-        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
-            ip = request.getRemoteAddr();
-            log.debug("getRemoteAddr IP:{}", ip);
-        }
-        System.out.println("client ip is: " + ip);
-    }
-
-    @GetMapping(value = "bad2")
-    public void bad2(HttpServletRequest request) {
         String ip = getClientIP();
         if (!StringUtils.startsWith(ip, "192.168.")) {
             new Exception("ip illegal");
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
index 15508f04977..6d5404a2683 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
@@ -16,8 +16,7 @@ bypass a ban-list, for example.</p>
 <example>
 
 <p>The following examples show the bad case and the good case respectively.
-In the <code>bad1</code> method, the client ip is obtained from an HTTP header for local 
-output and logging. In the <code>bad2</code> method, the client ip the <code>X-Forwarded-For</code> is split into comma-separated values, but the less-trustworthy first one is used. Both of these examples could be deceived by providing a forged HTTP header. The method
+In the <code>bad1</code> method, the client ip the <code>X-Forwarded-For</code> is split into comma-separated values, but the less-trustworthy first one is used. Both of these examples could be deceived by providing a forged HTTP header. The method
 <code>good1</code> similarly splits an <code>X-Forwarded-For</code> value, but uses the last, more-trustworthy entry.</p>
 
 <sample src="UseOfLessTrustedSource.java" />
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
index be2aef5e9c7..1639d1c82d1 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
@@ -90,22 +90,6 @@ private class SqlOperationSink extends UseOfLessTrustedSink {
   SqlOperationSink() { this instanceof QueryInjectionSink }
 }
 
-/** A data flow sink for log operation. */
-private class LogOperationSink extends UseOfLessTrustedSink {
-  LogOperationSink() { exists(LoggingCall lc | lc.getAnArgument() = this.asExpr()) }
-}
-
-/** A data flow sink for local output. */
-private class PrintSink extends UseOfLessTrustedSink {
-  PrintSink() {
-    exists(MethodAccess ma |
-      ma.getMethod().getName() in ["print", "println"] and
-      ma.getMethod().getDeclaringType().hasQualifiedName("java.io", ["PrintWriter", "PrintStream"]) and
-      ma.getAnArgument() = this.asExpr()
-    )
-  }
-}
-
 /** A method that split string. */
 class SplitMethod extends Method {
   SplitMethod() {
diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected
index 1ece0b21ee0..df238e4c0a3 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected
@@ -1,48 +1,11 @@
 edges
-| UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) : String | UseOfLessTrustedSource.java:22:60:22:61 | ip |
-| UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
-| UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) : String | UseOfLessTrustedSource.java:26:64:26:65 | ip |
-| UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
-| UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) : String | UseOfLessTrustedSource.java:30:67:30:68 | ip |
-| UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
-| UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) : String | UseOfLessTrustedSource.java:34:63:34:64 | ip |
-| UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
-| UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) : String | UseOfLessTrustedSource.java:38:69:38:70 | ip |
-| UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
-| UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | UseOfLessTrustedSource.java:42:58:42:59 | ip |
-| UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... |
-| UseOfLessTrustedSource.java:53:21:53:33 | getClientIP(...) : String | UseOfLessTrustedSource.java:54:37:54:38 | ip |
-| UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) : String | UseOfLessTrustedSource.java:78:16:78:37 | ...[...] : String |
-| UseOfLessTrustedSource.java:78:16:78:37 | ...[...] : String | UseOfLessTrustedSource.java:53:21:53:33 | getClientIP(...) : String |
+| UseOfLessTrustedSource.java:16:21:16:33 | getClientIP(...) : String | UseOfLessTrustedSource.java:17:37:17:38 | ip |
+| UseOfLessTrustedSource.java:37:27:37:62 | getHeader(...) : String | UseOfLessTrustedSource.java:41:16:41:37 | ...[...] : String |
+| UseOfLessTrustedSource.java:41:16:41:37 | ...[...] : String | UseOfLessTrustedSource.java:16:21:16:33 | getClientIP(...) : String |
 nodes
-| UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| UseOfLessTrustedSource.java:22:60:22:61 | ip | semmle.label | ip |
-| UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| UseOfLessTrustedSource.java:26:64:26:65 | ip | semmle.label | ip |
-| UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| UseOfLessTrustedSource.java:30:67:30:68 | ip | semmle.label | ip |
-| UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| UseOfLessTrustedSource.java:34:63:34:64 | ip | semmle.label | ip |
-| UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| UseOfLessTrustedSource.java:38:69:38:70 | ip | semmle.label | ip |
-| UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| UseOfLessTrustedSource.java:42:58:42:59 | ip | semmle.label | ip |
-| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | semmle.label | ... + ... |
-| UseOfLessTrustedSource.java:53:21:53:33 | getClientIP(...) : String | semmle.label | getClientIP(...) : String |
-| UseOfLessTrustedSource.java:54:37:54:38 | ip | semmle.label | ip |
-| UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| UseOfLessTrustedSource.java:78:16:78:37 | ...[...] : String | semmle.label | ...[...] : String |
+| UseOfLessTrustedSource.java:16:21:16:33 | getClientIP(...) : String | semmle.label | getClientIP(...) : String |
+| UseOfLessTrustedSource.java:17:37:17:38 | ip | semmle.label | ip |
+| UseOfLessTrustedSource.java:37:27:37:62 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| UseOfLessTrustedSource.java:41:16:41:37 | ...[...] : String | semmle.label | ...[...] : String |
 #select
-| UseOfLessTrustedSource.java:22:60:22:61 | ip | UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) : String | UseOfLessTrustedSource.java:22:60:22:61 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) | this user input |
-| UseOfLessTrustedSource.java:26:64:26:65 | ip | UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) : String | UseOfLessTrustedSource.java:26:64:26:65 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) | this user input |
-| UseOfLessTrustedSource.java:30:67:30:68 | ip | UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) : String | UseOfLessTrustedSource.java:30:67:30:68 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) | this user input |
-| UseOfLessTrustedSource.java:34:63:34:64 | ip | UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) : String | UseOfLessTrustedSource.java:34:63:34:64 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) | this user input |
-| UseOfLessTrustedSource.java:38:69:38:70 | ip | UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) : String | UseOfLessTrustedSource.java:38:69:38:70 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) | this user input |
-| UseOfLessTrustedSource.java:42:58:42:59 | ip | UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | UseOfLessTrustedSource.java:42:58:42:59 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) | this user input |
-| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:20:21:20:56 | getHeader(...) | this user input |
-| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:25:18:25:53 | getHeader(...) | this user input |
-| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:29:18:29:56 | getHeader(...) | this user input |
-| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:33:18:33:52 | getHeader(...) | this user input |
-| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:37:18:37:58 | getHeader(...) | this user input |
-| UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) : String | UseOfLessTrustedSource.java:48:28:48:48 | ... + ... | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:41:18:41:47 | getHeader(...) | this user input |
-| UseOfLessTrustedSource.java:54:37:54:38 | ip | UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) : String | UseOfLessTrustedSource.java:54:37:54:38 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:74:27:74:62 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:17:37:17:38 | ip | UseOfLessTrustedSource.java:37:27:37:62 | getHeader(...) : String | UseOfLessTrustedSource.java:17:37:17:38 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:37:27:37:62 | getHeader(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java
index 22d7100223c..35a66dc2731 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java
@@ -1,7 +1,5 @@
 import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang3.StringUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -10,46 +8,11 @@ import org.springframework.web.bind.annotation.ResponseBody;
 @Controller
 public class UseOfLessTrustedSource {
 
-    private static final Logger log = LoggerFactory.getLogger(UseOfLessTrustedSource.class);
-
     @Autowired
     private HttpServletRequest request;
 
     @GetMapping(value = "bad1")
     public void bad1(HttpServletRequest request) {
-        String ip = request.getHeader("X-Forwarded-For");
-
-        log.debug("getClientIP header X-Forwarded-For:{}", ip);
-
-        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
-            ip = request.getHeader("Proxy-Client-IP");
-            log.debug("getClientIP header Proxy-Client-IP:{}", ip);
-        }
-        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
-            ip = request.getHeader("WL-Proxy-Client-IP");
-            log.debug("getClientIP header WL-Proxy-Client-IP:{}", ip);
-        }
-        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
-            ip = request.getHeader("HTTP_CLIENT_IP");
-            log.debug("getClientIP header HTTP_CLIENT_IP:{}", ip);
-        }
-        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
-            ip = request.getHeader("HTTP_X_FORWARDED_FOR");
-            log.debug("getClientIP header HTTP_X_FORWARDED_FOR:{}", ip);
-        }
-        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
-            ip = request.getHeader("X-Real-IP");
-            log.debug("getClientIP header X-Real-IP:{}", ip);
-        }
-        if (StringUtils.isBlank(ip) || StringUtils.equalsIgnoreCase("unknown", ip)) {
-            ip = request.getRemoteAddr();
-            log.debug("getRemoteAddr IP:{}", ip);
-        }
-        System.out.println("client ip is: " + ip);
-    }
-
-    @GetMapping(value = "bad2")
-    public void bad2(HttpServletRequest request) {
         String ip = getClientIP();
         if (!StringUtils.startsWith(ip, "192.168.")) {
             new Exception("ip illegal");
diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/options b/java/ql/test/experimental/query-tests/security/CWE-348/options
index 7edf075ba8e..05f93394f49 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-348/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-348/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.2.3/:${testdir}/../../../../stubs/slf4j-api-1.6.4/:${testdir}/../../../../stubs/apache-commons-lang3-3.7/
\ No newline at end of file
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.2.3/:${testdir}/../../../../stubs/apache-commons-lang3-3.7/
\ No newline at end of file
diff --git a/java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/Logger.java b/java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/Logger.java
deleted file mode 100644
index 1d8b7ea2318..00000000000
--- a/java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/Logger.java
+++ /dev/null
@@ -1,127 +0,0 @@
-package org.slf4j;
-
-public interface Logger {
-    String ROOT_LOGGER_NAME = "ROOT";
-
-    String getName();
-
-    boolean isTraceEnabled();
-
-    void trace(String var1);
-
-    void trace(String var1, Object var2);
-
-    void trace(String var1, Object var2, Object var3);
-
-    void trace(String var1, Object[] var2);
-
-    void trace(String var1, Throwable var2);
-
-    boolean isTraceEnabled(Marker var1);
-
-    void trace(Marker var1, String var2);
-
-    void trace(Marker var1, String var2, Object var3);
-
-    void trace(Marker var1, String var2, Object var3, Object var4);
-
-    void trace(Marker var1, String var2, Object[] var3);
-
-    void trace(Marker var1, String var2, Throwable var3);
-
-    boolean isDebugEnabled();
-
-    void debug(String var1);
-
-    void debug(String var1, Object var2);
-
-    void debug(String var1, Object var2, Object var3);
-
-    void debug(String var1, Object[] var2);
-
-    void debug(String var1, Throwable var2);
-
-    boolean isDebugEnabled(Marker var1);
-
-    void debug(Marker var1, String var2);
-
-    void debug(Marker var1, String var2, Object var3);
-
-    void debug(Marker var1, String var2, Object var3, Object var4);
-
-    void debug(Marker var1, String var2, Object[] var3);
-
-    void debug(Marker var1, String var2, Throwable var3);
-
-    boolean isInfoEnabled();
-
-    void info(String var1);
-
-    void info(String var1, Object var2);
-
-    void info(String var1, Object var2, Object var3);
-
-    void info(String var1, Object[] var2);
-
-    void info(String var1, Throwable var2);
-
-    boolean isInfoEnabled(Marker var1);
-
-    void info(Marker var1, String var2);
-
-    void info(Marker var1, String var2, Object var3);
-
-    void info(Marker var1, String var2, Object var3, Object var4);
-
-    void info(Marker var1, String var2, Object[] var3);
-
-    void info(Marker var1, String var2, Throwable var3);
-
-    boolean isWarnEnabled();
-
-    void warn(String var1);
-
-    void warn(String var1, Object var2);
-
-    void warn(String var1, Object[] var2);
-
-    void warn(String var1, Object var2, Object var3);
-
-    void warn(String var1, Throwable var2);
-
-    boolean isWarnEnabled(Marker var1);
-
-    void warn(Marker var1, String var2);
-
-    void warn(Marker var1, String var2, Object var3);
-
-    void warn(Marker var1, String var2, Object var3, Object var4);
-
-    void warn(Marker var1, String var2, Object[] var3);
-
-    void warn(Marker var1, String var2, Throwable var3);
-
-    boolean isErrorEnabled();
-
-    void error(String var1);
-
-    void error(String var1, Object var2);
-
-    void error(String var1, Object var2, Object var3);
-
-    void error(String var1, Object[] var2);
-
-    void error(String var1, Throwable var2);
-
-    boolean isErrorEnabled(Marker var1);
-
-    void error(Marker var1, String var2);
-
-    void error(Marker var1, String var2, Object var3);
-
-    void error(Marker var1, String var2, Object var3, Object var4);
-
-    void error(Marker var1, String var2, Object[] var3);
-
-    void error(Marker var1, String var2, Throwable var3);
-}
\ No newline at end of file
diff --git a/java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/LoggerFactory.java b/java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/LoggerFactory.java
deleted file mode 100644
index 21ef158130a..00000000000
--- a/java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/LoggerFactory.java
+++ /dev/null
@@ -1,21 +0,0 @@
-package org.slf4j;
-
-import java.io.IOException;
-import java.net.URL;
-import java.util.Arrays;
-import java.util.Enumeration;
-import java.util.Iterator;
-import java.util.LinkedHashSet;
-import java.util.List;
-
-public final class LoggerFactory {
-
-    public static Logger getLogger(String name) {
-        return null;
-    }
-
-    public static Logger getLogger(Class clazz) {
-        return null;
-    }
-
-}
\ No newline at end of file
diff --git a/java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/Marker.java b/java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/Marker.java
deleted file mode 100644
index e6ac4846a79..00000000000
--- a/java/ql/test/stubs/slf4j-api-1.6.4/org/slf4j/Marker.java
+++ /dev/null
@@ -1,30 +0,0 @@
-package org.slf4j;
-
-import java.io.Serializable;
-import java.util.Iterator;
-
-public interface Marker extends Serializable {
-    String ANY_MARKER = "*";
-    String ANY_NON_NULL_MARKER = "+";
-
-    String getName();
-
-    void add(Marker var1);
-
-    boolean remove(Marker var1);
-
-    /** @deprecated */
-    boolean hasChildren();
-
-    boolean hasReferences();
-
-    Iterator iterator();
-
-    boolean contains(Marker var1);
-
-    boolean contains(String var1);
-
-    boolean equals(Object var1);
-
-    int hashCode();
-}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/ObjectUtils.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/ObjectUtils.java
deleted file mode 100644
index a5a51786d20..00000000000
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/ObjectUtils.java
+++ /dev/null
@@ -1,202 +0,0 @@
-package org.springframework.util;
-
-import java.lang.reflect.Array;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Map;
-import java.util.Optional;
-import java.util.StringJoiner;
-import org.springframework.lang.Nullable;
-
-public abstract class ObjectUtils {
-
-    private static final int INITIAL_HASH = 7;
-    private static final int MULTIPLIER = 31;
-    private static final String EMPTY_STRING = "";
-    private static final String NULL_STRING = "null";
-    private static final String ARRAY_START = "{";
-    private static final String ARRAY_END = "}";
-    private static final String EMPTY_ARRAY = "{}";
-    private static final String ARRAY_ELEMENT_SEPARATOR = ", ";
-    private static final Object[] EMPTY_OBJECT_ARRAY = new Object[0];
-
-    public ObjectUtils() {
-    }
-
-    public static boolean isCheckedException(Throwable ex) {
-        return false;
-    }
-
-    public static boolean isCompatibleWithThrowsClause(Throwable ex, @Nullable Class<?>... declaredExceptions) {
-        return false;
-    }
-
-    public static boolean isArray(@Nullable Object obj) {
-        return false;
-    }
-
-    public static boolean isEmpty(@Nullable Object[] array) {
-        return false;
-    }
-
-    public static boolean isEmpty(@Nullable Object obj) {
-        return false;
-    }
-
-    @Nullable
-    public static Object unwrapOptional(@Nullable Object obj) {
-        return null;
-    }
-
-    public static boolean containsElement(@Nullable Object[] array, Object element) {
-        return true;
-    }
-
-    public static boolean containsConstant(Enum<?>[] enumValues, String constant) {
-        return true;
-    }
-
-    public static boolean containsConstant(Enum<?>[] enumValues, String constant, boolean caseSensitive) {  
-        return true;
-    }
-
-    public static <E extends Enum<?>> E caseInsensitiveValueOf(E[] enumValues, String constant) {
-        return null;
-    }
-
-    public static <A, O extends A> A[] addObjectToArray(@Nullable A[] array, @Nullable O obj) {
-        return null;
-    }
-
-    public static Object[] toObjectArray(@Nullable Object source) {
-        return null;
-    }
-
-    public static boolean nullSafeEquals(@Nullable Object o1, @Nullable Object o2) {
-        return false;
-    }
-
-    private static boolean arrayEquals(Object o1, Object o2) {
-        return false;
-    }
-
-    public static int nullSafeHashCode(@Nullable Object obj) {
-        return 1;
-    }
-
-    public static int nullSafeHashCode(@Nullable Object[] array) {
-        return 1;
-    }
-
-    public static int nullSafeHashCode(@Nullable boolean[] array) {
-        return 1;
-    }
-
-    public static int nullSafeHashCode(@Nullable byte[] array) {
-        return 1;
-    }
-
-    public static int nullSafeHashCode(@Nullable char[] array) {
-        return 1;
-    }
-
-    public static int nullSafeHashCode(@Nullable double[] array) {
-        return 1;
-    }
-
-    public static int nullSafeHashCode(@Nullable float[] array) {
-        return 1;
-    }
-
-    public static int nullSafeHashCode(@Nullable int[] array) {
-        return 1;
-    }
-
-    public static int nullSafeHashCode(@Nullable long[] array) {
-        return 1;
-    }
-
-    public static int nullSafeHashCode(@Nullable short[] array) {
-        return 1;
-    }
-
-    /** @deprecated */
-    @Deprecated
-    public static int hashCode(boolean bool) {
-        return 1;
-    }
-
-    /** @deprecated */
-    @Deprecated
-    public static int hashCode(double dbl) {
-        return 1;
-    }
-
-    /** @deprecated */
-    @Deprecated
-    public static int hashCode(float flt) {
-        return 1;
-    }
-
-    /** @deprecated */
-    @Deprecated
-    public static int hashCode(long lng) {
-        return 1;
-    }
-
-    public static String identityToString(@Nullable Object obj) {
-        return "";
-    }
-
-    public static String getIdentityHexString(Object obj) {
-        return "";
-    }
-
-    public static String getDisplayString(@Nullable Object obj) {
-        return "";
-    }
-
-    public static String nullSafeClassName(@Nullable Object obj) {
-        return "";
-    }
-
-    public static String nullSafeToString(@Nullable Object obj) {
-        return "";
-    }
-
-    public static String nullSafeToString(@Nullable Object[] array) {
-        return "";
-    }
-
-    public static String nullSafeToString(@Nullable boolean[] array) {
-        return "";
-    }
-
-    public static String nullSafeToString(@Nullable byte[] array) {
-        return "";
-    }
-
-    public static String nullSafeToString(@Nullable char[] array) {
-        return "";
-    }
-
-    public static String nullSafeToString(@Nullable double[] array) {
-        return "";
-    }
-
-    public static String nullSafeToString(@Nullable float[] array) {
-        return "";
-    }
-
-    public static String nullSafeToString(@Nullable int[] array) {
-        return "";
-    }
-
-    public static String nullSafeToString(@Nullable long[] array) {
-        return "";
-    }
-
-    public static String nullSafeToString(@Nullable short[] array) {
-        return "";
-    }
-}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/StringUtils.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/StringUtils.java
deleted file mode 100644
index a78d47e44c6..00000000000
--- a/java/ql/test/stubs/springframework-5.2.3/org/springframework/util/StringUtils.java
+++ /dev/null
@@ -1,30 +0,0 @@
-package org.springframework.util;
-
-import java.io.ByteArrayOutputStream;
-import java.nio.charset.Charset;
-import java.util.ArrayDeque;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Deque;
-import java.util.Enumeration;
-import java.util.Iterator;
-import java.util.LinkedHashSet;
-import java.util.List;
-import java.util.Locale;
-import java.util.Properties;
-import java.util.Set;
-import java.util.StringJoiner;
-import java.util.StringTokenizer;
-import java.util.TimeZone;
-import org.springframework.lang.Nullable;
-
-public abstract class StringUtils {
-  
-    @Deprecated
-    public static boolean isEmpty(@Nullable Object str) {
-        return true;
-    }
-
-}

From 0b322a31438dc1c16d5048d59aa547a629272fc5 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 27 Apr 2021 08:53:15 +0200
Subject: [PATCH 0668/1429] update JS/TS versions to reflect supported versions

---
 docs/codeql/support/reusables/versions-compilers.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/codeql/support/reusables/versions-compilers.rst b/docs/codeql/support/reusables/versions-compilers.rst
index ff49b01a441..9bc3c855e58 100644
--- a/docs/codeql/support/reusables/versions-compilers.rst
+++ b/docs/codeql/support/reusables/versions-compilers.rst
@@ -20,9 +20,9 @@
    Java,"Java 7 to 15 [3]_","javac (OpenJDK and Oracle JDK),
 
    Eclipse compiler for Java (ECJ) [4]_",``.java``
-   JavaScript,ECMAScript 2019 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhm``, ``.xhtml``, ``.vue``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [5]_"
+   JavaScript,ECMAScript 2021 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhm``, ``.xhtml``, ``.vue``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [5]_"
    Python,"2.7, 3.5, 3.6, 3.7, 3.8",Not applicable,``.py``
-   TypeScript [6]_,"2.6-3.7",Standard TypeScript compiler,"``.ts``, ``.tsx``"
+   TypeScript [6]_,"2.6-4.2",Standard TypeScript compiler,"``.ts``, ``.tsx``"
 
 .. container:: footnote-group
 

From 0c3e2b9ab7e54cc6585d93132cea2a3a358f437f Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Tue, 27 Apr 2021 10:11:32 +0300
Subject: [PATCH 0669/1429] Update test.c

---
 .../Security/CWE/CWE-415/semmle/tests/test.c         | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c
index c9be64a645c..22cd6a536f4 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c
@@ -23,7 +23,7 @@ void workFunction_2(char *s) {
   buf = (char *) malloc(intSize);
   free(buf); // GOOD
   buf = NULL;
-  free(buf);
+  free(buf); // GOOD
 }
 void workFunction_3(char *s) {
   int intSize = 10;
@@ -31,10 +31,10 @@ void workFunction_3(char *s) {
   int intFlag;
   buf = (char *) malloc(intSize);
   if(buf[1]%5) {
-    free(buf);
+    free(buf); // GOOD
     buf = NULL;
   }
-  free(buf);
+  free(buf); // GOOD
 }
 void workFunction_4(char *s) {
   int intSize = 10;
@@ -52,7 +52,7 @@ void workFunction_5(char *s) {
   int intFlag;
   buf = (char *) malloc(intSize);
   if(intFlag) {
-    free(buf);
+    free(buf); // GOOD
   }
   free(buf); // BAD
 }
@@ -64,10 +64,10 @@ void workFunction_6(char *s) {
   tmpbuf = (char *) malloc(intSize);
   buf = (char *) malloc(intSize);
   if(intFlag) {
-    free(buf);
+    free(buf); // GOOD
     buf = tmpbuf;
   }
-  free(buf);
+  free(buf); // GOOD
 }
 void workFunction_7(char *s) {
   int intSize = 10;

From 05d693e3bb68bbece3a966d5b6c3afce6ee5ead1 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 27 Apr 2021 09:41:13 +0200
Subject: [PATCH 0670/1429] C++: Also include the assignment versions in
 exprThatCanOverflow.

---
 .../src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll b/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
index 2afe26bc3e0..79dbe49611e 100644
--- a/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll
@@ -1626,7 +1626,9 @@ private module SimpleRangeAnalysisCached {
   private predicate exprThatCanOverflow(Expr e) {
     e instanceof UnaryArithmeticOperation or
     e instanceof BinaryArithmeticOperation or
-    e instanceof LShiftExpr
+    e instanceof AssignArithmeticOperation or
+    e instanceof LShiftExpr or
+    e instanceof AssignLShiftExpr
   }
 
   /**

From a41e9055c564088f7ba32357cc53e48beaf6d0a0 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 27 Apr 2021 09:43:02 +0200
Subject: [PATCH 0671/1429] C++: Delete the fix that was introduced in
 bb447d7174141dc518e6ce90367121280fec1d80. This is no longer needed after
 #5678.

---
 .../src/semmle/code/cpp/security/Overflow.qll | 22 +++++++++----------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/security/Overflow.qll b/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
index 465e64b9b6c..6cf82791d52 100644
--- a/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
@@ -99,12 +99,11 @@ VariableAccess varUse(LocalScopeVariable v) { result = v.getAnAccess() }
  * Holds if `e` potentially overflows and `use` is an operand of `e` that is not guarded.
  */
 predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
-  (
-    convertedExprMightOverflowPositively(e)
-    or
-    // Ensure that the predicate holds when range analysis cannot determine an upper bound
-    upperBound(e.getFullyConverted()) = exprMaxVal(e.getFullyConverted())
-  ) and
+  // Since `e` is guarenteed to be a `BinaryArithmeticOperation`, a `UnaryArithmeticOperation` or
+  // an `AssignArithmeticOperation` by the other constraints in this predicate, we know that
+  // `convertedExprMightOverflowPositively` will have a result even when `e` is not analyzable
+  // by `SimpleRangeAnalysis`.
+  convertedExprMightOverflowPositively(e) and
   use = e.getAnOperand() and
   exists(LocalScopeVariable v | use.getTarget() = v |
     // overflow possible if large
@@ -126,12 +125,11 @@ predicate missingGuardAgainstOverflow(Operation e, VariableAccess use) {
  * Holds if `e` potentially underflows and `use` is an operand of `e` that is not guarded.
  */
 predicate missingGuardAgainstUnderflow(Operation e, VariableAccess use) {
-  (
-    convertedExprMightOverflowNegatively(e)
-    or
-    // Ensure that the predicate holds when range analysis cannot determine a lower bound
-    lowerBound(e.getFullyConverted()) = exprMinVal(e.getFullyConverted())
-  ) and
+  // Since `e` is guarenteed to be a `BinaryArithmeticOperation`, a `UnaryArithmeticOperation` or
+  // an `AssignArithmeticOperation` by the other constraints in this predicate, we know that
+  // `convertedExprMightOverflowNegatively` will have a result even when `e` is not analyzable
+  // by `SimpleRangeAnalysis`.
+  convertedExprMightOverflowNegatively(e) and
   use = e.getAnOperand() and
   exists(LocalScopeVariable v | use.getTarget() = v |
     // underflow possible if use is left operand and small

From 04a785b9fb438e61e2af3b4dc788930260b4f8df Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 27 Apr 2021 09:43:27 +0200
Subject: [PATCH 0672/1429] C++: Accept test changes.

---
 .../CWE-190/semmle/extreme/ArithmeticWithExtremeValues.expected | 1 -
 .../test/query-tests/Security/CWE/CWE-190/semmle/extreme/test.c | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/ArithmeticWithExtremeValues.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/ArithmeticWithExtremeValues.expected
index 77b08e62d83..cbaf5d63079 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/ArithmeticWithExtremeValues.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/ArithmeticWithExtremeValues.expected
@@ -3,5 +3,4 @@
 | test.c:50:3:50:5 | sc3 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:49:9:49:16 | 127 | Extreme value |
 | test.c:59:3:59:5 | sc6 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:58:9:58:16 | 127 | Extreme value |
 | test.c:63:3:63:5 | sc8 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:62:9:62:16 | - ... | Extreme value |
-| test.c:75:3:75:5 | sc1 | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:74:9:74:16 | 127 | Extreme value |
 | test.c:124:9:124:9 | x | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:118:17:118:23 | 2147483647 | Extreme value |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/test.c
index ee2e041db3c..8760641c8e2 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/test.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/extreme/test.c
@@ -72,7 +72,7 @@ void test_negatives() {
   signed char sc1, sc2, sc3, sc4, sc5, sc6, sc7, sc8;
 
   sc1 = CHAR_MAX;
-  sc1 += 0; // GOOD [FALSE POSITIVE]
+  sc1 += 0; // GOOD
   sc1 += -1; // GOOD
   sc2 = CHAR_MIN;
   sc2 += -1; // BAD [NOT DETECTED]

From 017beb6786e275f39f11a73535ceb286118b08d5 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Tue, 27 Apr 2021 10:07:33 +0200
Subject: [PATCH 0673/1429] Java: Use separate data-flow copy for
 `PredictableSeedFlowConfiguration`

---
 config/identical-files.json                   |    1 +
 .../semmle/code/java/dataflow/DataFlow6.qll   |   10 +
 .../java/dataflow/internal/DataFlowImpl6.qll  | 4166 +++++++++++++++++
 .../src/semmle/code/java/security/Random.qll  |   12 +-
 4 files changed, 4183 insertions(+), 6 deletions(-)
 create mode 100644 java/ql/src/semmle/code/java/dataflow/DataFlow6.qll
 create mode 100644 java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll

diff --git a/config/identical-files.json b/config/identical-files.json
index 3916e95a0cf..8cfca3596c5 100644
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -5,6 +5,7 @@
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
diff --git a/java/ql/src/semmle/code/java/dataflow/DataFlow6.qll b/java/ql/src/semmle/code/java/dataflow/DataFlow6.qll
new file mode 100644
index 00000000000..28fa11da475
--- /dev/null
+++ b/java/ql/src/semmle/code/java/dataflow/DataFlow6.qll
@@ -0,0 +1,10 @@
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) data flow analyses.
+ */
+
+import java
+
+module DataFlow6 {
+  import semmle.code.java.dataflow.internal.DataFlowImpl6
+}
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
new file mode 100644
index 00000000000..9498e51e7e6
--- /dev/null
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
@@ -0,0 +1,4166 @@
+/**
+ * Provides an implementation of global (interprocedural) data flow. This file
+ * re-exports the local (intraprocedural) data flow analysis from
+ * `DataFlowImplSpecific::Public` and adds a global analysis, mainly exposed
+ * through the `Configuration` class. This file exists in several identical
+ * copies, allowing queries to use multiple `Configuration` classes that depend
+ * on each other without introducing mutual recursion among those configurations.
+ */
+
+private import DataFlowImplCommon
+private import DataFlowImplSpecific::Private
+import DataFlowImplSpecific::Public
+
+/**
+ * A configuration of interprocedural data flow analysis. This defines
+ * sources, sinks, and any other configurable aspect of the analysis. Each
+ * use of the global data flow library must define its own unique extension
+ * of this abstract class. To create a configuration, extend this class with
+ * a subclass whose characteristic predicate is a unique singleton string.
+ * For example, write
+ *
+ * ```ql
+ * class MyAnalysisConfiguration extends DataFlow::Configuration {
+ *   MyAnalysisConfiguration() { this = "MyAnalysisConfiguration" }
+ *   // Override `isSource` and `isSink`.
+ *   // Optionally override `isBarrier`.
+ *   // Optionally override `isAdditionalFlowStep`.
+ * }
+ * ```
+ * Conceptually, this defines a graph where the nodes are `DataFlow::Node`s and
+ * the edges are those data-flow steps that preserve the value of the node
+ * along with any additional edges defined by `isAdditionalFlowStep`.
+ * Specifying nodes in `isBarrier` will remove those nodes from the graph, and
+ * specifying nodes in `isBarrierIn` and/or `isBarrierOut` will remove in-going
+ * and/or out-going edges from those nodes, respectively.
+ *
+ * Then, to query whether there is flow between some `source` and `sink`,
+ * write
+ *
+ * ```ql
+ * exists(MyAnalysisConfiguration cfg | cfg.hasFlow(source, sink))
+ * ```
+ *
+ * Multiple configurations can coexist, but two classes extending
+ * `DataFlow::Configuration` should never depend on each other. One of them
+ * should instead depend on a `DataFlow2::Configuration`, a
+ * `DataFlow3::Configuration`, or a `DataFlow4::Configuration`.
+ */
+abstract class Configuration extends string {
+  bindingset[this]
+  Configuration() { any() }
+
+  /**
+   * Holds if `source` is a relevant data flow source.
+   */
+  abstract predicate isSource(Node source);
+
+  /**
+   * Holds if `sink` is a relevant data flow sink.
+   */
+  abstract predicate isSink(Node sink);
+
+  /**
+   * Holds if data flow through `node` is prohibited. This completely removes
+   * `node` from the data flow graph.
+   */
+  predicate isBarrier(Node node) { none() }
+
+  /** Holds if data flow into `node` is prohibited. */
+  predicate isBarrierIn(Node node) { none() }
+
+  /** Holds if data flow out of `node` is prohibited. */
+  predicate isBarrierOut(Node node) { none() }
+
+  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
+  predicate isBarrierGuard(BarrierGuard guard) { none() }
+
+  /**
+   * Holds if the additional flow step from `node1` to `node2` must be taken
+   * into account in the analysis.
+   */
+  predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
+
+  /**
+   * Gets the virtual dispatch branching limit when calculating field flow.
+   * This can be overridden to a smaller value to improve performance (a
+   * value of 0 disables field flow), or a larger value to get more results.
+   */
+  int fieldFlowBranchLimit() { result = 2 }
+
+  /**
+   * Holds if data may flow from `source` to `sink` for this configuration.
+   */
+  predicate hasFlow(Node source, Node sink) { flowsTo(source, sink, this) }
+
+  /**
+   * Holds if data may flow from `source` to `sink` for this configuration.
+   *
+   * The corresponding paths are generated from the end-points and the graph
+   * included in the module `PathGraph`.
+   */
+  predicate hasFlowPath(PathNode source, PathNode sink) { flowsTo(source, sink, _, _, this) }
+
+  /**
+   * Holds if data may flow from some source to `sink` for this configuration.
+   */
+  predicate hasFlowTo(Node sink) { hasFlow(_, sink) }
+
+  /**
+   * Holds if data may flow from some source to `sink` for this configuration.
+   */
+  predicate hasFlowToExpr(DataFlowExpr sink) { hasFlowTo(exprNode(sink)) }
+
+  /**
+   * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+   * measured in approximate number of interprocedural steps.
+   */
+  int explorationLimit() { none() }
+
+  /**
+   * Holds if there is a partial data flow path from `source` to `node`. The
+   * approximate distance between `node` and the closest source is `dist` and
+   * is restricted to be less than or equal to `explorationLimit()`. This
+   * predicate completely disregards sink definitions.
+   *
+   * This predicate is intended for data-flow exploration and debugging and may
+   * perform poorly if the number of sources is too big and/or the exploration
+   * limit is set too high without using barriers.
+   *
+   * This predicate is disabled (has no results) by default. Override
+   * `explorationLimit()` with a suitable number to enable this predicate.
+   *
+   * To use this in a `path-problem` query, import the module `PartialPathGraph`.
+   */
+  final predicate hasPartialFlow(PartialPathNode source, PartialPathNode node, int dist) {
+    partialFlow(source, node, this) and
+    dist = node.getSourceDistance()
+  }
+
+  /**
+   * Holds if there is a partial data flow path from `node` to `sink`. The
+   * approximate distance between `node` and the closest sink is `dist` and
+   * is restricted to be less than or equal to `explorationLimit()`. This
+   * predicate completely disregards source definitions.
+   *
+   * This predicate is intended for data-flow exploration and debugging and may
+   * perform poorly if the number of sinks is too big and/or the exploration
+   * limit is set too high without using barriers.
+   *
+   * This predicate is disabled (has no results) by default. Override
+   * `explorationLimit()` with a suitable number to enable this predicate.
+   *
+   * To use this in a `path-problem` query, import the module `PartialPathGraph`.
+   *
+   * Note that reverse flow has slightly lower precision than the corresponding
+   * forward flow, as reverse flow disregards type pruning among other features.
+   */
+  final predicate hasPartialFlowRev(PartialPathNode node, PartialPathNode sink, int dist) {
+    revPartialFlow(node, sink, this) and
+    dist = node.getSinkDistance()
+  }
+}
+
+/**
+ * This class exists to prevent mutual recursion between the user-overridden
+ * member predicates of `Configuration` and the rest of the data-flow library.
+ * Good performance cannot be guaranteed in the presence of such recursion, so
+ * it should be replaced by using more than one copy of the data flow library.
+ */
+abstract private class ConfigurationRecursionPrevention extends Configuration {
+  bindingset[this]
+  ConfigurationRecursionPrevention() { any() }
+
+  override predicate hasFlow(Node source, Node sink) {
+    strictcount(Node n | this.isSource(n)) < 0
+    or
+    strictcount(Node n | this.isSink(n)) < 0
+    or
+    strictcount(Node n1, Node n2 | this.isAdditionalFlowStep(n1, n2)) < 0
+    or
+    super.hasFlow(source, sink)
+  }
+}
+
+private predicate inBarrier(Node node, Configuration config) {
+  config.isBarrierIn(node) and
+  config.isSource(node)
+}
+
+private predicate outBarrier(Node node, Configuration config) {
+  config.isBarrierOut(node) and
+  config.isSink(node)
+}
+
+private predicate fullBarrier(Node node, Configuration config) {
+  config.isBarrier(node)
+  or
+  config.isBarrierIn(node) and
+  not config.isSource(node)
+  or
+  config.isBarrierOut(node) and
+  not config.isSink(node)
+  or
+  exists(BarrierGuard g |
+    config.isBarrierGuard(g) and
+    node = g.getAGuardedNode()
+  )
+}
+
+/**
+ * Holds if data can flow in one local step from `node1` to `node2`.
+ */
+private predicate localFlowStep(Node node1, Node node2, Configuration config) {
+  (
+    simpleLocalFlowStep(node1, node2) or
+    reverseStepThroughInputOutputAlias(node1, node2)
+  ) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
+  not fullBarrier(node1, config) and
+  not fullBarrier(node2, config)
+}
+
+/**
+ * Holds if the additional step from `node1` to `node2` does not jump between callables.
+ */
+private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration config) {
+  config.isAdditionalFlowStep(node1, node2) and
+  getNodeEnclosingCallable(node1) = getNodeEnclosingCallable(node2) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
+  not fullBarrier(node1, config) and
+  not fullBarrier(node2, config)
+}
+
+/**
+ * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
+ */
+private predicate jumpStep(Node node1, Node node2, Configuration config) {
+  jumpStep(node1, node2) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
+  not fullBarrier(node1, config) and
+  not fullBarrier(node2, config)
+}
+
+/**
+ * Holds if the additional step from `node1` to `node2` jumps between callables.
+ */
+private predicate additionalJumpStep(Node node1, Node node2, Configuration config) {
+  config.isAdditionalFlowStep(node1, node2) and
+  getNodeEnclosingCallable(node1) != getNodeEnclosingCallable(node2) and
+  not outBarrier(node1, config) and
+  not inBarrier(node2, config) and
+  not fullBarrier(node1, config) and
+  not fullBarrier(node2, config)
+}
+
+/**
+ * Holds if field flow should be used for the given configuration.
+ */
+private predicate useFieldFlow(Configuration config) { config.fieldFlowBranchLimit() >= 1 }
+
+private module Stage1 {
+  class ApApprox = Unit;
+
+  class Ap = Unit;
+
+  class ApOption = Unit;
+
+  class Cc = boolean;
+
+  /* Begin: Stage 1 logic. */
+  /**
+   * Holds if `node` is reachable from a source in the configuration `config`.
+   *
+   * The Boolean `cc` records whether the node is reached through an
+   * argument in a call.
+   */
+  predicate fwdFlow(Node node, Cc cc, Configuration config) {
+    not fullBarrier(node, config) and
+    (
+      config.isSource(node) and
+      cc = false
+      or
+      exists(Node mid |
+        fwdFlow(mid, cc, config) and
+        localFlowStep(mid, node, config)
+      )
+      or
+      exists(Node mid |
+        fwdFlow(mid, cc, config) and
+        additionalLocalFlowStep(mid, node, config)
+      )
+      or
+      exists(Node mid |
+        fwdFlow(mid, _, config) and
+        jumpStep(mid, node, config) and
+        cc = false
+      )
+      or
+      exists(Node mid |
+        fwdFlow(mid, _, config) and
+        additionalJumpStep(mid, node, config) and
+        cc = false
+      )
+      or
+      // store
+      exists(Node mid |
+        useFieldFlow(config) and
+        fwdFlow(mid, cc, config) and
+        store(mid, _, node, _) and
+        not outBarrier(mid, config)
+      )
+      or
+      // read
+      exists(Content c |
+        fwdFlowRead(c, node, cc, config) and
+        fwdFlowConsCand(c, config) and
+        not inBarrier(node, config)
+      )
+      or
+      // flow into a callable
+      exists(Node arg |
+        fwdFlow(arg, _, config) and
+        viableParamArg(_, node, arg) and
+        cc = true
+      )
+      or
+      // flow out of a callable
+      exists(DataFlowCall call |
+        fwdFlowOut(call, node, false, config) and
+        cc = false
+        or
+        fwdFlowOutFromArg(call, node, config) and
+        fwdFlowIsEntered(call, cc, config)
+      )
+    )
+  }
+
+  private predicate fwdFlow(Node node, Configuration config) { fwdFlow(node, _, config) }
+
+  pragma[nomagic]
+  private predicate fwdFlowRead(Content c, Node node, Cc cc, Configuration config) {
+    exists(Node mid |
+      fwdFlow(mid, cc, config) and
+      read(mid, c, node)
+    )
+  }
+
+  /**
+   * Holds if `c` is the target of a store in the flow covered by `fwdFlow`.
+   */
+  pragma[nomagic]
+  private predicate fwdFlowConsCand(Content c, Configuration config) {
+    exists(Node mid, Node node, TypedContent tc |
+      not fullBarrier(node, config) and
+      useFieldFlow(config) and
+      fwdFlow(mid, _, config) and
+      store(mid, tc, node, _) and
+      c = tc.getContent()
+    )
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlowReturnPosition(ReturnPosition pos, Cc cc, Configuration config) {
+    exists(ReturnNodeExt ret |
+      fwdFlow(ret, cc, config) and
+      getReturnPosition(ret) = pos
+    )
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlowOut(DataFlowCall call, Node out, Cc cc, Configuration config) {
+    exists(ReturnPosition pos |
+      fwdFlowReturnPosition(pos, cc, config) and
+      viableReturnPosOut(call, pos, out)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlowOutFromArg(DataFlowCall call, Node out, Configuration config) {
+    fwdFlowOut(call, out, true, config)
+  }
+
+  /**
+   * Holds if an argument to `call` is reached in the flow covered by `fwdFlow`.
+   */
+  pragma[nomagic]
+  private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
+    exists(ArgumentNode arg |
+      fwdFlow(arg, cc, config) and
+      viableParamArg(call, _, arg)
+    )
+  }
+
+  /**
+   * Holds if `node` is part of a path from a source to a sink in the
+   * configuration `config`.
+   *
+   * The Boolean `toReturn` records whether the node must be returned from
+   * the enclosing callable in order to reach a sink.
+   */
+  pragma[nomagic]
+  predicate revFlow(Node node, boolean toReturn, Configuration config) {
+    revFlow0(node, toReturn, config) and
+    fwdFlow(node, config)
+  }
+
+  pragma[nomagic]
+  private predicate revFlow0(Node node, boolean toReturn, Configuration config) {
+    fwdFlow(node, config) and
+    config.isSink(node) and
+    toReturn = false
+    or
+    exists(Node mid |
+      localFlowStep(node, mid, config) and
+      revFlow(mid, toReturn, config)
+    )
+    or
+    exists(Node mid |
+      additionalLocalFlowStep(node, mid, config) and
+      revFlow(mid, toReturn, config)
+    )
+    or
+    exists(Node mid |
+      jumpStep(node, mid, config) and
+      revFlow(mid, _, config) and
+      toReturn = false
+    )
+    or
+    exists(Node mid |
+      additionalJumpStep(node, mid, config) and
+      revFlow(mid, _, config) and
+      toReturn = false
+    )
+    or
+    // store
+    exists(Content c |
+      revFlowStore(c, node, toReturn, config) and
+      revFlowConsCand(c, config)
+    )
+    or
+    // read
+    exists(Node mid, Content c |
+      read(node, c, mid) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+      revFlow(mid, toReturn, pragma[only_bind_into](config))
+    )
+    or
+    // flow into a callable
+    exists(DataFlowCall call |
+      revFlowIn(call, node, false, config) and
+      toReturn = false
+      or
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+    or
+    // flow out of a callable
+    exists(ReturnPosition pos |
+      revFlowOut(pos, config) and
+      getReturnPosition(node) = pos and
+      toReturn = true
+    )
+  }
+
+  /**
+   * Holds if `c` is the target of a read in the flow covered by `revFlow`.
+   */
+  pragma[nomagic]
+  private predicate revFlowConsCand(Content c, Configuration config) {
+    exists(Node mid, Node node |
+      fwdFlow(node, pragma[only_bind_into](config)) and
+      read(node, c, mid) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+      revFlow(pragma[only_bind_into](mid), _, pragma[only_bind_into](config))
+    )
+  }
+
+  pragma[nomagic]
+  private predicate revFlowStore(Content c, Node node, boolean toReturn, Configuration config) {
+    exists(Node mid, TypedContent tc |
+      revFlow(mid, toReturn, pragma[only_bind_into](config)) and
+      fwdFlowConsCand(c, pragma[only_bind_into](config)) and
+      store(node, tc, mid, _) and
+      c = tc.getContent()
+    )
+  }
+
+  /**
+   * Holds if `c` is the target of both a read and a store in the flow covered
+   * by `revFlow`.
+   */
+  private predicate revFlowIsReadAndStored(Content c, Configuration conf) {
+    revFlowConsCand(c, conf) and
+    revFlowStore(c, _, _, conf)
+  }
+
+  pragma[nomagic]
+  predicate viableReturnPosOutNodeCandFwd1(
+    DataFlowCall call, ReturnPosition pos, Node out, Configuration config
+  ) {
+    fwdFlowReturnPosition(pos, _, config) and
+    viableReturnPosOut(call, pos, out)
+  }
+
+  pragma[nomagic]
+  private predicate revFlowOut(ReturnPosition pos, Configuration config) {
+    exists(DataFlowCall call, Node out |
+      revFlow(out, _, config) and
+      viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+    )
+  }
+
+  pragma[nomagic]
+  predicate viableParamArgNodeCandFwd1(
+    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  ) {
+    viableParamArg(call, p, arg) and
+    fwdFlow(arg, config)
+  }
+
+  pragma[nomagic]
+  private predicate revFlowIn(
+    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+  ) {
+    exists(ParameterNode p |
+      revFlow(p, toReturn, config) and
+      viableParamArgNodeCandFwd1(call, p, arg, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+    revFlowIn(call, arg, true, config)
+  }
+
+  /**
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   */
+  pragma[nomagic]
+  private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
+    exists(Node out |
+      revFlow(out, toReturn, config) and
+      fwdFlowOutFromArg(call, out, config)
+    )
+  }
+
+  pragma[nomagic]
+  predicate storeStepCand(
+    Node node1, Ap ap1, TypedContent tc, Node node2, DataFlowType contentType, Configuration config
+  ) {
+    exists(Content c |
+      revFlowIsReadAndStored(c, pragma[only_bind_into](config)) and
+      revFlow(node2, pragma[only_bind_into](config)) and
+      store(node1, tc, node2, contentType) and
+      c = tc.getContent() and
+      exists(ap1)
+    )
+  }
+
+  pragma[nomagic]
+  predicate readStepCand(Node n1, Content c, Node n2, Configuration config) {
+    revFlowIsReadAndStored(c, pragma[only_bind_into](config)) and
+    revFlow(n2, pragma[only_bind_into](config)) and
+    read(n1, c, n2)
+  }
+
+  pragma[nomagic]
+  predicate revFlow(Node node, Configuration config) { revFlow(node, _, config) }
+
+  predicate revFlow(Node node, boolean toReturn, ApOption returnAp, Ap ap, Configuration config) {
+    revFlow(node, toReturn, config) and exists(returnAp) and exists(ap)
+  }
+
+  private predicate throughFlowNodeCand(Node node, Configuration config) {
+    revFlow(node, true, config) and
+    fwdFlow(node, true, config) and
+    not inBarrier(node, config) and
+    not outBarrier(node, config)
+  }
+
+  /** Holds if flow may return from `callable`. */
+  pragma[nomagic]
+  private predicate returnFlowCallableNodeCand(
+    DataFlowCallable callable, ReturnKindExt kind, Configuration config
+  ) {
+    exists(ReturnNodeExt ret |
+      throughFlowNodeCand(ret, config) and
+      callable = getNodeEnclosingCallable(ret) and
+      kind = ret.getKind()
+    )
+  }
+
+  /**
+   * Holds if flow may enter through `p` and reach a return node making `p` a
+   * candidate for the origin of a summary.
+   */
+  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+    exists(ReturnKindExt kind |
+      throughFlowNodeCand(p, config) and
+      returnFlowCallableNodeCand(c, kind, config) and
+      getNodeEnclosingCallable(p) = c and
+      exists(ap) and
+      // we don't expect a parameter to return stored in itself
+      not exists(int pos |
+        kind.(ParamUpdateReturnKind).getPosition() = pos and p.isParameterOf(_, pos)
+      )
+    )
+  }
+
+  predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
+    fwd = true and
+    nodes = count(Node node | fwdFlow(node, config)) and
+    fields = count(Content f0 | fwdFlowConsCand(f0, config)) and
+    conscand = -1 and
+    tuples = count(Node n, boolean b | fwdFlow(n, b, config))
+    or
+    fwd = false and
+    nodes = count(Node node | revFlow(node, _, config)) and
+    fields = count(Content f0 | revFlowConsCand(f0, config)) and
+    conscand = -1 and
+    tuples = count(Node n, boolean b | revFlow(n, b, config))
+  }
+  /* End: Stage 1 logic. */
+}
+
+pragma[noinline]
+private predicate localFlowStepNodeCand1(Node node1, Node node2, Configuration config) {
+  Stage1::revFlow(node2, config) and
+  localFlowStep(node1, node2, config)
+}
+
+pragma[noinline]
+private predicate additionalLocalFlowStepNodeCand1(Node node1, Node node2, Configuration config) {
+  Stage1::revFlow(node2, config) and
+  additionalLocalFlowStep(node1, node2, config)
+}
+
+pragma[nomagic]
+private predicate viableReturnPosOutNodeCand1(
+  DataFlowCall call, ReturnPosition pos, Node out, Configuration config
+) {
+  Stage1::revFlow(out, config) and
+  Stage1::viableReturnPosOutNodeCandFwd1(call, pos, out, config)
+}
+
+/**
+ * Holds if data can flow out of `call` from `ret` to `out`, either
+ * through a `ReturnNode` or through an argument that has been mutated, and
+ * that this step is part of a path from a source to a sink.
+ */
+pragma[nomagic]
+private predicate flowOutOfCallNodeCand1(
+  DataFlowCall call, ReturnNodeExt ret, Node out, Configuration config
+) {
+  viableReturnPosOutNodeCand1(call, getReturnPosition(ret), out, config) and
+  Stage1::revFlow(ret, config) and
+  not outBarrier(ret, config) and
+  not inBarrier(out, config)
+}
+
+pragma[nomagic]
+private predicate viableParamArgNodeCand1(
+  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+) {
+  Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
+  Stage1::revFlow(arg, config)
+}
+
+/**
+ * Holds if data can flow into `call` and that this step is part of a
+ * path from a source to a sink.
+ */
+pragma[nomagic]
+private predicate flowIntoCallNodeCand1(
+  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+) {
+  viableParamArgNodeCand1(call, p, arg, config) and
+  Stage1::revFlow(p, config) and
+  not outBarrier(arg, config) and
+  not inBarrier(p, config)
+}
+
+/**
+ * Gets the amount of forward branching on the origin of a cross-call path
+ * edge in the graph of paths between sources and sinks that ignores call
+ * contexts.
+ */
+private int branch(Node n1, Configuration conf) {
+  result =
+    strictcount(Node n |
+      flowOutOfCallNodeCand1(_, n1, n, conf) or flowIntoCallNodeCand1(_, n1, n, conf)
+    )
+}
+
+/**
+ * Gets the amount of backward branching on the target of a cross-call path
+ * edge in the graph of paths between sources and sinks that ignores call
+ * contexts.
+ */
+private int join(Node n2, Configuration conf) {
+  result =
+    strictcount(Node n |
+      flowOutOfCallNodeCand1(_, n, n2, conf) or flowIntoCallNodeCand1(_, n, n2, conf)
+    )
+}
+
+/**
+ * Holds if data can flow out of `call` from `ret` to `out`, either
+ * through a `ReturnNode` or through an argument that has been mutated, and
+ * that this step is part of a path from a source to a sink. The
+ * `allowsFieldFlow` flag indicates whether the branching is within the limit
+ * specified by the configuration.
+ */
+pragma[nomagic]
+private predicate flowOutOfCallNodeCand1(
+  DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
+) {
+  flowOutOfCallNodeCand1(call, ret, out, config) and
+  exists(int b, int j |
+    b = branch(ret, config) and
+    j = join(out, config) and
+    if b.minimum(j) <= config.fieldFlowBranchLimit()
+    then allowsFieldFlow = true
+    else allowsFieldFlow = false
+  )
+}
+
+/**
+ * Holds if data can flow into `call` and that this step is part of a
+ * path from a source to a sink. The `allowsFieldFlow` flag indicates whether
+ * the branching is within the limit specified by the configuration.
+ */
+pragma[nomagic]
+private predicate flowIntoCallNodeCand1(
+  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  Configuration config
+) {
+  flowIntoCallNodeCand1(call, arg, p, config) and
+  exists(int b, int j |
+    b = branch(arg, config) and
+    j = join(p, config) and
+    if b.minimum(j) <= config.fieldFlowBranchLimit()
+    then allowsFieldFlow = true
+    else allowsFieldFlow = false
+  )
+}
+
+private module Stage2 {
+  module PrevStage = Stage1;
+
+  class ApApprox = PrevStage::Ap;
+
+  class Ap = boolean;
+
+  class ApNil extends Ap {
+    ApNil() { this = false }
+  }
+
+  bindingset[result, ap]
+  private ApApprox getApprox(Ap ap) { any() }
+
+  private ApNil getApNil(Node node) { PrevStage::revFlow(node, _) and exists(result) }
+
+  bindingset[tc, tail]
+  private Ap apCons(TypedContent tc, Ap tail) { result = true and exists(tc) and exists(tail) }
+
+  pragma[inline]
+  private Content getHeadContent(Ap ap) { exists(result) and ap = true }
+
+  class ApOption = BooleanOption;
+
+  ApOption apNone() { result = TBooleanNone() }
+
+  ApOption apSome(Ap ap) { result = TBooleanSome(ap) }
+
+  class Cc = boolean;
+
+  class CcCall extends Cc {
+    CcCall() { this = true }
+
+    /** Holds if this call context may be `call`. */
+    predicate matchesCall(DataFlowCall call) { any() }
+  }
+
+  class CcNoCall extends Cc {
+    CcNoCall() { this = false }
+  }
+
+  Cc ccNone() { result = false }
+
+  private class LocalCc = Unit;
+
+  bindingset[call, c, outercc]
+  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
+
+  bindingset[call, c]
+  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call) { any() }
+
+  bindingset[innercc, inner, call]
+  private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
+    any()
+  }
+
+  bindingset[node, cc, config]
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) { any() }
+
+  private predicate localStep(
+    Node node1, Node node2, boolean preservesValue, ApNil ap, Configuration config, LocalCc lcc
+  ) {
+    (
+      preservesValue = true and
+      localFlowStepNodeCand1(node1, node2, config)
+      or
+      preservesValue = false and
+      additionalLocalFlowStepNodeCand1(node1, node2, config)
+    ) and
+    exists(ap) and
+    exists(lcc)
+  }
+
+  private predicate flowOutOfCall = flowOutOfCallNodeCand1/5;
+
+  private predicate flowIntoCall = flowIntoCallNodeCand1/5;
+
+  bindingset[ap, contentType]
+  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }
+
+  /* Begin: Stage 2 logic. */
+  private predicate flowCand(Node node, ApApprox apa, Configuration config) {
+    PrevStage::revFlow(node, _, _, apa, config)
+  }
+
+  /**
+   * Holds if `node` is reachable with access path `ap` from a source in the
+   * configuration `config`.
+   *
+   * The call context `cc` records whether the node is reached through an
+   * argument in a call, and if so, `argAp` records the access path of that
+   * argument.
+   */
+  pragma[nomagic]
+  predicate fwdFlow(Node node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    flowCand(node, _, config) and
+    config.isSource(node) and
+    cc = ccNone() and
+    argAp = apNone() and
+    ap = getApNil(node)
+    or
+    exists(Node mid, Ap ap0, LocalCc localCc |
+      fwdFlow(mid, cc, argAp, ap0, config) and
+      localCc = getLocalCc(mid, cc, config)
+    |
+      localStep(mid, node, true, _, config, localCc) and
+      ap = ap0
+      or
+      localStep(mid, node, false, ap, config, localCc) and
+      ap0 instanceof ApNil
+    )
+    or
+    exists(Node mid |
+      fwdFlow(mid, _, _, ap, pragma[only_bind_into](config)) and
+      flowCand(node, _, pragma[only_bind_into](config)) and
+      jumpStep(mid, node, config) and
+      cc = ccNone() and
+      argAp = apNone()
+    )
+    or
+    exists(Node mid, ApNil nil |
+      fwdFlow(mid, _, _, nil, pragma[only_bind_into](config)) and
+      flowCand(node, _, pragma[only_bind_into](config)) and
+      additionalJumpStep(mid, node, config) and
+      cc = ccNone() and
+      argAp = apNone() and
+      ap = getApNil(node)
+    )
+    or
+    // store
+    exists(TypedContent tc, Ap ap0 |
+      fwdFlowStore(_, ap0, tc, node, cc, argAp, config) and
+      ap = apCons(tc, ap0)
+    )
+    or
+    // read
+    exists(Ap ap0, Content c |
+      fwdFlowRead(ap0, c, _, node, cc, argAp, config) and
+      fwdFlowConsCand(ap0, c, ap, config)
+    )
+    or
+    // flow into a callable
+    exists(ApApprox apa |
+      fwdFlowIn(_, node, _, cc, _, ap, config) and
+      apa = getApprox(ap) and
+      if PrevStage::parameterMayFlowThrough(node, _, apa, config)
+      then argAp = apSome(ap)
+      else argAp = apNone()
+    )
+    or
+    // flow out of a callable
+    exists(DataFlowCall call |
+      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
+      or
+      exists(Ap argAp0 |
+        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      )
+    )
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlowStore(
+    Node node1, Ap ap1, TypedContent tc, Node node2, Cc cc, ApOption argAp, Configuration config
+  ) {
+    exists(DataFlowType contentType |
+      fwdFlow(node1, cc, argAp, ap1, config) and
+      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      typecheckStore(ap1, contentType)
+    )
+  }
+
+  /**
+   * Holds if forward flow with access path `tail` reaches a store of `c`
+   * resulting in access path `cons`.
+   */
+  pragma[nomagic]
+  private predicate fwdFlowConsCand(Ap cons, Content c, Ap tail, Configuration config) {
+    exists(TypedContent tc |
+      fwdFlowStore(_, tail, tc, _, _, _, config) and
+      tc.getContent() = c and
+      cons = apCons(tc, tail)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlowRead(
+    Ap ap, Content c, Node node1, Node node2, Cc cc, ApOption argAp, Configuration config
+  ) {
+    fwdFlow(node1, cc, argAp, ap, config) and
+    PrevStage::readStepCand(node1, c, node2, config) and
+    getHeadContent(ap) = c
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlowIn(
+    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    Configuration config
+  ) {
+    exists(ArgumentNode arg, boolean allowsFieldFlow |
+      fwdFlow(arg, outercc, argAp, ap, config) and
+      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+      innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
+  }
+
+  /**
+   * Holds if flow may exit from `call` at `out` with access path `ap`. The
+   * inner call context is `innercc`, but `ccOut` is just the call context
+   * based on the return step. In the case of through-flow `ccOut` is discarded
+   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
+   */
+  pragma[nomagic]
+  private predicate fwdFlowOut(
+    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  ) {
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+      fwdFlow(ret, innercc, argAp, ap, config) and
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      inner = getNodeEnclosingCallable(ret) and
+      checkCallContextReturn(innercc, inner, call) and
+      ccOut = getCallContextReturn(inner, call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlowOutFromArg(
+    DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
+  ) {
+    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+  }
+
+  /**
+   * Holds if an argument to `call` is reached in the flow covered by `fwdFlow`
+   * and data might flow through the target callable and back out at `call`.
+   */
+  pragma[nomagic]
+  private predicate fwdFlowIsEntered(
+    DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
+  ) {
+    exists(ParameterNode p |
+      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
+      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate storeStepFwd(
+    Node node1, Ap ap1, TypedContent tc, Node node2, Ap ap2, Configuration config
+  ) {
+    fwdFlowStore(node1, ap1, tc, node2, _, _, config) and
+    ap2 = apCons(tc, ap1) and
+    fwdFlowRead(ap2, tc.getContent(), _, _, _, _, config)
+  }
+
+  private predicate readStepFwd(Node n1, Ap ap1, Content c, Node n2, Ap ap2, Configuration config) {
+    fwdFlowRead(ap1, c, n1, n2, _, _, config) and
+    fwdFlowConsCand(ap1, c, ap2, config)
+  }
+
+  /**
+   * Holds if `node` with access path `ap` is part of a path from a source to a
+   * sink in the configuration `config`.
+   *
+   * The Boolean `toReturn` records whether the node must be returned from the
+   * enclosing callable in order to reach a sink, and if so, `returnAp` records
+   * the access path of the returned value.
+   */
+  pragma[nomagic]
+  predicate revFlow(Node node, boolean toReturn, ApOption returnAp, Ap ap, Configuration config) {
+    revFlow0(node, toReturn, returnAp, ap, config) and
+    fwdFlow(node, _, _, ap, config)
+  }
+
+  pragma[nomagic]
+  private predicate revFlow0(
+    Node node, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
+  ) {
+    fwdFlow(node, _, _, ap, config) and
+    config.isSink(node) and
+    toReturn = false and
+    returnAp = apNone() and
+    ap instanceof ApNil
+    or
+    exists(Node mid |
+      localStep(node, mid, true, _, config, _) and
+      revFlow(mid, toReturn, returnAp, ap, config)
+    )
+    or
+    exists(Node mid, ApNil nil |
+      fwdFlow(node, _, _, ap, pragma[only_bind_into](config)) and
+      localStep(node, mid, false, _, config, _) and
+      revFlow(mid, toReturn, returnAp, nil, pragma[only_bind_into](config)) and
+      ap instanceof ApNil
+    )
+    or
+    exists(Node mid |
+      jumpStep(node, mid, config) and
+      revFlow(mid, _, _, ap, config) and
+      toReturn = false and
+      returnAp = apNone()
+    )
+    or
+    exists(Node mid, ApNil nil |
+      fwdFlow(node, _, _, ap, pragma[only_bind_into](config)) and
+      additionalJumpStep(node, mid, config) and
+      revFlow(pragma[only_bind_into](mid), _, _, nil, pragma[only_bind_into](config)) and
+      toReturn = false and
+      returnAp = apNone() and
+      ap instanceof ApNil
+    )
+    or
+    // store
+    exists(Ap ap0, Content c |
+      revFlowStore(ap0, c, ap, node, _, _, toReturn, returnAp, config) and
+      revFlowConsCand(ap0, c, ap, config)
+    )
+    or
+    // read
+    exists(Node mid, Ap ap0 |
+      revFlow(mid, toReturn, returnAp, ap0, config) and
+      readStepFwd(node, ap, _, mid, ap0, config)
+    )
+    or
+    // flow into a callable
+    exists(DataFlowCall call |
+      revFlowIn(call, node, toReturn, returnAp, ap, config) and
+      toReturn = false
+      or
+      exists(Ap returnAp0 |
+        revFlowInToReturn(call, node, returnAp0, ap, config) and
+        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+      )
+    )
+    or
+    // flow out of a callable
+    revFlowOut(_, node, _, _, ap, config) and
+    toReturn = true and
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    then returnAp = apSome(ap)
+    else returnAp = apNone()
+  }
+
+  pragma[nomagic]
+  private predicate revFlowStore(
+    Ap ap0, Content c, Ap ap, Node node, TypedContent tc, Node mid, boolean toReturn,
+    ApOption returnAp, Configuration config
+  ) {
+    revFlow(mid, toReturn, returnAp, ap0, config) and
+    storeStepFwd(node, ap, tc, mid, ap0, config) and
+    tc.getContent() = c
+  }
+
+  /**
+   * Holds if reverse flow with access path `tail` reaches a read of `c`
+   * resulting in access path `cons`.
+   */
+  pragma[nomagic]
+  private predicate revFlowConsCand(Ap cons, Content c, Ap tail, Configuration config) {
+    exists(Node mid, Ap tail0 |
+      revFlow(mid, _, _, tail, config) and
+      tail = pragma[only_bind_into](tail0) and
+      readStepFwd(_, cons, c, mid, tail0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate revFlowOut(
+    DataFlowCall call, ReturnNodeExt ret, boolean toReturn, ApOption returnAp, Ap ap,
+    Configuration config
+  ) {
+    exists(Node out, boolean allowsFieldFlow |
+      revFlow(out, toReturn, returnAp, ap, config) and
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
+  }
+
+  pragma[nomagic]
+  private predicate revFlowIn(
+    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    Configuration config
+  ) {
+    exists(ParameterNode p, boolean allowsFieldFlow |
+      revFlow(p, toReturn, returnAp, ap, config) and
+      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
+  }
+
+  pragma[nomagic]
+  private predicate revFlowInToReturn(
+    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+  ) {
+    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+  }
+
+  /**
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
+   */
+  pragma[nomagic]
+  private predicate revFlowIsReturned(
+    DataFlowCall call, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
+  ) {
+    exists(ReturnNodeExt ret, CcCall ccc |
+      revFlowOut(call, ret, toReturn, returnAp, ap, config) and
+      fwdFlow(ret, ccc, apSome(_), ap, config) and
+      ccc.matchesCall(call)
+    )
+  }
+
+  pragma[nomagic]
+  predicate storeStepCand(
+    Node node1, Ap ap1, TypedContent tc, Node node2, DataFlowType contentType, Configuration config
+  ) {
+    exists(Ap ap2, Content c |
+      store(node1, tc, node2, contentType) and
+      revFlowStore(ap2, c, ap1, node1, tc, node2, _, _, config) and
+      revFlowConsCand(ap2, c, ap1, config)
+    )
+  }
+
+  predicate readStepCand(Node node1, Content c, Node node2, Configuration config) {
+    exists(Ap ap1, Ap ap2 |
+      revFlow(node2, _, _, pragma[only_bind_into](ap2), pragma[only_bind_into](config)) and
+      readStepFwd(node1, ap1, c, node2, ap2, config) and
+      revFlowStore(ap1, c, pragma[only_bind_into](ap2), _, _, _, _, _,
+        pragma[only_bind_into](config))
+    )
+  }
+
+  predicate revFlow(Node node, Configuration config) { revFlow(node, _, _, _, config) }
+
+  private predicate fwdConsCand(TypedContent tc, Ap ap, Configuration config) {
+    storeStepFwd(_, ap, tc, _, _, config)
+  }
+
+  predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    storeStepCand(_, ap, tc, _, _, config)
+  }
+
+  pragma[noinline]
+  private predicate parameterFlow(
+    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+  ) {
+    revFlow(p, true, apSome(ap0), ap, config) and
+    c = getNodeEnclosingCallable(p)
+  }
+
+  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+    exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
+      parameterFlow(p, ap, ap0, c, config) and
+      c = getNodeEnclosingCallable(ret) and
+      revFlow(ret, true, apSome(_), ap0, config) and
+      fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
+      kind = ret.getKind() and
+      p.isParameterOf(_, pos) and
+      // we don't expect a parameter to return stored in itself
+      not kind.(ParamUpdateReturnKind).getPosition() = pos
+    )
+  }
+
+  predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
+    fwd = true and
+    nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
+    fields = count(TypedContent f0 | fwdConsCand(f0, _, config)) and
+    conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
+    tuples = count(Node n, Cc cc, ApOption argAp, Ap ap | fwdFlow(n, cc, argAp, ap, config))
+    or
+    fwd = false and
+    nodes = count(Node node | revFlow(node, _, _, _, config)) and
+    fields = count(TypedContent f0 | consCand(f0, _, config)) and
+    conscand = count(TypedContent f0, Ap ap | consCand(f0, ap, config)) and
+    tuples = count(Node n, boolean b, ApOption retAp, Ap ap | revFlow(n, b, retAp, ap, config))
+  }
+  /* End: Stage 2 logic. */
+}
+
+pragma[nomagic]
+private predicate flowOutOfCallNodeCand2(
+  DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow, Configuration config
+) {
+  flowOutOfCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
+  Stage2::revFlow(node2, pragma[only_bind_into](config)) and
+  Stage2::revFlow(node1, pragma[only_bind_into](config))
+}
+
+pragma[nomagic]
+private predicate flowIntoCallNodeCand2(
+  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  Configuration config
+) {
+  flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
+  Stage2::revFlow(node2, pragma[only_bind_into](config)) and
+  Stage2::revFlow(node1, pragma[only_bind_into](config))
+}
+
+private module LocalFlowBigStep {
+  /**
+   * A node where some checking is required, and hence the big-step relation
+   * is not allowed to step over.
+   */
+  private class FlowCheckNode extends Node {
+    FlowCheckNode() {
+      this instanceof CastNode or
+      clearsContent(this, _)
+    }
+  }
+
+  /**
+   * Holds if `node` can be the first node in a maximal subsequence of local
+   * flow steps in a dataflow path.
+   */
+  predicate localFlowEntry(Node node, Configuration config) {
+    Stage2::revFlow(node, config) and
+    (
+      config.isSource(node) or
+      jumpStep(_, node, config) or
+      additionalJumpStep(_, node, config) or
+      node instanceof ParameterNode or
+      node instanceof OutNodeExt or
+      store(_, _, node, _) or
+      read(_, _, node) or
+      node instanceof FlowCheckNode
+    )
+  }
+
+  /**
+   * Holds if `node` can be the last node in a maximal subsequence of local
+   * flow steps in a dataflow path.
+   */
+  private predicate localFlowExit(Node node, Configuration config) {
+    exists(Node next | Stage2::revFlow(next, config) |
+      jumpStep(node, next, config) or
+      additionalJumpStep(node, next, config) or
+      flowIntoCallNodeCand1(_, node, next, config) or
+      flowOutOfCallNodeCand1(_, node, next, config) or
+      store(node, _, next, _) or
+      read(node, _, next)
+    )
+    or
+    node instanceof FlowCheckNode
+    or
+    config.isSink(node)
+  }
+
+  pragma[noinline]
+  private predicate additionalLocalFlowStepNodeCand2(Node node1, Node node2, Configuration config) {
+    additionalLocalFlowStepNodeCand1(node1, node2, config) and
+    Stage2::revFlow(node1, _, _, false, pragma[only_bind_into](config)) and
+    Stage2::revFlow(node2, _, _, false, pragma[only_bind_into](config))
+  }
+
+  /**
+   * Holds if the local path from `node1` to `node2` is a prefix of a maximal
+   * subsequence of local flow steps in a dataflow path.
+   *
+   * This is the transitive closure of `[additional]localFlowStep` beginning
+   * at `localFlowEntry`.
+   */
+  pragma[nomagic]
+  private predicate localFlowStepPlus(
+    Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
+    LocalCallContext cc
+  ) {
+    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    (
+      localFlowEntry(node1, pragma[only_bind_into](config)) and
+      (
+        localFlowStepNodeCand1(node1, node2, config) and
+        preservesValue = true and
+        t = getNodeType(node1)
+        or
+        additionalLocalFlowStepNodeCand2(node1, node2, config) and
+        preservesValue = false and
+        t = getNodeType(node2)
+      ) and
+      node1 != node2 and
+      cc.relevantFor(getNodeEnclosingCallable(node1)) and
+      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      Stage2::revFlow(node2, pragma[only_bind_into](config))
+      or
+      exists(Node mid |
+        localFlowStepPlus(node1, mid, preservesValue, t, pragma[only_bind_into](config), cc) and
+        localFlowStepNodeCand1(mid, node2, config) and
+        not mid instanceof FlowCheckNode and
+        Stage2::revFlow(node2, pragma[only_bind_into](config))
+      )
+      or
+      exists(Node mid |
+        localFlowStepPlus(node1, mid, _, _, pragma[only_bind_into](config), cc) and
+        additionalLocalFlowStepNodeCand2(mid, node2, config) and
+        not mid instanceof FlowCheckNode and
+        preservesValue = false and
+        t = getNodeType(node2) and
+        Stage2::revFlow(node2, pragma[only_bind_into](config))
+      )
+    )
+  }
+
+  /**
+   * Holds if `node1` can step to `node2` in one or more local steps and this
+   * path can occur as a maximal subsequence of local steps in a dataflow path.
+   */
+  pragma[nomagic]
+  predicate localFlowBigStep(
+    Node node1, Node node2, boolean preservesValue, AccessPathFrontNil apf, Configuration config,
+    LocalCallContext callContext
+  ) {
+    localFlowStepPlus(node1, node2, preservesValue, apf.getType(), config, callContext) and
+    localFlowExit(node2, config)
+  }
+}
+
+private import LocalFlowBigStep
+
+private module Stage3 {
+  module PrevStage = Stage2;
+
+  class ApApprox = PrevStage::Ap;
+
+  class Ap = AccessPathFront;
+
+  class ApNil = AccessPathFrontNil;
+
+  private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
+
+  private ApNil getApNil(Node node) {
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+  }
+
+  bindingset[tc, tail]
+  private Ap apCons(TypedContent tc, Ap tail) { result.getHead() = tc and exists(tail) }
+
+  pragma[noinline]
+  private Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
+
+  class ApOption = AccessPathFrontOption;
+
+  ApOption apNone() { result = TAccessPathFrontNone() }
+
+  ApOption apSome(Ap ap) { result = TAccessPathFrontSome(ap) }
+
+  class Cc = boolean;
+
+  class CcCall extends Cc {
+    CcCall() { this = true }
+
+    /** Holds if this call context may be `call`. */
+    predicate matchesCall(DataFlowCall call) { any() }
+  }
+
+  class CcNoCall extends Cc {
+    CcNoCall() { this = false }
+  }
+
+  Cc ccNone() { result = false }
+
+  private class LocalCc = Unit;
+
+  bindingset[call, c, outercc]
+  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) { any() }
+
+  bindingset[call, c]
+  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call) { any() }
+
+  bindingset[innercc, inner, call]
+  private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
+    any()
+  }
+
+  bindingset[node, cc, config]
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) { any() }
+
+  private predicate localStep(
+    Node node1, Node node2, boolean preservesValue, ApNil ap, Configuration config, LocalCc lcc
+  ) {
+    localFlowBigStep(node1, node2, preservesValue, ap, config, _) and exists(lcc)
+  }
+
+  private predicate flowOutOfCall = flowOutOfCallNodeCand2/5;
+
+  private predicate flowIntoCall = flowIntoCallNodeCand2/5;
+
+  bindingset[node, ap]
+  private predicate filter(Node node, Ap ap) {
+    not ap.isClearedAt(node) and
+    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+  }
+
+  bindingset[ap, contentType]
+  private predicate typecheckStore(Ap ap, DataFlowType contentType) {
+    // We need to typecheck stores here, since reverse flow through a getter
+    // might have a different type here compared to inside the getter.
+    compatibleTypes(ap.getType(), contentType)
+  }
+
+  /* Begin: Stage 3 logic. */
+  private predicate flowCand(Node node, ApApprox apa, Configuration config) {
+    PrevStage::revFlow(node, _, _, apa, config)
+  }
+
+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
+  /**
+   * Holds if `node` is reachable with access path `ap` from a source in the
+   * configuration `config`.
+   *
+   * The call context `cc` records whether the node is reached through an
+   * argument in a call, and if so, `argAp` records the access path of that
+   * argument.
+   */
+  pragma[nomagic]
+  predicate fwdFlow(Node node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(Node node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    flowCand(node, _, config) and
+    config.isSource(node) and
+    cc = ccNone() and
+    argAp = apNone() and
+    ap = getApNil(node)
+    or
+    exists(Node mid, Ap ap0, LocalCc localCc |
+      fwdFlow(mid, cc, argAp, ap0, config) and
+      localCc = getLocalCc(mid, cc, config)
+    |
+      localStep(mid, node, true, _, config, localCc) and
+      ap = ap0
+      or
+      localStep(mid, node, false, ap, config, localCc) and
+      ap0 instanceof ApNil
+    )
+    or
+    exists(Node mid |
+      fwdFlow(mid, _, _, ap, pragma[only_bind_into](config)) and
+      flowCand(node, _, pragma[only_bind_into](config)) and
+      jumpStep(mid, node, config) and
+      cc = ccNone() and
+      argAp = apNone()
+    )
+    or
+    exists(Node mid, ApNil nil |
+      fwdFlow(mid, _, _, nil, pragma[only_bind_into](config)) and
+      flowCand(node, _, pragma[only_bind_into](config)) and
+      additionalJumpStep(mid, node, config) and
+      cc = ccNone() and
+      argAp = apNone() and
+      ap = getApNil(node)
+    )
+    or
+    // store
+    exists(TypedContent tc, Ap ap0 |
+      fwdFlowStore(_, ap0, tc, node, cc, argAp, config) and
+      ap = apCons(tc, ap0)
+    )
+    or
+    // read
+    exists(Ap ap0, Content c |
+      fwdFlowRead(ap0, c, _, node, cc, argAp, config) and
+      fwdFlowConsCand(ap0, c, ap, config)
+    )
+    or
+    // flow into a callable
+    exists(ApApprox apa |
+      fwdFlowIn(_, node, _, cc, _, ap, config) and
+      apa = getApprox(ap) and
+      if PrevStage::parameterMayFlowThrough(node, _, apa, config)
+      then argAp = apSome(ap)
+      else argAp = apNone()
+    )
+    or
+    // flow out of a callable
+    exists(DataFlowCall call |
+      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
+      or
+      exists(Ap argAp0 |
+        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      )
+    )
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlowStore(
+    Node node1, Ap ap1, TypedContent tc, Node node2, Cc cc, ApOption argAp, Configuration config
+  ) {
+    exists(DataFlowType contentType |
+      fwdFlow(node1, cc, argAp, ap1, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      typecheckStore(ap1, contentType)
+    )
+  }
+
+  /**
+   * Holds if forward flow with access path `tail` reaches a store of `c`
+   * resulting in access path `cons`.
+   */
+  pragma[nomagic]
+  private predicate fwdFlowConsCand(Ap cons, Content c, Ap tail, Configuration config) {
+    exists(TypedContent tc |
+      fwdFlowStore(_, tail, tc, _, _, _, config) and
+      tc.getContent() = c and
+      cons = apCons(tc, tail)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlowRead(
+    Ap ap, Content c, Node node1, Node node2, Cc cc, ApOption argAp, Configuration config
+  ) {
+    fwdFlow(node1, cc, argAp, ap, config) and
+    PrevStage::readStepCand(node1, c, node2, config) and
+    getHeadContent(ap) = c
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlowIn(
+    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    Configuration config
+  ) {
+    exists(ArgumentNode arg, boolean allowsFieldFlow |
+      fwdFlow(arg, outercc, argAp, ap, config) and
+      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+      innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
+  }
+
+  /**
+   * Holds if flow may exit from `call` at `out` with access path `ap`. The
+   * inner call context is `innercc`, but `ccOut` is just the call context
+   * based on the return step. In the case of through-flow `ccOut` is discarded
+   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
+   */
+  pragma[nomagic]
+  private predicate fwdFlowOut(
+    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  ) {
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+      fwdFlow(ret, innercc, argAp, ap, config) and
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      inner = getNodeEnclosingCallable(ret) and
+      checkCallContextReturn(innercc, inner, call) and
+      ccOut = getCallContextReturn(inner, call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlowOutFromArg(
+    DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
+  ) {
+    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+  }
+
+  /**
+   * Holds if an argument to `call` is reached in the flow covered by `fwdFlow`
+   * and data might flow through the target callable and back out at `call`.
+   */
+  pragma[nomagic]
+  private predicate fwdFlowIsEntered(
+    DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
+  ) {
+    exists(ParameterNode p |
+      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate storeStepFwd(
+    Node node1, Ap ap1, TypedContent tc, Node node2, Ap ap2, Configuration config
+  ) {
+    fwdFlowStore(node1, ap1, tc, node2, _, _, config) and
+    ap2 = apCons(tc, ap1) and
+    fwdFlowRead(ap2, tc.getContent(), _, _, _, _, config)
+  }
+
+  private predicate readStepFwd(Node n1, Ap ap1, Content c, Node n2, Ap ap2, Configuration config) {
+    fwdFlowRead(ap1, c, n1, n2, _, _, config) and
+    fwdFlowConsCand(ap1, c, ap2, config)
+  }
+
+  /**
+   * Holds if `node` with access path `ap` is part of a path from a source to a
+   * sink in the configuration `config`.
+   *
+   * The Boolean `toReturn` records whether the node must be returned from the
+   * enclosing callable in order to reach a sink, and if so, `returnAp` records
+   * the access path of the returned value.
+   */
+  pragma[nomagic]
+  predicate revFlow(Node node, boolean toReturn, ApOption returnAp, Ap ap, Configuration config) {
+    revFlow0(node, toReturn, returnAp, ap, config) and
+    fwdFlow(node, _, _, ap, config)
+  }
+
+  pragma[nomagic]
+  private predicate revFlow0(
+    Node node, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
+  ) {
+    fwdFlow(node, _, _, ap, config) and
+    config.isSink(node) and
+    toReturn = false and
+    returnAp = apNone() and
+    ap instanceof ApNil
+    or
+    exists(Node mid |
+      localStep(node, mid, true, _, config, _) and
+      revFlow(mid, toReturn, returnAp, ap, config)
+    )
+    or
+    exists(Node mid, ApNil nil |
+      fwdFlow(node, _, _, ap, pragma[only_bind_into](config)) and
+      localStep(node, mid, false, _, config, _) and
+      revFlow(mid, toReturn, returnAp, nil, pragma[only_bind_into](config)) and
+      ap instanceof ApNil
+    )
+    or
+    exists(Node mid |
+      jumpStep(node, mid, config) and
+      revFlow(mid, _, _, ap, config) and
+      toReturn = false and
+      returnAp = apNone()
+    )
+    or
+    exists(Node mid, ApNil nil |
+      fwdFlow(node, _, _, ap, pragma[only_bind_into](config)) and
+      additionalJumpStep(node, mid, config) and
+      revFlow(pragma[only_bind_into](mid), _, _, nil, pragma[only_bind_into](config)) and
+      toReturn = false and
+      returnAp = apNone() and
+      ap instanceof ApNil
+    )
+    or
+    // store
+    exists(Ap ap0, Content c |
+      revFlowStore(ap0, c, ap, node, _, _, toReturn, returnAp, config) and
+      revFlowConsCand(ap0, c, ap, config)
+    )
+    or
+    // read
+    exists(Node mid, Ap ap0 |
+      revFlow(mid, toReturn, returnAp, ap0, config) and
+      readStepFwd(node, ap, _, mid, ap0, config)
+    )
+    or
+    // flow into a callable
+    exists(DataFlowCall call |
+      revFlowIn(call, node, toReturn, returnAp, ap, config) and
+      toReturn = false
+      or
+      exists(Ap returnAp0 |
+        revFlowInToReturn(call, node, returnAp0, ap, config) and
+        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+      )
+    )
+    or
+    // flow out of a callable
+    revFlowOut(_, node, _, _, ap, config) and
+    toReturn = true and
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    then returnAp = apSome(ap)
+    else returnAp = apNone()
+  }
+
+  pragma[nomagic]
+  private predicate revFlowStore(
+    Ap ap0, Content c, Ap ap, Node node, TypedContent tc, Node mid, boolean toReturn,
+    ApOption returnAp, Configuration config
+  ) {
+    revFlow(mid, toReturn, returnAp, ap0, config) and
+    storeStepFwd(node, ap, tc, mid, ap0, config) and
+    tc.getContent() = c
+  }
+
+  /**
+   * Holds if reverse flow with access path `tail` reaches a read of `c`
+   * resulting in access path `cons`.
+   */
+  pragma[nomagic]
+  private predicate revFlowConsCand(Ap cons, Content c, Ap tail, Configuration config) {
+    exists(Node mid, Ap tail0 |
+      revFlow(mid, _, _, tail, config) and
+      tail = pragma[only_bind_into](tail0) and
+      readStepFwd(_, cons, c, mid, tail0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate revFlowOut(
+    DataFlowCall call, ReturnNodeExt ret, boolean toReturn, ApOption returnAp, Ap ap,
+    Configuration config
+  ) {
+    exists(Node out, boolean allowsFieldFlow |
+      revFlow(out, toReturn, returnAp, ap, config) and
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
+  }
+
+  pragma[nomagic]
+  private predicate revFlowIn(
+    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    Configuration config
+  ) {
+    exists(ParameterNode p, boolean allowsFieldFlow |
+      revFlow(p, toReturn, returnAp, ap, config) and
+      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
+  }
+
+  pragma[nomagic]
+  private predicate revFlowInToReturn(
+    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+  ) {
+    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+  }
+
+  /**
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
+   */
+  pragma[nomagic]
+  private predicate revFlowIsReturned(
+    DataFlowCall call, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
+  ) {
+    exists(ReturnNodeExt ret, CcCall ccc |
+      revFlowOut(call, ret, toReturn, returnAp, ap, config) and
+      fwdFlow(ret, ccc, apSome(_), ap, config) and
+      ccc.matchesCall(call)
+    )
+  }
+
+  pragma[nomagic]
+  predicate storeStepCand(
+    Node node1, Ap ap1, TypedContent tc, Node node2, DataFlowType contentType, Configuration config
+  ) {
+    exists(Ap ap2, Content c |
+      store(node1, tc, node2, contentType) and
+      revFlowStore(ap2, c, ap1, node1, tc, node2, _, _, config) and
+      revFlowConsCand(ap2, c, ap1, config)
+    )
+  }
+
+  predicate readStepCand(Node node1, Content c, Node node2, Configuration config) {
+    exists(Ap ap1, Ap ap2 |
+      revFlow(node2, _, _, pragma[only_bind_into](ap2), pragma[only_bind_into](config)) and
+      readStepFwd(node1, ap1, c, node2, ap2, config) and
+      revFlowStore(ap1, c, pragma[only_bind_into](ap2), _, _, _, _, _,
+        pragma[only_bind_into](config))
+    )
+  }
+
+  predicate revFlow(Node node, Configuration config) { revFlow(node, _, _, _, config) }
+
+  private predicate fwdConsCand(TypedContent tc, Ap ap, Configuration config) {
+    storeStepFwd(_, ap, tc, _, _, config)
+  }
+
+  predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    storeStepCand(_, ap, tc, _, _, config)
+  }
+
+  pragma[noinline]
+  private predicate parameterFlow(
+    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+  ) {
+    revFlow(p, true, apSome(ap0), ap, config) and
+    c = getNodeEnclosingCallable(p)
+  }
+
+  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+    exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
+      parameterFlow(p, ap, ap0, c, config) and
+      c = getNodeEnclosingCallable(ret) and
+      revFlow(ret, true, apSome(_), ap0, config) and
+      fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
+      kind = ret.getKind() and
+      p.isParameterOf(_, pos) and
+      // we don't expect a parameter to return stored in itself
+      not kind.(ParamUpdateReturnKind).getPosition() = pos
+    )
+  }
+
+  predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
+    fwd = true and
+    nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
+    fields = count(TypedContent f0 | fwdConsCand(f0, _, config)) and
+    conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
+    tuples = count(Node n, Cc cc, ApOption argAp, Ap ap | fwdFlow(n, cc, argAp, ap, config))
+    or
+    fwd = false and
+    nodes = count(Node node | revFlow(node, _, _, _, config)) and
+    fields = count(TypedContent f0 | consCand(f0, _, config)) and
+    conscand = count(TypedContent f0, Ap ap | consCand(f0, ap, config)) and
+    tuples = count(Node n, boolean b, ApOption retAp, Ap ap | revFlow(n, b, retAp, ap, config))
+  }
+  /* End: Stage 3 logic. */
+}
+
+/**
+ * Holds if `argApf` is recorded as the summary context for flow reaching `node`
+ * and remains relevant for the following pruning stage.
+ */
+private predicate flowCandSummaryCtx(Node node, AccessPathFront argApf, Configuration config) {
+  exists(AccessPathFront apf |
+    Stage3::revFlow(node, true, _, apf, config) and
+    Stage3::fwdFlow(node, true, TAccessPathFrontSome(argApf), apf, config)
+  )
+}
+
+/**
+ * Holds if a length 2 access path approximation with the head `tc` is expected
+ * to be expensive.
+ */
+private predicate expensiveLen2unfolding(TypedContent tc, Configuration config) {
+  exists(int tails, int nodes, int apLimit, int tupleLimit |
+    tails = strictcount(AccessPathFront apf | Stage3::consCand(tc, apf, config)) and
+    nodes =
+      strictcount(Node n |
+        Stage3::revFlow(n, _, _, any(AccessPathFrontHead apf | apf.getHead() = tc), config)
+        or
+        flowCandSummaryCtx(n, any(AccessPathFrontHead apf | apf.getHead() = tc), config)
+      ) and
+    accessPathApproxCostLimits(apLimit, tupleLimit) and
+    apLimit < tails and
+    tupleLimit < (tails - 1) * nodes
+  )
+}
+
+private newtype TAccessPathApprox =
+  TNil(DataFlowType t) or
+  TConsNil(TypedContent tc, DataFlowType t) {
+    Stage3::consCand(tc, TFrontNil(t), _) and
+    not expensiveLen2unfolding(tc, _)
+  } or
+  TConsCons(TypedContent tc1, TypedContent tc2, int len) {
+    Stage3::consCand(tc1, TFrontHead(tc2), _) and
+    len in [2 .. accessPathLimit()] and
+    not expensiveLen2unfolding(tc1, _)
+  } or
+  TCons1(TypedContent tc, int len) {
+    len in [1 .. accessPathLimit()] and
+    expensiveLen2unfolding(tc, _)
+  }
+
+/**
+ * Conceptually a list of `TypedContent`s followed by a `DataFlowType`, but only
+ * the first two elements of the list and its length are tracked. If data flows
+ * from a source to a given node with a given `AccessPathApprox`, this indicates
+ * the sequence of dereference operations needed to get from the value in the node
+ * to the tracked object. The final type indicates the type of the tracked object.
+ */
+abstract private class AccessPathApprox extends TAccessPathApprox {
+  abstract string toString();
+
+  abstract TypedContent getHead();
+
+  abstract int len();
+
+  abstract DataFlowType getType();
+
+  abstract AccessPathFront getFront();
+
+  /** Gets the access path obtained by popping `head` from this path, if any. */
+  abstract AccessPathApprox pop(TypedContent head);
+}
+
+private class AccessPathApproxNil extends AccessPathApprox, TNil {
+  private DataFlowType t;
+
+  AccessPathApproxNil() { this = TNil(t) }
+
+  override string toString() { result = concat(": " + ppReprType(t)) }
+
+  override TypedContent getHead() { none() }
+
+  override int len() { result = 0 }
+
+  override DataFlowType getType() { result = t }
+
+  override AccessPathFront getFront() { result = TFrontNil(t) }
+
+  override AccessPathApprox pop(TypedContent head) { none() }
+}
+
+abstract private class AccessPathApproxCons extends AccessPathApprox { }
+
+private class AccessPathApproxConsNil extends AccessPathApproxCons, TConsNil {
+  private TypedContent tc;
+  private DataFlowType t;
+
+  AccessPathApproxConsNil() { this = TConsNil(tc, t) }
+
+  override string toString() {
+    // The `concat` becomes "" if `ppReprType` has no result.
+    result = "[" + tc.toString() + "]" + concat(" : " + ppReprType(t))
+  }
+
+  override TypedContent getHead() { result = tc }
+
+  override int len() { result = 1 }
+
+  override DataFlowType getType() { result = tc.getContainerType() }
+
+  override AccessPathFront getFront() { result = TFrontHead(tc) }
+
+  override AccessPathApprox pop(TypedContent head) { head = tc and result = TNil(t) }
+}
+
+private class AccessPathApproxConsCons extends AccessPathApproxCons, TConsCons {
+  private TypedContent tc1;
+  private TypedContent tc2;
+  private int len;
+
+  AccessPathApproxConsCons() { this = TConsCons(tc1, tc2, len) }
+
+  override string toString() {
+    if len = 2
+    then result = "[" + tc1.toString() + ", " + tc2.toString() + "]"
+    else result = "[" + tc1.toString() + ", " + tc2.toString() + ", ... (" + len.toString() + ")]"
+  }
+
+  override TypedContent getHead() { result = tc1 }
+
+  override int len() { result = len }
+
+  override DataFlowType getType() { result = tc1.getContainerType() }
+
+  override AccessPathFront getFront() { result = TFrontHead(tc1) }
+
+  override AccessPathApprox pop(TypedContent head) {
+    head = tc1 and
+    (
+      result = TConsCons(tc2, _, len - 1)
+      or
+      len = 2 and
+      result = TConsNil(tc2, _)
+      or
+      result = TCons1(tc2, len - 1)
+    )
+  }
+}
+
+private class AccessPathApproxCons1 extends AccessPathApproxCons, TCons1 {
+  private TypedContent tc;
+  private int len;
+
+  AccessPathApproxCons1() { this = TCons1(tc, len) }
+
+  override string toString() {
+    if len = 1
+    then result = "[" + tc.toString() + "]"
+    else result = "[" + tc.toString() + ", ... (" + len.toString() + ")]"
+  }
+
+  override TypedContent getHead() { result = tc }
+
+  override int len() { result = len }
+
+  override DataFlowType getType() { result = tc.getContainerType() }
+
+  override AccessPathFront getFront() { result = TFrontHead(tc) }
+
+  override AccessPathApprox pop(TypedContent head) {
+    head = tc and
+    (
+      exists(TypedContent tc2 | Stage3::consCand(tc, TFrontHead(tc2), _) |
+        result = TConsCons(tc2, _, len - 1)
+        or
+        len = 2 and
+        result = TConsNil(tc2, _)
+        or
+        result = TCons1(tc2, len - 1)
+      )
+      or
+      exists(DataFlowType t |
+        len = 1 and
+        Stage3::consCand(tc, TFrontNil(t), _) and
+        result = TNil(t)
+      )
+    )
+  }
+}
+
+/** Gets the access path obtained by popping `tc` from `ap`, if any. */
+private AccessPathApprox pop(TypedContent tc, AccessPathApprox apa) { result = apa.pop(tc) }
+
+/** Gets the access path obtained by pushing `tc` onto `ap`. */
+private AccessPathApprox push(TypedContent tc, AccessPathApprox apa) { apa = pop(tc, result) }
+
+private newtype TAccessPathApproxOption =
+  TAccessPathApproxNone() or
+  TAccessPathApproxSome(AccessPathApprox apa)
+
+private class AccessPathApproxOption extends TAccessPathApproxOption {
+  string toString() {
+    this = TAccessPathApproxNone() and result = "<none>"
+    or
+    this = TAccessPathApproxSome(any(AccessPathApprox apa | result = apa.toString()))
+  }
+}
+
+private module Stage4 {
+  module PrevStage = Stage3;
+
+  class ApApprox = PrevStage::Ap;
+
+  class Ap = AccessPathApprox;
+
+  class ApNil = AccessPathApproxNil;
+
+  private ApApprox getApprox(Ap ap) { result = ap.getFront() }
+
+  private ApNil getApNil(Node node) {
+    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+  }
+
+  bindingset[tc, tail]
+  private Ap apCons(TypedContent tc, Ap tail) { result = push(tc, tail) }
+
+  pragma[noinline]
+  private Content getHeadContent(Ap ap) { result = ap.getHead().getContent() }
+
+  class ApOption = AccessPathApproxOption;
+
+  ApOption apNone() { result = TAccessPathApproxNone() }
+
+  ApOption apSome(Ap ap) { result = TAccessPathApproxSome(ap) }
+
+  class Cc = CallContext;
+
+  class CcCall = CallContextCall;
+
+  class CcNoCall = CallContextNoCall;
+
+  Cc ccNone() { result instanceof CallContextAny }
+
+  private class LocalCc = LocalCallContext;
+
+  bindingset[call, c, outercc]
+  private CcCall getCallContextCall(DataFlowCall call, DataFlowCallable c, Cc outercc) {
+    c = resolveCall(call, outercc) and
+    if recordDataFlowCallSite(call, c) then result = TSpecificCall(call) else result = TSomeCall()
+  }
+
+  bindingset[call, c]
+  private CcNoCall getCallContextReturn(DataFlowCallable c, DataFlowCall call) {
+    if reducedViableImplInReturn(c, call) then result = TReturn(c, call) else result = ccNone()
+  }
+
+  bindingset[innercc, inner, call]
+  private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
+    resolveReturn(innercc, inner, call)
+    or
+    innercc.(CallContextCall).matchesCall(call)
+  }
+
+  bindingset[node, cc, config]
+  private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
+    localFlowEntry(node, config) and
+    result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node))
+  }
+
+  private predicate localStep(
+    Node node1, Node node2, boolean preservesValue, ApNil ap, Configuration config, LocalCc lcc
+  ) {
+    localFlowBigStep(node1, node2, preservesValue, ap.getFront(), config, lcc)
+  }
+
+  pragma[nomagic]
+  private predicate flowOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::revFlow(node1, _, _, _, pragma[only_bind_into](config))
+  }
+
+  pragma[nomagic]
+  private predicate flowIntoCall(
+    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::revFlow(node1, _, _, _, pragma[only_bind_into](config))
+  }
+
+  bindingset[node, ap]
+  private predicate filter(Node node, Ap ap) { any() }
+
+  // Type checking is not necessary here as it has already been done in stage 3.
+  bindingset[ap, contentType]
+  private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }
+
+  /* Begin: Stage 4 logic. */
+  private predicate flowCand(Node node, ApApprox apa, Configuration config) {
+    PrevStage::revFlow(node, _, _, apa, config)
+  }
+
+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
+  /**
+   * Holds if `node` is reachable with access path `ap` from a source in the
+   * configuration `config`.
+   *
+   * The call context `cc` records whether the node is reached through an
+   * argument in a call, and if so, `argAp` records the access path of that
+   * argument.
+   */
+  pragma[nomagic]
+  predicate fwdFlow(Node node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(Node node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    flowCand(node, _, config) and
+    config.isSource(node) and
+    cc = ccNone() and
+    argAp = apNone() and
+    ap = getApNil(node)
+    or
+    exists(Node mid, Ap ap0, LocalCc localCc |
+      fwdFlow(mid, cc, argAp, ap0, config) and
+      localCc = getLocalCc(mid, cc, config)
+    |
+      localStep(mid, node, true, _, config, localCc) and
+      ap = ap0
+      or
+      localStep(mid, node, false, ap, config, localCc) and
+      ap0 instanceof ApNil
+    )
+    or
+    exists(Node mid |
+      fwdFlow(mid, _, _, ap, pragma[only_bind_into](config)) and
+      flowCand(node, _, pragma[only_bind_into](config)) and
+      jumpStep(mid, node, config) and
+      cc = ccNone() and
+      argAp = apNone()
+    )
+    or
+    exists(Node mid, ApNil nil |
+      fwdFlow(mid, _, _, nil, pragma[only_bind_into](config)) and
+      flowCand(node, _, pragma[only_bind_into](config)) and
+      additionalJumpStep(mid, node, config) and
+      cc = ccNone() and
+      argAp = apNone() and
+      ap = getApNil(node)
+    )
+    or
+    // store
+    exists(TypedContent tc, Ap ap0 |
+      fwdFlowStore(_, ap0, tc, node, cc, argAp, config) and
+      ap = apCons(tc, ap0)
+    )
+    or
+    // read
+    exists(Ap ap0, Content c |
+      fwdFlowRead(ap0, c, _, node, cc, argAp, config) and
+      fwdFlowConsCand(ap0, c, ap, config)
+    )
+    or
+    // flow into a callable
+    exists(ApApprox apa |
+      fwdFlowIn(_, node, _, cc, _, ap, config) and
+      apa = getApprox(ap) and
+      if PrevStage::parameterMayFlowThrough(node, _, apa, config)
+      then argAp = apSome(ap)
+      else argAp = apNone()
+    )
+    or
+    // flow out of a callable
+    exists(DataFlowCall call |
+      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
+      or
+      exists(Ap argAp0 |
+        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      )
+    )
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlowStore(
+    Node node1, Ap ap1, TypedContent tc, Node node2, Cc cc, ApOption argAp, Configuration config
+  ) {
+    exists(DataFlowType contentType |
+      fwdFlow(node1, cc, argAp, ap1, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
+      typecheckStore(ap1, contentType)
+    )
+  }
+
+  /**
+   * Holds if forward flow with access path `tail` reaches a store of `c`
+   * resulting in access path `cons`.
+   */
+  pragma[nomagic]
+  private predicate fwdFlowConsCand(Ap cons, Content c, Ap tail, Configuration config) {
+    exists(TypedContent tc |
+      fwdFlowStore(_, tail, tc, _, _, _, config) and
+      tc.getContent() = c and
+      cons = apCons(tc, tail)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlowRead(
+    Ap ap, Content c, Node node1, Node node2, Cc cc, ApOption argAp, Configuration config
+  ) {
+    fwdFlow(node1, cc, argAp, ap, config) and
+    PrevStage::readStepCand(node1, c, node2, config) and
+    getHeadContent(ap) = c
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlowIn(
+    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    Configuration config
+  ) {
+    exists(ArgumentNode arg, boolean allowsFieldFlow |
+      fwdFlow(arg, outercc, argAp, ap, config) and
+      flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+      innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
+  }
+
+  /**
+   * Holds if flow may exit from `call` at `out` with access path `ap`. The
+   * inner call context is `innercc`, but `ccOut` is just the call context
+   * based on the return step. In the case of through-flow `ccOut` is discarded
+   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
+   */
+  pragma[nomagic]
+  private predicate fwdFlowOut(
+    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  ) {
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+      fwdFlow(ret, innercc, argAp, ap, config) and
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      inner = getNodeEnclosingCallable(ret) and
+      checkCallContextReturn(innercc, inner, call) and
+      ccOut = getCallContextReturn(inner, call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlowOutFromArg(
+    DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
+  ) {
+    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+  }
+
+  /**
+   * Holds if an argument to `call` is reached in the flow covered by `fwdFlow`
+   * and data might flow through the target callable and back out at `call`.
+   */
+  pragma[nomagic]
+  private predicate fwdFlowIsEntered(
+    DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
+  ) {
+    exists(ParameterNode p |
+      fwdFlowIn(call, p, cc, _, argAp, ap, config) and
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate storeStepFwd(
+    Node node1, Ap ap1, TypedContent tc, Node node2, Ap ap2, Configuration config
+  ) {
+    fwdFlowStore(node1, ap1, tc, node2, _, _, config) and
+    ap2 = apCons(tc, ap1) and
+    fwdFlowRead(ap2, tc.getContent(), _, _, _, _, config)
+  }
+
+  private predicate readStepFwd(Node n1, Ap ap1, Content c, Node n2, Ap ap2, Configuration config) {
+    fwdFlowRead(ap1, c, n1, n2, _, _, config) and
+    fwdFlowConsCand(ap1, c, ap2, config)
+  }
+
+  /**
+   * Holds if `node` with access path `ap` is part of a path from a source to a
+   * sink in the configuration `config`.
+   *
+   * The Boolean `toReturn` records whether the node must be returned from the
+   * enclosing callable in order to reach a sink, and if so, `returnAp` records
+   * the access path of the returned value.
+   */
+  pragma[nomagic]
+  predicate revFlow(Node node, boolean toReturn, ApOption returnAp, Ap ap, Configuration config) {
+    revFlow0(node, toReturn, returnAp, ap, config) and
+    fwdFlow(node, _, _, ap, config)
+  }
+
+  pragma[nomagic]
+  private predicate revFlow0(
+    Node node, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
+  ) {
+    fwdFlow(node, _, _, ap, config) and
+    config.isSink(node) and
+    toReturn = false and
+    returnAp = apNone() and
+    ap instanceof ApNil
+    or
+    exists(Node mid |
+      localStep(node, mid, true, _, config, _) and
+      revFlow(mid, toReturn, returnAp, ap, config)
+    )
+    or
+    exists(Node mid, ApNil nil |
+      fwdFlow(node, _, _, ap, pragma[only_bind_into](config)) and
+      localStep(node, mid, false, _, config, _) and
+      revFlow(mid, toReturn, returnAp, nil, pragma[only_bind_into](config)) and
+      ap instanceof ApNil
+    )
+    or
+    exists(Node mid |
+      jumpStep(node, mid, config) and
+      revFlow(mid, _, _, ap, config) and
+      toReturn = false and
+      returnAp = apNone()
+    )
+    or
+    exists(Node mid, ApNil nil |
+      fwdFlow(node, _, _, ap, pragma[only_bind_into](config)) and
+      additionalJumpStep(node, mid, config) and
+      revFlow(pragma[only_bind_into](mid), _, _, nil, pragma[only_bind_into](config)) and
+      toReturn = false and
+      returnAp = apNone() and
+      ap instanceof ApNil
+    )
+    or
+    // store
+    exists(Ap ap0, Content c |
+      revFlowStore(ap0, c, ap, node, _, _, toReturn, returnAp, config) and
+      revFlowConsCand(ap0, c, ap, config)
+    )
+    or
+    // read
+    exists(Node mid, Ap ap0 |
+      revFlow(mid, toReturn, returnAp, ap0, config) and
+      readStepFwd(node, ap, _, mid, ap0, config)
+    )
+    or
+    // flow into a callable
+    exists(DataFlowCall call |
+      revFlowIn(call, node, toReturn, returnAp, ap, config) and
+      toReturn = false
+      or
+      exists(Ap returnAp0 |
+        revFlowInToReturn(call, node, returnAp0, ap, config) and
+        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+      )
+    )
+    or
+    // flow out of a callable
+    revFlowOut(_, node, _, _, ap, config) and
+    toReturn = true and
+    if fwdFlow(node, any(CcCall ccc), apSome(_), ap, config)
+    then returnAp = apSome(ap)
+    else returnAp = apNone()
+  }
+
+  pragma[nomagic]
+  private predicate revFlowStore(
+    Ap ap0, Content c, Ap ap, Node node, TypedContent tc, Node mid, boolean toReturn,
+    ApOption returnAp, Configuration config
+  ) {
+    revFlow(mid, toReturn, returnAp, ap0, config) and
+    storeStepFwd(node, ap, tc, mid, ap0, config) and
+    tc.getContent() = c
+  }
+
+  /**
+   * Holds if reverse flow with access path `tail` reaches a read of `c`
+   * resulting in access path `cons`.
+   */
+  pragma[nomagic]
+  private predicate revFlowConsCand(Ap cons, Content c, Ap tail, Configuration config) {
+    exists(Node mid, Ap tail0 |
+      revFlow(mid, _, _, tail, config) and
+      tail = pragma[only_bind_into](tail0) and
+      readStepFwd(_, cons, c, mid, tail0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate revFlowOut(
+    DataFlowCall call, ReturnNodeExt ret, boolean toReturn, ApOption returnAp, Ap ap,
+    Configuration config
+  ) {
+    exists(Node out, boolean allowsFieldFlow |
+      revFlow(out, toReturn, returnAp, ap, config) and
+      flowOutOfCall(call, ret, out, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
+  }
+
+  pragma[nomagic]
+  private predicate revFlowIn(
+    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    Configuration config
+  ) {
+    exists(ParameterNode p, boolean allowsFieldFlow |
+      revFlow(p, toReturn, returnAp, ap, config) and
+      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
+  }
+
+  pragma[nomagic]
+  private predicate revFlowInToReturn(
+    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+  ) {
+    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+  }
+
+  /**
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
+   */
+  pragma[nomagic]
+  private predicate revFlowIsReturned(
+    DataFlowCall call, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
+  ) {
+    exists(ReturnNodeExt ret, CcCall ccc |
+      revFlowOut(call, ret, toReturn, returnAp, ap, config) and
+      fwdFlow(ret, ccc, apSome(_), ap, config) and
+      ccc.matchesCall(call)
+    )
+  }
+
+  pragma[nomagic]
+  predicate storeStepCand(
+    Node node1, Ap ap1, TypedContent tc, Node node2, DataFlowType contentType, Configuration config
+  ) {
+    exists(Ap ap2, Content c |
+      store(node1, tc, node2, contentType) and
+      revFlowStore(ap2, c, ap1, node1, tc, node2, _, _, config) and
+      revFlowConsCand(ap2, c, ap1, config)
+    )
+  }
+
+  predicate readStepCand(Node node1, Content c, Node node2, Configuration config) {
+    exists(Ap ap1, Ap ap2 |
+      revFlow(node2, _, _, pragma[only_bind_into](ap2), pragma[only_bind_into](config)) and
+      readStepFwd(node1, ap1, c, node2, ap2, config) and
+      revFlowStore(ap1, c, pragma[only_bind_into](ap2), _, _, _, _, _,
+        pragma[only_bind_into](config))
+    )
+  }
+
+  predicate revFlow(Node node, Configuration config) { revFlow(node, _, _, _, config) }
+
+  private predicate fwdConsCand(TypedContent tc, Ap ap, Configuration config) {
+    storeStepFwd(_, ap, tc, _, _, config)
+  }
+
+  predicate consCand(TypedContent tc, Ap ap, Configuration config) {
+    storeStepCand(_, ap, tc, _, _, config)
+  }
+
+  pragma[noinline]
+  private predicate parameterFlow(
+    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+  ) {
+    revFlow(p, true, apSome(ap0), ap, config) and
+    c = getNodeEnclosingCallable(p)
+  }
+
+  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+    exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
+      parameterFlow(p, ap, ap0, c, config) and
+      c = getNodeEnclosingCallable(ret) and
+      revFlow(ret, true, apSome(_), ap0, config) and
+      fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
+      kind = ret.getKind() and
+      p.isParameterOf(_, pos) and
+      // we don't expect a parameter to return stored in itself
+      not kind.(ParamUpdateReturnKind).getPosition() = pos
+    )
+  }
+
+  predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
+    fwd = true and
+    nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
+    fields = count(TypedContent f0 | fwdConsCand(f0, _, config)) and
+    conscand = count(TypedContent f0, Ap ap | fwdConsCand(f0, ap, config)) and
+    tuples = count(Node n, Cc cc, ApOption argAp, Ap ap | fwdFlow(n, cc, argAp, ap, config))
+    or
+    fwd = false and
+    nodes = count(Node node | revFlow(node, _, _, _, config)) and
+    fields = count(TypedContent f0 | consCand(f0, _, config)) and
+    conscand = count(TypedContent f0, Ap ap | consCand(f0, ap, config)) and
+    tuples = count(Node n, boolean b, ApOption retAp, Ap ap | revFlow(n, b, retAp, ap, config))
+  }
+  /* End: Stage 4 logic. */
+}
+
+bindingset[conf, result]
+private Configuration unbindConf(Configuration conf) {
+  exists(Configuration c | result = pragma[only_bind_into](c) and conf = pragma[only_bind_into](c))
+}
+
+private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration config) {
+  exists(DataFlowCallable c, AccessPathApprox apa0 |
+    Stage4::parameterMayFlowThrough(_, c, apa, _) and
+    Stage4::revFlow(n, true, _, apa0, config) and
+    Stage4::fwdFlow(n, any(CallContextCall ccc), TAccessPathApproxSome(apa), apa0, config) and
+    getNodeEnclosingCallable(n) = c
+  )
+}
+
+private newtype TSummaryCtx =
+  TSummaryCtxNone() or
+  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+    Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
+  }
+
+/**
+ * A context for generating flow summaries. This represents flow entry through
+ * a specific parameter with an access path of a specific shape.
+ *
+ * Summaries are only created for parameters that may flow through.
+ */
+abstract private class SummaryCtx extends TSummaryCtx {
+  abstract string toString();
+}
+
+/** A summary context from which no flow summary can be generated. */
+private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
+  override string toString() { result = "<none>" }
+}
+
+/** A summary context from which a flow summary can be generated. */
+private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
+  private ParameterNode p;
+  private AccessPath ap;
+
+  SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
+
+  int getParameterPos() { p.isParameterOf(_, result) }
+
+  override string toString() { result = p + ": " + ap }
+
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    p.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+}
+
+/**
+ * Gets the number of length 2 access path approximations that correspond to `apa`.
+ */
+private int count1to2unfold(AccessPathApproxCons1 apa, Configuration config) {
+  exists(TypedContent tc, int len |
+    tc = apa.getHead() and
+    len = apa.len() and
+    result =
+      strictcount(AccessPathFront apf |
+        Stage4::consCand(tc, any(AccessPathApprox ap | ap.getFront() = apf and ap.len() = len - 1),
+          config)
+      )
+  )
+}
+
+private int countNodesUsingAccessPath(AccessPathApprox apa, Configuration config) {
+  result =
+    strictcount(Node n | Stage4::revFlow(n, _, _, apa, config) or nodeMayUseSummary(n, apa, config))
+}
+
+/**
+ * Holds if a length 2 access path approximation matching `apa` is expected
+ * to be expensive.
+ */
+private predicate expensiveLen1to2unfolding(AccessPathApproxCons1 apa, Configuration config) {
+  exists(int aps, int nodes, int apLimit, int tupleLimit |
+    aps = count1to2unfold(apa, config) and
+    nodes = countNodesUsingAccessPath(apa, config) and
+    accessPathCostLimits(apLimit, tupleLimit) and
+    apLimit < aps and
+    tupleLimit < (aps - 1) * nodes
+  )
+}
+
+private AccessPathApprox getATail(AccessPathApprox apa, Configuration config) {
+  exists(TypedContent head |
+    apa.pop(head) = result and
+    Stage4::consCand(head, result, config)
+  )
+}
+
+/**
+ * Holds with `unfold = false` if a precise head-tail representation of `apa` is
+ * expected to be expensive. Holds with `unfold = true` otherwise.
+ */
+private predicate evalUnfold(AccessPathApprox apa, boolean unfold, Configuration config) {
+  exists(int aps, int nodes, int apLimit, int tupleLimit |
+    aps = countPotentialAps(apa, config) and
+    nodes = countNodesUsingAccessPath(apa, config) and
+    accessPathCostLimits(apLimit, tupleLimit) and
+    if apLimit < aps and tupleLimit < (aps - 1) * nodes then unfold = false else unfold = true
+  )
+}
+
+/**
+ * Gets the number of `AccessPath`s that correspond to `apa`.
+ */
+private int countAps(AccessPathApprox apa, Configuration config) {
+  evalUnfold(apa, false, config) and
+  result = 1 and
+  (not apa instanceof AccessPathApproxCons1 or expensiveLen1to2unfolding(apa, config))
+  or
+  evalUnfold(apa, false, config) and
+  result = count1to2unfold(apa, config) and
+  not expensiveLen1to2unfolding(apa, config)
+  or
+  evalUnfold(apa, true, config) and
+  result = countPotentialAps(apa, config)
+}
+
+/**
+ * Gets the number of `AccessPath`s that would correspond to `apa` assuming
+ * that it is expanded to a precise head-tail representation.
+ */
+language[monotonicAggregates]
+private int countPotentialAps(AccessPathApprox apa, Configuration config) {
+  apa instanceof AccessPathApproxNil and result = 1
+  or
+  result = strictsum(AccessPathApprox tail | tail = getATail(apa, config) | countAps(tail, config))
+}
+
+private newtype TAccessPath =
+  TAccessPathNil(DataFlowType t) or
+  TAccessPathCons(TypedContent head, AccessPath tail) {
+    exists(AccessPathApproxCons apa |
+      not evalUnfold(apa, false, _) and
+      head = apa.getHead() and
+      tail.getApprox() = getATail(apa, _)
+    )
+  } or
+  TAccessPathCons2(TypedContent head1, TypedContent head2, int len) {
+    exists(AccessPathApproxCons apa |
+      evalUnfold(apa, false, _) and
+      not expensiveLen1to2unfolding(apa, _) and
+      apa.len() = len and
+      head1 = apa.getHead() and
+      head2 = getATail(apa, _).getHead()
+    )
+  } or
+  TAccessPathCons1(TypedContent head, int len) {
+    exists(AccessPathApproxCons apa |
+      evalUnfold(apa, false, _) and
+      expensiveLen1to2unfolding(apa, _) and
+      apa.len() = len and
+      head = apa.getHead()
+    )
+  }
+
+private newtype TPathNode =
+  TPathNodeMid(Node node, CallContext cc, SummaryCtx sc, AccessPath ap, Configuration config) {
+    // A PathNode is introduced by a source ...
+    Stage4::revFlow(node, config) and
+    config.isSource(node) and
+    cc instanceof CallContextAny and
+    sc instanceof SummaryCtxNone and
+    ap = TAccessPathNil(getNodeType(node))
+    or
+    // ... or a step from an existing PathNode to another node.
+    exists(PathNodeMid mid |
+      pathStep(mid, node, cc, sc, ap) and
+      pragma[only_bind_into](config) = mid.getConfiguration() and
+      Stage4::revFlow(node, _, _, ap.getApprox(), pragma[only_bind_into](config))
+    )
+  } or
+  TPathNodeSink(Node node, Configuration config) {
+    pragma[only_bind_into](config).isSink(node) and
+    Stage4::revFlow(node, pragma[only_bind_into](config)) and
+    (
+      // A sink that is also a source ...
+      config.isSource(node)
+      or
+      // ... or a sink that can be reached from a source
+      exists(PathNodeMid mid |
+        pathStep(mid, node, _, _, TAccessPathNil(_)) and
+        pragma[only_bind_into](config) = mid.getConfiguration()
+      )
+    )
+  }
+
+/**
+ * A list of `TypedContent`s followed by a `DataFlowType`. If data flows from a
+ * source to a given node with a given `AccessPath`, this indicates the sequence
+ * of dereference operations needed to get from the value in the node to the
+ * tracked object. The final type indicates the type of the tracked object.
+ */
+abstract private class AccessPath extends TAccessPath {
+  /** Gets the head of this access path, if any. */
+  abstract TypedContent getHead();
+
+  /** Gets the tail of this access path, if any. */
+  abstract AccessPath getTail();
+
+  /** Gets the front of this access path. */
+  abstract AccessPathFront getFront();
+
+  /** Gets the approximation of this access path. */
+  abstract AccessPathApprox getApprox();
+
+  /** Gets the length of this access path. */
+  abstract int length();
+
+  /** Gets a textual representation of this access path. */
+  abstract string toString();
+
+  /** Gets the access path obtained by popping `tc` from this access path, if any. */
+  final AccessPath pop(TypedContent tc) {
+    result = this.getTail() and
+    tc = this.getHead()
+  }
+
+  /** Gets the access path obtained by pushing `tc` onto this access path. */
+  final AccessPath push(TypedContent tc) { this = result.pop(tc) }
+}
+
+private class AccessPathNil extends AccessPath, TAccessPathNil {
+  private DataFlowType t;
+
+  AccessPathNil() { this = TAccessPathNil(t) }
+
+  DataFlowType getType() { result = t }
+
+  override TypedContent getHead() { none() }
+
+  override AccessPath getTail() { none() }
+
+  override AccessPathFrontNil getFront() { result = TFrontNil(t) }
+
+  override AccessPathApproxNil getApprox() { result = TNil(t) }
+
+  override int length() { result = 0 }
+
+  override string toString() { result = concat(": " + ppReprType(t)) }
+}
+
+private class AccessPathCons extends AccessPath, TAccessPathCons {
+  private TypedContent head;
+  private AccessPath tail;
+
+  AccessPathCons() { this = TAccessPathCons(head, tail) }
+
+  override TypedContent getHead() { result = head }
+
+  override AccessPath getTail() { result = tail }
+
+  override AccessPathFrontHead getFront() { result = TFrontHead(head) }
+
+  override AccessPathApproxCons getApprox() {
+    result = TConsNil(head, tail.(AccessPathNil).getType())
+    or
+    result = TConsCons(head, tail.getHead(), this.length())
+    or
+    result = TCons1(head, this.length())
+  }
+
+  override int length() { result = 1 + tail.length() }
+
+  private string toStringImpl(boolean needsSuffix) {
+    exists(DataFlowType t |
+      tail = TAccessPathNil(t) and
+      needsSuffix = false and
+      result = head.toString() + "]" + concat(" : " + ppReprType(t))
+    )
+    or
+    result = head + ", " + tail.(AccessPathCons).toStringImpl(needsSuffix)
+    or
+    exists(TypedContent tc2, TypedContent tc3, int len | tail = TAccessPathCons2(tc2, tc3, len) |
+      result = head + ", " + tc2 + ", " + tc3 + ", ... (" and len > 2 and needsSuffix = true
+      or
+      result = head + ", " + tc2 + ", " + tc3 + "]" and len = 2 and needsSuffix = false
+    )
+    or
+    exists(TypedContent tc2, int len | tail = TAccessPathCons1(tc2, len) |
+      result = head + ", " + tc2 + ", ... (" and len > 1 and needsSuffix = true
+      or
+      result = head + ", " + tc2 + "]" and len = 1 and needsSuffix = false
+    )
+  }
+
+  override string toString() {
+    result = "[" + this.toStringImpl(true) + length().toString() + ")]"
+    or
+    result = "[" + this.toStringImpl(false)
+  }
+}
+
+private class AccessPathCons2 extends AccessPath, TAccessPathCons2 {
+  private TypedContent head1;
+  private TypedContent head2;
+  private int len;
+
+  AccessPathCons2() { this = TAccessPathCons2(head1, head2, len) }
+
+  override TypedContent getHead() { result = head1 }
+
+  override AccessPath getTail() {
+    Stage4::consCand(head1, result.getApprox(), _) and
+    result.getHead() = head2 and
+    result.length() = len - 1
+  }
+
+  override AccessPathFrontHead getFront() { result = TFrontHead(head1) }
+
+  override AccessPathApproxCons getApprox() {
+    result = TConsCons(head1, head2, len) or
+    result = TCons1(head1, len)
+  }
+
+  override int length() { result = len }
+
+  override string toString() {
+    if len = 2
+    then result = "[" + head1.toString() + ", " + head2.toString() + "]"
+    else
+      result = "[" + head1.toString() + ", " + head2.toString() + ", ... (" + len.toString() + ")]"
+  }
+}
+
+private class AccessPathCons1 extends AccessPath, TAccessPathCons1 {
+  private TypedContent head;
+  private int len;
+
+  AccessPathCons1() { this = TAccessPathCons1(head, len) }
+
+  override TypedContent getHead() { result = head }
+
+  override AccessPath getTail() {
+    Stage4::consCand(head, result.getApprox(), _) and result.length() = len - 1
+  }
+
+  override AccessPathFrontHead getFront() { result = TFrontHead(head) }
+
+  override AccessPathApproxCons getApprox() { result = TCons1(head, len) }
+
+  override int length() { result = len }
+
+  override string toString() {
+    if len = 1
+    then result = "[" + head.toString() + "]"
+    else result = "[" + head.toString() + ", ... (" + len.toString() + ")]"
+  }
+}
+
+/**
+ * A `Node` augmented with a call context (except for sinks), an access path, and a configuration.
+ * Only those `PathNode`s that are reachable from a source are generated.
+ */
+class PathNode extends TPathNode {
+  /** Gets a textual representation of this element. */
+  string toString() { none() }
+
+  /**
+   * Gets a textual representation of this element, including a textual
+   * representation of the call context.
+   */
+  string toStringWithContext() { none() }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
+   */
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    none()
+  }
+
+  /** Gets the underlying `Node`. */
+  Node getNode() { none() }
+
+  /** Gets the associated configuration. */
+  Configuration getConfiguration() { none() }
+
+  private predicate isHidden() {
+    nodeIsHidden(this.getNode()) and
+    not this.isSource() and
+    not this instanceof PathNodeSink
+  }
+
+  private PathNode getASuccessorIfHidden() {
+    this.isHidden() and
+    result = this.(PathNodeImpl).getASuccessorImpl()
+  }
+
+  /** Gets a successor of this node, if any. */
+  final PathNode getASuccessor() {
+    result = this.(PathNodeImpl).getASuccessorImpl().getASuccessorIfHidden*() and
+    not this.isHidden() and
+    not result.isHidden()
+  }
+
+  /** Holds if this node is a source. */
+  predicate isSource() { none() }
+}
+
+abstract private class PathNodeImpl extends PathNode {
+  abstract PathNode getASuccessorImpl();
+
+  private string ppAp() {
+    this instanceof PathNodeSink and result = ""
+    or
+    exists(string s | s = this.(PathNodeMid).getAp().toString() |
+      if s = "" then result = "" else result = " " + s
+    )
+  }
+
+  private string ppCtx() {
+    this instanceof PathNodeSink and result = ""
+    or
+    result = " <" + this.(PathNodeMid).getCallContext().toString() + ">"
+  }
+
+  override string toString() { result = this.getNode().toString() + ppAp() }
+
+  override string toStringWithContext() { result = this.getNode().toString() + ppAp() + ppCtx() }
+
+  override predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    this.getNode().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+}
+
+/** Holds if `n` can reach a sink. */
+private predicate reach(PathNode n) { n instanceof PathNodeSink or reach(n.getASuccessor()) }
+
+/** Holds if `n1.getSucc() = n2` and `n2` can reach a sink. */
+private predicate pathSucc(PathNode n1, PathNode n2) { n1.getASuccessor() = n2 and reach(n2) }
+
+private predicate pathSuccPlus(PathNode n1, PathNode n2) = fastTC(pathSucc/2)(n1, n2)
+
+/**
+ * Provides the query predicates needed to include a graph in a path-problem query.
+ */
+module PathGraph {
+  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
+  query predicate edges(PathNode a, PathNode b) { pathSucc(a, b) }
+
+  /** Holds if `n` is a node in the graph of data flow path explanations. */
+  query predicate nodes(PathNode n, string key, string val) {
+    reach(n) and key = "semmle.label" and val = n.toString()
+  }
+}
+
+/**
+ * An intermediate flow graph node. This is a triple consisting of a `Node`,
+ * a `CallContext`, and a `Configuration`.
+ */
+private class PathNodeMid extends PathNodeImpl, TPathNodeMid {
+  Node node;
+  CallContext cc;
+  SummaryCtx sc;
+  AccessPath ap;
+  Configuration config;
+
+  PathNodeMid() { this = TPathNodeMid(node, cc, sc, ap, config) }
+
+  override Node getNode() { result = node }
+
+  CallContext getCallContext() { result = cc }
+
+  SummaryCtx getSummaryCtx() { result = sc }
+
+  AccessPath getAp() { result = ap }
+
+  override Configuration getConfiguration() { result = config }
+
+  private PathNodeMid getSuccMid() {
+    pathStep(this, result.getNode(), result.getCallContext(), result.getSummaryCtx(), result.getAp()) and
+    result.getConfiguration() = unbindConf(this.getConfiguration())
+  }
+
+  override PathNodeImpl getASuccessorImpl() {
+    // an intermediate step to another intermediate node
+    result = getSuccMid()
+    or
+    // a final step to a sink via zero steps means we merge the last two steps to prevent trivial-looking edges
+    exists(PathNodeMid mid, PathNodeSink sink |
+      mid = getSuccMid() and
+      mid.getNode() = sink.getNode() and
+      mid.getAp() instanceof AccessPathNil and
+      sink.getConfiguration() = unbindConf(mid.getConfiguration()) and
+      result = sink
+    )
+  }
+
+  override predicate isSource() {
+    config.isSource(node) and
+    cc instanceof CallContextAny and
+    sc instanceof SummaryCtxNone and
+    ap instanceof AccessPathNil
+  }
+}
+
+/**
+ * A flow graph node corresponding to a sink. This is disjoint from the
+ * intermediate nodes in order to uniquely correspond to a given sink by
+ * excluding the `CallContext`.
+ */
+private class PathNodeSink extends PathNodeImpl, TPathNodeSink {
+  Node node;
+  Configuration config;
+
+  PathNodeSink() { this = TPathNodeSink(node, config) }
+
+  override Node getNode() { result = node }
+
+  override Configuration getConfiguration() { result = config }
+
+  override PathNode getASuccessorImpl() { none() }
+
+  override predicate isSource() { config.isSource(node) }
+}
+
+/**
+ * Holds if data may flow from `mid` to `node`. The last step in or out of
+ * a callable is recorded by `cc`.
+ */
+private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCtx sc, AccessPath ap) {
+  exists(AccessPath ap0, Node midnode, Configuration conf, LocalCallContext localCC |
+    midnode = mid.getNode() and
+    conf = mid.getConfiguration() and
+    cc = mid.getCallContext() and
+    sc = mid.getSummaryCtx() and
+    localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and
+    ap0 = mid.getAp()
+  |
+    localFlowBigStep(midnode, node, true, _, conf, localCC) and
+    ap = ap0
+    or
+    localFlowBigStep(midnode, node, false, ap.getFront(), conf, localCC) and
+    ap0 instanceof AccessPathNil
+  )
+  or
+  jumpStep(mid.getNode(), node, mid.getConfiguration()) and
+  cc instanceof CallContextAny and
+  sc instanceof SummaryCtxNone and
+  ap = mid.getAp()
+  or
+  additionalJumpStep(mid.getNode(), node, mid.getConfiguration()) and
+  cc instanceof CallContextAny and
+  sc instanceof SummaryCtxNone and
+  mid.getAp() instanceof AccessPathNil and
+  ap = TAccessPathNil(getNodeType(node))
+  or
+  exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
+  sc = mid.getSummaryCtx()
+  or
+  exists(TypedContent tc | pathReadStep(mid, node, ap.push(tc), tc, cc)) and
+  sc = mid.getSummaryCtx()
+  or
+  pathIntoCallable(mid, node, _, cc, sc, _) and ap = mid.getAp()
+  or
+  pathOutOfCallable(mid, node, cc) and ap = mid.getAp() and sc instanceof SummaryCtxNone
+  or
+  pathThroughCallable(mid, node, cc, ap) and sc = mid.getSummaryCtx()
+}
+
+pragma[nomagic]
+private predicate pathReadStep(
+  PathNodeMid mid, Node node, AccessPath ap0, TypedContent tc, CallContext cc
+) {
+  ap0 = mid.getAp() and
+  tc = ap0.getHead() and
+  Stage4::readStepCand(mid.getNode(), tc.getContent(), node, mid.getConfiguration()) and
+  cc = mid.getCallContext()
+}
+
+pragma[nomagic]
+private predicate pathStoreStep(
+  PathNodeMid mid, Node node, AccessPath ap0, TypedContent tc, CallContext cc
+) {
+  ap0 = mid.getAp() and
+  Stage4::storeStepCand(mid.getNode(), _, tc, node, _, mid.getConfiguration()) and
+  cc = mid.getCallContext()
+}
+
+private predicate pathOutOfCallable0(
+  PathNodeMid mid, ReturnPosition pos, CallContext innercc, AccessPathApprox apa,
+  Configuration config
+) {
+  pos = getReturnPosition(mid.getNode()) and
+  innercc = mid.getCallContext() and
+  innercc instanceof CallContextNoCall and
+  apa = mid.getAp().getApprox() and
+  config = mid.getConfiguration()
+}
+
+pragma[nomagic]
+private predicate pathOutOfCallable1(
+  PathNodeMid mid, DataFlowCall call, ReturnKindExt kind, CallContext cc, AccessPathApprox apa,
+  Configuration config
+) {
+  exists(ReturnPosition pos, DataFlowCallable c, CallContext innercc |
+    pathOutOfCallable0(mid, pos, innercc, apa, config) and
+    c = pos.getCallable() and
+    kind = pos.getKind() and
+    resolveReturn(innercc, c, call)
+  |
+    if reducedViableImplInReturn(c, call) then cc = TReturn(c, call) else cc = TAnyCallContext()
+  )
+}
+
+pragma[noinline]
+private Node getAnOutNodeFlow(
+  ReturnKindExt kind, DataFlowCall call, AccessPathApprox apa, Configuration config
+) {
+  result = kind.getAnOutNode(call) and
+  Stage4::revFlow(result, _, _, apa, config)
+}
+
+/**
+ * Holds if data may flow from `mid` to `out`. The last step of this path
+ * is a return from a callable and is recorded by `cc`, if needed.
+ */
+pragma[noinline]
+private predicate pathOutOfCallable(PathNodeMid mid, Node out, CallContext cc) {
+  exists(ReturnKindExt kind, DataFlowCall call, AccessPathApprox apa, Configuration config |
+    pathOutOfCallable1(mid, call, kind, cc, apa, config) and
+    out = getAnOutNodeFlow(kind, call, apa, config)
+  )
+}
+
+/**
+ * Holds if data may flow from `mid` to the `i`th argument of `call` in `cc`.
+ */
+pragma[noinline]
+private predicate pathIntoArg(
+  PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
+) {
+  exists(ArgumentNode arg |
+    arg = mid.getNode() and
+    cc = mid.getCallContext() and
+    arg.argumentOf(call, i) and
+    ap = mid.getAp() and
+    apa = ap.getApprox()
+  )
+}
+
+pragma[noinline]
+private predicate parameterCand(
+  DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
+) {
+  exists(ParameterNode p |
+    Stage4::revFlow(p, _, _, apa, config) and
+    p.isParameterOf(callable, i)
+  )
+}
+
+pragma[nomagic]
+private predicate pathIntoCallable0(
+  PathNodeMid mid, DataFlowCallable callable, int i, CallContext outercc, DataFlowCall call,
+  AccessPath ap
+) {
+  exists(AccessPathApprox apa |
+    pathIntoArg(mid, i, outercc, call, ap, apa) and
+    callable = resolveCall(call, outercc) and
+    parameterCand(callable, any(int j | j <= i and j >= i), apa, mid.getConfiguration())
+  )
+}
+
+/**
+ * Holds if data may flow from `mid` to `p` through `call`. The contexts
+ * before and after entering the callable are `outercc` and `innercc`,
+ * respectively.
+ */
+private predicate pathIntoCallable(
+  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  DataFlowCall call
+) {
+  exists(int i, DataFlowCallable callable, AccessPath ap |
+    pathIntoCallable0(mid, callable, i, outercc, call, ap) and
+    p.isParameterOf(callable, i) and
+    (
+      sc = TSummaryCtxSome(p, ap)
+      or
+      not exists(TSummaryCtxSome(p, ap)) and
+      sc = TSummaryCtxNone()
+    )
+  |
+    if recordDataFlowCallSite(call, callable)
+    then innercc = TSpecificCall(call)
+    else innercc = TSomeCall()
+  )
+}
+
+/** Holds if data may flow from a parameter given by `sc` to a return of kind `kind`. */
+pragma[nomagic]
+private predicate paramFlowsThrough(
+  ReturnKindExt kind, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa,
+  Configuration config
+) {
+  exists(PathNodeMid mid, ReturnNodeExt ret, int pos |
+    mid.getNode() = ret and
+    kind = ret.getKind() and
+    cc = mid.getCallContext() and
+    sc = mid.getSummaryCtx() and
+    config = mid.getConfiguration() and
+    ap = mid.getAp() and
+    apa = ap.getApprox() and
+    pos = sc.getParameterPos() and
+    not kind.(ParamUpdateReturnKind).getPosition() = pos
+  )
+}
+
+pragma[nomagic]
+private predicate pathThroughCallable0(
+  DataFlowCall call, PathNodeMid mid, ReturnKindExt kind, CallContext cc, AccessPath ap,
+  AccessPathApprox apa
+) {
+  exists(CallContext innercc, SummaryCtx sc |
+    pathIntoCallable(mid, _, cc, innercc, sc, call) and
+    paramFlowsThrough(kind, innercc, sc, ap, apa, unbindConf(mid.getConfiguration()))
+  )
+}
+
+/**
+ * Holds if data may flow from `mid` through a callable to the node `out`.
+ * The context `cc` is restored to its value prior to entering the callable.
+ */
+pragma[noinline]
+private predicate pathThroughCallable(PathNodeMid mid, Node out, CallContext cc, AccessPath ap) {
+  exists(DataFlowCall call, ReturnKindExt kind, AccessPathApprox apa |
+    pathThroughCallable0(call, mid, kind, cc, ap, apa) and
+    out = getAnOutNodeFlow(kind, call, apa, unbindConf(mid.getConfiguration()))
+  )
+}
+
+/**
+ * Holds if data can flow (inter-procedurally) from `source` to `sink`.
+ *
+ * Will only have results if `configuration` has non-empty sources and
+ * sinks.
+ */
+private predicate flowsTo(
+  PathNode flowsource, PathNodeSink flowsink, Node source, Node sink, Configuration configuration
+) {
+  flowsource.isSource() and
+  flowsource.getConfiguration() = configuration and
+  flowsource.getNode() = source and
+  (flowsource = flowsink or pathSuccPlus(flowsource, flowsink)) and
+  flowsink.getNode() = sink
+}
+
+/**
+ * Holds if data can flow (inter-procedurally) from `source` to `sink`.
+ *
+ * Will only have results if `configuration` has non-empty sources and
+ * sinks.
+ */
+predicate flowsTo(Node source, Node sink, Configuration configuration) {
+  flowsTo(_, _, source, sink, configuration)
+}
+
+private predicate finalStats(boolean fwd, int nodes, int fields, int conscand, int tuples) {
+  fwd = true and
+  nodes = count(Node n0 | exists(PathNode pn | pn.getNode() = n0)) and
+  fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0)) and
+  conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap)) and
+  tuples = count(PathNode pn)
+  or
+  fwd = false and
+  nodes = count(Node n0 | exists(PathNode pn | pn.getNode() = n0 and reach(pn))) and
+  fields = count(TypedContent f0 | exists(PathNodeMid pn | pn.getAp().getHead() = f0 and reach(pn))) and
+  conscand = count(AccessPath ap | exists(PathNodeMid pn | pn.getAp() = ap and reach(pn))) and
+  tuples = count(PathNode pn | reach(pn))
+}
+
+/**
+ * INTERNAL: Only for debugging.
+ *
+ * Calculates per-stage metrics for data flow.
+ */
+predicate stageStats(
+  int n, string stage, int nodes, int fields, int conscand, int tuples, Configuration config
+) {
+  stage = "1 Fwd" and n = 10 and Stage1::stats(true, nodes, fields, conscand, tuples, config)
+  or
+  stage = "1 Rev" and n = 15 and Stage1::stats(false, nodes, fields, conscand, tuples, config)
+  or
+  stage = "2 Fwd" and n = 20 and Stage2::stats(true, nodes, fields, conscand, tuples, config)
+  or
+  stage = "2 Rev" and n = 25 and Stage2::stats(false, nodes, fields, conscand, tuples, config)
+  or
+  stage = "3 Fwd" and n = 30 and Stage3::stats(true, nodes, fields, conscand, tuples, config)
+  or
+  stage = "3 Rev" and n = 35 and Stage3::stats(false, nodes, fields, conscand, tuples, config)
+  or
+  stage = "4 Fwd" and n = 40 and Stage4::stats(true, nodes, fields, conscand, tuples, config)
+  or
+  stage = "4 Rev" and n = 45 and Stage4::stats(false, nodes, fields, conscand, tuples, config)
+  or
+  stage = "5 Fwd" and n = 50 and finalStats(true, nodes, fields, conscand, tuples)
+  or
+  stage = "5 Rev" and n = 55 and finalStats(false, nodes, fields, conscand, tuples)
+}
+
+private module FlowExploration {
+  private predicate callableStep(DataFlowCallable c1, DataFlowCallable c2, Configuration config) {
+    exists(Node node1, Node node2 |
+      jumpStep(node1, node2, config)
+      or
+      additionalJumpStep(node1, node2, config)
+      or
+      // flow into callable
+      viableParamArg(_, node2, node1)
+      or
+      // flow out of a callable
+      viableReturnPosOut(_, getReturnPosition(node1), node2)
+    |
+      c1 = getNodeEnclosingCallable(node1) and
+      c2 = getNodeEnclosingCallable(node2) and
+      c1 != c2
+    )
+  }
+
+  private predicate interestingCallableSrc(DataFlowCallable c, Configuration config) {
+    exists(Node n | config.isSource(n) and c = getNodeEnclosingCallable(n))
+    or
+    exists(DataFlowCallable mid |
+      interestingCallableSrc(mid, config) and callableStep(mid, c, config)
+    )
+  }
+
+  private predicate interestingCallableSink(DataFlowCallable c, Configuration config) {
+    exists(Node n | config.isSink(n) and c = getNodeEnclosingCallable(n))
+    or
+    exists(DataFlowCallable mid |
+      interestingCallableSink(mid, config) and callableStep(c, mid, config)
+    )
+  }
+
+  private newtype TCallableExt =
+    TCallable(DataFlowCallable c, Configuration config) {
+      interestingCallableSrc(c, config) or
+      interestingCallableSink(c, config)
+    } or
+    TCallableSrc() or
+    TCallableSink()
+
+  private predicate callableExtSrc(TCallableSrc src) { any() }
+
+  private predicate callableExtSink(TCallableSink sink) { any() }
+
+  private predicate callableExtStepFwd(TCallableExt ce1, TCallableExt ce2) {
+    exists(DataFlowCallable c1, DataFlowCallable c2, Configuration config |
+      callableStep(c1, c2, config) and
+      ce1 = TCallable(c1, pragma[only_bind_into](config)) and
+      ce2 = TCallable(c2, pragma[only_bind_into](config))
+    )
+    or
+    exists(Node n, Configuration config |
+      ce1 = TCallableSrc() and
+      config.isSource(n) and
+      ce2 = TCallable(getNodeEnclosingCallable(n), config)
+    )
+    or
+    exists(Node n, Configuration config |
+      ce2 = TCallableSink() and
+      config.isSink(n) and
+      ce1 = TCallable(getNodeEnclosingCallable(n), config)
+    )
+  }
+
+  private predicate callableExtStepRev(TCallableExt ce1, TCallableExt ce2) {
+    callableExtStepFwd(ce2, ce1)
+  }
+
+  private int distSrcExt(TCallableExt c) =
+    shortestDistances(callableExtSrc/1, callableExtStepFwd/2)(_, c, result)
+
+  private int distSinkExt(TCallableExt c) =
+    shortestDistances(callableExtSink/1, callableExtStepRev/2)(_, c, result)
+
+  private int distSrc(DataFlowCallable c, Configuration config) {
+    result = distSrcExt(TCallable(c, config)) - 1
+  }
+
+  private int distSink(DataFlowCallable c, Configuration config) {
+    result = distSinkExt(TCallable(c, config)) - 1
+  }
+
+  private newtype TPartialAccessPath =
+    TPartialNil(DataFlowType t) or
+    TPartialCons(TypedContent tc, int len) { len in [1 .. accessPathLimit()] }
+
+  /**
+   * Conceptually a list of `TypedContent`s followed by a `Type`, but only the first
+   * element of the list and its length are tracked. If data flows from a source to
+   * a given node with a given `AccessPath`, this indicates the sequence of
+   * dereference operations needed to get from the value in the node to the
+   * tracked object. The final type indicates the type of the tracked object.
+   */
+  private class PartialAccessPath extends TPartialAccessPath {
+    abstract string toString();
+
+    TypedContent getHead() { this = TPartialCons(result, _) }
+
+    int len() {
+      this = TPartialNil(_) and result = 0
+      or
+      this = TPartialCons(_, result)
+    }
+
+    DataFlowType getType() {
+      this = TPartialNil(result)
+      or
+      exists(TypedContent head | this = TPartialCons(head, _) | result = head.getContainerType())
+    }
+  }
+
+  private class PartialAccessPathNil extends PartialAccessPath, TPartialNil {
+    override string toString() {
+      exists(DataFlowType t | this = TPartialNil(t) | result = concat(": " + ppReprType(t)))
+    }
+  }
+
+  private class PartialAccessPathCons extends PartialAccessPath, TPartialCons {
+    override string toString() {
+      exists(TypedContent tc, int len | this = TPartialCons(tc, len) |
+        if len = 1
+        then result = "[" + tc.toString() + "]"
+        else result = "[" + tc.toString() + ", ... (" + len.toString() + ")]"
+      )
+    }
+  }
+
+  private newtype TRevPartialAccessPath =
+    TRevPartialNil() or
+    TRevPartialCons(Content c, int len) { len in [1 .. accessPathLimit()] }
+
+  /**
+   * Conceptually a list of `Content`s, but only the first
+   * element of the list and its length are tracked.
+   */
+  private class RevPartialAccessPath extends TRevPartialAccessPath {
+    abstract string toString();
+
+    Content getHead() { this = TRevPartialCons(result, _) }
+
+    int len() {
+      this = TRevPartialNil() and result = 0
+      or
+      this = TRevPartialCons(_, result)
+    }
+  }
+
+  private class RevPartialAccessPathNil extends RevPartialAccessPath, TRevPartialNil {
+    override string toString() { result = "" }
+  }
+
+  private class RevPartialAccessPathCons extends RevPartialAccessPath, TRevPartialCons {
+    override string toString() {
+      exists(Content c, int len | this = TRevPartialCons(c, len) |
+        if len = 1
+        then result = "[" + c.toString() + "]"
+        else result = "[" + c.toString() + ", ... (" + len.toString() + ")]"
+      )
+    }
+  }
+
+  private newtype TSummaryCtx1 =
+    TSummaryCtx1None() or
+    TSummaryCtx1Param(ParameterNode p)
+
+  private newtype TSummaryCtx2 =
+    TSummaryCtx2None() or
+    TSummaryCtx2Some(PartialAccessPath ap)
+
+  private newtype TRevSummaryCtx1 =
+    TRevSummaryCtx1None() or
+    TRevSummaryCtx1Some(ReturnPosition pos)
+
+  private newtype TRevSummaryCtx2 =
+    TRevSummaryCtx2None() or
+    TRevSummaryCtx2Some(RevPartialAccessPath ap)
+
+  private newtype TPartialPathNode =
+    TPartialPathNodeFwd(
+      Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, PartialAccessPath ap,
+      Configuration config
+    ) {
+      config.isSource(node) and
+      cc instanceof CallContextAny and
+      sc1 = TSummaryCtx1None() and
+      sc2 = TSummaryCtx2None() and
+      ap = TPartialNil(getNodeType(node)) and
+      not fullBarrier(node, config) and
+      exists(config.explorationLimit())
+      or
+      partialPathNodeMk0(node, cc, sc1, sc2, ap, config) and
+      distSrc(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
+    } or
+    TPartialPathNodeRev(
+      Node node, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2, RevPartialAccessPath ap,
+      Configuration config
+    ) {
+      config.isSink(node) and
+      sc1 = TRevSummaryCtx1None() and
+      sc2 = TRevSummaryCtx2None() and
+      ap = TRevPartialNil() and
+      not fullBarrier(node, config) and
+      exists(config.explorationLimit())
+      or
+      exists(PartialPathNodeRev mid |
+        revPartialPathStep(mid, node, sc1, sc2, ap, config) and
+        not clearsContent(node, ap.getHead()) and
+        not fullBarrier(node, config) and
+        distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
+      )
+    }
+
+  pragma[nomagic]
+  private predicate partialPathNodeMk0(
+    Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, PartialAccessPath ap,
+    Configuration config
+  ) {
+    exists(PartialPathNodeFwd mid |
+      partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
+      not fullBarrier(node, config) and
+      not clearsContent(node, ap.getHead().getContent()) and
+      if node instanceof CastingNode
+      then compatibleTypes(getNodeType(node), ap.getType())
+      else any()
+    )
+  }
+
+  /**
+   * A `Node` augmented with a call context, an access path, and a configuration.
+   */
+  class PartialPathNode extends TPartialPathNode {
+    /** Gets a textual representation of this element. */
+    string toString() { result = this.getNode().toString() + this.ppAp() }
+
+    /**
+     * Gets a textual representation of this element, including a textual
+     * representation of the call context.
+     */
+    string toStringWithContext() { result = this.getNode().toString() + this.ppAp() + this.ppCtx() }
+
+    /**
+     * Holds if this element is at the specified location.
+     * The location spans column `startcolumn` of line `startline` to
+     * column `endcolumn` of line `endline` in file `filepath`.
+     * For more information, see
+     * [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
+     */
+    predicate hasLocationInfo(
+      string filepath, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      this.getNode().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    }
+
+    /** Gets the underlying `Node`. */
+    Node getNode() { none() }
+
+    /** Gets the associated configuration. */
+    Configuration getConfiguration() { none() }
+
+    /** Gets a successor of this node, if any. */
+    PartialPathNode getASuccessor() { none() }
+
+    /**
+     * Gets the approximate distance to the nearest source measured in number
+     * of interprocedural steps.
+     */
+    int getSourceDistance() {
+      result = distSrc(getNodeEnclosingCallable(this.getNode()), this.getConfiguration())
+    }
+
+    /**
+     * Gets the approximate distance to the nearest sink measured in number
+     * of interprocedural steps.
+     */
+    int getSinkDistance() {
+      result = distSink(getNodeEnclosingCallable(this.getNode()), this.getConfiguration())
+    }
+
+    private string ppAp() {
+      exists(string s |
+        s = this.(PartialPathNodeFwd).getAp().toString() or
+        s = this.(PartialPathNodeRev).getAp().toString()
+      |
+        if s = "" then result = "" else result = " " + s
+      )
+    }
+
+    private string ppCtx() {
+      result = " <" + this.(PartialPathNodeFwd).getCallContext().toString() + ">"
+    }
+
+    /** Holds if this is a source in a forward-flow path. */
+    predicate isFwdSource() { this.(PartialPathNodeFwd).isSource() }
+
+    /** Holds if this is a sink in a reverse-flow path. */
+    predicate isRevSink() { this.(PartialPathNodeRev).isSink() }
+  }
+
+  /**
+   * Provides the query predicates needed to include a graph in a path-problem query.
+   */
+  module PartialPathGraph {
+    /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
+    query predicate edges(PartialPathNode a, PartialPathNode b) { a.getASuccessor() = b }
+  }
+
+  private class PartialPathNodeFwd extends PartialPathNode, TPartialPathNodeFwd {
+    Node node;
+    CallContext cc;
+    TSummaryCtx1 sc1;
+    TSummaryCtx2 sc2;
+    PartialAccessPath ap;
+    Configuration config;
+
+    PartialPathNodeFwd() { this = TPartialPathNodeFwd(node, cc, sc1, sc2, ap, config) }
+
+    override Node getNode() { result = node }
+
+    CallContext getCallContext() { result = cc }
+
+    TSummaryCtx1 getSummaryCtx1() { result = sc1 }
+
+    TSummaryCtx2 getSummaryCtx2() { result = sc2 }
+
+    PartialAccessPath getAp() { result = ap }
+
+    override Configuration getConfiguration() { result = config }
+
+    override PartialPathNodeFwd getASuccessor() {
+      partialPathStep(this, result.getNode(), result.getCallContext(), result.getSummaryCtx1(),
+        result.getSummaryCtx2(), result.getAp(), result.getConfiguration())
+    }
+
+    predicate isSource() {
+      config.isSource(node) and
+      cc instanceof CallContextAny and
+      sc1 = TSummaryCtx1None() and
+      sc2 = TSummaryCtx2None() and
+      ap instanceof TPartialNil
+    }
+  }
+
+  private class PartialPathNodeRev extends PartialPathNode, TPartialPathNodeRev {
+    Node node;
+    TRevSummaryCtx1 sc1;
+    TRevSummaryCtx2 sc2;
+    RevPartialAccessPath ap;
+    Configuration config;
+
+    PartialPathNodeRev() { this = TPartialPathNodeRev(node, sc1, sc2, ap, config) }
+
+    override Node getNode() { result = node }
+
+    TRevSummaryCtx1 getSummaryCtx1() { result = sc1 }
+
+    TRevSummaryCtx2 getSummaryCtx2() { result = sc2 }
+
+    RevPartialAccessPath getAp() { result = ap }
+
+    override Configuration getConfiguration() { result = config }
+
+    override PartialPathNodeRev getASuccessor() {
+      revPartialPathStep(result, this.getNode(), this.getSummaryCtx1(), this.getSummaryCtx2(),
+        this.getAp(), this.getConfiguration())
+    }
+
+    predicate isSink() {
+      config.isSink(node) and
+      sc1 = TRevSummaryCtx1None() and
+      sc2 = TRevSummaryCtx2None() and
+      ap = TRevPartialNil()
+    }
+  }
+
+  private predicate partialPathStep(
+    PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
+    PartialAccessPath ap, Configuration config
+  ) {
+    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    (
+      localFlowStep(mid.getNode(), node, config) and
+      cc = mid.getCallContext() and
+      sc1 = mid.getSummaryCtx1() and
+      sc2 = mid.getSummaryCtx2() and
+      ap = mid.getAp() and
+      config = mid.getConfiguration()
+      or
+      additionalLocalFlowStep(mid.getNode(), node, config) and
+      cc = mid.getCallContext() and
+      sc1 = mid.getSummaryCtx1() and
+      sc2 = mid.getSummaryCtx2() and
+      mid.getAp() instanceof PartialAccessPathNil and
+      ap = TPartialNil(getNodeType(node)) and
+      config = mid.getConfiguration()
+    )
+    or
+    jumpStep(mid.getNode(), node, config) and
+    cc instanceof CallContextAny and
+    sc1 = TSummaryCtx1None() and
+    sc2 = TSummaryCtx2None() and
+    ap = mid.getAp() and
+    config = mid.getConfiguration()
+    or
+    additionalJumpStep(mid.getNode(), node, config) and
+    cc instanceof CallContextAny and
+    sc1 = TSummaryCtx1None() and
+    sc2 = TSummaryCtx2None() and
+    mid.getAp() instanceof PartialAccessPathNil and
+    ap = TPartialNil(getNodeType(node)) and
+    config = mid.getConfiguration()
+    or
+    partialPathStoreStep(mid, _, _, node, ap) and
+    cc = mid.getCallContext() and
+    sc1 = mid.getSummaryCtx1() and
+    sc2 = mid.getSummaryCtx2() and
+    config = mid.getConfiguration()
+    or
+    exists(PartialAccessPath ap0, TypedContent tc |
+      partialPathReadStep(mid, ap0, tc, node, cc, config) and
+      sc1 = mid.getSummaryCtx1() and
+      sc2 = mid.getSummaryCtx2() and
+      apConsFwd(ap, tc, ap0, config) and
+      compatibleTypes(ap.getType(), getNodeType(node))
+    )
+    or
+    partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
+    or
+    partialPathOutOfCallable(mid, node, cc, ap, config) and
+    sc1 = TSummaryCtx1None() and
+    sc2 = TSummaryCtx2None()
+    or
+    partialPathThroughCallable(mid, node, cc, ap, config) and
+    sc1 = mid.getSummaryCtx1() and
+    sc2 = mid.getSummaryCtx2()
+  }
+
+  bindingset[result, i]
+  private int unbindInt(int i) { i <= result and i >= result }
+
+  pragma[inline]
+  private predicate partialPathStoreStep(
+    PartialPathNodeFwd mid, PartialAccessPath ap1, TypedContent tc, Node node, PartialAccessPath ap2
+  ) {
+    exists(Node midNode, DataFlowType contentType |
+      midNode = mid.getNode() and
+      ap1 = mid.getAp() and
+      store(midNode, tc, node, contentType) and
+      ap2.getHead() = tc and
+      ap2.len() = unbindInt(ap1.len() + 1) and
+      compatibleTypes(ap1.getType(), contentType)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate apConsFwd(
+    PartialAccessPath ap1, TypedContent tc, PartialAccessPath ap2, Configuration config
+  ) {
+    exists(PartialPathNodeFwd mid |
+      partialPathStoreStep(mid, ap1, tc, _, ap2) and
+      config = mid.getConfiguration()
+    )
+  }
+
+  pragma[nomagic]
+  private predicate partialPathReadStep(
+    PartialPathNodeFwd mid, PartialAccessPath ap, TypedContent tc, Node node, CallContext cc,
+    Configuration config
+  ) {
+    exists(Node midNode |
+      midNode = mid.getNode() and
+      ap = mid.getAp() and
+      read(midNode, tc.getContent(), node) and
+      ap.getHead() = tc and
+      config = mid.getConfiguration() and
+      cc = mid.getCallContext()
+    )
+  }
+
+  private predicate partialPathOutOfCallable0(
+    PartialPathNodeFwd mid, ReturnPosition pos, CallContext innercc, PartialAccessPath ap,
+    Configuration config
+  ) {
+    pos = getReturnPosition(mid.getNode()) and
+    innercc = mid.getCallContext() and
+    innercc instanceof CallContextNoCall and
+    ap = mid.getAp() and
+    config = mid.getConfiguration()
+  }
+
+  pragma[nomagic]
+  private predicate partialPathOutOfCallable1(
+    PartialPathNodeFwd mid, DataFlowCall call, ReturnKindExt kind, CallContext cc,
+    PartialAccessPath ap, Configuration config
+  ) {
+    exists(ReturnPosition pos, DataFlowCallable c, CallContext innercc |
+      partialPathOutOfCallable0(mid, pos, innercc, ap, config) and
+      c = pos.getCallable() and
+      kind = pos.getKind() and
+      resolveReturn(innercc, c, call)
+    |
+      if reducedViableImplInReturn(c, call) then cc = TReturn(c, call) else cc = TAnyCallContext()
+    )
+  }
+
+  private predicate partialPathOutOfCallable(
+    PartialPathNodeFwd mid, Node out, CallContext cc, PartialAccessPath ap, Configuration config
+  ) {
+    exists(ReturnKindExt kind, DataFlowCall call |
+      partialPathOutOfCallable1(mid, call, kind, cc, ap, config)
+    |
+      out = kind.getAnOutNode(call)
+    )
+  }
+
+  pragma[noinline]
+  private predicate partialPathIntoArg(
+    PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
+  ) {
+    exists(ArgumentNode arg |
+      arg = mid.getNode() and
+      cc = mid.getCallContext() and
+      arg.argumentOf(call, i) and
+      ap = mid.getAp() and
+      config = mid.getConfiguration()
+    )
+  }
+
+  pragma[nomagic]
+  private predicate partialPathIntoCallable0(
+    PartialPathNodeFwd mid, DataFlowCallable callable, int i, CallContext outercc,
+    DataFlowCall call, PartialAccessPath ap, Configuration config
+  ) {
+    partialPathIntoArg(mid, i, outercc, call, ap, config) and
+    callable = resolveCall(call, outercc)
+  }
+
+  private predicate partialPathIntoCallable(
+    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
+    Configuration config
+  ) {
+    exists(int i, DataFlowCallable callable |
+      partialPathIntoCallable0(mid, callable, i, outercc, call, ap, config) and
+      p.isParameterOf(callable, i) and
+      sc1 = TSummaryCtx1Param(p) and
+      sc2 = TSummaryCtx2Some(ap)
+    |
+      if recordDataFlowCallSite(call, callable)
+      then innercc = TSpecificCall(call)
+      else innercc = TSomeCall()
+    )
+  }
+
+  pragma[nomagic]
+  private predicate paramFlowsThroughInPartialPath(
+    ReturnKindExt kind, CallContextCall cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
+    PartialAccessPath ap, Configuration config
+  ) {
+    exists(PartialPathNodeFwd mid, ReturnNodeExt ret |
+      mid.getNode() = ret and
+      kind = ret.getKind() and
+      cc = mid.getCallContext() and
+      sc1 = mid.getSummaryCtx1() and
+      sc2 = mid.getSummaryCtx2() and
+      config = mid.getConfiguration() and
+      ap = mid.getAp()
+    )
+  }
+
+  pragma[noinline]
+  private predicate partialPathThroughCallable0(
+    DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
+    PartialAccessPath ap, Configuration config
+  ) {
+    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+      partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
+      paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
+    )
+  }
+
+  private predicate partialPathThroughCallable(
+    PartialPathNodeFwd mid, Node out, CallContext cc, PartialAccessPath ap, Configuration config
+  ) {
+    exists(DataFlowCall call, ReturnKindExt kind |
+      partialPathThroughCallable0(call, mid, kind, cc, ap, config) and
+      out = kind.getAnOutNode(call)
+    )
+  }
+
+  private predicate revPartialPathStep(
+    PartialPathNodeRev mid, Node node, TRevSummaryCtx1 sc1, TRevSummaryCtx2 sc2,
+    RevPartialAccessPath ap, Configuration config
+  ) {
+    localFlowStep(node, mid.getNode(), config) and
+    sc1 = mid.getSummaryCtx1() and
+    sc2 = mid.getSummaryCtx2() and
+    ap = mid.getAp() and
+    config = mid.getConfiguration()
+    or
+    additionalLocalFlowStep(node, mid.getNode(), config) and
+    sc1 = mid.getSummaryCtx1() and
+    sc2 = mid.getSummaryCtx2() and
+    mid.getAp() instanceof RevPartialAccessPathNil and
+    ap = TRevPartialNil() and
+    config = mid.getConfiguration()
+    or
+    jumpStep(node, mid.getNode(), config) and
+    sc1 = TRevSummaryCtx1None() and
+    sc2 = TRevSummaryCtx2None() and
+    ap = mid.getAp() and
+    config = mid.getConfiguration()
+    or
+    additionalJumpStep(node, mid.getNode(), config) and
+    sc1 = TRevSummaryCtx1None() and
+    sc2 = TRevSummaryCtx2None() and
+    mid.getAp() instanceof RevPartialAccessPathNil and
+    ap = TRevPartialNil() and
+    config = mid.getConfiguration()
+    or
+    revPartialPathReadStep(mid, _, _, node, ap) and
+    sc1 = mid.getSummaryCtx1() and
+    sc2 = mid.getSummaryCtx2() and
+    config = mid.getConfiguration()
+    or
+    exists(RevPartialAccessPath ap0, Content c |
+      revPartialPathStoreStep(mid, ap0, c, node, config) and
+      sc1 = mid.getSummaryCtx1() and
+      sc2 = mid.getSummaryCtx2() and
+      apConsRev(ap, c, ap0, config)
+    )
+    or
+    exists(ParameterNode p |
+      mid.getNode() = p and
+      viableParamArg(_, p, node) and
+      sc1 = mid.getSummaryCtx1() and
+      sc2 = mid.getSummaryCtx2() and
+      sc1 = TRevSummaryCtx1None() and
+      sc2 = TRevSummaryCtx2None() and
+      ap = mid.getAp() and
+      config = mid.getConfiguration()
+    )
+    or
+    exists(ReturnPosition pos |
+      revPartialPathIntoReturn(mid, pos, sc1, sc2, _, ap, config) and
+      pos = getReturnPosition(node)
+    )
+    or
+    revPartialPathThroughCallable(mid, node, ap, config) and
+    sc1 = mid.getSummaryCtx1() and
+    sc2 = mid.getSummaryCtx2()
+  }
+
+  pragma[inline]
+  private predicate revPartialPathReadStep(
+    PartialPathNodeRev mid, RevPartialAccessPath ap1, Content c, Node node, RevPartialAccessPath ap2
+  ) {
+    exists(Node midNode |
+      midNode = mid.getNode() and
+      ap1 = mid.getAp() and
+      read(node, c, midNode) and
+      ap2.getHead() = c and
+      ap2.len() = unbindInt(ap1.len() + 1)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate apConsRev(
+    RevPartialAccessPath ap1, Content c, RevPartialAccessPath ap2, Configuration config
+  ) {
+    exists(PartialPathNodeRev mid |
+      revPartialPathReadStep(mid, ap1, c, _, ap2) and
+      config = mid.getConfiguration()
+    )
+  }
+
+  pragma[nomagic]
+  private predicate revPartialPathStoreStep(
+    PartialPathNodeRev mid, RevPartialAccessPath ap, Content c, Node node, Configuration config
+  ) {
+    exists(Node midNode, TypedContent tc |
+      midNode = mid.getNode() and
+      ap = mid.getAp() and
+      store(node, tc, midNode, _) and
+      ap.getHead() = c and
+      config = mid.getConfiguration() and
+      tc.getContent() = c
+    )
+  }
+
+  pragma[nomagic]
+  private predicate revPartialPathIntoReturn(
+    PartialPathNodeRev mid, ReturnPosition pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2,
+    DataFlowCall call, RevPartialAccessPath ap, Configuration config
+  ) {
+    exists(Node out |
+      mid.getNode() = out and
+      viableReturnPosOut(call, pos, out) and
+      sc1 = TRevSummaryCtx1Some(pos) and
+      sc2 = TRevSummaryCtx2Some(ap) and
+      ap = mid.getAp() and
+      config = mid.getConfiguration()
+    )
+  }
+
+  pragma[nomagic]
+  private predicate revPartialPathFlowsThrough(
+    int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
+    Configuration config
+  ) {
+    exists(PartialPathNodeRev mid, ParameterNode p |
+      mid.getNode() = p and
+      p.isParameterOf(_, pos) and
+      sc1 = mid.getSummaryCtx1() and
+      sc2 = mid.getSummaryCtx2() and
+      ap = mid.getAp() and
+      config = mid.getConfiguration()
+    )
+  }
+
+  pragma[nomagic]
+  private predicate revPartialPathThroughCallable0(
+    DataFlowCall call, PartialPathNodeRev mid, int pos, RevPartialAccessPath ap,
+    Configuration config
+  ) {
+    exists(TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2 |
+      revPartialPathIntoReturn(mid, _, sc1, sc2, call, _, config) and
+      revPartialPathFlowsThrough(pos, sc1, sc2, ap, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate revPartialPathThroughCallable(
+    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+  ) {
+    exists(DataFlowCall call, int pos |
+      revPartialPathThroughCallable0(call, mid, pos, ap, config) and
+      node.argumentOf(call, pos)
+    )
+  }
+}
+
+import FlowExploration
+
+private predicate partialFlow(
+  PartialPathNode source, PartialPathNode node, Configuration configuration
+) {
+  source.getConfiguration() = configuration and
+  source.isFwdSource() and
+  node = source.getASuccessor+()
+}
+
+private predicate revPartialFlow(
+  PartialPathNode node, PartialPathNode sink, Configuration configuration
+) {
+  sink.getConfiguration() = configuration and
+  sink.isRevSink() and
+  node.getASuccessor+() = sink
+}
diff --git a/java/ql/src/semmle/code/java/security/Random.qll b/java/ql/src/semmle/code/java/security/Random.qll
index f589cfac9ca..75ee912a895 100644
--- a/java/ql/src/semmle/code/java/security/Random.qll
+++ b/java/ql/src/semmle/code/java/security/Random.qll
@@ -1,6 +1,6 @@
 import java
 import semmle.code.java.dataflow.DefUse
-import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.DataFlow6
 
 /**
  * The `java.security.SecureRandom` class.
@@ -166,16 +166,16 @@ private predicate isSeeded(RValue use) {
   )
 }
 
-private class PredictableSeedFlowConfiguration extends DataFlow::Configuration {
+private class PredictableSeedFlowConfiguration extends DataFlow6::Configuration {
   PredictableSeedFlowConfiguration() { this = "Random::PredictableSeedFlowConfiguration" }
 
-  override predicate isSource(DataFlow::Node source) {
+  override predicate isSource(DataFlow6::Node source) {
     source.asExpr() instanceof PredictableSeedExpr
   }
 
-  override predicate isSink(DataFlow::Node sink) { isSeeding(sink.asExpr(), _) }
+  override predicate isSink(DataFlow6::Node sink) { isSeeding(sink.asExpr(), _) }
 
-  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+  override predicate isAdditionalFlowStep(DataFlow6::Node node1, DataFlow6::Node node2) {
     predictableCalcStep(node1.asExpr(), node2.asExpr())
   }
 }
@@ -252,7 +252,7 @@ private predicate isSeeding(Expr arg, RValue use) {
 private predicate isSeedingSource(Expr arg, RValue use, Expr source) {
   isSeeding(arg, use) and
   exists(PredictableSeedFlowConfiguration conf |
-    conf.hasFlow(DataFlow::exprNode(source), DataFlow::exprNode(arg))
+    conf.hasFlow(DataFlow6::exprNode(source), DataFlow6::exprNode(arg))
   )
 }
 

From e08b629cb57ee7086e4df12b519a5ca2ff50a1b8 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 27 Apr 2021 10:32:41 +0200
Subject: [PATCH 0674/1429] Add documentation for URL opening sinks

---
 java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql b/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
index d1bce930054..a68998b3211 100644
--- a/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
+++ b/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
@@ -36,7 +36,7 @@ class HTTPStringToURLOpenMethodFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof HTTPString }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "open-url") }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof URLOpenSink }
 
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(UrlConstructorCall u |
@@ -50,6 +50,13 @@ class HTTPStringToURLOpenMethodFlowConfig extends TaintTracking::Configuration {
   }
 }
 
+/**
+ * A sink that represents a URL opening method call, such as a call to `java.net.URL.openConnection()`.
+ */
+private class URLOpenSink extends DataFlow::Node {
+  URLOpenSink() { sinkNode(this, "open-url") }
+}
+
 from DataFlow::PathNode source, DataFlow::PathNode sink, MethodAccess m, HTTPString s
 where
   source.getNode().asExpr() = s and

From 523ed8272d7c423bfe4dd21d2fe2372216d16774 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
Date: Tue, 27 Apr 2021 14:42:05 +0200
Subject: [PATCH 0675/1429] Python: Apply suggestions from code review

Co-authored-by: Taus <tausbn@github.com>
---
 python/ql/src/Summary/LinesOfCode.ql     | 2 +-
 python/ql/src/Summary/LinesOfUserCode.ql | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/Summary/LinesOfCode.ql b/python/ql/src/Summary/LinesOfCode.ql
index 98af45dc2cf..d9bfc4f872c 100644
--- a/python/ql/src/Summary/LinesOfCode.ql
+++ b/python/ql/src/Summary/LinesOfCode.ql
@@ -1,11 +1,11 @@
 /**
- * @id py/summary/lines-of-code
  * @name Total lines of Python code in the database
  * @description The total number of lines of Python code across all files, including
  *   external libraries and auto-generated files. This is a useful metric of the size of a
  *   database. This query counts the lines of code, excluding whitespace or comments.
  * @kind metric
  * @tags summary
+ * @id py/summary/lines-of-code
  */
 
 import python
diff --git a/python/ql/src/Summary/LinesOfUserCode.ql b/python/ql/src/Summary/LinesOfUserCode.ql
index 515db27566b..94940d5fa18 100644
--- a/python/ql/src/Summary/LinesOfUserCode.ql
+++ b/python/ql/src/Summary/LinesOfUserCode.ql
@@ -1,5 +1,4 @@
 /**
- * @id py/summary/lines-of-user-code
  * @name Total lines of user written Python code in the database
  * @description The total number of lines of Python code from the source code directory,
  *   excluding auto-generated files. This query counts the lines of code, excluding
@@ -8,6 +7,7 @@
  *   be counted as user written code.
  * @kind metric
  * @tags summary
+ * @id py/summary/lines-of-user-code
  */
 
 import python

From 5b79094f34b9833e4706206bc8719c8459921558 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 27 Apr 2021 14:59:52 +0200
Subject: [PATCH 0676/1429] Fix naming in HTTPS URL check

---
 java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql b/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
index a68998b3211..77980f033f0 100644
--- a/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
+++ b/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
@@ -15,8 +15,8 @@ import semmle.code.java.frameworks.Networking
 import DataFlow::PathGraph
 private import semmle.code.java.dataflow.ExternalFlow
 
-class HTTPString extends StringLiteral {
-  HTTPString() {
+class HttpString extends StringLiteral {
+  HttpString() {
     // Avoid matching "https" here.
     exists(string s | this.getRepresentedString() = s |
       (
@@ -31,12 +31,12 @@ class HTTPString extends StringLiteral {
   }
 }
 
-class HTTPStringToURLOpenMethodFlowConfig extends TaintTracking::Configuration {
-  HTTPStringToURLOpenMethodFlowConfig() { this = "HttpsUrls::HTTPStringToURLOpenMethodFlowConfig" }
+class HttpStringToUrlOpenMethodFlowConfig extends TaintTracking::Configuration {
+  HttpStringToUrlOpenMethodFlowConfig() { this = "HttpsUrls::HttpStringToUrlOpenMethodFlowConfig" }
 
-  override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof HTTPString }
+  override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof HttpString }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof URLOpenSink }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof UrlOpenSink }
 
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(UrlConstructorCall u |
@@ -53,14 +53,14 @@ class HTTPStringToURLOpenMethodFlowConfig extends TaintTracking::Configuration {
 /**
  * A sink that represents a URL opening method call, such as a call to `java.net.URL.openConnection()`.
  */
-private class URLOpenSink extends DataFlow::Node {
-  URLOpenSink() { sinkNode(this, "open-url") }
+private class UrlOpenSink extends DataFlow::Node {
+  UrlOpenSink() { sinkNode(this, "open-url") }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, MethodAccess m, HTTPString s
+from DataFlow::PathNode source, DataFlow::PathNode sink, MethodAccess m, HttpString s
 where
   source.getNode().asExpr() = s and
   sink.getNode().asExpr() = m.getQualifier() and
-  any(HTTPStringToURLOpenMethodFlowConfig c).hasFlowPath(source, sink)
+  any(HttpStringToUrlOpenMethodFlowConfig c).hasFlowPath(source, sink)
 select m, source, sink, "URL may have been constructed with HTTP protocol, using $@.", s,
   "this source"

From 05ce49adaf7c6ac213128617982a9cefc481c0be Mon Sep 17 00:00:00 2001
From: Marcono1234 <Marcono1234@users.noreply.github.com>
Date: Tue, 27 Apr 2021 15:14:25 +0200
Subject: [PATCH 0677/1429] Java: Add StmtParent as superclass of SwitchExpr

Database type `@stmtparent` already includes `@switchexpr`, this commit merely
changes the class SwitchExpr to also accordingly extend StmtParent.
---
 java/ql/src/semmle/code/java/Expr.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/Expr.qll b/java/ql/src/semmle/code/java/Expr.qll
index 46186b4ee70..88038f2b4d1 100755
--- a/java/ql/src/semmle/code/java/Expr.qll
+++ b/java/ql/src/semmle/code/java/Expr.qll
@@ -1280,7 +1280,7 @@ class ConditionalExpr extends Expr, @conditionalexpr {
 /**
  * A `switch` expression.
  */
-class SwitchExpr extends Expr, @switchexpr {
+class SwitchExpr extends Expr, StmtParent, @switchexpr {
   /** Gets an immediate child statement of this `switch` expression. */
   Stmt getAStmt() { result.getParent() = this }
 

From 3aec9c1a412847fbbbd5fc2c5e731adb993f5c45 Mon Sep 17 00:00:00 2001
From: edvraa <80588099+edvraa@users.noreply.github.com>
Date: Tue, 27 Apr 2021 16:23:37 +0300
Subject: [PATCH 0678/1429] Cookies without HttpOnly

---
 .../CWE-1004/CookieWithoutHttpOnly.qhelp      |  25 ++++
 .../CWE-1004/CookieWithoutHttpOnly.ql         |  20 +++
 .../Security/CWE-614/InsecureCookie.ql        |   2 +-
 .../src/semmle/javascript/dataflow/Nodes.qll  |   5 +-
 .../javascript/security}/InsecureCookie.qll   | 125 +++++++++++++++--
 .../CWE-1004/CookieWithoutHttpOnly.expected   |  16 +++
 .../CWE-1004/CookieWithoutHttpOnly.qlref      |   1 +
 .../Security/CWE-1004/test_cookie-session.js  |  48 +++++++
 .../Security/CWE-1004/test_express-session.js |  32 +++++
 .../Security/CWE-1004/test_httpserver.js      |  71 ++++++++++
 .../Security/CWE-1004/test_responseCookie.js  | 126 ++++++++++++++++++
 .../Security/CWE-614/InsecureCookies.expected |   6 +-
 .../Security/CWE-614/test_cookie-session.js   |  24 ++--
 .../Security/CWE-614/test_httpserver.js       |  49 ++++++-
 14 files changed, 516 insertions(+), 34 deletions(-)
 create mode 100644 javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.qhelp
 create mode 100644 javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql
 rename javascript/ql/src/{experimental/Security/CWE-614 => semmle/javascript/security}/InsecureCookie.qll (53%)
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.qlref
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-1004/test_cookie-session.js
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-1004/test_express-session.js
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-1004/test_httpserver.js
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-1004/test_responseCookie.js

diff --git a/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.qhelp b/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.qhelp
new file mode 100644
index 00000000000..8f885614df4
--- /dev/null
+++ b/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.qhelp
@@ -0,0 +1,25 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Cookies without <code>HttpOnly</code> flag are accessible to JavaScript running in the same origin. In case of
+Cross-Site Scripting (XSS) vulnerability the cookie can be stolen by malicious script.</p>
+</overview>
+<recommendation>
+
+<p>Protect sensitive cookies, such as related to authentication, by setting <code>HttpOnly</code> to <code>true</code> to make
+them not accessible to JavaScript.</p>
+
+</recommendation>
+
+<references>
+
+<li>Production Best Practices: Security:<a href="https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely">Use cookies securely</a>.</li>
+<li>NodeJS security cheat sheet:<a href="https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately">Set cookie flags appropriately</a>.</li>
+<li>express-session:<a href="https://github.com/expressjs/session#cookiehttponly">cookie.httpOnly</a>.</li>
+<li>cookie-session:<a href="https://github.com/expressjs/cookie-session#cookie-options">Cookie Options</a>.</li>
+<li><a href="https://expressjs.com/en/api.html#res.cookie">express response.cookie</a>.</li>
+<li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a>.</li>
+</references>
+</qhelp>
diff --git a/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql b/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql
new file mode 100644
index 00000000000..e903763e21d
--- /dev/null
+++ b/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql
@@ -0,0 +1,20 @@
+/**
+ * @name 'HttpOnly' attribute is not set to true
+ * @description Omitting the 'HttpOnly' attribute for security sensitive data allows
+ *              malicious JavaScript to steal it in case of XSS vulnerability. Always set
+ *              'HttpOnly' to 'true' to authentication related cookie to make it
+ *              not accessible by JavaScript.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id js/cookie-httponly-not-set
+ * @tags security
+ *       external/cwe/cwe-1004
+ */
+
+import javascript
+import semmle.javascript.security.InsecureCookie::Cookie
+
+from Cookie cookie
+where cookie.isAuthNotHttpOnly()
+select cookie, "Cookie attribute 'HttpOnly' is not set to true."
diff --git a/javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.ql b/javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.ql
index 69b3afb1c7f..dcd10c54e4b 100644
--- a/javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.ql
+++ b/javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.ql
@@ -11,7 +11,7 @@
  */
 
 import javascript
-import InsecureCookie::Cookie
+import semmle.javascript.security.InsecureCookie::Cookie
 
 from Cookie cookie
 where not cookie.isSecure()
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
index 9c8d13582c3..36a059254a8 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
@@ -165,8 +165,11 @@ class InvokeNode extends DataFlow::SourceNode {
     getOptionsArgument(i).hasPropertyWrite(name, result)
   }
 
+  /**
+   * Holds if the `i`th argument of this invocation is an object literal set to `result`.
+   */
   pragma[noinline]
-  private ObjectLiteralNode getOptionsArgument(int i) { result.flowsTo(getArgument(i)) }
+  ObjectLiteralNode getOptionsArgument(int i) { result.flowsTo(getArgument(i)) }
 
   /** Gets an abstract value representing possible callees of this call site. */
   final AbstractValue getACalleeValue() {
diff --git a/javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.qll b/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
similarity index 53%
rename from javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.qll
rename to javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
index 19016eefaf8..beaa5be48d1 100644
--- a/javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.qll
+++ b/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
@@ -1,6 +1,7 @@
 /**
  * Provides classes for reasoning about cookies added to response without the 'secure' flag being set.
  * A cookie without the 'secure' flag being set can be intercepted and read by a malicious user.
+ * A cookie without the 'httponly' flag being set can be read by an injected JavaScript
  */
 
 import javascript
@@ -9,7 +10,12 @@ module Cookie {
   /**
    * `secure` property of the cookie options.
    */
-  string flag() { result = "secure" }
+  string secureFlag() { result = "secure" }
+
+  /**
+   * `httpOnly` property of the cookie options.
+   */
+  string httpOnlyFlag() { result = "httpOnly" }
 
   /**
    * Abstract class to represent different cases of insecure cookie settings.
@@ -29,6 +35,38 @@ module Cookie {
      * Holds if this cookie is secure.
      */
     abstract predicate isSecure();
+
+    /**
+     * Holds if this cookie is HttpOnly.
+     */
+    abstract predicate isHttpOnly();
+
+    /**
+     * Holds if the cookie is authentication sensitive and lacks HttpOnly.
+     */
+    abstract predicate isAuthNotHttpOnly();
+
+    /**
+     * Holds if the expression is a variable with a sensitive name.
+     */
+    predicate isAuthVariable(DataFlow::Node expr) {
+      exists(string val |
+        (
+          val = expr.getStringValue() or
+          val = expr.asExpr().(VarAccess).getName()
+        ) and
+        regexpMatchAuth(val)
+      )
+    }
+
+    /**
+     * Holds if the string contains sensitive auth keyword, but not antiforgery token.
+     */
+    bindingset[val]
+    predicate regexpMatchAuth(string val) {
+      val.regexpMatch("(?i).*(session|login|token|user|auth|credential).*") and
+      not val.regexpMatch("(?i).*(xsrf|csrf|forgery).*")
+    }
   }
 
   /**
@@ -37,7 +75,7 @@ module Cookie {
   class InsecureCookieSession extends ExpressLibraries::CookieSession::MiddlewareInstance, Cookie {
     override string getKind() { result = "cookie-session" }
 
-    override DataFlow::SourceNode getCookieOptionsArgument() { result = this.getOption("cookie") }
+    override DataFlow::SourceNode getCookieOptionsArgument() { result = this.getOptionsArgument(0) }
 
     private DataFlow::Node getCookieFlagValue(string flag) {
       result = this.getCookieOptionsArgument().getAPropertyWrite(flag).getRhs()
@@ -46,7 +84,17 @@ module Cookie {
     override predicate isSecure() {
       // The flag `secure` is set to `false` by default for HTTP, `true` by default for HTTPS (https://github.com/expressjs/cookie-session#cookie-options).
       // A cookie is secure if the `secure` flag is not explicitly set to `false`.
-      not getCookieFlagValue(flag()).mayHaveBooleanValue(false)
+      not getCookieFlagValue(secureFlag()).mayHaveBooleanValue(false)
+    }
+
+    override predicate isAuthNotHttpOnly() {
+      not isHttpOnly() // It is a session cookie, likely auth sensitive
+    }
+
+    override predicate isHttpOnly() {
+      // The flag `httpOnly` is set to `true` by default (https://github.com/expressjs/cookie-session#cookie-options).
+      // A cookie is httpOnly if the `httpOnly` flag is not explicitly set to `false`.
+      not getCookieFlagValue(httpOnlyFlag()).mayHaveBooleanValue(false)
     }
   }
 
@@ -67,8 +115,19 @@ module Cookie {
       // The flag `secure` is not set by default (https://github.com/expressjs/session#Cookieecure).
       // The default value for cookie options is { path: '/', httpOnly: true, secure: false, maxAge: null }.
       // A cookie is secure if there are the cookie options with the `secure` flag set to `true` or to `auto`.
-      getCookieFlagValue(flag()).mayHaveBooleanValue(true) or
-      getCookieFlagValue(flag()).mayHaveStringValue("auto")
+      getCookieFlagValue(secureFlag()).mayHaveBooleanValue(true) or
+      getCookieFlagValue(secureFlag()).mayHaveStringValue("auto")
+    }
+
+    override predicate isAuthNotHttpOnly() {
+      not isHttpOnly() // It is a session cookie, likely auth sensitive
+    }
+
+    override predicate isHttpOnly() {
+      // The flag `httpOnly` is set by default (https://github.com/expressjs/session#Cookieecure).
+      // The default value for cookie options is { path: '/', httpOnly: true, secure: false, maxAge: null }.
+      // A cookie is httpOnly if the `httpOnly` flag is not explicitly set to `false`.
+      not getCookieFlagValue(httpOnlyFlag()).mayHaveBooleanValue(false)
     }
   }
 
@@ -90,7 +149,19 @@ module Cookie {
 
     override predicate isSecure() {
       // A cookie is secure if there are cookie options with the `secure` flag set to `true`.
-      getCookieFlagValue(flag()).mayHaveBooleanValue(true)
+      // The default is `false`.
+      getCookieFlagValue(secureFlag()).mayHaveBooleanValue(true)
+    }
+
+    override predicate isAuthNotHttpOnly() {
+      isAuthVariable(this.getArgument(0)) and
+      not isHttpOnly()
+    }
+
+    override predicate isHttpOnly() {
+      // A cookie is httpOnly if there are cookie options with the `httpOnly` flag set to `true`.
+      // The default is `false`.
+      getCookieFlagValue(httpOnlyFlag()).mayHaveBooleanValue(true)
     }
   }
 
@@ -105,14 +176,42 @@ module Cookie {
     override string getKind() { result = "set-cookie header" }
 
     override DataFlow::Node getCookieOptionsArgument() {
-      result.asExpr() = this.asExpr().(ArrayExpr).getAnElement()
+      if this.asExpr() instanceof ArrayExpr
+      then result.asExpr() = this.asExpr().(ArrayExpr).getAnElement()
+      else result.asExpr() = this.asExpr()
     }
 
     override predicate isSecure() {
       // A cookie is secure if the 'secure' flag is specified in the cookie definition.
-      exists(string s |
-        getCookieOptionsArgument().mayHaveStringValue(s) and
-        s.regexpMatch("(.*;)?\\s*secure.*")
+      // The default is `false`.
+      forall(DataFlow::Node n | n = getCookieOptionsArgument() |
+        exists(string s |
+          n.mayHaveStringValue(s) and
+          s.regexpMatch("(?i).*;\\s*secure\\s*;?.*$")
+        )
+      )
+    }
+
+    override predicate isAuthNotHttpOnly() {
+      exists(DataFlow::Node n | n = getCookieOptionsArgument() |
+        exists(string s |
+          n.mayHaveStringValue(s) and
+          (
+            not s.regexpMatch("(?i).*;\\s*httponly\\s*;?.*$") and
+            regexpMatchAuth(s.regexpCapture("\\s*([^=\\s]*)\\s*=.*", 1))
+          )
+        )
+      )
+    }
+
+    override predicate isHttpOnly() {
+      // A cookie is httpOnly if the 'httpOnly' flag is specified in the cookie definition.
+      // The default is `false`.
+      forall(DataFlow::Node n | n = getCookieOptionsArgument() |
+        exists(string s |
+          n.mayHaveStringValue(s) and
+          s.regexpMatch("(?i).*;\\s*httponly\\s*;?.*$")
+        )
       )
     }
   }
@@ -142,7 +241,11 @@ module Cookie {
 
     override predicate isSecure() {
       // A cookie is secure if there are cookie options with the `secure` flag set to `true`.
-      getCookieFlagValue(flag()).mayHaveBooleanValue(true)
+      getCookieFlagValue(secureFlag()).mayHaveBooleanValue(true)
     }
+
+    override predicate isAuthNotHttpOnly() { none() }
+
+    override predicate isHttpOnly() { none() } // js-cookie is browser side library and doesn't support HttpOnly
   }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected b/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
new file mode 100644
index 00000000000..bb113b398ec
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
@@ -0,0 +1,16 @@
+| test_cookie-session.js:12:9:16:2 | session ...  BAD\\n}) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_cookie-session.js:30:9:30:21 | session(sess) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_cookie-session.js:39:9:39:22 | session(sess2) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_cookie-session.js:48:9:48:22 | session(sess2) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_express-session.js:11:9:15:2 | session ...  BAD\\n}) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_express-session.js:28:9:32:2 | session ... tter\\n}) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_httpserver.js:7:37:7:48 | "auth=ninja" | Cookie attribute 'HttpOnly' is not set to true. |
+| test_httpserver.js:27:37:27:70 | ["auth= ... cript"] | Cookie attribute 'HttpOnly' is not set to true. |
+| test_httpserver.js:57:37:57:80 | ["auth= ... cript"] | Cookie attribute 'HttpOnly' is not set to true. |
+| test_responseCookie.js:15:5:20:10 | res.coo ...      }) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_responseCookie.js:25:5:28:10 | res.coo ...      }) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_responseCookie.js:48:5:48:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_responseCookie.js:56:5:56:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_responseCookie.js:65:5:65:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_responseCookie.js:84:5:84:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_responseCookie.js:95:5:95:41 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.qlref b/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.qlref
new file mode 100644
index 00000000000..97de8ad9476
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql
diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/test_cookie-session.js b/javascript/ql/test/query-tests/Security/CWE-1004/test_cookie-session.js
new file mode 100644
index 00000000000..66e4f9bc4b7
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/test_cookie-session.js
@@ -0,0 +1,48 @@
+const express = require('express')
+const app = express()
+const session = require('cookie-session')
+const expiryDate = new Date(Date.now() + 60 * 60 * 1000)
+
+app.use(session({
+    name: 'session',
+    keys: ['key1', 'key2'],
+    httpOnly: true, // GOOD
+}))
+
+app.use(session({
+    name: 'session',
+    keys: ['key1', 'key2'],
+    httpOnly: false // BAD
+}))
+
+app.use(session({
+    name: 'session',
+    keys: ['key1', 'key2'],
+    secure: true // GOOD, httpOnly is true by default
+}))
+
+var sess = {
+    name: 'session',
+    keys: ['key1', 'key2'],
+}
+
+sess.httpOnly = false;
+app.use(session(sess)) // BAD
+
+var sess2 = {
+    name: 'session',
+    keys: ['key1', 'key2'],
+    httpOnly: true,
+}
+
+sess2.httpOnly = false;
+app.use(session(sess2)) // BAD
+
+var sess2 = {
+    name: 'mycookie',
+    keys: ['key1', 'key2'],
+    httpOnly: true,
+}
+
+sess2.httpOnly = false;
+app.use(session(sess2)) // BAD, It is a session cookie, name doesn't matter
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/test_express-session.js b/javascript/ql/test/query-tests/Security/CWE-1004/test_express-session.js
new file mode 100644
index 00000000000..1810055456b
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/test_express-session.js
@@ -0,0 +1,32 @@
+const express = require('express')
+const app = express()
+const session = require('express-session')
+
+app.use(session({
+    name: 'session',
+    keys: ['key1', 'key2'],
+    cookie: { httpOnly: true }, // GOOD
+}))
+
+app.use(session({
+    name: 'session',
+    keys: ['key1', 'key2'],
+    cookie: { httpOnly: false } // BAD
+}))
+
+app.use(session({
+    name: 'session',
+    keys: ['key1', 'key2'],
+    cookie: { secure: true } // GOOD, httpOnly is true by default
+}))
+
+app.use(session({ // GOOD, httpOnly is true by default
+    name: 'session',
+    keys: ['key1', 'key2']
+}))
+
+app.use(session({
+    name: 'mycookie',
+    keys: ['key1', 'key2'],
+    cookie: { httpOnly: false } // BAD, It is a session cookie, name doesn't matter
+}))
diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/test_httpserver.js b/javascript/ql/test/query-tests/Security/CWE-1004/test_httpserver.js
new file mode 100644
index 00000000000..c7d433dff11
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/test_httpserver.js
@@ -0,0 +1,71 @@
+const http = require('http');
+
+function test1() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        // BAD
+        res.setHeader("Set-Cookie", "auth=ninja");
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}
+
+function test2() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        // GOOD
+        res.setHeader("Set-Cookie", "auth=ninja; HttpOnly");
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}
+
+function test3() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        // BAD
+        res.setHeader("Set-Cookie", ["auth=ninja", "token=javascript"]);
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}
+
+function test4() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        // GOOD
+        res.setHeader("Set-Cookie", ["auth=ninja; HttpOnly"]);
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}
+
+function test5() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        // GOOD, case insensitive
+        res.setHeader("Set-Cookie", ["auth=ninja; httponly"]);
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}
+
+function test6() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        // BAD
+        res.setHeader("Set-Cookie", ["auth=ninja; httponly", "token=javascript"]);
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}
+
+function test7() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        // Good, not auth related
+        res.setHeader("Set-Cookie", ["foo=ninja", "bar=javascript"]);
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/test_responseCookie.js b/javascript/ql/test/query-tests/Security/CWE-1004/test_responseCookie.js
new file mode 100644
index 00000000000..e0bc5cb88e6
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/test_responseCookie.js
@@ -0,0 +1,126 @@
+const express = require('express')
+const app = express()
+
+app.get('/a', function (req, res, next) {
+    res.cookie('session', 'value',
+        {
+            maxAge: 9000000000,
+            httpOnly: true, // GOOD
+            secure: false
+        });
+    res.end('ok')
+})
+
+app.get('/a', function (req, res, next) {
+    res.cookie('session', 'value',
+        {
+            maxAge: 9000000000,
+            httpOnly: false, // BAD
+            secure: false
+        });
+    res.end('ok')
+})
+
+app.get('/a', function (req, res, next) {
+    res.cookie('session', 'value',
+        {
+            maxAge: 9000000000
+        });
+    res.end('ok') // BAD
+})
+
+app.get('/a', function (req, res, next) {
+    let options = {
+        maxAge: 9000000000,
+        httpOnly: true, // GOOD
+        secure: false
+    }
+    res.cookie('session', 'value', options);
+    res.end('ok')
+})
+
+app.get('/a', function (req, res, next) {
+    let options = {
+        maxAge: 9000000000,
+        httpOnly: false, // BAD
+        secure: false
+    }
+    res.cookie('session', 'value', options);
+    res.end('ok')
+})
+
+app.get('/a', function (req, res, next) {
+    let options = {
+        maxAge: 9000000000
+    }
+    res.cookie('session', 'value', options); // BAD
+    res.end('ok')
+})
+
+app.get('/a', function (req, res, next) {
+    let options = {
+        maxAge: 9000000000
+    }
+    options.httpOnly = false;
+    res.cookie('session', 'value', options); // BAD
+    res.end('ok')
+})
+
+app.get('/a', function (req, res, next) {
+    let options = {
+        maxAge: 9000000000
+    }
+    options.httpOnly = true;
+    res.cookie('session', 'value', options); // GOOD
+    res.end('ok')
+})
+
+app.get('/a', function (req, res, next) {
+    let options = {
+        maxAge: 9000000000,
+        httpOnly: false,
+    }
+    options.httpOnly = false;
+    res.cookie('session', 'value', options); // BAD
+    res.end('ok')
+})
+
+app.get('/a', function (req, res, next) {
+    let options = {
+        maxAge: 9000000000,
+        httpOnly: false,
+    }
+    options.httpOnly = false;
+    let session = "blabla"
+    res.cookie(session, 'value', options); // BAD, var name likely auth related
+    res.end('ok')
+})
+
+app.get('/a', function (req, res, next) {
+    let options = {
+        maxAge: 9000000000,
+        httpOnly: true,
+    }
+    options.httpOnly = true;
+    res.cookie('session', 'value', options); // GOOD
+    res.end('ok')
+})
+
+app.get('/a', function (req, res, next) {
+    let options = {
+        maxAge: 9000000000,
+        httpOnly: false,
+    }
+    options.httpOnly = true;
+    res.cookie('session', 'value', options); // GOOD
+    res.end('ok')
+})
+
+app.get('/a', function (req, res, next) {
+    let options = {
+        maxAge: 9000000000,
+        httpOnly: false,
+    }
+    res.cookie('mycookie', 'value', options); // GOOD, name likely is not auth sensitive
+    res.end('ok')
+})
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Security/CWE-614/InsecureCookies.expected b/javascript/ql/test/query-tests/Security/CWE-614/InsecureCookies.expected
index fc98205a151..6ea91cc8f94 100644
--- a/javascript/ql/test/query-tests/Security/CWE-614/InsecureCookies.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-614/InsecureCookies.expected
@@ -1,9 +1,11 @@
-| test_cookie-session.js:18:9:28:2 | session ...    }\\n}) | Cookie is added to response without the 'secure' flag being set to true |
+| test_cookie-session.js:16:9:24:2 | session ... Date\\n}) | Cookie is added to response without the 'secure' flag being set to true |
 | test_express-session.js:5:9:8:2 | session ... T OK\\n}) | Cookie is added to response without the 'secure' flag being set to true |
 | test_express-session.js:10:9:13:2 | session ... T OK\\n}) | Cookie is added to response without the 'secure' flag being set to true |
 | test_express-session.js:15:9:18:2 | session ... T OK\\n}) | Cookie is added to response without the 'secure' flag being set to true |
 | test_express-session.js:25:9:25:21 | session(sess) | Cookie is added to response without the 'secure' flag being set to true |
-| test_httpserver.js:7:37:7:73 | ["type= ... cript"] | Cookie is added to response without the 'secure' flag being set to true |
+| test_httpserver.js:7:37:7:48 | "type=ninja" | Cookie is added to response without the 'secure' flag being set to true |
+| test_httpserver.js:27:37:27:73 | ["type= ... cript"] | Cookie is added to response without the 'secure' flag being set to true |
+| test_httpserver.js:57:37:57:81 | ["type= ... cript"] | Cookie is added to response without the 'secure' flag being set to true |
 | test_jscookie.js:2:1:2:48 | js_cook ... alse }) | Cookie is added to response without the 'secure' flag being set to true |
 | test_responseCookie.js:5:5:10:10 | res.coo ...      }) | Cookie is added to response without the 'secure' flag being set to true |
 | test_responseCookie.js:20:5:20:40 | res.coo ... ptions) | Cookie is added to response without the 'secure' flag being set to true |
diff --git a/javascript/ql/test/query-tests/Security/CWE-614/test_cookie-session.js b/javascript/ql/test/query-tests/Security/CWE-614/test_cookie-session.js
index d8d80b0059e..18ee1a78055 100644
--- a/javascript/ql/test/query-tests/Security/CWE-614/test_cookie-session.js
+++ b/javascript/ql/test/query-tests/Security/CWE-614/test_cookie-session.js
@@ -6,23 +6,19 @@ const expiryDate = new Date(Date.now() + 60 * 60 * 1000)
 app.use(session({
     name: 'session',
     keys: ['key1', 'key2'],
-    cookie: {
-        secure: true, // OK
-        httpOnly: true,
-        domain: 'example.com',
-        path: 'foo/bar',
-        expires: expiryDate
-    }
+    secure: true, // OK
+    httpOnly: true,
+    domain: 'example.com',
+    path: 'foo/bar',
+    expires: expiryDate
 }))
 
 app.use(session({
     name: 'session',
     keys: ['key1', 'key2'],
-    cookie: {
-        secure: false, // NOT OK
-        httpOnly: true,
-        domain: 'example.com',
-        path: 'foo/bar',
-        expires: expiryDate
-    }
+    secure: false, // NOT OK
+    httpOnly: true,
+    domain: 'example.com',
+    path: 'foo/bar',
+    expires: expiryDate
 }))
diff --git a/javascript/ql/test/query-tests/Security/CWE-614/test_httpserver.js b/javascript/ql/test/query-tests/Security/CWE-614/test_httpserver.js
index fb9fd386850..f490cd5c838 100644
--- a/javascript/ql/test/query-tests/Security/CWE-614/test_httpserver.js
+++ b/javascript/ql/test/query-tests/Security/CWE-614/test_httpserver.js
@@ -3,20 +3,59 @@ const http = require('http');
 function test1() {
     const server = http.createServer((req, res) => {
         res.setHeader('Content-Type', 'text/html');
-        // NOT OK
+        // BAD
+        res.setHeader("Set-Cookie", "type=ninja");
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}
+
+function test2() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        // GOOD
+        res.setHeader("Set-Cookie", "type=ninja; Secure");
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}
+
+function test3() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        // BAD
         res.setHeader("Set-Cookie", ["type=ninja", "language=javascript"]);
         res.writeHead(200, { 'Content-Type': 'text/plain' });
         res.end('ok');
     });
 }
 
-
-function test2() {
+function test4() {
     const server = http.createServer((req, res) => {
         res.setHeader('Content-Type', 'text/html');
-        // OK
-        res.setHeader("Set-Cookie", ["type=ninja; Secure", "language=javascript; secure"]);
+        // GOOD
+        res.setHeader("Set-Cookie", ["type=ninja; Secure"]);
         res.writeHead(200, { 'Content-Type': 'text/plain' });
         res.end('ok');
     });
 }
+
+function test5() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        // GOOD, case insensitive
+        res.setHeader("Set-Cookie", ["type=ninja; secure"]);
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}
+
+function test6() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        // BAD
+        res.setHeader("Set-Cookie", ["type=ninja; secure", "language=javascript"]);
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}
\ No newline at end of file

From 51e08d494093b230eafb479782a9a2d42fd19cd2 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 27 Apr 2021 15:43:19 +0200
Subject: [PATCH 0679/1429] Fix error severity

---
 csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql         | 2 +-
 .../diagnostics/DiagnosticExtractorErrors.expected              | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql b/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
index 91ed4a7b883..23943d8491f 100644
--- a/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
+++ b/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
@@ -60,4 +60,4 @@ private class DiagnosticExtractorError extends DiagnosticError {
 }
 
 from DiagnosticError error
-select error.getMessage(), 3
+select error.getMessage(), 2
diff --git a/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.expected b/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.expected
index e47e78cdce9..e4ae5ec1ef2 100644
--- a/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.expected
+++ b/csharp/ql/test/library-tests/diagnostics/DiagnosticExtractorErrors.expected
@@ -1 +1 @@
-| Unexpected C# extractor error in Program.cs: Unable to resolve target for call. (Compilation error?) | 3 |
+| Unexpected C# extractor error in Program.cs: Unable to resolve target for call. (Compilation error?) | 2 |

From 9178f4b1c570a74dd9fada5a9bed202b8c855673 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 27 Apr 2021 15:57:17 +0200
Subject: [PATCH 0680/1429] add support for the anser library

---
 javascript/change-notes/2021-04-27-anser.md   |  4 +++
 javascript/ql/src/javascript.qll              |  1 +
 .../semmle/javascript/frameworks/Anser.qll    | 31 +++++++++++++++++++
 .../XssThroughDom/XssThroughDom.expected      | 19 ++++++++++++
 .../CWE-079/XssThroughDom/xss-through-dom.js  |  6 ++++
 5 files changed, 61 insertions(+)
 create mode 100644 javascript/change-notes/2021-04-27-anser.md
 create mode 100644 javascript/ql/src/semmle/javascript/frameworks/Anser.qll

diff --git a/javascript/change-notes/2021-04-27-anser.md b/javascript/change-notes/2021-04-27-anser.md
new file mode 100644
index 00000000000..f3808066f48
--- /dev/null
+++ b/javascript/change-notes/2021-04-27-anser.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The security queries now track taint through the anser library. 
+  Affected packages are
+    [anser](https://www.npmjs.com/package/anser)
\ No newline at end of file
diff --git a/javascript/ql/src/javascript.qll b/javascript/ql/src/javascript.qll
index b565a7cd21f..4660d7eaf93 100644
--- a/javascript/ql/src/javascript.qll
+++ b/javascript/ql/src/javascript.qll
@@ -68,6 +68,7 @@ import semmle.javascript.dataflow.TaintTracking
 import semmle.javascript.dataflow.TypeInference
 import semmle.javascript.frameworks.Angular2
 import semmle.javascript.frameworks.AngularJS
+import semmle.javascript.frameworks.Anser
 import semmle.javascript.frameworks.AsyncPackage
 import semmle.javascript.frameworks.AWS
 import semmle.javascript.frameworks.Azure
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Anser.qll b/javascript/ql/src/semmle/javascript/frameworks/Anser.qll
new file mode 100644
index 00000000000..77525689fa4
--- /dev/null
+++ b/javascript/ql/src/semmle/javascript/frameworks/Anser.qll
@@ -0,0 +1,31 @@
+/**
+ * Provides classes for working with applications using [anser](https://www.npmjs.com/package/anser).
+ */
+
+import javascript
+
+/**
+ * A taint step for the [anser](https://www.npmjs.com/package/anser) library.
+ */
+private class AnserTaintStep extends TaintTracking::SharedTaintStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode call |
+      call =
+        API::moduleImport("anser")
+            .getMember(["linkify", "ansiToHtml", "ansiToText", "ansiToJson"])
+            .getACall()
+      or
+      call =
+        API::moduleImport("anser")
+            .getInstance()
+            .getMember([
+                "linkify", "ansiToHtml", "ansiToText", "ansiToJson", "process", "processChunkJson",
+                "processChunk"
+              ])
+            .getACall()
+    |
+      succ = call and
+      pred = call.getArgument(0)
+    )
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
index b88c3eae8ef..b726a851f09 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/XssThroughDom.expected
@@ -103,6 +103,15 @@ nodes
 | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') |
 | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') |
 | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') |
+| xss-through-dom.js:84:8:84:30 | text |
+| xss-through-dom.js:84:15:84:30 | $("text").text() |
+| xss-through-dom.js:84:15:84:30 | $("text").text() |
+| xss-through-dom.js:86:16:86:37 | anser.a ... l(text) |
+| xss-through-dom.js:86:16:86:37 | anser.a ... l(text) |
+| xss-through-dom.js:86:33:86:36 | text |
+| xss-through-dom.js:87:16:87:40 | new ans ... s(text) |
+| xss-through-dom.js:87:16:87:40 | new ans ... s(text) |
+| xss-through-dom.js:87:36:87:39 | text |
 edges
 | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
 | forms.js:8:23:8:28 | values | forms.js:9:31:9:36 | values |
@@ -161,6 +170,14 @@ edges
 | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:73:9:73:41 | selector |
 | xss-through-dom.js:79:4:79:34 | documen ... t.value | xss-through-dom.js:79:4:79:34 | documen ... t.value |
 | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') |
+| xss-through-dom.js:84:8:84:30 | text | xss-through-dom.js:86:33:86:36 | text |
+| xss-through-dom.js:84:8:84:30 | text | xss-through-dom.js:87:36:87:39 | text |
+| xss-through-dom.js:84:15:84:30 | $("text").text() | xss-through-dom.js:84:8:84:30 | text |
+| xss-through-dom.js:84:15:84:30 | $("text").text() | xss-through-dom.js:84:8:84:30 | text |
+| xss-through-dom.js:86:33:86:36 | text | xss-through-dom.js:86:16:86:37 | anser.a ... l(text) |
+| xss-through-dom.js:86:33:86:36 | text | xss-through-dom.js:86:16:86:37 | anser.a ... l(text) |
+| xss-through-dom.js:87:36:87:39 | text | xss-through-dom.js:87:16:87:40 | new ans ... s(text) |
+| xss-through-dom.js:87:36:87:39 | text | xss-through-dom.js:87:16:87:40 | new ans ... s(text) |
 #select
 | forms.js:9:31:9:40 | values.foo | forms.js:8:23:8:28 | values | forms.js:9:31:9:40 | values.foo | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:8:23:8:28 | values | DOM text |
 | forms.js:12:31:12:40 | values.bar | forms.js:11:24:11:29 | values | forms.js:12:31:12:40 | values.bar | $@ is reinterpreted as HTML without escaping meta-characters. | forms.js:11:24:11:29 | values | DOM text |
@@ -190,3 +207,5 @@ edges
 | xss-through-dom.js:77:4:77:11 | selector | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | xss-through-dom.js:77:4:77:11 | selector | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:73:20:73:41 | $("inpu ... 0).name | DOM text |
 | xss-through-dom.js:79:4:79:34 | documen ... t.value | xss-through-dom.js:79:4:79:34 | documen ... t.value | xss-through-dom.js:79:4:79:34 | documen ... t.value | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:79:4:79:34 | documen ... t.value | DOM text |
 | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:81:17:81:43 | $('#foo ... rText') | DOM text |
+| xss-through-dom.js:86:16:86:37 | anser.a ... l(text) | xss-through-dom.js:84:15:84:30 | $("text").text() | xss-through-dom.js:86:16:86:37 | anser.a ... l(text) | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:84:15:84:30 | $("text").text() | DOM text |
+| xss-through-dom.js:87:16:87:40 | new ans ... s(text) | xss-through-dom.js:84:15:84:30 | $("text").text() | xss-through-dom.js:87:16:87:40 | new ans ... s(text) | $@ is reinterpreted as HTML without escaping meta-characters. | xss-through-dom.js:84:15:84:30 | $("text").text() | DOM text |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js
index 9f85627ee7c..0e6555fe568 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js
@@ -79,4 +79,10 @@
 	$(document.my_form.my_input.value); // NOT OK
 
 	$("#id").html( $('#foo').prop('innerText') ); // NOT OK
+
+	const anser = require("anser");
+	const text = $("text").text();
+
+	$("#id").html(anser.ansiToHtml(text)); // NOT OK
+	$("#id").html(new anser().process(text)); // NOT OK
 })();
\ No newline at end of file

From 044c92016bd89438f8ba135a65717f13c6d52d7b Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Fri, 23 Apr 2021 11:52:26 +0200
Subject: [PATCH 0681/1429] Data flow: Cache enclosing callable predicates

---
 .../dataflow/internal/DataFlowImplCommon.qll   | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
index a51c20c2288..b5cc2438456 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
@@ -242,6 +242,14 @@ private DataFlowCallable viableCallableExt(DataFlowCall call) {
 
 cached
 private module Cached {
+  cached
+  predicate nodeEnclosingCallable(Node n, DataFlowCallable c) { c = n.getEnclosingCallable() }
+
+  cached
+  predicate callEnclosingCallable(DataFlowCall call, DataFlowCallable c) {
+    c = call.getEnclosingCallable()
+  }
+
   /**
    * Gets a viable target for the lambda call `call`.
    *
@@ -553,7 +561,7 @@ private module Cached {
     private predicate mayBenefitFromCallContextExt(DataFlowCall call, DataFlowCallable callable) {
       mayBenefitFromCallContext(call, callable)
       or
-      callable = call.getEnclosingCallable() and
+      callEnclosingCallable(call, callable) and
       exists(viableCallableLambda(call, TDataFlowCallSome(_)))
     }
 
@@ -611,7 +619,7 @@ private module Cached {
         mayBenefitFromCallContextExt(call, _) and
         c = viableCallableExt(call) and
         ctxtgts = count(DataFlowCall ctx | c = viableImplInCallContextExt(call, ctx)) and
-        tgts = strictcount(DataFlowCall ctx | viableCallableExt(ctx) = call.getEnclosingCallable()) and
+        tgts = strictcount(DataFlowCall ctx | callEnclosingCallable(call, viableCallableExt(ctx))) and
         ctxtgts < tgts
       )
     }
@@ -866,7 +874,7 @@ class CallContextReturn extends CallContextNoCall, TReturn {
   }
 
   override predicate relevantFor(DataFlowCallable callable) {
-    exists(DataFlowCall call | this = TReturn(_, call) and call.getEnclosingCallable() = callable)
+    exists(DataFlowCall call | this = TReturn(_, call) and callEnclosingCallable(call, callable))
   }
 }
 
@@ -1017,7 +1025,7 @@ pragma[inline]
 DataFlowCallable getNodeEnclosingCallable(Node n) {
   exists(Node n0 |
     pragma[only_bind_into](n0) = n and
-    pragma[only_bind_into](result) = n0.getEnclosingCallable()
+    nodeEnclosingCallable(n0, pragma[only_bind_into](result))
   )
 }
 
@@ -1042,7 +1050,7 @@ predicate resolveReturn(CallContext cc, DataFlowCallable callable, DataFlowCall
   cc instanceof CallContextAny and callable = viableCallableExt(call)
   or
   exists(DataFlowCallable c0, DataFlowCall call0 |
-    call0.getEnclosingCallable() = callable and
+    callEnclosingCallable(call0, callable) and
     cc = TReturn(c0, call0) and
     c0 = prunedViableImplInCallContextReverse(call0, call)
   )

From 1a56f0b79ce8edf7f7d577e599e49c2f51cdf32b Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Fri, 23 Apr 2021 11:58:00 +0200
Subject: [PATCH 0682/1429] Data flow: Cache `getNodeType`

---
 .../csharp/dataflow/internal/DataFlowImpl.qll | 28 ++++++-----
 .../dataflow/internal/DataFlowImplCommon.qll  | 48 +++++++++++--------
 2 files changed, 42 insertions(+), 34 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index 9498e51e7e6..4dbf1b0cdaa 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -1327,11 +1327,11 @@ private module LocalFlowBigStep {
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
@@ -1350,7 +1350,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1384,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1443,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -2088,7 +2090,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2758,7 +2760,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -3148,7 +3150,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3591,7 +3593,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3627,7 +3629,7 @@ private module FlowExploration {
       not fullBarrier(node, config) and
       not clearsContent(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3797,7 +3799,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3815,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3829,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
index b5cc2438456..a6f04cb8ce9 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
@@ -119,7 +119,7 @@ private module LambdaFlow {
   ) {
     revLambdaFlow0(lambdaCall, kind, node, t, toReturn, toJump, lastCall) and
     if node instanceof CastNode or node instanceof ArgumentNode or node instanceof ReturnNode
-    then compatibleTypes(t, getNodeType(node))
+    then compatibleTypes(t, getNodeDataFlowType(node))
     else any()
   }
 
@@ -129,7 +129,7 @@ private module LambdaFlow {
     boolean toJump, DataFlowCallOption lastCall
   ) {
     lambdaCall(lambdaCall, kind, node) and
-    t = getNodeType(node) and
+    t = getNodeDataFlowType(node) and
     toReturn = false and
     toJump = false and
     lastCall = TDataFlowCallNone()
@@ -146,7 +146,7 @@ private module LambdaFlow {
         getNodeEnclosingCallable(node) = getNodeEnclosingCallable(mid)
       |
         preservesValue = false and
-        t = getNodeType(node)
+        t = getNodeDataFlowType(node)
         or
         preservesValue = true and
         t = t0
@@ -168,7 +168,7 @@ private module LambdaFlow {
         getNodeEnclosingCallable(node) != getNodeEnclosingCallable(mid)
       |
         preservesValue = false and
-        t = getNodeType(node)
+        t = getNodeDataFlowType(node)
         or
         preservesValue = true and
         t = t0
@@ -250,6 +250,9 @@ private module Cached {
     c = call.getEnclosingCallable()
   }
 
+  cached
+  predicate nodeDataFlowType(Node n, DataFlowType t) { t = getNodeType(n) }
+
   /**
    * Gets a viable target for the lambda call `call`.
    *
@@ -282,7 +285,7 @@ private module Cached {
     exists(int i |
       viableParam(call, i, p) and
       arg.argumentOf(call, i) and
-      compatibleTypes(getNodeType(arg), getNodeType(p))
+      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
     )
   }
 
@@ -430,10 +433,10 @@ private module Cached {
         then
           // normal flow through
           read = TReadStepTypesNone() and
-          compatibleTypes(getNodeType(p), getNodeType(node))
+          compatibleTypes(getNodeDataFlowType(p), getNodeDataFlowType(node))
           or
           // getter
-          compatibleTypes(read.getContentType(), getNodeType(node))
+          compatibleTypes(read.getContentType(), getNodeDataFlowType(node))
         else any()
       }
 
@@ -455,7 +458,7 @@ private module Cached {
           readStepWithTypes(mid, read.getContainerType(), read.getContent(), node,
             read.getContentType()) and
           Cand::parameterValueFlowReturnCand(p, _, true) and
-          compatibleTypes(getNodeType(p), read.getContainerType())
+          compatibleTypes(getNodeDataFlowType(p), read.getContainerType())
         )
         or
         parameterValueFlow0_0(TReadStepTypesNone(), p, node, read)
@@ -511,11 +514,11 @@ private module Cached {
         |
           // normal flow through
           read = TReadStepTypesNone() and
-          compatibleTypes(getNodeType(arg), getNodeType(out))
+          compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(out))
           or
           // getter
-          compatibleTypes(getNodeType(arg), read.getContainerType()) and
-          compatibleTypes(read.getContentType(), getNodeType(out))
+          compatibleTypes(getNodeDataFlowType(arg), read.getContainerType()) and
+          compatibleTypes(read.getContentType(), getNodeDataFlowType(out))
         )
       }
 
@@ -653,8 +656,8 @@ private module Cached {
   ) {
     storeStep(node1, c, node2) and
     readStep(_, c, _) and
-    contentType = getNodeType(node1) and
-    containerType = getNodeType(node2)
+    contentType = getNodeDataFlowType(node1) and
+    containerType = getNodeDataFlowType(node2)
     or
     exists(Node n1, Node n2 |
       n1 = node1.(PostUpdateNode).getPreUpdateNode() and
@@ -663,8 +666,8 @@ private module Cached {
       argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, c, contentType), n1)
       or
       readStep(n2, c, n1) and
-      contentType = getNodeType(n1) and
-      containerType = getNodeType(n2)
+      contentType = getNodeDataFlowType(n1) and
+      containerType = getNodeDataFlowType(n2)
     )
   }
 
@@ -784,8 +787,8 @@ private predicate readStepWithTypes(
   Node n1, DataFlowType container, Content c, Node n2, DataFlowType content
 ) {
   readStep(n1, c, n2) and
-  container = getNodeType(n1) and
-  content = getNodeType(n2)
+  container = getNodeDataFlowType(n1) and
+  content = getNodeDataFlowType(n2)
 }
 
 private newtype TReadStepTypesOption =
@@ -1023,10 +1026,13 @@ class ReturnPosition extends TReturnPosition0 {
  */
 pragma[inline]
 DataFlowCallable getNodeEnclosingCallable(Node n) {
-  exists(Node n0 |
-    pragma[only_bind_into](n0) = n and
-    nodeEnclosingCallable(n0, pragma[only_bind_into](result))
-  )
+  nodeEnclosingCallable(pragma[only_bind_out](n), pragma[only_bind_into](result))
+}
+
+/** Gets the type of `n` used for type pruning. */
+pragma[inline]
+DataFlowType getNodeDataFlowType(Node n) {
+  nodeDataFlowType(pragma[only_bind_out](n), pragma[only_bind_into](result))
 }
 
 pragma[noinline]

From 8bfeae768faac60bcdc8de1cc59664d1982e728a Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Fri, 23 Apr 2021 13:16:54 +0200
Subject: [PATCH 0683/1429] Data flow: Cache `simpleLocalFlowStep`

---
 .../code/csharp/dataflow/internal/DataFlowImpl.qll    |  5 +----
 .../csharp/dataflow/internal/DataFlowImplCommon.qll   | 11 +++++++++--
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index 4dbf1b0cdaa..7bf05143cfa 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
index a6f04cb8ce9..87034b74fde 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
@@ -689,8 +689,9 @@ private module Cached {
    * are aliases. A typical example is a function returning `this`, implementing a fluent
    * interface.
    */
-  cached
-  predicate reverseStepThroughInputOutputAlias(PostUpdateNode fromNode, PostUpdateNode toNode) {
+  private predicate reverseStepThroughInputOutputAlias(
+    PostUpdateNode fromNode, PostUpdateNode toNode
+  ) {
     exists(Node fromPre, Node toPre |
       fromPre = fromNode.getPreUpdateNode() and
       toPre = toNode.getPreUpdateNode()
@@ -707,6 +708,12 @@ private module Cached {
     )
   }
 
+  cached
+  predicate simpleLocalFlowStepExt(Node node1, Node node2) {
+    simpleLocalFlowStep(node1, node2) or
+    reverseStepThroughInputOutputAlias(node1, node2)
+  }
+
   /**
    * Holds if the call context `call` either improves virtual dispatch in
    * `callable` or if it allows us to prune unreachable nodes in `callable`.

From 96aa1828935984adfdaa6b50abc566c79f94e79f Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Fri, 23 Apr 2021 13:22:37 +0200
Subject: [PATCH 0684/1429] Data flow: Cache `jumpStep`

---
 .../semmle/code/csharp/dataflow/internal/DataFlowImpl.qll    | 2 +-
 .../code/csharp/dataflow/internal/DataFlowImplCommon.qll     | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index 7bf05143cfa..938a7b3fe2f 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -234,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
index 87034b74fde..32e0f913015 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
@@ -160,7 +160,7 @@ private module LambdaFlow {
       toJump = true and
       lastCall = TDataFlowCallNone()
     |
-      jumpStep(node, mid) and
+      jumpStepCached(node, mid) and
       t = t0
       or
       exists(boolean preservesValue |
@@ -253,6 +253,9 @@ private module Cached {
   cached
   predicate nodeDataFlowType(Node n, DataFlowType t) { t = getNodeType(n) }
 
+  cached
+  predicate jumpStepCached(Node node1, Node node2) { jumpStep(node1, node2) }
+
   /**
    * Gets a viable target for the lambda call `call`.
    *

From 4009c01558472839f32c006507505749bf864a57 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Fri, 23 Apr 2021 15:52:22 +0200
Subject: [PATCH 0685/1429] Data flow: Cache `readStep`

---
 .../dataflow/internal/DataFlowImplCommon.qll      | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
index 32e0f913015..3a245cda11a 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
@@ -339,7 +339,7 @@ private module Cached {
         // read
         exists(Node mid |
           parameterValueFlowCand(p, mid, false) and
-          readStep(mid, _, node) and
+          read(mid, _, node) and
           read = true
         )
         or
@@ -658,7 +658,7 @@ private module Cached {
     Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
   ) {
     storeStep(node1, c, node2) and
-    readStep(_, c, _) and
+    read(_, c, _) and
     contentType = getNodeDataFlowType(node1) and
     containerType = getNodeDataFlowType(node2)
     or
@@ -668,12 +668,15 @@ private module Cached {
     |
       argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, c, contentType), n1)
       or
-      readStep(n2, c, n1) and
+      read(n2, c, n1) and
       contentType = getNodeDataFlowType(n1) and
       containerType = getNodeDataFlowType(n2)
     )
   }
 
+  cached
+  predicate read(Node node1, Content c, Node node2) { readStep(node1, c, node2) }
+
   /**
    * Holds if data can flow from `node1` to `node2` via a direct assignment to
    * `f`.
@@ -789,14 +792,14 @@ class CastingNode extends Node {
     // For reads, `x.f`, we want to check that the tracked type after the read (which
     // is obtained by popping the head of the access path stack) is compatible with
     // the type of `x.f`.
-    readStep(_, _, this)
+    read(_, _, this)
   }
 }
 
 private predicate readStepWithTypes(
   Node n1, DataFlowType container, Content c, Node n2, DataFlowType content
 ) {
-  readStep(n1, c, n2) and
+  read(n1, c, n2) and
   container = getNodeDataFlowType(n1) and
   content = getNodeDataFlowType(n2)
 }
@@ -1087,8 +1090,6 @@ DataFlowCallable resolveCall(DataFlowCall call, CallContext cc) {
   result = viableCallableExt(call) and cc instanceof CallContextReturn
 }
 
-predicate read = readStep/3;
-
 /** An optional Boolean value. */
 class BooleanOption extends TBooleanOption {
   string toString() {

From 1bf0e01a83c224632864d4825f5d9f67b69866d0 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Fri, 23 Apr 2021 15:55:52 +0200
Subject: [PATCH 0686/1429] Data flow: Cache `clearsContent`

---
 .../semmle/code/csharp/dataflow/internal/DataFlowImpl.qll   | 6 +++---
 .../code/csharp/dataflow/internal/DataFlowImplCommon.qll    | 5 ++++-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index 938a7b3fe2f..4099043f4d8 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -1258,7 +1258,7 @@ private module LocalFlowBigStep {
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
       this instanceof CastNode or
-      clearsContent(this, _)
+      clearsContentCached(this, _)
     }
   }
 
@@ -3610,7 +3610,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3624,7 +3624,7 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
       then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
index 3a245cda11a..e8260dd3c8c 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
@@ -256,6 +256,9 @@ private module Cached {
   cached
   predicate jumpStepCached(Node node1, Node node2) { jumpStep(node1, node2) }
 
+  cached
+  predicate clearsContentCached(Node n, Content c) { clearsContent(n, c) }
+
   /**
    * Gets a viable target for the lambda call `call`.
    *
@@ -1141,7 +1144,7 @@ abstract class AccessPathFront extends TAccessPathFront {
 
   TypedContent getHead() { this = TFrontHead(result) }
 
-  predicate isClearedAt(Node n) { clearsContent(n, getHead().getContent()) }
+  predicate isClearedAt(Node n) { clearsContentCached(n, getHead().getContent()) }
 }
 
 class AccessPathFrontNil extends AccessPathFront, TFrontNil {

From 23113c4ff7002828421630e34febca601341a826 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Fri, 23 Apr 2021 16:11:08 +0200
Subject: [PATCH 0687/1429] Data flow: Cache `isUnreachableInCall`

---
 .../code/csharp/dataflow/internal/DataFlowImpl.qll       | 6 +++---
 .../code/csharp/dataflow/internal/DataFlowImplCommon.qll | 9 ++++++---
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index 4099043f4d8..68fde153549 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -1318,7 +1318,7 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
@@ -1332,7 +1332,7 @@ private module LocalFlowBigStep {
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -3782,7 +3782,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
index e8260dd3c8c..f3b005ff148 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
@@ -259,6 +259,9 @@ private module Cached {
   cached
   predicate clearsContentCached(Node n, Content c) { clearsContent(n, c) }
 
+  cached
+  predicate isUnreachableInCallCached(Node n, DataFlowCall call) { isUnreachableInCall(n, call) }
+
   /**
    * Gets a viable target for the lambda call `call`.
    *
@@ -731,7 +734,7 @@ private module Cached {
   predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) {
     reducedViableImplInCallContext(_, callable, call)
     or
-    exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCall(n, call))
+    exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCallCached(n, call))
   }
 
   cached
@@ -753,7 +756,7 @@ private module Cached {
   cached
   newtype TLocalFlowCallContext =
     TAnyLocalCall() or
-    TSpecificLocalCall(DataFlowCall call) { isUnreachableInCall(_, call) }
+    TSpecificLocalCall(DataFlowCall call) { isUnreachableInCallCached(_, call) }
 
   cached
   newtype TReturnKindExt =
@@ -926,7 +929,7 @@ class LocalCallContextSpecificCall extends LocalCallContext, TSpecificLocalCall
 }
 
 private predicate relevantLocalCCtx(DataFlowCall call, DataFlowCallable callable) {
-  exists(Node n | getNodeEnclosingCallable(n) = callable and isUnreachableInCall(n, call))
+  exists(Node n | getNodeEnclosingCallable(n) = callable and isUnreachableInCallCached(n, call))
 }
 
 /**

From 9738de2cb9487c52580dc595bea0f8efbd3066fd Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 26 Apr 2021 15:28:20 +0200
Subject: [PATCH 0688/1429] Data flow: Cache `OutNodeExt`

---
 .../dataflow/internal/DataFlowImplCommon.qll  | 36 ++++++++++---------
 1 file changed, 19 insertions(+), 17 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
index f3b005ff148..d6fbadd21f0 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
@@ -262,6 +262,23 @@ private module Cached {
   cached
   predicate isUnreachableInCallCached(Node n, DataFlowCall call) { isUnreachableInCall(n, call) }
 
+  cached
+  predicate outNodeExt(Node n) {
+    n instanceof OutNode
+    or
+    n.(PostUpdateNode).getPreUpdateNode() instanceof ArgumentNode
+  }
+
+  cached
+  OutNodeExt getAnOutNodeExt(DataFlowCall call, ReturnKindExt k) {
+    result = getAnOutNode(call, k.(ValueReturnKind).getKind())
+    or
+    exists(ArgumentNode arg |
+      result.(PostUpdateNode).getPreUpdateNode() = arg and
+      arg.argumentOf(call, k.(ParamUpdateReturnKind).getPosition())
+    )
+  }
+
   /**
    * Gets a viable target for the lambda call `call`.
    *
@@ -970,11 +987,7 @@ class ReturnNodeExt extends Node {
  * or a post-update node associated with a call argument.
  */
 class OutNodeExt extends Node {
-  OutNodeExt() {
-    this instanceof OutNode
-    or
-    this.(PostUpdateNode).getPreUpdateNode() instanceof ArgumentNode
-  }
+  OutNodeExt() { outNodeExt(this) }
 }
 
 /**
@@ -987,7 +1000,7 @@ abstract class ReturnKindExt extends TReturnKindExt {
   abstract string toString();
 
   /** Gets a node corresponding to data flow out of `call`. */
-  abstract OutNodeExt getAnOutNode(DataFlowCall call);
+  final OutNodeExt getAnOutNode(DataFlowCall call) { result = getAnOutNodeExt(call, this) }
 }
 
 class ValueReturnKind extends ReturnKindExt, TValueReturn {
@@ -998,10 +1011,6 @@ class ValueReturnKind extends ReturnKindExt, TValueReturn {
   ReturnKind getKind() { result = kind }
 
   override string toString() { result = kind.toString() }
-
-  override OutNodeExt getAnOutNode(DataFlowCall call) {
-    result = getAnOutNode(call, this.getKind())
-  }
 }
 
 class ParamUpdateReturnKind extends ReturnKindExt, TParamUpdate {
@@ -1012,13 +1021,6 @@ class ParamUpdateReturnKind extends ReturnKindExt, TParamUpdate {
   int getPosition() { result = pos }
 
   override string toString() { result = "param update " + pos }
-
-  override OutNodeExt getAnOutNode(DataFlowCall call) {
-    exists(ArgumentNode arg |
-      result.(PostUpdateNode).getPreUpdateNode() = arg and
-      arg.argumentOf(call, this.getPosition())
-    )
-  }
 }
 
 /** A callable tagged with a relevant return kind. */

From 346af4f97adf1c650ee4168352667c3de867bd69 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 26 Apr 2021 15:30:01 +0200
Subject: [PATCH 0689/1429] Data flow: Cache `ReturnNodeExt`

---
 .../dataflow/internal/DataFlowImplCommon.qll  | 29 +++++++++----------
 1 file changed, 14 insertions(+), 15 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
index d6fbadd21f0..c81af6cde57 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
@@ -279,6 +279,17 @@ private module Cached {
     )
   }
 
+  cached
+  predicate returnNodeExt(Node n, ReturnKindExt k) {
+    k = TValueReturn(n.(ReturnNode).getKind())
+    or
+    exists(ParameterNode p, int pos |
+      parameterValueFlowsToPreUpdate(p, n) and
+      p.isParameterOf(_, pos) and
+      k = TParamUpdate(pos)
+    )
+  }
+
   /**
    * Gets a viable target for the lambda call `call`.
    *
@@ -672,8 +683,7 @@ private module Cached {
    * Holds if `p` can flow to the pre-update node associated with post-update
    * node `n`, in the same callable, using only value-preserving steps.
    */
-  cached
-  predicate parameterValueFlowsToPreUpdate(ParameterNode p, PostUpdateNode n) {
+  private predicate parameterValueFlowsToPreUpdate(ParameterNode p, PostUpdateNode n) {
     parameterValueFlow(p, n.getPreUpdateNode(), TReadStepTypesNone())
   }
 
@@ -965,21 +975,10 @@ LocalCallContext getLocalCallContext(CallContext ctx, DataFlowCallable callable)
  * `ReturnNode` or a `PostUpdateNode` corresponding to the value of a parameter.
  */
 class ReturnNodeExt extends Node {
-  ReturnNodeExt() {
-    this instanceof ReturnNode or
-    parameterValueFlowsToPreUpdate(_, this)
-  }
+  ReturnNodeExt() { returnNodeExt(this, _) }
 
   /** Gets the kind of this returned value. */
-  ReturnKindExt getKind() {
-    result = TValueReturn(this.(ReturnNode).getKind())
-    or
-    exists(ParameterNode p, int pos |
-      parameterValueFlowsToPreUpdate(p, this) and
-      p.isParameterOf(_, pos) and
-      result = TParamUpdate(pos)
-    )
-  }
+  ReturnKindExt getKind() { returnNodeExt(this, result) }
 }
 
 /**

From ade99c2c2b104d7b5cc5295553a8e82da328bcae Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 26 Apr 2021 15:37:43 +0200
Subject: [PATCH 0690/1429] Data flow: Cache `Cast(ing)Node`

---
 .../csharp/dataflow/internal/DataFlowImpl.qll |  2 +-
 .../dataflow/internal/DataFlowImplCommon.qll  | 26 ++++++++++++-------
 2 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index 68fde153549..242d5444d38 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -1257,7 +1257,7 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
+      castNode(this) or
       clearsContentCached(this, _)
     }
   }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
index c81af6cde57..d9e875ee281 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
@@ -118,7 +118,7 @@ private module LambdaFlow {
     boolean toJump, DataFlowCallOption lastCall
   ) {
     revLambdaFlow0(lambdaCall, kind, node, t, toReturn, toJump, lastCall) and
-    if node instanceof CastNode or node instanceof ArgumentNode or node instanceof ReturnNode
+    if castNode(node) or node instanceof ArgumentNode or node instanceof ReturnNode
     then compatibleTypes(t, getNodeDataFlowType(node))
     else any()
   }
@@ -290,6 +290,20 @@ private module Cached {
     )
   }
 
+  cached
+  predicate castNode(Node n) { n instanceof CastNode }
+
+  cached
+  predicate castingNode(Node n) {
+    castNode(n) or
+    n instanceof ParameterNode or
+    n instanceof OutNodeExt or
+    // For reads, `x.f`, we want to check that the tracked type after the read (which
+    // is obtained by popping the head of the access path stack) is compatible with
+    // the type of `x.f`.
+    read(_, _, n)
+  }
+
   /**
    * Gets a viable target for the lambda call `call`.
    *
@@ -818,15 +832,7 @@ private module Cached {
  * A `Node` at which a cast can occur such that the type should be checked.
  */
 class CastingNode extends Node {
-  CastingNode() {
-    this instanceof ParameterNode or
-    this instanceof CastNode or
-    this instanceof OutNodeExt or
-    // For reads, `x.f`, we want to check that the tracked type after the read (which
-    // is obtained by popping the head of the access path stack) is compatible with
-    // the type of `x.f`.
-    read(_, _, this)
-  }
+  CastingNode() { castingNode(this) }
 }
 
 private predicate readStepWithTypes(

From 7d4feaca2f421acd7241621d93e4d357bc721059 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 26 Apr 2021 15:44:22 +0200
Subject: [PATCH 0691/1429] Data flow: Cache `ArgumentNode`

---
 .../csharp/dataflow/internal/DataFlowImpl.qll | 42 +++++++--------
 .../dataflow/internal/DataFlowImplCommon.qll  | 51 ++++++++++++-------
 2 files changed, 53 insertions(+), 40 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index 242d5444d38..53a8ebe2d54 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNode p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -520,7 +520,7 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
     exists(ParameterNode p |
       revFlow(p, toReturn, config) and
@@ -529,7 +529,7 @@ private module Stage1 {
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -660,7 +660,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNode p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -672,7 +672,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -732,7 +732,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNode p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,7 +944,7 @@ private module Stage2 {
     DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1130,7 +1130,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
     exists(ParameterNode p, boolean allowsFieldFlow |
@@ -1143,7 +1143,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1242,7 +1242,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNode node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1585,7 +1585,7 @@ private module Stage3 {
     DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1771,7 +1771,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
     exists(ParameterNode p, boolean allowsFieldFlow |
@@ -1784,7 +1784,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2154,7 +2154,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNode node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2302,7 +2302,7 @@ private module Stage4 {
     DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2488,7 +2488,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
     exists(ParameterNode p, boolean allowsFieldFlow |
@@ -2501,7 +2501,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -3234,7 +3234,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3923,7 +3923,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -4137,7 +4137,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
index d9e875ee281..f079d878dec 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
@@ -43,14 +43,14 @@ private module LambdaFlow {
     p.isParameterOf(viableCallableLambda(call, _), i)
   }
 
-  private predicate viableParamArgNonLambda(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
+  private predicate viableParamArgNonLambda(DataFlowCall call, ParameterNode p, ArgumentNodeExt arg) {
     exists(int i |
       viableParamNonLambda(call, i, p) and
       arg.argumentOf(call, i)
     )
   }
 
-  private predicate viableParamArgLambda(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
+  private predicate viableParamArgLambda(DataFlowCall call, ParameterNode p, ArgumentNodeExt arg) {
     exists(int i |
       viableParamLambda(call, i, p) and
       arg.argumentOf(call, i)
@@ -118,7 +118,7 @@ private module LambdaFlow {
     boolean toJump, DataFlowCallOption lastCall
   ) {
     revLambdaFlow0(lambdaCall, kind, node, t, toReturn, toJump, lastCall) and
-    if castNode(node) or node instanceof ArgumentNode or node instanceof ReturnNode
+    if castNode(node) or node instanceof ArgumentNodeExt or node instanceof ReturnNode
     then compatibleTypes(t, getNodeDataFlowType(node))
     else any()
   }
@@ -266,14 +266,14 @@ private module Cached {
   predicate outNodeExt(Node n) {
     n instanceof OutNode
     or
-    n.(PostUpdateNode).getPreUpdateNode() instanceof ArgumentNode
+    n.(PostUpdateNode).getPreUpdateNode() instanceof ArgumentNodeExt
   }
 
   cached
   OutNodeExt getAnOutNodeExt(DataFlowCall call, ReturnKindExt k) {
     result = getAnOutNode(call, k.(ValueReturnKind).getKind())
     or
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       result.(PostUpdateNode).getPreUpdateNode() = arg and
       arg.argumentOf(call, k.(ParamUpdateReturnKind).getPosition())
     )
@@ -304,6 +304,11 @@ private module Cached {
     read(_, _, n)
   }
 
+  cached
+  predicate argumentNode(Node n, DataFlowCall call, int pos) {
+    n.(ArgumentNode).argumentOf(call, pos)
+  }
+
   /**
    * Gets a viable target for the lambda call `call`.
    *
@@ -332,7 +337,7 @@ private module Cached {
    * dispatch into account.
    */
   cached
-  predicate viableParamArg(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
+  predicate viableParamArg(DataFlowCall call, ParameterNode p, ArgumentNodeExt arg) {
     exists(int i |
       viableParam(call, i, p) and
       arg.argumentOf(call, i) and
@@ -392,20 +397,20 @@ private module Cached {
         )
         or
         // flow through: no prior read
-        exists(ArgumentNode arg |
+        exists(ArgumentNodeExt arg |
           parameterValueFlowArgCand(p, arg, false) and
           argumentValueFlowsThroughCand(arg, node, read)
         )
         or
         // flow through: no read inside method
-        exists(ArgumentNode arg |
+        exists(ArgumentNodeExt arg |
           parameterValueFlowArgCand(p, arg, read) and
           argumentValueFlowsThroughCand(arg, node, false)
         )
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlowArgCand(ParameterNode p, ArgumentNode arg, boolean read) {
+      private predicate parameterValueFlowArgCand(ParameterNode p, ArgumentNodeExt arg, boolean read) {
         parameterValueFlowCand(p, arg, read)
       }
 
@@ -431,7 +436,7 @@ private module Cached {
 
       pragma[nomagic]
       private predicate argumentValueFlowsThroughCand0(
-        DataFlowCall call, ArgumentNode arg, ReturnKind kind, boolean read
+        DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, boolean read
       ) {
         exists(ParameterNode param | viableParamArg(call, param, arg) |
           parameterValueFlowReturnCand(param, kind, read)
@@ -444,7 +449,7 @@ private module Cached {
        *
        * `read` indicates whether it is contents of `arg` that can flow to `out`.
        */
-      predicate argumentValueFlowsThroughCand(ArgumentNode arg, Node out, boolean read) {
+      predicate argumentValueFlowsThroughCand(ArgumentNodeExt arg, Node out, boolean read) {
         exists(DataFlowCall call, ReturnKind kind |
           argumentValueFlowsThroughCand0(call, arg, kind, read) and
           out = getAnOutNode(call, kind)
@@ -520,13 +525,13 @@ private module Cached {
         ReadStepTypesOption mustBeNone, ParameterNode p, Node node, ReadStepTypesOption read
       ) {
         // flow through: no prior read
-        exists(ArgumentNode arg |
+        exists(ArgumentNodeExt arg |
           parameterValueFlowArg(p, arg, mustBeNone) and
           argumentValueFlowsThrough(arg, read, node)
         )
         or
         // flow through: no read inside method
-        exists(ArgumentNode arg |
+        exists(ArgumentNodeExt arg |
           parameterValueFlowArg(p, arg, read) and
           argumentValueFlowsThrough(arg, mustBeNone, node)
         )
@@ -534,7 +539,7 @@ private module Cached {
 
       pragma[nomagic]
       private predicate parameterValueFlowArg(
-        ParameterNode p, ArgumentNode arg, ReadStepTypesOption read
+        ParameterNode p, ArgumentNodeExt arg, ReadStepTypesOption read
       ) {
         parameterValueFlow(p, arg, read) and
         Cand::argumentValueFlowsThroughCand(arg, _, _)
@@ -542,7 +547,7 @@ private module Cached {
 
       pragma[nomagic]
       private predicate argumentValueFlowsThrough0(
-        DataFlowCall call, ArgumentNode arg, ReturnKind kind, ReadStepTypesOption read
+        DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, ReadStepTypesOption read
       ) {
         exists(ParameterNode param | viableParamArg(call, param, arg) |
           parameterValueFlowReturn(param, kind, read)
@@ -558,7 +563,7 @@ private module Cached {
        * container type, and the content type.
        */
       pragma[nomagic]
-      predicate argumentValueFlowsThrough(ArgumentNode arg, ReadStepTypesOption read, Node out) {
+      predicate argumentValueFlowsThrough(ArgumentNodeExt arg, ReadStepTypesOption read, Node out) {
         exists(DataFlowCall call, ReturnKind kind |
           argumentValueFlowsThrough0(call, arg, kind, read) and
           out = getAnOutNode(call, kind)
@@ -578,7 +583,7 @@ private module Cached {
        * value-preserving steps and a single read step, not taking call
        * contexts into account, thus representing a getter-step.
        */
-      predicate getterStep(ArgumentNode arg, Content c, Node out) {
+      predicate getterStep(ArgumentNodeExt arg, Content c, Node out) {
         argumentValueFlowsThrough(arg, TReadStepTypesSome(_, c, _), out)
       }
 
@@ -753,8 +758,8 @@ private module Cached {
         // Does the language-specific simpleLocalFlowStep already model flow
         // from function input to output?
         fromPre = getAnOutNode(c, _) and
-        toPre.(ArgumentNode).argumentOf(c, _) and
-        simpleLocalFlowStep(toPre.(ArgumentNode), fromPre)
+        toPre.(ArgumentNodeExt).argumentOf(c, _) and
+        simpleLocalFlowStep(toPre.(ArgumentNodeExt), fromPre)
       )
       or
       argumentValueFlowsThrough(toPre, TReadStepTypesNone(), fromPre)
@@ -976,6 +981,14 @@ LocalCallContext getLocalCallContext(CallContext ctx, DataFlowCallable callable)
   else result instanceof LocalCallContextAny
 }
 
+/** A data-flow node that represents a call argument. */
+class ArgumentNodeExt extends Node {
+  ArgumentNodeExt() { argumentNode(this, _, _) }
+
+  /** Holds if this argument occurs at the given position in the given call. */
+  final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }
+}
+
 /**
  * A node from which flow can return to the caller. This is either a regular
  * `ReturnNode` or a `PostUpdateNode` corresponding to the value of a parameter.

From 1112c0f9942f237d362aabd8afc715a5175b949a Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 26 Apr 2021 15:50:00 +0200
Subject: [PATCH 0692/1429] Data flow: Cache `ParameterNode`

---
 .../csharp/dataflow/internal/DataFlowImpl.qll | 74 ++++++++++--------
 .../dataflow/internal/DataFlowImplCommon.qll  | 75 ++++++++++++-------
 2 files changed, 90 insertions(+), 59 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index 53a8ebe2d54..ede9390bace 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -512,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -522,7 +522,7 @@ private module Stage1 {
   private predicate revFlowIn(
     DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
@@ -594,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -660,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -672,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -732,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -941,7 +943,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
     exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
@@ -989,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,7 +1135,7 @@ private module Stage2 {
     DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1196,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1242,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1272,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1582,7 +1586,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
     exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
@@ -1630,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1774,7 +1778,7 @@ private module Stage3 {
     DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1837,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2154,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2299,7 +2305,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
     exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
@@ -2347,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2491,7 +2497,7 @@ private module Stage4 {
     DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2554,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2605,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2626,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3247,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3271,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3567,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3942,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3979,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4036,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4114,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
index f079d878dec..a9a19ed322d 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
@@ -35,22 +35,24 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
  */
 private module LambdaFlow {
-  private predicate viableParamNonLambda(DataFlowCall call, int i, ParameterNode p) {
+  private predicate viableParamNonLambda(DataFlowCall call, int i, ParameterNodeExt p) {
     p.isParameterOf(viableCallable(call), i)
   }
 
-  private predicate viableParamLambda(DataFlowCall call, int i, ParameterNode p) {
+  private predicate viableParamLambda(DataFlowCall call, int i, ParameterNodeExt p) {
     p.isParameterOf(viableCallableLambda(call, _), i)
   }
 
-  private predicate viableParamArgNonLambda(DataFlowCall call, ParameterNode p, ArgumentNodeExt arg) {
+  private predicate viableParamArgNonLambda(
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg
+  ) {
     exists(int i |
       viableParamNonLambda(call, i, p) and
       arg.argumentOf(call, i)
     )
   }
 
-  private predicate viableParamArgLambda(DataFlowCall call, ParameterNode p, ArgumentNodeExt arg) {
+  private predicate viableParamArgLambda(DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg) {
     exists(int i |
       viableParamLambda(call, i, p) and
       arg.argumentOf(call, i)
@@ -176,7 +178,7 @@ private module LambdaFlow {
     )
     or
     // flow into a callable
-    exists(ParameterNode p, DataFlowCallOption lastCall0, DataFlowCall call |
+    exists(ParameterNodeExt p, DataFlowCallOption lastCall0, DataFlowCall call |
       revLambdaFlowIn(lambdaCall, kind, p, t, toJump, lastCall0) and
       (
         if lastCall0 = TDataFlowCallNone() and toJump = false
@@ -227,8 +229,8 @@ private module LambdaFlow {
 
   pragma[nomagic]
   predicate revLambdaFlowIn(
-    DataFlowCall lambdaCall, LambdaCallKind kind, ParameterNode p, DataFlowType t, boolean toJump,
-    DataFlowCallOption lastCall
+    DataFlowCall lambdaCall, LambdaCallKind kind, ParameterNodeExt p, DataFlowType t,
+    boolean toJump, DataFlowCallOption lastCall
   ) {
     revLambdaFlow(lambdaCall, kind, p, t, false, toJump, lastCall)
   }
@@ -283,7 +285,7 @@ private module Cached {
   predicate returnNodeExt(Node n, ReturnKindExt k) {
     k = TValueReturn(n.(ReturnNode).getKind())
     or
-    exists(ParameterNode p, int pos |
+    exists(ParameterNodeExt p, int pos |
       parameterValueFlowsToPreUpdate(p, n) and
       p.isParameterOf(_, pos) and
       k = TParamUpdate(pos)
@@ -296,7 +298,7 @@ private module Cached {
   cached
   predicate castingNode(Node n) {
     castNode(n) or
-    n instanceof ParameterNode or
+    n instanceof ParameterNodeExt or
     n instanceof OutNodeExt or
     // For reads, `x.f`, we want to check that the tracked type after the read (which
     // is obtained by popping the head of the access path stack) is compatible with
@@ -304,6 +306,11 @@ private module Cached {
     read(_, _, n)
   }
 
+  cached
+  predicate parameterNode(Node n, DataFlowCallable c, int i) {
+    n.(ParameterNode).isParameterOf(c, i)
+  }
+
   cached
   predicate argumentNode(Node n, DataFlowCall call, int pos) {
     n.(ArgumentNode).argumentOf(call, pos)
@@ -328,7 +335,7 @@ private module Cached {
    * The instance parameter is considered to have index `-1`.
    */
   pragma[nomagic]
-  private predicate viableParam(DataFlowCall call, int i, ParameterNode p) {
+  private predicate viableParam(DataFlowCall call, int i, ParameterNodeExt p) {
     p.isParameterOf(viableCallableExt(call), i)
   }
 
@@ -337,7 +344,7 @@ private module Cached {
    * dispatch into account.
    */
   cached
-  predicate viableParamArg(DataFlowCall call, ParameterNode p, ArgumentNodeExt arg) {
+  predicate viableParamArg(DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg) {
     exists(int i |
       viableParam(call, i, p) and
       arg.argumentOf(call, i) and
@@ -379,7 +386,7 @@ private module Cached {
        * `read` indicates whether it is contents of `p` that can flow to `node`.
        */
       pragma[nomagic]
-      private predicate parameterValueFlowCand(ParameterNode p, Node node, boolean read) {
+      private predicate parameterValueFlowCand(ParameterNodeExt p, Node node, boolean read) {
         p = node and
         read = false
         or
@@ -410,12 +417,14 @@ private module Cached {
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlowArgCand(ParameterNode p, ArgumentNodeExt arg, boolean read) {
+      private predicate parameterValueFlowArgCand(
+        ParameterNodeExt p, ArgumentNodeExt arg, boolean read
+      ) {
         parameterValueFlowCand(p, arg, read)
       }
 
       pragma[nomagic]
-      predicate parameterValueFlowsToPreUpdateCand(ParameterNode p, PostUpdateNode n) {
+      predicate parameterValueFlowsToPreUpdateCand(ParameterNodeExt p, PostUpdateNode n) {
         parameterValueFlowCand(p, n.getPreUpdateNode(), false)
       }
 
@@ -427,7 +436,7 @@ private module Cached {
        * `read` indicates whether it is contents of `p` that can flow to the return
        * node.
        */
-      predicate parameterValueFlowReturnCand(ParameterNode p, ReturnKind kind, boolean read) {
+      predicate parameterValueFlowReturnCand(ParameterNodeExt p, ReturnKind kind, boolean read) {
         exists(ReturnNode ret |
           parameterValueFlowCand(p, ret, read) and
           kind = ret.getKind()
@@ -438,7 +447,7 @@ private module Cached {
       private predicate argumentValueFlowsThroughCand0(
         DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, boolean read
       ) {
-        exists(ParameterNode param | viableParamArg(call, param, arg) |
+        exists(ParameterNodeExt param | viableParamArg(call, param, arg) |
           parameterValueFlowReturnCand(param, kind, read)
         )
       }
@@ -456,7 +465,7 @@ private module Cached {
         )
       }
 
-      predicate cand(ParameterNode p, Node n) {
+      predicate cand(ParameterNodeExt p, Node n) {
         parameterValueFlowCand(p, n, _) and
         (
           parameterValueFlowReturnCand(p, _, _)
@@ -483,7 +492,7 @@ private module Cached {
        * If a read step was taken, then `read` captures the `Content`, the
        * container type, and the content type.
        */
-      predicate parameterValueFlow(ParameterNode p, Node node, ReadStepTypesOption read) {
+      predicate parameterValueFlow(ParameterNodeExt p, Node node, ReadStepTypesOption read) {
         parameterValueFlow0(p, node, read) and
         if node instanceof CastingNode
         then
@@ -497,7 +506,7 @@ private module Cached {
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlow0(ParameterNode p, Node node, ReadStepTypesOption read) {
+      private predicate parameterValueFlow0(ParameterNodeExt p, Node node, ReadStepTypesOption read) {
         p = node and
         Cand::cand(p, _) and
         read = TReadStepTypesNone()
@@ -522,7 +531,7 @@ private module Cached {
 
       pragma[nomagic]
       private predicate parameterValueFlow0_0(
-        ReadStepTypesOption mustBeNone, ParameterNode p, Node node, ReadStepTypesOption read
+        ReadStepTypesOption mustBeNone, ParameterNodeExt p, Node node, ReadStepTypesOption read
       ) {
         // flow through: no prior read
         exists(ArgumentNodeExt arg |
@@ -539,7 +548,7 @@ private module Cached {
 
       pragma[nomagic]
       private predicate parameterValueFlowArg(
-        ParameterNode p, ArgumentNodeExt arg, ReadStepTypesOption read
+        ParameterNodeExt p, ArgumentNodeExt arg, ReadStepTypesOption read
       ) {
         parameterValueFlow(p, arg, read) and
         Cand::argumentValueFlowsThroughCand(arg, _, _)
@@ -549,7 +558,7 @@ private module Cached {
       private predicate argumentValueFlowsThrough0(
         DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, ReadStepTypesOption read
       ) {
-        exists(ParameterNode param | viableParamArg(call, param, arg) |
+        exists(ParameterNodeExt param | viableParamArg(call, param, arg) |
           parameterValueFlowReturn(param, kind, read)
         )
       }
@@ -596,7 +605,7 @@ private module Cached {
        * container type, and the content type.
        */
       private predicate parameterValueFlowReturn(
-        ParameterNode p, ReturnKind kind, ReadStepTypesOption read
+        ParameterNodeExt p, ReturnKind kind, ReadStepTypesOption read
       ) {
         exists(ReturnNode ret |
           parameterValueFlow(p, ret, read) and
@@ -702,7 +711,7 @@ private module Cached {
    * Holds if `p` can flow to the pre-update node associated with post-update
    * node `n`, in the same callable, using only value-preserving steps.
    */
-  private predicate parameterValueFlowsToPreUpdate(ParameterNode p, PostUpdateNode n) {
+  private predicate parameterValueFlowsToPreUpdate(ParameterNodeExt p, PostUpdateNode n) {
     parameterValueFlow(p, n.getPreUpdateNode(), TReadStepTypesNone())
   }
 
@@ -807,7 +816,7 @@ private module Cached {
   cached
   newtype TReturnKindExt =
     TValueReturn(ReturnKind kind) or
-    TParamUpdate(int pos) { exists(ParameterNode p | p.isParameterOf(_, pos)) }
+    TParamUpdate(int pos) { exists(ParameterNodeExt p | p.isParameterOf(_, pos)) }
 
   cached
   newtype TBooleanOption =
@@ -922,7 +931,7 @@ class CallContextSomeCall extends CallContextCall, TSomeCall {
   override string toString() { result = "CcSomeCall" }
 
   override predicate relevantFor(DataFlowCallable callable) {
-    exists(ParameterNode p | getNodeEnclosingCallable(p) = callable)
+    exists(ParameterNodeExt p | getNodeEnclosingCallable(p) = callable)
   }
 
   override predicate matchesCall(DataFlowCall call) { any() }
@@ -981,6 +990,20 @@ LocalCallContext getLocalCallContext(CallContext ctx, DataFlowCallable callable)
   else result instanceof LocalCallContextAny
 }
 
+/**
+ * The value of a parameter at function entry, viewed as a node in a data
+ * flow graph.
+ */
+class ParameterNodeExt extends Node {
+  ParameterNodeExt() { parameterNode(this, _, _) }
+
+  /**
+   * Holds if this node is the parameter of callable `c` at the specified
+   * (zero-based) position.
+   */
+  predicate isParameterOf(DataFlowCallable c, int i) { parameterNode(this, c, i) }
+}
+
 /** A data-flow node that represents a call argument. */
 class ArgumentNodeExt extends Node {
   ArgumentNodeExt() { argumentNode(this, _, _) }

From 0c8886967bb53b7ac3c5f81b4650aa22fcc09764 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 26 Apr 2021 16:38:17 +0200
Subject: [PATCH 0693/1429] Data flow: Cache `nodeIsHidden`

---
 .../code/csharp/dataflow/internal/DataFlowImpl.qll    |  2 +-
 .../csharp/dataflow/internal/DataFlowImplCommon.qll   | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index ede9390bace..cf83530bcbd 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -2986,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
index a9a19ed322d..b5ceabc605d 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
@@ -244,6 +244,14 @@ private DataFlowCallable viableCallableExt(DataFlowCall call) {
 
 cached
 private module Cached {
+  /**
+   * If needed, call this predicate from `DataFlowImplSpecific.qll` in order to
+   * force a stage-dependency on the `DataFlowImplCommon.qll` stage and therby
+   * collapsing the two stages.
+   */
+  cached
+  predicate forceCachingInSameStage() { any() }
+
   cached
   predicate nodeEnclosingCallable(Node n, DataFlowCallable c) { c = n.getEnclosingCallable() }
 
@@ -271,6 +279,9 @@ private module Cached {
     n.(PostUpdateNode).getPreUpdateNode() instanceof ArgumentNodeExt
   }
 
+  cached
+  predicate hiddenNode(Node n) { nodeIsHidden(n) }
+
   cached
   OutNodeExt getAnOutNodeExt(DataFlowCall call, ReturnKindExt k) {
     result = getAnOutNode(call, k.(ValueReturnKind).getKind())

From 914184f3dd08969b0709104be32287a6779ad243 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 26 Apr 2021 17:02:20 +0200
Subject: [PATCH 0694/1429] Data flow: Sync files

---
 .../cpp/dataflow/internal/DataFlowImpl.qll    | 155 ++++-----
 .../cpp/dataflow/internal/DataFlowImpl2.qll   | 155 ++++-----
 .../cpp/dataflow/internal/DataFlowImpl3.qll   | 155 ++++-----
 .../cpp/dataflow/internal/DataFlowImpl4.qll   | 155 ++++-----
 .../dataflow/internal/DataFlowImplCommon.qll  | 313 +++++++++++-------
 .../dataflow/internal/DataFlowImplLocal.qll   | 155 ++++-----
 .../cpp/ir/dataflow/internal/DataFlowImpl.qll | 155 ++++-----
 .../ir/dataflow/internal/DataFlowImpl2.qll    | 155 ++++-----
 .../ir/dataflow/internal/DataFlowImpl3.qll    | 155 ++++-----
 .../ir/dataflow/internal/DataFlowImpl4.qll    | 155 ++++-----
 .../dataflow/internal/DataFlowImplCommon.qll  | 313 +++++++++++-------
 .../dataflow/internal/DataFlowImpl2.qll       | 155 ++++-----
 .../dataflow/internal/DataFlowImpl3.qll       | 155 ++++-----
 .../dataflow/internal/DataFlowImpl4.qll       | 155 ++++-----
 .../dataflow/internal/DataFlowImpl5.qll       | 155 ++++-----
 .../java/dataflow/internal/DataFlowImpl.qll   | 155 ++++-----
 .../java/dataflow/internal/DataFlowImpl2.qll  | 155 ++++-----
 .../java/dataflow/internal/DataFlowImpl3.qll  | 155 ++++-----
 .../java/dataflow/internal/DataFlowImpl4.qll  | 155 ++++-----
 .../java/dataflow/internal/DataFlowImpl5.qll  | 155 ++++-----
 .../java/dataflow/internal/DataFlowImpl6.qll  | 155 ++++-----
 .../dataflow/internal/DataFlowImplCommon.qll  | 313 +++++++++++-------
 .../dataflow/new/internal/DataFlowImpl.qll    | 155 ++++-----
 .../dataflow/new/internal/DataFlowImpl2.qll   | 155 ++++-----
 .../dataflow/new/internal/DataFlowImpl3.qll   | 155 ++++-----
 .../dataflow/new/internal/DataFlowImpl4.qll   | 155 ++++-----
 .../new/internal/DataFlowImplCommon.qll       | 313 +++++++++++-------
 27 files changed, 2659 insertions(+), 2158 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
index a51c20c2288..b5ceabc605d 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
@@ -35,22 +35,24 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
  */
 private module LambdaFlow {
-  private predicate viableParamNonLambda(DataFlowCall call, int i, ParameterNode p) {
+  private predicate viableParamNonLambda(DataFlowCall call, int i, ParameterNodeExt p) {
     p.isParameterOf(viableCallable(call), i)
   }
 
-  private predicate viableParamLambda(DataFlowCall call, int i, ParameterNode p) {
+  private predicate viableParamLambda(DataFlowCall call, int i, ParameterNodeExt p) {
     p.isParameterOf(viableCallableLambda(call, _), i)
   }
 
-  private predicate viableParamArgNonLambda(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
+  private predicate viableParamArgNonLambda(
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg
+  ) {
     exists(int i |
       viableParamNonLambda(call, i, p) and
       arg.argumentOf(call, i)
     )
   }
 
-  private predicate viableParamArgLambda(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
+  private predicate viableParamArgLambda(DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg) {
     exists(int i |
       viableParamLambda(call, i, p) and
       arg.argumentOf(call, i)
@@ -118,8 +120,8 @@ private module LambdaFlow {
     boolean toJump, DataFlowCallOption lastCall
   ) {
     revLambdaFlow0(lambdaCall, kind, node, t, toReturn, toJump, lastCall) and
-    if node instanceof CastNode or node instanceof ArgumentNode or node instanceof ReturnNode
-    then compatibleTypes(t, getNodeType(node))
+    if castNode(node) or node instanceof ArgumentNodeExt or node instanceof ReturnNode
+    then compatibleTypes(t, getNodeDataFlowType(node))
     else any()
   }
 
@@ -129,7 +131,7 @@ private module LambdaFlow {
     boolean toJump, DataFlowCallOption lastCall
   ) {
     lambdaCall(lambdaCall, kind, node) and
-    t = getNodeType(node) and
+    t = getNodeDataFlowType(node) and
     toReturn = false and
     toJump = false and
     lastCall = TDataFlowCallNone()
@@ -146,7 +148,7 @@ private module LambdaFlow {
         getNodeEnclosingCallable(node) = getNodeEnclosingCallable(mid)
       |
         preservesValue = false and
-        t = getNodeType(node)
+        t = getNodeDataFlowType(node)
         or
         preservesValue = true and
         t = t0
@@ -160,7 +162,7 @@ private module LambdaFlow {
       toJump = true and
       lastCall = TDataFlowCallNone()
     |
-      jumpStep(node, mid) and
+      jumpStepCached(node, mid) and
       t = t0
       or
       exists(boolean preservesValue |
@@ -168,7 +170,7 @@ private module LambdaFlow {
         getNodeEnclosingCallable(node) != getNodeEnclosingCallable(mid)
       |
         preservesValue = false and
-        t = getNodeType(node)
+        t = getNodeDataFlowType(node)
         or
         preservesValue = true and
         t = t0
@@ -176,7 +178,7 @@ private module LambdaFlow {
     )
     or
     // flow into a callable
-    exists(ParameterNode p, DataFlowCallOption lastCall0, DataFlowCall call |
+    exists(ParameterNodeExt p, DataFlowCallOption lastCall0, DataFlowCall call |
       revLambdaFlowIn(lambdaCall, kind, p, t, toJump, lastCall0) and
       (
         if lastCall0 = TDataFlowCallNone() and toJump = false
@@ -227,8 +229,8 @@ private module LambdaFlow {
 
   pragma[nomagic]
   predicate revLambdaFlowIn(
-    DataFlowCall lambdaCall, LambdaCallKind kind, ParameterNode p, DataFlowType t, boolean toJump,
-    DataFlowCallOption lastCall
+    DataFlowCall lambdaCall, LambdaCallKind kind, ParameterNodeExt p, DataFlowType t,
+    boolean toJump, DataFlowCallOption lastCall
   ) {
     revLambdaFlow(lambdaCall, kind, p, t, false, toJump, lastCall)
   }
@@ -242,6 +244,89 @@ private DataFlowCallable viableCallableExt(DataFlowCall call) {
 
 cached
 private module Cached {
+  /**
+   * If needed, call this predicate from `DataFlowImplSpecific.qll` in order to
+   * force a stage-dependency on the `DataFlowImplCommon.qll` stage and therby
+   * collapsing the two stages.
+   */
+  cached
+  predicate forceCachingInSameStage() { any() }
+
+  cached
+  predicate nodeEnclosingCallable(Node n, DataFlowCallable c) { c = n.getEnclosingCallable() }
+
+  cached
+  predicate callEnclosingCallable(DataFlowCall call, DataFlowCallable c) {
+    c = call.getEnclosingCallable()
+  }
+
+  cached
+  predicate nodeDataFlowType(Node n, DataFlowType t) { t = getNodeType(n) }
+
+  cached
+  predicate jumpStepCached(Node node1, Node node2) { jumpStep(node1, node2) }
+
+  cached
+  predicate clearsContentCached(Node n, Content c) { clearsContent(n, c) }
+
+  cached
+  predicate isUnreachableInCallCached(Node n, DataFlowCall call) { isUnreachableInCall(n, call) }
+
+  cached
+  predicate outNodeExt(Node n) {
+    n instanceof OutNode
+    or
+    n.(PostUpdateNode).getPreUpdateNode() instanceof ArgumentNodeExt
+  }
+
+  cached
+  predicate hiddenNode(Node n) { nodeIsHidden(n) }
+
+  cached
+  OutNodeExt getAnOutNodeExt(DataFlowCall call, ReturnKindExt k) {
+    result = getAnOutNode(call, k.(ValueReturnKind).getKind())
+    or
+    exists(ArgumentNodeExt arg |
+      result.(PostUpdateNode).getPreUpdateNode() = arg and
+      arg.argumentOf(call, k.(ParamUpdateReturnKind).getPosition())
+    )
+  }
+
+  cached
+  predicate returnNodeExt(Node n, ReturnKindExt k) {
+    k = TValueReturn(n.(ReturnNode).getKind())
+    or
+    exists(ParameterNodeExt p, int pos |
+      parameterValueFlowsToPreUpdate(p, n) and
+      p.isParameterOf(_, pos) and
+      k = TParamUpdate(pos)
+    )
+  }
+
+  cached
+  predicate castNode(Node n) { n instanceof CastNode }
+
+  cached
+  predicate castingNode(Node n) {
+    castNode(n) or
+    n instanceof ParameterNodeExt or
+    n instanceof OutNodeExt or
+    // For reads, `x.f`, we want to check that the tracked type after the read (which
+    // is obtained by popping the head of the access path stack) is compatible with
+    // the type of `x.f`.
+    read(_, _, n)
+  }
+
+  cached
+  predicate parameterNode(Node n, DataFlowCallable c, int i) {
+    n.(ParameterNode).isParameterOf(c, i)
+  }
+
+  cached
+  predicate argumentNode(Node n, DataFlowCall call, int pos) {
+    n.(ArgumentNode).argumentOf(call, pos)
+  }
+
   /**
    * Gets a viable target for the lambda call `call`.
    *
@@ -261,7 +346,7 @@ private module Cached {
    * The instance parameter is considered to have index `-1`.
    */
   pragma[nomagic]
-  private predicate viableParam(DataFlowCall call, int i, ParameterNode p) {
+  private predicate viableParam(DataFlowCall call, int i, ParameterNodeExt p) {
     p.isParameterOf(viableCallableExt(call), i)
   }
 
@@ -270,11 +355,11 @@ private module Cached {
    * dispatch into account.
    */
   cached
-  predicate viableParamArg(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
+  predicate viableParamArg(DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg) {
     exists(int i |
       viableParam(call, i, p) and
       arg.argumentOf(call, i) and
-      compatibleTypes(getNodeType(arg), getNodeType(p))
+      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
     )
   }
 
@@ -312,7 +397,7 @@ private module Cached {
        * `read` indicates whether it is contents of `p` that can flow to `node`.
        */
       pragma[nomagic]
-      private predicate parameterValueFlowCand(ParameterNode p, Node node, boolean read) {
+      private predicate parameterValueFlowCand(ParameterNodeExt p, Node node, boolean read) {
         p = node and
         read = false
         or
@@ -325,30 +410,32 @@ private module Cached {
         // read
         exists(Node mid |
           parameterValueFlowCand(p, mid, false) and
-          readStep(mid, _, node) and
+          read(mid, _, node) and
           read = true
         )
         or
         // flow through: no prior read
-        exists(ArgumentNode arg |
+        exists(ArgumentNodeExt arg |
           parameterValueFlowArgCand(p, arg, false) and
           argumentValueFlowsThroughCand(arg, node, read)
         )
         or
         // flow through: no read inside method
-        exists(ArgumentNode arg |
+        exists(ArgumentNodeExt arg |
           parameterValueFlowArgCand(p, arg, read) and
           argumentValueFlowsThroughCand(arg, node, false)
         )
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlowArgCand(ParameterNode p, ArgumentNode arg, boolean read) {
+      private predicate parameterValueFlowArgCand(
+        ParameterNodeExt p, ArgumentNodeExt arg, boolean read
+      ) {
         parameterValueFlowCand(p, arg, read)
       }
 
       pragma[nomagic]
-      predicate parameterValueFlowsToPreUpdateCand(ParameterNode p, PostUpdateNode n) {
+      predicate parameterValueFlowsToPreUpdateCand(ParameterNodeExt p, PostUpdateNode n) {
         parameterValueFlowCand(p, n.getPreUpdateNode(), false)
       }
 
@@ -360,7 +447,7 @@ private module Cached {
        * `read` indicates whether it is contents of `p` that can flow to the return
        * node.
        */
-      predicate parameterValueFlowReturnCand(ParameterNode p, ReturnKind kind, boolean read) {
+      predicate parameterValueFlowReturnCand(ParameterNodeExt p, ReturnKind kind, boolean read) {
         exists(ReturnNode ret |
           parameterValueFlowCand(p, ret, read) and
           kind = ret.getKind()
@@ -369,9 +456,9 @@ private module Cached {
 
       pragma[nomagic]
       private predicate argumentValueFlowsThroughCand0(
-        DataFlowCall call, ArgumentNode arg, ReturnKind kind, boolean read
+        DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, boolean read
       ) {
-        exists(ParameterNode param | viableParamArg(call, param, arg) |
+        exists(ParameterNodeExt param | viableParamArg(call, param, arg) |
           parameterValueFlowReturnCand(param, kind, read)
         )
       }
@@ -382,14 +469,14 @@ private module Cached {
        *
        * `read` indicates whether it is contents of `arg` that can flow to `out`.
        */
-      predicate argumentValueFlowsThroughCand(ArgumentNode arg, Node out, boolean read) {
+      predicate argumentValueFlowsThroughCand(ArgumentNodeExt arg, Node out, boolean read) {
         exists(DataFlowCall call, ReturnKind kind |
           argumentValueFlowsThroughCand0(call, arg, kind, read) and
           out = getAnOutNode(call, kind)
         )
       }
 
-      predicate cand(ParameterNode p, Node n) {
+      predicate cand(ParameterNodeExt p, Node n) {
         parameterValueFlowCand(p, n, _) and
         (
           parameterValueFlowReturnCand(p, _, _)
@@ -416,21 +503,21 @@ private module Cached {
        * If a read step was taken, then `read` captures the `Content`, the
        * container type, and the content type.
        */
-      predicate parameterValueFlow(ParameterNode p, Node node, ReadStepTypesOption read) {
+      predicate parameterValueFlow(ParameterNodeExt p, Node node, ReadStepTypesOption read) {
         parameterValueFlow0(p, node, read) and
         if node instanceof CastingNode
         then
           // normal flow through
           read = TReadStepTypesNone() and
-          compatibleTypes(getNodeType(p), getNodeType(node))
+          compatibleTypes(getNodeDataFlowType(p), getNodeDataFlowType(node))
           or
           // getter
-          compatibleTypes(read.getContentType(), getNodeType(node))
+          compatibleTypes(read.getContentType(), getNodeDataFlowType(node))
         else any()
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlow0(ParameterNode p, Node node, ReadStepTypesOption read) {
+      private predicate parameterValueFlow0(ParameterNodeExt p, Node node, ReadStepTypesOption read) {
         p = node and
         Cand::cand(p, _) and
         read = TReadStepTypesNone()
@@ -447,7 +534,7 @@ private module Cached {
           readStepWithTypes(mid, read.getContainerType(), read.getContent(), node,
             read.getContentType()) and
           Cand::parameterValueFlowReturnCand(p, _, true) and
-          compatibleTypes(getNodeType(p), read.getContainerType())
+          compatibleTypes(getNodeDataFlowType(p), read.getContainerType())
         )
         or
         parameterValueFlow0_0(TReadStepTypesNone(), p, node, read)
@@ -455,16 +542,16 @@ private module Cached {
 
       pragma[nomagic]
       private predicate parameterValueFlow0_0(
-        ReadStepTypesOption mustBeNone, ParameterNode p, Node node, ReadStepTypesOption read
+        ReadStepTypesOption mustBeNone, ParameterNodeExt p, Node node, ReadStepTypesOption read
       ) {
         // flow through: no prior read
-        exists(ArgumentNode arg |
+        exists(ArgumentNodeExt arg |
           parameterValueFlowArg(p, arg, mustBeNone) and
           argumentValueFlowsThrough(arg, read, node)
         )
         or
         // flow through: no read inside method
-        exists(ArgumentNode arg |
+        exists(ArgumentNodeExt arg |
           parameterValueFlowArg(p, arg, read) and
           argumentValueFlowsThrough(arg, mustBeNone, node)
         )
@@ -472,7 +559,7 @@ private module Cached {
 
       pragma[nomagic]
       private predicate parameterValueFlowArg(
-        ParameterNode p, ArgumentNode arg, ReadStepTypesOption read
+        ParameterNodeExt p, ArgumentNodeExt arg, ReadStepTypesOption read
       ) {
         parameterValueFlow(p, arg, read) and
         Cand::argumentValueFlowsThroughCand(arg, _, _)
@@ -480,9 +567,9 @@ private module Cached {
 
       pragma[nomagic]
       private predicate argumentValueFlowsThrough0(
-        DataFlowCall call, ArgumentNode arg, ReturnKind kind, ReadStepTypesOption read
+        DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, ReadStepTypesOption read
       ) {
-        exists(ParameterNode param | viableParamArg(call, param, arg) |
+        exists(ParameterNodeExt param | viableParamArg(call, param, arg) |
           parameterValueFlowReturn(param, kind, read)
         )
       }
@@ -496,18 +583,18 @@ private module Cached {
        * container type, and the content type.
        */
       pragma[nomagic]
-      predicate argumentValueFlowsThrough(ArgumentNode arg, ReadStepTypesOption read, Node out) {
+      predicate argumentValueFlowsThrough(ArgumentNodeExt arg, ReadStepTypesOption read, Node out) {
         exists(DataFlowCall call, ReturnKind kind |
           argumentValueFlowsThrough0(call, arg, kind, read) and
           out = getAnOutNode(call, kind)
         |
           // normal flow through
           read = TReadStepTypesNone() and
-          compatibleTypes(getNodeType(arg), getNodeType(out))
+          compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(out))
           or
           // getter
-          compatibleTypes(getNodeType(arg), read.getContainerType()) and
-          compatibleTypes(read.getContentType(), getNodeType(out))
+          compatibleTypes(getNodeDataFlowType(arg), read.getContainerType()) and
+          compatibleTypes(read.getContentType(), getNodeDataFlowType(out))
         )
       }
 
@@ -516,7 +603,7 @@ private module Cached {
        * value-preserving steps and a single read step, not taking call
        * contexts into account, thus representing a getter-step.
        */
-      predicate getterStep(ArgumentNode arg, Content c, Node out) {
+      predicate getterStep(ArgumentNodeExt arg, Content c, Node out) {
         argumentValueFlowsThrough(arg, TReadStepTypesSome(_, c, _), out)
       }
 
@@ -529,7 +616,7 @@ private module Cached {
        * container type, and the content type.
        */
       private predicate parameterValueFlowReturn(
-        ParameterNode p, ReturnKind kind, ReadStepTypesOption read
+        ParameterNodeExt p, ReturnKind kind, ReadStepTypesOption read
       ) {
         exists(ReturnNode ret |
           parameterValueFlow(p, ret, read) and
@@ -553,7 +640,7 @@ private module Cached {
     private predicate mayBenefitFromCallContextExt(DataFlowCall call, DataFlowCallable callable) {
       mayBenefitFromCallContext(call, callable)
       or
-      callable = call.getEnclosingCallable() and
+      callEnclosingCallable(call, callable) and
       exists(viableCallableLambda(call, TDataFlowCallSome(_)))
     }
 
@@ -611,7 +698,7 @@ private module Cached {
         mayBenefitFromCallContextExt(call, _) and
         c = viableCallableExt(call) and
         ctxtgts = count(DataFlowCall ctx | c = viableImplInCallContextExt(call, ctx)) and
-        tgts = strictcount(DataFlowCall ctx | viableCallableExt(ctx) = call.getEnclosingCallable()) and
+        tgts = strictcount(DataFlowCall ctx | callEnclosingCallable(call, viableCallableExt(ctx))) and
         ctxtgts < tgts
       )
     }
@@ -635,8 +722,7 @@ private module Cached {
    * Holds if `p` can flow to the pre-update node associated with post-update
    * node `n`, in the same callable, using only value-preserving steps.
    */
-  cached
-  predicate parameterValueFlowsToPreUpdate(ParameterNode p, PostUpdateNode n) {
+  private predicate parameterValueFlowsToPreUpdate(ParameterNodeExt p, PostUpdateNode n) {
     parameterValueFlow(p, n.getPreUpdateNode(), TReadStepTypesNone())
   }
 
@@ -644,9 +730,9 @@ private module Cached {
     Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
   ) {
     storeStep(node1, c, node2) and
-    readStep(_, c, _) and
-    contentType = getNodeType(node1) and
-    containerType = getNodeType(node2)
+    read(_, c, _) and
+    contentType = getNodeDataFlowType(node1) and
+    containerType = getNodeDataFlowType(node2)
     or
     exists(Node n1, Node n2 |
       n1 = node1.(PostUpdateNode).getPreUpdateNode() and
@@ -654,12 +740,15 @@ private module Cached {
     |
       argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, c, contentType), n1)
       or
-      readStep(n2, c, n1) and
-      contentType = getNodeType(n1) and
-      containerType = getNodeType(n2)
+      read(n2, c, n1) and
+      contentType = getNodeDataFlowType(n1) and
+      containerType = getNodeDataFlowType(n2)
     )
   }
 
+  cached
+  predicate read(Node node1, Content c, Node node2) { readStep(node1, c, node2) }
+
   /**
    * Holds if data can flow from `node1` to `node2` via a direct assignment to
    * `f`.
@@ -678,8 +767,9 @@ private module Cached {
    * are aliases. A typical example is a function returning `this`, implementing a fluent
    * interface.
    */
-  cached
-  predicate reverseStepThroughInputOutputAlias(PostUpdateNode fromNode, PostUpdateNode toNode) {
+  private predicate reverseStepThroughInputOutputAlias(
+    PostUpdateNode fromNode, PostUpdateNode toNode
+  ) {
     exists(Node fromPre, Node toPre |
       fromPre = fromNode.getPreUpdateNode() and
       toPre = toNode.getPreUpdateNode()
@@ -688,14 +778,20 @@ private module Cached {
         // Does the language-specific simpleLocalFlowStep already model flow
         // from function input to output?
         fromPre = getAnOutNode(c, _) and
-        toPre.(ArgumentNode).argumentOf(c, _) and
-        simpleLocalFlowStep(toPre.(ArgumentNode), fromPre)
+        toPre.(ArgumentNodeExt).argumentOf(c, _) and
+        simpleLocalFlowStep(toPre.(ArgumentNodeExt), fromPre)
       )
       or
       argumentValueFlowsThrough(toPre, TReadStepTypesNone(), fromPre)
     )
   }
 
+  cached
+  predicate simpleLocalFlowStepExt(Node node1, Node node2) {
+    simpleLocalFlowStep(node1, node2) or
+    reverseStepThroughInputOutputAlias(node1, node2)
+  }
+
   /**
    * Holds if the call context `call` either improves virtual dispatch in
    * `callable` or if it allows us to prune unreachable nodes in `callable`.
@@ -704,7 +800,7 @@ private module Cached {
   predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) {
     reducedViableImplInCallContext(_, callable, call)
     or
-    exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCall(n, call))
+    exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCallCached(n, call))
   }
 
   cached
@@ -726,12 +822,12 @@ private module Cached {
   cached
   newtype TLocalFlowCallContext =
     TAnyLocalCall() or
-    TSpecificLocalCall(DataFlowCall call) { isUnreachableInCall(_, call) }
+    TSpecificLocalCall(DataFlowCall call) { isUnreachableInCallCached(_, call) }
 
   cached
   newtype TReturnKindExt =
     TValueReturn(ReturnKind kind) or
-    TParamUpdate(int pos) { exists(ParameterNode p | p.isParameterOf(_, pos)) }
+    TParamUpdate(int pos) { exists(ParameterNodeExt p | p.isParameterOf(_, pos)) }
 
   cached
   newtype TBooleanOption =
@@ -761,23 +857,15 @@ private module Cached {
  * A `Node` at which a cast can occur such that the type should be checked.
  */
 class CastingNode extends Node {
-  CastingNode() {
-    this instanceof ParameterNode or
-    this instanceof CastNode or
-    this instanceof OutNodeExt or
-    // For reads, `x.f`, we want to check that the tracked type after the read (which
-    // is obtained by popping the head of the access path stack) is compatible with
-    // the type of `x.f`.
-    readStep(_, _, this)
-  }
+  CastingNode() { castingNode(this) }
 }
 
 private predicate readStepWithTypes(
   Node n1, DataFlowType container, Content c, Node n2, DataFlowType content
 ) {
-  readStep(n1, c, n2) and
-  container = getNodeType(n1) and
-  content = getNodeType(n2)
+  read(n1, c, n2) and
+  container = getNodeDataFlowType(n1) and
+  content = getNodeDataFlowType(n2)
 }
 
 private newtype TReadStepTypesOption =
@@ -854,7 +942,7 @@ class CallContextSomeCall extends CallContextCall, TSomeCall {
   override string toString() { result = "CcSomeCall" }
 
   override predicate relevantFor(DataFlowCallable callable) {
-    exists(ParameterNode p | getNodeEnclosingCallable(p) = callable)
+    exists(ParameterNodeExt p | getNodeEnclosingCallable(p) = callable)
   }
 
   override predicate matchesCall(DataFlowCall call) { any() }
@@ -866,7 +954,7 @@ class CallContextReturn extends CallContextNoCall, TReturn {
   }
 
   override predicate relevantFor(DataFlowCallable callable) {
-    exists(DataFlowCall call | this = TReturn(_, call) and call.getEnclosingCallable() = callable)
+    exists(DataFlowCall call | this = TReturn(_, call) and callEnclosingCallable(call, callable))
   }
 }
 
@@ -899,7 +987,7 @@ class LocalCallContextSpecificCall extends LocalCallContext, TSpecificLocalCall
 }
 
 private predicate relevantLocalCCtx(DataFlowCall call, DataFlowCallable callable) {
-  exists(Node n | getNodeEnclosingCallable(n) = callable and isUnreachableInCall(n, call))
+  exists(Node n | getNodeEnclosingCallable(n) = callable and isUnreachableInCallCached(n, call))
 }
 
 /**
@@ -913,26 +1001,37 @@ LocalCallContext getLocalCallContext(CallContext ctx, DataFlowCallable callable)
   else result instanceof LocalCallContextAny
 }
 
+/**
+ * The value of a parameter at function entry, viewed as a node in a data
+ * flow graph.
+ */
+class ParameterNodeExt extends Node {
+  ParameterNodeExt() { parameterNode(this, _, _) }
+
+  /**
+   * Holds if this node is the parameter of callable `c` at the specified
+   * (zero-based) position.
+   */
+  predicate isParameterOf(DataFlowCallable c, int i) { parameterNode(this, c, i) }
+}
+
+/** A data-flow node that represents a call argument. */
+class ArgumentNodeExt extends Node {
+  ArgumentNodeExt() { argumentNode(this, _, _) }
+
+  /** Holds if this argument occurs at the given position in the given call. */
+  final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }
+}
+
 /**
  * A node from which flow can return to the caller. This is either a regular
  * `ReturnNode` or a `PostUpdateNode` corresponding to the value of a parameter.
  */
 class ReturnNodeExt extends Node {
-  ReturnNodeExt() {
-    this instanceof ReturnNode or
-    parameterValueFlowsToPreUpdate(_, this)
-  }
+  ReturnNodeExt() { returnNodeExt(this, _) }
 
   /** Gets the kind of this returned value. */
-  ReturnKindExt getKind() {
-    result = TValueReturn(this.(ReturnNode).getKind())
-    or
-    exists(ParameterNode p, int pos |
-      parameterValueFlowsToPreUpdate(p, this) and
-      p.isParameterOf(_, pos) and
-      result = TParamUpdate(pos)
-    )
-  }
+  ReturnKindExt getKind() { returnNodeExt(this, result) }
 }
 
 /**
@@ -940,11 +1039,7 @@ class ReturnNodeExt extends Node {
  * or a post-update node associated with a call argument.
  */
 class OutNodeExt extends Node {
-  OutNodeExt() {
-    this instanceof OutNode
-    or
-    this.(PostUpdateNode).getPreUpdateNode() instanceof ArgumentNode
-  }
+  OutNodeExt() { outNodeExt(this) }
 }
 
 /**
@@ -957,7 +1052,7 @@ abstract class ReturnKindExt extends TReturnKindExt {
   abstract string toString();
 
   /** Gets a node corresponding to data flow out of `call`. */
-  abstract OutNodeExt getAnOutNode(DataFlowCall call);
+  final OutNodeExt getAnOutNode(DataFlowCall call) { result = getAnOutNodeExt(call, this) }
 }
 
 class ValueReturnKind extends ReturnKindExt, TValueReturn {
@@ -968,10 +1063,6 @@ class ValueReturnKind extends ReturnKindExt, TValueReturn {
   ReturnKind getKind() { result = kind }
 
   override string toString() { result = kind.toString() }
-
-  override OutNodeExt getAnOutNode(DataFlowCall call) {
-    result = getAnOutNode(call, this.getKind())
-  }
 }
 
 class ParamUpdateReturnKind extends ReturnKindExt, TParamUpdate {
@@ -982,13 +1073,6 @@ class ParamUpdateReturnKind extends ReturnKindExt, TParamUpdate {
   int getPosition() { result = pos }
 
   override string toString() { result = "param update " + pos }
-
-  override OutNodeExt getAnOutNode(DataFlowCall call) {
-    exists(ArgumentNode arg |
-      result.(PostUpdateNode).getPreUpdateNode() = arg and
-      arg.argumentOf(call, this.getPosition())
-    )
-  }
 }
 
 /** A callable tagged with a relevant return kind. */
@@ -1015,10 +1099,13 @@ class ReturnPosition extends TReturnPosition0 {
  */
 pragma[inline]
 DataFlowCallable getNodeEnclosingCallable(Node n) {
-  exists(Node n0 |
-    pragma[only_bind_into](n0) = n and
-    pragma[only_bind_into](result) = n0.getEnclosingCallable()
-  )
+  nodeEnclosingCallable(pragma[only_bind_out](n), pragma[only_bind_into](result))
+}
+
+/** Gets the type of `n` used for type pruning. */
+pragma[inline]
+DataFlowType getNodeDataFlowType(Node n) {
+  nodeDataFlowType(pragma[only_bind_out](n), pragma[only_bind_into](result))
 }
 
 pragma[noinline]
@@ -1042,7 +1129,7 @@ predicate resolveReturn(CallContext cc, DataFlowCallable callable, DataFlowCall
   cc instanceof CallContextAny and callable = viableCallableExt(call)
   or
   exists(DataFlowCallable c0, DataFlowCall call0 |
-    call0.getEnclosingCallable() = callable and
+    callEnclosingCallable(call0, callable) and
     cc = TReturn(c0, call0) and
     c0 = prunedViableImplInCallContextReverse(call0, call)
   )
@@ -1063,8 +1150,6 @@ DataFlowCallable resolveCall(DataFlowCall call, CallContext cc) {
   result = viableCallableExt(call) and cc instanceof CallContextReturn
 }
 
-predicate read = readStep/3;
-
 /** An optional Boolean value. */
 class BooleanOption extends TBooleanOption {
   string toString() {
@@ -1116,7 +1201,7 @@ abstract class AccessPathFront extends TAccessPathFront {
 
   TypedContent getHead() { this = TFrontHead(result) }
 
-  predicate isClearedAt(Node n) { clearsContent(n, getHead().getContent()) }
+  predicate isClearedAt(Node n) { clearsContentCached(n, getHead().getContent()) }
 }
 
 class AccessPathFrontNil extends AccessPathFront, TFrontNil {
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
index a51c20c2288..b5ceabc605d 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
@@ -35,22 +35,24 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
  */
 private module LambdaFlow {
-  private predicate viableParamNonLambda(DataFlowCall call, int i, ParameterNode p) {
+  private predicate viableParamNonLambda(DataFlowCall call, int i, ParameterNodeExt p) {
     p.isParameterOf(viableCallable(call), i)
   }
 
-  private predicate viableParamLambda(DataFlowCall call, int i, ParameterNode p) {
+  private predicate viableParamLambda(DataFlowCall call, int i, ParameterNodeExt p) {
     p.isParameterOf(viableCallableLambda(call, _), i)
   }
 
-  private predicate viableParamArgNonLambda(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
+  private predicate viableParamArgNonLambda(
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg
+  ) {
     exists(int i |
       viableParamNonLambda(call, i, p) and
       arg.argumentOf(call, i)
     )
   }
 
-  private predicate viableParamArgLambda(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
+  private predicate viableParamArgLambda(DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg) {
     exists(int i |
       viableParamLambda(call, i, p) and
       arg.argumentOf(call, i)
@@ -118,8 +120,8 @@ private module LambdaFlow {
     boolean toJump, DataFlowCallOption lastCall
   ) {
     revLambdaFlow0(lambdaCall, kind, node, t, toReturn, toJump, lastCall) and
-    if node instanceof CastNode or node instanceof ArgumentNode or node instanceof ReturnNode
-    then compatibleTypes(t, getNodeType(node))
+    if castNode(node) or node instanceof ArgumentNodeExt or node instanceof ReturnNode
+    then compatibleTypes(t, getNodeDataFlowType(node))
     else any()
   }
 
@@ -129,7 +131,7 @@ private module LambdaFlow {
     boolean toJump, DataFlowCallOption lastCall
   ) {
     lambdaCall(lambdaCall, kind, node) and
-    t = getNodeType(node) and
+    t = getNodeDataFlowType(node) and
     toReturn = false and
     toJump = false and
     lastCall = TDataFlowCallNone()
@@ -146,7 +148,7 @@ private module LambdaFlow {
         getNodeEnclosingCallable(node) = getNodeEnclosingCallable(mid)
       |
         preservesValue = false and
-        t = getNodeType(node)
+        t = getNodeDataFlowType(node)
         or
         preservesValue = true and
         t = t0
@@ -160,7 +162,7 @@ private module LambdaFlow {
       toJump = true and
       lastCall = TDataFlowCallNone()
     |
-      jumpStep(node, mid) and
+      jumpStepCached(node, mid) and
       t = t0
       or
       exists(boolean preservesValue |
@@ -168,7 +170,7 @@ private module LambdaFlow {
         getNodeEnclosingCallable(node) != getNodeEnclosingCallable(mid)
       |
         preservesValue = false and
-        t = getNodeType(node)
+        t = getNodeDataFlowType(node)
         or
         preservesValue = true and
         t = t0
@@ -176,7 +178,7 @@ private module LambdaFlow {
     )
     or
     // flow into a callable
-    exists(ParameterNode p, DataFlowCallOption lastCall0, DataFlowCall call |
+    exists(ParameterNodeExt p, DataFlowCallOption lastCall0, DataFlowCall call |
       revLambdaFlowIn(lambdaCall, kind, p, t, toJump, lastCall0) and
       (
         if lastCall0 = TDataFlowCallNone() and toJump = false
@@ -227,8 +229,8 @@ private module LambdaFlow {
 
   pragma[nomagic]
   predicate revLambdaFlowIn(
-    DataFlowCall lambdaCall, LambdaCallKind kind, ParameterNode p, DataFlowType t, boolean toJump,
-    DataFlowCallOption lastCall
+    DataFlowCall lambdaCall, LambdaCallKind kind, ParameterNodeExt p, DataFlowType t,
+    boolean toJump, DataFlowCallOption lastCall
   ) {
     revLambdaFlow(lambdaCall, kind, p, t, false, toJump, lastCall)
   }
@@ -242,6 +244,89 @@ private DataFlowCallable viableCallableExt(DataFlowCall call) {
 
 cached
 private module Cached {
+  /**
+   * If needed, call this predicate from `DataFlowImplSpecific.qll` in order to
+   * force a stage-dependency on the `DataFlowImplCommon.qll` stage and therby
+   * collapsing the two stages.
+   */
+  cached
+  predicate forceCachingInSameStage() { any() }
+
+  cached
+  predicate nodeEnclosingCallable(Node n, DataFlowCallable c) { c = n.getEnclosingCallable() }
+
+  cached
+  predicate callEnclosingCallable(DataFlowCall call, DataFlowCallable c) {
+    c = call.getEnclosingCallable()
+  }
+
+  cached
+  predicate nodeDataFlowType(Node n, DataFlowType t) { t = getNodeType(n) }
+
+  cached
+  predicate jumpStepCached(Node node1, Node node2) { jumpStep(node1, node2) }
+
+  cached
+  predicate clearsContentCached(Node n, Content c) { clearsContent(n, c) }
+
+  cached
+  predicate isUnreachableInCallCached(Node n, DataFlowCall call) { isUnreachableInCall(n, call) }
+
+  cached
+  predicate outNodeExt(Node n) {
+    n instanceof OutNode
+    or
+    n.(PostUpdateNode).getPreUpdateNode() instanceof ArgumentNodeExt
+  }
+
+  cached
+  predicate hiddenNode(Node n) { nodeIsHidden(n) }
+
+  cached
+  OutNodeExt getAnOutNodeExt(DataFlowCall call, ReturnKindExt k) {
+    result = getAnOutNode(call, k.(ValueReturnKind).getKind())
+    or
+    exists(ArgumentNodeExt arg |
+      result.(PostUpdateNode).getPreUpdateNode() = arg and
+      arg.argumentOf(call, k.(ParamUpdateReturnKind).getPosition())
+    )
+  }
+
+  cached
+  predicate returnNodeExt(Node n, ReturnKindExt k) {
+    k = TValueReturn(n.(ReturnNode).getKind())
+    or
+    exists(ParameterNodeExt p, int pos |
+      parameterValueFlowsToPreUpdate(p, n) and
+      p.isParameterOf(_, pos) and
+      k = TParamUpdate(pos)
+    )
+  }
+
+  cached
+  predicate castNode(Node n) { n instanceof CastNode }
+
+  cached
+  predicate castingNode(Node n) {
+    castNode(n) or
+    n instanceof ParameterNodeExt or
+    n instanceof OutNodeExt or
+    // For reads, `x.f`, we want to check that the tracked type after the read (which
+    // is obtained by popping the head of the access path stack) is compatible with
+    // the type of `x.f`.
+    read(_, _, n)
+  }
+
+  cached
+  predicate parameterNode(Node n, DataFlowCallable c, int i) {
+    n.(ParameterNode).isParameterOf(c, i)
+  }
+
+  cached
+  predicate argumentNode(Node n, DataFlowCall call, int pos) {
+    n.(ArgumentNode).argumentOf(call, pos)
+  }
+
   /**
    * Gets a viable target for the lambda call `call`.
    *
@@ -261,7 +346,7 @@ private module Cached {
    * The instance parameter is considered to have index `-1`.
    */
   pragma[nomagic]
-  private predicate viableParam(DataFlowCall call, int i, ParameterNode p) {
+  private predicate viableParam(DataFlowCall call, int i, ParameterNodeExt p) {
     p.isParameterOf(viableCallableExt(call), i)
   }
 
@@ -270,11 +355,11 @@ private module Cached {
    * dispatch into account.
    */
   cached
-  predicate viableParamArg(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
+  predicate viableParamArg(DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg) {
     exists(int i |
       viableParam(call, i, p) and
       arg.argumentOf(call, i) and
-      compatibleTypes(getNodeType(arg), getNodeType(p))
+      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
     )
   }
 
@@ -312,7 +397,7 @@ private module Cached {
        * `read` indicates whether it is contents of `p` that can flow to `node`.
        */
       pragma[nomagic]
-      private predicate parameterValueFlowCand(ParameterNode p, Node node, boolean read) {
+      private predicate parameterValueFlowCand(ParameterNodeExt p, Node node, boolean read) {
         p = node and
         read = false
         or
@@ -325,30 +410,32 @@ private module Cached {
         // read
         exists(Node mid |
           parameterValueFlowCand(p, mid, false) and
-          readStep(mid, _, node) and
+          read(mid, _, node) and
           read = true
         )
         or
         // flow through: no prior read
-        exists(ArgumentNode arg |
+        exists(ArgumentNodeExt arg |
           parameterValueFlowArgCand(p, arg, false) and
           argumentValueFlowsThroughCand(arg, node, read)
         )
         or
         // flow through: no read inside method
-        exists(ArgumentNode arg |
+        exists(ArgumentNodeExt arg |
           parameterValueFlowArgCand(p, arg, read) and
           argumentValueFlowsThroughCand(arg, node, false)
         )
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlowArgCand(ParameterNode p, ArgumentNode arg, boolean read) {
+      private predicate parameterValueFlowArgCand(
+        ParameterNodeExt p, ArgumentNodeExt arg, boolean read
+      ) {
         parameterValueFlowCand(p, arg, read)
       }
 
       pragma[nomagic]
-      predicate parameterValueFlowsToPreUpdateCand(ParameterNode p, PostUpdateNode n) {
+      predicate parameterValueFlowsToPreUpdateCand(ParameterNodeExt p, PostUpdateNode n) {
         parameterValueFlowCand(p, n.getPreUpdateNode(), false)
       }
 
@@ -360,7 +447,7 @@ private module Cached {
        * `read` indicates whether it is contents of `p` that can flow to the return
        * node.
        */
-      predicate parameterValueFlowReturnCand(ParameterNode p, ReturnKind kind, boolean read) {
+      predicate parameterValueFlowReturnCand(ParameterNodeExt p, ReturnKind kind, boolean read) {
         exists(ReturnNode ret |
           parameterValueFlowCand(p, ret, read) and
           kind = ret.getKind()
@@ -369,9 +456,9 @@ private module Cached {
 
       pragma[nomagic]
       private predicate argumentValueFlowsThroughCand0(
-        DataFlowCall call, ArgumentNode arg, ReturnKind kind, boolean read
+        DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, boolean read
       ) {
-        exists(ParameterNode param | viableParamArg(call, param, arg) |
+        exists(ParameterNodeExt param | viableParamArg(call, param, arg) |
           parameterValueFlowReturnCand(param, kind, read)
         )
       }
@@ -382,14 +469,14 @@ private module Cached {
        *
        * `read` indicates whether it is contents of `arg` that can flow to `out`.
        */
-      predicate argumentValueFlowsThroughCand(ArgumentNode arg, Node out, boolean read) {
+      predicate argumentValueFlowsThroughCand(ArgumentNodeExt arg, Node out, boolean read) {
         exists(DataFlowCall call, ReturnKind kind |
           argumentValueFlowsThroughCand0(call, arg, kind, read) and
           out = getAnOutNode(call, kind)
         )
       }
 
-      predicate cand(ParameterNode p, Node n) {
+      predicate cand(ParameterNodeExt p, Node n) {
         parameterValueFlowCand(p, n, _) and
         (
           parameterValueFlowReturnCand(p, _, _)
@@ -416,21 +503,21 @@ private module Cached {
        * If a read step was taken, then `read` captures the `Content`, the
        * container type, and the content type.
        */
-      predicate parameterValueFlow(ParameterNode p, Node node, ReadStepTypesOption read) {
+      predicate parameterValueFlow(ParameterNodeExt p, Node node, ReadStepTypesOption read) {
         parameterValueFlow0(p, node, read) and
         if node instanceof CastingNode
         then
           // normal flow through
           read = TReadStepTypesNone() and
-          compatibleTypes(getNodeType(p), getNodeType(node))
+          compatibleTypes(getNodeDataFlowType(p), getNodeDataFlowType(node))
           or
           // getter
-          compatibleTypes(read.getContentType(), getNodeType(node))
+          compatibleTypes(read.getContentType(), getNodeDataFlowType(node))
         else any()
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlow0(ParameterNode p, Node node, ReadStepTypesOption read) {
+      private predicate parameterValueFlow0(ParameterNodeExt p, Node node, ReadStepTypesOption read) {
         p = node and
         Cand::cand(p, _) and
         read = TReadStepTypesNone()
@@ -447,7 +534,7 @@ private module Cached {
           readStepWithTypes(mid, read.getContainerType(), read.getContent(), node,
             read.getContentType()) and
           Cand::parameterValueFlowReturnCand(p, _, true) and
-          compatibleTypes(getNodeType(p), read.getContainerType())
+          compatibleTypes(getNodeDataFlowType(p), read.getContainerType())
         )
         or
         parameterValueFlow0_0(TReadStepTypesNone(), p, node, read)
@@ -455,16 +542,16 @@ private module Cached {
 
       pragma[nomagic]
       private predicate parameterValueFlow0_0(
-        ReadStepTypesOption mustBeNone, ParameterNode p, Node node, ReadStepTypesOption read
+        ReadStepTypesOption mustBeNone, ParameterNodeExt p, Node node, ReadStepTypesOption read
       ) {
         // flow through: no prior read
-        exists(ArgumentNode arg |
+        exists(ArgumentNodeExt arg |
           parameterValueFlowArg(p, arg, mustBeNone) and
           argumentValueFlowsThrough(arg, read, node)
         )
         or
         // flow through: no read inside method
-        exists(ArgumentNode arg |
+        exists(ArgumentNodeExt arg |
           parameterValueFlowArg(p, arg, read) and
           argumentValueFlowsThrough(arg, mustBeNone, node)
         )
@@ -472,7 +559,7 @@ private module Cached {
 
       pragma[nomagic]
       private predicate parameterValueFlowArg(
-        ParameterNode p, ArgumentNode arg, ReadStepTypesOption read
+        ParameterNodeExt p, ArgumentNodeExt arg, ReadStepTypesOption read
       ) {
         parameterValueFlow(p, arg, read) and
         Cand::argumentValueFlowsThroughCand(arg, _, _)
@@ -480,9 +567,9 @@ private module Cached {
 
       pragma[nomagic]
       private predicate argumentValueFlowsThrough0(
-        DataFlowCall call, ArgumentNode arg, ReturnKind kind, ReadStepTypesOption read
+        DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, ReadStepTypesOption read
       ) {
-        exists(ParameterNode param | viableParamArg(call, param, arg) |
+        exists(ParameterNodeExt param | viableParamArg(call, param, arg) |
           parameterValueFlowReturn(param, kind, read)
         )
       }
@@ -496,18 +583,18 @@ private module Cached {
        * container type, and the content type.
        */
       pragma[nomagic]
-      predicate argumentValueFlowsThrough(ArgumentNode arg, ReadStepTypesOption read, Node out) {
+      predicate argumentValueFlowsThrough(ArgumentNodeExt arg, ReadStepTypesOption read, Node out) {
         exists(DataFlowCall call, ReturnKind kind |
           argumentValueFlowsThrough0(call, arg, kind, read) and
           out = getAnOutNode(call, kind)
         |
           // normal flow through
           read = TReadStepTypesNone() and
-          compatibleTypes(getNodeType(arg), getNodeType(out))
+          compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(out))
           or
           // getter
-          compatibleTypes(getNodeType(arg), read.getContainerType()) and
-          compatibleTypes(read.getContentType(), getNodeType(out))
+          compatibleTypes(getNodeDataFlowType(arg), read.getContainerType()) and
+          compatibleTypes(read.getContentType(), getNodeDataFlowType(out))
         )
       }
 
@@ -516,7 +603,7 @@ private module Cached {
        * value-preserving steps and a single read step, not taking call
        * contexts into account, thus representing a getter-step.
        */
-      predicate getterStep(ArgumentNode arg, Content c, Node out) {
+      predicate getterStep(ArgumentNodeExt arg, Content c, Node out) {
         argumentValueFlowsThrough(arg, TReadStepTypesSome(_, c, _), out)
       }
 
@@ -529,7 +616,7 @@ private module Cached {
        * container type, and the content type.
        */
       private predicate parameterValueFlowReturn(
-        ParameterNode p, ReturnKind kind, ReadStepTypesOption read
+        ParameterNodeExt p, ReturnKind kind, ReadStepTypesOption read
       ) {
         exists(ReturnNode ret |
           parameterValueFlow(p, ret, read) and
@@ -553,7 +640,7 @@ private module Cached {
     private predicate mayBenefitFromCallContextExt(DataFlowCall call, DataFlowCallable callable) {
       mayBenefitFromCallContext(call, callable)
       or
-      callable = call.getEnclosingCallable() and
+      callEnclosingCallable(call, callable) and
       exists(viableCallableLambda(call, TDataFlowCallSome(_)))
     }
 
@@ -611,7 +698,7 @@ private module Cached {
         mayBenefitFromCallContextExt(call, _) and
         c = viableCallableExt(call) and
         ctxtgts = count(DataFlowCall ctx | c = viableImplInCallContextExt(call, ctx)) and
-        tgts = strictcount(DataFlowCall ctx | viableCallableExt(ctx) = call.getEnclosingCallable()) and
+        tgts = strictcount(DataFlowCall ctx | callEnclosingCallable(call, viableCallableExt(ctx))) and
         ctxtgts < tgts
       )
     }
@@ -635,8 +722,7 @@ private module Cached {
    * Holds if `p` can flow to the pre-update node associated with post-update
    * node `n`, in the same callable, using only value-preserving steps.
    */
-  cached
-  predicate parameterValueFlowsToPreUpdate(ParameterNode p, PostUpdateNode n) {
+  private predicate parameterValueFlowsToPreUpdate(ParameterNodeExt p, PostUpdateNode n) {
     parameterValueFlow(p, n.getPreUpdateNode(), TReadStepTypesNone())
   }
 
@@ -644,9 +730,9 @@ private module Cached {
     Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
   ) {
     storeStep(node1, c, node2) and
-    readStep(_, c, _) and
-    contentType = getNodeType(node1) and
-    containerType = getNodeType(node2)
+    read(_, c, _) and
+    contentType = getNodeDataFlowType(node1) and
+    containerType = getNodeDataFlowType(node2)
     or
     exists(Node n1, Node n2 |
       n1 = node1.(PostUpdateNode).getPreUpdateNode() and
@@ -654,12 +740,15 @@ private module Cached {
     |
       argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, c, contentType), n1)
       or
-      readStep(n2, c, n1) and
-      contentType = getNodeType(n1) and
-      containerType = getNodeType(n2)
+      read(n2, c, n1) and
+      contentType = getNodeDataFlowType(n1) and
+      containerType = getNodeDataFlowType(n2)
     )
   }
 
+  cached
+  predicate read(Node node1, Content c, Node node2) { readStep(node1, c, node2) }
+
   /**
    * Holds if data can flow from `node1` to `node2` via a direct assignment to
    * `f`.
@@ -678,8 +767,9 @@ private module Cached {
    * are aliases. A typical example is a function returning `this`, implementing a fluent
    * interface.
    */
-  cached
-  predicate reverseStepThroughInputOutputAlias(PostUpdateNode fromNode, PostUpdateNode toNode) {
+  private predicate reverseStepThroughInputOutputAlias(
+    PostUpdateNode fromNode, PostUpdateNode toNode
+  ) {
     exists(Node fromPre, Node toPre |
       fromPre = fromNode.getPreUpdateNode() and
       toPre = toNode.getPreUpdateNode()
@@ -688,14 +778,20 @@ private module Cached {
         // Does the language-specific simpleLocalFlowStep already model flow
         // from function input to output?
         fromPre = getAnOutNode(c, _) and
-        toPre.(ArgumentNode).argumentOf(c, _) and
-        simpleLocalFlowStep(toPre.(ArgumentNode), fromPre)
+        toPre.(ArgumentNodeExt).argumentOf(c, _) and
+        simpleLocalFlowStep(toPre.(ArgumentNodeExt), fromPre)
       )
       or
       argumentValueFlowsThrough(toPre, TReadStepTypesNone(), fromPre)
     )
   }
 
+  cached
+  predicate simpleLocalFlowStepExt(Node node1, Node node2) {
+    simpleLocalFlowStep(node1, node2) or
+    reverseStepThroughInputOutputAlias(node1, node2)
+  }
+
   /**
    * Holds if the call context `call` either improves virtual dispatch in
    * `callable` or if it allows us to prune unreachable nodes in `callable`.
@@ -704,7 +800,7 @@ private module Cached {
   predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) {
     reducedViableImplInCallContext(_, callable, call)
     or
-    exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCall(n, call))
+    exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCallCached(n, call))
   }
 
   cached
@@ -726,12 +822,12 @@ private module Cached {
   cached
   newtype TLocalFlowCallContext =
     TAnyLocalCall() or
-    TSpecificLocalCall(DataFlowCall call) { isUnreachableInCall(_, call) }
+    TSpecificLocalCall(DataFlowCall call) { isUnreachableInCallCached(_, call) }
 
   cached
   newtype TReturnKindExt =
     TValueReturn(ReturnKind kind) or
-    TParamUpdate(int pos) { exists(ParameterNode p | p.isParameterOf(_, pos)) }
+    TParamUpdate(int pos) { exists(ParameterNodeExt p | p.isParameterOf(_, pos)) }
 
   cached
   newtype TBooleanOption =
@@ -761,23 +857,15 @@ private module Cached {
  * A `Node` at which a cast can occur such that the type should be checked.
  */
 class CastingNode extends Node {
-  CastingNode() {
-    this instanceof ParameterNode or
-    this instanceof CastNode or
-    this instanceof OutNodeExt or
-    // For reads, `x.f`, we want to check that the tracked type after the read (which
-    // is obtained by popping the head of the access path stack) is compatible with
-    // the type of `x.f`.
-    readStep(_, _, this)
-  }
+  CastingNode() { castingNode(this) }
 }
 
 private predicate readStepWithTypes(
   Node n1, DataFlowType container, Content c, Node n2, DataFlowType content
 ) {
-  readStep(n1, c, n2) and
-  container = getNodeType(n1) and
-  content = getNodeType(n2)
+  read(n1, c, n2) and
+  container = getNodeDataFlowType(n1) and
+  content = getNodeDataFlowType(n2)
 }
 
 private newtype TReadStepTypesOption =
@@ -854,7 +942,7 @@ class CallContextSomeCall extends CallContextCall, TSomeCall {
   override string toString() { result = "CcSomeCall" }
 
   override predicate relevantFor(DataFlowCallable callable) {
-    exists(ParameterNode p | getNodeEnclosingCallable(p) = callable)
+    exists(ParameterNodeExt p | getNodeEnclosingCallable(p) = callable)
   }
 
   override predicate matchesCall(DataFlowCall call) { any() }
@@ -866,7 +954,7 @@ class CallContextReturn extends CallContextNoCall, TReturn {
   }
 
   override predicate relevantFor(DataFlowCallable callable) {
-    exists(DataFlowCall call | this = TReturn(_, call) and call.getEnclosingCallable() = callable)
+    exists(DataFlowCall call | this = TReturn(_, call) and callEnclosingCallable(call, callable))
   }
 }
 
@@ -899,7 +987,7 @@ class LocalCallContextSpecificCall extends LocalCallContext, TSpecificLocalCall
 }
 
 private predicate relevantLocalCCtx(DataFlowCall call, DataFlowCallable callable) {
-  exists(Node n | getNodeEnclosingCallable(n) = callable and isUnreachableInCall(n, call))
+  exists(Node n | getNodeEnclosingCallable(n) = callable and isUnreachableInCallCached(n, call))
 }
 
 /**
@@ -913,26 +1001,37 @@ LocalCallContext getLocalCallContext(CallContext ctx, DataFlowCallable callable)
   else result instanceof LocalCallContextAny
 }
 
+/**
+ * The value of a parameter at function entry, viewed as a node in a data
+ * flow graph.
+ */
+class ParameterNodeExt extends Node {
+  ParameterNodeExt() { parameterNode(this, _, _) }
+
+  /**
+   * Holds if this node is the parameter of callable `c` at the specified
+   * (zero-based) position.
+   */
+  predicate isParameterOf(DataFlowCallable c, int i) { parameterNode(this, c, i) }
+}
+
+/** A data-flow node that represents a call argument. */
+class ArgumentNodeExt extends Node {
+  ArgumentNodeExt() { argumentNode(this, _, _) }
+
+  /** Holds if this argument occurs at the given position in the given call. */
+  final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }
+}
+
 /**
  * A node from which flow can return to the caller. This is either a regular
  * `ReturnNode` or a `PostUpdateNode` corresponding to the value of a parameter.
  */
 class ReturnNodeExt extends Node {
-  ReturnNodeExt() {
-    this instanceof ReturnNode or
-    parameterValueFlowsToPreUpdate(_, this)
-  }
+  ReturnNodeExt() { returnNodeExt(this, _) }
 
   /** Gets the kind of this returned value. */
-  ReturnKindExt getKind() {
-    result = TValueReturn(this.(ReturnNode).getKind())
-    or
-    exists(ParameterNode p, int pos |
-      parameterValueFlowsToPreUpdate(p, this) and
-      p.isParameterOf(_, pos) and
-      result = TParamUpdate(pos)
-    )
-  }
+  ReturnKindExt getKind() { returnNodeExt(this, result) }
 }
 
 /**
@@ -940,11 +1039,7 @@ class ReturnNodeExt extends Node {
  * or a post-update node associated with a call argument.
  */
 class OutNodeExt extends Node {
-  OutNodeExt() {
-    this instanceof OutNode
-    or
-    this.(PostUpdateNode).getPreUpdateNode() instanceof ArgumentNode
-  }
+  OutNodeExt() { outNodeExt(this) }
 }
 
 /**
@@ -957,7 +1052,7 @@ abstract class ReturnKindExt extends TReturnKindExt {
   abstract string toString();
 
   /** Gets a node corresponding to data flow out of `call`. */
-  abstract OutNodeExt getAnOutNode(DataFlowCall call);
+  final OutNodeExt getAnOutNode(DataFlowCall call) { result = getAnOutNodeExt(call, this) }
 }
 
 class ValueReturnKind extends ReturnKindExt, TValueReturn {
@@ -968,10 +1063,6 @@ class ValueReturnKind extends ReturnKindExt, TValueReturn {
   ReturnKind getKind() { result = kind }
 
   override string toString() { result = kind.toString() }
-
-  override OutNodeExt getAnOutNode(DataFlowCall call) {
-    result = getAnOutNode(call, this.getKind())
-  }
 }
 
 class ParamUpdateReturnKind extends ReturnKindExt, TParamUpdate {
@@ -982,13 +1073,6 @@ class ParamUpdateReturnKind extends ReturnKindExt, TParamUpdate {
   int getPosition() { result = pos }
 
   override string toString() { result = "param update " + pos }
-
-  override OutNodeExt getAnOutNode(DataFlowCall call) {
-    exists(ArgumentNode arg |
-      result.(PostUpdateNode).getPreUpdateNode() = arg and
-      arg.argumentOf(call, this.getPosition())
-    )
-  }
 }
 
 /** A callable tagged with a relevant return kind. */
@@ -1015,10 +1099,13 @@ class ReturnPosition extends TReturnPosition0 {
  */
 pragma[inline]
 DataFlowCallable getNodeEnclosingCallable(Node n) {
-  exists(Node n0 |
-    pragma[only_bind_into](n0) = n and
-    pragma[only_bind_into](result) = n0.getEnclosingCallable()
-  )
+  nodeEnclosingCallable(pragma[only_bind_out](n), pragma[only_bind_into](result))
+}
+
+/** Gets the type of `n` used for type pruning. */
+pragma[inline]
+DataFlowType getNodeDataFlowType(Node n) {
+  nodeDataFlowType(pragma[only_bind_out](n), pragma[only_bind_into](result))
 }
 
 pragma[noinline]
@@ -1042,7 +1129,7 @@ predicate resolveReturn(CallContext cc, DataFlowCallable callable, DataFlowCall
   cc instanceof CallContextAny and callable = viableCallableExt(call)
   or
   exists(DataFlowCallable c0, DataFlowCall call0 |
-    call0.getEnclosingCallable() = callable and
+    callEnclosingCallable(call0, callable) and
     cc = TReturn(c0, call0) and
     c0 = prunedViableImplInCallContextReverse(call0, call)
   )
@@ -1063,8 +1150,6 @@ DataFlowCallable resolveCall(DataFlowCall call, CallContext cc) {
   result = viableCallableExt(call) and cc instanceof CallContextReturn
 }
 
-predicate read = readStep/3;
-
 /** An optional Boolean value. */
 class BooleanOption extends TBooleanOption {
   string toString() {
@@ -1116,7 +1201,7 @@ abstract class AccessPathFront extends TAccessPathFront {
 
   TypedContent getHead() { this = TFrontHead(result) }
 
-  predicate isClearedAt(Node n) { clearsContent(n, getHead().getContent()) }
+  predicate isClearedAt(Node n) { clearsContentCached(n, getHead().getContent()) }
 }
 
 class AccessPathFrontNil extends AccessPathFront, TFrontNil {
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll
index a51c20c2288..b5ceabc605d 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll
@@ -35,22 +35,24 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
  */
 private module LambdaFlow {
-  private predicate viableParamNonLambda(DataFlowCall call, int i, ParameterNode p) {
+  private predicate viableParamNonLambda(DataFlowCall call, int i, ParameterNodeExt p) {
     p.isParameterOf(viableCallable(call), i)
   }
 
-  private predicate viableParamLambda(DataFlowCall call, int i, ParameterNode p) {
+  private predicate viableParamLambda(DataFlowCall call, int i, ParameterNodeExt p) {
     p.isParameterOf(viableCallableLambda(call, _), i)
   }
 
-  private predicate viableParamArgNonLambda(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
+  private predicate viableParamArgNonLambda(
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg
+  ) {
     exists(int i |
       viableParamNonLambda(call, i, p) and
       arg.argumentOf(call, i)
     )
   }
 
-  private predicate viableParamArgLambda(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
+  private predicate viableParamArgLambda(DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg) {
     exists(int i |
       viableParamLambda(call, i, p) and
       arg.argumentOf(call, i)
@@ -118,8 +120,8 @@ private module LambdaFlow {
     boolean toJump, DataFlowCallOption lastCall
   ) {
     revLambdaFlow0(lambdaCall, kind, node, t, toReturn, toJump, lastCall) and
-    if node instanceof CastNode or node instanceof ArgumentNode or node instanceof ReturnNode
-    then compatibleTypes(t, getNodeType(node))
+    if castNode(node) or node instanceof ArgumentNodeExt or node instanceof ReturnNode
+    then compatibleTypes(t, getNodeDataFlowType(node))
     else any()
   }
 
@@ -129,7 +131,7 @@ private module LambdaFlow {
     boolean toJump, DataFlowCallOption lastCall
   ) {
     lambdaCall(lambdaCall, kind, node) and
-    t = getNodeType(node) and
+    t = getNodeDataFlowType(node) and
     toReturn = false and
     toJump = false and
     lastCall = TDataFlowCallNone()
@@ -146,7 +148,7 @@ private module LambdaFlow {
         getNodeEnclosingCallable(node) = getNodeEnclosingCallable(mid)
       |
         preservesValue = false and
-        t = getNodeType(node)
+        t = getNodeDataFlowType(node)
         or
         preservesValue = true and
         t = t0
@@ -160,7 +162,7 @@ private module LambdaFlow {
       toJump = true and
       lastCall = TDataFlowCallNone()
     |
-      jumpStep(node, mid) and
+      jumpStepCached(node, mid) and
       t = t0
       or
       exists(boolean preservesValue |
@@ -168,7 +170,7 @@ private module LambdaFlow {
         getNodeEnclosingCallable(node) != getNodeEnclosingCallable(mid)
       |
         preservesValue = false and
-        t = getNodeType(node)
+        t = getNodeDataFlowType(node)
         or
         preservesValue = true and
         t = t0
@@ -176,7 +178,7 @@ private module LambdaFlow {
     )
     or
     // flow into a callable
-    exists(ParameterNode p, DataFlowCallOption lastCall0, DataFlowCall call |
+    exists(ParameterNodeExt p, DataFlowCallOption lastCall0, DataFlowCall call |
       revLambdaFlowIn(lambdaCall, kind, p, t, toJump, lastCall0) and
       (
         if lastCall0 = TDataFlowCallNone() and toJump = false
@@ -227,8 +229,8 @@ private module LambdaFlow {
 
   pragma[nomagic]
   predicate revLambdaFlowIn(
-    DataFlowCall lambdaCall, LambdaCallKind kind, ParameterNode p, DataFlowType t, boolean toJump,
-    DataFlowCallOption lastCall
+    DataFlowCall lambdaCall, LambdaCallKind kind, ParameterNodeExt p, DataFlowType t,
+    boolean toJump, DataFlowCallOption lastCall
   ) {
     revLambdaFlow(lambdaCall, kind, p, t, false, toJump, lastCall)
   }
@@ -242,6 +244,89 @@ private DataFlowCallable viableCallableExt(DataFlowCall call) {
 
 cached
 private module Cached {
+  /**
+   * If needed, call this predicate from `DataFlowImplSpecific.qll` in order to
+   * force a stage-dependency on the `DataFlowImplCommon.qll` stage and therby
+   * collapsing the two stages.
+   */
+  cached
+  predicate forceCachingInSameStage() { any() }
+
+  cached
+  predicate nodeEnclosingCallable(Node n, DataFlowCallable c) { c = n.getEnclosingCallable() }
+
+  cached
+  predicate callEnclosingCallable(DataFlowCall call, DataFlowCallable c) {
+    c = call.getEnclosingCallable()
+  }
+
+  cached
+  predicate nodeDataFlowType(Node n, DataFlowType t) { t = getNodeType(n) }
+
+  cached
+  predicate jumpStepCached(Node node1, Node node2) { jumpStep(node1, node2) }
+
+  cached
+  predicate clearsContentCached(Node n, Content c) { clearsContent(n, c) }
+
+  cached
+  predicate isUnreachableInCallCached(Node n, DataFlowCall call) { isUnreachableInCall(n, call) }
+
+  cached
+  predicate outNodeExt(Node n) {
+    n instanceof OutNode
+    or
+    n.(PostUpdateNode).getPreUpdateNode() instanceof ArgumentNodeExt
+  }
+
+  cached
+  predicate hiddenNode(Node n) { nodeIsHidden(n) }
+
+  cached
+  OutNodeExt getAnOutNodeExt(DataFlowCall call, ReturnKindExt k) {
+    result = getAnOutNode(call, k.(ValueReturnKind).getKind())
+    or
+    exists(ArgumentNodeExt arg |
+      result.(PostUpdateNode).getPreUpdateNode() = arg and
+      arg.argumentOf(call, k.(ParamUpdateReturnKind).getPosition())
+    )
+  }
+
+  cached
+  predicate returnNodeExt(Node n, ReturnKindExt k) {
+    k = TValueReturn(n.(ReturnNode).getKind())
+    or
+    exists(ParameterNodeExt p, int pos |
+      parameterValueFlowsToPreUpdate(p, n) and
+      p.isParameterOf(_, pos) and
+      k = TParamUpdate(pos)
+    )
+  }
+
+  cached
+  predicate castNode(Node n) { n instanceof CastNode }
+
+  cached
+  predicate castingNode(Node n) {
+    castNode(n) or
+    n instanceof ParameterNodeExt or
+    n instanceof OutNodeExt or
+    // For reads, `x.f`, we want to check that the tracked type after the read (which
+    // is obtained by popping the head of the access path stack) is compatible with
+    // the type of `x.f`.
+    read(_, _, n)
+  }
+
+  cached
+  predicate parameterNode(Node n, DataFlowCallable c, int i) {
+    n.(ParameterNode).isParameterOf(c, i)
+  }
+
+  cached
+  predicate argumentNode(Node n, DataFlowCall call, int pos) {
+    n.(ArgumentNode).argumentOf(call, pos)
+  }
+
   /**
    * Gets a viable target for the lambda call `call`.
    *
@@ -261,7 +346,7 @@ private module Cached {
    * The instance parameter is considered to have index `-1`.
    */
   pragma[nomagic]
-  private predicate viableParam(DataFlowCall call, int i, ParameterNode p) {
+  private predicate viableParam(DataFlowCall call, int i, ParameterNodeExt p) {
     p.isParameterOf(viableCallableExt(call), i)
   }
 
@@ -270,11 +355,11 @@ private module Cached {
    * dispatch into account.
    */
   cached
-  predicate viableParamArg(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
+  predicate viableParamArg(DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg) {
     exists(int i |
       viableParam(call, i, p) and
       arg.argumentOf(call, i) and
-      compatibleTypes(getNodeType(arg), getNodeType(p))
+      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
     )
   }
 
@@ -312,7 +397,7 @@ private module Cached {
        * `read` indicates whether it is contents of `p` that can flow to `node`.
        */
       pragma[nomagic]
-      private predicate parameterValueFlowCand(ParameterNode p, Node node, boolean read) {
+      private predicate parameterValueFlowCand(ParameterNodeExt p, Node node, boolean read) {
         p = node and
         read = false
         or
@@ -325,30 +410,32 @@ private module Cached {
         // read
         exists(Node mid |
           parameterValueFlowCand(p, mid, false) and
-          readStep(mid, _, node) and
+          read(mid, _, node) and
           read = true
         )
         or
         // flow through: no prior read
-        exists(ArgumentNode arg |
+        exists(ArgumentNodeExt arg |
           parameterValueFlowArgCand(p, arg, false) and
           argumentValueFlowsThroughCand(arg, node, read)
         )
         or
         // flow through: no read inside method
-        exists(ArgumentNode arg |
+        exists(ArgumentNodeExt arg |
           parameterValueFlowArgCand(p, arg, read) and
           argumentValueFlowsThroughCand(arg, node, false)
         )
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlowArgCand(ParameterNode p, ArgumentNode arg, boolean read) {
+      private predicate parameterValueFlowArgCand(
+        ParameterNodeExt p, ArgumentNodeExt arg, boolean read
+      ) {
         parameterValueFlowCand(p, arg, read)
       }
 
       pragma[nomagic]
-      predicate parameterValueFlowsToPreUpdateCand(ParameterNode p, PostUpdateNode n) {
+      predicate parameterValueFlowsToPreUpdateCand(ParameterNodeExt p, PostUpdateNode n) {
         parameterValueFlowCand(p, n.getPreUpdateNode(), false)
       }
 
@@ -360,7 +447,7 @@ private module Cached {
        * `read` indicates whether it is contents of `p` that can flow to the return
        * node.
        */
-      predicate parameterValueFlowReturnCand(ParameterNode p, ReturnKind kind, boolean read) {
+      predicate parameterValueFlowReturnCand(ParameterNodeExt p, ReturnKind kind, boolean read) {
         exists(ReturnNode ret |
           parameterValueFlowCand(p, ret, read) and
           kind = ret.getKind()
@@ -369,9 +456,9 @@ private module Cached {
 
       pragma[nomagic]
       private predicate argumentValueFlowsThroughCand0(
-        DataFlowCall call, ArgumentNode arg, ReturnKind kind, boolean read
+        DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, boolean read
       ) {
-        exists(ParameterNode param | viableParamArg(call, param, arg) |
+        exists(ParameterNodeExt param | viableParamArg(call, param, arg) |
           parameterValueFlowReturnCand(param, kind, read)
         )
       }
@@ -382,14 +469,14 @@ private module Cached {
        *
        * `read` indicates whether it is contents of `arg` that can flow to `out`.
        */
-      predicate argumentValueFlowsThroughCand(ArgumentNode arg, Node out, boolean read) {
+      predicate argumentValueFlowsThroughCand(ArgumentNodeExt arg, Node out, boolean read) {
         exists(DataFlowCall call, ReturnKind kind |
           argumentValueFlowsThroughCand0(call, arg, kind, read) and
           out = getAnOutNode(call, kind)
         )
       }
 
-      predicate cand(ParameterNode p, Node n) {
+      predicate cand(ParameterNodeExt p, Node n) {
         parameterValueFlowCand(p, n, _) and
         (
           parameterValueFlowReturnCand(p, _, _)
@@ -416,21 +503,21 @@ private module Cached {
        * If a read step was taken, then `read` captures the `Content`, the
        * container type, and the content type.
        */
-      predicate parameterValueFlow(ParameterNode p, Node node, ReadStepTypesOption read) {
+      predicate parameterValueFlow(ParameterNodeExt p, Node node, ReadStepTypesOption read) {
         parameterValueFlow0(p, node, read) and
         if node instanceof CastingNode
         then
           // normal flow through
           read = TReadStepTypesNone() and
-          compatibleTypes(getNodeType(p), getNodeType(node))
+          compatibleTypes(getNodeDataFlowType(p), getNodeDataFlowType(node))
           or
           // getter
-          compatibleTypes(read.getContentType(), getNodeType(node))
+          compatibleTypes(read.getContentType(), getNodeDataFlowType(node))
         else any()
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlow0(ParameterNode p, Node node, ReadStepTypesOption read) {
+      private predicate parameterValueFlow0(ParameterNodeExt p, Node node, ReadStepTypesOption read) {
         p = node and
         Cand::cand(p, _) and
         read = TReadStepTypesNone()
@@ -447,7 +534,7 @@ private module Cached {
           readStepWithTypes(mid, read.getContainerType(), read.getContent(), node,
             read.getContentType()) and
           Cand::parameterValueFlowReturnCand(p, _, true) and
-          compatibleTypes(getNodeType(p), read.getContainerType())
+          compatibleTypes(getNodeDataFlowType(p), read.getContainerType())
         )
         or
         parameterValueFlow0_0(TReadStepTypesNone(), p, node, read)
@@ -455,16 +542,16 @@ private module Cached {
 
       pragma[nomagic]
       private predicate parameterValueFlow0_0(
-        ReadStepTypesOption mustBeNone, ParameterNode p, Node node, ReadStepTypesOption read
+        ReadStepTypesOption mustBeNone, ParameterNodeExt p, Node node, ReadStepTypesOption read
       ) {
         // flow through: no prior read
-        exists(ArgumentNode arg |
+        exists(ArgumentNodeExt arg |
           parameterValueFlowArg(p, arg, mustBeNone) and
           argumentValueFlowsThrough(arg, read, node)
         )
         or
         // flow through: no read inside method
-        exists(ArgumentNode arg |
+        exists(ArgumentNodeExt arg |
           parameterValueFlowArg(p, arg, read) and
           argumentValueFlowsThrough(arg, mustBeNone, node)
         )
@@ -472,7 +559,7 @@ private module Cached {
 
       pragma[nomagic]
       private predicate parameterValueFlowArg(
-        ParameterNode p, ArgumentNode arg, ReadStepTypesOption read
+        ParameterNodeExt p, ArgumentNodeExt arg, ReadStepTypesOption read
       ) {
         parameterValueFlow(p, arg, read) and
         Cand::argumentValueFlowsThroughCand(arg, _, _)
@@ -480,9 +567,9 @@ private module Cached {
 
       pragma[nomagic]
       private predicate argumentValueFlowsThrough0(
-        DataFlowCall call, ArgumentNode arg, ReturnKind kind, ReadStepTypesOption read
+        DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, ReadStepTypesOption read
       ) {
-        exists(ParameterNode param | viableParamArg(call, param, arg) |
+        exists(ParameterNodeExt param | viableParamArg(call, param, arg) |
           parameterValueFlowReturn(param, kind, read)
         )
       }
@@ -496,18 +583,18 @@ private module Cached {
        * container type, and the content type.
        */
       pragma[nomagic]
-      predicate argumentValueFlowsThrough(ArgumentNode arg, ReadStepTypesOption read, Node out) {
+      predicate argumentValueFlowsThrough(ArgumentNodeExt arg, ReadStepTypesOption read, Node out) {
         exists(DataFlowCall call, ReturnKind kind |
           argumentValueFlowsThrough0(call, arg, kind, read) and
           out = getAnOutNode(call, kind)
         |
           // normal flow through
           read = TReadStepTypesNone() and
-          compatibleTypes(getNodeType(arg), getNodeType(out))
+          compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(out))
           or
           // getter
-          compatibleTypes(getNodeType(arg), read.getContainerType()) and
-          compatibleTypes(read.getContentType(), getNodeType(out))
+          compatibleTypes(getNodeDataFlowType(arg), read.getContainerType()) and
+          compatibleTypes(read.getContentType(), getNodeDataFlowType(out))
         )
       }
 
@@ -516,7 +603,7 @@ private module Cached {
        * value-preserving steps and a single read step, not taking call
        * contexts into account, thus representing a getter-step.
        */
-      predicate getterStep(ArgumentNode arg, Content c, Node out) {
+      predicate getterStep(ArgumentNodeExt arg, Content c, Node out) {
         argumentValueFlowsThrough(arg, TReadStepTypesSome(_, c, _), out)
       }
 
@@ -529,7 +616,7 @@ private module Cached {
        * container type, and the content type.
        */
       private predicate parameterValueFlowReturn(
-        ParameterNode p, ReturnKind kind, ReadStepTypesOption read
+        ParameterNodeExt p, ReturnKind kind, ReadStepTypesOption read
       ) {
         exists(ReturnNode ret |
           parameterValueFlow(p, ret, read) and
@@ -553,7 +640,7 @@ private module Cached {
     private predicate mayBenefitFromCallContextExt(DataFlowCall call, DataFlowCallable callable) {
       mayBenefitFromCallContext(call, callable)
       or
-      callable = call.getEnclosingCallable() and
+      callEnclosingCallable(call, callable) and
       exists(viableCallableLambda(call, TDataFlowCallSome(_)))
     }
 
@@ -611,7 +698,7 @@ private module Cached {
         mayBenefitFromCallContextExt(call, _) and
         c = viableCallableExt(call) and
         ctxtgts = count(DataFlowCall ctx | c = viableImplInCallContextExt(call, ctx)) and
-        tgts = strictcount(DataFlowCall ctx | viableCallableExt(ctx) = call.getEnclosingCallable()) and
+        tgts = strictcount(DataFlowCall ctx | callEnclosingCallable(call, viableCallableExt(ctx))) and
         ctxtgts < tgts
       )
     }
@@ -635,8 +722,7 @@ private module Cached {
    * Holds if `p` can flow to the pre-update node associated with post-update
    * node `n`, in the same callable, using only value-preserving steps.
    */
-  cached
-  predicate parameterValueFlowsToPreUpdate(ParameterNode p, PostUpdateNode n) {
+  private predicate parameterValueFlowsToPreUpdate(ParameterNodeExt p, PostUpdateNode n) {
     parameterValueFlow(p, n.getPreUpdateNode(), TReadStepTypesNone())
   }
 
@@ -644,9 +730,9 @@ private module Cached {
     Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
   ) {
     storeStep(node1, c, node2) and
-    readStep(_, c, _) and
-    contentType = getNodeType(node1) and
-    containerType = getNodeType(node2)
+    read(_, c, _) and
+    contentType = getNodeDataFlowType(node1) and
+    containerType = getNodeDataFlowType(node2)
     or
     exists(Node n1, Node n2 |
       n1 = node1.(PostUpdateNode).getPreUpdateNode() and
@@ -654,12 +740,15 @@ private module Cached {
     |
       argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, c, contentType), n1)
       or
-      readStep(n2, c, n1) and
-      contentType = getNodeType(n1) and
-      containerType = getNodeType(n2)
+      read(n2, c, n1) and
+      contentType = getNodeDataFlowType(n1) and
+      containerType = getNodeDataFlowType(n2)
     )
   }
 
+  cached
+  predicate read(Node node1, Content c, Node node2) { readStep(node1, c, node2) }
+
   /**
    * Holds if data can flow from `node1` to `node2` via a direct assignment to
    * `f`.
@@ -678,8 +767,9 @@ private module Cached {
    * are aliases. A typical example is a function returning `this`, implementing a fluent
    * interface.
    */
-  cached
-  predicate reverseStepThroughInputOutputAlias(PostUpdateNode fromNode, PostUpdateNode toNode) {
+  private predicate reverseStepThroughInputOutputAlias(
+    PostUpdateNode fromNode, PostUpdateNode toNode
+  ) {
     exists(Node fromPre, Node toPre |
       fromPre = fromNode.getPreUpdateNode() and
       toPre = toNode.getPreUpdateNode()
@@ -688,14 +778,20 @@ private module Cached {
         // Does the language-specific simpleLocalFlowStep already model flow
         // from function input to output?
         fromPre = getAnOutNode(c, _) and
-        toPre.(ArgumentNode).argumentOf(c, _) and
-        simpleLocalFlowStep(toPre.(ArgumentNode), fromPre)
+        toPre.(ArgumentNodeExt).argumentOf(c, _) and
+        simpleLocalFlowStep(toPre.(ArgumentNodeExt), fromPre)
       )
       or
       argumentValueFlowsThrough(toPre, TReadStepTypesNone(), fromPre)
     )
   }
 
+  cached
+  predicate simpleLocalFlowStepExt(Node node1, Node node2) {
+    simpleLocalFlowStep(node1, node2) or
+    reverseStepThroughInputOutputAlias(node1, node2)
+  }
+
   /**
    * Holds if the call context `call` either improves virtual dispatch in
    * `callable` or if it allows us to prune unreachable nodes in `callable`.
@@ -704,7 +800,7 @@ private module Cached {
   predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) {
     reducedViableImplInCallContext(_, callable, call)
     or
-    exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCall(n, call))
+    exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCallCached(n, call))
   }
 
   cached
@@ -726,12 +822,12 @@ private module Cached {
   cached
   newtype TLocalFlowCallContext =
     TAnyLocalCall() or
-    TSpecificLocalCall(DataFlowCall call) { isUnreachableInCall(_, call) }
+    TSpecificLocalCall(DataFlowCall call) { isUnreachableInCallCached(_, call) }
 
   cached
   newtype TReturnKindExt =
     TValueReturn(ReturnKind kind) or
-    TParamUpdate(int pos) { exists(ParameterNode p | p.isParameterOf(_, pos)) }
+    TParamUpdate(int pos) { exists(ParameterNodeExt p | p.isParameterOf(_, pos)) }
 
   cached
   newtype TBooleanOption =
@@ -761,23 +857,15 @@ private module Cached {
  * A `Node` at which a cast can occur such that the type should be checked.
  */
 class CastingNode extends Node {
-  CastingNode() {
-    this instanceof ParameterNode or
-    this instanceof CastNode or
-    this instanceof OutNodeExt or
-    // For reads, `x.f`, we want to check that the tracked type after the read (which
-    // is obtained by popping the head of the access path stack) is compatible with
-    // the type of `x.f`.
-    readStep(_, _, this)
-  }
+  CastingNode() { castingNode(this) }
 }
 
 private predicate readStepWithTypes(
   Node n1, DataFlowType container, Content c, Node n2, DataFlowType content
 ) {
-  readStep(n1, c, n2) and
-  container = getNodeType(n1) and
-  content = getNodeType(n2)
+  read(n1, c, n2) and
+  container = getNodeDataFlowType(n1) and
+  content = getNodeDataFlowType(n2)
 }
 
 private newtype TReadStepTypesOption =
@@ -854,7 +942,7 @@ class CallContextSomeCall extends CallContextCall, TSomeCall {
   override string toString() { result = "CcSomeCall" }
 
   override predicate relevantFor(DataFlowCallable callable) {
-    exists(ParameterNode p | getNodeEnclosingCallable(p) = callable)
+    exists(ParameterNodeExt p | getNodeEnclosingCallable(p) = callable)
   }
 
   override predicate matchesCall(DataFlowCall call) { any() }
@@ -866,7 +954,7 @@ class CallContextReturn extends CallContextNoCall, TReturn {
   }
 
   override predicate relevantFor(DataFlowCallable callable) {
-    exists(DataFlowCall call | this = TReturn(_, call) and call.getEnclosingCallable() = callable)
+    exists(DataFlowCall call | this = TReturn(_, call) and callEnclosingCallable(call, callable))
   }
 }
 
@@ -899,7 +987,7 @@ class LocalCallContextSpecificCall extends LocalCallContext, TSpecificLocalCall
 }
 
 private predicate relevantLocalCCtx(DataFlowCall call, DataFlowCallable callable) {
-  exists(Node n | getNodeEnclosingCallable(n) = callable and isUnreachableInCall(n, call))
+  exists(Node n | getNodeEnclosingCallable(n) = callable and isUnreachableInCallCached(n, call))
 }
 
 /**
@@ -913,26 +1001,37 @@ LocalCallContext getLocalCallContext(CallContext ctx, DataFlowCallable callable)
   else result instanceof LocalCallContextAny
 }
 
+/**
+ * The value of a parameter at function entry, viewed as a node in a data
+ * flow graph.
+ */
+class ParameterNodeExt extends Node {
+  ParameterNodeExt() { parameterNode(this, _, _) }
+
+  /**
+   * Holds if this node is the parameter of callable `c` at the specified
+   * (zero-based) position.
+   */
+  predicate isParameterOf(DataFlowCallable c, int i) { parameterNode(this, c, i) }
+}
+
+/** A data-flow node that represents a call argument. */
+class ArgumentNodeExt extends Node {
+  ArgumentNodeExt() { argumentNode(this, _, _) }
+
+  /** Holds if this argument occurs at the given position in the given call. */
+  final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }
+}
+
 /**
  * A node from which flow can return to the caller. This is either a regular
  * `ReturnNode` or a `PostUpdateNode` corresponding to the value of a parameter.
  */
 class ReturnNodeExt extends Node {
-  ReturnNodeExt() {
-    this instanceof ReturnNode or
-    parameterValueFlowsToPreUpdate(_, this)
-  }
+  ReturnNodeExt() { returnNodeExt(this, _) }
 
   /** Gets the kind of this returned value. */
-  ReturnKindExt getKind() {
-    result = TValueReturn(this.(ReturnNode).getKind())
-    or
-    exists(ParameterNode p, int pos |
-      parameterValueFlowsToPreUpdate(p, this) and
-      p.isParameterOf(_, pos) and
-      result = TParamUpdate(pos)
-    )
-  }
+  ReturnKindExt getKind() { returnNodeExt(this, result) }
 }
 
 /**
@@ -940,11 +1039,7 @@ class ReturnNodeExt extends Node {
  * or a post-update node associated with a call argument.
  */
 class OutNodeExt extends Node {
-  OutNodeExt() {
-    this instanceof OutNode
-    or
-    this.(PostUpdateNode).getPreUpdateNode() instanceof ArgumentNode
-  }
+  OutNodeExt() { outNodeExt(this) }
 }
 
 /**
@@ -957,7 +1052,7 @@ abstract class ReturnKindExt extends TReturnKindExt {
   abstract string toString();
 
   /** Gets a node corresponding to data flow out of `call`. */
-  abstract OutNodeExt getAnOutNode(DataFlowCall call);
+  final OutNodeExt getAnOutNode(DataFlowCall call) { result = getAnOutNodeExt(call, this) }
 }
 
 class ValueReturnKind extends ReturnKindExt, TValueReturn {
@@ -968,10 +1063,6 @@ class ValueReturnKind extends ReturnKindExt, TValueReturn {
   ReturnKind getKind() { result = kind }
 
   override string toString() { result = kind.toString() }
-
-  override OutNodeExt getAnOutNode(DataFlowCall call) {
-    result = getAnOutNode(call, this.getKind())
-  }
 }
 
 class ParamUpdateReturnKind extends ReturnKindExt, TParamUpdate {
@@ -982,13 +1073,6 @@ class ParamUpdateReturnKind extends ReturnKindExt, TParamUpdate {
   int getPosition() { result = pos }
 
   override string toString() { result = "param update " + pos }
-
-  override OutNodeExt getAnOutNode(DataFlowCall call) {
-    exists(ArgumentNode arg |
-      result.(PostUpdateNode).getPreUpdateNode() = arg and
-      arg.argumentOf(call, this.getPosition())
-    )
-  }
 }
 
 /** A callable tagged with a relevant return kind. */
@@ -1015,10 +1099,13 @@ class ReturnPosition extends TReturnPosition0 {
  */
 pragma[inline]
 DataFlowCallable getNodeEnclosingCallable(Node n) {
-  exists(Node n0 |
-    pragma[only_bind_into](n0) = n and
-    pragma[only_bind_into](result) = n0.getEnclosingCallable()
-  )
+  nodeEnclosingCallable(pragma[only_bind_out](n), pragma[only_bind_into](result))
+}
+
+/** Gets the type of `n` used for type pruning. */
+pragma[inline]
+DataFlowType getNodeDataFlowType(Node n) {
+  nodeDataFlowType(pragma[only_bind_out](n), pragma[only_bind_into](result))
 }
 
 pragma[noinline]
@@ -1042,7 +1129,7 @@ predicate resolveReturn(CallContext cc, DataFlowCallable callable, DataFlowCall
   cc instanceof CallContextAny and callable = viableCallableExt(call)
   or
   exists(DataFlowCallable c0, DataFlowCall call0 |
-    call0.getEnclosingCallable() = callable and
+    callEnclosingCallable(call0, callable) and
     cc = TReturn(c0, call0) and
     c0 = prunedViableImplInCallContextReverse(call0, call)
   )
@@ -1063,8 +1150,6 @@ DataFlowCallable resolveCall(DataFlowCall call, CallContext cc) {
   result = viableCallableExt(call) and cc instanceof CallContextReturn
 }
 
-predicate read = readStep/3;
-
 /** An optional Boolean value. */
 class BooleanOption extends TBooleanOption {
   string toString() {
@@ -1116,7 +1201,7 @@ abstract class AccessPathFront extends TAccessPathFront {
 
   TypedContent getHead() { this = TFrontHead(result) }
 
-  predicate isClearedAt(Node n) { clearsContent(n, getHead().getContent()) }
+  predicate isClearedAt(Node n) { clearsContentCached(n, getHead().getContent()) }
 }
 
 class AccessPathFrontNil extends AccessPathFront, TFrontNil {
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
index 9498e51e7e6..cf83530bcbd 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
@@ -211,10 +211,7 @@ private predicate fullBarrier(Node node, Configuration config) {
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  (
-    simpleLocalFlowStep(node1, node2) or
-    reverseStepThroughInputOutputAlias(node1, node2)
-  ) and
+  simpleLocalFlowStepExt(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -237,7 +234,7 @@ private predicate additionalLocalFlowStep(Node node1, Node node2, Configuration
  * Holds if data can flow from `node1` to `node2` in a way that discards call contexts.
  */
 private predicate jumpStep(Node node1, Node node2, Configuration config) {
-  jumpStep(node1, node2) and
+  jumpStepCached(node1, node2) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and
@@ -388,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -515,7 +512,7 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
@@ -523,16 +520,16 @@ private module Stage1 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNode arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -597,7 +594,9 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -663,7 +662,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNode p, ArgumentNode arg, Configuration config
+  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -675,7 +674,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, Configuration config
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -735,7 +734,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNode arg, ParameterNode p, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
@@ -944,10 +943,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -992,7 +991,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1133,10 +1132,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1146,7 +1145,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1199,13 +1198,15 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1245,7 +1246,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
   Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
@@ -1260,8 +1261,8 @@ private module LocalFlowBigStep {
    */
   private class FlowCheckNode extends Node {
     FlowCheckNode() {
-      this instanceof CastNode or
-      clearsContent(this, _)
+      castNode(this) or
+      clearsContentCached(this, _)
     }
   }
 
@@ -1275,7 +1276,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNode or
+      node instanceof ParameterNodeExt or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1321,21 +1322,21 @@ private module LocalFlowBigStep {
     Node node1, Node node2, boolean preservesValue, DataFlowType t, Configuration config,
     LocalCallContext cc
   ) {
-    not isUnreachableInCall(node2, cc.(LocalCallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node2, cc.(LocalCallContextSpecificCall).getCall()) and
     (
       localFlowEntry(node1, pragma[only_bind_into](config)) and
       (
         localFlowStepNodeCand1(node1, node2, config) and
         preservesValue = true and
-        t = getNodeType(node1)
+        t = getNodeDataFlowType(node1)
         or
         additionalLocalFlowStepNodeCand2(node1, node2, config) and
         preservesValue = false and
-        t = getNodeType(node2)
+        t = getNodeDataFlowType(node2)
       ) and
       node1 != node2 and
       cc.relevantFor(getNodeEnclosingCallable(node1)) and
-      not isUnreachableInCall(node1, cc.(LocalCallContextSpecificCall).getCall()) and
+      not isUnreachableInCallCached(node1, cc.(LocalCallContextSpecificCall).getCall()) and
       Stage2::revFlow(node2, pragma[only_bind_into](config))
       or
       exists(Node mid |
@@ -1350,7 +1351,7 @@ private module LocalFlowBigStep {
         additionalLocalFlowStepNodeCand2(mid, node2, config) and
         not mid instanceof FlowCheckNode and
         preservesValue = false and
-        t = getNodeType(node2) and
+        t = getNodeDataFlowType(node2) and
         Stage2::revFlow(node2, pragma[only_bind_into](config))
       )
     )
@@ -1384,7 +1385,7 @@ private module Stage3 {
   private ApApprox getApprox(Ap ap) { result = ap.toBoolNonEmpty() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TFrontNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -1443,7 +1444,9 @@ private module Stage3 {
   bindingset[node, ap]
   private predicate filter(Node node, Ap ap) {
     not ap.isClearedAt(node) and
-    if node instanceof CastingNode then compatibleTypes(getNodeType(node), ap.getType()) else any()
+    if node instanceof CastingNode
+    then compatibleTypes(getNodeDataFlowType(node), ap.getType())
+    else any()
   }
 
   bindingset[ap, contentType]
@@ -1583,10 +1586,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1631,7 +1634,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1772,10 +1775,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1785,7 +1788,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1838,13 +1841,15 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2088,7 +2093,7 @@ private module Stage4 {
   private ApApprox getApprox(Ap ap) { result = ap.getFront() }
 
   private ApNil getApNil(Node node) {
-    PrevStage::revFlow(node, _) and result = TNil(getNodeType(node))
+    PrevStage::revFlow(node, _) and result = TNil(getNodeDataFlowType(node))
   }
 
   bindingset[tc, tail]
@@ -2155,7 +2160,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNode node1, ParameterNode node2, boolean allowsFieldFlow,
+    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
     Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
@@ -2300,10 +2305,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg, boolean allowsFieldFlow |
+    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2348,7 +2353,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2489,10 +2494,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNode arg, boolean toReturn, ApOption returnAp, Ap ap,
+    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
     Configuration config
   ) {
-    exists(ParameterNode p, boolean allowsFieldFlow |
+    exists(ParameterNodeExt p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2502,7 +2507,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNode arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2555,13 +2560,15 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(ParameterNode p, DataFlowCallable c, Ap ap, Configuration config) {
+  predicate parameterMayFlowThrough(
+    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
+  ) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2606,7 +2613,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNode p, AccessPath ap) {
+  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2627,7 +2634,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNode p;
+  private ParameterNodeExt p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -2758,7 +2765,7 @@ private newtype TPathNode =
     config.isSource(node) and
     cc instanceof CallContextAny and
     sc instanceof SummaryCtxNone and
-    ap = TAccessPathNil(getNodeType(node))
+    ap = TAccessPathNil(getNodeDataFlowType(node))
     or
     // ... or a step from an existing PathNode to another node.
     exists(PathNodeMid mid |
@@ -2979,7 +2986,7 @@ class PathNode extends TPathNode {
   Configuration getConfiguration() { none() }
 
   private predicate isHidden() {
-    nodeIsHidden(this.getNode()) and
+    hiddenNode(this.getNode()) and
     not this.isSource() and
     not this instanceof PathNodeSink
   }
@@ -3148,7 +3155,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
   cc instanceof CallContextAny and
   sc instanceof SummaryCtxNone and
   mid.getAp() instanceof AccessPathNil and
-  ap = TAccessPathNil(getNodeType(node))
+  ap = TAccessPathNil(getNodeDataFlowType(node))
   or
   exists(TypedContent tc | pathStoreStep(mid, node, ap.pop(tc), tc, cc)) and
   sc = mid.getSummaryCtx()
@@ -3235,7 +3242,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNode arg |
+  exists(ArgumentNodeExt arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3248,7 +3255,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNode p |
+  exists(ParameterNodeExt p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3272,7 +3279,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3568,7 +3575,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNode p)
+    TSummaryCtx1Param(ParameterNodeExt p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3591,7 +3598,7 @@ private module FlowExploration {
       cc instanceof CallContextAny and
       sc1 = TSummaryCtx1None() and
       sc2 = TSummaryCtx2None() and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       not fullBarrier(node, config) and
       exists(config.explorationLimit())
       or
@@ -3611,7 +3618,7 @@ private module FlowExploration {
       or
       exists(PartialPathNodeRev mid |
         revPartialPathStep(mid, node, sc1, sc2, ap, config) and
-        not clearsContent(node, ap.getHead()) and
+        not clearsContentCached(node, ap.getHead()) and
         not fullBarrier(node, config) and
         distSink(getNodeEnclosingCallable(node), config) <= config.explorationLimit()
       )
@@ -3625,9 +3632,9 @@ private module FlowExploration {
     exists(PartialPathNodeFwd mid |
       partialPathStep(mid, node, cc, sc1, sc2, ap, config) and
       not fullBarrier(node, config) and
-      not clearsContent(node, ap.getHead().getContent()) and
+      not clearsContentCached(node, ap.getHead().getContent()) and
       if node instanceof CastingNode
-      then compatibleTypes(getNodeType(node), ap.getType())
+      then compatibleTypes(getNodeDataFlowType(node), ap.getType())
       else any()
     )
   }
@@ -3783,7 +3790,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, Node node, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
     PartialAccessPath ap, Configuration config
   ) {
-    not isUnreachableInCall(node, cc.(CallContextSpecificCall).getCall()) and
+    not isUnreachableInCallCached(node, cc.(CallContextSpecificCall).getCall()) and
     (
       localFlowStep(mid.getNode(), node, config) and
       cc = mid.getCallContext() and
@@ -3797,7 +3804,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       mid.getAp() instanceof PartialAccessPathNil and
-      ap = TPartialNil(getNodeType(node)) and
+      ap = TPartialNil(getNodeDataFlowType(node)) and
       config = mid.getConfiguration()
     )
     or
@@ -3813,7 +3820,7 @@ private module FlowExploration {
     sc1 = TSummaryCtx1None() and
     sc2 = TSummaryCtx2None() and
     mid.getAp() instanceof PartialAccessPathNil and
-    ap = TPartialNil(getNodeType(node)) and
+    ap = TPartialNil(getNodeDataFlowType(node)) and
     config = mid.getConfiguration()
     or
     partialPathStoreStep(mid, _, _, node, ap) and
@@ -3827,7 +3834,7 @@ private module FlowExploration {
       sc1 = mid.getSummaryCtx1() and
       sc2 = mid.getSummaryCtx2() and
       apConsFwd(ap, tc, ap0, config) and
-      compatibleTypes(ap.getType(), getNodeType(node))
+      compatibleTypes(ap.getType(), getNodeDataFlowType(node))
     )
     or
     partialPathIntoCallable(mid, node, _, cc, sc1, sc2, _, ap, config)
@@ -3924,7 +3931,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNode arg |
+    exists(ArgumentNodeExt arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3943,7 +3950,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNode p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3980,7 +3987,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4037,7 +4044,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNode p |
+    exists(ParameterNodeExt p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4115,7 +4122,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNode p |
+    exists(PartialPathNodeRev mid, ParameterNodeExt p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4138,7 +4145,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNode node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
index a51c20c2288..b5ceabc605d 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
@@ -35,22 +35,24 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
  */
 private module LambdaFlow {
-  private predicate viableParamNonLambda(DataFlowCall call, int i, ParameterNode p) {
+  private predicate viableParamNonLambda(DataFlowCall call, int i, ParameterNodeExt p) {
     p.isParameterOf(viableCallable(call), i)
   }
 
-  private predicate viableParamLambda(DataFlowCall call, int i, ParameterNode p) {
+  private predicate viableParamLambda(DataFlowCall call, int i, ParameterNodeExt p) {
     p.isParameterOf(viableCallableLambda(call, _), i)
   }
 
-  private predicate viableParamArgNonLambda(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
+  private predicate viableParamArgNonLambda(
+    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg
+  ) {
     exists(int i |
       viableParamNonLambda(call, i, p) and
       arg.argumentOf(call, i)
     )
   }
 
-  private predicate viableParamArgLambda(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
+  private predicate viableParamArgLambda(DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg) {
     exists(int i |
       viableParamLambda(call, i, p) and
       arg.argumentOf(call, i)
@@ -118,8 +120,8 @@ private module LambdaFlow {
     boolean toJump, DataFlowCallOption lastCall
   ) {
     revLambdaFlow0(lambdaCall, kind, node, t, toReturn, toJump, lastCall) and
-    if node instanceof CastNode or node instanceof ArgumentNode or node instanceof ReturnNode
-    then compatibleTypes(t, getNodeType(node))
+    if castNode(node) or node instanceof ArgumentNodeExt or node instanceof ReturnNode
+    then compatibleTypes(t, getNodeDataFlowType(node))
     else any()
   }
 
@@ -129,7 +131,7 @@ private module LambdaFlow {
     boolean toJump, DataFlowCallOption lastCall
   ) {
     lambdaCall(lambdaCall, kind, node) and
-    t = getNodeType(node) and
+    t = getNodeDataFlowType(node) and
     toReturn = false and
     toJump = false and
     lastCall = TDataFlowCallNone()
@@ -146,7 +148,7 @@ private module LambdaFlow {
         getNodeEnclosingCallable(node) = getNodeEnclosingCallable(mid)
       |
         preservesValue = false and
-        t = getNodeType(node)
+        t = getNodeDataFlowType(node)
         or
         preservesValue = true and
         t = t0
@@ -160,7 +162,7 @@ private module LambdaFlow {
       toJump = true and
       lastCall = TDataFlowCallNone()
     |
-      jumpStep(node, mid) and
+      jumpStepCached(node, mid) and
       t = t0
       or
       exists(boolean preservesValue |
@@ -168,7 +170,7 @@ private module LambdaFlow {
         getNodeEnclosingCallable(node) != getNodeEnclosingCallable(mid)
       |
         preservesValue = false and
-        t = getNodeType(node)
+        t = getNodeDataFlowType(node)
         or
         preservesValue = true and
         t = t0
@@ -176,7 +178,7 @@ private module LambdaFlow {
     )
     or
     // flow into a callable
-    exists(ParameterNode p, DataFlowCallOption lastCall0, DataFlowCall call |
+    exists(ParameterNodeExt p, DataFlowCallOption lastCall0, DataFlowCall call |
       revLambdaFlowIn(lambdaCall, kind, p, t, toJump, lastCall0) and
       (
         if lastCall0 = TDataFlowCallNone() and toJump = false
@@ -227,8 +229,8 @@ private module LambdaFlow {
 
   pragma[nomagic]
   predicate revLambdaFlowIn(
-    DataFlowCall lambdaCall, LambdaCallKind kind, ParameterNode p, DataFlowType t, boolean toJump,
-    DataFlowCallOption lastCall
+    DataFlowCall lambdaCall, LambdaCallKind kind, ParameterNodeExt p, DataFlowType t,
+    boolean toJump, DataFlowCallOption lastCall
   ) {
     revLambdaFlow(lambdaCall, kind, p, t, false, toJump, lastCall)
   }
@@ -242,6 +244,89 @@ private DataFlowCallable viableCallableExt(DataFlowCall call) {
 
 cached
 private module Cached {
+  /**
+   * If needed, call this predicate from `DataFlowImplSpecific.qll` in order to
+   * force a stage-dependency on the `DataFlowImplCommon.qll` stage and therby
+   * collapsing the two stages.
+   */
+  cached
+  predicate forceCachingInSameStage() { any() }
+
+  cached
+  predicate nodeEnclosingCallable(Node n, DataFlowCallable c) { c = n.getEnclosingCallable() }
+
+  cached
+  predicate callEnclosingCallable(DataFlowCall call, DataFlowCallable c) {
+    c = call.getEnclosingCallable()
+  }
+
+  cached
+  predicate nodeDataFlowType(Node n, DataFlowType t) { t = getNodeType(n) }
+
+  cached
+  predicate jumpStepCached(Node node1, Node node2) { jumpStep(node1, node2) }
+
+  cached
+  predicate clearsContentCached(Node n, Content c) { clearsContent(n, c) }
+
+  cached
+  predicate isUnreachableInCallCached(Node n, DataFlowCall call) { isUnreachableInCall(n, call) }
+
+  cached
+  predicate outNodeExt(Node n) {
+    n instanceof OutNode
+    or
+    n.(PostUpdateNode).getPreUpdateNode() instanceof ArgumentNodeExt
+  }
+
+  cached
+  predicate hiddenNode(Node n) { nodeIsHidden(n) }
+
+  cached
+  OutNodeExt getAnOutNodeExt(DataFlowCall call, ReturnKindExt k) {
+    result = getAnOutNode(call, k.(ValueReturnKind).getKind())
+    or
+    exists(ArgumentNodeExt arg |
+      result.(PostUpdateNode).getPreUpdateNode() = arg and
+      arg.argumentOf(call, k.(ParamUpdateReturnKind).getPosition())
+    )
+  }
+
+  cached
+  predicate returnNodeExt(Node n, ReturnKindExt k) {
+    k = TValueReturn(n.(ReturnNode).getKind())
+    or
+    exists(ParameterNodeExt p, int pos |
+      parameterValueFlowsToPreUpdate(p, n) and
+      p.isParameterOf(_, pos) and
+      k = TParamUpdate(pos)
+    )
+  }
+
+  cached
+  predicate castNode(Node n) { n instanceof CastNode }
+
+  cached
+  predicate castingNode(Node n) {
+    castNode(n) or
+    n instanceof ParameterNodeExt or
+    n instanceof OutNodeExt or
+    // For reads, `x.f`, we want to check that the tracked type after the read (which
+    // is obtained by popping the head of the access path stack) is compatible with
+    // the type of `x.f`.
+    read(_, _, n)
+  }
+
+  cached
+  predicate parameterNode(Node n, DataFlowCallable c, int i) {
+    n.(ParameterNode).isParameterOf(c, i)
+  }
+
+  cached
+  predicate argumentNode(Node n, DataFlowCall call, int pos) {
+    n.(ArgumentNode).argumentOf(call, pos)
+  }
+
   /**
    * Gets a viable target for the lambda call `call`.
    *
@@ -261,7 +346,7 @@ private module Cached {
    * The instance parameter is considered to have index `-1`.
    */
   pragma[nomagic]
-  private predicate viableParam(DataFlowCall call, int i, ParameterNode p) {
+  private predicate viableParam(DataFlowCall call, int i, ParameterNodeExt p) {
     p.isParameterOf(viableCallableExt(call), i)
   }
 
@@ -270,11 +355,11 @@ private module Cached {
    * dispatch into account.
    */
   cached
-  predicate viableParamArg(DataFlowCall call, ParameterNode p, ArgumentNode arg) {
+  predicate viableParamArg(DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg) {
     exists(int i |
       viableParam(call, i, p) and
       arg.argumentOf(call, i) and
-      compatibleTypes(getNodeType(arg), getNodeType(p))
+      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
     )
   }
 
@@ -312,7 +397,7 @@ private module Cached {
        * `read` indicates whether it is contents of `p` that can flow to `node`.
        */
       pragma[nomagic]
-      private predicate parameterValueFlowCand(ParameterNode p, Node node, boolean read) {
+      private predicate parameterValueFlowCand(ParameterNodeExt p, Node node, boolean read) {
         p = node and
         read = false
         or
@@ -325,30 +410,32 @@ private module Cached {
         // read
         exists(Node mid |
           parameterValueFlowCand(p, mid, false) and
-          readStep(mid, _, node) and
+          read(mid, _, node) and
           read = true
         )
         or
         // flow through: no prior read
-        exists(ArgumentNode arg |
+        exists(ArgumentNodeExt arg |
           parameterValueFlowArgCand(p, arg, false) and
           argumentValueFlowsThroughCand(arg, node, read)
         )
         or
         // flow through: no read inside method
-        exists(ArgumentNode arg |
+        exists(ArgumentNodeExt arg |
           parameterValueFlowArgCand(p, arg, read) and
           argumentValueFlowsThroughCand(arg, node, false)
         )
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlowArgCand(ParameterNode p, ArgumentNode arg, boolean read) {
+      private predicate parameterValueFlowArgCand(
+        ParameterNodeExt p, ArgumentNodeExt arg, boolean read
+      ) {
         parameterValueFlowCand(p, arg, read)
       }
 
       pragma[nomagic]
-      predicate parameterValueFlowsToPreUpdateCand(ParameterNode p, PostUpdateNode n) {
+      predicate parameterValueFlowsToPreUpdateCand(ParameterNodeExt p, PostUpdateNode n) {
         parameterValueFlowCand(p, n.getPreUpdateNode(), false)
       }
 
@@ -360,7 +447,7 @@ private module Cached {
        * `read` indicates whether it is contents of `p` that can flow to the return
        * node.
        */
-      predicate parameterValueFlowReturnCand(ParameterNode p, ReturnKind kind, boolean read) {
+      predicate parameterValueFlowReturnCand(ParameterNodeExt p, ReturnKind kind, boolean read) {
         exists(ReturnNode ret |
           parameterValueFlowCand(p, ret, read) and
           kind = ret.getKind()
@@ -369,9 +456,9 @@ private module Cached {
 
       pragma[nomagic]
       private predicate argumentValueFlowsThroughCand0(
-        DataFlowCall call, ArgumentNode arg, ReturnKind kind, boolean read
+        DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, boolean read
       ) {
-        exists(ParameterNode param | viableParamArg(call, param, arg) |
+        exists(ParameterNodeExt param | viableParamArg(call, param, arg) |
           parameterValueFlowReturnCand(param, kind, read)
         )
       }
@@ -382,14 +469,14 @@ private module Cached {
        *
        * `read` indicates whether it is contents of `arg` that can flow to `out`.
        */
-      predicate argumentValueFlowsThroughCand(ArgumentNode arg, Node out, boolean read) {
+      predicate argumentValueFlowsThroughCand(ArgumentNodeExt arg, Node out, boolean read) {
         exists(DataFlowCall call, ReturnKind kind |
           argumentValueFlowsThroughCand0(call, arg, kind, read) and
           out = getAnOutNode(call, kind)
         )
       }
 
-      predicate cand(ParameterNode p, Node n) {
+      predicate cand(ParameterNodeExt p, Node n) {
         parameterValueFlowCand(p, n, _) and
         (
           parameterValueFlowReturnCand(p, _, _)
@@ -416,21 +503,21 @@ private module Cached {
        * If a read step was taken, then `read` captures the `Content`, the
        * container type, and the content type.
        */
-      predicate parameterValueFlow(ParameterNode p, Node node, ReadStepTypesOption read) {
+      predicate parameterValueFlow(ParameterNodeExt p, Node node, ReadStepTypesOption read) {
         parameterValueFlow0(p, node, read) and
         if node instanceof CastingNode
         then
           // normal flow through
           read = TReadStepTypesNone() and
-          compatibleTypes(getNodeType(p), getNodeType(node))
+          compatibleTypes(getNodeDataFlowType(p), getNodeDataFlowType(node))
           or
           // getter
-          compatibleTypes(read.getContentType(), getNodeType(node))
+          compatibleTypes(read.getContentType(), getNodeDataFlowType(node))
         else any()
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlow0(ParameterNode p, Node node, ReadStepTypesOption read) {
+      private predicate parameterValueFlow0(ParameterNodeExt p, Node node, ReadStepTypesOption read) {
         p = node and
         Cand::cand(p, _) and
         read = TReadStepTypesNone()
@@ -447,7 +534,7 @@ private module Cached {
           readStepWithTypes(mid, read.getContainerType(), read.getContent(), node,
             read.getContentType()) and
           Cand::parameterValueFlowReturnCand(p, _, true) and
-          compatibleTypes(getNodeType(p), read.getContainerType())
+          compatibleTypes(getNodeDataFlowType(p), read.getContainerType())
         )
         or
         parameterValueFlow0_0(TReadStepTypesNone(), p, node, read)
@@ -455,16 +542,16 @@ private module Cached {
 
       pragma[nomagic]
       private predicate parameterValueFlow0_0(
-        ReadStepTypesOption mustBeNone, ParameterNode p, Node node, ReadStepTypesOption read
+        ReadStepTypesOption mustBeNone, ParameterNodeExt p, Node node, ReadStepTypesOption read
       ) {
         // flow through: no prior read
-        exists(ArgumentNode arg |
+        exists(ArgumentNodeExt arg |
           parameterValueFlowArg(p, arg, mustBeNone) and
           argumentValueFlowsThrough(arg, read, node)
         )
         or
         // flow through: no read inside method
-        exists(ArgumentNode arg |
+        exists(ArgumentNodeExt arg |
           parameterValueFlowArg(p, arg, read) and
           argumentValueFlowsThrough(arg, mustBeNone, node)
         )
@@ -472,7 +559,7 @@ private module Cached {
 
       pragma[nomagic]
       private predicate parameterValueFlowArg(
-        ParameterNode p, ArgumentNode arg, ReadStepTypesOption read
+        ParameterNodeExt p, ArgumentNodeExt arg, ReadStepTypesOption read
       ) {
         parameterValueFlow(p, arg, read) and
         Cand::argumentValueFlowsThroughCand(arg, _, _)
@@ -480,9 +567,9 @@ private module Cached {
 
       pragma[nomagic]
       private predicate argumentValueFlowsThrough0(
-        DataFlowCall call, ArgumentNode arg, ReturnKind kind, ReadStepTypesOption read
+        DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, ReadStepTypesOption read
       ) {
-        exists(ParameterNode param | viableParamArg(call, param, arg) |
+        exists(ParameterNodeExt param | viableParamArg(call, param, arg) |
           parameterValueFlowReturn(param, kind, read)
         )
       }
@@ -496,18 +583,18 @@ private module Cached {
        * container type, and the content type.
        */
       pragma[nomagic]
-      predicate argumentValueFlowsThrough(ArgumentNode arg, ReadStepTypesOption read, Node out) {
+      predicate argumentValueFlowsThrough(ArgumentNodeExt arg, ReadStepTypesOption read, Node out) {
         exists(DataFlowCall call, ReturnKind kind |
           argumentValueFlowsThrough0(call, arg, kind, read) and
           out = getAnOutNode(call, kind)
         |
           // normal flow through
           read = TReadStepTypesNone() and
-          compatibleTypes(getNodeType(arg), getNodeType(out))
+          compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(out))
           or
           // getter
-          compatibleTypes(getNodeType(arg), read.getContainerType()) and
-          compatibleTypes(read.getContentType(), getNodeType(out))
+          compatibleTypes(getNodeDataFlowType(arg), read.getContainerType()) and
+          compatibleTypes(read.getContentType(), getNodeDataFlowType(out))
         )
       }
 
@@ -516,7 +603,7 @@ private module Cached {
        * value-preserving steps and a single read step, not taking call
        * contexts into account, thus representing a getter-step.
        */
-      predicate getterStep(ArgumentNode arg, Content c, Node out) {
+      predicate getterStep(ArgumentNodeExt arg, Content c, Node out) {
         argumentValueFlowsThrough(arg, TReadStepTypesSome(_, c, _), out)
       }
 
@@ -529,7 +616,7 @@ private module Cached {
        * container type, and the content type.
        */
       private predicate parameterValueFlowReturn(
-        ParameterNode p, ReturnKind kind, ReadStepTypesOption read
+        ParameterNodeExt p, ReturnKind kind, ReadStepTypesOption read
       ) {
         exists(ReturnNode ret |
           parameterValueFlow(p, ret, read) and
@@ -553,7 +640,7 @@ private module Cached {
     private predicate mayBenefitFromCallContextExt(DataFlowCall call, DataFlowCallable callable) {
       mayBenefitFromCallContext(call, callable)
       or
-      callable = call.getEnclosingCallable() and
+      callEnclosingCallable(call, callable) and
       exists(viableCallableLambda(call, TDataFlowCallSome(_)))
     }
 
@@ -611,7 +698,7 @@ private module Cached {
         mayBenefitFromCallContextExt(call, _) and
         c = viableCallableExt(call) and
         ctxtgts = count(DataFlowCall ctx | c = viableImplInCallContextExt(call, ctx)) and
-        tgts = strictcount(DataFlowCall ctx | viableCallableExt(ctx) = call.getEnclosingCallable()) and
+        tgts = strictcount(DataFlowCall ctx | callEnclosingCallable(call, viableCallableExt(ctx))) and
         ctxtgts < tgts
       )
     }
@@ -635,8 +722,7 @@ private module Cached {
    * Holds if `p` can flow to the pre-update node associated with post-update
    * node `n`, in the same callable, using only value-preserving steps.
    */
-  cached
-  predicate parameterValueFlowsToPreUpdate(ParameterNode p, PostUpdateNode n) {
+  private predicate parameterValueFlowsToPreUpdate(ParameterNodeExt p, PostUpdateNode n) {
     parameterValueFlow(p, n.getPreUpdateNode(), TReadStepTypesNone())
   }
 
@@ -644,9 +730,9 @@ private module Cached {
     Node node1, Content c, Node node2, DataFlowType contentType, DataFlowType containerType
   ) {
     storeStep(node1, c, node2) and
-    readStep(_, c, _) and
-    contentType = getNodeType(node1) and
-    containerType = getNodeType(node2)
+    read(_, c, _) and
+    contentType = getNodeDataFlowType(node1) and
+    containerType = getNodeDataFlowType(node2)
     or
     exists(Node n1, Node n2 |
       n1 = node1.(PostUpdateNode).getPreUpdateNode() and
@@ -654,12 +740,15 @@ private module Cached {
     |
       argumentValueFlowsThrough(n2, TReadStepTypesSome(containerType, c, contentType), n1)
       or
-      readStep(n2, c, n1) and
-      contentType = getNodeType(n1) and
-      containerType = getNodeType(n2)
+      read(n2, c, n1) and
+      contentType = getNodeDataFlowType(n1) and
+      containerType = getNodeDataFlowType(n2)
     )
   }
 
+  cached
+  predicate read(Node node1, Content c, Node node2) { readStep(node1, c, node2) }
+
   /**
    * Holds if data can flow from `node1` to `node2` via a direct assignment to
    * `f`.
@@ -678,8 +767,9 @@ private module Cached {
    * are aliases. A typical example is a function returning `this`, implementing a fluent
    * interface.
    */
-  cached
-  predicate reverseStepThroughInputOutputAlias(PostUpdateNode fromNode, PostUpdateNode toNode) {
+  private predicate reverseStepThroughInputOutputAlias(
+    PostUpdateNode fromNode, PostUpdateNode toNode
+  ) {
     exists(Node fromPre, Node toPre |
       fromPre = fromNode.getPreUpdateNode() and
       toPre = toNode.getPreUpdateNode()
@@ -688,14 +778,20 @@ private module Cached {
         // Does the language-specific simpleLocalFlowStep already model flow
         // from function input to output?
         fromPre = getAnOutNode(c, _) and
-        toPre.(ArgumentNode).argumentOf(c, _) and
-        simpleLocalFlowStep(toPre.(ArgumentNode), fromPre)
+        toPre.(ArgumentNodeExt).argumentOf(c, _) and
+        simpleLocalFlowStep(toPre.(ArgumentNodeExt), fromPre)
       )
       or
       argumentValueFlowsThrough(toPre, TReadStepTypesNone(), fromPre)
     )
   }
 
+  cached
+  predicate simpleLocalFlowStepExt(Node node1, Node node2) {
+    simpleLocalFlowStep(node1, node2) or
+    reverseStepThroughInputOutputAlias(node1, node2)
+  }
+
   /**
    * Holds if the call context `call` either improves virtual dispatch in
    * `callable` or if it allows us to prune unreachable nodes in `callable`.
@@ -704,7 +800,7 @@ private module Cached {
   predicate recordDataFlowCallSite(DataFlowCall call, DataFlowCallable callable) {
     reducedViableImplInCallContext(_, callable, call)
     or
-    exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCall(n, call))
+    exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCallCached(n, call))
   }
 
   cached
@@ -726,12 +822,12 @@ private module Cached {
   cached
   newtype TLocalFlowCallContext =
     TAnyLocalCall() or
-    TSpecificLocalCall(DataFlowCall call) { isUnreachableInCall(_, call) }
+    TSpecificLocalCall(DataFlowCall call) { isUnreachableInCallCached(_, call) }
 
   cached
   newtype TReturnKindExt =
     TValueReturn(ReturnKind kind) or
-    TParamUpdate(int pos) { exists(ParameterNode p | p.isParameterOf(_, pos)) }
+    TParamUpdate(int pos) { exists(ParameterNodeExt p | p.isParameterOf(_, pos)) }
 
   cached
   newtype TBooleanOption =
@@ -761,23 +857,15 @@ private module Cached {
  * A `Node` at which a cast can occur such that the type should be checked.
  */
 class CastingNode extends Node {
-  CastingNode() {
-    this instanceof ParameterNode or
-    this instanceof CastNode or
-    this instanceof OutNodeExt or
-    // For reads, `x.f`, we want to check that the tracked type after the read (which
-    // is obtained by popping the head of the access path stack) is compatible with
-    // the type of `x.f`.
-    readStep(_, _, this)
-  }
+  CastingNode() { castingNode(this) }
 }
 
 private predicate readStepWithTypes(
   Node n1, DataFlowType container, Content c, Node n2, DataFlowType content
 ) {
-  readStep(n1, c, n2) and
-  container = getNodeType(n1) and
-  content = getNodeType(n2)
+  read(n1, c, n2) and
+  container = getNodeDataFlowType(n1) and
+  content = getNodeDataFlowType(n2)
 }
 
 private newtype TReadStepTypesOption =
@@ -854,7 +942,7 @@ class CallContextSomeCall extends CallContextCall, TSomeCall {
   override string toString() { result = "CcSomeCall" }
 
   override predicate relevantFor(DataFlowCallable callable) {
-    exists(ParameterNode p | getNodeEnclosingCallable(p) = callable)
+    exists(ParameterNodeExt p | getNodeEnclosingCallable(p) = callable)
   }
 
   override predicate matchesCall(DataFlowCall call) { any() }
@@ -866,7 +954,7 @@ class CallContextReturn extends CallContextNoCall, TReturn {
   }
 
   override predicate relevantFor(DataFlowCallable callable) {
-    exists(DataFlowCall call | this = TReturn(_, call) and call.getEnclosingCallable() = callable)
+    exists(DataFlowCall call | this = TReturn(_, call) and callEnclosingCallable(call, callable))
   }
 }
 
@@ -899,7 +987,7 @@ class LocalCallContextSpecificCall extends LocalCallContext, TSpecificLocalCall
 }
 
 private predicate relevantLocalCCtx(DataFlowCall call, DataFlowCallable callable) {
-  exists(Node n | getNodeEnclosingCallable(n) = callable and isUnreachableInCall(n, call))
+  exists(Node n | getNodeEnclosingCallable(n) = callable and isUnreachableInCallCached(n, call))
 }
 
 /**
@@ -913,26 +1001,37 @@ LocalCallContext getLocalCallContext(CallContext ctx, DataFlowCallable callable)
   else result instanceof LocalCallContextAny
 }
 
+/**
+ * The value of a parameter at function entry, viewed as a node in a data
+ * flow graph.
+ */
+class ParameterNodeExt extends Node {
+  ParameterNodeExt() { parameterNode(this, _, _) }
+
+  /**
+   * Holds if this node is the parameter of callable `c` at the specified
+   * (zero-based) position.
+   */
+  predicate isParameterOf(DataFlowCallable c, int i) { parameterNode(this, c, i) }
+}
+
+/** A data-flow node that represents a call argument. */
+class ArgumentNodeExt extends Node {
+  ArgumentNodeExt() { argumentNode(this, _, _) }
+
+  /** Holds if this argument occurs at the given position in the given call. */
+  final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }
+}
+
 /**
  * A node from which flow can return to the caller. This is either a regular
  * `ReturnNode` or a `PostUpdateNode` corresponding to the value of a parameter.
  */
 class ReturnNodeExt extends Node {
-  ReturnNodeExt() {
-    this instanceof ReturnNode or
-    parameterValueFlowsToPreUpdate(_, this)
-  }
+  ReturnNodeExt() { returnNodeExt(this, _) }
 
   /** Gets the kind of this returned value. */
-  ReturnKindExt getKind() {
-    result = TValueReturn(this.(ReturnNode).getKind())
-    or
-    exists(ParameterNode p, int pos |
-      parameterValueFlowsToPreUpdate(p, this) and
-      p.isParameterOf(_, pos) and
-      result = TParamUpdate(pos)
-    )
-  }
+  ReturnKindExt getKind() { returnNodeExt(this, result) }
 }
 
 /**
@@ -940,11 +1039,7 @@ class ReturnNodeExt extends Node {
  * or a post-update node associated with a call argument.
  */
 class OutNodeExt extends Node {
-  OutNodeExt() {
-    this instanceof OutNode
-    or
-    this.(PostUpdateNode).getPreUpdateNode() instanceof ArgumentNode
-  }
+  OutNodeExt() { outNodeExt(this) }
 }
 
 /**
@@ -957,7 +1052,7 @@ abstract class ReturnKindExt extends TReturnKindExt {
   abstract string toString();
 
   /** Gets a node corresponding to data flow out of `call`. */
-  abstract OutNodeExt getAnOutNode(DataFlowCall call);
+  final OutNodeExt getAnOutNode(DataFlowCall call) { result = getAnOutNodeExt(call, this) }
 }
 
 class ValueReturnKind extends ReturnKindExt, TValueReturn {
@@ -968,10 +1063,6 @@ class ValueReturnKind extends ReturnKindExt, TValueReturn {
   ReturnKind getKind() { result = kind }
 
   override string toString() { result = kind.toString() }
-
-  override OutNodeExt getAnOutNode(DataFlowCall call) {
-    result = getAnOutNode(call, this.getKind())
-  }
 }
 
 class ParamUpdateReturnKind extends ReturnKindExt, TParamUpdate {
@@ -982,13 +1073,6 @@ class ParamUpdateReturnKind extends ReturnKindExt, TParamUpdate {
   int getPosition() { result = pos }
 
   override string toString() { result = "param update " + pos }
-
-  override OutNodeExt getAnOutNode(DataFlowCall call) {
-    exists(ArgumentNode arg |
-      result.(PostUpdateNode).getPreUpdateNode() = arg and
-      arg.argumentOf(call, this.getPosition())
-    )
-  }
 }
 
 /** A callable tagged with a relevant return kind. */
@@ -1015,10 +1099,13 @@ class ReturnPosition extends TReturnPosition0 {
  */
 pragma[inline]
 DataFlowCallable getNodeEnclosingCallable(Node n) {
-  exists(Node n0 |
-    pragma[only_bind_into](n0) = n and
-    pragma[only_bind_into](result) = n0.getEnclosingCallable()
-  )
+  nodeEnclosingCallable(pragma[only_bind_out](n), pragma[only_bind_into](result))
+}
+
+/** Gets the type of `n` used for type pruning. */
+pragma[inline]
+DataFlowType getNodeDataFlowType(Node n) {
+  nodeDataFlowType(pragma[only_bind_out](n), pragma[only_bind_into](result))
 }
 
 pragma[noinline]
@@ -1042,7 +1129,7 @@ predicate resolveReturn(CallContext cc, DataFlowCallable callable, DataFlowCall
   cc instanceof CallContextAny and callable = viableCallableExt(call)
   or
   exists(DataFlowCallable c0, DataFlowCall call0 |
-    call0.getEnclosingCallable() = callable and
+    callEnclosingCallable(call0, callable) and
     cc = TReturn(c0, call0) and
     c0 = prunedViableImplInCallContextReverse(call0, call)
   )
@@ -1063,8 +1150,6 @@ DataFlowCallable resolveCall(DataFlowCall call, CallContext cc) {
   result = viableCallableExt(call) and cc instanceof CallContextReturn
 }
 
-predicate read = readStep/3;
-
 /** An optional Boolean value. */
 class BooleanOption extends TBooleanOption {
   string toString() {
@@ -1116,7 +1201,7 @@ abstract class AccessPathFront extends TAccessPathFront {
 
   TypedContent getHead() { this = TFrontHead(result) }
 
-  predicate isClearedAt(Node n) { clearsContent(n, getHead().getContent()) }
+  predicate isClearedAt(Node n) { clearsContentCached(n, getHead().getContent()) }
 }
 
 class AccessPathFrontNil extends AccessPathFront, TFrontNil {

From befc80b3cbe8ac7899a2e5b023ba2a39d5221099 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 26 Apr 2021 17:02:28 +0200
Subject: [PATCH 0695/1429] C#: Update data-flow caching

---
 csharp/ql/src/semmle/code/csharp/Caching.qll  |  38 --
 .../dataflow/internal/DataFlowDispatch.qll    |  49 +-
 .../dataflow/internal/DataFlowPrivate.qll     | 582 ++++++++----------
 .../dataflow/internal/DataFlowPublic.qll      |  12 +-
 .../internal/TaintTrackingPrivate.qll         |   7 +-
 5 files changed, 304 insertions(+), 384 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/Caching.qll b/csharp/ql/src/semmle/code/csharp/Caching.qll
index 374ecaaa183..92417e34586 100644
--- a/csharp/ql/src/semmle/code/csharp/Caching.qll
+++ b/csharp/ql/src/semmle/code/csharp/Caching.qll
@@ -47,44 +47,6 @@ module Stages {
     }
   }
 
-  cached
-  module DataFlowStage {
-    private import semmle.code.csharp.dataflow.internal.DataFlowDispatch
-    private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
-    private import semmle.code.csharp.dataflow.internal.DataFlowImplCommon
-    private import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
-
-    cached
-    predicate forceCachingInSameStage() { any() }
-
-    cached
-    private predicate forceCachingInSameStageRev() {
-      defaultAdditionalTaintStep(_, _)
-      or
-      any(ArgumentNode n).argumentOf(_, _)
-      or
-      exists(any(DataFlow::Node n).getEnclosingCallable())
-      or
-      exists(any(DataFlow::Node n).getControlFlowNode())
-      or
-      exists(any(DataFlow::Node n).getType())
-      or
-      exists(any(NodeImpl n).getDataFlowType())
-      or
-      exists(any(DataFlow::Node n).getLocation())
-      or
-      exists(any(DataFlow::Node n).toString())
-      or
-      exists(any(OutNode n).getCall(_))
-      or
-      exists(CallContext cc)
-      or
-      exists(any(DataFlowCall c).getEnclosingCallable())
-      or
-      forceCachingInSameStageRev()
-    }
-  }
-
   cached
   module UnificationStage {
     private import semmle.code.csharp.Unification
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
index 0a7cf4acc41..04465f5ae9e 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
@@ -1,10 +1,10 @@
 private import csharp
 private import cil
 private import dotnet
+private import DataFlowImplCommon as DataFlowImplCommon
 private import DataFlowPublic
 private import DataFlowPrivate
 private import FlowSummaryImpl as FlowSummaryImpl
-private import semmle.code.csharp.Caching
 private import semmle.code.csharp.dataflow.FlowSummary
 private import semmle.code.csharp.dispatch.Dispatch
 private import semmle.code.csharp.frameworks.system.Collections
@@ -68,31 +68,30 @@ private predicate transitiveCapturedCallTarget(ControlFlow::Nodes::ElementNode c
   )
 }
 
-cached
-private module Cached {
-  cached
-  newtype TReturnKind =
-    TNormalReturnKind() { Stages::DataFlowStage::forceCachingInSameStage() } or
-    TOutReturnKind(int i) { i = any(Parameter p | p.isOut()).getPosition() } or
-    TRefReturnKind(int i) { i = any(Parameter p | p.isRef()).getPosition() } or
-    TImplicitCapturedReturnKind(LocalScopeVariable v) {
-      exists(Ssa::ExplicitDefinition def | def.isCapturedVariableDefinitionFlowOut(_, _) |
-        v = def.getSourceVariable().getAssignable()
-      )
-    } or
-    TJumpReturnKind(DataFlowCallable target, ReturnKind rk) {
-      rk instanceof NormalReturnKind and
-      (
-        target instanceof Constructor or
-        not target.getReturnType() instanceof VoidType
-      )
-      or
-      exists(target.getParameter(rk.(OutRefReturnKind).getPosition()))
-    }
+newtype TReturnKind =
+  TNormalReturnKind() or
+  TOutReturnKind(int i) { i = any(Parameter p | p.isOut()).getPosition() } or
+  TRefReturnKind(int i) { i = any(Parameter p | p.isRef()).getPosition() } or
+  TImplicitCapturedReturnKind(LocalScopeVariable v) {
+    exists(Ssa::ExplicitDefinition def | def.isCapturedVariableDefinitionFlowOut(_, _) |
+      v = def.getSourceVariable().getAssignable()
+    )
+  } or
+  TJumpReturnKind(DataFlowCallable target, ReturnKind rk) {
+    rk instanceof NormalReturnKind and
+    (
+      target instanceof Constructor or
+      not target.getReturnType() instanceof VoidType
+    )
+    or
+    exists(target.getParameter(rk.(OutRefReturnKind).getPosition()))
+  }
 
+private module Cached {
   cached
   newtype TDataFlowCall =
     TNonDelegateCall(ControlFlow::Nodes::ElementNode cfn, DispatchCall dc) {
+      DataFlowImplCommon::forceCachingInSameStage() and
       cfn.getElement() = dc.getCall()
     } or
     TExplicitDelegateLikeCall(ControlFlow::Nodes::ElementNode cfn, DelegateLikeCall dc) {
@@ -246,7 +245,6 @@ abstract class DataFlowCall extends TDataFlowCall {
   abstract DataFlow::Node getNode();
 
   /** Gets the enclosing callable of this call. */
-  cached
   abstract DataFlowCallable getEnclosingCallable();
 
   /** Gets the underlying expression, if any. */
@@ -280,10 +278,7 @@ class NonDelegateDataFlowCall extends DataFlowCall, TNonDelegateCall {
 
   override DataFlow::ExprNode getNode() { result.getControlFlowNode() = cfn }
 
-  override DataFlowCallable getEnclosingCallable() {
-    Stages::DataFlowStage::forceCachingInSameStage() and
-    result = cfn.getEnclosingCallable()
-  }
+  override DataFlowCallable getEnclosingCallable() { result = cfn.getEnclosingCallable() }
 
   override string toString() { result = cfn.toString() }
 
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
index f42410ca3a5..c1b15df72dc 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -7,7 +7,6 @@ private import DataFlowImplCommon
 private import ControlFlowReachability
 private import FlowSummaryImpl as FlowSummaryImpl
 private import semmle.code.csharp.dataflow.FlowSummary
-private import semmle.code.csharp.Caching
 private import semmle.code.csharp.Conversion
 private import semmle.code.csharp.dataflow.internal.SsaImpl as SsaImpl
 private import semmle.code.csharp.ExprOrStmtParent
@@ -21,7 +20,6 @@ private import semmle.code.csharp.frameworks.system.threading.Tasks
 
 abstract class NodeImpl extends Node {
   /** Do not call: use `getEnclosingCallable()` instead. */
-  cached
   abstract DataFlowCallable getEnclosingCallableImpl();
 
   /** Do not call: use `getType()` instead. */
@@ -29,9 +27,8 @@ abstract class NodeImpl extends Node {
   abstract DotNet::Type getTypeImpl();
 
   /** Gets the type of this node used for type pruning. */
-  cached
   Gvn::GvnType getDataFlowType() {
-    Stages::DataFlowStage::forceCachingInSameStage() and
+    forceCachingInSameStage() and
     exists(Type t0 | result = Gvn::getGlobalValueNumber(t0) |
       t0 = getCSharpType(this.getType())
       or
@@ -55,26 +52,25 @@ abstract class NodeImpl extends Node {
 
 private class ExprNodeImpl extends ExprNode, NodeImpl {
   override DataFlowCallable getEnclosingCallableImpl() {
-    Stages::DataFlowStage::forceCachingInSameStage() and
     result = this.getExpr().getEnclosingCallable()
   }
 
   override DotNet::Type getTypeImpl() {
-    Stages::DataFlowStage::forceCachingInSameStage() and
+    forceCachingInSameStage() and
     result = this.getExpr().getType()
   }
 
   override ControlFlow::Nodes::ElementNode getControlFlowNodeImpl() {
-    Stages::DataFlowStage::forceCachingInSameStage() and this = TExprNode(result)
+    forceCachingInSameStage() and this = TExprNode(result)
   }
 
   override Location getLocationImpl() {
-    Stages::DataFlowStage::forceCachingInSameStage() and result = this.getExpr().getLocation()
+    forceCachingInSameStage() and result = this.getExpr().getLocation()
   }
 
   override string toStringImpl() {
-    Stages::DataFlowStage::forceCachingInSameStage() and
-    result = this.getControlFlowNode().toString()
+    forceCachingInSameStage() and
+    result = this.getControlFlowNodeImpl().toString()
     or
     exists(CIL::Expr e |
       this = TCilExprNode(e) and
@@ -394,6 +390,22 @@ module LocalFlow {
   }
 }
 
+/**
+ * This is the local flow predicate that is used as a building block in global
+ * data flow. It excludes SSA flow through instance fields, as flow through fields
+ * is handled by the global data-flow library, but includes various other steps
+ * that are only relevant for global flow.
+ */
+predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
+  LocalFlow::localFlowStepCommon(nodeFrom, nodeTo)
+  or
+  LocalFlow::localFlowCapturedVarStep(nodeFrom, nodeTo)
+  or
+  FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo, true)
+  or
+  nodeTo.(ObjectCreationNode).getPreUpdateNode() = nodeFrom.(ObjectInitializerNode)
+}
+
 pragma[noinline]
 private Expr getImplicitArgument(Call c, int pos) {
   result = c.getArgument(pos) and
@@ -582,12 +594,16 @@ private Type getCSharpType(DotNet::Type t) {
   result.matchesHandle(t)
 }
 
+private class RelevantDataFlowType extends DataFlowType {
+  RelevantDataFlowType() { this = any(NodeImpl n).getDataFlowType() }
+}
+
 /** A GVN type that is either a `DataFlowType` or unifiable with a `DataFlowType`. */
 private class DataFlowTypeOrUnifiable extends Gvn::GvnType {
   pragma[nomagic]
   DataFlowTypeOrUnifiable() {
-    this instanceof DataFlowType or
-    Gvn::unifiable(any(DataFlowType t), this)
+    this instanceof RelevantDataFlowType or
+    Gvn::unifiable(any(RelevantDataFlowType t), this)
   }
 }
 
@@ -598,7 +614,7 @@ private TypeParameter getATypeParameterSubType(DataFlowTypeOrUnifiable t) {
 }
 
 pragma[noinline]
-private TypeParameter getATypeParameterSubTypeRestricted(DataFlowType t) {
+private TypeParameter getATypeParameterSubTypeRestricted(RelevantDataFlowType t) {
   result = getATypeParameterSubType(t)
 }
 
@@ -614,17 +630,30 @@ private Gvn::GvnType getANonTypeParameterSubType(DataFlowTypeOrUnifiable t) {
 }
 
 pragma[noinline]
-private Gvn::GvnType getANonTypeParameterSubTypeRestricted(DataFlowType t) {
+private Gvn::GvnType getANonTypeParameterSubTypeRestricted(RelevantDataFlowType t) {
   result = getANonTypeParameterSubType(t)
 }
 
 /** A collection of cached types and predicates to be evaluated in the same stage. */
 cached
 private module Cached {
+  private import TaintTrackingPrivate as TaintTrackingPrivate
+
+  // Add artificial dependencies to enforce all cached predicates are evaluated
+  // in the "DataFlowImplCommon stage"
+  private predicate forceCaching() {
+    TaintTrackingPrivate::forceCachingInSameStage() or
+    exists(any(NodeImpl n).getTypeImpl()) or
+    exists(any(NodeImpl n).getControlFlowNodeImpl()) or
+    exists(any(NodeImpl n).getLocationImpl()) or
+    exists(any(NodeImpl n).toStringImpl())
+  }
+
   cached
   newtype TNode =
     TExprNode(ControlFlow::Nodes::ElementNode cfn) {
-      Stages::DataFlowStage::forceCachingInSameStage() and cfn.getElement() instanceof Expr
+      forceCaching() and
+      cfn.getElement() instanceof Expr
     } or
     TCilExprNode(CIL::Expr e) { e.getImplementation() instanceof CIL::BestImplementation } or
     TSsaDefinitionNode(Ssa::Definition def) {
@@ -679,23 +708,6 @@ private module Cached {
       callCfn = any(Call c | isParamsArg(c, _, _)).getAControlFlowNode()
     }
 
-  /**
-   * This is the local flow predicate that is used as a building block in global
-   * data flow. It excludes SSA flow through instance fields, as flow through fields
-   * is handled by the global data-flow library, but includes various other steps
-   * that are only relevant for global flow.
-   */
-  cached
-  predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
-    LocalFlow::localFlowStepCommon(nodeFrom, nodeTo)
-    or
-    LocalFlow::localFlowCapturedVarStep(nodeFrom, nodeTo)
-    or
-    FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo, true)
-    or
-    nodeTo.(ObjectCreationNode).getPreUpdateNode() = nodeFrom.(ObjectInitializerNode)
-  }
-
   /**
    * Holds if data flows from `nodeFrom` to `nodeTo` in exactly one local
    * (intra-procedural) step.
@@ -714,178 +726,14 @@ private module Cached {
     FlowSummaryImpl::Private::Steps::summaryThroughStep(nodeFrom, nodeTo, true)
   }
 
-  /**
-   * Holds if `pred` can flow to `succ`, by jumping from one callable to
-   * another. Additional steps specified by the configuration are *not*
-   * taken into account.
-   */
-  cached
-  predicate jumpStepImpl(Node pred, Node succ) {
-    pred.(NonLocalJumpNode).getAJumpSuccessor(true) = succ
-    or
-    exists(FieldOrProperty fl, FieldOrPropertyRead flr |
-      fl.isStatic() and
-      fl.isFieldLike() and
-      fl.getAnAssignedValue() = pred.asExpr() and
-      fl.getAnAccess() = flr and
-      flr = succ.asExpr() and
-      flr.hasNonlocalValue()
-    )
-    or
-    exists(JumpReturnKind jrk, DataFlowCall call |
-      FlowSummaryImpl::Private::summaryReturnNode(pred, jrk) and
-      viableCallable(call) = jrk.getTarget() and
-      succ = getAnOutNode(call, jrk.getTargetReturnKind())
-    )
-  }
-
   cached
   newtype TContent =
     TFieldContent(Field f) { f.isUnboundDeclaration() } or
     TPropertyContent(Property p) { p.isUnboundDeclaration() } or
     TElementContent()
 
-  /**
-   * Holds if data can flow from `node1` to `node2` via an assignment to
-   * content `c`.
-   */
-  cached
-  predicate storeStepImpl(Node node1, Content c, Node node2) {
-    exists(StoreStepConfiguration x, ExprNode node, boolean postUpdate |
-      hasNodePath(x, node1, node) and
-      if postUpdate = true then node = node2.(PostUpdateNode).getPreUpdateNode() else node = node2
-    |
-      fieldOrPropertyStore(_, c, node1.asExpr(), node.getExpr(), postUpdate)
-      or
-      arrayStore(_, node1.asExpr(), node.getExpr(), postUpdate) and c instanceof ElementContent
-    )
-    or
-    exists(StoreStepConfiguration x, Expr arg, ControlFlow::Node callCfn |
-      x.hasExprPath(arg, node1.(ExprNode).getControlFlowNode(), _, callCfn) and
-      node2 = TParamsArgumentNode(callCfn) and
-      isParamsArg(_, arg, _) and
-      c instanceof ElementContent
-    )
-    or
-    exists(Expr e |
-      e = node1.asExpr() and
-      node2.(YieldReturnNode).getYieldReturnStmt().getExpr() = e and
-      c instanceof ElementContent
-    )
-    or
-    exists(Expr e |
-      e = node1.asExpr() and
-      node2.(AsyncReturnNode).getExpr() = e and
-      c = getResultContent()
-    )
-    or
-    FlowSummaryImpl::Private::Steps::summaryStoreStep(node1, c, node2)
-  }
-
   pragma[nomagic]
-  private PropertyContent getResultContent() {
-    result.getProperty() = any(SystemThreadingTasksTaskTClass c_).getResultProperty()
-  }
-
-  /**
-   * Holds if data can flow from `node1` to `node2` via a read of content `c`.
-   */
-  cached
-  predicate readStepImpl(Node node1, Content c, Node node2) {
-    exists(ReadStepConfiguration x |
-      hasNodePath(x, node1, node2) and
-      fieldOrPropertyRead(node1.asExpr(), c, node2.asExpr())
-      or
-      hasNodePath(x, node1, node2) and
-      arrayRead(node1.asExpr(), node2.asExpr()) and
-      c instanceof ElementContent
-      or
-      exists(ForeachStmt fs, Ssa::ExplicitDefinition def |
-        x.hasDefPath(fs.getIterableExpr(), node1.getControlFlowNode(), def.getADefinition(),
-          def.getControlFlowNode()) and
-        node2.(SsaDefinitionNode).getDefinition() = def and
-        c instanceof ElementContent
-      )
-      or
-      hasNodePath(x, node1, node2) and
-      node2.asExpr().(AwaitExpr).getExpr() = node1.asExpr() and
-      c = getResultContent()
-      or
-      // node1 = (..., node2, ...)
-      // node1.ItemX flows to node2
-      exists(TupleExpr te, int i, Expr item |
-        te = node1.asExpr() and
-        not te.isConstruction() and
-        c.(FieldContent).getField() = te.getType().(TupleType).getElement(i).getUnboundDeclaration() and
-        // node1 = (..., item, ...)
-        te.getArgument(i) = item
-      |
-        // item = (..., ..., ...) in node1 = (..., (..., ..., ...), ...)
-        node2.asExpr().(TupleExpr) = item and
-        hasNodePath(x, node1, node2)
-        or
-        // item = variable in node1 = (..., variable, ...)
-        exists(AssignableDefinitions::TupleAssignmentDefinition tad, Ssa::ExplicitDefinition def |
-          node2.(SsaDefinitionNode).getDefinition() = def and
-          def.getADefinition() = tad and
-          tad.getLeaf() = item and
-          hasNodePath(x, node1, node2)
-        )
-        or
-        // item = variable in node1 = (..., variable, ...) in a case/is var (..., ...)
-        te = any(PatternExpr pe).getAChildExpr*() and
-        exists(AssignableDefinitions::LocalVariableDefinition lvd, Ssa::ExplicitDefinition def |
-          node2.(SsaDefinitionNode).getDefinition() = def and
-          def.getADefinition() = lvd and
-          lvd.getDeclaration() = item and
-          hasNodePath(x, node1, node2)
-        )
-      )
-    )
-    or
-    FlowSummaryImpl::Private::Steps::summaryReadStep(node1, c, node2)
-  }
-
-  /**
-   * Holds if values stored inside content `c` are cleared at node `n`. For example,
-   * any value stored inside `f` is cleared at the pre-update node associated with `x`
-   * in `x.f = newValue`.
-   */
-  cached
-  predicate clearsContent(Node n, Content c) {
-    fieldOrPropertyStore(_, c, _, n.asExpr(), true)
-    or
-    fieldOrPropertyStore(_, c, _, n.(ObjectInitializerNode).getInitializer(), false)
-    or
-    FlowSummaryImpl::Private::Steps::summaryStoresIntoArg(c, n) and
-    not c instanceof ElementContent
-    or
-    FlowSummaryImpl::Private::Steps::summaryClearsContent(n, c)
-    or
-    exists(WithExpr we, ObjectInitializer oi, FieldOrProperty f |
-      oi = we.getInitializer() and
-      n.asExpr() = oi and
-      f = oi.getAMemberInitializer().getInitializedMember() and
-      c = f.getContent()
-    )
-  }
-
-  /**
-   * Holds if the node `n` is unreachable when the call context is `call`.
-   */
-  cached
-  predicate isUnreachableInCall(Node n, DataFlowCall call) {
-    exists(
-      ExplicitParameterNode paramNode, Guard guard, ControlFlow::SuccessorTypes::BooleanSuccessor bs
-    |
-      viableConstantBooleanParamArg(paramNode, bs.getValue().booleanNot(), call) and
-      paramNode.getSsaDefinition().getARead() = guard and
-      guard.controlsBlock(n.getControlFlowNode().getBasicBlock(), bs, _)
-    )
-  }
-
-  pragma[nomagic]
-  private predicate commonSubTypeGeneral(DataFlowTypeOrUnifiable t1, DataFlowType t2) {
+  private predicate commonSubTypeGeneral(DataFlowTypeOrUnifiable t1, RelevantDataFlowType t2) {
     not t1 instanceof Gvn::TypeParameterGvnType and
     t1 = t2
     or
@@ -899,102 +747,53 @@ private module Cached {
    * `t2` are allowed to be type parameters.
    */
   cached
-  predicate commonSubType(DataFlowType t1, DataFlowType t2) { commonSubTypeGeneral(t1, t2) }
+  predicate commonSubType(RelevantDataFlowType t1, RelevantDataFlowType t2) {
+    commonSubTypeGeneral(t1, t2)
+  }
 
   cached
-  predicate commonSubTypeUnifiableLeft(DataFlowType t1, DataFlowType t2) {
+  predicate commonSubTypeUnifiableLeft(RelevantDataFlowType t1, RelevantDataFlowType t2) {
     exists(Gvn::GvnType t |
       Gvn::unifiable(t1, t) and
       commonSubTypeGeneral(t, t2)
     )
   }
-
-  cached
-  predicate outRefReturnNode(Ssa::ExplicitDefinition def, OutRefReturnKind kind) {
-    exists(Parameter p |
-      def.isLiveOutRefParameterDefinition(p) and
-      kind.getPosition() = p.getPosition()
-    |
-      p.isOut() and kind instanceof OutReturnKind
-      or
-      p.isRef() and kind instanceof RefReturnKind
-    )
-  }
-
-  cached
-  predicate summaryOutNodeCached(DataFlowCall c, Node out, ReturnKind rk) {
-    FlowSummaryImpl::Private::summaryOutNode(c, out, rk)
-  }
-
-  cached
-  predicate summaryArgumentNodeCached(DataFlowCall c, Node arg, int i) {
-    FlowSummaryImpl::Private::summaryArgumentNode(c, arg, i)
-  }
-
-  cached
-  predicate summaryPostUpdateNodeCached(Node post, ParameterNode pre) {
-    FlowSummaryImpl::Private::summaryPostUpdateNode(post, pre)
-  }
-
-  cached
-  predicate summaryReturnNodeCached(Node ret, ReturnKind rk) {
-    FlowSummaryImpl::Private::summaryReturnNode(ret, rk) and
-    not rk instanceof JumpReturnKind
-  }
-
-  cached
-  predicate castNode(Node n) {
-    n.asExpr() instanceof Cast
-    or
-    n.(AssignableDefinitionNode).getDefinition() instanceof AssignableDefinitions::PatternDefinition
-  }
-
-  /** Holds if `n` should be hidden from path explanations. */
-  cached
-  predicate nodeIsHidden(Node n) {
-    exists(Ssa::Definition def | def = n.(SsaDefinitionNode).getDefinition() |
-      def instanceof Ssa::PhiNode
-      or
-      def instanceof Ssa::ImplicitEntryDefinition
-      or
-      def instanceof Ssa::ImplicitCallDefinition
-    )
-    or
-    exists(Parameter p |
-      p = n.(ParameterNode).getParameter() and
-      not p.fromSource()
-    )
-    or
-    n = TInstanceParameterNode(any(Callable c | not c.fromSource()))
-    or
-    n instanceof YieldReturnNode
-    or
-    n instanceof AsyncReturnNode
-    or
-    n instanceof ImplicitCapturedArgumentNode
-    or
-    n instanceof MallocNode
-    or
-    n instanceof SummaryNode
-    or
-    n instanceof ParamsArgumentNode
-    or
-    n.asExpr() = any(WithExpr we).getInitializer()
-  }
-
-  cached
-  predicate parameterNode(Node n, DataFlowCallable c, int i) {
-    n.(ParameterNodeImpl).isParameterOf(c, i)
-  }
-
-  cached
-  predicate argumentNode(Node n, DataFlowCall call, int pos) {
-    n.(ArgumentNodeImpl).argumentOf(call, pos)
-  }
 }
 
 import Cached
 
+/** Holds if `n` should be hidden from path explanations. */
+predicate nodeIsHidden(Node n) {
+  exists(Ssa::Definition def | def = n.(SsaDefinitionNode).getDefinition() |
+    def instanceof Ssa::PhiNode
+    or
+    def instanceof Ssa::ImplicitEntryDefinition
+    or
+    def instanceof Ssa::ImplicitCallDefinition
+  )
+  or
+  exists(Parameter p |
+    p = n.(ParameterNode).getParameter() and
+    not p.fromSource()
+  )
+  or
+  n = TInstanceParameterNode(any(Callable c | not c.fromSource()))
+  or
+  n instanceof YieldReturnNode
+  or
+  n instanceof AsyncReturnNode
+  or
+  n instanceof ImplicitCapturedArgumentNode
+  or
+  n instanceof MallocNode
+  or
+  n instanceof SummaryNode
+  or
+  n instanceof ParamsArgumentNode
+  or
+  n.asExpr() = any(WithExpr we).getInitializer()
+}
+
 /** An SSA definition, viewed as a node in a data flow graph. */
 class SsaDefinitionNode extends NodeImpl, TSsaDefinitionNode {
   Ssa::Definition def;
@@ -1142,10 +941,12 @@ import ParameterNodes
 
 /** A data-flow node that represents a call argument. */
 class ArgumentNode extends Node {
-  ArgumentNode() { argumentNode(this, _, _) }
+  ArgumentNode() { this instanceof ArgumentNodeImpl }
 
   /** Holds if this argument occurs at the given position in the given call. */
-  final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }
+  final predicate argumentOf(DataFlowCall call, int pos) {
+    this.(ArgumentNodeImpl).argumentOf(call, pos)
+  }
 }
 
 abstract private class ArgumentNodeImpl extends Node {
@@ -1310,14 +1111,10 @@ private module ArgumentNodes {
   }
 
   private class SummaryArgumentNode extends SummaryNode, ArgumentNodeImpl {
-    private DataFlowCall c;
-    private int i;
-
-    SummaryArgumentNode() { summaryArgumentNodeCached(c, this, i) }
+    SummaryArgumentNode() { FlowSummaryImpl::Private::summaryArgumentNode(_, this, _) }
 
     override predicate argumentOf(DataFlowCall call, int pos) {
-      call = c and
-      i = pos
+      FlowSummaryImpl::Private::summaryArgumentNode(call, this, pos)
     }
   }
 }
@@ -1352,7 +1149,16 @@ private module ReturnNodes {
   class OutRefReturnNode extends ReturnNode, SsaDefinitionNode {
     OutRefReturnKind kind;
 
-    OutRefReturnNode() { outRefReturnNode(this.getDefinition(), kind) }
+    OutRefReturnNode() {
+      exists(Parameter p |
+        this.getDefinition().isLiveOutRefParameterDefinition(p) and
+        kind.getPosition() = p.getPosition()
+      |
+        p.isOut() and kind instanceof OutReturnKind
+        or
+        p.isRef() and kind instanceof RefReturnKind
+      )
+    }
 
     override ReturnKind getKind() { result = kind }
   }
@@ -1449,7 +1255,10 @@ private module ReturnNodes {
   private class SummaryReturnNode extends SummaryNode, ReturnNode {
     private ReturnKind rk;
 
-    SummaryReturnNode() { summaryReturnNodeCached(this, rk) }
+    SummaryReturnNode() {
+      FlowSummaryImpl::Private::summaryReturnNode(this, rk) and
+      not rk instanceof JumpReturnKind
+    }
 
     override ReturnKind getKind() { result = rk }
   }
@@ -1460,7 +1269,6 @@ import ReturnNodes
 /** A data-flow node that represents the output of a call. */
 abstract class OutNode extends Node {
   /** Gets the underlying call, where this node is a corresponding output of kind `kind`. */
-  cached
   abstract DataFlowCall getCall(ReturnKind kind);
 }
 
@@ -1488,7 +1296,6 @@ private module OutNodes {
     }
 
     override DataFlowCall getCall(ReturnKind kind) {
-      Stages::DataFlowStage::forceCachingInSameStage() and
       result = call and
       (
         kind instanceof NormalReturnKind and
@@ -1564,14 +1371,10 @@ private module OutNodes {
   }
 
   private class SummaryOutNode extends SummaryNode, OutNode {
-    private DataFlowCall c;
-    private ReturnKind rk;
-
-    SummaryOutNode() { summaryOutNodeCached(c, this, rk) }
+    SummaryOutNode() { FlowSummaryImpl::Private::summaryOutNode(_, this, _) }
 
     override DataFlowCall getCall(ReturnKind kind) {
-      result = c and
-      kind = rk
+      FlowSummaryImpl::Private::summaryOutNode(result, this, kind)
     }
   }
 }
@@ -1654,7 +1457,29 @@ private class FieldOrPropertyRead extends FieldOrPropertyAccess, AssignableRead
   }
 }
 
-predicate jumpStep = jumpStepImpl/2;
+/**
+ * Holds if `pred` can flow to `succ`, by jumping from one callable to
+ * another. Additional steps specified by the configuration are *not*
+ * taken into account.
+ */
+predicate jumpStep(Node pred, Node succ) {
+  pred.(NonLocalJumpNode).getAJumpSuccessor(true) = succ
+  or
+  exists(FieldOrProperty fl, FieldOrPropertyRead flr |
+    fl.isStatic() and
+    fl.isFieldLike() and
+    fl.getAnAssignedValue() = pred.asExpr() and
+    fl.getAnAccess() = flr and
+    flr = succ.asExpr() and
+    flr.hasNonlocalValue()
+  )
+  or
+  exists(JumpReturnKind jrk, DataFlowCall call |
+    FlowSummaryImpl::Private::summaryReturnNode(pred, jrk) and
+    viableCallable(call) = jrk.getTarget() and
+    succ = getAnOutNode(call, jrk.getTargetReturnKind())
+  )
+}
 
 private class StoreStepConfiguration extends ControlFlowReachabilityConfiguration {
   StoreStepConfiguration() { this = "StoreStepConfiguration" }
@@ -1675,7 +1500,46 @@ private class StoreStepConfiguration extends ControlFlowReachabilityConfiguratio
   }
 }
 
-predicate storeStep = storeStepImpl/3;
+pragma[nomagic]
+private PropertyContent getResultContent() {
+  result.getProperty() = any(SystemThreadingTasksTaskTClass c_).getResultProperty()
+}
+
+/**
+ * Holds if data can flow from `node1` to `node2` via an assignment to
+ * content `c`.
+ */
+predicate storeStep(Node node1, Content c, Node node2) {
+  exists(StoreStepConfiguration x, ExprNode node, boolean postUpdate |
+    hasNodePath(x, node1, node) and
+    if postUpdate = true then node = node2.(PostUpdateNode).getPreUpdateNode() else node = node2
+  |
+    fieldOrPropertyStore(_, c, node1.asExpr(), node.getExpr(), postUpdate)
+    or
+    arrayStore(_, node1.asExpr(), node.getExpr(), postUpdate) and c instanceof ElementContent
+  )
+  or
+  exists(StoreStepConfiguration x, Expr arg, ControlFlow::Node callCfn |
+    x.hasExprPath(arg, node1.(ExprNode).getControlFlowNode(), _, callCfn) and
+    node2 = TParamsArgumentNode(callCfn) and
+    isParamsArg(_, arg, _) and
+    c instanceof ElementContent
+  )
+  or
+  exists(Expr e |
+    e = node1.asExpr() and
+    node2.(YieldReturnNode).getYieldReturnStmt().getExpr() = e and
+    c instanceof ElementContent
+  )
+  or
+  exists(Expr e |
+    e = node1.asExpr() and
+    node2.(AsyncReturnNode).getExpr() = e and
+    c = getResultContent()
+  )
+  or
+  FlowSummaryImpl::Private::Steps::summaryStoreStep(node1, c, node2)
+}
 
 private class ReadStepConfiguration extends ControlFlowReachabilityConfiguration {
   ReadStepConfiguration() { this = "ReadStepConfiguration" }
@@ -1742,7 +1606,99 @@ private class ReadStepConfiguration extends ControlFlowReachabilityConfiguration
   }
 }
 
-predicate readStep = readStepImpl/3;
+/**
+ * Holds if data can flow from `node1` to `node2` via a read of content `c`.
+ */
+predicate readStep(Node node1, Content c, Node node2) {
+  exists(ReadStepConfiguration x |
+    hasNodePath(x, node1, node2) and
+    fieldOrPropertyRead(node1.asExpr(), c, node2.asExpr())
+    or
+    hasNodePath(x, node1, node2) and
+    arrayRead(node1.asExpr(), node2.asExpr()) and
+    c instanceof ElementContent
+    or
+    exists(ForeachStmt fs, Ssa::ExplicitDefinition def |
+      x.hasDefPath(fs.getIterableExpr(), node1.getControlFlowNode(), def.getADefinition(),
+        def.getControlFlowNode()) and
+      node2.(SsaDefinitionNode).getDefinition() = def and
+      c instanceof ElementContent
+    )
+    or
+    hasNodePath(x, node1, node2) and
+    node2.asExpr().(AwaitExpr).getExpr() = node1.asExpr() and
+    c = getResultContent()
+    or
+    // node1 = (..., node2, ...)
+    // node1.ItemX flows to node2
+    exists(TupleExpr te, int i, Expr item |
+      te = node1.asExpr() and
+      not te.isConstruction() and
+      c.(FieldContent).getField() = te.getType().(TupleType).getElement(i).getUnboundDeclaration() and
+      // node1 = (..., item, ...)
+      te.getArgument(i) = item
+    |
+      // item = (..., ..., ...) in node1 = (..., (..., ..., ...), ...)
+      node2.asExpr().(TupleExpr) = item and
+      hasNodePath(x, node1, node2)
+      or
+      // item = variable in node1 = (..., variable, ...)
+      exists(AssignableDefinitions::TupleAssignmentDefinition tad, Ssa::ExplicitDefinition def |
+        node2.(SsaDefinitionNode).getDefinition() = def and
+        def.getADefinition() = tad and
+        tad.getLeaf() = item and
+        hasNodePath(x, node1, node2)
+      )
+      or
+      // item = variable in node1 = (..., variable, ...) in a case/is var (..., ...)
+      te = any(PatternExpr pe).getAChildExpr*() and
+      exists(AssignableDefinitions::LocalVariableDefinition lvd, Ssa::ExplicitDefinition def |
+        node2.(SsaDefinitionNode).getDefinition() = def and
+        def.getADefinition() = lvd and
+        lvd.getDeclaration() = item and
+        hasNodePath(x, node1, node2)
+      )
+    )
+  )
+  or
+  FlowSummaryImpl::Private::Steps::summaryReadStep(node1, c, node2)
+}
+
+/**
+ * Holds if values stored inside content `c` are cleared at node `n`. For example,
+ * any value stored inside `f` is cleared at the pre-update node associated with `x`
+ * in `x.f = newValue`.
+ */
+predicate clearsContent(Node n, Content c) {
+  fieldOrPropertyStore(_, c, _, n.asExpr(), true)
+  or
+  fieldOrPropertyStore(_, c, _, n.(ObjectInitializerNode).getInitializer(), false)
+  or
+  FlowSummaryImpl::Private::Steps::summaryStoresIntoArg(c, n) and
+  not c instanceof ElementContent
+  or
+  FlowSummaryImpl::Private::Steps::summaryClearsContent(n, c)
+  or
+  exists(WithExpr we, ObjectInitializer oi, FieldOrProperty f |
+    oi = we.getInitializer() and
+    n.asExpr() = oi and
+    f = oi.getAMemberInitializer().getInitializedMember() and
+    c = f.getContent()
+  )
+}
+
+/**
+ * Holds if the node `n` is unreachable when the call context is `call`.
+ */
+predicate isUnreachableInCall(Node n, DataFlowCall call) {
+  exists(
+    ExplicitParameterNode paramNode, Guard guard, ControlFlow::SuccessorTypes::BooleanSuccessor bs
+  |
+    viableConstantBooleanParamArg(paramNode, bs.getValue().booleanNot(), call) and
+    paramNode.getSsaDefinition().getARead() = guard and
+    guard.controlsBlock(n.getControlFlowNode().getBasicBlock(), bs, _)
+  )
+}
 
 /**
  * An entity used to represent the type of data-flow node. Two nodes will have
@@ -1753,10 +1709,7 @@ predicate readStep = readStepImpl/3;
  * `DataFlowType`, while `Func<T, int>` and `Func<string, int>` are not, because
  * `string` is not a type parameter.
  */
-class DataFlowType extends Gvn::GvnType {
-  pragma[nomagic]
-  DataFlowType() { this = any(NodeImpl n).getDataFlowType() }
-}
+class DataFlowType = Gvn::GvnType;
 
 /** Gets the type of `n` used for type pruning. */
 pragma[inline]
@@ -1888,11 +1841,11 @@ private module PostUpdateNodes {
   }
 
   private class SummaryPostUpdateNode extends SummaryNode, PostUpdateNode {
-    private Node pre;
+    SummaryPostUpdateNode() { FlowSummaryImpl::Private::summaryPostUpdateNode(this, _) }
 
-    SummaryPostUpdateNode() { summaryPostUpdateNodeCached(this, pre) }
-
-    override Node getPreUpdateNode() { result = pre }
+    override Node getPreUpdateNode() {
+      FlowSummaryImpl::Private::summaryPostUpdateNode(this, result)
+    }
   }
 }
 
@@ -1900,7 +1853,12 @@ private import PostUpdateNodes
 
 /** A node that performs a type cast. */
 class CastNode extends Node {
-  CastNode() { castNode(this) }
+  CastNode() {
+    this.asExpr() instanceof Cast
+    or
+    this.(AssignableDefinitionNode).getDefinition() instanceof
+      AssignableDefinitions::PatternDefinition
+  }
 }
 
 class DataFlowExpr = DotNet::Expr;
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll
index 12a62faf387..bfc2f5469d0 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll
@@ -67,6 +67,8 @@ class Node extends TNode {
   }
 }
 
+private class TExprNode_ = TExprNode or TCilExprNode;
+
 /**
  * An expression, viewed as a node in a data flow graph.
  *
@@ -74,9 +76,7 @@ class Node extends TNode {
  * to multiple `ExprNode`s, just like it may correspond to multiple
  * `ControlFlow::Node`s.
  */
-class ExprNode extends Node {
-  ExprNode() { this = TExprNode(_) or this = TCilExprNode(_) }
-
+class ExprNode extends Node, TExprNode_ {
   /** Gets the expression corresponding to this node. */
   DotNet::Expr getExpr() {
     result = this.getExprAtNode(_)
@@ -99,7 +99,7 @@ class ExprNode extends Node {
  * flow graph.
  */
 class ParameterNode extends Node {
-  ParameterNode() { parameterNode(this, _, _) }
+  ParameterNode() { this instanceof ParameterNodeImpl }
 
   /** Gets the parameter corresponding to this node, if any. */
   DotNet::Parameter getParameter() {
@@ -110,7 +110,9 @@ class ParameterNode extends Node {
    * Holds if this node is the parameter of callable `c` at the specified
    * (zero-based) position.
    */
-  predicate isParameterOf(DataFlowCallable c, int i) { parameterNode(this, c, i) }
+  predicate isParameterOf(DataFlowCallable c, int i) {
+    this.(ParameterNodeImpl).isParameterOf(c, i)
+  }
 }
 
 /** A definition, viewed as a node in a data flow graph. */
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
index 72525d3234a..462838abcd1 100755
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
@@ -1,6 +1,5 @@
 private import csharp
 private import TaintTrackingPublic
-private import DataFlowImplCommon
 private import FlowSummaryImpl as FlowSummaryImpl
 private import semmle.code.csharp.Caching
 private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
@@ -79,7 +78,6 @@ private class LocalTaintExprStepConfiguration extends ControlFlowReachabilityCon
 }
 
 private predicate localTaintStepCommon(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-  Stages::DataFlowStage::forceCachingInSameStage() and
   hasNodePath(any(LocalTaintExprStepConfiguration x), nodeFrom, nodeTo)
   or
   localTaintStepCil(nodeFrom, nodeTo)
@@ -87,6 +85,11 @@ private predicate localTaintStepCommon(DataFlow::Node nodeFrom, DataFlow::Node n
 
 cached
 private module Cached {
+  private import DataFlowImplCommon as DataFlowImplCommon
+
+  cached
+  predicate forceCachingInSameStage() { DataFlowImplCommon::forceCachingInSameStage() }
+
   /**
    * Holds if taint propagates from `nodeFrom` to `nodeTo` in exactly one local
    * (intra-procedural) step.

From bd0a196a397cd30d92f45b8d7e5db5dbfa2733c3 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 26 Apr 2021 20:19:43 +0200
Subject: [PATCH 0696/1429] Java: Update data-flow caching

---
 .../java/dataflow/internal/DataFlowNodes.qll  | 109 +++++++-----------
 .../dataflow/internal/DataFlowPrivate.qll     |   1 -
 .../java/dataflow/internal/DataFlowUtil.qll   |   2 +
 .../dataflow/internal/TaintTrackingUtil.qll   | 108 +++++++++--------
 4 files changed, 107 insertions(+), 113 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowNodes.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowNodes.qll
index 552849c2c34..c47efa287ad 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowNodes.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowNodes.qll
@@ -4,71 +4,48 @@ private import semmle.code.java.dataflow.FlowSummary
 private import semmle.code.java.dataflow.TypeFlow
 private import DataFlowPrivate
 private import FlowSummaryImpl as FlowSummaryImpl
+private import DataFlowImplCommon as DataFlowImplCommon
 
 cached
-private module Cached {
-  cached
-  newtype TNode =
-    TExprNode(Expr e) {
-      not e.getType() instanceof VoidType and
-      not e.getParent*() instanceof Annotation
-    } or
-    TExplicitParameterNode(Parameter p) {
-      exists(p.getCallable().getBody()) or p.getCallable() instanceof SummarizedCallable
-    } or
-    TImplicitVarargsArray(Call c) {
-      c.getCallee().isVarargs() and
-      not exists(Argument arg | arg.getCall() = c and arg.isExplicitVarargsArray())
-    } or
-    TInstanceParameterNode(Callable c) {
-      (exists(c.getBody()) or c instanceof SummarizedCallable) and
-      not c.isStatic()
-    } or
-    TImplicitInstanceAccess(InstanceAccessExt ia) { not ia.isExplicit(_) } or
-    TMallocNode(ClassInstanceExpr cie) or
-    TExplicitExprPostUpdate(Expr e) {
-      explicitInstanceArgument(_, e)
-      or
-      e instanceof Argument and not e.getType() instanceof ImmutableType
-      or
-      exists(FieldAccess fa | fa.getField() instanceof InstanceField and e = fa.getQualifier())
-      or
-      exists(ArrayAccess aa | e = aa.getArray())
-    } or
-    TImplicitExprPostUpdate(InstanceAccessExt ia) {
-      implicitInstanceArgument(_, ia)
-      or
-      exists(FieldAccess fa |
-        fa.getField() instanceof InstanceField and ia.isImplicitFieldQualifier(fa)
-      )
-    } or
-    TSummaryInternalNode(SummarizedCallable c, FlowSummaryImpl::Private::SummaryNodeState state) {
-      FlowSummaryImpl::Private::summaryNodeRange(c, state)
-    }
-
-  cached
-  predicate summaryOutNodeCached(DataFlowCall c, Node out) {
-    FlowSummaryImpl::Private::summaryOutNode(c, out, _)
+newtype TNode =
+  TExprNode(Expr e) {
+    DataFlowImplCommon::forceCachingInSameStage() and
+    not e.getType() instanceof VoidType and
+    not e.getParent*() instanceof Annotation
+  } or
+  TExplicitParameterNode(Parameter p) {
+    exists(p.getCallable().getBody()) or p.getCallable() instanceof SummarizedCallable
+  } or
+  TImplicitVarargsArray(Call c) {
+    c.getCallee().isVarargs() and
+    not exists(Argument arg | arg.getCall() = c and arg.isExplicitVarargsArray())
+  } or
+  TInstanceParameterNode(Callable c) {
+    (exists(c.getBody()) or c instanceof SummarizedCallable) and
+    not c.isStatic()
+  } or
+  TImplicitInstanceAccess(InstanceAccessExt ia) { not ia.isExplicit(_) } or
+  TMallocNode(ClassInstanceExpr cie) or
+  TExplicitExprPostUpdate(Expr e) {
+    explicitInstanceArgument(_, e)
+    or
+    e instanceof Argument and not e.getType() instanceof ImmutableType
+    or
+    exists(FieldAccess fa | fa.getField() instanceof InstanceField and e = fa.getQualifier())
+    or
+    exists(ArrayAccess aa | e = aa.getArray())
+  } or
+  TImplicitExprPostUpdate(InstanceAccessExt ia) {
+    implicitInstanceArgument(_, ia)
+    or
+    exists(FieldAccess fa |
+      fa.getField() instanceof InstanceField and ia.isImplicitFieldQualifier(fa)
+    )
+  } or
+  TSummaryInternalNode(SummarizedCallable c, FlowSummaryImpl::Private::SummaryNodeState state) {
+    FlowSummaryImpl::Private::summaryNodeRange(c, state)
   }
 
-  cached
-  predicate summaryArgumentNodeCached(DataFlowCall c, Node arg, int i) {
-    FlowSummaryImpl::Private::summaryArgumentNode(c, arg, i)
-  }
-
-  cached
-  predicate summaryPostUpdateNodeCached(Node post, ParameterNode pre) {
-    FlowSummaryImpl::Private::summaryPostUpdateNode(post, pre)
-  }
-
-  cached
-  predicate summaryReturnNodeCached(Node ret) {
-    FlowSummaryImpl::Private::summaryReturnNode(ret, _)
-  }
-}
-
-private import Cached
-
 private predicate explicitInstanceArgument(Call call, Expr instarg) {
   call instanceof MethodAccess and
   instarg = call.getQualifier() and
@@ -404,13 +381,15 @@ module Private {
     override string toString() { result = "[summary] " + state + " in " + c }
 
     /** Holds if this summary node is the `i`th argument of `call`. */
-    predicate isArgumentOf(DataFlowCall call, int i) { summaryArgumentNodeCached(call, this, i) }
+    predicate isArgumentOf(DataFlowCall call, int i) {
+      FlowSummaryImpl::Private::summaryArgumentNode(call, this, i)
+    }
 
     /** Holds if this summary node is a return node. */
-    predicate isReturn() { summaryReturnNodeCached(this) }
+    predicate isReturn() { FlowSummaryImpl::Private::summaryReturnNode(this, _) }
 
     /** Holds if this summary node is an out node for `call`. */
-    predicate isOut(DataFlowCall call) { summaryOutNodeCached(call, this) }
+    predicate isOut(DataFlowCall call) { FlowSummaryImpl::Private::summaryOutNode(call, this, _) }
   }
 
   SummaryNode getSummaryNode(SummarizedCallable c, FlowSummaryImpl::Private::SummaryNodeState state) {
@@ -439,7 +418,7 @@ private class MallocNode extends Node, TMallocNode {
 private class SummaryPostUpdateNode extends SummaryNode, PostUpdateNode {
   private Node pre;
 
-  SummaryPostUpdateNode() { summaryPostUpdateNodeCached(this, pre) }
+  SummaryPostUpdateNode() { FlowSummaryImpl::Private::summaryPostUpdateNode(this, pre) }
 
   override Node getPreUpdateNode() { result = pre }
 }
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
index 23d84c10c9f..5756c56ba6d 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
@@ -284,7 +284,6 @@ private class ConstantBooleanArgumentNode extends ArgumentNode, ExprNode {
 /**
  * Holds if the node `n` is unreachable when the call context is `call`.
  */
-cached
 predicate isUnreachableInCall(Node n, DataFlowCall call) {
   exists(
     ExplicitParameterNode paramNode, ConstantBooleanArgumentNode arg, SsaImplicitInit param,
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
index 2ad09574015..e25ab24cfbb 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
@@ -11,6 +11,7 @@ private import semmle.code.java.dataflow.FlowSteps
 private import semmle.code.java.dataflow.FlowSummary
 import semmle.code.java.dataflow.InstanceAccess
 private import FlowSummaryImpl as FlowSummaryImpl
+private import TaintTrackingUtil as TaintTrackingUtil
 import DataFlowNodes::Public
 
 /** Holds if `n` is an access to an unqualified `this` at `cfgnode`. */
@@ -112,6 +113,7 @@ predicate localFlowStep(Node node1, Node node2) {
  */
 cached
 predicate simpleLocalFlowStep(Node node1, Node node2) {
+  TaintTrackingUtil::forceCachingInSameStage() and
   // Variable flow steps through adjacent def-use and use-use pairs.
   exists(SsaExplicitUpdate upd |
     upd.getDefiningExpr().(VariableAssign).getSource() = node1.asExpr() or
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index f9278ab815e..8c514e357d2 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -29,55 +29,69 @@ predicate localExprTaint(Expr src, Expr sink) {
   localTaint(DataFlow::exprNode(src), DataFlow::exprNode(sink))
 }
 
-/**
- * Holds if taint can flow in one local step from `src` to `sink`.
- */
-predicate localTaintStep(DataFlow::Node src, DataFlow::Node sink) {
-  DataFlow::localFlowStep(src, sink) or
-  localAdditionalTaintStep(src, sink) or
-  // Simple flow through library code is included in the exposed local
-  // step relation, even though flow is technically inter-procedural
-  FlowSummaryImpl::Private::Steps::summaryThroughStep(src, sink, false)
+cached
+private module Cached {
+  private import DataFlowImplCommon as DataFlowImplCommon
+
+  cached
+  predicate forceCachingInSameStage() { DataFlowImplCommon::forceCachingInSameStage() }
+
+  /**
+   * Holds if taint can flow in one local step from `src` to `sink`.
+   */
+  cached
+  predicate localTaintStep(DataFlow::Node src, DataFlow::Node sink) {
+    DataFlow::localFlowStep(src, sink) or
+    localAdditionalTaintStep(src, sink) or
+    // Simple flow through library code is included in the exposed local
+    // step relation, even though flow is technically inter-procedural
+    FlowSummaryImpl::Private::Steps::summaryThroughStep(src, sink, false)
+  }
+
+  /**
+   * Holds if taint can flow in one local step from `src` to `sink` excluding
+   * local data flow steps. That is, `src` and `sink` are likely to represent
+   * different objects.
+   */
+  cached
+  predicate localAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
+    localAdditionalTaintExprStep(src.asExpr(), sink.asExpr())
+    or
+    localAdditionalTaintUpdateStep(src.asExpr(),
+      sink.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr())
+    or
+    exists(Argument arg |
+      src.asExpr() = arg and
+      arg.isVararg() and
+      sink.(DataFlow::ImplicitVarargsArray).getCall() = arg.getCall()
+    )
+    or
+    FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, false)
+  }
+
+  /**
+   * Holds if the additional step from `src` to `sink` should be included in all
+   * global taint flow configurations.
+   */
+  cached
+  predicate defaultAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
+    localAdditionalTaintStep(src, sink) or
+    any(AdditionalTaintStep a).step(src, sink)
+  }
+
+  /**
+   * Holds if `node` should be a sanitizer in all global taint flow configurations
+   * but not in local taint.
+   */
+  cached
+  predicate defaultTaintSanitizer(DataFlow::Node node) {
+    // Ignore paths through test code.
+    node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass or
+    node.asExpr() instanceof ValidatedVariableAccess
+  }
 }
 
-/**
- * Holds if taint can flow in one local step from `src` to `sink` excluding
- * local data flow steps. That is, `src` and `sink` are likely to represent
- * different objects.
- */
-predicate localAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
-  localAdditionalTaintExprStep(src.asExpr(), sink.asExpr())
-  or
-  localAdditionalTaintUpdateStep(src.asExpr(),
-    sink.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr())
-  or
-  exists(Argument arg |
-    src.asExpr() = arg and
-    arg.isVararg() and
-    sink.(DataFlow::ImplicitVarargsArray).getCall() = arg.getCall()
-  )
-  or
-  FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, false)
-}
-
-/**
- * Holds if the additional step from `src` to `sink` should be included in all
- * global taint flow configurations.
- */
-predicate defaultAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
-  localAdditionalTaintStep(src, sink) or
-  any(AdditionalTaintStep a).step(src, sink)
-}
-
-/**
- * Holds if `node` should be a sanitizer in all global taint flow configurations
- * but not in local taint.
- */
-predicate defaultTaintSanitizer(DataFlow::Node node) {
-  // Ignore paths through test code.
-  node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass or
-  node.asExpr() instanceof ValidatedVariableAccess
-}
+import Cached
 
 /**
  * Holds if taint can flow in one local step from `src` to `sink` excluding

From 5eb96c1e4533729483037138d2719b729d79e521 Mon Sep 17 00:00:00 2001
From: edvraa <80588099+edvraa@users.noreply.github.com>
Date: Tue, 27 Apr 2021 20:26:29 +0300
Subject: [PATCH 0697/1429] Remove Class cast

---
 java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
index ad75e993c30..3b8b5dc759a 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
@@ -39,7 +39,7 @@ class RegexSink extends DataFlow::ExprNode {
         m.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "RegExUtils") and
         (
           ma.getArgument(1) = this.asExpr() and
-          m.getParameterType(1).(Class) instanceof TypeString and
+          m.getParameterType(1) instanceof TypeString and
           m.hasName([
               "removeAll", "removeFirst", "removePattern", "replaceAll", "replaceFirst",
               "replacePattern"

From 7adc3c2fba0ef298fba66f767404ca55ad5ccda7 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 18 Mar 2021 17:25:10 +0100
Subject: [PATCH 0698/1429] Upload ReDoS query, qhelp and tests

---
 python/ql/src/Security/CWE-400/RegexDoS.qhelp | 27 ++++++
 python/ql/src/Security/CWE-400/RegexDoS.ql    | 82 +++++++++++++++++++
 .../ql/src/Security/CWE-400/tests/re_bad.py   | 22 +++++
 .../ql/src/Security/CWE-400/tests/re_good.py  | 22 +++++
 4 files changed, 153 insertions(+)
 create mode 100644 python/ql/src/Security/CWE-400/RegexDoS.qhelp
 create mode 100644 python/ql/src/Security/CWE-400/RegexDoS.ql
 create mode 100644 python/ql/src/Security/CWE-400/tests/re_bad.py
 create mode 100644 python/ql/src/Security/CWE-400/tests/re_good.py

diff --git a/python/ql/src/Security/CWE-400/RegexDoS.qhelp b/python/ql/src/Security/CWE-400/RegexDoS.qhelp
new file mode 100644
index 00000000000..de564c83347
--- /dev/null
+++ b/python/ql/src/Security/CWE-400/RegexDoS.qhelp
@@ -0,0 +1,27 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+
+<qhelp>
+  <overview>
+    <p>If aregular expression is built by a not escaped user-provided value, a user is likely to be able to cause a Denial of Service.</p>
+  </overview>
+
+  <recommendation>
+    <p>In case user input must compose a regular expression, it should be escaped with functions such as <code>re.escape</code>.
+  <recommendation>
+
+  <references>
+    <li>
+      OWASP
+      <a href="https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS">Regular Expression DoS</a>
+    </li>
+    <li>
+      SonarSource
+      <a href="https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2631">RSPEC-2631</a>
+    </li>
+    <li>
+      CWE-
+      <a href="http://cwe.mitre.org/data/definitions/400">400</a>
+    </li>
+  </references>
+
+</qhelp>
\ No newline at end of file
diff --git a/python/ql/src/Security/CWE-400/RegexDoS.ql b/python/ql/src/Security/CWE-400/RegexDoS.ql
new file mode 100644
index 00000000000..fbdca996e55
--- /dev/null
+++ b/python/ql/src/Security/CWE-400/RegexDoS.ql
@@ -0,0 +1,82 @@
+/**
+ * @name Python Regex DoS
+ * @description Python Regular Expression Denial of Service
+ * @kind path-problem
+ * @problem.severity error
+ * @id python/regex-dos
+ * @tags experimental	
+ *       security	
+ *       external/cwe/cwe-400
+ */
+
+import python
+import semmle.python.dataflow.new.RemoteFlowSources
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.dataflow.new.internal.TaintTrackingPublic
+import DataFlow::PathGraph
+
+class ReMethods extends string {
+  ReMethods() {
+    this = "match" or
+    this = "fullmatch" or
+    this = "search" or
+    this = "split" or
+    this = "findall" or
+    this = "finditer"
+  }
+}
+
+class DirectRegex extends DataFlow::Node {
+  DirectRegex() {
+    exists(string reMethod, CallNode reCall |
+      reMethod instanceof ReMethods and
+      reCall = Value::named("re." + reMethod).getACall() and
+      this.asExpr() = reCall.getArg(0).getNode()
+    )
+  }
+}
+
+class CompiledRegex extends DataFlow::Node {
+  CompiledRegex() {
+    exists(CallNode patternCall, SsaVariable patternVar, CallNode reMethodCall |
+      patternCall = Value::named("re.compile").getACall() and
+      patternVar.getDefinition().getImmediateDominator() = patternCall and
+      patternVar.getAUse().getNode() = reMethodCall.getNode().getFunc().(Attribute).getObject() and
+      reMethodCall.getNode().getFunc().(Attribute).getName() instanceof ReMethods and
+      this.asExpr() = patternCall.getArg(0).getNode()
+    )
+  }
+}
+
+class RegexDoSSink extends DataFlow::Node {
+  RegexDoSSink() { this instanceof DirectRegex or this instanceof CompiledRegex }
+}
+
+class EscapeSanitizer extends DataFlow::Node {
+  EscapeSanitizer() {
+    exists(Call c |
+      (
+        // avoid flow through any %escape% function
+        c.getFunc().(Attribute).getName().matches("%escape%") or // something.%escape%()
+        c.getFunc().(Name).getId().matches("%escape%") // %escape%()
+      ) and
+      this.asExpr() = c
+    )
+  }
+}
+
+class RegexDoSFlowConfig extends TaintTracking::Configuration {
+  RegexDoSFlowConfig() { this = "RegexDoSFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof RegexDoSSink }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof EscapeSanitizer }
+}
+
+from RegexDoSFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "$@ regex operation includes $@.", sink.getNode(), "This",
+  source.getNode(), "a user-provided value"
diff --git a/python/ql/src/Security/CWE-400/tests/re_bad.py b/python/ql/src/Security/CWE-400/tests/re_bad.py
new file mode 100644
index 00000000000..6a0aa7c6614
--- /dev/null
+++ b/python/ql/src/Security/CWE-400/tests/re_bad.py
@@ -0,0 +1,22 @@
+from flask import request, Flask
+import re
+
+app = Flask(__name__)
+
+
+@app.route("/direct")
+def direct():
+    pattern = request.args['pattern']
+
+    re.search(pattern, "")
+
+
+@app.route("/compile")
+def compile():
+    pattern = re.compile(request.args['pattern'])
+
+    pattern.search("")
+
+
+# if __name__ == "__main__":
+#     app.run(debug=True)
diff --git a/python/ql/src/Security/CWE-400/tests/re_good.py b/python/ql/src/Security/CWE-400/tests/re_good.py
new file mode 100644
index 00000000000..ba09b1fe30b
--- /dev/null
+++ b/python/ql/src/Security/CWE-400/tests/re_good.py
@@ -0,0 +1,22 @@
+from flask import request, Flask
+import re
+
+app = Flask(__name__)
+
+
+@app.route("/direct")
+def direct():
+    pattern = re.escape(request.args['pattern'])
+
+    re.search(pattern, "")
+
+
+@app.route("/compile")
+def compile():
+    pattern = re.compile(re.escape(request.args['pattern']))
+
+    pattern.search("")
+
+
+# if __name__ == "__main__":
+#     app.run(debug=True)

From bd3d2ec686ad9686180f8d6ec94d74c4703f2c1f Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 18 Mar 2021 19:44:23 +0100
Subject: [PATCH 0699/1429] Update to match consistent naming across languages

---
 .../{CWE-400 => CWE-730}/RegexDoS.qhelp       |  4 +++
 .../Security/{CWE-400 => CWE-730}/RegexDoS.ql | 30 +++++++++++--------
 .../{CWE-400 => CWE-730}/tests/re_bad.py      |  0
 .../{CWE-400 => CWE-730}/tests/re_good.py     |  0
 4 files changed, 21 insertions(+), 13 deletions(-)
 rename python/ql/src/Security/{CWE-400 => CWE-730}/RegexDoS.qhelp (88%)
 rename python/ql/src/Security/{CWE-400 => CWE-730}/RegexDoS.ql (66%)
 rename python/ql/src/Security/{CWE-400 => CWE-730}/tests/re_bad.py (100%)
 rename python/ql/src/Security/{CWE-400 => CWE-730}/tests/re_good.py (100%)

diff --git a/python/ql/src/Security/CWE-400/RegexDoS.qhelp b/python/ql/src/Security/CWE-730/RegexDoS.qhelp
similarity index 88%
rename from python/ql/src/Security/CWE-400/RegexDoS.qhelp
rename to python/ql/src/Security/CWE-730/RegexDoS.qhelp
index de564c83347..22f328e852b 100644
--- a/python/ql/src/Security/CWE-400/RegexDoS.qhelp
+++ b/python/ql/src/Security/CWE-730/RegexDoS.qhelp
@@ -22,6 +22,10 @@
       CWE-
       <a href="http://cwe.mitre.org/data/definitions/400">400</a>
     </li>
+    <li>
+      CWE-
+      <a href="http://cwe.mitre.org/data/definitions/730">730</a>
+    </li>
   </references>
 
 </qhelp>
\ No newline at end of file
diff --git a/python/ql/src/Security/CWE-400/RegexDoS.ql b/python/ql/src/Security/CWE-730/RegexDoS.ql
similarity index 66%
rename from python/ql/src/Security/CWE-400/RegexDoS.ql
rename to python/ql/src/Security/CWE-730/RegexDoS.ql
index fbdca996e55..79905fe6921 100644
--- a/python/ql/src/Security/CWE-400/RegexDoS.ql
+++ b/python/ql/src/Security/CWE-730/RegexDoS.ql
@@ -1,14 +1,17 @@
 /**
- * @name Python Regex DoS
- * @description Python Regular Expression Denial of Service
+ * @name Regular expression injection
+ * @description User input should not be used in regular expressions without first being escaped,
+ *              otherwise a malicious user may be able to inject an expression that could require
+ *              exponential time on certain inputs.
  * @kind path-problem
  * @problem.severity error
- * @id python/regex-dos
- * @tags experimental	
- *       security	
+ * @id python/regex-injection
+ * @tags security
+ *       external/cwe/cwe-730
  *       external/cwe/cwe-400
  */
 
+// determine precision above
 import python
 import semmle.python.dataflow.new.RemoteFlowSources
 import semmle.python.dataflow.new.DataFlow
@@ -16,6 +19,7 @@ import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.internal.TaintTrackingPublic
 import DataFlow::PathGraph
 
+// Should this be moved to a different structure? (For other queries to be able to use it)
 class ReMethods extends string {
   ReMethods() {
     this = "match" or
@@ -49,8 +53,8 @@ class CompiledRegex extends DataFlow::Node {
   }
 }
 
-class RegexDoSSink extends DataFlow::Node {
-  RegexDoSSink() { this instanceof DirectRegex or this instanceof CompiledRegex }
+class RegexInjectionSink extends DataFlow::Node {
+  RegexInjectionSink() { this instanceof DirectRegex or this instanceof CompiledRegex }
 }
 
 class EscapeSanitizer extends DataFlow::Node {
@@ -66,17 +70,17 @@ class EscapeSanitizer extends DataFlow::Node {
   }
 }
 
-class RegexDoSFlowConfig extends TaintTracking::Configuration {
-  RegexDoSFlowConfig() { this = "RegexDoSFlowConfig" }
+class RegexInjectionFlowConfig extends TaintTracking::Configuration {
+  RegexInjectionFlowConfig() { this = "RegexInjectionFlowConfig" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof RegexDoSSink }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink }
 
   override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof EscapeSanitizer }
 }
 
-from RegexDoSFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+from RegexInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ regex operation includes $@.", sink.getNode(), "This",
-  source.getNode(), "a user-provided value"
+select sink.getNode(), source, sink, "$@ regular expression is constructed from a $@.",
+  sink.getNode(), "This", source.getNode(), "user-provided value"
diff --git a/python/ql/src/Security/CWE-400/tests/re_bad.py b/python/ql/src/Security/CWE-730/tests/re_bad.py
similarity index 100%
rename from python/ql/src/Security/CWE-400/tests/re_bad.py
rename to python/ql/src/Security/CWE-730/tests/re_bad.py
diff --git a/python/ql/src/Security/CWE-400/tests/re_good.py b/python/ql/src/Security/CWE-730/tests/re_good.py
similarity index 100%
rename from python/ql/src/Security/CWE-400/tests/re_good.py
rename to python/ql/src/Security/CWE-730/tests/re_good.py

From afc4f51e9c29bfef762f372b732157d583bdaeac Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 18 Mar 2021 20:10:18 +0100
Subject: [PATCH 0700/1429] Remove CWE references

---
 python/ql/src/Security/CWE-730/RegexDoS.qhelp | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/python/ql/src/Security/CWE-730/RegexDoS.qhelp b/python/ql/src/Security/CWE-730/RegexDoS.qhelp
index 22f328e852b..002cbcef0a8 100644
--- a/python/ql/src/Security/CWE-730/RegexDoS.qhelp
+++ b/python/ql/src/Security/CWE-730/RegexDoS.qhelp
@@ -18,14 +18,6 @@
       SonarSource
       <a href="https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2631">RSPEC-2631</a>
     </li>
-    <li>
-      CWE-
-      <a href="http://cwe.mitre.org/data/definitions/400">400</a>
-    </li>
-    <li>
-      CWE-
-      <a href="http://cwe.mitre.org/data/definitions/730">730</a>
-    </li>
   </references>
 
 </qhelp>
\ No newline at end of file

From 21f8135fa6824f42bdf643d48c34b1a712cbe715 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 18 Mar 2021 20:19:08 +0100
Subject: [PATCH 0701/1429] Move to experimental folder

---
 python/ql/src/{ => experimental}/Security/CWE-730/RegexDoS.qhelp  | 0
 python/ql/src/{ => experimental}/Security/CWE-730/RegexDoS.ql     | 0
 python/ql/src/{ => experimental}/Security/CWE-730/tests/re_bad.py | 0
 .../ql/src/{ => experimental}/Security/CWE-730/tests/re_good.py   | 0
 4 files changed, 0 insertions(+), 0 deletions(-)
 rename python/ql/src/{ => experimental}/Security/CWE-730/RegexDoS.qhelp (100%)
 rename python/ql/src/{ => experimental}/Security/CWE-730/RegexDoS.ql (100%)
 rename python/ql/src/{ => experimental}/Security/CWE-730/tests/re_bad.py (100%)
 rename python/ql/src/{ => experimental}/Security/CWE-730/tests/re_good.py (100%)

diff --git a/python/ql/src/Security/CWE-730/RegexDoS.qhelp b/python/ql/src/experimental/Security/CWE-730/RegexDoS.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-730/RegexDoS.qhelp
rename to python/ql/src/experimental/Security/CWE-730/RegexDoS.qhelp
diff --git a/python/ql/src/Security/CWE-730/RegexDoS.ql b/python/ql/src/experimental/Security/CWE-730/RegexDoS.ql
similarity index 100%
rename from python/ql/src/Security/CWE-730/RegexDoS.ql
rename to python/ql/src/experimental/Security/CWE-730/RegexDoS.ql
diff --git a/python/ql/src/Security/CWE-730/tests/re_bad.py b/python/ql/src/experimental/Security/CWE-730/tests/re_bad.py
similarity index 100%
rename from python/ql/src/Security/CWE-730/tests/re_bad.py
rename to python/ql/src/experimental/Security/CWE-730/tests/re_bad.py
diff --git a/python/ql/src/Security/CWE-730/tests/re_good.py b/python/ql/src/experimental/Security/CWE-730/tests/re_good.py
similarity index 100%
rename from python/ql/src/Security/CWE-730/tests/re_good.py
rename to python/ql/src/experimental/Security/CWE-730/tests/re_good.py

From 6cc714464c519dd59bbc4456f312ca6b1b10a984 Mon Sep 17 00:00:00 2001
From: Jorge <46056498+jorgectf@users.noreply.github.com>
Date: Thu, 18 Mar 2021 22:42:49 +0100
Subject: [PATCH 0702/1429] Apply suggestions from code review

Co-authored-by: yoff <lerchedahl@gmail.com>
---
 .../experimental/Security/CWE-730/RegexDoS.ql | 27 +++++++------------
 1 file changed, 9 insertions(+), 18 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-730/RegexDoS.ql b/python/ql/src/experimental/Security/CWE-730/RegexDoS.ql
index 79905fe6921..b89835aad8a 100644
--- a/python/ql/src/experimental/Security/CWE-730/RegexDoS.ql
+++ b/python/ql/src/experimental/Security/CWE-730/RegexDoS.ql
@@ -21,34 +21,25 @@ import DataFlow::PathGraph
 
 // Should this be moved to a different structure? (For other queries to be able to use it)
 class ReMethods extends string {
-  ReMethods() {
-    this = "match" or
-    this = "fullmatch" or
-    this = "search" or
-    this = "split" or
-    this = "findall" or
-    this = "finditer"
-  }
+  ReMethods() { this in ["match", "fullmatch", "search", "split", "findall", "finditer"] }```
 }
 
 class DirectRegex extends DataFlow::Node {
   DirectRegex() {
-    exists(string reMethod, CallNode reCall |
-      reMethod instanceof ReMethods and
-      reCall = Value::named("re." + reMethod).getACall() and
-      this.asExpr() = reCall.getArg(0).getNode()
+    exists(ReMethods reMethod, DataFlow::CallCfgNode reCall |
+      reCall = API::moduleImport("re").getMember(reMethod).getACall() and
+      this = reCall.getArg(0)
     )
   }
 }
 
 class CompiledRegex extends DataFlow::Node {
   CompiledRegex() {
-    exists(CallNode patternCall, SsaVariable patternVar, CallNode reMethodCall |
-      patternCall = Value::named("re.compile").getACall() and
-      patternVar.getDefinition().getImmediateDominator() = patternCall and
-      patternVar.getAUse().getNode() = reMethodCall.getNode().getFunc().(Attribute).getObject() and
-      reMethodCall.getNode().getFunc().(Attribute).getName() instanceof ReMethods and
-      this.asExpr() = patternCall.getArg(0).getNode()
+    exists(DataFlow::CallCfgNode patternCall, AttrRead reMethod |
+      patternCall = API::moduleImport("re").getMember("compile").getACall() and
+      patternCall = reMethod.getObject().getALocalSource() and
+      reMethod.getAttributeName() instanceof ReMethods and
+      this = patternCall.getArg(0)
     )
   }
 }

From 63f708dd57e53bd3f4cb0c73aa865384933a1789 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 18 Mar 2021 23:03:33 +0100
Subject: [PATCH 0703/1429] Apply suggestions

---
 python/ql/src/experimental/Security/CWE-730/RegexDoS.ql | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-730/RegexDoS.ql b/python/ql/src/experimental/Security/CWE-730/RegexDoS.ql
index b89835aad8a..d35b596c045 100644
--- a/python/ql/src/experimental/Security/CWE-730/RegexDoS.ql
+++ b/python/ql/src/experimental/Security/CWE-730/RegexDoS.ql
@@ -17,11 +17,12 @@ import semmle.python.dataflow.new.RemoteFlowSources
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.internal.TaintTrackingPublic
+import semmle.python.ApiGraphs
 import DataFlow::PathGraph
 
 // Should this be moved to a different structure? (For other queries to be able to use it)
 class ReMethods extends string {
-  ReMethods() { this in ["match", "fullmatch", "search", "split", "findall", "finditer"] }```
+  ReMethods() { this in ["match", "fullmatch", "search", "split", "findall", "finditer"] }
 }
 
 class DirectRegex extends DataFlow::Node {
@@ -35,7 +36,7 @@ class DirectRegex extends DataFlow::Node {
 
 class CompiledRegex extends DataFlow::Node {
   CompiledRegex() {
-    exists(DataFlow::CallCfgNode patternCall, AttrRead reMethod |
+    exists(DataFlow::CallCfgNode patternCall, DataFlow::AttrRead reMethod |
       patternCall = API::moduleImport("re").getMember("compile").getACall() and
       patternCall = reMethod.getObject().getALocalSource() and
       reMethod.getAttributeName() instanceof ReMethods and

From 5dae9207831dbe30365235ef03e9c28357172668 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 18 Mar 2021 23:04:47 +0100
Subject: [PATCH 0704/1429] Edit filenames to match consistent naming

---
 .../Security/CWE-730/{RegexDoS.qhelp => RegexInjection.qhelp}     | 0
 .../Security/CWE-730/{RegexDoS.ql => RegexInjection.ql}           | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename python/ql/src/experimental/Security/CWE-730/{RegexDoS.qhelp => RegexInjection.qhelp} (100%)
 rename python/ql/src/experimental/Security/CWE-730/{RegexDoS.ql => RegexInjection.ql} (100%)

diff --git a/python/ql/src/experimental/Security/CWE-730/RegexDoS.qhelp b/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp
similarity index 100%
rename from python/ql/src/experimental/Security/CWE-730/RegexDoS.qhelp
rename to python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp
diff --git a/python/ql/src/experimental/Security/CWE-730/RegexDoS.ql b/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
similarity index 100%
rename from python/ql/src/experimental/Security/CWE-730/RegexDoS.ql
rename to python/ql/src/experimental/Security/CWE-730/RegexInjection.ql

From f45307f9906e581a527710eb5b6a1bf224a36c56 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 18 Mar 2021 23:33:10 +0100
Subject: [PATCH 0705/1429] Apply rebase

---
 .../Security/CWE-730/RegexInjection.qhelp     |  0
 .../ql/src/Security/CWE-730/RegexInjection.ql | 22 ++++++
 .../tests => Security/CWE-730}/re_bad.py      |  0
 .../tests => Security/CWE-730}/re_good.py     |  0
 .../Security/CWE-730/RegexInjection.ql        | 78 -------------------
 python/ql/src/semmle/python/Concepts.qll      | 43 ++++++++++
 .../security/dataflow/RegexInjection.qll      | 23 ++++++
 7 files changed, 88 insertions(+), 78 deletions(-)
 rename python/ql/src/{experimental => }/Security/CWE-730/RegexInjection.qhelp (100%)
 create mode 100644 python/ql/src/Security/CWE-730/RegexInjection.ql
 rename python/ql/src/{experimental/Security/CWE-730/tests => Security/CWE-730}/re_bad.py (100%)
 rename python/ql/src/{experimental/Security/CWE-730/tests => Security/CWE-730}/re_good.py (100%)
 delete mode 100644 python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
 create mode 100644 python/ql/src/semmle/python/security/dataflow/RegexInjection.qll

diff --git a/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp b/python/ql/src/Security/CWE-730/RegexInjection.qhelp
similarity index 100%
rename from python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp
rename to python/ql/src/Security/CWE-730/RegexInjection.qhelp
diff --git a/python/ql/src/Security/CWE-730/RegexInjection.ql b/python/ql/src/Security/CWE-730/RegexInjection.ql
new file mode 100644
index 00000000000..27bbe69529d
--- /dev/null
+++ b/python/ql/src/Security/CWE-730/RegexInjection.ql
@@ -0,0 +1,22 @@
+/**
+ * @name Regular expression injection
+ * @description User input should not be used in regular expressions without first being escaped,
+ *              otherwise a malicious user may be able to inject an expression that could require
+ *              exponential time on certain inputs.
+ * @kind path-problem
+ * @problem.severity error
+ * @id python/regex-injection
+ * @tags security
+ *       external/cwe/cwe-730
+ *       external/cwe/cwe-400
+ */
+
+// determine precision above
+import python
+import semmle.python.security.dataflow.RegexInjection
+import DataFlow::PathGraph
+
+from RegexInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "$@ regular expression is constructed from a $@.",
+  sink.getNode(), "This", source.getNode(), "user-provided value"
diff --git a/python/ql/src/experimental/Security/CWE-730/tests/re_bad.py b/python/ql/src/Security/CWE-730/re_bad.py
similarity index 100%
rename from python/ql/src/experimental/Security/CWE-730/tests/re_bad.py
rename to python/ql/src/Security/CWE-730/re_bad.py
diff --git a/python/ql/src/experimental/Security/CWE-730/tests/re_good.py b/python/ql/src/Security/CWE-730/re_good.py
similarity index 100%
rename from python/ql/src/experimental/Security/CWE-730/tests/re_good.py
rename to python/ql/src/Security/CWE-730/re_good.py
diff --git a/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql b/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
deleted file mode 100644
index d35b596c045..00000000000
--- a/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
+++ /dev/null
@@ -1,78 +0,0 @@
-/**
- * @name Regular expression injection
- * @description User input should not be used in regular expressions without first being escaped,
- *              otherwise a malicious user may be able to inject an expression that could require
- *              exponential time on certain inputs.
- * @kind path-problem
- * @problem.severity error
- * @id python/regex-injection
- * @tags security
- *       external/cwe/cwe-730
- *       external/cwe/cwe-400
- */
-
-// determine precision above
-import python
-import semmle.python.dataflow.new.RemoteFlowSources
-import semmle.python.dataflow.new.DataFlow
-import semmle.python.dataflow.new.TaintTracking
-import semmle.python.dataflow.new.internal.TaintTrackingPublic
-import semmle.python.ApiGraphs
-import DataFlow::PathGraph
-
-// Should this be moved to a different structure? (For other queries to be able to use it)
-class ReMethods extends string {
-  ReMethods() { this in ["match", "fullmatch", "search", "split", "findall", "finditer"] }
-}
-
-class DirectRegex extends DataFlow::Node {
-  DirectRegex() {
-    exists(ReMethods reMethod, DataFlow::CallCfgNode reCall |
-      reCall = API::moduleImport("re").getMember(reMethod).getACall() and
-      this = reCall.getArg(0)
-    )
-  }
-}
-
-class CompiledRegex extends DataFlow::Node {
-  CompiledRegex() {
-    exists(DataFlow::CallCfgNode patternCall, DataFlow::AttrRead reMethod |
-      patternCall = API::moduleImport("re").getMember("compile").getACall() and
-      patternCall = reMethod.getObject().getALocalSource() and
-      reMethod.getAttributeName() instanceof ReMethods and
-      this = patternCall.getArg(0)
-    )
-  }
-}
-
-class RegexInjectionSink extends DataFlow::Node {
-  RegexInjectionSink() { this instanceof DirectRegex or this instanceof CompiledRegex }
-}
-
-class EscapeSanitizer extends DataFlow::Node {
-  EscapeSanitizer() {
-    exists(Call c |
-      (
-        // avoid flow through any %escape% function
-        c.getFunc().(Attribute).getName().matches("%escape%") or // something.%escape%()
-        c.getFunc().(Name).getId().matches("%escape%") // %escape%()
-      ) and
-      this.asExpr() = c
-    )
-  }
-}
-
-class RegexInjectionFlowConfig extends TaintTracking::Configuration {
-  RegexInjectionFlowConfig() { this = "RegexInjectionFlowConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink }
-
-  override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof EscapeSanitizer }
-}
-
-from RegexInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ regular expression is constructed from a $@.",
-  sink.getNode(), "This", source.getNode(), "user-provided value"
diff --git a/python/ql/src/semmle/python/Concepts.qll b/python/ql/src/semmle/python/Concepts.qll
index 4be00ba5bf9..f58f6317e1e 100644
--- a/python/ql/src/semmle/python/Concepts.qll
+++ b/python/ql/src/semmle/python/Concepts.qll
@@ -9,6 +9,7 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Frameworks
+private import semmle.python.ApiGraphs
 
 /**
  * A data-flow node that executes an operating system command,
@@ -625,5 +626,47 @@ module Cryptography {
         final override int minimumSecureKeySize() { result = 224 }
       }
     }
+/*
+ */
+
+class ReMethods extends string {
+  ReMethods() { this in ["match", "fullmatch", "search", "split", "findall", "finditer"] }
+}
+
+class DirectRegex extends DataFlow::Node {
+  DirectRegex() {
+    exists(ReMethods reMethod, DataFlow::CallCfgNode reCall |
+      reCall = API::moduleImport("re").getMember(reMethod).getACall() and
+      this = reCall.getArg(0)
+    )
+  }
+}
+
+class CompiledRegex extends DataFlow::Node {
+  CompiledRegex() {
+    exists(DataFlow::CallCfgNode patternCall, DataFlow::AttrRead reMethod |
+      patternCall = API::moduleImport("re").getMember("compile").getACall() and
+      patternCall = reMethod.getObject().getALocalSource() and
+      reMethod.getAttributeName() instanceof ReMethods and
+      this = patternCall.getArg(0)
+    )
+  }
+}
+
+class RegexExecution extends DataFlow::Node {
+  RegexExecution() { this instanceof DirectRegex or this instanceof CompiledRegex }
+}
+
+// pending refactor if needed
+class RegexEscape extends DataFlow::Node {
+  RegexEscape() {
+    exists(Call c |
+      (
+        // avoid flow through any %escape% function
+        c.getFunc().(Attribute).getName().matches("%escape%") or // something.%escape%()
+        c.getFunc().(Name).getId().matches("%escape%") // %escape%()
+      ) and
+      this.asExpr() = c
+    )
   }
 }
diff --git a/python/ql/src/semmle/python/security/dataflow/RegexInjection.qll b/python/ql/src/semmle/python/security/dataflow/RegexInjection.qll
new file mode 100644
index 00000000000..5a8f386a781
--- /dev/null
+++ b/python/ql/src/semmle/python/security/dataflow/RegexInjection.qll
@@ -0,0 +1,23 @@
+/**
+ * Provides a taint-tracking configuration for detecting regular expression injections
+ * vulnerabilities.
+ */
+
+import python
+import semmle.python.Concepts
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.dataflow.new.RemoteFlowSources
+
+/**
+ * A taint-tracking configuration for detecting regular expression injections.
+ */
+class RegexInjectionFlowConfig extends TaintTracking::Configuration {
+  RegexInjectionFlowConfig() { this = "RegexInjectionFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof RegexExecution }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof RegexEscape }
+}

From e4736d064e525ca51cdb52df1fedcdb54b0b8b04 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 18 Mar 2021 23:36:54 +0100
Subject: [PATCH 0706/1429] Typo

---
 .../ql/src/semmle/python/security/dataflow/RegexInjection.qll   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/security/dataflow/RegexInjection.qll b/python/ql/src/semmle/python/security/dataflow/RegexInjection.qll
index 5a8f386a781..968010dd9a0 100644
--- a/python/ql/src/semmle/python/security/dataflow/RegexInjection.qll
+++ b/python/ql/src/semmle/python/security/dataflow/RegexInjection.qll
@@ -1,5 +1,5 @@
 /**
- * Provides a taint-tracking configuration for detecting regular expression injections
+ * Provides a taint-tracking configuration for detecting regular expression injection
  * vulnerabilities.
  */
 

From a1b5cc3bc61860e50449617a8c79a9bfa975b3bd Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Fri, 19 Mar 2021 01:26:21 +0100
Subject: [PATCH 0707/1429] Typo

---
 python/ql/src/Security/CWE-730/RegexInjection.qhelp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/Security/CWE-730/RegexInjection.qhelp b/python/ql/src/Security/CWE-730/RegexInjection.qhelp
index 002cbcef0a8..2e3d238daa4 100644
--- a/python/ql/src/Security/CWE-730/RegexInjection.qhelp
+++ b/python/ql/src/Security/CWE-730/RegexInjection.qhelp
@@ -2,7 +2,7 @@
 
 <qhelp>
   <overview>
-    <p>If aregular expression is built by a not escaped user-provided value, a user is likely to be able to cause a Denial of Service.</p>
+    <p>If a regular expression is built by a not escaped user-provided value, a user is likely to be able to cause a Denial of Service.</p>
   </overview>
 
   <recommendation>

From 6d5a0f2f842b1f7a459a2e8e5d54c67fc86516c7 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Fri, 19 Mar 2021 01:34:13 +0100
Subject: [PATCH 0708/1429] Limit Sanitizer to re.escape(arg)

---
 python/ql/src/semmle/python/Concepts.qll | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/python/ql/src/semmle/python/Concepts.qll b/python/ql/src/semmle/python/Concepts.qll
index f58f6317e1e..60880794845 100644
--- a/python/ql/src/semmle/python/Concepts.qll
+++ b/python/ql/src/semmle/python/Concepts.qll
@@ -657,16 +657,8 @@ class RegexExecution extends DataFlow::Node {
   RegexExecution() { this instanceof DirectRegex or this instanceof CompiledRegex }
 }
 
-// pending refactor if needed
 class RegexEscape extends DataFlow::Node {
   RegexEscape() {
-    exists(Call c |
-      (
-        // avoid flow through any %escape% function
-        c.getFunc().(Attribute).getName().matches("%escape%") or // something.%escape%()
-        c.getFunc().(Name).getId().matches("%escape%") // %escape%()
-      ) and
-      this.asExpr() = c
-    )
+    this = API::moduleImport("re").getMember("escape").getACall().(DataFlow::CallCfgNode).getArg(0)
   }
 }

From caaf5436c6a4ed8a32c0b4f43a1418052a4b7ba5 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Fri, 19 Mar 2021 01:51:59 +0100
Subject: [PATCH 0709/1429] Attempt to restructuring ReMethods and
 RegexExecution's modules

---
 python/ql/src/semmle/python/Concepts.qll      |  2 +-
 .../src/semmle/python/frameworks/Stdlib.qll   | 30 +++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/Concepts.qll b/python/ql/src/semmle/python/Concepts.qll
index 60880794845..751f9f0a302 100644
--- a/python/ql/src/semmle/python/Concepts.qll
+++ b/python/ql/src/semmle/python/Concepts.qll
@@ -654,7 +654,7 @@ class CompiledRegex extends DataFlow::Node {
 }
 
 class RegexExecution extends DataFlow::Node {
-  RegexExecution() { this instanceof DirectRegex or this instanceof CompiledRegex }
+  RegexExecution() { this instanceof DirectRegex or this instanceof CompiledRegex } // How should this be cross-imported with Stdlib?
 }
 
 class RegexEscape extends DataFlow::Node {
diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index 01df130d0db..c074e6fe1cd 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -864,6 +864,36 @@ private module Stdlib {
   class Sqlite3 extends PEP249ModuleApiNode {
     Sqlite3() { this = API::moduleImport("sqlite3") }
   }
+
+  // ---------------------------------------------------------------------------
+  // re
+  // ---------------------------------------------------------------------------
+  /** List of re methods. */
+  private class ReMethods extends string {
+    ReMethods() { this in ["match", "fullmatch", "search", "split", "findall", "finditer"] }
+  }
+
+  /** re.ReMethod(pattern, string) */
+  private class DirectRegex extends DataFlow::Node {
+    DirectRegex() {
+      exists(ReMethods reMethod, DataFlow::CallCfgNode reCall |
+        reCall = API::moduleImport("re").getMember(reMethod).getACall() and
+        this = reCall.getArg(0)
+      )
+    }
+  }
+
+  /** re.compile(pattern).ReMethod */
+  class CompiledRegex extends DataFlow::Node {
+    CompiledRegex() {
+      exists(DataFlow::CallCfgNode patternCall, DataFlow::AttrRead reMethod |
+        patternCall = API::moduleImport("re").getMember("compile").getACall() and
+        patternCall = reMethod.getObject().getALocalSource() and
+        reMethod.getAttributeName() instanceof ReMethods and
+        this = patternCall.getArg(0)
+      )
+    }
+  }
 }
 
 // ---------------------------------------------------------------------------

From 3daec8e6a27a0776220ca52fe28e184717e1fc50 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Fri, 19 Mar 2021 17:46:32 +0100
Subject: [PATCH 0710/1429] Enclose Sinks and ReMethods in a module

---
 .../src/semmle/python/frameworks/Stdlib.qll   | 46 ++++++++++---------
 1 file changed, 24 insertions(+), 22 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index c074e6fe1cd..f9949560d68 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -868,30 +868,32 @@ private module Stdlib {
   // ---------------------------------------------------------------------------
   // re
   // ---------------------------------------------------------------------------
-  /** List of re methods. */
-  private class ReMethods extends string {
-    ReMethods() { this in ["match", "fullmatch", "search", "split", "findall", "finditer"] }
-  }
-
-  /** re.ReMethod(pattern, string) */
-  private class DirectRegex extends DataFlow::Node {
-    DirectRegex() {
-      exists(ReMethods reMethod, DataFlow::CallCfgNode reCall |
-        reCall = API::moduleImport("re").getMember(reMethod).getACall() and
-        this = reCall.getArg(0)
-      )
+  private module Re {
+    /** List of re methods. */
+    private class ReMethods extends string {
+      ReMethods() { this in ["match", "fullmatch", "search", "split", "findall", "finditer"] }
     }
-  }
 
-  /** re.compile(pattern).ReMethod */
-  class CompiledRegex extends DataFlow::Node {
-    CompiledRegex() {
-      exists(DataFlow::CallCfgNode patternCall, DataFlow::AttrRead reMethod |
-        patternCall = API::moduleImport("re").getMember("compile").getACall() and
-        patternCall = reMethod.getObject().getALocalSource() and
-        reMethod.getAttributeName() instanceof ReMethods and
-        this = patternCall.getArg(0)
-      )
+    /** re.ReMethod(pattern, string) */
+    private class DirectRegex extends DataFlow::Node {
+      DirectRegex() {
+        exists(ReMethods reMethod, DataFlow::CallCfgNode reCall |
+          reCall = API::moduleImport("re").getMember(reMethod).getACall() and
+          this = reCall.getArg(0)
+        )
+      }
+    }
+
+    /** re.compile(pattern).ReMethod */
+    class CompiledRegex extends DataFlow::Node {
+      CompiledRegex() {
+        exists(DataFlow::CallCfgNode patternCall, DataFlow::AttrRead reMethod |
+          patternCall = API::moduleImport("re").getMember("compile").getACall() and
+          patternCall = reMethod.getObject().getALocalSource() and
+          reMethod.getAttributeName() instanceof ReMethods and
+          this = patternCall.getArg(0)
+        )
+      }
     }
   }
 }

From b207929e0ad280fec73fffb7d4c5d193e01f3e34 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Fri, 19 Mar 2021 18:07:39 +0100
Subject: [PATCH 0711/1429] RegexExecution restructuring

---
 python/ql/src/semmle/python/Concepts.qll       | 18 +++++++++++++++---
 .../ql/src/semmle/python/frameworks/Stdlib.qll |  9 ++++++++-
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/python/ql/src/semmle/python/Concepts.qll b/python/ql/src/semmle/python/Concepts.qll
index 751f9f0a302..aa0c748c1da 100644
--- a/python/ql/src/semmle/python/Concepts.qll
+++ b/python/ql/src/semmle/python/Concepts.qll
@@ -656,9 +656,21 @@ class CompiledRegex extends DataFlow::Node {
 class RegexExecution extends DataFlow::Node {
   RegexExecution() { this instanceof DirectRegex or this instanceof CompiledRegex } // How should this be cross-imported with Stdlib?
 }
+/*
+ */
 
-class RegexEscape extends DataFlow::Node {
-  RegexEscape() {
-    this = API::moduleImport("re").getMember("escape").getACall().(DataFlow::CallCfgNode).getArg(0)
+module RegexExecution {
+  abstract class Range extends DataFlow::Node {
+    DataFlow::Node getRegexNode() {
+      result instanceof DirectRegex or result instanceof CompiledRegex
+    }
   }
 }
+
+class RegexExecution extends DataFlow::Node {
+  override RegexExecution::Range range;
+
+  RegexExecution() { this = range }
+
+  DataFlow::Node getRegexNode() { result = range.getRegexNode() }
+}
diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index f9949560d68..ed5a56be931 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -885,7 +885,7 @@ private module Stdlib {
     }
 
     /** re.compile(pattern).ReMethod */
-    class CompiledRegex extends DataFlow::Node {
+    private class CompiledRegex extends DataFlow::Node {
       CompiledRegex() {
         exists(DataFlow::CallCfgNode patternCall, DataFlow::AttrRead reMethod |
           patternCall = API::moduleImport("re").getMember("compile").getACall() and
@@ -895,6 +895,13 @@ private module Stdlib {
         )
       }
     }
+
+    private class RegexEscape extends Concepts::RegexExecution {
+      RegexEscape() {
+        this =
+          API::moduleImport("re").getMember("escape").getACall().(DataFlow::CallCfgNode).getArg(0)
+      }
+    }
   }
 }
 

From 249e4097e3a2faaa7b10914ba01b99a39d2c8f65 Mon Sep 17 00:00:00 2001
From: Jorge <46056498+jorgectf@users.noreply.github.com>
Date: Mon, 22 Mar 2021 15:12:12 +0100
Subject: [PATCH 0712/1429] Change query ID

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
---
 python/ql/src/Security/CWE-730/RegexInjection.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/Security/CWE-730/RegexInjection.ql b/python/ql/src/Security/CWE-730/RegexInjection.ql
index 27bbe69529d..3baa3b54bea 100644
--- a/python/ql/src/Security/CWE-730/RegexInjection.ql
+++ b/python/ql/src/Security/CWE-730/RegexInjection.ql
@@ -5,7 +5,7 @@
  *              exponential time on certain inputs.
  * @kind path-problem
  * @problem.severity error
- * @id python/regex-injection
+ * @id py/regex-injection
  * @tags security
  *       external/cwe/cwe-730
  *       external/cwe/cwe-400

From b27b77c38fda588586bd1ea3a0e942a5f4e403f8 Mon Sep 17 00:00:00 2001
From: Jorge <46056498+jorgectf@users.noreply.github.com>
Date: Mon, 22 Mar 2021 15:30:54 +0100
Subject: [PATCH 0713/1429] Apply suggestions from code review

Co-authored-by: yoff <lerchedahl@gmail.com>
---
 python/ql/src/semmle/python/Concepts.qll          | 4 +---
 python/ql/src/semmle/python/frameworks/Stdlib.qll | 6 +++---
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/python/ql/src/semmle/python/Concepts.qll b/python/ql/src/semmle/python/Concepts.qll
index aa0c748c1da..497ea0c0e31 100644
--- a/python/ql/src/semmle/python/Concepts.qll
+++ b/python/ql/src/semmle/python/Concepts.qll
@@ -661,9 +661,7 @@ class RegexExecution extends DataFlow::Node {
 
 module RegexExecution {
   abstract class Range extends DataFlow::Node {
-    DataFlow::Node getRegexNode() {
-      result instanceof DirectRegex or result instanceof CompiledRegex
-    }
+    abstract DataFlow::Node getRegexNode();
   }
 }
 
diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index ed5a56be931..c40ac53f8e4 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -875,7 +875,7 @@ private module Stdlib {
     }
 
     /** re.ReMethod(pattern, string) */
-    private class DirectRegex extends DataFlow::Node {
+    private class DirectRegex extends RegexExecution::Range {
       DirectRegex() {
         exists(ReMethods reMethod, DataFlow::CallCfgNode reCall |
           reCall = API::moduleImport("re").getMember(reMethod).getACall() and
@@ -885,7 +885,7 @@ private module Stdlib {
     }
 
     /** re.compile(pattern).ReMethod */
-    private class CompiledRegex extends DataFlow::Node {
+    private class CompiledRegex extends RegexExecution::Range {
       CompiledRegex() {
         exists(DataFlow::CallCfgNode patternCall, DataFlow::AttrRead reMethod |
           patternCall = API::moduleImport("re").getMember("compile").getACall() and
@@ -896,7 +896,7 @@ private module Stdlib {
       }
     }
 
-    private class RegexEscape extends Concepts::RegexExecution {
+    private class RegexEscape extends DataFlow::Node {
       RegexEscape() {
         this =
           API::moduleImport("re").getMember("escape").getACall().(DataFlow::CallCfgNode).getArg(0)

From 0f20eeb395645b2185528b832a6f56ba039b0552 Mon Sep 17 00:00:00 2001
From: Jorge <46056498+jorgectf@users.noreply.github.com>
Date: Wed, 24 Mar 2021 09:34:04 +0100
Subject: [PATCH 0714/1429] Apply suggestions

Co-authored-by: yoff <lerchedahl@gmail.com>
---
 python/ql/src/semmle/python/Concepts.qll      |  2 +-
 .../src/semmle/python/frameworks/Stdlib.qll   | 21 ++++++++++++-------
 .../security/dataflow/RegexInjection.qll      |  7 +++++--
 3 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/python/ql/src/semmle/python/Concepts.qll b/python/ql/src/semmle/python/Concepts.qll
index 497ea0c0e31..d2defca27a1 100644
--- a/python/ql/src/semmle/python/Concepts.qll
+++ b/python/ql/src/semmle/python/Concepts.qll
@@ -666,7 +666,7 @@ module RegexExecution {
 }
 
 class RegexExecution extends DataFlow::Node {
-  override RegexExecution::Range range;
+  RegexExecution::Range range;
 
   RegexExecution() { this = range }
 
diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index c40ac53f8e4..c86e4cf2e22 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -875,25 +875,32 @@ private module Stdlib {
     }
 
     /** re.ReMethod(pattern, string) */
-    private class DirectRegex extends RegexExecution::Range {
+    private class DirectRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
+      DataFlow::Node regexNode;
+
       DirectRegex() {
-        exists(ReMethods reMethod, DataFlow::CallCfgNode reCall |
-          reCall = API::moduleImport("re").getMember(reMethod).getACall() and
-          this = reCall.getArg(0)
-        )
+        this = API::moduleImport("re").getMember(any(ReMethods m)).getACall() and
+        regexNode = this.getArg(0)
       }
+
+      override DataFlow::Node getRegexNode() { result = regexNode }
     }
 
     /** re.compile(pattern).ReMethod */
-    private class CompiledRegex extends RegexExecution::Range {
+    private class CompiledRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
+      DataFlow::Node regexNode;
+
       CompiledRegex() {
         exists(DataFlow::CallCfgNode patternCall, DataFlow::AttrRead reMethod |
+          this.getFunction() = reMethod and
           patternCall = API::moduleImport("re").getMember("compile").getACall() and
           patternCall = reMethod.getObject().getALocalSource() and
           reMethod.getAttributeName() instanceof ReMethods and
-          this = patternCall.getArg(0)
+          regexNode = patternCall.getArg(0)
         )
       }
+
+      override DataFlow::Node getRegexNode() { result = regexNode }
     }
 
     private class RegexEscape extends DataFlow::Node {
diff --git a/python/ql/src/semmle/python/security/dataflow/RegexInjection.qll b/python/ql/src/semmle/python/security/dataflow/RegexInjection.qll
index 968010dd9a0..2758db37d65 100644
--- a/python/ql/src/semmle/python/security/dataflow/RegexInjection.qll
+++ b/python/ql/src/semmle/python/security/dataflow/RegexInjection.qll
@@ -17,7 +17,10 @@ class RegexInjectionFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof RegexExecution }
+ override predicate isSink(DataFlow::Node sink) { sink = any(RegexExecution re).getRegexNode() }
 
-  override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof RegexEscape }
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer =
+      API::moduleImport("re").getMember("escape").getACall().(DataFlow::CallCfgNode).getArg(0)
+  }
 }

From 444a15a461ee8f99428650daa2ae6d95f7eb25b1 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Wed, 24 Mar 2021 10:00:10 +0100
Subject: [PATCH 0715/1429] Polish imports

---
 python/ql/src/semmle/python/Concepts.qll                         | 1 -
 python/ql/src/semmle/python/security/dataflow/RegexInjection.qll | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/Concepts.qll b/python/ql/src/semmle/python/Concepts.qll
index d2defca27a1..cc2e4ac3ca7 100644
--- a/python/ql/src/semmle/python/Concepts.qll
+++ b/python/ql/src/semmle/python/Concepts.qll
@@ -9,7 +9,6 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Frameworks
-private import semmle.python.ApiGraphs
 
 /**
  * A data-flow node that executes an operating system command,
diff --git a/python/ql/src/semmle/python/security/dataflow/RegexInjection.qll b/python/ql/src/semmle/python/security/dataflow/RegexInjection.qll
index 2758db37d65..98545816c82 100644
--- a/python/ql/src/semmle/python/security/dataflow/RegexInjection.qll
+++ b/python/ql/src/semmle/python/security/dataflow/RegexInjection.qll
@@ -8,6 +8,7 @@ import semmle.python.Concepts
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
+import semmle.python.ApiGraphs
 
 /**
  * A taint-tracking configuration for detecting regular expression injections.

From 28fdeba4fafc4ab0b7cff4cb1307fff3298440b8 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Wed, 24 Mar 2021 17:59:48 +0100
Subject: [PATCH 0716/1429] Structure development

---
 .../Security/CWE-730/RegexInjection.qhelp     |   0
 .../Security/CWE-730/RegexInjection.ql        |   4 +-
 .../Security/CWE-730/re_bad.py                |   0
 .../Security/CWE-730/re_good.py               |   0
 .../experimental/semmle/python/Concepts.qll   |  29 +++
 .../semmle/python/frameworks/Stdlib.qll       | 232 +++++++++++++++++-
 .../security/injection}/RegexInjection.qll    |   2 +-
 python/ql/src/semmle/python/Concepts.qll      |  46 +---
 .../src/semmle/python/frameworks/Stdlib.qll   |  46 ----
 9 files changed, 264 insertions(+), 95 deletions(-)
 rename python/ql/src/{ => experimental}/Security/CWE-730/RegexInjection.qhelp (100%)
 rename python/ql/src/{ => experimental}/Security/CWE-730/RegexInjection.ql (92%)
 rename python/ql/src/{ => experimental}/Security/CWE-730/re_bad.py (100%)
 rename python/ql/src/{ => experimental}/Security/CWE-730/re_good.py (100%)
 rename python/ql/src/{semmle/python/security/dataflow => experimental/semmle/python/security/injection}/RegexInjection.qll (95%)

diff --git a/python/ql/src/Security/CWE-730/RegexInjection.qhelp b/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp
similarity index 100%
rename from python/ql/src/Security/CWE-730/RegexInjection.qhelp
rename to python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp
diff --git a/python/ql/src/Security/CWE-730/RegexInjection.ql b/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
similarity index 92%
rename from python/ql/src/Security/CWE-730/RegexInjection.ql
rename to python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
index 3baa3b54bea..ccb97fbee54 100644
--- a/python/ql/src/Security/CWE-730/RegexInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
@@ -13,10 +13,10 @@
 
 // determine precision above
 import python
-import semmle.python.security.dataflow.RegexInjection
+import experimental.semmle.python.security.injection.RegexInjection
 import DataFlow::PathGraph
 
 from RegexInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "$@ regular expression is constructed from a $@.",
-  sink.getNode(), "This", source.getNode(), "user-provided value"
+  sink.getNode(), "This", source.getNode(), "user-provided value"
\ No newline at end of file
diff --git a/python/ql/src/Security/CWE-730/re_bad.py b/python/ql/src/experimental/Security/CWE-730/re_bad.py
similarity index 100%
rename from python/ql/src/Security/CWE-730/re_bad.py
rename to python/ql/src/experimental/Security/CWE-730/re_bad.py
diff --git a/python/ql/src/Security/CWE-730/re_good.py b/python/ql/src/experimental/Security/CWE-730/re_good.py
similarity index 100%
rename from python/ql/src/Security/CWE-730/re_good.py
rename to python/ql/src/experimental/Security/CWE-730/re_good.py
diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index 904b7967ee8..172a7fc2003 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -13,3 +13,32 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
 private import experimental.semmle.python.Frameworks
+
+/** Provides classes for modeling Regular Expression-related APIs. */
+module RegexExecution {
+  /**
+   * A data-flow node that works with regular expressions.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `RegexExecution` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    abstract DataFlow::Node getRegexNode();
+    abstract Attribute getRegexMethod();
+  }
+}
+
+/**
+ * A data-flow node that works with regular expressions.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `RegexExecution::Range` instead.
+ */
+class RegexExecution extends DataFlow::Node {
+  RegexExecution::Range range;
+
+  RegexExecution() { this = range }
+
+  DataFlow::Node getRegexNode() { result = range.getRegexNode() }
+  Attribute getRegexMethod() { result = range.getRegexMethod() }
+}
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index 420caf0d73b..edaa42fad8a 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -8,4 +8,234 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import experimental.semmle.python.Concepts
-private import semmle.python.ApiGraphs
+
+/** Provides models for the Python standard library. */
+private module Stdlib {
+  // ---------------------------------------------------------------------------
+  // re
+  // ---------------------------------------------------------------------------
+  private module Re {
+
+    /** Gets a reference to the `re` module. */
+    private DataFlow::Node re(DataFlow::TypeTracker t) {
+      t.start() and
+      result = DataFlow::importNode("re")
+      or
+      exists(DataFlow::TypeTracker t2 | result = re(t2).track(t2, t))
+    }
+
+    /** Gets a reference to the `re` module. */
+    DataFlow::Node re() { result = re(DataFlow::TypeTracker::end()) }
+
+    /**
+     * Gets a reference to the attribute `attr_name` of the `re` module.
+     * WARNING: Only holds for a few predefined attributes.
+     */
+    private DataFlow::Node re_attr(DataFlow::TypeTracker t, string attr_name) {
+      attr_name in ["match", "fullmatch", "search", "split", "findall", "finditer", "sub", "subn", "compile"] and
+      (
+        t.start() and
+        result = DataFlow::importNode("re" + "." + attr_name)
+        or
+        t.startInAttr(attr_name) and
+        result = re()
+      )
+      or
+      // Due to bad performance when using normal setup with `re_attr(t2, attr_name).track(t2, t)`
+      // we have inlined that code and forced a join
+      exists(DataFlow::TypeTracker t2 |
+        exists(DataFlow::StepSummary summary |
+          re_attr_first_join(t2, attr_name, result, summary) and
+          t = t2.append(summary)
+        )
+      )
+    }
+
+    pragma[nomagic]
+    private predicate re_attr_first_join(
+      DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
+    ) {
+      DataFlow::StepSummary::step(re_attr(t2, attr_name), res, summary)
+    }
+
+    /**
+     * Gets a reference to the attribute `attr_name` of the `re` module.
+     * WARNING: Only holds for a few predefined attributes.
+     */
+    private DataFlow::Node re_attr(string attr_name) {
+      result = re_attr(DataFlow::TypeTracker::end(), attr_name)
+    }
+
+    /**
+     * Gets a reference to any `attr_name` of the `re` module that immediately executes an expression.
+     * WARNING: Only holds for a few predefined attributes.
+     */
+    private DataFlow::Node re_exec_attr() {
+      exists(string attr_name |
+        attr_name in ["match", "fullmatch", "search", "split", "findall", "finditer", "sub", "subn"] and
+        result = re_attr(DataFlow::TypeTracker::end(), attr_name)
+      )
+    }
+
+    /**
+     * A call to `re.match`
+     * See https://docs.python.org/3/library/re.html#re.match
+     */
+    private class ReMatchCall extends RegexExecution::Range, DataFlow::CfgNode {
+      override CallNode node;
+
+      ReMatchCall() { node.getFunction() = re_attr("match").asCfgNode() }
+
+      override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
+      override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
+    }
+
+    /**
+     * A call to `re.fullmatch`
+     * See https://docs.python.org/3/library/re.html#re.fullmatch
+     */
+    private class ReFullMatchCall extends RegexExecution::Range, DataFlow::CfgNode {
+      override CallNode node;
+
+      ReFullMatchCall() { node.getFunction() = re_attr("fullmatch").asCfgNode() }
+
+      override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
+      override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
+    }
+
+    /**
+     * A call to `re.search`
+     * See https://docs.python.org/3/library/re.html#re.search
+     */
+    private class ReSearchCall extends RegexExecution::Range, DataFlow::CfgNode {
+      override CallNode node;
+
+      ReSearchCall() { node.getFunction() = re_attr("search").asCfgNode() }
+
+      override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
+      override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
+    }
+
+    /**
+     * A call to `re.split`
+     * See https://docs.python.org/3/library/re.html#re.split
+     */
+    private class ReSplitCall extends RegexExecution::Range, DataFlow::CfgNode {
+      override CallNode node;
+
+      ReSplitCall() { node.getFunction() = re_attr("split").asCfgNode() }
+
+      override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
+      override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
+    }
+
+    /**
+     * A call to `re.findall`
+     * See https://docs.python.org/3/library/re.html#re.findall
+     */
+    private class ReFindAllCall extends RegexExecution::Range, DataFlow::CfgNode {
+      override CallNode node;
+
+      ReFindAllCall() { node.getFunction() = re_attr("findall").asCfgNode() }
+
+      override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
+      override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
+    }
+
+    /**
+     * A call to `re.finditer`
+     * See https://docs.python.org/3/library/re.html#re.finditer
+     */
+    private class ReFindIterCall extends RegexExecution::Range, DataFlow::CfgNode {
+      override CallNode node;
+
+      ReFindIterCall() { node.getFunction() = re_attr("finditer").asCfgNode() }
+
+      override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
+      override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
+    }
+
+    /**
+     * A call to `re.sub`
+     * See https://docs.python.org/3/library/re.html#re.sub
+     */
+    private class ReSubCall extends RegexExecution::Range, DataFlow::CfgNode {
+      override CallNode node;
+
+      ReSubCall() { node.getFunction() = re_attr("sub").asCfgNode() }
+
+      override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
+      override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
+    }
+
+    /**
+     * A call to `re.subn`
+     * See https://docs.python.org/3/library/re.html#re.subn
+     */
+    private class ReSubNCall extends RegexExecution::Range, DataFlow::CfgNode {
+      override CallNode node;
+
+      ReSubNCall() { node.getFunction() = re_attr("subn").asCfgNode() }
+
+      override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
+      override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
+    }
+
+    /**
+     * A call to `re.compile`
+     * See https://docs.python.org/3/library/re.html#re.match
+     */
+    private class ReCompileCall extends RegexExecution::Range, DataFlow::CfgNode {
+      override CallNode node;
+
+      ReCompileCall() { node.getFunction() = re_attr("compile").asCfgNode() }
+
+      override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
+      override Attribute getRegexMethod() { 
+        exists (DataFlow::AttrRead reMethod |
+          reMethod = re_exec_attr() and
+          node.getFunction() = reMethod.getObject().getALocalSource().asCfgNode() and
+          result = reMethod.asExpr().(Attribute)
+        )
+       }
+    }
+
+    /** 
+     * A class for modeling expressions immediately executing a regular expression.
+     * See `re_exec_attr()`  
+    */
+    private class DirectRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
+      DataFlow::Node regexNode;
+      Attribute regexMethod;
+
+      DirectRegex() {
+        // needs inheritance (?)
+        this = re_exec_attr() and regexNode = this.getRegexNode() and regexMethod = this.getRegexMethod()
+      }
+
+      override DataFlow::Node getRegexNode() { result = regexNode }
+      override Attribute getRegexMethod() { result = regexMethod }
+    }
+
+    /** 
+     * A class for finding `ReCompileCall` whose `Attribute` is an instance of `DirectRegex`.
+     * See `ReCompileCall`, `DirectRegex`, `re_exec_attr()`
+    */
+    private class CompiledRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
+      DataFlow::Node regexNode;
+      Attribute regexMethod;
+
+      CompiledRegex() {
+        exists(DirectRegex reMethod, ReCompileCall compileCall |
+          this = reMethod and
+          reMethod.getRegexMethod() = compileCall.getRegexMethod() and
+          regexNode = compileCall.getRegexNode() and
+          regexMethod = reMethod.getRegexMethod()
+        )
+      }
+
+      override DataFlow::Node getRegexNode() { result = regexNode }
+      override Attribute getRegexMethod() { result = regexMethod }
+    }
+  }
+}
\ No newline at end of file
diff --git a/python/ql/src/semmle/python/security/dataflow/RegexInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
similarity index 95%
rename from python/ql/src/semmle/python/security/dataflow/RegexInjection.qll
rename to python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
index 98545816c82..5e2cc684b43 100644
--- a/python/ql/src/semmle/python/security/dataflow/RegexInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
@@ -4,7 +4,7 @@
  */
 
 import python
-import semmle.python.Concepts
+import experimental.semmle.python.Concepts
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
diff --git a/python/ql/src/semmle/python/Concepts.qll b/python/ql/src/semmle/python/Concepts.qll
index cc2e4ac3ca7..ccae7251a2c 100644
--- a/python/ql/src/semmle/python/Concepts.qll
+++ b/python/ql/src/semmle/python/Concepts.qll
@@ -625,49 +625,5 @@ module Cryptography {
         final override int minimumSecureKeySize() { result = 224 }
       }
     }
-/*
- */
-
-class ReMethods extends string {
-  ReMethods() { this in ["match", "fullmatch", "search", "split", "findall", "finditer"] }
-}
-
-class DirectRegex extends DataFlow::Node {
-  DirectRegex() {
-    exists(ReMethods reMethod, DataFlow::CallCfgNode reCall |
-      reCall = API::moduleImport("re").getMember(reMethod).getACall() and
-      this = reCall.getArg(0)
-    )
   }
-}
-
-class CompiledRegex extends DataFlow::Node {
-  CompiledRegex() {
-    exists(DataFlow::CallCfgNode patternCall, DataFlow::AttrRead reMethod |
-      patternCall = API::moduleImport("re").getMember("compile").getACall() and
-      patternCall = reMethod.getObject().getALocalSource() and
-      reMethod.getAttributeName() instanceof ReMethods and
-      this = patternCall.getArg(0)
-    )
-  }
-}
-
-class RegexExecution extends DataFlow::Node {
-  RegexExecution() { this instanceof DirectRegex or this instanceof CompiledRegex } // How should this be cross-imported with Stdlib?
-}
-/*
- */
-
-module RegexExecution {
-  abstract class Range extends DataFlow::Node {
-    abstract DataFlow::Node getRegexNode();
-  }
-}
-
-class RegexExecution extends DataFlow::Node {
-  RegexExecution::Range range;
-
-  RegexExecution() { this = range }
-
-  DataFlow::Node getRegexNode() { result = range.getRegexNode() }
-}
+}
\ No newline at end of file
diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index c86e4cf2e22..01df130d0db 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -864,52 +864,6 @@ private module Stdlib {
   class Sqlite3 extends PEP249ModuleApiNode {
     Sqlite3() { this = API::moduleImport("sqlite3") }
   }
-
-  // ---------------------------------------------------------------------------
-  // re
-  // ---------------------------------------------------------------------------
-  private module Re {
-    /** List of re methods. */
-    private class ReMethods extends string {
-      ReMethods() { this in ["match", "fullmatch", "search", "split", "findall", "finditer"] }
-    }
-
-    /** re.ReMethod(pattern, string) */
-    private class DirectRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
-      DataFlow::Node regexNode;
-
-      DirectRegex() {
-        this = API::moduleImport("re").getMember(any(ReMethods m)).getACall() and
-        regexNode = this.getArg(0)
-      }
-
-      override DataFlow::Node getRegexNode() { result = regexNode }
-    }
-
-    /** re.compile(pattern).ReMethod */
-    private class CompiledRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
-      DataFlow::Node regexNode;
-
-      CompiledRegex() {
-        exists(DataFlow::CallCfgNode patternCall, DataFlow::AttrRead reMethod |
-          this.getFunction() = reMethod and
-          patternCall = API::moduleImport("re").getMember("compile").getACall() and
-          patternCall = reMethod.getObject().getALocalSource() and
-          reMethod.getAttributeName() instanceof ReMethods and
-          regexNode = patternCall.getArg(0)
-        )
-      }
-
-      override DataFlow::Node getRegexNode() { result = regexNode }
-    }
-
-    private class RegexEscape extends DataFlow::Node {
-      RegexEscape() {
-        this =
-          API::moduleImport("re").getMember("escape").getACall().(DataFlow::CallCfgNode).getArg(0)
-      }
-    }
-  }
 }
 
 // ---------------------------------------------------------------------------

From a1a3c98d92fa433d642139a3e259713a31cc2c3e Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Wed, 24 Mar 2021 18:16:36 +0100
Subject: [PATCH 0717/1429] Undo main Concepts.qll change

---
 python/ql/src/semmle/python/Concepts.qll | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/python/ql/src/semmle/python/Concepts.qll b/python/ql/src/semmle/python/Concepts.qll
index ccae7251a2c..2706a497f9a 100644
--- a/python/ql/src/semmle/python/Concepts.qll
+++ b/python/ql/src/semmle/python/Concepts.qll
@@ -625,5 +625,4 @@ module Cryptography {
         final override int minimumSecureKeySize() { result = 224 }
       }
     }
-  }
-}
\ No newline at end of file
+  }
\ No newline at end of file

From d61adccd3c6b6511e106b106bfe2d6efef612c14 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Wed, 24 Mar 2021 18:23:59 +0100
Subject: [PATCH 0718/1429] Take main Concepts.qll out of the PR

---
 python/ql/src/semmle/python/Concepts.qll | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/Concepts.qll b/python/ql/src/semmle/python/Concepts.qll
index 2706a497f9a..4be00ba5bf9 100644
--- a/python/ql/src/semmle/python/Concepts.qll
+++ b/python/ql/src/semmle/python/Concepts.qll
@@ -625,4 +625,5 @@ module Cryptography {
         final override int minimumSecureKeySize() { result = 224 }
       }
     }
-  }
\ No newline at end of file
+  }
+}

From b5ea41fcca6d80ddeaa7209a8f7f0edaef5237f8 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Wed, 24 Mar 2021 21:02:09 +0100
Subject: [PATCH 0719/1429] Fix CompiledRegex

---
 .../src/experimental/semmle/python/frameworks/Stdlib.qll   | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index edaa42fad8a..a6d848cc126 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -226,11 +226,10 @@ private module Stdlib {
       Attribute regexMethod;
 
       CompiledRegex() {
-        exists(DirectRegex reMethod, ReCompileCall compileCall |
-          this = reMethod and
-          reMethod.getRegexMethod() = compileCall.getRegexMethod() and
+        exists(ReCompileCall compileCall |
           regexNode = compileCall.getRegexNode() and
-          regexMethod = reMethod.getRegexMethod()
+          regexMethod = compileCall.getRegexMethod() and
+          this = compileCall
         )
       }
 

From ce23db2e9ca80497f71b7c9792f60582906db42b Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Wed, 24 Mar 2021 21:11:45 +0100
Subject: [PATCH 0720/1429] Move Sanitizer to ReEscapeCall

---
 .../semmle/python/frameworks/Stdlib.qll           | 15 ++++++++++++++-
 .../python/security/injection/RegexInjection.qll  |  8 +++-----
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index a6d848cc126..d243eacd3d0 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -32,7 +32,7 @@ private module Stdlib {
      * WARNING: Only holds for a few predefined attributes.
      */
     private DataFlow::Node re_attr(DataFlow::TypeTracker t, string attr_name) {
-      attr_name in ["match", "fullmatch", "search", "split", "findall", "finditer", "sub", "subn", "compile"] and
+      attr_name in ["match", "fullmatch", "search", "split", "findall", "finditer", "sub", "subn", "compile", "escape"] and
       (
         t.start() and
         result = DataFlow::importNode("re" + "." + attr_name)
@@ -181,6 +181,19 @@ private module Stdlib {
       override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
     }
 
+    /**
+     * A call to `re.escape`
+     * See https://docs.python.org/3/library/re.html#re.escape
+     */
+    private class ReEscapeCall extends RegexExecution::Range, DataFlow::CfgNode {
+      override CallNode node;
+
+      ReEscapeCall() { node.getFunction() = re_attr("escape").asCfgNode() }
+
+      override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
+      override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
+    }
+
     /**
      * A call to `re.compile`
      * See https://docs.python.org/3/library/re.html#re.match
diff --git a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
index 5e2cc684b43..0d42acbac49 100644
--- a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
@@ -5,6 +5,7 @@
 
 import python
 import experimental.semmle.python.Concepts
+import experimental.semmle.python.frameworks.Stdlib
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
@@ -18,10 +19,7 @@ class RegexInjectionFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
- override predicate isSink(DataFlow::Node sink) { sink = any(RegexExecution re).getRegexNode() }
+  override predicate isSink(DataFlow::Node sink) { sink = any(RegexExecution re).getRegexNode() }
 
-  override predicate isSanitizer(DataFlow::Node sanitizer) {
-    sanitizer =
-      API::moduleImport("re").getMember("escape").getACall().(DataFlow::CallCfgNode).getArg(0)
-  }
+  override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof ReEscapeCall }
 }

From ee1d2b645b0a42a370c6c47fb721ecff3562b348 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 25 Mar 2021 18:19:11 +0100
Subject: [PATCH 0721/1429] Delete DirectRegex and CompiledRegex

---
 .../semmle/python/frameworks/Stdlib.qll       | 37 -------------------
 1 file changed, 37 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index d243eacd3d0..fab8debb1b8 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -212,42 +212,5 @@ private module Stdlib {
         )
        }
     }
-
-    /** 
-     * A class for modeling expressions immediately executing a regular expression.
-     * See `re_exec_attr()`  
-    */
-    private class DirectRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
-      DataFlow::Node regexNode;
-      Attribute regexMethod;
-
-      DirectRegex() {
-        // needs inheritance (?)
-        this = re_exec_attr() and regexNode = this.getRegexNode() and regexMethod = this.getRegexMethod()
-      }
-
-      override DataFlow::Node getRegexNode() { result = regexNode }
-      override Attribute getRegexMethod() { result = regexMethod }
-    }
-
-    /** 
-     * A class for finding `ReCompileCall` whose `Attribute` is an instance of `DirectRegex`.
-     * See `ReCompileCall`, `DirectRegex`, `re_exec_attr()`
-    */
-    private class CompiledRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
-      DataFlow::Node regexNode;
-      Attribute regexMethod;
-
-      CompiledRegex() {
-        exists(ReCompileCall compileCall |
-          regexNode = compileCall.getRegexNode() and
-          regexMethod = compileCall.getRegexMethod() and
-          this = compileCall
-        )
-      }
-
-      override DataFlow::Node getRegexNode() { result = regexNode }
-      override Attribute getRegexMethod() { result = regexMethod }
-    }
   }
 }
\ No newline at end of file

From 30554a16da55ef9d652ad60e6437593682b07c23 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 25 Mar 2021 18:20:13 +0100
Subject: [PATCH 0722/1429] Format

---
 .../Security/CWE-730/RegexInjection.ql        |  2 +-
 .../semmle/python/frameworks/Stdlib.qll       | 24 ++++++++++++++-----
 2 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql b/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
index ccb97fbee54..9d3da12f9bd 100644
--- a/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
@@ -19,4 +19,4 @@ import DataFlow::PathGraph
 from RegexInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "$@ regular expression is constructed from a $@.",
-  sink.getNode(), "This", source.getNode(), "user-provided value"
\ No newline at end of file
+  sink.getNode(), "This", source.getNode(), "user-provided value"
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index fab8debb1b8..4b5f8f63f6a 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -15,7 +15,6 @@ private module Stdlib {
   // re
   // ---------------------------------------------------------------------------
   private module Re {
-
     /** Gets a reference to the `re` module. */
     private DataFlow::Node re(DataFlow::TypeTracker t) {
       t.start() and
@@ -32,7 +31,10 @@ private module Stdlib {
      * WARNING: Only holds for a few predefined attributes.
      */
     private DataFlow::Node re_attr(DataFlow::TypeTracker t, string attr_name) {
-      attr_name in ["match", "fullmatch", "search", "split", "findall", "finditer", "sub", "subn", "compile", "escape"] and
+      attr_name in [
+          "match", "fullmatch", "search", "split", "findall", "finditer", "sub", "subn", "compile",
+          "escape"
+        ] and
       (
         t.start() and
         result = DataFlow::importNode("re" + "." + attr_name)
@@ -87,6 +89,7 @@ private module Stdlib {
       ReMatchCall() { node.getFunction() = re_attr("match").asCfgNode() }
 
       override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
+
       override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
     }
 
@@ -100,6 +103,7 @@ private module Stdlib {
       ReFullMatchCall() { node.getFunction() = re_attr("fullmatch").asCfgNode() }
 
       override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
+
       override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
     }
 
@@ -113,6 +117,7 @@ private module Stdlib {
       ReSearchCall() { node.getFunction() = re_attr("search").asCfgNode() }
 
       override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
+
       override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
     }
 
@@ -126,6 +131,7 @@ private module Stdlib {
       ReSplitCall() { node.getFunction() = re_attr("split").asCfgNode() }
 
       override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
+
       override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
     }
 
@@ -139,6 +145,7 @@ private module Stdlib {
       ReFindAllCall() { node.getFunction() = re_attr("findall").asCfgNode() }
 
       override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
+
       override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
     }
 
@@ -152,6 +159,7 @@ private module Stdlib {
       ReFindIterCall() { node.getFunction() = re_attr("finditer").asCfgNode() }
 
       override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
+
       override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
     }
 
@@ -165,6 +173,7 @@ private module Stdlib {
       ReSubCall() { node.getFunction() = re_attr("sub").asCfgNode() }
 
       override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
+
       override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
     }
 
@@ -178,6 +187,7 @@ private module Stdlib {
       ReSubNCall() { node.getFunction() = re_attr("subn").asCfgNode() }
 
       override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
+
       override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
     }
 
@@ -191,6 +201,7 @@ private module Stdlib {
       ReEscapeCall() { node.getFunction() = re_attr("escape").asCfgNode() }
 
       override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
+
       override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
     }
 
@@ -204,13 +215,14 @@ private module Stdlib {
       ReCompileCall() { node.getFunction() = re_attr("compile").asCfgNode() }
 
       override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
-      override Attribute getRegexMethod() { 
-        exists (DataFlow::AttrRead reMethod |
+
+      override Attribute getRegexMethod() {
+        exists(DataFlow::AttrRead reMethod |
           reMethod = re_exec_attr() and
           node.getFunction() = reMethod.getObject().getALocalSource().asCfgNode() and
           result = reMethod.asExpr().(Attribute)
         )
-       }
+      }
     }
   }
-}
\ No newline at end of file
+}

From 3d990c595097c4af80392cc0ac26988605d2f059 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Fri, 26 Mar 2021 10:05:50 +0100
Subject: [PATCH 0723/1429] Get back to ApiGraphs

---
 .../experimental/semmle/python/Concepts.qll   |   9 +
 .../semmle/python/frameworks/Stdlib.qll       | 254 +++---------------
 .../security/injection/RegexInjection.qll     |   3 +-
 3 files changed, 51 insertions(+), 215 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index 172a7fc2003..8a88ffb2154 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -13,6 +13,7 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
 private import experimental.semmle.python.Frameworks
+private import semmle.python.ApiGraphs
 
 /** Provides classes for modeling Regular Expression-related APIs. */
 module RegexExecution {
@@ -24,6 +25,7 @@ module RegexExecution {
    */
   abstract class Range extends DataFlow::Node {
     abstract DataFlow::Node getRegexNode();
+
     abstract Attribute getRegexMethod();
   }
 }
@@ -40,5 +42,12 @@ class RegexExecution extends DataFlow::Node {
   RegexExecution() { this = range }
 
   DataFlow::Node getRegexNode() { result = range.getRegexNode() }
+
   Attribute getRegexMethod() { result = range.getRegexMethod() }
 }
+
+class RegexEscape extends DataFlow::Node {
+  RegexEscape() {
+    this = API::moduleImport("re").getMember("escape").getACall().(DataFlow::CallCfgNode).getArg(0)
+  }
+}
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index 4b5f8f63f6a..5a3441bed83 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -8,221 +8,49 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import experimental.semmle.python.Concepts
+private import semmle.python.ApiGraphs
 
 /** Provides models for the Python standard library. */
-private module Stdlib {
-  // ---------------------------------------------------------------------------
-  // re
-  // ---------------------------------------------------------------------------
-  private module Re {
-    /** Gets a reference to the `re` module. */
-    private DataFlow::Node re(DataFlow::TypeTracker t) {
-      t.start() and
-      result = DataFlow::importNode("re")
-      or
-      exists(DataFlow::TypeTracker t2 | result = re(t2).track(t2, t))
-    }
-
-    /** Gets a reference to the `re` module. */
-    DataFlow::Node re() { result = re(DataFlow::TypeTracker::end()) }
-
-    /**
-     * Gets a reference to the attribute `attr_name` of the `re` module.
-     * WARNING: Only holds for a few predefined attributes.
-     */
-    private DataFlow::Node re_attr(DataFlow::TypeTracker t, string attr_name) {
-      attr_name in [
-          "match", "fullmatch", "search", "split", "findall", "finditer", "sub", "subn", "compile",
-          "escape"
-        ] and
-      (
-        t.start() and
-        result = DataFlow::importNode("re" + "." + attr_name)
-        or
-        t.startInAttr(attr_name) and
-        result = re()
-      )
-      or
-      // Due to bad performance when using normal setup with `re_attr(t2, attr_name).track(t2, t)`
-      // we have inlined that code and forced a join
-      exists(DataFlow::TypeTracker t2 |
-        exists(DataFlow::StepSummary summary |
-          re_attr_first_join(t2, attr_name, result, summary) and
-          t = t2.append(summary)
-        )
-      )
-    }
-
-    pragma[nomagic]
-    private predicate re_attr_first_join(
-      DataFlow::TypeTracker t2, string attr_name, DataFlow::Node res, DataFlow::StepSummary summary
-    ) {
-      DataFlow::StepSummary::step(re_attr(t2, attr_name), res, summary)
-    }
-
-    /**
-     * Gets a reference to the attribute `attr_name` of the `re` module.
-     * WARNING: Only holds for a few predefined attributes.
-     */
-    private DataFlow::Node re_attr(string attr_name) {
-      result = re_attr(DataFlow::TypeTracker::end(), attr_name)
-    }
-
-    /**
-     * Gets a reference to any `attr_name` of the `re` module that immediately executes an expression.
-     * WARNING: Only holds for a few predefined attributes.
-     */
-    private DataFlow::Node re_exec_attr() {
-      exists(string attr_name |
-        attr_name in ["match", "fullmatch", "search", "split", "findall", "finditer", "sub", "subn"] and
-        result = re_attr(DataFlow::TypeTracker::end(), attr_name)
-      )
-    }
-
-    /**
-     * A call to `re.match`
-     * See https://docs.python.org/3/library/re.html#re.match
-     */
-    private class ReMatchCall extends RegexExecution::Range, DataFlow::CfgNode {
-      override CallNode node;
-
-      ReMatchCall() { node.getFunction() = re_attr("match").asCfgNode() }
-
-      override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
-
-      override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
-    }
-
-    /**
-     * A call to `re.fullmatch`
-     * See https://docs.python.org/3/library/re.html#re.fullmatch
-     */
-    private class ReFullMatchCall extends RegexExecution::Range, DataFlow::CfgNode {
-      override CallNode node;
-
-      ReFullMatchCall() { node.getFunction() = re_attr("fullmatch").asCfgNode() }
-
-      override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
-
-      override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
-    }
-
-    /**
-     * A call to `re.search`
-     * See https://docs.python.org/3/library/re.html#re.search
-     */
-    private class ReSearchCall extends RegexExecution::Range, DataFlow::CfgNode {
-      override CallNode node;
-
-      ReSearchCall() { node.getFunction() = re_attr("search").asCfgNode() }
-
-      override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
-
-      override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
-    }
-
-    /**
-     * A call to `re.split`
-     * See https://docs.python.org/3/library/re.html#re.split
-     */
-    private class ReSplitCall extends RegexExecution::Range, DataFlow::CfgNode {
-      override CallNode node;
-
-      ReSplitCall() { node.getFunction() = re_attr("split").asCfgNode() }
-
-      override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
-
-      override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
-    }
-
-    /**
-     * A call to `re.findall`
-     * See https://docs.python.org/3/library/re.html#re.findall
-     */
-    private class ReFindAllCall extends RegexExecution::Range, DataFlow::CfgNode {
-      override CallNode node;
-
-      ReFindAllCall() { node.getFunction() = re_attr("findall").asCfgNode() }
-
-      override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
-
-      override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
-    }
-
-    /**
-     * A call to `re.finditer`
-     * See https://docs.python.org/3/library/re.html#re.finditer
-     */
-    private class ReFindIterCall extends RegexExecution::Range, DataFlow::CfgNode {
-      override CallNode node;
-
-      ReFindIterCall() { node.getFunction() = re_attr("finditer").asCfgNode() }
-
-      override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
-
-      override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
-    }
-
-    /**
-     * A call to `re.sub`
-     * See https://docs.python.org/3/library/re.html#re.sub
-     */
-    private class ReSubCall extends RegexExecution::Range, DataFlow::CfgNode {
-      override CallNode node;
-
-      ReSubCall() { node.getFunction() = re_attr("sub").asCfgNode() }
-
-      override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
-
-      override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
-    }
-
-    /**
-     * A call to `re.subn`
-     * See https://docs.python.org/3/library/re.html#re.subn
-     */
-    private class ReSubNCall extends RegexExecution::Range, DataFlow::CfgNode {
-      override CallNode node;
-
-      ReSubNCall() { node.getFunction() = re_attr("subn").asCfgNode() }
-
-      override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
-
-      override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
-    }
-
-    /**
-     * A call to `re.escape`
-     * See https://docs.python.org/3/library/re.html#re.escape
-     */
-    private class ReEscapeCall extends RegexExecution::Range, DataFlow::CfgNode {
-      override CallNode node;
-
-      ReEscapeCall() { node.getFunction() = re_attr("escape").asCfgNode() }
-
-      override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
-
-      override Attribute getRegexMethod() { result = node.getNode().getFunc().(Attribute) }
-    }
-
-    /**
-     * A call to `re.compile`
-     * See https://docs.python.org/3/library/re.html#re.match
-     */
-    private class ReCompileCall extends RegexExecution::Range, DataFlow::CfgNode {
-      override CallNode node;
-
-      ReCompileCall() { node.getFunction() = re_attr("compile").asCfgNode() }
-
-      override DataFlow::Node getRegexNode() { result.asCfgNode() = node.getArg(0) }
-
-      override Attribute getRegexMethod() {
-        exists(DataFlow::AttrRead reMethod |
-          reMethod = re_exec_attr() and
-          node.getFunction() = reMethod.getObject().getALocalSource().asCfgNode() and
-          result = reMethod.asExpr().(Attribute)
-        )
-      }
+private module Re {
+  /** List of re methods. */
+  private class ReMethods extends string {
+    ReMethods() {
+      this in ["match", "fullmatch", "search", "split", "findall", "finditer", "sub", "subn"]
     }
   }
+
+  private class DirectRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
+    DataFlow::Node regexNode;
+    Attribute regexMethod;
+
+    DirectRegex() {
+      this = API::moduleImport("re").getMember(any(ReMethods m)).getACall() and
+      regexNode = this.getArg(0) and
+      regexMethod = this.asExpr().(Attribute)
+    }
+
+    override DataFlow::Node getRegexNode() { result = regexNode }
+
+    override Attribute getRegexMethod() { result = regexMethod }
+  }
+
+  private class CompiledRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
+    DataFlow::Node regexNode;
+    Attribute regexMethod;
+
+    CompiledRegex() {
+      exists(DataFlow::CallCfgNode patternCall, DirectRegex reMethod |
+        this = reMethod and
+        patternCall = API::moduleImport("re").getMember("compile").getACall() and
+        patternCall = reMethod.(DataFlow::AttrRead).getObject().getALocalSource() and
+        regexNode = patternCall.getArg(0) and
+        // regexMethod is *not* worked out outside class instanciation because `CompiledRegex` focuses on re.compile(pattern).ReMethod
+        regexMethod = reMethod.getRegexMethod()
+      )
+    }
+
+    override DataFlow::Node getRegexNode() { result = regexNode }
+
+    override Attribute getRegexMethod() { result = regexMethod }
+  }
 }
diff --git a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
index 0d42acbac49..102fb80cfff 100644
--- a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
@@ -5,7 +5,6 @@
 
 import python
 import experimental.semmle.python.Concepts
-import experimental.semmle.python.frameworks.Stdlib
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
@@ -21,5 +20,5 @@ class RegexInjectionFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSink(DataFlow::Node sink) { sink = any(RegexExecution re).getRegexNode() }
 
-  override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof ReEscapeCall }
+  override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof RegexEscape }
 }

From 805f86a5cf49a81fa47c616064fc88efa12aca12 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Fri, 26 Mar 2021 10:15:12 +0100
Subject: [PATCH 0724/1429] Polish RegexEscape

---
 .../ql/src/experimental/semmle/python/Concepts.qll  | 13 +++++++++++--
 .../python/security/injection/RegexInjection.qll    |  4 +++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index 8a88ffb2154..b8cef8e4e11 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -46,8 +46,17 @@ class RegexExecution extends DataFlow::Node {
   Attribute getRegexMethod() { result = range.getRegexMethod() }
 }
 
-class RegexEscape extends DataFlow::Node {
+class RegexEscape extends DataFlow::CallCfgNode {
+  DataFlow::Node regexNode;
+  Attribute regexMethod;
+
   RegexEscape() {
-    this = API::moduleImport("re").getMember("escape").getACall().(DataFlow::CallCfgNode).getArg(0)
+    this = API::moduleImport("re").getMember("escape").getACall() and
+    regexNode = this.getArg(0) and
+    regexMethod = this.asExpr().(Attribute)
   }
+
+  DataFlow::Node getRegexNode() { result = regexNode }
+
+  Attribute getRegexMethod() { result = regexMethod }
 }
diff --git a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
index 102fb80cfff..f82af085db0 100644
--- a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
@@ -20,5 +20,7 @@ class RegexInjectionFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSink(DataFlow::Node sink) { sink = any(RegexExecution re).getRegexNode() }
 
-  override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof RegexEscape }
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer = sanitizer.(RegexEscape).getRegexNode()
+  }
 }

From be09ffec3fbb31a69265911cad0d09989dfe5446 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Fri, 26 Mar 2021 10:24:42 +0100
Subject: [PATCH 0725/1429] Create RegexEscape Range

---
 .../experimental/semmle/python/Concepts.qll   | 42 +++++++++++++------
 .../semmle/python/frameworks/Stdlib.qll       | 15 +++++++
 .../security/injection/RegexInjection.qll     |  2 +-
 3 files changed, 45 insertions(+), 14 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index b8cef8e4e11..b4723c9e99d 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -18,7 +18,7 @@ private import semmle.python.ApiGraphs
 /** Provides classes for modeling Regular Expression-related APIs. */
 module RegexExecution {
   /**
-   * A data-flow node that works with regular expressions.
+   * A data-flow node that works with regular expressions immediately executing an expression.
    *
    * Extend this class to model new APIs. If you want to refine existing API models,
    * extend `RegexExecution` instead.
@@ -31,7 +31,7 @@ module RegexExecution {
 }
 
 /**
- * A data-flow node that works with regular expressions.
+ * A data-flow node that works with regular expressions immediately executing an expression.
  *
  * Extend this class to refine existing API models. If you want to model new APIs,
  * extend `RegexExecution::Range` instead.
@@ -46,17 +46,33 @@ class RegexExecution extends DataFlow::Node {
   Attribute getRegexMethod() { result = range.getRegexMethod() }
 }
 
-class RegexEscape extends DataFlow::CallCfgNode {
-  DataFlow::Node regexNode;
-  Attribute regexMethod;
+/** Provides classes for modeling Regular Expression escape-related APIs. */
+module RegexEscape {
+  /**
+   * A data-flow node that collects functions escaping regular expressions.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `RegexEscape` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    abstract DataFlow::Node getRegexNode();
 
-  RegexEscape() {
-    this = API::moduleImport("re").getMember("escape").getACall() and
-    regexNode = this.getArg(0) and
-    regexMethod = this.asExpr().(Attribute)
+    abstract Attribute getEscapeMethod();
   }
-
-  DataFlow::Node getRegexNode() { result = regexNode }
-
-  Attribute getRegexMethod() { result = regexMethod }
+}
+
+/**
+ * A data-flow node that collects functions escaping regular expressions.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `RegexEscape::Range` instead.
+ */
+class RegexEscape extends DataFlow::Node {
+  RegexEscape::Range range;
+
+  RegexEscape() { this = range }
+
+  DataFlow::Node getRegexNode() { result = range.getRegexNode() }
+
+  Attribute getEscapeMethod() { result = range.getEscapeMethod() }
 }
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index 5a3441bed83..0b5c57c1c67 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -53,4 +53,19 @@ private module Re {
 
     override Attribute getRegexMethod() { result = regexMethod }
   }
+
+  class ReEscape extends DataFlow::CallCfgNode, RegexEscape::Range {
+    DataFlow::Node regexNode;
+    Attribute escapeMethod;
+
+    ReEscape() {
+      this = API::moduleImport("re").getMember("escape").getACall() and
+      regexNode = this.getArg(0) and
+      escapeMethod = this.asExpr().(Attribute)
+    }
+
+    override DataFlow::Node getRegexNode() { result = regexNode }
+
+    override Attribute getEscapeMethod() { result = escapeMethod }
+  }
 }
diff --git a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
index f82af085db0..fb2ef2ed192 100644
--- a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
@@ -21,6 +21,6 @@ class RegexInjectionFlowConfig extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink = any(RegexExecution re).getRegexNode() }
 
   override predicate isSanitizer(DataFlow::Node sanitizer) {
-    sanitizer = sanitizer.(RegexEscape).getRegexNode()
+    sanitizer = any(RegexEscape reEscape).getRegexNode()
   }
 }

From c127b109d0ccf29db088f2f2f0e4d58107444df1 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Fri, 26 Mar 2021 16:21:34 +0100
Subject: [PATCH 0726/1429] Create re.compile().ReMethod test

---
 .../Security/CWE-730/{ => unit_tests}/re_bad.py          | 8 ++++++--
 .../Security/CWE-730/{ => unit_tests}/re_good.py         | 9 +++++++--
 2 files changed, 13 insertions(+), 4 deletions(-)
 rename python/ql/src/experimental/Security/CWE-730/{ => unit_tests}/re_bad.py (72%)
 rename python/ql/src/experimental/Security/CWE-730/{ => unit_tests}/re_good.py (71%)

diff --git a/python/ql/src/experimental/Security/CWE-730/re_bad.py b/python/ql/src/experimental/Security/CWE-730/unit_tests/re_bad.py
similarity index 72%
rename from python/ql/src/experimental/Security/CWE-730/re_bad.py
rename to python/ql/src/experimental/Security/CWE-730/unit_tests/re_bad.py
index 6a0aa7c6614..172fb94bab8 100644
--- a/python/ql/src/experimental/Security/CWE-730/re_bad.py
+++ b/python/ql/src/experimental/Security/CWE-730/unit_tests/re_bad.py
@@ -1,3 +1,5 @@
+# move outside test folder
+
 from flask import request, Flask
 import re
 
@@ -7,16 +9,18 @@ app = Flask(__name__)
 @app.route("/direct")
 def direct():
     pattern = request.args['pattern']
-
     re.search(pattern, "")
 
 
 @app.route("/compile")
 def compile():
     pattern = re.compile(request.args['pattern'])
-
     pattern.search("")
 
 
+@app.route("/compile_direct")
+def compile_direct():
+    re.compile(request.args['pattern']).search("")
+
 # if __name__ == "__main__":
 #     app.run(debug=True)
diff --git a/python/ql/src/experimental/Security/CWE-730/re_good.py b/python/ql/src/experimental/Security/CWE-730/unit_tests/re_good.py
similarity index 71%
rename from python/ql/src/experimental/Security/CWE-730/re_good.py
rename to python/ql/src/experimental/Security/CWE-730/unit_tests/re_good.py
index ba09b1fe30b..a226d7a8899 100644
--- a/python/ql/src/experimental/Security/CWE-730/re_good.py
+++ b/python/ql/src/experimental/Security/CWE-730/unit_tests/re_good.py
@@ -1,3 +1,5 @@
+# move outside test folder
+
 from flask import request, Flask
 import re
 
@@ -7,16 +9,19 @@ app = Flask(__name__)
 @app.route("/direct")
 def direct():
     pattern = re.escape(request.args['pattern'])
-
     re.search(pattern, "")
 
 
 @app.route("/compile")
 def compile():
     pattern = re.compile(re.escape(request.args['pattern']))
-
     pattern.search("")
 
 
+@app.route("/compile_direct")
+def compile_direct():
+    re.compile(re.escape(request.args['pattern'])).search("")
+
+
 # if __name__ == "__main__":
 #     app.run(debug=True)

From 35f1c45d3234ddd679d852f8266d62b9449486bf Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Fri, 26 Mar 2021 17:01:53 +0100
Subject: [PATCH 0727/1429] Change from Attribute to DataFlow::CallCfgNode in
 getRegexMethod()

---
 .../src/experimental/semmle/python/Concepts.qll  |  8 ++++----
 .../semmle/python/frameworks/Stdlib.qll          | 16 ++++++++--------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index b4723c9e99d..8530047e60c 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -26,7 +26,7 @@ module RegexExecution {
   abstract class Range extends DataFlow::Node {
     abstract DataFlow::Node getRegexNode();
 
-    abstract Attribute getRegexMethod();
+    abstract DataFlow::CallCfgNode getRegexMethod();
   }
 }
 
@@ -43,7 +43,7 @@ class RegexExecution extends DataFlow::Node {
 
   DataFlow::Node getRegexNode() { result = range.getRegexNode() }
 
-  Attribute getRegexMethod() { result = range.getRegexMethod() }
+  DataFlow::CallCfgNode getRegexMethod() { result = range.getRegexMethod() }
 }
 
 /** Provides classes for modeling Regular Expression escape-related APIs. */
@@ -57,7 +57,7 @@ module RegexEscape {
   abstract class Range extends DataFlow::Node {
     abstract DataFlow::Node getRegexNode();
 
-    abstract Attribute getEscapeMethod();
+    abstract DataFlow::CallCfgNode getEscapeMethod();
   }
 }
 
@@ -74,5 +74,5 @@ class RegexEscape extends DataFlow::Node {
 
   DataFlow::Node getRegexNode() { result = range.getRegexNode() }
 
-  Attribute getEscapeMethod() { result = range.getEscapeMethod() }
+  DataFlow::CallCfgNode getEscapeMethod() { result = range.getEscapeMethod() }
 }
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index 0b5c57c1c67..635c7a5803f 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -21,22 +21,22 @@ private module Re {
 
   private class DirectRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
     DataFlow::Node regexNode;
-    Attribute regexMethod;
+    DataFlow::CallCfgNode regexMethod;
 
     DirectRegex() {
       this = API::moduleImport("re").getMember(any(ReMethods m)).getACall() and
       regexNode = this.getArg(0) and
-      regexMethod = this.asExpr().(Attribute)
+      regexMethod = this
     }
 
     override DataFlow::Node getRegexNode() { result = regexNode }
 
-    override Attribute getRegexMethod() { result = regexMethod }
+    override DataFlow::CallCfgNode getRegexMethod() { result = regexMethod }
   }
 
   private class CompiledRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
     DataFlow::Node regexNode;
-    Attribute regexMethod;
+    DataFlow::CallCfgNode regexMethod;
 
     CompiledRegex() {
       exists(DataFlow::CallCfgNode patternCall, DirectRegex reMethod |
@@ -51,21 +51,21 @@ private module Re {
 
     override DataFlow::Node getRegexNode() { result = regexNode }
 
-    override Attribute getRegexMethod() { result = regexMethod }
+    override DataFlow::CallCfgNode getRegexMethod() { result = regexMethod }
   }
 
   class ReEscape extends DataFlow::CallCfgNode, RegexEscape::Range {
     DataFlow::Node regexNode;
-    Attribute escapeMethod;
+    DataFlow::CallCfgNode escapeMethod;
 
     ReEscape() {
       this = API::moduleImport("re").getMember("escape").getACall() and
       regexNode = this.getArg(0) and
-      escapeMethod = this.asExpr().(Attribute)
+      escapeMethod = this
     }
 
     override DataFlow::Node getRegexNode() { result = regexNode }
 
-    override Attribute getEscapeMethod() { result = escapeMethod }
+    override DataFlow::CallCfgNode getEscapeMethod() { result = escapeMethod }
   }
 }

From 36cc7b5e3fee327db28144f142ac94268611a0c6 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Fri, 26 Mar 2021 17:19:01 +0100
Subject: [PATCH 0728/1429] Fix CompiledRegex

---
 .../experimental/semmle/python/frameworks/Stdlib.qll  | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index 635c7a5803f..44305b0bc03 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -31,6 +31,7 @@ private module Re {
 
     override DataFlow::Node getRegexNode() { result = regexNode }
 
+    // pending obj.this discussion
     override DataFlow::CallCfgNode getRegexMethod() { result = regexMethod }
   }
 
@@ -39,13 +40,13 @@ private module Re {
     DataFlow::CallCfgNode regexMethod;
 
     CompiledRegex() {
-      exists(DataFlow::CallCfgNode patternCall, DirectRegex reMethod |
-        this = reMethod and
+      exists(DataFlow::CallCfgNode patternCall, DataFlow::AttrRead reMethod |
+        this.getFunction() = reMethod and
         patternCall = API::moduleImport("re").getMember("compile").getACall() and
-        patternCall = reMethod.(DataFlow::AttrRead).getObject().getALocalSource() and
+        patternCall = reMethod.getObject().getALocalSource() and
+        reMethod.getAttributeName() instanceof ReMethods and
         regexNode = patternCall.getArg(0) and
-        // regexMethod is *not* worked out outside class instanciation because `CompiledRegex` focuses on re.compile(pattern).ReMethod
-        regexMethod = reMethod.getRegexMethod()
+        regexMethod = this
       )
     }
 

From 53d61c4fb68445ea88e8b8753aaf65341771dc78 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Fri, 26 Mar 2021 19:18:14 +0100
Subject: [PATCH 0729/1429] Use custom Sink

---
 .../Security/CWE-730/RegexInjection.ql             | 14 ++++++++++----
 .../ql/src/experimental/semmle/python/Concepts.qll | 13 +++++++++++++
 .../semmle/python/frameworks/Stdlib.qll            |  2 ++
 .../python/security/injection/RegexInjection.qll   |  3 +--
 4 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql b/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
index 9d3da12f9bd..ab6d11de53c 100644
--- a/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
@@ -16,7 +16,13 @@ import python
 import experimental.semmle.python.security.injection.RegexInjection
 import DataFlow::PathGraph
 
-from RegexInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ regular expression is constructed from a $@.",
-  sink.getNode(), "This", source.getNode(), "user-provided value"
+from
+  RegexInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
+  Attribute sinkAttribute
+where
+  config.hasFlowPath(source, sink) and
+  sinkAttribute = sink.getNode().(RegexInjectionSink).getRegexMethod()
+select sink.getNode(), source, sink,
+  "$@ regular expression is constructed from a $@ and executed by $@.", sink.getNode(), "This",
+  source.getNode(), "user-provided value", sinkAttribute,
+  sinkAttribute.getObject().toString() + "." + sinkAttribute.getName()
diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index 8530047e60c..ab30e97f8d9 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -76,3 +76,16 @@ class RegexEscape extends DataFlow::Node {
 
   DataFlow::CallCfgNode getEscapeMethod() { result = range.getEscapeMethod() }
 }
+
+class RegexInjectionSink extends DataFlow::Node {
+  Attribute regexMethod;
+
+  RegexInjectionSink() {
+    exists(RegexExecution reExec |
+      this = reExec.getRegexNode() and
+      regexMethod = reExec.getRegexMethod().getFunction().asExpr().(Attribute)
+    )
+  }
+
+  Attribute getRegexMethod() { result = regexMethod }
+}
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index 44305b0bc03..5ba4a652244 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -24,6 +24,7 @@ private module Re {
     DataFlow::CallCfgNode regexMethod;
 
     DirectRegex() {
+      // this.getLocation().getFile().getBaseName().regexpMatch("^re_(good|bad)\\.py$") and // debug
       this = API::moduleImport("re").getMember(any(ReMethods m)).getACall() and
       regexNode = this.getArg(0) and
       regexMethod = this
@@ -41,6 +42,7 @@ private module Re {
 
     CompiledRegex() {
       exists(DataFlow::CallCfgNode patternCall, DataFlow::AttrRead reMethod |
+        // this.getLocation().getFile().getBaseName().regexpMatch("^re_(good|bad)\\.py$") and // debug
         this.getFunction() = reMethod and
         patternCall = API::moduleImport("re").getMember("compile").getACall() and
         patternCall = reMethod.getObject().getALocalSource() and
diff --git a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
index fb2ef2ed192..c2112175bfa 100644
--- a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
@@ -8,7 +8,6 @@ import experimental.semmle.python.Concepts
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
-import semmle.python.ApiGraphs
 
 /**
  * A taint-tracking configuration for detecting regular expression injections.
@@ -18,7 +17,7 @@ class RegexInjectionFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) { sink = any(RegexExecution re).getRegexNode() }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink }
 
   override predicate isSanitizer(DataFlow::Node sanitizer) {
     sanitizer = any(RegexEscape reEscape).getRegexNode()

From 18ce257fc8bea35cdbc97437fd04dd1da9957a1e Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Sat, 27 Mar 2021 00:26:30 +0100
Subject: [PATCH 0730/1429] Move RegexInjectionSink to query config (qll)

---
 .../ql/src/experimental/semmle/python/Concepts.qll  | 13 -------------
 .../python/security/injection/RegexInjection.qll    | 13 +++++++++++++
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index ab30e97f8d9..8530047e60c 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -76,16 +76,3 @@ class RegexEscape extends DataFlow::Node {
 
   DataFlow::CallCfgNode getEscapeMethod() { result = range.getEscapeMethod() }
 }
-
-class RegexInjectionSink extends DataFlow::Node {
-  Attribute regexMethod;
-
-  RegexInjectionSink() {
-    exists(RegexExecution reExec |
-      this = reExec.getRegexNode() and
-      regexMethod = reExec.getRegexMethod().getFunction().asExpr().(Attribute)
-    )
-  }
-
-  Attribute getRegexMethod() { result = regexMethod }
-}
diff --git a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
index c2112175bfa..358d884687b 100644
--- a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
@@ -9,6 +9,19 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
 
+class RegexInjectionSink extends DataFlow::Node {
+  Attribute regexMethod;
+
+  RegexInjectionSink() {
+    exists(RegexExecution reExec |
+      this = reExec.getRegexNode() and
+      regexMethod = reExec.getRegexMethod().getFunction().asExpr().(Attribute)
+    )
+  }
+
+  Attribute getRegexMethod() { result = regexMethod }
+}
+
 /**
  * A taint-tracking configuration for detecting regular expression injections.
  */

From e78e2ac2667740a7899436ffeae8bf9e1b4e2dfa Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Sat, 27 Mar 2021 00:36:00 +0100
Subject: [PATCH 0731/1429] Get rid of (get)regexMethod

---
 .../src/experimental/semmle/python/Concepts.qll  |  8 --------
 .../semmle/python/frameworks/Stdlib.qll          | 16 +++-------------
 .../python/security/injection/RegexInjection.qll |  2 +-
 3 files changed, 4 insertions(+), 22 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index 8530047e60c..46bb8ad4ee3 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -25,8 +25,6 @@ module RegexExecution {
    */
   abstract class Range extends DataFlow::Node {
     abstract DataFlow::Node getRegexNode();
-
-    abstract DataFlow::CallCfgNode getRegexMethod();
   }
 }
 
@@ -42,8 +40,6 @@ class RegexExecution extends DataFlow::Node {
   RegexExecution() { this = range }
 
   DataFlow::Node getRegexNode() { result = range.getRegexNode() }
-
-  DataFlow::CallCfgNode getRegexMethod() { result = range.getRegexMethod() }
 }
 
 /** Provides classes for modeling Regular Expression escape-related APIs. */
@@ -56,8 +52,6 @@ module RegexEscape {
    */
   abstract class Range extends DataFlow::Node {
     abstract DataFlow::Node getRegexNode();
-
-    abstract DataFlow::CallCfgNode getEscapeMethod();
   }
 }
 
@@ -73,6 +67,4 @@ class RegexEscape extends DataFlow::Node {
   RegexEscape() { this = range }
 
   DataFlow::Node getRegexNode() { result = range.getRegexNode() }
-
-  DataFlow::CallCfgNode getEscapeMethod() { result = range.getEscapeMethod() }
 }
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index 5ba4a652244..28f07eddff4 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -26,14 +26,10 @@ private module Re {
     DirectRegex() {
       // this.getLocation().getFile().getBaseName().regexpMatch("^re_(good|bad)\\.py$") and // debug
       this = API::moduleImport("re").getMember(any(ReMethods m)).getACall() and
-      regexNode = this.getArg(0) and
-      regexMethod = this
+      regexNode = this.getArg(0)
     }
 
     override DataFlow::Node getRegexNode() { result = regexNode }
-
-    // pending obj.this discussion
-    override DataFlow::CallCfgNode getRegexMethod() { result = regexMethod }
   }
 
   private class CompiledRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
@@ -47,14 +43,11 @@ private module Re {
         patternCall = API::moduleImport("re").getMember("compile").getACall() and
         patternCall = reMethod.getObject().getALocalSource() and
         reMethod.getAttributeName() instanceof ReMethods and
-        regexNode = patternCall.getArg(0) and
-        regexMethod = this
+        regexNode = patternCall.getArg(0)
       )
     }
 
     override DataFlow::Node getRegexNode() { result = regexNode }
-
-    override DataFlow::CallCfgNode getRegexMethod() { result = regexMethod }
   }
 
   class ReEscape extends DataFlow::CallCfgNode, RegexEscape::Range {
@@ -63,12 +56,9 @@ private module Re {
 
     ReEscape() {
       this = API::moduleImport("re").getMember("escape").getACall() and
-      regexNode = this.getArg(0) and
-      escapeMethod = this
+      regexNode = this.getArg(0)
     }
 
     override DataFlow::Node getRegexNode() { result = regexNode }
-
-    override DataFlow::CallCfgNode getEscapeMethod() { result = escapeMethod }
   }
 }
diff --git a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
index 358d884687b..b77eae22371 100644
--- a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
@@ -15,7 +15,7 @@ class RegexInjectionSink extends DataFlow::Node {
   RegexInjectionSink() {
     exists(RegexExecution reExec |
       this = reExec.getRegexNode() and
-      regexMethod = reExec.getRegexMethod().getFunction().asExpr().(Attribute)
+      regexMethod = reExec.asExpr().(Attribute)
     )
   }
 

From a5850f4a9908e99df007cabaeae2460d920b4772 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Sat, 27 Mar 2021 11:32:58 +0100
Subject: [PATCH 0732/1429] Use getRegexModule to know used lib

---
 .../src/experimental/Security/CWE-730/RegexInjection.ql   | 8 ++++----
 python/ql/src/experimental/semmle/python/Concepts.qll     | 4 ++++
 .../src/experimental/semmle/python/frameworks/Stdlib.qll  | 7 ++++---
 .../semmle/python/security/injection/RegexInjection.qll   | 6 +++---
 4 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql b/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
index ab6d11de53c..422c57c9bff 100644
--- a/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
@@ -18,11 +18,11 @@ import DataFlow::PathGraph
 
 from
   RegexInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
-  Attribute sinkAttribute
+  RegexInjectionSink castedSink
 where
   config.hasFlowPath(source, sink) and
-  sinkAttribute = sink.getNode().(RegexInjectionSink).getRegexMethod()
+  castedSink = sink.getNode()
 select sink.getNode(), source, sink,
   "$@ regular expression is constructed from a $@ and executed by $@.", sink.getNode(), "This",
-  source.getNode(), "user-provided value", sinkAttribute,
-  sinkAttribute.getObject().toString() + "." + sinkAttribute.getName()
+  source.getNode(), "user-provided value", castedSink,
+  castedSink.getRegexModule() + "." + castedSink.asExpr().(Attribute).getName()
diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index 46bb8ad4ee3..6bdf1a37bb0 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -25,6 +25,8 @@ module RegexExecution {
    */
   abstract class Range extends DataFlow::Node {
     abstract DataFlow::Node getRegexNode();
+
+    abstract string getRegexModule();
   }
 }
 
@@ -40,6 +42,8 @@ class RegexExecution extends DataFlow::Node {
   RegexExecution() { this = range }
 
   DataFlow::Node getRegexNode() { result = range.getRegexNode() }
+
+  string getRegexModule() { result = range.getRegexModule() }
 }
 
 /** Provides classes for modeling Regular Expression escape-related APIs. */
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index 28f07eddff4..a4a860711b8 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -21,15 +21,15 @@ private module Re {
 
   private class DirectRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
     DataFlow::Node regexNode;
-    DataFlow::CallCfgNode regexMethod;
 
     DirectRegex() {
-      // this.getLocation().getFile().getBaseName().regexpMatch("^re_(good|bad)\\.py$") and // debug
       this = API::moduleImport("re").getMember(any(ReMethods m)).getACall() and
       regexNode = this.getArg(0)
     }
 
     override DataFlow::Node getRegexNode() { result = regexNode }
+
+    override string getRegexModule() { result = "re" }
   }
 
   private class CompiledRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
@@ -38,7 +38,6 @@ private module Re {
 
     CompiledRegex() {
       exists(DataFlow::CallCfgNode patternCall, DataFlow::AttrRead reMethod |
-        // this.getLocation().getFile().getBaseName().regexpMatch("^re_(good|bad)\\.py$") and // debug
         this.getFunction() = reMethod and
         patternCall = API::moduleImport("re").getMember("compile").getACall() and
         patternCall = reMethod.getObject().getALocalSource() and
@@ -48,6 +47,8 @@ private module Re {
     }
 
     override DataFlow::Node getRegexNode() { result = regexNode }
+
+    override string getRegexModule() { result = "re" }
   }
 
   class ReEscape extends DataFlow::CallCfgNode, RegexEscape::Range {
diff --git a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
index b77eae22371..c4e06abf390 100644
--- a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
@@ -10,16 +10,16 @@ import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
 
 class RegexInjectionSink extends DataFlow::Node {
-  Attribute regexMethod;
+  string regexModule;
 
   RegexInjectionSink() {
     exists(RegexExecution reExec |
       this = reExec.getRegexNode() and
-      regexMethod = reExec.asExpr().(Attribute)
+      regexModule = reExec.getRegexModule()
     )
   }
 
-  Attribute getRegexMethod() { result = regexMethod }
+  string getRegexModule() { result = regexModule }
 }
 
 /**

From f75110365fdc9cef4c18ba4a5395f1f8699bd54b Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Sat, 27 Mar 2021 19:54:30 +0100
Subject: [PATCH 0733/1429] Fix Sink utilization in select

---
 .../experimental/Security/CWE-730/RegexInjection.ql | 13 +++++--------
 .../python/security/injection/RegexInjection.qll    |  6 +++++-
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql b/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
index 422c57c9bff..73178ca1c03 100644
--- a/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
@@ -16,13 +16,10 @@ import python
 import experimental.semmle.python.security.injection.RegexInjection
 import DataFlow::PathGraph
 
-from
-  RegexInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
-  RegexInjectionSink castedSink
-where
-  config.hasFlowPath(source, sink) and
-  castedSink = sink.getNode()
+from RegexInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
   "$@ regular expression is constructed from a $@ and executed by $@.", sink.getNode(), "This",
-  source.getNode(), "user-provided value", castedSink,
-  castedSink.getRegexModule() + "." + castedSink.asExpr().(Attribute).getName()
+  source.getNode(), "user-provided value", sink.getNode(),
+  sink.getNode().(RegexInjectionSink).getRegexModule() + "." +
+    sink.getNode().(RegexInjectionSink).getRegexMethod().getName()
diff --git a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
index c4e06abf390..2f0fa71ef79 100644
--- a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
@@ -11,15 +11,19 @@ import semmle.python.dataflow.new.RemoteFlowSources
 
 class RegexInjectionSink extends DataFlow::Node {
   string regexModule;
+  Attribute regexMethod;
 
   RegexInjectionSink() {
     exists(RegexExecution reExec |
       this = reExec.getRegexNode() and
-      regexModule = reExec.getRegexModule()
+      regexModule = reExec.getRegexModule() and
+      regexMethod = reExec.(DataFlow::CallCfgNode).getFunction().asExpr().(Attribute)
     )
   }
 
   string getRegexModule() { result = regexModule }
+
+  Attribute getRegexMethod() { result = regexMethod }
 }
 
 /**

From 66ee67a7817037495f28909d2c6b75be4006a7e7 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Sat, 27 Mar 2021 19:59:39 +0100
Subject: [PATCH 0734/1429] Polished select statement

---
 .../Security/CWE-730/RegexInjection.ql             | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql b/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
index 73178ca1c03..77355fdf30d 100644
--- a/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
@@ -16,10 +16,14 @@ import python
 import experimental.semmle.python.security.injection.RegexInjection
 import DataFlow::PathGraph
 
-from RegexInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from
+  RegexInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
+  RegexInjectionSink castedSink, Attribute methodAttribute
+where
+  config.hasFlowPath(source, sink) and
+  castedSink = sink.getNode() and
+  methodAttribute = castedSink.getRegexMethod()
 select sink.getNode(), source, sink,
   "$@ regular expression is constructed from a $@ and executed by $@.", sink.getNode(), "This",
-  source.getNode(), "user-provided value", sink.getNode(),
-  sink.getNode().(RegexInjectionSink).getRegexModule() + "." +
-    sink.getNode().(RegexInjectionSink).getRegexMethod().getName()
+  source.getNode(), "user-provided value", methodAttribute,
+  castedSink.getRegexModule() + "." + methodAttribute.getName()

From c54f08f33a00571ac2b1454c87b2cefbfd3e8b4d Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Sat, 27 Mar 2021 20:13:32 +0100
Subject: [PATCH 0735/1429] Improve qhelp

---
 .../Security/CWE-730/RegexInjection.qhelp     | 65 ++++++++++++++-----
 1 file changed, 47 insertions(+), 18 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp b/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp
index 2e3d238daa4..0fc0445e07b 100644
--- a/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp
+++ b/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp
@@ -1,23 +1,52 @@
-<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" qhelp.dtd"> <qhelp>
 
-<qhelp>
-  <overview>
-    <p>If a regular expression is built by a not escaped user-provided value, a user is likely to be able to cause a Denial of Service.</p>
-  </overview>
+<overview>
+  <p>
+    Constructing a regular expression with unsanitized user input is dangerous as a malicious user may
+    be able to modify the meaning of the expression. In particular, such a user may be able to provide
+    a regular expression fragment that takes exponential time in the worst case, and use that to
+    perform a Denial of Service attack.
+  </p>
+</overview>
 
-  <recommendation>
-    <p>In case user input must compose a regular expression, it should be escaped with functions such as <code>re.escape</code>.
-  <recommendation>
+<recommendation>
+  <p>
+    Before embedding user input into a regular expression, use a sanitization function such as
+    <code>re.escape</code> to escape meta-characters that have a special meaning regarding 
+    regular expressions' syntax.
+  </p>
+</recommendation>
 
-  <references>
-    <li>
-      OWASP
-      <a href="https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS">Regular Expression DoS</a>
-    </li>
-    <li>
-      SonarSource
-      <a href="https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2631">RSPEC-2631</a>
-    </li>
-  </references>
+<example>
+  <p>
+    The following examples are based on a simple Flask web server environment.
+  </p>
+  <p>
+    The following example shows a HTTP request parameter that is used to construct a regular expression
+    without sanitizing it first:
+  </p>
+  <sample src="unit_tests/re_bad.py" />
+  <p>
+    Instead, the request parameter should be sanitized first, for example using the function
+    <code>re.escape</code>. This ensures that the user cannot insert characters which have a
+    special meaning in regular expressions.
+  </p>
+  <sample src="examples/re_good.py" />
+</example>
 
+<references>
+  <li>
+    OWASP:
+    <a href="https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">Regular expression Denial of Service - ReDoS</a>.
+  </li>
+  <li>
+    Wikipedia: <a href="https://en.wikipedia.org/wiki/ReDoS">ReDoS</a>.
+  </li>
+  <li>
+    Python docs: <a href="https://docs.python.org/3/library/re.html">re</a>.
+  </li>
+  <li>
+    SonarSource: <a href="https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2631">RSPEC-2631</a>
+  </li>
+</references>
 </qhelp>
\ No newline at end of file

From 0e169ba10ebfbc1c0fe56fc347d3abb857577b9f Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Sat, 27 Mar 2021 20:14:11 +0100
Subject: [PATCH 0736/1429] Format qhelp

---
 .../Security/CWE-730/RegexInjection.qhelp     | 96 +++++++++----------
 1 file changed, 48 insertions(+), 48 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp b/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp
index 0fc0445e07b..3e635017da1 100644
--- a/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp
+++ b/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp
@@ -1,52 +1,52 @@
-<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" qhelp.dtd"> <qhelp>
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      Constructing a regular expression with unsanitized user input is dangerous as a malicious user may
+      be able to modify the meaning of the expression. In particular, such a user may be able to provide
+      a regular expression fragment that takes exponential time in the worst case, and use that to
+      perform a Denial of Service attack.
+    </p>
+  </overview>
 
-<overview>
-  <p>
-    Constructing a regular expression with unsanitized user input is dangerous as a malicious user may
-    be able to modify the meaning of the expression. In particular, such a user may be able to provide
-    a regular expression fragment that takes exponential time in the worst case, and use that to
-    perform a Denial of Service attack.
-  </p>
-</overview>
+  <recommendation>
+    <p>
+      Before embedding user input into a regular expression, use a sanitization function such as
+      <code>re.escape</code> to escape meta-characters that have a special meaning regarding 
+      regular expressions' syntax.
+    </p>
+  </recommendation>
 
-<recommendation>
-  <p>
-    Before embedding user input into a regular expression, use a sanitization function such as
-    <code>re.escape</code> to escape meta-characters that have a special meaning regarding 
-    regular expressions' syntax.
-  </p>
-</recommendation>
+  <example>
+    <p>
+      The following examples are based on a simple Flask web server environment.
+    </p>
+    <p>
+      The following example shows a HTTP request parameter that is used to construct a regular expression
+      without sanitizing it first:
+    </p>
+    <sample src="unit_tests/re_bad.py" />
+    <p>
+      Instead, the request parameter should be sanitized first, for example using the function
+      <code>re.escape</code>. This ensures that the user cannot insert characters which have a
+      special meaning in regular expressions.
+    </p>
+    <sample src="examples/re_good.py" />
+  </example>
 
-<example>
-  <p>
-    The following examples are based on a simple Flask web server environment.
-  </p>
-  <p>
-    The following example shows a HTTP request parameter that is used to construct a regular expression
-    without sanitizing it first:
-  </p>
-  <sample src="unit_tests/re_bad.py" />
-  <p>
-    Instead, the request parameter should be sanitized first, for example using the function
-    <code>re.escape</code>. This ensures that the user cannot insert characters which have a
-    special meaning in regular expressions.
-  </p>
-  <sample src="examples/re_good.py" />
-</example>
-
-<references>
-  <li>
-    OWASP:
-    <a href="https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">Regular expression Denial of Service - ReDoS</a>.
-  </li>
-  <li>
-    Wikipedia: <a href="https://en.wikipedia.org/wiki/ReDoS">ReDoS</a>.
-  </li>
-  <li>
-    Python docs: <a href="https://docs.python.org/3/library/re.html">re</a>.
-  </li>
-  <li>
-    SonarSource: <a href="https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2631">RSPEC-2631</a>
-  </li>
-</references>
+  <references>
+    <li>
+      OWASP:
+      <a href="https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">Regular expression Denial of Service - ReDoS</a>.
+    </li>
+    <li>
+      Wikipedia: <a href="https://en.wikipedia.org/wiki/ReDoS">ReDoS</a>.
+    </li>
+    <li>
+      Python docs: <a href="https://docs.python.org/3/library/re.html">re</a>.
+    </li>
+    <li>
+      SonarSource: <a href="https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2631">RSPEC-2631</a>
+    </li>
+  </references>
 </qhelp>
\ No newline at end of file

From d49c23fe67035e676148ee9b690b00e2e894ada0 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Sat, 27 Mar 2021 20:26:55 +0100
Subject: [PATCH 0737/1429] Improve tests' readability

---
 .../Security/CWE-730/unit_tests/re_bad.py     | 30 +++++++++++++----
 .../Security/CWE-730/unit_tests/re_good.py    | 32 +++++++++++++++----
 2 files changed, 48 insertions(+), 14 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-730/unit_tests/re_bad.py b/python/ql/src/experimental/Security/CWE-730/unit_tests/re_bad.py
index 172fb94bab8..55b306c8857 100644
--- a/python/ql/src/experimental/Security/CWE-730/unit_tests/re_bad.py
+++ b/python/ql/src/experimental/Security/CWE-730/unit_tests/re_bad.py
@@ -1,5 +1,3 @@
-# move outside test folder
-
 from flask import request, Flask
 import re
 
@@ -8,19 +6,37 @@ app = Flask(__name__)
 
 @app.route("/direct")
 def direct():
-    pattern = request.args['pattern']
-    re.search(pattern, "")
+    """
+    A RemoteFlowSource is used directly as re.search's pattern
+    """
 
+    unsafe_pattern = request.args["pattern"]
+    re.search(unsafe_pattern, "")
+
+
+# A RemoteFlowSource is used directly as re.compile's pattern
 
 @app.route("/compile")
 def compile():
-    pattern = re.compile(request.args['pattern'])
-    pattern.search("")
+    """
+    A RemoteFlowSource is used directly as re.compile's pattern
+    which also executes .search() 
+    """
+
+    unsafe_pattern = request.args["pattern"]
+    compiled_pattern = re.compile(unsafe_pattern)
+    compiled_pattern.search("")
 
 
 @app.route("/compile_direct")
 def compile_direct():
-    re.compile(request.args['pattern']).search("")
+    """
+    A RemoteFlowSource is used directly as re.compile's pattern
+    which also executes .search() in the same line
+    """
+
+    unsafe_pattern = request.args["pattern"]
+    re.compile(unsafe_pattern).search("")
 
 # if __name__ == "__main__":
 #     app.run(debug=True)
diff --git a/python/ql/src/experimental/Security/CWE-730/unit_tests/re_good.py b/python/ql/src/experimental/Security/CWE-730/unit_tests/re_good.py
index a226d7a8899..6dc58b87f85 100644
--- a/python/ql/src/experimental/Security/CWE-730/unit_tests/re_good.py
+++ b/python/ql/src/experimental/Security/CWE-730/unit_tests/re_good.py
@@ -1,5 +1,3 @@
-# move outside test folder
-
 from flask import request, Flask
 import re
 
@@ -8,19 +6,39 @@ app = Flask(__name__)
 
 @app.route("/direct")
 def direct():
-    pattern = re.escape(request.args['pattern'])
-    re.search(pattern, "")
+    """
+    A RemoteFlowSource is escaped by re.escape and then used as
+    re'search pattern
+    """
+
+    unsafe_pattern = request.args['pattern']
+    safe_pattern = re.escape(unsafe_pattern)
+    re.search(safe_pattern, "")
 
 
 @app.route("/compile")
 def compile():
-    pattern = re.compile(re.escape(request.args['pattern']))
-    pattern.search("")
+    """
+    A RemoteFlowSource is escaped by re.escape and used as re.compile's
+    pattern which also executes .search()
+    """
+
+    unsafe_pattern = request.args['pattern']
+    safe_pattern = re.escape(unsafe_pattern)
+    compiled_pattern = re.compile(safe_pattern)
+    compiled_pattern.search("")
 
 
 @app.route("/compile_direct")
 def compile_direct():
-    re.compile(re.escape(request.args['pattern'])).search("")
+    """
+    A RemoteFlowSource is escaped by re.escape and then used as re.compile's
+    pattern which also executes .search() in the same line
+    """
+
+    unsafe_pattern = request.args['pattern']
+    safe_pattern = re.escape(unsafe_pattern)
+    re.compile(safe_pattern).search("")
 
 
 # if __name__ == "__main__":

From d4a89b2fd822689f626523d0da786f077ca7464f Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Sat, 27 Mar 2021 20:29:11 +0100
Subject: [PATCH 0738/1429] Fix qhelp typo while converting to python's regex
 injection

---
 .../ql/src/experimental/Security/CWE-730/RegexInjection.qhelp   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp b/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp
index 3e635017da1..3c1d5907a77 100644
--- a/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp
+++ b/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp
@@ -31,7 +31,7 @@
       <code>re.escape</code>. This ensures that the user cannot insert characters which have a
       special meaning in regular expressions.
     </p>
-    <sample src="examples/re_good.py" />
+    <sample src="unit_tests/re_good.py" />
   </example>
 
   <references>

From b6721971dd9149992fd53524a99f878c7220fcc2 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Sat, 27 Mar 2021 20:54:46 +0100
Subject: [PATCH 0739/1429] Improve code comments

---
 .../experimental/semmle/python/Concepts.qll   |  9 +++++
 .../semmle/python/frameworks/Stdlib.qll       | 38 ++++++++++++++++---
 .../security/injection/RegexInjection.qll     |  5 +++
 3 files changed, 46 insertions(+), 6 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index 6bdf1a37bb0..b325925f321 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -24,8 +24,14 @@ module RegexExecution {
    * extend `RegexExecution` instead.
    */
   abstract class Range extends DataFlow::Node {
+    /**
+     * Gets the argument containing the executed expression.
+     */
     abstract DataFlow::Node getRegexNode();
 
+    /**
+     * Gets the library used to execute the regular expression.
+     */
     abstract string getRegexModule();
   }
 }
@@ -55,6 +61,9 @@ module RegexEscape {
    * extend `RegexEscape` instead.
    */
   abstract class Range extends DataFlow::Node {
+    /**
+     * Gets the argument containing the escaped expression.
+     */
     abstract DataFlow::Node getRegexNode();
   }
 }
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index a4a860711b8..c825bcfc086 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -10,20 +10,33 @@ private import semmle.python.dataflow.new.RemoteFlowSources
 private import experimental.semmle.python.Concepts
 private import semmle.python.ApiGraphs
 
-/** Provides models for the Python standard library. */
+/**
+ * Provides models for Python's `re` library.
+ *
+ * See https://docs.python.org/3/library/re.html
+ */
 private module Re {
-  /** List of re methods. */
-  private class ReMethods extends string {
-    ReMethods() {
+  /**
+   * List of `re` methods immediately executing an expression.
+   *
+   * See https://docs.python.org/3/library/re.html#module-contents
+   */
+  private class RegexExecutionMethods extends string {
+    RegexExecutionMethods() {
       this in ["match", "fullmatch", "search", "split", "findall", "finditer", "sub", "subn"]
     }
   }
 
+  /**
+   * A class to find `re` methods immediately executing an expression.
+   *
+   * See `RegexExecutionMethods`
+   */
   private class DirectRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
     DataFlow::Node regexNode;
 
     DirectRegex() {
-      this = API::moduleImport("re").getMember(any(ReMethods m)).getACall() and
+      this = API::moduleImport("re").getMember(any(RegexExecutionMethods m)).getACall() and
       regexNode = this.getArg(0)
     }
 
@@ -32,6 +45,14 @@ private module Re {
     override string getRegexModule() { result = "re" }
   }
 
+  /**
+   * A class to find `re` methods immediately executing an expression from a
+   * compiled expression by `re.compile`.
+   *
+   * See `RegexExecutionMethods`
+   *
+   * See https://docs.python.org/3/library/re.html#regular-expression-objects
+   */
   private class CompiledRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
     DataFlow::Node regexNode;
     DataFlow::CallCfgNode regexMethod;
@@ -41,7 +62,7 @@ private module Re {
         this.getFunction() = reMethod and
         patternCall = API::moduleImport("re").getMember("compile").getACall() and
         patternCall = reMethod.getObject().getALocalSource() and
-        reMethod.getAttributeName() instanceof ReMethods and
+        reMethod.getAttributeName() instanceof RegexExecutionMethods and
         regexNode = patternCall.getArg(0)
       )
     }
@@ -51,6 +72,11 @@ private module Re {
     override string getRegexModule() { result = "re" }
   }
 
+  /**
+   * A class to find `re` methods escaping an expression.
+   *
+   * See https://docs.python.org/3/library/re.html#re.escape
+   */
   class ReEscape extends DataFlow::CallCfgNode, RegexEscape::Range {
     DataFlow::Node regexNode;
     DataFlow::CallCfgNode escapeMethod;
diff --git a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
index 2f0fa71ef79..2ce6f06edc0 100644
--- a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
@@ -9,6 +9,11 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
 
+/**
+ * A class to find methods executing regular expressions.
+ *
+ * See `RegexExecution`
+ */
 class RegexInjectionSink extends DataFlow::Node {
   string regexModule;
   Attribute regexMethod;

From 36555149245fc55d0fd72dc1953342956a386c71 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Sat, 27 Mar 2021 21:01:07 +0100
Subject: [PATCH 0740/1429] Fix ambiguity

---
 python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index c825bcfc086..849dd47467d 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -46,8 +46,7 @@ private module Re {
   }
 
   /**
-   * A class to find `re` methods immediately executing an expression from a
-   * compiled expression by `re.compile`.
+   * A class to find `re` methods immediately executing a compiled expression by `re.compile`.
    *
    * See `RegexExecutionMethods`
    *

From fc27c6c5470043c4c6b5cf96d2abded89ef152e6 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Sat, 27 Mar 2021 21:03:19 +0100
Subject: [PATCH 0741/1429] Fix RegexExecution ambiguity

---
 python/ql/src/experimental/semmle/python/Concepts.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index b325925f321..08131064912 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -18,7 +18,7 @@ private import semmle.python.ApiGraphs
 /** Provides classes for modeling Regular Expression-related APIs. */
 module RegexExecution {
   /**
-   * A data-flow node that works with regular expressions immediately executing an expression.
+   * A data-flow node that collects methods immediately executing an expression.
    *
    * Extend this class to model new APIs. If you want to refine existing API models,
    * extend `RegexExecution` instead.
@@ -37,7 +37,7 @@ module RegexExecution {
 }
 
 /**
- * A data-flow node that works with regular expressions immediately executing an expression.
+ * A data-flow node that collect methods immediately executing an expression.
  *
  * Extend this class to refine existing API models. If you want to model new APIs,
  * extend `RegexExecution::Range` instead.

From 03825a6052a1d9412e02aaca7990f094e596f9a3 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Sat, 27 Mar 2021 21:05:49 +0100
Subject: [PATCH 0742/1429] Add comment to Sink's predicates

---
 .../semmle/python/security/injection/RegexInjection.qll     | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
index 2ce6f06edc0..a7a0526f750 100644
--- a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
@@ -26,8 +26,14 @@ class RegexInjectionSink extends DataFlow::Node {
     )
   }
 
+  /**
+   * Gets the argument containing the executed expression.
+   */
   string getRegexModule() { result = regexModule }
 
+  /**
+   * Gets the mthod used to execute the regular expression.
+   */
   Attribute getRegexMethod() { result = regexMethod }
 }
 

From ec85ee453777eed7053859692a257cb89da5400f Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Sat, 27 Mar 2021 21:07:53 +0100
Subject: [PATCH 0743/1429] Sink's predicate typo

---
 .../semmle/python/security/injection/RegexInjection.qll         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
index a7a0526f750..7b7b08cacab 100644
--- a/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/RegexInjection.qll
@@ -32,7 +32,7 @@ class RegexInjectionSink extends DataFlow::Node {
   string getRegexModule() { result = regexModule }
 
   /**
-   * Gets the mthod used to execute the regular expression.
+   * Gets the method used to execute the regular expression.
    */
   Attribute getRegexMethod() { result = regexMethod }
 }

From d401d18e7193558eedd1c17c82b6f46ef504d39f Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Sun, 28 Mar 2021 01:22:12 +0100
Subject: [PATCH 0744/1429] Add .expected and qlref

---
 .../Security/CWE-730/RegexInjection.expected  | 27 +++++++++++++++++++
 .../Security/CWE-730/RegexInjection.qlref     |  1 +
 2 files changed, 28 insertions(+)
 create mode 100644 python/ql/src/experimental/Security/CWE-730/RegexInjection.expected
 create mode 100644 python/ql/src/experimental/Security/CWE-730/RegexInjection.qlref

diff --git a/python/ql/src/experimental/Security/CWE-730/RegexInjection.expected b/python/ql/src/experimental/Security/CWE-730/RegexInjection.expected
new file mode 100644
index 00000000000..9886df2904d
--- /dev/null
+++ b/python/ql/src/experimental/Security/CWE-730/RegexInjection.expected
@@ -0,0 +1,27 @@
+edges
+| re_bad.py:13:22:13:28 | ControlFlowNode for request | re_bad.py:13:22:13:33 | ControlFlowNode for Attribute |
+| re_bad.py:13:22:13:33 | ControlFlowNode for Attribute | re_bad.py:13:22:13:44 | ControlFlowNode for Subscript |
+| re_bad.py:13:22:13:44 | ControlFlowNode for Subscript | re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern |
+| re_bad.py:26:22:26:28 | ControlFlowNode for request | re_bad.py:26:22:26:33 | ControlFlowNode for Attribute |
+| re_bad.py:26:22:26:33 | ControlFlowNode for Attribute | re_bad.py:26:22:26:44 | ControlFlowNode for Subscript |
+| re_bad.py:26:22:26:44 | ControlFlowNode for Subscript | re_bad.py:27:35:27:48 | ControlFlowNode for unsafe_pattern |
+| re_bad.py:38:22:38:28 | ControlFlowNode for request | re_bad.py:38:22:38:33 | ControlFlowNode for Attribute |
+| re_bad.py:38:22:38:33 | ControlFlowNode for Attribute | re_bad.py:38:22:38:44 | ControlFlowNode for Subscript |
+| re_bad.py:38:22:38:44 | ControlFlowNode for Subscript | re_bad.py:39:16:39:29 | ControlFlowNode for unsafe_pattern |
+nodes
+| re_bad.py:13:22:13:28 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| re_bad.py:13:22:13:33 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| re_bad.py:13:22:13:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern | semmle.label | ControlFlowNode for unsafe_pattern |
+| re_bad.py:26:22:26:28 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| re_bad.py:26:22:26:33 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| re_bad.py:26:22:26:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| re_bad.py:27:35:27:48 | ControlFlowNode for unsafe_pattern | semmle.label | ControlFlowNode for unsafe_pattern |
+| re_bad.py:38:22:38:28 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| re_bad.py:38:22:38:33 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| re_bad.py:38:22:38:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| re_bad.py:39:16:39:29 | ControlFlowNode for unsafe_pattern | semmle.label | ControlFlowNode for unsafe_pattern |
+#select
+| re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern | re_bad.py:13:22:13:28 | ControlFlowNode for request | re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern | $@ regular expression is constructed from a $@ and executed by $@. | re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern | This | re_bad.py:13:22:13:28 | ControlFlowNode for request | user-provided value | re_bad.py:14:5:14:13 | Attribute | re.search |
+| re_bad.py:27:35:27:48 | ControlFlowNode for unsafe_pattern | re_bad.py:26:22:26:28 | ControlFlowNode for request | re_bad.py:27:35:27:48 | ControlFlowNode for unsafe_pattern | $@ regular expression is constructed from a $@ and executed by $@. | re_bad.py:27:35:27:48 | ControlFlowNode for unsafe_pattern | This | re_bad.py:26:22:26:28 | ControlFlowNode for request | user-provided value | re_bad.py:28:5:28:27 | Attribute | re.search |
+| re_bad.py:39:16:39:29 | ControlFlowNode for unsafe_pattern | re_bad.py:38:22:38:28 | ControlFlowNode for request | re_bad.py:39:16:39:29 | ControlFlowNode for unsafe_pattern | $@ regular expression is constructed from a $@ and executed by $@. | re_bad.py:39:16:39:29 | ControlFlowNode for unsafe_pattern | This | re_bad.py:38:22:38:28 | ControlFlowNode for request | user-provided value | re_bad.py:39:5:39:37 | Attribute | re.search |
diff --git a/python/ql/src/experimental/Security/CWE-730/RegexInjection.qlref b/python/ql/src/experimental/Security/CWE-730/RegexInjection.qlref
new file mode 100644
index 00000000000..c0c506c4707
--- /dev/null
+++ b/python/ql/src/experimental/Security/CWE-730/RegexInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-730/RegexInjection.ql

From 81d23c066c4fbad99914aa3410e57e328c5c2375 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Sun, 28 Mar 2021 01:37:55 +0100
Subject: [PATCH 0745/1429] Move tests and qlref from /src to /test

---
 .../query-tests}/Security/CWE-730/RegexInjection.qlref            | 0
 .../experimental/query-tests/Security/CWE-730}/re_bad.py          | 0
 .../experimental/query-tests/Security/CWE-730}/re_good.py         | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
 rename python/ql/{src/experimental => test/experimental/query-tests}/Security/CWE-730/RegexInjection.qlref (100%)
 rename python/ql/{src/experimental/Security/CWE-730/unit_tests => test/experimental/query-tests/Security/CWE-730}/re_bad.py (100%)
 rename python/ql/{src/experimental/Security/CWE-730/unit_tests => test/experimental/query-tests/Security/CWE-730}/re_good.py (100%)

diff --git a/python/ql/src/experimental/Security/CWE-730/RegexInjection.qlref b/python/ql/test/experimental/query-tests/Security/CWE-730/RegexInjection.qlref
similarity index 100%
rename from python/ql/src/experimental/Security/CWE-730/RegexInjection.qlref
rename to python/ql/test/experimental/query-tests/Security/CWE-730/RegexInjection.qlref
diff --git a/python/ql/src/experimental/Security/CWE-730/unit_tests/re_bad.py b/python/ql/test/experimental/query-tests/Security/CWE-730/re_bad.py
similarity index 100%
rename from python/ql/src/experimental/Security/CWE-730/unit_tests/re_bad.py
rename to python/ql/test/experimental/query-tests/Security/CWE-730/re_bad.py
diff --git a/python/ql/src/experimental/Security/CWE-730/unit_tests/re_good.py b/python/ql/test/experimental/query-tests/Security/CWE-730/re_good.py
similarity index 100%
rename from python/ql/src/experimental/Security/CWE-730/unit_tests/re_good.py
rename to python/ql/test/experimental/query-tests/Security/CWE-730/re_good.py

From d968eea9143fda8d6118d1cf906f0a23fd673065 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Sun, 28 Mar 2021 18:36:59 +0200
Subject: [PATCH 0746/1429] Move expected to /test

---
 .../query-tests}/Security/CWE-730/RegexInjection.expected         | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename python/ql/{src/experimental => test/experimental/query-tests}/Security/CWE-730/RegexInjection.expected (100%)

diff --git a/python/ql/src/experimental/Security/CWE-730/RegexInjection.expected b/python/ql/test/experimental/query-tests/Security/CWE-730/RegexInjection.expected
similarity index 100%
rename from python/ql/src/experimental/Security/CWE-730/RegexInjection.expected
rename to python/ql/test/experimental/query-tests/Security/CWE-730/RegexInjection.expected

From 6a20a4dcc32f9dc0016e39446c579de4e5389b0e Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Mon, 29 Mar 2021 15:01:58 +0200
Subject: [PATCH 0747/1429] Add newline to qhelp

---
 .../ql/src/experimental/Security/CWE-730/RegexInjection.qhelp   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp b/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp
index 3c1d5907a77..94e66b2b89c 100644
--- a/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp
+++ b/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp
@@ -49,4 +49,4 @@
       SonarSource: <a href="https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2631">RSPEC-2631</a>
     </li>
   </references>
-</qhelp>
\ No newline at end of file
+</qhelp>

From 3fae3fd93e25a7913d762a00d0869a4c3cfabd13 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Tue, 30 Mar 2021 17:39:27 +0200
Subject: [PATCH 0748/1429] Take ApiGraphs out of Concepts.qll

---
 python/ql/src/experimental/semmle/python/Concepts.qll | 1 -
 1 file changed, 1 deletion(-)

diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index 08131064912..07bbae2a060 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -13,7 +13,6 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
 private import experimental.semmle.python.Frameworks
-private import semmle.python.ApiGraphs
 
 /** Provides classes for modeling Regular Expression-related APIs. */
 module RegexExecution {

From 05ee853c4e380f5580b17620fce1e4aa4ca14ab6 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Tue, 6 Apr 2021 15:52:31 +0200
Subject: [PATCH 0749/1429] Remove wrong comment

---
 .../ql/test/experimental/query-tests/Security/CWE-730/re_bad.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/python/ql/test/experimental/query-tests/Security/CWE-730/re_bad.py b/python/ql/test/experimental/query-tests/Security/CWE-730/re_bad.py
index 55b306c8857..622eaf199f6 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-730/re_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-730/re_bad.py
@@ -14,8 +14,6 @@ def direct():
     re.search(unsafe_pattern, "")
 
 
-# A RemoteFlowSource is used directly as re.compile's pattern
-
 @app.route("/compile")
 def compile():
     """

From 12ccd7e3b643899b1abff49056390e6adb40a763 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 8 Apr 2021 22:20:09 +0200
Subject: [PATCH 0750/1429] Update .expected

---
 .../Security/CWE-730/RegexInjection.expected  | 32 +++++++++----------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/python/ql/test/experimental/query-tests/Security/CWE-730/RegexInjection.expected b/python/ql/test/experimental/query-tests/Security/CWE-730/RegexInjection.expected
index 9886df2904d..97ed0d1bdfa 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-730/RegexInjection.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-730/RegexInjection.expected
@@ -2,26 +2,26 @@ edges
 | re_bad.py:13:22:13:28 | ControlFlowNode for request | re_bad.py:13:22:13:33 | ControlFlowNode for Attribute |
 | re_bad.py:13:22:13:33 | ControlFlowNode for Attribute | re_bad.py:13:22:13:44 | ControlFlowNode for Subscript |
 | re_bad.py:13:22:13:44 | ControlFlowNode for Subscript | re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern |
-| re_bad.py:26:22:26:28 | ControlFlowNode for request | re_bad.py:26:22:26:33 | ControlFlowNode for Attribute |
-| re_bad.py:26:22:26:33 | ControlFlowNode for Attribute | re_bad.py:26:22:26:44 | ControlFlowNode for Subscript |
-| re_bad.py:26:22:26:44 | ControlFlowNode for Subscript | re_bad.py:27:35:27:48 | ControlFlowNode for unsafe_pattern |
-| re_bad.py:38:22:38:28 | ControlFlowNode for request | re_bad.py:38:22:38:33 | ControlFlowNode for Attribute |
-| re_bad.py:38:22:38:33 | ControlFlowNode for Attribute | re_bad.py:38:22:38:44 | ControlFlowNode for Subscript |
-| re_bad.py:38:22:38:44 | ControlFlowNode for Subscript | re_bad.py:39:16:39:29 | ControlFlowNode for unsafe_pattern |
+| re_bad.py:24:22:24:28 | ControlFlowNode for request | re_bad.py:24:22:24:33 | ControlFlowNode for Attribute |
+| re_bad.py:24:22:24:33 | ControlFlowNode for Attribute | re_bad.py:24:22:24:44 | ControlFlowNode for Subscript |
+| re_bad.py:24:22:24:44 | ControlFlowNode for Subscript | re_bad.py:25:35:25:48 | ControlFlowNode for unsafe_pattern |
+| re_bad.py:36:22:36:28 | ControlFlowNode for request | re_bad.py:36:22:36:33 | ControlFlowNode for Attribute |
+| re_bad.py:36:22:36:33 | ControlFlowNode for Attribute | re_bad.py:36:22:36:44 | ControlFlowNode for Subscript |
+| re_bad.py:36:22:36:44 | ControlFlowNode for Subscript | re_bad.py:37:16:37:29 | ControlFlowNode for unsafe_pattern |
 nodes
 | re_bad.py:13:22:13:28 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | re_bad.py:13:22:13:33 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | re_bad.py:13:22:13:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern | semmle.label | ControlFlowNode for unsafe_pattern |
-| re_bad.py:26:22:26:28 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| re_bad.py:26:22:26:33 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| re_bad.py:26:22:26:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
-| re_bad.py:27:35:27:48 | ControlFlowNode for unsafe_pattern | semmle.label | ControlFlowNode for unsafe_pattern |
-| re_bad.py:38:22:38:28 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| re_bad.py:38:22:38:33 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| re_bad.py:38:22:38:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
-| re_bad.py:39:16:39:29 | ControlFlowNode for unsafe_pattern | semmle.label | ControlFlowNode for unsafe_pattern |
+| re_bad.py:24:22:24:28 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| re_bad.py:24:22:24:33 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| re_bad.py:24:22:24:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| re_bad.py:25:35:25:48 | ControlFlowNode for unsafe_pattern | semmle.label | ControlFlowNode for unsafe_pattern |
+| re_bad.py:36:22:36:28 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| re_bad.py:36:22:36:33 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| re_bad.py:36:22:36:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| re_bad.py:37:16:37:29 | ControlFlowNode for unsafe_pattern | semmle.label | ControlFlowNode for unsafe_pattern |
 #select
 | re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern | re_bad.py:13:22:13:28 | ControlFlowNode for request | re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern | $@ regular expression is constructed from a $@ and executed by $@. | re_bad.py:14:15:14:28 | ControlFlowNode for unsafe_pattern | This | re_bad.py:13:22:13:28 | ControlFlowNode for request | user-provided value | re_bad.py:14:5:14:13 | Attribute | re.search |
-| re_bad.py:27:35:27:48 | ControlFlowNode for unsafe_pattern | re_bad.py:26:22:26:28 | ControlFlowNode for request | re_bad.py:27:35:27:48 | ControlFlowNode for unsafe_pattern | $@ regular expression is constructed from a $@ and executed by $@. | re_bad.py:27:35:27:48 | ControlFlowNode for unsafe_pattern | This | re_bad.py:26:22:26:28 | ControlFlowNode for request | user-provided value | re_bad.py:28:5:28:27 | Attribute | re.search |
-| re_bad.py:39:16:39:29 | ControlFlowNode for unsafe_pattern | re_bad.py:38:22:38:28 | ControlFlowNode for request | re_bad.py:39:16:39:29 | ControlFlowNode for unsafe_pattern | $@ regular expression is constructed from a $@ and executed by $@. | re_bad.py:39:16:39:29 | ControlFlowNode for unsafe_pattern | This | re_bad.py:38:22:38:28 | ControlFlowNode for request | user-provided value | re_bad.py:39:5:39:37 | Attribute | re.search |
+| re_bad.py:25:35:25:48 | ControlFlowNode for unsafe_pattern | re_bad.py:24:22:24:28 | ControlFlowNode for request | re_bad.py:25:35:25:48 | ControlFlowNode for unsafe_pattern | $@ regular expression is constructed from a $@ and executed by $@. | re_bad.py:25:35:25:48 | ControlFlowNode for unsafe_pattern | This | re_bad.py:24:22:24:28 | ControlFlowNode for request | user-provided value | re_bad.py:26:5:26:27 | Attribute | re.search |
+| re_bad.py:37:16:37:29 | ControlFlowNode for unsafe_pattern | re_bad.py:36:22:36:28 | ControlFlowNode for request | re_bad.py:37:16:37:29 | ControlFlowNode for unsafe_pattern | $@ regular expression is constructed from a $@ and executed by $@. | re_bad.py:37:16:37:29 | ControlFlowNode for unsafe_pattern | This | re_bad.py:36:22:36:28 | ControlFlowNode for request | user-provided value | re_bad.py:37:5:37:37 | Attribute | re.search |

From c4322848ec8525dc70ed5c7ee7d6381362621aeb Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 8 Apr 2021 22:42:35 +0200
Subject: [PATCH 0751/1429] Polish qhelp

---
 .../Security/CWE-730/RegexInjection.qhelp     | 87 +++++++++----------
 .../experimental/Security/CWE-730/re_bad.py   | 15 ++++
 .../experimental/Security/CWE-730/re_good.py  | 17 ++++
 3 files changed, 72 insertions(+), 47 deletions(-)
 create mode 100644 python/ql/src/experimental/Security/CWE-730/re_bad.py
 create mode 100644 python/ql/src/experimental/Security/CWE-730/re_good.py

diff --git a/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp b/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp
index 94e66b2b89c..f19f0744469 100644
--- a/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp
+++ b/python/ql/src/experimental/Security/CWE-730/RegexInjection.qhelp
@@ -1,52 +1,45 @@
-<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" qhelp.dtd">
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
 <qhelp>
-  <overview>
-    <p>
-      Constructing a regular expression with unsanitized user input is dangerous as a malicious user may
-      be able to modify the meaning of the expression. In particular, such a user may be able to provide
-      a regular expression fragment that takes exponential time in the worst case, and use that to
-      perform a Denial of Service attack.
-    </p>
-  </overview>
+<overview>
+<p>
+Constructing a regular expression with unsanitized user input is dangerous as a malicious user may
+be able to modify the meaning of the expression. In particular, such a user may be able to provide
+a regular expression fragment that takes exponential time in the worst case, and use that to
+perform a Denial of Service attack.
+</p>
+</overview>
 
-  <recommendation>
-    <p>
-      Before embedding user input into a regular expression, use a sanitization function such as
-      <code>re.escape</code> to escape meta-characters that have a special meaning regarding 
-      regular expressions' syntax.
-    </p>
-  </recommendation>
+<recommendation>
+<p>
+Before embedding user input into a regular expression, use a sanitization function such as
+<code>re.escape</code> to escape meta-characters that have a special meaning regarding 
+regular expressions' syntax.
+</p>
+</recommendation>
 
-  <example>
-    <p>
-      The following examples are based on a simple Flask web server environment.
-    </p>
-    <p>
-      The following example shows a HTTP request parameter that is used to construct a regular expression
-      without sanitizing it first:
-    </p>
-    <sample src="unit_tests/re_bad.py" />
-    <p>
-      Instead, the request parameter should be sanitized first, for example using the function
-      <code>re.escape</code>. This ensures that the user cannot insert characters which have a
-      special meaning in regular expressions.
-    </p>
-    <sample src="unit_tests/re_good.py" />
-  </example>
+<example>
+<p>
+The following examples are based on a simple Flask web server environment.
+</p>
+<p>
+The following example shows a HTTP request parameter that is used to construct a regular expression
+without sanitizing it first:
+</p>
+<sample src="re_bad.py" />
+<p>
+Instead, the request parameter should be sanitized first, for example using the function
+<code>re.escape</code>. This ensures that the user cannot insert characters which have a
+special meaning in regular expressions.
+</p>
+<sample src="re_good.py" />
+</example>
 
-  <references>
-    <li>
-      OWASP:
-      <a href="https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">Regular expression Denial of Service - ReDoS</a>.
-    </li>
-    <li>
-      Wikipedia: <a href="https://en.wikipedia.org/wiki/ReDoS">ReDoS</a>.
-    </li>
-    <li>
-      Python docs: <a href="https://docs.python.org/3/library/re.html">re</a>.
-    </li>
-    <li>
-      SonarSource: <a href="https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2631">RSPEC-2631</a>
-    </li>
-  </references>
+<references>
+<li>OWASP: <a href="https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS">Regular expression Denial of Service - ReDoS</a>.</li>
+<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/ReDoS">ReDoS</a>.</li>
+<li>Python docs: <a href="https://docs.python.org/3/library/re.html">re</a>.</li>
+<li>SonarSource: <a href="https://rules.sonarsource.com/python/type/Vulnerability/RSPEC-2631">RSPEC-2631</a>.</li>
+</references>
 </qhelp>
diff --git a/python/ql/src/experimental/Security/CWE-730/re_bad.py b/python/ql/src/experimental/Security/CWE-730/re_bad.py
new file mode 100644
index 00000000000..3befaba9a01
--- /dev/null
+++ b/python/ql/src/experimental/Security/CWE-730/re_bad.py
@@ -0,0 +1,15 @@
+from flask import request, Flask
+import re
+
+
+@app.route("/direct")
+def direct():
+    unsafe_pattern = request.args["pattern"]
+    re.search(unsafe_pattern, "")
+
+
+@app.route("/compile")
+def compile():
+    unsafe_pattern = request.args["pattern"]
+    compiled_pattern = re.compile(unsafe_pattern)
+    compiled_pattern.search("")
diff --git a/python/ql/src/experimental/Security/CWE-730/re_good.py b/python/ql/src/experimental/Security/CWE-730/re_good.py
new file mode 100644
index 00000000000..cdc9a7ac158
--- /dev/null
+++ b/python/ql/src/experimental/Security/CWE-730/re_good.py
@@ -0,0 +1,17 @@
+from flask import request, Flask
+import re
+
+
+@app.route("/direct")
+def direct():
+    unsafe_pattern = request.args['pattern']
+    safe_pattern = re.escape(unsafe_pattern)
+    re.search(safe_pattern, "")
+
+
+@app.route("/compile")
+def compile():
+    unsafe_pattern = request.args['pattern']
+    safe_pattern = re.escape(unsafe_pattern)
+    compiled_pattern = re.compile(safe_pattern)
+    compiled_pattern.search("")

From c0c71c509c4f9bbf31b665763ed89deeebae90c3 Mon Sep 17 00:00:00 2001
From: Jorge <46056498+jorgectf@users.noreply.github.com>
Date: Tue, 27 Apr 2021 19:21:43 +0200
Subject: [PATCH 0752/1429] Apply suggestions from code review

Update `RegexExecution` docs and use `flowsTo()` instead of `getALocalSource()`.

Co-authored-by: yoff <lerchedahl@gmail.com>
---
 python/ql/src/experimental/semmle/python/Concepts.qll          | 2 +-
 python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index 07bbae2a060..e11e21da914 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -17,7 +17,7 @@ private import experimental.semmle.python.Frameworks
 /** Provides classes for modeling Regular Expression-related APIs. */
 module RegexExecution {
   /**
-   * A data-flow node that collects methods immediately executing an expression.
+   * A data-flow node that executes a regular expression.
    *
    * Extend this class to model new APIs. If you want to refine existing API models,
    * extend `RegexExecution` instead.
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index 849dd47467d..1e3478c55f5 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -60,7 +60,7 @@ private module Re {
       exists(DataFlow::CallCfgNode patternCall, DataFlow::AttrRead reMethod |
         this.getFunction() = reMethod and
         patternCall = API::moduleImport("re").getMember("compile").getACall() and
-        patternCall = reMethod.getObject().getALocalSource() and
+        patternCall.flowsTo(reMethod.getObject()) and
         reMethod.getAttributeName() instanceof RegexExecutionMethods and
         regexNode = patternCall.getArg(0)
       )

From 20b532ec5e3b57790cf20ea7ebc587b9fcadc10d Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Tue, 27 Apr 2021 19:24:25 +0200
Subject: [PATCH 0753/1429] Update to-cast sink's naming

Signed-off-by: jorgectf <jorgectf@protonmail.com>
---
 .../src/experimental/Security/CWE-730/RegexInjection.ql   | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql b/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
index 77355fdf30d..7725f636eb0 100644
--- a/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-730/RegexInjection.ql
@@ -18,12 +18,12 @@ import DataFlow::PathGraph
 
 from
   RegexInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink,
-  RegexInjectionSink castedSink, Attribute methodAttribute
+  RegexInjectionSink regexInjectionSink, Attribute methodAttribute
 where
   config.hasFlowPath(source, sink) and
-  castedSink = sink.getNode() and
-  methodAttribute = castedSink.getRegexMethod()
+  regexInjectionSink = sink.getNode() and
+  methodAttribute = regexInjectionSink.getRegexMethod()
 select sink.getNode(), source, sink,
   "$@ regular expression is constructed from a $@ and executed by $@.", sink.getNode(), "This",
   source.getNode(), "user-provided value", methodAttribute,
-  castedSink.getRegexModule() + "." + methodAttribute.getName()
+  regexInjectionSink.getRegexModule() + "." + methodAttribute.getName()

From 8a800986a290a89492df3d6161d4547d80015bf4 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Tue, 27 Apr 2021 19:26:04 +0200
Subject: [PATCH 0754/1429] Remove unused class variables

Signed-off-by: jorgectf <jorgectf@protonmail.com>
---
 python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll | 2 --
 1 file changed, 2 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index 1e3478c55f5..c7a8842cad7 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -54,7 +54,6 @@ private module Re {
    */
   private class CompiledRegex extends DataFlow::CallCfgNode, RegexExecution::Range {
     DataFlow::Node regexNode;
-    DataFlow::CallCfgNode regexMethod;
 
     CompiledRegex() {
       exists(DataFlow::CallCfgNode patternCall, DataFlow::AttrRead reMethod |
@@ -78,7 +77,6 @@ private module Re {
    */
   class ReEscape extends DataFlow::CallCfgNode, RegexEscape::Range {
     DataFlow::Node regexNode;
-    DataFlow::CallCfgNode escapeMethod;
 
     ReEscape() {
       this = API::moduleImport("re").getMember("escape").getACall() and

From 21e01b809fe169f281dbc539e1cc6460dd22edf3 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Tue, 27 Apr 2021 19:52:26 +0200
Subject: [PATCH 0755/1429] Add code example in CompiledRegex

Signed-off-by: jorgectf <jorgectf@protonmail.com>
---
 .../experimental/semmle/python/frameworks/Stdlib.qll  | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index c7a8842cad7..9bda2cb3158 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -48,6 +48,17 @@ private module Re {
   /**
    * A class to find `re` methods immediately executing a compiled expression by `re.compile`.
    *
+   * Given the following example:
+   *
+   * ```py
+   * pattern = re.compile(input)
+   * input.match(s)
+   * ```
+   *
+   * `patternCall` refers to `re.compile(input)`,
+   * `regexNode` refers to `input` and
+   * `this` will refer to `input.match(s)`
+   *
    * See `RegexExecutionMethods`
    *
    * See https://docs.python.org/3/library/re.html#regular-expression-objects

From c27363cea53d82bed873d77217e7549dca602ae9 Mon Sep 17 00:00:00 2001
From: Chuan-kai Lin <cklin@github.com>
Date: Tue, 27 Apr 2021 13:57:16 -0700
Subject: [PATCH 0756/1429] Fix inconsistencies in information about the thief

The find-the-thief exercise is inconsistent.  The first part lists 10 answered questions about the thief, but later discussion silently adds a new question as question 8, so there are a total of 11 answered questions.

This commit updates the first list of answered questions so that it matches later discussions and the sample solution.
---
 docs/codeql/writing-codeql-queries/find-the-thief.rst | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/docs/codeql/writing-codeql-queries/find-the-thief.rst b/docs/codeql/writing-codeql-queries/find-the-thief.rst
index 131423b8058..ff9ee49f5dc 100644
--- a/docs/codeql/writing-codeql-queries/find-the-thief.rst
+++ b/docs/codeql/writing-codeql-queries/find-the-thief.rst
@@ -39,11 +39,13 @@ You start asking some creative questions and making notes of the answers so you
 +------+--------------------------------------------------------------------+--------+
 | (7)  | Is the thief taller than 180cm and shorter than 190cm?             | no     |
 +------+--------------------------------------------------------------------+--------+
-| (8)  | Is the thief the tallest person in the village?                    | no     |
+| (8)  | Is the thief the oldest person in the village?                     | no     |
 +------+--------------------------------------------------------------------+--------+
-| (9)  | Is the thief shorter than the average villager?                    | yes    |
+| (9)  | Is the thief the tallest person in the village?                    | no     |
 +------+--------------------------------------------------------------------+--------+
-| (10) | Is the thief the oldest person in the eastern part of the village? | yes    |
+| (10) | Is the thief shorter than the average villager?                    | yes    |
++------+--------------------------------------------------------------------+--------+
+| (11) | Is the thief the oldest person in the eastern part of the village? | yes    |
 +------+--------------------------------------------------------------------+--------+
 
 There is too much information to search through by hand, so you decide to use your newly acquired QL skills to help you with your investigation...

From 4ae3a230899d41964029df57cbd49fdc2de0440b Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 27 Apr 2021 21:47:38 +0000
Subject: [PATCH 0757/1429] Python: Limit absolute imports

Limits the behaviour of github/codeql#5614 in two ways:

First, we only consider files that are contained in the source archive.
This prevents unnecessary computation involving files in e.g. the
standard library.

Secondly, we ignore any relative imports (e.g. `from .foo import ...`),
as these only work inside packages anyway.

This fixes an observed performance regression on projects that include
`google-cloud-sdk` as part of their source code.
---
 python/ql/src/semmle/python/Module.qll | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/Module.qll b/python/ql/src/semmle/python/Module.qll
index 1e9d76bf1d8..8f9344f60c0 100644
--- a/python/ql/src/semmle/python/Module.qll
+++ b/python/ql/src/semmle/python/Module.qll
@@ -212,8 +212,15 @@ private string moduleNameFromBase(Container file) {
 private predicate transitively_imported_from_entry_point(File file) {
   file.getExtension().matches("%py%") and
   exists(File importer |
+    // Only consider files that are in the source archive
+    exists(importer.getRelativePath()) and
     importer.getParent() = file.getParent() and
-    exists(ImportExpr i | i.getLocation().getFile() = importer and i.getName() = file.getStem())
+    exists(ImportExpr i |
+      i.getLocation().getFile() = importer and
+      i.getName() = file.getStem() and
+      // Disregard relative imports
+      i.getLevel() = 0
+    )
   |
     importer.isPossibleEntryPoint() or transitively_imported_from_entry_point(importer)
   )

From b0f745365d8924351b814d0c0f2194621ca90c57 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Wed, 28 Apr 2021 14:32:25 +0800
Subject: [PATCH 0758/1429] Node type restriction

---
 .../Security/CWE/CWE-348/UseOfLessTrustedSource.ql          | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
index 3c1d2a33ec1..3e25dba427c 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
@@ -35,6 +35,12 @@ class UseOfLessTrustedSourceConfig extends TaintTracking::Configuration {
       ma.getMethod() instanceof SplitMethod and
       not aa.getIndexExpr().(CompileTimeConstantExpr).getIntValue() = 0
     )
+    or
+    node.getType().hasName("Object")
+    or
+    node.getType() instanceof PrimitiveType
+    or
+    node.getType() instanceof BoxedType
   }
 }
 

From f2b4e31e7ff6758f1705f3d1d8d4d8ff7fa82e68 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 28 Apr 2021 10:21:59 +0200
Subject: [PATCH 0759/1429] Python: Make Diagnostics tests pass

I had comitted a bad .expected file it seems, and since the encoding for UTF-8
is named differently from Python 2 to Python 3, we're only going to run the test
for one version.
---
 .../ql/test/query-tests/Diagnostics/ExtractionErrors.expected   | 2 +-
 python/ql/test/query-tests/Diagnostics/options                  | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 python/ql/test/query-tests/Diagnostics/options

diff --git a/python/ql/test/query-tests/Diagnostics/ExtractionErrors.expected b/python/ql/test/query-tests/Diagnostics/ExtractionErrors.expected
index b9412f3be45..4103e4d0cdc 100644
--- a/python/ql/test/query-tests/Diagnostics/ExtractionErrors.expected
+++ b/python/ql/test/query-tests/Diagnostics/ExtractionErrors.expected
@@ -1,2 +1,2 @@
-| bad_encoding.py:2:11:2:11 | Encoding Error | Extraction failed in bad_encoding.py with error 'utf-8' codec can't decode byte 0x9d in position 88: invalid start byte | 2 |
+| bad_encoding.py:2:11:2:11 | Encoding Error | Extraction failed in bad_encoding.py with error 'utf-8' codec can't decode byte 0x9d in position 87: invalid start byte | 2 |
 | syntax_error.py:1:31:1:31 | Syntax Error | Extraction failed in syntax_error.py with error Syntax Error | 2 |
diff --git a/python/ql/test/query-tests/Diagnostics/options b/python/ql/test/query-tests/Diagnostics/options
new file mode 100644
index 00000000000..cfef58cf2b2
--- /dev/null
+++ b/python/ql/test/query-tests/Diagnostics/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=1 --lang=3

From e60628d4633511b2c65998b46bcd43b294481a6c Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 27 Apr 2021 10:33:19 +0200
Subject: [PATCH 0760/1429] add global replacements using inverted char classes
 as a sanitizer for DOM based XSS

---
 .../ql/src/semmle/javascript/security/dataflow/Xss.qll   | 9 ++++++++-
 .../Security/CWE-079/XssThroughDom/xss-through-dom.js    | 4 ++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
index 6a7bd111a9f..899c1c17e87 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -34,7 +34,14 @@ module Shared {
   class MetacharEscapeSanitizer extends Sanitizer, StringReplaceCall {
     MetacharEscapeSanitizer() {
       isGlobal() and
-      RegExp::alwaysMatchesMetaCharacter(getRegExp().getRoot(), ["<", "'", "\""])
+      (
+        RegExp::alwaysMatchesMetaCharacter(getRegExp().getRoot(), ["<", "'", "\""])
+        or
+        // or it's a global inverted char class.
+        getRegExp().getRoot().(RegExpCharacterClass).isInverted()
+        or
+        getRegExp().getRoot().(RegExpQuantifier).getAChild().(RegExpCharacterClass).isInverted()
+      )
     }
   }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js
index 0e6555fe568..656f233ca9e 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/XssThroughDom/xss-through-dom.js
@@ -85,4 +85,8 @@
 
 	$("#id").html(anser.ansiToHtml(text)); // NOT OK
 	$("#id").html(new anser().process(text)); // NOT OK
+	
+	$("section h1").each(function(){
+		$("nav ul").append("<a href='#" + $(this).text().toLowerCase().replace(/ /g, '-').replace(/[^\w-]+/g,'') + "'>Section</a>"); // OK
+	});
 })();
\ No newline at end of file

From 160fa148f11d0f43f4d9ee5a19e32e93597b2e88 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 28 Apr 2021 11:39:28 +0200
Subject: [PATCH 0761/1429] move `InfiniteRepetitionQuantifier` to Regexp.qll

---
 javascript/ql/src/semmle/javascript/Regexp.qll      | 13 +++++++++++++
 .../javascript/security/performance/ReDoSUtil.qll   | 13 -------------
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/Regexp.qll b/javascript/ql/src/semmle/javascript/Regexp.qll
index 842cf0705c7..0d600f8f8c4 100644
--- a/javascript/ql/src/semmle/javascript/Regexp.qll
+++ b/javascript/ql/src/semmle/javascript/Regexp.qll
@@ -191,6 +191,19 @@ class RegExpQuantifier extends RegExpTerm, @regexp_quantifier {
   predicate isGreedy() { is_greedy(this) }
 }
 
+/**
+ * A regular expression term that permits unlimited repetitions.
+ */
+class InfiniteRepetitionQuantifier extends RegExpQuantifier {
+  InfiniteRepetitionQuantifier() {
+    this instanceof RegExpPlus
+    or
+    this instanceof RegExpStar
+    or
+    this instanceof RegExpRange and not exists(this.(RegExpRange).getUpperBound())
+  }
+}
+
 /**
  * An escaped regular expression term, that is, a regular expression
  * term starting with a backslash.
diff --git a/javascript/ql/src/semmle/javascript/security/performance/ReDoSUtil.qll b/javascript/ql/src/semmle/javascript/security/performance/ReDoSUtil.qll
index ae2917920d7..a6f91c595dd 100644
--- a/javascript/ql/src/semmle/javascript/security/performance/ReDoSUtil.qll
+++ b/javascript/ql/src/semmle/javascript/security/performance/ReDoSUtil.qll
@@ -53,19 +53,6 @@ private predicate isReDoSCandidate(State state, string pump) {
   )
 }
 
-/**
- * A regular expression term that permits unlimited repetitions.
- */
-class InfiniteRepetitionQuantifier extends RegExpQuantifier {
-  InfiniteRepetitionQuantifier() {
-    this instanceof RegExpPlus
-    or
-    this instanceof RegExpStar
-    or
-    this instanceof RegExpRange and not exists(this.(RegExpRange).getUpperBound())
-  }
-}
-
 /**
  * Gets the char after `c` (from a simplified ASCII table).
  */

From d07c71c99de5f318230bedca605d43afd799e8a2 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 28 Apr 2021 11:46:35 +0200
Subject: [PATCH 0762/1429] unlimited repetition of a wildcard is also a
 wildcard

---
 javascript/ql/src/semmle/javascript/Regexp.qll | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/Regexp.qll b/javascript/ql/src/semmle/javascript/Regexp.qll
index 0d600f8f8c4..1a27f001d60 100644
--- a/javascript/ql/src/semmle/javascript/Regexp.qll
+++ b/javascript/ql/src/semmle/javascript/Regexp.qll
@@ -1078,6 +1078,12 @@ module RegExp {
       not cls.isInverted() and
       cls.getAChild().(RegExpCharacterClassEscape).getValue().isUppercase()
     )
+    or
+    // an unlimited number of wildcards, is also a wildcard.
+    exists(InfiniteRepetitionQuantifier q |
+      term = q and
+      isWildcardLike(q.getAChild())
+    )
   }
 
   /**

From d5450f1df6d82f7e3457e23fbc8c6b6da7467147 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 28 Apr 2021 11:46:50 +0200
Subject: [PATCH 0763/1429] use `isWildcardLike` in `MetacharEscapeSanitizer`

---
 .../ql/src/semmle/javascript/security/dataflow/Xss.qll      | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
index 899c1c17e87..81e69a5229b 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -37,10 +37,8 @@ module Shared {
       (
         RegExp::alwaysMatchesMetaCharacter(getRegExp().getRoot(), ["<", "'", "\""])
         or
-        // or it's a global inverted char class.
-        getRegExp().getRoot().(RegExpCharacterClass).isInverted()
-        or
-        getRegExp().getRoot().(RegExpQuantifier).getAChild().(RegExpCharacterClass).isInverted()
+        // or it's like a wild-card.
+        RegExp::isWildcardLike(getRegExp().getRoot())
       )
     }
   }

From 8b9c5f8228bf5c2cf8c6cddcc35744fda16a26d0 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 28 Apr 2021 11:50:06 +0200
Subject: [PATCH 0764/1429] Python/JS: Remove "Only added to aid with internal
 rewrite"

---
 .../javascript/security/internal/SensitiveDataHeuristics.qll    | 2 --
 .../semmle/python/security/internal/SensitiveDataHeuristics.qll | 2 --
 2 files changed, 4 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll b/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll
index 71f64d98e70..592b6c23f29 100644
--- a/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll
+++ b/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll
@@ -102,13 +102,11 @@ module HeuristicNames {
 
   /**
    * DEPRECATED: Use `maybeSensitiveRegexp` instead.
-   * Only added to aid with internal rewrite
    */
   deprecated predicate maybeSensitive = maybeSensitiveRegexp/1;
 
   /**
    * DEPRECATED: Use `notSensitiveRegexp` instead.
-   * Only added to aid with internal rewrite
    */
   deprecated predicate notSensitive = notSensitiveRegexp/0;
 
diff --git a/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll b/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll
index 71f64d98e70..592b6c23f29 100644
--- a/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll
+++ b/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll
@@ -102,13 +102,11 @@ module HeuristicNames {
 
   /**
    * DEPRECATED: Use `maybeSensitiveRegexp` instead.
-   * Only added to aid with internal rewrite
    */
   deprecated predicate maybeSensitive = maybeSensitiveRegexp/1;
 
   /**
    * DEPRECATED: Use `notSensitiveRegexp` instead.
-   * Only added to aid with internal rewrite
    */
   deprecated predicate notSensitive = notSensitiveRegexp/0;
 

From baa926359e7c28de1078a0a9e68a3113ae744acc Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 28 Apr 2021 12:18:27 +0200
Subject: [PATCH 0765/1429] Python: Minor fix to Django RawSQL QLDoc

---
 python/ql/src/semmle/python/frameworks/Django.qll | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index 4c63589866b..93aa921e496 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -386,8 +386,7 @@ private module PrivateDjango {
           /** Provides models for the `django.db.models.expressions.RawSQL` class. */
           module RawSQL {
             /**
-             * Gets an instance of the `django.db.models.expressions.RawSQL` class,
-             * that was initiated with the SQL represented by `sql`.
+             * Gets an reference to the `django.db.models.expressions.RawSQL` class.
              */
             API::Node classRef() {
               result = expressions().getMember("RawSQL")
@@ -396,7 +395,10 @@ private module PrivateDjango {
               result = models().getMember("RawSQL")
             }
 
-            /** Gets an instance of the `django.db.models.expressions.RawSQL` class. */
+            /**
+             * Gets an instance of the `django.db.models.expressions.RawSQL` class,
+             * that was initiated with the SQL represented by `sql`.
+             */
             private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t, ControlFlowNode sql) {
               t.start() and
               exists(DataFlow::CallCfgNode c | result = c |

From 2f14a6218a07b95f6aca2ecb3381ba1997a38e7f Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 28 Apr 2021 12:26:02 +0200
Subject: [PATCH 0766/1429] generalize RxJS pipes

---
 .../src/semmle/javascript/frameworks/RxJS.qll | 62 +++++++++++++------
 .../TaintTracking/BasicTaintTracking.expected |  3 +
 .../test/library-tests/TaintTracking/rxjs.js  | 14 ++++-
 3 files changed, 60 insertions(+), 19 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/RxJS.qll b/javascript/ql/src/semmle/javascript/frameworks/RxJS.qll
index aff312ee9b0..abc322de2a7 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/RxJS.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/RxJS.qll
@@ -23,7 +23,7 @@ private class RxJsSubscribeStep extends TaintTracking::SharedTaintStep {
  * created by the `map` call.
  */
 private DataFlow::Node pipeInput(DataFlow::CallNode pipe) {
-  pipe = DataFlow::moduleMember("rxjs/operators", ["map", "filter"]).getACall() and
+  pipe = DataFlow::moduleMember("rxjs/operators", any(string s | not s = "catchError")).getACall() and
   result = pipe.getCallback(0).getParameter(0)
 }
 
@@ -48,7 +48,46 @@ private DataFlow::Node pipeOutput(DataFlow::CallNode pipe) {
  * be special-cased.
  */
 private predicate isIdentityPipe(DataFlow::CallNode pipe) {
-  pipe = DataFlow::moduleMember("rxjs/operators", "catchError").getACall()
+  pipe = DataFlow::moduleMember("rxjs/operators", ["catchError", "tap"]).getACall()
+}
+
+/**
+ * A call to `pipe`, which is assumed to be an `rxjs/operators` pipe.
+ *
+ * Has utility methods `getInput`/`getOutput` to get the input/output of each
+ * element of the pipe.
+ * These utility methods automatically handle itentity pipes, and the
+ * first/last elements of the pipe.
+ */
+private class RxJSPipe extends DataFlow::MethodCallNode {
+  RxJSPipe() { this.getMethodName() = "pipe" }
+
+  /**
+   * Gets an input to pipe element `i`.
+   * Or if `i` is equal to the number of elements, gets the output of the pipe (the call itself)
+   */
+  DataFlow::Node getInput(int i) {
+    result = pipeInput(this.getArgument(i).getALocalSource())
+    or
+    i = this.getNumArgument() and
+    result = this
+  }
+
+  /**
+   * Gets an output from pipe element `i`.
+   * Handles identity pipes by getting the output from the previous element.
+   * If `i` is -1, gets the receiver to the call, which started the pipe.
+   */
+  DataFlow::Node getOutput(int i) {
+    isIdentityPipe(this.getArgument(i).getALocalSource()) and
+    result = getOutput(i - 1)
+    or
+    not isIdentityPipe(this.getArgument(i).getALocalSource()) and
+    result = pipeOutput(this.getArgument(i).getALocalSource())
+    or
+    i = -1 and
+    result = this.getReceiver()
+  }
 }
 
 /**
@@ -56,22 +95,9 @@ private predicate isIdentityPipe(DataFlow::CallNode pipe) {
  */
 private class RxJsPipeMapStep extends TaintTracking::SharedTaintStep {
   override predicate heapStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(DataFlow::MethodCallNode call | call.getMethodName() = "pipe" |
-      pred = call.getReceiver() and
-      succ = pipeInput(call.getArgument(0).getALocalSource())
-      or
-      exists(int i |
-        pred = pipeOutput(call.getArgument(i).getALocalSource()) and
-        succ = pipeInput(call.getArgument(i + 1).getALocalSource())
-      )
-      or
-      pred = pipeOutput(call.getLastArgument().getALocalSource()) and
-      succ = call
-      or
-      // Handle a common case where the last step is `catchError`.
-      isIdentityPipe(call.getLastArgument().getALocalSource()) and
-      pred = pipeOutput(call.getArgument(call.getNumArgument() - 2)) and
-      succ = call
+    exists(RxJSPipe pipe, int i |
+      pred = pipe.getOutput(i) and
+      succ = pipe.getInput(i + 1)
     )
   }
 }
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
index 8eae0bb62aa..6f3c00270e6 100644
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -109,6 +109,9 @@ typeInferenceMismatch
 | promise.js:10:24:10:31 | source() | promise.js:10:8:10:32 | Promise ... urce()) |
 | promise.js:12:20:12:27 | source() | promise.js:13:8:13:23 | resolver.promise |
 | rxjs.js:3:1:3:8 | source() | rxjs.js:10:14:10:17 | data |
+| rxjs.js:13:1:13:8 | source() | rxjs.js:17:23:17:23 | x |
+| rxjs.js:13:1:13:8 | source() | rxjs.js:18:23:18:23 | x |
+| rxjs.js:13:1:13:8 | source() | rxjs.js:22:14:22:17 | data |
 | sanitizer-function.js:12:17:12:24 | source() | sanitizer-function.js:14:10:14:14 | taint |
 | sanitizer-function.js:12:17:12:24 | source() | sanitizer-function.js:33:14:33:18 | taint |
 | sanitizer-guards.js:2:11:2:18 | source() | sanitizer-guards.js:4:8:4:8 | x |
diff --git a/javascript/ql/test/library-tests/TaintTracking/rxjs.js b/javascript/ql/test/library-tests/TaintTracking/rxjs.js
index f3ef209d392..70715545e66 100644
--- a/javascript/ql/test/library-tests/TaintTracking/rxjs.js
+++ b/javascript/ql/test/library-tests/TaintTracking/rxjs.js
@@ -1,4 +1,4 @@
-import { map, catchError } from 'rxjs/operators';
+import { map, tap, catchError } from 'rxjs/operators';
 
 source()
     .pipe(
@@ -9,3 +9,15 @@ source()
     .subscribe(data => {
         sink(data)
     });
+
+source()
+    .pipe(
+        map(x => x + 'foo'),
+        // `tap` taps into the source observable, so like `subscribe` but inside the pipe.
+        tap(x => sink(x)),
+        tap(x => sink(x)),
+        catchError(err => {})
+    )
+    .subscribe(data => {
+        sink(data)
+    });

From 902a4368a1f90b84e2b537690fae4f1028f86d18 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 28 Apr 2021 12:36:07 +0200
Subject: [PATCH 0767/1429] assume that all pipe elements that return
 something, return outputs

---
 .../ql/src/semmle/javascript/frameworks/RxJS.qll   |  3 ++-
 .../TaintTracking/BasicTaintTracking.expected      |  2 ++
 .../ql/test/library-tests/TaintTracking/rxjs.js    | 14 +++++++++++++-
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/RxJS.qll b/javascript/ql/src/semmle/javascript/frameworks/RxJS.qll
index abc322de2a7..8cd05f5047d 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/RxJS.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/RxJS.qll
@@ -34,7 +34,8 @@ private DataFlow::Node pipeInput(DataFlow::CallNode pipe) {
  * the pipe.
  */
 private DataFlow::Node pipeOutput(DataFlow::CallNode pipe) {
-  pipe = DataFlow::moduleMember("rxjs/operators", "map").getACall() and
+  // we assume if there is a return, it is an output.
+  pipe = DataFlow::moduleMember("rxjs/operators", _).getACall() and
   result = pipe.getCallback(0).getReturnNode()
   or
   pipe = DataFlow::moduleMember("rxjs/operators", "filter").getACall() and
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
index 6f3c00270e6..0eaafa38965 100644
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -112,6 +112,8 @@ typeInferenceMismatch
 | rxjs.js:13:1:13:8 | source() | rxjs.js:17:23:17:23 | x |
 | rxjs.js:13:1:13:8 | source() | rxjs.js:18:23:18:23 | x |
 | rxjs.js:13:1:13:8 | source() | rxjs.js:22:14:22:17 | data |
+| rxjs.js:27:24:27:32 | source(x) | rxjs.js:29:23:29:23 | x |
+| rxjs.js:27:24:27:32 | source(x) | rxjs.js:34:14:34:17 | data |
 | sanitizer-function.js:12:17:12:24 | source() | sanitizer-function.js:14:10:14:14 | taint |
 | sanitizer-function.js:12:17:12:24 | source() | sanitizer-function.js:33:14:33:18 | taint |
 | sanitizer-guards.js:2:11:2:18 | source() | sanitizer-guards.js:4:8:4:8 | x |
diff --git a/javascript/ql/test/library-tests/TaintTracking/rxjs.js b/javascript/ql/test/library-tests/TaintTracking/rxjs.js
index 70715545e66..2591c6c2364 100644
--- a/javascript/ql/test/library-tests/TaintTracking/rxjs.js
+++ b/javascript/ql/test/library-tests/TaintTracking/rxjs.js
@@ -1,4 +1,4 @@
-import { map, tap, catchError } from 'rxjs/operators';
+import { map, tap, catchError, switchMap, filter } from 'rxjs/operators';
 
 source()
     .pipe(
@@ -21,3 +21,15 @@ source()
     .subscribe(data => {
         sink(data)
     });
+
+myIdentifier()
+    .pipe(
+        switchMap(x => source(x)),
+        filter(x => myFilter(x)),
+        tap(x => sink(x)),
+        catchError(err => {}),
+        map(x => x + 'foo')
+    )
+    .subscribe(data => {
+        sink(data)
+    });

From e8347c2c20e6b8c4c150e443372159bcb3034abf Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Tue, 27 Apr 2021 10:43:45 +0200
Subject: [PATCH 0768/1429] C++: Update data-flow caching

---
 .../cpp/dataflow/internal/DataFlowUtil.qll    |   1 -
 .../dataflow/internal/TaintTrackingUtil.qll   |   1 +
 .../cpp/ir/dataflow/DefaultTaintTracking.qll  | 233 ++++++++++--------
 .../ir/dataflow/internal/DataFlowDispatch.qll |   4 +-
 .../cpp/ir/dataflow/internal/DataFlowUtil.qll |  21 +-
 5 files changed, 143 insertions(+), 117 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
index 690f24fc59a..75e8c8922d0 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -526,7 +526,6 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) {
  * This is the local flow predicate that's used as a building block in global
  * data flow. It may have less flow than the `localFlowStep` predicate.
  */
-cached
 predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
   // Expr -> Expr
   exprToExprStep_nocfg(nodeFrom.asExpr(), nodeTo.asExpr())
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
index 591f461c8eb..6216045db32 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
@@ -45,6 +45,7 @@ predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
  * local data flow steps. That is, `nodeFrom` and `nodeTo` are likely to represent
  * different objects.
  */
+cached
 predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
   // Taint can flow through expressions that alter the value but preserve
   // more than one bit of it _or_ expressions that follow data through
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
index 3092031cbc7..49d11a7e3cc 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
@@ -165,105 +165,132 @@ private predicate nodeIsBarrierEqualityCandidate(
   any(IRGuardCondition guard).ensuresEq(access, _, _, node.asInstruction().getBlock(), true)
 }
 
-private predicate nodeIsBarrier(DataFlow::Node node) {
-  exists(Variable checkedVar |
-    readsVariable(node.asInstruction(), checkedVar) and
-    hasUpperBoundsCheck(checkedVar)
-  )
-  or
-  exists(Variable checkedVar, Operand access |
-    /*
-     * This node is guarded by a condition that forces the accessed variable
-     * to equal something else.  For example:
-     * ```
-     * x = taintsource()
-     * if (x == 10) {
-     *   taintsink(x); // not considered tainted
-     * }
-     * ```
-     */
-
-    nodeIsBarrierEqualityCandidate(node, access, checkedVar) and
-    readsVariable(access.getDef(), checkedVar)
-  )
-}
-
-private predicate nodeIsBarrierIn(DataFlow::Node node) {
-  // don't use dataflow into taint sources, as this leads to duplicate results.
-  exists(Expr source | isUserInput(source, _) |
-    node = DataFlow::exprNode(source)
+cached
+private module Cached {
+  cached
+  predicate nodeIsBarrier(DataFlow::Node node) {
+    exists(Variable checkedVar |
+      readsVariable(node.asInstruction(), checkedVar) and
+      hasUpperBoundsCheck(checkedVar)
+    )
     or
-    // This case goes together with the similar (but not identical) rule in
-    // `getNodeForSource`.
-    node = DataFlow::definitionByReferenceNodeFromArgument(source)
-  )
-  or
-  // don't use dataflow into binary instructions if both operands are unpredictable
-  exists(BinaryInstruction iTo |
-    iTo = node.asInstruction() and
-    not predictableInstruction(iTo.getLeft()) and
-    not predictableInstruction(iTo.getRight()) and
-    // propagate taint from either the pointer or the offset, regardless of predictability
-    not iTo instanceof PointerArithmeticInstruction
-  )
-  or
-  // don't use dataflow through calls to pure functions if two or more operands
-  // are unpredictable
-  exists(Instruction iFrom1, Instruction iFrom2, CallInstruction iTo |
-    iTo = node.asInstruction() and
-    isPureFunction(iTo.getStaticCallTarget().getName()) and
-    iFrom1 = iTo.getAnArgument() and
-    iFrom2 = iTo.getAnArgument() and
-    not predictableInstruction(iFrom1) and
-    not predictableInstruction(iFrom2) and
-    iFrom1 != iFrom2
-  )
+    exists(Variable checkedVar, Operand access |
+      /*
+       * This node is guarded by a condition that forces the accessed variable
+       * to equal something else.  For example:
+       * ```
+       * x = taintsource()
+       * if (x == 10) {
+       *   taintsink(x); // not considered tainted
+       * }
+       * ```
+       */
+
+      nodeIsBarrierEqualityCandidate(node, access, checkedVar) and
+      readsVariable(access.getDef(), checkedVar)
+    )
+  }
+
+  cached
+  predicate nodeIsBarrierIn(DataFlow::Node node) {
+    // don't use dataflow into taint sources, as this leads to duplicate results.
+    exists(Expr source | isUserInput(source, _) |
+      node = DataFlow::exprNode(source)
+      or
+      // This case goes together with the similar (but not identical) rule in
+      // `getNodeForSource`.
+      node = DataFlow::definitionByReferenceNodeFromArgument(source)
+    )
+    or
+    // don't use dataflow into binary instructions if both operands are unpredictable
+    exists(BinaryInstruction iTo |
+      iTo = node.asInstruction() and
+      not predictableInstruction(iTo.getLeft()) and
+      not predictableInstruction(iTo.getRight()) and
+      // propagate taint from either the pointer or the offset, regardless of predictability
+      not iTo instanceof PointerArithmeticInstruction
+    )
+    or
+    // don't use dataflow through calls to pure functions if two or more operands
+    // are unpredictable
+    exists(Instruction iFrom1, Instruction iFrom2, CallInstruction iTo |
+      iTo = node.asInstruction() and
+      isPureFunction(iTo.getStaticCallTarget().getName()) and
+      iFrom1 = iTo.getAnArgument() and
+      iFrom2 = iTo.getAnArgument() and
+      not predictableInstruction(iFrom1) and
+      not predictableInstruction(iFrom2) and
+      iFrom1 != iFrom2
+    )
+  }
+
+  cached
+  Element adjustedSink(DataFlow::Node sink) {
+    // TODO: is it more appropriate to use asConvertedExpr here and avoid
+    // `getConversion*`? Or will that cause us to miss some cases where there's
+    // flow to a conversion (like a `ReferenceDereferenceExpr`) and we want to
+    // pretend there was flow to the converted `Expr` for the sake of
+    // compatibility.
+    sink.asExpr().getConversion*() = result
+    or
+    // For compatibility, send flow from arguments to parameters, even for
+    // functions with no body.
+    exists(FunctionCall call, int i |
+      sink.asExpr() = call.getArgument(i) and
+      result = resolveCall(call).getParameter(i)
+    )
+    or
+    // For compatibility, send flow into a `Variable` if there is flow to any
+    // Load or Store of that variable.
+    exists(CopyInstruction copy |
+      copy.getSourceValue() = sink.asInstruction() and
+      (
+        readsVariable(copy, result) or
+        writesVariable(copy, result)
+      ) and
+      not hasUpperBoundsCheck(result)
+    )
+    or
+    // For compatibility, send flow into a `NotExpr` even if it's part of a
+    // short-circuiting condition and thus might get skipped.
+    result.(NotExpr).getOperand() = sink.asExpr()
+    or
+    // Taint postfix and prefix crement operations when their operand is tainted.
+    result.(CrementOperation).getAnOperand() = sink.asExpr()
+    or
+    // Taint `e1 += e2`, `e &= e2` and friends when `e1` or `e2` is tainted.
+    result.(AssignOperation).getAnOperand() = sink.asExpr()
+    or
+    result =
+      sink.asOperand()
+          .(SideEffectOperand)
+          .getUse()
+          .(ReadSideEffectInstruction)
+          .getArgumentDef()
+          .getUnconvertedResultExpression()
+  }
+
+  /**
+   * Step to return value of a modeled function when an input taints the
+   * dereference of the return value.
+   */
+  cached
+  predicate additionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+    exists(CallInstruction call, Function func, FunctionInput modelIn, FunctionOutput modelOut |
+      n1.asOperand() = callInput(call, modelIn) and
+      (
+        func.(TaintFunction).hasTaintFlow(modelIn, modelOut)
+        or
+        func.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
+      ) and
+      call.getStaticCallTarget() = func and
+      modelOut.isReturnValueDeref() and
+      call = n2.asInstruction()
+    )
+  }
 }
 
-private Element adjustedSink(DataFlow::Node sink) {
-  // TODO: is it more appropriate to use asConvertedExpr here and avoid
-  // `getConversion*`? Or will that cause us to miss some cases where there's
-  // flow to a conversion (like a `ReferenceDereferenceExpr`) and we want to
-  // pretend there was flow to the converted `Expr` for the sake of
-  // compatibility.
-  sink.asExpr().getConversion*() = result
-  or
-  // For compatibility, send flow from arguments to parameters, even for
-  // functions with no body.
-  exists(FunctionCall call, int i |
-    sink.asExpr() = call.getArgument(i) and
-    result = resolveCall(call).getParameter(i)
-  )
-  or
-  // For compatibility, send flow into a `Variable` if there is flow to any
-  // Load or Store of that variable.
-  exists(CopyInstruction copy |
-    copy.getSourceValue() = sink.asInstruction() and
-    (
-      readsVariable(copy, result) or
-      writesVariable(copy, result)
-    ) and
-    not hasUpperBoundsCheck(result)
-  )
-  or
-  // For compatibility, send flow into a `NotExpr` even if it's part of a
-  // short-circuiting condition and thus might get skipped.
-  result.(NotExpr).getOperand() = sink.asExpr()
-  or
-  // Taint postfix and prefix crement operations when their operand is tainted.
-  result.(CrementOperation).getAnOperand() = sink.asExpr()
-  or
-  // Taint `e1 += e2`, `e &= e2` and friends when `e1` or `e2` is tainted.
-  result.(AssignOperation).getAnOperand() = sink.asExpr()
-  or
-  result =
-    sink.asOperand()
-        .(SideEffectOperand)
-        .getUse()
-        .(ReadSideEffectInstruction)
-        .getArgumentDef()
-        .getUnconvertedResultExpression()
-}
+private import Cached
 
 /**
  * Holds if `tainted` may contain taint from `source`.
@@ -402,19 +429,7 @@ module TaintedWithPath {
         readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))
       )
       or
-      // Step to return value of a modeled function when an input taints the
-      // dereference of the return value
-      exists(CallInstruction call, Function func, FunctionInput modelIn, FunctionOutput modelOut |
-        n1.asOperand() = callInput(call, modelIn) and
-        (
-          func.(TaintFunction).hasTaintFlow(modelIn, modelOut)
-          or
-          func.(DataFlowFunction).hasDataFlow(modelIn, modelOut)
-        ) and
-        call.getStaticCallTarget() = func and
-        modelOut.isReturnValueDeref() and
-        call = n2.asInstruction()
-      )
+      additionalTaintStep(n1, n2)
     }
 
     override predicate isSanitizer(DataFlow::Node node) {
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
index e927634fec2..99d8555f8ca 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
@@ -2,11 +2,14 @@ private import cpp
 private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.ir.dataflow.DataFlow
 private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate
+private import DataFlowImplCommon as DataFlowImplCommon
 
 /**
  * Gets a function that might be called by `call`.
  */
+cached
 Function viableCallable(CallInstruction call) {
+  DataFlowImplCommon::forceCachingInSameStage() and
   result = call.getStaticCallTarget()
   or
   // If the target of the call does not have a body in the snapshot, it might
@@ -43,7 +46,6 @@ private module VirtualDispatch {
     abstract DataFlow::Node getDispatchValue();
 
     /** Gets a candidate target for this call. */
-    cached
     abstract Function resolve();
 
     /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
index f5fb7309cff..8ed61da4c92 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -12,10 +12,20 @@ private import semmle.code.cpp.controlflow.IRGuards
 private import semmle.code.cpp.models.interfaces.DataFlow
 
 cached
-private newtype TIRDataFlowNode =
-  TInstructionNode(Instruction i) or
-  TOperandNode(Operand op) or
-  TVariableNode(Variable var)
+private module Cached {
+  cached
+  newtype TIRDataFlowNode =
+    TInstructionNode(Instruction i) or
+    TOperandNode(Operand op) or
+    TVariableNode(Variable var)
+
+  cached
+  predicate localFlowStepCached(Node nodeFrom, Node nodeTo) {
+    simpleLocalFlowStep(nodeFrom, nodeTo)
+  }
+}
+
+private import Cached
 
 /**
  * A node in a data flow graph.
@@ -590,7 +600,7 @@ Node uninitializedNode(LocalVariable v) { none() }
  * Holds if data flows from `nodeFrom` to `nodeTo` in exactly one local
  * (intra-procedural) step.
  */
-predicate localFlowStep(Node nodeFrom, Node nodeTo) { simpleLocalFlowStep(nodeFrom, nodeTo) }
+predicate localFlowStep = localFlowStepCached/2;
 
 /**
  * INTERNAL: do not use.
@@ -598,7 +608,6 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) { simpleLocalFlowStep(nodeFr
  * This is the local flow predicate that's used as a building block in global
  * data flow. It may have less flow than the `localFlowStep` predicate.
  */
-cached
 predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
   // Operand -> Instruction flow
   simpleInstructionLocalFlowStep(nodeFrom.asOperand(), nodeTo.asInstruction())

From c35a2b959af56993a7cc659d09323a3328b62959 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Tue, 27 Apr 2021 11:37:17 +0200
Subject: [PATCH 0769/1429] Python: Update data-flow caching

---
 .../dataflow/new/internal/DataFlowPrivate.qll |  2 -
 .../new/internal/TaintTrackingPrivate.qll     | 62 ++++++++++---------
 2 files changed, 34 insertions(+), 30 deletions(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
index 9b0a8267270..a6640f41dc0 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
@@ -228,7 +228,6 @@ module EssaFlow {
  * data flow. It is a strict subset of the `localFlowStep` predicate, as it
  * excludes SSA flow through instance fields.
  */
-cached
 predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
   // If there is ESSA-flow out of a node `node`, we want flow
   // both out of `node` and any post-update node of `node`.
@@ -1559,7 +1558,6 @@ predicate kwUnpackReadStep(CfgNode nodeFrom, DictionaryElementContent c, Node no
  * any value stored inside `f` is cleared at the pre-update node associated with `x`
  * in `x.f = newValue`.
  */
-cached
 predicate clearsContent(Node n, Content c) {
   exists(CallNode call, CallableValue callable, string name |
     call_unpacks(call, _, callable, name, _) and
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll b/python/ql/src/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
index f12d97d2fa5..a6e169243db 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
@@ -9,36 +9,42 @@ private import semmle.python.dataflow.new.internal.TaintTrackingPublic
  */
 predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
 
-/**
- * Holds if the additional step from `nodeFrom` to `nodeTo` should be included in all
- * global taint flow configurations.
- */
-predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-  localAdditionalTaintStep(nodeFrom, nodeTo)
-  or
-  any(AdditionalTaintStep a).step(nodeFrom, nodeTo)
+private module Cached {
+  /**
+   * Holds if the additional step from `nodeFrom` to `nodeTo` should be included in all
+   * global taint flow configurations.
+   */
+  cached
+  predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    localAdditionalTaintStep(nodeFrom, nodeTo)
+    or
+    any(AdditionalTaintStep a).step(nodeFrom, nodeTo)
+  }
+
+  /**
+   * Holds if taint can flow in one local step from `nodeFrom` to `nodeTo` excluding
+   * local data flow steps. That is, `nodeFrom` and `nodeTo` are likely to represent
+   * different objects.
+   */
+  cached
+  predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    concatStep(nodeFrom, nodeTo)
+    or
+    subscriptStep(nodeFrom, nodeTo)
+    or
+    stringManipulation(nodeFrom, nodeTo)
+    or
+    containerStep(nodeFrom, nodeTo)
+    or
+    copyStep(nodeFrom, nodeTo)
+    or
+    forStep(nodeFrom, nodeTo)
+    or
+    unpackingAssignmentStep(nodeFrom, nodeTo)
+  }
 }
 
-/**
- * Holds if taint can flow in one local step from `nodeFrom` to `nodeTo` excluding
- * local data flow steps. That is, `nodeFrom` and `nodeTo` are likely to represent
- * different objects.
- */
-predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-  concatStep(nodeFrom, nodeTo)
-  or
-  subscriptStep(nodeFrom, nodeTo)
-  or
-  stringManipulation(nodeFrom, nodeTo)
-  or
-  containerStep(nodeFrom, nodeTo)
-  or
-  copyStep(nodeFrom, nodeTo)
-  or
-  forStep(nodeFrom, nodeTo)
-  or
-  unpackingAssignmentStep(nodeFrom, nodeTo)
-}
+import Cached
 
 /**
  * Holds if taint can flow from `nodeFrom` to `nodeTo` with a step related to concatenation.

From 058925cca91c23d3b52621f0084ffe888bf6a637 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Wed, 28 Apr 2021 16:50:08 +0200
Subject: [PATCH 0770/1429] C++: Do not inline `Dominance::hasMultiScopeNode`

---
 cpp/ql/src/semmle/code/cpp/controlflow/Dominance.qll | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cpp/ql/src/semmle/code/cpp/controlflow/Dominance.qll b/cpp/ql/src/semmle/code/cpp/controlflow/Dominance.qll
index 3abe68e0442..424e615f3ea 100644
--- a/cpp/ql/src/semmle/code/cpp/controlflow/Dominance.qll
+++ b/cpp/ql/src/semmle/code/cpp/controlflow/Dominance.qll
@@ -14,6 +14,7 @@ import cpp
  * In rare cases, the same node is used in multiple control-flow scopes. This
  * confuses the dominance analysis, so this predicate is used to exclude them.
  */
+pragma[noinline]
 private predicate hasMultiScopeNode(Function f) {
   exists(ControlFlowNode node |
     node.getControlFlowScope() = f and

From 16bde2729da08279d697c7a789bb1222ed5169c4 Mon Sep 17 00:00:00 2001
From: Rasmus Lerchedahl Petersen <yoff@github.com>
Date: Wed, 28 Apr 2021 17:02:24 +0200
Subject: [PATCH 0771/1429] Python: add flow from methods to calls

---
 python/ql/src/semmle/python/frameworks/Stdlib.qll    | 12 ++++++++----
 .../frameworks/stdlib/FileSystemAccess.py            |  3 +++
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index faab66347f0..07753e9fde5 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -922,7 +922,9 @@ private module Stdlib {
         or
         // method call
         returnsPath.getAttributeName() = pathlibPathMethod() and
-        nodeTo.(DataFlow::CallCfgNode).getFunction() = returnsPath
+        returnsPath
+            .(DataFlow::LocalSourceNode)
+            .flowsTo(nodeTo.(DataFlow::CallCfgNode).getFunction())
       ) and
       nodeFrom = returnsPath.getObject()
     )
@@ -987,7 +989,7 @@ private module Stdlib {
           "unlink", "link_to", "write_bytes", "write_text"
         ] and
       pathlibPath().flowsTo(fileAccess.getObject()) and
-      this.getFunction() = fileAccess
+      fileAccess.(DataFlow::LocalSourceNode).flowsTo(this.getFunction())
     }
 
     override DataFlow::Node getAPathArgument() { result = fileAccess.getObject() }
@@ -1022,7 +1024,9 @@ private module Stdlib {
         exists(DataFlow::AttrRead augmentsPath |
           augmentsPath.getAttributeName() = pathlibPathInjection()
         |
-          nodeTo.(DataFlow::CallCfgNode).getFunction() = augmentsPath and
+          augmentsPath
+              .(DataFlow::LocalSourceNode)
+              .flowsTo(nodeTo.(DataFlow::CallCfgNode).getFunction()) and
           (
             // type-preserving call
             nodeFrom = augmentsPath.getObject()
@@ -1042,7 +1046,7 @@ private module Stdlib {
         or
         // exporting method
         exportPath.getAttributeName() = pathlibPathMethodExport() and
-        nodeTo.(DataFlow::CallCfgNode).getFunction() = exportPath
+        exportPath.(DataFlow::LocalSourceNode).flowsTo(nodeTo.(DataFlow::CallCfgNode).getFunction())
       |
         nodeFrom = exportPath.getObject()
       )
diff --git a/python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py b/python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py
index 1703869d4f4..318fd086cf6 100644
--- a/python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py
+++ b/python/ql/test/library-tests/frameworks/stdlib/FileSystemAccess.py
@@ -34,3 +34,6 @@ p.write_bytes(b"hello")  # $getAPathArgument=p
 
 name = windows.parent.name
 o(name)  # $getAPathArgument=name
+
+wb = p.write_bytes
+wb(b"hello")  # $getAPathArgument=p

From dfd63e5d5afacf65d33f887c3adfb6328b84f30a Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 28 Apr 2021 18:52:00 +0200
Subject: [PATCH 0772/1429] track window object to where .location is read

---
 javascript/ql/src/semmle/javascript/DOM.qll            |  3 +++
 .../ClientSideUrlRedirect.expected                     | 10 ++++++++++
 .../Security/CWE-601/ClientSideUrlRedirect/tst.js      |  6 ++++++
 3 files changed, 19 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/DOM.qll b/javascript/ql/src/semmle/javascript/DOM.qll
index 73e06441b28..c3a55a9991b 100644
--- a/javascript/ql/src/semmle/javascript/DOM.qll
+++ b/javascript/ql/src/semmle/javascript/DOM.qll
@@ -469,6 +469,9 @@ module DOM {
     t.start() and
     result = locationSource()
     or
+    t.startInProp("location") and
+    result = [DataFlow::globalObjectRef(), documentSource()]
+    or
     exists(DataFlow::TypeTracker t2 | result = locationRef(t2).track(t2, t))
   }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
index 3d179602e22..e835fa95acc 100644
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
@@ -171,6 +171,11 @@ nodes
 | tst.js:22:34:22:50 | document.location |
 | tst.js:22:34:22:55 | documen ... on.href |
 | tst.js:22:34:22:55 | documen ... on.href |
+| tst.js:26:22:26:79 | new Reg ... n.href) |
+| tst.js:26:22:26:82 | new Reg ... ref)[1] |
+| tst.js:26:22:26:82 | new Reg ... ref)[1] |
+| tst.js:26:62:26:78 | win.location.href |
+| tst.js:26:62:26:78 | win.location.href |
 | typed.ts:4:13:4:36 | params |
 | typed.ts:4:22:4:36 | location.search |
 | typed.ts:4:22:4:36 | location.search |
@@ -337,6 +342,10 @@ edges
 | tst.js:22:34:22:50 | document.location | tst.js:22:34:22:55 | documen ... on.href |
 | tst.js:22:34:22:55 | documen ... on.href | tst.js:22:20:22:56 | indirec ... n.href) |
 | tst.js:22:34:22:55 | documen ... on.href | tst.js:22:20:22:56 | indirec ... n.href) |
+| tst.js:26:22:26:79 | new Reg ... n.href) | tst.js:26:22:26:82 | new Reg ... ref)[1] |
+| tst.js:26:22:26:79 | new Reg ... n.href) | tst.js:26:22:26:82 | new Reg ... ref)[1] |
+| tst.js:26:62:26:78 | win.location.href | tst.js:26:22:26:79 | new Reg ... n.href) |
+| tst.js:26:62:26:78 | win.location.href | tst.js:26:22:26:79 | new Reg ... n.href) |
 | typed.ts:4:13:4:36 | params | typed.ts:5:25:5:30 | params |
 | typed.ts:4:22:4:36 | location.search | typed.ts:4:13:4:36 | params |
 | typed.ts:4:22:4:36 | location.search | typed.ts:4:13:4:36 | params |
@@ -400,5 +409,6 @@ edges
 | tst.js:18:19:18:84 | new Reg ... ref)[1] | tst.js:18:59:18:80 | documen ... on.href | tst.js:18:19:18:84 | new Reg ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:18:59:18:80 | documen ... on.href | user-provided value |
 | tst.js:22:20:22:59 | indirec ... ref)[1] | tst.js:22:34:22:50 | document.location | tst.js:22:20:22:59 | indirec ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:22:34:22:50 | document.location | user-provided value |
 | tst.js:22:20:22:59 | indirec ... ref)[1] | tst.js:22:34:22:55 | documen ... on.href | tst.js:22:20:22:59 | indirec ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:22:34:22:55 | documen ... on.href | user-provided value |
+| tst.js:26:22:26:82 | new Reg ... ref)[1] | tst.js:26:62:26:78 | win.location.href | tst.js:26:22:26:82 | new Reg ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:26:62:26:78 | win.location.href | user-provided value |
 | typed.ts:8:33:8:43 | redirectUri | typed.ts:4:22:4:36 | location.search | typed.ts:8:33:8:43 | redirectUri | Untrusted URL redirection due to $@. | typed.ts:4:22:4:36 | location.search | user-provided value |
 | typed.ts:29:33:29:43 | redirectUri | typed.ts:25:25:25:34 | loc.search | typed.ts:29:33:29:43 | redirectUri | Untrusted URL redirection due to $@. | typed.ts:25:25:25:34 | loc.search | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst.js b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst.js
index 7994c1e3558..8f426918c54 100644
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst.js
@@ -21,3 +21,9 @@ window.location = new RegExp(/.*redirect=([^&]*).*/).exec(document.location.href
 	var indirect = new RegExp(/.*redirect=([^&]*).*/)
 	window.location = indirect.exec(document.location.href)[1];
 });
+
+function foo(win) {
+	win.location.assign(new RegExp(/.*redirect=([^&]*).*/).exec(win.location.href)[1]); // NOT OK
+}
+
+foo(window);
\ No newline at end of file

From a8865e2fa27d07635a5a6f14f74a653b33b72021 Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Wed, 28 Apr 2021 20:46:09 +0200
Subject: [PATCH 0773/1429] Java: Cleanup jwt stubs.

---
 .../io/jsonwebtoken/ClaimJwtException.java    |   15 +-
 .../io/jsonwebtoken/Claims.java               |  148 ---
 .../io/jsonwebtoken/ClaimsMutator.java        |   72 --
 .../io/jsonwebtoken/Clock.java                |   33 -
 .../io/jsonwebtoken/CompressionCodec.java     |   55 -
 .../CompressionCodecResolver.java             |   46 -
 .../io/jsonwebtoken/CompressionCodecs.java    |   49 -
 .../io/jsonwebtoken/CompressionException.java |   33 -
 .../io/jsonwebtoken/Header.java               |   91 --
 .../jsonwebtoken/IncorrectClaimException.java |   33 -
 .../jsonwebtoken/InvalidClaimException.java   |   55 -
 .../jwtk-jjwt-0.11.2/io/jsonwebtoken/Jws.java |    5 +-
 .../io/jsonwebtoken/JwsHeader.java            |   81 --
 .../jwtk-jjwt-0.11.2/io/jsonwebtoken/Jwt.java |    8 -
 .../io/jsonwebtoken/JwtBuilder.java           |  530 --------
 .../io/jsonwebtoken/JwtParser.java            |  253 ----
 .../io/jsonwebtoken/JwtParserBuilder.java     |  166 ---
 .../io/jsonwebtoken/Jwts.java                 |   81 +-
 .../jsonwebtoken/MissingClaimException.java   |   32 -
 .../jsonwebtoken/PrematureJwtException.java   |   39 -
 .../jsonwebtoken/RequiredTypeException.java   |   32 -
 .../io/jsonwebtoken/SignatureAlgorithm.java   |  655 ----------
 .../io/jsonwebtoken/SigningKeyResolver.java   |   21 -
 .../SigningKeyResolverAdapter.java            |   99 --
 .../jsonwebtoken/impl/DefaultJwtParser.java   |  125 +-
 .../impl/crypto/JwtSignatureValidator.java    |   21 -
 .../io/jsonwebtoken/io/Base64.java            |  680 ----------
 .../io/jsonwebtoken/io/Base64Decoder.java     |   38 -
 .../io/jsonwebtoken/io/Base64Encoder.java     |   38 -
 .../io/jsonwebtoken/io/Base64Support.java     |   31 -
 .../io/jsonwebtoken/io/Base64UrlDecoder.java  |   26 -
 .../io/jsonwebtoken/io/Base64UrlEncoder.java  |   26 -
 .../io/jsonwebtoken/io/CodecException.java    |   30 -
 .../io/jsonwebtoken/io/Decoder.java           |   24 -
 .../io/jsonwebtoken/io/Decoders.java          |   28 -
 .../io/jsonwebtoken/io/DecodingException.java |   30 -
 .../io/DeserializationException.java          |   30 -
 .../io/jsonwebtoken/io/Deserializer.java      |   24 -
 .../io/jsonwebtoken/io/Encoder.java           |   24 -
 .../io/jsonwebtoken/io/Encoders.java          |   28 -
 .../io/jsonwebtoken/io/EncodingException.java |   26 -
 .../io/ExceptionPropagatingDecoder.java       |   44 -
 .../io/ExceptionPropagatingEncoder.java       |   44 -
 .../io/jsonwebtoken/io/IOException.java       |   32 -
 .../io/jsonwebtoken/io/SerialException.java   |   30 -
 .../io/SerializationException.java            |   30 -
 .../io/jsonwebtoken/io/Serializer.java        |   25 -
 .../io/jsonwebtoken/lang/Arrays.java          |   32 -
 .../io/jsonwebtoken/lang/Assert.java          |  377 ------
 .../io/jsonwebtoken/lang/Classes.java         |  254 ----
 .../io/jsonwebtoken/lang/Collections.java     |  365 ------
 .../io/jsonwebtoken/lang/DateFormats.java     |   70 -
 .../lang/InstantiationException.java          |   26 -
 .../io/jsonwebtoken/lang/Maps.java            |   87 --
 .../io/jsonwebtoken/lang/Objects.java         |  927 -------------
 .../jsonwebtoken/lang/RuntimeEnvironment.java |   65 -
 .../io/jsonwebtoken/lang/Strings.java         | 1147 -----------------
 .../lang/UnknownClassException.java           |   64 -
 .../security/InvalidKeyException.java         |   26 -
 .../jsonwebtoken/security/KeyException.java   |   26 -
 .../io/jsonwebtoken/security/Keys.java        |  231 ----
 .../security/SignatureException.java          |   30 -
 .../security/WeakKeyException.java            |   26 -
 63 files changed, 6 insertions(+), 7813 deletions(-)
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Clock.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodec.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodecResolver.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodecs.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionException.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/IncorrectClaimException.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/InvalidClaimException.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtBuilder.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/MissingClaimException.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/PrematureJwtException.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/RequiredTypeException.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SignatureAlgorithm.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SigningKeyResolverAdapter.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/impl/crypto/JwtSignatureValidator.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Decoder.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Encoder.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Support.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64UrlDecoder.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64UrlEncoder.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/CodecException.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Decoder.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Decoders.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/DecodingException.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/DeserializationException.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Deserializer.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Encoder.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Encoders.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/EncodingException.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/ExceptionPropagatingDecoder.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/ExceptionPropagatingEncoder.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/IOException.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/SerialException.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/SerializationException.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Serializer.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Arrays.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Assert.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Classes.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Collections.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/DateFormats.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/InstantiationException.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Maps.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Objects.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/RuntimeEnvironment.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Strings.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/UnknownClassException.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/InvalidKeyException.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/KeyException.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/Keys.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/SignatureException.java
 delete mode 100644 java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/WeakKeyException.java

diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/ClaimJwtException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/ClaimJwtException.java
index bb7c81fd550..af003d48a65 100644
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/ClaimJwtException.java
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/ClaimJwtException.java
@@ -22,30 +22,19 @@ package io.jsonwebtoken;
  */
 public abstract class ClaimJwtException extends JwtException {
 
-    public static final String INCORRECT_EXPECTED_CLAIM_MESSAGE_TEMPLATE = "Expected %s claim to be: %s, but was: %s.";
-    public static final String MISSING_EXPECTED_CLAIM_MESSAGE_TEMPLATE = "Expected %s claim to be: %s, but was not present in the JWT claims.";
-
-    private final Header header;
-
-    private final Claims claims;
-
     protected ClaimJwtException(Header header, Claims claims, String message) {
         super(message);
-        this.header = header;
-        this.claims = claims;
     }
 
     protected ClaimJwtException(Header header, Claims claims, String message, Throwable cause) {
         super(message, cause);
-        this.header = header;
-        this.claims = claims;
     }
 
     public Claims getClaims() {
-        return claims;
+        return null;
     }
 
     public Header getHeader() {
-        return header;
+        return null;
     }
 }
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Claims.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Claims.java
index b5a404fb988..e1fab7582bf 100644
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Claims.java
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Claims.java
@@ -40,152 +40,4 @@ import java.util.Map;
  */
 public interface Claims extends Map<String, Object>, ClaimsMutator<Claims> {
 
-    /** JWT {@code Issuer} claims parameter name: <code>"iss"</code> */
-    public static final String ISSUER = "iss";
-
-    /** JWT {@code Subject} claims parameter name: <code>"sub"</code> */
-    public static final String SUBJECT = "sub";
-
-    /** JWT {@code Audience} claims parameter name: <code>"aud"</code> */
-    public static final String AUDIENCE = "aud";
-
-    /** JWT {@code Expiration} claims parameter name: <code>"exp"</code> */
-    public static final String EXPIRATION = "exp";
-
-    /** JWT {@code Not Before} claims parameter name: <code>"nbf"</code> */
-    public static final String NOT_BEFORE = "nbf";
-
-    /** JWT {@code Issued At} claims parameter name: <code>"iat"</code> */
-    public static final String ISSUED_AT = "iat";
-
-    /** JWT {@code JWT ID} claims parameter name: <code>"jti"</code> */
-    public static final String ID = "jti";
-
-    /**
-     * Returns the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.1">
-     * <code>iss</code></a> (issuer) value or {@code null} if not present.
-     *
-     * @return the JWT {@code iss} value or {@code null} if not present.
-     */
-    String getIssuer();
-
-    /**
-     * {@inheritDoc}
-     */
-    @Override //only for better/targeted JavaDoc
-    Claims setIssuer(String iss);
-
-    /**
-     * Returns the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.2">
-     * <code>sub</code></a> (subject) value or {@code null} if not present.
-     *
-     * @return the JWT {@code sub} value or {@code null} if not present.
-     */
-    String getSubject();
-
-    /**
-     * {@inheritDoc}
-     */
-    @Override //only for better/targeted JavaDoc
-    Claims setSubject(String sub);
-
-    /**
-     * Returns the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.3">
-     * <code>aud</code></a> (audience) value or {@code null} if not present.
-     *
-     * @return the JWT {@code aud} value or {@code null} if not present.
-     */
-    String getAudience();
-
-    /**
-     * {@inheritDoc}
-     */
-    @Override //only for better/targeted JavaDoc
-    Claims setAudience(String aud);
-
-    /**
-     * Returns the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.4">
-     * <code>exp</code></a> (expiration) timestamp or {@code null} if not present.
-     *
-     * <p>A JWT obtained after this timestamp should not be used.</p>
-     *
-     * @return the JWT {@code exp} value or {@code null} if not present.
-     */
-    Date getExpiration();
-
-    /**
-     * {@inheritDoc}
-     */
-    @Override //only for better/targeted JavaDoc
-    Claims setExpiration(Date exp);
-
-    /**
-     * Returns the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.5">
-     * <code>nbf</code></a> (not before) timestamp or {@code null} if not present.
-     *
-     * <p>A JWT obtained before this timestamp should not be used.</p>
-     *
-     * @return the JWT {@code nbf} value or {@code null} if not present.
-     */
-    Date getNotBefore();
-
-    /**
-     * {@inheritDoc}
-     */
-    @Override //only for better/targeted JavaDoc
-    Claims setNotBefore(Date nbf);
-
-    /**
-     * Returns the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.6">
-     * <code>iat</code></a> (issued at) timestamp or {@code null} if not present.
-     *
-     * <p>If present, this value is the timestamp when the JWT was created.</p>
-     *
-     * @return the JWT {@code iat} value or {@code null} if not present.
-     */
-    Date getIssuedAt();
-
-    /**
-     * {@inheritDoc}
-     */
-    @Override //only for better/targeted JavaDoc
-    Claims setIssuedAt(Date iat);
-
-    /**
-     * Returns the JWTs <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.7">
-     * <code>jti</code></a> (JWT ID) value or {@code null} if not present.
-     *
-     * <p>This value is a CaSe-SenSiTiVe unique identifier for the JWT. If available, this value is expected to be
-     * assigned in a manner that ensures that there is a negligible probability that the same value will be
-     * accidentally
-     * assigned to a different data object.  The ID can be used to prevent the JWT from being replayed.</p>
-     *
-     * @return the JWT {@code jti} value or {@code null} if not present.
-     */
-    String getId();
-
-    /**
-     * {@inheritDoc}
-     */
-    @Override //only for better/targeted JavaDoc
-    Claims setId(String jti);
-
-    /**
-     * Returns the JWTs claim ({@code claimName}) value as a type {@code requiredType}, or {@code null} if not present.
-     *
-     * <p>JJWT only converts simple String, Date, Long, Integer, Short and Byte types automatically. Anything more
-     * complex is expected to be already converted to your desired type by the JSON
-     * {@link io.jsonwebtoken.io.Deserializer Deserializer} implementation. You may specify a custom Deserializer for a
-     * JwtParser with the desired conversion configuration via the {@link JwtParserBuilder#deserializeJsonWith} method.
-     * See <a href="https://github.com/jwtk/jjwt#custom-json-processor">custom JSON processor</a></a> for more
-     * information. If using Jackson, you can specify custom claim POJO types as described in
-     * <a href="https://github.com/jwtk/jjwt#json-jackson-custom-types">custom claim types</a>.
-     *
-     * @param claimName name of claim
-     * @param requiredType the type of the value expected to be returned
-     * @param <T> the type of the value expected to be returned
-     * @return the JWT {@code claimName} value or {@code null} if not present.
-     * @throws RequiredTypeException throw if the claim value is not null and not of type {@code requiredType}
-     */
-    <T> T get(String claimName, Class<T> requiredType);
 }
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/ClaimsMutator.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/ClaimsMutator.java
index 66528d8ffab..1fda02c2b4d 100644
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/ClaimsMutator.java
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/ClaimsMutator.java
@@ -27,76 +27,4 @@ import java.util.Date;
  */
 public interface ClaimsMutator<T extends ClaimsMutator> {
 
-    /**
-     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.1">
-     * <code>iss</code></a> (issuer) value.  A {@code null} value will remove the property from the JSON map.
-     *
-     * @param iss the JWT {@code iss} value or {@code null} to remove the property from the JSON map.
-     * @return the {@code Claims} instance for method chaining.
-     */
-    T setIssuer(String iss);
-
-    /**
-     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.2">
-     * <code>sub</code></a> (subject) value.  A {@code null} value will remove the property from the JSON map.
-     *
-     * @param sub the JWT {@code sub} value or {@code null} to remove the property from the JSON map.
-     * @return the {@code Claims} instance for method chaining.
-     */
-    T setSubject(String sub);
-
-    /**
-     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.3">
-     * <code>aud</code></a> (audience) value.  A {@code null} value will remove the property from the JSON map.
-     *
-     * @param aud the JWT {@code aud} value or {@code null} to remove the property from the JSON map.
-     * @return the {@code Claims} instance for method chaining.
-     */
-    T setAudience(String aud);
-
-    /**
-     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.4">
-     * <code>exp</code></a> (expiration) timestamp.  A {@code null} value will remove the property from the JSON map.
-     *
-     * <p>A JWT obtained after this timestamp should not be used.</p>
-     *
-     * @param exp the JWT {@code exp} value or {@code null} to remove the property from the JSON map.
-     * @return the {@code Claims} instance for method chaining.
-     */
-    T setExpiration(Date exp);
-
-    /**
-     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.5">
-     * <code>nbf</code></a> (not before) timestamp.  A {@code null} value will remove the property from the JSON map.
-     *
-     * <p>A JWT obtained before this timestamp should not be used.</p>
-     *
-     * @param nbf the JWT {@code nbf} value or {@code null} to remove the property from the JSON map.
-     * @return the {@code Claims} instance for method chaining.
-     */
-    T setNotBefore(Date nbf);
-
-    /**
-     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.6">
-     * <code>iat</code></a> (issued at) timestamp.  A {@code null} value will remove the property from the JSON map.
-     *
-     * <p>The value is the timestamp when the JWT was created.</p>
-     *
-     * @param iat the JWT {@code iat} value or {@code null} to remove the property from the JSON map.
-     * @return the {@code Claims} instance for method chaining.
-     */
-    T setIssuedAt(Date iat);
-
-    /**
-     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.7">
-     * <code>jti</code></a> (JWT ID) value.  A {@code null} value will remove the property from the JSON map.
-     *
-     * <p>This value is a CaSe-SenSiTiVe unique identifier for the JWT. If specified, this value MUST be assigned in a
-     * manner that ensures that there is a negligible probability that the same value will be accidentally
-     * assigned to a different data object.  The ID can be used to prevent the JWT from being replayed.</p>
-     *
-     * @param jti the JWT {@code jti} value or {@code null} to remove the property from the JSON map.
-     * @return the {@code Claims} instance for method chaining.
-     */
-    T setId(String jti);
 }
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Clock.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Clock.java
deleted file mode 100644
index 584dd605f0b..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Clock.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken;
-
-import java.util.Date;
-
-/**
- * A clock represents a time source that can be used when creating and verifying JWTs.
- *
- * @since 0.7.0
- */
-public interface Clock {
-
-    /**
-     * Returns the clock's current timestamp at the instant the method is invoked.
-     *
-     * @return the clock's current timestamp at the instant the method is invoked.
-     */
-    Date now();
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodec.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodec.java
deleted file mode 100644
index 47e54761e19..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodec.java
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) 2015 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken;
-
-/**
- * Compresses and decompresses byte arrays according to a compression algorithm.
- *
- * @see CompressionCodecs#DEFLATE
- * @see CompressionCodecs#GZIP
- * @since 0.6.0
- */
-public interface CompressionCodec {
-
-    /**
-     * The compression algorithm name to use as the JWT's {@code zip} header value.
-     *
-     * @return the compression algorithm name to use as the JWT's {@code zip} header value.
-     */
-    String getAlgorithmName();
-
-    /**
-     * Compresses the specified byte array according to the compression {@link #getAlgorithmName() algorithm}.
-     *
-     * @param payload bytes to compress
-     * @return compressed bytes
-     * @throws CompressionException if the specified byte array cannot be compressed according to the compression
-     *                              {@link #getAlgorithmName() algorithm}.
-     */
-    byte[] compress(byte[] payload) throws CompressionException;
-
-    /**
-     * Decompresses the specified compressed byte array according to the compression
-     * {@link #getAlgorithmName() algorithm}.  The specified byte array must already be in compressed form
-     * according to the {@link #getAlgorithmName() algorithm}.
-     *
-     * @param compressed compressed bytes
-     * @return decompressed bytes
-     * @throws CompressionException if the specified byte array cannot be decompressed according to the compression
-     *                              {@link #getAlgorithmName() algorithm}.
-     */
-    byte[] decompress(byte[] compressed) throws CompressionException;
-}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodecResolver.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodecResolver.java
deleted file mode 100644
index 50ebe08fc62..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodecResolver.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (C) 2015 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken;
-
-/**
- * Looks for a JWT {@code zip} header, and if found, returns the corresponding {@link CompressionCodec} the parser
- * can use to decompress the JWT body.
- *
- * <p>JJWT's default {@link JwtParser} implementation supports both the
- * {@link CompressionCodecs#DEFLATE DEFLATE}
- * and {@link CompressionCodecs#GZIP GZIP} algorithms by default - you do not need to
- * specify a {@code CompressionCodecResolver} in these cases.</p>
- *
- * <p>However, if you want to use a compression algorithm other than {@code DEF} or {@code GZIP}, you must implement
- * your own {@link CompressionCodecResolver} and specify that when
- * {@link io.jsonwebtoken.JwtBuilder#compressWith(CompressionCodec) building} and
- * {@link io.jsonwebtoken.JwtParser#setCompressionCodecResolver(CompressionCodecResolver) parsing} JWTs.</p>
- *
- * @since 0.6.0
- */
-public interface CompressionCodecResolver {
-
-    /**
-     * Looks for a JWT {@code zip} header, and if found, returns the corresponding {@link CompressionCodec} the parser
-     * can use to decompress the JWT body.
-     *
-     * @param header of the JWT
-     * @return CompressionCodec matching the {@code zip} header, or null if there is no {@code zip} header.
-     * @throws CompressionException if a {@code zip} header value is found and not supported.
-     */
-    CompressionCodec resolveCompressionCodec(Header header) throws CompressionException;
-
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodecs.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodecs.java
deleted file mode 100644
index 71c2e8bb55e..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionCodecs.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken;
-
-import io.jsonwebtoken.lang.Classes;
-
-/**
- * Provides default implementations of the {@link CompressionCodec} interface.
- *
- * @see #DEFLATE
- * @see #GZIP
- * @since 0.7.0
- */
-public final class CompressionCodecs {
-
-    private CompressionCodecs() {
-    } //prevent external instantiation
-
-    /**
-     * Codec implementing the <a href="https://tools.ietf.org/html/rfc7518">JWA</a> standard
-     * <a href="https://en.wikipedia.org/wiki/DEFLATE">deflate</a> compression algorithm
-     */
-    public static final CompressionCodec DEFLATE =
-        Classes.newInstance("io.jsonwebtoken.impl.compression.DeflateCompressionCodec");
-
-    /**
-     * Codec implementing the <a href="https://en.wikipedia.org/wiki/Gzip">gzip</a> compression algorithm.
-     * <h3>Compatibility Warning</h3>
-     * <p><b>This is not a standard JWA compression algorithm</b>.  Be sure to use this only when you are confident
-     * that all parties accessing the token support the gzip algorithm.</p>
-     * <p>If you're concerned about compatibility, the {@link #DEFLATE DEFLATE} code is JWA standards-compliant.</p>
-     */
-    public static final CompressionCodec GZIP =
-        Classes.newInstance("io.jsonwebtoken.impl.compression.GzipCompressionCodec");
-
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionException.java
deleted file mode 100644
index 287ccfb01ae..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/CompressionException.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2015 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken;
-
-/**
- * Exception indicating that either compressing or decompressing an JWT body failed.
- *
- * @since 0.6.0
- */
-public class CompressionException extends JwtException {
-
-    public CompressionException(String message) {
-        super(message);
-    }
-
-    public CompressionException(String message, Throwable cause) {
-        super(message, cause);
-    }
-
-}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Header.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Header.java
index 589af0d55d8..f25935ebe17 100644
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Header.java
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Header.java
@@ -38,95 +38,4 @@ import java.util.Map;
  * @since 0.1
  */
 public interface Header<T extends Header<T>> extends Map<String,Object> {
-
-    /** JWT {@code Type} (typ) value: <code>"JWT"</code> */
-    public static final String JWT_TYPE = "JWT";
-
-    /** JWT {@code Type} header parameter name: <code>"typ"</code> */
-    public static final String TYPE = "typ";
-
-    /** JWT {@code Content Type} header parameter name: <code>"cty"</code> */
-    public static final String CONTENT_TYPE = "cty";
-
-    /** JWT {@code Compression Algorithm} header parameter name: <code>"zip"</code> */
-    public static final String COMPRESSION_ALGORITHM = "zip";
-
-    /** JJWT legacy/deprecated compression algorithm header parameter name: <code>"calg"</code>
-     * @deprecated use {@link #COMPRESSION_ALGORITHM} instead. */
-    @Deprecated
-    public static final String DEPRECATED_COMPRESSION_ALGORITHM = "calg";
-
-    /**
-     * Returns the <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-5.1">
-     * <code>typ</code></a> (type) header value or {@code null} if not present.
-     *
-     * @return the {@code typ} header value or {@code null} if not present.
-     */
-    String getType();
-
-    /**
-     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-5.1">
-     * <code>typ</code></a> (Type) header value.  A {@code null} value will remove the property from the JSON map.
-     *
-     * @param typ the JWT JOSE {@code typ} header value or {@code null} to remove the property from the JSON map.
-     * @return the {@code Header} instance for method chaining.
-     */
-    T setType(String typ);
-
-    /**
-     * Returns the <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-5.2">
-     * <code>cty</code></a> (Content Type) header value or {@code null} if not present.
-     *
-     * <p>In the normal case where nested signing or encryption operations are not employed (i.e. a compact
-     * serialization JWT), the use of this header parameter is NOT RECOMMENDED.  In the case that nested
-     * signing or encryption is employed, this Header Parameter MUST be present; in this case, the value MUST be
-     * {@code JWT}, to indicate that a Nested JWT is carried in this JWT.  While media type names are not
-     * case-sensitive, it is RECOMMENDED that {@code JWT} always be spelled using uppercase characters for
-     * compatibility with legacy implementations.  See
-     * <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#appendix-A.2">JWT Appendix A.2</a> for
-     * an example of a Nested JWT.</p>
-     *
-     * @return the {@code typ} header parameter value or {@code null} if not present.
-     */
-    String getContentType();
-
-    /**
-     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-5.2">
-     * <code>cty</code></a> (Content Type) header parameter value.  A {@code null} value will remove the property from
-     * the JSON map.
-     *
-     * <p>In the normal case where nested signing or encryption operations are not employed (i.e. a compact
-     * serialization JWT), the use of this header parameter is NOT RECOMMENDED.  In the case that nested
-     * signing or encryption is employed, this Header Parameter MUST be present; in this case, the value MUST be
-     * {@code JWT}, to indicate that a Nested JWT is carried in this JWT.  While media type names are not
-     * case-sensitive, it is RECOMMENDED that {@code JWT} always be spelled using uppercase characters for
-     * compatibility with legacy implementations.  See
-     * <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#appendix-A.2">JWT Appendix A.2</a> for
-     * an example of a Nested JWT.</p>
-     *
-     * @param cty the JWT JOSE {@code cty} header value or {@code null} to remove the property from the JSON map.
-     */
-    T setContentType(String cty);
-
-    /**
-     * Returns the JWT <code>zip</code> (Compression Algorithm) header value or {@code null} if not present.
-     *
-     * @return the {@code zip} header parameter value or {@code null} if not present.
-     * @since 0.6.0
-     */
-    String getCompressionAlgorithm();
-
-    /**
-     * Sets the JWT <code>zip</code> (Compression Algorithm) header parameter value. A {@code null} value will remove
-     * the property from the JSON map.
-     * <p>
-     * <p>The compression algorithm is NOT part of the <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25">JWT specification</a>
-     * and must be used carefully since, is not expected that other libraries (including previous versions of this one)
-     * be able to deserialize a compressed JTW body correctly. </p>
-     *
-     * @param zip the JWT compression algorithm {@code zip} value or {@code null} to remove the property from the JSON map.
-     * @since 0.6.0
-     */
-    T setCompressionAlgorithm(String zip);
-
 }
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/IncorrectClaimException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/IncorrectClaimException.java
deleted file mode 100644
index df68fe1e697..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/IncorrectClaimException.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2015 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken;
-
-/**
- * Exception thrown when discovering that a required claim does not equal the required value, indicating the JWT is
- * invalid and may not be used.
- *
- * @since 0.6
- */
-public class IncorrectClaimException extends InvalidClaimException {
-
-    public IncorrectClaimException(Header header, Claims claims, String message) {
-        super(header, claims, message);
-    }
-
-    public IncorrectClaimException(Header header, Claims claims, String message, Throwable cause) {
-        super(header, claims, message, cause);
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/InvalidClaimException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/InvalidClaimException.java
deleted file mode 100644
index fbca6cabeeb..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/InvalidClaimException.java
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) 2015 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken;
-
-/**
- * Exception indicating a parsed claim is invalid in some way.  Subclasses reflect the specific
- * reason the claim is invalid.
- *
- * @see IncorrectClaimException
- * @see MissingClaimException
- *
- * @since 0.6
- */
-public class InvalidClaimException extends ClaimJwtException {
-
-    private String claimName;
-    private Object claimValue;
-
-    protected InvalidClaimException(Header header, Claims claims, String message) {
-        super(header, claims, message);
-    }
-
-    protected InvalidClaimException(Header header, Claims claims, String message, Throwable cause) {
-        super(header, claims, message, cause);
-    }
-
-    public String getClaimName() {
-        return claimName;
-    }
-
-    public void setClaimName(String claimName) {
-        this.claimName = claimName;
-    }
-
-    public Object getClaimValue() {
-        return claimValue;
-    }
-
-    public void setClaimValue(Object claimValue) {
-        this.claimValue = claimValue;
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jws.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jws.java
index 1be5fb39018..2fbdd2d6183 100644
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jws.java
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jws.java
@@ -20,9 +20,6 @@ package io.jsonwebtoken;
  *
  * @param <B> the type of the JWS body contents, either a String or a {@link Claims} instance.
  *
- * @since 0.1
- */
+ * @since 0.1 */
 public interface Jws<B> extends Jwt<JwsHeader,B> {
-
-    String getSignature();
 }
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwsHeader.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwsHeader.java
index aaf08d86b93..3a07b66720d 100644
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwsHeader.java
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwsHeader.java
@@ -23,85 +23,4 @@ package io.jsonwebtoken;
  */
 public interface JwsHeader<T extends JwsHeader<T>> extends Header<T> {
 
-    /** JWS {@code Algorithm} header parameter name: <code>"alg"</code> */
-    public static final String ALGORITHM = "alg";
-
-    /** JWS {@code JWT Set URL} header parameter name: <code>"jku"</code> */
-    public static final String JWK_SET_URL = "jku";
-
-    /** JWS {@code JSON Web Key} header parameter name: <code>"jwk"</code> */
-    public static final String JSON_WEB_KEY = "jwk";
-
-    /** JWS {@code Key ID} header parameter name: <code>"kid"</code> */
-    public static final String KEY_ID = "kid";
-
-    /** JWS {@code X.509 URL} header parameter name: <code>"x5u"</code> */
-    public static final String X509_URL = "x5u";
-
-    /** JWS {@code X.509 Certificate Chain} header parameter name: <code>"x5c"</code> */
-    public static final String X509_CERT_CHAIN = "x5c";
-
-    /** JWS {@code X.509 Certificate SHA-1 Thumbprint} header parameter name: <code>"x5t"</code> */
-    public static final String X509_CERT_SHA1_THUMBPRINT = "x5t";
-
-    /** JWS {@code X.509 Certificate SHA-256 Thumbprint} header parameter name: <code>"x5t#S256"</code> */
-    public static final String X509_CERT_SHA256_THUMBPRINT = "x5t#S256";
-
-    /** JWS {@code Critical} header parameter name: <code>"crit"</code> */
-    public static final String CRITICAL = "crit";
-
-    /**
-     * Returns the JWS <a href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31#section-4.1.1">
-     * <code>alg</code></a> (algorithm) header value or {@code null} if not present.
-     *
-     * <p>The algorithm header parameter identifies the cryptographic algorithm used to secure the JWS.  Consider
-     * using {@link io.jsonwebtoken.SignatureAlgorithm#forName(String) SignatureAlgorithm.forName} to convert this
-     * string value to a type-safe enum instance.</p>
-     *
-     * @return the JWS {@code alg} header value or {@code null} if not present.  This will always be
-     * {@code non-null} on validly constructed JWS instances, but could be {@code null} during construction.
-     */
-    String getAlgorithm();
-
-    /**
-     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31#section-4.1.1">
-     * <code>alg</code></a> (Algorithm) header value.  A {@code null} value will remove the property from the JSON map.
-     *
-     * <p>The algorithm header parameter identifies the cryptographic algorithm used to secure the JWS.  Consider
-     * using a type-safe {@link io.jsonwebtoken.SignatureAlgorithm SignatureAlgorithm} instance and using its
-     * {@link io.jsonwebtoken.SignatureAlgorithm#getValue() value} as the argument to this method.</p>
-     *
-     * @param alg the JWS {@code alg} header value or {@code null} to remove the property from the JSON map.
-     * @return the {@code Header} instance for method chaining.
-     */
-    T setAlgorithm(String alg);
-
-    /**
-     * Returns the JWS <a href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31#section-4.1.4">
-     * <code>kid</code></a> (Key ID) header value or {@code null} if not present.
-     *
-     * <p>The keyId header parameter is a hint indicating which key was used to secure the JWS.  This parameter allows
-     * originators to explicitly signal a change of key to recipients.  The structure of the keyId value is
-     * unspecified.</p>
-     *
-     * <p>When used with a JWK, the keyId value is used to match a JWK {@code keyId} parameter value.</p>
-     *
-     * @return the JWS {@code kid} header value or {@code null} if not present.
-     */
-    String getKeyId();
-
-    /**
-     * Sets the JWT <a href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-31#section-4.1.4">
-     * <code>kid</code></a> (Key ID) header value.  A {@code null} value will remove the property from the JSON map.
-     *
-     * <p>The keyId header parameter is a hint indicating which key was used to secure the JWS.  This parameter allows
-     * originators to explicitly signal a change of key to recipients.  The structure of the keyId value is
-     * unspecified.</p>
-     *
-     * <p>When used with a JWK, the keyId value is used to match a JWK {@code keyId} parameter value.</p>
-     *
-     * @param kid the JWS {@code kid} header value or {@code null} to remove the property from the JSON map.
-     * @return the {@code Header} instance for method chaining.
-     */
-    T setKeyId(String kid);
 }
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jwt.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jwt.java
index 1de5c6e3141..0d27328b329 100644
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jwt.java
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jwt.java
@@ -23,14 +23,6 @@ package io.jsonwebtoken;
  * @since 0.1
  */
 public interface Jwt<H extends Header, B> {
-
-    /**
-     * Returns the JWT {@link Header} or {@code null} if not present.
-     *
-     * @return the JWT {@link Header} or {@code null} if not present.
-     */
-    H getHeader();
-
     /**
      * Returns the JWT body, either a {@code String} or a {@code Claims} instance.
      *
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtBuilder.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtBuilder.java
deleted file mode 100644
index 02da2be2fa5..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtBuilder.java
+++ /dev/null
@@ -1,530 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken;
-
-import io.jsonwebtoken.io.Decoder;
-import io.jsonwebtoken.io.Decoders;
-import io.jsonwebtoken.io.Encoder;
-import io.jsonwebtoken.io.Serializer;
-import io.jsonwebtoken.security.InvalidKeyException;
-import io.jsonwebtoken.security.Keys;
-import java.security.Key;
-import java.util.Date;
-import java.util.Map;
-
-/**
- * A builder for constructing JWTs.
- *
- * @since 0.1
- */
-public interface JwtBuilder extends ClaimsMutator<JwtBuilder> {
-
-    //replaces any existing header with the specified header.
-
-    /**
-     * Sets (and replaces) any existing header with the specified header.  If you do not want to replace the existing
-     * header and only want to append to it, use the {@link #setHeaderParams(java.util.Map)} method instead.
-     *
-     * @param header the header to set (and potentially replace any existing header).
-     * @return the builder for method chaining.
-     */
-    JwtBuilder setHeader(Header header);
-
-    /**
-     * Sets (and replaces) any existing header with the specified header.  If you do not want to replace the existing
-     * header and only want to append to it, use the {@link #setHeaderParams(java.util.Map)} method instead.
-     *
-     * @param header the header to set (and potentially replace any existing header).
-     * @return the builder for method chaining.
-     */
-    JwtBuilder setHeader(Map<String, Object> header);
-
-    /**
-     * Applies the specified name/value pairs to the header.  If a header does not yet exist at the time this method
-     * is called, one will be created automatically before applying the name/value pairs.
-     *
-     * @param params the header name/value pairs to append to the header.
-     * @return the builder for method chaining.
-     */
-    JwtBuilder setHeaderParams(Map<String, Object> params);
-
-    //sets the specified header parameter, overwriting any previous value under the same name.
-
-    /**
-     * Applies the specified name/value pair to the header.  If a header does not yet exist at the time this method
-     * is called, one will be created automatically before applying the name/value pair.
-     *
-     * @param name  the header parameter name
-     * @param value the header parameter value
-     * @return the builder for method chaining.
-     */
-    JwtBuilder setHeaderParam(String name, Object value);
-
-    /**
-     * Sets the JWT's payload to be a plaintext (non-JSON) string.  If you want the JWT body to be JSON, use the
-     * {@link #setClaims(Claims)} or {@link #setClaims(java.util.Map)} methods instead.
-     *
-     * <p>The payload and claims properties are mutually exclusive - only one of the two may be used.</p>
-     *
-     * @param payload the plaintext (non-JSON) string that will be the body of the JWT.
-     * @return the builder for method chaining.
-     */
-    JwtBuilder setPayload(String payload);
-
-    /**
-     * Sets the JWT payload to be a JSON Claims instance.  If you do not want the JWT body to be JSON and instead want
-     * it to be a plaintext string, use the {@link #setPayload(String)} method instead.
-     *
-     * <p>The payload and claims properties are mutually exclusive - only one of the two may be used.</p>
-     *
-     * @param claims the JWT claims to be set as the JWT body.
-     * @return the builder for method chaining.
-     */
-    JwtBuilder setClaims(Claims claims);
-
-    /**
-     * Sets the JWT payload to be a JSON Claims instance populated by the specified name/value pairs.  If you do not
-     * want the JWT body to be JSON and instead want it to be a plaintext string, use the {@link #setPayload(String)}
-     * method instead.
-     *
-     * <p>The payload* and claims* properties are mutually exclusive - only one of the two may be used.</p>
-     *
-     * @param claims the JWT claims to be set as the JWT body.
-     * @return the builder for method chaining.
-     */
-    JwtBuilder setClaims(Map<String, ?> claims);
-
-    /**
-     * Adds all given name/value pairs to the JSON Claims in the payload. If a Claims instance does not yet exist at the
-     * time this method is called, one will be created automatically before applying the name/value pairs.
-     *
-     * <p>The payload and claims properties are mutually exclusive - only one of the two may be used.</p>
-     *
-     * @param claims the JWT claims to be added to the JWT body.
-     * @return the builder for method chaining.
-     * @since 0.8
-     */
-    JwtBuilder addClaims(Map<String, Object> claims);
-
-    /**
-     * Sets the JWT Claims <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.1">
-     * <code>iss</code></a> (issuer) value.  A {@code null} value will remove the property from the Claims.
-     *
-     * <p>This is a convenience method.  It will first ensure a Claims instance exists as the JWT body and then set
-     * the Claims {@link Claims#setIssuer(String) issuer} field with the specified value.  This allows you to write
-     * code like this:</p>
-     *
-     * <pre>
-     * String jwt = Jwts.builder().setIssuer("Joe").compact();
-     * </pre>
-     *
-     * <p>instead of this:</p>
-     * <pre>
-     * Claims claims = Jwts.claims().setIssuer("Joe");
-     * String jwt = Jwts.builder().setClaims(claims).compact();
-     * </pre>
-     * <p>if desired.</p>
-     *
-     * @param iss the JWT {@code iss} value or {@code null} to remove the property from the Claims map.
-     * @return the builder instance for method chaining.
-     * @since 0.2
-     */
-    @Override
-    //only for better/targeted JavaDoc
-    JwtBuilder setIssuer(String iss);
-
-    /**
-     * Sets the JWT Claims <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.2">
-     * <code>sub</code></a> (subject) value.  A {@code null} value will remove the property from the Claims.
-     *
-     * <p>This is a convenience method.  It will first ensure a Claims instance exists as the JWT body and then set
-     * the Claims {@link Claims#setSubject(String) subject} field with the specified value.  This allows you to write
-     * code like this:</p>
-     *
-     * <pre>
-     * String jwt = Jwts.builder().setSubject("Me").compact();
-     * </pre>
-     *
-     * <p>instead of this:</p>
-     * <pre>
-     * Claims claims = Jwts.claims().setSubject("Me");
-     * String jwt = Jwts.builder().setClaims(claims).compact();
-     * </pre>
-     * <p>if desired.</p>
-     *
-     * @param sub the JWT {@code sub} value or {@code null} to remove the property from the Claims map.
-     * @return the builder instance for method chaining.
-     * @since 0.2
-     */
-    @Override
-    //only for better/targeted JavaDoc
-    JwtBuilder setSubject(String sub);
-
-    /**
-     * Sets the JWT Claims <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.3">
-     * <code>aud</code></a> (audience) value.  A {@code null} value will remove the property from the Claims.
-     *
-     * <p>This is a convenience method.  It will first ensure a Claims instance exists as the JWT body and then set
-     * the Claims {@link Claims#setAudience(String) audience} field with the specified value.  This allows you to write
-     * code like this:</p>
-     *
-     * <pre>
-     * String jwt = Jwts.builder().setAudience("You").compact();
-     * </pre>
-     *
-     * <p>instead of this:</p>
-     * <pre>
-     * Claims claims = Jwts.claims().setAudience("You");
-     * String jwt = Jwts.builder().setClaims(claims).compact();
-     * </pre>
-     * <p>if desired.</p>
-     *
-     * @param aud the JWT {@code aud} value or {@code null} to remove the property from the Claims map.
-     * @return the builder instance for method chaining.
-     * @since 0.2
-     */
-    @Override
-    //only for better/targeted JavaDoc
-    JwtBuilder setAudience(String aud);
-
-    /**
-     * Sets the JWT Claims <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.4">
-     * <code>exp</code></a> (expiration) value.  A {@code null} value will remove the property from the Claims.
-     *
-     * <p>A JWT obtained after this timestamp should not be used.</p>
-     *
-     * <p>This is a convenience method.  It will first ensure a Claims instance exists as the JWT body and then set
-     * the Claims {@link Claims#setExpiration(java.util.Date) expiration} field with the specified value.  This allows
-     * you to write code like this:</p>
-     *
-     * <pre>
-     * String jwt = Jwts.builder().setExpiration(new Date(System.currentTimeMillis() + 3600000)).compact();
-     * </pre>
-     *
-     * <p>instead of this:</p>
-     * <pre>
-     * Claims claims = Jwts.claims().setExpiration(new Date(System.currentTimeMillis() + 3600000));
-     * String jwt = Jwts.builder().setClaims(claims).compact();
-     * </pre>
-     * <p>if desired.</p>
-     *
-     * @param exp the JWT {@code exp} value or {@code null} to remove the property from the Claims map.
-     * @return the builder instance for method chaining.
-     * @since 0.2
-     */
-    @Override
-    //only for better/targeted JavaDoc
-    JwtBuilder setExpiration(Date exp);
-
-    /**
-     * Sets the JWT Claims <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.5">
-     * <code>nbf</code></a> (not before) value.  A {@code null} value will remove the property from the Claims.
-     *
-     * <p>A JWT obtained before this timestamp should not be used.</p>
-     *
-     * <p>This is a convenience method.  It will first ensure a Claims instance exists as the JWT body and then set
-     * the Claims {@link Claims#setNotBefore(java.util.Date) notBefore} field with the specified value.  This allows
-     * you to write code like this:</p>
-     *
-     * <pre>
-     * String jwt = Jwts.builder().setNotBefore(new Date()).compact();
-     * </pre>
-     *
-     * <p>instead of this:</p>
-     * <pre>
-     * Claims claims = Jwts.claims().setNotBefore(new Date());
-     * String jwt = Jwts.builder().setClaims(claims).compact();
-     * </pre>
-     * <p>if desired.</p>
-     *
-     * @param nbf the JWT {@code nbf} value or {@code null} to remove the property from the Claims map.
-     * @return the builder instance for method chaining.
-     * @since 0.2
-     */
-    @Override
-    //only for better/targeted JavaDoc
-    JwtBuilder setNotBefore(Date nbf);
-
-    /**
-     * Sets the JWT Claims <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.6">
-     * <code>iat</code></a> (issued at) value.  A {@code null} value will remove the property from the Claims.
-     *
-     * <p>The value is the timestamp when the JWT was created.</p>
-     *
-     * <p>This is a convenience method.  It will first ensure a Claims instance exists as the JWT body and then set
-     * the Claims {@link Claims#setIssuedAt(java.util.Date) issuedAt} field with the specified value.  This allows
-     * you to write code like this:</p>
-     *
-     * <pre>
-     * String jwt = Jwts.builder().setIssuedAt(new Date()).compact();
-     * </pre>
-     *
-     * <p>instead of this:</p>
-     * <pre>
-     * Claims claims = Jwts.claims().setIssuedAt(new Date());
-     * String jwt = Jwts.builder().setClaims(claims).compact();
-     * </pre>
-     * <p>if desired.</p>
-     *
-     * @param iat the JWT {@code iat} value or {@code null} to remove the property from the Claims map.
-     * @return the builder instance for method chaining.
-     * @since 0.2
-     */
-    @Override
-    //only for better/targeted JavaDoc
-    JwtBuilder setIssuedAt(Date iat);
-
-    /**
-     * Sets the JWT Claims <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.7">
-     * <code>jti</code></a> (JWT ID) value.  A {@code null} value will remove the property from the Claims.
-     *
-     * <p>The value is a CaSe-SenSiTiVe unique identifier for the JWT. If specified, this value MUST be assigned in a
-     * manner that ensures that there is a negligible probability that the same value will be accidentally
-     * assigned to a different data object.  The ID can be used to prevent the JWT from being replayed.</p>
-     *
-     * <p>This is a convenience method.  It will first ensure a Claims instance exists as the JWT body and then set
-     * the Claims {@link Claims#setId(String) id} field with the specified value.  This allows
-     * you to write code like this:</p>
-     *
-     * <pre>
-     * String jwt = Jwts.builder().setId(UUID.randomUUID().toString()).compact();
-     * </pre>
-     *
-     * <p>instead of this:</p>
-     * <pre>
-     * Claims claims = Jwts.claims().setId(UUID.randomUUID().toString());
-     * String jwt = Jwts.builder().setClaims(claims).compact();
-     * </pre>
-     * <p>if desired.</p>
-     *
-     * @param jti the JWT {@code jti} (id) value or {@code null} to remove the property from the Claims map.
-     * @return the builder instance for method chaining.
-     * @since 0.2
-     */
-    @Override
-    //only for better/targeted JavaDoc
-    JwtBuilder setId(String jti);
-
-    /**
-     * Sets a custom JWT Claims parameter value.  A {@code null} value will remove the property from the Claims.
-     *
-     * <p>This is a convenience method.  It will first ensure a Claims instance exists as the JWT body and then set the
-     * named property on the Claims instance using the Claims {@link Claims#put(Object, Object) put} method. This allows
-     * you to write code like this:</p>
-     *
-     * <pre>
-     * String jwt = Jwts.builder().claim("aName", "aValue").compact();
-     * </pre>
-     *
-     * <p>instead of this:</p>
-     * <pre>
-     * Claims claims = Jwts.claims().put("aName", "aValue");
-     * String jwt = Jwts.builder().setClaims(claims).compact();
-     * </pre>
-     * <p>if desired.</p>
-     *
-     * @param name  the JWT Claims property name
-     * @param value the value to set for the specified Claims property name
-     * @return the builder instance for method chaining.
-     * @since 0.2
-     */
-    JwtBuilder claim(String name, Object value);
-
-    /**
-     * Signs the constructed JWT with the specified key using the key's
-     * {@link SignatureAlgorithm#forSigningKey(Key) recommended signature algorithm}, producing a JWS. If the
-     * recommended signature algorithm isn't sufficient for your needs, consider using
-     * {@link #signWith(Key, SignatureAlgorithm)} instead.
-     *
-     * <p>If you are looking to invoke this method with a byte array that you are confident may be used for HMAC-SHA
-     * algorithms, consider using {@link Keys Keys}.{@link Keys#hmacShaKeyFor(byte[]) hmacShaKeyFor(bytes)} to
-     * convert the byte array into a valid {@code Key}.</p>
-     *
-     * @param key the key to use for signing
-     * @return the builder instance for method chaining.
-     * @throws InvalidKeyException if the Key is insufficient or explicitly disallowed by the JWT specification as
-     *                             described by {@link SignatureAlgorithm#forSigningKey(Key)}.
-     * @see #signWith(Key, SignatureAlgorithm)
-     * @since 0.10.0
-     */
-    JwtBuilder signWith(Key key) throws InvalidKeyException;
-
-    /**
-     * Signs the constructed JWT using the specified algorithm with the specified key, producing a JWS.
-     *
-     * <h4>Deprecation Notice: Deprecated as of 0.10.0</h4>
-     *
-     * <p>Use {@link Keys Keys}.{@link Keys#hmacShaKeyFor(byte[]) hmacShaKeyFor(bytes)} to
-     * obtain the {@code Key} and then invoke {@link #signWith(Key)} or {@link #signWith(Key, SignatureAlgorithm)}.</p>
-     *
-     * <p>This method will be removed in the 1.0 release.</p>
-     *
-     * @param alg       the JWS algorithm to use to digitally sign the JWT, thereby producing a JWS.
-     * @param secretKey the algorithm-specific signing key to use to digitally sign the JWT.
-     * @return the builder for method chaining.
-     * @throws InvalidKeyException if the Key is insufficient or explicitly disallowed by the JWT specification as
-     *                             described by {@link SignatureAlgorithm#forSigningKey(Key)}.
-     * @deprecated as of 0.10.0: use {@link Keys Keys}.{@link Keys#hmacShaKeyFor(byte[]) hmacShaKeyFor(bytes)} to
-     * obtain the {@code Key} and then invoke {@link #signWith(Key)} or {@link #signWith(Key, SignatureAlgorithm)}.
-     * This method will be removed in the 1.0 release.
-     */
-    @Deprecated
-    JwtBuilder signWith(SignatureAlgorithm alg, byte[] secretKey) throws InvalidKeyException;
-
-    /**
-     * Signs the constructed JWT using the specified algorithm with the specified key, producing a JWS.
-     *
-     * <p>This is a convenience method: the string argument is first BASE64-decoded to a byte array and this resulting
-     * byte array is used to invoke {@link #signWith(SignatureAlgorithm, byte[])}.</p>
-     *
-     * <h4>Deprecation Notice: Deprecated as of 0.10.0, will be removed in the 1.0 release.</h4>
-     *
-     * <p>This method has been deprecated because the {@code key} argument for this method can be confusing: keys for
-     * cryptographic operations are always binary (byte arrays), and many people were confused as to how bytes were
-     * obtained from the String argument.</p>
-     *
-     * <p>This method always expected a String argument that was effectively the same as the result of the following
-     * (pseudocode):</p>
-     *
-     * <p>{@code String base64EncodedSecretKey = base64Encode(secretKeyBytes);}</p>
-     *
-     * <p>However, a non-trivial number of JJWT users were confused by the method signature and attempted to
-     * use raw password strings as the key argument - for example {@code signWith(HS256, myPassword)} - which is
-     * almost always incorrect for cryptographic hashes and can produce erroneous or insecure results.</p>
-     *
-     * <p>See this
-     * <a href="https://stackoverflow.com/questions/40252903/static-secret-as-byte-key-or-string/40274325#40274325">
-     * StackOverflow answer</a> explaining why raw (non-base64-encoded) strings are almost always incorrect for
-     * signature operations.</p>
-     *
-     * <p>To perform the correct logic with base64EncodedSecretKey strings with JJWT >= 0.10.0, you may do this:
-     * <pre><code>
-     * byte[] keyBytes = {@link Decoders Decoders}.{@link Decoders#BASE64 BASE64}.{@link Decoder#decode(Object) decode(base64EncodedSecretKey)};
-     * Key key = {@link Keys Keys}.{@link Keys#hmacShaKeyFor(byte[]) hmacShaKeyFor(keyBytes)};
-     * jwtBuilder.signWith(key); //or {@link #signWith(Key, SignatureAlgorithm)}
-     * </code></pre>
-     * </p>
-     *
-     * <p>This method will be removed in the 1.0 release.</p>
-     *
-     * @param alg                    the JWS algorithm to use to digitally sign the JWT, thereby producing a JWS.
-     * @param base64EncodedSecretKey the BASE64-encoded algorithm-specific signing key to use to digitally sign the
-     *                               JWT.
-     * @return the builder for method chaining.
-     * @throws InvalidKeyException if the Key is insufficient or explicitly disallowed by the JWT specification as
-     *                             described by {@link SignatureAlgorithm#forSigningKey(Key)}.
-     * @deprecated as of 0.10.0: use {@link #signWith(Key)} or {@link #signWith(Key, SignatureAlgorithm)} instead.  This
-     * method will be removed in the 1.0 release.
-     */
-    @Deprecated
-    JwtBuilder signWith(SignatureAlgorithm alg, String base64EncodedSecretKey) throws InvalidKeyException;
-
-    /**
-     * Signs the constructed JWT using the specified algorithm with the specified key, producing a JWS.
-     *
-     * <p>It is typically recommended to call the {@link #signWith(Key)} instead for simplicity.
-     * However, this method can be useful if the recommended algorithm heuristics do not meet your needs or if
-     * you want explicit control over the signature algorithm used with the specified key.</p>
-     *
-     * @param alg the JWS algorithm to use to digitally sign the JWT, thereby producing a JWS.
-     * @param key the algorithm-specific signing key to use to digitally sign the JWT.
-     * @return the builder for method chaining.
-     * @throws InvalidKeyException if the Key is insufficient or explicitly disallowed by the JWT specification for
-     *                             the specified algorithm.
-     * @see #signWith(Key)
-     * @deprecated since 0.10.0: use {@link #signWith(Key, SignatureAlgorithm)} instead.  This method will be removed
-     * in the 1.0 release.
-     */
-    @Deprecated
-    JwtBuilder signWith(SignatureAlgorithm alg, Key key) throws InvalidKeyException;
-
-    /**
-     * Signs the constructed JWT with the specified key using the specified algorithm, producing a JWS.
-     *
-     * <p>It is typically recommended to call the {@link #signWith(Key)} instead for simplicity.
-     * However, this method can be useful if the recommended algorithm heuristics do not meet your needs or if
-     * you want explicit control over the signature algorithm used with the specified key.</p>
-     *
-     * @param key the signing key to use to digitally sign the JWT.
-     * @param alg the JWS algorithm to use with the key to digitally sign the JWT, thereby producing a JWS.
-     * @return the builder for method chaining.
-     * @throws InvalidKeyException if the Key is insufficient or explicitly disallowed by the JWT specification for
-     *                             the specified algorithm.
-     * @see #signWith(Key)
-     * @since 0.10.0
-     */
-    JwtBuilder signWith(Key key, SignatureAlgorithm alg) throws InvalidKeyException;
-
-    /**
-     * Compresses the JWT body using the specified {@link CompressionCodec}.
-     *
-     * <p>If your compact JWTs are large, and you want to reduce their total size during network transmission, this
-     * can be useful.  For example, when embedding JWTs  in URLs, some browsers may not support URLs longer than a
-     * certain length.  Using compression can help ensure the compact JWT fits within that length.  However, NOTE:</p>
-     *
-     * <h3>Compatibility Warning</h3>
-     *
-     * <p>The JWT family of specifications defines compression only for JWE (Json Web Encryption)
-     * tokens.  Even so, JJWT will also support compression for JWS tokens as well if you choose to use it.
-     * However, be aware that <b>if you use compression when creating a JWS token, other libraries may not be able to
-     * parse that JWS token</b>.  When using compression for JWS tokens, be sure that that all parties accessing the
-     * JWS token support compression for JWS.</p>
-     *
-     * <p>Compression when creating JWE tokens however should be universally accepted for any
-     * library that supports JWE.</p>
-     *
-     * @param codec implementation of the {@link CompressionCodec} to be used.
-     * @return the builder for method chaining.
-     * @see io.jsonwebtoken.CompressionCodecs
-     * @since 0.6.0
-     */
-    JwtBuilder compressWith(CompressionCodec codec);
-
-    /**
-     * Perform Base64Url encoding with the specified Encoder.
-     *
-     * <p>JJWT uses a spec-compliant encoder that works on all supported JDK versions, but you may call this method
-     * to specify a different encoder if you desire.</p>
-     *
-     * @param base64UrlEncoder the encoder to use when Base64Url-encoding
-     * @return the builder for method chaining.
-     * @since 0.10.0
-     */
-    JwtBuilder base64UrlEncodeWith(Encoder<byte[], String> base64UrlEncoder);
-
-    /**
-     * Performs object-to-JSON serialization with the specified Serializer.  This is used by the builder to convert
-     * JWT/JWS/JWT headers and claims Maps to JSON strings as required by the JWT specification.
-     *
-     * <p>If this method is not called, JJWT will use whatever serializer it can find at runtime, checking for the
-     * presence of well-known implementations such Jackson, Gson, and org.json.  If one of these is not found
-     * in the runtime classpath, an exception will be thrown when the {@link #compact()} method is invoked.</p>
-     *
-     * @param serializer the serializer to use when converting Map objects to JSON strings.
-     * @return the builder for method chaining.
-     * @since 0.10.0
-     */
-    JwtBuilder serializeToJsonWith(Serializer<Map<String, ?>> serializer);
-
-    /**
-     * Actually builds the JWT and serializes it to a compact, URL-safe string according to the
-     * <a href="https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-7">JWT Compact Serialization</a>
-     * rules.
-     *
-     * @return A compact URL-safe JWT string.
-     */
-    String compact();
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtParser.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtParser.java
index 7e86b91136c..3e43079f1c2 100644
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtParser.java
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtParser.java
@@ -15,10 +15,6 @@
  */
 package io.jsonwebtoken;
 
-import io.jsonwebtoken.io.Decoder;
-import io.jsonwebtoken.io.Deserializer;
-import io.jsonwebtoken.security.SignatureException;
-
 import java.security.Key;
 import java.util.Date;
 import java.util.Map;
@@ -30,177 +26,6 @@ import java.util.Map;
  */
 public interface JwtParser {
 
-    public static final char SEPARATOR_CHAR = '.';
-
-    /**
-     * Ensures that the specified {@code jti} exists in the parsed JWT.  If missing or if the parsed
-     * value does not equal the specified value, an exception will be thrown indicating that the
-     * JWT is invalid and may not be used.
-     *
-     * @param id
-     * @return the parser method for chaining.
-     * @see MissingClaimException
-     * @see IncorrectClaimException
-     * @deprecated see {@link JwtParserBuilder#requireId(String)}.
-     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
-     * immutable JwtParser.
-     * <p><b>NOTE: this method will be removed before version 1.0</b>
-     */
-    @Deprecated
-    JwtParser requireId(String id);
-
-    /**
-     * Ensures that the specified {@code sub} exists in the parsed JWT.  If missing or if the parsed
-     * value does not equal the specified value, an exception will be thrown indicating that the
-     * JWT is invalid and may not be used.
-     *
-     * @param subject
-     * @return the parser for method chaining.
-     * @see MissingClaimException
-     * @see IncorrectClaimException
-     * @deprecated see {@link JwtParserBuilder#requireSubject(String)}.
-     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
-     * immutable JwtParser.
-     * <p><b>NOTE: this method will be removed before version 1.0</b>
-     */
-    @Deprecated
-    JwtParser requireSubject(String subject);
-
-    /**
-     * Ensures that the specified {@code aud} exists in the parsed JWT.  If missing or if the parsed
-     * value does not equal the specified value, an exception will be thrown indicating that the
-     * JWT is invalid and may not be used.
-     *
-     * @param audience
-     * @return the parser for method chaining.
-     * @see MissingClaimException
-     * @see IncorrectClaimException
-     * @deprecated see {@link JwtParserBuilder#requireAudience(String)}.
-     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
-     * immutable JwtParser.
-     * <p><b>NOTE: this method will be removed before version 1.0</b>
-     */
-    @Deprecated
-    JwtParser requireAudience(String audience);
-
-    /**
-     * Ensures that the specified {@code iss} exists in the parsed JWT.  If missing or if the parsed
-     * value does not equal the specified value, an exception will be thrown indicating that the
-     * JWT is invalid and may not be used.
-     *
-     * @param issuer
-     * @return the parser for method chaining.
-     * @see MissingClaimException
-     * @see IncorrectClaimException
-     * @deprecated see {@link JwtParserBuilder#requireIssuer(String)}.
-     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
-     * immutable JwtParser.
-     * <p><b>NOTE: this method will be removed before version 1.0</b>
-     */
-    @Deprecated
-    JwtParser requireIssuer(String issuer);
-
-    /**
-     * Ensures that the specified {@code iat} exists in the parsed JWT.  If missing or if the parsed
-     * value does not equal the specified value, an exception will be thrown indicating that the
-     * JWT is invalid and may not be used.
-     *
-     * @param issuedAt
-     * @return the parser for method chaining.
-     * @see MissingClaimException
-     * @see IncorrectClaimException
-     * @deprecated see {@link JwtParserBuilder#requireIssuedAt(Date)}.
-     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
-     * immutable JwtParser.
-     * <p><b>NOTE: this method will be removed before version 1.0</b>
-     */
-    @Deprecated
-    JwtParser requireIssuedAt(Date issuedAt);
-
-    /**
-     * Ensures that the specified {@code exp} exists in the parsed JWT.  If missing or if the parsed
-     * value does not equal the specified value, an exception will be thrown indicating that the
-     * JWT is invalid and may not be used.
-     *
-     * @param expiration
-     * @return the parser for method chaining.
-     * @see MissingClaimException
-     * @see IncorrectClaimException
-     * @deprecated see {@link JwtParserBuilder#requireExpiration(Date)}.
-     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
-     * immutable JwtParser.
-     * <p><b>NOTE: this method will be removed before version 1.0</b>
-     */
-    @Deprecated
-    JwtParser requireExpiration(Date expiration);
-
-    /**
-     * Ensures that the specified {@code nbf} exists in the parsed JWT.  If missing or if the parsed
-     * value does not equal the specified value, an exception will be thrown indicating that the
-     * JWT is invalid and may not be used.
-     *
-     * @param notBefore
-     * @return the parser for method chaining
-     * @see MissingClaimException
-     * @see IncorrectClaimException
-     * @deprecated see {@link JwtParserBuilder#requireNotBefore(Date)}.
-     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
-     * immutable JwtParser.
-     * <p><b>NOTE: this method will be removed before version 1.0</b>
-     */
-    @Deprecated
-    JwtParser requireNotBefore(Date notBefore);
-
-    /**
-     * Ensures that the specified {@code claimName} exists in the parsed JWT.  If missing or if the parsed
-     * value does not equal the specified value, an exception will be thrown indicating that the
-     * JWT is invalid and may not be used.
-     *
-     * @param claimName
-     * @param value
-     * @return the parser for method chaining.
-     * @see MissingClaimException
-     * @see IncorrectClaimException
-     * @deprecated see {@link JwtParserBuilder#require(String, Object)}.
-     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
-     * immutable JwtParser.
-     * <p><b>NOTE: this method will be removed before version 1.0</b>
-     */
-    @Deprecated
-    JwtParser require(String claimName, Object value);
-
-    /**
-     * Sets the {@link Clock} that determines the timestamp to use when validating the parsed JWT.
-     * The parser uses a default Clock implementation that simply returns {@code new Date()} when called.
-     *
-     * @param clock a {@code Clock} object to return the timestamp to use when validating the parsed JWT.
-     * @return the parser for method chaining.
-     * @since 0.7.0
-     * @deprecated see {@link JwtParserBuilder#setClock(Clock)}.
-     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
-     * immutable JwtParser.
-     * <p><b>NOTE: this method will be removed before version 1.0</b>
-     */
-    @Deprecated
-    JwtParser setClock(Clock clock);
-
-    /**
-     * Sets the amount of clock skew in seconds to tolerate when verifying the local time against the {@code exp}
-     * and {@code nbf} claims.
-     *
-     * @param seconds the number of seconds to tolerate for clock skew when verifying {@code exp} or {@code nbf} claims.
-     * @return the parser for method chaining.
-     * @since 0.7.0
-     * @throws IllegalArgumentException if {@code seconds} is a value greater than {@code Long.MAX_VALUE / 1000} as
-     * any such value would cause numeric overflow when multiplying by 1000 to obtain a millisecond value.
-     * @deprecated see {@link JwtParserBuilder#setAllowedClockSkewSeconds(long)}.
-     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
-     * immutable JwtParser.
-     * <p><b>NOTE: this method will be removed before version 1.0</b>
-     */
-    @Deprecated
-    JwtParser setAllowedClockSkewSeconds(long seconds) throws IllegalArgumentException;
-
     /**
      * Sets the signing key used to verify any discovered JWS digital signature.  If the specified JWT string is not
      * a JWS (no signature), this key is not used.
@@ -322,84 +147,6 @@ public interface JwtParser {
     @Deprecated
     JwtParser setSigningKeyResolver(SigningKeyResolver signingKeyResolver);
 
-    /**
-     * Sets the {@link CompressionCodecResolver} used to acquire the {@link CompressionCodec} that should be used to
-     * decompress the JWT body. If the parsed JWT is not compressed, this resolver is not used.
-     * <p><b>NOTE:</b> Compression is not defined by the JWT Specification, and it is not expected that other libraries
-     * (including JJWT versions &lt; 0.6.0) are able to consume a compressed JWT body correctly.  This method is only
-     * useful if the compact JWT was compressed with JJWT &gt;= 0.6.0 or another library that you know implements
-     * the same behavior.</p>
-     * <h3>Default Support</h3>
-     * <p>JJWT's default {@link JwtParser} implementation supports both the
-     * {@link CompressionCodecs#DEFLATE DEFLATE}
-     * and {@link CompressionCodecs#GZIP GZIP} algorithms by default - you do not need to
-     * specify a {@code CompressionCodecResolver} in these cases.</p>
-     * <p>However, if you want to use a compression algorithm other than {@code DEF} or {@code GZIP}, you must implement
-     * your own {@link CompressionCodecResolver} and specify that via this method and also when
-     * {@link io.jsonwebtoken.JwtBuilder#compressWith(CompressionCodec) building} JWTs.</p>
-     *
-     * @param compressionCodecResolver the compression codec resolver used to decompress the JWT body.
-     * @return the parser for method chaining.
-     * @since 0.6.0
-     * @deprecated see {@link JwtParserBuilder#setCompressionCodecResolver(CompressionCodecResolver)}.
-     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
-     * immutable JwtParser.
-     * <p><b>NOTE: this method will be removed before version 1.0</b>
-     */
-    @Deprecated
-    JwtParser setCompressionCodecResolver(CompressionCodecResolver compressionCodecResolver);
-
-    /**
-     * Perform Base64Url decoding with the specified Decoder
-     *
-     * <p>JJWT uses a spec-compliant decoder that works on all supported JDK versions, but you may call this method
-     * to specify a different decoder if you desire.</p>
-     *
-     * @param base64UrlDecoder the decoder to use when Base64Url-decoding
-     * @return the parser for method chaining.
-     * @since 0.10.0
-     * @deprecated see {@link JwtParserBuilder#base64UrlDecodeWith(Decoder)}.
-     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
-     * immutable JwtParser.
-     * <p><b>NOTE: this method will be removed before version 1.0</b>
-     */
-    @Deprecated
-    JwtParser base64UrlDecodeWith(Decoder<String, byte[]> base64UrlDecoder);
-
-    /**
-     * Uses the specified deserializer to convert JSON Strings (UTF-8 byte arrays) into Java Map objects.  This is
-     * used by the parser after Base64Url-decoding to convert JWT/JWS/JWT JSON headers and claims into Java Map
-     * objects.
-     *
-     * <p>If this method is not called, JJWT will use whatever deserializer it can find at runtime, checking for the
-     * presence of well-known implementations such Jackson, Gson, and org.json.  If one of these is not found
-     * in the runtime classpath, an exception will be thrown when one of the various {@code parse}* methods is
-     * invoked.</p>
-     *
-     * @param deserializer the deserializer to use when converting JSON Strings (UTF-8 byte arrays) into Map objects.
-     * @return the parser for method chaining.
-     * @since 0.10.0
-     * @deprecated see {@link JwtParserBuilder#deserializeJsonWith(Deserializer)} )}.
-     * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
-     * immutable JwtParser.
-     * <p><b>NOTE: this method will be removed before version 1.0</b>
-     */
-    @Deprecated
-    JwtParser deserializeJsonWith(Deserializer<Map<String,?>> deserializer);
-
-    /**
-     * Returns {@code true} if the specified JWT compact string represents a signed JWT (aka a 'JWS'), {@code false}
-     * otherwise.
-     * <p>
-     * <p>Note that if you are reasonably sure that the token is signed, it is more efficient to attempt to
-     * parse the token (and catching exceptions if necessary) instead of calling this method first before parsing.</p>
-     *
-     * @param jwt the compact serialized JWT to check
-     * @return {@code true} if the specified JWT compact string represents a signed JWT (aka a 'JWS'), {@code false}
-     * otherwise.
-     */
-    boolean isSigned(String jwt);
-
     /**
      * Parses the specified compact serialized JWT string based on the builder's current configuration state and
      * returns the resulting JWT or JWS instance.
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtParserBuilder.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtParserBuilder.java
index 2e8dd879451..cc0060b0c26 100644
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtParserBuilder.java
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/JwtParserBuilder.java
@@ -15,9 +15,6 @@
  */
 package io.jsonwebtoken;
 
-import io.jsonwebtoken.io.Decoder;
-import io.jsonwebtoken.io.Deserializer;
-
 import java.security.Key;
 import java.util.Date;
 import java.util.Map;
@@ -35,122 +32,6 @@ import java.util.Map;
  */
 public interface JwtParserBuilder {
 
-    /**
-     * Ensures that the specified {@code jti} exists in the parsed JWT.  If missing or if the parsed
-     * value does not equal the specified value, an exception will be thrown indicating that the
-     * JWT is invalid and may not be used.
-     *
-     * @param id
-     * @return the parser builder for method chaining.
-     * @see MissingClaimException
-     * @see IncorrectClaimException
-     */
-    JwtParserBuilder requireId(String id);
-
-    /**
-     * Ensures that the specified {@code sub} exists in the parsed JWT.  If missing or if the parsed
-     * value does not equal the specified value, an exception will be thrown indicating that the
-     * JWT is invalid and may not be used.
-     *
-     * @param subject
-     * @return the parser builder for method chaining.
-     * @see MissingClaimException
-     * @see IncorrectClaimException
-     */
-    JwtParserBuilder requireSubject(String subject);
-
-    /**
-     * Ensures that the specified {@code aud} exists in the parsed JWT.  If missing or if the parsed
-     * value does not equal the specified value, an exception will be thrown indicating that the
-     * JWT is invalid and may not be used.
-     *
-     * @param audience
-     * @return the parser builder for method chaining.
-     * @see MissingClaimException
-     * @see IncorrectClaimException
-     */
-    JwtParserBuilder requireAudience(String audience);
-
-    /**
-     * Ensures that the specified {@code iss} exists in the parsed JWT.  If missing or if the parsed
-     * value does not equal the specified value, an exception will be thrown indicating that the
-     * JWT is invalid and may not be used.
-     *
-     * @param issuer
-     * @return the parser builder for method chaining.
-     * @see MissingClaimException
-     * @see IncorrectClaimException
-     */
-    JwtParserBuilder requireIssuer(String issuer);
-
-    /**
-     * Ensures that the specified {@code iat} exists in the parsed JWT.  If missing or if the parsed
-     * value does not equal the specified value, an exception will be thrown indicating that the
-     * JWT is invalid and may not be used.
-     *
-     * @param issuedAt
-     * @return the parser builder for method chaining.
-     * @see MissingClaimException
-     * @see IncorrectClaimException
-     */
-    JwtParserBuilder requireIssuedAt(Date issuedAt);
-
-    /**
-     * Ensures that the specified {@code exp} exists in the parsed JWT.  If missing or if the parsed
-     * value does not equal the specified value, an exception will be thrown indicating that the
-     * JWT is invalid and may not be used.
-     *
-     * @param expiration
-     * @return the parser builder for method chaining.
-     * @see MissingClaimException
-     * @see IncorrectClaimException
-     */
-    JwtParserBuilder requireExpiration(Date expiration);
-
-    /**
-     * Ensures that the specified {@code nbf} exists in the parsed JWT.  If missing or if the parsed
-     * value does not equal the specified value, an exception will be thrown indicating that the
-     * JWT is invalid and may not be used.
-     *
-     * @param notBefore
-     * @return the parser builder for method chaining
-     * @see MissingClaimException
-     * @see IncorrectClaimException
-     */
-    JwtParserBuilder requireNotBefore(Date notBefore);
-
-    /**
-     * Ensures that the specified {@code claimName} exists in the parsed JWT.  If missing or if the parsed
-     * value does not equal the specified value, an exception will be thrown indicating that the
-     * JWT is invalid and may not be used.
-     *
-     * @param claimName
-     * @param value
-     * @return the parser builder for method chaining.
-     * @see MissingClaimException
-     * @see IncorrectClaimException
-     */
-    JwtParserBuilder require(String claimName, Object value);
-
-    /**
-     * Sets the {@link Clock} that determines the timestamp to use when validating the parsed JWT.
-     * The parser uses a default Clock implementation that simply returns {@code new Date()} when called.
-     *
-     * @param clock a {@code Clock} object to return the timestamp to use when validating the parsed JWT.
-     * @return the parser builder for method chaining.
-     */
-    JwtParserBuilder setClock(Clock clock);
-
-    /**
-     * Sets the amount of clock skew in seconds to tolerate when verifying the local time against the {@code exp}
-     * and {@code nbf} claims.
-     *
-     * @param seconds the number of seconds to tolerate for clock skew when verifying {@code exp} or {@code nbf} claims.
-     * @return the parser builder for method chaining.
-     * @throws IllegalArgumentException if {@code seconds} is a value greater than {@code Long.MAX_VALUE / 1000} as
-     * any such value would cause numeric overflow when multiplying by 1000 to obtain a millisecond value.
-     */
-    JwtParserBuilder setAllowedClockSkewSeconds(long seconds) throws IllegalArgumentException;
 
     /**
      * Sets the signing key used to verify any discovered JWS digital signature.  If the specified JWT string is not
@@ -252,53 +133,6 @@ public interface JwtParserBuilder {
      */
     JwtParserBuilder setSigningKeyResolver(SigningKeyResolver signingKeyResolver);
 
-    /**
-     * Sets the {@link CompressionCodecResolver} used to acquire the {@link CompressionCodec} that should be used to
-     * decompress the JWT body. If the parsed JWT is not compressed, this resolver is not used.
-     * <p><b>NOTE:</b> Compression is not defined by the JWT Specification, and it is not expected that other libraries
-     * (including JJWT versions &lt; 0.6.0) are able to consume a compressed JWT body correctly.  This method is only
-     * useful if the compact JWT was compressed with JJWT &gt;= 0.6.0 or another library that you know implements
-     * the same behavior.</p>
-     * <h3>Default Support</h3>
-     * <p>JJWT's default {@link JwtParser} implementation supports both the
-     * {@link CompressionCodecs#DEFLATE DEFLATE}
-     * and {@link CompressionCodecs#GZIP GZIP} algorithms by default - you do not need to
-     * specify a {@code CompressionCodecResolver} in these cases.</p>
-     * <p>However, if you want to use a compression algorithm other than {@code DEF} or {@code GZIP}, you must implement
-     * your own {@link CompressionCodecResolver} and specify that via this method and also when
-     * {@link io.jsonwebtoken.JwtBuilder#compressWith(CompressionCodec) building} JWTs.</p>
-     *
-     * @param compressionCodecResolver the compression codec resolver used to decompress the JWT body.
-     * @return the parser builder for method chaining.
-     */
-    JwtParserBuilder setCompressionCodecResolver(CompressionCodecResolver compressionCodecResolver);
-
-    /**
-     * Perform Base64Url decoding with the specified Decoder
-     *
-     * <p>JJWT uses a spec-compliant decoder that works on all supported JDK versions, but you may call this method
-     * to specify a different decoder if you desire.</p>
-     *
-     * @param base64UrlDecoder the decoder to use when Base64Url-decoding
-     * @return the parser builder for method chaining.
-     */
-    JwtParserBuilder base64UrlDecodeWith(Decoder<String, byte[]> base64UrlDecoder);
-
-    /**
-     * Uses the specified deserializer to convert JSON Strings (UTF-8 byte arrays) into Java Map objects.  This is
-     * used by the parser after Base64Url-decoding to convert JWT/JWS/JWT JSON headers and claims into Java Map
-     * objects.
-     *
-     * <p>If this method is not called, JJWT will use whatever deserializer it can find at runtime, checking for the
-     * presence of well-known implementations such Jackson, Gson, and org.json.  If one of these is not found
-     * in the runtime classpath, an exception will be thrown when one of the various {@code parse}* methods is
-     * invoked.</p>
-     *
-     * @param deserializer the deserializer to use when converting JSON Strings (UTF-8 byte arrays) into Map objects.
-     * @return the builder for method chaining.
-     */
-    JwtParserBuilder deserializeJsonWith(Deserializer<Map<String,?>> deserializer);
-
     /**
      * Returns an immutable/thread-safe {@link JwtParser} created from the configuration from this JwtParserBuilder.
      * @return an immutable/thread-safe JwtParser created from the configuration from this JwtParserBuilder.
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jwts.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jwts.java
index 80de65a44f1..11caab3b7d3 100644
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jwts.java
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/Jwts.java
@@ -15,8 +15,6 @@
  */
 package io.jsonwebtoken;
 
-import io.jsonwebtoken.lang.Classes;
-
 import java.util.Map;
 
 /**
@@ -27,73 +25,9 @@ import java.util.Map;
  */
 public final class Jwts {
 
-    private static final Class[] MAP_ARG = new Class[]{Map.class};
-
     private Jwts() {
     }
 
-    /**
-     * Creates a new {@link Header} instance suitable for <em>plaintext</em> (not digitally signed) JWTs.  As this
-     * is a less common use of JWTs, consider using the {@link #jwsHeader()} factory method instead if you will later
-     * digitally sign the JWT.
-     *
-     * @return a new {@link Header} instance suitable for <em>plaintext</em> (not digitally signed) JWTs.
-     */
-    public static Header header() {
-        return Classes.newInstance("io.jsonwebtoken.impl.DefaultHeader");
-    }
-
-    /**
-     * Creates a new {@link Header} instance suitable for <em>plaintext</em> (not digitally signed) JWTs, populated
-     * with the specified name/value pairs.  As this is a less common use of JWTs, consider using the
-     * {@link #jwsHeader(java.util.Map)} factory method instead if you will later digitally sign the JWT.
-     *
-     * @return a new {@link Header} instance suitable for <em>plaintext</em> (not digitally signed) JWTs.
-     */
-    public static Header header(Map<String, Object> header) {
-        return Classes.newInstance("io.jsonwebtoken.impl.DefaultHeader", MAP_ARG, header);
-    }
-
-    /**
-     * Returns a new {@link JwsHeader} instance suitable for digitally signed JWTs (aka 'JWS's).
-     *
-     * @return a new {@link JwsHeader} instance suitable for digitally signed JWTs (aka 'JWS's).
-     * @see JwtBuilder#setHeader(Header)
-     */
-    public static JwsHeader jwsHeader() {
-        return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwsHeader");
-    }
-
-    /**
-     * Returns a new {@link JwsHeader} instance suitable for digitally signed JWTs (aka 'JWS's), populated with the
-     * specified name/value pairs.
-     *
-     * @return a new {@link JwsHeader} instance suitable for digitally signed JWTs (aka 'JWS's), populated with the
-     * specified name/value pairs.
-     * @see JwtBuilder#setHeader(Header)
-     */
-    public static JwsHeader jwsHeader(Map<String, Object> header) {
-        return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwsHeader", MAP_ARG, header);
-    }
-
-    /**
-     * Returns a new {@link Claims} instance to be used as a JWT body.
-     *
-     * @return a new {@link Claims} instance to be used as a JWT body.
-     */
-    public static Claims claims() {
-        return Classes.newInstance("io.jsonwebtoken.impl.DefaultClaims");
-    }
-
-    /**
-     * Returns a new {@link Claims} instance populated with the specified name/value pairs.
-     *
-     * @param claims the name/value pairs to populate the new Claims instance.
-     * @return a new {@link Claims} instance populated with the specified name/value pairs.
-     */
-    public static Claims claims(Map<String, Object> claims) {
-        return Classes.newInstance("io.jsonwebtoken.impl.DefaultClaims", MAP_ARG, claims);
-    }
 
     /**
      * Returns a new {@link JwtParser} instance that can be configured and then used to parse JWT strings.
@@ -118,7 +52,7 @@ public final class Jwts {
      */
     @Deprecated
     public static JwtParser parser() {
-        return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwtParser");
+        return null;
     }
 
     /**
@@ -127,17 +61,6 @@ public final class Jwts {
      * @return a new {@link JwtParser} instance that can be configured create an immutable/thread-safe {@link JwtParser).
      */
     public static JwtParserBuilder parserBuilder() {
-        return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwtParserBuilder");
-    }
-
-    /**
-     * Returns a new {@link JwtBuilder} instance that can be configured and then used to create JWT compact serialized
-     * strings.
-     *
-     * @return a new {@link JwtBuilder} instance that can be configured and then used to create JWT compact serialized
-     * strings.
-     */
-    public static JwtBuilder builder() {
-        return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwtBuilder");
+        return null;
     }
 }
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/MissingClaimException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/MissingClaimException.java
deleted file mode 100644
index 030fe98d06b..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/MissingClaimException.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2015 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken;
-
-/**
- * Exception thrown when discovering that a required claim is not present, indicating the JWT is
- * invalid and may not be used.
- *
- * @since 0.6
- */
-public class MissingClaimException extends InvalidClaimException {
-    public MissingClaimException(Header header, Claims claims, String message) {
-        super(header, claims, message);
-    }
-
-    public MissingClaimException(Header header, Claims claims, String message, Throwable cause) {
-        super(header, claims, message, cause);
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/PrematureJwtException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/PrematureJwtException.java
deleted file mode 100644
index 8853832e80a..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/PrematureJwtException.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken;
-
-/**
- * Exception indicating that a JWT was accepted before it is allowed to be accessed and must be rejected.
- *
- * @since 0.3
- */
-public class PrematureJwtException extends ClaimJwtException {
-
-    public PrematureJwtException(Header header, Claims claims, String message) {
-        super(header, claims, message);
-    }
-
-    /**
-     * @param header jwt header
-     * @param claims jwt claims (body)
-     * @param message exception message
-     * @param cause cause
-     * @since 0.5
-     */
-    public PrematureJwtException(Header header, Claims claims, String message, Throwable cause) {
-        super(header, claims, message, cause);
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/RequiredTypeException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/RequiredTypeException.java
deleted file mode 100644
index eeb60d3084d..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/RequiredTypeException.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken;
-
-/**
- * Exception thrown when {@link Claims#get(String, Class)} is called and the value does not match the type of the
- * {@code Class} argument.
- *
- * @since 0.6
- */
-public class RequiredTypeException extends JwtException {
-    public RequiredTypeException(String message) {
-        super(message);
-    }
-
-    public RequiredTypeException(String message, Throwable cause) {
-        super(message, cause);
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SignatureAlgorithm.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SignatureAlgorithm.java
deleted file mode 100644
index 9f646502dfa..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SignatureAlgorithm.java
+++ /dev/null
@@ -1,655 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken;
-
-import io.jsonwebtoken.security.InvalidKeyException;
-import io.jsonwebtoken.security.Keys;
-import io.jsonwebtoken.security.SignatureException;
-import io.jsonwebtoken.security.WeakKeyException;
-
-import javax.crypto.SecretKey;
-import java.security.Key;
-import java.security.PrivateKey;
-import java.security.interfaces.ECKey;
-import java.security.interfaces.RSAKey;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.List;
-
-/**
- * Type-safe representation of standard JWT signature algorithm names as defined in the
- * <a href="https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-31">JSON Web Algorithms</a> specification.
- *
- * @since 0.1
- */
-public enum SignatureAlgorithm {
-
-    /**
-     * JWA name for {@code No digital signature or MAC performed}
-     */
-    NONE("none", "No digital signature or MAC performed", "None", null, false, 0, 0),
-
-    /**
-     * JWA algorithm name for {@code HMAC using SHA-256}
-     */
-    HS256("HS256", "HMAC using SHA-256", "HMAC", "HmacSHA256", true, 256, 256, "1.2.840.113549.2.9"),
-
-    /**
-     * JWA algorithm name for {@code HMAC using SHA-384}
-     */
-    HS384("HS384", "HMAC using SHA-384", "HMAC", "HmacSHA384", true, 384, 384, "1.2.840.113549.2.10"),
-
-    /**
-     * JWA algorithm name for {@code HMAC using SHA-512}
-     */
-    HS512("HS512", "HMAC using SHA-512", "HMAC", "HmacSHA512", true, 512, 512, "1.2.840.113549.2.11"),
-
-    /**
-     * JWA algorithm name for {@code RSASSA-PKCS-v1_5 using SHA-256}
-     */
-    RS256("RS256", "RSASSA-PKCS-v1_5 using SHA-256", "RSA", "SHA256withRSA", true, 256, 2048),
-
-    /**
-     * JWA algorithm name for {@code RSASSA-PKCS-v1_5 using SHA-384}
-     */
-    RS384("RS384", "RSASSA-PKCS-v1_5 using SHA-384", "RSA", "SHA384withRSA", true, 384, 2048),
-
-    /**
-     * JWA algorithm name for {@code RSASSA-PKCS-v1_5 using SHA-512}
-     */
-    RS512("RS512", "RSASSA-PKCS-v1_5 using SHA-512", "RSA", "SHA512withRSA", true, 512, 2048),
-
-    /**
-     * JWA algorithm name for {@code ECDSA using P-256 and SHA-256}
-     */
-    ES256("ES256", "ECDSA using P-256 and SHA-256", "ECDSA", "SHA256withECDSA", true, 256, 256),
-
-    /**
-     * JWA algorithm name for {@code ECDSA using P-384 and SHA-384}
-     */
-    ES384("ES384", "ECDSA using P-384 and SHA-384", "ECDSA", "SHA384withECDSA", true, 384, 384),
-
-    /**
-     * JWA algorithm name for {@code ECDSA using P-521 and SHA-512}
-     */
-    ES512("ES512", "ECDSA using P-521 and SHA-512", "ECDSA", "SHA512withECDSA", true, 512, 521),
-
-    /**
-     * JWA algorithm name for {@code RSASSA-PSS using SHA-256 and MGF1 with SHA-256}.  <b>This algorithm requires
-     * Java 11 or later or a JCA provider like BouncyCastle to be in the runtime classpath.</b>  If on Java 10 or
-     * earlier, BouncyCastle will be used automatically if found in the runtime classpath.
-     */
-    PS256("PS256", "RSASSA-PSS using SHA-256 and MGF1 with SHA-256", "RSA", "RSASSA-PSS", false, 256, 2048),
-
-    /**
-     * JWA algorithm name for {@code RSASSA-PSS using SHA-384 and MGF1 with SHA-384}.  <b>This algorithm requires
-     * Java 11 or later or a JCA provider like BouncyCastle to be in the runtime classpath.</b>  If on Java 10 or
-     * earlier, BouncyCastle will be used automatically if found in the runtime classpath.
-     */
-    PS384("PS384", "RSASSA-PSS using SHA-384 and MGF1 with SHA-384", "RSA", "RSASSA-PSS", false, 384, 2048),
-
-    /**
-     * JWA algorithm name for {@code RSASSA-PSS using SHA-512 and MGF1 with SHA-512}. <b>This algorithm requires
-     * Java 11 or later or a JCA provider like BouncyCastle to be in the runtime classpath.</b>  If on Java 10 or
-     * earlier, BouncyCastle will be used automatically if found in the runtime classpath.
-     */
-    PS512("PS512", "RSASSA-PSS using SHA-512 and MGF1 with SHA-512", "RSA", "RSASSA-PSS", false, 512, 2048);
-
-    //purposefully ordered higher to lower:
-    private static final List<SignatureAlgorithm> PREFERRED_HMAC_ALGS = Collections.unmodifiableList(Arrays.asList(
-        SignatureAlgorithm.HS512, SignatureAlgorithm.HS384, SignatureAlgorithm.HS256));
-    //purposefully ordered higher to lower:
-    private static final List<SignatureAlgorithm> PREFERRED_EC_ALGS = Collections.unmodifiableList(Arrays.asList(
-        SignatureAlgorithm.ES512, SignatureAlgorithm.ES384, SignatureAlgorithm.ES256));
-
-    private final String value;
-    private final String description;
-    private final String familyName;
-    private final String jcaName;
-    private final boolean jdkStandard;
-    private final int digestLength;
-    private final int minKeyLength;
-    /**
-     * Algorithm name as given by {@link Key#getAlgorithm()} if the key was loaded from a pkcs12 Keystore.
-     *
-     * @deprecated This is just a workaround for https://bugs.openjdk.java.net/browse/JDK-8243551
-     */
-    @Deprecated
-    private final String pkcs12Name;
-
-    SignatureAlgorithm(String value, String description, String familyName, String jcaName, boolean jdkStandard,
-                       int digestLength, int minKeyLength) {
-        this(value, description,familyName, jcaName, jdkStandard, digestLength, minKeyLength, jcaName);
-    }
-
-    SignatureAlgorithm(String value, String description, String familyName, String jcaName, boolean jdkStandard,
-                       int digestLength, int minKeyLength, String pkcs12Name) {
-        this.value = value;
-        this.description = description;
-        this.familyName = familyName;
-        this.jcaName = jcaName;
-        this.jdkStandard = jdkStandard;
-        this.digestLength = digestLength;
-        this.minKeyLength = minKeyLength;
-        this.pkcs12Name = pkcs12Name;
-    }
-
-    /**
-     * Returns the JWA algorithm name constant.
-     *
-     * @return the JWA algorithm name constant.
-     */
-    public String getValue() {
-        return value;
-    }
-
-    /**
-     * Returns the JWA algorithm description.
-     *
-     * @return the JWA algorithm description.
-     */
-    public String getDescription() {
-        return description;
-    }
-
-
-    /**
-     * Returns the cryptographic family name of the signature algorithm.  The value returned is according to the
-     * following table:
-     *
-     * <table>
-     * <caption>Crypto Family</caption>
-     * <thead>
-     * <tr>
-     * <th>SignatureAlgorithm</th>
-     * <th>Family Name</th>
-     * </tr>
-     * </thead>
-     * <tbody>
-     * <tr>
-     * <td>HS256</td>
-     * <td>HMAC</td>
-     * </tr>
-     * <tr>
-     * <td>HS384</td>
-     * <td>HMAC</td>
-     * </tr>
-     * <tr>
-     * <td>HS512</td>
-     * <td>HMAC</td>
-     * </tr>
-     * <tr>
-     * <td>RS256</td>
-     * <td>RSA</td>
-     * </tr>
-     * <tr>
-     * <td>RS384</td>
-     * <td>RSA</td>
-     * </tr>
-     * <tr>
-     * <td>RS512</td>
-     * <td>RSA</td>
-     * </tr>
-     * <tr>
-     * <td>PS256</td>
-     * <td>RSA</td>
-     * </tr>
-     * <tr>
-     * <td>PS384</td>
-     * <td>RSA</td>
-     * </tr>
-     * <tr>
-     * <td>PS512</td>
-     * <td>RSA</td>
-     * </tr>
-     * <tr>
-     * <td>ES256</td>
-     * <td>ECDSA</td>
-     * </tr>
-     * <tr>
-     * <td>ES384</td>
-     * <td>ECDSA</td>
-     * </tr>
-     * <tr>
-     * <td>ES512</td>
-     * <td>ECDSA</td>
-     * </tr>
-     * </tbody>
-     * </table>
-     *
-     * @return Returns the cryptographic family name of the signature algorithm.
-     * @since 0.5
-     */
-    public String getFamilyName() {
-        return familyName;
-    }
-
-    /**
-     * Returns the name of the JCA algorithm used to compute the signature.
-     *
-     * @return the name of the JCA algorithm used to compute the signature.
-     */
-    public String getJcaName() {
-        return jcaName;
-    }
-
-    /**
-     * Returns {@code true} if the algorithm is supported by standard JDK distributions or {@code false} if the
-     * algorithm implementation is not in the JDK and must be provided by a separate runtime JCA Provider (like
-     * BouncyCastle for example).
-     *
-     * @return {@code true} if the algorithm is supported by standard JDK distributions or {@code false} if the
-     * algorithm implementation is not in the JDK and must be provided by a separate runtime JCA Provider (like
-     * BouncyCastle for example).
-     */
-    public boolean isJdkStandard() {
-        return jdkStandard;
-    }
-
-    /**
-     * Returns {@code true} if the enum instance represents an HMAC signature algorithm, {@code false} otherwise.
-     *
-     * @return {@code true} if the enum instance represents an HMAC signature algorithm, {@code false} otherwise.
-     */
-    public boolean isHmac() {
-        return familyName.equals("HMAC");
-    }
-
-    /**
-     * Returns {@code true} if the enum instance represents an RSA public/private key pair signature algorithm,
-     * {@code false} otherwise.
-     *
-     * @return {@code true} if the enum instance represents an RSA public/private key pair signature algorithm,
-     * {@code false} otherwise.
-     */
-    public boolean isRsa() {
-        return familyName.equals("RSA");
-    }
-
-    /**
-     * Returns {@code true} if the enum instance represents an Elliptic Curve ECDSA signature algorithm, {@code false}
-     * otherwise.
-     *
-     * @return {@code true} if the enum instance represents an Elliptic Curve ECDSA signature algorithm, {@code false}
-     * otherwise.
-     */
-    public boolean isEllipticCurve() {
-        return familyName.equals("ECDSA");
-    }
-
-    /**
-     * Returns the minimum key length in bits (not bytes) that may be used with this algorithm according to the
-     * <a href="https://tools.ietf.org/html/rfc7518">JWT JWA Specification (RFC 7518)</a>.
-     *
-     * @return the minimum key length in bits (not bytes) that may be used with this algorithm according to the
-     * <a href="https://tools.ietf.org/html/rfc7518">JWT JWA Specification (RFC 7518)</a>.
-     * @since 0.10.0
-     */
-    public int getMinKeyLength() {
-        return this.minKeyLength;
-    }
-
-    /**
-     * Returns quietly if the specified key is allowed to create signatures using this algorithm
-     * according to the <a href="https://tools.ietf.org/html/rfc7518">JWT JWA Specification (RFC 7518)</a> or throws an
-     * {@link InvalidKeyException} if the key is not allowed or not secure enough for this algorithm.
-     *
-     * @param key the key to check for validity.
-     * @throws InvalidKeyException if the key is not allowed or not secure enough for this algorithm.
-     * @since 0.10.0
-     */
-    public void assertValidSigningKey(Key key) throws InvalidKeyException {
-        assertValid(key, true);
-    }
-
-    /**
-     * Returns quietly if the specified key is allowed to verify signatures using this algorithm
-     * according to the <a href="https://tools.ietf.org/html/rfc7518">JWT JWA Specification (RFC 7518)</a> or throws an
-     * {@link InvalidKeyException} if the key is not allowed or not secure enough for this algorithm.
-     *
-     * @param key the key to check for validity.
-     * @throws InvalidKeyException if the key is not allowed or not secure enough for this algorithm.
-     * @since 0.10.0
-     */
-    public void assertValidVerificationKey(Key key) throws InvalidKeyException {
-        assertValid(key, false);
-    }
-
-    /**
-     * @since 0.10.0 to support assertValid(Key, boolean)
-     */
-    private static String keyType(boolean signing) {
-        return signing ? "signing" : "verification";
-    }
-
-    /**
-     * @since 0.10.0
-     */
-    private void assertValid(Key key, boolean signing) throws InvalidKeyException {
-
-        if (this == NONE) {
-
-            String msg = "The 'NONE' signature algorithm does not support cryptographic keys.";
-            throw new InvalidKeyException(msg);
-
-        } else if (isHmac()) {
-
-            if (!(key instanceof SecretKey)) {
-                String msg = this.familyName + " " + keyType(signing) + " keys must be SecretKey instances.";
-                throw new InvalidKeyException(msg);
-            }
-            SecretKey secretKey = (SecretKey) key;
-
-            byte[] encoded = secretKey.getEncoded();
-            if (encoded == null) {
-                throw new InvalidKeyException("The " + keyType(signing) + " key's encoded bytes cannot be null.");
-            }
-
-            String alg = secretKey.getAlgorithm();
-            if (alg == null) {
-                throw new InvalidKeyException("The " + keyType(signing) + " key's algorithm cannot be null.");
-            }
-
-            // These next checks use equalsIgnoreCase per https://github.com/jwtk/jjwt/issues/381#issuecomment-412912272
-            if (!HS256.jcaName.equalsIgnoreCase(alg) &&
-                !HS384.jcaName.equalsIgnoreCase(alg) &&
-                !HS512.jcaName.equalsIgnoreCase(alg) &&
-                !HS256.pkcs12Name.equals(alg) &&
-                !HS384.pkcs12Name.equals(alg) &&
-                !HS512.pkcs12Name.equals(alg)) {
-                throw new InvalidKeyException("The " + keyType(signing) + " key's algorithm '" + alg +
-                    "' does not equal a valid HmacSHA* algorithm name and cannot be used with " + name() + ".");
-            }
-
-            int size = encoded.length * 8; //size in bits
-            if (size < this.minKeyLength) {
-                String msg = "The " + keyType(signing) + " key's size is " + size + " bits which " +
-                    "is not secure enough for the " + name() + " algorithm.  The JWT " +
-                    "JWA Specification (RFC 7518, Section 3.2) states that keys used with " + name() + " MUST have a " +
-                    "size >= " + minKeyLength + " bits (the key size must be greater than or equal to the hash " +
-                    "output size).  Consider using the " + Keys.class.getName() + " class's " +
-                    "'secretKeyFor(SignatureAlgorithm." + name() + ")' method to create a key guaranteed to be " +
-                    "secure enough for " + name() + ".  See " +
-                    "https://tools.ietf.org/html/rfc7518#section-3.2 for more information.";
-                throw new WeakKeyException(msg);
-            }
-
-        } else { //EC or RSA
-
-            if (signing) {
-                if (!(key instanceof PrivateKey)) {
-                    String msg = familyName + " signing keys must be PrivateKey instances.";
-                    throw new InvalidKeyException(msg);
-                }
-            }
-
-            if (isEllipticCurve()) {
-
-                if (!(key instanceof ECKey)) {
-                    String msg = familyName + " " + keyType(signing) + " keys must be ECKey instances.";
-                    throw new InvalidKeyException(msg);
-                }
-
-                ECKey ecKey = (ECKey) key;
-                int size = ecKey.getParams().getOrder().bitLength();
-                if (size < this.minKeyLength) {
-                    String msg = "The " + keyType(signing) + " key's size (ECParameterSpec order) is " + size +
-                        " bits which is not secure enough for the " + name() + " algorithm.  The JWT " +
-                        "JWA Specification (RFC 7518, Section 3.4) states that keys used with " +
-                        name() + " MUST have a size >= " + this.minKeyLength +
-                        " bits.  Consider using the " + Keys.class.getName() + " class's " +
-                        "'keyPairFor(SignatureAlgorithm." + name() + ")' method to create a key pair guaranteed " +
-                        "to be secure enough for " + name() + ".  See " +
-                        "https://tools.ietf.org/html/rfc7518#section-3.4 for more information.";
-                    throw new WeakKeyException(msg);
-                }
-
-            } else { //RSA
-
-                if (!(key instanceof RSAKey)) {
-                    String msg = familyName + " " + keyType(signing) + " keys must be RSAKey instances.";
-                    throw new InvalidKeyException(msg);
-                }
-
-                RSAKey rsaKey = (RSAKey) key;
-                int size = rsaKey.getModulus().bitLength();
-                if (size < this.minKeyLength) {
-
-                    String section = name().startsWith("P") ? "3.5" : "3.3";
-
-                    String msg = "The " + keyType(signing) + " key's size is " + size + " bits which is not secure " +
-                        "enough for the " + name() + " algorithm.  The JWT JWA Specification (RFC 7518, Section " +
-                        section + ") states that keys used with " + name() + " MUST have a size >= " +
-                        this.minKeyLength + " bits.  Consider using the " + Keys.class.getName() + " class's " +
-                        "'keyPairFor(SignatureAlgorithm." + name() + ")' method to create a key pair guaranteed " +
-                        "to be secure enough for " + name() + ".  See " +
-                        "https://tools.ietf.org/html/rfc7518#section-" + section + " for more information.";
-                    throw new WeakKeyException(msg);
-                }
-            }
-        }
-    }
-
-    /**
-     * Returns the recommended signature algorithm to be used with the specified key according to the following
-     * heuristics:
-     *
-     * <table>
-     * <caption>Key Signature Algorithm</caption>
-     * <thead>
-     * <tr>
-     * <th>If the Key is a:</th>
-     * <th>And:</th>
-     * <th>With a key size of:</th>
-     * <th>The returned SignatureAlgorithm will be:</th>
-     * </tr>
-     * </thead>
-     * <tbody>
-     * <tr>
-     * <td>{@link SecretKey}</td>
-     * <td><code>{@link Key#getAlgorithm() getAlgorithm()}.equals("HmacSHA256")</code><sup>1</sup></td>
-     * <td>256 &lt;= size &lt;= 383 <sup>2</sup></td>
-     * <td>{@link SignatureAlgorithm#HS256 HS256}</td>
-     * </tr>
-     * <tr>
-     * <td>{@link SecretKey}</td>
-     * <td><code>{@link Key#getAlgorithm() getAlgorithm()}.equals("HmacSHA384")</code><sup>1</sup></td>
-     * <td>384 &lt;= size &lt;= 511</td>
-     * <td>{@link SignatureAlgorithm#HS384 HS384}</td>
-     * </tr>
-     * <tr>
-     * <td>{@link SecretKey}</td>
-     * <td><code>{@link Key#getAlgorithm() getAlgorithm()}.equals("HmacSHA512")</code><sup>1</sup></td>
-     * <td>512 &lt;= size</td>
-     * <td>{@link SignatureAlgorithm#HS512 HS512}</td>
-     * </tr>
-     * <tr>
-     * <td>{@link ECKey}</td>
-     * <td><code>instanceof {@link PrivateKey}</code></td>
-     * <td>256 &lt;= size &lt;= 383 <sup>3</sup></td>
-     * <td>{@link SignatureAlgorithm#ES256 ES256}</td>
-     * </tr>
-     * <tr>
-     * <td>{@link ECKey}</td>
-     * <td><code>instanceof {@link PrivateKey}</code></td>
-     * <td>384 &lt;= size &lt;= 511</td>
-     * <td>{@link SignatureAlgorithm#ES384 ES384}</td>
-     * </tr>
-     * <tr>
-     * <td>{@link ECKey}</td>
-     * <td><code>instanceof {@link PrivateKey}</code></td>
-     * <td>4096 &lt;= size</td>
-     * <td>{@link SignatureAlgorithm#ES512 ES512}</td>
-     * </tr>
-     * <tr>
-     * <td>{@link RSAKey}</td>
-     * <td><code>instanceof {@link PrivateKey}</code></td>
-     * <td>2048 &lt;= size &lt;= 3071 <sup>4,5</sup></td>
-     * <td>{@link SignatureAlgorithm#RS256 RS256}</td>
-     * </tr>
-     * <tr>
-     * <td>{@link RSAKey}</td>
-     * <td><code>instanceof {@link PrivateKey}</code></td>
-     * <td>3072 &lt;= size &lt;= 4095 <sup>5</sup></td>
-     * <td>{@link SignatureAlgorithm#RS384 RS384}</td>
-     * </tr>
-     * <tr>
-     * <td>{@link RSAKey}</td>
-     * <td><code>instanceof {@link PrivateKey}</code></td>
-     * <td>4096 &lt;= size <sup>5</sup></td>
-     * <td>{@link SignatureAlgorithm#RS512 RS512}</td>
-     * </tr>
-     * </tbody>
-     * </table>
-     * <p>Notes:</p>
-     * <ol>
-     * <li>{@code SecretKey} instances must have an {@link Key#getAlgorithm() algorithm} name equal
-     * to {@code HmacSHA256}, {@code HmacSHA384} or {@code HmacSHA512}.  If not, the key bytes might not be
-     * suitable for HMAC signatures will be rejected with a {@link InvalidKeyException}. </li>
-     * <li>The JWT <a href="https://tools.ietf.org/html/rfc7518#section-3.2">JWA Specification (RFC 7518,
-     * Section 3.2)</a> mandates that HMAC-SHA-* signing keys <em>MUST</em> be 256 bits or greater.
-     * {@code SecretKey}s with key lengths less than 256 bits will be rejected with an
-     * {@link WeakKeyException}.</li>
-     * <li>The JWT <a href="https://tools.ietf.org/html/rfc7518#section-3.4">JWA Specification (RFC 7518,
-     * Section 3.4)</a> mandates that ECDSA signing key lengths <em>MUST</em> be 256 bits or greater.
-     * {@code ECKey}s with key lengths less than 256 bits will be rejected with a
-     * {@link WeakKeyException}.</li>
-     * <li>The JWT <a href="https://tools.ietf.org/html/rfc7518#section-3.3">JWA Specification (RFC 7518,
-     * Section 3.3)</a> mandates that RSA signing key lengths <em>MUST</em> be 2048 bits or greater.
-     * {@code RSAKey}s with key lengths less than 2048 bits will be rejected with a
-     * {@link WeakKeyException}.</li>
-     * <li>Technically any RSA key of length >= 2048 bits may be used with the {@link #RS256}, {@link #RS384}, and
-     * {@link #RS512} algorithms, so we assume an RSA signature algorithm based on the key length to
-     * parallel similar decisions in the JWT specification for HMAC and ECDSA signature algorithms.
-     * This is not required - just a convenience.</li>
-     * </ol>
-     * <p>This implementation does not return the {@link #PS256}, {@link #PS256}, {@link #PS256} RSA variant for any
-     * specified {@link RSAKey} because:
-     * <ul>
-     * <li>The JWT <a href="https://tools.ietf.org/html/rfc7518#section-3.1">JWA Specification (RFC 7518,
-     * Section 3.1)</a> indicates that {@link #RS256}, {@link #RS384}, and {@link #RS512} are
-     * recommended algorithms while the {@code PS}* variants are simply marked as optional.</li>
-     * <li>The {@link #RS256}, {@link #RS384}, and {@link #RS512} algorithms are available in the JDK by default
-     * while the {@code PS}* variants require an additional JCA Provider (like BouncyCastle).</li>
-     * </ul>
-     * </p>
-     *
-     * <p>Finally, this method will throw an {@link InvalidKeyException} for any key that does not match the
-     * heuristics and requirements documented above, since that inevitably means the Key is either insufficient or
-     * explicitly disallowed by the JWT specification.</p>
-     *
-     * @param key the key to inspect
-     * @return the recommended signature algorithm to be used with the specified key
-     * @throws InvalidKeyException for any key that does not match the heuristics and requirements documented above,
-     *                             since that inevitably means the Key is either insufficient or explicitly disallowed by the JWT specification.
-     * @since 0.10.0
-     */
-    public static SignatureAlgorithm forSigningKey(Key key) throws InvalidKeyException {
-
-        if (key == null) {
-            throw new InvalidKeyException("Key argument cannot be null.");
-        }
-
-        if (!(key instanceof SecretKey ||
-            (key instanceof PrivateKey && (key instanceof ECKey || key instanceof RSAKey)))) {
-            String msg = "JWT standard signing algorithms require either 1) a SecretKey for HMAC-SHA algorithms or " +
-                "2) a private RSAKey for RSA algorithms or 3) a private ECKey for Elliptic Curve algorithms.  " +
-                "The specified key is of type " + key.getClass().getName();
-            throw new InvalidKeyException(msg);
-        }
-
-        if (key instanceof SecretKey) {
-
-            SecretKey secretKey = (SecretKey)key;
-            int bitLength = io.jsonwebtoken.lang.Arrays.length(secretKey.getEncoded()) * Byte.SIZE;
-
-            for(SignatureAlgorithm alg : PREFERRED_HMAC_ALGS) {
-                // ensure compatibility check is based on key length. See https://github.com/jwtk/jjwt/issues/381
-                if (bitLength >= alg.minKeyLength) {
-                    return alg;
-                }
-            }
-
-            String msg = "The specified SecretKey is not strong enough to be used with JWT HMAC signature " +
-                "algorithms.  The JWT specification requires HMAC keys to be >= 256 bits long.  The specified " +
-                "key is " + bitLength + " bits.  See https://tools.ietf.org/html/rfc7518#section-3.2 for more " +
-                "information.";
-            throw new WeakKeyException(msg);
-        }
-
-        if (key instanceof RSAKey) {
-
-            RSAKey rsaKey = (RSAKey) key;
-            int bitLength = rsaKey.getModulus().bitLength();
-
-            if (bitLength >= 4096) {
-                RS512.assertValidSigningKey(key);
-                return RS512;
-            } else if (bitLength >= 3072) {
-                RS384.assertValidSigningKey(key);
-                return RS384;
-            } else if (bitLength >= RS256.minKeyLength) {
-                RS256.assertValidSigningKey(key);
-                return RS256;
-            }
-
-            String msg = "The specified RSA signing key is not strong enough to be used with JWT RSA signature " +
-                "algorithms.  The JWT specification requires RSA keys to be >= 2048 bits long.  The specified RSA " +
-                "key is " + bitLength + " bits.  See https://tools.ietf.org/html/rfc7518#section-3.3 for more " +
-                "information.";
-            throw new WeakKeyException(msg);
-        }
-
-        // if we've made it this far in the method, the key is an ECKey due to the instanceof assertions at the
-        // top of the method
-
-        ECKey ecKey = (ECKey) key;
-        int bitLength = ecKey.getParams().getOrder().bitLength();
-
-        for (SignatureAlgorithm alg : PREFERRED_EC_ALGS) {
-            if (bitLength >= alg.minKeyLength) {
-                alg.assertValidSigningKey(key);
-                return alg;
-            }
-        }
-
-        String msg = "The specified Elliptic Curve signing key is not strong enough to be used with JWT ECDSA " +
-            "signature algorithms.  The JWT specification requires ECDSA keys to be >= 256 bits long.  " +
-            "The specified ECDSA key is " + bitLength + " bits.  See " +
-            "https://tools.ietf.org/html/rfc7518#section-3.4 for more information.";
-        throw new WeakKeyException(msg);
-    }
-
-    /**
-     * Looks up and returns the corresponding {@code SignatureAlgorithm} enum instance based on a
-     * case-<em>insensitive</em> name comparison.
-     *
-     * @param value The case-insensitive name of the {@code SignatureAlgorithm} instance to return
-     * @return the corresponding {@code SignatureAlgorithm} enum instance based on a
-     * case-<em>insensitive</em> name comparison.
-     * @throws SignatureException if the specified value does not match any {@code SignatureAlgorithm}
-     *                            name.
-     */
-    public static SignatureAlgorithm forName(String value) throws SignatureException {
-        for (SignatureAlgorithm alg : values()) {
-            if (alg.getValue().equalsIgnoreCase(value)) {
-                return alg;
-            }
-        }
-
-        throw new SignatureException("Unsupported signature algorithm '" + value + "'");
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SigningKeyResolver.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SigningKeyResolver.java
index fbd9887f983..1d584612cc9 100644
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SigningKeyResolver.java
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SigningKeyResolver.java
@@ -49,25 +49,4 @@ import java.security.Key;
  */
 public interface SigningKeyResolver {
 
-    /**
-     * Returns the signing key that should be used to validate a digital signature for the Claims JWS with the specified
-     * header and claims.
-     *
-     * @param header the header of the JWS to validate
-     * @param claims the claims (body) of the JWS to validate
-     * @return the signing key that should be used to validate a digital signature for the Claims JWS with the specified
-     * header and claims.
-     */
-    Key resolveSigningKey(JwsHeader header, Claims claims);
-
-    /**
-     * Returns the signing key that should be used to validate a digital signature for the Plaintext JWS with the
-     * specified header and plaintext payload.
-     *
-     * @param header    the header of the JWS to validate
-     * @param plaintext the plaintext body of the JWS to validate
-     * @return the signing key that should be used to validate a digital signature for the Plaintext JWS with the
-     * specified header and plaintext payload.
-     */
-    Key resolveSigningKey(JwsHeader header, String plaintext);
 }
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SigningKeyResolverAdapter.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SigningKeyResolverAdapter.java
deleted file mode 100644
index 1be7ec55654..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/SigningKeyResolverAdapter.java
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken;
-
-import io.jsonwebtoken.lang.Assert;
-
-import javax.crypto.spec.SecretKeySpec;
-import java.security.Key;
-
-/**
- * An <a href="http://en.wikipedia.org/wiki/Adapter_pattern">Adapter</a> implementation of the
- * {@link SigningKeyResolver} interface that allows subclasses to process only the type of JWS body that
- * is known/expected for a particular case.
- *
- * <p>The {@link #resolveSigningKey(JwsHeader, Claims)} and {@link #resolveSigningKey(JwsHeader, String)} method
- * implementations delegate to the
- * {@link #resolveSigningKeyBytes(JwsHeader, Claims)} and {@link #resolveSigningKeyBytes(JwsHeader, String)} methods
- * respectively.  The latter two methods simply throw exceptions:  they represent scenarios expected by
- * calling code in known situations, and it is expected that you override the implementation in those known situations;
- * non-overridden *KeyBytes methods indicates that the JWS input was unexpected.</p>
- *
- * <p>If either {@link #resolveSigningKey(JwsHeader, String)} or {@link #resolveSigningKey(JwsHeader, Claims)}
- * are not overridden, one (or both) of the *KeyBytes variants must be overridden depending on your expected
- * use case.  You do not have to override any method that does not represent an expected condition.</p>
- *
- * @since 0.4
- */
-public class SigningKeyResolverAdapter implements SigningKeyResolver {
-
-    @Override
-    public Key resolveSigningKey(JwsHeader header, Claims claims) {
-        SignatureAlgorithm alg = SignatureAlgorithm.forName(header.getAlgorithm());
-        Assert.isTrue(alg.isHmac(), "The default resolveSigningKey(JwsHeader, Claims) implementation cannot be " +
-                                    "used for asymmetric key algorithms (RSA, Elliptic Curve).  " +
-                                    "Override the resolveSigningKey(JwsHeader, Claims) method instead and return a " +
-                                    "Key instance appropriate for the " + alg.name() + " algorithm.");
-        byte[] keyBytes = resolveSigningKeyBytes(header, claims);
-        return new SecretKeySpec(keyBytes, alg.getJcaName());
-    }
-
-    @Override
-    public Key resolveSigningKey(JwsHeader header, String plaintext) {
-        SignatureAlgorithm alg = SignatureAlgorithm.forName(header.getAlgorithm());
-        Assert.isTrue(alg.isHmac(), "The default resolveSigningKey(JwsHeader, String) implementation cannot be " +
-                                    "used for asymmetric key algorithms (RSA, Elliptic Curve).  " +
-                                    "Override the resolveSigningKey(JwsHeader, String) method instead and return a " +
-                                    "Key instance appropriate for the " + alg.name() + " algorithm.");
-        byte[] keyBytes = resolveSigningKeyBytes(header, plaintext);
-        return new SecretKeySpec(keyBytes, alg.getJcaName());
-    }
-
-    /**
-     * Convenience method invoked by {@link #resolveSigningKey(JwsHeader, Claims)} that obtains the necessary signing
-     * key bytes.  This implementation simply throws an exception: if the JWS parsed is a Claims JWS, you must
-     * override this method or the {@link #resolveSigningKey(JwsHeader, Claims)} method instead.
-     *
-     * <p><b>NOTE:</b> You cannot override this method when validating RSA signatures.  If you expect RSA signatures,
-     * you must override the {@link #resolveSigningKey(JwsHeader, Claims)} method instead.</p>
-     *
-     * @param header the parsed {@link JwsHeader}
-     * @param claims the parsed {@link Claims}
-     * @return the signing key bytes to use to verify the JWS signature.
-     */
-    public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
-        throw new UnsupportedJwtException("The specified SigningKeyResolver implementation does not support " +
-                                          "Claims JWS signing key resolution.  Consider overriding either the " +
-                                          "resolveSigningKey(JwsHeader, Claims) method or, for HMAC algorithms, the " +
-                                          "resolveSigningKeyBytes(JwsHeader, Claims) method.");
-    }
-
-    /**
-     * Convenience method invoked by {@link #resolveSigningKey(JwsHeader, String)} that obtains the necessary signing
-     * key bytes.  This implementation simply throws an exception: if the JWS parsed is a plaintext JWS, you must
-     * override this method or the {@link #resolveSigningKey(JwsHeader, String)} method instead.
-     *
-     * @param header the parsed {@link JwsHeader}
-     * @param payload the parsed String plaintext payload
-     * @return the signing key bytes to use to verify the JWS signature.
-     */
-    public byte[] resolveSigningKeyBytes(JwsHeader header, String payload) {
-        throw new UnsupportedJwtException("The specified SigningKeyResolver implementation does not support " +
-                                          "plaintext JWS signing key resolution.  Consider overriding either the " +
-                                          "resolveSigningKey(JwsHeader, String) method or, for HMAC algorithms, the " +
-                                          "resolveSigningKeyBytes(JwsHeader, String) method.");
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/impl/DefaultJwtParser.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/impl/DefaultJwtParser.java
index 4eef6741d47..ddd137027de 100644
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/impl/DefaultJwtParser.java
+++ b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/impl/DefaultJwtParser.java
@@ -15,44 +15,19 @@
  */
 package io.jsonwebtoken.impl;
 
-import io.jsonwebtoken.ClaimJwtException;
 import io.jsonwebtoken.Claims;
-import io.jsonwebtoken.Clock;
-import io.jsonwebtoken.CompressionCodec;
-import io.jsonwebtoken.CompressionCodecResolver;
 import io.jsonwebtoken.ExpiredJwtException;
 import io.jsonwebtoken.Header;
-import io.jsonwebtoken.IncorrectClaimException;
-import io.jsonwebtoken.InvalidClaimException;
 import io.jsonwebtoken.Jws;
 import io.jsonwebtoken.JwsHeader;
 import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.JwtHandler;
-import io.jsonwebtoken.JwtHandlerAdapter;
 import io.jsonwebtoken.JwtParser;
 import io.jsonwebtoken.MalformedJwtException;
-import io.jsonwebtoken.MissingClaimException;
-import io.jsonwebtoken.PrematureJwtException;
-import io.jsonwebtoken.SignatureAlgorithm;
+import io.jsonwebtoken.SignatureException;
 import io.jsonwebtoken.SigningKeyResolver;
-import io.jsonwebtoken.impl.crypto.JwtSignatureValidator;
-import io.jsonwebtoken.UnsupportedJwtException;
-import io.jsonwebtoken.io.Decoder;
-import io.jsonwebtoken.io.Decoders;
-import io.jsonwebtoken.io.DeserializationException;
-import io.jsonwebtoken.io.Deserializer;
-import io.jsonwebtoken.lang.Assert;
-import io.jsonwebtoken.lang.DateFormats;
-import io.jsonwebtoken.lang.Objects;
-import io.jsonwebtoken.lang.Strings;
-import io.jsonwebtoken.security.InvalidKeyException;
-import io.jsonwebtoken.security.SignatureException;
-import io.jsonwebtoken.security.WeakKeyException;
 
-import javax.crypto.spec.SecretKeySpec;
 import java.security.Key;
-import java.util.Date;
-import java.util.Map;
 
 @SuppressWarnings("unchecked")
 public class DefaultJwtParser implements JwtParser {
@@ -60,71 +35,6 @@ public class DefaultJwtParser implements JwtParser {
     public DefaultJwtParser() {
     }
 
-    DefaultJwtParser(SigningKeyResolver signingKeyResolver, Key key, byte[] keyBytes, Clock clock,
-            long allowedClockSkewMillis, Claims expectedClaims, Decoder<String, byte[]> base64UrlDecoder,
-            Deserializer<Map<String, ?>> deserializer, CompressionCodecResolver compressionCodecResolver) {
-    }
-
-    @Override
-    public JwtParser deserializeJsonWith(Deserializer<Map<String, ?>> deserializer) {
-        return null;
-    }
-
-    @Override
-    public JwtParser base64UrlDecodeWith(Decoder<String, byte[]> base64UrlDecoder) {
-        return null;
-    }
-
-    @Override
-    public JwtParser requireIssuedAt(Date issuedAt) {
-        return null;
-    }
-
-    @Override
-    public JwtParser requireIssuer(String issuer) {
-        return null;
-    }
-
-    @Override
-    public JwtParser requireAudience(String audience) {
-        return null;
-    }
-
-    @Override
-    public JwtParser requireSubject(String subject) {
-        return null;
-    }
-
-    @Override
-    public JwtParser requireId(String id) {
-        return null;
-    }
-
-    @Override
-    public JwtParser requireExpiration(Date expiration) {
-        return null;
-    }
-
-    @Override
-    public JwtParser requireNotBefore(Date notBefore) {
-        return null;
-    }
-
-    @Override
-    public JwtParser require(String claimName, Object value) {
-        return null;
-    }
-
-    @Override
-    public JwtParser setClock(Clock clock) {
-        return null;
-    }
-
-    @Override
-    public JwtParser setAllowedClockSkewSeconds(long seconds) throws IllegalArgumentException {
-        return null;
-    }
-
     @Override
     public JwtParser setSigningKey(byte[] key) {
         return null;
@@ -145,39 +55,11 @@ public class DefaultJwtParser implements JwtParser {
         return null;
     }
 
-    @Override
-    public JwtParser setCompressionCodecResolver(CompressionCodecResolver compressionCodecResolver) {
-        return null;
-    }
-
-    @Override
-    public boolean isSigned(String jwt) {
-        return false;
-    }
-
     @Override
     public Jwt parse(String jwt) throws ExpiredJwtException, MalformedJwtException, SignatureException {
         return null;
     }
 
-    /**
-     * @since 0.10.0
-     */
-    private static Object normalize(Object o) {
-        return null;
-    }
-
-    private void validateExpectedClaims(Header header, Claims claims) {
-        return;
-    }
-
-    /*
-     * @since 0.5 mostly to allow testing overrides
-     */
-    protected JwtSignatureValidator createSignatureValidator(SignatureAlgorithm alg, Key key) {
-        return null;
-    }
-
     @Override
     public <T> T parse(String compact, JwtHandler<T> handler)
             throws ExpiredJwtException, MalformedJwtException, SignatureException {
@@ -203,9 +85,4 @@ public class DefaultJwtParser implements JwtParser {
     public Jws<Claims> parseClaimsJws(String claimsJws) {
         return null;
     }
-
-    @SuppressWarnings("unchecked")
-    protected Map<String, ?> readValue(String val) {
-        return null;
-    }
 }
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/impl/crypto/JwtSignatureValidator.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/impl/crypto/JwtSignatureValidator.java
deleted file mode 100644
index a7175070bfe..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/impl/crypto/JwtSignatureValidator.java
+++ /dev/null
@@ -1,21 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.impl.crypto;
-
-public interface JwtSignatureValidator {
-
-    boolean isValid(String jwtWithoutSignature, String base64UrlEncodedSignature);
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64.java
deleted file mode 100644
index 201e3c543e2..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64.java
+++ /dev/null
@@ -1,680 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-import java.util.Arrays;
-
-/**
- * A very fast and memory efficient class to encode and decode to and from BASE64 or BASE64URL in full accordance
- * with <a href="https://tools.ietf.org/html/rfc4648">RFC 4648</a>.
- *
- * <p>Based initially on MigBase64 with continued modifications for Base64 URL support and JDK-standard code formatting.</p>
- *
- * <p>This encode/decode algorithm doesn't create any temporary arrays as many other codecs do, it only
- * allocates the resulting array. This produces less garbage and it is possible to handle arrays twice
- * as large as algorithms that create a temporary array.</p>
- *
- * <p>There is also a "fast" version of all decode methods that works the same way as the normal ones, but
- * has a few demands on the decoded input. Normally though, these fast versions should be used if the source if
- * the input is known and it hasn't bee tampered with.</p>
- *
- * @author Mikael Grev
- * @author Les Hazlewood
- * @since 0.10.0
- */
-@SuppressWarnings("Duplicates")
-final class Base64 { //final and package-protected on purpose
-
-    private static final char[] BASE64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".toCharArray();
-    private static final char[] BASE64URL_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_".toCharArray();
-    private static final int[] BASE64_IALPHABET = new int[256];
-    private static final int[] BASE64URL_IALPHABET = new int[256];
-    private static final int IALPHABET_MAX_INDEX = BASE64_IALPHABET.length - 1;
-
-    static {
-        Arrays.fill(BASE64_IALPHABET, -1);
-        System.arraycopy(BASE64_IALPHABET, 0, BASE64URL_IALPHABET, 0, BASE64_IALPHABET.length);
-        for (int i = 0, iS = BASE64_ALPHABET.length; i < iS; i++) {
-            BASE64_IALPHABET[BASE64_ALPHABET[i]] = i;
-            BASE64URL_IALPHABET[BASE64URL_ALPHABET[i]] = i;
-        }
-        BASE64_IALPHABET['='] = 0;
-        BASE64URL_IALPHABET['='] = 0;
-    }
-
-    static final Base64 DEFAULT = new Base64(false);
-    static final Base64 URL_SAFE = new Base64(true);
-
-    private final boolean urlsafe;
-    private final char[] ALPHABET;
-    private final int[] IALPHABET;
-
-    private Base64(boolean urlsafe) {
-        this.urlsafe = urlsafe;
-        this.ALPHABET = urlsafe ? BASE64URL_ALPHABET : BASE64_ALPHABET;
-        this.IALPHABET = urlsafe ? BASE64URL_IALPHABET : BASE64_IALPHABET;
-    }
-
-    // ****************************************************************************************
-    // *  char[] version
-    // ****************************************************************************************
-
-    private String getName() {
-        return urlsafe ? "base64url" : "base64"; // RFC 4648 codec names are all lowercase
-    }
-
-    /**
-     * Encodes a raw byte array into a BASE64 <code>char[]</code> representation in accordance with RFC 2045.
-     *
-     * @param sArr    The bytes to convert. If <code>null</code> or length 0 an empty array will be returned.
-     * @param lineSep Optional "\r\n" after 76 characters, unless end of file.<br>
-     *                No line separator will be in breach of RFC 2045 which specifies max 76 per line but will be a
-     *                little faster.
-     * @return A BASE64 encoded array. Never <code>null</code>.
-     */
-    private char[] encodeToChar(byte[] sArr, boolean lineSep) {
-
-        // Check special case
-        int sLen = sArr != null ? sArr.length : 0;
-        if (sLen == 0) {
-            return new char[0];
-        }
-
-        int eLen = (sLen / 3) * 3; // # of bytes that can encode evenly into 24-bit chunks
-        int left = sLen - eLen;    // # of bytes that remain after 24-bit chunking. Always 0, 1 or 2
-
-        int cCnt = (((sLen - 1) / 3 + 1) << 2); // # of base64-encoded characters including padding
-        int dLen = cCnt + (lineSep ? (cCnt - 1) / 76 << 1 : 0); // Length of returned char array with padding and any line separators
-
-        int padCount = 0;
-        if (left == 2) {
-            padCount = 1;
-        } else if (left == 1) {
-            padCount = 2;
-        }
-
-        char[] dArr = new char[urlsafe ? (dLen - padCount) : dLen];
-
-        // Encode even 24-bits
-        for (int s = 0, d = 0, cc = 0; s < eLen; ) {
-
-            // Copy next three bytes into lower 24 bits of int, paying attension to sign.
-            int i = (sArr[s++] & 0xff) << 16 | (sArr[s++] & 0xff) << 8 | (sArr[s++] & 0xff);
-
-            // Encode the int into four chars
-            dArr[d++] = ALPHABET[(i >>> 18) & 0x3f];
-            dArr[d++] = ALPHABET[(i >>> 12) & 0x3f];
-            dArr[d++] = ALPHABET[(i >>> 6) & 0x3f];
-            dArr[d++] = ALPHABET[i & 0x3f];
-
-            // Add optional line separator
-            if (lineSep && ++cc == 19 && d < dLen - 2) {
-                dArr[d++] = '\r';
-                dArr[d++] = '\n';
-                cc = 0;
-            }
-        }
-
-        // Pad and encode last bits if source isn't even 24 bits.
-        if (left > 0) {
-            // Prepare the int
-            int i = ((sArr[eLen] & 0xff) << 10) | (left == 2 ? ((sArr[sLen - 1] & 0xff) << 2) : 0);
-
-            // Set last four chars
-            dArr[dLen - 4] = ALPHABET[i >> 12];
-            dArr[dLen - 3] = ALPHABET[(i >>> 6) & 0x3f];
-            //dArr[dLen - 2] = left == 2 ? ALPHABET[i & 0x3f] : '=';
-            //dArr[dLen - 1] = '=';
-            if (left == 2) {
-                dArr[dLen - 2] = ALPHABET[i & 0x3f];
-            } else if (!urlsafe) { // if not urlsafe, we need to include the padding characters
-                dArr[dLen - 2] = '=';
-            }
-            if (!urlsafe) { // include padding
-                dArr[dLen - 1] = '=';
-            }
-        }
-        return dArr;
-    }
-
-    /*
-     * Decodes a BASE64 encoded char array. All illegal characters will be ignored and can handle both arrays with
-     * and without line separators.
-     *
-     * @param sArr The source array. <code>null</code> or length 0 will return an empty array.
-     * @return The decoded array of bytes. May be of length 0. Will be <code>null</code> if the legal characters
-     * (including '=') isn't divideable by 4.  (I.e. definitely corrupted).
-     *
-    public final byte[] decode(char[] sArr) {
-        // Check special case
-        int sLen = sArr != null ? sArr.length : 0;
-        if (sLen == 0) {
-            return new byte[0];
-        }
-
-        // Count illegal characters (including '\r', '\n') to know what size the returned array will be,
-        // so we don't have to reallocate & copy it later.
-        int sepCnt = 0; // Number of separator characters. (Actually illegal characters, but that's a bonus...)
-        for (int i = 0; i < sLen; i++) { // If input is "pure" (I.e. no line separators or illegal chars) base64 this loop can be commented out.
-            if (IALPHABET[sArr[i]] < 0) {
-                sepCnt++;
-            }
-        }
-
-        // Check so that legal chars (including '=') are evenly divideable by 4 as specified in RFC 2045.
-        if ((sLen - sepCnt) % 4 != 0) {
-            return null;
-        }
-
-        int pad = 0;
-        for (int i = sLen; i > 1 && IALPHABET[sArr[--i]] <= 0; ) {
-            if (sArr[i] == '=') {
-                pad++;
-            }
-        }
-
-        int len = ((sLen - sepCnt) * 6 >> 3) - pad;
-
-        byte[] dArr = new byte[len];       // Preallocate byte[] of exact length
-
-        for (int s = 0, d = 0; d < len; ) {
-            // Assemble three bytes into an int from four "valid" characters.
-            int i = 0;
-            for (int j = 0; j < 4; j++) {   // j only increased if a valid char was found.
-                int c = IALPHABET[sArr[s++]];
-                if (c >= 0) {
-                    i |= c << (18 - j * 6);
-                } else {
-                    j--;
-                }
-            }
-            // Add the bytes
-            dArr[d++] = (byte) (i >> 16);
-            if (d < len) {
-                dArr[d++] = (byte) (i >> 8);
-                if (d < len) {
-                    dArr[d++] = (byte) i;
-                }
-            }
-        }
-        return dArr;
-    }
-    */
-
-    private int ctoi(char c) {
-        int i = c > IALPHABET_MAX_INDEX ? -1 : IALPHABET[c];
-        if (i < 0) {
-            String msg = "Illegal " + getName() + " character: '" + c + "'";
-            throw new DecodingException(msg);
-        }
-        return i;
-    }
-
-    /**
-     * Decodes a BASE64 encoded char array that is known to be reasonably well formatted. The preconditions are:<br>
-     * + The array must have a line length of 76 chars OR no line separators at all (one line).<br>
-     * + Line separator must be "\r\n", as specified in RFC 2045
-     * + The array must not contain illegal characters within the encoded string<br>
-     * + The array CAN have illegal characters at the beginning and end, those will be dealt with appropriately.<br>
-     *
-     * @param sArr The source array. Length 0 will return an empty array. <code>null</code> will throw an exception.
-     * @return The decoded array of bytes. May be of length 0.
-     * @throws DecodingException on illegal input
-     */
-    final byte[] decodeFast(char[] sArr) throws DecodingException {
-
-        // Check special case
-        int sLen = sArr != null ? sArr.length : 0;
-        if (sLen == 0) {
-            return new byte[0];
-        }
-
-        int sIx = 0, eIx = sLen - 1;    // Start and end index after trimming.
-
-        // Trim illegal chars from start
-        while (sIx < eIx && IALPHABET[sArr[sIx]] < 0) {
-            sIx++;
-        }
-
-        // Trim illegal chars from end
-        while (eIx > 0 && IALPHABET[sArr[eIx]] < 0) {
-            eIx--;
-        }
-
-        // get the padding count (=) (0, 1 or 2)
-        int pad = sArr[eIx] == '=' ? (sArr[eIx - 1] == '=' ? 2 : 1) : 0;  // Count '=' at end.
-        int cCnt = eIx - sIx + 1;   // Content count including possible separators
-        int sepCnt = sLen > 76 ? (sArr[76] == '\r' ? cCnt / 78 : 0) << 1 : 0;
-
-        int len = ((cCnt - sepCnt) * 6 >> 3) - pad; // The number of decoded bytes
-        byte[] dArr = new byte[len];       // Preallocate byte[] of exact length
-
-        // Decode all but the last 0 - 2 bytes.
-        int d = 0;
-        for (int cc = 0, eLen = (len / 3) * 3; d < eLen; ) {
-
-            // Assemble three bytes into an int from four "valid" characters.
-            int i = ctoi(sArr[sIx++]) << 18 | ctoi(sArr[sIx++]) << 12 | ctoi(sArr[sIx++]) << 6 | ctoi(sArr[sIx++]);
-
-            // Add the bytes
-            dArr[d++] = (byte) (i >> 16);
-            dArr[d++] = (byte) (i >> 8);
-            dArr[d++] = (byte) i;
-
-            // If line separator, jump over it.
-            if (sepCnt > 0 && ++cc == 19) {
-                sIx += 2;
-                cc = 0;
-            }
-        }
-
-        if (d < len) {
-            // Decode last 1-3 bytes (incl '=') into 1-3 bytes
-            int i = 0;
-            for (int j = 0; sIx <= eIx - pad; j++) {
-                i |= ctoi(sArr[sIx++]) << (18 - j * 6);
-            }
-
-            for (int r = 16; d < len; r -= 8) {
-                dArr[d++] = (byte) (i >> r);
-            }
-        }
-
-        return dArr;
-    }
-
-    // ****************************************************************************************
-    // *  byte[] version
-    // ****************************************************************************************
-
-    /*
-     * Encodes a raw byte array into a BASE64 <code>byte[]</code> representation i accordance with RFC 2045.
-     *
-     * @param sArr    The bytes to convert. If <code>null</code> or length 0 an empty array will be returned.
-     * @param lineSep Optional "\r\n" after 76 characters, unless end of file.<br>
-     *                No line separator will be in breach of RFC 2045 which specifies max 76 per line but will be a
-     *                little faster.
-     * @return A BASE64 encoded array. Never <code>null</code>.
-     *
-    public final byte[] encodeToByte(byte[] sArr, boolean lineSep) {
-        return encodeToByte(sArr, 0, sArr != null ? sArr.length : 0, lineSep);
-    }
-
-    /**
-     * Encodes a raw byte array into a BASE64 <code>byte[]</code> representation i accordance with RFC 2045.
-     *
-     * @param sArr    The bytes to convert. If <code>null</code> an empty array will be returned.
-     * @param sOff    The starting position in the bytes to convert.
-     * @param sLen    The number of bytes to convert. If 0 an empty array will be returned.
-     * @param lineSep Optional "\r\n" after 76 characters, unless end of file.<br>
-     *                No line separator will be in breach of RFC 2045 which specifies max 76 per line but will be a
-     *                little faster.
-     * @return A BASE64 encoded array. Never <code>null</code>.
-     *
-    public final byte[] encodeToByte(byte[] sArr, int sOff, int sLen, boolean lineSep) {
-
-        // Check special case
-        if (sArr == null || sLen == 0) {
-            return new byte[0];
-        }
-
-        int eLen = (sLen / 3) * 3;                              // Length of even 24-bits.
-        int cCnt = ((sLen - 1) / 3 + 1) << 2;                   // Returned character count
-        int dLen = cCnt + (lineSep ? (cCnt - 1) / 76 << 1 : 0); // Length of returned array
-        byte[] dArr = new byte[dLen];
-
-        // Encode even 24-bits
-        for (int s = sOff, d = 0, cc = 0; s < sOff + eLen; ) {
-
-            // Copy next three bytes into lower 24 bits of int, paying attension to sign.
-            int i = (sArr[s++] & 0xff) << 16 | (sArr[s++] & 0xff) << 8 | (sArr[s++] & 0xff);
-
-            // Encode the int into four chars
-            dArr[d++] = (byte) ALPHABET[(i >>> 18) & 0x3f];
-            dArr[d++] = (byte) ALPHABET[(i >>> 12) & 0x3f];
-            dArr[d++] = (byte) ALPHABET[(i >>> 6) & 0x3f];
-            dArr[d++] = (byte) ALPHABET[i & 0x3f];
-
-            // Add optional line separator
-            if (lineSep && ++cc == 19 && d < dLen - 2) {
-                dArr[d++] = '\r';
-                dArr[d++] = '\n';
-                cc = 0;
-            }
-        }
-
-        // Pad and encode last bits if source isn't an even 24 bits.
-        int left = sLen - eLen; // 0 - 2.
-        if (left > 0) {
-            // Prepare the int
-            int i = ((sArr[sOff + eLen] & 0xff) << 10) | (left == 2 ? ((sArr[sOff + sLen - 1] & 0xff) << 2) : 0);
-
-            // Set last four chars
-            dArr[dLen - 4] = (byte) ALPHABET[i >> 12];
-            dArr[dLen - 3] = (byte) ALPHABET[(i >>> 6) & 0x3f];
-            dArr[dLen - 2] = left == 2 ? (byte) ALPHABET[i & 0x3f] : (byte) '=';
-            dArr[dLen - 1] = '=';
-        }
-        return dArr;
-    }
-
-    /**
-     * Decodes a BASE64 encoded byte array. All illegal characters will be ignored and can handle both arrays with
-     * and without line separators.
-     *
-     * @param sArr The source array. Length 0 will return an empty array. <code>null</code> will throw an exception.
-     * @return The decoded array of bytes. May be of length 0. Will be <code>null</code> if the legal characters
-     * (including '=') isn't divideable by 4. (I.e. definitely corrupted).
-     *
-    public final byte[] decode(byte[] sArr) {
-        return decode(sArr, 0, sArr.length);
-    }
-
-    /**
-     * Decodes a BASE64 encoded byte array. All illegal characters will be ignored and can handle both arrays with
-     * and without line separators.
-     *
-     * @param sArr The source array. <code>null</code> will throw an exception.
-     * @param sOff The starting position in the source array.
-     * @param sLen The number of bytes to decode from the source array. Length 0 will return an empty array.
-     * @return The decoded array of bytes. May be of length 0. Will be <code>null</code> if the legal characters
-     * (including '=') isn't divideable by 4. (I.e. definitely corrupted).
-     *
-    public final byte[] decode(byte[] sArr, int sOff, int sLen) {
-
-        // Count illegal characters (including '\r', '\n') to know what size the returned array will be,
-        // so we don't have to reallocate & copy it later.
-        int sepCnt = 0; // Number of separator characters. (Actually illegal characters, but that's a bonus...)
-        for (int i = 0; i < sLen; i++) {     // If input is "pure" (I.e. no line separators or illegal chars) base64 this loop can be commented out.
-            if (IALPHABET[sArr[sOff + i] & 0xff] < 0) {
-                sepCnt++;
-            }
-        }
-
-        // Check so that legal chars (including '=') are evenly divideable by 4 as specified in RFC 2045.
-        if ((sLen - sepCnt) % 4 != 0) {
-            return null;
-        }
-
-        int pad = 0;
-        for (int i = sLen; i > 1 && IALPHABET[sArr[sOff + --i] & 0xff] <= 0; ) {
-            if (sArr[sOff + i] == '=') {
-                pad++;
-            }
-        }
-
-        int len = ((sLen - sepCnt) * 6 >> 3) - pad;
-
-        byte[] dArr = new byte[len];       // Preallocate byte[] of exact length
-
-        for (int s = 0, d = 0; d < len; ) {
-            // Assemble three bytes into an int from four "valid" characters.
-            int i = 0;
-            for (int j = 0; j < 4; j++) {   // j only increased if a valid char was found.
-                int c = IALPHABET[sArr[sOff + s++] & 0xff];
-                if (c >= 0) {
-                    i |= c << (18 - j * 6);
-                } else {
-                    j--;
-                }
-            }
-
-            // Add the bytes
-            dArr[d++] = (byte) (i >> 16);
-            if (d < len) {
-                dArr[d++] = (byte) (i >> 8);
-                if (d < len) {
-                    dArr[d++] = (byte) i;
-                }
-            }
-        }
-
-        return dArr;
-    }
-
-
-    /*
-     * Decodes a BASE64 encoded byte array that is known to be resonably well formatted. The method is about twice as
-     * fast as {@link #decode(byte[])}. The preconditions are:<br>
-     * + The array must have a line length of 76 chars OR no line separators at all (one line).<br>
-     * + Line separator must be "\r\n", as specified in RFC 2045
-     * + The array must not contain illegal characters within the encoded string<br>
-     * + The array CAN have illegal characters at the beginning and end, those will be dealt with appropriately.<br>
-     *
-     * @param sArr The source array. Length 0 will return an empty array. <code>null</code> will throw an exception.
-     * @return The decoded array of bytes. May be of length 0.
-     *
-    public final byte[] decodeFast(byte[] sArr) {
-
-        // Check special case
-        int sLen = sArr.length;
-        if (sLen == 0) {
-            return new byte[0];
-        }
-
-        int sIx = 0, eIx = sLen - 1;    // Start and end index after trimming.
-
-        // Trim illegal chars from start
-        while (sIx < eIx && IALPHABET[sArr[sIx] & 0xff] < 0) {
-            sIx++;
-        }
-
-        // Trim illegal chars from end
-        while (eIx > 0 && IALPHABET[sArr[eIx] & 0xff] < 0) {
-            eIx--;
-        }
-
-        // get the padding count (=) (0, 1 or 2)
-        int pad = sArr[eIx] == '=' ? (sArr[eIx - 1] == '=' ? 2 : 1) : 0;  // Count '=' at end.
-        int cCnt = eIx - sIx + 1;   // Content count including possible separators
-        int sepCnt = sLen > 76 ? (sArr[76] == '\r' ? cCnt / 78 : 0) << 1 : 0;
-
-        int len = ((cCnt - sepCnt) * 6 >> 3) - pad; // The number of decoded bytes
-        byte[] dArr = new byte[len];       // Preallocate byte[] of exact length
-
-        // Decode all but the last 0 - 2 bytes.
-        int d = 0;
-        for (int cc = 0, eLen = (len / 3) * 3; d < eLen; ) {
-
-            // Assemble three bytes into an int from four "valid" characters.
-            int i = IALPHABET[sArr[sIx++]] << 18 | IALPHABET[sArr[sIx++]] << 12 | IALPHABET[sArr[sIx++]] << 6 | IALPHABET[sArr[sIx++]];
-
-            // Add the bytes
-            dArr[d++] = (byte) (i >> 16);
-            dArr[d++] = (byte) (i >> 8);
-            dArr[d++] = (byte) i;
-
-            // If line separator, jump over it.
-            if (sepCnt > 0 && ++cc == 19) {
-                sIx += 2;
-                cc = 0;
-            }
-        }
-
-        if (d < len) {
-            // Decode last 1-3 bytes (incl '=') into 1-3 bytes
-            int i = 0;
-            for (int j = 0; sIx <= eIx - pad; j++) {
-                i |= IALPHABET[sArr[sIx++]] << (18 - j * 6);
-            }
-
-            for (int r = 16; d < len; r -= 8) {
-                dArr[d++] = (byte) (i >> r);
-            }
-        }
-
-        return dArr;
-    }
-    */
-
-    // ****************************************************************************************
-    // * String version
-    // ****************************************************************************************
-
-    /**
-     * Encodes a raw byte array into a BASE64 <code>String</code> representation i accordance with RFC 2045.
-     *
-     * @param sArr    The bytes to convert. If <code>null</code> or length 0 an empty array will be returned.
-     * @param lineSep Optional "\r\n" after 76 characters, unless end of file.<br>
-     *                No line separator will be in breach of RFC 2045 which specifies max 76 per line but will be a
-     *                little faster.
-     * @return A BASE64 encoded array. Never <code>null</code>.
-     */
-    final String encodeToString(byte[] sArr, boolean lineSep) {
-        // Reuse char[] since we can't create a String incrementally anyway and StringBuffer/Builder would be slower.
-        return new String(encodeToChar(sArr, lineSep));
-    }
-
-    /*
-     * Decodes a BASE64 encoded <code>String</code>. All illegal characters will be ignored and can handle both strings with
-     * and without line separators.<br>
-     * <b>Note!</b> It can be up to about 2x the speed to call <code>decode(str.toCharArray())</code> instead. That
-     * will create a temporary array though. This version will use <code>str.charAt(i)</code> to iterate the string.
-     *
-     * @param str The source string. <code>null</code> or length 0 will return an empty array.
-     * @return The decoded array of bytes. May be of length 0. Will be <code>null</code> if the legal characters
-     * (including '=') isn't divideable by 4.  (I.e. definitely corrupted).
-     *
-    public final byte[] decode(String str) {
-
-        // Check special case
-        int sLen = str != null ? str.length() : 0;
-        if (sLen == 0) {
-            return new byte[0];
-        }
-
-        // Count illegal characters (including '\r', '\n') to know what size the returned array will be,
-        // so we don't have to reallocate & copy it later.
-        int sepCnt = 0; // Number of separator characters. (Actually illegal characters, but that's a bonus...)
-        for (int i = 0; i < sLen; i++) { // If input is "pure" (I.e. no line separators or illegal chars) base64 this loop can be commented out.
-            if (IALPHABET[str.charAt(i)] < 0) {
-                sepCnt++;
-            }
-        }
-
-        // Check so that legal chars (including '=') are evenly divideable by 4 as specified in RFC 2045.
-        if ((sLen - sepCnt) % 4 != 0) {
-            return null;
-        }
-
-        // Count '=' at end
-        int pad = 0;
-        for (int i = sLen; i > 1 && IALPHABET[str.charAt(--i)] <= 0; ) {
-            if (str.charAt(i) == '=') {
-                pad++;
-            }
-        }
-
-        int len = ((sLen - sepCnt) * 6 >> 3) - pad;
-
-        byte[] dArr = new byte[len];       // Preallocate byte[] of exact length
-
-        for (int s = 0, d = 0; d < len; ) {
-            // Assemble three bytes into an int from four "valid" characters.
-            int i = 0;
-            for (int j = 0; j < 4; j++) {   // j only increased if a valid char was found.
-                int c = IALPHABET[str.charAt(s++)];
-                if (c >= 0) {
-                    i |= c << (18 - j * 6);
-                } else {
-                    j--;
-                }
-            }
-            // Add the bytes
-            dArr[d++] = (byte) (i >> 16);
-            if (d < len) {
-                dArr[d++] = (byte) (i >> 8);
-                if (d < len) {
-                    dArr[d++] = (byte) i;
-                }
-            }
-        }
-        return dArr;
-    }
-
-    /**
-     * Decodes a BASE64 encoded string that is known to be resonably well formatted. The method is about twice as
-     * fast as {@link #decode(String)}. The preconditions are:<br>
-     * + The array must have a line length of 76 chars OR no line separators at all (one line).<br>
-     * + Line separator must be "\r\n", as specified in RFC 2045
-     * + The array must not contain illegal characters within the encoded string<br>
-     * + The array CAN have illegal characters at the beginning and end, those will be dealt with appropriately.<br>
-     *
-     * @param s The source string. Length 0 will return an empty array. <code>null</code> will throw an exception.
-     * @return The decoded array of bytes. May be of length 0.
-     *
-    public final byte[] decodeFast(String s) {
-
-        // Check special case
-        int sLen = s.length();
-        if (sLen == 0) {
-            return new byte[0];
-        }
-
-        int sIx = 0, eIx = sLen - 1;    // Start and end index after trimming.
-
-        // Trim illegal chars from start
-        while (sIx < eIx && IALPHABET[s.charAt(sIx) & 0xff] < 0) {
-            sIx++;
-        }
-
-        // Trim illegal chars from end
-        while (eIx > 0 && IALPHABET[s.charAt(eIx) & 0xff] < 0) {
-            eIx--;
-        }
-
-        // get the padding count (=) (0, 1 or 2)
-        int pad = s.charAt(eIx) == '=' ? (s.charAt(eIx - 1) == '=' ? 2 : 1) : 0;  // Count '=' at end.
-        int cCnt = eIx - sIx + 1;   // Content count including possible separators
-        int sepCnt = sLen > 76 ? (s.charAt(76) == '\r' ? cCnt / 78 : 0) << 1 : 0;
-
-        int len = ((cCnt - sepCnt) * 6 >> 3) - pad; // The number of decoded bytes
-        byte[] dArr = new byte[len];       // Preallocate byte[] of exact length
-
-        // Decode all but the last 0 - 2 bytes.
-        int d = 0;
-        for (int cc = 0, eLen = (len / 3) * 3; d < eLen; ) {
-            // Assemble three bytes into an int from four "valid" characters.
-            int i = IALPHABET[s.charAt(sIx++)] << 18 | IALPHABET[s.charAt(sIx++)] << 12 | IALPHABET[s.charAt(sIx++)] << 6 | IALPHABET[s.charAt(sIx++)];
-
-            // Add the bytes
-            dArr[d++] = (byte) (i >> 16);
-            dArr[d++] = (byte) (i >> 8);
-            dArr[d++] = (byte) i;
-
-            // If line separator, jump over it.
-            if (sepCnt > 0 && ++cc == 19) {
-                sIx += 2;
-                cc = 0;
-            }
-        }
-
-        if (d < len) {
-            // Decode last 1-3 bytes (incl '=') into 1-3 bytes
-            int i = 0;
-            for (int j = 0; sIx <= eIx - pad; j++) {
-                i |= IALPHABET[s.charAt(sIx++)] << (18 - j * 6);
-            }
-
-            for (int r = 16; d < len; r -= 8) {
-                dArr[d++] = (byte) (i >> r);
-            }
-        }
-
-        return dArr;
-    }
-    */
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Decoder.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Decoder.java
deleted file mode 100644
index 3c8bc817daa..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Decoder.java
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-import io.jsonwebtoken.lang.Assert;
-
-/**
- * @since 0.10.0
- */
-class Base64Decoder extends Base64Support implements Decoder<String, byte[]> {
-
-    Base64Decoder() {
-        super(Base64.DEFAULT);
-    }
-
-    Base64Decoder(Base64 base64) {
-        super(base64);
-    }
-
-    @Override
-    public byte[] decode(String s) throws DecodingException {
-        Assert.notNull(s, "String argument cannot be null");
-        return this.base64.decodeFast(s.toCharArray());
-    }
-}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Encoder.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Encoder.java
deleted file mode 100644
index 963d8810c7b..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Encoder.java
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-import io.jsonwebtoken.lang.Assert;
-
-/**
- * @since 0.10.0
- */
-class Base64Encoder extends Base64Support implements Encoder<byte[], String> {
-
-    Base64Encoder() {
-        super(Base64.DEFAULT);
-    }
-
-    Base64Encoder(Base64 base64) {
-        super(base64);
-    }
-
-    @Override
-    public String encode(byte[] bytes) throws EncodingException {
-        Assert.notNull(bytes, "byte array argument cannot be null");
-        return this.base64.encodeToString(bytes, false);
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Support.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Support.java
deleted file mode 100644
index eed404d5834..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64Support.java
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-import io.jsonwebtoken.lang.Assert;
-
-/**
- * @since 0.10.0
- */
-class Base64Support {
-
-    protected final Base64 base64;
-
-    Base64Support(Base64 base64) {
-        Assert.notNull(base64, "Base64 argument cannot be null");
-        this.base64 = base64;
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64UrlDecoder.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64UrlDecoder.java
deleted file mode 100644
index 0d26d948fad..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64UrlDecoder.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-/**
- * @since 0.10.0
- */
-class Base64UrlDecoder extends Base64Decoder {
-
-    Base64UrlDecoder() {
-        super(Base64.URL_SAFE);
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64UrlEncoder.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64UrlEncoder.java
deleted file mode 100644
index 86781922259..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Base64UrlEncoder.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-/**
- * @since 0.10.0
- */
-class Base64UrlEncoder extends Base64Encoder {
-
-    Base64UrlEncoder() {
-        super(Base64.URL_SAFE);
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/CodecException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/CodecException.java
deleted file mode 100644
index 5b449bd97e0..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/CodecException.java
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-/**
- * @since 0.10.0
- */
-public class CodecException extends IOException {
-
-    public CodecException(String message) {
-        super(message);
-    }
-
-    public CodecException(String message, Throwable cause) {
-        super(message, cause);
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Decoder.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Decoder.java
deleted file mode 100644
index f9f2c189073..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Decoder.java
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-/**
- * @since 0.10.0
- */
-public interface Decoder<T, R> {
-
-    R decode(T t) throws DecodingException;
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Decoders.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Decoders.java
deleted file mode 100644
index 3e95c28d754..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Decoders.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-/**
- * @since 0.10.0
- */
-public final class Decoders {
-
-    public static final Decoder<String, byte[]> BASE64 = new ExceptionPropagatingDecoder<>(new Base64Decoder());
-    public static final Decoder<String, byte[]> BASE64URL = new ExceptionPropagatingDecoder<>(new Base64UrlDecoder());
-
-    private Decoders() { //prevent instantiation
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/DecodingException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/DecodingException.java
deleted file mode 100644
index 0bbe62a160e..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/DecodingException.java
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-/**
- * @since 0.10.0
- */
-public class DecodingException extends CodecException {
-
-    public DecodingException(String message) {
-        super(message);
-    }
-
-    public DecodingException(String message, Throwable cause) {
-        super(message, cause);
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/DeserializationException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/DeserializationException.java
deleted file mode 100644
index 59559666a47..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/DeserializationException.java
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-/**
- * @since 0.10.0
- */
-public class DeserializationException extends SerialException {
-
-    public DeserializationException(String msg) {
-        super(msg);
-    }
-
-    public DeserializationException(String message, Throwable cause) {
-        super(message, cause);
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Deserializer.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Deserializer.java
deleted file mode 100644
index f66a73edb91..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Deserializer.java
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-/**
- * @since 0.10.0
- */
-public interface Deserializer<T> {
-
-    T deserialize(byte[] bytes) throws DeserializationException;
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Encoder.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Encoder.java
deleted file mode 100644
index 6b28f31ec82..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Encoder.java
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-/**
- * @since 0.10.0
- */
-public interface Encoder<T, R> {
-
-    R encode(T t) throws EncodingException;
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Encoders.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Encoders.java
deleted file mode 100644
index 3b7c060f617..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Encoders.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-/**
- * @since 0.10.0
- */
-public final class Encoders {
-
-    public static final Encoder<byte[], String> BASE64 = new ExceptionPropagatingEncoder<>(new Base64Encoder());
-    public static final Encoder<byte[], String> BASE64URL = new ExceptionPropagatingEncoder<>(new Base64UrlEncoder());
-
-    private Encoders() { //prevent instantiation
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/EncodingException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/EncodingException.java
deleted file mode 100644
index 5b65389a1ff..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/EncodingException.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-/**
- * @since 0.10.0
- */
-public class EncodingException extends CodecException {
-
-    public EncodingException(String message, Throwable cause) {
-        super(message, cause);
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/ExceptionPropagatingDecoder.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/ExceptionPropagatingDecoder.java
deleted file mode 100644
index a0d98134cec..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/ExceptionPropagatingDecoder.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-import io.jsonwebtoken.lang.Assert;
-
-/**
- * @since 0.10.0
- */
-class ExceptionPropagatingDecoder<T, R> implements Decoder<T, R> {
-
-    private final Decoder<T, R> decoder;
-
-    ExceptionPropagatingDecoder(Decoder<T, R> decoder) {
-        Assert.notNull(decoder, "Decoder cannot be null.");
-        this.decoder = decoder;
-    }
-
-    @Override
-    public R decode(T t) throws DecodingException {
-        Assert.notNull(t, "Decode argument cannot be null.");
-        try {
-            return decoder.decode(t);
-        } catch (DecodingException e) {
-            throw e; //propagate
-        } catch (Exception e) {
-            String msg = "Unable to decode input: " + e.getMessage();
-            throw new DecodingException(msg, e);
-        }
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/ExceptionPropagatingEncoder.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/ExceptionPropagatingEncoder.java
deleted file mode 100644
index c483c8cdd5d..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/ExceptionPropagatingEncoder.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-import io.jsonwebtoken.lang.Assert;
-
-/**
- * @since 0.10.0
- */
-class ExceptionPropagatingEncoder<T, R> implements Encoder<T, R> {
-
-    private final Encoder<T, R> encoder;
-
-    ExceptionPropagatingEncoder(Encoder<T, R> encoder) {
-        Assert.notNull(encoder, "Encoder cannot be null.");
-        this.encoder = encoder;
-    }
-
-    @Override
-    public R encode(T t) throws EncodingException {
-        Assert.notNull(t, "Encode argument cannot be null.");
-        try {
-            return this.encoder.encode(t);
-        } catch (EncodingException e) {
-            throw e; //propagate
-        } catch (Exception e) {
-            String msg = "Unable to encode input: " + e.getMessage();
-            throw new EncodingException(msg, e);
-        }
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/IOException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/IOException.java
deleted file mode 100644
index 9ed1e03149c..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/IOException.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-import io.jsonwebtoken.JwtException;
-
-/**
- * @since 0.10.0
- */
-public class IOException extends JwtException {
-
-    public IOException(String msg) {
-        super(msg);
-    }
-
-    public IOException(String message, Throwable cause) {
-        super(message, cause);
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/SerialException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/SerialException.java
deleted file mode 100644
index 86f70920c8c..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/SerialException.java
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-/**
- * @since 0.10.0
- */
-public class SerialException extends IOException {
-
-    public SerialException(String msg) {
-        super(msg);
-    }
-
-    public SerialException(String message, Throwable cause) {
-        super(message, cause);
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/SerializationException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/SerializationException.java
deleted file mode 100644
index 514830deffb..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/SerializationException.java
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-/**
- * @since 0.10.0
- */
-public class SerializationException extends SerialException {
-
-    public SerializationException(String msg) {
-        super(msg);
-    }
-
-    public SerializationException(String message, Throwable cause) {
-        super(message, cause);
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Serializer.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Serializer.java
deleted file mode 100644
index 5d6cd794ab8..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/io/Serializer.java
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.io;
-
-/**
- * @since 0.10.0
- */
-public interface Serializer<T> {
-
-    byte[] serialize(T t) throws SerializationException;
-
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Arrays.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Arrays.java
deleted file mode 100644
index 6b58a376e88..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Arrays.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.lang;
-
-/**
- * @since 0.6
- */
-public final class Arrays {
-
-    private Arrays(){} //prevent instantiation
-
-    public static int length(byte[] bytes) {
-        return bytes != null ? bytes.length : 0;
-    }
-
-    public static byte[] clean(byte[] bytes) {
-        return length(bytes) > 0 ? bytes : null;
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Assert.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Assert.java
deleted file mode 100644
index 7c9e7c36766..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Assert.java
+++ /dev/null
@@ -1,377 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.lang;
-
-import java.util.Collection;
-import java.util.Map;
-
-public final class Assert {
-
-    private Assert(){} //prevent instantiation
-
-    /**
-     * Assert a boolean expression, throwing <code>IllegalArgumentException</code>
-     * if the test result is <code>false</code>.
-     * <pre class="code">Assert.isTrue(i &gt; 0, "The value must be greater than zero");</pre>
-     * @param expression a boolean expression
-     * @param message the exception message to use if the assertion fails
-     * @throws IllegalArgumentException if expression is <code>false</code>
-     */
-    public static void isTrue(boolean expression, String message) {
-        if (!expression) {
-            throw new IllegalArgumentException(message);
-        }
-    }
-
-    /**
-     * Assert a boolean expression, throwing <code>IllegalArgumentException</code>
-     * if the test result is <code>false</code>.
-     * <pre class="code">Assert.isTrue(i &gt; 0);</pre>
-     * @param expression a boolean expression
-     * @throws IllegalArgumentException if expression is <code>false</code>
-     */
-    public static void isTrue(boolean expression) {
-        isTrue(expression, "[Assertion failed] - this expression must be true");
-    }
-
-    /**
-     * Assert that an object is <code>null</code> .
-     * <pre class="code">Assert.isNull(value, "The value must be null");</pre>
-     * @param object the object to check
-     * @param message the exception message to use if the assertion fails
-     * @throws IllegalArgumentException if the object is not <code>null</code>
-     */
-    public static void isNull(Object object, String message) {
-        if (object != null) {
-            throw new IllegalArgumentException(message);
-        }
-    }
-
-    /**
-     * Assert that an object is <code>null</code> .
-     * <pre class="code">Assert.isNull(value);</pre>
-     * @param object the object to check
-     * @throws IllegalArgumentException if the object is not <code>null</code>
-     */
-    public static void isNull(Object object) {
-        isNull(object, "[Assertion failed] - the object argument must be null");
-    }
-
-    /**
-     * Assert that an object is not <code>null</code> .
-     * <pre class="code">Assert.notNull(clazz, "The class must not be null");</pre>
-     * @param object the object to check
-     * @param message the exception message to use if the assertion fails
-     * @throws IllegalArgumentException if the object is <code>null</code>
-     */
-    public static void notNull(Object object, String message) {
-        if (object == null) {
-            throw new IllegalArgumentException(message);
-        }
-    }
-
-    /**
-     * Assert that an object is not <code>null</code> .
-     * <pre class="code">Assert.notNull(clazz);</pre>
-     * @param object the object to check
-     * @throws IllegalArgumentException if the object is <code>null</code>
-     */
-    public static void notNull(Object object) {
-        notNull(object, "[Assertion failed] - this argument is required; it must not be null");
-    }
-
-    /**
-     * Assert that the given String is not empty; that is,
-     * it must not be <code>null</code> and not the empty String.
-     * <pre class="code">Assert.hasLength(name, "Name must not be empty");</pre>
-     * @param text the String to check
-     * @param message the exception message to use if the assertion fails
-     * @see Strings#hasLength
-     */
-    public static void hasLength(String text, String message) {
-        if (!Strings.hasLength(text)) {
-            throw new IllegalArgumentException(message);
-        }
-    }
-
-    /**
-     * Assert that the given String is not empty; that is,
-     * it must not be <code>null</code> and not the empty String.
-     * <pre class="code">Assert.hasLength(name);</pre>
-     * @param text the String to check
-     * @see Strings#hasLength
-     */
-    public static void hasLength(String text) {
-        hasLength(text,
-                  "[Assertion failed] - this String argument must have length; it must not be null or empty");
-    }
-
-    /**
-     * Assert that the given String has valid text content; that is, it must not
-     * be <code>null</code> and must contain at least one non-whitespace character.
-     * <pre class="code">Assert.hasText(name, "'name' must not be empty");</pre>
-     * @param text the String to check
-     * @param message the exception message to use if the assertion fails
-     * @see Strings#hasText
-     */
-    public static void hasText(String text, String message) {
-        if (!Strings.hasText(text)) {
-            throw new IllegalArgumentException(message);
-        }
-    }
-
-    /**
-     * Assert that the given String has valid text content; that is, it must not
-     * be <code>null</code> and must contain at least one non-whitespace character.
-     * <pre class="code">Assert.hasText(name, "'name' must not be empty");</pre>
-     * @param text the String to check
-     * @see Strings#hasText
-     */
-    public static void hasText(String text) {
-        hasText(text,
-                "[Assertion failed] - this String argument must have text; it must not be null, empty, or blank");
-    }
-
-    /**
-     * Assert that the given text does not contain the given substring.
-     * <pre class="code">Assert.doesNotContain(name, "rod", "Name must not contain 'rod'");</pre>
-     * @param textToSearch the text to search
-     * @param substring the substring to find within the text
-     * @param message the exception message to use if the assertion fails
-     */
-    public static void doesNotContain(String textToSearch, String substring, String message) {
-        if (Strings.hasLength(textToSearch) && Strings.hasLength(substring) &&
-            textToSearch.indexOf(substring) != -1) {
-            throw new IllegalArgumentException(message);
-        }
-    }
-
-    /**
-     * Assert that the given text does not contain the given substring.
-     * <pre class="code">Assert.doesNotContain(name, "rod");</pre>
-     * @param textToSearch the text to search
-     * @param substring the substring to find within the text
-     */
-    public static void doesNotContain(String textToSearch, String substring) {
-        doesNotContain(textToSearch, substring,
-                       "[Assertion failed] - this String argument must not contain the substring [" + substring + "]");
-    }
-
-
-    /**
-     * Assert that an array has elements; that is, it must not be
-     * <code>null</code> and must have at least one element.
-     * <pre class="code">Assert.notEmpty(array, "The array must have elements");</pre>
-     * @param array the array to check
-     * @param message the exception message to use if the assertion fails
-     * @throws IllegalArgumentException if the object array is <code>null</code> or has no elements
-     */
-    public static void notEmpty(Object[] array, String message) {
-        if (Objects.isEmpty(array)) {
-            throw new IllegalArgumentException(message);
-        }
-    }
-
-    /**
-     * Assert that an array has elements; that is, it must not be
-     * <code>null</code> and must have at least one element.
-     * <pre class="code">Assert.notEmpty(array);</pre>
-     * @param array the array to check
-     * @throws IllegalArgumentException if the object array is <code>null</code> or has no elements
-     */
-    public static void notEmpty(Object[] array) {
-        notEmpty(array, "[Assertion failed] - this array must not be empty: it must contain at least 1 element");
-    }
-
-    public static void notEmpty(byte[] array, String msg) {
-        if (Objects.isEmpty(array)) {
-            throw new IllegalArgumentException(msg);
-        }
-    }
-
-    /**
-     * Assert that an array has no null elements.
-     * Note: Does not complain if the array is empty!
-     * <pre class="code">Assert.noNullElements(array, "The array must have non-null elements");</pre>
-     * @param array the array to check
-     * @param message the exception message to use if the assertion fails
-     * @throws IllegalArgumentException if the object array contains a <code>null</code> element
-     */
-    public static void noNullElements(Object[] array, String message) {
-        if (array != null) {
-            for (int i = 0; i < array.length; i++) {
-                if (array[i] == null) {
-                    throw new IllegalArgumentException(message);
-                }
-            }
-        }
-    }
-
-    /**
-     * Assert that an array has no null elements.
-     * Note: Does not complain if the array is empty!
-     * <pre class="code">Assert.noNullElements(array);</pre>
-     * @param array the array to check
-     * @throws IllegalArgumentException if the object array contains a <code>null</code> element
-     */
-    public static void noNullElements(Object[] array) {
-        noNullElements(array, "[Assertion failed] - this array must not contain any null elements");
-    }
-
-    /**
-     * Assert that a collection has elements; that is, it must not be
-     * <code>null</code> and must have at least one element.
-     * <pre class="code">Assert.notEmpty(collection, "Collection must have elements");</pre>
-     * @param collection the collection to check
-     * @param message the exception message to use if the assertion fails
-     * @throws IllegalArgumentException if the collection is <code>null</code> or has no elements
-     */
-    public static void notEmpty(Collection collection, String message) {
-        if (Collections.isEmpty(collection)) {
-            throw new IllegalArgumentException(message);
-        }
-    }
-
-    /**
-     * Assert that a collection has elements; that is, it must not be
-     * <code>null</code> and must have at least one element.
-     * <pre class="code">Assert.notEmpty(collection, "Collection must have elements");</pre>
-     * @param collection the collection to check
-     * @throws IllegalArgumentException if the collection is <code>null</code> or has no elements
-     */
-    public static void notEmpty(Collection collection) {
-        notEmpty(collection,
-                 "[Assertion failed] - this collection must not be empty: it must contain at least 1 element");
-    }
-
-    /**
-     * Assert that a Map has entries; that is, it must not be <code>null</code>
-     * and must have at least one entry.
-     * <pre class="code">Assert.notEmpty(map, "Map must have entries");</pre>
-     * @param map the map to check
-     * @param message the exception message to use if the assertion fails
-     * @throws IllegalArgumentException if the map is <code>null</code> or has no entries
-     */
-    public static void notEmpty(Map map, String message) {
-        if (Collections.isEmpty(map)) {
-            throw new IllegalArgumentException(message);
-        }
-    }
-
-    /**
-     * Assert that a Map has entries; that is, it must not be <code>null</code>
-     * and must have at least one entry.
-     * <pre class="code">Assert.notEmpty(map);</pre>
-     * @param map the map to check
-     * @throws IllegalArgumentException if the map is <code>null</code> or has no entries
-     */
-    public static void notEmpty(Map map) {
-        notEmpty(map, "[Assertion failed] - this map must not be empty; it must contain at least one entry");
-    }
-
-
-    /**
-     * Assert that the provided object is an instance of the provided class.
-     * <pre class="code">Assert.instanceOf(Foo.class, foo);</pre>
-     * @param clazz the required class
-     * @param obj the object to check
-     * @throws IllegalArgumentException if the object is not an instance of clazz
-     * @see Class#isInstance
-     */
-    public static void isInstanceOf(Class clazz, Object obj) {
-        isInstanceOf(clazz, obj, "");
-    }
-
-    /**
-     * Assert that the provided object is an instance of the provided class.
-     * <pre class="code">Assert.instanceOf(Foo.class, foo);</pre>
-     * @param type the type to check against
-     * @param obj the object to check
-     * @param message a message which will be prepended to the message produced by
-     * the function itself, and which may be used to provide context. It should
-     * normally end in a ": " or ". " so that the function generate message looks
-     * ok when prepended to it.
-     * @throws IllegalArgumentException if the object is not an instance of clazz
-     * @see Class#isInstance
-     */
-    public static void isInstanceOf(Class type, Object obj, String message) {
-        notNull(type, "Type to check against must not be null");
-        if (!type.isInstance(obj)) {
-            throw new IllegalArgumentException(message +
-                                               "Object of class [" + (obj != null ? obj.getClass().getName() : "null") +
-                                               "] must be an instance of " + type);
-        }
-    }
-
-    /**
-     * Assert that <code>superType.isAssignableFrom(subType)</code> is <code>true</code>.
-     * <pre class="code">Assert.isAssignable(Number.class, myClass);</pre>
-     * @param superType the super type to check
-     * @param subType the sub type to check
-     * @throws IllegalArgumentException if the classes are not assignable
-     */
-    public static void isAssignable(Class superType, Class subType) {
-        isAssignable(superType, subType, "");
-    }
-
-    /**
-     * Assert that <code>superType.isAssignableFrom(subType)</code> is <code>true</code>.
-     * <pre class="code">Assert.isAssignable(Number.class, myClass);</pre>
-     * @param superType the super type to check against
-     * @param subType the sub type to check
-     * @param message a message which will be prepended to the message produced by
-     * the function itself, and which may be used to provide context. It should
-     * normally end in a ": " or ". " so that the function generate message looks
-     * ok when prepended to it.
-     * @throws IllegalArgumentException if the classes are not assignable
-     */
-    public static void isAssignable(Class superType, Class subType, String message) {
-        notNull(superType, "Type to check against must not be null");
-        if (subType == null || !superType.isAssignableFrom(subType)) {
-            throw new IllegalArgumentException(message + subType + " is not assignable to " + superType);
-        }
-    }
-
-
-    /**
-     * Assert a boolean expression, throwing <code>IllegalStateException</code>
-     * if the test result is <code>false</code>. Call isTrue if you wish to
-     * throw IllegalArgumentException on an assertion failure.
-     * <pre class="code">Assert.state(id == null, "The id property must not already be initialized");</pre>
-     * @param expression a boolean expression
-     * @param message the exception message to use if the assertion fails
-     * @throws IllegalStateException if expression is <code>false</code>
-     */
-    public static void state(boolean expression, String message) {
-        if (!expression) {
-            throw new IllegalStateException(message);
-        }
-    }
-
-    /**
-     * Assert a boolean expression, throwing {@link IllegalStateException}
-     * if the test result is <code>false</code>.
-     * <p>Call {@link #isTrue(boolean)} if you wish to
-     * throw {@link IllegalArgumentException} on an assertion failure.
-     * <pre class="code">Assert.state(id == null);</pre>
-     * @param expression a boolean expression
-     * @throws IllegalStateException if the supplied expression is <code>false</code>
-     */
-    public static void state(boolean expression) {
-        state(expression, "[Assertion failed] - this state invariant must be true");
-    }
-
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Classes.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Classes.java
deleted file mode 100644
index 27d4d18c2fe..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Classes.java
+++ /dev/null
@@ -1,254 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.lang;
-
-import java.io.InputStream;
-import java.lang.reflect.Constructor;
-import java.lang.reflect.Method;
-
-/**
- * @since 0.1
- */
-public final class Classes {
-
-    private Classes() {} //prevent instantiation
-
-    /**
-     * @since 0.1
-     */
-    private static final ClassLoaderAccessor THREAD_CL_ACCESSOR = new ExceptionIgnoringAccessor() {
-        @Override
-        protected ClassLoader doGetClassLoader() throws Throwable {
-            return Thread.currentThread().getContextClassLoader();
-        }
-    };
-
-    /**
-     * @since 0.1
-     */
-    private static final ClassLoaderAccessor CLASS_CL_ACCESSOR = new ExceptionIgnoringAccessor() {
-        @Override
-        protected ClassLoader doGetClassLoader() throws Throwable {
-            return Classes.class.getClassLoader();
-        }
-    };
-
-    /**
-     * @since 0.1
-     */
-    private static final ClassLoaderAccessor SYSTEM_CL_ACCESSOR = new ExceptionIgnoringAccessor() {
-        @Override
-        protected ClassLoader doGetClassLoader() throws Throwable {
-            return ClassLoader.getSystemClassLoader();
-        }
-    };
-
-    /**
-     * Attempts to load the specified class name from the current thread's
-     * {@link Thread#getContextClassLoader() context class loader}, then the
-     * current ClassLoader (<code>Classes.class.getClassLoader()</code>), then the system/application
-     * ClassLoader (<code>ClassLoader.getSystemClassLoader()</code>, in that order.  If any of them cannot locate
-     * the specified class, an <code>UnknownClassException</code> is thrown (our RuntimeException equivalent of
-     * the JRE's <code>ClassNotFoundException</code>.
-     *
-     * @param fqcn the fully qualified class name to load
-     * @return the located class
-     * @throws UnknownClassException if the class cannot be found.
-     */
-    @SuppressWarnings("unchecked")
-    public static <T> Class<T> forName(String fqcn) throws UnknownClassException {
-
-        Class clazz = THREAD_CL_ACCESSOR.loadClass(fqcn);
-
-        if (clazz == null) {
-            clazz = CLASS_CL_ACCESSOR.loadClass(fqcn);
-        }
-
-        if (clazz == null) {
-            clazz = SYSTEM_CL_ACCESSOR.loadClass(fqcn);
-        }
-
-        if (clazz == null) {
-            String msg = "Unable to load class named [" + fqcn + "] from the thread context, current, or " +
-                    "system/application ClassLoaders.  All heuristics have been exhausted.  Class could not be found.";
-
-            if (fqcn != null && fqcn.startsWith("io.jsonwebtoken.impl")) {
-                msg += "  Have you remembered to include the jjwt-impl.jar in your runtime classpath?";
-            }
-
-            throw new UnknownClassException(msg);
-        }
-
-        return clazz;
-    }
-
-    /**
-     * Returns the specified resource by checking the current thread's
-     * {@link Thread#getContextClassLoader() context class loader}, then the
-     * current ClassLoader (<code>Classes.class.getClassLoader()</code>), then the system/application
-     * ClassLoader (<code>ClassLoader.getSystemClassLoader()</code>, in that order, using
-     * {@link ClassLoader#getResourceAsStream(String) getResourceAsStream(name)}.
-     *
-     * @param name the name of the resource to acquire from the classloader(s).
-     * @return the InputStream of the resource found, or <code>null</code> if the resource cannot be found from any
-     * of the three mentioned ClassLoaders.
-     * @since 0.8
-     */
-    public static InputStream getResourceAsStream(String name) {
-
-        InputStream is = THREAD_CL_ACCESSOR.getResourceStream(name);
-
-        if (is == null) {
-            is = CLASS_CL_ACCESSOR.getResourceStream(name);
-        }
-
-        if (is == null) {
-            is = SYSTEM_CL_ACCESSOR.getResourceStream(name);
-        }
-
-        return is;
-    }
-
-    public static boolean isAvailable(String fullyQualifiedClassName) {
-        try {
-            forName(fullyQualifiedClassName);
-            return true;
-        } catch (UnknownClassException e) {
-            return false;
-        }
-    }
-
-    @SuppressWarnings("unchecked")
-    public static <T> T newInstance(String fqcn) {
-        return (T)newInstance(forName(fqcn));
-    }
-
-    public static <T> T newInstance(String fqcn, Class[] ctorArgTypes, Object... args) {
-        Class<T> clazz = forName(fqcn);
-        Constructor<T> ctor = getConstructor(clazz, ctorArgTypes);
-        return instantiate(ctor, args);
-    }
-
-    @SuppressWarnings("unchecked")
-    public static <T> T newInstance(String fqcn, Object... args) {
-        return (T)newInstance(forName(fqcn), args);
-    }
-
-    public static <T> T newInstance(Class<T> clazz) {
-        if (clazz == null) {
-            String msg = "Class method parameter cannot be null.";
-            throw new IllegalArgumentException(msg);
-        }
-        try {
-            return clazz.newInstance();
-        } catch (Exception e) {
-            throw new InstantiationException("Unable to instantiate class [" + clazz.getName() + "]", e);
-        }
-    }
-
-    public static <T> T newInstance(Class<T> clazz, Object... args) {
-        Class[] argTypes = new Class[args.length];
-        for (int i = 0; i < args.length; i++) {
-            argTypes[i] = args[i].getClass();
-        }
-        Constructor<T> ctor = getConstructor(clazz, argTypes);
-        return instantiate(ctor, args);
-    }
-
-    public static <T> Constructor<T> getConstructor(Class<T> clazz, Class... argTypes) {
-        try {
-            return clazz.getConstructor(argTypes);
-        } catch (NoSuchMethodException e) {
-            throw new IllegalStateException(e);
-        }
-
-    }
-
-    public static <T> T instantiate(Constructor<T> ctor, Object... args) {
-        try {
-            return ctor.newInstance(args);
-        } catch (Exception e) {
-            String msg = "Unable to instantiate instance with constructor [" + ctor + "]";
-            throw new InstantiationException(msg, e);
-        }
-    }
-
-    /**
-     * @since 0.10.0
-     */
-    @SuppressWarnings("unchecked")
-    public static <T> T invokeStatic(String fqcn, String methodName, Class[] argTypes, Object... args) {
-        try {
-            Class clazz = Classes.forName(fqcn);
-            Method method = clazz.getDeclaredMethod(methodName, argTypes);
-            method.setAccessible(true);
-            return(T)method.invoke(null, args);
-        } catch (Exception e) {
-            String msg = "Unable to invoke class method " + fqcn + "#" + methodName + ".  Ensure the necessary " +
-                "implementation is in the runtime classpath.";
-            throw new IllegalStateException(msg, e);
-        }
-    }
-
-    /**
-     * @since 1.0
-     */
-    private static interface ClassLoaderAccessor {
-        Class loadClass(String fqcn);
-
-        InputStream getResourceStream(String name);
-    }
-
-    /**
-     * @since 1.0
-     */
-    private static abstract class ExceptionIgnoringAccessor implements ClassLoaderAccessor {
-
-        public Class loadClass(String fqcn) {
-            Class clazz = null;
-            ClassLoader cl = getClassLoader();
-            if (cl != null) {
-                try {
-                    clazz = cl.loadClass(fqcn);
-                } catch (ClassNotFoundException e) {
-                    //Class couldn't be found by loader
-                }
-            }
-            return clazz;
-        }
-
-        public InputStream getResourceStream(String name) {
-            InputStream is = null;
-            ClassLoader cl = getClassLoader();
-            if (cl != null) {
-                is = cl.getResourceAsStream(name);
-            }
-            return is;
-        }
-
-        protected final ClassLoader getClassLoader() {
-            try {
-                return doGetClassLoader();
-            } catch (Throwable t) {
-                //Unable to get ClassLoader
-            }
-            return null;
-        }
-
-        protected abstract ClassLoader doGetClassLoader() throws Throwable;
-    }
-}
-
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Collections.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Collections.java
deleted file mode 100644
index d775a002adf..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Collections.java
+++ /dev/null
@@ -1,365 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.lang;
-
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Enumeration;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Properties;
-
-public final class Collections {
-
-    private Collections(){} //prevent instantiation
-
-    /**
-     * Return <code>true</code> if the supplied Collection is <code>null</code>
-     * or empty. Otherwise, return <code>false</code>.
-     * @param collection the Collection to check
-     * @return whether the given Collection is empty
-     */
-    public static boolean isEmpty(Collection collection) {
-        return (collection == null || collection.isEmpty());
-    }
-
-    /**
-     * Returns the collection's size or {@code 0} if the collection is {@code null}.
-     *
-     * @param collection the collection to check.
-     * @return the collection's size or {@code 0} if the collection is {@code null}.
-     * @since 0.9.2
-     */
-    public static int size(Collection collection) {
-        return collection == null ? 0 : collection.size();
-    }
-
-    /**
-     * Returns the map's size or {@code 0} if the map is {@code null}.
-     *
-     * @param map the map to check
-     * @return the map's size or {@code 0} if the map is {@code null}.
-     * @since 0.9.2
-     */
-    public static int size(Map map) {
-        return map == null ? 0 : map.size();
-    }
-
-    /**
-     * Return <code>true</code> if the supplied Map is <code>null</code>
-     * or empty. Otherwise, return <code>false</code>.
-     * @param map the Map to check
-     * @return whether the given Map is empty
-     */
-    public static boolean isEmpty(Map map) {
-        return (map == null || map.isEmpty());
-    }
-
-    /**
-     * Convert the supplied array into a List. A primitive array gets
-     * converted into a List of the appropriate wrapper type.
-     * <p>A <code>null</code> source value will be converted to an
-     * empty List.
-     * @param source the (potentially primitive) array
-     * @return the converted List result
-     * @see Objects#toObjectArray(Object)
-     */
-    public static List arrayToList(Object source) {
-        return Arrays.asList(Objects.toObjectArray(source));
-    }
-
-    /**
-     * Merge the given array into the given Collection.
-     * @param array the array to merge (may be <code>null</code>)
-     * @param collection the target Collection to merge the array into
-     */
-    @SuppressWarnings("unchecked")
-    public static void mergeArrayIntoCollection(Object array, Collection collection) {
-        if (collection == null) {
-            throw new IllegalArgumentException("Collection must not be null");
-        }
-        Object[] arr = Objects.toObjectArray(array);
-        for (Object elem : arr) {
-            collection.add(elem);
-        }
-    }
-
-    /**
-     * Merge the given Properties instance into the given Map,
-     * copying all properties (key-value pairs) over.
-     * <p>Uses <code>Properties.propertyNames()</code> to even catch
-     * default properties linked into the original Properties instance.
-     * @param props the Properties instance to merge (may be <code>null</code>)
-     * @param map the target Map to merge the properties into
-     */
-    @SuppressWarnings("unchecked")
-    public static void mergePropertiesIntoMap(Properties props, Map map) {
-        if (map == null) {
-            throw new IllegalArgumentException("Map must not be null");
-        }
-        if (props != null) {
-            for (Enumeration en = props.propertyNames(); en.hasMoreElements();) {
-                String key = (String) en.nextElement();
-                Object value = props.getProperty(key);
-                if (value == null) {
-                    // Potentially a non-String value...
-                    value = props.get(key);
-                }
-                map.put(key, value);
-            }
-        }
-    }
-
-
-    /**
-     * Check whether the given Iterator contains the given element.
-     * @param iterator the Iterator to check
-     * @param element the element to look for
-     * @return <code>true</code> if found, <code>false</code> else
-     */
-    public static boolean contains(Iterator iterator, Object element) {
-        if (iterator != null) {
-            while (iterator.hasNext()) {
-                Object candidate = iterator.next();
-                if (Objects.nullSafeEquals(candidate, element)) {
-                    return true;
-                }
-            }
-        }
-        return false;
-    }
-
-    /**
-     * Check whether the given Enumeration contains the given element.
-     * @param enumeration the Enumeration to check
-     * @param element the element to look for
-     * @return <code>true</code> if found, <code>false</code> else
-     */
-    public static boolean contains(Enumeration enumeration, Object element) {
-        if (enumeration != null) {
-            while (enumeration.hasMoreElements()) {
-                Object candidate = enumeration.nextElement();
-                if (Objects.nullSafeEquals(candidate, element)) {
-                    return true;
-                }
-            }
-        }
-        return false;
-    }
-
-    /**
-     * Check whether the given Collection contains the given element instance.
-     * <p>Enforces the given instance to be present, rather than returning
-     * <code>true</code> for an equal element as well.
-     * @param collection the Collection to check
-     * @param element the element to look for
-     * @return <code>true</code> if found, <code>false</code> else
-     */
-    public static boolean containsInstance(Collection collection, Object element) {
-        if (collection != null) {
-            for (Object candidate : collection) {
-                if (candidate == element) {
-                    return true;
-                }
-            }
-        }
-        return false;
-    }
-
-    /**
-     * Return <code>true</code> if any element in '<code>candidates</code>' is
-     * contained in '<code>source</code>'; otherwise returns <code>false</code>.
-     * @param source the source Collection
-     * @param candidates the candidates to search for
-     * @return whether any of the candidates has been found
-     */
-    public static boolean containsAny(Collection source, Collection candidates) {
-        if (isEmpty(source) || isEmpty(candidates)) {
-            return false;
-        }
-        for (Object candidate : candidates) {
-            if (source.contains(candidate)) {
-                return true;
-            }
-        }
-        return false;
-    }
-
-    /**
-     * Return the first element in '<code>candidates</code>' that is contained in
-     * '<code>source</code>'. If no element in '<code>candidates</code>' is present in
-     * '<code>source</code>' returns <code>null</code>. Iteration order is
-     * {@link Collection} implementation specific.
-     * @param source the source Collection
-     * @param candidates the candidates to search for
-     * @return the first present object, or <code>null</code> if not found
-     */
-    public static Object findFirstMatch(Collection source, Collection candidates) {
-        if (isEmpty(source) || isEmpty(candidates)) {
-            return null;
-        }
-        for (Object candidate : candidates) {
-            if (source.contains(candidate)) {
-                return candidate;
-            }
-        }
-        return null;
-    }
-
-    /**
-     * Find a single value of the given type in the given Collection.
-     * @param collection the Collection to search
-     * @param type the type to look for
-     * @return a value of the given type found if there is a clear match,
-     * or <code>null</code> if none or more than one such value found
-     */
-    @SuppressWarnings("unchecked")
-    public static <T> T findValueOfType(Collection<?> collection, Class<T> type) {
-        if (isEmpty(collection)) {
-            return null;
-        }
-        T value = null;
-        for (Object element : collection) {
-            if (type == null || type.isInstance(element)) {
-                if (value != null) {
-                    // More than one value found... no clear single value.
-                    return null;
-                }
-                value = (T) element;
-            }
-        }
-        return value;
-    }
-
-    /**
-     * Find a single value of one of the given types in the given Collection:
-     * searching the Collection for a value of the first type, then
-     * searching for a value of the second type, etc.
-     * @param collection the collection to search
-     * @param types the types to look for, in prioritized order
-     * @return a value of one of the given types found if there is a clear match,
-     * or <code>null</code> if none or more than one such value found
-     */
-    public static Object findValueOfType(Collection<?> collection, Class<?>[] types) {
-        if (isEmpty(collection) || Objects.isEmpty(types)) {
-            return null;
-        }
-        for (Class<?> type : types) {
-            Object value = findValueOfType(collection, type);
-            if (value != null) {
-                return value;
-            }
-        }
-        return null;
-    }
-
-    /**
-     * Determine whether the given Collection only contains a single unique object.
-     * @param collection the Collection to check
-     * @return <code>true</code> if the collection contains a single reference or
-     * multiple references to the same instance, <code>false</code> else
-     */
-    public static boolean hasUniqueObject(Collection collection) {
-        if (isEmpty(collection)) {
-            return false;
-        }
-        boolean hasCandidate = false;
-        Object candidate = null;
-        for (Object elem : collection) {
-            if (!hasCandidate) {
-                hasCandidate = true;
-                candidate = elem;
-            }
-            else if (candidate != elem) {
-                return false;
-            }
-        }
-        return true;
-    }
-
-    /**
-     * Find the common element type of the given Collection, if any.
-     * @param collection the Collection to check
-     * @return the common element type, or <code>null</code> if no clear
-     * common type has been found (or the collection was empty)
-     */
-    public static Class<?> findCommonElementType(Collection collection) {
-        if (isEmpty(collection)) {
-            return null;
-        }
-        Class<?> candidate = null;
-        for (Object val : collection) {
-            if (val != null) {
-                if (candidate == null) {
-                    candidate = val.getClass();
-                }
-                else if (candidate != val.getClass()) {
-                    return null;
-                }
-            }
-        }
-        return candidate;
-    }
-
-    /**
-     * Marshal the elements from the given enumeration into an array of the given type.
-     * Enumeration elements must be assignable to the type of the given array. The array
-     * returned will be a different instance than the array given.
-     */
-    public static <A,E extends A> A[] toArray(Enumeration<E> enumeration, A[] array) {
-        ArrayList<A> elements = new ArrayList<A>();
-        while (enumeration.hasMoreElements()) {
-            elements.add(enumeration.nextElement());
-        }
-        return elements.toArray(array);
-    }
-
-    /**
-     * Adapt an enumeration to an iterator.
-     * @param enumeration the enumeration
-     * @return the iterator
-     */
-    public static <E> Iterator<E> toIterator(Enumeration<E> enumeration) {
-        return new EnumerationIterator<E>(enumeration);
-    }
-
-    /**
-     * Iterator wrapping an Enumeration.
-     */
-    private static class EnumerationIterator<E> implements Iterator<E> {
-
-        private Enumeration<E> enumeration;
-
-        public EnumerationIterator(Enumeration<E> enumeration) {
-            this.enumeration = enumeration;
-        }
-
-        public boolean hasNext() {
-            return this.enumeration.hasMoreElements();
-        }
-
-        public E next() {
-            return this.enumeration.nextElement();
-        }
-
-        public void remove() throws UnsupportedOperationException {
-            throw new UnsupportedOperationException("Not supported");
-        }
-    }
-}
-
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/DateFormats.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/DateFormats.java
deleted file mode 100644
index 250d9892d93..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/DateFormats.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.lang;
-
-import java.text.DateFormat;
-import java.text.ParseException;
-import java.text.SimpleDateFormat;
-import java.util.Date;
-import java.util.TimeZone;
-
-/**
- * @since 0.10.0
- */
-public class DateFormats {
-
-    private static final String ISO_8601_PATTERN = "yyyy-MM-dd'T'HH:mm:ss'Z'";
-
-    private static final String ISO_8601_MILLIS_PATTERN = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'";
-
-    private static final ThreadLocal<DateFormat> ISO_8601 = new ThreadLocal<DateFormat>() {
-        @Override
-        protected DateFormat initialValue() {
-            SimpleDateFormat format = new SimpleDateFormat(ISO_8601_PATTERN);
-            format.setTimeZone(TimeZone.getTimeZone("UTC"));
-            return format;
-        }
-    };
-
-    private static final ThreadLocal<DateFormat> ISO_8601_MILLIS = new ThreadLocal<DateFormat>() {
-        @Override
-        protected DateFormat initialValue() {
-            SimpleDateFormat format = new SimpleDateFormat(ISO_8601_MILLIS_PATTERN);
-            format.setTimeZone(TimeZone.getTimeZone("UTC"));
-            return format;
-        }
-    };
-
-    public static String formatIso8601(Date date) {
-        return formatIso8601(date, true);
-    }
-
-    public static String formatIso8601(Date date, boolean includeMillis) {
-        if (includeMillis) {
-            return ISO_8601_MILLIS.get().format(date);
-        }
-        return ISO_8601.get().format(date);
-    }
-
-    public static Date parseIso8601Date(String s) throws ParseException {
-        Assert.notNull(s, "String argument cannot be null.");
-        if (s.lastIndexOf('.') > -1) { //assume ISO-8601 with milliseconds
-            return ISO_8601_MILLIS.get().parse(s);
-        } else { //assume ISO-8601 without millis:
-            return ISO_8601.get().parse(s);
-        }
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/InstantiationException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/InstantiationException.java
deleted file mode 100644
index 0ee8418f5ea..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/InstantiationException.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.lang;
-
-/**
- * @since 0.1
- */
-public class InstantiationException extends RuntimeException {
-
-    public InstantiationException(String s, Throwable t) {
-        super(s, t);
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Maps.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Maps.java
deleted file mode 100644
index f96e4cb302c..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Maps.java
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Copyright (C) 2019 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.lang;
-
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
-
-/**
- * Utility class to help with the manipulation of working with Maps.
- * @since 0.11.0
- */
-public final class Maps {
-
-    private Maps() {} //prevent instantiation
-
-    /**
-     * Creates a new map builder with a single entry.
-     * <p> Typical usage: <pre>{@code
-     * Map<K,V> result = Maps.of("key1", value1)
-     *     .and("key2", value2)
-     *     // ...
-     *     .build();
-     * }</pre>
-     * @param key the key of an map entry to be added
-     * @param value the value of map entry to be added
-     * @param <K> the maps key type
-     * @param <V> the maps value type
-     * Creates a new map builder with a single entry.
-     */
-    public static <K, V> MapBuilder<K, V> of(K key, V value) {
-        return new HashMapBuilder<K, V>().and(key, value);
-    }
-
-    /**
-     * Utility Builder class for fluently building maps:
-     * <p> Typical usage: <pre>{@code
-     * Map<K,V> result = Maps.of("key1", value1)
-     *     .and("key2", value2)
-     *     // ...
-     *     .build();
-     * }</pre>
-     * @param <K> the maps key type
-     * @param <V> the maps value type
-     */
-    public interface MapBuilder<K, V> {
-        /**
-         * Add a new entry to this map builder
-         * @param key the key of an map entry to be added
-         * @param value the value of map entry to be added
-         * @return the current MapBuilder to allow for method chaining.
-         */
-        MapBuilder<K, V> and(K key, V value);
-
-        /**
-         * Returns a the resulting Map object from this MapBuilder.
-         * @return Returns a the resulting Map object from this MapBuilder.
-         */
-        Map<K, V> build();
-    }
-
-    private static class HashMapBuilder<K, V> implements MapBuilder<K, V> {
-
-        private final Map<K, V> data = new HashMap<>();
-
-        public MapBuilder<K, V> and(K key, V value) {
-            data.put(key, value);
-            return this;
-        }
-        public Map<K, V> build() {
-            return Collections.unmodifiableMap(data);
-        }
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Objects.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Objects.java
deleted file mode 100644
index 4960b73553b..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Objects.java
+++ /dev/null
@@ -1,927 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.lang;
-
-import java.io.Closeable;
-import java.io.IOException;
-import java.lang.reflect.Array;
-import java.util.Arrays;
-
-public final class Objects {
-
-    private Objects(){} //prevent instantiation
-
-    private static final int INITIAL_HASH = 7;
-    private static final int MULTIPLIER   = 31;
-
-    private static final String EMPTY_STRING            = "";
-    private static final String NULL_STRING             = "null";
-    private static final String ARRAY_START             = "{";
-    private static final String ARRAY_END               = "}";
-    private static final String EMPTY_ARRAY             = ARRAY_START + ARRAY_END;
-    private static final String ARRAY_ELEMENT_SEPARATOR = ", ";
-
-    /**
-     * Return whether the given throwable is a checked exception:
-     * that is, neither a RuntimeException nor an Error.
-     *
-     * @param ex the throwable to check
-     * @return whether the throwable is a checked exception
-     * @see java.lang.Exception
-     * @see java.lang.RuntimeException
-     * @see java.lang.Error
-     */
-    public static boolean isCheckedException(Throwable ex) {
-        return !(ex instanceof RuntimeException || ex instanceof Error);
-    }
-
-    /**
-     * Check whether the given exception is compatible with the exceptions
-     * declared in a throws clause.
-     *
-     * @param ex                 the exception to checked
-     * @param declaredExceptions the exceptions declared in the throws clause
-     * @return whether the given exception is compatible
-     */
-    public static boolean isCompatibleWithThrowsClause(Throwable ex, Class[] declaredExceptions) {
-        if (!isCheckedException(ex)) {
-            return true;
-        }
-        if (declaredExceptions != null) {
-            int i = 0;
-            while (i < declaredExceptions.length) {
-                if (declaredExceptions[i].isAssignableFrom(ex.getClass())) {
-                    return true;
-                }
-                i++;
-            }
-        }
-        return false;
-    }
-
-    /**
-     * Determine whether the given object is an array:
-     * either an Object array or a primitive array.
-     *
-     * @param obj the object to check
-     */
-    public static boolean isArray(Object obj) {
-        return (obj != null && obj.getClass().isArray());
-    }
-
-    /**
-     * Determine whether the given array is empty:
-     * i.e. <code>null</code> or of zero length.
-     *
-     * @param array the array to check
-     */
-    public static boolean isEmpty(Object[] array) {
-        return (array == null || array.length == 0);
-    }
-
-    /**
-     * Returns {@code true} if the specified byte array is null or of zero length, {@code false} otherwise.
-     *
-     * @param array the byte array to check
-     * @return {@code true} if the specified byte array is null or of zero length, {@code false} otherwise.
-     */
-    public static boolean isEmpty(byte[] array) {
-        return array == null || array.length == 0;
-    }
-
-    /**
-     * Check whether the given array contains the given element.
-     *
-     * @param array   the array to check (may be <code>null</code>,
-     *                in which case the return value will always be <code>false</code>)
-     * @param element the element to check for
-     * @return whether the element has been found in the given array
-     */
-    public static boolean containsElement(Object[] array, Object element) {
-        if (array == null) {
-            return false;
-        }
-        for (Object arrayEle : array) {
-            if (nullSafeEquals(arrayEle, element)) {
-                return true;
-            }
-        }
-        return false;
-    }
-
-    /**
-     * Check whether the given array of enum constants contains a constant with the given name,
-     * ignoring case when determining a match.
-     *
-     * @param enumValues the enum values to check, typically the product of a call to MyEnum.values()
-     * @param constant   the constant name to find (must not be null or empty string)
-     * @return whether the constant has been found in the given array
-     */
-    public static boolean containsConstant(Enum<?>[] enumValues, String constant) {
-        return containsConstant(enumValues, constant, false);
-    }
-
-    /**
-     * Check whether the given array of enum constants contains a constant with the given name.
-     *
-     * @param enumValues    the enum values to check, typically the product of a call to MyEnum.values()
-     * @param constant      the constant name to find (must not be null or empty string)
-     * @param caseSensitive whether case is significant in determining a match
-     * @return whether the constant has been found in the given array
-     */
-    public static boolean containsConstant(Enum<?>[] enumValues, String constant, boolean caseSensitive) {
-        for (Enum<?> candidate : enumValues) {
-            if (caseSensitive ?
-                candidate.toString().equals(constant) :
-                candidate.toString().equalsIgnoreCase(constant)) {
-                return true;
-            }
-        }
-        return false;
-    }
-
-    /**
-     * Case insensitive alternative to {@link Enum#valueOf(Class, String)}.
-     *
-     * @param <E>        the concrete Enum type
-     * @param enumValues the array of all Enum constants in question, usually per Enum.values()
-     * @param constant   the constant to get the enum value of
-     * @throws IllegalArgumentException if the given constant is not found in the given array
-     *                                  of enum values. Use {@link #containsConstant(Enum[], String)} as a guard to
-     *                                  avoid this exception.
-     */
-    public static <E extends Enum<?>> E caseInsensitiveValueOf(E[] enumValues, String constant) {
-        for (E candidate : enumValues) {
-            if (candidate.toString().equalsIgnoreCase(constant)) {
-                return candidate;
-            }
-        }
-        throw new IllegalArgumentException(
-            String.format("constant [%s] does not exist in enum type %s",
-                          constant, enumValues.getClass().getComponentType().getName()));
-    }
-
-    /**
-     * Append the given object to the given array, returning a new array
-     * consisting of the input array contents plus the given object.
-     *
-     * @param array the array to append to (can be <code>null</code>)
-     * @param obj   the object to append
-     * @return the new array (of the same component type; never <code>null</code>)
-     */
-    public static <A, O extends A> A[] addObjectToArray(A[] array, O obj) {
-        Class<?> compType = Object.class;
-        if (array != null) {
-            compType = array.getClass().getComponentType();
-        } else if (obj != null) {
-            compType = obj.getClass();
-        }
-        int newArrLength = (array != null ? array.length + 1 : 1);
-        @SuppressWarnings("unchecked")
-        A[] newArr = (A[]) Array.newInstance(compType, newArrLength);
-        if (array != null) {
-            System.arraycopy(array, 0, newArr, 0, array.length);
-        }
-        newArr[newArr.length - 1] = obj;
-        return newArr;
-    }
-
-    /**
-     * Convert the given array (which may be a primitive array) to an
-     * object array (if necessary of primitive wrapper objects).
-     * <p>A <code>null</code> source value will be converted to an
-     * empty Object array.
-     *
-     * @param source the (potentially primitive) array
-     * @return the corresponding object array (never <code>null</code>)
-     * @throws IllegalArgumentException if the parameter is not an array
-     */
-    public static Object[] toObjectArray(Object source) {
-        if (source instanceof Object[]) {
-            return (Object[]) source;
-        }
-        if (source == null) {
-            return new Object[0];
-        }
-        if (!source.getClass().isArray()) {
-            throw new IllegalArgumentException("Source is not an array: " + source);
-        }
-        int length = Array.getLength(source);
-        if (length == 0) {
-            return new Object[0];
-        }
-        Class wrapperType = Array.get(source, 0).getClass();
-        Object[] newArray = (Object[]) Array.newInstance(wrapperType, length);
-        for (int i = 0; i < length; i++) {
-            newArray[i] = Array.get(source, i);
-        }
-        return newArray;
-    }
-
-
-    //---------------------------------------------------------------------
-    // Convenience methods for content-based equality/hash-code handling
-    //---------------------------------------------------------------------
-
-    /**
-     * Determine if the given objects are equal, returning <code>true</code>
-     * if both are <code>null</code> or <code>false</code> if only one is
-     * <code>null</code>.
-     * <p>Compares arrays with <code>Arrays.equals</code>, performing an equality
-     * check based on the array elements rather than the array reference.
-     *
-     * @param o1 first Object to compare
-     * @param o2 second Object to compare
-     * @return whether the given objects are equal
-     * @see java.util.Arrays#equals
-     */
-    public static boolean nullSafeEquals(Object o1, Object o2) {
-        if (o1 == o2) {
-            return true;
-        }
-        if (o1 == null || o2 == null) {
-            return false;
-        }
-        if (o1.equals(o2)) {
-            return true;
-        }
-        if (o1.getClass().isArray() && o2.getClass().isArray()) {
-            if (o1 instanceof Object[] && o2 instanceof Object[]) {
-                return Arrays.equals((Object[]) o1, (Object[]) o2);
-            }
-            if (o1 instanceof boolean[] && o2 instanceof boolean[]) {
-                return Arrays.equals((boolean[]) o1, (boolean[]) o2);
-            }
-            if (o1 instanceof byte[] && o2 instanceof byte[]) {
-                return Arrays.equals((byte[]) o1, (byte[]) o2);
-            }
-            if (o1 instanceof char[] && o2 instanceof char[]) {
-                return Arrays.equals((char[]) o1, (char[]) o2);
-            }
-            if (o1 instanceof double[] && o2 instanceof double[]) {
-                return Arrays.equals((double[]) o1, (double[]) o2);
-            }
-            if (o1 instanceof float[] && o2 instanceof float[]) {
-                return Arrays.equals((float[]) o1, (float[]) o2);
-            }
-            if (o1 instanceof int[] && o2 instanceof int[]) {
-                return Arrays.equals((int[]) o1, (int[]) o2);
-            }
-            if (o1 instanceof long[] && o2 instanceof long[]) {
-                return Arrays.equals((long[]) o1, (long[]) o2);
-            }
-            if (o1 instanceof short[] && o2 instanceof short[]) {
-                return Arrays.equals((short[]) o1, (short[]) o2);
-            }
-        }
-        return false;
-    }
-
-    /**
-     * Return as hash code for the given object; typically the value of
-     * <code>{@link Object#hashCode()}</code>. If the object is an array,
-     * this method will delegate to any of the <code>nullSafeHashCode</code>
-     * methods for arrays in this class. If the object is <code>null</code>,
-     * this method returns 0.
-     *
-     * @see #nullSafeHashCode(Object[])
-     * @see #nullSafeHashCode(boolean[])
-     * @see #nullSafeHashCode(byte[])
-     * @see #nullSafeHashCode(char[])
-     * @see #nullSafeHashCode(double[])
-     * @see #nullSafeHashCode(float[])
-     * @see #nullSafeHashCode(int[])
-     * @see #nullSafeHashCode(long[])
-     * @see #nullSafeHashCode(short[])
-     */
-    public static int nullSafeHashCode(Object obj) {
-        if (obj == null) {
-            return 0;
-        }
-        if (obj.getClass().isArray()) {
-            if (obj instanceof Object[]) {
-                return nullSafeHashCode((Object[]) obj);
-            }
-            if (obj instanceof boolean[]) {
-                return nullSafeHashCode((boolean[]) obj);
-            }
-            if (obj instanceof byte[]) {
-                return nullSafeHashCode((byte[]) obj);
-            }
-            if (obj instanceof char[]) {
-                return nullSafeHashCode((char[]) obj);
-            }
-            if (obj instanceof double[]) {
-                return nullSafeHashCode((double[]) obj);
-            }
-            if (obj instanceof float[]) {
-                return nullSafeHashCode((float[]) obj);
-            }
-            if (obj instanceof int[]) {
-                return nullSafeHashCode((int[]) obj);
-            }
-            if (obj instanceof long[]) {
-                return nullSafeHashCode((long[]) obj);
-            }
-            if (obj instanceof short[]) {
-                return nullSafeHashCode((short[]) obj);
-            }
-        }
-        return obj.hashCode();
-    }
-
-    /**
-     * Return a hash code based on the contents of the specified array.
-     * If <code>array</code> is <code>null</code>, this method returns 0.
-     */
-    public static int nullSafeHashCode(Object[] array) {
-        if (array == null) {
-            return 0;
-        }
-        int hash = INITIAL_HASH;
-        int arraySize = array.length;
-        for (int i = 0; i < arraySize; i++) {
-            hash = MULTIPLIER * hash + nullSafeHashCode(array[i]);
-        }
-        return hash;
-    }
-
-    /**
-     * Return a hash code based on the contents of the specified array.
-     * If <code>array</code> is <code>null</code>, this method returns 0.
-     */
-    public static int nullSafeHashCode(boolean[] array) {
-        if (array == null) {
-            return 0;
-        }
-        int hash = INITIAL_HASH;
-        int arraySize = array.length;
-        for (int i = 0; i < arraySize; i++) {
-            hash = MULTIPLIER * hash + hashCode(array[i]);
-        }
-        return hash;
-    }
-
-    /**
-     * Return a hash code based on the contents of the specified array.
-     * If <code>array</code> is <code>null</code>, this method returns 0.
-     */
-    public static int nullSafeHashCode(byte[] array) {
-        if (array == null) {
-            return 0;
-        }
-        int hash = INITIAL_HASH;
-        int arraySize = array.length;
-        for (int i = 0; i < arraySize; i++) {
-            hash = MULTIPLIER * hash + array[i];
-        }
-        return hash;
-    }
-
-    /**
-     * Return a hash code based on the contents of the specified array.
-     * If <code>array</code> is <code>null</code>, this method returns 0.
-     */
-    public static int nullSafeHashCode(char[] array) {
-        if (array == null) {
-            return 0;
-        }
-        int hash = INITIAL_HASH;
-        int arraySize = array.length;
-        for (int i = 0; i < arraySize; i++) {
-            hash = MULTIPLIER * hash + array[i];
-        }
-        return hash;
-    }
-
-    /**
-     * Return a hash code based on the contents of the specified array.
-     * If <code>array</code> is <code>null</code>, this method returns 0.
-     */
-    public static int nullSafeHashCode(double[] array) {
-        if (array == null) {
-            return 0;
-        }
-        int hash = INITIAL_HASH;
-        int arraySize = array.length;
-        for (int i = 0; i < arraySize; i++) {
-            hash = MULTIPLIER * hash + hashCode(array[i]);
-        }
-        return hash;
-    }
-
-    /**
-     * Return a hash code based on the contents of the specified array.
-     * If <code>array</code> is <code>null</code>, this method returns 0.
-     */
-    public static int nullSafeHashCode(float[] array) {
-        if (array == null) {
-            return 0;
-        }
-        int hash = INITIAL_HASH;
-        int arraySize = array.length;
-        for (int i = 0; i < arraySize; i++) {
-            hash = MULTIPLIER * hash + hashCode(array[i]);
-        }
-        return hash;
-    }
-
-    /**
-     * Return a hash code based on the contents of the specified array.
-     * If <code>array</code> is <code>null</code>, this method returns 0.
-     */
-    public static int nullSafeHashCode(int[] array) {
-        if (array == null) {
-            return 0;
-        }
-        int hash = INITIAL_HASH;
-        int arraySize = array.length;
-        for (int i = 0; i < arraySize; i++) {
-            hash = MULTIPLIER * hash + array[i];
-        }
-        return hash;
-    }
-
-    /**
-     * Return a hash code based on the contents of the specified array.
-     * If <code>array</code> is <code>null</code>, this method returns 0.
-     */
-    public static int nullSafeHashCode(long[] array) {
-        if (array == null) {
-            return 0;
-        }
-        int hash = INITIAL_HASH;
-        int arraySize = array.length;
-        for (int i = 0; i < arraySize; i++) {
-            hash = MULTIPLIER * hash + hashCode(array[i]);
-        }
-        return hash;
-    }
-
-    /**
-     * Return a hash code based on the contents of the specified array.
-     * If <code>array</code> is <code>null</code>, this method returns 0.
-     */
-    public static int nullSafeHashCode(short[] array) {
-        if (array == null) {
-            return 0;
-        }
-        int hash = INITIAL_HASH;
-        int arraySize = array.length;
-        for (int i = 0; i < arraySize; i++) {
-            hash = MULTIPLIER * hash + array[i];
-        }
-        return hash;
-    }
-
-    /**
-     * Return the same value as <code>{@link Boolean#hashCode()}</code>.
-     *
-     * @see Boolean#hashCode()
-     */
-    public static int hashCode(boolean bool) {
-        return bool ? 1231 : 1237;
-    }
-
-    /**
-     * Return the same value as <code>{@link Double#hashCode()}</code>.
-     *
-     * @see Double#hashCode()
-     */
-    public static int hashCode(double dbl) {
-        long bits = Double.doubleToLongBits(dbl);
-        return hashCode(bits);
-    }
-
-    /**
-     * Return the same value as <code>{@link Float#hashCode()}</code>.
-     *
-     * @see Float#hashCode()
-     */
-    public static int hashCode(float flt) {
-        return Float.floatToIntBits(flt);
-    }
-
-    /**
-     * Return the same value as <code>{@link Long#hashCode()}</code>.
-     *
-     * @see Long#hashCode()
-     */
-    public static int hashCode(long lng) {
-        return (int) (lng ^ (lng >>> 32));
-    }
-
-
-    //---------------------------------------------------------------------
-    // Convenience methods for toString output
-    //---------------------------------------------------------------------
-
-    /**
-     * Return a String representation of an object's overall identity.
-     *
-     * @param obj the object (may be <code>null</code>)
-     * @return the object's identity as String representation,
-     * or an empty String if the object was <code>null</code>
-     */
-    public static String identityToString(Object obj) {
-        if (obj == null) {
-            return EMPTY_STRING;
-        }
-        return obj.getClass().getName() + "@" + getIdentityHexString(obj);
-    }
-
-    /**
-     * Return a hex String form of an object's identity hash code.
-     *
-     * @param obj the object
-     * @return the object's identity code in hex notation
-     */
-    public static String getIdentityHexString(Object obj) {
-        return Integer.toHexString(System.identityHashCode(obj));
-    }
-
-    /**
-     * Return a content-based String representation if <code>obj</code> is
-     * not <code>null</code>; otherwise returns an empty String.
-     * <p>Differs from {@link #nullSafeToString(Object)} in that it returns
-     * an empty String rather than "null" for a <code>null</code> value.
-     *
-     * @param obj the object to build a display String for
-     * @return a display String representation of <code>obj</code>
-     * @see #nullSafeToString(Object)
-     */
-    public static String getDisplayString(Object obj) {
-        if (obj == null) {
-            return EMPTY_STRING;
-        }
-        return nullSafeToString(obj);
-    }
-
-    /**
-     * Determine the class name for the given object.
-     * <p>Returns <code>"null"</code> if <code>obj</code> is <code>null</code>.
-     *
-     * @param obj the object to introspect (may be <code>null</code>)
-     * @return the corresponding class name
-     */
-    public static String nullSafeClassName(Object obj) {
-        return (obj != null ? obj.getClass().getName() : NULL_STRING);
-    }
-
-    /**
-     * Return a String representation of the specified Object.
-     * <p>Builds a String representation of the contents in case of an array.
-     * Returns <code>"null"</code> if <code>obj</code> is <code>null</code>.
-     *
-     * @param obj the object to build a String representation for
-     * @return a String representation of <code>obj</code>
-     */
-    public static String nullSafeToString(Object obj) {
-        if (obj == null) {
-            return NULL_STRING;
-        }
-        if (obj instanceof String) {
-            return (String) obj;
-        }
-        if (obj instanceof Object[]) {
-            return nullSafeToString((Object[]) obj);
-        }
-        if (obj instanceof boolean[]) {
-            return nullSafeToString((boolean[]) obj);
-        }
-        if (obj instanceof byte[]) {
-            return nullSafeToString((byte[]) obj);
-        }
-        if (obj instanceof char[]) {
-            return nullSafeToString((char[]) obj);
-        }
-        if (obj instanceof double[]) {
-            return nullSafeToString((double[]) obj);
-        }
-        if (obj instanceof float[]) {
-            return nullSafeToString((float[]) obj);
-        }
-        if (obj instanceof int[]) {
-            return nullSafeToString((int[]) obj);
-        }
-        if (obj instanceof long[]) {
-            return nullSafeToString((long[]) obj);
-        }
-        if (obj instanceof short[]) {
-            return nullSafeToString((short[]) obj);
-        }
-        String str = obj.toString();
-        return (str != null ? str : EMPTY_STRING);
-    }
-
-    /**
-     * Return a String representation of the contents of the specified array.
-     * <p>The String representation consists of a list of the array's elements,
-     * enclosed in curly braces (<code>"{}"</code>). Adjacent elements are separated
-     * by the characters <code>", "</code> (a comma followed by a space). Returns
-     * <code>"null"</code> if <code>array</code> is <code>null</code>.
-     *
-     * @param array the array to build a String representation for
-     * @return a String representation of <code>array</code>
-     */
-    public static String nullSafeToString(Object[] array) {
-        if (array == null) {
-            return NULL_STRING;
-        }
-        int length = array.length;
-        if (length == 0) {
-            return EMPTY_ARRAY;
-        }
-        StringBuilder sb = new StringBuilder();
-        for (int i = 0; i < length; i++) {
-            if (i == 0) {
-                sb.append(ARRAY_START);
-            } else {
-                sb.append(ARRAY_ELEMENT_SEPARATOR);
-            }
-            sb.append(String.valueOf(array[i]));
-        }
-        sb.append(ARRAY_END);
-        return sb.toString();
-    }
-
-    /**
-     * Return a String representation of the contents of the specified array.
-     * <p>The String representation consists of a list of the array's elements,
-     * enclosed in curly braces (<code>"{}"</code>). Adjacent elements are separated
-     * by the characters <code>", "</code> (a comma followed by a space). Returns
-     * <code>"null"</code> if <code>array</code> is <code>null</code>.
-     *
-     * @param array the array to build a String representation for
-     * @return a String representation of <code>array</code>
-     */
-    public static String nullSafeToString(boolean[] array) {
-        if (array == null) {
-            return NULL_STRING;
-        }
-        int length = array.length;
-        if (length == 0) {
-            return EMPTY_ARRAY;
-        }
-        StringBuilder sb = new StringBuilder();
-        for (int i = 0; i < length; i++) {
-            if (i == 0) {
-                sb.append(ARRAY_START);
-            } else {
-                sb.append(ARRAY_ELEMENT_SEPARATOR);
-            }
-
-            sb.append(array[i]);
-        }
-        sb.append(ARRAY_END);
-        return sb.toString();
-    }
-
-    /**
-     * Return a String representation of the contents of the specified array.
-     * <p>The String representation consists of a list of the array's elements,
-     * enclosed in curly braces (<code>"{}"</code>). Adjacent elements are separated
-     * by the characters <code>", "</code> (a comma followed by a space). Returns
-     * <code>"null"</code> if <code>array</code> is <code>null</code>.
-     *
-     * @param array the array to build a String representation for
-     * @return a String representation of <code>array</code>
-     */
-    public static String nullSafeToString(byte[] array) {
-        if (array == null) {
-            return NULL_STRING;
-        }
-        int length = array.length;
-        if (length == 0) {
-            return EMPTY_ARRAY;
-        }
-        StringBuilder sb = new StringBuilder();
-        for (int i = 0; i < length; i++) {
-            if (i == 0) {
-                sb.append(ARRAY_START);
-            } else {
-                sb.append(ARRAY_ELEMENT_SEPARATOR);
-            }
-            sb.append(array[i]);
-        }
-        sb.append(ARRAY_END);
-        return sb.toString();
-    }
-
-    /**
-     * Return a String representation of the contents of the specified array.
-     * <p>The String representation consists of a list of the array's elements,
-     * enclosed in curly braces (<code>"{}"</code>). Adjacent elements are separated
-     * by the characters <code>", "</code> (a comma followed by a space). Returns
-     * <code>"null"</code> if <code>array</code> is <code>null</code>.
-     *
-     * @param array the array to build a String representation for
-     * @return a String representation of <code>array</code>
-     */
-    public static String nullSafeToString(char[] array) {
-        if (array == null) {
-            return NULL_STRING;
-        }
-        int length = array.length;
-        if (length == 0) {
-            return EMPTY_ARRAY;
-        }
-        StringBuilder sb = new StringBuilder();
-        for (int i = 0; i < length; i++) {
-            if (i == 0) {
-                sb.append(ARRAY_START);
-            } else {
-                sb.append(ARRAY_ELEMENT_SEPARATOR);
-            }
-            sb.append("'").append(array[i]).append("'");
-        }
-        sb.append(ARRAY_END);
-        return sb.toString();
-    }
-
-    /**
-     * Return a String representation of the contents of the specified array.
-     * <p>The String representation consists of a list of the array's elements,
-     * enclosed in curly braces (<code>"{}"</code>). Adjacent elements are separated
-     * by the characters <code>", "</code> (a comma followed by a space). Returns
-     * <code>"null"</code> if <code>array</code> is <code>null</code>.
-     *
-     * @param array the array to build a String representation for
-     * @return a String representation of <code>array</code>
-     */
-    public static String nullSafeToString(double[] array) {
-        if (array == null) {
-            return NULL_STRING;
-        }
-        int length = array.length;
-        if (length == 0) {
-            return EMPTY_ARRAY;
-        }
-        StringBuilder sb = new StringBuilder();
-        for (int i = 0; i < length; i++) {
-            if (i == 0) {
-                sb.append(ARRAY_START);
-            } else {
-                sb.append(ARRAY_ELEMENT_SEPARATOR);
-            }
-
-            sb.append(array[i]);
-        }
-        sb.append(ARRAY_END);
-        return sb.toString();
-    }
-
-    /**
-     * Return a String representation of the contents of the specified array.
-     * <p>The String representation consists of a list of the array's elements,
-     * enclosed in curly braces (<code>"{}"</code>). Adjacent elements are separated
-     * by the characters <code>", "</code> (a comma followed by a space). Returns
-     * <code>"null"</code> if <code>array</code> is <code>null</code>.
-     *
-     * @param array the array to build a String representation for
-     * @return a String representation of <code>array</code>
-     */
-    public static String nullSafeToString(float[] array) {
-        if (array == null) {
-            return NULL_STRING;
-        }
-        int length = array.length;
-        if (length == 0) {
-            return EMPTY_ARRAY;
-        }
-        StringBuilder sb = new StringBuilder();
-        for (int i = 0; i < length; i++) {
-            if (i == 0) {
-                sb.append(ARRAY_START);
-            } else {
-                sb.append(ARRAY_ELEMENT_SEPARATOR);
-            }
-
-            sb.append(array[i]);
-        }
-        sb.append(ARRAY_END);
-        return sb.toString();
-    }
-
-    /**
-     * Return a String representation of the contents of the specified array.
-     * <p>The String representation consists of a list of the array's elements,
-     * enclosed in curly braces (<code>"{}"</code>). Adjacent elements are separated
-     * by the characters <code>", "</code> (a comma followed by a space). Returns
-     * <code>"null"</code> if <code>array</code> is <code>null</code>.
-     *
-     * @param array the array to build a String representation for
-     * @return a String representation of <code>array</code>
-     */
-    public static String nullSafeToString(int[] array) {
-        if (array == null) {
-            return NULL_STRING;
-        }
-        int length = array.length;
-        if (length == 0) {
-            return EMPTY_ARRAY;
-        }
-        StringBuilder sb = new StringBuilder();
-        for (int i = 0; i < length; i++) {
-            if (i == 0) {
-                sb.append(ARRAY_START);
-            } else {
-                sb.append(ARRAY_ELEMENT_SEPARATOR);
-            }
-            sb.append(array[i]);
-        }
-        sb.append(ARRAY_END);
-        return sb.toString();
-    }
-
-    /**
-     * Return a String representation of the contents of the specified array.
-     * <p>The String representation consists of a list of the array's elements,
-     * enclosed in curly braces (<code>"{}"</code>). Adjacent elements are separated
-     * by the characters <code>", "</code> (a comma followed by a space). Returns
-     * <code>"null"</code> if <code>array</code> is <code>null</code>.
-     *
-     * @param array the array to build a String representation for
-     * @return a String representation of <code>array</code>
-     */
-    public static String nullSafeToString(long[] array) {
-        if (array == null) {
-            return NULL_STRING;
-        }
-        int length = array.length;
-        if (length == 0) {
-            return EMPTY_ARRAY;
-        }
-        StringBuilder sb = new StringBuilder();
-        for (int i = 0; i < length; i++) {
-            if (i == 0) {
-                sb.append(ARRAY_START);
-            } else {
-                sb.append(ARRAY_ELEMENT_SEPARATOR);
-            }
-            sb.append(array[i]);
-        }
-        sb.append(ARRAY_END);
-        return sb.toString();
-    }
-
-    /**
-     * Return a String representation of the contents of the specified array.
-     * <p>The String representation consists of a list of the array's elements,
-     * enclosed in curly braces (<code>"{}"</code>). Adjacent elements are separated
-     * by the characters <code>", "</code> (a comma followed by a space). Returns
-     * <code>"null"</code> if <code>array</code> is <code>null</code>.
-     *
-     * @param array the array to build a String representation for
-     * @return a String representation of <code>array</code>
-     */
-    public static String nullSafeToString(short[] array) {
-        if (array == null) {
-            return NULL_STRING;
-        }
-        int length = array.length;
-        if (length == 0) {
-            return EMPTY_ARRAY;
-        }
-        StringBuilder sb = new StringBuilder();
-        for (int i = 0; i < length; i++) {
-            if (i == 0) {
-                sb.append(ARRAY_START);
-            } else {
-                sb.append(ARRAY_ELEMENT_SEPARATOR);
-            }
-            sb.append(array[i]);
-        }
-        sb.append(ARRAY_END);
-        return sb.toString();
-    }
-
-    public static void nullSafeClose(Closeable... closeables) {
-        if (closeables == null) {
-            return;
-        }
-
-        for (Closeable closeable : closeables) {
-            if (closeable != null) {
-                try {
-                    closeable.close();
-                } catch (IOException e) {
-                    //Ignore the exception during close.
-                }
-            }
-        }
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/RuntimeEnvironment.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/RuntimeEnvironment.java
deleted file mode 100644
index df5b8c7c7ae..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/RuntimeEnvironment.java
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.lang;
-
-import java.security.Provider;
-import java.security.Security;
-import java.util.concurrent.atomic.AtomicBoolean;
-
-public final class RuntimeEnvironment {
-
-    private RuntimeEnvironment(){} //prevent instantiation
-
-    private static final String BC_PROVIDER_CLASS_NAME = "org.bouncycastle.jce.provider.BouncyCastleProvider";
-
-    private static final AtomicBoolean bcLoaded = new AtomicBoolean(false);
-
-    public static final boolean BOUNCY_CASTLE_AVAILABLE = Classes.isAvailable(BC_PROVIDER_CLASS_NAME);
-
-    public static void enableBouncyCastleIfPossible() {
-
-        if (!BOUNCY_CASTLE_AVAILABLE || bcLoaded.get()) {
-            return;
-        }
-
-        try {
-            Class clazz = Classes.forName(BC_PROVIDER_CLASS_NAME);
-
-            //check to see if the user has already registered the BC provider:
-
-            Provider[] providers = Security.getProviders();
-
-            for(Provider provider : providers) {
-                if (clazz.isInstance(provider)) {
-                    bcLoaded.set(true);
-                    return;
-                }
-            }
-
-            //bc provider not enabled - add it:
-            Security.addProvider((Provider)Classes.newInstance(clazz));
-            bcLoaded.set(true);
-
-        } catch (UnknownClassException e) {
-            //not available
-        }
-    }
-
-    static {
-        enableBouncyCastleIfPossible();
-    }
-
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Strings.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Strings.java
deleted file mode 100644
index 065bb2512bc..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/Strings.java
+++ /dev/null
@@ -1,1147 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.lang;
-
-import java.nio.charset.Charset;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Enumeration;
-import java.util.Iterator;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Locale;
-import java.util.Properties;
-import java.util.Set;
-import java.util.StringTokenizer;
-import java.util.TreeSet;
-
-public final class Strings {
-
-    private static final String FOLDER_SEPARATOR = "/";
-
-    private static final String WINDOWS_FOLDER_SEPARATOR = "\\";
-
-    private static final String TOP_PATH = "..";
-
-    private static final String CURRENT_PATH = ".";
-
-    private static final char EXTENSION_SEPARATOR = '.';
-
-    public static final Charset UTF_8 = Charset.forName("UTF-8");
-
-    private Strings(){} //prevent instantiation
-
-    //---------------------------------------------------------------------
-    // General convenience methods for working with Strings
-    //---------------------------------------------------------------------
-
-    /**
-     * Check that the given CharSequence is neither <code>null</code> nor of length 0.
-     * Note: Will return <code>true</code> for a CharSequence that purely consists of whitespace.
-     * <p><pre>
-     * Strings.hasLength(null) = false
-     * Strings.hasLength("") = false
-     * Strings.hasLength(" ") = true
-     * Strings.hasLength("Hello") = true
-     * </pre>
-     * @param str the CharSequence to check (may be <code>null</code>)
-     * @return <code>true</code> if the CharSequence is not null and has length
-     * @see #hasText(String)
-     */
-    public static boolean hasLength(CharSequence str) {
-        return (str != null && str.length() > 0);
-    }
-
-    /**
-     * Check that the given String is neither <code>null</code> nor of length 0.
-     * Note: Will return <code>true</code> for a String that purely consists of whitespace.
-     * @param str the String to check (may be <code>null</code>)
-     * @return <code>true</code> if the String is not null and has length
-     * @see #hasLength(CharSequence)
-     */
-    public static boolean hasLength(String str) {
-        return hasLength((CharSequence) str);
-    }
-
-    /**
-     * Check whether the given CharSequence has actual text.
-     * More specifically, returns <code>true</code> if the string not <code>null</code>,
-     * its length is greater than 0, and it contains at least one non-whitespace character.
-     * <p><pre>
-     * Strings.hasText(null) = false
-     * Strings.hasText("") = false
-     * Strings.hasText(" ") = false
-     * Strings.hasText("12345") = true
-     * Strings.hasText(" 12345 ") = true
-     * </pre>
-     * @param str the CharSequence to check (may be <code>null</code>)
-     * @return <code>true</code> if the CharSequence is not <code>null</code>,
-     * its length is greater than 0, and it does not contain whitespace only
-     * @see java.lang.Character#isWhitespace
-     */
-    public static boolean hasText(CharSequence str) {
-        if (!hasLength(str)) {
-            return false;
-        }
-        int strLen = str.length();
-        for (int i = 0; i < strLen; i++) {
-            if (!Character.isWhitespace(str.charAt(i))) {
-                return true;
-            }
-        }
-        return false;
-    }
-
-    /**
-     * Check whether the given String has actual text.
-     * More specifically, returns <code>true</code> if the string not <code>null</code>,
-     * its length is greater than 0, and it contains at least one non-whitespace character.
-     * @param str the String to check (may be <code>null</code>)
-     * @return <code>true</code> if the String is not <code>null</code>, its length is
-     * greater than 0, and it does not contain whitespace only
-     * @see #hasText(CharSequence)
-     */
-    public static boolean hasText(String str) {
-        return hasText((CharSequence) str);
-    }
-
-    /**
-     * Check whether the given CharSequence contains any whitespace characters.
-     * @param str the CharSequence to check (may be <code>null</code>)
-     * @return <code>true</code> if the CharSequence is not empty and
-     * contains at least 1 whitespace character
-     * @see java.lang.Character#isWhitespace
-     */
-    public static boolean containsWhitespace(CharSequence str) {
-        if (!hasLength(str)) {
-            return false;
-        }
-        int strLen = str.length();
-        for (int i = 0; i < strLen; i++) {
-            if (Character.isWhitespace(str.charAt(i))) {
-                return true;
-            }
-        }
-        return false;
-    }
-
-    /**
-     * Check whether the given String contains any whitespace characters.
-     * @param str the String to check (may be <code>null</code>)
-     * @return <code>true</code> if the String is not empty and
-     * contains at least 1 whitespace character
-     * @see #containsWhitespace(CharSequence)
-     */
-    public static boolean containsWhitespace(String str) {
-        return containsWhitespace((CharSequence) str);
-    }
-
-    /**
-     * Trim leading and trailing whitespace from the given String.
-     * @param str the String to check
-     * @return the trimmed String
-     * @see java.lang.Character#isWhitespace
-     */
-    public static String trimWhitespace(String str) {
-        return (String) trimWhitespace((CharSequence)str);
-    }
-    
-    
-    private static CharSequence trimWhitespace(CharSequence str) {
-        if (!hasLength(str)) {
-            return str;
-        }
-        final int length = str.length();
-
-        int start = 0;
-		while (start < length && Character.isWhitespace(str.charAt(start))) {
-            start++;
-        }
-        
-		int end = length;
-        while (start < length && Character.isWhitespace(str.charAt(end - 1))) {
-            end--;
-        }
-        
-        return ((start > 0) || (end < length)) ? str.subSequence(start, end) : str;
-    }
-
-    public static String clean(String str) {
-    	CharSequence result = clean((CharSequence) str);
-        
-        return result!=null?result.toString():null;
-    }
-    
-    public static CharSequence clean(CharSequence str) {
-        str = trimWhitespace(str);
-        if (!hasLength(str)) {
-            return null;
-        }
-        return str;
-    }
-
-    /**
-     * Trim <i>all</i> whitespace from the given String:
-     * leading, trailing, and inbetween characters.
-     * @param str the String to check
-     * @return the trimmed String
-     * @see java.lang.Character#isWhitespace
-     */
-    public static String trimAllWhitespace(String str) {
-        if (!hasLength(str)) {
-            return str;
-        }
-        StringBuilder sb = new StringBuilder(str);
-        int index = 0;
-        while (sb.length() > index) {
-            if (Character.isWhitespace(sb.charAt(index))) {
-                sb.deleteCharAt(index);
-            }
-            else {
-                index++;
-            }
-        }
-        return sb.toString();
-    }
-
-    /**
-     * Trim leading whitespace from the given String.
-     * @param str the String to check
-     * @return the trimmed String
-     * @see java.lang.Character#isWhitespace
-     */
-    public static String trimLeadingWhitespace(String str) {
-        if (!hasLength(str)) {
-            return str;
-        }
-        StringBuilder sb = new StringBuilder(str);
-        while (sb.length() > 0 && Character.isWhitespace(sb.charAt(0))) {
-            sb.deleteCharAt(0);
-        }
-        return sb.toString();
-    }
-
-    /**
-     * Trim trailing whitespace from the given String.
-     * @param str the String to check
-     * @return the trimmed String
-     * @see java.lang.Character#isWhitespace
-     */
-    public static String trimTrailingWhitespace(String str) {
-        if (!hasLength(str)) {
-            return str;
-        }
-        StringBuilder sb = new StringBuilder(str);
-        while (sb.length() > 0 && Character.isWhitespace(sb.charAt(sb.length() - 1))) {
-            sb.deleteCharAt(sb.length() - 1);
-        }
-        return sb.toString();
-    }
-
-    /**
-     * Trim all occurences of the supplied leading character from the given String.
-     * @param str the String to check
-     * @param leadingCharacter the leading character to be trimmed
-     * @return the trimmed String
-     */
-    public static String trimLeadingCharacter(String str, char leadingCharacter) {
-        if (!hasLength(str)) {
-            return str;
-        }
-        StringBuilder sb = new StringBuilder(str);
-        while (sb.length() > 0 && sb.charAt(0) == leadingCharacter) {
-            sb.deleteCharAt(0);
-        }
-        return sb.toString();
-    }
-
-    /**
-     * Trim all occurences of the supplied trailing character from the given String.
-     * @param str the String to check
-     * @param trailingCharacter the trailing character to be trimmed
-     * @return the trimmed String
-     */
-    public static String trimTrailingCharacter(String str, char trailingCharacter) {
-        if (!hasLength(str)) {
-            return str;
-        }
-        StringBuilder sb = new StringBuilder(str);
-        while (sb.length() > 0 && sb.charAt(sb.length() - 1) == trailingCharacter) {
-            sb.deleteCharAt(sb.length() - 1);
-        }
-        return sb.toString();
-    }
-
-
-    /**
-     * Test if the given String starts with the specified prefix,
-     * ignoring upper/lower case.
-     * @param str the String to check
-     * @param prefix the prefix to look for
-     * @see java.lang.String#startsWith
-     */
-    public static boolean startsWithIgnoreCase(String str, String prefix) {
-        if (str == null || prefix == null) {
-            return false;
-        }
-        if (str.startsWith(prefix)) {
-            return true;
-        }
-        if (str.length() < prefix.length()) {
-            return false;
-        }
-        String lcStr = str.substring(0, prefix.length()).toLowerCase();
-        String lcPrefix = prefix.toLowerCase();
-        return lcStr.equals(lcPrefix);
-    }
-
-    /**
-     * Test if the given String ends with the specified suffix,
-     * ignoring upper/lower case.
-     * @param str the String to check
-     * @param suffix the suffix to look for
-     * @see java.lang.String#endsWith
-     */
-    public static boolean endsWithIgnoreCase(String str, String suffix) {
-        if (str == null || suffix == null) {
-            return false;
-        }
-        if (str.endsWith(suffix)) {
-            return true;
-        }
-        if (str.length() < suffix.length()) {
-            return false;
-        }
-
-        String lcStr = str.substring(str.length() - suffix.length()).toLowerCase();
-        String lcSuffix = suffix.toLowerCase();
-        return lcStr.equals(lcSuffix);
-    }
-
-    /**
-     * Test whether the given string matches the given substring
-     * at the given index.
-     * @param str the original string (or StringBuilder)
-     * @param index the index in the original string to start matching against
-     * @param substring the substring to match at the given index
-     */
-    public static boolean substringMatch(CharSequence str, int index, CharSequence substring) {
-        for (int j = 0; j < substring.length(); j++) {
-            int i = index + j;
-            if (i >= str.length() || str.charAt(i) != substring.charAt(j)) {
-                return false;
-            }
-        }
-        return true;
-    }
-
-    /**
-     * Count the occurrences of the substring in string s.
-     * @param str string to search in. Return 0 if this is null.
-     * @param sub string to search for. Return 0 if this is null.
-     */
-    public static int countOccurrencesOf(String str, String sub) {
-        if (str == null || sub == null || str.length() == 0 || sub.length() == 0) {
-            return 0;
-        }
-        int count = 0;
-        int pos = 0;
-        int idx;
-        while ((idx = str.indexOf(sub, pos)) != -1) {
-            ++count;
-            pos = idx + sub.length();
-        }
-        return count;
-    }
-
-    /**
-     * Replace all occurences of a substring within a string with
-     * another string.
-     * @param inString String to examine
-     * @param oldPattern String to replace
-     * @param newPattern String to insert
-     * @return a String with the replacements
-     */
-    public static String replace(String inString, String oldPattern, String newPattern) {
-        if (!hasLength(inString) || !hasLength(oldPattern) || newPattern == null) {
-            return inString;
-        }
-        StringBuilder sb = new StringBuilder();
-        int pos = 0; // our position in the old string
-        int index = inString.indexOf(oldPattern);
-        // the index of an occurrence we've found, or -1
-        int patLen = oldPattern.length();
-        while (index >= 0) {
-            sb.append(inString.substring(pos, index));
-            sb.append(newPattern);
-            pos = index + patLen;
-            index = inString.indexOf(oldPattern, pos);
-        }
-        sb.append(inString.substring(pos));
-        // remember to append any characters to the right of a match
-        return sb.toString();
-    }
-
-    /**
-     * Delete all occurrences of the given substring.
-     * @param inString the original String
-     * @param pattern the pattern to delete all occurrences of
-     * @return the resulting String
-     */
-    public static String delete(String inString, String pattern) {
-        return replace(inString, pattern, "");
-    }
-
-    /**
-     * Delete any character in a given String.
-     * @param inString the original String
-     * @param charsToDelete a set of characters to delete.
-     * E.g. "az\n" will delete 'a's, 'z's and new lines.
-     * @return the resulting String
-     */
-    public static String deleteAny(String inString, String charsToDelete) {
-        if (!hasLength(inString) || !hasLength(charsToDelete)) {
-            return inString;
-        }
-        StringBuilder sb = new StringBuilder();
-        for (int i = 0; i < inString.length(); i++) {
-            char c = inString.charAt(i);
-            if (charsToDelete.indexOf(c) == -1) {
-                sb.append(c);
-            }
-        }
-        return sb.toString();
-    }
-
-
-    //---------------------------------------------------------------------
-    // Convenience methods for working with formatted Strings
-    //---------------------------------------------------------------------
-
-    /**
-     * Quote the given String with single quotes.
-     * @param str the input String (e.g. "myString")
-     * @return the quoted String (e.g. "'myString'"),
-     * or <code>null</code> if the input was <code>null</code>
-     */
-    public static String quote(String str) {
-        return (str != null ? "'" + str + "'" : null);
-    }
-
-    /**
-     * Turn the given Object into a String with single quotes
-     * if it is a String; keeping the Object as-is else.
-     * @param obj the input Object (e.g. "myString")
-     * @return the quoted String (e.g. "'myString'"),
-     * or the input object as-is if not a String
-     */
-    public static Object quoteIfString(Object obj) {
-        return (obj instanceof String ? quote((String) obj) : obj);
-    }
-
-    /**
-     * Unqualify a string qualified by a '.' dot character. For example,
-     * "this.name.is.qualified", returns "qualified".
-     * @param qualifiedName the qualified name
-     */
-    public static String unqualify(String qualifiedName) {
-        return unqualify(qualifiedName, '.');
-    }
-
-    /**
-     * Unqualify a string qualified by a separator character. For example,
-     * "this:name:is:qualified" returns "qualified" if using a ':' separator.
-     * @param qualifiedName the qualified name
-     * @param separator the separator
-     */
-    public static String unqualify(String qualifiedName, char separator) {
-        return qualifiedName.substring(qualifiedName.lastIndexOf(separator) + 1);
-    }
-
-    /**
-     * Capitalize a <code>String</code>, changing the first letter to
-     * upper case as per {@link Character#toUpperCase(char)}.
-     * No other letters are changed.
-     * @param str the String to capitalize, may be <code>null</code>
-     * @return the capitalized String, <code>null</code> if null
-     */
-    public static String capitalize(String str) {
-        return changeFirstCharacterCase(str, true);
-    }
-
-    /**
-     * Uncapitalize a <code>String</code>, changing the first letter to
-     * lower case as per {@link Character#toLowerCase(char)}.
-     * No other letters are changed.
-     * @param str the String to uncapitalize, may be <code>null</code>
-     * @return the uncapitalized String, <code>null</code> if null
-     */
-    public static String uncapitalize(String str) {
-        return changeFirstCharacterCase(str, false);
-    }
-
-    private static String changeFirstCharacterCase(String str, boolean capitalize) {
-        if (str == null || str.length() == 0) {
-            return str;
-        }
-        StringBuilder sb = new StringBuilder(str.length());
-        if (capitalize) {
-            sb.append(Character.toUpperCase(str.charAt(0)));
-        }
-        else {
-            sb.append(Character.toLowerCase(str.charAt(0)));
-        }
-        sb.append(str.substring(1));
-        return sb.toString();
-    }
-
-    /**
-     * Extract the filename from the given path,
-     * e.g. "mypath/myfile.txt" -&gt; "myfile.txt".
-     * @param path the file path (may be <code>null</code>)
-     * @return the extracted filename, or <code>null</code> if none
-     */
-    public static String getFilename(String path) {
-        if (path == null) {
-            return null;
-        }
-        int separatorIndex = path.lastIndexOf(FOLDER_SEPARATOR);
-        return (separatorIndex != -1 ? path.substring(separatorIndex + 1) : path);
-    }
-
-    /**
-     * Extract the filename extension from the given path,
-     * e.g. "mypath/myfile.txt" -&gt; "txt".
-     * @param path the file path (may be <code>null</code>)
-     * @return the extracted filename extension, or <code>null</code> if none
-     */
-    public static String getFilenameExtension(String path) {
-        if (path == null) {
-            return null;
-        }
-        int extIndex = path.lastIndexOf(EXTENSION_SEPARATOR);
-        if (extIndex == -1) {
-            return null;
-        }
-        int folderIndex = path.lastIndexOf(FOLDER_SEPARATOR);
-        if (folderIndex > extIndex) {
-            return null;
-        }
-        return path.substring(extIndex + 1);
-    }
-
-    /**
-     * Strip the filename extension from the given path,
-     * e.g. "mypath/myfile.txt" -&gt; "mypath/myfile".
-     * @param path the file path (may be <code>null</code>)
-     * @return the path with stripped filename extension,
-     * or <code>null</code> if none
-     */
-    public static String stripFilenameExtension(String path) {
-        if (path == null) {
-            return null;
-        }
-        int extIndex = path.lastIndexOf(EXTENSION_SEPARATOR);
-        if (extIndex == -1) {
-            return path;
-        }
-        int folderIndex = path.lastIndexOf(FOLDER_SEPARATOR);
-        if (folderIndex > extIndex) {
-            return path;
-        }
-        return path.substring(0, extIndex);
-    }
-
-    /**
-     * Apply the given relative path to the given path,
-     * assuming standard Java folder separation (i.e. "/" separators).
-     * @param path the path to start from (usually a full file path)
-     * @param relativePath the relative path to apply
-     * (relative to the full file path above)
-     * @return the full file path that results from applying the relative path
-     */
-    public static String applyRelativePath(String path, String relativePath) {
-        int separatorIndex = path.lastIndexOf(FOLDER_SEPARATOR);
-        if (separatorIndex != -1) {
-            String newPath = path.substring(0, separatorIndex);
-            if (!relativePath.startsWith(FOLDER_SEPARATOR)) {
-                newPath += FOLDER_SEPARATOR;
-            }
-            return newPath + relativePath;
-        }
-        else {
-            return relativePath;
-        }
-    }
-
-    /**
-     * Normalize the path by suppressing sequences like "path/.." and
-     * inner simple dots.
-     * <p>The result is convenient for path comparison. For other uses,
-     * notice that Windows separators ("\") are replaced by simple slashes.
-     * @param path the original path
-     * @return the normalized path
-     */
-    public static String cleanPath(String path) {
-        if (path == null) {
-            return null;
-        }
-        String pathToUse = replace(path, WINDOWS_FOLDER_SEPARATOR, FOLDER_SEPARATOR);
-
-        // Strip prefix from path to analyze, to not treat it as part of the
-        // first path element. This is necessary to correctly parse paths like
-        // "file:core/../core/io/Resource.class", where the ".." should just
-        // strip the first "core" directory while keeping the "file:" prefix.
-        int prefixIndex = pathToUse.indexOf(":");
-        String prefix = "";
-        if (prefixIndex != -1) {
-            prefix = pathToUse.substring(0, prefixIndex + 1);
-            pathToUse = pathToUse.substring(prefixIndex + 1);
-        }
-        if (pathToUse.startsWith(FOLDER_SEPARATOR)) {
-            prefix = prefix + FOLDER_SEPARATOR;
-            pathToUse = pathToUse.substring(1);
-        }
-
-        String[] pathArray = delimitedListToStringArray(pathToUse, FOLDER_SEPARATOR);
-        List<String> pathElements = new LinkedList<String>();
-        int tops = 0;
-
-        for (int i = pathArray.length - 1; i >= 0; i--) {
-            String element = pathArray[i];
-            if (CURRENT_PATH.equals(element)) {
-                // Points to current directory - drop it.
-            }
-            else if (TOP_PATH.equals(element)) {
-                // Registering top path found.
-                tops++;
-            }
-            else {
-                if (tops > 0) {
-                    // Merging path element with element corresponding to top path.
-                    tops--;
-                }
-                else {
-                    // Normal path element found.
-                    pathElements.add(0, element);
-                }
-            }
-        }
-
-        // Remaining top paths need to be retained.
-        for (int i = 0; i < tops; i++) {
-            pathElements.add(0, TOP_PATH);
-        }
-
-        return prefix + collectionToDelimitedString(pathElements, FOLDER_SEPARATOR);
-    }
-
-    /**
-     * Compare two paths after normalization of them.
-     * @param path1 first path for comparison
-     * @param path2 second path for comparison
-     * @return whether the two paths are equivalent after normalization
-     */
-    public static boolean pathEquals(String path1, String path2) {
-        return cleanPath(path1).equals(cleanPath(path2));
-    }
-
-    /**
-     * Parse the given <code>localeString</code> value into a {@link java.util.Locale}.
-     * <p>This is the inverse operation of {@link java.util.Locale#toString Locale's toString}.
-     * @param localeString the locale string, following <code>Locale's</code>
-     * <code>toString()</code> format ("en", "en_UK", etc);
-     * also accepts spaces as separators, as an alternative to underscores
-     * @return a corresponding <code>Locale</code> instance
-     */
-    public static Locale parseLocaleString(String localeString) {
-        String[] parts = tokenizeToStringArray(localeString, "_ ", false, false);
-        String language = (parts.length > 0 ? parts[0] : "");
-        String country = (parts.length > 1 ? parts[1] : "");
-        validateLocalePart(language);
-        validateLocalePart(country);
-        String variant = "";
-        if (parts.length >= 2) {
-            // There is definitely a variant, and it is everything after the country
-            // code sans the separator between the country code and the variant.
-            int endIndexOfCountryCode = localeString.indexOf(country) + country.length();
-            // Strip off any leading '_' and whitespace, what's left is the variant.
-            variant = trimLeadingWhitespace(localeString.substring(endIndexOfCountryCode));
-            if (variant.startsWith("_")) {
-                variant = trimLeadingCharacter(variant, '_');
-            }
-        }
-        return (language.length() > 0 ? new Locale(language, country, variant) : null);
-    }
-
-    private static void validateLocalePart(String localePart) {
-        for (int i = 0; i < localePart.length(); i++) {
-            char ch = localePart.charAt(i);
-            if (ch != '_' && ch != ' ' && !Character.isLetterOrDigit(ch)) {
-                throw new IllegalArgumentException(
-                    "Locale part \"" + localePart + "\" contains invalid characters");
-            }
-        }
-    }
-
-    /**
-     * Determine the RFC 3066 compliant language tag,
-     * as used for the HTTP "Accept-Language" header.
-     * @param locale the Locale to transform to a language tag
-     * @return the RFC 3066 compliant language tag as String
-     */
-    public static String toLanguageTag(Locale locale) {
-        return locale.getLanguage() + (hasText(locale.getCountry()) ? "-" + locale.getCountry() : "");
-    }
-
-
-    //---------------------------------------------------------------------
-    // Convenience methods for working with String arrays
-    //---------------------------------------------------------------------
-
-    /**
-     * Append the given String to the given String array, returning a new array
-     * consisting of the input array contents plus the given String.
-     * @param array the array to append to (can be <code>null</code>)
-     * @param str the String to append
-     * @return the new array (never <code>null</code>)
-     */
-    public static String[] addStringToArray(String[] array, String str) {
-        if (Objects.isEmpty(array)) {
-            return new String[] {str};
-        }
-        String[] newArr = new String[array.length + 1];
-        System.arraycopy(array, 0, newArr, 0, array.length);
-        newArr[array.length] = str;
-        return newArr;
-    }
-
-    /**
-     * Concatenate the given String arrays into one,
-     * with overlapping array elements included twice.
-     * <p>The order of elements in the original arrays is preserved.
-     * @param array1 the first array (can be <code>null</code>)
-     * @param array2 the second array (can be <code>null</code>)
-     * @return the new array (<code>null</code> if both given arrays were <code>null</code>)
-     */
-    public static String[] concatenateStringArrays(String[] array1, String[] array2) {
-        if (Objects.isEmpty(array1)) {
-            return array2;
-        }
-        if (Objects.isEmpty(array2)) {
-            return array1;
-        }
-        String[] newArr = new String[array1.length + array2.length];
-        System.arraycopy(array1, 0, newArr, 0, array1.length);
-        System.arraycopy(array2, 0, newArr, array1.length, array2.length);
-        return newArr;
-    }
-
-    /**
-     * Merge the given String arrays into one, with overlapping
-     * array elements only included once.
-     * <p>The order of elements in the original arrays is preserved
-     * (with the exception of overlapping elements, which are only
-     * included on their first occurrence).
-     * @param array1 the first array (can be <code>null</code>)
-     * @param array2 the second array (can be <code>null</code>)
-     * @return the new array (<code>null</code> if both given arrays were <code>null</code>)
-     */
-    public static String[] mergeStringArrays(String[] array1, String[] array2) {
-        if (Objects.isEmpty(array1)) {
-            return array2;
-        }
-        if (Objects.isEmpty(array2)) {
-            return array1;
-        }
-        List<String> result = new ArrayList<String>();
-        result.addAll(Arrays.asList(array1));
-        for (String str : array2) {
-            if (!result.contains(str)) {
-                result.add(str);
-            }
-        }
-        return toStringArray(result);
-    }
-
-    /**
-     * Turn given source String array into sorted array.
-     * @param array the source array
-     * @return the sorted array (never <code>null</code>)
-     */
-    public static String[] sortStringArray(String[] array) {
-        if (Objects.isEmpty(array)) {
-            return new String[0];
-        }
-        Arrays.sort(array);
-        return array;
-    }
-
-    /**
-     * Copy the given Collection into a String array.
-     * The Collection must contain String elements only.
-     * @param collection the Collection to copy
-     * @return the String array (<code>null</code> if the passed-in
-     * Collection was <code>null</code>)
-     */
-    public static String[] toStringArray(Collection<String> collection) {
-        if (collection == null) {
-            return null;
-        }
-        return collection.toArray(new String[collection.size()]);
-    }
-
-    /**
-     * Copy the given Enumeration into a String array.
-     * The Enumeration must contain String elements only.
-     * @param enumeration the Enumeration to copy
-     * @return the String array (<code>null</code> if the passed-in
-     * Enumeration was <code>null</code>)
-     */
-    public static String[] toStringArray(Enumeration<String> enumeration) {
-        if (enumeration == null) {
-            return null;
-        }
-        List<String> list = java.util.Collections.list(enumeration);
-        return list.toArray(new String[list.size()]);
-    }
-
-    /**
-     * Trim the elements of the given String array,
-     * calling <code>String.trim()</code> on each of them.
-     * @param array the original String array
-     * @return the resulting array (of the same size) with trimmed elements
-     */
-    public static String[] trimArrayElements(String[] array) {
-        if (Objects.isEmpty(array)) {
-            return new String[0];
-        }
-        String[] result = new String[array.length];
-        for (int i = 0; i < array.length; i++) {
-            String element = array[i];
-            result[i] = (element != null ? element.trim() : null);
-        }
-        return result;
-    }
-
-    /**
-     * Remove duplicate Strings from the given array.
-     * Also sorts the array, as it uses a TreeSet.
-     * @param array the String array
-     * @return an array without duplicates, in natural sort order
-     */
-    public static String[] removeDuplicateStrings(String[] array) {
-        if (Objects.isEmpty(array)) {
-            return array;
-        }
-        Set<String> set = new TreeSet<String>();
-        for (String element : array) {
-            set.add(element);
-        }
-        return toStringArray(set);
-    }
-
-    /**
-     * Split a String at the first occurrence of the delimiter.
-     * Does not include the delimiter in the result.
-     * @param toSplit the string to split
-     * @param delimiter to split the string up with
-     * @return a two element array with index 0 being before the delimiter, and
-     * index 1 being after the delimiter (neither element includes the delimiter);
-     * or <code>null</code> if the delimiter wasn't found in the given input String
-     */
-    public static String[] split(String toSplit, String delimiter) {
-        if (!hasLength(toSplit) || !hasLength(delimiter)) {
-            return null;
-        }
-        int offset = toSplit.indexOf(delimiter);
-        if (offset < 0) {
-            return null;
-        }
-        String beforeDelimiter = toSplit.substring(0, offset);
-        String afterDelimiter = toSplit.substring(offset + delimiter.length());
-        return new String[] {beforeDelimiter, afterDelimiter};
-    }
-
-    /**
-     * Take an array Strings and split each element based on the given delimiter.
-     * A <code>Properties</code> instance is then generated, with the left of the
-     * delimiter providing the key, and the right of the delimiter providing the value.
-     * <p>Will trim both the key and value before adding them to the
-     * <code>Properties</code> instance.
-     * @param array the array to process
-     * @param delimiter to split each element using (typically the equals symbol)
-     * @return a <code>Properties</code> instance representing the array contents,
-     * or <code>null</code> if the array to process was null or empty
-     */
-    public static Properties splitArrayElementsIntoProperties(String[] array, String delimiter) {
-        return splitArrayElementsIntoProperties(array, delimiter, null);
-    }
-
-    /**
-     * Take an array Strings and split each element based on the given delimiter.
-     * A <code>Properties</code> instance is then generated, with the left of the
-     * delimiter providing the key, and the right of the delimiter providing the value.
-     * <p>Will trim both the key and value before adding them to the
-     * <code>Properties</code> instance.
-     * @param array the array to process
-     * @param delimiter to split each element using (typically the equals symbol)
-     * @param charsToDelete one or more characters to remove from each element
-     * prior to attempting the split operation (typically the quotation mark
-     * symbol), or <code>null</code> if no removal should occur
-     * @return a <code>Properties</code> instance representing the array contents,
-     * or <code>null</code> if the array to process was <code>null</code> or empty
-     */
-    public static Properties splitArrayElementsIntoProperties(
-        String[] array, String delimiter, String charsToDelete) {
-
-        if (Objects.isEmpty(array)) {
-            return null;
-        }
-        Properties result = new Properties();
-        for (String element : array) {
-            if (charsToDelete != null) {
-                element = deleteAny(element, charsToDelete);
-            }
-            String[] splittedElement = split(element, delimiter);
-            if (splittedElement == null) {
-                continue;
-            }
-            result.setProperty(splittedElement[0].trim(), splittedElement[1].trim());
-        }
-        return result;
-    }
-
-    /**
-     * Tokenize the given String into a String array via a StringTokenizer.
-     * Trims tokens and omits empty tokens.
-     * <p>The given delimiters string is supposed to consist of any number of
-     * delimiter characters. Each of those characters can be used to separate
-     * tokens. A delimiter is always a single character; for multi-character
-     * delimiters, consider using <code>delimitedListToStringArray</code>
-     * @param str the String to tokenize
-     * @param delimiters the delimiter characters, assembled as String
-     * (each of those characters is individually considered as delimiter).
-     * @return an array of the tokens
-     * @see java.util.StringTokenizer
-     * @see java.lang.String#trim()
-     * @see #delimitedListToStringArray
-     */
-    public static String[] tokenizeToStringArray(String str, String delimiters) {
-        return tokenizeToStringArray(str, delimiters, true, true);
-    }
-
-    /**
-     * Tokenize the given String into a String array via a StringTokenizer.
-     * <p>The given delimiters string is supposed to consist of any number of
-     * delimiter characters. Each of those characters can be used to separate
-     * tokens. A delimiter is always a single character; for multi-character
-     * delimiters, consider using <code>delimitedListToStringArray</code>
-     * @param str the String to tokenize
-     * @param delimiters the delimiter characters, assembled as String
-     * (each of those characters is individually considered as delimiter)
-     * @param trimTokens trim the tokens via String's <code>trim</code>
-     * @param ignoreEmptyTokens omit empty tokens from the result array
-     * (only applies to tokens that are empty after trimming; StringTokenizer
-     * will not consider subsequent delimiters as token in the first place).
-     * @return an array of the tokens (<code>null</code> if the input String
-     * was <code>null</code>)
-     * @see java.util.StringTokenizer
-     * @see java.lang.String#trim()
-     * @see #delimitedListToStringArray
-     */
-    public static String[] tokenizeToStringArray(
-        String str, String delimiters, boolean trimTokens, boolean ignoreEmptyTokens) {
-
-        if (str == null) {
-            return null;
-        }
-        StringTokenizer st = new StringTokenizer(str, delimiters);
-        List<String> tokens = new ArrayList<String>();
-        while (st.hasMoreTokens()) {
-            String token = st.nextToken();
-            if (trimTokens) {
-                token = token.trim();
-            }
-            if (!ignoreEmptyTokens || token.length() > 0) {
-                tokens.add(token);
-            }
-        }
-        return toStringArray(tokens);
-    }
-
-    /**
-     * Take a String which is a delimited list and convert it to a String array.
-     * <p>A single delimiter can consists of more than one character: It will still
-     * be considered as single delimiter string, rather than as bunch of potential
-     * delimiter characters - in contrast to <code>tokenizeToStringArray</code>.
-     * @param str the input String
-     * @param delimiter the delimiter between elements (this is a single delimiter,
-     * rather than a bunch individual delimiter characters)
-     * @return an array of the tokens in the list
-     * @see #tokenizeToStringArray
-     */
-    public static String[] delimitedListToStringArray(String str, String delimiter) {
-        return delimitedListToStringArray(str, delimiter, null);
-    }
-
-    /**
-     * Take a String which is a delimited list and convert it to a String array.
-     * <p>A single delimiter can consists of more than one character: It will still
-     * be considered as single delimiter string, rather than as bunch of potential
-     * delimiter characters - in contrast to <code>tokenizeToStringArray</code>.
-     * @param str the input String
-     * @param delimiter the delimiter between elements (this is a single delimiter,
-     * rather than a bunch individual delimiter characters)
-     * @param charsToDelete a set of characters to delete. Useful for deleting unwanted
-     * line breaks: e.g. "\r\n\f" will delete all new lines and line feeds in a String.
-     * @return an array of the tokens in the list
-     * @see #tokenizeToStringArray
-     */
-    public static String[] delimitedListToStringArray(String str, String delimiter, String charsToDelete) {
-        if (str == null) {
-            return new String[0];
-        }
-        if (delimiter == null) {
-            return new String[] {str};
-        }
-        List<String> result = new ArrayList<String>();
-        if ("".equals(delimiter)) {
-            for (int i = 0; i < str.length(); i++) {
-                result.add(deleteAny(str.substring(i, i + 1), charsToDelete));
-            }
-        }
-        else {
-            int pos = 0;
-            int delPos;
-            while ((delPos = str.indexOf(delimiter, pos)) != -1) {
-                result.add(deleteAny(str.substring(pos, delPos), charsToDelete));
-                pos = delPos + delimiter.length();
-            }
-            if (str.length() > 0 && pos <= str.length()) {
-                // Add rest of String, but not in case of empty input.
-                result.add(deleteAny(str.substring(pos), charsToDelete));
-            }
-        }
-        return toStringArray(result);
-    }
-
-    /**
-     * Convert a CSV list into an array of Strings.
-     * @param str the input String
-     * @return an array of Strings, or the empty array in case of empty input
-     */
-    public static String[] commaDelimitedListToStringArray(String str) {
-        return delimitedListToStringArray(str, ",");
-    }
-
-    /**
-     * Convenience method to convert a CSV string list to a set.
-     * Note that this will suppress duplicates.
-     * @param str the input String
-     * @return a Set of String entries in the list
-     */
-    public static Set<String> commaDelimitedListToSet(String str) {
-        Set<String> set = new TreeSet<String>();
-        String[] tokens = commaDelimitedListToStringArray(str);
-        for (String token : tokens) {
-            set.add(token);
-        }
-        return set;
-    }
-
-    /**
-     * Convenience method to return a Collection as a delimited (e.g. CSV)
-     * String. E.g. useful for <code>toString()</code> implementations.
-     * @param coll the Collection to display
-     * @param delim the delimiter to use (probably a ",")
-     * @param prefix the String to start each element with
-     * @param suffix the String to end each element with
-     * @return the delimited String
-     */
-    public static String collectionToDelimitedString(Collection<?> coll, String delim, String prefix, String suffix) {
-        if (Collections.isEmpty(coll)) {
-            return "";
-        }
-        StringBuilder sb = new StringBuilder();
-        Iterator<?> it = coll.iterator();
-        while (it.hasNext()) {
-            sb.append(prefix).append(it.next()).append(suffix);
-            if (it.hasNext()) {
-                sb.append(delim);
-            }
-        }
-        return sb.toString();
-    }
-
-    /**
-     * Convenience method to return a Collection as a delimited (e.g. CSV)
-     * String. E.g. useful for <code>toString()</code> implementations.
-     * @param coll the Collection to display
-     * @param delim the delimiter to use (probably a ",")
-     * @return the delimited String
-     */
-    public static String collectionToDelimitedString(Collection<?> coll, String delim) {
-        return collectionToDelimitedString(coll, delim, "", "");
-    }
-
-    /**
-     * Convenience method to return a Collection as a CSV String.
-     * E.g. useful for <code>toString()</code> implementations.
-     * @param coll the Collection to display
-     * @return the delimited String
-     */
-    public static String collectionToCommaDelimitedString(Collection<?> coll) {
-        return collectionToDelimitedString(coll, ",");
-    }
-
-    /**
-     * Convenience method to return a String array as a delimited (e.g. CSV)
-     * String. E.g. useful for <code>toString()</code> implementations.
-     * @param arr the array to display
-     * @param delim the delimiter to use (probably a ",")
-     * @return the delimited String
-     */
-    public static String arrayToDelimitedString(Object[] arr, String delim) {
-        if (Objects.isEmpty(arr)) {
-            return "";
-        }
-        if (arr.length == 1) {
-            return Objects.nullSafeToString(arr[0]);
-        }
-        StringBuilder sb = new StringBuilder();
-        for (int i = 0; i < arr.length; i++) {
-            if (i > 0) {
-                sb.append(delim);
-            }
-            sb.append(arr[i]);
-        }
-        return sb.toString();
-    }
-
-    /**
-     * Convenience method to return a String array as a CSV String.
-     * E.g. useful for <code>toString()</code> implementations.
-     * @param arr the array to display
-     * @return the delimited String
-     */
-    public static String arrayToCommaDelimitedString(Object[] arr) {
-        return arrayToDelimitedString(arr, ",");
-    }
-
-}
-
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/UnknownClassException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/UnknownClassException.java
deleted file mode 100644
index 07b44d9fcab..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/lang/UnknownClassException.java
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.lang;
-
-/**
- * A <code>RuntimeException</code> equivalent of the JDK's
- * <code>ClassNotFoundException</code>, to maintain a RuntimeException paradigm.
- *
- * @since 0.1
- */
-public class UnknownClassException extends RuntimeException {
-
-    /*
-    /**
-     * Creates a new UnknownClassException.
-     *
-    public UnknownClassException() {
-        super();
-    }*/
-
-    /**
-     * Constructs a new UnknownClassException.
-     *
-     * @param message the reason for the exception
-     */
-    public UnknownClassException(String message) {
-        super(message);
-    }
-
-    /*
-     * Constructs a new UnknownClassException.
-     *
-     * @param cause the underlying Throwable that caused this exception to be thrown.
-     *
-    public UnknownClassException(Throwable cause) {
-        super(cause);
-    }
-    */
-
-    /**
-     * Constructs a new UnknownClassException.
-     *
-     * @param message the reason for the exception
-     * @param cause   the underlying Throwable that caused this exception to be thrown.
-     */
-    public UnknownClassException(String message, Throwable cause) {
-        // TODO: remove in v1.0, this constructor is only exposed to allow for backward compatible behavior
-        super(message, cause);
-    }
-
-}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/InvalidKeyException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/InvalidKeyException.java
deleted file mode 100644
index 2e3b84b8af1..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/InvalidKeyException.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.security;
-
-/**
- * @since 0.10.0
- */
-public class InvalidKeyException extends KeyException {
-
-    public InvalidKeyException(String message) {
-        super(message);
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/KeyException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/KeyException.java
deleted file mode 100644
index 0db21924573..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/KeyException.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.security;
-
-/**
- * @since 0.10.0
- */
-public class KeyException extends SecurityException {
-
-    public KeyException(String message) {
-        super(message);
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/Keys.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/Keys.java
deleted file mode 100644
index cb478424893..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/Keys.java
+++ /dev/null
@@ -1,231 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.security;
-
-import io.jsonwebtoken.SignatureAlgorithm;
-import io.jsonwebtoken.lang.Assert;
-import io.jsonwebtoken.lang.Classes;
-
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-import java.security.KeyPair;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.List;
-
-/**
- * Utility class for securely generating {@link SecretKey}s and {@link KeyPair}s.
- *
- * @since 0.10.0
- */
-public final class Keys {
-
-    private static final String MAC = "io.jsonwebtoken.impl.crypto.MacProvider";
-    private static final String RSA = "io.jsonwebtoken.impl.crypto.RsaProvider";
-    private static final String EC = "io.jsonwebtoken.impl.crypto.EllipticCurveProvider";
-
-    private static final Class[] SIG_ARG_TYPES = new Class[]{SignatureAlgorithm.class};
-
-    //purposefully ordered higher to lower:
-    private static final List<SignatureAlgorithm> PREFERRED_HMAC_ALGS = Collections.unmodifiableList(Arrays.asList(
-        SignatureAlgorithm.HS512, SignatureAlgorithm.HS384, SignatureAlgorithm.HS256));
-
-    //prevent instantiation
-    private Keys() {
-    }
-
-    /*
-    public static final int bitLength(Key key) throws IllegalArgumentException {
-        Assert.notNull(key, "Key cannot be null.");
-        if (key instanceof SecretKey) {
-            byte[] encoded = key.getEncoded();
-            return Arrays.length(encoded) * 8;
-        } else if (key instanceof RSAKey) {
-            return ((RSAKey)key).getModulus().bitLength();
-        } else if (key instanceof ECKey) {
-            return ((ECKey)key).getParams().getOrder().bitLength();
-        }
-
-        throw new IllegalArgumentException("Unsupported key type: " + key.getClass().getName());
-    }
-    */
-
-    /**
-     * Creates a new SecretKey instance for use with HMAC-SHA algorithms based on the specified key byte array.
-     *
-     * @param bytes the key byte array
-     * @return a new SecretKey instance for use with HMAC-SHA algorithms based on the specified key byte array.
-     * @throws WeakKeyException if the key byte array length is less than 256 bits (32 bytes) as mandated by the
-     *                          <a href="https://tools.ietf.org/html/rfc7518#section-3.2">JWT JWA Specification
-     *                          (RFC 7518, Section 3.2)</a>
-     */
-    public static SecretKey hmacShaKeyFor(byte[] bytes) throws WeakKeyException {
-
-        if (bytes == null) {
-            throw new InvalidKeyException("SecretKey byte array cannot be null.");
-        }
-
-        int bitLength = bytes.length * 8;
-
-        for (SignatureAlgorithm alg : PREFERRED_HMAC_ALGS) {
-            if (bitLength >= alg.getMinKeyLength()) {
-                return new SecretKeySpec(bytes, alg.getJcaName());
-            }
-        }
-
-        String msg = "The specified key byte array is " + bitLength + " bits which " +
-            "is not secure enough for any JWT HMAC-SHA algorithm.  The JWT " +
-            "JWA Specification (RFC 7518, Section 3.2) states that keys used with HMAC-SHA algorithms MUST have a " +
-            "size >= 256 bits (the key size must be greater than or equal to the hash " +
-            "output size).  Consider using the " + Keys.class.getName() + "#secretKeyFor(SignatureAlgorithm) method " +
-            "to create a key guaranteed to be secure enough for your preferred HMAC-SHA algorithm.  See " +
-            "https://tools.ietf.org/html/rfc7518#section-3.2 for more information.";
-        throw new WeakKeyException(msg);
-    }
-
-    /**
-     * Returns a new {@link SecretKey} with a key length suitable for use with the specified {@link SignatureAlgorithm}.
-     *
-     * <p><a href="https://tools.ietf.org/html/rfc7518#section-3.2">JWA Specification (RFC 7518), Section 3.2</a>
-     * requires minimum key lengths to be used for each respective Signature Algorithm.  This method returns a
-     * secure-random generated SecretKey that adheres to the required minimum key length.  The lengths are:</p>
-     *
-     * <table>
-     * <tr>
-     * <th>Algorithm</th>
-     * <th>Key Length</th>
-     * </tr>
-     * <tr>
-     * <td>HS256</td>
-     * <td>256 bits (32 bytes)</td>
-     * </tr>
-     * <tr>
-     * <td>HS384</td>
-     * <td>384 bits (48 bytes)</td>
-     * </tr>
-     * <tr>
-     * <td>HS512</td>
-     * <td>512 bits (64 bytes)</td>
-     * </tr>
-     * </table>
-     *
-     * @param alg the {@code SignatureAlgorithm} to inspect to determine which key length to use.
-     * @return a new {@link SecretKey} instance suitable for use with the specified {@link SignatureAlgorithm}.
-     * @throws IllegalArgumentException for any input value other than {@link SignatureAlgorithm#HS256},
-     *                                  {@link SignatureAlgorithm#HS384}, or {@link SignatureAlgorithm#HS512}
-     */
-    public static SecretKey secretKeyFor(SignatureAlgorithm alg) throws IllegalArgumentException {
-        Assert.notNull(alg, "SignatureAlgorithm cannot be null.");
-        switch (alg) {
-            case HS256:
-            case HS384:
-            case HS512:
-                return Classes.invokeStatic(MAC, "generateKey", SIG_ARG_TYPES, alg);
-            default:
-                String msg = "The " + alg.name() + " algorithm does not support shared secret keys.";
-                throw new IllegalArgumentException(msg);
-        }
-    }
-
-    /**
-     * Returns a new {@link KeyPair} suitable for use with the specified asymmetric algorithm.
-     *
-     * <p>If the {@code alg} argument is an RSA algorithm, a KeyPair is generated based on the following:</p>
-     *
-     * <table>
-     * <tr>
-     * <th>JWA Algorithm</th>
-     * <th>Key Size</th>
-     * </tr>
-     * <tr>
-     * <td>RS256</td>
-     * <td>2048 bits</td>
-     * </tr>
-     * <tr>
-     * <td>PS256</td>
-     * <td>2048 bits</td>
-     * </tr>
-     * <tr>
-     * <td>RS384</td>
-     * <td>3072 bits</td>
-     * </tr>
-     * <tr>
-     * <td>PS384</td>
-     * <td>3072 bits</td>
-     * </tr>
-     * <tr>
-     * <td>RS512</td>
-     * <td>4096 bits</td>
-     * </tr>
-     * <tr>
-     * <td>PS512</td>
-     * <td>4096 bits</td>
-     * </tr>
-     * </table>
-     *
-     * <p>If the {@code alg} argument is an Elliptic Curve algorithm, a KeyPair is generated based on the following:</p>
-     *
-     * <table>
-     * <tr>
-     * <th>JWA Algorithm</th>
-     * <th>Key Size</th>
-     * <th><a href="https://tools.ietf.org/html/rfc7518#section-7.6.2">JWA Curve Name</a></th>
-     * <th><a href="https://tools.ietf.org/html/rfc5480#section-2.1.1.1">ASN1 OID Curve Name</a></th>
-     * </tr>
-     * <tr>
-     * <td>EC256</td>
-     * <td>256 bits</td>
-     * <td>{@code P-256}</td>
-     * <td>{@code secp256r1}</td>
-     * </tr>
-     * <tr>
-     * <td>EC384</td>
-     * <td>384 bits</td>
-     * <td>{@code P-384}</td>
-     * <td>{@code secp384r1}</td>
-     * </tr>
-     * <tr>
-     * <td>EC512</td>
-     * <td>512 bits</td>
-     * <td>{@code P-521}</td>
-     * <td>{@code secp521r1}</td>
-     * </tr>
-     * </table>
-     *
-     * @param alg the {@code SignatureAlgorithm} to inspect to determine which asymmetric algorithm to use.
-     * @return a new {@link KeyPair} suitable for use with the specified asymmetric algorithm.
-     * @throws IllegalArgumentException if {@code alg} is not an asymmetric algorithm
-     */
-    public static KeyPair keyPairFor(SignatureAlgorithm alg) throws IllegalArgumentException {
-        Assert.notNull(alg, "SignatureAlgorithm cannot be null.");
-        switch (alg) {
-            case RS256:
-            case PS256:
-            case RS384:
-            case PS384:
-            case RS512:
-            case PS512:
-                return Classes.invokeStatic(RSA, "generateKeyPair", SIG_ARG_TYPES, alg);
-            case ES256:
-            case ES384:
-            case ES512:
-                return Classes.invokeStatic(EC, "generateKeyPair", SIG_ARG_TYPES, alg);
-            default:
-                String msg = "The " + alg.name() + " algorithm does not support Key Pairs.";
-                throw new IllegalArgumentException(msg);
-        }
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/SignatureException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/SignatureException.java
deleted file mode 100644
index 7cddb2cac36..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/SignatureException.java
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.security;
-
-/**
- * @since 0.10.0
- */
-public class SignatureException extends io.jsonwebtoken.SignatureException {
-
-    public SignatureException(String message) {
-        super(message);
-    }
-
-    public SignatureException(String message, Throwable cause) {
-        super(message, cause);
-    }
-}
diff --git a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/WeakKeyException.java b/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/WeakKeyException.java
deleted file mode 100644
index 8a7688fed8b..00000000000
--- a/java/ql/test/experimental/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/security/WeakKeyException.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2014 jsonwebtoken.io
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package io.jsonwebtoken.security;
-
-/**
- * @since 0.10.0
- */
-public class WeakKeyException extends InvalidKeyException {
-
-    public WeakKeyException(String message) {
-        super(message);
-    }
-}

From 0376a13dd82460ac82ed1ee0e17ec4056a3542a1 Mon Sep 17 00:00:00 2001
From: Andrew Eisenberg <aeisenberg@github.com>
Date: Wed, 28 Apr 2021 15:05:13 -0700
Subject: [PATCH 0774/1429] Actions: Fix code scanning workflow

---
 .github/workflows/codeql-analysis.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 3cd94cb6215..87d6632d03e 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -21,8 +21,8 @@ jobs:
 
     permissions:
       contents: read
-      security_events: write
-      pull_requests: read
+      security-events: write
+      pull-requests: read
 
     steps:
     - name: Checkout repository

From 39c7816edea83d8934ae0b007642f7a0d20babce Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 29 Apr 2021 10:09:46 +0200
Subject: [PATCH 0775/1429] C++: Dont allow magic in getUnspecifiedType.

---
 cpp/ql/src/semmle/code/cpp/Type.qll | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cpp/ql/src/semmle/code/cpp/Type.qll b/cpp/ql/src/semmle/code/cpp/Type.qll
index a0d8c42df32..fd9ae4c8737 100644
--- a/cpp/ql/src/semmle/code/cpp/Type.qll
+++ b/cpp/ql/src/semmle/code/cpp/Type.qll
@@ -101,6 +101,7 @@ class Type extends Locatable, @type {
    *
    * For example, starting with `const i64* const` in the context of `typedef long long i64;`, this predicate will return `long long*`.
    */
+  pragma[nomagic]
   Type getUnspecifiedType() { unspecifiedtype(underlyingElement(this), unresolveElement(result)) }
 
   /**

From 213d011a8cfcd3179c7db3922fbe259ddc48df0d Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Thu, 29 Apr 2021 11:10:03 +0200
Subject: [PATCH 0776/1429] Edit code example in CompiledRegex

Signed-off-by: jorgectf <jorgectf@protonmail.com>
---
 .../src/experimental/semmle/python/frameworks/Stdlib.qll | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index 9bda2cb3158..05ea4f62630 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -52,12 +52,13 @@ private module Re {
    *
    * ```py
    * pattern = re.compile(input)
-   * input.match(s)
+   * pattern.match(s)
    * ```
    *
-   * `patternCall` refers to `re.compile(input)`,
-   * `regexNode` refers to `input` and
-   * `this` will refer to `input.match(s)`
+   * This class will identify that `re.compile` compiles `input` and afterwards
+   * executes `re`'s `match`. As a result, `this` will refer to `pattern.match(s)`
+   * and `this.getRegexNode()` will return the node for `input` (`re.compile`'s first argument)
+   * 
    *
    * See `RegexExecutionMethods`
    *

From 44de127bfff1acdd7ef4943249983eb5a4596546 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 29 Apr 2021 11:57:43 +0200
Subject: [PATCH 0777/1429] C++: Extend and improve the testcases for
 cpp/detect-and-handle-memory-allocation-errors.

---
 ...AndHandlingMemoryAllocationErrors.expected |  14 +-
 .../CWE/CWE-570/semmle/tests/test.cpp         | 214 +++++++++++-------
 2 files changed, 136 insertions(+), 92 deletions(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.expected
index 80e82cff212..19886efd28f 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.expected
@@ -1,5 +1,9 @@
-| test.cpp:30:15:30:26 | call to operator new[] | memory allocation error check is incorrect or missing |
-| test.cpp:38:9:38:20 | call to operator new[] | memory allocation error check is incorrect or missing |
-| test.cpp:50:13:50:38 | call to operator new[] | memory allocation error check is incorrect or missing |
-| test.cpp:51:22:51:47 | call to operator new[] | memory allocation error check is incorrect or missing |
-| test.cpp:53:18:53:43 | call to operator new[] | memory allocation error check is incorrect or missing |
+| test.cpp:29:13:29:24 | call to operator new[] | memory allocation error check is incorrect or missing |
+| test.cpp:37:13:37:24 | call to operator new[] | memory allocation error check is incorrect or missing |
+| test.cpp:41:13:41:24 | call to operator new[] | memory allocation error check is incorrect or missing |
+| test.cpp:49:8:49:19 | call to operator new[] | memory allocation error check is incorrect or missing |
+| test.cpp:58:8:58:19 | call to operator new[] | memory allocation error check is incorrect or missing |
+| test.cpp:63:8:63:19 | call to operator new[] | memory allocation error check is incorrect or missing |
+| test.cpp:92:5:92:31 | call to operator new[] | memory allocation error check is incorrect or missing |
+| test.cpp:93:15:93:41 | call to operator new[] | memory allocation error check is incorrect or missing |
+| test.cpp:96:10:96:36 | call to operator new[] | memory allocation error check is incorrect or missing |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
index 4fc12d9ccbf..06c22778812 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
@@ -1,97 +1,137 @@
-#define NULL ((void*)0)
-class exception {};
+#define NULL ((void *)0)
 
-namespace std{
-  struct nothrow_t {};
-  typedef unsigned long size_t;
-  class bad_alloc{
-    const char* what() const throw();
-  };
-  extern const std::nothrow_t nothrow;
-}
+namespace std {
+struct nothrow_t {};
+typedef unsigned long size_t;
+
+class exception {};
+class bad_alloc : public exception {};
+
+extern const std::nothrow_t nothrow;
+} // namespace std
 
 using namespace std;
 
-void* operator new(std::size_t _Size);
-void* operator new[](std::size_t _Size);
-void* operator new( std::size_t count, const std::nothrow_t& tag ) noexcept;
-void* operator new[]( std::size_t count, const std::nothrow_t& tag ) noexcept;
+void *operator new(std::size_t);
+void *operator new[](std::size_t);
+void *operator new(std::size_t, const std::nothrow_t &) noexcept;
+void *operator new[](std::size_t, const std::nothrow_t &) noexcept;
 
-void badNew_0_0()
-{
-    while (true) {
-        new int[100]; // BAD [NOT DETECTED]
-        if(!(new int[100])) // BAD [NOT DETECTED]
-            return;
-    }
-}
-void badNew_0_1()
-{
-    int * i = new int[100]; // BAD
-    if(i == 0)
-        return;
-    if(!i)
-        return;
-    if(i == NULL)
-        return;
-    int * j;
-    j = new int[100]; // BAD
-    if(j == 0)
-        return;
-    if(!j)
-        return;
-    if(j == NULL)
-        return;
-}
-void badNew_1_0()
-{
-    try {
-        while (true) {
-            new(std::nothrow) int[100]; // BAD
-            int* p = new(std::nothrow) int[100]; // BAD
-            int* p1;
-            p1 = new(std::nothrow) int[100]; // BAD
-        }
-    } catch (const exception &){//const std::bad_alloc& e) {
-//        std::cout << e.what() << '\n';
-    }
-}
-void badNew_1_1()
-{
-    while (true) {
-        int* p = new(std::nothrow) int[100]; // BAD [NOT DETECTED]
-        new(std::nothrow) int[100]; // BAD [NOT DETECTED]
-    }
+void bad_new_in_condition() {
+  if (!(new int)) { // BAD [NOT DETECTED]
+    return;
+  }
 }
 
-void goodNew_0_0()
-{
-    try {
-        while (true) {
-            new int[100]; // GOOD
-        }
-    } catch (const exception &){//const std::bad_alloc& e) {
-//        std::cout << e.what() << '\n';
-    }
+void foo(int**);
+
+void bad_new_missing_exception_handling() {
+  int *p1 = new int[100]; // BAD
+  if (p1 == 0)
+    return;
+
+  int *p2 = new int[100]; // BAD [NOT DETECTED]
+  if (!p2)
+    return;
+
+  int *p3 = new int[100]; // BAD
+  if (p3 == NULL)
+    return;
+
+  int *p4 = new int[100]; // BAD
+  if (p4 == nullptr)
+    return;
+
+  int *p5 = new int[100]; // BAD [NOT DETECTED]
+  if (p5) {} else return;
+
+  int *p6;
+  p6 = new int[100]; // BAD
+  if (p6 == 0) return;
+
+  int *p7;
+  p7 = new int[100]; // BAD [NOT DETECTED]
+  if (!p7)
+    return;
+
+  int *p8;
+  p8 = new int[100]; // BAD
+  if (p8 == NULL)
+    return;
+
+  int *p9;
+  p9 = new int[100]; // BAD
+  if (p9 != nullptr) {
+  } else
+    return;
+
+  int *p10;
+  p10 = new int[100]; // BAD [NOT DETECTED]
+  if (p10 != 0) {
+  }
+
+  int *p11;
+  do {
+    p11 = new int[100]; // BAD [NOT DETECTED]
+  } while (!p11);
+
+  int* p12 = new int[100];
+  foo(&p12);
+  if(p12) {} else return; // GOOD: p12 is probably modified in foo, so it's
+                          // not the return value of the new that's checked.
+
+  int* p13 = new int[100];
+  foo(&p13);
+  if(!p13) {
+      return;
+  } else { }; // GOOD: same as above.
 }
 
-void goodNew_1_0()
-{
-    while (true) {
-        int* p = new(std::nothrow) int[100]; // GOOD
-        if (p == nullptr) {
-//            std::cout << "Allocation returned nullptr\n";
-            break;
-        }
-        int* p1;
-        p1 = new(std::nothrow) int[100]; // GOOD
-        if (p1 == nullptr) {
-//            std::cout << "Allocation returned nullptr\n";
-            break;
-        }
-        if (new(std::nothrow) int[100] == nullptr) { // GOOD
-//            std::cout << "Allocation returned nullptr\n";
-            break;
-        }
-    }
+void bad_new_nothrow_in_exception_body() {
+  try {
+    new (std::nothrow) int[100];           // BAD
+    int *p1 = new (std::nothrow) int[100]; // BAD
+
+    int *p2;
+    p2 = new (std::nothrow) int[100]; // BAD
+  } catch (const std::bad_alloc &) {
+  }
+}
+
+void good_new_has_exception_handling() {
+  try {
+    int *p1 = new int[100]; // GOOD
+  } catch (...) {
+  }
+}
+
+void good_new_handles_nullptr() {
+  int *p1 = new (std::nothrow) int[100]; // GOOD
+  if (p1 == nullptr)
+    return;
+
+  int *p2;
+  p2 = new (std::nothrow) int[100]; // GOOD
+  if (p2 == nullptr)
+    return;
+
+  int *p3;
+  p3 = new (std::nothrow) int[100]; // GOOD
+  if (p3 != nullptr) {
+  }
+
+  int *p4;
+  p4 = new (std::nothrow) int[100]; // GOOD
+  if (p4) {
+  } else
+    return;
+
+  int *p5;
+  p5 = new (std::nothrow) int[100]; // GOOD
+  if (p5 != nullptr) {
+  } else
+    return;
+
+  if (new (std::nothrow) int[100] == nullptr)
+    return; // GOOD
 }

From 9e39b083251f8780a3559fd2a33adba52c81e432 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 29 Apr 2021 11:58:36 +0200
Subject: [PATCH 0778/1429] C++: Improve the qhelp for
 cpp/detect-and-handle-memory-allocation-errors.

---
 ...ctingAndHandlingMemoryAllocationErrors.cpp | 52 +++++++++++--------
 ...ingAndHandlingMemoryAllocationErrors.qhelp |  9 ++--
 2 files changed, 36 insertions(+), 25 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.cpp b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.cpp
index df69886e97b..60f8c7cc9b7 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.cpp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.cpp
@@ -1,35 +1,43 @@
-// BAD: on memory allocation error, the program terminates.
-void badFunction(const int *source, std::size_t length) noexcept {
-  int * dest = new int[length];
+// BAD: the allocation will throw an unhandled exception
+// instead of returning a null pointer.
+void bad1(std::size_t length) noexcept {
+  int* dest = new int[length];
+  if(!dest) {
+    return;
+  }
   std::memset(dest, 0, length);
-// ..
+  // ...
 }
-// GOOD: memory allocation error will be handled.
-void goodFunction(const int *source, std::size_t length) noexcept {
+
+// BAD: the allocation won't throw an exception, but
+// instead return a null pointer.
+void bad2(std::size_t length) noexcept {
   try {
-       int * dest = new int[length];
-  } catch(std::bad_alloc) {
+    int* dest = new(std::nothrow) int[length];
+    std::memset(dest, 0, length);
+    // ...
+  } catch(std::bad_alloc&) {
     // ...
   }
-  std::memset(dest, 0, length);
-// ..
 }
-// BAD: memory allocation error will not be handled.
-void badFunction(const int *source, std::size_t length) noexcept {
+
+// GOOD: the allocation failure is handled appropiately.
+void good1(std::size_t length) noexcept {
   try {
-       int * dest = new (std::nothrow) int[length];
-  } catch(std::bad_alloc) {
+    int* dest = new int[length];
+    std::memset(dest, 0, length);
+    // ...
+  } catch(std::bad_alloc&) {
     // ...
   }
-  std::memset(dest, 0, length);
-// ..
 }
-// GOOD: memory allocation error will be handled.
-void goodFunction(const int *source, std::size_t length) noexcept {
-  int * dest = new (std::nothrow) int[length];
-  if (!dest) {
-      return;
+
+// GOOD: the allocation failure is handled appropiately.
+void good2(std::size_t length) noexcept {
+  int* dest = new int[length];
+  if(!dest) {
+    return;
   }
   std::memset(dest, 0, length);
-// ..
+  // ...
 }
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp
index 9e6cb2d89ce..968e12f7508 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp
@@ -3,16 +3,19 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>When using the <code>new</code> operator to allocate memory, you need to pay attention to the different ways of detecting errors. <code>::operator new(std::size_t)</code> throws an exception on error, whereas <code>::operator new(std::size_t, const std::nothrow_t &amp;)</code> returns zero on error. The programmer can get confused and check the error that occurs when allocating memory incorrectly. That can lead to an unhandled program termination or to a violation of the program logic.</p>
+<p>Different overloads of the <code>new</code> operator handle allocation failures in different ways:
+If <code>new T</code> fails for some type <code>T</code>, it throws a <code>std::bad_alloc</code> exception,
+but <code>new(std::nothrow) T</code> returns a null pointer. If the programmer handles the wrong kind of
+failure, it could cause the program to behave in unexpected ways.</p>
 
 </overview>
 <recommendation>
 
-<p>Use the correct error detection method corresponding with the memory allocation.</p>
+<p>Make sure that exceptions are handled appropriately if <code>new T</code> is used. On the other hand,
+make sure to handle the possibility of null pointers if <code>new(std::nothrow) T</code> is used.</p>
 
 </recommendation>
 <example>
-<p>The following example demonstrates various approaches to detecting memory allocation errors using the <code>new</code> operator.</p>
 <sample src="WrongInDetectingAndHandlingMemoryAllocationErrors.cpp" />
 
 </example>

From e81b40978ed736713e3cf6b675d0eae37846f72a Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 29 Apr 2021 12:10:29 +0200
Subject: [PATCH 0779/1429] C++: Improve the description tag.

---
 .../WrongInDetectingAndHandlingMemoryAllocationErrors.ql      | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
index 4869da7e6f3..c609094925c 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
@@ -1,7 +1,7 @@
 /**
  * @name Detect And Handle Memory Allocation Errors
- * @description --::operator new(std::size_t) throws an exception on error, and ::operator new(std::size_t, const std::nothrow_t &) returns zero on error.
- *              --the programmer can get confused when check the error that occurs when allocating memory incorrectly.
+ * @description `operator new` throws an exception on allocation failures, while `operator new(std::nothrow)` returns a null pointer.
+ *              Mixing up these two failure conditions can result in unexpected behavior.
  * @kind problem
  * @id cpp/detect-and-handle-memory-allocation-errors
  * @problem.severity warning

From 2787c2f874b591a524025b30c7246ecfb8c84b96 Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Thu, 29 Apr 2021 12:28:26 +0100
Subject: [PATCH 0780/1429] Document `SpringProperty::getSetterMethod`.

---
 .../semmle/code/java/frameworks/spring/SpringProperty.qll | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/java/ql/src/semmle/code/java/frameworks/spring/SpringProperty.qll b/java/ql/src/semmle/code/java/frameworks/spring/SpringProperty.qll
index 762b5187559..cdf6a1f9bd0 100644
--- a/java/ql/src/semmle/code/java/frameworks/spring/SpringProperty.qll
+++ b/java/ql/src/semmle/code/java/frameworks/spring/SpringProperty.qll
@@ -69,11 +69,19 @@ class SpringProperty extends SpringXMLElement {
     )
   }
 
+  /**
+   * Gets a setter method declared on this property's enclosing bean that sets this property.
+   */
   Method getSetterMethod() {
     this.getEnclosingBean().getClass().hasMethod(result, _) and
     result.getName().toLowerCase() = "set" + this.getPropertyName().toLowerCase()
   }
 
+  /**
+   * Gets a setter method declared on bean `context` that sets this property.
+   *
+   * This property must be declared on a bean that is an ancestor of `context`.
+   */
   Method getSetterMethod(SpringBean context) {
     this.getEnclosingBean() = context.getBeanParent*() and
     context.getClass().hasMethod(result, _) and

From c67ab8f1f0dd170d3b6bbc13f39e2b39e009a346 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 29 Apr 2021 14:01:04 +0200
Subject: [PATCH 0781/1429] C++: Respond to review comments.

---
 ...WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp | 7 ++++---
 .../WrongInDetectingAndHandlingMemoryAllocationErrors.ql   | 3 +--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp
index 968e12f7508..9365579b44a 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp
@@ -3,10 +3,11 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>Different overloads of the <code>new</code> operator handle allocation failures in different ways:
+<p>Different overloads of the <code>new</code> operator handle allocation failures in different ways.
 If <code>new T</code> fails for some type <code>T</code>, it throws a <code>std::bad_alloc</code> exception,
-but <code>new(std::nothrow) T</code> returns a null pointer. If the programmer handles the wrong kind of
-failure, it could cause the program to behave in unexpected ways.</p>
+but <code>new(std::nothrow) T</code> returns a null pointer. If the programmer does not use the corresponding
+method of error handling, allocation failure may go unhandled and could cause the program to behave in
+unexpected ways.</p>
 
 </overview>
 <recommendation>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
index c609094925c..8c7b8e5d067 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
@@ -1,7 +1,6 @@
 /**
  * @name Detect And Handle Memory Allocation Errors
- * @description `operator new` throws an exception on allocation failures, while `operator new(std::nothrow)` returns a null pointer.
- *              Mixing up these two failure conditions can result in unexpected behavior.
+ * @description `operator new` throws an exception on allocation failures, while `operator new(std::nothrow)` returns a null pointer. Mixing up these two failure conditions can result in unexpected behavior.
  * @kind problem
  * @id cpp/detect-and-handle-memory-allocation-errors
  * @problem.severity warning

From ee62522c51ebdb6257523eb54567bf44931e80a0 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Wed, 28 Apr 2021 11:28:09 +0200
Subject: [PATCH 0782/1429] C#: Extract implicit constructor initializer calls

---
 .../Entities/Constructor.cs                   |  31 ++++
 .../test/experimental/ir/ir/raw_ir.expected   | 146 ++++++++++--------
 .../dataflow/global/GetAnOutNode.expected     |   2 +
 .../ConstructorInitializers.expected          |   8 +
 .../expressions/ConstructorInitializers.ql    |  21 +++
 .../expressions/PrintAst.expected             |  11 +-
 .../library-tests/expressions/expressions.cs  |   4 +-
 7 files changed, 158 insertions(+), 65 deletions(-)
 create mode 100644 csharp/ql/test/library-tests/expressions/ConstructorInitializers.expected
 create mode 100644 csharp/ql/test/library-tests/expressions/ConstructorInitializers.ql

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs
index 1424ba31f4d..39c202929d2 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs
@@ -41,7 +41,38 @@ namespace Semmle.Extraction.CSharp.Entities
             var initializer = syntax?.Initializer;
 
             if (initializer is null)
+            {
+                if (Symbol.MethodKind is MethodKind.Constructor)
+                {
+                    var baseType = Symbol.ContainingType.BaseType;
+                    if (baseType is null)
+                    {
+                        Context.ModelError(Symbol, "Unable to resolve base type in implicit constructor initializer");
+                        return;
+                    }
+
+                    var baseConstructor = baseType.InstanceConstructors.FirstOrDefault(c => c.Arity is 0);
+
+                    if (baseConstructor is null)
+                    {
+                        Context.ModelError(Symbol, "Unable to resolve implicit constructor initializer call");
+                        return;
+                    }
+
+                    var baseConstructorTarget = Create(Context, baseConstructor);
+                    var info = new ExpressionInfo(Context,
+                        AnnotatedTypeSymbol.CreateNotAnnotated(baseType),
+                        Location,
+                        Kinds.ExprKind.CONSTRUCTOR_INIT,
+                        this,
+                        -1,
+                        isCompilerGenerated: true,
+                        null);
+
+                    trapFile.expr_call(new Expression(info), baseConstructorTarget);
+                }
                 return;
+            }
 
             ITypeSymbol initializerType;
             var symbolInfo = Context.GetSymbolInfo(initializer);
diff --git a/csharp/ql/test/experimental/ir/ir/raw_ir.expected b/csharp/ql/test/experimental/ir/ir/raw_ir.expected
index bfbcc0066a3..646cd0f26f9 100644
--- a/csharp/ql/test/experimental/ir/ir/raw_ir.expected
+++ b/csharp/ql/test/experimental/ir/ir/raw_ir.expected
@@ -285,29 +285,37 @@ collections.cs:
 constructor_init.cs:
 #    5| System.Void BaseClass..ctor()
 #    5|   Block 0
-#    5|     v5_1(Void)             = EnterFunction     : 
-#    5|     mu5_2(<unknown>)       = AliasedDefinition : 
-#    5|     r5_3(glval<BaseClass>) = InitializeThis    : 
-#    6|     v6_1(Void)             = NoOp              : 
-#    5|     v5_4(Void)             = ReturnVoid        : 
-#    5|     v5_5(Void)             = AliasedUse        : ~m?
-#    5|     v5_6(Void)             = ExitFunction      : 
+#    5|     v5_1(Void)             = EnterFunction               : 
+#    5|     mu5_2(<unknown>)       = AliasedDefinition           : 
+#    5|     r5_3(glval<BaseClass>) = InitializeThis              : 
+#    5|     r5_4(glval<Object>)    = Convert[BaseClass : Object] : r5_3
+#    5|     r5_5(<funcaddr>)       = FunctionAddress[Object]     : 
+#    5|     v5_6(Void)             = Call[Object]                : func:r5_5, this:r5_4
+#    5|     mu5_7(<unknown>)       = ^CallSideEffect             : ~m?
+#    6|     v6_1(Void)             = NoOp                        : 
+#    5|     v5_8(Void)             = ReturnVoid                  : 
+#    5|     v5_9(Void)             = AliasedUse                  : ~m?
+#    5|     v5_10(Void)            = ExitFunction                : 
 
 #    9| System.Void BaseClass..ctor(System.Int32)
 #    9|   Block 0
-#    9|     v9_1(Void)             = EnterFunction          : 
-#    9|     mu9_2(<unknown>)       = AliasedDefinition      : 
-#    9|     r9_3(glval<BaseClass>) = InitializeThis         : 
-#    9|     r9_4(glval<Int32>)     = VariableAddress[i]     : 
-#    9|     mu9_5(Int32)           = InitializeParameter[i] : &:r9_4
-#   11|     r11_1(glval<Int32>)    = VariableAddress[i]     : 
-#   11|     r11_2(Int32)           = Load[i]                : &:r11_1, ~m?
-#   11|     r11_3(BaseClass)       = CopyValue              : r9_3
-#   11|     r11_4(glval<Int32>)    = FieldAddress[num]      : r11_3
-#   11|     mu11_5(Int32)          = Store[?]               : &:r11_4, r11_2
-#    9|     v9_6(Void)             = ReturnVoid             : 
-#    9|     v9_7(Void)             = AliasedUse             : ~m?
-#    9|     v9_8(Void)             = ExitFunction           : 
+#    9|     v9_1(Void)             = EnterFunction               : 
+#    9|     mu9_2(<unknown>)       = AliasedDefinition           : 
+#    9|     r9_3(glval<BaseClass>) = InitializeThis              : 
+#    9|     r9_4(glval<Int32>)     = VariableAddress[i]          : 
+#    9|     mu9_5(Int32)           = InitializeParameter[i]      : &:r9_4
+#    9|     r9_6(glval<Object>)    = Convert[BaseClass : Object] : r9_3
+#    9|     r9_7(<funcaddr>)       = FunctionAddress[Object]     : 
+#    9|     v9_8(Void)             = Call[Object]                : func:r9_7, this:r9_6
+#    9|     mu9_9(<unknown>)       = ^CallSideEffect             : ~m?
+#   11|     r11_1(glval<Int32>)    = VariableAddress[i]          : 
+#   11|     r11_2(Int32)           = Load[i]                     : &:r11_1, ~m?
+#   11|     r11_3(BaseClass)       = CopyValue                   : r9_3
+#   11|     r11_4(glval<Int32>)    = FieldAddress[num]           : r11_3
+#   11|     mu11_5(Int32)          = Store[?]                    : &:r11_4, r11_2
+#    9|     v9_10(Void)            = ReturnVoid                  : 
+#    9|     v9_11(Void)            = AliasedUse                  : ~m?
+#    9|     v9_12(Void)            = ExitFunction                : 
 
 #   17| System.Void DerivedClass..ctor()
 #   17|   Block 0
@@ -469,20 +477,24 @@ delegates.cs:
 events.cs:
 #    8| System.Void Events..ctor()
 #    8|   Block 0
-#    8|     v8_1(Void)          = EnterFunction          : 
-#    8|     mu8_2(<unknown>)    = AliasedDefinition      : 
-#    8|     r8_3(glval<Events>) = InitializeThis         : 
-#   10|     r10_1(MyDel)        = NewObj                 : 
-#   10|     r10_2(<funcaddr>)   = FunctionAddress[MyDel] : 
-#   10|     r10_3(glval<MyDel>) = FunctionAddress[Fun]   : 
-#   10|     v10_4(Void)         = Call[MyDel]            : func:r10_2, this:r10_1, 0:r10_3
-#   10|     mu10_5(<unknown>)   = ^CallSideEffect        : ~m?
-#   10|     r10_6(Events)       = CopyValue              : r8_3
-#   10|     r10_7(glval<MyDel>) = FieldAddress[Inst]     : r10_6
-#   10|     mu10_8(MyDel)       = Store[?]               : &:r10_7, r10_1
-#    8|     v8_4(Void)          = ReturnVoid             : 
-#    8|     v8_5(Void)          = AliasedUse             : ~m?
-#    8|     v8_6(Void)          = ExitFunction           : 
+#    8|     v8_1(Void)          = EnterFunction            : 
+#    8|     mu8_2(<unknown>)    = AliasedDefinition        : 
+#    8|     r8_3(glval<Events>) = InitializeThis           : 
+#    8|     r8_4(glval<Object>) = Convert[Events : Object] : r8_3
+#    8|     r8_5(<funcaddr>)    = FunctionAddress[Object]  : 
+#    8|     v8_6(Void)          = Call[Object]             : func:r8_5, this:r8_4
+#    8|     mu8_7(<unknown>)    = ^CallSideEffect          : ~m?
+#   10|     r10_1(MyDel)        = NewObj                   : 
+#   10|     r10_2(<funcaddr>)   = FunctionAddress[MyDel]   : 
+#   10|     r10_3(glval<MyDel>) = FunctionAddress[Fun]     : 
+#   10|     v10_4(Void)         = Call[MyDel]              : func:r10_2, this:r10_1, 0:r10_3
+#   10|     mu10_5(<unknown>)   = ^CallSideEffect          : ~m?
+#   10|     r10_6(Events)       = CopyValue                : r8_3
+#   10|     r10_7(glval<MyDel>) = FieldAddress[Inst]       : r10_6
+#   10|     mu10_8(MyDel)       = Store[?]                 : &:r10_7, r10_1
+#    8|     v8_8(Void)          = ReturnVoid               : 
+#    8|     v8_9(Void)          = AliasedUse               : ~m?
+#    8|     v8_10(Void)         = ExitFunction             : 
 
 #   13| System.Void Events.AddEvent()
 #   13|   Block 0
@@ -1237,29 +1249,37 @@ lock.cs:
 obj_creation.cs:
 #    7| System.Void ObjCreation.MyClass..ctor()
 #    7|   Block 0
-#    7|     v7_1(Void)           = EnterFunction     : 
-#    7|     mu7_2(<unknown>)     = AliasedDefinition : 
-#    7|     r7_3(glval<MyClass>) = InitializeThis    : 
-#    8|     v8_1(Void)           = NoOp              : 
-#    7|     v7_4(Void)           = ReturnVoid        : 
-#    7|     v7_5(Void)           = AliasedUse        : ~m?
-#    7|     v7_6(Void)           = ExitFunction      : 
+#    7|     v7_1(Void)           = EnterFunction             : 
+#    7|     mu7_2(<unknown>)     = AliasedDefinition         : 
+#    7|     r7_3(glval<MyClass>) = InitializeThis            : 
+#    7|     r7_4(glval<Object>)  = Convert[MyClass : Object] : r7_3
+#    7|     r7_5(<funcaddr>)     = FunctionAddress[Object]   : 
+#    7|     v7_6(Void)           = Call[Object]              : func:r7_5, this:r7_4
+#    7|     mu7_7(<unknown>)     = ^CallSideEffect           : ~m?
+#    8|     v8_1(Void)           = NoOp                      : 
+#    7|     v7_8(Void)           = ReturnVoid                : 
+#    7|     v7_9(Void)           = AliasedUse                : ~m?
+#    7|     v7_10(Void)          = ExitFunction              : 
 
 #   11| System.Void ObjCreation.MyClass..ctor(System.Int32)
 #   11|   Block 0
-#   11|     v11_1(Void)           = EnterFunction           : 
-#   11|     mu11_2(<unknown>)     = AliasedDefinition       : 
-#   11|     r11_3(glval<MyClass>) = InitializeThis          : 
-#   11|     r11_4(glval<Int32>)   = VariableAddress[_x]     : 
-#   11|     mu11_5(Int32)         = InitializeParameter[_x] : &:r11_4
-#   13|     r13_1(glval<Int32>)   = VariableAddress[_x]     : 
-#   13|     r13_2(Int32)          = Load[_x]                : &:r13_1, ~m?
-#   13|     r13_3(MyClass)        = CopyValue               : r11_3
-#   13|     r13_4(glval<Int32>)   = FieldAddress[x]         : r13_3
-#   13|     mu13_5(Int32)         = Store[?]                : &:r13_4, r13_2
-#   11|     v11_6(Void)           = ReturnVoid              : 
-#   11|     v11_7(Void)           = AliasedUse              : ~m?
-#   11|     v11_8(Void)           = ExitFunction            : 
+#   11|     v11_1(Void)           = EnterFunction             : 
+#   11|     mu11_2(<unknown>)     = AliasedDefinition         : 
+#   11|     r11_3(glval<MyClass>) = InitializeThis            : 
+#   11|     r11_4(glval<Int32>)   = VariableAddress[_x]       : 
+#   11|     mu11_5(Int32)         = InitializeParameter[_x]   : &:r11_4
+#   11|     r11_6(glval<Object>)  = Convert[MyClass : Object] : r11_3
+#   11|     r11_7(<funcaddr>)     = FunctionAddress[Object]   : 
+#   11|     v11_8(Void)           = Call[Object]              : func:r11_7, this:r11_6
+#   11|     mu11_9(<unknown>)     = ^CallSideEffect           : ~m?
+#   13|     r13_1(glval<Int32>)   = VariableAddress[_x]       : 
+#   13|     r13_2(Int32)          = Load[_x]                  : &:r13_1, ~m?
+#   13|     r13_3(MyClass)        = CopyValue                 : r11_3
+#   13|     r13_4(glval<Int32>)   = FieldAddress[x]           : r13_3
+#   13|     mu13_5(Int32)         = Store[?]                  : &:r13_4, r13_2
+#   11|     v11_10(Void)          = ReturnVoid                : 
+#   11|     v11_11(Void)          = AliasedUse                : ~m?
+#   11|     v11_12(Void)          = ExitFunction              : 
 
 #   17| System.Void ObjCreation.SomeFun(ObjCreation.MyClass)
 #   17|   Block 0
@@ -1884,13 +1904,17 @@ stmts.cs:
 using.cs:
 #    7| System.Void UsingStmt.MyDisposable..ctor()
 #    7|   Block 0
-#    7|     v7_1(Void)                = EnterFunction     : 
-#    7|     mu7_2(<unknown>)          = AliasedDefinition : 
-#    7|     r7_3(glval<MyDisposable>) = InitializeThis    : 
-#    7|     v7_4(Void)                = NoOp              : 
-#    7|     v7_5(Void)                = ReturnVoid        : 
-#    7|     v7_6(Void)                = AliasedUse        : ~m?
-#    7|     v7_7(Void)                = ExitFunction      : 
+#    7|     v7_1(Void)                = EnterFunction                  : 
+#    7|     mu7_2(<unknown>)          = AliasedDefinition              : 
+#    7|     r7_3(glval<MyDisposable>) = InitializeThis                 : 
+#    7|     r7_4(glval<Object>)       = Convert[MyDisposable : Object] : r7_3
+#    7|     r7_5(<funcaddr>)          = FunctionAddress[Object]        : 
+#    7|     v7_6(Void)                = Call[Object]                   : func:r7_5, this:r7_4
+#    7|     mu7_7(<unknown>)          = ^CallSideEffect                : ~m?
+#    7|     v7_8(Void)                = NoOp                           : 
+#    7|     v7_9(Void)                = ReturnVoid                     : 
+#    7|     v7_10(Void)               = AliasedUse                     : ~m?
+#    7|     v7_11(Void)               = ExitFunction                   : 
 
 #    8| System.Void UsingStmt.MyDisposable.DoSomething()
 #    8|   Block 0
diff --git a/csharp/ql/test/library-tests/dataflow/global/GetAnOutNode.expected b/csharp/ql/test/library-tests/dataflow/global/GetAnOutNode.expected
index ce0ed3c75af..7f8a89af2e2 100644
--- a/csharp/ql/test/library-tests/dataflow/global/GetAnOutNode.expected
+++ b/csharp/ql/test/library-tests/dataflow/global/GetAnOutNode.expected
@@ -167,7 +167,9 @@
 | Splitting.cs:32:9:32:16 | [b (line 24): false] dynamic call to method Check | normal | Splitting.cs:32:9:32:16 | [b (line 24): false] dynamic call to method Check |
 | Splitting.cs:32:9:32:16 | [b (line 24): true] dynamic call to method Check | normal | Splitting.cs:32:9:32:16 | [b (line 24): true] dynamic call to method Check |
 | Splitting.cs:34:13:34:20 | dynamic call to method Check | normal | Splitting.cs:34:13:34:20 | dynamic call to method Check |
+| This.cs:7:5:7:8 | call to constructor Object | normal | This.cs:7:5:7:8 | call to constructor Object |
 | This.cs:17:9:17:18 | object creation of type This | normal | This.cs:17:9:17:18 | object creation of type This |
+| This.cs:22:9:22:11 | call to constructor This | normal | This.cs:22:9:22:11 | call to constructor This |
 | This.cs:28:13:28:21 | object creation of type Sub | normal | This.cs:28:13:28:21 | object creation of type Sub |
 | file://:0:0:0:0 | [summary] call to collectionSelector in SelectMany | normal | file://:0:0:0:0 | [summary] read: return (normal) of argument 1 in SelectMany |
 | file://:0:0:0:0 | [summary] call to collectionSelector in SelectMany | normal | file://:0:0:0:0 | [summary] read: return (normal) of argument 1 in SelectMany |
diff --git a/csharp/ql/test/library-tests/expressions/ConstructorInitializers.expected b/csharp/ql/test/library-tests/expressions/ConstructorInitializers.expected
new file mode 100644
index 00000000000..0bc1597c0dd
--- /dev/null
+++ b/csharp/ql/test/library-tests/expressions/ConstructorInitializers.expected
@@ -0,0 +1,8 @@
+| expressions.cs:56:9:56:13 | Class | expressions.cs:56:19:56:22 | call to constructor Class | expressions.cs:58:19:58:23 | Class |
+| expressions.cs:58:19:58:23 | Class | expressions.cs:58:19:58:23 | call to constructor Object | file://:0:0:0:0 | Object |
+| expressions.cs:132:13:132:18 | Nested | expressions.cs:132:13:132:18 | call to constructor Class | expressions.cs:56:9:56:13 | Class |
+| expressions.cs:133:13:133:18 | Nested | expressions.cs:133:29:133:32 | call to constructor Class | expressions.cs:58:19:58:23 | Class |
+| expressions.cs:249:16:249:26 | LoginDialog | expressions.cs:249:16:249:26 | call to constructor Object | file://:0:0:0:0 | Object |
+| expressions.cs:270:16:270:24 | IntVector | expressions.cs:270:16:270:24 | call to constructor Object | file://:0:0:0:0 | Object |
+| expressions.cs:310:16:310:20 | Digit | expressions.cs:310:16:310:20 | call to constructor ValueType | file://:0:0:0:0 | ValueType |
+| expressions.cs:480:20:480:22 | Num | expressions.cs:480:20:480:22 | call to constructor Object | file://:0:0:0:0 | Object |
diff --git a/csharp/ql/test/library-tests/expressions/ConstructorInitializers.ql b/csharp/ql/test/library-tests/expressions/ConstructorInitializers.ql
new file mode 100644
index 00000000000..d5799127ea0
--- /dev/null
+++ b/csharp/ql/test/library-tests/expressions/ConstructorInitializers.ql
@@ -0,0 +1,21 @@
+import csharp
+
+private class ConstructorInitializerTarget extends Constructor {
+  override predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    if this.fromSource()
+    then this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    else (
+      filepath = "" and
+      startline = 0 and
+      startcolumn = 0 and
+      endline = 0 and
+      endcolumn = 0
+    )
+  }
+}
+
+from Constructor c, ConstructorInitializer i, ConstructorInitializerTarget target
+where c.getInitializer() = i and target = i.getTarget()
+select c, i, target
diff --git a/csharp/ql/test/library-tests/expressions/PrintAst.expected b/csharp/ql/test/library-tests/expressions/PrintAst.expected
index 5c23d3eb03f..1af5eb1b856 100644
--- a/csharp/ql/test/library-tests/expressions/PrintAst.expected
+++ b/csharp/ql/test/library-tests/expressions/PrintAst.expected
@@ -835,7 +835,14 @@ expressions.cs:
 #  129|     21: [Class] Nested
 #-----|       3: (Base types)
 #  129|         0: [TypeMention] Class
-#  133|       4: [InstanceConstructor] Nested
+#  131|       4: [StaticConstructor] Nested
+#  131|         4: [BlockStmt] {...}
+#  132|       5: [InstanceConstructor] Nested
+#-----|         2: (Parameters)
+#  132|           0: [Parameter] b
+#  132|             -1: [TypeMention] bool
+#  132|         4: [BlockStmt] {...}
+#  133|       6: [InstanceConstructor] Nested
 #-----|         2: (Parameters)
 #  133|           0: [Parameter] i
 #  133|             -1: [TypeMention] int
@@ -844,7 +851,7 @@ expressions.cs:
 #  133|             0: [ParameterAccess] access to parameter i
 #  133|             1: [IntLiteral] 1
 #  133|         4: [BlockStmt] {...}
-#  135|       5: [Method] OtherAccesses
+#  135|       7: [Method] OtherAccesses
 #  135|         -1: [TypeMention] Void
 #  136|         4: [BlockStmt] {...}
 #  137|           0: [ExprStmt] ...;
diff --git a/csharp/ql/test/library-tests/expressions/expressions.cs b/csharp/ql/test/library-tests/expressions/expressions.cs
index 5d995e10985..242db973baa 100644
--- a/csharp/ql/test/library-tests/expressions/expressions.cs
+++ b/csharp/ql/test/library-tests/expressions/expressions.cs
@@ -128,8 +128,8 @@ namespace Expressions
 
         class Nested : Class
         {
-
-
+            static Nested() { }
+            Nested(bool b) { }
             Nested(int i) : base(i + 1) { }
 
             void OtherAccesses()

From c3890a9435eb2b98dcf7361d8ba8a399d6663d07 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Wed, 28 Apr 2021 14:21:39 +0200
Subject: [PATCH 0783/1429] C#: Adjust CFG for instance constructors

---
 .../csharp/controlflow/internal/Splitting.qll | 14 +----
 .../controlflow/graph/BasicBlock.expected     | 12 ++--
 .../controlflow/graph/Consistency.expected    |  4 ++
 .../controlflow/graph/Dominance.expected      | 60 +++++++++++--------
 .../graph/EnclosingCallable.expected          | 19 ++++--
 .../controlflow/graph/EntryElement.expected   |  7 +++
 .../controlflow/graph/ExitElement.expected    |  7 +++
 .../controlflow/graph/NodeGraph.expected      | 33 +++++-----
 .../controlflow/graph/Nodes.expected          | 18 +++---
 9 files changed, 102 insertions(+), 72 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/controlflow/internal/Splitting.qll b/csharp/ql/src/semmle/code/csharp/controlflow/internal/Splitting.qll
index 0947059d873..498e6c461ae 100644
--- a/csharp/ql/src/semmle/code/csharp/controlflow/internal/Splitting.qll
+++ b/csharp/ql/src/semmle/code/csharp/controlflow/internal/Splitting.qll
@@ -244,18 +244,10 @@ module InitializerSplitting {
    * Holds if `c` is a non-static constructor that performs the initialization
    * of member `m`.
    */
-  predicate constructorInitializes(Constructor c, InitializedInstanceMember m) {
+  predicate constructorInitializes(InstanceConstructor c, InitializedInstanceMember m) {
     c.isUnboundDeclaration() and
-    not c.isStatic() and
-    c.getDeclaringType().hasMember(m) and
-    (
-      not c.hasInitializer()
-      or
-      // Members belonging to the base class are initialized via calls to the
-      // base constructor
-      c.getInitializer().isBase() and
-      m.getDeclaringType() = c.getDeclaringType()
-    )
+    c.getDeclaringType().getAMember() = m and
+    not c.getInitializer().isThis()
   }
 
   /**
diff --git a/csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected b/csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected
index 3936ebd12ae..2ec16a930fb 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected
+++ b/csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected
@@ -674,14 +674,14 @@
 | Foreach.cs:36:10:36:11 | exit M6 (normal) | Foreach.cs:36:10:36:11 | exit M6 | 2 |
 | Foreach.cs:38:9:39:11 | foreach (... ... in ...) ... | Foreach.cs:38:9:39:11 | foreach (... ... in ...) ... | 1 |
 | Foreach.cs:38:26:38:26 | String x | Foreach.cs:39:11:39:11 | ; | 4 |
-| Initializers.cs:8:5:8:16 | enter Initializers | Initializers.cs:8:5:8:16 | exit Initializers | 15 |
-| Initializers.cs:10:5:10:16 | enter Initializers | Initializers.cs:10:5:10:16 | exit Initializers | 15 |
+| Initializers.cs:8:5:8:16 | enter Initializers | Initializers.cs:8:5:8:16 | exit Initializers | 16 |
+| Initializers.cs:10:5:10:16 | enter Initializers | Initializers.cs:10:5:10:16 | exit Initializers | 16 |
 | Initializers.cs:12:10:12:10 | enter M | Initializers.cs:12:10:12:10 | exit M | 22 |
 | Initializers.cs:18:20:18:20 | 1 | Initializers.cs:18:16:18:20 | ... = ... | 2 |
 | Initializers.cs:20:11:20:23 | enter NoConstructor | Initializers.cs:20:11:20:23 | exit NoConstructor | 9 |
 | Initializers.cs:31:9:31:11 | enter Sub | Initializers.cs:31:9:31:11 | exit Sub | 12 |
 | Initializers.cs:33:9:33:11 | enter Sub | Initializers.cs:33:9:33:11 | exit Sub | 9 |
-| Initializers.cs:35:9:35:11 | enter Sub | Initializers.cs:35:9:35:11 | exit Sub | 19 |
+| Initializers.cs:35:9:35:11 | enter Sub | Initializers.cs:35:9:35:11 | exit Sub | 14 |
 | Initializers.cs:51:10:51:13 | enter Test | Initializers.cs:51:10:51:13 | exit Test | 105 |
 | LoopUnrolling.cs:7:10:7:11 | enter M1 | LoopUnrolling.cs:9:13:9:28 | ... == ... | 7 |
 | LoopUnrolling.cs:7:10:7:11 | exit M1 (normal) | LoopUnrolling.cs:7:10:7:11 | exit M1 | 2 |
@@ -776,6 +776,7 @@
 | MultiImplementationA.cs:16:17:16:18 | exit M1 (normal) | MultiImplementationB.cs:14:17:14:18 | exit M1 | 2 |
 | MultiImplementationA.cs:17:5:19:5 | {...} | MultiImplementationA.cs:18:9:18:22 | M2(...) | 2 |
 | MultiImplementationA.cs:18:9:18:22 | enter M2 | MultiImplementationA.cs:18:9:18:22 | exit M2 | 4 |
+| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationA.cs:20:12:20:13 | call to constructor Object | 1 |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | enter C2 | 1 |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | enter C2 | 1 |
 | MultiImplementationA.cs:20:12:20:13 | exit C2 | MultiImplementationA.cs:20:12:20:13 | exit C2 | 1 |
@@ -858,6 +859,7 @@
 | MultiImplementationB.cs:14:17:14:18 | exit M1 (normal) | MultiImplementationB.cs:14:17:14:18 | exit M1 | 2 |
 | MultiImplementationB.cs:15:5:17:5 | {...} | MultiImplementationB.cs:16:9:16:31 | M2(...) | 2 |
 | MultiImplementationB.cs:16:9:16:31 | enter M2 | MultiImplementationB.cs:16:9:16:31 | exit M2 | 5 |
+| MultiImplementationB.cs:18:12:18:13 | call to constructor Object | MultiImplementationB.cs:18:12:18:13 | call to constructor Object | 1 |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | enter C2 | 1 |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | enter C2 | 1 |
 | MultiImplementationB.cs:18:12:18:13 | exit C2 | MultiImplementationA.cs:20:12:20:13 | exit C2 | 1 |
@@ -1231,7 +1233,7 @@
 | cflow.cs:127:48:127:49 | "" | cflow.cs:127:48:127:49 | "" | 1 |
 | cflow.cs:127:53:127:57 | this access | cflow.cs:127:53:127:57 | access to field Field | 2 |
 | cflow.cs:127:62:127:64 | enter set_Prop | cflow.cs:127:62:127:64 | exit set_Prop | 8 |
-| cflow.cs:129:5:129:15 | enter ControlFlow | cflow.cs:129:5:129:15 | exit ControlFlow | 8 |
+| cflow.cs:129:5:129:15 | enter ControlFlow | cflow.cs:129:5:129:15 | exit ControlFlow | 9 |
 | cflow.cs:134:5:134:15 | enter ControlFlow | cflow.cs:134:5:134:15 | exit ControlFlow | 9 |
 | cflow.cs:136:12:136:22 | enter ControlFlow | cflow.cs:136:12:136:22 | exit ControlFlow | 8 |
 | cflow.cs:138:40:138:40 | enter + | cflow.cs:138:40:138:40 | exit + | 9 |
@@ -1330,7 +1332,7 @@
 | cflow.cs:284:5:284:18 | enter ControlFlowSub | cflow.cs:284:5:284:18 | exit ControlFlowSub | 5 |
 | cflow.cs:286:5:286:18 | enter ControlFlowSub | cflow.cs:286:5:286:18 | exit ControlFlowSub | 7 |
 | cflow.cs:291:12:291:12 | enter M | cflow.cs:291:12:291:12 | exit M | 6 |
-| cflow.cs:296:5:296:25 | enter NegationInConstructor | cflow.cs:296:5:296:25 | exit NegationInConstructor | 4 |
+| cflow.cs:296:5:296:25 | enter NegationInConstructor | cflow.cs:296:5:296:25 | exit NegationInConstructor | 5 |
 | cflow.cs:298:10:298:10 | enter M | cflow.cs:300:46:300:50 | ... > ... | 7 |
 | cflow.cs:300:44:300:51 | [false] !... | cflow.cs:300:44:300:51 | [false] !... | 1 |
 | cflow.cs:300:44:300:51 | [true] !... | cflow.cs:300:44:300:51 | [true] !... | 1 |
diff --git a/csharp/ql/test/library-tests/controlflow/graph/Consistency.expected b/csharp/ql/test/library-tests/controlflow/graph/Consistency.expected
index 8e868a0678a..0df56b8f207 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/Consistency.expected
+++ b/csharp/ql/test/library-tests/controlflow/graph/Consistency.expected
@@ -9,6 +9,8 @@ multipleSuccessors
 | MultiImplementationA.cs:13:16:13:20 | ... = ... | successor | MultiImplementationA.cs:24:16:24:16 | this access |
 | MultiImplementationA.cs:13:16:13:20 | ... = ... | successor | MultiImplementationB.cs:11:16:11:16 | this access |
 | MultiImplementationA.cs:13:16:13:20 | ... = ... | successor | MultiImplementationB.cs:22:16:22:16 | this access |
+| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | successor | MultiImplementationA.cs:13:16:13:16 | this access |
+| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | successor | MultiImplementationB.cs:11:16:11:16 | this access |
 | MultiImplementationA.cs:21:19:21:22 | call to constructor C2 | successor | MultiImplementationA.cs:21:27:21:29 | {...} |
 | MultiImplementationA.cs:21:19:21:22 | call to constructor C2 | successor | MultiImplementationB.cs:19:27:19:29 | {...} |
 | MultiImplementationA.cs:24:32:24:34 | ... = ... | successor | MultiImplementationA.cs:20:22:20:31 | {...} |
@@ -19,6 +21,8 @@ multipleSuccessors
 | MultiImplementationB.cs:11:16:11:20 | ... = ... | successor | MultiImplementationA.cs:24:16:24:16 | this access |
 | MultiImplementationB.cs:11:16:11:20 | ... = ... | successor | MultiImplementationB.cs:11:16:11:16 | this access |
 | MultiImplementationB.cs:11:16:11:20 | ... = ... | successor | MultiImplementationB.cs:22:16:22:16 | this access |
+| MultiImplementationB.cs:18:12:18:13 | call to constructor Object | successor | MultiImplementationA.cs:13:16:13:16 | this access |
+| MultiImplementationB.cs:18:12:18:13 | call to constructor Object | successor | MultiImplementationB.cs:11:16:11:16 | this access |
 | MultiImplementationB.cs:19:19:19:22 | call to constructor C2 | successor | MultiImplementationA.cs:21:27:21:29 | {...} |
 | MultiImplementationB.cs:19:19:19:22 | call to constructor C2 | successor | MultiImplementationB.cs:19:27:19:29 | {...} |
 | MultiImplementationB.cs:22:32:22:34 | ... = ... | successor | MultiImplementationA.cs:20:22:20:31 | {...} |
diff --git a/csharp/ql/test/library-tests/controlflow/graph/Dominance.expected b/csharp/ql/test/library-tests/controlflow/graph/Dominance.expected
index 2583984542d..5a316e90ec0 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/Dominance.expected
+++ b/csharp/ql/test/library-tests/controlflow/graph/Dominance.expected
@@ -2475,10 +2475,12 @@ dominance
 | Initializers.cs:6:27:6:31 | ... + ... | Initializers.cs:6:9:6:9 | access to property G |
 | Initializers.cs:6:31:6:31 | 2 | Initializers.cs:6:27:6:31 | ... + ... |
 | Initializers.cs:6:31:6:31 | 2 | Initializers.cs:6:27:6:31 | ... + ... |
-| Initializers.cs:8:5:8:16 | enter Initializers | Initializers.cs:5:9:5:9 | this access |
+| Initializers.cs:8:5:8:16 | call to constructor Object | Initializers.cs:5:9:5:9 | this access |
+| Initializers.cs:8:5:8:16 | enter Initializers | Initializers.cs:8:5:8:16 | call to constructor Object |
 | Initializers.cs:8:5:8:16 | exit Initializers (normal) | Initializers.cs:8:5:8:16 | exit Initializers |
 | Initializers.cs:8:20:8:22 | {...} | Initializers.cs:8:5:8:16 | exit Initializers (normal) |
-| Initializers.cs:10:5:10:16 | enter Initializers | Initializers.cs:5:9:5:9 | this access |
+| Initializers.cs:10:5:10:16 | call to constructor Object | Initializers.cs:5:9:5:9 | this access |
+| Initializers.cs:10:5:10:16 | enter Initializers | Initializers.cs:10:5:10:16 | call to constructor Object |
 | Initializers.cs:10:5:10:16 | exit Initializers (normal) | Initializers.cs:10:5:10:16 | exit Initializers |
 | Initializers.cs:10:28:10:30 | {...} | Initializers.cs:10:5:10:16 | exit Initializers (normal) |
 | Initializers.cs:12:10:12:10 | enter M | Initializers.cs:13:5:16:5 | {...} |
@@ -2506,16 +2508,10 @@ dominance
 | Initializers.cs:20:11:20:23 | enter NoConstructor | Initializers.cs:22:23:22:23 | this access |
 | Initializers.cs:20:11:20:23 | exit NoConstructor (normal) | Initializers.cs:20:11:20:23 | exit NoConstructor |
 | Initializers.cs:22:23:22:23 | this access | Initializers.cs:22:27:22:27 | 0 |
-| Initializers.cs:22:23:22:23 | this access | Initializers.cs:22:27:22:27 | 0 |
-| Initializers.cs:22:23:22:27 | ... = ... | Initializers.cs:23:23:23:23 | this access |
 | Initializers.cs:22:23:22:27 | ... = ... | Initializers.cs:23:23:23:23 | this access |
 | Initializers.cs:22:27:22:27 | 0 | Initializers.cs:22:23:22:27 | ... = ... |
-| Initializers.cs:22:27:22:27 | 0 | Initializers.cs:22:23:22:27 | ... = ... |
-| Initializers.cs:23:23:23:23 | this access | Initializers.cs:23:27:23:27 | 1 |
 | Initializers.cs:23:23:23:23 | this access | Initializers.cs:23:27:23:27 | 1 |
 | Initializers.cs:23:23:23:27 | ... = ... | Initializers.cs:20:11:20:23 | exit NoConstructor (normal) |
-| Initializers.cs:23:23:23:27 | ... = ... | Initializers.cs:28:13:28:13 | this access |
-| Initializers.cs:23:27:23:27 | 1 | Initializers.cs:23:23:23:27 | ... = ... |
 | Initializers.cs:23:27:23:27 | 1 | Initializers.cs:23:23:23:27 | ... = ... |
 | Initializers.cs:28:13:28:13 | this access | Initializers.cs:28:17:28:17 | 2 |
 | Initializers.cs:28:13:28:13 | this access | Initializers.cs:28:17:28:17 | 2 |
@@ -2539,7 +2535,8 @@ dominance
 | Initializers.cs:33:31:33:35 | ... = ... | Initializers.cs:33:9:33:11 | exit Sub (normal) |
 | Initializers.cs:33:31:33:36 | ...; | Initializers.cs:33:31:33:31 | this access |
 | Initializers.cs:33:35:33:35 | access to parameter i | Initializers.cs:33:31:33:35 | ... = ... |
-| Initializers.cs:35:9:35:11 | enter Sub | Initializers.cs:22:23:22:23 | this access |
+| Initializers.cs:35:9:35:11 | call to constructor NoConstructor | Initializers.cs:28:13:28:13 | this access |
+| Initializers.cs:35:9:35:11 | enter Sub | Initializers.cs:35:9:35:11 | call to constructor NoConstructor |
 | Initializers.cs:35:9:35:11 | exit Sub (normal) | Initializers.cs:35:9:35:11 | exit Sub |
 | Initializers.cs:35:27:35:40 | {...} | Initializers.cs:35:29:35:38 | ...; |
 | Initializers.cs:35:29:35:29 | this access | Initializers.cs:35:33:35:33 | access to parameter i |
@@ -2888,8 +2885,8 @@ dominance
 | MultiImplementationA.cs:18:9:18:22 | enter M2 | MultiImplementationA.cs:18:21:18:21 | 0 |
 | MultiImplementationA.cs:18:9:18:22 | exit M2 (normal) | MultiImplementationA.cs:18:9:18:22 | exit M2 |
 | MultiImplementationA.cs:18:21:18:21 | 0 | MultiImplementationA.cs:18:9:18:22 | exit M2 (normal) |
-| MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:13:16:13:16 | this access |
-| MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:11:16:11:16 | this access |
+| MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | call to constructor Object |
+| MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | call to constructor Object |
 | MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationA.cs:20:24:20:29 | ...; |
 | MultiImplementationA.cs:20:24:20:24 | this access | MultiImplementationA.cs:20:28:20:28 | access to parameter i |
 | MultiImplementationA.cs:20:24:20:28 | ... = ... | MultiImplementationA.cs:20:12:20:13 | exit C2 (normal) |
@@ -2973,8 +2970,8 @@ dominance
 | MultiImplementationB.cs:16:9:16:31 | exit M2 (abnormal) | MultiImplementationB.cs:16:9:16:31 | exit M2 |
 | MultiImplementationB.cs:16:21:16:30 | throw ... | MultiImplementationB.cs:16:9:16:31 | exit M2 (abnormal) |
 | MultiImplementationB.cs:16:27:16:30 | null | MultiImplementationB.cs:16:21:16:30 | throw ... |
-| MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:13:16:13:16 | this access |
-| MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:11:16:11:16 | this access |
+| MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | call to constructor Object |
+| MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | call to constructor Object |
 | MultiImplementationB.cs:18:22:18:36 | {...} | MultiImplementationB.cs:18:30:18:33 | null |
 | MultiImplementationB.cs:18:24:18:34 | throw ...; | MultiImplementationA.cs:20:12:20:13 | exit C2 (abnormal) |
 | MultiImplementationB.cs:18:24:18:34 | throw ...; | MultiImplementationB.cs:18:12:18:13 | exit C2 (abnormal) |
@@ -3917,7 +3914,8 @@ dominance
 | cflow.cs:127:68:127:80 | ... = ... | cflow.cs:127:62:127:64 | exit set_Prop (normal) |
 | cflow.cs:127:68:127:81 | ...; | cflow.cs:127:68:127:72 | this access |
 | cflow.cs:127:76:127:80 | access to parameter value | cflow.cs:127:68:127:80 | ... = ... |
-| cflow.cs:129:5:129:15 | enter ControlFlow | cflow.cs:130:5:132:5 | {...} |
+| cflow.cs:129:5:129:15 | call to constructor Object | cflow.cs:130:5:132:5 | {...} |
+| cflow.cs:129:5:129:15 | enter ControlFlow | cflow.cs:129:5:129:15 | call to constructor Object |
 | cflow.cs:129:5:129:15 | exit ControlFlow (normal) | cflow.cs:129:5:129:15 | exit ControlFlow |
 | cflow.cs:130:5:132:5 | {...} | cflow.cs:131:9:131:18 | ...; |
 | cflow.cs:131:9:131:13 | this access | cflow.cs:131:17:131:17 | access to parameter s |
@@ -4278,7 +4276,8 @@ dominance
 | cflow.cs:291:38:291:38 | access to parameter f | cflow.cs:291:40:291:40 | 0 |
 | cflow.cs:291:38:291:41 | delegate call | cflow.cs:291:12:291:12 | exit M (normal) |
 | cflow.cs:291:40:291:40 | 0 | cflow.cs:291:38:291:41 | delegate call |
-| cflow.cs:296:5:296:25 | enter NegationInConstructor | cflow.cs:296:52:296:54 | {...} |
+| cflow.cs:296:5:296:25 | call to constructor Object | cflow.cs:296:52:296:54 | {...} |
+| cflow.cs:296:5:296:25 | enter NegationInConstructor | cflow.cs:296:5:296:25 | call to constructor Object |
 | cflow.cs:296:5:296:25 | exit NegationInConstructor (normal) | cflow.cs:296:5:296:25 | exit NegationInConstructor |
 | cflow.cs:296:52:296:54 | {...} | cflow.cs:296:5:296:25 | exit NegationInConstructor (normal) |
 | cflow.cs:298:10:298:10 | enter M | cflow.cs:299:5:301:5 | {...} |
@@ -6550,8 +6549,8 @@ postDominance
 | Foreach.cs:38:33:38:33 | Int32 y | Foreach.cs:38:26:38:26 | String x |
 | Foreach.cs:38:39:38:42 | access to parameter args | Foreach.cs:37:5:40:5 | {...} |
 | Foreach.cs:39:11:39:11 | ; | Foreach.cs:38:18:38:34 | (..., ...) |
-| Initializers.cs:5:9:5:9 | this access | Initializers.cs:8:5:8:16 | enter Initializers |
-| Initializers.cs:5:9:5:9 | this access | Initializers.cs:10:5:10:16 | enter Initializers |
+| Initializers.cs:5:9:5:9 | this access | Initializers.cs:8:5:8:16 | call to constructor Object |
+| Initializers.cs:5:9:5:9 | this access | Initializers.cs:10:5:10:16 | call to constructor Object |
 | Initializers.cs:5:9:5:17 | ... = ... | Initializers.cs:5:13:5:17 | ... + ... |
 | Initializers.cs:5:9:5:17 | ... = ... | Initializers.cs:5:13:5:17 | ... + ... |
 | Initializers.cs:5:13:5:13 | access to field H | Initializers.cs:5:9:5:9 | this access |
@@ -6572,9 +6571,11 @@ postDominance
 | Initializers.cs:6:27:6:31 | ... + ... | Initializers.cs:6:31:6:31 | 2 |
 | Initializers.cs:6:31:6:31 | 2 | Initializers.cs:6:27:6:27 | access to field H |
 | Initializers.cs:6:31:6:31 | 2 | Initializers.cs:6:27:6:27 | access to field H |
+| Initializers.cs:8:5:8:16 | call to constructor Object | Initializers.cs:8:5:8:16 | enter Initializers |
 | Initializers.cs:8:5:8:16 | exit Initializers | Initializers.cs:8:5:8:16 | exit Initializers (normal) |
 | Initializers.cs:8:5:8:16 | exit Initializers (normal) | Initializers.cs:8:20:8:22 | {...} |
 | Initializers.cs:8:20:8:22 | {...} | Initializers.cs:6:25:6:31 | ... = ... |
+| Initializers.cs:10:5:10:16 | call to constructor Object | Initializers.cs:10:5:10:16 | enter Initializers |
 | Initializers.cs:10:5:10:16 | exit Initializers | Initializers.cs:10:5:10:16 | exit Initializers (normal) |
 | Initializers.cs:10:5:10:16 | exit Initializers (normal) | Initializers.cs:10:28:10:30 | {...} |
 | Initializers.cs:10:28:10:30 | {...} | Initializers.cs:6:25:6:31 | ... = ... |
@@ -6603,19 +6604,13 @@ postDominance
 | Initializers.cs:20:11:20:23 | exit NoConstructor | Initializers.cs:20:11:20:23 | exit NoConstructor (normal) |
 | Initializers.cs:20:11:20:23 | exit NoConstructor (normal) | Initializers.cs:23:23:23:27 | ... = ... |
 | Initializers.cs:22:23:22:23 | this access | Initializers.cs:20:11:20:23 | enter NoConstructor |
-| Initializers.cs:22:23:22:23 | this access | Initializers.cs:35:9:35:11 | enter Sub |
-| Initializers.cs:22:23:22:27 | ... = ... | Initializers.cs:22:27:22:27 | 0 |
 | Initializers.cs:22:23:22:27 | ... = ... | Initializers.cs:22:27:22:27 | 0 |
 | Initializers.cs:22:27:22:27 | 0 | Initializers.cs:22:23:22:23 | this access |
-| Initializers.cs:22:27:22:27 | 0 | Initializers.cs:22:23:22:23 | this access |
-| Initializers.cs:23:23:23:23 | this access | Initializers.cs:22:23:22:27 | ... = ... |
 | Initializers.cs:23:23:23:23 | this access | Initializers.cs:22:23:22:27 | ... = ... |
 | Initializers.cs:23:23:23:27 | ... = ... | Initializers.cs:23:27:23:27 | 1 |
-| Initializers.cs:23:23:23:27 | ... = ... | Initializers.cs:23:27:23:27 | 1 |
 | Initializers.cs:23:27:23:27 | 1 | Initializers.cs:23:23:23:23 | this access |
-| Initializers.cs:23:27:23:27 | 1 | Initializers.cs:23:23:23:23 | this access |
-| Initializers.cs:28:13:28:13 | this access | Initializers.cs:23:23:23:27 | ... = ... |
 | Initializers.cs:28:13:28:13 | this access | Initializers.cs:31:17:31:20 | call to constructor NoConstructor |
+| Initializers.cs:28:13:28:13 | this access | Initializers.cs:35:9:35:11 | call to constructor NoConstructor |
 | Initializers.cs:28:13:28:17 | ... = ... | Initializers.cs:28:17:28:17 | 2 |
 | Initializers.cs:28:13:28:17 | ... = ... | Initializers.cs:28:17:28:17 | 2 |
 | Initializers.cs:28:17:28:17 | 2 | Initializers.cs:28:13:28:13 | this access |
@@ -6636,6 +6631,7 @@ postDominance
 | Initializers.cs:33:31:33:35 | ... = ... | Initializers.cs:33:35:33:35 | access to parameter i |
 | Initializers.cs:33:31:33:36 | ...; | Initializers.cs:33:29:33:38 | {...} |
 | Initializers.cs:33:35:33:35 | access to parameter i | Initializers.cs:33:31:33:31 | this access |
+| Initializers.cs:35:9:35:11 | call to constructor NoConstructor | Initializers.cs:35:9:35:11 | enter Sub |
 | Initializers.cs:35:9:35:11 | exit Sub | Initializers.cs:35:9:35:11 | exit Sub (normal) |
 | Initializers.cs:35:9:35:11 | exit Sub (normal) | Initializers.cs:35:29:35:37 | ... = ... |
 | Initializers.cs:35:27:35:40 | {...} | Initializers.cs:28:13:28:17 | ... = ... |
@@ -7948,9 +7944,10 @@ postDominance
 | cflow.cs:127:68:127:80 | ... = ... | cflow.cs:127:76:127:80 | access to parameter value |
 | cflow.cs:127:68:127:81 | ...; | cflow.cs:127:66:127:83 | {...} |
 | cflow.cs:127:76:127:80 | access to parameter value | cflow.cs:127:68:127:72 | this access |
+| cflow.cs:129:5:129:15 | call to constructor Object | cflow.cs:129:5:129:15 | enter ControlFlow |
 | cflow.cs:129:5:129:15 | exit ControlFlow | cflow.cs:129:5:129:15 | exit ControlFlow (normal) |
 | cflow.cs:129:5:129:15 | exit ControlFlow (normal) | cflow.cs:131:9:131:17 | ... = ... |
-| cflow.cs:130:5:132:5 | {...} | cflow.cs:129:5:129:15 | enter ControlFlow |
+| cflow.cs:130:5:132:5 | {...} | cflow.cs:129:5:129:15 | call to constructor Object |
 | cflow.cs:131:9:131:13 | this access | cflow.cs:131:9:131:18 | ...; |
 | cflow.cs:131:9:131:17 | ... = ... | cflow.cs:131:17:131:17 | access to parameter s |
 | cflow.cs:131:9:131:18 | ...; | cflow.cs:130:5:132:5 | {...} |
@@ -8301,9 +8298,10 @@ postDominance
 | cflow.cs:291:38:291:38 | access to parameter f | cflow.cs:291:12:291:12 | enter M |
 | cflow.cs:291:38:291:41 | delegate call | cflow.cs:291:40:291:40 | 0 |
 | cflow.cs:291:40:291:40 | 0 | cflow.cs:291:38:291:38 | access to parameter f |
+| cflow.cs:296:5:296:25 | call to constructor Object | cflow.cs:296:5:296:25 | enter NegationInConstructor |
 | cflow.cs:296:5:296:25 | exit NegationInConstructor | cflow.cs:296:5:296:25 | exit NegationInConstructor (normal) |
 | cflow.cs:296:5:296:25 | exit NegationInConstructor (normal) | cflow.cs:296:52:296:54 | {...} |
-| cflow.cs:296:52:296:54 | {...} | cflow.cs:296:5:296:25 | enter NegationInConstructor |
+| cflow.cs:296:52:296:54 | {...} | cflow.cs:296:5:296:25 | call to constructor Object |
 | cflow.cs:298:10:298:10 | exit M | cflow.cs:298:10:298:10 | exit M (normal) |
 | cflow.cs:298:10:298:10 | exit M (normal) | cflow.cs:300:9:300:72 | object creation of type NegationInConstructor |
 | cflow.cs:299:5:301:5 | {...} | cflow.cs:298:10:298:10 | enter M |
@@ -11404,12 +11402,15 @@ blockDominance
 | MultiImplementationA.cs:16:17:16:18 | exit M1 (normal) | MultiImplementationB.cs:14:17:14:18 | exit M1 (normal) |
 | MultiImplementationA.cs:17:5:19:5 | {...} | MultiImplementationA.cs:17:5:19:5 | {...} |
 | MultiImplementationA.cs:18:9:18:22 | enter M2 | MultiImplementationA.cs:18:9:18:22 | enter M2 |
+| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationA.cs:20:12:20:13 | call to constructor Object |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:13:16:13:16 | this access |
+| MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | call to constructor Object |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | enter C2 |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | exit C2 |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:20:22:20:31 | {...} |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:24:16:24:16 | this access |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:11:16:11:16 | this access |
+| MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | call to constructor Object |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | enter C2 |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | exit C2 |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:18:22:18:36 | {...} |
@@ -11534,12 +11535,15 @@ blockDominance
 | MultiImplementationB.cs:14:17:14:18 | exit M1 (normal) | MultiImplementationB.cs:14:17:14:18 | exit M1 (normal) |
 | MultiImplementationB.cs:15:5:17:5 | {...} | MultiImplementationB.cs:15:5:17:5 | {...} |
 | MultiImplementationB.cs:16:9:16:31 | enter M2 | MultiImplementationB.cs:16:9:16:31 | enter M2 |
+| MultiImplementationB.cs:18:12:18:13 | call to constructor Object | MultiImplementationB.cs:18:12:18:13 | call to constructor Object |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:13:16:13:16 | this access |
+| MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | call to constructor Object |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | enter C2 |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | exit C2 |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:20:22:20:31 | {...} |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:24:16:24:16 | this access |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:11:16:11:16 | this access |
+| MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | call to constructor Object |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | enter C2 |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | exit C2 |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:18:22:18:36 | {...} |
@@ -14983,15 +14987,18 @@ postBlockDominance
 | MultiImplementationA.cs:16:17:16:18 | exit M1 (normal) | MultiImplementationB.cs:15:5:17:5 | {...} |
 | MultiImplementationA.cs:17:5:19:5 | {...} | MultiImplementationA.cs:17:5:19:5 | {...} |
 | MultiImplementationA.cs:18:9:18:22 | enter M2 | MultiImplementationA.cs:18:9:18:22 | enter M2 |
+| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationA.cs:20:12:20:13 | call to constructor Object |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | enter C2 |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | enter C2 |
 | MultiImplementationA.cs:20:12:20:13 | exit C2 | MultiImplementationA.cs:20:12:20:13 | exit C2 |
 | MultiImplementationA.cs:20:12:20:13 | exit C2 | MultiImplementationB.cs:18:12:18:13 | exit C2 |
 | MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationA.cs:13:16:13:16 | this access |
+| MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationA.cs:20:12:20:13 | call to constructor Object |
 | MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationA.cs:20:12:20:13 | enter C2 |
 | MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationA.cs:20:22:20:31 | {...} |
 | MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationA.cs:24:16:24:16 | this access |
 | MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationB.cs:11:16:11:16 | this access |
+| MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationB.cs:18:12:18:13 | call to constructor Object |
 | MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationB.cs:18:12:18:13 | enter C2 |
 | MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationB.cs:22:16:22:16 | this access |
 | MultiImplementationA.cs:21:12:21:13 | enter C2 | MultiImplementationA.cs:21:12:21:13 | enter C2 |
@@ -15087,6 +15094,7 @@ postBlockDominance
 | MultiImplementationB.cs:14:17:14:18 | exit M1 (normal) | MultiImplementationB.cs:15:5:17:5 | {...} |
 | MultiImplementationB.cs:15:5:17:5 | {...} | MultiImplementationB.cs:15:5:17:5 | {...} |
 | MultiImplementationB.cs:16:9:16:31 | enter M2 | MultiImplementationB.cs:16:9:16:31 | enter M2 |
+| MultiImplementationB.cs:18:12:18:13 | call to constructor Object | MultiImplementationB.cs:18:12:18:13 | call to constructor Object |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | enter C2 |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | enter C2 |
 | MultiImplementationB.cs:18:12:18:13 | exit C2 | MultiImplementationA.cs:20:12:20:13 | exit C2 |
diff --git a/csharp/ql/test/library-tests/controlflow/graph/EnclosingCallable.expected b/csharp/ql/test/library-tests/controlflow/graph/EnclosingCallable.expected
index 6df7f49dc63..c9a2116762d 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/EnclosingCallable.expected
+++ b/csharp/ql/test/library-tests/controlflow/graph/EnclosingCallable.expected
@@ -2675,10 +2675,12 @@ nodeEnclosing
 | Initializers.cs:6:27:6:31 | ... + ... | Initializers.cs:10:5:10:16 | Initializers |
 | Initializers.cs:6:31:6:31 | 2 | Initializers.cs:8:5:8:16 | Initializers |
 | Initializers.cs:6:31:6:31 | 2 | Initializers.cs:10:5:10:16 | Initializers |
+| Initializers.cs:8:5:8:16 | call to constructor Object | Initializers.cs:8:5:8:16 | Initializers |
 | Initializers.cs:8:5:8:16 | enter Initializers | Initializers.cs:8:5:8:16 | Initializers |
 | Initializers.cs:8:5:8:16 | exit Initializers | Initializers.cs:8:5:8:16 | Initializers |
 | Initializers.cs:8:5:8:16 | exit Initializers (normal) | Initializers.cs:8:5:8:16 | Initializers |
 | Initializers.cs:8:20:8:22 | {...} | Initializers.cs:8:5:8:16 | Initializers |
+| Initializers.cs:10:5:10:16 | call to constructor Object | Initializers.cs:10:5:10:16 | Initializers |
 | Initializers.cs:10:5:10:16 | enter Initializers | Initializers.cs:10:5:10:16 | Initializers |
 | Initializers.cs:10:5:10:16 | exit Initializers | Initializers.cs:10:5:10:16 | Initializers |
 | Initializers.cs:10:5:10:16 | exit Initializers (normal) | Initializers.cs:10:5:10:16 | Initializers |
@@ -2709,17 +2711,11 @@ nodeEnclosing
 | Initializers.cs:20:11:20:23 | exit NoConstructor | Initializers.cs:20:11:20:23 | NoConstructor |
 | Initializers.cs:20:11:20:23 | exit NoConstructor (normal) | Initializers.cs:20:11:20:23 | NoConstructor |
 | Initializers.cs:22:23:22:23 | this access | Initializers.cs:20:11:20:23 | NoConstructor |
-| Initializers.cs:22:23:22:23 | this access | Initializers.cs:35:9:35:11 | Sub |
 | Initializers.cs:22:23:22:27 | ... = ... | Initializers.cs:20:11:20:23 | NoConstructor |
-| Initializers.cs:22:23:22:27 | ... = ... | Initializers.cs:35:9:35:11 | Sub |
 | Initializers.cs:22:27:22:27 | 0 | Initializers.cs:20:11:20:23 | NoConstructor |
-| Initializers.cs:22:27:22:27 | 0 | Initializers.cs:35:9:35:11 | Sub |
 | Initializers.cs:23:23:23:23 | this access | Initializers.cs:20:11:20:23 | NoConstructor |
-| Initializers.cs:23:23:23:23 | this access | Initializers.cs:35:9:35:11 | Sub |
 | Initializers.cs:23:23:23:27 | ... = ... | Initializers.cs:20:11:20:23 | NoConstructor |
-| Initializers.cs:23:23:23:27 | ... = ... | Initializers.cs:35:9:35:11 | Sub |
 | Initializers.cs:23:27:23:27 | 1 | Initializers.cs:20:11:20:23 | NoConstructor |
-| Initializers.cs:23:27:23:27 | 1 | Initializers.cs:35:9:35:11 | Sub |
 | Initializers.cs:28:13:28:13 | this access | Initializers.cs:31:9:31:11 | Sub |
 | Initializers.cs:28:13:28:13 | this access | Initializers.cs:35:9:35:11 | Sub |
 | Initializers.cs:28:13:28:17 | ... = ... | Initializers.cs:31:9:31:11 | Sub |
@@ -2744,6 +2740,7 @@ nodeEnclosing
 | Initializers.cs:33:31:33:35 | ... = ... | Initializers.cs:33:9:33:11 | Sub |
 | Initializers.cs:33:31:33:36 | ...; | Initializers.cs:33:9:33:11 | Sub |
 | Initializers.cs:33:35:33:35 | access to parameter i | Initializers.cs:33:9:33:11 | Sub |
+| Initializers.cs:35:9:35:11 | call to constructor NoConstructor | Initializers.cs:35:9:35:11 | Sub |
 | Initializers.cs:35:9:35:11 | enter Sub | Initializers.cs:35:9:35:11 | Sub |
 | Initializers.cs:35:9:35:11 | exit Sub | Initializers.cs:35:9:35:11 | Sub |
 | Initializers.cs:35:9:35:11 | exit Sub (normal) | Initializers.cs:35:9:35:11 | Sub |
@@ -3167,6 +3164,8 @@ nodeEnclosing
 | MultiImplementationA.cs:18:9:18:22 | exit M2 | MultiImplementationA.cs:18:9:18:22 | M2 |
 | MultiImplementationA.cs:18:9:18:22 | exit M2 (normal) | MultiImplementationA.cs:18:9:18:22 | M2 |
 | MultiImplementationA.cs:18:21:18:21 | 0 | MultiImplementationA.cs:18:9:18:22 | M2 |
+| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationA.cs:20:12:20:13 | C2 |
+| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationB.cs:18:12:18:13 | C2 |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | C2 |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | C2 |
 | MultiImplementationA.cs:20:12:20:13 | exit C2 | MultiImplementationA.cs:20:12:20:13 | C2 |
@@ -3354,6 +3353,8 @@ nodeEnclosing
 | MultiImplementationB.cs:16:9:16:31 | exit M2 (abnormal) | MultiImplementationB.cs:16:9:16:31 | M2 |
 | MultiImplementationB.cs:16:21:16:30 | throw ... | MultiImplementationB.cs:16:9:16:31 | M2 |
 | MultiImplementationB.cs:16:27:16:30 | null | MultiImplementationB.cs:16:9:16:31 | M2 |
+| MultiImplementationB.cs:18:12:18:13 | call to constructor Object | MultiImplementationA.cs:20:12:20:13 | C2 |
+| MultiImplementationB.cs:18:12:18:13 | call to constructor Object | MultiImplementationB.cs:18:12:18:13 | C2 |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | C2 |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | C2 |
 | MultiImplementationB.cs:18:12:18:13 | exit C2 | MultiImplementationA.cs:20:12:20:13 | C2 |
@@ -4436,6 +4437,7 @@ nodeEnclosing
 | cflow.cs:127:68:127:80 | ... = ... | cflow.cs:127:62:127:64 | set_Prop |
 | cflow.cs:127:68:127:81 | ...; | cflow.cs:127:62:127:64 | set_Prop |
 | cflow.cs:127:76:127:80 | access to parameter value | cflow.cs:127:62:127:64 | set_Prop |
+| cflow.cs:129:5:129:15 | call to constructor Object | cflow.cs:129:5:129:15 | ControlFlow |
 | cflow.cs:129:5:129:15 | enter ControlFlow | cflow.cs:129:5:129:15 | ControlFlow |
 | cflow.cs:129:5:129:15 | exit ControlFlow | cflow.cs:129:5:129:15 | ControlFlow |
 | cflow.cs:129:5:129:15 | exit ControlFlow (normal) | cflow.cs:129:5:129:15 | ControlFlow |
@@ -4826,6 +4828,7 @@ nodeEnclosing
 | cflow.cs:291:38:291:38 | access to parameter f | cflow.cs:291:12:291:12 | M |
 | cflow.cs:291:38:291:41 | delegate call | cflow.cs:291:12:291:12 | M |
 | cflow.cs:291:40:291:40 | 0 | cflow.cs:291:12:291:12 | M |
+| cflow.cs:296:5:296:25 | call to constructor Object | cflow.cs:296:5:296:25 | NegationInConstructor |
 | cflow.cs:296:5:296:25 | enter NegationInConstructor | cflow.cs:296:5:296:25 | NegationInConstructor |
 | cflow.cs:296:5:296:25 | exit NegationInConstructor | cflow.cs:296:5:296:25 | NegationInConstructor |
 | cflow.cs:296:5:296:25 | exit NegationInConstructor (normal) | cflow.cs:296:5:296:25 | NegationInConstructor |
@@ -5628,6 +5631,8 @@ blockEnclosing
 | MultiImplementationA.cs:17:5:19:5 | {...} | MultiImplementationA.cs:16:17:16:18 | M1 |
 | MultiImplementationA.cs:17:5:19:5 | {...} | MultiImplementationB.cs:14:17:14:18 | M1 |
 | MultiImplementationA.cs:18:9:18:22 | enter M2 | MultiImplementationA.cs:18:9:18:22 | M2 |
+| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationA.cs:20:12:20:13 | C2 |
+| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationB.cs:18:12:18:13 | C2 |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | C2 |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | C2 |
 | MultiImplementationA.cs:20:12:20:13 | exit C2 | MultiImplementationA.cs:20:12:20:13 | C2 |
@@ -5716,6 +5721,8 @@ blockEnclosing
 | MultiImplementationB.cs:15:5:17:5 | {...} | MultiImplementationA.cs:16:17:16:18 | M1 |
 | MultiImplementationB.cs:15:5:17:5 | {...} | MultiImplementationB.cs:14:17:14:18 | M1 |
 | MultiImplementationB.cs:16:9:16:31 | enter M2 | MultiImplementationB.cs:16:9:16:31 | M2 |
+| MultiImplementationB.cs:18:12:18:13 | call to constructor Object | MultiImplementationA.cs:20:12:20:13 | C2 |
+| MultiImplementationB.cs:18:12:18:13 | call to constructor Object | MultiImplementationB.cs:18:12:18:13 | C2 |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | C2 |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | C2 |
 | MultiImplementationB.cs:18:12:18:13 | exit C2 | MultiImplementationA.cs:20:12:20:13 | C2 |
diff --git a/csharp/ql/test/library-tests/controlflow/graph/EntryElement.expected b/csharp/ql/test/library-tests/controlflow/graph/EntryElement.expected
index 28fd165909c..d48906f29c5 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/EntryElement.expected
+++ b/csharp/ql/test/library-tests/controlflow/graph/EntryElement.expected
@@ -1687,7 +1687,9 @@
 | Initializers.cs:6:27:6:27 | access to field H | Initializers.cs:6:27:6:27 | access to field H |
 | Initializers.cs:6:27:6:31 | ... + ... | Initializers.cs:6:27:6:27 | access to field H |
 | Initializers.cs:6:31:6:31 | 2 | Initializers.cs:6:31:6:31 | 2 |
+| Initializers.cs:8:5:8:16 | call to constructor Object | Initializers.cs:8:5:8:16 | call to constructor Object |
 | Initializers.cs:8:20:8:22 | {...} | Initializers.cs:8:20:8:22 | {...} |
+| Initializers.cs:10:5:10:16 | call to constructor Object | Initializers.cs:10:5:10:16 | call to constructor Object |
 | Initializers.cs:10:28:10:30 | {...} | Initializers.cs:10:28:10:30 | {...} |
 | Initializers.cs:13:5:16:5 | {...} | Initializers.cs:13:5:16:5 | {...} |
 | Initializers.cs:14:9:14:54 | ... ...; | Initializers.cs:14:9:14:54 | ... ...; |
@@ -1735,6 +1737,7 @@
 | Initializers.cs:33:31:33:35 | ... = ... | Initializers.cs:33:31:33:31 | this access |
 | Initializers.cs:33:31:33:36 | ...; | Initializers.cs:33:31:33:36 | ...; |
 | Initializers.cs:33:35:33:35 | access to parameter i | Initializers.cs:33:35:33:35 | access to parameter i |
+| Initializers.cs:35:9:35:11 | call to constructor NoConstructor | Initializers.cs:35:9:35:11 | call to constructor NoConstructor |
 | Initializers.cs:35:27:35:40 | {...} | Initializers.cs:35:27:35:40 | {...} |
 | Initializers.cs:35:29:35:29 | access to field I | Initializers.cs:35:29:35:29 | this access |
 | Initializers.cs:35:29:35:29 | this access | Initializers.cs:35:29:35:29 | this access |
@@ -2045,6 +2048,7 @@
 | MultiImplementationA.cs:17:5:19:5 | {...} | MultiImplementationA.cs:17:5:19:5 | {...} |
 | MultiImplementationA.cs:18:9:18:22 | M2(...) | MultiImplementationA.cs:18:9:18:22 | M2(...) |
 | MultiImplementationA.cs:18:21:18:21 | 0 | MultiImplementationA.cs:18:21:18:21 | 0 |
+| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationA.cs:20:12:20:13 | call to constructor Object |
 | MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationA.cs:20:22:20:31 | {...} |
 | MultiImplementationA.cs:20:24:20:24 | access to field F | MultiImplementationA.cs:20:24:20:24 | this access |
 | MultiImplementationA.cs:20:24:20:24 | this access | MultiImplementationA.cs:20:24:20:24 | this access |
@@ -2089,6 +2093,7 @@
 | MultiImplementationB.cs:16:9:16:31 | M2(...) | MultiImplementationB.cs:16:9:16:31 | M2(...) |
 | MultiImplementationB.cs:16:21:16:30 | throw ... | MultiImplementationB.cs:16:27:16:30 | null |
 | MultiImplementationB.cs:16:27:16:30 | null | MultiImplementationB.cs:16:27:16:30 | null |
+| MultiImplementationB.cs:18:12:18:13 | call to constructor Object | MultiImplementationB.cs:18:12:18:13 | call to constructor Object |
 | MultiImplementationB.cs:18:22:18:36 | {...} | MultiImplementationB.cs:18:22:18:36 | {...} |
 | MultiImplementationB.cs:18:24:18:34 | throw ...; | MultiImplementationB.cs:18:30:18:33 | null |
 | MultiImplementationB.cs:18:30:18:33 | null | MultiImplementationB.cs:18:30:18:33 | null |
@@ -2933,6 +2938,7 @@
 | cflow.cs:127:68:127:80 | ... = ... | cflow.cs:127:68:127:72 | this access |
 | cflow.cs:127:68:127:81 | ...; | cflow.cs:127:68:127:81 | ...; |
 | cflow.cs:127:76:127:80 | access to parameter value | cflow.cs:127:76:127:80 | access to parameter value |
+| cflow.cs:129:5:129:15 | call to constructor Object | cflow.cs:129:5:129:15 | call to constructor Object |
 | cflow.cs:130:5:132:5 | {...} | cflow.cs:130:5:132:5 | {...} |
 | cflow.cs:131:9:131:13 | access to field Field | cflow.cs:131:9:131:13 | this access |
 | cflow.cs:131:9:131:13 | this access | cflow.cs:131:9:131:13 | this access |
@@ -3267,6 +3273,7 @@
 | cflow.cs:291:38:291:38 | access to parameter f | cflow.cs:291:38:291:38 | access to parameter f |
 | cflow.cs:291:38:291:41 | delegate call | cflow.cs:291:38:291:38 | access to parameter f |
 | cflow.cs:291:40:291:40 | 0 | cflow.cs:291:40:291:40 | 0 |
+| cflow.cs:296:5:296:25 | call to constructor Object | cflow.cs:296:5:296:25 | call to constructor Object |
 | cflow.cs:296:52:296:54 | {...} | cflow.cs:296:52:296:54 | {...} |
 | cflow.cs:299:5:301:5 | {...} | cflow.cs:299:5:301:5 | {...} |
 | cflow.cs:300:9:300:72 | object creation of type NegationInConstructor | cflow.cs:300:38:300:38 | 0 |
diff --git a/csharp/ql/test/library-tests/controlflow/graph/ExitElement.expected b/csharp/ql/test/library-tests/controlflow/graph/ExitElement.expected
index df6d8eb416f..c96b19b371b 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/ExitElement.expected
+++ b/csharp/ql/test/library-tests/controlflow/graph/ExitElement.expected
@@ -2325,7 +2325,9 @@
 | Initializers.cs:6:27:6:27 | access to field H | Initializers.cs:6:27:6:27 | access to field H | normal |
 | Initializers.cs:6:27:6:31 | ... + ... | Initializers.cs:6:27:6:31 | ... + ... | normal |
 | Initializers.cs:6:31:6:31 | 2 | Initializers.cs:6:31:6:31 | 2 | normal |
+| Initializers.cs:8:5:8:16 | call to constructor Object | Initializers.cs:8:5:8:16 | call to constructor Object | normal |
 | Initializers.cs:8:20:8:22 | {...} | Initializers.cs:8:20:8:22 | {...} | normal |
+| Initializers.cs:10:5:10:16 | call to constructor Object | Initializers.cs:10:5:10:16 | call to constructor Object | normal |
 | Initializers.cs:10:28:10:30 | {...} | Initializers.cs:10:28:10:30 | {...} | normal |
 | Initializers.cs:13:5:16:5 | {...} | Initializers.cs:15:13:15:63 | Initializers[] iz = ... | normal |
 | Initializers.cs:14:9:14:54 | ... ...; | Initializers.cs:14:13:14:53 | Initializers i = ... | normal |
@@ -2373,6 +2375,7 @@
 | Initializers.cs:33:31:33:35 | ... = ... | Initializers.cs:33:31:33:35 | ... = ... | normal |
 | Initializers.cs:33:31:33:36 | ...; | Initializers.cs:33:31:33:35 | ... = ... | normal |
 | Initializers.cs:33:35:33:35 | access to parameter i | Initializers.cs:33:35:33:35 | access to parameter i | normal |
+| Initializers.cs:35:9:35:11 | call to constructor NoConstructor | Initializers.cs:35:9:35:11 | call to constructor NoConstructor | normal |
 | Initializers.cs:35:27:35:40 | {...} | Initializers.cs:35:29:35:37 | ... = ... | normal |
 | Initializers.cs:35:29:35:29 | access to field I | Initializers.cs:35:29:35:29 | this access | normal |
 | Initializers.cs:35:29:35:29 | this access | Initializers.cs:35:29:35:29 | this access | normal |
@@ -2697,6 +2700,7 @@
 | MultiImplementationA.cs:17:5:19:5 | {...} | MultiImplementationA.cs:18:9:18:22 | M2(...) | normal |
 | MultiImplementationA.cs:18:9:18:22 | M2(...) | MultiImplementationA.cs:18:9:18:22 | M2(...) | normal |
 | MultiImplementationA.cs:18:21:18:21 | 0 | MultiImplementationA.cs:18:21:18:21 | 0 | normal |
+| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationA.cs:20:12:20:13 | call to constructor Object | normal |
 | MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationA.cs:20:24:20:28 | ... = ... | normal |
 | MultiImplementationA.cs:20:24:20:24 | access to field F | MultiImplementationA.cs:20:24:20:24 | this access | normal |
 | MultiImplementationA.cs:20:24:20:24 | this access | MultiImplementationA.cs:20:24:20:24 | this access | normal |
@@ -2741,6 +2745,7 @@
 | MultiImplementationB.cs:16:9:16:31 | M2(...) | MultiImplementationB.cs:16:9:16:31 | M2(...) | normal |
 | MultiImplementationB.cs:16:21:16:30 | throw ... | MultiImplementationB.cs:16:21:16:30 | throw ... | throw(NullReferenceException) |
 | MultiImplementationB.cs:16:27:16:30 | null | MultiImplementationB.cs:16:27:16:30 | null | normal |
+| MultiImplementationB.cs:18:12:18:13 | call to constructor Object | MultiImplementationB.cs:18:12:18:13 | call to constructor Object | normal |
 | MultiImplementationB.cs:18:22:18:36 | {...} | MultiImplementationB.cs:18:24:18:34 | throw ...; | throw(NullReferenceException) |
 | MultiImplementationB.cs:18:24:18:34 | throw ...; | MultiImplementationB.cs:18:24:18:34 | throw ...; | throw(NullReferenceException) |
 | MultiImplementationB.cs:18:30:18:33 | null | MultiImplementationB.cs:18:30:18:33 | null | normal |
@@ -3868,6 +3873,7 @@
 | cflow.cs:127:68:127:80 | ... = ... | cflow.cs:127:68:127:80 | ... = ... | normal |
 | cflow.cs:127:68:127:81 | ...; | cflow.cs:127:68:127:80 | ... = ... | normal |
 | cflow.cs:127:76:127:80 | access to parameter value | cflow.cs:127:76:127:80 | access to parameter value | normal |
+| cflow.cs:129:5:129:15 | call to constructor Object | cflow.cs:129:5:129:15 | call to constructor Object | normal |
 | cflow.cs:130:5:132:5 | {...} | cflow.cs:131:9:131:17 | ... = ... | normal |
 | cflow.cs:131:9:131:13 | access to field Field | cflow.cs:131:9:131:13 | this access | normal |
 | cflow.cs:131:9:131:13 | this access | cflow.cs:131:9:131:13 | this access | normal |
@@ -4272,6 +4278,7 @@
 | cflow.cs:291:38:291:38 | access to parameter f | cflow.cs:291:38:291:38 | access to parameter f | normal |
 | cflow.cs:291:38:291:41 | delegate call | cflow.cs:291:38:291:41 | delegate call | normal |
 | cflow.cs:291:40:291:40 | 0 | cflow.cs:291:40:291:40 | 0 | normal |
+| cflow.cs:296:5:296:25 | call to constructor Object | cflow.cs:296:5:296:25 | call to constructor Object | normal |
 | cflow.cs:296:52:296:54 | {...} | cflow.cs:296:52:296:54 | {...} | normal |
 | cflow.cs:299:5:301:5 | {...} | cflow.cs:300:9:300:72 | object creation of type NegationInConstructor | normal |
 | cflow.cs:300:9:300:72 | object creation of type NegationInConstructor | cflow.cs:300:9:300:72 | object creation of type NegationInConstructor | normal |
diff --git a/csharp/ql/test/library-tests/controlflow/graph/NodeGraph.expected b/csharp/ql/test/library-tests/controlflow/graph/NodeGraph.expected
index 4ee65369ce6..c39b233b314 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/NodeGraph.expected
+++ b/csharp/ql/test/library-tests/controlflow/graph/NodeGraph.expected
@@ -2792,10 +2792,12 @@
 | Initializers.cs:6:27:6:31 | ... + ... | Initializers.cs:6:9:6:9 | access to property G | semmle.label | successor |
 | Initializers.cs:6:31:6:31 | 2 | Initializers.cs:6:27:6:31 | ... + ... | semmle.label | successor |
 | Initializers.cs:6:31:6:31 | 2 | Initializers.cs:6:27:6:31 | ... + ... | semmle.label | successor |
-| Initializers.cs:8:5:8:16 | enter Initializers | Initializers.cs:5:9:5:9 | this access | semmle.label | successor |
+| Initializers.cs:8:5:8:16 | call to constructor Object | Initializers.cs:5:9:5:9 | this access | semmle.label | successor |
+| Initializers.cs:8:5:8:16 | enter Initializers | Initializers.cs:8:5:8:16 | call to constructor Object | semmle.label | successor |
 | Initializers.cs:8:5:8:16 | exit Initializers (normal) | Initializers.cs:8:5:8:16 | exit Initializers | semmle.label | successor |
 | Initializers.cs:8:20:8:22 | {...} | Initializers.cs:8:5:8:16 | exit Initializers (normal) | semmle.label | successor |
-| Initializers.cs:10:5:10:16 | enter Initializers | Initializers.cs:5:9:5:9 | this access | semmle.label | successor |
+| Initializers.cs:10:5:10:16 | call to constructor Object | Initializers.cs:5:9:5:9 | this access | semmle.label | successor |
+| Initializers.cs:10:5:10:16 | enter Initializers | Initializers.cs:10:5:10:16 | call to constructor Object | semmle.label | successor |
 | Initializers.cs:10:5:10:16 | exit Initializers (normal) | Initializers.cs:10:5:10:16 | exit Initializers | semmle.label | successor |
 | Initializers.cs:10:28:10:30 | {...} | Initializers.cs:10:5:10:16 | exit Initializers (normal) | semmle.label | successor |
 | Initializers.cs:12:10:12:10 | enter M | Initializers.cs:13:5:16:5 | {...} | semmle.label | successor |
@@ -2823,16 +2825,10 @@
 | Initializers.cs:20:11:20:23 | enter NoConstructor | Initializers.cs:22:23:22:23 | this access | semmle.label | successor |
 | Initializers.cs:20:11:20:23 | exit NoConstructor (normal) | Initializers.cs:20:11:20:23 | exit NoConstructor | semmle.label | successor |
 | Initializers.cs:22:23:22:23 | this access | Initializers.cs:22:27:22:27 | 0 | semmle.label | successor |
-| Initializers.cs:22:23:22:23 | this access | Initializers.cs:22:27:22:27 | 0 | semmle.label | successor |
-| Initializers.cs:22:23:22:27 | ... = ... | Initializers.cs:23:23:23:23 | this access | semmle.label | successor |
 | Initializers.cs:22:23:22:27 | ... = ... | Initializers.cs:23:23:23:23 | this access | semmle.label | successor |
 | Initializers.cs:22:27:22:27 | 0 | Initializers.cs:22:23:22:27 | ... = ... | semmle.label | successor |
-| Initializers.cs:22:27:22:27 | 0 | Initializers.cs:22:23:22:27 | ... = ... | semmle.label | successor |
-| Initializers.cs:23:23:23:23 | this access | Initializers.cs:23:27:23:27 | 1 | semmle.label | successor |
 | Initializers.cs:23:23:23:23 | this access | Initializers.cs:23:27:23:27 | 1 | semmle.label | successor |
 | Initializers.cs:23:23:23:27 | ... = ... | Initializers.cs:20:11:20:23 | exit NoConstructor (normal) | semmle.label | successor |
-| Initializers.cs:23:23:23:27 | ... = ... | Initializers.cs:28:13:28:13 | this access | semmle.label | successor |
-| Initializers.cs:23:27:23:27 | 1 | Initializers.cs:23:23:23:27 | ... = ... | semmle.label | successor |
 | Initializers.cs:23:27:23:27 | 1 | Initializers.cs:23:23:23:27 | ... = ... | semmle.label | successor |
 | Initializers.cs:28:13:28:13 | this access | Initializers.cs:28:17:28:17 | 2 | semmle.label | successor |
 | Initializers.cs:28:13:28:13 | this access | Initializers.cs:28:17:28:17 | 2 | semmle.label | successor |
@@ -2856,7 +2852,8 @@
 | Initializers.cs:33:31:33:35 | ... = ... | Initializers.cs:33:9:33:11 | exit Sub (normal) | semmle.label | successor |
 | Initializers.cs:33:31:33:36 | ...; | Initializers.cs:33:31:33:31 | this access | semmle.label | successor |
 | Initializers.cs:33:35:33:35 | access to parameter i | Initializers.cs:33:31:33:35 | ... = ... | semmle.label | successor |
-| Initializers.cs:35:9:35:11 | enter Sub | Initializers.cs:22:23:22:23 | this access | semmle.label | successor |
+| Initializers.cs:35:9:35:11 | call to constructor NoConstructor | Initializers.cs:28:13:28:13 | this access | semmle.label | successor |
+| Initializers.cs:35:9:35:11 | enter Sub | Initializers.cs:35:9:35:11 | call to constructor NoConstructor | semmle.label | successor |
 | Initializers.cs:35:9:35:11 | exit Sub (normal) | Initializers.cs:35:9:35:11 | exit Sub | semmle.label | successor |
 | Initializers.cs:35:27:35:40 | {...} | Initializers.cs:35:29:35:38 | ...; | semmle.label | successor |
 | Initializers.cs:35:29:35:29 | this access | Initializers.cs:35:33:35:33 | access to parameter i | semmle.label | successor |
@@ -3253,8 +3250,10 @@
 | MultiImplementationA.cs:18:9:18:22 | enter M2 | MultiImplementationA.cs:18:21:18:21 | 0 | semmle.label | successor |
 | MultiImplementationA.cs:18:9:18:22 | exit M2 (normal) | MultiImplementationA.cs:18:9:18:22 | exit M2 | semmle.label | successor |
 | MultiImplementationA.cs:18:21:18:21 | 0 | MultiImplementationA.cs:18:9:18:22 | exit M2 (normal) | semmle.label | successor |
-| MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:13:16:13:16 | this access | semmle.label | successor |
-| MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:11:16:11:16 | this access | semmle.label | successor |
+| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationA.cs:13:16:13:16 | this access | semmle.label | successor |
+| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationB.cs:11:16:11:16 | this access | semmle.label | successor |
+| MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | call to constructor Object | semmle.label | successor |
+| MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | call to constructor Object | semmle.label | successor |
 | MultiImplementationA.cs:20:12:20:13 | exit C2 (abnormal) | MultiImplementationA.cs:20:12:20:13 | exit C2 | semmle.label | successor |
 | MultiImplementationA.cs:20:12:20:13 | exit C2 (abnormal) | MultiImplementationB.cs:18:12:18:13 | exit C2 | semmle.label | successor |
 | MultiImplementationA.cs:20:12:20:13 | exit C2 (normal) | MultiImplementationA.cs:20:12:20:13 | exit C2 | semmle.label | successor |
@@ -3394,8 +3393,10 @@
 | MultiImplementationB.cs:16:9:16:31 | exit M2 (abnormal) | MultiImplementationB.cs:16:9:16:31 | exit M2 | semmle.label | successor |
 | MultiImplementationB.cs:16:21:16:30 | throw ... | MultiImplementationB.cs:16:9:16:31 | exit M2 (abnormal) | semmle.label | exception(NullReferenceException) |
 | MultiImplementationB.cs:16:27:16:30 | null | MultiImplementationB.cs:16:21:16:30 | throw ... | semmle.label | successor |
-| MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:13:16:13:16 | this access | semmle.label | successor |
-| MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:11:16:11:16 | this access | semmle.label | successor |
+| MultiImplementationB.cs:18:12:18:13 | call to constructor Object | MultiImplementationA.cs:13:16:13:16 | this access | semmle.label | successor |
+| MultiImplementationB.cs:18:12:18:13 | call to constructor Object | MultiImplementationB.cs:11:16:11:16 | this access | semmle.label | successor |
+| MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | call to constructor Object | semmle.label | successor |
+| MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | call to constructor Object | semmle.label | successor |
 | MultiImplementationB.cs:18:12:18:13 | exit C2 (abnormal) | MultiImplementationA.cs:20:12:20:13 | exit C2 | semmle.label | successor |
 | MultiImplementationB.cs:18:12:18:13 | exit C2 (abnormal) | MultiImplementationB.cs:18:12:18:13 | exit C2 | semmle.label | successor |
 | MultiImplementationB.cs:18:12:18:13 | exit C2 (normal) | MultiImplementationA.cs:20:12:20:13 | exit C2 | semmle.label | successor |
@@ -4501,7 +4502,8 @@
 | cflow.cs:127:68:127:80 | ... = ... | cflow.cs:127:62:127:64 | exit set_Prop (normal) | semmle.label | successor |
 | cflow.cs:127:68:127:81 | ...; | cflow.cs:127:68:127:72 | this access | semmle.label | successor |
 | cflow.cs:127:76:127:80 | access to parameter value | cflow.cs:127:68:127:80 | ... = ... | semmle.label | successor |
-| cflow.cs:129:5:129:15 | enter ControlFlow | cflow.cs:130:5:132:5 | {...} | semmle.label | successor |
+| cflow.cs:129:5:129:15 | call to constructor Object | cflow.cs:130:5:132:5 | {...} | semmle.label | successor |
+| cflow.cs:129:5:129:15 | enter ControlFlow | cflow.cs:129:5:129:15 | call to constructor Object | semmle.label | successor |
 | cflow.cs:129:5:129:15 | exit ControlFlow (normal) | cflow.cs:129:5:129:15 | exit ControlFlow | semmle.label | successor |
 | cflow.cs:130:5:132:5 | {...} | cflow.cs:131:9:131:18 | ...; | semmle.label | successor |
 | cflow.cs:131:9:131:13 | this access | cflow.cs:131:17:131:17 | access to parameter s | semmle.label | successor |
@@ -4894,7 +4896,8 @@
 | cflow.cs:291:38:291:38 | access to parameter f | cflow.cs:291:40:291:40 | 0 | semmle.label | successor |
 | cflow.cs:291:38:291:41 | delegate call | cflow.cs:291:12:291:12 | exit M (normal) | semmle.label | successor |
 | cflow.cs:291:40:291:40 | 0 | cflow.cs:291:38:291:41 | delegate call | semmle.label | successor |
-| cflow.cs:296:5:296:25 | enter NegationInConstructor | cflow.cs:296:52:296:54 | {...} | semmle.label | successor |
+| cflow.cs:296:5:296:25 | call to constructor Object | cflow.cs:296:52:296:54 | {...} | semmle.label | successor |
+| cflow.cs:296:5:296:25 | enter NegationInConstructor | cflow.cs:296:5:296:25 | call to constructor Object | semmle.label | successor |
 | cflow.cs:296:5:296:25 | exit NegationInConstructor (normal) | cflow.cs:296:5:296:25 | exit NegationInConstructor | semmle.label | successor |
 | cflow.cs:296:52:296:54 | {...} | cflow.cs:296:5:296:25 | exit NegationInConstructor (normal) | semmle.label | successor |
 | cflow.cs:298:10:298:10 | enter M | cflow.cs:299:5:301:5 | {...} | semmle.label | successor |
diff --git a/csharp/ql/test/library-tests/controlflow/graph/Nodes.expected b/csharp/ql/test/library-tests/controlflow/graph/Nodes.expected
index 9085e248d03..b58f1a57cc7 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/Nodes.expected
+++ b/csharp/ql/test/library-tests/controlflow/graph/Nodes.expected
@@ -1137,13 +1137,13 @@ entryPoint
 | Foreach.cs:24:10:24:11 | M4 | Foreach.cs:25:5:28:5 | {...} |
 | Foreach.cs:30:10:30:11 | M5 | Foreach.cs:31:5:34:5 | {...} |
 | Foreach.cs:36:10:36:11 | M6 | Foreach.cs:37:5:40:5 | {...} |
-| Initializers.cs:8:5:8:16 | Initializers | Initializers.cs:5:9:5:9 | this access |
-| Initializers.cs:10:5:10:16 | Initializers | Initializers.cs:5:9:5:9 | this access |
+| Initializers.cs:8:5:8:16 | Initializers | Initializers.cs:8:5:8:16 | call to constructor Object |
+| Initializers.cs:10:5:10:16 | Initializers | Initializers.cs:10:5:10:16 | call to constructor Object |
 | Initializers.cs:12:10:12:10 | M | Initializers.cs:13:5:16:5 | {...} |
 | Initializers.cs:20:11:20:23 | NoConstructor | Initializers.cs:22:23:22:23 | this access |
 | Initializers.cs:31:9:31:11 | Sub | Initializers.cs:31:17:31:20 | call to constructor NoConstructor |
 | Initializers.cs:33:9:33:11 | Sub | Initializers.cs:33:22:33:25 | call to constructor Sub |
-| Initializers.cs:35:9:35:11 | Sub | Initializers.cs:22:23:22:23 | this access |
+| Initializers.cs:35:9:35:11 | Sub | Initializers.cs:35:9:35:11 | call to constructor NoConstructor |
 | Initializers.cs:51:10:51:13 | Test | Initializers.cs:52:5:66:5 | {...} |
 | LoopUnrolling.cs:7:10:7:11 | M1 | LoopUnrolling.cs:8:5:13:5 | {...} |
 | LoopUnrolling.cs:15:10:15:11 | M2 | LoopUnrolling.cs:16:5:20:5 | {...} |
@@ -1173,8 +1173,8 @@ entryPoint
 | MultiImplementationA.cs:16:17:16:18 | M1 | MultiImplementationA.cs:17:5:19:5 | {...} |
 | MultiImplementationA.cs:16:17:16:18 | M1 | MultiImplementationB.cs:15:5:17:5 | {...} |
 | MultiImplementationA.cs:18:9:18:22 | M2 | MultiImplementationA.cs:18:21:18:21 | 0 |
-| MultiImplementationA.cs:20:12:20:13 | C2 | MultiImplementationA.cs:13:16:13:16 | this access |
-| MultiImplementationA.cs:20:12:20:13 | C2 | MultiImplementationB.cs:11:16:11:16 | this access |
+| MultiImplementationA.cs:20:12:20:13 | C2 | MultiImplementationA.cs:20:12:20:13 | call to constructor Object |
+| MultiImplementationA.cs:20:12:20:13 | C2 | MultiImplementationB.cs:18:12:18:13 | call to constructor Object |
 | MultiImplementationA.cs:21:12:21:13 | C2 | MultiImplementationA.cs:21:24:21:24 | 0 |
 | MultiImplementationA.cs:21:12:21:13 | C2 | MultiImplementationB.cs:19:24:19:24 | 1 |
 | MultiImplementationA.cs:22:6:22:7 | ~C2 | MultiImplementationA.cs:22:11:22:13 | {...} |
@@ -1202,8 +1202,8 @@ entryPoint
 | MultiImplementationB.cs:14:17:14:18 | M1 | MultiImplementationA.cs:17:5:19:5 | {...} |
 | MultiImplementationB.cs:14:17:14:18 | M1 | MultiImplementationB.cs:15:5:17:5 | {...} |
 | MultiImplementationB.cs:16:9:16:31 | M2 | MultiImplementationB.cs:16:27:16:30 | null |
-| MultiImplementationB.cs:18:12:18:13 | C2 | MultiImplementationA.cs:13:16:13:16 | this access |
-| MultiImplementationB.cs:18:12:18:13 | C2 | MultiImplementationB.cs:11:16:11:16 | this access |
+| MultiImplementationB.cs:18:12:18:13 | C2 | MultiImplementationA.cs:20:12:20:13 | call to constructor Object |
+| MultiImplementationB.cs:18:12:18:13 | C2 | MultiImplementationB.cs:18:12:18:13 | call to constructor Object |
 | MultiImplementationB.cs:19:12:19:13 | C2 | MultiImplementationA.cs:21:24:21:24 | 0 |
 | MultiImplementationB.cs:19:12:19:13 | C2 | MultiImplementationB.cs:19:24:19:24 | 1 |
 | MultiImplementationB.cs:20:6:20:7 | ~C2 | MultiImplementationA.cs:22:11:22:13 | {...} |
@@ -1265,7 +1265,7 @@ entryPoint
 | cflow.cs:119:20:119:21 | M5 | cflow.cs:120:5:124:5 | {...} |
 | cflow.cs:127:19:127:21 | get_Prop | cflow.cs:127:23:127:60 | {...} |
 | cflow.cs:127:62:127:64 | set_Prop | cflow.cs:127:66:127:83 | {...} |
-| cflow.cs:129:5:129:15 | ControlFlow | cflow.cs:130:5:132:5 | {...} |
+| cflow.cs:129:5:129:15 | ControlFlow | cflow.cs:129:5:129:15 | call to constructor Object |
 | cflow.cs:134:5:134:15 | ControlFlow | cflow.cs:134:31:134:31 | access to parameter i |
 | cflow.cs:136:12:136:22 | ControlFlow | cflow.cs:136:33:136:33 | 0 |
 | cflow.cs:138:40:138:40 | + | cflow.cs:139:5:142:5 | {...} |
@@ -1285,5 +1285,5 @@ entryPoint
 | cflow.cs:284:5:284:18 | ControlFlowSub | cflow.cs:284:32:284:35 | call to constructor ControlFlowSub |
 | cflow.cs:286:5:286:18 | ControlFlowSub | cflow.cs:286:34:286:34 | access to parameter i |
 | cflow.cs:291:12:291:12 | M | cflow.cs:291:38:291:38 | access to parameter f |
-| cflow.cs:296:5:296:25 | NegationInConstructor | cflow.cs:296:52:296:54 | {...} |
+| cflow.cs:296:5:296:25 | NegationInConstructor | cflow.cs:296:5:296:25 | call to constructor Object |
 | cflow.cs:298:10:298:10 | M | cflow.cs:299:5:301:5 | {...} |

From e813257431654f2b39eed2d9c972b000d1dd48f3 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Thu, 29 Apr 2021 21:23:52 +0800
Subject: [PATCH 0784/1429] use hardCode

---
 .../CWE/CWE-348/UseOfLessTrustedSource.java   |  8 ++++++
 .../CWE/CWE-348/UseOfLessTrustedSource.qhelp  |  2 +-
 .../CWE/CWE-348/UseOfLessTrustedSource.ql     |  2 --
 .../CWE/CWE-348/UseOfLessTrustedSourceLib.qll | 25 +++++++++----------
 .../CWE-348/UseOfLessTrustedSource.expected   | 15 +++++++----
 .../CWE-348/UseOfLessTrustedSource.java       |  8 ++++++
 6 files changed, 39 insertions(+), 21 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java
index 35a66dc2731..689246340da 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java
@@ -19,6 +19,14 @@ public class UseOfLessTrustedSource {
         }
     }
 
+    @GetMapping(value = "bad2")
+    public void bad2(HttpServletRequest request) {
+        String ip = getClientIP();
+        if (!"127.0.0.1".equals(ip)) {
+            new Exception("ip illegal");
+        }
+    }
+
     @GetMapping(value = "good1")
     @ResponseBody
     public String good1(HttpServletRequest request) {
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
index 6d5404a2683..5e43b9b1cfe 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
@@ -16,7 +16,7 @@ bypass a ban-list, for example.</p>
 <example>
 
 <p>The following examples show the bad case and the good case respectively.
-In the <code>bad1</code> method, the client ip the <code>X-Forwarded-For</code> is split into comma-separated values, but the less-trustworthy first one is used. Both of these examples could be deceived by providing a forged HTTP header. The method
+In <code>bad1</code> method and <code>bad2</code> method, the client ip the <code>X-Forwarded-For</code> is split into comma-separated values, but the less-trustworthy first one is used. Both of these examples could be deceived by providing a forged HTTP header. The method
 <code>good1</code> similarly splits an <code>X-Forwarded-For</code> value, but uses the last, more-trustworthy entry.</p>
 
 <sample src="UseOfLessTrustedSource.java" />
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
index 3e25dba427c..14ae3444263 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
@@ -36,8 +36,6 @@ class UseOfLessTrustedSourceConfig extends TaintTracking::Configuration {
       not aa.getIndexExpr().(CompileTimeConstantExpr).getIntValue() = 0
     )
     or
-    node.getType().hasName("Object")
-    or
     node.getType() instanceof PrimitiveType
     or
     node.getType() instanceof BoxedType
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
index 1639d1c82d1..708460cdaa1 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
@@ -1,5 +1,6 @@
 import java
 import DataFlow
+import semmle.code.java.frameworks.Networking
 import semmle.code.java.security.QueryInjection
 import experimental.semmle.code.java.Logging
 
@@ -40,14 +41,10 @@ private class CompareSink extends UseOfLessTrustedSink {
       ma.getMethod().getNumberOfParameters() = 1 and
       (
         ma.getArgument(0) = this.asExpr() and
-        not ma.getQualifier().(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
-            "", "unknown", ":"
-          ]
+        ma.getQualifier().(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName
         or
         ma.getQualifier() = this.asExpr() and
-        not ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
-            "", "unknown", ":"
-          ]
+        ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName
       )
     )
     or
@@ -56,9 +53,10 @@ private class CompareSink extends UseOfLessTrustedSink {
       ma.getMethod().getDeclaringType() instanceof TypeString and
       ma.getMethod().getNumberOfParameters() = 1 and
       ma.getQualifier() = this.asExpr() and
-      not ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
-          "", "unknown"
-        ]
+      ma.getAnArgument()
+          .(CompileTimeConstantExpr)
+          .getStringValue()
+          .regexpMatch("^((10\\.((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?)|(192\\.168\\.)|172\\.(1[6789]|2[0-9]|3[01])\\.)((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)$")
     )
     or
     exists(MethodAccess ma |
@@ -68,7 +66,10 @@ private class CompareSink extends UseOfLessTrustedSink {
           .hasQualifiedName(["org.apache.commons.lang3", "org.apache.commons.lang"], "StringUtils") and
       ma.getMethod().getNumberOfParameters() = 2 and
       ma.getAnArgument() = this.asExpr() and
-      ma.getAnArgument().(CompileTimeConstantExpr).getStringValue() != ""
+      ma.getAnArgument()
+          .(CompileTimeConstantExpr)
+          .getStringValue()
+          .regexpMatch("^((10\\.((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?)|(192\\.168\\.)|172\\.(1[6789]|2[0-9]|3[01])\\.)((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)$")
     )
     or
     exists(MethodAccess ma |
@@ -78,9 +79,7 @@ private class CompareSink extends UseOfLessTrustedSink {
           .hasQualifiedName(["org.apache.commons.lang3", "org.apache.commons.lang"], "StringUtils") and
       ma.getMethod().getNumberOfParameters() = 2 and
       ma.getAnArgument() = this.asExpr() and
-      not ma.getAnArgument().(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
-          "", "unknown", ":"
-        ]
+      ma.getAnArgument().(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName
     )
   }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected
index df238e4c0a3..ff9cbc24a20 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected
@@ -1,11 +1,16 @@
 edges
 | UseOfLessTrustedSource.java:16:21:16:33 | getClientIP(...) : String | UseOfLessTrustedSource.java:17:37:17:38 | ip |
-| UseOfLessTrustedSource.java:37:27:37:62 | getHeader(...) : String | UseOfLessTrustedSource.java:41:16:41:37 | ...[...] : String |
-| UseOfLessTrustedSource.java:41:16:41:37 | ...[...] : String | UseOfLessTrustedSource.java:16:21:16:33 | getClientIP(...) : String |
+| UseOfLessTrustedSource.java:24:21:24:33 | getClientIP(...) : String | UseOfLessTrustedSource.java:25:33:25:34 | ip |
+| UseOfLessTrustedSource.java:45:27:45:62 | getHeader(...) : String | UseOfLessTrustedSource.java:49:16:49:37 | ...[...] : String |
+| UseOfLessTrustedSource.java:49:16:49:37 | ...[...] : String | UseOfLessTrustedSource.java:16:21:16:33 | getClientIP(...) : String |
+| UseOfLessTrustedSource.java:49:16:49:37 | ...[...] : String | UseOfLessTrustedSource.java:24:21:24:33 | getClientIP(...) : String |
 nodes
 | UseOfLessTrustedSource.java:16:21:16:33 | getClientIP(...) : String | semmle.label | getClientIP(...) : String |
 | UseOfLessTrustedSource.java:17:37:17:38 | ip | semmle.label | ip |
-| UseOfLessTrustedSource.java:37:27:37:62 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| UseOfLessTrustedSource.java:41:16:41:37 | ...[...] : String | semmle.label | ...[...] : String |
+| UseOfLessTrustedSource.java:24:21:24:33 | getClientIP(...) : String | semmle.label | getClientIP(...) : String |
+| UseOfLessTrustedSource.java:25:33:25:34 | ip | semmle.label | ip |
+| UseOfLessTrustedSource.java:45:27:45:62 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| UseOfLessTrustedSource.java:49:16:49:37 | ...[...] : String | semmle.label | ...[...] : String |
 #select
-| UseOfLessTrustedSource.java:17:37:17:38 | ip | UseOfLessTrustedSource.java:37:27:37:62 | getHeader(...) : String | UseOfLessTrustedSource.java:17:37:17:38 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:37:27:37:62 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:17:37:17:38 | ip | UseOfLessTrustedSource.java:45:27:45:62 | getHeader(...) : String | UseOfLessTrustedSource.java:17:37:17:38 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:45:27:45:62 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:25:33:25:34 | ip | UseOfLessTrustedSource.java:45:27:45:62 | getHeader(...) : String | UseOfLessTrustedSource.java:25:33:25:34 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:45:27:45:62 | getHeader(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java
index 35a66dc2731..689246340da 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java
@@ -19,6 +19,14 @@ public class UseOfLessTrustedSource {
         }
     }
 
+    @GetMapping(value = "bad2")
+    public void bad2(HttpServletRequest request) {
+        String ip = getClientIP();
+        if (!"127.0.0.1".equals(ip)) {
+            new Exception("ip illegal");
+        }
+    }
+
     @GetMapping(value = "good1")
     @ResponseBody
     public String good1(HttpServletRequest request) {

From bd4b1893733ccdff3bc4ef564d03a15400e9b00b Mon Sep 17 00:00:00 2001
From: Jorge <46056498+jorgectf@users.noreply.github.com>
Date: Thu, 29 Apr 2021 16:26:28 +0200
Subject: [PATCH 0785/1429] Polish documentation consistency

Co-authored-by: yoff <lerchedahl@gmail.com>
---
 python/ql/src/experimental/semmle/python/Concepts.qll | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index e11e21da914..0661ebc5890 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -36,7 +36,7 @@ module RegexExecution {
 }
 
 /**
- * A data-flow node that collect methods immediately executing an expression.
+ * A data-flow node that executes a regular expression.
  *
  * Extend this class to refine existing API models. If you want to model new APIs,
  * extend `RegexExecution::Range` instead.
@@ -54,7 +54,7 @@ class RegexExecution extends DataFlow::Node {
 /** Provides classes for modeling Regular Expression escape-related APIs. */
 module RegexEscape {
   /**
-   * A data-flow node that collects functions escaping regular expressions.
+   * A data-flow node that escapes a regular expression.
    *
    * Extend this class to model new APIs. If you want to refine existing API models,
    * extend `RegexEscape` instead.
@@ -68,7 +68,7 @@ module RegexEscape {
 }
 
 /**
- * A data-flow node that collects functions escaping regular expressions.
+ * A data-flow node that escapes a regular expression.
  *
  * Extend this class to refine existing API models. If you want to model new APIs,
  * extend `RegexEscape::Range` instead.

From 08731fc6cf4ba6951cd4e8f239eac1f3388d3957 Mon Sep 17 00:00:00 2001
From: intrigus <abc123zeus@live.de>
Date: Thu, 29 Apr 2021 20:26:34 +0200
Subject: [PATCH 0786/1429] Fix typo.

---
 .../semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll    | 2 +-
 .../src/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll   | 2 +-
 .../semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll | 2 +-
 .../semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll    | 2 +-
 .../semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll | 2 +-
 .../semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll    | 2 +-
 .../semmle/code/java/dataflow/internal/DataFlowImplCommon.qll   | 2 +-
 .../src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll  | 2 +-
 .../semmle/python/dataflow/new/internal/DataFlowImplCommon.qll  | 2 +-
 .../src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
index a51c20c2288..966c30038cc 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
@@ -31,7 +31,7 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  * currently excludes read-steps, store-steps, and flow-through.
  *
  * The analysis uses non-linear recursion: When computing a flow path in or out
- * of a call, we use the results of the analysis recursively to resolve lamba
+ * of a call, we use the results of the analysis recursively to resolve lambda
  * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
  */
 private module LambdaFlow {
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
index 835e6c46451..cb0ae4490f8 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowPrivate.qll
@@ -321,5 +321,5 @@ predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c)
 /** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
 predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { none() }
 
-/** Extra data-flow steps needed for lamba flow analysis. */
+/** Extra data-flow steps needed for lambda flow analysis. */
 predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
index a51c20c2288..966c30038cc 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
@@ -31,7 +31,7 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  * currently excludes read-steps, store-steps, and flow-through.
  *
  * The analysis uses non-linear recursion: When computing a flow path in or out
- * of a call, we use the results of the analysis recursively to resolve lamba
+ * of a call, we use the results of the analysis recursively to resolve lambda
  * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
  */
 private module LambdaFlow {
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
index 3b94e574de0..43b82f4d517 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -557,5 +557,5 @@ predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c)
 /** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
 predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { none() }
 
-/** Extra data-flow steps needed for lamba flow analysis. */
+/** Extra data-flow steps needed for lambda flow analysis. */
 predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
index a51c20c2288..966c30038cc 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
@@ -31,7 +31,7 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  * currently excludes read-steps, store-steps, and flow-through.
  *
  * The analysis uses non-linear recursion: When computing a flow path in or out
- * of a call, we use the results of the analysis recursively to resolve lamba
+ * of a call, we use the results of the analysis recursively to resolve lambda
  * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
  */
 private module LambdaFlow {
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
index f42410ca3a5..97a8406a21e 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -1999,7 +1999,7 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
   kind = TMkUnit()
 }
 
-/** Extra data-flow steps needed for lamba flow analysis. */
+/** Extra data-flow steps needed for lambda flow analysis. */
 predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) {
   exists(Ssa::Definition def |
     LocalFlow::localSsaFlowStep(def, nodeFrom, nodeTo) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll
index a51c20c2288..966c30038cc 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll
@@ -31,7 +31,7 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  * currently excludes read-steps, store-steps, and flow-through.
  *
  * The analysis uses non-linear recursion: When computing a flow path in or out
- * of a call, we use the results of the analysis recursively to resolve lamba
+ * of a call, we use the results of the analysis recursively to resolve lambda
  * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
  */
 private module LambdaFlow {
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
index 23d84c10c9f..2e22b7e1963 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
@@ -325,5 +325,5 @@ predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c)
 /** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
 predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { none() }
 
-/** Extra data-flow steps needed for lamba flow analysis. */
+/** Extra data-flow steps needed for lambda flow analysis. */
 predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
index a51c20c2288..966c30038cc 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
@@ -31,7 +31,7 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  * currently excludes read-steps, store-steps, and flow-through.
  *
  * The analysis uses non-linear recursion: When computing a flow path in or out
- * of a call, we use the results of the analysis recursively to resolve lamba
+ * of a call, we use the results of the analysis recursively to resolve lambda
  * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
  */
 private module LambdaFlow {
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
index 9b0a8267270..82c1751bb07 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
@@ -1617,5 +1617,5 @@ predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c)
 /** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
 predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { none() }
 
-/** Extra data-flow steps needed for lamba flow analysis. */
+/** Extra data-flow steps needed for lambda flow analysis. */
 predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }

From 711a74c9c9a4fc2a0e925f09617f3c0fad9c3699 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Fri, 30 Apr 2021 10:31:40 +0800
Subject: [PATCH 0787/1429] Eliminate false positives\

---
 .../Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll   | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
index 708460cdaa1..807ebd013d7 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
@@ -41,10 +41,12 @@ private class CompareSink extends UseOfLessTrustedSink {
       ma.getMethod().getNumberOfParameters() = 1 and
       (
         ma.getArgument(0) = this.asExpr() and
-        ma.getQualifier().(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName
+        ma.getQualifier().(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName and
+        not ma.getQualifier().(CompileTimeConstantExpr).getStringValue() = "0:0:0:0:0:0:0:1"
         or
         ma.getQualifier() = this.asExpr() and
-        ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName
+        ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName and
+        not ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "0:0:0:0:0:0:0:1"
       )
     )
     or
@@ -79,7 +81,8 @@ private class CompareSink extends UseOfLessTrustedSink {
           .hasQualifiedName(["org.apache.commons.lang3", "org.apache.commons.lang"], "StringUtils") and
       ma.getMethod().getNumberOfParameters() = 2 and
       ma.getAnArgument() = this.asExpr() and
-      ma.getAnArgument().(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName
+      ma.getAnArgument().(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName and
+      not ma.getAnArgument().(CompileTimeConstantExpr).getStringValue() = "0:0:0:0:0:0:0:1"
     )
   }
 }

From 8142810455cf4266e6b4266053daa8908ded3f79 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Fri, 30 Apr 2021 16:54:28 +0800
Subject: [PATCH 0788/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
index 5e43b9b1cfe..61848f111ad 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
@@ -4,7 +4,7 @@
 <qhelp>
 <overview>
 <p>An original client IP address is retrieved from an http header (<code>X-Forwarded-For</code> or <code>X-Real-IP</code> or <code>Proxy-Client-IP</code> 
-etc.), which is used to ensure security or track it in the log for statistical or other reasons. Attackers can forge the value of these identifiers to
+etc.), which is used to ensure security. Attackers can forge the value of these identifiers to
 bypass a ban-list, for example.</p>
 
 </overview>

From 0691cac5ab2429644cfc84d5acced219f7ed6a99 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Fri, 30 Apr 2021 16:54:41 +0800
Subject: [PATCH 0789/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
index 807ebd013d7..04df6aa5dd6 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
@@ -58,7 +58,7 @@ private class CompareSink extends UseOfLessTrustedSink {
       ma.getAnArgument()
           .(CompileTimeConstantExpr)
           .getStringValue()
-          .regexpMatch("^((10\\.((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?)|(192\\.168\\.)|172\\.(1[6789]|2[0-9]|3[01])\\.)((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)$")
+          .regexpMatch("^((10\\.((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?)|(192\\.168\\.)|172\\.(1[6789]|2[0-9]|3[01])\\.)((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)$") // Matches IP-address-like strings
     )
     or
     exists(MethodAccess ma |

From f41301f8f58f48ebb2663deae3108a12ed738936 Mon Sep 17 00:00:00 2001
From: haby0 <Ha_yub@163.com>
Date: Fri, 30 Apr 2021 16:55:17 +0800
Subject: [PATCH 0790/1429] Update
 java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../CWE/CWE-348/UseOfLessTrustedSource.java      | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java
index 689246340da..ad959cb2dc8 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java
@@ -30,15 +30,13 @@ public class UseOfLessTrustedSource {
     @GetMapping(value = "good1")
     @ResponseBody
     public String good1(HttpServletRequest request) {
-        String remoteAddr = "";
-        if (request != null) {
-            remoteAddr = request.getHeader("X-FORWARDED-FOR");
-            remoteAddr = remoteAddr.split(",")[remoteAddr.split(",").length - 1]; // good
-            if (remoteAddr == null || "".equals(remoteAddr)) {
-                remoteAddr = request.getRemoteAddr();
-            }
+        String ip = request.getHeader("X-FORWARDED-FOR");
+        String[] parts = ip.split(",");
+        // Good: if this application runs behind a reverse proxy it may append the real remote IP to the end of any client-supplied X-Forwarded-For header.
+        ip = parts[parts.length - 1];
+        if (!StringUtils.startsWith(ip, "192.168.")) {
+            new Exception("ip illegal");
         }
-        return remoteAddr;
     }
 
     protected String getClientIP() {
@@ -48,4 +46,4 @@ public class UseOfLessTrustedSource {
         }
         return xfHeader.split(",")[0];
     }
-}
\ No newline at end of file
+}

From fdcc517b9fcb8917775feb5977cb050d4bfc9f94 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Fri, 30 Apr 2021 17:43:34 +0800
Subject: [PATCH 0791/1429] UseOfLessTrustedSource ->
 ClientSuppliedIpUsedInSecurityCheck"

---
 ... ClientSuppliedIpUsedInSecurityCheck.java} |  6 ++---
 ...ClientSuppliedIpUsedInSecurityCheck.qhelp} |  2 +-
 ...=> ClientSuppliedIpUsedInSecurityCheck.ql} | 17 ++++++++-----
 ...lientSuppliedIpUsedInSecurityCheckLib.qll} | 25 +++++++++----------
 ...ientSuppliedIpUsedInSecurityCheck.expected | 16 ++++++++++++
 ... ClientSuppliedIpUsedInSecurityCheck.java} | 18 ++++++-------
 .../ClientSuppliedIpUsedInSecurityCheck.qlref |  1 +
 .../CWE-348/UseOfLessTrustedSource.expected   | 16 ------------
 .../CWE-348/UseOfLessTrustedSource.qlref      |  1 -
 9 files changed, 52 insertions(+), 50 deletions(-)
 rename java/ql/src/experimental/Security/CWE/CWE-348/{UseOfLessTrustedSource.java => ClientSuppliedIpUsedInSecurityCheck.java} (92%)
 rename java/ql/src/experimental/Security/CWE/CWE-348/{UseOfLessTrustedSource.qhelp => ClientSuppliedIpUsedInSecurityCheck.qhelp} (96%)
 rename java/ql/src/experimental/Security/CWE/CWE-348/{UseOfLessTrustedSource.ql => ClientSuppliedIpUsedInSecurityCheck.ql} (69%)
 rename java/ql/src/experimental/Security/CWE/CWE-348/{UseOfLessTrustedSourceLib.qll => ClientSuppliedIpUsedInSecurityCheckLib.qll} (77%)
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected
 rename java/ql/test/experimental/query-tests/security/CWE-348/{UseOfLessTrustedSource.java => ClientSuppliedIpUsedInSecurityCheck.java} (73%)
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.qlref
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.qlref

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.java
similarity index 92%
rename from java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java
rename to java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.java
index ad959cb2dc8..93a860981d1 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.java
@@ -6,7 +6,7 @@ import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
 @Controller
-public class UseOfLessTrustedSource {
+public class ClientSuppliedIpUsedInSecurityCheck {
 
     @Autowired
     private HttpServletRequest request;
@@ -31,12 +31,12 @@ public class UseOfLessTrustedSource {
     @ResponseBody
     public String good1(HttpServletRequest request) {
         String ip = request.getHeader("X-FORWARDED-FOR");
-        String[] parts = ip.split(",");
         // Good: if this application runs behind a reverse proxy it may append the real remote IP to the end of any client-supplied X-Forwarded-For header.
-        ip = parts[parts.length - 1];
+        ip = ip.split(",")[ip.split(",").length - 1];
         if (!StringUtils.startsWith(ip, "192.168.")) {
             new Exception("ip illegal");
         }
+        return ip;
     }
 
     protected String getClientIP() {
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.qhelp
similarity index 96%
rename from java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
rename to java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.qhelp
index 61848f111ad..fd62ab2968b 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.qhelp
@@ -19,7 +19,7 @@ bypass a ban-list, for example.</p>
 In <code>bad1</code> method and <code>bad2</code> method, the client ip the <code>X-Forwarded-For</code> is split into comma-separated values, but the less-trustworthy first one is used. Both of these examples could be deceived by providing a forged HTTP header. The method
 <code>good1</code> similarly splits an <code>X-Forwarded-For</code> value, but uses the last, more-trustworthy entry.</p>
 
-<sample src="UseOfLessTrustedSource.java" />
+<sample src="ClientSuppliedIpUsedInSecurityCheck.java" />
 
 </example>
 <references>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
similarity index 69%
rename from java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
rename to java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
index 14ae3444263..78d8bfee5f0 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
@@ -11,19 +11,23 @@
  */
 
 import java
-import UseOfLessTrustedSourceLib
+import ClientSuppliedIpUsedInSecurityCheckLib
 import semmle.code.java.dataflow.FlowSources
 import DataFlow::PathGraph
 
 /**
  * Taint-tracking configuration tracing flow from obtaining a client ip from an HTTP header to a sensitive use.
  */
-class UseOfLessTrustedSourceConfig extends TaintTracking::Configuration {
-  UseOfLessTrustedSourceConfig() { this = "UseOfLessTrustedSourceConfig" }
+class ClientSuppliedIpUsedInSecurityCheckConfig extends TaintTracking::Configuration {
+  ClientSuppliedIpUsedInSecurityCheckConfig() { this = "ClientSuppliedIpUsedInSecurityCheckConfig" }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof UseOfLessTrustedSource }
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof ClientSuppliedIpUsedInSecurityCheck
+  }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof UseOfLessTrustedSink }
+  override predicate isSink(DataFlow::Node sink) {
+    sink instanceof ClientSuppliedIpUsedInSecurityCheckSink
+  }
 
   /**
    * Splitting a header value by `,` and taking an entry other than the first is sanitizing, because
@@ -42,7 +46,8 @@ class UseOfLessTrustedSourceConfig extends TaintTracking::Configuration {
   }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, UseOfLessTrustedSourceConfig conf
+from
+  DataFlow::PathNode source, DataFlow::PathNode sink, ClientSuppliedIpUsedInSecurityCheckConfig conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "IP address spoofing might include code from $@.",
   source.getNode(), "this user input"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheckLib.qll
similarity index 77%
rename from java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
rename to java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheckLib.qll
index 04df6aa5dd6..fd9353d3414 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheckLib.qll
@@ -10,8 +10,8 @@ import experimental.semmle.code.java.Logging
  *
  * For example: `ServletRequest.getHeader("X-Forwarded-For")`.
  */
-class UseOfLessTrustedSource extends DataFlow::Node {
-  UseOfLessTrustedSource() {
+class ClientSuppliedIpUsedInSecurityCheck extends DataFlow::Node {
+  ClientSuppliedIpUsedInSecurityCheck() {
     exists(MethodAccess ma |
       ma.getMethod().hasName("getHeader") and
       ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
@@ -25,7 +25,7 @@ class UseOfLessTrustedSource extends DataFlow::Node {
 }
 
 /** A data flow sink for ip address forgery vulnerabilities. */
-abstract class UseOfLessTrustedSink extends DataFlow::Node { }
+abstract class ClientSuppliedIpUsedInSecurityCheckSink extends DataFlow::Node { }
 
 /**
  * A data flow sink for remote client ip comparison.
@@ -33,7 +33,7 @@ abstract class UseOfLessTrustedSink extends DataFlow::Node { }
  * For example: `if (!StringUtils.startsWith(ipAddr, "192.168.")){...` determine whether the client ip starts
  * with `192.168.`, and the program can be deceived by forging the ip address.
  */
-private class CompareSink extends UseOfLessTrustedSink {
+private class CompareSink extends ClientSuppliedIpUsedInSecurityCheckSink {
   CompareSink() {
     exists(MethodAccess ma |
       ma.getMethod().getName() in ["equals", "equalsIgnoreCase"] and
@@ -55,10 +55,7 @@ private class CompareSink extends UseOfLessTrustedSink {
       ma.getMethod().getDeclaringType() instanceof TypeString and
       ma.getMethod().getNumberOfParameters() = 1 and
       ma.getQualifier() = this.asExpr() and
-      ma.getAnArgument()
-          .(CompileTimeConstantExpr)
-          .getStringValue()
-          .regexpMatch("^((10\\.((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?)|(192\\.168\\.)|172\\.(1[6789]|2[0-9]|3[01])\\.)((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)$") // Matches IP-address-like strings
+      ma.getAnArgument().(CompileTimeConstantExpr).getStringValue().regexpMatch(getIpAddressRegex()) // Matches IP-address-like strings
     )
     or
     exists(MethodAccess ma |
@@ -68,10 +65,7 @@ private class CompareSink extends UseOfLessTrustedSink {
           .hasQualifiedName(["org.apache.commons.lang3", "org.apache.commons.lang"], "StringUtils") and
       ma.getMethod().getNumberOfParameters() = 2 and
       ma.getAnArgument() = this.asExpr() and
-      ma.getAnArgument()
-          .(CompileTimeConstantExpr)
-          .getStringValue()
-          .regexpMatch("^((10\\.((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?)|(192\\.168\\.)|172\\.(1[6789]|2[0-9]|3[01])\\.)((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)$")
+      ma.getAnArgument().(CompileTimeConstantExpr).getStringValue().regexpMatch(getIpAddressRegex())
     )
     or
     exists(MethodAccess ma |
@@ -88,7 +82,7 @@ private class CompareSink extends UseOfLessTrustedSink {
 }
 
 /** A data flow sink for sql operation. */
-private class SqlOperationSink extends UseOfLessTrustedSink {
+private class SqlOperationSink extends ClientSuppliedIpUsedInSecurityCheckSink {
   SqlOperationSink() { this instanceof QueryInjectionSink }
 }
 
@@ -99,3 +93,8 @@ class SplitMethod extends Method {
     this.hasQualifiedName("java.lang", "String", "split")
   }
 }
+
+string getIpAddressRegex() {
+  result =
+    "^((10\\.((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?)|(192\\.168\\.)|172\\.(1[6789]|2[0-9]|3[01])\\.)((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)$"
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected b/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected
new file mode 100644
index 00000000000..5627f9541f1
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected
@@ -0,0 +1,16 @@
+edges
+| ClientSuppliedIpUsedInSecurityCheck.java:16:21:16:33 | getClientIP(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:17:37:17:38 | ip |
+| ClientSuppliedIpUsedInSecurityCheck.java:24:21:24:33 | getClientIP(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:25:33:25:34 | ip |
+| ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:37 | ...[...] : String |
+| ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:37 | ...[...] : String | ClientSuppliedIpUsedInSecurityCheck.java:16:21:16:33 | getClientIP(...) : String |
+| ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:37 | ...[...] : String | ClientSuppliedIpUsedInSecurityCheck.java:24:21:24:33 | getClientIP(...) : String |
+nodes
+| ClientSuppliedIpUsedInSecurityCheck.java:16:21:16:33 | getClientIP(...) : String | semmle.label | getClientIP(...) : String |
+| ClientSuppliedIpUsedInSecurityCheck.java:17:37:17:38 | ip | semmle.label | ip |
+| ClientSuppliedIpUsedInSecurityCheck.java:24:21:24:33 | getClientIP(...) : String | semmle.label | getClientIP(...) : String |
+| ClientSuppliedIpUsedInSecurityCheck.java:25:33:25:34 | ip | semmle.label | ip |
+| ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:37 | ...[...] : String | semmle.label | ...[...] : String |
+#select
+| ClientSuppliedIpUsedInSecurityCheck.java:17:37:17:38 | ip | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:17:37:17:38 | ip | IP address spoofing might include code from $@. | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) | this user input |
+| ClientSuppliedIpUsedInSecurityCheck.java:25:33:25:34 | ip | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:25:33:25:34 | ip | IP address spoofing might include code from $@. | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java b/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.java
similarity index 73%
rename from java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java
rename to java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.java
index 689246340da..93a860981d1 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.java
@@ -6,7 +6,7 @@ import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
 @Controller
-public class UseOfLessTrustedSource {
+public class ClientSuppliedIpUsedInSecurityCheck {
 
     @Autowired
     private HttpServletRequest request;
@@ -30,15 +30,13 @@ public class UseOfLessTrustedSource {
     @GetMapping(value = "good1")
     @ResponseBody
     public String good1(HttpServletRequest request) {
-        String remoteAddr = "";
-        if (request != null) {
-            remoteAddr = request.getHeader("X-FORWARDED-FOR");
-            remoteAddr = remoteAddr.split(",")[remoteAddr.split(",").length - 1]; // good
-            if (remoteAddr == null || "".equals(remoteAddr)) {
-                remoteAddr = request.getRemoteAddr();
-            }
+        String ip = request.getHeader("X-FORWARDED-FOR");
+        // Good: if this application runs behind a reverse proxy it may append the real remote IP to the end of any client-supplied X-Forwarded-For header.
+        ip = ip.split(",")[ip.split(",").length - 1];
+        if (!StringUtils.startsWith(ip, "192.168.")) {
+            new Exception("ip illegal");
         }
-        return remoteAddr;
+        return ip;
     }
 
     protected String getClientIP() {
@@ -48,4 +46,4 @@ public class UseOfLessTrustedSource {
         }
         return xfHeader.split(",")[0];
     }
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.qlref b/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.qlref
new file mode 100644
index 00000000000..476249f5fd9
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected
deleted file mode 100644
index ff9cbc24a20..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected
+++ /dev/null
@@ -1,16 +0,0 @@
-edges
-| UseOfLessTrustedSource.java:16:21:16:33 | getClientIP(...) : String | UseOfLessTrustedSource.java:17:37:17:38 | ip |
-| UseOfLessTrustedSource.java:24:21:24:33 | getClientIP(...) : String | UseOfLessTrustedSource.java:25:33:25:34 | ip |
-| UseOfLessTrustedSource.java:45:27:45:62 | getHeader(...) : String | UseOfLessTrustedSource.java:49:16:49:37 | ...[...] : String |
-| UseOfLessTrustedSource.java:49:16:49:37 | ...[...] : String | UseOfLessTrustedSource.java:16:21:16:33 | getClientIP(...) : String |
-| UseOfLessTrustedSource.java:49:16:49:37 | ...[...] : String | UseOfLessTrustedSource.java:24:21:24:33 | getClientIP(...) : String |
-nodes
-| UseOfLessTrustedSource.java:16:21:16:33 | getClientIP(...) : String | semmle.label | getClientIP(...) : String |
-| UseOfLessTrustedSource.java:17:37:17:38 | ip | semmle.label | ip |
-| UseOfLessTrustedSource.java:24:21:24:33 | getClientIP(...) : String | semmle.label | getClientIP(...) : String |
-| UseOfLessTrustedSource.java:25:33:25:34 | ip | semmle.label | ip |
-| UseOfLessTrustedSource.java:45:27:45:62 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| UseOfLessTrustedSource.java:49:16:49:37 | ...[...] : String | semmle.label | ...[...] : String |
-#select
-| UseOfLessTrustedSource.java:17:37:17:38 | ip | UseOfLessTrustedSource.java:45:27:45:62 | getHeader(...) : String | UseOfLessTrustedSource.java:17:37:17:38 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:45:27:45:62 | getHeader(...) | this user input |
-| UseOfLessTrustedSource.java:25:33:25:34 | ip | UseOfLessTrustedSource.java:45:27:45:62 | getHeader(...) : String | UseOfLessTrustedSource.java:25:33:25:34 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:45:27:45:62 | getHeader(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.qlref b/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.qlref
deleted file mode 100644
index 3c547a2c871..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.qlref
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql
\ No newline at end of file

From ae857db657ffce39f9d009c11cf94f25d2651f7d Mon Sep 17 00:00:00 2001
From: Mario Campos <mario-campos@github.com>
Date: Fri, 30 Apr 2021 10:47:08 -0500
Subject: [PATCH 0792/1429] Add React Native to JavaScript frameworks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

According to @asgerf, React Native is already supported 🎉
---
 docs/codeql/support/reusables/frameworks.rst | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/codeql/support/reusables/frameworks.rst b/docs/codeql/support/reusables/frameworks.rst
index 7266aa4b028..afdf63bdb7b 100644
--- a/docs/codeql/support/reusables/frameworks.rst
+++ b/docs/codeql/support/reusables/frameworks.rst
@@ -132,6 +132,7 @@ JavaScript and TypeScript built-in support
    postgres, Database
    ramda, Utility library
    react, HTML framework
+   react native, HTML framework
    request, Network communicator
    sequelize, Database
    socket.io, Network communicator

From 53e04d0d96dd0038a8d2f47d2a098bd79c2095c0 Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Fri, 30 Apr 2021 17:53:43 +0200
Subject: [PATCH 0793/1429] Refactor to CSV sink model

---
 .../Security/CWE/CWE-094/JexlInjection.ql     |  19 ++
 .../Security/CWE/CWE-094/JexlInjectionLib.qll | 178 +++++++++++-------
 2 files changed, 127 insertions(+), 70 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjection.ql
index 2a23dd7368d..8b5e0d8eea1 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjection.ql
@@ -13,6 +13,25 @@
 import java
 import JexlInjectionLib
 import DataFlow::PathGraph
+import FlowUtils
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to construct and evaluate a JEXL expression.
+ * It supports both JEXL 2 and 3.
+ */
+class JexlInjectionConfig extends TaintTracking::Configuration {
+  JexlInjectionConfig() { this = "JexlInjectionConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(JexlInjectionAdditionalTaintStep c).step(node1, node2) or
+    hasGetterFlow(node1, node2)
+  }
+}
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, JexlInjectionConfig conf
 where conf.hasFlowPath(source, sink)
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
index 89d7cb496a4..dfe3a793ef3 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
@@ -1,89 +1,127 @@
 import java
-import FlowUtils
-import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
-
-/**
- * A taint-tracking configuration for unsafe user input
- * that is used to construct and evaluate a JEXL expression.
- * It supports both JEXL 2 and 3.
- */
-class JexlInjectionConfig extends TaintTracking::Configuration {
-  JexlInjectionConfig() { this = "JexlInjectionConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
-    any(TaintPropagatingJexlMethodCall c).taintFlow(fromNode, toNode) or
-    hasGetterFlow(fromNode, toNode)
-  }
-}
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A sink for Expresssion Language injection vulnerabilities via Jexl,
  * i.e. method calls that run evaluation of a JEXL expression.
- *
- * Creating a `Callable` from a tainted JEXL expression or script is considered as a sink
- * although the tainted expression is not executed at this point.
- * Here we assume that it will get executed at some point,
- * maybe stored in an object field and then reached by a different flow.
  */
-private class JexlEvaluationSink extends DataFlow::ExprNode {
-  JexlEvaluationSink() {
-    exists(MethodAccess ma, Method m, Expr taintFrom |
-      ma.getMethod() = m and taintFrom = this.asExpr()
-    |
-      m instanceof DirectJexlEvaluationMethod and ma.getQualifier() = taintFrom
-      or
-      m instanceof CreateJexlCallableMethod and ma.getQualifier() = taintFrom
-      or
-      m instanceof JexlEngineGetSetPropertyMethod and
-      taintFrom.getType() instanceof TypeString and
-      ma.getAnArgument() = taintFrom
-    )
+abstract class JexlEvaluationSink extends DataFlow::ExprNode { }
+
+/** Default sink for JXEL injection vulnerabilities. */
+private class DefaultJexlEvaluationSink extends JexlEvaluationSink {
+  DefaultJexlEvaluationSink() { sinkNode(this, "jexl") }
+}
+
+private class DefaultJexlInjectionSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // JEXL2
+        "org.apache.commons.jexl2;JexlEngine;false;getProperty;(JexlContext,Object,String);;Argument[2];jexl",
+        "org.apache.commons.jexl2;JexlEngine;false;getProperty;(Object,String);;Argument[1];jexl",
+        "org.apache.commons.jexl2;JexlEngine;false;setProperty;(JexlContext,Object,String,Object);;Argument[2];jexl",
+        "org.apache.commons.jexl2;JexlEngine;false;setProperty;(Object,String,Object);;Argument[1];jexl",
+        "org.apache.commons.jexl2;Expression;false;evaluate;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;Expression;false;callable;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;JexlExpression;false;evaluate;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;JexlExpression;false;callable;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;Script;false;execute;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;Script;false;callable;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;JexlScript;false;execute;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;JexlScript;false;callable;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;JxltEngine$Expression;false;evaluate;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;JxltEngine$Expression;false;prepare;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;JxltEngine$Template;false;evaluate;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;UnifiedJEXL$Expression;false;evaluate;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;UnifiedJEXL$Expression;false;prepare;;;Argument[-1];jexl",
+        "org.apache.commons.jexl2;UnifiedJEXL$Template;false;evaluate;;;Argument[-1];jexl",
+        // JEXL3
+        "org.apache.commons.jexl3;JexlEngine;false;getProperty;(JexlContext,Object,String);;Argument[2];jexl",
+        "org.apache.commons.jexl3;JexlEngine;false;getProperty;(Object,String);;Argument[1];jexl",
+        "org.apache.commons.jexl3;JexlEngine;false;setProperty;(JexlContext,Object,String);;Argument[2];jexl",
+        "org.apache.commons.jexl3;JexlEngine;false;setProperty;(Object,String,Object);;Argument[1];jexl",
+        "org.apache.commons.jexl3;Expression;false;evaluate;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;Expression;false;callable;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;JexlExpression;false;evaluate;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;JexlExpression;false;callable;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;Script;false;execute;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;Script;false;callable;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;JexlScript;false;execute;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;JexlScript;false;callable;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;JxltEngine$Expression;false;evaluate;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;JxltEngine$Expression;false;prepare;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;JxltEngine$Template;false;evaluate;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;UnifiedJEXL$Expression;false;evaluate;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;UnifiedJEXL$Expression;false;prepare;;;Argument[-1];jexl",
+        "org.apache.commons.jexl3;UnifiedJEXL$Template;false;evaluate;;;Argument[-1];jexl"
+      ]
   }
 }
 
 /**
- * Defines method calls that propagate tainted data via one of the methods
- * from JEXL library.
+ * A unit class for adding additional taint steps.
+ *
+ * Extend this class to add additional taint steps that should apply to the `JexlInjectionFlowConfig`.
  */
-private class TaintPropagatingJexlMethodCall extends MethodAccess {
-  Expr taintFromExpr;
-
-  TaintPropagatingJexlMethodCall() {
-    exists(Method m, RefType taintType |
-      this.getMethod() = m and
-      taintType = taintFromExpr.getType()
-    |
-      isUnsafeEngine(this.getQualifier()) and
-      (
-        m instanceof CreateJexlScriptMethod and
-        taintFromExpr = this.getArgument(0) and
-        taintType instanceof TypeString
-        or
-        m instanceof CreateJexlExpressionMethod and
-        taintFromExpr = this.getAnArgument() and
-        taintType instanceof TypeString
-        or
-        m instanceof CreateJexlTemplateMethod and
-        (taintType instanceof TypeString or taintType instanceof Reader) and
-        taintFromExpr = this.getArgument([0, 1])
-      )
-    )
-  }
-
+abstract class JexlInjectionAdditionalTaintStep extends Unit {
   /**
-   * Holds if `fromNode` to `toNode` is a dataflow step that propagates
-   * tainted data.
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step for the `JexlInjectionConfig` configuration.
    */
-  predicate taintFlow(DataFlow::Node fromNode, DataFlow::Node toNode) {
-    fromNode.asExpr() = taintFromExpr and toNode.asExpr() = this
+  abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
+}
+
+/** A set of additional taint steps to consider when taint tracking JXEL related data flows. */
+private class DefaultJexlInjectionAdditionalTaintStep extends JexlInjectionAdditionalTaintStep {
+  override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
+    createJexlScriptStep(node1, node2) or
+    createJexlExpressionStep(node1, node2) or
+    createJexlTemplateStep(node1, node2)
   }
 }
 
+/**
+ * Holds if `n1` to `n2` is a dataflow step that creates a JEXL script using an unsafe engine
+ * i.e. `tainted.createScript(jexlExpr)`.
+ */
+private predicate createJexlScriptStep(DataFlow::Node n1, DataFlow::Node n2) {
+  exists(MethodAccess ma, Method m | m = ma.getMethod() and n2.asExpr() = ma |
+    isUnsafeEngine(ma.getQualifier()) and
+    m instanceof CreateJexlScriptMethod and
+    n1.asExpr() = ma.getArgument(0) and
+    n1.asExpr().getType() instanceof TypeString
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that creates a JEXL expression using an unsafe engine
+ * i.e. `tainted.createExpression(jexlExpr)`.
+ */
+private predicate createJexlExpressionStep(DataFlow::Node n1, DataFlow::Node n2) {
+  exists(MethodAccess ma, Method m | m = ma.getMethod() and n2.asExpr() = ma |
+    isUnsafeEngine(ma.getQualifier()) and
+    m instanceof CreateJexlExpressionMethod and
+    n1.asExpr() = ma.getAnArgument() and
+    n1.asExpr().getType() instanceof TypeString
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that creates a JEXL template using an unsafe engine
+ * i.e. `tainted.createTemplate(jexlExpr)`.
+ */
+private predicate createJexlTemplateStep(DataFlow::Node n1, DataFlow::Node n2) {
+  exists(MethodAccess ma, Method m, RefType taintType |
+    m = ma.getMethod() and n2.asExpr() = ma and taintType = n1.asExpr().getType()
+  |
+    isUnsafeEngine(ma.getQualifier()) and
+    m instanceof CreateJexlTemplateMethod and
+    n1.asExpr() = ma.getArgument([0, 1]) and
+    (taintType instanceof TypeString or taintType instanceof Reader)
+  )
+}
+
 /**
  * Holds if `expr` is a JEXL engine that is not configured with a sandbox.
  */
@@ -92,7 +130,7 @@ private predicate isUnsafeEngine(Expr expr) {
 }
 
 /**
- * A configuration for a tracking sandboxed JEXL engines.
+ * A configuration for tracking sandboxed JEXL engines.
  */
 private class SandboxedJexlFlowConfig extends DataFlow2::Configuration {
   SandboxedJexlFlowConfig() { this = "JexlInjection::SandboxedJexlFlowConfig" }

From 8c3980d80b88e56db5c01265a9b2ca2c86bff197 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Sun, 2 May 2021 22:54:43 +0300
Subject: [PATCH 0794/1429] Update
 cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.c

Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
---
 .../CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.c  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.c b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.c
index b09971b5328..53a50841977 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.c
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.c
@@ -3,7 +3,7 @@ while(intIndex > 2)
   ...
   intIndex--;
   ...
-} // GOOD: coreten cycle
+} // GOOD: correct cycle
 ...
 while(intIndex > 2)
 {

From 0935c5a0f2a2fa2404eac279823ca2faecf6ab30 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Sun, 2 May 2021 22:58:30 +0300
Subject: [PATCH 0795/1429] Update
 DeclarationOfVariableWithUnnecessarilyWideScope.ql

---
 .../CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
index a253a5e0599..9acc1d35d81 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
@@ -26,7 +26,7 @@ class DangerousWhileLoop extends WhileStmt {
     exp = this.getCondition().getAChild*() and
     not exp instanceof PointerFieldAccess and
     not exp instanceof ValueFieldAccess and
-    exp.toString() = dl.getName() and
+    exp.(VariableAccess).getTarget().getName() = dl.getName() and
     not exp.getParent*() instanceof CrementOperation and
     not exp.getParent*() instanceof Assignment and
     not exp.getParent*() instanceof FunctionCall

From 21f43252e6d48cc3638690225e762fc092c75f99 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Sun, 2 May 2021 22:59:04 +0300
Subject: [PATCH 0796/1429] Update
 DeclarationOfVariableWithUnnecessarilyWideScope.expected

---
 .../DeclarationOfVariableWithUnnecessarilyWideScope.expected    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.expected
index 7b540a33384..4b29dad8779 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.expected
@@ -1 +1 @@
-| test.c:12:9:12:16 | intIndex | A variable with this name is used in the loop condition. |
+| test.c:13:9:13:16 | intIndex | A variable with this name is used in the loop condition. |

From bb97507ebc195ecdb43126c4fcab6741b274791e Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Sun, 2 May 2021 22:59:56 +0300
Subject: [PATCH 0797/1429] Update test.c

---
 .../Security/CWE/CWE-1126/semmle/tests/test.c   | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c
index 090bed34d45..325c278f697 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c
@@ -6,10 +6,27 @@ void workFunction_0(char *s) {
     buf[intIndex] = 1;
     intIndex--;
   }
+  intIndex = 10;
   while(intIndex > 2)
   {
     buf[intIndex] = 1;
     int intIndex; // BAD
     intIndex--;
   }
+  intIndex = 10;
+  while(intIndex > 2) // GOOD
+  {
+    buf[intIndex] = 1;
+    intIndex -= 2;
+    int intIndex;
+    intIndex--;
+  }
+  intIndex = 10;
+  while(intIndex > 2) // GOOD
+  {
+    buf[intIndex] = 1;
+    --intIndex;
+    int intIndex;
+    intIndex--;
+  }
 }

From 7ab91bb1857a46fe25b3c341231353303608ab39 Mon Sep 17 00:00:00 2001
From: edvraa <80588099+edvraa@users.noreply.github.com>
Date: Mon, 3 May 2021 00:09:15 +0300
Subject: [PATCH 0798/1429] Inline getOptionsArgument

---
 javascript/ql/src/semmle/javascript/dataflow/Nodes.qll          | 2 +-
 javascript/ql/src/semmle/javascript/security/InsecureCookie.qll | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
index 36a059254a8..9044ad39549 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
@@ -169,7 +169,7 @@ class InvokeNode extends DataFlow::SourceNode {
    * Holds if the `i`th argument of this invocation is an object literal set to `result`.
    */
   pragma[noinline]
-  ObjectLiteralNode getOptionsArgument(int i) { result.flowsTo(getArgument(i)) }
+  private ObjectLiteralNode getOptionsArgument(int i) { result.flowsTo(getArgument(i)) }
 
   /** Gets an abstract value representing possible callees of this call site. */
   final AbstractValue getACalleeValue() {
diff --git a/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll b/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
index beaa5be48d1..6d45f6460db 100644
--- a/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
+++ b/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
@@ -75,7 +75,7 @@ module Cookie {
   class InsecureCookieSession extends ExpressLibraries::CookieSession::MiddlewareInstance, Cookie {
     override string getKind() { result = "cookie-session" }
 
-    override DataFlow::SourceNode getCookieOptionsArgument() { result = this.getOptionsArgument(0) }
+    override DataFlow::SourceNode getCookieOptionsArgument() { result.flowsTo(getArgument(0)) }
 
     private DataFlow::Node getCookieFlagValue(string flag) {
       result = this.getCookieOptionsArgument().getAPropertyWrite(flag).getRhs()

From 97bc7e38d2a48d5c313cbcc1fadf10e8ec6ce493 Mon Sep 17 00:00:00 2001
From: edvraa <80588099+edvraa@users.noreply.github.com>
Date: Mon, 3 May 2021 00:31:29 +0300
Subject: [PATCH 0799/1429] check for sensitive property name

---
 .../src/semmle/javascript/security/InsecureCookie.qll |  3 ++-
 .../Security/CWE-1004/CookieWithoutHttpOnly.expected  |  1 +
 .../Security/CWE-1004/test_responseCookie.js          | 11 +++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll b/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
index 6d45f6460db..b6a45130ac8 100644
--- a/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
+++ b/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
@@ -53,7 +53,8 @@ module Cookie {
       exists(string val |
         (
           val = expr.getStringValue() or
-          val = expr.asExpr().(VarAccess).getName()
+          val = expr.asExpr().(VarAccess).getName() or
+          val = expr.(DataFlow::PropRead).getPropertyName()
         ) and
         regexpMatchAuth(val)
       )
diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected b/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
index bb113b398ec..c8335af92a5 100644
--- a/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
@@ -14,3 +14,4 @@
 | test_responseCookie.js:65:5:65:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_responseCookie.js:84:5:84:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_responseCookie.js:95:5:95:41 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_responseCookie.js:106:5:106:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/test_responseCookie.js b/javascript/ql/test/query-tests/Security/CWE-1004/test_responseCookie.js
index e0bc5cb88e6..c21fce16050 100644
--- a/javascript/ql/test/query-tests/Security/CWE-1004/test_responseCookie.js
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/test_responseCookie.js
@@ -96,6 +96,17 @@ app.get('/a', function (req, res, next) {
     res.end('ok')
 })
 
+app.get('/a', function (req, res, next) {
+    let options = {
+        maxAge: 9000000000,
+        httpOnly: false,
+    }
+    options.httpOnly = false;
+    let o = { session: "blabla" }
+    res.cookie(o.session, 'value', options); // BAD, var name likely auth related
+    res.end('ok')
+})
+
 app.get('/a', function (req, res, next) {
     let options = {
         maxAge: 9000000000,

From fa94fedfc30ce461c15273772fb6ff19f81648ad Mon Sep 17 00:00:00 2001
From: edvraa <80588099+edvraa@users.noreply.github.com>
Date: Mon, 3 May 2021 00:36:26 +0300
Subject: [PATCH 0800/1429] simple dataflow for sensitive name

---
 .../src/semmle/javascript/security/InsecureCookie.qll |  2 ++
 .../Security/CWE-1004/CookieWithoutHttpOnly.expected  |  1 +
 .../Security/CWE-1004/test_responseCookie.js          | 11 +++++++++++
 3 files changed, 14 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll b/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
index b6a45130ac8..c3e6acf0357 100644
--- a/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
+++ b/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
@@ -58,6 +58,8 @@ module Cookie {
         ) and
         regexpMatchAuth(val)
       )
+      or
+      isAuthVariable(expr.getAPredecessor())
     }
 
     /**
diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected b/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
index c8335af92a5..da9e730cc16 100644
--- a/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
@@ -15,3 +15,4 @@
 | test_responseCookie.js:84:5:84:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_responseCookie.js:95:5:95:41 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_responseCookie.js:106:5:106:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_responseCookie.js:117:5:117:40 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/test_responseCookie.js b/javascript/ql/test/query-tests/Security/CWE-1004/test_responseCookie.js
index c21fce16050..b27e8d6a568 100644
--- a/javascript/ql/test/query-tests/Security/CWE-1004/test_responseCookie.js
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/test_responseCookie.js
@@ -107,6 +107,17 @@ app.get('/a', function (req, res, next) {
     res.end('ok')
 })
 
+app.get('/a', function (req, res, next) {
+    let options = {
+        maxAge: 9000000000,
+        httpOnly: false,
+    }
+    options.httpOnly = false;
+    let blabla = "session"
+    res.cookie(blabla, 'value', options); // BAD, var name likely auth related
+    res.end('ok')
+})
+
 app.get('/a', function (req, res, next) {
     let options = {
         maxAge: 9000000000,

From a24c1c81141d2d23c1c9f885ef793a38f2994299 Mon Sep 17 00:00:00 2001
From: edvraa <80588099+edvraa@users.noreply.github.com>
Date: Mon, 3 May 2021 00:36:38 +0300
Subject: [PATCH 0801/1429] fix comment

---
 javascript/ql/src/semmle/javascript/security/InsecureCookie.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll b/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
index c3e6acf0357..d960a45ac63 100644
--- a/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
+++ b/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
@@ -1,5 +1,5 @@
 /**
- * Provides classes for reasoning about cookies added to response without the 'secure' flag being set.
+ * Provides classes for reasoning about cookies added to response without the 'secure' or 'httponly' flag being set.
  * A cookie without the 'secure' flag being set can be intercepted and read by a malicious user.
  * A cookie without the 'httponly' flag being set can be read by an injected JavaScript
  */

From 4709e8139d88ff445352716fdc6177e8a4995d70 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Mon, 3 May 2021 01:43:56 +0000
Subject: [PATCH 0802/1429] JPython code injection

---
 .../CWE/CWE-094/JPythonInjection.java         |  48 ++++
 .../CWE/CWE-094/JPythonInjection.qhelp        |  34 +++
 .../Security/CWE/CWE-094/JPythonInjection.ql  |  68 +++++
 .../CWE-094/JPythonInjection.expected         |  11 +
 .../security/CWE-094/JPythonInjection.java    |  64 +++++
 .../security/CWE-094/JPythonInjection.qlref   |   1 +
 .../query-tests/security/CWE-094/options      |   2 +-
 .../jpython-2.7.2/org/python/core/PyCode.java |  43 +++
 .../org/python/core/PyException.java          |  12 +
 .../org/python/core/PyObject.java             |  11 +
 .../org/python/core/PySystemState.java        | 177 ++++++++++++
 .../org/python/core/ThreadState.java          |  28 ++
 .../org/python/util/PythonInterpreter.java    | 252 ++++++++++++++++++
 13 files changed, 750 insertions(+), 1 deletion(-)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.java
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.qhelp
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.ql
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.qlref
 create mode 100644 java/ql/test/stubs/jpython-2.7.2/org/python/core/PyCode.java
 create mode 100644 java/ql/test/stubs/jpython-2.7.2/org/python/core/PyException.java
 create mode 100644 java/ql/test/stubs/jpython-2.7.2/org/python/core/PyObject.java
 create mode 100644 java/ql/test/stubs/jpython-2.7.2/org/python/core/PySystemState.java
 create mode 100644 java/ql/test/stubs/jpython-2.7.2/org/python/core/ThreadState.java
 create mode 100644 java/ql/test/stubs/jpython-2.7.2/org/python/util/PythonInterpreter.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.java b/java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.java
new file mode 100644
index 00000000000..13db6830a71
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.java
@@ -0,0 +1,48 @@
+public class JPythonInjection extends HttpServlet {
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        response.setContentType("text/plain");
+        String code = request.getParameter("code");
+        PythonInterpreter interpreter = null;
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+
+        try {
+          interpreter = new PythonInterpreter();
+          interpreter.setOut(out);
+          interpreter.setErr(out);
+
+          // BAD: allow arbitrary JPython expression to execute
+          interpreter.exec(code);
+          out.flush();
+
+          response.getWriter().print(out.toString());
+        } catch(PyException ex) {
+            response.getWriter().println(ex.getMessage());
+        } finally {
+            if (interpreter != null) {
+              interpreter.close();
+            }
+            out.close();
+        }
+    }
+
+    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+      response.setContentType("text/plain");
+      String code = request.getParameter("code");
+      PythonInterpreter interpreter = null;
+
+      try {
+        interpreter = new PythonInterpreter();
+        // BAD: allow arbitrary JPython expression to evaluate
+        PyObject py = interpreter.eval(code);
+
+        response.getWriter().print(py.toString());
+      } catch(PyException ex) {
+          response.getWriter().println(ex.getMessage());
+      } finally {
+          if (interpreter != null) {
+            interpreter.close();
+          }
+      }
+  }
+}
+
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.qhelp
new file mode 100644
index 00000000000..dddbb2d618a
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.qhelp
@@ -0,0 +1,34 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Python has been the most widely used programming language in recent years, and JPython
+  is a popular Java implementation of Python. It allows embedded Python scripting inside 
+  Java applications and provides an interactive interpreter that can be used to interact 
+  with Java packages or with running Java applications. If an expression is built using 
+  attacker-controlled data and then evaluated, it may allow the attacker to run arbitrary 
+  code.</p>
+</overview>
+
+<recommendation>
+<p>In general, including user input in JPython expression should be avoided. If user input 
+  must be included in an expression, it should be then evaluated in a safe context that 
+  doesn't allow arbitrary code invocation.</p>
+</recommendation>
+
+<example>
+<p>The following code could execute random code in JPython Interpreter</p>
+<sample src="JPythonInjection.java" />
+</example>
+
+<references>
+<li>
+  JPython Organization: <a href="https://jython.readthedocs.io/en/latest/JythonAndJavaIntegration/">JPython and Java Integration</a>
+</li>
+<li>
+  PortSwigger: <a href="https://portswigger.net/kb/issues/00100f10_python-code-injection">Python code injection</a>
+</li>
+</references>
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.ql
new file mode 100644
index 00000000000..a6621d89c26
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.ql
@@ -0,0 +1,68 @@
+/**
+ * @name Injection in JPython
+ * @description Evaluation of a user-controlled malicious expression in JPython
+ *              may lead to remote code execution.
+ * @kind path-problem
+ * @id java/jpython-injection
+ * @tags security
+ *       external/cwe/cwe-094
+ *       external/cwe/cwe-095
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import DataFlow::PathGraph
+
+/** The class `org.python.util.PythonInterpreter`. */
+class PythonInterpreter extends RefType {
+  PythonInterpreter() { this.hasQualifiedName("org.python.util", "PythonInterpreter") }
+}
+
+/** A method that evaluates, compiles or executes a JPython expression. */
+class InterpretExprMethod extends Method {
+  InterpretExprMethod() {
+    this.getDeclaringType().getAnAncestor*() instanceof PythonInterpreter and
+    (
+      hasName("exec") or
+      hasName("eval") or
+      hasName("compile")
+    )
+  }
+}
+
+/** Holds if a JPython expression if evaluated, compiled or executed. */
+predicate runCode(MethodAccess ma, Expr sink) {
+  exists(Method m | m = ma.getMethod() |
+    m instanceof InterpretExprMethod and
+    sink = ma.getArgument(0)
+  )
+}
+
+/** Sink of an expression interpreted by JPython interpreter. */
+class CodeInjectionSink extends DataFlow::ExprNode {
+  CodeInjectionSink() { runCode(_, this.getExpr()) }
+
+  MethodAccess getMethodAccess() { runCode(result, this.getExpr()) }
+}
+
+class CodeInjectionConfiguration extends TaintTracking::Configuration {
+  CodeInjectionConfiguration() { this = "CodeInjectionConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource
+    or
+    source instanceof LocalUserInput
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // @RequestBody MyQueryObj query; interpreter.exec(query.getInterpreterCode());
+    exists(MethodAccess ma | ma.getQualifier() = node1.asExpr() and ma = node2.asExpr())
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, CodeInjectionConfiguration conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode().(CodeInjectionSink).getMethodAccess(), source, sink, "JPython evaluate $@.",
+  source.getNode(), "user input"
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.expected
new file mode 100644
index 00000000000..f5816001939
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.expected
@@ -0,0 +1,11 @@
+edges
+| JPythonInjection.java:22:23:22:50 | getParameter(...) : String | JPythonInjection.java:30:28:30:31 | code |
+| JPythonInjection.java:47:21:47:48 | getParameter(...) : String | JPythonInjection.java:52:40:52:43 | code |
+nodes
+| JPythonInjection.java:22:23:22:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JPythonInjection.java:30:28:30:31 | code | semmle.label | code |
+| JPythonInjection.java:47:21:47:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JPythonInjection.java:52:40:52:43 | code | semmle.label | code |
+#select
+| JPythonInjection.java:30:11:30:32 | exec(...) | JPythonInjection.java:22:23:22:50 | getParameter(...) : String | JPythonInjection.java:30:28:30:31 | code | JPython evaluate $@. | JPythonInjection.java:22:23:22:50 | getParameter(...) | user input |
+| JPythonInjection.java:52:23:52:44 | eval(...) | JPythonInjection.java:47:21:47:48 | getParameter(...) : String | JPythonInjection.java:52:40:52:43 | code | JPython evaluate $@. | JPythonInjection.java:47:21:47:48 | getParameter(...) | user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.java b/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.java
new file mode 100644
index 00000000000..a0515eb4212
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.java
@@ -0,0 +1,64 @@
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.python.core.PyObject;
+import org.python.core.PyException;
+import org.python.util.PythonInterpreter;
+
+public class JPythonInjection extends HttpServlet {
+    private static final long serialVersionUID = 1L;
+       
+    public JPythonInjection() {
+        super();
+    }
+
+    // BAD: allow arbitrary JPython expression to execute
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        response.setContentType("text/plain");
+        String code = request.getParameter("code");
+        PythonInterpreter interpreter = null;
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+
+        try {
+          interpreter = new PythonInterpreter();
+          interpreter.setOut(out);
+          interpreter.setErr(out);
+          interpreter.exec(code);
+          out.flush();
+
+          response.getWriter().print(out.toString());
+        } catch(PyException ex) {
+            response.getWriter().println(ex.getMessage());
+        } finally {
+            if (interpreter != null) {
+              interpreter.close();
+            }
+            out.close();
+        }
+    }
+
+    // BAD: allow arbitrary JPython expression to evaluate
+    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+      response.setContentType("text/plain");
+      String code = request.getParameter("code");
+      PythonInterpreter interpreter = null;
+
+      try {
+        interpreter = new PythonInterpreter();
+        PyObject py = interpreter.eval(code);
+
+        response.getWriter().print(py.toString());
+      } catch(PyException ex) {
+          response.getWriter().println(ex.getMessage());
+      } finally {
+          if (interpreter != null) {
+            interpreter.close();
+          }
+      }
+  }
+}
+
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.qlref
new file mode 100644
index 00000000000..80217a193bd
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-094/JPythonInjection.ql
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/options b/java/ql/test/experimental/query-tests/security/CWE-094/options
index 18e3518fc97..ccf3a24f215 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/options
@@ -1,2 +1,2 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jpython-2.7.2
 
diff --git a/java/ql/test/stubs/jpython-2.7.2/org/python/core/PyCode.java b/java/ql/test/stubs/jpython-2.7.2/org/python/core/PyCode.java
new file mode 100644
index 00000000000..9b7c99f94fa
--- /dev/null
+++ b/java/ql/test/stubs/jpython-2.7.2/org/python/core/PyCode.java
@@ -0,0 +1,43 @@
+// Copyright (c) Corporation for National Research Initiatives
+package org.python.core;
+
+/**
+ * A super class for all python code implementations.
+ */
+public abstract class PyCode extends PyObject
+{
+    abstract public PyObject call(ThreadState state,
+                                  PyObject args[], String keywords[],
+                                  PyObject globals, PyObject[] defaults,
+                                  PyObject closure);
+
+    abstract public PyObject call(ThreadState state,
+                                  PyObject self, PyObject args[],
+                                  String keywords[],
+                                  PyObject globals, PyObject[] defaults,
+                                  PyObject closure);
+
+    abstract public PyObject call(ThreadState state,
+                                  PyObject globals, PyObject[] defaults,
+                                  PyObject closure);
+
+    abstract public PyObject call(ThreadState state,
+                                  PyObject arg1, PyObject globals,
+                                  PyObject[] defaults, PyObject closure);
+
+    abstract public PyObject call(ThreadState state,
+                                  PyObject arg1, PyObject arg2,
+                                  PyObject globals, PyObject[] defaults,
+                                  PyObject closure);
+
+    abstract public PyObject call(ThreadState state,
+                                  PyObject arg1, PyObject arg2, PyObject arg3,
+                                  PyObject globals, PyObject[] defaults,
+                                  PyObject closure);
+
+    abstract public PyObject call(ThreadState state,
+                                  PyObject arg1, PyObject arg2, PyObject arg3, PyObject arg4,
+                                  PyObject globals, PyObject[] defaults,
+                                  PyObject closure);
+
+}
diff --git a/java/ql/test/stubs/jpython-2.7.2/org/python/core/PyException.java b/java/ql/test/stubs/jpython-2.7.2/org/python/core/PyException.java
new file mode 100644
index 00000000000..3a0a6c52c69
--- /dev/null
+++ b/java/ql/test/stubs/jpython-2.7.2/org/python/core/PyException.java
@@ -0,0 +1,12 @@
+// Copyright (c) Corporation for National Research Initiatives
+package org.python.core;
+import java.io.*;
+
+/**
+ * A wrapper for all python exception. Note that the well-known python exceptions are <b>not</b>
+ * subclasses of PyException. Instead the python exception class is stored in the <code>type</code>
+ * field and value or class instance is stored in the <code>value</code> field.
+ */
+public class PyException extends RuntimeException
+{
+}
diff --git a/java/ql/test/stubs/jpython-2.7.2/org/python/core/PyObject.java b/java/ql/test/stubs/jpython-2.7.2/org/python/core/PyObject.java
new file mode 100644
index 00000000000..00993123461
--- /dev/null
+++ b/java/ql/test/stubs/jpython-2.7.2/org/python/core/PyObject.java
@@ -0,0 +1,11 @@
+// Copyright (c) Corporation for National Research Initiatives
+package org.python.core;
+
+import java.io.Serializable;
+
+/**
+ * All objects known to the Jython runtime system are represented by an instance of the class
+ * {@code PyObject} or one of its subclasses.
+ */
+public class PyObject implements Serializable {
+}
diff --git a/java/ql/test/stubs/jpython-2.7.2/org/python/core/PySystemState.java b/java/ql/test/stubs/jpython-2.7.2/org/python/core/PySystemState.java
new file mode 100644
index 00000000000..8444bbba70e
--- /dev/null
+++ b/java/ql/test/stubs/jpython-2.7.2/org/python/core/PySystemState.java
@@ -0,0 +1,177 @@
+// Copyright (c) Corporation for National Research Initiatives
+package org.python.core;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Properties;
+
+/**
+ * The "sys" module.
+ */
+// xxx Many have lamented, this should really be a module!
+// but it will require some refactoring to see this wish come true.
+public class PySystemState extends PyObject {
+    public PySystemState() {
+    }
+
+    public static void classDictInit(PyObject dict) {
+    }
+
+    public ClassLoader getSyspathJavaLoader() {
+        return null;
+    }
+
+    // xxx fix this accessors
+    public PyObject __findattr_ex__(String name) {
+        return null;
+    }
+
+    public void __setattr__(String name, PyObject value) {
+    }
+
+    public void __delattr__(String name) {
+    }
+
+    public PyObject gettrace() {
+        return null;
+    }
+
+    public void settrace(PyObject tracefunc) {
+    }
+
+    /**
+     * Change the current working directory to the specified path.
+     *
+     * path is assumed to be absolute and canonical (via os.path.realpath).
+     *
+     * @param path a path String
+     */
+    public void setCurrentWorkingDir(String path) {
+    }
+
+    /**
+     * Return a string representing the current working directory.
+     *
+     * @return a path String
+     */
+    public String getCurrentWorkingDir() {
+        return null;
+    }
+
+    /**
+     * Resolve a path. Returns the full path taking the current working directory into account.
+     *
+     * @param path a path String
+     * @return a resolved path String
+     */
+    public String getPath(String path) {
+        return null;
+    }
+
+    /**
+     * Resolve a path, returning a {@link File}, taking the current working directory into account.
+     *
+     * @param path a path <code>String</code>
+     * @return a resolved <code>File</code>
+     */
+    public File getFile(String path) {
+        return null;
+    }
+
+    public ClassLoader getClassLoader() {
+        return null;
+    }
+
+    public void setClassLoader(ClassLoader classLoader) {
+    }
+
+    public static Properties getBaseProperties() {
+        return null;
+    }
+
+    public static synchronized void initialize() {
+    }
+
+    public static synchronized void initialize(Properties preProperties,
+            Properties postProperties) {
+    }
+
+    public static synchronized void initialize(Properties preProperties, Properties postProperties,
+            String[] argv) {
+    }
+
+    public static synchronized void initialize(Properties preProperties, Properties postProperties,
+            String[] argv, ClassLoader classLoader) {
+    }
+
+    /**
+     * Add a classpath directory to the list of places that are searched for java packages.
+     * <p>
+     * <b>Note</b>. Classes found in directory and sub-directory are not made available to jython by
+     * this call. It only makes the java package found in the directory available. This call is
+     * mostly useful if jython is embedded in an application that deals with its own class loaders.
+     * A servlet container is a very good example. Calling
+     * {@code add_classdir("<context>/WEB-INF/classes")} makes the java packages in WEB-INF classes
+     * available to jython import. However the actual class loading is completely handled by the
+     * servlet container's context classloader.
+     */
+    public static void add_classdir(String directoryPath) {
+    }
+
+    /**
+     * Add a .jar and .zip directory to the list of places that are searched for java .jar and .zip
+     * files. The .jar and .zip files found will not be cached.
+     * <p>
+     * <b>Note</b>. Classes in .jar and .zip files found in the directory are not made available to
+     * jython by this call. See the note for add_classdir(dir) for more details.
+     *
+     * @param directoryPath The name of a directory.
+     *
+     * @see #add_classdir
+     */
+    public static void add_extdir(String directoryPath) {
+    }
+
+    /**
+     * Add a .jar and .zip directory to the list of places that are searched for java .jar and .zip
+     * files.
+     * <p>
+     * <b>Note</b>. Classes in .jar and .zip files found in the directory are not made available to
+     * jython by this call. See the note for add_classdir(dir) for more details.
+     *
+     * @param directoryPath The name of a directory.
+     * @param cache Controls if the packages in the zip and jar file should be cached.
+     *
+     * @see #add_classdir
+     */
+    public static void add_extdir(String directoryPath, boolean cache) {
+    }
+
+    // Not public by design. We can't rebind the displayhook if
+    // a reflected function is inserted in the class dict.
+
+    /**
+     * Exit a Python program with the given status.
+     *
+     * @param status the value to exit with
+     * @throws PyException {@code SystemExit} always throws this exception. When caught at top level
+     *             the program will exit.
+     */
+    public static void exit(PyObject status) {
+    }
+
+    /**
+     * Exit a Python program with the status 0.
+     */
+    public static void exit() {
+    }
+
+    public static void exc_clear() {
+    }
+
+    public void cleanup() {
+    }
+
+    public void close() {
+    }
+}
diff --git a/java/ql/test/stubs/jpython-2.7.2/org/python/core/ThreadState.java b/java/ql/test/stubs/jpython-2.7.2/org/python/core/ThreadState.java
new file mode 100644
index 00000000000..920270fe053
--- /dev/null
+++ b/java/ql/test/stubs/jpython-2.7.2/org/python/core/ThreadState.java
@@ -0,0 +1,28 @@
+// Copyright (c) Corporation for National Research Initiatives
+package org.python.core;
+
+// a ThreadState refers to one PySystemState; this weak ref allows for tracking all ThreadState objects
+// that refer to a given PySystemState
+
+public class ThreadState {
+
+    public PyException exception;
+
+    public ThreadState(PySystemState systemState) {
+        setSystemState(systemState);
+    }
+
+    public void setSystemState(PySystemState systemState) {
+    }
+
+    public PySystemState getSystemState() {
+        return null;
+    }
+
+    public boolean enterRepr(PyObject obj) {
+        return false;
+    }
+
+    public void exitRepr(PyObject obj) {
+    }
+}
diff --git a/java/ql/test/stubs/jpython-2.7.2/org/python/util/PythonInterpreter.java b/java/ql/test/stubs/jpython-2.7.2/org/python/util/PythonInterpreter.java
new file mode 100644
index 00000000000..92c50917b59
--- /dev/null
+++ b/java/ql/test/stubs/jpython-2.7.2/org/python/util/PythonInterpreter.java
@@ -0,0 +1,252 @@
+package org.python.util;
+
+import java.io.Closeable;
+import java.io.Reader;
+import java.io.StringReader;
+import java.util.Properties;
+
+import org.python.core.PyCode;
+import org.python.core.PyObject;
+
+/**
+ * The PythonInterpreter class is a standard wrapper for a Jython interpreter for embedding in a
+ * Java application.
+ */
+public class PythonInterpreter implements Closeable {
+
+    /**
+     * Initializes the Jython runtime. This should only be called once, before any other Python
+     * objects (including PythonInterpreter) are created.
+     *
+     * @param preProperties A set of properties. Typically System.getProperties() is used.
+     *            preProperties override properties from the registry file.
+     * @param postProperties Another set of properties. Values like python.home, python.path and all
+     *            other values from the registry files can be added to this property set.
+     *            postProperties override system properties and registry properties.
+     * @param argv Command line arguments, assigned to sys.argv.
+     */
+    public static void
+            initialize(Properties preProperties, Properties postProperties, String[] argv) {
+    }
+
+    /**
+     * Creates a new interpreter with an empty local namespace.
+     */
+    public PythonInterpreter() {
+    }
+
+    /**
+     * Creates a new interpreter with the ability to maintain a separate local namespace for each
+     * thread (set by invoking setLocals()).
+     *
+     * @param dict a Python mapping object (e.g., a dictionary) for use as the default namespace
+     */
+    public static PythonInterpreter threadLocalStateInterpreter(PyObject dict) {
+        return null;
+    }
+
+    /**
+     * Creates a new interpreter with a specified local namespace.
+     *
+     * @param dict a Python mapping object (e.g., a dictionary) for use as the namespace
+     */
+    public PythonInterpreter(PyObject dict) {
+    }
+
+    /**
+     * Sets a Python object to use for the standard output stream, <code>sys.stdout</code>. This
+     * stream is used in a byte-oriented way (mostly) that depends on the type of file-like object.
+     * The behaviour as implemented is:
+     * <table border=1>
+     * <caption>Stream behaviour for various object types</caption>
+     * <tr align=center>
+     * <td></td>
+     * <td colspan=3>Python type of object <code>o</code> written</td>
+     * </tr>
+     * <tr align=left>
+     * <th></th>
+     * <th><code>str/bytes</code></th>
+     * <th><code>unicode</code></th>
+     * <th>Any other type</th>
+     * </tr>
+     * <tr align=left>
+     * <th>{@link PyFile}</th>
+     * <td>as bytes directly</td>
+     * <td>respect {@link PyFile#encoding}</td>
+     * <td>call <code>str(o)</code> first</td>
+     * </tr>
+     * <tr align=left>
+     * <th>{@link PyFileWriter}</th>
+     * <td>each byte value as a <code>char</code></td>
+     * <td>write as Java <code>char</code>s</td>
+     * <td>call <code>o.toString()</code> first</td>
+     * </tr>
+     * <tr align=left>
+     * <th>Other {@link PyObject} <code>f</code></th>
+     * <td>invoke <code>f.write(str(o))</code></td>
+     * <td>invoke <code>f.write(o)</code></td>
+     * <td>invoke <code>f.write(str(o))</code></td>
+     * </tr>
+     * </table>
+     *
+     * @param outStream Python file-like object to use as the output stream
+     */
+    public void setOut(PyObject outStream) {
+    }
+
+    /**
+     * Sets a {@link java.io.Writer} to use for the standard output stream, <code>sys.stdout</code>.
+     * The behaviour as implemented is to output each object <code>o</code> by calling
+     * <code>o.toString()</code> and writing this as UTF-16.
+     *
+     * @param outStream to use as the output stream
+     */
+    public void setOut(java.io.Writer outStream) {
+    }
+
+    /**
+     * Sets a {@link java.io.OutputStream} to use for the standard output stream.
+     *
+     * @param outStream OutputStream to use as output stream
+     */
+    public void setOut(java.io.OutputStream outStream) {
+    }
+
+    /**
+     * Sets a Python object to use for the standard output stream, <code>sys.stderr</code>. This
+     * stream is used in a byte-oriented way (mostly) that depends on the type of file-like object,
+     * in the same way as {@link #setOut(PyObject)}.
+     *
+     * @param outStream Python file-like object to use as the error output stream
+     */
+    public void setErr(PyObject outStream) {
+    }
+
+    /**
+     * Sets a {@link java.io.Writer} to use for the standard output stream, <code>sys.stdout</code>.
+     * The behaviour as implemented is to output each object <code>o</code> by calling
+     * <code>o.toString()</code> and writing this as UTF-16.
+     *
+     * @param outStream to use as the error output stream
+     */
+    public void setErr(java.io.Writer outStream) {
+    }
+
+    public void setErr(java.io.OutputStream outStream) {
+    }
+
+    /**
+     * Evaluates a string as a Python expression and returns the result.
+     */
+    public PyObject eval(String s) {
+        return null;
+    }
+
+    /**
+     * Evaluates a Python code object and returns the result.
+     */
+    public PyObject eval(PyObject code) {
+        return null;
+    }
+
+    /**
+     * Executes a string of Python source in the local namespace.
+     *
+     * In some environments, such as Windows, Unicode characters in the script will be converted
+     * into ascii question marks (?). This can be avoided by first compiling the fragment using
+     * PythonInterpreter.compile(), and using the overridden form of this method which takes a
+     * PyCode object. Code page declarations are not supported.
+     */
+    public void exec(String s) {
+    }
+
+    /**
+     * Executes a Python code object in the local namespace.
+     */
+    public void exec(PyObject code) {
+    }
+
+    /**
+     * Executes a file of Python source in the local namespace.
+     */
+    public void execfile(String filename) {
+    }
+
+    public void execfile(java.io.InputStream s) {
+    }
+
+    public void execfile(java.io.InputStream s, String name) {
+    }
+
+    /**
+     * Compiles a string of Python source as either an expression (if possible) or a module.
+     *
+     * Designed for use by a JSR 223 implementation: "the Scripting API does not distinguish between
+     * scripts which return values and those which do not, nor do they make the corresponding
+     * distinction between evaluating or executing objects." (SCR.4.2.1)
+     */
+    public PyCode compile(String script) {
+        return null;
+    }
+
+    public PyCode compile(Reader reader) {
+        return null;
+    }
+
+    public PyCode compile(String script, String filename) {
+        return null;
+    }
+
+    public PyCode compile(Reader reader, String filename) {
+        return null;
+    }
+
+    /**
+     * Sets a variable in the local namespace.
+     *
+     * @param name the name of the variable
+     * @param value the object to set the variable to (as converted to an appropriate Python object)
+     */
+    public void set(String name, Object value) {
+    }
+
+    /**
+     * Sets a variable in the local namespace.
+     *
+     * @param name the name of the variable
+     * @param value the Python object to set the variable to
+     */
+    public void set(String name, PyObject value) {
+    }
+
+    /**
+     * Returns the value of a variable in the local namespace.
+     *
+     * @param name the name of the variable
+     * @return the value of the variable, or null if that name isn't assigned
+     */
+    public PyObject get(String name) {
+        return null;
+    }
+
+    /**
+     * Returns the value of a variable in the local namespace.
+     *
+     * The value will be returned as an instance of the given Java class.
+     * <code>interp.get("foo", Object.class)</code> will return the most appropriate generic Java
+     * object.
+     *
+     * @param name the name of the variable
+     * @param javaclass the class of object to return
+     * @return the value of the variable as the given class, or null if that name isn't assigned
+     */
+    public <T> T get(String name, Class<T> javaclass) {
+        return null;
+    }
+
+    public void cleanup() {
+    }
+
+    public void close() {
+    }
+}

From bd99114cd6f15b131850eebf5bd904fac7eb7f85 Mon Sep 17 00:00:00 2001
From: edvraa <80588099+edvraa@users.noreply.github.com>
Date: Mon, 3 May 2021 09:55:04 +0300
Subject: [PATCH 0803/1429] Comments added

---
 .../javascript/security/InsecureCookie.qll    | 64 ++++++++++++++-----
 1 file changed, 48 insertions(+), 16 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll b/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
index d960a45ac63..83fe3fef40d 100644
--- a/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
+++ b/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
@@ -169,7 +169,10 @@ module Cookie {
   }
 
   /**
-   * A cookie set using `Set-Cookie` header of an `HTTP` response (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).
+   * A cookie set using `Set-Cookie` header of an `HTTP` response.
+   * (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).
+   * In case an array is passed `setHeader("Set-Cookie", [...]` it sets multiple cookies.
+   * Each array element has its own attributes.
    */
   class InsecureSetCookieHeader extends Cookie {
     InsecureSetCookieHeader() {
@@ -184,38 +187,67 @@ module Cookie {
       else result.asExpr() = this.asExpr()
     }
 
-    override predicate isSecure() {
-      // A cookie is secure if the 'secure' flag is specified in the cookie definition.
-      // The default is `false`.
+    /**
+     * A cookie is secure if the `secure` flag is specified in the cookie definition.
+     * The default is `false`.
+     */
+    override predicate isSecure() { allHaveCookieAttribute("secure") }
+
+    /**
+     * A cookie is httpOnly if the `httpOnly` flag is specified in the cookie definition.
+     * The default is `false`.
+     */
+    override predicate isHttpOnly() { allHaveCookieAttribute("httponly") }
+
+    /**
+     * The predicate holds only if all elements have the specified attribute.
+     */
+    bindingset[attribute]
+    private predicate allHaveCookieAttribute(string attribute) {
       forall(DataFlow::Node n | n = getCookieOptionsArgument() |
         exists(string s |
           n.mayHaveStringValue(s) and
-          s.regexpMatch("(?i).*;\\s*secure\\s*;?.*$")
+          hasCookieAttribute(s, attribute)
         )
       )
     }
 
+    /**
+     * The predicate holds only if any element has a sensitive name and
+     * doesn't have the `httpOnly` flag.
+     */
     override predicate isAuthNotHttpOnly() {
       exists(DataFlow::Node n | n = getCookieOptionsArgument() |
         exists(string s |
           n.mayHaveStringValue(s) and
           (
-            not s.regexpMatch("(?i).*;\\s*httponly\\s*;?.*$") and
-            regexpMatchAuth(s.regexpCapture("\\s*([^=\\s]*)\\s*=.*", 1))
+            not hasCookieAttribute(s, "httponly") and
+            regexpMatchAuth(getCookieName(s))
           )
         )
       )
     }
 
-    override predicate isHttpOnly() {
-      // A cookie is httpOnly if the 'httpOnly' flag is specified in the cookie definition.
-      // The default is `false`.
-      forall(DataFlow::Node n | n = getCookieOptionsArgument() |
-        exists(string s |
-          n.mayHaveStringValue(s) and
-          s.regexpMatch("(?i).*;\\s*httponly\\s*;?.*$")
-        )
-      )
+    /**
+     * Gets cookie name from a `Set-Cookie` header value.
+     * The header value always starts with `<cookie-name>=<cookie-value>` optionally followed by attributes:
+     * `<cookie-name>=<cookie-value>; Domain=<domain-value>; Secure; HttpOnly`
+     */
+    bindingset[s]
+    private string getCookieName(string s) { result = s.regexpCapture("\\s*([^=\\s]*)\\s*=.*", 1) }
+
+    /**
+     * Holds if the `Set-Cookie` header value contains the specified attribute
+     * 1. The attribute is case insensitive
+     * 2. It always starts with a pair `<cookie-name>=<cookie-value>`.
+     *    If the attribute is present there must be `;` after the pair.
+     *    Other attributes like `Domain=`, `Path=`, etc. may come after the pair:
+     *    `<cookie-name>=<cookie-value>; Domain=<domain-value>; Secure; HttpOnly`
+     * See `https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie`
+     */
+    bindingset[s, attribute]
+    private predicate hasCookieAttribute(string s, string attribute) {
+      s.regexpMatch("(?i).*;\\s*" + attribute + "\\s*;?.*$")
     }
   }
 

From 65183cde80f4a9473b8bba1eae02d94433cd12c4 Mon Sep 17 00:00:00 2001
From: edvraa <80588099+edvraa@users.noreply.github.com>
Date: Mon, 3 May 2021 09:59:52 +0300
Subject: [PATCH 0804/1429] Move to experimental

---
 .../src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql | 2 +-
 .../ql/src/experimental/Security/CWE-614/InsecureCookie.ql      | 2 +-
 .../semmle/javascript/security/InsecureCookie.qll               | 0
 3 files changed, 2 insertions(+), 2 deletions(-)
 rename javascript/ql/src/{ => experimental}/semmle/javascript/security/InsecureCookie.qll (100%)

diff --git a/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql b/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql
index e903763e21d..1cc9742e8e4 100644
--- a/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql
+++ b/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql
@@ -13,7 +13,7 @@
  */
 
 import javascript
-import semmle.javascript.security.InsecureCookie::Cookie
+import experimental.semmle.javascript.security.InsecureCookie::Cookie
 
 from Cookie cookie
 where cookie.isAuthNotHttpOnly()
diff --git a/javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.ql b/javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.ql
index dcd10c54e4b..789a7ec53e2 100644
--- a/javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.ql
+++ b/javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.ql
@@ -11,7 +11,7 @@
  */
 
 import javascript
-import semmle.javascript.security.InsecureCookie::Cookie
+import experimental.semmle.javascript.security.InsecureCookie::Cookie
 
 from Cookie cookie
 where not cookie.isSecure()
diff --git a/javascript/ql/src/semmle/javascript/security/InsecureCookie.qll b/javascript/ql/src/experimental/semmle/javascript/security/InsecureCookie.qll
similarity index 100%
rename from javascript/ql/src/semmle/javascript/security/InsecureCookie.qll
rename to javascript/ql/src/experimental/semmle/javascript/security/InsecureCookie.qll

From b77b3da8d648e9f44468447d787988d04d3ae59c Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 3 May 2021 09:38:52 +0200
Subject: [PATCH 0805/1429] C#: Add change note

---
 .../2021-05-03-implicit-constructor-init.md        | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 csharp/change-notes/2021-05-03-implicit-constructor-init.md

diff --git a/csharp/change-notes/2021-05-03-implicit-constructor-init.md b/csharp/change-notes/2021-05-03-implicit-constructor-init.md
new file mode 100644
index 00000000000..06267557aa8
--- /dev/null
+++ b/csharp/change-notes/2021-05-03-implicit-constructor-init.md
@@ -0,0 +1,14 @@
+lgtm,codescanning
+* Implicit base constructor calls are now extracted. For example, in
+  ```csharp
+    class Base
+    {
+        public Base() { }
+    }
+
+    class Sub : Base
+    {
+        public Sub() { }
+    }
+  ```
+  there is an implicit call to the `Base` constructor from the `Sub` constructor.

From 633f228dc2d444584128b7cfdb348b82512fde2e Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Thu, 29 Apr 2021 11:48:28 +0200
Subject: [PATCH 0806/1429] C#: Add CFG tests for partial classes

---
 .../controlflow/graph/BasicBlock.expected     |  2 +
 .../controlflow/graph/Dominance.expected      | 48 +++++++++++++++++++
 .../graph/EnclosingCallable.expected          | 26 ++++++++++
 .../controlflow/graph/EntryElement.expected   | 12 +++++
 .../controlflow/graph/ExitElement.expected    | 12 +++++
 .../controlflow/graph/NodeGraph.expected      | 22 +++++++++
 .../controlflow/graph/Nodes.expected          |  2 +
 .../graph/PartialImplementationA.cs           |  4 ++
 .../graph/PartialImplementationB.cs           |  6 +++
 9 files changed, 134 insertions(+)
 create mode 100644 csharp/ql/test/library-tests/controlflow/graph/PartialImplementationA.cs
 create mode 100644 csharp/ql/test/library-tests/controlflow/graph/PartialImplementationB.cs

diff --git a/csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected b/csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected
index 2ec16a930fb..dc77c10b22d 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected
+++ b/csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected
@@ -930,6 +930,8 @@
 | NullCoalescing.cs:15:31:15:31 | 0 | NullCoalescing.cs:16:17:16:18 | "" | 5 |
 | NullCoalescing.cs:16:17:16:25 | ... ?? ... | NullCoalescing.cs:17:13:17:19 | (...) ... | 5 |
 | NullCoalescing.cs:17:13:17:24 | ... ?? ... | NullCoalescing.cs:13:10:13:11 | exit M6 | 4 |
+| PartialImplementationA.cs:3:12:3:18 | enter Partial | PartialImplementationA.cs:3:12:3:18 | exit Partial | 12 |
+| PartialImplementationB.cs:4:12:4:18 | enter Partial | PartialImplementationB.cs:4:12:4:18 | exit Partial | 12 |
 | Patterns.cs:5:10:5:11 | enter M1 | Patterns.cs:8:18:8:23 | Int32 i1 | 8 |
 | Patterns.cs:8:13:8:23 | [false] ... is ... | Patterns.cs:8:13:8:23 | [false] ... is ... | 1 |
 | Patterns.cs:8:13:8:23 | [true] ... is ... | Patterns.cs:8:13:8:23 | [true] ... is ... | 1 |
diff --git a/csharp/ql/test/library-tests/controlflow/graph/Dominance.expected b/csharp/ql/test/library-tests/controlflow/graph/Dominance.expected
index 5a316e90ec0..72cebfe5621 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/Dominance.expected
+++ b/csharp/ql/test/library-tests/controlflow/graph/Dominance.expected
@@ -3058,6 +3058,28 @@ dominance
 | NullCoalescing.cs:17:13:17:19 | (...) ... | NullCoalescing.cs:17:13:17:24 | ... ?? ... |
 | NullCoalescing.cs:17:13:17:24 | ... ?? ... | NullCoalescing.cs:17:9:17:24 | ... = ... |
 | NullCoalescing.cs:17:19:17:19 | access to parameter i | NullCoalescing.cs:17:13:17:19 | (...) ... |
+| PartialImplementationA.cs:3:12:3:18 | call to constructor Object | PartialImplementationB.cs:3:16:3:16 | this access |
+| PartialImplementationA.cs:3:12:3:18 | enter Partial | PartialImplementationA.cs:3:12:3:18 | call to constructor Object |
+| PartialImplementationA.cs:3:12:3:18 | exit Partial (normal) | PartialImplementationA.cs:3:12:3:18 | exit Partial |
+| PartialImplementationA.cs:3:27:3:29 | {...} | PartialImplementationA.cs:3:12:3:18 | exit Partial (normal) |
+| PartialImplementationB.cs:3:16:3:16 | this access | PartialImplementationB.cs:3:20:3:20 | 0 |
+| PartialImplementationB.cs:3:16:3:16 | this access | PartialImplementationB.cs:3:20:3:20 | 0 |
+| PartialImplementationB.cs:3:16:3:20 | ... = ... | PartialImplementationB.cs:5:16:5:16 | this access |
+| PartialImplementationB.cs:3:16:3:20 | ... = ... | PartialImplementationB.cs:5:16:5:16 | this access |
+| PartialImplementationB.cs:3:20:3:20 | 0 | PartialImplementationB.cs:3:16:3:20 | ... = ... |
+| PartialImplementationB.cs:3:20:3:20 | 0 | PartialImplementationB.cs:3:16:3:20 | ... = ... |
+| PartialImplementationB.cs:4:12:4:18 | call to constructor Object | PartialImplementationB.cs:3:16:3:16 | this access |
+| PartialImplementationB.cs:4:12:4:18 | enter Partial | PartialImplementationB.cs:4:12:4:18 | call to constructor Object |
+| PartialImplementationB.cs:4:12:4:18 | exit Partial (normal) | PartialImplementationB.cs:4:12:4:18 | exit Partial |
+| PartialImplementationB.cs:4:22:4:24 | {...} | PartialImplementationB.cs:4:12:4:18 | exit Partial (normal) |
+| PartialImplementationB.cs:5:16:5:16 | access to property P | PartialImplementationB.cs:5:32:5:34 | ... = ... |
+| PartialImplementationB.cs:5:16:5:16 | access to property P | PartialImplementationB.cs:5:32:5:34 | ... = ... |
+| PartialImplementationB.cs:5:16:5:16 | this access | PartialImplementationB.cs:5:34:5:34 | 0 |
+| PartialImplementationB.cs:5:16:5:16 | this access | PartialImplementationB.cs:5:34:5:34 | 0 |
+| PartialImplementationB.cs:5:32:5:34 | ... = ... | PartialImplementationA.cs:3:27:3:29 | {...} |
+| PartialImplementationB.cs:5:32:5:34 | ... = ... | PartialImplementationB.cs:4:22:4:24 | {...} |
+| PartialImplementationB.cs:5:34:5:34 | 0 | PartialImplementationB.cs:5:16:5:16 | access to property P |
+| PartialImplementationB.cs:5:34:5:34 | 0 | PartialImplementationB.cs:5:16:5:16 | access to property P |
 | Patterns.cs:5:10:5:11 | enter M1 | Patterns.cs:6:5:43:5 | {...} |
 | Patterns.cs:5:10:5:11 | exit M1 (normal) | Patterns.cs:5:10:5:11 | exit M1 |
 | Patterns.cs:6:5:43:5 | {...} | Patterns.cs:7:9:7:24 | ... ...; |
@@ -7130,6 +7152,28 @@ postDominance
 | NullCoalescing.cs:17:13:17:19 | (...) ... | NullCoalescing.cs:17:19:17:19 | access to parameter i |
 | NullCoalescing.cs:17:13:17:24 | ... ?? ... | NullCoalescing.cs:17:13:17:19 | (...) ... |
 | NullCoalescing.cs:17:19:17:19 | access to parameter i | NullCoalescing.cs:17:9:17:25 | ...; |
+| PartialImplementationA.cs:3:12:3:18 | call to constructor Object | PartialImplementationA.cs:3:12:3:18 | enter Partial |
+| PartialImplementationA.cs:3:12:3:18 | exit Partial | PartialImplementationA.cs:3:12:3:18 | exit Partial (normal) |
+| PartialImplementationA.cs:3:12:3:18 | exit Partial (normal) | PartialImplementationA.cs:3:27:3:29 | {...} |
+| PartialImplementationA.cs:3:27:3:29 | {...} | PartialImplementationB.cs:5:32:5:34 | ... = ... |
+| PartialImplementationB.cs:3:16:3:16 | this access | PartialImplementationA.cs:3:12:3:18 | call to constructor Object |
+| PartialImplementationB.cs:3:16:3:16 | this access | PartialImplementationB.cs:4:12:4:18 | call to constructor Object |
+| PartialImplementationB.cs:3:16:3:20 | ... = ... | PartialImplementationB.cs:3:20:3:20 | 0 |
+| PartialImplementationB.cs:3:16:3:20 | ... = ... | PartialImplementationB.cs:3:20:3:20 | 0 |
+| PartialImplementationB.cs:3:20:3:20 | 0 | PartialImplementationB.cs:3:16:3:16 | this access |
+| PartialImplementationB.cs:3:20:3:20 | 0 | PartialImplementationB.cs:3:16:3:16 | this access |
+| PartialImplementationB.cs:4:12:4:18 | call to constructor Object | PartialImplementationB.cs:4:12:4:18 | enter Partial |
+| PartialImplementationB.cs:4:12:4:18 | exit Partial | PartialImplementationB.cs:4:12:4:18 | exit Partial (normal) |
+| PartialImplementationB.cs:4:12:4:18 | exit Partial (normal) | PartialImplementationB.cs:4:22:4:24 | {...} |
+| PartialImplementationB.cs:4:22:4:24 | {...} | PartialImplementationB.cs:5:32:5:34 | ... = ... |
+| PartialImplementationB.cs:5:16:5:16 | access to property P | PartialImplementationB.cs:5:34:5:34 | 0 |
+| PartialImplementationB.cs:5:16:5:16 | access to property P | PartialImplementationB.cs:5:34:5:34 | 0 |
+| PartialImplementationB.cs:5:16:5:16 | this access | PartialImplementationB.cs:3:16:3:20 | ... = ... |
+| PartialImplementationB.cs:5:16:5:16 | this access | PartialImplementationB.cs:3:16:3:20 | ... = ... |
+| PartialImplementationB.cs:5:32:5:34 | ... = ... | PartialImplementationB.cs:5:16:5:16 | access to property P |
+| PartialImplementationB.cs:5:32:5:34 | ... = ... | PartialImplementationB.cs:5:16:5:16 | access to property P |
+| PartialImplementationB.cs:5:34:5:34 | 0 | PartialImplementationB.cs:5:16:5:16 | this access |
+| PartialImplementationB.cs:5:34:5:34 | 0 | PartialImplementationB.cs:5:16:5:16 | this access |
 | Patterns.cs:5:10:5:11 | exit M1 | Patterns.cs:5:10:5:11 | exit M1 (normal) |
 | Patterns.cs:5:10:5:11 | exit M1 (normal) | Patterns.cs:40:17:40:17 | access to local variable o |
 | Patterns.cs:6:5:43:5 | {...} | Patterns.cs:5:10:5:11 | enter M1 |
@@ -11677,6 +11721,8 @@ blockDominance
 | NullCoalescing.cs:16:17:16:25 | ... ?? ... | NullCoalescing.cs:16:17:16:25 | ... ?? ... |
 | NullCoalescing.cs:16:17:16:25 | ... ?? ... | NullCoalescing.cs:17:13:17:24 | ... ?? ... |
 | NullCoalescing.cs:17:13:17:24 | ... ?? ... | NullCoalescing.cs:17:13:17:24 | ... ?? ... |
+| PartialImplementationA.cs:3:12:3:18 | enter Partial | PartialImplementationA.cs:3:12:3:18 | enter Partial |
+| PartialImplementationB.cs:4:12:4:18 | enter Partial | PartialImplementationB.cs:4:12:4:18 | enter Partial |
 | Patterns.cs:5:10:5:11 | enter M1 | Patterns.cs:5:10:5:11 | enter M1 |
 | Patterns.cs:5:10:5:11 | enter M1 | Patterns.cs:8:13:8:23 | [false] ... is ... |
 | Patterns.cs:5:10:5:11 | enter M1 | Patterns.cs:8:13:8:23 | [true] ... is ... |
@@ -15218,6 +15264,8 @@ postBlockDominance
 | NullCoalescing.cs:17:13:17:24 | ... ?? ... | NullCoalescing.cs:15:31:15:31 | 0 |
 | NullCoalescing.cs:17:13:17:24 | ... ?? ... | NullCoalescing.cs:16:17:16:25 | ... ?? ... |
 | NullCoalescing.cs:17:13:17:24 | ... ?? ... | NullCoalescing.cs:17:13:17:24 | ... ?? ... |
+| PartialImplementationA.cs:3:12:3:18 | enter Partial | PartialImplementationA.cs:3:12:3:18 | enter Partial |
+| PartialImplementationB.cs:4:12:4:18 | enter Partial | PartialImplementationB.cs:4:12:4:18 | enter Partial |
 | Patterns.cs:5:10:5:11 | enter M1 | Patterns.cs:5:10:5:11 | enter M1 |
 | Patterns.cs:8:13:8:23 | [false] ... is ... | Patterns.cs:8:13:8:23 | [false] ... is ... |
 | Patterns.cs:8:13:8:23 | [true] ... is ... | Patterns.cs:8:13:8:23 | [true] ... is ... |
diff --git a/csharp/ql/test/library-tests/controlflow/graph/EnclosingCallable.expected b/csharp/ql/test/library-tests/controlflow/graph/EnclosingCallable.expected
index c9a2116762d..fe42f87ad26 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/EnclosingCallable.expected
+++ b/csharp/ql/test/library-tests/controlflow/graph/EnclosingCallable.expected
@@ -3498,6 +3498,30 @@ nodeEnclosing
 | NullCoalescing.cs:17:13:17:19 | (...) ... | NullCoalescing.cs:13:10:13:11 | M6 |
 | NullCoalescing.cs:17:13:17:24 | ... ?? ... | NullCoalescing.cs:13:10:13:11 | M6 |
 | NullCoalescing.cs:17:19:17:19 | access to parameter i | NullCoalescing.cs:13:10:13:11 | M6 |
+| PartialImplementationA.cs:3:12:3:18 | call to constructor Object | PartialImplementationA.cs:3:12:3:18 | Partial |
+| PartialImplementationA.cs:3:12:3:18 | enter Partial | PartialImplementationA.cs:3:12:3:18 | Partial |
+| PartialImplementationA.cs:3:12:3:18 | exit Partial | PartialImplementationA.cs:3:12:3:18 | Partial |
+| PartialImplementationA.cs:3:12:3:18 | exit Partial (normal) | PartialImplementationA.cs:3:12:3:18 | Partial |
+| PartialImplementationA.cs:3:27:3:29 | {...} | PartialImplementationA.cs:3:12:3:18 | Partial |
+| PartialImplementationB.cs:3:16:3:16 | this access | PartialImplementationA.cs:3:12:3:18 | Partial |
+| PartialImplementationB.cs:3:16:3:16 | this access | PartialImplementationB.cs:4:12:4:18 | Partial |
+| PartialImplementationB.cs:3:16:3:20 | ... = ... | PartialImplementationA.cs:3:12:3:18 | Partial |
+| PartialImplementationB.cs:3:16:3:20 | ... = ... | PartialImplementationB.cs:4:12:4:18 | Partial |
+| PartialImplementationB.cs:3:20:3:20 | 0 | PartialImplementationA.cs:3:12:3:18 | Partial |
+| PartialImplementationB.cs:3:20:3:20 | 0 | PartialImplementationB.cs:4:12:4:18 | Partial |
+| PartialImplementationB.cs:4:12:4:18 | call to constructor Object | PartialImplementationB.cs:4:12:4:18 | Partial |
+| PartialImplementationB.cs:4:12:4:18 | enter Partial | PartialImplementationB.cs:4:12:4:18 | Partial |
+| PartialImplementationB.cs:4:12:4:18 | exit Partial | PartialImplementationB.cs:4:12:4:18 | Partial |
+| PartialImplementationB.cs:4:12:4:18 | exit Partial (normal) | PartialImplementationB.cs:4:12:4:18 | Partial |
+| PartialImplementationB.cs:4:22:4:24 | {...} | PartialImplementationB.cs:4:12:4:18 | Partial |
+| PartialImplementationB.cs:5:16:5:16 | access to property P | PartialImplementationA.cs:3:12:3:18 | Partial |
+| PartialImplementationB.cs:5:16:5:16 | access to property P | PartialImplementationB.cs:4:12:4:18 | Partial |
+| PartialImplementationB.cs:5:16:5:16 | this access | PartialImplementationA.cs:3:12:3:18 | Partial |
+| PartialImplementationB.cs:5:16:5:16 | this access | PartialImplementationB.cs:4:12:4:18 | Partial |
+| PartialImplementationB.cs:5:32:5:34 | ... = ... | PartialImplementationA.cs:3:12:3:18 | Partial |
+| PartialImplementationB.cs:5:32:5:34 | ... = ... | PartialImplementationB.cs:4:12:4:18 | Partial |
+| PartialImplementationB.cs:5:34:5:34 | 0 | PartialImplementationA.cs:3:12:3:18 | Partial |
+| PartialImplementationB.cs:5:34:5:34 | 0 | PartialImplementationB.cs:4:12:4:18 | Partial |
 | Patterns.cs:5:10:5:11 | enter M1 | Patterns.cs:5:10:5:11 | M1 |
 | Patterns.cs:5:10:5:11 | exit M1 | Patterns.cs:5:10:5:11 | M1 |
 | Patterns.cs:5:10:5:11 | exit M1 (normal) | Patterns.cs:5:10:5:11 | M1 |
@@ -5796,6 +5820,8 @@ blockEnclosing
 | NullCoalescing.cs:15:31:15:31 | 0 | NullCoalescing.cs:13:10:13:11 | M6 |
 | NullCoalescing.cs:16:17:16:25 | ... ?? ... | NullCoalescing.cs:13:10:13:11 | M6 |
 | NullCoalescing.cs:17:13:17:24 | ... ?? ... | NullCoalescing.cs:13:10:13:11 | M6 |
+| PartialImplementationA.cs:3:12:3:18 | enter Partial | PartialImplementationA.cs:3:12:3:18 | Partial |
+| PartialImplementationB.cs:4:12:4:18 | enter Partial | PartialImplementationB.cs:4:12:4:18 | Partial |
 | Patterns.cs:5:10:5:11 | enter M1 | Patterns.cs:5:10:5:11 | M1 |
 | Patterns.cs:8:13:8:23 | [false] ... is ... | Patterns.cs:5:10:5:11 | M1 |
 | Patterns.cs:8:13:8:23 | [true] ... is ... | Patterns.cs:5:10:5:11 | M1 |
diff --git a/csharp/ql/test/library-tests/controlflow/graph/EntryElement.expected b/csharp/ql/test/library-tests/controlflow/graph/EntryElement.expected
index d48906f29c5..4a8935d09b5 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/EntryElement.expected
+++ b/csharp/ql/test/library-tests/controlflow/graph/EntryElement.expected
@@ -2158,6 +2158,18 @@
 | NullCoalescing.cs:17:13:17:24 | ... ?? ... | NullCoalescing.cs:17:19:17:19 | access to parameter i |
 | NullCoalescing.cs:17:19:17:19 | access to parameter i | NullCoalescing.cs:17:19:17:19 | access to parameter i |
 | NullCoalescing.cs:17:24:17:24 | 1 | NullCoalescing.cs:17:24:17:24 | 1 |
+| PartialImplementationA.cs:3:12:3:18 | call to constructor Object | PartialImplementationA.cs:3:12:3:18 | call to constructor Object |
+| PartialImplementationA.cs:3:27:3:29 | {...} | PartialImplementationA.cs:3:27:3:29 | {...} |
+| PartialImplementationB.cs:3:16:3:16 | access to field F | PartialImplementationB.cs:3:16:3:16 | this access |
+| PartialImplementationB.cs:3:16:3:16 | this access | PartialImplementationB.cs:3:16:3:16 | this access |
+| PartialImplementationB.cs:3:16:3:20 | ... = ... | PartialImplementationB.cs:3:16:3:16 | this access |
+| PartialImplementationB.cs:3:20:3:20 | 0 | PartialImplementationB.cs:3:20:3:20 | 0 |
+| PartialImplementationB.cs:4:12:4:18 | call to constructor Object | PartialImplementationB.cs:4:12:4:18 | call to constructor Object |
+| PartialImplementationB.cs:4:22:4:24 | {...} | PartialImplementationB.cs:4:22:4:24 | {...} |
+| PartialImplementationB.cs:5:16:5:16 | access to property P | PartialImplementationB.cs:5:16:5:16 | this access |
+| PartialImplementationB.cs:5:16:5:16 | this access | PartialImplementationB.cs:5:16:5:16 | this access |
+| PartialImplementationB.cs:5:32:5:34 | ... = ... | PartialImplementationB.cs:5:16:5:16 | this access |
+| PartialImplementationB.cs:5:34:5:34 | 0 | PartialImplementationB.cs:5:34:5:34 | 0 |
 | Patterns.cs:6:5:43:5 | {...} | Patterns.cs:6:5:43:5 | {...} |
 | Patterns.cs:7:9:7:24 | ... ...; | Patterns.cs:7:9:7:24 | ... ...; |
 | Patterns.cs:7:16:7:23 | Object o = ... | Patterns.cs:7:20:7:23 | null |
diff --git a/csharp/ql/test/library-tests/controlflow/graph/ExitElement.expected b/csharp/ql/test/library-tests/controlflow/graph/ExitElement.expected
index c96b19b371b..0207253e3f9 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/ExitElement.expected
+++ b/csharp/ql/test/library-tests/controlflow/graph/ExitElement.expected
@@ -2826,6 +2826,18 @@
 | NullCoalescing.cs:17:13:17:24 | ... ?? ... | NullCoalescing.cs:17:13:17:24 | ... ?? ... | normal |
 | NullCoalescing.cs:17:19:17:19 | access to parameter i | NullCoalescing.cs:17:19:17:19 | access to parameter i | normal |
 | NullCoalescing.cs:17:24:17:24 | 1 | NullCoalescing.cs:17:24:17:24 | 1 | normal |
+| PartialImplementationA.cs:3:12:3:18 | call to constructor Object | PartialImplementationA.cs:3:12:3:18 | call to constructor Object | normal |
+| PartialImplementationA.cs:3:27:3:29 | {...} | PartialImplementationA.cs:3:27:3:29 | {...} | normal |
+| PartialImplementationB.cs:3:16:3:16 | access to field F | PartialImplementationB.cs:3:16:3:16 | this access | normal |
+| PartialImplementationB.cs:3:16:3:16 | this access | PartialImplementationB.cs:3:16:3:16 | this access | normal |
+| PartialImplementationB.cs:3:16:3:20 | ... = ... | PartialImplementationB.cs:3:16:3:20 | ... = ... | normal |
+| PartialImplementationB.cs:3:20:3:20 | 0 | PartialImplementationB.cs:3:20:3:20 | 0 | normal |
+| PartialImplementationB.cs:4:12:4:18 | call to constructor Object | PartialImplementationB.cs:4:12:4:18 | call to constructor Object | normal |
+| PartialImplementationB.cs:4:22:4:24 | {...} | PartialImplementationB.cs:4:22:4:24 | {...} | normal |
+| PartialImplementationB.cs:5:16:5:16 | access to property P | PartialImplementationB.cs:5:16:5:16 | this access | normal |
+| PartialImplementationB.cs:5:16:5:16 | this access | PartialImplementationB.cs:5:16:5:16 | this access | normal |
+| PartialImplementationB.cs:5:32:5:34 | ... = ... | PartialImplementationB.cs:5:32:5:34 | ... = ... | normal |
+| PartialImplementationB.cs:5:34:5:34 | 0 | PartialImplementationB.cs:5:34:5:34 | 0 | normal |
 | Patterns.cs:6:5:43:5 | {...} | Patterns.cs:40:17:40:17 | access to local variable o | normal |
 | Patterns.cs:7:9:7:24 | ... ...; | Patterns.cs:7:16:7:23 | Object o = ... | normal |
 | Patterns.cs:7:16:7:23 | Object o = ... | Patterns.cs:7:16:7:23 | Object o = ... | normal |
diff --git a/csharp/ql/test/library-tests/controlflow/graph/NodeGraph.expected b/csharp/ql/test/library-tests/controlflow/graph/NodeGraph.expected
index c39b233b314..a637ecdd987 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/NodeGraph.expected
+++ b/csharp/ql/test/library-tests/controlflow/graph/NodeGraph.expected
@@ -3524,6 +3524,28 @@
 | NullCoalescing.cs:17:13:17:19 | (...) ... | NullCoalescing.cs:17:13:17:24 | ... ?? ... | semmle.label | non-null |
 | NullCoalescing.cs:17:13:17:24 | ... ?? ... | NullCoalescing.cs:17:9:17:24 | ... = ... | semmle.label | successor |
 | NullCoalescing.cs:17:19:17:19 | access to parameter i | NullCoalescing.cs:17:13:17:19 | (...) ... | semmle.label | successor |
+| PartialImplementationA.cs:3:12:3:18 | call to constructor Object | PartialImplementationB.cs:3:16:3:16 | this access | semmle.label | successor |
+| PartialImplementationA.cs:3:12:3:18 | enter Partial | PartialImplementationA.cs:3:12:3:18 | call to constructor Object | semmle.label | successor |
+| PartialImplementationA.cs:3:12:3:18 | exit Partial (normal) | PartialImplementationA.cs:3:12:3:18 | exit Partial | semmle.label | successor |
+| PartialImplementationA.cs:3:27:3:29 | {...} | PartialImplementationA.cs:3:12:3:18 | exit Partial (normal) | semmle.label | successor |
+| PartialImplementationB.cs:3:16:3:16 | this access | PartialImplementationB.cs:3:20:3:20 | 0 | semmle.label | successor |
+| PartialImplementationB.cs:3:16:3:16 | this access | PartialImplementationB.cs:3:20:3:20 | 0 | semmle.label | successor |
+| PartialImplementationB.cs:3:16:3:20 | ... = ... | PartialImplementationB.cs:5:16:5:16 | this access | semmle.label | successor |
+| PartialImplementationB.cs:3:16:3:20 | ... = ... | PartialImplementationB.cs:5:16:5:16 | this access | semmle.label | successor |
+| PartialImplementationB.cs:3:20:3:20 | 0 | PartialImplementationB.cs:3:16:3:20 | ... = ... | semmle.label | successor |
+| PartialImplementationB.cs:3:20:3:20 | 0 | PartialImplementationB.cs:3:16:3:20 | ... = ... | semmle.label | successor |
+| PartialImplementationB.cs:4:12:4:18 | call to constructor Object | PartialImplementationB.cs:3:16:3:16 | this access | semmle.label | successor |
+| PartialImplementationB.cs:4:12:4:18 | enter Partial | PartialImplementationB.cs:4:12:4:18 | call to constructor Object | semmle.label | successor |
+| PartialImplementationB.cs:4:12:4:18 | exit Partial (normal) | PartialImplementationB.cs:4:12:4:18 | exit Partial | semmle.label | successor |
+| PartialImplementationB.cs:4:22:4:24 | {...} | PartialImplementationB.cs:4:12:4:18 | exit Partial (normal) | semmle.label | successor |
+| PartialImplementationB.cs:5:16:5:16 | access to property P | PartialImplementationB.cs:5:32:5:34 | ... = ... | semmle.label | successor |
+| PartialImplementationB.cs:5:16:5:16 | access to property P | PartialImplementationB.cs:5:32:5:34 | ... = ... | semmle.label | successor |
+| PartialImplementationB.cs:5:16:5:16 | this access | PartialImplementationB.cs:5:34:5:34 | 0 | semmle.label | successor |
+| PartialImplementationB.cs:5:16:5:16 | this access | PartialImplementationB.cs:5:34:5:34 | 0 | semmle.label | successor |
+| PartialImplementationB.cs:5:32:5:34 | ... = ... | PartialImplementationA.cs:3:27:3:29 | {...} | semmle.label | successor |
+| PartialImplementationB.cs:5:32:5:34 | ... = ... | PartialImplementationB.cs:4:22:4:24 | {...} | semmle.label | successor |
+| PartialImplementationB.cs:5:34:5:34 | 0 | PartialImplementationB.cs:5:16:5:16 | access to property P | semmle.label | successor |
+| PartialImplementationB.cs:5:34:5:34 | 0 | PartialImplementationB.cs:5:16:5:16 | access to property P | semmle.label | successor |
 | Patterns.cs:5:10:5:11 | enter M1 | Patterns.cs:6:5:43:5 | {...} | semmle.label | successor |
 | Patterns.cs:5:10:5:11 | exit M1 (normal) | Patterns.cs:5:10:5:11 | exit M1 | semmle.label | successor |
 | Patterns.cs:6:5:43:5 | {...} | Patterns.cs:7:9:7:24 | ... ...; | semmle.label | successor |
diff --git a/csharp/ql/test/library-tests/controlflow/graph/Nodes.expected b/csharp/ql/test/library-tests/controlflow/graph/Nodes.expected
index b58f1a57cc7..8b158822831 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/Nodes.expected
+++ b/csharp/ql/test/library-tests/controlflow/graph/Nodes.expected
@@ -1219,6 +1219,8 @@ entryPoint
 | NullCoalescing.cs:9:12:9:13 | M4 | NullCoalescing.cs:9:37:9:37 | access to parameter b |
 | NullCoalescing.cs:11:9:11:10 | M5 | NullCoalescing.cs:11:44:11:45 | access to parameter b1 |
 | NullCoalescing.cs:13:10:13:11 | M6 | NullCoalescing.cs:14:5:18:5 | {...} |
+| PartialImplementationA.cs:3:12:3:18 | Partial | PartialImplementationA.cs:3:12:3:18 | call to constructor Object |
+| PartialImplementationB.cs:4:12:4:18 | Partial | PartialImplementationB.cs:4:12:4:18 | call to constructor Object |
 | Patterns.cs:5:10:5:11 | M1 | Patterns.cs:6:5:43:5 | {...} |
 | Patterns.cs:47:24:47:25 | M2 | Patterns.cs:48:9:48:9 | access to parameter c |
 | Patterns.cs:50:24:50:25 | M3 | Patterns.cs:51:9:51:9 | access to parameter c |
diff --git a/csharp/ql/test/library-tests/controlflow/graph/PartialImplementationA.cs b/csharp/ql/test/library-tests/controlflow/graph/PartialImplementationA.cs
new file mode 100644
index 00000000000..e3061f38a6e
--- /dev/null
+++ b/csharp/ql/test/library-tests/controlflow/graph/PartialImplementationA.cs
@@ -0,0 +1,4 @@
+partial class Partial
+{
+    public Partial(int i) { }
+}
diff --git a/csharp/ql/test/library-tests/controlflow/graph/PartialImplementationB.cs b/csharp/ql/test/library-tests/controlflow/graph/PartialImplementationB.cs
new file mode 100644
index 00000000000..c5120b44cdd
--- /dev/null
+++ b/csharp/ql/test/library-tests/controlflow/graph/PartialImplementationB.cs
@@ -0,0 +1,6 @@
+partial class Partial
+{
+    public int F = 0;
+    public Partial() { }
+    public int P { get; set; } = 0;
+}

From 182b2d0457d7607c5f9d8a28ca165ff3b954d2cc Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Tue, 27 Apr 2021 09:10:25 +0200
Subject: [PATCH 0807/1429] C#: Improve CFG for constructors when there are
 multiple implementations

---
 .../internal/ControlFlowGraphImpl.qll         | 73 ++++++++++-------
 .../csharp/controlflow/internal/Splitting.qll | 80 ++++++++++---------
 .../controlflow/graph/BasicBlock.expected     | 20 ++---
 .../controlflow/graph/Consistency.expected    | 24 ------
 .../controlflow/graph/Dominance.expected      | 64 +++++----------
 .../graph/EnclosingCallable.expected          | 16 ----
 .../controlflow/graph/NodeGraph.expected      | 16 ----
 7 files changed, 112 insertions(+), 181 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll b/csharp/ql/src/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
index a0c0784c010..6a5944db3a2 100644
--- a/csharp/ql/src/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
@@ -49,6 +49,27 @@ private import SuccessorType
 private import SuccessorTypes
 private import Splitting
 private import semmle.code.csharp.ExprOrStmtParent
+private import semmle.code.csharp.commons.Compilation
+
+/**
+ * A compilation.
+ *
+ * Unlike the standard `Compilation` class, this class also supports buildless
+ * extraction.
+ */
+newtype CompilationExt =
+  TCompilation(Compilation c) { not extractionIsStandalone() } or
+  TBuildless() { extractionIsStandalone() }
+
+/** Gets the compilation that source file `f` belongs to. */
+CompilationExt getCompilation(SourceFile f) {
+  exists(Compilation c |
+    f = c.getAFileCompiled() and
+    result = TCompilation(c)
+  )
+  or
+  result = TBuildless()
+}
 
 /** An element that defines a new CFG scope. */
 class CfgScope extends Element, @top_level_exprorstmt_parent {
@@ -135,10 +156,7 @@ predicate scopeFirst(CfgScope scope, ControlFlowElement first) {
       then first(c.(Constructor).getInitializer(), first)
       else
         if InitializerSplitting::constructorInitializes(c, _)
-        then
-          first(any(InitializerSplitting::InitializedInstanceMember m |
-              InitializerSplitting::constructorInitializeOrder(c, m, 0)
-            ).getInitializer(), first)
+        then first(InitializerSplitting::constructorInitializeOrder(c, _, 0), first)
         else first(c.getBody(), first)
     )
   or
@@ -152,36 +170,36 @@ predicate scopeLast(Callable scope, ControlFlowElement last, Completion c) {
   last(scope.getBody(), last, c) and
   not c instanceof GotoCompletion
   or
-  exists(InitializerSplitting::InitializedInstanceMember m |
-    m = InitializerSplitting::lastConstructorInitializer(scope) and
-    last(m.getInitializer(), last, c) and
-    not scope.hasBody()
-  )
+  last(InitializerSplitting::lastConstructorInitializer(scope, _), last, c) and
+  not scope.hasBody()
 }
 
-private class CallableTree extends ControlFlowTree, Callable {
+private class ConstructorTree extends ControlFlowTree, Constructor {
   final override predicate propagatesAbnormal(ControlFlowElement child) { none() }
 
   final override predicate first(ControlFlowElement first) { none() }
 
   final override predicate last(ControlFlowElement last, Completion c) { none() }
 
+  /** Gets the body of this constructor belonging to compilation `comp`. */
+  pragma[noinline]
+  ControlFlowElement getBody(CompilationExt comp) {
+    result = this.getBody() and
+    comp = getCompilation(result.getFile())
+  }
+
   final override predicate succ(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
-    exists(Constructor con, InitializerSplitting::InitializedInstanceMember m, int i |
-      this = con and
-      last(m.getInitializer(), pred, c) and
-      c instanceof NormalCompletion and
-      InitializerSplitting::constructorInitializeOrder(con, m, i)
+    exists(CompilationExt comp, int i, AssignExpr ae |
+      ae = InitializerSplitting::constructorInitializeOrder(this, comp, i) and
+      last(ae, pred, c) and
+      c instanceof NormalCompletion
     |
       // Flow from one member initializer to the next
-      exists(InitializerSplitting::InitializedInstanceMember next |
-        InitializerSplitting::constructorInitializeOrder(con, next, i + 1) and
-        first(next.getInitializer(), succ)
-      )
+      first(InitializerSplitting::constructorInitializeOrder(this, comp, i + 1), succ)
       or
       // Flow from last member initializer to constructor body
-      m = InitializerSplitting::lastConstructorInitializer(con) and
-      first(con.getBody(), succ)
+      ae = InitializerSplitting::lastConstructorInitializer(this, comp) and
+      first(this.getBody(comp), succ)
     )
   }
 }
@@ -884,21 +902,18 @@ module Expressions {
         first(this.getChildElement(i + 1), succ)
       )
       or
-      exists(Constructor con |
+      exists(ConstructorTree con, CompilationExt comp |
         last(this, pred, c) and
         con = this.getConstructor() and
+        comp = getCompilation(this.getFile()) and
         c instanceof NormalCompletion
       |
         // Flow from constructor initializer to first member initializer
-        exists(InitializerSplitting::InitializedInstanceMember m |
-          InitializerSplitting::constructorInitializeOrder(con, m, 0)
-        |
-          first(m.getInitializer(), succ)
-        )
+        first(InitializerSplitting::constructorInitializeOrder(con, comp, 0), succ)
         or
         // Flow from constructor initializer to first element of constructor body
-        not InitializerSplitting::constructorInitializeOrder(con, _, _) and
-        first(con.getBody(), succ)
+        not exists(InitializerSplitting::constructorInitializeOrder(con, comp, _)) and
+        first(con.getBody(comp), succ)
       )
     }
   }
diff --git a/csharp/ql/src/semmle/code/csharp/controlflow/internal/Splitting.qll b/csharp/ql/src/semmle/code/csharp/controlflow/internal/Splitting.qll
index 498e6c461ae..8826ee7c1be 100644
--- a/csharp/ql/src/semmle/code/csharp/controlflow/internal/Splitting.qll
+++ b/csharp/ql/src/semmle/code/csharp/controlflow/internal/Splitting.qll
@@ -218,23 +218,23 @@ module InitializerSplitting {
    * A non-static member with an initializer, for example a field `int Field = 0`.
    */
   class InitializedInstanceMember extends Member {
-    private AssignExpr ae;
-
     InitializedInstanceMember() {
-      not this.isStatic() and
-      expr_parent_top_level_adjusted(ae, _, this) and
-      not ae = any(Callable c).getExpressionBody()
+      exists(AssignExpr ae |
+        not this.isStatic() and
+        expr_parent_top_level(ae, _, this) and
+        not ae = any(Callable c).getExpressionBody()
+      )
     }
 
     /** Gets the initializer expression. */
-    AssignExpr getInitializer() { result = ae }
+    AssignExpr getInitializer() { expr_parent_top_level(result, _, this) }
 
     /**
      * Gets a control flow element that is a syntactic descendant of the
      * initializer expression.
      */
     ControlFlowElement getAnInitializerDescendant() {
-      result = ae
+      result = this.getInitializer()
       or
       result = this.getAnInitializerDescendant().getAChild()
     }
@@ -242,35 +242,41 @@ module InitializerSplitting {
 
   /**
    * Holds if `c` is a non-static constructor that performs the initialization
-   * of member `m`.
+   * of a member via assignment `init`.
    */
-  predicate constructorInitializes(InstanceConstructor c, InitializedInstanceMember m) {
-    c.isUnboundDeclaration() and
-    c.getDeclaringType().getAMember() = m and
-    not c.getInitializer().isThis()
+  predicate constructorInitializes(InstanceConstructor c, AssignExpr init) {
+    exists(InitializedInstanceMember m |
+      c.isUnboundDeclaration() and
+      c.getDeclaringType().getAMember() = m and
+      not c.getInitializer().isThis() and
+      init = m.getInitializer()
+    )
   }
 
   /**
-   * Holds if `m` is the `i`th member initialized by non-static constructor `c`.
+   * Gets the `i`th member initializer expression for non-static constructor `c`
+   * in compilation `comp`.
    */
-  predicate constructorInitializeOrder(Constructor c, InitializedInstanceMember m, int i) {
-    constructorInitializes(c, m) and
-    m =
-      rank[i + 1](InitializedInstanceMember m0 |
-        constructorInitializes(c, m0)
+  AssignExpr constructorInitializeOrder(Constructor c, CompilationExt comp, int i) {
+    constructorInitializes(c, result) and
+    result =
+      rank[i + 1](AssignExpr ae0, Location l |
+        constructorInitializes(c, ae0) and
+        l = ae0.getLocation() and
+        getCompilation(l.getFile()) = comp
       |
-        m0
-        order by
-          m0.getLocation().getStartLine(), m0.getLocation().getStartColumn(),
-          m0.getLocation().getFile().getAbsolutePath()
+        ae0 order by l.getStartLine(), l.getStartColumn(), l.getFile().getAbsolutePath()
       )
   }
 
-  /** Gets the last member initialized by non-static constructor `c`. */
-  InitializedInstanceMember lastConstructorInitializer(Constructor c) {
+  /**
+   * Gets the last member initializer expression for non-static constructor `c`
+   * in compilation `comp`.
+   */
+  AssignExpr lastConstructorInitializer(Constructor c, CompilationExt comp) {
     exists(int i |
-      constructorInitializeOrder(c, result, i) and
-      not constructorInitializeOrder(c, _, i + 1)
+      result = constructorInitializeOrder(c, comp, i) and
+      not exists(constructorInitializeOrder(c, comp, i + 1))
     )
   }
 
@@ -379,8 +385,9 @@ module InitializerSplitting {
       this.appliesTo(pred) and
       succ(pred, succ, c) and
       succ =
-        any(InitializedInstanceMember m | constructorInitializes(this.getConstructor(), m))
-            .getAnInitializerDescendant()
+        any(InitializedInstanceMember m |
+          constructorInitializes(this.getConstructor(), m.getInitializer())
+        ).getAnInitializerDescendant()
     }
   }
 }
@@ -1204,14 +1211,12 @@ module BooleanSplitting {
     exists(Callable c, int r | c = kind.getEnclosingCallable() |
       result = r + ExceptionHandlerSplitting::getNextListOrder() - 1 and
       kind =
-        rank[r](BooleanSplitSubKind kind0 |
+        rank[r](BooleanSplitSubKind kind0, Location l |
           kind0.getEnclosingCallable() = c and
-          kind0.startsSplit(_)
+          kind0.startsSplit(_) and
+          l = kind0.getLocation()
         |
-          kind0
-          order by
-            kind0.getLocation().getStartLine(), kind0.getLocation().getStartColumn(),
-            kind0.toString()
+          kind0 order by l.getStartLine(), l.getStartColumn(), kind0.toString()
         )
     )
   }
@@ -1430,10 +1435,11 @@ module LoopSplitting {
     exists(Callable c, int r | c = enclosingCallable(loop) |
       result = r + BooleanSplitting::getNextListOrder() - 1 and
       loop =
-        rank[r](AnalyzableLoopStmt loop0 |
-          enclosingCallable(loop0) = c
+        rank[r](AnalyzableLoopStmt loop0, Location l |
+          enclosingCallable(loop0) = c and
+          l = loop0.getLocation()
         |
-          loop0 order by loop0.getLocation().getStartLine(), loop0.getLocation().getStartColumn()
+          loop0 order by l.getStartLine(), l.getStartColumn()
         )
     )
   }
diff --git a/csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected b/csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected
index dc77c10b22d..45b1b481612 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected
+++ b/csharp/ql/test/library-tests/controlflow/graph/BasicBlock.expected
@@ -752,7 +752,6 @@
 | MultiImplementationA.cs:8:16:8:16 | exit M | MultiImplementationB.cs:5:16:5:16 | exit M | 1 |
 | MultiImplementationA.cs:8:29:8:32 | null | MultiImplementationA.cs:8:16:8:16 | exit M (abnormal) | 3 |
 | MultiImplementationA.cs:8:29:8:32 | null | MultiImplementationB.cs:5:16:5:16 | exit M (abnormal) | 3 |
-| MultiImplementationA.cs:13:16:13:16 | this access | MultiImplementationA.cs:13:16:13:20 | ... = ... | 3 |
 | MultiImplementationA.cs:14:31:14:31 | access to parameter i | MultiImplementationA.cs:14:31:14:31 | exit get_Item (normal) | 2 |
 | MultiImplementationA.cs:14:31:14:31 | access to parameter i | MultiImplementationB.cs:12:31:12:40 | exit get_Item (normal) | 2 |
 | MultiImplementationA.cs:14:31:14:31 | enter get_Item | MultiImplementationA.cs:14:31:14:31 | enter get_Item | 1 |
@@ -776,19 +775,17 @@
 | MultiImplementationA.cs:16:17:16:18 | exit M1 (normal) | MultiImplementationB.cs:14:17:14:18 | exit M1 | 2 |
 | MultiImplementationA.cs:17:5:19:5 | {...} | MultiImplementationA.cs:18:9:18:22 | M2(...) | 2 |
 | MultiImplementationA.cs:18:9:18:22 | enter M2 | MultiImplementationA.cs:18:9:18:22 | exit M2 | 4 |
-| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationA.cs:20:12:20:13 | call to constructor Object | 1 |
+| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationA.cs:20:12:20:13 | exit C2 (normal) | 14 |
+| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationB.cs:18:12:18:13 | exit C2 (normal) | 14 |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | enter C2 | 1 |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | enter C2 | 1 |
 | MultiImplementationA.cs:20:12:20:13 | exit C2 | MultiImplementationA.cs:20:12:20:13 | exit C2 | 1 |
 | MultiImplementationA.cs:20:12:20:13 | exit C2 | MultiImplementationB.cs:18:12:18:13 | exit C2 | 1 |
-| MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationA.cs:20:12:20:13 | exit C2 (normal) | 6 |
-| MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationB.cs:18:12:18:13 | exit C2 (normal) | 6 |
 | MultiImplementationA.cs:21:12:21:13 | enter C2 | MultiImplementationA.cs:21:12:21:13 | enter C2 | 1 |
 | MultiImplementationA.cs:21:12:21:13 | enter C2 | MultiImplementationB.cs:19:12:19:13 | enter C2 | 1 |
 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | MultiImplementationA.cs:21:12:21:13 | exit C2 | 2 |
 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | MultiImplementationB.cs:19:12:19:13 | exit C2 | 2 |
-| MultiImplementationA.cs:21:24:21:24 | 0 | MultiImplementationA.cs:21:19:21:22 | call to constructor C2 | 2 |
-| MultiImplementationA.cs:21:27:21:29 | {...} | MultiImplementationA.cs:21:27:21:29 | {...} | 1 |
+| MultiImplementationA.cs:21:24:21:24 | 0 | MultiImplementationA.cs:21:27:21:29 | {...} | 3 |
 | MultiImplementationA.cs:22:6:22:7 | enter ~C2 | MultiImplementationA.cs:22:6:22:7 | enter ~C2 | 1 |
 | MultiImplementationA.cs:22:6:22:7 | enter ~C2 | MultiImplementationB.cs:20:6:20:7 | enter ~C2 | 1 |
 | MultiImplementationA.cs:22:6:22:7 | exit ~C2 | MultiImplementationA.cs:22:6:22:7 | exit ~C2 | 1 |
@@ -801,7 +798,6 @@
 | MultiImplementationA.cs:23:28:23:35 | exit implicit conversion | MultiImplementationB.cs:21:28:21:35 | exit implicit conversion | 1 |
 | MultiImplementationA.cs:23:50:23:53 | null | MultiImplementationA.cs:23:28:23:35 | exit implicit conversion (normal) | 2 |
 | MultiImplementationA.cs:23:50:23:53 | null | MultiImplementationB.cs:21:28:21:35 | exit implicit conversion (normal) | 2 |
-| MultiImplementationA.cs:24:16:24:16 | this access | MultiImplementationA.cs:24:32:24:34 | ... = ... | 4 |
 | MultiImplementationA.cs:30:21:30:23 | enter get_P3 | MultiImplementationA.cs:30:21:30:23 | exit get_P3 | 5 |
 | MultiImplementationA.cs:30:21:30:23 | enter get_P3 | MultiImplementationB.cs:27:21:27:23 | exit get_P3 | 5 |
 | MultiImplementationA.cs:36:9:36:10 | enter M1 | MultiImplementationA.cs:36:9:36:10 | enter M1 | 1 |
@@ -835,7 +831,6 @@
 | MultiImplementationB.cs:5:16:5:16 | exit M | MultiImplementationB.cs:5:16:5:16 | exit M | 1 |
 | MultiImplementationB.cs:5:23:5:23 | 2 | MultiImplementationA.cs:8:16:8:16 | exit M (normal) | 2 |
 | MultiImplementationB.cs:5:23:5:23 | 2 | MultiImplementationB.cs:5:16:5:16 | exit M (normal) | 2 |
-| MultiImplementationB.cs:11:16:11:16 | this access | MultiImplementationB.cs:11:16:11:20 | ... = ... | 3 |
 | MultiImplementationB.cs:12:31:12:40 | enter get_Item | MultiImplementationA.cs:14:31:14:31 | enter get_Item | 1 |
 | MultiImplementationB.cs:12:31:12:40 | enter get_Item | MultiImplementationB.cs:12:31:12:40 | enter get_Item | 1 |
 | MultiImplementationB.cs:12:31:12:40 | exit get_Item | MultiImplementationA.cs:14:31:14:31 | exit get_Item | 1 |
@@ -859,19 +854,17 @@
 | MultiImplementationB.cs:14:17:14:18 | exit M1 (normal) | MultiImplementationB.cs:14:17:14:18 | exit M1 | 2 |
 | MultiImplementationB.cs:15:5:17:5 | {...} | MultiImplementationB.cs:16:9:16:31 | M2(...) | 2 |
 | MultiImplementationB.cs:16:9:16:31 | enter M2 | MultiImplementationB.cs:16:9:16:31 | exit M2 | 5 |
-| MultiImplementationB.cs:18:12:18:13 | call to constructor Object | MultiImplementationB.cs:18:12:18:13 | call to constructor Object | 1 |
+| MultiImplementationB.cs:18:12:18:13 | call to constructor Object | MultiImplementationA.cs:20:12:20:13 | exit C2 (abnormal) | 12 |
+| MultiImplementationB.cs:18:12:18:13 | call to constructor Object | MultiImplementationB.cs:18:12:18:13 | exit C2 (abnormal) | 12 |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | enter C2 | 1 |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | enter C2 | 1 |
 | MultiImplementationB.cs:18:12:18:13 | exit C2 | MultiImplementationA.cs:20:12:20:13 | exit C2 | 1 |
 | MultiImplementationB.cs:18:12:18:13 | exit C2 | MultiImplementationB.cs:18:12:18:13 | exit C2 | 1 |
-| MultiImplementationB.cs:18:22:18:36 | {...} | MultiImplementationA.cs:20:12:20:13 | exit C2 (abnormal) | 4 |
-| MultiImplementationB.cs:18:22:18:36 | {...} | MultiImplementationB.cs:18:12:18:13 | exit C2 (abnormal) | 4 |
 | MultiImplementationB.cs:19:12:19:13 | enter C2 | MultiImplementationA.cs:21:12:21:13 | enter C2 | 1 |
 | MultiImplementationB.cs:19:12:19:13 | enter C2 | MultiImplementationB.cs:19:12:19:13 | enter C2 | 1 |
 | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | MultiImplementationA.cs:21:12:21:13 | exit C2 | 2 |
 | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | MultiImplementationB.cs:19:12:19:13 | exit C2 | 2 |
-| MultiImplementationB.cs:19:24:19:24 | 1 | MultiImplementationB.cs:19:19:19:22 | call to constructor C2 | 2 |
-| MultiImplementationB.cs:19:27:19:29 | {...} | MultiImplementationB.cs:19:27:19:29 | {...} | 1 |
+| MultiImplementationB.cs:19:24:19:24 | 1 | MultiImplementationB.cs:19:27:19:29 | {...} | 3 |
 | MultiImplementationB.cs:20:6:20:7 | enter ~C2 | MultiImplementationA.cs:22:6:22:7 | enter ~C2 | 1 |
 | MultiImplementationB.cs:20:6:20:7 | enter ~C2 | MultiImplementationB.cs:20:6:20:7 | enter ~C2 | 1 |
 | MultiImplementationB.cs:20:6:20:7 | exit ~C2 | MultiImplementationA.cs:22:6:22:7 | exit ~C2 | 1 |
@@ -884,7 +877,6 @@
 | MultiImplementationB.cs:21:28:21:35 | exit implicit conversion | MultiImplementationB.cs:21:28:21:35 | exit implicit conversion | 1 |
 | MultiImplementationB.cs:21:56:21:59 | null | MultiImplementationA.cs:23:28:23:35 | exit implicit conversion (abnormal) | 3 |
 | MultiImplementationB.cs:21:56:21:59 | null | MultiImplementationB.cs:21:28:21:35 | exit implicit conversion (abnormal) | 3 |
-| MultiImplementationB.cs:22:16:22:16 | this access | MultiImplementationB.cs:22:32:22:34 | ... = ... | 4 |
 | MultiImplementationB.cs:27:21:27:23 | enter get_P3 | MultiImplementationA.cs:30:21:30:23 | exit get_P3 | 5 |
 | MultiImplementationB.cs:27:21:27:23 | enter get_P3 | MultiImplementationB.cs:27:21:27:23 | exit get_P3 | 5 |
 | MultiImplementationB.cs:32:9:32:10 | enter M1 | MultiImplementationA.cs:36:9:36:10 | enter M1 | 1 |
diff --git a/csharp/ql/test/library-tests/controlflow/graph/Consistency.expected b/csharp/ql/test/library-tests/controlflow/graph/Consistency.expected
index 0df56b8f207..bccab8e85a4 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/Consistency.expected
+++ b/csharp/ql/test/library-tests/controlflow/graph/Consistency.expected
@@ -5,27 +5,3 @@ breakInvariant3
 breakInvariant4
 breakInvariant5
 multipleSuccessors
-| MultiImplementationA.cs:13:16:13:20 | ... = ... | successor | MultiImplementationA.cs:13:16:13:16 | this access |
-| MultiImplementationA.cs:13:16:13:20 | ... = ... | successor | MultiImplementationA.cs:24:16:24:16 | this access |
-| MultiImplementationA.cs:13:16:13:20 | ... = ... | successor | MultiImplementationB.cs:11:16:11:16 | this access |
-| MultiImplementationA.cs:13:16:13:20 | ... = ... | successor | MultiImplementationB.cs:22:16:22:16 | this access |
-| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | successor | MultiImplementationA.cs:13:16:13:16 | this access |
-| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | successor | MultiImplementationB.cs:11:16:11:16 | this access |
-| MultiImplementationA.cs:21:19:21:22 | call to constructor C2 | successor | MultiImplementationA.cs:21:27:21:29 | {...} |
-| MultiImplementationA.cs:21:19:21:22 | call to constructor C2 | successor | MultiImplementationB.cs:19:27:19:29 | {...} |
-| MultiImplementationA.cs:24:32:24:34 | ... = ... | successor | MultiImplementationA.cs:20:22:20:31 | {...} |
-| MultiImplementationA.cs:24:32:24:34 | ... = ... | successor | MultiImplementationA.cs:24:16:24:16 | this access |
-| MultiImplementationA.cs:24:32:24:34 | ... = ... | successor | MultiImplementationB.cs:18:22:18:36 | {...} |
-| MultiImplementationA.cs:24:32:24:34 | ... = ... | successor | MultiImplementationB.cs:22:16:22:16 | this access |
-| MultiImplementationB.cs:11:16:11:20 | ... = ... | successor | MultiImplementationA.cs:13:16:13:16 | this access |
-| MultiImplementationB.cs:11:16:11:20 | ... = ... | successor | MultiImplementationA.cs:24:16:24:16 | this access |
-| MultiImplementationB.cs:11:16:11:20 | ... = ... | successor | MultiImplementationB.cs:11:16:11:16 | this access |
-| MultiImplementationB.cs:11:16:11:20 | ... = ... | successor | MultiImplementationB.cs:22:16:22:16 | this access |
-| MultiImplementationB.cs:18:12:18:13 | call to constructor Object | successor | MultiImplementationA.cs:13:16:13:16 | this access |
-| MultiImplementationB.cs:18:12:18:13 | call to constructor Object | successor | MultiImplementationB.cs:11:16:11:16 | this access |
-| MultiImplementationB.cs:19:19:19:22 | call to constructor C2 | successor | MultiImplementationA.cs:21:27:21:29 | {...} |
-| MultiImplementationB.cs:19:19:19:22 | call to constructor C2 | successor | MultiImplementationB.cs:19:27:19:29 | {...} |
-| MultiImplementationB.cs:22:32:22:34 | ... = ... | successor | MultiImplementationA.cs:20:22:20:31 | {...} |
-| MultiImplementationB.cs:22:32:22:34 | ... = ... | successor | MultiImplementationA.cs:24:16:24:16 | this access |
-| MultiImplementationB.cs:22:32:22:34 | ... = ... | successor | MultiImplementationB.cs:18:22:18:36 | {...} |
-| MultiImplementationB.cs:22:32:22:34 | ... = ... | successor | MultiImplementationB.cs:22:16:22:16 | this access |
diff --git a/csharp/ql/test/library-tests/controlflow/graph/Dominance.expected b/csharp/ql/test/library-tests/controlflow/graph/Dominance.expected
index 72cebfe5621..de10c0acf6f 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/Dominance.expected
+++ b/csharp/ql/test/library-tests/controlflow/graph/Dominance.expected
@@ -2862,6 +2862,7 @@ dominance
 | MultiImplementationA.cs:8:23:8:32 | throw ... | MultiImplementationB.cs:5:16:5:16 | exit M (abnormal) |
 | MultiImplementationA.cs:8:29:8:32 | null | MultiImplementationA.cs:8:23:8:32 | throw ... |
 | MultiImplementationA.cs:13:16:13:16 | this access | MultiImplementationA.cs:13:20:13:20 | 0 |
+| MultiImplementationA.cs:13:16:13:20 | ... = ... | MultiImplementationA.cs:24:16:24:16 | this access |
 | MultiImplementationA.cs:13:20:13:20 | 0 | MultiImplementationA.cs:13:16:13:20 | ... = ... |
 | MultiImplementationA.cs:14:31:14:31 | access to parameter i | MultiImplementationA.cs:14:31:14:31 | exit get_Item (normal) |
 | MultiImplementationA.cs:14:31:14:31 | access to parameter i | MultiImplementationB.cs:12:31:12:40 | exit get_Item (normal) |
@@ -2885,6 +2886,7 @@ dominance
 | MultiImplementationA.cs:18:9:18:22 | enter M2 | MultiImplementationA.cs:18:21:18:21 | 0 |
 | MultiImplementationA.cs:18:9:18:22 | exit M2 (normal) | MultiImplementationA.cs:18:9:18:22 | exit M2 |
 | MultiImplementationA.cs:18:21:18:21 | 0 | MultiImplementationA.cs:18:9:18:22 | exit M2 (normal) |
+| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationA.cs:13:16:13:16 | this access |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | call to constructor Object |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | call to constructor Object |
 | MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationA.cs:20:24:20:29 | ...; |
@@ -2897,6 +2899,7 @@ dominance
 | MultiImplementationA.cs:21:12:21:13 | enter C2 | MultiImplementationB.cs:19:24:19:24 | 1 |
 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | MultiImplementationA.cs:21:12:21:13 | exit C2 |
 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | MultiImplementationB.cs:19:12:19:13 | exit C2 |
+| MultiImplementationA.cs:21:19:21:22 | call to constructor C2 | MultiImplementationA.cs:21:27:21:29 | {...} |
 | MultiImplementationA.cs:21:24:21:24 | 0 | MultiImplementationA.cs:21:19:21:22 | call to constructor C2 |
 | MultiImplementationA.cs:22:6:22:7 | enter ~C2 | MultiImplementationA.cs:22:11:22:13 | {...} |
 | MultiImplementationA.cs:22:6:22:7 | enter ~C2 | MultiImplementationB.cs:20:11:20:25 | {...} |
@@ -2908,6 +2911,7 @@ dominance
 | MultiImplementationA.cs:23:50:23:53 | null | MultiImplementationB.cs:21:28:21:35 | exit implicit conversion (normal) |
 | MultiImplementationA.cs:24:16:24:16 | access to property P | MultiImplementationA.cs:24:32:24:34 | ... = ... |
 | MultiImplementationA.cs:24:16:24:16 | this access | MultiImplementationA.cs:24:34:24:34 | 0 |
+| MultiImplementationA.cs:24:32:24:34 | ... = ... | MultiImplementationA.cs:20:22:20:31 | {...} |
 | MultiImplementationA.cs:24:34:24:34 | 0 | MultiImplementationA.cs:24:16:24:16 | access to property P |
 | MultiImplementationA.cs:30:21:30:23 | enter get_P3 | MultiImplementationA.cs:30:34:30:37 | null |
 | MultiImplementationA.cs:30:21:30:23 | exit get_P3 (abnormal) | MultiImplementationA.cs:30:21:30:23 | exit get_P3 |
@@ -2945,6 +2949,7 @@ dominance
 | MultiImplementationB.cs:5:23:5:23 | 2 | MultiImplementationA.cs:8:16:8:16 | exit M (normal) |
 | MultiImplementationB.cs:5:23:5:23 | 2 | MultiImplementationB.cs:5:16:5:16 | exit M (normal) |
 | MultiImplementationB.cs:11:16:11:16 | this access | MultiImplementationB.cs:11:20:11:20 | 1 |
+| MultiImplementationB.cs:11:16:11:20 | ... = ... | MultiImplementationB.cs:22:16:22:16 | this access |
 | MultiImplementationB.cs:11:20:11:20 | 1 | MultiImplementationB.cs:11:16:11:20 | ... = ... |
 | MultiImplementationB.cs:12:31:12:40 | enter get_Item | MultiImplementationA.cs:14:31:14:31 | access to parameter i |
 | MultiImplementationB.cs:12:31:12:40 | enter get_Item | MultiImplementationB.cs:12:37:12:40 | null |
@@ -2970,6 +2975,7 @@ dominance
 | MultiImplementationB.cs:16:9:16:31 | exit M2 (abnormal) | MultiImplementationB.cs:16:9:16:31 | exit M2 |
 | MultiImplementationB.cs:16:21:16:30 | throw ... | MultiImplementationB.cs:16:9:16:31 | exit M2 (abnormal) |
 | MultiImplementationB.cs:16:27:16:30 | null | MultiImplementationB.cs:16:21:16:30 | throw ... |
+| MultiImplementationB.cs:18:12:18:13 | call to constructor Object | MultiImplementationB.cs:11:16:11:16 | this access |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | call to constructor Object |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | call to constructor Object |
 | MultiImplementationB.cs:18:22:18:36 | {...} | MultiImplementationB.cs:18:30:18:33 | null |
@@ -2980,6 +2986,7 @@ dominance
 | MultiImplementationB.cs:19:12:19:13 | enter C2 | MultiImplementationB.cs:19:24:19:24 | 1 |
 | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | MultiImplementationA.cs:21:12:21:13 | exit C2 |
 | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | MultiImplementationB.cs:19:12:19:13 | exit C2 |
+| MultiImplementationB.cs:19:19:19:22 | call to constructor C2 | MultiImplementationB.cs:19:27:19:29 | {...} |
 | MultiImplementationB.cs:19:24:19:24 | 1 | MultiImplementationB.cs:19:19:19:22 | call to constructor C2 |
 | MultiImplementationB.cs:20:6:20:7 | enter ~C2 | MultiImplementationA.cs:22:11:22:13 | {...} |
 | MultiImplementationB.cs:20:6:20:7 | enter ~C2 | MultiImplementationB.cs:20:11:20:25 | {...} |
@@ -2994,6 +3001,7 @@ dominance
 | MultiImplementationB.cs:21:56:21:59 | null | MultiImplementationB.cs:21:50:21:59 | throw ... |
 | MultiImplementationB.cs:22:16:22:16 | access to property P | MultiImplementationB.cs:22:32:22:34 | ... = ... |
 | MultiImplementationB.cs:22:16:22:16 | this access | MultiImplementationB.cs:22:34:22:34 | 1 |
+| MultiImplementationB.cs:22:32:22:34 | ... = ... | MultiImplementationB.cs:18:22:18:36 | {...} |
 | MultiImplementationB.cs:22:34:22:34 | 1 | MultiImplementationB.cs:22:16:22:16 | access to property P |
 | MultiImplementationB.cs:27:21:27:23 | enter get_P3 | MultiImplementationA.cs:30:34:30:37 | null |
 | MultiImplementationB.cs:27:21:27:23 | exit get_P3 (abnormal) | MultiImplementationA.cs:30:21:30:23 | exit get_P3 |
@@ -6969,6 +6977,7 @@ postDominance
 | MultiImplementationA.cs:8:16:8:16 | exit M (abnormal) | MultiImplementationA.cs:8:23:8:32 | throw ... |
 | MultiImplementationA.cs:8:16:8:16 | exit M (normal) | MultiImplementationB.cs:5:23:5:23 | 2 |
 | MultiImplementationA.cs:8:23:8:32 | throw ... | MultiImplementationA.cs:8:29:8:32 | null |
+| MultiImplementationA.cs:13:16:13:16 | this access | MultiImplementationA.cs:20:12:20:13 | call to constructor Object |
 | MultiImplementationA.cs:13:16:13:20 | ... = ... | MultiImplementationA.cs:13:20:13:20 | 0 |
 | MultiImplementationA.cs:13:20:13:20 | 0 | MultiImplementationA.cs:13:16:13:16 | this access |
 | MultiImplementationA.cs:14:31:14:31 | access to parameter i | MultiImplementationA.cs:14:31:14:31 | enter get_Item |
@@ -6993,10 +7002,11 @@ postDominance
 | MultiImplementationA.cs:18:9:18:22 | exit M2 | MultiImplementationA.cs:18:9:18:22 | exit M2 (normal) |
 | MultiImplementationA.cs:18:9:18:22 | exit M2 (normal) | MultiImplementationA.cs:18:21:18:21 | 0 |
 | MultiImplementationA.cs:18:21:18:21 | 0 | MultiImplementationA.cs:18:9:18:22 | enter M2 |
+| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationA.cs:20:12:20:13 | enter C2 |
+| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationB.cs:18:12:18:13 | enter C2 |
 | MultiImplementationA.cs:20:12:20:13 | exit C2 (abnormal) | MultiImplementationB.cs:18:24:18:34 | throw ...; |
 | MultiImplementationA.cs:20:12:20:13 | exit C2 (normal) | MultiImplementationA.cs:20:24:20:28 | ... = ... |
 | MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationA.cs:24:32:24:34 | ... = ... |
-| MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationB.cs:22:32:22:34 | ... = ... |
 | MultiImplementationA.cs:20:24:20:24 | this access | MultiImplementationA.cs:20:24:20:29 | ...; |
 | MultiImplementationA.cs:20:24:20:28 | ... = ... | MultiImplementationA.cs:20:28:20:28 | access to parameter i |
 | MultiImplementationA.cs:20:24:20:29 | ...; | MultiImplementationA.cs:20:22:20:31 | {...} |
@@ -7006,6 +7016,7 @@ postDominance
 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | MultiImplementationA.cs:21:27:21:29 | {...} |
 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | MultiImplementationB.cs:19:27:19:29 | {...} |
 | MultiImplementationA.cs:21:19:21:22 | call to constructor C2 | MultiImplementationA.cs:21:24:21:24 | 0 |
+| MultiImplementationA.cs:21:27:21:29 | {...} | MultiImplementationA.cs:21:19:21:22 | call to constructor C2 |
 | MultiImplementationA.cs:22:6:22:7 | exit ~C2 (abnormal) | MultiImplementationB.cs:20:13:20:23 | throw ...; |
 | MultiImplementationA.cs:22:6:22:7 | exit ~C2 (normal) | MultiImplementationA.cs:22:11:22:13 | {...} |
 | MultiImplementationA.cs:22:11:22:13 | {...} | MultiImplementationA.cs:22:6:22:7 | enter ~C2 |
@@ -7015,6 +7026,7 @@ postDominance
 | MultiImplementationA.cs:23:50:23:53 | null | MultiImplementationA.cs:23:28:23:35 | enter implicit conversion |
 | MultiImplementationA.cs:23:50:23:53 | null | MultiImplementationB.cs:21:28:21:35 | enter implicit conversion |
 | MultiImplementationA.cs:24:16:24:16 | access to property P | MultiImplementationA.cs:24:34:24:34 | 0 |
+| MultiImplementationA.cs:24:16:24:16 | this access | MultiImplementationA.cs:13:16:13:20 | ... = ... |
 | MultiImplementationA.cs:24:32:24:34 | ... = ... | MultiImplementationA.cs:24:16:24:16 | access to property P |
 | MultiImplementationA.cs:24:34:24:34 | 0 | MultiImplementationA.cs:24:16:24:16 | this access |
 | MultiImplementationA.cs:30:21:30:23 | exit get_P3 | MultiImplementationA.cs:30:21:30:23 | exit get_P3 (abnormal) |
@@ -7050,6 +7062,7 @@ postDominance
 | MultiImplementationB.cs:5:16:5:16 | exit M (normal) | MultiImplementationB.cs:5:23:5:23 | 2 |
 | MultiImplementationB.cs:5:23:5:23 | 2 | MultiImplementationA.cs:8:16:8:16 | enter M |
 | MultiImplementationB.cs:5:23:5:23 | 2 | MultiImplementationB.cs:5:16:5:16 | enter M |
+| MultiImplementationB.cs:11:16:11:16 | this access | MultiImplementationB.cs:18:12:18:13 | call to constructor Object |
 | MultiImplementationB.cs:11:16:11:20 | ... = ... | MultiImplementationB.cs:11:20:11:20 | 1 |
 | MultiImplementationB.cs:11:20:11:20 | 1 | MultiImplementationB.cs:11:16:11:16 | this access |
 | MultiImplementationB.cs:12:31:12:40 | exit get_Item (abnormal) | MultiImplementationB.cs:12:31:12:40 | throw ... |
@@ -7074,6 +7087,7 @@ postDominance
 | MultiImplementationB.cs:16:27:16:30 | null | MultiImplementationB.cs:16:9:16:31 | enter M2 |
 | MultiImplementationB.cs:18:12:18:13 | exit C2 (abnormal) | MultiImplementationB.cs:18:24:18:34 | throw ...; |
 | MultiImplementationB.cs:18:12:18:13 | exit C2 (normal) | MultiImplementationA.cs:20:24:20:28 | ... = ... |
+| MultiImplementationB.cs:18:22:18:36 | {...} | MultiImplementationB.cs:22:32:22:34 | ... = ... |
 | MultiImplementationB.cs:18:24:18:34 | throw ...; | MultiImplementationB.cs:18:30:18:33 | null |
 | MultiImplementationB.cs:18:30:18:33 | null | MultiImplementationB.cs:18:22:18:36 | {...} |
 | MultiImplementationB.cs:19:12:19:13 | exit C2 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) |
@@ -7081,6 +7095,7 @@ postDominance
 | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | MultiImplementationA.cs:21:27:21:29 | {...} |
 | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | MultiImplementationB.cs:19:27:19:29 | {...} |
 | MultiImplementationB.cs:19:19:19:22 | call to constructor C2 | MultiImplementationB.cs:19:24:19:24 | 1 |
+| MultiImplementationB.cs:19:27:19:29 | {...} | MultiImplementationB.cs:19:19:19:22 | call to constructor C2 |
 | MultiImplementationB.cs:20:6:20:7 | exit ~C2 (abnormal) | MultiImplementationB.cs:20:13:20:23 | throw ...; |
 | MultiImplementationB.cs:20:6:20:7 | exit ~C2 (normal) | MultiImplementationA.cs:22:11:22:13 | {...} |
 | MultiImplementationB.cs:20:13:20:23 | throw ...; | MultiImplementationB.cs:20:19:20:22 | null |
@@ -7089,6 +7104,7 @@ postDominance
 | MultiImplementationB.cs:21:28:21:35 | exit implicit conversion (normal) | MultiImplementationA.cs:23:50:23:53 | null |
 | MultiImplementationB.cs:21:50:21:59 | throw ... | MultiImplementationB.cs:21:56:21:59 | null |
 | MultiImplementationB.cs:22:16:22:16 | access to property P | MultiImplementationB.cs:22:34:22:34 | 1 |
+| MultiImplementationB.cs:22:16:22:16 | this access | MultiImplementationB.cs:11:16:11:20 | ... = ... |
 | MultiImplementationB.cs:22:32:22:34 | ... = ... | MultiImplementationB.cs:22:16:22:16 | access to property P |
 | MultiImplementationB.cs:22:34:22:34 | 1 | MultiImplementationB.cs:22:16:22:16 | this access |
 | MultiImplementationB.cs:27:21:27:23 | exit get_P3 | MultiImplementationA.cs:30:21:30:23 | exit get_P3 (abnormal) |
@@ -11408,7 +11424,6 @@ blockDominance
 | MultiImplementationA.cs:8:16:8:16 | exit M | MultiImplementationA.cs:8:16:8:16 | exit M |
 | MultiImplementationA.cs:8:16:8:16 | exit M | MultiImplementationB.cs:5:16:5:16 | exit M |
 | MultiImplementationA.cs:8:29:8:32 | null | MultiImplementationA.cs:8:29:8:32 | null |
-| MultiImplementationA.cs:13:16:13:16 | this access | MultiImplementationA.cs:13:16:13:16 | this access |
 | MultiImplementationA.cs:14:31:14:31 | access to parameter i | MultiImplementationA.cs:14:31:14:31 | access to parameter i |
 | MultiImplementationA.cs:14:31:14:31 | enter get_Item | MultiImplementationA.cs:14:31:14:31 | access to parameter i |
 | MultiImplementationA.cs:14:31:14:31 | enter get_Item | MultiImplementationA.cs:14:31:14:31 | enter get_Item |
@@ -11447,33 +11462,23 @@ blockDominance
 | MultiImplementationA.cs:17:5:19:5 | {...} | MultiImplementationA.cs:17:5:19:5 | {...} |
 | MultiImplementationA.cs:18:9:18:22 | enter M2 | MultiImplementationA.cs:18:9:18:22 | enter M2 |
 | MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationA.cs:20:12:20:13 | call to constructor Object |
-| MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:13:16:13:16 | this access |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | call to constructor Object |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | enter C2 |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | exit C2 |
-| MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:20:22:20:31 | {...} |
-| MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:24:16:24:16 | this access |
-| MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:11:16:11:16 | this access |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | call to constructor Object |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | enter C2 |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | exit C2 |
-| MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:18:22:18:36 | {...} |
-| MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:22:16:22:16 | this access |
 | MultiImplementationA.cs:20:12:20:13 | exit C2 | MultiImplementationA.cs:20:12:20:13 | exit C2 |
 | MultiImplementationA.cs:20:12:20:13 | exit C2 | MultiImplementationB.cs:18:12:18:13 | exit C2 |
-| MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationA.cs:20:22:20:31 | {...} |
 | MultiImplementationA.cs:21:12:21:13 | enter C2 | MultiImplementationA.cs:21:12:21:13 | enter C2 |
 | MultiImplementationA.cs:21:12:21:13 | enter C2 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) |
 | MultiImplementationA.cs:21:12:21:13 | enter C2 | MultiImplementationA.cs:21:24:21:24 | 0 |
-| MultiImplementationA.cs:21:12:21:13 | enter C2 | MultiImplementationA.cs:21:27:21:29 | {...} |
 | MultiImplementationA.cs:21:12:21:13 | enter C2 | MultiImplementationB.cs:19:12:19:13 | enter C2 |
 | MultiImplementationA.cs:21:12:21:13 | enter C2 | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) |
 | MultiImplementationA.cs:21:12:21:13 | enter C2 | MultiImplementationB.cs:19:24:19:24 | 1 |
-| MultiImplementationA.cs:21:12:21:13 | enter C2 | MultiImplementationB.cs:19:27:19:29 | {...} |
 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) |
 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) |
 | MultiImplementationA.cs:21:24:21:24 | 0 | MultiImplementationA.cs:21:24:21:24 | 0 |
-| MultiImplementationA.cs:21:27:21:29 | {...} | MultiImplementationA.cs:21:27:21:29 | {...} |
 | MultiImplementationA.cs:22:6:22:7 | enter ~C2 | MultiImplementationA.cs:22:6:22:7 | enter ~C2 |
 | MultiImplementationA.cs:22:6:22:7 | enter ~C2 | MultiImplementationA.cs:22:6:22:7 | exit ~C2 |
 | MultiImplementationA.cs:22:6:22:7 | enter ~C2 | MultiImplementationA.cs:22:11:22:13 | {...} |
@@ -11492,7 +11497,6 @@ blockDominance
 | MultiImplementationA.cs:23:28:23:35 | exit implicit conversion | MultiImplementationA.cs:23:28:23:35 | exit implicit conversion |
 | MultiImplementationA.cs:23:28:23:35 | exit implicit conversion | MultiImplementationB.cs:21:28:21:35 | exit implicit conversion |
 | MultiImplementationA.cs:23:50:23:53 | null | MultiImplementationA.cs:23:50:23:53 | null |
-| MultiImplementationA.cs:24:16:24:16 | this access | MultiImplementationA.cs:24:16:24:16 | this access |
 | MultiImplementationA.cs:30:21:30:23 | enter get_P3 | MultiImplementationA.cs:30:21:30:23 | enter get_P3 |
 | MultiImplementationA.cs:30:21:30:23 | enter get_P3 | MultiImplementationB.cs:27:21:27:23 | enter get_P3 |
 | MultiImplementationA.cs:36:9:36:10 | enter M1 | MultiImplementationA.cs:36:9:36:10 | enter M1 |
@@ -11541,7 +11545,6 @@ blockDominance
 | MultiImplementationB.cs:5:16:5:16 | exit M | MultiImplementationA.cs:8:16:8:16 | exit M |
 | MultiImplementationB.cs:5:16:5:16 | exit M | MultiImplementationB.cs:5:16:5:16 | exit M |
 | MultiImplementationB.cs:5:23:5:23 | 2 | MultiImplementationB.cs:5:23:5:23 | 2 |
-| MultiImplementationB.cs:11:16:11:16 | this access | MultiImplementationB.cs:11:16:11:16 | this access |
 | MultiImplementationB.cs:12:31:12:40 | enter get_Item | MultiImplementationA.cs:14:31:14:31 | access to parameter i |
 | MultiImplementationB.cs:12:31:12:40 | enter get_Item | MultiImplementationA.cs:14:31:14:31 | enter get_Item |
 | MultiImplementationB.cs:12:31:12:40 | enter get_Item | MultiImplementationA.cs:14:31:14:31 | exit get_Item |
@@ -11580,33 +11583,23 @@ blockDominance
 | MultiImplementationB.cs:15:5:17:5 | {...} | MultiImplementationB.cs:15:5:17:5 | {...} |
 | MultiImplementationB.cs:16:9:16:31 | enter M2 | MultiImplementationB.cs:16:9:16:31 | enter M2 |
 | MultiImplementationB.cs:18:12:18:13 | call to constructor Object | MultiImplementationB.cs:18:12:18:13 | call to constructor Object |
-| MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:13:16:13:16 | this access |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | call to constructor Object |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | enter C2 |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | exit C2 |
-| MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:20:22:20:31 | {...} |
-| MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:24:16:24:16 | this access |
-| MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:11:16:11:16 | this access |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | call to constructor Object |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | enter C2 |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | exit C2 |
-| MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:18:22:18:36 | {...} |
-| MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:22:16:22:16 | this access |
 | MultiImplementationB.cs:18:12:18:13 | exit C2 | MultiImplementationA.cs:20:12:20:13 | exit C2 |
 | MultiImplementationB.cs:18:12:18:13 | exit C2 | MultiImplementationB.cs:18:12:18:13 | exit C2 |
-| MultiImplementationB.cs:18:22:18:36 | {...} | MultiImplementationB.cs:18:22:18:36 | {...} |
 | MultiImplementationB.cs:19:12:19:13 | enter C2 | MultiImplementationA.cs:21:12:21:13 | enter C2 |
 | MultiImplementationB.cs:19:12:19:13 | enter C2 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) |
 | MultiImplementationB.cs:19:12:19:13 | enter C2 | MultiImplementationA.cs:21:24:21:24 | 0 |
-| MultiImplementationB.cs:19:12:19:13 | enter C2 | MultiImplementationA.cs:21:27:21:29 | {...} |
 | MultiImplementationB.cs:19:12:19:13 | enter C2 | MultiImplementationB.cs:19:12:19:13 | enter C2 |
 | MultiImplementationB.cs:19:12:19:13 | enter C2 | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) |
 | MultiImplementationB.cs:19:12:19:13 | enter C2 | MultiImplementationB.cs:19:24:19:24 | 1 |
-| MultiImplementationB.cs:19:12:19:13 | enter C2 | MultiImplementationB.cs:19:27:19:29 | {...} |
 | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) |
 | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) |
 | MultiImplementationB.cs:19:24:19:24 | 1 | MultiImplementationB.cs:19:24:19:24 | 1 |
-| MultiImplementationB.cs:19:27:19:29 | {...} | MultiImplementationB.cs:19:27:19:29 | {...} |
 | MultiImplementationB.cs:20:6:20:7 | enter ~C2 | MultiImplementationA.cs:22:6:22:7 | enter ~C2 |
 | MultiImplementationB.cs:20:6:20:7 | enter ~C2 | MultiImplementationA.cs:22:6:22:7 | exit ~C2 |
 | MultiImplementationB.cs:20:6:20:7 | enter ~C2 | MultiImplementationA.cs:22:11:22:13 | {...} |
@@ -11625,7 +11618,6 @@ blockDominance
 | MultiImplementationB.cs:21:28:21:35 | exit implicit conversion | MultiImplementationA.cs:23:28:23:35 | exit implicit conversion |
 | MultiImplementationB.cs:21:28:21:35 | exit implicit conversion | MultiImplementationB.cs:21:28:21:35 | exit implicit conversion |
 | MultiImplementationB.cs:21:56:21:59 | null | MultiImplementationB.cs:21:56:21:59 | null |
-| MultiImplementationB.cs:22:16:22:16 | this access | MultiImplementationB.cs:22:16:22:16 | this access |
 | MultiImplementationB.cs:27:21:27:23 | enter get_P3 | MultiImplementationA.cs:30:21:30:23 | enter get_P3 |
 | MultiImplementationB.cs:27:21:27:23 | enter get_P3 | MultiImplementationB.cs:27:21:27:23 | enter get_P3 |
 | MultiImplementationB.cs:32:9:32:10 | enter M1 | MultiImplementationA.cs:36:9:36:10 | enter M1 |
@@ -14999,7 +14991,6 @@ postBlockDominance
 | MultiImplementationA.cs:8:16:8:16 | exit M | MultiImplementationA.cs:8:16:8:16 | exit M |
 | MultiImplementationA.cs:8:16:8:16 | exit M | MultiImplementationB.cs:5:16:5:16 | exit M |
 | MultiImplementationA.cs:8:29:8:32 | null | MultiImplementationA.cs:8:29:8:32 | null |
-| MultiImplementationA.cs:13:16:13:16 | this access | MultiImplementationA.cs:13:16:13:16 | this access |
 | MultiImplementationA.cs:14:31:14:31 | access to parameter i | MultiImplementationA.cs:14:31:14:31 | access to parameter i |
 | MultiImplementationA.cs:14:31:14:31 | access to parameter i | MultiImplementationA.cs:14:31:14:31 | enter get_Item |
 | MultiImplementationA.cs:14:31:14:31 | access to parameter i | MultiImplementationB.cs:12:31:12:40 | enter get_Item |
@@ -15034,31 +15025,21 @@ postBlockDominance
 | MultiImplementationA.cs:17:5:19:5 | {...} | MultiImplementationA.cs:17:5:19:5 | {...} |
 | MultiImplementationA.cs:18:9:18:22 | enter M2 | MultiImplementationA.cs:18:9:18:22 | enter M2 |
 | MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationA.cs:20:12:20:13 | call to constructor Object |
+| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationA.cs:20:12:20:13 | enter C2 |
+| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationB.cs:18:12:18:13 | enter C2 |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | enter C2 |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | enter C2 |
 | MultiImplementationA.cs:20:12:20:13 | exit C2 | MultiImplementationA.cs:20:12:20:13 | exit C2 |
 | MultiImplementationA.cs:20:12:20:13 | exit C2 | MultiImplementationB.cs:18:12:18:13 | exit C2 |
-| MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationA.cs:13:16:13:16 | this access |
-| MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationA.cs:20:12:20:13 | call to constructor Object |
-| MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationA.cs:20:12:20:13 | enter C2 |
-| MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationA.cs:20:22:20:31 | {...} |
-| MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationA.cs:24:16:24:16 | this access |
-| MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationB.cs:11:16:11:16 | this access |
-| MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationB.cs:18:12:18:13 | call to constructor Object |
-| MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationB.cs:18:12:18:13 | enter C2 |
-| MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationB.cs:22:16:22:16 | this access |
 | MultiImplementationA.cs:21:12:21:13 | enter C2 | MultiImplementationA.cs:21:12:21:13 | enter C2 |
 | MultiImplementationA.cs:21:12:21:13 | enter C2 | MultiImplementationB.cs:19:12:19:13 | enter C2 |
 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | MultiImplementationA.cs:21:12:21:13 | enter C2 |
 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) |
 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | MultiImplementationA.cs:21:24:21:24 | 0 |
-| MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | MultiImplementationA.cs:21:27:21:29 | {...} |
 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | MultiImplementationB.cs:19:12:19:13 | enter C2 |
 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) |
 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | MultiImplementationB.cs:19:24:19:24 | 1 |
-| MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | MultiImplementationB.cs:19:27:19:29 | {...} |
 | MultiImplementationA.cs:21:24:21:24 | 0 | MultiImplementationA.cs:21:24:21:24 | 0 |
-| MultiImplementationA.cs:21:27:21:29 | {...} | MultiImplementationA.cs:21:27:21:29 | {...} |
 | MultiImplementationA.cs:22:6:22:7 | enter ~C2 | MultiImplementationA.cs:22:6:22:7 | enter ~C2 |
 | MultiImplementationA.cs:22:6:22:7 | enter ~C2 | MultiImplementationB.cs:20:6:20:7 | enter ~C2 |
 | MultiImplementationA.cs:22:6:22:7 | exit ~C2 | MultiImplementationA.cs:22:6:22:7 | exit ~C2 |
@@ -15073,7 +15054,6 @@ postBlockDominance
 | MultiImplementationA.cs:23:50:23:53 | null | MultiImplementationA.cs:23:28:23:35 | enter implicit conversion |
 | MultiImplementationA.cs:23:50:23:53 | null | MultiImplementationA.cs:23:50:23:53 | null |
 | MultiImplementationA.cs:23:50:23:53 | null | MultiImplementationB.cs:21:28:21:35 | enter implicit conversion |
-| MultiImplementationA.cs:24:16:24:16 | this access | MultiImplementationA.cs:24:16:24:16 | this access |
 | MultiImplementationA.cs:30:21:30:23 | enter get_P3 | MultiImplementationA.cs:30:21:30:23 | enter get_P3 |
 | MultiImplementationA.cs:30:21:30:23 | enter get_P3 | MultiImplementationB.cs:27:21:27:23 | enter get_P3 |
 | MultiImplementationA.cs:36:9:36:10 | enter M1 | MultiImplementationA.cs:36:9:36:10 | enter M1 |
@@ -15110,7 +15090,6 @@ postBlockDominance
 | MultiImplementationB.cs:5:23:5:23 | 2 | MultiImplementationA.cs:8:16:8:16 | enter M |
 | MultiImplementationB.cs:5:23:5:23 | 2 | MultiImplementationB.cs:5:16:5:16 | enter M |
 | MultiImplementationB.cs:5:23:5:23 | 2 | MultiImplementationB.cs:5:23:5:23 | 2 |
-| MultiImplementationB.cs:11:16:11:16 | this access | MultiImplementationB.cs:11:16:11:16 | this access |
 | MultiImplementationB.cs:12:31:12:40 | enter get_Item | MultiImplementationA.cs:14:31:14:31 | enter get_Item |
 | MultiImplementationB.cs:12:31:12:40 | enter get_Item | MultiImplementationB.cs:12:31:12:40 | enter get_Item |
 | MultiImplementationB.cs:12:31:12:40 | exit get_Item | MultiImplementationA.cs:14:31:14:31 | exit get_Item |
@@ -15145,19 +15124,15 @@ postBlockDominance
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | enter C2 |
 | MultiImplementationB.cs:18:12:18:13 | exit C2 | MultiImplementationA.cs:20:12:20:13 | exit C2 |
 | MultiImplementationB.cs:18:12:18:13 | exit C2 | MultiImplementationB.cs:18:12:18:13 | exit C2 |
-| MultiImplementationB.cs:18:22:18:36 | {...} | MultiImplementationB.cs:18:22:18:36 | {...} |
 | MultiImplementationB.cs:19:12:19:13 | enter C2 | MultiImplementationA.cs:21:12:21:13 | enter C2 |
 | MultiImplementationB.cs:19:12:19:13 | enter C2 | MultiImplementationB.cs:19:12:19:13 | enter C2 |
 | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | MultiImplementationA.cs:21:12:21:13 | enter C2 |
 | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) |
 | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | MultiImplementationA.cs:21:24:21:24 | 0 |
-| MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | MultiImplementationA.cs:21:27:21:29 | {...} |
 | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | MultiImplementationB.cs:19:12:19:13 | enter C2 |
 | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) |
 | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | MultiImplementationB.cs:19:24:19:24 | 1 |
-| MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | MultiImplementationB.cs:19:27:19:29 | {...} |
 | MultiImplementationB.cs:19:24:19:24 | 1 | MultiImplementationB.cs:19:24:19:24 | 1 |
-| MultiImplementationB.cs:19:27:19:29 | {...} | MultiImplementationB.cs:19:27:19:29 | {...} |
 | MultiImplementationB.cs:20:6:20:7 | enter ~C2 | MultiImplementationA.cs:22:6:22:7 | enter ~C2 |
 | MultiImplementationB.cs:20:6:20:7 | enter ~C2 | MultiImplementationB.cs:20:6:20:7 | enter ~C2 |
 | MultiImplementationB.cs:20:6:20:7 | exit ~C2 | MultiImplementationA.cs:22:6:22:7 | exit ~C2 |
@@ -15168,7 +15143,6 @@ postBlockDominance
 | MultiImplementationB.cs:21:28:21:35 | exit implicit conversion | MultiImplementationA.cs:23:28:23:35 | exit implicit conversion |
 | MultiImplementationB.cs:21:28:21:35 | exit implicit conversion | MultiImplementationB.cs:21:28:21:35 | exit implicit conversion |
 | MultiImplementationB.cs:21:56:21:59 | null | MultiImplementationB.cs:21:56:21:59 | null |
-| MultiImplementationB.cs:22:16:22:16 | this access | MultiImplementationB.cs:22:16:22:16 | this access |
 | MultiImplementationB.cs:27:21:27:23 | enter get_P3 | MultiImplementationA.cs:30:21:30:23 | enter get_P3 |
 | MultiImplementationB.cs:27:21:27:23 | enter get_P3 | MultiImplementationB.cs:27:21:27:23 | enter get_P3 |
 | MultiImplementationB.cs:32:9:32:10 | enter M1 | MultiImplementationA.cs:36:9:36:10 | enter M1 |
diff --git a/csharp/ql/test/library-tests/controlflow/graph/EnclosingCallable.expected b/csharp/ql/test/library-tests/controlflow/graph/EnclosingCallable.expected
index fe42f87ad26..ab190057a83 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/EnclosingCallable.expected
+++ b/csharp/ql/test/library-tests/controlflow/graph/EnclosingCallable.expected
@@ -5628,8 +5628,6 @@ blockEnclosing
 | MultiImplementationA.cs:8:16:8:16 | exit M | MultiImplementationB.cs:5:16:5:16 | M |
 | MultiImplementationA.cs:8:29:8:32 | null | MultiImplementationA.cs:8:16:8:16 | M |
 | MultiImplementationA.cs:8:29:8:32 | null | MultiImplementationB.cs:5:16:5:16 | M |
-| MultiImplementationA.cs:13:16:13:16 | this access | MultiImplementationA.cs:20:12:20:13 | C2 |
-| MultiImplementationA.cs:13:16:13:16 | this access | MultiImplementationB.cs:18:12:18:13 | C2 |
 | MultiImplementationA.cs:14:31:14:31 | access to parameter i | MultiImplementationA.cs:14:31:14:31 | get_Item |
 | MultiImplementationA.cs:14:31:14:31 | access to parameter i | MultiImplementationB.cs:12:31:12:40 | get_Item |
 | MultiImplementationA.cs:14:31:14:31 | enter get_Item | MultiImplementationA.cs:14:31:14:31 | get_Item |
@@ -5661,16 +5659,12 @@ blockEnclosing
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | C2 |
 | MultiImplementationA.cs:20:12:20:13 | exit C2 | MultiImplementationA.cs:20:12:20:13 | C2 |
 | MultiImplementationA.cs:20:12:20:13 | exit C2 | MultiImplementationB.cs:18:12:18:13 | C2 |
-| MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationA.cs:20:12:20:13 | C2 |
-| MultiImplementationA.cs:20:22:20:31 | {...} | MultiImplementationB.cs:18:12:18:13 | C2 |
 | MultiImplementationA.cs:21:12:21:13 | enter C2 | MultiImplementationA.cs:21:12:21:13 | C2 |
 | MultiImplementationA.cs:21:12:21:13 | enter C2 | MultiImplementationB.cs:19:12:19:13 | C2 |
 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | MultiImplementationA.cs:21:12:21:13 | C2 |
 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | MultiImplementationB.cs:19:12:19:13 | C2 |
 | MultiImplementationA.cs:21:24:21:24 | 0 | MultiImplementationA.cs:21:12:21:13 | C2 |
 | MultiImplementationA.cs:21:24:21:24 | 0 | MultiImplementationB.cs:19:12:19:13 | C2 |
-| MultiImplementationA.cs:21:27:21:29 | {...} | MultiImplementationA.cs:21:12:21:13 | C2 |
-| MultiImplementationA.cs:21:27:21:29 | {...} | MultiImplementationB.cs:19:12:19:13 | C2 |
 | MultiImplementationA.cs:22:6:22:7 | enter ~C2 | MultiImplementationA.cs:22:6:22:7 | ~C2 |
 | MultiImplementationA.cs:22:6:22:7 | enter ~C2 | MultiImplementationB.cs:20:6:20:7 | ~C2 |
 | MultiImplementationA.cs:22:6:22:7 | exit ~C2 | MultiImplementationA.cs:22:6:22:7 | ~C2 |
@@ -5683,8 +5677,6 @@ blockEnclosing
 | MultiImplementationA.cs:23:28:23:35 | exit implicit conversion | MultiImplementationB.cs:21:28:21:35 | implicit conversion |
 | MultiImplementationA.cs:23:50:23:53 | null | MultiImplementationA.cs:23:28:23:35 | implicit conversion |
 | MultiImplementationA.cs:23:50:23:53 | null | MultiImplementationB.cs:21:28:21:35 | implicit conversion |
-| MultiImplementationA.cs:24:16:24:16 | this access | MultiImplementationA.cs:20:12:20:13 | C2 |
-| MultiImplementationA.cs:24:16:24:16 | this access | MultiImplementationB.cs:18:12:18:13 | C2 |
 | MultiImplementationA.cs:30:21:30:23 | enter get_P3 | MultiImplementationA.cs:30:21:30:23 | get_P3 |
 | MultiImplementationA.cs:30:21:30:23 | enter get_P3 | MultiImplementationB.cs:27:21:27:23 | get_P3 |
 | MultiImplementationA.cs:36:9:36:10 | enter M1 | MultiImplementationA.cs:36:9:36:10 | M1 |
@@ -5718,8 +5710,6 @@ blockEnclosing
 | MultiImplementationB.cs:5:16:5:16 | exit M | MultiImplementationB.cs:5:16:5:16 | M |
 | MultiImplementationB.cs:5:23:5:23 | 2 | MultiImplementationA.cs:8:16:8:16 | M |
 | MultiImplementationB.cs:5:23:5:23 | 2 | MultiImplementationB.cs:5:16:5:16 | M |
-| MultiImplementationB.cs:11:16:11:16 | this access | MultiImplementationA.cs:20:12:20:13 | C2 |
-| MultiImplementationB.cs:11:16:11:16 | this access | MultiImplementationB.cs:18:12:18:13 | C2 |
 | MultiImplementationB.cs:12:31:12:40 | enter get_Item | MultiImplementationA.cs:14:31:14:31 | get_Item |
 | MultiImplementationB.cs:12:31:12:40 | enter get_Item | MultiImplementationB.cs:12:31:12:40 | get_Item |
 | MultiImplementationB.cs:12:31:12:40 | exit get_Item | MultiImplementationA.cs:14:31:14:31 | get_Item |
@@ -5751,16 +5741,12 @@ blockEnclosing
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | C2 |
 | MultiImplementationB.cs:18:12:18:13 | exit C2 | MultiImplementationA.cs:20:12:20:13 | C2 |
 | MultiImplementationB.cs:18:12:18:13 | exit C2 | MultiImplementationB.cs:18:12:18:13 | C2 |
-| MultiImplementationB.cs:18:22:18:36 | {...} | MultiImplementationA.cs:20:12:20:13 | C2 |
-| MultiImplementationB.cs:18:22:18:36 | {...} | MultiImplementationB.cs:18:12:18:13 | C2 |
 | MultiImplementationB.cs:19:12:19:13 | enter C2 | MultiImplementationA.cs:21:12:21:13 | C2 |
 | MultiImplementationB.cs:19:12:19:13 | enter C2 | MultiImplementationB.cs:19:12:19:13 | C2 |
 | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | MultiImplementationA.cs:21:12:21:13 | C2 |
 | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | MultiImplementationB.cs:19:12:19:13 | C2 |
 | MultiImplementationB.cs:19:24:19:24 | 1 | MultiImplementationA.cs:21:12:21:13 | C2 |
 | MultiImplementationB.cs:19:24:19:24 | 1 | MultiImplementationB.cs:19:12:19:13 | C2 |
-| MultiImplementationB.cs:19:27:19:29 | {...} | MultiImplementationA.cs:21:12:21:13 | C2 |
-| MultiImplementationB.cs:19:27:19:29 | {...} | MultiImplementationB.cs:19:12:19:13 | C2 |
 | MultiImplementationB.cs:20:6:20:7 | enter ~C2 | MultiImplementationA.cs:22:6:22:7 | ~C2 |
 | MultiImplementationB.cs:20:6:20:7 | enter ~C2 | MultiImplementationB.cs:20:6:20:7 | ~C2 |
 | MultiImplementationB.cs:20:6:20:7 | exit ~C2 | MultiImplementationA.cs:22:6:22:7 | ~C2 |
@@ -5773,8 +5759,6 @@ blockEnclosing
 | MultiImplementationB.cs:21:28:21:35 | exit implicit conversion | MultiImplementationB.cs:21:28:21:35 | implicit conversion |
 | MultiImplementationB.cs:21:56:21:59 | null | MultiImplementationA.cs:23:28:23:35 | implicit conversion |
 | MultiImplementationB.cs:21:56:21:59 | null | MultiImplementationB.cs:21:28:21:35 | implicit conversion |
-| MultiImplementationB.cs:22:16:22:16 | this access | MultiImplementationA.cs:20:12:20:13 | C2 |
-| MultiImplementationB.cs:22:16:22:16 | this access | MultiImplementationB.cs:18:12:18:13 | C2 |
 | MultiImplementationB.cs:27:21:27:23 | enter get_P3 | MultiImplementationA.cs:30:21:30:23 | get_P3 |
 | MultiImplementationB.cs:27:21:27:23 | enter get_P3 | MultiImplementationB.cs:27:21:27:23 | get_P3 |
 | MultiImplementationB.cs:32:9:32:10 | enter M1 | MultiImplementationA.cs:36:9:36:10 | M1 |
diff --git a/csharp/ql/test/library-tests/controlflow/graph/NodeGraph.expected b/csharp/ql/test/library-tests/controlflow/graph/NodeGraph.expected
index a637ecdd987..2441e36f62d 100644
--- a/csharp/ql/test/library-tests/controlflow/graph/NodeGraph.expected
+++ b/csharp/ql/test/library-tests/controlflow/graph/NodeGraph.expected
@@ -3211,10 +3211,7 @@
 | MultiImplementationA.cs:8:23:8:32 | throw ... | MultiImplementationB.cs:5:16:5:16 | exit M (abnormal) | semmle.label | exception(NullReferenceException) |
 | MultiImplementationA.cs:8:29:8:32 | null | MultiImplementationA.cs:8:23:8:32 | throw ... | semmle.label | successor |
 | MultiImplementationA.cs:13:16:13:16 | this access | MultiImplementationA.cs:13:20:13:20 | 0 | semmle.label | successor |
-| MultiImplementationA.cs:13:16:13:20 | ... = ... | MultiImplementationA.cs:13:16:13:16 | this access | semmle.label | successor |
 | MultiImplementationA.cs:13:16:13:20 | ... = ... | MultiImplementationA.cs:24:16:24:16 | this access | semmle.label | successor |
-| MultiImplementationA.cs:13:16:13:20 | ... = ... | MultiImplementationB.cs:11:16:11:16 | this access | semmle.label | successor |
-| MultiImplementationA.cs:13:16:13:20 | ... = ... | MultiImplementationB.cs:22:16:22:16 | this access | semmle.label | successor |
 | MultiImplementationA.cs:13:20:13:20 | 0 | MultiImplementationA.cs:13:16:13:20 | ... = ... | semmle.label | successor |
 | MultiImplementationA.cs:14:31:14:31 | access to parameter i | MultiImplementationA.cs:14:31:14:31 | exit get_Item (normal) | semmle.label | successor |
 | MultiImplementationA.cs:14:31:14:31 | access to parameter i | MultiImplementationB.cs:12:31:12:40 | exit get_Item (normal) | semmle.label | successor |
@@ -3251,7 +3248,6 @@
 | MultiImplementationA.cs:18:9:18:22 | exit M2 (normal) | MultiImplementationA.cs:18:9:18:22 | exit M2 | semmle.label | successor |
 | MultiImplementationA.cs:18:21:18:21 | 0 | MultiImplementationA.cs:18:9:18:22 | exit M2 (normal) | semmle.label | successor |
 | MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationA.cs:13:16:13:16 | this access | semmle.label | successor |
-| MultiImplementationA.cs:20:12:20:13 | call to constructor Object | MultiImplementationB.cs:11:16:11:16 | this access | semmle.label | successor |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | call to constructor Object | semmle.label | successor |
 | MultiImplementationA.cs:20:12:20:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | call to constructor Object | semmle.label | successor |
 | MultiImplementationA.cs:20:12:20:13 | exit C2 (abnormal) | MultiImplementationA.cs:20:12:20:13 | exit C2 | semmle.label | successor |
@@ -3269,7 +3265,6 @@
 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | MultiImplementationA.cs:21:12:21:13 | exit C2 | semmle.label | successor |
 | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | MultiImplementationB.cs:19:12:19:13 | exit C2 | semmle.label | successor |
 | MultiImplementationA.cs:21:19:21:22 | call to constructor C2 | MultiImplementationA.cs:21:27:21:29 | {...} | semmle.label | successor |
-| MultiImplementationA.cs:21:19:21:22 | call to constructor C2 | MultiImplementationB.cs:19:27:19:29 | {...} | semmle.label | successor |
 | MultiImplementationA.cs:21:24:21:24 | 0 | MultiImplementationA.cs:21:19:21:22 | call to constructor C2 | semmle.label | successor |
 | MultiImplementationA.cs:21:27:21:29 | {...} | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | semmle.label | successor |
 | MultiImplementationA.cs:21:27:21:29 | {...} | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | semmle.label | successor |
@@ -3292,9 +3287,6 @@
 | MultiImplementationA.cs:24:16:24:16 | access to property P | MultiImplementationA.cs:24:32:24:34 | ... = ... | semmle.label | successor |
 | MultiImplementationA.cs:24:16:24:16 | this access | MultiImplementationA.cs:24:34:24:34 | 0 | semmle.label | successor |
 | MultiImplementationA.cs:24:32:24:34 | ... = ... | MultiImplementationA.cs:20:22:20:31 | {...} | semmle.label | successor |
-| MultiImplementationA.cs:24:32:24:34 | ... = ... | MultiImplementationA.cs:24:16:24:16 | this access | semmle.label | successor |
-| MultiImplementationA.cs:24:32:24:34 | ... = ... | MultiImplementationB.cs:18:22:18:36 | {...} | semmle.label | successor |
-| MultiImplementationA.cs:24:32:24:34 | ... = ... | MultiImplementationB.cs:22:16:22:16 | this access | semmle.label | successor |
 | MultiImplementationA.cs:24:34:24:34 | 0 | MultiImplementationA.cs:24:16:24:16 | access to property P | semmle.label | successor |
 | MultiImplementationA.cs:30:21:30:23 | enter get_P3 | MultiImplementationA.cs:30:34:30:37 | null | semmle.label | successor |
 | MultiImplementationA.cs:30:21:30:23 | exit get_P3 (abnormal) | MultiImplementationA.cs:30:21:30:23 | exit get_P3 | semmle.label | successor |
@@ -3352,9 +3344,6 @@
 | MultiImplementationB.cs:5:23:5:23 | 2 | MultiImplementationA.cs:8:16:8:16 | exit M (normal) | semmle.label | successor |
 | MultiImplementationB.cs:5:23:5:23 | 2 | MultiImplementationB.cs:5:16:5:16 | exit M (normal) | semmle.label | successor |
 | MultiImplementationB.cs:11:16:11:16 | this access | MultiImplementationB.cs:11:20:11:20 | 1 | semmle.label | successor |
-| MultiImplementationB.cs:11:16:11:20 | ... = ... | MultiImplementationA.cs:13:16:13:16 | this access | semmle.label | successor |
-| MultiImplementationB.cs:11:16:11:20 | ... = ... | MultiImplementationA.cs:24:16:24:16 | this access | semmle.label | successor |
-| MultiImplementationB.cs:11:16:11:20 | ... = ... | MultiImplementationB.cs:11:16:11:16 | this access | semmle.label | successor |
 | MultiImplementationB.cs:11:16:11:20 | ... = ... | MultiImplementationB.cs:22:16:22:16 | this access | semmle.label | successor |
 | MultiImplementationB.cs:11:20:11:20 | 1 | MultiImplementationB.cs:11:16:11:20 | ... = ... | semmle.label | successor |
 | MultiImplementationB.cs:12:31:12:40 | enter get_Item | MultiImplementationA.cs:14:31:14:31 | access to parameter i | semmle.label | successor |
@@ -3393,7 +3382,6 @@
 | MultiImplementationB.cs:16:9:16:31 | exit M2 (abnormal) | MultiImplementationB.cs:16:9:16:31 | exit M2 | semmle.label | successor |
 | MultiImplementationB.cs:16:21:16:30 | throw ... | MultiImplementationB.cs:16:9:16:31 | exit M2 (abnormal) | semmle.label | exception(NullReferenceException) |
 | MultiImplementationB.cs:16:27:16:30 | null | MultiImplementationB.cs:16:21:16:30 | throw ... | semmle.label | successor |
-| MultiImplementationB.cs:18:12:18:13 | call to constructor Object | MultiImplementationA.cs:13:16:13:16 | this access | semmle.label | successor |
 | MultiImplementationB.cs:18:12:18:13 | call to constructor Object | MultiImplementationB.cs:11:16:11:16 | this access | semmle.label | successor |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationA.cs:20:12:20:13 | call to constructor Object | semmle.label | successor |
 | MultiImplementationB.cs:18:12:18:13 | enter C2 | MultiImplementationB.cs:18:12:18:13 | call to constructor Object | semmle.label | successor |
@@ -3409,7 +3397,6 @@
 | MultiImplementationB.cs:19:12:19:13 | enter C2 | MultiImplementationB.cs:19:24:19:24 | 1 | semmle.label | successor |
 | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | MultiImplementationA.cs:21:12:21:13 | exit C2 | semmle.label | successor |
 | MultiImplementationB.cs:19:12:19:13 | exit C2 (normal) | MultiImplementationB.cs:19:12:19:13 | exit C2 | semmle.label | successor |
-| MultiImplementationB.cs:19:19:19:22 | call to constructor C2 | MultiImplementationA.cs:21:27:21:29 | {...} | semmle.label | successor |
 | MultiImplementationB.cs:19:19:19:22 | call to constructor C2 | MultiImplementationB.cs:19:27:19:29 | {...} | semmle.label | successor |
 | MultiImplementationB.cs:19:24:19:24 | 1 | MultiImplementationB.cs:19:19:19:22 | call to constructor C2 | semmle.label | successor |
 | MultiImplementationB.cs:19:27:19:29 | {...} | MultiImplementationA.cs:21:12:21:13 | exit C2 (normal) | semmle.label | successor |
@@ -3435,10 +3422,7 @@
 | MultiImplementationB.cs:21:56:21:59 | null | MultiImplementationB.cs:21:50:21:59 | throw ... | semmle.label | successor |
 | MultiImplementationB.cs:22:16:22:16 | access to property P | MultiImplementationB.cs:22:32:22:34 | ... = ... | semmle.label | successor |
 | MultiImplementationB.cs:22:16:22:16 | this access | MultiImplementationB.cs:22:34:22:34 | 1 | semmle.label | successor |
-| MultiImplementationB.cs:22:32:22:34 | ... = ... | MultiImplementationA.cs:20:22:20:31 | {...} | semmle.label | successor |
-| MultiImplementationB.cs:22:32:22:34 | ... = ... | MultiImplementationA.cs:24:16:24:16 | this access | semmle.label | successor |
 | MultiImplementationB.cs:22:32:22:34 | ... = ... | MultiImplementationB.cs:18:22:18:36 | {...} | semmle.label | successor |
-| MultiImplementationB.cs:22:32:22:34 | ... = ... | MultiImplementationB.cs:22:16:22:16 | this access | semmle.label | successor |
 | MultiImplementationB.cs:22:34:22:34 | 1 | MultiImplementationB.cs:22:16:22:16 | access to property P | semmle.label | successor |
 | MultiImplementationB.cs:27:21:27:23 | enter get_P3 | MultiImplementationA.cs:30:34:30:37 | null | semmle.label | successor |
 | MultiImplementationB.cs:27:21:27:23 | exit get_P3 (abnormal) | MultiImplementationA.cs:30:21:30:23 | exit get_P3 | semmle.label | successor |

From 000826af119229d17070dbd36e224e07749c9934 Mon Sep 17 00:00:00 2001
From: edvraa <80588099+edvraa@users.noreply.github.com>
Date: Mon, 3 May 2021 12:18:43 +0300
Subject: [PATCH 0808/1429] typo

---
 .../semmle/javascript/security/InsecureCookie.qll             | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/src/experimental/semmle/javascript/security/InsecureCookie.qll b/javascript/ql/src/experimental/semmle/javascript/security/InsecureCookie.qll
index 83fe3fef40d..b116b9e75e6 100644
--- a/javascript/ql/src/experimental/semmle/javascript/security/InsecureCookie.qll
+++ b/javascript/ql/src/experimental/semmle/javascript/security/InsecureCookie.qll
@@ -115,7 +115,7 @@ module Cookie {
     }
 
     override predicate isSecure() {
-      // The flag `secure` is not set by default (https://github.com/expressjs/session#Cookieecure).
+      // The flag `secure` is not set by default (https://github.com/expressjs/session#Cookiesecure).
       // The default value for cookie options is { path: '/', httpOnly: true, secure: false, maxAge: null }.
       // A cookie is secure if there are the cookie options with the `secure` flag set to `true` or to `auto`.
       getCookieFlagValue(secureFlag()).mayHaveBooleanValue(true) or
@@ -127,7 +127,7 @@ module Cookie {
     }
 
     override predicate isHttpOnly() {
-      // The flag `httpOnly` is set by default (https://github.com/expressjs/session#Cookieecure).
+      // The flag `httpOnly` is set by default (https://github.com/expressjs/session#Cookiesecure).
       // The default value for cookie options is { path: '/', httpOnly: true, secure: false, maxAge: null }.
       // A cookie is httpOnly if the `httpOnly` flag is not explicitly set to `false`.
       not getCookieFlagValue(httpOnlyFlag()).mayHaveBooleanValue(false)

From ea38f0d3bd309d752d5bccee8a170263c4eb7d49 Mon Sep 17 00:00:00 2001
From: edvraa <80588099+edvraa@users.noreply.github.com>
Date: Mon, 3 May 2021 12:19:05 +0300
Subject: [PATCH 0809/1429] a new test for simple flow

---
 .../CWE-1004/CookieWithoutHttpOnly.expected        |  3 ++-
 .../Security/CWE-1004/test_cookie-session.js       | 14 +++++++++++---
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected b/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
index da9e730cc16..837df006d92 100644
--- a/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
@@ -1,7 +1,8 @@
 | test_cookie-session.js:12:9:16:2 | session ...  BAD\\n}) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_cookie-session.js:30:9:30:21 | session(sess) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_cookie-session.js:39:9:39:22 | session(sess2) | Cookie attribute 'HttpOnly' is not set to true. |
-| test_cookie-session.js:48:9:48:22 | session(sess2) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_cookie-session.js:48:9:48:22 | session(sess3) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_cookie-session.js:52:9:56:2 | session ...  BAD\\n}) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_express-session.js:11:9:15:2 | session ...  BAD\\n}) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_express-session.js:28:9:32:2 | session ... tter\\n}) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_httpserver.js:7:37:7:48 | "auth=ninja" | Cookie attribute 'HttpOnly' is not set to true. |
diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/test_cookie-session.js b/javascript/ql/test/query-tests/Security/CWE-1004/test_cookie-session.js
index 66e4f9bc4b7..b29faed1cd9 100644
--- a/javascript/ql/test/query-tests/Security/CWE-1004/test_cookie-session.js
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/test_cookie-session.js
@@ -38,11 +38,19 @@ var sess2 = {
 sess2.httpOnly = false;
 app.use(session(sess2)) // BAD
 
-var sess2 = {
+var sess3 = {
     name: 'mycookie',
     keys: ['key1', 'key2'],
     httpOnly: true,
 }
 
-sess2.httpOnly = false;
-app.use(session(sess2)) // BAD, It is a session cookie, name doesn't matter
\ No newline at end of file
+sess3.httpOnly = false;
+app.use(session(sess3)) // BAD, It is a session cookie, name doesn't matter
+
+var flag = false
+var flag2 = flag
+app.use(session({
+    name: 'session',
+    keys: ['key1', 'key2'],
+    httpOnly: flag2 // BAD
+}))
\ No newline at end of file

From 38e052482c4b1017396962f29705d38f1c8854ae Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Mon, 3 May 2021 12:44:53 +0200
Subject: [PATCH 0810/1429] More csv sinks and sources

---
 .../Security/CWE/CWE-094/JexlInjectionLib.qll | 140 +++++-------------
 .../query-tests/security/CWE-094/options      |   2 +-
 .../apache/commons/jexl2/JexlArithmetic.java  |   5 +
 .../org/apache/commons/jexl2/JexlEngine.java  |  16 +-
 .../org/apache/commons/logging/Log.java       |   5 +
 5 files changed, 54 insertions(+), 114 deletions(-)
 create mode 100644 java/ql/test/stubs/apache-commons-jexl-2.1.1/org/apache/commons/jexl2/JexlArithmetic.java
 create mode 100644 java/ql/test/stubs/apache-commons-logging-1.2/org/apache/commons/logging/Log.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
index dfe3a793ef3..811d9877112 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
@@ -30,9 +30,6 @@ private class DefaultJexlInjectionSinkModel extends SinkModelCsv {
         "org.apache.commons.jexl2;Script;false;callable;;;Argument[-1];jexl",
         "org.apache.commons.jexl2;JexlScript;false;execute;;;Argument[-1];jexl",
         "org.apache.commons.jexl2;JexlScript;false;callable;;;Argument[-1];jexl",
-        "org.apache.commons.jexl2;JxltEngine$Expression;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl2;JxltEngine$Expression;false;prepare;;;Argument[-1];jexl",
-        "org.apache.commons.jexl2;JxltEngine$Template;false;evaluate;;;Argument[-1];jexl",
         "org.apache.commons.jexl2;UnifiedJEXL$Expression;false;evaluate;;;Argument[-1];jexl",
         "org.apache.commons.jexl2;UnifiedJEXL$Expression;false;prepare;;;Argument[-1];jexl",
         "org.apache.commons.jexl2;UnifiedJEXL$Template;false;evaluate;;;Argument[-1];jexl",
@@ -51,10 +48,7 @@ private class DefaultJexlInjectionSinkModel extends SinkModelCsv {
         "org.apache.commons.jexl3;JexlScript;false;callable;;;Argument[-1];jexl",
         "org.apache.commons.jexl3;JxltEngine$Expression;false;evaluate;;;Argument[-1];jexl",
         "org.apache.commons.jexl3;JxltEngine$Expression;false;prepare;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;JxltEngine$Template;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;UnifiedJEXL$Expression;false;evaluate;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;UnifiedJEXL$Expression;false;prepare;;;Argument[-1];jexl",
-        "org.apache.commons.jexl3;UnifiedJEXL$Template;false;evaluate;;;Argument[-1];jexl"
+        "org.apache.commons.jexl3;JxltEngine$Template;false;evaluate;;;Argument[-1];jexl"
       ]
   }
 }
@@ -135,48 +129,50 @@ private predicate isUnsafeEngine(Expr expr) {
 private class SandboxedJexlFlowConfig extends DataFlow2::Configuration {
   SandboxedJexlFlowConfig() { this = "JexlInjection::SandboxedJexlFlowConfig" }
 
-  override predicate isSource(DataFlow::Node node) { node instanceof SandboxedJexlSource }
+  override predicate isSource(DataFlow::Node node) { sourceNode(node, "sandboxed-jexl") }
 
-  override predicate isSink(DataFlow::Node node) {
-    exists(MethodAccess ma, Method m | ma.getMethod() = m |
-      (
-        m instanceof CreateJexlScriptMethod or
-        m instanceof CreateJexlExpressionMethod or
-        m instanceof CreateJexlTemplateMethod
-      ) and
-      ma.getQualifier() = node.asExpr()
-    )
-  }
+  override predicate isSink(DataFlow::Node node) { sinkNode(node, "sandboxed-jexl") }
 
   override predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
-    createsJexlEngine(fromNode, toNode)
+    createJexlEngineStep(fromNode, toNode)
   }
 }
 
-/**
- * Defines a data flow source for JEXL engines configured with a sandbox.
- */
-private class SandboxedJexlSource extends DataFlow::ExprNode {
-  SandboxedJexlSource() {
-    exists(MethodAccess ma, Method m | m = ma.getMethod() |
-      m.getDeclaringType() instanceof JexlBuilder and
-      m.hasName(["uberspect", "sandbox"]) and
-      m.getReturnType() instanceof JexlBuilder and
-      this.asExpr() = [ma, ma.getQualifier()]
-    )
-    or
-    exists(ConstructorCall cc |
-      cc.getConstructedType() instanceof JexlEngine and
-      cc.getArgument(0).getType() instanceof JexlUberspect and
-      cc = this.asExpr()
-    )
+private class SandoboxedJexlSourceModel extends SourceModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // JEXL2
+        "org.apache.commons.jexl2;JexlEngine;false;JexlEngine;(Uberspect,JexlArithmetic,Map<String,Object>,Log);;ReturnValue;sandboxed-jexl",
+        // JEXL3
+        "org.apache.commons.jexl3;JexlBuilder;false;uberspect;(JexlUberspect);;ReturnValue;sandboxed-jexl",
+        "org.apache.commons.jexl3;JexlBuilder;false;sandbox;(JexlSandbox);;ReturnValue;sandboxed-jexl"
+      ]
+  }
+}
+
+private class SandoboxedJexlSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // JEXL2
+        "org.apache.commons.jexl2;JexlEngine;false;createScript;;;Argument[-1];sandboxed-jexl",
+        "org.apache.commons.jexl2;JexlEngine;false;createExpression;;;Argument[-1];sandboxed-jexl",
+        "org.apache.commons.jexl2;UnifiedJEXL;false;parse;;;Argument[-1];sandboxed-jexl",
+        "org.apache.commons.jexl2;UnifiedJEXL;false;createTemplate;;;Argument[-1];sandboxed-jexl",
+        // JEXL3
+        "org.apache.commons.jexl3;JexlEngine;false;createScript;;;Argument[-1];sandboxed-jexl",
+        "org.apache.commons.jexl3;JexlEngine;false;createExpression;;;Argument[-1];sandboxed-jexl",
+        "org.apache.commons.jexl3;JxltEngine;false;createExpression;;;Argument[-1];sandboxed-jexl",
+        "org.apache.commons.jexl3;JxltEngine;false;createTemplate;;;Argument[-1];sandboxed-jexl"
+      ]
   }
 }
 
 /**
  * Holds if `fromNode` to `toNode` is a dataflow step that creates one of the JEXL engines.
  */
-private predicate createsJexlEngine(DataFlow::Node fromNode, DataFlow::Node toNode) {
+private predicate createJexlEngineStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
   exists(MethodAccess ma, Method m | m = ma.getMethod() |
     (m.getDeclaringType() instanceof JexlBuilder or m.getDeclaringType() instanceof JexlEngine) and
     m.hasName(["create", "createJxltEngine"]) and
@@ -191,35 +187,6 @@ private predicate createsJexlEngine(DataFlow::Node fromNode, DataFlow::Node toNo
   )
 }
 
-/**
- * A methods in the `JexlEngine` class that gets or sets a property with a JEXL expression.
- */
-private class JexlEngineGetSetPropertyMethod extends Method {
-  JexlEngineGetSetPropertyMethod() {
-    getDeclaringType() instanceof JexlEngine and
-    hasName(["getProperty", "setProperty"])
-  }
-}
-
-/**
- * A method that triggers direct evaluation of JEXL expressions.
- */
-private class DirectJexlEvaluationMethod extends Method {
-  DirectJexlEvaluationMethod() {
-    getDeclaringType() instanceof JexlExpression and hasName("evaluate")
-    or
-    getDeclaringType() instanceof JexlScript and hasName("execute")
-    or
-    getDeclaringType() instanceof JxltEngineExpression and hasName(["evaluate", "prepare"])
-    or
-    getDeclaringType() instanceof JxltEngineTemplate and hasName("evaluate")
-    or
-    getDeclaringType() instanceof UnifiedJexlExpression and hasName(["evaluate", "prepare"])
-    or
-    getDeclaringType() instanceof UnifiedJexlTemplate and hasName("evaluate")
-  }
-}
-
 /**
  * A method that creates a JEXL script.
  */
@@ -227,16 +194,6 @@ private class CreateJexlScriptMethod extends Method {
   CreateJexlScriptMethod() { getDeclaringType() instanceof JexlEngine and hasName("createScript") }
 }
 
-/**
- * A method that creates a `Callable` for a JEXL expression or script.
- */
-private class CreateJexlCallableMethod extends Method {
-  CreateJexlCallableMethod() {
-    (getDeclaringType() instanceof JexlExpression or getDeclaringType() instanceof JexlScript) and
-    hasName("callable")
-  }
-}
-
 /**
  * A method that creates a JEXL template.
  */
@@ -263,14 +220,6 @@ private class JexlRefType extends RefType {
   JexlRefType() { getPackage().hasName(["org.apache.commons.jexl2", "org.apache.commons.jexl3"]) }
 }
 
-private class JexlExpression extends JexlRefType {
-  JexlExpression() { hasName(["Expression", "JexlExpression"]) }
-}
-
-private class JexlScript extends JexlRefType {
-  JexlScript() { hasName(["Script", "JexlScript"]) }
-}
-
 private class JexlBuilder extends JexlRefType {
   JexlBuilder() { hasName("JexlBuilder") }
 }
@@ -287,29 +236,6 @@ private class UnifiedJexl extends JexlRefType {
   UnifiedJexl() { hasName("UnifiedJEXL") }
 }
 
-private class JexlUberspect extends Interface {
-  JexlUberspect() {
-    hasQualifiedName("org.apache.commons.jexl2.introspection", "Uberspect") or
-    hasQualifiedName("org.apache.commons.jexl3.introspection", "JexlUberspect")
-  }
-}
-
-private class JxltEngineExpression extends NestedType {
-  JxltEngineExpression() { getEnclosingType() instanceof JxltEngine and hasName("Expression") }
-}
-
-private class JxltEngineTemplate extends NestedType {
-  JxltEngineTemplate() { getEnclosingType() instanceof JxltEngine and hasName("Template") }
-}
-
-private class UnifiedJexlExpression extends NestedType {
-  UnifiedJexlExpression() { getEnclosingType() instanceof UnifiedJexl and hasName("Expression") }
-}
-
-private class UnifiedJexlTemplate extends NestedType {
-  UnifiedJexlTemplate() { getEnclosingType() instanceof UnifiedJexl and hasName("Template") }
-}
-
 private class Reader extends RefType {
   Reader() { hasQualifiedName("java.io", "Reader") }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/options b/java/ql/test/experimental/query-tests/security/CWE-094/options
index 18e3518fc97..4841ceb7488 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/options
@@ -1,2 +1,2 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-logging-1.2
 
diff --git a/java/ql/test/stubs/apache-commons-jexl-2.1.1/org/apache/commons/jexl2/JexlArithmetic.java b/java/ql/test/stubs/apache-commons-jexl-2.1.1/org/apache/commons/jexl2/JexlArithmetic.java
new file mode 100644
index 00000000000..cff0dbeb54c
--- /dev/null
+++ b/java/ql/test/stubs/apache-commons-jexl-2.1.1/org/apache/commons/jexl2/JexlArithmetic.java
@@ -0,0 +1,5 @@
+package org.apache.commons.jexl2;
+
+public class JexlArithmetic {
+
+}
diff --git a/java/ql/test/stubs/apache-commons-jexl-2.1.1/org/apache/commons/jexl2/JexlEngine.java b/java/ql/test/stubs/apache-commons-jexl-2.1.1/org/apache/commons/jexl2/JexlEngine.java
index 38568b08ac0..b6cf38487f9 100644
--- a/java/ql/test/stubs/apache-commons-jexl-2.1.1/org/apache/commons/jexl2/JexlEngine.java
+++ b/java/ql/test/stubs/apache-commons-jexl-2.1.1/org/apache/commons/jexl2/JexlEngine.java
@@ -2,12 +2,15 @@ package org.apache.commons.jexl2;
 
 import java.util.Map;
 import org.apache.commons.jexl2.introspection.*;
+import org.apache.commons.logging.Log;
 
 public class JexlEngine {
 
-    public JexlEngine() {}
+    public JexlEngine() {
+    }
 
-    public JexlEngine(Uberspect uberspect, Object arithmetic, Map<String, Object> functions, Object log) {}
+    public JexlEngine(Uberspect uberspect, JexlArithmetic arithmetic, Map<String, Object> functions, Log log) {
+    }
 
     public Expression createExpression(String expression) {
         return null;
@@ -41,9 +44,10 @@ public class JexlEngine {
         return null;
     }
 
-    public void setProperty(Object bean, String expr, Object value) {}
+    public void setProperty(Object bean, String expr, Object value) {
+    }
+
+    public void setProperty(JexlContext context, Object bean, String expr, Object value) {
+    }
 
-    public void setProperty(JexlContext context, Object bean, String expr, Object value) {}
-    
-      
 }
\ No newline at end of file
diff --git a/java/ql/test/stubs/apache-commons-logging-1.2/org/apache/commons/logging/Log.java b/java/ql/test/stubs/apache-commons-logging-1.2/org/apache/commons/logging/Log.java
new file mode 100644
index 00000000000..4c8ee14acc8
--- /dev/null
+++ b/java/ql/test/stubs/apache-commons-logging-1.2/org/apache/commons/logging/Log.java
@@ -0,0 +1,5 @@
+package org.apache.commons.logging;
+
+public interface Log {
+
+}

From cef845ac47faa110296d992334fa054cbba6523a Mon Sep 17 00:00:00 2001
From: edvraa <80588099+edvraa@users.noreply.github.com>
Date: Mon, 3 May 2021 13:46:56 +0300
Subject: [PATCH 0811/1429] Support string expressions

---
 .../javascript/security/InsecureCookie.qll    | 87 +++++++++++++------
 .../CWE-1004/CookieWithoutHttpOnly.expected   |  1 +
 .../Security/CWE-1004/test_httpserver.js      | 20 +++++
 3 files changed, 83 insertions(+), 25 deletions(-)

diff --git a/javascript/ql/src/experimental/semmle/javascript/security/InsecureCookie.qll b/javascript/ql/src/experimental/semmle/javascript/security/InsecureCookie.qll
index b116b9e75e6..16ad014ef72 100644
--- a/javascript/ql/src/experimental/semmle/javascript/security/InsecureCookie.qll
+++ b/javascript/ql/src/experimental/semmle/javascript/security/InsecureCookie.qll
@@ -45,31 +45,31 @@ module Cookie {
      * Holds if the cookie is authentication sensitive and lacks HttpOnly.
      */
     abstract predicate isAuthNotHttpOnly();
+  }
 
-    /**
-     * Holds if the expression is a variable with a sensitive name.
-     */
-    predicate isAuthVariable(DataFlow::Node expr) {
-      exists(string val |
-        (
-          val = expr.getStringValue() or
-          val = expr.asExpr().(VarAccess).getName() or
-          val = expr.(DataFlow::PropRead).getPropertyName()
-        ) and
-        regexpMatchAuth(val)
-      )
-      or
-      isAuthVariable(expr.getAPredecessor())
-    }
+  /**
+   * Holds if the expression is a variable with a sensitive name.
+   */
+  private predicate isAuthVariable(DataFlow::Node expr) {
+    exists(string val |
+      (
+        val = expr.getStringValue() or
+        val = expr.asExpr().(VarAccess).getName() or
+        val = expr.(DataFlow::PropRead).getPropertyName()
+      ) and
+      regexpMatchAuth(val)
+    )
+    or
+    isAuthVariable(expr.getAPredecessor())
+  }
 
-    /**
-     * Holds if the string contains sensitive auth keyword, but not antiforgery token.
-     */
-    bindingset[val]
-    predicate regexpMatchAuth(string val) {
-      val.regexpMatch("(?i).*(session|login|token|user|auth|credential).*") and
-      not val.regexpMatch("(?i).*(xsrf|csrf|forgery).*")
-    }
+  /**
+   * Holds if the string contains sensitive auth keyword, but not antiforgery token.
+   */
+  bindingset[val]
+  private predicate regexpMatchAuth(string val) {
+    val.regexpMatch("(?i).*(session|login|token|user|auth|credential).*") and
+    not val.regexpMatch("(?i).*(xsrf|csrf|forgery).*")
   }
 
   /**
@@ -168,6 +168,26 @@ module Cookie {
     }
   }
 
+  private class AttributeToSetCookieHeaderTrackingConfig extends TaintTracking::Configuration {
+    AttributeToSetCookieHeaderTrackingConfig() { this = "AttributeToSetCookieHeaderTrackingConfig" }
+
+    override predicate isSource(DataFlow::Node source) {
+      exists(string s | source.mayHaveStringValue(s))
+    }
+
+    override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof TemplateLiteral }
+  }
+
+  private class SensitiveNameToSetCookieHeaderTrackingConfig extends TaintTracking::Configuration {
+    SensitiveNameToSetCookieHeaderTrackingConfig() {
+      this = "SensitiveNameToSetCookieHeaderTrackingConfig"
+    }
+
+    override predicate isSource(DataFlow::Node source) { isAuthVariable(source) }
+
+    override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof TemplateLiteral }
+  }
+
   /**
    * A cookie set using `Set-Cookie` header of an `HTTP` response.
    * (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).
@@ -197,7 +217,7 @@ module Cookie {
      * A cookie is httpOnly if the `httpOnly` flag is specified in the cookie definition.
      * The default is `false`.
      */
-    override predicate isHttpOnly() { allHaveCookieAttribute("httponly") }
+    override predicate isHttpOnly() { allHaveCookieAttribute(httpOnlyFlag()) }
 
     /**
      * The predicate holds only if all elements have the specified attribute.
@@ -209,6 +229,14 @@ module Cookie {
           n.mayHaveStringValue(s) and
           hasCookieAttribute(s, attribute)
         )
+        or
+        exists(AttributeToSetCookieHeaderTrackingConfig cfg, DataFlow::Node source |
+          cfg.hasFlow(source, n) and
+          exists(string attr |
+            source.mayHaveStringValue(attr) and
+            attr.regexpMatch("(?i).*\\b" + attribute + "\\b.*")
+          )
+        )
       )
     }
 
@@ -221,10 +249,19 @@ module Cookie {
         exists(string s |
           n.mayHaveStringValue(s) and
           (
-            not hasCookieAttribute(s, "httponly") and
+            not hasCookieAttribute(s, httpOnlyFlag()) and
             regexpMatchAuth(getCookieName(s))
           )
         )
+        or
+        not exists(AttributeToSetCookieHeaderTrackingConfig cfg, DataFlow::Node source |
+          cfg.hasFlow(source, n) and
+          exists(string attr |
+            source.mayHaveStringValue(attr) and
+            attr.regexpMatch("(?i).*\\b" + httpOnlyFlag() + "\\b.*")
+          )
+        ) and
+        exists(SensitiveNameToSetCookieHeaderTrackingConfig cfg | cfg.hasFlow(_, n))
       )
     }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected b/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
index 837df006d92..52a9ec99832 100644
--- a/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
@@ -8,6 +8,7 @@
 | test_httpserver.js:7:37:7:48 | "auth=ninja" | Cookie attribute 'HttpOnly' is not set to true. |
 | test_httpserver.js:27:37:27:70 | ["auth= ... cript"] | Cookie attribute 'HttpOnly' is not set to true. |
 | test_httpserver.js:57:37:57:80 | ["auth= ... cript"] | Cookie attribute 'HttpOnly' is not set to true. |
+| test_httpserver.js:87:37:87:59 | `sessio ... {attr}` | Cookie attribute 'HttpOnly' is not set to true. |
 | test_responseCookie.js:15:5:20:10 | res.coo ...      }) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_responseCookie.js:25:5:28:10 | res.coo ...      }) | Cookie attribute 'HttpOnly' is not set to true. |
 | test_responseCookie.js:48:5:48:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/test_httpserver.js b/javascript/ql/test/query-tests/Security/CWE-1004/test_httpserver.js
index c7d433dff11..721a24a55e8 100644
--- a/javascript/ql/test/query-tests/Security/CWE-1004/test_httpserver.js
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/test_httpserver.js
@@ -68,4 +68,24 @@ function test7() {
         res.writeHead(200, { 'Content-Type': 'text/plain' });
         res.end('ok');
     });
+}
+
+function test8() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        let attr = "; httponly"
+        res.setHeader("Set-Cookie", `session=ninja ${attr}`); // Good, httponly string expression
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
+}
+
+function test9() {
+    const server = http.createServer((req, res) => {
+        res.setHeader('Content-Type', 'text/html');
+        let attr = "; secure"
+        res.setHeader("Set-Cookie", `session=ninja ${attr}`); // Bad, not httponly string expression
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('ok');
+    });
 }
\ No newline at end of file

From 4bfd34b1fea100f4f08cd9c68065a44eeec0499f Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Mon, 3 May 2021 13:15:24 +0200
Subject: [PATCH 0812/1429] Moved from experimental

---
 .../Security/CWE/CWE-094/JexlInjection.qhelp               | 0
 .../Security/CWE/CWE-094/JexlInjection.ql                  | 7 ++++---
 .../Security/CWE/CWE-094/JexlInjectionLib.qll              | 0
 .../query-tests/security/CWE-094/JexlInjection.qlref       | 1 -
 .../test/experimental/query-tests/security/CWE-094/options | 2 +-
 .../query-tests/security/CWE-094/Jexl2Injection.java       | 0
 .../query-tests/security/CWE-094/Jexl3Injection.java       | 0
 .../query-tests/security/CWE-094/JexlInjection.expected    | 0
 .../test/query-tests/security/CWE-094/JexlInjection.qlref  | 1 +
 .../query-tests/security/CWE-094/SandboxedJexl2.java       | 0
 .../query-tests/security/CWE-094/SandboxedJexl3.java       | 0
 java/ql/test/query-tests/security/CWE-094/options          | 2 +-
 12 files changed, 7 insertions(+), 6 deletions(-)
 rename java/ql/src/{experimental => }/Security/CWE/CWE-094/JexlInjection.qhelp (100%)
 rename java/ql/src/{experimental => }/Security/CWE/CWE-094/JexlInjection.ql (87%)
 rename java/ql/src/{experimental => }/Security/CWE/CWE-094/JexlInjectionLib.qll (100%)
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/JexlInjection.qlref
 rename java/ql/test/{experimental => }/query-tests/security/CWE-094/Jexl2Injection.java (100%)
 rename java/ql/test/{experimental => }/query-tests/security/CWE-094/Jexl3Injection.java (100%)
 rename java/ql/test/{experimental => }/query-tests/security/CWE-094/JexlInjection.expected (100%)
 create mode 100644 java/ql/test/query-tests/security/CWE-094/JexlInjection.qlref
 rename java/ql/test/{experimental => }/query-tests/security/CWE-094/SandboxedJexl2.java (100%)
 rename java/ql/test/{experimental => }/query-tests/security/CWE-094/SandboxedJexl3.java (100%)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjection.qhelp b/java/ql/src/Security/CWE/CWE-094/JexlInjection.qhelp
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-094/JexlInjection.qhelp
rename to java/ql/src/Security/CWE/CWE-094/JexlInjection.qhelp
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjection.ql b/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
similarity index 87%
rename from java/ql/src/experimental/Security/CWE/CWE-094/JexlInjection.ql
rename to java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
index 8b5e0d8eea1..460fa4540ef 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
@@ -13,7 +13,8 @@
 import java
 import JexlInjectionLib
 import DataFlow::PathGraph
-import FlowUtils
+import semmle.code.java.dataflow.FlowSources
+//import FlowUtils
 
 /**
  * A taint-tracking configuration for unsafe user input
@@ -28,8 +29,8 @@ class JexlInjectionConfig extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
 
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    any(JexlInjectionAdditionalTaintStep c).step(node1, node2) or
-    hasGetterFlow(node1, node2)
+    any(JexlInjectionAdditionalTaintStep c).step(node1, node2) /*or
+    hasGetterFlow(node1, node2)*/
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll b/java/ql/src/Security/CWE/CWE-094/JexlInjectionLib.qll
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
rename to java/ql/src/Security/CWE/CWE-094/JexlInjectionLib.qll
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JexlInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-094/JexlInjection.qlref
deleted file mode 100644
index 82ad87b1751..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JexlInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-094/JexlInjection.ql
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/options b/java/ql/test/experimental/query-tests/security/CWE-094/options
index 4841ceb7488..0104bad4f22 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/options
@@ -1,2 +1,2 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-logging-1.2
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4
 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/Jexl2Injection.java b/java/ql/test/query-tests/security/CWE-094/Jexl2Injection.java
similarity index 100%
rename from java/ql/test/experimental/query-tests/security/CWE-094/Jexl2Injection.java
rename to java/ql/test/query-tests/security/CWE-094/Jexl2Injection.java
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/Jexl3Injection.java b/java/ql/test/query-tests/security/CWE-094/Jexl3Injection.java
similarity index 100%
rename from java/ql/test/experimental/query-tests/security/CWE-094/Jexl3Injection.java
rename to java/ql/test/query-tests/security/CWE-094/Jexl3Injection.java
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JexlInjection.expected b/java/ql/test/query-tests/security/CWE-094/JexlInjection.expected
similarity index 100%
rename from java/ql/test/experimental/query-tests/security/CWE-094/JexlInjection.expected
rename to java/ql/test/query-tests/security/CWE-094/JexlInjection.expected
diff --git a/java/ql/test/query-tests/security/CWE-094/JexlInjection.qlref b/java/ql/test/query-tests/security/CWE-094/JexlInjection.qlref
new file mode 100644
index 00000000000..63f170df617
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-094/JexlInjection.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-094/JexlInjection.ql
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/SandboxedJexl2.java b/java/ql/test/query-tests/security/CWE-094/SandboxedJexl2.java
similarity index 100%
rename from java/ql/test/experimental/query-tests/security/CWE-094/SandboxedJexl2.java
rename to java/ql/test/query-tests/security/CWE-094/SandboxedJexl2.java
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/SandboxedJexl3.java b/java/ql/test/query-tests/security/CWE-094/SandboxedJexl3.java
similarity index 100%
rename from java/ql/test/experimental/query-tests/security/CWE-094/SandboxedJexl3.java
rename to java/ql/test/query-tests/security/CWE-094/SandboxedJexl3.java
diff --git a/java/ql/test/query-tests/security/CWE-094/options b/java/ql/test/query-tests/security/CWE-094/options
index 468d90aeabc..27fdb569cd8 100644
--- a/java/ql/test/query-tests/security/CWE-094/options
+++ b/java/ql/test/query-tests/security/CWE-094/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/validation-api-2.0.1.Final
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../stubs/apache-commons-logging-1.2

From 4d5ec87de9b368fc57a21fea948316a10b21786b Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Mon, 3 May 2021 13:27:24 +0200
Subject: [PATCH 0813/1429] Use InlineTest

---
 .../src/Security/CWE/CWE-094/JexlInjection.ql |   6 +-
 .../code/java/security/JexlInjection.qll}     |   0
 .../security/CWE-094/Jexl2Injection.java      |  21 +-
 .../security/CWE-094/Jexl3Injection.java      |  26 ++-
 .../security/CWE-094/JexlInjection.expected   | 199 ------------------
 .../CWE-094/JexlInjectionTest.expected        |   0
 .../security/CWE-094/JexlInjectionTest.ql     |  33 +++
 .../security/CWE-094/SandboxedJexl2.java      |   6 +-
 8 files changed, 60 insertions(+), 231 deletions(-)
 rename java/ql/src/{Security/CWE/CWE-094/JexlInjectionLib.qll => semmle/code/java/security/JexlInjection.qll} (100%)
 delete mode 100644 java/ql/test/query-tests/security/CWE-094/JexlInjection.expected
 create mode 100644 java/ql/test/query-tests/security/CWE-094/JexlInjectionTest.expected
 create mode 100644 java/ql/test/query-tests/security/CWE-094/JexlInjectionTest.ql

diff --git a/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql b/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
index 460fa4540ef..80810378dce 100644
--- a/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
@@ -11,10 +11,9 @@
  */
 
 import java
-import JexlInjectionLib
 import DataFlow::PathGraph
 import semmle.code.java.dataflow.FlowSources
-//import FlowUtils
+import semmle.code.java.security.JexlInjection
 
 /**
  * A taint-tracking configuration for unsafe user input
@@ -29,8 +28,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
 
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    any(JexlInjectionAdditionalTaintStep c).step(node1, node2) /*or
-    hasGetterFlow(node1, node2)*/
+    any(JexlInjectionAdditionalTaintStep c).step(node1, node2) 
   }
 }
 
diff --git a/java/ql/src/Security/CWE/CWE-094/JexlInjectionLib.qll b/java/ql/src/semmle/code/java/security/JexlInjection.qll
similarity index 100%
rename from java/ql/src/Security/CWE/CWE-094/JexlInjectionLib.qll
rename to java/ql/src/semmle/code/java/security/JexlInjection.qll
diff --git a/java/ql/test/query-tests/security/CWE-094/Jexl2Injection.java b/java/ql/test/query-tests/security/CWE-094/Jexl2Injection.java
index 438e9b036b6..d7ee659a4c8 100644
--- a/java/ql/test/query-tests/security/CWE-094/Jexl2Injection.java
+++ b/java/ql/test/query-tests/security/CWE-094/Jexl2Injection.java
@@ -11,22 +11,21 @@ public class Jexl2Injection {
         JexlEngine jexl = new JexlEngine();
         Expression e = jexl.createExpression(jexlExpr);
         JexlContext jc = new MapContext();
-        e.evaluate(jc);
+        e.evaluate(jc); // $hasJexlInjection
     }
 
     private static void runJexlExpressionWithJexlInfo(String jexlExpr) {
         JexlEngine jexl = new JexlEngine();
-        Expression e = jexl.createExpression(
-                jexlExpr, new DebugInfo("unknown", 0, 0));
+        Expression e = jexl.createExpression(jexlExpr, new DebugInfo("unknown", 0, 0));
         JexlContext jc = new MapContext();
-        e.evaluate(jc);
+        e.evaluate(jc); // $hasJexlInjection
     }
 
     private static void runJexlScript(String jexlExpr) {
         JexlEngine jexl = new JexlEngine();
         Script script = jexl.createScript(jexlExpr);
         JexlContext jc = new MapContext();
-        script.execute(jc);
+        script.execute(jc); // $hasJexlInjection
     }
 
     private static void runJexlScriptViaCallable(String jexlExpr) {
@@ -35,7 +34,7 @@ public class Jexl2Injection {
         JexlContext jc = new MapContext();
 
         try {
-            script.callable(jc).call();
+            script.callable(jc).call(); // $hasJexlInjection
         } catch (Exception e) {
             throw new RuntimeException(e);
         }
@@ -43,30 +42,30 @@ public class Jexl2Injection {
 
     private static void runJexlExpressionViaGetProperty(String jexlExpr) {
         JexlEngine jexl = new JexlEngine();
-        jexl.getProperty(new Object(), jexlExpr);
+        jexl.getProperty(new Object(), jexlExpr); // $hasJexlInjection
     }
 
     private static void runJexlExpressionViaSetProperty(String jexlExpr) {
         JexlEngine jexl = new JexlEngine();
-        jexl.setProperty(new Object(), jexlExpr, new Object());
+        jexl.setProperty(new Object(), jexlExpr, new Object()); // $hasJexlInjection
     }
 
     private static void runJexlExpressionViaUnifiedJEXLParseAndEvaluate(String jexlExpr) {
         JexlEngine jexl = new JexlEngine();
         UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
-        unifiedJEXL.parse(jexlExpr).evaluate(new MapContext());
+        unifiedJEXL.parse(jexlExpr).evaluate(new MapContext()); // $hasJexlInjection
     }
 
     private static void runJexlExpressionViaUnifiedJEXLParseAndPrepare(String jexlExpr) {
         JexlEngine jexl = new JexlEngine();
         UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
-        unifiedJEXL.parse(jexlExpr).prepare(new MapContext());
+        unifiedJEXL.parse(jexlExpr).prepare(new MapContext()); // $hasJexlInjection
     }
 
     private static void runJexlExpressionViaUnifiedJEXLTemplateEvaluate(String jexlExpr) {
         JexlEngine jexl = new JexlEngine();
         UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
-        unifiedJEXL.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter());
+        unifiedJEXL.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $hasJexlInjection
     }
 
     private static void testWithSocket(Consumer<String> action) throws Exception {
diff --git a/java/ql/test/query-tests/security/CWE-094/Jexl3Injection.java b/java/ql/test/query-tests/security/CWE-094/Jexl3Injection.java
index a23a8b35841..0300b8ffe3f 100644
--- a/java/ql/test/query-tests/security/CWE-094/Jexl3Injection.java
+++ b/java/ql/test/query-tests/security/CWE-094/Jexl3Injection.java
@@ -18,21 +18,21 @@ public class Jexl3Injection {
         JexlEngine jexl = new JexlBuilder().create();
         JexlExpression e = jexl.createExpression(jexlExpr);
         JexlContext jc = new MapContext();
-        e.evaluate(jc);
+        e.evaluate(jc); // $hasJexlInjection
     }
 
     private static void runJexlExpressionWithJexlInfo(String jexlExpr) {
         JexlEngine jexl = new JexlBuilder().create();
         JexlExpression e = jexl.createExpression(new JexlInfo("unknown", 0, 0), jexlExpr);
         JexlContext jc = new MapContext();
-        e.evaluate(jc);
+        e.evaluate(jc); // $hasJexlInjection
     }
 
     private static void runJexlScript(String jexlExpr) {
         JexlEngine jexl = new JexlBuilder().create();
         JexlScript script = jexl.createScript(jexlExpr);
         JexlContext jc = new MapContext();
-        script.execute(jc);
+        script.execute(jc); // $hasJexlInjection
     }
 
     private static void runJexlScriptViaCallable(String jexlExpr) {
@@ -41,7 +41,7 @@ public class Jexl3Injection {
         JexlContext jc = new MapContext();
 
         try {
-            script.callable(jc).call();
+            script.callable(jc).call(); // $hasJexlInjection
         } catch (Exception e) {
             throw new RuntimeException(e);
         }
@@ -49,30 +49,30 @@ public class Jexl3Injection {
 
     private static void runJexlExpressionViaGetProperty(String jexlExpr) {
         JexlEngine jexl = new JexlBuilder().create();
-        jexl.getProperty(new Object(), jexlExpr);
+        jexl.getProperty(new Object(), jexlExpr); // $hasJexlInjection
     }
 
     private static void runJexlExpressionViaSetProperty(String jexlExpr) {
         JexlEngine jexl = new JexlBuilder().create();
-        jexl.setProperty(new Object(), jexlExpr, new Object());
+        jexl.setProperty(new Object(), jexlExpr, new Object()); // $hasJexlInjection
     }
 
     private static void runJexlExpressionViaJxltEngineExpressionEvaluate(String jexlExpr) {
         JexlEngine jexl = new JexlBuilder().create();
         JxltEngine jxlt = jexl.createJxltEngine();
-        jxlt.createExpression(jexlExpr).evaluate(new MapContext());
+        jxlt.createExpression(jexlExpr).evaluate(new MapContext()); // $hasJexlInjection
     }
 
     private static void runJexlExpressionViaJxltEngineExpressionPrepare(String jexlExpr) {
         JexlEngine jexl = new JexlBuilder().create();
         JxltEngine jxlt = jexl.createJxltEngine();
-        jxlt.createExpression(jexlExpr).prepare(new MapContext());
+        jxlt.createExpression(jexlExpr).prepare(new MapContext()); // $hasJexlInjection
     }
 
     private static void runJexlExpressionViaJxltEngineTemplateEvaluate(String jexlExpr) {
         JexlEngine jexl = new JexlBuilder().create();
         JxltEngine jxlt = jexl.createJxltEngine();
-        jxlt.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter());
+        jxlt.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $hasJexlInjection
     }
 
     private static void runJexlExpressionViaCallable(String jexlExpr) {
@@ -81,7 +81,7 @@ public class Jexl3Injection {
         JexlContext jc = new MapContext();
 
         try {
-            e.callable(jc).call();
+            e.callable(jc).call(); // $hasJexlInjection
         } catch (Exception ex) {
             throw new RuntimeException(ex);
         }
@@ -141,16 +141,14 @@ public class Jexl3Injection {
     }
 
     @PostMapping("/request")
-    public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromPathVariable(
-            @PathVariable String expr) {
+    public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromPathVariable(@PathVariable String expr) {
 
         runJexlExpression(expr);
         return ResponseEntity.ok(HttpStatus.OK);
     }
 
     @PostMapping("/request")
-    public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBody(
-            @RequestBody Data data) {
+    public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBody(@RequestBody Data data) {
 
         String expr = data.getExpr();
         runJexlExpression(expr);
diff --git a/java/ql/test/query-tests/security/CWE-094/JexlInjection.expected b/java/ql/test/query-tests/security/CWE-094/JexlInjection.expected
deleted file mode 100644
index f42f083578e..00000000000
--- a/java/ql/test/query-tests/security/CWE-094/JexlInjection.expected
+++ /dev/null
@@ -1,199 +0,0 @@
-edges
-| Jexl2Injection.java:10:43:10:57 | jexlExpr : String | Jexl2Injection.java:14:9:14:9 | e |
-| Jexl2Injection.java:17:55:17:69 | jexlExpr : String | Jexl2Injection.java:22:9:22:9 | e |
-| Jexl2Injection.java:25:39:25:53 | jexlExpr : String | Jexl2Injection.java:29:9:29:14 | script |
-| Jexl2Injection.java:32:50:32:64 | jexlExpr : String | Jexl2Injection.java:38:13:38:18 | script |
-| Jexl2Injection.java:44:57:44:71 | jexlExpr : String | Jexl2Injection.java:46:40:46:47 | jexlExpr |
-| Jexl2Injection.java:49:57:49:71 | jexlExpr : String | Jexl2Injection.java:51:40:51:47 | jexlExpr |
-| Jexl2Injection.java:54:73:54:87 | jexlExpr : String | Jexl2Injection.java:57:9:57:35 | parse(...) |
-| Jexl2Injection.java:60:72:60:86 | jexlExpr : String | Jexl2Injection.java:63:9:63:35 | parse(...) |
-| Jexl2Injection.java:66:73:66:87 | jexlExpr : String | Jexl2Injection.java:69:9:69:44 | createTemplate(...) |
-| Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:76:54:76:58 | bytes [post update] : byte[] |
-| Jexl2Injection.java:76:54:76:58 | bytes [post update] : byte[] | Jexl2Injection.java:78:31:78:38 | jexlExpr : String |
-| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:86:24:86:56 | jexlExpr : String |
-| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:90:24:90:68 | jexlExpr : String |
-| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:94:24:94:52 | jexlExpr : String |
-| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:98:24:98:63 | jexlExpr : String |
-| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:102:24:102:70 | jexlExpr : String |
-| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:106:24:106:70 | jexlExpr : String |
-| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:110:24:110:86 | jexlExpr : String |
-| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:114:24:114:85 | jexlExpr : String |
-| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:118:24:118:86 | jexlExpr : String |
-| Jexl2Injection.java:86:24:86:56 | jexlExpr : String | Jexl2Injection.java:10:43:10:57 | jexlExpr : String |
-| Jexl2Injection.java:86:24:86:56 | jexlExpr : String | Jexl2Injection.java:86:24:86:56 | jexlExpr : String |
-| Jexl2Injection.java:90:24:90:68 | jexlExpr : String | Jexl2Injection.java:17:55:17:69 | jexlExpr : String |
-| Jexl2Injection.java:90:24:90:68 | jexlExpr : String | Jexl2Injection.java:90:24:90:68 | jexlExpr : String |
-| Jexl2Injection.java:94:24:94:52 | jexlExpr : String | Jexl2Injection.java:25:39:25:53 | jexlExpr : String |
-| Jexl2Injection.java:94:24:94:52 | jexlExpr : String | Jexl2Injection.java:94:24:94:52 | jexlExpr : String |
-| Jexl2Injection.java:98:24:98:63 | jexlExpr : String | Jexl2Injection.java:32:50:32:64 | jexlExpr : String |
-| Jexl2Injection.java:98:24:98:63 | jexlExpr : String | Jexl2Injection.java:98:24:98:63 | jexlExpr : String |
-| Jexl2Injection.java:102:24:102:70 | jexlExpr : String | Jexl2Injection.java:44:57:44:71 | jexlExpr : String |
-| Jexl2Injection.java:102:24:102:70 | jexlExpr : String | Jexl2Injection.java:102:24:102:70 | jexlExpr : String |
-| Jexl2Injection.java:106:24:106:70 | jexlExpr : String | Jexl2Injection.java:49:57:49:71 | jexlExpr : String |
-| Jexl2Injection.java:106:24:106:70 | jexlExpr : String | Jexl2Injection.java:106:24:106:70 | jexlExpr : String |
-| Jexl2Injection.java:110:24:110:86 | jexlExpr : String | Jexl2Injection.java:54:73:54:87 | jexlExpr : String |
-| Jexl2Injection.java:110:24:110:86 | jexlExpr : String | Jexl2Injection.java:110:24:110:86 | jexlExpr : String |
-| Jexl2Injection.java:114:24:114:85 | jexlExpr : String | Jexl2Injection.java:60:72:60:86 | jexlExpr : String |
-| Jexl2Injection.java:114:24:114:85 | jexlExpr : String | Jexl2Injection.java:114:24:114:85 | jexlExpr : String |
-| Jexl2Injection.java:118:24:118:86 | jexlExpr : String | Jexl2Injection.java:66:73:66:87 | jexlExpr : String |
-| Jexl2Injection.java:118:24:118:86 | jexlExpr : String | Jexl2Injection.java:118:24:118:86 | jexlExpr : String |
-| Jexl3Injection.java:17:43:17:57 | jexlExpr : String | Jexl3Injection.java:21:9:21:9 | e |
-| Jexl3Injection.java:24:55:24:69 | jexlExpr : String | Jexl3Injection.java:28:9:28:9 | e |
-| Jexl3Injection.java:31:39:31:53 | jexlExpr : String | Jexl3Injection.java:35:9:35:14 | script |
-| Jexl3Injection.java:38:50:38:64 | jexlExpr : String | Jexl3Injection.java:44:13:44:18 | script |
-| Jexl3Injection.java:50:57:50:71 | jexlExpr : String | Jexl3Injection.java:52:40:52:47 | jexlExpr |
-| Jexl3Injection.java:55:57:55:71 | jexlExpr : String | Jexl3Injection.java:57:40:57:47 | jexlExpr |
-| Jexl3Injection.java:60:74:60:88 | jexlExpr : String | Jexl3Injection.java:63:9:63:39 | createExpression(...) |
-| Jexl3Injection.java:66:73:66:87 | jexlExpr : String | Jexl3Injection.java:69:9:69:39 | createExpression(...) |
-| Jexl3Injection.java:72:72:72:86 | jexlExpr : String | Jexl3Injection.java:75:9:75:37 | createTemplate(...) |
-| Jexl3Injection.java:78:54:78:68 | jexlExpr : String | Jexl3Injection.java:84:13:84:13 | e |
-| Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:94:54:94:58 | bytes [post update] : byte[] |
-| Jexl3Injection.java:94:54:94:58 | bytes [post update] : byte[] | Jexl3Injection.java:96:31:96:38 | jexlExpr : String |
-| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:104:24:104:56 | jexlExpr : String |
-| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:108:24:108:68 | jexlExpr : String |
-| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:112:24:112:52 | jexlExpr : String |
-| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:116:24:116:63 | jexlExpr : String |
-| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:120:24:120:70 | jexlExpr : String |
-| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:124:24:124:70 | jexlExpr : String |
-| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:128:24:128:87 | jexlExpr : String |
-| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:132:24:132:86 | jexlExpr : String |
-| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:136:24:136:85 | jexlExpr : String |
-| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:140:24:140:67 | jexlExpr : String |
-| Jexl3Injection.java:104:24:104:56 | jexlExpr : String | Jexl3Injection.java:17:43:17:57 | jexlExpr : String |
-| Jexl3Injection.java:104:24:104:56 | jexlExpr : String | Jexl3Injection.java:104:24:104:56 | jexlExpr : String |
-| Jexl3Injection.java:108:24:108:68 | jexlExpr : String | Jexl3Injection.java:24:55:24:69 | jexlExpr : String |
-| Jexl3Injection.java:108:24:108:68 | jexlExpr : String | Jexl3Injection.java:108:24:108:68 | jexlExpr : String |
-| Jexl3Injection.java:112:24:112:52 | jexlExpr : String | Jexl3Injection.java:31:39:31:53 | jexlExpr : String |
-| Jexl3Injection.java:112:24:112:52 | jexlExpr : String | Jexl3Injection.java:112:24:112:52 | jexlExpr : String |
-| Jexl3Injection.java:116:24:116:63 | jexlExpr : String | Jexl3Injection.java:38:50:38:64 | jexlExpr : String |
-| Jexl3Injection.java:116:24:116:63 | jexlExpr : String | Jexl3Injection.java:116:24:116:63 | jexlExpr : String |
-| Jexl3Injection.java:120:24:120:70 | jexlExpr : String | Jexl3Injection.java:50:57:50:71 | jexlExpr : String |
-| Jexl3Injection.java:120:24:120:70 | jexlExpr : String | Jexl3Injection.java:120:24:120:70 | jexlExpr : String |
-| Jexl3Injection.java:124:24:124:70 | jexlExpr : String | Jexl3Injection.java:55:57:55:71 | jexlExpr : String |
-| Jexl3Injection.java:124:24:124:70 | jexlExpr : String | Jexl3Injection.java:124:24:124:70 | jexlExpr : String |
-| Jexl3Injection.java:128:24:128:87 | jexlExpr : String | Jexl3Injection.java:60:74:60:88 | jexlExpr : String |
-| Jexl3Injection.java:128:24:128:87 | jexlExpr : String | Jexl3Injection.java:128:24:128:87 | jexlExpr : String |
-| Jexl3Injection.java:132:24:132:86 | jexlExpr : String | Jexl3Injection.java:66:73:66:87 | jexlExpr : String |
-| Jexl3Injection.java:132:24:132:86 | jexlExpr : String | Jexl3Injection.java:132:24:132:86 | jexlExpr : String |
-| Jexl3Injection.java:136:24:136:85 | jexlExpr : String | Jexl3Injection.java:72:72:72:86 | jexlExpr : String |
-| Jexl3Injection.java:136:24:136:85 | jexlExpr : String | Jexl3Injection.java:136:24:136:85 | jexlExpr : String |
-| Jexl3Injection.java:140:24:140:67 | jexlExpr : String | Jexl3Injection.java:78:54:78:68 | jexlExpr : String |
-| Jexl3Injection.java:140:24:140:67 | jexlExpr : String | Jexl3Injection.java:140:24:140:67 | jexlExpr : String |
-| Jexl3Injection.java:145:13:145:37 | expr : String | Jexl3Injection.java:147:27:147:30 | expr : String |
-| Jexl3Injection.java:147:27:147:30 | expr : String | Jexl3Injection.java:17:43:17:57 | jexlExpr : String |
-| Jexl3Injection.java:153:13:153:34 | data : Data | Jexl3Injection.java:156:27:156:30 | expr : String |
-| Jexl3Injection.java:156:27:156:30 | expr : String | Jexl3Injection.java:17:43:17:57 | jexlExpr : String |
-| Jexl3Injection.java:163:13:163:52 | customRequest : CustomRequest | Jexl3Injection.java:166:27:166:30 | expr : String |
-| Jexl3Injection.java:166:27:166:30 | expr : String | Jexl3Injection.java:17:43:17:57 | jexlExpr : String |
-nodes
-| Jexl2Injection.java:10:43:10:57 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:14:9:14:9 | e | semmle.label | e |
-| Jexl2Injection.java:17:55:17:69 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:22:9:22:9 | e | semmle.label | e |
-| Jexl2Injection.java:25:39:25:53 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:29:9:29:14 | script | semmle.label | script |
-| Jexl2Injection.java:32:50:32:64 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:38:13:38:18 | script | semmle.label | script |
-| Jexl2Injection.java:44:57:44:71 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:46:40:46:47 | jexlExpr | semmle.label | jexlExpr |
-| Jexl2Injection.java:49:57:49:71 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:51:40:51:47 | jexlExpr | semmle.label | jexlExpr |
-| Jexl2Injection.java:54:73:54:87 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:57:9:57:35 | parse(...) | semmle.label | parse(...) |
-| Jexl2Injection.java:60:72:60:86 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:63:9:63:35 | parse(...) | semmle.label | parse(...) |
-| Jexl2Injection.java:66:73:66:87 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:69:9:69:44 | createTemplate(...) | semmle.label | createTemplate(...) |
-| Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
-| Jexl2Injection.java:76:54:76:58 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
-| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:86:24:86:56 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:86:24:86:56 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:90:24:90:68 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:90:24:90:68 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:94:24:94:52 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:94:24:94:52 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:98:24:98:63 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:98:24:98:63 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:102:24:102:70 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:102:24:102:70 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:106:24:106:70 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:106:24:106:70 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:110:24:110:86 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:110:24:110:86 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:114:24:114:85 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:114:24:114:85 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:118:24:118:86 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:118:24:118:86 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:17:43:17:57 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:21:9:21:9 | e | semmle.label | e |
-| Jexl3Injection.java:24:55:24:69 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:28:9:28:9 | e | semmle.label | e |
-| Jexl3Injection.java:31:39:31:53 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:35:9:35:14 | script | semmle.label | script |
-| Jexl3Injection.java:38:50:38:64 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:44:13:44:18 | script | semmle.label | script |
-| Jexl3Injection.java:50:57:50:71 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:52:40:52:47 | jexlExpr | semmle.label | jexlExpr |
-| Jexl3Injection.java:55:57:55:71 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:57:40:57:47 | jexlExpr | semmle.label | jexlExpr |
-| Jexl3Injection.java:60:74:60:88 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:63:9:63:39 | createExpression(...) | semmle.label | createExpression(...) |
-| Jexl3Injection.java:66:73:66:87 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:69:9:69:39 | createExpression(...) | semmle.label | createExpression(...) |
-| Jexl3Injection.java:72:72:72:86 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:75:9:75:37 | createTemplate(...) | semmle.label | createTemplate(...) |
-| Jexl3Injection.java:78:54:78:68 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:84:13:84:13 | e | semmle.label | e |
-| Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
-| Jexl3Injection.java:94:54:94:58 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
-| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:104:24:104:56 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:104:24:104:56 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:108:24:108:68 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:108:24:108:68 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:112:24:112:52 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:112:24:112:52 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:116:24:116:63 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:116:24:116:63 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:120:24:120:70 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:120:24:120:70 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:124:24:124:70 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:124:24:124:70 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:128:24:128:87 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:128:24:128:87 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:132:24:132:86 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:132:24:132:86 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:136:24:136:85 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:136:24:136:85 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:140:24:140:67 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:140:24:140:67 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:145:13:145:37 | expr : String | semmle.label | expr : String |
-| Jexl3Injection.java:147:27:147:30 | expr : String | semmle.label | expr : String |
-| Jexl3Injection.java:153:13:153:34 | data : Data | semmle.label | data : Data |
-| Jexl3Injection.java:156:27:156:30 | expr : String | semmle.label | expr : String |
-| Jexl3Injection.java:163:13:163:52 | customRequest : CustomRequest | semmle.label | customRequest : CustomRequest |
-| Jexl3Injection.java:166:27:166:30 | expr : String | semmle.label | expr : String |
-#select
-| Jexl2Injection.java:14:9:14:9 | e | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:14:9:14:9 | e | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
-| Jexl2Injection.java:22:9:22:9 | e | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:22:9:22:9 | e | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
-| Jexl2Injection.java:29:9:29:14 | script | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:29:9:29:14 | script | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
-| Jexl2Injection.java:38:13:38:18 | script | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:38:13:38:18 | script | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
-| Jexl2Injection.java:46:40:46:47 | jexlExpr | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:46:40:46:47 | jexlExpr | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
-| Jexl2Injection.java:51:40:51:47 | jexlExpr | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:51:40:51:47 | jexlExpr | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
-| Jexl2Injection.java:57:9:57:35 | parse(...) | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:57:9:57:35 | parse(...) | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
-| Jexl2Injection.java:63:9:63:35 | parse(...) | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:63:9:63:35 | parse(...) | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
-| Jexl2Injection.java:69:9:69:44 | createTemplate(...) | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:69:9:69:44 | createTemplate(...) | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
-| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:21:9:21:9 | e | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
-| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:145:13:145:37 | expr : String | Jexl3Injection.java:21:9:21:9 | e | JEXL injection from $@. | Jexl3Injection.java:145:13:145:37 | expr | this user input |
-| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:153:13:153:34 | data : Data | Jexl3Injection.java:21:9:21:9 | e | JEXL injection from $@. | Jexl3Injection.java:153:13:153:34 | data | this user input |
-| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:163:13:163:52 | customRequest : CustomRequest | Jexl3Injection.java:21:9:21:9 | e | JEXL injection from $@. | Jexl3Injection.java:163:13:163:52 | customRequest | this user input |
-| Jexl3Injection.java:28:9:28:9 | e | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:28:9:28:9 | e | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
-| Jexl3Injection.java:35:9:35:14 | script | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:35:9:35:14 | script | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
-| Jexl3Injection.java:44:13:44:18 | script | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:44:13:44:18 | script | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
-| Jexl3Injection.java:52:40:52:47 | jexlExpr | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:52:40:52:47 | jexlExpr | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
-| Jexl3Injection.java:57:40:57:47 | jexlExpr | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:57:40:57:47 | jexlExpr | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
-| Jexl3Injection.java:63:9:63:39 | createExpression(...) | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:63:9:63:39 | createExpression(...) | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
-| Jexl3Injection.java:69:9:69:39 | createExpression(...) | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:69:9:69:39 | createExpression(...) | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
-| Jexl3Injection.java:75:9:75:37 | createTemplate(...) | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:75:9:75:37 | createTemplate(...) | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
-| Jexl3Injection.java:84:13:84:13 | e | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:84:13:84:13 | e | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
diff --git a/java/ql/test/query-tests/security/CWE-094/JexlInjectionTest.expected b/java/ql/test/query-tests/security/CWE-094/JexlInjectionTest.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/security/CWE-094/JexlInjectionTest.ql b/java/ql/test/query-tests/security/CWE-094/JexlInjectionTest.ql
new file mode 100644
index 00000000000..e7c713213b0
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-094/JexlInjectionTest.ql
@@ -0,0 +1,33 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.FlowSteps
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.JexlInjection
+import TestUtilities.InlineExpectationsTest
+
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "qltest:cwe:jexl-injection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(JexlInjectionAdditionalTaintStep c).step(node1, node2)
+  }
+}
+
+class JexlInjectionTest extends InlineExpectationsTest {
+  JexlInjectionTest() { this = "HasJexlInjectionTest" }
+
+  override string getARelevantTag() { result = "hasJexlInjection" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasJexlInjection" and
+    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}
diff --git a/java/ql/test/query-tests/security/CWE-094/SandboxedJexl2.java b/java/ql/test/query-tests/security/CWE-094/SandboxedJexl2.java
index dd9b113ca0b..cbc955389b3 100644
--- a/java/ql/test/query-tests/security/CWE-094/SandboxedJexl2.java
+++ b/java/ql/test/query-tests/security/CWE-094/SandboxedJexl2.java
@@ -6,7 +6,7 @@ import java.net.Socket;
 import java.util.function.Consumer;
 
 public class SandboxedJexl2 {
-    
+
     private static void runJexlExpressionWithSandbox(String jexlExpr) {
         Sandbox sandbox = new Sandbox();
         sandbox.white(SandboxedJexl2.class.getCanonicalName());
@@ -14,7 +14,7 @@ public class SandboxedJexl2 {
         JexlEngine jexl = new JexlEngine(uberspect, null, null, null);
         Expression e = jexl.createExpression(jexlExpr);
         JexlContext jc = new MapContext();
-        e.evaluate(jc);
+        e.evaluate(jc); // Safe
     }
 
     private static void runJexlExpressionViaSandboxedUnifiedJexl(String jexlExpr) {
@@ -23,7 +23,7 @@ public class SandboxedJexl2 {
         Uberspect uberspect = new SandboxUberspectImpl(null, sandbox);
         JexlEngine jexl = new JexlEngine(uberspect, null, null, null);
         UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
-        unifiedJEXL.parse(jexlExpr).evaluate(new MapContext());
+        unifiedJEXL.parse(jexlExpr).evaluate(new MapContext()); // Safe
     }
 
     private static void simpleServer(Consumer<String> action) throws Exception {

From 38bce39baa4d8fad01a2ba25f9d6463a97d186cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
Date: Mon, 3 May 2021 15:06:57 +0300
Subject: [PATCH 0814/1429] Update UncaughtServletException.qhelp

There is no single word in https://cwe.mitre.org/data/definitions/600.html about possible DoS or unexpected state.
---
 .../Security/CWE/CWE-600/UncaughtServletException.qhelp         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.qhelp b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.qhelp
index de9d395e731..cf04705eecd 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.qhelp
@@ -2,7 +2,7 @@
 <qhelp>
   <overview>
     <p>
-      Even though the request-handling methods of <code>Servlet</code> are declared <code>throws IOException, ServletException</code>, it's a bad idea to let such exceptions be thrown. Failure to catch exceptions in a servlet could leave a system in an unexpected state, possibly resulting in denial-of-service attacks, or could lead to exposure of sensitive information because when a servlet throws an exception, the servlet container typically sends debugging information back to the user. That information could be valuable to an attacker.
+      Even though the request-handling methods of <code>Servlet</code> are declared <code>throws IOException, ServletException</code>, it's a bad idea to let such exceptions be thrown. Failure to catch exceptions in a servlet could lead to exposure of sensitive information because when a servlet throws an exception, the servlet container typically sends debugging information back to the user. That information could be valuable to an attacker.
     </p>
   </overview>
 

From 27c680e28b6ebda3979803073668ee6ec46ded42 Mon Sep 17 00:00:00 2001
From: Edwin <edvraa@gmail.com>
Date: Mon, 3 May 2021 16:41:09 +0300
Subject: [PATCH 0815/1429] Apply suggestions from code review

Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
---
 .../Security/CWE-1004/CookieWithoutHttpOnly.qhelp      |  2 +-
 .../Security/CWE-1004/CookieWithoutHttpOnly.ql         | 10 +++++-----
 .../semmle/javascript/security/InsecureCookie.qll      |  6 +++---
 javascript/ql/src/semmle/javascript/dataflow/Nodes.qll |  3 ---
 4 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.qhelp b/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.qhelp
index 8f885614df4..d674c97aef0 100644
--- a/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.qhelp
+++ b/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.qhelp
@@ -8,7 +8,7 @@ Cross-Site Scripting (XSS) vulnerability the cookie can be stolen by malicious s
 </overview>
 <recommendation>
 
-<p>Protect sensitive cookies, such as related to authentication, by setting <code>HttpOnly</code> to <code>true</code> to make
+<p>Protect sensitive cookies, such as those related to authentication, by setting <code>HttpOnly</code> to <code>true</code> to make
 them not accessible to JavaScript.</p>
 
 </recommendation>
diff --git a/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql b/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql
index 1cc9742e8e4..bcce52ed8ec 100644
--- a/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql
+++ b/javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql
@@ -1,9 +1,9 @@
 /**
  * @name 'HttpOnly' attribute is not set to true
- * @description Omitting the 'HttpOnly' attribute for security sensitive data allows
- *              malicious JavaScript to steal it in case of XSS vulnerability. Always set
- *              'HttpOnly' to 'true' to authentication related cookie to make it
- *              not accessible by JavaScript.
+ * @description Omitting the 'HttpOnly' attribute for security sensitive cookie data allows
+ *              malicious JavaScript to steal it in case of XSS vulnerabilities. Always set
+ *              'HttpOnly' to 'true' for authentication related cookies to make them
+ *              inaccessible from JavaScript.
  * @kind problem
  * @problem.severity warning
  * @precision high
@@ -17,4 +17,4 @@ import experimental.semmle.javascript.security.InsecureCookie::Cookie
 
 from Cookie cookie
 where cookie.isAuthNotHttpOnly()
-select cookie, "Cookie attribute 'HttpOnly' is not set to true."
+select cookie, "Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie."
diff --git a/javascript/ql/src/experimental/semmle/javascript/security/InsecureCookie.qll b/javascript/ql/src/experimental/semmle/javascript/security/InsecureCookie.qll
index 16ad014ef72..0b3406c9dd9 100644
--- a/javascript/ql/src/experimental/semmle/javascript/security/InsecureCookie.qll
+++ b/javascript/ql/src/experimental/semmle/javascript/security/InsecureCookie.qll
@@ -1,7 +1,7 @@
 /**
  * Provides classes for reasoning about cookies added to response without the 'secure' or 'httponly' flag being set.
- * A cookie without the 'secure' flag being set can be intercepted and read by a malicious user.
- * A cookie without the 'httponly' flag being set can be read by an injected JavaScript
+ * - A cookie without the 'secure' flag being set can be intercepted and read by a malicious user.
+ * - A cookie without the 'httponly' flag being set can be read by maliciously injected JavaScript.
  */
 
 import javascript
@@ -64,7 +64,7 @@ module Cookie {
   }
 
   /**
-   * Holds if the string contains sensitive auth keyword, but not antiforgery token.
+   * Holds if `val` looks related to authentication, without being an anti-forgery token.
    */
   bindingset[val]
   private predicate regexpMatchAuth(string val) {
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
index 9044ad39549..9c8d13582c3 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
@@ -165,9 +165,6 @@ class InvokeNode extends DataFlow::SourceNode {
     getOptionsArgument(i).hasPropertyWrite(name, result)
   }
 
-  /**
-   * Holds if the `i`th argument of this invocation is an object literal set to `result`.
-   */
   pragma[noinline]
   private ObjectLiteralNode getOptionsArgument(int i) { result.flowsTo(getArgument(i)) }
 

From 2912c2e7f5609a48a7bf1e9bf7e4b6d7009a568a Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Mon, 3 May 2021 16:58:47 +0200
Subject: [PATCH 0816/1429] C++: Add more CWE tags to queries in the code
 scanning suite.

---
 cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql      | 2 ++
 .../src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql  | 2 +-
 cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql             | 4 ++++
 cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql | 2 ++
 cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql   | 2 ++
 cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql                  | 1 +
 .../Likely Bugs/Underspecified Functions/TooFewArguments.ql   | 3 +++
 cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql   | 2 ++
 cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql    | 1 +
 9 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql b/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
index 1cc7b74375d..ecd11db43fb 100644
--- a/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql	
+++ b/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql	
@@ -9,6 +9,8 @@
  * @id cpp/signed-overflow-check
  * @tags correctness
  *       security
+ *       external/cwe/cwe-128
+ *       external/cwe/cwe-190
  */
 
 import cpp
diff --git a/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql b/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
index ff9afff9e7f..66e18c4f677 100644
--- a/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql	
+++ b/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql	
@@ -7,12 +7,12 @@
  * @kind path-problem
  * @problem.severity warning
  * @precision high
+ * @id cpp/upcast-array-pointer-arithmetic
  * @tags correctness
  *       reliability
  *       security
  *       external/cwe/cwe-119
  *       external/cwe/cwe-843
- * @id cpp/upcast-array-pointer-arithmetic
  */
 
 import cpp
diff --git a/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql b/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
index 029f11dd8c6..3b91de67ece 100644
--- a/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql	
+++ b/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql	
@@ -8,6 +8,10 @@
  * @tags reliability
  *       correctness
  *       security
+ *       external/cwe/cwe-190
+ *       external/cwe/cwe-253
+ *       external/cwe/cwe-573
+ *       external/cwe/cwe-754
  */
 
 import cpp
diff --git a/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql b/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
index 0f112e1ca6f..8feaefa6364 100644
--- a/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql	
+++ b/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql	
@@ -9,6 +9,8 @@
  * @tags reliability
  *       correctness
  *       security
+ *       external/cwe/cwe-233
+ *       external/cwe/cwe-234
  *       external/cwe/cwe-685
  */
 
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql b/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
index 6344addd547..23f27fcfff0 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql	
@@ -8,6 +8,8 @@
  * @id cpp/pointer-overflow-check
  * @tags reliability
  *       security
+ *       external/cwe/cwe-758
+ *       external/cwe/cwe-119
  */
 
 import cpp
diff --git a/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql b/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
index 8e78dab08ab..0d3aee42c54 100644
--- a/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql	
+++ b/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql	
@@ -10,6 +10,7 @@
  * @tags correctness
  *       language-features
  *       security
+ *       external/cwe/cwe-670
  */
 
 import cpp
diff --git a/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql b/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
index fdacae48e07..a4308bebaaa 100644
--- a/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql	
+++ b/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql	
@@ -12,6 +12,9 @@
  * @tags correctness
  *       maintainability
  *       security
+ *       external/cwe/cwe-233
+ *       external/cwe/cwe-234
+ *       external/cwe/cwe-685
  */
 
 import cpp
diff --git a/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql b/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
index 605321b51d0..f599d834319 100644
--- a/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
+++ b/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
@@ -7,6 +7,8 @@
  * @precision high
  * @tags security
  *       external/cwe/cwe-253
+ *       external/cwe/cwe-573
+ *       external/cwe/cwe-754
  *       external/microsoft/C6214
  *       external/microsoft/C6215
  *       external/microsoft/C6216
diff --git a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
index d356ba7bbc4..4bade14f989 100644
--- a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
@@ -9,6 +9,7 @@
  * @id cpp/suspicious-add-sizeof
  * @tags security
  *       external/cwe/cwe-468
+ *       external/cwe/cwe-682
  */
 
 import cpp

From 745a6f6fb4a8c66daf615354f1f6de6c08f7a902 Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Mon, 3 May 2021 17:43:33 +0200
Subject: [PATCH 0817/1429] Getters called on  parameters propagate taint

---
 java/ql/src/Security/CWE/CWE-094/JexlInjection.ql              | 2 +-
 .../semmle/code/java/dataflow/internal/TaintTrackingUtil.qll   | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql b/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
index 80810378dce..c97de906aec 100644
--- a/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
@@ -28,7 +28,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
 
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    any(JexlInjectionAdditionalTaintStep c).step(node1, node2) 
+    any(JexlInjectionAdditionalTaintStep c).step(node1, node2)
   }
 }
 
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index f9278ab815e..00d5b2bb093 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -14,6 +14,7 @@ private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.internal.DataFlowPrivate
 import semmle.code.java.dataflow.FlowSteps
 private import FlowSummaryImpl as FlowSummaryImpl
+private import semmle.code.java.frameworks.JaxWS
 
 /**
  * Holds if taint can flow from `src` to `sink` in zero or more
@@ -263,6 +264,8 @@ private predicate taintPreservingQualifierToMethod(Method m) {
   )
   or
   m.(TaintPreservingCallable).returnsTaintFrom(-1)
+  or
+  exists(JaxRsResourceMethod resourceMethod | m.(GetterMethod).getDeclaringType() = resourceMethod.getAParameter().getType())
 }
 
 private class StringReplaceMethod extends TaintPreservingCallable {

From e68c6e66a5cb7fe70e61badb82206abeb3840007 Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Mon, 3 May 2021 17:53:37 +0200
Subject: [PATCH 0818/1429] Remove qlref file

---
 java/ql/test/query-tests/security/CWE-094/JexlInjection.qlref | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 java/ql/test/query-tests/security/CWE-094/JexlInjection.qlref

diff --git a/java/ql/test/query-tests/security/CWE-094/JexlInjection.qlref b/java/ql/test/query-tests/security/CWE-094/JexlInjection.qlref
deleted file mode 100644
index 63f170df617..00000000000
--- a/java/ql/test/query-tests/security/CWE-094/JexlInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-Security/CWE/CWE-094/JexlInjection.ql
\ No newline at end of file

From dfad1fc7402cd28f2e90fc4c8c43fa1ce1a7b734 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Date: Mon, 3 May 2021 12:58:00 -0400
Subject: [PATCH 0819/1429] [Java] Add support for
 com.google.common.base.MoreObjects#firstNonNull

---
 java/change-notes/2021-05-03-guava-first-non-null.md     | 2 ++
 java/ql/src/semmle/code/java/frameworks/guava/Base.qll   | 3 ++-
 .../ql/test/library-tests/frameworks/guava/TestBase.java | 6 ++++++
 .../guava-30.0/com/google/common/base/MoreObjects.java   | 9 +++++++++
 4 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 java/change-notes/2021-05-03-guava-first-non-null.md
 create mode 100644 java/ql/test/stubs/guava-30.0/com/google/common/base/MoreObjects.java

diff --git a/java/change-notes/2021-05-03-guava-first-non-null.md b/java/change-notes/2021-05-03-guava-first-non-null.md
new file mode 100644
index 00000000000..3cd307d9455
--- /dev/null
+++ b/java/change-notes/2021-05-03-guava-first-non-null.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Increase coverage of the Guava framework by adding support for `com.google.common.base.MoreObjects#firstNonNull`.
diff --git a/java/ql/src/semmle/code/java/frameworks/guava/Base.qll b/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
index 194d723caf5..04a97f79f53 100644
--- a/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
+++ b/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
@@ -35,7 +35,8 @@ private class GuavaBaseCsv extends SummaryModelCsv {
         "com.google.common.base;Splitter;false;splitToList;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Splitter;false;splitToStream;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Splitter$MapSplitter;false;split;(CharSequence);;Argument[0];ReturnValue;taint",
-        "com.google.common.base;Preconditions;false;checkNotNull;;;Argument[0];ReturnValue;value"
+        "com.google.common.base;Preconditions;false;checkNotNull;;;Argument[0];ReturnValue;value",
+        "com.google.common.base;MoreObjects;false;firstNonNull;;;Argument[0..1];ReturnValue;value"
       ]
   }
 }
diff --git a/java/ql/test/library-tests/frameworks/guava/TestBase.java b/java/ql/test/library-tests/frameworks/guava/TestBase.java
index 9ce907f4551..ad75f5cafbf 100644
--- a/java/ql/test/library-tests/frameworks/guava/TestBase.java
+++ b/java/ql/test/library-tests/frameworks/guava/TestBase.java
@@ -60,4 +60,10 @@ class TestBase {
     void test4() {
         sink(Preconditions.checkNotNull(taint())); // $numTaintFlow=1
     }
+
+    void test5() {
+        sink(MoreObjects.firstNonNull(taint(), taint())); // $numTaintFlow=2
+        sink(MoreObjects.firstNonNull(null, taint())); // $numTaintFlow=1
+        sink(MoreObjects.firstNonNull(taint(), null)); // $numTaintFlow=1
+    }
 }
diff --git a/java/ql/test/stubs/guava-30.0/com/google/common/base/MoreObjects.java b/java/ql/test/stubs/guava-30.0/com/google/common/base/MoreObjects.java
new file mode 100644
index 00000000000..3f4912b021b
--- /dev/null
+++ b/java/ql/test/stubs/guava-30.0/com/google/common/base/MoreObjects.java
@@ -0,0 +1,9 @@
+package com.google.common.base;
+
+import org.checkerframework.checker.nullness.qual.Nullable;
+
+public final class MoreObjects {
+    public static <T> T firstNonNull(@Nullable T first, @Nullable T second) {
+        return null;
+    }
+}
\ No newline at end of file

From 6fa2f1e65391bca48217979532fb39c3edb6e1e1 Mon Sep 17 00:00:00 2001
From: edvraa <80588099+edvraa@users.noreply.github.com>
Date: Tue, 4 May 2021 00:32:01 +0300
Subject: [PATCH 0820/1429] update test message

---
 .../CWE-1004/CookieWithoutHttpOnly.expected   | 40 +++++++++----------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected b/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
index 52a9ec99832..fb523cbb315 100644
--- a/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.expected
@@ -1,20 +1,20 @@
-| test_cookie-session.js:12:9:16:2 | session ...  BAD\\n}) | Cookie attribute 'HttpOnly' is not set to true. |
-| test_cookie-session.js:30:9:30:21 | session(sess) | Cookie attribute 'HttpOnly' is not set to true. |
-| test_cookie-session.js:39:9:39:22 | session(sess2) | Cookie attribute 'HttpOnly' is not set to true. |
-| test_cookie-session.js:48:9:48:22 | session(sess3) | Cookie attribute 'HttpOnly' is not set to true. |
-| test_cookie-session.js:52:9:56:2 | session ...  BAD\\n}) | Cookie attribute 'HttpOnly' is not set to true. |
-| test_express-session.js:11:9:15:2 | session ...  BAD\\n}) | Cookie attribute 'HttpOnly' is not set to true. |
-| test_express-session.js:28:9:32:2 | session ... tter\\n}) | Cookie attribute 'HttpOnly' is not set to true. |
-| test_httpserver.js:7:37:7:48 | "auth=ninja" | Cookie attribute 'HttpOnly' is not set to true. |
-| test_httpserver.js:27:37:27:70 | ["auth= ... cript"] | Cookie attribute 'HttpOnly' is not set to true. |
-| test_httpserver.js:57:37:57:80 | ["auth= ... cript"] | Cookie attribute 'HttpOnly' is not set to true. |
-| test_httpserver.js:87:37:87:59 | `sessio ... {attr}` | Cookie attribute 'HttpOnly' is not set to true. |
-| test_responseCookie.js:15:5:20:10 | res.coo ...      }) | Cookie attribute 'HttpOnly' is not set to true. |
-| test_responseCookie.js:25:5:28:10 | res.coo ...      }) | Cookie attribute 'HttpOnly' is not set to true. |
-| test_responseCookie.js:48:5:48:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
-| test_responseCookie.js:56:5:56:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
-| test_responseCookie.js:65:5:65:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
-| test_responseCookie.js:84:5:84:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
-| test_responseCookie.js:95:5:95:41 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
-| test_responseCookie.js:106:5:106:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
-| test_responseCookie.js:117:5:117:40 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true. |
+| test_cookie-session.js:12:9:16:2 | session ...  BAD\\n}) | Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie. |
+| test_cookie-session.js:30:9:30:21 | session(sess) | Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie. |
+| test_cookie-session.js:39:9:39:22 | session(sess2) | Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie. |
+| test_cookie-session.js:48:9:48:22 | session(sess3) | Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie. |
+| test_cookie-session.js:52:9:56:2 | session ...  BAD\\n}) | Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie. |
+| test_express-session.js:11:9:15:2 | session ...  BAD\\n}) | Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie. |
+| test_express-session.js:28:9:32:2 | session ... tter\\n}) | Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie. |
+| test_httpserver.js:7:37:7:48 | "auth=ninja" | Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie. |
+| test_httpserver.js:27:37:27:70 | ["auth= ... cript"] | Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie. |
+| test_httpserver.js:57:37:57:80 | ["auth= ... cript"] | Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie. |
+| test_httpserver.js:87:37:87:59 | `sessio ... {attr}` | Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie. |
+| test_responseCookie.js:15:5:20:10 | res.coo ...      }) | Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie. |
+| test_responseCookie.js:25:5:28:10 | res.coo ...      }) | Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie. |
+| test_responseCookie.js:48:5:48:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie. |
+| test_responseCookie.js:56:5:56:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie. |
+| test_responseCookie.js:65:5:65:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie. |
+| test_responseCookie.js:84:5:84:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie. |
+| test_responseCookie.js:95:5:95:41 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie. |
+| test_responseCookie.js:106:5:106:43 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie. |
+| test_responseCookie.js:117:5:117:40 | res.coo ... ptions) | Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie. |

From edf1a90161bdb4c4fbfe25d3cc35e8f8925d98df Mon Sep 17 00:00:00 2001
From: yo-h <55373593+yo-h@users.noreply.github.com>
Date: Mon, 3 May 2021 11:34:18 -0400
Subject: [PATCH 0821/1429] Java: split extractor diagnostics query into two

---
 .../src/Diagnostics/DiagnosticsReporting.qll   | 18 ++++++++++++++++--
 java/ql/src/Diagnostics/ExtractionErrors.ql    |  2 +-
 java/ql/src/Diagnostics/ExtractionWarnings.ql  | 13 +++++++++++++
 3 files changed, 30 insertions(+), 3 deletions(-)
 create mode 100644 java/ql/src/Diagnostics/ExtractionWarnings.ql

diff --git a/java/ql/src/Diagnostics/DiagnosticsReporting.qll b/java/ql/src/Diagnostics/DiagnosticsReporting.qll
index 76ce4cdfd50..72403ea120f 100644
--- a/java/ql/src/Diagnostics/DiagnosticsReporting.qll
+++ b/java/ql/src/Diagnostics/DiagnosticsReporting.qll
@@ -51,12 +51,26 @@ private predicate unknownErrors(@diagnostic d, string msg, int sev) {
 
 /**
  * Holds if an extraction error or warning occurred that should be reported to end users,
- * with the error message `msg` and SARIF severity `sev`.
+ * with the message `msg` and SARIF severity `sev`.
  */
 predicate reportableDiagnostics(@diagnostic d, string msg, int sev) {
-  knownWarnings(d, msg, sev) or knownErrors(d, msg, sev) or unknownErrors(d, msg, sev)
+  reportableWarnings(d, msg, sev) or reportableErrors(d, msg, sev)
 }
 
+/**
+ * Holds if an extraction error occurred that should be reported to end users,
+ * with the message `msg` and SARIF severity `sev`.
+ */
+predicate reportableErrors(@diagnostic d, string msg, int sev) {
+  knownErrors(d, msg, sev) or unknownErrors(d, msg, sev)
+}
+
+/**
+ * Holds if an extraction warning occurred that should be reported to end users,
+ * with the message `msg` and SARIF severity `sev`.
+ */
+predicate reportableWarnings(@diagnostic d, string msg, int sev) { knownWarnings(d, msg, sev) }
+
 /**
  * Holds if compilation unit `f` is a source file that has
  * no relevant extraction diagnostics associated with it.
diff --git a/java/ql/src/Diagnostics/ExtractionErrors.ql b/java/ql/src/Diagnostics/ExtractionErrors.ql
index 8b045df256e..d9a3da2767a 100644
--- a/java/ql/src/Diagnostics/ExtractionErrors.ql
+++ b/java/ql/src/Diagnostics/ExtractionErrors.ql
@@ -9,5 +9,5 @@ import java
 import DiagnosticsReporting
 
 from string msg, int sev
-where reportableDiagnostics(_, msg, sev)
+where reportableErrors(_, msg, sev)
 select msg, sev
diff --git a/java/ql/src/Diagnostics/ExtractionWarnings.ql b/java/ql/src/Diagnostics/ExtractionWarnings.ql
new file mode 100644
index 00000000000..52d173d469e
--- /dev/null
+++ b/java/ql/src/Diagnostics/ExtractionWarnings.ql
@@ -0,0 +1,13 @@
+/**
+ * @name Extraction warnings
+ * @description A list of extraction warnings for files in the source code directory.
+ * @kind diagnostic
+ * @id java/diagnostics/extraction-warnings
+ */
+
+import java
+import DiagnosticsReporting
+
+from string msg, int sev
+where reportableWarnings(_, msg, sev)
+select msg, sev

From 703fbf139aaf828b1bd954f5b60714036a99df64 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Tue, 4 May 2021 02:54:49 +0000
Subject: [PATCH 0822/1429] Add more methods and update the library name

---
 .../CWE/CWE-094/JPythonInjection.java         |  48 ------
 .../CWE/CWE-094/JPythonInjection.qhelp        |  34 -----
 .../Security/CWE/CWE-094/JPythonInjection.ql  |  68 ---------
 .../Security/CWE/CWE-094/JythonInjection.java |  47 ++++++
 .../CWE/CWE-094/JythonInjection.qhelp         |  34 +++++
 .../Security/CWE/CWE-094/JythonInjection.ql   | 123 +++++++++++++++
 .../CWE-094/JPythonInjection.expected         |  11 --
 .../security/CWE-094/JPythonInjection.java    |  64 --------
 .../security/CWE-094/JPythonInjection.qlref   |   1 -
 .../security/CWE-094/JythonInjection.expected |  21 +++
 .../security/CWE-094/JythonInjection.java     | 144 ++++++++++++++++++
 .../security/CWE-094/JythonInjection.qlref    |   1 +
 .../query-tests/security/CWE-094/options      |   2 +-
 .../org/python/antlr/base/mod.java            |   5 +
 .../org/python/core/BytecodeLoader.java       |  47 ++++++
 .../org/python/core/CompileMode.java          |  11 ++
 .../org/python/core/CompilerFlags.java        |  17 +++
 .../jython-2.7.2/org/python/core/Py.java      | 134 ++++++++++++++++
 .../org/python/core/PyCode.java               |   0
 .../org/python/core/PyException.java          |   0
 .../org/python/core/PyObject.java             |   0
 .../org/python/core/PySystemState.java        |   0
 .../org/python/core/ThreadState.java          |   0
 .../python/util/InteractiveInterpreter.java   | 114 ++++++++++++++
 .../org/python/util/PythonInterpreter.java    |   0
 25 files changed, 699 insertions(+), 227 deletions(-)
 delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.java
 delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.qhelp
 delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.ql
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.java
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.qhelp
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.expected
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.java
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.qlref
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.qlref
 create mode 100644 java/ql/test/stubs/jython-2.7.2/org/python/antlr/base/mod.java
 create mode 100644 java/ql/test/stubs/jython-2.7.2/org/python/core/BytecodeLoader.java
 create mode 100644 java/ql/test/stubs/jython-2.7.2/org/python/core/CompileMode.java
 create mode 100644 java/ql/test/stubs/jython-2.7.2/org/python/core/CompilerFlags.java
 create mode 100644 java/ql/test/stubs/jython-2.7.2/org/python/core/Py.java
 rename java/ql/test/stubs/{jpython-2.7.2 => jython-2.7.2}/org/python/core/PyCode.java (100%)
 rename java/ql/test/stubs/{jpython-2.7.2 => jython-2.7.2}/org/python/core/PyException.java (100%)
 rename java/ql/test/stubs/{jpython-2.7.2 => jython-2.7.2}/org/python/core/PyObject.java (100%)
 rename java/ql/test/stubs/{jpython-2.7.2 => jython-2.7.2}/org/python/core/PySystemState.java (100%)
 rename java/ql/test/stubs/{jpython-2.7.2 => jython-2.7.2}/org/python/core/ThreadState.java (100%)
 create mode 100644 java/ql/test/stubs/jython-2.7.2/org/python/util/InteractiveInterpreter.java
 rename java/ql/test/stubs/{jpython-2.7.2 => jython-2.7.2}/org/python/util/PythonInterpreter.java (100%)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.java b/java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.java
deleted file mode 100644
index 13db6830a71..00000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.java
+++ /dev/null
@@ -1,48 +0,0 @@
-public class JPythonInjection extends HttpServlet {
-    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-        response.setContentType("text/plain");
-        String code = request.getParameter("code");
-        PythonInterpreter interpreter = null;
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-
-        try {
-          interpreter = new PythonInterpreter();
-          interpreter.setOut(out);
-          interpreter.setErr(out);
-
-          // BAD: allow arbitrary JPython expression to execute
-          interpreter.exec(code);
-          out.flush();
-
-          response.getWriter().print(out.toString());
-        } catch(PyException ex) {
-            response.getWriter().println(ex.getMessage());
-        } finally {
-            if (interpreter != null) {
-              interpreter.close();
-            }
-            out.close();
-        }
-    }
-
-    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-      response.setContentType("text/plain");
-      String code = request.getParameter("code");
-      PythonInterpreter interpreter = null;
-
-      try {
-        interpreter = new PythonInterpreter();
-        // BAD: allow arbitrary JPython expression to evaluate
-        PyObject py = interpreter.eval(code);
-
-        response.getWriter().print(py.toString());
-      } catch(PyException ex) {
-          response.getWriter().println(ex.getMessage());
-      } finally {
-          if (interpreter != null) {
-            interpreter.close();
-          }
-      }
-  }
-}
-
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.qhelp
deleted file mode 100644
index dddbb2d618a..00000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.qhelp
+++ /dev/null
@@ -1,34 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-
-<overview>
-<p>Python has been the most widely used programming language in recent years, and JPython
-  is a popular Java implementation of Python. It allows embedded Python scripting inside 
-  Java applications and provides an interactive interpreter that can be used to interact 
-  with Java packages or with running Java applications. If an expression is built using 
-  attacker-controlled data and then evaluated, it may allow the attacker to run arbitrary 
-  code.</p>
-</overview>
-
-<recommendation>
-<p>In general, including user input in JPython expression should be avoided. If user input 
-  must be included in an expression, it should be then evaluated in a safe context that 
-  doesn't allow arbitrary code invocation.</p>
-</recommendation>
-
-<example>
-<p>The following code could execute random code in JPython Interpreter</p>
-<sample src="JPythonInjection.java" />
-</example>
-
-<references>
-<li>
-  JPython Organization: <a href="https://jython.readthedocs.io/en/latest/JythonAndJavaIntegration/">JPython and Java Integration</a>
-</li>
-<li>
-  PortSwigger: <a href="https://portswigger.net/kb/issues/00100f10_python-code-injection">Python code injection</a>
-</li>
-</references>
-</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.ql
deleted file mode 100644
index a6621d89c26..00000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.ql
+++ /dev/null
@@ -1,68 +0,0 @@
-/**
- * @name Injection in JPython
- * @description Evaluation of a user-controlled malicious expression in JPython
- *              may lead to remote code execution.
- * @kind path-problem
- * @id java/jpython-injection
- * @tags security
- *       external/cwe/cwe-094
- *       external/cwe/cwe-095
- */
-
-import java
-import semmle.code.java.dataflow.FlowSources
-import DataFlow::PathGraph
-
-/** The class `org.python.util.PythonInterpreter`. */
-class PythonInterpreter extends RefType {
-  PythonInterpreter() { this.hasQualifiedName("org.python.util", "PythonInterpreter") }
-}
-
-/** A method that evaluates, compiles or executes a JPython expression. */
-class InterpretExprMethod extends Method {
-  InterpretExprMethod() {
-    this.getDeclaringType().getAnAncestor*() instanceof PythonInterpreter and
-    (
-      hasName("exec") or
-      hasName("eval") or
-      hasName("compile")
-    )
-  }
-}
-
-/** Holds if a JPython expression if evaluated, compiled or executed. */
-predicate runCode(MethodAccess ma, Expr sink) {
-  exists(Method m | m = ma.getMethod() |
-    m instanceof InterpretExprMethod and
-    sink = ma.getArgument(0)
-  )
-}
-
-/** Sink of an expression interpreted by JPython interpreter. */
-class CodeInjectionSink extends DataFlow::ExprNode {
-  CodeInjectionSink() { runCode(_, this.getExpr()) }
-
-  MethodAccess getMethodAccess() { runCode(result, this.getExpr()) }
-}
-
-class CodeInjectionConfiguration extends TaintTracking::Configuration {
-  CodeInjectionConfiguration() { this = "CodeInjectionConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource
-    or
-    source instanceof LocalUserInput
-  }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    // @RequestBody MyQueryObj query; interpreter.exec(query.getInterpreterCode());
-    exists(MethodAccess ma | ma.getQualifier() = node1.asExpr() and ma = node2.asExpr())
-  }
-}
-
-from DataFlow::PathNode source, DataFlow::PathNode sink, CodeInjectionConfiguration conf
-where conf.hasFlowPath(source, sink)
-select sink.getNode().(CodeInjectionSink).getMethodAccess(), source, sink, "JPython evaluate $@.",
-  source.getNode(), "user input"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.java b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.java
new file mode 100644
index 00000000000..fca518443d1
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.java
@@ -0,0 +1,47 @@
+public class JythonInjection extends HttpServlet {
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        response.setContentType("text/plain");
+        String code = request.getParameter("code");
+        PythonInterpreter interpreter = null;
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+
+        try {
+            interpreter = new PythonInterpreter();
+            interpreter.setOut(out);
+            interpreter.setErr(out);
+
+            // BAD: allow arbitrary Jython expression to execute
+            interpreter.exec(code);
+            out.flush();
+
+            response.getWriter().print(out.toString());
+        } catch(PyException ex) {
+            response.getWriter().println(ex.getMessage());
+        } finally {
+            if (interpreter != null) {
+                interpreter.close();
+            }
+            out.close();
+        }
+    }
+
+    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        response.setContentType("text/plain");
+        String code = request.getParameter("code");
+        PythonInterpreter interpreter = null;
+
+        try {
+            interpreter = new PythonInterpreter();
+            // BAD: allow arbitrary Jython expression to evaluate
+            PyObject py = interpreter.eval(code);
+
+            response.getWriter().print(py.toString());
+        } catch(PyException ex) {
+            response.getWriter().println(ex.getMessage());
+        } finally {
+            if (interpreter != null) {
+                interpreter.close();
+            }
+        }
+    }
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.qhelp
new file mode 100644
index 00000000000..8916296f93b
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.qhelp
@@ -0,0 +1,34 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Python has been the most widely used programming language in recent years, and Jython
+  (formerly known as JPython) is a popular Java implementation of Python. It allows 
+  embedded Python scripting inside Java applications and provides an interactive interpreter
+  that can be used to interact with Java packages or with running Java applications. If an 
+  expression is built using attacker-controlled data and then evaluated, it may allow the 
+  attacker to run arbitrary code.</p>
+</overview>
+
+<recommendation>
+<p>In general, including user input in Jython expression should be avoided. If user input 
+  must be included in an expression, it should be then evaluated in a safe context that 
+  doesn't allow arbitrary code invocation.</p>
+</recommendation>
+
+<example>
+<p>The following code could execute arbitrary code in Jython Interpreter</p>
+<sample src="JythonInjection.java" />
+</example>
+
+<references>
+<li>
+  Jython Organization: <a href="https://jython.readthedocs.io/en/latest/JythonAndJavaIntegration/">Jython and Java Integration</a>
+</li>
+<li>
+  PortSwigger: <a href="https://portswigger.net/kb/issues/00100f10_python-code-injection">Python code injection</a>
+</li>
+</references>
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
new file mode 100644
index 00000000000..088c33e00fd
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
@@ -0,0 +1,123 @@
+/**
+ * @name Injection in Jython
+ * @description Evaluation of a user-controlled malicious expression in Java Python
+ *              interpreter may lead to remote code execution.
+ * @kind path-problem
+ * @id java/jython-injection
+ * @tags security
+ *       external/cwe/cwe-094
+ *       external/cwe/cwe-095
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import DataFlow::PathGraph
+
+/** The class `org.python.util.PythonInterpreter`. */
+class PythonInterpreter extends RefType {
+  PythonInterpreter() { this.hasQualifiedName("org.python.util", "PythonInterpreter") }
+}
+
+/** A method that evaluates, compiles or executes a Jython expression. */
+class InterpretExprMethod extends Method {
+  InterpretExprMethod() {
+    this.getDeclaringType().getAnAncestor*() instanceof PythonInterpreter and
+    (
+      getName().matches("exec%") or
+      hasName("eval") or
+      hasName("compile") or
+      getName().matches("run%")
+    )
+  }
+}
+
+/** The class `org.python.core.BytecodeLoader`. */
+class BytecodeLoader extends RefType {
+  BytecodeLoader() { this.hasQualifiedName("org.python.core", "BytecodeLoader") }
+}
+
+/** Holds if a Jython expression if evaluated, compiled or executed. */
+predicate runCode(MethodAccess ma, Expr sink) {
+  exists(Method m | m = ma.getMethod() |
+    m instanceof InterpretExprMethod and
+    sink = ma.getArgument(0)
+  )
+}
+
+/** A method that loads Java class data. */
+class LoadClassMethod extends Method {
+  LoadClassMethod() {
+    this.getDeclaringType().getAnAncestor*() instanceof BytecodeLoader and
+    (
+      hasName("makeClass") or
+      hasName("makeCode")
+    )
+  }
+}
+
+/** Holds if a Java class file is loaded. */
+predicate loadClass(MethodAccess ma, Expr sink) {
+  exists(Method m, int i | m = ma.getMethod() |
+    m instanceof LoadClassMethod and
+    m.getParameter(i).getType() instanceof Array and // makeClass(java.lang.String name, byte[] data, ...)
+    sink = ma.getArgument(i)
+  )
+}
+
+/** The class `org.python.core.Py`. */
+class Py extends RefType {
+  Py() { this.hasQualifiedName("org.python.core", "Py") }
+}
+
+/** A method that compiles code with `Py`. */
+class PyCompileMethod extends Method {
+  PyCompileMethod() {
+    this.getDeclaringType().getAnAncestor*() instanceof Py and
+    getName().matches("compile%")
+  }
+}
+
+/** Holds if source code is compiled with `PyCompileMethod`. */
+predicate compile(MethodAccess ma, Expr sink) {
+  exists(Method m | m = ma.getMethod() |
+    m instanceof PyCompileMethod and
+    sink = ma.getArgument(0)
+  )
+}
+
+/** Sink of an expression loaded by Jython. */
+class CodeInjectionSink extends DataFlow::ExprNode {
+  CodeInjectionSink() {
+    runCode(_, this.getExpr()) or
+    loadClass(_, this.getExpr()) or
+    compile(_, this.getExpr())
+  }
+
+  MethodAccess getMethodAccess() {
+    runCode(result, this.getExpr()) or
+    loadClass(result, this.getExpr()) or
+    compile(result, this.getExpr())
+  }
+}
+
+class CodeInjectionConfiguration extends TaintTracking::Configuration {
+  CodeInjectionConfiguration() { this = "CodeInjectionConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource
+    or
+    source instanceof LocalUserInput
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // @RequestBody MyQueryObj query; interpreter.exec(query.getInterpreterCode());
+    exists(MethodAccess ma | ma.getQualifier() = node1.asExpr() and ma = node2.asExpr())
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, CodeInjectionConfiguration conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode().(CodeInjectionSink).getMethodAccess(), source, sink, "Jython evaluate $@.",
+  source.getNode(), "user input"
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.expected
deleted file mode 100644
index f5816001939..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.expected
+++ /dev/null
@@ -1,11 +0,0 @@
-edges
-| JPythonInjection.java:22:23:22:50 | getParameter(...) : String | JPythonInjection.java:30:28:30:31 | code |
-| JPythonInjection.java:47:21:47:48 | getParameter(...) : String | JPythonInjection.java:52:40:52:43 | code |
-nodes
-| JPythonInjection.java:22:23:22:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JPythonInjection.java:30:28:30:31 | code | semmle.label | code |
-| JPythonInjection.java:47:21:47:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JPythonInjection.java:52:40:52:43 | code | semmle.label | code |
-#select
-| JPythonInjection.java:30:11:30:32 | exec(...) | JPythonInjection.java:22:23:22:50 | getParameter(...) : String | JPythonInjection.java:30:28:30:31 | code | JPython evaluate $@. | JPythonInjection.java:22:23:22:50 | getParameter(...) | user input |
-| JPythonInjection.java:52:23:52:44 | eval(...) | JPythonInjection.java:47:21:47:48 | getParameter(...) : String | JPythonInjection.java:52:40:52:43 | code | JPython evaluate $@. | JPythonInjection.java:47:21:47:48 | getParameter(...) | user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.java b/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.java
deleted file mode 100644
index a0515eb4212..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.java
+++ /dev/null
@@ -1,64 +0,0 @@
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.python.core.PyObject;
-import org.python.core.PyException;
-import org.python.util.PythonInterpreter;
-
-public class JPythonInjection extends HttpServlet {
-    private static final long serialVersionUID = 1L;
-       
-    public JPythonInjection() {
-        super();
-    }
-
-    // BAD: allow arbitrary JPython expression to execute
-    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-        response.setContentType("text/plain");
-        String code = request.getParameter("code");
-        PythonInterpreter interpreter = null;
-        ByteArrayOutputStream out = new ByteArrayOutputStream();
-
-        try {
-          interpreter = new PythonInterpreter();
-          interpreter.setOut(out);
-          interpreter.setErr(out);
-          interpreter.exec(code);
-          out.flush();
-
-          response.getWriter().print(out.toString());
-        } catch(PyException ex) {
-            response.getWriter().println(ex.getMessage());
-        } finally {
-            if (interpreter != null) {
-              interpreter.close();
-            }
-            out.close();
-        }
-    }
-
-    // BAD: allow arbitrary JPython expression to evaluate
-    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-      response.setContentType("text/plain");
-      String code = request.getParameter("code");
-      PythonInterpreter interpreter = null;
-
-      try {
-        interpreter = new PythonInterpreter();
-        PyObject py = interpreter.eval(code);
-
-        response.getWriter().print(py.toString());
-      } catch(PyException ex) {
-          response.getWriter().println(ex.getMessage());
-      } finally {
-          if (interpreter != null) {
-            interpreter.close();
-          }
-      }
-  }
-}
-
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.qlref
deleted file mode 100644
index 80217a193bd..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-094/JPythonInjection.ql
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.expected
new file mode 100644
index 00000000000..4f66cc83fbd
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.expected
@@ -0,0 +1,21 @@
+edges
+| JythonInjection.java:28:23:28:50 | getParameter(...) : String | JythonInjection.java:36:30:36:33 | code |
+| JythonInjection.java:53:23:53:50 | getParameter(...) : String | JythonInjection.java:58:44:58:47 | code |
+| JythonInjection.java:73:23:73:50 | getParameter(...) : String | JythonInjection.java:81:35:81:38 | code |
+| JythonInjection.java:97:23:97:50 | getParameter(...) : String | JythonInjection.java:106:61:106:75 | getBytes(...) |
+nodes
+| JythonInjection.java:28:23:28:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JythonInjection.java:36:30:36:33 | code | semmle.label | code |
+| JythonInjection.java:53:23:53:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JythonInjection.java:58:44:58:47 | code | semmle.label | code |
+| JythonInjection.java:73:23:73:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JythonInjection.java:81:35:81:38 | code | semmle.label | code |
+| JythonInjection.java:97:23:97:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JythonInjection.java:106:61:106:75 | getBytes(...) | semmle.label | getBytes(...) |
+| JythonInjection.java:131:40:131:63 | getInputStream(...) | semmle.label | getInputStream(...) |
+#select
+| JythonInjection.java:36:13:36:34 | exec(...) | JythonInjection.java:28:23:28:50 | getParameter(...) : String | JythonInjection.java:36:30:36:33 | code | Jython evaluate $@. | JythonInjection.java:28:23:28:50 | getParameter(...) | user input |
+| JythonInjection.java:58:27:58:48 | eval(...) | JythonInjection.java:53:23:53:50 | getParameter(...) : String | JythonInjection.java:58:44:58:47 | code | Jython evaluate $@. | JythonInjection.java:53:23:53:50 | getParameter(...) | user input |
+| JythonInjection.java:81:13:81:39 | runsource(...) | JythonInjection.java:73:23:73:50 | getParameter(...) : String | JythonInjection.java:81:35:81:38 | code | Jython evaluate $@. | JythonInjection.java:73:23:73:50 | getParameter(...) | user input |
+| JythonInjection.java:106:29:106:134 | makeCode(...) | JythonInjection.java:97:23:97:50 | getParameter(...) : String | JythonInjection.java:106:61:106:75 | getBytes(...) | Jython evaluate $@. | JythonInjection.java:97:23:97:50 | getParameter(...) | user input |
+| JythonInjection.java:131:29:131:109 | compile(...) | JythonInjection.java:131:40:131:63 | getInputStream(...) | JythonInjection.java:131:40:131:63 | getInputStream(...) | Jython evaluate $@. | JythonInjection.java:131:40:131:63 | getInputStream(...) | user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.java b/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.java
new file mode 100644
index 00000000000..682e8af5113
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.java
@@ -0,0 +1,144 @@
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.python.core.BytecodeLoader;
+import org.python.core.Py;
+import org.python.core.PyCode;
+import org.python.core.PyException;
+import org.python.core.PyObject;
+import org.python.util.InteractiveInterpreter;
+import org.python.util.PythonInterpreter;
+
+public class JythonInjection extends HttpServlet {
+    private static final long serialVersionUID = 1L;
+       
+    public JythonInjection() {
+        super();
+    }
+
+    // BAD: allow arbitrary Jython expression to execute
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        response.setContentType("text/plain");
+        String code = request.getParameter("code");
+        PythonInterpreter interpreter = null;
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+
+        try {
+            interpreter = new PythonInterpreter();
+            interpreter.setOut(out);
+            interpreter.setErr(out);
+            interpreter.exec(code);
+            out.flush();
+
+            response.getWriter().print(out.toString());
+        } catch(PyException ex) {
+            response.getWriter().println(ex.getMessage());
+        } finally {
+            if (interpreter != null) {
+                interpreter.close();
+            }
+            out.close();
+        }
+    }
+
+    // BAD: allow arbitrary Jython expression to evaluate
+    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        response.setContentType("text/plain");
+        String code = request.getParameter("code");
+        PythonInterpreter interpreter = null;
+
+        try {
+            interpreter = new PythonInterpreter();
+            PyObject py = interpreter.eval(code);
+
+            response.getWriter().print(py.toString());
+        } catch(PyException ex) {
+            response.getWriter().println(ex.getMessage());
+        } finally {
+            if (interpreter != null) {
+                interpreter.close();
+            }
+        }
+    }
+
+    // BAD: allow arbitrary Jython expression to run
+    protected void doPut(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        response.setContentType("text/plain");
+        String code = request.getParameter("code");
+        InteractiveInterpreter interpreter = null;
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+
+        try {
+            interpreter = new InteractiveInterpreter();
+            interpreter.setOut(out);
+            interpreter.setErr(out);
+            interpreter.runsource(code);
+            out.flush();
+
+            response.getWriter().print(out.toString());
+        } catch(PyException ex) {
+            response.getWriter().println(ex.getMessage());
+        } finally {
+            if (interpreter != null) {
+                interpreter.close();
+            }
+        }
+    }
+
+    // BAD: load arbitrary class file to execute
+    protected void doTrace(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        response.setContentType("text/plain");
+        String code = request.getParameter("code");
+        PythonInterpreter interpreter = null;
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+
+        try {
+            interpreter = new PythonInterpreter();
+            interpreter.setOut(out);
+            interpreter.setErr(out);
+          
+            PyCode pyCode = BytecodeLoader.makeCode("test", code.getBytes(), getServletContext().getRealPath("/com/example/test.pyc"));
+            interpreter.exec(pyCode);
+            out.flush();
+
+            response.getWriter().print(out.toString());
+        } catch(PyException ex) {
+            response.getWriter().println(ex.getMessage());
+        } finally {
+            if (interpreter != null) {
+                interpreter.close();
+            }
+        }
+    }
+
+    // BAD: Compile Python code to execute
+    protected void doHead(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        response.setContentType("text/plain");
+        PythonInterpreter interpreter = null;
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+
+        try {
+            interpreter = new PythonInterpreter();
+            interpreter.setOut(out);
+            interpreter.setErr(out);
+        
+            PyCode pyCode = Py.compile(request.getInputStream(), "Test.py", org.python.core.CompileMode.eval);
+            interpreter.exec(pyCode);
+            out.flush();
+
+            response.getWriter().print(out.toString());
+        } catch(PyException ex) {
+            response.getWriter().println(ex.getMessage());
+        } finally {
+            if (interpreter != null) {
+                interpreter.close();
+            }
+        }
+    }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.qlref
new file mode 100644
index 00000000000..0ba9fd60621
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-094/JythonInjection.ql
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/options b/java/ql/test/experimental/query-tests/security/CWE-094/options
index ccf3a24f215..95bc9acaa08 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/options
@@ -1,2 +1,2 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jpython-2.7.2
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2
 
diff --git a/java/ql/test/stubs/jython-2.7.2/org/python/antlr/base/mod.java b/java/ql/test/stubs/jython-2.7.2/org/python/antlr/base/mod.java
new file mode 100644
index 00000000000..785212f62fa
--- /dev/null
+++ b/java/ql/test/stubs/jython-2.7.2/org/python/antlr/base/mod.java
@@ -0,0 +1,5 @@
+// Autogenerated AST node
+package org.python.antlr.base;
+
+public abstract class mod {
+}
diff --git a/java/ql/test/stubs/jython-2.7.2/org/python/core/BytecodeLoader.java b/java/ql/test/stubs/jython-2.7.2/org/python/core/BytecodeLoader.java
new file mode 100644
index 00000000000..e414216ed03
--- /dev/null
+++ b/java/ql/test/stubs/jython-2.7.2/org/python/core/BytecodeLoader.java
@@ -0,0 +1,47 @@
+// Copyright (c) Corporation for National Research Initiatives
+package org.python.core;
+
+import java.util.List;
+
+/**
+ * Utility class for loading compiled Python modules and Java classes defined in Python modules.
+ */
+public class BytecodeLoader {
+
+    /**
+     * Turn the Java class file data into a Java class.
+     *
+     * @param name fully-qualified binary name of the class
+     * @param data a class file as a byte array
+     * @param referents super-classes and interfaces that the new class will reference.
+     */
+    @SuppressWarnings("unchecked")
+    public static Class<?> makeClass(String name, byte[] data, Class<?>... referents) {
+        return null;
+    }
+
+    /**
+     * Turn the Java class file data into a Java class.
+     *
+     * @param name the name of the class
+     * @param referents super-classes and interfaces that the new class will reference.
+     * @param data a class file as a byte array
+     */
+    public static Class<?> makeClass(String name, List<Class<?>> referents, byte[] data) {
+        return null;
+    }
+
+    /**
+     * Turn the Java class file data for a compiled Python module into a {@code PyCode} object, by
+     * constructing an instance of the named class and calling the instance's
+     * {@link PyRunnable#getMain()}.
+     *
+     * @param name fully-qualified binary name of the class
+     * @param data a class file as a byte array
+     * @param filename to provide to the constructor of the named class
+     * @return the {@code PyCode} object produced by the named class' {@code getMain}
+     */
+    public static PyCode makeCode(String name, byte[] data, String filename) {
+        return null;
+    }
+}
diff --git a/java/ql/test/stubs/jython-2.7.2/org/python/core/CompileMode.java b/java/ql/test/stubs/jython-2.7.2/org/python/core/CompileMode.java
new file mode 100644
index 00000000000..cf7ad1e7201
--- /dev/null
+++ b/java/ql/test/stubs/jython-2.7.2/org/python/core/CompileMode.java
@@ -0,0 +1,11 @@
+package org.python.core;
+
+public enum CompileMode {
+    eval,
+    single,
+    exec;
+
+    public static CompileMode getMode(String mode) {
+        return null;
+    }
+}
diff --git a/java/ql/test/stubs/jython-2.7.2/org/python/core/CompilerFlags.java b/java/ql/test/stubs/jython-2.7.2/org/python/core/CompilerFlags.java
new file mode 100644
index 00000000000..916b93c84ea
--- /dev/null
+++ b/java/ql/test/stubs/jython-2.7.2/org/python/core/CompilerFlags.java
@@ -0,0 +1,17 @@
+// At some future point this will also be extended - in conjunction with
+// Py#compileFlags - to add
+// support for a compiler factory that user code can choose in place of the
+// normal compiler.
+// (Perhaps a better name might have been "CompilerOptions".)
+
+package org.python.core;
+
+import java.io.Serializable;
+
+public class CompilerFlags implements Serializable {
+    public CompilerFlags() {
+    }
+
+    public CompilerFlags(int co_flags) {
+    }
+}
diff --git a/java/ql/test/stubs/jython-2.7.2/org/python/core/Py.java b/java/ql/test/stubs/jython-2.7.2/org/python/core/Py.java
new file mode 100644
index 00000000000..cc0c9f1e4bd
--- /dev/null
+++ b/java/ql/test/stubs/jython-2.7.2/org/python/core/Py.java
@@ -0,0 +1,134 @@
+// Copyright (c) Corporation for National Research Initiatives
+package org.python.core;
+
+import java.io.InputStream;
+import java.io.Serializable;
+
+import org.python.antlr.base.mod;
+
+public final class Py {
+    /**
+    Convert a given <code>PyObject</code> to an instance of a Java class.
+    Identical to <code>o.__tojava__(c)</code> except that it will
+    raise a <code>TypeError</code> if the conversion fails.
+    @param o the <code>PyObject</code> to convert.
+    @param c the class to convert it to.
+     **/
+    @SuppressWarnings("unchecked")
+    public static <T> T tojava(PyObject o, Class<T> c) {
+        return null;
+    }
+
+    // ??pending: was @deprecated but is actually used by proxie code.
+    // Can get rid of it?
+    public static Object tojava(PyObject o, String s) {
+        return null;
+    }
+
+    /**
+     * Uses the PyObjectAdapter passed to {@link PySystemState#initialize} to turn o into a PyObject.
+     *
+     * @see ClassicPyObjectAdapter - default PyObjectAdapter type
+     */
+    public static PyObject java2py(Object o) {
+        return null;
+    }
+
+    /**
+     * Uses the PyObjectAdapter passed to {@link PySystemState#initialize} to turn
+     * <code>objects</code> into an array of PyObjects.
+     *
+     * @see ClassicPyObjectAdapter - default PyObjectAdapter type
+     */
+    public static PyObject[] javas2pys(Object... objects) {
+        return null;
+    }
+
+    public static PyObject makeClass(String name, PyObject[] bases, PyCode code,
+                                     PyObject[] closure_cells) {
+        return null;
+    }
+
+    public static PyObject makeClass(String name, PyObject base, PyObject dict) {
+        return null;
+    }
+
+    /**
+     * Create a new Python class.
+     *
+     * @param name the String name of the class
+     * @param bases an array of PyObject base classes
+     * @param dict the class's namespace, containing the class body
+     * definition
+     * @return a new Python Class PyObject
+     */
+    public static PyObject makeClass(String name, PyObject[] bases, PyObject dict) {
+        return null;
+    }
+
+    public static CompilerFlags getCompilerFlags() {
+        return null;
+    }
+
+    public static CompilerFlags getCompilerFlags(int flags, boolean dont_inherit) {
+        return null;
+    }
+
+    public static CompilerFlags getCompilerFlags(CompilerFlags flags, boolean dont_inherit) {
+        return null;
+    }
+
+    // w/o compiler-flags
+    public static PyCode compile(InputStream istream, String filename, CompileMode kind) {
+        return null;
+    }
+
+    /**
+     * Entry point for compiling modules.
+     *
+     * @param node Module node, coming from the parsing process
+     * @param name Internal name for the compiled code. Typically generated by
+     *        calling {@link #getName()}.
+     * @param filename Source file name
+     * @param linenumbers True to track source line numbers on the generated
+     *        code
+     * @param printResults True to call the sys.displayhook on the result of
+     *                     the code
+     * @param cflags Compiler flags
+     * @return Code object for the compiled module
+     */
+    public static PyCode compile_flags(mod node, String name, String filename,
+                                         boolean linenumbers, boolean printResults,
+                                         CompilerFlags cflags) {
+        return null;
+    }
+
+    public static PyCode compile_flags(mod node, String filename,
+                                         CompileMode kind, CompilerFlags cflags) {
+        return null;
+    }
+
+    /**
+     * Compiles python source code coming from a file or another external stream
+     */
+    public static PyCode compile_flags(InputStream istream, String filename,
+                                         CompileMode kind, CompilerFlags cflags) {
+        return null;
+    }
+
+    /**
+     * Compiles python source code coming from String (raw bytes) data.
+     *
+     * If the String is properly decoded (from PyUnicode) the PyCF_SOURCE_IS_UTF8 flag
+     * should be specified.
+     */
+    public static PyCode compile_flags(String data, String filename,
+                                         CompileMode kind, CompilerFlags cflags) {
+        return null;
+    }
+
+    public static PyObject compile_command_flags(String string, String filename,
+            CompileMode kind, CompilerFlags cflags, boolean stdprompt) {
+        return null;
+    }
+}
diff --git a/java/ql/test/stubs/jpython-2.7.2/org/python/core/PyCode.java b/java/ql/test/stubs/jython-2.7.2/org/python/core/PyCode.java
similarity index 100%
rename from java/ql/test/stubs/jpython-2.7.2/org/python/core/PyCode.java
rename to java/ql/test/stubs/jython-2.7.2/org/python/core/PyCode.java
diff --git a/java/ql/test/stubs/jpython-2.7.2/org/python/core/PyException.java b/java/ql/test/stubs/jython-2.7.2/org/python/core/PyException.java
similarity index 100%
rename from java/ql/test/stubs/jpython-2.7.2/org/python/core/PyException.java
rename to java/ql/test/stubs/jython-2.7.2/org/python/core/PyException.java
diff --git a/java/ql/test/stubs/jpython-2.7.2/org/python/core/PyObject.java b/java/ql/test/stubs/jython-2.7.2/org/python/core/PyObject.java
similarity index 100%
rename from java/ql/test/stubs/jpython-2.7.2/org/python/core/PyObject.java
rename to java/ql/test/stubs/jython-2.7.2/org/python/core/PyObject.java
diff --git a/java/ql/test/stubs/jpython-2.7.2/org/python/core/PySystemState.java b/java/ql/test/stubs/jython-2.7.2/org/python/core/PySystemState.java
similarity index 100%
rename from java/ql/test/stubs/jpython-2.7.2/org/python/core/PySystemState.java
rename to java/ql/test/stubs/jython-2.7.2/org/python/core/PySystemState.java
diff --git a/java/ql/test/stubs/jpython-2.7.2/org/python/core/ThreadState.java b/java/ql/test/stubs/jython-2.7.2/org/python/core/ThreadState.java
similarity index 100%
rename from java/ql/test/stubs/jpython-2.7.2/org/python/core/ThreadState.java
rename to java/ql/test/stubs/jython-2.7.2/org/python/core/ThreadState.java
diff --git a/java/ql/test/stubs/jython-2.7.2/org/python/util/InteractiveInterpreter.java b/java/ql/test/stubs/jython-2.7.2/org/python/util/InteractiveInterpreter.java
new file mode 100644
index 00000000000..b12fa617227
--- /dev/null
+++ b/java/ql/test/stubs/jython-2.7.2/org/python/util/InteractiveInterpreter.java
@@ -0,0 +1,114 @@
+// Copyright (c) Corporation for National Research Initiatives
+package org.python.util;
+
+import org.python.core.*;
+
+/**
+ * This class provides the interface for compiling and running code that supports an interactive
+ * interpreter.
+ */
+// Based on CPython-1.5.2's code module
+public class InteractiveInterpreter extends PythonInterpreter {
+
+    /**
+     * Construct an InteractiveInterpreter with all default characteristics: default state (from
+     * {@link Py#getSystemState()}), and a new empty dictionary of local variables.
+     * */
+    public InteractiveInterpreter() {
+    }
+
+    /**
+     * Construct an InteractiveInterpreter with state (from {@link Py#getSystemState()}), and the
+     * specified dictionary of local variables.
+     *
+     * @param locals dictionary to use, or if <code>null</code>, a new empty one will be created
+     */
+    public InteractiveInterpreter(PyObject locals) {
+    }
+
+    /**
+     * Construct an InteractiveInterpreter with, and system state the specified dictionary of local
+     * variables.
+     *
+     * @param locals dictionary to use, or if <code>null</code>, a new empty one will be created
+     * @param systemState interpreter state, or if <code>null</code> use {@link Py#getSystemState()}
+     */
+    public InteractiveInterpreter(PyObject locals, PySystemState systemState) {
+    }
+
+    /**
+     * Compile and run some source in the interpreter, in the mode {@link CompileMode#single} which
+     * is used for incremental compilation at the interactive console, known as {@code <input>}.
+     *
+     * @param source Python code
+     * @return <code>true</code> to indicate a partial statement was entered
+     */
+    public boolean runsource(String source) {
+        return false;
+    }
+
+    /**
+     * Compile and run some source in the interpreter, in the mode {@link CompileMode#single} which
+     * is used for incremental compilation at the interactive console.
+     *
+     * @param source Python code
+     * @param filename name with which to label this console input (e.g. in error messages).
+     * @return <code>true</code> to indicate a partial statement was entered
+     */
+    public boolean runsource(String source, String filename) {
+        return false;
+    }
+
+    /**
+     * Compile and run some source in the interpreter, according to the {@link CompileMode} given.
+     * This method supports incremental compilation and interpretation through the return value,
+     * where {@code true} signifies that more input is expected in order to complete the Python
+     * statement. An interpreter can use this to decide whether to use {@code sys.ps1}
+     * ("{@code >>> }") or {@code sys.ps2} ("{@code ... }") to prompt the next line. The arguments
+     * are the same as the mandatory ones in the Python {@code compile()} command.
+     * <p>
+     * One the following can happen:
+     * <ol>
+     * <li>The input is incorrect; compilation raised an exception (SyntaxError or OverflowError). A
+     * syntax traceback will be printed by calling {@link #showexception(PyException)}. Return is
+     * {@code false}.</li>
+     *
+     * <li>The input is incomplete, and more input is required; compilation returned no code.
+     * Nothing happens. Return is {@code true}.</li>
+     *
+     * <li>The input is complete; compilation returned a code object. The code is executed by
+     * calling {@link #runcode(PyObject)} (which also handles run-time exceptions, except for
+     * SystemExit). Return is {@code false}.</li>
+     * </ol>
+     *
+     * @param source Python code
+     * @param filename name with which to label this console input (e.g. in error messages).
+     * @param kind of compilation required: {@link CompileMode#eval}, {@link CompileMode#exec} or
+     *            {@link CompileMode#single}
+     * @return {@code true} to indicate a partial statement was provided
+     */
+    public boolean runsource(String source, String filename, CompileMode kind) {
+        return false;
+    }
+
+    /**
+     * Execute a code object. When an exception occurs, {@link #showexception(PyException)} is
+     * called to display a stack trace, except in the case of SystemExit, which is re-raised.
+     * <p>
+     * A note about KeyboardInterrupt: this exception may occur elsewhere in this code, and may not
+     * always be caught. The caller should be prepared to deal with it.
+     **/
+
+    // Make this run in another thread somehow????
+    public void runcode(PyObject code) {
+    }
+
+    public void showexception(PyException exc) {
+    }
+
+    public void write(String data) {
+    }
+
+    public void resetbuffer() {
+    }
+}
diff --git a/java/ql/test/stubs/jpython-2.7.2/org/python/util/PythonInterpreter.java b/java/ql/test/stubs/jython-2.7.2/org/python/util/PythonInterpreter.java
similarity index 100%
rename from java/ql/test/stubs/jpython-2.7.2/org/python/util/PythonInterpreter.java
rename to java/ql/test/stubs/jython-2.7.2/org/python/util/PythonInterpreter.java

From 6b79ca6403b7b562b9a81389580f2394bfc706bd Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Tue, 4 May 2021 09:32:03 +0200
Subject: [PATCH 0823/1429] Fix warning

---
 java/ql/src/semmle/code/java/security/JexlInjection.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/security/JexlInjection.qll b/java/ql/src/semmle/code/java/security/JexlInjection.qll
index 811d9877112..448c1f3cdb5 100644
--- a/java/ql/src/semmle/code/java/security/JexlInjection.qll
+++ b/java/ql/src/semmle/code/java/security/JexlInjection.qll
@@ -58,7 +58,7 @@ private class DefaultJexlInjectionSinkModel extends SinkModelCsv {
  *
  * Extend this class to add additional taint steps that should apply to the `JexlInjectionFlowConfig`.
  */
-abstract class JexlInjectionAdditionalTaintStep extends Unit {
+class JexlInjectionAdditionalTaintStep extends Unit {
   /**
    * Holds if the step from `node1` to `node2` should be considered a taint
    * step for the `JexlInjectionConfig` configuration.

From aaf754ebf502759ef994ad4a45bc16bfd6ecd16e Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 4 May 2021 10:06:14 +0200
Subject: [PATCH 0824/1429] recognize more library input

---
 .../src/semmle/javascript/PackageExports.qll  | 26 +++++++++++++++++++
 .../ReDoS/PolynomialBackTracking.expected     |  1 +
 .../ReDoS/PolynomialReDoS.expected            |  9 +++++++
 .../Performance/ReDoS/lib/sublib/factory.js   | 17 ++++++++++++
 .../Performance/ReDoS/lib/sublib/package.json |  5 ++++
 5 files changed, 58 insertions(+)
 create mode 100644 javascript/ql/test/query-tests/Performance/ReDoS/lib/sublib/factory.js
 create mode 100644 javascript/ql/test/query-tests/Performance/ReDoS/lib/sublib/package.json

diff --git a/javascript/ql/src/semmle/javascript/PackageExports.qll b/javascript/ql/src/semmle/javascript/PackageExports.qll
index c6658534459..e0f3d11ac38 100644
--- a/javascript/ql/src/semmle/javascript/PackageExports.qll
+++ b/javascript/ql/src/semmle/javascript/PackageExports.qll
@@ -50,6 +50,32 @@ private DataFlow::Node getAValueExportedByPackage() {
     result = cla.getConstructor()
   )
   or
+  // One shot closures that define a "factory" function.
+  // Recognizes the following pattern:
+  // ```Javascript
+  // (function (root, factory) {
+  //   if (typeof define === 'function' && define.amd) {
+  //     define('library-name', factory);
+  //   } else if (typeof exports === 'object') {
+  //     module.exports = factory();
+  //   } else {
+  //     root.libraryName = factory();
+  //   }
+  // }(this, function () {
+  //   ....
+  // }));
+  // ```
+  exists(ImmediatelyInvokedFunctionExpr func, DataFlow::ParameterNode prev, int i |
+    prev.getName() = "factory" and
+    func.getParameter(i) = prev.getParameter() and
+    result = func.getInvocation().getArgument(i).flow().getAFunctionValue().getAReturn()
+  )
+  or
+  // the exported value is a call to a unique callee
+  exists(DataFlow::CallNode call | call = getAValueExportedByPackage() |
+    result = unique( | | call.getCalleeNode().getAFunctionValue()).getAReturn()
+  )
+  or
   // *****
   // Common styles of transforming exported objects.
   // *****
diff --git a/javascript/ql/test/query-tests/Performance/ReDoS/PolynomialBackTracking.expected b/javascript/ql/test/query-tests/Performance/ReDoS/PolynomialBackTracking.expected
index cb7c526af5d..ad6bbc49dbb 100644
--- a/javascript/ql/test/query-tests/Performance/ReDoS/PolynomialBackTracking.expected
+++ b/javascript/ql/test/query-tests/Performance/ReDoS/PolynomialBackTracking.expected
@@ -30,6 +30,7 @@
 | lib/closure.js:4:6:4:7 | u* | Strings with many repetitions of 'u' can start matching anywhere after the start of the preceeding u*o |
 | lib/lib.js:1:15:1:16 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
 | lib/lib.js:8:3:8:4 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
+| lib/sublib/factory.js:13:14:13:15 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
 | polynomial-redos.js:7:24:7:26 | \\s+ | Strings with many repetitions of ' ' can start matching anywhere after the start of the preceeding \\s+$ |
 | polynomial-redos.js:8:17:8:18 |  * | Strings with many repetitions of ' ' can start matching anywhere after the start of the preceeding  *, * |
 | polynomial-redos.js:9:19:9:21 | \\s* | Strings with many repetitions of ' ' can start matching anywhere after the start of the preceeding \\s*\\n\\s* |
diff --git a/javascript/ql/test/query-tests/Performance/ReDoS/PolynomialReDoS.expected b/javascript/ql/test/query-tests/Performance/ReDoS/PolynomialReDoS.expected
index d40e70d0fc6..23f10937f28 100644
--- a/javascript/ql/test/query-tests/Performance/ReDoS/PolynomialReDoS.expected
+++ b/javascript/ql/test/query-tests/Performance/ReDoS/PolynomialReDoS.expected
@@ -11,6 +11,10 @@ nodes
 | lib/lib.js:7:19:7:22 | name |
 | lib/lib.js:8:13:8:16 | name |
 | lib/lib.js:8:13:8:16 | name |
+| lib/sublib/factory.js:12:26:12:29 | name |
+| lib/sublib/factory.js:12:26:12:29 | name |
+| lib/sublib/factory.js:13:24:13:27 | name |
+| lib/sublib/factory.js:13:24:13:27 | name |
 | polynomial-redos.js:5:6:5:32 | tainted |
 | polynomial-redos.js:5:16:5:32 | req.query.tainted |
 | polynomial-redos.js:5:16:5:32 | req.query.tainted |
@@ -166,6 +170,10 @@ edges
 | lib/lib.js:7:19:7:22 | name | lib/lib.js:8:13:8:16 | name |
 | lib/lib.js:7:19:7:22 | name | lib/lib.js:8:13:8:16 | name |
 | lib/lib.js:7:19:7:22 | name | lib/lib.js:8:13:8:16 | name |
+| lib/sublib/factory.js:12:26:12:29 | name | lib/sublib/factory.js:13:24:13:27 | name |
+| lib/sublib/factory.js:12:26:12:29 | name | lib/sublib/factory.js:13:24:13:27 | name |
+| lib/sublib/factory.js:12:26:12:29 | name | lib/sublib/factory.js:13:24:13:27 | name |
+| lib/sublib/factory.js:12:26:12:29 | name | lib/sublib/factory.js:13:24:13:27 | name |
 | polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:7:2:7:8 | tainted |
 | polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:7:2:7:8 | tainted |
 | polynomial-redos.js:5:6:5:32 | tainted | polynomial-redos.js:8:2:8:8 | tainted |
@@ -307,6 +315,7 @@ edges
 | lib/closure.js:4:5:4:17 | /u*o/.test(x) | lib/closure.js:3:21:3:21 | x | lib/closure.js:4:16:4:16 | x | This $@ that depends on $@ may run slow on strings with many repetitions of 'u'. | lib/closure.js:4:6:4:7 | u* | regular expression | lib/closure.js:3:21:3:21 | x | library input |
 | lib/lib.js:4:2:4:18 | regexp.test(name) | lib/lib.js:3:28:3:31 | name | lib/lib.js:4:14:4:17 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'a'. | lib/lib.js:1:15:1:16 | a* | regular expression | lib/lib.js:3:28:3:31 | name | library input |
 | lib/lib.js:8:2:8:17 | /f*g/.test(name) | lib/lib.js:7:19:7:22 | name | lib/lib.js:8:13:8:16 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'f'. | lib/lib.js:8:3:8:4 | f* | regular expression | lib/lib.js:7:19:7:22 | name | library input |
+| lib/sublib/factory.js:13:13:13:28 | /f*g/.test(name) | lib/sublib/factory.js:12:26:12:29 | name | lib/sublib/factory.js:13:24:13:27 | name | This $@ that depends on $@ may run slow on strings with many repetitions of 'f'. | lib/sublib/factory.js:13:14:13:15 | f* | regular expression | lib/sublib/factory.js:12:26:12:29 | name | library input |
 | polynomial-redos.js:7:2:7:34 | tainted ... /g, '') | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:7:2:7:8 | tainted | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | polynomial-redos.js:7:24:7:26 | \\s+ | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
 | polynomial-redos.js:8:2:8:23 | tainted ...  *, */) | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:8:2:8:8 | tainted | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | polynomial-redos.js:8:17:8:18 |  * | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
 | polynomial-redos.js:9:2:9:34 | tainted ... g, ' ') | polynomial-redos.js:5:16:5:32 | req.query.tainted | polynomial-redos.js:9:2:9:8 | tainted | This $@ that depends on $@ may run slow on strings with many repetitions of ' '. | polynomial-redos.js:9:19:9:21 | \\s* | regular expression | polynomial-redos.js:5:16:5:32 | req.query.tainted | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Performance/ReDoS/lib/sublib/factory.js b/javascript/ql/test/query-tests/Performance/ReDoS/lib/sublib/factory.js
new file mode 100644
index 00000000000..e7f6afb3f08
--- /dev/null
+++ b/javascript/ql/test/query-tests/Performance/ReDoS/lib/sublib/factory.js
@@ -0,0 +1,17 @@
+
+(function (root, factory) {
+    if (typeof define === 'function' && define.amd) {
+        define('my-sub-library', factory);
+    } else if (typeof exports === 'object') {
+        module.exports = factory();
+    } else {
+        root.mySubLibrary = factory();
+    }
+}(this, function () {
+    function create() {
+        return function (name) {
+            /f*g/.test(name); // NOT OK
+        }
+    }
+    return create()
+}));
diff --git a/javascript/ql/test/query-tests/Performance/ReDoS/lib/sublib/package.json b/javascript/ql/test/query-tests/Performance/ReDoS/lib/sublib/package.json
new file mode 100644
index 00000000000..2804217e9ba
--- /dev/null
+++ b/javascript/ql/test/query-tests/Performance/ReDoS/lib/sublib/package.json
@@ -0,0 +1,5 @@
+{
+  "name": "my-sub-lib",
+  "version": "0.0.7",
+  "main": "./my-file.js"
+}
\ No newline at end of file

From c5479077843f29573b258d2ce4badf0ea8661b95 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 30 Apr 2021 11:36:19 +0200
Subject: [PATCH 0825/1429] C#: Use invariant culture in the extractor

---
 .../Semmle.Extraction.CSharp.Driver/Driver.cs   |  2 ++
 .../Program.cs                                  |  2 ++
 .../Extractor/Extractor.cs                      | 17 +++++++++++++++++
 3 files changed, 21 insertions(+)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp.Driver/Driver.cs b/csharp/extractor/Semmle.Extraction.CSharp.Driver/Driver.cs
index 1c4142097fe..e8a42b3f5a0 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp.Driver/Driver.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.Driver/Driver.cs
@@ -7,6 +7,8 @@ namespace Semmle.Extraction.CSharp
     {
         public static int Main(string[] args)
         {
+            Extractor.SetInvariantCulture();
+
             return (int)Extractor.Run(args);
         }
     }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Program.cs b/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Program.cs
index 197001a22a6..e2c973ee60f 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Program.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.Standalone/Program.cs
@@ -52,6 +52,8 @@ namespace Semmle.Extraction.CSharp.Standalone
     {
         public static int Main(string[] args)
         {
+            Extractor.SetInvariantCulture();
+
             var options = Options.Create(args);
             // options.CIL = true;  // To do: Enable this
             using var output = new ConsoleLogger(options.Verbosity);
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Extractor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Extractor.cs
index 1d5e5412a88..179d1f14de5 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Extractor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Extractor.cs
@@ -11,6 +11,8 @@ using System.Diagnostics;
 using System.Threading.Tasks;
 using Semmle.Util.Logging;
 using System.Collections.Concurrent;
+using System.Globalization;
+using System.Threading;
 
 namespace Semmle.Extraction.CSharp
 {
@@ -52,6 +54,21 @@ namespace Semmle.Extraction.CSharp
             public void MissingType(string type) { }
         }
 
+        /// <summary>
+        /// Set the application culture to the invariant culture.
+        ///
+        /// This is required among others to ensure that the invariant culture is used for value formatting during TRAP
+        /// file writing.
+        /// </summary>
+        public static void SetInvariantCulture()
+        {
+            var culture = CultureInfo.InvariantCulture;
+            CultureInfo.DefaultThreadCurrentCulture = culture;
+            CultureInfo.DefaultThreadCurrentUICulture = culture;
+            Thread.CurrentThread.CurrentCulture = culture;
+            Thread.CurrentThread.CurrentUICulture = culture;
+        }
+
         /// <summary>
         /// Command-line driver for the extractor.
         /// </summary>

From f79d2e06f90cadb82da04424f9456f5e6fb20a9a Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Tue, 4 May 2021 11:29:09 +0200
Subject: [PATCH 0826/1429] Fix failing checks

---
 java/change-notes/2021-05-04-jexl-injection-query.md            | 2 ++
 .../CWE/CWE-094/SaferJexlExpressionEvaluationWithSandbox.java   | 0
 .../SaferJexlExpressionEvaluationWithUberspectSandbox.java      | 0
 .../Security/CWE/CWE-094/UnsafeJexlExpressionEvaluation.java    | 0
 java/ql/src/semmle/code/java/security/JexlInjection.qll         | 2 ++
 5 files changed, 4 insertions(+)
 create mode 100644 java/change-notes/2021-05-04-jexl-injection-query.md
 rename java/ql/src/{experimental => }/Security/CWE/CWE-094/SaferJexlExpressionEvaluationWithSandbox.java (100%)
 rename java/ql/src/{experimental => }/Security/CWE/CWE-094/SaferJexlExpressionEvaluationWithUberspectSandbox.java (100%)
 rename java/ql/src/{experimental => }/Security/CWE/CWE-094/UnsafeJexlExpressionEvaluation.java (100%)

diff --git a/java/change-notes/2021-05-04-jexl-injection-query.md b/java/change-notes/2021-05-04-jexl-injection-query.md
new file mode 100644
index 00000000000..4dad3c4a8f9
--- /dev/null
+++ b/java/change-notes/2021-05-04-jexl-injection-query.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Expression language injection (JEXL)" (`java/jexl-expression-injection`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @artem-smotrakov](https://github.com/github/codeql/pull/4965)
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/SaferJexlExpressionEvaluationWithSandbox.java b/java/ql/src/Security/CWE/CWE-094/SaferJexlExpressionEvaluationWithSandbox.java
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-094/SaferJexlExpressionEvaluationWithSandbox.java
rename to java/ql/src/Security/CWE/CWE-094/SaferJexlExpressionEvaluationWithSandbox.java
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/SaferJexlExpressionEvaluationWithUberspectSandbox.java b/java/ql/src/Security/CWE/CWE-094/SaferJexlExpressionEvaluationWithUberspectSandbox.java
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-094/SaferJexlExpressionEvaluationWithUberspectSandbox.java
rename to java/ql/src/Security/CWE/CWE-094/SaferJexlExpressionEvaluationWithUberspectSandbox.java
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/UnsafeJexlExpressionEvaluation.java b/java/ql/src/Security/CWE/CWE-094/UnsafeJexlExpressionEvaluation.java
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-094/UnsafeJexlExpressionEvaluation.java
rename to java/ql/src/Security/CWE/CWE-094/UnsafeJexlExpressionEvaluation.java
diff --git a/java/ql/src/semmle/code/java/security/JexlInjection.qll b/java/ql/src/semmle/code/java/security/JexlInjection.qll
index 448c1f3cdb5..d36fa0aad9b 100644
--- a/java/ql/src/semmle/code/java/security/JexlInjection.qll
+++ b/java/ql/src/semmle/code/java/security/JexlInjection.qll
@@ -1,3 +1,5 @@
+/** Provides classes to reason about Expression Langauge (JEXL) injection vulnerabilities. */
+
 import java
 import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.dataflow.ExternalFlow

From ded377bcd2ed253a99a34adc9c354a99c6fb5968 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 4 May 2021 12:13:34 +0200
Subject: [PATCH 0827/1429] C++: Reorder getInstructionOpcode to produce better
 RA.

---
 .../cpp/ir/implementation/aliased_ssa/Instruction.qll  |  3 ++-
 .../aliased_ssa/internal/SSAConstruction.qll           | 10 +++++-----
 .../code/cpp/ir/implementation/raw/Instruction.qll     |  3 ++-
 .../ir/implementation/raw/internal/IRConstruction.qll  |  4 ++--
 .../ir/implementation/unaliased_ssa/Instruction.qll    |  3 ++-
 .../unaliased_ssa/internal/SSAConstruction.qll         | 10 +++++-----
 .../experimental/ir/implementation/raw/Instruction.qll |  3 ++-
 .../ir/implementation/unaliased_ssa/Instruction.qll    |  3 ++-
 .../unaliased_ssa/internal/SSAConstruction.qll         | 10 +++++-----
 9 files changed, 27 insertions(+), 22 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
index 13c38401737..e335080ad6b 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
@@ -297,7 +297,8 @@ class Instruction extends Construction::TStageInstruction {
   /**
    * Gets the opcode that specifies the operation performed by this instruction.
    */
-  final Opcode getOpcode() { result = Construction::getInstructionOpcode(this) }
+  pragma[inline]
+  final Opcode getOpcode() { Construction::getInstructionOpcode(result, this) }
 
   /**
    * Gets all direct uses of the result of this instruction. The result can be
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
index 340f524fce8..f3ef4f2e8af 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
@@ -339,14 +339,14 @@ private module Cached {
   }
 
   cached
-  Opcode getInstructionOpcode(Instruction instr) {
-    result = getOldInstruction(instr).getOpcode()
+  predicate getInstructionOpcode(Opcode opcode, Instruction instr) {
+    opcode = getOldInstruction(instr).getOpcode()
     or
-    instr = phiInstruction(_, _) and result instanceof Opcode::Phi
+    instr = phiInstruction(_, _) and opcode instanceof Opcode::Phi
     or
-    instr = chiInstruction(_) and result instanceof Opcode::Chi
+    instr = chiInstruction(_) and opcode instanceof Opcode::Chi
     or
-    instr = unreachedInstruction(_) and result instanceof Opcode::Unreached
+    instr = unreachedInstruction(_) and opcode instanceof Opcode::Unreached
   }
 
   cached
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
index 13c38401737..e335080ad6b 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
@@ -297,7 +297,8 @@ class Instruction extends Construction::TStageInstruction {
   /**
    * Gets the opcode that specifies the operation performed by this instruction.
    */
-  final Opcode getOpcode() { result = Construction::getInstructionOpcode(this) }
+  pragma[inline]
+  final Opcode getOpcode() { Construction::getInstructionOpcode(result, this) }
 
   /**
    * Gets all direct uses of the result of this instruction. The result can be
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll
index b0faec547f3..e8fcf3fcdf3 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/IRConstruction.qll
@@ -360,8 +360,8 @@ CppType getInstructionResultType(TStageInstruction instr) {
   getInstructionTranslatedElement(instr).hasInstruction(_, getInstructionTag(instr), result)
 }
 
-Opcode getInstructionOpcode(TStageInstruction instr) {
-  getInstructionTranslatedElement(instr).hasInstruction(result, getInstructionTag(instr), _)
+predicate getInstructionOpcode(Opcode opcode, TStageInstruction instr) {
+  getInstructionTranslatedElement(instr).hasInstruction(opcode, getInstructionTag(instr), _)
 }
 
 IRFunctionBase getInstructionEnclosingIRFunction(TStageInstruction instr) {
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
index 13c38401737..e335080ad6b 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
@@ -297,7 +297,8 @@ class Instruction extends Construction::TStageInstruction {
   /**
    * Gets the opcode that specifies the operation performed by this instruction.
    */
-  final Opcode getOpcode() { result = Construction::getInstructionOpcode(this) }
+  pragma[inline]
+  final Opcode getOpcode() { Construction::getInstructionOpcode(result, this) }
 
   /**
    * Gets all direct uses of the result of this instruction. The result can be
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
index 340f524fce8..f3ef4f2e8af 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -339,14 +339,14 @@ private module Cached {
   }
 
   cached
-  Opcode getInstructionOpcode(Instruction instr) {
-    result = getOldInstruction(instr).getOpcode()
+  predicate getInstructionOpcode(Opcode opcode, Instruction instr) {
+    opcode = getOldInstruction(instr).getOpcode()
     or
-    instr = phiInstruction(_, _) and result instanceof Opcode::Phi
+    instr = phiInstruction(_, _) and opcode instanceof Opcode::Phi
     or
-    instr = chiInstruction(_) and result instanceof Opcode::Chi
+    instr = chiInstruction(_) and opcode instanceof Opcode::Chi
     or
-    instr = unreachedInstruction(_) and result instanceof Opcode::Unreached
+    instr = unreachedInstruction(_) and opcode instanceof Opcode::Unreached
   }
 
   cached
diff --git a/csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll b/csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll
index 13c38401737..e335080ad6b 100644
--- a/csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll
+++ b/csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll
@@ -297,7 +297,8 @@ class Instruction extends Construction::TStageInstruction {
   /**
    * Gets the opcode that specifies the operation performed by this instruction.
    */
-  final Opcode getOpcode() { result = Construction::getInstructionOpcode(this) }
+  pragma[inline]
+  final Opcode getOpcode() { Construction::getInstructionOpcode(result, this) }
 
   /**
    * Gets all direct uses of the result of this instruction. The result can be
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll
index 13c38401737..e335080ad6b 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll
@@ -297,7 +297,8 @@ class Instruction extends Construction::TStageInstruction {
   /**
    * Gets the opcode that specifies the operation performed by this instruction.
    */
-  final Opcode getOpcode() { result = Construction::getInstructionOpcode(this) }
+  pragma[inline]
+  final Opcode getOpcode() { Construction::getInstructionOpcode(result, this) }
 
   /**
    * Gets all direct uses of the result of this instruction. The result can be
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
index 340f524fce8..f3ef4f2e8af 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -339,14 +339,14 @@ private module Cached {
   }
 
   cached
-  Opcode getInstructionOpcode(Instruction instr) {
-    result = getOldInstruction(instr).getOpcode()
+  predicate getInstructionOpcode(Opcode opcode, Instruction instr) {
+    opcode = getOldInstruction(instr).getOpcode()
     or
-    instr = phiInstruction(_, _) and result instanceof Opcode::Phi
+    instr = phiInstruction(_, _) and opcode instanceof Opcode::Phi
     or
-    instr = chiInstruction(_) and result instanceof Opcode::Chi
+    instr = chiInstruction(_) and opcode instanceof Opcode::Chi
     or
-    instr = unreachedInstruction(_) and result instanceof Opcode::Unreached
+    instr = unreachedInstruction(_) and opcode instanceof Opcode::Unreached
   }
 
   cached

From ab90fe18fd3b1957ad26d9d18b2fa2d29cfe2bb5 Mon Sep 17 00:00:00 2001
From: Marcono1234 <Marcono1234@users.noreply.github.com>
Date: Tue, 4 May 2021 12:22:09 +0200
Subject: [PATCH 0828/1429] Docs: Use GitHub links for guides, improve
 formatting

---
 docs/ql-style-guide.md             |  16 ++--
 docs/qldoc-style-guide.md          |   3 +-
 docs/query-help-style-guide.md     |  67 +++++++-------
 docs/query-metadata-style-guide.md | 142 ++++++++++++++---------------
 docs/supported-queries.md          |  10 +-
 5 files changed, 120 insertions(+), 118 deletions(-)

diff --git a/docs/ql-style-guide.md b/docs/ql-style-guide.md
index bea84aff36e..0b0efef27cc 100644
--- a/docs/ql-style-guide.md
+++ b/docs/ql-style-guide.md
@@ -3,7 +3,7 @@
 ## Introduction
 
 This document describes how to format the code you contribute to this repository. It covers aspects such as layout, white-space, naming, and documentation. Adhering to consistent standards makes code easier to read and maintain. Of course, these are only guidelines, and can be overridden as the need arises on a case-by-case basis. Where existing code deviates from these guidelines, prefer consistency with the surrounding code.
-Note, if you use [CodeQL for Visual Studio Code](https://help.semmle.com/codeql/codeql-for-vscode/procedures/about-codeql-for-vscode.html), you can autoformat your query in the editor.
+Note, if you use [CodeQL for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/about-codeql-for-visual-studio-code/), you can autoformat your query in the editor.
 
 Words in *italic* are defined in the [Glossary](#glossary).
 
@@ -166,7 +166,7 @@ private predicate foo(Expr e, Expr p) {
 ```
 
 ## Naming
-1. Use [PascalCase](http://wiki.c2.com/?PascalCase) for:
+1. Use [PascalCase](https://wiki.c2.com/?PascalCase) for:
    - `class` names
    - `module` names
    - `newtype` names
@@ -249,7 +249,7 @@ For more information about documenting the code that you contribute to this repo
 1. The `and` and `else` keywords *may* be placed on the same line as the closing parenthesis.
 1. The `and` and `else` keywords *may* be "cuddled": `) else (`
 1. *Always* qualify *calls* to predicates of the same class with `this`.
-2. *Prefer* postfix casts `a.(Expr)` to prefix casts `(Expr)a`.
+1. *Prefer* postfix casts `a.(Expr)` to prefix casts `(Expr)a`.
 
 ### Examples
 
@@ -350,16 +350,16 @@ For more information about documenting the code that you contribute to this repo
 
 | Phrase      | Meaning  |
 |-------------|----------|
-| *[annotation](https://help.semmle.com/QL/ql-handbook/language.html#annotations)* | An additional specifier used to modify a declaration, such as `private`, `override`, `deprecated`, `pragma`, `bindingset`, or `cached`. |
+| *[annotation](https://codeql.github.com/docs/ql-language-reference/ql-language-specification/#annotations)* | An additional specifier used to modify a declaration, such as `private`, `override`, `deprecated`, `pragma`, `bindingset`, or `cached`. |
 | *body* | The text inside `{ }`, `( )`, or each section of an `if`-`then`-`else` or `from`-`where`-`select`. |
 | *binary operator* | An operator with two operands, such as comparison operators, `and`, `or`, `implies`, or arithmetic operators. |
 | *call* | A *formula* that invokes a predicate, e.g. `this.isStatic()` or `calls(a,b)`. |
-| *[conjunct](https://help.semmle.com/QL/ql-handbook/language.html#conjunctions)* | A formula that is an operand to an `and`. |
+| *[conjunct](https://codeql.github.com/docs/ql-language-reference/ql-language-specification/#conjunctions)* | A formula that is an operand to an `and`. |
 | *declaration* | A class, module, predicate, field or newtype. |
-| *[disjunct](https://help.semmle.com/QL/ql-handbook/language.html#disjunctions)* | A formula that is an operand to an `or`. |
-| *[formula](https://help.semmle.com/QL/ql-handbook/language.html#formulas)* | A logical expression, such as `A = B`, a *call*, a *quantifier*, `and`, `or`, `not`, `in` or `instanceof`. |
+| *[disjunct](https://codeql.github.com/docs/ql-language-reference/ql-language-specification/#disjunctions)* | A formula that is an operand to an `or`. |
+| *[formula](https://codeql.github.com/docs/ql-language-reference/ql-language-specification/#formulas)* | A logical expression, such as `A = B`, a *call*, a *quantifier*, `and`, `or`, `not`, `in` or `instanceof`. |
 | *should/should not/avoid/prefer* | Adhere to this rule wherever possible, where it makes sense. |
 | *may/can* | This is a reasonable alternative, to be used with discretion. |
 | *must/always/do not* | Always adhere to this rule. |
-| *[quantifier/aggregation](https://help.semmle.com/QL/ql-handbook/language.html#aggregations)* | `exists`, `count`, `strictcount`, `any`, `forall`, `forex` and so on. |
+| *[quantifier/aggregation](https://codeql.github.com/docs/ql-language-reference/ql-language-specification/#aggregations)* | `exists`, `count`, `strictcount`, `any`, `forall`, `forex` and so on. |
 | *variable* | A parameter to a predicate, a field, a from variable, or a variable introduced by a *quantifier* or *aggregation*. |
diff --git a/docs/qldoc-style-guide.md b/docs/qldoc-style-guide.md
index fde4d3ea2f8..b8329e7a338 100644
--- a/docs/qldoc-style-guide.md
+++ b/docs/qldoc-style-guide.md
@@ -124,11 +124,12 @@ Certain special predicates should be documented consistently.
    * The location spans column `startcolumn` of line `startline` to
    * column `endcolumn` of line `endline` in file `filepath`.
    * For more information, see
-   * [Locations](https://help.semmle.com/QL/learn-ql/locations.html).
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
    */
 
   predicate hasLocationInfo(string filepath, int startline, int startcolumn, int endline, int endcolumn) { ... }
   ```
+
 ## QLDoc for classes
 
 1. Document classes using a noun phrase of the form `A <domain element> that <has property>.`
diff --git a/docs/query-help-style-guide.md b/docs/query-help-style-guide.md
index 1b6f81e683d..f7377b6c955 100644
--- a/docs/query-help-style-guide.md
+++ b/docs/query-help-style-guide.md
@@ -4,11 +4,12 @@
 
 When you contribute a new [supported query](supported-queries.md) to this repository, or add a custom query for analysis in LGTM, you should also write a query help file. This file provides detailed information about the purpose and use of the query, which is available to users in LGTM (for example [here](https://lgtm.com/rules/1506093386171/)) and on the query homepages:
 
-*   [C/C++ queries](https://help.semmle.com/wiki/display/CCPPOBJ/)
-*   [C# queries](https://help.semmle.com/wiki/display/CSHARP/)
-*   [Java queries](https://help.semmle.com/wiki/display/JAVA/)
-*   [JavaScript queries](https://help.semmle.com/wiki/display/JS/)
-*   [Python queries](https://help.semmle.com/wiki/display/PYTHON/)
+* [C/C++ queries](https://codeql.github.com/codeql-query-help/cpp/)
+* [C# queries](https://codeql.github.com/codeql-query-help/csharp/)
+* [Go queries](https://codeql.github.com/codeql-query-help/go/)
+* [Java queries](https://codeql.github.com/codeql-query-help/java/)
+* [JavaScript queries](https://codeql.github.com/codeql-query-help/javascript/)
+* [Python queries](https://codeql.github.com/codeql-query-help/python/)
 
 ### Location and file name
 
@@ -18,57 +19,57 @@ Query help files must have the same base name as the query they describe and mus
 
 Query help files are written using a custom XML format, and stored in a file with a `.qhelp` extension. The basic structure is as follows:
 
-```
+```xml
 <!DOCTYPE qhelp SYSTEM "qhelp.dtd">
 <qhelp>
     CONTAINS one or more section-level elements
 </qhelp>
 ```
 
-The header and single top-level `<qhelp>` element are both mandatory. 
+The header and single top-level `<qhelp>` element are both mandatory.
 
 ### Section-level elements
 
 Section-level elements are used to group the information within the query help file. All query help files should include at least the following section elements, in the order specified:
 
-1.  `overview`—a short summary of the issue that the query identifies, including an explanation of how it could affect the behavior of the program.
-2.  `recommendation`—information on how to fix the issue highlighted by the query.
-3.  `example`—an example of code showing the problem. Where possible, this section should also include a solution to the issue.
-4.  `references`—relevant references, such as authoritative sources on language semantics and best practice. 
+1. `overview`—a short summary of the issue that the query identifies, including an explanation of how it could affect the behavior of the program.
+2. `recommendation`—information on how to fix the issue highlighted by the query.
+3. `example`—an example of code showing the problem. Where possible, this section should also include a solution to the issue.
+4. `references`—relevant references, such as authoritative sources on language semantics and best practice.
 
-For further information about the other section-level, block, list and table elements supported by query help files, see [Query help files](https://help.semmle.com/QL/learn-ql/ql/writing-queries/query-help.html) on help.semmle.com.
+For further information about the other section-level, block, list and table elements supported by query help files, see [Query help files](https://codeql.github.com/docs/writing-codeql-queries/query-help-files/) on codeql.github.com.
 
 
 ## English style
 
 You should write the overview and recommendation elements in simple English that is easy to follow. You should:
 
-*   Use simple sentence structures and avoid complex or academic language.
-*   Avoid colloquialisms and contractions.
-*   Use US English spelling throughout.
-*   Use words that are in common usage.
+* Use simple sentence structures and avoid complex or academic language.
+* Avoid colloquialisms and contractions.
+* Use US English spelling throughout.
+* Use words that are in common usage.
 
 ## Code examples
 
 Whenever possible, you should include a code example that helps to explain the issue you are highlighting. Any code examples that you include should adhere to the following guidelines:
 
-*   The example should be less than 20 lines, but it should still clearly illustrate the issue that the query identifies.  If appropriate, then the example may also be runnable.
-*   Put the code example after the recommendation element where possible. Only include an example in the description element if absolutely necessary.
-*   If you are using an example to illustrate the solution to a problem, and the change required is minor, avoid repeating the whole example. It is preferable to either describe the change required or to include a smaller snippet of the corrected code.
-*   Clearly indicate which of the samples is an example of bad coding practice and which is recommended practice.
-*   Define the code examples in `src` files. The language is inferred from the file extension:
+* The example should be less than 20 lines, but it should still clearly illustrate the issue that the query identifies.  If appropriate, then the example may also be runnable.
+* Put the code example after the recommendation element where possible. Only include an example in the description element if absolutely necessary.
+* If you are using an example to illustrate the solution to a problem, and the change required is minor, avoid repeating the whole example. It is preferable to either describe the change required or to include a smaller snippet of the corrected code.
+* Clearly indicate which of the samples is an example of bad coding practice and which is recommended practice.
+* Define the code examples in `src` files. The language is inferred from the file extension:
 
-```
-<example>
-<p>This example highlights poor coding practice</p>
+  ```xml
+  <example>
+  <p>This example highlights poor coding practice</p>
 
-<sample src = "example-code-bad.java" />
+  <sample src = "example-code-bad.java" />
 
-<p>This example shows how to fix the code</p>
+  <p>This example shows how to fix the code</p>
 
-<sample src = "example-code-fixed.java" />
-</example>
-```
+  <sample src = "example-code-fixed.java" />
+  </example>
+  ```
 
 Note, if any code words are included in the `overview` and `recommendation` sections, they should be formatted with `<code> ... </code>` for emphasis.
 
@@ -90,7 +91,7 @@ Note, & symbols need to be replaced by \&amp;. The symbol will be displayed corr
 
 ### Academic papers
 
-If you are citing an academic paper, we recommend adopting the reference style of the journal that you are citing. For example: 
+If you are citing an academic paper, we recommend adopting the reference style of the journal that you are citing. For example:
 
 >S. R. Chidamber and C. F. Kemerer, _A metrics suite for object-oriented design_. IEEE Transactions on Software Engineering, 20(6):476-493, 1994.
 
@@ -109,11 +110,11 @@ For example:
 
 If your query checks code for a CWE weakness, you should use the `@tags` element in the query file to reference the associated CWEs, as explained [here](query-metadata-style-guide.md). When you use these tags, a link to the appropriate entry from the [MITRE.org](https://cwe.mitre.org/scoring/index.html) site will automatically appear as a reference in the output HTML file.
 
-## Query help example 
+## Query help example
 
-The following example is a query help file for a query from the standard query suite for Java: 
+The following example is a query help file for a query from the standard query suite for Java:
 
-```
+```xml
 <!DOCTYPE qhelp PUBLIC
   "-//Semmle//qhelp//EN"
   "qhelp.dtd">
diff --git a/docs/query-metadata-style-guide.md b/docs/query-metadata-style-guide.md
index 21e5897e243..143564d49b0 100644
--- a/docs/query-metadata-style-guide.md
+++ b/docs/query-metadata-style-guide.md
@@ -8,27 +8,27 @@ This document outlines the structure of CodeQL query files. You should adopt thi
 
 Query files have the extension `.ql`. Each file has two distinct areas:
 
-*   Metadata area–displayed at the top of the file, contains the metadata that defines how results for the query are interpreted and gives a brief description of the purpose of the query.
-*   Query definition–defined using QL. The query includes a select statement, which defines the content and format of the results. For further information about writing QL, see the following topics:
-    *   [Learning CodeQL](https://help.semmle.com/QL/learn-ql/index.html)
-    *   [QL language reference](https://help.semmle.com/QL/ql-handbook/index.html)
-    *   [CodeQL style guide](https://github.com/github/codeql/blob/main/docs/ql-style-guide.md) 
+* Metadata area–displayed at the top of the file, contains the metadata that defines how results for the query are interpreted and gives a brief description of the purpose of the query.
+* Query definition–defined using QL. The query includes a select statement, which defines the content and format of the results. For further information about writing QL, see the following topics:
+  * [CodeQL documentation](https://codeql.github.com/docs/)
+  * [QL language reference](https://codeql.github.com/docs/ql-language-reference/)
+  * [CodeQL style guide](ql-style-guide.md)
 
 
-For examples of query files for the languages supported by CodeQL, visit the following links: 
+For examples of query files for the languages supported by CodeQL, visit the following links:
 
-*   [C/C++ queries](https://help.semmle.com/wiki/display/CCPPOBJ/)
-*   [C# queries](https://help.semmle.com/wiki/display/CSHARP/)
-*   [Go queries](https://help.semmle.com/wiki/display/GO/)
-*   [Java queries](https://help.semmle.com/wiki/display/JAVA/)
-*   [JavaScript queries](https://help.semmle.com/wiki/display/JS/)
-*   [Python queries](https://help.semmle.com/wiki/display/PYTHON/)
+* [C/C++ queries](https://codeql.github.com/codeql-query-help/cpp/)
+* [C# queries](https://codeql.github.com/codeql-query-help/csharp/)
+* [Go queries](https://codeql.github.com/codeql-query-help/go/)
+* [Java queries](https://codeql.github.com/codeql-query-help/java/)
+* [JavaScript queries](https://codeql.github.com/codeql-query-help/javascript/)
+* [Python queries](https://codeql.github.com/codeql-query-help/python/)
 
 ## Metadata area
 
 Query file metadata contains important information that defines the identifier and purpose of the query. The metadata is included as the content of a valid [QLDoc](https://codeql.github.com/docs/ql-language-reference/ql-language-specification/#qldoc) comment, on lines with leading whitespace followed by `*`, between an initial `/**` and a trailing `*/`. For example:
 
-```
+```ql
 /**
  * @name Useless assignment to local variable
  * @description An assignment to a local variable that is not used later on, or whose value is always
@@ -42,7 +42,7 @@ Query file metadata contains important information that defines the identifier a
  */
  ```
 
-To help others use your query, and to ensure that the query works correctly on LGTM, you should include all of the required information outlined below in the metadata, and as much of the optional information as possible. For further information on query metadata see [Metadata for CodeQL queries](https://help.semmle.com/QL/learn-ql/ql/writing-queries/query-metadata.html) on help.semmle.com.
+To help others use your query, and to ensure that the query works correctly on LGTM, you should include all of the required information outlined below in the metadata, and as much of the optional information as possible. For further information on query metadata see [Metadata for CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/metadata-for-codeql-queries/) on codeql.github.com.
 
 
 
@@ -51,10 +51,10 @@ To help others use your query, and to ensure that the query works correctly on L
 
 You must specify an `@name` property for your query. This property defines the display name for the query. Query names should use sentence capitalization, but not include a full stop. For example:
 
-*   `@name Access to variable in enclosing class`
-*   `@name Array argument size mismatch`
-*   `@name Reference equality test on strings`
-*   `@name Return statement outside function`
+* `@name Access to variable in enclosing class`
+* `@name Array argument size mismatch`
+* `@name Reference equality test on strings`
+* `@name Return statement outside function`
 
 
 ### Query descriptions `@description`
@@ -62,38 +62,38 @@ You must specify an `@name` property for your query. This property defines the d
 You must define an `@description` property for your query. This property defines a short help message. Query descriptions should be written as a sentence or short-paragraph of plain prose, with sentence capitalization and full stop. The preferred pattern for alert queries is  "Syntax X causes behavior Y." Any code elements included in the description should be enclosed in single quotes. For example:
 
 
-*   `@description Using a format string with an incorrect format causes a 'System.FormatException'.`
-*   `@description Commented-out code makes the remaining code more difficult to read.`
+* `@description Using a format string with an incorrect format causes a 'System.FormatException'.`
+* `@description Commented-out code makes the remaining code more difficult to read.`
 
 ### Query ID `@id`
 
 You must specify an `@id` property for your query. It must be unique and should follow the standard CodeQL convention. That is, it should begin with the 'language code' for the language that the query analyzes followed by a forward slash. The following language codes are supported:
 
-*   C and C++: `cpp`
-*   C#: `cs`
-*   Go: `go`
-*   Java: `java`
-*   JavaScript and TypeScript: `js`
-*   Python: `py`
+* C and C++: `cpp`
+* C#: `cs`
+* Go: `go`
+* Java: `java`
+* JavaScript and TypeScript: `js`
+* Python: `py`
 
 The `@id` should consist of a short noun phrase that identifies the issue that the query highlights. For example:
 
 
 
-*   `@id cs/command-line-injection`
-*   `@id java/string-concatenation-in-loop`
+* `@id cs/command-line-injection`
+* `@id java/string-concatenation-in-loop`
 
 Further terms can be added to the `@id` to group queries that, for example, highlight similar issues or are of particular relevance to a certain framework. For example:
 
-*   `@id js/angular-js/missing-explicit-injection`
-*   `@id js/angular-js/duplicate-dependency`
+* `@id js/angular-js/missing-explicit-injection`
+* `@id js/angular-js/duplicate-dependency`
 
 Note, `@id` properties should be consistent for queries that highlight the same issue for different languages. For example, the following queries identify format strings that contain unsanitized input in Java and C++ code respectively:
 
 
 
-*   `@id java/tainted-format-string`
-*   `@id cpp/tainted-format-string`
+* `@id java/tainted-format-string`
+* `@id cpp/tainted-format-string`
 
 
 ### Query type `@kind`
@@ -102,48 +102,48 @@ Note, `@id` properties should be consistent for queries that highlight the same
 
 
 
-*   alerts (`@kind problem`)
-*   alerts containing path information (`@kind path-problem`)
+* alerts (`@kind problem`)
+* alerts containing path information (`@kind path-problem`)
 
 Alert queries (`@kind problem` or `path-problem`) support two further properties. These are added by GitHub staff after the query has been tested, prior to deployment to LGTM. The following information is for reference:
 
 
 
-*   `@precision`–broadly indicates the proportion of query results that are true positives, while also considering their context and relevance:
-    *   `low `
-    *   `medium `
-    *   `high `
-    *   `very-high`
-*   `@problem.severity`–defines the level of severity of the alert: 
-    *   `error`–an issue that is likely to cause incorrect program behavior, for example a crash or vulnerability.
-    *   `warning`–an issue that indicates a potential problem in the code, or makes the code fragile if another (unrelated) part of code is changed.
-    *   `recommendation`–an issue where the code behaves correctly, but it could be improved.
+* `@precision`–broadly indicates the proportion of query results that are true positives, while also considering their context and relevance:
+  * `low`
+  * `medium`
+  * `high`
+  * `very-high`
+* `@problem.severity`–defines the level of severity of the alert: 
+  * `error`–an issue that is likely to cause incorrect program behavior, for example a crash or vulnerability.
+  * `warning`–an issue that indicates a potential problem in the code, or makes the code fragile if another (unrelated) part of code is changed.
+  * `recommendation`–an issue where the code behaves correctly, but it could be improved.
 
-The values of `@precision` and `@problem.severity` assigned to a query that is part of the standard set determine how the results are displayed by LGTM. See [About alerts](https://help.semmle.com/lgtm-enterprise/user/help/about-alerts.html) and [Alert interest](https://lgtm.com/help/lgtm/alert-interest) for further information. For information about using custom queries in LGTM on a 'per-project' basis, see [Writing custom queries to include in LGTM analysis](https://lgtm.com/help/lgtm/writing-custom-queries) and [About adding custom queries](https://help.semmle.com/lgtm-enterprise/admin/help/about-adding-custom-queries.html). 
+The values of `@precision` and `@problem.severity` assigned to a query that is part of the standard set determine how the results are displayed by LGTM. See [About alerts](https://help.semmle.com/lgtm-enterprise/user/help/about-alerts.html) and [Alert interest](https://lgtm.com/help/lgtm/alert-interest) for further information. For information about using custom queries in LGTM on a 'per-project' basis, see [Writing custom queries to include in LGTM analysis](https://lgtm.com/help/lgtm/writing-custom-queries) and [About adding custom queries](https://help.semmle.com/lgtm-enterprise/admin/help/about-adding-custom-queries.html).
 
 ## Query tags `@tags`
 
 The `@tags` property is used to define categories that the query relates to. Each query should belong to one (or more, if necessary) of the following four top-level categories:
 
-*   `@tags correctness`–for queries that detect incorrect program behavior.
-*   `@tags maintainability`–for queries that detect patterns that make it harder for developers to make changes to the code.
-*   `@tags readability`–for queries that detect confusing patterns that make it harder for developers to read the code.
-*   `@tags security`–for queries that detect security weaknesses. See below for further information.
+* `@tags correctness`–for queries that detect incorrect program behavior.
+* `@tags maintainability`–for queries that detect patterns that make it harder for developers to make changes to the code.
+* `@tags readability`–for queries that detect confusing patterns that make it harder for developers to read the code.
+* `@tags security`–for queries that detect security weaknesses. See below for further information.
 
 There are also more specific `@tags` that can be added. See, the following pages for examples of the low-level tags:
 
-*   [C/C++ queries](https://help.semmle.com/wiki/display/CCPPOBJ/)
-*   [C# queries](https://help.semmle.com/wiki/display/CSHARP/)
-*   [Go queries](https://help.semmle.com/wiki/display/GO/)
-*   [Java queries](https://help.semmle.com/wiki/display/JAVA/)
-*   [JavaScript queries](https://help.semmle.com/wiki/display/JS/)
-*   [Python queries](https://help.semmle.com/wiki/display/PYTHON/)
+* [C/C++ queries](https://codeql.github.com/codeql-query-help/cpp/)
+* [C# queries](https://codeql.github.com/codeql-query-help/csharp/)
+* [Go queries](https://codeql.github.com/codeql-query-help/go/)
+* [Java queries](https://codeql.github.com/codeql-query-help/java/)
+* [JavaScript queries](https://codeql.github.com/codeql-query-help/javascript/)
+* [Python queries](https://codeql.github.com/codeql-query-help/python/)
 
 If necessary, you can also define your own low-level tags to categorize the queries specific to your project or organization. When creating your own tags, you should:
 
-*   Use all lower-case letters, including for acronyms and proper nouns, with no spaces. All characters apart from * and @ are accepted.
-*   Use a forward slash / to indicate a hierarchical relationship between tags if necessary. For example, a query with tag `foo/bar` is also interpreted as also having tag `foo`, but not `bar`.
-*   Use a single-word `@tags` name. Multiple words, separated with hyphens, can be used for clarity if necessary. 
+* Use all lower-case letters, including for acronyms and proper nouns, with no spaces. All characters apart from * and @ are accepted.
+* Use a forward slash / to indicate a hierarchical relationship between tags if necessary. For example, a query with tag `foo/bar` is also interpreted as also having tag `foo`, but not `bar`.
+* Use a single-word `@tags` name. Multiple words, separated with hyphens, can be used for clarity if necessary.
 
 #### Security query `@tags`
 
@@ -155,7 +155,7 @@ If your query is a security query, use one or more `@tags` to associate it with
 ||`external/cwe/cwe-036` |
 ||`external/cwe/cwe-073` |
 
-When you tag a query like this, the associated CWE pages from [MITRE.org](http://cwe.mitre.org/index.html) will automatically appear in the reference section of its associated qhelp file.
+When you tag a query like this, the associated CWE pages from [MITRE.org](https://cwe.mitre.org/index.html) will automatically appear in the reference section of its associated qhelp file.
 
 ## QL area
 
@@ -163,20 +163,20 @@ When you tag a query like this, the associated CWE pages from [MITRE.org](http:/
 
 The select clause of each alert query defines the alert message that is displayed for each result found by the query. Alert messages are strings that concisely describe the problem that the alert is highlighting and, if possible, also provide some context. For consistency, alert messages should adhere to the following guidelines:
 
-*   Each message should be a complete, standalone sentence. That is, it should be capitalized and have proper punctuation, including a full stop.
-*   The message should factually describe the problem that is being highlighted–it should not contain recommendations about how to fix the problem or value judgements.
-*   Program element references should be in 'single quotes' to distinguish them from ordinary words. Quotes are not needed around substitutions ($@).
-*   Avoid constant alert message strings and include some context, if possible. For example, `The class 'Foo' is duplicated as 'Bar'.` is preferable to `This class is duplicated here.`
-*   Where you reference another program element, link to it if possible using a substitution (`$@`). Links should be used inline in the sentence, rather than as parenthesised lists or appositions. 
-*   When a message contains multiple links, construct a sentence that has the most variable link (that is, the link with most targets) last. For further information, see [Defining the results of a query](https://help.semmle.com/QL/learn-ql/ql/writing-queries/select-statement.html).
+* Each message should be a complete, standalone sentence. That is, it should be capitalized and have proper punctuation, including a full stop.
+* The message should factually describe the problem that is being highlighted–it should not contain recommendations about how to fix the problem or value judgements.
+* Program element references should be in 'single quotes' to distinguish them from ordinary words. Quotes are not needed around substitutions (`$@`).
+* Avoid constant alert message strings and include some context, if possible. For example, `The class 'Foo' is duplicated as 'Bar'.` is preferable to `This class is duplicated here.`
+* Where you reference another program element, link to it if possible using a substitution (`$@`). Links should be used inline in the sentence, rather than as parenthesised lists or appositions.
+* When a message contains multiple links, construct a sentence that has the most variable link (that is, the link with most targets) last. For further information, see [Defining the results of a query](https://codeql.github.com/docs/writing-codeql-queries/defining-the-results-of-a-query/).
 
 For examples of select clauses and alert messages, see the query source files at the following pages:
 
-*   [C/C++ queries](https://help.semmle.com/wiki/display/CCPPOBJ/)
-*   [C# queries](https://help.semmle.com/wiki/display/CSHARP/)
-*   [Go queries](https://help.semmle.com/wiki/display/GO/)
-*   [Java queries](https://help.semmle.com/wiki/display/JAVA/)
-*   [JavaScript queries](https://help.semmle.com/wiki/display/JS/)
-*   [Python queries](https://help.semmle.com/wiki/display/PYTHON/)
+* [C/C++ queries](https://codeql.github.com/codeql-query-help/cpp/)
+* [C# queries](https://codeql.github.com/codeql-query-help/csharp/)
+* [Go queries](https://codeql.github.com/codeql-query-help/go/)
+* [Java queries](https://codeql.github.com/codeql-query-help/java/)
+* [JavaScript queries](https://codeql.github.com/codeql-query-help/javascript/)
+* [Python queries](https://codeql.github.com/codeql-query-help/python/)
 
-For further information on query writing, see [CodeQL queries](https://help.semmle.com/QL/learn-ql/ql/writing-queries/writing-queries.html). For more information on learning CodeQL, see [Learning CodeQL](https://help.semmle.com/QL/learn-ql/index.html).
+For further information on query writing, see [CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries/). For more information on learning CodeQL, see [CodeQL documentation](https://codeql.github.com/docs/).
diff --git a/docs/supported-queries.md b/docs/supported-queries.md
index 55530c2fa12..2d76906e82f 100644
--- a/docs/supported-queries.md
+++ b/docs/supported-queries.md
@@ -27,8 +27,8 @@ The process must begin with the first step and must conclude with the final step
 
    Add one or more unit tests for the query (and for any library changes you make) to the `ql/<language>/ql/test/experimental` directory. Tests for library changes go into the `library-tests` subdirectory, and tests for queries go into `query-tests` with their relative path mirroring the query's location under `ql/<language>/ql/src/experimental`.
 
- 	- See the section on [Testing custom queries](https://help.semmle.com/codeql/codeql-cli/procedures/test-queries.html) in the [CodeQL documentation](https://help.semmle.com/codeql/) for more information.
-	- See [C/C++ CodeQL tests](/cpp/ql/test/README.md) for more information about contributing tests for C/C++ queries in particular.
+   - See the section on [Testing custom queries](https://help.semmle.com/codeql/codeql-cli/procedures/test-queries.html) in the [CodeQL documentation](https://codeql.github.com/docs/) for more information.
+   - See [C/C++ CodeQL tests](/cpp/ql/test/README.md) for more information about contributing tests for C/C++ queries in particular.
 
 4. **Test for correctness on real-world code**
 
@@ -46,10 +46,10 @@ The process must begin with the first step and must conclude with the final step
 
    QL performance profiling and tuning is an advanced topic, and some tasks will require assistance from GitHub employees. With that said, there are several things you can do.
 
-   - Understand [the evaluation model of QL](https://help.semmle.com/QL/ql-handbook/evaluation.html). It's more similar to SQL than to any mainstream programming language.
+   - Understand [the evaluation model of QL](https://codeql.github.com/docs/ql-language-reference/evaluation-of-ql-programs/). It's more similar to SQL than to any mainstream programming language.
    - Most performance tuning in QL boils down to computing as few tuples (rows of data) as possible. As a mental model, think of predicate evaluation as enumerating all combinations of parameters that satisfy the predicate body. This includes the implicit parameters `this` and `result`.
    - The major libraries in CodeQL are _cached_ and will only be computed once for the entire suite of queries. The first query that needs a cached _stage_ will trigger its evaluation. This means that query authors should usually only look at the run time of the last stage of evaluation.
-   - In [the settings for the VSCode extension](https://help.semmle.com/codeql/codeql-for-vscode/reference/settings.html), check the box "Running Queries: Debug" (`codeQL.runningQueries.debug`). Then find "CodeQL Query Server" in the VSCode Output panel (View -> Output) and capture the output when running the query. That output contains timing and tuple counts for all computed predicates.
+   - In [the settings for the VSCode extension](https://codeql.github.com/docs/codeql-for-visual-studio-code/customizing-settings/), check the box "Running Queries: Debug" (`codeQL.runningQueries.debug`). Then find "CodeQL Query Server" in the VSCode Output panel (View -> Output) and capture the output when running the query. That output contains timing and tuple counts for all computed predicates.
    - To clear the entire cache, invoke "CodeQL: Clear Cache" from the VSCode command palette.
 
 6. **Make sure your query has the correct metadata**
@@ -78,4 +78,4 @@ The process must begin with the first step and must conclude with the final step
    - The structure of an `experimental` subdirectory mirrors the structure of its parent directory, so this step may just be a matter of removing the `experimental/` prefix of the query and test paths. Be sure to also edit any references to the query path in tests.
    - Add the query to one of the legacy suite files in `ql/<language>/config/suites/<language>/` if it exists. Note that there are separate suite directories for C and C++, `c` and `cpp` respectively, and the query should be added to one or both as appropriate.
    - Add a release note to `change-notes/<next-version>/analysis-<language>.md`.
-   - Your pull request will be flagged automatically for a review by the documentation team to ensure that the query help file is ready for wider use. 
+   - Your pull request will be flagged automatically for a review by the documentation team to ensure that the query help file is ready for wider use.

From 568724bffd4de1a36e078ccde33cfde2308a0d73 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 4 May 2021 13:00:28 +0200
Subject: [PATCH 0829/1429] C#: Fix getInstructionOpcode to make sure
 IRConstruction.qll compiles for C#.

---
 .../ir/implementation/raw/internal/IRConstruction.qll         | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/csharp/ql/src/experimental/ir/implementation/raw/internal/IRConstruction.qll b/csharp/ql/src/experimental/ir/implementation/raw/internal/IRConstruction.qll
index f5fe747472f..956a95e0667 100644
--- a/csharp/ql/src/experimental/ir/implementation/raw/internal/IRConstruction.qll
+++ b/csharp/ql/src/experimental/ir/implementation/raw/internal/IRConstruction.qll
@@ -165,10 +165,10 @@ import Cached
 cached
 private module Cached {
   cached
-  Opcode getInstructionOpcode(TRawInstruction instr) {
+  predicate getInstructionOpcode(Opcode opcode, TRawInstruction instr) {
     exists(TranslatedElement element, InstructionTag tag |
       instructionOrigin(instr, element, tag) and
-      element.hasInstruction(result, tag, _)
+      element.hasInstruction(opcode, tag, _)
     )
   }
 

From 616a57d6d40c159bbe186269a9153eb956c567b2 Mon Sep 17 00:00:00 2001
From: Felicity Chapman <felicitymay@github.com>
Date: Tue, 4 May 2021 11:24:19 +0100
Subject: [PATCH 0830/1429] Update article with code scanning example

---
 ...nalyzing-databases-with-the-codeql-cli.rst | 37 +++++++++++--------
 1 file changed, 21 insertions(+), 16 deletions(-)

diff --git a/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst b/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
index 60126d12d0a..6d30fee7f65 100644
--- a/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
+++ b/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
@@ -101,39 +101,44 @@ You can also run your own custom queries with the ``database analyze`` command.
 For more information about preparing your queries to use with the CodeQL CLI,
 see ":doc:`Using custom queries with the CodeQL CLI <using-custom-queries-with-the-codeql-cli>`."
 
-
-Running LGTM.com query suites
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Running GitHub code scanning suites
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 The CodeQL repository also includes query suites, which can be run over your
 code as part of a broader code review. CodeQL query suites are ``.qls`` files
 that use directives to select queries to run based on certain metadata
 properties.
 
-The query suites included in the CodeQL repository select the same set of
-queries that are run by default on `LGTM.com <https://lgtm.com>`__. The queries
-are selected to highlight the most relevant and useful results for each
-language. 
-
-The language-specific LGTM query suites are located at the following paths in
+The CodeQL repository includes query suites that are used by the CodeQL action on 
+`GitHub.com <https://github.com>`__. The query suites are located at the following paths in
 the CodeQL repository::
 
-   ql/<language>/ql/src/codeql-suites/<language>-lgtm.qls
+   ql/<language>/ql/src/codeql-suites/<language>-code-scanning.qls
 
 and at the following path in the CodeQL for Go repository::
 
-   ql/src/codeql-suites/go-lgtm.qls
+   ql/src/codeql-suites/go-code-scanning.qls
 
 These locations are specified in the metadata included in the standard QL packs.
-This means that CodeQL knows where to find the suite files automatically, and
+This means that the CodeQL CLI knows where to find the suite files automatically, and
 you don't have to specify the full path on the command line when running an
 analysis. For more information, see ":ref:`About QL packs <standard-ql-packs>`."
 
-For example, to run the LGTM.com query suite on a C++ codebase (generating
-results in the latest SARIF format), you would run::
+.. pull-quote::
+
+   Important
+
+   If you plan to upload the results to GitHub, you must generate SARIF results.
+   For more information, see `Analyzing a CodeQL database <https://docs.github.com/en/code-security/secure-coding/running-codeql-cli-in-your-ci-system#analyzing-a-codeql-database>`__ in the GitHub documentation.
+
+For example, to run the code scanning query suite on a C++ codebase and generate
+results in the v2.1 SARIF format supported by all versions of GitHub, you would run::
+
+   codeql database analyze <cpp-database> cpp-code-scanning.qls --format=sarifv2.1.0 --output=cpp-analysis/cpp-results.sarif
+
+The repository also includes the query suites used by `LGTM.com <https://lgtm.com>`__.
+These are stored alongside the code scanning suites with names of the form: ``<language>-lgtm.qls``.
 
-   codeql database analyze <cpp-database> cpp-lgtm.qls --format=sarif-latest --output=cpp-analysis/cpp-results.sarif
-   
 For information about creating custom query suites, see ":doc:`Creating
 CodeQL query suites <creating-codeql-query-suites>`."
 

From 6e94dc5b85e6a0f245d06d956339a7842a6ba829 Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Tue, 4 May 2021 13:15:20 +0200
Subject: [PATCH 0831/1429] Autoformatting

---
 .../semmle/code/java/dataflow/internal/TaintTrackingUtil.qll  | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index 00d5b2bb093..262a3babc0b 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -265,7 +265,9 @@ private predicate taintPreservingQualifierToMethod(Method m) {
   or
   m.(TaintPreservingCallable).returnsTaintFrom(-1)
   or
-  exists(JaxRsResourceMethod resourceMethod | m.(GetterMethod).getDeclaringType() = resourceMethod.getAParameter().getType())
+  exists(JaxRsResourceMethod resourceMethod |
+    m.(GetterMethod).getDeclaringType() = resourceMethod.getAParameter().getType()
+  )
 }
 
 private class StringReplaceMethod extends TaintPreservingCallable {

From d5793418f9c8e37ba8b0d091bfa9f6bc716d063b Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 4 May 2021 14:39:23 +0200
Subject: [PATCH 0832/1429] C++: Remove parent CWE tags.

---
 cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql               | 2 --
 cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql   | 1 -
 cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql     | 1 -
 .../src/Likely Bugs/Underspecified Functions/TooFewArguments.ql | 1 -
 cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql     | 2 --
 cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql      | 1 -
 6 files changed, 8 deletions(-)

diff --git a/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql b/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
index 3b91de67ece..566758c10bd 100644
--- a/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql	
+++ b/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql	
@@ -10,8 +10,6 @@
  *       security
  *       external/cwe/cwe-190
  *       external/cwe/cwe-253
- *       external/cwe/cwe-573
- *       external/cwe/cwe-754
  */
 
 import cpp
diff --git a/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql b/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
index 8feaefa6364..9412364183c 100644
--- a/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql	
+++ b/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql	
@@ -9,7 +9,6 @@
  * @tags reliability
  *       correctness
  *       security
- *       external/cwe/cwe-233
  *       external/cwe/cwe-234
  *       external/cwe/cwe-685
  */
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql b/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
index 23f27fcfff0..134f6101ea1 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql	
@@ -9,7 +9,6 @@
  * @tags reliability
  *       security
  *       external/cwe/cwe-758
- *       external/cwe/cwe-119
  */
 
 import cpp
diff --git a/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql b/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
index a4308bebaaa..b803f2b1fbc 100644
--- a/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql	
+++ b/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql	
@@ -12,7 +12,6 @@
  * @tags correctness
  *       maintainability
  *       security
- *       external/cwe/cwe-233
  *       external/cwe/cwe-234
  *       external/cwe/cwe-685
  */
diff --git a/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql b/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
index f599d834319..605321b51d0 100644
--- a/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
+++ b/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
@@ -7,8 +7,6 @@
  * @precision high
  * @tags security
  *       external/cwe/cwe-253
- *       external/cwe/cwe-573
- *       external/cwe/cwe-754
  *       external/microsoft/C6214
  *       external/microsoft/C6215
  *       external/microsoft/C6216
diff --git a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
index 4bade14f989..d356ba7bbc4 100644
--- a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
@@ -9,7 +9,6 @@
  * @id cpp/suspicious-add-sizeof
  * @tags security
  *       external/cwe/cwe-468
- *       external/cwe/cwe-682
  */
 
 import cpp

From 4964ce347b288d2bf8baffccee39c43bd39881d4 Mon Sep 17 00:00:00 2001
From: Henning Makholm <hmakholm@github.com>
Date: Wed, 5 May 2021 02:31:11 +0200
Subject: [PATCH 0833/1429] CPP: fix semi-unused variables in
 WrongInDetectingAndHandlingMemoryAllocationErrors.ql

The fact that `aex` and `it` was each used in just one disjunct of the
exists() body caused the optimizer to generate perfectly horrible
code, including a pointless cartesian product between them that caused
the evaluation to blow up.

Fix it such that each variable is logically scoped. That makes the
compiler much happier.
---
 ...ectingAndHandlingMemoryAllocationErrors.ql | 27 ++++++++++++-------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
index 8c7b8e5d067..8789a468896 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
@@ -53,20 +53,27 @@ class WrongCheckErrorOperatorNew extends FunctionCall {
    * Holds if results call `operator new` check in `operator if`.
    */
   predicate isExistsIfCondition() {
-    exists(IfCompareWithZero ifc, AssignExpr aex, Initializer it |
+    exists(IfCompareWithZero ifc |
       // call `operator new` directly from the condition of `operator if`.
       this = ifc.getCondition().getAChild*()
       or
-      // check results call `operator new` with variable appropriation
       postDominates(ifc, this) and
-      aex.getAChild() = exp and
-      ifc.getCondition().getAChild().(VariableAccess).getTarget() =
-        aex.getLValue().(VariableAccess).getTarget()
-      or
-      // check results call `operator new` with declaration variable
-      postDominates(ifc, this) and
-      exp = it.getExpr() and
-      it.getDeclaration() = ifc.getCondition().getAChild().(VariableAccess).getTarget()
+      exists(Variable v |
+        v = ifc.getCondition().getAChild().(VariableAccess).getTarget() and
+        (
+          exists(AssignExpr aex |
+            // check results call `operator new` with variable appropriation
+            aex.getAChild() = exp and
+            v = aex.getLValue().(VariableAccess).getTarget()
+          )
+          or
+          exists(Initializer it |
+            // check results call `operator new` with declaration variable
+            exp = it.getExpr() and
+            it.getDeclaration() = v
+          )
+        )
+      )
     )
   }
 

From 066cdb55d7836834ac67bdb6fcc39828118f9154 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 5 May 2021 09:30:12 +0200
Subject: [PATCH 0834/1429] C++: Add qldoc explaining column order.

---
 .../implementation/aliased_ssa/internal/SSAConstruction.qll | 6 ++++++
 .../unaliased_ssa/internal/SSAConstruction.qll              | 6 ++++++
 .../unaliased_ssa/internal/SSAConstruction.qll              | 6 ++++++
 3 files changed, 18 insertions(+)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
index f3ef4f2e8af..1ba19b4a4c3 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
@@ -338,6 +338,12 @@ private module Cached {
     instr = unreachedInstruction(_) and result = Language::getVoidType()
   }
 
+  /**
+   * Holds if `opcode` is the opcode that specifies the operation performed by `instr`.
+   *
+   * The parameters are ordered such that they produce a clean join (with no need for reordering)
+   * in the characteristic predicates of the `Instruction` subclasses.
+   */
   cached
   predicate getInstructionOpcode(Opcode opcode, Instruction instr) {
     opcode = getOldInstruction(instr).getOpcode()
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
index f3ef4f2e8af..1ba19b4a4c3 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -338,6 +338,12 @@ private module Cached {
     instr = unreachedInstruction(_) and result = Language::getVoidType()
   }
 
+  /**
+   * Holds if `opcode` is the opcode that specifies the operation performed by `instr`.
+   *
+   * The parameters are ordered such that they produce a clean join (with no need for reordering)
+   * in the characteristic predicates of the `Instruction` subclasses.
+   */
   cached
   predicate getInstructionOpcode(Opcode opcode, Instruction instr) {
     opcode = getOldInstruction(instr).getOpcode()
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
index f3ef4f2e8af..1ba19b4a4c3 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -338,6 +338,12 @@ private module Cached {
     instr = unreachedInstruction(_) and result = Language::getVoidType()
   }
 
+  /**
+   * Holds if `opcode` is the opcode that specifies the operation performed by `instr`.
+   *
+   * The parameters are ordered such that they produce a clean join (with no need for reordering)
+   * in the characteristic predicates of the `Instruction` subclasses.
+   */
   cached
   predicate getInstructionOpcode(Opcode opcode, Instruction instr) {
     opcode = getOldInstruction(instr).getOpcode()

From dc4a0c1d38dfe3cc6daae92b4cdae98f133ac766 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 5 May 2021 10:13:54 +0200
Subject: [PATCH 0835/1429] Python/JS: Fix typo

---
 .../javascript/security/internal/SensitiveDataHeuristics.qll    | 2 +-
 .../semmle/python/security/internal/SensitiveDataHeuristics.qll | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll b/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll
index 592b6c23f29..ddf95b1b534 100644
--- a/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll
+++ b/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll
@@ -116,7 +116,7 @@ module HeuristicNames {
    * it is hashed or encrypted). `classification` describes the kind of sensitive data
    * involved.
    *
-   * That is, one of the rexeps from `maybeSensitiveRegexp` matches `name` (with the
+   * That is, one of the regexps from `maybeSensitiveRegexp` matches `name` (with the
    * given classification), and none of the regexps from `notSensitiveRegexp` matches
    * `name`.
    */
diff --git a/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll b/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll
index 592b6c23f29..ddf95b1b534 100644
--- a/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll
+++ b/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll
@@ -116,7 +116,7 @@ module HeuristicNames {
    * it is hashed or encrypted). `classification` describes the kind of sensitive data
    * involved.
    *
-   * That is, one of the rexeps from `maybeSensitiveRegexp` matches `name` (with the
+   * That is, one of the regexps from `maybeSensitiveRegexp` matches `name` (with the
    * given classification), and none of the regexps from `notSensitiveRegexp` matches
    * `name`.
    */

From 3ceb8bbcc6b5b43deae31a1c64331e86555eb601 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 5 May 2021 10:52:57 +0200
Subject: [PATCH 0836/1429] Python: Add cryptography test for EC

Apparently, passing in the class (without instantiating it) is allowed
---
 python/ql/test/library-tests/frameworks/cryptography/test_ec.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/python/ql/test/library-tests/frameworks/cryptography/test_ec.py b/python/ql/test/library-tests/frameworks/cryptography/test_ec.py
index 0372d7e9dbf..96d60adb2fa 100644
--- a/python/ql/test/library-tests/frameworks/cryptography/test_ec.py
+++ b/python/ql/test/library-tests/frameworks/cryptography/test_ec.py
@@ -6,6 +6,7 @@ from cryptography.exceptions import InvalidSignature
 
 
 private_key = ec.generate_private_key(curve=ec.SECP384R1()) # $ PublicKeyGeneration keySize=384
+private_key = ec.generate_private_key(curve=ec.SECP384R1) # $ MISSING: PublicKeyGeneration keySize=384
 public_key = private_key.public_key()
 
 HASH_ALGORITHM = hashes.SHA256()

From 3ca670146e7e024bbac9255f88ff3c815e8e0ba6 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 5 May 2021 11:10:45 +0200
Subject: [PATCH 0837/1429] remove outdated comment

---
 javascript/ql/src/semmle/javascript/PackageExports.qll | 1 -
 1 file changed, 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/PackageExports.qll b/javascript/ql/src/semmle/javascript/PackageExports.qll
index e0f3d11ac38..60245ee5e0d 100644
--- a/javascript/ql/src/semmle/javascript/PackageExports.qll
+++ b/javascript/ql/src/semmle/javascript/PackageExports.qll
@@ -18,7 +18,6 @@ DataFlow::ParameterNode getALibraryInputParameter() {
 
 /**
  * Gets a value exported by the main module from a named `package.json` file.
- * The value is either directly the `module.exports` value, a nested property of `module.exports`, or a method on an exported class.
  */
 private DataFlow::Node getAValueExportedByPackage() {
   result =

From 28eef264e5d08e2cc1b18eb312904023f538232b Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 5 May 2021 11:23:25 +0200
Subject: [PATCH 0838/1429] recognize the `define(..)` call in
 PackageExports.qll

---
 javascript/ql/src/semmle/javascript/PackageExports.qll | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/PackageExports.qll b/javascript/ql/src/semmle/javascript/PackageExports.qll
index 60245ee5e0d..e784061a4f4 100644
--- a/javascript/ql/src/semmle/javascript/PackageExports.qll
+++ b/javascript/ql/src/semmle/javascript/PackageExports.qll
@@ -67,7 +67,8 @@ private DataFlow::Node getAValueExportedByPackage() {
   exists(ImmediatelyInvokedFunctionExpr func, DataFlow::ParameterNode prev, int i |
     prev.getName() = "factory" and
     func.getParameter(i) = prev.getParameter() and
-    result = func.getInvocation().getArgument(i).flow().getAFunctionValue().getAReturn()
+    result = func.getInvocation().getArgument(i).flow().getAFunctionValue().getAReturn() and
+    DataFlow::globalVarRef("define").getACall().getArgument(1) = prev.getALocalUse()
   )
   or
   // the exported value is a call to a unique callee

From fc3f5adbbb600ecbe3c0193f399c1aabb4c5bd38 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 5 May 2021 11:48:41 +0200
Subject: [PATCH 0839/1429] more source code examples in `PackageExports.qll`

---
 .../src/semmle/javascript/PackageExports.qll  | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/PackageExports.qll b/javascript/ql/src/semmle/javascript/PackageExports.qll
index e784061a4f4..03ae341c7b4 100644
--- a/javascript/ql/src/semmle/javascript/PackageExports.qll
+++ b/javascript/ql/src/semmle/javascript/PackageExports.qll
@@ -20,11 +20,17 @@ DataFlow::ParameterNode getALibraryInputParameter() {
  * Gets a value exported by the main module from a named `package.json` file.
  */
 private DataFlow::Node getAValueExportedByPackage() {
+  // The base case, an export from a named `package.json` file.
   result =
     getAnExportFromModule(any(PackageJSON pack | exists(pack.getPackageName())).getMainModule())
   or
+  // module.exports.bar.baz = result;
   result = getAValueExportedByPackage().(DataFlow::PropWrite).getRhs()
   or
+  // class Foo {
+  //   bar() {} // <- result
+  // };
+  // module.exports = new Foo();
   exists(DataFlow::SourceNode callee |
     callee = getAValueExportedByPackage().(DataFlow::NewNode).getCalleeNode().getALocalSource()
   |
@@ -35,14 +41,21 @@ private DataFlow::Node getAValueExportedByPackage() {
   or
   result = getAValueExportedByPackage().getALocalSource()
   or
+  // Nested property reads.
   result = getAValueExportedByPackage().(DataFlow::SourceNode).getAPropertyReference()
   or
+  // module.exports.foo = require("./other-module.js");
   exists(Module mod |
     mod = getAValueExportedByPackage().getEnclosingExpr().(Import).getImportedModule()
   |
     result = getAnExportFromModule(mod)
   )
   or
+  // module.exports = class Foo {
+  //   bar() {} // <- result
+  //   static baz() {} // <- result
+  //   constructor() {} // <- result
+  // };
   exists(DataFlow::ClassNode cla | cla = getAValueExportedByPackage() |
     result = cla.getAnInstanceMethod() or
     result = cla.getAStaticMethod() or
@@ -72,6 +85,12 @@ private DataFlow::Node getAValueExportedByPackage() {
   )
   or
   // the exported value is a call to a unique callee
+  // ```JavaScript
+  // module.exports = foo();
+  // function foo() {
+  //   return result;
+  // }
+  // ```
   exists(DataFlow::CallNode call | call = getAValueExportedByPackage() |
     result = unique( | | call.getCalleeNode().getAFunctionValue()).getAReturn()
   )

From e333267e69a54173d153edda9d8ed0051676d38b Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 5 May 2021 12:00:38 +0200
Subject: [PATCH 0840/1429] require that the `factory` function is in a main
 module file

---
 .../ql/src/semmle/javascript/PackageExports.qll       | 11 ++++++++++-
 .../Performance/ReDoS/lib/sublib/package.json         |  2 +-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/PackageExports.qll b/javascript/ql/src/semmle/javascript/PackageExports.qll
index 03ae341c7b4..92d295f1169 100644
--- a/javascript/ql/src/semmle/javascript/PackageExports.qll
+++ b/javascript/ql/src/semmle/javascript/PackageExports.qll
@@ -16,6 +16,8 @@ DataFlow::ParameterNode getALibraryInputParameter() {
   )
 }
 
+private import NodeModuleResolutionImpl as NodeModule
+
 /**
  * Gets a value exported by the main module from a named `package.json` file.
  */
@@ -77,11 +79,18 @@ private DataFlow::Node getAValueExportedByPackage() {
   //   ....
   // }));
   // ```
+  // Such files are not recognized as modules, so we manually use `NodeModule::resolveMainModule` to resolve the file against a `package.json` file.
   exists(ImmediatelyInvokedFunctionExpr func, DataFlow::ParameterNode prev, int i |
     prev.getName() = "factory" and
     func.getParameter(i) = prev.getParameter() and
     result = func.getInvocation().getArgument(i).flow().getAFunctionValue().getAReturn() and
-    DataFlow::globalVarRef("define").getACall().getArgument(1) = prev.getALocalUse()
+    DataFlow::globalVarRef("define").getACall().getArgument(1) = prev.getALocalUse() and
+    func.getFile() =
+      min(int j, File f |
+        f = NodeModule::resolveMainModule(any(PackageJSON pack | exists(pack.getPackageName())), j)
+      |
+        f order by j
+      )
   )
   or
   // the exported value is a call to a unique callee
diff --git a/javascript/ql/test/query-tests/Performance/ReDoS/lib/sublib/package.json b/javascript/ql/test/query-tests/Performance/ReDoS/lib/sublib/package.json
index 2804217e9ba..71e8c6000d1 100644
--- a/javascript/ql/test/query-tests/Performance/ReDoS/lib/sublib/package.json
+++ b/javascript/ql/test/query-tests/Performance/ReDoS/lib/sublib/package.json
@@ -1,5 +1,5 @@
 {
   "name": "my-sub-lib",
   "version": "0.0.7",
-  "main": "./my-file.js"
+  "main": "./factory.js"
 }
\ No newline at end of file

From ab53f3b3808ed0f727e9a74b75d96d18b8352dea Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 4 May 2021 21:09:15 +0200
Subject: [PATCH 0841/1429] add `array.filter()` as a taint-step

---
 javascript/ql/src/semmle/javascript/Arrays.qll        |  5 +++++
 .../Security/CWE-730/RegExpInjection.expected         | 11 +++++++++++
 .../query-tests/Security/CWE-730/RegExpInjection.js   |  1 +
 3 files changed, 17 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/Arrays.qll b/javascript/ql/src/semmle/javascript/Arrays.qll
index e33d62437ba..4c3d116aad1 100644
--- a/javascript/ql/src/semmle/javascript/Arrays.qll
+++ b/javascript/ql/src/semmle/javascript/Arrays.qll
@@ -36,6 +36,11 @@ module ArrayTaintTracking {
       succ = call
     )
     or
+    // `array.filter` keeps the taint
+    call.(DataFlow::MethodCallNode).getMethodName() = "filter" and
+    pred = call.getReceiver() and
+    succ = call
+    or
     // `array.reduce` with tainted value in callback
     call.(DataFlow::MethodCallNode).getMethodName() = "reduce" and
     pred = call.getArgument(0).(DataFlow::FunctionNode).getAReturn() and // Require the argument to be a closure to avoid spurious call/return flow
diff --git a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected
index dedd3625d6e..29bad1be0fb 100644
--- a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected
@@ -39,6 +39,11 @@ nodes
 | RegExpInjection.js:47:22:47:26 | input |
 | RegExpInjection.js:50:46:50:50 | input |
 | RegExpInjection.js:50:46:50:50 | input |
+| RegExpInjection.js:54:14:54:16 | key |
+| RegExpInjection.js:54:14:54:27 | key.split(".") |
+| RegExpInjection.js:54:14:54:42 | key.spl ... x => x) |
+| RegExpInjection.js:54:14:54:52 | key.spl ... in("-") |
+| RegExpInjection.js:54:14:54:52 | key.spl ... in("-") |
 | tst.js:1:46:1:46 | e |
 | tst.js:1:46:1:46 | e |
 | tst.js:2:9:2:21 | data |
@@ -53,6 +58,7 @@ edges
 | RegExpInjection.js:5:7:5:28 | key | RegExpInjection.js:19:19:19:21 | key |
 | RegExpInjection.js:5:7:5:28 | key | RegExpInjection.js:21:19:21:21 | key |
 | RegExpInjection.js:5:7:5:28 | key | RegExpInjection.js:33:12:33:14 | key |
+| RegExpInjection.js:5:7:5:28 | key | RegExpInjection.js:54:14:54:16 | key |
 | RegExpInjection.js:5:13:5:28 | req.param("key") | RegExpInjection.js:5:7:5:28 | key |
 | RegExpInjection.js:5:13:5:28 | req.param("key") | RegExpInjection.js:5:7:5:28 | key |
 | RegExpInjection.js:5:31:5:56 | input | RegExpInjection.js:40:19:40:23 | input |
@@ -89,6 +95,10 @@ edges
 | RegExpInjection.js:29:21:29:21 | s | RegExpInjection.js:31:23:31:23 | s |
 | RegExpInjection.js:33:12:33:14 | key | RegExpInjection.js:29:21:29:21 | s |
 | RegExpInjection.js:34:12:34:19 | getKey() | RegExpInjection.js:29:21:29:21 | s |
+| RegExpInjection.js:54:14:54:16 | key | RegExpInjection.js:54:14:54:27 | key.split(".") |
+| RegExpInjection.js:54:14:54:27 | key.split(".") | RegExpInjection.js:54:14:54:42 | key.spl ... x => x) |
+| RegExpInjection.js:54:14:54:42 | key.spl ... x => x) | RegExpInjection.js:54:14:54:52 | key.spl ... in("-") |
+| RegExpInjection.js:54:14:54:42 | key.spl ... x => x) | RegExpInjection.js:54:14:54:52 | key.spl ... in("-") |
 | tst.js:1:46:1:46 | e | tst.js:2:16:2:16 | e |
 | tst.js:1:46:1:46 | e | tst.js:2:16:2:16 | e |
 | tst.js:2:9:2:21 | data | tst.js:3:21:3:24 | data |
@@ -111,4 +121,5 @@ edges
 | RegExpInjection.js:46:23:46:27 | input | RegExpInjection.js:5:39:5:56 | req.param("input") | RegExpInjection.js:46:23:46:27 | input | This regular expression is constructed from a $@. | RegExpInjection.js:5:39:5:56 | req.param("input") | user-provided value |
 | RegExpInjection.js:47:22:47:26 | input | RegExpInjection.js:5:39:5:56 | req.param("input") | RegExpInjection.js:47:22:47:26 | input | This regular expression is constructed from a $@. | RegExpInjection.js:5:39:5:56 | req.param("input") | user-provided value |
 | RegExpInjection.js:50:46:50:50 | input | RegExpInjection.js:5:39:5:56 | req.param("input") | RegExpInjection.js:50:46:50:50 | input | This regular expression is constructed from a $@. | RegExpInjection.js:5:39:5:56 | req.param("input") | user-provided value |
+| RegExpInjection.js:54:14:54:52 | key.spl ... in("-") | RegExpInjection.js:5:13:5:28 | req.param("key") | RegExpInjection.js:54:14:54:52 | key.spl ... in("-") | This regular expression is constructed from a $@. | RegExpInjection.js:5:13:5:28 | req.param("key") | user-provided value |
 | tst.js:3:16:3:35 | "^"+ data.name + "$" | tst.js:1:46:1:46 | e | tst.js:3:16:3:35 | "^"+ data.name + "$" | This regular expression is constructed from a $@. | tst.js:1:46:1:46 | e | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js
index 9eeadfdbe6e..dc1910b1ae5 100644
--- a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js
+++ b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js
@@ -51,6 +51,7 @@ app.get('/findKey', function(req, res) {
   URI(`${protocol}://${host}${path}`).search(input).href(); // OK
   unknown.search(input).unknown; // OK
 
+  new RegExp(key.split(".").filter(x => x).join("-")); // NOT OK
 });
 
 import * as Search from './search';

From 668bfd3a4163118fbffef379e613274e1d057f05 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 5 May 2021 12:29:55 +0200
Subject: [PATCH 0842/1429] Python: Support EC keygen without class-instance
 for cryptography

I also added a new test to show off how what the origin ends up looking
like... I think it looks ok
---
 .../semmle/python/frameworks/Cryptography.qll | 26 ++++++++++++++++---
 .../cryptography/EcKeygenOrigin.expected      |  5 ++++
 .../frameworks/cryptography/EcKeygenOrigin.ql |  8 ++++++
 .../cryptography/ec_keygen_origin.py          | 20 ++++++++++++++
 .../frameworks/cryptography/test_ec.py        |  2 +-
 5 files changed, 56 insertions(+), 5 deletions(-)
 create mode 100644 python/ql/test/library-tests/frameworks/cryptography/EcKeygenOrigin.expected
 create mode 100644 python/ql/test/library-tests/frameworks/cryptography/EcKeygenOrigin.ql
 create mode 100644 python/ql/test/library-tests/frameworks/cryptography/ec_keygen_origin.py

diff --git a/python/ql/src/semmle/python/frameworks/Cryptography.qll b/python/ql/src/semmle/python/frameworks/Cryptography.qll
index 266d41897d3..fe9177227bd 100644
--- a/python/ql/src/semmle/python/frameworks/Cryptography.qll
+++ b/python/ql/src/semmle/python/frameworks/Cryptography.qll
@@ -22,7 +22,7 @@ private module CryptographyModel {
      * Gets a predefined curve class from
      * `cryptography.hazmat.primitives.asymmetric.ec` with a specific key size (in bits).
      */
-    private DataFlow::Node curveClassWithKeySize(int keySize) {
+    private API::Node predefinedCurveClass(int keySize) {
       exists(string curveName |
         result =
           API::moduleImport("cryptography")
@@ -31,7 +31,6 @@ private module CryptographyModel {
               .getMember("asymmetric")
               .getMember("ec")
               .getMember(curveName)
-              .getAUse()
       |
         // obtained by manually looking at source code in
         // https://github.com/pyca/cryptography/blob/cba69f1922803f4f29a3fde01741890d88b8e217/src/cryptography/hazmat/primitives/asymmetric/ec.py#L208-L300
@@ -75,13 +74,30 @@ private module CryptographyModel {
       )
     }
 
+    /** Gets a reference to a predefined curve class with a specific key size (in bits), as well as the origin of the class. */
+    private DataFlow::LocalSourceNode curveClassWithKeySize(
+      DataFlow::TypeTracker t, int keySize, DataFlow::Node origin
+    ) {
+      t.start() and
+      result = predefinedCurveClass(keySize).getAnImmediateUse() and
+      origin = result
+      or
+      exists(DataFlow::TypeTracker t2 |
+        result = curveClassWithKeySize(t2, keySize, origin).track(t2, t)
+      )
+    }
+
+    /** Gets a reference to a predefined curve class with a specific key size (in bits), as well as the origin of the class. */
+    DataFlow::Node curveClassWithKeySize(int keySize, DataFlow::Node origin) {
+      curveClassWithKeySize(DataFlow::TypeTracker::end(), keySize, origin).flowsTo(result)
+    }
+
     /** Gets a reference to a predefined curve class instance with a specific key size (in bits), as well as the origin of the class. */
     private DataFlow::LocalSourceNode curveClassInstanceWithKeySize(
       DataFlow::TypeTracker t, int keySize, DataFlow::Node origin
     ) {
       t.start() and
-      result.(DataFlow::CallCfgNode).getFunction() = curveClassWithKeySize(keySize) and
-      origin = result
+      result.(DataFlow::CallCfgNode).getFunction() = curveClassWithKeySize(keySize, origin)
       or
       exists(DataFlow::TypeTracker t2 |
         result = curveClassInstanceWithKeySize(t2, keySize, origin).track(t2, t)
@@ -164,6 +180,8 @@ private module CryptographyModel {
 
     override int getKeySizeWithOrigin(DataFlow::Node origin) {
       this.getCurveArg() = Ecc::curveClassInstanceWithKeySize(result, origin)
+      or
+      this.getCurveArg() = Ecc::curveClassWithKeySize(result, origin)
     }
 
     // Note: There is not really a key-size argument, since it's always specified by the curve.
diff --git a/python/ql/test/library-tests/frameworks/cryptography/EcKeygenOrigin.expected b/python/ql/test/library-tests/frameworks/cryptography/EcKeygenOrigin.expected
new file mode 100644
index 00000000000..a94092533f0
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/cryptography/EcKeygenOrigin.expected
@@ -0,0 +1,5 @@
+| ec_keygen_origin.py:8:1:8:45 | ControlFlowNode for Attribute() | 384 | ec_keygen_origin.py:8:31:8:42 | ControlFlowNode for Attribute |
+| ec_keygen_origin.py:9:1:9:43 | ControlFlowNode for Attribute() | 384 | ec_keygen_origin.py:9:31:9:42 | ControlFlowNode for Attribute |
+| ec_keygen_origin.py:12:1:12:36 | ControlFlowNode for Attribute() | 384 | ec_keygen_origin.py:11:9:11:20 | ControlFlowNode for Attribute |
+| ec_keygen_origin.py:15:1:15:39 | ControlFlowNode for Attribute() | 384 | ec_keygen_origin.py:11:9:11:20 | ControlFlowNode for Attribute |
+| ec_keygen_origin.py:20:1:20:32 | ControlFlowNode for Attribute() | 384 | ec_keygen_origin.py:6:58:6:66 | ControlFlowNode for ImportMember |
diff --git a/python/ql/test/library-tests/frameworks/cryptography/EcKeygenOrigin.ql b/python/ql/test/library-tests/frameworks/cryptography/EcKeygenOrigin.ql
new file mode 100644
index 00000000000..4234177d50d
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/cryptography/EcKeygenOrigin.ql
@@ -0,0 +1,8 @@
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.Concepts
+
+from Cryptography::PublicKey::KeyGeneration keyGen, int keySize, DataFlow::Node origin
+where
+  keyGen.getLocation().getFile().getShortName() = "ec_keygen_origin.py" and
+  keySize = keyGen.getKeySizeWithOrigin(origin)
+select keyGen, keySize, origin
diff --git a/python/ql/test/library-tests/frameworks/cryptography/ec_keygen_origin.py b/python/ql/test/library-tests/frameworks/cryptography/ec_keygen_origin.py
new file mode 100644
index 00000000000..c1469adb2ac
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/cryptography/ec_keygen_origin.py
@@ -0,0 +1,20 @@
+# Since key-size is not specified explicitly as an integer for the predefined
+# classes in the `cryptography.hazmat.primitives.asymmetric.ec` module, we need
+# special handling of the origin... this test is simply to show off how we handle this.
+
+from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.hazmat.primitives.asymmetric.ec import SECP384R1
+
+ec.generate_private_key(curve=ec.SECP384R1()) # $ PublicKeyGeneration keySize=384
+ec.generate_private_key(curve=ec.SECP384R1) # $ PublicKeyGeneration keySize=384
+
+alias = ec.SECP384R1
+ec.generate_private_key(curve=alias) # $ PublicKeyGeneration keySize=384
+
+instance = alias()
+ec.generate_private_key(curve=instance) # $ PublicKeyGeneration keySize=384
+
+
+x = SECP384R1
+y = x
+ec.generate_private_key(curve=y) # $ PublicKeyGeneration keySize=384
diff --git a/python/ql/test/library-tests/frameworks/cryptography/test_ec.py b/python/ql/test/library-tests/frameworks/cryptography/test_ec.py
index 96d60adb2fa..1e1e284dc33 100644
--- a/python/ql/test/library-tests/frameworks/cryptography/test_ec.py
+++ b/python/ql/test/library-tests/frameworks/cryptography/test_ec.py
@@ -6,7 +6,7 @@ from cryptography.exceptions import InvalidSignature
 
 
 private_key = ec.generate_private_key(curve=ec.SECP384R1()) # $ PublicKeyGeneration keySize=384
-private_key = ec.generate_private_key(curve=ec.SECP384R1) # $ MISSING: PublicKeyGeneration keySize=384
+private_key = ec.generate_private_key(curve=ec.SECP384R1) # $ PublicKeyGeneration keySize=384
 public_key = private_key.public_key()
 
 HASH_ALGORITHM = hashes.SHA256()

From 8b2009cfb105f1e240e433c3bb3d63f862965ee6 Mon Sep 17 00:00:00 2001
From: Felicity Chapman <felicitymay@github.com>
Date: Wed, 5 May 2021 12:36:29 +0100
Subject: [PATCH 0843/1429] Minor updates to qhelp file

---
 .../Security/CWE/CWE-643/XPathInjection.qhelp        | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.qhelp
index 91d110b80aa..f7fccc89ab8 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.qhelp
@@ -5,14 +5,14 @@
 <overview>
 <p>
 If an XPath expression is built using string concatenation, and the components of the concatenation
-include user input, a user is likely to be able to create a malicious XPath expression.
+include user input, it makes it very easy for a user to create a malicious XPath expression.
 </p>
 </overview>
 
 <recommendation>
 <p>
-If user input must be included in an XPath expression, pre-compile the query and use variable
-references to include the user input.
+If user input must be included in an XPath expression, either sanitize the data or pre-compile the query
+and use variable references to include the user input.
 </p>
 <p>
 XPath injection can also be prevented by using XQuery.
@@ -22,14 +22,14 @@ XPath injection can also be prevented by using XQuery.
 
 <example>
 <p>
-In the first, second, and third example, the code accepts a name and password specified by the user, and uses this
+In the first three examples, the code accepts a name and password specified by the user, and uses this
 unvalidated and unsanitized value in an XPath expression. This is vulnerable to the user providing
 special characters or string sequences that change the meaning of the XPath expression to search
 for different values.
 </p>
 
 <p>
-In the fourth example, the code utilizes setXPathVariableResolver which prevents XPath Injection.
+In the fourth example, the code uses `setXPathVariableResolver` which prevents XPath injection.
 </p>
 <p>
 The fifth example is a dom4j XPath injection example.
@@ -39,6 +39,6 @@ The fifth example is a dom4j XPath injection example.
 
 <references>
 <li>OWASP: <a href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection">Testing for XPath Injection</a>.</li>
-<li>OWASP: <a href="https://www.owasp.org/index.php/XPATH_Injection">XPath Injection</a>.</li>
+<li>OWASP: <a href="https://owasp.org/www-community/attacks/XPATH_Injection">XPath Injection</a>.</li>
 </references>
 </qhelp>

From d50f22504e9517ee1ac959ab756ee739476479d9 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 5 May 2021 14:07:15 +0200
Subject: [PATCH 0844/1429] Python: Fix .expected

---
 .../test/query-tests/Security/CWE-326/WeakCryptoKey.expected  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/ql/test/query-tests/Security/CWE-326/WeakCryptoKey.expected b/python/ql/test/query-tests/Security/CWE-326/WeakCryptoKey.expected
index 05d759d6f70..dc50ddd7873 100644
--- a/python/ql/test/query-tests/Security/CWE-326/WeakCryptoKey.expected
+++ b/python/ql/test/query-tests/Security/CWE-326/WeakCryptoKey.expected
@@ -1,8 +1,8 @@
 | weak_crypto.py:68:1:68:21 | ControlFlowNode for dsa_gen_key() | Creation of an DSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:16:12:16:15 | ControlFlowNode for IntegerLiteral | 1024 |
-| weak_crypto.py:69:1:69:19 | ControlFlowNode for ec_gen_key() | Creation of an ECC key uses $@ bits, which is below 224 and considered breakable. | weak_crypto.py:22:11:22:24 | ControlFlowNode for Attribute() | 163 |
+| weak_crypto.py:69:1:69:19 | ControlFlowNode for ec_gen_key() | Creation of an ECC key uses $@ bits, which is below 224 and considered breakable. | weak_crypto.py:22:11:22:22 | ControlFlowNode for Attribute | 163 |
 | weak_crypto.py:70:1:70:28 | ControlFlowNode for rsa_gen_key() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:12:12:12:15 | ControlFlowNode for IntegerLiteral | 1024 |
 | weak_crypto.py:72:1:72:30 | ControlFlowNode for dsa_gen_key() | Creation of an DSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:16:12:16:15 | ControlFlowNode for IntegerLiteral | 1024 |
-| weak_crypto.py:73:1:73:25 | ControlFlowNode for ec_gen_key() | Creation of an ECC key uses $@ bits, which is below 224 and considered breakable. | weak_crypto.py:22:11:22:24 | ControlFlowNode for Attribute() | 163 |
+| weak_crypto.py:73:1:73:25 | ControlFlowNode for ec_gen_key() | Creation of an ECC key uses $@ bits, which is below 224 and considered breakable. | weak_crypto.py:22:11:22:22 | ControlFlowNode for Attribute | 163 |
 | weak_crypto.py:74:1:74:37 | ControlFlowNode for rsa_gen_key() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:12:12:12:15 | ControlFlowNode for IntegerLiteral | 1024 |
 | weak_crypto.py:76:1:76:22 | ControlFlowNode for Attribute() | Creation of an DSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:16:12:16:15 | ControlFlowNode for IntegerLiteral | 1024 |
 | weak_crypto.py:77:1:77:22 | ControlFlowNode for Attribute() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:12:12:12:15 | ControlFlowNode for IntegerLiteral | 1024 |

From 4ac21e9f3ffaacd50392fee6bd665c5d2f15989f Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 5 May 2021 13:21:37 +0200
Subject: [PATCH 0845/1429] make the `.filter` step more precise

---
 javascript/ql/src/semmle/javascript/Arrays.qll | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/Arrays.qll b/javascript/ql/src/semmle/javascript/Arrays.qll
index 4c3d116aad1..33ad18c9a04 100644
--- a/javascript/ql/src/semmle/javascript/Arrays.qll
+++ b/javascript/ql/src/semmle/javascript/Arrays.qll
@@ -36,10 +36,13 @@ module ArrayTaintTracking {
       succ = call
     )
     or
-    // `array.filter` keeps the taint
+    // `array.filter(x => x)` keeps the taint
     call.(DataFlow::MethodCallNode).getMethodName() = "filter" and
     pred = call.getReceiver() and
-    succ = call
+    succ = call and
+    exists(DataFlow::FunctionNode callback | callback = call.getArgument(0).getAFunctionValue() |
+      callback.getParameter(0).getALocalUse() = callback.getAReturn()
+    )
     or
     // `array.reduce` with tainted value in callback
     call.(DataFlow::MethodCallNode).getMethodName() = "reduce" and

From 74c99943050810581607091ba338ae09ae5e8fca Mon Sep 17 00:00:00 2001
From: Henry Mercer <henrymercer@github.com>
Date: Wed, 5 May 2021 16:36:29 +0100
Subject: [PATCH 0846/1429] Code Scanning selectors: Add alert aliases

---
 misc/suite-helpers/code-scanning-selectors.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/misc/suite-helpers/code-scanning-selectors.yml b/misc/suite-helpers/code-scanning-selectors.yml
index 6178e187ee9..a3460f62377 100644
--- a/misc/suite-helpers/code-scanning-selectors.yml
+++ b/misc/suite-helpers/code-scanning-selectors.yml
@@ -3,6 +3,8 @@
     kind:
     - problem
     - path-problem
+    - alert
+    - path-alert
     precision:
     - high
     - very-high

From a3c57c43c87e48a55e5efbebcead78d84bb9dbbb Mon Sep 17 00:00:00 2001
From: Henry Mercer <henrymercer@github.com>
Date: Wed, 5 May 2021 16:38:39 +0100
Subject: [PATCH 0847/1429] Code Scanning selectors: Include summary metrics

---
 misc/suite-helpers/code-scanning-selectors.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/misc/suite-helpers/code-scanning-selectors.yml b/misc/suite-helpers/code-scanning-selectors.yml
index a3460f62377..a57aa15679e 100644
--- a/misc/suite-helpers/code-scanning-selectors.yml
+++ b/misc/suite-helpers/code-scanning-selectors.yml
@@ -13,8 +13,12 @@
     - warning
     tags contain:
     - security
+- include:
+    kind:
+    - metric
+    tags contain:
+    - summary
 - exclude:
     deprecated: //
 - exclude:
     query path: /^experimental\/.*/
-

From 955d97f6bed68939dd8e613ff265aabaa15b2e1c Mon Sep 17 00:00:00 2001
From: Evgenii Protsenko <procenkoeg@yandex.ru>
Date: Wed, 5 May 2021 21:25:36 +0300
Subject: [PATCH 0848/1429] C++: Init SqlPqxxTainted.ql

---
 .../Security/CWE/CWE-089/SqlPqxxTainted.cpp   |  28 +++
 .../Security/CWE/CWE-089/SqlPqxxTainted.qhelp |  31 ++++
 .../Security/CWE/CWE-089/SqlPqxxTainted.ql    | 170 ++++++++++++++++++
 3 files changed, 229 insertions(+)
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.cpp
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.qhelp
 create mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.cpp b/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.cpp
new file mode 100644
index 00000000000..3b85835fff9
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.cpp
@@ -0,0 +1,28 @@
+#include <iostream>
+#include <stdexcept>
+#include <pqxx/pqxx>
+
+int main(int argc, char ** argv) {
+
+    if (argc != 2) { 
+        throw std::runtime_error("Give me a string!");
+    }
+    
+    pqxx::connection c;
+    pqxx::work w(c);
+
+    // BAD
+    char *userName = argv[1];
+    char query1[1000] = {0};
+    sprintf(query1, "SELECT UID FROM USERS where name = \"%s\"", userName);
+    pqxx::row r = w.exec1(query1);
+    w.commit();
+    std::cout << r[0].as<int>() << std::endl;
+
+    // GOOD
+    pqxx::result r2 = w.exec("SELECT " + w.quote(argv[1]));
+    w.commit();
+    std::cout << r2[0][0].c_str() << std::endl;
+
+    return 0;
+}
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.qhelp
new file mode 100644
index 00000000000..e92015edecf
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.qhelp
@@ -0,0 +1,31 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The code passes user input as part of a SQL query without escaping special elements. 
+It generates a SQL query to Postgres using <code>sprintf</code>,
+with the user-supplied data directly passed as an argument
+to <code>sprintf</code>. This leaves the code vulnerable to attack by SQL Injection.</p>
+
+</overview>
+<recommendation>
+
+<p>Use a library routine to escape characters in the user-supplied
+string before converting it to SQL. Use esc and quote pqxx library functions.</p>
+
+</recommendation>
+<example>
+<sample src="SqlPqxxTainted.c" />
+
+</example>
+<references>
+
+<li>MSDN Library: <a href="https://docs.microsoft.com/en-us/sql/relational-databases/security/sql-injection">SQL Injection</a>.</li>
+
+
+<!--  LocalWords:  SQL CWE
+ -->
+
+</references>
+</qhelp>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql b/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql
new file mode 100644
index 00000000000..2481b723cac
--- /dev/null
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql
@@ -0,0 +1,170 @@
+/**
+ * @name Uncontrolled data in SQL query to Postgres
+ * @description Including user-supplied data in a SQL query to Postgres
+ *              without neutralizing special elements can make code
+ *              vulnerable to SQL Injection.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id cpp/sql-injection
+ * @tags security
+ *       external/cwe/cwe-089
+ */
+
+import cpp
+import semmle.code.cpp.security.Security
+// import semmle.code.cpp.security.FunctionWithWrappers
+// import semmle.code.cpp.security.TaintTracking
+// import TaintedWithPath
+import semmle.code.cpp.dataflow.TaintTracking
+import DataFlow::PathGraph
+
+predicate pqxxTransationClassNames(string class_name, string namespace) {
+  class_name = "dbtransaction" and namespace = "pqxx"
+  or
+  class_name = "nontransaction" and namespace = "pqxx"
+  or
+  class_name = "basic_robusttransaction" and namespace = "pqxx"
+  or
+  class_name = "robusttransaction" and namespace = "pqxx"
+  or
+  class_name = "subtransaction" and namespace = "pqxx"
+  or
+  class_name = "transaction" and namespace = "pqxx"
+  or
+  class_name = "basic_transaction" and namespace = "pqxx"
+  or
+  class_name = "transaction_base" and namespace = "pqxx"
+  or
+  class_name = "work" and namespace = "pqxx"
+}
+
+predicate pqxxConnectionClassNames(string class_name, string namespace) {
+  class_name = "connection_base" and namespace = "pqxx"
+  or
+  class_name = "basic_connection" and namespace = "pqxx"
+  or
+  class_name = "connection" and namespace = "pqxx"
+}
+
+predicate pqxxTransactionSqlArgument(string function, int arg) {
+  function = "exec" and arg = 0
+  or
+  function = "exec0" and arg = 0
+  or
+  function = "exec1" and arg = 0
+  or
+  function = "exec_n" and arg = 1
+  or
+  function = "exec_params" and arg = 0
+  or
+  function = "exec_params0" and arg = 0
+  or
+  function = "exec_params1" and arg = 0
+  or
+  function = "exec_params_n" and arg = 1
+  or
+  function = "query_value" and arg = 0
+  or
+  function = "stream" and arg = 0
+}
+
+predicate pqxxConnectionSqlArgument(string function, int arg) {
+  function = "prepare" and arg = 1
+}
+
+Expr getPqxxSqlArgument() {
+  exists(FunctionCall fc, Expr e, int argIndex, Type t |
+      // examples: 'work' for 'work.exec(...)'; '->' for 'tx->exec()'.
+      e = fc.getQualifier() and
+      // to find ConnectionHandle/TransationHandle and similar classes which override '->' operator behavior
+      // and return pointer to a connection/transation object
+      e.getType().refersTo(t) and
+      // transation exec and connection prepare variations
+      (
+          pqxxTransationClassNames(t.getName(), _) and pqxxTransactionSqlArgument(fc.getTarget().getName(), argIndex)
+          or
+          pqxxConnectionClassNames(t.getName(), _) and pqxxConnectionSqlArgument(fc.getTarget().getName(), argIndex)
+      )
+      and
+      result = fc.getArgument(argIndex)
+  )
+}
+
+predicate pqxxEscapeArgument(string function, int arg) {
+  arg = 0 and
+  (
+      function = "esc"
+      or
+      function = "esc_raw"
+      or
+      function = "quote"
+      or
+      function = "quote_raw"
+      or
+      function = "quote_name"
+      or
+      function = "quote_table"
+      or
+      function = "esc_like"
+  )
+}
+
+predicate isEscapedPqxxArgument(Expr argExpr) {
+  exists(FunctionCall fc, Expr e, int argIndex, Type t |
+      // examples: 'work' for 'work.exec(...)'; '->' for 'tx->exec()'.
+      e = fc.getQualifier() and
+      // to find ConnectionHandle/TransationHandle and similar classes which override '->' operator behavior
+      // and return pointer to a connection/transation object
+      e.getType().refersTo(t) and
+      // transation and connection escape functions
+      (pqxxTransationClassNames(t.getName(), _) or pqxxConnectionClassNames(t.getName(), _))
+      and
+      pqxxEscapeArgument(fc.getTarget().getName(), argIndex)
+      and
+      // eval is escaped
+      argExpr = fc.getArgument(argIndex)
+  )
+}
+
+// class Configuration extends TaintTrackingConfiguration {
+//   override predicate isSink(Element tainted) {
+//     tainted = getPqxxSqlArgument()
+//   }
+//   override predicate isBarrier(Expr e) {
+//     super.isBarrier(e) or e.getUnspecifiedType() instanceof IntegralType
+//   }
+// }
+// from
+//   Expr taintedArg, Expr taintSource, PathNode sourceNode, PathNode sinkNode, string taintCause
+// where
+//   taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and
+//   isUserInput(taintSource, taintCause)
+// select taintedArg, sourceNode, sinkNode,
+//   "This argument to a SQL query function is derived from $@", taintSource, "user input (" + taintCause + ")"
+
+
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "SqlPqxxTainted" }
+
+  override predicate isSource(DataFlow::Node source) {
+    isUserInput(source.asExpr(), _)
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() = getPqxxSqlArgument()
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    isEscapedPqxxArgument(node.asExpr())
+  }
+}
+
+from 
+  DataFlow::PathNode source, DataFlow::PathNode sink, Configuration config, string taintCause
+where 
+  config.hasFlowPath(source, sink) and
+  isUserInput(source.getNode().asExpr(), taintCause)
+select 
+  sink, source, sink,
+  "This argument to a SQL query function is derived from $@", source, "user input (" + taintCause + ")"

From 330eaea467532fac4fc2501bf56de7f606c3b64f Mon Sep 17 00:00:00 2001
From: Evgenii Protsenko <procenkoeg@yandex.ru>
Date: Wed, 5 May 2021 21:48:14 +0300
Subject: [PATCH 0849/1429] C++: SqlPqxxTainted.ql style fixes

---
 .../Security/CWE/CWE-089/SqlPqxxTainted.ql    | 121 +++++++-----------
 1 file changed, 45 insertions(+), 76 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql b/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql
index 2481b723cac..9d27674409a 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql
@@ -13,9 +13,6 @@
 
 import cpp
 import semmle.code.cpp.security.Security
-// import semmle.code.cpp.security.FunctionWithWrappers
-// import semmle.code.cpp.security.TaintTracking
-// import TaintedWithPath
 import semmle.code.cpp.dataflow.TaintTracking
 import DataFlow::PathGraph
 
@@ -69,102 +66,74 @@ predicate pqxxTransactionSqlArgument(string function, int arg) {
   function = "stream" and arg = 0
 }
 
-predicate pqxxConnectionSqlArgument(string function, int arg) {
-  function = "prepare" and arg = 1
-}
+predicate pqxxConnectionSqlArgument(string function, int arg) { function = "prepare" and arg = 1 }
 
 Expr getPqxxSqlArgument() {
   exists(FunctionCall fc, Expr e, int argIndex, Type t |
-      // examples: 'work' for 'work.exec(...)'; '->' for 'tx->exec()'.
-      e = fc.getQualifier() and
-      // to find ConnectionHandle/TransationHandle and similar classes which override '->' operator behavior
-      // and return pointer to a connection/transation object
-      e.getType().refersTo(t) and
-      // transation exec and connection prepare variations
-      (
-          pqxxTransationClassNames(t.getName(), _) and pqxxTransactionSqlArgument(fc.getTarget().getName(), argIndex)
-          or
-          pqxxConnectionClassNames(t.getName(), _) and pqxxConnectionSqlArgument(fc.getTarget().getName(), argIndex)
-      )
-      and
-      result = fc.getArgument(argIndex)
+    // examples: 'work' for 'work.exec(...)'; '->' for 'tx->exec()'.
+    e = fc.getQualifier() and
+    // to find ConnectionHandle/TransationHandle and similar classes which override '->' operator behavior
+    // and return pointer to a connection/transation object
+    e.getType().refersTo(t) and
+    // transation exec and connection prepare variations
+    (
+      pqxxTransationClassNames(t.getName(), _) and
+      pqxxTransactionSqlArgument(fc.getTarget().getName(), argIndex)
+      or
+      pqxxConnectionClassNames(t.getName(), _) and
+      pqxxConnectionSqlArgument(fc.getTarget().getName(), argIndex)
+    ) and
+    result = fc.getArgument(argIndex)
   )
 }
 
 predicate pqxxEscapeArgument(string function, int arg) {
   arg = 0 and
   (
-      function = "esc"
-      or
-      function = "esc_raw"
-      or
-      function = "quote"
-      or
-      function = "quote_raw"
-      or
-      function = "quote_name"
-      or
-      function = "quote_table"
-      or
-      function = "esc_like"
+    function = "esc"
+    or
+    function = "esc_raw"
+    or
+    function = "quote"
+    or
+    function = "quote_raw"
+    or
+    function = "quote_name"
+    or
+    function = "quote_table"
+    or
+    function = "esc_like"
   )
 }
 
 predicate isEscapedPqxxArgument(Expr argExpr) {
   exists(FunctionCall fc, Expr e, int argIndex, Type t |
-      // examples: 'work' for 'work.exec(...)'; '->' for 'tx->exec()'.
-      e = fc.getQualifier() and
-      // to find ConnectionHandle/TransationHandle and similar classes which override '->' operator behavior
-      // and return pointer to a connection/transation object
-      e.getType().refersTo(t) and
-      // transation and connection escape functions
-      (pqxxTransationClassNames(t.getName(), _) or pqxxConnectionClassNames(t.getName(), _))
-      and
-      pqxxEscapeArgument(fc.getTarget().getName(), argIndex)
-      and
-      // eval is escaped
-      argExpr = fc.getArgument(argIndex)
+    // examples: 'work' for 'work.exec(...)'; '->' for 'tx->exec()'.
+    e = fc.getQualifier() and
+    // to find ConnectionHandle/TransationHandle and similar classes which override '->' operator behavior
+    // and return pointer to a connection/transation object
+    e.getType().refersTo(t) and
+    // transation and connection escape functions
+    (pqxxTransationClassNames(t.getName(), _) or pqxxConnectionClassNames(t.getName(), _)) and
+    pqxxEscapeArgument(fc.getTarget().getName(), argIndex) and
+    // eval is escaped
+    argExpr = fc.getArgument(argIndex)
   )
 }
 
-// class Configuration extends TaintTrackingConfiguration {
-//   override predicate isSink(Element tainted) {
-//     tainted = getPqxxSqlArgument()
-//   }
-//   override predicate isBarrier(Expr e) {
-//     super.isBarrier(e) or e.getUnspecifiedType() instanceof IntegralType
-//   }
-// }
-// from
-//   Expr taintedArg, Expr taintSource, PathNode sourceNode, PathNode sinkNode, string taintCause
-// where
-//   taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and
-//   isUserInput(taintSource, taintCause)
-// select taintedArg, sourceNode, sinkNode,
-//   "This argument to a SQL query function is derived from $@", taintSource, "user input (" + taintCause + ")"
-
-
 class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "SqlPqxxTainted" }
 
-  override predicate isSource(DataFlow::Node source) {
-    isUserInput(source.asExpr(), _)
-  }
+  override predicate isSource(DataFlow::Node source) { isUserInput(source.asExpr(), _) }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() = getPqxxSqlArgument()
-  }
+  override predicate isSink(DataFlow::Node sink) { sink.asExpr() = getPqxxSqlArgument() }
 
-  override predicate isSanitizer(DataFlow::Node node) {
-    isEscapedPqxxArgument(node.asExpr())
-  }
+  override predicate isSanitizer(DataFlow::Node node) { isEscapedPqxxArgument(node.asExpr()) }
 }
 
-from 
-  DataFlow::PathNode source, DataFlow::PathNode sink, Configuration config, string taintCause
-where 
+from DataFlow::PathNode source, DataFlow::PathNode sink, Configuration config, string taintCause
+where
   config.hasFlowPath(source, sink) and
   isUserInput(source.getNode().asExpr(), taintCause)
-select 
-  sink, source, sink,
-  "This argument to a SQL query function is derived from $@", source, "user input (" + taintCause + ")"
+select sink, source, sink, "This argument to a SQL query function is derived from $@", source,
+  "user input (" + taintCause + ")"

From b277082462848f3b102fac3c4f79e9babe8b4048 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Wed, 5 May 2021 23:28:04 +0300
Subject: [PATCH 0850/1429] Update
 DeclarationOfVariableWithUnnecessarilyWideScope.qhelp

---
 .../DeclarationOfVariableWithUnnecessarilyWideScope.qhelp       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.qhelp
index d84f47f5453..5234212f7ca 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.qhelp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.qhelp
@@ -3,7 +3,7 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>Using variables with the same name is dangerous. However, such a situation inside the while loop can lead to a violation of the accessibility of the program. Requires the attention of developers.</p>
+<p>Using variables with the same name is dangerous. However, such a situation inside the while loop can create an infinite loop exhausting resources. Requires the attention of developers.</p>
 
 </overview>
 <recommendation>

From 976ccda135748f5fff12250eed60f02e14d9aab3 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Wed, 5 May 2021 23:34:21 +0300
Subject: [PATCH 0851/1429] Update
 DeclarationOfVariableWithUnnecessarilyWideScope.ql

---
 .../DeclarationOfVariableWithUnnecessarilyWideScope.ql        | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
index 9acc1d35d81..be712b1cb1d 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
@@ -1,7 +1,7 @@
 /**
  * @name Errors When Using Variable Declaration Inside Loop
  * @description Using variables with the same name is dangerous.
- *              However, such a situation inside the while loop can lead to a violation of the accessibility of the program.
+ *              However, such a situation inside the while loop can create an infinite loop exhausting resources.
  *              Requires the attention of developers.
  * @kind problem
  * @id cpp/errors-when-using-variable-declaration-inside-loop
@@ -37,7 +37,7 @@ class DangerousWhileLoop extends WhileStmt {
   /** Holds when there are changes to the variables involved in the condition. */
   predicate isUseThisVariable() {
     exists(Variable v |
-      this.getCondition().getAChild*().(VariableAccess).getTarget() = v and
+      exp.(VariableAccess).getTarget() = v and
       (
         exists(Assignment aexp |
           aexp = this.getStmt().getAChild*() and

From 67e9f063047d5040f73f21f641270e07a8a3a144 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Date: Wed, 5 May 2021 17:27:49 -0400
Subject: [PATCH 0852/1429] [Java] Fix Kryo FP & Kryo 5 Support

Closes #4992
---
 .../2021-05-05-kryo-improvements.md           |  3 +
 .../code/java/dataflow/ExternalFlow.qll       |  1 +
 .../src/semmle/code/java/frameworks/Kryo.qll  | 55 ++++++++++++++++-
 .../java/security/UnsafeDeserialization.qll   | 59 +++++++++++++++++++
 .../security/CWE-502/KryoTest.java            | 34 +++++++++++
 .../kryo/pool/KryoCallback.java               |  7 +++
 .../kryo/pool/KryoFactory.java                |  7 +++
 .../esotericsoftware/kryo/pool/KryoPool.java  | 30 ++++++++++
 8 files changed, 194 insertions(+), 2 deletions(-)
 create mode 100644 java/change-notes/2021-05-05-kryo-improvements.md
 create mode 100644 java/ql/test/query-tests/security/CWE-502/KryoTest.java
 create mode 100644 java/ql/test/stubs/kryo-4.0.2/com/esotericsoftware/kryo/pool/KryoCallback.java
 create mode 100644 java/ql/test/stubs/kryo-4.0.2/com/esotericsoftware/kryo/pool/KryoFactory.java
 create mode 100644 java/ql/test/stubs/kryo-4.0.2/com/esotericsoftware/kryo/pool/KryoPool.java

diff --git a/java/change-notes/2021-05-05-kryo-improvements.md b/java/change-notes/2021-05-05-kryo-improvements.md
new file mode 100644
index 00000000000..f8ba79eb863
--- /dev/null
+++ b/java/change-notes/2021-05-05-kryo-improvements.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Add support for version 5 of the Kryo serialzation/deserialization framework.
+* Add support for detecting safe uses of Kryo utilizing `KryoPool.Builder. (#4992)[https://github.com/github/codeql/issues/4992]
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 7073c57ff9c..b62018dc2c4 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -291,6 +291,7 @@ private predicate summaryModelCsv(string row) {
       "java.util;StringTokenizer;false;StringTokenizer;;;Argument[0];Argument[-1];taint",
       "java.beans;XMLDecoder;false;XMLDecoder;;;Argument[0];Argument[-1];taint",
       "com.esotericsoftware.kryo.io;Input;false;Input;;;Argument[0];Argument[-1];taint",
+      "com.esotericsoftware.kryo5.io;Input;false;Input;;;Argument[0];Argument[-1];taint",
       "java.io;BufferedInputStream;false;BufferedInputStream;;;Argument[0];Argument[-1];taint",
       "java.io;DataInputStream;false;DataInputStream;;;Argument[0];Argument[-1];taint",
       "java.io;ByteArrayInputStream;false;ByteArrayInputStream;;;Argument[0];Argument[-1];taint",
diff --git a/java/ql/src/semmle/code/java/frameworks/Kryo.qll b/java/ql/src/semmle/code/java/frameworks/Kryo.qll
index 049be97ea9c..16873fc751f 100644
--- a/java/ql/src/semmle/code/java/frameworks/Kryo.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Kryo.qll
@@ -3,19 +3,60 @@
  */
 
 import java
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.FlowSteps
 
 /**
  * The type `com.esotericsoftware.kryo.Kryo`.
  */
 class Kryo extends RefType {
-  Kryo() { this.hasQualifiedName("com.esotericsoftware.kryo", "Kryo") }
+  Kryo() {
+    hasQualifiedName("com.esotericsoftware.kryo", "Kryo") or
+    hasQualifiedName("com.esotericsoftware.kryo5", "Kryo")
+  }
 }
 
 /**
  * A Kryo input stream.
  */
 class KryoInput extends RefType {
-  KryoInput() { this.hasQualifiedName("com.esotericsoftware.kryo.io", "Input") }
+  KryoInput() {
+    hasQualifiedName("com.esotericsoftware.kryo.io", "Input") or
+    hasQualifiedName("com.esotericsoftware.kryo5.io", "Input")
+  }
+}
+
+/**
+ * A Kryo pool.
+ */
+class KryoPool extends RefType {
+  KryoPool() {
+    hasQualifiedName("com.esotericsoftware.kryo.pool", "KryoPool") or
+    hasQualifiedName("com.esotericsoftware.kryo5.pool", "KryoPool")
+  }
+}
+
+/**
+ * A Kryo pool builder.
+ */
+class KryoPoolBuilder extends RefType {
+  KryoPoolBuilder() {
+    hasQualifiedName("com.esotericsoftware.kryo.pool", "KryoPool$Builder") or
+    hasQualifiedName("com.esotericsoftware.kryo5.pool", "KryoPool$Builder")
+  }
+}
+
+/**
+ * A Kryo pool builder method used a fluent API call chain.
+ */
+class KryoPoolBuilderMethod extends Method {
+  KryoPoolBuilderMethod() {
+    getDeclaringType() instanceof KryoPoolBuilder and
+    (
+      getReturnType() instanceof KryoPoolBuilder or
+      getReturnType() instanceof KryoPool
+    )
+  }
 }
 
 /**
@@ -45,3 +86,13 @@ class KryoEnableWhiteListing extends MethodAccess {
     )
   }
 }
+
+/**
+ * A KryoPool method that uses a Kryo instance.
+ */
+class KryoPoolRunMethod extends Method {
+  KryoPoolRunMethod() {
+    getDeclaringType() instanceof KryoPool and
+    hasName("run")
+  }
+}
diff --git a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
index ab809f07d6d..def37c0964e 100644
--- a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
+++ b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
@@ -48,6 +48,65 @@ class SafeKryo extends DataFlow2::Configuration {
       ma.getMethod() instanceof KryoReadObjectMethod
     )
   }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    stepKryoPoolBuilderFactoryArgToConstructor(node1, node2) or
+    stepKryoPoolRunMethodAccessQualifierToFunctionalArgument(node1, node2) or
+    stepKryoPoolBuilderChainMethod(node1, node2) or
+    stepKryoPoolBorrowMethod(node1, node2)
+  }
+
+  /**
+   * Holds when a funcitonal expression is used to create a `KryoPool.Builder`.
+   * Eg. `new KryoPool.Builder(() -> new Kryo())`
+   */
+  private predicate stepKryoPoolBuilderFactoryArgToConstructor(
+    DataFlow::Node node1, DataFlow::Node node2
+  ) {
+    exists(ConstructorCall cc, FunctionalExpr fe |
+      cc.getConstructedType() instanceof KryoPoolBuilder and
+      fe.asMethod().getBody().getAStmt().(ReturnStmt).getResult() = node1.asExpr() and
+      node2.asExpr() = cc and
+      cc.getArgument(0) = fe
+    )
+  }
+
+  /**
+   * Holds when a `KryoPool.run` is called to use a `Kryo` instance.
+   * Eg. `pool.run(kryo -> ...)`
+   */
+  private predicate stepKryoPoolRunMethodAccessQualifierToFunctionalArgument(
+    DataFlow::Node node1, DataFlow::Node node2
+  ) {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof KryoPoolRunMethod and
+      node1.asExpr() = ma.getQualifier() and
+      ma.getArgument(0).(FunctionalExpr).asMethod().getParameter(0) = node2.asParameter()
+    )
+  }
+
+  /**
+   * Holds when a `KryoPool.Builder` method is called fluently.
+   */
+  private predicate stepKryoPoolBuilderChainMethod(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof KryoPoolBuilderMethod and
+      ma = node2.asExpr() and
+      ma.getQualifier() = node1.asExpr()
+    )
+  }
+
+  /**
+   * Holds when a `KryoPool.borrow` method is called.
+   */
+  private predicate stepKryoPoolBorrowMethod(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(MethodAccess ma |
+      ma.getMethod() =
+        any(Method m | m.getDeclaringType() instanceof KryoPool and m.hasName("borrow")) and
+      node1.asExpr() = ma.getQualifier() and
+      node2.asExpr() = ma
+    )
+  }
 }
 
 predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
diff --git a/java/ql/test/query-tests/security/CWE-502/KryoTest.java b/java/ql/test/query-tests/security/CWE-502/KryoTest.java
new file mode 100644
index 00000000000..8890bad91b9
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-502/KryoTest.java
@@ -0,0 +1,34 @@
+
+import java.io.*;
+import java.net.Socket;
+import com.esotericsoftware.kryo.Kryo;
+import com.esotericsoftware.kryo.pool.KryoPool;
+import com.esotericsoftware.kryo.io.Input;
+
+public class KryoTest {
+
+    private Kryo getSafeKryo() {
+        Kryo kryo = new Kryo();
+        kryo.setRegistrationRequired(true);
+        // ... kryo.register(A.class) ...
+        return kryo;
+    }
+
+    public void kryoDeserialize(Socket sock) throws java.io.IOException {
+        KryoPool kryoPool = new KryoPool.Builder(this::getSafeKryo).softReferences().build();
+        Input input = new Input(sock.getInputStream());
+        Object o = kryoPool.run(kryo -> kryo.readClassAndObject(input)); // OK
+    }
+
+    public void kryoDeserialize2(Socket sock) throws java.io.IOException {
+        KryoPool kryoPool = new KryoPool.Builder(this::getSafeKryo).softReferences().build();
+        Input input = new Input(sock.getInputStream());
+        Kryo k = kryoPool.borrow();
+        try {
+            Object o = k.readClassAndObject(input); // OK
+        } finally {
+            kryoPool.release(k);
+        }
+    }
+
+}
diff --git a/java/ql/test/stubs/kryo-4.0.2/com/esotericsoftware/kryo/pool/KryoCallback.java b/java/ql/test/stubs/kryo-4.0.2/com/esotericsoftware/kryo/pool/KryoCallback.java
new file mode 100644
index 00000000000..729426aba62
--- /dev/null
+++ b/java/ql/test/stubs/kryo-4.0.2/com/esotericsoftware/kryo/pool/KryoCallback.java
@@ -0,0 +1,7 @@
+package com.esotericsoftware.kryo.pool;
+
+import com.esotericsoftware.kryo.Kryo;
+
+public interface KryoCallback<T> {
+	T execute (Kryo kryo);
+}
diff --git a/java/ql/test/stubs/kryo-4.0.2/com/esotericsoftware/kryo/pool/KryoFactory.java b/java/ql/test/stubs/kryo-4.0.2/com/esotericsoftware/kryo/pool/KryoFactory.java
new file mode 100644
index 00000000000..4dcda1445df
--- /dev/null
+++ b/java/ql/test/stubs/kryo-4.0.2/com/esotericsoftware/kryo/pool/KryoFactory.java
@@ -0,0 +1,7 @@
+package com.esotericsoftware.kryo.pool;
+
+import com.esotericsoftware.kryo.Kryo;
+
+public interface KryoFactory {
+	Kryo create ();
+}
diff --git a/java/ql/test/stubs/kryo-4.0.2/com/esotericsoftware/kryo/pool/KryoPool.java b/java/ql/test/stubs/kryo-4.0.2/com/esotericsoftware/kryo/pool/KryoPool.java
new file mode 100644
index 00000000000..c005442c9e8
--- /dev/null
+++ b/java/ql/test/stubs/kryo-4.0.2/com/esotericsoftware/kryo/pool/KryoPool.java
@@ -0,0 +1,30 @@
+package com.esotericsoftware.kryo.pool;
+
+import com.esotericsoftware.kryo.Kryo;
+import java.util.Queue;
+
+public interface KryoPool {
+
+    Kryo borrow ();
+
+    void release (Kryo kryo);
+
+    <T> T run (KryoCallback<T> callback);
+
+    static class Builder {
+        public Builder (KryoFactory factory) {
+        }
+    
+        public Builder queue (Queue<Kryo> queue) {
+            return null;
+        }
+    
+        public Builder softReferences () {
+            return null;
+        }
+    
+        public KryoPool build () {
+            return null;
+        }
+    }
+}

From ed5619498c64f25aad6d3a558ddda3c23ddcc146 Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Mon, 26 Apr 2021 17:20:31 +0200
Subject: [PATCH 0853/1429] WIP: XPath Injection promotion

---
 .../Security/CWE/CWE-643/XPathInjection.ql    | 25 +-----
 .../src/semmle/code/java/security/XPath.qll   | 56 ++++++++++++
 .../query-tests/security/CWE-643/A.java       | 85 +++++++++++++++++++
 .../CWE-643/XPathInjectionTest.expected       |  0
 .../security/CWE-643/XPathInjectionTest.ql    | 22 +++++
 .../query-tests/security/CWE-643/options      |  1 +
 .../stubs/dom4j-2.1.1/org/dom4j/Document.java |  6 ++
 .../stubs/dom4j-2.1.1/org/dom4j/Node.java     | 31 +++++++
 8 files changed, 202 insertions(+), 24 deletions(-)
 create mode 100644 java/ql/src/semmle/code/java/security/XPath.qll
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-643/A.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-643/XPathInjectionTest.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-643/XPathInjectionTest.ql
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-643/options
 create mode 100644 java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Node.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql
index e5a29df46d5..0b9ec948db9 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql
@@ -11,32 +11,9 @@
  */
 
 import java
-import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.security.XmlParsers
 import DataFlow::PathGraph
-
-class XPathInjectionConfiguration extends TaintTracking::Configuration {
-  XPathInjectionConfiguration() { this = "XPathInjection" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
-}
-
-class XPathInjectionSink extends DataFlow::ExprNode {
-  XPathInjectionSink() {
-    exists(Method m, MethodAccess ma | ma.getMethod() = m |
-      m.getDeclaringType().hasQualifiedName("javax.xml.xpath", "XPath") and
-      (m.hasName("evaluate") or m.hasName("compile")) and
-      ma.getArgument(0) = this.getExpr()
-      or
-      m.getDeclaringType().hasQualifiedName("org.dom4j", "Node") and
-      (m.hasName("selectNodes") or m.hasName("selectSingleNode")) and
-      ma.getArgument(0) = this.getExpr()
-    )
-  }
-}
+import semmle.code.java.security.XPath
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, XPathInjectionConfiguration c
 where c.hasFlowPath(source, sink)
diff --git a/java/ql/src/semmle/code/java/security/XPath.qll b/java/ql/src/semmle/code/java/security/XPath.qll
new file mode 100644
index 00000000000..d55139b6ba1
--- /dev/null
+++ b/java/ql/src/semmle/code/java/security/XPath.qll
@@ -0,0 +1,56 @@
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.security.XmlParsers
+
+/**
+ * An abstract type representing a call to interpret XPath expressions.
+ */
+class XPathSink extends MethodAccess {
+  abstract Expr getSink();
+}
+
+/** The class `javax.xml.xpath.XPath` */
+class XPath extends RefType {
+  XPath() { this.hasQualifiedName("javax.xml.xpath", "XPath") }
+}
+
+/** A call to `XPath.Evaluate` or `XPath.compile` */
+class XPathEvaluateOrCompile extends XPathSink {
+  XPathEvaluateOrCompile() {
+    exists(Method m | this.getMethod() = m and m.getDeclaringType() instanceof XPath |
+      m.hasName("evaluate")
+      or
+      m.hasName("compile")
+    )
+  }
+
+  override Expr getSink() { result = this.getArgument(0) }
+}
+
+/** The class `org.dom4j.Node` */
+class Dom4JNode extends RefType {
+  Dom4JNode() { this.hasQualifiedName("org.dom4j", "Node") }
+}
+
+/** A call to `Node.selectNodes` or `Node.selectSingleNode` */
+class NodeSelectNodes extends XPathSink {
+  NodeSelectNodes() {
+    exists(Method m | this.getMethod() = m and m.getDeclaringType() instanceof Dom4JNode |
+      m.hasName("selectNodes") or m.hasName("selectSingleNode")
+    )
+  }
+
+  override Expr getSink() { result = this.getArgument(0) }
+}
+
+class XPathInjectionSink extends DataFlow::ExprNode {
+  XPathInjectionSink() { exists(XPathSink sink | this.getExpr() = sink.getSink()) }
+}
+
+class XPathInjectionConfiguration extends TaintTracking::Configuration {
+  XPathInjectionConfiguration() { this = "XPathInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-643/A.java b/java/ql/test/experimental/query-tests/security/CWE-643/A.java
new file mode 100644
index 00000000000..e9ad83e63ea
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-643/A.java
@@ -0,0 +1,85 @@
+import javax.xml.*;
+
+import org.w3c.dom.Document;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpression;
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;
+
+import java.io.BufferedInputStream;
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.io.StringReader;
+
+import javax.servlet.http.HttpServletRequest;
+
+public class A {
+    public void handle(HttpServletRequest request) throws Exception {
+        final String xmlStr = "<users>" + "   <user name=\"aaa\" pass=\"pass1\"></user>"
+                + "   <user name=\"bbb\" pass=\"pass2\"></user>" + "</users>";
+        DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
+        domFactory.setNamespaceAware(true);
+        DocumentBuilder builder = domFactory.newDocumentBuilder();
+        Document doc = builder.parse(new InputSource(new StringReader(xmlStr)));
+
+        XPathFactory factory = XPathFactory.newInstance();
+        XPath xpath = factory.newXPath();
+
+        // Injectable data
+        String user = request.getParameter("user");
+        String pass = request.getParameter("pass");
+        if (user != null && pass != null) {
+            boolean isExist = false;
+
+            // Bad expression
+            String expression1 = "/users/user[@name='" + user + "' and @pass='" + pass + "']";
+            isExist = (boolean) xpath.evaluate(expression1, doc, XPathConstants.BOOLEAN); // $hasXPathInjection
+            System.out.println(isExist);
+
+            // Bad expression
+            XPathExpression expression2 = xpath.compile("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+            isExist = (boolean) expression2.evaluate(doc, XPathConstants.BOOLEAN);
+            System.out.println(isExist);
+
+            // Bad expression
+            StringBuffer sb = new StringBuffer("/users/user[@name=");
+            sb.append(user);
+            sb.append("' and @pass='");
+            sb.append(pass);
+            sb.append("']");
+            String query = sb.toString();
+            XPathExpression expression3 = xpath.compile(query); // $hasXPathInjection
+            isExist = (boolean) expression3.evaluate(doc, XPathConstants.BOOLEAN);
+            System.out.println(isExist);
+
+            // Good expression
+            String expression4 = "/users/user[@name=$user and @pass=$pass]";
+            xpath.setXPathVariableResolver(v -> {
+                switch (v.getLocalPart()) {
+                case "user":
+                    return user;
+                case "pass":
+                    return pass;
+                default:
+                    throw new IllegalArgumentException();
+                }
+            });
+            isExist = (boolean) xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN);
+            System.out.println(isExist);
+
+            // Bad Dom4j
+            org.dom4j.io.SAXReader reader = new org.dom4j.io.SAXReader();
+            org.dom4j.Document document = reader.read(new ByteArrayInputStream(xmlStr.getBytes()));
+            isExist = document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']") // $hasXPathInjection
+                    .hasContent();
+            document.selectNodes("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        }
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-643/XPathInjectionTest.expected b/java/ql/test/experimental/query-tests/security/CWE-643/XPathInjectionTest.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/experimental/query-tests/security/CWE-643/XPathInjectionTest.ql b/java/ql/test/experimental/query-tests/security/CWE-643/XPathInjectionTest.ql
new file mode 100644
index 00000000000..a49dccd2240
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-643/XPathInjectionTest.ql
@@ -0,0 +1,22 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.XPath
+import TestUtilities.InlineExpectationsTest
+
+class HasXPathInjectionTest extends InlineExpectationsTest {
+  HasXPathInjectionTest() { this = "HasXPathInjectionTest" }
+
+  override string getARelevantTag() { result = "hasXPathInjection" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasXPathInjection" and
+    exists(DataFlow::Node src, DataFlow::Node sink, XPathInjectionConfiguration conf |
+      conf.hasFlow(src, sink)
+    |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-643/options b/java/ql/test/experimental/query-tests/security/CWE-643/options
new file mode 100644
index 00000000000..90c9ae2ca33
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-643/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/dom4j-2.1.1:${testdir}/../../../../stubs/servlet-api-2.4
\ No newline at end of file
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Document.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Document.java
index 86b950b125c..0ffcfba3ece 100644
--- a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Document.java
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Document.java
@@ -13,7 +13,13 @@
 
 package org.dom4j;
 
+import java.util.List;
+
 public interface Document {
+
+    public Node selectSingleNode(String xpathExpression);
+
+    public List selectNodes(String xpathExpression);
 }
 
 /*
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Node.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Node.java
new file mode 100644
index 00000000000..641c5c15f86
--- /dev/null
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Node.java
@@ -0,0 +1,31 @@
+/*
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ *
+ * This software is open source.
+ * See the bottom of this file for the licence.
+ */
+
+/*
+ * Adapted from DOM4J version 2.1.1 as available at
+ *   https://search.maven.org/remotecontent?filepath=org/dom4j/dom4j/2.1.1/dom4j-2.1.1-sources.jar
+ * Only relevant stubs of this file have been retained for test purposes.
+ */
+package org.dom4j;
+
+public interface Node {
+
+    public boolean hasContent();
+}
+
+/*
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ *
+ * This software is open source. See the bottom of this file for the licence.
+ */
+
+/*
+ * Adapted from DOM4J version 2.1.1 as available at
+ * https://search.maven.org/remotecontent?filepath=org/dom4j/dom4j/2.1.1/dom4j-2
+ * .1.1-sources.jar Only relevant stubs of this file have been retained for test
+ * purposes.
+ */
\ No newline at end of file

From a62997463f3cb2b4c2abd3d4a91c76fb5e187d58 Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Mon, 26 Apr 2021 18:26:20 +0200
Subject: [PATCH 0854/1429] Remove unused imports; use set literals in hasName

---
 java/ql/src/semmle/code/java/security/XPath.qll            | 7 ++-----
 .../test/experimental/query-tests/security/CWE-643/A.java  | 2 --
 2 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/java/ql/src/semmle/code/java/security/XPath.qll b/java/ql/src/semmle/code/java/security/XPath.qll
index d55139b6ba1..1d56d9521e0 100644
--- a/java/ql/src/semmle/code/java/security/XPath.qll
+++ b/java/ql/src/semmle/code/java/security/XPath.qll
@@ -1,6 +1,5 @@
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.security.XmlParsers
 
 /**
  * An abstract type representing a call to interpret XPath expressions.
@@ -18,9 +17,7 @@ class XPath extends RefType {
 class XPathEvaluateOrCompile extends XPathSink {
   XPathEvaluateOrCompile() {
     exists(Method m | this.getMethod() = m and m.getDeclaringType() instanceof XPath |
-      m.hasName("evaluate")
-      or
-      m.hasName("compile")
+      m.hasName(["evaluate", "compile"])
     )
   }
 
@@ -36,7 +33,7 @@ class Dom4JNode extends RefType {
 class NodeSelectNodes extends XPathSink {
   NodeSelectNodes() {
     exists(Method m | this.getMethod() = m and m.getDeclaringType() instanceof Dom4JNode |
-      m.hasName("selectNodes") or m.hasName("selectSingleNode")
+      m.hasName(["selectNodes", "selectSingleNode"])
     )
   }
 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-643/A.java b/java/ql/test/experimental/query-tests/security/CWE-643/A.java
index e9ad83e63ea..bc4ca472b22 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-643/A.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-643/A.java
@@ -1,5 +1,3 @@
-import javax.xml.*;
-
 import org.w3c.dom.Document;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;

From fb3e56eac8ede2a1fd2d5d17af421323fdb5fd0e Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Mon, 26 Apr 2021 20:11:51 +0200
Subject: [PATCH 0855/1429] Fix imports and stubs so that tests pass

---
 .../2021-04-26-xpath-injection-query.md       |  2 +
 .../src/semmle/code/java/security/XPath.qll   | 10 ++--
 .../query-tests/security/CWE-643/A.java       | 40 +++++---------
 .../stubs/dom4j-2.1.1/org/dom4j/Branch.java   | 54 +++++++++++++++++++
 .../stubs/dom4j-2.1.1/org/dom4j/Document.java |  2 +-
 5 files changed, 78 insertions(+), 30 deletions(-)
 create mode 100644 java/change-notes/2021-04-26-xpath-injection-query.md
 create mode 100644 java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Branch.java

diff --git a/java/change-notes/2021-04-26-xpath-injection-query.md b/java/change-notes/2021-04-26-xpath-injection-query.md
new file mode 100644
index 00000000000..e049a9af764
--- /dev/null
+++ b/java/change-notes/2021-04-26-xpath-injection-query.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "XPath injection" (`java/xml/xpath-injection`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @SpaceWhite](https://github.com/github/codeql/pull/2800)
\ No newline at end of file
diff --git a/java/ql/src/semmle/code/java/security/XPath.qll b/java/ql/src/semmle/code/java/security/XPath.qll
index 1d56d9521e0..d93fca365e8 100644
--- a/java/ql/src/semmle/code/java/security/XPath.qll
+++ b/java/ql/src/semmle/code/java/security/XPath.qll
@@ -13,7 +13,7 @@ class XPath extends RefType {
   XPath() { this.hasQualifiedName("javax.xml.xpath", "XPath") }
 }
 
-/** A call to `XPath.Evaluate` or `XPath.compile` */
+/** A call to `XPath.evaluate` or `XPath.compile` */
 class XPathEvaluateOrCompile extends XPathSink {
   XPathEvaluateOrCompile() {
     exists(Method m | this.getMethod() = m and m.getDeclaringType() instanceof XPath |
@@ -24,9 +24,13 @@ class XPathEvaluateOrCompile extends XPathSink {
   override Expr getSink() { result = this.getArgument(0) }
 }
 
-/** The class `org.dom4j.Node` */
+/** Any class extending or implementing `org.dom4j.Node` */
 class Dom4JNode extends RefType {
-  Dom4JNode() { this.hasQualifiedName("org.dom4j", "Node") }
+  Dom4JNode() {
+    exists(Interface node | node.hasQualifiedName("org.dom4j", "Node") |
+      this.extendsOrImplements*(node)
+    )
+  }
 }
 
 /** A call to `Node.selectNodes` or `Node.selectSingleNode` */
diff --git a/java/ql/test/experimental/query-tests/security/CWE-643/A.java b/java/ql/test/experimental/query-tests/security/CWE-643/A.java
index bc4ca472b22..e1624124b52 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-643/A.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-643/A.java
@@ -1,22 +1,16 @@
-import org.w3c.dom.Document;
-import org.xml.sax.InputSource;
-import org.xml.sax.SAXException;
-
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.xpath.XPath;
-import javax.xml.xpath.XPathConstants;
-import javax.xml.xpath.XPathExpression;
-import javax.xml.xpath.XPathExpressionException;
-import javax.xml.xpath.XPathFactory;
-
-import java.io.BufferedInputStream;
 import java.io.ByteArrayInputStream;
-import java.io.InputStream;
 import java.io.StringReader;
 
 import javax.servlet.http.HttpServletRequest;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpression;
+import javax.xml.xpath.XPathFactory;
+
+import org.w3c.dom.Document;
+import org.xml.sax.InputSource;
 
 public class A {
     public void handle(HttpServletRequest request) throws Exception {
@@ -34,17 +28,13 @@ public class A {
         String user = request.getParameter("user");
         String pass = request.getParameter("pass");
         if (user != null && pass != null) {
-            boolean isExist = false;
-
             // Bad expression
             String expression1 = "/users/user[@name='" + user + "' and @pass='" + pass + "']";
-            isExist = (boolean) xpath.evaluate(expression1, doc, XPathConstants.BOOLEAN); // $hasXPathInjection
-            System.out.println(isExist);
+            xpath.evaluate(expression1, doc, XPathConstants.BOOLEAN); // $hasXPathInjection
 
             // Bad expression
             XPathExpression expression2 = xpath.compile("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-            isExist = (boolean) expression2.evaluate(doc, XPathConstants.BOOLEAN);
-            System.out.println(isExist);
+            expression2.evaluate(doc, XPathConstants.BOOLEAN);
 
             // Bad expression
             StringBuffer sb = new StringBuffer("/users/user[@name=");
@@ -54,8 +44,7 @@ public class A {
             sb.append("']");
             String query = sb.toString();
             XPathExpression expression3 = xpath.compile(query); // $hasXPathInjection
-            isExist = (boolean) expression3.evaluate(doc, XPathConstants.BOOLEAN);
-            System.out.println(isExist);
+            expression3.evaluate(doc, XPathConstants.BOOLEAN);
 
             // Good expression
             String expression4 = "/users/user[@name=$user and @pass=$pass]";
@@ -69,13 +58,12 @@ public class A {
                     throw new IllegalArgumentException();
                 }
             });
-            isExist = (boolean) xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN);
-            System.out.println(isExist);
+            xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN); // Safe
 
             // Bad Dom4j
             org.dom4j.io.SAXReader reader = new org.dom4j.io.SAXReader();
             org.dom4j.Document document = reader.read(new ByteArrayInputStream(xmlStr.getBytes()));
-            isExist = document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']") // $hasXPathInjection
+            document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']") // $hasXPathInjection
                     .hasContent();
             document.selectNodes("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
         }
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Branch.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Branch.java
new file mode 100644
index 00000000000..5218b8f098f
--- /dev/null
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Branch.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ *
+ * This software is open source.
+ * See the bottom of this file for the licence.
+ */
+
+/*
+ * Adapted from DOM4J version 2.1.1 as available at
+ *   https://search.maven.org/remotecontent?filepath=org/dom4j/dom4j/2.1.1/dom4j-2.1.1-sources.jar
+ * Only relevant stubs of this file have been retained for test purposes.
+ */
+
+package org.dom4j;
+
+public interface Branch extends Node {
+}
+
+/*
+ * Redistribution and use of this software and associated documentation
+ * ("Software"), with or without modification, are permitted provided that the
+ * following conditions are met:
+ * 
+ * 1. Redistributions of source code must retain copyright statements and
+ * notices. Redistributions must also contain a copy of this document.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * 3. The name "DOM4J" must not be used to endorse or promote products derived
+ * from this Software without prior written permission of MetaStuff, Ltd. For
+ * written permission, please contact dom4j-info@metastuff.com.
+ * 
+ * 4. Products derived from this Software may not be called "DOM4J" nor may
+ * "DOM4J" appear in their names without prior written permission of MetaStuff,
+ * Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
+ * 
+ * 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org
+ * 
+ * THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL METASTUFF, LTD. OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ * 
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ */
\ No newline at end of file
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Document.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Document.java
index 0ffcfba3ece..5231db0f5cf 100644
--- a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Document.java
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Document.java
@@ -15,7 +15,7 @@ package org.dom4j;
 
 import java.util.List;
 
-public interface Document {
+public interface Document extends Branch {
 
     public Node selectSingleNode(String xpathExpression);
 

From ee269fbc6917a155524b555016af993826487952 Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Mon, 26 Apr 2021 20:37:48 +0200
Subject: [PATCH 0856/1429] Added missing doc comments

---
 java/ql/src/semmle/code/java/security/XPath.qll | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/java/ql/src/semmle/code/java/security/XPath.qll b/java/ql/src/semmle/code/java/security/XPath.qll
index d93fca365e8..6bc74328dc7 100644
--- a/java/ql/src/semmle/code/java/security/XPath.qll
+++ b/java/ql/src/semmle/code/java/security/XPath.qll
@@ -1,3 +1,6 @@
+/** Provides classes to reason about XPath vulnerabilities. */
+
+import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 
@@ -5,6 +8,9 @@ import semmle.code.java.dataflow.TaintTracking
  * An abstract type representing a call to interpret XPath expressions.
  */
 class XPathSink extends MethodAccess {
+  /**
+   * Gets the argument representing the XPath expressions to be evaluated.
+   */
   abstract Expr getSink();
 }
 
@@ -44,10 +50,12 @@ class NodeSelectNodes extends XPathSink {
   override Expr getSink() { result = this.getArgument(0) }
 }
 
+/** A sink that represents a method that interprets XPath expressions. */
 class XPathInjectionSink extends DataFlow::ExprNode {
   XPathInjectionSink() { exists(XPathSink sink | this.getExpr() = sink.getSink()) }
 }
 
+/** A configuration that tracks data from a remote input source to a XPath evaluation sink. */
 class XPathInjectionConfiguration extends TaintTracking::Configuration {
   XPathInjectionConfiguration() { this = "XPathInjection" }
 

From d739a8cac25a64358ba9cbd68ee144de6178c48f Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Tue, 27 Apr 2021 12:03:03 +0200
Subject: [PATCH 0857/1429] Moved configuration from XPath.qll back to XPath
 Injection query

---
 .../Security/CWE/CWE-643/XPathInjection.ql           |  8 ++++++++
 java/ql/src/semmle/code/java/security/XPath.qll      |  7 -------
 .../security/CWE-643/XPathInjectionTest.ql           | 12 +++++++++---
 3 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql
index 0b9ec948db9..fbef6285021 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql
@@ -15,6 +15,14 @@ import semmle.code.java.dataflow.TaintTracking
 import DataFlow::PathGraph
 import semmle.code.java.security.XPath
 
+class XPathInjectionConfiguration extends TaintTracking::Configuration {
+  XPathInjectionConfiguration() { this = "XPathInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
+}
+
 from DataFlow::PathNode source, DataFlow::PathNode sink, XPathInjectionConfiguration c
 where c.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "$@ flows to here and is used in an XPath expression.",
diff --git a/java/ql/src/semmle/code/java/security/XPath.qll b/java/ql/src/semmle/code/java/security/XPath.qll
index 6bc74328dc7..80dc0e9d5da 100644
--- a/java/ql/src/semmle/code/java/security/XPath.qll
+++ b/java/ql/src/semmle/code/java/security/XPath.qll
@@ -55,11 +55,4 @@ class XPathInjectionSink extends DataFlow::ExprNode {
   XPathInjectionSink() { exists(XPathSink sink | this.getExpr() = sink.getSink()) }
 }
 
-/** A configuration that tracks data from a remote input source to a XPath evaluation sink. */
-class XPathInjectionConfiguration extends TaintTracking::Configuration {
-  XPathInjectionConfiguration() { this = "XPathInjection" }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-643/XPathInjectionTest.ql b/java/ql/test/experimental/query-tests/security/CWE-643/XPathInjectionTest.ql
index a49dccd2240..f675651c40f 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-643/XPathInjectionTest.ql
+++ b/java/ql/test/experimental/query-tests/security/CWE-643/XPathInjectionTest.ql
@@ -4,6 +4,14 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.XPath
 import TestUtilities.InlineExpectationsTest
 
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "test:xml:xpathinjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
+}
+
 class HasXPathInjectionTest extends InlineExpectationsTest {
   HasXPathInjectionTest() { this = "HasXPathInjectionTest" }
 
@@ -11,9 +19,7 @@ class HasXPathInjectionTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "hasXPathInjection" and
-    exists(DataFlow::Node src, DataFlow::Node sink, XPathInjectionConfiguration conf |
-      conf.hasFlow(src, sink)
-    |
+    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
       sink.getLocation() = location and
       element = sink.toString() and
       value = ""

From 3705970bfd3319fcf5ba869da2c85ec97e922bb1 Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Tue, 27 Apr 2021 12:20:05 +0200
Subject: [PATCH 0858/1429] Refactored XPath.qll to remove redundant classes
 and restrict visibility

---
 .../src/semmle/code/java/security/XPath.qll   | 54 ++++++++-----------
 1 file changed, 23 insertions(+), 31 deletions(-)

diff --git a/java/ql/src/semmle/code/java/security/XPath.qll b/java/ql/src/semmle/code/java/security/XPath.qll
index 80dc0e9d5da..8b983be5093 100644
--- a/java/ql/src/semmle/code/java/security/XPath.qll
+++ b/java/ql/src/semmle/code/java/security/XPath.qll
@@ -4,55 +4,47 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 
-/**
- * An abstract type representing a call to interpret XPath expressions.
- */
-class XPathSink extends MethodAccess {
-  /**
-   * Gets the argument representing the XPath expressions to be evaluated.
-   */
-  abstract Expr getSink();
-}
-
 /** The class `javax.xml.xpath.XPath` */
-class XPath extends RefType {
+private class XPath extends RefType {
   XPath() { this.hasQualifiedName("javax.xml.xpath", "XPath") }
 }
 
 /** A call to `XPath.evaluate` or `XPath.compile` */
-class XPathEvaluateOrCompile extends XPathSink {
+private class XPathEvaluateOrCompile extends MethodAccess {
   XPathEvaluateOrCompile() {
-    exists(Method m | this.getMethod() = m and m.getDeclaringType() instanceof XPath |
+    exists(Method m |
+      this.getMethod() = m and m.getDeclaringType() instanceof XPath
+    |
       m.hasName(["evaluate", "compile"])
     )
   }
-
-  override Expr getSink() { result = this.getArgument(0) }
 }
 
-/** Any class extending or implementing `org.dom4j.Node` */
-class Dom4JNode extends RefType {
-  Dom4JNode() {
-    exists(Interface node | node.hasQualifiedName("org.dom4j", "Node") |
-      this.extendsOrImplements*(node)
-    )
-  }
+/** The interface `org.dom4j.Node` */
+private class Dom4JNode extends Interface {
+  Dom4JNode() { this.hasQualifiedName("org.dom4j", "Node") }
 }
 
 /** A call to `Node.selectNodes` or `Node.selectSingleNode` */
-class NodeSelectNodes extends XPathSink {
+private class NodeSelectNodes extends MethodAccess {
   NodeSelectNodes() {
-    exists(Method m | this.getMethod() = m and m.getDeclaringType() instanceof Dom4JNode |
+    exists(Method m |
+      this.getMethod() = m and m.getDeclaringType().getASourceSupertype*() instanceof Dom4JNode
+    |
       m.hasName(["selectNodes", "selectSingleNode"])
     )
   }
-
-  override Expr getSink() { result = this.getArgument(0) }
 }
 
-/** A sink that represents a method that interprets XPath expressions. */
-class XPathInjectionSink extends DataFlow::ExprNode {
-  XPathInjectionSink() { exists(XPathSink sink | this.getExpr() = sink.getSink()) }
+/**
+ *  A sink that represents a method that interprets XPath expressions.
+ *  Extend this class to add your own XPath Injection sinks.
+ */
+abstract class XPathInjectionSink extends DataFlow::Node { }
+
+private class DefaultXPathInjectionSink extends XPathInjectionSink {
+  DefaultXPathInjectionSink() {
+    exists(NodeSelectNodes sink | sink.getArgument(0) = this.asExpr()) or
+    exists(XPathEvaluateOrCompile sink | sink.getArgument(0) = this.asExpr())
+  }
 }
-
-

From 2bb2baf6f70ec945ddfb0ea300701663f1051a01 Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Tue, 27 Apr 2021 15:02:15 +0200
Subject: [PATCH 0859/1429] Support more methods that evaluate XPath
 expressions

---
 .../src/semmle/code/java/security/XPath.qll   | 25 +++---
 .../query-tests/security/CWE-643/A.java       | 53 ++++++++++++-
 .../stubs/dom4j-2.1.1/org/dom4j/Document.java |  3 -
 .../org/dom4j/InvalidXPathException.java      | 60 +++++++++++++++
 .../stubs/dom4j-2.1.1/org/dom4j/Node.java     | 76 +++++++++++++++----
 5 files changed, 185 insertions(+), 32 deletions(-)
 create mode 100644 java/ql/test/stubs/dom4j-2.1.1/org/dom4j/InvalidXPathException.java

diff --git a/java/ql/src/semmle/code/java/security/XPath.qll b/java/ql/src/semmle/code/java/security/XPath.qll
index 8b983be5093..a1090e70b26 100644
--- a/java/ql/src/semmle/code/java/security/XPath.qll
+++ b/java/ql/src/semmle/code/java/security/XPath.qll
@@ -9,13 +9,13 @@ private class XPath extends RefType {
   XPath() { this.hasQualifiedName("javax.xml.xpath", "XPath") }
 }
 
-/** A call to `XPath.evaluate` or `XPath.compile` */
-private class XPathEvaluateOrCompile extends MethodAccess {
-  XPathEvaluateOrCompile() {
+/** A call to methods of any class implementing the interface `XPath` that evaluate XPath expressions */
+private class XPathEvaluation extends MethodAccess {
+  XPathEvaluation() {
     exists(Method m |
-      this.getMethod() = m and m.getDeclaringType() instanceof XPath
+      this.getMethod() = m and m.getDeclaringType().getASourceSupertype*() instanceof XPath
     |
-      m.hasName(["evaluate", "compile"])
+      m.hasName(["evaluate", "evaluateExpression", "compile"])
     )
   }
 }
@@ -25,13 +25,16 @@ private class Dom4JNode extends Interface {
   Dom4JNode() { this.hasQualifiedName("org.dom4j", "Node") }
 }
 
-/** A call to `Node.selectNodes` or `Node.selectSingleNode` */
-private class NodeSelectNodes extends MethodAccess {
-  NodeSelectNodes() {
+/** A call to methods of any class implementing the interface `Node` that evaluate XPath expressions */
+private class NodeXPathEvaluation extends MethodAccess {
+  NodeXPathEvaluation() {
     exists(Method m |
       this.getMethod() = m and m.getDeclaringType().getASourceSupertype*() instanceof Dom4JNode
     |
-      m.hasName(["selectNodes", "selectSingleNode"])
+      m.hasName([
+          "selectObject", "selectNodes", "selectSingleNode", "numberValueOf", "valueOf", "matches",
+          "createXPath"
+        ])
     )
   }
 }
@@ -44,7 +47,7 @@ abstract class XPathInjectionSink extends DataFlow::Node { }
 
 private class DefaultXPathInjectionSink extends XPathInjectionSink {
   DefaultXPathInjectionSink() {
-    exists(NodeSelectNodes sink | sink.getArgument(0) = this.asExpr()) or
-    exists(XPathEvaluateOrCompile sink | sink.getArgument(0) = this.asExpr())
+    exists(NodeXPathEvaluation sink | sink.getArgument(0) = this.asExpr()) or
+    exists(XPathEvaluation sink | sink.getArgument(0) = this.asExpr())
   }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-643/A.java b/java/ql/test/experimental/query-tests/security/CWE-643/A.java
index e1624124b52..b709a9e7786 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-643/A.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-643/A.java
@@ -2,27 +2,64 @@ import java.io.ByteArrayInputStream;
 import java.io.StringReader;
 
 import javax.servlet.http.HttpServletRequest;
+import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpression;
+import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;
 
 import org.w3c.dom.Document;
 import org.xml.sax.InputSource;
 
 public class A {
+    private static abstract class XPathImplStub implements XPath {
+        public static XPathImplStub getInstance() {
+            return null;
+        }
+
+        @Override
+        public XPathExpression compile(String expression) throws XPathExpressionException {
+            return null;
+        }
+
+        @Override
+        public Object evaluate(String expression, Object item, QName returnType) throws XPathExpressionException {
+            return null;
+        }
+
+        @Override
+        public String evaluate(String expression, Object item) throws XPathExpressionException {
+            return null;
+        }
+
+        @Override
+        public Object evaluate(String expression, InputSource source, QName returnType)
+                throws XPathExpressionException {
+            return null;
+        }
+
+        @Override
+        public String evaluate(String expression, InputSource source) throws XPathExpressionException {
+            return null;
+        }
+
+    }
+
     public void handle(HttpServletRequest request) throws Exception {
         final String xmlStr = "<users>" + "   <user name=\"aaa\" pass=\"pass1\"></user>"
                 + "   <user name=\"bbb\" pass=\"pass2\"></user>" + "</users>";
         DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
         domFactory.setNamespaceAware(true);
         DocumentBuilder builder = domFactory.newDocumentBuilder();
-        Document doc = builder.parse(new InputSource(new StringReader(xmlStr)));
+        InputSource xmlSource = new InputSource(new StringReader(xmlStr));
+        Document doc = builder.parse(xmlSource);
 
         XPathFactory factory = XPathFactory.newInstance();
         XPath xpath = factory.newXPath();
+        XPathImplStub xpathStub = XPathImplStub.getInstance();
 
         // Injectable data
         String user = request.getParameter("user");
@@ -31,9 +68,13 @@ public class A {
             // Bad expression
             String expression1 = "/users/user[@name='" + user + "' and @pass='" + pass + "']";
             xpath.evaluate(expression1, doc, XPathConstants.BOOLEAN); // $hasXPathInjection
+            xpathStub.evaluate(expression1, doc, XPathConstants.BOOLEAN); // $hasXPathInjection
+            xpath.evaluateExpression(expression1, xmlSource); // $hasXPathInjection
+            xpathStub.evaluateExpression(expression1, xmlSource); // $hasXPathInjection
 
             // Bad expression
             XPathExpression expression2 = xpath.compile("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+            xpathStub.compile("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
             expression2.evaluate(doc, XPathConstants.BOOLEAN);
 
             // Bad expression
@@ -44,6 +85,7 @@ public class A {
             sb.append("']");
             String query = sb.toString();
             XPathExpression expression3 = xpath.compile(query); // $hasXPathInjection
+            xpathStub.compile(query); // $hasXPathInjection
             expression3.evaluate(doc, XPathConstants.BOOLEAN);
 
             // Good expression
@@ -63,9 +105,14 @@ public class A {
             // Bad Dom4j
             org.dom4j.io.SAXReader reader = new org.dom4j.io.SAXReader();
             org.dom4j.Document document = reader.read(new ByteArrayInputStream(xmlStr.getBytes()));
-            document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']") // $hasXPathInjection
-                    .hasContent();
+            document.selectObject("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
             document.selectNodes("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+            document.selectNodes("/users/user[@name='test']", "/users/user[@pass='" + pass + "']"); // Safe-ish
+            document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+            document.valueOf("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+            document.numberValueOf("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+            document.matches("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+            document.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
         }
     }
 }
\ No newline at end of file
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Document.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Document.java
index 5231db0f5cf..a3c430dacb1 100644
--- a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Document.java
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Document.java
@@ -17,9 +17,6 @@ import java.util.List;
 
 public interface Document extends Branch {
 
-    public Node selectSingleNode(String xpathExpression);
-
-    public List selectNodes(String xpathExpression);
 }
 
 /*
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/InvalidXPathException.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/InvalidXPathException.java
new file mode 100644
index 00000000000..2068ff3895f
--- /dev/null
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/InvalidXPathException.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ *
+ * This software is open source.
+ * See the bottom of this file for the licence.
+ */
+
+/*
+ * Adapted from DOM4J version 2.1.1 as available at
+ *   https://search.maven.org/remotecontent?filepath=org/dom4j/dom4j/2.1.1/dom4j-2.1.1-sources.jar
+ * Only relevant stubs of this file have been retained for test purposes.
+ */
+
+package org.dom4j;
+
+public class InvalidXPathException extends IllegalArgumentException {
+    public InvalidXPathException(String xpath) {
+    }
+
+    public InvalidXPathException(String xpath, String reason) {
+    }
+
+}
+
+/*
+ * Redistribution and use of this software and associated documentation
+ * ("Software"), with or without modification, are permitted provided that the
+ * following conditions are met:
+ * 
+ * 1. Redistributions of source code must retain copyright statements and
+ * notices. Redistributions must also contain a copy of this document.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * 3. The name "DOM4J" must not be used to endorse or promote products derived
+ * from this Software without prior written permission of MetaStuff, Ltd. For
+ * written permission, please contact dom4j-info@metastuff.com.
+ * 
+ * 4. Products derived from this Software may not be called "DOM4J" nor may
+ * "DOM4J" appear in their names without prior written permission of MetaStuff,
+ * Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
+ * 
+ * 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org
+ * 
+ * THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL METASTUFF, LTD. OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ * 
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ */
\ No newline at end of file
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Node.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Node.java
index 641c5c15f86..34cca235a9d 100644
--- a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Node.java
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Node.java
@@ -6,26 +6,72 @@
  */
 
 /*
- * Adapted from DOM4J version 2.1.1 as available at
- *   https://search.maven.org/remotecontent?filepath=org/dom4j/dom4j/2.1.1/dom4j-2.1.1-sources.jar
- * Only relevant stubs of this file have been retained for test purposes.
- */
+* Adapted from DOM4J version 2.1.1 as available at
+*   https://search.maven.org/remotecontent?filepath=org/dom4j/dom4j/2.1.1/dom4j-2.1.1-sources.jar
+* Only relevant stubs of this file have been retained for test purposes.
+*/
+
 package org.dom4j;
 
-public interface Node {
+import java.util.List;
+
+import javax.xml.xpath.XPath;
+
+public interface Node extends Cloneable {
+
+    List<Node> selectNodes(String xpathExpression);
+
+    Object selectObject(String xpathExpression);
+
+    List<Node> selectNodes(String xpathExpression, String comparisonXPathExpression);
+
+    List<Node> selectNodes(String xpathExpression, String comparisonXPathExpression, boolean removeDuplicates);
+
+    Node selectSingleNode(String xpathExpression);
+
+    String valueOf(String xpathExpression);
+
+    Number numberValueOf(String xpathExpression);
+
+    boolean matches(String xpathExpression);
+
+    XPath createXPath(String xpathExpression) throws InvalidXPathException;
 
-    public boolean hasContent();
 }
 
 /*
+ * Redistribution and use of this software and associated documentation
+ * ("Software"), with or without modification, are permitted provided that the
+ * following conditions are met:
+ * 
+ * 1. Redistributions of source code must retain copyright statements and
+ * notices. Redistributions must also contain a copy of this document.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * 3. The name "DOM4J" must not be used to endorse or promote products derived
+ * from this Software without prior written permission of MetaStuff, Ltd. For
+ * written permission, please contact dom4j-info@metastuff.com.
+ * 
+ * 4. Products derived from this Software may not be called "DOM4J" nor may
+ * "DOM4J" appear in their names without prior written permission of MetaStuff,
+ * Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
+ * 
+ * 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org
+ * 
+ * THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL METASTUFF, LTD. OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ * 
  * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
- *
- * This software is open source. See the bottom of this file for the licence.
- */
-
-/*
- * Adapted from DOM4J version 2.1.1 as available at
- * https://search.maven.org/remotecontent?filepath=org/dom4j/dom4j/2.1.1/dom4j-2
- * .1.1-sources.jar Only relevant stubs of this file have been retained for test
- * purposes.
  */
\ No newline at end of file

From d72dd9b861e9639a25e14792091e8771ef19f740 Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Tue, 27 Apr 2021 15:15:57 +0200
Subject: [PATCH 0860/1429] javax.xml.xpath.XPath is an interface

---
 java/ql/src/semmle/code/java/security/XPath.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/semmle/code/java/security/XPath.qll b/java/ql/src/semmle/code/java/security/XPath.qll
index a1090e70b26..92cacebb005 100644
--- a/java/ql/src/semmle/code/java/security/XPath.qll
+++ b/java/ql/src/semmle/code/java/security/XPath.qll
@@ -4,8 +4,8 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 
-/** The class `javax.xml.xpath.XPath` */
-private class XPath extends RefType {
+/** The interface `javax.xml.xpath.XPath` */
+private class XPath extends Interface {
   XPath() { this.hasQualifiedName("javax.xml.xpath", "XPath") }
 }
 

From ab62bb66f42314cc74215c7b2754672d1263f6ee Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Tue, 27 Apr 2021 15:49:49 +0200
Subject: [PATCH 0861/1429] Consider second parameter of Node.selectNodes

---
 .../src/semmle/code/java/security/XPath.qll   | 21 ++++++++++++++-----
 .../query-tests/security/CWE-643/A.java       |  2 +-
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/java/ql/src/semmle/code/java/security/XPath.qll b/java/ql/src/semmle/code/java/security/XPath.qll
index 92cacebb005..e2b4058c671 100644
--- a/java/ql/src/semmle/code/java/security/XPath.qll
+++ b/java/ql/src/semmle/code/java/security/XPath.qll
@@ -18,6 +18,8 @@ private class XPathEvaluation extends MethodAccess {
       m.hasName(["evaluate", "evaluateExpression", "compile"])
     )
   }
+
+  Expr getSink() { result = this.getArgument(0) }
 }
 
 /** The interface `org.dom4j.Node` */
@@ -27,16 +29,25 @@ private class Dom4JNode extends Interface {
 
 /** A call to methods of any class implementing the interface `Node` that evaluate XPath expressions */
 private class NodeXPathEvaluation extends MethodAccess {
+  Expr sink;
+
   NodeXPathEvaluation() {
-    exists(Method m |
-      this.getMethod() = m and m.getDeclaringType().getASourceSupertype*() instanceof Dom4JNode
+    exists(Method m, int index |
+      this.getMethod() = m and
+      m.getDeclaringType().getASourceSupertype*() instanceof Dom4JNode and
+      sink = this.getArgument(index)
     |
       m.hasName([
           "selectObject", "selectNodes", "selectSingleNode", "numberValueOf", "valueOf", "matches",
           "createXPath"
-        ])
+        ]) and
+      index = 0
+      or
+      m.hasName("selectNodes") and index in [0, 1]
     )
   }
+
+  Expr getSink() { result = sink }
 }
 
 /**
@@ -47,7 +58,7 @@ abstract class XPathInjectionSink extends DataFlow::Node { }
 
 private class DefaultXPathInjectionSink extends XPathInjectionSink {
   DefaultXPathInjectionSink() {
-    exists(NodeXPathEvaluation sink | sink.getArgument(0) = this.asExpr()) or
-    exists(XPathEvaluation sink | sink.getArgument(0) = this.asExpr())
+    exists(NodeXPathEvaluation sink | sink.getSink() = this.asExpr()) or
+    exists(XPathEvaluation sink | sink.getSink() = this.asExpr())
   }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-643/A.java b/java/ql/test/experimental/query-tests/security/CWE-643/A.java
index b709a9e7786..00b22a1d989 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-643/A.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-643/A.java
@@ -107,7 +107,7 @@ public class A {
             org.dom4j.Document document = reader.read(new ByteArrayInputStream(xmlStr.getBytes()));
             document.selectObject("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
             document.selectNodes("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-            document.selectNodes("/users/user[@name='test']", "/users/user[@pass='" + pass + "']"); // Safe-ish
+            document.selectNodes("/users/user[@name='test']", "/users/user[@pass='" + pass + "']"); // $hasXPathInjection
             document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
             document.valueOf("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
             document.numberValueOf("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection

From 720b5d6da3e163371a665d38b5b9362a5a166be5 Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Wed, 28 Apr 2021 15:48:21 +0200
Subject: [PATCH 0862/1429] Refactored sto use CSV sink model. Also, added more
 sinks

---
 .../src/semmle/code/java/security/XPath.qll   |  93 ++++-----
 .../query-tests/security/CWE-643/A.java       | 122 +++++++-----
 .../query-tests/security/CWE-643/options      |   2 +-
 .../org/dom4j/DocumentFactory.java            |  75 +++++++
 .../dom4j-2.1.1/org/dom4j/DocumentHelper.java |  66 +++++++
 .../stubs/dom4j-2.1.1/org/dom4j/Element.java  | 140 ++++++++++++++
 .../dom4j-2.1.1/org/dom4j/Namespace.java      | 119 ++++++++++++
 .../stubs/dom4j-2.1.1/org/dom4j/Node.java     |   2 -
 .../dom4j-2.1.1/org/dom4j/NodeFilter.java     |  56 ++++++
 .../stubs/dom4j-2.1.1/org/dom4j/Visitor.java  |  60 ++++++
 .../stubs/dom4j-2.1.1/org/dom4j/XPath.java    |  85 ++++++++
 .../dom4j-2.1.1/org/dom4j/rule/Pattern.java   |  67 +++++++
 .../org/dom4j/tree/AbstractNode.java          | 183 ++++++++++++++++++
 .../org/dom4j/util/ProxyDocumentFactory.java  |  57 ++++++
 .../org/dom4j/xpath/DefaultXPath.java         | 131 +++++++++++++
 .../org/dom4j/xpath/XPathPattern.java         |  87 +++++++++
 .../org/jaxen/VariableContext.java            |  59 ++++++
 17 files changed, 1301 insertions(+), 103 deletions(-)
 create mode 100644 java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentFactory.java
 create mode 100644 java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentHelper.java
 create mode 100644 java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Element.java
 create mode 100644 java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Namespace.java
 create mode 100644 java/ql/test/stubs/dom4j-2.1.1/org/dom4j/NodeFilter.java
 create mode 100644 java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Visitor.java
 create mode 100644 java/ql/test/stubs/dom4j-2.1.1/org/dom4j/XPath.java
 create mode 100644 java/ql/test/stubs/dom4j-2.1.1/org/dom4j/rule/Pattern.java
 create mode 100644 java/ql/test/stubs/dom4j-2.1.1/org/dom4j/tree/AbstractNode.java
 create mode 100644 java/ql/test/stubs/dom4j-2.1.1/org/dom4j/util/ProxyDocumentFactory.java
 create mode 100644 java/ql/test/stubs/dom4j-2.1.1/org/dom4j/xpath/DefaultXPath.java
 create mode 100644 java/ql/test/stubs/dom4j-2.1.1/org/dom4j/xpath/XPathPattern.java
 create mode 100644 java/ql/test/stubs/jaxen-1.2.0/org/jaxen/VariableContext.java

diff --git a/java/ql/src/semmle/code/java/security/XPath.qll b/java/ql/src/semmle/code/java/security/XPath.qll
index e2b4058c671..4eed6537f23 100644
--- a/java/ql/src/semmle/code/java/security/XPath.qll
+++ b/java/ql/src/semmle/code/java/security/XPath.qll
@@ -3,52 +3,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
-
-/** The interface `javax.xml.xpath.XPath` */
-private class XPath extends Interface {
-  XPath() { this.hasQualifiedName("javax.xml.xpath", "XPath") }
-}
-
-/** A call to methods of any class implementing the interface `XPath` that evaluate XPath expressions */
-private class XPathEvaluation extends MethodAccess {
-  XPathEvaluation() {
-    exists(Method m |
-      this.getMethod() = m and m.getDeclaringType().getASourceSupertype*() instanceof XPath
-    |
-      m.hasName(["evaluate", "evaluateExpression", "compile"])
-    )
-  }
-
-  Expr getSink() { result = this.getArgument(0) }
-}
-
-/** The interface `org.dom4j.Node` */
-private class Dom4JNode extends Interface {
-  Dom4JNode() { this.hasQualifiedName("org.dom4j", "Node") }
-}
-
-/** A call to methods of any class implementing the interface `Node` that evaluate XPath expressions */
-private class NodeXPathEvaluation extends MethodAccess {
-  Expr sink;
-
-  NodeXPathEvaluation() {
-    exists(Method m, int index |
-      this.getMethod() = m and
-      m.getDeclaringType().getASourceSupertype*() instanceof Dom4JNode and
-      sink = this.getArgument(index)
-    |
-      m.hasName([
-          "selectObject", "selectNodes", "selectSingleNode", "numberValueOf", "valueOf", "matches",
-          "createXPath"
-        ]) and
-      index = 0
-      or
-      m.hasName("selectNodes") and index in [0, 1]
-    )
-  }
-
-  Expr getSink() { result = sink }
-}
+import semmle.code.java.dataflow.ExternalFlow
 
 /**
  *  A sink that represents a method that interprets XPath expressions.
@@ -56,9 +11,47 @@ private class NodeXPathEvaluation extends MethodAccess {
  */
 abstract class XPathInjectionSink extends DataFlow::Node { }
 
-private class DefaultXPathInjectionSink extends XPathInjectionSink {
-  DefaultXPathInjectionSink() {
-    exists(NodeXPathEvaluation sink | sink.getSink() = this.asExpr()) or
-    exists(XPathEvaluation sink | sink.getSink() = this.asExpr())
+/** CSV sink models representing methods susceptible to XPath Injection attacks. */
+private class DefaultXPathInjectionSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.xml.xpath;XPath;true;evaluate;;;Argument[0];xpath",
+        "javax.xml.xpath;XPath;true;evaluateExpression;;;Argument[0];xpath",
+        "javax.xml.xpath;XPath;true;compile;;;Argument[0];xpath",
+        "org.dom4j;Node;true;selectObject;;;Argument[0];xpath",
+        "org.dom4j;Node;true;selectNodes;;;Argument[0..1];xpath",
+        "org.dom4j;Node;true;selectSingleNode;;;Argument[0];xpath",
+        "org.dom4j;Node;true;numberValueOf;;;Argument[0];xpath",
+        "org.dom4j;Node;true;valueOf;;;Argument[0];xpath",
+        "org.dom4j;Node;true;matches;;;Argument[0];xpath",
+        "org.dom4j;Node;true;createXPath;;;Argument[0];xpath",
+        "org.dom4j;DocumentFactory;true;createPattern;;;Argument[0];xpath",
+        "org.dom4j;DocumentFactory;true;createXPath;;;Argument[0];xpath",
+        "org.dom4j;DocumentFactory;true;createXPathFilter;;;Argument[0];xpath",
+        "org.dom4j;DocumentHelper;false;createPattern;;;Argument[0];xpath",
+        "org.dom4j;DocumentHelper;false;createXPath;;;Argument[0];xpath",
+        "org.dom4j;DocumentHelper;false;createXPathFilter;;;Argument[0];xpath",
+        "org.dom4j.tree;AbstractNode;true;createXPathFilter;;;Argument[0];xpath",
+        "org.dom4j.tree;AbstractNode;true;createPattern;;;Argument[0];xpath",
+        "org.dom4j.util;ProxyDocumentFactory;true;createPattern;;;Argument[0];xpath",
+        "org.dom4j.util;ProxyDocumentFactory;true;createXPath;;;Argument[0];xpath",
+        "org.dom4j.util;ProxyDocumentFactory;true;createXPathFilter;;;Argument[0];xpath"
+      ]
+  }
+}
+
+/** A default sink representing methods susceptible to XPath Injection attacks. */
+private class DefaultXPathInjectionSink extends XPathInjectionSink {
+  DefaultXPathInjectionSink() {
+    sinkNode(this, "xpath")
+    or
+    exists(ClassInstanceExpr constructor |
+      constructor.getConstructedType().getASourceSupertype*().hasQualifiedName("org.dom4j", "XPath")
+      or
+      constructor.getConstructedType().hasQualifiedName("org.dom4j.xpath", "XPathPattern")
+    |
+      this.asExpr() = constructor.getArgument(0)
+    )
   }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-643/A.java b/java/ql/test/experimental/query-tests/security/CWE-643/A.java
index 00b22a1d989..431e51716b1 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-643/A.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-643/A.java
@@ -11,6 +11,13 @@ import javax.xml.xpath.XPathExpression;
 import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;
 
+import org.dom4j.DocumentFactory;
+import org.dom4j.DocumentHelper;
+import org.dom4j.Namespace;
+import org.dom4j.io.SAXReader;
+import org.dom4j.util.ProxyDocumentFactory;
+import org.dom4j.xpath.DefaultXPath;
+import org.dom4j.xpath.XPathPattern;
 import org.w3c.dom.Document;
 import org.xml.sax.InputSource;
 
@@ -48,71 +55,86 @@ public class A {
 
     }
 
+    private static class ProxyDocumentFactoryStub extends ProxyDocumentFactory {
+    }
+
     public void handle(HttpServletRequest request) throws Exception {
+        String user = request.getParameter("user");
+        String pass = request.getParameter("pass");
+        String expression = "/users/user[@name='" + user + "' and @pass='" + pass + "']";
+
         final String xmlStr = "<users>" + "   <user name=\"aaa\" pass=\"pass1\"></user>"
                 + "   <user name=\"bbb\" pass=\"pass2\"></user>" + "</users>";
         DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
-        domFactory.setNamespaceAware(true);
         DocumentBuilder builder = domFactory.newDocumentBuilder();
         InputSource xmlSource = new InputSource(new StringReader(xmlStr));
         Document doc = builder.parse(xmlSource);
 
         XPathFactory factory = XPathFactory.newInstance();
         XPath xpath = factory.newXPath();
+
+        xpath.evaluate(expression, doc, XPathConstants.BOOLEAN); // $hasXPathInjection
+        xpath.evaluateExpression(expression, xmlSource); // $hasXPathInjection
+        xpath.compile("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+
         XPathImplStub xpathStub = XPathImplStub.getInstance();
+        xpathStub.evaluate(expression, doc, XPathConstants.BOOLEAN); // $hasXPathInjection
+        xpathStub.evaluateExpression(expression, xmlSource); // $hasXPathInjection
+        xpathStub.compile("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
 
-        // Injectable data
-        String user = request.getParameter("user");
-        String pass = request.getParameter("pass");
-        if (user != null && pass != null) {
-            // Bad expression
-            String expression1 = "/users/user[@name='" + user + "' and @pass='" + pass + "']";
-            xpath.evaluate(expression1, doc, XPathConstants.BOOLEAN); // $hasXPathInjection
-            xpathStub.evaluate(expression1, doc, XPathConstants.BOOLEAN); // $hasXPathInjection
-            xpath.evaluateExpression(expression1, xmlSource); // $hasXPathInjection
-            xpathStub.evaluateExpression(expression1, xmlSource); // $hasXPathInjection
+        StringBuffer sb = new StringBuffer("/users/user[@name=");
+        sb.append(user);
+        sb.append("' and @pass='");
+        sb.append(pass);
+        sb.append("']");
+        String query = sb.toString();
 
-            // Bad expression
-            XPathExpression expression2 = xpath.compile("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-            xpathStub.compile("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-            expression2.evaluate(doc, XPathConstants.BOOLEAN);
+        xpath.compile(query); // $hasXPathInjection
+        xpathStub.compile(query); // $hasXPathInjection
 
-            // Bad expression
-            StringBuffer sb = new StringBuffer("/users/user[@name=");
-            sb.append(user);
-            sb.append("' and @pass='");
-            sb.append(pass);
-            sb.append("']");
-            String query = sb.toString();
-            XPathExpression expression3 = xpath.compile(query); // $hasXPathInjection
-            xpathStub.compile(query); // $hasXPathInjection
-            expression3.evaluate(doc, XPathConstants.BOOLEAN);
+        String expression4 = "/users/user[@name=$user and @pass=$pass]";
+        xpath.setXPathVariableResolver(v -> {
+            switch (v.getLocalPart()) {
+            case "user":
+                return user;
+            case "pass":
+                return pass;
+            default:
+                throw new IllegalArgumentException();
+            }
+        });
+        xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN); // Safe
 
-            // Good expression
-            String expression4 = "/users/user[@name=$user and @pass=$pass]";
-            xpath.setXPathVariableResolver(v -> {
-                switch (v.getLocalPart()) {
-                case "user":
-                    return user;
-                case "pass":
-                    return pass;
-                default:
-                    throw new IllegalArgumentException();
-                }
-            });
-            xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN); // Safe
+        SAXReader reader = new SAXReader();
+        org.dom4j.Document document = reader.read(new ByteArrayInputStream(xmlStr.getBytes()));
+        document.selectObject("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        document.selectNodes("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        document.selectNodes("/users/user[@name='test']", "/users/user[@pass='" + pass + "']"); // $hasXPathInjection
+        document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        document.valueOf("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        document.numberValueOf("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        document.matches("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        document.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
 
-            // Bad Dom4j
-            org.dom4j.io.SAXReader reader = new org.dom4j.io.SAXReader();
-            org.dom4j.Document document = reader.read(new ByteArrayInputStream(xmlStr.getBytes()));
-            document.selectObject("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-            document.selectNodes("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-            document.selectNodes("/users/user[@name='test']", "/users/user[@pass='" + pass + "']"); // $hasXPathInjection
-            document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-            document.valueOf("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-            document.numberValueOf("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-            document.matches("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-            document.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-        }
+        new DefaultXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        new XPathPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+
+        DocumentFactory docFactory = DocumentFactory.getInstance();
+        docFactory.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        docFactory.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        docFactory.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+
+        DocumentHelper.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        DocumentHelper.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        DocumentHelper.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+
+        ProxyDocumentFactoryStub proxyDocFactory = new ProxyDocumentFactoryStub();
+        proxyDocFactory.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        proxyDocFactory.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        proxyDocFactory.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+
+        Namespace namespace = new Namespace("prefix", "http://some.uri.io");
+        namespace.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        namespace.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
     }
 }
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-643/options b/java/ql/test/experimental/query-tests/security/CWE-643/options
index 90c9ae2ca33..ee686f5a071 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-643/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-643/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/dom4j-2.1.1:${testdir}/../../../../stubs/servlet-api-2.4
\ No newline at end of file
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/dom4j-2.1.1:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jaxen-1.2.0
\ No newline at end of file
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentFactory.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentFactory.java
new file mode 100644
index 00000000000..21a8bc49497
--- /dev/null
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentFactory.java
@@ -0,0 +1,75 @@
+/*
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ *
+ * This software is open source.
+ * See the bottom of this file for the licence.
+ */
+
+package org.dom4j;
+
+import java.io.Serializable;
+import java.util.Map;
+
+import org.dom4j.rule.Pattern;
+import org.jaxen.VariableContext;
+
+public class DocumentFactory implements Serializable {
+  public DocumentFactory() {
+  }
+
+  public static synchronized DocumentFactory getInstance() {
+    return null;
+  }
+
+  public Document createDocument() {
+    return null;
+  }
+
+  public Document createDocument(String encoding) {
+    return null;
+  }
+
+  public Document createDocument(Element rootElement) {
+    return null;
+  }
+
+  public Element createElement(String name) {
+    return null;
+  }
+
+  public Element createElement(String qualifiedName, String namespaceURI) {
+    return null;
+  }
+
+  public Namespace createNamespace(String prefix, String uri) {
+    return null;
+  }
+
+  public XPath createXPath(String xpathExpression) throws InvalidXPathException {
+    return null;
+  }
+
+  public XPath createXPath(String xpathExpression, VariableContext variableContext) {
+    return null;
+  }
+
+  public NodeFilter createXPathFilter(String xpathFilterExpression, VariableContext variableContext) {
+    return null;
+  }
+
+  public NodeFilter createXPathFilter(String xpathFilterExpression) {
+    return null;
+  }
+
+  public Pattern createPattern(String xpathPattern) {
+    return null;
+  }
+
+  public Map<String, String> getXPathNamespaceURIs() {
+    return null;
+  }
+
+  public void setXPathNamespaceURIs(Map<String, String> namespaceURIs) {
+  }
+
+}
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentHelper.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentHelper.java
new file mode 100644
index 00000000000..b17731205f7
--- /dev/null
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentHelper.java
@@ -0,0 +1,66 @@
+/*
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ *
+ * This software is open source.
+ * See the bottom of this file for the licence.
+ */
+
+package org.dom4j;
+
+import java.util.List;
+import java.util.Map;
+import org.dom4j.rule.Pattern;
+import org.jaxen.VariableContext;
+
+public final class DocumentHelper {
+  public static Document createDocument() {
+    return null;
+  }
+
+  public static Document createDocument(Element rootElement) {
+    return null;
+  }
+
+  public static Element createElement(String name) {
+    return null;
+  }
+
+  public static Namespace createNamespace(String prefix, String uri) {
+    return null;
+  }
+
+  public static XPath createXPath(String xpathExpression) throws InvalidXPathException {
+    return null;
+  }
+
+  public static XPath createXPath(String xpathExpression, VariableContext context) throws InvalidXPathException {
+    return null;
+  }
+
+  public static NodeFilter createXPathFilter(String xpathFilterExpression) {
+    return null;
+  }
+
+  public static Pattern createPattern(String xpathPattern) {
+    return null;
+  }
+
+  public static List<Node> selectNodes(String xpathFilterExpression, List<Node> nodes) {
+    return null;
+  }
+
+  public static List<Node> selectNodes(String xpathFilterExpression, Node node) {
+    return null;
+  }
+
+  public static void sort(List<Node> list, String xpathExpression) {
+  }
+
+  public static void sort(List<Node> list, String expression, boolean distinct) {
+  }
+
+  public static Element makeElement(Branch source, String path) {
+    return null;
+  }
+
+}
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Element.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Element.java
new file mode 100644
index 00000000000..a702debc0cd
--- /dev/null
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Element.java
@@ -0,0 +1,140 @@
+/*
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ *
+ * This software is open source.
+ * See the bottom of this file for the licence.
+ */
+
+/*
+* Adapted from DOM4J version 2.1.1 as available at
+*   https://search.maven.org/remotecontent?filepath=org/dom4j/dom4j/2.1.1/dom4j-2.1.1-sources.jar
+* Only relevant stubs of this file have been retained for test purposes.
+*/
+package org.dom4j;
+
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+
+public interface Element extends Branch {
+
+	Namespace getNamespace();
+
+	Namespace getNamespaceForPrefix(String prefix);
+
+	Namespace getNamespaceForURI(String uri);
+
+	List<Namespace> getNamespacesForURI(String uri);
+
+	String getNamespacePrefix();
+
+	String getNamespaceURI();
+
+	String getQualifiedName();
+
+	List<Namespace> additionalNamespaces();
+
+	List<Namespace> declaredNamespaces();
+
+	Element addAttribute(String name, String value);
+
+	Element addComment(String comment);
+
+	Element addCDATA(String cdata);
+
+	Element addEntity(String name, String text);
+
+	Element addNamespace(String prefix, String uri);
+
+	Element addProcessingInstruction(String target, String text);
+
+	Element addProcessingInstruction(String target, Map<String, String> data);
+
+	Element addText(String text);
+
+	void add(Namespace namespace);
+
+	String getText();
+
+	String getTextTrim();
+
+	String getStringValue();
+
+	Object getData();
+
+	void setData(Object data);
+
+	int attributeCount();
+
+	String attributeValue(String name);
+
+	String attributeValue(String name, String defaultValue);
+
+	void setAttributeValue(String name, String value);
+
+	Element element(String name);
+
+	List<Element> elements();
+
+	List<Element> elements(String name);
+
+	Iterator<Element> elementIterator();
+
+	Iterator<Element> elementIterator(String name);
+
+	boolean isRootElement();
+
+	boolean hasMixedContent();
+
+	boolean isTextOnly();
+
+	void appendAttributes(Element element);
+
+	Element createCopy();
+
+	Element createCopy(String name);
+
+	String elementText(String name);
+
+	String elementTextTrim(String name);
+
+	Node getXPathResult(int index);
+
+}
+
+/*
+ * Redistribution and use of this software and associated documentation
+ * ("Software"), with or without modification, are permitted provided that the
+ * following conditions are met:
+ * 
+ * 1. Redistributions of source code must retain copyright statements and
+ * notices. Redistributions must also contain a copy of this document.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * 3. The name "DOM4J" must not be used to endorse or promote products derived
+ * from this Software without prior written permission of MetaStuff, Ltd. For
+ * written permission, please contact dom4j-info@metastuff.com.
+ * 
+ * 4. Products derived from this Software may not be called "DOM4J" nor may
+ * "DOM4J" appear in their names without prior written permission of MetaStuff,
+ * Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
+ * 
+ * 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org
+ * 
+ * THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL METASTUFF, LTD. OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ * 
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ */
\ No newline at end of file
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Namespace.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Namespace.java
new file mode 100644
index 00000000000..e8539bc788b
--- /dev/null
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Namespace.java
@@ -0,0 +1,119 @@
+/*
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ *
+ * This software is open source.
+ * See the bottom of this file for the licence.
+ */
+
+/*
+* Adapted from DOM4J version 2.1.1 as available at
+*   https://search.maven.org/remotecontent?filepath=org/dom4j/dom4j/2.1.1/dom4j-2.1.1-sources.jar
+* Only relevant stubs of this file have been retained for test purposes.
+*/
+
+package org.dom4j;
+
+import org.dom4j.tree.AbstractNode;
+
+public class Namespace extends AbstractNode {
+
+  public Namespace(String prefix, String uri) {
+  }
+
+  public static Namespace get(String prefix, String uri) {
+    return null;
+  }
+
+  public static Namespace get(String uri) {
+    return null;
+  }
+
+  public short getNodeType() {
+    return 0;
+  }
+
+  public int hashCode() {
+    return 0;
+  }
+
+  public boolean equals(Object object) {
+    return false;
+  }
+
+  public String getText() {
+    return null;
+  }
+
+  public String getStringValue() {
+    return null;
+  }
+
+  public String getPrefix() {
+    return null;
+  }
+
+  public String getURI() {
+    return null;
+  }
+
+  public String getXPathNameStep() {
+    return null;
+  }
+
+  public String getPath(Element context) {
+    return null;
+  }
+
+  public String getUniquePath(Element context) {
+    return null;
+  }
+
+  public String toString() {
+    return null;
+  }
+
+  public String asXML() {
+    return null;
+  }
+
+  public void accept(Visitor visitor) {
+  }
+
+}
+
+/*
+ * Redistribution and use of this software and associated documentation
+ * ("Software"), with or without modification, are permitted provided that the
+ * following conditions are met:
+ * 
+ * 1. Redistributions of source code must retain copyright statements and
+ * notices. Redistributions must also contain a copy of this document.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * 3. The name "DOM4J" must not be used to endorse or promote products derived
+ * from this Software without prior written permission of MetaStuff, Ltd. For
+ * written permission, please contact dom4j-info@metastuff.com.
+ * 
+ * 4. Products derived from this Software may not be called "DOM4J" nor may
+ * "DOM4J" appear in their names without prior written permission of MetaStuff,
+ * Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
+ * 
+ * 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org
+ * 
+ * THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL METASTUFF, LTD. OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ * 
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ */
\ No newline at end of file
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Node.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Node.java
index 34cca235a9d..dfc47088026 100644
--- a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Node.java
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Node.java
@@ -15,8 +15,6 @@ package org.dom4j;
 
 import java.util.List;
 
-import javax.xml.xpath.XPath;
-
 public interface Node extends Cloneable {
 
     List<Node> selectNodes(String xpathExpression);
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/NodeFilter.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/NodeFilter.java
new file mode 100644
index 00000000000..782e9dae66c
--- /dev/null
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/NodeFilter.java
@@ -0,0 +1,56 @@
+/*
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ *
+ * This software is open source.
+ * See the bottom of this file for the licence.
+ */
+
+/*
+* Adapted from DOM4J version 2.1.1 as available at
+*   https://search.maven.org/remotecontent?filepath=org/dom4j/dom4j/2.1.1/dom4j-2.1.1-sources.jar
+* Only relevant stubs of this file have been retained for test purposes.
+*/
+
+package org.dom4j;
+
+public interface NodeFilter {
+    boolean matches(Node node);
+
+}
+
+/*
+ * Redistribution and use of this software and associated documentation
+ * ("Software"), with or without modification, are permitted provided that the
+ * following conditions are met:
+ * 
+ * 1. Redistributions of source code must retain copyright statements and
+ * notices. Redistributions must also contain a copy of this document.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * 3. The name "DOM4J" must not be used to endorse or promote products derived
+ * from this Software without prior written permission of MetaStuff, Ltd. For
+ * written permission, please contact dom4j-info@metastuff.com.
+ * 
+ * 4. Products derived from this Software may not be called "DOM4J" nor may
+ * "DOM4J" appear in their names without prior written permission of MetaStuff,
+ * Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
+ * 
+ * 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org
+ * 
+ * THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL METASTUFF, LTD. OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ * 
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ */
\ No newline at end of file
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Visitor.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Visitor.java
new file mode 100644
index 00000000000..b8f55de44e4
--- /dev/null
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Visitor.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ *
+ * This software is open source.
+ * See the bottom of this file for the licence.
+ */
+
+/*
+* Adapted from DOM4J version 2.1.1 as available at
+*   https://search.maven.org/remotecontent?filepath=org/dom4j/dom4j/2.1.1/dom4j-2.1.1-sources.jar
+* Only relevant stubs of this file have been retained for test purposes.
+*/
+
+package org.dom4j;
+
+public interface Visitor {
+    void visit(Document document);
+
+    void visit(Element node);
+
+    void visit(Namespace namespace);
+
+}
+
+/*
+ * Redistribution and use of this software and associated documentation
+ * ("Software"), with or without modification, are permitted provided that the
+ * following conditions are met:
+ * 
+ * 1. Redistributions of source code must retain copyright statements and
+ * notices. Redistributions must also contain a copy of this document.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * 3. The name "DOM4J" must not be used to endorse or promote products derived
+ * from this Software without prior written permission of MetaStuff, Ltd. For
+ * written permission, please contact dom4j-info@metastuff.com.
+ * 
+ * 4. Products derived from this Software may not be called "DOM4J" nor may
+ * "DOM4J" appear in their names without prior written permission of MetaStuff,
+ * Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
+ * 
+ * 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org
+ * 
+ * THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL METASTUFF, LTD. OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ * 
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ */
\ No newline at end of file
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/XPath.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/XPath.java
new file mode 100644
index 00000000000..eec983b5bc7
--- /dev/null
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/XPath.java
@@ -0,0 +1,85 @@
+/*
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ *
+ * This software is open source.
+ * See the bottom of this file for the licence.
+ */
+
+/*
+* Adapted from DOM4J version 2.1.1 as available at
+*   https://search.maven.org/remotecontent?filepath=org/dom4j/dom4j/2.1.1/dom4j-2.1.1-sources.jar
+* Only relevant stubs of this file have been retained for test purposes.
+*/
+
+package org.dom4j;
+
+import java.util.List;
+import java.util.Map;
+
+public interface XPath extends NodeFilter {
+	String getText();
+
+	boolean matches(Node node);
+
+	Object evaluate(Object context);
+
+	Object selectObject(Object context);
+
+	List<Node> selectNodes(Object context);
+
+	List<Node> selectNodes(Object context, XPath sortXPath);
+
+	List<Node> selectNodes(Object context, XPath sortXPath, boolean distinct);
+
+	Node selectSingleNode(Object context);
+
+	String valueOf(Object context);
+
+	Number numberValueOf(Object context);
+
+	boolean booleanValueOf(Object context);
+
+	void sort(List<Node> list);
+
+	void sort(List<Node> list, boolean distinct);
+
+	void setNamespaceURIs(Map<String, String> map);
+
+}
+
+/*
+ * Redistribution and use of this software and associated documentation
+ * ("Software"), with or without modification, are permitted provided that the
+ * following conditions are met:
+ * 
+ * 1. Redistributions of source code must retain copyright statements and
+ * notices. Redistributions must also contain a copy of this document.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * 3. The name "DOM4J" must not be used to endorse or promote products derived
+ * from this Software without prior written permission of MetaStuff, Ltd. For
+ * written permission, please contact dom4j-info@metastuff.com.
+ * 
+ * 4. Products derived from this Software may not be called "DOM4J" nor may
+ * "DOM4J" appear in their names without prior written permission of MetaStuff,
+ * Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
+ * 
+ * 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org
+ * 
+ * THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL METASTUFF, LTD. OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ * 
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ */
\ No newline at end of file
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/rule/Pattern.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/rule/Pattern.java
new file mode 100644
index 00000000000..bf08c6cfd0a
--- /dev/null
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/rule/Pattern.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ *
+ * This software is open source.
+ * See the bottom of this file for the licence.
+ */
+
+/*
+* Adapted from DOM4J version 2.1.1 as available at
+*   https://search.maven.org/remotecontent?filepath=org/dom4j/dom4j/2.1.1/dom4j-2.1.1-sources.jar
+* Only relevant stubs of this file have been retained for test purposes.
+*/
+
+package org.dom4j.rule;
+
+import org.dom4j.Node;
+import org.dom4j.NodeFilter;
+
+public interface Pattern extends NodeFilter {
+    boolean matches(Node node);
+
+    double getPriority();
+
+    Pattern[] getUnionPatterns();
+
+    short getMatchType();
+
+    String getMatchesNodeName();
+
+}
+
+/*
+ * Redistribution and use of this software and associated documentation
+ * ("Software"), with or without modification, are permitted provided that the
+ * following conditions are met:
+ * 
+ * 1. Redistributions of source code must retain copyright statements and
+ * notices. Redistributions must also contain a copy of this document.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * 3. The name "DOM4J" must not be used to endorse or promote products derived
+ * from this Software without prior written permission of MetaStuff, Ltd. For
+ * written permission, please contact dom4j-info@metastuff.com.
+ * 
+ * 4. Products derived from this Software may not be called "DOM4J" nor may
+ * "DOM4J" appear in their names without prior written permission of MetaStuff,
+ * Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
+ * 
+ * 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org
+ * 
+ * THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL METASTUFF, LTD. OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ * 
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ */
\ No newline at end of file
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/tree/AbstractNode.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/tree/AbstractNode.java
new file mode 100644
index 00000000000..29ca5198145
--- /dev/null
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/tree/AbstractNode.java
@@ -0,0 +1,183 @@
+/*
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ *
+ * This software is open source.
+ * See the bottom of this file for the licence.
+ */
+
+/*
+* Adapted from DOM4J version 2.1.1 as available at
+*   https://search.maven.org/remotecontent?filepath=org/dom4j/dom4j/2.1.1/dom4j-2.1.1-sources.jar
+* Only relevant stubs of this file have been retained for test purposes.
+*/
+
+package org.dom4j.tree;
+
+import org.dom4j.*;
+import org.dom4j.rule.Pattern;
+import java.io.IOException;
+import java.io.Serializable;
+import java.io.Writer;
+import java.util.List;
+
+public abstract class AbstractNode implements Node, Cloneable, Serializable {
+  public AbstractNode() {
+  }
+
+  public short getNodeType() {
+    return 0;
+  }
+
+  public String getNodeTypeName() {
+    return null;
+  }
+
+  public Document getDocument() {
+    return null;
+  }
+
+  public void setDocument(Document document) {
+  }
+
+  public Element getParent() {
+    return null;
+  }
+
+  public void setParent(Element parent) {
+  }
+
+  public boolean supportsParent() {
+    return false;
+  }
+
+  public boolean isReadOnly() {
+    return false;
+  }
+
+  public boolean hasContent() {
+    return false;
+  }
+
+  public String getPath() {
+    return null;
+  }
+
+  public String getUniquePath() {
+    return null;
+  }
+
+  public Object clone() {
+    return null;
+  }
+
+  public Node detach() {
+    return null;
+  }
+
+  public String getName() {
+    return null;
+  }
+
+  public void setName(String name) {
+  }
+
+  public String getText() {
+    return null;
+  }
+
+  public String getStringValue() {
+    return null;
+  }
+
+  public void setText(String text) {
+  }
+
+  public void write(Writer writer) throws IOException {
+  }
+
+  public Object selectObject(String xpathExpression) {
+    return null;
+  }
+
+  public List<Node> selectNodes(String xpathExpression) {
+    return null;
+  }
+
+  public List<Node> selectNodes(String xpathExpression, String comparisonXPathExpression) {
+    return null;
+  }
+
+  public List<Node> selectNodes(String xpathExpression, String comparisonXPathExpression, boolean removeDuplicates) {
+    return null;
+  }
+
+  public Node selectSingleNode(String xpathExpression) {
+    return null;
+  }
+
+  public String valueOf(String xpathExpression) {
+    return null;
+  }
+
+  public Number numberValueOf(String xpathExpression) {
+    return null;
+  }
+
+  public boolean matches(String patternText) {
+    return false;
+  }
+
+  public XPath createXPath(String xpathExpression) {
+    return null;
+  }
+
+  public NodeFilter createXPathFilter(String patternText) {
+    return null;
+  }
+
+  public Pattern createPattern(String patternText) {
+    return null;
+  }
+
+  public Node asXPathResult(Element parent) {
+    return null;
+  }
+
+}
+
+/*
+ * Redistribution and use of this software and associated documentation
+ * ("Software"), with or without modification, are permitted provided that the
+ * following conditions are met:
+ * 
+ * 1. Redistributions of source code must retain copyright statements and
+ * notices. Redistributions must also contain a copy of this document.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * 3. The name "DOM4J" must not be used to endorse or promote products derived
+ * from this Software without prior written permission of MetaStuff, Ltd. For
+ * written permission, please contact dom4j-info@metastuff.com.
+ * 
+ * 4. Products derived from this Software may not be called "DOM4J" nor may
+ * "DOM4J" appear in their names without prior written permission of MetaStuff,
+ * Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
+ * 
+ * 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org
+ * 
+ * THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL METASTUFF, LTD. OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ * 
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ */
\ No newline at end of file
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/util/ProxyDocumentFactory.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/util/ProxyDocumentFactory.java
new file mode 100644
index 00000000000..29d1b575a8c
--- /dev/null
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/util/ProxyDocumentFactory.java
@@ -0,0 +1,57 @@
+/*
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ *
+ * This software is open source.
+ * See the bottom of this file for the licence.
+ */
+
+package org.dom4j.util;
+
+import org.dom4j.Document;
+import org.dom4j.DocumentFactory;
+import org.dom4j.Element;
+import org.dom4j.NodeFilter;
+import org.dom4j.XPath;
+import org.dom4j.rule.Pattern;
+import org.jaxen.VariableContext;
+
+public abstract class ProxyDocumentFactory {
+  public ProxyDocumentFactory() {
+  }
+
+  public ProxyDocumentFactory(DocumentFactory proxy) {
+  }
+
+  public Document createDocument() {
+    return null;
+  }
+
+  public Document createDocument(Element rootElement) {
+    return null;
+  }
+
+  public Element createElement(String name) {
+    return null;
+  }
+
+  public XPath createXPath(String xpathExpression) {
+    return null;
+  }
+
+  public XPath createXPath(String xpathExpression, VariableContext variableContext) {
+    return null;
+  }
+
+  public NodeFilter createXPathFilter(String xpathFilterExpression, VariableContext variableContext) {
+    return null;
+  }
+
+  public NodeFilter createXPathFilter(String xpathFilterExpression) {
+    return null;
+  }
+
+  public Pattern createPattern(String xpathPattern) {
+    return null;
+  }
+
+}
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/xpath/DefaultXPath.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/xpath/DefaultXPath.java
new file mode 100644
index 00000000000..95b0bdac499
--- /dev/null
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/xpath/DefaultXPath.java
@@ -0,0 +1,131 @@
+/*
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ *
+ * This software is open source.
+ * See the bottom of this file for the licence.
+ */
+
+/*
+* Adapted from DOM4J version 2.1.1 as available at
+*   https://search.maven.org/remotecontent?filepath=org/dom4j/dom4j/2.1.1/dom4j-2.1.1-sources.jar
+* Only relevant stubs of this file have been retained for test purposes.
+*/
+
+package org.dom4j.xpath;
+
+import java.io.Serializable;
+import java.util.List;
+import java.util.Map;
+import org.dom4j.InvalidXPathException;
+import org.dom4j.Node;
+import org.dom4j.XPath;
+
+public class DefaultXPath implements org.dom4j.XPath, Serializable {
+  public DefaultXPath(String text) throws InvalidXPathException {
+  }
+
+  @Override
+  public String getText() {
+    return null;
+  }
+
+  @Override
+  public boolean matches(Node node) {
+    return false;
+  }
+
+  @Override
+  public Object evaluate(Object context) {
+    return null;
+  }
+
+  @Override
+  public Object selectObject(Object context) {
+    return null;
+  }
+
+  @Override
+  public List<Node> selectNodes(Object context) {
+    return null;
+  }
+
+  @Override
+  public List<Node> selectNodes(Object context, XPath sortXPath) {
+    return null;
+  }
+
+  @Override
+  public List<Node> selectNodes(Object context, XPath sortXPath, boolean distinct) {
+    return null;
+  }
+
+  @Override
+  public Node selectSingleNode(Object context) {
+    return null;
+  }
+
+  @Override
+  public String valueOf(Object context) {
+    return null;
+  }
+
+  @Override
+  public Number numberValueOf(Object context) {
+    return null;
+  }
+
+  @Override
+  public boolean booleanValueOf(Object context) {
+    return false;
+  }
+
+  @Override
+  public void sort(List<Node> list) {
+  }
+
+  @Override
+  public void sort(List<Node> list, boolean distinct) {
+  }
+
+  @Override
+  public void setNamespaceURIs(Map<String, String> map) {
+  }
+
+}
+
+/*
+ * Redistribution and use of this software and associated documentation
+ * ("Software"), with or without modification, are permitted provided that the
+ * following conditions are met:
+ * 
+ * 1. Redistributions of source code must retain copyright statements and
+ * notices. Redistributions must also contain a copy of this document.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * 3. The name "DOM4J" must not be used to endorse or promote products derived
+ * from this Software without prior written permission of MetaStuff, Ltd. For
+ * written permission, please contact dom4j-info@metastuff.com.
+ * 
+ * 4. Products derived from this Software may not be called "DOM4J" nor may
+ * "DOM4J" appear in their names without prior written permission of MetaStuff,
+ * Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
+ * 
+ * 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org
+ * 
+ * THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL METASTUFF, LTD. OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ * 
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ */
\ No newline at end of file
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/xpath/XPathPattern.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/xpath/XPathPattern.java
new file mode 100644
index 00000000000..b48bc5b79b4
--- /dev/null
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/xpath/XPathPattern.java
@@ -0,0 +1,87 @@
+/*
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ *
+ * This software is open source.
+ * See the bottom of this file for the licence.
+ */
+
+/*
+* Adapted from DOM4J version 2.1.1 as available at
+*   https://search.maven.org/remotecontent?filepath=org/dom4j/dom4j/2.1.1/dom4j-2.1.1-sources.jar
+* Only relevant stubs of this file have been retained for test purposes.
+*/
+
+package org.dom4j.xpath;
+
+import org.dom4j.Node;
+
+public class XPathPattern implements org.dom4j.rule.Pattern {
+  public XPathPattern(String text) {
+  }
+
+  public boolean matches(Node node) {
+    return false;
+  }
+
+  public String getText() {
+    return null;
+  }
+
+  public double getPriority() {
+    return 0;
+  }
+
+  public org.dom4j.rule.Pattern[] getUnionPatterns() {
+    return null;
+  }
+
+  public short getMatchType() {
+    return 0;
+  }
+
+  public String getMatchesNodeName() {
+    return null;
+  }
+
+  public String toString() {
+    return null;
+  }
+
+}
+
+/*
+ * Redistribution and use of this software and associated documentation
+ * ("Software"), with or without modification, are permitted provided that the
+ * following conditions are met:
+ * 
+ * 1. Redistributions of source code must retain copyright statements and
+ * notices. Redistributions must also contain a copy of this document.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * 3. The name "DOM4J" must not be used to endorse or promote products derived
+ * from this Software without prior written permission of MetaStuff, Ltd. For
+ * written permission, please contact dom4j-info@metastuff.com.
+ * 
+ * 4. Products derived from this Software may not be called "DOM4J" nor may
+ * "DOM4J" appear in their names without prior written permission of MetaStuff,
+ * Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
+ * 
+ * 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org
+ * 
+ * THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL METASTUFF, LTD. OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ * 
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ */
\ No newline at end of file
diff --git a/java/ql/test/stubs/jaxen-1.2.0/org/jaxen/VariableContext.java b/java/ql/test/stubs/jaxen-1.2.0/org/jaxen/VariableContext.java
new file mode 100644
index 00000000000..c550a7d097e
--- /dev/null
+++ b/java/ql/test/stubs/jaxen-1.2.0/org/jaxen/VariableContext.java
@@ -0,0 +1,59 @@
+/*
+ * $Header$
+ * $Revision$
+ * $Date$
+ *
+ * ====================================================================
+ *
+ * Copyright 2000-2002 bob mcwhirter & James Strachan.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ * 
+ *   * Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 
+ *   * Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 
+ *   * Neither the name of the Jaxen Project nor the names of its
+ *     contributors may be used to endorse or promote products derived 
+ *     from this software without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * ====================================================================
+ * This software consists of voluntary contributions made by many 
+ * individuals on behalf of the Jaxen Project and was originally 
+ * created by bob mcwhirter <bob@werken.com> and 
+ * James Strachan <jstrachan@apache.org>.  For more information on the 
+ * Jaxen Project, please see <http://www.jaxen.org/>.
+ * 
+ * $Id$
+ */
+
+/*
+* Adapted from Jaxen version 1.2.0 as available at
+*   https://repo1.maven.org/maven2/jaxen/jaxen/1.2.0/jaxen-1.2.0-sources.jar
+* Only relevant stubs of this file have been retained for test purposes.
+*/
+
+package org.jaxen;
+
+public interface VariableContext {
+    public Object getVariableValue(String namespaceURI, String prefix, String localName);
+
+}

From 215118c7eac8edff38f0b51181178218fe87bc2d Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Wed, 28 Apr 2021 15:53:11 +0200
Subject: [PATCH 0863/1429] Fixes in QLDocs and imports

---
 .../experimental/Security/CWE/CWE-643/XPathInjection.ql    | 3 ++-
 java/ql/src/semmle/code/java/security/XPath.qll            | 7 +++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql
index fbef6285021..1949093e8ea 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql
@@ -11,8 +11,9 @@
  */
 
 import java
-import semmle.code.java.dataflow.TaintTracking
 import DataFlow::PathGraph
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.XPath
 
 class XPathInjectionConfiguration extends TaintTracking::Configuration {
diff --git a/java/ql/src/semmle/code/java/security/XPath.qll b/java/ql/src/semmle/code/java/security/XPath.qll
index 4eed6537f23..b728ffc2b45 100644
--- a/java/ql/src/semmle/code/java/security/XPath.qll
+++ b/java/ql/src/semmle/code/java/security/XPath.qll
@@ -1,13 +1,12 @@
 /** Provides classes to reason about XPath vulnerabilities. */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.ExternalFlow
 
 /**
- *  A sink that represents a method that interprets XPath expressions.
- *  Extend this class to add your own XPath Injection sinks.
+ * A sink that represents a method that interprets XPath expressions.
+ * Extend this class to add your own XPath Injection sinks.
  */
 abstract class XPathInjectionSink extends DataFlow::Node { }
 

From 26c3ff2cee86a663cc97205ee25494c81f051e4f Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Wed, 28 Apr 2021 20:46:59 +0200
Subject: [PATCH 0864/1429] Move from experimental to standard

---
 .../{experimental => }/Security/CWE/CWE-643/XPathInjection.java   | 0
 .../{experimental => }/Security/CWE/CWE-643/XPathInjection.qhelp  | 0
 .../src/{experimental => }/Security/CWE/CWE-643/XPathInjection.ql | 0
 .../test/{experimental => }/query-tests/security/CWE-643/A.java   | 0
 .../query-tests/security/CWE-643/XPathInjectionTest.expected      | 0
 .../query-tests/security/CWE-643/XPathInjectionTest.ql            | 0
 .../test/{experimental => }/query-tests/security/CWE-643/options  | 0
 7 files changed, 0 insertions(+), 0 deletions(-)
 rename java/ql/src/{experimental => }/Security/CWE/CWE-643/XPathInjection.java (100%)
 rename java/ql/src/{experimental => }/Security/CWE/CWE-643/XPathInjection.qhelp (100%)
 rename java/ql/src/{experimental => }/Security/CWE/CWE-643/XPathInjection.ql (100%)
 rename java/ql/test/{experimental => }/query-tests/security/CWE-643/A.java (100%)
 rename java/ql/test/{experimental => }/query-tests/security/CWE-643/XPathInjectionTest.expected (100%)
 rename java/ql/test/{experimental => }/query-tests/security/CWE-643/XPathInjectionTest.ql (100%)
 rename java/ql/test/{experimental => }/query-tests/security/CWE-643/options (100%)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.java b/java/ql/src/Security/CWE/CWE-643/XPathInjection.java
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.java
rename to java/ql/src/Security/CWE/CWE-643/XPathInjection.java
diff --git a/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.qhelp b/java/ql/src/Security/CWE/CWE-643/XPathInjection.qhelp
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.qhelp
rename to java/ql/src/Security/CWE/CWE-643/XPathInjection.qhelp
diff --git a/java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql b/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql
rename to java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-643/A.java b/java/ql/test/query-tests/security/CWE-643/A.java
similarity index 100%
rename from java/ql/test/experimental/query-tests/security/CWE-643/A.java
rename to java/ql/test/query-tests/security/CWE-643/A.java
diff --git a/java/ql/test/experimental/query-tests/security/CWE-643/XPathInjectionTest.expected b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.expected
similarity index 100%
rename from java/ql/test/experimental/query-tests/security/CWE-643/XPathInjectionTest.expected
rename to java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.expected
diff --git a/java/ql/test/experimental/query-tests/security/CWE-643/XPathInjectionTest.ql b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.ql
similarity index 100%
rename from java/ql/test/experimental/query-tests/security/CWE-643/XPathInjectionTest.ql
rename to java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-643/options b/java/ql/test/query-tests/security/CWE-643/options
similarity index 100%
rename from java/ql/test/experimental/query-tests/security/CWE-643/options
rename to java/ql/test/query-tests/security/CWE-643/options

From 509fc8a640d63ab7ae3b105db36a4beab037cd4a Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Wed, 28 Apr 2021 20:51:47 +0200
Subject: [PATCH 0865/1429] Add missing docs to stubs

---
 .../stubs/dom4j-2.1.1/org/dom4j/Document.java |  2 -
 .../org/dom4j/DocumentFactory.java            | 43 ++++++++++++++++++
 .../dom4j-2.1.1/org/dom4j/DocumentHelper.java | 45 ++++++++++++++++++-
 .../org/dom4j/util/ProxyDocumentFactory.java  | 43 ++++++++++++++++++
 4 files changed, 130 insertions(+), 3 deletions(-)

diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Document.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Document.java
index a3c430dacb1..234048883a0 100644
--- a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Document.java
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/Document.java
@@ -13,8 +13,6 @@
 
 package org.dom4j;
 
-import java.util.List;
-
 public interface Document extends Branch {
 
 }
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentFactory.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentFactory.java
index 21a8bc49497..b7a50a5cfef 100644
--- a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentFactory.java
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentFactory.java
@@ -5,6 +5,12 @@
  * See the bottom of this file for the licence.
  */
 
+/*
+* Adapted from DOM4J version 2.1.1 as available at
+*   https://search.maven.org/remotecontent?filepath=org/dom4j/dom4j/2.1.1/dom4j-2.1.1-sources.jar
+* Only relevant stubs of this file have been retained for test purposes.
+*/
+
 package org.dom4j;
 
 import java.io.Serializable;
@@ -73,3 +79,40 @@ public class DocumentFactory implements Serializable {
   }
 
 }
+
+/*
+ * Redistribution and use of this software and associated documentation
+ * ("Software"), with or without modification, are permitted provided that the
+ * following conditions are met:
+ * 
+ * 1. Redistributions of source code must retain copyright statements and
+ * notices. Redistributions must also contain a copy of this document.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * 3. The name "DOM4J" must not be used to endorse or promote products derived
+ * from this Software without prior written permission of MetaStuff, Ltd. For
+ * written permission, please contact dom4j-info@metastuff.com.
+ * 
+ * 4. Products derived from this Software may not be called "DOM4J" nor may
+ * "DOM4J" appear in their names without prior written permission of MetaStuff,
+ * Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
+ * 
+ * 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org
+ * 
+ * THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL METASTUFF, LTD. OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ * 
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ */
\ No newline at end of file
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentHelper.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentHelper.java
index b17731205f7..669dbfa9e9b 100644
--- a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentHelper.java
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentHelper.java
@@ -5,10 +5,16 @@
  * See the bottom of this file for the licence.
  */
 
+/*
+* Adapted from DOM4J version 2.1.1 as available at
+*   https://search.maven.org/remotecontent?filepath=org/dom4j/dom4j/2.1.1/dom4j-2.1.1-sources.jar
+* Only relevant stubs of this file have been retained for test purposes.
+*/
+
 package org.dom4j;
 
 import java.util.List;
-import java.util.Map;
+
 import org.dom4j.rule.Pattern;
 import org.jaxen.VariableContext;
 
@@ -64,3 +70,40 @@ public final class DocumentHelper {
   }
 
 }
+
+/*
+ * Redistribution and use of this software and associated documentation
+ * ("Software"), with or without modification, are permitted provided that the
+ * following conditions are met:
+ * 
+ * 1. Redistributions of source code must retain copyright statements and
+ * notices. Redistributions must also contain a copy of this document.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * 3. The name "DOM4J" must not be used to endorse or promote products derived
+ * from this Software without prior written permission of MetaStuff, Ltd. For
+ * written permission, please contact dom4j-info@metastuff.com.
+ * 
+ * 4. Products derived from this Software may not be called "DOM4J" nor may
+ * "DOM4J" appear in their names without prior written permission of MetaStuff,
+ * Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
+ * 
+ * 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org
+ * 
+ * THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL METASTUFF, LTD. OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ * 
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ */
\ No newline at end of file
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/util/ProxyDocumentFactory.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/util/ProxyDocumentFactory.java
index 29d1b575a8c..8aa3c7a2195 100644
--- a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/util/ProxyDocumentFactory.java
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/util/ProxyDocumentFactory.java
@@ -5,6 +5,12 @@
  * See the bottom of this file for the licence.
  */
 
+/*
+* Adapted from DOM4J version 2.1.1 as available at
+*   https://search.maven.org/remotecontent?filepath=org/dom4j/dom4j/2.1.1/dom4j-2.1.1-sources.jar
+* Only relevant stubs of this file have been retained for test purposes.
+*/
+
 package org.dom4j.util;
 
 import org.dom4j.Document;
@@ -55,3 +61,40 @@ public abstract class ProxyDocumentFactory {
   }
 
 }
+
+/*
+ * Redistribution and use of this software and associated documentation
+ * ("Software"), with or without modification, are permitted provided that the
+ * following conditions are met:
+ * 
+ * 1. Redistributions of source code must retain copyright statements and
+ * notices. Redistributions must also contain a copy of this document.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * 3. The name "DOM4J" must not be used to endorse or promote products derived
+ * from this Software without prior written permission of MetaStuff, Ltd. For
+ * written permission, please contact dom4j-info@metastuff.com.
+ * 
+ * 4. Products derived from this Software may not be called "DOM4J" nor may
+ * "DOM4J" appear in their names without prior written permission of MetaStuff,
+ * Ltd. DOM4J is a registered trademark of MetaStuff, Ltd.
+ * 
+ * 5. Due credit should be given to the DOM4J Project - http://www.dom4j.org
+ * 
+ * THIS SOFTWARE IS PROVIDED BY METASTUFF, LTD. AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL METASTUFF, LTD. OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ * 
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ */
\ No newline at end of file

From ccb3ea4453102dfe204eb744b4d92c45e95113f8 Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Fri, 30 Apr 2021 09:40:01 +0200
Subject: [PATCH 0866/1429] Fix XPath Injection tests classpath

---
 java/ql/test/query-tests/security/CWE-643/options | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/test/query-tests/security/CWE-643/options b/java/ql/test/query-tests/security/CWE-643/options
index ee686f5a071..13143a15a6a 100644
--- a/java/ql/test/query-tests/security/CWE-643/options
+++ b/java/ql/test/query-tests/security/CWE-643/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/dom4j-2.1.1:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jaxen-1.2.0
\ No newline at end of file
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/jaxen-1.2.0

From 8af7f4a4843e1f14a0834348d05466d7074bbbfc Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Fri, 30 Apr 2021 09:40:48 +0200
Subject: [PATCH 0867/1429] New sinks and test cases

---
 .../src/semmle/code/java/security/XPath.qll   |  2 +
 .../test/query-tests/security/CWE-643/A.java  | 18 +++++
 .../org/dom4j/xpath/XPathPattern.java         |  3 +
 .../org/jaxen/pattern/Pattern.java            | 73 +++++++++++++++++++
 4 files changed, 96 insertions(+)
 create mode 100644 java/ql/test/stubs/jaxen-1.2.0/org/jaxen/pattern/Pattern.java

diff --git a/java/ql/src/semmle/code/java/security/XPath.qll b/java/ql/src/semmle/code/java/security/XPath.qll
index b728ffc2b45..374fbcdbebe 100644
--- a/java/ql/src/semmle/code/java/security/XPath.qll
+++ b/java/ql/src/semmle/code/java/security/XPath.qll
@@ -31,6 +31,8 @@ private class DefaultXPathInjectionSinkModel extends SinkModelCsv {
         "org.dom4j;DocumentHelper;false;createPattern;;;Argument[0];xpath",
         "org.dom4j;DocumentHelper;false;createXPath;;;Argument[0];xpath",
         "org.dom4j;DocumentHelper;false;createXPathFilter;;;Argument[0];xpath",
+        "org.dom4j;DocumentHelper;false;selectNodes;;;Argument[0];xpath",
+        "org.dom4j;DocumentHelper;false;sort;;;Argument[1];xpath",
         "org.dom4j.tree;AbstractNode;true;createXPathFilter;;;Argument[0];xpath",
         "org.dom4j.tree;AbstractNode;true;createPattern;;;Argument[0];xpath",
         "org.dom4j.util;ProxyDocumentFactory;true;createPattern;;;Argument[0];xpath",
diff --git a/java/ql/test/query-tests/security/CWE-643/A.java b/java/ql/test/query-tests/security/CWE-643/A.java
index 431e51716b1..5ccc1b11a94 100644
--- a/java/ql/test/query-tests/security/CWE-643/A.java
+++ b/java/ql/test/query-tests/security/CWE-643/A.java
@@ -1,5 +1,6 @@
 import java.io.ByteArrayInputStream;
 import java.io.StringReader;
+import java.util.ArrayList;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.xml.namespace.QName;
@@ -11,9 +12,11 @@ import javax.xml.xpath.XPathExpression;
 import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;
 
+import org.jaxen.pattern.Pattern;
 import org.dom4j.DocumentFactory;
 import org.dom4j.DocumentHelper;
 import org.dom4j.Namespace;
+import org.dom4j.Node;
 import org.dom4j.io.SAXReader;
 import org.dom4j.util.ProxyDocumentFactory;
 import org.dom4j.xpath.DefaultXPath;
@@ -58,6 +61,18 @@ public class A {
     private static class ProxyDocumentFactoryStub extends ProxyDocumentFactory {
     }
 
+    private static class PatternStub extends Pattern {
+        private String text;
+
+        PatternStub(String text) {
+            this.text = text;
+        }
+
+        public String getText() {
+            return text;
+        }
+    }
+
     public void handle(HttpServletRequest request) throws Exception {
         String user = request.getParameter("user");
         String pass = request.getParameter("pass");
@@ -118,6 +133,7 @@ public class A {
 
         new DefaultXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
         new XPathPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        new XPathPattern(new PatternStub(user)); // Safe
 
         DocumentFactory docFactory = DocumentFactory.getInstance();
         docFactory.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
@@ -127,6 +143,8 @@ public class A {
         DocumentHelper.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
         DocumentHelper.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
         DocumentHelper.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        DocumentHelper.selectNodes("/users/user[@name='" + user + "' and @pass='" + pass + "']", new ArrayList<Node>()); // $hasXPathInjection
+        DocumentHelper.sort(new ArrayList<Node>(), "/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
 
         ProxyDocumentFactoryStub proxyDocFactory = new ProxyDocumentFactoryStub();
         proxyDocFactory.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/xpath/XPathPattern.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/xpath/XPathPattern.java
index b48bc5b79b4..94ec166e8a9 100644
--- a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/xpath/XPathPattern.java
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/xpath/XPathPattern.java
@@ -19,6 +19,9 @@ public class XPathPattern implements org.dom4j.rule.Pattern {
   public XPathPattern(String text) {
   }
 
+  public XPathPattern(org.jaxen.pattern.Pattern pattern) {
+  }
+
   public boolean matches(Node node) {
     return false;
   }
diff --git a/java/ql/test/stubs/jaxen-1.2.0/org/jaxen/pattern/Pattern.java b/java/ql/test/stubs/jaxen-1.2.0/org/jaxen/pattern/Pattern.java
new file mode 100644
index 00000000000..984024e8449
--- /dev/null
+++ b/java/ql/test/stubs/jaxen-1.2.0/org/jaxen/pattern/Pattern.java
@@ -0,0 +1,73 @@
+/*
+ * $Header$
+ * $Revision$
+ * $Date$
+ *
+ * ====================================================================
+ *
+ * Copyright 2000-2002 bob mcwhirter & James Strachan.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ * 
+ *   * Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 
+ *   * Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 
+ *   * Neither the name of the Jaxen Project nor the names of its
+ *     contributors may be used to endorse or promote products derived 
+ *     from this software without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * ====================================================================
+ * This software consists of voluntary contributions made by many 
+ * individuals on behalf of the Jaxen Project and was originally 
+ * created by bob mcwhirter <bob@werken.com> and 
+ * James Strachan <jstrachan@apache.org>.  For more information on the 
+ * Jaxen Project, please see <http://www.jaxen.org/>.
+ * 
+ * $Id$
+ */
+
+package org.jaxen.pattern;
+
+public abstract class Pattern {
+  public double getPriority() {
+    return 0;
+  }
+
+  public Pattern[] getUnionPatterns() {
+    return null;
+  }
+
+  public short getMatchType() {
+    return 0;
+  }
+
+  public String getMatchesNodeName() {
+    return null;
+  }
+
+  public Pattern simplify() {
+    return null;
+  }
+
+  public abstract String getText();
+
+}

From 00a757667979d7a1a83f4cd1fb9647371a9d6e3d Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Fri, 30 Apr 2021 09:59:52 +0200
Subject: [PATCH 0868/1429] Rename XPath Injection test file

---
 .../security/CWE-643/{A.java => XPathInjectionTest.java}        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename java/ql/test/query-tests/security/CWE-643/{A.java => XPathInjectionTest.java} (99%)

diff --git a/java/ql/test/query-tests/security/CWE-643/A.java b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java
similarity index 99%
rename from java/ql/test/query-tests/security/CWE-643/A.java
rename to java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java
index 5ccc1b11a94..1644f761fa6 100644
--- a/java/ql/test/query-tests/security/CWE-643/A.java
+++ b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java
@@ -24,7 +24,7 @@ import org.dom4j.xpath.XPathPattern;
 import org.w3c.dom.Document;
 import org.xml.sax.InputSource;
 
-public class A {
+public class XPathInjectionTest {
     private static abstract class XPathImplStub implements XPath {
         public static XPathImplStub getInstance() {
             return null;

From 926fedb7fb6bca3587b99f18606a7f32be00cff8 Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Mon, 3 May 2021 09:10:45 +0200
Subject: [PATCH 0869/1429] Update
 java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java

Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
---
 .../test/query-tests/security/CWE-643/XPathInjectionTest.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java
index 1644f761fa6..62b547a2227 100644
--- a/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java
+++ b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java
@@ -133,7 +133,7 @@ public class XPathInjectionTest {
 
         new DefaultXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
         new XPathPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-        new XPathPattern(new PatternStub(user)); // Safe
+        new XPathPattern(new PatternStub(user)); // Jaxen is not modeled yet
 
         DocumentFactory docFactory = DocumentFactory.getInstance();
         docFactory.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
@@ -155,4 +155,4 @@ public class XPathInjectionTest {
         namespace.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
         namespace.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
     }
-}
\ No newline at end of file
+}

From 76468559ba8ba993bb9fae0b78d3f3482eb0ec48 Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Thu, 6 May 2021 10:17:25 +0200
Subject: [PATCH 0870/1429] Add safe example for dom4j

---
 .../Security/CWE/CWE-643/XPathInjection.java  | 12 +++-
 .../security/CWE-643/XPathInjectionTest.java  | 20 ++++--
 .../stubs/dom4j-2.1.1/org/dom4j/XPath.java    |  1 +
 .../org/dom4j/xpath/DefaultXPath.java         |  4 ++
 .../org/jaxen/SimpleVariableContext.java      | 66 +++++++++++++++++++
 5 files changed, 96 insertions(+), 7 deletions(-)
 create mode 100644 java/ql/test/stubs/jaxen-1.2.0/org/jaxen/SimpleVariableContext.java

diff --git a/java/ql/src/Security/CWE/CWE-643/XPathInjection.java b/java/ql/src/Security/CWE/CWE-643/XPathInjection.java
index 95a38a5a7ac..093ac32fa6a 100644
--- a/java/ql/src/Security/CWE/CWE-643/XPathInjection.java
+++ b/java/ql/src/Security/CWE/CWE-643/XPathInjection.java
@@ -58,9 +58,19 @@ try {
         // Bad Dom4j 
         org.dom4j.io.SAXReader reader = new org.dom4j.io.SAXReader();
         org.dom4j.Document document = reader.read(new InputSource(new StringReader(xmlStr)));
-        isExist = document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']").hasContent();
+        isExist = document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']") != null;
         // or document.selectNodes
         System.out.println(isExist);
+
+        // Good Dom4j
+        org.jaxen.SimpleVariableContext svc = new org.jaxen.SimpleVariableContext();
+        svc.setVariableValue("user", user);
+        svc.setVariableValue("pass", pass);
+        String xpathString = "/users/user[@name=$user and @pass=$pass]";
+        org.dom4j.XPath safeXPath = document.createXPath(xpathString);
+        safeXPath.setVariableContext(svc);
+        isExist = safeXPath.selectSingleNode(document) != null;
+        System.out.println(isExist);
     }
 } catch (ParserConfigurationException e) {
 
diff --git a/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java
index 62b547a2227..88aeca73b78 100644
--- a/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java
+++ b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java
@@ -110,12 +110,12 @@ public class XPathInjectionTest {
         String expression4 = "/users/user[@name=$user and @pass=$pass]";
         xpath.setXPathVariableResolver(v -> {
             switch (v.getLocalPart()) {
-            case "user":
-                return user;
-            case "pass":
-                return pass;
-            default:
-                throw new IllegalArgumentException();
+                case "user":
+                    return user;
+                case "pass":
+                    return pass;
+                default:
+                    throw new IllegalArgumentException();
             }
         });
         xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN); // Safe
@@ -154,5 +154,13 @@ public class XPathInjectionTest {
         Namespace namespace = new Namespace("prefix", "http://some.uri.io");
         namespace.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
         namespace.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+
+        org.jaxen.SimpleVariableContext svc = new org.jaxen.SimpleVariableContext();
+        svc.setVariableValue("user", user);
+        svc.setVariableValue("pass", pass);
+        String xpathString = "/users/user[@name=$user and @pass=$pass]";
+        org.dom4j.XPath safeXPath = document.createXPath(xpathString); // Safe
+        safeXPath.setVariableContext(svc);
+        safeXPath.selectSingleNode(document); // Safe
     }
 }
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/XPath.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/XPath.java
index eec983b5bc7..64147c75a13 100644
--- a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/XPath.java
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/XPath.java
@@ -45,6 +45,7 @@ public interface XPath extends NodeFilter {
 
 	void setNamespaceURIs(Map<String, String> map);
 
+	void setVariableContext(org.jaxen.VariableContext variableContext);
 }
 
 /*
diff --git a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/xpath/DefaultXPath.java b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/xpath/DefaultXPath.java
index 95b0bdac499..fc7e32ed616 100644
--- a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/xpath/DefaultXPath.java
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/xpath/DefaultXPath.java
@@ -91,6 +91,10 @@ public class DefaultXPath implements org.dom4j.XPath, Serializable {
   public void setNamespaceURIs(Map<String, String> map) {
   }
 
+  @Override
+  public void setVariableContext(org.jaxen.VariableContext variableContext) {
+  }
+
 }
 
 /*
diff --git a/java/ql/test/stubs/jaxen-1.2.0/org/jaxen/SimpleVariableContext.java b/java/ql/test/stubs/jaxen-1.2.0/org/jaxen/SimpleVariableContext.java
new file mode 100644
index 00000000000..5e34f7d92a3
--- /dev/null
+++ b/java/ql/test/stubs/jaxen-1.2.0/org/jaxen/SimpleVariableContext.java
@@ -0,0 +1,66 @@
+/*
+ * $Header$
+ * $Revision$
+ * $Date$
+ *
+ * ====================================================================
+ *
+ * Copyright 2000-2002 bob mcwhirter & James Strachan.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ * 
+ *   * Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 
+ *   * Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 
+ *   * Neither the name of the Jaxen Project nor the names of its
+ *     contributors may be used to endorse or promote products derived 
+ *     from this software without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * ====================================================================
+ * This software consists of voluntary contributions made by many 
+ * individuals on behalf of the Jaxen Project and was originally 
+ * created by bob mcwhirter <bob@werken.com> and 
+ * James Strachan <jstrachan@apache.org>.  For more information on the 
+ * Jaxen Project, please see <http://www.jaxen.org/>.
+ * 
+ * $Id$
+ */
+
+package org.jaxen;
+
+import java.io.Serializable;
+
+public class SimpleVariableContext implements VariableContext, Serializable {
+  public SimpleVariableContext() {
+  }
+
+  public void setVariableValue(String namespaceURI, String localName, Object value) {
+  }
+
+  public void setVariableValue(String localName, Object value) {
+  }
+
+  public Object getVariableValue(String namespaceURI, String prefix, String localName) {
+    return null;
+  }
+
+}

From a400a1e9d4cd4542767a8e78e7b2afb8c73fb4a3 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 26 Apr 2021 10:17:57 +0200
Subject: [PATCH 0871/1429] split the markdown steps into a separate class

---
 .../semmle/javascript/frameworks/Markdown.qll | 289 ++++++++++--------
 1 file changed, 155 insertions(+), 134 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
index 743341325a7..788e28e2e9e 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
@@ -2,159 +2,180 @@
  * Provides classes for modelling common markdown parsers and generators.
  */
 
+import semmle.javascript.Unit
 import javascript
 
 /**
- * A taint step for the `marked` library, that converts markdown to HTML.
+ * A module providing taint-steps for common markdown parsers and generators.
  */
-private class MarkedStep extends TaintTracking::SharedTaintStep {
-  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(DataFlow::CallNode call |
-      call = DataFlow::globalVarRef("marked").getACall()
-      or
-      call = DataFlow::moduleImport("marked").getACall()
-    |
-      succ = call and
-      pred = call.getArgument(0)
-    )
-  }
-}
-
-/**
- * A taint step for the `markdown-table` library.
- */
-private class MarkdownTableStep extends TaintTracking::SharedTaintStep {
-  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(DataFlow::CallNode call | call = DataFlow::moduleImport("markdown-table").getACall() |
-      succ = call and
-      pred = call.getArgument(0)
-    )
-  }
-}
-
-/**
- * A taint step for the `showdown` library.
- */
-private class ShowDownStep extends TaintTracking::SharedTaintStep {
-  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(DataFlow::CallNode call |
-      call =
-        [DataFlow::globalVarRef("showdown"), DataFlow::moduleImport("showdown")]
-            .getAConstructorInvocation("Converter")
-            .getAMemberCall(["makeHtml", "makeMd"])
-    |
-      succ = call and
-      pred = call.getArgument(0)
-    )
-  }
-}
-
-/**
- * Classes and predicates for modelling taint steps in `unified` and `remark`.
- */
-private module Unified {
+module Markdown {
   /**
-   * The creation of a parser from `unified`.
-   * The `remark` module is a shorthand that initializes `unified` with a markdown parser.
+   * A taint-step that parses a markdown document, but preserves taint.import
    */
-  DataFlow::CallNode unified() { result = DataFlow::moduleImport(["unified", "remark"]).getACall() }
-
-  /**
-   * A chain of method calls that process an input with `unified`.
-   */
-  class UnifiedChain extends DataFlow::CallNode {
-    DataFlow::CallNode root;
-
-    UnifiedChain() {
-      root = unified() and
-      this = root.getAChainedMethodCall(["process", "processSync"])
-    }
-
-    /**
-     * Gets a plugin that is used in this chain.
-     */
-    DataFlow::Node getAUsedPlugin() { result = root.getAChainedMethodCall("use").getArgument(0) }
-
-    /**
-     * Gets the input that is processed.
-     */
-    DataFlow::Node getInput() { result = getArgument(0) }
-
-    /**
-     * Gets the processed output.
-     */
-    DataFlow::Node getOutput() {
-      this.getCalleeName() = "process" and result = getABoundCallbackParameter(1, 1)
-      or
-      this.getCalleeName() = "processSync" and result = this
-    }
+  class MarkdownStep extends Unit {
+    abstract predicate step(DataFlow::Node pred, DataFlow::Node succ);
   }
 
-  /**
-   * A taint step for the `unified` library.
-   */
-  class UnifiedStep extends TaintTracking::SharedTaintStep {
+  private class MarkdownStepAsTaintStep extends TaintTracking::SharedTaintStep {
     override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-      exists(UnifiedChain chain |
-        // sanitizer. Mostly looking for `rehype-sanitize`, but also other plugins with `sanitize` in their name.
-        not chain.getAUsedPlugin().getALocalSource() =
-          DataFlow::moduleImport(any(string s | s.matches("%sanitize%")))
-      |
-        pred = chain.getInput() and
-        succ = chain.getOutput()
-      )
+      any(MarkdownStep step).step(pred, succ)
     }
   }
-}
-
-/**
- * A taint step for the `snarkdown` library.
- */
-private class SnarkdownStep extends TaintTracking::SharedTaintStep {
-  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(DataFlow::CallNode call | call = DataFlow::moduleImport("snarkdown").getACall() |
-      call = succ and
-      pred = call.getArgument(0)
-    )
-  }
-}
-
-/**
- * Classes and predicates for modelling taint steps the `markdown-it` library.
- */
-private module MarkdownIt {
-  /**
-   * The creation of a parser from `markdown-it`.
-   */
-  private API::Node markdownIt() {
-    exists(API::InvokeNode call |
-      call = API::moduleImport("markdown-it").getAnInvocation()
-      or
-      call = API::moduleImport("markdown-it").getMember("Markdown").getAnInvocation()
-    |
-      call.getParameter(0).getMember("html").getARhs().mayHaveBooleanValue(true) and
-      result = call.getReturn()
-    )
-    or
-    exists(API::CallNode call |
-      call = markdownIt().getMember(["use", "set", "configure", "enable", "disable"]).getACall() and
-      result = call.getReturn() and
-      not call.getParameter(0).getAValueReachingRhs() =
-        DataFlow::moduleImport("markdown-it-sanitizer")
-    )
-  }
 
   /**
-   * A taint step for the `markdown-it` library.
+   * A taint step for the `marked` library, that converts markdown to HTML.
    */
-  private class MarkdownItStep extends TaintTracking::SharedTaintStep {
+  private class MarkedStep extends MarkdownStep {
     override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-      exists(API::CallNode call |
-        call = markdownIt().getMember(["render", "renderInline"]).getACall()
+      exists(DataFlow::CallNode call |
+        call = DataFlow::globalVarRef("marked").getACall()
+        or
+        call = DataFlow::moduleImport("marked").getACall()
       |
         succ = call and
         pred = call.getArgument(0)
       )
     }
   }
+
+  /**
+   * A taint step for the `markdown-table` library.
+   */
+  private class MarkdownTableStep extends MarkdownStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(DataFlow::CallNode call | call = DataFlow::moduleImport("markdown-table").getACall() |
+        succ = call and
+        pred = call.getArgument(0)
+      )
+    }
+  }
+
+  /**
+   * A taint step for the `showdown` library.
+   */
+  private class ShowDownStep extends MarkdownStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(DataFlow::CallNode call |
+        call =
+          [DataFlow::globalVarRef("showdown"), DataFlow::moduleImport("showdown")]
+              .getAConstructorInvocation("Converter")
+              .getAMemberCall(["makeHtml", "makeMd"])
+      |
+        succ = call and
+        pred = call.getArgument(0)
+      )
+    }
+  }
+
+  /**
+   * Classes and predicates for modelling taint steps in `unified` and `remark`.
+   */
+  private module Unified {
+    /**
+     * The creation of a parser from `unified`.
+     * The `remark` module is a shorthand that initializes `unified` with a markdown parser.
+     */
+    DataFlow::CallNode unified() {
+      result = DataFlow::moduleImport(["unified", "remark"]).getACall()
+    }
+
+    /**
+     * A chain of method calls that process an input with `unified`.
+     */
+    class UnifiedChain extends DataFlow::CallNode {
+      DataFlow::CallNode root;
+
+      UnifiedChain() {
+        root = unified() and
+        this = root.getAChainedMethodCall(["process", "processSync"])
+      }
+
+      /**
+       * Gets a plugin that is used in this chain.
+       */
+      DataFlow::Node getAUsedPlugin() { result = root.getAChainedMethodCall("use").getArgument(0) }
+
+      /**
+       * Gets the input that is processed.
+       */
+      DataFlow::Node getInput() { result = getArgument(0) }
+
+      /**
+       * Gets the processed output.
+       */
+      DataFlow::Node getOutput() {
+        this.getCalleeName() = "process" and result = getABoundCallbackParameter(1, 1)
+        or
+        this.getCalleeName() = "processSync" and result = this
+      }
+    }
+
+    /**
+     * A taint step for the `unified` library.
+     */
+    class UnifiedStep extends MarkdownStep {
+      override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+        exists(UnifiedChain chain |
+          // sanitizer. Mostly looking for `rehype-sanitize`, but also other plugins with `sanitize` in their name.
+          not chain.getAUsedPlugin().getALocalSource() =
+            DataFlow::moduleImport(any(string s | s.matches("%sanitize%")))
+        |
+          pred = chain.getInput() and
+          succ = chain.getOutput()
+        )
+      }
+    }
+  }
+
+  /**
+   * A taint step for the `snarkdown` library.
+   */
+  private class SnarkdownStep extends MarkdownStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(DataFlow::CallNode call | call = DataFlow::moduleImport("snarkdown").getACall() |
+        call = succ and
+        pred = call.getArgument(0)
+      )
+    }
+  }
+
+  /**
+   * Classes and predicates for modelling taint steps the `markdown-it` library.
+   */
+  private module MarkdownIt {
+    /**
+     * The creation of a parser from `markdown-it`.
+     */
+    private API::Node markdownIt() {
+      exists(API::InvokeNode call |
+        call = API::moduleImport("markdown-it").getAnInvocation()
+        or
+        call = API::moduleImport("markdown-it").getMember("Markdown").getAnInvocation()
+      |
+        call.getParameter(0).getMember("html").getARhs().mayHaveBooleanValue(true) and
+        result = call.getReturn()
+      )
+      or
+      exists(API::CallNode call |
+        call = markdownIt().getMember(["use", "set", "configure", "enable", "disable"]).getACall() and
+        result = call.getReturn() and
+        not call.getParameter(0).getAValueReachingRhs() =
+          DataFlow::moduleImport("markdown-it-sanitizer")
+      )
+    }
+
+    /**
+     * A taint step for the `markdown-it` library.
+     */
+    private class MarkdownItStep extends MarkdownStep {
+      override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+        exists(API::CallNode call |
+          call = markdownIt().getMember(["render", "renderInline"]).getACall()
+        |
+          succ = call and
+          pred = call.getArgument(0)
+        )
+      }
+    }
+  }
 }

From e86a3b5e577fc603c5cf1dd171c191b7e692e373 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 26 Apr 2021 10:21:25 +0200
Subject: [PATCH 0872/1429] add js/html-constructed-from-input query

---
 .../CWE-079/UnsafeHtmlConstruction.ql         |  22 +++
 .../semmle/javascript/frameworks/Markdown.qll |   3 +
 .../dataflow/UnsafeHtmlConstruction.qll       |  32 ++++
 .../UnsafeHtmlConstructionCustomizations.qll  | 168 ++++++++++++++++++
 4 files changed, 225 insertions(+)
 create mode 100644 javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql
 create mode 100644 javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
 create mode 100644 javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll

diff --git a/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql b/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql
new file mode 100644
index 00000000000..464f4951307
--- /dev/null
+++ b/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql
@@ -0,0 +1,22 @@
+/**
+ * @name Unsafe HTML constructed from library input
+ * @description Using externally controlled strings to construct HTML might allow a malicious
+ *              user to perform an cross-site scripting attack.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id js/html-constructed-from-input
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+import javascript
+import DataFlow::PathGraph
+import semmle.javascript.security.dataflow.UnsafeHtmlConstruction::UnsafeHtmlConstruction
+
+from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode
+where cfg.hasFlowPath(source, sink) and sink.getNode() = sinkNode
+select sinkNode, source, sink, "$@ based on $@ might later cause $@.", sinkNode,
+  sinkNode.describe(), source.getNode(), "library input", sinkNode.getSink(),
+  sinkNode.getVulnerabilityKind().toLowerCase()
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
index 788e28e2e9e..c98243e4fbb 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
@@ -13,6 +13,9 @@ module Markdown {
    * A taint-step that parses a markdown document, but preserves taint.import
    */
   class MarkdownStep extends Unit {
+    /**
+     * Holds if there is a taint-step from `pred` to `succ` for a taint-preserving markdown parser.
+     */
     abstract predicate step(DataFlow::Node pred, DataFlow::Node succ);
   }
 
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
new file mode 100644
index 00000000000..3e2bf53bde9
--- /dev/null
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
@@ -0,0 +1,32 @@
+/**
+ * Provides a taint-tracking configuration for reasoning about
+ * unsafe HTML constructed from library input vulnerabilities.
+ */
+
+import javascript
+
+/**
+ * Classes and predicates for the unsafe HTML constructed from library input query.
+ */
+module UnsafeHtmlConstruction {
+  private import semmle.javascript.security.dataflow.DomBasedXssCustomizations::DomBasedXss as DomBasedXss
+  private import semmle.javascript.security.dataflow.UnsafeJQueryPluginCustomizations::UnsafeJQueryPlugin as UnsafeJQueryPlugin
+  import UnsafeHtmlConstructionCustomizations::UnsafeHtmlConstruction
+
+  /**
+   * A taint-tracking configuration for reasoning about unsafe HTML constructed from library input vulnerabilities.
+   */
+  class Configration extends TaintTracking::Configuration {
+    Configration() { this = "UnsafeHtmlConstruction" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) { super.isSanitizer(node) }
+
+    override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
+      DomBasedXss::isOptionallySanitizedEdge(pred, succ)
+    }
+  }
+}
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
new file mode 100644
index 00000000000..b72df1b7421
--- /dev/null
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -0,0 +1,168 @@
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * unsafe HTML constructed from library input, as well as extension points
+ * for adding your own.
+ */
+
+import javascript
+
+/**
+ * Module containing sources, sinks, and sanitizers for unsafe HTML constructed from library input.
+ */
+module UnsafeHtmlConstruction {
+  private import semmle.javascript.security.dataflow.DomBasedXssCustomizations::DomBasedXss as DomBasedXss
+  private import semmle.javascript.security.dataflow.UnsafeJQueryPluginCustomizations::UnsafeJQueryPlugin as UnsafeJQueryPlugin
+  private import semmle.javascript.PackageExports as Exports
+
+  /**
+   * A source for unsafe HTML constructed from library input.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A parameter of an exported function, seen as a source for usnafe HTML constructed from input.
+   */
+  class ExternalInputSource extends Source, DataFlow::ParameterNode {
+    ExternalInputSource() {
+      this = Exports::getALibraryInputParameter() and
+      not this = JQuery::dollarSource()
+    }
+  }
+
+  /**
+   * A sink for unsafe HTML constructed from library input.
+   * This sink somehow transforms its input into a value that can cause XSS if it ends up in a XSS sink.
+   */
+  abstract class Sink extends DataFlow::Node {
+    /**
+     * Gets the kind of vulnerability to report in the alert message.
+     *
+     * Defaults to `Cross-site scripting`, but may be overriden for sinks
+     * that do not allow script injection, but injection of other undesirable HTML elements.
+     */
+    abstract string getVulnerabilityKind();
+
+    /**
+     * Gets the XSS sink that this transformed input ends up in.
+     */
+    abstract DataFlow::Node getSink();
+
+    /**
+     * Gets a string describing the transformation that this sink represents.
+     */
+    abstract string describe();
+  }
+
+  /**
+   * A sink for `js/html-constructed-from-input` that constructs some HTML where
+   * that HTML is later used in `xssSink`.
+   */
+  abstract class XssSink extends Sink {
+    DomBasedXss::Sink xssSink;
+
+    final override string getVulnerabilityKind() { result = xssSink.getVulnerabilityKind() }
+
+    final override DomBasedXss::Sink getSink() { result = xssSink }
+  }
+
+  /**
+   * Gets a dataflow node that flows to `sink` tracked by `t`.
+   */
+  private DataFlow::Node isUsedInXssSink(DataFlow::TypeBackTracker t, DomBasedXss::Sink sink) {
+    t.start() and
+    result = sink
+    or
+    exists(DataFlow::TypeBackTracker t2 | t = t2.smallstep(result, isUsedInXssSink(t2, sink)))
+    or
+    exists(DataFlow::TypeBackTracker t2 |
+      t.continue() = t2 and
+      domBasedTaintStep(result, isUsedInXssSink(t2, sink))
+    )
+  }
+
+  /**
+   * Gets a dataflow node that flows to `sink`.
+   */
+  DataFlow::Node isUsedInXssSink(DomBasedXss::Sink sink) {
+    result = isUsedInXssSink(DataFlow::TypeBackTracker::end(), sink)
+  }
+
+  /**
+   * Holds if there is a taint step from `pred` to `succ` for DOM strings/nodes.
+   * These steps are mostly relevant for DOM nodes that are created by an XML parser.
+   */
+  predicate domBasedTaintStep(DataFlow::Node pred, DataFlow::SourceNode succ) {
+    // node.appendChild(newChild) and similar
+    exists(DataFlow::MethodCallNode call |
+      call.getMethodName() = ["insertBefore", "replaceChild", "appendChild"]
+    |
+      pred = call.getArgument(0) and
+      succ = [call.getReceiver().getALocalSource(), call]
+    )
+    or
+    // element.{prepend,append}(node) and similar
+    exists(DataFlow::MethodCallNode call |
+      call.getMethodName() = ["prepend", "append", "replaceWith", "replaceChildren"]
+    |
+      pred = call.getAnArgument() and
+      succ = call.getReceiver().getALocalSource()
+    )
+    or
+    // node.insertAdjacentElement("location", newChild)
+    exists(DataFlow::MethodCallNode call | call.getMethodName() = "insertAdjacentElement" |
+      pred = call.getArgument(1) and
+      succ = call.getReceiver().getALocalSource()
+    )
+    or
+    // clone = node.cloneNode()
+    exists(DataFlow::MethodCallNode cloneNode | cloneNode.getMethodName() = "cloneNode" |
+      pred = cloneNode.getReceiver() and
+      succ = cloneNode
+    )
+    or
+    // var succ = pred.documentElement;
+    // documentElement is the root element of the document, and childNodes is the list of all children
+    exists(DataFlow::PropRead read | read.getPropertyName() = ["documentElement", "childNodes"] |
+      pred = read.getBase() and
+      succ = read
+    )
+  }
+
+  /**
+   * A string-concatenation of HTML, where the result is used as an XSS sink.
+   */
+  class HTMLConcatenationSink extends XssSink, StringOps::HtmlConcatenationLeaf {
+    HTMLConcatenationSink() { isUsedInXssSink(xssSink) = this.getRoot() }
+
+    override string describe() { result = "HTML construction" }
+  }
+
+  /**
+   * A string parsed as XML, which is later used in an XSS sink.
+   */
+  class XMLParsedSink extends XssSink {
+    XML::ParserInvocation parser;
+
+    XMLParsedSink() {
+      this.asExpr() = parser.getSourceArgument() and
+      isUsedInXssSink(xssSink) = parser.getAResult()
+    }
+
+    override string describe() { result = "XML parsing" }
+  }
+
+  /**
+   * A string rendered as markdown, where the rendering preserves HTML.
+   */
+  class MarkdownSink extends XssSink {
+    MarkdownSink() {
+      exists(DataFlow::Node pred, DataFlow::Node succ, Markdown::MarkdownStep step |
+        step.step(pred, succ) and
+        this = pred and
+        succ = isUsedInXssSink(xssSink)
+      )
+    }
+
+    override string describe() { result = "Markdown rendering" }
+  }
+}

From 6e754c70aa7f5828799aa3291a84a30bceef1c89 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 26 Apr 2021 10:21:53 +0200
Subject: [PATCH 0873/1429] add test for js/html-constructed-from-input

---
 ...ConsistencyUnsafeHtmlConstruction.expected |  0
 .../ConsistencyUnsafeHtmlConstruction.ql      |  3 +
 .../UnsafeHtmlConstruction.expected           | 72 +++++++++++++++++++
 .../UnsafeHtmlConstruction.qlref              |  1 +
 .../UnsafeHtmlConstruction/jquery-plugin.js   |  9 +++
 .../CWE-079/UnsafeHtmlConstruction/main.js    | 54 ++++++++++++++
 .../UnsafeHtmlConstruction/package.json       |  4 ++
 .../UnsafeHtmlConstruction/tsconfig.json      |  1 +
 .../CWE-079/UnsafeHtmlConstruction/typed.ts   | 20 ++++++
 9 files changed, 164 insertions(+)
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.expected
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.ql
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.qlref
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/package.json
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/tsconfig.json
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts

diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.ql b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.ql
new file mode 100644
index 00000000000..823644730b2
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/ConsistencyUnsafeHtmlConstruction.ql
@@ -0,0 +1,3 @@
+import javascript
+import testUtilities.ConsistencyChecking
+import semmle.javascript.security.dataflow.UnsafeHtmlConstruction as UnsafeHtmlConstruction
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected
new file mode 100644
index 00000000000..0a8c8013cbc
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected
@@ -0,0 +1,72 @@
+nodes
+| main.js:1:55:1:55 | s |
+| main.js:1:55:1:55 | s |
+| main.js:2:29:2:29 | s |
+| main.js:2:29:2:29 | s |
+| main.js:6:49:6:49 | s |
+| main.js:6:49:6:49 | s |
+| main.js:7:49:7:49 | s |
+| main.js:7:49:7:49 | s |
+| main.js:11:60:11:60 | s |
+| main.js:11:60:11:60 | s |
+| main.js:12:49:12:49 | s |
+| main.js:12:49:12:49 | s |
+| main.js:21:47:21:47 | s |
+| main.js:21:47:21:47 | s |
+| main.js:22:34:22:34 | s |
+| main.js:22:34:22:34 | s |
+| typed.ts:1:39:1:39 | s |
+| typed.ts:1:39:1:39 | s |
+| typed.ts:2:29:2:29 | s |
+| typed.ts:2:29:2:29 | s |
+| typed.ts:6:43:6:43 | s |
+| typed.ts:6:43:6:43 | s |
+| typed.ts:8:40:8:40 | s |
+| typed.ts:8:40:8:40 | s |
+| typed.ts:11:20:11:20 | s |
+| typed.ts:11:20:11:20 | s |
+| typed.ts:12:12:12:12 | s |
+| typed.ts:16:11:16:21 | s |
+| typed.ts:16:15:16:21 | id("x") |
+| typed.ts:17:29:17:29 | s |
+| typed.ts:17:29:17:29 | s |
+edges
+| main.js:1:55:1:55 | s | main.js:2:29:2:29 | s |
+| main.js:1:55:1:55 | s | main.js:2:29:2:29 | s |
+| main.js:1:55:1:55 | s | main.js:2:29:2:29 | s |
+| main.js:1:55:1:55 | s | main.js:2:29:2:29 | s |
+| main.js:6:49:6:49 | s | main.js:7:49:7:49 | s |
+| main.js:6:49:6:49 | s | main.js:7:49:7:49 | s |
+| main.js:6:49:6:49 | s | main.js:7:49:7:49 | s |
+| main.js:6:49:6:49 | s | main.js:7:49:7:49 | s |
+| main.js:11:60:11:60 | s | main.js:12:49:12:49 | s |
+| main.js:11:60:11:60 | s | main.js:12:49:12:49 | s |
+| main.js:11:60:11:60 | s | main.js:12:49:12:49 | s |
+| main.js:11:60:11:60 | s | main.js:12:49:12:49 | s |
+| main.js:21:47:21:47 | s | main.js:22:34:22:34 | s |
+| main.js:21:47:21:47 | s | main.js:22:34:22:34 | s |
+| main.js:21:47:21:47 | s | main.js:22:34:22:34 | s |
+| main.js:21:47:21:47 | s | main.js:22:34:22:34 | s |
+| typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s |
+| typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s |
+| typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s |
+| typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s |
+| typed.ts:6:43:6:43 | s | typed.ts:8:40:8:40 | s |
+| typed.ts:6:43:6:43 | s | typed.ts:8:40:8:40 | s |
+| typed.ts:6:43:6:43 | s | typed.ts:8:40:8:40 | s |
+| typed.ts:6:43:6:43 | s | typed.ts:8:40:8:40 | s |
+| typed.ts:11:20:11:20 | s | typed.ts:12:12:12:12 | s |
+| typed.ts:11:20:11:20 | s | typed.ts:12:12:12:12 | s |
+| typed.ts:12:12:12:12 | s | typed.ts:16:15:16:21 | id("x") |
+| typed.ts:16:11:16:21 | s | typed.ts:17:29:17:29 | s |
+| typed.ts:16:11:16:21 | s | typed.ts:17:29:17:29 | s |
+| typed.ts:16:15:16:21 | id("x") | typed.ts:16:11:16:21 | s |
+#select
+| main.js:2:29:2:29 | s | main.js:1:55:1:55 | s | main.js:2:29:2:29 | s | $@ based on $@ might later cause $@. | main.js:2:29:2:29 | s | HTML construction | main.js:1:55:1:55 | s | library input | main.js:3:49:3:52 | html | cross-site scripting |
+| main.js:7:49:7:49 | s | main.js:6:49:6:49 | s | main.js:7:49:7:49 | s | $@ based on $@ might later cause $@. | main.js:7:49:7:49 | s | XML parsing | main.js:6:49:6:49 | s | library input | main.js:8:48:8:66 | doc.documentElement | cross-site scripting |
+| main.js:12:49:12:49 | s | main.js:11:60:11:60 | s | main.js:12:49:12:49 | s | $@ based on $@ might later cause $@. | main.js:12:49:12:49 | s | XML parsing | main.js:11:60:11:60 | s | library input | main.js:16:21:16:35 | xml.cloneNode() | cross-site scripting |
+| main.js:12:49:12:49 | s | main.js:11:60:11:60 | s | main.js:12:49:12:49 | s | $@ based on $@ might later cause $@. | main.js:12:49:12:49 | s | XML parsing | main.js:11:60:11:60 | s | library input | main.js:17:48:17:50 | tmp | cross-site scripting |
+| main.js:22:34:22:34 | s | main.js:21:47:21:47 | s | main.js:22:34:22:34 | s | $@ based on $@ might later cause $@. | main.js:22:34:22:34 | s | Markdown rendering | main.js:21:47:21:47 | s | library input | main.js:23:53:23:56 | html | cross-site scripting |
+| typed.ts:2:29:2:29 | s | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s | $@ based on $@ might later cause $@. | typed.ts:2:29:2:29 | s | HTML construction | typed.ts:1:39:1:39 | s | library input | typed.ts:3:31:3:34 | html | cross-site scripting |
+| typed.ts:8:40:8:40 | s | typed.ts:6:43:6:43 | s | typed.ts:8:40:8:40 | s | $@ based on $@ might later cause $@. | typed.ts:8:40:8:40 | s | HTML construction | typed.ts:6:43:6:43 | s | library input | typed.ts:8:29:8:52 | "<span> ... /span>" | cross-site scripting |
+| typed.ts:17:29:17:29 | s | typed.ts:11:20:11:20 | s | typed.ts:17:29:17:29 | s | $@ based on $@ might later cause $@. | typed.ts:17:29:17:29 | s | HTML construction | typed.ts:11:20:11:20 | s | library input | typed.ts:18:31:18:34 | html | cross-site scripting |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.qlref b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.qlref
new file mode 100644
index 00000000000..0fbe0ed0ba1
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.qlref
@@ -0,0 +1 @@
+Security/CWE-079/UnsafeHtmlConstruction.ql
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js
new file mode 100644
index 00000000000..07b25b558f9
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/jquery-plugin.js
@@ -0,0 +1,9 @@
+(function (factory) {
+	if (typeof define === 'function' && define.amd) {
+		define(['jquery', 'jquery-ui'], factory);
+	} else {
+		factory(jQuery);
+	}
+}(function ($) {
+    $("<span>" + $.trim("foo") + "</span>"); // OK
+}));
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js
new file mode 100644
index 00000000000..6564cd2dfe7
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js
@@ -0,0 +1,54 @@
+module.exports.xssThroughHTMLConstruction = function (s) {
+    const html = "<span>" + s + "</span>";// NOT OK
+    document.querySelector("#html").innerHTML = html;
+}
+ 
+module.exports.xssThroughXMLParsing = function (s) {
+    const doc = new DOMParser().parseFromString(s, "text/xml"); // NOT OK
+    document.querySelector("#xml").appendChild(doc.documentElement);
+}
+
+module.exports.xssThroughMoreComplexXMLParsing = function (s) {
+    const doc = new DOMParser().parseFromString(s, "text/xml"); // NOT OK
+    const xml = doc.documentElement;
+    
+    const tmp = document.createElement('span');
+    tmp.appendChild(xml.cloneNode()); 
+    document.querySelector("#xml").appendChild(tmp);
+}
+
+const markdown = require('markdown-it')({html: true});
+module.exports.xssThroughMarkdown = function (s) {
+    const html = markdown.render(s); // NOT OK
+    document.querySelector("#markdown").innerHTML = html;
+}
+
+const striptags = require('striptags');
+module.exports.sanitizedHTML = function (s) {
+    const html = striptags("<span>" + s + "</span>"); // OK
+    document.querySelector("#sanitized").innerHTML = html;
+}
+
+module.exports.ts = require("./typed");
+
+module.exports.jquery = require("./jquery-plugin");
+
+module.exports.plainDOMXMLParsing = function (s) {
+    const doc = new DOMParser().parseFromString(s, "text/xml"); // OK - is never added to the DOM.
+}
+
+class Foo {
+    constructor(s) {
+        this.step = s;
+    }
+
+    doXss() {
+        // not called here, but still bad.
+        document.querySelector("#class").innerHTML = "<span>" + this.step + "</span>"; // NOT OK - but not flagged [INCONSISTENCY]
+    }
+
+}
+
+module.exports.createsClass = function (s) {
+    return new Foo(s);
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/package.json b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/package.json
new file mode 100644
index 00000000000..f4fa73f79d9
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/package.json
@@ -0,0 +1,4 @@
+{
+    "name": "my-unsafe-library",
+    "main": "./main.js"
+}
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/tsconfig.json b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/tsconfig.json
new file mode 100644
index 00000000000..9e26dfeeb6e
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/tsconfig.json
@@ -0,0 +1 @@
+{}
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts
new file mode 100644
index 00000000000..73c035c0ad2
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts
@@ -0,0 +1,20 @@
+export function basicHtmlConstruction(s: string) {
+    const html = "<span>" + s + "</span>"; // NOT OK
+    document.body.innerHTML = html;
+}
+
+export function insertIntoCreatedDocument(s: string) {
+    const newDoc = document.implementation.createHTMLDocument("");
+    newDoc.body.innerHTML = "<span>" + s + "</span>"; // OK - inserted into document disconnected from the main DOM. [INCONSISTENCY]
+}
+
+export function id(s: string) {
+    return s;
+}
+
+export function notVulnerable() {
+    const s = id("x");
+    const html = "<span>" + s + "</span>"; // OK - but flagged due to step with unmatched call [INCONSISTENCY]
+    document.body.innerHTML = html;
+}
+ 
\ No newline at end of file

From 23908f9ec2ba6166bf161ba25d2f61e3a1f2373a Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 26 Apr 2021 10:23:27 +0200
Subject: [PATCH 0874/1429] remove flowpaths that has a returns without a
 matching call

---
 .../dataflow/UnsafeHtmlConstruction.qll       | 10 ++++++++
 .../UnsafeHtmlConstructionCustomizations.qll  | 24 +++++++++++++++++++
 .../UnsafeHtmlConstruction.expected           | 15 +++++++++++-
 .../CWE-079/UnsafeHtmlConstruction/main.js    |  2 +-
 .../CWE-079/UnsafeHtmlConstruction/typed.ts   |  2 +-
 5 files changed, 50 insertions(+), 3 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
index 3e2bf53bde9..7e0194defd3 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
@@ -28,5 +28,15 @@ module UnsafeHtmlConstruction {
     override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
       DomBasedXss::isOptionallySanitizedEdge(pred, succ)
     }
+
+    // override to require that there is a path without unmatched return steps
+    override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
+      super.hasFlowPath(source, sink) and
+      requireMatchedReturn(source, sink)
+    }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+      classFieldStep(pred, succ)
+    }
   }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
index b72df1b7421..845438b6b17 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -165,4 +165,28 @@ module UnsafeHtmlConstruction {
 
     override string describe() { result = "Markdown rendering" }
   }
+
+  /**
+   * A taint step from the write of a field in a constructor to a read of the same field in an instance method.
+   */
+  predicate classFieldStep(DataFlow::Node pred, DataFlow::Node succ) {
+    // flow-step from a property written in the constructor to a use in an instance method.
+    // "simulates" client usage of a class, and regains some flow-steps lost by `requireMatchedReturn` below.
+    exists(DataFlow::ClassNode clazz, string prop |
+      DataFlow::thisNode(clazz.getConstructor().getFunction()).getAPropertyWrite(prop).getRhs() =
+        pred and
+      DataFlow::thisNode(clazz.getAnInstanceMethod().getFunction()).getAPropertyRead(prop) = succ
+    )
+  }
+
+  /**
+   *  Holds if there is a path without unmatched return steps from `source` to `sink`.
+   */
+  predicate requireMatchedReturn(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
+    exists(DataFlow::MidPathNode mid |
+      source.getASuccessor*() = mid and
+      sink = mid.getASuccessor() and
+      mid.getPathSummary().hasReturn() = false
+    )
+  }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected
index 0a8c8013cbc..3f87d690d5b 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected
@@ -15,6 +15,13 @@ nodes
 | main.js:21:47:21:47 | s |
 | main.js:22:34:22:34 | s |
 | main.js:22:34:22:34 | s |
+| main.js:46:17:46:17 | s |
+| main.js:47:21:47:21 | s |
+| main.js:52:65:52:73 | this.step |
+| main.js:52:65:52:73 | this.step |
+| main.js:57:41:57:41 | s |
+| main.js:57:41:57:41 | s |
+| main.js:58:20:58:20 | s |
 | typed.ts:1:39:1:39 | s |
 | typed.ts:1:39:1:39 | s |
 | typed.ts:2:29:2:29 | s |
@@ -47,6 +54,12 @@ edges
 | main.js:21:47:21:47 | s | main.js:22:34:22:34 | s |
 | main.js:21:47:21:47 | s | main.js:22:34:22:34 | s |
 | main.js:21:47:21:47 | s | main.js:22:34:22:34 | s |
+| main.js:46:17:46:17 | s | main.js:47:21:47:21 | s |
+| main.js:47:21:47:21 | s | main.js:52:65:52:73 | this.step |
+| main.js:47:21:47:21 | s | main.js:52:65:52:73 | this.step |
+| main.js:57:41:57:41 | s | main.js:58:20:58:20 | s |
+| main.js:57:41:57:41 | s | main.js:58:20:58:20 | s |
+| main.js:58:20:58:20 | s | main.js:46:17:46:17 | s |
 | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s |
 | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s |
 | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s |
@@ -67,6 +80,6 @@ edges
 | main.js:12:49:12:49 | s | main.js:11:60:11:60 | s | main.js:12:49:12:49 | s | $@ based on $@ might later cause $@. | main.js:12:49:12:49 | s | XML parsing | main.js:11:60:11:60 | s | library input | main.js:16:21:16:35 | xml.cloneNode() | cross-site scripting |
 | main.js:12:49:12:49 | s | main.js:11:60:11:60 | s | main.js:12:49:12:49 | s | $@ based on $@ might later cause $@. | main.js:12:49:12:49 | s | XML parsing | main.js:11:60:11:60 | s | library input | main.js:17:48:17:50 | tmp | cross-site scripting |
 | main.js:22:34:22:34 | s | main.js:21:47:21:47 | s | main.js:22:34:22:34 | s | $@ based on $@ might later cause $@. | main.js:22:34:22:34 | s | Markdown rendering | main.js:21:47:21:47 | s | library input | main.js:23:53:23:56 | html | cross-site scripting |
+| main.js:52:65:52:73 | this.step | main.js:57:41:57:41 | s | main.js:52:65:52:73 | this.step | $@ based on $@ might later cause $@. | main.js:52:65:52:73 | this.step | HTML construction | main.js:57:41:57:41 | s | library input | main.js:52:54:52:85 | "<span> ... /span>" | cross-site scripting |
 | typed.ts:2:29:2:29 | s | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s | $@ based on $@ might later cause $@. | typed.ts:2:29:2:29 | s | HTML construction | typed.ts:1:39:1:39 | s | library input | typed.ts:3:31:3:34 | html | cross-site scripting |
 | typed.ts:8:40:8:40 | s | typed.ts:6:43:6:43 | s | typed.ts:8:40:8:40 | s | $@ based on $@ might later cause $@. | typed.ts:8:40:8:40 | s | HTML construction | typed.ts:6:43:6:43 | s | library input | typed.ts:8:29:8:52 | "<span> ... /span>" | cross-site scripting |
-| typed.ts:17:29:17:29 | s | typed.ts:11:20:11:20 | s | typed.ts:17:29:17:29 | s | $@ based on $@ might later cause $@. | typed.ts:17:29:17:29 | s | HTML construction | typed.ts:11:20:11:20 | s | library input | typed.ts:18:31:18:34 | html | cross-site scripting |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js
index 6564cd2dfe7..d3620615c08 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js
@@ -44,7 +44,7 @@ class Foo {
 
     doXss() {
         // not called here, but still bad.
-        document.querySelector("#class").innerHTML = "<span>" + this.step + "</span>"; // NOT OK - but not flagged [INCONSISTENCY]
+        document.querySelector("#class").innerHTML = "<span>" + this.step + "</span>"; // NOT OK
     }
 
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts
index 73c035c0ad2..0f04e92cdc0 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/typed.ts
@@ -14,7 +14,7 @@ export function id(s: string) {
 
 export function notVulnerable() {
     const s = id("x");
-    const html = "<span>" + s + "</span>"; // OK - but flagged due to step with unmatched call [INCONSISTENCY]
+    const html = "<span>" + s + "</span>"; // OK
     document.body.innerHTML = html;
 }
  
\ No newline at end of file

From ee0140e7044ea81b7b08c20e68dbcce54ab5366b Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 26 Apr 2021 10:23:44 +0200
Subject: [PATCH 0875/1429] share code between unsafe-shell and unsafe-html
 queries

---
 .../security/dataflow/UnsafeHtmlConstruction.qll  |  2 +-
 .../UnsafeHtmlConstructionCustomizations.qll      | 13 -------------
 .../dataflow/UnsafeShellCommandConstruction.qll   | 15 +++------------
 3 files changed, 4 insertions(+), 26 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
index 7e0194defd3..8d2855dd766 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
@@ -36,7 +36,7 @@ module UnsafeHtmlConstruction {
     }
 
     override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-      classFieldStep(pred, succ)
+      DataFlow::localFieldStep(pred, succ)
     }
   }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
index 845438b6b17..26da71aa633 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -166,19 +166,6 @@ module UnsafeHtmlConstruction {
     override string describe() { result = "Markdown rendering" }
   }
 
-  /**
-   * A taint step from the write of a field in a constructor to a read of the same field in an instance method.
-   */
-  predicate classFieldStep(DataFlow::Node pred, DataFlow::Node succ) {
-    // flow-step from a property written in the constructor to a use in an instance method.
-    // "simulates" client usage of a class, and regains some flow-steps lost by `requireMatchedReturn` below.
-    exists(DataFlow::ClassNode clazz, string prop |
-      DataFlow::thisNode(clazz.getConstructor().getFunction()).getAPropertyWrite(prop).getRhs() =
-        pred and
-      DataFlow::thisNode(clazz.getAnInstanceMethod().getFunction()).getAPropertyRead(prop) = succ
-    )
-  }
-
   /**
    *  Holds if there is a path without unmatched return steps from `source` to `sink`.
    */
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstruction.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstruction.qll
index 90caf59ad33..2c7de7555de 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstruction.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstruction.qll
@@ -14,6 +14,7 @@ import javascript
  */
 module UnsafeShellCommandConstruction {
   import UnsafeShellCommandConstructionCustomizations::UnsafeShellCommandConstruction
+  import UnsafeHtmlConstructionCustomizations
 
   /**
    * A taint-tracking configuration for reasoning about shell command constructed from library input vulnerabilities.
@@ -35,21 +36,11 @@ module UnsafeShellCommandConstruction {
     // override to require that there is a path without unmatched return steps
     override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
       super.hasFlowPath(source, sink) and
-      exists(DataFlow::MidPathNode mid |
-        source.getASuccessor*() = mid and
-        sink = mid.getASuccessor() and
-        mid.getPathSummary().hasReturn() = false
-      )
+      UnsafeHtmlConstruction::requireMatchedReturn(source, sink)
     }
 
     override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-      // flow-step from a property written in the constructor to a use in an instance method.
-      // "simulates" client usage of a class, and regains some flow-steps lost by `hasFlowPath` above.
-      exists(DataFlow::ClassNode clz, string name |
-        pred =
-          DataFlow::thisNode(clz.getConstructor().getFunction()).getAPropertyWrite(name).getRhs() and
-        succ = DataFlow::thisNode(clz.getInstanceMethod(_).getFunction()).getAPropertyRead(name)
-      )
+      DataFlow::localFieldStep(pred, succ)
     }
   }
 }

From 7ef641e7b256754803b1e0f1531916010181739b Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 26 Apr 2021 11:47:52 +0200
Subject: [PATCH 0876/1429] add qhelp

---
 .../CWE-079/UnsafeHtmlConstruction.qhelp      | 80 +++++++++++++++++++
 .../examples/unsafe-html-construction.js      |  3 +
 .../examples/unsafe-html-construction_safe.js |  5 ++
 .../unsafe-html-construction_sanitizer.js     |  5 ++
 4 files changed, 93 insertions(+)
 create mode 100644 javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp
 create mode 100644 javascript/ql/src/Security/CWE-079/examples/unsafe-html-construction.js
 create mode 100644 javascript/ql/src/Security/CWE-079/examples/unsafe-html-construction_safe.js
 create mode 100644 javascript/ql/src/Security/CWE-079/examples/unsafe-html-construction_sanitizer.js

diff --git a/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp b/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp
new file mode 100644
index 00000000000..12e030150b6
--- /dev/null
+++ b/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp
@@ -0,0 +1,80 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+<overview>
+	<p>
+		Dynamically constructing HTML with inputs from exported functions may 
+		inadvertently leave a client open to XSS attacks.
+		
+		Clients using the exported function may use inputs containing unsafe HTML,
+		and if these inputs end up in the DOM, the client may be vulnerable to
+		cross-site scripting attacks.
+	</p>
+
+</overview>
+<recommendation>
+
+	<p>
+		If possible, use safe APIs when inserting HTML into the DOM.  
+		Such as writing to the <code>innerText</code> property instead of <code>innerHTML</code>.
+	</p>
+
+	<p>
+		Alternatively, use a HTML sanitizer to escape/remove unsafe content.
+	</p>
+
+</recommendation>
+<example>
+
+	<p>
+		The following example shows a library function that shows a boldface name
+		by writing to the <code>innerHTML</code> property of an element.
+	</p>
+
+	<sample src="examples/unsafe-html-construction.js" />
+
+	<p>
+		This library function, however, does not escape unsafe HTML, and a client
+		that calls the function with user-supplied input may be vulnerable to
+		cross-site scripting attacks.
+	</p>
+
+	<p>
+		To avoid such attacks, a program can use safe APIs such as <code>innerText</code>.
+	</p>
+
+	<sample src="examples/unsafe-html-construction_safe.js" />
+	
+	<p>
+		Alternatively, use a HTML sanitizer to remove unsafe content.
+	</p>
+
+	<sample src="examples/unsafe-html-construction_sanitizer.js" />
+
+</example>
+<references>
+	<li>
+		OWASP:
+		<a href="https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet">DOM based
+		XSS Prevention Cheat Sheet</a>.
+	</li>
+	<li>
+		OWASP:
+		<a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">XSS
+		(Cross Site Scripting) Prevention Cheat Sheet</a>.
+	</li>
+	<li>
+		OWASP
+		<a href="https://www.owasp.org/index.php/DOM_Based_XSS">DOM Based XSS</a>.
+	</li>
+	<li>
+		OWASP
+		<a href="https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting">Types of Cross-Site
+		Scripting</a>.
+	</li>
+	<li>
+		Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
+	</li>
+</references>
+</qhelp>
diff --git a/javascript/ql/src/Security/CWE-079/examples/unsafe-html-construction.js b/javascript/ql/src/Security/CWE-079/examples/unsafe-html-construction.js
new file mode 100644
index 00000000000..ab4bfee0a25
--- /dev/null
+++ b/javascript/ql/src/Security/CWE-079/examples/unsafe-html-construction.js
@@ -0,0 +1,3 @@
+module.exports = function showBoldName(name) {
+  document.getElementById('name').innerHTML = "<b>" + name + "</b>";
+}
diff --git a/javascript/ql/src/Security/CWE-079/examples/unsafe-html-construction_safe.js b/javascript/ql/src/Security/CWE-079/examples/unsafe-html-construction_safe.js
new file mode 100644
index 00000000000..b2b3af9bcfb
--- /dev/null
+++ b/javascript/ql/src/Security/CWE-079/examples/unsafe-html-construction_safe.js
@@ -0,0 +1,5 @@
+module.exports = function showBoldName(name) {
+  const bold = document.createElement('b');
+  bold.innerText = name;
+  document.getElementById('name').appendChild(bold);
+}
diff --git a/javascript/ql/src/Security/CWE-079/examples/unsafe-html-construction_sanitizer.js b/javascript/ql/src/Security/CWE-079/examples/unsafe-html-construction_sanitizer.js
new file mode 100644
index 00000000000..9c63e278720
--- /dev/null
+++ b/javascript/ql/src/Security/CWE-079/examples/unsafe-html-construction_sanitizer.js
@@ -0,0 +1,5 @@
+
+const striptags = require('striptags');
+module.exports = function showBoldName(name) {
+  document.getElementById('name').innerHTML = "<b>" + striptags(name) + "</b>";
+}

From 5c37e6a435ae1a1f048d087af68daedd0d9f40ab Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 26 Apr 2021 11:56:44 +0200
Subject: [PATCH 0877/1429] add change note

---
 javascript/change-notes/2021-04-26-unsafe-html-construction.md | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 javascript/change-notes/2021-04-26-unsafe-html-construction.md

diff --git a/javascript/change-notes/2021-04-26-unsafe-html-construction.md b/javascript/change-notes/2021-04-26-unsafe-html-construction.md
new file mode 100644
index 00000000000..8b0f513d760
--- /dev/null
+++ b/javascript/change-notes/2021-04-26-unsafe-html-construction.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* A new query, `js/html-constructed-from-input`, has been added to the query suite,
+  highlighting libraries that may leave clients vulnerable to cross-site-scripting attacks.

From 8ba5bddae8d99817107ebfea1f3527b27cdd74f7 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 26 Apr 2021 20:03:14 +0200
Subject: [PATCH 0878/1429] add jQuery options objects as sources

---
 .../UnsafeHtmlConstructionCustomizations.qll  |  8 +++
 .../UnsafeHtmlConstruction.expected           | 51 ++++++++++++++-----
 .../CWE-079/UnsafeHtmlConstruction/main.js    | 10 ++++
 3 files changed, 55 insertions(+), 14 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
index 26da71aa633..49097c81379 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -13,6 +13,7 @@ module UnsafeHtmlConstruction {
   private import semmle.javascript.security.dataflow.DomBasedXssCustomizations::DomBasedXss as DomBasedXss
   private import semmle.javascript.security.dataflow.UnsafeJQueryPluginCustomizations::UnsafeJQueryPlugin as UnsafeJQueryPlugin
   private import semmle.javascript.PackageExports as Exports
+  private import semmle.javascript.security.dataflow.UnsafeJQueryPlugin::UnsafeJQueryPlugin as UnsafeJQueryPlugin
 
   /**
    * A source for unsafe HTML constructed from library input.
@@ -29,6 +30,13 @@ module UnsafeHtmlConstruction {
     }
   }
 
+  /**
+   * A jQuery plugin options object, seen as a source for unsafe HTML constructed from input.
+   */
+  class JQueryPluginOptionsAsSource extends Source {
+    JQueryPluginOptionsAsSource() { this instanceof UnsafeJQueryPlugin::JQueryPluginOptions }
+  }
+
   /**
    * A sink for unsafe HTML constructed from library input.
    * This sink somehow transforms its input into a value that can cause XSS if it ends up in a XSS sink.
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected
index 3f87d690d5b..73e2177b198 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected
@@ -15,13 +15,24 @@ nodes
 | main.js:21:47:21:47 | s |
 | main.js:22:34:22:34 | s |
 | main.js:22:34:22:34 | s |
-| main.js:46:17:46:17 | s |
-| main.js:47:21:47:21 | s |
-| main.js:52:65:52:73 | this.step |
-| main.js:52:65:52:73 | this.step |
-| main.js:57:41:57:41 | s |
-| main.js:57:41:57:41 | s |
-| main.js:58:20:58:20 | s |
+| main.js:41:17:41:17 | s |
+| main.js:42:21:42:21 | s |
+| main.js:47:65:47:73 | this.step |
+| main.js:47:65:47:73 | this.step |
+| main.js:52:41:52:41 | s |
+| main.js:52:41:52:41 | s |
+| main.js:53:20:53:20 | s |
+| main.js:56:28:56:34 | options |
+| main.js:56:28:56:34 | options |
+| main.js:57:11:59:5 | defaults |
+| main.js:57:22:59:5 | {\\n      ... "\\n    } |
+| main.js:60:11:60:48 | settings |
+| main.js:60:22:60:48 | $.exten ... ptions) |
+| main.js:60:31:60:38 | defaults |
+| main.js:60:41:60:47 | options |
+| main.js:62:19:62:26 | settings |
+| main.js:62:19:62:31 | settings.name |
+| main.js:62:19:62:31 | settings.name |
 | typed.ts:1:39:1:39 | s |
 | typed.ts:1:39:1:39 | s |
 | typed.ts:2:29:2:29 | s |
@@ -54,12 +65,23 @@ edges
 | main.js:21:47:21:47 | s | main.js:22:34:22:34 | s |
 | main.js:21:47:21:47 | s | main.js:22:34:22:34 | s |
 | main.js:21:47:21:47 | s | main.js:22:34:22:34 | s |
-| main.js:46:17:46:17 | s | main.js:47:21:47:21 | s |
-| main.js:47:21:47:21 | s | main.js:52:65:52:73 | this.step |
-| main.js:47:21:47:21 | s | main.js:52:65:52:73 | this.step |
-| main.js:57:41:57:41 | s | main.js:58:20:58:20 | s |
-| main.js:57:41:57:41 | s | main.js:58:20:58:20 | s |
-| main.js:58:20:58:20 | s | main.js:46:17:46:17 | s |
+| main.js:41:17:41:17 | s | main.js:42:21:42:21 | s |
+| main.js:42:21:42:21 | s | main.js:47:65:47:73 | this.step |
+| main.js:42:21:42:21 | s | main.js:47:65:47:73 | this.step |
+| main.js:52:41:52:41 | s | main.js:53:20:53:20 | s |
+| main.js:52:41:52:41 | s | main.js:53:20:53:20 | s |
+| main.js:53:20:53:20 | s | main.js:41:17:41:17 | s |
+| main.js:56:28:56:34 | options | main.js:60:41:60:47 | options |
+| main.js:56:28:56:34 | options | main.js:60:41:60:47 | options |
+| main.js:57:11:59:5 | defaults | main.js:60:31:60:38 | defaults |
+| main.js:57:22:59:5 | {\\n      ... "\\n    } | main.js:57:11:59:5 | defaults |
+| main.js:60:11:60:48 | settings | main.js:62:19:62:26 | settings |
+| main.js:60:22:60:48 | $.exten ... ptions) | main.js:60:11:60:48 | settings |
+| main.js:60:31:60:38 | defaults | main.js:60:22:60:48 | $.exten ... ptions) |
+| main.js:60:41:60:47 | options | main.js:57:22:59:5 | {\\n      ... "\\n    } |
+| main.js:60:41:60:47 | options | main.js:60:22:60:48 | $.exten ... ptions) |
+| main.js:62:19:62:26 | settings | main.js:62:19:62:31 | settings.name |
+| main.js:62:19:62:26 | settings | main.js:62:19:62:31 | settings.name |
 | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s |
 | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s |
 | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s |
@@ -80,6 +102,7 @@ edges
 | main.js:12:49:12:49 | s | main.js:11:60:11:60 | s | main.js:12:49:12:49 | s | $@ based on $@ might later cause $@. | main.js:12:49:12:49 | s | XML parsing | main.js:11:60:11:60 | s | library input | main.js:16:21:16:35 | xml.cloneNode() | cross-site scripting |
 | main.js:12:49:12:49 | s | main.js:11:60:11:60 | s | main.js:12:49:12:49 | s | $@ based on $@ might later cause $@. | main.js:12:49:12:49 | s | XML parsing | main.js:11:60:11:60 | s | library input | main.js:17:48:17:50 | tmp | cross-site scripting |
 | main.js:22:34:22:34 | s | main.js:21:47:21:47 | s | main.js:22:34:22:34 | s | $@ based on $@ might later cause $@. | main.js:22:34:22:34 | s | Markdown rendering | main.js:21:47:21:47 | s | library input | main.js:23:53:23:56 | html | cross-site scripting |
-| main.js:52:65:52:73 | this.step | main.js:57:41:57:41 | s | main.js:52:65:52:73 | this.step | $@ based on $@ might later cause $@. | main.js:52:65:52:73 | this.step | HTML construction | main.js:57:41:57:41 | s | library input | main.js:52:54:52:85 | "<span> ... /span>" | cross-site scripting |
+| main.js:47:65:47:73 | this.step | main.js:52:41:52:41 | s | main.js:47:65:47:73 | this.step | $@ based on $@ might later cause $@. | main.js:47:65:47:73 | this.step | HTML construction | main.js:52:41:52:41 | s | library input | main.js:47:54:47:85 | "<span> ... /span>" | cross-site scripting |
+| main.js:62:19:62:31 | settings.name | main.js:56:28:56:34 | options | main.js:62:19:62:31 | settings.name | $@ based on $@ might later cause $@. | main.js:62:19:62:31 | settings.name | HTML construction | main.js:56:28:56:34 | options | library input | main.js:62:11:62:40 | "<b>" + ...  "</b>" | cross-site scripting |
 | typed.ts:2:29:2:29 | s | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s | $@ based on $@ might later cause $@. | typed.ts:2:29:2:29 | s | HTML construction | typed.ts:1:39:1:39 | s | library input | typed.ts:3:31:3:34 | html | cross-site scripting |
 | typed.ts:8:40:8:40 | s | typed.ts:6:43:6:43 | s | typed.ts:8:40:8:40 | s | $@ based on $@ might later cause $@. | typed.ts:8:40:8:40 | s | HTML construction | typed.ts:6:43:6:43 | s | library input | typed.ts:8:29:8:52 | "<span> ... /span>" | cross-site scripting |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js
index d3620615c08..d0a117c2341 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js
@@ -52,3 +52,13 @@ class Foo {
 module.exports.createsClass = function (s) {
     return new Foo(s);
 }
+
+$.fn.xssPlugin = function (options) {
+    const defaults = {
+        name: "name"
+    };
+    const settings = $.extend(defaults, options);
+    return this.each(function () {
+        $("<b>" + settings.name + "</b>").appendTo(this); // NOT OK
+    });
+}
\ No newline at end of file

From 3815797dda55766cc497caa08d789e75c8134f70 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 26 Apr 2021 22:39:59 +0200
Subject: [PATCH 0879/1429] add sanitizers from DOM and jQuery queries

---
 .../security/dataflow/UnsafeHtmlConstruction.qll  |  8 +++++++-
 .../UnsafeHtmlConstructionCustomizations.qll      |  1 -
 .../UnsafeHtmlConstruction.expected               |  9 +++++++++
 .../CWE-079/UnsafeHtmlConstruction/main.js        | 15 ++++++++++++++-
 4 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
index 8d2855dd766..699d9d3e510 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
@@ -23,7 +23,13 @@ module UnsafeHtmlConstruction {
 
     override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-    override predicate isSanitizer(DataFlow::Node node) { super.isSanitizer(node) }
+    override predicate isSanitizer(DataFlow::Node node) {
+      super.isSanitizer(node)
+      or
+      node instanceof DomBasedXss::Sanitizer
+      or
+      node instanceof UnsafeJQueryPlugin::Sanitizer
+    }
 
     override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
       DomBasedXss::isOptionallySanitizedEdge(pred, succ)
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
index 49097c81379..a99b5e7986d 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -13,7 +13,6 @@ module UnsafeHtmlConstruction {
   private import semmle.javascript.security.dataflow.DomBasedXssCustomizations::DomBasedXss as DomBasedXss
   private import semmle.javascript.security.dataflow.UnsafeJQueryPluginCustomizations::UnsafeJQueryPlugin as UnsafeJQueryPlugin
   private import semmle.javascript.PackageExports as Exports
-  private import semmle.javascript.security.dataflow.UnsafeJQueryPlugin::UnsafeJQueryPlugin as UnsafeJQueryPlugin
 
   /**
    * A source for unsafe HTML constructed from library input.
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected
index 73e2177b198..7994fbad934 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected
@@ -33,6 +33,10 @@ nodes
 | main.js:62:19:62:26 | settings |
 | main.js:62:19:62:31 | settings.name |
 | main.js:62:19:62:31 | settings.name |
+| main.js:66:35:66:41 | attrVal |
+| main.js:66:35:66:41 | attrVal |
+| main.js:67:63:67:69 | attrVal |
+| main.js:67:63:67:69 | attrVal |
 | typed.ts:1:39:1:39 | s |
 | typed.ts:1:39:1:39 | s |
 | typed.ts:2:29:2:29 | s |
@@ -82,6 +86,10 @@ edges
 | main.js:60:41:60:47 | options | main.js:60:22:60:48 | $.exten ... ptions) |
 | main.js:62:19:62:26 | settings | main.js:62:19:62:31 | settings.name |
 | main.js:62:19:62:26 | settings | main.js:62:19:62:31 | settings.name |
+| main.js:66:35:66:41 | attrVal | main.js:67:63:67:69 | attrVal |
+| main.js:66:35:66:41 | attrVal | main.js:67:63:67:69 | attrVal |
+| main.js:66:35:66:41 | attrVal | main.js:67:63:67:69 | attrVal |
+| main.js:66:35:66:41 | attrVal | main.js:67:63:67:69 | attrVal |
 | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s |
 | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s |
 | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s |
@@ -104,5 +112,6 @@ edges
 | main.js:22:34:22:34 | s | main.js:21:47:21:47 | s | main.js:22:34:22:34 | s | $@ based on $@ might later cause $@. | main.js:22:34:22:34 | s | Markdown rendering | main.js:21:47:21:47 | s | library input | main.js:23:53:23:56 | html | cross-site scripting |
 | main.js:47:65:47:73 | this.step | main.js:52:41:52:41 | s | main.js:47:65:47:73 | this.step | $@ based on $@ might later cause $@. | main.js:47:65:47:73 | this.step | HTML construction | main.js:52:41:52:41 | s | library input | main.js:47:54:47:85 | "<span> ... /span>" | cross-site scripting |
 | main.js:62:19:62:31 | settings.name | main.js:56:28:56:34 | options | main.js:62:19:62:31 | settings.name | $@ based on $@ might later cause $@. | main.js:62:19:62:31 | settings.name | HTML construction | main.js:56:28:56:34 | options | library input | main.js:62:11:62:40 | "<b>" + ...  "</b>" | cross-site scripting |
+| main.js:67:63:67:69 | attrVal | main.js:66:35:66:41 | attrVal | main.js:67:63:67:69 | attrVal | $@ based on $@ might later cause $@. | main.js:67:63:67:69 | attrVal | HTML construction | main.js:66:35:66:41 | attrVal | library input | main.js:67:47:67:78 | "<img a ...  "\\"/>" | cross-site scripting |
 | typed.ts:2:29:2:29 | s | typed.ts:1:39:1:39 | s | typed.ts:2:29:2:29 | s | $@ based on $@ might later cause $@. | typed.ts:2:29:2:29 | s | HTML construction | typed.ts:1:39:1:39 | s | library input | typed.ts:3:31:3:34 | html | cross-site scripting |
 | typed.ts:8:40:8:40 | s | typed.ts:6:43:6:43 | s | typed.ts:8:40:8:40 | s | $@ based on $@ might later cause $@. | typed.ts:8:40:8:40 | s | HTML construction | typed.ts:6:43:6:43 | s | library input | typed.ts:8:29:8:52 | "<span> ... /span>" | cross-site scripting |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js
index d0a117c2341..1097e126feb 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/main.js
@@ -61,4 +61,17 @@ $.fn.xssPlugin = function (options) {
     return this.each(function () {
         $("<b>" + settings.name + "</b>").appendTo(this); // NOT OK
     });
-}
\ No newline at end of file
+}
+
+module.exports.guards = function (attrVal) {
+    document.querySelector("#id").innerHTML = "<img alt=\"" + attrVal + "\"/>"; // NOT OK
+    document.querySelector("#id").innerHTML = "<img alt=\"" + attrVal.replace(/"|'/g, "") + "\"/>"; // OK
+    if (attrVal.indexOf("\"") === -1 && attrVal.indexOf("'") === -1) {
+        document.querySelector("#id").innerHTML = "<img alt=\"" + attrVal + "\"/>"; // OK
+    }
+}
+
+module.exports.intentionalTemplate = function (obj) {
+    const html = "<span>" + obj.spanTemplate + "</span>"; // OK
+    document.querySelector("#template").innerHTML = html;
+}

From b1a63949594372616573d59206cfc47d58e95704 Mon Sep 17 00:00:00 2001
From: Evgenii Protsenko <procenkoeg@yandex.ru>
Date: Thu, 6 May 2021 12:36:48 +0300
Subject: [PATCH 0880/1429] C++: SqlPqxxTainted.ql. Change @id in query
 metadata

---
 .../experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql   | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql b/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql
index 9d27674409a..9048c8fdab1 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql
@@ -6,7 +6,7 @@
  * @kind path-problem
  * @problem.severity error
  * @precision high
- * @id cpp/sql-injection
+ * @id cpp/sql-injection-via-pqxx
  * @tags security
  *       external/cwe/cwe-089
  */
@@ -75,7 +75,7 @@ Expr getPqxxSqlArgument() {
     // to find ConnectionHandle/TransationHandle and similar classes which override '->' operator behavior
     // and return pointer to a connection/transation object
     e.getType().refersTo(t) and
-    // transation exec and connection prepare variations
+    // transaction exec and connection prepare variations
     (
       pqxxTransationClassNames(t.getName(), _) and
       pqxxTransactionSqlArgument(fc.getTarget().getName(), argIndex)
@@ -113,10 +113,10 @@ predicate isEscapedPqxxArgument(Expr argExpr) {
     // to find ConnectionHandle/TransationHandle and similar classes which override '->' operator behavior
     // and return pointer to a connection/transation object
     e.getType().refersTo(t) and
-    // transation and connection escape functions
+    // transaction and connection escape functions
     (pqxxTransationClassNames(t.getName(), _) or pqxxConnectionClassNames(t.getName(), _)) and
     pqxxEscapeArgument(fc.getTarget().getName(), argIndex) and
-    // eval is escaped
+    // is escaped arg == argExpr
     argExpr = fc.getArgument(argIndex)
   )
 }

From f1fab854c4233214c6f4b15673e4240907724f0c Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Thu, 6 May 2021 12:11:55 +0200
Subject: [PATCH 0881/1429] Fix tests for XXE, introduced a dependency with
 jaxen

---
 java/ql/test/query-tests/security/CWE-611/options | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/test/query-tests/security/CWE-611/options b/java/ql/test/query-tests/security/CWE-611/options
index 89b9a39f7ce..c3935792c6b 100644
--- a/java/ql/test/query-tests/security/CWE-611/options
+++ b/java/ql/test/query-tests/security/CWE-611/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1:${testdir}/../../../stubs/jaxen-1.2.0

From 58f304880899e1f84195aaf346544b6a1e0f1add Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 6 May 2021 13:15:34 +0200
Subject: [PATCH 0882/1429] C++: Add more testcases.

---
 ...AndHandlingMemoryAllocationErrors.expected |  7 ++
 .../CWE/CWE-570/semmle/tests/test.cpp         | 71 +++++++++++++++++++
 2 files changed, 78 insertions(+)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.expected
index 19886efd28f..04482cb59dc 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.expected
@@ -7,3 +7,10 @@
 | test.cpp:92:5:92:31 | call to operator new[] | memory allocation error check is incorrect or missing |
 | test.cpp:93:15:93:41 | call to operator new[] | memory allocation error check is incorrect or missing |
 | test.cpp:96:10:96:36 | call to operator new[] | memory allocation error check is incorrect or missing |
+| test.cpp:151:9:151:24 | call to operator new | memory allocation error check is incorrect or missing |
+| test.cpp:157:9:157:28 | call to operator new | memory allocation error check is incorrect or missing |
+| test.cpp:182:15:182:35 | call to operator new | memory allocation error check is incorrect or missing |
+| test.cpp:187:15:187:35 | call to operator new | memory allocation error check is incorrect or missing |
+| test.cpp:192:15:192:35 | call to operator new | memory allocation error check is incorrect or missing |
+| test.cpp:199:15:199:35 | call to operator new | memory allocation error check is incorrect or missing |
+| test.cpp:204:15:204:35 | call to operator new | memory allocation error check is incorrect or missing |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
index 06c22778812..54755ecf51b 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
@@ -135,3 +135,74 @@ void good_new_handles_nullptr() {
   if (new (std::nothrow) int[100] == nullptr)
     return; // GOOD
 }
+
+void* operator new(std::size_t count, void*) noexcept;
+void* operator new[](std::size_t count, void*) noexcept;
+
+struct Foo {
+  Foo() noexcept;
+  Foo(int);
+
+  operator bool();
+};
+
+void bad_placement_new_with_exception_handling() {
+  char buffer[1024];
+  try { new (buffer) Foo; } // BAD
+  catch (...) {  }
+}
+
+void good_placement_new_with_exception_handling() {
+  char buffer[1024];
+  try { new (buffer) Foo(42); } // GOOD: Foo constructor might throw [FALSE POSITIVE]
+  catch (...) {  }
+}
+
+int rand();
+
+void may_throw() {
+  if(rand()) {
+    throw "bad luck exception!";
+  }
+}
+
+void unknown_code_that_may_throw(int*);
+void unknown_code_that_will_not_throw(int*) noexcept;
+
+void calls_throwing_code(int* p) {
+  if(rand()) unknown_code_that_may_throw(p);
+}
+
+void calls_non_throwing(int* p) {
+  if (rand()) unknown_code_that_will_not_throw(p);
+}
+
+void good_new_with_throwing_call() {
+  try {
+    int* p1 = new(std::nothrow) int; // GOOD [FALSE POSITIVE]
+    may_throw();
+  } catch(...) {  }
+
+  try {
+    int* p2 = new(std::nothrow) int; // GOOD [FALSE POSITIVE]
+    Foo f(10);
+  } catch(...) {  }
+
+  try {
+    int* p3 = new(std::nothrow) int; // GOOD [FALSE POSITIVE]
+    calls_throwing_code(p3);
+  } catch(...) {  }
+}
+
+void bad_new_with_nonthrowing_call() {
+  try {
+    int* p1 = new(std::nothrow) int; // BAD
+    calls_non_throwing(p1);
+  } catch(...) {  }
+
+  try {
+    int* p2 = new(std::nothrow) int; // GOOD: boolean conversion constructor might throw [FALSE POSITIVE]
+    Foo f(12);
+    if(f) { }
+  } catch(...) {  }
+}
\ No newline at end of file

From 56d734239807e22a0eacad44bba9ea7cfd27562e Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 6 May 2021 13:29:20 +0200
Subject: [PATCH 0883/1429] C++: Improve the
 cpp/detect-and-handle-memory-allocation-errors query.

---
 ...ectingAndHandlingMemoryAllocationErrors.ql | 232 +++++++++++++-----
 1 file changed, 168 insertions(+), 64 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
index 8c7b8e5d067..58221e07f5c 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
@@ -11,76 +11,180 @@
  */
 
 import cpp
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+import semmle.code.cpp.controlflow.Guards
 
 /**
- * Lookup if condition compare with 0
+ * A C++ `delete` or `delete[]` expression.
  */
-class IfCompareWithZero extends IfStmt {
-  IfCompareWithZero() {
-    this.getCondition().(EQExpr).getAChild().getValue() = "0"
-    or
-    this.getCondition().(NEExpr).getAChild().getValue() = "0" and
-    this.hasElse()
-    or
-    this.getCondition().(NEExpr).getAChild().getValue() = "0" and
-    this.getThen().getAChild*() instanceof ReturnStmt
+class DeleteOrDeleteArrayExpr extends Expr {
+  DeleteOrDeleteArrayExpr() { this instanceof DeleteExpr or this instanceof DeleteArrayExpr }
+
+  DeallocationFunction getDeallocator() {
+    result = [this.(DeleteExpr).getDeallocator(), this.(DeleteArrayExpr).getDeallocator()]
   }
 }
 
-/**
- * lookup for calls to `operator new`, with incorrect error handling.
- */
-class WrongCheckErrorOperatorNew extends FunctionCall {
-  Expr exp;
-
-  WrongCheckErrorOperatorNew() {
-    this = exp.(NewOrNewArrayExpr).getAChild().(FunctionCall) and
-    (
-      this.getTarget().hasGlobalOrStdName("operator new")
-      or
-      this.getTarget().hasGlobalOrStdName("operator new[]")
-    )
-  }
-
-  /**
-   * Holds if handler `try ... catch` exists.
-   */
-  predicate isExistsTryCatchBlock() {
-    exists(TryStmt ts | this.getEnclosingStmt() = ts.getStmt().getAChild*())
-  }
-
-  /**
-   * Holds if results call `operator new` check in `operator if`.
-   */
-  predicate isExistsIfCondition() {
-    exists(IfCompareWithZero ifc, AssignExpr aex, Initializer it |
-      // call `operator new` directly from the condition of `operator if`.
-      this = ifc.getCondition().getAChild*()
-      or
-      // check results call `operator new` with variable appropriation
-      postDominates(ifc, this) and
-      aex.getAChild() = exp and
-      ifc.getCondition().getAChild().(VariableAccess).getTarget() =
-        aex.getLValue().(VariableAccess).getTarget()
-      or
-      // check results call `operator new` with declaration variable
-      postDominates(ifc, this) and
-      exp = it.getExpr() and
-      it.getDeclaration() = ifc.getCondition().getAChild().(VariableAccess).getTarget()
-    )
-  }
-
-  /**
-   * Holds if `(std::nothrow)` or `(std::noexcept)` exists in call `operator new`.
-   */
-  predicate isExistsNothrow() { getTarget().isNoExcept() or getTarget().isNoThrow() }
+/** Gets the `Constructor` invoked when `newExpr` allocates memory. */
+Constructor getConstructorForAllocation(NewOrNewArrayExpr newExpr) {
+  result.getACallToThisFunction().getLocation() = newExpr.getLocation()
 }
 
-from WrongCheckErrorOperatorNew op
-where
-  // use call `operator new` with `(std::nothrow)` and checking error using `try ... catch` block and not `operator if`
-  op.isExistsNothrow() and not op.isExistsIfCondition() and op.isExistsTryCatchBlock()
+/** Gets the `Destructor` invoked when `deleteExpr` deallocates memory. */
+Destructor getDestructorForDeallocation(DeleteOrDeleteArrayExpr deleteExpr) {
+  result.getACallToThisFunction().getLocation() = deleteExpr.getLocation()
+}
+
+/** Holds if the evaluation of `newExpr` may throw an exception. */
+predicate newMayThrow(NewOrNewArrayExpr newExpr) {
+  functionMayThrow(newExpr.getAllocator()) or
+  functionMayThrow(getConstructorForAllocation(newExpr))
+}
+
+/** Holds if the evaluation of `deleteExpr` may throw an exception. */
+predicate deleteMayThrow(DeleteOrDeleteArrayExpr deleteExpr) {
+  functionMayThrow(deleteExpr.getDeallocator()) or
+  functionMayThrow(getDestructorForDeallocation(deleteExpr))
+}
+
+/**
+ * Holds if the function may throw an exception when called. That is, if the body of the function looks
+ * like it might throw an exception, and the function does not have a `noexcept` or `throw()` specifier.
+ */
+predicate functionMayThrow(Function f) {
+  (not exists(f.getBlock()) or stmtMayThrow(f.getBlock())) and
+  not f.isNoExcept() and
+  not f.isNoThrow()
+}
+
+/** Holds if the evaluation of `stmt` may throw an exception. */
+predicate stmtMayThrow(Stmt stmt) {
+  stmtMayThrow(stmt.(BlockStmt).getAStmt())
   or
-  // use call `operator new` without `(std::nothrow)` and checking error using `operator if` and not  `try ... catch` block
-  not op.isExistsNothrow() and not op.isExistsTryCatchBlock() and op.isExistsIfCondition()
-select op, "memory allocation error check is incorrect or missing"
+  convertedExprMayThrow(stmt.(ExprStmt).getExpr())
+  or
+  exists(IfStmt ifStmt | ifStmt = stmt |
+    convertedExprMayThrow(ifStmt.getCondition()) or
+    stmtMayThrow([ifStmt.getThen(), ifStmt.getElse()])
+  )
+  or
+  exists(Loop loop | loop = stmt |
+    convertedExprMayThrow(loop.getCondition()) or
+    stmtMayThrow(loop.getStmt())
+  )
+}
+
+/** Holds if the evaluation of `e` (including conversions) may throw an exception. */
+predicate convertedExprMayThrow(Expr e) { exprMayThrow(e.getFullyConverted()) }
+
+/** Holds if the evaluation of `e` may throw an exception. */
+predicate exprMayThrow(Expr e) {
+  e instanceof DynamicCast
+  or
+  e instanceof TypeidOperator
+  or
+  e instanceof ThrowExpr
+  or
+  newMayThrow(e)
+  or
+  deleteMayThrow(e)
+  or
+  convertedExprMayThrow(e.(UnaryOperation).getOperand())
+  or
+  exists(BinaryOperation binOp | binOp = e |
+    convertedExprMayThrow([binOp.getLeftOperand(), binOp.getRightOperand()])
+  )
+  or
+  exists(CommaExpr comma | comma = e |
+    convertedExprMayThrow([comma.getLeftOperand(), comma.getRightOperand()])
+  )
+  or
+  exists(StmtExpr stmtExpr | stmtExpr = e |
+    convertedExprMayThrow(stmtExpr.getResultExpr()) or
+    stmtMayThrow(stmtExpr.getStmt())
+  )
+  or
+  convertedExprMayThrow(e.(Conversion).getExpr())
+  or
+  exists(FunctionCall fc | fc = e |
+    not exists(fc.getTarget()) or
+    functionMayThrow(fc.getTarget()) or
+    convertedExprMayThrow(fc.getAnArgument())
+  )
+}
+
+/** An allocator that will not throw an exception. */
+class NoThrowAllocator extends Function {
+  NoThrowAllocator() {
+    exists(NewOrNewArrayExpr newExpr |
+      newExpr.getAllocator() = this and
+      not functionMayThrow(this)
+    )
+  }
+}
+
+/** An allocator that might throw an exception. */
+class ThrowingAllocator extends Function {
+  ThrowingAllocator() { not this instanceof NoThrowAllocator }
+}
+
+/** The `std::bad_alloc` exception and its `bsl` variant. */
+class BadAllocType extends Class {
+  BadAllocType() { this.hasGlobalOrStdOrBslName("bad_alloc") }
+}
+
+/**
+ * A catch block that catches a `std::bad_alloc` (or any of its subclasses), or a catch
+ * block that catches every exception (i.e., `catch(...)`).
+ */
+class BadAllocCatchBlock extends CatchBlock {
+  BadAllocCatchBlock() {
+    this.getParameter().getUnspecifiedType() = any(BadAllocType badAlloc).getADerivedClass*()
+    or
+    not exists(this.getParameter())
+  }
+}
+
+/**
+ * Holds if `newExpr` will not throw an exception, but is embedded in a `try` statement
+ * with a catch block `catchBlock` that catches an `std::bad_alloc` exception.
+ */
+predicate noThrowInTryBlock(NewOrNewArrayExpr newExpr, BadAllocCatchBlock catchBlock) {
+  exists(TryStmt try |
+    forall(Expr cand | cand.getEnclosingBlock().getEnclosingBlock*() = try.getStmt() |
+      not convertedExprMayThrow(cand)
+    ) and
+    try.getACatchClause() = catchBlock and
+    newExpr.getEnclosingBlock().getEnclosingBlock*() = try.getStmt() and
+    not newMayThrow(newExpr)
+  )
+}
+
+/**
+ * Holds if `newExpr` is handles allocation failures by throwing an exception, yet
+ * the guard condition `guard` compares the result of `newExpr` to a null value.
+ */
+predicate nullCheckInThrowingNew(NewOrNewArrayExpr newExpr, GuardCondition guard) {
+  newExpr.getAllocator() instanceof ThrowingAllocator and
+  (
+    // Handles null comparisons.
+    guard.ensuresEq(globalValueNumber(newExpr).getAnExpr(), any(NullValue null), _, _, _)
+    or
+    // Handles `if(ptr)` and `if(!ptr)` cases.
+    guard = globalValueNumber(newExpr).getAnExpr()
+  )
+}
+
+from NewOrNewArrayExpr newExpr, Element element, string msg, string elementString
+where
+  not newExpr.isFromUninstantiatedTemplate(_) and
+  (
+    noThrowInTryBlock(newExpr, element) and
+    msg = "This allocation cannot throw. $@ is unnecessary." and
+    elementString = "This catch block"
+    or
+    nullCheckInThrowingNew(newExpr, element) and
+    msg = "This allocation cannot return null. $@ is unnecessary." and
+    elementString = "This check"
+  )
+select newExpr, msg, element, elementString

From d3576b9c92027b0d8371f4ed329adea2bb93159f Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 6 May 2021 13:29:28 +0200
Subject: [PATCH 0884/1429] C++: Accept test changes.

---
 ...AndHandlingMemoryAllocationErrors.expected | 30 +++++++++----------
 .../CWE/CWE-570/semmle/tests/test.cpp         | 22 +++++++-------
 2 files changed, 25 insertions(+), 27 deletions(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.expected
index 04482cb59dc..edd08b9802d 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.expected
@@ -1,16 +1,14 @@
-| test.cpp:29:13:29:24 | call to operator new[] | memory allocation error check is incorrect or missing |
-| test.cpp:37:13:37:24 | call to operator new[] | memory allocation error check is incorrect or missing |
-| test.cpp:41:13:41:24 | call to operator new[] | memory allocation error check is incorrect or missing |
-| test.cpp:49:8:49:19 | call to operator new[] | memory allocation error check is incorrect or missing |
-| test.cpp:58:8:58:19 | call to operator new[] | memory allocation error check is incorrect or missing |
-| test.cpp:63:8:63:19 | call to operator new[] | memory allocation error check is incorrect or missing |
-| test.cpp:92:5:92:31 | call to operator new[] | memory allocation error check is incorrect or missing |
-| test.cpp:93:15:93:41 | call to operator new[] | memory allocation error check is incorrect or missing |
-| test.cpp:96:10:96:36 | call to operator new[] | memory allocation error check is incorrect or missing |
-| test.cpp:151:9:151:24 | call to operator new | memory allocation error check is incorrect or missing |
-| test.cpp:157:9:157:28 | call to operator new | memory allocation error check is incorrect or missing |
-| test.cpp:182:15:182:35 | call to operator new | memory allocation error check is incorrect or missing |
-| test.cpp:187:15:187:35 | call to operator new | memory allocation error check is incorrect or missing |
-| test.cpp:192:15:192:35 | call to operator new | memory allocation error check is incorrect or missing |
-| test.cpp:199:15:199:35 | call to operator new | memory allocation error check is incorrect or missing |
-| test.cpp:204:15:204:35 | call to operator new | memory allocation error check is incorrect or missing |
+| test.cpp:21:9:21:15 | new | This allocation cannot return null. $@ is unnecessary. | test.cpp:21:9:21:15 | new | This check |
+| test.cpp:29:13:29:24 | new[] | This allocation cannot return null. $@ is unnecessary. | test.cpp:30:7:30:13 | ... == ... | This check |
+| test.cpp:33:13:33:24 | new[] | This allocation cannot return null. $@ is unnecessary. | test.cpp:34:8:34:9 | p2 | This check |
+| test.cpp:37:13:37:24 | new[] | This allocation cannot return null. $@ is unnecessary. | test.cpp:38:7:38:16 | ... == ... | This check |
+| test.cpp:41:13:41:24 | new[] | This allocation cannot return null. $@ is unnecessary. | test.cpp:42:7:42:19 | ... == ... | This check |
+| test.cpp:45:13:45:24 | new[] | This allocation cannot return null. $@ is unnecessary. | test.cpp:46:7:46:8 | p5 | This check |
+| test.cpp:49:8:49:19 | new[] | This allocation cannot return null. $@ is unnecessary. | test.cpp:50:7:50:13 | ... == ... | This check |
+| test.cpp:53:8:53:19 | new[] | This allocation cannot return null. $@ is unnecessary. | test.cpp:54:8:54:9 | p7 | This check |
+| test.cpp:58:8:58:19 | new[] | This allocation cannot return null. $@ is unnecessary. | test.cpp:59:7:59:16 | ... == ... | This check |
+| test.cpp:63:8:63:19 | new[] | This allocation cannot return null. $@ is unnecessary. | test.cpp:64:7:64:19 | ... != ... | This check |
+| test.cpp:69:9:69:20 | new[] | This allocation cannot return null. $@ is unnecessary. | test.cpp:70:7:70:14 | ... != ... | This check |
+| test.cpp:75:11:75:22 | new[] | This allocation cannot return null. $@ is unnecessary. | test.cpp:76:13:76:15 | p11 | This check |
+| test.cpp:151:9:151:24 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:152:15:152:18 | { ... } | This catch block |
+| test.cpp:199:15:199:35 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:201:16:201:19 | { ... } | This catch block |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
index 54755ecf51b..8d27c4b727d 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
@@ -18,7 +18,7 @@ void *operator new(std::size_t, const std::nothrow_t &) noexcept;
 void *operator new[](std::size_t, const std::nothrow_t &) noexcept;
 
 void bad_new_in_condition() {
-  if (!(new int)) { // BAD [NOT DETECTED]
+  if (!(new int)) { // BAD
     return;
   }
 }
@@ -30,7 +30,7 @@ void bad_new_missing_exception_handling() {
   if (p1 == 0)
     return;
 
-  int *p2 = new int[100]; // BAD [NOT DETECTED]
+  int *p2 = new int[100]; // BAD
   if (!p2)
     return;
 
@@ -42,7 +42,7 @@ void bad_new_missing_exception_handling() {
   if (p4 == nullptr)
     return;
 
-  int *p5 = new int[100]; // BAD [NOT DETECTED]
+  int *p5 = new int[100]; // BAD
   if (p5) {} else return;
 
   int *p6;
@@ -50,7 +50,7 @@ void bad_new_missing_exception_handling() {
   if (p6 == 0) return;
 
   int *p7;
-  p7 = new int[100]; // BAD [NOT DETECTED]
+  p7 = new int[100]; // BAD
   if (!p7)
     return;
 
@@ -66,13 +66,13 @@ void bad_new_missing_exception_handling() {
     return;
 
   int *p10;
-  p10 = new int[100]; // BAD [NOT DETECTED]
+  p10 = new int[100]; // BAD
   if (p10 != 0) {
   }
 
   int *p11;
   do {
-    p11 = new int[100]; // BAD [NOT DETECTED]
+    p11 = new int[100]; // BAD
   } while (!p11);
 
   int* p12 = new int[100];
@@ -154,7 +154,7 @@ void bad_placement_new_with_exception_handling() {
 
 void good_placement_new_with_exception_handling() {
   char buffer[1024];
-  try { new (buffer) Foo(42); } // GOOD: Foo constructor might throw [FALSE POSITIVE]
+  try { new (buffer) Foo(42); } // GOOD: Foo constructor might throw
   catch (...) {  }
 }
 
@@ -179,17 +179,17 @@ void calls_non_throwing(int* p) {
 
 void good_new_with_throwing_call() {
   try {
-    int* p1 = new(std::nothrow) int; // GOOD [FALSE POSITIVE]
+    int* p1 = new(std::nothrow) int; // GOOD
     may_throw();
   } catch(...) {  }
 
   try {
-    int* p2 = new(std::nothrow) int; // GOOD [FALSE POSITIVE]
+    int* p2 = new(std::nothrow) int; // GOOD
     Foo f(10);
   } catch(...) {  }
 
   try {
-    int* p3 = new(std::nothrow) int; // GOOD [FALSE POSITIVE]
+    int* p3 = new(std::nothrow) int; // GOOD
     calls_throwing_code(p3);
   } catch(...) {  }
 }
@@ -201,7 +201,7 @@ void bad_new_with_nonthrowing_call() {
   } catch(...) {  }
 
   try {
-    int* p2 = new(std::nothrow) int; // GOOD: boolean conversion constructor might throw [FALSE POSITIVE]
+    int* p2 = new(std::nothrow) int; // GOOD: boolean conversion constructor might throw
     Foo f(12);
     if(f) { }
   } catch(...) {  }

From 420215931c0546e882e362c89cf03588647424bc Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 6 May 2021 13:35:08 +0200
Subject: [PATCH 0885/1429] C++: Rename query.

---
 ...ocationErrors.cpp => IncorrectAllocationErrorHandling.cpp} | 0
 ...ionErrors.qhelp => IncorrectAllocationErrorHandling.qhelp} | 2 +-
 ...llocationErrors.ql => IncorrectAllocationErrorHandling.ql} | 4 ++--
 ...ors.expected => IncorrectAllocationErrorHandling.expected} | 0
 .../semmle/tests/IncorrectAllocationErrorHandling.qlref       | 1 +
 .../WrongInDetectingAndHandlingMemoryAllocationErrors.qlref   | 1 -
 6 files changed, 4 insertions(+), 4 deletions(-)
 rename cpp/ql/src/experimental/Security/CWE/CWE-570/{WrongInDetectingAndHandlingMemoryAllocationErrors.cpp => IncorrectAllocationErrorHandling.cpp} (100%)
 rename cpp/ql/src/experimental/Security/CWE/CWE-570/{WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp => IncorrectAllocationErrorHandling.qhelp} (93%)
 rename cpp/ql/src/experimental/Security/CWE/CWE-570/{WrongInDetectingAndHandlingMemoryAllocationErrors.ql => IncorrectAllocationErrorHandling.ql} (98%)
 rename cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/{WrongInDetectingAndHandlingMemoryAllocationErrors.expected => IncorrectAllocationErrorHandling.expected} (100%)
 create mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.qlref
 delete mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.qlref

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.cpp b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.cpp
similarity index 100%
rename from cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.cpp
rename to cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.cpp
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qhelp
similarity index 93%
rename from cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp
rename to cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qhelp
index 9365579b44a..9e131e75d4e 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.qhelp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qhelp
@@ -17,7 +17,7 @@ make sure to handle the possibility of null pointers if <code>new(std::nothrow)
 
 </recommendation>
 <example>
-<sample src="WrongInDetectingAndHandlingMemoryAllocationErrors.cpp" />
+<sample src="IncorrectAllocationErrorHandling.cpp" />
 
 </example>
 <references>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
similarity index 98%
rename from cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
rename to cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
index 58221e07f5c..66bbb8bfad7 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -1,8 +1,8 @@
 /**
- * @name Detect And Handle Memory Allocation Errors
+ * @name Incorrect allocation-error handling
  * @description `operator new` throws an exception on allocation failures, while `operator new(std::nothrow)` returns a null pointer. Mixing up these two failure conditions can result in unexpected behavior.
  * @kind problem
- * @id cpp/detect-and-handle-memory-allocation-errors
+ * @id cpp/incorrect-allocation-error-handling
  * @problem.severity warning
  * @precision medium
  * @tags correctness
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
similarity index 100%
rename from cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.expected
rename to cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.qlref
new file mode 100644
index 00000000000..4bba5039aea
--- /dev/null
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.qlref
deleted file mode 100644
index fc3252ef122..00000000000
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/WrongInDetectingAndHandlingMemoryAllocationErrors.qlref
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-570/WrongInDetectingAndHandlingMemoryAllocationErrors.ql

From 42b8f923be0f5977789f8780b68d4aa9140967ff Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 6 May 2021 14:30:43 +0200
Subject: [PATCH 0886/1429] C++: Call noexcept constructor instead.

---
 .../query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
index 8d27c4b727d..0bb241ab5c7 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
@@ -202,7 +202,7 @@ void bad_new_with_nonthrowing_call() {
 
   try {
     int* p2 = new(std::nothrow) int; // GOOD: boolean conversion constructor might throw
-    Foo f(12);
+    Foo f;
     if(f) { }
   } catch(...) {  }
 }
\ No newline at end of file

From 95e65dec8faf1eb0836f09c3469a96a6fd1f8b1e Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 6 May 2021 14:35:27 +0200
Subject: [PATCH 0887/1429] C++: Make sure a CatchBlock that catches a const
 std::bad_alloc& is also a BadAllocCatchBlock.

---
 .../Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql   | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
index 66bbb8bfad7..dcf5a994de4 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -139,7 +139,8 @@ class BadAllocType extends Class {
  */
 class BadAllocCatchBlock extends CatchBlock {
   BadAllocCatchBlock() {
-    this.getParameter().getUnspecifiedType() = any(BadAllocType badAlloc).getADerivedClass*()
+    this.getParameter().getUnspecifiedType().stripType() =
+      any(BadAllocType badAlloc).getADerivedClass*()
     or
     not exists(this.getParameter())
   }

From 167dc86f7a7e6d920e36e520f1d870afee55b421 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 6 May 2021 14:36:35 +0200
Subject: [PATCH 0888/1429] C++: Accept test changes.

---
 .../semmle/tests/IncorrectAllocationErrorHandling.expected     | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
index edd08b9802d..b0af0f72e32 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
@@ -10,5 +10,8 @@
 | test.cpp:63:8:63:19 | new[] | This allocation cannot return null. $@ is unnecessary. | test.cpp:64:7:64:19 | ... != ... | This check |
 | test.cpp:69:9:69:20 | new[] | This allocation cannot return null. $@ is unnecessary. | test.cpp:70:7:70:14 | ... != ... | This check |
 | test.cpp:75:11:75:22 | new[] | This allocation cannot return null. $@ is unnecessary. | test.cpp:76:13:76:15 | p11 | This check |
+| test.cpp:92:5:92:31 | new[] | This allocation cannot throw. $@ is unnecessary. | test.cpp:97:36:98:3 | { ... } | This catch block |
+| test.cpp:93:15:93:41 | new[] | This allocation cannot throw. $@ is unnecessary. | test.cpp:97:36:98:3 | { ... } | This catch block |
+| test.cpp:96:10:96:36 | new[] | This allocation cannot throw. $@ is unnecessary. | test.cpp:97:36:98:3 | { ... } | This catch block |
 | test.cpp:151:9:151:24 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:152:15:152:18 | { ... } | This catch block |
 | test.cpp:199:15:199:35 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:201:16:201:19 | { ... } | This catch block |

From f16605b3c1e24b7337b5d58c8a928a92410ca79e Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Thu, 6 May 2021 15:17:55 +0200
Subject: [PATCH 0889/1429] Apply suggestions from code review

Co-authored-by: Felicity Chapman <felicitymay@github.com>
---
 java/ql/src/Security/CWE/CWE-643/XPathInjection.qhelp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/Security/CWE/CWE-643/XPathInjection.qhelp b/java/ql/src/Security/CWE/CWE-643/XPathInjection.qhelp
index f7fccc89ab8..31441d70a18 100644
--- a/java/ql/src/Security/CWE/CWE-643/XPathInjection.qhelp
+++ b/java/ql/src/Security/CWE/CWE-643/XPathInjection.qhelp
@@ -29,10 +29,10 @@ for different values.
 </p>
 
 <p>
-In the fourth example, the code uses `setXPathVariableResolver` which prevents XPath injection.
+In the fourth example, the code uses <code>setXPathVariableResolver</code> which prevents XPath injection.
 </p>
 <p>
-The fifth example is a dom4j XPath injection example.
+The final two examples are for dom4j. They show an example of XPath injection and one method of preventing it.
 </p>
 <sample src="XPathInjection.java" />
 </example>

From 4463293dc445376b38e8c96530e35c573f0ed35b Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 6 May 2021 16:35:41 +0200
Subject: [PATCH 0890/1429] C++: Move common code from NewExpr and NewArrayExpr
 into the NewOrNewArrayExpr class.

---
 cpp/ql/src/semmle/code/cpp/exprs/Expr.qll | 38 +++++++++++------------
 1 file changed, 18 insertions(+), 20 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/exprs/Expr.qll b/cpp/ql/src/semmle/code/cpp/exprs/Expr.qll
index 86f538e5d4e..f77518c2f56 100644
--- a/cpp/ql/src/semmle/code/cpp/exprs/Expr.qll
+++ b/cpp/ql/src/semmle/code/cpp/exprs/Expr.qll
@@ -850,6 +850,24 @@ class NewOrNewArrayExpr extends Expr, @any_new_expr {
       this.getAllocatorCall()
           .getArgument(this.getAllocator().(OperatorNewAllocationFunction).getPlacementArgument())
   }
+
+  /**
+   * For `operator new`, this gets the call or expression that initializes the allocated object, if any.
+   *
+   * As examples, for `new int(4)`, this will be `4`, and for `new std::vector(4)`, this will
+   * be a call to the constructor `std::vector::vector(size_t)` with `4` as an argument.
+   *
+   * For `operator new[]`, this gets the call or expression that initializes the first element of the
+   * array, if any.
+   *
+   * This will either be a call to the default constructor for the array's element type (as
+   * in `new std::string[10]`), or a literal zero for arrays of scalars which are zero-initialized
+   * due to extra parentheses (as in `new int[10]()`).
+   *
+   * At runtime, the constructor will be called once for each element in the array, but the
+   * constructor call only exists once in the AST.
+   */
+  final Expr getInitializer() { result = this.getChild(1) }
 }
 
 /**
@@ -871,14 +889,6 @@ class NewExpr extends NewOrNewArrayExpr, @new_expr {
   override Type getAllocatedType() {
     new_allocated_type(underlyingElement(this), unresolveElement(result))
   }
-
-  /**
-   * Gets the call or expression that initializes the allocated object, if any.
-   *
-   * As examples, for `new int(4)`, this will be `4`, and for `new std::vector(4)`, this will
-   * be a call to the constructor `std::vector::vector(size_t)` with `4` as an argument.
-   */
-  Expr getInitializer() { result = this.getChild(1) }
 }
 
 /**
@@ -909,18 +919,6 @@ class NewArrayExpr extends NewOrNewArrayExpr, @new_array_expr {
     result = getType().getUnderlyingType().(PointerType).getBaseType()
   }
 
-  /**
-   * Gets the call or expression that initializes the first element of the array, if any.
-   *
-   * This will either be a call to the default constructor for the array's element type (as
-   * in `new std::string[10]`), or a literal zero for arrays of scalars which are zero-initialized
-   * due to extra parentheses (as in `new int[10]()`).
-   *
-   * At runtime, the constructor will be called once for each element in the array, but the
-   * constructor call only exists once in the AST.
-   */
-  Expr getInitializer() { result = this.getChild(1) }
-
   /**
    * Gets the extent of the non-constant array dimension, if any.
    *

From 47a419a5f1bcb9022145aa1a982d998e776b2e17 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 6 May 2021 16:37:26 +0200
Subject: [PATCH 0891/1429] C++: Respond to review comments. First: Avoid using
 locations to detect constructor and destructor calls. Second: Include missing
 statements in stmtMayThrow.

---
 .../IncorrectAllocationErrorHandling.ql       | 38 ++++++++++++++++++-
 1 file changed, 36 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
index dcf5a994de4..9a091663848 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -23,16 +23,20 @@ class DeleteOrDeleteArrayExpr extends Expr {
   DeallocationFunction getDeallocator() {
     result = [this.(DeleteExpr).getDeallocator(), this.(DeleteArrayExpr).getDeallocator()]
   }
+
+  Destructor getDestructor() {
+    result = [this.(DeleteExpr).getDestructor(), this.(DeleteArrayExpr).getDestructor()]
+  }
 }
 
 /** Gets the `Constructor` invoked when `newExpr` allocates memory. */
 Constructor getConstructorForAllocation(NewOrNewArrayExpr newExpr) {
-  result.getACallToThisFunction().getLocation() = newExpr.getLocation()
+  result.getACallToThisFunction() = newExpr.getInitializer()
 }
 
 /** Gets the `Destructor` invoked when `deleteExpr` deallocates memory. */
 Destructor getDestructorForDeallocation(DeleteOrDeleteArrayExpr deleteExpr) {
-  result.getACallToThisFunction().getLocation() = deleteExpr.getLocation()
+  result = deleteExpr.getDestructor()
 }
 
 /** Holds if the evaluation of `newExpr` may throw an exception. */
@@ -63,15 +67,45 @@ predicate stmtMayThrow(Stmt stmt) {
   or
   convertedExprMayThrow(stmt.(ExprStmt).getExpr())
   or
+  convertedExprMayThrow(stmt.(DeclStmt).getADeclaration().(Variable).getInitializer().getExpr())
+  or
   exists(IfStmt ifStmt | ifStmt = stmt |
     convertedExprMayThrow(ifStmt.getCondition()) or
     stmtMayThrow([ifStmt.getThen(), ifStmt.getElse()])
   )
   or
+  exists(ConstexprIfStmt constIfStmt | constIfStmt = stmt |
+    stmtMayThrow([constIfStmt.getThen(), constIfStmt.getElse()])
+  )
+  or
   exists(Loop loop | loop = stmt |
     convertedExprMayThrow(loop.getCondition()) or
     stmtMayThrow(loop.getStmt())
   )
+  or
+  // The case for `Loop` already checked the condition and the statement.
+  convertedExprMayThrow(stmt.(RangeBasedForStmt).getUpdate())
+  or
+  // The case for `Loop` already checked the condition and the statement.
+  exists(ForStmt forStmt | forStmt = stmt |
+    stmtMayThrow(forStmt.getInitialization())
+    or
+    convertedExprMayThrow(forStmt.getUpdate())
+  )
+  or
+  exists(SwitchStmt switchStmt | switchStmt = stmt |
+    convertedExprMayThrow(switchStmt.getExpr()) or
+    stmtMayThrow(switchStmt.getStmt())
+  )
+  or
+  stmtMayThrow(stmt.(SwitchCase).getAStmt())
+  or
+  // NOTE: We don't include `TryStmt` as those exceptions are not "observable" outside the function.
+  stmtMayThrow(stmt.(Handler).getBlock())
+  or
+  convertedExprMayThrow(stmt.(CoReturnStmt).getExpr())
+  or
+  convertedExprMayThrow(stmt.(ReturnStmt).getExpr())
 }
 
 /** Holds if the evaluation of `e` (including conversions) may throw an exception. */

From 7b8a51f995be2297265cb087cc19868bfa02cfc3 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 6 May 2021 16:56:11 +0200
Subject: [PATCH 0892/1429] C++: Add test with missing result.

---
 .../Security/CWE/CWE-570/semmle/tests/test.cpp            | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
index 0bb241ab5c7..dde820d5df6 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
@@ -205,4 +205,10 @@ void bad_new_with_nonthrowing_call() {
     Foo f;
     if(f) { }
   } catch(...) {  }
-}
\ No newline at end of file
+}
+
+void bad_new_catch_baseclass_of_bad_alloc() {
+  try {
+    int* p = new(std::nothrow) int; // BAD [NOT DETECTED]
+  } catch(const std::exception&) { }
+}

From c12837cff0bd1ba92a08a0898891b0519ed2db2f Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 6 May 2021 16:57:09 +0200
Subject: [PATCH 0893/1429] C++: Fix false negative.

---
 .../Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql  | 4 ++--
 .../semmle/tests/IncorrectAllocationErrorHandling.expected    | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
index 9a091663848..c1f457f47e1 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -168,13 +168,13 @@ class BadAllocType extends Class {
 }
 
 /**
- * A catch block that catches a `std::bad_alloc` (or any of its subclasses), or a catch
+ * A catch block that catches a `std::bad_alloc` (or any of its superclasses), or a catch
  * block that catches every exception (i.e., `catch(...)`).
  */
 class BadAllocCatchBlock extends CatchBlock {
   BadAllocCatchBlock() {
     this.getParameter().getUnspecifiedType().stripType() =
-      any(BadAllocType badAlloc).getADerivedClass*()
+      any(BadAllocType badAlloc).getABaseClass*()
     or
     not exists(this.getParameter())
   }
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
index b0af0f72e32..4720e02b381 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
@@ -15,3 +15,4 @@
 | test.cpp:96:10:96:36 | new[] | This allocation cannot throw. $@ is unnecessary. | test.cpp:97:36:98:3 | { ... } | This catch block |
 | test.cpp:151:9:151:24 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:152:15:152:18 | { ... } | This catch block |
 | test.cpp:199:15:199:35 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:201:16:201:19 | { ... } | This catch block |
+| test.cpp:212:14:212:34 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:213:34:213:36 | { ... } | This catch block |

From e0606d61b613844d8a9355b718515a38c6729999 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 6 May 2021 16:58:49 +0200
Subject: [PATCH 0894/1429] C++: Fix qldoc.

---
 .../Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
index c1f457f47e1..557d73edd0d 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -181,8 +181,9 @@ class BadAllocCatchBlock extends CatchBlock {
 }
 
 /**
- * Holds if `newExpr` will not throw an exception, but is embedded in a `try` statement
- * with a catch block `catchBlock` that catches an `std::bad_alloc` exception.
+ * Holds if `newExpr` is embedded in a `try` statement with a catch block `catchBlock` that
+ * catches a `std::bad_alloc` exception, but nothing in the `try` block (including the `newExpr`)
+ * will throw that exception.
  */
 predicate noThrowInTryBlock(NewOrNewArrayExpr newExpr, BadAllocCatchBlock catchBlock) {
   exists(TryStmt try |

From d1eb7747371815275c47d0947cf5c1969cb8984c Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 6 May 2021 17:03:42 +0200
Subject: [PATCH 0895/1429] C++: Remove implied conjunction.

---
 .../Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql   | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
index 557d73edd0d..6bb0182a79e 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -191,8 +191,7 @@ predicate noThrowInTryBlock(NewOrNewArrayExpr newExpr, BadAllocCatchBlock catchB
       not convertedExprMayThrow(cand)
     ) and
     try.getACatchClause() = catchBlock and
-    newExpr.getEnclosingBlock().getEnclosingBlock*() = try.getStmt() and
-    not newMayThrow(newExpr)
+    newExpr.getEnclosingBlock().getEnclosingBlock*() = try.getStmt()
   )
 }
 

From d95ef89cee68f558e3e5fbc8fb17c4e105527962 Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Tue, 13 Apr 2021 12:31:42 -0700
Subject: [PATCH 0896/1429] C++: add test for IR alias analysis soundness

---
 .../ir/ssa/aliased_ssa_ir.expected            | 87 +++++++++++++++++++
 .../ir/ssa/aliased_ssa_ir_unsound.expected    | 84 ++++++++++++++++++
 cpp/ql/test/library-tests/ir/ssa/ssa.cpp      | 20 +++++
 .../ir/ssa/unaliased_ssa_ir.expected          | 74 ++++++++++++++++
 .../ir/ssa/unaliased_ssa_ir_unsound.expected  | 74 ++++++++++++++++
 5 files changed, 339 insertions(+)

diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
index 76de50dd792..c83ed76902e 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
@@ -1502,3 +1502,90 @@ ssa.cpp:
 #  310|     v310_12(void)                = ReturnVoid                   : 
 #  310|     v310_13(void)                = AliasedUse                   : m310_3
 #  310|     v310_14(void)                = ExitFunction                 : 
+
+#  319| void DoubleIndirectionEscapes(char*)
+#  319|   Block 0
+#  319|     v319_1(void)              = EnterFunction                      : 
+#  319|     m319_2(unknown)           = AliasedDefinition                  : 
+#  319|     m319_3(unknown)           = InitializeNonLocal                 : 
+#  319|     m319_4(unknown)           = Chi                                : total:m319_2, partial:m319_3
+#  319|     r319_5(glval<char *>)     = VariableAddress[s]                 : 
+#  319|     m319_6(char *)            = InitializeParameter[s]             : &:r319_5
+#  319|     r319_7(char *)            = Load[s]                            : &:r319_5, m319_6
+#  319|     m319_8(unknown)           = InitializeIndirection[s]           : &:r319_7
+#  321|     r321_1(glval<char[1024]>) = VariableAddress[buffer]            : 
+#  321|     m321_2(char[1024])        = Uninitialized[buffer]              : &:r321_1
+#  321|     m321_3(unknown)           = Chi                                : total:m319_4, partial:m321_2
+#  322|     r322_1(glval<char *>)     = VariableAddress[ptr1]              : 
+#  322|     m322_2(char *)            = Uninitialized[ptr1]                : &:r322_1
+#  322|     m322_3(unknown)           = Chi                                : total:m321_3, partial:m322_2
+#  322|     r322_4(glval<char **>)    = VariableAddress[ptr2]              : 
+#  322|     m322_5(char **)           = Uninitialized[ptr2]                : &:r322_4
+#  323|     r323_1(glval<char *>)     = VariableAddress[ptr3]              : 
+#  323|     m323_2(char *)            = Uninitialized[ptr3]                : &:r323_1
+#  323|     r323_3(glval<char **>)    = VariableAddress[ptr4]              : 
+#  323|     m323_4(char **)           = Uninitialized[ptr4]                : &:r323_3
+#  325|     r325_1(glval<char[1024]>) = VariableAddress[buffer]            : 
+#  325|     r325_2(char *)            = Convert                            : r325_1
+#  325|     r325_3(glval<char *>)     = VariableAddress[ptr1]              : 
+#  325|     m325_4(char *)            = Store[ptr1]                        : &:r325_3, r325_2
+#  325|     m325_5(unknown)           = Chi                                : total:m322_3, partial:m325_4
+#  326|     r326_1(glval<char *>)     = VariableAddress[ptr1]              : 
+#  326|     r326_2(char **)           = CopyValue                          : r326_1
+#  326|     r326_3(glval<char **>)    = VariableAddress[ptr2]              : 
+#  326|     m326_4(char **)           = Store[ptr2]                        : &:r326_3, r326_2
+#  327|     r327_1(glval<unknown>)    = FunctionAddress[memcpy]            : 
+#  327|     r327_2(glval<char **>)    = VariableAddress[ptr2]              : 
+#  327|     r327_3(char **)           = Load[ptr2]                         : &:r327_2, m326_4
+#  327|     r327_4(char *)            = Load[?]                            : &:r327_3, m325_4
+#  327|     r327_5(void *)            = Convert                            : r327_4
+#  327|     r327_6(glval<char *>)     = VariableAddress[s]                 : 
+#  327|     r327_7(char *)            = Load[s]                            : &:r327_6, m319_6
+#  327|     r327_8(void *)            = Convert                            : r327_7
+#  327|     r327_9(int)               = Constant[1024]                     : 
+#  327|     r327_10(void *)           = Call[memcpy]                       : func:r327_1, 0:r327_5, 1:r327_8, 2:r327_9
+#  327|     v327_11(void)             = ^SizedBufferReadSideEffect[1]      : &:r327_8, r327_9, ~m319_8
+#  327|     m327_12(unknown)          = ^SizedBufferMustWriteSideEffect[0] : &:r327_5, r327_9
+#  327|     m327_13(unknown)          = Chi                                : total:m325_5, partial:m327_12
+#  329|     r329_1(glval<unknown>)    = FunctionAddress[sink]              : 
+#  329|     r329_2(glval<char[1024]>) = VariableAddress[buffer]            : 
+#  329|     r329_3(char *)            = Convert                            : r329_2
+#  329|     v329_4(void)              = Call[sink]                         : func:r329_1, 0:r329_3
+#  329|     m329_5(unknown)           = ^CallSideEffect                    : ~m327_13
+#  329|     m329_6(unknown)           = Chi                                : total:m327_13, partial:m329_5
+#  329|     v329_7(void)              = ^BufferReadSideEffect[0]           : &:r329_3, ~m329_6
+#  329|     m329_8(unknown)           = ^BufferMayWriteSideEffect[0]       : &:r329_3
+#  329|     m329_9(unknown)           = Chi                                : total:m329_6, partial:m329_8
+#  330|     r330_1(glval<unknown>)    = FunctionAddress[sink]              : 
+#  330|     r330_2(glval<char *>)     = VariableAddress[ptr1]              : 
+#  330|     r330_3(char *)            = Load[ptr1]                         : &:r330_2, ~m329_6
+#  330|     v330_4(void)              = Call[sink]                         : func:r330_1, 0:r330_3
+#  330|     m330_5(unknown)           = ^CallSideEffect                    : ~m329_9
+#  330|     m330_6(unknown)           = Chi                                : total:m329_9, partial:m330_5
+#  330|     v330_7(void)              = ^BufferReadSideEffect[0]           : &:r330_3, ~m330_6
+#  330|     m330_8(unknown)           = ^BufferMayWriteSideEffect[0]       : &:r330_3
+#  330|     m330_9(unknown)           = Chi                                : total:m330_6, partial:m330_8
+#  331|     r331_1(glval<unknown>)    = FunctionAddress[sink]              : 
+#  331|     r331_2(glval<char **>)    = VariableAddress[ptr2]              : 
+#  331|     r331_3(char **)           = Load[ptr2]                         : &:r331_2, m326_4
+#  331|     v331_4(void)              = Call[sink]                         : func:r331_1, 0:r331_3
+#  331|     m331_5(unknown)           = ^CallSideEffect                    : ~m330_9
+#  331|     m331_6(unknown)           = Chi                                : total:m330_9, partial:m331_5
+#  331|     v331_7(void)              = ^BufferReadSideEffect[0]           : &:r331_3, ~m331_6
+#  331|     m331_8(unknown)           = ^BufferMayWriteSideEffect[0]       : &:r331_3
+#  331|     m331_9(unknown)           = Chi                                : total:m331_6, partial:m331_8
+#  332|     r332_1(glval<unknown>)    = FunctionAddress[sink]              : 
+#  332|     r332_2(glval<char **>)    = VariableAddress[ptr2]              : 
+#  332|     r332_3(char **)           = Load[ptr2]                         : &:r332_2, m326_4
+#  332|     r332_4(char *)            = Load[?]                            : &:r332_3, ~m331_9
+#  332|     v332_5(void)              = Call[sink]                         : func:r332_1, 0:r332_4
+#  332|     m332_6(unknown)           = ^CallSideEffect                    : ~m331_9
+#  332|     m332_7(unknown)           = Chi                                : total:m331_9, partial:m332_6
+#  332|     v332_8(void)              = ^BufferReadSideEffect[0]           : &:r332_4, ~m332_7
+#  332|     m332_9(unknown)           = ^BufferMayWriteSideEffect[0]       : &:r332_4
+#  332|     m332_10(unknown)          = Chi                                : total:m332_7, partial:m332_9
+#  333|     v333_1(void)              = NoOp                               : 
+#  319|     v319_9(void)              = ReturnIndirection[s]               : &:r319_7, m319_8
+#  319|     v319_10(void)             = ReturnVoid                         : 
+#  319|     v319_11(void)             = AliasedUse                         : ~m332_10
+#  319|     v319_12(void)             = ExitFunction                       : 
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
index ab79d20214a..839e85ec4b5 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
@@ -1495,3 +1495,87 @@ ssa.cpp:
 #  310|     v310_12(void)                = ReturnVoid                   : 
 #  310|     v310_13(void)                = AliasedUse                   : m310_3
 #  310|     v310_14(void)                = ExitFunction                 : 
+
+#  319| void DoubleIndirectionEscapes(char*)
+#  319|   Block 0
+#  319|     v319_1(void)              = EnterFunction                      : 
+#  319|     m319_2(unknown)           = AliasedDefinition                  : 
+#  319|     m319_3(unknown)           = InitializeNonLocal                 : 
+#  319|     m319_4(unknown)           = Chi                                : total:m319_2, partial:m319_3
+#  319|     r319_5(glval<char *>)     = VariableAddress[s]                 : 
+#  319|     m319_6(char *)            = InitializeParameter[s]             : &:r319_5
+#  319|     r319_7(char *)            = Load[s]                            : &:r319_5, m319_6
+#  319|     m319_8(unknown)           = InitializeIndirection[s]           : &:r319_7
+#  321|     r321_1(glval<char[1024]>) = VariableAddress[buffer]            : 
+#  321|     m321_2(char[1024])        = Uninitialized[buffer]              : &:r321_1
+#  322|     r322_1(glval<char *>)     = VariableAddress[ptr1]              : 
+#  322|     m322_2(char *)            = Uninitialized[ptr1]                : &:r322_1
+#  322|     r322_3(glval<char **>)    = VariableAddress[ptr2]              : 
+#  322|     m322_4(char **)           = Uninitialized[ptr2]                : &:r322_3
+#  323|     r323_1(glval<char *>)     = VariableAddress[ptr3]              : 
+#  323|     m323_2(char *)            = Uninitialized[ptr3]                : &:r323_1
+#  323|     r323_3(glval<char **>)    = VariableAddress[ptr4]              : 
+#  323|     m323_4(char **)           = Uninitialized[ptr4]                : &:r323_3
+#  325|     r325_1(glval<char[1024]>) = VariableAddress[buffer]            : 
+#  325|     r325_2(char *)            = Convert                            : r325_1
+#  325|     r325_3(glval<char *>)     = VariableAddress[ptr1]              : 
+#  325|     m325_4(char *)            = Store[ptr1]                        : &:r325_3, r325_2
+#  326|     r326_1(glval<char *>)     = VariableAddress[ptr1]              : 
+#  326|     r326_2(char **)           = CopyValue                          : r326_1
+#  326|     r326_3(glval<char **>)    = VariableAddress[ptr2]              : 
+#  326|     m326_4(char **)           = Store[ptr2]                        : &:r326_3, r326_2
+#  327|     r327_1(glval<unknown>)    = FunctionAddress[memcpy]            : 
+#  327|     r327_2(glval<char **>)    = VariableAddress[ptr2]              : 
+#  327|     r327_3(char **)           = Load[ptr2]                         : &:r327_2, m326_4
+#  327|     r327_4(char *)            = Load[?]                            : &:r327_3, m325_4
+#  327|     r327_5(void *)            = Convert                            : r327_4
+#  327|     r327_6(glval<char *>)     = VariableAddress[s]                 : 
+#  327|     r327_7(char *)            = Load[s]                            : &:r327_6, m319_6
+#  327|     r327_8(void *)            = Convert                            : r327_7
+#  327|     r327_9(int)               = Constant[1024]                     : 
+#  327|     r327_10(void *)           = Call[memcpy]                       : func:r327_1, 0:r327_5, 1:r327_8, 2:r327_9
+#  327|     v327_11(void)             = ^SizedBufferReadSideEffect[1]      : &:r327_8, r327_9, ~m319_8
+#  327|     m327_12(unknown)          = ^SizedBufferMustWriteSideEffect[0] : &:r327_5, r327_9
+#  327|     m327_13(unknown)          = Chi                                : total:m319_4, partial:m327_12
+#  329|     r329_1(glval<unknown>)    = FunctionAddress[sink]              : 
+#  329|     r329_2(glval<char[1024]>) = VariableAddress[buffer]            : 
+#  329|     r329_3(char *)            = Convert                            : r329_2
+#  329|     v329_4(void)              = Call[sink]                         : func:r329_1, 0:r329_3
+#  329|     m329_5(unknown)           = ^CallSideEffect                    : ~m327_13
+#  329|     m329_6(unknown)           = Chi                                : total:m327_13, partial:m329_5
+#  329|     v329_7(void)              = ^BufferReadSideEffect[0]           : &:r329_3, ~m321_2
+#  329|     m329_8(unknown)           = ^BufferMayWriteSideEffect[0]       : &:r329_3
+#  329|     m329_9(char[1024])        = Chi                                : total:m321_2, partial:m329_8
+#  330|     r330_1(glval<unknown>)    = FunctionAddress[sink]              : 
+#  330|     r330_2(glval<char *>)     = VariableAddress[ptr1]              : 
+#  330|     r330_3(char *)            = Load[ptr1]                         : &:r330_2, m325_4
+#  330|     v330_4(void)              = Call[sink]                         : func:r330_1, 0:r330_3
+#  330|     m330_5(unknown)           = ^CallSideEffect                    : ~m329_6
+#  330|     m330_6(unknown)           = Chi                                : total:m329_6, partial:m330_5
+#  330|     v330_7(void)              = ^BufferReadSideEffect[0]           : &:r330_3, ~m329_9
+#  330|     m330_8(unknown)           = ^BufferMayWriteSideEffect[0]       : &:r330_3
+#  330|     m330_9(char[1024])        = Chi                                : total:m329_9, partial:m330_8
+#  331|     r331_1(glval<unknown>)    = FunctionAddress[sink]              : 
+#  331|     r331_2(glval<char **>)    = VariableAddress[ptr2]              : 
+#  331|     r331_3(char **)           = Load[ptr2]                         : &:r331_2, m326_4
+#  331|     v331_4(void)              = Call[sink]                         : func:r331_1, 0:r331_3
+#  331|     m331_5(unknown)           = ^CallSideEffect                    : ~m330_6
+#  331|     m331_6(unknown)           = Chi                                : total:m330_6, partial:m331_5
+#  331|     v331_7(void)              = ^BufferReadSideEffect[0]           : &:r331_3, ~m325_4
+#  331|     m331_8(unknown)           = ^BufferMayWriteSideEffect[0]       : &:r331_3
+#  331|     m331_9(char *)            = Chi                                : total:m325_4, partial:m331_8
+#  332|     r332_1(glval<unknown>)    = FunctionAddress[sink]              : 
+#  332|     r332_2(glval<char **>)    = VariableAddress[ptr2]              : 
+#  332|     r332_3(char **)           = Load[ptr2]                         : &:r332_2, m326_4
+#  332|     r332_4(char *)            = Load[?]                            : &:r332_3, m331_9
+#  332|     v332_5(void)              = Call[sink]                         : func:r332_1, 0:r332_4
+#  332|     m332_6(unknown)           = ^CallSideEffect                    : ~m331_6
+#  332|     m332_7(unknown)           = Chi                                : total:m331_6, partial:m332_6
+#  332|     v332_8(void)              = ^BufferReadSideEffect[0]           : &:r332_4, ~m332_7
+#  332|     m332_9(unknown)           = ^BufferMayWriteSideEffect[0]       : &:r332_4
+#  332|     m332_10(unknown)          = Chi                                : total:m332_7, partial:m332_9
+#  333|     v333_1(void)              = NoOp                               : 
+#  319|     v319_9(void)              = ReturnIndirection[s]               : &:r319_7, m319_8
+#  319|     v319_10(void)             = ReturnVoid                         : 
+#  319|     v319_11(void)             = AliasedUse                         : ~m332_10
+#  319|     v319_12(void)             = ExitFunction                       : 
diff --git a/cpp/ql/test/library-tests/ir/ssa/ssa.cpp b/cpp/ql/test/library-tests/ir/ssa/ssa.cpp
index 34886b1f343..73aefa17dae 100644
--- a/cpp/ql/test/library-tests/ir/ssa/ssa.cpp
+++ b/cpp/ql/test/library-tests/ir/ssa/ssa.cpp
@@ -311,3 +311,23 @@ class ThisAliasTest {
     this->x = arg;
   }
 };
+
+void sink(char **);
+void sink(char *);
+
+// This test case comes from DefaultTaintTracking.
+void DoubleIndirectionEscapes(char *s)
+{
+	char buffer[1024];
+	char *ptr1, **ptr2;
+	char *ptr3, **ptr4;
+
+	ptr1 = buffer;
+	ptr2 = &ptr1;
+	memcpy(*ptr2, s, 1024);
+
+	sink(buffer); // $ MISSING: ast,ir
+	sink(ptr1); // $ ast MISSING: ir
+	sink(ptr2); // $ SPURIOUS: ast
+	sink(*ptr2); // $ ast MISSING: ir
+}
diff --git a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
index 0b257db98a4..b396d50c366 100644
--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
@@ -1376,3 +1376,77 @@ ssa.cpp:
 #  310|     v310_11(void)                = ReturnVoid                   : 
 #  310|     v310_12(void)                = AliasedUse                   : ~m?
 #  310|     v310_13(void)                = ExitFunction                 : 
+
+#  319| void DoubleIndirectionEscapes(char*)
+#  319|   Block 0
+#  319|     v319_1(void)              = EnterFunction                      : 
+#  319|     mu319_2(unknown)          = AliasedDefinition                  : 
+#  319|     mu319_3(unknown)          = InitializeNonLocal                 : 
+#  319|     r319_4(glval<char *>)     = VariableAddress[s]                 : 
+#  319|     m319_5(char *)            = InitializeParameter[s]             : &:r319_4
+#  319|     r319_6(char *)            = Load[s]                            : &:r319_4, m319_5
+#  319|     mu319_7(unknown)          = InitializeIndirection[s]           : &:r319_6
+#  321|     r321_1(glval<char[1024]>) = VariableAddress[buffer]            : 
+#  321|     mu321_2(char[1024])       = Uninitialized[buffer]              : &:r321_1
+#  322|     r322_1(glval<char *>)     = VariableAddress[ptr1]              : 
+#  322|     mu322_2(char *)           = Uninitialized[ptr1]                : &:r322_1
+#  322|     r322_3(glval<char **>)    = VariableAddress[ptr2]              : 
+#  322|     m322_4(char **)           = Uninitialized[ptr2]                : &:r322_3
+#  323|     r323_1(glval<char *>)     = VariableAddress[ptr3]              : 
+#  323|     m323_2(char *)            = Uninitialized[ptr3]                : &:r323_1
+#  323|     r323_3(glval<char **>)    = VariableAddress[ptr4]              : 
+#  323|     m323_4(char **)           = Uninitialized[ptr4]                : &:r323_3
+#  325|     r325_1(glval<char[1024]>) = VariableAddress[buffer]            : 
+#  325|     r325_2(char *)            = Convert                            : r325_1
+#  325|     r325_3(glval<char *>)     = VariableAddress[ptr1]              : 
+#  325|     mu325_4(char *)           = Store[ptr1]                        : &:r325_3, r325_2
+#  326|     r326_1(glval<char *>)     = VariableAddress[ptr1]              : 
+#  326|     r326_2(char **)           = CopyValue                          : r326_1
+#  326|     r326_3(glval<char **>)    = VariableAddress[ptr2]              : 
+#  326|     m326_4(char **)           = Store[ptr2]                        : &:r326_3, r326_2
+#  327|     r327_1(glval<unknown>)    = FunctionAddress[memcpy]            : 
+#  327|     r327_2(glval<char **>)    = VariableAddress[ptr2]              : 
+#  327|     r327_3(char **)           = Load[ptr2]                         : &:r327_2, m326_4
+#  327|     r327_4(char *)            = Load[?]                            : &:r327_3, ~m?
+#  327|     r327_5(void *)            = Convert                            : r327_4
+#  327|     r327_6(glval<char *>)     = VariableAddress[s]                 : 
+#  327|     r327_7(char *)            = Load[s]                            : &:r327_6, m319_5
+#  327|     r327_8(void *)            = Convert                            : r327_7
+#  327|     r327_9(int)               = Constant[1024]                     : 
+#  327|     r327_10(void *)           = Call[memcpy]                       : func:r327_1, 0:r327_5, 1:r327_8, 2:r327_9
+#  327|     v327_11(void)             = ^SizedBufferReadSideEffect[1]      : &:r327_8, r327_9, ~m?
+#  327|     mu327_12(unknown)         = ^SizedBufferMustWriteSideEffect[0] : &:r327_5, r327_9
+#  329|     r329_1(glval<unknown>)    = FunctionAddress[sink]              : 
+#  329|     r329_2(glval<char[1024]>) = VariableAddress[buffer]            : 
+#  329|     r329_3(char *)            = Convert                            : r329_2
+#  329|     v329_4(void)              = Call[sink]                         : func:r329_1, 0:r329_3
+#  329|     mu329_5(unknown)          = ^CallSideEffect                    : ~m?
+#  329|     v329_6(void)              = ^BufferReadSideEffect[0]           : &:r329_3, ~m?
+#  329|     mu329_7(unknown)          = ^BufferMayWriteSideEffect[0]       : &:r329_3
+#  330|     r330_1(glval<unknown>)    = FunctionAddress[sink]              : 
+#  330|     r330_2(glval<char *>)     = VariableAddress[ptr1]              : 
+#  330|     r330_3(char *)            = Load[ptr1]                         : &:r330_2, ~m?
+#  330|     v330_4(void)              = Call[sink]                         : func:r330_1, 0:r330_3
+#  330|     mu330_5(unknown)          = ^CallSideEffect                    : ~m?
+#  330|     v330_6(void)              = ^BufferReadSideEffect[0]           : &:r330_3, ~m?
+#  330|     mu330_7(unknown)          = ^BufferMayWriteSideEffect[0]       : &:r330_3
+#  331|     r331_1(glval<unknown>)    = FunctionAddress[sink]              : 
+#  331|     r331_2(glval<char **>)    = VariableAddress[ptr2]              : 
+#  331|     r331_3(char **)           = Load[ptr2]                         : &:r331_2, m326_4
+#  331|     v331_4(void)              = Call[sink]                         : func:r331_1, 0:r331_3
+#  331|     mu331_5(unknown)          = ^CallSideEffect                    : ~m?
+#  331|     v331_6(void)              = ^BufferReadSideEffect[0]           : &:r331_3, ~m?
+#  331|     mu331_7(unknown)          = ^BufferMayWriteSideEffect[0]       : &:r331_3
+#  332|     r332_1(glval<unknown>)    = FunctionAddress[sink]              : 
+#  332|     r332_2(glval<char **>)    = VariableAddress[ptr2]              : 
+#  332|     r332_3(char **)           = Load[ptr2]                         : &:r332_2, m326_4
+#  332|     r332_4(char *)            = Load[?]                            : &:r332_3, ~m?
+#  332|     v332_5(void)              = Call[sink]                         : func:r332_1, 0:r332_4
+#  332|     mu332_6(unknown)          = ^CallSideEffect                    : ~m?
+#  332|     v332_7(void)              = ^BufferReadSideEffect[0]           : &:r332_4, ~m?
+#  332|     mu332_8(unknown)          = ^BufferMayWriteSideEffect[0]       : &:r332_4
+#  333|     v333_1(void)              = NoOp                               : 
+#  319|     v319_8(void)              = ReturnIndirection[s]               : &:r319_6, ~m?
+#  319|     v319_9(void)              = ReturnVoid                         : 
+#  319|     v319_10(void)             = AliasedUse                         : ~m?
+#  319|     v319_11(void)             = ExitFunction                       : 
diff --git a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
index 0b257db98a4..c48cd7a7186 100644
--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
@@ -1376,3 +1376,77 @@ ssa.cpp:
 #  310|     v310_11(void)                = ReturnVoid                   : 
 #  310|     v310_12(void)                = AliasedUse                   : ~m?
 #  310|     v310_13(void)                = ExitFunction                 : 
+
+#  319| void DoubleIndirectionEscapes(char*)
+#  319|   Block 0
+#  319|     v319_1(void)              = EnterFunction                      : 
+#  319|     mu319_2(unknown)          = AliasedDefinition                  : 
+#  319|     mu319_3(unknown)          = InitializeNonLocal                 : 
+#  319|     r319_4(glval<char *>)     = VariableAddress[s]                 : 
+#  319|     m319_5(char *)            = InitializeParameter[s]             : &:r319_4
+#  319|     r319_6(char *)            = Load[s]                            : &:r319_4, m319_5
+#  319|     mu319_7(unknown)          = InitializeIndirection[s]           : &:r319_6
+#  321|     r321_1(glval<char[1024]>) = VariableAddress[buffer]            : 
+#  321|     mu321_2(char[1024])       = Uninitialized[buffer]              : &:r321_1
+#  322|     r322_1(glval<char *>)     = VariableAddress[ptr1]              : 
+#  322|     m322_2(char *)            = Uninitialized[ptr1]                : &:r322_1
+#  322|     r322_3(glval<char **>)    = VariableAddress[ptr2]              : 
+#  322|     m322_4(char **)           = Uninitialized[ptr2]                : &:r322_3
+#  323|     r323_1(glval<char *>)     = VariableAddress[ptr3]              : 
+#  323|     m323_2(char *)            = Uninitialized[ptr3]                : &:r323_1
+#  323|     r323_3(glval<char **>)    = VariableAddress[ptr4]              : 
+#  323|     m323_4(char **)           = Uninitialized[ptr4]                : &:r323_3
+#  325|     r325_1(glval<char[1024]>) = VariableAddress[buffer]            : 
+#  325|     r325_2(char *)            = Convert                            : r325_1
+#  325|     r325_3(glval<char *>)     = VariableAddress[ptr1]              : 
+#  325|     m325_4(char *)            = Store[ptr1]                        : &:r325_3, r325_2
+#  326|     r326_1(glval<char *>)     = VariableAddress[ptr1]              : 
+#  326|     r326_2(char **)           = CopyValue                          : r326_1
+#  326|     r326_3(glval<char **>)    = VariableAddress[ptr2]              : 
+#  326|     m326_4(char **)           = Store[ptr2]                        : &:r326_3, r326_2
+#  327|     r327_1(glval<unknown>)    = FunctionAddress[memcpy]            : 
+#  327|     r327_2(glval<char **>)    = VariableAddress[ptr2]              : 
+#  327|     r327_3(char **)           = Load[ptr2]                         : &:r327_2, m326_4
+#  327|     r327_4(char *)            = Load[?]                            : &:r327_3, ~m?
+#  327|     r327_5(void *)            = Convert                            : r327_4
+#  327|     r327_6(glval<char *>)     = VariableAddress[s]                 : 
+#  327|     r327_7(char *)            = Load[s]                            : &:r327_6, m319_5
+#  327|     r327_8(void *)            = Convert                            : r327_7
+#  327|     r327_9(int)               = Constant[1024]                     : 
+#  327|     r327_10(void *)           = Call[memcpy]                       : func:r327_1, 0:r327_5, 1:r327_8, 2:r327_9
+#  327|     v327_11(void)             = ^SizedBufferReadSideEffect[1]      : &:r327_8, r327_9, ~m?
+#  327|     mu327_12(unknown)         = ^SizedBufferMustWriteSideEffect[0] : &:r327_5, r327_9
+#  329|     r329_1(glval<unknown>)    = FunctionAddress[sink]              : 
+#  329|     r329_2(glval<char[1024]>) = VariableAddress[buffer]            : 
+#  329|     r329_3(char *)            = Convert                            : r329_2
+#  329|     v329_4(void)              = Call[sink]                         : func:r329_1, 0:r329_3
+#  329|     mu329_5(unknown)          = ^CallSideEffect                    : ~m?
+#  329|     v329_6(void)              = ^BufferReadSideEffect[0]           : &:r329_3, ~m?
+#  329|     mu329_7(unknown)          = ^BufferMayWriteSideEffect[0]       : &:r329_3
+#  330|     r330_1(glval<unknown>)    = FunctionAddress[sink]              : 
+#  330|     r330_2(glval<char *>)     = VariableAddress[ptr1]              : 
+#  330|     r330_3(char *)            = Load[ptr1]                         : &:r330_2, m325_4
+#  330|     v330_4(void)              = Call[sink]                         : func:r330_1, 0:r330_3
+#  330|     mu330_5(unknown)          = ^CallSideEffect                    : ~m?
+#  330|     v330_6(void)              = ^BufferReadSideEffect[0]           : &:r330_3, ~m?
+#  330|     mu330_7(unknown)          = ^BufferMayWriteSideEffect[0]       : &:r330_3
+#  331|     r331_1(glval<unknown>)    = FunctionAddress[sink]              : 
+#  331|     r331_2(glval<char **>)    = VariableAddress[ptr2]              : 
+#  331|     r331_3(char **)           = Load[ptr2]                         : &:r331_2, m326_4
+#  331|     v331_4(void)              = Call[sink]                         : func:r331_1, 0:r331_3
+#  331|     mu331_5(unknown)          = ^CallSideEffect                    : ~m?
+#  331|     v331_6(void)              = ^BufferReadSideEffect[0]           : &:r331_3, ~m?
+#  331|     mu331_7(unknown)          = ^BufferMayWriteSideEffect[0]       : &:r331_3
+#  332|     r332_1(glval<unknown>)    = FunctionAddress[sink]              : 
+#  332|     r332_2(glval<char **>)    = VariableAddress[ptr2]              : 
+#  332|     r332_3(char **)           = Load[ptr2]                         : &:r332_2, m326_4
+#  332|     r332_4(char *)            = Load[?]                            : &:r332_3, ~m?
+#  332|     v332_5(void)              = Call[sink]                         : func:r332_1, 0:r332_4
+#  332|     mu332_6(unknown)          = ^CallSideEffect                    : ~m?
+#  332|     v332_7(void)              = ^BufferReadSideEffect[0]           : &:r332_4, ~m?
+#  332|     mu332_8(unknown)          = ^BufferMayWriteSideEffect[0]       : &:r332_4
+#  333|     v333_1(void)              = NoOp                               : 
+#  319|     v319_8(void)              = ReturnIndirection[s]               : &:r319_6, ~m?
+#  319|     v319_9(void)              = ReturnVoid                         : 
+#  319|     v319_10(void)             = AliasedUse                         : ~m?
+#  319|     v319_11(void)             = ExitFunction                       : 

From a9d7990596540d7f56035bd51796c378c29711ba Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Wed, 17 Mar 2021 17:41:25 -0700
Subject: [PATCH 0897/1429] C++: make unaliased_ssa IR stage sound

---
 .../implementation/aliased_ssa/internal/AliasAnalysis.qll | 4 ++++
 .../aliased_ssa/internal/AliasConfiguration.qll           | 8 ++++++++
 .../unaliased_ssa/internal/AliasAnalysis.qll              | 4 ++++
 .../unaliased_ssa/internal/AliasConfiguration.qll         | 8 ++++++++
 .../annotate_sinks_only/tainted.expected                  | 2 ++
 .../library-tests/ir/ssa/aliased_ssa_ir_unsound.expected  | 8 ++++----
 .../ir/ssa/unaliased_ssa_ir_unsound.expected              | 6 +++---
 .../unaliased_ssa/internal/AliasAnalysis.qll              | 4 ++++
 .../unaliased_ssa/internal/AliasConfiguration.qll         | 8 ++++++++
 9 files changed, 45 insertions(+), 7 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
index e26d61b9792..ce2ebf5ce14 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
@@ -325,6 +325,10 @@ predicate allocationEscapes(Configuration::Allocation allocation) {
   exists(IREscapeAnalysisConfiguration config |
     config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
   )
+  or
+  exists(Configuration::StageEscapeConfiguration config |
+    config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
+  )
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll
index 866afb64b31..d03e424abd7 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll
@@ -138,3 +138,11 @@ class DynamicAllocation extends Allocation, TDynamicAllocation {
 
   final override predicate alwaysEscapes() { none() }
 }
+
+class StageEscapeConfiguration extends string {
+  StageEscapeConfiguration() {
+    this = "StageEscapeConfiguration (aliased_ssa)"
+  }
+
+  predicate useSoundEscapeAnalysis() { none() }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index e26d61b9792..ce2ebf5ce14 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -325,6 +325,10 @@ predicate allocationEscapes(Configuration::Allocation allocation) {
   exists(IREscapeAnalysisConfiguration config |
     config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
   )
+  or
+  exists(Configuration::StageEscapeConfiguration config |
+    config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
+  )
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll
index 5be476e12ee..2ca333ad25c 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll
@@ -14,3 +14,11 @@ class Allocation extends IRAutomaticVariable {
     none()
   }
 }
+
+class StageEscapeConfiguration extends string {
+  StageEscapeConfiguration() {
+    this = "StageEscapeConfiguration (unaliased_ssa)"
+  }
+
+  predicate useSoundEscapeAnalysis() { any() }
+}
diff --git a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected
index e69de29bb2d..8babe64dfc1 100644
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected
@@ -0,0 +1,2 @@
+| defaulttainttracking.cpp:190:14:190:24 | // $ ast,ir | Missing result:ir= |
+| defaulttainttracking.cpp:193:14:193:24 | // $ ast,ir | Missing result:ir= |
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
index 839e85ec4b5..81c80c6b4c7 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
@@ -1552,15 +1552,15 @@ ssa.cpp:
 #  330|     v330_4(void)              = Call[sink]                         : func:r330_1, 0:r330_3
 #  330|     m330_5(unknown)           = ^CallSideEffect                    : ~m329_6
 #  330|     m330_6(unknown)           = Chi                                : total:m329_6, partial:m330_5
-#  330|     v330_7(void)              = ^BufferReadSideEffect[0]           : &:r330_3, ~m329_9
+#  330|     v330_7(void)              = ^BufferReadSideEffect[0]           : &:r330_3, ~m330_6
 #  330|     m330_8(unknown)           = ^BufferMayWriteSideEffect[0]       : &:r330_3
-#  330|     m330_9(char[1024])        = Chi                                : total:m329_9, partial:m330_8
+#  330|     m330_9(unknown)           = Chi                                : total:m330_6, partial:m330_8
 #  331|     r331_1(glval<unknown>)    = FunctionAddress[sink]              : 
 #  331|     r331_2(glval<char **>)    = VariableAddress[ptr2]              : 
 #  331|     r331_3(char **)           = Load[ptr2]                         : &:r331_2, m326_4
 #  331|     v331_4(void)              = Call[sink]                         : func:r331_1, 0:r331_3
-#  331|     m331_5(unknown)           = ^CallSideEffect                    : ~m330_6
-#  331|     m331_6(unknown)           = Chi                                : total:m330_6, partial:m331_5
+#  331|     m331_5(unknown)           = ^CallSideEffect                    : ~m330_9
+#  331|     m331_6(unknown)           = Chi                                : total:m330_9, partial:m331_5
 #  331|     v331_7(void)              = ^BufferReadSideEffect[0]           : &:r331_3, ~m325_4
 #  331|     m331_8(unknown)           = ^BufferMayWriteSideEffect[0]       : &:r331_3
 #  331|     m331_9(char *)            = Chi                                : total:m325_4, partial:m331_8
diff --git a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
index c48cd7a7186..b396d50c366 100644
--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
@@ -1389,7 +1389,7 @@ ssa.cpp:
 #  321|     r321_1(glval<char[1024]>) = VariableAddress[buffer]            : 
 #  321|     mu321_2(char[1024])       = Uninitialized[buffer]              : &:r321_1
 #  322|     r322_1(glval<char *>)     = VariableAddress[ptr1]              : 
-#  322|     m322_2(char *)            = Uninitialized[ptr1]                : &:r322_1
+#  322|     mu322_2(char *)           = Uninitialized[ptr1]                : &:r322_1
 #  322|     r322_3(glval<char **>)    = VariableAddress[ptr2]              : 
 #  322|     m322_4(char **)           = Uninitialized[ptr2]                : &:r322_3
 #  323|     r323_1(glval<char *>)     = VariableAddress[ptr3]              : 
@@ -1399,7 +1399,7 @@ ssa.cpp:
 #  325|     r325_1(glval<char[1024]>) = VariableAddress[buffer]            : 
 #  325|     r325_2(char *)            = Convert                            : r325_1
 #  325|     r325_3(glval<char *>)     = VariableAddress[ptr1]              : 
-#  325|     m325_4(char *)            = Store[ptr1]                        : &:r325_3, r325_2
+#  325|     mu325_4(char *)           = Store[ptr1]                        : &:r325_3, r325_2
 #  326|     r326_1(glval<char *>)     = VariableAddress[ptr1]              : 
 #  326|     r326_2(char **)           = CopyValue                          : r326_1
 #  326|     r326_3(glval<char **>)    = VariableAddress[ptr2]              : 
@@ -1425,7 +1425,7 @@ ssa.cpp:
 #  329|     mu329_7(unknown)          = ^BufferMayWriteSideEffect[0]       : &:r329_3
 #  330|     r330_1(glval<unknown>)    = FunctionAddress[sink]              : 
 #  330|     r330_2(glval<char *>)     = VariableAddress[ptr1]              : 
-#  330|     r330_3(char *)            = Load[ptr1]                         : &:r330_2, m325_4
+#  330|     r330_3(char *)            = Load[ptr1]                         : &:r330_2, ~m?
 #  330|     v330_4(void)              = Call[sink]                         : func:r330_1, 0:r330_3
 #  330|     mu330_5(unknown)          = ^CallSideEffect                    : ~m?
 #  330|     v330_6(void)              = ^BufferReadSideEffect[0]           : &:r330_3, ~m?
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index e26d61b9792..ce2ebf5ce14 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -325,6 +325,10 @@ predicate allocationEscapes(Configuration::Allocation allocation) {
   exists(IREscapeAnalysisConfiguration config |
     config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
   )
+  or
+  exists(Configuration::StageEscapeConfiguration config |
+    config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
+  )
 }
 
 /**
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll
index 5be476e12ee..2ca333ad25c 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll
@@ -14,3 +14,11 @@ class Allocation extends IRAutomaticVariable {
     none()
   }
 }
+
+class StageEscapeConfiguration extends string {
+  StageEscapeConfiguration() {
+    this = "StageEscapeConfiguration (unaliased_ssa)"
+  }
+
+  predicate useSoundEscapeAnalysis() { any() }
+}

From deff5c3af15b5c04677c9c0a9a71bc788b1c4e39 Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Wed, 10 Mar 2021 14:45:46 -0800
Subject: [PATCH 0898/1429] C++: Reuse SSA from earlier stages

This refactors the SSA stages of the IR so that instructions which have
a modeled memory result in the unaliased SSA stage do not have SSA
recomputed in the aliased SSA stage.
---
 .../aliased_ssa/Instruction.qll               |   8 ++
 .../ir/implementation/aliased_ssa/Operand.qll |   9 +-
 .../aliased_ssa/internal/AliasAnalysis.qll    |   5 +
 .../internal/AliasConfiguration.qll           |   6 +-
 .../aliased_ssa/internal/AliasedSSA.qll       |  13 +++
 .../aliased_ssa/internal/SSAConstruction.qll  | 100 +++++++++++++++++-
 .../implementation/internal/TInstruction.qll  |  12 ++-
 .../ir/implementation/internal/TOperand.qll   |  30 +++++-
 .../cpp/ir/implementation/raw/Instruction.qll |   8 ++
 .../cpp/ir/implementation/raw/Operand.qll     |   9 +-
 .../unaliased_ssa/Instruction.qll             |   8 ++
 .../implementation/unaliased_ssa/Operand.qll  |   9 +-
 .../unaliased_ssa/internal/AliasAnalysis.qll  |   5 +
 .../internal/SSAConstruction.qll              | 100 +++++++++++++++++-
 .../unaliased_ssa/internal/SimpleSSA.qll      |  19 +++-
 .../implementation/internal/TInstruction.qll  |  12 ++-
 .../unaliased_ssa/internal/AliasAnalysis.qll  |   5 +
 .../internal/SSAConstruction.qll              |  20 ++++
 .../unaliased_ssa/internal/SimpleSSA.qll      |  19 +++-
 19 files changed, 375 insertions(+), 22 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
index e335080ad6b..453838215ff 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll
@@ -1994,6 +1994,14 @@ class PhiInstruction extends Instruction {
    */
   pragma[noinline]
   final Instruction getAnInput() { result = this.getAnInputOperand().getDef() }
+
+  /**
+   * Gets the input operand representing the value that flows from the specified predecessor block.
+   */
+  final PhiInputOperand getInputOperand(IRBlock predecessorBlock) {
+    result = this.getAnOperand() and
+    result.getPredecessorBlock() = predecessorBlock
+  }
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll
index a2ce0662dc2..760f2b5b39d 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll
@@ -31,7 +31,8 @@ class Operand extends TStageOperand {
     exists(Instruction use, Instruction def | this = registerOperand(use, _, def)) or
     exists(Instruction use | this = nonSSAMemoryOperand(use, _)) or
     exists(Instruction use, Instruction def, IRBlock predecessorBlock |
-      this = phiOperand(use, def, predecessorBlock, _)
+      this = phiOperand(use, def, predecessorBlock, _) or
+      this = reusedPhiOperand(use, def, predecessorBlock, _)
     ) or
     exists(Instruction use | this = chiOperand(use, _))
   }
@@ -431,7 +432,11 @@ class PhiInputOperand extends MemoryOperand, TPhiOperand {
   Overlap overlap;
 
   cached
-  PhiInputOperand() { this = phiOperand(useInstr, defInstr, predecessorBlock, overlap) }
+  PhiInputOperand() {
+    this = phiOperand(useInstr, defInstr, predecessorBlock, overlap)
+    or
+    this = reusedPhiOperand(useInstr, defInstr, predecessorBlock, overlap)
+  }
 
   override string toString() { result = "Phi" }
 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
index ce2ebf5ce14..83492e6ab79 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
@@ -90,6 +90,11 @@ private predicate operandIsConsumedWithoutEscaping(Operand operand) {
       or
       // Converting an address to a `bool` does not escape the address.
       instr.(ConvertInstruction).getResultIRType() instanceof IRBooleanType
+      or
+      instr instanceof CallInstruction and
+      not exists(IREscapeAnalysisConfiguration config |
+        config.useSoundEscapeAnalysis()
+      )
     )
   )
   or
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll
index d03e424abd7..3be9dc581d7 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll
@@ -2,9 +2,13 @@ private import AliasConfigurationInternal
 private import semmle.code.cpp.ir.implementation.unaliased_ssa.IR
 private import cpp
 private import AliasAnalysis
+private import semmle.code.cpp.ir.implementation.unaliased_ssa.internal.SimpleSSA as UnaliasedSSA
 
 private newtype TAllocation =
-  TVariableAllocation(IRVariable var) or
+  TVariableAllocation(IRVariable var) {
+    // Only model variables that were not already handled in unaliased SSA.
+    not UnaliasedSSA::canReuseSSAForVariable(var)
+  } or
   TIndirectParameterAllocation(IRAutomaticVariable var) {
     exists(InitializeIndirectionInstruction instr | instr.getIRVariable() = var)
   } or
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll
index fdabee2affe..d8e6bba31a7 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll
@@ -3,6 +3,7 @@ import semmle.code.cpp.ir.internal.Overlap
 private import semmle.code.cpp.ir.internal.IRCppLanguage as Language
 private import semmle.code.cpp.Print
 private import semmle.code.cpp.ir.implementation.unaliased_ssa.IR
+private import semmle.code.cpp.ir.implementation.unaliased_ssa.internal.SSAConstruction as OldSSA
 private import semmle.code.cpp.ir.internal.IntegerConstant as Ints
 private import semmle.code.cpp.ir.internal.IntegerInterval as Interval
 private import semmle.code.cpp.ir.implementation.internal.OperandTag
@@ -131,6 +132,8 @@ abstract class MemoryLocation extends TMemoryLocation {
    * with automatic storage duration).
    */
   predicate isAlwaysAllocatedOnStack() { none() }
+
+  final predicate canReuseSSA() { any() }
 }
 
 /**
@@ -562,10 +565,19 @@ private Overlap getVariableMemoryLocationOverlap(
       use.getEndBitOffset())
 }
 
+/**
+ * Holds if the def/use information for the result of `instr` can be reused from the previous
+ * iteration of the IR.
+ */
+predicate canReuseSSAForOldResult(Instruction instr) {
+  OldSSA::canReuseSSAForMemoryResult(instr)
+}
+
 bindingset[result, b]
 private boolean unbindBool(boolean b) { result != b.booleanNot() }
 
 MemoryLocation getResultMemoryLocation(Instruction instr) {
+  not(canReuseSSAForOldResult(instr)) and
   exists(MemoryAccessKind kind, boolean isMayAccess |
     kind = instr.getResultMemoryAccess() and
     (if instr.hasResultMayMemoryAccess() then isMayAccess = true else isMayAccess = false) and
@@ -598,6 +610,7 @@ MemoryLocation getResultMemoryLocation(Instruction instr) {
 }
 
 MemoryLocation getOperandMemoryLocation(MemoryOperand operand) {
+  not(canReuseSSAForOldResult(operand.getAnyDef())) and
   exists(MemoryAccessKind kind, boolean isMayAccess |
     kind = operand.getMemoryAccess() and
     (if operand.hasMayReadMemoryAccess() then isMayAccess = true else isMayAccess = false) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
index 1ba19b4a4c3..6e4440f253c 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
@@ -58,9 +58,28 @@ private module Cached {
     result.getFirstInstruction() = getNewInstruction(oldBlock.getFirstInstruction())
   }
 
+  /**
+   * Gets the block from the old IR that corresponds to `newBlock`.
+   */
+  private OldBlock getOldBlock(IRBlock newBlock) { getNewBlock(result) = newBlock }
+
+  /**
+   * Holds if this iteration of SSA can model the def/use information for the result of
+   * `oldInstruction`, either because alias analysis has determined a memory location for that
+   * result, or because a previous iteration of the IR already computed that def/use information
+   * completely.
+   */
+  private predicate canModelResultForOldInstruction(OldInstruction oldInstruction) {
+    // We're modeling the result's memory location ourselves.
+    exists(Alias::getResultMemoryLocation(oldInstruction))
+    or
+    // This result was already modeled by a previous iteration of SSA.
+    Alias::canReuseSSAForOldResult(oldInstruction)
+  }
+
   cached
   predicate hasModeledMemoryResult(Instruction instruction) {
-    exists(Alias::getResultMemoryLocation(getOldInstruction(instruction))) or
+    canModelResultForOldInstruction(getOldInstruction(instruction)) or
     instruction instanceof PhiInstruction or // Phis always have modeled results
     instruction instanceof ChiInstruction // Chis always have modeled results
   }
@@ -117,6 +136,30 @@ private module Cached {
     )
   }
 
+  /**
+   * Gets the new definition instruction for `oldOperand` based on `oldOperand`'s definition in the
+   * old IR. Usually, this will just get the old definition of `oldOperand` and map it to the
+   * corresponding new instruction. However, if the old definition of `oldOperand` is a `Phi`
+   * instruction that is now degenerate due all but one of its predecessor branches being
+   * unreachable, this predicate will recurse through any degenerate `Phi` instructions to find the
+   * true definition.
+   */
+  private Instruction getNewDefinitionFromOldSSA(OldIR::MemoryOperand oldOperand, Overlap overlap) {
+    exists(Overlap originalOverlap |
+      originalOverlap = oldOperand.getDefinitionOverlap() and
+      (
+        result = getNewInstruction(oldOperand.getAnyDef()) and
+        overlap = originalOverlap
+        /*or
+        exists(OldIR::PhiInputOperand phiOperand, Overlap phiOperandOverlap |
+          phiOperand = getDegeneratePhiOperand(oldOperand.getAnyDef()) and
+          result = getNewDefinitionFromOldSSA(phiOperand, phiOperandOverlap) and
+          overlap = combineOverlap(phiOperandOverlap, originalOverlap)
+        ) */
+      )
+    )
+  }
+
   cached
   private Instruction getMemoryOperandDefinition0(
     Instruction instruction, MemoryOperandTag tag, Overlap overlap
@@ -148,6 +191,12 @@ private module Cached {
       overlap instanceof MustExactlyOverlap and
       exists(MustTotallyOverlap o | exists(getMemoryOperandDefinition0(instruction, tag, o)))
     )
+    or
+    exists(OldIR::NonPhiMemoryOperand oldOperand |
+      result = getNewDefinitionFromOldSSA(oldOperand, overlap) and
+      oldOperand.getUse() = instruction and
+      tag = oldOperand.getOperandTag()
+    )
   }
 
   /**
@@ -214,10 +263,24 @@ private module Cached {
     )
   }
 
+  /**
+   * Gets the new definition instruction for the operand of `instr` that flows from the block
+   * `newPredecessorBlock`, based on that operand's definition in the old IR.
+   */
+  private Instruction getNewPhiOperandDefinitionFromOldSSA(
+    Instruction instr, IRBlock newPredecessorBlock, Overlap overlap
+  ) {
+    exists(OldIR::PhiInstruction oldPhi, OldIR::PhiInputOperand oldOperand |
+      oldPhi = getOldInstruction(instr) and
+      oldOperand = oldPhi.getInputOperand(getOldBlock(newPredecessorBlock)) and
+      result = getNewDefinitionFromOldSSA(oldOperand, overlap)
+    )
+  }
+
   pragma[noopt]
   cached
   Instruction getPhiOperandDefinition(
-    PhiInstruction instr, IRBlock newPredecessorBlock, Overlap overlap
+    Instruction instr, IRBlock newPredecessorBlock, Overlap overlap
   ) {
     exists(
       Alias::MemoryLocation defLocation, Alias::MemoryLocation useLocation, OldBlock phiBlock,
@@ -229,6 +292,8 @@ private module Cached {
       result = getDefinitionOrChiInstruction(defBlock, defOffset, defLocation, actualDefLocation) and
       overlap = Alias::getOverlap(actualDefLocation, useLocation)
     )
+    or
+    result = getNewPhiOperandDefinitionFromOldSSA(instr, newPredecessorBlock, overlap)
   }
 
   cached
@@ -248,8 +313,12 @@ private module Cached {
 
   cached
   Instruction getPhiInstructionBlockStart(PhiInstruction instr) {
-    exists(OldBlock oldBlock |
-      instr = getPhi(oldBlock, _) and
+    exists(OldBlock oldBlock |      (
+      instr = getPhi(oldBlock, _)
+      or
+      // Any `Phi` that we propagated from the previous iteration stays in the same block.
+      getOldInstruction(instr).getBlock() = oldBlock
+    ) and
       result = getNewInstruction(oldBlock.getFirstInstruction())
     )
   }
@@ -335,6 +404,9 @@ private module Cached {
       result = vvar.getType()
     )
     or
+    instr = reusedPhiInstruction(_) and
+    result = instr.(OldInstruction).getResultLanguageType()
+    or
     instr = unreachedInstruction(_) and result = Language::getVoidType()
   }
 
@@ -862,6 +934,26 @@ module DefUse {
   }
 }
 
+predicate canReuseSSAForMemoryResult(Instruction instruction) {
+  exists(OldInstruction oldInstruction |
+    oldInstruction = getOldInstruction(instruction) and
+    (
+      // The previous iteration said it was reusable, so we should mark it as reusable as well.
+      Alias::canReuseSSAForOldResult(oldInstruction)
+      or
+      // The current alias analysis says it is reusable.
+      Alias::getResultMemoryLocation(oldInstruction).canReuseSSA()
+    )
+  )
+  or
+  exists(Alias::MemoryLocation defLocation |
+    // This is a `Phi` for a reusable location, so the result of the `Phi` is reusable as well.
+    instruction = phiInstruction(_, defLocation) and
+    defLocation.canReuseSSA()
+  )
+  // We don't support reusing SSA for any location that could create a `Chi` instruction.
+}
+
 /**
  * Expose some of the internal predicates to PrintSSA.qll. We do this by publically importing those modules in the
  * `DebugSSA` module, which is then imported by PrintSSA.
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TInstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TInstruction.qll
index e16b71733b5..e7dfea40313 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TInstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TInstruction.qll
@@ -55,6 +55,11 @@ module UnaliasedSSAInstructions {
     result = TUnaliasedSSAPhiInstruction(blockStartInstr, memoryLocation)
   }
 
+  TRawInstruction reusedPhiInstruction(
+    TRawInstruction blockStartInstr) {
+    none()
+  }
+
   class TChiInstruction = TUnaliasedSSAChiInstruction;
 
   TChiInstruction chiInstruction(TRawInstruction primaryInstruction) {
@@ -75,7 +80,7 @@ module UnaliasedSSAInstructions {
  * a class alias.
  */
 module AliasedSSAInstructions {
-  class TPhiInstruction = TAliasedSSAPhiInstruction;
+  class TPhiInstruction = TAliasedSSAPhiInstruction or TUnaliasedSSAPhiInstruction;
 
   TPhiInstruction phiInstruction(
     TRawInstruction blockStartInstr, AliasedSSA::SSA::MemoryLocation memoryLocation
@@ -83,6 +88,11 @@ module AliasedSSAInstructions {
     result = TAliasedSSAPhiInstruction(blockStartInstr, memoryLocation)
   }
 
+  TPhiInstruction reusedPhiInstruction(
+    TRawInstruction blockStartInstr) {
+    result = TUnaliasedSSAPhiInstruction(blockStartInstr, _)
+  }
+
   class TChiInstruction = TAliasedSSAChiInstruction;
 
   TChiInstruction chiInstruction(TRawInstruction primaryInstruction) {
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TOperand.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TOperand.qll
index 1e132463cdd..69e68d97adc 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TOperand.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TOperand.qll
@@ -84,7 +84,7 @@ private module Shared {
   }
 }
 
-/**
+/** 
  * Provides wrappers for the constructors of each branch of `TOperand` that is used by the
  * raw IR stage.
  * These wrappers are not parameterized because it is not possible to invoke an IPA constructor via
@@ -109,6 +109,12 @@ module RawOperands {
     none()
   }
 
+  TPhiOperand reusedPhiOperand(
+    Raw::PhiInstruction useInstr, Raw::Instruction defInstr, Raw::IRBlock predecessorBlock,
+    Overlap overlap
+  ) {
+    none()
+  }
   /**
    * Returns the Chi operand with the specified parameters.
    */
@@ -140,6 +146,12 @@ module UnaliasedSSAOperands {
     result = Internal::TUnaliasedPhiOperand(useInstr, defInstr, predecessorBlock, overlap)
   }
 
+  TPhiOperand reusedPhiOperand(
+    Unaliased::PhiInstruction useInstr, Unaliased::Instruction defInstr,
+    Unaliased::IRBlock predecessorBlock, Overlap overlap
+  ) {
+    none()
+  }
   /**
    * Returns the Chi operand with the specified parameters.
    */
@@ -155,7 +167,7 @@ module UnaliasedSSAOperands {
 module AliasedSSAOperands {
   import Shared
 
-  class TPhiOperand = Internal::TAliasedPhiOperand;
+  class TPhiOperand = Internal::TAliasedPhiOperand or Internal::TUnaliasedPhiOperand;
 
   class TChiOperand = Internal::TAliasedChiOperand;
 
@@ -165,12 +177,24 @@ module AliasedSSAOperands {
    * Returns the Phi operand with the specified parameters.
    */
   TPhiOperand phiOperand(
-    TAliasedSSAPhiInstruction useInstr, Aliased::Instruction defInstr,
+    Aliased::PhiInstruction useInstr, Aliased::Instruction defInstr,
     Aliased::IRBlock predecessorBlock, Overlap overlap
   ) {
     result = Internal::TAliasedPhiOperand(useInstr, defInstr, predecessorBlock, overlap)
   }
 
+  /**
+   * Returns the Phi operand with the specified parameters.
+   */
+  TPhiOperand reusedPhiOperand(
+    Aliased::PhiInstruction useInstr, Aliased::Instruction defInstr,
+    Aliased::IRBlock predecessorBlock, Overlap overlap
+  ) {
+    exists(Unaliased::IRBlock oldBlock |
+      predecessorBlock.getFirstInstruction() = oldBlock.getFirstInstruction() and
+      result = Internal::TUnaliasedPhiOperand(useInstr, defInstr, oldBlock, overlap)
+    )
+  }
   /**
    * Returns the Chi operand with the specified parameters.
    */
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
index e335080ad6b..453838215ff 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll
@@ -1994,6 +1994,14 @@ class PhiInstruction extends Instruction {
    */
   pragma[noinline]
   final Instruction getAnInput() { result = this.getAnInputOperand().getDef() }
+
+  /**
+   * Gets the input operand representing the value that flows from the specified predecessor block.
+   */
+  final PhiInputOperand getInputOperand(IRBlock predecessorBlock) {
+    result = this.getAnOperand() and
+    result.getPredecessorBlock() = predecessorBlock
+  }
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll
index a2ce0662dc2..760f2b5b39d 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll
@@ -31,7 +31,8 @@ class Operand extends TStageOperand {
     exists(Instruction use, Instruction def | this = registerOperand(use, _, def)) or
     exists(Instruction use | this = nonSSAMemoryOperand(use, _)) or
     exists(Instruction use, Instruction def, IRBlock predecessorBlock |
-      this = phiOperand(use, def, predecessorBlock, _)
+      this = phiOperand(use, def, predecessorBlock, _) or
+      this = reusedPhiOperand(use, def, predecessorBlock, _)
     ) or
     exists(Instruction use | this = chiOperand(use, _))
   }
@@ -431,7 +432,11 @@ class PhiInputOperand extends MemoryOperand, TPhiOperand {
   Overlap overlap;
 
   cached
-  PhiInputOperand() { this = phiOperand(useInstr, defInstr, predecessorBlock, overlap) }
+  PhiInputOperand() {
+    this = phiOperand(useInstr, defInstr, predecessorBlock, overlap)
+    or
+    this = reusedPhiOperand(useInstr, defInstr, predecessorBlock, overlap)
+  }
 
   override string toString() { result = "Phi" }
 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
index e335080ad6b..453838215ff 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll
@@ -1994,6 +1994,14 @@ class PhiInstruction extends Instruction {
    */
   pragma[noinline]
   final Instruction getAnInput() { result = this.getAnInputOperand().getDef() }
+
+  /**
+   * Gets the input operand representing the value that flows from the specified predecessor block.
+   */
+  final PhiInputOperand getInputOperand(IRBlock predecessorBlock) {
+    result = this.getAnOperand() and
+    result.getPredecessorBlock() = predecessorBlock
+  }
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll
index a2ce0662dc2..760f2b5b39d 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll
@@ -31,7 +31,8 @@ class Operand extends TStageOperand {
     exists(Instruction use, Instruction def | this = registerOperand(use, _, def)) or
     exists(Instruction use | this = nonSSAMemoryOperand(use, _)) or
     exists(Instruction use, Instruction def, IRBlock predecessorBlock |
-      this = phiOperand(use, def, predecessorBlock, _)
+      this = phiOperand(use, def, predecessorBlock, _) or
+      this = reusedPhiOperand(use, def, predecessorBlock, _)
     ) or
     exists(Instruction use | this = chiOperand(use, _))
   }
@@ -431,7 +432,11 @@ class PhiInputOperand extends MemoryOperand, TPhiOperand {
   Overlap overlap;
 
   cached
-  PhiInputOperand() { this = phiOperand(useInstr, defInstr, predecessorBlock, overlap) }
+  PhiInputOperand() {
+    this = phiOperand(useInstr, defInstr, predecessorBlock, overlap)
+    or
+    this = reusedPhiOperand(useInstr, defInstr, predecessorBlock, overlap)
+  }
 
   override string toString() { result = "Phi" }
 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index ce2ebf5ce14..83492e6ab79 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -90,6 +90,11 @@ private predicate operandIsConsumedWithoutEscaping(Operand operand) {
       or
       // Converting an address to a `bool` does not escape the address.
       instr.(ConvertInstruction).getResultIRType() instanceof IRBooleanType
+      or
+      instr instanceof CallInstruction and
+      not exists(IREscapeAnalysisConfiguration config |
+        config.useSoundEscapeAnalysis()
+      )
     )
   )
   or
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
index 1ba19b4a4c3..6e4440f253c 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -58,9 +58,28 @@ private module Cached {
     result.getFirstInstruction() = getNewInstruction(oldBlock.getFirstInstruction())
   }
 
+  /**
+   * Gets the block from the old IR that corresponds to `newBlock`.
+   */
+  private OldBlock getOldBlock(IRBlock newBlock) { getNewBlock(result) = newBlock }
+
+  /**
+   * Holds if this iteration of SSA can model the def/use information for the result of
+   * `oldInstruction`, either because alias analysis has determined a memory location for that
+   * result, or because a previous iteration of the IR already computed that def/use information
+   * completely.
+   */
+  private predicate canModelResultForOldInstruction(OldInstruction oldInstruction) {
+    // We're modeling the result's memory location ourselves.
+    exists(Alias::getResultMemoryLocation(oldInstruction))
+    or
+    // This result was already modeled by a previous iteration of SSA.
+    Alias::canReuseSSAForOldResult(oldInstruction)
+  }
+
   cached
   predicate hasModeledMemoryResult(Instruction instruction) {
-    exists(Alias::getResultMemoryLocation(getOldInstruction(instruction))) or
+    canModelResultForOldInstruction(getOldInstruction(instruction)) or
     instruction instanceof PhiInstruction or // Phis always have modeled results
     instruction instanceof ChiInstruction // Chis always have modeled results
   }
@@ -117,6 +136,30 @@ private module Cached {
     )
   }
 
+  /**
+   * Gets the new definition instruction for `oldOperand` based on `oldOperand`'s definition in the
+   * old IR. Usually, this will just get the old definition of `oldOperand` and map it to the
+   * corresponding new instruction. However, if the old definition of `oldOperand` is a `Phi`
+   * instruction that is now degenerate due all but one of its predecessor branches being
+   * unreachable, this predicate will recurse through any degenerate `Phi` instructions to find the
+   * true definition.
+   */
+  private Instruction getNewDefinitionFromOldSSA(OldIR::MemoryOperand oldOperand, Overlap overlap) {
+    exists(Overlap originalOverlap |
+      originalOverlap = oldOperand.getDefinitionOverlap() and
+      (
+        result = getNewInstruction(oldOperand.getAnyDef()) and
+        overlap = originalOverlap
+        /*or
+        exists(OldIR::PhiInputOperand phiOperand, Overlap phiOperandOverlap |
+          phiOperand = getDegeneratePhiOperand(oldOperand.getAnyDef()) and
+          result = getNewDefinitionFromOldSSA(phiOperand, phiOperandOverlap) and
+          overlap = combineOverlap(phiOperandOverlap, originalOverlap)
+        ) */
+      )
+    )
+  }
+
   cached
   private Instruction getMemoryOperandDefinition0(
     Instruction instruction, MemoryOperandTag tag, Overlap overlap
@@ -148,6 +191,12 @@ private module Cached {
       overlap instanceof MustExactlyOverlap and
       exists(MustTotallyOverlap o | exists(getMemoryOperandDefinition0(instruction, tag, o)))
     )
+    or
+    exists(OldIR::NonPhiMemoryOperand oldOperand |
+      result = getNewDefinitionFromOldSSA(oldOperand, overlap) and
+      oldOperand.getUse() = instruction and
+      tag = oldOperand.getOperandTag()
+    )
   }
 
   /**
@@ -214,10 +263,24 @@ private module Cached {
     )
   }
 
+  /**
+   * Gets the new definition instruction for the operand of `instr` that flows from the block
+   * `newPredecessorBlock`, based on that operand's definition in the old IR.
+   */
+  private Instruction getNewPhiOperandDefinitionFromOldSSA(
+    Instruction instr, IRBlock newPredecessorBlock, Overlap overlap
+  ) {
+    exists(OldIR::PhiInstruction oldPhi, OldIR::PhiInputOperand oldOperand |
+      oldPhi = getOldInstruction(instr) and
+      oldOperand = oldPhi.getInputOperand(getOldBlock(newPredecessorBlock)) and
+      result = getNewDefinitionFromOldSSA(oldOperand, overlap)
+    )
+  }
+
   pragma[noopt]
   cached
   Instruction getPhiOperandDefinition(
-    PhiInstruction instr, IRBlock newPredecessorBlock, Overlap overlap
+    Instruction instr, IRBlock newPredecessorBlock, Overlap overlap
   ) {
     exists(
       Alias::MemoryLocation defLocation, Alias::MemoryLocation useLocation, OldBlock phiBlock,
@@ -229,6 +292,8 @@ private module Cached {
       result = getDefinitionOrChiInstruction(defBlock, defOffset, defLocation, actualDefLocation) and
       overlap = Alias::getOverlap(actualDefLocation, useLocation)
     )
+    or
+    result = getNewPhiOperandDefinitionFromOldSSA(instr, newPredecessorBlock, overlap)
   }
 
   cached
@@ -248,8 +313,12 @@ private module Cached {
 
   cached
   Instruction getPhiInstructionBlockStart(PhiInstruction instr) {
-    exists(OldBlock oldBlock |
-      instr = getPhi(oldBlock, _) and
+    exists(OldBlock oldBlock |      (
+      instr = getPhi(oldBlock, _)
+      or
+      // Any `Phi` that we propagated from the previous iteration stays in the same block.
+      getOldInstruction(instr).getBlock() = oldBlock
+    ) and
       result = getNewInstruction(oldBlock.getFirstInstruction())
     )
   }
@@ -335,6 +404,9 @@ private module Cached {
       result = vvar.getType()
     )
     or
+    instr = reusedPhiInstruction(_) and
+    result = instr.(OldInstruction).getResultLanguageType()
+    or
     instr = unreachedInstruction(_) and result = Language::getVoidType()
   }
 
@@ -862,6 +934,26 @@ module DefUse {
   }
 }
 
+predicate canReuseSSAForMemoryResult(Instruction instruction) {
+  exists(OldInstruction oldInstruction |
+    oldInstruction = getOldInstruction(instruction) and
+    (
+      // The previous iteration said it was reusable, so we should mark it as reusable as well.
+      Alias::canReuseSSAForOldResult(oldInstruction)
+      or
+      // The current alias analysis says it is reusable.
+      Alias::getResultMemoryLocation(oldInstruction).canReuseSSA()
+    )
+  )
+  or
+  exists(Alias::MemoryLocation defLocation |
+    // This is a `Phi` for a reusable location, so the result of the `Phi` is reusable as well.
+    instruction = phiInstruction(_, defLocation) and
+    defLocation.canReuseSSA()
+  )
+  // We don't support reusing SSA for any location that could create a `Chi` instruction.
+}
+
 /**
  * Expose some of the internal predicates to PrintSSA.qll. We do this by publically importing those modules in the
  * `DebugSSA` module, which is then imported by PrintSSA.
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll
index a7b9160bdc7..906699b6394 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll
@@ -17,7 +17,7 @@ private predicate isTotalAccess(Allocation var, AddressOperand addrOperand, IRTy
  * variable if its address never escapes and all reads and writes of that variable access the entire
  * variable using the original type of the variable.
  */
-private predicate isVariableModeled(Allocation var) {
+predicate isVariableModeled(Allocation var) {
   not allocationEscapes(var) and
   forall(Instruction instr, AddressOperand addrOperand, IRType type |
     addrOperand = instr.getResultAddressOperand() and
@@ -35,6 +35,17 @@ private predicate isVariableModeled(Allocation var) {
   )
 }
 
+/**
+ * Holds if the SSA use/def chain for the specified variable can be safely reused by later
+ * iterations of SSA construction. This will hold only if we modeled the variable soundly, so that
+ * subsequent iterations will recompute SSA for any variable that we assumed did not escape, but
+ * actually would have escaped if we had used a sound escape analysis.
+ */
+predicate canReuseSSAForVariable(IRAutomaticVariable var) {
+  isVariableModeled(var) and
+  not allocationEscapes(var)
+}
+
 private newtype TMemoryLocation = MkMemoryLocation(Allocation var) { isVariableModeled(var) }
 
 private MemoryLocation getMemoryLocation(Allocation var) { result.getAllocation() = var }
@@ -57,6 +68,12 @@ class MemoryLocation extends TMemoryLocation {
   final Language::LanguageType getType() { result = var.getLanguageType() }
 
   final string getUniqueId() { result = var.getUniqueId() }
+
+  final predicate canReuseSSA() { canReuseSSAForVariable(var) }
+}
+
+predicate canReuseSSAForOldResult(Instruction instr) {
+  none()
 }
 
 /**
diff --git a/csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll b/csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll
index e16b71733b5..911d9af78fa 100644
--- a/csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll
+++ b/csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll
@@ -55,6 +55,11 @@ module UnaliasedSSAInstructions {
     result = TUnaliasedSSAPhiInstruction(blockStartInstr, memoryLocation)
   }
 
+  TPhiInstruction reusedPhiInstruction(
+    TRawInstruction blockStartInstr) {
+    none()
+  }
+
   class TChiInstruction = TUnaliasedSSAChiInstruction;
 
   TChiInstruction chiInstruction(TRawInstruction primaryInstruction) {
@@ -75,7 +80,7 @@ module UnaliasedSSAInstructions {
  * a class alias.
  */
 module AliasedSSAInstructions {
-  class TPhiInstruction = TAliasedSSAPhiInstruction;
+  class TPhiInstruction = TAliasedSSAPhiInstruction or TUnaliasedSSAPhiInstruction;
 
   TPhiInstruction phiInstruction(
     TRawInstruction blockStartInstr, AliasedSSA::SSA::MemoryLocation memoryLocation
@@ -83,6 +88,11 @@ module AliasedSSAInstructions {
     result = TAliasedSSAPhiInstruction(blockStartInstr, memoryLocation)
   }
 
+  TPhiInstruction reusedPhiInstruction(
+    TRawInstruction blockStartInstr) {
+    result = TUnaliasedSSAPhiInstruction(blockStartInstr, _)
+  }
+
   class TChiInstruction = TAliasedSSAChiInstruction;
 
   TChiInstruction chiInstruction(TRawInstruction primaryInstruction) {
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index ce2ebf5ce14..83492e6ab79 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -90,6 +90,11 @@ private predicate operandIsConsumedWithoutEscaping(Operand operand) {
       or
       // Converting an address to a `bool` does not escape the address.
       instr.(ConvertInstruction).getResultIRType() instanceof IRBooleanType
+      or
+      instr instanceof CallInstruction and
+      not exists(IREscapeAnalysisConfiguration config |
+        config.useSoundEscapeAnalysis()
+      )
     )
   )
   or
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
index 1ba19b4a4c3..262865fa1d1 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -862,6 +862,26 @@ module DefUse {
   }
 }
 
+predicate canReuseSSAForMemoryResult(Instruction instruction) {
+  exists(OldInstruction oldInstruction |
+    oldInstruction = getOldInstruction(instruction) and
+    (
+      // The previous iteration said it was reusable, so we should mark it as reusable as well.
+      Alias::canReuseSSAForOldResult(oldInstruction)
+      or
+      // The current alias analysis says it is reusable.
+      Alias::getResultMemoryLocation(oldInstruction).canReuseSSA()
+    )
+  )
+  or
+  exists(Alias::MemoryLocation defLocation |
+    // This is a `Phi` for a reusable location, so the result of the `Phi` is reusable as well.
+    instruction = phiInstruction(_, defLocation) and
+    defLocation.canReuseSSA()
+  )
+  // We don't support reusing SSA for any location that could create a `Chi` instruction.
+}
+
 /**
  * Expose some of the internal predicates to PrintSSA.qll. We do this by publically importing those modules in the
  * `DebugSSA` module, which is then imported by PrintSSA.
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll
index a7b9160bdc7..906699b6394 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll
@@ -17,7 +17,7 @@ private predicate isTotalAccess(Allocation var, AddressOperand addrOperand, IRTy
  * variable if its address never escapes and all reads and writes of that variable access the entire
  * variable using the original type of the variable.
  */
-private predicate isVariableModeled(Allocation var) {
+predicate isVariableModeled(Allocation var) {
   not allocationEscapes(var) and
   forall(Instruction instr, AddressOperand addrOperand, IRType type |
     addrOperand = instr.getResultAddressOperand() and
@@ -35,6 +35,17 @@ private predicate isVariableModeled(Allocation var) {
   )
 }
 
+/**
+ * Holds if the SSA use/def chain for the specified variable can be safely reused by later
+ * iterations of SSA construction. This will hold only if we modeled the variable soundly, so that
+ * subsequent iterations will recompute SSA for any variable that we assumed did not escape, but
+ * actually would have escaped if we had used a sound escape analysis.
+ */
+predicate canReuseSSAForVariable(IRAutomaticVariable var) {
+  isVariableModeled(var) and
+  not allocationEscapes(var)
+}
+
 private newtype TMemoryLocation = MkMemoryLocation(Allocation var) { isVariableModeled(var) }
 
 private MemoryLocation getMemoryLocation(Allocation var) { result.getAllocation() = var }
@@ -57,6 +68,12 @@ class MemoryLocation extends TMemoryLocation {
   final Language::LanguageType getType() { result = var.getLanguageType() }
 
   final string getUniqueId() { result = var.getUniqueId() }
+
+  final predicate canReuseSSA() { canReuseSSAForVariable(var) }
+}
+
+predicate canReuseSSAForOldResult(Instruction instr) {
+  none()
 }
 
 /**

From 8bc7e5993e436089c48b54d7cfcfed0c26ea7588 Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Tue, 13 Apr 2021 16:49:41 -0700
Subject: [PATCH 0899/1429] autoformat and sync C++ files

---
 .../ir/implementation/aliased_ssa/Operand.qll |  9 ++++--
 .../aliased_ssa/internal/AliasAnalysis.qll    |  4 +--
 .../internal/AliasConfiguration.qll           |  4 +--
 .../aliased_ssa/internal/AliasedSSA.qll       |  8 ++---
 .../aliased_ssa/internal/SSAConstruction.qll  | 30 +++++++++++--------
 .../implementation/internal/TInstruction.qll  |  8 ++---
 .../ir/implementation/internal/TOperand.qll   |  5 +++-
 .../cpp/ir/implementation/raw/Operand.qll     |  9 ++++--
 .../implementation/unaliased_ssa/Operand.qll  |  9 ++++--
 .../unaliased_ssa/internal/AliasAnalysis.qll  |  4 +--
 .../internal/AliasConfiguration.qll           |  4 +--
 .../internal/SSAConstruction.qll              | 30 +++++++++++--------
 .../unaliased_ssa/internal/SimpleSSA.qll      |  4 +--
 13 files changed, 66 insertions(+), 62 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll
index 760f2b5b39d..d7cf89ca9aa 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll
@@ -28,12 +28,15 @@ class Operand extends TStageOperand {
   cached
   Operand() {
     // Ensure that the operand does not refer to instructions from earlier stages that are unreachable here
-    exists(Instruction use, Instruction def | this = registerOperand(use, _, def)) or
-    exists(Instruction use | this = nonSSAMemoryOperand(use, _)) or
+    exists(Instruction use, Instruction def | this = registerOperand(use, _, def))
+    or
+    exists(Instruction use | this = nonSSAMemoryOperand(use, _))
+    or
     exists(Instruction use, Instruction def, IRBlock predecessorBlock |
       this = phiOperand(use, def, predecessorBlock, _) or
       this = reusedPhiOperand(use, def, predecessorBlock, _)
-    ) or
+    )
+    or
     exists(Instruction use | this = chiOperand(use, _))
   }
 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
index 83492e6ab79..1198c828ecb 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
@@ -92,9 +92,7 @@ private predicate operandIsConsumedWithoutEscaping(Operand operand) {
       instr.(ConvertInstruction).getResultIRType() instanceof IRBooleanType
       or
       instr instanceof CallInstruction and
-      not exists(IREscapeAnalysisConfiguration config |
-        config.useSoundEscapeAnalysis()
-      )
+      not exists(IREscapeAnalysisConfiguration config | config.useSoundEscapeAnalysis())
     )
   )
   or
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll
index 3be9dc581d7..236db922646 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll
@@ -144,9 +144,7 @@ class DynamicAllocation extends Allocation, TDynamicAllocation {
 }
 
 class StageEscapeConfiguration extends string {
-  StageEscapeConfiguration() {
-    this = "StageEscapeConfiguration (aliased_ssa)"
-  }
+  StageEscapeConfiguration() { this = "StageEscapeConfiguration (aliased_ssa)" }
 
   predicate useSoundEscapeAnalysis() { none() }
 }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll
index d8e6bba31a7..74638b6ec1d 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll
@@ -569,15 +569,13 @@ private Overlap getVariableMemoryLocationOverlap(
  * Holds if the def/use information for the result of `instr` can be reused from the previous
  * iteration of the IR.
  */
-predicate canReuseSSAForOldResult(Instruction instr) {
-  OldSSA::canReuseSSAForMemoryResult(instr)
-}
+predicate canReuseSSAForOldResult(Instruction instr) { OldSSA::canReuseSSAForMemoryResult(instr) }
 
 bindingset[result, b]
 private boolean unbindBool(boolean b) { result != b.booleanNot() }
 
 MemoryLocation getResultMemoryLocation(Instruction instr) {
-  not(canReuseSSAForOldResult(instr)) and
+  not canReuseSSAForOldResult(instr) and
   exists(MemoryAccessKind kind, boolean isMayAccess |
     kind = instr.getResultMemoryAccess() and
     (if instr.hasResultMayMemoryAccess() then isMayAccess = true else isMayAccess = false) and
@@ -610,7 +608,7 @@ MemoryLocation getResultMemoryLocation(Instruction instr) {
 }
 
 MemoryLocation getOperandMemoryLocation(MemoryOperand operand) {
-  not(canReuseSSAForOldResult(operand.getAnyDef())) and
+  not canReuseSSAForOldResult(operand.getAnyDef()) and
   exists(MemoryAccessKind kind, boolean isMayAccess |
     kind = operand.getMemoryAccess() and
     (if operand.hasMayReadMemoryAccess() then isMayAccess = true else isMayAccess = false) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
index 6e4440f253c..343499dcc6c 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
@@ -150,13 +150,16 @@ private module Cached {
       (
         result = getNewInstruction(oldOperand.getAnyDef()) and
         overlap = originalOverlap
-        /*or
-        exists(OldIR::PhiInputOperand phiOperand, Overlap phiOperandOverlap |
-          phiOperand = getDegeneratePhiOperand(oldOperand.getAnyDef()) and
-          result = getNewDefinitionFromOldSSA(phiOperand, phiOperandOverlap) and
-          overlap = combineOverlap(phiOperandOverlap, originalOverlap)
-        ) */
-      )
+        /*
+         * or
+         *        exists(OldIR::PhiInputOperand phiOperand, Overlap phiOperandOverlap |
+         *          phiOperand = getDegeneratePhiOperand(oldOperand.getAnyDef()) and
+         *          result = getNewDefinitionFromOldSSA(phiOperand, phiOperandOverlap) and
+         *          overlap = combineOverlap(phiOperandOverlap, originalOverlap)
+         *        )
+         */
+
+        )
     )
   }
 
@@ -313,12 +316,13 @@ private module Cached {
 
   cached
   Instruction getPhiInstructionBlockStart(PhiInstruction instr) {
-    exists(OldBlock oldBlock |      (
-      instr = getPhi(oldBlock, _)
-      or
-      // Any `Phi` that we propagated from the previous iteration stays in the same block.
-      getOldInstruction(instr).getBlock() = oldBlock
-    ) and
+    exists(OldBlock oldBlock |
+      (
+        instr = getPhi(oldBlock, _)
+        or
+        // Any `Phi` that we propagated from the previous iteration stays in the same block.
+        getOldInstruction(instr).getBlock() = oldBlock
+      ) and
       result = getNewInstruction(oldBlock.getFirstInstruction())
     )
   }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TInstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TInstruction.qll
index e7dfea40313..4b3f19cbdde 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TInstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TInstruction.qll
@@ -55,10 +55,7 @@ module UnaliasedSSAInstructions {
     result = TUnaliasedSSAPhiInstruction(blockStartInstr, memoryLocation)
   }
 
-  TRawInstruction reusedPhiInstruction(
-    TRawInstruction blockStartInstr) {
-    none()
-  }
+  TRawInstruction reusedPhiInstruction(TRawInstruction blockStartInstr) { none() }
 
   class TChiInstruction = TUnaliasedSSAChiInstruction;
 
@@ -88,8 +85,7 @@ module AliasedSSAInstructions {
     result = TAliasedSSAPhiInstruction(blockStartInstr, memoryLocation)
   }
 
-  TPhiInstruction reusedPhiInstruction(
-    TRawInstruction blockStartInstr) {
+  TPhiInstruction reusedPhiInstruction(TRawInstruction blockStartInstr) {
     result = TUnaliasedSSAPhiInstruction(blockStartInstr, _)
   }
 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TOperand.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TOperand.qll
index 69e68d97adc..57cbb995a00 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TOperand.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TOperand.qll
@@ -84,7 +84,7 @@ private module Shared {
   }
 }
 
-/** 
+/**
  * Provides wrappers for the constructors of each branch of `TOperand` that is used by the
  * raw IR stage.
  * These wrappers are not parameterized because it is not possible to invoke an IPA constructor via
@@ -115,6 +115,7 @@ module RawOperands {
   ) {
     none()
   }
+
   /**
    * Returns the Chi operand with the specified parameters.
    */
@@ -152,6 +153,7 @@ module UnaliasedSSAOperands {
   ) {
     none()
   }
+
   /**
    * Returns the Chi operand with the specified parameters.
    */
@@ -195,6 +197,7 @@ module AliasedSSAOperands {
       result = Internal::TUnaliasedPhiOperand(useInstr, defInstr, oldBlock, overlap)
     )
   }
+
   /**
    * Returns the Chi operand with the specified parameters.
    */
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll
index 760f2b5b39d..d7cf89ca9aa 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Operand.qll
@@ -28,12 +28,15 @@ class Operand extends TStageOperand {
   cached
   Operand() {
     // Ensure that the operand does not refer to instructions from earlier stages that are unreachable here
-    exists(Instruction use, Instruction def | this = registerOperand(use, _, def)) or
-    exists(Instruction use | this = nonSSAMemoryOperand(use, _)) or
+    exists(Instruction use, Instruction def | this = registerOperand(use, _, def))
+    or
+    exists(Instruction use | this = nonSSAMemoryOperand(use, _))
+    or
     exists(Instruction use, Instruction def, IRBlock predecessorBlock |
       this = phiOperand(use, def, predecessorBlock, _) or
       this = reusedPhiOperand(use, def, predecessorBlock, _)
-    ) or
+    )
+    or
     exists(Instruction use | this = chiOperand(use, _))
   }
 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll
index 760f2b5b39d..d7cf89ca9aa 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll
@@ -28,12 +28,15 @@ class Operand extends TStageOperand {
   cached
   Operand() {
     // Ensure that the operand does not refer to instructions from earlier stages that are unreachable here
-    exists(Instruction use, Instruction def | this = registerOperand(use, _, def)) or
-    exists(Instruction use | this = nonSSAMemoryOperand(use, _)) or
+    exists(Instruction use, Instruction def | this = registerOperand(use, _, def))
+    or
+    exists(Instruction use | this = nonSSAMemoryOperand(use, _))
+    or
     exists(Instruction use, Instruction def, IRBlock predecessorBlock |
       this = phiOperand(use, def, predecessorBlock, _) or
       this = reusedPhiOperand(use, def, predecessorBlock, _)
-    ) or
+    )
+    or
     exists(Instruction use | this = chiOperand(use, _))
   }
 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index 83492e6ab79..1198c828ecb 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -92,9 +92,7 @@ private predicate operandIsConsumedWithoutEscaping(Operand operand) {
       instr.(ConvertInstruction).getResultIRType() instanceof IRBooleanType
       or
       instr instanceof CallInstruction and
-      not exists(IREscapeAnalysisConfiguration config |
-        config.useSoundEscapeAnalysis()
-      )
+      not exists(IREscapeAnalysisConfiguration config | config.useSoundEscapeAnalysis())
     )
   )
   or
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll
index 2ca333ad25c..d39288cd412 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll
@@ -16,9 +16,7 @@ class Allocation extends IRAutomaticVariable {
 }
 
 class StageEscapeConfiguration extends string {
-  StageEscapeConfiguration() {
-    this = "StageEscapeConfiguration (unaliased_ssa)"
-  }
+  StageEscapeConfiguration() { this = "StageEscapeConfiguration (unaliased_ssa)" }
 
   predicate useSoundEscapeAnalysis() { any() }
 }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
index 6e4440f253c..343499dcc6c 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -150,13 +150,16 @@ private module Cached {
       (
         result = getNewInstruction(oldOperand.getAnyDef()) and
         overlap = originalOverlap
-        /*or
-        exists(OldIR::PhiInputOperand phiOperand, Overlap phiOperandOverlap |
-          phiOperand = getDegeneratePhiOperand(oldOperand.getAnyDef()) and
-          result = getNewDefinitionFromOldSSA(phiOperand, phiOperandOverlap) and
-          overlap = combineOverlap(phiOperandOverlap, originalOverlap)
-        ) */
-      )
+        /*
+         * or
+         *        exists(OldIR::PhiInputOperand phiOperand, Overlap phiOperandOverlap |
+         *          phiOperand = getDegeneratePhiOperand(oldOperand.getAnyDef()) and
+         *          result = getNewDefinitionFromOldSSA(phiOperand, phiOperandOverlap) and
+         *          overlap = combineOverlap(phiOperandOverlap, originalOverlap)
+         *        )
+         */
+
+        )
     )
   }
 
@@ -313,12 +316,13 @@ private module Cached {
 
   cached
   Instruction getPhiInstructionBlockStart(PhiInstruction instr) {
-    exists(OldBlock oldBlock |      (
-      instr = getPhi(oldBlock, _)
-      or
-      // Any `Phi` that we propagated from the previous iteration stays in the same block.
-      getOldInstruction(instr).getBlock() = oldBlock
-    ) and
+    exists(OldBlock oldBlock |
+      (
+        instr = getPhi(oldBlock, _)
+        or
+        // Any `Phi` that we propagated from the previous iteration stays in the same block.
+        getOldInstruction(instr).getBlock() = oldBlock
+      ) and
       result = getNewInstruction(oldBlock.getFirstInstruction())
     )
   }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll
index 906699b6394..f3e02c9f6a8 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll
@@ -72,9 +72,7 @@ class MemoryLocation extends TMemoryLocation {
   final predicate canReuseSSA() { canReuseSSAForVariable(var) }
 }
 
-predicate canReuseSSAForOldResult(Instruction instr) {
-  none()
-}
+predicate canReuseSSAForOldResult(Instruction instr) { none() }
 
 /**
  * Represents a set of `MemoryLocation`s that cannot overlap with

From 1c72ea97a73b1b0008210a689894efd4503a9888 Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Tue, 13 Apr 2021 17:12:51 -0700
Subject: [PATCH 0900/1429] C++: accept phi node reorderings in IR tests

---
 .../library-tests/ir/ssa/aliased_ssa_ir.expected   | 14 +++++++-------
 .../ir/ssa/aliased_ssa_ir_unsound.expected         | 14 +++++++-------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
index c83ed76902e..b694ef800d6 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
@@ -219,11 +219,11 @@ ssa.cpp:
 #-----|   Goto -> Block 1
 
 #   69|   Block 1
-#   69|     m69_1(char *)     = Phi                : from 0:m68_8, from 2:m70_6
-#   69|     m69_2(int)        = Phi                : from 0:m68_6, from 2:m69_8
-#   69|     m69_3(unknown)    = Phi                : from 0:~m68_4, from 2:~m70_10
+#   69|     m69_1(unknown)    = Phi                : from 0:~m68_4, from 2:~m70_10
+#   69|     m69_2(char *)     = Phi                : from 0:m68_8, from 2:m70_6
+#   69|     m69_3(int)        = Phi                : from 0:m68_6, from 2:m69_8
 #   69|     r69_4(glval<int>) = VariableAddress[n] : 
-#   69|     r69_5(int)        = Load[n]            : &:r69_4, m69_2
+#   69|     r69_5(int)        = Load[n]            : &:r69_4, m69_3
 #   69|     r69_6(int)        = Constant[1]        : 
 #   69|     r69_7(int)        = Sub                : r69_5, r69_6
 #   69|     m69_8(int)        = Store[n]           : &:r69_4, r69_7
@@ -237,21 +237,21 @@ ssa.cpp:
 #   70|   Block 2
 #   70|     r70_1(char)          = Constant[0]        : 
 #   70|     r70_2(glval<char *>) = VariableAddress[p] : 
-#   70|     r70_3(char *)        = Load[p]            : &:r70_2, m69_1
+#   70|     r70_3(char *)        = Load[p]            : &:r70_2, m69_2
 #   70|     r70_4(int)           = Constant[1]        : 
 #   70|     r70_5(char *)        = PointerAdd[1]      : r70_3, r70_4
 #   70|     m70_6(char *)        = Store[p]           : &:r70_2, r70_5
 #   70|     r70_7(char *)        = CopyValue          : r70_3
 #   70|     r70_8(glval<char>)   = CopyValue          : r70_7
 #   70|     m70_9(char)          = Store[?]           : &:r70_8, r70_1
-#   70|     m70_10(unknown)      = Chi                : total:m69_3, partial:m70_9
+#   70|     m70_10(unknown)      = Chi                : total:m69_1, partial:m70_9
 #-----|   Goto (back edge) -> Block 1
 
 #   71|   Block 3
 #   71|     v71_1(void)  = NoOp                 : 
 #   68|     v68_11(void) = ReturnIndirection[p] : &:r68_9, m68_10
 #   68|     v68_12(void) = ReturnVoid           : 
-#   68|     v68_13(void) = AliasedUse           : ~m69_3
+#   68|     v68_13(void) = AliasedUse           : ~m69_1
 #   68|     v68_14(void) = ExitFunction         : 
 
 #   75| void ScalarPhi(bool)
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
index 81c80c6b4c7..a877587ea21 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
@@ -219,11 +219,11 @@ ssa.cpp:
 #-----|   Goto -> Block 1
 
 #   69|   Block 1
-#   69|     m69_1(char *)     = Phi                : from 0:m68_8, from 2:m70_6
-#   69|     m69_2(int)        = Phi                : from 0:m68_6, from 2:m69_8
-#   69|     m69_3(unknown)    = Phi                : from 0:~m68_4, from 2:~m70_10
+#   69|     m69_1(unknown)    = Phi                : from 0:~m68_4, from 2:~m70_10
+#   69|     m69_2(char *)     = Phi                : from 0:m68_8, from 2:m70_6
+#   69|     m69_3(int)        = Phi                : from 0:m68_6, from 2:m69_8
 #   69|     r69_4(glval<int>) = VariableAddress[n] : 
-#   69|     r69_5(int)        = Load[n]            : &:r69_4, m69_2
+#   69|     r69_5(int)        = Load[n]            : &:r69_4, m69_3
 #   69|     r69_6(int)        = Constant[1]        : 
 #   69|     r69_7(int)        = Sub                : r69_5, r69_6
 #   69|     m69_8(int)        = Store[n]           : &:r69_4, r69_7
@@ -237,21 +237,21 @@ ssa.cpp:
 #   70|   Block 2
 #   70|     r70_1(char)          = Constant[0]        : 
 #   70|     r70_2(glval<char *>) = VariableAddress[p] : 
-#   70|     r70_3(char *)        = Load[p]            : &:r70_2, m69_1
+#   70|     r70_3(char *)        = Load[p]            : &:r70_2, m69_2
 #   70|     r70_4(int)           = Constant[1]        : 
 #   70|     r70_5(char *)        = PointerAdd[1]      : r70_3, r70_4
 #   70|     m70_6(char *)        = Store[p]           : &:r70_2, r70_5
 #   70|     r70_7(char *)        = CopyValue          : r70_3
 #   70|     r70_8(glval<char>)   = CopyValue          : r70_7
 #   70|     m70_9(char)          = Store[?]           : &:r70_8, r70_1
-#   70|     m70_10(unknown)      = Chi                : total:m69_3, partial:m70_9
+#   70|     m70_10(unknown)      = Chi                : total:m69_1, partial:m70_9
 #-----|   Goto (back edge) -> Block 1
 
 #   71|   Block 3
 #   71|     v71_1(void)  = NoOp                 : 
 #   68|     v68_11(void) = ReturnIndirection[p] : &:r68_9, m68_10
 #   68|     v68_12(void) = ReturnVoid           : 
-#   68|     v68_13(void) = AliasedUse           : ~m69_3
+#   68|     v68_13(void) = AliasedUse           : ~m69_1
 #   68|     v68_14(void) = ExitFunction         : 
 
 #   75| void ScalarPhi(bool)

From f9e0ba17e01b63ca228ae8f4a3cd9ce089fe8269 Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Tue, 13 Apr 2021 17:14:41 -0700
Subject: [PATCH 0901/1429] C++: remove points-to expectations for reused SSA

---
 .../library-tests/ir/points_to/points_to.cpp  | 68 +++++++++----------
 1 file changed, 34 insertions(+), 34 deletions(-)

diff --git a/cpp/ql/test/library-tests/ir/points_to/points_to.cpp b/cpp/ql/test/library-tests/ir/points_to/points_to.cpp
index 024a3190706..fa4d062c5f8 100644
--- a/cpp/ql/test/library-tests/ir/points_to/points_to.cpp
+++ b/cpp/ql/test/library-tests/ir/points_to/points_to.cpp
@@ -37,51 +37,51 @@ void Locals() {
 }
 
 void PointsTo(
-  int a,         //$raw,ussa=a
-  Point& b,      //$raw,ussa=b ussa=*b
-  Point* c,      //$raw,ussa=c ussa=*c
-  int* d,        //$raw,ussa=d ussa=*d
-  DerivedSI* e,  //$raw,ussa=e ussa=*e
-  DerivedMI* f,  //$raw,ussa=f ussa=*f
-  DerivedVI* g   //$raw,ussa=g ussa=*g
+  int a,         //$raw=a
+  Point& b,      //$raw=b ussa=*b
+  Point* c,      //$raw=c ussa=*c
+  int* d,        //$raw=d ussa=*d
+  DerivedSI* e,  //$raw=e ussa=*e
+  DerivedMI* f,  //$raw=f ussa=*f
+  DerivedVI* g   //$raw=g ussa=*g
 ) {
 
-  int i = a;  //$raw,ussa=a
-  i = *&a;  //$raw,ussa=a
-  i = *(&a + 0);  //$raw,ussa=a
-  i = b.x;  //$raw,ussa=b ussa=*b[0..4)<int>
-  i = b.y;  //$raw,ussa=b ussa=*b[4..8)<int>
-  i = c->x;  //$raw,ussa=c ussa=*c[0..4)<int>
-  i = c->y;  //$raw,ussa=c ussa=*c[4..8)<int>
-  i = *d;  //$raw,ussa=d ussa=*d[0..4)<int>
-  i = *(d + 0);  //$raw,ussa=d ussa=*d[0..4)<int>
-  i = d[5];  //$raw,ussa=d ussa=*d[20..24)<int>
-  i = 5[d];  //$raw,ussa=d ussa=*d[20..24)<int>
-  i = d[a];  //$raw,ussa=d raw,ussa=a ussa=*d[?..?)<int>
-  i = a[d];  //$raw,ussa=d raw,ussa=a ussa=*d[?..?)<int>
+  int i = a;  //$raw=a
+  i = *&a;  //$raw=a
+  i = *(&a + 0);  //$raw=a
+  i = b.x;  //$raw=b ussa=*b[0..4)<int>
+  i = b.y;  //$raw=b ussa=*b[4..8)<int>
+  i = c->x;  //$raw=c ussa=*c[0..4)<int>
+  i = c->y;  //$raw=c ussa=*c[4..8)<int>
+  i = *d;  //$raw=d ussa=*d[0..4)<int>
+  i = *(d + 0);  //$raw=d ussa=*d[0..4)<int>
+  i = d[5];  //$raw=d ussa=*d[20..24)<int>
+  i = 5[d];  //$raw=d ussa=*d[20..24)<int>
+  i = d[a];  //$raw=d raw=a ussa=*d[?..?)<int>
+  i = a[d];  //$raw=d raw=a ussa=*d[?..?)<int>
 
-  int* p = &b.x;  //$raw,ussa=b
+  int* p = &b.x;  //$raw=b
   i = *p;  //$ussa=*b[0..4)<int>
-  p = &b.y;  //$raw,ussa=b
+  p = &b.y;  //$raw=b
   i = *p;  //$ussa=*b[4..8)<int>
-  p = &c->x;  //$raw,ussa=c
+  p = &c->x;  //$raw=c
   i = *p;  //$ussa=*c[0..4)<int>
-  p = &c->y;  //$raw,ussa=c
+  p = &c->y;  //$raw=c
   i = *p;  //$ussa=*c[4..8)<int>
-  p = &d[5];  //$raw,ussa=d
+  p = &d[5];  //$raw=d
   i = *p;  //$ussa=*d[20..24)<int>
-  p = &d[a];  //$raw,ussa=d raw,ussa=a
+  p = &d[a];  //$raw=d raw=a
   i = *p;  //$ussa=*d[?..?)<int>
 
-  Point* q = &c[a];  //$raw,ussa=c raw,ussa=a
+  Point* q = &c[a];  //$raw=c raw=a
   i = q->x;  //$ussa=*c[?..?)<int>
   i = q->y;  //$ussa=*c[?..?)<int>
 
-  i = e->b1;  //$raw,ussa=e ussa=*e[0..4)<int>
-  i = e->dsi;  //$raw,ussa=e ussa=*e[4..8)<int>
-  i = f->b1;  //$raw,ussa=f ussa=*f[0..4)<int>
-  i = f->b2;  //$raw,ussa=f ussa=*f[4..8)<int>
-  i = f->dmi;  //$raw,ussa=f ussa=*f[8..12)<int>
-  i = g->b1;  //$raw,ussa=g ussa=*g[?..?)<int>
-  i = g->dvi;  //$raw,ussa=g ussa=*g[8..12)<int>
+  i = e->b1;  //$raw=e ussa=*e[0..4)<int>
+  i = e->dsi;  //$raw=e ussa=*e[4..8)<int>
+  i = f->b1;  //$raw=f ussa=*f[0..4)<int>
+  i = f->b2;  //$raw=f ussa=*f[4..8)<int>
+  i = f->dmi;  //$raw=f ussa=*f[8..12)<int>
+  i = g->b1;  //$raw=g ussa=*g[?..?)<int>
+  i = g->dvi;  //$raw=g ussa=*g[8..12)<int>
 }
\ No newline at end of file

From 86b1d032ae08cb62a9323a36076185beb1cfdd98 Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Thu, 15 Apr 2021 17:06:14 -0700
Subject: [PATCH 0902/1429] C++: accept test regressions

---
 .../dataflow/fields/ir-path-flow.expected     | 22 -----------------
 .../UncontrolledProcessOperation.expected     | 24 -------------------
 2 files changed, 46 deletions(-)

diff --git a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
index e6234ca17f7..ee6b6a39bde 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected
@@ -135,40 +135,24 @@ edges
 | by_reference.cpp:128:15:128:23 | Chi [a] | by_reference.cpp:136:16:136:16 | a |
 | by_reference.cpp:128:15:128:23 | taint_a_ref output argument [array content] | by_reference.cpp:128:15:128:23 | Chi |
 | complex.cpp:40:17:40:17 | *b [a_] | complex.cpp:42:16:42:16 | f indirection [a_] |
-| complex.cpp:40:17:40:17 | *b [b_] | complex.cpp:42:16:42:16 | Chi [b_] |
 | complex.cpp:40:17:40:17 | *b [b_] | complex.cpp:42:16:42:16 | f indirection [b_] |
 | complex.cpp:40:17:40:17 | *b [b_] | complex.cpp:43:16:43:16 | f indirection [b_] |
-| complex.cpp:42:16:42:16 | Chi [b_] | complex.cpp:43:16:43:16 | f indirection [b_] |
-| complex.cpp:42:16:42:16 | a output argument [b_] | complex.cpp:42:16:42:16 | Chi [b_] |
 | complex.cpp:42:16:42:16 | a output argument [b_] | complex.cpp:43:16:43:16 | f indirection [b_] |
 | complex.cpp:42:16:42:16 | f indirection [a_] | complex.cpp:42:18:42:18 | call to a |
 | complex.cpp:42:16:42:16 | f indirection [b_] | complex.cpp:42:16:42:16 | a output argument [b_] |
 | complex.cpp:43:16:43:16 | f indirection [b_] | complex.cpp:43:18:43:18 | call to b |
-| complex.cpp:53:12:53:12 | Chi [a_] | complex.cpp:59:7:59:8 | b1 indirection [a_] |
-| complex.cpp:53:12:53:12 | setA output argument [a_] | complex.cpp:53:12:53:12 | Chi [a_] |
 | complex.cpp:53:12:53:12 | setA output argument [a_] | complex.cpp:59:7:59:8 | b1 indirection [a_] |
 | complex.cpp:53:14:53:17 | call to user_input | complex.cpp:53:12:53:12 | setA output argument [a_] |
 | complex.cpp:53:19:53:28 | call to user_input | complex.cpp:53:14:53:17 | call to user_input |
-| complex.cpp:54:12:54:12 | Chi [b_] | complex.cpp:62:7:62:8 | b2 indirection [b_] |
-| complex.cpp:54:12:54:12 | setB output argument [b_] | complex.cpp:54:12:54:12 | Chi [b_] |
 | complex.cpp:54:12:54:12 | setB output argument [b_] | complex.cpp:62:7:62:8 | b2 indirection [b_] |
 | complex.cpp:54:14:54:17 | call to user_input | complex.cpp:54:12:54:12 | setB output argument [b_] |
 | complex.cpp:54:19:54:28 | call to user_input | complex.cpp:54:14:54:17 | call to user_input |
-| complex.cpp:55:12:55:12 | Chi [a_] | complex.cpp:56:12:56:12 | Chi [a_] |
-| complex.cpp:55:12:55:12 | Chi [a_] | complex.cpp:56:12:56:12 | f indirection [a_] |
-| complex.cpp:55:12:55:12 | Chi [a_] | complex.cpp:65:7:65:8 | b3 indirection [a_] |
-| complex.cpp:55:12:55:12 | setA output argument [a_] | complex.cpp:55:12:55:12 | Chi [a_] |
-| complex.cpp:55:12:55:12 | setA output argument [a_] | complex.cpp:56:12:56:12 | Chi [a_] |
 | complex.cpp:55:12:55:12 | setA output argument [a_] | complex.cpp:56:12:56:12 | f indirection [a_] |
 | complex.cpp:55:12:55:12 | setA output argument [a_] | complex.cpp:65:7:65:8 | b3 indirection [a_] |
 | complex.cpp:55:14:55:17 | call to user_input | complex.cpp:55:12:55:12 | setA output argument [a_] |
 | complex.cpp:55:19:55:28 | call to user_input | complex.cpp:55:14:55:17 | call to user_input |
-| complex.cpp:56:12:56:12 | Chi [a_] | complex.cpp:65:7:65:8 | b3 indirection [a_] |
-| complex.cpp:56:12:56:12 | Chi [b_] | complex.cpp:65:7:65:8 | b3 indirection [b_] |
 | complex.cpp:56:12:56:12 | f indirection [a_] | complex.cpp:56:12:56:12 | setB output argument [a_] |
-| complex.cpp:56:12:56:12 | setB output argument [a_] | complex.cpp:56:12:56:12 | Chi [a_] |
 | complex.cpp:56:12:56:12 | setB output argument [a_] | complex.cpp:65:7:65:8 | b3 indirection [a_] |
-| complex.cpp:56:12:56:12 | setB output argument [b_] | complex.cpp:56:12:56:12 | Chi [b_] |
 | complex.cpp:56:12:56:12 | setB output argument [b_] | complex.cpp:65:7:65:8 | b3 indirection [b_] |
 | complex.cpp:56:14:56:17 | call to user_input | complex.cpp:56:12:56:12 | setB output argument [b_] |
 | complex.cpp:56:19:56:28 | call to user_input | complex.cpp:56:14:56:17 | call to user_input |
@@ -410,27 +394,21 @@ nodes
 | by_reference.cpp:136:16:136:16 | a | semmle.label | a |
 | complex.cpp:40:17:40:17 | *b [a_] | semmle.label | *b [a_] |
 | complex.cpp:40:17:40:17 | *b [b_] | semmle.label | *b [b_] |
-| complex.cpp:42:16:42:16 | Chi [b_] | semmle.label | Chi [b_] |
 | complex.cpp:42:16:42:16 | a output argument [b_] | semmle.label | a output argument [b_] |
 | complex.cpp:42:16:42:16 | f indirection [a_] | semmle.label | f indirection [a_] |
 | complex.cpp:42:16:42:16 | f indirection [b_] | semmle.label | f indirection [b_] |
 | complex.cpp:42:18:42:18 | call to a | semmle.label | call to a |
 | complex.cpp:43:16:43:16 | f indirection [b_] | semmle.label | f indirection [b_] |
 | complex.cpp:43:18:43:18 | call to b | semmle.label | call to b |
-| complex.cpp:53:12:53:12 | Chi [a_] | semmle.label | Chi [a_] |
 | complex.cpp:53:12:53:12 | setA output argument [a_] | semmle.label | setA output argument [a_] |
 | complex.cpp:53:14:53:17 | call to user_input | semmle.label | call to user_input |
 | complex.cpp:53:19:53:28 | call to user_input | semmle.label | call to user_input |
-| complex.cpp:54:12:54:12 | Chi [b_] | semmle.label | Chi [b_] |
 | complex.cpp:54:12:54:12 | setB output argument [b_] | semmle.label | setB output argument [b_] |
 | complex.cpp:54:14:54:17 | call to user_input | semmle.label | call to user_input |
 | complex.cpp:54:19:54:28 | call to user_input | semmle.label | call to user_input |
-| complex.cpp:55:12:55:12 | Chi [a_] | semmle.label | Chi [a_] |
 | complex.cpp:55:12:55:12 | setA output argument [a_] | semmle.label | setA output argument [a_] |
 | complex.cpp:55:14:55:17 | call to user_input | semmle.label | call to user_input |
 | complex.cpp:55:19:55:28 | call to user_input | semmle.label | call to user_input |
-| complex.cpp:56:12:56:12 | Chi [a_] | semmle.label | Chi [a_] |
-| complex.cpp:56:12:56:12 | Chi [b_] | semmle.label | Chi [b_] |
 | complex.cpp:56:12:56:12 | f indirection [a_] | semmle.label | f indirection [a_] |
 | complex.cpp:56:12:56:12 | setB output argument [a_] | semmle.label | setB output argument [a_] |
 | complex.cpp:56:12:56:12 | setB output argument [b_] | semmle.label | setB output argument [b_] |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
index 5b45af80d5b..c610e346bb1 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
@@ -26,27 +26,15 @@ edges
 | test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | (const char *)... |
 | test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer |
 | test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer indirection |
-| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | (const char *)... |
-| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data indirection |
 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | (const char *)... |
 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer |
 | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer indirection |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | (const char *)... |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data indirection |
 | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | (const char *)... |
 | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer |
 | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer indirection |
-| test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | (const char *)... |
-| test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | data |
-| test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | data indirection |
 | test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | (const char *)... |
 | test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer |
 | test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer indirection |
-| test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | (const char *)... |
-| test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | data |
-| test.cpp:76:12:76:17 | fgets output argument | test.cpp:79:10:79:13 | data indirection |
 | test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | (const char *)... |
 | test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer |
 | test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer indirection |
@@ -89,11 +77,6 @@ nodes
 | test.cpp:62:10:62:15 | buffer | semmle.label | buffer |
 | test.cpp:62:10:62:15 | buffer indirection | semmle.label | buffer indirection |
 | test.cpp:62:10:62:15 | buffer indirection | semmle.label | buffer indirection |
-| test.cpp:63:10:63:13 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:63:10:63:13 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:63:10:63:13 | data | semmle.label | data |
-| test.cpp:63:10:63:13 | data indirection | semmle.label | data indirection |
-| test.cpp:63:10:63:13 | data indirection | semmle.label | data indirection |
 | test.cpp:76:12:76:17 | buffer | semmle.label | buffer |
 | test.cpp:76:12:76:17 | fgets output argument | semmle.label | fgets output argument |
 | test.cpp:78:10:78:15 | (const char *)... | semmle.label | (const char *)... |
@@ -101,11 +84,6 @@ nodes
 | test.cpp:78:10:78:15 | buffer | semmle.label | buffer |
 | test.cpp:78:10:78:15 | buffer indirection | semmle.label | buffer indirection |
 | test.cpp:78:10:78:15 | buffer indirection | semmle.label | buffer indirection |
-| test.cpp:79:10:79:13 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:79:10:79:13 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:79:10:79:13 | data | semmle.label | data |
-| test.cpp:79:10:79:13 | data indirection | semmle.label | data indirection |
-| test.cpp:79:10:79:13 | data indirection | semmle.label | data indirection |
 | test.cpp:98:17:98:22 | buffer | semmle.label | buffer |
 | test.cpp:98:17:98:22 | recv output argument | semmle.label | recv output argument |
 | test.cpp:99:15:99:20 | (const char *)... | semmle.label | (const char *)... |
@@ -124,8 +102,6 @@ nodes
 | test.cpp:26:10:26:16 | command | test.cpp:42:18:42:23 | call to getenv | test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:42:18:42:23 | call to getenv | call to getenv |
 | test.cpp:31:10:31:16 | command | test.cpp:43:18:43:23 | call to getenv | test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system | test.cpp:43:18:43:23 | call to getenv | call to getenv |
 | test.cpp:62:10:62:15 | buffer | test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer | The value of this argument may come from $@ and is being passed to system | test.cpp:56:12:56:17 | buffer | buffer |
-| test.cpp:63:10:63:13 | data | test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data | The value of this argument may come from $@ and is being passed to system | test.cpp:56:12:56:17 | buffer | buffer |
 | test.cpp:78:10:78:15 | buffer | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer | The value of this argument may come from $@ and is being passed to system | test.cpp:76:12:76:17 | buffer | buffer |
-| test.cpp:79:10:79:13 | data | test.cpp:76:12:76:17 | buffer | test.cpp:79:10:79:13 | data | The value of this argument may come from $@ and is being passed to system | test.cpp:76:12:76:17 | buffer | buffer |
 | test.cpp:99:15:99:20 | buffer | test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer | The value of this argument may come from $@ and is being passed to LoadLibrary | test.cpp:98:17:98:22 | buffer | buffer |
 | test.cpp:107:15:107:20 | buffer | test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer | The value of this argument may come from $@ and is being passed to LoadLibrary | test.cpp:106:17:106:22 | buffer | buffer |

From 922cf640f4d34ac78b0311dc93cfb65ba10be740 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Mon, 20 Apr 2020 15:37:41 -0400
Subject: [PATCH 0903/1429] C++/C#: Add `combineOverlap()` predicate

---
 .../semmle/code/cpp/ir/internal/Overlap.qll   | 35 +++++++++++++++++++
 .../src/experimental/ir/internal/Overlap.qll  | 35 +++++++++++++++++++
 2 files changed, 70 insertions(+)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/internal/Overlap.qll b/cpp/ql/src/semmle/code/cpp/ir/internal/Overlap.qll
index f9a0c574f8c..ca643b56cbb 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/internal/Overlap.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/internal/Overlap.qll
@@ -8,6 +8,16 @@ private newtype TOverlap =
  */
 abstract class Overlap extends TOverlap {
   abstract string toString();
+
+  /**
+   * Gets a value representing how precise this overlap is. The higher the value, the more precise
+   * the overlap. The precision values are ordered as
+   * follows, from most to least precise:
+   * `MustExactlyOverlap`
+   * `MustTotallyOverlap`
+   * `MayPartiallyOverlap`
+   */
+  abstract int getPrecision();
 }
 
 /**
@@ -16,6 +26,8 @@ abstract class Overlap extends TOverlap {
  */
 class MayPartiallyOverlap extends Overlap, TMayPartiallyOverlap {
   final override string toString() { result = "MayPartiallyOverlap" }
+
+  final override int getPrecision() { result = 0 }
 }
 
 /**
@@ -24,6 +36,8 @@ class MayPartiallyOverlap extends Overlap, TMayPartiallyOverlap {
  */
 class MustTotallyOverlap extends Overlap, TMustTotallyOverlap {
   final override string toString() { result = "MustTotallyOverlap" }
+
+  final override int getPrecision() { result = 1 }
 }
 
 /**
@@ -32,4 +46,25 @@ class MustTotallyOverlap extends Overlap, TMustTotallyOverlap {
  */
 class MustExactlyOverlap extends Overlap, TMustExactlyOverlap {
   final override string toString() { result = "MustExactlyOverlap" }
+
+  final override int getPrecision() { result = 2 }
+}
+
+/**
+ * Gets the `Overlap` that best represents the relationship between two memory locations `a` and
+ * `c`, where `getOverlap(a, b) = previousOverlap` and `getOverlap(b, c) = newOverlap`, for some
+ * intermediate memory location `b`.
+ */
+Overlap combineOverlap(Overlap previousOverlap, Overlap newOverlap) {
+  // Note that it's possible that two less precise overlaps could combine to result in a more
+  // precise overlap. For example, both `previousOverlap` and `newOverlap` could be
+  // `MustTotallyOverlap` even though the actual relationship between `a` and `c` is
+  // `MustExactlyOverlap`. We will still return `MustTotallyOverlap` as the best conservative
+  // approximation we can make without additional input information.
+  result =
+    min(Overlap overlap |
+      overlap = [previousOverlap, newOverlap]
+    |
+      overlap order by overlap.getPrecision()
+    )
 }
diff --git a/csharp/ql/src/experimental/ir/internal/Overlap.qll b/csharp/ql/src/experimental/ir/internal/Overlap.qll
index f9a0c574f8c..ca643b56cbb 100644
--- a/csharp/ql/src/experimental/ir/internal/Overlap.qll
+++ b/csharp/ql/src/experimental/ir/internal/Overlap.qll
@@ -8,6 +8,16 @@ private newtype TOverlap =
  */
 abstract class Overlap extends TOverlap {
   abstract string toString();
+
+  /**
+   * Gets a value representing how precise this overlap is. The higher the value, the more precise
+   * the overlap. The precision values are ordered as
+   * follows, from most to least precise:
+   * `MustExactlyOverlap`
+   * `MustTotallyOverlap`
+   * `MayPartiallyOverlap`
+   */
+  abstract int getPrecision();
 }
 
 /**
@@ -16,6 +26,8 @@ abstract class Overlap extends TOverlap {
  */
 class MayPartiallyOverlap extends Overlap, TMayPartiallyOverlap {
   final override string toString() { result = "MayPartiallyOverlap" }
+
+  final override int getPrecision() { result = 0 }
 }
 
 /**
@@ -24,6 +36,8 @@ class MayPartiallyOverlap extends Overlap, TMayPartiallyOverlap {
  */
 class MustTotallyOverlap extends Overlap, TMustTotallyOverlap {
   final override string toString() { result = "MustTotallyOverlap" }
+
+  final override int getPrecision() { result = 1 }
 }
 
 /**
@@ -32,4 +46,25 @@ class MustTotallyOverlap extends Overlap, TMustTotallyOverlap {
  */
 class MustExactlyOverlap extends Overlap, TMustExactlyOverlap {
   final override string toString() { result = "MustExactlyOverlap" }
+
+  final override int getPrecision() { result = 2 }
+}
+
+/**
+ * Gets the `Overlap` that best represents the relationship between two memory locations `a` and
+ * `c`, where `getOverlap(a, b) = previousOverlap` and `getOverlap(b, c) = newOverlap`, for some
+ * intermediate memory location `b`.
+ */
+Overlap combineOverlap(Overlap previousOverlap, Overlap newOverlap) {
+  // Note that it's possible that two less precise overlaps could combine to result in a more
+  // precise overlap. For example, both `previousOverlap` and `newOverlap` could be
+  // `MustTotallyOverlap` even though the actual relationship between `a` and `c` is
+  // `MustExactlyOverlap`. We will still return `MustTotallyOverlap` as the best conservative
+  // approximation we can make without additional input information.
+  result =
+    min(Overlap overlap |
+      overlap = [previousOverlap, newOverlap]
+    |
+      overlap order by overlap.getPrecision()
+    )
 }

From 7930c4ab19b78141152604640c0119638c5efea8 Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Mon, 19 Apr 2021 15:58:34 -0700
Subject: [PATCH 0904/1429] C++: tests for phi nodes after unreachable blocks

---
 .../ir/ssa/aliased_ssa_consistency.expected   |   5 +
 .../aliased_ssa_consistency_unsound.expected  |   5 +
 .../ir/ssa/aliased_ssa_ir.expected            | 225 ++++++++++++++++
 .../ir/ssa/aliased_ssa_ir_unsound.expected    | 225 ++++++++++++++++
 cpp/ql/test/library-tests/ir/ssa/ssa.cpp      |  66 +++++
 .../ir/ssa/unaliased_ssa_ir.expected          | 245 ++++++++++++++++++
 .../ir/ssa/unaliased_ssa_ir_unsound.expected  | 245 ++++++++++++++++++
 7 files changed, 1016 insertions(+)

diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency.expected
index 31e5b01229c..f0de9cc90d5 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency.expected
@@ -2,6 +2,7 @@ missingOperand
 unexpectedOperand
 duplicateOperand
 missingPhiOperand
+| ssa.cpp:398:3:398:13 | Phi: return ... | Instruction 'Phi: return ...' is missing an operand for predecessor block 'VariableAddress: y' in function '$@'. | ssa.cpp:383:5:383:24 | int FusedBlockPhiOperand(int, int, int, bool) | int FusedBlockPhiOperand(int, int, int, bool) |
 missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
@@ -9,9 +10,13 @@ instructionWithoutSuccessor
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
+| ssa.cpp:345:3:345:13 | Phi: return ... | Instruction 'Phi: return ...' is in a block with only 0 predecessors in function '$@'. | ssa.cpp:335:5:335:25 | int UnreachablePhiOperand(int, int) | int UnreachablePhiOperand(int, int) |
+| ssa.cpp:395:5:395:5 | Phi: ; | Instruction 'Phi: ;' is in a block with only 0 predecessors in function '$@'. | ssa.cpp:383:5:383:24 | int FusedBlockPhiOperand(int, int, int, bool) | int FusedBlockPhiOperand(int, int, int, bool) |
 memoryOperandDefinitionIsUnmodeled
 operandAcrossFunctions
 instructionWithoutUniqueBlock
+| ssa.cpp:345:3:345:13 | Phi: return ... | Instruction 'Phi: return ...' is a member of 0 blocks in function '$@'. | ssa.cpp:335:5:335:25 | int UnreachablePhiOperand(int, int) | int UnreachablePhiOperand(int, int) |
+| ssa.cpp:395:5:395:5 | Phi: ; | Instruction 'Phi: ;' is a member of 0 blocks in function '$@'. | ssa.cpp:383:5:383:24 | int FusedBlockPhiOperand(int, int, int, bool) | int FusedBlockPhiOperand(int, int, int, bool) |
 containsLoopOfForwardEdges
 lostReachability
 backEdgeCountMismatch
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.expected
index 31e5b01229c..f0de9cc90d5 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.expected
@@ -2,6 +2,7 @@ missingOperand
 unexpectedOperand
 duplicateOperand
 missingPhiOperand
+| ssa.cpp:398:3:398:13 | Phi: return ... | Instruction 'Phi: return ...' is missing an operand for predecessor block 'VariableAddress: y' in function '$@'. | ssa.cpp:383:5:383:24 | int FusedBlockPhiOperand(int, int, int, bool) | int FusedBlockPhiOperand(int, int, int, bool) |
 missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
@@ -9,9 +10,13 @@ instructionWithoutSuccessor
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
+| ssa.cpp:345:3:345:13 | Phi: return ... | Instruction 'Phi: return ...' is in a block with only 0 predecessors in function '$@'. | ssa.cpp:335:5:335:25 | int UnreachablePhiOperand(int, int) | int UnreachablePhiOperand(int, int) |
+| ssa.cpp:395:5:395:5 | Phi: ; | Instruction 'Phi: ;' is in a block with only 0 predecessors in function '$@'. | ssa.cpp:383:5:383:24 | int FusedBlockPhiOperand(int, int, int, bool) | int FusedBlockPhiOperand(int, int, int, bool) |
 memoryOperandDefinitionIsUnmodeled
 operandAcrossFunctions
 instructionWithoutUniqueBlock
+| ssa.cpp:345:3:345:13 | Phi: return ... | Instruction 'Phi: return ...' is a member of 0 blocks in function '$@'. | ssa.cpp:335:5:335:25 | int UnreachablePhiOperand(int, int) | int UnreachablePhiOperand(int, int) |
+| ssa.cpp:395:5:395:5 | Phi: ; | Instruction 'Phi: ;' is a member of 0 blocks in function '$@'. | ssa.cpp:383:5:383:24 | int FusedBlockPhiOperand(int, int, int, bool) | int FusedBlockPhiOperand(int, int, int, bool) |
 containsLoopOfForwardEdges
 lostReachability
 backEdgeCountMismatch
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
index b694ef800d6..d53c52e058c 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
@@ -1589,3 +1589,228 @@ ssa.cpp:
 #  319|     v319_10(void)             = ReturnVoid                         : 
 #  319|     v319_11(void)             = AliasedUse                         : ~m332_10
 #  319|     v319_12(void)             = ExitFunction                       : 
+
+#  335| int UnreachablePhiOperand(int, int)
+#  335|   Block 0
+#  335|     v335_1(void)        = EnterFunction          : 
+#  335|     m335_2(unknown)     = AliasedDefinition      : 
+#  335|     m335_3(unknown)     = InitializeNonLocal     : 
+#  335|     m335_4(unknown)     = Chi                    : total:m335_2, partial:m335_3
+#  335|     r335_5(glval<int>)  = VariableAddress[x]     : 
+#  335|     m335_6(int)         = InitializeParameter[x] : &:r335_5
+#  335|     r335_7(glval<int>)  = VariableAddress[y]     : 
+#  335|     m335_8(int)         = InitializeParameter[y] : &:r335_7
+#  336|     r336_1(glval<bool>) = VariableAddress[b]     : 
+#  336|     r336_2(bool)        = Constant[1]            : 
+#  336|     m336_3(bool)        = Store[b]               : &:r336_1, r336_2
+#  337|     r337_1(glval<int>)  = VariableAddress[ret]   : 
+#  337|     m337_2(int)         = Uninitialized[ret]     : &:r337_1
+#  339|     r339_1(glval<bool>) = VariableAddress[b]     : 
+#  339|     r339_2(bool)        = Load[b]                : &:r339_1, m336_3
+#  339|     v339_3(void)        = ConditionalBranch      : r339_2
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  340|   Block 1
+#  340|     r340_1(glval<int>) = VariableAddress[x]       : 
+#  340|     r340_2(int)        = Load[x]                  : &:r340_1, m335_6
+#  340|     r340_3(glval<int>) = VariableAddress[ret]     : 
+#  340|     m340_4(int)        = Store[ret]               : &:r340_3, r340_2
+#  345|     r345_1(glval<int>) = VariableAddress[#return] : 
+#  345|     r345_2(glval<int>) = VariableAddress[ret]     : 
+#  345|     r345_3(int)        = Load[ret]                : &:r345_2
+#  345|     m345_4(int)        = Store[#return]           : &:r345_1, r345_3
+#  335|     r335_9(glval<int>) = VariableAddress[#return] : 
+#  335|     v335_10(void)      = ReturnValue              : &:r335_9, m345_4
+#  335|     v335_11(void)      = AliasedUse               : m335_3
+#  335|     v335_12(void)      = ExitFunction             : 
+
+#  335|   Block 2
+#  335|     v335_13(void) = Unreached : 
+
+#  348| int UnreachablePhiOperand2(int, int, int, bool)
+#  348|   Block 0
+#  348|     v348_1(void)         = EnterFunction           : 
+#  348|     m348_2(unknown)      = AliasedDefinition       : 
+#  348|     m348_3(unknown)      = InitializeNonLocal      : 
+#  348|     m348_4(unknown)      = Chi                     : total:m348_2, partial:m348_3
+#  348|     r348_5(glval<int>)   = VariableAddress[x]      : 
+#  348|     m348_6(int)          = InitializeParameter[x]  : &:r348_5
+#  348|     r348_7(glval<int>)   = VariableAddress[y]      : 
+#  348|     m348_8(int)          = InitializeParameter[y]  : &:r348_7
+#  348|     r348_9(glval<int>)   = VariableAddress[z]      : 
+#  348|     m348_10(int)         = InitializeParameter[z]  : &:r348_9
+#  348|     r348_11(glval<bool>) = VariableAddress[b1]     : 
+#  348|     m348_12(bool)        = InitializeParameter[b1] : &:r348_11
+#  349|     r349_1(glval<bool>)  = VariableAddress[b2]     : 
+#  349|     r349_2(bool)         = Constant[1]             : 
+#  349|     m349_3(bool)         = Store[b2]               : &:r349_1, r349_2
+#  350|     r350_1(glval<int>)   = VariableAddress[ret]    : 
+#  350|     m350_2(int)          = Uninitialized[ret]      : &:r350_1
+#  352|     r352_1(glval<bool>)  = VariableAddress[b1]     : 
+#  352|     r352_2(bool)         = Load[b1]                : &:r352_1, m348_12
+#  352|     v352_3(void)         = ConditionalBranch       : r352_2
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  353|   Block 1
+#  353|     r353_1(glval<int>) = VariableAddress[x]   : 
+#  353|     r353_2(int)        = Load[x]              : &:r353_1, m348_6
+#  353|     r353_3(glval<int>) = VariableAddress[ret] : 
+#  353|     m353_4(int)        = Store[ret]           : &:r353_3, r353_2
+#-----|   Goto -> Block 4
+
+#  355|   Block 2
+#  355|     r355_1(glval<bool>) = VariableAddress[b2] : 
+#  355|     r355_2(bool)        = Load[b2]            : &:r355_1, m349_3
+#  355|     v355_3(void)        = ConditionalBranch   : r355_2
+#-----|   False -> Block 5
+#-----|   True -> Block 3
+
+#  356|   Block 3
+#  356|     r356_1(glval<int>) = VariableAddress[y]   : 
+#  356|     r356_2(int)        = Load[y]              : &:r356_1, m348_8
+#  356|     r356_3(glval<int>) = VariableAddress[ret] : 
+#  356|     m356_4(int)        = Store[ret]           : &:r356_3, r356_2
+#-----|   Goto -> Block 4
+
+#  362|   Block 4
+#  362|     m362_1(int)         = Phi                      : from 1:m353_4, from 3:m356_4
+#  362|     r362_2(glval<int>)  = VariableAddress[#return] : 
+#  362|     r362_3(glval<int>)  = VariableAddress[ret]     : 
+#  362|     r362_4(int)         = Load[ret]                : &:r362_3, m362_1
+#  362|     m362_5(int)         = Store[#return]           : &:r362_2, r362_4
+#  348|     r348_13(glval<int>) = VariableAddress[#return] : 
+#  348|     v348_14(void)       = ReturnValue              : &:r348_13, m362_5
+#  348|     v348_15(void)       = AliasedUse               : m348_3
+#  348|     v348_16(void)       = ExitFunction             : 
+
+#  348|   Block 5
+#  348|     v348_17(void) = Unreached : 
+
+#  365| int DegeneratePhi(int, int, bool)
+#  365|   Block 0
+#  365|     v365_1(void)        = EnterFunction           : 
+#  365|     m365_2(unknown)     = AliasedDefinition       : 
+#  365|     m365_3(unknown)     = InitializeNonLocal      : 
+#  365|     m365_4(unknown)     = Chi                     : total:m365_2, partial:m365_3
+#  365|     r365_5(glval<int>)  = VariableAddress[x]      : 
+#  365|     m365_6(int)         = InitializeParameter[x]  : &:r365_5
+#  365|     r365_7(glval<int>)  = VariableAddress[y]      : 
+#  365|     m365_8(int)         = InitializeParameter[y]  : &:r365_7
+#  365|     r365_9(glval<bool>) = VariableAddress[b1]     : 
+#  365|     m365_10(bool)       = InitializeParameter[b1] : &:r365_9
+#  366|     r366_1(glval<bool>) = VariableAddress[b2]     : 
+#  366|     r366_2(bool)        = Constant[1]             : 
+#  366|     m366_3(bool)        = Store[b2]               : &:r366_1, r366_2
+#  367|     r367_1(glval<int>)  = VariableAddress[ret1]   : 
+#  367|     m367_2(int)         = Uninitialized[ret1]     : &:r367_1
+#  368|     r368_1(glval<int>)  = VariableAddress[ret2]   : 
+#  368|     r368_2(glval<int>)  = VariableAddress[x]      : 
+#  368|     r368_3(int)         = Load[x]                 : &:r368_2, m365_6
+#  368|     m368_4(int)         = Store[ret2]             : &:r368_1, r368_3
+#  370|     r370_1(glval<bool>) = VariableAddress[b1]     : 
+#  370|     r370_2(bool)        = Load[b1]                : &:r370_1, m365_10
+#  370|     v370_3(void)        = ConditionalBranch       : r370_2
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  371|   Block 1
+#  371|     r371_1(glval<int>) = VariableAddress[x]    : 
+#  371|     r371_2(int)        = Load[x]               : &:r371_1, m365_6
+#  371|     r371_3(glval<int>) = VariableAddress[ret1] : 
+#  371|     m371_4(int)        = Store[ret1]           : &:r371_3, r371_2
+#-----|   Goto -> Block 4
+
+#  373|   Block 2
+#  373|     r373_1(glval<bool>) = VariableAddress[b2] : 
+#  373|     r373_2(bool)        = Load[b2]            : &:r373_1, m366_3
+#  373|     v373_3(void)        = ConditionalBranch   : r373_2
+#-----|   False -> Block 5
+#-----|   True -> Block 3
+
+#  374|   Block 3
+#  374|     r374_1(glval<int>) = VariableAddress[x]    : 
+#  374|     r374_2(int)        = Load[x]               : &:r374_1, m365_6
+#  374|     r374_3(glval<int>) = VariableAddress[ret1] : 
+#  374|     m374_4(int)        = Store[ret1]           : &:r374_3, r374_2
+#-----|   Goto -> Block 4
+
+#  380|   Block 4
+#  380|     m380_1(int)         = Phi                      : from 1:m368_4, from 3:m368_4
+#  380|     m380_2(int)         = Phi                      : from 1:m371_4, from 3:m374_4
+#  380|     r380_3(glval<int>)  = VariableAddress[#return] : 
+#  380|     r380_4(glval<int>)  = VariableAddress[ret1]    : 
+#  380|     r380_5(int)         = Load[ret1]               : &:r380_4, m380_2
+#  380|     r380_6(glval<int>)  = VariableAddress[ret2]    : 
+#  380|     r380_7(int)         = Load[ret2]               : &:r380_6, m380_1
+#  380|     r380_8(int)         = Add                      : r380_5, r380_7
+#  380|     m380_9(int)         = Store[#return]           : &:r380_3, r380_8
+#  365|     r365_11(glval<int>) = VariableAddress[#return] : 
+#  365|     v365_12(void)       = ReturnValue              : &:r365_11, m380_9
+#  365|     v365_13(void)       = AliasedUse               : m365_3
+#  365|     v365_14(void)       = ExitFunction             : 
+
+#  365|   Block 5
+#  365|     v365_15(void) = Unreached : 
+
+#  383| int FusedBlockPhiOperand(int, int, int, bool)
+#  383|   Block 0
+#  383|     v383_1(void)         = EnterFunction           : 
+#  383|     m383_2(unknown)      = AliasedDefinition       : 
+#  383|     m383_3(unknown)      = InitializeNonLocal      : 
+#  383|     m383_4(unknown)      = Chi                     : total:m383_2, partial:m383_3
+#  383|     r383_5(glval<int>)   = VariableAddress[x]      : 
+#  383|     m383_6(int)          = InitializeParameter[x]  : &:r383_5
+#  383|     r383_7(glval<int>)   = VariableAddress[y]      : 
+#  383|     m383_8(int)          = InitializeParameter[y]  : &:r383_7
+#  383|     r383_9(glval<int>)   = VariableAddress[z]      : 
+#  383|     m383_10(int)         = InitializeParameter[z]  : &:r383_9
+#  383|     r383_11(glval<bool>) = VariableAddress[b1]     : 
+#  383|     m383_12(bool)        = InitializeParameter[b1] : &:r383_11
+#  384|     r384_1(glval<bool>)  = VariableAddress[b2]     : 
+#  384|     r384_2(bool)         = Constant[1]             : 
+#  384|     m384_3(bool)         = Store[b2]               : &:r384_1, r384_2
+#  385|     r385_1(glval<int>)   = VariableAddress[ret]    : 
+#  385|     m385_2(int)          = Uninitialized[ret]      : &:r385_1
+#  387|     r387_1(glval<bool>)  = VariableAddress[b1]     : 
+#  387|     r387_2(bool)         = Load[b1]                : &:r387_1, m383_12
+#  387|     v387_3(void)         = ConditionalBranch       : r387_2
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  388|   Block 1
+#  388|     r388_1(glval<int>) = VariableAddress[x]   : 
+#  388|     r388_2(int)        = Load[x]              : &:r388_1, m383_6
+#  388|     r388_3(glval<int>) = VariableAddress[ret] : 
+#  388|     m388_4(int)        = Store[ret]           : &:r388_3, r388_2
+#-----|   Goto -> Block 4
+
+#  390|   Block 2
+#  390|     r390_1(glval<bool>) = VariableAddress[b2] : 
+#  390|     r390_2(bool)        = Load[b2]            : &:r390_1, m384_3
+#  390|     v390_3(void)        = ConditionalBranch   : r390_2
+#-----|   False -> Block 5
+#-----|   True -> Block 3
+
+#  391|   Block 3
+#  391|     r391_1(glval<int>) = VariableAddress[y]   : 
+#  391|     r391_2(int)        = Load[y]              : &:r391_1, m383_8
+#  391|     r391_3(glval<int>) = VariableAddress[ret] : 
+#  391|     m391_4(int)        = Store[ret]           : &:r391_3, r391_2
+#  395|     v395_1(void)       = NoOp                 : 
+#-----|   Goto -> Block 4
+
+#  398|   Block 4
+#  398|     m398_1(int)         = Phi                      : from 1:m388_4
+#  398|     r398_2(glval<int>)  = VariableAddress[#return] : 
+#  398|     r398_3(glval<int>)  = VariableAddress[ret]     : 
+#  398|     r398_4(int)         = Load[ret]                : &:r398_3, m398_1
+#  398|     m398_5(int)         = Store[#return]           : &:r398_2, r398_4
+#  383|     r383_13(glval<int>) = VariableAddress[#return] : 
+#  383|     v383_14(void)       = ReturnValue              : &:r383_13, m398_5
+#  383|     v383_15(void)       = AliasedUse               : m383_3
+#  383|     v383_16(void)       = ExitFunction             : 
+
+#  383|   Block 5
+#  383|     v383_17(void) = Unreached : 
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
index a877587ea21..5af11581b0c 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
@@ -1579,3 +1579,228 @@ ssa.cpp:
 #  319|     v319_10(void)             = ReturnVoid                         : 
 #  319|     v319_11(void)             = AliasedUse                         : ~m332_10
 #  319|     v319_12(void)             = ExitFunction                       : 
+
+#  335| int UnreachablePhiOperand(int, int)
+#  335|   Block 0
+#  335|     v335_1(void)        = EnterFunction          : 
+#  335|     m335_2(unknown)     = AliasedDefinition      : 
+#  335|     m335_3(unknown)     = InitializeNonLocal     : 
+#  335|     m335_4(unknown)     = Chi                    : total:m335_2, partial:m335_3
+#  335|     r335_5(glval<int>)  = VariableAddress[x]     : 
+#  335|     m335_6(int)         = InitializeParameter[x] : &:r335_5
+#  335|     r335_7(glval<int>)  = VariableAddress[y]     : 
+#  335|     m335_8(int)         = InitializeParameter[y] : &:r335_7
+#  336|     r336_1(glval<bool>) = VariableAddress[b]     : 
+#  336|     r336_2(bool)        = Constant[1]            : 
+#  336|     m336_3(bool)        = Store[b]               : &:r336_1, r336_2
+#  337|     r337_1(glval<int>)  = VariableAddress[ret]   : 
+#  337|     m337_2(int)         = Uninitialized[ret]     : &:r337_1
+#  339|     r339_1(glval<bool>) = VariableAddress[b]     : 
+#  339|     r339_2(bool)        = Load[b]                : &:r339_1, m336_3
+#  339|     v339_3(void)        = ConditionalBranch      : r339_2
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  340|   Block 1
+#  340|     r340_1(glval<int>) = VariableAddress[x]       : 
+#  340|     r340_2(int)        = Load[x]                  : &:r340_1, m335_6
+#  340|     r340_3(glval<int>) = VariableAddress[ret]     : 
+#  340|     m340_4(int)        = Store[ret]               : &:r340_3, r340_2
+#  345|     r345_1(glval<int>) = VariableAddress[#return] : 
+#  345|     r345_2(glval<int>) = VariableAddress[ret]     : 
+#  345|     r345_3(int)        = Load[ret]                : &:r345_2
+#  345|     m345_4(int)        = Store[#return]           : &:r345_1, r345_3
+#  335|     r335_9(glval<int>) = VariableAddress[#return] : 
+#  335|     v335_10(void)      = ReturnValue              : &:r335_9, m345_4
+#  335|     v335_11(void)      = AliasedUse               : m335_3
+#  335|     v335_12(void)      = ExitFunction             : 
+
+#  335|   Block 2
+#  335|     v335_13(void) = Unreached : 
+
+#  348| int UnreachablePhiOperand2(int, int, int, bool)
+#  348|   Block 0
+#  348|     v348_1(void)         = EnterFunction           : 
+#  348|     m348_2(unknown)      = AliasedDefinition       : 
+#  348|     m348_3(unknown)      = InitializeNonLocal      : 
+#  348|     m348_4(unknown)      = Chi                     : total:m348_2, partial:m348_3
+#  348|     r348_5(glval<int>)   = VariableAddress[x]      : 
+#  348|     m348_6(int)          = InitializeParameter[x]  : &:r348_5
+#  348|     r348_7(glval<int>)   = VariableAddress[y]      : 
+#  348|     m348_8(int)          = InitializeParameter[y]  : &:r348_7
+#  348|     r348_9(glval<int>)   = VariableAddress[z]      : 
+#  348|     m348_10(int)         = InitializeParameter[z]  : &:r348_9
+#  348|     r348_11(glval<bool>) = VariableAddress[b1]     : 
+#  348|     m348_12(bool)        = InitializeParameter[b1] : &:r348_11
+#  349|     r349_1(glval<bool>)  = VariableAddress[b2]     : 
+#  349|     r349_2(bool)         = Constant[1]             : 
+#  349|     m349_3(bool)         = Store[b2]               : &:r349_1, r349_2
+#  350|     r350_1(glval<int>)   = VariableAddress[ret]    : 
+#  350|     m350_2(int)          = Uninitialized[ret]      : &:r350_1
+#  352|     r352_1(glval<bool>)  = VariableAddress[b1]     : 
+#  352|     r352_2(bool)         = Load[b1]                : &:r352_1, m348_12
+#  352|     v352_3(void)         = ConditionalBranch       : r352_2
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  353|   Block 1
+#  353|     r353_1(glval<int>) = VariableAddress[x]   : 
+#  353|     r353_2(int)        = Load[x]              : &:r353_1, m348_6
+#  353|     r353_3(glval<int>) = VariableAddress[ret] : 
+#  353|     m353_4(int)        = Store[ret]           : &:r353_3, r353_2
+#-----|   Goto -> Block 4
+
+#  355|   Block 2
+#  355|     r355_1(glval<bool>) = VariableAddress[b2] : 
+#  355|     r355_2(bool)        = Load[b2]            : &:r355_1, m349_3
+#  355|     v355_3(void)        = ConditionalBranch   : r355_2
+#-----|   False -> Block 5
+#-----|   True -> Block 3
+
+#  356|   Block 3
+#  356|     r356_1(glval<int>) = VariableAddress[y]   : 
+#  356|     r356_2(int)        = Load[y]              : &:r356_1, m348_8
+#  356|     r356_3(glval<int>) = VariableAddress[ret] : 
+#  356|     m356_4(int)        = Store[ret]           : &:r356_3, r356_2
+#-----|   Goto -> Block 4
+
+#  362|   Block 4
+#  362|     m362_1(int)         = Phi                      : from 1:m353_4, from 3:m356_4
+#  362|     r362_2(glval<int>)  = VariableAddress[#return] : 
+#  362|     r362_3(glval<int>)  = VariableAddress[ret]     : 
+#  362|     r362_4(int)         = Load[ret]                : &:r362_3, m362_1
+#  362|     m362_5(int)         = Store[#return]           : &:r362_2, r362_4
+#  348|     r348_13(glval<int>) = VariableAddress[#return] : 
+#  348|     v348_14(void)       = ReturnValue              : &:r348_13, m362_5
+#  348|     v348_15(void)       = AliasedUse               : m348_3
+#  348|     v348_16(void)       = ExitFunction             : 
+
+#  348|   Block 5
+#  348|     v348_17(void) = Unreached : 
+
+#  365| int DegeneratePhi(int, int, bool)
+#  365|   Block 0
+#  365|     v365_1(void)        = EnterFunction           : 
+#  365|     m365_2(unknown)     = AliasedDefinition       : 
+#  365|     m365_3(unknown)     = InitializeNonLocal      : 
+#  365|     m365_4(unknown)     = Chi                     : total:m365_2, partial:m365_3
+#  365|     r365_5(glval<int>)  = VariableAddress[x]      : 
+#  365|     m365_6(int)         = InitializeParameter[x]  : &:r365_5
+#  365|     r365_7(glval<int>)  = VariableAddress[y]      : 
+#  365|     m365_8(int)         = InitializeParameter[y]  : &:r365_7
+#  365|     r365_9(glval<bool>) = VariableAddress[b1]     : 
+#  365|     m365_10(bool)       = InitializeParameter[b1] : &:r365_9
+#  366|     r366_1(glval<bool>) = VariableAddress[b2]     : 
+#  366|     r366_2(bool)        = Constant[1]             : 
+#  366|     m366_3(bool)        = Store[b2]               : &:r366_1, r366_2
+#  367|     r367_1(glval<int>)  = VariableAddress[ret1]   : 
+#  367|     m367_2(int)         = Uninitialized[ret1]     : &:r367_1
+#  368|     r368_1(glval<int>)  = VariableAddress[ret2]   : 
+#  368|     r368_2(glval<int>)  = VariableAddress[x]      : 
+#  368|     r368_3(int)         = Load[x]                 : &:r368_2, m365_6
+#  368|     m368_4(int)         = Store[ret2]             : &:r368_1, r368_3
+#  370|     r370_1(glval<bool>) = VariableAddress[b1]     : 
+#  370|     r370_2(bool)        = Load[b1]                : &:r370_1, m365_10
+#  370|     v370_3(void)        = ConditionalBranch       : r370_2
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  371|   Block 1
+#  371|     r371_1(glval<int>) = VariableAddress[x]    : 
+#  371|     r371_2(int)        = Load[x]               : &:r371_1, m365_6
+#  371|     r371_3(glval<int>) = VariableAddress[ret1] : 
+#  371|     m371_4(int)        = Store[ret1]           : &:r371_3, r371_2
+#-----|   Goto -> Block 4
+
+#  373|   Block 2
+#  373|     r373_1(glval<bool>) = VariableAddress[b2] : 
+#  373|     r373_2(bool)        = Load[b2]            : &:r373_1, m366_3
+#  373|     v373_3(void)        = ConditionalBranch   : r373_2
+#-----|   False -> Block 5
+#-----|   True -> Block 3
+
+#  374|   Block 3
+#  374|     r374_1(glval<int>) = VariableAddress[x]    : 
+#  374|     r374_2(int)        = Load[x]               : &:r374_1, m365_6
+#  374|     r374_3(glval<int>) = VariableAddress[ret1] : 
+#  374|     m374_4(int)        = Store[ret1]           : &:r374_3, r374_2
+#-----|   Goto -> Block 4
+
+#  380|   Block 4
+#  380|     m380_1(int)         = Phi                      : from 1:m368_4, from 3:m368_4
+#  380|     m380_2(int)         = Phi                      : from 1:m371_4, from 3:m374_4
+#  380|     r380_3(glval<int>)  = VariableAddress[#return] : 
+#  380|     r380_4(glval<int>)  = VariableAddress[ret1]    : 
+#  380|     r380_5(int)         = Load[ret1]               : &:r380_4, m380_2
+#  380|     r380_6(glval<int>)  = VariableAddress[ret2]    : 
+#  380|     r380_7(int)         = Load[ret2]               : &:r380_6, m380_1
+#  380|     r380_8(int)         = Add                      : r380_5, r380_7
+#  380|     m380_9(int)         = Store[#return]           : &:r380_3, r380_8
+#  365|     r365_11(glval<int>) = VariableAddress[#return] : 
+#  365|     v365_12(void)       = ReturnValue              : &:r365_11, m380_9
+#  365|     v365_13(void)       = AliasedUse               : m365_3
+#  365|     v365_14(void)       = ExitFunction             : 
+
+#  365|   Block 5
+#  365|     v365_15(void) = Unreached : 
+
+#  383| int FusedBlockPhiOperand(int, int, int, bool)
+#  383|   Block 0
+#  383|     v383_1(void)         = EnterFunction           : 
+#  383|     m383_2(unknown)      = AliasedDefinition       : 
+#  383|     m383_3(unknown)      = InitializeNonLocal      : 
+#  383|     m383_4(unknown)      = Chi                     : total:m383_2, partial:m383_3
+#  383|     r383_5(glval<int>)   = VariableAddress[x]      : 
+#  383|     m383_6(int)          = InitializeParameter[x]  : &:r383_5
+#  383|     r383_7(glval<int>)   = VariableAddress[y]      : 
+#  383|     m383_8(int)          = InitializeParameter[y]  : &:r383_7
+#  383|     r383_9(glval<int>)   = VariableAddress[z]      : 
+#  383|     m383_10(int)         = InitializeParameter[z]  : &:r383_9
+#  383|     r383_11(glval<bool>) = VariableAddress[b1]     : 
+#  383|     m383_12(bool)        = InitializeParameter[b1] : &:r383_11
+#  384|     r384_1(glval<bool>)  = VariableAddress[b2]     : 
+#  384|     r384_2(bool)         = Constant[1]             : 
+#  384|     m384_3(bool)         = Store[b2]               : &:r384_1, r384_2
+#  385|     r385_1(glval<int>)   = VariableAddress[ret]    : 
+#  385|     m385_2(int)          = Uninitialized[ret]      : &:r385_1
+#  387|     r387_1(glval<bool>)  = VariableAddress[b1]     : 
+#  387|     r387_2(bool)         = Load[b1]                : &:r387_1, m383_12
+#  387|     v387_3(void)         = ConditionalBranch       : r387_2
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  388|   Block 1
+#  388|     r388_1(glval<int>) = VariableAddress[x]   : 
+#  388|     r388_2(int)        = Load[x]              : &:r388_1, m383_6
+#  388|     r388_3(glval<int>) = VariableAddress[ret] : 
+#  388|     m388_4(int)        = Store[ret]           : &:r388_3, r388_2
+#-----|   Goto -> Block 4
+
+#  390|   Block 2
+#  390|     r390_1(glval<bool>) = VariableAddress[b2] : 
+#  390|     r390_2(bool)        = Load[b2]            : &:r390_1, m384_3
+#  390|     v390_3(void)        = ConditionalBranch   : r390_2
+#-----|   False -> Block 5
+#-----|   True -> Block 3
+
+#  391|   Block 3
+#  391|     r391_1(glval<int>) = VariableAddress[y]   : 
+#  391|     r391_2(int)        = Load[y]              : &:r391_1, m383_8
+#  391|     r391_3(glval<int>) = VariableAddress[ret] : 
+#  391|     m391_4(int)        = Store[ret]           : &:r391_3, r391_2
+#  395|     v395_1(void)       = NoOp                 : 
+#-----|   Goto -> Block 4
+
+#  398|   Block 4
+#  398|     m398_1(int)         = Phi                      : from 1:m388_4
+#  398|     r398_2(glval<int>)  = VariableAddress[#return] : 
+#  398|     r398_3(glval<int>)  = VariableAddress[ret]     : 
+#  398|     r398_4(int)         = Load[ret]                : &:r398_3, m398_1
+#  398|     m398_5(int)         = Store[#return]           : &:r398_2, r398_4
+#  383|     r383_13(glval<int>) = VariableAddress[#return] : 
+#  383|     v383_14(void)       = ReturnValue              : &:r383_13, m398_5
+#  383|     v383_15(void)       = AliasedUse               : m383_3
+#  383|     v383_16(void)       = ExitFunction             : 
+
+#  383|   Block 5
+#  383|     v383_17(void) = Unreached : 
diff --git a/cpp/ql/test/library-tests/ir/ssa/ssa.cpp b/cpp/ql/test/library-tests/ir/ssa/ssa.cpp
index 73aefa17dae..ec8ea81e9e4 100644
--- a/cpp/ql/test/library-tests/ir/ssa/ssa.cpp
+++ b/cpp/ql/test/library-tests/ir/ssa/ssa.cpp
@@ -331,3 +331,69 @@ void DoubleIndirectionEscapes(char *s)
 	sink(ptr2); // $ SPURIOUS: ast
 	sink(*ptr2); // $ ast MISSING: ir
 }
+
+int UnreachablePhiOperand(int x, int y) {
+  bool b = true;
+  int ret;
+
+  if(b) {
+    ret = x;
+  } else {
+    ret = y;
+  }
+
+  return ret;
+}
+
+int UnreachablePhiOperand2(int x, int y, int z, bool b1) {
+  bool b2 = true;
+  int ret;
+
+  if(b1) {
+    ret = x;
+  } else {
+    if(b2) {
+      ret = y;
+    } else {
+      ret = z;
+    }
+  }
+
+  return ret;
+}
+
+int DegeneratePhi(int x, int y, bool b1) {
+  bool b2 = true;
+  int ret1;
+  int ret2 = x;
+
+  if(b1) {
+    ret1 = x;
+  } else {
+    if(b2) {
+      ret1 = x;
+    } else {
+      ret2 = y;
+    }
+  }
+
+  return ret1 + ret2;
+}
+
+int FusedBlockPhiOperand(int x, int y, int z, bool b1) {
+  bool b2 = true;
+  int ret;
+
+  if(b1) {
+    ret = x;
+  } else {
+    if(b2) {
+      ret = y;
+    } else {
+      ret = z;
+    }
+    ; // creates a NoOp instruction with its own basic block
+  }
+
+  return ret;
+}
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
index b396d50c366..9b1ebd7fe6e 100644
--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir.expected
@@ -1450,3 +1450,248 @@ ssa.cpp:
 #  319|     v319_9(void)              = ReturnVoid                         : 
 #  319|     v319_10(void)             = AliasedUse                         : ~m?
 #  319|     v319_11(void)             = ExitFunction                       : 
+
+#  335| int UnreachablePhiOperand(int, int)
+#  335|   Block 0
+#  335|     v335_1(void)        = EnterFunction          : 
+#  335|     mu335_2(unknown)    = AliasedDefinition      : 
+#  335|     mu335_3(unknown)    = InitializeNonLocal     : 
+#  335|     r335_4(glval<int>)  = VariableAddress[x]     : 
+#  335|     m335_5(int)         = InitializeParameter[x] : &:r335_4
+#  335|     r335_6(glval<int>)  = VariableAddress[y]     : 
+#  335|     m335_7(int)         = InitializeParameter[y] : &:r335_6
+#  336|     r336_1(glval<bool>) = VariableAddress[b]     : 
+#  336|     r336_2(bool)        = Constant[1]            : 
+#  336|     m336_3(bool)        = Store[b]               : &:r336_1, r336_2
+#  337|     r337_1(glval<int>)  = VariableAddress[ret]   : 
+#  337|     m337_2(int)         = Uninitialized[ret]     : &:r337_1
+#  339|     r339_1(glval<bool>) = VariableAddress[b]     : 
+#  339|     r339_2(bool)        = Load[b]                : &:r339_1, m336_3
+#  339|     v339_3(void)        = ConditionalBranch      : r339_2
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  340|   Block 1
+#  340|     r340_1(glval<int>) = VariableAddress[x]   : 
+#  340|     r340_2(int)        = Load[x]              : &:r340_1, m335_5
+#  340|     r340_3(glval<int>) = VariableAddress[ret] : 
+#  340|     m340_4(int)        = Store[ret]           : &:r340_3, r340_2
+#-----|   Goto -> Block 3
+
+#  342|   Block 2
+#  342|     r342_1(glval<int>) = VariableAddress[y]   : 
+#  342|     r342_2(int)        = Load[y]              : &:r342_1, m335_7
+#  342|     r342_3(glval<int>) = VariableAddress[ret] : 
+#  342|     m342_4(int)        = Store[ret]           : &:r342_3, r342_2
+#-----|   Goto -> Block 3
+
+#  345|   Block 3
+#  345|     m345_1(int)        = Phi                      : from 1:m340_4, from 2:m342_4
+#  345|     r345_2(glval<int>) = VariableAddress[#return] : 
+#  345|     r345_3(glval<int>) = VariableAddress[ret]     : 
+#  345|     r345_4(int)        = Load[ret]                : &:r345_3, m345_1
+#  345|     m345_5(int)        = Store[#return]           : &:r345_2, r345_4
+#  335|     r335_8(glval<int>) = VariableAddress[#return] : 
+#  335|     v335_9(void)       = ReturnValue              : &:r335_8, m345_5
+#  335|     v335_10(void)      = AliasedUse               : ~m?
+#  335|     v335_11(void)      = ExitFunction             : 
+
+#  348| int UnreachablePhiOperand2(int, int, int, bool)
+#  348|   Block 0
+#  348|     v348_1(void)         = EnterFunction           : 
+#  348|     mu348_2(unknown)     = AliasedDefinition       : 
+#  348|     mu348_3(unknown)     = InitializeNonLocal      : 
+#  348|     r348_4(glval<int>)   = VariableAddress[x]      : 
+#  348|     m348_5(int)          = InitializeParameter[x]  : &:r348_4
+#  348|     r348_6(glval<int>)   = VariableAddress[y]      : 
+#  348|     m348_7(int)          = InitializeParameter[y]  : &:r348_6
+#  348|     r348_8(glval<int>)   = VariableAddress[z]      : 
+#  348|     m348_9(int)          = InitializeParameter[z]  : &:r348_8
+#  348|     r348_10(glval<bool>) = VariableAddress[b1]     : 
+#  348|     m348_11(bool)        = InitializeParameter[b1] : &:r348_10
+#  349|     r349_1(glval<bool>)  = VariableAddress[b2]     : 
+#  349|     r349_2(bool)         = Constant[1]             : 
+#  349|     m349_3(bool)         = Store[b2]               : &:r349_1, r349_2
+#  350|     r350_1(glval<int>)   = VariableAddress[ret]    : 
+#  350|     m350_2(int)          = Uninitialized[ret]      : &:r350_1
+#  352|     r352_1(glval<bool>)  = VariableAddress[b1]     : 
+#  352|     r352_2(bool)         = Load[b1]                : &:r352_1, m348_11
+#  352|     v352_3(void)         = ConditionalBranch       : r352_2
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  353|   Block 1
+#  353|     r353_1(glval<int>) = VariableAddress[x]   : 
+#  353|     r353_2(int)        = Load[x]              : &:r353_1, m348_5
+#  353|     r353_3(glval<int>) = VariableAddress[ret] : 
+#  353|     m353_4(int)        = Store[ret]           : &:r353_3, r353_2
+#-----|   Goto -> Block 5
+
+#  355|   Block 2
+#  355|     r355_1(glval<bool>) = VariableAddress[b2] : 
+#  355|     r355_2(bool)        = Load[b2]            : &:r355_1, m349_3
+#  355|     v355_3(void)        = ConditionalBranch   : r355_2
+#-----|   False -> Block 4
+#-----|   True -> Block 3
+
+#  356|   Block 3
+#  356|     r356_1(glval<int>) = VariableAddress[y]   : 
+#  356|     r356_2(int)        = Load[y]              : &:r356_1, m348_7
+#  356|     r356_3(glval<int>) = VariableAddress[ret] : 
+#  356|     m356_4(int)        = Store[ret]           : &:r356_3, r356_2
+#-----|   Goto -> Block 5
+
+#  358|   Block 4
+#  358|     r358_1(glval<int>) = VariableAddress[z]   : 
+#  358|     r358_2(int)        = Load[z]              : &:r358_1, m348_9
+#  358|     r358_3(glval<int>) = VariableAddress[ret] : 
+#  358|     m358_4(int)        = Store[ret]           : &:r358_3, r358_2
+#-----|   Goto -> Block 5
+
+#  362|   Block 5
+#  362|     m362_1(int)         = Phi                      : from 1:m353_4, from 3:m356_4, from 4:m358_4
+#  362|     r362_2(glval<int>)  = VariableAddress[#return] : 
+#  362|     r362_3(glval<int>)  = VariableAddress[ret]     : 
+#  362|     r362_4(int)         = Load[ret]                : &:r362_3, m362_1
+#  362|     m362_5(int)         = Store[#return]           : &:r362_2, r362_4
+#  348|     r348_12(glval<int>) = VariableAddress[#return] : 
+#  348|     v348_13(void)       = ReturnValue              : &:r348_12, m362_5
+#  348|     v348_14(void)       = AliasedUse               : ~m?
+#  348|     v348_15(void)       = ExitFunction             : 
+
+#  365| int DegeneratePhi(int, int, bool)
+#  365|   Block 0
+#  365|     v365_1(void)        = EnterFunction           : 
+#  365|     mu365_2(unknown)    = AliasedDefinition       : 
+#  365|     mu365_3(unknown)    = InitializeNonLocal      : 
+#  365|     r365_4(glval<int>)  = VariableAddress[x]      : 
+#  365|     m365_5(int)         = InitializeParameter[x]  : &:r365_4
+#  365|     r365_6(glval<int>)  = VariableAddress[y]      : 
+#  365|     m365_7(int)         = InitializeParameter[y]  : &:r365_6
+#  365|     r365_8(glval<bool>) = VariableAddress[b1]     : 
+#  365|     m365_9(bool)        = InitializeParameter[b1] : &:r365_8
+#  366|     r366_1(glval<bool>) = VariableAddress[b2]     : 
+#  366|     r366_2(bool)        = Constant[1]             : 
+#  366|     m366_3(bool)        = Store[b2]               : &:r366_1, r366_2
+#  367|     r367_1(glval<int>)  = VariableAddress[ret1]   : 
+#  367|     m367_2(int)         = Uninitialized[ret1]     : &:r367_1
+#  368|     r368_1(glval<int>)  = VariableAddress[ret2]   : 
+#  368|     r368_2(glval<int>)  = VariableAddress[x]      : 
+#  368|     r368_3(int)         = Load[x]                 : &:r368_2, m365_5
+#  368|     m368_4(int)         = Store[ret2]             : &:r368_1, r368_3
+#  370|     r370_1(glval<bool>) = VariableAddress[b1]     : 
+#  370|     r370_2(bool)        = Load[b1]                : &:r370_1, m365_9
+#  370|     v370_3(void)        = ConditionalBranch       : r370_2
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  371|   Block 1
+#  371|     r371_1(glval<int>) = VariableAddress[x]    : 
+#  371|     r371_2(int)        = Load[x]               : &:r371_1, m365_5
+#  371|     r371_3(glval<int>) = VariableAddress[ret1] : 
+#  371|     m371_4(int)        = Store[ret1]           : &:r371_3, r371_2
+#-----|   Goto -> Block 5
+
+#  373|   Block 2
+#  373|     r373_1(glval<bool>) = VariableAddress[b2] : 
+#  373|     r373_2(bool)        = Load[b2]            : &:r373_1, m366_3
+#  373|     v373_3(void)        = ConditionalBranch   : r373_2
+#-----|   False -> Block 4
+#-----|   True -> Block 3
+
+#  374|   Block 3
+#  374|     r374_1(glval<int>) = VariableAddress[x]    : 
+#  374|     r374_2(int)        = Load[x]               : &:r374_1, m365_5
+#  374|     r374_3(glval<int>) = VariableAddress[ret1] : 
+#  374|     m374_4(int)        = Store[ret1]           : &:r374_3, r374_2
+#-----|   Goto -> Block 5
+
+#  376|   Block 4
+#  376|     r376_1(glval<int>) = VariableAddress[y]    : 
+#  376|     r376_2(int)        = Load[y]               : &:r376_1, m365_7
+#  376|     r376_3(glval<int>) = VariableAddress[ret2] : 
+#  376|     m376_4(int)        = Store[ret2]           : &:r376_3, r376_2
+#-----|   Goto -> Block 5
+
+#  380|   Block 5
+#  380|     m380_1(int)         = Phi                      : from 1:m368_4, from 3:m368_4, from 4:m376_4
+#  380|     m380_2(int)         = Phi                      : from 1:m371_4, from 3:m374_4, from 4:m367_2
+#  380|     r380_3(glval<int>)  = VariableAddress[#return] : 
+#  380|     r380_4(glval<int>)  = VariableAddress[ret1]    : 
+#  380|     r380_5(int)         = Load[ret1]               : &:r380_4, m380_2
+#  380|     r380_6(glval<int>)  = VariableAddress[ret2]    : 
+#  380|     r380_7(int)         = Load[ret2]               : &:r380_6, m380_1
+#  380|     r380_8(int)         = Add                      : r380_5, r380_7
+#  380|     m380_9(int)         = Store[#return]           : &:r380_3, r380_8
+#  365|     r365_10(glval<int>) = VariableAddress[#return] : 
+#  365|     v365_11(void)       = ReturnValue              : &:r365_10, m380_9
+#  365|     v365_12(void)       = AliasedUse               : ~m?
+#  365|     v365_13(void)       = ExitFunction             : 
+
+#  383| int FusedBlockPhiOperand(int, int, int, bool)
+#  383|   Block 0
+#  383|     v383_1(void)         = EnterFunction           : 
+#  383|     mu383_2(unknown)     = AliasedDefinition       : 
+#  383|     mu383_3(unknown)     = InitializeNonLocal      : 
+#  383|     r383_4(glval<int>)   = VariableAddress[x]      : 
+#  383|     m383_5(int)          = InitializeParameter[x]  : &:r383_4
+#  383|     r383_6(glval<int>)   = VariableAddress[y]      : 
+#  383|     m383_7(int)          = InitializeParameter[y]  : &:r383_6
+#  383|     r383_8(glval<int>)   = VariableAddress[z]      : 
+#  383|     m383_9(int)          = InitializeParameter[z]  : &:r383_8
+#  383|     r383_10(glval<bool>) = VariableAddress[b1]     : 
+#  383|     m383_11(bool)        = InitializeParameter[b1] : &:r383_10
+#  384|     r384_1(glval<bool>)  = VariableAddress[b2]     : 
+#  384|     r384_2(bool)         = Constant[1]             : 
+#  384|     m384_3(bool)         = Store[b2]               : &:r384_1, r384_2
+#  385|     r385_1(glval<int>)   = VariableAddress[ret]    : 
+#  385|     m385_2(int)          = Uninitialized[ret]      : &:r385_1
+#  387|     r387_1(glval<bool>)  = VariableAddress[b1]     : 
+#  387|     r387_2(bool)         = Load[b1]                : &:r387_1, m383_11
+#  387|     v387_3(void)         = ConditionalBranch       : r387_2
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  388|   Block 1
+#  388|     r388_1(glval<int>) = VariableAddress[x]   : 
+#  388|     r388_2(int)        = Load[x]              : &:r388_1, m383_5
+#  388|     r388_3(glval<int>) = VariableAddress[ret] : 
+#  388|     m388_4(int)        = Store[ret]           : &:r388_3, r388_2
+#-----|   Goto -> Block 6
+
+#  390|   Block 2
+#  390|     r390_1(glval<bool>) = VariableAddress[b2] : 
+#  390|     r390_2(bool)        = Load[b2]            : &:r390_1, m384_3
+#  390|     v390_3(void)        = ConditionalBranch   : r390_2
+#-----|   False -> Block 4
+#-----|   True -> Block 3
+
+#  391|   Block 3
+#  391|     r391_1(glval<int>) = VariableAddress[y]   : 
+#  391|     r391_2(int)        = Load[y]              : &:r391_1, m383_7
+#  391|     r391_3(glval<int>) = VariableAddress[ret] : 
+#  391|     m391_4(int)        = Store[ret]           : &:r391_3, r391_2
+#-----|   Goto -> Block 5
+
+#  393|   Block 4
+#  393|     r393_1(glval<int>) = VariableAddress[z]   : 
+#  393|     r393_2(int)        = Load[z]              : &:r393_1, m383_9
+#  393|     r393_3(glval<int>) = VariableAddress[ret] : 
+#  393|     m393_4(int)        = Store[ret]           : &:r393_3, r393_2
+#-----|   Goto -> Block 5
+
+#  395|   Block 5
+#  395|     m395_1(int)  = Phi  : from 3:m391_4, from 4:m393_4
+#  395|     v395_2(void) = NoOp : 
+#-----|   Goto -> Block 6
+
+#  398|   Block 6
+#  398|     m398_1(int)         = Phi                      : from 1:m388_4, from 5:m395_1
+#  398|     r398_2(glval<int>)  = VariableAddress[#return] : 
+#  398|     r398_3(glval<int>)  = VariableAddress[ret]     : 
+#  398|     r398_4(int)         = Load[ret]                : &:r398_3, m398_1
+#  398|     m398_5(int)         = Store[#return]           : &:r398_2, r398_4
+#  383|     r383_12(glval<int>) = VariableAddress[#return] : 
+#  383|     v383_13(void)       = ReturnValue              : &:r383_12, m398_5
+#  383|     v383_14(void)       = AliasedUse               : ~m?
+#  383|     v383_15(void)       = ExitFunction             : 
diff --git a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
index b396d50c366..9b1ebd7fe6e 100644
--- a/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/unaliased_ssa_ir_unsound.expected
@@ -1450,3 +1450,248 @@ ssa.cpp:
 #  319|     v319_9(void)              = ReturnVoid                         : 
 #  319|     v319_10(void)             = AliasedUse                         : ~m?
 #  319|     v319_11(void)             = ExitFunction                       : 
+
+#  335| int UnreachablePhiOperand(int, int)
+#  335|   Block 0
+#  335|     v335_1(void)        = EnterFunction          : 
+#  335|     mu335_2(unknown)    = AliasedDefinition      : 
+#  335|     mu335_3(unknown)    = InitializeNonLocal     : 
+#  335|     r335_4(glval<int>)  = VariableAddress[x]     : 
+#  335|     m335_5(int)         = InitializeParameter[x] : &:r335_4
+#  335|     r335_6(glval<int>)  = VariableAddress[y]     : 
+#  335|     m335_7(int)         = InitializeParameter[y] : &:r335_6
+#  336|     r336_1(glval<bool>) = VariableAddress[b]     : 
+#  336|     r336_2(bool)        = Constant[1]            : 
+#  336|     m336_3(bool)        = Store[b]               : &:r336_1, r336_2
+#  337|     r337_1(glval<int>)  = VariableAddress[ret]   : 
+#  337|     m337_2(int)         = Uninitialized[ret]     : &:r337_1
+#  339|     r339_1(glval<bool>) = VariableAddress[b]     : 
+#  339|     r339_2(bool)        = Load[b]                : &:r339_1, m336_3
+#  339|     v339_3(void)        = ConditionalBranch      : r339_2
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  340|   Block 1
+#  340|     r340_1(glval<int>) = VariableAddress[x]   : 
+#  340|     r340_2(int)        = Load[x]              : &:r340_1, m335_5
+#  340|     r340_3(glval<int>) = VariableAddress[ret] : 
+#  340|     m340_4(int)        = Store[ret]           : &:r340_3, r340_2
+#-----|   Goto -> Block 3
+
+#  342|   Block 2
+#  342|     r342_1(glval<int>) = VariableAddress[y]   : 
+#  342|     r342_2(int)        = Load[y]              : &:r342_1, m335_7
+#  342|     r342_3(glval<int>) = VariableAddress[ret] : 
+#  342|     m342_4(int)        = Store[ret]           : &:r342_3, r342_2
+#-----|   Goto -> Block 3
+
+#  345|   Block 3
+#  345|     m345_1(int)        = Phi                      : from 1:m340_4, from 2:m342_4
+#  345|     r345_2(glval<int>) = VariableAddress[#return] : 
+#  345|     r345_3(glval<int>) = VariableAddress[ret]     : 
+#  345|     r345_4(int)        = Load[ret]                : &:r345_3, m345_1
+#  345|     m345_5(int)        = Store[#return]           : &:r345_2, r345_4
+#  335|     r335_8(glval<int>) = VariableAddress[#return] : 
+#  335|     v335_9(void)       = ReturnValue              : &:r335_8, m345_5
+#  335|     v335_10(void)      = AliasedUse               : ~m?
+#  335|     v335_11(void)      = ExitFunction             : 
+
+#  348| int UnreachablePhiOperand2(int, int, int, bool)
+#  348|   Block 0
+#  348|     v348_1(void)         = EnterFunction           : 
+#  348|     mu348_2(unknown)     = AliasedDefinition       : 
+#  348|     mu348_3(unknown)     = InitializeNonLocal      : 
+#  348|     r348_4(glval<int>)   = VariableAddress[x]      : 
+#  348|     m348_5(int)          = InitializeParameter[x]  : &:r348_4
+#  348|     r348_6(glval<int>)   = VariableAddress[y]      : 
+#  348|     m348_7(int)          = InitializeParameter[y]  : &:r348_6
+#  348|     r348_8(glval<int>)   = VariableAddress[z]      : 
+#  348|     m348_9(int)          = InitializeParameter[z]  : &:r348_8
+#  348|     r348_10(glval<bool>) = VariableAddress[b1]     : 
+#  348|     m348_11(bool)        = InitializeParameter[b1] : &:r348_10
+#  349|     r349_1(glval<bool>)  = VariableAddress[b2]     : 
+#  349|     r349_2(bool)         = Constant[1]             : 
+#  349|     m349_3(bool)         = Store[b2]               : &:r349_1, r349_2
+#  350|     r350_1(glval<int>)   = VariableAddress[ret]    : 
+#  350|     m350_2(int)          = Uninitialized[ret]      : &:r350_1
+#  352|     r352_1(glval<bool>)  = VariableAddress[b1]     : 
+#  352|     r352_2(bool)         = Load[b1]                : &:r352_1, m348_11
+#  352|     v352_3(void)         = ConditionalBranch       : r352_2
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  353|   Block 1
+#  353|     r353_1(glval<int>) = VariableAddress[x]   : 
+#  353|     r353_2(int)        = Load[x]              : &:r353_1, m348_5
+#  353|     r353_3(glval<int>) = VariableAddress[ret] : 
+#  353|     m353_4(int)        = Store[ret]           : &:r353_3, r353_2
+#-----|   Goto -> Block 5
+
+#  355|   Block 2
+#  355|     r355_1(glval<bool>) = VariableAddress[b2] : 
+#  355|     r355_2(bool)        = Load[b2]            : &:r355_1, m349_3
+#  355|     v355_3(void)        = ConditionalBranch   : r355_2
+#-----|   False -> Block 4
+#-----|   True -> Block 3
+
+#  356|   Block 3
+#  356|     r356_1(glval<int>) = VariableAddress[y]   : 
+#  356|     r356_2(int)        = Load[y]              : &:r356_1, m348_7
+#  356|     r356_3(glval<int>) = VariableAddress[ret] : 
+#  356|     m356_4(int)        = Store[ret]           : &:r356_3, r356_2
+#-----|   Goto -> Block 5
+
+#  358|   Block 4
+#  358|     r358_1(glval<int>) = VariableAddress[z]   : 
+#  358|     r358_2(int)        = Load[z]              : &:r358_1, m348_9
+#  358|     r358_3(glval<int>) = VariableAddress[ret] : 
+#  358|     m358_4(int)        = Store[ret]           : &:r358_3, r358_2
+#-----|   Goto -> Block 5
+
+#  362|   Block 5
+#  362|     m362_1(int)         = Phi                      : from 1:m353_4, from 3:m356_4, from 4:m358_4
+#  362|     r362_2(glval<int>)  = VariableAddress[#return] : 
+#  362|     r362_3(glval<int>)  = VariableAddress[ret]     : 
+#  362|     r362_4(int)         = Load[ret]                : &:r362_3, m362_1
+#  362|     m362_5(int)         = Store[#return]           : &:r362_2, r362_4
+#  348|     r348_12(glval<int>) = VariableAddress[#return] : 
+#  348|     v348_13(void)       = ReturnValue              : &:r348_12, m362_5
+#  348|     v348_14(void)       = AliasedUse               : ~m?
+#  348|     v348_15(void)       = ExitFunction             : 
+
+#  365| int DegeneratePhi(int, int, bool)
+#  365|   Block 0
+#  365|     v365_1(void)        = EnterFunction           : 
+#  365|     mu365_2(unknown)    = AliasedDefinition       : 
+#  365|     mu365_3(unknown)    = InitializeNonLocal      : 
+#  365|     r365_4(glval<int>)  = VariableAddress[x]      : 
+#  365|     m365_5(int)         = InitializeParameter[x]  : &:r365_4
+#  365|     r365_6(glval<int>)  = VariableAddress[y]      : 
+#  365|     m365_7(int)         = InitializeParameter[y]  : &:r365_6
+#  365|     r365_8(glval<bool>) = VariableAddress[b1]     : 
+#  365|     m365_9(bool)        = InitializeParameter[b1] : &:r365_8
+#  366|     r366_1(glval<bool>) = VariableAddress[b2]     : 
+#  366|     r366_2(bool)        = Constant[1]             : 
+#  366|     m366_3(bool)        = Store[b2]               : &:r366_1, r366_2
+#  367|     r367_1(glval<int>)  = VariableAddress[ret1]   : 
+#  367|     m367_2(int)         = Uninitialized[ret1]     : &:r367_1
+#  368|     r368_1(glval<int>)  = VariableAddress[ret2]   : 
+#  368|     r368_2(glval<int>)  = VariableAddress[x]      : 
+#  368|     r368_3(int)         = Load[x]                 : &:r368_2, m365_5
+#  368|     m368_4(int)         = Store[ret2]             : &:r368_1, r368_3
+#  370|     r370_1(glval<bool>) = VariableAddress[b1]     : 
+#  370|     r370_2(bool)        = Load[b1]                : &:r370_1, m365_9
+#  370|     v370_3(void)        = ConditionalBranch       : r370_2
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  371|   Block 1
+#  371|     r371_1(glval<int>) = VariableAddress[x]    : 
+#  371|     r371_2(int)        = Load[x]               : &:r371_1, m365_5
+#  371|     r371_3(glval<int>) = VariableAddress[ret1] : 
+#  371|     m371_4(int)        = Store[ret1]           : &:r371_3, r371_2
+#-----|   Goto -> Block 5
+
+#  373|   Block 2
+#  373|     r373_1(glval<bool>) = VariableAddress[b2] : 
+#  373|     r373_2(bool)        = Load[b2]            : &:r373_1, m366_3
+#  373|     v373_3(void)        = ConditionalBranch   : r373_2
+#-----|   False -> Block 4
+#-----|   True -> Block 3
+
+#  374|   Block 3
+#  374|     r374_1(glval<int>) = VariableAddress[x]    : 
+#  374|     r374_2(int)        = Load[x]               : &:r374_1, m365_5
+#  374|     r374_3(glval<int>) = VariableAddress[ret1] : 
+#  374|     m374_4(int)        = Store[ret1]           : &:r374_3, r374_2
+#-----|   Goto -> Block 5
+
+#  376|   Block 4
+#  376|     r376_1(glval<int>) = VariableAddress[y]    : 
+#  376|     r376_2(int)        = Load[y]               : &:r376_1, m365_7
+#  376|     r376_3(glval<int>) = VariableAddress[ret2] : 
+#  376|     m376_4(int)        = Store[ret2]           : &:r376_3, r376_2
+#-----|   Goto -> Block 5
+
+#  380|   Block 5
+#  380|     m380_1(int)         = Phi                      : from 1:m368_4, from 3:m368_4, from 4:m376_4
+#  380|     m380_2(int)         = Phi                      : from 1:m371_4, from 3:m374_4, from 4:m367_2
+#  380|     r380_3(glval<int>)  = VariableAddress[#return] : 
+#  380|     r380_4(glval<int>)  = VariableAddress[ret1]    : 
+#  380|     r380_5(int)         = Load[ret1]               : &:r380_4, m380_2
+#  380|     r380_6(glval<int>)  = VariableAddress[ret2]    : 
+#  380|     r380_7(int)         = Load[ret2]               : &:r380_6, m380_1
+#  380|     r380_8(int)         = Add                      : r380_5, r380_7
+#  380|     m380_9(int)         = Store[#return]           : &:r380_3, r380_8
+#  365|     r365_10(glval<int>) = VariableAddress[#return] : 
+#  365|     v365_11(void)       = ReturnValue              : &:r365_10, m380_9
+#  365|     v365_12(void)       = AliasedUse               : ~m?
+#  365|     v365_13(void)       = ExitFunction             : 
+
+#  383| int FusedBlockPhiOperand(int, int, int, bool)
+#  383|   Block 0
+#  383|     v383_1(void)         = EnterFunction           : 
+#  383|     mu383_2(unknown)     = AliasedDefinition       : 
+#  383|     mu383_3(unknown)     = InitializeNonLocal      : 
+#  383|     r383_4(glval<int>)   = VariableAddress[x]      : 
+#  383|     m383_5(int)          = InitializeParameter[x]  : &:r383_4
+#  383|     r383_6(glval<int>)   = VariableAddress[y]      : 
+#  383|     m383_7(int)          = InitializeParameter[y]  : &:r383_6
+#  383|     r383_8(glval<int>)   = VariableAddress[z]      : 
+#  383|     m383_9(int)          = InitializeParameter[z]  : &:r383_8
+#  383|     r383_10(glval<bool>) = VariableAddress[b1]     : 
+#  383|     m383_11(bool)        = InitializeParameter[b1] : &:r383_10
+#  384|     r384_1(glval<bool>)  = VariableAddress[b2]     : 
+#  384|     r384_2(bool)         = Constant[1]             : 
+#  384|     m384_3(bool)         = Store[b2]               : &:r384_1, r384_2
+#  385|     r385_1(glval<int>)   = VariableAddress[ret]    : 
+#  385|     m385_2(int)          = Uninitialized[ret]      : &:r385_1
+#  387|     r387_1(glval<bool>)  = VariableAddress[b1]     : 
+#  387|     r387_2(bool)         = Load[b1]                : &:r387_1, m383_11
+#  387|     v387_3(void)         = ConditionalBranch       : r387_2
+#-----|   False -> Block 2
+#-----|   True -> Block 1
+
+#  388|   Block 1
+#  388|     r388_1(glval<int>) = VariableAddress[x]   : 
+#  388|     r388_2(int)        = Load[x]              : &:r388_1, m383_5
+#  388|     r388_3(glval<int>) = VariableAddress[ret] : 
+#  388|     m388_4(int)        = Store[ret]           : &:r388_3, r388_2
+#-----|   Goto -> Block 6
+
+#  390|   Block 2
+#  390|     r390_1(glval<bool>) = VariableAddress[b2] : 
+#  390|     r390_2(bool)        = Load[b2]            : &:r390_1, m384_3
+#  390|     v390_3(void)        = ConditionalBranch   : r390_2
+#-----|   False -> Block 4
+#-----|   True -> Block 3
+
+#  391|   Block 3
+#  391|     r391_1(glval<int>) = VariableAddress[y]   : 
+#  391|     r391_2(int)        = Load[y]              : &:r391_1, m383_7
+#  391|     r391_3(glval<int>) = VariableAddress[ret] : 
+#  391|     m391_4(int)        = Store[ret]           : &:r391_3, r391_2
+#-----|   Goto -> Block 5
+
+#  393|   Block 4
+#  393|     r393_1(glval<int>) = VariableAddress[z]   : 
+#  393|     r393_2(int)        = Load[z]              : &:r393_1, m383_9
+#  393|     r393_3(glval<int>) = VariableAddress[ret] : 
+#  393|     m393_4(int)        = Store[ret]           : &:r393_3, r393_2
+#-----|   Goto -> Block 5
+
+#  395|   Block 5
+#  395|     m395_1(int)  = Phi  : from 3:m391_4, from 4:m393_4
+#  395|     v395_2(void) = NoOp : 
+#-----|   Goto -> Block 6
+
+#  398|   Block 6
+#  398|     m398_1(int)         = Phi                      : from 1:m388_4, from 5:m395_1
+#  398|     r398_2(glval<int>)  = VariableAddress[#return] : 
+#  398|     r398_3(glval<int>)  = VariableAddress[ret]     : 
+#  398|     r398_4(int)         = Load[ret]                : &:r398_3, m398_1
+#  398|     m398_5(int)         = Store[#return]           : &:r398_2, r398_4
+#  383|     r383_12(glval<int>) = VariableAddress[#return] : 
+#  383|     v383_13(void)       = ReturnValue              : &:r383_12, m398_5
+#  383|     v383_14(void)       = AliasedUse               : ~m?
+#  383|     v383_15(void)       = ExitFunction             : 

From 6600436dd930151f0a1caf24d9b0e187e1faff4c Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Mon, 19 Apr 2021 17:21:34 -0700
Subject: [PATCH 0905/1429] C++: handle degenerate phi nodes

---
 .../aliased_ssa/internal/SSAConstruction.qll  | 31 +++++++++++++------
 .../ir/ssa/aliased_ssa_consistency.expected   |  4 ---
 .../aliased_ssa_consistency_unsound.expected  |  4 ---
 .../ir/ssa/aliased_ssa_ir.expected            |  2 +-
 .../ir/ssa/aliased_ssa_ir_unsound.expected    |  2 +-
 5 files changed, 23 insertions(+), 20 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
index 343499dcc6c..34a2e031f0f 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
@@ -43,11 +43,25 @@ private module Cached {
   class TStageInstruction =
     TRawInstruction or TPhiInstruction or TChiInstruction or TUnreachedInstruction;
 
+  /**
+   * If `oldInstruction` is a `Phi` instruction that has exactly one reachable predecessor block,
+   * this predicate returns the `PhiInputOperand` corresponding to that predecessor block.
+   * Otherwise, this predicate does not hold.
+   */
+  private OldIR::PhiInputOperand getDegeneratePhiOperand(OldInstruction oldInstruction) {
+    result =
+      unique(OldIR::PhiInputOperand operand |
+        operand = oldInstruction.(OldIR::PhiInstruction).getAnInputOperand() and
+        operand.getPredecessorBlock() instanceof OldBlock
+      )
+  }
+
   cached
   predicate hasInstruction(TStageInstruction instr) {
     instr instanceof TRawInstruction and instr instanceof OldInstruction
     or
-    instr instanceof TPhiInstruction
+    instr instanceof TPhiInstruction and 
+    not exists(getDegeneratePhiOperand(instr))
     or
     instr instanceof TChiInstruction
     or
@@ -150,16 +164,13 @@ private module Cached {
       (
         result = getNewInstruction(oldOperand.getAnyDef()) and
         overlap = originalOverlap
-        /*
-         * or
-         *        exists(OldIR::PhiInputOperand phiOperand, Overlap phiOperandOverlap |
-         *          phiOperand = getDegeneratePhiOperand(oldOperand.getAnyDef()) and
-         *          result = getNewDefinitionFromOldSSA(phiOperand, phiOperandOverlap) and
-         *          overlap = combineOverlap(phiOperandOverlap, originalOverlap)
-         *        )
-         */
-
+         or
+        exists(OldIR::PhiInputOperand phiOperand, Overlap phiOperandOverlap |
+          phiOperand = getDegeneratePhiOperand(oldOperand.getAnyDef()) and
+          result = getNewDefinitionFromOldSSA(phiOperand, phiOperandOverlap) and
+          overlap = combineOverlap(phiOperandOverlap, originalOverlap)
         )
+      )
     )
   }
 
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency.expected
index f0de9cc90d5..e358bfd49da 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency.expected
@@ -10,13 +10,9 @@ instructionWithoutSuccessor
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
-| ssa.cpp:345:3:345:13 | Phi: return ... | Instruction 'Phi: return ...' is in a block with only 0 predecessors in function '$@'. | ssa.cpp:335:5:335:25 | int UnreachablePhiOperand(int, int) | int UnreachablePhiOperand(int, int) |
-| ssa.cpp:395:5:395:5 | Phi: ; | Instruction 'Phi: ;' is in a block with only 0 predecessors in function '$@'. | ssa.cpp:383:5:383:24 | int FusedBlockPhiOperand(int, int, int, bool) | int FusedBlockPhiOperand(int, int, int, bool) |
 memoryOperandDefinitionIsUnmodeled
 operandAcrossFunctions
 instructionWithoutUniqueBlock
-| ssa.cpp:345:3:345:13 | Phi: return ... | Instruction 'Phi: return ...' is a member of 0 blocks in function '$@'. | ssa.cpp:335:5:335:25 | int UnreachablePhiOperand(int, int) | int UnreachablePhiOperand(int, int) |
-| ssa.cpp:395:5:395:5 | Phi: ; | Instruction 'Phi: ;' is a member of 0 blocks in function '$@'. | ssa.cpp:383:5:383:24 | int FusedBlockPhiOperand(int, int, int, bool) | int FusedBlockPhiOperand(int, int, int, bool) |
 containsLoopOfForwardEdges
 lostReachability
 backEdgeCountMismatch
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.expected
index f0de9cc90d5..e358bfd49da 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.expected
@@ -10,13 +10,9 @@ instructionWithoutSuccessor
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
-| ssa.cpp:345:3:345:13 | Phi: return ... | Instruction 'Phi: return ...' is in a block with only 0 predecessors in function '$@'. | ssa.cpp:335:5:335:25 | int UnreachablePhiOperand(int, int) | int UnreachablePhiOperand(int, int) |
-| ssa.cpp:395:5:395:5 | Phi: ; | Instruction 'Phi: ;' is in a block with only 0 predecessors in function '$@'. | ssa.cpp:383:5:383:24 | int FusedBlockPhiOperand(int, int, int, bool) | int FusedBlockPhiOperand(int, int, int, bool) |
 memoryOperandDefinitionIsUnmodeled
 operandAcrossFunctions
 instructionWithoutUniqueBlock
-| ssa.cpp:345:3:345:13 | Phi: return ... | Instruction 'Phi: return ...' is a member of 0 blocks in function '$@'. | ssa.cpp:335:5:335:25 | int UnreachablePhiOperand(int, int) | int UnreachablePhiOperand(int, int) |
-| ssa.cpp:395:5:395:5 | Phi: ; | Instruction 'Phi: ;' is a member of 0 blocks in function '$@'. | ssa.cpp:383:5:383:24 | int FusedBlockPhiOperand(int, int, int, bool) | int FusedBlockPhiOperand(int, int, int, bool) |
 containsLoopOfForwardEdges
 lostReachability
 backEdgeCountMismatch
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
index d53c52e058c..6a7cb2cfa1d 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
@@ -1618,7 +1618,7 @@ ssa.cpp:
 #  340|     m340_4(int)        = Store[ret]               : &:r340_3, r340_2
 #  345|     r345_1(glval<int>) = VariableAddress[#return] : 
 #  345|     r345_2(glval<int>) = VariableAddress[ret]     : 
-#  345|     r345_3(int)        = Load[ret]                : &:r345_2
+#  345|     r345_3(int)        = Load[ret]                : &:r345_2, m340_4
 #  345|     m345_4(int)        = Store[#return]           : &:r345_1, r345_3
 #  335|     r335_9(glval<int>) = VariableAddress[#return] : 
 #  335|     v335_10(void)      = ReturnValue              : &:r335_9, m345_4
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
index 5af11581b0c..8ca46003e1b 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
@@ -1608,7 +1608,7 @@ ssa.cpp:
 #  340|     m340_4(int)        = Store[ret]               : &:r340_3, r340_2
 #  345|     r345_1(glval<int>) = VariableAddress[#return] : 
 #  345|     r345_2(glval<int>) = VariableAddress[ret]     : 
-#  345|     r345_3(int)        = Load[ret]                : &:r345_2
+#  345|     r345_3(int)        = Load[ret]                : &:r345_2, m340_4
 #  345|     m345_4(int)        = Store[#return]           : &:r345_1, r345_3
 #  335|     r335_9(glval<int>) = VariableAddress[#return] : 
 #  335|     v335_10(void)      = ReturnValue              : &:r335_9, m345_4

From 195b8114222ae91e2608165dc981a343e16471c2 Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Tue, 20 Apr 2021 16:47:20 -0700
Subject: [PATCH 0906/1429] C++: handle phi operands from unreachable blocks

---
 .../aliased_ssa/internal/SSAConstruction.qll  | 20 +++++++++++++++---
 .../ir/implementation/internal/TOperand.qll   | 21 ++++++++++---------
 .../ir/ssa/aliased_ssa_consistency.expected   |  1 -
 .../aliased_ssa_consistency_unsound.expected  |  1 -
 .../ir/ssa/aliased_ssa_ir.expected            |  2 +-
 .../ir/ssa/aliased_ssa_ir_unsound.expected    |  2 +-
 6 files changed, 30 insertions(+), 17 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
index 34a2e031f0f..e12faff0c84 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
@@ -68,8 +68,22 @@ private module Cached {
     instr instanceof TUnreachedInstruction
   }
 
-  private IRBlock getNewBlock(OldBlock oldBlock) {
-    result.getFirstInstruction() = getNewInstruction(oldBlock.getFirstInstruction())
+  cached IRBlock getNewBlock(OldBlock oldBlock) {
+    exists(Instruction newEnd, OldIR::Instruction oldEnd |
+      (
+      result.getLastInstruction() = newEnd and
+      not newEnd instanceof ChiInstruction
+      or
+      newEnd = result.getLastInstruction().(ChiInstruction).getAPredecessor() // does this work?
+      ) and
+      (
+        oldBlock.getLastInstruction() = oldEnd and
+        not oldEnd instanceof OldIR::ChiInstruction
+        or
+        oldEnd = oldBlock.getLastInstruction().(OldIR::ChiInstruction).getAPredecessor() // does this work?
+      ) and
+      oldEnd = getNewInstruction(newEnd)
+    )
   }
 
   /**
@@ -164,7 +178,7 @@ private module Cached {
       (
         result = getNewInstruction(oldOperand.getAnyDef()) and
         overlap = originalOverlap
-         or
+        or
         exists(OldIR::PhiInputOperand phiOperand, Overlap phiOperandOverlap |
           phiOperand = getDegeneratePhiOperand(oldOperand.getAnyDef()) and
           result = getNewDefinitionFromOldSSA(phiOperand, phiOperandOverlap) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TOperand.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TOperand.qll
index 57cbb995a00..e86494af03a 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TOperand.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/internal/TOperand.qll
@@ -36,10 +36,9 @@ private module Internal {
       useInstr.getOpcode().hasOperand(tag)
     } or
     TUnaliasedPhiOperand(
-      Unaliased::PhiInstruction useInstr, Unaliased::Instruction defInstr,
-      Unaliased::IRBlock predecessorBlock, Overlap overlap
+      Unaliased::PhiInstruction useInstr, Unaliased::IRBlock predecessorBlock, Overlap overlap
     ) {
-      defInstr = UnaliasedConstruction::getPhiOperandDefinition(useInstr, predecessorBlock, overlap)
+      exists(UnaliasedConstruction::getPhiOperandDefinition(useInstr, predecessorBlock, overlap))
     } or
     //// ALIASED
     ////
@@ -50,10 +49,9 @@ private module Internal {
     // important that we use the same definition of "is variable aliased" across
     // the phases.
     TAliasedPhiOperand(
-      TAliasedSSAPhiInstruction useInstr, Aliased::Instruction defInstr,
-      Aliased::IRBlock predecessorBlock, Overlap overlap
+      TAliasedSSAPhiInstruction useInstr, Aliased::IRBlock predecessorBlock, Overlap overlap
     ) {
-      defInstr = AliasedConstruction::getPhiOperandDefinition(useInstr, predecessorBlock, overlap)
+      exists(AliasedConstruction::getPhiOperandDefinition(useInstr, predecessorBlock, overlap))
     } or
     TAliasedChiOperand(TAliasedSSAChiInstruction useInstr, ChiOperandTag tag) { any() }
 }
@@ -144,7 +142,8 @@ module UnaliasedSSAOperands {
     Unaliased::PhiInstruction useInstr, Unaliased::Instruction defInstr,
     Unaliased::IRBlock predecessorBlock, Overlap overlap
   ) {
-    result = Internal::TUnaliasedPhiOperand(useInstr, defInstr, predecessorBlock, overlap)
+    defInstr = UnaliasedConstruction::getPhiOperandDefinition(useInstr, predecessorBlock, overlap) and
+    result = Internal::TUnaliasedPhiOperand(useInstr, predecessorBlock, overlap)
   }
 
   TPhiOperand reusedPhiOperand(
@@ -182,7 +181,8 @@ module AliasedSSAOperands {
     Aliased::PhiInstruction useInstr, Aliased::Instruction defInstr,
     Aliased::IRBlock predecessorBlock, Overlap overlap
   ) {
-    result = Internal::TAliasedPhiOperand(useInstr, defInstr, predecessorBlock, overlap)
+    defInstr = AliasedConstruction::getPhiOperandDefinition(useInstr, predecessorBlock, overlap) and
+    result = Internal::TAliasedPhiOperand(useInstr, predecessorBlock, overlap)
   }
 
   /**
@@ -193,8 +193,9 @@ module AliasedSSAOperands {
     Aliased::IRBlock predecessorBlock, Overlap overlap
   ) {
     exists(Unaliased::IRBlock oldBlock |
-      predecessorBlock.getFirstInstruction() = oldBlock.getFirstInstruction() and
-      result = Internal::TUnaliasedPhiOperand(useInstr, defInstr, oldBlock, overlap)
+      predecessorBlock = AliasedConstruction::getNewBlock(oldBlock) and
+      result = Internal::TUnaliasedPhiOperand(useInstr, oldBlock, _) and
+      defInstr = AliasedConstruction::getPhiOperandDefinition(useInstr, predecessorBlock, overlap)
     )
   }
 
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency.expected
index e358bfd49da..31e5b01229c 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency.expected
@@ -2,7 +2,6 @@ missingOperand
 unexpectedOperand
 duplicateOperand
 missingPhiOperand
-| ssa.cpp:398:3:398:13 | Phi: return ... | Instruction 'Phi: return ...' is missing an operand for predecessor block 'VariableAddress: y' in function '$@'. | ssa.cpp:383:5:383:24 | int FusedBlockPhiOperand(int, int, int, bool) | int FusedBlockPhiOperand(int, int, int, bool) |
 missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.expected
index e358bfd49da..31e5b01229c 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_consistency_unsound.expected
@@ -2,7 +2,6 @@ missingOperand
 unexpectedOperand
 duplicateOperand
 missingPhiOperand
-| ssa.cpp:398:3:398:13 | Phi: return ... | Instruction 'Phi: return ...' is missing an operand for predecessor block 'VariableAddress: y' in function '$@'. | ssa.cpp:383:5:383:24 | int FusedBlockPhiOperand(int, int, int, bool) | int FusedBlockPhiOperand(int, int, int, bool) |
 missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
index 6a7cb2cfa1d..59505ce6f39 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir.expected
@@ -1802,7 +1802,7 @@ ssa.cpp:
 #-----|   Goto -> Block 4
 
 #  398|   Block 4
-#  398|     m398_1(int)         = Phi                      : from 1:m388_4
+#  398|     m398_1(int)         = Phi                      : from 1:m388_4, from 3:m391_4
 #  398|     r398_2(glval<int>)  = VariableAddress[#return] : 
 #  398|     r398_3(glval<int>)  = VariableAddress[ret]     : 
 #  398|     r398_4(int)         = Load[ret]                : &:r398_3, m398_1
diff --git a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
index 8ca46003e1b..b87b65363dc 100644
--- a/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
+++ b/cpp/ql/test/library-tests/ir/ssa/aliased_ssa_ir_unsound.expected
@@ -1792,7 +1792,7 @@ ssa.cpp:
 #-----|   Goto -> Block 4
 
 #  398|   Block 4
-#  398|     m398_1(int)         = Phi                      : from 1:m388_4
+#  398|     m398_1(int)         = Phi                      : from 1:m388_4, from 3:m391_4
 #  398|     r398_2(glval<int>)  = VariableAddress[#return] : 
 #  398|     r398_3(glval<int>)  = VariableAddress[ret]     : 
 #  398|     r398_4(int)         = Load[ret]                : &:r398_3, m398_1

From 1f69b312393c96a3f735374b620a8d8c17c99342 Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Tue, 20 Apr 2021 16:52:19 -0700
Subject: [PATCH 0907/1429] C++: test changes in annotate_sinks_only

---
 .../annotate_sinks_only/defaulttainttracking.cpp              | 4 ++--
 .../DefaultTaintTracking/annotate_sinks_only/tainted.expected | 2 --
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/defaulttainttracking.cpp b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/defaulttainttracking.cpp
index d64f1966b49..843587b576a 100644
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/defaulttainttracking.cpp
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/defaulttainttracking.cpp
@@ -187,10 +187,10 @@ void test_pointers1()
 	ptr4 = &ptr3;
 
 	sink(buffer); // $ ast,ir
-	sink(ptr1); // $ ast,ir
+	sink(ptr1); // $ ast MISSING: ir
 	sink(ptr2); // $ SPURIOUS: ast
 	sink(*ptr2); // $ ast MISSING: ir
-	sink(ptr3); // $ ast,ir
+	sink(ptr3); // $ ast MISSING: ir
 	sink(ptr4); // $ SPURIOUS: ast
 	sink(*ptr4); // $ ast MISSING: ir
 }
diff --git a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected
index 8babe64dfc1..e69de29bb2d 100644
--- a/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected
+++ b/cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/annotate_sinks_only/tainted.expected
@@ -1,2 +0,0 @@
-| defaulttainttracking.cpp:190:14:190:24 | // $ ast,ir | Missing result:ir= |
-| defaulttainttracking.cpp:193:14:193:24 | // $ ast,ir | Missing result:ir= |

From 5d7d26bed12f76fa4f3b8f31aaba25e0af36e11d Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Wed, 21 Apr 2021 16:17:50 -0700
Subject: [PATCH 0908/1429] C++: fixups and file sync for SSA sharing

---
 .../aliased_ssa/internal/AliasAnalysis.qll    |  4 +-
 .../internal/AliasConfiguration.qll           |  6 +-
 .../aliased_ssa/internal/AliasedSSA.qll       |  2 +-
 .../aliased_ssa/internal/SSAConstruction.qll  | 15 ++++-
 .../unaliased_ssa/internal/AliasAnalysis.qll  |  4 +-
 .../internal/AliasConfiguration.qll           |  6 +-
 .../internal/SSAConstruction.qll              | 60 +++++++++++++++----
 7 files changed, 66 insertions(+), 31 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
index 1198c828ecb..1082b0d6a48 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
@@ -329,9 +329,7 @@ predicate allocationEscapes(Configuration::Allocation allocation) {
     config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
   )
   or
-  exists(Configuration::StageEscapeConfiguration config |
-    config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
-  )
+  Configuration::phaseNeedsSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll
index 236db922646..8ba91d70087 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasConfiguration.qll
@@ -143,8 +143,4 @@ class DynamicAllocation extends Allocation, TDynamicAllocation {
   final override predicate alwaysEscapes() { none() }
 }
 
-class StageEscapeConfiguration extends string {
-  StageEscapeConfiguration() { this = "StageEscapeConfiguration (aliased_ssa)" }
-
-  predicate useSoundEscapeAnalysis() { none() }
-}
+predicate phaseNeedsSoundEscapeAnalysis() { none() }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll
index 74638b6ec1d..acdae2b758a 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasedSSA.qll
@@ -133,7 +133,7 @@ abstract class MemoryLocation extends TMemoryLocation {
    */
   predicate isAlwaysAllocatedOnStack() { none() }
 
-  final predicate canReuseSSA() { any() }
+  final predicate canReuseSSA() { none() }
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
index e12faff0c84..5192d8de9da 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
@@ -60,8 +60,19 @@ private module Cached {
   predicate hasInstruction(TStageInstruction instr) {
     instr instanceof TRawInstruction and instr instanceof OldInstruction
     or
-    instr instanceof TPhiInstruction and 
-    not exists(getDegeneratePhiOperand(instr))
+    instr = phiInstruction(_, _)
+    or
+    instr = reusedPhiInstruction(_) and
+    // Check that the phi instruction is *not* degenerate, but we can't use
+    // getDegeneratePhiOperand in the first stage with phi instyructions
+    exists(OldIR::PhiInputOperand operand1, OldIR::PhiInputOperand operand2, OldInstruction oldInstruction |
+      oldInstruction = instr and
+      operand1 = oldInstruction.(OldIR::PhiInstruction).getAnInputOperand() and
+      operand1.getPredecessorBlock() instanceof OldBlock and
+      operand2 = oldInstruction.(OldIR::PhiInstruction).getAnInputOperand() and
+      operand2.getPredecessorBlock() instanceof OldBlock and
+      operand1 != operand2
+    )
     or
     instr instanceof TChiInstruction
     or
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index 1198c828ecb..1082b0d6a48 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -329,9 +329,7 @@ predicate allocationEscapes(Configuration::Allocation allocation) {
     config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
   )
   or
-  exists(Configuration::StageEscapeConfiguration config |
-    config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
-  )
+  Configuration::phaseNeedsSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll
index d39288cd412..dbdd3c14c85 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll
@@ -15,8 +15,4 @@ class Allocation extends IRAutomaticVariable {
   }
 }
 
-class StageEscapeConfiguration extends string {
-  StageEscapeConfiguration() { this = "StageEscapeConfiguration (unaliased_ssa)" }
-
-  predicate useSoundEscapeAnalysis() { any() }
-}
+predicate phaseNeedsSoundEscapeAnalysis() { any() }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
index 343499dcc6c..5192d8de9da 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -43,19 +43,58 @@ private module Cached {
   class TStageInstruction =
     TRawInstruction or TPhiInstruction or TChiInstruction or TUnreachedInstruction;
 
+  /**
+   * If `oldInstruction` is a `Phi` instruction that has exactly one reachable predecessor block,
+   * this predicate returns the `PhiInputOperand` corresponding to that predecessor block.
+   * Otherwise, this predicate does not hold.
+   */
+  private OldIR::PhiInputOperand getDegeneratePhiOperand(OldInstruction oldInstruction) {
+    result =
+      unique(OldIR::PhiInputOperand operand |
+        operand = oldInstruction.(OldIR::PhiInstruction).getAnInputOperand() and
+        operand.getPredecessorBlock() instanceof OldBlock
+      )
+  }
+
   cached
   predicate hasInstruction(TStageInstruction instr) {
     instr instanceof TRawInstruction and instr instanceof OldInstruction
     or
-    instr instanceof TPhiInstruction
+    instr = phiInstruction(_, _)
+    or
+    instr = reusedPhiInstruction(_) and
+    // Check that the phi instruction is *not* degenerate, but we can't use
+    // getDegeneratePhiOperand in the first stage with phi instyructions
+    exists(OldIR::PhiInputOperand operand1, OldIR::PhiInputOperand operand2, OldInstruction oldInstruction |
+      oldInstruction = instr and
+      operand1 = oldInstruction.(OldIR::PhiInstruction).getAnInputOperand() and
+      operand1.getPredecessorBlock() instanceof OldBlock and
+      operand2 = oldInstruction.(OldIR::PhiInstruction).getAnInputOperand() and
+      operand2.getPredecessorBlock() instanceof OldBlock and
+      operand1 != operand2
+    )
     or
     instr instanceof TChiInstruction
     or
     instr instanceof TUnreachedInstruction
   }
 
-  private IRBlock getNewBlock(OldBlock oldBlock) {
-    result.getFirstInstruction() = getNewInstruction(oldBlock.getFirstInstruction())
+  cached IRBlock getNewBlock(OldBlock oldBlock) {
+    exists(Instruction newEnd, OldIR::Instruction oldEnd |
+      (
+      result.getLastInstruction() = newEnd and
+      not newEnd instanceof ChiInstruction
+      or
+      newEnd = result.getLastInstruction().(ChiInstruction).getAPredecessor() // does this work?
+      ) and
+      (
+        oldBlock.getLastInstruction() = oldEnd and
+        not oldEnd instanceof OldIR::ChiInstruction
+        or
+        oldEnd = oldBlock.getLastInstruction().(OldIR::ChiInstruction).getAPredecessor() // does this work?
+      ) and
+      oldEnd = getNewInstruction(newEnd)
+    )
   }
 
   /**
@@ -150,16 +189,13 @@ private module Cached {
       (
         result = getNewInstruction(oldOperand.getAnyDef()) and
         overlap = originalOverlap
-        /*
-         * or
-         *        exists(OldIR::PhiInputOperand phiOperand, Overlap phiOperandOverlap |
-         *          phiOperand = getDegeneratePhiOperand(oldOperand.getAnyDef()) and
-         *          result = getNewDefinitionFromOldSSA(phiOperand, phiOperandOverlap) and
-         *          overlap = combineOverlap(phiOperandOverlap, originalOverlap)
-         *        )
-         */
-
+        or
+        exists(OldIR::PhiInputOperand phiOperand, Overlap phiOperandOverlap |
+          phiOperand = getDegeneratePhiOperand(oldOperand.getAnyDef()) and
+          result = getNewDefinitionFromOldSSA(phiOperand, phiOperandOverlap) and
+          overlap = combineOverlap(phiOperandOverlap, originalOverlap)
         )
+      )
     )
   }
 

From b2811022d7126fc18011d9f1de65c4f7d99dfbb3 Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Thu, 22 Apr 2021 14:10:54 -0700
Subject: [PATCH 0909/1429] C#: sync IR files and update for C++ SSA reuse

---
 .../implementation/internal/TInstruction.qll  |   8 +-
 .../ir/implementation/internal/TOperand.qll   |  20 +++
 .../ir/implementation/raw/Instruction.qll     |   8 ++
 .../ir/implementation/raw/Operand.qll         |  18 ++-
 .../unaliased_ssa/Instruction.qll             |   8 ++
 .../implementation/unaliased_ssa/Operand.qll  |  18 ++-
 .../unaliased_ssa/internal/AliasAnalysis.qll  |   8 +-
 .../internal/AliasConfiguration.qll           |   8 +-
 .../internal/SSAConstruction.qll              | 124 +++++++++++++++++-
 .../unaliased_ssa/internal/SimpleSSA.qll      |   4 +-
 10 files changed, 186 insertions(+), 38 deletions(-)

diff --git a/csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll b/csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll
index 911d9af78fa..4b3f19cbdde 100644
--- a/csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll
+++ b/csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll
@@ -55,10 +55,7 @@ module UnaliasedSSAInstructions {
     result = TUnaliasedSSAPhiInstruction(blockStartInstr, memoryLocation)
   }
 
-  TPhiInstruction reusedPhiInstruction(
-    TRawInstruction blockStartInstr) {
-    none()
-  }
+  TRawInstruction reusedPhiInstruction(TRawInstruction blockStartInstr) { none() }
 
   class TChiInstruction = TUnaliasedSSAChiInstruction;
 
@@ -88,8 +85,7 @@ module AliasedSSAInstructions {
     result = TAliasedSSAPhiInstruction(blockStartInstr, memoryLocation)
   }
 
-  TPhiInstruction reusedPhiInstruction(
-    TRawInstruction blockStartInstr) {
+  TPhiInstruction reusedPhiInstruction(TRawInstruction blockStartInstr) {
     result = TUnaliasedSSAPhiInstruction(blockStartInstr, _)
   }
 
diff --git a/csharp/ql/src/experimental/ir/implementation/internal/TOperand.qll b/csharp/ql/src/experimental/ir/implementation/internal/TOperand.qll
index 9c3e7620186..20fe77f8223 100644
--- a/csharp/ql/src/experimental/ir/implementation/internal/TOperand.qll
+++ b/csharp/ql/src/experimental/ir/implementation/internal/TOperand.qll
@@ -92,6 +92,16 @@ module RawOperands {
     none()
   }
 
+  /**
+   * Returns the Phi operand with the specified parameters.
+   */
+  TPhiOperand reusedPhiOperand(
+    Raw::PhiInstruction useInstr, Raw::Instruction defInstr, Raw::IRBlock predecessorBlock,
+    Overlap overlap
+  ) {
+    none()
+  }
+
   /**
    * Returns the Chi operand with the specified parameters.
    */
@@ -123,6 +133,16 @@ module UnaliasedSSAOperands {
     result = Internal::TUnaliasedPhiOperand(useInstr, defInstr, predecessorBlock, overlap)
   }
 
+  /**
+   * Returns the Phi operand with the specified parameters.
+   */
+  TPhiOperand reusedPhiOperand(
+    Unaliased::PhiInstruction useInstr, Unaliased::Instruction defInstr,
+    Unaliased::IRBlock predecessorBlock, Overlap overlap
+  ) {
+    none()
+  }
+
   /**
    * Returns the Chi operand with the specified parameters.
    */
diff --git a/csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll b/csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll
index e335080ad6b..453838215ff 100644
--- a/csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll
+++ b/csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll
@@ -1994,6 +1994,14 @@ class PhiInstruction extends Instruction {
    */
   pragma[noinline]
   final Instruction getAnInput() { result = this.getAnInputOperand().getDef() }
+
+  /**
+   * Gets the input operand representing the value that flows from the specified predecessor block.
+   */
+  final PhiInputOperand getInputOperand(IRBlock predecessorBlock) {
+    result = this.getAnOperand() and
+    result.getPredecessorBlock() = predecessorBlock
+  }
 }
 
 /**
diff --git a/csharp/ql/src/experimental/ir/implementation/raw/Operand.qll b/csharp/ql/src/experimental/ir/implementation/raw/Operand.qll
index a2ce0662dc2..d7cf89ca9aa 100644
--- a/csharp/ql/src/experimental/ir/implementation/raw/Operand.qll
+++ b/csharp/ql/src/experimental/ir/implementation/raw/Operand.qll
@@ -28,11 +28,15 @@ class Operand extends TStageOperand {
   cached
   Operand() {
     // Ensure that the operand does not refer to instructions from earlier stages that are unreachable here
-    exists(Instruction use, Instruction def | this = registerOperand(use, _, def)) or
-    exists(Instruction use | this = nonSSAMemoryOperand(use, _)) or
+    exists(Instruction use, Instruction def | this = registerOperand(use, _, def))
+    or
+    exists(Instruction use | this = nonSSAMemoryOperand(use, _))
+    or
     exists(Instruction use, Instruction def, IRBlock predecessorBlock |
-      this = phiOperand(use, def, predecessorBlock, _)
-    ) or
+      this = phiOperand(use, def, predecessorBlock, _) or
+      this = reusedPhiOperand(use, def, predecessorBlock, _)
+    )
+    or
     exists(Instruction use | this = chiOperand(use, _))
   }
 
@@ -431,7 +435,11 @@ class PhiInputOperand extends MemoryOperand, TPhiOperand {
   Overlap overlap;
 
   cached
-  PhiInputOperand() { this = phiOperand(useInstr, defInstr, predecessorBlock, overlap) }
+  PhiInputOperand() {
+    this = phiOperand(useInstr, defInstr, predecessorBlock, overlap)
+    or
+    this = reusedPhiOperand(useInstr, defInstr, predecessorBlock, overlap)
+  }
 
   override string toString() { result = "Phi" }
 
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll
index e335080ad6b..453838215ff 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll
@@ -1994,6 +1994,14 @@ class PhiInstruction extends Instruction {
    */
   pragma[noinline]
   final Instruction getAnInput() { result = this.getAnInputOperand().getDef() }
+
+  /**
+   * Gets the input operand representing the value that flows from the specified predecessor block.
+   */
+  final PhiInputOperand getInputOperand(IRBlock predecessorBlock) {
+    result = this.getAnOperand() and
+    result.getPredecessorBlock() = predecessorBlock
+  }
 }
 
 /**
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Operand.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Operand.qll
index a2ce0662dc2..d7cf89ca9aa 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Operand.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Operand.qll
@@ -28,11 +28,15 @@ class Operand extends TStageOperand {
   cached
   Operand() {
     // Ensure that the operand does not refer to instructions from earlier stages that are unreachable here
-    exists(Instruction use, Instruction def | this = registerOperand(use, _, def)) or
-    exists(Instruction use | this = nonSSAMemoryOperand(use, _)) or
+    exists(Instruction use, Instruction def | this = registerOperand(use, _, def))
+    or
+    exists(Instruction use | this = nonSSAMemoryOperand(use, _))
+    or
     exists(Instruction use, Instruction def, IRBlock predecessorBlock |
-      this = phiOperand(use, def, predecessorBlock, _)
-    ) or
+      this = phiOperand(use, def, predecessorBlock, _) or
+      this = reusedPhiOperand(use, def, predecessorBlock, _)
+    )
+    or
     exists(Instruction use | this = chiOperand(use, _))
   }
 
@@ -431,7 +435,11 @@ class PhiInputOperand extends MemoryOperand, TPhiOperand {
   Overlap overlap;
 
   cached
-  PhiInputOperand() { this = phiOperand(useInstr, defInstr, predecessorBlock, overlap) }
+  PhiInputOperand() {
+    this = phiOperand(useInstr, defInstr, predecessorBlock, overlap)
+    or
+    this = reusedPhiOperand(useInstr, defInstr, predecessorBlock, overlap)
+  }
 
   override string toString() { result = "Phi" }
 
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index 83492e6ab79..1082b0d6a48 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -92,9 +92,7 @@ private predicate operandIsConsumedWithoutEscaping(Operand operand) {
       instr.(ConvertInstruction).getResultIRType() instanceof IRBooleanType
       or
       instr instanceof CallInstruction and
-      not exists(IREscapeAnalysisConfiguration config |
-        config.useSoundEscapeAnalysis()
-      )
+      not exists(IREscapeAnalysisConfiguration config | config.useSoundEscapeAnalysis())
     )
   )
   or
@@ -331,9 +329,7 @@ predicate allocationEscapes(Configuration::Allocation allocation) {
     config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
   )
   or
-  exists(Configuration::StageEscapeConfiguration config |
-    config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
-  )
+  Configuration::phaseNeedsSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
 }
 
 /**
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll
index 2ca333ad25c..dbdd3c14c85 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll
@@ -15,10 +15,4 @@ class Allocation extends IRAutomaticVariable {
   }
 }
 
-class StageEscapeConfiguration extends string {
-  StageEscapeConfiguration() {
-    this = "StageEscapeConfiguration (unaliased_ssa)"
-  }
-
-  predicate useSoundEscapeAnalysis() { any() }
-}
+predicate phaseNeedsSoundEscapeAnalysis() { any() }
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
index 262865fa1d1..5192d8de9da 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -43,24 +43,82 @@ private module Cached {
   class TStageInstruction =
     TRawInstruction or TPhiInstruction or TChiInstruction or TUnreachedInstruction;
 
+  /**
+   * If `oldInstruction` is a `Phi` instruction that has exactly one reachable predecessor block,
+   * this predicate returns the `PhiInputOperand` corresponding to that predecessor block.
+   * Otherwise, this predicate does not hold.
+   */
+  private OldIR::PhiInputOperand getDegeneratePhiOperand(OldInstruction oldInstruction) {
+    result =
+      unique(OldIR::PhiInputOperand operand |
+        operand = oldInstruction.(OldIR::PhiInstruction).getAnInputOperand() and
+        operand.getPredecessorBlock() instanceof OldBlock
+      )
+  }
+
   cached
   predicate hasInstruction(TStageInstruction instr) {
     instr instanceof TRawInstruction and instr instanceof OldInstruction
     or
-    instr instanceof TPhiInstruction
+    instr = phiInstruction(_, _)
+    or
+    instr = reusedPhiInstruction(_) and
+    // Check that the phi instruction is *not* degenerate, but we can't use
+    // getDegeneratePhiOperand in the first stage with phi instyructions
+    exists(OldIR::PhiInputOperand operand1, OldIR::PhiInputOperand operand2, OldInstruction oldInstruction |
+      oldInstruction = instr and
+      operand1 = oldInstruction.(OldIR::PhiInstruction).getAnInputOperand() and
+      operand1.getPredecessorBlock() instanceof OldBlock and
+      operand2 = oldInstruction.(OldIR::PhiInstruction).getAnInputOperand() and
+      operand2.getPredecessorBlock() instanceof OldBlock and
+      operand1 != operand2
+    )
     or
     instr instanceof TChiInstruction
     or
     instr instanceof TUnreachedInstruction
   }
 
-  private IRBlock getNewBlock(OldBlock oldBlock) {
-    result.getFirstInstruction() = getNewInstruction(oldBlock.getFirstInstruction())
+  cached IRBlock getNewBlock(OldBlock oldBlock) {
+    exists(Instruction newEnd, OldIR::Instruction oldEnd |
+      (
+      result.getLastInstruction() = newEnd and
+      not newEnd instanceof ChiInstruction
+      or
+      newEnd = result.getLastInstruction().(ChiInstruction).getAPredecessor() // does this work?
+      ) and
+      (
+        oldBlock.getLastInstruction() = oldEnd and
+        not oldEnd instanceof OldIR::ChiInstruction
+        or
+        oldEnd = oldBlock.getLastInstruction().(OldIR::ChiInstruction).getAPredecessor() // does this work?
+      ) and
+      oldEnd = getNewInstruction(newEnd)
+    )
+  }
+
+  /**
+   * Gets the block from the old IR that corresponds to `newBlock`.
+   */
+  private OldBlock getOldBlock(IRBlock newBlock) { getNewBlock(result) = newBlock }
+
+  /**
+   * Holds if this iteration of SSA can model the def/use information for the result of
+   * `oldInstruction`, either because alias analysis has determined a memory location for that
+   * result, or because a previous iteration of the IR already computed that def/use information
+   * completely.
+   */
+  private predicate canModelResultForOldInstruction(OldInstruction oldInstruction) {
+    // We're modeling the result's memory location ourselves.
+    exists(Alias::getResultMemoryLocation(oldInstruction))
+    or
+    // This result was already modeled by a previous iteration of SSA.
+    Alias::canReuseSSAForOldResult(oldInstruction)
   }
 
   cached
   predicate hasModeledMemoryResult(Instruction instruction) {
-    exists(Alias::getResultMemoryLocation(getOldInstruction(instruction))) or
+    canModelResultForOldInstruction(getOldInstruction(instruction)) or
     instruction instanceof PhiInstruction or // Phis always have modeled results
     instruction instanceof ChiInstruction // Chis always have modeled results
   }
@@ -117,6 +175,30 @@ private module Cached {
     )
   }
 
+  /**
+   * Gets the new definition instruction for `oldOperand` based on `oldOperand`'s definition in the
+   * old IR. Usually, this will just get the old definition of `oldOperand` and map it to the
+   * corresponding new instruction. However, if the old definition of `oldOperand` is a `Phi`
+   * instruction that is now degenerate due all but one of its predecessor branches being
+   * unreachable, this predicate will recurse through any degenerate `Phi` instructions to find the
+   * true definition.
+   */
+  private Instruction getNewDefinitionFromOldSSA(OldIR::MemoryOperand oldOperand, Overlap overlap) {
+    exists(Overlap originalOverlap |
+      originalOverlap = oldOperand.getDefinitionOverlap() and
+      (
+        result = getNewInstruction(oldOperand.getAnyDef()) and
+        overlap = originalOverlap
+        or
+        exists(OldIR::PhiInputOperand phiOperand, Overlap phiOperandOverlap |
+          phiOperand = getDegeneratePhiOperand(oldOperand.getAnyDef()) and
+          result = getNewDefinitionFromOldSSA(phiOperand, phiOperandOverlap) and
+          overlap = combineOverlap(phiOperandOverlap, originalOverlap)
+        )
+      )
+    )
+  }
+
   cached
   private Instruction getMemoryOperandDefinition0(
     Instruction instruction, MemoryOperandTag tag, Overlap overlap
@@ -148,6 +230,12 @@ private module Cached {
       overlap instanceof MustExactlyOverlap and
       exists(MustTotallyOverlap o | exists(getMemoryOperandDefinition0(instruction, tag, o)))
     )
+    or
+    exists(OldIR::NonPhiMemoryOperand oldOperand |
+      result = getNewDefinitionFromOldSSA(oldOperand, overlap) and
+      oldOperand.getUse() = instruction and
+      tag = oldOperand.getOperandTag()
+    )
   }
 
   /**
@@ -214,10 +302,24 @@ private module Cached {
     )
   }
 
+  /**
+   * Gets the new definition instruction for the operand of `instr` that flows from the block
+   * `newPredecessorBlock`, based on that operand's definition in the old IR.
+   */
+  private Instruction getNewPhiOperandDefinitionFromOldSSA(
+    Instruction instr, IRBlock newPredecessorBlock, Overlap overlap
+  ) {
+    exists(OldIR::PhiInstruction oldPhi, OldIR::PhiInputOperand oldOperand |
+      oldPhi = getOldInstruction(instr) and
+      oldOperand = oldPhi.getInputOperand(getOldBlock(newPredecessorBlock)) and
+      result = getNewDefinitionFromOldSSA(oldOperand, overlap)
+    )
+  }
+
   pragma[noopt]
   cached
   Instruction getPhiOperandDefinition(
-    PhiInstruction instr, IRBlock newPredecessorBlock, Overlap overlap
+    Instruction instr, IRBlock newPredecessorBlock, Overlap overlap
   ) {
     exists(
       Alias::MemoryLocation defLocation, Alias::MemoryLocation useLocation, OldBlock phiBlock,
@@ -229,6 +331,8 @@ private module Cached {
       result = getDefinitionOrChiInstruction(defBlock, defOffset, defLocation, actualDefLocation) and
       overlap = Alias::getOverlap(actualDefLocation, useLocation)
     )
+    or
+    result = getNewPhiOperandDefinitionFromOldSSA(instr, newPredecessorBlock, overlap)
   }
 
   cached
@@ -249,7 +353,12 @@ private module Cached {
   cached
   Instruction getPhiInstructionBlockStart(PhiInstruction instr) {
     exists(OldBlock oldBlock |
-      instr = getPhi(oldBlock, _) and
+      (
+        instr = getPhi(oldBlock, _)
+        or
+        // Any `Phi` that we propagated from the previous iteration stays in the same block.
+        getOldInstruction(instr).getBlock() = oldBlock
+      ) and
       result = getNewInstruction(oldBlock.getFirstInstruction())
     )
   }
@@ -335,6 +444,9 @@ private module Cached {
       result = vvar.getType()
     )
     or
+    instr = reusedPhiInstruction(_) and
+    result = instr.(OldInstruction).getResultLanguageType()
+    or
     instr = unreachedInstruction(_) and result = Language::getVoidType()
   }
 
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll
index 906699b6394..f3e02c9f6a8 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll
@@ -72,9 +72,7 @@ class MemoryLocation extends TMemoryLocation {
   final predicate canReuseSSA() { canReuseSSAForVariable(var) }
 }
 
-predicate canReuseSSAForOldResult(Instruction instr) {
-  none()
-}
+predicate canReuseSSAForOldResult(Instruction instr) { none() }
 
 /**
  * Represents a set of `MemoryLocation`s that cannot overlap with

From 230f4bcae83aca11e241ce07b2859a581c953a73 Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Tue, 27 Apr 2021 14:32:14 -0700
Subject: [PATCH 0910/1429] C++: accept test changes from IR sharing

---
 .../Security/CWE/CWE-134/semmle/ifs/ifs.c     |  4 +--
 .../CWE/CWE-134/semmle/ifs/ifs.expected       | 36 -------------------
 2 files changed, 2 insertions(+), 38 deletions(-)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.c b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.c
index 3d15905d82d..69a46dd3879 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.c
@@ -86,13 +86,13 @@ int main(int argc, char **argv) {
 		i3 = argv[1];
 	printf(i3);
 	
-	// BAD: varOne is 1 so condition is true and it always goes inside the if
+	// BAD [FALSE NEGATIVE]: varOne is 1 so condition is true and it always goes inside the if
 	char *i4;
 	if (varOne)
 		i4 = argv[1];
 	printf(i4);
 	
-	// BAD: varZero is 0 so condition is true and it always goes inside the if
+	// BAD [FALSE NEGATIVE]: varZero is 0 so condition is true and it always goes inside the if
 	char *i5;
 	if (!varZero)
 		i5 = argv[1];
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected
index 50ae940400a..8c2c89035e2 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/ifs/ifs.expected
@@ -39,22 +39,6 @@ edges
 | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 |
 | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 indirection |
 | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 indirection |
-| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... |
-| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | (const char *)... |
-| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
-| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
-| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
-| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 |
-| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 indirection |
-| ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 indirection |
-| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... |
-| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | (const char *)... |
-| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
-| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
-| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
-| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 |
-| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 indirection |
-| ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 indirection |
 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... |
 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | (const char *)... |
 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 |
@@ -133,24 +117,6 @@ nodes
 | ifs.c:87:9:87:10 | i3 | semmle.label | i3 |
 | ifs.c:87:9:87:10 | i3 indirection | semmle.label | i3 indirection |
 | ifs.c:87:9:87:10 | i3 indirection | semmle.label | i3 indirection |
-| ifs.c:92:8:92:11 | argv | semmle.label | argv |
-| ifs.c:92:8:92:11 | argv | semmle.label | argv |
-| ifs.c:93:9:93:10 | (const char *)... | semmle.label | (const char *)... |
-| ifs.c:93:9:93:10 | (const char *)... | semmle.label | (const char *)... |
-| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
-| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
-| ifs.c:93:9:93:10 | i4 | semmle.label | i4 |
-| ifs.c:93:9:93:10 | i4 indirection | semmle.label | i4 indirection |
-| ifs.c:93:9:93:10 | i4 indirection | semmle.label | i4 indirection |
-| ifs.c:98:8:98:11 | argv | semmle.label | argv |
-| ifs.c:98:8:98:11 | argv | semmle.label | argv |
-| ifs.c:99:9:99:10 | (const char *)... | semmle.label | (const char *)... |
-| ifs.c:99:9:99:10 | (const char *)... | semmle.label | (const char *)... |
-| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
-| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
-| ifs.c:99:9:99:10 | i5 | semmle.label | i5 |
-| ifs.c:99:9:99:10 | i5 indirection | semmle.label | i5 indirection |
-| ifs.c:99:9:99:10 | i5 indirection | semmle.label | i5 indirection |
 | ifs.c:105:8:105:11 | argv | semmle.label | argv |
 | ifs.c:105:8:105:11 | argv | semmle.label | argv |
 | ifs.c:106:9:106:10 | (const char *)... | semmle.label | (const char *)... |
@@ -193,8 +159,6 @@ nodes
 | ifs.c:75:9:75:10 | i1 | ifs.c:74:8:74:11 | argv | ifs.c:75:9:75:10 | i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:74:8:74:11 | argv | argv |
 | ifs.c:81:9:81:10 | i2 | ifs.c:80:8:80:11 | argv | ifs.c:81:9:81:10 | i2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:80:8:80:11 | argv | argv |
 | ifs.c:87:9:87:10 | i3 | ifs.c:86:8:86:11 | argv | ifs.c:87:9:87:10 | i3 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:86:8:86:11 | argv | argv |
-| ifs.c:93:9:93:10 | i4 | ifs.c:92:8:92:11 | argv | ifs.c:93:9:93:10 | i4 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:92:8:92:11 | argv | argv |
-| ifs.c:99:9:99:10 | i5 | ifs.c:98:8:98:11 | argv | ifs.c:99:9:99:10 | i5 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:98:8:98:11 | argv | argv |
 | ifs.c:106:9:106:10 | i6 | ifs.c:105:8:105:11 | argv | ifs.c:106:9:106:10 | i6 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:105:8:105:11 | argv | argv |
 | ifs.c:112:9:112:10 | i7 | ifs.c:111:8:111:11 | argv | ifs.c:112:9:112:10 | i7 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:111:8:111:11 | argv | argv |
 | ifs.c:118:9:118:10 | i8 | ifs.c:117:8:117:11 | argv | ifs.c:118:9:118:10 | i8 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format) | ifs.c:117:8:117:11 | argv | argv |

From 5406783e9c49e7f45e5c8b2c12fe531b9c3c869d Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Tue, 27 Apr 2021 14:32:22 -0700
Subject: [PATCH 0911/1429] C++: autoformat

---
 .../aliased_ssa/internal/AliasAnalysis.qll       |  3 ++-
 .../aliased_ssa/internal/SSAConstruction.qll     | 16 ++++++++++------
 .../unaliased_ssa/internal/AliasAnalysis.qll     |  3 ++-
 .../unaliased_ssa/internal/SSAConstruction.qll   | 16 ++++++++++------
 .../unaliased_ssa/internal/AliasAnalysis.qll     |  3 ++-
 .../unaliased_ssa/internal/SSAConstruction.qll   | 16 ++++++++++------
 6 files changed, 36 insertions(+), 21 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
index 1082b0d6a48..26f8a89a235 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
@@ -329,7 +329,8 @@ predicate allocationEscapes(Configuration::Allocation allocation) {
     config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
   )
   or
-  Configuration::phaseNeedsSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
+  Configuration::phaseNeedsSoundEscapeAnalysis() and
+  resultEscapesNonReturn(allocation.getABaseInstruction())
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
index 5192d8de9da..9c4a0bb0bf5 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
@@ -65,7 +65,10 @@ private module Cached {
     instr = reusedPhiInstruction(_) and
     // Check that the phi instruction is *not* degenerate, but we can't use
     // getDegeneratePhiOperand in the first stage with phi instyructions
-    exists(OldIR::PhiInputOperand operand1, OldIR::PhiInputOperand operand2, OldInstruction oldInstruction |
+    exists(
+      OldIR::PhiInputOperand operand1, OldIR::PhiInputOperand operand2,
+      OldInstruction oldInstruction
+    |
       oldInstruction = instr and
       operand1 = oldInstruction.(OldIR::PhiInstruction).getAnInputOperand() and
       operand1.getPredecessorBlock() instanceof OldBlock and
@@ -79,13 +82,14 @@ private module Cached {
     instr instanceof TUnreachedInstruction
   }
 
-  cached IRBlock getNewBlock(OldBlock oldBlock) {
+  cached
+  IRBlock getNewBlock(OldBlock oldBlock) {
     exists(Instruction newEnd, OldIR::Instruction oldEnd |
       (
-      result.getLastInstruction() = newEnd and
-      not newEnd instanceof ChiInstruction
-      or
-      newEnd = result.getLastInstruction().(ChiInstruction).getAPredecessor() // does this work?
+        result.getLastInstruction() = newEnd and
+        not newEnd instanceof ChiInstruction
+        or
+        newEnd = result.getLastInstruction().(ChiInstruction).getAPredecessor() // does this work?
       ) and
       (
         oldBlock.getLastInstruction() = oldEnd and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index 1082b0d6a48..26f8a89a235 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -329,7 +329,8 @@ predicate allocationEscapes(Configuration::Allocation allocation) {
     config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
   )
   or
-  Configuration::phaseNeedsSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
+  Configuration::phaseNeedsSoundEscapeAnalysis() and
+  resultEscapesNonReturn(allocation.getABaseInstruction())
 }
 
 /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
index 5192d8de9da..9c4a0bb0bf5 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -65,7 +65,10 @@ private module Cached {
     instr = reusedPhiInstruction(_) and
     // Check that the phi instruction is *not* degenerate, but we can't use
     // getDegeneratePhiOperand in the first stage with phi instyructions
-    exists(OldIR::PhiInputOperand operand1, OldIR::PhiInputOperand operand2, OldInstruction oldInstruction |
+    exists(
+      OldIR::PhiInputOperand operand1, OldIR::PhiInputOperand operand2,
+      OldInstruction oldInstruction
+    |
       oldInstruction = instr and
       operand1 = oldInstruction.(OldIR::PhiInstruction).getAnInputOperand() and
       operand1.getPredecessorBlock() instanceof OldBlock and
@@ -79,13 +82,14 @@ private module Cached {
     instr instanceof TUnreachedInstruction
   }
 
-  cached IRBlock getNewBlock(OldBlock oldBlock) {
+  cached
+  IRBlock getNewBlock(OldBlock oldBlock) {
     exists(Instruction newEnd, OldIR::Instruction oldEnd |
       (
-      result.getLastInstruction() = newEnd and
-      not newEnd instanceof ChiInstruction
-      or
-      newEnd = result.getLastInstruction().(ChiInstruction).getAPredecessor() // does this work?
+        result.getLastInstruction() = newEnd and
+        not newEnd instanceof ChiInstruction
+        or
+        newEnd = result.getLastInstruction().(ChiInstruction).getAPredecessor() // does this work?
       ) and
       (
         oldBlock.getLastInstruction() = oldEnd and
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index 1082b0d6a48..26f8a89a235 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -329,7 +329,8 @@ predicate allocationEscapes(Configuration::Allocation allocation) {
     config.useSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
   )
   or
-  Configuration::phaseNeedsSoundEscapeAnalysis() and resultEscapesNonReturn(allocation.getABaseInstruction())
+  Configuration::phaseNeedsSoundEscapeAnalysis() and
+  resultEscapesNonReturn(allocation.getABaseInstruction())
 }
 
 /**
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
index 5192d8de9da..9c4a0bb0bf5 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -65,7 +65,10 @@ private module Cached {
     instr = reusedPhiInstruction(_) and
     // Check that the phi instruction is *not* degenerate, but we can't use
     // getDegeneratePhiOperand in the first stage with phi instyructions
-    exists(OldIR::PhiInputOperand operand1, OldIR::PhiInputOperand operand2, OldInstruction oldInstruction |
+    exists(
+      OldIR::PhiInputOperand operand1, OldIR::PhiInputOperand operand2,
+      OldInstruction oldInstruction
+    |
       oldInstruction = instr and
       operand1 = oldInstruction.(OldIR::PhiInstruction).getAnInputOperand() and
       operand1.getPredecessorBlock() instanceof OldBlock and
@@ -79,13 +82,14 @@ private module Cached {
     instr instanceof TUnreachedInstruction
   }
 
-  cached IRBlock getNewBlock(OldBlock oldBlock) {
+  cached
+  IRBlock getNewBlock(OldBlock oldBlock) {
     exists(Instruction newEnd, OldIR::Instruction oldEnd |
       (
-      result.getLastInstruction() = newEnd and
-      not newEnd instanceof ChiInstruction
-      or
-      newEnd = result.getLastInstruction().(ChiInstruction).getAPredecessor() // does this work?
+        result.getLastInstruction() = newEnd and
+        not newEnd instanceof ChiInstruction
+        or
+        newEnd = result.getLastInstruction().(ChiInstruction).getAPredecessor() // does this work?
       ) and
       (
         oldBlock.getLastInstruction() = oldEnd and

From 35594eac22953e2bcb8de1bc81405f2962f26c5a Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Mon, 3 May 2021 11:49:12 -0700
Subject: [PATCH 0912/1429] C++: fix bad join order in phi node sharing

---
 .../aliased_ssa/internal/SSAConstruction.qll      | 15 ++++-----------
 .../unaliased_ssa/internal/SSAConstruction.qll    | 15 ++++-----------
 .../unaliased_ssa/internal/SSAConstruction.qll    | 15 ++++-----------
 3 files changed, 12 insertions(+), 33 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
index 9c4a0bb0bf5..11c5af43719 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
@@ -65,17 +65,10 @@ private module Cached {
     instr = reusedPhiInstruction(_) and
     // Check that the phi instruction is *not* degenerate, but we can't use
     // getDegeneratePhiOperand in the first stage with phi instyructions
-    exists(
-      OldIR::PhiInputOperand operand1, OldIR::PhiInputOperand operand2,
-      OldInstruction oldInstruction
-    |
-      oldInstruction = instr and
-      operand1 = oldInstruction.(OldIR::PhiInstruction).getAnInputOperand() and
-      operand1.getPredecessorBlock() instanceof OldBlock and
-      operand2 = oldInstruction.(OldIR::PhiInstruction).getAnInputOperand() and
-      operand2.getPredecessorBlock() instanceof OldBlock and
-      operand1 != operand2
-    )
+    not exists(unique(OldIR::PhiInputOperand operand |
+      operand = instr.(OldIR::PhiInstruction).getAnInputOperand() and
+      operand.getPredecessorBlock() instanceof OldBlock
+    ))
     or
     instr instanceof TChiInstruction
     or
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
index 9c4a0bb0bf5..11c5af43719 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -65,17 +65,10 @@ private module Cached {
     instr = reusedPhiInstruction(_) and
     // Check that the phi instruction is *not* degenerate, but we can't use
     // getDegeneratePhiOperand in the first stage with phi instyructions
-    exists(
-      OldIR::PhiInputOperand operand1, OldIR::PhiInputOperand operand2,
-      OldInstruction oldInstruction
-    |
-      oldInstruction = instr and
-      operand1 = oldInstruction.(OldIR::PhiInstruction).getAnInputOperand() and
-      operand1.getPredecessorBlock() instanceof OldBlock and
-      operand2 = oldInstruction.(OldIR::PhiInstruction).getAnInputOperand() and
-      operand2.getPredecessorBlock() instanceof OldBlock and
-      operand1 != operand2
-    )
+    not exists(unique(OldIR::PhiInputOperand operand |
+      operand = instr.(OldIR::PhiInstruction).getAnInputOperand() and
+      operand.getPredecessorBlock() instanceof OldBlock
+    ))
     or
     instr instanceof TChiInstruction
     or
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
index 9c4a0bb0bf5..11c5af43719 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -65,17 +65,10 @@ private module Cached {
     instr = reusedPhiInstruction(_) and
     // Check that the phi instruction is *not* degenerate, but we can't use
     // getDegeneratePhiOperand in the first stage with phi instyructions
-    exists(
-      OldIR::PhiInputOperand operand1, OldIR::PhiInputOperand operand2,
-      OldInstruction oldInstruction
-    |
-      oldInstruction = instr and
-      operand1 = oldInstruction.(OldIR::PhiInstruction).getAnInputOperand() and
-      operand1.getPredecessorBlock() instanceof OldBlock and
-      operand2 = oldInstruction.(OldIR::PhiInstruction).getAnInputOperand() and
-      operand2.getPredecessorBlock() instanceof OldBlock and
-      operand1 != operand2
-    )
+    not exists(unique(OldIR::PhiInputOperand operand |
+      operand = instr.(OldIR::PhiInstruction).getAnInputOperand() and
+      operand.getPredecessorBlock() instanceof OldBlock
+    ))
     or
     instr instanceof TChiInstruction
     or

From 5318aa8ead6ec2eb487f72af5aeaac2b4f1fd3ce Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Mon, 3 May 2021 14:08:35 -0700
Subject: [PATCH 0913/1429] C++: autoformat

---
 .../aliased_ssa/internal/SSAConstruction.qll           | 10 ++++++----
 .../unaliased_ssa/internal/SSAConstruction.qll         | 10 ++++++----
 .../unaliased_ssa/internal/SSAConstruction.qll         | 10 ++++++----
 3 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
index 11c5af43719..5c789276318 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
@@ -65,10 +65,12 @@ private module Cached {
     instr = reusedPhiInstruction(_) and
     // Check that the phi instruction is *not* degenerate, but we can't use
     // getDegeneratePhiOperand in the first stage with phi instyructions
-    not exists(unique(OldIR::PhiInputOperand operand |
-      operand = instr.(OldIR::PhiInstruction).getAnInputOperand() and
-      operand.getPredecessorBlock() instanceof OldBlock
-    ))
+    not exists(
+      unique(OldIR::PhiInputOperand operand |
+        operand = instr.(OldIR::PhiInstruction).getAnInputOperand() and
+        operand.getPredecessorBlock() instanceof OldBlock
+      )
+    )
     or
     instr instanceof TChiInstruction
     or
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
index 11c5af43719..5c789276318 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -65,10 +65,12 @@ private module Cached {
     instr = reusedPhiInstruction(_) and
     // Check that the phi instruction is *not* degenerate, but we can't use
     // getDegeneratePhiOperand in the first stage with phi instyructions
-    not exists(unique(OldIR::PhiInputOperand operand |
-      operand = instr.(OldIR::PhiInstruction).getAnInputOperand() and
-      operand.getPredecessorBlock() instanceof OldBlock
-    ))
+    not exists(
+      unique(OldIR::PhiInputOperand operand |
+        operand = instr.(OldIR::PhiInstruction).getAnInputOperand() and
+        operand.getPredecessorBlock() instanceof OldBlock
+      )
+    )
     or
     instr instanceof TChiInstruction
     or
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
index 11c5af43719..5c789276318 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -65,10 +65,12 @@ private module Cached {
     instr = reusedPhiInstruction(_) and
     // Check that the phi instruction is *not* degenerate, but we can't use
     // getDegeneratePhiOperand in the first stage with phi instyructions
-    not exists(unique(OldIR::PhiInputOperand operand |
-      operand = instr.(OldIR::PhiInstruction).getAnInputOperand() and
-      operand.getPredecessorBlock() instanceof OldBlock
-    ))
+    not exists(
+      unique(OldIR::PhiInputOperand operand |
+        operand = instr.(OldIR::PhiInstruction).getAnInputOperand() and
+        operand.getPredecessorBlock() instanceof OldBlock
+      )
+    )
     or
     instr instanceof TChiInstruction
     or

From b3e598c1a7460b66dfd72f6da0a7c17dab4b5fef Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Tue, 4 May 2021 11:34:24 -0700
Subject: [PATCH 0914/1429] C++/C#: fix another join order in SSA construction

---
 .../implementation/aliased_ssa/internal/SSAConstruction.qll   | 4 +++-
 .../implementation/unaliased_ssa/internal/SSAConstruction.qll | 4 +++-
 .../implementation/unaliased_ssa/internal/SSAConstruction.qll | 4 +++-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
index 5c789276318..63253ce7cda 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
@@ -192,7 +192,9 @@ private module Cached {
         exists(OldIR::PhiInputOperand phiOperand, Overlap phiOperandOverlap |
           phiOperand = getDegeneratePhiOperand(oldOperand.getAnyDef()) and
           result = getNewDefinitionFromOldSSA(phiOperand, phiOperandOverlap) and
-          overlap = combineOverlap(phiOperandOverlap, originalOverlap)
+          overlap =
+            combineOverlap(pragma[only_bind_out](phiOperandOverlap),
+              pragma[only_bind_out](originalOverlap))
         )
       )
     )
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
index 5c789276318..63253ce7cda 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -192,7 +192,9 @@ private module Cached {
         exists(OldIR::PhiInputOperand phiOperand, Overlap phiOperandOverlap |
           phiOperand = getDegeneratePhiOperand(oldOperand.getAnyDef()) and
           result = getNewDefinitionFromOldSSA(phiOperand, phiOperandOverlap) and
-          overlap = combineOverlap(phiOperandOverlap, originalOverlap)
+          overlap =
+            combineOverlap(pragma[only_bind_out](phiOperandOverlap),
+              pragma[only_bind_out](originalOverlap))
         )
       )
     )
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
index 5c789276318..63253ce7cda 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -192,7 +192,9 @@ private module Cached {
         exists(OldIR::PhiInputOperand phiOperand, Overlap phiOperandOverlap |
           phiOperand = getDegeneratePhiOperand(oldOperand.getAnyDef()) and
           result = getNewDefinitionFromOldSSA(phiOperand, phiOperandOverlap) and
-          overlap = combineOverlap(phiOperandOverlap, originalOverlap)
+          overlap =
+            combineOverlap(pragma[only_bind_out](phiOperandOverlap),
+              pragma[only_bind_out](originalOverlap))
         )
       )
     )

From 5437bd7a41f06e4082906606a31f041527b8e802 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 6 May 2021 17:57:57 +0200
Subject: [PATCH 0915/1429] C++: Fix annotation.

---
 .../query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
index dde820d5df6..da990934515 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
@@ -209,6 +209,6 @@ void bad_new_with_nonthrowing_call() {
 
 void bad_new_catch_baseclass_of_bad_alloc() {
   try {
-    int* p = new(std::nothrow) int; // BAD [NOT DETECTED]
+    int* p = new(std::nothrow) int; // BAD
   } catch(const std::exception&) { }
 }

From 7c1720a1d194e4b4a56547dafbb2b2172f6b0066 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 6 May 2021 18:02:05 +0200
Subject: [PATCH 0916/1429] C++: Remove NoThrowAllocator and inline its
 (corrected) definition in ThrowingAllocator.

---
 .../CWE-570/IncorrectAllocationErrorHandling.ql | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
index 6bb0182a79e..3ca8a5eee54 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -147,19 +147,14 @@ predicate exprMayThrow(Expr e) {
   )
 }
 
-/** An allocator that will not throw an exception. */
-class NoThrowAllocator extends Function {
-  NoThrowAllocator() {
-    exists(NewOrNewArrayExpr newExpr |
-      newExpr.getAllocator() = this and
-      not functionMayThrow(this)
-    )
-  }
-}
-
 /** An allocator that might throw an exception. */
 class ThrowingAllocator extends Function {
-  ThrowingAllocator() { not this instanceof NoThrowAllocator }
+  ThrowingAllocator() {
+    exists(NewOrNewArrayExpr newExpr |
+      newExpr.getAllocator() = this and
+      functionMayThrow(this)
+    )
+  }
 }
 
 /** The `std::bad_alloc` exception and its `bsl` variant. */

From 856d512aa677a8f3097320918d4f21d7da003128 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 6 May 2021 18:36:09 +0200
Subject: [PATCH 0917/1429] C++: Simplify noThrowInTryBlock.

---
 .../Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql  | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
index 3ca8a5eee54..97ff9e06d64 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -182,9 +182,7 @@ class BadAllocCatchBlock extends CatchBlock {
  */
 predicate noThrowInTryBlock(NewOrNewArrayExpr newExpr, BadAllocCatchBlock catchBlock) {
   exists(TryStmt try |
-    forall(Expr cand | cand.getEnclosingBlock().getEnclosingBlock*() = try.getStmt() |
-      not convertedExprMayThrow(cand)
-    ) and
+    not stmtMayThrow(try.getStmt()) and
     try.getACatchClause() = catchBlock and
     newExpr.getEnclosingBlock().getEnclosingBlock*() = try.getStmt()
   )

From 852134023da7a697866fab5022564914e816e0de Mon Sep 17 00:00:00 2001
From: alexet <alexet@semmle.com>
Date: Thu, 6 May 2021 18:11:28 +0100
Subject: [PATCH 0918/1429] Use only bind-out to fix join order.

---
 csharp/ql/src/semmle/code/csharp/dispatch/Dispatch.qll | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dispatch/Dispatch.qll b/csharp/ql/src/semmle/code/csharp/dispatch/Dispatch.qll
index cca858d69ba..f06fbca375d 100644
--- a/csharp/ql/src/semmle/code/csharp/dispatch/Dispatch.qll
+++ b/csharp/ql/src/semmle/code/csharp/dispatch/Dispatch.qll
@@ -387,7 +387,8 @@ private module Internal {
       result = this.getAStaticTarget()
       or
       result.getUnboundDeclaration() =
-        this.getASubsumedStaticTarget0(Gvn::getGlobalValueNumber(result.getDeclaringType()))
+        this.getASubsumedStaticTarget0(pragma[only_bind_out](Gvn::getGlobalValueNumber(result
+                .getDeclaringType())))
     }
 
     /**

From fab8400ecdc7f26bfcd95f781bb287ba156d5d73 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Thu, 6 May 2021 10:45:37 +0200
Subject: [PATCH 0919/1429] C#: Escape IDs in TRAP label definitions

---
 .../Context.Factories.cs                      |   2 +-
 .../Entities/ArrayType.cs                     |   2 +-
 .../Entities/Assembly.cs                      |   2 +-
 .../Entities/Base/LabelledEntity.cs           |   4 +-
 .../Entities/ByRefType.cs                     |   2 +-
 .../Entities/ConstructedType.cs               |   2 +-
 .../Entities/ErrorType.cs                     |   2 +-
 .../Semmle.Extraction.CIL/Entities/Event.cs   |   2 +-
 .../Semmle.Extraction.CIL/Entities/Field.cs   |   2 +-
 .../Semmle.Extraction.CIL/Entities/File.cs    |   2 +-
 .../Semmle.Extraction.CIL/Entities/Folder.cs  |   2 +-
 .../Entities/FunctionPointerType.cs           |   2 +-
 .../Entities/ITypeSignature.cs                |   2 +-
 .../Entities/LocalVariable.cs                 |   2 +-
 .../Semmle.Extraction.CIL/Entities/Method.cs  |  12 +-
 .../Entities/MethodSpecificationMethod.cs     |   2 +-
 .../Entities/MethodTypeParameter.cs           |   2 +-
 .../Entities/ModifiedType.cs                  |   2 +-
 .../Entities/NamedTypeIdWriter.cs             |   2 +-
 .../Entities/Namespace.cs                     |   5 +-
 .../Entities/NoMetadataHandleType.cs          |   2 +-
 .../Entities/Parameter.cs                     |   2 +-
 .../Entities/PointerType.cs                   |   2 +-
 .../Entities/PrimitiveType.cs                 |   2 +-
 .../Entities/Property.cs                      |   2 +-
 .../Entities/SignatureDecoder.cs              |  24 +-
 .../Entities/SourceLocation.cs                |   2 +-
 .../Semmle.Extraction.CIL/Entities/Type.cs    |  16 +-
 .../Entities/TypeContainer.cs                 |  10 -
 .../Entities/TypeDefinitionType.cs            |   2 +-
 .../Entities/TypeReferenceType.cs             |   2 +-
 .../Entities/TypeTypeParameter.cs             |   2 +-
 .../Entities/Assembly.cs                      |   2 +-
 .../Entities/Attribute.cs                     |   4 +-
 .../Entities/CommentBlock.cs                  |   2 +-
 .../Entities/CommentLine.cs                   |   2 +-
 .../Entities/Compilations/Compilation.cs      |   2 +-
 .../Entities/Constructor.cs                   |   2 +-
 .../Entities/Event.cs                         |   2 +-
 .../Entities/Field.cs                         |   2 +-
 .../Entities/Indexer.cs                       |   4 +-
 .../Entities/LocalFunction.cs                 |   4 +-
 .../Entities/LocalVariable.cs                 |   4 +-
 .../Entities/Method.cs                        |  10 +-
 .../Entities/Modifier.cs                      |   2 +-
 .../Entities/Namespace.cs                     |   2 +-
 .../Entities/NamespaceDeclaration.cs          |   2 +-
 .../Entities/NonGeneratedSourceLocation.cs    |   2 +-
 .../Entities/Parameter.cs                     |   4 +-
 .../Entities/Property.cs                      |   2 +-
 .../Entities/Types/ArrayType.cs               |   2 +-
 .../Entities/Types/DynamicType.cs             |   2 +-
 .../Entities/Types/FunctionPointerType.cs     |   2 +-
 .../Entities/Types/NamedType.cs               |   6 +-
 .../Entities/Types/NullType.cs                |   2 +-
 .../Entities/Types/Nullability.cs             |   6 +-
 .../Entities/Types/PointerType.cs             |   2 +-
 .../Entities/Types/TupleType.cs               |   2 +-
 .../Entities/Types/TypeParameter.cs           |   2 +-
 .../SymbolExtensions.cs                       |  48 +--
 csharp/extractor/Semmle.Extraction/Context.cs |   2 +-
 .../Semmle.Extraction/Entities/Base/Entity.cs |  14 +-
 .../Entities/Base/IEntity.cs                  |   4 +-
 .../Entities/Base/LabelledEntity.cs           |   7 -
 .../Entities/Base/UnlabelledEntity.cs         |   6 +-
 .../Semmle.Extraction/Entities/File.cs        |   2 +-
 .../Semmle.Extraction/Entities/Folder.cs      |   2 +-
 .../Entities/GeneratedFile.cs                 |   2 +-
 .../Entities/GeneratedLocation.cs             |   2 +-
 .../Semmle.Extraction/EscapingTextWriter.cs   | 340 ++++++++++++++++++
 .../Semmle.Extraction/TrapExtensions.cs       |  22 +-
 .../ql/test/library-tests/regressions/{}.cs   |   1 +
 72 files changed, 486 insertions(+), 169 deletions(-)
 create mode 100644 csharp/extractor/Semmle.Extraction/EscapingTextWriter.cs
 create mode 100644 csharp/ql/test/library-tests/regressions/{}.cs

diff --git a/csharp/extractor/Semmle.Extraction.CIL/Context.Factories.cs b/csharp/extractor/Semmle.Extraction.CIL/Context.Factories.cs
index 0cdc5bf8dac..5ce1a58491f 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Context.Factories.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Context.Factories.cs
@@ -36,7 +36,7 @@ namespace Semmle.Extraction.CIL
                         c.Extract(this);
                 });
 #if DEBUG_LABELS
-                using var writer = new StringWriter();
+                using var writer = new EscapingTextWriter();
                 e.WriteId(writer);
                 var id = writer.ToString();
 
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/ArrayType.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/ArrayType.cs
index b838a9070ff..0f4138e20c5 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/ArrayType.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/ArrayType.cs
@@ -29,7 +29,7 @@ namespace Semmle.Extraction.CIL.Entities
 
         public override int GetHashCode() => HashCode.Combine(elementType, rank);
 
-        public override void WriteId(TextWriter trapFile, bool inContext)
+        public override void WriteId(EscapingTextWriter trapFile, bool inContext)
         {
             elementType.WriteId(trapFile, inContext);
             trapFile.Write('[');
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Assembly.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Assembly.cs
index d28fa0035c3..c94038902f7 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Assembly.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Assembly.cs
@@ -32,7 +32,7 @@ namespace Semmle.Extraction.CIL.Entities
             file = new File(cx, cx.AssemblyPath);
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.Write(FullName);
             trapFile.Write("#file:///");
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/LabelledEntity.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/LabelledEntity.cs
index 150074f22ee..b7e946979fd 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/LabelledEntity.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/LabelledEntity.cs
@@ -25,9 +25,9 @@ namespace Semmle.Extraction.CIL
 
         public override string ToString()
         {
-            using var writer = new StringWriter();
+            using var writer = new EscapingTextWriter();
             WriteQuotedId(writer);
-            return writer.ToString();
+            return writer.ToString()!;
         }
 
         public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NoLabel;
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/ByRefType.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/ByRefType.cs
index 2a527419249..5b9ae9fd1aa 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/ByRefType.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/ByRefType.cs
@@ -33,7 +33,7 @@ namespace Semmle.Extraction.CIL.Entities
 
         public override void WriteAssemblyPrefix(TextWriter trapFile) => throw new NotImplementedException();
 
-        public override void WriteId(TextWriter trapFile, bool inContext)
+        public override void WriteId(EscapingTextWriter trapFile, bool inContext)
         {
             ElementType.WriteId(trapFile, inContext);
             trapFile.Write('&');
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/ConstructedType.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/ConstructedType.cs
index 6e2fb90beae..c97ef697700 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/ConstructedType.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/ConstructedType.cs
@@ -100,7 +100,7 @@ namespace Semmle.Extraction.CIL.Entities
             throw new NotImplementedException();
         }
 
-        public override void WriteId(TextWriter trapFile, bool inContext)
+        public override void WriteId(EscapingTextWriter trapFile, bool inContext)
         {
             idWriter.WriteId(trapFile, inContext);
         }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/ErrorType.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/ErrorType.cs
index e08cea2854c..41b5810ba27 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/ErrorType.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/ErrorType.cs
@@ -10,7 +10,7 @@ namespace Semmle.Extraction.CIL.Entities
         {
         }
 
-        public override void WriteId(TextWriter trapFile, bool inContext) => trapFile.Write("<ErrorType>");
+        public override void WriteId(EscapingTextWriter trapFile, bool inContext) => trapFile.Write("<ErrorType>");
 
         public override CilTypeKind Kind => CilTypeKind.ValueOrRefType;
 
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Event.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Event.cs
index a54d0a8065d..0ed8e871d55 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Event.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Event.cs
@@ -20,7 +20,7 @@ namespace Semmle.Extraction.CIL.Entities
             ed = cx.MdReader.GetEventDefinition(handle);
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             parent.WriteId(trapFile);
             trapFile.Write('.');
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Field.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Field.cs
index 8decef24128..96ad1715c27 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Field.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Field.cs
@@ -14,7 +14,7 @@ namespace Semmle.Extraction.CIL.Entities
         {
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.WriteSubId(DeclaringType);
             trapFile.Write('.');
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/File.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/File.cs
index a07ffc61de8..c2fd6837e3e 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/File.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/File.cs
@@ -14,7 +14,7 @@ namespace Semmle.Extraction.CIL.Entities
             TransformedPath = Context.Extractor.PathTransformer.Transform(OriginalPath);
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.Write(TransformedPath.DatabaseId);
             trapFile.Write(";sourcefile");
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Folder.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Folder.cs
index b49abce64c9..9c3fbadcf20 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Folder.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Folder.cs
@@ -12,7 +12,7 @@ namespace Semmle.Extraction.CIL.Entities
             this.transformedPath = path;
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.Write(transformedPath.DatabaseId);
             trapFile.Write(";folder");
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/FunctionPointerType.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/FunctionPointerType.cs
index 3b6bbba00cc..511826e003c 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/FunctionPointerType.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/FunctionPointerType.cs
@@ -42,7 +42,7 @@ namespace Semmle.Extraction.CIL.Entities
 
         public override void WriteAssemblyPrefix(TextWriter trapFile) { }
 
-        public override void WriteId(TextWriter trapFile, bool inContext)
+        public override void WriteId(EscapingTextWriter trapFile, bool inContext)
         {
             WriteName(
                 trapFile.Write,
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/ITypeSignature.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/ITypeSignature.cs
index beaecdfab6f..004d2707738 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/ITypeSignature.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/ITypeSignature.cs
@@ -4,6 +4,6 @@ namespace Semmle.Extraction.CIL.Entities
 {
     internal interface ITypeSignature
     {
-        void WriteId(TextWriter trapFile, IGenericContext gc);
+        void WriteId(EscapingTextWriter trapFile, IGenericContext gc);
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/LocalVariable.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/LocalVariable.cs
index 5d7a00c64c9..b7690d2498e 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/LocalVariable.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/LocalVariable.cs
@@ -16,7 +16,7 @@ namespace Semmle.Extraction.CIL.Entities
             type = t;
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.WriteSubId(method);
             trapFile.Write('_');
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Method.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Method.cs
index 9df82edaa68..199eb691689 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Method.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Method.cs
@@ -37,17 +37,15 @@ namespace Semmle.Extraction.CIL.Entities
         public virtual IList<LocalVariable>? LocalVariables => throw new NotImplementedException();
         public IList<Parameter>? Parameters { get; protected set; }
 
-        public override void WriteId(TextWriter trapFile) => WriteMethodId(trapFile, DeclaringType, NameLabel);
-
         public abstract string NameLabel { get; }
 
-        protected internal void WriteMethodId(TextWriter trapFile, Type parent, string methodName)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             signature.ReturnType.WriteId(trapFile, this);
             trapFile.Write(' ');
-            parent.WriteId(trapFile);
+            DeclaringType.WriteId(trapFile);
             trapFile.Write('.');
-            trapFile.Write(methodName);
+            trapFile.Write(NameLabel);
 
             if (signature.GenericParameterCount > 0)
             {
@@ -61,11 +59,9 @@ namespace Semmle.Extraction.CIL.Entities
                 trapFile.WriteSeparator(",", ref index);
                 param.WriteId(trapFile, this);
             }
-            trapFile.Write(')');
+            trapFile.Write(");cil-method");
         }
 
-        public override string IdSuffix => ";cil-method";
-
         protected IEnumerable<IExtractionProduct> PopulateFlags
         {
             get
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/MethodSpecificationMethod.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/MethodSpecificationMethod.cs
index 840d106b536..2cea67ec16c 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/MethodSpecificationMethod.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/MethodSpecificationMethod.cs
@@ -26,7 +26,7 @@ namespace Semmle.Extraction.CIL.Entities
             unboundMethod = (Method)Context.CreateGeneric(gc, ms.Method);
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             unboundMethod.WriteId(trapFile);
             trapFile.Write('<');
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/MethodTypeParameter.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/MethodTypeParameter.cs
index 1795eb29269..a36cf372ea0 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/MethodTypeParameter.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/MethodTypeParameter.cs
@@ -9,7 +9,7 @@ namespace Semmle.Extraction.CIL.Entities
         private readonly Method method;
         private readonly int index;
 
-        public override void WriteId(TextWriter trapFile, bool inContext)
+        public override void WriteId(EscapingTextWriter trapFile, bool inContext)
         {
             if (!(inContext && method == gc))
             {
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/ModifiedType.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/ModifiedType.cs
index f160c6869de..36e08a2e594 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/ModifiedType.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/ModifiedType.cs
@@ -37,7 +37,7 @@ namespace Semmle.Extraction.CIL.Entities
 
         public override void WriteAssemblyPrefix(TextWriter trapFile) => throw new NotImplementedException();
 
-        public override void WriteId(TextWriter trapFile, bool inContext)
+        public override void WriteId(EscapingTextWriter trapFile, bool inContext)
         {
             Unmodified.WriteId(trapFile, inContext);
             trapFile.Write(IsRequired ? " modreq" : " modopt");
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/NamedTypeIdWriter.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/NamedTypeIdWriter.cs
index 59c7d172d01..3a71b76b0c3 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/NamedTypeIdWriter.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/NamedTypeIdWriter.cs
@@ -12,7 +12,7 @@ namespace Semmle.Extraction.CIL.Entities
             this.type = type;
         }
 
-        public void WriteId(TextWriter trapFile, bool inContext)
+        public void WriteId(EscapingTextWriter trapFile, bool inContext)
         {
             if (type.IsPrimitiveType)
             {
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Namespace.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Namespace.cs
index 1d0b373952b..3b7354c791d 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Namespace.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Namespace.cs
@@ -14,7 +14,7 @@ namespace Semmle.Extraction.CIL.Entities
 
         public bool IsGlobalNamespace => ParentNamespace is null;
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             if (ParentNamespace is not null && !ParentNamespace.IsGlobalNamespace)
             {
@@ -22,10 +22,9 @@ namespace Semmle.Extraction.CIL.Entities
                 trapFile.Write('.');
             }
             trapFile.Write(Name);
+            trapFile.Write(";namespace");
         }
 
-        public override string IdSuffix => ";namespacee";
-
         public override bool Equals(object? obj)
         {
             if (obj is Namespace ns && Name == ns.Name)
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/NoMetadataHandleType.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/NoMetadataHandleType.cs
index c2a340c4de1..41a28e32bf1 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/NoMetadataHandleType.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/NoMetadataHandleType.cs
@@ -137,7 +137,7 @@ namespace Semmle.Extraction.CIL.Entities
             }
         }
 
-        public override void WriteId(TextWriter trapFile, bool inContext)
+        public override void WriteId(EscapingTextWriter trapFile, bool inContext)
         {
             idWriter.WriteId(trapFile, inContext);
         }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Parameter.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Parameter.cs
index 9cf96412309..b8906f6b845 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Parameter.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Parameter.cs
@@ -19,7 +19,7 @@ namespace Semmle.Extraction.CIL.Entities
             type = t;
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.WriteSubId(parameterizable);
             trapFile.Write('_');
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/PointerType.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/PointerType.cs
index 8b1209925b6..1a6bd474bd0 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/PointerType.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/PointerType.cs
@@ -20,7 +20,7 @@ namespace Semmle.Extraction.CIL.Entities
 
         public override int GetHashCode() => HashCode.Combine(pointee, nameof(PointerType));
 
-        public override void WriteId(TextWriter trapFile, bool inContext)
+        public override void WriteId(EscapingTextWriter trapFile, bool inContext)
         {
             pointee.WriteId(trapFile, inContext);
             trapFile.Write('*');
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/PrimitiveType.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/PrimitiveType.cs
index 1e331397237..0e776c1aaad 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/PrimitiveType.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/PrimitiveType.cs
@@ -20,7 +20,7 @@ namespace Semmle.Extraction.CIL.Entities
 
         public override int GetHashCode() => typeCode.GetHashCode();
 
-        public override void WriteId(TextWriter trapFile, bool inContext)
+        public override void WriteId(EscapingTextWriter trapFile, bool inContext)
         {
             Type.WritePrimitiveTypeId(trapFile, Name);
         }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Property.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Property.cs
index 9e56c22a099..99a462069e1 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Property.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Property.cs
@@ -23,7 +23,7 @@ namespace Semmle.Extraction.CIL.Entities
             this.type = type;
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.WriteSubId(type);
             trapFile.Write('.');
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/SignatureDecoder.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/SignatureDecoder.cs
index ea646449421..0f012c0c18d 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/SignatureDecoder.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/SignatureDecoder.cs
@@ -17,7 +17,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.shape = shape;
             }
 
-            public void WriteId(TextWriter trapFile, IGenericContext gc)
+            public void WriteId(EscapingTextWriter trapFile, IGenericContext gc)
             {
                 elementType.WriteId(trapFile, gc);
                 trapFile.Write('[');
@@ -38,7 +38,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.elementType = elementType;
             }
 
-            public void WriteId(TextWriter trapFile, IGenericContext gc)
+            public void WriteId(EscapingTextWriter trapFile, IGenericContext gc)
             {
                 elementType.WriteId(trapFile, gc);
                 trapFile.Write('&');
@@ -54,7 +54,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.signature = signature;
             }
 
-            public void WriteId(TextWriter trapFile, IGenericContext gc)
+            public void WriteId(EscapingTextWriter trapFile, IGenericContext gc)
             {
                 FunctionPointerType.WriteName(
                     trapFile.Write,
@@ -84,7 +84,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.typeArguments = typeArguments;
             }
 
-            public void WriteId(TextWriter trapFile, IGenericContext gc)
+            public void WriteId(EscapingTextWriter trapFile, IGenericContext gc)
             {
                 genericType.WriteId(trapFile, gc);
                 trapFile.Write('<');
@@ -112,7 +112,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.index = index;
             }
 
-            public void WriteId(TextWriter trapFile, IGenericContext outerGc)
+            public void WriteId(EscapingTextWriter trapFile, IGenericContext outerGc)
             {
                 if (!ReferenceEquals(innerGc, outerGc) && innerGc is Method method)
                 {
@@ -132,7 +132,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.index = index;
             }
 
-            public void WriteId(TextWriter trapFile, IGenericContext gc)
+            public void WriteId(EscapingTextWriter trapFile, IGenericContext gc)
             {
                 trapFile.Write("T!");
                 trapFile.Write(index);
@@ -158,7 +158,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.isRequired = isRequired;
             }
 
-            public void WriteId(TextWriter trapFile, IGenericContext gc)
+            public void WriteId(EscapingTextWriter trapFile, IGenericContext gc)
             {
                 unmodifiedType.WriteId(trapFile, gc);
                 trapFile.Write(isRequired ? " modreq(" : " modopt(");
@@ -186,7 +186,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.elementType = elementType;
             }
 
-            public void WriteId(TextWriter trapFile, IGenericContext gc)
+            public void WriteId(EscapingTextWriter trapFile, IGenericContext gc)
             {
                 elementType.WriteId(trapFile, gc);
                 trapFile.Write('*');
@@ -207,7 +207,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.typeCode = typeCode;
             }
 
-            public void WriteId(TextWriter trapFile, IGenericContext gc)
+            public void WriteId(EscapingTextWriter trapFile, IGenericContext gc)
             {
                 trapFile.Write(typeCode.Id());
             }
@@ -227,7 +227,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.elementType = elementType;
             }
 
-            public void WriteId(TextWriter trapFile, IGenericContext gc)
+            public void WriteId(EscapingTextWriter trapFile, IGenericContext gc)
             {
                 elementType.WriteId(trapFile, gc);
                 trapFile.Write("[]");
@@ -248,7 +248,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.handle = handle;
             }
 
-            public void WriteId(TextWriter trapFile, IGenericContext gc)
+            public void WriteId(EscapingTextWriter trapFile, IGenericContext gc)
             {
                 var type = (Type)gc.Context.Create(handle);
                 type.WriteId(trapFile);
@@ -269,7 +269,7 @@ namespace Semmle.Extraction.CIL.Entities
                 this.handle = handle;
             }
 
-            public void WriteId(TextWriter trapFile, IGenericContext gc)
+            public void WriteId(EscapingTextWriter trapFile, IGenericContext gc)
             {
                 var type = (Type)gc.Context.Create(handle);
                 type.WriteId(trapFile);
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/SourceLocation.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/SourceLocation.cs
index ff67844121a..5420ac53645 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/SourceLocation.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/SourceLocation.cs
@@ -15,7 +15,7 @@ namespace Semmle.Extraction.CIL.Entities
             file = cx.CreateSourceFile(location.File);
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             file.WriteId(trapFile);
             trapFile.Write(',');
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Type.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Type.cs
index db4876f8a9a..5d27c5400d5 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Type.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Type.cs
@@ -43,11 +43,13 @@ namespace Semmle.Extraction.CIL.Entities
         /// (This is to avoid infinite recursion generating a method ID that returns a
         /// type parameter.)
         /// </param>
-        public abstract void WriteId(TextWriter trapFile, bool inContext);
+        public abstract void WriteId(EscapingTextWriter trapFile, bool inContext);
 
-        public sealed override void WriteId(TextWriter trapFile) => WriteId(trapFile, false);
-
-        public override string IdSuffix => ";cil-type";
+        public sealed override void WriteId(EscapingTextWriter trapFile)
+        {
+            WriteId(trapFile, false);
+            trapFile.Write(";cil-type");
+        }
 
         /// <summary>
         /// Returns the friendly qualified name of types, such as
@@ -58,10 +60,12 @@ namespace Semmle.Extraction.CIL.Entities
         /// </summary>
         public string GetQualifiedName()
         {
-            using var writer = new StringWriter();
+            using var writer = new EscapingTextWriter();
             WriteId(writer, false);
             var name = writer.ToString();
-            return name.Substring(name.IndexOf(AssemblyTypeNameSeparator) + 2);
+            return name.Substring(name.IndexOf(AssemblyTypeNameSeparator) + 2).
+                Replace(";namespace", "").
+                Replace(";cil-type", "");
         }
 
         public abstract CilTypeKind Kind { get; }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeContainer.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeContainer.cs
index e201e065255..aae0b4b0b48 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeContainer.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeContainer.cs
@@ -12,16 +12,6 @@ namespace Semmle.Extraction.CIL.Entities
         {
         }
 
-        public abstract string IdSuffix { get; }
-
-        public override void WriteQuotedId(TextWriter trapFile)
-        {
-            trapFile.Write("@\"");
-            WriteId(trapFile);
-            trapFile.Write(IdSuffix);
-            trapFile.Write('\"');
-        }
-
         public abstract IEnumerable<Type> MethodParameters { get; }
         public abstract IEnumerable<Type> TypeParameters { get; }
     }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeDefinitionType.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeDefinitionType.cs
index 51b02f1482e..a5d377846d7 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeDefinitionType.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeDefinitionType.cs
@@ -40,7 +40,7 @@ namespace Semmle.Extraction.CIL.Entities
 
         public override int GetHashCode() => handle.GetHashCode();
 
-        public override void WriteId(TextWriter trapFile, bool inContext)
+        public override void WriteId(EscapingTextWriter trapFile, bool inContext)
         {
             idWriter.WriteId(trapFile, inContext);
         }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeReferenceType.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeReferenceType.cs
index c94a6978f5e..1af91d32586 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeReferenceType.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeReferenceType.cs
@@ -88,7 +88,7 @@ namespace Semmle.Extraction.CIL.Entities
 
         public override IEnumerable<Type> ThisGenericArguments => typeParams.Value;
 
-        public override void WriteId(TextWriter trapFile, bool inContext)
+        public override void WriteId(EscapingTextWriter trapFile, bool inContext)
         {
             idWriter.WriteId(trapFile, inContext);
         }
diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeTypeParameter.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeTypeParameter.cs
index 15db1536a3f..580c8573acf 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeTypeParameter.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/TypeTypeParameter.cs
@@ -25,7 +25,7 @@ namespace Semmle.Extraction.CIL.Entities
             return type.GetHashCode() * 13 + index;
         }
 
-        public override void WriteId(TextWriter trapFile, bool inContext)
+        public override void WriteId(EscapingTextWriter trapFile, bool inContext)
         {
             type.WriteId(trapFile, inContext);
             trapFile.Write('!');
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Assembly.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Assembly.cs
index c0ffce70dbe..9555fabec4f 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Assembly.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Assembly.cs
@@ -69,7 +69,7 @@ namespace Semmle.Extraction.CSharp.Entities
             return AssemblyConstructorFactory.Instance.CreateEntity(cx, outputAssemblyCacheKey, null);
         }
 
-        public override void WriteId(System.IO.TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.Write(assembly.ToString());
             if (!(assemblyPath is null))
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Attribute.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Attribute.cs
index b1bfb508d75..7e7fc39aab8 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Attribute.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Attribute.cs
@@ -20,7 +20,7 @@ namespace Semmle.Extraction.CSharp.Entities
             this.entity = entity;
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             if (ReportingLocation?.IsInSource == true)
             {
@@ -33,7 +33,7 @@ namespace Semmle.Extraction.CSharp.Entities
             }
         }
 
-        public override void WriteQuotedId(TextWriter trapFile)
+        public sealed override void WriteQuotedId(EscapingTextWriter trapFile)
         {
             if (ReportingLocation?.IsInSource == true)
             {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentBlock.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentBlock.cs
index a3394885d1c..6d4a2cf07f9 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentBlock.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentBlock.cs
@@ -21,7 +21,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override bool NeedsPopulation => true;
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.WriteSubId(Context.CreateLocation(Symbol.Location));
             trapFile.Write(";commentblock");
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentLine.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentLine.cs
index a1c9fb5c643..b9fb6cdfee2 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentLine.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/CommentLine.cs
@@ -32,7 +32,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override bool NeedsPopulation => true;
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.WriteSubId(Context.CreateLocation(Location));
             trapFile.Write(";commentline");
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Compilation.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Compilation.cs
index 1c929c1ad5a..f3672e4c6e4 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Compilation.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Compilation.cs
@@ -81,7 +81,7 @@ namespace Semmle.Extraction.CSharp.Entities
             trapFile.compilation_finished(this, (float)p.Total.Cpu.TotalSeconds, (float)p.Total.Elapsed.TotalSeconds);
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.Write(hashCode);
             trapFile.Write(";compilation");
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs
index 39c202929d2..3f31108b57e 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs
@@ -144,7 +144,7 @@ namespace Semmle.Extraction.CSharp.Entities
             }
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             if (Symbol.IsStatic)
                 trapFile.Write("static");
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Event.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Event.cs
index e92a42d8ab1..ca9753d229b 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Event.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Event.cs
@@ -10,7 +10,7 @@ namespace Semmle.Extraction.CSharp.Entities
         private Event(Context cx, IEventSymbol init)
             : base(cx, init) { }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.WriteSubId(ContainingType!);
             trapFile.Write('.');
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs
index 2fe1cf224ab..851d1103e1d 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs
@@ -118,7 +118,7 @@ namespace Semmle.Extraction.CSharp.Entities
         private readonly Lazy<Type> type;
         public Type Type => type.Value;
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.WriteSubId(Type);
             trapFile.Write(" ");
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Indexer.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Indexer.cs
index 3da002f8b2c..8c00bb94335 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Indexer.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Indexer.cs
@@ -73,13 +73,13 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public static new Indexer Create(Context cx, IPropertySymbol prop) => IndexerFactory.Instance.CreateEntityFromSymbol(cx, prop);
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.WriteSubId(ContainingType!);
             trapFile.Write('.');
             trapFile.Write(Symbol.MetadataName);
             trapFile.Write('(');
-            trapFile.BuildList(",", Symbol.Parameters, (p, tb0) => tb0.WriteSubId(Type.Create(Context, p.Type)));
+            trapFile.BuildList(",", Symbol.Parameters, p => trapFile.WriteSubId(Type.Create(Context, p.Type)));
             trapFile.Write(");indexer");
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/LocalFunction.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/LocalFunction.cs
index a94401f2a93..a94c170f408 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/LocalFunction.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/LocalFunction.cs
@@ -10,12 +10,12 @@ namespace Semmle.Extraction.CSharp.Entities
         {
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             throw new InvalidOperationException();
         }
 
-        public override void WriteQuotedId(TextWriter trapFile)
+        public sealed override void WriteQuotedId(EscapingTextWriter trapFile)
         {
             trapFile.Write('*');
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/LocalVariable.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/LocalVariable.cs
index ee685731c60..81a47710ba1 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/LocalVariable.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/LocalVariable.cs
@@ -8,12 +8,12 @@ namespace Semmle.Extraction.CSharp.Entities
     {
         private LocalVariable(Context cx, ISymbol init) : base(cx, init) { }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             throw new InvalidOperationException();
         }
 
-        public override void WriteQuotedId(TextWriter trapFile)
+        public sealed override void WriteQuotedId(EscapingTextWriter trapFile)
         {
             trapFile.Write('*');
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
index 61c8d768521..12d0ce4cc10 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
@@ -127,7 +127,7 @@ namespace Semmle.Extraction.CSharp.Entities
         /// <summary>
         ///  Factored out to share logic between `Method` and `UserOperator`.
         /// </summary>
-        private static void BuildMethodId(Method m, TextWriter trapFile)
+        private static void BuildMethodId(Method m, EscapingTextWriter trapFile)
         {
             m.Symbol.ReturnType.BuildOrWriteId(m.Context, trapFile, m.Symbol);
             trapFile.Write(" ");
@@ -153,7 +153,7 @@ namespace Semmle.Extraction.CSharp.Entities
                     // Type arguments with different nullability can result in
                     // a constructed method with different nullability of its parameters and return type,
                     // so we need to create a distinct database entity for it.
-                    trapFile.BuildList(",", m.Symbol.GetAnnotatedTypeArguments(), (ta, tb0) => { ta.Symbol.BuildOrWriteId(m.Context, tb0, m.Symbol); trapFile.Write((int)ta.Nullability); });
+                    trapFile.BuildList(",", m.Symbol.GetAnnotatedTypeArguments(), ta => { ta.Symbol.BuildOrWriteId(m.Context, trapFile, m.Symbol); trapFile.Write((int)ta.Nullability); });
                     trapFile.Write('>');
                 }
             }
@@ -182,12 +182,12 @@ namespace Semmle.Extraction.CSharp.Entities
             }
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             BuildMethodId(this, trapFile);
         }
 
-        protected static void AddParametersToId(Context cx, TextWriter trapFile, IMethodSymbol method)
+        protected static void AddParametersToId(Context cx, EscapingTextWriter trapFile, IMethodSymbol method)
         {
             trapFile.Write('(');
             var index = 0;
@@ -222,7 +222,7 @@ namespace Semmle.Extraction.CSharp.Entities
             trapFile.Write(')');
         }
 
-        public static void AddExplicitInterfaceQualifierToId(Context cx, System.IO.TextWriter trapFile, IEnumerable<ISymbol> explicitInterfaceImplementations)
+        public static void AddExplicitInterfaceQualifierToId(Context cx, EscapingTextWriter trapFile, IEnumerable<ISymbol> explicitInterfaceImplementations)
         {
             if (explicitInterfaceImplementations.Any())
                 trapFile.AppendList(",", explicitInterfaceImplementations.Select(impl => cx.CreateEntity(impl.ContainingType)));
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Modifier.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Modifier.cs
index 1d56da2623f..806e73e3590 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Modifier.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Modifier.cs
@@ -10,7 +10,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override Location? ReportingLocation => null;
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.Write(Symbol);
             trapFile.Write(";modifier");
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Namespace.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Namespace.cs
index 7d77ef276cb..68b108743f3 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Namespace.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Namespace.cs
@@ -23,7 +23,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override bool NeedsPopulation => true;
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             if (!Symbol.IsGlobalNamespace)
             {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/NamespaceDeclaration.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/NamespaceDeclaration.cs
index 749c7ae22c8..b9fd57b2cea 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/NamespaceDeclaration.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/NamespaceDeclaration.cs
@@ -20,7 +20,7 @@ namespace Semmle.Extraction.CSharp.Entities
             this.parent = parent;
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.WriteSubId(Context.CreateLocation(ReportingLocation));
             trapFile.Write(";namespacedeclaration");
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/NonGeneratedSourceLocation.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/NonGeneratedSourceLocation.cs
index 141c428dd55..7642c30d1a7 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/NonGeneratedSourceLocation.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/NonGeneratedSourceLocation.cs
@@ -41,7 +41,7 @@ namespace Semmle.Extraction.CSharp.Entities
             get;
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.Write("loc,");
             trapFile.WriteSubId(FileEntity);
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
index 462c8bbb297..9d69372174e 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
@@ -74,7 +74,7 @@ namespace Semmle.Extraction.CSharp.Entities
         public static Parameter Create(Context cx, IParameterSymbol param) =>
             ParameterFactory.Instance.CreateEntity(cx, param, (param, null, null));
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             if (Parent is null)
                 Parent = Method.Create(Context, Symbol.ContainingSymbol as IMethodSymbol);
@@ -209,7 +209,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override bool NeedsPopulation => true;
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.Write("__arglist;type");
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs
index 5fb77cf4dc2..9e4a1c79ad2 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs
@@ -21,7 +21,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         private Type Type => type.Value;
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.WriteSubId(Type);
             trapFile.Write(" ");
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/ArrayType.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/ArrayType.cs
index 48381430428..18a98883c8b 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/ArrayType.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/ArrayType.cs
@@ -30,7 +30,7 @@ namespace Semmle.Extraction.CSharp.Entities
             PopulateType(trapFile);
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.WriteSubId(ElementType);
             Symbol.BuildArraySuffix(trapFile);
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/DynamicType.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/DynamicType.cs
index b43c4c741f4..8a28beaff7b 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/DynamicType.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/DynamicType.cs
@@ -22,7 +22,7 @@ namespace Semmle.Extraction.CSharp.Entities
             trapFile.parent_namespace(this, Namespace.Create(Context, Context.Compilation.GlobalNamespace));
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.Write("dynamic;type");
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/FunctionPointerType.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/FunctionPointerType.cs
index 2bb9cd3a1b6..37ba909ec46 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/FunctionPointerType.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/FunctionPointerType.cs
@@ -11,7 +11,7 @@ namespace Semmle.Extraction.CSharp.Entities
         {
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             Symbol.BuildTypeId(Context, trapFile, Symbol);
             trapFile.Write(";functionpointertype");
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NamedType.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NamedType.cs
index b607da5d998..01ca82b71ba 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NamedType.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NamedType.cs
@@ -128,7 +128,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         private bool IsAnonymousType() => Symbol.IsAnonymousType || Symbol.Name.Contains("__AnonymousType");
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             if (IsAnonymousType())
             {
@@ -141,7 +141,7 @@ namespace Semmle.Extraction.CSharp.Entities
             }
         }
 
-        public override void WriteQuotedId(TextWriter trapFile)
+        public sealed override void WriteQuotedId(EscapingTextWriter trapFile)
         {
             if (IsAnonymousType())
                 trapFile.Write('*');
@@ -195,7 +195,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override bool NeedsPopulation => true;
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.WriteSubId(referencedType);
             trapFile.Write(";typeRef");
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NullType.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NullType.cs
index f65d7b17db6..6a049bc3939 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NullType.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/NullType.cs
@@ -13,7 +13,7 @@ namespace Semmle.Extraction.CSharp.Entities
             trapFile.types(this, Kinds.TypeKind.NULL, "null");
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.Write("<null>;type");
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Nullability.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Nullability.cs
index 3cd85bdbdde..c0ef8299eed 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Nullability.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Nullability.cs
@@ -79,7 +79,7 @@ namespace Semmle.Extraction.CSharp.Entities
             return h;
         }
 
-        public void WriteId(TextWriter trapFile)
+        public void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.Write(Annotation);
             trapFile.Write('(');
@@ -90,7 +90,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override string ToString()
         {
-            using var w = new StringWriter();
+            using var w = new EscapingTextWriter();
             WriteId(w);
             return w.ToString();
         }
@@ -120,7 +120,7 @@ namespace Semmle.Extraction.CSharp.Entities
             }
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             Symbol.WriteId(trapFile);
         }
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/PointerType.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/PointerType.cs
index 635172a0e62..c4f8aa74245 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/PointerType.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/PointerType.cs
@@ -11,7 +11,7 @@ namespace Semmle.Extraction.CSharp.Entities
             PointedAtType = Create(cx, Symbol.PointedAtType);
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.WriteSubId(PointedAtType);
             trapFile.Write("*;type");
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TupleType.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TupleType.cs
index ca3e182a99d..ddbf1ac52a6 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TupleType.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TupleType.cs
@@ -30,7 +30,7 @@ namespace Semmle.Extraction.CSharp.Entities
         // All tuple types are "local types"
         public override bool NeedsPopulation => true;
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             Symbol.BuildTypeId(Context, trapFile, Symbol);
             trapFile.Write(";tuple");
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TypeParameter.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TypeParameter.cs
index dcddf5d5cf2..146b1905018 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TypeParameter.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TypeParameter.cs
@@ -103,7 +103,7 @@ namespace Semmle.Extraction.CSharp.Entities
             }
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             string kind;
             IEntity containingEntity;
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs b/csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs
index f03f1674969..32b90e37068 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs
@@ -160,10 +160,10 @@ namespace Semmle.Extraction.CSharp
         /// <param name="trapFile">The trap builder used to store the result.</param>
         /// <param name="symbolBeingDefined">The outer symbol being defined (to avoid recursive ids).</param>
         /// <param name="constructUnderlyingTupleType">Whether to build a type ID for the underlying `System.ValueTuple` struct in the case of tuple types.</param>
-        public static void BuildTypeId(this ITypeSymbol type, Context cx, TextWriter trapFile, ISymbol symbolBeingDefined, bool constructUnderlyingTupleType = false) =>
+        public static void BuildTypeId(this ITypeSymbol type, Context cx, EscapingTextWriter trapFile, ISymbol symbolBeingDefined, bool constructUnderlyingTupleType = false) =>
             type.BuildTypeId(cx, trapFile, symbolBeingDefined, true, constructUnderlyingTupleType);
 
-        private static void BuildTypeId(this ITypeSymbol type, Context cx, TextWriter trapFile, ISymbol symbolBeingDefined, bool addBaseClass, bool constructUnderlyingTupleType)
+        private static void BuildTypeId(this ITypeSymbol type, Context cx, EscapingTextWriter trapFile, ISymbol symbolBeingDefined, bool addBaseClass, bool constructUnderlyingTupleType)
         {
             using (cx.StackGuard)
             {
@@ -207,7 +207,7 @@ namespace Semmle.Extraction.CSharp
             }
         }
 
-        private static void BuildOrWriteId(this ISymbol? symbol, Context cx, TextWriter trapFile, ISymbol symbolBeingDefined, bool addBaseClass, bool constructUnderlyingTupleType = false)
+        private static void BuildOrWriteId(this ISymbol? symbol, Context cx, EscapingTextWriter trapFile, ISymbol symbolBeingDefined, bool addBaseClass, bool constructUnderlyingTupleType = false)
         {
             if (symbol is null)
             {
@@ -249,7 +249,7 @@ namespace Semmle.Extraction.CSharp
         /// it will generate an appropriate ID that encodes the signature of
         /// <paramref name="symbol" />.
         /// </summary>
-        public static void BuildOrWriteId(this ISymbol? symbol, Context cx, TextWriter trapFile, ISymbol symbolBeingDefined) =>
+        public static void BuildOrWriteId(this ISymbol? symbol, Context cx, EscapingTextWriter trapFile, ISymbol symbolBeingDefined) =>
             symbol.BuildOrWriteId(cx, trapFile, symbolBeingDefined, true);
 
         /// <summary>
@@ -264,7 +264,7 @@ namespace Semmle.Extraction.CSharp
             trapFile.Write(']');
         }
 
-        private static void BuildAssembly(IAssemblySymbol asm, TextWriter trapFile, bool extraPrecise = false)
+        private static void BuildAssembly(IAssemblySymbol asm, EscapingTextWriter trapFile, bool extraPrecise = false)
         {
             var assembly = asm.Identity;
             trapFile.Write(assembly.Name);
@@ -282,22 +282,22 @@ namespace Semmle.Extraction.CSharp
             trapFile.Write("::");
         }
 
-        private static void BuildFunctionPointerTypeId(this IFunctionPointerTypeSymbol funptr, Context cx, TextWriter trapFile, ISymbol symbolBeingDefined)
+        private static void BuildFunctionPointerTypeId(this IFunctionPointerTypeSymbol funptr, Context cx, EscapingTextWriter trapFile, ISymbol symbolBeingDefined)
         {
-            BuildFunctionPointerSignature(funptr, trapFile, (s, tw) => s.BuildOrWriteId(cx, tw, symbolBeingDefined));
+            BuildFunctionPointerSignature(funptr, trapFile, s => s.BuildOrWriteId(cx, trapFile, symbolBeingDefined));
         }
 
-        private static void BuildNamedTypeId(this INamedTypeSymbol named, Context cx, TextWriter trapFile, ISymbol symbolBeingDefined, bool addBaseClass, bool constructUnderlyingTupleType)
+        private static void BuildNamedTypeId(this INamedTypeSymbol named, Context cx, EscapingTextWriter trapFile, ISymbol symbolBeingDefined, bool addBaseClass, bool constructUnderlyingTupleType)
         {
             if (!constructUnderlyingTupleType && named.IsTupleType)
             {
                 trapFile.Write('(');
                 trapFile.BuildList(",", named.TupleElements,
-                    (f, tb0) =>
+                    f =>
                     {
                         trapFile.Write((f.CorrespondingTupleField ?? f).Name);
                         trapFile.Write(":");
-                        f.Type.BuildOrWriteId(cx, tb0, symbolBeingDefined, addBaseClass);
+                        f.Type.BuildOrWriteId(cx, trapFile, symbolBeingDefined, addBaseClass);
                     }
                     );
                 trapFile.Write(")");
@@ -340,7 +340,7 @@ namespace Semmle.Extraction.CSharp
                 // a constructed type with different nullability of its members and methods,
                 // so we need to create a distinct database entity for it.
                 trapFile.BuildList(",", named.GetAnnotatedTypeArguments(),
-                    (ta, tb0) => ta.Symbol.BuildOrWriteId(cx, tb0, symbolBeingDefined, addBaseClass)
+                    ta => ta.Symbol.BuildOrWriteId(cx, trapFile, symbolBeingDefined, addBaseClass)
                     );
                 trapFile.Write('>');
             }
@@ -364,7 +364,7 @@ namespace Semmle.Extraction.CSharp
             }
         }
 
-        private static void BuildNamespace(this INamespaceSymbol ns, Context cx, TextWriter trapFile)
+        private static void BuildNamespace(this INamespaceSymbol ns, Context cx, EscapingTextWriter trapFile)
         {
             trapFile.WriteSubId(Namespace.Create(cx, ns));
             trapFile.Write('.');
@@ -377,7 +377,7 @@ namespace Semmle.Extraction.CSharp
             trapFile.Write("<>__AnonType");
             trapFile.Write(hackTypeNumber);
             trapFile.Write('<');
-            trapFile.BuildList(",", type.GetMembers().OfType<IPropertySymbol>(), (prop, tb0) => BuildDisplayName(prop.Type, cx, tb0));
+            trapFile.BuildList(",", type.GetMembers().OfType<IPropertySymbol>(), prop => BuildDisplayName(prop.Type, cx, trapFile));
             trapFile.Write('>');
         }
 
@@ -433,7 +433,7 @@ namespace Semmle.Extraction.CSharp
         }
 
         public static void BuildFunctionPointerSignature(IFunctionPointerTypeSymbol funptr, TextWriter trapFile,
-            Action<ITypeSymbol, TextWriter> buildNested)
+            Action<ITypeSymbol> buildNested)
         {
             trapFile.Write("delegate* ");
             trapFile.Write(funptr.Signature.CallingConvention.ToString().ToLowerInvariant());
@@ -447,19 +447,19 @@ namespace Semmle.Extraction.CSharp
 
             trapFile.Write('<');
             trapFile.BuildList(",", funptr.Signature.Parameters,
-                (p, trap) =>
+                p =>
                 {
-                    buildNested(p.Type, trap);
+                    buildNested(p.Type);
                     switch (p.RefKind)
                     {
                         case RefKind.Out:
-                            trap.Write(" out");
+                            trapFile.Write(" out");
                             break;
                         case RefKind.In:
-                            trap.Write(" in");
+                            trapFile.Write(" in");
                             break;
                         case RefKind.Ref:
-                            trap.Write(" ref");
+                            trapFile.Write(" ref");
                             break;
                     }
                 });
@@ -469,7 +469,7 @@ namespace Semmle.Extraction.CSharp
                 trapFile.Write(",");
             }
 
-            buildNested(funptr.Signature.ReturnType, trapFile);
+            buildNested(funptr.Signature.ReturnType);
 
             if (funptr.Signature.ReturnsByRef)
                 trapFile.Write(" ref");
@@ -481,7 +481,7 @@ namespace Semmle.Extraction.CSharp
 
         private static void BuildFunctionPointerTypeDisplayName(this IFunctionPointerTypeSymbol funptr, Context cx, TextWriter trapFile)
         {
-            BuildFunctionPointerSignature(funptr, trapFile, (s, tw) => s.BuildDisplayName(cx, tw));
+            BuildFunctionPointerSignature(funptr, trapFile, s => s.BuildDisplayName(cx, trapFile));
         }
 
         private static void BuildNamedTypeDisplayName(this INamedTypeSymbol namedType, Context cx, TextWriter trapFile, bool constructUnderlyingTupleType)
@@ -492,7 +492,7 @@ namespace Semmle.Extraction.CSharp
                 trapFile.BuildList(
                     ",",
                     namedType.TupleElements.Select(f => f.Type),
-                    (t, tb0) => t.BuildDisplayName(cx, tb0));
+                    t => t.BuildDisplayName(cx, trapFile));
                 trapFile.Write(")");
                 return;
             }
@@ -512,11 +512,11 @@ namespace Semmle.Extraction.CSharp
                 trapFile.BuildList(
                     ",",
                     namedType.TypeArguments,
-                    (p, tb0) =>
+                    p =>
                     {
                         if (IsReallyBound(namedType))
                         {
-                            p.BuildDisplayName(cx, tb0);
+                            p.BuildDisplayName(cx, trapFile);
                         }
                     });
                 trapFile.Write('>');
diff --git a/csharp/extractor/Semmle.Extraction/Context.cs b/csharp/extractor/Semmle.Extraction/Context.cs
index a60d82c6952..b08fb98fc55 100644
--- a/csharp/extractor/Semmle.Extraction/Context.cs
+++ b/csharp/extractor/Semmle.Extraction/Context.cs
@@ -108,7 +108,7 @@ namespace Semmle.Extraction
                     Populate(init as ISymbol, entity);
 
 #if DEBUG_LABELS
-                using var id = new StringWriter();
+                using var id = new EscapingTextWriter();
                 entity.WriteQuotedId(id);
                 CheckEntityHasUniqueLabel(id.ToString(), entity);
 #endif
diff --git a/csharp/extractor/Semmle.Extraction/Entities/Base/Entity.cs b/csharp/extractor/Semmle.Extraction/Entities/Base/Entity.cs
index 1d5081df2e5..c5d630bc7b1 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/Base/Entity.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/Base/Entity.cs
@@ -15,9 +15,14 @@ namespace Semmle.Extraction
 
         public Label Label { get; set; }
 
-        public abstract void WriteId(TextWriter trapFile);
+        public abstract void WriteId(EscapingTextWriter trapFile);
 
-        public abstract void WriteQuotedId(TextWriter trapFile);
+        public virtual void WriteQuotedId(EscapingTextWriter trapFile)
+        {
+            trapFile.WriteUnescaped("@\"");
+            WriteId(trapFile);
+            trapFile.WriteUnescaped('\"');
+        }
 
         public abstract Location? ReportingLocation { get; }
 
@@ -27,9 +32,10 @@ namespace Semmle.Extraction
         {
             trapFile.WriteLabel(this);
             trapFile.Write("=");
+            using var escaping = new EscapingTextWriter(trapFile);
             try
             {
-                WriteQuotedId(trapFile);
+                WriteQuotedId(escaping);
             }
             catch (Exception ex)  // lgtm[cs/catch-of-all-exceptions]
             {
@@ -51,7 +57,7 @@ namespace Semmle.Extraction
         /// </summary>
         public string GetDebugLabel()
         {
-            using var writer = new StringWriter();
+            using var writer = new EscapingTextWriter();
             writer.WriteLabel(Label.Value);
             writer.Write('=');
             WriteQuotedId(writer);
diff --git a/csharp/extractor/Semmle.Extraction/Entities/Base/IEntity.cs b/csharp/extractor/Semmle.Extraction/Entities/Base/IEntity.cs
index 5aadbeb9e4d..dcf8dcbc373 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/Base/IEntity.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/Base/IEntity.cs
@@ -29,14 +29,14 @@ namespace Semmle.Extraction
         /// Writes the unique identifier of this entitiy to a trap file.
         /// </summary>
         /// <param name="trapFile">The trapfile to write to.</param>
-        void WriteId(TextWriter trapFile);
+        void WriteId(EscapingTextWriter trapFile);
 
         /// <summary>
         /// Writes the quoted identifier of this entity,
         /// which could be @"..." or *
         /// </summary>
         /// <param name="trapFile">The trapfile to write to.</param>
-        void WriteQuotedId(TextWriter trapFile);
+        void WriteQuotedId(EscapingTextWriter trapFile);
 
         /// <summary>
         /// The location for reporting purposes.
diff --git a/csharp/extractor/Semmle.Extraction/Entities/Base/LabelledEntity.cs b/csharp/extractor/Semmle.Extraction/Entities/Base/LabelledEntity.cs
index 12a98ce2303..62d9cbd64be 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/Base/LabelledEntity.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/Base/LabelledEntity.cs
@@ -7,12 +7,5 @@ namespace Semmle.Extraction
         protected LabelledEntity(Context cx) : base(cx)
         {
         }
-
-        public override void WriteQuotedId(TextWriter trapFile)
-        {
-            trapFile.Write("@\"");
-            WriteId(trapFile);
-            trapFile.Write('\"');
-        }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction/Entities/Base/UnlabelledEntity.cs b/csharp/extractor/Semmle.Extraction/Entities/Base/UnlabelledEntity.cs
index 6b6a22eb4b5..506a84bf7ad 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/Base/UnlabelledEntity.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/Base/UnlabelledEntity.cs
@@ -9,14 +9,14 @@ namespace Semmle.Extraction
             cx.AddFreshLabel(this);
         }
 
-        public sealed override void WriteId(TextWriter writer)
+        public sealed override void WriteId(EscapingTextWriter writer)
         {
             writer.Write('*');
         }
 
-        public sealed override void WriteQuotedId(TextWriter writer)
+        public sealed override void WriteQuotedId(EscapingTextWriter writer)
         {
-            WriteId(writer);
+            writer.Write('*');
         }
     }
 }
diff --git a/csharp/extractor/Semmle.Extraction/Entities/File.cs b/csharp/extractor/Semmle.Extraction/Entities/File.cs
index ed8881f0d2f..11d37c99636 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/File.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/File.cs
@@ -17,7 +17,7 @@ namespace Semmle.Extraction.Entities
 
         public override bool NeedsPopulation => true;
 
-        public override void WriteId(System.IO.TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.Write(TransformedPath.DatabaseId);
             trapFile.Write(";sourcefile");
diff --git a/csharp/extractor/Semmle.Extraction/Entities/Folder.cs b/csharp/extractor/Semmle.Extraction/Entities/Folder.cs
index 82364c987e7..07e8c805e7f 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/Folder.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/Folder.cs
@@ -15,7 +15,7 @@ namespace Semmle.Extraction.Entities
 
         public override bool NeedsPopulation => true;
 
-        public override void WriteId(System.IO.TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.Write(Symbol.DatabaseId);
             trapFile.Write(";folder");
diff --git a/csharp/extractor/Semmle.Extraction/Entities/GeneratedFile.cs b/csharp/extractor/Semmle.Extraction/Entities/GeneratedFile.cs
index db458e574a5..7c0e5df7be9 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/GeneratedFile.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/GeneratedFile.cs
@@ -13,7 +13,7 @@ namespace Semmle.Extraction.Entities
             trapFile.files(this, "", "", "");
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.Write("GENERATED;sourcefile");
         }
diff --git a/csharp/extractor/Semmle.Extraction/Entities/GeneratedLocation.cs b/csharp/extractor/Semmle.Extraction/Entities/GeneratedLocation.cs
index 331e70262dc..db552f7e452 100644
--- a/csharp/extractor/Semmle.Extraction/Entities/GeneratedLocation.cs
+++ b/csharp/extractor/Semmle.Extraction/Entities/GeneratedLocation.cs
@@ -17,7 +17,7 @@ namespace Semmle.Extraction.Entities
             trapFile.locations_default(this, generatedFile, 0, 0, 0, 0);
         }
 
-        public override void WriteId(TextWriter trapFile)
+        public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.Write("loc,");
             trapFile.WriteSubId(generatedFile);
diff --git a/csharp/extractor/Semmle.Extraction/EscapingTextWriter.cs b/csharp/extractor/Semmle.Extraction/EscapingTextWriter.cs
new file mode 100644
index 00000000000..5f6805de658
--- /dev/null
+++ b/csharp/extractor/Semmle.Extraction/EscapingTextWriter.cs
@@ -0,0 +1,340 @@
+using System;
+using System.IO;
+using System.Text;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace Semmle.Extraction
+{
+    /// <summary>
+    /// A `TextWriter` object that wraps another `TextWriter` object, and which
+    /// HTML escapes the characters `&`, `{`, `}`, `"`, `@`, and `#`, before
+    /// writing to the underlying object.
+    /// </summary>
+    public class EscapingTextWriter : TextWriter
+    {
+        private readonly TextWriter wrapped;
+        private readonly bool disposeUnderlying;
+
+        public EscapingTextWriter(TextWriter wrapped, bool disposeUnderlying = false)
+        {
+            this.wrapped = wrapped;
+            this.disposeUnderlying = disposeUnderlying;
+        }
+
+        /// <summary>
+        /// Creates a new instance with a new underlying `StringWriter` object. The
+        /// underlying object is disposed of when this object is.
+        /// </summary>
+        public EscapingTextWriter() : this(new StringWriter(), true) { }
+
+        public EscapingTextWriter(IFormatProvider? formatProvider) : base(formatProvider)
+            => throw new NotImplementedException();
+
+        private void WriteEscaped(char c)
+        {
+            switch (c)
+            {
+                case '&':
+                    wrapped.Write("&amp;");
+                    break;
+                case '{':
+                    wrapped.Write("&lbrace;");
+                    break;
+                case '}':
+                    wrapped.Write("&rbrace;");
+                    break;
+                case '"':
+                    wrapped.Write("&quot;");
+                    break;
+                case '@':
+                    wrapped.Write("&commat;");
+                    break;
+                case '#':
+                    wrapped.Write("&num;");
+                    break;
+                default:
+                    wrapped.Write(c);
+                    break;
+            };
+        }
+
+        public void WriteSubId(IEntity entity)
+        {
+            if (entity is null)
+            {
+                wrapped.Write("<null>");
+                return;
+            }
+
+            WriteUnescaped('{');
+            wrapped.WriteLabel(entity);
+            WriteUnescaped('}');
+        }
+
+        public void WriteUnescaped(char c)
+            => wrapped.Write(c);
+
+        public void WriteUnescaped(string s)
+            => wrapped.Write(s);
+
+        #region overrides
+
+        public override Encoding Encoding => wrapped.Encoding;
+
+        public override IFormatProvider FormatProvider => wrapped.FormatProvider;
+
+        public override string NewLine { get => wrapped.NewLine; }
+
+        public override void Close()
+            => throw new NotImplementedException();
+
+        public override ValueTask DisposeAsync()
+            => throw new NotImplementedException();
+
+        public override bool Equals(object? obj)
+            => wrapped.Equals(obj);
+
+        public override void Flush()
+            => wrapped.Flush();
+
+        public override Task FlushAsync()
+            => wrapped.FlushAsync();
+
+        public override int GetHashCode()
+            => wrapped.GetHashCode();
+
+        public override string ToString()
+            => wrapped.ToString() ?? "";
+
+        public override void Write(bool value)
+            => wrapped.Write(value);
+
+        public override void Write(char value)
+            => WriteEscaped(value);
+
+        public override void Write(char[]? buffer)
+        {
+            if (buffer is null)
+                return;
+            Write(buffer, 0, buffer.Length);
+        }
+
+        public override void Write(char[] buffer, int index, int count)
+        {
+            for (var i = index; i < buffer.Length && i < index + count; i++)
+            {
+                WriteEscaped(buffer[i]);
+            }
+        }
+
+
+        public override void Write(decimal value)
+            => wrapped.Write(value);
+
+        public override void Write(double value)
+            => wrapped.Write(value);
+
+        public override void Write(int value)
+            => wrapped.Write(value);
+
+        public override void Write(long value)
+            => wrapped.Write(value);
+
+        public override void Write(object? value)
+            => Write(value?.ToString());
+
+        public override void Write(ReadOnlySpan<char> buffer)
+        {
+            foreach (var c in buffer)
+            {
+                WriteEscaped(c);
+            }
+        }
+
+        public override void Write(float value)
+            => wrapped.Write(value);
+
+        public override void Write(string? value)
+        {
+            if (value is null)
+            {
+                wrapped.Write(value);
+            }
+            else
+            {
+                foreach (var c in value)
+                {
+                    WriteEscaped(c);
+                }
+            }
+        }
+
+        public override void Write(string format, object? arg0)
+            => Write(string.Format(format, arg0));
+
+        public override void Write(string format, object? arg0, object? arg1)
+            => Write(string.Format(format, arg0, arg1));
+
+        public override void Write(string format, object? arg0, object? arg1, object? arg2)
+            => Write(string.Format(format, arg0, arg1, arg2));
+
+        public override void Write(string format, params object?[] arg)
+            => Write(string.Format(format, arg));
+
+        public override void Write(StringBuilder? value)
+        {
+            if (value is null)
+            {
+                wrapped.Write(value);
+            }
+            else
+            {
+                for (var i = 0; i < value.Length; i++)
+                {
+                    WriteEscaped(value[i]);
+                }
+            }
+        }
+
+        public override void Write(uint value)
+            => wrapped.Write(value);
+
+        public override void Write(ulong value)
+            => wrapped.Write(value);
+
+        public override Task WriteAsync(char value)
+            => throw new NotImplementedException();
+
+        public override Task WriteAsync(char[] buffer, int index, int count)
+            => throw new NotImplementedException();
+
+        public override Task WriteAsync(ReadOnlyMemory<char> buffer, CancellationToken cancellationToken = default)
+            => throw new NotImplementedException();
+
+        public override Task WriteAsync(string? value)
+            => throw new NotImplementedException();
+
+        public override Task WriteAsync(StringBuilder? value, CancellationToken cancellationToken = default)
+            => throw new NotImplementedException();
+
+        public override void WriteLine()
+            => wrapped.WriteLine();
+
+        public override void WriteLine(bool value)
+            => wrapped.WriteLine(value);
+
+        public override void WriteLine(char value)
+        {
+            Write(value);
+            WriteLine();
+        }
+
+        public override void WriteLine(char[]? buffer)
+        {
+            Write(buffer);
+            WriteLine();
+        }
+
+        public override void WriteLine(char[] buffer, int index, int count)
+        {
+            Write(buffer, index, count);
+            WriteLine();
+        }
+
+        public override void WriteLine(decimal value)
+            => wrapped.WriteLine(value);
+
+        public override void WriteLine(double value)
+            => wrapped.WriteLine(value);
+
+        public override void WriteLine(int value)
+            => wrapped.WriteLine(value);
+
+        public override void WriteLine(long value)
+            => wrapped.WriteLine(value);
+
+        public override void WriteLine(object? value)
+        {
+            Write(value);
+            WriteLine();
+        }
+
+        public override void WriteLine(ReadOnlySpan<char> buffer)
+        {
+            Write(buffer);
+            WriteLine();
+        }
+
+        public override void WriteLine(float value)
+            => wrapped.WriteLine(value);
+
+        public override void WriteLine(string? value)
+        {
+            Write(value);
+            WriteLine();
+        }
+
+        public override void WriteLine(string format, object? arg0)
+        {
+            Write(format, arg0);
+            WriteLine();
+        }
+
+        public override void WriteLine(string format, object? arg0, object? arg1)
+        {
+            Write(format, arg0, arg1);
+            WriteLine();
+        }
+
+        public override void WriteLine(string format, object? arg0, object? arg1, object? arg2)
+        {
+            Write(format, arg0, arg1, arg2);
+            WriteLine();
+        }
+
+        public override void WriteLine(string format, params object?[] arg)
+        {
+            Write(format, arg);
+            WriteLine();
+        }
+
+        public override void WriteLine(StringBuilder? value)
+        {
+            Write(value);
+            WriteLine();
+        }
+
+        public override void WriteLine(uint value)
+            => wrapped.WriteLine(value);
+
+        public override void WriteLine(ulong value)
+            => wrapped.WriteLine(value);
+
+        public override Task WriteLineAsync()
+            => throw new NotImplementedException();
+
+        public override Task WriteLineAsync(char value)
+            => throw new NotImplementedException();
+
+        public override Task WriteLineAsync(char[] buffer, int index, int count)
+            => throw new NotImplementedException();
+
+        public override Task WriteLineAsync(ReadOnlyMemory<char> buffer, CancellationToken cancellationToken = default)
+            => throw new NotImplementedException();
+
+        public override Task WriteLineAsync(string? value)
+            => throw new NotImplementedException();
+
+        public override Task WriteLineAsync(StringBuilder? value, CancellationToken cancellationToken = default)
+            => throw new NotImplementedException();
+
+        protected override void Dispose(bool disposing)
+        {
+            if (disposing && disposeUnderlying)
+                wrapped.Dispose();
+        }
+
+        #endregion overrides
+    }
+}
diff --git a/csharp/extractor/Semmle.Extraction/TrapExtensions.cs b/csharp/extractor/Semmle.Extraction/TrapExtensions.cs
index 11111467147..e7d3fcec6b5 100644
--- a/csharp/extractor/Semmle.Extraction/TrapExtensions.cs
+++ b/csharp/extractor/Semmle.Extraction/TrapExtensions.cs
@@ -17,19 +17,6 @@ namespace Semmle.Extraction
             trapFile.WriteLabel(entity.Label.Value);
         }
 
-        public static void WriteSubId(this TextWriter trapFile, IEntity entity)
-        {
-            if (entity is null)
-            {
-                trapFile.Write("<null>");
-                return;
-            }
-
-            trapFile.Write('{');
-            trapFile.WriteLabel(entity);
-            trapFile.Write('}');
-        }
-
         public static void WriteSeparator(this TextWriter trapFile, string separator, ref int index)
         {
             if (index++ > 0)
@@ -231,9 +218,9 @@ namespace Semmle.Extraction
         /// <param name="separator">The separator string (e.g. ",")</param>
         /// <param name="items">The list of items.</param>
         /// <returns>The original trap builder (fluent interface).</returns>
-        public static TextWriter AppendList<T>(this TextWriter trapFile, string separator, IEnumerable<T> items) where T : IEntity
+        public static TextWriter AppendList<T>(this EscapingTextWriter trapFile, string separator, IEnumerable<T> items) where T : IEntity
         {
-            return trapFile.BuildList(separator, items, (x, tb0) => { tb0.WriteSubId(x); });
+            return trapFile.BuildList(separator, items, x => trapFile.WriteSubId(x));
         }
 
         /// <summary>
@@ -245,7 +232,8 @@ namespace Semmle.Extraction
         /// <param name="items">The list of items.</param>
         /// <param name="action">The action on each item.</param>
         /// <returns>The original trap builder (fluent interface).</returns>
-        public static TextWriter BuildList<T>(this TextWriter trapFile, string separator, IEnumerable<T> items, Action<T, TextWriter> action)
+        public static T1 BuildList<T1, T2>(this T1 trapFile, string separator, IEnumerable<T2> items, Action<T2> action)
+            where T1 : TextWriter
         {
             var first = true;
             foreach (var item in items)
@@ -254,7 +242,7 @@ namespace Semmle.Extraction
                     first = false;
                 else
                     trapFile.Write(separator);
-                action(item, trapFile);
+                action(item);
             }
             return trapFile;
         }
diff --git a/csharp/ql/test/library-tests/regressions/{}.cs b/csharp/ql/test/library-tests/regressions/{}.cs
new file mode 100644
index 00000000000..266f8ccf4b1
--- /dev/null
+++ b/csharp/ql/test/library-tests/regressions/{}.cs
@@ -0,0 +1 @@
+class CheckFileNameEscaping { }
\ No newline at end of file

From 2d1ba59e6d8ccc2bf77e84db9220a7bbb1634dd1 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 6 May 2021 21:55:30 +0200
Subject: [PATCH 0920/1429] Apply suggestions from code review

Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
---
 .../ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp      | 4 ++--
 javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql  | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp b/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp
index 12e030150b6..76a7e65fd3f 100644
--- a/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp
+++ b/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp
@@ -4,7 +4,7 @@
 <qhelp>
 <overview>
 	<p>
-		Dynamically constructing HTML with inputs from exported functions may 
+		Dynamically constructing HTML with inputs from library functions may 
 		inadvertently leave a client open to XSS attacks.
 		
 		Clients using the exported function may use inputs containing unsafe HTML,
@@ -28,7 +28,7 @@
 <example>
 
 	<p>
-		The following example shows a library function that shows a boldface name
+		The following example has a library function that renders a boldface name
 		by writing to the <code>innerHTML</code> property of an element.
 	</p>
 
diff --git a/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql b/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql
index 464f4951307..d6199af4598 100644
--- a/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql
+++ b/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql
@@ -1,7 +1,7 @@
 /**
  * @name Unsafe HTML constructed from library input
  * @description Using externally controlled strings to construct HTML might allow a malicious
- *              user to perform an cross-site scripting attack.
+ *              user to perform a cross-site scripting attack.
  * @kind path-problem
  * @problem.severity error
  * @precision high

From be69c3a458385525bc893d0dfb8fbf82e9dd05d1 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 6 May 2021 21:59:35 +0200
Subject: [PATCH 0921/1429] Apply suggestions from code review

Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
---
 .../dataflow/UnsafeHtmlConstructionCustomizations.qll        | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
index a99b5e7986d..99e72970642 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -38,7 +38,7 @@ module UnsafeHtmlConstruction {
 
   /**
    * A sink for unsafe HTML constructed from library input.
-   * This sink somehow transforms its input into a value that can cause XSS if it ends up in a XSS sink.
+   * This sink transforms its input into a value that can cause XSS if it ends up in a XSS sink.
    */
   abstract class Sink extends DataFlow::Node {
     /**
@@ -165,6 +165,7 @@ module UnsafeHtmlConstruction {
     MarkdownSink() {
       exists(DataFlow::Node pred, DataFlow::Node succ, Markdown::MarkdownStep step |
         step.step(pred, succ) and
+        step.preservesHtml() and
         this = pred and
         succ = isUsedInXssSink(xssSink)
       )
@@ -176,7 +177,7 @@ module UnsafeHtmlConstruction {
   /**
    *  Holds if there is a path without unmatched return steps from `source` to `sink`.
    */
-  predicate requireMatchedReturn(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
+  predicate hasPathWithoutUnmatchedReturn(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
     exists(DataFlow::MidPathNode mid |
       source.getASuccessor*() = mid and
       sink = mid.getASuccessor() and

From b53759c5a059b40cc6865371fd46f0d848e6a737 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 6 May 2021 22:49:25 +0200
Subject: [PATCH 0922/1429] corrections after code review

---
 .../ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp    | 4 ++--
 javascript/ql/src/semmle/javascript/frameworks/Markdown.qll | 5 +++++
 .../javascript/security/dataflow/UnsafeHtmlConstruction.qll | 2 +-
 .../dataflow/UnsafeHtmlConstructionCustomizations.qll       | 6 ++++--
 4 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp b/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp
index 76a7e65fd3f..619b55e4920 100644
--- a/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp
+++ b/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp
@@ -4,8 +4,8 @@
 <qhelp>
 <overview>
 	<p>
-		Dynamically constructing HTML with inputs from library functions may 
-		inadvertently leave a client open to XSS attacks.
+		Dynamically constructing HTML with inputs from library functions that are 
+		available to external clients may inadvertently leave a client open to XSS attacks.
 		
 		Clients using the exported function may use inputs containing unsafe HTML,
 		and if these inputs end up in the DOM, the client may be vulnerable to
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
index c98243e4fbb..1a6c9d7a8c2 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
@@ -17,6 +17,11 @@ module Markdown {
      * Holds if there is a taint-step from `pred` to `succ` for a taint-preserving markdown parser.
      */
     abstract predicate step(DataFlow::Node pred, DataFlow::Node succ);
+
+    /**
+     * Holds if the taint-step preserves HTML.
+     */
+    predicate preservesHTML() { any() }
   }
 
   private class MarkdownStepAsTaintStep extends TaintTracking::SharedTaintStep {
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
index 699d9d3e510..53debb48ff6 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
@@ -38,7 +38,7 @@ module UnsafeHtmlConstruction {
     // override to require that there is a path without unmatched return steps
     override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
       super.hasFlowPath(source, sink) and
-      requireMatchedReturn(source, sink)
+      hasPathWithoutUnmatchedReturn(source, sink)
     }
 
     override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
index 99e72970642..8546041ef06 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -165,7 +165,7 @@ module UnsafeHtmlConstruction {
     MarkdownSink() {
       exists(DataFlow::Node pred, DataFlow::Node succ, Markdown::MarkdownStep step |
         step.step(pred, succ) and
-        step.preservesHtml() and
+        step.preservesHTML() and
         this = pred and
         succ = isUsedInXssSink(xssSink)
       )
@@ -177,7 +177,9 @@ module UnsafeHtmlConstruction {
   /**
    *  Holds if there is a path without unmatched return steps from `source` to `sink`.
    */
-  predicate hasPathWithoutUnmatchedReturn(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
+  predicate hasPathWithoutUnmatchedReturn(
+    DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink
+  ) {
     exists(DataFlow::MidPathNode mid |
       source.getASuccessor*() = mid and
       sink = mid.getASuccessor() and

From 9ac55aff0e17be8796a89a471e58103e9a00f7cb Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Thu, 6 May 2021 17:43:28 -0700
Subject: [PATCH 0923/1429] C++: One more join order fix

---
 .../src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
index f5fb7309cff..a7da1ad16d8 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -656,7 +656,7 @@ private predicate simpleOperandLocalFlowStep(Instruction iFrom, Operand opTo) {
   exists(LoadInstruction load |
     load.getSourceValueOperand() = opTo and
     opTo.getAnyDef() = iFrom and
-    isSingleFieldClass(iFrom.getResultType(), opTo)
+    isSingleFieldClass(pragma[only_bind_out](pragma[only_bind_out](iFrom).getResultType()), opTo)
   )
 }
 

From b69be30b8832092c90e27124dfb3343d60ffa64d Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Fri, 7 May 2021 11:07:06 +0200
Subject: [PATCH 0924/1429] Fix imports as suggested in code review

---
 java/ql/src/Security/CWE/CWE-643/XPathInjection.ql     | 2 +-
 java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql b/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
index 1949093e8ea..7e23aa7cb77 100644
--- a/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
@@ -11,10 +11,10 @@
  */
 
 import java
-import DataFlow::PathGraph
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.XPath
+import DataFlow::PathGraph
 
 class XPathInjectionConfiguration extends TaintTracking::Configuration {
   XPathInjectionConfiguration() { this = "XPathInjection" }
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 7073c57ff9c..df529b49efb 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -80,6 +80,7 @@ private module Frameworks {
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.XSS
   private import semmle.code.java.security.LdapInjection
+  private import semmle.code.java.security.XPath
 }
 
 private predicate sourceModelCsv(string row) {

From 2a501956b3f5bbba0fb609fe04cf7f0fcd815508 Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Fri, 7 May 2021 11:17:51 +0200
Subject: [PATCH 0925/1429] Mark a MISSING test result as suggested in code
 review

---
 .../test/query-tests/security/CWE-643/XPathInjectionTest.java   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java
index 88aeca73b78..5631f3a4ae9 100644
--- a/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java
+++ b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java
@@ -133,7 +133,7 @@ public class XPathInjectionTest {
 
         new DefaultXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
         new XPathPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-        new XPathPattern(new PatternStub(user)); // Jaxen is not modeled yet
+        new XPathPattern(new PatternStub(user)); // $ MISSING: hasXPathInjection // Jaxen is not modeled yet
 
         DocumentFactory docFactory = DocumentFactory.getInstance();
         docFactory.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection

From 08fa611700b36174985cdcf4e5b2f3326e5ff472 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 7 May 2021 11:18:50 +0200
Subject: [PATCH 0926/1429] C++: Avoid calling SwitchCase.getAStmt for
 performance reasons. This turns out to not be needed as the statements inside
 the switch case will get picked up by the BlockStmt.getAStmt case already.

---
 .../Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql    | 2 --
 1 file changed, 2 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
index 97ff9e06d64..716e8927480 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -98,8 +98,6 @@ predicate stmtMayThrow(Stmt stmt) {
     stmtMayThrow(switchStmt.getStmt())
   )
   or
-  stmtMayThrow(stmt.(SwitchCase).getAStmt())
-  or
   // NOTE: We don't include `TryStmt` as those exceptions are not "observable" outside the function.
   stmtMayThrow(stmt.(Handler).getBlock())
   or

From ca895608494b07ab142034c75d9a6be305a3a4fd Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Fri, 7 May 2021 11:42:53 +0200
Subject: [PATCH 0927/1429] C#: Remove unnecessary `!`

---
 .../Semmle.Extraction.CIL/Entities/Base/LabelledEntity.cs       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/LabelledEntity.cs b/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/LabelledEntity.cs
index b7e946979fd..780ced94916 100644
--- a/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/LabelledEntity.cs
+++ b/csharp/extractor/Semmle.Extraction.CIL/Entities/Base/LabelledEntity.cs
@@ -27,7 +27,7 @@ namespace Semmle.Extraction.CIL
         {
             using var writer = new EscapingTextWriter();
             WriteQuotedId(writer);
-            return writer.ToString()!;
+            return writer.ToString();
         }
 
         public override TrapStackBehaviour TrapStackBehaviour => TrapStackBehaviour.NoLabel;

From 80d41d9fe5bf7c648e58eecacf25ba55f97085c7 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 7 May 2021 11:48:09 +0200
Subject: [PATCH 0928/1429] C++: Add false positive testcase involving
 assignments.

---
 .../semmle/tests/IncorrectAllocationErrorHandling.expected | 1 +
 .../query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
index 4720e02b381..51d9a10bc27 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
@@ -16,3 +16,4 @@
 | test.cpp:151:9:151:24 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:152:15:152:18 | { ... } | This catch block |
 | test.cpp:199:15:199:35 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:201:16:201:19 | { ... } | This catch block |
 | test.cpp:212:14:212:34 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:213:34:213:36 | { ... } | This catch block |
+| test.cpp:219:9:219:15 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:220:34:220:36 | { ... } | This catch block |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
index da990934515..90b8e87a13c 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
@@ -212,3 +212,10 @@ void bad_new_catch_baseclass_of_bad_alloc() {
     int* p = new(std::nothrow) int; // BAD
   } catch(const std::exception&) { }
 }
+
+void good_new_catch_exception_in_assignment() {
+  int* p;
+  try {
+    p = new int; // GOOD [FALSE POSITIVE]
+  } catch(const std::bad_alloc&) { }
+}
\ No newline at end of file

From 88e6cbaacda1bb8be882558206eb36ab63750664 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 7 May 2021 11:49:25 +0200
Subject: [PATCH 0929/1429] C++: Include Assignments in exprMayThrow and accept
 test changes.

---
 .../Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql  | 4 ++++
 .../semmle/tests/IncorrectAllocationErrorHandling.expected    | 1 -
 .../query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp    | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
index 716e8927480..a7bd82987be 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -127,6 +127,10 @@ predicate exprMayThrow(Expr e) {
     convertedExprMayThrow([binOp.getLeftOperand(), binOp.getRightOperand()])
   )
   or
+  exists(Assignment assign | assign = e |
+    convertedExprMayThrow([assign.getLValue(), assign.getRValue()])
+  )
+  or
   exists(CommaExpr comma | comma = e |
     convertedExprMayThrow([comma.getLeftOperand(), comma.getRightOperand()])
   )
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
index 51d9a10bc27..4720e02b381 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
@@ -16,4 +16,3 @@
 | test.cpp:151:9:151:24 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:152:15:152:18 | { ... } | This catch block |
 | test.cpp:199:15:199:35 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:201:16:201:19 | { ... } | This catch block |
 | test.cpp:212:14:212:34 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:213:34:213:36 | { ... } | This catch block |
-| test.cpp:219:9:219:15 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:220:34:220:36 | { ... } | This catch block |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
index 90b8e87a13c..285069f4cb3 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
@@ -216,6 +216,6 @@ void bad_new_catch_baseclass_of_bad_alloc() {
 void good_new_catch_exception_in_assignment() {
   int* p;
   try {
-    p = new int; // GOOD [FALSE POSITIVE]
+    p = new int; // GOOD
   } catch(const std::bad_alloc&) { }
 }
\ No newline at end of file

From 7adb7b67f21d1e90cf343ea6dbf9c3775b66802f Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 7 May 2021 12:19:19 +0200
Subject: [PATCH 0930/1429] C++: Add false positive testcase involving
 conversions.

---
 .../semmle/tests/IncorrectAllocationErrorHandling.expected  | 1 +
 .../query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp  | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
index 4720e02b381..895eeaf1665 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
@@ -16,3 +16,4 @@
 | test.cpp:151:9:151:24 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:152:15:152:18 | { ... } | This catch block |
 | test.cpp:199:15:199:35 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:201:16:201:19 | { ... } | This catch block |
 | test.cpp:212:14:212:34 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:213:34:213:36 | { ... } | This catch block |
+| test.cpp:225:23:225:29 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:226:34:226:36 | { ... } | This catch block |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
index 285069f4cb3..db73bbb8b55 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
@@ -218,4 +218,10 @@ void good_new_catch_exception_in_assignment() {
   try {
     p = new int; // GOOD
   } catch(const std::bad_alloc&) { }
+}
+
+void good_new_catch_exception_in_conversion() {
+  try {
+    long* p = (long*) new int; // GOOD [FALSE POSITIVE]
+  } catch(const std::bad_alloc&) { }
 }
\ No newline at end of file

From 90e8368258ea513208802fd5cf19a8a2ee496976 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 7 May 2021 12:31:43 +0200
Subject: [PATCH 0931/1429] C++: Properly handle conversions in
 convertedExprMayThrow. This recursive implementation idea is stolen from
 convertedExprMightOverflow in SimpleRangeAnalysis.

---
 .../CWE/CWE-570/IncorrectAllocationErrorHandling.ql         | 6 +++++-
 .../semmle/tests/IncorrectAllocationErrorHandling.expected  | 2 --
 .../query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp  | 4 ++--
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
index a7bd82987be..2f67b02e856 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -107,7 +107,11 @@ predicate stmtMayThrow(Stmt stmt) {
 }
 
 /** Holds if the evaluation of `e` (including conversions) may throw an exception. */
-predicate convertedExprMayThrow(Expr e) { exprMayThrow(e.getFullyConverted()) }
+predicate convertedExprMayThrow(Expr e) {
+  exprMayThrow(e)
+  or
+  convertedExprMayThrow(e.getConversion())
+}
 
 /** Holds if the evaluation of `e` may throw an exception. */
 predicate exprMayThrow(Expr e) {
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
index 895eeaf1665..d597dee46f7 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
@@ -14,6 +14,4 @@
 | test.cpp:93:15:93:41 | new[] | This allocation cannot throw. $@ is unnecessary. | test.cpp:97:36:98:3 | { ... } | This catch block |
 | test.cpp:96:10:96:36 | new[] | This allocation cannot throw. $@ is unnecessary. | test.cpp:97:36:98:3 | { ... } | This catch block |
 | test.cpp:151:9:151:24 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:152:15:152:18 | { ... } | This catch block |
-| test.cpp:199:15:199:35 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:201:16:201:19 | { ... } | This catch block |
 | test.cpp:212:14:212:34 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:213:34:213:36 | { ... } | This catch block |
-| test.cpp:225:23:225:29 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:226:34:226:36 | { ... } | This catch block |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
index db73bbb8b55..98755a5692e 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
@@ -196,7 +196,7 @@ void good_new_with_throwing_call() {
 
 void bad_new_with_nonthrowing_call() {
   try {
-    int* p1 = new(std::nothrow) int; // BAD
+    int* p1 = new(std::nothrow) int; // BAD [NOT DETECTED]
     calls_non_throwing(p1);
   } catch(...) {  }
 
@@ -222,6 +222,6 @@ void good_new_catch_exception_in_assignment() {
 
 void good_new_catch_exception_in_conversion() {
   try {
-    long* p = (long*) new int; // GOOD [FALSE POSITIVE]
+    long* p = (long*) new int; // GOOD
   } catch(const std::bad_alloc&) { }
 }
\ No newline at end of file

From b37b15cea40514fcf811621a094ecbec1f922c57 Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Fri, 7 May 2021 12:33:51 +0200
Subject: [PATCH 0932/1429] Re-structure imports, add some new comments to
 tests

---
 java/ql/src/Security/CWE/CWE-094/JexlInjection.ql      |  2 +-
 java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll |  1 +
 .../query-tests/security/CWE-094/SandboxedJexl3.java   | 10 +++++-----
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql b/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
index c97de906aec..c9827d3a123 100644
--- a/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
@@ -11,9 +11,9 @@
  */
 
 import java
-import DataFlow::PathGraph
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.JexlInjection
+import DataFlow::PathGraph
 
 /**
  * A taint-tracking configuration for unsafe user input
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 7073c57ff9c..2463777f620 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -80,6 +80,7 @@ private module Frameworks {
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.XSS
   private import semmle.code.java.security.LdapInjection
+  private import semmle.code.java.security.JexlInjection
 }
 
 private predicate sourceModelCsv(string row) {
diff --git a/java/ql/test/query-tests/security/CWE-094/SandboxedJexl3.java b/java/ql/test/query-tests/security/CWE-094/SandboxedJexl3.java
index 4c20ac0c901..1950564ecb1 100644
--- a/java/ql/test/query-tests/security/CWE-094/SandboxedJexl3.java
+++ b/java/ql/test/query-tests/security/CWE-094/SandboxedJexl3.java
@@ -15,17 +15,17 @@ public class SandboxedJexl3 {
         JexlSandbox sandbox = new JexlSandbox(false);
         sandbox.white(SandboxedJexl3.class.getCanonicalName());
         JexlEngine jexl = new JexlBuilder().sandbox(sandbox).create();
-        JexlExpression e = jexl.createExpression(jexlExpr);
+        JexlExpression e = jexl.createExpression(jexlExpr); // Safe
         JexlContext jc = new MapContext();
-        e.evaluate(jc);
+        e.evaluate(jc); // Safe
     }
 
     private static void runJexlExpressionWithUberspectSandbox(String jexlExpr) {
         JexlUberspect sandbox = new JexlUberspectSandbox();
         JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();
-        JexlExpression e = jexl.createExpression(jexlExpr);
+        JexlExpression e = jexl.createExpression(jexlExpr); // Safe
         JexlContext jc = new MapContext();
-        e.evaluate(jc);
+        e.evaluate(jc); // Safe
     }
 
     private static JexlBuilder STATIC_JEXL_BUILDER;
@@ -39,7 +39,7 @@ public class SandboxedJexl3 {
     private static void runJexlExpressionViaJxltEngineWithSandbox(String jexlExpr) {
         JexlEngine jexl = STATIC_JEXL_BUILDER.create();
         JxltEngine jxlt = jexl.createJxltEngine();
-        jxlt.createExpression(jexlExpr).evaluate(new MapContext());
+        jxlt.createExpression(jexlExpr).evaluate(new MapContext()); // Safe
     }
 
     private static class JexlUberspectSandbox implements JexlUberspect {

From fc7d9c2c09f9163247b7c5e69f463643d3a2d25b Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 7 May 2021 12:34:38 +0200
Subject: [PATCH 0933/1429] C++: Fix missing result by properly specifying that
 the function with unknown code actually didn't throw an exception.

---
 .../tests/IncorrectAllocationErrorHandling.expected    |  1 +
 .../Security/CWE/CWE-570/semmle/tests/test.cpp         | 10 +++++-----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
index d597dee46f7..4720e02b381 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
@@ -14,4 +14,5 @@
 | test.cpp:93:15:93:41 | new[] | This allocation cannot throw. $@ is unnecessary. | test.cpp:97:36:98:3 | { ... } | This catch block |
 | test.cpp:96:10:96:36 | new[] | This allocation cannot throw. $@ is unnecessary. | test.cpp:97:36:98:3 | { ... } | This catch block |
 | test.cpp:151:9:151:24 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:152:15:152:18 | { ... } | This catch block |
+| test.cpp:199:15:199:35 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:201:16:201:19 | { ... } | This catch block |
 | test.cpp:212:14:212:34 | new | This allocation cannot throw. $@ is unnecessary. | test.cpp:213:34:213:36 | { ... } | This catch block |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
index 98755a5692e..5b3425029e9 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
@@ -158,10 +158,10 @@ void good_placement_new_with_exception_handling() {
   catch (...) {  }
 }
 
-int rand();
+int unknown_value_without_exceptions() noexcept;
 
 void may_throw() {
-  if(rand()) {
+  if(unknown_value_without_exceptions()) {
     throw "bad luck exception!";
   }
 }
@@ -170,11 +170,11 @@ void unknown_code_that_may_throw(int*);
 void unknown_code_that_will_not_throw(int*) noexcept;
 
 void calls_throwing_code(int* p) {
-  if(rand()) unknown_code_that_may_throw(p);
+  if(unknown_value_without_exceptions()) unknown_code_that_may_throw(p);
 }
 
 void calls_non_throwing(int* p) {
-  if (rand()) unknown_code_that_will_not_throw(p);
+  if (unknown_value_without_exceptions()) unknown_code_that_will_not_throw(p);
 }
 
 void good_new_with_throwing_call() {
@@ -196,7 +196,7 @@ void good_new_with_throwing_call() {
 
 void bad_new_with_nonthrowing_call() {
   try {
-    int* p1 = new(std::nothrow) int; // BAD [NOT DETECTED]
+    int* p1 = new(std::nothrow) int; // BAD
     calls_non_throwing(p1);
   } catch(...) {  }
 

From 894f5d523c122890c9a00491e2e889cef6e0f18b Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 7 May 2021 16:19:48 +0100
Subject: [PATCH 0934/1429] Update
 cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql

Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
---
 .../CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index b002cd3631e..4a872f29fd2 100644
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -35,7 +35,7 @@ predicate isGuarded(SubExpr sub, Expr left, Expr right) {
  * `sub.getLeftOperand()`.
  */
 predicate exprIsSubLeftOrLess(SubExpr sub, DataFlow::Node n) {
-  n = DataFlow::exprNode(sub.getLeftOperand())
+  n.asExpr() = sub.getLeftOperand()
   or
   exists(DataFlow::Node other |
     // dataflow

From 5db6abe2f4979d03c9b92ed7e08756580ce7856d Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 7 May 2021 16:22:48 +0100
Subject: [PATCH 0935/1429] Update
 cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql

Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
---
 .../CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index 4a872f29fd2..d205824c9dd 100644
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -61,7 +61,7 @@ predicate exprIsSubLeftOrLess(SubExpr sub, DataFlow::Node n) {
   )
   or
   exists(DataFlow::Node other, float p, float q |
-    // linear access of `e`
+    // linear access of `n`
     exprIsSubLeftOrLess(sub, other) and
     linearAccess(other.asExpr(), n.asExpr(), p, q) and // other = p * e + q
     p >= 1 and

From fc96c1c400b09e6772e94ce4b23d98136d3f52e1 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 7 May 2021 16:26:23 +0100
Subject: [PATCH 0936/1429] Update
 cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql

Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
---
 .../CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index d205824c9dd..5448ae98dd4 100644
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -49,7 +49,7 @@ predicate exprIsSubLeftOrLess(SubExpr sub, DataFlow::Node n) {
   exists(DataFlow::Node other |
     // guard constraining `sub`
     exprIsSubLeftOrLess(sub, other) and
-    isGuarded(sub, other.asExpr(), n.asExpr()) // other >= e
+    isGuarded(sub, other.asExpr(), n.asExpr()) // other >= n
   )
   or
   exists(DataFlow::Node other, float p, float q |

From 91be483c57386846d22577dd1cc836f7eb81576d Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 7 May 2021 16:26:36 +0100
Subject: [PATCH 0937/1429] Update
 cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql

Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
---
 .../CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index 5448ae98dd4..daab33ff252 100644
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -55,7 +55,7 @@ predicate exprIsSubLeftOrLess(SubExpr sub, DataFlow::Node n) {
   exists(DataFlow::Node other, float p, float q |
     // linear access of `other`
     exprIsSubLeftOrLess(sub, other) and
-    linearAccess(n.asExpr(), other.asExpr(), p, q) and // e = p * other + q
+    linearAccess(n.asExpr(), other.asExpr(), p, q) and // n = p * other + q
     p <= 1 and
     q <= 0
   )

From 69468514f00240c7a07fa3c640614cef9f5c488c Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 7 May 2021 16:26:42 +0100
Subject: [PATCH 0938/1429] Update
 cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql

Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
---
 .../CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index daab33ff252..ff339af8b67 100644
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -63,7 +63,7 @@ predicate exprIsSubLeftOrLess(SubExpr sub, DataFlow::Node n) {
   exists(DataFlow::Node other, float p, float q |
     // linear access of `n`
     exprIsSubLeftOrLess(sub, other) and
-    linearAccess(other.asExpr(), n.asExpr(), p, q) and // other = p * e + q
+    linearAccess(other.asExpr(), n.asExpr(), p, q) and // other = p * n + q
     p >= 1 and
     q >= 0
   )

From c2b96b3a5e8e8b0c7ff0a0f352e8e014233b29cf Mon Sep 17 00:00:00 2001
From: Jorge <46056498+jorgectf@users.noreply.github.com>
Date: Fri, 7 May 2021 21:51:10 +0200
Subject: [PATCH 0939/1429] Add documentation to main classes' functions.

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
---
 python/ql/src/experimental/semmle/python/Concepts.qll | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index cb90a465a54..18fd0b992eb 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -41,6 +41,9 @@ class LDAPQuery extends DataFlow::Node {
 
   LDAPQuery() { this = range }
 
+  /**
+   * Gets the argument containing the executed expression.
+   */
   DataFlow::Node getLDAPNode() { result = range.getLDAPNode() }
 }
 
@@ -71,5 +74,8 @@ class LDAPEscape extends DataFlow::Node {
 
   LDAPEscape() { this = range }
 
+  /**
+   * Gets the argument containing the escaped expression.
+   */
   DataFlow::Node getEscapeNode() { result = range.getEscapeNode() }
 }

From 54b9f2175dfbf586fdaca3524d6f95ce6787d198 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Fri, 7 May 2021 16:02:54 -0400
Subject: [PATCH 0940/1429] C++: Allow annotating IR dumps with Alias Analysis
 info

This commit adds a `PrintAliasAnalysis.qll` module, which can be imported alongside `PrintIR.qll` to annotate those dumps with alias analysis results.
---
 config/identical-files.json                   |  4 ++
 .../aliased_ssa/internal/AliasAnalysis.qll    | 43 +++++++++++++++++++
 .../internal/PrintAliasAnalysis.qll           | 19 ++++++++
 .../unaliased_ssa/internal/AliasAnalysis.qll  | 43 +++++++++++++++++++
 .../internal/PrintAliasAnalysis.qll           | 19 ++++++++
 .../unaliased_ssa/internal/AliasAnalysis.qll  | 43 +++++++++++++++++++
 6 files changed, 171 insertions(+)
 create mode 100644 cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll
 create mode 100644 cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll

diff --git a/config/identical-files.json b/config/identical-files.json
index 3916e95a0cf..a17079e8ac0 100644
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -249,6 +249,10 @@
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
     "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
   ],
+  "SSA PrintAliasAnalysis": [
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll",
+    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll"
+  ],
   "C++ SSA AliasAnalysisImports": [
     "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
     "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
index e26d61b9792..216fa72bf0d 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
@@ -400,3 +400,46 @@ predicate addressOperandAllocationAndOffset(
     )
   )
 }
+
+/**
+ * Predicates used only for printing annotated IR dumps. These should not be used in production
+ * queries.
+ */
+module Print {
+  string getOperandProperty(Operand operand, string key) {
+    key = "alloc" and
+    result =
+      strictconcat(Configuration::Allocation allocation, IntValue bitOffset |
+        addressOperandAllocationAndOffset(operand, allocation, bitOffset)
+      |
+        allocation.toString() + Ints::getBitOffsetString(bitOffset), ", "
+      )
+    or
+    key = "prop" and
+    result =
+      strictconcat(Instruction destInstr, IntValue bitOffset, string value |
+        operandIsPropagatedIncludingByCall(operand, bitOffset, destInstr) and
+        if destInstr = operand.getUse()
+        then value = "@" + Ints::getBitOffsetString(bitOffset) + "->result"
+        else value = "@" + Ints::getBitOffsetString(bitOffset) + "->" + destInstr.getResultId()
+      |
+        value, ", "
+      )
+  }
+
+  string getInstructionProperty(Instruction instr, string key) {
+    key = "prop" and
+    result =
+      strictconcat(IntValue bitOffset, Operand sourceOperand, string value |
+        operandIsPropagatedIncludingByCall(sourceOperand, bitOffset, instr) and
+        if instr = sourceOperand.getUse()
+        then value = sourceOperand.getDumpId() + Ints::getBitOffsetString(bitOffset) + "->@"
+        else
+          value =
+            sourceOperand.getUse().getResultId() + "." + sourceOperand.getDumpId() +
+              Ints::getBitOffsetString(bitOffset) + "->@"
+      |
+        value, ", "
+      )
+  }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll
new file mode 100644
index 00000000000..262088245e8
--- /dev/null
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll
@@ -0,0 +1,19 @@
+/**
+ * Include this module to annotate IR dumps with information computed by `AliasAnalysis.qll`.
+ */
+
+private import AliasAnalysisInternal
+private import InputIR
+private import AliasAnalysisImports
+private import AliasAnalysis
+private import semmle.code.cpp.ir.internal.IntegerConstant
+
+private class AliasPropertyProvider extends IRPropertyProvider {
+  override string getOperandProperty(Operand operand, string key) {
+    result = Print::getOperandProperty(operand, key)
+  }
+
+  override string getInstructionProperty(Instruction instr, string key) {
+    result = Print::getInstructionProperty(instr, key)
+  }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index e26d61b9792..216fa72bf0d 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -400,3 +400,46 @@ predicate addressOperandAllocationAndOffset(
     )
   )
 }
+
+/**
+ * Predicates used only for printing annotated IR dumps. These should not be used in production
+ * queries.
+ */
+module Print {
+  string getOperandProperty(Operand operand, string key) {
+    key = "alloc" and
+    result =
+      strictconcat(Configuration::Allocation allocation, IntValue bitOffset |
+        addressOperandAllocationAndOffset(operand, allocation, bitOffset)
+      |
+        allocation.toString() + Ints::getBitOffsetString(bitOffset), ", "
+      )
+    or
+    key = "prop" and
+    result =
+      strictconcat(Instruction destInstr, IntValue bitOffset, string value |
+        operandIsPropagatedIncludingByCall(operand, bitOffset, destInstr) and
+        if destInstr = operand.getUse()
+        then value = "@" + Ints::getBitOffsetString(bitOffset) + "->result"
+        else value = "@" + Ints::getBitOffsetString(bitOffset) + "->" + destInstr.getResultId()
+      |
+        value, ", "
+      )
+  }
+
+  string getInstructionProperty(Instruction instr, string key) {
+    key = "prop" and
+    result =
+      strictconcat(IntValue bitOffset, Operand sourceOperand, string value |
+        operandIsPropagatedIncludingByCall(sourceOperand, bitOffset, instr) and
+        if instr = sourceOperand.getUse()
+        then value = sourceOperand.getDumpId() + Ints::getBitOffsetString(bitOffset) + "->@"
+        else
+          value =
+            sourceOperand.getUse().getResultId() + "." + sourceOperand.getDumpId() +
+              Ints::getBitOffsetString(bitOffset) + "->@"
+      |
+        value, ", "
+      )
+  }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll
new file mode 100644
index 00000000000..262088245e8
--- /dev/null
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll
@@ -0,0 +1,19 @@
+/**
+ * Include this module to annotate IR dumps with information computed by `AliasAnalysis.qll`.
+ */
+
+private import AliasAnalysisInternal
+private import InputIR
+private import AliasAnalysisImports
+private import AliasAnalysis
+private import semmle.code.cpp.ir.internal.IntegerConstant
+
+private class AliasPropertyProvider extends IRPropertyProvider {
+  override string getOperandProperty(Operand operand, string key) {
+    result = Print::getOperandProperty(operand, key)
+  }
+
+  override string getInstructionProperty(Instruction instr, string key) {
+    result = Print::getInstructionProperty(instr, key)
+  }
+}
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index e26d61b9792..216fa72bf0d 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -400,3 +400,46 @@ predicate addressOperandAllocationAndOffset(
     )
   )
 }
+
+/**
+ * Predicates used only for printing annotated IR dumps. These should not be used in production
+ * queries.
+ */
+module Print {
+  string getOperandProperty(Operand operand, string key) {
+    key = "alloc" and
+    result =
+      strictconcat(Configuration::Allocation allocation, IntValue bitOffset |
+        addressOperandAllocationAndOffset(operand, allocation, bitOffset)
+      |
+        allocation.toString() + Ints::getBitOffsetString(bitOffset), ", "
+      )
+    or
+    key = "prop" and
+    result =
+      strictconcat(Instruction destInstr, IntValue bitOffset, string value |
+        operandIsPropagatedIncludingByCall(operand, bitOffset, destInstr) and
+        if destInstr = operand.getUse()
+        then value = "@" + Ints::getBitOffsetString(bitOffset) + "->result"
+        else value = "@" + Ints::getBitOffsetString(bitOffset) + "->" + destInstr.getResultId()
+      |
+        value, ", "
+      )
+  }
+
+  string getInstructionProperty(Instruction instr, string key) {
+    key = "prop" and
+    result =
+      strictconcat(IntValue bitOffset, Operand sourceOperand, string value |
+        operandIsPropagatedIncludingByCall(sourceOperand, bitOffset, instr) and
+        if instr = sourceOperand.getUse()
+        then value = sourceOperand.getDumpId() + Ints::getBitOffsetString(bitOffset) + "->@"
+        else
+          value =
+            sourceOperand.getUse().getResultId() + "." + sourceOperand.getDumpId() +
+              Ints::getBitOffsetString(bitOffset) + "->@"
+      |
+        value, ", "
+      )
+  }
+}

From 653ef9d257a4ded2701bc2da2548359ae0141ff5 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Fri, 7 May 2021 16:04:01 -0400
Subject: [PATCH 0941/1429] C++: Improve consistency failure message for
 multiple `MemoryLocation`s on a memory access.

---
 .../implementation/aliased_ssa/internal/SSAConstruction.qll  | 5 ++++-
 .../unaliased_ssa/internal/SSAConstruction.qll               | 5 ++++-
 .../unaliased_ssa/internal/SSAConstruction.qll               | 5 ++++-
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
index 340f524fce8..39b3a7fbf5c 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll
@@ -934,7 +934,10 @@ module SSAConsistency {
       locationCount > 1 and
       func = operand.getEnclosingIRFunction() and
       funcText = Language::getIdentityString(func.getFunction()) and
-      message = "Operand has " + locationCount.toString() + " memory accesses in function '$@'."
+      message =
+        operand.getUse().toString() + " " + "Operand has " + locationCount.toString() +
+          " memory accesses in function '$@': " +
+          strictconcat(Alias::getOperandMemoryLocation(operand).toString(), ", ")
     )
   }
 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
index 340f524fce8..39b3a7fbf5c 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -934,7 +934,10 @@ module SSAConsistency {
       locationCount > 1 and
       func = operand.getEnclosingIRFunction() and
       funcText = Language::getIdentityString(func.getFunction()) and
-      message = "Operand has " + locationCount.toString() + " memory accesses in function '$@'."
+      message =
+        operand.getUse().toString() + " " + "Operand has " + locationCount.toString() +
+          " memory accesses in function '$@': " +
+          strictconcat(Alias::getOperandMemoryLocation(operand).toString(), ", ")
     )
   }
 
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
index 340f524fce8..39b3a7fbf5c 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
@@ -934,7 +934,10 @@ module SSAConsistency {
       locationCount > 1 and
       func = operand.getEnclosingIRFunction() and
       funcText = Language::getIdentityString(func.getFunction()) and
-      message = "Operand has " + locationCount.toString() + " memory accesses in function '$@'."
+      message =
+        operand.getUse().toString() + " " + "Operand has " + locationCount.toString() +
+          " memory accesses in function '$@': " +
+          strictconcat(Alias::getOperandMemoryLocation(operand).toString(), ", ")
     )
   }
 

From 34b8af30acd8d28b5f5980169ed0d0d4ec826455 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Fri, 7 May 2021 22:09:57 +0200
Subject: [PATCH 0942/1429] Move structure to LDAP.qll

---
 .../semmle/python/frameworks/LDAP.qll         | 153 ++++++++++++++++++
 .../semmle/python/frameworks/Stdlib.qll       | 143 ----------------
 2 files changed, 153 insertions(+), 143 deletions(-)
 create mode 100644 python/ql/src/experimental/semmle/python/frameworks/LDAP.qll

diff --git a/python/ql/src/experimental/semmle/python/frameworks/LDAP.qll b/python/ql/src/experimental/semmle/python/frameworks/LDAP.qll
new file mode 100644
index 00000000000..2153f070457
--- /dev/null
+++ b/python/ql/src/experimental/semmle/python/frameworks/LDAP.qll
@@ -0,0 +1,153 @@
+/**
+ * Provides classes modeling security-relevant aspects of the LDAP libraries.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import experimental.semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/**
+ * Provides models for Python's ldap-related libraries.
+ */
+private module LDAP {
+  /**
+   * Provides models for Python's `ldap` library.
+   *
+   * See https://www.python-ldap.org/en/python-ldap-3.3.0/index.html
+   */
+  private module LDAP2 {
+    /**
+     * List of `ldap` methods used to execute a query.
+     *
+     * See https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#functions
+     */
+    private class LDAP2QueryMethods extends string {
+      LDAP2QueryMethods() {
+        this in ["search", "search_s", "search_st", "search_ext", "search_ext_s"]
+      }
+    }
+
+    /**
+     * A class to find `ldap` methods executing a query.
+     *
+     * See `LDAP2QueryMethods`
+     */
+    private class LDAP2Query extends DataFlow::CallCfgNode, LDAPQuery::Range {
+      DataFlow::Node ldapNode;
+
+      LDAP2Query() {
+        exists(DataFlow::AttrRead searchMethod |
+          this.getFunction() = searchMethod and
+          API::moduleImport("ldap").getMember("initialize").getACall() =
+            searchMethod.getObject().getALocalSource() and
+          searchMethod.getAttributeName() instanceof LDAP2QueryMethods and
+          (
+            ldapNode = this.getArg(0)
+            or
+            (
+              ldapNode = this.getArg(2) or
+              ldapNode = this.getArgByName("filterstr")
+            )
+          )
+        )
+      }
+
+      override DataFlow::Node getLDAPNode() { result = ldapNode }
+    }
+
+    /**
+     * A class to find calls to `ldap.dn.escape_dn_chars`.
+     *
+     * See https://github.com/python-ldap/python-ldap/blob/7ce471e238cdd9a4dd8d17baccd1c9e05e6f894a/Lib/ldap/dn.py#L17
+     */
+    private class LDAP2EscapeDNCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
+      LDAP2EscapeDNCall() {
+        this = API::moduleImport("ldap").getMember("dn").getMember("escape_dn_chars").getACall()
+      }
+
+      override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
+    }
+
+    /**
+     * A class to find calls to `ldap.filter.escape_filter_chars`.
+     *
+     * See https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap-filter.html#ldap.filter.escape_filter_chars
+     */
+    private class LDAP2EscapeFilterCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
+      LDAP2EscapeFilterCall() {
+        this =
+          API::moduleImport("ldap").getMember("filter").getMember("escape_filter_chars").getACall()
+      }
+
+      override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
+    }
+  }
+
+  /**
+   * Provides models for Python's `ldap3` library.
+   *
+   * See https://pypi.org/project/ldap3/
+   */
+  private module LDAP3 {
+    /**
+     * A class to find `ldap3` methods executing a query.
+     */
+    private class LDAP3Query extends DataFlow::CallCfgNode, LDAPQuery::Range {
+      DataFlow::Node ldapNode;
+
+      LDAP3Query() {
+        exists(DataFlow::AttrRead searchMethod |
+          this.getFunction() = searchMethod and
+          API::moduleImport("ldap3").getMember("Connection").getACall() =
+            searchMethod.getObject().getALocalSource() and
+          searchMethod.getAttributeName() = "search" and
+          (
+            ldapNode = this.getArg(0) or
+            ldapNode = this.getArg(1)
+          )
+        )
+      }
+
+      override DataFlow::Node getLDAPNode() { result = ldapNode }
+    }
+
+    /**
+     * A class to find calls to `ldap3.utils.dn.escape_rdn`.
+     *
+     * See https://github.com/cannatag/ldap3/blob/4d33166f0869b929f59c6e6825a1b9505eb99967/ldap3/utils/dn.py#L390
+     */
+    private class LDAP3EscapeDNCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
+      LDAP3EscapeDNCall() {
+        this =
+          API::moduleImport("ldap3")
+              .getMember("utils")
+              .getMember("dn")
+              .getMember("escape_rdn")
+              .getACall()
+      }
+
+      override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
+    }
+
+    /**
+     * A class to find calls to `ldap3.utils.conv.escape_filter_chars`.
+     *
+     * See https://github.com/cannatag/ldap3/blob/4d33166f0869b929f59c6e6825a1b9505eb99967/ldap3/utils/conv.py#L91
+     */
+    private class LDAP3EscapeFilterCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
+      LDAP3EscapeFilterCall() {
+        this =
+          API::moduleImport("ldap3")
+              .getMember("utils")
+              .getMember("conv")
+              .getMember("escape_filter_chars")
+              .getACall()
+      }
+
+      override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
+    }
+  }
+}
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index 2bbca55f820..420caf0d73b 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -9,146 +9,3 @@ private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import experimental.semmle.python.Concepts
 private import semmle.python.ApiGraphs
-
-/**
- * Provides models for Python's ldap-related libraries.
- */
-private module LDAP {
-  /**
-   * Provides models for Python's `ldap` library.
-   *
-   * See https://www.python-ldap.org/en/python-ldap-3.3.0/index.html
-   */
-  private module LDAP2 {
-    /**
-     * List of `ldap` methods used to execute a query.
-     *
-     * See https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#functions
-     */
-    private class LDAP2QueryMethods extends string {
-      LDAP2QueryMethods() {
-        this in ["search", "search_s", "search_st", "search_ext", "search_ext_s"]
-      }
-    }
-
-    /**
-     * A class to find `ldap` methods executing a query.
-     *
-     * See `LDAP2QueryMethods`
-     */
-    private class LDAP2Query extends DataFlow::CallCfgNode, LDAPQuery::Range {
-      DataFlow::Node ldapNode;
-
-      LDAP2Query() {
-        exists(DataFlow::AttrRead searchMethod |
-          this.getFunction() = searchMethod and
-          API::moduleImport("ldap").getMember("initialize").getACall() =
-            searchMethod.getObject().getALocalSource() and
-          searchMethod.getAttributeName() instanceof LDAP2QueryMethods and
-          (
-            ldapNode = this.getArg(0)
-            or
-            (
-              ldapNode = this.getArg(2) or
-              ldapNode = this.getArgByName("filterstr")
-            )
-          )
-        )
-      }
-
-      override DataFlow::Node getLDAPNode() { result = ldapNode }
-    }
-
-    /**
-     * A class to find calls to `ldap.dn.escape_dn_chars`.
-     *
-     * See https://github.com/python-ldap/python-ldap/blob/7ce471e238cdd9a4dd8d17baccd1c9e05e6f894a/Lib/ldap/dn.py#L17
-     */
-    private class LDAP2EscapeDNCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
-      LDAP2EscapeDNCall() {
-        this = API::moduleImport("ldap").getMember("dn").getMember("escape_dn_chars").getACall()
-      }
-
-      override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
-    }
-
-    /**
-     * A class to find calls to `ldap.filter.escape_filter_chars`.
-     *
-     * See https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap-filter.html#ldap.filter.escape_filter_chars
-     */
-    private class LDAP2EscapeFilterCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
-      LDAP2EscapeFilterCall() {
-        this =
-          API::moduleImport("ldap").getMember("filter").getMember("escape_filter_chars").getACall()
-      }
-
-      override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
-    }
-  }
-
-  /**
-   * Provides models for Python's `ldap3` library.
-   *
-   * See https://pypi.org/project/ldap3/
-   */
-  private module LDAP3 {
-    /**
-     * A class to find `ldap3` methods executing a query.
-     */
-    private class LDAP3Query extends DataFlow::CallCfgNode, LDAPQuery::Range {
-      DataFlow::Node ldapNode;
-
-      LDAP3Query() {
-        exists(DataFlow::AttrRead searchMethod |
-          this.getFunction() = searchMethod and
-          API::moduleImport("ldap3").getMember("Connection").getACall() =
-            searchMethod.getObject().getALocalSource() and
-          searchMethod.getAttributeName() = "search" and
-          (
-            ldapNode = this.getArg(0) or
-            ldapNode = this.getArg(1)
-          )
-        )
-      }
-
-      override DataFlow::Node getLDAPNode() { result = ldapNode }
-    }
-
-    /**
-     * A class to find calls to `ldap3.utils.dn.escape_rdn`.
-     *
-     * See https://github.com/cannatag/ldap3/blob/4d33166f0869b929f59c6e6825a1b9505eb99967/ldap3/utils/dn.py#L390
-     */
-    private class LDAP3EscapeDNCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
-      LDAP3EscapeDNCall() {
-        this =
-          API::moduleImport("ldap3")
-              .getMember("utils")
-              .getMember("dn")
-              .getMember("escape_rdn")
-              .getACall()
-      }
-
-      override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
-    }
-
-    /**
-     * A class to find calls to `ldap3.utils.conv.escape_filter_chars`.
-     *
-     * See https://github.com/cannatag/ldap3/blob/4d33166f0869b929f59c6e6825a1b9505eb99967/ldap3/utils/conv.py#L91
-     */
-    private class LDAP3EscapeFilterCall extends DataFlow::CallCfgNode, LDAPEscape::Range {
-      LDAP3EscapeFilterCall() {
-        this =
-          API::moduleImport("ldap3")
-              .getMember("utils")
-              .getMember("conv")
-              .getMember("escape_filter_chars")
-              .getACall()
-      }
-
-      override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
-    }
-  }
-}

From 6159fbea2bc8f4fdacdcf76829f23c7124e44d38 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Fri, 7 May 2021 22:15:51 +0200
Subject: [PATCH 0943/1429] Update functions naming

---
 .../experimental/semmle/python/Concepts.qll   |  8 +++---
 .../semmle/python/frameworks/LDAP.qll         | 26 +++++++++----------
 2 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
index 18fd0b992eb..0d7c351974b 100644
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -26,7 +26,7 @@ module LDAPQuery {
     /**
      * Gets the argument containing the executed expression.
      */
-    abstract DataFlow::Node getLDAPNode();
+    abstract DataFlow::Node getQuery();
   }
 }
 
@@ -44,7 +44,7 @@ class LDAPQuery extends DataFlow::Node {
   /**
    * Gets the argument containing the executed expression.
    */
-  DataFlow::Node getLDAPNode() { result = range.getLDAPNode() }
+  DataFlow::Node getQuery() { result = range.getQuery() }
 }
 
 /** Provides classes for modeling LDAP components escape-related APIs. */
@@ -59,7 +59,7 @@ module LDAPEscape {
     /**
      * Gets the argument containing the escaped expression.
      */
-    abstract DataFlow::Node getEscapeNode();
+    abstract DataFlow::Node getAnInput();
   }
 }
 
@@ -77,5 +77,5 @@ class LDAPEscape extends DataFlow::Node {
   /**
    * Gets the argument containing the escaped expression.
    */
-  DataFlow::Node getEscapeNode() { result = range.getEscapeNode() }
+  DataFlow::Node getAnInput() { result = range.getAnInput() }
 }
diff --git a/python/ql/src/experimental/semmle/python/frameworks/LDAP.qll b/python/ql/src/experimental/semmle/python/frameworks/LDAP.qll
index 2153f070457..6c3e03cb267 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/LDAP.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/LDAP.qll
@@ -36,7 +36,7 @@ private module LDAP {
      * See `LDAP2QueryMethods`
      */
     private class LDAP2Query extends DataFlow::CallCfgNode, LDAPQuery::Range {
-      DataFlow::Node ldapNode;
+      DataFlow::Node ldapQuery;
 
       LDAP2Query() {
         exists(DataFlow::AttrRead searchMethod |
@@ -45,17 +45,17 @@ private module LDAP {
             searchMethod.getObject().getALocalSource() and
           searchMethod.getAttributeName() instanceof LDAP2QueryMethods and
           (
-            ldapNode = this.getArg(0)
+            ldapQuery = this.getArg(0)
             or
             (
-              ldapNode = this.getArg(2) or
-              ldapNode = this.getArgByName("filterstr")
+              ldapQuery = this.getArg(2) or
+              ldapQuery = this.getArgByName("filterstr")
             )
           )
         )
       }
 
-      override DataFlow::Node getLDAPNode() { result = ldapNode }
+      override DataFlow::Node getQuery() { result = ldapQuery }
     }
 
     /**
@@ -68,7 +68,7 @@ private module LDAP {
         this = API::moduleImport("ldap").getMember("dn").getMember("escape_dn_chars").getACall()
       }
 
-      override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
+      override DataFlow::Node getAnInput() { result = this.getArg(0) }
     }
 
     /**
@@ -82,7 +82,7 @@ private module LDAP {
           API::moduleImport("ldap").getMember("filter").getMember("escape_filter_chars").getACall()
       }
 
-      override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
+      override DataFlow::Node getAnInput() { result = this.getArg(0) }
     }
   }
 
@@ -96,7 +96,7 @@ private module LDAP {
      * A class to find `ldap3` methods executing a query.
      */
     private class LDAP3Query extends DataFlow::CallCfgNode, LDAPQuery::Range {
-      DataFlow::Node ldapNode;
+      DataFlow::Node ldapQuery;
 
       LDAP3Query() {
         exists(DataFlow::AttrRead searchMethod |
@@ -105,13 +105,13 @@ private module LDAP {
             searchMethod.getObject().getALocalSource() and
           searchMethod.getAttributeName() = "search" and
           (
-            ldapNode = this.getArg(0) or
-            ldapNode = this.getArg(1)
+            ldapQuery = this.getArg(0) or
+            ldapQuery = this.getArg(1)
           )
         )
       }
 
-      override DataFlow::Node getLDAPNode() { result = ldapNode }
+      override DataFlow::Node getQuery() { result = ldapQuery }
     }
 
     /**
@@ -129,7 +129,7 @@ private module LDAP {
               .getACall()
       }
 
-      override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
+      override DataFlow::Node getAnInput() { result = this.getArg(0) }
     }
 
     /**
@@ -147,7 +147,7 @@ private module LDAP {
               .getACall()
       }
 
-      override DataFlow::Node getEscapeNode() { result = this.getArg(0) }
+      override DataFlow::Node getAnInput() { result = this.getArg(0) }
     }
   }
 }

From 2ad72ad69390652dc7e68b831e71ecaf020bc14f Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Fri, 7 May 2021 22:16:12 +0200
Subject: [PATCH 0944/1429] Add LDAP framework entry in Frameworks.qll

---
 python/ql/src/experimental/semmle/python/Frameworks.qll | 1 +
 1 file changed, 1 insertion(+)

diff --git a/python/ql/src/experimental/semmle/python/Frameworks.qll b/python/ql/src/experimental/semmle/python/Frameworks.qll
index ca1dd04e57d..b64532dda7c 100644
--- a/python/ql/src/experimental/semmle/python/Frameworks.qll
+++ b/python/ql/src/experimental/semmle/python/Frameworks.qll
@@ -3,3 +3,4 @@
  */
 
 private import experimental.semmle.python.frameworks.Stdlib
+private import experimental.semmle.python.frameworks.LDAP
\ No newline at end of file

From f0a994a570ddd10937a70b7a9a1d9feca33c9d84 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Fri, 7 May 2021 16:33:15 -0400
Subject: [PATCH 0945/1429] C++: Fix pointer flow modeling for smart pointer
 setters

---
 .../code/cpp/models/implementations/SmartPointer.qll      | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
index 7f9639f6373..ab44671f83d 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
@@ -158,11 +158,11 @@ private class SmartPtrSetterFunction extends MemberFunction, AliasFunction, Side
           // parameter.
           result.isParameter(1)
         else result.isParameterDeref(0)
+        or
+        // One of the functions that takes ownership of a raw pointer.
+        param0.getUnspecifiedType() instanceof PointerType and
+        result.isParameter(0)
       )
-      or
-      // One of the functions that takes ownership of a raw pointer.
-      param0.getUnspecifiedType() instanceof PointerType and
-      result.isParameter(0)
     )
   }
 }

From 187e136ecc7d81d48b83f86804d116f549d53aa6 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Fri, 7 May 2021 16:50:03 -0400
Subject: [PATCH 0946/1429] C++: Generate IR side effects for smart pointer
 indirections

When inserting side effect instructions for argument indirections, we now insert side effects for smart pointers as we would for raw pointers. The address operand of the side effect instruction is  the smart pointer object, which is a bit odd. However, I'd like to think through the design of a more principled solution before doing additional work.

A few new tests are added to the existing IR tests. In addition, the IR tests now `#include` some of the shared STL headers. I've disabled IR dumps for functions from those headers, since they only get in the way of the test cases we intended.
---
 .../raw/internal/SideEffects.qll              |  4 +-
 .../library-tests/ir/ir/PrintAST.expected     | 80 +++++++++++++++++++
 cpp/ql/test/library-tests/ir/ir/PrintAST.ql   | 11 +++
 .../test/library-tests/ir/ir/PrintAST.qlref   |  1 -
 .../test/library-tests/ir/ir/PrintConfig.qll  | 10 +++
 .../ir/ir/raw_consistency.expected            |  1 +
 .../test/library-tests/ir/ir/raw_ir.expected  | 74 +++++++++++++++++
 cpp/ql/test/library-tests/ir/ir/raw_ir.ql     | 11 +++
 cpp/ql/test/library-tests/ir/ir/raw_ir.qlref  |  1 -
 cpp/ql/test/library-tests/ir/ir/smart_ptr.cpp | 20 +++++
 10 files changed, 210 insertions(+), 3 deletions(-)
 create mode 100644 cpp/ql/test/library-tests/ir/ir/PrintAST.ql
 delete mode 100644 cpp/ql/test/library-tests/ir/ir/PrintAST.qlref
 create mode 100644 cpp/ql/test/library-tests/ir/ir/PrintConfig.qll
 create mode 100644 cpp/ql/test/library-tests/ir/ir/raw_ir.ql
 delete mode 100644 cpp/ql/test/library-tests/ir/ir/raw_ir.qlref
 create mode 100644 cpp/ql/test/library-tests/ir/ir/smart_ptr.cpp

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll
index 350127a58d1..e7de9d26326 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll
@@ -7,6 +7,7 @@
 
 private import cpp
 private import semmle.code.cpp.ir.implementation.Opcode
+private import semmle.code.cpp.models.interfaces.PointerWrapper
 private import semmle.code.cpp.models.interfaces.SideEffect
 
 /**
@@ -39,7 +40,8 @@ private predicate hasDefaultSideEffect(Call call, ParameterIndex i, boolean buff
       exists(Type t | t = expr.getUnspecifiedType() |
         t instanceof ArrayType or
         t instanceof PointerType or
-        t instanceof ReferenceType
+        t instanceof ReferenceType or
+        t instanceof PointerWrapper
       ) and
       (
         isWrite = true and
diff --git a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
index 44d379e46fe..4b997627182 100644
--- a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
+++ b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
@@ -11365,6 +11365,86 @@ perf-regression.cpp:
 #   12|           Type = [IntType] int
 #   12|           Value = [Literal] 0
 #   12|           ValueCategory = prvalue
+smart_ptr.cpp:
+#    8| [TopLevelFunction] void unique_ptr_arg(std::unique_ptr<int, std::default_delete<int>>)
+#    8|   <params>: 
+#    8|     getParameter(0): [Parameter] up
+#    8|         Type = [ClassTemplateInstantiation] unique_ptr<int, default_delete<int>>
+#   10| [TopLevelFunction] void call_unique_ptr_arg(int*)
+#   10|   <params>: 
+#   10|     getParameter(0): [Parameter] p
+#   10|         Type = [IntPointerType] int *
+#   10|   getEntryPoint(): [BlockStmt] { ... }
+#   11|     getStmt(0): [DeclStmt] declaration
+#   11|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of up
+#   11|           Type = [ClassTemplateInstantiation] unique_ptr<int, default_delete<int>>
+#   11|         getVariable().getInitializer(): [Initializer] initializer for up
+#   11|           getExpr(): [ConstructorCall] call to unique_ptr
+#   11|               Type = [VoidType] void
+#   11|               ValueCategory = prvalue
+#   11|             getArgument(0): [VariableAccess] p
+#   11|                 Type = [IntPointerType] int *
+#   11|                 ValueCategory = prvalue(load)
+#   12|     getStmt(1): [ExprStmt] ExprStmt
+#   12|       getExpr(): [FunctionCall] call to unique_ptr_arg
+#   12|           Type = [VoidType] void
+#   12|           ValueCategory = prvalue
+#   12|         getArgument(0): [FunctionCall] call to move
+#   12|             Type = [RValueReferenceType] type &&
+#   12|             ValueCategory = prvalue
+#   12|           getArgument(0): [VariableAccess] up
+#   12|               Type = [ClassTemplateInstantiation] unique_ptr<int, default_delete<int>>
+#   12|               ValueCategory = lvalue
+#   12|           getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
+#   12|               Type = [LValueReferenceType] unique_ptr<int, default_delete<int>> &
+#   12|               ValueCategory = prvalue
+#   12|         getArgument(0).getFullyConverted(): [TemporaryObjectExpr] temporary object
+#   12|             Type = [ClassTemplateInstantiation] unique_ptr<int, default_delete<int>>
+#   12|             ValueCategory = lvalue
+#   12|           getExpr(): [ReferenceDereferenceExpr] (reference dereference)
+#   12|               Type = [CTypedefType,NestedTypedefType] type
+#   12|               ValueCategory = prvalue(load)
+#   13|     getStmt(2): [ReturnStmt] return ...
+#   15| [TopLevelFunction] void shared_ptr_arg(std::shared_ptr<float>)
+#   15|   <params>: 
+#   15|     getParameter(0): [Parameter] sp
+#   15|         Type = [ClassTemplateInstantiation] shared_ptr<float>
+#   17| [TopLevelFunction] void call_shared_ptr_arg(float*)
+#   17|   <params>: 
+#   17|     getParameter(0): [Parameter] p
+#   17|         Type = [PointerType] float *
+#   17|   getEntryPoint(): [BlockStmt] { ... }
+#   18|     getStmt(0): [DeclStmt] declaration
+#   18|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of sp
+#   18|           Type = [ClassTemplateInstantiation] shared_ptr<float>
+#   18|         getVariable().getInitializer(): [Initializer] initializer for sp
+#   18|           getExpr(): [ConstructorCall] call to shared_ptr
+#   18|               Type = [VoidType] void
+#   18|               ValueCategory = prvalue
+#   18|             getArgument(0): [VariableAccess] p
+#   18|                 Type = [PointerType] float *
+#   18|                 ValueCategory = prvalue(load)
+#   19|     getStmt(1): [ExprStmt] ExprStmt
+#   19|       getExpr(): [FunctionCall] call to shared_ptr_arg
+#   19|           Type = [VoidType] void
+#   19|           ValueCategory = prvalue
+#   19|         getArgument(0): [ConstructorCall] call to shared_ptr
+#   19|             Type = [VoidType] void
+#   19|             ValueCategory = prvalue
+#   19|           getArgument(0): [VariableAccess] sp
+#   19|               Type = [ClassTemplateInstantiation] shared_ptr<float>
+#   19|               ValueCategory = lvalue
+#   19|           getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
+#   19|               Type = [LValueReferenceType] const shared_ptr<float> &
+#   19|               ValueCategory = prvalue
+#   19|             getExpr(): [CStyleCast] (const shared_ptr<float>)...
+#   19|                 Conversion = [GlvalueConversion] glvalue conversion
+#   19|                 Type = [SpecifiedType] const shared_ptr<float>
+#   19|                 ValueCategory = lvalue
+#   19|         getArgument(0).getFullyConverted(): [TemporaryObjectExpr] temporary object
+#   19|             Type = [ClassTemplateInstantiation] shared_ptr<float>
+#   19|             ValueCategory = lvalue
+#   20|     getStmt(2): [ReturnStmt] return ...
 struct_init.cpp:
 #    1| [TopLevelFunction] int handler1(void*)
 #    1|   <params>: 
diff --git a/cpp/ql/test/library-tests/ir/ir/PrintAST.ql b/cpp/ql/test/library-tests/ir/ir/PrintAST.ql
new file mode 100644
index 00000000000..e107c80de02
--- /dev/null
+++ b/cpp/ql/test/library-tests/ir/ir/PrintAST.ql
@@ -0,0 +1,11 @@
+/**
+ * @kind graph
+ */
+
+private import cpp
+private import semmle.code.cpp.PrintAST
+private import PrintConfig
+
+private class PrintConfig extends PrintASTConfiguration {
+  override predicate shouldPrintFunction(Function func) { shouldDumpFunction(func) }
+}
diff --git a/cpp/ql/test/library-tests/ir/ir/PrintAST.qlref b/cpp/ql/test/library-tests/ir/ir/PrintAST.qlref
deleted file mode 100644
index 6fcb30ac7a6..00000000000
--- a/cpp/ql/test/library-tests/ir/ir/PrintAST.qlref
+++ /dev/null
@@ -1 +0,0 @@
-semmle/code/cpp/PrintAST.ql
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/ir/ir/PrintConfig.qll b/cpp/ql/test/library-tests/ir/ir/PrintConfig.qll
new file mode 100644
index 00000000000..3253a1196b6
--- /dev/null
+++ b/cpp/ql/test/library-tests/ir/ir/PrintConfig.qll
@@ -0,0 +1,10 @@
+private import cpp
+
+/**
+ * Holds if the AST or IR for the specified function should be printed in the test output.
+ *
+ * This predicate excludes functions defined in standard headers.
+ */
+predicate shouldDumpFunction(Function func) {
+  not func.getLocation().getFile().getAbsolutePath().regexpMatch(".*/include/[^/]+")
+}
diff --git a/cpp/ql/test/library-tests/ir/ir/raw_consistency.expected b/cpp/ql/test/library-tests/ir/ir/raw_consistency.expected
index 31e5b01229c..57f16b48a1a 100644
--- a/cpp/ql/test/library-tests/ir/ir/raw_consistency.expected
+++ b/cpp/ql/test/library-tests/ir/ir/raw_consistency.expected
@@ -6,6 +6,7 @@ missingOperandType
 duplicateChiOperand
 sideEffectWithoutPrimary
 instructionWithoutSuccessor
+| ../../../include/memory.h:68:25:68:33 | CopyValue: (reference to) | Instruction 'CopyValue: (reference to)' has no successors in function '$@'. | ../../../include/memory.h:67:5:67:5 | void std::unique_ptr<int, std::default_delete<int>>::~unique_ptr() | void std::unique_ptr<int, std::default_delete<int>>::~unique_ptr() |
 ambiguousSuccessors
 unexplainedLoop
 unnecessaryPhiInstruction
diff --git a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
index e008e2de659..6bcfd2c43e4 100644
--- a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
@@ -7903,6 +7903,80 @@ perf-regression.cpp:
 #    9|     v9_6(void)            = AliasedUse                      : ~m?
 #    9|     v9_7(void)            = ExitFunction                    : 
 
+smart_ptr.cpp:
+#   10| void call_unique_ptr_arg(int*)
+#   10|   Block 0
+#   10|     v10_1(void)                                        = EnterFunction                    : 
+#   10|     mu10_2(unknown)                                    = AliasedDefinition                : 
+#   10|     mu10_3(unknown)                                    = InitializeNonLocal               : 
+#   10|     r10_4(glval<int *>)                                = VariableAddress[p]               : 
+#   10|     mu10_5(int *)                                      = InitializeParameter[p]           : &:r10_4
+#   10|     r10_6(int *)                                       = Load[p]                          : &:r10_4, ~m?
+#   10|     mu10_7(unknown)                                    = InitializeIndirection[p]         : &:r10_6
+#   11|     r11_1(glval<unique_ptr<int, default_delete<int>>>) = VariableAddress[up]              : 
+#   11|     mu11_2(unique_ptr<int, default_delete<int>>)       = Uninitialized[up]                : &:r11_1
+#   11|     r11_3(glval<unknown>)                              = FunctionAddress[unique_ptr]      : 
+#   11|     r11_4(glval<int *>)                                = VariableAddress[p]               : 
+#   11|     r11_5(int *)                                       = Load[p]                          : &:r11_4, ~m?
+#   11|     v11_6(void)                                        = Call[unique_ptr]                 : func:r11_3, this:r11_1, 0:r11_5
+#   11|     mu11_7(unknown)                                    = ^CallSideEffect                  : ~m?
+#   11|     mu11_8(unique_ptr<int, default_delete<int>>)       = ^IndirectMustWriteSideEffect[-1] : &:r11_1
+#   12|     r12_1(glval<unknown>)                              = FunctionAddress[unique_ptr_arg]  : 
+#   12|     r12_2(glval<unique_ptr<int, default_delete<int>>>) = VariableAddress[#temp12:20]      : 
+#   12|     r12_3(glval<unknown>)                              = FunctionAddress[move]            : 
+#   12|     r12_4(glval<unique_ptr<int, default_delete<int>>>) = VariableAddress[up]              : 
+#   12|     r12_5(unique_ptr<int, default_delete<int>> &)      = CopyValue                        : r12_4
+#   12|     r12_6(unique_ptr<int, default_delete<int>> &&)     = Call[move]                       : func:r12_3, 0:r12_5
+#   12|     r12_7(unique_ptr<int, default_delete<int>>)        = Load[?]                          : &:r12_6, ~m?
+#   12|     mu12_8(unique_ptr<int, default_delete<int>>)       = Store[#temp12:20]                : &:r12_2, r12_7
+#   12|     r12_9(unique_ptr<int, default_delete<int>>)        = Load[#temp12:20]                 : &:r12_2, ~m?
+#   12|     v12_10(void)                                       = Call[unique_ptr_arg]             : func:r12_1, 0:r12_9
+#   12|     mu12_11(unknown)                                   = ^CallSideEffect                  : ~m?
+#   12|     v12_12(void)                                       = ^BufferReadSideEffect[0]         : &:r12_9, ~m?
+#   13|     v13_1(void)                                        = NoOp                             : 
+#   10|     v10_8(void)                                        = ReturnIndirection[p]             : &:r10_6, ~m?
+#   10|     v10_9(void)                                        = ReturnVoid                       : 
+#   10|     v10_10(void)                                       = AliasedUse                       : ~m?
+#   10|     v10_11(void)                                       = ExitFunction                     : 
+
+#   17| void call_shared_ptr_arg(float*)
+#   17|   Block 0
+#   17|     v17_1(void)                     = EnterFunction                    : 
+#   17|     mu17_2(unknown)                 = AliasedDefinition                : 
+#   17|     mu17_3(unknown)                 = InitializeNonLocal               : 
+#   17|     r17_4(glval<float *>)           = VariableAddress[p]               : 
+#   17|     mu17_5(float *)                 = InitializeParameter[p]           : &:r17_4
+#   17|     r17_6(float *)                  = Load[p]                          : &:r17_4, ~m?
+#   17|     mu17_7(unknown)                 = InitializeIndirection[p]         : &:r17_6
+#   18|     r18_1(glval<shared_ptr<float>>) = VariableAddress[sp]              : 
+#   18|     mu18_2(shared_ptr<float>)       = Uninitialized[sp]                : &:r18_1
+#   18|     r18_3(glval<unknown>)           = FunctionAddress[shared_ptr]      : 
+#   18|     r18_4(glval<float *>)           = VariableAddress[p]               : 
+#   18|     r18_5(float *)                  = Load[p]                          : &:r18_4, ~m?
+#   18|     v18_6(void)                     = Call[shared_ptr]                 : func:r18_3, this:r18_1, 0:r18_5
+#   18|     mu18_7(unknown)                 = ^CallSideEffect                  : ~m?
+#   18|     mu18_8(shared_ptr<float>)       = ^IndirectMustWriteSideEffect[-1] : &:r18_1
+#   19|     r19_1(glval<unknown>)           = FunctionAddress[shared_ptr_arg]  : 
+#   19|     r19_2(glval<shared_ptr<float>>) = VariableAddress[#temp19:20]      : 
+#   19|     mu19_3(shared_ptr<float>)       = Uninitialized[#temp19:20]        : &:r19_2
+#   19|     r19_4(glval<unknown>)           = FunctionAddress[shared_ptr]      : 
+#   19|     r19_5(glval<shared_ptr<float>>) = VariableAddress[sp]              : 
+#   19|     r19_6(glval<shared_ptr<float>>) = Convert                          : r19_5
+#   19|     r19_7(shared_ptr<float> &)      = CopyValue                        : r19_6
+#   19|     v19_8(void)                     = Call[shared_ptr]                 : func:r19_4, this:r19_2, 0:r19_7
+#   19|     mu19_9(unknown)                 = ^CallSideEffect                  : ~m?
+#   19|     mu19_10(shared_ptr<float>)      = ^IndirectMustWriteSideEffect[-1] : &:r19_2
+#   19|     v19_11(void)                    = ^IndirectReadSideEffect[0]       : &:r19_7, ~m?
+#   19|     r19_12(shared_ptr<float>)       = Load[#temp19:20]                 : &:r19_2, ~m?
+#   19|     v19_13(void)                    = Call[shared_ptr_arg]             : func:r19_1, 0:r19_12
+#   19|     mu19_14(unknown)                = ^CallSideEffect                  : ~m?
+#   19|     v19_15(void)                    = ^BufferReadSideEffect[0]         : &:r19_12, ~m?
+#   20|     v20_1(void)                     = NoOp                             : 
+#   17|     v17_8(void)                     = ReturnIndirection[p]             : &:r17_6, ~m?
+#   17|     v17_9(void)                     = ReturnVoid                       : 
+#   17|     v17_10(void)                    = AliasedUse                       : ~m?
+#   17|     v17_11(void)                    = ExitFunction                     : 
+
 struct_init.cpp:
 #   16| void let_info_escape(Info*)
 #   16|   Block 0
diff --git a/cpp/ql/test/library-tests/ir/ir/raw_ir.ql b/cpp/ql/test/library-tests/ir/ir/raw_ir.ql
new file mode 100644
index 00000000000..a0ebe4d2bdd
--- /dev/null
+++ b/cpp/ql/test/library-tests/ir/ir/raw_ir.ql
@@ -0,0 +1,11 @@
+/**
+ * @kind graph
+ */
+
+private import cpp
+private import semmle.code.cpp.ir.implementation.raw.PrintIR
+private import PrintConfig
+
+private class PrintConfig extends PrintIRConfiguration {
+  override predicate shouldPrintFunction(Function func) { shouldDumpFunction(func) }
+}
diff --git a/cpp/ql/test/library-tests/ir/ir/raw_ir.qlref b/cpp/ql/test/library-tests/ir/ir/raw_ir.qlref
deleted file mode 100644
index fa4c4bda903..00000000000
--- a/cpp/ql/test/library-tests/ir/ir/raw_ir.qlref
+++ /dev/null
@@ -1 +0,0 @@
-semmle/code/cpp/ir/implementation/raw/PrintIR.ql
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/ir/ir/smart_ptr.cpp b/cpp/ql/test/library-tests/ir/ir/smart_ptr.cpp
new file mode 100644
index 00000000000..980c7767009
--- /dev/null
+++ b/cpp/ql/test/library-tests/ir/ir/smart_ptr.cpp
@@ -0,0 +1,20 @@
+#include "../../../include/memory.h"
+#include "../../../include/utility.h"
+
+using std::move;
+using std::shared_ptr;
+using std::unique_ptr;
+
+void unique_ptr_arg(unique_ptr<int> up);
+
+void call_unique_ptr_arg(int* p) {
+    unique_ptr<int> up(p);
+    unique_ptr_arg(move(up));
+}
+
+void shared_ptr_arg(shared_ptr<float> sp);
+
+void call_shared_ptr_arg(float* p) {
+    shared_ptr<float> sp(p);
+    shared_ptr_arg(sp);
+}

From fd88b7210101f75af27b938878f9b6ad1abddae7 Mon Sep 17 00:00:00 2001
From: Hayk Andriasyan <77549590+p0wn4j@users.noreply.github.com>
Date: Sat, 8 May 2021 12:51:15 +0400
Subject: [PATCH 0947/1429] Delete JSchOSInjection.qhelp

---
 .../CWE/CWE-078/JSchOSInjection.qhelp         | 64 -------------------
 1 file changed, 64 deletions(-)
 delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjection.qhelp

diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjection.qhelp
deleted file mode 100644
index 57e8a61fe74..00000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjection.qhelp
+++ /dev/null
@@ -1,64 +0,0 @@
-<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
-<qhelp>
-
-<overview>
-<p>
-JSch is a pure Java implementation of SSH2.
-JSch allows you to connect to a sshd server and use port forwarding, X11 forwarding, 
-file transfer, command execution, etc., and you can integrate its functionality into your own Java programs. 
-JSch is licensed under BSD style license.
-If an OS command is built using an attacker-controlled data, it may allow the attacker
-to run an arbitrary code on the remote host.
-</p>
-</overview>
-
-<recommendation>
-<p>
-Including an user input in a JSch lib's OS command expression should be avoided.
-If this is not possible, then a strong input validation must be performed. 
-Some examples of an effective validation include:
-
-Validating against an allowlist of permitted values.
-Validating that the input is a number.
-Validating that the input contains only alphanumeric characters, no other syntax or whitespace.
-
-Never attempt to sanitize input by escaping shell metacharacters. In practice, 
-this is just too error-prone and vulnerable to being bypassed by a skilled attacker.
-
-</p>
-</recommendation>
-
-<example>
-<p>
-The following example uses the untrusted data to build an OS command.
-</p>
-<sample src="JSchOSInjectionBad.java" />
-</example>
-
-<example>
-<p>
-The following example validates the untrusted data before build an OS command.
-</p>
-<sample src="JSchOSInjectionSanitized.java" />
-</example>
-
-<references>
-<li>
-  JCraft:
-  <a href="http://www.jcraft.com/jsch/">JSch - Java Secure Channel</a>.
-</li>
-<li>
-  OWASP:
-  <a href="https://owasp.org/www-community/attacks/Command_Injection">Command Injection</a>.
-</li>
-<li>
-  OWASP:
-  <a href="https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html">OS Command Injection Defense Cheat Sheet</a>.
-</li>
-<li>
-  PortSwigger:
-  <a href="https://portswigger.net/web-security/os-command-injection">OS command injection</a>.
-</li>
-
-</references>
-</qhelp>
\ No newline at end of file

From d9f243d18a487736c54d9f5655116fb4222fcbb0 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Sat, 8 May 2021 11:14:02 -0400
Subject: [PATCH 0948/1429] Java: Fix QLDoc for `Container.toString()`

Fixes #5828

The QLDoc was just too specific about the default implementation. I've improved the wording.
---
 java/ql/src/semmle/code/FileSystem.qll | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/semmle/code/FileSystem.qll b/java/ql/src/semmle/code/FileSystem.qll
index 13908d547dc..708348b85f5 100755
--- a/java/ql/src/semmle/code/FileSystem.qll
+++ b/java/ql/src/semmle/code/FileSystem.qll
@@ -146,9 +146,11 @@ class Container extends @container, Top {
   }
 
   /**
-   * Gets a textual representation of the path of this container.
+   * Gets a textual representation of this container.
    *
-   * This is the absolute path of the container.
+   * The default implementation returns the absolute path to the container, but subclasses may
+   * may override to provide a different result. To get the absolute path for any `Container`, call
+   * `Container.getAbsolutePath()` directly.
    */
   override string toString() { result = getAbsolutePath() }
 }

From 8665747316064806f09a0018f48c7ce439bf7ee6 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Sat, 8 May 2021 18:08:50 +0200
Subject: [PATCH 0949/1429] Update sink and sanitizer to match new naming

---
 .../experimental/semmle/python/security/injection/LDAP.qll    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/security/injection/LDAP.qll b/python/ql/src/experimental/semmle/python/security/injection/LDAP.qll
index 9f91f91b321..1927e7a95d3 100644
--- a/python/ql/src/experimental/semmle/python/security/injection/LDAP.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/LDAP.qll
@@ -16,9 +16,9 @@ class LDAPInjectionFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) { sink = any(LDAPQuery ldapQuery).getLDAPNode() }
+  override predicate isSink(DataFlow::Node sink) { sink = any(LDAPQuery ldapQuery).getQuery() }
 
   override predicate isSanitizer(DataFlow::Node sanitizer) {
-    sanitizer = any(LDAPEscape ldapEsc).getEscapeNode()
+    sanitizer = any(LDAPEscape ldapEsc).getAnInput()
   }
 }

From 3fe5dd0f3508525ba9ef9724784d15709dbc04d9 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 10 May 2021 10:05:18 +0200
Subject: [PATCH 0950/1429] add comment about filtering away jQuery from the
 source

---
 .../security/dataflow/UnsafeHtmlConstructionCustomizations.qll   | 1 +
 1 file changed, 1 insertion(+)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
index 8546041ef06..61ee6cd4622 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -25,6 +25,7 @@ module UnsafeHtmlConstruction {
   class ExternalInputSource extends Source, DataFlow::ParameterNode {
     ExternalInputSource() {
       this = Exports::getALibraryInputParameter() and
+      // An AMD-style module sometimes loads the jQuery library in a way which looks like library input.
       not this = JQuery::dollarSource()
     }
   }

From 7ac783097329729dc3f4d1a38de689a867a5dd55 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Mon, 10 May 2021 10:08:42 +0200
Subject: [PATCH 0951/1429] C++: Add testcase with false positive involving a
 conversion on the large-expression side of the comparison.

---
 .../ComparisonWithWiderType/ComparisonWithWiderType.expected   | 1 +
 .../CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp       | 3 +++
 2 files changed, 4 insertions(+)
 create mode 100644 cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected
index d04bff0a812..58e4a4acfed 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected
@@ -1,3 +1,4 @@
+| test3.cpp:2:8:2:53 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test3.cpp:1:36:1:40 | small | small | test3.cpp:2:43:2:52 | ... - ... | ... - ... |
 | test.c:4:14:4:18 | ... < ... | Comparison between $@ of type char and $@ of wider type int. | test.c:3:7:3:7 | c | c | test.c:2:17:2:17 | x | x |
 | test.c:9:14:9:18 | ... > ... | Comparison between $@ of type char and $@ of wider type int. | test.c:8:7:8:7 | c | c | test.c:7:17:7:17 | x | x |
 | test.c:14:14:14:18 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:13:8:13:8 | s | s | test.c:12:17:12:17 | x | x |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp
new file mode 100644
index 00000000000..000987cdcfa
--- /dev/null
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp
@@ -0,0 +1,3 @@
+void test_issue_5850(unsigned char small, unsigned int large1) {
+	for(; small < static_cast<unsigned char>(large1 - 1); small++) { } // GOOD [FALSE POSITIVE]
+}
\ No newline at end of file

From c91ed80e6ca5d8aa83a8207c50778b6a5fadf287 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Mon, 10 May 2021 10:12:43 +0200
Subject: [PATCH 0952/1429] C++: Fix false positive by computing range of the
 converted expression.

---
 cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql      | 2 +-
 .../ComparisonWithWiderType/ComparisonWithWiderType.expected    | 1 -
 .../CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp        | 2 +-
 3 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
index 3303316cede..8c33f78316a 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
@@ -49,7 +49,7 @@ where
   small = rel.getLesserOperand() and
   large = rel.getGreaterOperand() and
   rel = l.getCondition().getAChild*() and
-  upperBound(large).log2() > getComparisonSize(small) * 8 and
+  upperBound(large.getFullyConverted()).log2() > getComparisonSize(small) * 8 and
   // Ignore cases where the smaller type is int or larger
   // These are still bugs, but you should need a very large string or array to
   // trigger them. We will want to disable this for some applications, but it's
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected
index 58e4a4acfed..d04bff0a812 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected
@@ -1,4 +1,3 @@
-| test3.cpp:2:8:2:53 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type unsigned int. | test3.cpp:1:36:1:40 | small | small | test3.cpp:2:43:2:52 | ... - ... | ... - ... |
 | test.c:4:14:4:18 | ... < ... | Comparison between $@ of type char and $@ of wider type int. | test.c:3:7:3:7 | c | c | test.c:2:17:2:17 | x | x |
 | test.c:9:14:9:18 | ... > ... | Comparison between $@ of type char and $@ of wider type int. | test.c:8:7:8:7 | c | c | test.c:7:17:7:17 | x | x |
 | test.c:14:14:14:18 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:13:8:13:8 | s | s | test.c:12:17:12:17 | x | x |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp
index 000987cdcfa..3ae02d9d56c 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp
@@ -1,3 +1,3 @@
 void test_issue_5850(unsigned char small, unsigned int large1) {
-	for(; small < static_cast<unsigned char>(large1 - 1); small++) { } // GOOD [FALSE POSITIVE]
+	for(; small < static_cast<unsigned char>(large1 - 1); small++) { } // GOOD
 }
\ No newline at end of file

From 474b337eeb2697b9534ee0432dd29a4dc8ae0c92 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Mon, 10 May 2021 10:22:44 +0200
Subject: [PATCH 0953/1429] C++: Add change-note.

---
 cpp/change-notes/2021-10-05-comparison-with-wider-type.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 cpp/change-notes/2021-10-05-comparison-with-wider-type.md

diff --git a/cpp/change-notes/2021-10-05-comparison-with-wider-type.md b/cpp/change-notes/2021-10-05-comparison-with-wider-type.md
new file mode 100644
index 00000000000..f06895a3c1a
--- /dev/null
+++ b/cpp/change-notes/2021-10-05-comparison-with-wider-type.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The 'Comparison with wider type' (cpp/comparison-with-wider-type) query has been improved to produce fewer false positives.
\ No newline at end of file

From df5eab33f946ed0b88da4287f24659e01ab6e399 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 10 May 2021 09:43:33 +0100
Subject: [PATCH 0954/1429] JS: Update relevantTaintSource()

---
 javascript/ql/src/meta/internal/TaintMetrics.qll | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/javascript/ql/src/meta/internal/TaintMetrics.qll b/javascript/ql/src/meta/internal/TaintMetrics.qll
index 6d10b2c6ad6..f6eae2eaa6e 100644
--- a/javascript/ql/src/meta/internal/TaintMetrics.qll
+++ b/javascript/ql/src/meta/internal/TaintMetrics.qll
@@ -75,16 +75,9 @@ DataFlow::Node relevantTaintSink(string kind) {
 DataFlow::Node relevantTaintSink() { result = relevantTaintSink(_) }
 
 /**
- * Gets a remote flow source or `document.location` source.
+ * Gets a relevant remote flow source.
  */
-DataFlow::Node relevantTaintSource() {
-  not result.getFile() instanceof IgnoredFile and
-  (
-    result instanceof RemoteFlowSource
-    or
-    result = DOM::locationSource()
-  )
-}
+RemoteFlowSource relevantTaintSource() { not result.getFile() instanceof IgnoredFile }
 
 /**
  * Gets the output of a call that shows intent to sanitize a value

From 646bf994896d951c90a2cc09dc40ef1500625a63 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 10 May 2021 10:45:33 +0200
Subject: [PATCH 0955/1429] rewrite the qhelp to focus more on documenting
 unsafe functions

---
 .../CWE-079/UnsafeHtmlConstruction.qhelp      | 29 +++++++++----------
 1 file changed, 13 insertions(+), 16 deletions(-)

diff --git a/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp b/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp
index 619b55e4920..0bc3bd53a0d 100644
--- a/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp
+++ b/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.qhelp
@@ -4,26 +4,22 @@
 <qhelp>
 <overview>
 	<p>
-		Dynamically constructing HTML with inputs from library functions that are 
-		available to external clients may inadvertently leave a client open to XSS attacks.
-		
-		Clients using the exported function may use inputs containing unsafe HTML,
-		and if these inputs end up in the DOM, the client may be vulnerable to
-		cross-site scripting attacks.
-	</p>
+		When a library function dynamically constructs HTML in a potentially unsafe
+		way, then it's important to document to clients of the library that the function 
+		should only be used with trusted inputs. 
 
+		If the function is not documented as being potentially unsafe, then a client
+		may inadvertently use inputs containing unsafe HTML fragments, and thereby leave
+		the client vulnerable to cross-site scripting attacks.
+	</p>
 </overview>
 <recommendation>
 
 	<p>
-		If possible, use safe APIs when inserting HTML into the DOM.  
-		Such as writing to the <code>innerText</code> property instead of <code>innerHTML</code>.
+		Document all library functions that can lead to cross-site scripting 
+		attacks, and guard against unsafe inputs where dynamic HTML
+		construction is not intended.
 	</p>
-
-	<p>
-		Alternatively, use a HTML sanitizer to escape/remove unsafe content.
-	</p>
-
 </recommendation>
 <example>
 
@@ -41,13 +37,14 @@
 	</p>
 
 	<p>
-		To avoid such attacks, a program can use safe APIs such as <code>innerText</code>.
+		The library could either document that this function should not be used
+		with unsafe inputs, or use safe APIs such as <code>innerText</code>.
 	</p>
 
 	<sample src="examples/unsafe-html-construction_safe.js" />
 	
 	<p>
-		Alternatively, use a HTML sanitizer to remove unsafe content.
+		Alternatively, a HTML sanitizer can be used to remove unsafe content.
 	</p>
 
 	<sample src="examples/unsafe-html-construction_sanitizer.js" />

From b4e35f54d9bc6900f2f881e05366a7dc043b92d9 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 10 May 2021 10:47:34 +0200
Subject: [PATCH 0956/1429] fix typo

---
 javascript/ql/src/semmle/javascript/frameworks/Markdown.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
index 1a6c9d7a8c2..b2235577b04 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
@@ -10,7 +10,7 @@ import javascript
  */
 module Markdown {
   /**
-   * A taint-step that parses a markdown document, but preserves taint.import
+   * A taint-step that parses a markdown document, but preserves taint.
    */
   class MarkdownStep extends Unit {
     /**

From 7ed20a8b2c07be79f5ba5936d52870fd2c21940f Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 10 May 2021 10:55:21 +0200
Subject: [PATCH 0957/1429] Python: Add reminder to update docs for new
 frameworks

---
 python/ql/src/semmle/python/Frameworks.qll | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/python/ql/src/semmle/python/Frameworks.qll b/python/ql/src/semmle/python/Frameworks.qll
index a00511ca545..1c8ef1f551b 100644
--- a/python/ql/src/semmle/python/Frameworks.qll
+++ b/python/ql/src/semmle/python/Frameworks.qll
@@ -2,6 +2,8 @@
  * Helper file that imports all framework modeling.
  */
 
+// If you add modeling of a new framework/library, remember to add it it to the docs in
+// `docs/codeql/support/reusables/frameworks.rst`
 private import semmle.python.frameworks.Cryptodome
 private import semmle.python.frameworks.Cryptography
 private import semmle.python.frameworks.Dill

From d9136689430f412491f81830bc06801f7b3a40f6 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 10 May 2021 10:55:09 +0200
Subject: [PATCH 0958/1429] move hasPathWithoutUnmatchedReturn to
 Configuration.qll

---
 .../semmle/javascript/dataflow/Configuration.qll    | 11 +++++++++++
 .../security/dataflow/UnsafeHtmlConstruction.qll    |  2 +-
 .../UnsafeHtmlConstructionCustomizations.qll        | 13 -------------
 .../dataflow/UnsafeShellCommandConstruction.qll     |  3 +--
 4 files changed, 13 insertions(+), 16 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
index b4842026e24..45e7515df91 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -2068,3 +2068,14 @@ class VarAccessBarrier extends DataFlow::Node {
     )
   }
 }
+
+/**
+ *  Holds if there is a path without unmatched return steps from `source` to `sink`.
+ */
+predicate hasPathWithoutUnmatchedReturn(SourcePathNode source, SinkPathNode sink) {
+  exists(MidPathNode mid |
+    source.getASuccessor*() = mid and
+    sink = mid.getASuccessor() and
+    mid.getPathSummary().hasReturn() = false
+  )
+}
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
index 53debb48ff6..4fe675b16d9 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
@@ -38,7 +38,7 @@ module UnsafeHtmlConstruction {
     // override to require that there is a path without unmatched return steps
     override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
       super.hasFlowPath(source, sink) and
-      hasPathWithoutUnmatchedReturn(source, sink)
+      DataFlow::hasPathWithoutUnmatchedReturn(source, sink)
     }
 
     override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
index 61ee6cd4622..c660657a322 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -174,17 +174,4 @@ module UnsafeHtmlConstruction {
 
     override string describe() { result = "Markdown rendering" }
   }
-
-  /**
-   *  Holds if there is a path without unmatched return steps from `source` to `sink`.
-   */
-  predicate hasPathWithoutUnmatchedReturn(
-    DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink
-  ) {
-    exists(DataFlow::MidPathNode mid |
-      source.getASuccessor*() = mid and
-      sink = mid.getASuccessor() and
-      mid.getPathSummary().hasReturn() = false
-    )
-  }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstruction.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstruction.qll
index 2c7de7555de..d47b3696de6 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstruction.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstruction.qll
@@ -14,7 +14,6 @@ import javascript
  */
 module UnsafeShellCommandConstruction {
   import UnsafeShellCommandConstructionCustomizations::UnsafeShellCommandConstruction
-  import UnsafeHtmlConstructionCustomizations
 
   /**
    * A taint-tracking configuration for reasoning about shell command constructed from library input vulnerabilities.
@@ -36,7 +35,7 @@ module UnsafeShellCommandConstruction {
     // override to require that there is a path without unmatched return steps
     override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
       super.hasFlowPath(source, sink) and
-      UnsafeHtmlConstruction::requireMatchedReturn(source, sink)
+      DataFlow::hasPathWithoutUnmatchedReturn(source, sink)
     }
 
     override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {

From f4e636dcd628bc00bcf367dadee993d156a164e6 Mon Sep 17 00:00:00 2001
From: Asger F <asgerf@github.com>
Date: Mon, 10 May 2021 10:08:10 +0100
Subject: [PATCH 0959/1429] Update
 javascript/ql/src/semmle/javascript/frameworks/ClassValidator.qll

Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
---
 .../ql/src/semmle/javascript/frameworks/ClassValidator.qll      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClassValidator.qll b/javascript/ql/src/semmle/javascript/frameworks/ClassValidator.qll
index f0e95d0583d..381451c393c 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/ClassValidator.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/ClassValidator.qll
@@ -9,7 +9,7 @@ import javascript
  */
 module ClassValidator {
   /**
-   * Holds if the decorator with the given name does not sanitize the input, for the purpose of taint tracking.
+   * Holds if the decorator with the given name sanitizes the input, for the purpose of taint tracking.
    */
   bindingset[name]
   private predicate isSanitizingDecoratorName(string name) {

From 8afdf2654035bcc38eb4c343572f94d0b7d4560d Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 10 May 2021 10:57:33 +0200
Subject: [PATCH 0960/1429] Python: Add modeling of idna PyPI package

---
 docs/codeql/support/reusables/frameworks.rst  |  1 +
 .../2021-05-10-idna-add-modeling.md           |  2 +
 python/ql/src/semmle/python/Frameworks.qll    |  1 +
 .../ql/src/semmle/python/frameworks/Idna.qll  | 40 +++++++++++++++++++
 .../frameworks/idna/ConceptsTest.expected     |  0
 .../frameworks/idna/ConceptsTest.ql           |  2 +
 .../frameworks/idna/InlineTaintTest.expected  |  3 ++
 .../frameworks/idna/InlineTaintTest.ql        |  1 +
 .../frameworks/idna/taint_test.py             | 13 ++++++
 9 files changed, 63 insertions(+)
 create mode 100644 python/change-notes/2021-05-10-idna-add-modeling.md
 create mode 100644 python/ql/src/semmle/python/frameworks/Idna.qll
 create mode 100644 python/ql/test/library-tests/frameworks/idna/ConceptsTest.expected
 create mode 100644 python/ql/test/library-tests/frameworks/idna/ConceptsTest.ql
 create mode 100644 python/ql/test/library-tests/frameworks/idna/InlineTaintTest.expected
 create mode 100644 python/ql/test/library-tests/frameworks/idna/InlineTaintTest.ql
 create mode 100644 python/ql/test/library-tests/frameworks/idna/taint_test.py

diff --git a/docs/codeql/support/reusables/frameworks.rst b/docs/codeql/support/reusables/frameworks.rst
index afdf63bdb7b..d54c07454bc 100644
--- a/docs/codeql/support/reusables/frameworks.rst
+++ b/docs/codeql/support/reusables/frameworks.rst
@@ -158,6 +158,7 @@ Python built-in support
    dill, Serialization
    fabric, Utility library
    invoke, Utility library
+   idna, Utility library
    mysql-connector-python, Database
    MySQLdb, Database
    psycopg2, Database
diff --git a/python/change-notes/2021-05-10-idna-add-modeling.md b/python/change-notes/2021-05-10-idna-add-modeling.md
new file mode 100644
index 00000000000..95856ffe5a8
--- /dev/null
+++ b/python/change-notes/2021-05-10-idna-add-modeling.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added modeling of the PyPI package `idna`, for encoding/decoding Internationalised Domain Names in Applications.
diff --git a/python/ql/src/semmle/python/Frameworks.qll b/python/ql/src/semmle/python/Frameworks.qll
index 1c8ef1f551b..ed8f308c70a 100644
--- a/python/ql/src/semmle/python/Frameworks.qll
+++ b/python/ql/src/semmle/python/Frameworks.qll
@@ -10,6 +10,7 @@ private import semmle.python.frameworks.Dill
 private import semmle.python.frameworks.Django
 private import semmle.python.frameworks.Fabric
 private import semmle.python.frameworks.Flask
+private import semmle.python.frameworks.Idna
 private import semmle.python.frameworks.Invoke
 private import semmle.python.frameworks.MysqlConnectorPython
 private import semmle.python.frameworks.MySQLdb
diff --git a/python/ql/src/semmle/python/frameworks/Idna.qll b/python/ql/src/semmle/python/frameworks/Idna.qll
new file mode 100644
index 00000000000..331cafbd084
--- /dev/null
+++ b/python/ql/src/semmle/python/frameworks/Idna.qll
@@ -0,0 +1,40 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `idna` PyPI package.
+ * See https://pypi.org/project/idna/.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/**
+ * Provides models for the `idna` PyPI package.
+ * See https://pypi.org/project/idna/.
+ */
+private module IdnaModel {
+  /** A call to `idna.encode`. */
+  private class IdnaEncodeCall extends Encoding::Range, DataFlow::CallCfgNode {
+    IdnaEncodeCall() { this = API::moduleImport("idna").getMember("encode").getACall() }
+
+    override DataFlow::Node getAnInput() { result = [this.getArg(0), this.getArgByName("s")] }
+
+    override DataFlow::Node getOutput() { result = this }
+
+    override string getFormat() { result = "IDNA" }
+  }
+
+  /** A call to `idna.decode`. */
+  private class IdnaDecodeCall extends Decoding::Range, DataFlow::CallCfgNode {
+    IdnaDecodeCall() { this = API::moduleImport("idna").getMember("decode").getACall() }
+
+    override DataFlow::Node getAnInput() { result = [this.getArg(0), this.getArgByName("s")] }
+
+    override DataFlow::Node getOutput() { result = this }
+
+    override string getFormat() { result = "IDNA" }
+
+    override predicate mayExecuteInput() { none() }
+  }
+}
diff --git a/python/ql/test/library-tests/frameworks/idna/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/idna/ConceptsTest.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/python/ql/test/library-tests/frameworks/idna/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/idna/ConceptsTest.ql
new file mode 100644
index 00000000000..b557a0bccb6
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/idna/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
diff --git a/python/ql/test/library-tests/frameworks/idna/InlineTaintTest.expected b/python/ql/test/library-tests/frameworks/idna/InlineTaintTest.expected
new file mode 100644
index 00000000000..79d760d87f4
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/idna/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
diff --git a/python/ql/test/library-tests/frameworks/idna/InlineTaintTest.ql b/python/ql/test/library-tests/frameworks/idna/InlineTaintTest.ql
new file mode 100644
index 00000000000..027ad8667be
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/idna/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
diff --git a/python/ql/test/library-tests/frameworks/idna/taint_test.py b/python/ql/test/library-tests/frameworks/idna/taint_test.py
new file mode 100644
index 00000000000..61b9dad166c
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/idna/taint_test.py
@@ -0,0 +1,13 @@
+import idna
+
+def test_idna():
+    ts = TAINTED_STRING
+    tb = TAINTED_BYTES
+
+    ensure_tainted(
+        idna.encode(ts),  # $ tainted encodeInput=ts encodeOutput=Attribute() encodeFormat=IDNA
+        idna.encode(s=ts),  # $ tainted encodeInput=ts encodeOutput=Attribute() encodeFormat=IDNA
+
+        idna.decode(tb),  # $ tainted decodeInput=tb decodeOutput=Attribute() decodeFormat=IDNA
+        idna.decode(s=tb),  # $ tainted decodeInput=tb decodeOutput=Attribute() decodeFormat=IDNA
+    )

From 8f91e9eba0d50cb0dc142f35a78b922629dca64c Mon Sep 17 00:00:00 2001
From: Max Schaefer <max-schaefer@github.com>
Date: Mon, 10 May 2021 10:30:26 +0100
Subject: [PATCH 0961/1429] JavaScript: Model chaining calls in sqlite3.

---
 .../change-notes/2021-05-10-sqlite3-chaining.md    |  3 +++
 .../ql/src/semmle/javascript/frameworks/SQL.qll    | 14 ++++++++++++--
 .../frameworks/SQL/SqlString.expected              |  1 +
 .../ql/test/library-tests/frameworks/SQL/sqlite.js |  3 ++-
 4 files changed, 18 insertions(+), 3 deletions(-)
 create mode 100644 javascript/change-notes/2021-05-10-sqlite3-chaining.md

diff --git a/javascript/change-notes/2021-05-10-sqlite3-chaining.md b/javascript/change-notes/2021-05-10-sqlite3-chaining.md
new file mode 100644
index 00000000000..2b541440308
--- /dev/null
+++ b/javascript/change-notes/2021-05-10-sqlite3-chaining.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Modelling of chaining methods in the `sqlite3` package has improved, which may lead to
+  additional results from the `js/sql-injection` query.
diff --git a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
index ce702decc96..4d345142eb4 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
@@ -341,18 +341,28 @@ private module Sqlite {
     result = sqlite().getMember("verbose").getReturn()
   }
 
-  /** Gets an expression that constructs a Sqlite database instance. */
+  /** Gets an expression that constructs or returns a Sqlite database instance. */
   API::Node database() {
     // new require('sqlite3').Database()
     result = sqlite().getMember("Database").getInstance()
     or
+    // chained call
+    result = getAChainingQueryCall()
+    or
     result = API::Node::ofType("sqlite3", "Database")
   }
 
+  /** A call to a query method on a Sqlite database instance that returns the same instance. */
+  private API::Node getAChainingQueryCall() {
+    result = database().getMember(["all", "each", "exec", "get", "run"]).getReturn()
+  }
+
   /** A call to a Sqlite query method. */
   private class QueryCall extends DatabaseAccess, DataFlow::MethodCallNode {
     QueryCall() {
-      this = database().getMember(["all", "each", "exec", "get", "prepare", "run"]).getACall()
+      this = getAChainingQueryCall().getAnImmediateUse()
+      or
+      this = database().getMember("prepare").getACall()
     }
 
     override DataFlow::Node getAQueryArgument() { result = getArgument(0) }
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
index 81338e00140..cf9470ce355 100644
--- a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
+++ b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
@@ -66,5 +66,6 @@
 | spannerImport.js:4:8:4:17 | "SQL code" |
 | sqlite-types.ts:4:12:4:49 | "UPDATE ... id = ?" |
 | sqlite.js:7:8:7:45 | "UPDATE ... id = ?" |
+| sqlite.js:8:8:8:45 | "UPDATE ... id = ?" |
 | sqliteArray.js:6:12:6:49 | "UPDATE ... id = ?" |
 | sqliteImport.js:2:8:2:44 | "UPDATE ... id = ?" |
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/sqlite.js b/javascript/ql/test/library-tests/frameworks/SQL/sqlite.js
index e2f072902d0..da03517c839 100644
--- a/javascript/ql/test/library-tests/frameworks/SQL/sqlite.js
+++ b/javascript/ql/test/library-tests/frameworks/SQL/sqlite.js
@@ -4,6 +4,7 @@
 var sqlite = require('sqlite3');
 
 var db = new sqlite.Database(":memory:");
-db.run("UPDATE tbl SET name = ? WHERE id = ?", "bar", 2);
+db.run("UPDATE tbl SET name = ? WHERE id = ?", "bar", 2)
+  .run("UPDATE tbl SET name = ? WHERE id = ?", "foo", 3);
 
 exports.db = db;

From dcdd54593e043d0ff889e1ddcb5dd556017d5219 Mon Sep 17 00:00:00 2001
From: Alex Denisov <alex@lowlevelbits.org>
Date: Mon, 10 May 2021 13:03:40 +0200
Subject: [PATCH 0962/1429] C++: Adjust user-defined literals test'
 expectations

---
 cpp/ql/test/library-tests/udl/udl.expected | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/test/library-tests/udl/udl.expected b/cpp/ql/test/library-tests/udl/udl.expected
index fce69664a06..52c57beffc5 100644
--- a/cpp/ql/test/library-tests/udl/udl.expected
+++ b/cpp/ql/test/library-tests/udl/udl.expected
@@ -1,4 +1,4 @@
 | udl.cpp:5:25:5:28 | Xy | udl.cpp:5:25:5:28 | initializer for xy |
 | udl.cpp:6:27:6:34 | XyXy | udl.cpp:6:27:6:34 | initializer for xyxy |
-| udl.cpp:7:26:7:30 | X | udl.cpp:7:26:7:26 | call to operator "_Y |
-| udl.cpp:8:29:8:38 | XX | udl.cpp:8:29:8:29 | call to operator "_Y |
+| udl.cpp:7:26:7:30 | X | udl.cpp:7:26:7:26 | call to operator ""_Y |
+| udl.cpp:8:29:8:38 | XX | udl.cpp:8:29:8:29 | call to operator ""_Y |

From 7f1f2b4dd373f86c344f8963373dae6830e12921 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 10 May 2021 13:05:51 +0200
Subject: [PATCH 0963/1429] C#: Fix `GetHashCode/Equals` on
 `EscapingTextWriter`

---
 csharp/extractor/Semmle.Extraction/EscapingTextWriter.cs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction/EscapingTextWriter.cs b/csharp/extractor/Semmle.Extraction/EscapingTextWriter.cs
index 5f6805de658..6294ec3ffd3 100644
--- a/csharp/extractor/Semmle.Extraction/EscapingTextWriter.cs
+++ b/csharp/extractor/Semmle.Extraction/EscapingTextWriter.cs
@@ -11,7 +11,7 @@ namespace Semmle.Extraction
     /// HTML escapes the characters `&`, `{`, `}`, `"`, `@`, and `#`, before
     /// writing to the underlying object.
     /// </summary>
-    public class EscapingTextWriter : TextWriter
+    public sealed class EscapingTextWriter : TextWriter
     {
         private readonly TextWriter wrapped;
         private readonly bool disposeUnderlying;
@@ -93,7 +93,7 @@ namespace Semmle.Extraction
             => throw new NotImplementedException();
 
         public override bool Equals(object? obj)
-            => wrapped.Equals(obj);
+            => wrapped.Equals(obj) && obj is EscapingTextWriter other && disposeUnderlying == other.disposeUnderlying;
 
         public override void Flush()
             => wrapped.Flush();
@@ -102,7 +102,7 @@ namespace Semmle.Extraction
             => wrapped.FlushAsync();
 
         public override int GetHashCode()
-            => wrapped.GetHashCode();
+            => HashCode.Combine(wrapped, disposeUnderlying);
 
         public override string ToString()
             => wrapped.ToString() ?? "";

From c8f2937df9bd4d990f0cf654161319c668475e13 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Mon, 10 May 2021 14:16:11 +0300
Subject: [PATCH 0964/1429] Update
 DeclarationOfVariableWithUnnecessarilyWideScope.ql

---
 .../DeclarationOfVariableWithUnnecessarilyWideScope.ql | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
index be712b1cb1d..e73f36145c6 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
@@ -27,8 +27,6 @@ class DangerousWhileLoop extends WhileStmt {
     not exp instanceof PointerFieldAccess and
     not exp instanceof ValueFieldAccess and
     exp.(VariableAccess).getTarget().getName() = dl.getName() and
-    not exp.getParent*() instanceof CrementOperation and
-    not exp.getParent*() instanceof Assignment and
     not exp.getParent*() instanceof FunctionCall
   }
 
@@ -37,10 +35,10 @@ class DangerousWhileLoop extends WhileStmt {
   /** Holds when there are changes to the variables involved in the condition. */
   predicate isUseThisVariable() {
     exists(Variable v |
-      exp.(VariableAccess).getTarget() = v and
+      this.getCondition().getAChild*().(VariableAccess).getTarget() = v and
       (
         exists(Assignment aexp |
-          aexp = this.getStmt().getAChild*() and
+          this = aexp.getEnclosingStmt().getParentStmt*() and
           (
             aexp.getLValue().(ArrayExpr).getArrayBase().(VariableAccess).getTarget() = v
             or
@@ -49,7 +47,7 @@ class DangerousWhileLoop extends WhileStmt {
         )
         or
         exists(CrementOperation crm |
-          crm = this.getStmt().getAChild*() and
+          this = crm.getEnclosingStmt().getParentStmt*() and
           crm.getOperand().(VariableAccess).getTarget() = v
         )
       )
@@ -59,4 +57,4 @@ class DangerousWhileLoop extends WhileStmt {
 
 from DangerousWhileLoop lp
 where not lp.isUseThisVariable()
-select lp.getDeclaration(), "A variable with this name is used in the loop condition."
+select lp.getDeclaration(), "A variable with this name is used in the $@ condition.", lp, "loop"

From d3c6093f37d14861a10cf1ef2134c8bc183340d7 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Mon, 10 May 2021 14:16:38 +0300
Subject: [PATCH 0965/1429] Update test.c

---
 .../Security/CWE/CWE-1126/semmle/tests/test.c | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c
index 325c278f697..47d89188e6b 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/test.c
@@ -1,5 +1,6 @@
 void workFunction_0(char *s) {
   int intIndex = 10;
+  int intGuard;
   char buf[80];
   while(intIndex > 2) // GOOD
   {
@@ -14,6 +15,32 @@ void workFunction_0(char *s) {
     intIndex--;
   }
   intIndex = 10;
+  intGuard = 20;
+  while(intIndex < intGuard--) // GOOD
+  {
+    buf[intIndex] = 1;
+    int intIndex;
+    intIndex--;
+  }
+  intIndex = 10;
+  intGuard = 20;
+  while(intIndex < intGuard) // GOOD
+  {
+    buf[intIndex] = 1;
+    int intIndex;
+    intIndex++;
+    intGuard--;
+  }
+  intIndex = 10;
+  intGuard = 20;
+  while(intIndex < intGuard) // GOOD
+  {
+    buf[intIndex] = 1;
+    int intIndex;
+    intIndex--;
+    intGuard -= 4;
+  }
+  intIndex = 10;
   while(intIndex > 2) // GOOD
   {
     buf[intIndex] = 1;

From 3e5dc1efb7ea527e8b2d7b8149ce2f5dbc76a2ef Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 10 May 2021 13:17:25 +0200
Subject: [PATCH 0966/1429] JS: More robust hasUnderlyingType

---
 javascript/ql/src/semmle/javascript/TypeScript.qll           | 2 +-
 javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll    | 1 -
 .../TypeScript/HasUnderlyingType/HasUnderlyingType.expected  | 4 ++++
 .../TypeScript/HasUnderlyingType/HasUnderlyingType.ql        | 4 ++++
 .../test/library-tests/TypeScript/HasUnderlyingType/foo.ts   | 5 +++++
 5 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 javascript/ql/test/library-tests/TypeScript/HasUnderlyingType/foo.ts

diff --git a/javascript/ql/src/semmle/javascript/TypeScript.qll b/javascript/ql/src/semmle/javascript/TypeScript.qll
index 4fe263c8389..0b611140449 100644
--- a/javascript/ql/src/semmle/javascript/TypeScript.qll
+++ b/javascript/ql/src/semmle/javascript/TypeScript.qll
@@ -725,7 +725,7 @@ class TypeAccess extends @typeaccess, TypeExpr, TypeRef {
       spec.getImportedName() = exportedName and
       this = spec.getLocal().(TypeDecl).getLocalTypeName().getAnAccess()
       or
-      spec instanceof ImportNamespaceSpecifier and
+      (spec instanceof ImportNamespaceSpecifier or spec instanceof ImportDefaultSpecifier) and
       this =
         spec.getLocal().(LocalNamespaceDecl).getLocalNamespaceName().getAMemberAccess(exportedName)
     )
diff --git a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
index c73c894ca4b..f02e9b0f287 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -239,7 +239,6 @@ module DataFlow {
     private TypeAnnotation getFallbackTypeAnnotation() {
       exists(BindingPattern pattern |
         this = valueNode(pattern) and
-        not ast_node_type(pattern, _) and
         result = pattern.getTypeAnnotation()
       )
       or
diff --git a/javascript/ql/test/library-tests/TypeScript/HasUnderlyingType/HasUnderlyingType.expected b/javascript/ql/test/library-tests/TypeScript/HasUnderlyingType/HasUnderlyingType.expected
index 95c6d7e03d9..47e57e0a242 100644
--- a/javascript/ql/test/library-tests/TypeScript/HasUnderlyingType/HasUnderlyingType.expected
+++ b/javascript/ql/test/library-tests/TypeScript/HasUnderlyingType/HasUnderlyingType.expected
@@ -1,2 +1,6 @@
+underlyingTypeNode
+| foo | Bar | foo.ts:3:1:5:1 | use (instance (member Bar (member exports (module foo)))) |
+| foo | Bar | foo.ts:3:12:3:12 | use (instance (member Bar (member exports (module foo)))) |
+#select
 | tst.ts:8:14:8:16 | arg | Base in global scope |
 | tst.ts:8:14:8:16 | arg | Sub in global scope |
diff --git a/javascript/ql/test/library-tests/TypeScript/HasUnderlyingType/HasUnderlyingType.ql b/javascript/ql/test/library-tests/TypeScript/HasUnderlyingType/HasUnderlyingType.ql
index 77e311b3b76..72d4e6d0f3d 100644
--- a/javascript/ql/test/library-tests/TypeScript/HasUnderlyingType/HasUnderlyingType.ql
+++ b/javascript/ql/test/library-tests/TypeScript/HasUnderlyingType/HasUnderlyingType.ql
@@ -3,3 +3,7 @@ import javascript
 from Expr e, TypeName typeName
 where e.getType().hasUnderlyingTypeName(typeName)
 select e, typeName
+
+query API::Node underlyingTypeNode(string mod, string name) {
+  result = API::Node::ofType(mod, name)
+}
diff --git a/javascript/ql/test/library-tests/TypeScript/HasUnderlyingType/foo.ts b/javascript/ql/test/library-tests/TypeScript/HasUnderlyingType/foo.ts
new file mode 100644
index 00000000000..1b5be79068a
--- /dev/null
+++ b/javascript/ql/test/library-tests/TypeScript/HasUnderlyingType/foo.ts
@@ -0,0 +1,5 @@
+import foo from "foo";
+
+function f(x: foo.Bar) {
+  return x;
+}

From 9e5a38debd315a8f7ca90c9bcc78d7798b334e5d Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Mon, 10 May 2021 14:17:40 +0300
Subject: [PATCH 0967/1429] Update
 DeclarationOfVariableWithUnnecessarilyWideScope.expected

---
 .../DeclarationOfVariableWithUnnecessarilyWideScope.expected    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.expected
index 4b29dad8779..244a28cf332 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-1126/semmle/tests/DeclarationOfVariableWithUnnecessarilyWideScope.expected
@@ -1 +1 @@
-| test.c:13:9:13:16 | intIndex | A variable with this name is used in the loop condition. |
+| test.c:14:9:14:16 | intIndex | A variable with this name is used in the $@ condition. | test.c:11:3:16:3 | while (...) ... | loop |

From d6f9e37e3943f689891df1360c651c61c0a403e6 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 10 May 2021 13:31:00 +0200
Subject: [PATCH 0968/1429] add printAst.ql support for regular expressions

---
 .../ql/src/semmle/javascript/PrintAst.qll     |  36 +++-
 .../ql/src/semmle/javascript/Regexp.qll       | 100 +++++++++--
 .../library-tests/TypeScript/Types/dummy.ts   |   2 +
 .../TypeScript/Types/printAst.expected        | 163 +++++++++++-------
 .../TypeScript/Types/tests.expected           |   2 +
 5 files changed, 219 insertions(+), 84 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/PrintAst.qll b/javascript/ql/src/semmle/javascript/PrintAst.qll
index 0499e3bd547..99f06354d74 100644
--- a/javascript/ql/src/semmle/javascript/PrintAst.qll
+++ b/javascript/ql/src/semmle/javascript/PrintAst.qll
@@ -73,7 +73,8 @@ private newtype TPrintAstNode =
   THTMLAttributesNodes(HTML::Element e) { shouldPrint(e, _) and not isNotNeeded(e) } or
   THTMLAttributeNode(HTML::Attribute attr) { shouldPrint(attr, _) and not isNotNeeded(attr) } or
   THTMLScript(Script script) { shouldPrint(script, _) and not isNotNeeded(script) } or
-  THTMLCodeInAttr(CodeInAttribute attr) { shouldPrint(attr, _) and not isNotNeeded(attr) }
+  THTMLCodeInAttr(CodeInAttribute attr) { shouldPrint(attr, _) and not isNotNeeded(attr) } or
+  TRegExpTermNode(RegExpTerm term) { term.isUsedAsRegExp() }
 
 /**
  * A node in the output tree.
@@ -282,6 +283,39 @@ private module PrintJavaScript {
     }
   }
 
+  /**
+   * A print node for regexp literals.
+   *
+   * The single child of this node is the root `RegExpTerm`.
+   */
+  class RegexpNode extends ElementNode {
+    override RegExpLiteral element;
+
+    override PrintAstNode getChild(int childIndex) {
+      childIndex = 0 and
+      result.(RegExpTermNode).getTerm() = element.getRoot()
+    }
+  }
+
+  /**
+   * A print node for regexp terms.
+   */
+  class RegExpTermNode extends PrintAstNode, TRegExpTermNode {
+    RegExpTerm term;
+
+    RegExpTermNode() { this = TRegExpTermNode(term) }
+
+    RegExpTerm getTerm() { result = term }
+
+    override PrintAstNode getChild(int childIndex) {
+      result.(RegExpTermNode).getTerm() = term.getChild(childIndex)
+    }
+
+    override string toString() { result = getQlClass(term) + term.toString() }
+
+    override Location getLocation() { result = term.getLocation() }
+  }
+
   /**
    * An aggregate node representing all the arguments for an function invocation.
    */
diff --git a/javascript/ql/src/semmle/javascript/Regexp.qll b/javascript/ql/src/semmle/javascript/Regexp.qll
index a34b052005d..d3b7e9cac7e 100644
--- a/javascript/ql/src/semmle/javascript/Regexp.qll
+++ b/javascript/ql/src/semmle/javascript/Regexp.qll
@@ -215,7 +215,9 @@ class InfiniteRepetitionQuantifier extends RegExpQuantifier {
  * \w
  * ```
  */
-class RegExpEscape extends RegExpTerm, @regexp_escape { }
+class RegExpEscape extends RegExpTerm, @regexp_escape {
+  override string getAPrimaryQlClass() { result = "RegExpEscape" }
+}
 
 /**
  * A constant regular expression term, that is, a regular expression
@@ -240,6 +242,8 @@ class RegExpConstant extends RegExpTerm, @regexp_constant {
   override predicate isNullable() { none() }
 
   override string getConstantValue() { result = getValue() }
+
+  override string getAPrimaryQlClass() { result = "RegExpConstant" }
 }
 
 /**
@@ -264,6 +268,8 @@ class RegExpCharEscape extends RegExpEscape, RegExpConstant, @regexp_char_escape
       )
     )
   }
+
+  override string getAPrimaryQlClass() { result = "RegExpCharEscape" }
 }
 
 /**
@@ -285,6 +291,8 @@ class RegExpAlt extends RegExpTerm, @regexp_alt {
   override predicate isNullable() { getAlternative().isNullable() }
 
   override string getAMatchedString() { result = getAlternative().getAMatchedString() }
+
+  override string getAPrimaryQlClass() { result = "RegExpAlt" }
 }
 
 /**
@@ -332,6 +340,8 @@ class RegExpSequence extends RegExpTerm, @regexp_seq {
       result = this.getChild(i + 1)
     )
   }
+
+  override string getAPrimaryQlClass() { result = "RegExpSequence" }
 }
 
 /**
@@ -346,6 +356,8 @@ class RegExpSequence extends RegExpTerm, @regexp_seq {
  */
 class RegExpAnchor extends RegExpTerm, @regexp_anchor {
   override predicate isNullable() { any() }
+
+  override string getAPrimaryQlClass() { result = "RegExpAnchor" }
 }
 
 /**
@@ -357,7 +369,9 @@ class RegExpAnchor extends RegExpTerm, @regexp_anchor {
  * ^
  * ```
  */
-class RegExpCaret extends RegExpAnchor, @regexp_caret { }
+class RegExpCaret extends RegExpAnchor, @regexp_caret {
+  override string getAPrimaryQlClass() { result = "RegExpCaret" }
+}
 
 /**
  * A dollar assertion `$` matching the end of a line.
@@ -368,7 +382,9 @@ class RegExpCaret extends RegExpAnchor, @regexp_caret { }
  * $
  * ```
  */
-class RegExpDollar extends RegExpAnchor, @regexp_dollar { }
+class RegExpDollar extends RegExpAnchor, @regexp_dollar {
+  override string getAPrimaryQlClass() { result = "RegExpDollar" }
+}
 
 /**
  * A word boundary assertion.
@@ -381,6 +397,8 @@ class RegExpDollar extends RegExpAnchor, @regexp_dollar { }
  */
 class RegExpWordBoundary extends RegExpTerm, @regexp_wordboundary {
   override predicate isNullable() { any() }
+
+  override string getAPrimaryQlClass() { result = "RegExpWordBoundary" }
 }
 
 /**
@@ -394,6 +412,8 @@ class RegExpWordBoundary extends RegExpTerm, @regexp_wordboundary {
  */
 class RegExpNonWordBoundary extends RegExpTerm, @regexp_nonwordboundary {
   override predicate isNullable() { any() }
+
+  override string getAPrimaryQlClass() { result = "RegExpNonWordBoundary" }
 }
 
 /**
@@ -425,7 +445,9 @@ class RegExpSubPattern extends RegExpTerm, @regexp_subpattern {
  * (?!\n)
  * ```
  */
-class RegExpLookahead extends RegExpSubPattern, @regexp_lookahead { }
+class RegExpLookahead extends RegExpSubPattern, @regexp_lookahead {
+  override string getAPrimaryQlClass() { result = "RegExpLookahead" }
+}
 
 /**
  * A zero-width lookbehind assertion.
@@ -437,7 +459,9 @@ class RegExpLookahead extends RegExpSubPattern, @regexp_lookahead { }
  * (?<!\\)
  * ```
  */
-class RegExpLookbehind extends RegExpSubPattern, @regexp_lookbehind { }
+class RegExpLookbehind extends RegExpSubPattern, @regexp_lookbehind {
+  override string getAPrimaryQlClass() { result = "RegExpLookbehind" }
+}
 
 /**
  * A positive-lookahead assertion.
@@ -448,7 +472,9 @@ class RegExpLookbehind extends RegExpSubPattern, @regexp_lookbehind { }
  * (?=\w)
  * ```
  */
-class RegExpPositiveLookahead extends RegExpLookahead, @regexp_positive_lookahead { }
+class RegExpPositiveLookahead extends RegExpLookahead, @regexp_positive_lookahead {
+  override string getAPrimaryQlClass() { result = "RegExpPositiveLookahead" }
+}
 
 /**
  * A negative-lookahead assertion.
@@ -459,7 +485,9 @@ class RegExpPositiveLookahead extends RegExpLookahead, @regexp_positive_lookahea
  * (?!\n)
  * ```
  */
-class RegExpNegativeLookahead extends RegExpLookahead, @regexp_negative_lookahead { }
+class RegExpNegativeLookahead extends RegExpLookahead, @regexp_negative_lookahead {
+  override string getAPrimaryQlClass() { result = "RegExpNegativeLookahead" }
+}
 
 /**
  * A positive-lookbehind assertion.
@@ -470,7 +498,9 @@ class RegExpNegativeLookahead extends RegExpLookahead, @regexp_negative_lookahea
  * (?<=\.)
  * ```
  */
-class RegExpPositiveLookbehind extends RegExpLookbehind, @regexp_positive_lookbehind { }
+class RegExpPositiveLookbehind extends RegExpLookbehind, @regexp_positive_lookbehind {
+  override string getAPrimaryQlClass() { result = "RegExpPositiveLookbehind" }
+}
 
 /**
  * A negative-lookbehind assertion.
@@ -481,7 +511,9 @@ class RegExpPositiveLookbehind extends RegExpLookbehind, @regexp_positive_lookbe
  * (?<!\\)
  * ```
  */
-class RegExpNegativeLookbehind extends RegExpLookbehind, @regexp_negative_lookbehind { }
+class RegExpNegativeLookbehind extends RegExpLookbehind, @regexp_negative_lookbehind {
+  override string getAPrimaryQlClass() { result = "RegExpNegativeLookbehind" }
+}
 
 /**
  * A star-quantified term.
@@ -494,6 +526,8 @@ class RegExpNegativeLookbehind extends RegExpLookbehind, @regexp_negative_lookbe
  */
 class RegExpStar extends RegExpQuantifier, @regexp_star {
   override predicate isNullable() { any() }
+
+  override string getAPrimaryQlClass() { result = "RegExpStar" }
 }
 
 /**
@@ -507,6 +541,8 @@ class RegExpStar extends RegExpQuantifier, @regexp_star {
  */
 class RegExpPlus extends RegExpQuantifier, @regexp_plus {
   override predicate isNullable() { getAChild().isNullable() }
+
+  override string getAPrimaryQlClass() { result = "RegExpPlus" }
 }
 
 /**
@@ -520,6 +556,8 @@ class RegExpPlus extends RegExpQuantifier, @regexp_plus {
  */
 class RegExpOpt extends RegExpQuantifier, @regexp_opt {
   override predicate isNullable() { any() }
+
+  override string getAPrimaryQlClass() { result = "RegExpOpt" }
 }
 
 /**
@@ -550,6 +588,8 @@ class RegExpRange extends RegExpQuantifier, @regexp_range {
     getAChild().isNullable() or
     getLowerBound() = 0
   }
+
+  override string getAPrimaryQlClass() { result = "RegExpRange" }
 }
 
 /**
@@ -563,6 +603,8 @@ class RegExpRange extends RegExpQuantifier, @regexp_range {
  */
 class RegExpDot extends RegExpTerm, @regexp_dot {
   override predicate isNullable() { none() }
+
+  override string getAPrimaryQlClass() { result = "RegExpDot" }
 }
 
 /**
@@ -602,6 +644,8 @@ class RegExpGroup extends RegExpTerm, @regexp_group {
   override string getConstantValue() { result = getAChild().getConstantValue() }
 
   override string getAMatchedString() { result = getAChild().getAMatchedString() }
+
+  override string getAPrimaryQlClass() { result = "RegExpGroup" }
 }
 
 /**
@@ -614,7 +658,9 @@ class RegExpGroup extends RegExpTerm, @regexp_group {
  * ;
  * ```
  */
-class RegExpNormalConstant extends RegExpConstant, @regexp_normal_constant { }
+class RegExpNormalConstant extends RegExpConstant, @regexp_normal_constant {
+  override string getAPrimaryQlClass() { result = "RegExpNormalConstant" }
+}
 
 /**
  * DEPRECATED. Use `RegExpNormalConstant` instead.
@@ -634,7 +680,9 @@ deprecated class RegExpNormalChar = RegExpNormalConstant;
  * \x0a
  * ```
  */
-class RegExpHexEscape extends RegExpCharEscape, @regexp_hex_escape { }
+class RegExpHexEscape extends RegExpCharEscape, @regexp_hex_escape {
+  override string getAPrimaryQlClass() { result = "RegExpHexEscape" }
+}
 
 /**
  * A unicode character escape in a regular expression.
@@ -645,7 +693,9 @@ class RegExpHexEscape extends RegExpCharEscape, @regexp_hex_escape { }
  * \u000a
  * ```
  */
-class RegExpUnicodeEscape extends RegExpCharEscape, @regexp_unicode_escape { }
+class RegExpUnicodeEscape extends RegExpCharEscape, @regexp_unicode_escape {
+  override string getAPrimaryQlClass() { result = "RegExpUnicodeEscape" }
+}
 
 /**
  * A decimal character escape in a regular expression.
@@ -656,7 +706,9 @@ class RegExpUnicodeEscape extends RegExpCharEscape, @regexp_unicode_escape { }
  * \0
  * ```
  */
-class RegExpDecimalEscape extends RegExpCharEscape, @regexp_dec_escape { }
+class RegExpDecimalEscape extends RegExpCharEscape, @regexp_dec_escape {
+  override string getAPrimaryQlClass() { result = "RegExpDecimalEscape" }
+}
 
 /**
  * An octal character escape in a regular expression.
@@ -667,7 +719,9 @@ class RegExpDecimalEscape extends RegExpCharEscape, @regexp_dec_escape { }
  * \0177
  * ```
  */
-class RegExpOctalEscape extends RegExpCharEscape, @regexp_oct_escape { }
+class RegExpOctalEscape extends RegExpCharEscape, @regexp_oct_escape {
+  override string getAPrimaryQlClass() { result = "RegExpOctalEscape" }
+}
 
 /**
  * A control character escape in a regular expression.
@@ -678,7 +732,9 @@ class RegExpOctalEscape extends RegExpCharEscape, @regexp_oct_escape { }
  * \ca
  * ```
  */
-class RegExpControlEscape extends RegExpCharEscape, @regexp_ctrl_escape { }
+class RegExpControlEscape extends RegExpCharEscape, @regexp_ctrl_escape {
+  override string getAPrimaryQlClass() { result = "RegExpControlEscape" }
+}
 
 /**
  * A character class escape in a regular expression.
@@ -695,6 +751,8 @@ class RegExpCharacterClassEscape extends RegExpEscape, @regexp_char_class_escape
   string getValue() { char_class_escape(this, result) }
 
   override predicate isNullable() { none() }
+
+  override string getAPrimaryQlClass() { result = "RegExpCharacterClassEscape" }
 }
 
 /**
@@ -723,6 +781,8 @@ class RegExpUnicodePropertyEscape extends RegExpEscape, @regexp_unicode_property
   string getValue() { unicode_property_escapevalue(this, result) }
 
   override predicate isNullable() { none() }
+
+  override string getAPrimaryQlClass() { result = "RegExpUnicodePropertyEscape" }
 }
 
 /**
@@ -736,7 +796,9 @@ class RegExpUnicodePropertyEscape extends RegExpEscape, @regexp_unicode_property
  * \/
  * ```
  */
-class RegExpIdentityEscape extends RegExpCharEscape, @regexp_id_escape { }
+class RegExpIdentityEscape extends RegExpCharEscape, @regexp_id_escape {
+  override string getAPrimaryQlClass() { result = "RegExpIdentityEscape" }
+}
 
 /**
  * A back reference, that is, a term of the form `\i` or `\k<name>`
@@ -770,6 +832,8 @@ class RegExpBackRef extends RegExpTerm, @regexp_backref {
   }
 
   override predicate isNullable() { getGroup().isNullable() }
+
+  override string getAPrimaryQlClass() { result = "RegExpBackRef" }
 }
 
 /**
@@ -808,6 +872,8 @@ class RegExpCharacterClass extends RegExpTerm, @regexp_char_class {
       cce1 != cce2 and cce1.toLowerCase() = cce2.toLowerCase()
     )
   }
+
+  override string getAPrimaryQlClass() { result = "RegExpCharacterClass" }
 }
 
 /**
@@ -827,6 +893,8 @@ class RegExpCharacterRange extends RegExpTerm, @regexp_char_range {
     lo = getChild(0).(RegExpConstant).getValue() and
     hi = getChild(1).(RegExpConstant).getValue()
   }
+
+  override string getAPrimaryQlClass() { result = "RegExpCharacterRange" }
 }
 
 /** A parse error encountered while processing a regular expression literal. */
diff --git a/javascript/ql/test/library-tests/TypeScript/Types/dummy.ts b/javascript/ql/test/library-tests/TypeScript/Types/dummy.ts
index 77f17538e18..d36be434986 100644
--- a/javascript/ql/test/library-tests/TypeScript/Types/dummy.ts
+++ b/javascript/ql/test/library-tests/TypeScript/Types/dummy.ts
@@ -1,2 +1,4 @@
 // Dummy file to be imported so the other files are seen as modules.
 export let x = 5;
+
+export let reg = /ab+c/;
\ No newline at end of file
diff --git a/javascript/ql/test/library-tests/TypeScript/Types/printAst.expected b/javascript/ql/test/library-tests/TypeScript/Types/printAst.expected
index bd50eaa28ec..1f39b308479 100644
--- a/javascript/ql/test/library-tests/TypeScript/Types/printAst.expected
+++ b/javascript/ql/test/library-tests/TypeScript/Types/printAst.expected
@@ -74,6 +74,17 @@ nodes
 | dummy.ts:2:12:2:12 | [VarDecl] x | semmle.label | [VarDecl] x |
 | dummy.ts:2:12:2:16 | [VariableDeclarator] x = 5 | semmle.label | [VariableDeclarator] x = 5 |
 | dummy.ts:2:16:2:16 | [Literal] 5 | semmle.label | [Literal] 5 |
+| dummy.ts:4:1:4:24 | [ExportDeclaration] export ... /ab+c/; | semmle.label | [ExportDeclaration] export ... /ab+c/; |
+| dummy.ts:4:1:4:24 | [ExportDeclaration] export ... /ab+c/; | semmle.order | 13 |
+| dummy.ts:4:8:4:24 | [DeclStmt] let reg = ... | semmle.label | [DeclStmt] let reg = ... |
+| dummy.ts:4:12:4:14 | [VarDecl] reg | semmle.label | [VarDecl] reg |
+| dummy.ts:4:12:4:23 | [VariableDeclarator] reg = /ab+c/ | semmle.label | [VariableDeclarator] reg = /ab+c/ |
+| dummy.ts:4:18:4:23 | [RegExpLiteral] /ab+c/ | semmle.label | [RegExpLiteral] /ab+c/ |
+| dummy.ts:4:19:4:19 | [RegExpNormalConstant] a | semmle.label | [RegExpNormalConstant] a |
+| dummy.ts:4:19:4:22 | [RegExpSequence] ab+c | semmle.label | [RegExpSequence] ab+c |
+| dummy.ts:4:20:4:20 | [RegExpNormalConstant] b | semmle.label | [RegExpNormalConstant] b |
+| dummy.ts:4:20:4:21 | [RegExpPlus] b+ | semmle.label | [RegExpPlus] b+ |
+| dummy.ts:4:22:4:22 | [RegExpNormalConstant] c | semmle.label | [RegExpNormalConstant] c |
 | file://:0:0:0:0 | (Parameters) | semmle.label | (Parameters) |
 | file://:0:0:0:0 | (Parameters) | semmle.label | (Parameters) |
 | file://:0:0:0:0 | (Parameters) | semmle.label | (Parameters) |
@@ -85,7 +96,7 @@ nodes
 | file://:0:0:0:0 | (TypeParameters) | semmle.label | (TypeParameters) |
 | file://:0:0:0:0 | (TypeParameters) | semmle.label | (TypeParameters) |
 | middle-rest.ts:1:1:1:40 | [DeclStmt] let foo = ... | semmle.label | [DeclStmt] let foo = ... |
-| middle-rest.ts:1:1:1:40 | [DeclStmt] let foo = ... | semmle.order | 13 |
+| middle-rest.ts:1:1:1:40 | [DeclStmt] let foo = ... | semmle.order | 14 |
 | middle-rest.ts:1:5:1:7 | [VarDecl] foo | semmle.label | [VarDecl] foo |
 | middle-rest.ts:1:5:1:39 | [VariableDeclarator] foo: [b ... number] | semmle.label | [VariableDeclarator] foo: [b ... number] |
 | middle-rest.ts:1:10:1:39 | [TupleTypeExpr] [boolea ... number] | semmle.label | [TupleTypeExpr] [boolea ... number] |
@@ -97,55 +108,55 @@ nodes
 | middle-rest.ts:3:1:3:3 | [VarRef] foo | semmle.label | [VarRef] foo |
 | middle-rest.ts:3:1:3:26 | [AssignExpr] foo = [ ... ", 123] | semmle.label | [AssignExpr] foo = [ ... ", 123] |
 | middle-rest.ts:3:1:3:27 | [ExprStmt] foo = [ ... , 123]; | semmle.label | [ExprStmt] foo = [ ... , 123]; |
-| middle-rest.ts:3:1:3:27 | [ExprStmt] foo = [ ... , 123]; | semmle.order | 14 |
+| middle-rest.ts:3:1:3:27 | [ExprStmt] foo = [ ... , 123]; | semmle.order | 15 |
 | middle-rest.ts:3:7:3:26 | [ArrayExpr] [true, "hello", 123] | semmle.label | [ArrayExpr] [true, "hello", 123] |
 | middle-rest.ts:3:8:3:11 | [Literal] true | semmle.label | [Literal] true |
 | middle-rest.ts:3:14:3:20 | [Literal] "hello" | semmle.label | [Literal] "hello" |
 | middle-rest.ts:3:23:3:25 | [Literal] 123 | semmle.label | [Literal] 123 |
 | tst.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.label | [ImportDeclaration] import ... dummy"; |
-| tst.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.order | 15 |
+| tst.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.order | 16 |
 | tst.ts:1:8:1:17 | [ImportSpecifier] * as dummy | semmle.label | [ImportSpecifier] * as dummy |
 | tst.ts:1:13:1:17 | [VarDecl] dummy | semmle.label | [VarDecl] dummy |
 | tst.ts:1:24:1:32 | [Literal] "./dummy" | semmle.label | [Literal] "./dummy" |
 | tst.ts:3:1:3:19 | [DeclStmt] var numVar = ... | semmle.label | [DeclStmt] var numVar = ... |
-| tst.ts:3:1:3:19 | [DeclStmt] var numVar = ... | semmle.order | 16 |
+| tst.ts:3:1:3:19 | [DeclStmt] var numVar = ... | semmle.order | 17 |
 | tst.ts:3:5:3:10 | [VarDecl] numVar | semmle.label | [VarDecl] numVar |
 | tst.ts:3:5:3:18 | [VariableDeclarator] numVar: number | semmle.label | [VariableDeclarator] numVar: number |
 | tst.ts:3:13:3:18 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
 | tst.ts:5:1:5:18 | [DeclStmt] var num1 = ... | semmle.label | [DeclStmt] var num1 = ... |
-| tst.ts:5:1:5:18 | [DeclStmt] var num1 = ... | semmle.order | 17 |
+| tst.ts:5:1:5:18 | [DeclStmt] var num1 = ... | semmle.order | 18 |
 | tst.ts:5:5:5:8 | [VarDecl] num1 | semmle.label | [VarDecl] num1 |
 | tst.ts:5:5:5:17 | [VariableDeclarator] num1 = numVar | semmle.label | [VariableDeclarator] num1 = numVar |
 | tst.ts:5:12:5:17 | [VarRef] numVar | semmle.label | [VarRef] numVar |
 | tst.ts:6:1:6:13 | [DeclStmt] var num2 = ... | semmle.label | [DeclStmt] var num2 = ... |
-| tst.ts:6:1:6:13 | [DeclStmt] var num2 = ... | semmle.order | 18 |
+| tst.ts:6:1:6:13 | [DeclStmt] var num2 = ... | semmle.order | 19 |
 | tst.ts:6:5:6:8 | [VarDecl] num2 | semmle.label | [VarDecl] num2 |
 | tst.ts:6:5:6:12 | [VariableDeclarator] num2 = 5 | semmle.label | [VariableDeclarator] num2 = 5 |
 | tst.ts:6:12:6:12 | [Literal] 5 | semmle.label | [Literal] 5 |
 | tst.ts:7:1:7:23 | [DeclStmt] var num3 = ... | semmle.label | [DeclStmt] var num3 = ... |
-| tst.ts:7:1:7:23 | [DeclStmt] var num3 = ... | semmle.order | 19 |
+| tst.ts:7:1:7:23 | [DeclStmt] var num3 = ... | semmle.order | 20 |
 | tst.ts:7:5:7:8 | [VarDecl] num3 | semmle.label | [VarDecl] num3 |
 | tst.ts:7:5:7:22 | [VariableDeclarator] num3 = num1 + num2 | semmle.label | [VariableDeclarator] num3 = num1 + num2 |
 | tst.ts:7:12:7:15 | [VarRef] num1 | semmle.label | [VarRef] num1 |
 | tst.ts:7:12:7:22 | [BinaryExpr] num1 + num2 | semmle.label | [BinaryExpr] num1 + num2 |
 | tst.ts:7:19:7:22 | [VarRef] num2 | semmle.label | [VarRef] num2 |
 | tst.ts:9:1:9:19 | [DeclStmt] var strVar = ... | semmle.label | [DeclStmt] var strVar = ... |
-| tst.ts:9:1:9:19 | [DeclStmt] var strVar = ... | semmle.order | 20 |
+| tst.ts:9:1:9:19 | [DeclStmt] var strVar = ... | semmle.order | 21 |
 | tst.ts:9:5:9:10 | [VarDecl] strVar | semmle.label | [VarDecl] strVar |
 | tst.ts:9:5:9:18 | [VariableDeclarator] strVar: string | semmle.label | [VariableDeclarator] strVar: string |
 | tst.ts:9:13:9:18 | [KeywordTypeExpr] string | semmle.label | [KeywordTypeExpr] string |
 | tst.ts:10:1:10:20 | [DeclStmt] var hello = ... | semmle.label | [DeclStmt] var hello = ... |
-| tst.ts:10:1:10:20 | [DeclStmt] var hello = ... | semmle.order | 21 |
+| tst.ts:10:1:10:20 | [DeclStmt] var hello = ... | semmle.order | 22 |
 | tst.ts:10:5:10:9 | [VarDecl] hello | semmle.label | [VarDecl] hello |
 | tst.ts:10:5:10:19 | [VariableDeclarator] hello = "hello" | semmle.label | [VariableDeclarator] hello = "hello" |
 | tst.ts:10:13:10:19 | [Literal] "hello" | semmle.label | [Literal] "hello" |
 | tst.ts:11:1:11:20 | [DeclStmt] var world = ... | semmle.label | [DeclStmt] var world = ... |
-| tst.ts:11:1:11:20 | [DeclStmt] var world = ... | semmle.order | 22 |
+| tst.ts:11:1:11:20 | [DeclStmt] var world = ... | semmle.order | 23 |
 | tst.ts:11:5:11:9 | [VarDecl] world | semmle.label | [VarDecl] world |
 | tst.ts:11:5:11:19 | [VariableDeclarator] world = "world" | semmle.label | [VariableDeclarator] world = "world" |
 | tst.ts:11:13:11:19 | [Literal] "world" | semmle.label | [Literal] "world" |
 | tst.ts:12:1:12:30 | [DeclStmt] var msg = ... | semmle.label | [DeclStmt] var msg = ... |
-| tst.ts:12:1:12:30 | [DeclStmt] var msg = ... | semmle.order | 23 |
+| tst.ts:12:1:12:30 | [DeclStmt] var msg = ... | semmle.order | 24 |
 | tst.ts:12:5:12:7 | [VarDecl] msg | semmle.label | [VarDecl] msg |
 | tst.ts:12:5:12:29 | [VariableDeclarator] msg = h ... + world | semmle.label | [VariableDeclarator] msg = h ... + world |
 | tst.ts:12:11:12:15 | [VarRef] hello | semmle.label | [VarRef] hello |
@@ -154,7 +165,7 @@ nodes
 | tst.ts:12:19:12:21 | [Literal] " " | semmle.label | [Literal] " " |
 | tst.ts:12:25:12:29 | [VarRef] world | semmle.label | [VarRef] world |
 | tst.ts:14:1:14:63 | [FunctionDeclStmt] functio ... + y; } | semmle.label | [FunctionDeclStmt] functio ... + y; } |
-| tst.ts:14:1:14:63 | [FunctionDeclStmt] functio ... + y; } | semmle.order | 24 |
+| tst.ts:14:1:14:63 | [FunctionDeclStmt] functio ... + y; } | semmle.order | 25 |
 | tst.ts:14:10:14:15 | [VarDecl] concat | semmle.label | [VarDecl] concat |
 | tst.ts:14:17:14:17 | [SimpleParameter] x | semmle.label | [SimpleParameter] x |
 | tst.ts:14:20:14:25 | [KeywordTypeExpr] string | semmle.label | [KeywordTypeExpr] string |
@@ -167,7 +178,7 @@ nodes
 | tst.ts:14:56:14:60 | [BinaryExpr] x + y | semmle.label | [BinaryExpr] x + y |
 | tst.ts:14:60:14:60 | [VarRef] y | semmle.label | [VarRef] y |
 | tst.ts:16:1:16:60 | [FunctionDeclStmt] functio ... + y; } | semmle.label | [FunctionDeclStmt] functio ... + y; } |
-| tst.ts:16:1:16:60 | [FunctionDeclStmt] functio ... + y; } | semmle.order | 25 |
+| tst.ts:16:1:16:60 | [FunctionDeclStmt] functio ... + y; } | semmle.order | 26 |
 | tst.ts:16:10:16:12 | [VarDecl] add | semmle.label | [VarDecl] add |
 | tst.ts:16:14:16:14 | [SimpleParameter] x | semmle.label | [SimpleParameter] x |
 | tst.ts:16:17:16:22 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
@@ -180,7 +191,7 @@ nodes
 | tst.ts:16:53:16:57 | [BinaryExpr] x + y | semmle.label | [BinaryExpr] x + y |
 | tst.ts:16:57:16:57 | [VarRef] y | semmle.label | [VarRef] y |
 | tst.ts:18:1:18:40 | [FunctionDeclStmt] functio ... + y; } | semmle.label | [FunctionDeclStmt] functio ... + y; } |
-| tst.ts:18:1:18:40 | [FunctionDeclStmt] functio ... + y; } | semmle.order | 26 |
+| tst.ts:18:1:18:40 | [FunctionDeclStmt] functio ... + y; } | semmle.order | 27 |
 | tst.ts:18:10:18:16 | [VarDecl] untyped | semmle.label | [VarDecl] untyped |
 | tst.ts:18:18:18:18 | [SimpleParameter] x | semmle.label | [SimpleParameter] x |
 | tst.ts:18:21:18:21 | [SimpleParameter] y | semmle.label | [SimpleParameter] y |
@@ -190,7 +201,7 @@ nodes
 | tst.ts:18:33:18:37 | [BinaryExpr] x + y | semmle.label | [BinaryExpr] x + y |
 | tst.ts:18:37:18:37 | [VarRef] y | semmle.label | [VarRef] y |
 | tst.ts:20:1:20:53 | [FunctionDeclStmt] functio ... + y; } | semmle.label | [FunctionDeclStmt] functio ... + y; } |
-| tst.ts:20:1:20:53 | [FunctionDeclStmt] functio ... + y; } | semmle.order | 27 |
+| tst.ts:20:1:20:53 | [FunctionDeclStmt] functio ... + y; } | semmle.order | 28 |
 | tst.ts:20:10:20:21 | [VarDecl] partialTyped | semmle.label | [VarDecl] partialTyped |
 | tst.ts:20:23:20:23 | [SimpleParameter] x | semmle.label | [SimpleParameter] x |
 | tst.ts:20:26:20:26 | [SimpleParameter] y | semmle.label | [SimpleParameter] y |
@@ -201,7 +212,7 @@ nodes
 | tst.ts:20:46:20:50 | [BinaryExpr] x + y | semmle.label | [BinaryExpr] x + y |
 | tst.ts:20:50:20:50 | [VarRef] y | semmle.label | [VarRef] y |
 | tst.ts:22:1:22:34 | [ForOfStmt] for (le ... 2]) {} | semmle.label | [ForOfStmt] for (le ... 2]) {} |
-| tst.ts:22:1:22:34 | [ForOfStmt] for (le ... 2]) {} | semmle.order | 28 |
+| tst.ts:22:1:22:34 | [ForOfStmt] for (le ... 2]) {} | semmle.order | 29 |
 | tst.ts:22:6:22:20 | [DeclStmt] let numFromLoop = ... | semmle.label | [DeclStmt] let numFromLoop = ... |
 | tst.ts:22:10:22:20 | [VarDecl] numFromLoop | semmle.label | [VarDecl] numFromLoop |
 | tst.ts:22:10:22:20 | [VariableDeclarator] numFromLoop | semmle.label | [VariableDeclarator] numFromLoop |
@@ -210,54 +221,54 @@ nodes
 | tst.ts:22:29:22:29 | [Literal] 2 | semmle.label | [Literal] 2 |
 | tst.ts:22:33:22:34 | [BlockStmt] {} | semmle.label | [BlockStmt] {} |
 | tst.ts:24:1:24:20 | [DeclStmt] let array = ... | semmle.label | [DeclStmt] let array = ... |
-| tst.ts:24:1:24:20 | [DeclStmt] let array = ... | semmle.order | 29 |
+| tst.ts:24:1:24:20 | [DeclStmt] let array = ... | semmle.order | 30 |
 | tst.ts:24:5:24:9 | [VarDecl] array | semmle.label | [VarDecl] array |
 | tst.ts:24:5:24:19 | [VariableDeclarator] array: number[] | semmle.label | [VariableDeclarator] array: number[] |
 | tst.ts:24:12:24:17 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
 | tst.ts:24:12:24:19 | [ArrayTypeExpr] number[] | semmle.label | [ArrayTypeExpr] number[] |
 | tst.ts:26:1:26:25 | [DeclStmt] let voidType = ... | semmle.label | [DeclStmt] let voidType = ... |
-| tst.ts:26:1:26:25 | [DeclStmt] let voidType = ... | semmle.order | 30 |
+| tst.ts:26:1:26:25 | [DeclStmt] let voidType = ... | semmle.order | 31 |
 | tst.ts:26:5:26:12 | [VarDecl] voidType | semmle.label | [VarDecl] voidType |
 | tst.ts:26:5:26:24 | [VariableDeclarator] voidType: () => void | semmle.label | [VariableDeclarator] voidType: () => void |
 | tst.ts:26:15:26:24 | [FunctionExpr] () => void | semmle.label | [FunctionExpr] () => void |
 | tst.ts:26:15:26:24 | [FunctionTypeExpr] () => void | semmle.label | [FunctionTypeExpr] () => void |
 | tst.ts:26:21:26:24 | [KeywordTypeExpr] void | semmle.label | [KeywordTypeExpr] void |
 | tst.ts:27:1:27:29 | [DeclStmt] let undefinedType = ... | semmle.label | [DeclStmt] let undefinedType = ... |
-| tst.ts:27:1:27:29 | [DeclStmt] let undefinedType = ... | semmle.order | 31 |
+| tst.ts:27:1:27:29 | [DeclStmt] let undefinedType = ... | semmle.order | 32 |
 | tst.ts:27:5:27:17 | [VarDecl] undefinedType | semmle.label | [VarDecl] undefinedType |
 | tst.ts:27:5:27:28 | [VariableDeclarator] undefin ... defined | semmle.label | [VariableDeclarator] undefin ... defined |
 | tst.ts:27:20:27:28 | [KeywordTypeExpr] undefined | semmle.label | [KeywordTypeExpr] undefined |
 | tst.ts:28:1:28:26 | [DeclStmt] let nullType = ... | semmle.label | [DeclStmt] let nullType = ... |
-| tst.ts:28:1:28:26 | [DeclStmt] let nullType = ... | semmle.order | 32 |
+| tst.ts:28:1:28:26 | [DeclStmt] let nullType = ... | semmle.order | 33 |
 | tst.ts:28:5:28:12 | [VarDecl] nullType | semmle.label | [VarDecl] nullType |
 | tst.ts:28:5:28:25 | [VariableDeclarator] nullTyp ... = null | semmle.label | [VariableDeclarator] nullTyp ... = null |
 | tst.ts:28:15:28:18 | [KeywordTypeExpr] null | semmle.label | [KeywordTypeExpr] null |
 | tst.ts:28:22:28:25 | [Literal] null | semmle.label | [Literal] null |
 | tst.ts:29:1:29:27 | [DeclStmt] let neverType = ... | semmle.label | [DeclStmt] let neverType = ... |
-| tst.ts:29:1:29:27 | [DeclStmt] let neverType = ... | semmle.order | 33 |
+| tst.ts:29:1:29:27 | [DeclStmt] let neverType = ... | semmle.order | 34 |
 | tst.ts:29:5:29:13 | [VarDecl] neverType | semmle.label | [VarDecl] neverType |
 | tst.ts:29:5:29:26 | [VariableDeclarator] neverTy ... > never | semmle.label | [VariableDeclarator] neverTy ... > never |
 | tst.ts:29:16:29:26 | [FunctionExpr] () => never | semmle.label | [FunctionExpr] () => never |
 | tst.ts:29:16:29:26 | [FunctionTypeExpr] () => never | semmle.label | [FunctionTypeExpr] () => never |
 | tst.ts:29:22:29:26 | [KeywordTypeExpr] never | semmle.label | [KeywordTypeExpr] never |
 | tst.ts:30:1:30:23 | [DeclStmt] let symbolType = ... | semmle.label | [DeclStmt] let symbolType = ... |
-| tst.ts:30:1:30:23 | [DeclStmt] let symbolType = ... | semmle.order | 34 |
+| tst.ts:30:1:30:23 | [DeclStmt] let symbolType = ... | semmle.order | 35 |
 | tst.ts:30:5:30:14 | [VarDecl] symbolType | semmle.label | [VarDecl] symbolType |
 | tst.ts:30:5:30:22 | [VariableDeclarator] symbolType: symbol | semmle.label | [VariableDeclarator] symbolType: symbol |
 | tst.ts:30:17:30:22 | [KeywordTypeExpr] symbol | semmle.label | [KeywordTypeExpr] symbol |
 | tst.ts:31:1:31:45 | [DeclStmt] const uniqueSymbolType = ... | semmle.label | [DeclStmt] const uniqueSymbolType = ... |
-| tst.ts:31:1:31:45 | [DeclStmt] const uniqueSymbolType = ... | semmle.order | 35 |
+| tst.ts:31:1:31:45 | [DeclStmt] const uniqueSymbolType = ... | semmle.order | 36 |
 | tst.ts:31:7:31:22 | [VarDecl] uniqueSymbolType | semmle.label | [VarDecl] uniqueSymbolType |
 | tst.ts:31:7:31:44 | [VariableDeclarator] uniqueS ... = null | semmle.label | [VariableDeclarator] uniqueS ... = null |
 | tst.ts:31:25:31:37 | [KeywordTypeExpr] unique symbol | semmle.label | [KeywordTypeExpr] unique symbol |
 | tst.ts:31:41:31:44 | [Literal] null | semmle.label | [Literal] null |
 | tst.ts:32:1:32:23 | [DeclStmt] let objectType = ... | semmle.label | [DeclStmt] let objectType = ... |
-| tst.ts:32:1:32:23 | [DeclStmt] let objectType = ... | semmle.order | 36 |
+| tst.ts:32:1:32:23 | [DeclStmt] let objectType = ... | semmle.order | 37 |
 | tst.ts:32:5:32:14 | [VarDecl] objectType | semmle.label | [VarDecl] objectType |
 | tst.ts:32:5:32:22 | [VariableDeclarator] objectType: object | semmle.label | [VariableDeclarator] objectType: object |
 | tst.ts:32:17:32:22 | [KeywordTypeExpr] object | semmle.label | [KeywordTypeExpr] object |
 | tst.ts:33:1:33:39 | [DeclStmt] let intersection = ... | semmle.label | [DeclStmt] let intersection = ... |
-| tst.ts:33:1:33:39 | [DeclStmt] let intersection = ... | semmle.order | 37 |
+| tst.ts:33:1:33:39 | [DeclStmt] let intersection = ... | semmle.order | 38 |
 | tst.ts:33:5:33:16 | [VarDecl] intersection | semmle.label | [VarDecl] intersection |
 | tst.ts:33:5:33:38 | [VariableDeclarator] interse ... string} | semmle.label | [VariableDeclarator] interse ... string} |
 | tst.ts:33:19:33:24 | [KeywordTypeExpr] string | semmle.label | [KeywordTypeExpr] string |
@@ -267,14 +278,14 @@ nodes
 | tst.ts:33:29:33:37 | [FieldDeclaration] x: string | semmle.label | [FieldDeclaration] x: string |
 | tst.ts:33:32:33:37 | [KeywordTypeExpr] string | semmle.label | [KeywordTypeExpr] string |
 | tst.ts:34:1:34:28 | [DeclStmt] let tuple = ... | semmle.label | [DeclStmt] let tuple = ... |
-| tst.ts:34:1:34:28 | [DeclStmt] let tuple = ... | semmle.order | 38 |
+| tst.ts:34:1:34:28 | [DeclStmt] let tuple = ... | semmle.order | 39 |
 | tst.ts:34:5:34:9 | [VarDecl] tuple | semmle.label | [VarDecl] tuple |
 | tst.ts:34:5:34:27 | [VariableDeclarator] tuple: ... string] | semmle.label | [VariableDeclarator] tuple: ... string] |
 | tst.ts:34:12:34:27 | [TupleTypeExpr] [number, string] | semmle.label | [TupleTypeExpr] [number, string] |
 | tst.ts:34:13:34:18 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
 | tst.ts:34:21:34:26 | [KeywordTypeExpr] string | semmle.label | [KeywordTypeExpr] string |
 | tst.ts:36:1:36:56 | [DeclStmt] let tupleWithOptionalElement = ... | semmle.label | [DeclStmt] let tupleWithOptionalElement = ... |
-| tst.ts:36:1:36:56 | [DeclStmt] let tupleWithOptionalElement = ... | semmle.order | 39 |
+| tst.ts:36:1:36:56 | [DeclStmt] let tupleWithOptionalElement = ... | semmle.order | 40 |
 | tst.ts:36:5:36:28 | [VarDecl] tupleWithOptionalElement | semmle.label | [VarDecl] tupleWithOptionalElement |
 | tst.ts:36:5:36:55 | [VariableDeclarator] tupleWi ... umber?] | semmle.label | [VariableDeclarator] tupleWi ... umber?] |
 | tst.ts:36:31:36:55 | [TupleTypeExpr] [number ... umber?] | semmle.label | [TupleTypeExpr] [number ... umber?] |
@@ -283,12 +294,12 @@ nodes
 | tst.ts:36:48:36:53 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
 | tst.ts:36:48:36:54 | [OptionalTypeExpr] number? | semmle.label | [OptionalTypeExpr] number? |
 | tst.ts:37:1:37:19 | [DeclStmt] let emptyTuple = ... | semmle.label | [DeclStmt] let emptyTuple = ... |
-| tst.ts:37:1:37:19 | [DeclStmt] let emptyTuple = ... | semmle.order | 40 |
+| tst.ts:37:1:37:19 | [DeclStmt] let emptyTuple = ... | semmle.order | 41 |
 | tst.ts:37:5:37:14 | [VarDecl] emptyTuple | semmle.label | [VarDecl] emptyTuple |
 | tst.ts:37:5:37:18 | [VariableDeclarator] emptyTuple: [] | semmle.label | [VariableDeclarator] emptyTuple: [] |
 | tst.ts:37:17:37:18 | [TupleTypeExpr] [] | semmle.label | [TupleTypeExpr] [] |
 | tst.ts:38:1:38:48 | [DeclStmt] let tupleWithRestElement = ... | semmle.label | [DeclStmt] let tupleWithRestElement = ... |
-| tst.ts:38:1:38:48 | [DeclStmt] let tupleWithRestElement = ... | semmle.order | 41 |
+| tst.ts:38:1:38:48 | [DeclStmt] let tupleWithRestElement = ... | semmle.order | 42 |
 | tst.ts:38:5:38:24 | [VarDecl] tupleWithRestElement | semmle.label | [VarDecl] tupleWithRestElement |
 | tst.ts:38:5:38:47 | [VariableDeclarator] tupleWi ... ring[]] | semmle.label | [VariableDeclarator] tupleWi ... ring[]] |
 | tst.ts:38:27:38:47 | [TupleTypeExpr] [number ... ring[]] | semmle.label | [TupleTypeExpr] [number ... ring[]] |
@@ -297,7 +308,7 @@ nodes
 | tst.ts:38:39:38:44 | [KeywordTypeExpr] string | semmle.label | [KeywordTypeExpr] string |
 | tst.ts:38:39:38:46 | [ArrayTypeExpr] string[] | semmle.label | [ArrayTypeExpr] string[] |
 | tst.ts:39:1:39:69 | [DeclStmt] let tupleWithOptionalAndRestElements = ... | semmle.label | [DeclStmt] let tupleWithOptionalAndRestElements = ... |
-| tst.ts:39:1:39:69 | [DeclStmt] let tupleWithOptionalAndRestElements = ... | semmle.order | 42 |
+| tst.ts:39:1:39:69 | [DeclStmt] let tupleWithOptionalAndRestElements = ... | semmle.order | 43 |
 | tst.ts:39:5:39:36 | [VarDecl] tupleWithOptionalAndRestElements | semmle.label | [VarDecl] tupleWithOptionalAndRestElements |
 | tst.ts:39:5:39:68 | [VariableDeclarator] tupleWi ... mber[]] | semmle.label | [VariableDeclarator] tupleWi ... mber[]] |
 | tst.ts:39:39:39:68 | [TupleTypeExpr] [number ... mber[]] | semmle.label | [TupleTypeExpr] [number ... mber[]] |
@@ -308,12 +319,12 @@ nodes
 | tst.ts:39:60:39:65 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
 | tst.ts:39:60:39:67 | [ArrayTypeExpr] number[] | semmle.label | [ArrayTypeExpr] number[] |
 | tst.ts:40:1:40:25 | [DeclStmt] let unknownType = ... | semmle.label | [DeclStmt] let unknownType = ... |
-| tst.ts:40:1:40:25 | [DeclStmt] let unknownType = ... | semmle.order | 43 |
+| tst.ts:40:1:40:25 | [DeclStmt] let unknownType = ... | semmle.order | 44 |
 | tst.ts:40:5:40:15 | [VarDecl] unknownType | semmle.label | [VarDecl] unknownType |
 | tst.ts:40:5:40:24 | [VariableDeclarator] unknownType: unknown | semmle.label | [VariableDeclarator] unknownType: unknown |
 | tst.ts:40:18:40:24 | [KeywordTypeExpr] unknown | semmle.label | [KeywordTypeExpr] unknown |
 | tst.ts:42:1:42:40 | [DeclStmt] let constArrayLiteral = ... | semmle.label | [DeclStmt] let constArrayLiteral = ... |
-| tst.ts:42:1:42:40 | [DeclStmt] let constArrayLiteral = ... | semmle.order | 44 |
+| tst.ts:42:1:42:40 | [DeclStmt] let constArrayLiteral = ... | semmle.order | 45 |
 | tst.ts:42:5:42:21 | [VarDecl] constArrayLiteral | semmle.label | [VarDecl] constArrayLiteral |
 | tst.ts:42:5:42:39 | [VariableDeclarator] constAr ... s const | semmle.label | [VariableDeclarator] constAr ... s const |
 | tst.ts:42:25:42:30 | [ArrayExpr] [1, 2] | semmle.label | [ArrayExpr] [1, 2] |
@@ -322,7 +333,7 @@ nodes
 | tst.ts:42:29:42:29 | [Literal] 2 | semmle.label | [Literal] 2 |
 | tst.ts:42:35:42:39 | [KeywordTypeExpr] const | semmle.label | [KeywordTypeExpr] const |
 | tst.ts:43:1:43:49 | [DeclStmt] let constObjectLiteral = ... | semmle.label | [DeclStmt] let constObjectLiteral = ... |
-| tst.ts:43:1:43:49 | [DeclStmt] let constObjectLiteral = ... | semmle.order | 45 |
+| tst.ts:43:1:43:49 | [DeclStmt] let constObjectLiteral = ... | semmle.order | 46 |
 | tst.ts:43:5:43:22 | [VarDecl] constObjectLiteral | semmle.label | [VarDecl] constObjectLiteral |
 | tst.ts:43:5:43:48 | [VariableDeclarator] constOb ... s const | semmle.label | [VariableDeclarator] constOb ... s const |
 | tst.ts:43:26:43:39 | [ObjectExpr] {foo: ...} | semmle.label | [ObjectExpr] {foo: ...} |
@@ -332,7 +343,7 @@ nodes
 | tst.ts:43:33:43:37 | [Literal] "foo" | semmle.label | [Literal] "foo" |
 | tst.ts:43:44:43:48 | [KeywordTypeExpr] const | semmle.label | [KeywordTypeExpr] const |
 | tst.ts:46:1:51:1 | [TryStmt] try { } ... ; } } | semmle.label | [TryStmt] try { } ... ; } } |
-| tst.ts:46:1:51:1 | [TryStmt] try { } ... ; } } | semmle.order | 46 |
+| tst.ts:46:1:51:1 | [TryStmt] try { } ... ; } } | semmle.order | 47 |
 | tst.ts:46:5:46:7 | [BlockStmt] { } | semmle.label | [BlockStmt] { } |
 | tst.ts:47:1:51:1 | [CatchClause] catch ( ... ; } } | semmle.label | [CatchClause] catch ( ... ; } } |
 | tst.ts:47:8:47:8 | [SimpleParameter] e | semmle.label | [SimpleParameter] e |
@@ -349,21 +360,21 @@ nodes
 | tst.ts:49:15:49:20 | [KeywordTypeExpr] string | semmle.label | [KeywordTypeExpr] string |
 | tst.ts:49:24:49:24 | [VarRef] e | semmle.label | [VarRef] e |
 | tst.ts:54:1:56:1 | [InterfaceDeclaration,TypeDefinition] interfa ... mber; } | semmle.label | [InterfaceDeclaration,TypeDefinition] interfa ... mber; } |
-| tst.ts:54:1:56:1 | [InterfaceDeclaration,TypeDefinition] interfa ... mber; } | semmle.order | 47 |
+| tst.ts:54:1:56:1 | [InterfaceDeclaration,TypeDefinition] interfa ... mber; } | semmle.order | 48 |
 | tst.ts:54:11:54:26 | [Identifier] NonAbstractDummy | semmle.label | [Identifier] NonAbstractDummy |
 | tst.ts:55:3:55:9 | [Label] getArea | semmle.label | [Label] getArea |
 | tst.ts:55:3:55:20 | [FunctionExpr] getArea(): number; | semmle.label | [FunctionExpr] getArea(): number; |
 | tst.ts:55:3:55:20 | [MethodSignature] getArea(): number; | semmle.label | [MethodSignature] getArea(): number; |
 | tst.ts:55:14:55:19 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
 | tst.ts:58:1:60:1 | [InterfaceDeclaration,TypeDefinition] interfa ... mber; } | semmle.label | [InterfaceDeclaration,TypeDefinition] interfa ... mber; } |
-| tst.ts:58:1:60:1 | [InterfaceDeclaration,TypeDefinition] interfa ... mber; } | semmle.order | 48 |
+| tst.ts:58:1:60:1 | [InterfaceDeclaration,TypeDefinition] interfa ... mber; } | semmle.order | 49 |
 | tst.ts:58:11:58:17 | [Identifier] HasArea | semmle.label | [Identifier] HasArea |
 | tst.ts:59:3:59:9 | [Label] getArea | semmle.label | [Label] getArea |
 | tst.ts:59:3:59:20 | [FunctionExpr] getArea(): number; | semmle.label | [FunctionExpr] getArea(): number; |
 | tst.ts:59:3:59:20 | [MethodSignature] getArea(): number; | semmle.label | [MethodSignature] getArea(): number; |
 | tst.ts:59:14:59:19 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
 | tst.ts:63:1:63:45 | [DeclStmt] let Ctor = ... | semmle.label | [DeclStmt] let Ctor = ... |
-| tst.ts:63:1:63:45 | [DeclStmt] let Ctor = ... | semmle.order | 49 |
+| tst.ts:63:1:63:45 | [DeclStmt] let Ctor = ... | semmle.order | 50 |
 | tst.ts:63:5:63:8 | [VarDecl] Ctor | semmle.label | [VarDecl] Ctor |
 | tst.ts:63:5:63:44 | [VariableDeclarator] Ctor: a ... = Shape | semmle.label | [VariableDeclarator] Ctor: a ... = Shape |
 | tst.ts:63:11:63:36 | [FunctionExpr] abstrac ... HasArea | semmle.label | [FunctionExpr] abstrac ... HasArea |
@@ -371,7 +382,7 @@ nodes
 | tst.ts:63:30:63:36 | [LocalTypeAccess] HasArea | semmle.label | [LocalTypeAccess] HasArea |
 | tst.ts:63:40:63:44 | [VarRef] Shape | semmle.label | [VarRef] Shape |
 | tst.ts:65:1:65:54 | [TypeAliasDeclaration,TypeDefinition] type My ... true}; | semmle.label | [TypeAliasDeclaration,TypeDefinition] type My ... true}; |
-| tst.ts:65:1:65:54 | [TypeAliasDeclaration,TypeDefinition] type My ... true}; | semmle.order | 50 |
+| tst.ts:65:1:65:54 | [TypeAliasDeclaration,TypeDefinition] type My ... true}; | semmle.order | 51 |
 | tst.ts:65:6:65:12 | [Identifier] MyUnion | semmle.label | [Identifier] MyUnion |
 | tst.ts:65:16:65:30 | [InterfaceTypeExpr] {myUnion: true} | semmle.label | [InterfaceTypeExpr] {myUnion: true} |
 | tst.ts:65:16:65:53 | [UnionTypeExpr] {myUnio ... : true} | semmle.label | [UnionTypeExpr] {myUnio ... : true} |
@@ -383,7 +394,7 @@ nodes
 | tst.ts:65:35:65:52 | [FieldDeclaration] stillMyUnion: true | semmle.label | [FieldDeclaration] stillMyUnion: true |
 | tst.ts:65:49:65:52 | [LiteralTypeExpr] true | semmle.label | [LiteralTypeExpr] true |
 | tst.ts:66:1:66:38 | [DeclStmt] let union1 = ... | semmle.label | [DeclStmt] let union1 = ... |
-| tst.ts:66:1:66:38 | [DeclStmt] let union1 = ... | semmle.order | 51 |
+| tst.ts:66:1:66:38 | [DeclStmt] let union1 = ... | semmle.order | 52 |
 | tst.ts:66:5:66:10 | [VarDecl] union1 | semmle.label | [VarDecl] union1 |
 | tst.ts:66:5:66:37 | [VariableDeclarator] union1: ... : true} | semmle.label | [VariableDeclarator] union1: ... : true} |
 | tst.ts:66:13:66:19 | [LocalTypeAccess] MyUnion | semmle.label | [LocalTypeAccess] MyUnion |
@@ -392,7 +403,7 @@ nodes
 | tst.ts:66:24:66:36 | [Property] myUnion: true | semmle.label | [Property] myUnion: true |
 | tst.ts:66:33:66:36 | [Literal] true | semmle.label | [Literal] true |
 | tst.ts:68:1:68:49 | [TypeAliasDeclaration,TypeDefinition] type My ... true}; | semmle.label | [TypeAliasDeclaration,TypeDefinition] type My ... true}; |
-| tst.ts:68:1:68:49 | [TypeAliasDeclaration,TypeDefinition] type My ... true}; | semmle.order | 52 |
+| tst.ts:68:1:68:49 | [TypeAliasDeclaration,TypeDefinition] type My ... true}; | semmle.order | 53 |
 | tst.ts:68:6:68:13 | [Identifier] MyUnion2 | semmle.label | [Identifier] MyUnion2 |
 | tst.ts:68:17:68:23 | [LocalTypeAccess] MyUnion | semmle.label | [LocalTypeAccess] MyUnion |
 | tst.ts:68:17:68:48 | [UnionTypeExpr] MyUnion ... : true} | semmle.label | [UnionTypeExpr] MyUnion ... : true} |
@@ -401,7 +412,7 @@ nodes
 | tst.ts:68:28:68:47 | [FieldDeclaration] yetAnotherType: true | semmle.label | [FieldDeclaration] yetAnotherType: true |
 | tst.ts:68:44:68:47 | [LiteralTypeExpr] true | semmle.label | [LiteralTypeExpr] true |
 | tst.ts:69:1:69:46 | [DeclStmt] let union2 = ... | semmle.label | [DeclStmt] let union2 = ... |
-| tst.ts:69:1:69:46 | [DeclStmt] let union2 = ... | semmle.order | 53 |
+| tst.ts:69:1:69:46 | [DeclStmt] let union2 = ... | semmle.order | 54 |
 | tst.ts:69:5:69:10 | [VarDecl] union2 | semmle.label | [VarDecl] union2 |
 | tst.ts:69:5:69:45 | [VariableDeclarator] union2: ... : true} | semmle.label | [VariableDeclarator] union2: ... : true} |
 | tst.ts:69:13:69:20 | [LocalTypeAccess] MyUnion2 | semmle.label | [LocalTypeAccess] MyUnion2 |
@@ -410,16 +421,16 @@ nodes
 | tst.ts:69:25:69:44 | [Property] yetAnotherType: true | semmle.label | [Property] yetAnotherType: true |
 | tst.ts:69:41:69:44 | [Literal] true | semmle.label | [Literal] true |
 | type_alias.ts:1:1:1:17 | [TypeAliasDeclaration,TypeDefinition] type B = boolean; | semmle.label | [TypeAliasDeclaration,TypeDefinition] type B = boolean; |
-| type_alias.ts:1:1:1:17 | [TypeAliasDeclaration,TypeDefinition] type B = boolean; | semmle.order | 54 |
+| type_alias.ts:1:1:1:17 | [TypeAliasDeclaration,TypeDefinition] type B = boolean; | semmle.order | 55 |
 | type_alias.ts:1:6:1:6 | [Identifier] B | semmle.label | [Identifier] B |
 | type_alias.ts:1:10:1:16 | [KeywordTypeExpr] boolean | semmle.label | [KeywordTypeExpr] boolean |
 | type_alias.ts:3:1:3:9 | [DeclStmt] var b = ... | semmle.label | [DeclStmt] var b = ... |
-| type_alias.ts:3:1:3:9 | [DeclStmt] var b = ... | semmle.order | 55 |
+| type_alias.ts:3:1:3:9 | [DeclStmt] var b = ... | semmle.order | 56 |
 | type_alias.ts:3:5:3:5 | [VarDecl] b | semmle.label | [VarDecl] b |
 | type_alias.ts:3:5:3:8 | [VariableDeclarator] b: B | semmle.label | [VariableDeclarator] b: B |
 | type_alias.ts:3:8:3:8 | [LocalTypeAccess] B | semmle.label | [LocalTypeAccess] B |
 | type_alias.ts:5:1:5:50 | [TypeAliasDeclaration,TypeDefinition] type Va ... ay<T>>; | semmle.label | [TypeAliasDeclaration,TypeDefinition] type Va ... ay<T>>; |
-| type_alias.ts:5:1:5:50 | [TypeAliasDeclaration,TypeDefinition] type Va ... ay<T>>; | semmle.order | 56 |
+| type_alias.ts:5:1:5:50 | [TypeAliasDeclaration,TypeDefinition] type Va ... ay<T>>; | semmle.order | 57 |
 | type_alias.ts:5:6:5:17 | [Identifier] ValueOrArray | semmle.label | [Identifier] ValueOrArray |
 | type_alias.ts:5:19:5:19 | [Identifier] T | semmle.label | [Identifier] T |
 | type_alias.ts:5:19:5:19 | [TypeParameter] T | semmle.label | [TypeParameter] T |
@@ -431,14 +442,14 @@ nodes
 | type_alias.ts:5:34:5:48 | [GenericTypeExpr] ValueOrArray<T> | semmle.label | [GenericTypeExpr] ValueOrArray<T> |
 | type_alias.ts:5:47:5:47 | [LocalTypeAccess] T | semmle.label | [LocalTypeAccess] T |
 | type_alias.ts:7:1:7:28 | [DeclStmt] var c = ... | semmle.label | [DeclStmt] var c = ... |
-| type_alias.ts:7:1:7:28 | [DeclStmt] var c = ... | semmle.order | 57 |
+| type_alias.ts:7:1:7:28 | [DeclStmt] var c = ... | semmle.order | 58 |
 | type_alias.ts:7:5:7:5 | [VarDecl] c | semmle.label | [VarDecl] c |
 | type_alias.ts:7:5:7:27 | [VariableDeclarator] c: Valu ... number> | semmle.label | [VariableDeclarator] c: Valu ... number> |
 | type_alias.ts:7:8:7:19 | [LocalTypeAccess] ValueOrArray | semmle.label | [LocalTypeAccess] ValueOrArray |
 | type_alias.ts:7:8:7:27 | [GenericTypeExpr] ValueOrArray<number> | semmle.label | [GenericTypeExpr] ValueOrArray<number> |
 | type_alias.ts:7:21:7:26 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
 | type_alias.ts:9:1:15:13 | [TypeAliasDeclaration,TypeDefinition] type Js ... Json[]; | semmle.label | [TypeAliasDeclaration,TypeDefinition] type Js ... Json[]; |
-| type_alias.ts:9:1:15:13 | [TypeAliasDeclaration,TypeDefinition] type Js ... Json[]; | semmle.order | 58 |
+| type_alias.ts:9:1:15:13 | [TypeAliasDeclaration,TypeDefinition] type Js ... Json[]; | semmle.order | 59 |
 | type_alias.ts:9:6:9:9 | [Identifier] Json | semmle.label | [Identifier] Json |
 | type_alias.ts:10:5:15:12 | [UnionTypeExpr] \| strin ... Json[] | semmle.label | [UnionTypeExpr] \| strin ... Json[] |
 | type_alias.ts:10:7:10:12 | [KeywordTypeExpr] string | semmle.label | [KeywordTypeExpr] string |
@@ -454,12 +465,12 @@ nodes
 | type_alias.ts:15:7:15:10 | [LocalTypeAccess] Json | semmle.label | [LocalTypeAccess] Json |
 | type_alias.ts:15:7:15:12 | [ArrayTypeExpr] Json[] | semmle.label | [ArrayTypeExpr] Json[] |
 | type_alias.ts:17:1:17:15 | [DeclStmt] var json = ... | semmle.label | [DeclStmt] var json = ... |
-| type_alias.ts:17:1:17:15 | [DeclStmt] var json = ... | semmle.order | 59 |
+| type_alias.ts:17:1:17:15 | [DeclStmt] var json = ... | semmle.order | 60 |
 | type_alias.ts:17:5:17:8 | [VarDecl] json | semmle.label | [VarDecl] json |
 | type_alias.ts:17:5:17:14 | [VariableDeclarator] json: Json | semmle.label | [VariableDeclarator] json: Json |
 | type_alias.ts:17:11:17:14 | [LocalTypeAccess] Json | semmle.label | [LocalTypeAccess] Json |
 | type_alias.ts:19:1:21:57 | [TypeAliasDeclaration,TypeDefinition] type Vi ... ode[]]; | semmle.label | [TypeAliasDeclaration,TypeDefinition] type Vi ... ode[]]; |
-| type_alias.ts:19:1:21:57 | [TypeAliasDeclaration,TypeDefinition] type Vi ... ode[]]; | semmle.order | 60 |
+| type_alias.ts:19:1:21:57 | [TypeAliasDeclaration,TypeDefinition] type Vi ... ode[]]; | semmle.order | 61 |
 | type_alias.ts:19:6:19:16 | [Identifier] VirtualNode | semmle.label | [Identifier] VirtualNode |
 | type_alias.ts:20:5:21:56 | [UnionTypeExpr] \| strin ... Node[]] | semmle.label | [UnionTypeExpr] \| strin ... Node[]] |
 | type_alias.ts:20:7:20:12 | [KeywordTypeExpr] string | semmle.label | [KeywordTypeExpr] string |
@@ -475,7 +486,7 @@ nodes
 | type_alias.ts:21:43:21:53 | [LocalTypeAccess] VirtualNode | semmle.label | [LocalTypeAccess] VirtualNode |
 | type_alias.ts:21:43:21:55 | [ArrayTypeExpr] VirtualNode[] | semmle.label | [ArrayTypeExpr] VirtualNode[] |
 | type_alias.ts:23:1:27:6 | [DeclStmt] const myNode = ... | semmle.label | [DeclStmt] const myNode = ... |
-| type_alias.ts:23:1:27:6 | [DeclStmt] const myNode = ... | semmle.order | 61 |
+| type_alias.ts:23:1:27:6 | [DeclStmt] const myNode = ... | semmle.order | 62 |
 | type_alias.ts:23:7:23:12 | [VarDecl] myNode | semmle.label | [VarDecl] myNode |
 | type_alias.ts:23:7:27:5 | [VariableDeclarator] myNode: ... ] ] | semmle.label | [VariableDeclarator] myNode: ... ] ] |
 | type_alias.ts:23:15:23:25 | [LocalTypeAccess] VirtualNode | semmle.label | [LocalTypeAccess] VirtualNode |
@@ -500,12 +511,12 @@ nodes
 | type_alias.ts:26:23:26:36 | [Literal] "second-child" | semmle.label | [Literal] "second-child" |
 | type_alias.ts:26:41:26:62 | [Literal] "I'm the second child" | semmle.label | [Literal] "I'm the second child" |
 | type_definition_objects.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.label | [ImportDeclaration] import ... dummy"; |
-| type_definition_objects.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.order | 62 |
+| type_definition_objects.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.order | 63 |
 | type_definition_objects.ts:1:8:1:17 | [ImportSpecifier] * as dummy | semmle.label | [ImportSpecifier] * as dummy |
 | type_definition_objects.ts:1:13:1:17 | [VarDecl] dummy | semmle.label | [VarDecl] dummy |
 | type_definition_objects.ts:1:24:1:32 | [Literal] "./dummy" | semmle.label | [Literal] "./dummy" |
 | type_definition_objects.ts:3:1:3:17 | [ExportDeclaration] export class C {} | semmle.label | [ExportDeclaration] export class C {} |
-| type_definition_objects.ts:3:1:3:17 | [ExportDeclaration] export class C {} | semmle.order | 63 |
+| type_definition_objects.ts:3:1:3:17 | [ExportDeclaration] export class C {} | semmle.order | 64 |
 | type_definition_objects.ts:3:8:3:17 | [ClassDefinition,TypeDefinition] class C {} | semmle.label | [ClassDefinition,TypeDefinition] class C {} |
 | type_definition_objects.ts:3:14:3:14 | [VarDecl] C | semmle.label | [VarDecl] C |
 | type_definition_objects.ts:3:16:3:15 | [BlockStmt] {} | semmle.label | [BlockStmt] {} |
@@ -513,36 +524,36 @@ nodes
 | type_definition_objects.ts:3:16:3:15 | [FunctionExpr] () {} | semmle.label | [FunctionExpr] () {} |
 | type_definition_objects.ts:3:16:3:15 | [Label] constructor | semmle.label | [Label] constructor |
 | type_definition_objects.ts:4:1:4:17 | [DeclStmt] let classObj = ... | semmle.label | [DeclStmt] let classObj = ... |
-| type_definition_objects.ts:4:1:4:17 | [DeclStmt] let classObj = ... | semmle.order | 64 |
+| type_definition_objects.ts:4:1:4:17 | [DeclStmt] let classObj = ... | semmle.order | 65 |
 | type_definition_objects.ts:4:5:4:12 | [VarDecl] classObj | semmle.label | [VarDecl] classObj |
 | type_definition_objects.ts:4:5:4:16 | [VariableDeclarator] classObj = C | semmle.label | [VariableDeclarator] classObj = C |
 | type_definition_objects.ts:4:16:4:16 | [VarRef] C | semmle.label | [VarRef] C |
 | type_definition_objects.ts:6:1:6:16 | [ExportDeclaration] export enum E {} | semmle.label | [ExportDeclaration] export enum E {} |
-| type_definition_objects.ts:6:1:6:16 | [ExportDeclaration] export enum E {} | semmle.order | 65 |
+| type_definition_objects.ts:6:1:6:16 | [ExportDeclaration] export enum E {} | semmle.order | 66 |
 | type_definition_objects.ts:6:8:6:16 | [EnumDeclaration,TypeDefinition] enum E {} | semmle.label | [EnumDeclaration,TypeDefinition] enum E {} |
 | type_definition_objects.ts:6:13:6:13 | [VarDecl] E | semmle.label | [VarDecl] E |
 | type_definition_objects.ts:7:1:7:16 | [DeclStmt] let enumObj = ... | semmle.label | [DeclStmt] let enumObj = ... |
-| type_definition_objects.ts:7:1:7:16 | [DeclStmt] let enumObj = ... | semmle.order | 66 |
+| type_definition_objects.ts:7:1:7:16 | [DeclStmt] let enumObj = ... | semmle.order | 67 |
 | type_definition_objects.ts:7:5:7:11 | [VarDecl] enumObj | semmle.label | [VarDecl] enumObj |
 | type_definition_objects.ts:7:5:7:15 | [VariableDeclarator] enumObj = E | semmle.label | [VariableDeclarator] enumObj = E |
 | type_definition_objects.ts:7:15:7:15 | [VarRef] E | semmle.label | [VarRef] E |
 | type_definition_objects.ts:9:1:9:22 | [ExportDeclaration] export ... e N {;} | semmle.label | [ExportDeclaration] export ... e N {;} |
-| type_definition_objects.ts:9:1:9:22 | [ExportDeclaration] export ... e N {;} | semmle.order | 67 |
+| type_definition_objects.ts:9:1:9:22 | [ExportDeclaration] export ... e N {;} | semmle.order | 68 |
 | type_definition_objects.ts:9:8:9:22 | [NamespaceDeclaration] namespace N {;} | semmle.label | [NamespaceDeclaration] namespace N {;} |
 | type_definition_objects.ts:9:18:9:18 | [VarDecl] N | semmle.label | [VarDecl] N |
 | type_definition_objects.ts:9:21:9:21 | [EmptyStmt] ; | semmle.label | [EmptyStmt] ; |
 | type_definition_objects.ts:10:1:10:21 | [DeclStmt] let namespaceObj = ... | semmle.label | [DeclStmt] let namespaceObj = ... |
-| type_definition_objects.ts:10:1:10:21 | [DeclStmt] let namespaceObj = ... | semmle.order | 68 |
+| type_definition_objects.ts:10:1:10:21 | [DeclStmt] let namespaceObj = ... | semmle.order | 69 |
 | type_definition_objects.ts:10:5:10:16 | [VarDecl] namespaceObj | semmle.label | [VarDecl] namespaceObj |
 | type_definition_objects.ts:10:5:10:20 | [VariableDeclarator] namespaceObj = N | semmle.label | [VariableDeclarator] namespaceObj = N |
 | type_definition_objects.ts:10:20:10:20 | [VarRef] N | semmle.label | [VarRef] N |
 | type_definitions.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.label | [ImportDeclaration] import ... dummy"; |
-| type_definitions.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.order | 69 |
+| type_definitions.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.order | 70 |
 | type_definitions.ts:1:8:1:17 | [ImportSpecifier] * as dummy | semmle.label | [ImportSpecifier] * as dummy |
 | type_definitions.ts:1:13:1:17 | [VarDecl] dummy | semmle.label | [VarDecl] dummy |
 | type_definitions.ts:1:24:1:32 | [Literal] "./dummy" | semmle.label | [Literal] "./dummy" |
 | type_definitions.ts:3:1:5:1 | [InterfaceDeclaration,TypeDefinition] interfa ... x: S; } | semmle.label | [InterfaceDeclaration,TypeDefinition] interfa ... x: S; } |
-| type_definitions.ts:3:1:5:1 | [InterfaceDeclaration,TypeDefinition] interfa ... x: S; } | semmle.order | 70 |
+| type_definitions.ts:3:1:5:1 | [InterfaceDeclaration,TypeDefinition] interfa ... x: S; } | semmle.order | 71 |
 | type_definitions.ts:3:11:3:11 | [Identifier] I | semmle.label | [Identifier] I |
 | type_definitions.ts:3:13:3:13 | [Identifier] S | semmle.label | [Identifier] S |
 | type_definitions.ts:3:13:3:13 | [TypeParameter] S | semmle.label | [TypeParameter] S |
@@ -550,14 +561,14 @@ nodes
 | type_definitions.ts:4:3:4:7 | [FieldDeclaration] x: S; | semmle.label | [FieldDeclaration] x: S; |
 | type_definitions.ts:4:6:4:6 | [LocalTypeAccess] S | semmle.label | [LocalTypeAccess] S |
 | type_definitions.ts:6:1:6:16 | [DeclStmt] let i = ... | semmle.label | [DeclStmt] let i = ... |
-| type_definitions.ts:6:1:6:16 | [DeclStmt] let i = ... | semmle.order | 71 |
+| type_definitions.ts:6:1:6:16 | [DeclStmt] let i = ... | semmle.order | 72 |
 | type_definitions.ts:6:5:6:5 | [VarDecl] i | semmle.label | [VarDecl] i |
 | type_definitions.ts:6:5:6:16 | [VariableDeclarator] i: I<number> | semmle.label | [VariableDeclarator] i: I<number> |
 | type_definitions.ts:6:8:6:8 | [LocalTypeAccess] I | semmle.label | [LocalTypeAccess] I |
 | type_definitions.ts:6:8:6:16 | [GenericTypeExpr] I<number> | semmle.label | [GenericTypeExpr] I<number> |
 | type_definitions.ts:6:10:6:15 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
 | type_definitions.ts:8:1:10:1 | [ClassDefinition,TypeDefinition] class C ... x: T } | semmle.label | [ClassDefinition,TypeDefinition] class C ... x: T } |
-| type_definitions.ts:8:1:10:1 | [ClassDefinition,TypeDefinition] class C ... x: T } | semmle.order | 72 |
+| type_definitions.ts:8:1:10:1 | [ClassDefinition,TypeDefinition] class C ... x: T } | semmle.order | 73 |
 | type_definitions.ts:8:7:8:7 | [VarDecl] C | semmle.label | [VarDecl] C |
 | type_definitions.ts:8:8:8:7 | [BlockStmt] {} | semmle.label | [BlockStmt] {} |
 | type_definitions.ts:8:8:8:7 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | semmle.label | [ClassInitializedMember,ConstructorDefinition] constructor() {} |
@@ -569,14 +580,14 @@ nodes
 | type_definitions.ts:9:3:9:6 | [FieldDeclaration] x: T | semmle.label | [FieldDeclaration] x: T |
 | type_definitions.ts:9:6:9:6 | [LocalTypeAccess] T | semmle.label | [LocalTypeAccess] T |
 | type_definitions.ts:11:1:11:17 | [DeclStmt] let c = ... | semmle.label | [DeclStmt] let c = ... |
-| type_definitions.ts:11:1:11:17 | [DeclStmt] let c = ... | semmle.order | 73 |
+| type_definitions.ts:11:1:11:17 | [DeclStmt] let c = ... | semmle.order | 74 |
 | type_definitions.ts:11:5:11:5 | [VarDecl] c | semmle.label | [VarDecl] c |
 | type_definitions.ts:11:5:11:16 | [VariableDeclarator] c: C<number> | semmle.label | [VariableDeclarator] c: C<number> |
 | type_definitions.ts:11:8:11:8 | [LocalTypeAccess] C | semmle.label | [LocalTypeAccess] C |
 | type_definitions.ts:11:8:11:16 | [GenericTypeExpr] C<number> | semmle.label | [GenericTypeExpr] C<number> |
 | type_definitions.ts:11:10:11:15 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
 | type_definitions.ts:13:1:15:1 | [EnumDeclaration,TypeDefinition] enum Co ... blue } | semmle.label | [EnumDeclaration,TypeDefinition] enum Co ... blue } |
-| type_definitions.ts:13:1:15:1 | [EnumDeclaration,TypeDefinition] enum Co ... blue } | semmle.order | 74 |
+| type_definitions.ts:13:1:15:1 | [EnumDeclaration,TypeDefinition] enum Co ... blue } | semmle.order | 75 |
 | type_definitions.ts:13:6:13:10 | [VarDecl] Color | semmle.label | [VarDecl] Color |
 | type_definitions.ts:14:3:14:5 | [EnumMember,TypeDefinition] red | semmle.label | [EnumMember,TypeDefinition] red |
 | type_definitions.ts:14:3:14:5 | [VarDecl] red | semmle.label | [VarDecl] red |
@@ -585,29 +596,29 @@ nodes
 | type_definitions.ts:14:15:14:18 | [EnumMember,TypeDefinition] blue | semmle.label | [EnumMember,TypeDefinition] blue |
 | type_definitions.ts:14:15:14:18 | [VarDecl] blue | semmle.label | [VarDecl] blue |
 | type_definitions.ts:16:1:16:17 | [DeclStmt] let color = ... | semmle.label | [DeclStmt] let color = ... |
-| type_definitions.ts:16:1:16:17 | [DeclStmt] let color = ... | semmle.order | 75 |
+| type_definitions.ts:16:1:16:17 | [DeclStmt] let color = ... | semmle.order | 76 |
 | type_definitions.ts:16:5:16:9 | [VarDecl] color | semmle.label | [VarDecl] color |
 | type_definitions.ts:16:5:16:16 | [VariableDeclarator] color: Color | semmle.label | [VariableDeclarator] color: Color |
 | type_definitions.ts:16:12:16:16 | [LocalTypeAccess] Color | semmle.label | [LocalTypeAccess] Color |
 | type_definitions.ts:18:1:18:33 | [EnumDeclaration,TypeDefinition] enum En ... ember } | semmle.label | [EnumDeclaration,TypeDefinition] enum En ... ember } |
-| type_definitions.ts:18:1:18:33 | [EnumDeclaration,TypeDefinition] enum En ... ember } | semmle.order | 76 |
+| type_definitions.ts:18:1:18:33 | [EnumDeclaration,TypeDefinition] enum En ... ember } | semmle.order | 77 |
 | type_definitions.ts:18:6:18:22 | [VarDecl] EnumWithOneMember | semmle.label | [VarDecl] EnumWithOneMember |
 | type_definitions.ts:18:26:18:31 | [EnumMember,TypeDefinition] member | semmle.label | [EnumMember,TypeDefinition] member |
 | type_definitions.ts:18:26:18:31 | [VarDecl] member | semmle.label | [VarDecl] member |
 | type_definitions.ts:19:1:19:25 | [DeclStmt] let e = ... | semmle.label | [DeclStmt] let e = ... |
-| type_definitions.ts:19:1:19:25 | [DeclStmt] let e = ... | semmle.order | 77 |
+| type_definitions.ts:19:1:19:25 | [DeclStmt] let e = ... | semmle.order | 78 |
 | type_definitions.ts:19:5:19:5 | [VarDecl] e | semmle.label | [VarDecl] e |
 | type_definitions.ts:19:5:19:24 | [VariableDeclarator] e: EnumWithOneMember | semmle.label | [VariableDeclarator] e: EnumWithOneMember |
 | type_definitions.ts:19:8:19:24 | [LocalTypeAccess] EnumWithOneMember | semmle.label | [LocalTypeAccess] EnumWithOneMember |
 | type_definitions.ts:21:1:21:20 | [TypeAliasDeclaration,TypeDefinition] type Alias<T> = T[]; | semmle.label | [TypeAliasDeclaration,TypeDefinition] type Alias<T> = T[]; |
-| type_definitions.ts:21:1:21:20 | [TypeAliasDeclaration,TypeDefinition] type Alias<T> = T[]; | semmle.order | 78 |
+| type_definitions.ts:21:1:21:20 | [TypeAliasDeclaration,TypeDefinition] type Alias<T> = T[]; | semmle.order | 79 |
 | type_definitions.ts:21:6:21:10 | [Identifier] Alias | semmle.label | [Identifier] Alias |
 | type_definitions.ts:21:12:21:12 | [Identifier] T | semmle.label | [Identifier] T |
 | type_definitions.ts:21:12:21:12 | [TypeParameter] T | semmle.label | [TypeParameter] T |
 | type_definitions.ts:21:17:21:17 | [LocalTypeAccess] T | semmle.label | [LocalTypeAccess] T |
 | type_definitions.ts:21:17:21:19 | [ArrayTypeExpr] T[] | semmle.label | [ArrayTypeExpr] T[] |
 | type_definitions.ts:22:1:22:39 | [DeclStmt] let aliasForNumberArray = ... | semmle.label | [DeclStmt] let aliasForNumberArray = ... |
-| type_definitions.ts:22:1:22:39 | [DeclStmt] let aliasForNumberArray = ... | semmle.order | 79 |
+| type_definitions.ts:22:1:22:39 | [DeclStmt] let aliasForNumberArray = ... | semmle.order | 80 |
 | type_definitions.ts:22:5:22:23 | [VarDecl] aliasForNumberArray | semmle.label | [VarDecl] aliasForNumberArray |
 | type_definitions.ts:22:5:22:38 | [VariableDeclarator] aliasFo ... number> | semmle.label | [VariableDeclarator] aliasFo ... number> |
 | type_definitions.ts:22:26:22:30 | [LocalTypeAccess] Alias | semmle.label | [LocalTypeAccess] Alias |
@@ -716,6 +727,24 @@ edges
 | dummy.ts:2:12:2:16 | [VariableDeclarator] x = 5 | dummy.ts:2:12:2:12 | [VarDecl] x | semmle.order | 1 |
 | dummy.ts:2:12:2:16 | [VariableDeclarator] x = 5 | dummy.ts:2:16:2:16 | [Literal] 5 | semmle.label | 2 |
 | dummy.ts:2:12:2:16 | [VariableDeclarator] x = 5 | dummy.ts:2:16:2:16 | [Literal] 5 | semmle.order | 2 |
+| dummy.ts:4:1:4:24 | [ExportDeclaration] export ... /ab+c/; | dummy.ts:4:8:4:24 | [DeclStmt] let reg = ... | semmle.label | 1 |
+| dummy.ts:4:1:4:24 | [ExportDeclaration] export ... /ab+c/; | dummy.ts:4:8:4:24 | [DeclStmt] let reg = ... | semmle.order | 1 |
+| dummy.ts:4:8:4:24 | [DeclStmt] let reg = ... | dummy.ts:4:12:4:23 | [VariableDeclarator] reg = /ab+c/ | semmle.label | 1 |
+| dummy.ts:4:8:4:24 | [DeclStmt] let reg = ... | dummy.ts:4:12:4:23 | [VariableDeclarator] reg = /ab+c/ | semmle.order | 1 |
+| dummy.ts:4:12:4:23 | [VariableDeclarator] reg = /ab+c/ | dummy.ts:4:12:4:14 | [VarDecl] reg | semmle.label | 1 |
+| dummy.ts:4:12:4:23 | [VariableDeclarator] reg = /ab+c/ | dummy.ts:4:12:4:14 | [VarDecl] reg | semmle.order | 1 |
+| dummy.ts:4:12:4:23 | [VariableDeclarator] reg = /ab+c/ | dummy.ts:4:18:4:23 | [RegExpLiteral] /ab+c/ | semmle.label | 2 |
+| dummy.ts:4:12:4:23 | [VariableDeclarator] reg = /ab+c/ | dummy.ts:4:18:4:23 | [RegExpLiteral] /ab+c/ | semmle.order | 2 |
+| dummy.ts:4:18:4:23 | [RegExpLiteral] /ab+c/ | dummy.ts:4:19:4:22 | [RegExpSequence] ab+c | semmle.label | 0 |
+| dummy.ts:4:18:4:23 | [RegExpLiteral] /ab+c/ | dummy.ts:4:19:4:22 | [RegExpSequence] ab+c | semmle.order | 0 |
+| dummy.ts:4:19:4:22 | [RegExpSequence] ab+c | dummy.ts:4:19:4:19 | [RegExpNormalConstant] a | semmle.label | 0 |
+| dummy.ts:4:19:4:22 | [RegExpSequence] ab+c | dummy.ts:4:19:4:19 | [RegExpNormalConstant] a | semmle.order | 0 |
+| dummy.ts:4:19:4:22 | [RegExpSequence] ab+c | dummy.ts:4:20:4:21 | [RegExpPlus] b+ | semmle.label | 1 |
+| dummy.ts:4:19:4:22 | [RegExpSequence] ab+c | dummy.ts:4:20:4:21 | [RegExpPlus] b+ | semmle.order | 1 |
+| dummy.ts:4:19:4:22 | [RegExpSequence] ab+c | dummy.ts:4:22:4:22 | [RegExpNormalConstant] c | semmle.label | 2 |
+| dummy.ts:4:19:4:22 | [RegExpSequence] ab+c | dummy.ts:4:22:4:22 | [RegExpNormalConstant] c | semmle.order | 2 |
+| dummy.ts:4:20:4:21 | [RegExpPlus] b+ | dummy.ts:4:20:4:20 | [RegExpNormalConstant] b | semmle.label | 0 |
+| dummy.ts:4:20:4:21 | [RegExpPlus] b+ | dummy.ts:4:20:4:20 | [RegExpNormalConstant] b | semmle.order | 0 |
 | file://:0:0:0:0 | (Parameters) | tst.ts:14:17:14:17 | [SimpleParameter] x | semmle.label | 0 |
 | file://:0:0:0:0 | (Parameters) | tst.ts:14:17:14:17 | [SimpleParameter] x | semmle.order | 0 |
 | file://:0:0:0:0 | (Parameters) | tst.ts:14:28:14:28 | [SimpleParameter] y | semmle.label | 1 |
diff --git a/javascript/ql/test/library-tests/TypeScript/Types/tests.expected b/javascript/ql/test/library-tests/TypeScript/Types/tests.expected
index c9cad8a1443..7c8159a9b10 100644
--- a/javascript/ql/test/library-tests/TypeScript/Types/tests.expected
+++ b/javascript/ql/test/library-tests/TypeScript/Types/tests.expected
@@ -15,6 +15,8 @@ getExprType
 | boolean-type.ts:15:5:15:12 | boolean6 | boolean |
 | dummy.ts:2:12:2:12 | x | number |
 | dummy.ts:2:16:2:16 | 5 | 5 |
+| dummy.ts:4:12:4:14 | reg | RegExp |
+| dummy.ts:4:18:4:23 | /ab+c/ | RegExp |
 | middle-rest.ts:1:5:1:7 | foo | [boolean, ...string[], number] |
 | middle-rest.ts:3:1:3:3 | foo | [boolean, ...string[], number] |
 | middle-rest.ts:3:1:3:26 | foo = [ ... ", 123] | [true, string, number] |

From 504c34ed2c1493b0f7b413e710e8545d8ebfd21f Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 10 May 2021 14:51:13 +0200
Subject: [PATCH 0969/1429] use shouldPrint to filter out regular expressions
 from other files

---
 javascript/ql/src/semmle/javascript/PrintAst.qll | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/PrintAst.qll b/javascript/ql/src/semmle/javascript/PrintAst.qll
index 99f06354d74..029cfd536fc 100644
--- a/javascript/ql/src/semmle/javascript/PrintAst.qll
+++ b/javascript/ql/src/semmle/javascript/PrintAst.qll
@@ -74,7 +74,11 @@ private newtype TPrintAstNode =
   THTMLAttributeNode(HTML::Attribute attr) { shouldPrint(attr, _) and not isNotNeeded(attr) } or
   THTMLScript(Script script) { shouldPrint(script, _) and not isNotNeeded(script) } or
   THTMLCodeInAttr(CodeInAttribute attr) { shouldPrint(attr, _) and not isNotNeeded(attr) } or
-  TRegExpTermNode(RegExpTerm term) { term.isUsedAsRegExp() }
+  TRegExpTermNode(RegExpTerm term) {
+    shouldPrint(term, _) and
+    term.isUsedAsRegExp() and
+    any(RegExpLiteral lit).getRoot() = term.getRootTerm()
+  }
 
 /**
  * A node in the output tree.

From 78370cf63fa0bf528c3f566654c73bdf25547f1f Mon Sep 17 00:00:00 2001
From: yoff <lerchedahl@gmail.com>
Date: Mon, 10 May 2021 14:53:40 +0200
Subject: [PATCH 0970/1429] Update
 python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll

---
 python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
index 05ea4f62630..4f3457e0a99 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
@@ -58,7 +58,7 @@ private module Re {
    * This class will identify that `re.compile` compiles `input` and afterwards
    * executes `re`'s `match`. As a result, `this` will refer to `pattern.match(s)`
    * and `this.getRegexNode()` will return the node for `input` (`re.compile`'s first argument)
-   * 
+   *
    *
    * See `RegexExecutionMethods`
    *

From c7cd75437ffb4748c63239eb95f72efa537c0f2b Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Mon, 10 May 2021 14:58:33 +0200
Subject: [PATCH 0971/1429] C++: Add testcase demonstrating false positive from
 conversions.

---
 .../ComparisonWithWiderType.expected                        | 1 +
 .../CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp    | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected
index d04bff0a812..652a34f98f1 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected
@@ -1,3 +1,4 @@
+| test3.cpp:6:8:6:71 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type int. | test3.cpp:5:34:5:38 | small | small | test3.cpp:6:42:6:70 | ... - ... | ... - ... |
 | test.c:4:14:4:18 | ... < ... | Comparison between $@ of type char and $@ of wider type int. | test.c:3:7:3:7 | c | c | test.c:2:17:2:17 | x | x |
 | test.c:9:14:9:18 | ... > ... | Comparison between $@ of type char and $@ of wider type int. | test.c:8:7:8:7 | c | c | test.c:7:17:7:17 | x | x |
 | test.c:14:14:14:18 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:13:8:13:8 | s | s | test.c:12:17:12:17 | x | x |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp
index 3ae02d9d56c..cbd9c2e5bd9 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp
@@ -1,3 +1,7 @@
 void test_issue_5850(unsigned char small, unsigned int large1) {
 	for(; small < static_cast<unsigned char>(large1 - 1); small++) { } // GOOD
-}
\ No newline at end of file
+}
+
+void test_widening(unsigned char small, char large) {
+	for(; small < static_cast<unsigned int>(static_cast<short>(large) - 1); small++) { } // GOOD [FALSE POSITIVE]
+}

From 3fe9a3d9334699a4db47ebd6ee9e5c3d2640cd45 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 10 May 2021 12:15:40 +0200
Subject: [PATCH 0972/1429] Python: Add modeling of simplejson PyPI package

I noticed that we don't handle PostUpdateNote very well in the concept tests,
for exmaple for `json.dump(...)` there _should_ have been an `encodeOutput` as
part of the inline expectations.

I'll work on fixing that up in a separate PR, to keep things clean.
---
 docs/codeql/support/reusables/frameworks.rst  |  1 +
 .../2021-05-10-simplejson-add-modeling.md     |  2 +
 python/ql/src/semmle/python/Frameworks.qll    |  1 +
 .../semmle/python/frameworks/Simplejson.qll   | 84 +++++++++++++++++++
 .../simplejson/ConceptsTest.expected          |  0
 .../frameworks/simplejson/ConceptsTest.ql     |  2 +
 .../simplejson/InlineTaintTest.expected       |  3 +
 .../frameworks/simplejson/InlineTaintTest.ql  |  1 +
 .../frameworks/simplejson/taint_test.py       | 46 ++++++++++
 9 files changed, 140 insertions(+)
 create mode 100644 python/change-notes/2021-05-10-simplejson-add-modeling.md
 create mode 100644 python/ql/src/semmle/python/frameworks/Simplejson.qll
 create mode 100644 python/ql/test/library-tests/frameworks/simplejson/ConceptsTest.expected
 create mode 100644 python/ql/test/library-tests/frameworks/simplejson/ConceptsTest.ql
 create mode 100644 python/ql/test/library-tests/frameworks/simplejson/InlineTaintTest.expected
 create mode 100644 python/ql/test/library-tests/frameworks/simplejson/InlineTaintTest.ql
 create mode 100644 python/ql/test/library-tests/frameworks/simplejson/taint_test.py

diff --git a/docs/codeql/support/reusables/frameworks.rst b/docs/codeql/support/reusables/frameworks.rst
index d54c07454bc..4ea461ed435 100644
--- a/docs/codeql/support/reusables/frameworks.rst
+++ b/docs/codeql/support/reusables/frameworks.rst
@@ -156,6 +156,7 @@ Python built-in support
    Tornado, Web framework
    PyYAML, Serialization
    dill, Serialization
+   simplejson, Serialization
    fabric, Utility library
    invoke, Utility library
    idna, Utility library
diff --git a/python/change-notes/2021-05-10-simplejson-add-modeling.md b/python/change-notes/2021-05-10-simplejson-add-modeling.md
new file mode 100644
index 00000000000..910441bdeac
--- /dev/null
+++ b/python/change-notes/2021-05-10-simplejson-add-modeling.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added modeling of the PyPI package `simplejson`.
diff --git a/python/ql/src/semmle/python/Frameworks.qll b/python/ql/src/semmle/python/Frameworks.qll
index ed8f308c70a..bec73652394 100644
--- a/python/ql/src/semmle/python/Frameworks.qll
+++ b/python/ql/src/semmle/python/Frameworks.qll
@@ -16,6 +16,7 @@ private import semmle.python.frameworks.MysqlConnectorPython
 private import semmle.python.frameworks.MySQLdb
 private import semmle.python.frameworks.Psycopg2
 private import semmle.python.frameworks.PyMySQL
+private import semmle.python.frameworks.Simplejson
 private import semmle.python.frameworks.Stdlib
 private import semmle.python.frameworks.Tornado
 private import semmle.python.frameworks.Yaml
diff --git a/python/ql/src/semmle/python/frameworks/Simplejson.qll b/python/ql/src/semmle/python/frameworks/Simplejson.qll
new file mode 100644
index 00000000000..41676705a40
--- /dev/null
+++ b/python/ql/src/semmle/python/frameworks/Simplejson.qll
@@ -0,0 +1,84 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `simplejson` PyPI package.
+ * See https://simplejson.readthedocs.io/en/latest/.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/**
+ * Provides models for the `simplejson` PyPI package.
+ * See https://simplejson.readthedocs.io/en/latest/.
+ */
+private module SimplejsonModel {
+  /**
+   * A call to `simplejson.dumps`.
+   *
+   * See https://simplejson.readthedocs.io/en/latest/#simplejson.dumps
+   */
+  private class SimplejsonDumpsCall extends Encoding::Range, DataFlow::CallCfgNode {
+    SimplejsonDumpsCall() { this = API::moduleImport("simplejson").getMember("dumps").getACall() }
+
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("obj")] }
+
+    override DataFlow::Node getOutput() { result = this }
+
+    override string getFormat() { result = "JSON" }
+  }
+
+  /**
+   * A call to `simplejson.dump`.
+   *
+   * See https://simplejson.readthedocs.io/en/latest/#simplejson.dump
+   */
+  private class SimplejsonDumpCall extends Encoding::Range, DataFlow::CallCfgNode {
+    SimplejsonDumpCall() { this = API::moduleImport("simplejson").getMember("dump").getACall() }
+
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("obj")] }
+
+    override DataFlow::Node getOutput() {
+      result.(DataFlow::PostUpdateNode).getPreUpdateNode() in [
+          this.getArg(1), this.getArgByName("fp")
+        ]
+    }
+
+    override string getFormat() { result = "JSON" }
+  }
+
+  /**
+   * A call to `simplejson.loads`.
+   *
+   * See https://simplejson.readthedocs.io/en/latest/#simplejson.loads
+   */
+  private class SimplejsonLoadsCall extends Decoding::Range, DataFlow::CallCfgNode {
+    SimplejsonLoadsCall() { this = API::moduleImport("simplejson").getMember("loads").getACall() }
+
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("s")] }
+
+    override DataFlow::Node getOutput() { result = this }
+
+    override string getFormat() { result = "JSON" }
+
+    override predicate mayExecuteInput() { none() }
+  }
+
+  /**
+   * A call to `simplejson.load`.
+   *
+   * See https://simplejson.readthedocs.io/en/latest/#simplejson.load
+   */
+  private class SimplejsonLoadCall extends Decoding::Range, DataFlow::CallCfgNode {
+    SimplejsonLoadCall() { this = API::moduleImport("simplejson").getMember("load").getACall() }
+
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("fp")] }
+
+    override DataFlow::Node getOutput() { result = this }
+
+    override string getFormat() { result = "JSON" }
+
+    override predicate mayExecuteInput() { none() }
+  }
+}
diff --git a/python/ql/test/library-tests/frameworks/simplejson/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/simplejson/ConceptsTest.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/python/ql/test/library-tests/frameworks/simplejson/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/simplejson/ConceptsTest.ql
new file mode 100644
index 00000000000..b557a0bccb6
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/simplejson/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
diff --git a/python/ql/test/library-tests/frameworks/simplejson/InlineTaintTest.expected b/python/ql/test/library-tests/frameworks/simplejson/InlineTaintTest.expected
new file mode 100644
index 00000000000..79d760d87f4
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/simplejson/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
diff --git a/python/ql/test/library-tests/frameworks/simplejson/InlineTaintTest.ql b/python/ql/test/library-tests/frameworks/simplejson/InlineTaintTest.ql
new file mode 100644
index 00000000000..027ad8667be
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/simplejson/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
diff --git a/python/ql/test/library-tests/frameworks/simplejson/taint_test.py b/python/ql/test/library-tests/frameworks/simplejson/taint_test.py
new file mode 100644
index 00000000000..2b7de24a0c2
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/simplejson/taint_test.py
@@ -0,0 +1,46 @@
+import simplejson
+from io import StringIO
+
+def test():
+    ts = TAINTED_STRING
+    tainted_obj = {"foo": ts}
+
+    encoded = simplejson.dumps(tainted_obj) # $ encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
+
+    ensure_tainted(
+        encoded, # $ tainted
+        simplejson.dumps(tainted_obj), # $ tainted encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
+        simplejson.dumps(obj=tainted_obj), # $ tainted encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
+        simplejson.loads(encoded), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=encoded
+        simplejson.loads(s=encoded), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=encoded
+    )
+
+    # load/dump with file-like
+    tainted_filelike = StringIO()
+    simplejson.dump(tainted_obj, tainted_filelike) # $ encodeFormat=JSON encodeInput=tainted_obj
+
+    tainted_filelike.seek(0)
+    ensure_tainted(
+        tainted_filelike, # $ tainted
+        simplejson.load(tainted_filelike), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=tainted_filelike
+    )
+
+    # load/dump with file-like using keyword-args
+    tainted_filelike = StringIO()
+    simplejson.dump(obj=tainted_obj, fp=tainted_filelike) # $ encodeFormat=JSON encodeInput=tainted_obj
+
+    tainted_filelike.seek(0)
+    ensure_tainted(
+        tainted_filelike, # $ tainted
+        simplejson.load(fp=tainted_filelike), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=tainted_filelike
+    )
+
+# To make things runable
+
+TAINTED_STRING = "TAINTED_STRING"
+def ensure_tainted(*args):
+    print("- ensure_tainted")
+    for i, arg in enumerate(args):
+        print("arg {}: {!r}".format(i, arg))
+
+test()

From 784e0cdb96b1f5dbe72aecc0d595e78cdd6dd085 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 10 May 2021 14:28:54 +0200
Subject: [PATCH 0973/1429] Python: Improve tests of `json` module

Inspired by the work on previous commit
---
 .../defaultAdditionalTaintStep/test_json.py   | 45 +++++++------------
 1 file changed, 17 insertions(+), 28 deletions(-)

diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py
index a7398b4d001..46ac4afc219 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py
@@ -11,54 +11,43 @@ if TYPE_CHECKING:
 # Actual tests
 
 from io import StringIO
-
-# Workaround for Python3 not having unicode
-import sys
-if sys.version_info[0] == 3:
-    unicode = str
+import json
 
 def test():
     print("\n# test")
     ts = TAINTED_STRING
-    import json
+
+    encoded = json.dumps(ts)
 
     ensure_tainted(
+        encoded, # $ tainted
         json.dumps(ts), # $ tainted
-        json.loads(json.dumps(ts)), # $ tainted
+        json.dumps(obj=ts), # $ MISSING: tainted
+        json.loads(encoded), # $ tainted
+        json.loads(s=encoded), # $ MISSING: tainted
     )
 
-    # For Python2, need to convert to unicode for StringIO to work
-    tainted_filelike = StringIO(unicode(json.dumps(ts)))
+    # load/dump with file-like
+    tainted_filelike = StringIO()
+    json.dump(ts, tainted_filelike)
 
+    tainted_filelike.seek(0)
     ensure_tainted(
         tainted_filelike, # $ MISSING: tainted
         json.load(tainted_filelike), # $ MISSING: tainted
     )
 
-def non_syntacical():
-    print("\n# non_syntacical")
-    ts = TAINTED_STRING
-
-    # a less syntactical approach
-    from json import load, loads, dumps
-
-    dumps_alias = dumps
-
-    ensure_tainted(
-        dumps(ts), # $ tainted
-        dumps_alias(ts), # $ tainted
-        loads(dumps(ts)), # $ tainted
-    )
-
-    # For Python2, need to convert to unicode for StringIO to work
-    tainted_filelike = StringIO(unicode(dumps(ts)))
+    # load/dump with file-like using keyword-args
+    tainted_filelike = StringIO()
+    json.dump(obj=ts, fp=tainted_filelike)
 
+    tainted_filelike.seek(0)
     ensure_tainted(
         tainted_filelike, # $ MISSING: tainted
-        load(tainted_filelike), # $ MISSING: tainted
+        json.load(fp=tainted_filelike), # $ MISSING: tainted
     )
 
+
 # Make tests runable
 
 test()
-non_syntacical()

From 63f28d7d9b1946b97c1b3150957268ac5e316c9e Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 10 May 2021 14:33:27 +0200
Subject: [PATCH 0974/1429] Python: Model keyword args to json loads/dumps

---
 python/ql/src/semmle/python/frameworks/Stdlib.qll             | 4 ++--
 .../tainttracking/defaultAdditionalTaintStep/test_json.py     | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index 07753e9fde5..afc1fb45f25 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -511,7 +511,7 @@ private module Stdlib {
 
     override predicate mayExecuteInput() { none() }
 
-    override DataFlow::Node getAnInput() { result.asCfgNode() = node.getArg(0) }
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("s")] }
 
     override DataFlow::Node getOutput() { result = this }
 
@@ -525,7 +525,7 @@ private module Stdlib {
   private class JsonDumpsCall extends Encoding::Range, DataFlow::CallCfgNode {
     JsonDumpsCall() { this = json().getMember("dumps").getACall() }
 
-    override DataFlow::Node getAnInput() { result.asCfgNode() = node.getArg(0) }
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("obj")] }
 
     override DataFlow::Node getOutput() { result = this }
 
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py
index 46ac4afc219..f91bcacd3bc 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py
@@ -22,9 +22,9 @@ def test():
     ensure_tainted(
         encoded, # $ tainted
         json.dumps(ts), # $ tainted
-        json.dumps(obj=ts), # $ MISSING: tainted
+        json.dumps(obj=ts), # $ tainted
         json.loads(encoded), # $ tainted
-        json.loads(s=encoded), # $ MISSING: tainted
+        json.loads(s=encoded), # $ tainted
     )
 
     # load/dump with file-like

From 72d08f4d6eeea58d96bd8a252203caf687ee93ed Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 10 May 2021 14:35:33 +0200
Subject: [PATCH 0975/1429] Python: Model json load/dump

---
 .../src/semmle/python/frameworks/Stdlib.qll   | 34 +++++++++++++++++++
 .../defaultAdditionalTaintStep/test_json.py   |  8 ++---
 2 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index afc1fb45f25..69023b8940a 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -518,6 +518,22 @@ private module Stdlib {
     override string getFormat() { result = "JSON" }
   }
 
+  /**
+   * A call to `json.load`
+   * See https://docs.python.org/3/library/json.html#json.load
+   */
+  private class JsonLoadCall extends Decoding::Range, DataFlow::CallCfgNode {
+    JsonLoadCall() { this = json().getMember("load").getACall() }
+
+    override predicate mayExecuteInput() { none() }
+
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("fp")] }
+
+    override DataFlow::Node getOutput() { result = this }
+
+    override string getFormat() { result = "JSON" }
+  }
+
   /**
    * A call to `json.dumps`
    * See https://docs.python.org/3/library/json.html#json.dumps
@@ -532,6 +548,24 @@ private module Stdlib {
     override string getFormat() { result = "JSON" }
   }
 
+  /**
+   * A call to `json.dump`
+   * See https://docs.python.org/3/library/json.html#json.dump
+   */
+  private class JsonDumpCall extends Encoding::Range, DataFlow::CallCfgNode {
+    JsonDumpCall() { this = json().getMember("dump").getACall() }
+
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("obj")] }
+
+    override DataFlow::Node getOutput() {
+      result.(DataFlow::PostUpdateNode).getPreUpdateNode() in [
+          this.getArg(1), this.getArgByName("fp")
+        ]
+    }
+
+    override string getFormat() { result = "JSON" }
+  }
+
   // ---------------------------------------------------------------------------
   // cgi
   // ---------------------------------------------------------------------------
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py
index f91bcacd3bc..b1b0536b03b 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py
@@ -33,8 +33,8 @@ def test():
 
     tainted_filelike.seek(0)
     ensure_tainted(
-        tainted_filelike, # $ MISSING: tainted
-        json.load(tainted_filelike), # $ MISSING: tainted
+        tainted_filelike, # $ tainted
+        json.load(tainted_filelike), # $ tainted
     )
 
     # load/dump with file-like using keyword-args
@@ -43,8 +43,8 @@ def test():
 
     tainted_filelike.seek(0)
     ensure_tainted(
-        tainted_filelike, # $ MISSING: tainted
-        json.load(fp=tainted_filelike), # $ MISSING: tainted
+        tainted_filelike, # $ tainted
+        json.load(fp=tainted_filelike), # $ tainted
     )
 
 

From c2a6b811fcb2236c2400a18a54041543aa729dbc Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 10 May 2021 15:07:55 +0200
Subject: [PATCH 0976/1429] Python: Add modeling of ujson PyPI package

The problem with `tainted_filelike` not having taint, is that in the call

`ujson.dump(tainted_obj, tainted_filelike)`

there is no PostUpdateNote for `tainted_filelike` :( The reason is that
points-to is not able to resolve the call, so none of the clauses in
`argumentPreUpdateNode` matches

See https://github.com/github/codeql/blob/08731fc6cf4ba6951cd4e8f239eac1f3388d3957/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll#L101-L111

Let's deal with that issue in an other PR though
---
 docs/codeql/support/reusables/frameworks.rst  |  1 +
 .../2021-05-10-ujson-add-modeling.md          |  2 +
 python/ql/src/semmle/python/Frameworks.qll    |  1 +
 .../ql/src/semmle/python/frameworks/Ujson.qll | 76 +++++++++++++++++++
 .../frameworks/ujson/ConceptsTest.expected    |  0
 .../frameworks/ujson/ConceptsTest.ql          |  2 +
 .../frameworks/ujson/InlineTaintTest.expected |  3 +
 .../frameworks/ujson/InlineTaintTest.ql       |  1 +
 .../frameworks/ujson/taint_test.py            | 44 +++++++++++
 9 files changed, 130 insertions(+)
 create mode 100644 python/change-notes/2021-05-10-ujson-add-modeling.md
 create mode 100644 python/ql/src/semmle/python/frameworks/Ujson.qll
 create mode 100644 python/ql/test/library-tests/frameworks/ujson/ConceptsTest.expected
 create mode 100644 python/ql/test/library-tests/frameworks/ujson/ConceptsTest.ql
 create mode 100644 python/ql/test/library-tests/frameworks/ujson/InlineTaintTest.expected
 create mode 100644 python/ql/test/library-tests/frameworks/ujson/InlineTaintTest.ql
 create mode 100644 python/ql/test/library-tests/frameworks/ujson/taint_test.py

diff --git a/docs/codeql/support/reusables/frameworks.rst b/docs/codeql/support/reusables/frameworks.rst
index 4ea461ed435..5bc7d572e7f 100644
--- a/docs/codeql/support/reusables/frameworks.rst
+++ b/docs/codeql/support/reusables/frameworks.rst
@@ -157,6 +157,7 @@ Python built-in support
    PyYAML, Serialization
    dill, Serialization
    simplejson, Serialization
+   ujson, Serialization
    fabric, Utility library
    invoke, Utility library
    idna, Utility library
diff --git a/python/change-notes/2021-05-10-ujson-add-modeling.md b/python/change-notes/2021-05-10-ujson-add-modeling.md
new file mode 100644
index 00000000000..2d7cdc4b68a
--- /dev/null
+++ b/python/change-notes/2021-05-10-ujson-add-modeling.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added modeling of the PyPI package `ujson`.
diff --git a/python/ql/src/semmle/python/Frameworks.qll b/python/ql/src/semmle/python/Frameworks.qll
index bec73652394..3115c3ffac6 100644
--- a/python/ql/src/semmle/python/Frameworks.qll
+++ b/python/ql/src/semmle/python/Frameworks.qll
@@ -19,4 +19,5 @@ private import semmle.python.frameworks.PyMySQL
 private import semmle.python.frameworks.Simplejson
 private import semmle.python.frameworks.Stdlib
 private import semmle.python.frameworks.Tornado
+private import semmle.python.frameworks.Ujson
 private import semmle.python.frameworks.Yaml
diff --git a/python/ql/src/semmle/python/frameworks/Ujson.qll b/python/ql/src/semmle/python/frameworks/Ujson.qll
new file mode 100644
index 00000000000..145f7f883a9
--- /dev/null
+++ b/python/ql/src/semmle/python/frameworks/Ujson.qll
@@ -0,0 +1,76 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `ujson` PyPI package.
+ * See https://pypi.org/project/ujson/.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/**
+ * Provides models for the `ujson` PyPI package.
+ * See https://pypi.org/project/ujson/.
+ */
+private module UjsonModel {
+  /**
+   * A call to `usjon.dumps` or `ujson.encode`.
+   */
+  private class UjsonDumpsCall extends Encoding::Range, DataFlow::CallCfgNode {
+    UjsonDumpsCall() { this = API::moduleImport("ujson").getMember(["dumps", "encode"]).getACall() }
+
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("obj")] }
+
+    override DataFlow::Node getOutput() { result = this }
+
+    override string getFormat() { result = "JSON" }
+  }
+
+  /**
+   * A call to `ujson.dump`.
+   */
+  private class UjsonDumpCall extends Encoding::Range, DataFlow::CallCfgNode {
+    UjsonDumpCall() { this = API::moduleImport("ujson").getMember("dump").getACall() }
+
+    override DataFlow::Node getAnInput() { result = this.getArg(0) }
+
+    override DataFlow::Node getOutput() {
+      result.(DataFlow::PostUpdateNode).getPreUpdateNode() = this.getArg(1)
+    }
+
+    override string getFormat() { result = "JSON" }
+  }
+
+  /**
+   * A call to `ujson.loads` or `ujson.decode`.
+   */
+  private class UjsonLoadsCall extends Decoding::Range, DataFlow::CallCfgNode {
+    UjsonLoadsCall() { this = API::moduleImport("ujson").getMember(["loads", "decode"]).getACall() }
+
+    // Note: Most other JSON libraries allow the keyword argument `s`, but as of version
+    // 4.0.2 `ujson` uses `obj` instead.
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("obj")] }
+
+    override DataFlow::Node getOutput() { result = this }
+
+    override string getFormat() { result = "JSON" }
+
+    override predicate mayExecuteInput() { none() }
+  }
+
+  /**
+   * A call to `ujson.load`.
+   */
+  private class UjsonLoadCall extends Decoding::Range, DataFlow::CallCfgNode {
+    UjsonLoadCall() { this = API::moduleImport("ujson").getMember("load").getACall() }
+
+    override DataFlow::Node getAnInput() { result = this.getArg(0) }
+
+    override DataFlow::Node getOutput() { result = this }
+
+    override string getFormat() { result = "JSON" }
+
+    override predicate mayExecuteInput() { none() }
+  }
+}
diff --git a/python/ql/test/library-tests/frameworks/ujson/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/ujson/ConceptsTest.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/python/ql/test/library-tests/frameworks/ujson/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/ujson/ConceptsTest.ql
new file mode 100644
index 00000000000..b557a0bccb6
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/ujson/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
diff --git a/python/ql/test/library-tests/frameworks/ujson/InlineTaintTest.expected b/python/ql/test/library-tests/frameworks/ujson/InlineTaintTest.expected
new file mode 100644
index 00000000000..79d760d87f4
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/ujson/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
diff --git a/python/ql/test/library-tests/frameworks/ujson/InlineTaintTest.ql b/python/ql/test/library-tests/frameworks/ujson/InlineTaintTest.ql
new file mode 100644
index 00000000000..027ad8667be
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/ujson/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
diff --git a/python/ql/test/library-tests/frameworks/ujson/taint_test.py b/python/ql/test/library-tests/frameworks/ujson/taint_test.py
new file mode 100644
index 00000000000..2c965518393
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/ujson/taint_test.py
@@ -0,0 +1,44 @@
+import ujson
+from io import StringIO
+
+def test():
+    ts = TAINTED_STRING
+    tainted_obj = {"foo": ts}
+
+    encoded = ujson.dumps(tainted_obj) # $ encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
+
+    ensure_tainted(
+        encoded, # $ tainted
+        ujson.dumps(tainted_obj), # $ tainted encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
+        ujson.dumps(obj=tainted_obj), # $ tainted encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
+        ujson.loads(encoded), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=encoded
+        ujson.loads(obj=encoded), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=encoded
+
+        ujson.encode(tainted_obj), # $ tainted encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
+        ujson.encode(obj=tainted_obj), # $ tainted encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
+        ujson.decode(encoded), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=encoded
+        ujson.decode(obj=encoded), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=encoded
+    )
+
+    # load/dump with file-like
+    tainted_filelike = StringIO()
+    ujson.dump(tainted_obj, tainted_filelike) # $ encodeFormat=JSON encodeInput=tainted_obj
+
+    tainted_filelike.seek(0)
+    ensure_tainted(
+        tainted_filelike, # $ MISSING: tainted
+        ujson.load(tainted_filelike), # $ decodeOutput=Attribute() decodeFormat=JSON decodeInput=tainted_filelike MISSING: tainted
+    )
+
+    # load/dump with file-like using keyword-args does not work in `ujson`
+
+
+# To make things runable
+
+TAINTED_STRING = "TAINTED_STRING"
+def ensure_tainted(*args):
+    print("- ensure_tainted")
+    for i, arg in enumerate(args):
+        print("arg {}: {!r}".format(i, arg))
+
+test()

From c0b65314be2a83d28ac441bab610a4ea00a12e17 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Mon, 10 May 2021 15:18:42 +0200
Subject: [PATCH 0977/1429] C++: Fix false positive by restricting _both_ the
 old (unconverted) expression _and_ all of the conversions.

---
 cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql     | 3 +++
 .../ComparisonWithWiderType/ComparisonWithWiderType.expected   | 1 -
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
index 8c33f78316a..1053b5041c8 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
@@ -49,6 +49,9 @@ where
   small = rel.getLesserOperand() and
   large = rel.getGreaterOperand() and
   rel = l.getCondition().getAChild*() and
+  forall(Expr conv | conv = large.getConversion*() |
+    upperBound(conv).log2() > getComparisonSize(small) * 8
+  ) and
   upperBound(large.getFullyConverted()).log2() > getComparisonSize(small) * 8 and
   // Ignore cases where the smaller type is int or larger
   // These are still bugs, but you should need a very large string or array to
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected
index 652a34f98f1..d04bff0a812 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/ComparisonWithWiderType.expected
@@ -1,4 +1,3 @@
-| test3.cpp:6:8:6:71 | ... < ... | Comparison between $@ of type unsigned char and $@ of wider type int. | test3.cpp:5:34:5:38 | small | small | test3.cpp:6:42:6:70 | ... - ... | ... - ... |
 | test.c:4:14:4:18 | ... < ... | Comparison between $@ of type char and $@ of wider type int. | test.c:3:7:3:7 | c | c | test.c:2:17:2:17 | x | x |
 | test.c:9:14:9:18 | ... > ... | Comparison between $@ of type char and $@ of wider type int. | test.c:8:7:8:7 | c | c | test.c:7:17:7:17 | x | x |
 | test.c:14:14:14:18 | ... < ... | Comparison between $@ of type short and $@ of wider type int. | test.c:13:8:13:8 | s | s | test.c:12:17:12:17 | x | x |

From 51d04cb5b333e55bb91a848e68f958b8744959e2 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Mon, 10 May 2021 15:30:35 +0200
Subject: [PATCH 0978/1429] C++: Correct test annotation.

---
 .../CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp
index cbd9c2e5bd9..2cde5e689c7 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/ComparisonWithWiderType/test3.cpp
@@ -3,5 +3,5 @@ void test_issue_5850(unsigned char small, unsigned int large1) {
 }
 
 void test_widening(unsigned char small, char large) {
-	for(; small < static_cast<unsigned int>(static_cast<short>(large) - 1); small++) { } // GOOD [FALSE POSITIVE]
+	for(; small < static_cast<unsigned int>(static_cast<short>(large) - 1); small++) { } // GOOD
 }

From d55db836cb4aa8ae65eb1d6046bd0547dd52b919 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Mon, 10 May 2021 16:13:54 +0200
Subject: [PATCH 0979/1429] C++: Remove implied conjunct.

---
 cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql | 1 -
 1 file changed, 1 deletion(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
index 1053b5041c8..2d21ed8a3b2 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
@@ -52,7 +52,6 @@ where
   forall(Expr conv | conv = large.getConversion*() |
     upperBound(conv).log2() > getComparisonSize(small) * 8
   ) and
-  upperBound(large.getFullyConverted()).log2() > getComparisonSize(small) * 8 and
   // Ignore cases where the smaller type is int or larger
   // These are still bugs, but you should need a very large string or array to
   // trigger them. We will want to disable this for some applications, but it's

From 1b0d5053e7a7a1fccaa463761fc8d7a5e142f7a5 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 10 May 2021 16:21:29 +0200
Subject: [PATCH 0980/1429] Python: simplejson load/dump only works with lib
 installed

Which I had done locally. Problem is the same about not having PostUpdateNode
when points-to is not able to resolve the call, so I'm happy to just make CI
happy right now, and hopefully we'll get a fix to the underlying problem soon :blush:
---
 .../library-tests/frameworks/simplejson/taint_test.py     | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/python/ql/test/library-tests/frameworks/simplejson/taint_test.py b/python/ql/test/library-tests/frameworks/simplejson/taint_test.py
index 2b7de24a0c2..6f5d45b0b33 100644
--- a/python/ql/test/library-tests/frameworks/simplejson/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/simplejson/taint_test.py
@@ -21,8 +21,8 @@ def test():
 
     tainted_filelike.seek(0)
     ensure_tainted(
-        tainted_filelike, # $ tainted
-        simplejson.load(tainted_filelike), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=tainted_filelike
+        tainted_filelike, # $ MISSING: tainted
+        simplejson.load(tainted_filelike), # $ decodeOutput=Attribute() decodeFormat=JSON decodeInput=tainted_filelike MISSING: tainted
     )
 
     # load/dump with file-like using keyword-args
@@ -31,8 +31,8 @@ def test():
 
     tainted_filelike.seek(0)
     ensure_tainted(
-        tainted_filelike, # $ tainted
-        simplejson.load(fp=tainted_filelike), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=tainted_filelike
+        tainted_filelike, # $ MISSING: tainted
+        simplejson.load(fp=tainted_filelike), # $ decodeOutput=Attribute() decodeFormat=JSON decodeInput=tainted_filelike MISSING: tainted
     )
 
 # To make things runable

From 31ac6442e8c3161405938f8621d6c15b34439df8 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Mon, 10 May 2021 15:49:31 +0200
Subject: [PATCH 0981/1429] C#: Fix default parameter value generation in case
 of error symbols

---
 .../extractor/Semmle.Extraction.CSharp/Entities/Expression.cs  | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
index 103ea8cacda..a478047ac7b 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs
@@ -170,7 +170,8 @@ namespace Semmle.Extraction.CSharp.Entities
         public static Expression? CreateGenerated(Context cx, IParameterSymbol parameter, IExpressionParentEntity parent,
             int childIndex, Extraction.Entities.Location location)
         {
-            if (!parameter.HasExplicitDefaultValue)
+            if (!parameter.HasExplicitDefaultValue ||
+                parameter.Type is IErrorTypeSymbol)
             {
                 return null;
             }

From dd86da3f242ea1186f85be6da8e424940b91fe02 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Mon, 10 May 2021 15:48:33 +0200
Subject: [PATCH 0982/1429] C#: Remove base class from type IDs in trap files

---
 .../Entities/Types/Type.cs                    |   74 +-
 .../SymbolExtensions.cs                       |   47 +-
 csharp/ql/src/semmlecode.csharp.dbscheme      |    2 +-
 .../old.dbscheme                              | 2083 +++++++++++++++++
 .../semmlecode.csharp.dbscheme                | 2083 +++++++++++++++++
 .../upgrade.properties                        |    2 +
 6 files changed, 4233 insertions(+), 58 deletions(-)
 create mode 100644 csharp/upgrades/9258e9b38d85f92cee9559f2ed21e241f0c7a29e/old.dbscheme
 create mode 100644 csharp/upgrades/9258e9b38d85f92cee9559f2ed21e241f0c7a29e/semmlecode.csharp.dbscheme
 create mode 100644 csharp/upgrades/9258e9b38d85f92cee9559f2ed21e241f0c7a29e/upgrade.properties

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Type.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Type.cs
index e2522648678..67936f9a913 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Type.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/Type.cs
@@ -81,22 +81,45 @@ namespace Semmle.Extraction.CSharp.Entities
             Symbol.BuildDisplayName(Context, trapFile, constructUnderlyingTupleType);
             trapFile.WriteLine("\")");
 
+            var baseTypes = GetBaseTypeDeclarations();
+
             // Visit base types
-            var baseTypes = new List<Type>();
             if (Symbol.GetNonObjectBaseType(Context) is INamedTypeSymbol @base)
             {
-                var baseKey = Create(Context, @base);
-                trapFile.extend(this, baseKey.TypeRef);
-                if (Symbol.TypeKind != TypeKind.Struct)
-                    baseTypes.Add(baseKey);
+                var bts = GetBaseTypeDeclarations(baseTypes, @base);
+
+                Context.PopulateLater(() =>
+                {
+                    var baseKey = Create(Context, @base);
+                    trapFile.extend(this, baseKey.TypeRef);
+
+                    if (Symbol.TypeKind != TypeKind.Struct)
+                    {
+                        foreach (var bt in bts)
+                        {
+                            TypeMention.Create(Context, bt.Type, this, baseKey);
+                        }
+                    }
+                });
             }
 
+            // Visit implemented interfaces
             if (!(base.Symbol is IArrayTypeSymbol))
             {
-                foreach (var t in base.Symbol.Interfaces.Select(i => Create(Context, i)))
+                foreach (var i in base.Symbol.Interfaces)
                 {
-                    trapFile.implement(this, t.TypeRef);
-                    baseTypes.Add(t);
+                    var bts = GetBaseTypeDeclarations(baseTypes, i);
+
+                    Context.PopulateLater(() =>
+                    {
+                        var interfaceKey = Create(Context, i);
+                        trapFile.implement(this, interfaceKey.TypeRef);
+
+                        foreach (var bt in bts)
+                        {
+                            TypeMention.Create(Context, bt.Type, this, interfaceKey);
+                        }
+                    });
                 }
             }
 
@@ -145,23 +168,30 @@ namespace Semmle.Extraction.CSharp.Entities
             }
 
             Modifier.ExtractModifiers(Context, trapFile, this, Symbol);
+        }
 
-            if (IsSourceDeclaration && Symbol.FromSource())
+        private IEnumerable<BaseTypeSyntax> GetBaseTypeDeclarations()
+        {
+            if (!IsSourceDeclaration || !Symbol.FromSource())
             {
-                var declSyntaxReferences = Symbol.DeclaringSyntaxReferences.Select(d => d.GetSyntax()).ToArray();
-
-                var baseLists = declSyntaxReferences.OfType<ClassDeclarationSyntax>().Select(c => c.BaseList);
-                baseLists = baseLists.Concat(declSyntaxReferences.OfType<InterfaceDeclarationSyntax>().Select(c => c.BaseList));
-                baseLists = baseLists.Concat(declSyntaxReferences.OfType<StructDeclarationSyntax>().Select(c => c.BaseList));
-
-                baseLists
-                    .Where(bl => bl is not null)
-                    .SelectMany(bl => bl!.Types)
-                    .Zip(
-                        baseTypes.Where(bt => bt.Symbol.SpecialType != SpecialType.System_Object),
-                        (s, t) => TypeMention.Create(Context, s.Type, this, t))
-                    .Enumerate();
+                return Enumerable.Empty<BaseTypeSyntax>();
             }
+
+            var declSyntaxReferences = Symbol.DeclaringSyntaxReferences.Select(d => d.GetSyntax()).ToArray();
+
+            var baseLists = declSyntaxReferences.OfType<ClassDeclarationSyntax>().Select(c => c.BaseList);
+            baseLists = baseLists.Concat(declSyntaxReferences.OfType<InterfaceDeclarationSyntax>().Select(c => c.BaseList));
+            baseLists = baseLists.Concat(declSyntaxReferences.OfType<StructDeclarationSyntax>().Select(c => c.BaseList));
+
+            return baseLists
+                .Where(bl => bl is not null)
+                .SelectMany(bl => bl!.Types)
+                .ToList();
+        }
+
+        private IEnumerable<BaseTypeSyntax> GetBaseTypeDeclarations(IEnumerable<BaseTypeSyntax> baseTypes, INamedTypeSymbol type)
+        {
+            return baseTypes.Where(bt => SymbolEqualityComparer.Default.Equals(Context.GetModel(bt).GetTypeInfo(bt.Type).Type, type));
         }
 
         private void ExtractParametersForDelegateLikeType(TextWriter trapFile, IMethodSymbol invokeMethod, Action<Type> storeReturnType)
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs b/csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs
index 32b90e37068..91f0d0edf20 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs
@@ -121,8 +121,6 @@ namespace Semmle.Extraction.CSharp
                                 named = named.TupleUnderlyingType;
                             if (IdDependsOnImpl(named.ContainingType))
                                 return true;
-                            if (IdDependsOnImpl(named.GetNonObjectBaseType(cx)))
-                                return true;
                             if (IdDependsOnImpl(named.ConstructedFrom))
                                 return true;
                             return named.TypeArguments.Any(IdDependsOnImpl);
@@ -160,10 +158,7 @@ namespace Semmle.Extraction.CSharp
         /// <param name="trapFile">The trap builder used to store the result.</param>
         /// <param name="symbolBeingDefined">The outer symbol being defined (to avoid recursive ids).</param>
         /// <param name="constructUnderlyingTupleType">Whether to build a type ID for the underlying `System.ValueTuple` struct in the case of tuple types.</param>
-        public static void BuildTypeId(this ITypeSymbol type, Context cx, EscapingTextWriter trapFile, ISymbol symbolBeingDefined, bool constructUnderlyingTupleType = false) =>
-            type.BuildTypeId(cx, trapFile, symbolBeingDefined, true, constructUnderlyingTupleType);
-
-        private static void BuildTypeId(this ITypeSymbol type, Context cx, EscapingTextWriter trapFile, ISymbol symbolBeingDefined, bool addBaseClass, bool constructUnderlyingTupleType)
+        public static void BuildTypeId(this ITypeSymbol type, Context cx, EscapingTextWriter trapFile, ISymbol symbolBeingDefined, bool constructUnderlyingTupleType = false)
         {
             using (cx.StackGuard)
             {
@@ -171,7 +166,7 @@ namespace Semmle.Extraction.CSharp
                 {
                     case TypeKind.Array:
                         var array = (IArrayTypeSymbol)type;
-                        array.ElementType.BuildOrWriteId(cx, trapFile, symbolBeingDefined, addBaseClass);
+                        array.ElementType.BuildOrWriteId(cx, trapFile, symbolBeingDefined);
                         array.BuildArraySuffix(trapFile);
                         return;
                     case TypeKind.Class:
@@ -181,16 +176,16 @@ namespace Semmle.Extraction.CSharp
                     case TypeKind.Delegate:
                     case TypeKind.Error:
                         var named = (INamedTypeSymbol)type;
-                        named.BuildNamedTypeId(cx, trapFile, symbolBeingDefined, addBaseClass, constructUnderlyingTupleType);
+                        named.BuildNamedTypeId(cx, trapFile, symbolBeingDefined, constructUnderlyingTupleType);
                         return;
                     case TypeKind.Pointer:
                         var ptr = (IPointerTypeSymbol)type;
-                        ptr.PointedAtType.BuildOrWriteId(cx, trapFile, symbolBeingDefined, addBaseClass);
+                        ptr.PointedAtType.BuildOrWriteId(cx, trapFile, symbolBeingDefined);
                         trapFile.Write('*');
                         return;
                     case TypeKind.TypeParameter:
                         var tp = (ITypeParameterSymbol)type;
-                        tp.ContainingSymbol.BuildOrWriteId(cx, trapFile, symbolBeingDefined, addBaseClass);
+                        tp.ContainingSymbol.BuildOrWriteId(cx, trapFile, symbolBeingDefined);
                         trapFile.Write('_');
                         trapFile.Write(tp.Name);
                         return;
@@ -207,7 +202,7 @@ namespace Semmle.Extraction.CSharp
             }
         }
 
-        private static void BuildOrWriteId(this ISymbol? symbol, Context cx, EscapingTextWriter trapFile, ISymbol symbolBeingDefined, bool addBaseClass, bool constructUnderlyingTupleType = false)
+        private static void BuildOrWriteId(this ISymbol? symbol, Context cx, EscapingTextWriter trapFile, ISymbol symbolBeingDefined, bool constructUnderlyingTupleType = false)
         {
             if (symbol is null)
             {
@@ -232,7 +227,7 @@ namespace Semmle.Extraction.CSharp
             if (SymbolEqualityComparer.Default.Equals(symbol, symbolBeingDefined))
                 trapFile.Write("__self__");
             else if (symbol is ITypeSymbol type && type.IdDependsOn(cx, symbolBeingDefined))
-                type.BuildTypeId(cx, trapFile, symbolBeingDefined, addBaseClass, constructUnderlyingTupleType);
+                type.BuildTypeId(cx, trapFile, symbolBeingDefined, constructUnderlyingTupleType);
             else if (symbol is INamedTypeSymbol namedType && namedType.IsTupleType && constructUnderlyingTupleType)
                 trapFile.WriteSubId(NamedType.CreateNamedTypeFromTupleType(cx, namedType));
             else
@@ -287,7 +282,7 @@ namespace Semmle.Extraction.CSharp
             BuildFunctionPointerSignature(funptr, trapFile, s => s.BuildOrWriteId(cx, trapFile, symbolBeingDefined));
         }
 
-        private static void BuildNamedTypeId(this INamedTypeSymbol named, Context cx, EscapingTextWriter trapFile, ISymbol symbolBeingDefined, bool addBaseClass, bool constructUnderlyingTupleType)
+        private static void BuildNamedTypeId(this INamedTypeSymbol named, Context cx, EscapingTextWriter trapFile, ISymbol symbolBeingDefined, bool constructUnderlyingTupleType)
         {
             if (!constructUnderlyingTupleType && named.IsTupleType)
             {
@@ -297,7 +292,7 @@ namespace Semmle.Extraction.CSharp
                     {
                         trapFile.Write((f.CorrespondingTupleField ?? f).Name);
                         trapFile.Write(":");
-                        f.Type.BuildOrWriteId(cx, trapFile, symbolBeingDefined, addBaseClass);
+                        f.Type.BuildOrWriteId(cx, trapFile, symbolBeingDefined);
                     }
                     );
                 trapFile.Write(")");
@@ -308,7 +303,7 @@ namespace Semmle.Extraction.CSharp
             {
                 if (named.ContainingType is not null)
                 {
-                    named.ContainingType.BuildOrWriteId(cx, trapFile, symbolBeingDefined, addBaseClass);
+                    named.ContainingType.BuildOrWriteId(cx, trapFile, symbolBeingDefined);
                     trapFile.Write('.');
                 }
                 else if (named.ContainingNamespace is not null)
@@ -333,35 +328,17 @@ namespace Semmle.Extraction.CSharp
             }
             else
             {
-                named.ConstructedFrom.BuildOrWriteId(cx, trapFile, symbolBeingDefined, addBaseClass, constructUnderlyingTupleType);
+                named.ConstructedFrom.BuildOrWriteId(cx, trapFile, symbolBeingDefined, constructUnderlyingTupleType);
                 trapFile.Write('<');
                 // Encode the nullability of the type arguments in the label.
                 // Type arguments with different nullability can result in
                 // a constructed type with different nullability of its members and methods,
                 // so we need to create a distinct database entity for it.
                 trapFile.BuildList(",", named.GetAnnotatedTypeArguments(),
-                    ta => ta.Symbol.BuildOrWriteId(cx, trapFile, symbolBeingDefined, addBaseClass)
+                    ta => ta.Symbol.BuildOrWriteId(cx, trapFile, symbolBeingDefined)
                     );
                 trapFile.Write('>');
             }
-
-            if (addBaseClass && named.GetNonObjectBaseType(cx) is INamedTypeSymbol @base)
-            {
-                // We need to limit unfolding of base classes. For example, in
-                //
-                // ```csharp
-                // class C1<T> { }
-                // class C2<T> : C1<C3<T>> { }
-                // class C3<T> : C1<C2<T>> { }
-                // class C4 : C3<C4> { }
-                // ```
-                //
-                // when we generate the label for `C4`, the base class `C3<C4>` has itself `C1<C2<C4>>` as
-                // a base class, which in turn has `C1<C3<C4>>` as a base class. The latter has the original
-                // base class `C3<C4>` as a type argument, which would lead to infinite unfolding.
-                trapFile.Write(" : ");
-                @base.BuildOrWriteId(cx, trapFile, symbolBeingDefined, addBaseClass: false);
-            }
         }
 
         private static void BuildNamespace(this INamespaceSymbol ns, Context cx, EscapingTextWriter trapFile)
diff --git a/csharp/ql/src/semmlecode.csharp.dbscheme b/csharp/ql/src/semmlecode.csharp.dbscheme
index 9258e9b38d8..770f844243d 100644
--- a/csharp/ql/src/semmlecode.csharp.dbscheme
+++ b/csharp/ql/src/semmlecode.csharp.dbscheme
@@ -529,7 +529,7 @@ function_pointer_return_type(
     int return_type_id: @type_or_ref ref);
 
 extend(
-  unique int sub: @type ref,
+  int sub: @type ref,
   int super: @type_or_ref ref);
 
 anonymous_types(
diff --git a/csharp/upgrades/9258e9b38d85f92cee9559f2ed21e241f0c7a29e/old.dbscheme b/csharp/upgrades/9258e9b38d85f92cee9559f2ed21e241f0c7a29e/old.dbscheme
new file mode 100644
index 00000000000..9258e9b38d8
--- /dev/null
+++ b/csharp/upgrades/9258e9b38d85f92cee9559f2ed21e241f0c7a29e/old.dbscheme
@@ -0,0 +1,2083 @@
+
+/**
+ * An invocation of the compiler. Note that more than one file may be
+ * compiled per invocation. For example, this command compiles three
+ * source files:
+ *
+ *   csc f1.cs f2.cs f3.cs
+ *
+ * The `id` simply identifies the invocation, while `cwd` is the working
+ * directory from which the compiler was invoked.
+ */
+compilations(
+    unique int id : @compilation,
+    string cwd : string ref
+);
+
+/**
+ * The arguments that were passed to the extractor for a compiler
+ * invocation. If `id` is for the compiler invocation
+ *
+ *   csc f1.cs f2.cs f3.cs
+ *
+ * then typically there will be rows for
+ *
+ * num | arg
+ * --- | ---
+ * 0   | --compiler
+ * 1   | *path to compiler*
+ * 2   | --cil
+ * 3   | f1.cs
+ * 4   | f2.cs
+ * 5   | f3.cs
+ */
+#keyset[id, num]
+compilation_args(
+    int id : @compilation ref,
+    int num : int ref,
+    string arg : string ref
+);
+
+/**
+ * The source files that are compiled by a compiler invocation.
+ * If `id` is for the compiler invocation
+ *
+ *   csc f1.cs f2.cs f3.cs
+ *
+ * then there will be rows for
+ *
+ * num | arg
+ * --- | ---
+ * 0   | f1.cs
+ * 1   | f2.cs
+ * 2   | f3.cs
+ */
+#keyset[id, num]
+compilation_compiling_files(
+    int id : @compilation ref,
+    int num : int ref,
+    int file : @file ref
+);
+
+/**
+ * The references used by a compiler invocation.
+ * If `id` is for the compiler invocation
+ *
+ *   csc f1.cs f2.cs f3.cs /r:ref1.dll /r:ref2.dll /r:ref3.dll
+ *
+ * then there will be rows for
+ *
+ * num | arg
+ * --- | ---
+ * 0   | ref1.dll
+ * 1   | ref2.dll
+ * 2   | ref3.dll
+ */
+#keyset[id, num]
+compilation_referencing_files(
+    int id : @compilation ref,
+    int num : int ref,
+    int file : @file ref
+);
+
+/**
+ * The time taken by the extractor for a compiler invocation.
+ *
+ * For each file `num`, there will be rows for
+ *
+ * kind | seconds
+ * ---- | ---
+ * 1    | CPU seconds used by the extractor frontend
+ * 2    | Elapsed seconds during the extractor frontend
+ * 3    | CPU seconds used by the extractor backend
+ * 4    | Elapsed seconds during the extractor backend
+ */
+#keyset[id, num, kind]
+compilation_time(
+    int id : @compilation ref,
+    int num : int ref,
+    /* kind:
+       1 = frontend_cpu_seconds
+       2 = frontend_elapsed_seconds
+       3 = extractor_cpu_seconds
+       4 = extractor_elapsed_seconds
+    */
+    int kind : int ref,
+    float seconds : float ref
+);
+
+/**
+ * An error or warning generated by the extractor.
+ * The diagnostic message `diagnostic` was generated during compiler
+ * invocation `compilation`, and is the `file_number_diagnostic_number`th
+ * message generated while extracting the `file_number`th file of that
+ * invocation.
+ */
+#keyset[compilation, file_number, file_number_diagnostic_number]
+diagnostic_for(
+    unique int diagnostic : @diagnostic ref,
+    int compilation : @compilation ref,
+    int file_number : int ref,
+    int file_number_diagnostic_number : int ref
+);
+
+diagnostics(
+    unique int id: @diagnostic,
+    int severity: int ref,
+    string error_tag: string ref,
+    string error_message: string ref,
+    string full_error_message: string ref,
+    int location: @location_default ref
+);
+
+extractor_messages(
+    unique int id: @extractor_message,
+    int severity: int ref,
+    string origin : string ref,
+    string text : string ref,
+    string entity : string ref,
+    int location: @location_default ref,
+    string stack_trace : string ref
+);
+
+/**
+ * If extraction was successful, then `cpu_seconds` and
+ * `elapsed_seconds` are the CPU time and elapsed time (respectively)
+ * that extraction took for compiler invocation `id`.
+ */
+compilation_finished(
+    unique int id : @compilation ref,
+    float cpu_seconds : float ref,
+    float elapsed_seconds : float ref
+);
+
+compilation_assembly(
+  unique int id : @compilation ref,
+  int assembly: @assembly ref
+)
+
+/*
+ * External artifacts
+ */
+
+externalDefects(
+  unique int id: @externalDefect,
+  string queryPath: string ref,
+  int location: @location ref,
+  string message: string ref,
+  float severity: float ref);
+
+externalMetrics(
+  unique int id: @externalMetric,
+  string queryPath: string ref,
+  int location: @location ref,
+  float value: float ref);
+
+externalData(
+  int id: @externalDataElement,
+  string path: string ref,
+  int column: int ref,
+  string value: string ref);
+
+snapshotDate(
+  unique date snapshotDate: date ref);
+
+sourceLocationPrefix(
+  string prefix: string ref);
+
+/*
+ * Duplicate code
+ */
+
+duplicateCode(
+  unique int id: @duplication,
+  string relativePath: string ref,
+  int equivClass: int ref);
+
+similarCode(
+  unique int id: @similarity,
+  string relativePath: string ref,
+  int equivClass: int ref);
+
+@duplication_or_similarity = @duplication | @similarity
+
+tokens(
+  int id: @duplication_or_similarity ref,
+  int offset: int ref,
+  int beginLine: int ref,
+  int beginColumn: int ref,
+  int endLine: int ref,
+  int endColumn: int ref);
+
+/*
+ * C# dbscheme
+ */
+
+/** ELEMENTS **/
+
+@element = @declaration | @stmt | @expr | @modifier | @attribute | @namespace_declaration
+         | @using_directive | @type_parameter_constraints | @external_element
+         | @xmllocatable | @asp_element | @namespace | @preprocessor_directive;
+
+@declaration = @callable | @generic | @assignable | @namespace;
+
+@named_element = @namespace | @declaration;
+
+@declaration_with_accessors = @property | @indexer | @event;
+
+@assignable = @variable | @assignable_with_accessors | @event;
+
+@assignable_with_accessors = @property | @indexer;
+
+@external_element = @externalMetric | @externalDefect | @externalDataElement;
+
+@attributable = @assembly | @field | @parameter | @operator | @method | @constructor
+              | @destructor | @callable_accessor | @value_or_ref_type | @declaration_with_accessors
+              | @local_function;
+
+/** LOCATIONS, ASEMMBLIES, MODULES, FILES and FOLDERS **/
+
+@location = @location_default | @assembly;
+
+locations_default(
+  unique int id: @location_default,
+  int file: @file ref,
+  int beginLine: int ref,
+  int beginColumn: int ref,
+  int endLine: int ref,
+  int endColumn: int ref);
+
+locations_mapped(
+  unique int id: @location_default ref,
+  int mapped_to: @location_default ref);
+
+@sourceline = @file | @callable | @xmllocatable;
+
+numlines(
+  int element_id: @sourceline ref,
+  int num_lines: int ref,
+  int num_code: int ref,
+  int num_comment: int ref);
+
+assemblies(
+  unique int id: @assembly,
+  int file: @file ref,
+  string fullname: string ref,
+  string name: string ref,
+  string version: string ref);
+
+/*
+  fromSource(0) = unknown,
+  fromSource(1) = from source,
+  fromSource(2) = from library
+*/
+files(
+  unique int id: @file,
+  string name: string ref,
+  string simple: string ref,
+  string ext: string ref,
+  int fromSource: int ref);
+
+folders(
+  unique int id: @folder,
+  string name: string ref,
+  string simple: string ref);
+
+@container = @folder | @file ;
+
+containerparent(
+  int parent: @container ref,
+  unique int child: @container ref);
+
+file_extraction_mode(
+  unique int file: @file ref,
+  int mode: int ref
+  /* 0 = normal, 1 = standalone extractor */
+  );
+
+/** NAMESPACES **/
+
+@type_container = @namespace | @type;
+
+namespaces(
+  unique int id: @namespace,
+  string name: string ref);
+
+namespace_declarations(
+  unique int id: @namespace_declaration,
+  int namespace_id: @namespace ref);
+
+namespace_declaration_location(
+  unique int id: @namespace_declaration ref,
+  int loc: @location ref);
+
+parent_namespace(
+  unique int child_id: @type_container ref,
+  int namespace_id: @namespace ref);
+
+@declaration_or_directive = @namespace_declaration | @type | @using_directive;
+
+parent_namespace_declaration(
+  int child_id: @declaration_or_directive ref, // cannot be unique because of partial classes
+  int namespace_id: @namespace_declaration ref);
+
+@using_directive = @using_namespace_directive | @using_static_directive;
+
+using_namespace_directives(
+  unique int id: @using_namespace_directive,
+  int namespace_id: @namespace ref);
+
+using_static_directives(
+  unique int id: @using_static_directive,
+  int type_id: @type_or_ref ref);
+
+using_directive_location(
+  unique int id: @using_directive ref,
+  int loc: @location ref);
+
+@preprocessor_directive = @pragma_warning | @pragma_checksum | @directive_define | @directive_undefine | @directive_warning
+  | @directive_error | @directive_nullable | @directive_line | @directive_region | @directive_endregion | @directive_if
+  | @directive_elif | @directive_else | @directive_endif;
+
+@conditional_directive = @directive_if | @directive_elif;
+@branch_directive = @directive_if | @directive_elif | @directive_else;
+
+directive_ifs(
+  unique int id: @directive_if,
+  int branchTaken: int ref,     /* 0: false, 1: true */
+  int conditionValue: int ref); /* 0: false, 1: true */
+
+directive_elifs(
+  unique int id: @directive_elif,
+  int branchTaken: int ref,     /* 0: false, 1: true */
+  int conditionValue: int ref,  /* 0: false, 1: true */
+  int parent: @directive_if ref,
+  int index: int ref);
+
+directive_elses(
+  unique int id: @directive_else,
+  int branchTaken: int ref,   /* 0: false, 1: true */
+  int parent: @directive_if ref,
+  int index: int ref);
+
+#keyset[id, start]
+directive_endifs(
+  unique int id: @directive_endif,
+  unique int start: @directive_if ref);
+
+directive_define_symbols(
+  unique int id: @define_symbol_expr ref,
+  string name: string ref);
+
+directive_regions(
+  unique int id: @directive_region,
+  string name: string ref);
+
+#keyset[id, start]
+directive_endregions(
+  unique int id: @directive_endregion,
+  unique int start: @directive_region ref);
+
+directive_lines(
+  unique int id: @directive_line,
+  int kind: int ref); /* 0: default, 1: hidden, 2: numeric */
+
+directive_line_value(
+  unique int id: @directive_line ref,
+  int line: int ref);
+
+directive_line_file(
+  unique int id: @directive_line ref,
+  int file: @file ref
+)
+
+directive_nullables(
+  unique int id: @directive_nullable,
+  int setting: int ref, /* 0: disable, 1: enable, 2: restore */
+  int target: int ref); /* 0: none, 1: annotations, 2: warnings */
+
+directive_warnings(
+  unique int id: @directive_warning,
+  string message: string ref);
+
+directive_errors(
+  unique int id: @directive_error,
+  string message: string ref);
+
+directive_undefines(
+  unique int id: @directive_undefine,
+  string name: string ref);
+
+directive_defines(
+  unique int id: @directive_define,
+  string name: string ref);
+
+pragma_checksums(
+  unique int id: @pragma_checksum,
+  int file: @file ref,
+  string guid: string ref,
+  string bytes: string ref);
+
+pragma_warnings(
+  unique int id: @pragma_warning,
+  int kind: int ref /* 0 = disable, 1 = restore */);
+
+#keyset[id, index]
+pragma_warning_error_codes(
+  int id: @pragma_warning ref,
+  string errorCode: string ref,
+  int index: int ref);
+
+preprocessor_directive_location(
+  unique int id: @preprocessor_directive ref,
+  int loc: @location ref);
+
+preprocessor_directive_compilation(
+  unique int id: @preprocessor_directive ref,
+  int compilation: @compilation ref);
+
+preprocessor_directive_active(
+  unique int id: @preprocessor_directive ref,
+  int active: int ref);  /* 0: false, 1: true */
+
+/** TYPES **/
+
+types(
+  unique int id: @type,
+  int kind: int ref,
+  string name: string ref);
+
+case @type.kind of
+   1 = @bool_type
+|  2 = @char_type
+|  3 = @decimal_type
+|  4 = @sbyte_type
+|  5 = @short_type
+|  6 = @int_type
+|  7 = @long_type
+|  8 = @byte_type
+|  9 = @ushort_type
+| 10 = @uint_type
+| 11 = @ulong_type
+| 12 = @float_type
+| 13 = @double_type
+| 14 = @enum_type
+| 15 = @struct_type
+| 17 = @class_type
+| 19 = @interface_type
+| 20 = @delegate_type
+| 21 = @null_type
+| 22 = @type_parameter
+| 23 = @pointer_type
+| 24 = @nullable_type
+| 25 = @array_type
+| 26 = @void_type
+| 27 = @int_ptr_type
+| 28 = @uint_ptr_type
+| 29 = @dynamic_type
+| 30 = @arglist_type
+| 31 = @unknown_type
+| 32 = @tuple_type
+| 33 = @function_pointer_type
+  ;
+
+@simple_type = @bool_type | @char_type | @integral_type | @floating_point_type | @decimal_type;
+@integral_type = @signed_integral_type | @unsigned_integral_type;
+@signed_integral_type = @sbyte_type | @short_type | @int_type | @long_type;
+@unsigned_integral_type = @byte_type  | @ushort_type | @uint_type | @ulong_type;
+@floating_point_type = @float_type | @double_type;
+@value_type = @simple_type | @enum_type | @struct_type | @nullable_type | @int_ptr_type
+            | @uint_ptr_type | @tuple_type;
+@ref_type = @class_type | @interface_type | @array_type | @delegate_type | @null_type
+          | @dynamic_type;
+@value_or_ref_type = @value_type | @ref_type;
+
+typerefs(
+  unique int id: @typeref,
+  string name: string ref);
+
+typeref_type(
+  int id: @typeref ref,
+  unique int typeId: @type ref);
+
+@type_or_ref = @type | @typeref;
+
+array_element_type(
+  unique int array: @array_type ref,
+  int dimension: int ref,
+  int rank: int ref,
+  int element: @type_or_ref ref);
+
+nullable_underlying_type(
+  unique int nullable: @nullable_type ref,
+  int underlying: @type_or_ref ref);
+
+pointer_referent_type(
+  unique int pointer: @pointer_type ref,
+  int referent: @type_or_ref ref);
+
+enum_underlying_type(
+  unique int enum_id: @enum_type ref,
+  int underlying_type_id: @type_or_ref ref);
+
+delegate_return_type(
+  unique int delegate_id: @delegate_type ref,
+  int return_type_id: @type_or_ref ref);
+
+function_pointer_return_type(
+    unique int function_pointer_id: @function_pointer_type ref,
+    int return_type_id: @type_or_ref ref);
+
+extend(
+  unique int sub: @type ref,
+  int super: @type_or_ref ref);
+
+anonymous_types(
+  unique int id: @type ref);
+
+@interface_or_ref = @interface_type | @typeref;
+
+implement(
+  int sub: @type ref,
+  int super: @type_or_ref ref);
+
+type_location(
+  int id: @type ref,
+  int loc: @location ref);
+
+tuple_underlying_type(
+  unique int tuple: @tuple_type ref,
+  int struct: @type_or_ref ref);
+
+#keyset[tuple, index]
+tuple_element(
+  int tuple: @tuple_type ref,
+  int index: int ref,
+  unique int field: @field ref);
+
+attributes(
+  unique int id: @attribute,
+  int type_id: @type_or_ref ref,
+  int target:  @attributable ref);
+
+attribute_location(
+  int id: @attribute ref,
+  int loc: @location ref);
+
+@type_mention_parent = @element | @type_mention;
+
+type_mention(
+  unique int id: @type_mention,
+  int type_id: @type_or_ref ref,
+  int parent: @type_mention_parent ref);
+
+type_mention_location(
+  unique int id: @type_mention ref,
+  int loc: @location ref);
+
+@has_type_annotation = @assignable | @type_parameter | @callable | @expr | @delegate_type | @generic | @function_pointer_type;
+
+/**
+ * A direct annotation on an entity, for example `string? x;`.
+ *
+ * Annotations:
+ * 2 = reftype is not annotated "!"
+ * 3 = reftype is annotated "?"
+ * 4 = readonly ref type / in parameter
+ * 5 = ref type parameter, return or local variable
+ * 6 = out parameter
+ *
+ * Note that the annotation depends on the element it annotates.
+ * @assignable: The annotation is on the type of the assignable, for example the variable type.
+ * @type_parameter: The annotation is on the reftype constraint
+ * @callable: The annotation is on the return type
+ * @array_type: The annotation is on the element type
+ */
+type_annotation(int id: @has_type_annotation ref, int annotation: int ref);
+
+nullability(unique int nullability: @nullability, int kind: int ref);
+
+case @nullability.kind of
+  0 = @oblivious
+| 1 = @not_annotated
+| 2 = @annotated
+;
+
+#keyset[parent, index]
+nullability_parent(int nullability: @nullability ref, int index: int ref, int parent: @nullability ref)
+
+type_nullability(int id: @has_type_annotation ref, int nullability: @nullability ref);
+
+/**
+ * The nullable flow state of an expression, as determined by Roslyn.
+ *   0 = none (default, not populated)
+ *   1 = not null
+ *   2 = maybe null
+ */
+expr_flowstate(unique int id: @expr ref, int state: int ref);
+
+/** GENERICS **/
+
+@generic = @type | @method | @local_function;
+
+type_parameters(
+  unique int id: @type_parameter ref,
+  int index: int ref,
+  int generic_id: @generic ref,
+  int variance: int ref /* none = 0, out = 1, in = 2 */);
+
+#keyset[constructed_id, index]
+type_arguments(
+  int id: @type_or_ref ref,
+  int index: int ref,
+  int constructed_id: @generic_or_ref ref);
+
+@generic_or_ref = @generic | @typeref;
+
+constructed_generic(
+  unique int constructed: @generic ref,
+  int generic: @generic_or_ref ref);
+
+type_parameter_constraints(
+  unique int id: @type_parameter_constraints,
+  int param_id: @type_parameter ref);
+
+type_parameter_constraints_location(
+  int id: @type_parameter_constraints ref,
+  int loc: @location ref);
+
+general_type_parameter_constraints(
+  int id: @type_parameter_constraints ref,
+  int kind: int ref /* class = 1, struct = 2, new = 3 */);
+
+specific_type_parameter_constraints(
+  int id: @type_parameter_constraints ref,
+  int base_id: @type_or_ref ref);
+
+specific_type_parameter_nullability(
+  int id: @type_parameter_constraints ref,
+  int base_id: @type_or_ref ref,
+  int nullability: @nullability ref);
+
+/** FUNCTION POINTERS */
+
+function_pointer_calling_conventions(
+  int id: @function_pointer_type ref,
+  int kind: int ref);
+
+#keyset[id, index]
+has_unmanaged_calling_conventions(
+  int id: @function_pointer_type ref,
+  int index: int ref,
+  int conv_id: @type_or_ref ref);
+
+/** MODIFIERS */
+
+@modifiable = @modifiable_direct | @event_accessor;
+
+@modifiable_direct = @member | @accessor | @local_function | @anonymous_function_expr;
+
+modifiers(
+  unique int id: @modifier,
+  string name: string ref);
+
+has_modifiers(
+  int id: @modifiable_direct ref,
+  int mod_id: @modifier ref);
+
+compiler_generated(unique int id: @modifiable_direct ref);
+
+/** MEMBERS **/
+
+@member = @method | @constructor | @destructor | @field | @property | @event | @operator | @indexer | @type;
+
+@named_exprorstmt = @goto_stmt | @labeled_stmt | @expr;
+
+@virtualizable = @method | @property | @indexer | @event;
+
+exprorstmt_name(
+  unique int parent_id: @named_exprorstmt ref,
+  string name: string ref);
+
+nested_types(
+  unique int id: @type ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @type ref);
+
+properties(
+  unique int id: @property,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @property ref);
+
+property_location(
+  int id: @property ref,
+  int loc: @location ref);
+
+indexers(
+  unique int id: @indexer,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @indexer ref);
+
+indexer_location(
+  int id: @indexer ref,
+  int loc: @location ref);
+
+accessors(
+  unique int id: @accessor,
+  int kind: int ref,
+  string name: string ref,
+  int declaring_member_id: @member ref,
+  int unbound_id: @accessor ref);
+
+case @accessor.kind of
+  1 = @getter
+| 2 = @setter
+  ;
+
+init_only_accessors(
+  unique int id: @accessor ref);
+
+accessor_location(
+  int id: @accessor ref,
+  int loc: @location ref);
+
+events(
+  unique int id: @event,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @event ref);
+
+event_location(
+  int id: @event ref,
+  int loc: @location ref);
+
+event_accessors(
+  unique int id: @event_accessor,
+  int kind: int ref,
+  string name: string ref,
+  int declaring_event_id: @event ref,
+  int unbound_id: @event_accessor ref);
+
+case @event_accessor.kind of
+  1 = @add_event_accessor
+| 2 = @remove_event_accessor
+  ;
+
+event_accessor_location(
+  int id: @event_accessor ref,
+  int loc: @location ref);
+
+operators(
+  unique int id: @operator,
+  string name: string ref,
+  string symbol: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @operator ref);
+
+operator_location(
+  int id: @operator ref,
+  int loc: @location ref);
+
+constant_value(
+  int id: @variable ref,
+  string value: string ref);
+
+/** CALLABLES **/
+
+@callable = @method | @constructor | @destructor | @operator | @callable_accessor | @anonymous_function_expr | @local_function;
+
+@callable_accessor = @accessor | @event_accessor;
+
+methods(
+  unique int id: @method,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @method ref);
+
+method_location(
+  int id: @method ref,
+  int loc: @location ref);
+
+constructors(
+  unique int id: @constructor,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @constructor ref);
+
+constructor_location(
+  int id: @constructor ref,
+  int loc: @location ref);
+
+destructors(
+  unique int id: @destructor,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @destructor ref);
+
+destructor_location(
+  int id: @destructor ref,
+  int loc: @location ref);
+
+overrides(
+  int id: @callable ref,
+  int base_id: @callable ref);
+
+explicitly_implements(
+  int id: @member ref,
+  int interface_id: @interface_or_ref ref);
+
+local_functions(
+    unique int id: @local_function,
+    string name: string ref,
+    int return_type: @type ref,
+    int unbound_id: @local_function ref);
+
+local_function_stmts(
+    unique int fn: @local_function_stmt ref,
+    int stmt: @local_function ref);
+
+/** VARIABLES **/
+
+@variable = @local_scope_variable | @field;
+
+@local_scope_variable = @local_variable | @parameter;
+
+fields(
+  unique int id: @field,
+  int kind: int ref,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @field ref);
+
+case @field.kind of
+  1 = @addressable_field
+| 2 = @constant
+  ;
+
+field_location(
+  int id: @field ref,
+  int loc: @location ref);
+
+localvars(
+  unique int id: @local_variable,
+  int kind: int ref,
+  string name: string ref,
+  int implicitly_typed: int ref /* 0 = no, 1 = yes */,
+  int type_id: @type_or_ref ref,
+  int parent_id: @local_var_decl_expr ref);
+
+case @local_variable.kind of
+  1 = @addressable_local_variable
+| 2 = @local_constant
+| 3 = @local_variable_ref
+  ;
+
+localvar_location(
+  unique int id: @local_variable ref,
+  int loc: @location ref);
+
+@parameterizable = @callable | @delegate_type | @indexer | @function_pointer_type;
+
+#keyset[name, parent_id]
+#keyset[index, parent_id]
+params(
+  unique int id: @parameter,
+  string name: string ref,
+  int type_id: @type_or_ref ref,
+  int index: int ref,
+  int mode: int ref, /* value = 0, ref = 1, out = 2, array = 3, this = 4 */
+  int parent_id: @parameterizable ref,
+  int unbound_id: @parameter ref);
+
+param_location(
+  int id: @parameter ref,
+  int loc: @location ref);
+
+/** STATEMENTS **/
+
+@exprorstmt_parent = @control_flow_element | @top_level_exprorstmt_parent;
+
+statements(
+  unique int id: @stmt,
+  int kind: int ref);
+
+#keyset[index, parent]
+stmt_parent(
+  unique int stmt: @stmt ref,
+  int index: int ref,
+  int parent: @control_flow_element ref);
+
+@top_level_stmt_parent = @callable;
+
+// [index, parent] is not a keyset because the same parent may be compiled multiple times
+stmt_parent_top_level(
+  unique int stmt: @stmt ref,
+  int index: int ref,
+  int parent: @top_level_stmt_parent ref);
+
+case @stmt.kind of
+   1 = @block_stmt
+|  2 = @expr_stmt
+|  3 = @if_stmt
+|  4 = @switch_stmt
+|  5 = @while_stmt
+|  6 = @do_stmt
+|  7 = @for_stmt
+|  8 = @foreach_stmt
+|  9 = @break_stmt
+| 10 = @continue_stmt
+| 11 = @goto_stmt
+| 12 = @goto_case_stmt
+| 13 = @goto_default_stmt
+| 14 = @throw_stmt
+| 15 = @return_stmt
+| 16 = @yield_stmt
+| 17 = @try_stmt
+| 18 = @checked_stmt
+| 19 = @unchecked_stmt
+| 20 = @lock_stmt
+| 21 = @using_block_stmt
+| 22 = @var_decl_stmt
+| 23 = @const_decl_stmt
+| 24 = @empty_stmt
+| 25 = @unsafe_stmt
+| 26 = @fixed_stmt
+| 27 = @label_stmt
+| 28 = @catch
+| 29 = @case_stmt
+| 30 = @local_function_stmt
+| 31 = @using_decl_stmt
+  ;
+
+@using_stmt = @using_block_stmt | @using_decl_stmt;
+
+@labeled_stmt = @label_stmt | @case;
+
+@decl_stmt = @var_decl_stmt | @const_decl_stmt | @using_decl_stmt;
+
+@cond_stmt = @if_stmt | @switch_stmt;
+
+@loop_stmt = @while_stmt | @do_stmt | @for_stmt | @foreach_stmt;
+
+@jump_stmt = @break_stmt | @goto_any_stmt | @continue_stmt | @throw_stmt | @return_stmt
+           | @yield_stmt;
+
+@goto_any_stmt = @goto_default_stmt | @goto_case_stmt | @goto_stmt;
+
+
+stmt_location(
+  unique int id: @stmt ref,
+  int loc: @location ref);
+
+catch_type(
+  unique int catch_id: @catch ref,
+  int type_id: @type_or_ref ref,
+  int kind: int ref /* explicit = 1, implicit = 2 */);
+
+foreach_stmt_info(
+  unique int id: @foreach_stmt ref,
+  int kind: int ref /* non-async = 1, async = 2 */);
+
+@foreach_symbol =  @method | @property | @type_or_ref;
+
+#keyset[id, kind]
+foreach_stmt_desugar(
+  int id: @foreach_stmt ref,
+  int symbol: @foreach_symbol ref,
+  int kind: int ref /* GetEnumeratorMethod = 1, CurrentProperty = 2, MoveNextMethod = 3, DisposeMethod = 4, ElementType = 5 */);
+
+/** EXPRESSIONS **/
+
+expressions(
+  unique int id: @expr,
+  int kind: int ref,
+  int type_id: @type_or_ref ref);
+
+#keyset[index, parent]
+expr_parent(
+  unique int expr: @expr ref,
+  int index: int ref,
+  int parent: @control_flow_element ref);
+
+@top_level_expr_parent = @attribute | @field | @property | @indexer | @parameter | @directive_if | @directive_elif;
+
+@top_level_exprorstmt_parent = @top_level_expr_parent | @top_level_stmt_parent;
+
+// [index, parent] is not a keyset because the same parent may be compiled multiple times
+expr_parent_top_level(
+  unique int expr: @expr ref,
+  int index: int ref,
+  int parent: @top_level_exprorstmt_parent ref);
+
+case @expr.kind of
+/* literal */
+   1 = @bool_literal_expr
+|  2 = @char_literal_expr
+|  3 = @decimal_literal_expr
+|  4 = @int_literal_expr
+|  5 = @long_literal_expr
+|  6 = @uint_literal_expr
+|  7 = @ulong_literal_expr
+|  8 = @float_literal_expr
+|  9 = @double_literal_expr
+| 10 = @string_literal_expr
+| 11 = @null_literal_expr
+/* primary & unary */
+| 12 = @this_access_expr
+| 13 = @base_access_expr
+| 14 = @local_variable_access_expr
+| 15 = @parameter_access_expr
+| 16 = @field_access_expr
+| 17 = @property_access_expr
+| 18 = @method_access_expr
+| 19 = @event_access_expr
+| 20 = @indexer_access_expr
+| 21 = @array_access_expr
+| 22 = @type_access_expr
+| 23 = @typeof_expr
+| 24 = @method_invocation_expr
+| 25 = @delegate_invocation_expr
+| 26 = @operator_invocation_expr
+| 27 = @cast_expr
+| 28 = @object_creation_expr
+| 29 = @explicit_delegate_creation_expr
+| 30 = @implicit_delegate_creation_expr
+| 31 = @array_creation_expr
+| 32 = @default_expr
+| 33 = @plus_expr
+| 34 = @minus_expr
+| 35 = @bit_not_expr
+| 36 = @log_not_expr
+| 37 = @post_incr_expr
+| 38 = @post_decr_expr
+| 39 = @pre_incr_expr
+| 40 = @pre_decr_expr
+/* multiplicative */
+| 41 = @mul_expr
+| 42 = @div_expr
+| 43 = @rem_expr
+/* additive */
+| 44 = @add_expr
+| 45 = @sub_expr
+/* shift */
+| 46 = @lshift_expr
+| 47 = @rshift_expr
+/* relational */
+| 48 = @lt_expr
+| 49 = @gt_expr
+| 50 = @le_expr
+| 51 = @ge_expr
+/* equality */
+| 52 = @eq_expr
+| 53 = @ne_expr
+/* logical */
+| 54 = @bit_and_expr
+| 55 = @bit_xor_expr
+| 56 = @bit_or_expr
+| 57 = @log_and_expr
+| 58 = @log_or_expr
+/* type testing */
+| 59 = @is_expr
+| 60 = @as_expr
+/* null coalescing */
+| 61 = @null_coalescing_expr
+/* conditional */
+| 62 = @conditional_expr
+/* assignment */
+| 63 = @simple_assign_expr
+| 64 = @assign_add_expr
+| 65 = @assign_sub_expr
+| 66 = @assign_mul_expr
+| 67 = @assign_div_expr
+| 68 = @assign_rem_expr
+| 69 = @assign_and_expr
+| 70 = @assign_xor_expr
+| 71 = @assign_or_expr
+| 72 = @assign_lshift_expr
+| 73 = @assign_rshift_expr
+/* more */
+| 74 = @object_init_expr
+| 75 = @collection_init_expr
+| 76 = @array_init_expr
+| 77 = @checked_expr
+| 78 = @unchecked_expr
+| 79 = @constructor_init_expr
+| 80 = @add_event_expr
+| 81 = @remove_event_expr
+| 82 = @par_expr
+| 83 = @local_var_decl_expr
+| 84 = @lambda_expr
+| 85 = @anonymous_method_expr
+| 86 = @namespace_expr
+/* dynamic */
+| 92 = @dynamic_element_access_expr
+| 93 = @dynamic_member_access_expr
+/* unsafe */
+| 100 = @pointer_indirection_expr
+| 101 = @address_of_expr
+| 102 = @sizeof_expr
+/* async */
+| 103 = @await_expr
+/* C# 6.0 */
+| 104 = @nameof_expr
+| 105 = @interpolated_string_expr
+| 106 = @unknown_expr
+/* C# 7.0 */
+| 107 = @throw_expr
+| 108 = @tuple_expr
+| 109 = @local_function_invocation_expr
+| 110 = @ref_expr
+| 111 = @discard_expr
+/* C# 8.0 */
+| 112 = @range_expr
+| 113 = @index_expr
+| 114 = @switch_expr
+| 115 = @recursive_pattern_expr
+| 116 = @property_pattern_expr
+| 117 = @positional_pattern_expr
+| 118 = @switch_case_expr
+| 119 = @assign_coalesce_expr
+| 120 = @suppress_nullable_warning_expr
+| 121 = @namespace_access_expr
+/* C# 9.0 */
+| 122 = @lt_pattern_expr
+| 123 = @gt_pattern_expr
+| 124 = @le_pattern_expr
+| 125 = @ge_pattern_expr
+| 126 = @not_pattern_expr
+| 127 = @and_pattern_expr
+| 128 = @or_pattern_expr
+| 129 = @function_pointer_invocation_expr
+| 130 = @with_expr
+/* Preprocessor */
+| 999 = @define_symbol_expr
+;
+
+@switch = @switch_stmt | @switch_expr;
+@case = @case_stmt | @switch_case_expr;
+@pattern_match = @case | @is_expr;
+@unary_pattern_expr = @not_pattern_expr;
+@relational_pattern_expr = @gt_pattern_expr | @lt_pattern_expr | @ge_pattern_expr | @le_pattern_expr;
+@binary_pattern_expr = @and_pattern_expr | @or_pattern_expr;
+
+@integer_literal_expr = @int_literal_expr | @long_literal_expr | @uint_literal_expr | @ulong_literal_expr;
+@real_literal_expr = @float_literal_expr | @double_literal_expr | @decimal_literal_expr;
+@literal_expr = @bool_literal_expr | @char_literal_expr | @integer_literal_expr | @real_literal_expr
+              | @string_literal_expr | @null_literal_expr;
+
+@assign_expr = @simple_assign_expr | @assign_op_expr | @local_var_decl_expr;
+@assign_op_expr =  @assign_arith_expr | @assign_bitwise_expr | @assign_event_expr | @assign_coalesce_expr;
+@assign_event_expr = @add_event_expr | @remove_event_expr;
+
+@assign_arith_expr = @assign_add_expr | @assign_sub_expr | @assign_mul_expr | @assign_div_expr
+                   | @assign_rem_expr
+@assign_bitwise_expr = @assign_and_expr | @assign_or_expr | @assign_xor_expr
+                   | @assign_lshift_expr | @assign_rshift_expr;
+
+@member_access_expr = @field_access_expr | @property_access_expr | @indexer_access_expr | @event_access_expr
+                    | @method_access_expr | @type_access_expr | @dynamic_member_access_expr;
+@access_expr = @member_access_expr | @this_access_expr | @base_access_expr | @assignable_access_expr | @namespace_access_expr;
+@element_access_expr = @indexer_access_expr | @array_access_expr | @dynamic_element_access_expr;
+
+@local_variable_access = @local_variable_access_expr | @local_var_decl_expr;
+@local_scope_variable_access_expr = @parameter_access_expr | @local_variable_access;
+@variable_access_expr = @local_scope_variable_access_expr | @field_access_expr;
+
+@assignable_access_expr = @variable_access_expr | @property_access_expr | @element_access_expr
+                        | @event_access_expr | @dynamic_member_access_expr;
+
+@objectorcollection_init_expr = @object_init_expr | @collection_init_expr;
+
+@delegate_creation_expr = @explicit_delegate_creation_expr | @implicit_delegate_creation_expr;
+
+@bin_arith_op_expr = @mul_expr | @div_expr | @rem_expr | @add_expr | @sub_expr;
+@incr_op_expr =  @pre_incr_expr | @post_incr_expr;
+@decr_op_expr =  @pre_decr_expr | @post_decr_expr;
+@mut_op_expr = @incr_op_expr | @decr_op_expr;
+@un_arith_op_expr = @plus_expr | @minus_expr | @mut_op_expr;
+@arith_op_expr = @bin_arith_op_expr | @un_arith_op_expr;
+
+@ternary_log_op_expr = @conditional_expr;
+@bin_log_op_expr = @log_and_expr | @log_or_expr | @null_coalescing_expr;
+@un_log_op_expr = @log_not_expr;
+@log_expr = @un_log_op_expr | @bin_log_op_expr | @ternary_log_op_expr;
+
+@bin_bit_op_expr =  @bit_and_expr | @bit_or_expr | @bit_xor_expr | @lshift_expr
+                 | @rshift_expr;
+@un_bit_op_expr = @bit_not_expr;
+@bit_expr = @un_bit_op_expr | @bin_bit_op_expr;
+
+@equality_op_expr =  @eq_expr | @ne_expr;
+@rel_op_expr = @gt_expr | @lt_expr| @ge_expr | @le_expr;
+@comp_expr = @equality_op_expr | @rel_op_expr;
+
+@op_expr = @assign_expr | @un_op | @bin_op | @ternary_op;
+
+@ternary_op = @ternary_log_op_expr;
+@bin_op = @bin_arith_op_expr | @bin_log_op_expr | @bin_bit_op_expr | @comp_expr;
+@un_op = @un_arith_op_expr | @un_log_op_expr | @un_bit_op_expr | @sizeof_expr
+       | @pointer_indirection_expr | @address_of_expr;
+
+@anonymous_function_expr = @lambda_expr | @anonymous_method_expr;
+
+@call = @method_invocation_expr | @constructor_init_expr | @operator_invocation_expr
+      | @delegate_invocation_expr | @object_creation_expr | @call_access_expr
+      | @local_function_invocation_expr | @function_pointer_invocation_expr;
+
+@call_access_expr = @property_access_expr | @event_access_expr | @indexer_access_expr;
+
+@late_bindable_expr = @dynamic_element_access_expr | @dynamic_member_access_expr
+                    | @object_creation_expr | @method_invocation_expr | @operator_invocation_expr;
+
+@throw_element = @throw_expr | @throw_stmt;
+
+@implicitly_typeable_object_creation_expr = @object_creation_expr | @explicit_delegate_creation_expr;
+
+implicitly_typed_array_creation(
+  unique int id: @array_creation_expr ref);
+
+explicitly_sized_array_creation(
+  unique int id: @array_creation_expr ref);
+
+stackalloc_array_creation(
+  unique int id: @array_creation_expr ref);
+
+implicitly_typed_object_creation(
+  unique int id: @implicitly_typeable_object_creation_expr ref);
+
+mutator_invocation_mode(
+  unique int id: @operator_invocation_expr ref,
+  int mode: int ref /* prefix = 1, postfix = 2*/);
+
+expr_compiler_generated(
+  unique int id: @expr ref);
+
+expr_value(
+  unique int id: @expr ref,
+  string value: string ref);
+
+expr_call(
+  unique int caller_id: @expr ref,
+  int target_id: @callable ref);
+
+expr_access(
+  unique int accesser_id: @access_expr ref,
+  int target_id: @accessible ref);
+
+@accessible = @method | @assignable | @local_function | @namespace;
+
+expr_location(
+  unique int id: @expr ref,
+  int loc: @location ref);
+
+dynamic_member_name(
+  unique int id: @late_bindable_expr ref,
+  string name: string ref);
+
+@qualifiable_expr = @member_access_expr
+                  | @method_invocation_expr
+                  | @element_access_expr;
+
+conditional_access(
+  unique int id: @qualifiable_expr ref);
+
+expr_argument(
+  unique int id: @expr ref,
+  int mode: int ref);
+  /* mode is the same as params: value = 0, ref = 1, out = 2 */
+
+expr_argument_name(
+  unique int id: @expr ref,
+  string name: string ref);
+
+/** CONTROL/DATA FLOW **/
+
+@control_flow_element = @stmt | @expr;
+
+/* XML Files */
+
+xmlEncoding  (
+  unique int id: @file ref,
+  string encoding: string ref);
+
+xmlDTDs(
+  unique int id: @xmldtd,
+  string root: string ref,
+  string publicId: string ref,
+  string systemId: string ref,
+  int fileid: @file ref);
+
+xmlElements(
+  unique int id: @xmlelement,
+  string name: string ref,
+  int parentid: @xmlparent ref,
+  int idx: int ref,
+  int fileid: @file ref);
+
+xmlAttrs(
+  unique int id: @xmlattribute,
+  int elementid: @xmlelement ref,
+  string name: string ref,
+  string value: string ref,
+  int idx: int ref,
+  int fileid: @file ref);
+
+xmlNs(
+  int id: @xmlnamespace,
+  string prefixName: string ref,
+  string URI: string ref,
+  int fileid: @file ref);
+
+xmlHasNs(
+  int elementId: @xmlnamespaceable ref,
+  int nsId: @xmlnamespace ref,
+  int fileid: @file ref);
+
+xmlComments(
+  unique int id: @xmlcomment,
+  string text: string ref,
+  int parentid: @xmlparent ref,
+  int fileid: @file ref);
+
+xmlChars(
+  unique int id: @xmlcharacters,
+  string text: string ref,
+  int parentid: @xmlparent ref,
+  int idx: int ref,
+  int isCDATA: int ref,
+  int fileid: @file ref);
+
+@xmlparent = @file | @xmlelement;
+@xmlnamespaceable = @xmlelement | @xmlattribute;
+
+xmllocations(
+  int xmlElement: @xmllocatable ref,
+  int location: @location_default ref);
+
+@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace;
+
+/* Comments */
+
+commentline(
+  unique int id: @commentline,
+  int kind: int ref,
+  string text: string ref,
+  string rawtext: string ref);
+
+case @commentline.kind of
+  0 = @singlelinecomment
+| 1 = @xmldoccomment
+| 2 = @multilinecomment;
+
+commentline_location(
+  unique int id: @commentline ref,
+  int loc: @location ref);
+
+commentblock(
+  unique int id : @commentblock);
+
+commentblock_location(
+  unique int id: @commentblock ref,
+  int loc: @location ref);
+
+commentblock_binding(
+  int id: @commentblock ref,
+  int entity: @element ref,
+  int bindtype: int ref);    /* 0: Parent, 1: Best, 2: Before, 3: After */
+
+commentblock_child(
+  int id: @commentblock ref,
+  int commentline: @commentline ref,
+  int index: int ref);
+
+/* ASP.NET */
+
+case @asp_element.kind of
+  0=@asp_close_tag
+| 1=@asp_code
+| 2=@asp_comment
+| 3=@asp_data_binding
+| 4=@asp_directive
+| 5=@asp_open_tag
+| 6=@asp_quoted_string
+| 7=@asp_text
+| 8=@asp_xml_directive;
+
+@asp_attribute = @asp_code | @asp_data_binding | @asp_quoted_string;
+
+asp_elements(
+  unique int id: @asp_element,
+  int kind: int ref,
+  int loc: @location ref);
+
+asp_comment_server(unique int comment: @asp_comment ref);
+asp_code_inline(unique int code: @asp_code ref);
+asp_directive_attribute(
+  int directive: @asp_directive ref,
+  int index: int ref,
+  string name: string ref,
+  int value: @asp_quoted_string ref);
+asp_directive_name(
+  unique int directive: @asp_directive ref,
+  string name: string ref);
+asp_element_body(
+  unique int element: @asp_element ref,
+  string body: string ref);
+asp_tag_attribute(
+  int tag: @asp_open_tag ref,
+  int index: int ref,
+  string name: string ref,
+  int attribute: @asp_attribute ref);
+asp_tag_name(
+  unique int tag: @asp_open_tag ref,
+  string name: string ref);
+asp_tag_isempty(int tag: @asp_open_tag ref);
+
+/* Common Intermediate Language - CIL */
+
+case @cil_instruction.opcode of
+  0 = @cil_nop
+| 1 = @cil_break
+| 2 = @cil_ldarg_0
+| 3 = @cil_ldarg_1
+| 4 = @cil_ldarg_2
+| 5 = @cil_ldarg_3
+| 6 = @cil_ldloc_0
+| 7 = @cil_ldloc_1
+| 8 = @cil_ldloc_2
+| 9 = @cil_ldloc_3
+| 10 = @cil_stloc_0
+| 11 = @cil_stloc_1
+| 12 = @cil_stloc_2
+| 13 = @cil_stloc_3
+| 14 = @cil_ldarg_s
+| 15 = @cil_ldarga_s
+| 16 = @cil_starg_s
+| 17 = @cil_ldloc_s
+| 18 = @cil_ldloca_s
+| 19 = @cil_stloc_s
+| 20 = @cil_ldnull
+| 21 = @cil_ldc_i4_m1
+| 22 = @cil_ldc_i4_0
+| 23 = @cil_ldc_i4_1
+| 24 = @cil_ldc_i4_2
+| 25 = @cil_ldc_i4_3
+| 26 = @cil_ldc_i4_4
+| 27 = @cil_ldc_i4_5
+| 28 = @cil_ldc_i4_6
+| 29 = @cil_ldc_i4_7
+| 30 = @cil_ldc_i4_8
+| 31 = @cil_ldc_i4_s
+| 32 = @cil_ldc_i4
+| 33 = @cil_ldc_i8
+| 34 = @cil_ldc_r4
+| 35 = @cil_ldc_r8
+| 37 = @cil_dup
+| 38 = @cil_pop
+| 39 = @cil_jmp
+| 40 = @cil_call
+| 41 = @cil_calli
+| 42 = @cil_ret
+| 43 = @cil_br_s
+| 44 = @cil_brfalse_s
+| 45 = @cil_brtrue_s
+| 46 = @cil_beq_s
+| 47 = @cil_bge_s
+| 48 = @cil_bgt_s
+| 49 = @cil_ble_s
+| 50 = @cil_blt_s
+| 51 = @cil_bne_un_s
+| 52 = @cil_bge_un_s
+| 53 = @cil_bgt_un_s
+| 54 = @cil_ble_un_s
+| 55 = @cil_blt_un_s
+| 56 = @cil_br
+| 57 = @cil_brfalse
+| 58 = @cil_brtrue
+| 59 = @cil_beq
+| 60 = @cil_bge
+| 61 = @cil_bgt
+| 62 = @cil_ble
+| 63 = @cil_blt
+| 64 = @cil_bne_un
+| 65 = @cil_bge_un
+| 66 = @cil_bgt_un
+| 67 = @cil_ble_un
+| 68 = @cil_blt_un
+| 69 = @cil_switch
+| 70 = @cil_ldind_i1
+| 71 = @cil_ldind_u1
+| 72 = @cil_ldind_i2
+| 73 = @cil_ldind_u2
+| 74 = @cil_ldind_i4
+| 75 = @cil_ldind_u4
+| 76 = @cil_ldind_i8
+| 77 = @cil_ldind_i
+| 78 = @cil_ldind_r4
+| 79 = @cil_ldind_r8
+| 80 = @cil_ldind_ref
+| 81 = @cil_stind_ref
+| 82 = @cil_stind_i1
+| 83 = @cil_stind_i2
+| 84 = @cil_stind_i4
+| 85 = @cil_stind_i8
+| 86 = @cil_stind_r4
+| 87 = @cil_stind_r8
+| 88 = @cil_add
+| 89 = @cil_sub
+| 90 = @cil_mul
+| 91 = @cil_div
+| 92 = @cil_div_un
+| 93 = @cil_rem
+| 94 = @cil_rem_un
+| 95 = @cil_and
+| 96 = @cil_or
+| 97 = @cil_xor
+| 98 = @cil_shl
+| 99 = @cil_shr
+| 100 = @cil_shr_un
+| 101 = @cil_neg
+| 102 = @cil_not
+| 103 = @cil_conv_i1
+| 104 = @cil_conv_i2
+| 105 = @cil_conv_i4
+| 106 = @cil_conv_i8
+| 107 = @cil_conv_r4
+| 108 = @cil_conv_r8
+| 109 = @cil_conv_u4
+| 110 = @cil_conv_u8
+| 111 = @cil_callvirt
+| 112 = @cil_cpobj
+| 113 = @cil_ldobj
+| 114 = @cil_ldstr
+| 115 = @cil_newobj
+| 116 = @cil_castclass
+| 117 = @cil_isinst
+| 118 = @cil_conv_r_un
+| 121 = @cil_unbox
+| 122 = @cil_throw
+| 123 = @cil_ldfld
+| 124 = @cil_ldflda
+| 125 = @cil_stfld
+| 126 = @cil_ldsfld
+| 127 = @cil_ldsflda
+| 128 = @cil_stsfld
+| 129 = @cil_stobj
+| 130 = @cil_conv_ovf_i1_un
+| 131 = @cil_conv_ovf_i2_un
+| 132 = @cil_conv_ovf_i4_un
+| 133 = @cil_conv_ovf_i8_un
+| 134 = @cil_conv_ovf_u1_un
+| 135 = @cil_conv_ovf_u2_un
+| 136 = @cil_conv_ovf_u4_un
+| 137 = @cil_conv_ovf_u8_un
+| 138 = @cil_conv_ovf_i_un
+| 139 = @cil_conv_ovf_u_un
+| 140 = @cil_box
+| 141 = @cil_newarr
+| 142 = @cil_ldlen
+| 143 = @cil_ldelema
+| 144 = @cil_ldelem_i1
+| 145 = @cil_ldelem_u1
+| 146 = @cil_ldelem_i2
+| 147 = @cil_ldelem_u2
+| 148 = @cil_ldelem_i4
+| 149 = @cil_ldelem_u4
+| 150 = @cil_ldelem_i8
+| 151 = @cil_ldelem_i
+| 152 = @cil_ldelem_r4
+| 153 = @cil_ldelem_r8
+| 154 = @cil_ldelem_ref
+| 155 = @cil_stelem_i
+| 156 = @cil_stelem_i1
+| 157 = @cil_stelem_i2
+| 158 = @cil_stelem_i4
+| 159 = @cil_stelem_i8
+| 160 = @cil_stelem_r4
+| 161 = @cil_stelem_r8
+| 162 = @cil_stelem_ref
+| 163 = @cil_ldelem
+| 164 = @cil_stelem
+| 165 = @cil_unbox_any
+| 179 = @cil_conv_ovf_i1
+| 180 = @cil_conv_ovf_u1
+| 181 = @cil_conv_ovf_i2
+| 182 = @cil_conv_ovf_u2
+| 183 = @cil_conv_ovf_i4
+| 184 = @cil_conv_ovf_u4
+| 185 = @cil_conv_ovf_i8
+| 186 = @cil_conv_ovf_u8
+| 194 = @cil_refanyval
+| 195 = @cil_ckinfinite
+| 198 = @cil_mkrefany
+| 208 = @cil_ldtoken
+| 209 = @cil_conv_u2
+| 210 = @cil_conv_u1
+| 211 = @cil_conv_i
+| 212 = @cil_conv_ovf_i
+| 213 = @cil_conv_ovf_u
+| 214 = @cil_add_ovf
+| 215 = @cil_add_ovf_un
+| 216 = @cil_mul_ovf
+| 217 = @cil_mul_ovf_un
+| 218 = @cil_sub_ovf
+| 219 = @cil_sub_ovf_un
+| 220 = @cil_endfinally
+| 221 = @cil_leave
+| 222 = @cil_leave_s
+| 223 = @cil_stind_i
+| 224 = @cil_conv_u
+| 65024 = @cil_arglist
+| 65025 = @cil_ceq
+| 65026 = @cil_cgt
+| 65027 = @cil_cgt_un
+| 65028 = @cil_clt
+| 65029 = @cil_clt_un
+| 65030 = @cil_ldftn
+| 65031 = @cil_ldvirtftn
+| 65033 = @cil_ldarg
+| 65034 = @cil_ldarga
+| 65035 = @cil_starg
+| 65036 = @cil_ldloc
+| 65037 = @cil_ldloca
+| 65038 = @cil_stloc
+| 65039 = @cil_localloc
+| 65041 = @cil_endfilter
+| 65042 = @cil_unaligned
+| 65043 = @cil_volatile
+| 65044 = @cil_tail
+| 65045 = @cil_initobj
+| 65046 = @cil_constrained
+| 65047 = @cil_cpblk
+| 65048 = @cil_initblk
+| 65050 = @cil_rethrow
+| 65052 = @cil_sizeof
+| 65053 = @cil_refanytype
+| 65054 = @cil_readonly
+;
+
+// CIL ignored instructions
+
+@cil_ignore = @cil_nop | @cil_break | @cil_volatile | @cil_unaligned;
+
+// CIL local/parameter/field access
+
+@cil_ldarg_any = @cil_ldarg_0 | @cil_ldarg_1 | @cil_ldarg_2 | @cil_ldarg_3 | @cil_ldarg_s | @cil_ldarga_s | @cil_ldarg | @cil_ldarga;
+@cil_starg_any = @cil_starg | @cil_starg_s;
+
+@cil_ldloc_any = @cil_ldloc_0 | @cil_ldloc_1 | @cil_ldloc_2 | @cil_ldloc_3 | @cil_ldloc_s | @cil_ldloca_s | @cil_ldloc | @cil_ldloca;
+@cil_stloc_any = @cil_stloc_0 | @cil_stloc_1 | @cil_stloc_2 | @cil_stloc_3 | @cil_stloc_s | @cil_stloc;
+
+@cil_ldfld_any = @cil_ldfld | @cil_ldsfld | @cil_ldsflda | @cil_ldflda;
+@cil_stfld_any = @cil_stfld | @cil_stsfld;
+
+@cil_local_access = @cil_stloc_any | @cil_ldloc_any;
+@cil_arg_access = @cil_starg_any | @cil_ldarg_any;
+@cil_read_access = @cil_ldloc_any | @cil_ldarg_any | @cil_ldfld_any;
+@cil_write_access = @cil_stloc_any | @cil_starg_any | @cil_stfld_any;
+
+@cil_stack_access = @cil_local_access | @cil_arg_access;
+@cil_field_access = @cil_ldfld_any | @cil_stfld_any;
+
+@cil_access = @cil_read_access | @cil_write_access;
+
+// CIL constant/literal instructions
+
+@cil_ldc_i = @cil_ldc_i4_any | @cil_ldc_i8;
+
+@cil_ldc_i4_any = @cil_ldc_i4_m1 | @cil_ldc_i4_0 | @cil_ldc_i4_1 | @cil_ldc_i4_2 | @cil_ldc_i4_3 |
+  @cil_ldc_i4_4 | @cil_ldc_i4_5 | @cil_ldc_i4_6 | @cil_ldc_i4_7 | @cil_ldc_i4_8 | @cil_ldc_i4_s | @cil_ldc_i4;
+
+@cil_ldc_r = @cil_ldc_r4 | @cil_ldc_r8;
+
+@cil_literal = @cil_ldnull | @cil_ldc_i | @cil_ldc_r | @cil_ldstr;
+
+// Control flow
+
+@cil_conditional_jump = @cil_binary_jump | @cil_unary_jump;
+@cil_binary_jump = @cil_beq_s | @cil_bge_s | @cil_bgt_s | @cil_ble_s | @cil_blt_s |
+    @cil_bne_un_s | @cil_bge_un_s | @cil_bgt_un_s | @cil_ble_un_s | @cil_blt_un_s |
+    @cil_beq | @cil_bge | @cil_bgt | @cil_ble | @cil_blt |
+    @cil_bne_un | @cil_bge_un | @cil_bgt_un | @cil_ble_un | @cil_blt_un;
+@cil_unary_jump = @cil_brfalse_s | @cil_brtrue_s | @cil_brfalse | @cil_brtrue | @cil_switch;
+@cil_unconditional_jump = @cil_br | @cil_br_s | @cil_leave_any;
+@cil_leave_any = @cil_leave | @cil_leave_s;
+@cil_jump = @cil_unconditional_jump | @cil_conditional_jump;
+
+// CIL call instructions
+
+@cil_call_any = @cil_jmp | @cil_call | @cil_calli | @cil_tail | @cil_callvirt | @cil_newobj;
+
+// CIL expression instructions
+
+@cil_expr = @cil_literal | @cil_binary_expr | @cil_unary_expr | @cil_call_any | @cil_read_access |
+  @cil_newarr | @cil_ldtoken | @cil_sizeof |
+  @cil_ldftn | @cil_ldvirtftn | @cil_localloc | @cil_mkrefany | @cil_refanytype | @cil_arglist | @cil_dup;
+
+@cil_unary_expr =
+  @cil_conversion_operation | @cil_unary_arithmetic_operation | @cil_unary_bitwise_operation|
+  @cil_ldlen | @cil_isinst | @cil_box | @cil_ldobj | @cil_castclass | @cil_unbox_any |
+  @cil_ldind | @cil_unbox;
+
+@cil_conversion_operation =
+  @cil_conv_i1 | @cil_conv_i2 | @cil_conv_i4 | @cil_conv_i8 |
+  @cil_conv_u1 | @cil_conv_u2 | @cil_conv_u4 | @cil_conv_u8 |
+  @cil_conv_ovf_i | @cil_conv_ovf_i_un | @cil_conv_ovf_i1 | @cil_conv_ovf_i1_un |
+  @cil_conv_ovf_i2 | @cil_conv_ovf_i2_un | @cil_conv_ovf_i4 | @cil_conv_ovf_i4_un |
+  @cil_conv_ovf_i8 | @cil_conv_ovf_i8_un | @cil_conv_ovf_u | @cil_conv_ovf_u_un |
+  @cil_conv_ovf_u1 | @cil_conv_ovf_u1_un | @cil_conv_ovf_u2 | @cil_conv_ovf_u2_un |
+  @cil_conv_ovf_u4 | @cil_conv_ovf_u4_un | @cil_conv_ovf_u8 | @cil_conv_ovf_u8_un |
+  @cil_conv_r4 | @cil_conv_r8 | @cil_conv_ovf_u2 | @cil_conv_ovf_u2_un |
+  @cil_conv_i | @cil_conv_u | @cil_conv_r_un;
+
+@cil_ldind = @cil_ldind_i | @cil_ldind_i1 | @cil_ldind_i2 | @cil_ldind_i4 | @cil_ldind_i8 |
+  @cil_ldind_r4 | @cil_ldind_r8 | @cil_ldind_ref | @cil_ldind_u1 | @cil_ldind_u2 | @cil_ldind_u4;
+
+@cil_stind = @cil_stind_i | @cil_stind_i1 | @cil_stind_i2 | @cil_stind_i4 | @cil_stind_i8 |
+  @cil_stind_r4 | @cil_stind_r8 | @cil_stind_ref;
+
+@cil_bitwise_operation = @cil_binary_bitwise_operation | @cil_unary_bitwise_operation;
+
+@cil_binary_bitwise_operation = @cil_and | @cil_or | @cil_xor | @cil_shr | @cil_shr | @cil_shr_un | @cil_shl;
+
+@cil_binary_arithmetic_operation = @cil_add | @cil_sub | @cil_mul | @cil_div | @cil_div_un |
+  @cil_rem | @cil_rem_un | @cil_add_ovf | @cil_add_ovf_un | @cil_mul_ovf | @cil_mul_ovf_un |
+  @cil_sub_ovf | @cil_sub_ovf_un;
+
+@cil_unary_bitwise_operation = @cil_not;
+
+@cil_binary_expr = @cil_binary_arithmetic_operation | @cil_binary_bitwise_operation | @cil_read_array | @cil_comparison_operation;
+
+@cil_unary_arithmetic_operation = @cil_neg;
+
+@cil_comparison_operation = @cil_cgt_un | @cil_ceq | @cil_cgt | @cil_clt | @cil_clt_un;
+
+// Elements that retrieve an address of something
+@cil_read_ref = @cil_ldloca_s | @cil_ldarga_s | @cil_ldflda | @cil_ldsflda | @cil_ldelema;
+
+// CIL array instructions
+
+@cil_read_array =
+  @cil_ldelem | @cil_ldelema | @cil_ldelem_i1 | @cil_ldelem_ref | @cil_ldelem_i |
+  @cil_ldelem_i1 | @cil_ldelem_i2 | @cil_ldelem_i4 | @cil_ldelem_i8 | @cil_ldelem_r4 |
+  @cil_ldelem_r8 | @cil_ldelem_u1 | @cil_ldelem_u2 | @cil_ldelem_u4;
+
+@cil_write_array = @cil_stelem | @cil_stelem_ref |
+  @cil_stelem_i | @cil_stelem_i1 | @cil_stelem_i2 | @cil_stelem_i4 | @cil_stelem_i8 |
+  @cil_stelem_r4 | @cil_stelem_r8;
+
+@cil_throw_any = @cil_throw | @cil_rethrow;
+
+#keyset[impl, index]
+cil_instruction(
+  unique int id: @cil_instruction,
+  int opcode: int ref,
+  int index: int ref,
+  int impl: @cil_method_implementation ref);
+
+cil_jump(
+  unique int instruction: @cil_jump ref,
+  int target: @cil_instruction ref);
+
+cil_access(
+  unique int instruction: @cil_instruction ref,
+  int target: @cil_accessible ref);
+
+cil_value(
+  unique int instruction: @cil_literal ref,
+  string value: string ref);
+
+#keyset[instruction, index]
+cil_switch(
+  int instruction: @cil_switch ref,
+  int index: int ref,
+  int target: @cil_instruction ref);
+
+cil_instruction_location(
+  unique int id: @cil_instruction ref,
+  int loc: @location ref);
+
+cil_type_location(
+  int id: @cil_type ref,
+  int loc: @location ref);
+
+cil_method_location(
+  int id: @cil_method ref,
+  int loc: @location ref);
+
+@cil_namespace = @namespace;
+
+@cil_type_container = @cil_type | @cil_namespace | @cil_method;
+
+case @cil_type.kind of
+  0 = @cil_valueorreftype
+| 1 = @cil_typeparameter
+| 2 = @cil_array_type
+| 3 = @cil_pointer_type
+| 4 = @cil_function_pointer_type
+;
+
+cil_type(
+  unique int id: @cil_type,
+  string name: string ref,
+  int kind: int ref,
+  int parent: @cil_type_container ref,
+  int sourceDecl: @cil_type ref);
+
+cil_pointer_type(
+  unique int id: @cil_pointer_type ref,
+  int pointee: @cil_type ref);
+
+cil_array_type(
+  unique int id: @cil_array_type ref,
+  int element_type: @cil_type ref,
+  int rank: int ref);
+
+cil_function_pointer_return_type(
+  unique int id: @cil_function_pointer_type ref,
+  int return_type: @cil_type ref);
+
+cil_method(
+  unique int id: @cil_method,
+  string name: string ref,
+  int parent: @cil_type ref,
+  int return_type: @cil_type ref);
+
+cil_method_source_declaration(
+  unique int method: @cil_method ref,
+  int source: @cil_method ref);
+
+cil_method_implementation(
+  unique int id: @cil_method_implementation,
+  int method: @cil_method ref,
+  int location: @assembly ref);
+
+cil_implements(
+  int id: @cil_method ref,
+  int decl: @cil_method ref);
+
+#keyset[parent, name]
+cil_field(
+  unique int id: @cil_field,
+  int parent: @cil_type ref,
+  string name: string ref,
+  int field_type: @cil_type ref);
+
+@cil_element = @cil_instruction | @cil_declaration | @cil_handler | @cil_attribute | @cil_namespace;
+@cil_named_element = @cil_declaration | @cil_namespace;
+@cil_declaration = @cil_variable | @cil_method | @cil_type | @cil_member;
+@cil_accessible = @cil_declaration;
+@cil_variable = @cil_field | @cil_stack_variable;
+@cil_stack_variable = @cil_local_variable | @cil_parameter;
+@cil_member = @cil_method | @cil_type | @cil_field | @cil_property | @cil_event;
+@cil_custom_modifier_receiver = @cil_method | @cil_property | @cil_parameter | @cil_field | @cil_function_pointer_type;
+@cil_parameterizable = @cil_method | @cil_function_pointer_type;
+@cil_has_type_annotation = @cil_stack_variable | @cil_property | @cil_method | @cil_function_pointer_type;
+
+#keyset[parameterizable, index]
+cil_parameter(
+  unique int id: @cil_parameter,
+  int parameterizable: @cil_parameterizable ref,
+  int index: int ref,
+  int param_type: @cil_type ref);
+
+cil_parameter_in(unique int id: @cil_parameter ref);
+cil_parameter_out(unique int id: @cil_parameter ref);
+
+cil_setter(unique int prop: @cil_property ref,
+  int method: @cil_method ref);
+
+#keyset[id, modifier]
+cil_custom_modifiers(
+  int id: @cil_custom_modifier_receiver ref,
+  int modifier: @cil_type ref,
+  int kind: int ref); // modreq: 1, modopt: 0
+
+cil_type_annotation(
+  int id: @cil_has_type_annotation ref,
+  int annotation: int ref);
+
+cil_getter(unique int prop: @cil_property ref,
+  int method: @cil_method ref);
+
+cil_adder(unique int event: @cil_event ref,
+  int method: @cil_method ref);
+
+cil_remover(unique int event: @cil_event ref, int method: @cil_method ref);
+
+cil_raiser(unique int event: @cil_event ref, int method: @cil_method ref);
+
+cil_property(
+  unique int id: @cil_property,
+  int parent: @cil_type ref,
+  string name: string ref,
+  int property_type: @cil_type ref);
+
+#keyset[parent, name]
+cil_event(unique int id: @cil_event,
+  int parent: @cil_type ref,
+  string name: string ref,
+  int event_type: @cil_type ref);
+
+#keyset[impl, index]
+cil_local_variable(
+  unique int id: @cil_local_variable,
+  int impl: @cil_method_implementation ref,
+  int index: int ref,
+  int var_type: @cil_type ref);
+
+cil_function_pointer_calling_conventions(
+  int id: @cil_function_pointer_type ref,
+  int kind: int ref);
+
+// CIL handlers (exception handlers etc).
+
+case @cil_handler.kind of
+  0 = @cil_catch_handler
+| 1 = @cil_filter_handler
+| 2 = @cil_finally_handler
+| 4 = @cil_fault_handler
+;
+
+#keyset[impl, index]
+cil_handler(
+  unique int id: @cil_handler,
+  int impl: @cil_method_implementation ref,
+  int index: int ref,
+  int kind: int ref,
+  int try_start: @cil_instruction ref,
+  int try_end: @cil_instruction ref,
+  int handler_start: @cil_instruction ref);
+
+cil_handler_filter(
+  unique int id: @cil_handler ref,
+  int filter_start: @cil_instruction ref);
+
+cil_handler_type(
+  unique int id: @cil_handler ref,
+  int catch_type: @cil_type ref);
+
+@cil_controlflow_node = @cil_entry_point | @cil_instruction;
+
+@cil_entry_point = @cil_method_implementation | @cil_handler;
+
+@cil_dataflow_node = @cil_instruction | @cil_variable | @cil_method;
+
+cil_method_stack_size(
+  unique int method: @cil_method_implementation ref,
+  int size: int ref);
+
+// CIL modifiers
+
+cil_public(int id: @cil_member ref);
+cil_private(int id: @cil_member ref);
+cil_protected(int id: @cil_member ref);
+cil_internal(int id: @cil_member ref);
+cil_static(int id: @cil_member ref);
+cil_sealed(int id: @cil_member ref);
+cil_virtual(int id: @cil_method ref);
+cil_abstract(int id: @cil_member ref);
+cil_class(int id: @cil_type ref);
+cil_interface(int id: @cil_type ref);
+cil_security(int id: @cil_member ref);
+cil_requiresecobject(int id: @cil_method ref);
+cil_specialname(int id: @cil_method ref);
+cil_newslot(int id: @cil_method ref);
+
+cil_base_class(unique int id: @cil_type ref, int base: @cil_type ref);
+cil_base_interface(int id: @cil_type ref, int base: @cil_type ref);
+cil_enum_underlying_type(unique int id: @cil_type ref, int underlying: @cil_type ref);
+
+#keyset[unbound, index]
+cil_type_parameter(
+  int unbound: @cil_member ref,
+  int index: int ref,
+  int param: @cil_typeparameter ref);
+
+#keyset[bound, index]
+cil_type_argument(
+  int bound: @cil_member ref,
+  int index: int ref,
+  int t: @cil_type ref);
+
+// CIL type parameter constraints
+
+cil_typeparam_covariant(int tp: @cil_typeparameter ref);
+cil_typeparam_contravariant(int tp: @cil_typeparameter ref);
+cil_typeparam_class(int tp: @cil_typeparameter ref);
+cil_typeparam_struct(int tp: @cil_typeparameter ref);
+cil_typeparam_new(int tp: @cil_typeparameter ref);
+cil_typeparam_constraint(int tp: @cil_typeparameter ref, int supertype: @cil_type ref);
+
+// CIL attributes
+
+cil_attribute(
+  unique int attributeid: @cil_attribute,
+  int element: @cil_declaration ref,
+  int constructor: @cil_method ref);
+
+#keyset[attribute_id, param]
+cil_attribute_named_argument(
+  int attribute_id: @cil_attribute ref,
+  string param: string ref,
+  string value: string ref);
+
+#keyset[attribute_id, index]
+cil_attribute_positional_argument(
+  int attribute_id: @cil_attribute ref,
+  int index: int ref,
+  string value: string ref);
+
+
+// Common .Net data model covering both C# and CIL
+
+// Common elements
+@dotnet_element = @element | @cil_element;
+@dotnet_named_element = @named_element | @cil_named_element;
+@dotnet_callable = @callable | @cil_method;
+@dotnet_variable = @variable | @cil_variable;
+@dotnet_field = @field | @cil_field;
+@dotnet_parameter = @parameter | @cil_parameter;
+@dotnet_declaration = @declaration | @cil_declaration;
+@dotnet_member = @member | @cil_member;
+@dotnet_event = @event | @cil_event;
+@dotnet_property = @property | @cil_property | @indexer;
+@dotnet_parameterizable = @parameterizable | @cil_parameterizable;
+
+// Common types
+@dotnet_type = @type | @cil_type;
+@dotnet_call = @call | @cil_call_any;
+@dotnet_throw = @throw_element | @cil_throw_any;
+@dotnet_valueorreftype = @cil_valueorreftype | @value_or_ref_type | @cil_array_type | @void_type;
+@dotnet_typeparameter = @type_parameter | @cil_typeparameter;
+@dotnet_array_type = @array_type | @cil_array_type;
+@dotnet_pointer_type = @pointer_type | @cil_pointer_type;
+@dotnet_type_parameter = @type_parameter | @cil_typeparameter;
+@dotnet_generic = @dotnet_valueorreftype | @dotnet_callable;
+
+// Attributes
+@dotnet_attribute = @attribute | @cil_attribute;
+
+// Expressions
+@dotnet_expr = @expr | @cil_expr;
+
+// Literals
+@dotnet_literal = @literal_expr | @cil_literal;
+@dotnet_string_literal = @string_literal_expr | @cil_ldstr;
+@dotnet_int_literal = @integer_literal_expr | @cil_ldc_i;
+@dotnet_float_literal = @float_literal_expr | @cil_ldc_r;
+@dotnet_null_literal = @null_literal_expr | @cil_ldnull;
+
+@metadata_entity = @cil_method | @cil_type | @cil_field | @cil_property | @field | @property |
+    @callable | @value_or_ref_type | @void_type;
+
+#keyset[entity, location]
+metadata_handle(int entity : @metadata_entity ref, int location: @assembly ref, int handle: int ref)
diff --git a/csharp/upgrades/9258e9b38d85f92cee9559f2ed21e241f0c7a29e/semmlecode.csharp.dbscheme b/csharp/upgrades/9258e9b38d85f92cee9559f2ed21e241f0c7a29e/semmlecode.csharp.dbscheme
new file mode 100644
index 00000000000..770f844243d
--- /dev/null
+++ b/csharp/upgrades/9258e9b38d85f92cee9559f2ed21e241f0c7a29e/semmlecode.csharp.dbscheme
@@ -0,0 +1,2083 @@
+
+/**
+ * An invocation of the compiler. Note that more than one file may be
+ * compiled per invocation. For example, this command compiles three
+ * source files:
+ *
+ *   csc f1.cs f2.cs f3.cs
+ *
+ * The `id` simply identifies the invocation, while `cwd` is the working
+ * directory from which the compiler was invoked.
+ */
+compilations(
+    unique int id : @compilation,
+    string cwd : string ref
+);
+
+/**
+ * The arguments that were passed to the extractor for a compiler
+ * invocation. If `id` is for the compiler invocation
+ *
+ *   csc f1.cs f2.cs f3.cs
+ *
+ * then typically there will be rows for
+ *
+ * num | arg
+ * --- | ---
+ * 0   | --compiler
+ * 1   | *path to compiler*
+ * 2   | --cil
+ * 3   | f1.cs
+ * 4   | f2.cs
+ * 5   | f3.cs
+ */
+#keyset[id, num]
+compilation_args(
+    int id : @compilation ref,
+    int num : int ref,
+    string arg : string ref
+);
+
+/**
+ * The source files that are compiled by a compiler invocation.
+ * If `id` is for the compiler invocation
+ *
+ *   csc f1.cs f2.cs f3.cs
+ *
+ * then there will be rows for
+ *
+ * num | arg
+ * --- | ---
+ * 0   | f1.cs
+ * 1   | f2.cs
+ * 2   | f3.cs
+ */
+#keyset[id, num]
+compilation_compiling_files(
+    int id : @compilation ref,
+    int num : int ref,
+    int file : @file ref
+);
+
+/**
+ * The references used by a compiler invocation.
+ * If `id` is for the compiler invocation
+ *
+ *   csc f1.cs f2.cs f3.cs /r:ref1.dll /r:ref2.dll /r:ref3.dll
+ *
+ * then there will be rows for
+ *
+ * num | arg
+ * --- | ---
+ * 0   | ref1.dll
+ * 1   | ref2.dll
+ * 2   | ref3.dll
+ */
+#keyset[id, num]
+compilation_referencing_files(
+    int id : @compilation ref,
+    int num : int ref,
+    int file : @file ref
+);
+
+/**
+ * The time taken by the extractor for a compiler invocation.
+ *
+ * For each file `num`, there will be rows for
+ *
+ * kind | seconds
+ * ---- | ---
+ * 1    | CPU seconds used by the extractor frontend
+ * 2    | Elapsed seconds during the extractor frontend
+ * 3    | CPU seconds used by the extractor backend
+ * 4    | Elapsed seconds during the extractor backend
+ */
+#keyset[id, num, kind]
+compilation_time(
+    int id : @compilation ref,
+    int num : int ref,
+    /* kind:
+       1 = frontend_cpu_seconds
+       2 = frontend_elapsed_seconds
+       3 = extractor_cpu_seconds
+       4 = extractor_elapsed_seconds
+    */
+    int kind : int ref,
+    float seconds : float ref
+);
+
+/**
+ * An error or warning generated by the extractor.
+ * The diagnostic message `diagnostic` was generated during compiler
+ * invocation `compilation`, and is the `file_number_diagnostic_number`th
+ * message generated while extracting the `file_number`th file of that
+ * invocation.
+ */
+#keyset[compilation, file_number, file_number_diagnostic_number]
+diagnostic_for(
+    unique int diagnostic : @diagnostic ref,
+    int compilation : @compilation ref,
+    int file_number : int ref,
+    int file_number_diagnostic_number : int ref
+);
+
+diagnostics(
+    unique int id: @diagnostic,
+    int severity: int ref,
+    string error_tag: string ref,
+    string error_message: string ref,
+    string full_error_message: string ref,
+    int location: @location_default ref
+);
+
+extractor_messages(
+    unique int id: @extractor_message,
+    int severity: int ref,
+    string origin : string ref,
+    string text : string ref,
+    string entity : string ref,
+    int location: @location_default ref,
+    string stack_trace : string ref
+);
+
+/**
+ * If extraction was successful, then `cpu_seconds` and
+ * `elapsed_seconds` are the CPU time and elapsed time (respectively)
+ * that extraction took for compiler invocation `id`.
+ */
+compilation_finished(
+    unique int id : @compilation ref,
+    float cpu_seconds : float ref,
+    float elapsed_seconds : float ref
+);
+
+compilation_assembly(
+  unique int id : @compilation ref,
+  int assembly: @assembly ref
+)
+
+/*
+ * External artifacts
+ */
+
+externalDefects(
+  unique int id: @externalDefect,
+  string queryPath: string ref,
+  int location: @location ref,
+  string message: string ref,
+  float severity: float ref);
+
+externalMetrics(
+  unique int id: @externalMetric,
+  string queryPath: string ref,
+  int location: @location ref,
+  float value: float ref);
+
+externalData(
+  int id: @externalDataElement,
+  string path: string ref,
+  int column: int ref,
+  string value: string ref);
+
+snapshotDate(
+  unique date snapshotDate: date ref);
+
+sourceLocationPrefix(
+  string prefix: string ref);
+
+/*
+ * Duplicate code
+ */
+
+duplicateCode(
+  unique int id: @duplication,
+  string relativePath: string ref,
+  int equivClass: int ref);
+
+similarCode(
+  unique int id: @similarity,
+  string relativePath: string ref,
+  int equivClass: int ref);
+
+@duplication_or_similarity = @duplication | @similarity
+
+tokens(
+  int id: @duplication_or_similarity ref,
+  int offset: int ref,
+  int beginLine: int ref,
+  int beginColumn: int ref,
+  int endLine: int ref,
+  int endColumn: int ref);
+
+/*
+ * C# dbscheme
+ */
+
+/** ELEMENTS **/
+
+@element = @declaration | @stmt | @expr | @modifier | @attribute | @namespace_declaration
+         | @using_directive | @type_parameter_constraints | @external_element
+         | @xmllocatable | @asp_element | @namespace | @preprocessor_directive;
+
+@declaration = @callable | @generic | @assignable | @namespace;
+
+@named_element = @namespace | @declaration;
+
+@declaration_with_accessors = @property | @indexer | @event;
+
+@assignable = @variable | @assignable_with_accessors | @event;
+
+@assignable_with_accessors = @property | @indexer;
+
+@external_element = @externalMetric | @externalDefect | @externalDataElement;
+
+@attributable = @assembly | @field | @parameter | @operator | @method | @constructor
+              | @destructor | @callable_accessor | @value_or_ref_type | @declaration_with_accessors
+              | @local_function;
+
+/** LOCATIONS, ASEMMBLIES, MODULES, FILES and FOLDERS **/
+
+@location = @location_default | @assembly;
+
+locations_default(
+  unique int id: @location_default,
+  int file: @file ref,
+  int beginLine: int ref,
+  int beginColumn: int ref,
+  int endLine: int ref,
+  int endColumn: int ref);
+
+locations_mapped(
+  unique int id: @location_default ref,
+  int mapped_to: @location_default ref);
+
+@sourceline = @file | @callable | @xmllocatable;
+
+numlines(
+  int element_id: @sourceline ref,
+  int num_lines: int ref,
+  int num_code: int ref,
+  int num_comment: int ref);
+
+assemblies(
+  unique int id: @assembly,
+  int file: @file ref,
+  string fullname: string ref,
+  string name: string ref,
+  string version: string ref);
+
+/*
+  fromSource(0) = unknown,
+  fromSource(1) = from source,
+  fromSource(2) = from library
+*/
+files(
+  unique int id: @file,
+  string name: string ref,
+  string simple: string ref,
+  string ext: string ref,
+  int fromSource: int ref);
+
+folders(
+  unique int id: @folder,
+  string name: string ref,
+  string simple: string ref);
+
+@container = @folder | @file ;
+
+containerparent(
+  int parent: @container ref,
+  unique int child: @container ref);
+
+file_extraction_mode(
+  unique int file: @file ref,
+  int mode: int ref
+  /* 0 = normal, 1 = standalone extractor */
+  );
+
+/** NAMESPACES **/
+
+@type_container = @namespace | @type;
+
+namespaces(
+  unique int id: @namespace,
+  string name: string ref);
+
+namespace_declarations(
+  unique int id: @namespace_declaration,
+  int namespace_id: @namespace ref);
+
+namespace_declaration_location(
+  unique int id: @namespace_declaration ref,
+  int loc: @location ref);
+
+parent_namespace(
+  unique int child_id: @type_container ref,
+  int namespace_id: @namespace ref);
+
+@declaration_or_directive = @namespace_declaration | @type | @using_directive;
+
+parent_namespace_declaration(
+  int child_id: @declaration_or_directive ref, // cannot be unique because of partial classes
+  int namespace_id: @namespace_declaration ref);
+
+@using_directive = @using_namespace_directive | @using_static_directive;
+
+using_namespace_directives(
+  unique int id: @using_namespace_directive,
+  int namespace_id: @namespace ref);
+
+using_static_directives(
+  unique int id: @using_static_directive,
+  int type_id: @type_or_ref ref);
+
+using_directive_location(
+  unique int id: @using_directive ref,
+  int loc: @location ref);
+
+@preprocessor_directive = @pragma_warning | @pragma_checksum | @directive_define | @directive_undefine | @directive_warning
+  | @directive_error | @directive_nullable | @directive_line | @directive_region | @directive_endregion | @directive_if
+  | @directive_elif | @directive_else | @directive_endif;
+
+@conditional_directive = @directive_if | @directive_elif;
+@branch_directive = @directive_if | @directive_elif | @directive_else;
+
+directive_ifs(
+  unique int id: @directive_if,
+  int branchTaken: int ref,     /* 0: false, 1: true */
+  int conditionValue: int ref); /* 0: false, 1: true */
+
+directive_elifs(
+  unique int id: @directive_elif,
+  int branchTaken: int ref,     /* 0: false, 1: true */
+  int conditionValue: int ref,  /* 0: false, 1: true */
+  int parent: @directive_if ref,
+  int index: int ref);
+
+directive_elses(
+  unique int id: @directive_else,
+  int branchTaken: int ref,   /* 0: false, 1: true */
+  int parent: @directive_if ref,
+  int index: int ref);
+
+#keyset[id, start]
+directive_endifs(
+  unique int id: @directive_endif,
+  unique int start: @directive_if ref);
+
+directive_define_symbols(
+  unique int id: @define_symbol_expr ref,
+  string name: string ref);
+
+directive_regions(
+  unique int id: @directive_region,
+  string name: string ref);
+
+#keyset[id, start]
+directive_endregions(
+  unique int id: @directive_endregion,
+  unique int start: @directive_region ref);
+
+directive_lines(
+  unique int id: @directive_line,
+  int kind: int ref); /* 0: default, 1: hidden, 2: numeric */
+
+directive_line_value(
+  unique int id: @directive_line ref,
+  int line: int ref);
+
+directive_line_file(
+  unique int id: @directive_line ref,
+  int file: @file ref
+)
+
+directive_nullables(
+  unique int id: @directive_nullable,
+  int setting: int ref, /* 0: disable, 1: enable, 2: restore */
+  int target: int ref); /* 0: none, 1: annotations, 2: warnings */
+
+directive_warnings(
+  unique int id: @directive_warning,
+  string message: string ref);
+
+directive_errors(
+  unique int id: @directive_error,
+  string message: string ref);
+
+directive_undefines(
+  unique int id: @directive_undefine,
+  string name: string ref);
+
+directive_defines(
+  unique int id: @directive_define,
+  string name: string ref);
+
+pragma_checksums(
+  unique int id: @pragma_checksum,
+  int file: @file ref,
+  string guid: string ref,
+  string bytes: string ref);
+
+pragma_warnings(
+  unique int id: @pragma_warning,
+  int kind: int ref /* 0 = disable, 1 = restore */);
+
+#keyset[id, index]
+pragma_warning_error_codes(
+  int id: @pragma_warning ref,
+  string errorCode: string ref,
+  int index: int ref);
+
+preprocessor_directive_location(
+  unique int id: @preprocessor_directive ref,
+  int loc: @location ref);
+
+preprocessor_directive_compilation(
+  unique int id: @preprocessor_directive ref,
+  int compilation: @compilation ref);
+
+preprocessor_directive_active(
+  unique int id: @preprocessor_directive ref,
+  int active: int ref);  /* 0: false, 1: true */
+
+/** TYPES **/
+
+types(
+  unique int id: @type,
+  int kind: int ref,
+  string name: string ref);
+
+case @type.kind of
+   1 = @bool_type
+|  2 = @char_type
+|  3 = @decimal_type
+|  4 = @sbyte_type
+|  5 = @short_type
+|  6 = @int_type
+|  7 = @long_type
+|  8 = @byte_type
+|  9 = @ushort_type
+| 10 = @uint_type
+| 11 = @ulong_type
+| 12 = @float_type
+| 13 = @double_type
+| 14 = @enum_type
+| 15 = @struct_type
+| 17 = @class_type
+| 19 = @interface_type
+| 20 = @delegate_type
+| 21 = @null_type
+| 22 = @type_parameter
+| 23 = @pointer_type
+| 24 = @nullable_type
+| 25 = @array_type
+| 26 = @void_type
+| 27 = @int_ptr_type
+| 28 = @uint_ptr_type
+| 29 = @dynamic_type
+| 30 = @arglist_type
+| 31 = @unknown_type
+| 32 = @tuple_type
+| 33 = @function_pointer_type
+  ;
+
+@simple_type = @bool_type | @char_type | @integral_type | @floating_point_type | @decimal_type;
+@integral_type = @signed_integral_type | @unsigned_integral_type;
+@signed_integral_type = @sbyte_type | @short_type | @int_type | @long_type;
+@unsigned_integral_type = @byte_type  | @ushort_type | @uint_type | @ulong_type;
+@floating_point_type = @float_type | @double_type;
+@value_type = @simple_type | @enum_type | @struct_type | @nullable_type | @int_ptr_type
+            | @uint_ptr_type | @tuple_type;
+@ref_type = @class_type | @interface_type | @array_type | @delegate_type | @null_type
+          | @dynamic_type;
+@value_or_ref_type = @value_type | @ref_type;
+
+typerefs(
+  unique int id: @typeref,
+  string name: string ref);
+
+typeref_type(
+  int id: @typeref ref,
+  unique int typeId: @type ref);
+
+@type_or_ref = @type | @typeref;
+
+array_element_type(
+  unique int array: @array_type ref,
+  int dimension: int ref,
+  int rank: int ref,
+  int element: @type_or_ref ref);
+
+nullable_underlying_type(
+  unique int nullable: @nullable_type ref,
+  int underlying: @type_or_ref ref);
+
+pointer_referent_type(
+  unique int pointer: @pointer_type ref,
+  int referent: @type_or_ref ref);
+
+enum_underlying_type(
+  unique int enum_id: @enum_type ref,
+  int underlying_type_id: @type_or_ref ref);
+
+delegate_return_type(
+  unique int delegate_id: @delegate_type ref,
+  int return_type_id: @type_or_ref ref);
+
+function_pointer_return_type(
+    unique int function_pointer_id: @function_pointer_type ref,
+    int return_type_id: @type_or_ref ref);
+
+extend(
+  int sub: @type ref,
+  int super: @type_or_ref ref);
+
+anonymous_types(
+  unique int id: @type ref);
+
+@interface_or_ref = @interface_type | @typeref;
+
+implement(
+  int sub: @type ref,
+  int super: @type_or_ref ref);
+
+type_location(
+  int id: @type ref,
+  int loc: @location ref);
+
+tuple_underlying_type(
+  unique int tuple: @tuple_type ref,
+  int struct: @type_or_ref ref);
+
+#keyset[tuple, index]
+tuple_element(
+  int tuple: @tuple_type ref,
+  int index: int ref,
+  unique int field: @field ref);
+
+attributes(
+  unique int id: @attribute,
+  int type_id: @type_or_ref ref,
+  int target:  @attributable ref);
+
+attribute_location(
+  int id: @attribute ref,
+  int loc: @location ref);
+
+@type_mention_parent = @element | @type_mention;
+
+type_mention(
+  unique int id: @type_mention,
+  int type_id: @type_or_ref ref,
+  int parent: @type_mention_parent ref);
+
+type_mention_location(
+  unique int id: @type_mention ref,
+  int loc: @location ref);
+
+@has_type_annotation = @assignable | @type_parameter | @callable | @expr | @delegate_type | @generic | @function_pointer_type;
+
+/**
+ * A direct annotation on an entity, for example `string? x;`.
+ *
+ * Annotations:
+ * 2 = reftype is not annotated "!"
+ * 3 = reftype is annotated "?"
+ * 4 = readonly ref type / in parameter
+ * 5 = ref type parameter, return or local variable
+ * 6 = out parameter
+ *
+ * Note that the annotation depends on the element it annotates.
+ * @assignable: The annotation is on the type of the assignable, for example the variable type.
+ * @type_parameter: The annotation is on the reftype constraint
+ * @callable: The annotation is on the return type
+ * @array_type: The annotation is on the element type
+ */
+type_annotation(int id: @has_type_annotation ref, int annotation: int ref);
+
+nullability(unique int nullability: @nullability, int kind: int ref);
+
+case @nullability.kind of
+  0 = @oblivious
+| 1 = @not_annotated
+| 2 = @annotated
+;
+
+#keyset[parent, index]
+nullability_parent(int nullability: @nullability ref, int index: int ref, int parent: @nullability ref)
+
+type_nullability(int id: @has_type_annotation ref, int nullability: @nullability ref);
+
+/**
+ * The nullable flow state of an expression, as determined by Roslyn.
+ *   0 = none (default, not populated)
+ *   1 = not null
+ *   2 = maybe null
+ */
+expr_flowstate(unique int id: @expr ref, int state: int ref);
+
+/** GENERICS **/
+
+@generic = @type | @method | @local_function;
+
+type_parameters(
+  unique int id: @type_parameter ref,
+  int index: int ref,
+  int generic_id: @generic ref,
+  int variance: int ref /* none = 0, out = 1, in = 2 */);
+
+#keyset[constructed_id, index]
+type_arguments(
+  int id: @type_or_ref ref,
+  int index: int ref,
+  int constructed_id: @generic_or_ref ref);
+
+@generic_or_ref = @generic | @typeref;
+
+constructed_generic(
+  unique int constructed: @generic ref,
+  int generic: @generic_or_ref ref);
+
+type_parameter_constraints(
+  unique int id: @type_parameter_constraints,
+  int param_id: @type_parameter ref);
+
+type_parameter_constraints_location(
+  int id: @type_parameter_constraints ref,
+  int loc: @location ref);
+
+general_type_parameter_constraints(
+  int id: @type_parameter_constraints ref,
+  int kind: int ref /* class = 1, struct = 2, new = 3 */);
+
+specific_type_parameter_constraints(
+  int id: @type_parameter_constraints ref,
+  int base_id: @type_or_ref ref);
+
+specific_type_parameter_nullability(
+  int id: @type_parameter_constraints ref,
+  int base_id: @type_or_ref ref,
+  int nullability: @nullability ref);
+
+/** FUNCTION POINTERS */
+
+function_pointer_calling_conventions(
+  int id: @function_pointer_type ref,
+  int kind: int ref);
+
+#keyset[id, index]
+has_unmanaged_calling_conventions(
+  int id: @function_pointer_type ref,
+  int index: int ref,
+  int conv_id: @type_or_ref ref);
+
+/** MODIFIERS */
+
+@modifiable = @modifiable_direct | @event_accessor;
+
+@modifiable_direct = @member | @accessor | @local_function | @anonymous_function_expr;
+
+modifiers(
+  unique int id: @modifier,
+  string name: string ref);
+
+has_modifiers(
+  int id: @modifiable_direct ref,
+  int mod_id: @modifier ref);
+
+compiler_generated(unique int id: @modifiable_direct ref);
+
+/** MEMBERS **/
+
+@member = @method | @constructor | @destructor | @field | @property | @event | @operator | @indexer | @type;
+
+@named_exprorstmt = @goto_stmt | @labeled_stmt | @expr;
+
+@virtualizable = @method | @property | @indexer | @event;
+
+exprorstmt_name(
+  unique int parent_id: @named_exprorstmt ref,
+  string name: string ref);
+
+nested_types(
+  unique int id: @type ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @type ref);
+
+properties(
+  unique int id: @property,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @property ref);
+
+property_location(
+  int id: @property ref,
+  int loc: @location ref);
+
+indexers(
+  unique int id: @indexer,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @indexer ref);
+
+indexer_location(
+  int id: @indexer ref,
+  int loc: @location ref);
+
+accessors(
+  unique int id: @accessor,
+  int kind: int ref,
+  string name: string ref,
+  int declaring_member_id: @member ref,
+  int unbound_id: @accessor ref);
+
+case @accessor.kind of
+  1 = @getter
+| 2 = @setter
+  ;
+
+init_only_accessors(
+  unique int id: @accessor ref);
+
+accessor_location(
+  int id: @accessor ref,
+  int loc: @location ref);
+
+events(
+  unique int id: @event,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @event ref);
+
+event_location(
+  int id: @event ref,
+  int loc: @location ref);
+
+event_accessors(
+  unique int id: @event_accessor,
+  int kind: int ref,
+  string name: string ref,
+  int declaring_event_id: @event ref,
+  int unbound_id: @event_accessor ref);
+
+case @event_accessor.kind of
+  1 = @add_event_accessor
+| 2 = @remove_event_accessor
+  ;
+
+event_accessor_location(
+  int id: @event_accessor ref,
+  int loc: @location ref);
+
+operators(
+  unique int id: @operator,
+  string name: string ref,
+  string symbol: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @operator ref);
+
+operator_location(
+  int id: @operator ref,
+  int loc: @location ref);
+
+constant_value(
+  int id: @variable ref,
+  string value: string ref);
+
+/** CALLABLES **/
+
+@callable = @method | @constructor | @destructor | @operator | @callable_accessor | @anonymous_function_expr | @local_function;
+
+@callable_accessor = @accessor | @event_accessor;
+
+methods(
+  unique int id: @method,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @method ref);
+
+method_location(
+  int id: @method ref,
+  int loc: @location ref);
+
+constructors(
+  unique int id: @constructor,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @constructor ref);
+
+constructor_location(
+  int id: @constructor ref,
+  int loc: @location ref);
+
+destructors(
+  unique int id: @destructor,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int unbound_id: @destructor ref);
+
+destructor_location(
+  int id: @destructor ref,
+  int loc: @location ref);
+
+overrides(
+  int id: @callable ref,
+  int base_id: @callable ref);
+
+explicitly_implements(
+  int id: @member ref,
+  int interface_id: @interface_or_ref ref);
+
+local_functions(
+    unique int id: @local_function,
+    string name: string ref,
+    int return_type: @type ref,
+    int unbound_id: @local_function ref);
+
+local_function_stmts(
+    unique int fn: @local_function_stmt ref,
+    int stmt: @local_function ref);
+
+/** VARIABLES **/
+
+@variable = @local_scope_variable | @field;
+
+@local_scope_variable = @local_variable | @parameter;
+
+fields(
+  unique int id: @field,
+  int kind: int ref,
+  string name: string ref,
+  int declaring_type_id: @type ref,
+  int type_id: @type_or_ref ref,
+  int unbound_id: @field ref);
+
+case @field.kind of
+  1 = @addressable_field
+| 2 = @constant
+  ;
+
+field_location(
+  int id: @field ref,
+  int loc: @location ref);
+
+localvars(
+  unique int id: @local_variable,
+  int kind: int ref,
+  string name: string ref,
+  int implicitly_typed: int ref /* 0 = no, 1 = yes */,
+  int type_id: @type_or_ref ref,
+  int parent_id: @local_var_decl_expr ref);
+
+case @local_variable.kind of
+  1 = @addressable_local_variable
+| 2 = @local_constant
+| 3 = @local_variable_ref
+  ;
+
+localvar_location(
+  unique int id: @local_variable ref,
+  int loc: @location ref);
+
+@parameterizable = @callable | @delegate_type | @indexer | @function_pointer_type;
+
+#keyset[name, parent_id]
+#keyset[index, parent_id]
+params(
+  unique int id: @parameter,
+  string name: string ref,
+  int type_id: @type_or_ref ref,
+  int index: int ref,
+  int mode: int ref, /* value = 0, ref = 1, out = 2, array = 3, this = 4 */
+  int parent_id: @parameterizable ref,
+  int unbound_id: @parameter ref);
+
+param_location(
+  int id: @parameter ref,
+  int loc: @location ref);
+
+/** STATEMENTS **/
+
+@exprorstmt_parent = @control_flow_element | @top_level_exprorstmt_parent;
+
+statements(
+  unique int id: @stmt,
+  int kind: int ref);
+
+#keyset[index, parent]
+stmt_parent(
+  unique int stmt: @stmt ref,
+  int index: int ref,
+  int parent: @control_flow_element ref);
+
+@top_level_stmt_parent = @callable;
+
+// [index, parent] is not a keyset because the same parent may be compiled multiple times
+stmt_parent_top_level(
+  unique int stmt: @stmt ref,
+  int index: int ref,
+  int parent: @top_level_stmt_parent ref);
+
+case @stmt.kind of
+   1 = @block_stmt
+|  2 = @expr_stmt
+|  3 = @if_stmt
+|  4 = @switch_stmt
+|  5 = @while_stmt
+|  6 = @do_stmt
+|  7 = @for_stmt
+|  8 = @foreach_stmt
+|  9 = @break_stmt
+| 10 = @continue_stmt
+| 11 = @goto_stmt
+| 12 = @goto_case_stmt
+| 13 = @goto_default_stmt
+| 14 = @throw_stmt
+| 15 = @return_stmt
+| 16 = @yield_stmt
+| 17 = @try_stmt
+| 18 = @checked_stmt
+| 19 = @unchecked_stmt
+| 20 = @lock_stmt
+| 21 = @using_block_stmt
+| 22 = @var_decl_stmt
+| 23 = @const_decl_stmt
+| 24 = @empty_stmt
+| 25 = @unsafe_stmt
+| 26 = @fixed_stmt
+| 27 = @label_stmt
+| 28 = @catch
+| 29 = @case_stmt
+| 30 = @local_function_stmt
+| 31 = @using_decl_stmt
+  ;
+
+@using_stmt = @using_block_stmt | @using_decl_stmt;
+
+@labeled_stmt = @label_stmt | @case;
+
+@decl_stmt = @var_decl_stmt | @const_decl_stmt | @using_decl_stmt;
+
+@cond_stmt = @if_stmt | @switch_stmt;
+
+@loop_stmt = @while_stmt | @do_stmt | @for_stmt | @foreach_stmt;
+
+@jump_stmt = @break_stmt | @goto_any_stmt | @continue_stmt | @throw_stmt | @return_stmt
+           | @yield_stmt;
+
+@goto_any_stmt = @goto_default_stmt | @goto_case_stmt | @goto_stmt;
+
+
+stmt_location(
+  unique int id: @stmt ref,
+  int loc: @location ref);
+
+catch_type(
+  unique int catch_id: @catch ref,
+  int type_id: @type_or_ref ref,
+  int kind: int ref /* explicit = 1, implicit = 2 */);
+
+foreach_stmt_info(
+  unique int id: @foreach_stmt ref,
+  int kind: int ref /* non-async = 1, async = 2 */);
+
+@foreach_symbol =  @method | @property | @type_or_ref;
+
+#keyset[id, kind]
+foreach_stmt_desugar(
+  int id: @foreach_stmt ref,
+  int symbol: @foreach_symbol ref,
+  int kind: int ref /* GetEnumeratorMethod = 1, CurrentProperty = 2, MoveNextMethod = 3, DisposeMethod = 4, ElementType = 5 */);
+
+/** EXPRESSIONS **/
+
+expressions(
+  unique int id: @expr,
+  int kind: int ref,
+  int type_id: @type_or_ref ref);
+
+#keyset[index, parent]
+expr_parent(
+  unique int expr: @expr ref,
+  int index: int ref,
+  int parent: @control_flow_element ref);
+
+@top_level_expr_parent = @attribute | @field | @property | @indexer | @parameter | @directive_if | @directive_elif;
+
+@top_level_exprorstmt_parent = @top_level_expr_parent | @top_level_stmt_parent;
+
+// [index, parent] is not a keyset because the same parent may be compiled multiple times
+expr_parent_top_level(
+  unique int expr: @expr ref,
+  int index: int ref,
+  int parent: @top_level_exprorstmt_parent ref);
+
+case @expr.kind of
+/* literal */
+   1 = @bool_literal_expr
+|  2 = @char_literal_expr
+|  3 = @decimal_literal_expr
+|  4 = @int_literal_expr
+|  5 = @long_literal_expr
+|  6 = @uint_literal_expr
+|  7 = @ulong_literal_expr
+|  8 = @float_literal_expr
+|  9 = @double_literal_expr
+| 10 = @string_literal_expr
+| 11 = @null_literal_expr
+/* primary & unary */
+| 12 = @this_access_expr
+| 13 = @base_access_expr
+| 14 = @local_variable_access_expr
+| 15 = @parameter_access_expr
+| 16 = @field_access_expr
+| 17 = @property_access_expr
+| 18 = @method_access_expr
+| 19 = @event_access_expr
+| 20 = @indexer_access_expr
+| 21 = @array_access_expr
+| 22 = @type_access_expr
+| 23 = @typeof_expr
+| 24 = @method_invocation_expr
+| 25 = @delegate_invocation_expr
+| 26 = @operator_invocation_expr
+| 27 = @cast_expr
+| 28 = @object_creation_expr
+| 29 = @explicit_delegate_creation_expr
+| 30 = @implicit_delegate_creation_expr
+| 31 = @array_creation_expr
+| 32 = @default_expr
+| 33 = @plus_expr
+| 34 = @minus_expr
+| 35 = @bit_not_expr
+| 36 = @log_not_expr
+| 37 = @post_incr_expr
+| 38 = @post_decr_expr
+| 39 = @pre_incr_expr
+| 40 = @pre_decr_expr
+/* multiplicative */
+| 41 = @mul_expr
+| 42 = @div_expr
+| 43 = @rem_expr
+/* additive */
+| 44 = @add_expr
+| 45 = @sub_expr
+/* shift */
+| 46 = @lshift_expr
+| 47 = @rshift_expr
+/* relational */
+| 48 = @lt_expr
+| 49 = @gt_expr
+| 50 = @le_expr
+| 51 = @ge_expr
+/* equality */
+| 52 = @eq_expr
+| 53 = @ne_expr
+/* logical */
+| 54 = @bit_and_expr
+| 55 = @bit_xor_expr
+| 56 = @bit_or_expr
+| 57 = @log_and_expr
+| 58 = @log_or_expr
+/* type testing */
+| 59 = @is_expr
+| 60 = @as_expr
+/* null coalescing */
+| 61 = @null_coalescing_expr
+/* conditional */
+| 62 = @conditional_expr
+/* assignment */
+| 63 = @simple_assign_expr
+| 64 = @assign_add_expr
+| 65 = @assign_sub_expr
+| 66 = @assign_mul_expr
+| 67 = @assign_div_expr
+| 68 = @assign_rem_expr
+| 69 = @assign_and_expr
+| 70 = @assign_xor_expr
+| 71 = @assign_or_expr
+| 72 = @assign_lshift_expr
+| 73 = @assign_rshift_expr
+/* more */
+| 74 = @object_init_expr
+| 75 = @collection_init_expr
+| 76 = @array_init_expr
+| 77 = @checked_expr
+| 78 = @unchecked_expr
+| 79 = @constructor_init_expr
+| 80 = @add_event_expr
+| 81 = @remove_event_expr
+| 82 = @par_expr
+| 83 = @local_var_decl_expr
+| 84 = @lambda_expr
+| 85 = @anonymous_method_expr
+| 86 = @namespace_expr
+/* dynamic */
+| 92 = @dynamic_element_access_expr
+| 93 = @dynamic_member_access_expr
+/* unsafe */
+| 100 = @pointer_indirection_expr
+| 101 = @address_of_expr
+| 102 = @sizeof_expr
+/* async */
+| 103 = @await_expr
+/* C# 6.0 */
+| 104 = @nameof_expr
+| 105 = @interpolated_string_expr
+| 106 = @unknown_expr
+/* C# 7.0 */
+| 107 = @throw_expr
+| 108 = @tuple_expr
+| 109 = @local_function_invocation_expr
+| 110 = @ref_expr
+| 111 = @discard_expr
+/* C# 8.0 */
+| 112 = @range_expr
+| 113 = @index_expr
+| 114 = @switch_expr
+| 115 = @recursive_pattern_expr
+| 116 = @property_pattern_expr
+| 117 = @positional_pattern_expr
+| 118 = @switch_case_expr
+| 119 = @assign_coalesce_expr
+| 120 = @suppress_nullable_warning_expr
+| 121 = @namespace_access_expr
+/* C# 9.0 */
+| 122 = @lt_pattern_expr
+| 123 = @gt_pattern_expr
+| 124 = @le_pattern_expr
+| 125 = @ge_pattern_expr
+| 126 = @not_pattern_expr
+| 127 = @and_pattern_expr
+| 128 = @or_pattern_expr
+| 129 = @function_pointer_invocation_expr
+| 130 = @with_expr
+/* Preprocessor */
+| 999 = @define_symbol_expr
+;
+
+@switch = @switch_stmt | @switch_expr;
+@case = @case_stmt | @switch_case_expr;
+@pattern_match = @case | @is_expr;
+@unary_pattern_expr = @not_pattern_expr;
+@relational_pattern_expr = @gt_pattern_expr | @lt_pattern_expr | @ge_pattern_expr | @le_pattern_expr;
+@binary_pattern_expr = @and_pattern_expr | @or_pattern_expr;
+
+@integer_literal_expr = @int_literal_expr | @long_literal_expr | @uint_literal_expr | @ulong_literal_expr;
+@real_literal_expr = @float_literal_expr | @double_literal_expr | @decimal_literal_expr;
+@literal_expr = @bool_literal_expr | @char_literal_expr | @integer_literal_expr | @real_literal_expr
+              | @string_literal_expr | @null_literal_expr;
+
+@assign_expr = @simple_assign_expr | @assign_op_expr | @local_var_decl_expr;
+@assign_op_expr =  @assign_arith_expr | @assign_bitwise_expr | @assign_event_expr | @assign_coalesce_expr;
+@assign_event_expr = @add_event_expr | @remove_event_expr;
+
+@assign_arith_expr = @assign_add_expr | @assign_sub_expr | @assign_mul_expr | @assign_div_expr
+                   | @assign_rem_expr
+@assign_bitwise_expr = @assign_and_expr | @assign_or_expr | @assign_xor_expr
+                   | @assign_lshift_expr | @assign_rshift_expr;
+
+@member_access_expr = @field_access_expr | @property_access_expr | @indexer_access_expr | @event_access_expr
+                    | @method_access_expr | @type_access_expr | @dynamic_member_access_expr;
+@access_expr = @member_access_expr | @this_access_expr | @base_access_expr | @assignable_access_expr | @namespace_access_expr;
+@element_access_expr = @indexer_access_expr | @array_access_expr | @dynamic_element_access_expr;
+
+@local_variable_access = @local_variable_access_expr | @local_var_decl_expr;
+@local_scope_variable_access_expr = @parameter_access_expr | @local_variable_access;
+@variable_access_expr = @local_scope_variable_access_expr | @field_access_expr;
+
+@assignable_access_expr = @variable_access_expr | @property_access_expr | @element_access_expr
+                        | @event_access_expr | @dynamic_member_access_expr;
+
+@objectorcollection_init_expr = @object_init_expr | @collection_init_expr;
+
+@delegate_creation_expr = @explicit_delegate_creation_expr | @implicit_delegate_creation_expr;
+
+@bin_arith_op_expr = @mul_expr | @div_expr | @rem_expr | @add_expr | @sub_expr;
+@incr_op_expr =  @pre_incr_expr | @post_incr_expr;
+@decr_op_expr =  @pre_decr_expr | @post_decr_expr;
+@mut_op_expr = @incr_op_expr | @decr_op_expr;
+@un_arith_op_expr = @plus_expr | @minus_expr | @mut_op_expr;
+@arith_op_expr = @bin_arith_op_expr | @un_arith_op_expr;
+
+@ternary_log_op_expr = @conditional_expr;
+@bin_log_op_expr = @log_and_expr | @log_or_expr | @null_coalescing_expr;
+@un_log_op_expr = @log_not_expr;
+@log_expr = @un_log_op_expr | @bin_log_op_expr | @ternary_log_op_expr;
+
+@bin_bit_op_expr =  @bit_and_expr | @bit_or_expr | @bit_xor_expr | @lshift_expr
+                 | @rshift_expr;
+@un_bit_op_expr = @bit_not_expr;
+@bit_expr = @un_bit_op_expr | @bin_bit_op_expr;
+
+@equality_op_expr =  @eq_expr | @ne_expr;
+@rel_op_expr = @gt_expr | @lt_expr| @ge_expr | @le_expr;
+@comp_expr = @equality_op_expr | @rel_op_expr;
+
+@op_expr = @assign_expr | @un_op | @bin_op | @ternary_op;
+
+@ternary_op = @ternary_log_op_expr;
+@bin_op = @bin_arith_op_expr | @bin_log_op_expr | @bin_bit_op_expr | @comp_expr;
+@un_op = @un_arith_op_expr | @un_log_op_expr | @un_bit_op_expr | @sizeof_expr
+       | @pointer_indirection_expr | @address_of_expr;
+
+@anonymous_function_expr = @lambda_expr | @anonymous_method_expr;
+
+@call = @method_invocation_expr | @constructor_init_expr | @operator_invocation_expr
+      | @delegate_invocation_expr | @object_creation_expr | @call_access_expr
+      | @local_function_invocation_expr | @function_pointer_invocation_expr;
+
+@call_access_expr = @property_access_expr | @event_access_expr | @indexer_access_expr;
+
+@late_bindable_expr = @dynamic_element_access_expr | @dynamic_member_access_expr
+                    | @object_creation_expr | @method_invocation_expr | @operator_invocation_expr;
+
+@throw_element = @throw_expr | @throw_stmt;
+
+@implicitly_typeable_object_creation_expr = @object_creation_expr | @explicit_delegate_creation_expr;
+
+implicitly_typed_array_creation(
+  unique int id: @array_creation_expr ref);
+
+explicitly_sized_array_creation(
+  unique int id: @array_creation_expr ref);
+
+stackalloc_array_creation(
+  unique int id: @array_creation_expr ref);
+
+implicitly_typed_object_creation(
+  unique int id: @implicitly_typeable_object_creation_expr ref);
+
+mutator_invocation_mode(
+  unique int id: @operator_invocation_expr ref,
+  int mode: int ref /* prefix = 1, postfix = 2*/);
+
+expr_compiler_generated(
+  unique int id: @expr ref);
+
+expr_value(
+  unique int id: @expr ref,
+  string value: string ref);
+
+expr_call(
+  unique int caller_id: @expr ref,
+  int target_id: @callable ref);
+
+expr_access(
+  unique int accesser_id: @access_expr ref,
+  int target_id: @accessible ref);
+
+@accessible = @method | @assignable | @local_function | @namespace;
+
+expr_location(
+  unique int id: @expr ref,
+  int loc: @location ref);
+
+dynamic_member_name(
+  unique int id: @late_bindable_expr ref,
+  string name: string ref);
+
+@qualifiable_expr = @member_access_expr
+                  | @method_invocation_expr
+                  | @element_access_expr;
+
+conditional_access(
+  unique int id: @qualifiable_expr ref);
+
+expr_argument(
+  unique int id: @expr ref,
+  int mode: int ref);
+  /* mode is the same as params: value = 0, ref = 1, out = 2 */
+
+expr_argument_name(
+  unique int id: @expr ref,
+  string name: string ref);
+
+/** CONTROL/DATA FLOW **/
+
+@control_flow_element = @stmt | @expr;
+
+/* XML Files */
+
+xmlEncoding  (
+  unique int id: @file ref,
+  string encoding: string ref);
+
+xmlDTDs(
+  unique int id: @xmldtd,
+  string root: string ref,
+  string publicId: string ref,
+  string systemId: string ref,
+  int fileid: @file ref);
+
+xmlElements(
+  unique int id: @xmlelement,
+  string name: string ref,
+  int parentid: @xmlparent ref,
+  int idx: int ref,
+  int fileid: @file ref);
+
+xmlAttrs(
+  unique int id: @xmlattribute,
+  int elementid: @xmlelement ref,
+  string name: string ref,
+  string value: string ref,
+  int idx: int ref,
+  int fileid: @file ref);
+
+xmlNs(
+  int id: @xmlnamespace,
+  string prefixName: string ref,
+  string URI: string ref,
+  int fileid: @file ref);
+
+xmlHasNs(
+  int elementId: @xmlnamespaceable ref,
+  int nsId: @xmlnamespace ref,
+  int fileid: @file ref);
+
+xmlComments(
+  unique int id: @xmlcomment,
+  string text: string ref,
+  int parentid: @xmlparent ref,
+  int fileid: @file ref);
+
+xmlChars(
+  unique int id: @xmlcharacters,
+  string text: string ref,
+  int parentid: @xmlparent ref,
+  int idx: int ref,
+  int isCDATA: int ref,
+  int fileid: @file ref);
+
+@xmlparent = @file | @xmlelement;
+@xmlnamespaceable = @xmlelement | @xmlattribute;
+
+xmllocations(
+  int xmlElement: @xmllocatable ref,
+  int location: @location_default ref);
+
+@xmllocatable = @xmlcharacters | @xmlelement | @xmlcomment | @xmlattribute | @xmldtd | @file | @xmlnamespace;
+
+/* Comments */
+
+commentline(
+  unique int id: @commentline,
+  int kind: int ref,
+  string text: string ref,
+  string rawtext: string ref);
+
+case @commentline.kind of
+  0 = @singlelinecomment
+| 1 = @xmldoccomment
+| 2 = @multilinecomment;
+
+commentline_location(
+  unique int id: @commentline ref,
+  int loc: @location ref);
+
+commentblock(
+  unique int id : @commentblock);
+
+commentblock_location(
+  unique int id: @commentblock ref,
+  int loc: @location ref);
+
+commentblock_binding(
+  int id: @commentblock ref,
+  int entity: @element ref,
+  int bindtype: int ref);    /* 0: Parent, 1: Best, 2: Before, 3: After */
+
+commentblock_child(
+  int id: @commentblock ref,
+  int commentline: @commentline ref,
+  int index: int ref);
+
+/* ASP.NET */
+
+case @asp_element.kind of
+  0=@asp_close_tag
+| 1=@asp_code
+| 2=@asp_comment
+| 3=@asp_data_binding
+| 4=@asp_directive
+| 5=@asp_open_tag
+| 6=@asp_quoted_string
+| 7=@asp_text
+| 8=@asp_xml_directive;
+
+@asp_attribute = @asp_code | @asp_data_binding | @asp_quoted_string;
+
+asp_elements(
+  unique int id: @asp_element,
+  int kind: int ref,
+  int loc: @location ref);
+
+asp_comment_server(unique int comment: @asp_comment ref);
+asp_code_inline(unique int code: @asp_code ref);
+asp_directive_attribute(
+  int directive: @asp_directive ref,
+  int index: int ref,
+  string name: string ref,
+  int value: @asp_quoted_string ref);
+asp_directive_name(
+  unique int directive: @asp_directive ref,
+  string name: string ref);
+asp_element_body(
+  unique int element: @asp_element ref,
+  string body: string ref);
+asp_tag_attribute(
+  int tag: @asp_open_tag ref,
+  int index: int ref,
+  string name: string ref,
+  int attribute: @asp_attribute ref);
+asp_tag_name(
+  unique int tag: @asp_open_tag ref,
+  string name: string ref);
+asp_tag_isempty(int tag: @asp_open_tag ref);
+
+/* Common Intermediate Language - CIL */
+
+case @cil_instruction.opcode of
+  0 = @cil_nop
+| 1 = @cil_break
+| 2 = @cil_ldarg_0
+| 3 = @cil_ldarg_1
+| 4 = @cil_ldarg_2
+| 5 = @cil_ldarg_3
+| 6 = @cil_ldloc_0
+| 7 = @cil_ldloc_1
+| 8 = @cil_ldloc_2
+| 9 = @cil_ldloc_3
+| 10 = @cil_stloc_0
+| 11 = @cil_stloc_1
+| 12 = @cil_stloc_2
+| 13 = @cil_stloc_3
+| 14 = @cil_ldarg_s
+| 15 = @cil_ldarga_s
+| 16 = @cil_starg_s
+| 17 = @cil_ldloc_s
+| 18 = @cil_ldloca_s
+| 19 = @cil_stloc_s
+| 20 = @cil_ldnull
+| 21 = @cil_ldc_i4_m1
+| 22 = @cil_ldc_i4_0
+| 23 = @cil_ldc_i4_1
+| 24 = @cil_ldc_i4_2
+| 25 = @cil_ldc_i4_3
+| 26 = @cil_ldc_i4_4
+| 27 = @cil_ldc_i4_5
+| 28 = @cil_ldc_i4_6
+| 29 = @cil_ldc_i4_7
+| 30 = @cil_ldc_i4_8
+| 31 = @cil_ldc_i4_s
+| 32 = @cil_ldc_i4
+| 33 = @cil_ldc_i8
+| 34 = @cil_ldc_r4
+| 35 = @cil_ldc_r8
+| 37 = @cil_dup
+| 38 = @cil_pop
+| 39 = @cil_jmp
+| 40 = @cil_call
+| 41 = @cil_calli
+| 42 = @cil_ret
+| 43 = @cil_br_s
+| 44 = @cil_brfalse_s
+| 45 = @cil_brtrue_s
+| 46 = @cil_beq_s
+| 47 = @cil_bge_s
+| 48 = @cil_bgt_s
+| 49 = @cil_ble_s
+| 50 = @cil_blt_s
+| 51 = @cil_bne_un_s
+| 52 = @cil_bge_un_s
+| 53 = @cil_bgt_un_s
+| 54 = @cil_ble_un_s
+| 55 = @cil_blt_un_s
+| 56 = @cil_br
+| 57 = @cil_brfalse
+| 58 = @cil_brtrue
+| 59 = @cil_beq
+| 60 = @cil_bge
+| 61 = @cil_bgt
+| 62 = @cil_ble
+| 63 = @cil_blt
+| 64 = @cil_bne_un
+| 65 = @cil_bge_un
+| 66 = @cil_bgt_un
+| 67 = @cil_ble_un
+| 68 = @cil_blt_un
+| 69 = @cil_switch
+| 70 = @cil_ldind_i1
+| 71 = @cil_ldind_u1
+| 72 = @cil_ldind_i2
+| 73 = @cil_ldind_u2
+| 74 = @cil_ldind_i4
+| 75 = @cil_ldind_u4
+| 76 = @cil_ldind_i8
+| 77 = @cil_ldind_i
+| 78 = @cil_ldind_r4
+| 79 = @cil_ldind_r8
+| 80 = @cil_ldind_ref
+| 81 = @cil_stind_ref
+| 82 = @cil_stind_i1
+| 83 = @cil_stind_i2
+| 84 = @cil_stind_i4
+| 85 = @cil_stind_i8
+| 86 = @cil_stind_r4
+| 87 = @cil_stind_r8
+| 88 = @cil_add
+| 89 = @cil_sub
+| 90 = @cil_mul
+| 91 = @cil_div
+| 92 = @cil_div_un
+| 93 = @cil_rem
+| 94 = @cil_rem_un
+| 95 = @cil_and
+| 96 = @cil_or
+| 97 = @cil_xor
+| 98 = @cil_shl
+| 99 = @cil_shr
+| 100 = @cil_shr_un
+| 101 = @cil_neg
+| 102 = @cil_not
+| 103 = @cil_conv_i1
+| 104 = @cil_conv_i2
+| 105 = @cil_conv_i4
+| 106 = @cil_conv_i8
+| 107 = @cil_conv_r4
+| 108 = @cil_conv_r8
+| 109 = @cil_conv_u4
+| 110 = @cil_conv_u8
+| 111 = @cil_callvirt
+| 112 = @cil_cpobj
+| 113 = @cil_ldobj
+| 114 = @cil_ldstr
+| 115 = @cil_newobj
+| 116 = @cil_castclass
+| 117 = @cil_isinst
+| 118 = @cil_conv_r_un
+| 121 = @cil_unbox
+| 122 = @cil_throw
+| 123 = @cil_ldfld
+| 124 = @cil_ldflda
+| 125 = @cil_stfld
+| 126 = @cil_ldsfld
+| 127 = @cil_ldsflda
+| 128 = @cil_stsfld
+| 129 = @cil_stobj
+| 130 = @cil_conv_ovf_i1_un
+| 131 = @cil_conv_ovf_i2_un
+| 132 = @cil_conv_ovf_i4_un
+| 133 = @cil_conv_ovf_i8_un
+| 134 = @cil_conv_ovf_u1_un
+| 135 = @cil_conv_ovf_u2_un
+| 136 = @cil_conv_ovf_u4_un
+| 137 = @cil_conv_ovf_u8_un
+| 138 = @cil_conv_ovf_i_un
+| 139 = @cil_conv_ovf_u_un
+| 140 = @cil_box
+| 141 = @cil_newarr
+| 142 = @cil_ldlen
+| 143 = @cil_ldelema
+| 144 = @cil_ldelem_i1
+| 145 = @cil_ldelem_u1
+| 146 = @cil_ldelem_i2
+| 147 = @cil_ldelem_u2
+| 148 = @cil_ldelem_i4
+| 149 = @cil_ldelem_u4
+| 150 = @cil_ldelem_i8
+| 151 = @cil_ldelem_i
+| 152 = @cil_ldelem_r4
+| 153 = @cil_ldelem_r8
+| 154 = @cil_ldelem_ref
+| 155 = @cil_stelem_i
+| 156 = @cil_stelem_i1
+| 157 = @cil_stelem_i2
+| 158 = @cil_stelem_i4
+| 159 = @cil_stelem_i8
+| 160 = @cil_stelem_r4
+| 161 = @cil_stelem_r8
+| 162 = @cil_stelem_ref
+| 163 = @cil_ldelem
+| 164 = @cil_stelem
+| 165 = @cil_unbox_any
+| 179 = @cil_conv_ovf_i1
+| 180 = @cil_conv_ovf_u1
+| 181 = @cil_conv_ovf_i2
+| 182 = @cil_conv_ovf_u2
+| 183 = @cil_conv_ovf_i4
+| 184 = @cil_conv_ovf_u4
+| 185 = @cil_conv_ovf_i8
+| 186 = @cil_conv_ovf_u8
+| 194 = @cil_refanyval
+| 195 = @cil_ckinfinite
+| 198 = @cil_mkrefany
+| 208 = @cil_ldtoken
+| 209 = @cil_conv_u2
+| 210 = @cil_conv_u1
+| 211 = @cil_conv_i
+| 212 = @cil_conv_ovf_i
+| 213 = @cil_conv_ovf_u
+| 214 = @cil_add_ovf
+| 215 = @cil_add_ovf_un
+| 216 = @cil_mul_ovf
+| 217 = @cil_mul_ovf_un
+| 218 = @cil_sub_ovf
+| 219 = @cil_sub_ovf_un
+| 220 = @cil_endfinally
+| 221 = @cil_leave
+| 222 = @cil_leave_s
+| 223 = @cil_stind_i
+| 224 = @cil_conv_u
+| 65024 = @cil_arglist
+| 65025 = @cil_ceq
+| 65026 = @cil_cgt
+| 65027 = @cil_cgt_un
+| 65028 = @cil_clt
+| 65029 = @cil_clt_un
+| 65030 = @cil_ldftn
+| 65031 = @cil_ldvirtftn
+| 65033 = @cil_ldarg
+| 65034 = @cil_ldarga
+| 65035 = @cil_starg
+| 65036 = @cil_ldloc
+| 65037 = @cil_ldloca
+| 65038 = @cil_stloc
+| 65039 = @cil_localloc
+| 65041 = @cil_endfilter
+| 65042 = @cil_unaligned
+| 65043 = @cil_volatile
+| 65044 = @cil_tail
+| 65045 = @cil_initobj
+| 65046 = @cil_constrained
+| 65047 = @cil_cpblk
+| 65048 = @cil_initblk
+| 65050 = @cil_rethrow
+| 65052 = @cil_sizeof
+| 65053 = @cil_refanytype
+| 65054 = @cil_readonly
+;
+
+// CIL ignored instructions
+
+@cil_ignore = @cil_nop | @cil_break | @cil_volatile | @cil_unaligned;
+
+// CIL local/parameter/field access
+
+@cil_ldarg_any = @cil_ldarg_0 | @cil_ldarg_1 | @cil_ldarg_2 | @cil_ldarg_3 | @cil_ldarg_s | @cil_ldarga_s | @cil_ldarg | @cil_ldarga;
+@cil_starg_any = @cil_starg | @cil_starg_s;
+
+@cil_ldloc_any = @cil_ldloc_0 | @cil_ldloc_1 | @cil_ldloc_2 | @cil_ldloc_3 | @cil_ldloc_s | @cil_ldloca_s | @cil_ldloc | @cil_ldloca;
+@cil_stloc_any = @cil_stloc_0 | @cil_stloc_1 | @cil_stloc_2 | @cil_stloc_3 | @cil_stloc_s | @cil_stloc;
+
+@cil_ldfld_any = @cil_ldfld | @cil_ldsfld | @cil_ldsflda | @cil_ldflda;
+@cil_stfld_any = @cil_stfld | @cil_stsfld;
+
+@cil_local_access = @cil_stloc_any | @cil_ldloc_any;
+@cil_arg_access = @cil_starg_any | @cil_ldarg_any;
+@cil_read_access = @cil_ldloc_any | @cil_ldarg_any | @cil_ldfld_any;
+@cil_write_access = @cil_stloc_any | @cil_starg_any | @cil_stfld_any;
+
+@cil_stack_access = @cil_local_access | @cil_arg_access;
+@cil_field_access = @cil_ldfld_any | @cil_stfld_any;
+
+@cil_access = @cil_read_access | @cil_write_access;
+
+// CIL constant/literal instructions
+
+@cil_ldc_i = @cil_ldc_i4_any | @cil_ldc_i8;
+
+@cil_ldc_i4_any = @cil_ldc_i4_m1 | @cil_ldc_i4_0 | @cil_ldc_i4_1 | @cil_ldc_i4_2 | @cil_ldc_i4_3 |
+  @cil_ldc_i4_4 | @cil_ldc_i4_5 | @cil_ldc_i4_6 | @cil_ldc_i4_7 | @cil_ldc_i4_8 | @cil_ldc_i4_s | @cil_ldc_i4;
+
+@cil_ldc_r = @cil_ldc_r4 | @cil_ldc_r8;
+
+@cil_literal = @cil_ldnull | @cil_ldc_i | @cil_ldc_r | @cil_ldstr;
+
+// Control flow
+
+@cil_conditional_jump = @cil_binary_jump | @cil_unary_jump;
+@cil_binary_jump = @cil_beq_s | @cil_bge_s | @cil_bgt_s | @cil_ble_s | @cil_blt_s |
+    @cil_bne_un_s | @cil_bge_un_s | @cil_bgt_un_s | @cil_ble_un_s | @cil_blt_un_s |
+    @cil_beq | @cil_bge | @cil_bgt | @cil_ble | @cil_blt |
+    @cil_bne_un | @cil_bge_un | @cil_bgt_un | @cil_ble_un | @cil_blt_un;
+@cil_unary_jump = @cil_brfalse_s | @cil_brtrue_s | @cil_brfalse | @cil_brtrue | @cil_switch;
+@cil_unconditional_jump = @cil_br | @cil_br_s | @cil_leave_any;
+@cil_leave_any = @cil_leave | @cil_leave_s;
+@cil_jump = @cil_unconditional_jump | @cil_conditional_jump;
+
+// CIL call instructions
+
+@cil_call_any = @cil_jmp | @cil_call | @cil_calli | @cil_tail | @cil_callvirt | @cil_newobj;
+
+// CIL expression instructions
+
+@cil_expr = @cil_literal | @cil_binary_expr | @cil_unary_expr | @cil_call_any | @cil_read_access |
+  @cil_newarr | @cil_ldtoken | @cil_sizeof |
+  @cil_ldftn | @cil_ldvirtftn | @cil_localloc | @cil_mkrefany | @cil_refanytype | @cil_arglist | @cil_dup;
+
+@cil_unary_expr =
+  @cil_conversion_operation | @cil_unary_arithmetic_operation | @cil_unary_bitwise_operation|
+  @cil_ldlen | @cil_isinst | @cil_box | @cil_ldobj | @cil_castclass | @cil_unbox_any |
+  @cil_ldind | @cil_unbox;
+
+@cil_conversion_operation =
+  @cil_conv_i1 | @cil_conv_i2 | @cil_conv_i4 | @cil_conv_i8 |
+  @cil_conv_u1 | @cil_conv_u2 | @cil_conv_u4 | @cil_conv_u8 |
+  @cil_conv_ovf_i | @cil_conv_ovf_i_un | @cil_conv_ovf_i1 | @cil_conv_ovf_i1_un |
+  @cil_conv_ovf_i2 | @cil_conv_ovf_i2_un | @cil_conv_ovf_i4 | @cil_conv_ovf_i4_un |
+  @cil_conv_ovf_i8 | @cil_conv_ovf_i8_un | @cil_conv_ovf_u | @cil_conv_ovf_u_un |
+  @cil_conv_ovf_u1 | @cil_conv_ovf_u1_un | @cil_conv_ovf_u2 | @cil_conv_ovf_u2_un |
+  @cil_conv_ovf_u4 | @cil_conv_ovf_u4_un | @cil_conv_ovf_u8 | @cil_conv_ovf_u8_un |
+  @cil_conv_r4 | @cil_conv_r8 | @cil_conv_ovf_u2 | @cil_conv_ovf_u2_un |
+  @cil_conv_i | @cil_conv_u | @cil_conv_r_un;
+
+@cil_ldind = @cil_ldind_i | @cil_ldind_i1 | @cil_ldind_i2 | @cil_ldind_i4 | @cil_ldind_i8 |
+  @cil_ldind_r4 | @cil_ldind_r8 | @cil_ldind_ref | @cil_ldind_u1 | @cil_ldind_u2 | @cil_ldind_u4;
+
+@cil_stind = @cil_stind_i | @cil_stind_i1 | @cil_stind_i2 | @cil_stind_i4 | @cil_stind_i8 |
+  @cil_stind_r4 | @cil_stind_r8 | @cil_stind_ref;
+
+@cil_bitwise_operation = @cil_binary_bitwise_operation | @cil_unary_bitwise_operation;
+
+@cil_binary_bitwise_operation = @cil_and | @cil_or | @cil_xor | @cil_shr | @cil_shr | @cil_shr_un | @cil_shl;
+
+@cil_binary_arithmetic_operation = @cil_add | @cil_sub | @cil_mul | @cil_div | @cil_div_un |
+  @cil_rem | @cil_rem_un | @cil_add_ovf | @cil_add_ovf_un | @cil_mul_ovf | @cil_mul_ovf_un |
+  @cil_sub_ovf | @cil_sub_ovf_un;
+
+@cil_unary_bitwise_operation = @cil_not;
+
+@cil_binary_expr = @cil_binary_arithmetic_operation | @cil_binary_bitwise_operation | @cil_read_array | @cil_comparison_operation;
+
+@cil_unary_arithmetic_operation = @cil_neg;
+
+@cil_comparison_operation = @cil_cgt_un | @cil_ceq | @cil_cgt | @cil_clt | @cil_clt_un;
+
+// Elements that retrieve an address of something
+@cil_read_ref = @cil_ldloca_s | @cil_ldarga_s | @cil_ldflda | @cil_ldsflda | @cil_ldelema;
+
+// CIL array instructions
+
+@cil_read_array =
+  @cil_ldelem | @cil_ldelema | @cil_ldelem_i1 | @cil_ldelem_ref | @cil_ldelem_i |
+  @cil_ldelem_i1 | @cil_ldelem_i2 | @cil_ldelem_i4 | @cil_ldelem_i8 | @cil_ldelem_r4 |
+  @cil_ldelem_r8 | @cil_ldelem_u1 | @cil_ldelem_u2 | @cil_ldelem_u4;
+
+@cil_write_array = @cil_stelem | @cil_stelem_ref |
+  @cil_stelem_i | @cil_stelem_i1 | @cil_stelem_i2 | @cil_stelem_i4 | @cil_stelem_i8 |
+  @cil_stelem_r4 | @cil_stelem_r8;
+
+@cil_throw_any = @cil_throw | @cil_rethrow;
+
+#keyset[impl, index]
+cil_instruction(
+  unique int id: @cil_instruction,
+  int opcode: int ref,
+  int index: int ref,
+  int impl: @cil_method_implementation ref);
+
+cil_jump(
+  unique int instruction: @cil_jump ref,
+  int target: @cil_instruction ref);
+
+cil_access(
+  unique int instruction: @cil_instruction ref,
+  int target: @cil_accessible ref);
+
+cil_value(
+  unique int instruction: @cil_literal ref,
+  string value: string ref);
+
+#keyset[instruction, index]
+cil_switch(
+  int instruction: @cil_switch ref,
+  int index: int ref,
+  int target: @cil_instruction ref);
+
+cil_instruction_location(
+  unique int id: @cil_instruction ref,
+  int loc: @location ref);
+
+cil_type_location(
+  int id: @cil_type ref,
+  int loc: @location ref);
+
+cil_method_location(
+  int id: @cil_method ref,
+  int loc: @location ref);
+
+@cil_namespace = @namespace;
+
+@cil_type_container = @cil_type | @cil_namespace | @cil_method;
+
+case @cil_type.kind of
+  0 = @cil_valueorreftype
+| 1 = @cil_typeparameter
+| 2 = @cil_array_type
+| 3 = @cil_pointer_type
+| 4 = @cil_function_pointer_type
+;
+
+cil_type(
+  unique int id: @cil_type,
+  string name: string ref,
+  int kind: int ref,
+  int parent: @cil_type_container ref,
+  int sourceDecl: @cil_type ref);
+
+cil_pointer_type(
+  unique int id: @cil_pointer_type ref,
+  int pointee: @cil_type ref);
+
+cil_array_type(
+  unique int id: @cil_array_type ref,
+  int element_type: @cil_type ref,
+  int rank: int ref);
+
+cil_function_pointer_return_type(
+  unique int id: @cil_function_pointer_type ref,
+  int return_type: @cil_type ref);
+
+cil_method(
+  unique int id: @cil_method,
+  string name: string ref,
+  int parent: @cil_type ref,
+  int return_type: @cil_type ref);
+
+cil_method_source_declaration(
+  unique int method: @cil_method ref,
+  int source: @cil_method ref);
+
+cil_method_implementation(
+  unique int id: @cil_method_implementation,
+  int method: @cil_method ref,
+  int location: @assembly ref);
+
+cil_implements(
+  int id: @cil_method ref,
+  int decl: @cil_method ref);
+
+#keyset[parent, name]
+cil_field(
+  unique int id: @cil_field,
+  int parent: @cil_type ref,
+  string name: string ref,
+  int field_type: @cil_type ref);
+
+@cil_element = @cil_instruction | @cil_declaration | @cil_handler | @cil_attribute | @cil_namespace;
+@cil_named_element = @cil_declaration | @cil_namespace;
+@cil_declaration = @cil_variable | @cil_method | @cil_type | @cil_member;
+@cil_accessible = @cil_declaration;
+@cil_variable = @cil_field | @cil_stack_variable;
+@cil_stack_variable = @cil_local_variable | @cil_parameter;
+@cil_member = @cil_method | @cil_type | @cil_field | @cil_property | @cil_event;
+@cil_custom_modifier_receiver = @cil_method | @cil_property | @cil_parameter | @cil_field | @cil_function_pointer_type;
+@cil_parameterizable = @cil_method | @cil_function_pointer_type;
+@cil_has_type_annotation = @cil_stack_variable | @cil_property | @cil_method | @cil_function_pointer_type;
+
+#keyset[parameterizable, index]
+cil_parameter(
+  unique int id: @cil_parameter,
+  int parameterizable: @cil_parameterizable ref,
+  int index: int ref,
+  int param_type: @cil_type ref);
+
+cil_parameter_in(unique int id: @cil_parameter ref);
+cil_parameter_out(unique int id: @cil_parameter ref);
+
+cil_setter(unique int prop: @cil_property ref,
+  int method: @cil_method ref);
+
+#keyset[id, modifier]
+cil_custom_modifiers(
+  int id: @cil_custom_modifier_receiver ref,
+  int modifier: @cil_type ref,
+  int kind: int ref); // modreq: 1, modopt: 0
+
+cil_type_annotation(
+  int id: @cil_has_type_annotation ref,
+  int annotation: int ref);
+
+cil_getter(unique int prop: @cil_property ref,
+  int method: @cil_method ref);
+
+cil_adder(unique int event: @cil_event ref,
+  int method: @cil_method ref);
+
+cil_remover(unique int event: @cil_event ref, int method: @cil_method ref);
+
+cil_raiser(unique int event: @cil_event ref, int method: @cil_method ref);
+
+cil_property(
+  unique int id: @cil_property,
+  int parent: @cil_type ref,
+  string name: string ref,
+  int property_type: @cil_type ref);
+
+#keyset[parent, name]
+cil_event(unique int id: @cil_event,
+  int parent: @cil_type ref,
+  string name: string ref,
+  int event_type: @cil_type ref);
+
+#keyset[impl, index]
+cil_local_variable(
+  unique int id: @cil_local_variable,
+  int impl: @cil_method_implementation ref,
+  int index: int ref,
+  int var_type: @cil_type ref);
+
+cil_function_pointer_calling_conventions(
+  int id: @cil_function_pointer_type ref,
+  int kind: int ref);
+
+// CIL handlers (exception handlers etc).
+
+case @cil_handler.kind of
+  0 = @cil_catch_handler
+| 1 = @cil_filter_handler
+| 2 = @cil_finally_handler
+| 4 = @cil_fault_handler
+;
+
+#keyset[impl, index]
+cil_handler(
+  unique int id: @cil_handler,
+  int impl: @cil_method_implementation ref,
+  int index: int ref,
+  int kind: int ref,
+  int try_start: @cil_instruction ref,
+  int try_end: @cil_instruction ref,
+  int handler_start: @cil_instruction ref);
+
+cil_handler_filter(
+  unique int id: @cil_handler ref,
+  int filter_start: @cil_instruction ref);
+
+cil_handler_type(
+  unique int id: @cil_handler ref,
+  int catch_type: @cil_type ref);
+
+@cil_controlflow_node = @cil_entry_point | @cil_instruction;
+
+@cil_entry_point = @cil_method_implementation | @cil_handler;
+
+@cil_dataflow_node = @cil_instruction | @cil_variable | @cil_method;
+
+cil_method_stack_size(
+  unique int method: @cil_method_implementation ref,
+  int size: int ref);
+
+// CIL modifiers
+
+cil_public(int id: @cil_member ref);
+cil_private(int id: @cil_member ref);
+cil_protected(int id: @cil_member ref);
+cil_internal(int id: @cil_member ref);
+cil_static(int id: @cil_member ref);
+cil_sealed(int id: @cil_member ref);
+cil_virtual(int id: @cil_method ref);
+cil_abstract(int id: @cil_member ref);
+cil_class(int id: @cil_type ref);
+cil_interface(int id: @cil_type ref);
+cil_security(int id: @cil_member ref);
+cil_requiresecobject(int id: @cil_method ref);
+cil_specialname(int id: @cil_method ref);
+cil_newslot(int id: @cil_method ref);
+
+cil_base_class(unique int id: @cil_type ref, int base: @cil_type ref);
+cil_base_interface(int id: @cil_type ref, int base: @cil_type ref);
+cil_enum_underlying_type(unique int id: @cil_type ref, int underlying: @cil_type ref);
+
+#keyset[unbound, index]
+cil_type_parameter(
+  int unbound: @cil_member ref,
+  int index: int ref,
+  int param: @cil_typeparameter ref);
+
+#keyset[bound, index]
+cil_type_argument(
+  int bound: @cil_member ref,
+  int index: int ref,
+  int t: @cil_type ref);
+
+// CIL type parameter constraints
+
+cil_typeparam_covariant(int tp: @cil_typeparameter ref);
+cil_typeparam_contravariant(int tp: @cil_typeparameter ref);
+cil_typeparam_class(int tp: @cil_typeparameter ref);
+cil_typeparam_struct(int tp: @cil_typeparameter ref);
+cil_typeparam_new(int tp: @cil_typeparameter ref);
+cil_typeparam_constraint(int tp: @cil_typeparameter ref, int supertype: @cil_type ref);
+
+// CIL attributes
+
+cil_attribute(
+  unique int attributeid: @cil_attribute,
+  int element: @cil_declaration ref,
+  int constructor: @cil_method ref);
+
+#keyset[attribute_id, param]
+cil_attribute_named_argument(
+  int attribute_id: @cil_attribute ref,
+  string param: string ref,
+  string value: string ref);
+
+#keyset[attribute_id, index]
+cil_attribute_positional_argument(
+  int attribute_id: @cil_attribute ref,
+  int index: int ref,
+  string value: string ref);
+
+
+// Common .Net data model covering both C# and CIL
+
+// Common elements
+@dotnet_element = @element | @cil_element;
+@dotnet_named_element = @named_element | @cil_named_element;
+@dotnet_callable = @callable | @cil_method;
+@dotnet_variable = @variable | @cil_variable;
+@dotnet_field = @field | @cil_field;
+@dotnet_parameter = @parameter | @cil_parameter;
+@dotnet_declaration = @declaration | @cil_declaration;
+@dotnet_member = @member | @cil_member;
+@dotnet_event = @event | @cil_event;
+@dotnet_property = @property | @cil_property | @indexer;
+@dotnet_parameterizable = @parameterizable | @cil_parameterizable;
+
+// Common types
+@dotnet_type = @type | @cil_type;
+@dotnet_call = @call | @cil_call_any;
+@dotnet_throw = @throw_element | @cil_throw_any;
+@dotnet_valueorreftype = @cil_valueorreftype | @value_or_ref_type | @cil_array_type | @void_type;
+@dotnet_typeparameter = @type_parameter | @cil_typeparameter;
+@dotnet_array_type = @array_type | @cil_array_type;
+@dotnet_pointer_type = @pointer_type | @cil_pointer_type;
+@dotnet_type_parameter = @type_parameter | @cil_typeparameter;
+@dotnet_generic = @dotnet_valueorreftype | @dotnet_callable;
+
+// Attributes
+@dotnet_attribute = @attribute | @cil_attribute;
+
+// Expressions
+@dotnet_expr = @expr | @cil_expr;
+
+// Literals
+@dotnet_literal = @literal_expr | @cil_literal;
+@dotnet_string_literal = @string_literal_expr | @cil_ldstr;
+@dotnet_int_literal = @integer_literal_expr | @cil_ldc_i;
+@dotnet_float_literal = @float_literal_expr | @cil_ldc_r;
+@dotnet_null_literal = @null_literal_expr | @cil_ldnull;
+
+@metadata_entity = @cil_method | @cil_type | @cil_field | @cil_property | @field | @property |
+    @callable | @value_or_ref_type | @void_type;
+
+#keyset[entity, location]
+metadata_handle(int entity : @metadata_entity ref, int location: @assembly ref, int handle: int ref)
diff --git a/csharp/upgrades/9258e9b38d85f92cee9559f2ed21e241f0c7a29e/upgrade.properties b/csharp/upgrades/9258e9b38d85f92cee9559f2ed21e241f0c7a29e/upgrade.properties
new file mode 100644
index 00000000000..64b44aecc3c
--- /dev/null
+++ b/csharp/upgrades/9258e9b38d85f92cee9559f2ed21e241f0c7a29e/upgrade.properties
@@ -0,0 +1,2 @@
+description: Removed unique base class constraint
+compatibility: backwards

From d27316eb3e7227930e966d7eba441496e4281dad Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <jonathan.leitschuh@gmail.com>
Date: Mon, 10 May 2021 11:55:31 -0400
Subject: [PATCH 0983/1429] Apply suggestions from code review

Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
---
 java/change-notes/2021-05-05-kryo-improvements.md               | 2 +-
 java/ql/src/semmle/code/java/frameworks/Kryo.qll                | 2 +-
 java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/java/change-notes/2021-05-05-kryo-improvements.md b/java/change-notes/2021-05-05-kryo-improvements.md
index f8ba79eb863..5b39d1daae0 100644
--- a/java/change-notes/2021-05-05-kryo-improvements.md
+++ b/java/change-notes/2021-05-05-kryo-improvements.md
@@ -1,3 +1,3 @@
 lgtm,codescanning
 * Add support for version 5 of the Kryo serialzation/deserialization framework.
-* Add support for detecting safe uses of Kryo utilizing `KryoPool.Builder. (#4992)[https://github.com/github/codeql/issues/4992]
+* Add support for detecting safe uses of Kryo utilizing `KryoPool.Builder`. [#4992](https://github.com/github/codeql/issues/4992)
diff --git a/java/ql/src/semmle/code/java/frameworks/Kryo.qll b/java/ql/src/semmle/code/java/frameworks/Kryo.qll
index 16873fc751f..317148d56b5 100644
--- a/java/ql/src/semmle/code/java/frameworks/Kryo.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Kryo.qll
@@ -47,7 +47,7 @@ class KryoPoolBuilder extends RefType {
 }
 
 /**
- * A Kryo pool builder method used a fluent API call chain.
+ * A Kryo pool builder method used in a fluent API call chain.
  */
 class KryoPoolBuilderMethod extends Method {
   KryoPoolBuilderMethod() {
diff --git a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
index def37c0964e..a1561c0e6cd 100644
--- a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
+++ b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
@@ -57,7 +57,7 @@ class SafeKryo extends DataFlow2::Configuration {
   }
 
   /**
-   * Holds when a funcitonal expression is used to create a `KryoPool.Builder`.
+   * Holds when a functional expression is used to create a `KryoPool.Builder`.
    * Eg. `new KryoPool.Builder(() -> new Kryo())`
    */
   private predicate stepKryoPoolBuilderFactoryArgToConstructor(

From 2e098f050e07a5647001e98694b83a13470b74e7 Mon Sep 17 00:00:00 2001
From: Marcono1234 <Marcono1234@users.noreply.github.com>
Date: Mon, 10 May 2021 18:33:07 +0200
Subject: [PATCH 0984/1429] Java: Ignore char array based closeables for
 CloseReader.ql and CloseWriter.ql

---
 java/ql/src/Likely Bugs/Resource Leaks/CloseReader.qhelp | 2 +-
 java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql    | 7 ++-----
 java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.qhelp | 2 +-
 java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.ql    | 8 ++------
 4 files changed, 6 insertions(+), 13 deletions(-)

diff --git a/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.qhelp b/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.qhelp
index b0ded8e53a1..e5574bfc179 100644
--- a/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.qhelp	
+++ b/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.qhelp	
@@ -14,7 +14,7 @@ but not closed may cause a resource leak.
 
 <p>Ensure that the resource is always closed to avoid a resource leak. Note that, because of exceptions,
 it is safest to close a resource in a <code>finally</code> block. (However, this is unnecessary for
-subclasses of <code>StringReader</code> and <code>ByteArrayInputStream</code>.)
+subclasses of <code>CharArrayReader</code>, <code>StringReader</code> and <code>ByteArrayInputStream</code>.)
 </p>
 
 <p>For Java 7 or later, the recommended way to close resources that implement <code>java.lang.AutoCloseable</code>
diff --git a/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql b/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql
index 9d62237bd71..5993bd1de2b 100644
--- a/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql	
+++ b/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql	
@@ -17,17 +17,14 @@ import CloseType
 
 predicate readerType(RefType t) {
   exists(RefType sup | sup = t.getASupertype*() |
-    sup.hasName("Reader") or
-    sup.hasName("InputStream") or
+    sup.hasName(["Reader", "InputStream"]) or
     sup.hasQualifiedName("java.util.zip", "ZipFile")
   )
 }
 
 predicate safeReaderType(RefType t) {
   exists(RefType sup | sup = t.getASupertype*() |
-    sup.hasName("StringReader") or
-    sup.hasName("ByteArrayInputStream") or
-    sup.hasName("StringInputStream")
+    sup.hasName(["CharArrayReader", "StringReader", "ByteArrayInputStream"])
   )
 }
 
diff --git a/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.qhelp b/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.qhelp
index 0b348a3f9b8..84a50f914f7 100644
--- a/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.qhelp	
+++ b/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.qhelp	
@@ -14,7 +14,7 @@ but not properly closed later may cause a resource leak.
 
 <p>Ensure that the resource is always closed to avoid a resource leak. Note that, because of exceptions,
 it is safest to close a resource properly in a <code>finally</code> block. (However, this is unnecessary for
-subclasses of <code>StringWriter</code> and <code>ByteArrayOutputStream</code>.)</p>
+subclasses of <code>CharArrayWriter</code>, <code>StringWriter</code> and <code>ByteArrayOutputStream</code>.)</p>
 
 <p>For Java 7 or later, the recommended way to close resources that implement <code>java.lang.AutoCloseable</code>
 is to declare them within a <code>try-with-resources</code> statement, so that they are closed implicitly.</p>
diff --git a/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.ql b/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.ql
index 113f3bd3267..824951f86f5 100644
--- a/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.ql	
+++ b/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.ql	
@@ -16,16 +16,12 @@
 import CloseType
 
 predicate writerType(RefType t) {
-  exists(RefType sup | sup = t.getASupertype*() |
-    sup.hasName("Writer") or
-    sup.hasName("OutputStream")
-  )
+  exists(RefType sup | sup = t.getASupertype*() | sup.hasName(["Writer", "OutputStream"]))
 }
 
 predicate safeWriterType(RefType t) {
   exists(RefType sup | sup = t.getASupertype*() |
-    sup.hasName("StringWriter") or
-    sup.hasName("ByteArrayOutputStream")
+    sup.hasName(["CharArrayWriter", "StringWriter", "ByteArrayOutputStream"])
   )
 }
 

From f85aff869c0bc802d17bdc1622646722fa7a281f Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Mon, 10 May 2021 16:37:23 -0400
Subject: [PATCH 0985/1429] Java: Fix PR feedback

---
 java/ql/src/semmle/code/FileSystem.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/semmle/code/FileSystem.qll b/java/ql/src/semmle/code/FileSystem.qll
index 708348b85f5..986677dd2f0 100755
--- a/java/ql/src/semmle/code/FileSystem.qll
+++ b/java/ql/src/semmle/code/FileSystem.qll
@@ -148,8 +148,8 @@ class Container extends @container, Top {
   /**
    * Gets a textual representation of this container.
    *
-   * The default implementation returns the absolute path to the container, but subclasses may
-   * may override to provide a different result. To get the absolute path for any `Container`, call
+   * The default implementation gets the absolute path to the container, but subclasses may override
+   * to provide a different result. To get the absolute path of any `Container`, call
    * `Container.getAbsolutePath()` directly.
    */
   override string toString() { result = getAbsolutePath() }

From 54f191cfe37e136bcc7189b2fb01f44dbb01758b Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 11 May 2021 11:23:03 +0200
Subject: [PATCH 0986/1429] add support for rejected promise values in API
 graphs

---
 .../ql/src/semmle/javascript/ApiGraphs.qll    | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/ApiGraphs.qll b/javascript/ql/src/semmle/javascript/ApiGraphs.qll
index 385dc1e76d3..590142590a4 100644
--- a/javascript/ql/src/semmle/javascript/ApiGraphs.qll
+++ b/javascript/ql/src/semmle/javascript/ApiGraphs.qll
@@ -183,6 +183,11 @@ module API {
      */
     Node getPromised() { result = getASuccessor(Label::promised()) }
 
+    /**
+     * Gets a node representing the error wrapped in the `Promise` object represented by this node.
+     */
+    Node getPromisedError() { result = getASuccessor(Label::promisedError()) }
+
     /**
      * Gets a string representation of the lexicographically least among all shortest access paths
      * from the root to this node.
@@ -468,6 +473,9 @@ module API {
           or
           lbl = Label::promised() and
           PromiseFlow::storeStep(rhs, pred, Promises::valueProp())
+          or
+          lbl = Label::promisedError() and
+          PromiseFlow::storeStep(rhs, pred, Promises::errorProp())
         )
         or
         exists(DataFlow::ClassNode cls, string name |
@@ -482,6 +490,12 @@ module API {
           rhs = f.getAReturn()
         )
         or
+        exists(DataFlow::FunctionNode f |
+          base = MkAsyncFuncResult(f) and
+          lbl = Label::promisedError() and
+          rhs = f.getExceptionalReturn()
+        )
+        or
         exists(int i |
           lbl = Label::parameter(i) and
           argumentPassing(base, i, rhs)
@@ -559,6 +573,9 @@ module API {
           or
           lbl = Label::promised() and
           PromiseFlow::loadStep(pred, ref, Promises::valueProp())
+          or
+          lbl = Label::promisedError() and
+          PromiseFlow::loadStep(pred, ref, Promises::errorProp())
         )
         or
         exists(DataFlow::Node def, DataFlow::FunctionNode fn |
@@ -962,6 +979,9 @@ private module Label {
 
   /** Gets the `promised` edge label connecting a promise to its contained value. */
   string promised() { result = "promised" }
+
+  /** Gets the `promisedError` edge label connecting a promise to its rejected value. */
+  string promisedError() { result = "promisedError" }
 }
 
 private class NodeModuleSourcesNodes extends DataFlow::SourceNode::Range {

From 52991dc4a1ec07410fa2818776f756c12418f707 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 11 May 2021 11:23:51 +0200
Subject: [PATCH 0987/1429] rewrite the axios model to use API graphs

---
 .../javascript/frameworks/ClientRequests.qll  | 23 +++++++------------
 1 file changed, 8 insertions(+), 15 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
index 451ad3f24d2..78f7ec92a16 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -206,19 +206,14 @@ module ClientRequest {
   /**
    * A model of a URL request made using the `axios` library.
    */
-  class AxiosUrlRequest extends ClientRequest::Range {
+  class AxiosUrlRequest extends ClientRequest::Range, API::CallNode {
     string method;
 
     AxiosUrlRequest() {
-      exists(string moduleName, DataFlow::SourceNode callee | this = callee.getACall() |
-        moduleName = "axios" and
-        (
-          callee = DataFlow::moduleImport(moduleName) and method = "request"
-          or
-          callee = DataFlow::moduleMember(moduleName, method) and
-          (method = httpMethodName() or method = "request")
-        )
-      )
+      this = API::moduleImport("axios").getACall() and method = "request"
+      or
+      this = API::moduleImport("axios").getMember(method).getACall() and
+      method = [httpMethodName(), "request"]
     }
 
     private int getOptionsArgIndex() {
@@ -247,12 +242,10 @@ module ClientRequest {
       method = "request" and
       result = getOptionArgument(0, "data")
       or
-      (method = "post" or method = "put" or method = "put") and
-      (result = getArgument(1) or result = getOptionArgument(2, "data"))
+      method = ["post", "put", "put"] and
+      result = [getArgument(1), getOptionArgument(2, "data")]
       or
-      exists(string name | name = "headers" or name = "params" |
-        result = getOptionArgument([0 .. 2], name)
-      )
+      result = getOptionArgument([0 .. 2], ["headers", "params"])
     }
 
     /** Gets the response type from the options passed in. */

From 99e98419dc3e38c06c2cf6ec6136d88efeae7af6 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 11 May 2021 11:24:21 +0200
Subject: [PATCH 0988/1429] add support for error values in an axios client
 request

---
 .../semmle/javascript/frameworks/ClientRequests.qll |  5 +++++
 .../ClientRequests/ClientRequests.expected          |  5 +++++
 .../library-tests/frameworks/ClientRequests/tst.js  | 13 +++++++++++++
 3 files changed, 23 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
index 78f7ec92a16..477f9354d03 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -268,6 +268,11 @@ module ClientRequest {
       responseType = getResponseType() and
       promise = true and
       result = this
+      or
+      responseType = getResponseType() and
+      promise = false and
+      result =
+        getReturn().getPromisedError().getMember("response").getMember("data").getAnImmediateUse()
     }
   }
 
diff --git a/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected b/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected
index e448b888e12..c6542eb009d 100644
--- a/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected
+++ b/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected
@@ -87,6 +87,7 @@ test_ClientRequest
 | tst.js:271:3:271:61 | proxy.w ... 080' }) |
 | tst.js:274:1:283:2 | httpPro ... true\\n}) |
 | tst.js:286:20:286:55 | new Web ... :8080') |
+| tst.js:296:5:299:6 | axios({ ... \\n    }) |
 test_getADataNode
 | tst.js:53:5:53:23 | axios({data: data}) | tst.js:53:18:53:21 | data |
 | tst.js:57:5:57:39 | axios.p ... data2}) | tst.js:57:19:57:23 | data1 |
@@ -227,6 +228,8 @@ test_getUrl
 | tst.js:271:3:271:61 | proxy.w ... 080' }) | tst.js:271:33:271:58 | 'http:/ ... m:8080' |
 | tst.js:274:1:283:2 | httpPro ... true\\n}) | tst.js:275:13:281:5 | {\\n      ... ,\\n    } |
 | tst.js:286:20:286:55 | new Web ... :8080') | tst.js:286:34:286:54 | 'ws://l ... t:8080' |
+| tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:296:11:299:5 | {\\n      ... ,\\n    } |
+| tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:298:14:298:44 | "http:/ ... -axios" |
 test_getAResponseDataNode
 | tst.js:19:5:19:23 | requestPromise(url) | tst.js:19:5:19:23 | requestPromise(url) | text | true |
 | tst.js:21:5:21:23 | superagent.get(url) | tst.js:21:5:21:23 | superagent.get(url) | stream | true |
@@ -294,3 +297,5 @@ test_getAResponseDataNode
 | tst.js:235:5:237:6 | needle. ... \\n    }) | tst.js:235:67:235:70 | resp | fetch.response | false |
 | tst.js:235:5:237:6 | needle. ... \\n    }) | tst.js:235:73:235:76 | body | json | false |
 | tst.js:286:20:286:55 | new Web ... :8080') | tst.js:291:44:291:53 | event.data | json | false |
+| tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:296:5:299:6 | axios({ ... \\n    }) | json | true |
+| tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:303:26:303:42 | err.response.data | json | false |
diff --git a/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js b/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js
index bc15565c072..f284ffaa407 100644
--- a/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js
+++ b/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js
@@ -290,4 +290,17 @@ function webSocket() {
     socket.addEventListener('message', function (event) {
         console.log("Data from server: " + event.data);
     });
+}
+
+function moreAxios() {
+    axios({
+        method: 'GET',
+        url: "http://example.org/more-axios",
+    }).then(
+        x => res.send(x.data),
+        (err) => {
+            const status = err.response.status;
+            const data = err.response.data;
+        }
+    );
 }
\ No newline at end of file

From 717070c7e439a1d99512a1f4238d157daef4cbc3 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 11 May 2021 13:11:35 +0200
Subject: [PATCH 0989/1429] Fix/cleanup passed and default arguments values

---
 .../Entities/Types/FunctionPointerType.cs      |  2 +-
 .../Entities/Types/TupleType.cs                |  2 +-
 .../SymbolExtensions.cs                        | 18 +++++++++---------
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/FunctionPointerType.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/FunctionPointerType.cs
index 37ba909ec46..4c3ab516172 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/FunctionPointerType.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/FunctionPointerType.cs
@@ -13,7 +13,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void WriteId(EscapingTextWriter trapFile)
         {
-            Symbol.BuildTypeId(Context, trapFile, Symbol);
+            Symbol.BuildTypeId(Context, trapFile, Symbol, constructUnderlyingTupleType: false);
             trapFile.Write(";functionpointertype");
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TupleType.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TupleType.cs
index ddbf1ac52a6..56db07671d7 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TupleType.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Types/TupleType.cs
@@ -32,7 +32,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void WriteId(EscapingTextWriter trapFile)
         {
-            Symbol.BuildTypeId(Context, trapFile, Symbol);
+            Symbol.BuildTypeId(Context, trapFile, Symbol, constructUnderlyingTupleType: false);
             trapFile.Write(";tuple");
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs b/csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs
index 91f0d0edf20..0bda977a6d5 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs
@@ -158,7 +158,7 @@ namespace Semmle.Extraction.CSharp
         /// <param name="trapFile">The trap builder used to store the result.</param>
         /// <param name="symbolBeingDefined">The outer symbol being defined (to avoid recursive ids).</param>
         /// <param name="constructUnderlyingTupleType">Whether to build a type ID for the underlying `System.ValueTuple` struct in the case of tuple types.</param>
-        public static void BuildTypeId(this ITypeSymbol type, Context cx, EscapingTextWriter trapFile, ISymbol symbolBeingDefined, bool constructUnderlyingTupleType = false)
+        public static void BuildTypeId(this ITypeSymbol type, Context cx, EscapingTextWriter trapFile, ISymbol symbolBeingDefined, bool constructUnderlyingTupleType)
         {
             using (cx.StackGuard)
             {
@@ -166,7 +166,7 @@ namespace Semmle.Extraction.CSharp
                 {
                     case TypeKind.Array:
                         var array = (IArrayTypeSymbol)type;
-                        array.ElementType.BuildOrWriteId(cx, trapFile, symbolBeingDefined);
+                        array.ElementType.BuildOrWriteId(cx, trapFile, symbolBeingDefined, constructUnderlyingTupleType: false);
                         array.BuildArraySuffix(trapFile);
                         return;
                     case TypeKind.Class:
@@ -180,12 +180,12 @@ namespace Semmle.Extraction.CSharp
                         return;
                     case TypeKind.Pointer:
                         var ptr = (IPointerTypeSymbol)type;
-                        ptr.PointedAtType.BuildOrWriteId(cx, trapFile, symbolBeingDefined);
+                        ptr.PointedAtType.BuildOrWriteId(cx, trapFile, symbolBeingDefined, constructUnderlyingTupleType: false);
                         trapFile.Write('*');
                         return;
                     case TypeKind.TypeParameter:
                         var tp = (ITypeParameterSymbol)type;
-                        tp.ContainingSymbol.BuildOrWriteId(cx, trapFile, symbolBeingDefined);
+                        tp.ContainingSymbol.BuildOrWriteId(cx, trapFile, symbolBeingDefined, constructUnderlyingTupleType: false);
                         trapFile.Write('_');
                         trapFile.Write(tp.Name);
                         return;
@@ -202,7 +202,7 @@ namespace Semmle.Extraction.CSharp
             }
         }
 
-        private static void BuildOrWriteId(this ISymbol? symbol, Context cx, EscapingTextWriter trapFile, ISymbol symbolBeingDefined, bool constructUnderlyingTupleType = false)
+        private static void BuildOrWriteId(this ISymbol? symbol, Context cx, EscapingTextWriter trapFile, ISymbol symbolBeingDefined, bool constructUnderlyingTupleType)
         {
             if (symbol is null)
             {
@@ -245,7 +245,7 @@ namespace Semmle.Extraction.CSharp
         /// <paramref name="symbol" />.
         /// </summary>
         public static void BuildOrWriteId(this ISymbol? symbol, Context cx, EscapingTextWriter trapFile, ISymbol symbolBeingDefined) =>
-            symbol.BuildOrWriteId(cx, trapFile, symbolBeingDefined, true);
+            symbol.BuildOrWriteId(cx, trapFile, symbolBeingDefined, constructUnderlyingTupleType: false);
 
         /// <summary>
         /// Constructs an array suffix string for this array type symbol.
@@ -292,7 +292,7 @@ namespace Semmle.Extraction.CSharp
                     {
                         trapFile.Write((f.CorrespondingTupleField ?? f).Name);
                         trapFile.Write(":");
-                        f.Type.BuildOrWriteId(cx, trapFile, symbolBeingDefined);
+                        f.Type.BuildOrWriteId(cx, trapFile, symbolBeingDefined, constructUnderlyingTupleType: false);
                     }
                     );
                 trapFile.Write(")");
@@ -303,7 +303,7 @@ namespace Semmle.Extraction.CSharp
             {
                 if (named.ContainingType is not null)
                 {
-                    named.ContainingType.BuildOrWriteId(cx, trapFile, symbolBeingDefined);
+                    named.ContainingType.BuildOrWriteId(cx, trapFile, symbolBeingDefined, constructUnderlyingTupleType: false);
                     trapFile.Write('.');
                 }
                 else if (named.ContainingNamespace is not null)
@@ -335,7 +335,7 @@ namespace Semmle.Extraction.CSharp
                 // a constructed type with different nullability of its members and methods,
                 // so we need to create a distinct database entity for it.
                 trapFile.BuildList(",", named.GetAnnotatedTypeArguments(),
-                    ta => ta.Symbol.BuildOrWriteId(cx, trapFile, symbolBeingDefined)
+                    ta => ta.Symbol.BuildOrWriteId(cx, trapFile, symbolBeingDefined, constructUnderlyingTupleType: false)
                     );
                 trapFile.Write('>');
             }

From 24d8abd2c2337aa21c048fe4f1cffed5b55cb41a Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 11 May 2021 14:27:53 +0200
Subject: [PATCH 0990/1429] C++: Add false positive testcase when an absolute
 value is used in comparison.

---
 .../semmle/tainted/ArithmeticTainted.expected        |  4 ++++
 .../Security/CWE/CWE-190/semmle/tainted/test5.cpp    | 12 ++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
index bdf00e0a5df..ee55beac3a2 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
@@ -3,6 +3,10 @@
 | test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
+| test5.cpp:30:17:30:23 | tainted | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
+| test5.cpp:30:17:30:23 | tainted | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
+| test5.cpp:30:27:30:33 | tainted | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
+| test5.cpp:30:27:30:33 | tainted | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:11:29:11:32 | argv | User-provided value |
 | test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:11:29:11:32 | argv | User-provided value |
 | test.c:44:7:44:10 | len2 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:41:17:41:20 | argv | User-provided value |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp
index 527c603d1b8..de0baa93bb1 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp
@@ -18,3 +18,15 @@ void useTaintedInt()
 	y = getTaintedInt();
 	y = y * 1024; // BAD: arithmetic on a tainted value
 }
+
+typedef long long int intmax_t;
+
+intmax_t imaxabs(intmax_t j);
+
+void useTaintedIntWithGuard() {
+	int tainted = getTaintedInt();
+
+	if(imaxabs(tainted) <= 100) {
+		int product = tainted * tainted; // GOOD: can't underflow/overflow [FALSE POSITIVE]
+	}
+}
\ No newline at end of file

From 0d9a85ca6b30511e41c1924161fae2193cec3b71 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <jonathan.leitschuh@gmail.com>
Date: Tue, 11 May 2021 08:29:50 -0400
Subject: [PATCH 0991/1429] Update
 java/change-notes/2021-05-05-kryo-improvements.md

Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
---
 java/change-notes/2021-05-05-kryo-improvements.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/change-notes/2021-05-05-kryo-improvements.md b/java/change-notes/2021-05-05-kryo-improvements.md
index 5b39d1daae0..dbacb10099b 100644
--- a/java/change-notes/2021-05-05-kryo-improvements.md
+++ b/java/change-notes/2021-05-05-kryo-improvements.md
@@ -1,3 +1,3 @@
 lgtm,codescanning
-* Add support for version 5 of the Kryo serialzation/deserialization framework.
+* Add support for version 5 of the Kryo serialization/deserialization framework.
 * Add support for detecting safe uses of Kryo utilizing `KryoPool.Builder`. [#4992](https://github.com/github/codeql/issues/4992)

From 48e783184cd82692208d21d6286deeb38924804f Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 11 May 2021 14:30:28 +0200
Subject: [PATCH 0992/1429] C++: Fix false positive by recognizing more
 absolute value functions in Overflow.qll

---
 cpp/ql/src/semmle/code/cpp/security/Overflow.qll              | 2 +-
 .../CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected     | 4 ----
 .../query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp | 2 +-
 3 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/security/Overflow.qll b/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
index 6cf82791d52..b8ed406cb4a 100644
--- a/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Overflow.qll
@@ -12,7 +12,7 @@ import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
  * Holds if the value of `use` is guarded using `abs`.
  */
 predicate guardedAbs(Operation e, Expr use) {
-  exists(FunctionCall fc | fc.getTarget().getName() = "abs" |
+  exists(FunctionCall fc | fc.getTarget().getName() = ["abs", "labs", "llabs", "imaxabs"] |
     fc.getArgument(0).getAChild*() = use and
     guardedLesser(e, fc)
   )
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
index ee55beac3a2..bdf00e0a5df 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
@@ -3,10 +3,6 @@
 | test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test5.cpp:19:6:19:6 | y | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:30:17:30:23 | tainted | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:30:17:30:23 | tainted | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:30:27:30:33 | tainted | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:30:27:30:33 | tainted | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
 | test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:11:29:11:32 | argv | User-provided value |
 | test.c:14:15:14:28 | maxConnections | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:11:29:11:32 | argv | User-provided value |
 | test.c:44:7:44:10 | len2 | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:41:17:41:20 | argv | User-provided value |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp
index de0baa93bb1..92eb71ad541 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp
@@ -27,6 +27,6 @@ void useTaintedIntWithGuard() {
 	int tainted = getTaintedInt();
 
 	if(imaxabs(tainted) <= 100) {
-		int product = tainted * tainted; // GOOD: can't underflow/overflow [FALSE POSITIVE]
+		int product = tainted * tainted; // GOOD: can't underflow/overflow
 	}
 }
\ No newline at end of file

From d66506b0a388f40634f80318a4e8faedcf5909e7 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Tue, 11 May 2021 14:40:10 +0200
Subject: [PATCH 0993/1429] Data flow: Rename `{Argument,Parameter}NodeExt` to
 `{Arg,Param}Node`

---
 .../cpp/dataflow/internal/DataFlowImpl.qll    | 112 ++++++++----------
 .../cpp/dataflow/internal/DataFlowImpl2.qll   | 112 ++++++++----------
 .../cpp/dataflow/internal/DataFlowImpl3.qll   | 112 ++++++++----------
 .../cpp/dataflow/internal/DataFlowImpl4.qll   | 112 ++++++++----------
 .../dataflow/internal/DataFlowImplCommon.qll  |  94 +++++++--------
 .../dataflow/internal/DataFlowImplLocal.qll   | 112 ++++++++----------
 .../cpp/ir/dataflow/internal/DataFlowImpl.qll | 112 ++++++++----------
 .../ir/dataflow/internal/DataFlowImpl2.qll    | 112 ++++++++----------
 .../ir/dataflow/internal/DataFlowImpl3.qll    | 112 ++++++++----------
 .../ir/dataflow/internal/DataFlowImpl4.qll    | 112 ++++++++----------
 .../dataflow/internal/DataFlowImplCommon.qll  |  94 +++++++--------
 .../csharp/dataflow/internal/DataFlowImpl.qll | 112 ++++++++----------
 .../dataflow/internal/DataFlowImpl2.qll       | 112 ++++++++----------
 .../dataflow/internal/DataFlowImpl3.qll       | 112 ++++++++----------
 .../dataflow/internal/DataFlowImpl4.qll       | 112 ++++++++----------
 .../dataflow/internal/DataFlowImpl5.qll       | 112 ++++++++----------
 .../dataflow/internal/DataFlowImplCommon.qll  |  94 +++++++--------
 .../java/dataflow/internal/DataFlowImpl.qll   | 112 ++++++++----------
 .../java/dataflow/internal/DataFlowImpl2.qll  | 112 ++++++++----------
 .../java/dataflow/internal/DataFlowImpl3.qll  | 112 ++++++++----------
 .../java/dataflow/internal/DataFlowImpl4.qll  | 112 ++++++++----------
 .../java/dataflow/internal/DataFlowImpl5.qll  | 112 ++++++++----------
 .../java/dataflow/internal/DataFlowImpl6.qll  | 112 ++++++++----------
 .../dataflow/internal/DataFlowImplCommon.qll  |  94 +++++++--------
 .../dataflow/new/internal/DataFlowImpl.qll    | 112 ++++++++----------
 .../dataflow/new/internal/DataFlowImpl2.qll   | 112 ++++++++----------
 .../dataflow/new/internal/DataFlowImpl3.qll   | 112 ++++++++----------
 .../dataflow/new/internal/DataFlowImpl4.qll   | 112 ++++++++----------
 .../new/internal/DataFlowImplCommon.qll       |  94 +++++++--------
 29 files changed, 1372 insertions(+), 1786 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
index cf83530bcbd..058d66b1496 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
index cf83530bcbd..058d66b1496 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
index cf83530bcbd..058d66b1496 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
index cf83530bcbd..058d66b1496 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
index b5ceabc605d..b8e08408911 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
@@ -35,24 +35,22 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
  */
 private module LambdaFlow {
-  private predicate viableParamNonLambda(DataFlowCall call, int i, ParameterNodeExt p) {
+  private predicate viableParamNonLambda(DataFlowCall call, int i, ParamNode p) {
     p.isParameterOf(viableCallable(call), i)
   }
 
-  private predicate viableParamLambda(DataFlowCall call, int i, ParameterNodeExt p) {
+  private predicate viableParamLambda(DataFlowCall call, int i, ParamNode p) {
     p.isParameterOf(viableCallableLambda(call, _), i)
   }
 
-  private predicate viableParamArgNonLambda(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg
-  ) {
+  private predicate viableParamArgNonLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
     exists(int i |
       viableParamNonLambda(call, i, p) and
       arg.argumentOf(call, i)
     )
   }
 
-  private predicate viableParamArgLambda(DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg) {
+  private predicate viableParamArgLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
     exists(int i |
       viableParamLambda(call, i, p) and
       arg.argumentOf(call, i)
@@ -120,7 +118,7 @@ private module LambdaFlow {
     boolean toJump, DataFlowCallOption lastCall
   ) {
     revLambdaFlow0(lambdaCall, kind, node, t, toReturn, toJump, lastCall) and
-    if castNode(node) or node instanceof ArgumentNodeExt or node instanceof ReturnNode
+    if castNode(node) or node instanceof ArgNode or node instanceof ReturnNode
     then compatibleTypes(t, getNodeDataFlowType(node))
     else any()
   }
@@ -178,7 +176,7 @@ private module LambdaFlow {
     )
     or
     // flow into a callable
-    exists(ParameterNodeExt p, DataFlowCallOption lastCall0, DataFlowCall call |
+    exists(ParamNode p, DataFlowCallOption lastCall0, DataFlowCall call |
       revLambdaFlowIn(lambdaCall, kind, p, t, toJump, lastCall0) and
       (
         if lastCall0 = TDataFlowCallNone() and toJump = false
@@ -229,8 +227,8 @@ private module LambdaFlow {
 
   pragma[nomagic]
   predicate revLambdaFlowIn(
-    DataFlowCall lambdaCall, LambdaCallKind kind, ParameterNodeExt p, DataFlowType t,
-    boolean toJump, DataFlowCallOption lastCall
+    DataFlowCall lambdaCall, LambdaCallKind kind, ParamNode p, DataFlowType t, boolean toJump,
+    DataFlowCallOption lastCall
   ) {
     revLambdaFlow(lambdaCall, kind, p, t, false, toJump, lastCall)
   }
@@ -276,7 +274,7 @@ private module Cached {
   predicate outNodeExt(Node n) {
     n instanceof OutNode
     or
-    n.(PostUpdateNode).getPreUpdateNode() instanceof ArgumentNodeExt
+    n.(PostUpdateNode).getPreUpdateNode() instanceof ArgNode
   }
 
   cached
@@ -286,7 +284,7 @@ private module Cached {
   OutNodeExt getAnOutNodeExt(DataFlowCall call, ReturnKindExt k) {
     result = getAnOutNode(call, k.(ValueReturnKind).getKind())
     or
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       result.(PostUpdateNode).getPreUpdateNode() = arg and
       arg.argumentOf(call, k.(ParamUpdateReturnKind).getPosition())
     )
@@ -296,7 +294,7 @@ private module Cached {
   predicate returnNodeExt(Node n, ReturnKindExt k) {
     k = TValueReturn(n.(ReturnNode).getKind())
     or
-    exists(ParameterNodeExt p, int pos |
+    exists(ParamNode p, int pos |
       parameterValueFlowsToPreUpdate(p, n) and
       p.isParameterOf(_, pos) and
       k = TParamUpdate(pos)
@@ -309,7 +307,7 @@ private module Cached {
   cached
   predicate castingNode(Node n) {
     castNode(n) or
-    n instanceof ParameterNodeExt or
+    n instanceof ParamNode or
     n instanceof OutNodeExt or
     // For reads, `x.f`, we want to check that the tracked type after the read (which
     // is obtained by popping the head of the access path stack) is compatible with
@@ -346,7 +344,7 @@ private module Cached {
    * The instance parameter is considered to have index `-1`.
    */
   pragma[nomagic]
-  private predicate viableParam(DataFlowCall call, int i, ParameterNodeExt p) {
+  private predicate viableParam(DataFlowCall call, int i, ParamNode p) {
     p.isParameterOf(viableCallableExt(call), i)
   }
 
@@ -355,7 +353,7 @@ private module Cached {
    * dispatch into account.
    */
   cached
-  predicate viableParamArg(DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg) {
+  predicate viableParamArg(DataFlowCall call, ParamNode p, ArgNode arg) {
     exists(int i |
       viableParam(call, i, p) and
       arg.argumentOf(call, i) and
@@ -397,7 +395,7 @@ private module Cached {
        * `read` indicates whether it is contents of `p` that can flow to `node`.
        */
       pragma[nomagic]
-      private predicate parameterValueFlowCand(ParameterNodeExt p, Node node, boolean read) {
+      private predicate parameterValueFlowCand(ParamNode p, Node node, boolean read) {
         p = node and
         read = false
         or
@@ -415,27 +413,25 @@ private module Cached {
         )
         or
         // flow through: no prior read
-        exists(ArgumentNodeExt arg |
+        exists(ArgNode arg |
           parameterValueFlowArgCand(p, arg, false) and
           argumentValueFlowsThroughCand(arg, node, read)
         )
         or
         // flow through: no read inside method
-        exists(ArgumentNodeExt arg |
+        exists(ArgNode arg |
           parameterValueFlowArgCand(p, arg, read) and
           argumentValueFlowsThroughCand(arg, node, false)
         )
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlowArgCand(
-        ParameterNodeExt p, ArgumentNodeExt arg, boolean read
-      ) {
+      private predicate parameterValueFlowArgCand(ParamNode p, ArgNode arg, boolean read) {
         parameterValueFlowCand(p, arg, read)
       }
 
       pragma[nomagic]
-      predicate parameterValueFlowsToPreUpdateCand(ParameterNodeExt p, PostUpdateNode n) {
+      predicate parameterValueFlowsToPreUpdateCand(ParamNode p, PostUpdateNode n) {
         parameterValueFlowCand(p, n.getPreUpdateNode(), false)
       }
 
@@ -447,7 +443,7 @@ private module Cached {
        * `read` indicates whether it is contents of `p` that can flow to the return
        * node.
        */
-      predicate parameterValueFlowReturnCand(ParameterNodeExt p, ReturnKind kind, boolean read) {
+      predicate parameterValueFlowReturnCand(ParamNode p, ReturnKind kind, boolean read) {
         exists(ReturnNode ret |
           parameterValueFlowCand(p, ret, read) and
           kind = ret.getKind()
@@ -456,9 +452,9 @@ private module Cached {
 
       pragma[nomagic]
       private predicate argumentValueFlowsThroughCand0(
-        DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, boolean read
+        DataFlowCall call, ArgNode arg, ReturnKind kind, boolean read
       ) {
-        exists(ParameterNodeExt param | viableParamArg(call, param, arg) |
+        exists(ParamNode param | viableParamArg(call, param, arg) |
           parameterValueFlowReturnCand(param, kind, read)
         )
       }
@@ -469,14 +465,14 @@ private module Cached {
        *
        * `read` indicates whether it is contents of `arg` that can flow to `out`.
        */
-      predicate argumentValueFlowsThroughCand(ArgumentNodeExt arg, Node out, boolean read) {
+      predicate argumentValueFlowsThroughCand(ArgNode arg, Node out, boolean read) {
         exists(DataFlowCall call, ReturnKind kind |
           argumentValueFlowsThroughCand0(call, arg, kind, read) and
           out = getAnOutNode(call, kind)
         )
       }
 
-      predicate cand(ParameterNodeExt p, Node n) {
+      predicate cand(ParamNode p, Node n) {
         parameterValueFlowCand(p, n, _) and
         (
           parameterValueFlowReturnCand(p, _, _)
@@ -503,7 +499,7 @@ private module Cached {
        * If a read step was taken, then `read` captures the `Content`, the
        * container type, and the content type.
        */
-      predicate parameterValueFlow(ParameterNodeExt p, Node node, ReadStepTypesOption read) {
+      predicate parameterValueFlow(ParamNode p, Node node, ReadStepTypesOption read) {
         parameterValueFlow0(p, node, read) and
         if node instanceof CastingNode
         then
@@ -517,7 +513,7 @@ private module Cached {
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlow0(ParameterNodeExt p, Node node, ReadStepTypesOption read) {
+      private predicate parameterValueFlow0(ParamNode p, Node node, ReadStepTypesOption read) {
         p = node and
         Cand::cand(p, _) and
         read = TReadStepTypesNone()
@@ -542,34 +538,32 @@ private module Cached {
 
       pragma[nomagic]
       private predicate parameterValueFlow0_0(
-        ReadStepTypesOption mustBeNone, ParameterNodeExt p, Node node, ReadStepTypesOption read
+        ReadStepTypesOption mustBeNone, ParamNode p, Node node, ReadStepTypesOption read
       ) {
         // flow through: no prior read
-        exists(ArgumentNodeExt arg |
+        exists(ArgNode arg |
           parameterValueFlowArg(p, arg, mustBeNone) and
           argumentValueFlowsThrough(arg, read, node)
         )
         or
         // flow through: no read inside method
-        exists(ArgumentNodeExt arg |
+        exists(ArgNode arg |
           parameterValueFlowArg(p, arg, read) and
           argumentValueFlowsThrough(arg, mustBeNone, node)
         )
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlowArg(
-        ParameterNodeExt p, ArgumentNodeExt arg, ReadStepTypesOption read
-      ) {
+      private predicate parameterValueFlowArg(ParamNode p, ArgNode arg, ReadStepTypesOption read) {
         parameterValueFlow(p, arg, read) and
         Cand::argumentValueFlowsThroughCand(arg, _, _)
       }
 
       pragma[nomagic]
       private predicate argumentValueFlowsThrough0(
-        DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, ReadStepTypesOption read
+        DataFlowCall call, ArgNode arg, ReturnKind kind, ReadStepTypesOption read
       ) {
-        exists(ParameterNodeExt param | viableParamArg(call, param, arg) |
+        exists(ParamNode param | viableParamArg(call, param, arg) |
           parameterValueFlowReturn(param, kind, read)
         )
       }
@@ -583,7 +577,7 @@ private module Cached {
        * container type, and the content type.
        */
       pragma[nomagic]
-      predicate argumentValueFlowsThrough(ArgumentNodeExt arg, ReadStepTypesOption read, Node out) {
+      predicate argumentValueFlowsThrough(ArgNode arg, ReadStepTypesOption read, Node out) {
         exists(DataFlowCall call, ReturnKind kind |
           argumentValueFlowsThrough0(call, arg, kind, read) and
           out = getAnOutNode(call, kind)
@@ -603,7 +597,7 @@ private module Cached {
        * value-preserving steps and a single read step, not taking call
        * contexts into account, thus representing a getter-step.
        */
-      predicate getterStep(ArgumentNodeExt arg, Content c, Node out) {
+      predicate getterStep(ArgNode arg, Content c, Node out) {
         argumentValueFlowsThrough(arg, TReadStepTypesSome(_, c, _), out)
       }
 
@@ -616,7 +610,7 @@ private module Cached {
        * container type, and the content type.
        */
       private predicate parameterValueFlowReturn(
-        ParameterNodeExt p, ReturnKind kind, ReadStepTypesOption read
+        ParamNode p, ReturnKind kind, ReadStepTypesOption read
       ) {
         exists(ReturnNode ret |
           parameterValueFlow(p, ret, read) and
@@ -722,7 +716,7 @@ private module Cached {
    * Holds if `p` can flow to the pre-update node associated with post-update
    * node `n`, in the same callable, using only value-preserving steps.
    */
-  private predicate parameterValueFlowsToPreUpdate(ParameterNodeExt p, PostUpdateNode n) {
+  private predicate parameterValueFlowsToPreUpdate(ParamNode p, PostUpdateNode n) {
     parameterValueFlow(p, n.getPreUpdateNode(), TReadStepTypesNone())
   }
 
@@ -778,8 +772,8 @@ private module Cached {
         // Does the language-specific simpleLocalFlowStep already model flow
         // from function input to output?
         fromPre = getAnOutNode(c, _) and
-        toPre.(ArgumentNodeExt).argumentOf(c, _) and
-        simpleLocalFlowStep(toPre.(ArgumentNodeExt), fromPre)
+        toPre.(ArgNode).argumentOf(c, _) and
+        simpleLocalFlowStep(toPre.(ArgNode), fromPre)
       )
       or
       argumentValueFlowsThrough(toPre, TReadStepTypesNone(), fromPre)
@@ -827,7 +821,7 @@ private module Cached {
   cached
   newtype TReturnKindExt =
     TValueReturn(ReturnKind kind) or
-    TParamUpdate(int pos) { exists(ParameterNodeExt p | p.isParameterOf(_, pos)) }
+    TParamUpdate(int pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }
 
   cached
   newtype TBooleanOption =
@@ -942,7 +936,7 @@ class CallContextSomeCall extends CallContextCall, TSomeCall {
   override string toString() { result = "CcSomeCall" }
 
   override predicate relevantFor(DataFlowCallable callable) {
-    exists(ParameterNodeExt p | getNodeEnclosingCallable(p) = callable)
+    exists(ParamNode p | getNodeEnclosingCallable(p) = callable)
   }
 
   override predicate matchesCall(DataFlowCall call) { any() }
@@ -1005,8 +999,8 @@ LocalCallContext getLocalCallContext(CallContext ctx, DataFlowCallable callable)
  * The value of a parameter at function entry, viewed as a node in a data
  * flow graph.
  */
-class ParameterNodeExt extends Node {
-  ParameterNodeExt() { parameterNode(this, _, _) }
+class ParamNode extends Node {
+  ParamNode() { parameterNode(this, _, _) }
 
   /**
    * Holds if this node is the parameter of callable `c` at the specified
@@ -1016,8 +1010,8 @@ class ParameterNodeExt extends Node {
 }
 
 /** A data-flow node that represents a call argument. */
-class ArgumentNodeExt extends Node {
-  ArgumentNodeExt() { argumentNode(this, _, _) }
+class ArgNode extends Node {
+  ArgNode() { argumentNode(this, _, _) }
 
   /** Holds if this argument occurs at the given position in the given call. */
   final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
index cf83530bcbd..058d66b1496 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
index cf83530bcbd..058d66b1496 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
index cf83530bcbd..058d66b1496 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
index cf83530bcbd..058d66b1496 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
index cf83530bcbd..058d66b1496 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
index b5ceabc605d..b8e08408911 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
@@ -35,24 +35,22 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
  */
 private module LambdaFlow {
-  private predicate viableParamNonLambda(DataFlowCall call, int i, ParameterNodeExt p) {
+  private predicate viableParamNonLambda(DataFlowCall call, int i, ParamNode p) {
     p.isParameterOf(viableCallable(call), i)
   }
 
-  private predicate viableParamLambda(DataFlowCall call, int i, ParameterNodeExt p) {
+  private predicate viableParamLambda(DataFlowCall call, int i, ParamNode p) {
     p.isParameterOf(viableCallableLambda(call, _), i)
   }
 
-  private predicate viableParamArgNonLambda(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg
-  ) {
+  private predicate viableParamArgNonLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
     exists(int i |
       viableParamNonLambda(call, i, p) and
       arg.argumentOf(call, i)
     )
   }
 
-  private predicate viableParamArgLambda(DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg) {
+  private predicate viableParamArgLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
     exists(int i |
       viableParamLambda(call, i, p) and
       arg.argumentOf(call, i)
@@ -120,7 +118,7 @@ private module LambdaFlow {
     boolean toJump, DataFlowCallOption lastCall
   ) {
     revLambdaFlow0(lambdaCall, kind, node, t, toReturn, toJump, lastCall) and
-    if castNode(node) or node instanceof ArgumentNodeExt or node instanceof ReturnNode
+    if castNode(node) or node instanceof ArgNode or node instanceof ReturnNode
     then compatibleTypes(t, getNodeDataFlowType(node))
     else any()
   }
@@ -178,7 +176,7 @@ private module LambdaFlow {
     )
     or
     // flow into a callable
-    exists(ParameterNodeExt p, DataFlowCallOption lastCall0, DataFlowCall call |
+    exists(ParamNode p, DataFlowCallOption lastCall0, DataFlowCall call |
       revLambdaFlowIn(lambdaCall, kind, p, t, toJump, lastCall0) and
       (
         if lastCall0 = TDataFlowCallNone() and toJump = false
@@ -229,8 +227,8 @@ private module LambdaFlow {
 
   pragma[nomagic]
   predicate revLambdaFlowIn(
-    DataFlowCall lambdaCall, LambdaCallKind kind, ParameterNodeExt p, DataFlowType t,
-    boolean toJump, DataFlowCallOption lastCall
+    DataFlowCall lambdaCall, LambdaCallKind kind, ParamNode p, DataFlowType t, boolean toJump,
+    DataFlowCallOption lastCall
   ) {
     revLambdaFlow(lambdaCall, kind, p, t, false, toJump, lastCall)
   }
@@ -276,7 +274,7 @@ private module Cached {
   predicate outNodeExt(Node n) {
     n instanceof OutNode
     or
-    n.(PostUpdateNode).getPreUpdateNode() instanceof ArgumentNodeExt
+    n.(PostUpdateNode).getPreUpdateNode() instanceof ArgNode
   }
 
   cached
@@ -286,7 +284,7 @@ private module Cached {
   OutNodeExt getAnOutNodeExt(DataFlowCall call, ReturnKindExt k) {
     result = getAnOutNode(call, k.(ValueReturnKind).getKind())
     or
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       result.(PostUpdateNode).getPreUpdateNode() = arg and
       arg.argumentOf(call, k.(ParamUpdateReturnKind).getPosition())
     )
@@ -296,7 +294,7 @@ private module Cached {
   predicate returnNodeExt(Node n, ReturnKindExt k) {
     k = TValueReturn(n.(ReturnNode).getKind())
     or
-    exists(ParameterNodeExt p, int pos |
+    exists(ParamNode p, int pos |
       parameterValueFlowsToPreUpdate(p, n) and
       p.isParameterOf(_, pos) and
       k = TParamUpdate(pos)
@@ -309,7 +307,7 @@ private module Cached {
   cached
   predicate castingNode(Node n) {
     castNode(n) or
-    n instanceof ParameterNodeExt or
+    n instanceof ParamNode or
     n instanceof OutNodeExt or
     // For reads, `x.f`, we want to check that the tracked type after the read (which
     // is obtained by popping the head of the access path stack) is compatible with
@@ -346,7 +344,7 @@ private module Cached {
    * The instance parameter is considered to have index `-1`.
    */
   pragma[nomagic]
-  private predicate viableParam(DataFlowCall call, int i, ParameterNodeExt p) {
+  private predicate viableParam(DataFlowCall call, int i, ParamNode p) {
     p.isParameterOf(viableCallableExt(call), i)
   }
 
@@ -355,7 +353,7 @@ private module Cached {
    * dispatch into account.
    */
   cached
-  predicate viableParamArg(DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg) {
+  predicate viableParamArg(DataFlowCall call, ParamNode p, ArgNode arg) {
     exists(int i |
       viableParam(call, i, p) and
       arg.argumentOf(call, i) and
@@ -397,7 +395,7 @@ private module Cached {
        * `read` indicates whether it is contents of `p` that can flow to `node`.
        */
       pragma[nomagic]
-      private predicate parameterValueFlowCand(ParameterNodeExt p, Node node, boolean read) {
+      private predicate parameterValueFlowCand(ParamNode p, Node node, boolean read) {
         p = node and
         read = false
         or
@@ -415,27 +413,25 @@ private module Cached {
         )
         or
         // flow through: no prior read
-        exists(ArgumentNodeExt arg |
+        exists(ArgNode arg |
           parameterValueFlowArgCand(p, arg, false) and
           argumentValueFlowsThroughCand(arg, node, read)
         )
         or
         // flow through: no read inside method
-        exists(ArgumentNodeExt arg |
+        exists(ArgNode arg |
           parameterValueFlowArgCand(p, arg, read) and
           argumentValueFlowsThroughCand(arg, node, false)
         )
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlowArgCand(
-        ParameterNodeExt p, ArgumentNodeExt arg, boolean read
-      ) {
+      private predicate parameterValueFlowArgCand(ParamNode p, ArgNode arg, boolean read) {
         parameterValueFlowCand(p, arg, read)
       }
 
       pragma[nomagic]
-      predicate parameterValueFlowsToPreUpdateCand(ParameterNodeExt p, PostUpdateNode n) {
+      predicate parameterValueFlowsToPreUpdateCand(ParamNode p, PostUpdateNode n) {
         parameterValueFlowCand(p, n.getPreUpdateNode(), false)
       }
 
@@ -447,7 +443,7 @@ private module Cached {
        * `read` indicates whether it is contents of `p` that can flow to the return
        * node.
        */
-      predicate parameterValueFlowReturnCand(ParameterNodeExt p, ReturnKind kind, boolean read) {
+      predicate parameterValueFlowReturnCand(ParamNode p, ReturnKind kind, boolean read) {
         exists(ReturnNode ret |
           parameterValueFlowCand(p, ret, read) and
           kind = ret.getKind()
@@ -456,9 +452,9 @@ private module Cached {
 
       pragma[nomagic]
       private predicate argumentValueFlowsThroughCand0(
-        DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, boolean read
+        DataFlowCall call, ArgNode arg, ReturnKind kind, boolean read
       ) {
-        exists(ParameterNodeExt param | viableParamArg(call, param, arg) |
+        exists(ParamNode param | viableParamArg(call, param, arg) |
           parameterValueFlowReturnCand(param, kind, read)
         )
       }
@@ -469,14 +465,14 @@ private module Cached {
        *
        * `read` indicates whether it is contents of `arg` that can flow to `out`.
        */
-      predicate argumentValueFlowsThroughCand(ArgumentNodeExt arg, Node out, boolean read) {
+      predicate argumentValueFlowsThroughCand(ArgNode arg, Node out, boolean read) {
         exists(DataFlowCall call, ReturnKind kind |
           argumentValueFlowsThroughCand0(call, arg, kind, read) and
           out = getAnOutNode(call, kind)
         )
       }
 
-      predicate cand(ParameterNodeExt p, Node n) {
+      predicate cand(ParamNode p, Node n) {
         parameterValueFlowCand(p, n, _) and
         (
           parameterValueFlowReturnCand(p, _, _)
@@ -503,7 +499,7 @@ private module Cached {
        * If a read step was taken, then `read` captures the `Content`, the
        * container type, and the content type.
        */
-      predicate parameterValueFlow(ParameterNodeExt p, Node node, ReadStepTypesOption read) {
+      predicate parameterValueFlow(ParamNode p, Node node, ReadStepTypesOption read) {
         parameterValueFlow0(p, node, read) and
         if node instanceof CastingNode
         then
@@ -517,7 +513,7 @@ private module Cached {
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlow0(ParameterNodeExt p, Node node, ReadStepTypesOption read) {
+      private predicate parameterValueFlow0(ParamNode p, Node node, ReadStepTypesOption read) {
         p = node and
         Cand::cand(p, _) and
         read = TReadStepTypesNone()
@@ -542,34 +538,32 @@ private module Cached {
 
       pragma[nomagic]
       private predicate parameterValueFlow0_0(
-        ReadStepTypesOption mustBeNone, ParameterNodeExt p, Node node, ReadStepTypesOption read
+        ReadStepTypesOption mustBeNone, ParamNode p, Node node, ReadStepTypesOption read
       ) {
         // flow through: no prior read
-        exists(ArgumentNodeExt arg |
+        exists(ArgNode arg |
           parameterValueFlowArg(p, arg, mustBeNone) and
           argumentValueFlowsThrough(arg, read, node)
         )
         or
         // flow through: no read inside method
-        exists(ArgumentNodeExt arg |
+        exists(ArgNode arg |
           parameterValueFlowArg(p, arg, read) and
           argumentValueFlowsThrough(arg, mustBeNone, node)
         )
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlowArg(
-        ParameterNodeExt p, ArgumentNodeExt arg, ReadStepTypesOption read
-      ) {
+      private predicate parameterValueFlowArg(ParamNode p, ArgNode arg, ReadStepTypesOption read) {
         parameterValueFlow(p, arg, read) and
         Cand::argumentValueFlowsThroughCand(arg, _, _)
       }
 
       pragma[nomagic]
       private predicate argumentValueFlowsThrough0(
-        DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, ReadStepTypesOption read
+        DataFlowCall call, ArgNode arg, ReturnKind kind, ReadStepTypesOption read
       ) {
-        exists(ParameterNodeExt param | viableParamArg(call, param, arg) |
+        exists(ParamNode param | viableParamArg(call, param, arg) |
           parameterValueFlowReturn(param, kind, read)
         )
       }
@@ -583,7 +577,7 @@ private module Cached {
        * container type, and the content type.
        */
       pragma[nomagic]
-      predicate argumentValueFlowsThrough(ArgumentNodeExt arg, ReadStepTypesOption read, Node out) {
+      predicate argumentValueFlowsThrough(ArgNode arg, ReadStepTypesOption read, Node out) {
         exists(DataFlowCall call, ReturnKind kind |
           argumentValueFlowsThrough0(call, arg, kind, read) and
           out = getAnOutNode(call, kind)
@@ -603,7 +597,7 @@ private module Cached {
        * value-preserving steps and a single read step, not taking call
        * contexts into account, thus representing a getter-step.
        */
-      predicate getterStep(ArgumentNodeExt arg, Content c, Node out) {
+      predicate getterStep(ArgNode arg, Content c, Node out) {
         argumentValueFlowsThrough(arg, TReadStepTypesSome(_, c, _), out)
       }
 
@@ -616,7 +610,7 @@ private module Cached {
        * container type, and the content type.
        */
       private predicate parameterValueFlowReturn(
-        ParameterNodeExt p, ReturnKind kind, ReadStepTypesOption read
+        ParamNode p, ReturnKind kind, ReadStepTypesOption read
       ) {
         exists(ReturnNode ret |
           parameterValueFlow(p, ret, read) and
@@ -722,7 +716,7 @@ private module Cached {
    * Holds if `p` can flow to the pre-update node associated with post-update
    * node `n`, in the same callable, using only value-preserving steps.
    */
-  private predicate parameterValueFlowsToPreUpdate(ParameterNodeExt p, PostUpdateNode n) {
+  private predicate parameterValueFlowsToPreUpdate(ParamNode p, PostUpdateNode n) {
     parameterValueFlow(p, n.getPreUpdateNode(), TReadStepTypesNone())
   }
 
@@ -778,8 +772,8 @@ private module Cached {
         // Does the language-specific simpleLocalFlowStep already model flow
         // from function input to output?
         fromPre = getAnOutNode(c, _) and
-        toPre.(ArgumentNodeExt).argumentOf(c, _) and
-        simpleLocalFlowStep(toPre.(ArgumentNodeExt), fromPre)
+        toPre.(ArgNode).argumentOf(c, _) and
+        simpleLocalFlowStep(toPre.(ArgNode), fromPre)
       )
       or
       argumentValueFlowsThrough(toPre, TReadStepTypesNone(), fromPre)
@@ -827,7 +821,7 @@ private module Cached {
   cached
   newtype TReturnKindExt =
     TValueReturn(ReturnKind kind) or
-    TParamUpdate(int pos) { exists(ParameterNodeExt p | p.isParameterOf(_, pos)) }
+    TParamUpdate(int pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }
 
   cached
   newtype TBooleanOption =
@@ -942,7 +936,7 @@ class CallContextSomeCall extends CallContextCall, TSomeCall {
   override string toString() { result = "CcSomeCall" }
 
   override predicate relevantFor(DataFlowCallable callable) {
-    exists(ParameterNodeExt p | getNodeEnclosingCallable(p) = callable)
+    exists(ParamNode p | getNodeEnclosingCallable(p) = callable)
   }
 
   override predicate matchesCall(DataFlowCall call) { any() }
@@ -1005,8 +999,8 @@ LocalCallContext getLocalCallContext(CallContext ctx, DataFlowCallable callable)
  * The value of a parameter at function entry, viewed as a node in a data
  * flow graph.
  */
-class ParameterNodeExt extends Node {
-  ParameterNodeExt() { parameterNode(this, _, _) }
+class ParamNode extends Node {
+  ParamNode() { parameterNode(this, _, _) }
 
   /**
    * Holds if this node is the parameter of callable `c` at the specified
@@ -1016,8 +1010,8 @@ class ParameterNodeExt extends Node {
 }
 
 /** A data-flow node that represents a call argument. */
-class ArgumentNodeExt extends Node {
-  ArgumentNodeExt() { argumentNode(this, _, _) }
+class ArgNode extends Node {
+  ArgNode() { argumentNode(this, _, _) }
 
   /** Holds if this argument occurs at the given position in the given call. */
   final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index cf83530bcbd..058d66b1496 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
index cf83530bcbd..058d66b1496 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
index cf83530bcbd..058d66b1496 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
index cf83530bcbd..058d66b1496 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
index cf83530bcbd..058d66b1496 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
index b5ceabc605d..b8e08408911 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
@@ -35,24 +35,22 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
  */
 private module LambdaFlow {
-  private predicate viableParamNonLambda(DataFlowCall call, int i, ParameterNodeExt p) {
+  private predicate viableParamNonLambda(DataFlowCall call, int i, ParamNode p) {
     p.isParameterOf(viableCallable(call), i)
   }
 
-  private predicate viableParamLambda(DataFlowCall call, int i, ParameterNodeExt p) {
+  private predicate viableParamLambda(DataFlowCall call, int i, ParamNode p) {
     p.isParameterOf(viableCallableLambda(call, _), i)
   }
 
-  private predicate viableParamArgNonLambda(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg
-  ) {
+  private predicate viableParamArgNonLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
     exists(int i |
       viableParamNonLambda(call, i, p) and
       arg.argumentOf(call, i)
     )
   }
 
-  private predicate viableParamArgLambda(DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg) {
+  private predicate viableParamArgLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
     exists(int i |
       viableParamLambda(call, i, p) and
       arg.argumentOf(call, i)
@@ -120,7 +118,7 @@ private module LambdaFlow {
     boolean toJump, DataFlowCallOption lastCall
   ) {
     revLambdaFlow0(lambdaCall, kind, node, t, toReturn, toJump, lastCall) and
-    if castNode(node) or node instanceof ArgumentNodeExt or node instanceof ReturnNode
+    if castNode(node) or node instanceof ArgNode or node instanceof ReturnNode
     then compatibleTypes(t, getNodeDataFlowType(node))
     else any()
   }
@@ -178,7 +176,7 @@ private module LambdaFlow {
     )
     or
     // flow into a callable
-    exists(ParameterNodeExt p, DataFlowCallOption lastCall0, DataFlowCall call |
+    exists(ParamNode p, DataFlowCallOption lastCall0, DataFlowCall call |
       revLambdaFlowIn(lambdaCall, kind, p, t, toJump, lastCall0) and
       (
         if lastCall0 = TDataFlowCallNone() and toJump = false
@@ -229,8 +227,8 @@ private module LambdaFlow {
 
   pragma[nomagic]
   predicate revLambdaFlowIn(
-    DataFlowCall lambdaCall, LambdaCallKind kind, ParameterNodeExt p, DataFlowType t,
-    boolean toJump, DataFlowCallOption lastCall
+    DataFlowCall lambdaCall, LambdaCallKind kind, ParamNode p, DataFlowType t, boolean toJump,
+    DataFlowCallOption lastCall
   ) {
     revLambdaFlow(lambdaCall, kind, p, t, false, toJump, lastCall)
   }
@@ -276,7 +274,7 @@ private module Cached {
   predicate outNodeExt(Node n) {
     n instanceof OutNode
     or
-    n.(PostUpdateNode).getPreUpdateNode() instanceof ArgumentNodeExt
+    n.(PostUpdateNode).getPreUpdateNode() instanceof ArgNode
   }
 
   cached
@@ -286,7 +284,7 @@ private module Cached {
   OutNodeExt getAnOutNodeExt(DataFlowCall call, ReturnKindExt k) {
     result = getAnOutNode(call, k.(ValueReturnKind).getKind())
     or
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       result.(PostUpdateNode).getPreUpdateNode() = arg and
       arg.argumentOf(call, k.(ParamUpdateReturnKind).getPosition())
     )
@@ -296,7 +294,7 @@ private module Cached {
   predicate returnNodeExt(Node n, ReturnKindExt k) {
     k = TValueReturn(n.(ReturnNode).getKind())
     or
-    exists(ParameterNodeExt p, int pos |
+    exists(ParamNode p, int pos |
       parameterValueFlowsToPreUpdate(p, n) and
       p.isParameterOf(_, pos) and
       k = TParamUpdate(pos)
@@ -309,7 +307,7 @@ private module Cached {
   cached
   predicate castingNode(Node n) {
     castNode(n) or
-    n instanceof ParameterNodeExt or
+    n instanceof ParamNode or
     n instanceof OutNodeExt or
     // For reads, `x.f`, we want to check that the tracked type after the read (which
     // is obtained by popping the head of the access path stack) is compatible with
@@ -346,7 +344,7 @@ private module Cached {
    * The instance parameter is considered to have index `-1`.
    */
   pragma[nomagic]
-  private predicate viableParam(DataFlowCall call, int i, ParameterNodeExt p) {
+  private predicate viableParam(DataFlowCall call, int i, ParamNode p) {
     p.isParameterOf(viableCallableExt(call), i)
   }
 
@@ -355,7 +353,7 @@ private module Cached {
    * dispatch into account.
    */
   cached
-  predicate viableParamArg(DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg) {
+  predicate viableParamArg(DataFlowCall call, ParamNode p, ArgNode arg) {
     exists(int i |
       viableParam(call, i, p) and
       arg.argumentOf(call, i) and
@@ -397,7 +395,7 @@ private module Cached {
        * `read` indicates whether it is contents of `p` that can flow to `node`.
        */
       pragma[nomagic]
-      private predicate parameterValueFlowCand(ParameterNodeExt p, Node node, boolean read) {
+      private predicate parameterValueFlowCand(ParamNode p, Node node, boolean read) {
         p = node and
         read = false
         or
@@ -415,27 +413,25 @@ private module Cached {
         )
         or
         // flow through: no prior read
-        exists(ArgumentNodeExt arg |
+        exists(ArgNode arg |
           parameterValueFlowArgCand(p, arg, false) and
           argumentValueFlowsThroughCand(arg, node, read)
         )
         or
         // flow through: no read inside method
-        exists(ArgumentNodeExt arg |
+        exists(ArgNode arg |
           parameterValueFlowArgCand(p, arg, read) and
           argumentValueFlowsThroughCand(arg, node, false)
         )
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlowArgCand(
-        ParameterNodeExt p, ArgumentNodeExt arg, boolean read
-      ) {
+      private predicate parameterValueFlowArgCand(ParamNode p, ArgNode arg, boolean read) {
         parameterValueFlowCand(p, arg, read)
       }
 
       pragma[nomagic]
-      predicate parameterValueFlowsToPreUpdateCand(ParameterNodeExt p, PostUpdateNode n) {
+      predicate parameterValueFlowsToPreUpdateCand(ParamNode p, PostUpdateNode n) {
         parameterValueFlowCand(p, n.getPreUpdateNode(), false)
       }
 
@@ -447,7 +443,7 @@ private module Cached {
        * `read` indicates whether it is contents of `p` that can flow to the return
        * node.
        */
-      predicate parameterValueFlowReturnCand(ParameterNodeExt p, ReturnKind kind, boolean read) {
+      predicate parameterValueFlowReturnCand(ParamNode p, ReturnKind kind, boolean read) {
         exists(ReturnNode ret |
           parameterValueFlowCand(p, ret, read) and
           kind = ret.getKind()
@@ -456,9 +452,9 @@ private module Cached {
 
       pragma[nomagic]
       private predicate argumentValueFlowsThroughCand0(
-        DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, boolean read
+        DataFlowCall call, ArgNode arg, ReturnKind kind, boolean read
       ) {
-        exists(ParameterNodeExt param | viableParamArg(call, param, arg) |
+        exists(ParamNode param | viableParamArg(call, param, arg) |
           parameterValueFlowReturnCand(param, kind, read)
         )
       }
@@ -469,14 +465,14 @@ private module Cached {
        *
        * `read` indicates whether it is contents of `arg` that can flow to `out`.
        */
-      predicate argumentValueFlowsThroughCand(ArgumentNodeExt arg, Node out, boolean read) {
+      predicate argumentValueFlowsThroughCand(ArgNode arg, Node out, boolean read) {
         exists(DataFlowCall call, ReturnKind kind |
           argumentValueFlowsThroughCand0(call, arg, kind, read) and
           out = getAnOutNode(call, kind)
         )
       }
 
-      predicate cand(ParameterNodeExt p, Node n) {
+      predicate cand(ParamNode p, Node n) {
         parameterValueFlowCand(p, n, _) and
         (
           parameterValueFlowReturnCand(p, _, _)
@@ -503,7 +499,7 @@ private module Cached {
        * If a read step was taken, then `read` captures the `Content`, the
        * container type, and the content type.
        */
-      predicate parameterValueFlow(ParameterNodeExt p, Node node, ReadStepTypesOption read) {
+      predicate parameterValueFlow(ParamNode p, Node node, ReadStepTypesOption read) {
         parameterValueFlow0(p, node, read) and
         if node instanceof CastingNode
         then
@@ -517,7 +513,7 @@ private module Cached {
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlow0(ParameterNodeExt p, Node node, ReadStepTypesOption read) {
+      private predicate parameterValueFlow0(ParamNode p, Node node, ReadStepTypesOption read) {
         p = node and
         Cand::cand(p, _) and
         read = TReadStepTypesNone()
@@ -542,34 +538,32 @@ private module Cached {
 
       pragma[nomagic]
       private predicate parameterValueFlow0_0(
-        ReadStepTypesOption mustBeNone, ParameterNodeExt p, Node node, ReadStepTypesOption read
+        ReadStepTypesOption mustBeNone, ParamNode p, Node node, ReadStepTypesOption read
       ) {
         // flow through: no prior read
-        exists(ArgumentNodeExt arg |
+        exists(ArgNode arg |
           parameterValueFlowArg(p, arg, mustBeNone) and
           argumentValueFlowsThrough(arg, read, node)
         )
         or
         // flow through: no read inside method
-        exists(ArgumentNodeExt arg |
+        exists(ArgNode arg |
           parameterValueFlowArg(p, arg, read) and
           argumentValueFlowsThrough(arg, mustBeNone, node)
         )
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlowArg(
-        ParameterNodeExt p, ArgumentNodeExt arg, ReadStepTypesOption read
-      ) {
+      private predicate parameterValueFlowArg(ParamNode p, ArgNode arg, ReadStepTypesOption read) {
         parameterValueFlow(p, arg, read) and
         Cand::argumentValueFlowsThroughCand(arg, _, _)
       }
 
       pragma[nomagic]
       private predicate argumentValueFlowsThrough0(
-        DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, ReadStepTypesOption read
+        DataFlowCall call, ArgNode arg, ReturnKind kind, ReadStepTypesOption read
       ) {
-        exists(ParameterNodeExt param | viableParamArg(call, param, arg) |
+        exists(ParamNode param | viableParamArg(call, param, arg) |
           parameterValueFlowReturn(param, kind, read)
         )
       }
@@ -583,7 +577,7 @@ private module Cached {
        * container type, and the content type.
        */
       pragma[nomagic]
-      predicate argumentValueFlowsThrough(ArgumentNodeExt arg, ReadStepTypesOption read, Node out) {
+      predicate argumentValueFlowsThrough(ArgNode arg, ReadStepTypesOption read, Node out) {
         exists(DataFlowCall call, ReturnKind kind |
           argumentValueFlowsThrough0(call, arg, kind, read) and
           out = getAnOutNode(call, kind)
@@ -603,7 +597,7 @@ private module Cached {
        * value-preserving steps and a single read step, not taking call
        * contexts into account, thus representing a getter-step.
        */
-      predicate getterStep(ArgumentNodeExt arg, Content c, Node out) {
+      predicate getterStep(ArgNode arg, Content c, Node out) {
         argumentValueFlowsThrough(arg, TReadStepTypesSome(_, c, _), out)
       }
 
@@ -616,7 +610,7 @@ private module Cached {
        * container type, and the content type.
        */
       private predicate parameterValueFlowReturn(
-        ParameterNodeExt p, ReturnKind kind, ReadStepTypesOption read
+        ParamNode p, ReturnKind kind, ReadStepTypesOption read
       ) {
         exists(ReturnNode ret |
           parameterValueFlow(p, ret, read) and
@@ -722,7 +716,7 @@ private module Cached {
    * Holds if `p` can flow to the pre-update node associated with post-update
    * node `n`, in the same callable, using only value-preserving steps.
    */
-  private predicate parameterValueFlowsToPreUpdate(ParameterNodeExt p, PostUpdateNode n) {
+  private predicate parameterValueFlowsToPreUpdate(ParamNode p, PostUpdateNode n) {
     parameterValueFlow(p, n.getPreUpdateNode(), TReadStepTypesNone())
   }
 
@@ -778,8 +772,8 @@ private module Cached {
         // Does the language-specific simpleLocalFlowStep already model flow
         // from function input to output?
         fromPre = getAnOutNode(c, _) and
-        toPre.(ArgumentNodeExt).argumentOf(c, _) and
-        simpleLocalFlowStep(toPre.(ArgumentNodeExt), fromPre)
+        toPre.(ArgNode).argumentOf(c, _) and
+        simpleLocalFlowStep(toPre.(ArgNode), fromPre)
       )
       or
       argumentValueFlowsThrough(toPre, TReadStepTypesNone(), fromPre)
@@ -827,7 +821,7 @@ private module Cached {
   cached
   newtype TReturnKindExt =
     TValueReturn(ReturnKind kind) or
-    TParamUpdate(int pos) { exists(ParameterNodeExt p | p.isParameterOf(_, pos)) }
+    TParamUpdate(int pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }
 
   cached
   newtype TBooleanOption =
@@ -942,7 +936,7 @@ class CallContextSomeCall extends CallContextCall, TSomeCall {
   override string toString() { result = "CcSomeCall" }
 
   override predicate relevantFor(DataFlowCallable callable) {
-    exists(ParameterNodeExt p | getNodeEnclosingCallable(p) = callable)
+    exists(ParamNode p | getNodeEnclosingCallable(p) = callable)
   }
 
   override predicate matchesCall(DataFlowCall call) { any() }
@@ -1005,8 +999,8 @@ LocalCallContext getLocalCallContext(CallContext ctx, DataFlowCallable callable)
  * The value of a parameter at function entry, viewed as a node in a data
  * flow graph.
  */
-class ParameterNodeExt extends Node {
-  ParameterNodeExt() { parameterNode(this, _, _) }
+class ParamNode extends Node {
+  ParamNode() { parameterNode(this, _, _) }
 
   /**
    * Holds if this node is the parameter of callable `c` at the specified
@@ -1016,8 +1010,8 @@ class ParameterNodeExt extends Node {
 }
 
 /** A data-flow node that represents a call argument. */
-class ArgumentNodeExt extends Node {
-  ArgumentNodeExt() { argumentNode(this, _, _) }
+class ArgNode extends Node {
+  ArgNode() { argumentNode(this, _, _) }
 
   /** Holds if this argument occurs at the given position in the given call. */
   final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
index cf83530bcbd..058d66b1496 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
index cf83530bcbd..058d66b1496 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
index cf83530bcbd..058d66b1496 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
index cf83530bcbd..058d66b1496 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
index cf83530bcbd..058d66b1496 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
index cf83530bcbd..058d66b1496 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll
index b5ceabc605d..b8e08408911 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll
@@ -35,24 +35,22 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
  */
 private module LambdaFlow {
-  private predicate viableParamNonLambda(DataFlowCall call, int i, ParameterNodeExt p) {
+  private predicate viableParamNonLambda(DataFlowCall call, int i, ParamNode p) {
     p.isParameterOf(viableCallable(call), i)
   }
 
-  private predicate viableParamLambda(DataFlowCall call, int i, ParameterNodeExt p) {
+  private predicate viableParamLambda(DataFlowCall call, int i, ParamNode p) {
     p.isParameterOf(viableCallableLambda(call, _), i)
   }
 
-  private predicate viableParamArgNonLambda(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg
-  ) {
+  private predicate viableParamArgNonLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
     exists(int i |
       viableParamNonLambda(call, i, p) and
       arg.argumentOf(call, i)
     )
   }
 
-  private predicate viableParamArgLambda(DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg) {
+  private predicate viableParamArgLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
     exists(int i |
       viableParamLambda(call, i, p) and
       arg.argumentOf(call, i)
@@ -120,7 +118,7 @@ private module LambdaFlow {
     boolean toJump, DataFlowCallOption lastCall
   ) {
     revLambdaFlow0(lambdaCall, kind, node, t, toReturn, toJump, lastCall) and
-    if castNode(node) or node instanceof ArgumentNodeExt or node instanceof ReturnNode
+    if castNode(node) or node instanceof ArgNode or node instanceof ReturnNode
     then compatibleTypes(t, getNodeDataFlowType(node))
     else any()
   }
@@ -178,7 +176,7 @@ private module LambdaFlow {
     )
     or
     // flow into a callable
-    exists(ParameterNodeExt p, DataFlowCallOption lastCall0, DataFlowCall call |
+    exists(ParamNode p, DataFlowCallOption lastCall0, DataFlowCall call |
       revLambdaFlowIn(lambdaCall, kind, p, t, toJump, lastCall0) and
       (
         if lastCall0 = TDataFlowCallNone() and toJump = false
@@ -229,8 +227,8 @@ private module LambdaFlow {
 
   pragma[nomagic]
   predicate revLambdaFlowIn(
-    DataFlowCall lambdaCall, LambdaCallKind kind, ParameterNodeExt p, DataFlowType t,
-    boolean toJump, DataFlowCallOption lastCall
+    DataFlowCall lambdaCall, LambdaCallKind kind, ParamNode p, DataFlowType t, boolean toJump,
+    DataFlowCallOption lastCall
   ) {
     revLambdaFlow(lambdaCall, kind, p, t, false, toJump, lastCall)
   }
@@ -276,7 +274,7 @@ private module Cached {
   predicate outNodeExt(Node n) {
     n instanceof OutNode
     or
-    n.(PostUpdateNode).getPreUpdateNode() instanceof ArgumentNodeExt
+    n.(PostUpdateNode).getPreUpdateNode() instanceof ArgNode
   }
 
   cached
@@ -286,7 +284,7 @@ private module Cached {
   OutNodeExt getAnOutNodeExt(DataFlowCall call, ReturnKindExt k) {
     result = getAnOutNode(call, k.(ValueReturnKind).getKind())
     or
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       result.(PostUpdateNode).getPreUpdateNode() = arg and
       arg.argumentOf(call, k.(ParamUpdateReturnKind).getPosition())
     )
@@ -296,7 +294,7 @@ private module Cached {
   predicate returnNodeExt(Node n, ReturnKindExt k) {
     k = TValueReturn(n.(ReturnNode).getKind())
     or
-    exists(ParameterNodeExt p, int pos |
+    exists(ParamNode p, int pos |
       parameterValueFlowsToPreUpdate(p, n) and
       p.isParameterOf(_, pos) and
       k = TParamUpdate(pos)
@@ -309,7 +307,7 @@ private module Cached {
   cached
   predicate castingNode(Node n) {
     castNode(n) or
-    n instanceof ParameterNodeExt or
+    n instanceof ParamNode or
     n instanceof OutNodeExt or
     // For reads, `x.f`, we want to check that the tracked type after the read (which
     // is obtained by popping the head of the access path stack) is compatible with
@@ -346,7 +344,7 @@ private module Cached {
    * The instance parameter is considered to have index `-1`.
    */
   pragma[nomagic]
-  private predicate viableParam(DataFlowCall call, int i, ParameterNodeExt p) {
+  private predicate viableParam(DataFlowCall call, int i, ParamNode p) {
     p.isParameterOf(viableCallableExt(call), i)
   }
 
@@ -355,7 +353,7 @@ private module Cached {
    * dispatch into account.
    */
   cached
-  predicate viableParamArg(DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg) {
+  predicate viableParamArg(DataFlowCall call, ParamNode p, ArgNode arg) {
     exists(int i |
       viableParam(call, i, p) and
       arg.argumentOf(call, i) and
@@ -397,7 +395,7 @@ private module Cached {
        * `read` indicates whether it is contents of `p` that can flow to `node`.
        */
       pragma[nomagic]
-      private predicate parameterValueFlowCand(ParameterNodeExt p, Node node, boolean read) {
+      private predicate parameterValueFlowCand(ParamNode p, Node node, boolean read) {
         p = node and
         read = false
         or
@@ -415,27 +413,25 @@ private module Cached {
         )
         or
         // flow through: no prior read
-        exists(ArgumentNodeExt arg |
+        exists(ArgNode arg |
           parameterValueFlowArgCand(p, arg, false) and
           argumentValueFlowsThroughCand(arg, node, read)
         )
         or
         // flow through: no read inside method
-        exists(ArgumentNodeExt arg |
+        exists(ArgNode arg |
           parameterValueFlowArgCand(p, arg, read) and
           argumentValueFlowsThroughCand(arg, node, false)
         )
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlowArgCand(
-        ParameterNodeExt p, ArgumentNodeExt arg, boolean read
-      ) {
+      private predicate parameterValueFlowArgCand(ParamNode p, ArgNode arg, boolean read) {
         parameterValueFlowCand(p, arg, read)
       }
 
       pragma[nomagic]
-      predicate parameterValueFlowsToPreUpdateCand(ParameterNodeExt p, PostUpdateNode n) {
+      predicate parameterValueFlowsToPreUpdateCand(ParamNode p, PostUpdateNode n) {
         parameterValueFlowCand(p, n.getPreUpdateNode(), false)
       }
 
@@ -447,7 +443,7 @@ private module Cached {
        * `read` indicates whether it is contents of `p` that can flow to the return
        * node.
        */
-      predicate parameterValueFlowReturnCand(ParameterNodeExt p, ReturnKind kind, boolean read) {
+      predicate parameterValueFlowReturnCand(ParamNode p, ReturnKind kind, boolean read) {
         exists(ReturnNode ret |
           parameterValueFlowCand(p, ret, read) and
           kind = ret.getKind()
@@ -456,9 +452,9 @@ private module Cached {
 
       pragma[nomagic]
       private predicate argumentValueFlowsThroughCand0(
-        DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, boolean read
+        DataFlowCall call, ArgNode arg, ReturnKind kind, boolean read
       ) {
-        exists(ParameterNodeExt param | viableParamArg(call, param, arg) |
+        exists(ParamNode param | viableParamArg(call, param, arg) |
           parameterValueFlowReturnCand(param, kind, read)
         )
       }
@@ -469,14 +465,14 @@ private module Cached {
        *
        * `read` indicates whether it is contents of `arg` that can flow to `out`.
        */
-      predicate argumentValueFlowsThroughCand(ArgumentNodeExt arg, Node out, boolean read) {
+      predicate argumentValueFlowsThroughCand(ArgNode arg, Node out, boolean read) {
         exists(DataFlowCall call, ReturnKind kind |
           argumentValueFlowsThroughCand0(call, arg, kind, read) and
           out = getAnOutNode(call, kind)
         )
       }
 
-      predicate cand(ParameterNodeExt p, Node n) {
+      predicate cand(ParamNode p, Node n) {
         parameterValueFlowCand(p, n, _) and
         (
           parameterValueFlowReturnCand(p, _, _)
@@ -503,7 +499,7 @@ private module Cached {
        * If a read step was taken, then `read` captures the `Content`, the
        * container type, and the content type.
        */
-      predicate parameterValueFlow(ParameterNodeExt p, Node node, ReadStepTypesOption read) {
+      predicate parameterValueFlow(ParamNode p, Node node, ReadStepTypesOption read) {
         parameterValueFlow0(p, node, read) and
         if node instanceof CastingNode
         then
@@ -517,7 +513,7 @@ private module Cached {
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlow0(ParameterNodeExt p, Node node, ReadStepTypesOption read) {
+      private predicate parameterValueFlow0(ParamNode p, Node node, ReadStepTypesOption read) {
         p = node and
         Cand::cand(p, _) and
         read = TReadStepTypesNone()
@@ -542,34 +538,32 @@ private module Cached {
 
       pragma[nomagic]
       private predicate parameterValueFlow0_0(
-        ReadStepTypesOption mustBeNone, ParameterNodeExt p, Node node, ReadStepTypesOption read
+        ReadStepTypesOption mustBeNone, ParamNode p, Node node, ReadStepTypesOption read
       ) {
         // flow through: no prior read
-        exists(ArgumentNodeExt arg |
+        exists(ArgNode arg |
           parameterValueFlowArg(p, arg, mustBeNone) and
           argumentValueFlowsThrough(arg, read, node)
         )
         or
         // flow through: no read inside method
-        exists(ArgumentNodeExt arg |
+        exists(ArgNode arg |
           parameterValueFlowArg(p, arg, read) and
           argumentValueFlowsThrough(arg, mustBeNone, node)
         )
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlowArg(
-        ParameterNodeExt p, ArgumentNodeExt arg, ReadStepTypesOption read
-      ) {
+      private predicate parameterValueFlowArg(ParamNode p, ArgNode arg, ReadStepTypesOption read) {
         parameterValueFlow(p, arg, read) and
         Cand::argumentValueFlowsThroughCand(arg, _, _)
       }
 
       pragma[nomagic]
       private predicate argumentValueFlowsThrough0(
-        DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, ReadStepTypesOption read
+        DataFlowCall call, ArgNode arg, ReturnKind kind, ReadStepTypesOption read
       ) {
-        exists(ParameterNodeExt param | viableParamArg(call, param, arg) |
+        exists(ParamNode param | viableParamArg(call, param, arg) |
           parameterValueFlowReturn(param, kind, read)
         )
       }
@@ -583,7 +577,7 @@ private module Cached {
        * container type, and the content type.
        */
       pragma[nomagic]
-      predicate argumentValueFlowsThrough(ArgumentNodeExt arg, ReadStepTypesOption read, Node out) {
+      predicate argumentValueFlowsThrough(ArgNode arg, ReadStepTypesOption read, Node out) {
         exists(DataFlowCall call, ReturnKind kind |
           argumentValueFlowsThrough0(call, arg, kind, read) and
           out = getAnOutNode(call, kind)
@@ -603,7 +597,7 @@ private module Cached {
        * value-preserving steps and a single read step, not taking call
        * contexts into account, thus representing a getter-step.
        */
-      predicate getterStep(ArgumentNodeExt arg, Content c, Node out) {
+      predicate getterStep(ArgNode arg, Content c, Node out) {
         argumentValueFlowsThrough(arg, TReadStepTypesSome(_, c, _), out)
       }
 
@@ -616,7 +610,7 @@ private module Cached {
        * container type, and the content type.
        */
       private predicate parameterValueFlowReturn(
-        ParameterNodeExt p, ReturnKind kind, ReadStepTypesOption read
+        ParamNode p, ReturnKind kind, ReadStepTypesOption read
       ) {
         exists(ReturnNode ret |
           parameterValueFlow(p, ret, read) and
@@ -722,7 +716,7 @@ private module Cached {
    * Holds if `p` can flow to the pre-update node associated with post-update
    * node `n`, in the same callable, using only value-preserving steps.
    */
-  private predicate parameterValueFlowsToPreUpdate(ParameterNodeExt p, PostUpdateNode n) {
+  private predicate parameterValueFlowsToPreUpdate(ParamNode p, PostUpdateNode n) {
     parameterValueFlow(p, n.getPreUpdateNode(), TReadStepTypesNone())
   }
 
@@ -778,8 +772,8 @@ private module Cached {
         // Does the language-specific simpleLocalFlowStep already model flow
         // from function input to output?
         fromPre = getAnOutNode(c, _) and
-        toPre.(ArgumentNodeExt).argumentOf(c, _) and
-        simpleLocalFlowStep(toPre.(ArgumentNodeExt), fromPre)
+        toPre.(ArgNode).argumentOf(c, _) and
+        simpleLocalFlowStep(toPre.(ArgNode), fromPre)
       )
       or
       argumentValueFlowsThrough(toPre, TReadStepTypesNone(), fromPre)
@@ -827,7 +821,7 @@ private module Cached {
   cached
   newtype TReturnKindExt =
     TValueReturn(ReturnKind kind) or
-    TParamUpdate(int pos) { exists(ParameterNodeExt p | p.isParameterOf(_, pos)) }
+    TParamUpdate(int pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }
 
   cached
   newtype TBooleanOption =
@@ -942,7 +936,7 @@ class CallContextSomeCall extends CallContextCall, TSomeCall {
   override string toString() { result = "CcSomeCall" }
 
   override predicate relevantFor(DataFlowCallable callable) {
-    exists(ParameterNodeExt p | getNodeEnclosingCallable(p) = callable)
+    exists(ParamNode p | getNodeEnclosingCallable(p) = callable)
   }
 
   override predicate matchesCall(DataFlowCall call) { any() }
@@ -1005,8 +999,8 @@ LocalCallContext getLocalCallContext(CallContext ctx, DataFlowCallable callable)
  * The value of a parameter at function entry, viewed as a node in a data
  * flow graph.
  */
-class ParameterNodeExt extends Node {
-  ParameterNodeExt() { parameterNode(this, _, _) }
+class ParamNode extends Node {
+  ParamNode() { parameterNode(this, _, _) }
 
   /**
    * Holds if this node is the parameter of callable `c` at the specified
@@ -1016,8 +1010,8 @@ class ParameterNodeExt extends Node {
 }
 
 /** A data-flow node that represents a call argument. */
-class ArgumentNodeExt extends Node {
-  ArgumentNodeExt() { argumentNode(this, _, _) }
+class ArgNode extends Node {
+  ArgNode() { argumentNode(this, _, _) }
 
   /** Holds if this argument occurs at the given position in the given call. */
   final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
index cf83530bcbd..058d66b1496 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
index cf83530bcbd..058d66b1496 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
index cf83530bcbd..058d66b1496 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
index cf83530bcbd..058d66b1496 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
@@ -385,7 +385,7 @@ private module Stage1 {
    */
   pragma[nomagic]
   private predicate fwdFlowIsEntered(DataFlowCall call, Cc cc, Configuration config) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       fwdFlow(arg, cc, config) and
       viableParamArg(call, _, arg)
     )
@@ -512,24 +512,22 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate viableParamArgNodeCandFwd1(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+    DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
   ) {
     viableParamArg(call, p, arg) and
     fwdFlow(arg, config)
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, Configuration config
-  ) {
-    exists(ParameterNodeExt p |
+  private predicate revFlowIn(DataFlowCall call, ArgNode arg, boolean toReturn, Configuration config) {
+    exists(ParamNode p |
       revFlow(p, toReturn, config) and
       viableParamArgNodeCandFwd1(call, p, arg, config)
     )
   }
 
   pragma[nomagic]
-  private predicate revFlowInToReturn(DataFlowCall call, ArgumentNodeExt arg, Configuration config) {
+  private predicate revFlowInToReturn(DataFlowCall call, ArgNode arg, Configuration config) {
     revFlowIn(call, arg, true, config)
   }
 
@@ -594,9 +592,7 @@ private module Stage1 {
    * Holds if flow may enter through `p` and reach a return node making `p` a
    * candidate for the origin of a summary.
    */
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnKindExt kind |
       throughFlowNodeCand(p, config) and
       returnFlowCallableNodeCand(c, kind, config) and
@@ -662,7 +658,7 @@ private predicate flowOutOfCallNodeCand1(
 
 pragma[nomagic]
 private predicate viableParamArgNodeCand1(
-  DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg, Configuration config
+  DataFlowCall call, ParamNode p, ArgNode arg, Configuration config
 ) {
   Stage1::viableParamArgNodeCandFwd1(call, p, arg, config) and
   Stage1::revFlow(arg, config)
@@ -674,7 +670,7 @@ private predicate viableParamArgNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, Configuration config
 ) {
   viableParamArgNodeCand1(call, p, arg, config) and
   Stage1::revFlow(p, config) and
@@ -734,8 +730,7 @@ private predicate flowOutOfCallNodeCand1(
  */
 pragma[nomagic]
 private predicate flowIntoCallNodeCand1(
-  DataFlowCall call, ArgumentNodeExt arg, ParameterNodeExt p, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, arg, p, config) and
   exists(int b, int j |
@@ -943,10 +938,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -991,7 +986,7 @@ private module Stage2 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
     )
@@ -1132,10 +1127,9 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1145,7 +1139,7 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1198,15 +1192,13 @@ private module Stage2 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -1246,8 +1238,7 @@ private predicate flowOutOfCallNodeCand2(
 
 pragma[nomagic]
 private predicate flowIntoCallNodeCand2(
-  DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-  Configuration config
+  DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
 ) {
   flowIntoCallNodeCand1(call, node1, node2, allowsFieldFlow, config) and
   Stage2::revFlow(node2, pragma[only_bind_into](config)) and
@@ -1276,7 +1267,7 @@ private module LocalFlowBigStep {
       config.isSource(node) or
       jumpStep(_, node, config) or
       additionalJumpStep(_, node, config) or
-      node instanceof ParameterNodeExt or
+      node instanceof ParamNode or
       node instanceof OutNodeExt or
       store(_, _, node, _) or
       read(_, _, node) or
@@ -1586,10 +1577,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -1634,7 +1625,7 @@ private module Stage3 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -1775,10 +1766,9 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -1788,7 +1778,7 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -1841,15 +1831,13 @@ private module Stage3 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2160,8 +2148,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowIntoCall(
-    DataFlowCall call, ArgumentNodeExt node1, ParameterNodeExt node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
   ) {
     flowIntoCallNodeCand2(call, node1, node2, allowsFieldFlow, config) and
     PrevStage::revFlow(node2, _, _, _, pragma[only_bind_into](config)) and
@@ -2305,10 +2292,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate fwdFlowIn(
-    DataFlowCall call, ParameterNodeExt p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
+    DataFlowCall call, ParamNode p, Cc outercc, Cc innercc, ApOption argAp, Ap ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg, boolean allowsFieldFlow |
+    exists(ArgNode arg, boolean allowsFieldFlow |
       fwdFlow(arg, outercc, argAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config) and
       innercc = getCallContextCall(call, getNodeEnclosingCallable(p), outercc)
@@ -2353,7 +2340,7 @@ private module Stage4 {
   private predicate fwdFlowIsEntered(
     DataFlowCall call, Cc cc, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
       PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
@@ -2494,10 +2481,9 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowIn(
-    DataFlowCall call, ArgumentNodeExt arg, boolean toReturn, ApOption returnAp, Ap ap,
-    Configuration config
+    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, boolean allowsFieldFlow |
+    exists(ParamNode p, boolean allowsFieldFlow |
       revFlow(p, toReturn, returnAp, ap, config) and
       flowIntoCall(call, arg, p, allowsFieldFlow, config)
     |
@@ -2507,7 +2493,7 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate revFlowInToReturn(
-    DataFlowCall call, ArgumentNodeExt arg, Ap returnAp, Ap ap, Configuration config
+    DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
     revFlowIn(call, arg, true, apSome(returnAp), ap, config)
   }
@@ -2560,15 +2546,13 @@ private module Stage4 {
 
   pragma[noinline]
   private predicate parameterFlow(
-    ParameterNodeExt p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
+    ParamNode p, Ap ap, Ap ap0, DataFlowCallable c, Configuration config
   ) {
     revFlow(p, true, apSome(ap0), ap, config) and
     c = getNodeEnclosingCallable(p)
   }
 
-  predicate parameterMayFlowThrough(
-    ParameterNodeExt p, DataFlowCallable c, Ap ap, Configuration config
-  ) {
+  predicate parameterMayFlowThrough(ParamNode p, DataFlowCallable c, Ap ap, Configuration config) {
     exists(ReturnNodeExt ret, Ap ap0, ReturnKindExt kind, int pos |
       parameterFlow(p, ap, ap0, c, config) and
       c = getNodeEnclosingCallable(ret) and
@@ -2613,7 +2597,7 @@ private predicate nodeMayUseSummary(Node n, AccessPathApprox apa, Configuration
 
 private newtype TSummaryCtx =
   TSummaryCtxNone() or
-  TSummaryCtxSome(ParameterNodeExt p, AccessPath ap) {
+  TSummaryCtxSome(ParamNode p, AccessPath ap) {
     Stage4::parameterMayFlowThrough(p, _, ap.getApprox(), _)
   }
 
@@ -2634,7 +2618,7 @@ private class SummaryCtxNone extends SummaryCtx, TSummaryCtxNone {
 
 /** A summary context from which a flow summary can be generated. */
 private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {
-  private ParameterNodeExt p;
+  private ParamNode p;
   private AccessPath ap;
 
   SummaryCtxSome() { this = TSummaryCtxSome(p, ap) }
@@ -3242,7 +3226,7 @@ pragma[noinline]
 private predicate pathIntoArg(
   PathNodeMid mid, int i, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa
 ) {
-  exists(ArgumentNodeExt arg |
+  exists(ArgNode arg |
     arg = mid.getNode() and
     cc = mid.getCallContext() and
     arg.argumentOf(call, i) and
@@ -3255,7 +3239,7 @@ pragma[noinline]
 private predicate parameterCand(
   DataFlowCallable callable, int i, AccessPathApprox apa, Configuration config
 ) {
-  exists(ParameterNodeExt p |
+  exists(ParamNode p |
     Stage4::revFlow(p, _, _, apa, config) and
     p.isParameterOf(callable, i)
   )
@@ -3279,7 +3263,7 @@ private predicate pathIntoCallable0(
  * respectively.
  */
 private predicate pathIntoCallable(
-  PathNodeMid mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
+  PathNodeMid mid, ParamNode p, CallContext outercc, CallContextCall innercc, SummaryCtx sc,
   DataFlowCall call
 ) {
   exists(int i, DataFlowCallable callable, AccessPath ap |
@@ -3575,7 +3559,7 @@ private module FlowExploration {
 
   private newtype TSummaryCtx1 =
     TSummaryCtx1None() or
-    TSummaryCtx1Param(ParameterNodeExt p)
+    TSummaryCtx1Param(ParamNode p)
 
   private newtype TSummaryCtx2 =
     TSummaryCtx2None() or
@@ -3931,7 +3915,7 @@ private module FlowExploration {
     PartialPathNodeFwd mid, int i, CallContext cc, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       arg = mid.getNode() and
       cc = mid.getCallContext() and
       arg.argumentOf(call, i) and
@@ -3950,7 +3934,7 @@ private module FlowExploration {
   }
 
   private predicate partialPathIntoCallable(
-    PartialPathNodeFwd mid, ParameterNodeExt p, CallContext outercc, CallContextCall innercc,
+    PartialPathNodeFwd mid, ParamNode p, CallContext outercc, CallContextCall innercc,
     TSummaryCtx1 sc1, TSummaryCtx2 sc2, DataFlowCall call, PartialAccessPath ap,
     Configuration config
   ) {
@@ -3987,7 +3971,7 @@ private module FlowExploration {
     DataFlowCall call, PartialPathNodeFwd mid, ReturnKindExt kind, CallContext cc,
     PartialAccessPath ap, Configuration config
   ) {
-    exists(ParameterNodeExt p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
+    exists(ParamNode p, CallContext innercc, TSummaryCtx1 sc1, TSummaryCtx2 sc2 |
       partialPathIntoCallable(mid, p, cc, innercc, sc1, sc2, call, _, config) and
       paramFlowsThroughInPartialPath(kind, innercc, sc1, sc2, ap, config)
     )
@@ -4044,7 +4028,7 @@ private module FlowExploration {
       apConsRev(ap, c, ap0, config)
     )
     or
-    exists(ParameterNodeExt p |
+    exists(ParamNode p |
       mid.getNode() = p and
       viableParamArg(_, p, node) and
       sc1 = mid.getSummaryCtx1() and
@@ -4122,7 +4106,7 @@ private module FlowExploration {
     int pos, TRevSummaryCtx1Some sc1, TRevSummaryCtx2Some sc2, RevPartialAccessPath ap,
     Configuration config
   ) {
-    exists(PartialPathNodeRev mid, ParameterNodeExt p |
+    exists(PartialPathNodeRev mid, ParamNode p |
       mid.getNode() = p and
       p.isParameterOf(_, pos) and
       sc1 = mid.getSummaryCtx1() and
@@ -4145,7 +4129,7 @@ private module FlowExploration {
 
   pragma[nomagic]
   private predicate revPartialPathThroughCallable(
-    PartialPathNodeRev mid, ArgumentNodeExt node, RevPartialAccessPath ap, Configuration config
+    PartialPathNodeRev mid, ArgNode node, RevPartialAccessPath ap, Configuration config
   ) {
     exists(DataFlowCall call, int pos |
       revPartialPathThroughCallable0(call, mid, pos, ap, config) and
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
index b5ceabc605d..b8e08408911 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
@@ -35,24 +35,22 @@ predicate accessPathCostLimits(int apLimit, int tupleLimit) {
  * calls. For this reason, we cannot reuse the code from `DataFlowImpl.qll` directly.
  */
 private module LambdaFlow {
-  private predicate viableParamNonLambda(DataFlowCall call, int i, ParameterNodeExt p) {
+  private predicate viableParamNonLambda(DataFlowCall call, int i, ParamNode p) {
     p.isParameterOf(viableCallable(call), i)
   }
 
-  private predicate viableParamLambda(DataFlowCall call, int i, ParameterNodeExt p) {
+  private predicate viableParamLambda(DataFlowCall call, int i, ParamNode p) {
     p.isParameterOf(viableCallableLambda(call, _), i)
   }
 
-  private predicate viableParamArgNonLambda(
-    DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg
-  ) {
+  private predicate viableParamArgNonLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
     exists(int i |
       viableParamNonLambda(call, i, p) and
       arg.argumentOf(call, i)
     )
   }
 
-  private predicate viableParamArgLambda(DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg) {
+  private predicate viableParamArgLambda(DataFlowCall call, ParamNode p, ArgNode arg) {
     exists(int i |
       viableParamLambda(call, i, p) and
       arg.argumentOf(call, i)
@@ -120,7 +118,7 @@ private module LambdaFlow {
     boolean toJump, DataFlowCallOption lastCall
   ) {
     revLambdaFlow0(lambdaCall, kind, node, t, toReturn, toJump, lastCall) and
-    if castNode(node) or node instanceof ArgumentNodeExt or node instanceof ReturnNode
+    if castNode(node) or node instanceof ArgNode or node instanceof ReturnNode
     then compatibleTypes(t, getNodeDataFlowType(node))
     else any()
   }
@@ -178,7 +176,7 @@ private module LambdaFlow {
     )
     or
     // flow into a callable
-    exists(ParameterNodeExt p, DataFlowCallOption lastCall0, DataFlowCall call |
+    exists(ParamNode p, DataFlowCallOption lastCall0, DataFlowCall call |
       revLambdaFlowIn(lambdaCall, kind, p, t, toJump, lastCall0) and
       (
         if lastCall0 = TDataFlowCallNone() and toJump = false
@@ -229,8 +227,8 @@ private module LambdaFlow {
 
   pragma[nomagic]
   predicate revLambdaFlowIn(
-    DataFlowCall lambdaCall, LambdaCallKind kind, ParameterNodeExt p, DataFlowType t,
-    boolean toJump, DataFlowCallOption lastCall
+    DataFlowCall lambdaCall, LambdaCallKind kind, ParamNode p, DataFlowType t, boolean toJump,
+    DataFlowCallOption lastCall
   ) {
     revLambdaFlow(lambdaCall, kind, p, t, false, toJump, lastCall)
   }
@@ -276,7 +274,7 @@ private module Cached {
   predicate outNodeExt(Node n) {
     n instanceof OutNode
     or
-    n.(PostUpdateNode).getPreUpdateNode() instanceof ArgumentNodeExt
+    n.(PostUpdateNode).getPreUpdateNode() instanceof ArgNode
   }
 
   cached
@@ -286,7 +284,7 @@ private module Cached {
   OutNodeExt getAnOutNodeExt(DataFlowCall call, ReturnKindExt k) {
     result = getAnOutNode(call, k.(ValueReturnKind).getKind())
     or
-    exists(ArgumentNodeExt arg |
+    exists(ArgNode arg |
       result.(PostUpdateNode).getPreUpdateNode() = arg and
       arg.argumentOf(call, k.(ParamUpdateReturnKind).getPosition())
     )
@@ -296,7 +294,7 @@ private module Cached {
   predicate returnNodeExt(Node n, ReturnKindExt k) {
     k = TValueReturn(n.(ReturnNode).getKind())
     or
-    exists(ParameterNodeExt p, int pos |
+    exists(ParamNode p, int pos |
       parameterValueFlowsToPreUpdate(p, n) and
       p.isParameterOf(_, pos) and
       k = TParamUpdate(pos)
@@ -309,7 +307,7 @@ private module Cached {
   cached
   predicate castingNode(Node n) {
     castNode(n) or
-    n instanceof ParameterNodeExt or
+    n instanceof ParamNode or
     n instanceof OutNodeExt or
     // For reads, `x.f`, we want to check that the tracked type after the read (which
     // is obtained by popping the head of the access path stack) is compatible with
@@ -346,7 +344,7 @@ private module Cached {
    * The instance parameter is considered to have index `-1`.
    */
   pragma[nomagic]
-  private predicate viableParam(DataFlowCall call, int i, ParameterNodeExt p) {
+  private predicate viableParam(DataFlowCall call, int i, ParamNode p) {
     p.isParameterOf(viableCallableExt(call), i)
   }
 
@@ -355,7 +353,7 @@ private module Cached {
    * dispatch into account.
    */
   cached
-  predicate viableParamArg(DataFlowCall call, ParameterNodeExt p, ArgumentNodeExt arg) {
+  predicate viableParamArg(DataFlowCall call, ParamNode p, ArgNode arg) {
     exists(int i |
       viableParam(call, i, p) and
       arg.argumentOf(call, i) and
@@ -397,7 +395,7 @@ private module Cached {
        * `read` indicates whether it is contents of `p` that can flow to `node`.
        */
       pragma[nomagic]
-      private predicate parameterValueFlowCand(ParameterNodeExt p, Node node, boolean read) {
+      private predicate parameterValueFlowCand(ParamNode p, Node node, boolean read) {
         p = node and
         read = false
         or
@@ -415,27 +413,25 @@ private module Cached {
         )
         or
         // flow through: no prior read
-        exists(ArgumentNodeExt arg |
+        exists(ArgNode arg |
           parameterValueFlowArgCand(p, arg, false) and
           argumentValueFlowsThroughCand(arg, node, read)
         )
         or
         // flow through: no read inside method
-        exists(ArgumentNodeExt arg |
+        exists(ArgNode arg |
           parameterValueFlowArgCand(p, arg, read) and
           argumentValueFlowsThroughCand(arg, node, false)
         )
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlowArgCand(
-        ParameterNodeExt p, ArgumentNodeExt arg, boolean read
-      ) {
+      private predicate parameterValueFlowArgCand(ParamNode p, ArgNode arg, boolean read) {
         parameterValueFlowCand(p, arg, read)
       }
 
       pragma[nomagic]
-      predicate parameterValueFlowsToPreUpdateCand(ParameterNodeExt p, PostUpdateNode n) {
+      predicate parameterValueFlowsToPreUpdateCand(ParamNode p, PostUpdateNode n) {
         parameterValueFlowCand(p, n.getPreUpdateNode(), false)
       }
 
@@ -447,7 +443,7 @@ private module Cached {
        * `read` indicates whether it is contents of `p` that can flow to the return
        * node.
        */
-      predicate parameterValueFlowReturnCand(ParameterNodeExt p, ReturnKind kind, boolean read) {
+      predicate parameterValueFlowReturnCand(ParamNode p, ReturnKind kind, boolean read) {
         exists(ReturnNode ret |
           parameterValueFlowCand(p, ret, read) and
           kind = ret.getKind()
@@ -456,9 +452,9 @@ private module Cached {
 
       pragma[nomagic]
       private predicate argumentValueFlowsThroughCand0(
-        DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, boolean read
+        DataFlowCall call, ArgNode arg, ReturnKind kind, boolean read
       ) {
-        exists(ParameterNodeExt param | viableParamArg(call, param, arg) |
+        exists(ParamNode param | viableParamArg(call, param, arg) |
           parameterValueFlowReturnCand(param, kind, read)
         )
       }
@@ -469,14 +465,14 @@ private module Cached {
        *
        * `read` indicates whether it is contents of `arg` that can flow to `out`.
        */
-      predicate argumentValueFlowsThroughCand(ArgumentNodeExt arg, Node out, boolean read) {
+      predicate argumentValueFlowsThroughCand(ArgNode arg, Node out, boolean read) {
         exists(DataFlowCall call, ReturnKind kind |
           argumentValueFlowsThroughCand0(call, arg, kind, read) and
           out = getAnOutNode(call, kind)
         )
       }
 
-      predicate cand(ParameterNodeExt p, Node n) {
+      predicate cand(ParamNode p, Node n) {
         parameterValueFlowCand(p, n, _) and
         (
           parameterValueFlowReturnCand(p, _, _)
@@ -503,7 +499,7 @@ private module Cached {
        * If a read step was taken, then `read` captures the `Content`, the
        * container type, and the content type.
        */
-      predicate parameterValueFlow(ParameterNodeExt p, Node node, ReadStepTypesOption read) {
+      predicate parameterValueFlow(ParamNode p, Node node, ReadStepTypesOption read) {
         parameterValueFlow0(p, node, read) and
         if node instanceof CastingNode
         then
@@ -517,7 +513,7 @@ private module Cached {
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlow0(ParameterNodeExt p, Node node, ReadStepTypesOption read) {
+      private predicate parameterValueFlow0(ParamNode p, Node node, ReadStepTypesOption read) {
         p = node and
         Cand::cand(p, _) and
         read = TReadStepTypesNone()
@@ -542,34 +538,32 @@ private module Cached {
 
       pragma[nomagic]
       private predicate parameterValueFlow0_0(
-        ReadStepTypesOption mustBeNone, ParameterNodeExt p, Node node, ReadStepTypesOption read
+        ReadStepTypesOption mustBeNone, ParamNode p, Node node, ReadStepTypesOption read
       ) {
         // flow through: no prior read
-        exists(ArgumentNodeExt arg |
+        exists(ArgNode arg |
           parameterValueFlowArg(p, arg, mustBeNone) and
           argumentValueFlowsThrough(arg, read, node)
         )
         or
         // flow through: no read inside method
-        exists(ArgumentNodeExt arg |
+        exists(ArgNode arg |
           parameterValueFlowArg(p, arg, read) and
           argumentValueFlowsThrough(arg, mustBeNone, node)
         )
       }
 
       pragma[nomagic]
-      private predicate parameterValueFlowArg(
-        ParameterNodeExt p, ArgumentNodeExt arg, ReadStepTypesOption read
-      ) {
+      private predicate parameterValueFlowArg(ParamNode p, ArgNode arg, ReadStepTypesOption read) {
         parameterValueFlow(p, arg, read) and
         Cand::argumentValueFlowsThroughCand(arg, _, _)
       }
 
       pragma[nomagic]
       private predicate argumentValueFlowsThrough0(
-        DataFlowCall call, ArgumentNodeExt arg, ReturnKind kind, ReadStepTypesOption read
+        DataFlowCall call, ArgNode arg, ReturnKind kind, ReadStepTypesOption read
       ) {
-        exists(ParameterNodeExt param | viableParamArg(call, param, arg) |
+        exists(ParamNode param | viableParamArg(call, param, arg) |
           parameterValueFlowReturn(param, kind, read)
         )
       }
@@ -583,7 +577,7 @@ private module Cached {
        * container type, and the content type.
        */
       pragma[nomagic]
-      predicate argumentValueFlowsThrough(ArgumentNodeExt arg, ReadStepTypesOption read, Node out) {
+      predicate argumentValueFlowsThrough(ArgNode arg, ReadStepTypesOption read, Node out) {
         exists(DataFlowCall call, ReturnKind kind |
           argumentValueFlowsThrough0(call, arg, kind, read) and
           out = getAnOutNode(call, kind)
@@ -603,7 +597,7 @@ private module Cached {
        * value-preserving steps and a single read step, not taking call
        * contexts into account, thus representing a getter-step.
        */
-      predicate getterStep(ArgumentNodeExt arg, Content c, Node out) {
+      predicate getterStep(ArgNode arg, Content c, Node out) {
         argumentValueFlowsThrough(arg, TReadStepTypesSome(_, c, _), out)
       }
 
@@ -616,7 +610,7 @@ private module Cached {
        * container type, and the content type.
        */
       private predicate parameterValueFlowReturn(
-        ParameterNodeExt p, ReturnKind kind, ReadStepTypesOption read
+        ParamNode p, ReturnKind kind, ReadStepTypesOption read
       ) {
         exists(ReturnNode ret |
           parameterValueFlow(p, ret, read) and
@@ -722,7 +716,7 @@ private module Cached {
    * Holds if `p` can flow to the pre-update node associated with post-update
    * node `n`, in the same callable, using only value-preserving steps.
    */
-  private predicate parameterValueFlowsToPreUpdate(ParameterNodeExt p, PostUpdateNode n) {
+  private predicate parameterValueFlowsToPreUpdate(ParamNode p, PostUpdateNode n) {
     parameterValueFlow(p, n.getPreUpdateNode(), TReadStepTypesNone())
   }
 
@@ -778,8 +772,8 @@ private module Cached {
         // Does the language-specific simpleLocalFlowStep already model flow
         // from function input to output?
         fromPre = getAnOutNode(c, _) and
-        toPre.(ArgumentNodeExt).argumentOf(c, _) and
-        simpleLocalFlowStep(toPre.(ArgumentNodeExt), fromPre)
+        toPre.(ArgNode).argumentOf(c, _) and
+        simpleLocalFlowStep(toPre.(ArgNode), fromPre)
       )
       or
       argumentValueFlowsThrough(toPre, TReadStepTypesNone(), fromPre)
@@ -827,7 +821,7 @@ private module Cached {
   cached
   newtype TReturnKindExt =
     TValueReturn(ReturnKind kind) or
-    TParamUpdate(int pos) { exists(ParameterNodeExt p | p.isParameterOf(_, pos)) }
+    TParamUpdate(int pos) { exists(ParamNode p | p.isParameterOf(_, pos)) }
 
   cached
   newtype TBooleanOption =
@@ -942,7 +936,7 @@ class CallContextSomeCall extends CallContextCall, TSomeCall {
   override string toString() { result = "CcSomeCall" }
 
   override predicate relevantFor(DataFlowCallable callable) {
-    exists(ParameterNodeExt p | getNodeEnclosingCallable(p) = callable)
+    exists(ParamNode p | getNodeEnclosingCallable(p) = callable)
   }
 
   override predicate matchesCall(DataFlowCall call) { any() }
@@ -1005,8 +999,8 @@ LocalCallContext getLocalCallContext(CallContext ctx, DataFlowCallable callable)
  * The value of a parameter at function entry, viewed as a node in a data
  * flow graph.
  */
-class ParameterNodeExt extends Node {
-  ParameterNodeExt() { parameterNode(this, _, _) }
+class ParamNode extends Node {
+  ParamNode() { parameterNode(this, _, _) }
 
   /**
    * Holds if this node is the parameter of callable `c` at the specified
@@ -1016,8 +1010,8 @@ class ParameterNodeExt extends Node {
 }
 
 /** A data-flow node that represents a call argument. */
-class ArgumentNodeExt extends Node {
-  ArgumentNodeExt() { argumentNode(this, _, _) }
+class ArgNode extends Node {
+  ArgNode() { argumentNode(this, _, _) }
 
   /** Holds if this argument occurs at the given position in the given call. */
   final predicate argumentOf(DataFlowCall call, int pos) { argumentNode(this, call, pos) }

From 3e21f479a99e3bd5c85299755cc632c1c9da5383 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 11 May 2021 14:58:48 +0200
Subject: [PATCH 0994/1429] C++: Add change-note.

---
 cpp/change-notes/2021-03-11-overflow-abs.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 cpp/change-notes/2021-03-11-overflow-abs.md

diff --git a/cpp/change-notes/2021-03-11-overflow-abs.md b/cpp/change-notes/2021-03-11-overflow-abs.md
new file mode 100644
index 00000000000..66854412f72
--- /dev/null
+++ b/cpp/change-notes/2021-03-11-overflow-abs.md
@@ -0,0 +1,2 @@
+lgtm
+* The `cpp/tainted-arithmetic`, `cpp/arithmetic-with-extreme-values`, and `cpp/uncontrolled-arithmetic` queries now recognize more functions as returning the absolute value of their input. As a result, they produce fewer false positives.

From 56b1f15ddaaeb5b53267293933b3850058678f6c Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Date: Fri, 30 Apr 2021 19:18:35 -0400
Subject: [PATCH 0995/1429] [Java] Add taint tracking through Jackson
 deserialization

---
 .../jackson/JacksonSerializability.qll        | 19 ++++++++
 .../dataflow/taint-jackson/Test.java          | 38 +++++++++++++--
 .../dataflow/taint-jackson/dataFlow.expected  | 48 -------------------
 .../dataflow/taint-jackson/dataFlow.ql        | 29 ++++++++---
 .../jackson/databind/ObjectMapper.java        |  4 ++
 .../jackson/databind/ObjectReader.java        | 45 +++++++++++++++++
 6 files changed, 125 insertions(+), 58 deletions(-)
 create mode 100644 java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectReader.java

diff --git a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
index 3356e31d965..c028af71d8d 100644
--- a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
+++ b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
@@ -50,6 +50,15 @@ library class JacksonWriteValueMethod extends Method, TaintPreservingCallable {
   }
 }
 
+library class JacksonReadValueMethod extends Method, TaintPreservingCallable {
+  JacksonReadValueMethod() {
+    getDeclaringType().hasQualifiedName("com.fasterxml.jackson.databind", "ObjectReader") and
+    hasName("readValue")
+  }
+
+  override predicate returnsTaintFrom(int arg) { arg = 0 }
+}
+
 /** A type whose values are explicitly serialized in a call to a Jackson method. */
 library class ExplicitlyWrittenJacksonSerializableType extends JacksonSerializableType {
   ExplicitlyWrittenJacksonSerializableType() {
@@ -135,6 +144,16 @@ class JacksonDeserializableField extends DeserializableField {
   }
 }
 
+class JacksonDeserializableFieldAccess extends FieldAccess {
+  JacksonDeserializableFieldAccess() { getField() instanceof JacksonDeserializableField }
+}
+
+class JacksonDeseializedTaintStep extends AdditionalTaintStep {
+  override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
+    node2.asExpr().(JacksonDeserializableFieldAccess).getQualifier() = node1.asExpr()
+  }
+}
+
 /**
  * A call to the `addMixInAnnotations` or `addMixIn` Jackson method.
  *
diff --git a/java/ql/test/library-tests/dataflow/taint-jackson/Test.java b/java/ql/test/library-tests/dataflow/taint-jackson/Test.java
index 2caf9e4ee80..16b223ed2e8 100644
--- a/java/ql/test/library-tests/dataflow/taint-jackson/Test.java
+++ b/java/ql/test/library-tests/dataflow/taint-jackson/Test.java
@@ -8,28 +8,44 @@ import com.fasterxml.jackson.core.JsonFactory;
 import com.fasterxml.jackson.core.JsonGenerator;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.ObjectWriter;
+import com.fasterxml.jackson.databind.ObjectReader;
 
 class Test {
+	public static class Potato {
+		private String name;
+
+		private String getName() {
+			return name;
+		}
+	}
+
 	public static String taint() {
 		return "tainted";
 	}
 
+	public static void sink(Object any) {}
+
 	public static void jacksonObjectMapper() throws java.io.FileNotFoundException, java.io.UnsupportedEncodingException {
 		String s = taint();
 		ObjectMapper om = new ObjectMapper();
 		File file = new File("testFile");
 		om.writeValue(file, s);
+		sink(file); //$hasTaintFlow
 		OutputStream out = new FileOutputStream(file);
 		om.writeValue(out, s);
+		sink(file); //$hasTaintFlow
 		Writer writer = new StringWriter();
 		om.writeValue(writer, s);
+		sink(writer); //$hasTaintFlow
 		JsonGenerator generator = new JsonFactory().createGenerator(new StringWriter());
 		om.writeValue(generator, s);
+		sink(generator); //$hasTaintFlow
 		String t = om.writeValueAsString(s);
-		System.out.println(t);
+		sink(t); //$hasTaintFlow
 		byte[] bs = om.writeValueAsBytes(s);
 		String reconstructed = new String(bs, "utf-8");
-		System.out.println(reconstructed);
+		sink(bs); //$hasTaintFlow
+		sink(reconstructed); //$hasTaintFlow
 	}
 
 	public static void jacksonObjectWriter() throws java.io.FileNotFoundException, java.io.UnsupportedEncodingException {
@@ -37,16 +53,30 @@ class Test {
 		ObjectWriter ow = new ObjectWriter();
 		File file = new File("testFile");
 		ow.writeValue(file, s);
+		sink(file); //$hasTaintFlow
 		OutputStream out = new FileOutputStream(file);
 		ow.writeValue(out, s);
+		sink(out); //$hasTaintFlow
 		Writer writer = new StringWriter();
 		ow.writeValue(writer, s);
+		sink(writer); //$hasTaintFlow
 		JsonGenerator generator = new JsonFactory().createGenerator(new StringWriter());
 		ow.writeValue(generator, s);
+		sink(generator); //$hasTaintFlow
 		String t = ow.writeValueAsString(s);
-		System.out.println(t);
+		sink(t); //$hasTaintFlow
 		byte[] bs = ow.writeValueAsBytes(s);
 		String reconstructed = new String(bs, "utf-8");
-		System.out.println(reconstructed);
+		sink(bs); //$hasTaintFlow
+		sink(reconstructed); //$hasTaintFlow
+	}
+
+	public static void jacksonObjectReader() throws java.io.IOException {
+		String s = taint();
+		ObjectMapper om = new ObjectMapper();
+		ObjectReader reader = om.readerFor(Potato.class);
+		sink(reader.readValue(s));  //$hasTaintFlow
+		sink(reader.readValue(s, Potato.class).name);  //$hasTaintFlow
+		sink(reader.readValue(s, Potato.class).getName());  //$hasTaintFlow
 	}
 }
diff --git a/java/ql/test/library-tests/dataflow/taint-jackson/dataFlow.expected b/java/ql/test/library-tests/dataflow/taint-jackson/dataFlow.expected
index 122b21d50fe..e69de29bb2d 100644
--- a/java/ql/test/library-tests/dataflow/taint-jackson/dataFlow.expected
+++ b/java/ql/test/library-tests/dataflow/taint-jackson/dataFlow.expected
@@ -1,48 +0,0 @@
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java:10:43:10:54 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java:13:73:13:84 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java:16:44:16:55 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java:19:36:19:47 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java:22:35:22:46 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java:26:36:26:47 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectWriter.java:10:43:10:54 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectWriter.java:13:73:13:84 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectWriter.java:16:44:16:55 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectWriter.java:19:36:19:47 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectWriter.java:22:35:22:46 | value |
-| ../../../stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectWriter.java:26:36:26:47 | value |
-| Test.java:18:14:18:20 | taint(...) |
-| Test.java:21:17:21:20 | file [post update] |
-| Test.java:21:23:21:23 | s |
-| Test.java:22:43:22:46 | file |
-| Test.java:23:17:23:19 | out [post update] |
-| Test.java:23:22:23:22 | s |
-| Test.java:25:17:25:22 | writer [post update] |
-| Test.java:25:25:25:25 | s |
-| Test.java:27:17:27:25 | generator [post update] |
-| Test.java:27:28:27:28 | s |
-| Test.java:28:14:28:37 | writeValueAsString(...) |
-| Test.java:28:36:28:36 | s |
-| Test.java:29:22:29:22 | t |
-| Test.java:30:15:30:37 | writeValueAsBytes(...) |
-| Test.java:30:36:30:36 | s |
-| Test.java:31:26:31:48 | new String(...) |
-| Test.java:31:37:31:38 | bs |
-| Test.java:32:22:32:34 | reconstructed |
-| Test.java:36:14:36:20 | taint(...) |
-| Test.java:39:17:39:20 | file [post update] |
-| Test.java:39:23:39:23 | s |
-| Test.java:40:43:40:46 | file |
-| Test.java:41:17:41:19 | out [post update] |
-| Test.java:41:22:41:22 | s |
-| Test.java:43:17:43:22 | writer [post update] |
-| Test.java:43:25:43:25 | s |
-| Test.java:45:17:45:25 | generator [post update] |
-| Test.java:45:28:45:28 | s |
-| Test.java:46:14:46:37 | writeValueAsString(...) |
-| Test.java:46:36:46:36 | s |
-| Test.java:47:22:47:22 | t |
-| Test.java:48:15:48:37 | writeValueAsBytes(...) |
-| Test.java:48:36:48:36 | s |
-| Test.java:49:26:49:48 | new String(...) |
-| Test.java:49:37:49:38 | bs |
-| Test.java:50:22:50:34 | reconstructed |
diff --git a/java/ql/test/library-tests/dataflow/taint-jackson/dataFlow.ql b/java/ql/test/library-tests/dataflow/taint-jackson/dataFlow.ql
index 333cf485f07..3ee51339b7b 100644
--- a/java/ql/test/library-tests/dataflow/taint-jackson/dataFlow.ql
+++ b/java/ql/test/library-tests/dataflow/taint-jackson/dataFlow.ql
@@ -1,17 +1,34 @@
+import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
+import TestUtilities.InlineExpectationsTest
 
 class Conf extends TaintTracking::Configuration {
   Conf() { this = "qltest:dataflow:jackson" }
 
-  override predicate isSource(DataFlow::Node source) {
-    source.asExpr().(MethodAccess).getMethod().hasName("taint")
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+    or
+    n instanceof RemoteFlowSource
   }
 
-  override predicate isSink(DataFlow::Node sink) { any() }
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+  }
 }
 
-from DataFlow::Node source, DataFlow::Node sink, Conf config
-where config.hasFlow(source, sink)
-select sink
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = "hasTaintFlow" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasTaintFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java
index 455e0c0d309..af6218e4146 100644
--- a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java
+++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java
@@ -26,4 +26,8 @@ public class ObjectMapper {
   public String writeValueAsString(Object value) {
     return null;
   }
+
+  public ObjectReader readerFor(Class<?> type) {
+    return null;
+  }
 }
diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectReader.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectReader.java
new file mode 100644
index 00000000000..1916730da36
--- /dev/null
+++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectReader.java
@@ -0,0 +1,45 @@
+package com.fasterxml.jackson.databind;
+
+import java.io.*;
+
+public class ObjectReader {
+    public ObjectReader forType(Class<?> valueType) {
+        return null;
+    }
+
+    public <T> T readValue(String src) {
+        return null;
+    }
+
+    public <T> T readValue(String src, Class<T> valueType) throws IOException {
+        return null;
+    }
+
+    public <T> T readValue(byte[] content) throws IOException {
+        return null;
+    }
+
+    public <T> T readValue(byte[] content, Class<T> valueType) throws IOException {
+        return null;
+    }
+
+    public <T> T readValue(File src) throws IOException {
+        return null;
+    }
+
+    public <T> T readValue(InputStream src) throws IOException {
+        return null;
+    }
+
+    public <T> T readValue(InputStream src, Class<T> valueType) throws IOException {
+        return null;
+    }
+
+    public <T> T readValue(Reader src) throws IOException {
+        return null;
+    }
+
+    public <T> T readValue(Reader src, Class<T> valueType) throws IOException {
+        return null;
+    }
+}
\ No newline at end of file

From d0638db6e72836399061b506d029ad8a7d0e2f9d Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Date: Mon, 3 May 2021 12:02:40 -0400
Subject: [PATCH 0996/1429] [Java] Add data flow through Iterator deserializers
 for Jackson

---
 .../jackson/JacksonSerializability.qll        | 31 ++++++++++++----
 .../dataflow/taint-jackson/Test.java          | 15 ++++++++
 .../jackson/databind/MappingIterator.java     | 28 ++++++++++++++
 .../jackson/databind/ObjectReader.java        | 37 +++++++++++++++++++
 4 files changed, 104 insertions(+), 7 deletions(-)
 create mode 100644 java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/MappingIterator.java

diff --git a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
index c028af71d8d..1cfe34d7167 100644
--- a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
+++ b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
@@ -28,7 +28,7 @@ abstract class JacksonSerializableType extends Type { }
  * A method used for serializing objects using Jackson. The final parameter is the object to be
  * serialized.
  */
-library class JacksonWriteValueMethod extends Method, TaintPreservingCallable {
+private class JacksonWriteValueMethod extends Method, TaintPreservingCallable {
   JacksonWriteValueMethod() {
     (
       getDeclaringType().hasQualifiedName("com.fasterxml.jackson.databind", "ObjectWriter") or
@@ -50,17 +50,17 @@ library class JacksonWriteValueMethod extends Method, TaintPreservingCallable {
   }
 }
 
-library class JacksonReadValueMethod extends Method, TaintPreservingCallable {
+private class JacksonReadValueMethod extends Method, TaintPreservingCallable {
   JacksonReadValueMethod() {
     getDeclaringType().hasQualifiedName("com.fasterxml.jackson.databind", "ObjectReader") and
-    hasName("readValue")
+    hasName(["readValue", "readValues"])
   }
 
   override predicate returnsTaintFrom(int arg) { arg = 0 }
 }
 
 /** A type whose values are explicitly serialized in a call to a Jackson method. */
-library class ExplicitlyWrittenJacksonSerializableType extends JacksonSerializableType {
+private class ExplicitlyWrittenJacksonSerializableType extends JacksonSerializableType {
   ExplicitlyWrittenJacksonSerializableType() {
     exists(MethodAccess ma |
       // A call to a Jackson write method...
@@ -71,8 +71,20 @@ library class ExplicitlyWrittenJacksonSerializableType extends JacksonSerializab
   }
 }
 
+/** A type whose values are explicitly deserialized in a call to a Jackson method. */
+private class ExplicitlyReadJacksonSerializableType extends JacksonDeserializableType {
+  ExplicitlyReadJacksonSerializableType() {
+    exists(MethodAccess ma |
+      // A call to a Jackson write method...
+      ma.getMethod() instanceof JacksonReadValueMethod and
+      // ...where `this` is used in the final argument, indicating that this type will be deserialized.
+      usesType(ma.getArgument(ma.getNumArgument() - 1).getType(), this)
+    )
+  }
+}
+
 /** A type used in a `JacksonSerializableField` declaration. */
-library class FieldReferencedJacksonSerializableType extends JacksonSerializableType {
+private class FieldReferencedJacksonSerializableType extends JacksonSerializableType {
   FieldReferencedJacksonSerializableType() {
     exists(JacksonSerializableField f | usesType(f.getType(), this))
   }
@@ -105,7 +117,7 @@ private class TypeLiteralToJacksonDatabindFlowConfiguration extends DataFlow5::C
 }
 
 /** A type whose values are explicitly deserialized in a call to a Jackson method. */
-library class ExplicitlyReadJacksonDeserializableType extends JacksonDeserializableType {
+private class ExplicitlyReadJacksonDeserializableType extends JacksonDeserializableType {
   ExplicitlyReadJacksonDeserializableType() {
     exists(TypeLiteralToJacksonDatabindFlowConfiguration conf |
       usesType(conf.getSourceWithFlowToJacksonDatabind().getTypeName().getType(), this)
@@ -114,7 +126,7 @@ library class ExplicitlyReadJacksonDeserializableType extends JacksonDeserializa
 }
 
 /** A type used in a `JacksonDeserializableField` declaration. */
-library class FieldReferencedJacksonDeSerializableType extends JacksonDeserializableType {
+private class FieldReferencedJacksonDeSerializableType extends JacksonDeserializableType {
   FieldReferencedJacksonDeSerializableType() {
     exists(JacksonDeserializableField f | usesType(f.getType(), this))
   }
@@ -144,10 +156,15 @@ class JacksonDeserializableField extends DeserializableField {
   }
 }
 
+/** A call to a field that may be deserialized using the Jackson JSON framework. */
 class JacksonDeserializableFieldAccess extends FieldAccess {
   JacksonDeserializableFieldAccess() { getField() instanceof JacksonDeserializableField }
 }
 
+/**
+ * When an object is deserialized by the Jackson JSON framework using a tainted input source,
+ * the fields that the framework deserialized are themselves tainted input data.
+ */
 class JacksonDeseializedTaintStep extends AdditionalTaintStep {
   override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
     node2.asExpr().(JacksonDeserializableFieldAccess).getQualifier() = node1.asExpr()
diff --git a/java/ql/test/library-tests/dataflow/taint-jackson/Test.java b/java/ql/test/library-tests/dataflow/taint-jackson/Test.java
index 16b223ed2e8..26f9182339a 100644
--- a/java/ql/test/library-tests/dataflow/taint-jackson/Test.java
+++ b/java/ql/test/library-tests/dataflow/taint-jackson/Test.java
@@ -3,6 +3,7 @@ import java.io.FileOutputStream;
 import java.io.OutputStream;
 import java.io.StringWriter;
 import java.io.Writer;
+import java.util.Iterator;
 
 import com.fasterxml.jackson.core.JsonFactory;
 import com.fasterxml.jackson.core.JsonGenerator;
@@ -79,4 +80,18 @@ class Test {
 		sink(reader.readValue(s, Potato.class).name);  //$hasTaintFlow
 		sink(reader.readValue(s, Potato.class).getName());  //$hasTaintFlow
 	}
+
+	public static void jacksonObjectReaderIterable() throws java.io.IOException {
+		String s = taint();
+		ObjectMapper om = new ObjectMapper();
+		ObjectReader reader = om.readerFor(Potato.class);
+		sink(reader.readValues(s));  //$hasTaintFlow
+		Iterator<Potato> pIterator = reader.readValues(s, Potato.class);
+		while(pIterator.hasNext()) {
+			Potato p = pIterator.next();
+			sink(p); //$hasTaintFlow
+			sink(p.name); //$hasTaintFlow
+			sink(p.getName()); //$hasTaintFlow
+		}
+	}
 }
diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/MappingIterator.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/MappingIterator.java
new file mode 100644
index 00000000000..72e08df2719
--- /dev/null
+++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/MappingIterator.java
@@ -0,0 +1,28 @@
+package com.fasterxml.jackson.databind;
+
+import java.io.Closeable;
+import java.io.IOException;
+import java.util.*;
+
+public class MappingIterator<T> implements Iterator<T>, Closeable {
+
+    @Override
+    public boolean hasNext() {
+        return false;
+    }
+
+    @Override
+    public T next() {
+        return null;
+    }
+
+    @Override
+    public void remove() {
+        
+    }
+
+    @Override
+    public void close() throws IOException {
+        
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectReader.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectReader.java
index 1916730da36..875c07dace3 100644
--- a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectReader.java
+++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectReader.java
@@ -42,4 +42,41 @@ public class ObjectReader {
     public <T> T readValue(Reader src, Class<T> valueType) throws IOException {
         return null;
     }
+
+    public <T> MappingIterator<T> readValues(String src) {
+        return null;
+    }
+
+    public <T> MappingIterator<T> readValues(String src, Class<T> valueType) throws IOException {
+        return null;
+    }
+
+    public <T> MappingIterator<T> readValues(byte[] content) throws IOException {
+        return null;
+    }
+
+    public <T> MappingIterator<T> readValues(byte[] content, Class<T> valueType) throws IOException {
+        return null;
+    }
+
+    public <T> MappingIterator<T> readValues(File src) throws IOException {
+        return null;
+    }
+
+    public <T> MappingIterator<T> readValues(InputStream src) throws IOException {
+        return null;
+    }
+
+    public <T> MappingIterator<T> readValues(InputStream src, Class<T> valueType) throws IOException {
+        return null;
+    }
+
+    public <T> MappingIterator<T> readValues(Reader src) throws IOException {
+        return null;
+    }
+
+    public <T> MappingIterator<T> readValues(Reader src, Class<T> valueType) throws IOException {
+        return null;
+    }
+
 }
\ No newline at end of file

From d0b0b767a28d98ce40d3c2fddee477608757cdcd Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <jonathan.leitschuh@gmail.com>
Date: Mon, 3 May 2021 12:23:33 -0400
Subject: [PATCH 0997/1429] Apply suggestions from code review

Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
---
 .../code/java/frameworks/jackson/JacksonSerializability.qll | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
index 1cfe34d7167..2ddb12e828d 100644
--- a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
+++ b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
@@ -75,7 +75,7 @@ private class ExplicitlyWrittenJacksonSerializableType extends JacksonSerializab
 private class ExplicitlyReadJacksonSerializableType extends JacksonDeserializableType {
   ExplicitlyReadJacksonSerializableType() {
     exists(MethodAccess ma |
-      // A call to a Jackson write method...
+      // A call to a Jackson read method...
       ma.getMethod() instanceof JacksonReadValueMethod and
       // ...where `this` is used in the final argument, indicating that this type will be deserialized.
       usesType(ma.getArgument(ma.getNumArgument() - 1).getType(), this)
@@ -126,8 +126,8 @@ private class ExplicitlyReadJacksonDeserializableType extends JacksonDeserializa
 }
 
 /** A type used in a `JacksonDeserializableField` declaration. */
-private class FieldReferencedJacksonDeSerializableType extends JacksonDeserializableType {
-  FieldReferencedJacksonDeSerializableType() {
+private class FieldReferencedJacksonDeserializableType extends JacksonDeserializableType {
+  FieldReferencedJacksonDeserializableType() {
     exists(JacksonDeserializableField f | usesType(f.getType(), this))
   }
 }

From b871f48c509b960c75847903300f7cbf7664fb6a Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Date: Mon, 3 May 2021 12:40:48 -0400
Subject: [PATCH 0998/1429] [Java] Add release note to Jackson change

---
 .../change-notes/2021-05-03-jackson-dataflow-deserialization.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 java/change-notes/2021-05-03-jackson-dataflow-deserialization.md

diff --git a/java/change-notes/2021-05-03-jackson-dataflow-deserialization.md b/java/change-notes/2021-05-03-jackson-dataflow-deserialization.md
new file mode 100644
index 00000000000..475f8dbee4f
--- /dev/null
+++ b/java/change-notes/2021-05-03-jackson-dataflow-deserialization.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Increase coverage of dataflow through Jackson JSON deserialized objects.

From 83d527ed190331f4ecdb165539423922ee1f704a Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <jonathan.leitschuh@gmail.com>
Date: Mon, 3 May 2021 13:39:54 -0400
Subject: [PATCH 0999/1429] Apply suggestions from code review

Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
---
 .../code/java/frameworks/jackson/JacksonSerializability.qll     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
index 2ddb12e828d..0b75aff2b24 100644
--- a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
+++ b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
@@ -165,7 +165,7 @@ class JacksonDeserializableFieldAccess extends FieldAccess {
  * When an object is deserialized by the Jackson JSON framework using a tainted input source,
  * the fields that the framework deserialized are themselves tainted input data.
  */
-class JacksonDeseializedTaintStep extends AdditionalTaintStep {
+class JacksonDeserializedTaintStep extends AdditionalTaintStep {
   override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
     node2.asExpr().(JacksonDeserializableFieldAccess).getQualifier() = node1.asExpr()
   }

From e97bad3b3395d3a6143b515bba1b12c344a881d2 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Date: Tue, 4 May 2021 10:58:20 -0400
Subject: [PATCH 1000/1429] Support field access data flow for
 JacksonDeserializedTaintStep

---
 .../code/java/frameworks/jackson/JacksonSerializability.qll     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
index 0b75aff2b24..8cc70c5f36a 100644
--- a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
+++ b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
@@ -167,7 +167,7 @@ class JacksonDeserializableFieldAccess extends FieldAccess {
  */
 class JacksonDeserializedTaintStep extends AdditionalTaintStep {
   override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
-    node2.asExpr().(JacksonDeserializableFieldAccess).getQualifier() = node1.asExpr()
+    DataFlow::getFieldQualifier(node2.asExpr().(JacksonDeserializableFieldAccess)) = node1
   }
 }
 

From bacc3ef5b3699f03bff628e8ca1196c0f7095342 Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Date: Mon, 10 May 2021 17:20:14 -0400
Subject: [PATCH 1001/1429] [Java] Jackson add support for 2 step
 deserialization taint flow

---
 .../semmle/code/java/dataflow/ExternalFlow.qll    |  1 +
 .../frameworks/jackson/JacksonSerializability.qll | 11 +++++++++++
 .../dataflow/taint-jackson/Test.java              | 15 +++++++++++++++
 .../com/fasterxml/jackson/databind/JsonNode.java  |  4 +++-
 .../fasterxml/jackson/databind/ObjectMapper.java  |  8 ++++++++
 5 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index df529b49efb..1ec81d1e3ac 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -77,6 +77,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.ApacheHttp
   private import semmle.code.java.frameworks.apache.Lang
   private import semmle.code.java.frameworks.guava.Guava
+  private import semmle.code.java.frameworks.jackson.JacksonSerializability
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.XSS
   private import semmle.code.java.security.LdapInjection
diff --git a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
index 8cc70c5f36a..ad35a802d43 100644
--- a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
+++ b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
@@ -9,6 +9,7 @@ import semmle.code.java.Reflection
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.DataFlow5
 import semmle.code.java.dataflow.FlowSteps
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A `@com.fasterxml.jackson.annotation.JsonIgnore` annoation.
@@ -275,3 +276,13 @@ class JacksonMixedInCallable extends Callable {
     )
   }
 }
+
+private class JacksonModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "com.fasterxml.jackson.databind;ObjectMapper;true;valueToTree;;;Argument[0];ReturnValue;taint",
+        "com.fasterxml.jackson.databind;ObjectMapper;true;convertValue;;;Argument[0];ReturnValue;taint"
+      ]
+  }
+}
diff --git a/java/ql/test/library-tests/dataflow/taint-jackson/Test.java b/java/ql/test/library-tests/dataflow/taint-jackson/Test.java
index 26f9182339a..3be85336e26 100644
--- a/java/ql/test/library-tests/dataflow/taint-jackson/Test.java
+++ b/java/ql/test/library-tests/dataflow/taint-jackson/Test.java
@@ -4,9 +4,12 @@ import java.io.OutputStream;
 import java.io.StringWriter;
 import java.io.Writer;
 import java.util.Iterator;
+import java.util.HashMap;
+import java.util.Map;
 
 import com.fasterxml.jackson.core.JsonFactory;
 import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.ObjectWriter;
 import com.fasterxml.jackson.databind.ObjectReader;
@@ -94,4 +97,16 @@ class Test {
 			sink(p.getName()); //$hasTaintFlow
 		}
 	}
+
+	public static void jacksonTwoStepDeserialization() throws java.io.IOException {
+		String s = taint();
+		Map<String, Object> taintedParams = new HashMap<>();
+		taintedParams.put("name", s);
+		ObjectMapper om = new ObjectMapper();
+		JsonNode jn = om.valueToTree(taintedParams);
+		sink(jn); //$hasTaintFlow
+		Potato p = om.convertValue(jn, Potato.class);
+		sink(p); //$hasTaintFlow
+		sink(p.getName()); //$hasTaintFlow
+	}
 }
diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JsonNode.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JsonNode.java
index a26eb2592c6..ad3da15a26c 100644
--- a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JsonNode.java
+++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JsonNode.java
@@ -1,6 +1,8 @@
 package com.fasterxml.jackson.databind;
 
-public class JsonNode {
+import java.util.*;
+
+public abstract class JsonNode implements Iterable<JsonNode> {
     public JsonNode() {
     }
 }
\ No newline at end of file
diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java
index af6218e4146..71dc99a351d 100644
--- a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java
+++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectMapper.java
@@ -30,4 +30,12 @@ public class ObjectMapper {
   public ObjectReader readerFor(Class<?> type) {
     return null;
   }
+
+  public <T extends JsonNode> T valueToTree(Object fromValue) throws IllegalArgumentException {
+    return null;
+  }
+
+  public <T> T convertValue(Object fromValue, Class<T> toValueType) throws IllegalArgumentException {
+    return null;
+  }
 }

From 5a68ac88efdf272c2f3e6dd9a9c5393b582bbcec Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Date: Tue, 11 May 2021 10:48:22 -0400
Subject: [PATCH 1002/1429] Cleanup Jackson logic after code review

---
 .../jackson/JacksonSerializability.qll        | 19 +++++++------------
 .../dataflow/taint-jackson/dataFlow.ql        |  2 +-
 .../fasterxml/jackson/databind/JsonNode.java  |  2 +-
 .../jackson/databind/MappingIterator.java     |  2 +-
 .../jackson/databind/ObjectReader.java        |  2 +-
 5 files changed, 11 insertions(+), 16 deletions(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
index ad35a802d43..09fd419642e 100644
--- a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
+++ b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
@@ -72,18 +72,6 @@ private class ExplicitlyWrittenJacksonSerializableType extends JacksonSerializab
   }
 }
 
-/** A type whose values are explicitly deserialized in a call to a Jackson method. */
-private class ExplicitlyReadJacksonSerializableType extends JacksonDeserializableType {
-  ExplicitlyReadJacksonSerializableType() {
-    exists(MethodAccess ma |
-      // A call to a Jackson read method...
-      ma.getMethod() instanceof JacksonReadValueMethod and
-      // ...where `this` is used in the final argument, indicating that this type will be deserialized.
-      usesType(ma.getArgument(ma.getNumArgument() - 1).getType(), this)
-    )
-  }
-}
-
 /** A type used in a `JacksonSerializableField` declaration. */
 private class FieldReferencedJacksonSerializableType extends JacksonSerializableType {
   FieldReferencedJacksonSerializableType() {
@@ -123,6 +111,13 @@ private class ExplicitlyReadJacksonDeserializableType extends JacksonDeserializa
     exists(TypeLiteralToJacksonDatabindFlowConfiguration conf |
       usesType(conf.getSourceWithFlowToJacksonDatabind().getTypeName().getType(), this)
     )
+    or
+    exists(MethodAccess ma |
+      // A call to a Jackson read method...
+      ma.getMethod() instanceof JacksonReadValueMethod and
+      // ...where `this` is used in the final argument, indicating that this type will be deserialized.
+      usesType(ma.getArgument(ma.getNumArgument() - 1).getType(), this)
+    )
   }
 }
 
diff --git a/java/ql/test/library-tests/dataflow/taint-jackson/dataFlow.ql b/java/ql/test/library-tests/dataflow/taint-jackson/dataFlow.ql
index 3ee51339b7b..0836906530b 100644
--- a/java/ql/test/library-tests/dataflow/taint-jackson/dataFlow.ql
+++ b/java/ql/test/library-tests/dataflow/taint-jackson/dataFlow.ql
@@ -31,4 +31,4 @@ class HasFlowTest extends InlineExpectationsTest {
       value = ""
     )
   }
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JsonNode.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JsonNode.java
index ad3da15a26c..b04572cd4da 100644
--- a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JsonNode.java
+++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/JsonNode.java
@@ -5,4 +5,4 @@ import java.util.*;
 public abstract class JsonNode implements Iterable<JsonNode> {
     public JsonNode() {
     }
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/MappingIterator.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/MappingIterator.java
index 72e08df2719..ac427ef01c9 100644
--- a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/MappingIterator.java
+++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/MappingIterator.java
@@ -25,4 +25,4 @@ public class MappingIterator<T> implements Iterator<T>, Closeable {
     public void close() throws IOException {
         
     }
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectReader.java b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectReader.java
index 875c07dace3..f067a3e95a4 100644
--- a/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectReader.java
+++ b/java/ql/test/stubs/jackson-databind-2.10/com/fasterxml/jackson/databind/ObjectReader.java
@@ -79,4 +79,4 @@ public class ObjectReader {
         return null;
     }
 
-}
\ No newline at end of file
+}

From e7cd6c997208b742129bd72c0715a27790130211 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Tue, 11 May 2021 16:56:12 +0000
Subject: [PATCH 1003/1429] Optimize the query

---
 .../Security/CWE/CWE-094/JythonInjection.java |  6 ++--
 .../Security/CWE/CWE-094/JythonInjection.ql   | 35 +++++++++----------
 .../security/CWE-094/JythonInjection.java     |  4 +--
 3 files changed, 22 insertions(+), 23 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.java b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.java
index fca518443d1..5c1796e1f60 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.java
@@ -1,3 +1,5 @@
+import org.python.util.PythonInterpreter;
+
 public class JythonInjection extends HttpServlet {
     protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
         response.setContentType("text/plain");
@@ -10,7 +12,7 @@ public class JythonInjection extends HttpServlet {
             interpreter.setOut(out);
             interpreter.setErr(out);
 
-            // BAD: allow arbitrary Jython expression to execute
+            // BAD: allow execution of arbitrary Python code
             interpreter.exec(code);
             out.flush();
 
@@ -32,7 +34,7 @@ public class JythonInjection extends HttpServlet {
 
         try {
             interpreter = new PythonInterpreter();
-            // BAD: allow arbitrary Jython expression to evaluate
+            // BAD: allow execution of arbitrary Python code
             PyObject py = interpreter.eval(code);
 
             response.getWriter().print(py.toString());
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
index 088c33e00fd..9991c0901dc 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
@@ -11,6 +11,7 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.frameworks.spring.SpringController
 import DataFlow::PathGraph
 
 /** The class `org.python.util.PythonInterpreter`. */
@@ -22,12 +23,7 @@ class PythonInterpreter extends RefType {
 class InterpretExprMethod extends Method {
   InterpretExprMethod() {
     this.getDeclaringType().getAnAncestor*() instanceof PythonInterpreter and
-    (
-      getName().matches("exec%") or
-      hasName("eval") or
-      hasName("compile") or
-      getName().matches("run%")
-    )
+    getName().matches(["exec%", "run%", "eval", "compile"])
   }
 }
 
@@ -48,14 +44,14 @@ predicate runCode(MethodAccess ma, Expr sink) {
 class LoadClassMethod extends Method {
   LoadClassMethod() {
     this.getDeclaringType().getAnAncestor*() instanceof BytecodeLoader and
-    (
-      hasName("makeClass") or
-      hasName("makeCode")
-    )
+    hasName(["makeClass", "makeCode"])
   }
 }
 
-/** Holds if a Java class file is loaded. */
+/**
+ * Holds if `ma` is a call to a class-loading method, and `sink` is the byte array
+ * representing the class to be loaded.
+ */
 predicate loadClass(MethodAccess ma, Expr sink) {
   exists(Method m, int i | m = ma.getMethod() |
     m instanceof LoadClassMethod and
@@ -69,7 +65,7 @@ class Py extends RefType {
   Py() { this.hasQualifiedName("org.python.core", "Py") }
 }
 
-/** A method that compiles code with `Py`. */
+/** A method declared on class `Py` or one of its descendants that compiles Python code. */
 class PyCompileMethod extends Method {
   PyCompileMethod() {
     this.getDeclaringType().getAnAncestor*() instanceof Py and
@@ -85,7 +81,7 @@ predicate compile(MethodAccess ma, Expr sink) {
   )
 }
 
-/** Sink of an expression loaded by Jython. */
+/** An expression loaded by Jython. */
 class CodeInjectionSink extends DataFlow::ExprNode {
   CodeInjectionSink() {
     runCode(_, this.getExpr()) or
@@ -103,17 +99,18 @@ class CodeInjectionSink extends DataFlow::ExprNode {
 class CodeInjectionConfiguration extends TaintTracking::Configuration {
   CodeInjectionConfiguration() { this = "CodeInjectionConfiguration" }
 
-  override predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource
-    or
-    source instanceof LocalUserInput
-  }
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
 
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
     // @RequestBody MyQueryObj query; interpreter.exec(query.getInterpreterCode());
-    exists(MethodAccess ma | ma.getQualifier() = node1.asExpr() and ma = node2.asExpr())
+    exists(MethodAccess ma |
+      ma.getMethod().getDeclaringType().getASubtype*() instanceof SpringUntrustedDataType and
+      not ma.getMethod().getDeclaringType() instanceof TypeObject and
+      ma.getQualifier() = node1.asExpr() and
+      ma = node2.asExpr()
+    )
   }
 }
 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.java b/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.java
index 682e8af5113..f9b29fec6cc 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.java
@@ -22,7 +22,7 @@ public class JythonInjection extends HttpServlet {
         super();
     }
 
-    // BAD: allow arbitrary Jython expression to execute
+    // BAD: allow execution of arbitrary Python code
     protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
         response.setContentType("text/plain");
         String code = request.getParameter("code");
@@ -47,7 +47,7 @@ public class JythonInjection extends HttpServlet {
         }
     }
 
-    // BAD: allow arbitrary Jython expression to evaluate
+    // BAD: allow execution of arbitrary Python code
     protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
         response.setContentType("text/plain");
         String code = request.getParameter("code");

From 8969da7775e88116959fee9ff79c5d3396233d79 Mon Sep 17 00:00:00 2001
From: Marcono1234 <Marcono1234@users.noreply.github.com>
Date: Tue, 11 May 2021 19:21:40 +0200
Subject: [PATCH 1004/1429] Java: Improve not closing resource query; add tests

---
 .../Likely Bugs/Resource Leaks/CloseReader.ql |   4 +-
 .../Likely Bugs/Resource Leaks/CloseWriter.ql |   6 +-
 .../CloseReader/CloseReader.expected          |   6 +-
 .../CloseReader/CloseReader.java              |  89 ++++++++----
 .../CloseReader/CloseReader.qlref             |   2 +-
 .../CloseWriter/CloseWriter.expected          |   3 +
 .../CloseWriter/CloseWriter.java              | 131 ++++++++++++++++++
 .../CloseWriter/CloseWriter.qlref             |   1 +
 8 files changed, 205 insertions(+), 37 deletions(-)
 create mode 100644 java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.expected
 create mode 100644 java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.java
 create mode 100644 java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.qlref

diff --git a/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql b/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql
index 5993bd1de2b..73a9c81f343 100644
--- a/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql	
+++ b/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql	
@@ -17,14 +17,14 @@ import CloseType
 
 predicate readerType(RefType t) {
   exists(RefType sup | sup = t.getASupertype*() |
-    sup.hasName(["Reader", "InputStream"]) or
+    sup.hasQualifiedName("java.io", ["Reader", "InputStream"]) or
     sup.hasQualifiedName("java.util.zip", "ZipFile")
   )
 }
 
 predicate safeReaderType(RefType t) {
   exists(RefType sup | sup = t.getASupertype*() |
-    sup.hasName(["CharArrayReader", "StringReader", "ByteArrayInputStream"])
+    sup.hasQualifiedName("java.io", ["CharArrayReader", "StringReader", "ByteArrayInputStream"])
   )
 }
 
diff --git a/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.ql b/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.ql
index 824951f86f5..a0714fe3a2f 100644
--- a/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.ql	
+++ b/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.ql	
@@ -16,12 +16,14 @@
 import CloseType
 
 predicate writerType(RefType t) {
-  exists(RefType sup | sup = t.getASupertype*() | sup.hasName(["Writer", "OutputStream"]))
+  exists(RefType sup | sup = t.getASupertype*() |
+    sup.hasQualifiedName("java.io", ["Writer", "OutputStream"])
+  )
 }
 
 predicate safeWriterType(RefType t) {
   exists(RefType sup | sup = t.getASupertype*() |
-    sup.hasName(["CharArrayWriter", "StringWriter", "ByteArrayOutputStream"])
+    sup.hasQualifiedName("java.io", ["CharArrayWriter", "StringWriter", "ByteArrayOutputStream"])
   )
 }
 
diff --git a/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.expected b/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.expected
index 12d09e0d65a..e76a4c6d1e4 100644
--- a/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.expected
+++ b/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.expected
@@ -1,2 +1,4 @@
-| CloseReader.java:11:42:11:71 | new FileReader(...) | This FileReader is not always closed on method exit. |
-| CloseReader.java:44:6:44:40 | new FileInputStream(...) | This FileInputStream is not always closed on method exit. |
+| CloseReader.java:18:42:18:71 | new FileReader(...) | This FileReader is not always closed on method exit. |
+| CloseReader.java:23:20:23:50 | new FileInputStream(...) | This FileInputStream is not always closed on method exit. |
+| CloseReader.java:33:6:33:40 | new FileInputStream(...) | This FileInputStream is not always closed on method exit. |
+| CloseReader.java:43:21:43:43 | new ZipFile(...) | This ZipFile is not always closed on method exit. |
diff --git a/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.java b/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.java
index 7d78f8dbfef..b77afc49105 100644
--- a/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.java
+++ b/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.java
@@ -1,41 +1,30 @@
 import java.io.BufferedReader;
+import java.io.ByteArrayInputStream;
+import java.io.CharArrayReader;
+import java.io.Closeable;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileReader;
-import java.io.IOException;
+import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.io.IOException;
+import java.io.Reader;
+import java.io.StringReader;
+import java.util.zip.ZipFile;
 
 class CloseReader {
 
-	public static void test1() throws IOException {
+	void test1() throws IOException {
 		BufferedReader br = new BufferedReader(new FileReader("C:\\test.txt"));
 		System.out.println(br.readLine());
 	}
 
-	public static void test2() throws FileNotFoundException, IOException {
-		BufferedReader br = null;
-		try {
-			br = new BufferedReader(new FileReader("C:\\test.txt"));
-			System.out.println(br.readLine());
-		}
-		finally {
-			if(br != null)
-				br.close();  // 'br' is closed
-		}
+	void test2() throws IOException {
+		InputStream in = new FileInputStream("file.bin");
+		in.read();
 	}
 
-	public static void test3() throws IOException {
-		BufferedReader br = null;
-		try {
-			br = new BufferedReader(new FileReader("C:\\test.txt"));
-			System.out.println(br.readLine());
-		}
-		finally {
-			cleanup(br); // 'br' is closed within a helper method
-		}
-	}
-
-	public static void test4() throws IOException {
+	void test3() throws IOException {
 		InputStreamReader reader = null;
 		try {
 			// InputStreamReader may throw an exception, in which case the ...
@@ -50,7 +39,35 @@ class CloseReader {
 		}
 	}
 
-	public static void test5() throws IOException {
+	void test4() throws IOException {
+		ZipFile zipFile = new ZipFile("file.zip");
+		System.out.println(zipFile.getComment());
+	}
+
+	void testCorrect1() throws IOException {
+		BufferedReader br = null;
+		try {
+			br = new BufferedReader(new FileReader("C:\\test.txt"));
+			System.out.println(br.readLine());
+		}
+		finally {
+			if(br != null)
+				br.close();  // 'br' is closed
+		}
+	}
+
+	void testCorrect2() throws IOException {
+		BufferedReader br = null;
+		try {
+			br = new BufferedReader(new FileReader("C:\\test.txt"));
+			System.out.println(br.readLine());
+		}
+		finally {
+			cleanup(br); // 'br' is closed within a helper method
+		}
+	}
+
+	void testCorrect3() throws IOException {
 		FileInputStream fis = null;
 		InputStreamReader reader = null;
 		try {
@@ -66,7 +83,7 @@ class CloseReader {
 		}
 	}
 
-	public static void test6() throws IOException {
+	void testCorrect4() throws IOException {
 		BufferedReader br = null;
 		try {
 			br = new BufferedReader(new FileReader("C:\\test.txt"));
@@ -77,15 +94,15 @@ class CloseReader {
 		}
 	}
 
-	public static void cleanup(java.io.Closeable... closeables) throws IOException {
-		for (java.io.Closeable c : closeables) {
+	void cleanup(Closeable... closeables) throws IOException {
+		for (Closeable c : closeables) {
 			if (c != null) {
 				c.close();
 			}
 		}
 	}
 
-	public static class LogFile {
+	static class LogFile {
 		private BufferedReader fileRd;
 		LogFile(String path) {
 			FileReader fr = null;
@@ -100,9 +117,21 @@ class CloseReader {
 		private void init(InputStreamReader reader) {
 			fileRd = new BufferedReader(reader);
 		}
-		public void readStuff() throws java.io.IOException {
+		public void readStuff() throws IOException {
 			System.out.println(fileRd.readLine());
 			fileRd.close();
 		}
 	}
+
+	// Classes which should be ignored
+	void testIgnore() throws IOException {
+		Reader r1 = new CharArrayReader(new char[] {'a'});
+		r1.read();
+
+		Reader r2 = new StringReader("a");
+		r2.read();
+
+		InputStream i1 = new ByteArrayInputStream(new byte[] {1});
+		i1.read();
+	}
 }
diff --git a/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.qlref b/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.qlref
index 3c76645e809..1c808bb9f46 100644
--- a/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.qlref
+++ b/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.qlref
@@ -1 +1 @@
-Likely Bugs/Resource Leaks/CloseReader.ql
\ No newline at end of file
+Likely Bugs/Resource Leaks/CloseReader.ql
diff --git a/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.expected b/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.expected
new file mode 100644
index 00000000000..efbfe15f2c9
--- /dev/null
+++ b/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.expected
@@ -0,0 +1,3 @@
+| CloseWriter.java:17:42:17:71 | new FileWriter(...) | This FileWriter is not always closed on method exit. |
+| CloseWriter.java:22:22:22:53 | new FileOutputStream(...) | This FileOutputStream is not always closed on method exit. |
+| CloseWriter.java:32:6:32:41 | new FileOutputStream(...) | This FileOutputStream is not always closed on method exit. |
diff --git a/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.java b/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.java
new file mode 100644
index 00000000000..3733237b8de
--- /dev/null
+++ b/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.java
@@ -0,0 +1,131 @@
+import java.io.BufferedWriter;
+import java.io.ByteArrayOutputStream;
+import java.io.CharArrayWriter;
+import java.io.Closeable;
+import java.io.FileOutputStream;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.OutputStreamWriter;
+import java.io.StringWriter;
+import java.io.Writer;
+import java.util.zip.ZipFile;
+
+class CloseWriter {
+
+	void test1() throws IOException {
+		BufferedWriter bw = new BufferedWriter(new FileWriter("C:\\test.txt"));
+		bw.write("test");
+	}
+
+	void test2() throws IOException {
+		OutputStream out = new FileOutputStream("test.bin");
+		out.write(1);
+	}
+
+	void test3() throws IOException {
+		OutputStreamWriter writer = null;
+		try {
+			// OutputStreamWriter may throw an exception, in which case the ...
+			writer = new OutputStreamWriter(
+					// ... FileOutputStream is not closed by the finally block
+					new FileOutputStream("C:\\test.txt"), "UTF-8");
+			writer.write("test");
+		}
+		finally {
+			if (writer != null)
+				writer.close();
+		}
+	}
+
+	void testCorrect1() throws IOException {
+		BufferedWriter bw = null;
+		try {
+			bw = new BufferedWriter(new FileWriter("C:\\test.txt"));
+			bw.write("test");
+		}
+		finally {
+			if(bw != null)
+				bw.close();  // 'bw' is closed
+		}
+	}
+
+	void testCorrect2() throws IOException {
+		BufferedWriter bw = null;
+		try {
+			bw = new BufferedWriter(new FileWriter("C:\\test.txt"));
+			bw.write("test");
+		}
+		finally {
+			cleanup(bw); // 'bw' is closed within a helper method
+		}
+	}
+
+	void testCorrect3() throws IOException {
+		FileOutputStream fos = null;
+		OutputStreamWriter writer = null;
+		try {
+			fos = new FileOutputStream("C:\\test.txt");
+			writer = new OutputStreamWriter(fos);
+			writer.write("test");
+		}
+		finally {
+			if (fos != null)
+				fos.close();  // 'fos' is closed
+			if (writer != null)
+				writer.close();  // 'writer' is closed
+		}
+	}
+
+	void testCorrect4() throws IOException {
+		BufferedWriter bw = null;
+		try {
+			bw = new BufferedWriter(new FileWriter("C:\\test.txt"));
+			bw.write("test");
+		}
+		finally {
+			cleanup(null, bw); // 'bw' is closed within a varargs helper method, invoked with multiple args
+		}
+	}
+
+	void cleanup(Closeable... closeables) throws IOException {
+		for (Closeable c : closeables) {
+			if (c != null) {
+				c.close();
+			}
+		}
+	}
+
+	static class LogFile {
+		private BufferedWriter fileWr;
+		LogFile(String path) {
+			FileWriter fw = null;
+			try {
+				fw = new FileWriter(path);
+			} catch (IOException e) {
+				System.out.println("Error: File not readable: " + path);
+				System.exit(1);
+			}
+			init(fw);
+		}
+		private void init(OutputStreamWriter writer) {
+			fileWr = new BufferedWriter(writer);
+		}
+		public void writeStuff() throws IOException {
+			fileWr.write("test");
+			fileWr.close();
+		}
+	}
+
+	// Classes which should be ignored
+	void testIgnore() throws IOException {
+		Writer w1 = new CharArrayWriter();
+		w1.write("test");
+
+		Writer w2 = new StringWriter();
+		w2.write("test");
+
+		OutputStream o1 = new ByteArrayOutputStream();
+		o1.write(1);
+	}
+}
diff --git a/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.qlref b/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.qlref
new file mode 100644
index 00000000000..88008367363
--- /dev/null
+++ b/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.qlref
@@ -0,0 +1 @@
+Likely Bugs/Resource Leaks/CloseWriter.ql

From 948f1d8e344935c7b550450813e61f4df415ba6e Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 11 May 2021 19:43:21 +0200
Subject: [PATCH 1005/1429] C++: Add testcase with INTMAX_MIN.

---
 .../Security/CWE/CWE-190/semmle/tainted/test5.cpp      | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp
index 92eb71ad541..2ee675be6b5 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/test5.cpp
@@ -29,4 +29,14 @@ void useTaintedIntWithGuard() {
 	if(imaxabs(tainted) <= 100) {
 		int product = tainted * tainted; // GOOD: can't underflow/overflow
 	}
+}
+
+#define INTMAX_MIN (-0x7fffffffffffffff - 1)
+
+void useTaintedIntWithGuardIntMaxMin() {
+	intmax_t tainted = getTaintedInt();
+
+	if(imaxabs(tainted) <= INTMAX_MIN) {
+		int product = tainted * tainted; // BAD: imaxabs(INTMAX_MIN) == INTMAX_MIN [NOT DETECTED]
+	}
 }
\ No newline at end of file

From 8e371fd05a842648d78762238c4f2b8cd5c531f4 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 11 May 2021 21:54:05 +0200
Subject: [PATCH 1006/1429] Adjust expected IR test file

---
 csharp/ql/test/experimental/ir/ir/raw_ir.expected | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/csharp/ql/test/experimental/ir/ir/raw_ir.expected b/csharp/ql/test/experimental/ir/ir/raw_ir.expected
index 646cd0f26f9..c598a8778d9 100644
--- a/csharp/ql/test/experimental/ir/ir/raw_ir.expected
+++ b/csharp/ql/test/experimental/ir/ir/raw_ir.expected
@@ -613,13 +613,13 @@ foreach.cs:
 #    5|     r5_28(glval<Int32>)      = PointerAdd[4]                  : r5_1, r5_27
 #    5|     r5_29(Int32)             = Constant[7]                    : 
 #    5|     mu5_30(Int32)            = Store[?]                       : &:r5_28, r5_29
-#    7|     r7_1(glval<IEnumerator>) = VariableAddress[#temp7:9]      : 
+#    7|     r7_1(glval<Boolean>)     = VariableAddress[#temp7:9]      : 
 #    7|     r7_2(glval<Int32[]>)     = VariableAddress[a_array]       : 
 #    7|     r7_3(Int32[])            = Load[a_array]                  : &:r7_2, ~m?
 #    7|     r7_4(<funcaddr>)         = FunctionAddress[GetEnumerator] : 
 #    7|     r7_5(IEnumerator)        = Call[GetEnumerator]            : func:r7_4, this:r7_3
 #    7|     mu7_6(<unknown>)         = ^CallSideEffect                : ~m?
-#    7|     mu7_7(IEnumerator)       = Store[#temp7:9]                : &:r7_1, r7_5
+#    7|     mu7_7(Boolean)           = Store[#temp7:9]                : &:r7_1, r7_5
 #-----|   Goto -> Block 1
 
 #    7|   Block 1

From 961467e06e4142ca71d144ee5c1bb7ca993b706b Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Wed, 12 May 2021 10:15:04 +0200
Subject: [PATCH 1007/1429] C#: Always pass `/p:UseSharedCompilation=false` to
 `dotnet build` in auto builder

---
 .../BuildScripts.cs                           | 44 ++++-----------
 .../Semmle.Autobuild.CSharp/DotNetRule.cs     | 56 ++++---------------
 2 files changed, 21 insertions(+), 79 deletions(-)

diff --git a/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BuildScripts.cs b/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BuildScripts.cs
index 99ad4c8f963..197edc2c162 100644
--- a/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BuildScripts.cs
+++ b/csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BuildScripts.cs
@@ -415,7 +415,7 @@ namespace Semmle.Autobuild.CSharp.Tests
             actions.RunProcess["cmd.exe /C dotnet --info"] = 0;
             actions.RunProcess[@"cmd.exe /C dotnet clean C:\Project\test.csproj"] = 0;
             actions.RunProcess[@"cmd.exe /C dotnet restore C:\Project\test.csproj"] = 0;
-            actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto dotnet build --no-incremental C:\Project\test.csproj"] = 0;
+            actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto dotnet build --no-incremental /p:UseSharedCompilation=false C:\Project\test.csproj"] = 0;
             actions.FileExists["csharp.log"] = true;
             actions.FileExists[@"C:\Project\test.csproj"] = true;
             actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = "";
@@ -439,9 +439,6 @@ namespace Semmle.Autobuild.CSharp.Tests
         [Fact]
         public void TestLinuxCSharpAutoBuilder()
         {
-            actions.RunProcess["dotnet --list-runtimes"] = 0;
-            actions.RunProcessOut["dotnet --list-runtimes"] = @"Microsoft.AspNetCore.App 2.2.5 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
-Microsoft.NETCore.App 2.2.5 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]";
             actions.RunProcess["dotnet --info"] = 0;
             actions.RunProcess[@"dotnet clean C:\Project/test.csproj"] = 0;
             actions.RunProcess[@"dotnet restore C:\Project/test.csproj"] = 0;
@@ -463,7 +460,7 @@ Microsoft.NETCore.App 2.2.5 [/usr/local/share/dotnet/shared/Microsoft.NETCore.Ap
             actions.LoadXml[@"C:\Project/test.csproj"] = xml;
 
             var autobuilder = CreateAutoBuilder(false);
-            TestAutobuilderScript(autobuilder, 0, 5);
+            TestAutobuilderScript(autobuilder, 0, 4);
         }
 
         [Fact]
@@ -603,8 +600,6 @@ Microsoft.NETCore.App 2.2.5 [/usr/local/share/dotnet/shared/Microsoft.NETCore.Ap
         [Fact]
         public void TestLinuxBuildCommand()
         {
-            actions.RunProcess["dotnet --list-runtimes"] = 1;
-            actions.RunProcessOut["dotnet --list-runtimes"] = "";
             actions.RunProcess[@"C:\odasa/tools/odasa index --auto ""./build.sh --skip-tests"""] = 0;
             actions.FileExists["csharp.log"] = true;
             actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = "";
@@ -615,7 +610,7 @@ Microsoft.NETCore.App 2.2.5 [/usr/local/share/dotnet/shared/Microsoft.NETCore.Ap
             SkipVsWhere();
 
             var autobuilder = CreateAutoBuilder(false, buildCommand: "./build.sh --skip-tests");
-            TestAutobuilderScript(autobuilder, 0, 2);
+            TestAutobuilderScript(autobuilder, 0, 1);
         }
 
         [Fact]
@@ -626,14 +621,12 @@ Microsoft.NETCore.App 2.2.5 [/usr/local/share/dotnet/shared/Microsoft.NETCore.Ap
             actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = "";
             actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = "";
             actions.RunProcess[@"/bin/chmod u+x C:\Project/build/build.sh"] = 0;
-            actions.RunProcess["dotnet --list-runtimes"] = 1;
-            actions.RunProcessOut["dotnet --list-runtimes"] = "";
             actions.RunProcess[@"C:\odasa/tools/odasa index --auto C:\Project/build/build.sh"] = 0;
             actions.RunProcessWorkingDirectory[@"C:\odasa/tools/odasa index --auto C:\Project/build/build.sh"] = @"C:\Project/build";
             actions.FileExists["csharp.log"] = true;
 
             var autobuilder = CreateAutoBuilder(false);
-            TestAutobuilderScript(autobuilder, 0, 3);
+            TestAutobuilderScript(autobuilder, 0, 2);
         }
 
         [Fact]
@@ -645,14 +638,12 @@ Microsoft.NETCore.App 2.2.5 [/usr/local/share/dotnet/shared/Microsoft.NETCore.Ap
             actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = "";
 
             actions.RunProcess[@"/bin/chmod u+x C:\Project/build.sh"] = 0;
-            actions.RunProcess["dotnet --list-runtimes"] = 1;
-            actions.RunProcessOut["dotnet --list-runtimes"] = "";
             actions.RunProcess[@"C:\odasa/tools/odasa index --auto C:\Project/build.sh"] = 0;
             actions.RunProcessWorkingDirectory[@"C:\odasa/tools/odasa index --auto C:\Project/build.sh"] = @"C:\Project";
             actions.FileExists["csharp.log"] = false;
 
             var autobuilder = CreateAutoBuilder(false);
-            TestAutobuilderScript(autobuilder, 1, 3);
+            TestAutobuilderScript(autobuilder, 1, 2);
         }
 
         [Fact]
@@ -664,14 +655,12 @@ Microsoft.NETCore.App 2.2.5 [/usr/local/share/dotnet/shared/Microsoft.NETCore.Ap
             actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SOURCE_ARCHIVE_DIR"] = "";
 
             actions.RunProcess[@"/bin/chmod u+x C:\Project/build.sh"] = 0;
-            actions.RunProcess["dotnet --list-runtimes"] = 1;
-            actions.RunProcessOut["dotnet --list-runtimes"] = "";
             actions.RunProcess[@"C:\odasa/tools/odasa index --auto C:\Project/build.sh"] = 5;
             actions.RunProcessWorkingDirectory[@"C:\odasa/tools/odasa index --auto C:\Project/build.sh"] = @"C:\Project";
             actions.FileExists["csharp.log"] = true;
 
             var autobuilder = CreateAutoBuilder(false);
-            TestAutobuilderScript(autobuilder, 1, 3);
+            TestAutobuilderScript(autobuilder, 1, 2);
         }
 
         [Fact]
@@ -872,9 +861,6 @@ Microsoft.NETCore.App 2.2.5 [/usr/local/share/dotnet/shared/Microsoft.NETCore.Ap
         [Fact]
         public void TestSkipNugetDotnet()
         {
-            actions.RunProcess["dotnet --list-runtimes"] = 0;
-            actions.RunProcessOut["dotnet --list-runtimes"] = @"Microsoft.AspNetCore.App 2.1.3 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
-Microsoft.NETCore.App 2.1.3 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]";
             actions.RunProcess["dotnet --info"] = 0;
             actions.RunProcess[@"dotnet clean C:\Project/test.csproj"] = 0;
             actions.RunProcess[@"dotnet restore C:\Project/test.csproj"] = 0;
@@ -896,7 +882,7 @@ Microsoft.NETCore.App 2.1.3 [/usr/local/share/dotnet/shared/Microsoft.NETCore.Ap
             actions.LoadXml[@"C:\Project/test.csproj"] = xml;
 
             var autobuilder = CreateAutoBuilder(false, dotnetArguments: "--no-restore");  // nugetRestore=false does not work for now.
-            TestAutobuilderScript(autobuilder, 0, 5);
+            TestAutobuilderScript(autobuilder, 0, 4);
         }
 
         [Fact]
@@ -907,13 +893,10 @@ Microsoft.NETCore.App 2.1.3 [/usr/local/share/dotnet/shared/Microsoft.NETCore.Ap
             actions.RunProcess[@"chmod u+x dotnet-install.sh"] = 0;
             actions.RunProcess[@"./dotnet-install.sh --channel release --version 2.1.3 --install-dir C:\Project/.dotnet"] = 0;
             actions.RunProcess[@"rm dotnet-install.sh"] = 0;
-            actions.RunProcess[@"C:\Project/.dotnet/dotnet --list-runtimes"] = 0;
-            actions.RunProcessOut[@"C:\Project/.dotnet/dotnet --list-runtimes"] = @"Microsoft.AspNetCore.App 3.0.0 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
-Microsoft.NETCore.App 3.0.0 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]";
             actions.RunProcess[@"C:\Project/.dotnet/dotnet --info"] = 0;
             actions.RunProcess[@"C:\Project/.dotnet/dotnet clean C:\Project/test.csproj"] = 0;
             actions.RunProcess[@"C:\Project/.dotnet/dotnet restore C:\Project/test.csproj"] = 0;
-            actions.RunProcess[@"C:\odasa/tools/odasa index --auto C:\Project/.dotnet/dotnet build --no-incremental C:\Project/test.csproj"] = 0;
+            actions.RunProcess[@"C:\odasa/tools/odasa index --auto C:\Project/.dotnet/dotnet build --no-incremental /p:UseSharedCompilation=false C:\Project/test.csproj"] = 0;
             actions.FileExists["csharp.log"] = true;
             actions.FileExists["test.csproj"] = true;
             actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = "";
@@ -933,7 +916,7 @@ Microsoft.NETCore.App 3.0.0 [/usr/local/share/dotnet/shared/Microsoft.NETCore.Ap
             actions.DownloadFiles.Add(("https://dot.net/v1/dotnet-install.sh", "dotnet-install.sh"));
 
             var autobuilder = CreateAutoBuilder(false, dotnetVersion: "2.1.3");
-            TestAutobuilderScript(autobuilder, 0, 9);
+            TestAutobuilderScript(autobuilder, 0, 8);
         }
 
         [Fact]
@@ -945,11 +928,6 @@ Microsoft.NETCore.App 3.0.0 [/usr/local/share/dotnet/shared/Microsoft.NETCore.Ap
             actions.RunProcess[@"chmod u+x dotnet-install.sh"] = 0;
             actions.RunProcess[@"./dotnet-install.sh --channel release --version 2.1.3 --install-dir C:\Project/.dotnet"] = 0;
             actions.RunProcess[@"rm dotnet-install.sh"] = 0;
-            actions.RunProcess[@"C:\Project/.dotnet/dotnet --list-runtimes"] = 0;
-            actions.RunProcessOut[@"C:\Project/.dotnet/dotnet --list-runtimes"] = @"Microsoft.AspNetCore.App 2.1.3 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
-Microsoft.AspNetCore.App 2.1.4 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
-Microsoft.NETCore.App 2.1.3 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
-Microsoft.NETCore.App 2.1.4 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]";
             actions.RunProcess[@"C:\Project/.dotnet/dotnet --info"] = 0;
             actions.RunProcess[@"C:\Project/.dotnet/dotnet clean C:\Project/test.csproj"] = 0;
             actions.RunProcess[@"C:\Project/.dotnet/dotnet restore C:\Project/test.csproj"] = 0;
@@ -973,7 +951,7 @@ Microsoft.NETCore.App 2.1.4 [/usr/local/share/dotnet/shared/Microsoft.NETCore.Ap
             actions.DownloadFiles.Add(("https://dot.net/v1/dotnet-install.sh", "dotnet-install.sh"));
 
             var autobuilder = CreateAutoBuilder(false, dotnetVersion: "2.1.3");
-            TestAutobuilderScript(autobuilder, 0, 9);
+            TestAutobuilderScript(autobuilder, 0, 8);
         }
 
         private void TestDotnetVersionWindows(Action action, int commandsRun)
@@ -984,7 +962,7 @@ Microsoft.NETCore.App 2.1.4 [/usr/local/share/dotnet/shared/Microsoft.NETCore.Ap
             actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet --info"] = 0;
             actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet clean C:\Project\test.csproj"] = 0;
             actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet restore C:\Project\test.csproj"] = 0;
-            actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto C:\Project\.dotnet\dotnet build --no-incremental C:\Project\test.csproj"] = 0;
+            actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto C:\Project\.dotnet\dotnet build --no-incremental /p:UseSharedCompilation=false C:\Project\test.csproj"] = 0;
             actions.FileExists["csharp.log"] = true;
             actions.FileExists[@"C:\Project\test.csproj"] = true;
             actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_TRAP_DIR"] = "";
diff --git a/csharp/autobuilder/Semmle.Autobuild.CSharp/DotNetRule.cs b/csharp/autobuilder/Semmle.Autobuild.CSharp/DotNetRule.cs
index a456c9407db..955775d0f66 100644
--- a/csharp/autobuilder/Semmle.Autobuild.CSharp/DotNetRule.cs
+++ b/csharp/autobuilder/Semmle.Autobuild.CSharp/DotNetRule.cs
@@ -36,7 +36,7 @@ namespace Semmle.Autobuild.CSharp
                 builder.Log(Severity.Info, "Attempting to build using .NET Core");
             }
 
-            return WithDotNet(builder, (dotNetPath, environment, compatibleClr) =>
+            return WithDotNet(builder, (dotNetPath, environment) =>
                 {
                     var ret = GetInfoCommand(builder.Actions, dotNetPath, environment);
                     foreach (var projectOrSolution in builder.ProjectsOrSolutionsToBuild)
@@ -49,7 +49,7 @@ namespace Semmle.Autobuild.CSharp
                         restoreCommand.QuoteArgument(projectOrSolution.FullPath);
                         var restore = restoreCommand.Script;
 
-                        var build = GetBuildScript(builder, dotNetPath, environment, compatibleClr, projectOrSolution.FullPath);
+                        var build = GetBuildScript(builder, dotNetPath, environment, projectOrSolution.FullPath);
 
                         ret &= BuildScript.Try(clean) & BuildScript.Try(restore) & build;
                     }
@@ -57,7 +57,7 @@ namespace Semmle.Autobuild.CSharp
                 });
         }
 
-        private static BuildScript WithDotNet(Autobuilder builder, Func<string?, IDictionary<string, string>?, bool, BuildScript> f)
+        private static BuildScript WithDotNet(Autobuilder builder, Func<string?, IDictionary<string, string>?, BuildScript> f)
         {
             var installDir = builder.Actions.PathCombine(builder.Options.RootDirectory, ".dotnet");
             var installScript = DownloadDotNet(builder, installDir);
@@ -81,35 +81,10 @@ namespace Semmle.Autobuild.CSharp
                     env = null;
                 }
 
-                // The CLR tracer is always compatible on Windows
-                if (builder.Actions.IsWindows())
-                    return f(installDir, env, true);
-
-                // The CLR tracer is only compatible on .NET Core >= 3 on Linux and macOS (see
-                // https://github.com/dotnet/coreclr/issues/19622)
-                return BuildScript.Bind(GetInstalledRuntimesScript(builder.Actions, installDir, env), (runtimes, runtimesRet) =>
-                {
-                    var compatibleClr = false;
-                    if (runtimesRet == 0)
-                    {
-                        var minimumVersion = new Version(3, 0);
-                        var regex = new Regex(@"Microsoft\.NETCore\.App (\d\.\d\.\d)");
-                        compatibleClr = runtimes
-                            .Select(runtime => regex.Match(runtime))
-                            .Where(m => m.Success)
-                            .Select(m => m.Groups[1].Value)
-                            .Any(m => Version.TryParse(m, out var v) && v >= minimumVersion);
-                    }
-
-                    if (!compatibleClr)
-                    {
-                        if (env is null)
-                            env = new Dictionary<string, string>();
-                        env.Add("UseSharedCompilation", "false");
-                    }
-
-                    return f(installDir, env, compatibleClr);
-                });
+                if (env is null)
+                    env = new Dictionary<string, string>();
+                env.Add("UseSharedCompilation", "false");
+                return f(installDir, env);
             });
         }
 
@@ -122,7 +97,7 @@ namespace Semmle.Autobuild.CSharp
         /// are needed).
         /// </summary>
         public static BuildScript WithDotNet(Autobuilder builder, Func<IDictionary<string, string>?, BuildScript> f)
-            => WithDotNet(builder, (_1, env, _2) => f(env));
+            => WithDotNet(builder, (_1, env) => f(env));
 
         /// <summary>
         /// Returns a script for downloading relevant versions of the
@@ -259,14 +234,6 @@ namespace Semmle.Autobuild.CSharp
             return restore;
         }
 
-        private static BuildScript GetInstalledRuntimesScript(IBuildActions actions, string? dotNetPath, IDictionary<string, string>? environment)
-        {
-            var listSdks = new CommandBuilder(actions, environment: environment, silent: true).
-                RunCommand(DotNetCommand(actions, dotNetPath)).
-                Argument("--list-runtimes");
-            return listSdks.Script;
-        }
-
         /// <summary>
         /// Gets the `dotnet build` script.
         ///
@@ -276,17 +243,14 @@ namespace Semmle.Autobuild.CSharp
         /// hence the need for CLR tracing), by adding a
         /// `/p:UseSharedCompilation=false` argument.
         /// </summary>
-        private static BuildScript GetBuildScript(Autobuilder builder, string? dotNetPath, IDictionary<string, string>? environment, bool compatibleClr, string projOrSln)
+        private static BuildScript GetBuildScript(Autobuilder builder, string? dotNetPath, IDictionary<string, string>? environment, string projOrSln)
         {
             var build = new CommandBuilder(builder.Actions, null, environment);
             var script = builder.MaybeIndex(build, DotNetCommand(builder.Actions, dotNetPath)).
                 Argument("build").
                 Argument("--no-incremental");
 
-            return compatibleClr ?
-                script.Argument(builder.Options.DotNetArguments).
-                    QuoteArgument(projOrSln).
-                    Script :
+            return
                 script.Argument("/p:UseSharedCompilation=false").
                     Argument(builder.Options.DotNetArguments).
                     QuoteArgument(projOrSln).

From 07a70af3448c76e1ae31a886ac8ec13eafa26e6a Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Tue, 11 May 2021 19:41:39 +0000
Subject: [PATCH 1008/1429] Python: Limit set of globals that may be built-ins

I am very tempted to leave out the constants, or at the very least
`False`, `True`, and `None`, as these have _many_ occurrences in the
average codebase, and are not terribly useful at the API-graph level.

If we really do want to capture "nodes that refer to such and such
constant", then I think a better solution would be to create classes
extending `DataFlow::Node` to facilitate this.
---
 python/ql/src/semmle/python/ApiGraphs.qll | 70 ++++++++++++++++++++---
 1 file changed, 62 insertions(+), 8 deletions(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index a530e44e85d..86ad81e7454 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -351,20 +351,74 @@ module API {
 
     private import semmle.python.types.Builtins as Builtins
 
+    /** Returns the names of known built-ins. */
+    private string builtin_name() {
+      // Built-in functions shared between Python 2.7.6 and 3.9.5
+      result in [
+          "abs", "all", "any", "bin", "bool", "bytearray", "callable", "chr", "classmethod",
+          "compile", "complex", "delattr", "dict", "dir", "divmod", "enumerate", "eval", "filter",
+          "float", "format", "frozenset", "getattr", "globals", "hasattr", "hash", "help", "hex",
+          "id", "input", "int", "isinstance", "issubclass", "iter", "len", "list", "locals", "map",
+          "max", "memoryview", "min", "next", "object", "oct", "open", "ord", "pow", "print",
+          "property", "range", "repr", "reversed", "round", "set", "setattr", "slice", "sorted",
+          "staticmethod", "str", "sum", "super", "tuple", "type", "vars", "zip", "__import__"
+        ]
+      or
+      // Built-in constants shared between Python 2.7.6 and 3.9.5
+      result in ["False", "True", "None", "NotImplemented", "Ellipsis", "__debug__"]
+      or
+      // Python 3.9.5 only
+      major_version() = 3 and
+      result in ["ascii", "breakpoint", "bytes", "exec"]
+      or
+      // Python 2.7.6 only
+      major_version() = 2 and
+      result in [
+          "basestring", "cmp", "execfile", "file", "long", "raw_input", "reduce", "reload",
+          "unichr", "unicode", "xrange"
+        ]
+    }
+
     /**
      * Gets a data flow node that is likely to refer to a built-in with the name `name`.
      *
-     * Currently this is an over-approximation, and does not account for things like overwriting a
+     * Currently this is an over-approximation, and may not account for things like overwriting a
      * built-in with a different value.
      */
     private DataFlow::Node likely_builtin(string name) {
-      result.asCfgNode() =
-        any(NameNode n |
-          n.isGlobal() and
-          n.isLoad() and
-          name = n.getId() and
-          name in [any(Builtins::Builtin b).getName(), "None", "True", "False"]
-        )
+      exists(Module m |
+        result.asCfgNode() =
+          any(NameNode n |
+            possible_builtin_accessed_in_module(n, name, m) and
+            not possible_builtin_defined_in_module(name, m)
+          )
+      )
+    }
+
+    /**
+     * Holds if a global variable called `name` (which is also the name of a built-in) is assigned
+     * a value in the module `m`.
+     */
+    private predicate possible_builtin_defined_in_module(string name, Module m) {
+      exists(NameNode n |
+        n.isGlobal() and
+        n.isStore() and
+        name = n.getId() and
+        name = builtin_name() and
+        m = n.getEnclosingModule()
+      )
+    }
+
+    /**
+     * Holds if `n` is an access of a global variable called `name` (which is also the name of a
+     * built-in) inside the module `m`.
+     */
+    private predicate possible_builtin_accessed_in_module(NameNode n, string name, Module m) {
+      n.isGlobal() and
+      n.isLoad() and
+      name = n.getId() and
+      name = builtin_name() and
+      m = n.getEnclosingModule()
     }
 
     /**

From bf4d88175c9727414780b04802fa0e1ed8e92e71 Mon Sep 17 00:00:00 2001
From: Sebastian Bauersfeld <sebastian@semmle.com>
Date: Wed, 12 May 2021 16:40:00 +0700
Subject: [PATCH 1009/1429] Consider boxed booleans to avoid false positives
 for XXE.ql

---
 java/ql/src/semmle/code/java/security/XmlParsers.qll | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/semmle/code/java/security/XmlParsers.qll b/java/ql/src/semmle/code/java/security/XmlParsers.qll
index 685c5754fc9..5e2eb1caf8a 100644
--- a/java/ql/src/semmle/code/java/security/XmlParsers.qll
+++ b/java/ql/src/semmle/code/java/security/XmlParsers.qll
@@ -36,7 +36,10 @@ abstract class ParserConfig extends MethodAccess {
    */
   predicate disables(Expr e) {
     this.getArgument(0) = e and
-    this.getArgument(1).(BooleanLiteral).getBooleanValue() = false
+    (
+      this.getArgument(1).(BooleanLiteral).getBooleanValue() = false or
+      this.getArgument(1).(FieldAccess).getField().hasQualifiedName("java.lang", "Boolean", "FALSE")
+    )
   }
 
   /**
@@ -44,7 +47,10 @@ abstract class ParserConfig extends MethodAccess {
    */
   predicate enables(Expr e) {
     this.getArgument(0) = e and
-    this.getArgument(1).(BooleanLiteral).getBooleanValue() = true
+    (
+      this.getArgument(1).(BooleanLiteral).getBooleanValue() = true or
+      this.getArgument(1).(FieldAccess).getField().hasQualifiedName("java.lang", "Boolean", "TRUE")
+    )
   }
 }
 

From 5c7e73d4854ac817a10d32fb44e6b7272b5f11ef Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Wed, 12 May 2021 09:51:55 +0000
Subject: [PATCH 1010/1429] Python: Add exception types

---
 python/ql/src/semmle/python/ApiGraphs.qll | 31 ++++++++++++++++++-----
 1 file changed, 25 insertions(+), 6 deletions(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 86ad81e7454..177d0f3998e 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -353,7 +353,7 @@ module API {
 
     /** Returns the names of known built-ins. */
     private string builtin_name() {
-      // Built-in functions shared between Python 2.7.6 and 3.9.5
+      // Built-in functions and exceptions shared between Python 2 and 3
       result in [
           "abs", "all", "any", "bin", "bool", "bytearray", "callable", "chr", "classmethod",
           "compile", "complex", "delattr", "dict", "dir", "divmod", "enumerate", "eval", "filter",
@@ -361,17 +361,36 @@ module API {
           "id", "input", "int", "isinstance", "issubclass", "iter", "len", "list", "locals", "map",
           "max", "memoryview", "min", "next", "object", "oct", "open", "ord", "pow", "print",
           "property", "range", "repr", "reversed", "round", "set", "setattr", "slice", "sorted",
-          "staticmethod", "str", "sum", "super", "tuple", "type", "vars", "zip", "__import__"
+          "staticmethod", "str", "sum", "super", "tuple", "type", "vars", "zip", "__import__",
+          // Exceptions
+          "ArithmeticError", "AssertionError", "AttributeError", "BaseException", "BufferError",
+          "BytesWarning", "DeprecationWarning", "EOFError", "EnvironmentError", "Exception",
+          "FloatingPointError", "FutureWarning", "GeneratorExit", "IOError", "ImportError",
+          "ImportWarning", "IndentationError", "IndexError", "KeyError", "KeyboardInterrupt",
+          "LookupError", "MemoryError", "NameError", "NotImplemented", "NotImplementedError",
+          "OSError", "OverflowError", "PendingDeprecationWarning", "ReferenceError", "RuntimeError",
+          "RuntimeWarning", "StandardError", "StopIteration", "SyntaxError", "SyntaxWarning",
+          "SystemError", "SystemExit", "TabError", "TypeError", "UnboundLocalError",
+          "UnicodeDecodeError", "UnicodeEncodeError", "UnicodeError", "UnicodeTranslateError",
+          "UnicodeWarning", "UserWarning", "ValueError", "Warning", "ZeroDivisionError"
         ]
       or
-      // Built-in constants shared between Python 2.7.6 and 3.9.5
+      // Built-in constants shared between Python 2 and 3
       result in ["False", "True", "None", "NotImplemented", "Ellipsis", "__debug__"]
       or
-      // Python 3.9.5 only
+      // Python 3 only
       major_version() = 3 and
-      result in ["ascii", "breakpoint", "bytes", "exec"]
+      result in [
+          "ascii", "breakpoint", "bytes", "exec",
+          // Exceptions
+          "BlockingIOError", "BrokenPipeError", "ChildProcessError", "ConnectionAbortedError",
+          "ConnectionError", "ConnectionRefusedError", "ConnectionResetError", "FileExistsError",
+          "FileNotFoundError", "InterruptedError", "IsADirectoryError", "ModuleNotFoundError",
+          "NotADirectoryError", "PermissionError", "ProcessLookupError", "RecursionError",
+          "ResourceWarning", "StopAsyncIteration", "TimeoutError"
+        ]
       or
-      // Python 2.7.6 only
+      // Python 2 only
       major_version() = 2 and
       result in [
           "basestring", "cmp", "execfile", "file", "long", "raw_input", "reduce", "reload",

From b05512a9585def1ecb9fd2c35cfebbcc70ab6ef8 Mon Sep 17 00:00:00 2001
From: Sebastian Bauersfeld <sebastian@semmle.com>
Date: Wed, 12 May 2021 16:58:24 +0700
Subject: [PATCH 1011/1429] Add change notes.

---
 java/change-notes/2021-05-12-xxe-fp-fix.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 java/change-notes/2021-05-12-xxe-fp-fix.md

diff --git a/java/change-notes/2021-05-12-xxe-fp-fix.md b/java/change-notes/2021-05-12-xxe-fp-fix.md
new file mode 100644
index 00000000000..dd42bc71256
--- /dev/null
+++ b/java/change-notes/2021-05-12-xxe-fp-fix.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Resolving XML external entity in user-controlled data" (`java/xxe`) has been improved to report fewer false positives when a Builder / Factory (e.g. an `XMLInputFactory`) is configured safely by using a boxed boolean as second argument to one or more of its configuration methods.

From 3d30efed112473c87e213f0e7feed3b0196fc8de Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Wed, 12 May 2021 11:07:16 +0000
Subject: [PATCH 1012/1429] Python: Add `exec` as a shared built-in

This is _slightly_ wrong, since `exec` isn't a built-in function in
Python 2. It should be harmless, however, since `exec` is a keyword,
and so cannot be redefined anyway.
---
 python/ql/src/semmle/python/ApiGraphs.qll | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 177d0f3998e..9ad125f86bc 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -372,7 +372,9 @@ module API {
           "RuntimeWarning", "StandardError", "StopIteration", "SyntaxError", "SyntaxWarning",
           "SystemError", "SystemExit", "TabError", "TypeError", "UnboundLocalError",
           "UnicodeDecodeError", "UnicodeEncodeError", "UnicodeError", "UnicodeTranslateError",
-          "UnicodeWarning", "UserWarning", "ValueError", "Warning", "ZeroDivisionError"
+          "UnicodeWarning", "UserWarning", "ValueError", "Warning", "ZeroDivisionError",
+          // Added for compatibility
+          "exec"
         ]
       or
       // Built-in constants shared between Python 2 and 3

From 48b50f93c27c60ad41ebd112f6b699ac987503fa Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh <jonathan.leitschuh@gmail.com>
Date: Wed, 12 May 2021 08:58:01 -0400
Subject: [PATCH 1013/1429] Update
 java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll

Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
---
 .../code/java/frameworks/jackson/JacksonSerializability.qll  | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
index 09fd419642e..50266c377f8 100644
--- a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
+++ b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
@@ -53,7 +53,10 @@ private class JacksonWriteValueMethod extends Method, TaintPreservingCallable {
 
 private class JacksonReadValueMethod extends Method, TaintPreservingCallable {
   JacksonReadValueMethod() {
-    getDeclaringType().hasQualifiedName("com.fasterxml.jackson.databind", "ObjectReader") and
+    (
+      getDeclaringType().hasQualifiedName("com.fasterxml.jackson.databind", "ObjectReader") or
+      getDeclaringType().hasQualifiedName("com.fasterxml.jackson.databind", "ObjectMapper")
+    ) and
     hasName(["readValue", "readValues"])
   }
 

From e94dab70b50ce64f692fb6e8db93149ce063f9d5 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 12 May 2021 15:44:09 +0200
Subject: [PATCH 1014/1429] C++: Add sanitizers to cpp/uncontrolled-arithmetic.

---
 .../CWE/CWE-190/ArithmeticUncontrolled.ql     | 111 +++++++++++++-----
 .../ArithmeticUncontrolled.expected           |  46 --------
 .../CWE/CWE-190/semmle/uncontrolled/test.c    |   6 +-
 3 files changed, 84 insertions(+), 79 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
index a4b0f131d14..6aad6cca7ce 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -15,34 +15,99 @@ import cpp
 import semmle.code.cpp.security.Overflow
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.TaintTracking
+import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import TaintedWithPath
 
-predicate isRandCall(FunctionCall fc) { fc.getTarget().getName() = "rand" }
-
-predicate isRandCallOrParent(Expr e) {
-  isRandCall(e) or
-  isRandCallOrParent(e.getAChild())
+predicate isUnboundedRandCall(FunctionCall fc) {
+  fc.getTarget().getName() = "rand" and not bounded(fc)
 }
 
-predicate isRandValue(Expr e) {
-  isRandCall(e)
+/**
+ * An operand `e` of a division expression (i.e., `e` is an operand of either a `DivExpr` or
+ * a `AssignDivExpr`) is bounded when `e` is the left-hand side of the division.
+ */
+pragma[inline]
+predicate boundedDiv(Expr e, Expr left) { e = left }
+
+/**
+ * An operand `e` of a remainder expression `rem` (i.e., `rem` is either a `RemExpr` or
+ * an `AssignRemExpr`) with left-hand side `left` and right-ahnd side `right` is bounded
+ * when `e` is `left` and `right` is upper bounded by some number that is less than the maximum integer
+ * allowed by the result type of `rem`.
+ */
+pragma[inline]
+predicate boundedRem(Expr e, Expr rem, Expr left, Expr right) {
+  e = left and
+  upperBound(right.getFullyConverted()) < exprMaxVal(rem.getFullyConverted())
+}
+
+/**
+ * An operand `e` of a bitwise and expression `andExpr` (i.e., `andExpr` is either an `BitwiseAndExpr`
+ * or an `AssignAndExpr`) with operands `operand1` and `operand2` is the operand that is not `e` is upper
+ * bounded by some number that is less than the maximum integer allowed by the result type of `andExpr`.
+ */
+pragma[inline]
+predicate boundedBitwiseAnd(Expr e, Expr andExpr, Expr operand1, Expr operand2) {
+  operand1 != operand2 and
+  e = operand1 and
+  upperBound(operand2.getFullyConverted()) < exprMaxVal(andExpr.getFullyConverted())
+}
+
+/**
+ * Holds if `fc` is a part of the left operand of a binary operation that greatly reduces the range
+ * of possible values.
+ */
+predicate bounded(Expr e) {
+  //  For `%` and `&` we require that `e` is bounded by a value that is strictly smaller than the
+  //  maximum possible value of the result type of the operation.
+  //  For example, the function call `rand()` is considered bounded in the following program:
+  //  ```
+  //  int i = rand() % (UINT8_MAX + 1);
+  //  ```
+  //  but not in:
+  //  ```
+  //  unsigned char uc = rand() % (UINT8_MAX + 1);
+  //  ```
+  exists(RemExpr rem | boundedRem(e, rem, rem.getLeftOperand(), rem.getRightOperand()))
+  or
+  exists(AssignRemExpr rem | boundedRem(e, rem, rem.getLValue(), rem.getRValue()))
+  or
+  exists(BitwiseAndExpr andExpr |
+    boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
+  )
+  or
+  exists(AssignAndExpr andExpr |
+    boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
+  )
+  or
+  // Optimitically assume that a division always yields a much smaller value.
+  boundedDiv(e, any(DivExpr div).getLeftOperand())
+  or
+  boundedDiv(e, any(AssignDivExpr div).getLValue())
+}
+
+predicate isUnboundedRandCallOrParent(Expr e) {
+  isUnboundedRandCall(e)
+  or
+  isUnboundedRandCallOrParent(e.getAChild())
+}
+
+predicate isUnboundedRandValue(Expr e) {
+  isUnboundedRandCall(e)
   or
   exists(MacroInvocation mi |
     e = mi.getExpr() and
-    isRandCallOrParent(e)
+    isUnboundedRandCallOrParent(e)
   )
 }
 
 class SecurityOptionsArith extends SecurityOptions {
   override predicate isUserInput(Expr expr, string cause) {
-    isRandValue(expr) and
-    cause = "rand" and
-    not expr.getParent*() instanceof DivExpr
+    isUnboundedRandValue(expr) and
+    cause = "rand"
   }
 }
 
-predicate isDiv(VariableAccess va) { exists(AssignDivExpr div | div.getLValue() = va) }
-
 predicate missingGuard(VariableAccess va, string effect) {
   exists(Operation op | op.getAnOperand() = va |
     missingGuardAgainstUnderflow(op, va) and effect = "underflow"
@@ -52,29 +117,15 @@ predicate missingGuard(VariableAccess va, string effect) {
 }
 
 class Configuration extends TaintTrackingConfiguration {
-  override predicate isSink(Element e) {
-    isDiv(e)
-    or
-    missingGuard(e, _)
-  }
-}
+  override predicate isSink(Element e) { missingGuard(e, _) }
 
-/**
- * A value that undergoes division is likely to be bounded within a safe
- * range.
- */
-predicate guardedByAssignDiv(Expr origin) {
-  exists(VariableAccess va |
-    taintedWithPath(origin, va, _, _) and
-    isDiv(va)
-  )
+  override predicate isBarrier(Expr e) { super.isBarrier(e) or bounded(e) }
 }
 
 from Expr origin, VariableAccess va, string effect, PathNode sourceNode, PathNode sinkNode
 where
   taintedWithPath(origin, va, sourceNode, sinkNode) and
-  missingGuard(va, effect) and
-  not guardedByAssignDiv(origin)
+  missingGuard(va, effect)
 select va, sourceNode, sinkNode,
   "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
   "Uncontrolled value"
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
index ca8dd38fc3b..097efb73b9f 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
@@ -7,30 +7,10 @@ edges
 | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
 | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
 | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
-| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
-| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
-| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
-| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
 | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
 | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
 | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
 | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
-| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
-| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
-| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
-| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
-| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
-| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
-| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
-| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
-| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
-| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
-| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
-| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
-| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
-| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
-| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
-| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
 | test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
 | test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
 | test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
@@ -67,34 +47,11 @@ nodes
 | test.c:35:5:35:5 | r | semmle.label | r |
 | test.c:35:5:35:5 | r | semmle.label | r |
 | test.c:35:5:35:5 | r | semmle.label | r |
-| test.c:39:13:39:21 | ... % ... | semmle.label | ... % ... |
-| test.c:39:13:39:21 | ... % ... | semmle.label | ... % ... |
-| test.c:40:5:40:5 | r | semmle.label | r |
-| test.c:40:5:40:5 | r | semmle.label | r |
-| test.c:40:5:40:5 | r | semmle.label | r |
 | test.c:44:13:44:16 | call to rand | semmle.label | call to rand |
 | test.c:44:13:44:16 | call to rand | semmle.label | call to rand |
 | test.c:45:5:45:5 | r | semmle.label | r |
 | test.c:45:5:45:5 | r | semmle.label | r |
 | test.c:45:5:45:5 | r | semmle.label | r |
-| test.c:54:13:54:16 | call to rand | semmle.label | call to rand |
-| test.c:54:13:54:16 | call to rand | semmle.label | call to rand |
-| test.c:56:5:56:5 | r | semmle.label | r |
-| test.c:56:5:56:5 | r | semmle.label | r |
-| test.c:56:5:56:5 | r | semmle.label | r |
-| test.c:60:13:60:16 | call to rand | semmle.label | call to rand |
-| test.c:60:13:60:16 | call to rand | semmle.label | call to rand |
-| test.c:61:5:61:5 | r | semmle.label | r |
-| test.c:61:5:61:5 | r | semmle.label | r |
-| test.c:61:5:61:5 | r | semmle.label | r |
-| test.c:62:5:62:5 | r | semmle.label | r |
-| test.c:62:5:62:5 | r | semmle.label | r |
-| test.c:62:5:62:5 | r | semmle.label | r |
-| test.c:66:13:66:16 | call to rand | semmle.label | call to rand |
-| test.c:66:13:66:16 | call to rand | semmle.label | call to rand |
-| test.c:67:5:67:5 | r | semmle.label | r |
-| test.c:67:5:67:5 | r | semmle.label | r |
-| test.c:67:5:67:5 | r | semmle.label | r |
 | test.c:75:13:75:19 | ... ^ ... | semmle.label | ... ^ ... |
 | test.c:75:13:75:19 | ... ^ ... | semmle.label | ... ^ ... |
 | test.c:77:9:77:9 | r | semmle.label | r |
@@ -133,10 +90,7 @@ nodes
 #select
 | test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
 | test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
-| test.c:40:5:40:5 | r | test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:39:13:39:21 | ... % ... | Uncontrolled value |
 | test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
-| test.c:56:5:56:5 | r | test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:54:13:54:16 | call to rand | Uncontrolled value |
-| test.c:67:5:67:5 | r | test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:66:13:66:16 | call to rand | Uncontrolled value |
 | test.c:77:9:77:9 | r | test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | ... ^ ... | Uncontrolled value |
 | test.c:100:5:100:5 | r | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
 | test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c
index 2b67b499a3c..61f39a8e851 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c
@@ -37,7 +37,7 @@ void randomTester() {
 
   {
     int r = RANDN(100);
-    r += 100; // GOOD: The return from RANDN is bounded [FALSE POSITIVE]
+    r += 100; // GOOD: The return from RANDN is bounded
   }
 
   {
@@ -53,7 +53,7 @@ void randomTester() {
   {
     int r = rand();
     r = r / 10;
-    r += 100; // GOOD [FALSE POSITIVE]
+    r += 100; // GOOD
   }
   
   {
@@ -64,7 +64,7 @@ void randomTester() {
   
   {
     int r = rand() & 0xFF;
-    r += 100; // GOOD [FALSE POSITIVE]
+    r += 100; // GOOD
   }
 
   {

From e0f78dde56f7f31719c91cd0367922046edaa2ab Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 12 May 2021 16:23:37 +0200
Subject: [PATCH 1015/1429] make the axios error catch match the non-error case

---
 .../ql/src/semmle/javascript/frameworks/ClientRequests.qll    | 3 +--
 .../frameworks/ClientRequests/ClientRequests.expected         | 4 +++-
 .../ql/test/library-tests/frameworks/ClientRequests/tst.js    | 1 +
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
index 477f9354d03..bce5d6a36fc 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -271,8 +271,7 @@ module ClientRequest {
       or
       responseType = getResponseType() and
       promise = false and
-      result =
-        getReturn().getPromisedError().getMember("response").getMember("data").getAnImmediateUse()
+      result = getReturn().getPromisedError().getMember("response").getAnImmediateUse()
     }
   }
 
diff --git a/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected b/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected
index c6542eb009d..27a9fa10f72 100644
--- a/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected
+++ b/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected
@@ -298,4 +298,6 @@ test_getAResponseDataNode
 | tst.js:235:5:237:6 | needle. ... \\n    }) | tst.js:235:73:235:76 | body | json | false |
 | tst.js:286:20:286:55 | new Web ... :8080') | tst.js:291:44:291:53 | event.data | json | false |
 | tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:296:5:299:6 | axios({ ... \\n    }) | json | true |
-| tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:303:26:303:42 | err.response.data | json | false |
+| tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:302:28:302:39 | err.response | json | false |
+| tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:303:26:303:37 | err.response | json | false |
+| tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:304:27:304:38 | err.response | json | false |
diff --git a/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js b/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js
index f284ffaa407..40dcfc481f4 100644
--- a/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js
+++ b/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js
@@ -301,6 +301,7 @@ function moreAxios() {
         (err) => {
             const status = err.response.status;
             const data = err.response.data;
+            const agent = err.response.headers.useragent;
         }
     );
 }
\ No newline at end of file

From 7d26aca793353c8564d5cac8715dbcecd87aa917 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 12 May 2021 16:34:23 +0200
Subject: [PATCH 1016/1429] C++: Add change-note.

---
 cpp/change-notes/2021-12-05-uncontrolled-arithmetic.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 cpp/change-notes/2021-12-05-uncontrolled-arithmetic.md

diff --git a/cpp/change-notes/2021-12-05-uncontrolled-arithmetic.md b/cpp/change-notes/2021-12-05-uncontrolled-arithmetic.md
new file mode 100644
index 00000000000..56fbc9a44ce
--- /dev/null
+++ b/cpp/change-notes/2021-12-05-uncontrolled-arithmetic.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Uncontrolled arithmetic" (`cpp/uncontrolled-arithmetic`) has been improved to produce fewer false positives.

From ff2b6b9737b608c1d99752ba4a2df521863eb5ef Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Wed, 12 May 2021 18:07:18 +0000
Subject: [PATCH 1017/1429] Python: Correctly locate stores to built-ins

---
 python/ql/src/semmle/python/ApiGraphs.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 9ad125f86bc..080c967ed2d 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -422,7 +422,7 @@ module API {
      */
     private predicate possible_builtin_defined_in_module(string name, Module m) {
       exists(NameNode n |
-        n.isGlobal() and
+        not exists(LocalVariable v | n.defines(v)) and
         n.isStore() and
         name = n.getId() and
         name = builtin_name() and

From 109fa4d38e598ef7c8558afcbd0cd58655362067 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 12 May 2021 13:54:07 +0100
Subject: [PATCH 1018/1429] C++: Add test cases for BrokenCryptoAlgorithm.ql.

---
 .../CWE-327/BrokenCryptoAlgorithm.expected    |  29 ++
 .../CWE/CWE-327/BrokenCryptoAlgorithm.qlref   |   1 +
 .../query-tests/Security/CWE/CWE-327/test.cpp | 109 ++++++++
 .../Security/CWE/CWE-327/test2.cpp            | 254 ++++++++++++++++++
 4 files changed, 393 insertions(+)
 create mode 100644 cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
 create mode 100644 cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qlref
 create mode 100644 cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
 create mode 100644 cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
new file mode 100644
index 00000000000..47f6e1daa7e
--- /dev/null
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
@@ -0,0 +1,29 @@
+| test2.cpp:25:2:25:9 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:33:7:33:14 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:47:7:47:14 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This function call specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:62:33:62:40 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:124:4:124:24 | call to my_des_implementation | This function call specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:172:28:172:35 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:182:38:182:45 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:192:26:192:33 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:39:2:39:31 | ENCRYPT_WITH_RC2(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:41:2:41:32 | ENCRYPT_WITH_3DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:42:2:42:38 | ENCRYPT_WITH_TRIPLE_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:43:2:43:32 | ENCRYPT_WITH_RC20(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:44:2:44:39 | ENCRYPT_WITH_DES_REMOVED(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:49:2:49:26 | DES3ENCRYPT(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:51:2:51:32 | DES_DO_ENCRYPTION(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:52:2:52:31 | RUN_DES_ENCODING(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:53:2:53:25 | DES_ENCODE(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:54:2:54:26 | DES_SET_KEY(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:56:2:56:9 | DES(str) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:59:12:59:25 | SORT_ORDER_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:88:2:88:11 | call to encryptDES | This function call specifies a broken or weak cryptographic algorithm. |
+| test.cpp:89:2:89:11 | call to encryptRC2 | This function call specifies a broken or weak cryptographic algorithm. |
+| test.cpp:91:2:91:12 | call to encrypt3DES | This function call specifies a broken or weak cryptographic algorithm. |
+| test.cpp:92:2:92:17 | call to encryptTripleDES | This function call specifies a broken or weak cryptographic algorithm. |
+| test.cpp:97:2:97:12 | call to DES3Encrypt | This function call specifies a broken or weak cryptographic algorithm. |
+| test.cpp:101:2:101:15 | call to do_des_encrypt | This function call specifies a broken or weak cryptographic algorithm. |
+| test.cpp:102:2:102:12 | call to DES_Set_Key | This function call specifies a broken or weak cryptographic algorithm. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qlref
new file mode 100644
index 00000000000..8424dee1a9b
--- /dev/null
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
\ No newline at end of file
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
new file mode 100644
index 00000000000..4a03b8a5261
--- /dev/null
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
@@ -0,0 +1,109 @@
+
+typedef unsigned long size_t;
+
+// --- simple encryption macro invocations ---
+
+void my_implementation1(void *data, size_t amount);
+void my_implementation2(void *data, size_t amount);
+void my_implementation3(void *data, size_t amount);
+void my_implementation4(void *data, size_t amount);
+void my_implementation5(void *data, size_t amount);
+void my_implementation6(const char *str);
+
+#define ENCRYPT_WITH_DES(data, amount) my_implementation1(data, amount)
+#define ENCRYPT_WITH_RC2(data, amount) my_implementation2(data, amount)
+#define ENCRYPT_WITH_AES(data, amount) my_implementation3(data, amount)
+#define ENCRYPT_WITH_3DES(data, amount) my_implementation4(data, amount)
+#define ENCRYPT_WITH_TRIPLE_DES(data, amount) my_implementation4(data, amount)
+#define ENCRYPT_WITH_RC20(data, amount) my_implementation5(data, amount)
+#define ENCRYPT_WITH_DES_REMOVED(data, amount)
+
+#define DESENCRYPT(data, amount) my_implementation1(data, amount)
+#define RC2ENCRYPT(data, amount) my_implementation2(data, amount)
+#define AESENCRYPT(data, amount) my_implementation3(data, amount)
+#define DES3ENCRYPT(data, amount) my_implementation4(data, amount)
+
+#define DES_DO_ENCRYPTION(data, amount) my_implementation1(data, amount)
+#define RUN_DES_ENCODING(data, amount) my_implementation1(data, amount)
+#define DES_ENCODE(data, amount) my_implementation1(data, amount)
+#define DES_SET_KEY(data, amount) my_implementation1(data, amount)
+
+#define DES(str) my_implementation6(str)
+#define DESMOND(str) my_implementation6(str)
+#define ANODES(str) my_implementation6(str)
+#define SORT_ORDER_DES (1)
+
+void test_macros(void *data, size_t amount, const char *str)
+{
+	ENCRYPT_WITH_DES(data, amount); // BAD
+	ENCRYPT_WITH_RC2(data, amount); // BAD
+	ENCRYPT_WITH_AES(data, amount); // GOOD (good algorithm)
+	ENCRYPT_WITH_3DES(data, amount); // GOOD (good enough algorithm) [FALSE POSITIVE]
+	ENCRYPT_WITH_TRIPLE_DES(data, amount); // GOOD (good enough algorithm) [FALSE POSITIVE]
+	ENCRYPT_WITH_RC20(data, amount); // GOOD (if there ever is an RC20 algorithm, we have no reason to believe it's weak) [FALSE POSITIVE]
+	ENCRYPT_WITH_DES_REMOVED(data, amount); // GOOD (implementation has been deleted) [FALSE POSITIVE]
+
+	DESENCRYPT(data, amount); // BAD [NOT DETECTED]
+	RC2ENCRYPT(data, amount); // BAD [NOT DETECTED]
+	AESENCRYPT(data, amount); // GOOD (good algorithm)
+	DES3ENCRYPT(data, amount); // GOOD (good enough algorithm) [FALSE POSITIVE]
+
+	DES_DO_ENCRYPTION(data, amount); // BAD
+	RUN_DES_ENCODING(data, amount); // BAD
+	DES_ENCODE(data, amount); // BAD
+	DES_SET_KEY(data, amount); // BAD
+
+	DES(str); // GOOD (probably nothing to do with encryption) [FALSE POSITIVE]
+	DESMOND(str); // GOOD (probably nothing to do with encryption)
+	ANODES(str); // GOOD (probably nothing to do with encryption)
+	int ord = SORT_ORDER_DES; // GOOD (probably nothing to do with encryption) [FALSE POSITIVE]
+}
+
+// --- simple encryption function calls ---
+
+void encryptDES(void *data, size_t amount);
+void encryptRC2(void *data, size_t amount);
+void encryptAES(void *data, size_t amount);
+void encrypt3DES(void *data, size_t amount);
+void encryptTripleDES(void *data, size_t amount);
+
+void DESEncrypt(void *data, size_t amount);
+void RC2Encrypt(void *data, size_t amount);
+void AESEncrypt(void *data, size_t amount);
+void DES3Encrypt(void *data, size_t amount);
+
+void DoDESEncryption(void *data, size_t amount);
+void encryptDes(void *data, size_t amount);
+void do_des_encrypt(void *data, size_t amount);
+void DES_Set_Key(const char *key);
+void DESSetKey(const char *key);
+
+int Des();
+void Desmond(const char *str);
+void Anodes(int i);
+void ConDes();
+
+void test_functions(void *data, size_t amount, const char *str)
+{
+	encryptDES(data, amount); // BAD
+	encryptRC2(data, amount); // BAD
+	encryptAES(data, amount); // GOOD (good algorithm)
+	encrypt3DES(data, amount); // GOOD (good enough algorithm) [FALSE POSITIVE]
+	encryptTripleDES(data, amount); // GOOD (good enough algorithm) [FALSE POSITIVE]
+
+	DESEncrypt(data, amount); // BAD
+	RC2Encrypt(data, amount); // BAD
+	AESEncrypt(data, amount); // GOOD (good algorithm)
+	DES3Encrypt(data, amount); // GOOD (good enough algorithm) [FALSE POSITIVE]
+
+	DoDESEncryption(data, amount); // BAD [NOT DETECTED]
+	encryptDes(data, amount); // BAD [NOT DETECTED]
+	do_des_encrypt(data, amount); // BAD
+	DES_Set_Key(str); // BAD
+	DESSetKey(str); // BAD [NOT DETECTED]
+
+	Des(); // GOOD (probably nothing to do with encryption)
+	Desmond(str); // GOOD (probably nothing to do with encryption)
+	Anodes(1); // GOOD (probably nothing to do with encryption)
+	ConDes(); // GOOD (probably nothing to do with encryption)
+}
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
new file mode 100644
index 00000000000..774d541950f
--- /dev/null
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
@@ -0,0 +1,254 @@
+
+typedef unsigned long size_t;
+
+int strcmp(const char *s1, const char *s2);
+void abort(void);
+
+struct keytype
+{
+    char data[16];
+};
+
+void my_des_implementation(char *data, size_t amount, keytype key);
+void my_rc2_implementation(char *data, size_t amount, keytype key);
+void my_aes_implementation(char *data, size_t amount, keytype key);
+void my_3des_implementation(char *data, size_t amount, keytype key);
+
+typedef void (*implementation_fn_ptr)(char *data, size_t amount, keytype key);
+
+// --- more involved C-style example ---
+
+#define ALGO_DES (1)
+#define ALGO_AES (2)
+
+int all_algos[] = {
+	ALGO_DES, // [FALSE POSITIVE]
+	ALGO_AES
+};
+
+void encrypt_good(char *data, size_t amount, keytype key, int algo)
+{
+	switch (algo)
+	{
+	case ALGO_DES: // [FALSE POSITIVE]
+		abort();
+
+	case ALGO_AES:
+		{
+			my_aes_implementation(data, amount, key); // GOOD
+		} break;
+	}
+};
+
+void encrypt_bad(char *data, size_t amount, keytype key, int algo)
+{
+	switch (algo)
+	{
+	case ALGO_DES:
+		{
+			my_des_implementation(data, amount, key); // BAD
+		} break;
+
+	case ALGO_AES:
+		{
+			my_aes_implementation(data, amount, key); // GOOD
+		} break;
+	}
+};
+
+void do_encrypts(char *data, size_t amount, keytype key)
+{
+	encrypt_good(data, amount, key, ALGO_AES); // GOOD
+	encrypt_bad(data, amount, key, ALGO_DES); // BAD
+}
+
+// --- more involved CPP-style example ---
+
+enum algorithm
+{
+	DES,
+	AES
+};
+
+algorithm all_algorithms[] = {
+	DES,
+	AES
+};
+
+class MyGoodEncryptor
+{
+public:
+	MyGoodEncryptor(keytype _key, algorithm _algo) : key(_key), algo(_algo) {};
+
+	void encrypt(char *data, size_t amount);
+
+private:
+	keytype key;
+	algorithm algo;
+};
+
+void MyGoodEncryptor :: encrypt(char *data, size_t amount)
+{
+	switch (algo)
+	{
+	case DES:
+		{
+			throw "DES is not a good choice of encryption algorithm!";
+		} break;
+
+	case AES:
+		{
+			my_aes_implementation(data, amount, key); // GOOD
+		} break;
+	}
+}
+
+class MyBadEncryptor
+{
+public:
+	MyBadEncryptor(keytype _key, algorithm _algo) : key(_key), algo(_algo) {};
+
+	void encrypt(char *data, size_t amount);
+
+private:
+	keytype key;
+	algorithm algo;
+};
+
+void MyBadEncryptor :: encrypt(char *data, size_t amount)
+{
+	switch (algo)
+	{
+	case DES:
+		{
+			my_des_implementation(data, amount, key); // BAD
+		} break;
+
+	case AES:
+		{
+			my_aes_implementation(data, amount, key); // GOOD
+		} break;
+	}
+}
+
+void do_class_encrypts(char *data, size_t amount, keytype key)
+{
+	{
+		MyGoodEncryptor mge(key, AES); // GOOD
+
+		mge.encrypt(data, amount);
+
+	}
+
+	{
+		MyBadEncryptor mbe(key, DES); // BAD [NOT DETECTED]
+
+		mbe.encrypt(data, amount);
+	}
+}
+
+// --- unseen implementation ---
+
+enum use_algorithm
+{
+	USE_DES,
+	USE_AES
+};
+
+void set_encryption_algorithm1(int algorithm);
+void set_encryption_algorithm2(use_algorithm algorithm);
+void set_encryption_algorithm3(const char *algorithm_str);
+
+void encryption_with1(char *data, size_t amount, keytype key, int algorithm);
+void encryption_with2(char *data, size_t amount, keytype key, use_algorithm algorithm);
+void encryption_with3(char *data, size_t amount, keytype key, const char *algorithm_str);
+
+int get_algorithm1();
+use_algorithm get_algorithm2();
+const char *get_algorithm3();
+
+void do_unseen_encrypts(char *data, size_t amount, keytype key)
+{
+	set_encryption_algorithm1(ALGO_DES); // BAD
+	set_encryption_algorithm1(ALGO_AES); // GOOD
+
+	set_encryption_algorithm2(USE_DES); // BAD [NOT DETECTED]
+	set_encryption_algorithm2(USE_AES); // GOOD
+
+	set_encryption_algorithm3("DES"); // BAD [NOT DETECTED]
+	set_encryption_algorithm3("AES"); // GOOD
+	set_encryption_algorithm3("AES-256"); // GOOD
+
+	encryption_with1(data, amount, key, ALGO_DES); // BAD
+	encryption_with1(data, amount, key, ALGO_AES); // GOOD
+
+	encryption_with2(data, amount, key, USE_DES); // BAD [NOT DETECTED]
+	encryption_with2(data, amount, key, USE_AES); // GOOD
+
+	encryption_with3(data, amount, key, "DES"); // BAD [NOT DETECTED]
+	encryption_with3(data, amount, key, "AES"); // GOOD
+	encryption_with3(data, amount, key, "AES-256"); // GOOD
+
+	if (get_algorithm1() == ALGO_DES) // GOOD [FALSE POSITIVE]
+	{
+		throw "DES is not a good choice of encryption algorithm!";
+	}
+	if (get_algorithm2() == USE_DES) // GOOD
+	{
+		throw "DES is not a good choice of encryption algorithm!";
+	}
+	if (strcmp(get_algorithm3(), "DES") == 0) // GOOD
+	{
+		throw "DES is not a good choice of encryption algorithm!";
+	}
+}
+
+// --- classes ---
+
+class desEncrypt
+{
+public:
+	static void encrypt(const char *data);
+};
+
+class aes256Encrypt
+{
+public:
+	static void encrypt(const char *data);
+};
+
+class desCipher
+{
+public:
+	void encrypt(const char *data);
+};
+
+class aesCipher
+{
+public:
+	void encrypt(const char *data);
+};
+
+void do_classes(const char *data)
+{
+	desEncrypt::encrypt(data); // BAD [NOT DETECTED]
+	aes256Encrypt::encrypt(data); // GOOD
+
+	desCipher dc;
+	aesCipher ac;
+	dc.encrypt(data); // BAD [NOT DETECTED]
+	ac.encrypt(data); // GOOD
+}
+
+// --- function pointer ---
+
+void do_fn_ptr(char *data, size_t amount, keytype key)
+{
+	implementation_fn_ptr impl;
+
+	impl = &my_des_implementation; // BAD [NOT DETECTED]
+	impl(data, amount, key);
+
+	impl = &my_aes_implementation; // GOOD
+	impl(data, amount, key);
+}

From b6d5f7c315b71b8ac135a53cf1796e86dd18fc03 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 12 May 2021 14:45:59 +0100
Subject: [PATCH 1019/1429] C++: Fix FPs caused by substring regexp.

---
 .../semmle/code/cpp/security/Encryption.qll   | 34 ++++++++++---------
 .../CWE-327/BrokenCryptoAlgorithm.expected    |  5 ---
 .../query-tests/Security/CWE/CWE-327/test.cpp | 10 +++---
 3 files changed, 23 insertions(+), 26 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
index 606242e833c..24c69f93758 100644
--- a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
@@ -27,14 +27,15 @@ string getAnInsecureHashAlgorithmName() { result = ["SHA1", "MD5"] }
 string getInsecureAlgorithmRegex() {
   result =
     // algorithms usually appear in names surrounded by characters that are not
-    // alphabetical characters in the same case. This handles the upper and lower
-    // case cases
-    "(^|.*[^A-Z])(" + strictconcat(getAnInsecureAlgorithmName(), "|") + ")([^A-Z].*|$)" + "|" +
-      // for lowercase, we want to be careful to avoid being confused by camelCase
-      // hence we require two preceding uppercase letters to be sure of a case switch,
-      // or a preceding non-alphabetic character
-      "(^|.*[A-Z]{2}|.*[^a-zA-Z])(" + strictconcat(getAnInsecureAlgorithmName().toLowerCase(), "|") +
-      ")([^a-z].*|$)"
+    // alphabetical characters in the same case or numerical digits. This
+    // handles the upper case:
+    "(^|.*[^A-Z0-9])(" + strictconcat(getAnInsecureAlgorithmName(), "|") + ")([^A-Z0-9].*|$)" + "|" +
+      // for lowercase, we want to be careful to avoid being confused by
+      //camelCase, hence we require two preceding uppercase letters to be
+      // sure of a case switch (or a preceding non-alphabetic, non-numeric
+      // character).
+      "(^|.*[A-Z]{2}|.*[^a-zA-Z0-9])(" +
+      strictconcat(getAnInsecureAlgorithmName().toLowerCase(), "|") + ")([^a-z0-9].*|$)"
 }
 
 /**
@@ -51,14 +52,15 @@ string getASecureAlgorithmName() {
 string getSecureAlgorithmRegex() {
   result =
     // algorithms usually appear in names surrounded by characters that are not
-    // alphabetical characters in the same case. This handles the upper and lower
-    // case cases
-    "(^|.*[^A-Z])(" + strictconcat(getASecureAlgorithmName(), "|") + ")([^A-Z].*|$)" + "|" +
-      // for lowercase, we want to be careful to avoid being confused by camelCase
-      // hence we require two preceding uppercase letters to be sure of a case
-      // switch, or a preceding non-alphabetic character
-      "(^|.*[A-Z]{2}|.*[^a-zA-Z])(" + strictconcat(getASecureAlgorithmName().toLowerCase(), "|") +
-      ")([^a-z].*|$)"
+    // alphabetical characters in the same case or numerical digits. This
+    // handles the upper case:
+    "(^|.*[^A-Z0-9])(" + strictconcat(getASecureAlgorithmName(), "|") + ")([^A-Z0-9].*|$)" + "|" +
+      // for lowercase, we want to be careful to avoid being confused by
+      //camelCase, hence we require two preceding uppercase letters to be
+      // sure of a case switch (or a preceding non-alphabetic, non-numeric
+      // character).
+      "(^|.*[A-Z]{2}|.*[^a-zA-Z0-9])(" + strictconcat(getASecureAlgorithmName().toLowerCase(), "|") +
+      ")([^a-z0-9].*|$)"
 }
 
 /**
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
index 47f6e1daa7e..f4ecaf8560f 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
@@ -9,11 +9,8 @@
 | test2.cpp:192:26:192:33 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:39:2:39:31 | ENCRYPT_WITH_RC2(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:41:2:41:32 | ENCRYPT_WITH_3DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:42:2:42:38 | ENCRYPT_WITH_TRIPLE_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:43:2:43:32 | ENCRYPT_WITH_RC20(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:44:2:44:39 | ENCRYPT_WITH_DES_REMOVED(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:49:2:49:26 | DES3ENCRYPT(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:51:2:51:32 | DES_DO_ENCRYPTION(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:52:2:52:31 | RUN_DES_ENCODING(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:53:2:53:25 | DES_ENCODE(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
@@ -22,8 +19,6 @@
 | test.cpp:59:12:59:25 | SORT_ORDER_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:88:2:88:11 | call to encryptDES | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:89:2:89:11 | call to encryptRC2 | This function call specifies a broken or weak cryptographic algorithm. |
-| test.cpp:91:2:91:12 | call to encrypt3DES | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:92:2:92:17 | call to encryptTripleDES | This function call specifies a broken or weak cryptographic algorithm. |
-| test.cpp:97:2:97:12 | call to DES3Encrypt | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:101:2:101:15 | call to do_des_encrypt | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:102:2:102:12 | call to DES_Set_Key | This function call specifies a broken or weak cryptographic algorithm. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
index 4a03b8a5261..da73b8b35fa 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
@@ -38,15 +38,15 @@ void test_macros(void *data, size_t amount, const char *str)
 	ENCRYPT_WITH_DES(data, amount); // BAD
 	ENCRYPT_WITH_RC2(data, amount); // BAD
 	ENCRYPT_WITH_AES(data, amount); // GOOD (good algorithm)
-	ENCRYPT_WITH_3DES(data, amount); // GOOD (good enough algorithm) [FALSE POSITIVE]
+	ENCRYPT_WITH_3DES(data, amount); // GOOD (good enough algorithm)
 	ENCRYPT_WITH_TRIPLE_DES(data, amount); // GOOD (good enough algorithm) [FALSE POSITIVE]
-	ENCRYPT_WITH_RC20(data, amount); // GOOD (if there ever is an RC20 algorithm, we have no reason to believe it's weak) [FALSE POSITIVE]
+	ENCRYPT_WITH_RC20(data, amount); // GOOD (if there ever is an RC20 algorithm, we have no reason to believe it's weak)
 	ENCRYPT_WITH_DES_REMOVED(data, amount); // GOOD (implementation has been deleted) [FALSE POSITIVE]
 
 	DESENCRYPT(data, amount); // BAD [NOT DETECTED]
 	RC2ENCRYPT(data, amount); // BAD [NOT DETECTED]
 	AESENCRYPT(data, amount); // GOOD (good algorithm)
-	DES3ENCRYPT(data, amount); // GOOD (good enough algorithm) [FALSE POSITIVE]
+	DES3ENCRYPT(data, amount); // GOOD (good enough algorithm)
 
 	DES_DO_ENCRYPTION(data, amount); // BAD
 	RUN_DES_ENCODING(data, amount); // BAD
@@ -88,13 +88,13 @@ void test_functions(void *data, size_t amount, const char *str)
 	encryptDES(data, amount); // BAD
 	encryptRC2(data, amount); // BAD
 	encryptAES(data, amount); // GOOD (good algorithm)
-	encrypt3DES(data, amount); // GOOD (good enough algorithm) [FALSE POSITIVE]
+	encrypt3DES(data, amount); // GOOD (good enough algorithm)
 	encryptTripleDES(data, amount); // GOOD (good enough algorithm) [FALSE POSITIVE]
 
 	DESEncrypt(data, amount); // BAD
 	RC2Encrypt(data, amount); // BAD
 	AESEncrypt(data, amount); // GOOD (good algorithm)
-	DES3Encrypt(data, amount); // GOOD (good enough algorithm) [FALSE POSITIVE]
+	DES3Encrypt(data, amount); // GOOD (good enough algorithm)
 
 	DoDESEncryption(data, amount); // BAD [NOT DETECTED]
 	encryptDes(data, amount); // BAD [NOT DETECTED]

From 9404d0676dc6a7ab4b8a3216cb65c07f8e627c19 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 12 May 2021 14:51:47 +0100
Subject: [PATCH 1020/1429] C++: Exclude macros that don't generate anything.

---
 .../Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql    | 12 ++++++++++--
 .../CWE/CWE-327/BrokenCryptoAlgorithm.expected       |  1 -
 .../test/query-tests/Security/CWE/CWE-327/test.cpp   |  2 +-
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index af64a1789c3..b8f86381216 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -23,7 +23,10 @@ Function getAnInsecureFunction() {
 }
 
 class InsecureFunctionCall extends InsecureCryptoSpec, FunctionCall {
-  InsecureFunctionCall() { this.getTarget() = getAnInsecureFunction() }
+  InsecureFunctionCall() {
+    // the function name suggests it relates to an insecure crypto algorithm.
+    this.getTarget() = getAnInsecureFunction()
+  }
 
   override string description() { result = "function call" }
 
@@ -38,7 +41,12 @@ Macro getAnInsecureMacro() {
 }
 
 class InsecureMacroSpec extends InsecureCryptoSpec, MacroInvocation {
-  InsecureMacroSpec() { this.getMacro() = getAnInsecureMacro() }
+  InsecureMacroSpec() {
+    // the macro name suggests it relates to an insecure crypto algorithm.
+    this.getMacro() = getAnInsecureMacro() and
+    // the macro invocation generates something.
+    exists(this.getAGeneratedElement())
+  }
 
   override string description() { result = "macro invocation" }
 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
index f4ecaf8560f..62fdec370ce 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
@@ -10,7 +10,6 @@
 | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:39:2:39:31 | ENCRYPT_WITH_RC2(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:42:2:42:38 | ENCRYPT_WITH_TRIPLE_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:44:2:44:39 | ENCRYPT_WITH_DES_REMOVED(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:51:2:51:32 | DES_DO_ENCRYPTION(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:52:2:52:31 | RUN_DES_ENCODING(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:53:2:53:25 | DES_ENCODE(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
index da73b8b35fa..2fbd9ae73d5 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
@@ -41,7 +41,7 @@ void test_macros(void *data, size_t amount, const char *str)
 	ENCRYPT_WITH_3DES(data, amount); // GOOD (good enough algorithm)
 	ENCRYPT_WITH_TRIPLE_DES(data, amount); // GOOD (good enough algorithm) [FALSE POSITIVE]
 	ENCRYPT_WITH_RC20(data, amount); // GOOD (if there ever is an RC20 algorithm, we have no reason to believe it's weak)
-	ENCRYPT_WITH_DES_REMOVED(data, amount); // GOOD (implementation has been deleted) [FALSE POSITIVE]
+	ENCRYPT_WITH_DES_REMOVED(data, amount); // GOOD (implementation has been deleted)
 
 	DESENCRYPT(data, amount); // BAD [NOT DETECTED]
 	RC2ENCRYPT(data, amount); // BAD [NOT DETECTED]

From 52a88af6c1e7f2ffbb51dfc3fe8f499ca95ba189 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 12 May 2021 14:58:21 +0100
Subject: [PATCH 1021/1429] C++: Exclude macro invocations in switch case
 expressions.

---
 cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql     | 5 ++++-
 .../Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected      | 3 ---
 cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp       | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index b8f86381216..296f6bec3f8 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -45,7 +45,10 @@ class InsecureMacroSpec extends InsecureCryptoSpec, MacroInvocation {
     // the macro name suggests it relates to an insecure crypto algorithm.
     this.getMacro() = getAnInsecureMacro() and
     // the macro invocation generates something.
-    exists(this.getAGeneratedElement())
+    exists(this.getAGeneratedElement().(ControlFlowNode)) and
+    // exclude expressions controlling ifs/switches (as they may not be used).
+    not any(IfStmt c).getCondition().getAChild*() = this.getAGeneratedElement() and
+    not any(SwitchCase c).getExpr().getAChild*() = this.getAGeneratedElement()
   }
 
   override string description() { result = "macro invocation" }
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
index 62fdec370ce..35be30d162c 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
@@ -1,12 +1,9 @@
 | test2.cpp:25:2:25:9 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:33:7:33:14 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:47:7:47:14 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:49:4:49:24 | call to my_des_implementation | This function call specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:62:33:62:40 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:124:4:124:24 | call to my_des_implementation | This function call specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:172:28:172:35 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:182:38:182:45 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:192:26:192:33 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:39:2:39:31 | ENCRYPT_WITH_RC2(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:42:2:42:38 | ENCRYPT_WITH_TRIPLE_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
index 774d541950f..80e8691426c 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
@@ -30,7 +30,7 @@ void encrypt_good(char *data, size_t amount, keytype key, int algo)
 {
 	switch (algo)
 	{
-	case ALGO_DES: // [FALSE POSITIVE]
+	case ALGO_DES:
 		abort();
 
 	case ALGO_AES:
@@ -189,7 +189,7 @@ void do_unseen_encrypts(char *data, size_t amount, keytype key)
 	encryption_with3(data, amount, key, "AES"); // GOOD
 	encryption_with3(data, amount, key, "AES-256"); // GOOD
 
-	if (get_algorithm1() == ALGO_DES) // GOOD [FALSE POSITIVE]
+	if (get_algorithm1() == ALGO_DES) // GOOD
 	{
 		throw "DES is not a good choice of encryption algorithm!";
 	}

From 0450caa73df21b92914b4633ceba4f613aea8b74 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 12 May 2021 19:39:30 +0100
Subject: [PATCH 1022/1429] C++: Exclude array initializers.

---
 cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql      | 4 +++-
 .../Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected       | 1 -
 cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp        | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index 296f6bec3f8..3015528114d 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -48,7 +48,9 @@ class InsecureMacroSpec extends InsecureCryptoSpec, MacroInvocation {
     exists(this.getAGeneratedElement().(ControlFlowNode)) and
     // exclude expressions controlling ifs/switches (as they may not be used).
     not any(IfStmt c).getCondition().getAChild*() = this.getAGeneratedElement() and
-    not any(SwitchCase c).getExpr().getAChild*() = this.getAGeneratedElement()
+    not any(SwitchCase c).getExpr().getAChild*() = this.getAGeneratedElement() and
+    // exclude expressions in array initializers (as they may not be used).
+    not any(AggregateLiteral i).getAChild*() = this.getAGeneratedElement() 
   }
 
   override string description() { result = "macro invocation" }
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
index 35be30d162c..8b17f1a83b7 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
@@ -1,4 +1,3 @@
-| test2.cpp:25:2:25:9 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:49:4:49:24 | call to my_des_implementation | This function call specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:62:33:62:40 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:124:4:124:24 | call to my_des_implementation | This function call specifies a broken or weak cryptographic algorithm. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
index 80e8691426c..622db3aff0e 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
@@ -22,7 +22,7 @@ typedef void (*implementation_fn_ptr)(char *data, size_t amount, keytype key);
 #define ALGO_AES (2)
 
 int all_algos[] = {
-	ALGO_DES, // [FALSE POSITIVE]
+	ALGO_DES,
 	ALGO_AES
 };
 

From fe12e620dde570aba2fea1746b460e61707c040d Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Wed, 12 May 2021 18:37:42 +0000
Subject: [PATCH 1023/1429] Python: Avoid clobbering `range` in test

This was an unwanted interaction between two unrelated tests, so I
switched to a different built-in in the second test. I also added a test
case that shows an unfortunate side effect of this more restricted
handling of built-ins.
---
 .../experimental/dataflow/ApiGraphs/test.py    | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/test.py b/python/ql/test/experimental/dataflow/ApiGraphs/test.py
index 5a382f3d6cc..f4988e41a0f 100644
--- a/python/ql/test/experimental/dataflow/ApiGraphs/test.py
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/test.py
@@ -122,14 +122,18 @@ def redefine_print():
     print = my_print
     print("these words")
 
-def local_redefine_range():
-    range = 5
-    return range
+def local_redefine_chr():
+    chr = 5
+    return chr
 
-def global_redefine_range():
-    global range
-    range = 6
-    return range #$ SPURIOUS: use=moduleImport("builtins").getMember("range")
+def global_redefine_chr():
+    global chr
+    chr = 6
+    return chr
+
+def what_is_chr_now():
+    # If global_redefine_chr has been run, then the following is _not_ a reference to the built-in chr
+    return chr(123) #$ MISSING: use=moduleImport("builtins").getMember("chr").getReturn()
 
 def obscured_print():
     p = print #$ use=moduleImport("builtins").getMember("print")

From 2efa0ad1055ca58ef492c639aa2b40c4c83dcb98 Mon Sep 17 00:00:00 2001
From: Evgenii Protsenko <procenkoeg@yandex.ru>
Date: Wed, 12 May 2021 22:36:24 +0300
Subject: [PATCH 1024/1429] [C++] Implement module ClickHouseDriver.qll

---
 .../CWE-089/ClickHouseSQLInjection.py         | 28 ++++++
 .../CWE-089/ClickHouseSQLInjection.qhelp      | 57 +++++++++++++
 .../CWE-089/ClickHouseSQLInjection.ql         | 22 +++++
 .../python/frameworks/ClickHouseDriver.qll    | 85 +++++++++++++++++++
 4 files changed, 192 insertions(+)
 create mode 100644 python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.py
 create mode 100644 python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.qhelp
 create mode 100644 python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.ql
 create mode 100644 python/ql/src/experimental/semmle/python/frameworks/ClickHouseDriver.qll

diff --git a/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.py b/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.py
new file mode 100644
index 00000000000..c6a2875df23
--- /dev/null
+++ b/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.py
@@ -0,0 +1,28 @@
+from django.conf.urls import url
+from clickhouse_driver import Client
+from clickhouse_driver import connect
+from aioch import Client as aiochClient
+
+def show_user(request, username):
+
+    # BAD -- async library 'aioch'
+    aclient = aiochClient("localhost")
+    progress = await aclient.execute_with_progress("SELECT * FROM users WHERE username = '%s'" % username)
+
+    # BAD -- client excute
+    client = Client('localhost')
+    client.execute("SELECT * FROM users WHERE username = '%s'" % username)
+
+    # BAD -- client excute oneliner
+    Client('localhost').execute("SELECT * FROM users WHERE username = '%s'" % username)
+
+    # GOOD -- send username through params
+    query = "SELECT * FROM users WHERE username = %(username)s"
+    Client('localhost').execute(query, {"username": username})
+
+    # BAD -- PEP249 interface
+    conn = connect('clickhouse://localhost')
+    cursor = conn.cursor()
+    cursor.execute("SELECT * FROM users WHERE username = '%s'" % username)
+
+urlpatterns = [url(r'^users/(?P<username>[^/]+)$', show_user)]
diff --git a/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.qhelp b/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.qhelp
new file mode 100644
index 00000000000..42edf58cd6e
--- /dev/null
+++ b/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.qhelp
@@ -0,0 +1,57 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+If a database query (such as a SQL or NoSQL query) is built from
+user-provided data without sufficient sanitization, a user
+may be able to run malicious database queries.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Most database connector libraries offer a way of safely
+embedding untrusted data into a query by means of query parameters
+or prepared statements.
+</p>
+</recommendation>
+
+<example>
+<p>
+In the following snippet, a user is fetched from the ClickHouse database
+using five different queries. In bad patterns query is build by formatting
+string with user-controlled data. In a qood pattern user-supplied parameter
+is send through a second argument (params) which is dict. Following cases
+show different types of communication with ClickHouse database.
+</p>
+
+<p>
+In the first case, the query executed via aioch Client. aioch - is a module
+for asynchronous queries to database.
+</p>
+
+<p>
+In the second and third cases, the connection is established via `Client` class.
+This class implement different method to execute a query.
+</p>
+
+<p>
+In the forth case, good pattern is presented. Query parameters are send through
+second dict-like argument.
+</p>
+
+<p>
+In the fifth case, there is example of PEP249 interface usage.
+</p>
+
+<sample src="ClickHouseSQLInjection.py" />
+</example>
+
+<references>
+<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/SQL_injection">SQL injection</a>.</li>
+<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html">SQL Injection Prevention Cheat Sheet</a>.</li>
+</references>
+</qhelp>
diff --git a/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.ql b/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.ql
new file mode 100644
index 00000000000..f0efb523756
--- /dev/null
+++ b/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.ql
@@ -0,0 +1,22 @@
+/**
+ * @id py/yandex/clickhouse-sql-injection
+ * @name Clickhouse SQL query built from user-controlled sources
+ * @description Building a SQL query from user-controlled sources is vulnerable to insertion of
+ *              malicious SQL code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-089
+ *       external/owasp/owasp-a1
+ */
+
+import python
+import experimental.semmle.python.frameworks.ClickHouseDriver
+import semmle.python.security.dataflow.SqlInjection
+import DataFlow::PathGraph
+
+from SQLInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This SQL query depends on $@.", source.getNode(),
+  "a user-provided value"
diff --git a/python/ql/src/experimental/semmle/python/frameworks/ClickHouseDriver.qll b/python/ql/src/experimental/semmle/python/frameworks/ClickHouseDriver.qll
new file mode 100644
index 00000000000..592e003d35b
--- /dev/null
+++ b/python/ql/src/experimental/semmle/python/frameworks/ClickHouseDriver.qll
@@ -0,0 +1,85 @@
+/**
+ * Provides classes modeling security-relevant aspects of `clickhouse-driver` and `aioch` PyPI packages.
+ * See
+ * - https://pypi.org/project/clickhouse-driver/
+ * - https://pypi.org/project/aioch/
+ * - https://clickhouse-driver.readthedocs.io/en/latest/
+ */
+
+private import python
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.PEP249
+
+/**
+ * Provides models for `clickhouse-driver` and `aioch` PyPI packages.
+ * See
+ * - https://pypi.org/project/clickhouse-driver/
+ * - https://pypi.org/project/aioch/
+ * - https://clickhouse-driver.readthedocs.io/en/latest/
+ */
+module ClickHouseDriver {
+  /** Gets a reference to the `clickhouse_driver` module. */
+  API::Node clickhouse_driver() { result = API::moduleImport("clickhouse_driver") }
+
+  /** Gets a reference to the `aioch` module. This module allows to make async db queries. */
+  API::Node aioch() { result = API::moduleImport("aioch") }
+
+  /**
+   * `clickhouse_driver` implements PEP249,
+   * providing ways to execute SQL statements against a database.
+   */
+  class ClickHouseDriverPEP249 extends PEP249ModuleApiNode {
+    ClickHouseDriverPEP249() { this = clickhouse_driver() }
+  }
+
+  module Client {
+    /** Gets a reference to a Client call. */
+    private DataFlow::Node client_ref() {
+      result = clickhouse_driver().getMember("Client").getAUse()
+      or
+      result = aioch().getMember("Client").getAUse()
+    }
+
+    /** A direct instantiation of `clickhouse_driver.Client`. */
+    private class ClientInstantiation extends DataFlow::CallCfgNode {
+      ClientInstantiation() { this.getFunction() = client_ref() }
+    }
+
+    /** Gets a reference to an instance of `clickhouse_driver.Client`. */
+    private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
+      t.start() and
+      result instanceof ClientInstantiation
+      or
+      exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
+    }
+
+    /** Gets a reference to an instance of `clickhouse_driver.Client`. */
+    DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
+  }
+
+  /** clickhouse_driver.Client execute methods */
+  private string execute_function() {
+    result in ["execute_with_progress", "execute", "execute_iter"]
+  }
+
+  /** Gets a reference to the `clickhouse_driver.Client.execute` method */
+  private DataFlow::LocalSourceNode clickhouse_execute(DataFlow::TypeTracker t) {
+    t.startInAttr(execute_function()) and
+    result = Client::instance()
+    or
+    exists(DataFlow::TypeTracker t2 | result = clickhouse_execute(t2).track(t2, t))
+  }
+
+  /** Gets a reference to the `clickhouse_driver.Client.execute` method */
+  DataFlow::Node clickhouse_execute() {
+    clickhouse_execute(DataFlow::TypeTracker::end()).flowsTo(result)
+  }
+
+  /** A call to the `clickhouse_driver.Client.execute` method */
+  private class ExecuteCall extends SqlExecution::Range, DataFlow::CallCfgNode {
+    ExecuteCall() { this.getFunction() = clickhouse_execute() }
+
+    override DataFlow::Node getSql() { result.asCfgNode() = node.getArg(0) }
+  }
+}

From 34fbafafde8be89e1383b378c052cbcdcdcc7000 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 12 May 2021 22:34:44 +0200
Subject: [PATCH 1025/1429] remove redundant "put" case

---
 .../ql/src/semmle/javascript/frameworks/ClientRequests.qll      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
index bce5d6a36fc..18204c5b59b 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -242,7 +242,7 @@ module ClientRequest {
       method = "request" and
       result = getOptionArgument(0, "data")
       or
-      method = ["post", "put", "put"] and
+      method = ["post", "put"] and
       result = [getArgument(1), getOptionArgument(2, "data")]
       or
       result = getOptionArgument([0 .. 2], ["headers", "params"])

From 470e3eb08924f3b475cec215c9905d3603778280 Mon Sep 17 00:00:00 2001
From: Evgenii Protsenko <procenkoeg@yandex.ru>
Date: Thu, 13 May 2021 00:03:53 +0300
Subject: [PATCH 1026/1429] [python] ClickHouseDriver.qll: add support for
 subclasses

---
 .../Security/CWE-089/ClickHouseSQLInjection.py             | 7 +++++++
 .../Security/CWE-089/ClickHouseSQLInjection.qhelp          | 4 ++++
 .../semmle/python/frameworks/ClickHouseDriver.qll          | 4 ++--
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.py b/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.py
index c6a2875df23..0bd5cac7130 100644
--- a/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.py
+++ b/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.py
@@ -3,6 +3,10 @@ from clickhouse_driver import Client
 from clickhouse_driver import connect
 from aioch import Client as aiochClient
 
+class MyClient(Client):
+    def dummy(self):
+        return None
+
 def show_user(request, username):
 
     # BAD -- async library 'aioch'
@@ -25,4 +29,7 @@ def show_user(request, username):
     cursor = conn.cursor()
     cursor.execute("SELECT * FROM users WHERE username = '%s'" % username)
 
+    # BAD -- MyClient is a subclass of Client
+    MyClient('localhost').execute("SELECT * FROM users WHERE username = '%s'" % username)
+
 urlpatterns = [url(r'^users/(?P<username>[^/]+)$', show_user)]
diff --git a/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.qhelp b/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.qhelp
index 42edf58cd6e..a7077727991 100644
--- a/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.qhelp
+++ b/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.qhelp
@@ -47,6 +47,10 @@ second dict-like argument.
 In the fifth case, there is example of PEP249 interface usage.
 </p>
 
+<p>
+In the sixth case, there is custom Class usge which is a subclass of default Client.
+</p>
+
 <sample src="ClickHouseSQLInjection.py" />
 </example>
 
diff --git a/python/ql/src/experimental/semmle/python/frameworks/ClickHouseDriver.qll b/python/ql/src/experimental/semmle/python/frameworks/ClickHouseDriver.qll
index 592e003d35b..c456b6bdb89 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/ClickHouseDriver.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/ClickHouseDriver.qll
@@ -36,9 +36,9 @@ module ClickHouseDriver {
   module Client {
     /** Gets a reference to a Client call. */
     private DataFlow::Node client_ref() {
-      result = clickhouse_driver().getMember("Client").getAUse()
+      result = clickhouse_driver().getMember("Client").getASubclass*().getAUse()
       or
-      result = aioch().getMember("Client").getAUse()
+      result = aioch().getMember("Client").getASubclass*().getAUse()
     }
 
     /** A direct instantiation of `clickhouse_driver.Client`. */

From fad55b3635994ab25925548b62939e355d6eb474 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Wed, 12 May 2021 21:09:51 +0000
Subject: [PATCH 1027/1429] Python: Reimplement `py/use-of-input`

---
 python/ql/src/Expressions/UseofInput.ql | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/python/ql/src/Expressions/UseofInput.ql b/python/ql/src/Expressions/UseofInput.ql
index 2b11eecfa2b..db905818276 100644
--- a/python/ql/src/Expressions/UseofInput.ql
+++ b/python/ql/src/Expressions/UseofInput.ql
@@ -11,11 +11,11 @@
  */
 
 import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.ApiGraphs
 
-from CallNode call, Context context, ControlFlowNode func
+from DataFlow::CallCfgNode call
 where
-  context.getAVersion().includes(2, _) and
-  call.getFunction() = func and
-  func.pointsTo(context, Value::named("input"), _) and
-  not func.pointsTo(context, Value::named("raw_input"), _)
+  call = API::builtin("input").getACall() and
+  call != API::builtin("raw_input").getACall()
 select call, "The unsafe built-in function 'input' is used in Python 2."

From 79cfe5aca2b19193a1adce28e0cead35fad996a0 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Wed, 12 May 2021 21:23:16 +0000
Subject: [PATCH 1028/1429] Python: Limit `py/use-of-input` to Python 2

---
 python/ql/src/Expressions/UseofInput.ql | 1 +
 1 file changed, 1 insertion(+)

diff --git a/python/ql/src/Expressions/UseofInput.ql b/python/ql/src/Expressions/UseofInput.ql
index db905818276..bf2a71de22e 100644
--- a/python/ql/src/Expressions/UseofInput.ql
+++ b/python/ql/src/Expressions/UseofInput.ql
@@ -16,6 +16,7 @@ import semmle.python.ApiGraphs
 
 from DataFlow::CallCfgNode call
 where
+  major_version() = 2 and
   call = API::builtin("input").getACall() and
   call != API::builtin("raw_input").getACall()
 select call, "The unsafe built-in function 'input' is used in Python 2."

From effa2b162a77031186bf26114e2e6e0e6e847154 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Thu, 6 May 2021 12:05:26 +0800
Subject: [PATCH 1029/1429] Add spring url redirection detect

---
 .../CWE/CWE-601/SpringUrlRedirect.java        |  46 +++++++
 .../CWE/CWE-601/SpringUrlRedirect.qhelp       |  37 +++++
 .../Security/CWE/CWE-601/SpringUrlRedirect.ql |  42 ++++++
 .../CWE/CWE-601/SpringUrlRedirect.qll         |  91 ++++++++++++
 .../CWE-601/SpringUrlRedirect.expected        |  19 +++
 .../security/CWE-601/SpringUrlRedirect.java   |  52 +++++++
 .../security/CWE-601/SpringUrlRedirect.qlref  |   1 +
 .../query-tests/security/CWE-601/options      |   1 +
 .../web/servlet/ModelAndView.java             | 107 +++++++++++++++
 .../org/springframework/web/servlet/View.java |  20 +++
 .../servlet/view/AbstractUrlBasedView.java    |  39 ++++++
 .../web/servlet/view/RedirectView.java        | 129 ++++++++++++++++++
 12 files changed, 584 insertions(+)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.java
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qhelp
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.qlref
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-601/options
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/web/servlet/ModelAndView.java
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/web/servlet/View.java
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/web/servlet/view/AbstractUrlBasedView.java
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/web/servlet/view/RedirectView.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.java b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.java
new file mode 100644
index 00000000000..eba64aab6a8
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.java
@@ -0,0 +1,46 @@
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.servlet.ModelAndView;
+import org.springframework.web.servlet.view.RedirectView;
+
+@Controller
+public class SpringUrlRedirect {
+
+    private final static String VALID_REDIRECT = "http://127.0.0.1";
+
+    @GetMapping("url1")
+    public RedirectView bad1(String redirectUrl, HttpServletResponse response) throws Exception {
+        RedirectView rv = new RedirectView();
+        rv.setUrl(redirectUrl);
+        return rv;
+    }
+
+    @GetMapping("url2")
+    public String bad2(String redirectUrl) {
+        String url = "redirect:" + redirectUrl;
+        return url;
+    }
+
+    @GetMapping("url3")
+    public RedirectView bad3(String redirectUrl) {
+        RedirectView rv = new RedirectView(redirectUrl);
+        return rv;
+    }
+
+    @GetMapping("url4")
+    public ModelAndView bad4(String redirectUrl) {
+        return new ModelAndView("redirect:" + redirectUrl);
+    }
+
+    @GetMapping("url5")
+    public RedirectView good1(String redirectUrl) {
+        RedirectView rv = new RedirectView();
+        if (redirectUrl.startsWith(VALID_REDIRECT)){
+            rv.setUrl(redirectUrl);
+        }else {
+            rv.setUrl(VALID_REDIRECT);
+        }
+        return rv;
+    }
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qhelp b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qhelp
new file mode 100644
index 00000000000..6fe70dfb113
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qhelp
@@ -0,0 +1,37 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+
+<overview>
+<p>Directly incorporating user input into a URL redirect request without validating the input
+can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a
+malicious site that looks very similar to the real site they intend to visit, but which is
+controlled by the attacker.</p>
+
+</overview>
+<recommendation>
+
+<p>To guard against untrusted URL redirection, it is advisable to avoid putting user input
+directly into a redirect URL. Instead, maintain a list of authorized
+redirects on the server; then choose from that list based on the user input provided.</p>
+
+</recommendation>
+<example>
+
+<p>The following examples show the bad case and the good case respectively.
+In <code>bad1</code> method and <code>bad2</code> method and <code>bad3</code> method and 
+<code>bad4</code> method, shows an HTTP request parameter being used directly in a URL redirect 
+without validating the input, which facilitates phishing attacks. In <code>good1</code> method, 
+shows how to solve this problem by verifying whether the user input is a known fixed string beginning.
+</p>
+
+<sample src="SpringUrlRedirect.java" />
+
+</example>
+<references>
+<li>A Guide To Spring Redirects: <a href="https://www.baeldung.com/spring-redirect-and-forward">Spring Redirects</a>.</li>
+<li>Url redirection - attack and defense: <a href="https://www.virtuesecurity.com/kb/url-redirection-attack-and-defense/">Url Redirection</a>.</li>
+</references>
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
new file mode 100644
index 00000000000..138bce57ac9
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
@@ -0,0 +1,42 @@
+/**
+ * @name Spring url redirection from remote source
+ * @description Spring url redirection based on unvalidated user-input
+ *              may cause redirection to malicious web sites.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/spring-unvalidated-url-redirection
+ * @tags security
+ *       external/cwe-601
+ */
+
+import java
+import SpringUrlRedirect
+import semmle.code.java.dataflow.FlowSources
+import DataFlow::PathGraph
+
+class SpringUrlRedirectFlowConfig extends TaintTracking::Configuration {
+  SpringUrlRedirectFlowConfig() { this = "SpringUrlRedirectFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof SpringUrlRedirectSink }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof StartsWithSanitizer
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    // Exclude the case where the left side of the concatenated string is not `redirect:`.
+    // E.g: `String url = "/path?token=" + request.getParameter("token");`
+    exists(AddExpr ae |
+      ae.getRightOperand() = node.asExpr() and
+      not ae instanceof RedirectBuilderExpr
+    )
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, SpringUrlRedirectFlowConfig conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Potentially untrusted URL redirection due to $@.",
+  source.getNode(), "user-provided value"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll
new file mode 100644
index 00000000000..0ea88e84673
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll
@@ -0,0 +1,91 @@
+import java
+import DataFlow
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.DataFlow2
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.frameworks.spring.SpringController
+
+class StartsWithSanitizer extends DataFlow::BarrierGuard {
+  StartsWithSanitizer() {
+    this.(MethodAccess).getMethod().hasName("startsWith") and
+    this.(MethodAccess).getMethod().getDeclaringType() instanceof TypeString and
+    this.(MethodAccess).getMethod().getNumberOfParameters() = 1
+  }
+
+  override predicate checks(Expr e, boolean branch) {
+    e = this.(MethodAccess).getQualifier() and branch = true
+  }
+}
+
+/**
+ * A concatenate expression using the string `redirect:` on the left.
+ *
+ * E.g: `"redirect:" + redirectUrl`
+ */
+class RedirectBuilderExpr extends AddExpr {
+  RedirectBuilderExpr() {
+    this.getLeftOperand().(CompileTimeConstantExpr).getStringValue() = "redirect:"
+  }
+}
+
+/** A URL redirection sink from spring controller method. */
+class SpringUrlRedirectSink extends DataFlow::Node {
+  SpringUrlRedirectSink() {
+    exists(RedirectBuilderExpr rbe | rbe.getRightOperand() = this.asExpr())
+    or
+    exists(MethodAccess ma |
+      ma.getMethod().hasName("setUrl") and
+      ma.getMethod()
+          .getDeclaringType()
+          .hasQualifiedName("org.springframework.web.servlet.view", "AbstractUrlBasedView") and
+      ma.getArgument(0) = this.asExpr() and
+      exists(RedirectViewFlowConfig rvfc | rvfc.hasFlowToExpr(ma.getQualifier()))
+    )
+    or
+    exists(ClassInstanceExpr cie |
+      cie.getConstructedType()
+          .hasQualifiedName("org.springframework.web.servlet.view", "RedirectView") and
+      cie.getArgument(0) = this.asExpr()
+    )
+    or
+    exists(ClassInstanceExpr cie |
+      cie.getConstructedType().hasQualifiedName("org.springframework.web.servlet", "ModelAndView") and
+      cie.getArgument(0) = this.asExpr() and
+      exists(RedirectBuilderFlowConfig rstrbfc | rstrbfc.hasFlowToExpr(cie.getArgument(0)))
+    )
+  }
+}
+
+/** A data flow configuration tracing flow from remote sources to redirect builder expression. */
+private class RedirectBuilderFlowConfig extends DataFlow2::Configuration {
+  RedirectBuilderFlowConfig() { this = "RedirectBuilderFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(RedirectBuilderExpr rbe | rbe.getRightOperand() = sink.asExpr())
+  }
+}
+
+/** A data flow configuration tracing flow from RedirectView object to calling setUrl method. */
+private class RedirectViewFlowConfig extends DataFlow2::Configuration {
+  RedirectViewFlowConfig() { this = "RedirectViewFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) {
+    exists(ClassInstanceExpr cie |
+      cie.getConstructedType()
+          .hasQualifiedName("org.springframework.web.servlet.view", "RedirectView") and
+      cie = src.asExpr()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma |
+      ma.getMethod().hasName("setUrl") and
+      ma.getMethod()
+          .getDeclaringType()
+          .hasQualifiedName("org.springframework.web.servlet.view", "AbstractUrlBasedView") and
+      ma.getQualifier() = sink.asExpr()
+    )
+  }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected
new file mode 100644
index 00000000000..fee0598bbee
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected
@@ -0,0 +1,19 @@
+edges
+| SpringUrlRedirect.java:13:30:13:47 | redirectUrl : String | SpringUrlRedirect.java:15:19:15:29 | redirectUrl |
+| SpringUrlRedirect.java:20:24:20:41 | redirectUrl : String | SpringUrlRedirect.java:21:36:21:46 | redirectUrl |
+| SpringUrlRedirect.java:26:30:26:47 | redirectUrl : String | SpringUrlRedirect.java:27:44:27:54 | redirectUrl |
+| SpringUrlRedirect.java:32:30:32:47 | redirectUrl : String | SpringUrlRedirect.java:33:47:33:57 | redirectUrl |
+nodes
+| SpringUrlRedirect.java:13:30:13:47 | redirectUrl : String | semmle.label | redirectUrl : String |
+| SpringUrlRedirect.java:15:19:15:29 | redirectUrl | semmle.label | redirectUrl |
+| SpringUrlRedirect.java:20:24:20:41 | redirectUrl : String | semmle.label | redirectUrl : String |
+| SpringUrlRedirect.java:21:36:21:46 | redirectUrl | semmle.label | redirectUrl |
+| SpringUrlRedirect.java:26:30:26:47 | redirectUrl : String | semmle.label | redirectUrl : String |
+| SpringUrlRedirect.java:27:44:27:54 | redirectUrl | semmle.label | redirectUrl |
+| SpringUrlRedirect.java:32:30:32:47 | redirectUrl : String | semmle.label | redirectUrl : String |
+| SpringUrlRedirect.java:33:47:33:57 | redirectUrl | semmle.label | redirectUrl |
+#select
+| SpringUrlRedirect.java:15:19:15:29 | redirectUrl | SpringUrlRedirect.java:13:30:13:47 | redirectUrl : String | SpringUrlRedirect.java:15:19:15:29 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:13:30:13:47 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:21:36:21:46 | redirectUrl | SpringUrlRedirect.java:20:24:20:41 | redirectUrl : String | SpringUrlRedirect.java:21:36:21:46 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:20:24:20:41 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:27:44:27:54 | redirectUrl | SpringUrlRedirect.java:26:30:26:47 | redirectUrl : String | SpringUrlRedirect.java:27:44:27:54 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:26:30:26:47 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:33:47:33:57 | redirectUrl | SpringUrlRedirect.java:32:30:32:47 | redirectUrl : String | SpringUrlRedirect.java:33:47:33:57 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:32:30:32:47 | redirectUrl | user-provided value |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.java b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.java
new file mode 100644
index 00000000000..1438b0a63a1
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.java
@@ -0,0 +1,52 @@
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.servlet.ModelAndView;
+import org.springframework.web.servlet.view.RedirectView;
+
+@Controller
+public class SpringUrlRedirect {
+
+    private final static String VALID_REDIRECT = "http://127.0.0.1";
+
+    @GetMapping("url1")
+    public RedirectView bad1(String redirectUrl, HttpServletResponse response) throws Exception {
+        RedirectView rv = new RedirectView();
+        rv.setUrl(redirectUrl);
+        return rv;
+    }
+
+    @GetMapping("url2")
+    public String bad2(String redirectUrl) {
+        String url = "redirect:" + redirectUrl;
+        return url;
+    }
+
+    @GetMapping("url3")
+    public RedirectView bad3(String redirectUrl) {
+        RedirectView rv = new RedirectView(redirectUrl);
+        return rv;
+    }
+
+    @GetMapping("url4")
+    public ModelAndView bad4(String redirectUrl) {
+        return new ModelAndView("redirect:" + redirectUrl);
+    }
+
+    @GetMapping("url5")
+    public RedirectView good1(String redirectUrl) {
+        RedirectView rv = new RedirectView();
+        if (redirectUrl.startsWith(VALID_REDIRECT)){
+            rv.setUrl(redirectUrl);
+        }else {
+            rv.setUrl(VALID_REDIRECT);
+        }
+        return rv;
+    }
+
+    @GetMapping("url6")
+    public ModelAndView good2(String token) {
+        String url = "/edit?token=" + token;
+        return new ModelAndView("redirect:" + url);
+    }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.qlref b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.qlref
new file mode 100644
index 00000000000..418be1d307b
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-601/options b/java/ql/test/experimental/query-tests/security/CWE-601/options
new file mode 100644
index 00000000000..a9289108747
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-601/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.2.3/
\ No newline at end of file
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/servlet/ModelAndView.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/servlet/ModelAndView.java
new file mode 100644
index 00000000000..53e337d5053
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/servlet/ModelAndView.java
@@ -0,0 +1,107 @@
+package org.springframework.web.servlet;
+
+import java.util.Map;
+import org.springframework.http.HttpStatus;
+import org.springframework.lang.Nullable;
+
+public class ModelAndView {
+    @Nullable
+    private Object view;
+    @Nullable
+    private HttpStatus status;
+    private boolean cleared = false;
+
+    public ModelAndView() {
+    }
+
+    public ModelAndView(String viewName) {
+        this.view = viewName;
+    }
+
+    public ModelAndView(View view) {
+        this.view = view;
+    }
+
+    public ModelAndView(String viewName, @Nullable Map<String, ?> model) { }
+
+    public ModelAndView(View view, @Nullable Map<String, ?> model) { }
+
+    public ModelAndView(String viewName, HttpStatus status) { }
+
+    public ModelAndView(@Nullable String viewName, @Nullable Map<String, ?> model, @Nullable HttpStatus status) { }
+
+    public ModelAndView(String viewName, String modelName, Object modelObject) { }
+
+    public ModelAndView(View view, String modelName, Object modelObject) { }
+
+    public void setViewName(@Nullable String viewName) {
+        this.view = viewName;
+    }
+
+    @Nullable
+    public String getViewName() {
+        return "";
+    }
+
+    public void setView(@Nullable View view) { }
+
+    @Nullable
+    public View getView() {
+        return null;
+    }
+
+    public boolean hasView() {
+        return true;
+    }
+
+    public boolean isReference() {
+        return true;
+    }
+
+    @Nullable
+    protected Map<String, Object> getModelInternal() {
+        return null;
+    }
+
+    public Map<String, Object> getModel() {
+        return null;
+    }
+
+    public void setStatus(@Nullable HttpStatus status) { }
+
+    @Nullable
+    public HttpStatus getStatus() {
+        return this.status;
+    }
+
+    public ModelAndView addObject(String attributeName, @Nullable Object attributeValue) {
+        return null;
+    }
+
+    public ModelAndView addObject(Object attributeValue) {
+        return null;
+    }
+
+    public ModelAndView addAllObjects(@Nullable Map<String, ?> modelMap) {
+        return null;
+    }
+
+    public void clear() { }
+
+    public boolean isEmpty() {
+        return true;
+    }
+
+    public boolean wasCleared() {
+        return true;
+    }
+
+    public String toString() {
+        return "";
+    }
+
+    private String formatView() {
+        return "";
+    }
+}
+
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/servlet/View.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/servlet/View.java
new file mode 100644
index 00000000000..b2281b8c250
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/servlet/View.java
@@ -0,0 +1,20 @@
+package org.springframework.web.servlet;
+
+import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.lang.Nullable;
+
+public interface View {
+    String RESPONSE_STATUS_ATTRIBUTE = View.class.getName() + ".responseStatus";
+    String PATH_VARIABLES = View.class.getName() + ".pathVariables";
+    String SELECTED_CONTENT_TYPE = View.class.getName() + ".selectedContentType";
+
+    @Nullable
+    default String getContentType() {
+        return null;
+    }
+
+    void render(@Nullable Map<String, ?> var1, HttpServletRequest var2, HttpServletResponse var3) throws Exception;
+}
+
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/servlet/view/AbstractUrlBasedView.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/servlet/view/AbstractUrlBasedView.java
new file mode 100644
index 00000000000..9efd87af12f
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/servlet/view/AbstractUrlBasedView.java
@@ -0,0 +1,39 @@
+package org.springframework.web.servlet.view;
+
+import java.util.Locale;
+import org.springframework.lang.Nullable;
+
+public abstract class AbstractUrlBasedView {
+    @Nullable
+    private String url;
+
+    protected AbstractUrlBasedView() { }
+
+    protected AbstractUrlBasedView(String url) {
+        this.url = url;
+    }
+
+    public void setUrl(@Nullable String url) {
+        this.url = url;
+    }
+
+    @Nullable
+    public String getUrl() {
+        return "";
+    }
+
+    public void afterPropertiesSet() throws Exception { }
+
+    protected boolean isUrlRequired() {
+        return true;
+    }
+
+    public boolean checkResource(Locale locale) throws Exception {
+        return true;
+    }
+
+    public String toString() {
+        return "";
+    }
+}
+
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/servlet/view/RedirectView.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/servlet/view/RedirectView.java
new file mode 100644
index 00000000000..ee18868231a
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/web/servlet/view/RedirectView.java
@@ -0,0 +1,129 @@
+package org.springframework.web.servlet.view;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.lang.reflect.Array;
+import java.net.URLEncoder;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.http.HttpStatus;
+import org.springframework.lang.Nullable;
+
+public class RedirectView extends AbstractUrlBasedView {
+    private static final Pattern URI_TEMPLATE_VARIABLE_PATTERN = Pattern.compile("\\{([^/]+?)\\}");
+    private boolean contextRelative = false;
+    private boolean http10Compatible = true;
+    private boolean exposeModelAttributes = true;
+    @Nullable
+    private String encodingScheme;
+    @Nullable
+    private HttpStatus statusCode;
+    private boolean expandUriTemplateVariables = true;
+    private boolean propagateQueryParams = false;
+    @Nullable
+    private String[] hosts;
+
+    public RedirectView() { }
+
+    public RedirectView(String url) { }
+
+    public RedirectView(String url, boolean contextRelative) { }
+
+    public RedirectView(String url, boolean contextRelative, boolean http10Compatible) { }
+
+    public RedirectView(String url, boolean contextRelative, boolean http10Compatible, boolean exposeModelAttributes) { }
+
+    public void setContextRelative(boolean contextRelative) { }
+
+    public void setHttp10Compatible(boolean http10Compatible) { }
+
+    public void setExposeModelAttributes(boolean exposeModelAttributes) { }
+
+    public void setEncodingScheme(String encodingScheme) { }
+
+    public void setStatusCode(HttpStatus statusCode) { }
+
+    public void setExpandUriTemplateVariables(boolean expandUriTemplateVariables) { }
+
+    public void setPropagateQueryParams(boolean propagateQueryParams) { }
+
+    public boolean isPropagateQueryProperties() {
+        return true;
+    }
+
+    public void setHosts(@Nullable String... hosts) { }
+
+    @Nullable
+    public String[] getHosts() {
+        return this.hosts;
+    }
+
+    public boolean isRedirectView() {
+        return true;
+    }
+
+    protected boolean isContextRequired() {
+        return false;
+    }
+
+    protected void renderMergedOutputModel(Map<String, Object> model, HttpServletRequest request, HttpServletResponse response) throws IOException { }
+
+    protected final String createTargetUrl(Map<String, Object> model, HttpServletRequest request) throws UnsupportedEncodingException {
+        return "";
+    }
+
+    private String getContextPath(HttpServletRequest request) {
+        return "";
+    }
+
+    protected StringBuilder replaceUriTemplateVariables(String targetUrl, Map<String, Object> model, Map<String, String> currentUriVariables, String encodingScheme) throws UnsupportedEncodingException {
+        return null;
+    }
+
+    private Map<String, String> getCurrentRequestUriVariables(HttpServletRequest request) {
+        return null;
+    }
+
+    protected void appendCurrentQueryParams(StringBuilder targetUrl, HttpServletRequest request) { }
+
+    protected void appendQueryProperties(StringBuilder targetUrl, Map<String, Object> model, String encodingScheme) throws UnsupportedEncodingException { }
+
+    protected Map<String, Object> queryProperties(Map<String, Object> model) {
+        return null;
+    }
+
+    protected boolean isEligibleProperty(String key, @Nullable Object value) {
+        return true;
+    }
+
+    protected boolean isEligibleValue(@Nullable Object value) {
+        return true;
+    }
+
+    protected String urlEncode(String input, String encodingScheme) throws UnsupportedEncodingException {
+        return "";
+    }
+
+    protected String updateTargetUrl(String targetUrl, Map<String, Object> model, HttpServletRequest request, HttpServletResponse response) {
+        return "";
+    }
+
+    protected void sendRedirect(HttpServletRequest request, HttpServletResponse response, String targetUrl, boolean http10Compatible) throws IOException { }
+
+    protected boolean isRemoteHost(String targetUrl) {
+        return true;
+    }
+
+    protected HttpStatus getHttp11StatusCode(HttpServletRequest request, HttpServletResponse response, String targetUrl) {
+        return this.statusCode;
+    }
+}
+

From 40cf29b62521ada08c8dbfeffa28027c1f283045 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 13 May 2021 08:38:58 +0100
Subject: [PATCH 1030/1429] C++: Rearrange the library.

---
 .../Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql  |  4 ++--
 cpp/ql/src/semmle/code/cpp/security/Encryption.qll | 14 +++++++++++---
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index 3015528114d..f1195a43736 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -18,7 +18,7 @@ abstract class InsecureCryptoSpec extends Locatable {
 }
 
 Function getAnInsecureFunction() {
-  result.getName().regexpMatch(getInsecureAlgorithmRegex()) and
+  isInsecureEncryption(result.getName()) and
   exists(result.getACallToThisFunction())
 }
 
@@ -36,7 +36,7 @@ class InsecureFunctionCall extends InsecureCryptoSpec, FunctionCall {
 }
 
 Macro getAnInsecureMacro() {
-  result.getName().regexpMatch(getInsecureAlgorithmRegex()) and
+  isInsecureEncryption(result.getName()) and
   exists(result.getAnInvocation())
 }
 
diff --git a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
index 24c69f93758..22ca62372fe 100644
--- a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
@@ -14,6 +14,13 @@ string getAnInsecureAlgorithmName() {
     ]
 }
 
+/**
+ * Gets the name of an algorithm that is known to be secure.
+ */
+string getASecureAlgorithmName() {
+  result = ["RSA", "SHA256", "CCM", "GCM", "AES", "Blowfish", "ECIES"]
+}
+
 /**
  * Gets the name of a hash algorithm that is insecure if it is being used for
  * encryption (but it is hard to know when that is happening).
@@ -39,10 +46,11 @@ string getInsecureAlgorithmRegex() {
 }
 
 /**
- * Gets the name of an algorithm that is known to be secure.
+ * Holds if `name` looks like it might be related to operations with an
+ * insecure encyption algorithm.
  */
-string getASecureAlgorithmName() {
-  result = ["RSA", "SHA256", "CCM", "GCM", "AES", "Blowfish", "ECIES"]
+bindingset[name] predicate isInsecureEncryption(string name) {
+  name.regexpMatch(getInsecureAlgorithmRegex())
 }
 
 /**

From 02e415045f04957a33049907bd3256ce84ad7378 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Thu, 13 May 2021 15:48:15 +0800
Subject: [PATCH 1031/1429] Delete RedirectBuilderFlowConfig

---
 .../Security/CWE/CWE-601/SpringUrlRedirect.qll      | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll
index 0ea88e84673..1ab5f3cd0b1 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll
@@ -51,22 +51,11 @@ class SpringUrlRedirectSink extends DataFlow::Node {
     exists(ClassInstanceExpr cie |
       cie.getConstructedType().hasQualifiedName("org.springframework.web.servlet", "ModelAndView") and
       cie.getArgument(0) = this.asExpr() and
-      exists(RedirectBuilderFlowConfig rstrbfc | rstrbfc.hasFlowToExpr(cie.getArgument(0)))
+      exists(RedirectBuilderExpr rbe | rbe.getRightOperand() = this.asExpr())
     )
   }
 }
 
-/** A data flow configuration tracing flow from remote sources to redirect builder expression. */
-private class RedirectBuilderFlowConfig extends DataFlow2::Configuration {
-  RedirectBuilderFlowConfig() { this = "RedirectBuilderFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(RedirectBuilderExpr rbe | rbe.getRightOperand() = sink.asExpr())
-  }
-}
-
 /** A data flow configuration tracing flow from RedirectView object to calling setUrl method. */
 private class RedirectViewFlowConfig extends DataFlow2::Configuration {
   RedirectViewFlowConfig() { this = "RedirectViewFlowConfig" }

From 123889a6716c16aee3febcbf820348f0c92c2e2d Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 13 May 2021 09:15:58 +0100
Subject: [PATCH 1032/1429] C++: Fix 'triple DES' false positives.

---
 cpp/ql/src/semmle/code/cpp/security/Encryption.qll    | 11 +++++++++--
 .../CWE/CWE-327/BrokenCryptoAlgorithm.expected        |  2 --
 cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp |  4 ++--
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
index 22ca62372fe..d2261df6bc8 100644
--- a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
@@ -30,6 +30,9 @@ string getAnInsecureHashAlgorithmName() { result = ["SHA1", "MD5"] }
 /**
  * Gets the regular expression used for matching strings that look like they
  * contain an algorithm that is known to be insecure.
+ *
+ * Consider using `isInsecureEncryption` rather than accessing this regular
+ * expression directly.
  */
 string getInsecureAlgorithmRegex() {
   result =
@@ -49,8 +52,12 @@ string getInsecureAlgorithmRegex() {
  * Holds if `name` looks like it might be related to operations with an
  * insecure encyption algorithm.
  */
-bindingset[name] predicate isInsecureEncryption(string name) {
-  name.regexpMatch(getInsecureAlgorithmRegex())
+bindingset[name]
+predicate isInsecureEncryption(string name) {
+  name.regexpMatch(getInsecureAlgorithmRegex()) and
+  // Check for evidence that an otherwise matching name may in fact not be
+  // related to insecure encrpytion, e.g. "Triple-DES" is not "DES".
+  not name.toUpperCase().regexpMatch(".*TRIPLE.*")
 }
 
 /**
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
index 8b17f1a83b7..53e9054a507 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
@@ -5,7 +5,6 @@
 | test2.cpp:182:38:182:45 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:39:2:39:31 | ENCRYPT_WITH_RC2(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:42:2:42:38 | ENCRYPT_WITH_TRIPLE_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:51:2:51:32 | DES_DO_ENCRYPTION(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:52:2:52:31 | RUN_DES_ENCODING(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:53:2:53:25 | DES_ENCODE(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
@@ -14,6 +13,5 @@
 | test.cpp:59:12:59:25 | SORT_ORDER_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:88:2:88:11 | call to encryptDES | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:89:2:89:11 | call to encryptRC2 | This function call specifies a broken or weak cryptographic algorithm. |
-| test.cpp:92:2:92:17 | call to encryptTripleDES | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:101:2:101:15 | call to do_des_encrypt | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:102:2:102:12 | call to DES_Set_Key | This function call specifies a broken or weak cryptographic algorithm. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
index 2fbd9ae73d5..8d16e5ed98e 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
@@ -39,7 +39,7 @@ void test_macros(void *data, size_t amount, const char *str)
 	ENCRYPT_WITH_RC2(data, amount); // BAD
 	ENCRYPT_WITH_AES(data, amount); // GOOD (good algorithm)
 	ENCRYPT_WITH_3DES(data, amount); // GOOD (good enough algorithm)
-	ENCRYPT_WITH_TRIPLE_DES(data, amount); // GOOD (good enough algorithm) [FALSE POSITIVE]
+	ENCRYPT_WITH_TRIPLE_DES(data, amount); // GOOD (good enough algorithm)
 	ENCRYPT_WITH_RC20(data, amount); // GOOD (if there ever is an RC20 algorithm, we have no reason to believe it's weak)
 	ENCRYPT_WITH_DES_REMOVED(data, amount); // GOOD (implementation has been deleted)
 
@@ -89,7 +89,7 @@ void test_functions(void *data, size_t amount, const char *str)
 	encryptRC2(data, amount); // BAD
 	encryptAES(data, amount); // GOOD (good algorithm)
 	encrypt3DES(data, amount); // GOOD (good enough algorithm)
-	encryptTripleDES(data, amount); // GOOD (good enough algorithm) [FALSE POSITIVE]
+	encryptTripleDES(data, amount); // GOOD (good enough algorithm)
 
 	DESEncrypt(data, amount); // BAD
 	RC2Encrypt(data, amount); // BAD

From e4d2c7cfc423ebd263bbc767c4ca829eb002b982 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 13 May 2021 10:04:57 +0100
Subject: [PATCH 1033/1429] C++: Rewrite so that we look for additional
 evidence.

---
 .../CWE/CWE-327/BrokenCryptoAlgorithm.ql      | 94 +++++++++++--------
 .../semmle/code/cpp/security/Encryption.qll   | 11 +++
 .../CWE-327/BrokenCryptoAlgorithm.expected    | 20 ++--
 .../query-tests/Security/CWE/CWE-327/test.cpp |  4 +-
 4 files changed, 79 insertions(+), 50 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index f1195a43736..1b72331a6cc 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -13,52 +13,72 @@
 import cpp
 import semmle.code.cpp.security.Encryption
 
-abstract class InsecureCryptoSpec extends Locatable {
-  abstract string description();
-}
-
-Function getAnInsecureFunction() {
-  isInsecureEncryption(result.getName()) and
+/**
+ * A function which may relate to an insecure encryption algorithm.
+ */
+Function getAnInsecureEncryptionFunction() {
+  (
+    isInsecureEncryption(result.getName()) or
+    isInsecureEncryption(result.getAParameter().getName())
+  ) and
   exists(result.getACallToThisFunction())
 }
 
-class InsecureFunctionCall extends InsecureCryptoSpec, FunctionCall {
-  InsecureFunctionCall() {
-    // the function name suggests it relates to an insecure crypto algorithm.
-    this.getTarget() = getAnInsecureFunction()
-  }
-
-  override string description() { result = "function call" }
-
-  override string toString() { result = FunctionCall.super.toString() }
-
-  override Location getLocation() { result = FunctionCall.super.getLocation() }
+/**
+ * A function with additional evidence it is related to encryption.
+ */
+Function getAdditionalEvidenceFunction() {
+  (
+    isEncryptionAdditionalEvidence(result.getName()) or
+    isEncryptionAdditionalEvidence(result.getAParameter().getName())
+  ) and
+  exists(result.getACallToThisFunction())
 }
 
-Macro getAnInsecureMacro() {
+/**
+ * A macro which may relate to an insecure encryption algorithm.
+ */
+Macro getAnInsecureEncryptionMacro() {
   isInsecureEncryption(result.getName()) and
   exists(result.getAnInvocation())
 }
 
-class InsecureMacroSpec extends InsecureCryptoSpec, MacroInvocation {
-  InsecureMacroSpec() {
-    // the macro name suggests it relates to an insecure crypto algorithm.
-    this.getMacro() = getAnInsecureMacro() and
-    // the macro invocation generates something.
-    exists(this.getAGeneratedElement().(ControlFlowNode)) and
-    // exclude expressions controlling ifs/switches (as they may not be used).
-    not any(IfStmt c).getCondition().getAChild*() = this.getAGeneratedElement() and
-    not any(SwitchCase c).getExpr().getAChild*() = this.getAGeneratedElement() and
-    // exclude expressions in array initializers (as they may not be used).
-    not any(AggregateLiteral i).getAChild*() = this.getAGeneratedElement() 
-  }
-
-  override string description() { result = "macro invocation" }
-
-  override string toString() { result = MacroInvocation.super.toString() }
-
-  override Location getLocation() { result = MacroInvocation.super.getLocation() }
+/**
+ * A macro with additional evidence it is related to encryption.
+ */
+Macro getAdditionalEvidenceMacro() {
+  isEncryptionAdditionalEvidence(result.getName()) and
+  exists(result.getAnInvocation())
 }
 
-from InsecureCryptoSpec c
+/**
+ * A function call we have a high confidence is related to use of an insecure
+ * encryption algorithm.
+ */
+class InsecureFunctionCall extends FunctionCall {
+  InsecureFunctionCall() {
+    // find use of an insecure algorithm name
+    (
+      getTarget() = getAnInsecureEncryptionFunction()
+      or
+      exists(MacroInvocation mi |
+        mi.getAGeneratedElement() = this.getAChild*() and
+        mi.getMacro() = getAnInsecureEncryptionMacro()
+      )
+    ) and
+    // find additional evidence that this function is related to encryption.
+    (
+      getTarget() = getAdditionalEvidenceFunction()
+      or
+      exists(MacroInvocation mi |
+        mi.getAGeneratedElement() = this.getAChild*() and
+        mi.getMacro() = getAdditionalEvidenceMacro()
+      )
+    )
+  }
+
+  string description() { result = "function call" }
+}
+
+from InsecureFunctionCall c
 select c, "This " + c.description() + " specifies a broken or weak cryptographic algorithm."
diff --git a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
index d2261df6bc8..692b6ebeae9 100644
--- a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
@@ -60,6 +60,17 @@ predicate isInsecureEncryption(string name) {
   not name.toUpperCase().regexpMatch(".*TRIPLE.*")
 }
 
+ /**
+ * Holds if there is additional evidence that `name` looks like it might be
+ * related to operations with an encyption algorithm, besides the name of a
+ * specific algorithm. This can be used in conjuction with
+ * `isInsecureEncryption` to produce a stronger heuristic.
+ */
+bindingset[name]
+predicate isEncryptionAdditionalEvidence(string name) {
+  name.toUpperCase().regexpMatch(".*(CRYPT|CODE|CODING|CBC|KEY).*")
+}
+
 /**
  * Gets a regular expression for matching strings that look like they
  * contain an algorithm that is known to be secure.
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
index 53e9054a507..cf31479a533 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
@@ -1,16 +1,14 @@
 | test2.cpp:49:4:49:24 | call to my_des_implementation | This function call specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:62:33:62:40 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:62:2:62:12 | call to encrypt_bad | This function call specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:124:4:124:24 | call to my_des_implementation | This function call specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:172:28:172:35 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:182:38:182:45 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:39:2:39:31 | ENCRYPT_WITH_RC2(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:51:2:51:32 | DES_DO_ENCRYPTION(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:52:2:52:31 | RUN_DES_ENCODING(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:53:2:53:25 | DES_ENCODE(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:54:2:54:26 | DES_SET_KEY(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:56:2:56:9 | DES(str) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:59:12:59:25 | SORT_ORDER_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:172:2:172:26 | call to set_encryption_algorithm1 | This function call specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:182:2:182:17 | call to encryption_with1 | This function call specifies a broken or weak cryptographic algorithm. |
+| test.cpp:38:2:38:31 | call to my_implementation1 | This function call specifies a broken or weak cryptographic algorithm. |
+| test.cpp:39:2:39:31 | call to my_implementation2 | This function call specifies a broken or weak cryptographic algorithm. |
+| test.cpp:51:2:51:32 | call to my_implementation1 | This function call specifies a broken or weak cryptographic algorithm. |
+| test.cpp:52:2:52:31 | call to my_implementation1 | This function call specifies a broken or weak cryptographic algorithm. |
+| test.cpp:53:2:53:25 | call to my_implementation1 | This function call specifies a broken or weak cryptographic algorithm. |
+| test.cpp:54:2:54:26 | call to my_implementation1 | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:88:2:88:11 | call to encryptDES | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:89:2:89:11 | call to encryptRC2 | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:101:2:101:15 | call to do_des_encrypt | This function call specifies a broken or weak cryptographic algorithm. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
index 8d16e5ed98e..ede8f19b761 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
@@ -53,10 +53,10 @@ void test_macros(void *data, size_t amount, const char *str)
 	DES_ENCODE(data, amount); // BAD
 	DES_SET_KEY(data, amount); // BAD
 
-	DES(str); // GOOD (probably nothing to do with encryption) [FALSE POSITIVE]
+	DES(str); // GOOD (probably nothing to do with encryption)
 	DESMOND(str); // GOOD (probably nothing to do with encryption)
 	ANODES(str); // GOOD (probably nothing to do with encryption)
-	int ord = SORT_ORDER_DES; // GOOD (probably nothing to do with encryption) [FALSE POSITIVE]
+	int ord = SORT_ORDER_DES; // GOOD (probably nothing to do with encryption)
 }
 
 // --- simple encryption function calls ---

From 5d1ef49f8feb2fd17ee6adb4dd3ea81c9e9d81e0 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 13 May 2021 15:42:42 +0100
Subject: [PATCH 1034/1429] C++: Add support for enum constants.

---
 .../CWE/CWE-327/BrokenCryptoAlgorithm.ql      | 24 +++++++++++++++++++
 .../CWE-327/BrokenCryptoAlgorithm.expected    |  3 +++
 .../Security/CWE/CWE-327/test2.cpp            |  6 ++---
 3 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index 1b72331a6cc..b7a34ff8f97 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -51,6 +51,20 @@ Macro getAdditionalEvidenceMacro() {
   exists(result.getAnInvocation())
 }
 
+/**
+ * An enum constant which may relate to an insecure encryption algorithm.
+ */
+EnumConstant getAnInsecureEncryptionEnumConst() {
+  isInsecureEncryption(result.getName())
+}
+
+/**
+ * An enum constant with additional evidence it is related to encryption.
+ */
+EnumConstant getAdditionalEvidenceEnumConst() {
+  isEncryptionAdditionalEvidence(result.getName())
+}
+
 /**
  * A function call we have a high confidence is related to use of an insecure
  * encryption algorithm.
@@ -65,6 +79,11 @@ class InsecureFunctionCall extends FunctionCall {
         mi.getAGeneratedElement() = this.getAChild*() and
         mi.getMacro() = getAnInsecureEncryptionMacro()
       )
+      or
+      exists(EnumConstantAccess ec |
+        ec = this.getAChild*() and
+        ec.getTarget() = getAnInsecureEncryptionEnumConst()
+      )
     ) and
     // find additional evidence that this function is related to encryption.
     (
@@ -74,6 +93,11 @@ class InsecureFunctionCall extends FunctionCall {
         mi.getAGeneratedElement() = this.getAChild*() and
         mi.getMacro() = getAdditionalEvidenceMacro()
       )
+      or
+      exists(EnumConstantAccess ec |
+        ec = this.getAChild*() and
+        ec.getTarget() = getAdditionalEvidenceEnumConst()
+      )
     )
   }
 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
index cf31479a533..1b85eae2d4c 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
@@ -1,8 +1,11 @@
 | test2.cpp:49:4:49:24 | call to my_des_implementation | This function call specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:62:2:62:12 | call to encrypt_bad | This function call specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:124:4:124:24 | call to my_des_implementation | This function call specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:144:22:144:30 | call to MyBadEncryptor | This function call specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:172:2:172:26 | call to set_encryption_algorithm1 | This function call specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:175:2:175:26 | call to set_encryption_algorithm2 | This function call specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:182:2:182:17 | call to encryption_with1 | This function call specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:185:2:185:17 | call to encryption_with2 | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:38:2:38:31 | call to my_implementation1 | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:39:2:39:31 | call to my_implementation2 | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:51:2:51:32 | call to my_implementation1 | This function call specifies a broken or weak cryptographic algorithm. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
index 622db3aff0e..def7e0ae808 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
@@ -141,7 +141,7 @@ void do_class_encrypts(char *data, size_t amount, keytype key)
 	}
 
 	{
-		MyBadEncryptor mbe(key, DES); // BAD [NOT DETECTED]
+		MyBadEncryptor mbe(key, DES); // BAD
 
 		mbe.encrypt(data, amount);
 	}
@@ -172,7 +172,7 @@ void do_unseen_encrypts(char *data, size_t amount, keytype key)
 	set_encryption_algorithm1(ALGO_DES); // BAD
 	set_encryption_algorithm1(ALGO_AES); // GOOD
 
-	set_encryption_algorithm2(USE_DES); // BAD [NOT DETECTED]
+	set_encryption_algorithm2(USE_DES); // BAD
 	set_encryption_algorithm2(USE_AES); // GOOD
 
 	set_encryption_algorithm3("DES"); // BAD [NOT DETECTED]
@@ -182,7 +182,7 @@ void do_unseen_encrypts(char *data, size_t amount, keytype key)
 	encryption_with1(data, amount, key, ALGO_DES); // BAD
 	encryption_with1(data, amount, key, ALGO_AES); // GOOD
 
-	encryption_with2(data, amount, key, USE_DES); // BAD [NOT DETECTED]
+	encryption_with2(data, amount, key, USE_DES); // BAD
 	encryption_with2(data, amount, key, USE_AES); // GOOD
 
 	encryption_with3(data, amount, key, "DES"); // BAD [NOT DETECTED]

From 2576075b989c05b91b37ef8798052fd944dffb19 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 13 May 2021 15:52:28 +0100
Subject: [PATCH 1035/1429] C++: Repair result message.

---
 .../CWE/CWE-327/BrokenCryptoAlgorithm.ql      | 25 +++++++++++++++----
 .../CWE-327/BrokenCryptoAlgorithm.expected    | 24 +++++++++---------
 2 files changed, 32 insertions(+), 17 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index b7a34ff8f97..e96a803d7c0 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -70,19 +70,28 @@ EnumConstant getAdditionalEvidenceEnumConst() {
  * encryption algorithm.
  */
 class InsecureFunctionCall extends FunctionCall {
+  Element blame;
+  string explain;
+
   InsecureFunctionCall() {
     // find use of an insecure algorithm name
     (
-      getTarget() = getAnInsecureEncryptionFunction()
+      getTarget() = getAnInsecureEncryptionFunction() and
+      blame = this and
+      explain = "function call"
       or
       exists(MacroInvocation mi |
         mi.getAGeneratedElement() = this.getAChild*() and
-        mi.getMacro() = getAnInsecureEncryptionMacro()
+        mi.getMacro() = getAnInsecureEncryptionMacro() and
+        blame = mi and
+        explain = "macro invocation"
       )
       or
       exists(EnumConstantAccess ec |
         ec = this.getAChild*() and
-        ec.getTarget() = getAnInsecureEncryptionEnumConst()
+        ec.getTarget() = getAnInsecureEncryptionEnumConst() and
+        blame = ec and
+        explain = "enum constant access"
       )
     ) and
     // find additional evidence that this function is related to encryption.
@@ -101,8 +110,14 @@ class InsecureFunctionCall extends FunctionCall {
     )
   }
 
-  string description() { result = "function call" }
+  Element getBlame() {
+    result = blame
+  }
+
+  string getDescription() {
+     result = explain
+  }
 }
 
 from InsecureFunctionCall c
-select c, "This " + c.description() + " specifies a broken or weak cryptographic algorithm."
+select c.getBlame(), "This " + c.getDescription() + " specifies a broken or weak cryptographic algorithm."
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
index 1b85eae2d4c..197472977b4 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
@@ -1,17 +1,17 @@
 | test2.cpp:49:4:49:24 | call to my_des_implementation | This function call specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:62:2:62:12 | call to encrypt_bad | This function call specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:62:33:62:40 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:124:4:124:24 | call to my_des_implementation | This function call specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:144:22:144:30 | call to MyBadEncryptor | This function call specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:172:2:172:26 | call to set_encryption_algorithm1 | This function call specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:175:2:175:26 | call to set_encryption_algorithm2 | This function call specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:182:2:182:17 | call to encryption_with1 | This function call specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:185:2:185:17 | call to encryption_with2 | This function call specifies a broken or weak cryptographic algorithm. |
-| test.cpp:38:2:38:31 | call to my_implementation1 | This function call specifies a broken or weak cryptographic algorithm. |
-| test.cpp:39:2:39:31 | call to my_implementation2 | This function call specifies a broken or weak cryptographic algorithm. |
-| test.cpp:51:2:51:32 | call to my_implementation1 | This function call specifies a broken or weak cryptographic algorithm. |
-| test.cpp:52:2:52:31 | call to my_implementation1 | This function call specifies a broken or weak cryptographic algorithm. |
-| test.cpp:53:2:53:25 | call to my_implementation1 | This function call specifies a broken or weak cryptographic algorithm. |
-| test.cpp:54:2:54:26 | call to my_implementation1 | This function call specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:144:27:144:29 | DES | This enum constant access specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:172:28:172:35 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:175:28:175:34 | USE_DES | This enum constant access specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:182:38:182:45 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:185:38:185:44 | USE_DES | This enum constant access specifies a broken or weak cryptographic algorithm. |
+| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:39:2:39:31 | ENCRYPT_WITH_RC2(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:51:2:51:32 | DES_DO_ENCRYPTION(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:52:2:52:31 | RUN_DES_ENCODING(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:53:2:53:25 | DES_ENCODE(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:54:2:54:26 | DES_SET_KEY(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:88:2:88:11 | call to encryptDES | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:89:2:89:11 | call to encryptRC2 | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:101:2:101:15 | call to do_des_encrypt | This function call specifies a broken or weak cryptographic algorithm. |

From 3a83ff54e6c95dcbe878d61eee2dca06199cb10b Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 13 May 2021 16:02:00 +0100
Subject: [PATCH 1036/1429] C++: Add support for class methods.

---
 cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql      | 3 ++-
 .../Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected       | 2 ++
 cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp        | 4 ++--
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index e96a803d7c0..71c835491f4 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -19,7 +19,8 @@ import semmle.code.cpp.security.Encryption
 Function getAnInsecureEncryptionFunction() {
   (
     isInsecureEncryption(result.getName()) or
-    isInsecureEncryption(result.getAParameter().getName())
+    isInsecureEncryption(result.getAParameter().getName()) or
+    isInsecureEncryption(result.getDeclaringType().getName())
   ) and
   exists(result.getACallToThisFunction())
 }
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
index 197472977b4..e213a6e92c3 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
@@ -6,6 +6,8 @@
 | test2.cpp:175:28:175:34 | USE_DES | This enum constant access specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:182:38:182:45 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:185:38:185:44 | USE_DES | This enum constant access specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:234:2:234:20 | call to encrypt | This function call specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:239:5:239:11 | call to encrypt | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:39:2:39:31 | ENCRYPT_WITH_RC2(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:51:2:51:32 | DES_DO_ENCRYPTION(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
index def7e0ae808..1cf18659242 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
@@ -231,12 +231,12 @@ public:
 
 void do_classes(const char *data)
 {
-	desEncrypt::encrypt(data); // BAD [NOT DETECTED]
+	desEncrypt::encrypt(data); // BAD
 	aes256Encrypt::encrypt(data); // GOOD
 
 	desCipher dc;
 	aesCipher ac;
-	dc.encrypt(data); // BAD [NOT DETECTED]
+	dc.encrypt(data); // BAD
 	ac.encrypt(data); // GOOD
 }
 

From a9d57450c89bb93b0882e9c723ebabc5684c0c52 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 13 May 2021 16:19:09 +0100
Subject: [PATCH 1037/1429] C++: Autoformat.

---
 .../CWE/CWE-327/BrokenCryptoAlgorithm.ql      | 19 ++++++-------------
 .../semmle/code/cpp/security/Encryption.qll   |  2 +-
 2 files changed, 7 insertions(+), 14 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index 71c835491f4..2f1b7fed6f0 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -55,16 +55,12 @@ Macro getAdditionalEvidenceMacro() {
 /**
  * An enum constant which may relate to an insecure encryption algorithm.
  */
-EnumConstant getAnInsecureEncryptionEnumConst() {
-  isInsecureEncryption(result.getName())
-}
+EnumConstant getAnInsecureEncryptionEnumConst() { isInsecureEncryption(result.getName()) }
 
 /**
  * An enum constant with additional evidence it is related to encryption.
  */
-EnumConstant getAdditionalEvidenceEnumConst() {
-  isEncryptionAdditionalEvidence(result.getName())
-}
+EnumConstant getAdditionalEvidenceEnumConst() { isEncryptionAdditionalEvidence(result.getName()) }
 
 /**
  * A function call we have a high confidence is related to use of an insecure
@@ -111,14 +107,11 @@ class InsecureFunctionCall extends FunctionCall {
     )
   }
 
-  Element getBlame() {
-    result = blame
-  }
+  Element getBlame() { result = blame }
 
-  string getDescription() {
-     result = explain
-  }
+  string getDescription() { result = explain }
 }
 
 from InsecureFunctionCall c
-select c.getBlame(), "This " + c.getDescription() + " specifies a broken or weak cryptographic algorithm."
+select c.getBlame(),
+  "This " + c.getDescription() + " specifies a broken or weak cryptographic algorithm."
diff --git a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
index 692b6ebeae9..8c9c4b3beee 100644
--- a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
@@ -60,7 +60,7 @@ predicate isInsecureEncryption(string name) {
   not name.toUpperCase().regexpMatch(".*TRIPLE.*")
 }
 
- /**
+/**
  * Holds if there is additional evidence that `name` looks like it might be
  * related to operations with an encyption algorithm, besides the name of a
  * specific algorithm. This can be used in conjuction with

From 9cdf8389815e4bb97e3ed3dd18ae3820fadb17c9 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 13 May 2021 16:20:52 +0100
Subject: [PATCH 1038/1429] C++: Bug fix.

---
 cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index 2f1b7fed6f0..0d311333fca 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -31,7 +31,8 @@ Function getAnInsecureEncryptionFunction() {
 Function getAdditionalEvidenceFunction() {
   (
     isEncryptionAdditionalEvidence(result.getName()) or
-    isEncryptionAdditionalEvidence(result.getAParameter().getName())
+    isEncryptionAdditionalEvidence(result.getAParameter().getName()) or
+    isInsecureEncryption(result.getDeclaringType().getName())
   ) and
   exists(result.getACallToThisFunction())
 }

From 51067af784f47fccb040a6d99ac16491b6a58cf6 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 13 May 2021 22:34:10 +0200
Subject: [PATCH 1039/1429] add "uid" (and friends) as maybe being sensitive
 account info

---
 .../internal/SensitiveDataHeuristics.qll      |  3 +-
 .../CWE-338/InsecureRandomness.expected       | 40 +++++++++++++++++++
 .../test/query-tests/Security/CWE-338/tst.js  |  9 ++++-
 3 files changed, 50 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll b/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll
index ddf95b1b534..9a3a306c159 100644
--- a/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll
+++ b/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll
@@ -58,7 +58,8 @@ module HeuristicNames {
    */
   string maybeAccountInfo() {
     result = "(?is).*acc(ou)?nt.*" or
-    result = "(?is).*(puid|username|userid).*"
+    result = "(?is).*(puid|username|userid).*" or
+    result = "(?is).*(u|^|_|[a-z(?=U)])(uid).*"
   }
 
   /**
diff --git a/javascript/ql/test/query-tests/Security/CWE-338/InsecureRandomness.expected b/javascript/ql/test/query-tests/Security/CWE-338/InsecureRandomness.expected
index e4ab385cc07..4db1bb3b088 100644
--- a/javascript/ql/test/query-tests/Security/CWE-338/InsecureRandomness.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-338/InsecureRandomness.expected
@@ -66,6 +66,26 @@ nodes
 | tst.js:95:33:95:45 | Math.random() |
 | tst.js:95:33:95:45 | Math.random() |
 | tst.js:95:33:95:45 | Math.random() |
+| tst.js:115:16:115:56 | Math.fl ... 00_000) |
+| tst.js:115:16:115:56 | Math.fl ... 00_000) |
+| tst.js:115:27:115:39 | Math.random() |
+| tst.js:115:27:115:39 | Math.random() |
+| tst.js:115:27:115:55 | Math.ra ... 000_000 |
+| tst.js:116:22:116:62 | Math.fl ... 00_000) |
+| tst.js:116:22:116:62 | Math.fl ... 00_000) |
+| tst.js:116:33:116:45 | Math.random() |
+| tst.js:116:33:116:45 | Math.random() |
+| tst.js:116:33:116:61 | Math.ra ... 000_000 |
+| tst.js:117:15:117:55 | Math.fl ... 00_000) |
+| tst.js:117:15:117:55 | Math.fl ... 00_000) |
+| tst.js:117:26:117:38 | Math.random() |
+| tst.js:117:26:117:38 | Math.random() |
+| tst.js:117:26:117:54 | Math.ra ... 000_000 |
+| tst.js:118:23:118:63 | Math.fl ... 00_000) |
+| tst.js:118:23:118:63 | Math.fl ... 00_000) |
+| tst.js:118:34:118:46 | Math.random() |
+| tst.js:118:34:118:46 | Math.random() |
+| tst.js:118:34:118:62 | Math.ra ... 000_000 |
 edges
 | tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() |
 | tst.js:6:31:6:43 | Math.random() | tst.js:6:20:6:43 | "prefix ... andom() |
@@ -114,6 +134,22 @@ edges
 | tst.js:84:19:84:31 | Math.random() | tst.js:84:19:84:31 | Math.random() |
 | tst.js:90:32:90:44 | Math.random() | tst.js:90:32:90:44 | Math.random() |
 | tst.js:95:33:95:45 | Math.random() | tst.js:95:33:95:45 | Math.random() |
+| tst.js:115:27:115:39 | Math.random() | tst.js:115:27:115:55 | Math.ra ... 000_000 |
+| tst.js:115:27:115:39 | Math.random() | tst.js:115:27:115:55 | Math.ra ... 000_000 |
+| tst.js:115:27:115:55 | Math.ra ... 000_000 | tst.js:115:16:115:56 | Math.fl ... 00_000) |
+| tst.js:115:27:115:55 | Math.ra ... 000_000 | tst.js:115:16:115:56 | Math.fl ... 00_000) |
+| tst.js:116:33:116:45 | Math.random() | tst.js:116:33:116:61 | Math.ra ... 000_000 |
+| tst.js:116:33:116:45 | Math.random() | tst.js:116:33:116:61 | Math.ra ... 000_000 |
+| tst.js:116:33:116:61 | Math.ra ... 000_000 | tst.js:116:22:116:62 | Math.fl ... 00_000) |
+| tst.js:116:33:116:61 | Math.ra ... 000_000 | tst.js:116:22:116:62 | Math.fl ... 00_000) |
+| tst.js:117:26:117:38 | Math.random() | tst.js:117:26:117:54 | Math.ra ... 000_000 |
+| tst.js:117:26:117:38 | Math.random() | tst.js:117:26:117:54 | Math.ra ... 000_000 |
+| tst.js:117:26:117:54 | Math.ra ... 000_000 | tst.js:117:15:117:55 | Math.fl ... 00_000) |
+| tst.js:117:26:117:54 | Math.ra ... 000_000 | tst.js:117:15:117:55 | Math.fl ... 00_000) |
+| tst.js:118:34:118:46 | Math.random() | tst.js:118:34:118:62 | Math.ra ... 000_000 |
+| tst.js:118:34:118:46 | Math.random() | tst.js:118:34:118:62 | Math.ra ... 000_000 |
+| tst.js:118:34:118:62 | Math.ra ... 000_000 | tst.js:118:23:118:63 | Math.fl ... 00_000) |
+| tst.js:118:34:118:62 | Math.ra ... 000_000 | tst.js:118:23:118:63 | Math.fl ... 00_000) |
 #select
 | tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() | Cryptographically insecure $@ in a security context. | tst.js:2:20:2:32 | Math.random() | random value |
 | tst.js:6:20:6:43 | "prefix ... andom() | tst.js:6:31:6:43 | Math.random() | tst.js:6:20:6:43 | "prefix ... andom() | Cryptographically insecure $@ in a security context. | tst.js:6:31:6:43 | Math.random() | random value |
@@ -131,3 +167,7 @@ edges
 | tst.js:84:19:84:31 | Math.random() | tst.js:84:19:84:31 | Math.random() | tst.js:84:19:84:31 | Math.random() | Cryptographically insecure $@ in a security context. | tst.js:84:19:84:31 | Math.random() | random value |
 | tst.js:90:32:90:44 | Math.random() | tst.js:90:32:90:44 | Math.random() | tst.js:90:32:90:44 | Math.random() | Cryptographically insecure $@ in a security context. | tst.js:90:32:90:44 | Math.random() | random value |
 | tst.js:95:33:95:45 | Math.random() | tst.js:95:33:95:45 | Math.random() | tst.js:95:33:95:45 | Math.random() | Cryptographically insecure $@ in a security context. | tst.js:95:33:95:45 | Math.random() | random value |
+| tst.js:115:16:115:56 | Math.fl ... 00_000) | tst.js:115:27:115:39 | Math.random() | tst.js:115:16:115:56 | Math.fl ... 00_000) | Cryptographically insecure $@ in a security context. | tst.js:115:27:115:39 | Math.random() | random value |
+| tst.js:116:22:116:62 | Math.fl ... 00_000) | tst.js:116:33:116:45 | Math.random() | tst.js:116:22:116:62 | Math.fl ... 00_000) | Cryptographically insecure $@ in a security context. | tst.js:116:33:116:45 | Math.random() | random value |
+| tst.js:117:15:117:55 | Math.fl ... 00_000) | tst.js:117:26:117:38 | Math.random() | tst.js:117:15:117:55 | Math.fl ... 00_000) | Cryptographically insecure $@ in a security context. | tst.js:117:26:117:38 | Math.random() | random value |
+| tst.js:118:23:118:63 | Math.fl ... 00_000) | tst.js:118:34:118:46 | Math.random() | tst.js:118:23:118:63 | Math.fl ... 00_000) | Cryptographically insecure $@ in a security context. | tst.js:118:34:118:46 | Math.random() | random value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-338/tst.js b/javascript/ql/test/query-tests/Security/CWE-338/tst.js
index 123799426b5..6a1abf1403c 100644
--- a/javascript/ql/test/query-tests/Security/CWE-338/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-338/tst.js
@@ -109,4 +109,11 @@ function f18() {
         }
     };
     var secret = genRandom(); // OK - Math.random() is only a fallback.
-})();
\ No newline at end of file
+})();
+
+function uid() {
+    var uuid = Math.floor(Math.random() * 4_000_000_000); // NOT OK
+    var sessionUid = Math.floor(Math.random() * 4_000_000_000); // NOT OK
+    var uid = Math.floor(Math.random() * 4_000_000_000); // NOT OK
+    var my_nice_uid = Math.floor(Math.random() * 4_000_000_000); // NOT OK
+}
\ No newline at end of file

From 662e335424a7205100388feaa263db724a850191 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 13 May 2021 22:54:39 +0200
Subject: [PATCH 1040/1429] keep python in sync

---
 .../python/security/internal/SensitiveDataHeuristics.qll       | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll b/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll
index ddf95b1b534..9a3a306c159 100644
--- a/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll
+++ b/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll
@@ -58,7 +58,8 @@ module HeuristicNames {
    */
   string maybeAccountInfo() {
     result = "(?is).*acc(ou)?nt.*" or
-    result = "(?is).*(puid|username|userid).*"
+    result = "(?is).*(puid|username|userid).*" or
+    result = "(?is).*(u|^|_|[a-z(?=U)])(uid).*"
   }
 
   /**

From 9d60ec035f991655e7ea4ead67552ec567df64c2 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 13 May 2021 23:04:30 +0200
Subject: [PATCH 1041/1429] fix casing on the uid regexp

---
 .../security/internal/SensitiveDataHeuristics.qll      |  2 +-
 .../Security/CWE-338/InsecureRandomness.expected       | 10 ++++++++++
 javascript/ql/test/query-tests/Security/CWE-338/tst.js |  3 +++
 .../security/internal/SensitiveDataHeuristics.qll      |  2 +-
 4 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll b/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll
index 9a3a306c159..589c37120b9 100644
--- a/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll
+++ b/javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll
@@ -59,7 +59,7 @@ module HeuristicNames {
   string maybeAccountInfo() {
     result = "(?is).*acc(ou)?nt.*" or
     result = "(?is).*(puid|username|userid).*" or
-    result = "(?is).*(u|^|_|[a-z(?=U)])(uid).*"
+    result = "(?s).*([uU]|^|_|[a-z](?=U))([uU][iI][dD]).*"
   }
 
   /**
diff --git a/javascript/ql/test/query-tests/Security/CWE-338/InsecureRandomness.expected b/javascript/ql/test/query-tests/Security/CWE-338/InsecureRandomness.expected
index 4db1bb3b088..42da210c266 100644
--- a/javascript/ql/test/query-tests/Security/CWE-338/InsecureRandomness.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-338/InsecureRandomness.expected
@@ -86,6 +86,12 @@ nodes
 | tst.js:118:34:118:46 | Math.random() |
 | tst.js:118:34:118:46 | Math.random() |
 | tst.js:118:34:118:62 | Math.ra ... 000_000 |
+| tst.js:120:16:120:28 | Math.random() |
+| tst.js:120:16:120:28 | Math.random() |
+| tst.js:120:16:120:28 | Math.random() |
+| tst.js:121:18:121:30 | Math.random() |
+| tst.js:121:18:121:30 | Math.random() |
+| tst.js:121:18:121:30 | Math.random() |
 edges
 | tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() |
 | tst.js:6:31:6:43 | Math.random() | tst.js:6:20:6:43 | "prefix ... andom() |
@@ -150,6 +156,8 @@ edges
 | tst.js:118:34:118:46 | Math.random() | tst.js:118:34:118:62 | Math.ra ... 000_000 |
 | tst.js:118:34:118:62 | Math.ra ... 000_000 | tst.js:118:23:118:63 | Math.fl ... 00_000) |
 | tst.js:118:34:118:62 | Math.ra ... 000_000 | tst.js:118:23:118:63 | Math.fl ... 00_000) |
+| tst.js:120:16:120:28 | Math.random() | tst.js:120:16:120:28 | Math.random() |
+| tst.js:121:18:121:30 | Math.random() | tst.js:121:18:121:30 | Math.random() |
 #select
 | tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() | Cryptographically insecure $@ in a security context. | tst.js:2:20:2:32 | Math.random() | random value |
 | tst.js:6:20:6:43 | "prefix ... andom() | tst.js:6:31:6:43 | Math.random() | tst.js:6:20:6:43 | "prefix ... andom() | Cryptographically insecure $@ in a security context. | tst.js:6:31:6:43 | Math.random() | random value |
@@ -171,3 +179,5 @@ edges
 | tst.js:116:22:116:62 | Math.fl ... 00_000) | tst.js:116:33:116:45 | Math.random() | tst.js:116:22:116:62 | Math.fl ... 00_000) | Cryptographically insecure $@ in a security context. | tst.js:116:33:116:45 | Math.random() | random value |
 | tst.js:117:15:117:55 | Math.fl ... 00_000) | tst.js:117:26:117:38 | Math.random() | tst.js:117:15:117:55 | Math.fl ... 00_000) | Cryptographically insecure $@ in a security context. | tst.js:117:26:117:38 | Math.random() | random value |
 | tst.js:118:23:118:63 | Math.fl ... 00_000) | tst.js:118:34:118:46 | Math.random() | tst.js:118:23:118:63 | Math.fl ... 00_000) | Cryptographically insecure $@ in a security context. | tst.js:118:34:118:46 | Math.random() | random value |
+| tst.js:120:16:120:28 | Math.random() | tst.js:120:16:120:28 | Math.random() | tst.js:120:16:120:28 | Math.random() | Cryptographically insecure $@ in a security context. | tst.js:120:16:120:28 | Math.random() | random value |
+| tst.js:121:18:121:30 | Math.random() | tst.js:121:18:121:30 | Math.random() | tst.js:121:18:121:30 | Math.random() | Cryptographically insecure $@ in a security context. | tst.js:121:18:121:30 | Math.random() | random value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-338/tst.js b/javascript/ql/test/query-tests/Security/CWE-338/tst.js
index 6a1abf1403c..77393b8983c 100644
--- a/javascript/ql/test/query-tests/Security/CWE-338/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-338/tst.js
@@ -116,4 +116,7 @@ function uid() {
     var sessionUid = Math.floor(Math.random() * 4_000_000_000); // NOT OK
     var uid = Math.floor(Math.random() * 4_000_000_000); // NOT OK
     var my_nice_uid = Math.floor(Math.random() * 4_000_000_000); // NOT OK
+    var liquid = Math.random(); // OK
+    var UUID = Math.random(); // NOT OK
+    var MY_UID = Math.random(); // NOK OK
 }
\ No newline at end of file
diff --git a/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll b/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll
index 9a3a306c159..589c37120b9 100644
--- a/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll
+++ b/python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll
@@ -59,7 +59,7 @@ module HeuristicNames {
   string maybeAccountInfo() {
     result = "(?is).*acc(ou)?nt.*" or
     result = "(?is).*(puid|username|userid).*" or
-    result = "(?is).*(u|^|_|[a-z(?=U)])(uid).*"
+    result = "(?s).*([uU]|^|_|[a-z](?=U))([uU][iI][dD]).*"
   }
 
   /**

From 406fb1e383dcf3408b43fc752bf608bdc3b68fda Mon Sep 17 00:00:00 2001
From: Ethan P <56270045+ethanpalm@users.noreply.github.com>
Date: Thu, 13 May 2021 17:29:34 -0400
Subject: [PATCH 1042/1429] Update with Go custom build options

---
 .../codeql-cli/creating-codeql-databases.rst      | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/docs/codeql/codeql-cli/creating-codeql-databases.rst b/docs/codeql/codeql-cli/creating-codeql-databases.rst
index 4f7212050df..a41727e1956 100644
--- a/docs/codeql/codeql-cli/creating-codeql-databases.rst
+++ b/docs/codeql/codeql-cli/creating-codeql-databases.rst
@@ -165,13 +165,14 @@ build steps, you may need to explicitly define each step in the command line.
 
 .. pull-quote:: Creating databases for Go
   
-   For Go, you should always use the CodeQL autobuilder. Install the Go
-   toolchain (version 1.11 or later) and, if there are dependencies, the
-   appropriate dependency manager (such as `dep
+   For Go, install the Go toolchain (version 1.11 or later) and, if there
+   are dependencies, the appropriate dependency manager (such as `dep
    <https://golang.github.io/dep/>`__).
    
-   Do not specify any build commands, as you will override the autobuilder
-   invocation, which will create an empty database.  
+   The Go autobuilder attempts to automatically detect Go code in a repository,
+   and only runs build scripts in an attempt to fetch dependencies. To force
+   CodeQL to use your build script, set the environment variable
+   `CODEQL_EXTRACTOR_GO_BUILD_TRACING=on` or pass a command.
 
 Specifying build commands
 ~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -200,6 +201,10 @@ commands that you can specify for compiled languages.
 
      codeql database create csharp-database --language=csharp --command='dotnet build /p:UseSharedCompilation=false /t:rebuild'
 
+- Go project built using a custom build script::
+
+   CODEQL_EXTRACTOR_GO_BUILD_TRACING=on codeql database create go-database --language=go --command='./scripts/build.sh'
+
 - Java project built using Gradle::
 
      codeql database create java-database --language=java --command='gradle clean test'

From 498c99e26ca556e466f00015a6203f3ce64a5362 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Fri, 14 May 2021 16:31:59 +0800
Subject: [PATCH 1043/1429] Add left value, Add return expression tracing flow

---
 .../CWE/CWE-601/SpringUrlRedirect.qll         | 70 +++++++++++++++++--
 .../CWE-601/SpringUrlRedirect.expected        |  8 +++
 .../security/CWE-601/SpringUrlRedirect.java   | 18 ++++-
 3 files changed, 90 insertions(+), 6 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll
index 1ab5f3cd0b1..866eaae1c34 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll
@@ -18,20 +18,48 @@ class StartsWithSanitizer extends DataFlow::BarrierGuard {
 }
 
 /**
- * A concatenate expression using the string `redirect:` on the left.
+ * A concatenate expression using the string `redirect:` or `ajaxredirect:` or `forward:` on the left.
  *
  * E.g: `"redirect:" + redirectUrl`
  */
 class RedirectBuilderExpr extends AddExpr {
   RedirectBuilderExpr() {
-    this.getLeftOperand().(CompileTimeConstantExpr).getStringValue() = "redirect:"
+    this.getLeftOperand().(CompileTimeConstantExpr).getStringValue() in [
+        "redirect:", "ajaxredirect:", "forward:"
+      ]
+  }
+}
+
+/**
+ * A call to `StringBuilder.append` or `StringBuffer.append` method, and the parameter value is
+ * `"redirect:"` or `"ajaxredirect:"` or `"forward:"`.
+ *
+ * E.g: `StringBuilder.append("redirect:")`
+ */
+class RedirectAppendCall extends MethodAccess {
+  RedirectAppendCall() {
+    this.getMethod().hasName("append") and
+    this.getMethod().getDeclaringType() instanceof StringBuildingType and
+    this.getArgument(0).(CompileTimeConstantExpr).getStringValue() in [
+        "redirect:", "ajaxredirect:", "forward:"
+      ]
   }
 }
 
 /** A URL redirection sink from spring controller method. */
 class SpringUrlRedirectSink extends DataFlow::Node {
   SpringUrlRedirectSink() {
-    exists(RedirectBuilderExpr rbe | rbe.getRightOperand() = this.asExpr())
+    exists(RedirectBuilderExpr rbe |
+      rbe.getRightOperand() = this.asExpr() and
+      exists(RedirectBuilderFlowConfig rbfc | rbfc.hasFlow(exprNode(rbe), _))
+    )
+    or
+    exists(MethodAccess ma, RedirectAppendCall rac |
+      DataFlow2::localExprFlow(rac.getQualifier(), ma.getQualifier()) and
+      ma.getMethod().hasName("append") and
+      ma.getArgument(0) = this.asExpr() and
+      exists(RedirectBuilderFlowConfig rbfc | rbfc.hasFlow(exprNode(ma.getQualifier()), _))
+    )
     or
     exists(MethodAccess ma |
       ma.getMethod().hasName("setUrl") and
@@ -50,8 +78,40 @@ class SpringUrlRedirectSink extends DataFlow::Node {
     or
     exists(ClassInstanceExpr cie |
       cie.getConstructedType().hasQualifiedName("org.springframework.web.servlet", "ModelAndView") and
-      cie.getArgument(0) = this.asExpr() and
-      exists(RedirectBuilderExpr rbe | rbe.getRightOperand() = this.asExpr())
+      exists(RedirectBuilderExpr rbe |
+        rbe = cie.getArgument(0) and rbe.getRightOperand() = this.asExpr()
+      )
+    )
+  }
+}
+
+/** A data flow configuration tracing flow from redirect builder expression to spring controller method return expression. */
+private class RedirectBuilderFlowConfig extends DataFlow2::Configuration {
+  RedirectBuilderFlowConfig() { this = "RedirectBuilderFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) {
+    exists(RedirectBuilderExpr rbe | rbe = src.asExpr())
+    or
+    exists(MethodAccess ma, RedirectAppendCall rac |
+      DataFlow2::localExprFlow(rac.getQualifier(), ma.getQualifier()) and
+      ma.getMethod().hasName("append") and
+      ma.getQualifier() = src.asExpr()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(ReturnStmt rs, SpringRequestMappingMethod sqmm |
+      rs.getResult() = sink.asExpr() and
+      sqmm.getBody().getAStmt() = rs
+    )
+  }
+
+  override predicate isAdditionalFlowStep(Node prod, Node succ) {
+    exists(MethodAccess ma |
+      ma.getMethod().hasName("toString") and
+      ma.getMethod().getDeclaringType() instanceof StringBuildingType and
+      ma.getQualifier() = prod.asExpr() and
+      ma = succ.asExpr()
     )
   }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected
index fee0598bbee..26b8acd7770 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected
@@ -3,6 +3,8 @@ edges
 | SpringUrlRedirect.java:20:24:20:41 | redirectUrl : String | SpringUrlRedirect.java:21:36:21:46 | redirectUrl |
 | SpringUrlRedirect.java:26:30:26:47 | redirectUrl : String | SpringUrlRedirect.java:27:44:27:54 | redirectUrl |
 | SpringUrlRedirect.java:32:30:32:47 | redirectUrl : String | SpringUrlRedirect.java:33:47:33:57 | redirectUrl |
+| SpringUrlRedirect.java:37:24:37:41 | redirectUrl : String | SpringUrlRedirect.java:40:29:40:39 | redirectUrl |
+| SpringUrlRedirect.java:45:24:45:41 | redirectUrl : String | SpringUrlRedirect.java:48:30:48:40 | redirectUrl |
 nodes
 | SpringUrlRedirect.java:13:30:13:47 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:15:19:15:29 | redirectUrl | semmle.label | redirectUrl |
@@ -12,8 +14,14 @@ nodes
 | SpringUrlRedirect.java:27:44:27:54 | redirectUrl | semmle.label | redirectUrl |
 | SpringUrlRedirect.java:32:30:32:47 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:33:47:33:57 | redirectUrl | semmle.label | redirectUrl |
+| SpringUrlRedirect.java:37:24:37:41 | redirectUrl : String | semmle.label | redirectUrl : String |
+| SpringUrlRedirect.java:40:29:40:39 | redirectUrl | semmle.label | redirectUrl |
+| SpringUrlRedirect.java:45:24:45:41 | redirectUrl : String | semmle.label | redirectUrl : String |
+| SpringUrlRedirect.java:48:30:48:40 | redirectUrl | semmle.label | redirectUrl |
 #select
 | SpringUrlRedirect.java:15:19:15:29 | redirectUrl | SpringUrlRedirect.java:13:30:13:47 | redirectUrl : String | SpringUrlRedirect.java:15:19:15:29 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:13:30:13:47 | redirectUrl | user-provided value |
 | SpringUrlRedirect.java:21:36:21:46 | redirectUrl | SpringUrlRedirect.java:20:24:20:41 | redirectUrl : String | SpringUrlRedirect.java:21:36:21:46 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:20:24:20:41 | redirectUrl | user-provided value |
 | SpringUrlRedirect.java:27:44:27:54 | redirectUrl | SpringUrlRedirect.java:26:30:26:47 | redirectUrl : String | SpringUrlRedirect.java:27:44:27:54 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:26:30:26:47 | redirectUrl | user-provided value |
 | SpringUrlRedirect.java:33:47:33:57 | redirectUrl | SpringUrlRedirect.java:32:30:32:47 | redirectUrl : String | SpringUrlRedirect.java:33:47:33:57 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:32:30:32:47 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:40:29:40:39 | redirectUrl | SpringUrlRedirect.java:37:24:37:41 | redirectUrl : String | SpringUrlRedirect.java:40:29:40:39 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:37:24:37:41 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:48:30:48:40 | redirectUrl | SpringUrlRedirect.java:45:24:45:41 | redirectUrl : String | SpringUrlRedirect.java:48:30:48:40 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:45:24:45:41 | redirectUrl | user-provided value |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.java b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.java
index 1438b0a63a1..5124d8cd8c6 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.java
@@ -34,6 +34,22 @@ public class SpringUrlRedirect {
     }
 
     @GetMapping("url5")
+    public String bad5(String redirectUrl) {
+        StringBuffer stringBuffer = new StringBuffer();
+        stringBuffer.append("redirect:");
+        stringBuffer.append(redirectUrl);
+        return stringBuffer.toString();
+    }
+
+    @GetMapping("url6")
+    public String bad6(String redirectUrl) {
+        StringBuilder stringBuilder = new StringBuilder();
+        stringBuilder.append("redirect:");
+        stringBuilder.append(redirectUrl);
+        return stringBuilder.toString();
+    }
+
+    @GetMapping("url7")
     public RedirectView good1(String redirectUrl) {
         RedirectView rv = new RedirectView();
         if (redirectUrl.startsWith(VALID_REDIRECT)){
@@ -44,7 +60,7 @@ public class SpringUrlRedirect {
         return rv;
     }
 
-    @GetMapping("url6")
+    @GetMapping("url8")
     public ModelAndView good2(String token) {
         String url = "/edit?token=" + token;
         return new ModelAndView("redirect:" + url);

From 33641c84f6e83964b59509c44ef3078ee6d4acb3 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Fri, 14 May 2021 11:58:27 +0200
Subject: [PATCH 1044/1429] recognize sanitizing string replace call for
 regexp-injection

---
 .../RegExpInjectionCustomizations.qll         | 23 +++++++++++++++++
 .../Security/CWE-730/RegExpInjection.expected | 24 ++++++++++++++++++
 .../Security/CWE-730/RegExpInjection.js       | 25 +++++++++++++++++++
 3 files changed, 72 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
index df791146b21..af0488a7641 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
@@ -55,4 +55,27 @@ module RegExpInjection {
       )
     }
   }
+
+  /**
+   * A global regexp replacement involving the `{`, `[`, or `+` meta-character, viewed as a sanitizer for
+   * regexp-injection vulnerabilities.
+   */
+  class MetacharEscapeSanitizer extends Sanitizer, StringReplaceCall {
+    MetacharEscapeSanitizer() {
+      isGlobal() and
+      (
+        RegExp::alwaysMatchesMetaCharacter(getRegExp().getRoot(), ["{", "[", "+"])
+        or
+        // or it's like a wild-card.
+        RegExp::isWildcardLike(getRegExp().getRoot())
+      )
+    }
+  }
+
+  /**
+   * Meta characters used in the above sanitizer.
+   */
+  private class RegexpMetaChars extends RegExp::MetaCharacter {
+    RegexpMetaChars() { this = ["{", "[", "+"] }
+  }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected
index 29bad1be0fb..1e0d857fbfb 100644
--- a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.expected
@@ -44,6 +44,18 @@ nodes
 | RegExpInjection.js:54:14:54:42 | key.spl ... x => x) |
 | RegExpInjection.js:54:14:54:52 | key.spl ... in("-") |
 | RegExpInjection.js:54:14:54:52 | key.spl ... in("-") |
+| RegExpInjection.js:60:31:60:56 | input |
+| RegExpInjection.js:60:39:60:56 | req.param("input") |
+| RegExpInjection.js:60:39:60:56 | req.param("input") |
+| RegExpInjection.js:64:14:64:18 | input |
+| RegExpInjection.js:64:14:64:18 | input |
+| RegExpInjection.js:82:7:82:32 | input |
+| RegExpInjection.js:82:15:82:32 | req.param("input") |
+| RegExpInjection.js:82:15:82:32 | req.param("input") |
+| RegExpInjection.js:87:14:87:55 | "^.*\\.( ...  + ")$" |
+| RegExpInjection.js:87:14:87:55 | "^.*\\.( ...  + ")$" |
+| RegExpInjection.js:87:25:87:29 | input |
+| RegExpInjection.js:87:25:87:48 | input.r ... g, "\|") |
 | tst.js:1:46:1:46 | e |
 | tst.js:1:46:1:46 | e |
 | tst.js:2:9:2:21 | data |
@@ -99,6 +111,16 @@ edges
 | RegExpInjection.js:54:14:54:27 | key.split(".") | RegExpInjection.js:54:14:54:42 | key.spl ... x => x) |
 | RegExpInjection.js:54:14:54:42 | key.spl ... x => x) | RegExpInjection.js:54:14:54:52 | key.spl ... in("-") |
 | RegExpInjection.js:54:14:54:42 | key.spl ... x => x) | RegExpInjection.js:54:14:54:52 | key.spl ... in("-") |
+| RegExpInjection.js:60:31:60:56 | input | RegExpInjection.js:64:14:64:18 | input |
+| RegExpInjection.js:60:31:60:56 | input | RegExpInjection.js:64:14:64:18 | input |
+| RegExpInjection.js:60:39:60:56 | req.param("input") | RegExpInjection.js:60:31:60:56 | input |
+| RegExpInjection.js:60:39:60:56 | req.param("input") | RegExpInjection.js:60:31:60:56 | input |
+| RegExpInjection.js:82:7:82:32 | input | RegExpInjection.js:87:25:87:29 | input |
+| RegExpInjection.js:82:15:82:32 | req.param("input") | RegExpInjection.js:82:7:82:32 | input |
+| RegExpInjection.js:82:15:82:32 | req.param("input") | RegExpInjection.js:82:7:82:32 | input |
+| RegExpInjection.js:87:25:87:29 | input | RegExpInjection.js:87:25:87:48 | input.r ... g, "\|") |
+| RegExpInjection.js:87:25:87:48 | input.r ... g, "\|") | RegExpInjection.js:87:14:87:55 | "^.*\\.( ...  + ")$" |
+| RegExpInjection.js:87:25:87:48 | input.r ... g, "\|") | RegExpInjection.js:87:14:87:55 | "^.*\\.( ...  + ")$" |
 | tst.js:1:46:1:46 | e | tst.js:2:16:2:16 | e |
 | tst.js:1:46:1:46 | e | tst.js:2:16:2:16 | e |
 | tst.js:2:9:2:21 | data | tst.js:3:21:3:24 | data |
@@ -122,4 +144,6 @@ edges
 | RegExpInjection.js:47:22:47:26 | input | RegExpInjection.js:5:39:5:56 | req.param("input") | RegExpInjection.js:47:22:47:26 | input | This regular expression is constructed from a $@. | RegExpInjection.js:5:39:5:56 | req.param("input") | user-provided value |
 | RegExpInjection.js:50:46:50:50 | input | RegExpInjection.js:5:39:5:56 | req.param("input") | RegExpInjection.js:50:46:50:50 | input | This regular expression is constructed from a $@. | RegExpInjection.js:5:39:5:56 | req.param("input") | user-provided value |
 | RegExpInjection.js:54:14:54:52 | key.spl ... in("-") | RegExpInjection.js:5:13:5:28 | req.param("key") | RegExpInjection.js:54:14:54:52 | key.spl ... in("-") | This regular expression is constructed from a $@. | RegExpInjection.js:5:13:5:28 | req.param("key") | user-provided value |
+| RegExpInjection.js:64:14:64:18 | input | RegExpInjection.js:60:39:60:56 | req.param("input") | RegExpInjection.js:64:14:64:18 | input | This regular expression is constructed from a $@. | RegExpInjection.js:60:39:60:56 | req.param("input") | user-provided value |
+| RegExpInjection.js:87:14:87:55 | "^.*\\.( ...  + ")$" | RegExpInjection.js:82:15:82:32 | req.param("input") | RegExpInjection.js:87:14:87:55 | "^.*\\.( ...  + ")$" | This regular expression is constructed from a $@. | RegExpInjection.js:82:15:82:32 | req.param("input") | user-provided value |
 | tst.js:3:16:3:35 | "^"+ data.name + "$" | tst.js:1:46:1:46 | e | tst.js:3:16:3:35 | "^"+ data.name + "$" | This regular expression is constructed from a $@. | tst.js:1:46:1:46 | e | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js
index dc1910b1ae5..e22ec9c6a17 100644
--- a/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js
+++ b/javascript/ql/test/query-tests/Security/CWE-730/RegExpInjection.js
@@ -60,4 +60,29 @@ app.get('/findKey', function(req, res) {
   var key = req.param("key"), input = req.param("input");
 
   Search.search(input); // OK!
+
+  new RegExp(input); // NOT OK
+  
+  var sanitized = input.replace(/[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g, "\\$&");
+  new RegExp(sanitized); // OK
+});
+
+function escape1(pattern) {
+  return pattern.replace(/[\x00-\x7f]/g,
+    function(s) { return '\\x' + ('00' + s.charCodeAt().toString(16)).substr(-2); });
+}
+
+function escape2(str){
+  return str.replace(/([\.$?*|{}\(\)\[\]\\\/\+\-^])/g, function(ch){
+    return "\\" + ch;
+});
+};
+
+app.get('/has-sanitizer', function(req, res) {
+  var input = req.param("input");
+
+  new RegExp(escape1(input)); // OK
+  new RegExp(escape2(input)); // OK
+
+  new RegExp("^.*\.(" + input.replace(/,/g, "|") + ")$"); // NOT OK
 });

From f378513ea39f33b15879653e489653d719633910 Mon Sep 17 00:00:00 2001
From: Robin Neatherway <rneatherway@github.com>
Date: Fri, 14 May 2021 11:19:20 +0100
Subject: [PATCH 1045/1429] Add lines-of-code tags

This is a proposed method for advertising which queries are measuring
the lines of code in a project in a more robust manner than inspecting
the rule id.

Note that the python "LinesOfUserCode" query should _not_ have this
property, as otherwise the results of the two queries will be summed.
---
 cpp/ql/src/Summary/LinesOfCode.ql              | 1 +
 csharp/ql/src/Metrics/Summaries/LinesOfCode.ql | 1 +
 java/ql/src/Metrics/Summaries/LinesOfCode.ql   | 1 +
 javascript/ql/src/Summary/LinesOfCode.ql       | 1 +
 python/ql/src/Summary/LinesOfCode.ql           | 1 +
 5 files changed, 5 insertions(+)

diff --git a/cpp/ql/src/Summary/LinesOfCode.ql b/cpp/ql/src/Summary/LinesOfCode.ql
index 3b2aa2ac4c9..2d816b349e8 100644
--- a/cpp/ql/src/Summary/LinesOfCode.ql
+++ b/cpp/ql/src/Summary/LinesOfCode.ql
@@ -4,6 +4,7 @@
  * @description The total number of lines of C/C++ code across all files, including system headers, libraries, and auto-generated files. This is a useful metric of the size of a database. For all files that were seen during the build, this query counts the lines of code, excluding whitespace or comments.
  * @kind metric
  * @tags summary
+ *       lines-of-code
  */
 
 import cpp
diff --git a/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql b/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql
index 9156a5e4a7f..e93e3c7416f 100644
--- a/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql
+++ b/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql
@@ -4,6 +4,7 @@
  * @description The total number of lines of code across all files. This is a useful metric of the size of a database. For all files that were seen during the build, this query counts the lines of code, excluding whitespace or comments.
  * @kind metric
  * @tags summary
+ *       lines-of-code
  */
 
 import csharp
diff --git a/java/ql/src/Metrics/Summaries/LinesOfCode.ql b/java/ql/src/Metrics/Summaries/LinesOfCode.ql
index d6db7c6ee6b..c622f8b08ba 100644
--- a/java/ql/src/Metrics/Summaries/LinesOfCode.ql
+++ b/java/ql/src/Metrics/Summaries/LinesOfCode.ql
@@ -6,6 +6,7 @@
  *              or comments.
  * @kind metric
  * @tags summary
+ *       lines-of-code
  */
 
 import java
diff --git a/javascript/ql/src/Summary/LinesOfCode.ql b/javascript/ql/src/Summary/LinesOfCode.ql
index 9f89e0e2163..cadf0a9cf8f 100644
--- a/javascript/ql/src/Summary/LinesOfCode.ql
+++ b/javascript/ql/src/Summary/LinesOfCode.ql
@@ -4,6 +4,7 @@
  * @description The total number of lines of JavaScript or TypeScript code across all files checked into the repository, except in `node_modules`. This is a useful metric of the size of a database. For all files that were seen during extraction, this query counts the lines of code, excluding whitespace or comments.
  * @kind metric
  * @tags summary
+ *       lines-of-code
  */
 
 import javascript
diff --git a/python/ql/src/Summary/LinesOfCode.ql b/python/ql/src/Summary/LinesOfCode.ql
index d9bfc4f872c..ad0b77730de 100644
--- a/python/ql/src/Summary/LinesOfCode.ql
+++ b/python/ql/src/Summary/LinesOfCode.ql
@@ -5,6 +5,7 @@
  *   database. This query counts the lines of code, excluding whitespace or comments.
  * @kind metric
  * @tags summary
+ *       lines-of-code
  * @id py/summary/lines-of-code
  */
 

From 3766678d60b7b47d5fb9a699155988f6c9ddf0e5 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Fri, 14 May 2021 13:23:36 +0200
Subject: [PATCH 1046/1429] move `RegexpMetaChars` into Regexp.qll

---
 javascript/ql/src/semmle/javascript/Regexp.qll     | 14 ++++++++++++--
 .../dataflow/RegExpInjectionCustomizations.qll     |  7 -------
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/Regexp.qll b/javascript/ql/src/semmle/javascript/Regexp.qll
index d3b7e9cac7e..c0f01fa130a 100644
--- a/javascript/ql/src/semmle/javascript/Regexp.qll
+++ b/javascript/ql/src/semmle/javascript/Regexp.qll
@@ -1237,8 +1237,18 @@ module RegExp {
     }
   }
 
-  private class DefaultMetaCharacter extends MetaCharacter {
-    DefaultMetaCharacter() { this = ["<", "'", "\""] }
+  /**
+   * A meta character used by HTML.
+   */
+  private class HTMLMetaCharacter extends MetaCharacter {
+    HTMLMetaCharacter() { this = ["<", "'", "\""] }
+  }
+
+  /**
+   * A meta character used by regular expressions.
+   */
+  private class RegexpMetaChars extends RegExp::MetaCharacter {
+    RegexpMetaChars() { this = ["{", "[", "+"] }
   }
 
   /**
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
index af0488a7641..e4555bb5ca8 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
@@ -71,11 +71,4 @@ module RegExpInjection {
       )
     }
   }
-
-  /**
-   * Meta characters used in the above sanitizer.
-   */
-  private class RegexpMetaChars extends RegExp::MetaCharacter {
-    RegexpMetaChars() { this = ["{", "[", "+"] }
-  }
 }

From 5031b73f3509e4d1c1ce21586dd1262502177670 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 14 May 2021 13:43:20 +0200
Subject: [PATCH 1047/1429] C++: Add barrier to
 cpp/uncontrolled-allocation-size that blocks flow when overflow isn't
 possible.

---
 .../CWE/CWE-190/TaintedAllocationSize.ql      | 16 ++++++++++
 .../TaintedAllocationSize.expected            | 30 -------------------
 .../semmle/TaintedAllocationSize/test.cpp     |  6 ++--
 3 files changed, 19 insertions(+), 33 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
index cc2d52385c7..859d56ec2a0 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -12,6 +12,7 @@
  */
 
 import cpp
+import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import semmle.code.cpp.security.TaintTracking
 import TaintedWithPath
 
@@ -27,6 +28,21 @@ predicate allocSink(Expr alloc, Expr tainted) {
 
 class TaintedAllocationSizeConfiguration extends TaintTrackingConfiguration {
   override predicate isSink(Element tainted) { allocSink(_, tainted) }
+
+  override predicate isBarrier(Expr e) {
+    super.isBarrier(e)
+    or
+    // There can be two separate reasons for `convertedExprMightOverflow` not holding:
+    // 1. `e` really cannot overflow.
+    // 2. `e` isn't analyzable.
+    // If we didn't rule out case 2 we would place barriers on anything that isn't analyzable.
+    (
+      e instanceof UnaryArithmeticOperation or
+      e instanceof BinaryArithmeticOperation or
+      e instanceof AssignArithmeticOperation
+    ) and
+    not convertedExprMightOverflow(e)
+  }
 }
 
 predicate taintedAllocSize(
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
index 25ff3162973..cdcf3aa6847 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -53,10 +53,6 @@ edges
 | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... |
 | test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:27 | ... * ... |
 | test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:27 | ... * ... |
-| test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... |
-| test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... |
-| test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:28 | ... * ... |
-| test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:28 | ... * ... |
 | test.cpp:201:9:201:42 | Store | test.cpp:231:9:231:24 | call to get_tainted_size |
 | test.cpp:201:9:201:42 | Store | test.cpp:231:9:231:24 | call to get_tainted_size |
 | test.cpp:201:14:201:19 | call to getenv | test.cpp:201:9:201:42 | Store |
@@ -91,14 +87,6 @@ edges
 | test.cpp:295:18:295:21 | Chi | test.cpp:298:10:298:27 | ... * ... |
 | test.cpp:295:18:295:21 | Chi | test.cpp:298:10:298:27 | ... * ... |
 | test.cpp:295:18:295:21 | get_size output argument [array content] | test.cpp:295:18:295:21 | Chi |
-| test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... |
-| test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... |
-| test.cpp:301:19:301:32 | (const char *)... | test.cpp:305:11:305:28 | ... * ... |
-| test.cpp:301:19:301:32 | (const char *)... | test.cpp:305:11:305:28 | ... * ... |
-| test.cpp:309:19:309:24 | call to getenv | test.cpp:314:10:314:27 | ... * ... |
-| test.cpp:309:19:309:24 | call to getenv | test.cpp:314:10:314:27 | ... * ... |
-| test.cpp:309:19:309:32 | (const char *)... | test.cpp:314:10:314:27 | ... * ... |
-| test.cpp:309:19:309:32 | (const char *)... | test.cpp:314:10:314:27 | ... * ... |
 nodes
 | test.cpp:39:21:39:24 | argv | semmle.label | argv |
 | test.cpp:39:21:39:24 | argv | semmle.label | argv |
@@ -149,11 +137,6 @@ nodes
 | test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
-| test.cpp:138:19:138:24 | call to getenv | semmle.label | call to getenv |
-| test.cpp:138:19:138:32 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
-| test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
-| test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:201:9:201:42 | Store | semmle.label | Store |
 | test.cpp:201:14:201:19 | call to getenv | semmle.label | call to getenv |
 | test.cpp:201:14:201:27 | (const char *)... | semmle.label | (const char *)... |
@@ -196,16 +179,6 @@ nodes
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
-| test.cpp:301:19:301:24 | call to getenv | semmle.label | call to getenv |
-| test.cpp:301:19:301:32 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:305:11:305:28 | ... * ... | semmle.label | ... * ... |
-| test.cpp:305:11:305:28 | ... * ... | semmle.label | ... * ... |
-| test.cpp:305:11:305:28 | ... * ... | semmle.label | ... * ... |
-| test.cpp:309:19:309:24 | call to getenv | semmle.label | call to getenv |
-| test.cpp:309:19:309:32 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:314:10:314:27 | ... * ... | semmle.label | ... * ... |
-| test.cpp:314:10:314:27 | ... * ... | semmle.label | ... * ... |
-| test.cpp:314:10:314:27 | ... * ... | semmle.label | ... * ... |
 #select
 | test.cpp:42:31:42:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:43:31:43:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
@@ -216,7 +189,6 @@ nodes
 | test.cpp:79:9:79:29 | new[] | test.cpp:97:18:97:23 | buffer | test.cpp:79:18:79:28 | ... - ... | This allocation size is derived from $@ and might overflow | test.cpp:97:18:97:23 | buffer | user input (fread) |
 | test.cpp:127:17:127:22 | call to malloc | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:123:18:123:23 | call to getenv | user input (getenv) |
 | test.cpp:134:3:134:8 | call to malloc | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) |
-| test.cpp:142:4:142:9 | call to malloc | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:138:19:138:24 | call to getenv | user input (getenv) |
 | test.cpp:215:14:215:19 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:215:21:215:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
 | test.cpp:221:14:221:19 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:221:21:221:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
 | test.cpp:229:2:229:7 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
@@ -224,5 +196,3 @@ nodes
 | test.cpp:253:4:253:9 | call to malloc | test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:249:20:249:25 | call to getenv | user input (getenv) |
 | test.cpp:281:4:281:9 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:281:11:281:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
 | test.cpp:298:3:298:8 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:298:10:298:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
-| test.cpp:305:4:305:9 | call to malloc | test.cpp:301:19:301:24 | call to getenv | test.cpp:305:11:305:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:301:19:301:24 | call to getenv | user input (getenv) |
-| test.cpp:314:3:314:8 | call to malloc | test.cpp:309:19:309:24 | call to getenv | test.cpp:314:10:314:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:309:19:309:24 | call to getenv | user input (getenv) |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
index 943bc3b1214..d00dc10a445 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
@@ -139,7 +139,7 @@ void more_bounded_tests() {
 
 		if (size > 0)
 		{
-			malloc(size * sizeof(int)); // BAD
+			malloc(size * sizeof(int)); // GOOD (overflow not possible)
 		}
 	}
 
@@ -302,7 +302,7 @@ void equality_cases() {
 
 		if ((size == 50) || (size == 100))
 		{
-			malloc(size * sizeof(int)); // GOOD [FALSE POSITIVE]
+			malloc(size * sizeof(int)); // GOOD
 		}
 	}
 	{
@@ -311,6 +311,6 @@ void equality_cases() {
 		if (size != 50 && size != 100)
 			return;
 
-		malloc(size * sizeof(int)); // GOOD [FALSE POSITIVE]
+		malloc(size * sizeof(int)); // GOOD
 	}
 }

From 1497fba6f249c757d0a37d832c49d712e879af34 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Fri, 14 May 2021 11:43:49 +0000
Subject: [PATCH 1048/1429] Remove the isAdditionalTaintStep predicate

---
 .../Security/CWE/CWE-094/JythonInjection.ql            | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
index 9991c0901dc..0f23edc69f4 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
@@ -102,16 +102,6 @@ class CodeInjectionConfiguration extends TaintTracking::Configuration {
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    // @RequestBody MyQueryObj query; interpreter.exec(query.getInterpreterCode());
-    exists(MethodAccess ma |
-      ma.getMethod().getDeclaringType().getASubtype*() instanceof SpringUntrustedDataType and
-      not ma.getMethod().getDeclaringType() instanceof TypeObject and
-      ma.getQualifier() = node1.asExpr() and
-      ma = node2.asExpr()
-    )
-  }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, CodeInjectionConfiguration conf

From c1d41b31695edc664e2b3d8b1ca10cac3dda721b Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 14 May 2021 13:47:23 +0200
Subject: [PATCH 1049/1429] C++: Add false positive result from
 pointer-difference expressions.

---
 .../TaintedAllocationSize.expected                 | 14 ++++++++++++++
 .../CWE-190/semmle/TaintedAllocationSize/test.cpp  |  9 +++++++++
 2 files changed, 23 insertions(+)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
index cdcf3aa6847..a96865cae60 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -87,6 +87,12 @@ edges
 | test.cpp:295:18:295:21 | Chi | test.cpp:298:10:298:27 | ... * ... |
 | test.cpp:295:18:295:21 | Chi | test.cpp:298:10:298:27 | ... * ... |
 | test.cpp:295:18:295:21 | get_size output argument [array content] | test.cpp:295:18:295:21 | Chi |
+| test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | (size_t)... |
+| test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | (size_t)... |
+| test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | offset |
+| test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | offset |
+| test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | offset |
+| test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | offset |
 nodes
 | test.cpp:39:21:39:24 | argv | semmle.label | argv |
 | test.cpp:39:21:39:24 | argv | semmle.label | argv |
@@ -179,6 +185,13 @@ nodes
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:321:15:321:20 | call to getenv | semmle.label | call to getenv |
+| test.cpp:321:15:321:20 | call to getenv | semmle.label | call to getenv |
+| test.cpp:324:9:324:14 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:324:9:324:14 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:324:9:324:14 | offset | semmle.label | offset |
+| test.cpp:324:9:324:14 | offset | semmle.label | offset |
+| test.cpp:324:9:324:14 | offset | semmle.label | offset |
 #select
 | test.cpp:42:31:42:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:43:31:43:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
@@ -196,3 +209,4 @@ nodes
 | test.cpp:253:4:253:9 | call to malloc | test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:249:20:249:25 | call to getenv | user input (getenv) |
 | test.cpp:281:4:281:9 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:281:11:281:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
 | test.cpp:298:3:298:8 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:298:10:298:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
+| test.cpp:324:2:324:7 | call to malloc | test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | offset | This allocation size is derived from $@ and might overflow | test.cpp:321:15:321:20 | call to getenv | user input (getenv) |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
index d00dc10a445..0d630ac99cb 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
@@ -314,3 +314,12 @@ void equality_cases() {
 		malloc(size * sizeof(int)); // GOOD
 	}
 }
+
+char * strstr(char *, const char *);
+
+void ptr_diff_case() {
+	char* user = getenv("USER");
+	char* admin_begin_pos = strstr(user, "ADMIN");
+	int offset = admin_begin_pos ? user - admin_begin_pos : 0; 
+	malloc(offset); // GOOD [FALSE POSITIVE]
+}
\ No newline at end of file

From 2d0a56128d8f10acade04f99c73493671186d298 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 14 May 2021 13:49:48 +0200
Subject: [PATCH 1050/1429] C++: Prevent flow out of pointer-difference
 expressions.

---
 .../CWE/CWE-190/TaintedAllocationSize.ql      |  6 +++
 .../TaintedAllocationSize.expected            | 48 -------------------
 .../semmle/TaintedAllocationSize/test.cpp     |  4 +-
 3 files changed, 8 insertions(+), 50 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
index 859d56ec2a0..75cac365a1a 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -42,6 +42,12 @@ class TaintedAllocationSizeConfiguration extends TaintTrackingConfiguration {
       e instanceof AssignArithmeticOperation
     ) and
     not convertedExprMightOverflow(e)
+    or
+    // Subtracting two pointers is either well-defined (and the result will likely be small), or
+    // terribly undefined and dangerous. Here, we assume that the programmer has ensured that the
+    // result is well-defined (i.e., the two pointers point to the same object), and thus the result
+    // will likely be small.
+    e = any(PointerDiffExpr diff).getAnOperand()
   }
 }
 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
index a96865cae60..234efe2c35b 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -27,24 +27,6 @@ edges
 | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
 | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
 | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
-| test.cpp:75:25:75:29 | start | test.cpp:79:18:79:28 | ... - ... |
-| test.cpp:75:25:75:29 | start | test.cpp:79:18:79:28 | ... - ... |
-| test.cpp:75:38:75:40 | end | test.cpp:79:18:79:28 | ... - ... |
-| test.cpp:75:38:75:40 | end | test.cpp:79:18:79:28 | ... - ... |
-| test.cpp:97:18:97:23 | buffer | test.cpp:100:4:100:15 | buffer |
-| test.cpp:97:18:97:23 | buffer | test.cpp:100:17:100:22 | buffer indirection |
-| test.cpp:97:18:97:23 | buffer | test.cpp:101:4:101:15 | ... + ... |
-| test.cpp:97:18:97:23 | buffer | test.cpp:101:4:101:15 | buffer |
-| test.cpp:97:18:97:23 | fread output argument | test.cpp:100:4:100:15 | buffer |
-| test.cpp:97:18:97:23 | fread output argument | test.cpp:100:17:100:22 | buffer indirection |
-| test.cpp:97:18:97:23 | fread output argument | test.cpp:101:4:101:15 | ... + ... |
-| test.cpp:97:18:97:23 | fread output argument | test.cpp:101:4:101:15 | buffer |
-| test.cpp:100:4:100:15 | buffer | test.cpp:100:17:100:22 | processData1 output argument |
-| test.cpp:100:17:100:22 | buffer indirection | test.cpp:100:17:100:22 | processData1 output argument |
-| test.cpp:100:17:100:22 | processData1 output argument | test.cpp:101:4:101:15 | ... + ... |
-| test.cpp:100:17:100:22 | processData1 output argument | test.cpp:101:4:101:15 | buffer |
-| test.cpp:101:4:101:15 | ... + ... | test.cpp:75:38:75:40 | end |
-| test.cpp:101:4:101:15 | buffer | test.cpp:75:25:75:29 | start |
 | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
 | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
 | test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... |
@@ -87,12 +69,6 @@ edges
 | test.cpp:295:18:295:21 | Chi | test.cpp:298:10:298:27 | ... * ... |
 | test.cpp:295:18:295:21 | Chi | test.cpp:298:10:298:27 | ... * ... |
 | test.cpp:295:18:295:21 | get_size output argument [array content] | test.cpp:295:18:295:21 | Chi |
-| test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | (size_t)... |
-| test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | (size_t)... |
-| test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | offset |
-| test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | offset |
-| test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | offset |
-| test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | offset |
 nodes
 | test.cpp:39:21:39:24 | argv | semmle.label | argv |
 | test.cpp:39:21:39:24 | argv | semmle.label | argv |
@@ -118,21 +94,6 @@ nodes
 | test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
 | test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
 | test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
-| test.cpp:64:25:64:30 | *buffer | semmle.label | *buffer |
-| test.cpp:64:25:64:30 | *buffer | semmle.label | *buffer |
-| test.cpp:64:25:64:30 | buffer | semmle.label | buffer |
-| test.cpp:75:25:75:29 | start | semmle.label | start |
-| test.cpp:75:38:75:40 | end | semmle.label | end |
-| test.cpp:79:18:79:28 | ... - ... | semmle.label | ... - ... |
-| test.cpp:79:18:79:28 | ... - ... | semmle.label | ... - ... |
-| test.cpp:79:18:79:28 | ... - ... | semmle.label | ... - ... |
-| test.cpp:97:18:97:23 | buffer | semmle.label | buffer |
-| test.cpp:97:18:97:23 | fread output argument | semmle.label | fread output argument |
-| test.cpp:100:4:100:15 | buffer | semmle.label | buffer |
-| test.cpp:100:17:100:22 | buffer indirection | semmle.label | buffer indirection |
-| test.cpp:100:17:100:22 | processData1 output argument | semmle.label | processData1 output argument |
-| test.cpp:101:4:101:15 | ... + ... | semmle.label | ... + ... |
-| test.cpp:101:4:101:15 | buffer | semmle.label | buffer |
 | test.cpp:123:18:123:23 | call to getenv | semmle.label | call to getenv |
 | test.cpp:123:18:123:31 | (const char *)... | semmle.label | (const char *)... |
 | test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
@@ -185,13 +146,6 @@ nodes
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
 | test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
-| test.cpp:321:15:321:20 | call to getenv | semmle.label | call to getenv |
-| test.cpp:321:15:321:20 | call to getenv | semmle.label | call to getenv |
-| test.cpp:324:9:324:14 | (size_t)... | semmle.label | (size_t)... |
-| test.cpp:324:9:324:14 | (size_t)... | semmle.label | (size_t)... |
-| test.cpp:324:9:324:14 | offset | semmle.label | offset |
-| test.cpp:324:9:324:14 | offset | semmle.label | offset |
-| test.cpp:324:9:324:14 | offset | semmle.label | offset |
 #select
 | test.cpp:42:31:42:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:43:31:43:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
@@ -199,7 +153,6 @@ nodes
 | test.cpp:48:25:48:30 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:49:17:49:30 | new[] | test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:52:21:52:27 | call to realloc | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:79:9:79:29 | new[] | test.cpp:97:18:97:23 | buffer | test.cpp:79:18:79:28 | ... - ... | This allocation size is derived from $@ and might overflow | test.cpp:97:18:97:23 | buffer | user input (fread) |
 | test.cpp:127:17:127:22 | call to malloc | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:123:18:123:23 | call to getenv | user input (getenv) |
 | test.cpp:134:3:134:8 | call to malloc | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) |
 | test.cpp:215:14:215:19 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:215:21:215:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
@@ -209,4 +162,3 @@ nodes
 | test.cpp:253:4:253:9 | call to malloc | test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:249:20:249:25 | call to getenv | user input (getenv) |
 | test.cpp:281:4:281:9 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:281:11:281:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
 | test.cpp:298:3:298:8 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:298:10:298:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
-| test.cpp:324:2:324:7 | call to malloc | test.cpp:321:15:321:20 | call to getenv | test.cpp:324:9:324:14 | offset | This allocation size is derived from $@ and might overflow | test.cpp:321:15:321:20 | call to getenv | user input (getenv) |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
index 0d630ac99cb..57eb5b91a07 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
@@ -76,7 +76,7 @@ void processData2(char *start, char *end)
 {
 	char *copy;
 
-	copy = new char[end - start]; // GOOD [FALSE POSITIVE]
+	copy = new char[end - start]; // GOOD
 
 	// ...
 
@@ -321,5 +321,5 @@ void ptr_diff_case() {
 	char* user = getenv("USER");
 	char* admin_begin_pos = strstr(user, "ADMIN");
 	int offset = admin_begin_pos ? user - admin_begin_pos : 0; 
-	malloc(offset); // GOOD [FALSE POSITIVE]
+	malloc(offset); // GOOD
 }
\ No newline at end of file

From 58dde68b10d74d6d7ed4b7d206c1fe319b4e15ac Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 14 May 2021 14:16:00 +0200
Subject: [PATCH 1051/1429] C++: Add change-note.

---
 cpp/change-notes/2021-05-14-uncontrolled-allocation-size.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 cpp/change-notes/2021-05-14-uncontrolled-allocation-size.md

diff --git a/cpp/change-notes/2021-05-14-uncontrolled-allocation-size.md b/cpp/change-notes/2021-05-14-uncontrolled-allocation-size.md
new file mode 100644
index 00000000000..6f0c9d6fa98
--- /dev/null
+++ b/cpp/change-notes/2021-05-14-uncontrolled-allocation-size.md
@@ -0,0 +1,2 @@
+lgtm
+* The "Tainted allocation size" query (cpp/uncontrolled-allocation-size) has been improved to produce fewer false positives.

From 4cf695b5ab0a8a50e5143f298e8e1ff3e7ec3c30 Mon Sep 17 00:00:00 2001
From: Ethan Palm <56270045+ethanpalm@users.noreply.github.com>
Date: Fri, 14 May 2021 10:00:17 -0400
Subject: [PATCH 1052/1429] specify ``--command`` option

Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
---
 docs/codeql/codeql-cli/creating-codeql-databases.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/codeql/codeql-cli/creating-codeql-databases.rst b/docs/codeql/codeql-cli/creating-codeql-databases.rst
index a41727e1956..8810e3deb9d 100644
--- a/docs/codeql/codeql-cli/creating-codeql-databases.rst
+++ b/docs/codeql/codeql-cli/creating-codeql-databases.rst
@@ -172,7 +172,7 @@ build steps, you may need to explicitly define each step in the command line.
    The Go autobuilder attempts to automatically detect Go code in a repository,
    and only runs build scripts in an attempt to fetch dependencies. To force
    CodeQL to use your build script, set the environment variable
-   `CODEQL_EXTRACTOR_GO_BUILD_TRACING=on` or pass a command.
+   `CODEQL_EXTRACTOR_GO_BUILD_TRACING=on` or use the ``--command`` option.
 
 Specifying build commands
 ~~~~~~~~~~~~~~~~~~~~~~~~~

From 6dd30ee5e2a03fdffc8b7cb8bf23689bce2813b7 Mon Sep 17 00:00:00 2001
From: Ethan Palm <56270045+ethanpalm@users.noreply.github.com>
Date: Fri, 14 May 2021 14:00:33 -0400
Subject: [PATCH 1053/1429] clarify options for tracing

Co-authored-by: Chris Smowton <smowton@github.com>
---
 docs/codeql/codeql-cli/creating-codeql-databases.rst | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/docs/codeql/codeql-cli/creating-codeql-databases.rst b/docs/codeql/codeql-cli/creating-codeql-databases.rst
index 8810e3deb9d..9cdd02f78fc 100644
--- a/docs/codeql/codeql-cli/creating-codeql-databases.rst
+++ b/docs/codeql/codeql-cli/creating-codeql-databases.rst
@@ -171,8 +171,9 @@ build steps, you may need to explicitly define each step in the command line.
    
    The Go autobuilder attempts to automatically detect Go code in a repository,
    and only runs build scripts in an attempt to fetch dependencies. To force
-   CodeQL to use your build script, set the environment variable
-   `CODEQL_EXTRACTOR_GO_BUILD_TRACING=on` or use the ``--command`` option.
+   CodeQL to limit extraction to the files compiled by your build script, set the environment variable
+   `CODEQL_EXTRACTOR_GO_BUILD_TRACING=on` or use the ``--command`` option to specify a
+   build command.
 
 Specifying build commands
 ~~~~~~~~~~~~~~~~~~~~~~~~~

From 0e99d5e379041cdffcaab2da4e57218648d1fd96 Mon Sep 17 00:00:00 2001
From: Ethan P <56270045+ethanpalm@users.noreply.github.com>
Date: Fri, 14 May 2021 14:05:55 -0400
Subject: [PATCH 1054/1429] Add examples of both tracing mechanisms

---
 docs/codeql/codeql-cli/creating-codeql-databases.rst | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docs/codeql/codeql-cli/creating-codeql-databases.rst b/docs/codeql/codeql-cli/creating-codeql-databases.rst
index 9cdd02f78fc..8658da9a1d4 100644
--- a/docs/codeql/codeql-cli/creating-codeql-databases.rst
+++ b/docs/codeql/codeql-cli/creating-codeql-databases.rst
@@ -202,9 +202,12 @@ commands that you can specify for compiled languages.
 
      codeql database create csharp-database --language=csharp --command='dotnet build /p:UseSharedCompilation=false /t:rebuild'
 
+- Go project built using the ``COEQL_EXTRACTOR_GO_BUILD_TRACING=on`` environment variable::
+   CODEQL_EXTRACTOR_GO_BUILD_TRACING=on codeql database create go-database --language=go
+
 - Go project built using a custom build script::
 
-   CODEQL_EXTRACTOR_GO_BUILD_TRACING=on codeql database create go-database --language=go --command='./scripts/build.sh'
+   codeql database create go-database --language=go --command='./scripts/build.sh'
 
 - Java project built using Gradle::
 

From 58c746e42b174c1ee4465569e832c7a7cb735d03 Mon Sep 17 00:00:00 2001
From: Ethan P <56270045+ethanpalm@users.noreply.github.com>
Date: Fri, 14 May 2021 14:09:07 -0400
Subject: [PATCH 1055/1429] fix formatting

---
 docs/codeql/codeql-cli/creating-codeql-databases.rst | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/codeql/codeql-cli/creating-codeql-databases.rst b/docs/codeql/codeql-cli/creating-codeql-databases.rst
index 8658da9a1d4..1552a077e24 100644
--- a/docs/codeql/codeql-cli/creating-codeql-databases.rst
+++ b/docs/codeql/codeql-cli/creating-codeql-databases.rst
@@ -203,6 +203,7 @@ commands that you can specify for compiled languages.
      codeql database create csharp-database --language=csharp --command='dotnet build /p:UseSharedCompilation=false /t:rebuild'
 
 - Go project built using the ``COEQL_EXTRACTOR_GO_BUILD_TRACING=on`` environment variable::
+
    CODEQL_EXTRACTOR_GO_BUILD_TRACING=on codeql database create go-database --language=go
 
 - Go project built using a custom build script::

From 73c7e15580bc9591842dcfc4fa872def88a74ecc Mon Sep 17 00:00:00 2001
From: Marcono1234 <Marcono1234@users.noreply.github.com>
Date: Fri, 14 May 2021 22:25:00 +0200
Subject: [PATCH 1056/1429] Java: Add back StringInputStream to CloseReader.ql

---
 java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql b/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql
index 73a9c81f343..e93c59b0879 100644
--- a/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql	
+++ b/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql	
@@ -25,6 +25,9 @@ predicate readerType(RefType t) {
 predicate safeReaderType(RefType t) {
   exists(RefType sup | sup = t.getASupertype*() |
     sup.hasQualifiedName("java.io", ["CharArrayReader", "StringReader", "ByteArrayInputStream"])
+    or
+    // Note: It is unclear which specific class this is supposed to match
+    sup.hasName("StringInputStream")
   )
 }
 

From e205e4bbcee12e121669e661f288d4fc6806e89c Mon Sep 17 00:00:00 2001
From: Marcono1234 <Marcono1234@users.noreply.github.com>
Date: Fri, 14 May 2021 22:31:14 +0200
Subject: [PATCH 1057/1429] Java: Add change note for close resource query
 changes

---
 .../2021-05-14-close-resource-leaks-improvements.md             | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 java/change-notes/2021-05-14-close-resource-leaks-improvements.md

diff --git a/java/change-notes/2021-05-14-close-resource-leaks-improvements.md b/java/change-notes/2021-05-14-close-resource-leaks-improvements.md
new file mode 100644
index 00000000000..bae8640d85a
--- /dev/null
+++ b/java/change-notes/2021-05-14-close-resource-leaks-improvements.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The "Potential input resource leak" (`java/input-resource-leak`) and "Potential output resource leak" (`java/output-resource-leak`) queries have been made more specific to only consider JDK classes and subtypes. Additionally the number of false positives has been reduced.

From 31091c66c19fdb401967decc596621fa68db8d0a Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Mon, 17 May 2021 08:06:06 +0200
Subject: [PATCH 1058/1429] C++: Add a test containing a guarded long.

---
 .../TaintedAllocationSize.expected            | 332 +++++++++---------
 .../semmle/TaintedAllocationSize/test.cpp     |  10 +
 2 files changed, 181 insertions(+), 161 deletions(-)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
index 234efe2c35b..752e9165c07 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -1,164 +1,174 @@
 edges
-| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | (size_t)... |
-| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | (size_t)... |
-| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
-| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
-| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
-| test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted |
-| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
-| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
-| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
-| test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... |
-| test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... |
-| test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... |
-| test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... |
-| test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... |
-| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | (size_t)... |
-| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | (size_t)... |
-| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
-| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
-| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
-| test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size |
-| test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
-| test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
-| test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
-| test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size |
-| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
-| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
-| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
-| test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... |
-| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
-| test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... |
-| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... |
-| test.cpp:123:18:123:31 | (const char *)... | test.cpp:127:24:127:41 | ... * ... |
-| test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... |
-| test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... |
-| test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:27 | ... * ... |
-| test.cpp:132:19:132:32 | (const char *)... | test.cpp:134:10:134:27 | ... * ... |
-| test.cpp:201:9:201:42 | Store | test.cpp:231:9:231:24 | call to get_tainted_size |
-| test.cpp:201:9:201:42 | Store | test.cpp:231:9:231:24 | call to get_tainted_size |
-| test.cpp:201:14:201:19 | call to getenv | test.cpp:201:9:201:42 | Store |
-| test.cpp:201:14:201:27 | (const char *)... | test.cpp:201:9:201:42 | Store |
-| test.cpp:214:23:214:23 | s | test.cpp:215:21:215:21 | s |
-| test.cpp:214:23:214:23 | s | test.cpp:215:21:215:21 | s |
-| test.cpp:220:21:220:21 | s | test.cpp:221:21:221:21 | s |
-| test.cpp:220:21:220:21 | s | test.cpp:221:21:221:21 | s |
-| test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | (size_t)... |
-| test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size |
-| test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size |
-| test.cpp:227:24:227:29 | call to getenv | test.cpp:235:2:235:9 | local_size |
-| test.cpp:227:24:227:29 | call to getenv | test.cpp:237:2:237:8 | local_size |
-| test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | (size_t)... |
-| test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | local_size |
-| test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | local_size |
-| test.cpp:227:24:227:37 | (const char *)... | test.cpp:235:2:235:9 | local_size |
-| test.cpp:227:24:227:37 | (const char *)... | test.cpp:237:2:237:8 | local_size |
-| test.cpp:235:2:235:9 | local_size | test.cpp:214:23:214:23 | s |
-| test.cpp:237:2:237:8 | local_size | test.cpp:220:21:220:21 | s |
-| test.cpp:241:2:241:32 | Chi [array content] | test.cpp:279:17:279:20 | get_size output argument [array content] |
-| test.cpp:241:2:241:32 | Chi [array content] | test.cpp:295:18:295:21 | get_size output argument [array content] |
-| test.cpp:241:18:241:23 | call to getenv | test.cpp:241:2:241:32 | Chi [array content] |
-| test.cpp:241:18:241:31 | (const char *)... | test.cpp:241:2:241:32 | Chi [array content] |
-| test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... |
-| test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... |
-| test.cpp:249:20:249:33 | (const char *)... | test.cpp:253:11:253:29 | ... * ... |
-| test.cpp:249:20:249:33 | (const char *)... | test.cpp:253:11:253:29 | ... * ... |
-| test.cpp:279:17:279:20 | Chi | test.cpp:281:11:281:28 | ... * ... |
-| test.cpp:279:17:279:20 | Chi | test.cpp:281:11:281:28 | ... * ... |
-| test.cpp:279:17:279:20 | get_size output argument [array content] | test.cpp:279:17:279:20 | Chi |
-| test.cpp:295:18:295:21 | Chi | test.cpp:298:10:298:27 | ... * ... |
-| test.cpp:295:18:295:21 | Chi | test.cpp:298:10:298:27 | ... * ... |
-| test.cpp:295:18:295:21 | get_size output argument [array content] | test.cpp:295:18:295:21 | Chi |
+| test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | (size_t)... |
+| test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | (size_t)... |
+| test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | tainted |
+| test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | tainted |
+| test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | tainted |
+| test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | tainted |
+| test.cpp:40:21:40:24 | argv | test.cpp:44:38:44:63 | ... * ... |
+| test.cpp:40:21:40:24 | argv | test.cpp:44:38:44:63 | ... * ... |
+| test.cpp:40:21:40:24 | argv | test.cpp:44:38:44:63 | ... * ... |
+| test.cpp:40:21:40:24 | argv | test.cpp:44:38:44:63 | ... * ... |
+| test.cpp:40:21:40:24 | argv | test.cpp:46:38:46:63 | ... + ... |
+| test.cpp:40:21:40:24 | argv | test.cpp:46:38:46:63 | ... + ... |
+| test.cpp:40:21:40:24 | argv | test.cpp:46:38:46:63 | ... + ... |
+| test.cpp:40:21:40:24 | argv | test.cpp:46:38:46:63 | ... + ... |
+| test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | (size_t)... |
+| test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | (size_t)... |
+| test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | size |
+| test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | size |
+| test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | size |
+| test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | size |
+| test.cpp:40:21:40:24 | argv | test.cpp:50:26:50:29 | size |
+| test.cpp:40:21:40:24 | argv | test.cpp:50:26:50:29 | size |
+| test.cpp:40:21:40:24 | argv | test.cpp:50:26:50:29 | size |
+| test.cpp:40:21:40:24 | argv | test.cpp:50:26:50:29 | size |
+| test.cpp:40:21:40:24 | argv | test.cpp:53:35:53:60 | ... * ... |
+| test.cpp:40:21:40:24 | argv | test.cpp:53:35:53:60 | ... * ... |
+| test.cpp:40:21:40:24 | argv | test.cpp:53:35:53:60 | ... * ... |
+| test.cpp:40:21:40:24 | argv | test.cpp:53:35:53:60 | ... * ... |
+| test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... |
+| test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... |
+| test.cpp:124:18:124:31 | (const char *)... | test.cpp:128:24:128:41 | ... * ... |
+| test.cpp:124:18:124:31 | (const char *)... | test.cpp:128:24:128:41 | ... * ... |
+| test.cpp:133:19:133:24 | call to getenv | test.cpp:135:10:135:27 | ... * ... |
+| test.cpp:133:19:133:24 | call to getenv | test.cpp:135:10:135:27 | ... * ... |
+| test.cpp:133:19:133:32 | (const char *)... | test.cpp:135:10:135:27 | ... * ... |
+| test.cpp:133:19:133:32 | (const char *)... | test.cpp:135:10:135:27 | ... * ... |
+| test.cpp:148:20:148:25 | call to getenv | test.cpp:152:11:152:28 | ... * ... |
+| test.cpp:148:20:148:25 | call to getenv | test.cpp:152:11:152:28 | ... * ... |
+| test.cpp:148:20:148:33 | (const char *)... | test.cpp:152:11:152:28 | ... * ... |
+| test.cpp:148:20:148:33 | (const char *)... | test.cpp:152:11:152:28 | ... * ... |
+| test.cpp:211:9:211:42 | Store | test.cpp:241:9:241:24 | call to get_tainted_size |
+| test.cpp:211:9:211:42 | Store | test.cpp:241:9:241:24 | call to get_tainted_size |
+| test.cpp:211:14:211:19 | call to getenv | test.cpp:211:9:211:42 | Store |
+| test.cpp:211:14:211:27 | (const char *)... | test.cpp:211:9:211:42 | Store |
+| test.cpp:224:23:224:23 | s | test.cpp:225:21:225:21 | s |
+| test.cpp:224:23:224:23 | s | test.cpp:225:21:225:21 | s |
+| test.cpp:230:21:230:21 | s | test.cpp:231:21:231:21 | s |
+| test.cpp:230:21:230:21 | s | test.cpp:231:21:231:21 | s |
+| test.cpp:237:24:237:29 | call to getenv | test.cpp:239:9:239:18 | (size_t)... |
+| test.cpp:237:24:237:29 | call to getenv | test.cpp:239:9:239:18 | local_size |
+| test.cpp:237:24:237:29 | call to getenv | test.cpp:239:9:239:18 | local_size |
+| test.cpp:237:24:237:29 | call to getenv | test.cpp:245:2:245:9 | local_size |
+| test.cpp:237:24:237:29 | call to getenv | test.cpp:247:2:247:8 | local_size |
+| test.cpp:237:24:237:37 | (const char *)... | test.cpp:239:9:239:18 | (size_t)... |
+| test.cpp:237:24:237:37 | (const char *)... | test.cpp:239:9:239:18 | local_size |
+| test.cpp:237:24:237:37 | (const char *)... | test.cpp:239:9:239:18 | local_size |
+| test.cpp:237:24:237:37 | (const char *)... | test.cpp:245:2:245:9 | local_size |
+| test.cpp:237:24:237:37 | (const char *)... | test.cpp:247:2:247:8 | local_size |
+| test.cpp:245:2:245:9 | local_size | test.cpp:224:23:224:23 | s |
+| test.cpp:247:2:247:8 | local_size | test.cpp:230:21:230:21 | s |
+| test.cpp:251:2:251:32 | Chi [array content] | test.cpp:289:17:289:20 | get_size output argument [array content] |
+| test.cpp:251:2:251:32 | Chi [array content] | test.cpp:305:18:305:21 | get_size output argument [array content] |
+| test.cpp:251:18:251:23 | call to getenv | test.cpp:251:2:251:32 | Chi [array content] |
+| test.cpp:251:18:251:31 | (const char *)... | test.cpp:251:2:251:32 | Chi [array content] |
+| test.cpp:259:20:259:25 | call to getenv | test.cpp:263:11:263:29 | ... * ... |
+| test.cpp:259:20:259:25 | call to getenv | test.cpp:263:11:263:29 | ... * ... |
+| test.cpp:259:20:259:33 | (const char *)... | test.cpp:263:11:263:29 | ... * ... |
+| test.cpp:259:20:259:33 | (const char *)... | test.cpp:263:11:263:29 | ... * ... |
+| test.cpp:289:17:289:20 | Chi | test.cpp:291:11:291:28 | ... * ... |
+| test.cpp:289:17:289:20 | Chi | test.cpp:291:11:291:28 | ... * ... |
+| test.cpp:289:17:289:20 | get_size output argument [array content] | test.cpp:289:17:289:20 | Chi |
+| test.cpp:305:18:305:21 | Chi | test.cpp:308:10:308:27 | ... * ... |
+| test.cpp:305:18:305:21 | Chi | test.cpp:308:10:308:27 | ... * ... |
+| test.cpp:305:18:305:21 | get_size output argument [array content] | test.cpp:305:18:305:21 | Chi |
 nodes
-| test.cpp:39:21:39:24 | argv | semmle.label | argv |
-| test.cpp:39:21:39:24 | argv | semmle.label | argv |
-| test.cpp:42:38:42:44 | (size_t)... | semmle.label | (size_t)... |
-| test.cpp:42:38:42:44 | (size_t)... | semmle.label | (size_t)... |
-| test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
-| test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
-| test.cpp:42:38:42:44 | tainted | semmle.label | tainted |
-| test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
-| test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
-| test.cpp:43:38:43:63 | ... * ... | semmle.label | ... * ... |
-| test.cpp:45:38:45:63 | ... + ... | semmle.label | ... + ... |
-| test.cpp:45:38:45:63 | ... + ... | semmle.label | ... + ... |
-| test.cpp:45:38:45:63 | ... + ... | semmle.label | ... + ... |
-| test.cpp:48:32:48:35 | (size_t)... | semmle.label | (size_t)... |
-| test.cpp:48:32:48:35 | (size_t)... | semmle.label | (size_t)... |
-| test.cpp:48:32:48:35 | size | semmle.label | size |
-| test.cpp:48:32:48:35 | size | semmle.label | size |
-| test.cpp:48:32:48:35 | size | semmle.label | size |
-| test.cpp:49:26:49:29 | size | semmle.label | size |
-| test.cpp:49:26:49:29 | size | semmle.label | size |
-| test.cpp:49:26:49:29 | size | semmle.label | size |
-| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
-| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
-| test.cpp:52:35:52:60 | ... * ... | semmle.label | ... * ... |
-| test.cpp:123:18:123:23 | call to getenv | semmle.label | call to getenv |
-| test.cpp:123:18:123:31 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
-| test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
-| test.cpp:127:24:127:41 | ... * ... | semmle.label | ... * ... |
-| test.cpp:132:19:132:24 | call to getenv | semmle.label | call to getenv |
-| test.cpp:132:19:132:32 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
-| test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
-| test.cpp:134:10:134:27 | ... * ... | semmle.label | ... * ... |
-| test.cpp:201:9:201:42 | Store | semmle.label | Store |
-| test.cpp:201:14:201:19 | call to getenv | semmle.label | call to getenv |
-| test.cpp:201:14:201:27 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:214:23:214:23 | s | semmle.label | s |
-| test.cpp:215:21:215:21 | s | semmle.label | s |
-| test.cpp:215:21:215:21 | s | semmle.label | s |
-| test.cpp:215:21:215:21 | s | semmle.label | s |
-| test.cpp:220:21:220:21 | s | semmle.label | s |
-| test.cpp:221:21:221:21 | s | semmle.label | s |
-| test.cpp:221:21:221:21 | s | semmle.label | s |
-| test.cpp:221:21:221:21 | s | semmle.label | s |
-| test.cpp:227:24:227:29 | call to getenv | semmle.label | call to getenv |
-| test.cpp:227:24:227:37 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:229:9:229:18 | (size_t)... | semmle.label | (size_t)... |
-| test.cpp:229:9:229:18 | (size_t)... | semmle.label | (size_t)... |
-| test.cpp:229:9:229:18 | local_size | semmle.label | local_size |
-| test.cpp:229:9:229:18 | local_size | semmle.label | local_size |
-| test.cpp:229:9:229:18 | local_size | semmle.label | local_size |
-| test.cpp:231:9:231:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
-| test.cpp:231:9:231:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
-| test.cpp:231:9:231:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
-| test.cpp:235:2:235:9 | local_size | semmle.label | local_size |
-| test.cpp:237:2:237:8 | local_size | semmle.label | local_size |
-| test.cpp:241:2:241:32 | Chi [array content] | semmle.label | Chi [array content] |
-| test.cpp:241:2:241:32 | ChiPartial | semmle.label | ChiPartial |
-| test.cpp:241:18:241:23 | call to getenv | semmle.label | call to getenv |
-| test.cpp:241:18:241:31 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:249:20:249:25 | call to getenv | semmle.label | call to getenv |
-| test.cpp:249:20:249:33 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
-| test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
-| test.cpp:253:11:253:29 | ... * ... | semmle.label | ... * ... |
-| test.cpp:279:17:279:20 | Chi | semmle.label | Chi |
-| test.cpp:279:17:279:20 | get_size output argument [array content] | semmle.label | get_size output argument [array content] |
-| test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
-| test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
-| test.cpp:281:11:281:28 | ... * ... | semmle.label | ... * ... |
-| test.cpp:295:18:295:21 | Chi | semmle.label | Chi |
-| test.cpp:295:18:295:21 | get_size output argument [array content] | semmle.label | get_size output argument [array content] |
-| test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
-| test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
-| test.cpp:298:10:298:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:40:21:40:24 | argv | semmle.label | argv |
+| test.cpp:40:21:40:24 | argv | semmle.label | argv |
+| test.cpp:43:38:43:44 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:43:38:43:44 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
+| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
+| test.cpp:43:38:43:44 | tainted | semmle.label | tainted |
+| test.cpp:44:38:44:63 | ... * ... | semmle.label | ... * ... |
+| test.cpp:44:38:44:63 | ... * ... | semmle.label | ... * ... |
+| test.cpp:44:38:44:63 | ... * ... | semmle.label | ... * ... |
+| test.cpp:46:38:46:63 | ... + ... | semmle.label | ... + ... |
+| test.cpp:46:38:46:63 | ... + ... | semmle.label | ... + ... |
+| test.cpp:46:38:46:63 | ... + ... | semmle.label | ... + ... |
+| test.cpp:49:32:49:35 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:49:32:49:35 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:49:32:49:35 | size | semmle.label | size |
+| test.cpp:49:32:49:35 | size | semmle.label | size |
+| test.cpp:49:32:49:35 | size | semmle.label | size |
+| test.cpp:50:26:50:29 | size | semmle.label | size |
+| test.cpp:50:26:50:29 | size | semmle.label | size |
+| test.cpp:50:26:50:29 | size | semmle.label | size |
+| test.cpp:53:35:53:60 | ... * ... | semmle.label | ... * ... |
+| test.cpp:53:35:53:60 | ... * ... | semmle.label | ... * ... |
+| test.cpp:53:35:53:60 | ... * ... | semmle.label | ... * ... |
+| test.cpp:124:18:124:23 | call to getenv | semmle.label | call to getenv |
+| test.cpp:124:18:124:31 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:128:24:128:41 | ... * ... | semmle.label | ... * ... |
+| test.cpp:128:24:128:41 | ... * ... | semmle.label | ... * ... |
+| test.cpp:128:24:128:41 | ... * ... | semmle.label | ... * ... |
+| test.cpp:133:19:133:24 | call to getenv | semmle.label | call to getenv |
+| test.cpp:133:19:133:32 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:135:10:135:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:135:10:135:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:135:10:135:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:148:20:148:25 | call to getenv | semmle.label | call to getenv |
+| test.cpp:148:20:148:33 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:152:11:152:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:152:11:152:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:152:11:152:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:211:9:211:42 | Store | semmle.label | Store |
+| test.cpp:211:14:211:19 | call to getenv | semmle.label | call to getenv |
+| test.cpp:211:14:211:27 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:224:23:224:23 | s | semmle.label | s |
+| test.cpp:225:21:225:21 | s | semmle.label | s |
+| test.cpp:225:21:225:21 | s | semmle.label | s |
+| test.cpp:225:21:225:21 | s | semmle.label | s |
+| test.cpp:230:21:230:21 | s | semmle.label | s |
+| test.cpp:231:21:231:21 | s | semmle.label | s |
+| test.cpp:231:21:231:21 | s | semmle.label | s |
+| test.cpp:231:21:231:21 | s | semmle.label | s |
+| test.cpp:237:24:237:29 | call to getenv | semmle.label | call to getenv |
+| test.cpp:237:24:237:37 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:239:9:239:18 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:239:9:239:18 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:239:9:239:18 | local_size | semmle.label | local_size |
+| test.cpp:239:9:239:18 | local_size | semmle.label | local_size |
+| test.cpp:239:9:239:18 | local_size | semmle.label | local_size |
+| test.cpp:241:9:241:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
+| test.cpp:241:9:241:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
+| test.cpp:241:9:241:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
+| test.cpp:245:2:245:9 | local_size | semmle.label | local_size |
+| test.cpp:247:2:247:8 | local_size | semmle.label | local_size |
+| test.cpp:251:2:251:32 | Chi [array content] | semmle.label | Chi [array content] |
+| test.cpp:251:2:251:32 | ChiPartial | semmle.label | ChiPartial |
+| test.cpp:251:18:251:23 | call to getenv | semmle.label | call to getenv |
+| test.cpp:251:18:251:31 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:259:20:259:25 | call to getenv | semmle.label | call to getenv |
+| test.cpp:259:20:259:33 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:263:11:263:29 | ... * ... | semmle.label | ... * ... |
+| test.cpp:263:11:263:29 | ... * ... | semmle.label | ... * ... |
+| test.cpp:263:11:263:29 | ... * ... | semmle.label | ... * ... |
+| test.cpp:289:17:289:20 | Chi | semmle.label | Chi |
+| test.cpp:289:17:289:20 | get_size output argument [array content] | semmle.label | get_size output argument [array content] |
+| test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:291:11:291:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:305:18:305:21 | Chi | semmle.label | Chi |
+| test.cpp:305:18:305:21 | get_size output argument [array content] | semmle.label | get_size output argument [array content] |
+| test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
+| test.cpp:308:10:308:27 | ... * ... | semmle.label | ... * ... |
 #select
-| test.cpp:42:31:42:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:43:31:43:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:45:31:45:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:45:38:45:63 | ... + ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:48:25:48:30 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:48:32:48:35 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:49:17:49:30 | new[] | test.cpp:39:21:39:24 | argv | test.cpp:49:26:49:29 | size | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:52:21:52:27 | call to realloc | test.cpp:39:21:39:24 | argv | test.cpp:52:35:52:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
-| test.cpp:127:17:127:22 | call to malloc | test.cpp:123:18:123:23 | call to getenv | test.cpp:127:24:127:41 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:123:18:123:23 | call to getenv | user input (getenv) |
-| test.cpp:134:3:134:8 | call to malloc | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) |
-| test.cpp:215:14:215:19 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:215:21:215:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
-| test.cpp:221:14:221:19 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:221:21:221:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
-| test.cpp:229:2:229:7 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
-| test.cpp:231:2:231:7 | call to malloc | test.cpp:201:14:201:19 | call to getenv | test.cpp:231:9:231:24 | call to get_tainted_size | This allocation size is derived from $@ and might overflow | test.cpp:201:14:201:19 | call to getenv | user input (getenv) |
-| test.cpp:253:4:253:9 | call to malloc | test.cpp:249:20:249:25 | call to getenv | test.cpp:253:11:253:29 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:249:20:249:25 | call to getenv | user input (getenv) |
-| test.cpp:281:4:281:9 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:281:11:281:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
-| test.cpp:298:3:298:8 | call to malloc | test.cpp:241:18:241:23 | call to getenv | test.cpp:298:10:298:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:241:18:241:23 | call to getenv | user input (getenv) |
+| test.cpp:43:31:43:36 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:43:38:43:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (argv) |
+| test.cpp:44:31:44:36 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:44:38:44:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (argv) |
+| test.cpp:46:31:46:36 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:46:38:46:63 | ... + ... | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (argv) |
+| test.cpp:49:25:49:30 | call to malloc | test.cpp:40:21:40:24 | argv | test.cpp:49:32:49:35 | size | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (argv) |
+| test.cpp:50:17:50:30 | new[] | test.cpp:40:21:40:24 | argv | test.cpp:50:26:50:29 | size | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (argv) |
+| test.cpp:53:21:53:27 | call to realloc | test.cpp:40:21:40:24 | argv | test.cpp:53:35:53:60 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:40:21:40:24 | argv | user input (argv) |
+| test.cpp:128:17:128:22 | call to malloc | test.cpp:124:18:124:23 | call to getenv | test.cpp:128:24:128:41 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:124:18:124:23 | call to getenv | user input (getenv) |
+| test.cpp:135:3:135:8 | call to malloc | test.cpp:133:19:133:24 | call to getenv | test.cpp:135:10:135:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:133:19:133:24 | call to getenv | user input (getenv) |
+| test.cpp:152:4:152:9 | call to malloc | test.cpp:148:20:148:25 | call to getenv | test.cpp:152:11:152:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:148:20:148:25 | call to getenv | user input (getenv) |
+| test.cpp:225:14:225:19 | call to malloc | test.cpp:237:24:237:29 | call to getenv | test.cpp:225:21:225:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:237:24:237:29 | call to getenv | user input (getenv) |
+| test.cpp:231:14:231:19 | call to malloc | test.cpp:237:24:237:29 | call to getenv | test.cpp:231:21:231:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:237:24:237:29 | call to getenv | user input (getenv) |
+| test.cpp:239:2:239:7 | call to malloc | test.cpp:237:24:237:29 | call to getenv | test.cpp:239:9:239:18 | local_size | This allocation size is derived from $@ and might overflow | test.cpp:237:24:237:29 | call to getenv | user input (getenv) |
+| test.cpp:241:2:241:7 | call to malloc | test.cpp:211:14:211:19 | call to getenv | test.cpp:241:9:241:24 | call to get_tainted_size | This allocation size is derived from $@ and might overflow | test.cpp:211:14:211:19 | call to getenv | user input (getenv) |
+| test.cpp:263:4:263:9 | call to malloc | test.cpp:259:20:259:25 | call to getenv | test.cpp:263:11:263:29 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:259:20:259:25 | call to getenv | user input (getenv) |
+| test.cpp:291:4:291:9 | call to malloc | test.cpp:251:18:251:23 | call to getenv | test.cpp:291:11:291:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:251:18:251:23 | call to getenv | user input (getenv) |
+| test.cpp:308:3:308:8 | call to malloc | test.cpp:251:18:251:23 | call to getenv | test.cpp:308:10:308:27 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:251:18:251:23 | call to getenv | user input (getenv) |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
index 57eb5b91a07..b11a136ed24 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
@@ -7,6 +7,7 @@ void *malloc(size_t size);
 void *realloc(void *ptr, size_t size);
 void free(void *ptr);
 int atoi(const char *nptr);
+long atol(const char *nptr);
 struct MyStruct
 {
 	char data[256];
@@ -143,6 +144,15 @@ void more_bounded_tests() {
 		}
 	}
 
+	{
+		long size = atol(getenv("USER"));
+
+		if (size > 0)
+		{
+			malloc(size * sizeof(int)); // BAD
+		}
+	}
+
 	{
 		int size = atoi(getenv("USER"));
 

From b142ecb1dbc73e269b912719ca41f9c3684e56e5 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Mon, 17 May 2021 10:33:06 +0200
Subject: [PATCH 1059/1429] C#: Address review comment

---
 csharp/autobuilder/Semmle.Autobuild.CSharp/DotNetRule.cs | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/csharp/autobuilder/Semmle.Autobuild.CSharp/DotNetRule.cs b/csharp/autobuilder/Semmle.Autobuild.CSharp/DotNetRule.cs
index 955775d0f66..3d7a1168e30 100644
--- a/csharp/autobuilder/Semmle.Autobuild.CSharp/DotNetRule.cs
+++ b/csharp/autobuilder/Semmle.Autobuild.CSharp/DotNetRule.cs
@@ -236,12 +236,6 @@ namespace Semmle.Autobuild.CSharp
 
         /// <summary>
         /// Gets the `dotnet build` script.
-        ///
-        /// The CLR tracer only works on .NET Core >= 3 on Linux and macOS (see
-        /// https://github.com/dotnet/coreclr/issues/19622), so in case we are
-        /// running on an older .NET Core, we disable shared compilation (and
-        /// hence the need for CLR tracing), by adding a
-        /// `/p:UseSharedCompilation=false` argument.
         /// </summary>
         private static BuildScript GetBuildScript(Autobuilder builder, string? dotNetPath, IDictionary<string, string>? environment, string projOrSln)
         {

From 77c93dcf26fa083cc7fffc8e6b53a8bc59c169e1 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
Date: Mon, 17 May 2021 10:35:04 +0200
Subject: [PATCH 1060/1429] Make private

---
 .../code/java/frameworks/jackson/JacksonSerializability.qll   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
index 50266c377f8..6cda84512a0 100644
--- a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
+++ b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
@@ -156,7 +156,7 @@ class JacksonDeserializableField extends DeserializableField {
 }
 
 /** A call to a field that may be deserialized using the Jackson JSON framework. */
-class JacksonDeserializableFieldAccess extends FieldAccess {
+private class JacksonDeserializableFieldAccess extends FieldAccess {
   JacksonDeserializableFieldAccess() { getField() instanceof JacksonDeserializableField }
 }
 
@@ -164,7 +164,7 @@ class JacksonDeserializableFieldAccess extends FieldAccess {
  * When an object is deserialized by the Jackson JSON framework using a tainted input source,
  * the fields that the framework deserialized are themselves tainted input data.
  */
-class JacksonDeserializedTaintStep extends AdditionalTaintStep {
+private class JacksonDeserializedTaintStep extends AdditionalTaintStep {
   override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
     DataFlow::getFieldQualifier(node2.asExpr().(JacksonDeserializableFieldAccess)) = node1
   }

From 6853f6affaf5e222c99dd4deb3ca1e73ba14f49e Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Mon, 17 May 2021 15:53:57 +0200
Subject: [PATCH 1061/1429] C#: Fix type of temp foreach variable in IR

---
 .../raw/internal/desugar/Common.qll           | 10 +++-
 .../raw/internal/desugar/Foreach.qll          | 27 ++++++++--
 .../test/experimental/ir/ir/raw_ir.expected   | 54 +++++++++----------
 .../ir/ir/raw_ir_consistency.expected         |  3 --
 .../ir/ir/unaliased_ssa_consistency.expected  |  3 --
 5 files changed, 59 insertions(+), 38 deletions(-)

diff --git a/csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/Common.qll b/csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/Common.qll
index 267cf903b00..ef40d716fea 100644
--- a/csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/Common.qll
+++ b/csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/Common.qll
@@ -182,15 +182,21 @@ abstract class TranslatedCompilerGeneratedVariableAccess extends TranslatedCompi
 
   override Instruction getChildSuccessor(TranslatedElement child) { none() }
 
+  /**
+   * Returns the type of the accessed variable. Can be overriden when the return
+   * type is different than the type of the underlying variable.
+   */
+  Type getVariableType() { result = getResultType() }
+
   override predicate hasInstruction(Opcode opcode, InstructionTag tag, CSharpType resultType) {
     tag = AddressTag() and
     opcode instanceof Opcode::VariableAddress and
-    resultType = getTypeForGLValue(getResultType())
+    resultType = getTypeForGLValue(getVariableType())
     or
     needsLoad() and
     tag = LoadTag() and
     opcode instanceof Opcode::Load and
-    resultType = getTypeForPRValue(getResultType())
+    resultType = getTypeForPRValue(getVariableType())
   }
 
   override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
diff --git a/csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/Foreach.qll b/csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/Foreach.qll
index a526ec5bdcd..195072ed124 100644
--- a/csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/Foreach.qll
+++ b/csharp/ql/src/experimental/ir/implementation/raw/internal/desugar/Foreach.qll
@@ -359,9 +359,16 @@ private class TranslatedMoveNextEnumAcc extends TTranslatedCompilerGeneratedElem
 
   override Type getResultType() { result instanceof BoolType }
 
+  override Type getVariableType() {
+    exists(TranslatedForeachGetEnumerator ge |
+      ge.getAST() = generatedBy and
+      result = ge.getCallResultType()
+    )
+  }
+
   override predicate hasTempVariable(TempVariableTag tag, CSharpType type) {
     tag = ForeachEnumTempVar() and
-    type = getTypeForPRValue(getResultType())
+    type = getTypeForPRValue(getVariableType())
   }
 
   override IRVariable getInstructionVariable(InstructionTag tag) {
@@ -384,9 +391,16 @@ private class TranslatedForeachCurrentEnumAcc extends TTranslatedCompilerGenerat
 
   override Type getResultType() { result instanceof BoolType }
 
+  override Type getVariableType() {
+    exists(TranslatedForeachGetEnumerator ge |
+      ge.getAST() = generatedBy and
+      result = ge.getCallResultType()
+    )
+  }
+
   override predicate hasTempVariable(TempVariableTag tag, CSharpType type) {
     tag = ForeachEnumTempVar() and
-    type = getTypeForPRValue(getResultType())
+    type = getTypeForPRValue(getVariableType())
   }
 
   override IRVariable getInstructionVariable(InstructionTag tag) {
@@ -409,9 +423,16 @@ private class TranslatedForeachDisposeEnumAcc extends TTranslatedCompilerGenerat
 
   override Type getResultType() { result instanceof BoolType }
 
+  override Type getVariableType() {
+    exists(TranslatedForeachGetEnumerator ge |
+      ge.getAST() = generatedBy and
+      result = ge.getCallResultType()
+    )
+  }
+
   override predicate hasTempVariable(TempVariableTag tag, CSharpType type) {
     tag = ForeachEnumTempVar() and
-    type = getTypeForPRValue(getResultType())
+    type = getTypeForPRValue(getVariableType())
   }
 
   override IRVariable getInstructionVariable(InstructionTag tag) {
diff --git a/csharp/ql/test/experimental/ir/ir/raw_ir.expected b/csharp/ql/test/experimental/ir/ir/raw_ir.expected
index c598a8778d9..5d3a1dfe6bf 100644
--- a/csharp/ql/test/experimental/ir/ir/raw_ir.expected
+++ b/csharp/ql/test/experimental/ir/ir/raw_ir.expected
@@ -613,48 +613,48 @@ foreach.cs:
 #    5|     r5_28(glval<Int32>)      = PointerAdd[4]                  : r5_1, r5_27
 #    5|     r5_29(Int32)             = Constant[7]                    : 
 #    5|     mu5_30(Int32)            = Store[?]                       : &:r5_28, r5_29
-#    7|     r7_1(glval<Boolean>)     = VariableAddress[#temp7:9]      : 
+#    7|     r7_1(glval<IEnumerator>) = VariableAddress[#temp7:9]      : 
 #    7|     r7_2(glval<Int32[]>)     = VariableAddress[a_array]       : 
 #    7|     r7_3(Int32[])            = Load[a_array]                  : &:r7_2, ~m?
 #    7|     r7_4(<funcaddr>)         = FunctionAddress[GetEnumerator] : 
 #    7|     r7_5(IEnumerator)        = Call[GetEnumerator]            : func:r7_4, this:r7_3
 #    7|     mu7_6(<unknown>)         = ^CallSideEffect                : ~m?
-#    7|     mu7_7(Boolean)           = Store[#temp7:9]                : &:r7_1, r7_5
+#    7|     mu7_7(IEnumerator)       = Store[#temp7:9]                : &:r7_1, r7_5
 #-----|   Goto -> Block 1
 
 #    7|   Block 1
-#    7|     r7_8(glval<Boolean>) = VariableAddress[#temp7:9] : 
-#    7|     r7_9(Boolean)        = Load[#temp7:9]            : &:r7_8, ~m?
-#    7|     r7_10(<funcaddr>)    = FunctionAddress[MoveNext] : 
-#    7|     r7_11(Boolean)       = Call[MoveNext]            : func:r7_10, this:r7_9
-#    7|     mu7_12(<unknown>)    = ^CallSideEffect           : ~m?
-#    7|     v7_13(Void)          = ConditionalBranch         : r7_11
+#    7|     r7_8(glval<IEnumerator>) = VariableAddress[#temp7:9] : 
+#    7|     r7_9(IEnumerator)        = Load[#temp7:9]            : &:r7_8, ~m?
+#    7|     r7_10(<funcaddr>)        = FunctionAddress[MoveNext] : 
+#    7|     r7_11(Boolean)           = Call[MoveNext]            : func:r7_10, this:r7_9
+#    7|     mu7_12(<unknown>)        = ^CallSideEffect           : ~m?
+#    7|     v7_13(Void)              = ConditionalBranch         : r7_11
 #-----|   False -> Block 3
 #-----|   True -> Block 2
 
 #    7|   Block 2
-#    7|     r7_14(glval<Int32>)   = VariableAddress[items]       : 
-#    7|     r7_15(glval<Boolean>) = VariableAddress[#temp7:9]    : 
-#    7|     r7_16(Boolean)        = Load[#temp7:9]               : &:r7_15, ~m?
-#    7|     r7_17(<funcaddr>)     = FunctionAddress[get_Current] : 
-#    7|     r7_18(Int32)          = Call[get_Current]            : func:r7_17, this:r7_16
-#    7|     mu7_19(<unknown>)     = ^CallSideEffect              : ~m?
-#    7|     mu7_20(Int32)         = Store[items]                 : &:r7_14, r7_18
-#    9|     r9_1(glval<Int32>)    = VariableAddress[x]           : 
-#    9|     r9_2(glval<Int32>)    = VariableAddress[items]       : 
-#    9|     r9_3(Int32)           = Load[items]                  : &:r9_2, ~m?
-#    9|     mu9_4(Int32)          = Store[x]                     : &:r9_1, r9_3
+#    7|     r7_14(glval<Int32>)       = VariableAddress[items]       : 
+#    7|     r7_15(glval<IEnumerator>) = VariableAddress[#temp7:9]    : 
+#    7|     r7_16(IEnumerator)        = Load[#temp7:9]               : &:r7_15, ~m?
+#    7|     r7_17(<funcaddr>)         = FunctionAddress[get_Current] : 
+#    7|     r7_18(Int32)              = Call[get_Current]            : func:r7_17, this:r7_16
+#    7|     mu7_19(<unknown>)         = ^CallSideEffect              : ~m?
+#    7|     mu7_20(Int32)             = Store[items]                 : &:r7_14, r7_18
+#    9|     r9_1(glval<Int32>)        = VariableAddress[x]           : 
+#    9|     r9_2(glval<Int32>)        = VariableAddress[items]       : 
+#    9|     r9_3(Int32)               = Load[items]                  : &:r9_2, ~m?
+#    9|     mu9_4(Int32)              = Store[x]                     : &:r9_1, r9_3
 #-----|   Goto (back edge) -> Block 1
 
 #    7|   Block 3
-#    7|     r7_21(glval<Boolean>) = VariableAddress[#temp7:9] : 
-#    7|     r7_22(Boolean)        = Load[#temp7:9]            : &:r7_21, ~m?
-#    7|     r7_23(<funcaddr>)     = FunctionAddress[Dispose]  : 
-#    7|     v7_24(Void)           = Call[Dispose]             : func:r7_23, this:r7_22
-#    7|     mu7_25(<unknown>)     = ^CallSideEffect           : ~m?
-#    4|     v4_3(Void)            = ReturnVoid                : 
-#    4|     v4_4(Void)            = AliasedUse                : ~m?
-#    4|     v4_5(Void)            = ExitFunction              : 
+#    7|     r7_21(glval<IEnumerator>) = VariableAddress[#temp7:9] : 
+#    7|     r7_22(IEnumerator)        = Load[#temp7:9]            : &:r7_21, ~m?
+#    7|     r7_23(<funcaddr>)         = FunctionAddress[Dispose]  : 
+#    7|     v7_24(Void)               = Call[Dispose]             : func:r7_23, this:r7_22
+#    7|     mu7_25(<unknown>)         = ^CallSideEffect           : ~m?
+#    4|     v4_3(Void)                = ReturnVoid                : 
+#    4|     v4_4(Void)                = AliasedUse                : ~m?
+#    4|     v4_5(Void)                = ExitFunction              : 
 
 func_with_param_call.cs:
 #    5| System.Int32 test_call_with_param.f(System.Int32,System.Int32)
diff --git a/csharp/ql/test/experimental/ir/ir/raw_ir_consistency.expected b/csharp/ql/test/experimental/ir/ir/raw_ir_consistency.expected
index b2f9c0da160..7231134d5e2 100644
--- a/csharp/ql/test/experimental/ir/ir/raw_ir_consistency.expected
+++ b/csharp/ql/test/experimental/ir/ir/raw_ir_consistency.expected
@@ -26,9 +26,6 @@ fieldAddressOnNonPointer
 | inoutref.cs:19:13:19:17 | FieldAddress: access to field fld | FieldAddress instruction 'FieldAddress: access to field fld' has an object address operand that is not an address, in function '$@'. | inoutref.cs:16:17:16:17 | System.Void InOutRef.F(System.Int32,MyStruct,MyStruct,MyClass,MyClass) | System.Void InOutRef.F(System.Int32,MyStruct,MyStruct,MyClass,MyClass) |
 | pointers.cs:35:17:35:24 | FieldAddress: access to field fld | FieldAddress instruction 'FieldAddress: access to field fld' has an object address operand that is not an address, in function '$@'. | pointers.cs:25:17:25:20 | System.Void Pointers.Main() | System.Void Pointers.Main() |
 thisArgumentIsNonPointer
-| foreach.cs:7:9:10:9 | Call: foreach (... ... in ...) ... | Call instruction 'Call: foreach (... ... in ...) ...' has a `this` argument operand that is not an address, in function '$@'. | foreach.cs:4:24:4:27 | System.Void ForEach.Main() | System.Void ForEach.Main() |
-| foreach.cs:7:9:10:9 | Call: foreach (... ... in ...) ... | Call instruction 'Call: foreach (... ... in ...) ...' has a `this` argument operand that is not an address, in function '$@'. | foreach.cs:4:24:4:27 | System.Void ForEach.Main() | System.Void ForEach.Main() |
-| foreach.cs:7:9:10:9 | Call: foreach (... ... in ...) ... | Call instruction 'Call: foreach (... ... in ...) ...' has a `this` argument operand that is not an address, in function '$@'. | foreach.cs:4:24:4:27 | System.Void ForEach.Main() | System.Void ForEach.Main() |
 | inoutref.cs:32:22:32:35 | Call: object creation of type MyStruct | Call instruction 'Call: object creation of type MyStruct' has a `this` argument operand that is not an address, in function '$@'. | inoutref.cs:29:17:29:20 | System.Void InOutRef.Main() | System.Void InOutRef.Main() |
 | pointers.cs:27:22:27:35 | Call: object creation of type MyStruct | Call instruction 'Call: object creation of type MyStruct' has a `this` argument operand that is not an address, in function '$@'. | pointers.cs:25:17:25:20 | System.Void Pointers.Main() | System.Void Pointers.Main() |
 missingCanonicalLanguageType
diff --git a/csharp/ql/test/experimental/ir/ir/unaliased_ssa_consistency.expected b/csharp/ql/test/experimental/ir/ir/unaliased_ssa_consistency.expected
index b2f9c0da160..7231134d5e2 100644
--- a/csharp/ql/test/experimental/ir/ir/unaliased_ssa_consistency.expected
+++ b/csharp/ql/test/experimental/ir/ir/unaliased_ssa_consistency.expected
@@ -26,9 +26,6 @@ fieldAddressOnNonPointer
 | inoutref.cs:19:13:19:17 | FieldAddress: access to field fld | FieldAddress instruction 'FieldAddress: access to field fld' has an object address operand that is not an address, in function '$@'. | inoutref.cs:16:17:16:17 | System.Void InOutRef.F(System.Int32,MyStruct,MyStruct,MyClass,MyClass) | System.Void InOutRef.F(System.Int32,MyStruct,MyStruct,MyClass,MyClass) |
 | pointers.cs:35:17:35:24 | FieldAddress: access to field fld | FieldAddress instruction 'FieldAddress: access to field fld' has an object address operand that is not an address, in function '$@'. | pointers.cs:25:17:25:20 | System.Void Pointers.Main() | System.Void Pointers.Main() |
 thisArgumentIsNonPointer
-| foreach.cs:7:9:10:9 | Call: foreach (... ... in ...) ... | Call instruction 'Call: foreach (... ... in ...) ...' has a `this` argument operand that is not an address, in function '$@'. | foreach.cs:4:24:4:27 | System.Void ForEach.Main() | System.Void ForEach.Main() |
-| foreach.cs:7:9:10:9 | Call: foreach (... ... in ...) ... | Call instruction 'Call: foreach (... ... in ...) ...' has a `this` argument operand that is not an address, in function '$@'. | foreach.cs:4:24:4:27 | System.Void ForEach.Main() | System.Void ForEach.Main() |
-| foreach.cs:7:9:10:9 | Call: foreach (... ... in ...) ... | Call instruction 'Call: foreach (... ... in ...) ...' has a `this` argument operand that is not an address, in function '$@'. | foreach.cs:4:24:4:27 | System.Void ForEach.Main() | System.Void ForEach.Main() |
 | inoutref.cs:32:22:32:35 | Call: object creation of type MyStruct | Call instruction 'Call: object creation of type MyStruct' has a `this` argument operand that is not an address, in function '$@'. | inoutref.cs:29:17:29:20 | System.Void InOutRef.Main() | System.Void InOutRef.Main() |
 | pointers.cs:27:22:27:35 | Call: object creation of type MyStruct | Call instruction 'Call: object creation of type MyStruct' has a `this` argument operand that is not an address, in function '$@'. | pointers.cs:25:17:25:20 | System.Void Pointers.Main() | System.Void Pointers.Main() |
 missingCanonicalLanguageType

From 9e75f53798d9093332d40deaeda645dd514ec05d Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 17 May 2021 15:35:19 +0100
Subject: [PATCH 1062/1429] C++: Prefer matches to regexpMatch.

---
 cpp/ql/src/semmle/code/cpp/security/Encryption.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
index 8c9c4b3beee..361eb5695d2 100644
--- a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
@@ -68,7 +68,7 @@ predicate isInsecureEncryption(string name) {
  */
 bindingset[name]
 predicate isEncryptionAdditionalEvidence(string name) {
-  name.toUpperCase().regexpMatch(".*(CRYPT|CODE|CODING|CBC|KEY).*")
+  name.toUpperCase().matches("%" + ["CRYPT", "CODE", "CODING", "CBC", "KEY"] + "%")
 }
 
 /**

From 57354def9ebaf4b4577e7e901e24dfa8ff3f1767 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 17 May 2021 15:36:27 +0100
Subject: [PATCH 1063/1429] C++: Real world diffs suggest that 'Cipher' should
 be an encryption word as well.

---
 cpp/ql/src/semmle/code/cpp/security/Encryption.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
index 361eb5695d2..49cdd2d7c63 100644
--- a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
@@ -68,7 +68,7 @@ predicate isInsecureEncryption(string name) {
  */
 bindingset[name]
 predicate isEncryptionAdditionalEvidence(string name) {
-  name.toUpperCase().matches("%" + ["CRYPT", "CODE", "CODING", "CBC", "KEY"] + "%")
+  name.toUpperCase().matches("%" + ["CRYPT", "CODE", "CODING", "CBC", "KEY", "CIPHER"] + "%")
 }
 
 /**

From 930b9fe3e5e1ed1b9b59987b97cd99ff05a6b647 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 17 May 2021 15:46:41 +0100
Subject: [PATCH 1064/1429] C++: Add triple-DES to the bad algorithms list.

---
 cpp/ql/src/semmle/code/cpp/security/Encryption.qll   | 10 +++-------
 .../CWE/CWE-327/BrokenCryptoAlgorithm.expected       |  4 ++++
 .../test/query-tests/Security/CWE/CWE-327/test.cpp   | 12 ++++++------
 3 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
index 49cdd2d7c63..68a3d841d01 100644
--- a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
@@ -10,7 +10,8 @@ import cpp
 string getAnInsecureAlgorithmName() {
   result =
     [
-      "DES", "RC2", "RC4", "RC5", "ARCFOUR" // ARCFOUR is a variant of RC4
+      "DES", "RC2", "RC4", "RC5", "ARCFOUR", // ARCFOUR is a variant of RC4
+      "3DES", "DES3" // also appears separated, e.g. "TRIPLE-DES", which will be matched as "DES".
     ]
 }
 
@@ -53,12 +54,7 @@ string getInsecureAlgorithmRegex() {
  * insecure encyption algorithm.
  */
 bindingset[name]
-predicate isInsecureEncryption(string name) {
-  name.regexpMatch(getInsecureAlgorithmRegex()) and
-  // Check for evidence that an otherwise matching name may in fact not be
-  // related to insecure encrpytion, e.g. "Triple-DES" is not "DES".
-  not name.toUpperCase().regexpMatch(".*TRIPLE.*")
-}
+predicate isInsecureEncryption(string name) { name.regexpMatch(getInsecureAlgorithmRegex()) }
 
 /**
  * Holds if there is additional evidence that `name` looks like it might be
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
index e213a6e92c3..79943db5f60 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
@@ -10,11 +10,15 @@
 | test2.cpp:239:5:239:11 | call to encrypt | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:39:2:39:31 | ENCRYPT_WITH_RC2(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:41:2:41:32 | ENCRYPT_WITH_3DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:42:2:42:38 | ENCRYPT_WITH_TRIPLE_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:51:2:51:32 | DES_DO_ENCRYPTION(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:52:2:52:31 | RUN_DES_ENCODING(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:53:2:53:25 | DES_ENCODE(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:54:2:54:26 | DES_SET_KEY(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:88:2:88:11 | call to encryptDES | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:89:2:89:11 | call to encryptRC2 | This function call specifies a broken or weak cryptographic algorithm. |
+| test.cpp:91:2:91:12 | call to encrypt3DES | This function call specifies a broken or weak cryptographic algorithm. |
+| test.cpp:92:2:92:17 | call to encryptTripleDES | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:101:2:101:15 | call to do_des_encrypt | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:102:2:102:12 | call to DES_Set_Key | This function call specifies a broken or weak cryptographic algorithm. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
index ede8f19b761..39005f63bd9 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
@@ -38,15 +38,15 @@ void test_macros(void *data, size_t amount, const char *str)
 	ENCRYPT_WITH_DES(data, amount); // BAD
 	ENCRYPT_WITH_RC2(data, amount); // BAD
 	ENCRYPT_WITH_AES(data, amount); // GOOD (good algorithm)
-	ENCRYPT_WITH_3DES(data, amount); // GOOD (good enough algorithm)
-	ENCRYPT_WITH_TRIPLE_DES(data, amount); // GOOD (good enough algorithm)
+	ENCRYPT_WITH_3DES(data, amount); // BAD
+	ENCRYPT_WITH_TRIPLE_DES(data, amount); // BAD
 	ENCRYPT_WITH_RC20(data, amount); // GOOD (if there ever is an RC20 algorithm, we have no reason to believe it's weak)
 	ENCRYPT_WITH_DES_REMOVED(data, amount); // GOOD (implementation has been deleted)
 
 	DESENCRYPT(data, amount); // BAD [NOT DETECTED]
 	RC2ENCRYPT(data, amount); // BAD [NOT DETECTED]
 	AESENCRYPT(data, amount); // GOOD (good algorithm)
-	DES3ENCRYPT(data, amount); // GOOD (good enough algorithm)
+	DES3ENCRYPT(data, amount); // BAD [NOT DETECTED]
 
 	DES_DO_ENCRYPTION(data, amount); // BAD
 	RUN_DES_ENCODING(data, amount); // BAD
@@ -88,13 +88,13 @@ void test_functions(void *data, size_t amount, const char *str)
 	encryptDES(data, amount); // BAD
 	encryptRC2(data, amount); // BAD
 	encryptAES(data, amount); // GOOD (good algorithm)
-	encrypt3DES(data, amount); // GOOD (good enough algorithm)
-	encryptTripleDES(data, amount); // GOOD (good enough algorithm)
+	encrypt3DES(data, amount); // BAD
+	encryptTripleDES(data, amount); // BAD
 
 	DESEncrypt(data, amount); // BAD
 	RC2Encrypt(data, amount); // BAD
 	AESEncrypt(data, amount); // GOOD (good algorithm)
-	DES3Encrypt(data, amount); // GOOD (good enough algorithm)
+	DES3Encrypt(data, amount); // BAD [NOT DETECTED]
 
 	DoDESEncryption(data, amount); // BAD [NOT DETECTED]
 	encryptDes(data, amount); // BAD [NOT DETECTED]

From 09d00b133e6d5d99472344b03787186d0cdbf011 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 17 May 2021 15:53:03 +0100
Subject: [PATCH 1065/1429] C++: Acknowledge another not detected result in
 tests.

---
 cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
index 39005f63bd9..76ab7ce3423 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
@@ -91,8 +91,8 @@ void test_functions(void *data, size_t amount, const char *str)
 	encrypt3DES(data, amount); // BAD
 	encryptTripleDES(data, amount); // BAD
 
-	DESEncrypt(data, amount); // BAD
-	RC2Encrypt(data, amount); // BAD
+	DESEncrypt(data, amount); // BAD [NOT DETECTED]
+	RC2Encrypt(data, amount); // BAD [NOT DETECTED]
 	AESEncrypt(data, amount); // GOOD (good algorithm)
 	DES3Encrypt(data, amount); // BAD [NOT DETECTED]
 

From 3b29920255f01305ee9890a8ad8dcee6cc2b5350 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 17 May 2021 16:10:39 +0100
Subject: [PATCH 1066/1429] C++: Replace getAChild with getAnArgument().

---
 cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index 0d311333fca..04dda58cbf7 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -79,14 +79,14 @@ class InsecureFunctionCall extends FunctionCall {
       explain = "function call"
       or
       exists(MacroInvocation mi |
-        mi.getAGeneratedElement() = this.getAChild*() and
+        mi.getAGeneratedElement() = this.getAnArgument() and
         mi.getMacro() = getAnInsecureEncryptionMacro() and
         blame = mi and
         explain = "macro invocation"
       )
       or
       exists(EnumConstantAccess ec |
-        ec = this.getAChild*() and
+        ec = this.getAnArgument() and
         ec.getTarget() = getAnInsecureEncryptionEnumConst() and
         blame = ec and
         explain = "enum constant access"
@@ -97,12 +97,12 @@ class InsecureFunctionCall extends FunctionCall {
       getTarget() = getAdditionalEvidenceFunction()
       or
       exists(MacroInvocation mi |
-        mi.getAGeneratedElement() = this.getAChild*() and
+        mi.getAGeneratedElement() = this.getAnArgument() and
         mi.getMacro() = getAdditionalEvidenceMacro()
       )
       or
       exists(EnumConstantAccess ec |
-        ec = this.getAChild*() and
+        ec = this.getAnArgument() and
         ec.getTarget() = getAdditionalEvidenceEnumConst()
       )
     )

From 0ad69d11a8408625ea0a4e2b3ca8f6bf2bc87090 Mon Sep 17 00:00:00 2001
From: Henry Mercer <henrymercer@github.com>
Date: Mon, 17 May 2021 18:39:33 +0100
Subject: [PATCH 1067/1429] Code Scanning selectors: Include diagnostic queries

---
 misc/suite-helpers/code-scanning-selectors.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/misc/suite-helpers/code-scanning-selectors.yml b/misc/suite-helpers/code-scanning-selectors.yml
index a57aa15679e..116d7288ddf 100644
--- a/misc/suite-helpers/code-scanning-selectors.yml
+++ b/misc/suite-helpers/code-scanning-selectors.yml
@@ -13,6 +13,9 @@
     - warning
     tags contain:
     - security
+- include:
+    kind:
+    - diagnostic
 - include:
     kind:
     - metric

From ef410b998431c1467d10341e9581bf639f6f6b80 Mon Sep 17 00:00:00 2001
From: Chris Smowton <smowton@github.com>
Date: Mon, 17 May 2021 19:27:10 +0100
Subject: [PATCH 1068/1429] Update
 java/change-notes/2021-05-14-close-resource-leaks-improvements.md

---
 .../2021-05-14-close-resource-leaks-improvements.md             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/change-notes/2021-05-14-close-resource-leaks-improvements.md b/java/change-notes/2021-05-14-close-resource-leaks-improvements.md
index bae8640d85a..08a77840a1f 100644
--- a/java/change-notes/2021-05-14-close-resource-leaks-improvements.md
+++ b/java/change-notes/2021-05-14-close-resource-leaks-improvements.md
@@ -1,2 +1,2 @@
 lgtm,codescanning
-* The "Potential input resource leak" (`java/input-resource-leak`) and "Potential output resource leak" (`java/output-resource-leak`) queries have been made more specific to only consider JDK classes and subtypes. Additionally the number of false positives has been reduced.
+* The "Potential input resource leak" (`java/input-resource-leak`) and "Potential output resource leak" (`java/output-resource-leak`) queries no longer confuse `java.io` classes such as `Reader` with others that happen to share the same base name. Additionally the number of false positives has been reduced by recognizing `CharArrayReader` and `CharArrayWriter` as types that don't need to be closed.

From e652d8771c343c819d62d1901593185af2506d25 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Mon, 17 May 2021 20:34:16 +0000
Subject: [PATCH 1069/1429] Update method name and qldoc

---
 .../Security/CWE/CWE-094/JythonInjection.ql            | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
index 0f23edc69f4..06b077446e2 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
@@ -52,7 +52,7 @@ class LoadClassMethod extends Method {
  * Holds if `ma` is a call to a class-loading method, and `sink` is the byte array
  * representing the class to be loaded.
  */
-predicate loadClass(MethodAccess ma, Expr sink) {
+predicate loadsClass(MethodAccess ma, Expr sink) {
   exists(Method m, int i | m = ma.getMethod() |
     m instanceof LoadClassMethod and
     m.getParameter(i).getType() instanceof Array and // makeClass(java.lang.String name, byte[] data, ...)
@@ -85,17 +85,21 @@ predicate compile(MethodAccess ma, Expr sink) {
 class CodeInjectionSink extends DataFlow::ExprNode {
   CodeInjectionSink() {
     runCode(_, this.getExpr()) or
-    loadClass(_, this.getExpr()) or
+    loadsClass(_, this.getExpr()) or
     compile(_, this.getExpr())
   }
 
   MethodAccess getMethodAccess() {
     runCode(result, this.getExpr()) or
-    loadClass(result, this.getExpr()) or
+    loadsClass(result, this.getExpr()) or
     compile(result, this.getExpr())
   }
 }
 
+/**
+ * A taint configuration for tracking flow from `RemoteFlowSource` to a Jython method call
+ * `CodeInjectionSink` that executes injected code.
+ */
 class CodeInjectionConfiguration extends TaintTracking::Configuration {
   CodeInjectionConfiguration() { this = "CodeInjectionConfiguration" }
 

From a0cd551bae9ae005c59657ef3463817e226cfe29 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Tue, 18 May 2021 11:05:10 +0800
Subject: [PATCH 1070/1429] Add filtering of String.format

---
 .../Security/CWE/CWE-601/SpringUrlRedirect.ql | 10 +++
 .../CWE/CWE-601/SpringUrlRedirect.qll         | 61 +------------------
 .../CWE-601/SpringUrlRedirect.expected        |  8 +++
 .../security/CWE-601/SpringUrlRedirect.java   | 17 +++++-
 4 files changed, 37 insertions(+), 59 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
index 138bce57ac9..5c8a8ea78d8 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
@@ -33,6 +33,16 @@ class SpringUrlRedirectFlowConfig extends TaintTracking::Configuration {
       ae.getRightOperand() = node.asExpr() and
       not ae instanceof RedirectBuilderExpr
     )
+    or
+    exists(MethodAccess ma, int index |
+      ma.getMethod().hasName("format") and
+      ma.getMethod().getDeclaringType() instanceof TypeString and
+      ma.getArgument(index) = node.asExpr() and
+      (
+        index != 0 and
+        not ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().regexpMatch("^%s.*")
+      )
+    )
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll
index 866eaae1c34..84bb5d9adf8 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll
@@ -51,14 +51,14 @@ class SpringUrlRedirectSink extends DataFlow::Node {
   SpringUrlRedirectSink() {
     exists(RedirectBuilderExpr rbe |
       rbe.getRightOperand() = this.asExpr() and
-      exists(RedirectBuilderFlowConfig rbfc | rbfc.hasFlow(exprNode(rbe), _))
+      any(SpringRequestMappingMethod sqmm).polyCalls*(this.getEnclosingCallable())
     )
     or
     exists(MethodAccess ma, RedirectAppendCall rac |
       DataFlow2::localExprFlow(rac.getQualifier(), ma.getQualifier()) and
       ma.getMethod().hasName("append") and
       ma.getArgument(0) = this.asExpr() and
-      exists(RedirectBuilderFlowConfig rbfc | rbfc.hasFlow(exprNode(ma.getQualifier()), _))
+      any(SpringRequestMappingMethod sqmm).polyCalls*(this.getEnclosingCallable())
     )
     or
     exists(MethodAccess ma |
@@ -66,8 +66,7 @@ class SpringUrlRedirectSink extends DataFlow::Node {
       ma.getMethod()
           .getDeclaringType()
           .hasQualifiedName("org.springframework.web.servlet.view", "AbstractUrlBasedView") and
-      ma.getArgument(0) = this.asExpr() and
-      exists(RedirectViewFlowConfig rvfc | rvfc.hasFlowToExpr(ma.getQualifier()))
+      ma.getArgument(0) = this.asExpr()
     )
     or
     exists(ClassInstanceExpr cie |
@@ -84,57 +83,3 @@ class SpringUrlRedirectSink extends DataFlow::Node {
     )
   }
 }
-
-/** A data flow configuration tracing flow from redirect builder expression to spring controller method return expression. */
-private class RedirectBuilderFlowConfig extends DataFlow2::Configuration {
-  RedirectBuilderFlowConfig() { this = "RedirectBuilderFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) {
-    exists(RedirectBuilderExpr rbe | rbe = src.asExpr())
-    or
-    exists(MethodAccess ma, RedirectAppendCall rac |
-      DataFlow2::localExprFlow(rac.getQualifier(), ma.getQualifier()) and
-      ma.getMethod().hasName("append") and
-      ma.getQualifier() = src.asExpr()
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(ReturnStmt rs, SpringRequestMappingMethod sqmm |
-      rs.getResult() = sink.asExpr() and
-      sqmm.getBody().getAStmt() = rs
-    )
-  }
-
-  override predicate isAdditionalFlowStep(Node prod, Node succ) {
-    exists(MethodAccess ma |
-      ma.getMethod().hasName("toString") and
-      ma.getMethod().getDeclaringType() instanceof StringBuildingType and
-      ma.getQualifier() = prod.asExpr() and
-      ma = succ.asExpr()
-    )
-  }
-}
-
-/** A data flow configuration tracing flow from RedirectView object to calling setUrl method. */
-private class RedirectViewFlowConfig extends DataFlow2::Configuration {
-  RedirectViewFlowConfig() { this = "RedirectViewFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) {
-    exists(ClassInstanceExpr cie |
-      cie.getConstructedType()
-          .hasQualifiedName("org.springframework.web.servlet.view", "RedirectView") and
-      cie = src.asExpr()
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma |
-      ma.getMethod().hasName("setUrl") and
-      ma.getMethod()
-          .getDeclaringType()
-          .hasQualifiedName("org.springframework.web.servlet.view", "AbstractUrlBasedView") and
-      ma.getQualifier() = sink.asExpr()
-    )
-  }
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected
index 26b8acd7770..bcf5e892e1b 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected
@@ -5,6 +5,8 @@ edges
 | SpringUrlRedirect.java:32:30:32:47 | redirectUrl : String | SpringUrlRedirect.java:33:47:33:57 | redirectUrl |
 | SpringUrlRedirect.java:37:24:37:41 | redirectUrl : String | SpringUrlRedirect.java:40:29:40:39 | redirectUrl |
 | SpringUrlRedirect.java:45:24:45:41 | redirectUrl : String | SpringUrlRedirect.java:48:30:48:40 | redirectUrl |
+| SpringUrlRedirect.java:53:24:53:41 | redirectUrl : String | SpringUrlRedirect.java:54:30:54:66 | format(...) |
+| SpringUrlRedirect.java:58:24:58:41 | redirectUrl : String | SpringUrlRedirect.java:59:30:59:76 | format(...) |
 nodes
 | SpringUrlRedirect.java:13:30:13:47 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:15:19:15:29 | redirectUrl | semmle.label | redirectUrl |
@@ -18,6 +20,10 @@ nodes
 | SpringUrlRedirect.java:40:29:40:39 | redirectUrl | semmle.label | redirectUrl |
 | SpringUrlRedirect.java:45:24:45:41 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:48:30:48:40 | redirectUrl | semmle.label | redirectUrl |
+| SpringUrlRedirect.java:53:24:53:41 | redirectUrl : String | semmle.label | redirectUrl : String |
+| SpringUrlRedirect.java:54:30:54:66 | format(...) | semmle.label | format(...) |
+| SpringUrlRedirect.java:58:24:58:41 | redirectUrl : String | semmle.label | redirectUrl : String |
+| SpringUrlRedirect.java:59:30:59:76 | format(...) | semmle.label | format(...) |
 #select
 | SpringUrlRedirect.java:15:19:15:29 | redirectUrl | SpringUrlRedirect.java:13:30:13:47 | redirectUrl : String | SpringUrlRedirect.java:15:19:15:29 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:13:30:13:47 | redirectUrl | user-provided value |
 | SpringUrlRedirect.java:21:36:21:46 | redirectUrl | SpringUrlRedirect.java:20:24:20:41 | redirectUrl : String | SpringUrlRedirect.java:21:36:21:46 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:20:24:20:41 | redirectUrl | user-provided value |
@@ -25,3 +31,5 @@ nodes
 | SpringUrlRedirect.java:33:47:33:57 | redirectUrl | SpringUrlRedirect.java:32:30:32:47 | redirectUrl : String | SpringUrlRedirect.java:33:47:33:57 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:32:30:32:47 | redirectUrl | user-provided value |
 | SpringUrlRedirect.java:40:29:40:39 | redirectUrl | SpringUrlRedirect.java:37:24:37:41 | redirectUrl : String | SpringUrlRedirect.java:40:29:40:39 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:37:24:37:41 | redirectUrl | user-provided value |
 | SpringUrlRedirect.java:48:30:48:40 | redirectUrl | SpringUrlRedirect.java:45:24:45:41 | redirectUrl : String | SpringUrlRedirect.java:48:30:48:40 | redirectUrl | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:45:24:45:41 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:54:30:54:66 | format(...) | SpringUrlRedirect.java:53:24:53:41 | redirectUrl : String | SpringUrlRedirect.java:54:30:54:66 | format(...) | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:53:24:53:41 | redirectUrl | user-provided value |
+| SpringUrlRedirect.java:59:30:59:76 | format(...) | SpringUrlRedirect.java:58:24:58:41 | redirectUrl : String | SpringUrlRedirect.java:59:30:59:76 | format(...) | Potentially untrusted URL redirection due to $@. | SpringUrlRedirect.java:58:24:58:41 | redirectUrl | user-provided value |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.java b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.java
index 5124d8cd8c6..f3958cba102 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.java
@@ -50,6 +50,16 @@ public class SpringUrlRedirect {
     }
 
     @GetMapping("url7")
+    public String bad7(String redirectUrl) {
+        return "redirect:" + String.format("%s/?aaa", redirectUrl);
+    }
+
+    @GetMapping("url8")
+    public String bad8(String redirectUrl, String token) {
+        return "redirect:" + String.format(redirectUrl + "?token=%s", token);
+    }
+
+    @GetMapping("url9")
     public RedirectView good1(String redirectUrl) {
         RedirectView rv = new RedirectView();
         if (redirectUrl.startsWith(VALID_REDIRECT)){
@@ -60,9 +70,14 @@ public class SpringUrlRedirect {
         return rv;
     }
 
-    @GetMapping("url8")
+    @GetMapping("url10")
     public ModelAndView good2(String token) {
         String url = "/edit?token=" + token;
         return new ModelAndView("redirect:" + url);
     }
+
+    @GetMapping("url11")
+    public String good3(String status) {
+        return "redirect:" + String.format("/stories/search/criteria?status=%s", status);
+    }
 }

From cac0ab299ba20e838163d44b1ed9f41c0480f9d8 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 18 May 2021 10:25:25 +0200
Subject: [PATCH 1071/1429] add writes to textContent on a <script /> as a sink
 for code-injection

---
 .../dataflow/CodeInjectionCustomizations.qll  | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
index 9f083bcf6ef..c0dfa933f89 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
@@ -51,6 +51,37 @@ module CodeInjection {
     }
   }
 
+  /**
+   * Gets a reference to a `<script />` tag created using `document.createElement`.
+   */
+  private DataFlow::SourceNode scriptTag(DataFlow::TypeTracker t) {
+    t.start() and
+    exists(DataFlow::CallNode call | call = result |
+      call = DOM::documentRef().getAMethodCall("createElement") and
+      call.getArgument(0).mayHaveStringValue("script")
+    )
+    or
+    exists(DataFlow::TypeTracker t2 | result = scriptTag(t2).track(t2, t))
+  }
+
+  /**
+   * Gets a reference to a `<script />` tag created using `document.createElement`,
+   * or an element of type `HTMLScriptElement`.
+   */
+  private DataFlow::SourceNode scriptTag() {
+    result = scriptTag(DataFlow::TypeTracker::end())
+    or
+    result.hasUnderlyingType("HTMLScriptElement")
+  }
+
+  /**
+   * A write to the `textContent` property of a `<script />` tag,
+   * seen as a sink for code injection vulnerabilities.
+   */
+  class ScriptContentSink extends Sink {
+    ScriptContentSink() { this = scriptTag().getAPropertyWrite("textContent").getRhs() }
+  }
+
   /**
    * An expression which may be evaluated as JavaScript.
    */

From 0ade23ab2ad52a5cf99e1d9a56a6a9e11dfbb729 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
Date: Tue, 18 May 2021 11:49:59 +0200
Subject: [PATCH 1072/1429] Python: Apply suggestions from code review

Co-authored-by: yoff <lerchedahl@gmail.com>
---
 python/ql/src/semmle/python/frameworks/Cryptodome.qll    | 2 +-
 python/ql/test/library-tests/frameworks/crypto/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Cryptodome.qll b/python/ql/src/semmle/python/frameworks/Cryptodome.qll
index 719deeb2d6b..2de6173d01e 100644
--- a/python/ql/src/semmle/python/frameworks/Cryptodome.qll
+++ b/python/ql/src/semmle/python/frameworks/Cryptodome.qll
@@ -148,7 +148,7 @@ private module CryptodomeModel {
       result in [this.getArg(0), this.getArgByName("plaintext")]
       or
       methodName in ["decrypt_and_verify"] and
-      result in [this.getArg(0), this.getArgByName("ciphertext")]
+      result in [this.getArg(0), this.getArgByName("ciphertext"), this.getArg(1), this.getArgByName("mac_tag")]
     }
   }
 
diff --git a/python/ql/test/library-tests/frameworks/crypto/README.md b/python/ql/test/library-tests/frameworks/crypto/README.md
index d3f680504be..1c462b4aa42 100644
--- a/python/ql/test/library-tests/frameworks/crypto/README.md
+++ b/python/ql/test/library-tests/frameworks/crypto/README.md
@@ -6,7 +6,7 @@ You can run the following command to update the tests:
 rm *.py && cp ../cryptodome/*.py . && sed -i -e 's/Cryptodome/Crypto/' *.py
 ```
 
-The original [`pycrypto` PyPI package](https://pypi.org/project/pycrypto/) that provided the `Crypto` Python package has not been updated since 2013, so it is reasonable to assume that people will use the replacement [`pycryptodome` PyPI package](https://pypi.org/project/pycryptodome/) that has a (mostly) compatible API.
+The original [`pycrypto` PyPI package](https://pypi.org/project/pycrypto/) that provided the `Crypto` Python package has not been updated since 2013, so it is reasonable to assume that people will use the replacement [`pycryptodome` PyPI package](https://pypi.org/project/pycryptodome/) that also provides a `Crypto` Python package and has a (mostly) compatible API.
 
 The pycryptodome functionality is also available in the [`pycryptodomex` PyPI package](https://pypi.org/project/pycryptodomex/) which provides the `Cryptodome` Python package.
 

From 9156316b1499b125131d07ad3ce89d6552db125f Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
Date: Tue, 18 May 2021 11:53:11 +0200
Subject: [PATCH 1073/1429] Python: Apply suggestions from code review

Co-authored-by: yoff <lerchedahl@gmail.com>
---
 python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.qhelp | 4 ++--
 .../src/semmle/python/dataflow/new/SensitiveDataSources.qll   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.qhelp b/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.qhelp
index 1d7b5a4f456..484a55a1d0c 100644
--- a/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.qhelp
+++ b/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.qhelp
@@ -19,7 +19,7 @@
                <li>
                     collision attacks: if you know a hash value <code>h(x)</code>,
                     you should not be able to easily find a different input <code>y</code>
-                    such that hash value is the same <code>h(x) = h(y)</code>.
+                    with the same hash value <code>h(x) = h(y)</code>.
                </li>
           </ul>
           <p>
@@ -30,7 +30,7 @@
           </p>
 
           <p>
-               As an example, both MD5 and SHA-1 is known to be vulnerable to collision attacks.
+               As an example, both MD5 and SHA-1 are known to be vulnerable to collision attacks.
           </p>
 
           <p>
diff --git a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
index 2af11d7ecd0..42be7aacfe9 100644
--- a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
+++ b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
@@ -1,6 +1,6 @@
 /**
  * Provides an extension point for for modeling sensitive data, such as secrets, certificates, or passwords.
- * Sensitive data is can be interesting to use as data-flow sources in security queries.
+ * Sensitive data can be interesting to use as data-flow sources in security queries.
  */
 
 private import python

From 1435ac715ac6d7f3f5255c7069e305620cc6afd2 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 18 May 2021 12:46:34 +0200
Subject: [PATCH 1074/1429] add support for the clone library

---
 javascript/change-notes/2021-05-18-clone.md     |  4 ++++
 javascript/ql/src/javascript.qll                |  1 +
 .../src/semmle/javascript/frameworks/Clone.qll  | 15 +++++++++++++++
 .../CWE-079/ReflectedXss/ReflectedXss.expected  | 17 +++++++++++++++++
 .../ReflectedXssWithCustomSanitizer.expected    |  2 ++
 .../Security/CWE-079/ReflectedXss/tst2.js       | 14 ++++++++++++++
 6 files changed, 53 insertions(+)
 create mode 100644 javascript/change-notes/2021-05-18-clone.md
 create mode 100644 javascript/ql/src/semmle/javascript/frameworks/Clone.qll

diff --git a/javascript/change-notes/2021-05-18-clone.md b/javascript/change-notes/2021-05-18-clone.md
new file mode 100644
index 00000000000..42d52d72a3d
--- /dev/null
+++ b/javascript/change-notes/2021-05-18-clone.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The dataflow libraries now model dataflow in the `clone` library.
+  Affected packages are
+    [clone](https://npmjs.com/package/clone)
diff --git a/javascript/ql/src/javascript.qll b/javascript/ql/src/javascript.qll
index 95db948bbd4..a46313f47f0 100644
--- a/javascript/ql/src/javascript.qll
+++ b/javascript/ql/src/javascript.qll
@@ -78,6 +78,7 @@ import semmle.javascript.frameworks.ComposedFunctions
 import semmle.javascript.frameworks.Classnames
 import semmle.javascript.frameworks.ClassValidator
 import semmle.javascript.frameworks.ClientRequests
+import semmle.javascript.frameworks.Clone
 import semmle.javascript.frameworks.ClosureLibrary
 import semmle.javascript.frameworks.CookieLibraries
 import semmle.javascript.frameworks.Credentials
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Clone.qll b/javascript/ql/src/semmle/javascript/frameworks/Clone.qll
new file mode 100644
index 00000000000..5aabee438c5
--- /dev/null
+++ b/javascript/ql/src/semmle/javascript/frameworks/Clone.qll
@@ -0,0 +1,15 @@
+/**
+ * Provides a dataflow-step for the `clone` package.
+ */
+
+import javascript
+private import semmle.javascript.dataflow.internal.PreCallGraphStep
+
+private class CloneStep extends PreCallGraphStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::CallNode call | call = DataFlow::moduleImport("clone").getACall() |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
index f8ceeb45b62..e8d093325ad 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -174,6 +174,14 @@ nodes
 | tst2.js:18:12:18:12 | p |
 | tst2.js:21:14:21:14 | p |
 | tst2.js:21:14:21:14 | p |
+| tst2.js:30:7:30:24 | p |
+| tst2.js:30:9:30:9 | p |
+| tst2.js:30:9:30:9 | p |
+| tst2.js:33:11:33:11 | p |
+| tst2.js:36:12:36:12 | p |
+| tst2.js:36:12:36:12 | p |
+| tst2.js:37:12:37:18 | other.p |
+| tst2.js:37:12:37:18 | other.p |
 edges
 | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
 | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
@@ -318,6 +326,13 @@ edges
 | tst2.js:14:7:14:24 | p | tst2.js:21:14:21:14 | p |
 | tst2.js:14:9:14:9 | p | tst2.js:14:7:14:24 | p |
 | tst2.js:14:9:14:9 | p | tst2.js:14:7:14:24 | p |
+| tst2.js:30:7:30:24 | p | tst2.js:33:11:33:11 | p |
+| tst2.js:30:7:30:24 | p | tst2.js:36:12:36:12 | p |
+| tst2.js:30:7:30:24 | p | tst2.js:36:12:36:12 | p |
+| tst2.js:30:9:30:9 | p | tst2.js:30:7:30:24 | p |
+| tst2.js:30:9:30:9 | p | tst2.js:30:7:30:24 | p |
+| tst2.js:33:11:33:11 | p | tst2.js:37:12:37:18 | other.p |
+| tst2.js:33:11:33:11 | p | tst2.js:37:12:37:18 | other.p |
 #select
 | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value |
 | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | ReflectedXss.js:17:31:17:39 | params.id | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:17:31:17:39 | params.id | user-provided value |
@@ -359,3 +374,5 @@ edges
 | tst2.js:8:12:8:12 | r | tst2.js:6:12:6:15 | q: r | tst2.js:8:12:8:12 | r | Cross-site scripting vulnerability due to $@. | tst2.js:6:12:6:15 | q: r | user-provided value |
 | tst2.js:18:12:18:12 | p | tst2.js:14:9:14:9 | p | tst2.js:18:12:18:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:14:9:14:9 | p | user-provided value |
 | tst2.js:21:14:21:14 | p | tst2.js:14:9:14:9 | p | tst2.js:21:14:21:14 | p | Cross-site scripting vulnerability due to $@. | tst2.js:14:9:14:9 | p | user-provided value |
+| tst2.js:36:12:36:12 | p | tst2.js:30:9:30:9 | p | tst2.js:36:12:36:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
+| tst2.js:37:12:37:18 | other.p | tst2.js:30:9:30:9 | p | tst2.js:37:12:37:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
index 719a82171a8..8ddc55dde36 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -37,3 +37,5 @@
 | tst2.js:8:12:8:12 | r | Cross-site scripting vulnerability due to $@. | tst2.js:6:12:6:15 | q: r | user-provided value |
 | tst2.js:18:12:18:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:14:9:14:9 | p | user-provided value |
 | tst2.js:21:14:21:14 | p | Cross-site scripting vulnerability due to $@. | tst2.js:14:9:14:9 | p | user-provided value |
+| tst2.js:36:12:36:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
+| tst2.js:37:12:37:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js
index 521b6b20a7c..034b0791217 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js
@@ -22,3 +22,17 @@ app.get('/bar', function(req, res) {
   else
     res.send(p); // OK
 });
+
+
+const clone = require('clone');
+
+app.get('/baz', function(req, res) {
+  let { p } = req.params;
+
+  var obj = {};
+  obj.p = p;
+  var other = clone(obj);
+
+  res.send(p); // NOT OK
+  res.send(other.p); // NOT OK
+});
\ No newline at end of file

From caf5f4d605bbdcb67fa65de5b65f9288a39d8ef4 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Tue, 18 May 2021 19:10:03 +0800
Subject: [PATCH 1075/1429] modified comment

---
 .../src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql  | 2 ++
 .../src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
index 5c8a8ea78d8..210067fde2a 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
@@ -29,6 +29,8 @@ class SpringUrlRedirectFlowConfig extends TaintTracking::Configuration {
   override predicate isSanitizer(DataFlow::Node node) {
     // Exclude the case where the left side of the concatenated string is not `redirect:`.
     // E.g: `String url = "/path?token=" + request.getParameter("token");`
+    // Note this is quite a broad sanitizer (it will also sanitize the right-hand side of `url = "http://" + request.getParameter("token")`);
+    // Consider making this stricter in future.
     exists(AddExpr ae |
       ae.getRightOperand() = node.asExpr() and
       not ae instanceof RedirectBuilderExpr
diff --git a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll
index 84bb5d9adf8..6ae87a37bcc 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll
@@ -5,7 +5,7 @@ import semmle.code.java.dataflow.DataFlow2
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.spring.SpringController
 
-class StartsWithSanitizer extends DataFlow::BarrierGuard {
+private class StartsWithSanitizer extends DataFlow::BarrierGuard {
   StartsWithSanitizer() {
     this.(MethodAccess).getMethod().hasName("startsWith") and
     this.(MethodAccess).getMethod().getDeclaringType() instanceof TypeString and

From 06514a2bb6c3577269c312910e1d3c15764a6347 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 18 May 2021 13:16:41 +0200
Subject: [PATCH 1076/1429] move clone model to Extend.qll

---
 javascript/ql/src/javascript.qll                  |  1 -
 javascript/ql/src/semmle/javascript/Extend.qll    | 14 ++++++++++++++
 .../ql/src/semmle/javascript/frameworks/Clone.qll | 15 ---------------
 3 files changed, 14 insertions(+), 16 deletions(-)
 delete mode 100644 javascript/ql/src/semmle/javascript/frameworks/Clone.qll

diff --git a/javascript/ql/src/javascript.qll b/javascript/ql/src/javascript.qll
index a46313f47f0..95db948bbd4 100644
--- a/javascript/ql/src/javascript.qll
+++ b/javascript/ql/src/javascript.qll
@@ -78,7 +78,6 @@ import semmle.javascript.frameworks.ComposedFunctions
 import semmle.javascript.frameworks.Classnames
 import semmle.javascript.frameworks.ClassValidator
 import semmle.javascript.frameworks.ClientRequests
-import semmle.javascript.frameworks.Clone
 import semmle.javascript.frameworks.ClosureLibrary
 import semmle.javascript.frameworks.CookieLibraries
 import semmle.javascript.frameworks.Credentials
diff --git a/javascript/ql/src/semmle/javascript/Extend.qll b/javascript/ql/src/semmle/javascript/Extend.qll
index 9b7255983b9..d50054fc4ee 100644
--- a/javascript/ql/src/semmle/javascript/Extend.qll
+++ b/javascript/ql/src/semmle/javascript/Extend.qll
@@ -174,3 +174,17 @@ private class ExtendCallTaintStep extends TaintTracking::SharedTaintStep {
     )
   }
 }
+
+private import semmle.javascript.dataflow.internal.PreCallGraphStep
+
+/**
+ * A step for the `clone` package.
+ */
+private class CloneStep extends PreCallGraphStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::CallNode call | call = DataFlow::moduleImport("clone").getACall() |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Clone.qll b/javascript/ql/src/semmle/javascript/frameworks/Clone.qll
deleted file mode 100644
index 5aabee438c5..00000000000
--- a/javascript/ql/src/semmle/javascript/frameworks/Clone.qll
+++ /dev/null
@@ -1,15 +0,0 @@
-/**
- * Provides a dataflow-step for the `clone` package.
- */
-
-import javascript
-private import semmle.javascript.dataflow.internal.PreCallGraphStep
-
-private class CloneStep extends PreCallGraphStep {
-  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(DataFlow::CallNode call | call = DataFlow::moduleImport("clone").getACall() |
-      pred = call.getArgument(0) and
-      succ = call
-    )
-  }
-}

From e46de44473791493bd73068dabced3be868da819 Mon Sep 17 00:00:00 2001
From: haby0 <ha_yub@163.com>
Date: Tue, 18 May 2021 19:56:32 +0800
Subject: [PATCH 1077/1429] Solve errors caused by private ownership

---
 .../Security/CWE/CWE-601/SpringUrlRedirect.ql        | 12 ++++++++++++
 .../Security/CWE/CWE-601/SpringUrlRedirect.qll       | 12 ------------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
index 210067fde2a..b02bd3e4c30 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
@@ -15,6 +15,18 @@ import SpringUrlRedirect
 import semmle.code.java.dataflow.FlowSources
 import DataFlow::PathGraph
 
+private class StartsWithSanitizer extends DataFlow::BarrierGuard {
+  StartsWithSanitizer() {
+    this.(MethodAccess).getMethod().hasName("startsWith") and
+    this.(MethodAccess).getMethod().getDeclaringType() instanceof TypeString and
+    this.(MethodAccess).getMethod().getNumberOfParameters() = 1
+  }
+
+  override predicate checks(Expr e, boolean branch) {
+    e = this.(MethodAccess).getQualifier() and branch = true
+  }
+}
+
 class SpringUrlRedirectFlowConfig extends TaintTracking::Configuration {
   SpringUrlRedirectFlowConfig() { this = "SpringUrlRedirectFlowConfig" }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll
index 6ae87a37bcc..4a86640d4d4 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.qll
@@ -5,18 +5,6 @@ import semmle.code.java.dataflow.DataFlow2
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.spring.SpringController
 
-private class StartsWithSanitizer extends DataFlow::BarrierGuard {
-  StartsWithSanitizer() {
-    this.(MethodAccess).getMethod().hasName("startsWith") and
-    this.(MethodAccess).getMethod().getDeclaringType() instanceof TypeString and
-    this.(MethodAccess).getMethod().getNumberOfParameters() = 1
-  }
-
-  override predicate checks(Expr e, boolean branch) {
-    e = this.(MethodAccess).getQualifier() and branch = true
-  }
-}
-
 /**
  * A concatenate expression using the string `redirect:` or `ajaxredirect:` or `forward:` on the left.
  *

From 770429fd6809809df616913fb3f9f73403bbf555 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 18 May 2021 14:02:46 +0200
Subject: [PATCH 1078/1429] Python: Autoformat

---
 python/ql/src/semmle/python/frameworks/Cryptodome.qll | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/frameworks/Cryptodome.qll b/python/ql/src/semmle/python/frameworks/Cryptodome.qll
index 2de6173d01e..8b012b47b3f 100644
--- a/python/ql/src/semmle/python/frameworks/Cryptodome.qll
+++ b/python/ql/src/semmle/python/frameworks/Cryptodome.qll
@@ -148,7 +148,10 @@ private module CryptodomeModel {
       result in [this.getArg(0), this.getArgByName("plaintext")]
       or
       methodName in ["decrypt_and_verify"] and
-      result in [this.getArg(0), this.getArgByName("ciphertext"), this.getArg(1), this.getArgByName("mac_tag")]
+      result in [
+          this.getArg(0), this.getArgByName("ciphertext"), this.getArg(1),
+          this.getArgByName("mac_tag")
+        ]
     }
   }
 

From 6c755024ac304d9a7af89174592a3a3dddb95de2 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 18 May 2021 14:03:36 +0200
Subject: [PATCH 1079/1429] Python: Refactor code, inline some type-tracking

---
 .../semmle/python/frameworks/Cryptography.qll | 92 +++++++++----------
 1 file changed, 41 insertions(+), 51 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Cryptography.qll b/python/ql/src/semmle/python/frameworks/Cryptography.qll
index 5ad6b9200c2..e9e0174cb37 100644
--- a/python/ql/src/semmle/python/frameworks/Cryptography.qll
+++ b/python/ql/src/semmle/python/frameworks/Cryptography.qll
@@ -183,64 +183,42 @@ private module CryptographyModel {
             .getMember(algorithmName)
     }
 
-    /**
-     * Internal module making it easy to hide verbose type-tracking helpers.
-     *
-     * These turned out to be so verbose, that it was impossible to get an overview of
-     * the relevant predicates without hiding them away.
-     */
-    private module InternalTypeTracking {
-      /** Gets a reference to a Cipher instance using algorithm with `algorithmName`. */
-      DataFlow::LocalSourceNode cipherInstance(DataFlow::TypeTracker t, string algorithmName) {
-        t.start() and
-        exists(DataFlow::CallCfgNode call | result = call |
-          call =
-            API::moduleImport("cryptography")
-                .getMember("hazmat")
-                .getMember("primitives")
-                .getMember("ciphers")
-                .getMember("Cipher")
-                .getACall() and
-          algorithmClassRef(algorithmName).getReturn().getAUse() in [
-              call.getArg(0), call.getArgByName("algorithm")
-            ]
-        )
-        or
-        exists(DataFlow::TypeTracker t2 | result = cipherInstance(t2, algorithmName).track(t2, t))
-      }
-
-      /** Gets a reference to the encryptor of a Cipher instance using algorithm with `algorithmName`. */
-      DataFlow::LocalSourceNode cipherEncryptor(DataFlow::TypeTracker t, string algorithmName) {
-        t.start() and
-        exists(DataFlow::AttrRead attr |
-          result.(DataFlow::CallCfgNode).getFunction() = attr and
-          attr.getAttributeName() = "encryptor" and
-          attr.getObject() = cipherInstance(algorithmName)
-        )
-        or
-        exists(DataFlow::TypeTracker t2 | result = cipherEncryptor(t2, algorithmName).track(t2, t))
-      }
-
-      /** Gets a reference to the dncryptor of a Cipher instance using algorithm with `algorithmName`. */
-      DataFlow::LocalSourceNode cipherDecryptor(DataFlow::TypeTracker t, string algorithmName) {
-        t.start() and
-        exists(DataFlow::AttrRead attr |
-          result.(DataFlow::CallCfgNode).getFunction() = attr and
-          attr.getAttributeName() = "decryptor" and
-          attr.getObject() = cipherInstance(algorithmName)
-        )
-        or
-        exists(DataFlow::TypeTracker t2 | result = cipherDecryptor(t2, algorithmName).track(t2, t))
-      }
+    /** Gets a reference to a Cipher instance using algorithm with `algorithmName`. */
+    DataFlow::LocalSourceNode cipherInstance(DataFlow::TypeTracker t, string algorithmName) {
+      t.start() and
+      exists(DataFlow::CallCfgNode call | result = call |
+        call =
+          API::moduleImport("cryptography")
+              .getMember("hazmat")
+              .getMember("primitives")
+              .getMember("ciphers")
+              .getMember("Cipher")
+              .getACall() and
+        algorithmClassRef(algorithmName).getReturn().getAUse() in [
+            call.getArg(0), call.getArgByName("algorithm")
+          ]
+      )
+      or
+      exists(DataFlow::TypeTracker t2 | result = cipherInstance(t2, algorithmName).track(t2, t))
     }
 
-    private import InternalTypeTracking
-
     /** Gets a reference to a Cipher instance using algorithm with `algorithmName`. */
     DataFlow::Node cipherInstance(string algorithmName) {
       cipherInstance(DataFlow::TypeTracker::end(), algorithmName).flowsTo(result)
     }
 
+    /** Gets a reference to the encryptor of a Cipher instance using algorithm with `algorithmName`. */
+    DataFlow::LocalSourceNode cipherEncryptor(DataFlow::TypeTracker t, string algorithmName) {
+      t.start() and
+      exists(DataFlow::AttrRead attr |
+        result.(DataFlow::CallCfgNode).getFunction() = attr and
+        attr.getAttributeName() = "encryptor" and
+        attr.getObject() = cipherInstance(algorithmName)
+      )
+      or
+      exists(DataFlow::TypeTracker t2 | result = cipherEncryptor(t2, algorithmName).track(t2, t))
+    }
+
     /**
      * Gets a reference to the encryptor of a Cipher instance using algorithm with `algorithmName`.
      *
@@ -250,6 +228,18 @@ private module CryptographyModel {
       cipherEncryptor(DataFlow::TypeTracker::end(), algorithmName).flowsTo(result)
     }
 
+    /** Gets a reference to the dncryptor of a Cipher instance using algorithm with `algorithmName`. */
+    DataFlow::LocalSourceNode cipherDecryptor(DataFlow::TypeTracker t, string algorithmName) {
+      t.start() and
+      exists(DataFlow::AttrRead attr |
+        result.(DataFlow::CallCfgNode).getFunction() = attr and
+        attr.getAttributeName() = "decryptor" and
+        attr.getObject() = cipherInstance(algorithmName)
+      )
+      or
+      exists(DataFlow::TypeTracker t2 | result = cipherDecryptor(t2, algorithmName).track(t2, t))
+    }
+
     /**
      * Gets a reference to the decryptor of a Cipher instance using algorithm with `algorithmName`.
      *

From 2a0721b2aeae25d99e1c5805311b8b6e46a735af Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Tue, 18 May 2021 12:18:14 +0000
Subject: [PATCH 1080/1429] Optimize the sink and update method name

---
 .../Security/CWE/CWE-094/JythonInjection.ql      | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
index 06b077446e2..c44eee23602 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
@@ -33,7 +33,7 @@ class BytecodeLoader extends RefType {
 }
 
 /** Holds if a Jython expression if evaluated, compiled or executed. */
-predicate runCode(MethodAccess ma, Expr sink) {
+predicate runsCode(MethodAccess ma, Expr sink) {
   exists(Method m | m = ma.getMethod() |
     m instanceof InterpretExprMethod and
     sink = ma.getArgument(0)
@@ -83,17 +83,15 @@ predicate compile(MethodAccess ma, Expr sink) {
 
 /** An expression loaded by Jython. */
 class CodeInjectionSink extends DataFlow::ExprNode {
+  MethodAccess methodAccess;
+
   CodeInjectionSink() {
-    runCode(_, this.getExpr()) or
-    loadsClass(_, this.getExpr()) or
-    compile(_, this.getExpr())
+    runsCode(methodAccess, this.getExpr()) or
+    loadsClass(methodAccess, this.getExpr()) or
+    compile(methodAccess, this.getExpr())
   }
 
-  MethodAccess getMethodAccess() {
-    runCode(result, this.getExpr()) or
-    loadsClass(result, this.getExpr()) or
-    compile(result, this.getExpr())
-  }
+  MethodAccess getMethodAccess() { result = methodAccess }
 }
 
 /**

From da83e9142bfb43f2a886e38bf5f7020b13160163 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 18 May 2021 13:23:41 +0100
Subject: [PATCH 1081/1429] C++: Replace getAnExpandedElement with
 getAGeneratedElement as it's all we really need.

---
 cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index 04dda58cbf7..dda70c2cb06 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -79,7 +79,7 @@ class InsecureFunctionCall extends FunctionCall {
       explain = "function call"
       or
       exists(MacroInvocation mi |
-        mi.getAGeneratedElement() = this.getAnArgument() and
+        mi.getAnExpandedElement() = this.getAnArgument() and
         mi.getMacro() = getAnInsecureEncryptionMacro() and
         blame = mi and
         explain = "macro invocation"
@@ -97,7 +97,7 @@ class InsecureFunctionCall extends FunctionCall {
       getTarget() = getAdditionalEvidenceFunction()
       or
       exists(MacroInvocation mi |
-        mi.getAGeneratedElement() = this.getAnArgument() and
+        mi.getAnExpandedElement() = this.getAnArgument() and
         mi.getMacro() = getAdditionalEvidenceMacro()
       )
       or

From 3d8513c1e0fd547396b18efdfdba83198d3fb537 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 18 May 2021 13:24:51 +0100
Subject: [PATCH 1082/1429] C++: Add 'MAC' as additional evidence.

---
 cpp/ql/src/semmle/code/cpp/security/Encryption.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
index 68a3d841d01..55ef606483c 100644
--- a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
@@ -64,7 +64,7 @@ predicate isInsecureEncryption(string name) { name.regexpMatch(getInsecureAlgori
  */
 bindingset[name]
 predicate isEncryptionAdditionalEvidence(string name) {
-  name.toUpperCase().matches("%" + ["CRYPT", "CODE", "CODING", "CBC", "KEY", "CIPHER"] + "%")
+  name.toUpperCase().matches("%" + ["CRYPT", "CODE", "CODING", "CBC", "KEY", "CIPHER", "MAC"] + "%")
 }
 
 /**

From 012840e602298c066b08a93e7fd5a2d1beba5e09 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 18 May 2021 13:57:24 +0100
Subject: [PATCH 1083/1429] C++: Add more test cases.

---
 .../CWE/CWE-327/BrokenCryptoAlgorithm.expected   |  6 ++++--
 .../query-tests/Security/CWE/CWE-327/test.cpp    | 16 ++++++++++++++++
 .../query-tests/Security/CWE/CWE-327/test2.cpp   |  8 ++++++++
 3 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
index 79943db5f60..886044b9f1a 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
@@ -6,8 +6,10 @@
 | test2.cpp:175:28:175:34 | USE_DES | This enum constant access specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:182:38:182:45 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:185:38:185:44 | USE_DES | This enum constant access specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:234:2:234:20 | call to encrypt | This function call specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:239:5:239:11 | call to encrypt | This function call specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:238:2:238:20 | call to encrypt | This function call specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:240:2:240:28 | call to doSomethingElse | This function call specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:245:5:245:11 | call to encrypt | This function call specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:247:5:247:19 | call to doSomethingElse | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:39:2:39:31 | ENCRYPT_WITH_RC2(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:41:2:41:32 | ENCRYPT_WITH_3DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
index 76ab7ce3423..1c7c90f9c88 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
@@ -107,3 +107,19 @@ void test_functions(void *data, size_t amount, const char *str)
 	Anodes(1); // GOOD (probably nothing to do with encryption)
 	ConDes(); // GOOD (probably nothing to do with encryption)
 }
+
+// --- macros for functions with no arguments ---
+
+void my_implementation7();
+void my_implementation8();
+
+#define INIT_ENCRYPT_WITH_DES() my_implementation7()
+#define INIT_ENCRYPT_WITH_AES() my_implementation8()
+
+void test_macros2()
+{
+	INIT_ENCRYPT_WITH_DES(); // BAD [NOT DETECTED]
+	INIT_ENCRYPT_WITH_AES(); // GOOD (good algorithm)
+	
+	// ...
+}
\ No newline at end of file
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
index 1cf18659242..31fc3676bb8 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
@@ -209,35 +209,43 @@ class desEncrypt
 {
 public:
 	static void encrypt(const char *data);
+	static void doSomethingElse();
 };
 
 class aes256Encrypt
 {
 public:
 	static void encrypt(const char *data);
+	static void doSomethingElse();
 };
 
 class desCipher
 {
 public:
 	void encrypt(const char *data);
+	void doSomethingElse();
 };
 
 class aesCipher
 {
 public:
 	void encrypt(const char *data);
+	void doSomethingElse();
 };
 
 void do_classes(const char *data)
 {
 	desEncrypt::encrypt(data); // BAD
 	aes256Encrypt::encrypt(data); // GOOD
+	desEncrypt::doSomethingElse(); // GOOD [FALSE POSITIVE]
+	aes256Encrypt::doSomethingElse(); // GOOD
 
 	desCipher dc;
 	aesCipher ac;
 	dc.encrypt(data); // BAD
 	ac.encrypt(data); // GOOD
+	dc.doSomethingElse(); // GOOD [FALSE POSITIVE]
+	ac.doSomethingElse(); // GOOD
 }
 
 // --- function pointer ---

From c7382ee06d55fcf2df0f1a665ddae88a4a94c3fa Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 18 May 2021 13:40:53 +0100
Subject: [PATCH 1084/1429] C++: Repair for function call macros.

---
 .../src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql  | 10 ++++++++--
 .../CWE/CWE-327/BrokenCryptoAlgorithm.expected         |  1 +
 cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp  |  2 +-
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index dda70c2cb06..7abb71c5a6c 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -79,7 +79,10 @@ class InsecureFunctionCall extends FunctionCall {
       explain = "function call"
       or
       exists(MacroInvocation mi |
-        mi.getAnExpandedElement() = this.getAnArgument() and
+        (
+          mi.getAnExpandedElement() = this or
+          mi.getAnExpandedElement() = this.getAnArgument()
+        ) and
         mi.getMacro() = getAnInsecureEncryptionMacro() and
         blame = mi and
         explain = "macro invocation"
@@ -97,7 +100,10 @@ class InsecureFunctionCall extends FunctionCall {
       getTarget() = getAdditionalEvidenceFunction()
       or
       exists(MacroInvocation mi |
-        mi.getAnExpandedElement() = this.getAnArgument() and
+        (
+          mi.getAnExpandedElement() = this or
+          mi.getAnExpandedElement() = this.getAnArgument()
+        ) and
         mi.getMacro() = getAdditionalEvidenceMacro()
       )
       or
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
index 886044b9f1a..e1e177218fd 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
@@ -24,3 +24,4 @@
 | test.cpp:92:2:92:17 | call to encryptTripleDES | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:101:2:101:15 | call to do_des_encrypt | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:102:2:102:12 | call to DES_Set_Key | This function call specifies a broken or weak cryptographic algorithm. |
+| test.cpp:121:2:121:24 | INIT_ENCRYPT_WITH_DES() | This macro invocation specifies a broken or weak cryptographic algorithm. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
index 1c7c90f9c88..8af9868f1ee 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
@@ -118,7 +118,7 @@ void my_implementation8();
 
 void test_macros2()
 {
-	INIT_ENCRYPT_WITH_DES(); // BAD [NOT DETECTED]
+	INIT_ENCRYPT_WITH_DES(); // BAD
 	INIT_ENCRYPT_WITH_AES(); // GOOD (good algorithm)
 	
 	// ...

From 88dc0861ac0f3f5dbe15df07fa6010650032ecce Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 18 May 2021 14:18:59 +0100
Subject: [PATCH 1085/1429] C++: Fix copy-paste error.

---
 cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index 7abb71c5a6c..9869aca2d70 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -32,7 +32,7 @@ Function getAdditionalEvidenceFunction() {
   (
     isEncryptionAdditionalEvidence(result.getName()) or
     isEncryptionAdditionalEvidence(result.getAParameter().getName()) or
-    isInsecureEncryption(result.getDeclaringType().getName())
+    isEncryptionAdditionalEvidence(result.getDeclaringType().getName())
   ) and
   exists(result.getACallToThisFunction())
 }

From cdf261b54b10538062a5cce22390487ce9544cb2 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 18 May 2021 14:30:48 +0100
Subject: [PATCH 1086/1429] C++: In fact it's just not good enough to get
 additional evidence from the declaring type.

---
 cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql      | 3 +--
 .../Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected       | 2 --
 cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp        | 4 ++--
 3 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index 9869aca2d70..7162b000dfc 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -31,8 +31,7 @@ Function getAnInsecureEncryptionFunction() {
 Function getAdditionalEvidenceFunction() {
   (
     isEncryptionAdditionalEvidence(result.getName()) or
-    isEncryptionAdditionalEvidence(result.getAParameter().getName()) or
-    isEncryptionAdditionalEvidence(result.getDeclaringType().getName())
+    isEncryptionAdditionalEvidence(result.getAParameter().getName())
   ) and
   exists(result.getACallToThisFunction())
 }
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
index e1e177218fd..19cdfa5e9c7 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
@@ -7,9 +7,7 @@
 | test2.cpp:182:38:182:45 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:185:38:185:44 | USE_DES | This enum constant access specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:238:2:238:20 | call to encrypt | This function call specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:240:2:240:28 | call to doSomethingElse | This function call specifies a broken or weak cryptographic algorithm. |
 | test2.cpp:245:5:245:11 | call to encrypt | This function call specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:247:5:247:19 | call to doSomethingElse | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:39:2:39:31 | ENCRYPT_WITH_RC2(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:41:2:41:32 | ENCRYPT_WITH_3DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
index 31fc3676bb8..66d6f283ba3 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp
@@ -237,14 +237,14 @@ void do_classes(const char *data)
 {
 	desEncrypt::encrypt(data); // BAD
 	aes256Encrypt::encrypt(data); // GOOD
-	desEncrypt::doSomethingElse(); // GOOD [FALSE POSITIVE]
+	desEncrypt::doSomethingElse(); // GOOD
 	aes256Encrypt::doSomethingElse(); // GOOD
 
 	desCipher dc;
 	aesCipher ac;
 	dc.encrypt(data); // BAD
 	ac.encrypt(data); // GOOD
-	dc.doSomethingElse(); // GOOD [FALSE POSITIVE]
+	dc.doSomethingElse(); // GOOD
 	ac.doSomethingElse(); // GOOD
 }
 

From 610e041e28a3c1d417e1e1c56fbccc7a2cb60896 Mon Sep 17 00:00:00 2001
From: Ethan Palm <56270045+ethanpalm@users.noreply.github.com>
Date: Tue, 18 May 2021 11:42:08 -0400
Subject: [PATCH 1087/1429] Add reviewer feedback

Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 docs/codeql/codeql-cli/creating-codeql-databases.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/codeql/codeql-cli/creating-codeql-databases.rst b/docs/codeql/codeql-cli/creating-codeql-databases.rst
index 1552a077e24..637df58555b 100644
--- a/docs/codeql/codeql-cli/creating-codeql-databases.rst
+++ b/docs/codeql/codeql-cli/creating-codeql-databases.rst
@@ -169,7 +169,7 @@ build steps, you may need to explicitly define each step in the command line.
    are dependencies, the appropriate dependency manager (such as `dep
    <https://golang.github.io/dep/>`__).
    
-   The Go autobuilder attempts to automatically detect Go code in a repository,
+   The Go autobuilder attempts to automatically detect code written in Go in a repository,
    and only runs build scripts in an attempt to fetch dependencies. To force
    CodeQL to limit extraction to the files compiled by your build script, set the environment variable
    `CODEQL_EXTRACTOR_GO_BUILD_TRACING=on` or use the ``--command`` option to specify a

From df9981de4fb2b01383dc1fc06d197f1b3b422e5b Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 18 May 2021 17:44:08 +0200
Subject: [PATCH 1088/1429] C++: Add testcases with false positives.

---
 .../semmle/tests/OverflowStatic.expected       |  2 ++
 .../CWE/CWE-119/semmle/tests/tests.cpp         | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowStatic.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowStatic.expected
index ef334a73a2c..0e137bb29d7 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowStatic.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowStatic.expected
@@ -5,6 +5,8 @@
 | tests.cpp:245:42:245:42 | 6 | Potential buffer-overflow: 'global_array_5' has size 5 not 6. |
 | tests.cpp:349:2:349:14 | access to array | Potential buffer-overflow: 'charArray' has size 10 but 'charArray[10]' is accessed here. |
 | tests.cpp:350:17:350:29 | access to array | Potential buffer-overflow: 'charArray' has size 10 but 'charArray[10]' is accessed here. |
+| tests.cpp:594:4:594:12 | access to array | Potential buffer-overflow: counter 'k' <= 100 but 'buffer' has 16 elements. |
+| tests.cpp:603:24:603:24 | n | Potential buffer-overflow: 'dest' has size 128 not 132. |
 | var_size_struct.cpp:54:5:54:14 | access to array | Potential buffer-overflow: 'str' has size 1 but 'str[1]' is accessed here. |
 | var_size_struct.cpp:55:5:55:14 | access to array | Potential buffer-overflow: 'str' has size 1 but 'str[1]' is accessed here. |
 | var_size_struct.cpp:103:39:103:41 | 129 | Potential buffer-overflow: 'str' has size 128 not 129. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
index c4ccdfad8b3..d18d60a2ed6 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
@@ -586,6 +586,23 @@ void test21(bool cond)
 	if (ptr[-1] == 0) { return; } // GOOD: accesses buffer[1]
 }
 
+void test22(bool b, const char* source) {
+	char buffer[16];
+	int k;
+	for (k = 0; k <= 100; k++) {
+		if(k < 16) {
+			buffer[k] = 'x'; // GOOD [FALSE POSITIVE]
+		}
+	}
+
+	char dest[128];
+	int n = b ? 1024 : 132;
+	if (n >= 128) {
+    return;
+  }
+  memcpy(dest, source, n); // GOOD [FALSE POSITIVE]
+}
+
 int main(int argc, char *argv[])
 {
 	long long arr17[19];
@@ -609,6 +626,7 @@ int main(int argc, char *argv[])
 	test19(argc == 0);
 	test20();
 	test21(argc == 0);
+	test22(argc == 0, argv[0]);
 
 	return 0;
 }

From 26c4a66dc407bd55b12d3afd83b80083708c85fc Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 18 May 2021 17:54:30 +0200
Subject: [PATCH 1089/1429] C++: Add range analysis to fix FPs.

---
 cpp/ql/src/Critical/OverflowStatic.ql            | 16 ++++++++++++----
 .../CWE-119/semmle/tests/OverflowStatic.expected |  2 --
 .../Security/CWE/CWE-119/semmle/tests/tests.cpp  |  4 ++--
 3 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/cpp/ql/src/Critical/OverflowStatic.ql b/cpp/ql/src/Critical/OverflowStatic.ql
index 833ee45499e..a7c1cb41cda 100644
--- a/cpp/ql/src/Critical/OverflowStatic.ql
+++ b/cpp/ql/src/Critical/OverflowStatic.ql
@@ -14,6 +14,7 @@
 
 import cpp
 import semmle.code.cpp.commons.Buffer
+import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import LoopBounds
 
 private predicate staticBufferBase(VariableAccess access, Variable v) {
@@ -51,6 +52,8 @@ predicate overflowOffsetInLoop(BufferAccess bufaccess, string msg) {
     loop.getStmt().getAChild*() = bufaccess.getEnclosingStmt() and
     loop.limit() >= bufaccess.bufferSize() and
     loop.counter().getAnAccess() = bufaccess.getArrayOffset() and
+    // Ensure that we don't have an upper bound on the array index that's less than the buffer size.
+    not upperBound(bufaccess.getArrayOffset().getFullyConverted()) < bufaccess.bufferSize() and
     msg =
       "Potential buffer-overflow: counter '" + loop.counter().toString() + "' <= " +
         loop.limit().toString() + " but '" + bufaccess.buffer().getName() + "' has " +
@@ -94,10 +97,15 @@ class CallWithBufferSize extends FunctionCall {
   }
 
   int statedSizeValue() {
-    exists(Expr statedSizeSrc |
-      DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr()) and
-      result = statedSizeSrc.getValue().toInt()
-    )
+    // `upperBound(e)` defaults to `exprMaxVal(e)` when `e` isn't analyzable. So to get a meaningful
+    // result in this case we pick the minimum value obtainable from dataflow and range analysis.
+    result =
+      upperBound(statedSizeExpr())
+          .minimum(any(Expr statedSizeSrc |
+              DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr())
+            |
+              statedSizeSrc.getValue().toInt()
+            ))
   }
 }
 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowStatic.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowStatic.expected
index 0e137bb29d7..ef334a73a2c 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowStatic.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowStatic.expected
@@ -5,8 +5,6 @@
 | tests.cpp:245:42:245:42 | 6 | Potential buffer-overflow: 'global_array_5' has size 5 not 6. |
 | tests.cpp:349:2:349:14 | access to array | Potential buffer-overflow: 'charArray' has size 10 but 'charArray[10]' is accessed here. |
 | tests.cpp:350:17:350:29 | access to array | Potential buffer-overflow: 'charArray' has size 10 but 'charArray[10]' is accessed here. |
-| tests.cpp:594:4:594:12 | access to array | Potential buffer-overflow: counter 'k' <= 100 but 'buffer' has 16 elements. |
-| tests.cpp:603:24:603:24 | n | Potential buffer-overflow: 'dest' has size 128 not 132. |
 | var_size_struct.cpp:54:5:54:14 | access to array | Potential buffer-overflow: 'str' has size 1 but 'str[1]' is accessed here. |
 | var_size_struct.cpp:55:5:55:14 | access to array | Potential buffer-overflow: 'str' has size 1 but 'str[1]' is accessed here. |
 | var_size_struct.cpp:103:39:103:41 | 129 | Potential buffer-overflow: 'str' has size 128 not 129. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
index d18d60a2ed6..4f8bcc0fa59 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
@@ -591,7 +591,7 @@ void test22(bool b, const char* source) {
 	int k;
 	for (k = 0; k <= 100; k++) {
 		if(k < 16) {
-			buffer[k] = 'x'; // GOOD [FALSE POSITIVE]
+			buffer[k] = 'x'; // GOOD
 		}
 	}
 
@@ -600,7 +600,7 @@ void test22(bool b, const char* source) {
 	if (n >= 128) {
     return;
   }
-  memcpy(dest, source, n); // GOOD [FALSE POSITIVE]
+  memcpy(dest, source, n); // GOOD
 }
 
 int main(int argc, char *argv[])

From b0b5338359ce7da9525f705d77784545f6090c8e Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Thu, 29 Apr 2021 02:59:41 +0000
Subject: [PATCH 1090/1429] Rhino code injection

---
 .../Security/CWE/CWE-094/RhinoInjection.java  |  39 ++
 .../Security/CWE/CWE-094/RhinoInjection.qhelp |  51 ++
 .../Security/CWE/CWE-094/RhinoInjection.ql    |  17 +
 .../Security/CWE/CWE-094/RhinoInjection.qll   |  56 ++
 .../security/CWE-094/RhinoInjection.expected  |   7 +
 .../security/CWE-094/RhinoInjection.qlref     |   1 +
 .../security/CWE-094/RhinoServlet.java        |  78 +++
 .../query-tests/security/CWE-094/options      |   2 +-
 .../org/mozilla/javascript/ClassShutter.java  |  56 ++
 .../org/mozilla/javascript/Context.java       | 623 ++++++++++++++++++
 .../mozilla/javascript/ContextFactory.java    | 314 +++++++++
 .../mozilla/javascript/RhinoException.java    |  15 +
 .../org/mozilla/javascript/Scriptable.java    | 304 +++++++++
 .../mozilla/javascript/ScriptableObject.java  |  27 +
 14 files changed, 1589 insertions(+), 1 deletion(-)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.java
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.qhelp
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.ql
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.qll
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/RhinoInjection.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/RhinoInjection.qlref
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/RhinoServlet.java
 create mode 100644 java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/ClassShutter.java
 create mode 100644 java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/Context.java
 create mode 100644 java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/ContextFactory.java
 create mode 100644 java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/RhinoException.java
 create mode 100644 java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/Scriptable.java
 create mode 100644 java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/ScriptableObject.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.java b/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.java
new file mode 100644
index 00000000000..4a87d5bc354
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.java
@@ -0,0 +1,39 @@
+public class RhinoInjection extends HttpServlet {
+
+  protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+    response.setContentType("text/plain");
+    String code = request.getParameter("code");
+    Context ctx = Context.enter();
+    try {
+      {
+        // BAD: allow arbitrary Java and JavaScript code to be executed
+        Scriptable scope = ctx.initStandardObjects();
+      }
+
+      {
+        // GOOD: enable the safe mode
+        Scriptable scope = ctx.initSafeStandardObjects();
+      }
+
+      {
+        // GOOD: enforce a constraint on allowed classes
+        Scriptable scope = ctx.initStandardObjects();
+        ctx.setClassShutter(new ClassShutter() {
+            public boolean visibleToScripts(String className) {
+                if(className.startsWith("com.example.")) {
+                    return true;
+                }
+                return false;
+            }
+        });
+      }
+
+      Object result = ctx.evaluateString(scope, code, "<code>", 1, null);
+      response.getWriter().print(Context.toString(result));
+    } catch(RhinoException ex) {
+      response.getWriter().println(ex.getMessage());
+    } finally {
+      Context.exit();
+    }
+  }
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.qhelp
new file mode 100644
index 00000000000..73c252ed54c
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.qhelp
@@ -0,0 +1,51 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Rhino is a JavaScript engine written fully in Java and managed by the Mozilla Foundation. 
+It serves as an embedded scripting engine inside Java applications which allows 
+Java-to-JavaScript interoperability and provides a seamless integration between the two 
+languages. If an expression is built using attacker-controlled data, and then evaluated in 
+a powerful context, it may allow the attacker to run arbitrary code.
+</p>
+<p>
+Typically an expression is evaluated in the powerful context initialized with 
+<code>initStandardObjects</code> that allows an expression of arbitrary Java code to
+execute in the JVM.
+</p>
+</overview>
+
+<recommendation>
+<p>
+In general, including user input in a Rhino expression should be avoided.
+If user input must be included in the expression, it should be then evaluated in a safe
+context that doesn't allow arbitrary code invocation.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows two ways of using Rhino expression. In the 'BAD' case,
+an unsafe context is initialized with <code>initStandardObjects</code>. In the 'GOOD' case,
+a safe context is initialized with <code>initSafeStandardObjects</code> or 
+<code>setClassShutter</code>.
+</p>
+<sample src="RhinoInjection.java" />
+</example>
+
+<references>
+<li>
+  Mozilla Rhino:
+  <a href="https://github.com/mozilla/rhino">Rhino: JavaScript in Java</a>
+</li>
+<li>
+  Rhino Sandbox:
+  <a href="https://github.com/javadelight/delight-rhino-sandbox">A sandbox to execute JavaScript code with Rhino in Java.</a>
+</li>
+<li>
+  GuardRails:
+  <a href="https://docs.guardrails.io/docs/en/vulnerabilities/java/insecure_use_of_dangerous_function">Code Injection</a>
+</li>
+</references>
+</qhelp>
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.ql
new file mode 100644
index 00000000000..cac41244aa2
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.ql
@@ -0,0 +1,17 @@
+/**
+ * @name Injection in Mozilla Rhino JavaScript Engine
+ * @description Evaluation of a user-controlled JavaScript or Java expression in Rhino
+ *              JavaScript Engine may lead to remote code execution.
+ * @kind path-problem
+ * @id java/rhino-injection
+ * @tags security
+ *       external/cwe/cwe-094
+ */
+
+import java
+import RhinoInjection
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, RhinoInjectionConfig conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Rhino injection from $@.", source.getNode(), " user input"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.qll b/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.qll
new file mode 100644
index 00000000000..a560e340e85
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.qll
@@ -0,0 +1,56 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+
+/** The class `org.mozilla.javascript.Context`. */
+class Context extends RefType {
+  Context() { this.hasQualifiedName("org.mozilla.javascript", "Context") }
+}
+
+/**
+ * A method that evaluates a Rhino expression.
+ */
+class EvaluateExpressionMethod extends Method {
+  EvaluateExpressionMethod() {
+    this.getDeclaringType().getAnAncestor*() instanceof Context and
+    (
+      hasName("evaluateString") or
+      hasName("evaluateReader")
+    )
+  }
+}
+
+/**
+ * A taint-tracking configuration for unsafe user input that is used to evaluate
+ * a Rhino expression.
+ */
+class RhinoInjectionConfig extends TaintTracking::Configuration {
+  RhinoInjectionConfig() { this = "RhinoInjectionConfig" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource
+    or
+    source instanceof LocalUserInput
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof EvaluateExpressionSink }
+}
+
+/**
+ * A sink for Rhino code injection vulnerabilities.
+ */
+class EvaluateExpressionSink extends DataFlow::ExprNode {
+  EvaluateExpressionSink() {
+    exists(MethodAccess ea, EvaluateExpressionMethod m | m = ea.getMethod() |
+      this.asExpr() = ea.getArgument(1) and // The second argument is the JavaScript or Java input
+      not exists(MethodAccess ca |
+        (
+          ca.getMethod().hasName("initSafeStandardObjects") // safe mode
+          or
+          ca.getMethod().hasName("setClassShutter") // `ClassShutter` constraint is enforced
+        ) and
+        ea.getQualifier() = ca.getQualifier().(VarAccess).getVariable().getAnAccess()
+      )
+    )
+  }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/RhinoInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/RhinoInjection.expected
new file mode 100644
index 00000000000..4d2736c8230
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/RhinoInjection.expected
@@ -0,0 +1,7 @@
+edges
+| RhinoServlet.java:25:23:25:50 | getParameter(...) : String | RhinoServlet.java:29:55:29:58 | code |
+nodes
+| RhinoServlet.java:25:23:25:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RhinoServlet.java:29:55:29:58 | code | semmle.label | code |
+#select
+| RhinoServlet.java:29:55:29:58 | code | RhinoServlet.java:25:23:25:50 | getParameter(...) : String | RhinoServlet.java:29:55:29:58 | code | Rhino injection from $@. | RhinoServlet.java:25:23:25:50 | getParameter(...) |  user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/RhinoInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-094/RhinoInjection.qlref
new file mode 100644
index 00000000000..e306dda44df
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/RhinoInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-094/RhinoInjection.ql
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/RhinoServlet.java b/java/ql/test/experimental/query-tests/security/CWE-094/RhinoServlet.java
new file mode 100644
index 00000000000..f6f529785cc
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/RhinoServlet.java
@@ -0,0 +1,78 @@
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.mozilla.javascript.ClassShutter;
+import org.mozilla.javascript.Context;
+import org.mozilla.javascript.Scriptable;
+import org.mozilla.javascript.RhinoException;
+
+/**
+ * Servlet implementation class RhinoServlet
+ */
+public class RhinoServlet extends HttpServlet {
+    private static final long serialVersionUID = 1L;
+       
+    public RhinoServlet() {
+        super();
+    }
+
+    // BAD: allow arbitrary Java and JavaScript code to be executed
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        response.setContentType("text/plain");
+        String code = request.getParameter("code");
+        Context ctx = Context.enter();
+        try {
+            Scriptable scope = ctx.initStandardObjects();
+            Object result = ctx.evaluateString(scope, code, "<code>", 1, null);
+            response.getWriter().print(Context.toString(result));
+        } catch(RhinoException ex) {
+            response.getWriter().println(ex.getMessage());
+        } finally {
+            Context.exit();
+        }
+    }
+
+    // GOOD: enable the safe mode
+    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        response.setContentType("text/plain");
+        String code = request.getParameter("code");
+        Context ctx = Context.enter();
+        try {
+            Scriptable scope = ctx.initSafeStandardObjects();
+            Object result = ctx.evaluateString(scope, code, "<code>", 1, null);
+            response.getWriter().print(Context.toString(result));
+        } catch(RhinoException ex) {
+            response.getWriter().println(ex.getMessage());
+        } finally {
+            Context.exit();
+        }
+    }
+
+    // GOOD: enforce a constraint on allowed classes
+    protected void doPut(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        response.setContentType("text/plain");
+        String code = request.getParameter("code");
+        Context ctx = Context.enter();
+        try {
+            Scriptable scope = ctx.initStandardObjects();
+            ctx.setClassShutter(new ClassShutter() {
+                public boolean visibleToScripts(String className) {
+                    if(className.startsWith("com.example.")) {
+                        return true;
+                    }
+                    return false;
+                }
+            });
+
+            Object result = ctx.evaluateString(scope, code, "<code>", 1, null);
+            response.getWriter().print(Context.toString(result));
+        } catch(RhinoException ex) {
+            response.getWriter().println(ex.getMessage());
+        } finally {
+            Context.exit();
+        }
+    }    
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/options b/java/ql/test/experimental/query-tests/security/CWE-094/options
index 95bc9acaa08..48cc00e0a17 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/options
@@ -1,2 +1,2 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2:${testdir}/../../../../experimental/stubs/rhino-1.7.13
 
diff --git a/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/ClassShutter.java b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/ClassShutter.java
new file mode 100644
index 00000000000..f425e08e966
--- /dev/null
+++ b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/ClassShutter.java
@@ -0,0 +1,56 @@
+/* -*- Mode: java; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// API class
+
+package org.mozilla.javascript;
+
+/**
+Embeddings that wish to filter Java classes that are visible to scripts
+through the LiveConnect, should implement this interface.
+
+@see Context#setClassShutter(ClassShutter)
+@since 1.5 Release 4
+@author Norris Boyd
+*/
+
+ public interface ClassShutter {
+
+    /**
+     * Return true iff the Java class with the given name should be exposed
+     * to scripts.
+     * <p>
+     * An embedding may filter which Java classes are exposed through
+     * LiveConnect to JavaScript scripts.
+     * <p>
+     * Due to the fact that there is no package reflection in Java,
+     * this method will also be called with package names. There
+     * is no way for Rhino to tell if "Packages.a.b" is a package name
+     * or a class that doesn't exist. What Rhino does is attempt
+     * to load each segment of "Packages.a.b.c": It first attempts to
+     * load class "a", then attempts to load class "a.b", then
+     * finally attempts to load class "a.b.c". On a Rhino installation
+     * without any ClassShutter set, and without any of the
+     * above classes, the expression "Packages.a.b.c" will result in
+     * a [JavaPackage a.b.c] and not an error.
+     * <p>
+     * With ClassShutter supplied, Rhino will first call
+     * visibleToScripts before attempting to look up the class name. If
+     * visibleToScripts returns false, the class name lookup is not
+     * performed and subsequent Rhino execution assumes the class is
+     * not present. So for "java.lang.System.out.println" the lookup
+     * of "java.lang.System" is skipped and thus Rhino assumes that
+     * "java.lang.System" doesn't exist. So then for "java.lang.System.out",
+     * Rhino attempts to load the class "java.lang.System.out" because
+     * it assumes that "java.lang.System" is a package name.
+     * <p>
+     * @param fullClassName the full name of the class (including the package
+     *                      name, with '.' as a delimiter). For example the
+     *                      standard string class is "java.lang.String"
+     * @return whether or not to reveal this class to scripts
+     */
+    public boolean visibleToScripts(String fullClassName);
+}
diff --git a/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/Context.java b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/Context.java
new file mode 100644
index 00000000000..57d30a3ab25
--- /dev/null
+++ b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/Context.java
@@ -0,0 +1,623 @@
+/* -*- Mode: java; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// API class
+
+package org.mozilla.javascript;
+
+import java.io.Closeable;
+import java.io.IOException;
+import java.io.Reader;
+import java.util.Locale;
+
+/**
+ * This class represents the runtime context of an executing script.
+ *
+ * Before executing a script, an instance of Context must be created
+ * and associated with the thread that will be executing the script.
+ * The Context will be used to store information about the executing
+ * of the script such as the call stack. Contexts are associated with
+ * the current thread  using the {@link #call(ContextAction)}
+ * or {@link #enter()} methods.<p>
+ *
+ * Different forms of script execution are supported. Scripts may be
+ * evaluated from the source directly, or first compiled and then later
+ * executed. Interactive execution is also supported.<p>
+ *
+ * Some aspects of script execution, such as type conversions and
+ * object creation, may be accessed directly through methods of
+ * Context.
+ *
+ * @see Scriptable
+ * @author Norris Boyd
+ * @author Brendan Eich
+ */
+
+public class Context
+    implements Closeable
+{
+    /**
+     * Creates a new Context. The context will be associated with the {@link
+     * ContextFactory#getGlobal() global context factory}.
+     *
+     * Note that the Context must be associated with a thread before
+     * it can be used to execute a script.
+     * @deprecated this constructor is deprecated because it creates a
+     * dependency on a static singleton context factory. Use
+     * {@link ContextFactory#enter()} or
+     * {@link ContextFactory#call(ContextAction)} instead. If you subclass
+     * this class, consider using {@link #Context(ContextFactory)} constructor
+     * instead in the subclasses' constructors.
+     */
+    @Deprecated
+    public Context()
+    {
+    }
+
+    /**
+     * Creates a new context. Provided as a preferred super constructor for
+     * subclasses in place of the deprecated default public constructor.
+     * @param factory the context factory associated with this context (most
+     * likely, the one that created the context). Can not be null. The context
+     * features are inherited from the factory, and the context will also
+     * otherwise use its factory's services.
+     * @throws IllegalArgumentException if factory parameter is null.
+     */
+    protected Context(ContextFactory factory)
+    {
+    }
+
+    /**
+     * Get the current Context.
+     *
+     * The current Context is per-thread; this method looks up
+     * the Context associated with the current thread. <p>
+     *
+     * @return the Context associated with the current thread, or
+     *         null if no context is associated with the current
+     *         thread.
+     * @see ContextFactory#enterContext()
+     * @see ContextFactory#call(ContextAction)
+     */
+    public static Context getCurrentContext()
+    {
+        return null;
+    }
+
+    /**
+     * Same as calling {@link ContextFactory#enterContext()} on the global
+     * ContextFactory instance.
+     * @return a Context associated with the current thread
+     * @see #getCurrentContext()
+     * @see #exit()
+     * @see #call(ContextAction)
+     */
+    public static Context enter()
+    {
+        return null;
+    }
+
+    /**
+     * Get a Context associated with the current thread, using
+     * the given Context if need be.
+     * <p>
+     * The same as <code>enter()</code> except that <code>cx</code>
+     * is associated with the current thread and returned if
+     * the current thread has no associated context and <code>cx</code>
+     * is not associated with any other thread.
+     * @param cx a Context to associate with the thread if possible
+     * @return a Context associated with the current thread
+     * @deprecated use {@link ContextFactory#enterContext(Context)} instead as
+     * this method relies on usage of a static singleton "global" ContextFactory.
+     * @see ContextFactory#enterContext(Context)
+     * @see ContextFactory#call(ContextAction)
+     */
+    @Deprecated
+    public static Context enter(Context cx)
+    {
+        return null;
+    }
+
+    static final Context enter(Context cx, ContextFactory factory)
+    {
+        return null;
+    }
+
+    /**
+     * Exit a block of code requiring a Context.
+     *
+     * Calling <code>exit()</code> will remove the association between
+     * the current thread and a Context if the prior call to
+     * {@link ContextFactory#enterContext()} on this thread newly associated a
+     * Context with this thread. Once the current thread no longer has an
+     * associated Context, it cannot be used to execute JavaScript until it is
+     * again associated with a Context.
+     * @see ContextFactory#enterContext()
+     */
+    public static void exit()
+    {
+    }
+
+    @Override
+    public void close() {
+    }
+
+    /**
+     * Return {@link ContextFactory} instance used to create this Context.
+     */
+    public final ContextFactory getFactory()
+    {
+        return null;
+    }
+
+    /**
+     * Checks if this is a sealed Context. A sealed Context instance does not
+     * allow to modify any of its properties and will throw an exception
+     * on any such attempt.
+     * @see #seal(Object sealKey)
+     */
+    public final boolean isSealed()
+    {
+        return false;
+    }
+
+    /**
+     * Seal this Context object so any attempt to modify any of its properties
+     * including calling {@link #enter()} and {@link #exit()} methods will
+     * throw an exception.
+     * <p>
+     * If <code>sealKey</code> is not null, calling
+     * {@link #unseal(Object sealKey)} with the same key unseals
+     * the object. If <code>sealKey</code> is null, unsealing is no longer possible.
+     *
+     * @see #isSealed()
+     * @see #unseal(Object)
+     */
+    public final void seal(Object sealKey)
+    {
+    }
+
+    /**
+     * Unseal previously sealed Context object.
+     * The <code>sealKey</code> argument should not be null and should match
+     * <code>sealKey</code> suplied with the last call to
+     * {@link #seal(Object)} or an exception will be thrown.
+     *
+     * @see #isSealed()
+     * @see #seal(Object sealKey)
+     */
+    public final void unseal(Object sealKey)
+    {
+    }
+
+    /**
+     * Get the current language version.
+     * <p>
+     * The language version number affects JavaScript semantics as detailed
+     * in the overview documentation.
+     *
+     * @return an integer that is one of VERSION_1_0, VERSION_1_1, etc.
+     */
+    public final int getLanguageVersion()
+    {
+       return -1;
+    }
+
+    /**
+     * Set the language version.
+     *
+     * <p>
+     * Setting the language version will affect functions and scripts compiled
+     * subsequently. See the overview documentation for version-specific
+     * behavior.
+     *
+     * @param version the version as specified by VERSION_1_0, VERSION_1_1, etc.
+     */
+    public void setLanguageVersion(int version)
+    {
+    }
+
+    public static boolean isValidLanguageVersion(int version)
+    {
+        return false;
+    }
+
+    public static void checkLanguageVersion(int version)
+    {
+    }
+
+    /**
+     * Get the implementation version.
+     *
+     * <p>
+     * The implementation version is of the form
+     * <pre>
+     *    "<i>name langVer</i> <code>release</code> <i>relNum date</i>"
+     * </pre>
+     * where <i>name</i> is the name of the product, <i>langVer</i> is
+     * the language version, <i>relNum</i> is the release number, and
+     * <i>date</i> is the release date for that specific
+     * release in the form "yyyy mm dd".
+     *
+     * @return a string that encodes the product, language version, release
+     *         number, and date.
+     */
+    public final String getImplementationVersion() {
+        return null;
+    }
+
+    /**
+     * Initialize the standard objects.
+     *
+     * Creates instances of the standard objects and their constructors
+     * (Object, String, Number, Date, etc.), setting up 'scope' to act
+     * as a global object as in ECMA 15.1.<p>
+     *
+     * This method must be called to initialize a scope before scripts
+     * can be evaluated in that scope.<p>
+     *
+     * This method does not affect the Context it is called upon.
+     *
+     * @return the initialized scope
+     */
+    public final ScriptableObject initStandardObjects()
+    {
+        return null;
+    }
+
+    /**
+     * Initialize the standard objects, leaving out those that offer access directly
+     * to Java classes. This sets up "scope" to have access to all the standard
+     * JavaScript classes, but does not create global objects for any top-level
+     * Java packages. In addition, the "Packages," "JavaAdapter," and
+     * "JavaImporter" classes, and the "getClass" function, are not
+     * initialized.
+     *
+     * The result of this function is a scope that may be safely used in a "sandbox"
+     * environment where it is not desirable to give access to Java code from JavaScript.
+     *
+     * Creates instances of the standard objects and their constructors
+     * (Object, String, Number, Date, etc.), setting up 'scope' to act
+     * as a global object as in ECMA 15.1.<p>
+     *
+     * This method must be called to initialize a scope before scripts
+     * can be evaluated in that scope.<p>
+     *
+     * This method does not affect the Context it is called upon.
+     *
+     * @return the initialized scope
+     */
+    public final ScriptableObject initSafeStandardObjects()
+    {
+        return null;
+    }
+
+    /**
+     * Initialize the standard objects.
+     *
+     * Creates instances of the standard objects and their constructors
+     * (Object, String, Number, Date, etc.), setting up 'scope' to act
+     * as a global object as in ECMA 15.1.<p>
+     *
+     * This method must be called to initialize a scope before scripts
+     * can be evaluated in that scope.<p>
+     *
+     * This method does not affect the Context it is called upon.
+     *
+     * @param scope the scope to initialize, or null, in which case a new
+     *        object will be created to serve as the scope
+     * @return the initialized scope. The method returns the value of the scope
+     *         argument if it is not null or newly allocated scope object which
+     *         is an instance {@link ScriptableObject}.
+     */
+    public final Scriptable initStandardObjects(ScriptableObject scope)
+    {
+        return null;
+    }
+
+    /**
+     * Initialize the standard objects, leaving out those that offer access directly
+     * to Java classes. This sets up "scope" to have access to all the standard
+     * JavaScript classes, but does not create global objects for any top-level
+     * Java packages. In addition, the "Packages," "JavaAdapter," and
+     * "JavaImporter" classes, and the "getClass" function, are not
+     * initialized.
+     *
+     * The result of this function is a scope that may be safely used in a "sandbox"
+     * environment where it is not desirable to give access to Java code from JavaScript.
+     *
+     * Creates instances of the standard objects and their constructors
+     * (Object, String, Number, Date, etc.), setting up 'scope' to act
+     * as a global object as in ECMA 15.1.<p>
+     *
+     * This method must be called to initialize a scope before scripts
+     * can be evaluated in that scope.<p>
+     *
+     * This method does not affect the Context it is called upon.
+     *
+     * @param scope the scope to initialize, or null, in which case a new
+     *        object will be created to serve as the scope
+     * @return the initialized scope. The method returns the value of the scope
+     *         argument if it is not null or newly allocated scope object which
+     *         is an instance {@link ScriptableObject}.
+     */
+    public final Scriptable initSafeStandardObjects(ScriptableObject scope)
+    {
+        return null;
+    }
+
+    /**
+     * Initialize the standard objects.
+     *
+     * Creates instances of the standard objects and their constructors
+     * (Object, String, Number, Date, etc.), setting up 'scope' to act
+     * as a global object as in ECMA 15.1.<p>
+     *
+     * This method must be called to initialize a scope before scripts
+     * can be evaluated in that scope.<p>
+     *
+     * This method does not affect the Context it is called upon.<p>
+     *
+     * This form of the method also allows for creating "sealed" standard
+     * objects. An object that is sealed cannot have properties added, changed,
+     * or removed. This is useful to create a "superglobal" that can be shared
+     * among several top-level objects. Note that sealing is not allowed in
+     * the current ECMA/ISO language specification, but is likely for
+     * the next version.
+     *
+     * @param scope the scope to initialize, or null, in which case a new
+     *        object will be created to serve as the scope
+     * @param sealed whether or not to create sealed standard objects that
+     *        cannot be modified.
+     * @return the initialized scope. The method returns the value of the scope
+     *         argument if it is not null or newly allocated scope object.
+     * @since 1.4R3
+     */
+    public ScriptableObject initStandardObjects(ScriptableObject scope,
+                                                boolean sealed)
+    {
+        return null;
+    }
+
+    /**
+     * Initialize the standard objects, leaving out those that offer access directly
+     * to Java classes. This sets up "scope" to have access to all the standard
+     * JavaScript classes, but does not create global objects for any top-level
+     * Java packages. In addition, the "Packages," "JavaAdapter," and
+     * "JavaImporter" classes, and the "getClass" function, are not
+     * initialized.
+     *
+     * The result of this function is a scope that may be safely used in a "sandbox"
+     * environment where it is not desirable to give access to Java code from JavaScript.
+     *
+     * Creates instances of the standard objects and their constructors
+     * (Object, String, Number, Date, etc.), setting up 'scope' to act
+     * as a global object as in ECMA 15.1.<p>
+     *
+     * This method must be called to initialize a scope before scripts
+     * can be evaluated in that scope.<p>
+     *
+     * This method does not affect the Context it is called upon.<p>
+     *
+     * This form of the method also allows for creating "sealed" standard
+     * objects. An object that is sealed cannot have properties added, changed,
+     * or removed. This is useful to create a "superglobal" that can be shared
+     * among several top-level objects. Note that sealing is not allowed in
+     * the current ECMA/ISO language specification, but is likely for
+     * the next version.
+     *
+     * @param scope the scope to initialize, or null, in which case a new
+     *        object will be created to serve as the scope
+     * @param sealed whether or not to create sealed standard objects that
+     *        cannot be modified.
+     * @return the initialized scope. The method returns the value of the scope
+     *         argument if it is not null or newly allocated scope object.
+     * @since 1.7.6
+     */
+    public ScriptableObject initSafeStandardObjects(ScriptableObject scope,
+                                                    boolean sealed)
+    {
+        return null;
+    }
+
+    /**
+     * Get the singleton object that represents the JavaScript Undefined value.
+     */
+    public static Object getUndefinedValue()
+    {
+        return null;
+    }
+
+    /**
+     * Evaluate a JavaScript source string.
+     *
+     * The provided source name and line number are used for error messages
+     * and for producing debug information.
+     *
+     * @param scope the scope to execute in
+     * @param source the JavaScript source
+     * @param sourceName a string describing the source, such as a filename
+     * @param lineno the starting line number
+     * @param securityDomain an arbitrary object that specifies security
+     *        information about the origin or owner of the script. For
+     *        implementations that don't care about security, this value
+     *        may be null.
+     * @return the result of evaluating the string
+     * @see org.mozilla.javascript.SecurityController
+     */
+    public final Object evaluateString(Scriptable scope, String source,
+                                       String sourceName, int lineno,
+                                       Object securityDomain)
+    {
+        return null;
+    }
+
+    /**
+     * Evaluate a reader as JavaScript source.
+     *
+     * All characters of the reader are consumed.
+     *
+     * @param scope the scope to execute in
+     * @param in the Reader to get JavaScript source from
+     * @param sourceName a string describing the source, such as a filename
+     * @param lineno the starting line number
+     * @param securityDomain an arbitrary object that specifies security
+     *        information about the origin or owner of the script. For
+     *        implementations that don't care about security, this value
+     *        may be null.
+     * @return the result of evaluating the source
+     *
+     * @exception IOException if an IOException was generated by the Reader
+     */
+    public final Object evaluateReader(Scriptable scope, Reader in,
+                                       String sourceName, int lineno,
+                                       Object securityDomain)
+        throws IOException
+    {
+        return null;
+    }
+
+    /**
+     * Convert the value to a JavaScript boolean value.
+     * <p>
+     * See ECMA 9.2.
+     *
+     * @param value a JavaScript value
+     * @return the corresponding boolean value converted using
+     *         the ECMA rules
+     */
+    public static boolean toBoolean(Object value)
+    {
+        return false;
+    }
+
+    /**
+     * Convert the value to a JavaScript Number value.
+     * <p>
+     * Returns a Java double for the JavaScript Number.
+     * <p>
+     * See ECMA 9.3.
+     *
+     * @param value a JavaScript value
+     * @return the corresponding double value converted using
+     *         the ECMA rules
+     */
+    public static double toNumber(Object value)
+    {
+        return -1;
+    }
+
+    /**
+     * Convert the value to a JavaScript String value.
+     * <p>
+     * See ECMA 9.8.
+     * <p>
+     * @param value a JavaScript value
+     * @return the corresponding String value converted using
+     *         the ECMA rules
+     */
+    public static String toString(Object value)
+    {
+        return null;
+    }
+
+    /**
+     * Convert the value to an JavaScript object value.
+     * <p>
+     * Note that a scope must be provided to look up the constructors
+     * for Number, Boolean, and String.
+     * <p>
+     * See ECMA 9.9.
+     * <p>
+     * Additionally, arbitrary Java objects and classes will be
+     * wrapped in a Scriptable object with its Java fields and methods
+     * reflected as JavaScript properties of the object.
+     *
+     * @param value any Java object
+     * @param scope global scope containing constructors for Number,
+     *              Boolean, and String
+     * @return new JavaScript object
+     */
+    public static Scriptable toObject(Object value, Scriptable scope)
+    {
+        return null;
+    }
+
+    /**
+     * Convenient method to convert java value to its closest representation
+     * in JavaScript.
+     * <p>
+     * If value is an instance of String, Number, Boolean, Function or
+     * Scriptable, it is returned as it and will be treated as the corresponding
+     * JavaScript type of string, number, boolean, function and object.
+     * <p>
+     * Note that for Number instances during any arithmetic operation in
+     * JavaScript the engine will always use the result of
+     * <code>Number.doubleValue()</code> resulting in a precision loss if
+     * the number can not fit into double.
+     * <p>
+     * If value is an instance of Character, it will be converted to string of
+     * length 1 and its JavaScript type will be string.
+     * <p>
+     * The rest of values will be wrapped as LiveConnect objects
+     * by calling {@link WrapFactory#wrap(Context cx, Scriptable scope,
+     * Object obj, Class staticType)} as in:
+     * <pre>
+     *    Context cx = Context.getCurrentContext();
+     *    return cx.getWrapFactory().wrap(cx, scope, value, null);
+     * </pre>
+     *
+     * @param value any Java object
+     * @param scope top scope object
+     * @return value suitable to pass to any API that takes JavaScript values.
+     */
+    public static Object javaToJS(Object value, Scriptable scope)
+    {
+        return null;
+    }
+
+    /**
+     * Convert a JavaScript value into the desired type.
+     * Uses the semantics defined with LiveConnect3 and throws an
+     * Illegal argument exception if the conversion cannot be performed.
+     * @param value the JavaScript value to convert
+     * @param desiredType the Java type to convert to. Primitive Java
+     *        types are represented using the TYPE fields in the corresponding
+     *        wrapper class in java.lang.
+     * @return the converted value
+     * @throws EvaluatorException if the conversion cannot be performed
+     */
+    public static Object jsToJava(Object value, Class<?> desiredType)
+    {
+        return null;
+    }
+
+    /**
+     * Set the LiveConnect access filter for this context.
+     * <p> {@link ClassShutter} may only be set if it is currently null.
+     * Otherwise a SecurityException is thrown.
+     * @param shutter a ClassShutter object
+     * @throws SecurityException if there is already a ClassShutter
+     *         object for this Context
+     */
+    public synchronized final void setClassShutter(ClassShutter shutter)
+    {
+    }
+
+    final synchronized ClassShutter getClassShutter()
+    {
+        return null;
+    }
+
+    public interface ClassShutterSetter {
+        public void setClassShutter(ClassShutter shutter);
+        public ClassShutter getClassShutter();
+    }
+
+    public final synchronized ClassShutterSetter getClassShutterSetter() {
+        return null;
+    }
+}
diff --git a/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/ContextFactory.java b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/ContextFactory.java
new file mode 100644
index 00000000000..a7f83f2095d
--- /dev/null
+++ b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/ContextFactory.java
@@ -0,0 +1,314 @@
+/* -*- Mode: java; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// API class
+
+package org.mozilla.javascript;
+
+/**
+ * Factory class that Rhino runtime uses to create new {@link Context}
+ * instances.  A <code>ContextFactory</code> can also notify listeners
+ * about context creation and release.
+ * <p>
+ * When the Rhino runtime needs to create new {@link Context} instance during
+ * execution of {@link Context#enter()} or {@link Context}, it will call
+ * {@link #makeContext()} of the current global ContextFactory.
+ * See {@link #getGlobal()} and {@link #initGlobal(ContextFactory)}.
+ * <p>
+ * It is also possible to use explicit ContextFactory instances for Context
+ * creation. This is useful to have a set of independent Rhino runtime
+ * instances under single JVM. See {@link #call(ContextAction)}.
+ * <p>
+ * The following example demonstrates Context customization to terminate
+ * scripts running more then 10 seconds and to provide better compatibility
+ * with JavaScript code using MSIE-specific features.
+ * <pre>
+ * import org.mozilla.javascript.*;
+ *
+ * class MyFactory extends ContextFactory
+ * {
+ *
+ *     // Custom {@link Context} to store execution time.
+ *     private static class MyContext extends Context
+ *     {
+ *         long startTime;
+ *     }
+ *
+ *     static {
+ *         // Initialize GlobalFactory with custom factory
+ *         ContextFactory.initGlobal(new MyFactory());
+ *     }
+ *
+ *     // Override {@link #makeContext()}
+ *     protected Context makeContext()
+ *     {
+ *         MyContext cx = new MyContext();
+ *         // Make Rhino runtime to call observeInstructionCount
+ *         // each 10000 bytecode instructions
+ *         cx.setInstructionObserverThreshold(10000);
+ *         return cx;
+ *     }
+ *
+ *     // Override {@link #hasFeature(Context, int)}
+ *     public boolean hasFeature(Context cx, int featureIndex)
+ *     {
+ *         // Turn on maximum compatibility with MSIE scripts
+ *         switch (featureIndex) {
+ *             case {@link Context#FEATURE_NON_ECMA_GET_YEAR}:
+ *                 return true;
+ *
+ *             case {@link Context#FEATURE_MEMBER_EXPR_AS_FUNCTION_NAME}:
+ *                 return true;
+ *
+ *             case {@link Context#FEATURE_RESERVED_KEYWORD_AS_IDENTIFIER}:
+ *                 return true;
+ *
+ *             case {@link Context#FEATURE_PARENT_PROTO_PROPERTIES}:
+ *                 return false;
+ *         }
+ *         return super.hasFeature(cx, featureIndex);
+ *     }
+ *
+ *     // Override {@link #observeInstructionCount(Context, int)}
+ *     protected void observeInstructionCount(Context cx, int instructionCount)
+ *     {
+ *         MyContext mcx = (MyContext)cx;
+ *         long currentTime = System.currentTimeMillis();
+ *         if (currentTime - mcx.startTime &gt; 10*1000) {
+ *             // More then 10 seconds from Context creation time:
+ *             // it is time to stop the script.
+ *             // Throw Error instance to ensure that script will never
+ *             // get control back through catch or finally.
+ *             throw new Error();
+ *         }
+ *     }
+ *
+ *     // Override {@link #doTopCall(Callable,
+                               Context, Scriptable,
+                               Scriptable, Object[])}
+ *     protected Object doTopCall(Callable callable,
+ *                                Context cx, Scriptable scope,
+ *                                Scriptable thisObj, Object[] args)
+ *     {
+ *         MyContext mcx = (MyContext)cx;
+ *         mcx.startTime = System.currentTimeMillis();
+ *
+ *         return super.doTopCall(callable, cx, scope, thisObj, args);
+ *     }
+ *
+ * }
+ * </pre>
+ */
+
+public class ContextFactory
+{
+
+    /**
+     * Listener of {@link Context} creation and release events.
+     */
+    public interface Listener
+    {
+        /**
+         * Notify about newly created {@link Context} object.
+         */
+        public void contextCreated(Context cx);
+
+        /**
+         * Notify that the specified {@link Context} instance is no longer
+         * associated with the current thread.
+         */
+        public void contextReleased(Context cx);
+    }
+
+    /**
+     * Get global ContextFactory.
+     *
+     * @see #hasExplicitGlobal()
+     * @see #initGlobal(ContextFactory)
+     */
+    public static ContextFactory getGlobal()
+    {
+        return null;
+    }
+
+    /**
+     * Check if global factory was set.
+     * Return true to indicate that {@link #initGlobal(ContextFactory)} was
+     * already called and false to indicate that the global factory was not
+     * explicitly set.
+     *
+     * @see #getGlobal()
+     * @see #initGlobal(ContextFactory)
+     */
+    public static boolean hasExplicitGlobal()
+    {
+        return false;
+    }
+
+    /**
+     * Set global ContextFactory.
+     * The method can only be called once.
+     *
+     * @see #getGlobal()
+     * @see #hasExplicitGlobal()
+     */
+    public synchronized static void initGlobal(ContextFactory factory)
+    {
+    }
+
+    public interface GlobalSetter {
+        public void setContextFactoryGlobal(ContextFactory factory);
+        public ContextFactory getContextFactoryGlobal();
+    }
+
+    public synchronized static GlobalSetter getGlobalSetter() {
+        return null;
+    }
+
+    /**
+     * Create new {@link Context} instance to be associated with the current
+     * thread.
+     * This is a callback method used by Rhino to create {@link Context}
+     * instance when it is necessary to associate one with the current
+     * execution thread. <code>makeContext()</code> is allowed to call
+     * {@link Context#seal(Object)} on the result to prevent
+     * {@link Context} changes by hostile scripts or applets.
+     */
+    protected Context makeContext()
+    {
+        return null;
+    }
+
+    /**
+     * Implementation of {@link Context#hasFeature(int featureIndex)}.
+     * This can be used to customize {@link Context} without introducing
+     * additional subclasses.
+     */
+    protected boolean hasFeature(Context cx, int featureIndex)
+    {
+        return false;
+    }
+
+    /**
+     * Get ClassLoader to use when searching for Java classes.
+     * Unless it was explicitly initialized with
+     * {@link #initApplicationClassLoader(ClassLoader)} the method returns
+     * null to indicate that Thread.getContextClassLoader() should be used.
+     */
+    public final ClassLoader getApplicationClassLoader()
+    {
+        return null;
+    }
+
+    /**
+     * Set explicit class loader to use when searching for Java classes.
+     *
+     * @see #getApplicationClassLoader()
+     */
+    public final void initApplicationClassLoader(ClassLoader loader)
+    {
+    }
+
+    /**
+     * Checks if this is a sealed ContextFactory.
+     * @see #seal()
+     */
+    public final boolean isSealed()
+    {
+        return false;
+    }
+
+    /**
+     * Seal this ContextFactory so any attempt to modify it like to add or
+     * remove its listeners will throw an exception.
+     * @see #isSealed()
+     */
+    public final void seal()
+    {
+    }
+
+    /**
+     * Get a context associated with the current thread, creating one if need
+     * be. The Context stores the execution state of the JavaScript engine, so
+     * it is required that the context be entered before execution may begin.
+     * Once a thread has entered a Context, then getCurrentContext() may be
+     * called to find the context that is associated with the current thread.
+     * <p>
+     * Calling <code>enterContext()</code> will return either the Context
+     * currently associated with the thread, or will create a new context and
+     * associate it with the current thread. Each call to
+     * <code>enterContext()</code> must have a matching call to
+     * {@link Context#exit()}.
+     * <pre>
+     *      Context cx = contextFactory.enterContext();
+     *      try {
+     *          ...
+     *          cx.evaluateString(...);
+     *      } finally {
+     *          Context.exit();
+     *      }
+     * </pre>
+     * Instead of using <code>enterContext()</code>, <code>exit()</code> pair consider
+     * using {@link #call(ContextAction)} which guarantees proper association
+     * of Context instances with the current thread.
+     * With this method the above example becomes:
+     * <pre>
+     *      ContextFactory.call(new ContextAction() {
+     *          public Object run(Context cx) {
+     *              ...
+     *              cx.evaluateString(...);
+     *              return null;
+     *          }
+     *      });
+     * </pre>
+     * @return a Context associated with the current thread
+     * @see Context#getCurrentContext()
+     * @see Context#exit()
+     * @see #call(ContextAction)
+     */
+    public Context enterContext()
+    {
+        return null;
+    }
+
+    /**
+     * @deprecated use {@link #enterContext()} instead
+     * @return a Context associated with the current thread
+     */
+    @Deprecated
+    public final Context enter()
+    {
+        return null;
+    }
+
+    /**
+     * @deprecated Use {@link Context#exit()} instead.
+     */
+    @Deprecated
+    public final void exit()
+    {
+    }
+
+    /**
+     * Get a Context associated with the current thread, using the given
+     * Context if need be.
+     * <p>
+     * The same as <code>enterContext()</code> except that <code>cx</code>
+     * is associated with the current thread and returned if the current thread
+     * has no associated context and <code>cx</code> is not associated with any
+     * other thread.
+     * @param cx a Context to associate with the thread if possible
+     * @return a Context associated with the current thread
+     * @see #enterContext()
+     * @see #call(ContextAction)
+     * @throws IllegalStateException if <code>cx</code> is already associated
+     * with a different thread
+     */
+    public final Context enterContext(Context cx)
+    {
+        return null;
+    }
+}
diff --git a/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/RhinoException.java b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/RhinoException.java
new file mode 100644
index 00000000000..b11befb4a63
--- /dev/null
+++ b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/RhinoException.java
@@ -0,0 +1,15 @@
+/* -*- Mode: java; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+
+package org.mozilla.javascript;
+
+/**
+ * The class of exceptions thrown by the JavaScript engine.
+ */
+public abstract class RhinoException extends RuntimeException
+{
+}
diff --git a/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/Scriptable.java b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/Scriptable.java
new file mode 100644
index 00000000000..34616f7ad74
--- /dev/null
+++ b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/Scriptable.java
@@ -0,0 +1,304 @@
+/* -*- Mode: java; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// API class
+
+package org.mozilla.javascript;
+
+/**
+ * This is interface that all objects in JavaScript must implement.
+ * The interface provides for the management of properties and for
+ * performing conversions.
+ * <p>
+ * Host system implementors may find it easier to extend the ScriptableObject
+ * class rather than implementing Scriptable when writing host objects.
+ * <p>
+ * There are many static methods defined in ScriptableObject that perform
+ * the multiple calls to the Scriptable interface needed in order to
+ * manipulate properties in prototype chains.
+ * <p>
+ *
+ * @see org.mozilla.javascript.ScriptableObject
+ * @author Norris Boyd
+ * @author Nick Thompson
+ * @author Brendan Eich
+ */
+
+public interface Scriptable {
+
+    /**
+     * Get the name of the set of objects implemented by this Java class.
+     * This corresponds to the [[Class]] operation in ECMA and is used
+     * by Object.prototype.toString() in ECMA.<p>
+     * See ECMA 8.6.2 and 15.2.4.2.
+     */
+    public String getClassName();
+
+    /**
+     * Get a named property from the object.
+     *
+     * Looks property up in this object and returns the associated value
+     * if found. Returns NOT_FOUND if not found.
+     * Note that this method is not expected to traverse the prototype
+     * chain. This is different from the ECMA [[Get]] operation.
+     *
+     * Depending on the property selector, the runtime will call
+     * this method or the form of <code>get</code> that takes an
+     * integer:
+     * <table>
+     * <tr><th>JavaScript code</th><th>Java code</th></tr>
+     * <tr><td>a.b      </td><td>a.get("b", a)</td></tr>
+     * <tr><td>a["foo"] </td><td>a.get("foo", a)</td></tr>
+     * <tr><td>a[3]     </td><td>a.get(3, a)</td></tr>
+     * <tr><td>a["3"]   </td><td>a.get(3, a)</td></tr>
+     * <tr><td>a[3.0]   </td><td>a.get(3, a)</td></tr>
+     * <tr><td>a["3.0"] </td><td>a.get("3.0", a)</td></tr>
+     * <tr><td>a[1.1]   </td><td>a.get("1.1", a)</td></tr>
+     * <tr><td>a[-4]    </td><td>a.get(-4, a)</td></tr>
+     * </table>
+     * <p>
+     * The values that may be returned are limited to the following:
+     * <UL>
+     * <LI>java.lang.Boolean objects</LI>
+     * <LI>java.lang.String objects</LI>
+     * <LI>java.lang.Number objects</LI>
+     * <LI>org.mozilla.javascript.Scriptable objects</LI>
+     * <LI>null</LI>
+     * <LI>The value returned by Context.getUndefinedValue()</LI>
+     * <LI>NOT_FOUND</LI>
+     * </UL>
+     * @param name the name of the property
+     * @param start the object in which the lookup began
+     * @return the value of the property (may be null), or NOT_FOUND
+     * @see org.mozilla.javascript.Context#getUndefinedValue
+     */
+    public Object get(String name, Scriptable start);
+
+    /**
+     * Get a property from the object selected by an integral index.
+     *
+     * Identical to <code>get(String, Scriptable)</code> except that
+     * an integral index is used to select the property.
+     *
+     * @param index the numeric index for the property
+     * @param start the object in which the lookup began
+     * @return the value of the property (may be null), or NOT_FOUND
+     * @see org.mozilla.javascript.Scriptable#get(String,Scriptable)
+     */
+    public Object get(int index, Scriptable start);
+
+    /**
+     * Indicates whether or not a named property is defined in an object.
+     *
+     * Does not traverse the prototype chain.<p>
+     *
+     * The property is specified by a String name
+     * as defined for the <code>get</code> method.<p>
+     *
+     * @param name the name of the property
+     * @param start the object in which the lookup began
+     * @return true if and only if the named property is found in the object
+     * @see org.mozilla.javascript.Scriptable#get(String, Scriptable)
+     * @see org.mozilla.javascript.ScriptableObject#getProperty(Scriptable, String)
+     */
+    public boolean has(String name, Scriptable start);
+
+    /**
+     * Indicates whether or not an indexed  property is defined in an object.
+     *
+     * Does not traverse the prototype chain.<p>
+     *
+     * The property is specified by an integral index
+     * as defined for the <code>get</code> method.<p>
+     *
+     * @param index the numeric index for the property
+     * @param start the object in which the lookup began
+     * @return true if and only if the indexed property is found in the object
+     * @see org.mozilla.javascript.Scriptable#get(int, Scriptable)
+     * @see org.mozilla.javascript.ScriptableObject#getProperty(Scriptable, int)
+     */
+    public boolean has(int index, Scriptable start);
+
+    /**
+     * Sets a named property in this object.
+     * <p>
+     * The property is specified by a string name
+     * as defined for <code>get</code>.
+     * <p>
+     * The possible values that may be passed in are as defined for
+     * <code>get</code>. A class that implements this method may choose
+     * to ignore calls to set certain properties, in which case those
+     * properties are effectively read-only.<p>
+     * For properties defined in a prototype chain,
+     * use <code>putProperty</code> in ScriptableObject. <p>
+     * Note that if a property <i>a</i> is defined in the prototype <i>p</i>
+     * of an object <i>o</i>, then evaluating <code>o.a = 23</code> will cause
+     * <code>set</code> to be called on the prototype <i>p</i> with
+     * <i>o</i> as the  <i>start</i> parameter.
+     * To preserve JavaScript semantics, it is the Scriptable
+     * object's responsibility to modify <i>o</i>. <p>
+     * This design allows properties to be defined in prototypes and implemented
+     * in terms of getters and setters of Java values without consuming slots
+     * in each instance.
+     * <p>
+     * The values that may be set are limited to the following:
+     * <UL>
+     * <LI>java.lang.Boolean objects</LI>
+     * <LI>java.lang.String objects</LI>
+     * <LI>java.lang.Number objects</LI>
+     * <LI>org.mozilla.javascript.Scriptable objects</LI>
+     * <LI>null</LI>
+     * <LI>The value returned by Context.getUndefinedValue()</LI>
+     * </UL><p>
+     * Arbitrary Java objects may be wrapped in a Scriptable by first calling
+     * <code>Context.toObject</code>. This allows the property of a JavaScript
+     * object to contain an arbitrary Java object as a value.<p>
+     * Note that <code>has</code> will be called by the runtime first before
+     * <code>set</code> is called to determine in which object the
+     * property is defined.
+     * Note that this method is not expected to traverse the prototype chain,
+     * which is different from the ECMA [[Put]] operation.
+     * @param name the name of the property
+     * @param start the object whose property is being set
+     * @param value value to set the property to
+     * @see org.mozilla.javascript.Scriptable#has(String, Scriptable)
+     * @see org.mozilla.javascript.Scriptable#get(String, Scriptable)
+     * @see org.mozilla.javascript.ScriptableObject#putProperty(Scriptable, String, Object)
+     * @see org.mozilla.javascript.Context#toObject(Object, Scriptable)
+     */
+    public void put(String name, Scriptable start, Object value);
+
+    /**
+     * Sets an indexed property in this object.
+     * <p>
+     * The property is specified by an integral index
+     * as defined for <code>get</code>.<p>
+     *
+     * Identical to <code>put(String, Scriptable, Object)</code> except that
+     * an integral index is used to select the property.
+     *
+     * @param index the numeric index for the property
+     * @param start the object whose property is being set
+     * @param value value to set the property to
+     * @see org.mozilla.javascript.Scriptable#has(int, Scriptable)
+     * @see org.mozilla.javascript.Scriptable#get(int, Scriptable)
+     * @see org.mozilla.javascript.ScriptableObject#putProperty(Scriptable, int, Object)
+     * @see org.mozilla.javascript.Context#toObject(Object, Scriptable)
+     */
+    public void put(int index, Scriptable start, Object value);
+
+    /**
+     * Removes a property from this object.
+     * This operation corresponds to the ECMA [[Delete]] except that
+     * the no result is returned. The runtime will guarantee that this
+     * method is called only if the property exists. After this method
+     * is called, the runtime will call Scriptable.has to see if the
+     * property has been removed in order to determine the boolean
+     * result of the delete operator as defined by ECMA 11.4.1.
+     * <p>
+     * A property can be made permanent by ignoring calls to remove
+     * it.<p>
+     * The property is specified by a String name
+     * as defined for <code>get</code>.
+     * <p>
+     * To delete properties defined in a prototype chain,
+     * see deleteProperty in ScriptableObject.
+     * @param name the identifier for the property
+     * @see org.mozilla.javascript.Scriptable#get(String, Scriptable)
+     * @see org.mozilla.javascript.ScriptableObject#deleteProperty(Scriptable, String)
+     */
+    public void delete(String name);
+
+    /**
+     * Removes a property from this object.
+     *
+     * The property is specified by an integral index
+     * as defined for <code>get</code>.
+     * <p>
+     * To delete properties defined in a prototype chain,
+     * see deleteProperty in ScriptableObject.
+     *
+     * Identical to <code>delete(String)</code> except that
+     * an integral index is used to select the property.
+     *
+     * @param index the numeric index for the property
+     * @see org.mozilla.javascript.Scriptable#get(int, Scriptable)
+     * @see org.mozilla.javascript.ScriptableObject#deleteProperty(Scriptable, int)
+     */
+    public void delete(int index);
+
+    /**
+     * Get the prototype of the object.
+     * @return the prototype
+     */
+    public Scriptable getPrototype();
+
+    /**
+     * Set the prototype of the object.
+     * @param prototype the prototype to set
+     */
+    public void setPrototype(Scriptable prototype);
+
+    /**
+     * Get the parent scope of the object.
+     * @return the parent scope
+     */
+    public Scriptable getParentScope();
+
+    /**
+     * Set the parent scope of the object.
+     * @param parent the parent scope to set
+     */
+    public void setParentScope(Scriptable parent);
+
+    /**
+     * Get an array of property ids.
+     *
+     * Not all property ids need be returned. Those properties
+     * whose ids are not returned are considered non-enumerable.
+     *
+     * @return an array of Objects. Each entry in the array is either
+     *         a java.lang.String or a java.lang.Number
+     */
+    public Object[] getIds();
+
+    /**
+     * Get the default value of the object with a given hint.
+     * The hints are String.class for type String, Number.class for type
+     * Number, Scriptable.class for type Object, and Boolean.class for
+     * type Boolean. <p>
+     *
+     * A <code>hint</code> of null means "no hint".
+     *
+     * See ECMA 8.6.2.6.
+     *
+     * @param hint the type hint
+     * @return the default value
+     */
+    public Object getDefaultValue(Class<?> hint);
+
+    /**
+     * The instanceof operator.
+     *
+     * <p>
+     * The JavaScript code "lhs instanceof rhs" causes rhs.hasInstance(lhs) to
+     * be called.
+     *
+     * <p>
+     * The return value is implementation dependent so that embedded host objects can
+     * return an appropriate value.  See the JS 1.3 language documentation for more
+     * detail.
+     *
+     * <p>This operator corresponds to the proposed EMCA [[HasInstance]] operator.
+     *
+     * @param instance The value that appeared on the LHS of the instanceof
+     *              operator
+     *
+     * @return an implementation dependent value
+     */
+    public boolean hasInstance(Scriptable instance);
+}
+
diff --git a/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/ScriptableObject.java b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/ScriptableObject.java
new file mode 100644
index 00000000000..298c4fc7fb0
--- /dev/null
+++ b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/ScriptableObject.java
@@ -0,0 +1,27 @@
+/* -*- Mode: java; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// API class
+
+package org.mozilla.javascript;
+
+/**
+ * This is the default implementation of the Scriptable interface. This
+ * class provides convenient default behavior that makes it easier to
+ * define host objects.
+ * <p>
+ * Various properties and methods of JavaScript objects can be conveniently
+ * defined using methods of ScriptableObject.
+ * <p>
+ * Classes extending ScriptableObject must define the getClassName method.
+ *
+ * @see org.mozilla.javascript.Scriptable
+ * @author Norris Boyd
+ */
+
+public abstract class ScriptableObject implements Scriptable
+{
+}

From 852bcfb5c7b35d98c99b0f4539f928fb8385058c Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Fri, 30 Apr 2021 03:46:23 +0000
Subject: [PATCH 1091/1429] Refactor the ScriptEngine query and the Rhino code
 injection query into one

---
 .../Security/CWE/CWE-094/RhinoInjection.qhelp | 51 ----------
 .../Security/CWE/CWE-094/RhinoInjection.ql    | 17 ----
 .../Security/CWE/CWE-094/RhinoInjection.qll   | 56 -----------
 .../Security/CWE/CWE-094/ScriptEngine.qhelp   | 26 ------
 .../Security/CWE/CWE-094/ScriptEngine.ql      | 51 ----------
 .../CWE/CWE-094/ScriptInjection.qhelp         | 49 ++++++++++
 .../Security/CWE/CWE-094/ScriptInjection.ql   | 93 +++++++++++++++++++
 .../security/CWE-094/RhinoInjection.expected  |  7 --
 .../security/CWE-094/RhinoInjection.qlref     |  1 -
 .../security/CWE-094/ScriptEngine.qlref       |  1 -
 ...gine.expected => ScriptInjection.expected} | 12 ++-
 .../security/CWE-094/ScriptInjection.qlref    |  1 +
 12 files changed, 151 insertions(+), 214 deletions(-)
 delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.qhelp
 delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.ql
 delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.qll
 delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/ScriptEngine.qhelp
 delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/ScriptEngine.ql
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.qhelp
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/RhinoInjection.expected
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/RhinoInjection.qlref
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngine.qlref
 rename java/ql/test/experimental/query-tests/security/CWE-094/{ScriptEngine.expected => ScriptInjection.expected} (75%)
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.qlref

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.qhelp
deleted file mode 100644
index 73c252ed54c..00000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.qhelp
+++ /dev/null
@@ -1,51 +0,0 @@
-<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
-<qhelp>
-
-<overview>
-<p>
-Rhino is a JavaScript engine written fully in Java and managed by the Mozilla Foundation. 
-It serves as an embedded scripting engine inside Java applications which allows 
-Java-to-JavaScript interoperability and provides a seamless integration between the two 
-languages. If an expression is built using attacker-controlled data, and then evaluated in 
-a powerful context, it may allow the attacker to run arbitrary code.
-</p>
-<p>
-Typically an expression is evaluated in the powerful context initialized with 
-<code>initStandardObjects</code> that allows an expression of arbitrary Java code to
-execute in the JVM.
-</p>
-</overview>
-
-<recommendation>
-<p>
-In general, including user input in a Rhino expression should be avoided.
-If user input must be included in the expression, it should be then evaluated in a safe
-context that doesn't allow arbitrary code invocation.
-</p>
-</recommendation>
-
-<example>
-<p>
-The following example shows two ways of using Rhino expression. In the 'BAD' case,
-an unsafe context is initialized with <code>initStandardObjects</code>. In the 'GOOD' case,
-a safe context is initialized with <code>initSafeStandardObjects</code> or 
-<code>setClassShutter</code>.
-</p>
-<sample src="RhinoInjection.java" />
-</example>
-
-<references>
-<li>
-  Mozilla Rhino:
-  <a href="https://github.com/mozilla/rhino">Rhino: JavaScript in Java</a>
-</li>
-<li>
-  Rhino Sandbox:
-  <a href="https://github.com/javadelight/delight-rhino-sandbox">A sandbox to execute JavaScript code with Rhino in Java.</a>
-</li>
-<li>
-  GuardRails:
-  <a href="https://docs.guardrails.io/docs/en/vulnerabilities/java/insecure_use_of_dangerous_function">Code Injection</a>
-</li>
-</references>
-</qhelp>
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.ql
deleted file mode 100644
index cac41244aa2..00000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.ql
+++ /dev/null
@@ -1,17 +0,0 @@
-/**
- * @name Injection in Mozilla Rhino JavaScript Engine
- * @description Evaluation of a user-controlled JavaScript or Java expression in Rhino
- *              JavaScript Engine may lead to remote code execution.
- * @kind path-problem
- * @id java/rhino-injection
- * @tags security
- *       external/cwe/cwe-094
- */
-
-import java
-import RhinoInjection
-import DataFlow::PathGraph
-
-from DataFlow::PathNode source, DataFlow::PathNode sink, RhinoInjectionConfig conf
-where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Rhino injection from $@.", source.getNode(), " user input"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.qll b/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.qll
deleted file mode 100644
index a560e340e85..00000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.qll
+++ /dev/null
@@ -1,56 +0,0 @@
-import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.dataflow.TaintTracking
-
-/** The class `org.mozilla.javascript.Context`. */
-class Context extends RefType {
-  Context() { this.hasQualifiedName("org.mozilla.javascript", "Context") }
-}
-
-/**
- * A method that evaluates a Rhino expression.
- */
-class EvaluateExpressionMethod extends Method {
-  EvaluateExpressionMethod() {
-    this.getDeclaringType().getAnAncestor*() instanceof Context and
-    (
-      hasName("evaluateString") or
-      hasName("evaluateReader")
-    )
-  }
-}
-
-/**
- * A taint-tracking configuration for unsafe user input that is used to evaluate
- * a Rhino expression.
- */
-class RhinoInjectionConfig extends TaintTracking::Configuration {
-  RhinoInjectionConfig() { this = "RhinoInjectionConfig" }
-
-  override predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource
-    or
-    source instanceof LocalUserInput
-  }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof EvaluateExpressionSink }
-}
-
-/**
- * A sink for Rhino code injection vulnerabilities.
- */
-class EvaluateExpressionSink extends DataFlow::ExprNode {
-  EvaluateExpressionSink() {
-    exists(MethodAccess ea, EvaluateExpressionMethod m | m = ea.getMethod() |
-      this.asExpr() = ea.getArgument(1) and // The second argument is the JavaScript or Java input
-      not exists(MethodAccess ca |
-        (
-          ca.getMethod().hasName("initSafeStandardObjects") // safe mode
-          or
-          ca.getMethod().hasName("setClassShutter") // `ClassShutter` constraint is enforced
-        ) and
-        ea.getQualifier() = ca.getQualifier().(VarAccess).getVariable().getAnAccess()
-      )
-    )
-  }
-}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptEngine.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptEngine.qhelp
deleted file mode 100644
index 74159c562c5..00000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptEngine.qhelp
+++ /dev/null
@@ -1,26 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-
-<overview>
-<p>The ScriptEngine API has been available since the release of Java 6.
-It allows applications to interact with scripts written in languages such as JavaScript.</p>
-</overview>
-
-<recommendation>
-<p>Use "Cloudbees Rhino Sandbox" or sandboxing with SecurityManager or use <a href="https://www.graalvm.org/">graalvm</a> instead.</p>
-</recommendation>
-
-<example>
-<p>The following code could execute random JavaScript code</p>
-<sample src="ScriptEngine.java" />
-<sample src="NashornScriptEngine.java" />
-</example>
-
-<references>
-<li>
-CERT coding standard: <a href="https://wiki.sei.cmu.edu/confluence/display/java/IDS52-J.+Prevent+code+injection">ScriptEngine code injection</a>
-</li>
-</references>
-</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptEngine.ql b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptEngine.ql
deleted file mode 100644
index 5e52a61b5c3..00000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptEngine.ql
+++ /dev/null
@@ -1,51 +0,0 @@
-/**
- * @name ScriptEngine evaluation
- * @description Malicious Javascript code could cause arbitrary command execution at the OS level
- * @kind path-problem
- * @problem.severity error
- * @precision high
- * @id java/unsafe-eval
- * @tags security
- *       external/cwe/cwe-094
- */
-
-import java
-import semmle.code.java.dataflow.FlowSources
-import DataFlow::PathGraph
-
-class ScriptEngineMethod extends Method {
-  ScriptEngineMethod() {
-    this.getDeclaringType().getASupertype*().hasQualifiedName("javax.script", "ScriptEngine") and
-    this.hasName("eval")
-  }
-}
-
-predicate scriptEngine(MethodAccess ma, Expr sink) {
-  exists(Method m | m = ma.getMethod() |
-    m instanceof ScriptEngineMethod and
-    sink = ma.getArgument(0)
-  )
-}
-
-class ScriptEngineSink extends DataFlow::ExprNode {
-  ScriptEngineSink() { scriptEngine(_, this.getExpr()) }
-
-  MethodAccess getMethodAccess() { scriptEngine(result, this.getExpr()) }
-}
-
-class ScriptEngineConfiguration extends TaintTracking::Configuration {
-  ScriptEngineConfiguration() { this = "ScriptEngineConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource
-    or
-    source instanceof LocalUserInput
-  }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof ScriptEngineSink }
-}
-
-from DataFlow::PathNode source, DataFlow::PathNode sink, ScriptEngineConfiguration conf
-where conf.hasFlowPath(source, sink)
-select sink.getNode().(ScriptEngineSink).getMethodAccess(), source, sink, "ScriptEngine eval $@.",
-  source.getNode(), "user input"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.qhelp
new file mode 100644
index 00000000000..ddc011fa658
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.qhelp
@@ -0,0 +1,49 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>The JavaScript Engine API has been available since the release of Java 6, which allows
+  applications to interact with scripts written in languages such as JavaScript. It serves
+  as an embedded scripting engine inside Java applications which allows Java-to-JavaScript
+  interoperability and provides a seamless integration between the two languages. If an 
+  expression is built using attacker-controlled data, and then evaluated in a powerful 
+  context, it may allow the attacker to run arbitrary code.</p>
+</overview>
+
+<recommendation>
+<p>In general, including user input in a JavaScript Engine expression should be avoided.
+  If user input must be included in the expression, it should be then evaluated in a safe
+  context that doesn't allow arbitrary code invocation. Use "Cloudbees Rhino Sandbox" or 
+  sandboxing with SecurityManager or use <a href="https://www.graalvm.org/">graalvm</a> 
+  instead.</p>
+</recommendation>
+
+<example>
+<p>The following code could execute random JavaScript code in <code>ScriptEngine</code></p>
+<sample src="ScriptEngine.java" />
+<sample src="NashornScriptEngine.java" />
+
+<p>The following example shows two ways of using Rhino expression. In the 'BAD' case,
+  an unsafe context is initialized with <code>initStandardObjects</code> that allows arbitrary
+  Java code to be executed. In the 'GOOD' case, a safe context is initialized with 
+  <code>initSafeStandardObjects</code> or <code>setClassShutter</code>.</p>
+  <sample src="RhinoInjection.java" />
+</example>
+
+<references>
+<li>
+CERT coding standard: <a href="https://wiki.sei.cmu.edu/confluence/display/java/IDS52-J.+Prevent+code+injection">ScriptEngine code injection</a>
+</li>
+<li>
+  Mozilla Rhino: <a href="https://github.com/mozilla/rhino">Rhino: JavaScript in Java</a>
+</li>
+<li>
+  Rhino Sandbox: <a href="https://github.com/javadelight/delight-rhino-sandbox">A sandbox to execute JavaScript code with Rhino in Java</a>
+</li>
+<li>
+  GuardRails: <a href="https://docs.guardrails.io/docs/en/vulnerabilities/java/insecure_use_of_dangerous_function">Code Injection</a>
+</li>
+</references>
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
new file mode 100644
index 00000000000..35f73fd5270
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
@@ -0,0 +1,93 @@
+/**
+ * @name Injection in JavaScript Engine
+ * @description Evaluation of a user-controlled malicious JavaScript or Java expression in
+ *              JavaScript Engine may lead to remote code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/unsafe-eval
+ * @tags security
+ *       external/cwe/cwe-094
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import DataFlow::PathGraph
+
+class ScriptEngineMethod extends Method {
+  ScriptEngineMethod() {
+    this.getDeclaringType().getASupertype*().hasQualifiedName("javax.script", "ScriptEngine") and
+    this.hasName("eval")
+  }
+}
+
+/** The context class `org.mozilla.javascript.Context` of Rhino JavaScript Engine. */
+class RhinoContext extends RefType {
+  RhinoContext() { this.hasQualifiedName("org.mozilla.javascript", "Context") }
+}
+
+/**
+ * A method that evaluates a Rhino expression.
+ */
+class RhinoEvaluateExpressionMethod extends Method {
+  RhinoEvaluateExpressionMethod() {
+    this.getDeclaringType().getAnAncestor*() instanceof RhinoContext and
+    (
+      hasName("evaluateString") or
+      hasName("evaluateReader")
+    )
+  }
+}
+
+predicate scriptEngine(MethodAccess ma, Expr sink) {
+  exists(Method m | m = ma.getMethod() |
+    m instanceof ScriptEngineMethod and
+    sink = ma.getArgument(0)
+  )
+}
+
+/**
+ * Holds if `ma` has Rhino code injection vulnerabilities.
+ */
+predicate evaluateRhinoExpression(MethodAccess ma, Expr sink) {
+  exists(RhinoEvaluateExpressionMethod m | m = ma.getMethod() |
+    sink = ma.getArgument(1) and // The second argument is the JavaScript or Java input
+    not exists(MethodAccess ca |
+      (
+        ca.getMethod().hasName("initSafeStandardObjects") // safe mode
+        or
+        ca.getMethod().hasName("setClassShutter") // `ClassShutter` constraint is enforced
+      ) and
+      ma.getQualifier() = ca.getQualifier().(VarAccess).getVariable().getAnAccess()
+    )
+  )
+}
+
+class ScriptInjectionSink extends DataFlow::ExprNode {
+  ScriptInjectionSink() {
+    scriptEngine(_, this.getExpr()) or
+    evaluateRhinoExpression(_, this.getExpr())
+  }
+
+  MethodAccess getMethodAccess() {
+    scriptEngine(result, this.getExpr()) or
+    evaluateRhinoExpression(result, this.getExpr())
+  }
+}
+
+class ScriptInjectionConfiguration extends TaintTracking::Configuration {
+  ScriptInjectionConfiguration() { this = "ScriptInjectionConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource
+    or
+    source instanceof LocalUserInput
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof ScriptInjectionSink }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, ScriptInjectionConfiguration conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode().(ScriptInjectionSink).getMethodAccess(), source, sink,
+  "JavaScript Engine evaluate $@.", source.getNode(), "user input"
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/RhinoInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/RhinoInjection.expected
deleted file mode 100644
index 4d2736c8230..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-094/RhinoInjection.expected
+++ /dev/null
@@ -1,7 +0,0 @@
-edges
-| RhinoServlet.java:25:23:25:50 | getParameter(...) : String | RhinoServlet.java:29:55:29:58 | code |
-nodes
-| RhinoServlet.java:25:23:25:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RhinoServlet.java:29:55:29:58 | code | semmle.label | code |
-#select
-| RhinoServlet.java:29:55:29:58 | code | RhinoServlet.java:25:23:25:50 | getParameter(...) : String | RhinoServlet.java:29:55:29:58 | code | Rhino injection from $@. | RhinoServlet.java:25:23:25:50 | getParameter(...) |  user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/RhinoInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-094/RhinoInjection.qlref
deleted file mode 100644
index e306dda44df..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-094/RhinoInjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-094/RhinoInjection.ql
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngine.qlref b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngine.qlref
deleted file mode 100644
index 9566c986778..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngine.qlref
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-094/ScriptEngine.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngine.expected b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.expected
similarity index 75%
rename from java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngine.expected
rename to java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.expected
index a65faafc6bd..452c2d70c57 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngine.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.expected
@@ -1,4 +1,5 @@
 edges
+| RhinoServlet.java:25:23:25:50 | getParameter(...) : String | RhinoServlet.java:29:55:29:58 | code |
 | ScriptEngineTest.java:8:44:8:55 | input : String | ScriptEngineTest.java:12:37:12:41 | input |
 | ScriptEngineTest.java:15:51:15:62 | input : String | ScriptEngineTest.java:19:31:19:35 | input |
 | ScriptEngineTest.java:23:58:23:69 | input : String | ScriptEngineTest.java:27:31:27:35 | input |
@@ -12,6 +13,8 @@ edges
 | ScriptEngineTest.java:40:70:40:76 | ...[...] : String | ScriptEngineTest.java:23:58:23:69 | input : String |
 | ScriptEngineTest.java:41:58:41:64 | ...[...] : String | ScriptEngineTest.java:30:46:30:57 | input : String |
 nodes
+| RhinoServlet.java:25:23:25:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RhinoServlet.java:29:55:29:58 | code | semmle.label | code |
 | ScriptEngineTest.java:8:44:8:55 | input : String | semmle.label | input : String |
 | ScriptEngineTest.java:12:37:12:41 | input | semmle.label | input |
 | ScriptEngineTest.java:15:51:15:62 | input : String | semmle.label | input : String |
@@ -26,7 +29,8 @@ nodes
 | ScriptEngineTest.java:40:70:40:76 | ...[...] : String | semmle.label | ...[...] : String |
 | ScriptEngineTest.java:41:58:41:64 | ...[...] : String | semmle.label | ...[...] : String |
 #select
-| ScriptEngineTest.java:12:19:12:42 | eval(...) | ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:12:37:12:41 | input | ScriptEngine eval $@. | ScriptEngineTest.java:37:26:37:38 | args | user input |
-| ScriptEngineTest.java:19:19:19:36 | eval(...) | ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:19:31:19:35 | input | ScriptEngine eval $@. | ScriptEngineTest.java:37:26:37:38 | args | user input |
-| ScriptEngineTest.java:27:19:27:36 | eval(...) | ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:27:31:27:35 | input | ScriptEngine eval $@. | ScriptEngineTest.java:37:26:37:38 | args | user input |
-| ScriptEngineTest.java:34:19:34:36 | eval(...) | ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:34:31:34:35 | input | ScriptEngine eval $@. | ScriptEngineTest.java:37:26:37:38 | args | user input |
+| RhinoServlet.java:29:29:29:78 | evaluateString(...) | RhinoServlet.java:25:23:25:50 | getParameter(...) : String | RhinoServlet.java:29:55:29:58 | code | JavaScript Engine evaluate $@. | RhinoServlet.java:25:23:25:50 | getParameter(...) | user input |
+| ScriptEngineTest.java:12:19:12:42 | eval(...) | ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:12:37:12:41 | input | JavaScript Engine evaluate $@. | ScriptEngineTest.java:37:26:37:38 | args | user input |
+| ScriptEngineTest.java:19:19:19:36 | eval(...) | ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:19:31:19:35 | input | JavaScript Engine evaluate $@. | ScriptEngineTest.java:37:26:37:38 | args | user input |
+| ScriptEngineTest.java:27:19:27:36 | eval(...) | ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:27:31:27:35 | input | JavaScript Engine evaluate $@. | ScriptEngineTest.java:37:26:37:38 | args | user input |
+| ScriptEngineTest.java:34:19:34:36 | eval(...) | ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:34:31:34:35 | input | JavaScript Engine evaluate $@. | ScriptEngineTest.java:37:26:37:38 | args | user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.qlref
new file mode 100644
index 00000000000..da2b4287d0c
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-094/ScriptInjection.ql
\ No newline at end of file

From d664aa6d6add71d2b0d9287dcae665f8ea7df91f Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Wed, 5 May 2021 14:21:52 +0000
Subject: [PATCH 1092/1429] Include more scenarios and update qldoc

---
 .../CWE/CWE-094/ScriptInjection.qhelp         |  15 ++-
 .../Security/CWE/CWE-094/ScriptInjection.ql   |  86 +++++++++++---
 .../security/CWE-094/RhinoServlet.java        |  16 +++
 .../security/CWE-094/ScriptEngineTest.java    |  39 +++++-
 .../security/CWE-094/ScriptInjection.expected |  64 ++++++----
 .../mozilla/javascript/CompilerEnvirons.java  |  12 ++
 .../org/mozilla/javascript/Context.java       |  72 +++++++++++
 .../javascript/DefiningClassLoader.java       |  36 ++++++
 .../org/mozilla/javascript/Function.java      |  46 +++++++
 .../javascript/GeneratedClassLoader.java      |  34 ++++++
 .../org/mozilla/javascript/Script.java        |  41 +++++++
 .../javascript/optimizer/ClassCompiler.java   | 112 ++++++++++++++++++
 .../scriptengine/javax/script/Bindings.java   |  14 +++
 .../scriptengine/javax/script/Compilable.java |   9 ++
 .../javax/script/CompiledScript.java          |  17 +++
 .../javax/script/ScriptEngine.java            |   2 +
 .../javax/script/ScriptEngineFactory.java     |   7 +-
 .../nashorn/api/scripting/ClassFilter.java    |   5 +
 .../api/scripting/NashornScriptEngine.java    |  27 ++++-
 .../scripting/NashornScriptEngineFactory.java |  34 +++++-
 20 files changed, 633 insertions(+), 55 deletions(-)
 create mode 100644 java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/CompilerEnvirons.java
 create mode 100644 java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/DefiningClassLoader.java
 create mode 100644 java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/Function.java
 create mode 100644 java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/GeneratedClassLoader.java
 create mode 100644 java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/Script.java
 create mode 100644 java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/optimizer/ClassCompiler.java
 create mode 100644 java/ql/test/stubs/scriptengine/javax/script/Bindings.java
 create mode 100644 java/ql/test/stubs/scriptengine/javax/script/Compilable.java
 create mode 100644 java/ql/test/stubs/scriptengine/javax/script/CompiledScript.java
 create mode 100644 java/ql/test/stubs/scriptengine/jdk/nashorn/api/scripting/ClassFilter.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.qhelp
index ddc011fa658..586304ebb7c 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.qhelp
@@ -4,7 +4,7 @@
 <qhelp>
 
 <overview>
-<p>The JavaScript Engine API has been available since the release of Java 6, which allows
+<p>The Java Scripting API has been available since the release of Java 6, which allows
   applications to interact with scripts written in languages such as JavaScript. It serves
   as an embedded scripting engine inside Java applications which allows Java-to-JavaScript
   interoperability and provides a seamless integration between the two languages. If an 
@@ -13,11 +13,11 @@
 </overview>
 
 <recommendation>
-<p>In general, including user input in a JavaScript Engine expression should be avoided.
+<p>In general, including user input in a Java Script Engine expression should be avoided.
   If user input must be included in the expression, it should be then evaluated in a safe
-  context that doesn't allow arbitrary code invocation. Use "Cloudbees Rhino Sandbox" or 
-  sandboxing with SecurityManager or use <a href="https://www.graalvm.org/">graalvm</a> 
-  instead.</p>
+  context that doesn't allow arbitrary code invocation. Use "Cloudbees Rhino Sandbox" or
+  sandboxing with SecurityManager, which will be deprecated in a future release, or use
+  <a href="https://www.graalvm.org/">GraalVM</a> instead.</p>
 </recommendation>
 
 <example>
@@ -36,6 +36,9 @@
 <li>
 CERT coding standard: <a href="https://wiki.sei.cmu.edu/confluence/display/java/IDS52-J.+Prevent+code+injection">ScriptEngine code injection</a>
 </li>
+<li>
+GraalVM: <a href="https://www.graalvm.org/reference-manual/js/NashornMigrationGuide/#secure-by-default">Secure by Default</a>
+</li>
 <li>
   Mozilla Rhino: <a href="https://github.com/mozilla/rhino">Rhino: JavaScript in Java</a>
 </li>
@@ -43,7 +46,7 @@ CERT coding standard: <a href="https://wiki.sei.cmu.edu/confluence/display/java/
   Rhino Sandbox: <a href="https://github.com/javadelight/delight-rhino-sandbox">A sandbox to execute JavaScript code with Rhino in Java</a>
 </li>
 <li>
-  GuardRails: <a href="https://docs.guardrails.io/docs/en/vulnerabilities/java/insecure_use_of_dangerous_function">Code Injection</a>
+  GuardRails: <a href="https://docs.guardrails.io/docs/en/vulnerabilities/java/insecure_use_of_dangerous_function#code-injection">Code Injection</a>
 </li>
 </references>
 </qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
index 35f73fd5270..d4f8cfa5370 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
@@ -1,7 +1,7 @@
 /**
- * @name Injection in JavaScript Engine
+ * @name Injection in Java Script Engine
  * @description Evaluation of a user-controlled malicious JavaScript or Java expression in
- *              JavaScript Engine may lead to remote code execution.
+ *              Java Script Engine may lead to remote code execution.
  * @kind path-problem
  * @problem.severity error
  * @precision high
@@ -14,31 +14,62 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import DataFlow::PathGraph
 
+/** A method of ScriptEngine that allows code injection. */
 class ScriptEngineMethod extends Method {
   ScriptEngineMethod() {
     this.getDeclaringType().getASupertype*().hasQualifiedName("javax.script", "ScriptEngine") and
     this.hasName("eval")
+    or
+    this.getDeclaringType().getASupertype*().hasQualifiedName("javax.script", "Compilable") and
+    this.hasName("compile")
+    or
+    this.getDeclaringType().getASupertype*().hasQualifiedName("javax.script", "ScriptEngineFactory") and
+    this.hasName(["getProgram", "getMethodCallSyntax"])
   }
 }
 
-/** The context class `org.mozilla.javascript.Context` of Rhino JavaScript Engine. */
+/** The context class `org.mozilla.javascript.Context` of Rhino Java Script Engine. */
 class RhinoContext extends RefType {
   RhinoContext() { this.hasQualifiedName("org.mozilla.javascript", "Context") }
 }
 
-/**
- * A method that evaluates a Rhino expression.
- */
+/** A method that evaluates a Rhino expression with `org.mozilla.javascript.Context`. */
 class RhinoEvaluateExpressionMethod extends Method {
   RhinoEvaluateExpressionMethod() {
     this.getDeclaringType().getAnAncestor*() instanceof RhinoContext and
-    (
-      hasName("evaluateString") or
-      hasName("evaluateReader")
-    )
+    this.hasName([
+        "evaluateString", "evaluateReader", "compileFunction", "compileReader", "compileString"
+      ])
   }
 }
 
+/**
+ * A method that compiles a Rhino expression with
+ * `org.mozilla.javascript.optimizer.ClassCompiler`.
+ */
+class RhinoCompileClassMethod extends Method {
+  RhinoCompileClassMethod() {
+    this.getDeclaringType()
+        .getASupertype*()
+        .hasQualifiedName("org.mozilla.javascript.optimizer", "ClassCompiler") and
+    this.hasName("compileToClassFiles")
+  }
+}
+
+/**
+ * A method that defines a Java class from a Rhino expression with
+ * `org.mozilla.javascript.GeneratedClassLoader`.
+ */
+class RhinoDefineClassMethod extends Method {
+  RhinoDefineClassMethod() {
+    this.getDeclaringType()
+        .getASupertype*()
+        .hasQualifiedName("org.mozilla.javascript", "GeneratedClassLoader") and
+    this.hasName("defineClass")
+  }
+}
+
+/** Holds if `ma` is a method access of `ScriptEngineMethod`. */
 predicate scriptEngine(MethodAccess ma, Expr sink) {
   exists(Method m | m = ma.getMethod() |
     m instanceof ScriptEngineMethod and
@@ -47,11 +78,17 @@ predicate scriptEngine(MethodAccess ma, Expr sink) {
 }
 
 /**
- * Holds if `ma` has Rhino code injection vulnerabilities.
+ * Holds if a Rhino expression evaluation method has the code injection vulnerability.
  */
 predicate evaluateRhinoExpression(MethodAccess ma, Expr sink) {
   exists(RhinoEvaluateExpressionMethod m | m = ma.getMethod() |
-    sink = ma.getArgument(1) and // The second argument is the JavaScript or Java input
+    (
+      sink = ma.getArgument(1) and // The second argument is the JavaScript or Java input
+      not ma.getMethod().getName() = "compileReader"
+      or
+      sink = ma.getArgument(0) and // The first argument is the input reader
+      ma.getMethod().getName() = "compileReader"
+    ) and
     not exists(MethodAccess ca |
       (
         ca.getMethod().hasName("initSafeStandardObjects") // safe mode
@@ -63,15 +100,34 @@ predicate evaluateRhinoExpression(MethodAccess ma, Expr sink) {
   )
 }
 
+/**
+ * Holds if a Rhino expression compilation method has the code injection vulnerability.
+ */
+predicate compileScript(MethodAccess ma, Expr sink) {
+  exists(RhinoCompileClassMethod m | m = ma.getMethod() | sink = ma.getArgument(0))
+}
+
+/**
+ * Holds if a Rhino class loading method has the code injection vulnerability.
+ */
+predicate defineClass(MethodAccess ma, Expr sink) {
+  exists(RhinoDefineClassMethod m | m = ma.getMethod() | sink = ma.getArgument(1))
+}
+
+/** A sink of script injection. */
 class ScriptInjectionSink extends DataFlow::ExprNode {
   ScriptInjectionSink() {
     scriptEngine(_, this.getExpr()) or
-    evaluateRhinoExpression(_, this.getExpr())
+    evaluateRhinoExpression(_, this.getExpr()) or
+    compileScript(_, this.getExpr()) or
+    defineClass(_, this.getExpr())
   }
 
   MethodAccess getMethodAccess() {
     scriptEngine(result, this.getExpr()) or
-    evaluateRhinoExpression(result, this.getExpr())
+    evaluateRhinoExpression(result, this.getExpr()) or
+    compileScript(result, this.getExpr()) or
+    defineClass(result, this.getExpr())
   }
 }
 
@@ -90,4 +146,4 @@ class ScriptInjectionConfiguration extends TaintTracking::Configuration {
 from DataFlow::PathNode source, DataFlow::PathNode sink, ScriptInjectionConfiguration conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode().(ScriptInjectionSink).getMethodAccess(), source, sink,
-  "JavaScript Engine evaluate $@.", source.getNode(), "user input"
+  "Java Script Engine evaluate $@.", source.getNode(), "user input"
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/RhinoServlet.java b/java/ql/test/experimental/query-tests/security/CWE-094/RhinoServlet.java
index f6f529785cc..2c863b6f62f 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/RhinoServlet.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/RhinoServlet.java
@@ -5,9 +5,12 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.mozilla.javascript.ClassShutter;
+import org.mozilla.javascript.CompilerEnvirons;
 import org.mozilla.javascript.Context;
+import org.mozilla.javascript.DefiningClassLoader;
 import org.mozilla.javascript.Scriptable;
 import org.mozilla.javascript.RhinoException;
+import org.mozilla.javascript.optimizer.ClassCompiler;
 
 /**
  * Servlet implementation class RhinoServlet
@@ -75,4 +78,17 @@ public class RhinoServlet extends HttpServlet {
             Context.exit();
         }
     }    
+
+    // BAD: allow arbitrary code to be compiled for subsequent execution
+    protected void doGet2(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        String code = request.getParameter("code");
+        ClassCompiler compiler = new ClassCompiler(new CompilerEnvirons());
+        Object[] objs = compiler.compileToClassFiles(code, "/sourceLocation", 1, "mainClassName");
+    }
+
+    // BAD: allow arbitrary code to be loaded for subsequent execution
+    protected void doPost2(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        String code = request.getParameter("code");
+        Class clazz = new DefiningClassLoader().defineClass("Powerfunc", code.getBytes());
+    }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngineTest.java b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngineTest.java
index e04ec615f30..42d9cad6e64 100755
--- a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngineTest.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngineTest.java
@@ -33,26 +33,53 @@ public class ScriptEngineTest {
 		MyCustomScriptEngine engine = (MyCustomScriptEngine) factory.getScriptEngine(new String[] { "-scripting" });
 		Object result = engine.eval(input);
 	}
+
+	public void testScriptEngineCompilable(String input) throws ScriptException {
+		NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
+		Compilable engine = (Compilable) factory.getScriptEngine(new String[] { "-scripting" });
+		CompiledScript script = engine.compile(input);
+		Object result = script.eval();
+	}
+
+	public void testScriptEngineGetProgram(String input) throws ScriptException {
+		ScriptEngineManager scriptEngineManager = new ScriptEngineManager();
+		ScriptEngine engine = scriptEngineManager.getEngineByName("nashorn");
+		String program = engine.getFactory().getProgram(input);
+		Object result = engine.eval(program);
+	}
 	
 	public static void main(String[] args) throws ScriptException {
 		new ScriptEngineTest().testWithScriptEngineReference(args[0]);
 		new ScriptEngineTest().testNashornWithScriptEngineReference(args[0]);
 		new ScriptEngineTest().testNashornWithNashornScriptEngineReference(args[0]);
 		new ScriptEngineTest().testCustomScriptEngineReference(args[0]);
+		new ScriptEngineTest().testScriptEngineCompilable(args[0]);
+		new ScriptEngineTest().testScriptEngineGetProgram(args[0]);
 	}
 	
 	private static class MyCustomScriptEngine extends AbstractScriptEngine {
-		public Object eval(String var1) throws ScriptException {
-			return null;
-		}
+		public Object eval(String var1) throws ScriptException { return null; }
+
+		@Override
+		public ScriptEngineFactory getFactory() { return null; }
 	}
 	
 	private static class MyCustomFactory implements ScriptEngineFactory {
 		public MyCustomFactory() {
-    		}
-    		
-    		public ScriptEngine getScriptEngine() { return null; }
+		}
+
+		@Override
+		public ScriptEngine getScriptEngine() { return null; }
 
 		public ScriptEngine getScriptEngine(String... args) { return null; }
+
+		@Override
+		public String getEngineName() { return null; }
+
+		@Override
+		public String getMethodCallSyntax(final String obj, final String method, final String... args) { return null; }
+
+		@Override
+		public String getProgram(final String... statements) { return null; }
 	}
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.expected
index 452c2d70c57..0c191a4f579 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.expected
@@ -1,20 +1,32 @@
 edges
-| RhinoServlet.java:25:23:25:50 | getParameter(...) : String | RhinoServlet.java:29:55:29:58 | code |
+| RhinoServlet.java:28:23:28:50 | getParameter(...) : String | RhinoServlet.java:32:55:32:58 | code |
+| RhinoServlet.java:84:23:84:50 | getParameter(...) : String | RhinoServlet.java:86:54:86:57 | code |
+| RhinoServlet.java:91:23:91:50 | getParameter(...) : String | RhinoServlet.java:92:74:92:88 | getBytes(...) |
 | ScriptEngineTest.java:8:44:8:55 | input : String | ScriptEngineTest.java:12:37:12:41 | input |
 | ScriptEngineTest.java:15:51:15:62 | input : String | ScriptEngineTest.java:19:31:19:35 | input |
 | ScriptEngineTest.java:23:58:23:69 | input : String | ScriptEngineTest.java:27:31:27:35 | input |
 | ScriptEngineTest.java:30:46:30:57 | input : String | ScriptEngineTest.java:34:31:34:35 | input |
-| ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:38:56:38:62 | ...[...] : String |
-| ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:39:63:39:69 | ...[...] : String |
-| ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:40:70:40:76 | ...[...] : String |
-| ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:41:58:41:64 | ...[...] : String |
-| ScriptEngineTest.java:38:56:38:62 | ...[...] : String | ScriptEngineTest.java:8:44:8:55 | input : String |
-| ScriptEngineTest.java:39:63:39:69 | ...[...] : String | ScriptEngineTest.java:15:51:15:62 | input : String |
-| ScriptEngineTest.java:40:70:40:76 | ...[...] : String | ScriptEngineTest.java:23:58:23:69 | input : String |
-| ScriptEngineTest.java:41:58:41:64 | ...[...] : String | ScriptEngineTest.java:30:46:30:57 | input : String |
+| ScriptEngineTest.java:37:41:37:52 | input : String | ScriptEngineTest.java:40:42:40:46 | input |
+| ScriptEngineTest.java:44:41:44:52 | input : String | ScriptEngineTest.java:47:51:47:55 | input |
+| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:52:56:52:62 | ...[...] : String |
+| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:53:63:53:69 | ...[...] : String |
+| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:54:70:54:76 | ...[...] : String |
+| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:55:58:55:64 | ...[...] : String |
+| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:56:53:56:59 | ...[...] : String |
+| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:57:53:57:59 | ...[...] : String |
+| ScriptEngineTest.java:52:56:52:62 | ...[...] : String | ScriptEngineTest.java:8:44:8:55 | input : String |
+| ScriptEngineTest.java:53:63:53:69 | ...[...] : String | ScriptEngineTest.java:15:51:15:62 | input : String |
+| ScriptEngineTest.java:54:70:54:76 | ...[...] : String | ScriptEngineTest.java:23:58:23:69 | input : String |
+| ScriptEngineTest.java:55:58:55:64 | ...[...] : String | ScriptEngineTest.java:30:46:30:57 | input : String |
+| ScriptEngineTest.java:56:53:56:59 | ...[...] : String | ScriptEngineTest.java:37:41:37:52 | input : String |
+| ScriptEngineTest.java:57:53:57:59 | ...[...] : String | ScriptEngineTest.java:44:41:44:52 | input : String |
 nodes
-| RhinoServlet.java:25:23:25:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RhinoServlet.java:29:55:29:58 | code | semmle.label | code |
+| RhinoServlet.java:28:23:28:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RhinoServlet.java:32:55:32:58 | code | semmle.label | code |
+| RhinoServlet.java:84:23:84:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RhinoServlet.java:86:54:86:57 | code | semmle.label | code |
+| RhinoServlet.java:91:23:91:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RhinoServlet.java:92:74:92:88 | getBytes(...) | semmle.label | getBytes(...) |
 | ScriptEngineTest.java:8:44:8:55 | input : String | semmle.label | input : String |
 | ScriptEngineTest.java:12:37:12:41 | input | semmle.label | input |
 | ScriptEngineTest.java:15:51:15:62 | input : String | semmle.label | input : String |
@@ -23,14 +35,24 @@ nodes
 | ScriptEngineTest.java:27:31:27:35 | input | semmle.label | input |
 | ScriptEngineTest.java:30:46:30:57 | input : String | semmle.label | input : String |
 | ScriptEngineTest.java:34:31:34:35 | input | semmle.label | input |
-| ScriptEngineTest.java:37:26:37:38 | args : String[] | semmle.label | args : String[] |
-| ScriptEngineTest.java:38:56:38:62 | ...[...] : String | semmle.label | ...[...] : String |
-| ScriptEngineTest.java:39:63:39:69 | ...[...] : String | semmle.label | ...[...] : String |
-| ScriptEngineTest.java:40:70:40:76 | ...[...] : String | semmle.label | ...[...] : String |
-| ScriptEngineTest.java:41:58:41:64 | ...[...] : String | semmle.label | ...[...] : String |
+| ScriptEngineTest.java:37:41:37:52 | input : String | semmle.label | input : String |
+| ScriptEngineTest.java:40:42:40:46 | input | semmle.label | input |
+| ScriptEngineTest.java:44:41:44:52 | input : String | semmle.label | input : String |
+| ScriptEngineTest.java:47:51:47:55 | input | semmle.label | input |
+| ScriptEngineTest.java:51:26:51:38 | args : String[] | semmle.label | args : String[] |
+| ScriptEngineTest.java:52:56:52:62 | ...[...] : String | semmle.label | ...[...] : String |
+| ScriptEngineTest.java:53:63:53:69 | ...[...] : String | semmle.label | ...[...] : String |
+| ScriptEngineTest.java:54:70:54:76 | ...[...] : String | semmle.label | ...[...] : String |
+| ScriptEngineTest.java:55:58:55:64 | ...[...] : String | semmle.label | ...[...] : String |
+| ScriptEngineTest.java:56:53:56:59 | ...[...] : String | semmle.label | ...[...] : String |
+| ScriptEngineTest.java:57:53:57:59 | ...[...] : String | semmle.label | ...[...] : String |
 #select
-| RhinoServlet.java:29:29:29:78 | evaluateString(...) | RhinoServlet.java:25:23:25:50 | getParameter(...) : String | RhinoServlet.java:29:55:29:58 | code | JavaScript Engine evaluate $@. | RhinoServlet.java:25:23:25:50 | getParameter(...) | user input |
-| ScriptEngineTest.java:12:19:12:42 | eval(...) | ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:12:37:12:41 | input | JavaScript Engine evaluate $@. | ScriptEngineTest.java:37:26:37:38 | args | user input |
-| ScriptEngineTest.java:19:19:19:36 | eval(...) | ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:19:31:19:35 | input | JavaScript Engine evaluate $@. | ScriptEngineTest.java:37:26:37:38 | args | user input |
-| ScriptEngineTest.java:27:19:27:36 | eval(...) | ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:27:31:27:35 | input | JavaScript Engine evaluate $@. | ScriptEngineTest.java:37:26:37:38 | args | user input |
-| ScriptEngineTest.java:34:19:34:36 | eval(...) | ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:34:31:34:35 | input | JavaScript Engine evaluate $@. | ScriptEngineTest.java:37:26:37:38 | args | user input |
+| RhinoServlet.java:32:29:32:78 | evaluateString(...) | RhinoServlet.java:28:23:28:50 | getParameter(...) : String | RhinoServlet.java:32:55:32:58 | code | Java Script Engine evaluate $@. | RhinoServlet.java:28:23:28:50 | getParameter(...) | user input |
+| RhinoServlet.java:86:25:86:97 | compileToClassFiles(...) | RhinoServlet.java:84:23:84:50 | getParameter(...) : String | RhinoServlet.java:86:54:86:57 | code | Java Script Engine evaluate $@. | RhinoServlet.java:84:23:84:50 | getParameter(...) | user input |
+| RhinoServlet.java:92:23:92:89 | defineClass(...) | RhinoServlet.java:91:23:91:50 | getParameter(...) : String | RhinoServlet.java:92:74:92:88 | getBytes(...) | Java Script Engine evaluate $@. | RhinoServlet.java:91:23:91:50 | getParameter(...) | user input |
+| ScriptEngineTest.java:12:19:12:42 | eval(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:12:37:12:41 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
+| ScriptEngineTest.java:19:19:19:36 | eval(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:19:31:19:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
+| ScriptEngineTest.java:27:19:27:36 | eval(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:27:31:27:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
+| ScriptEngineTest.java:34:19:34:36 | eval(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:34:31:34:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
+| ScriptEngineTest.java:40:27:40:47 | compile(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:40:42:40:46 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
+| ScriptEngineTest.java:47:20:47:56 | getProgram(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:47:51:47:55 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
diff --git a/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/CompilerEnvirons.java b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/CompilerEnvirons.java
new file mode 100644
index 00000000000..3cb0619499e
--- /dev/null
+++ b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/CompilerEnvirons.java
@@ -0,0 +1,12 @@
+/* -*- Mode: java; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+ package org.mozilla.javascript;
+ 
+ public class CompilerEnvirons {
+    public CompilerEnvirons() {
+    }
+ }
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/Context.java b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/Context.java
index 57d30a3ab25..1bda212cfa4 100644
--- a/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/Context.java
+++ b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/Context.java
@@ -480,6 +480,78 @@ public class Context
         return null;
     }
 
+    /**
+     * @deprecated
+     * @see #compileReader(Reader in, String sourceName, int lineno, Object securityDomain)
+     */
+    @Deprecated
+    public final Script compileReader(
+            Scriptable scope, Reader in, String sourceName, int lineno, Object securityDomain)
+            throws IOException {
+        return null;
+    }
+
+    /**
+     * Compiles the source in the given reader.
+     *
+     * <p>Returns a script that may later be executed. Will consume all the source in the reader.
+     *
+     * @param in the input reader
+     * @param sourceName a string describing the source, such as a filename
+     * @param lineno the starting line number for reporting errors
+     * @param securityDomain an arbitrary object that specifies security information about the
+     *     origin or owner of the script. For implementations that don't care about security, this
+     *     value may be null.
+     * @return a script that may later be executed
+     * @exception IOException if an IOException was generated by the Reader
+     * @see org.mozilla.javascript.Script
+     */
+    public final Script compileReader(
+            Reader in, String sourceName, int lineno, Object securityDomain) throws IOException {
+        return null;
+    }
+
+    /**
+     * Compiles the source in the given string.
+     *
+     * <p>Returns a script that may later be executed.
+     *
+     * @param source the source string
+     * @param sourceName a string describing the source, such as a filename
+     * @param lineno the starting line number for reporting errors. Use 0 if the line number is
+     *     unknown.
+     * @param securityDomain an arbitrary object that specifies security information about the
+     *     origin or owner of the script. For implementations that don't care about security, this
+     *     value may be null.
+     * @return a script that may later be executed
+     * @see org.mozilla.javascript.Script
+     */
+    public final Script compileString(
+            String source, String sourceName, int lineno, Object securityDomain) {
+        return null;
+    }
+
+    /**
+     * Compile a JavaScript function.
+     *
+     * <p>The function source must be a function definition as defined by ECMA (e.g., "function f(a)
+     * { return a; }").
+     *
+     * @param scope the scope to compile relative to
+     * @param source the function definition source
+     * @param sourceName a string describing the source, such as a filename
+     * @param lineno the starting line number
+     * @param securityDomain an arbitrary object that specifies security information about the
+     *     origin or owner of the script. For implementations that don't care about security, this
+     *     value may be null.
+     * @return a Function that may later be called
+     * @see org.mozilla.javascript.Function
+     */
+    public final Function compileFunction(
+            Scriptable scope, String source, String sourceName, int lineno, Object securityDomain) {
+        return null;
+    }
+
     /**
      * Convert the value to a JavaScript boolean value.
      * <p>
diff --git a/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/DefiningClassLoader.java b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/DefiningClassLoader.java
new file mode 100644
index 00000000000..3819798c351
--- /dev/null
+++ b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/DefiningClassLoader.java
@@ -0,0 +1,36 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+ package org.mozilla.javascript;
+
+ /**
+  * Load generated classes.
+  *
+  * @author Norris Boyd
+  */
+ public class DefiningClassLoader extends ClassLoader
+     implements GeneratedClassLoader
+ {
+     public DefiningClassLoader() {
+     }
+ 
+     public DefiningClassLoader(ClassLoader parentLoader) {
+     }
+ 
+     @Override
+     public Class<?> defineClass(String name, byte[] data) {
+         return null;
+     }
+ 
+     @Override
+     public void linkClass(Class<?> cl) {
+     }
+ 
+     @Override
+     public Class<?> loadClass(String name, boolean resolve)
+         throws ClassNotFoundException
+     {
+         return null;
+     }
+ }
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/Function.java b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/Function.java
new file mode 100644
index 00000000000..a35a7c2dfba
--- /dev/null
+++ b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/Function.java
@@ -0,0 +1,46 @@
+/* -*- Mode: java; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// API class
+
+package org.mozilla.javascript;
+
+/**
+ * This is interface that all functions in JavaScript must implement. The interface provides for
+ * calling functions and constructors.
+ *
+ * @see org.mozilla.javascript.Scriptable
+ * @author Norris Boyd
+ */
+public interface Function extends Scriptable {
+    /**
+     * Call the function.
+     *
+     * <p>Note that the array of arguments is not guaranteed to have length greater than 0.
+     *
+     * @param cx the current Context for this thread
+     * @param scope the scope to execute the function relative to. This is set to the value returned
+     *     by getParentScope() except when the function is called from a closure.
+     * @param thisObj the JavaScript <code>this</code> object
+     * @param args the array of arguments
+     * @return the result of the call
+     */
+    Object call(Context cx, Scriptable scope, Scriptable thisObj, Object[] args);
+
+    /**
+     * Call the function as a constructor.
+     *
+     * <p>This method is invoked by the runtime in order to satisfy a use of the JavaScript <code>
+     * new</code> operator. This method is expected to create a new object and return it.
+     *
+     * @param cx the current Context for this thread
+     * @param scope an enclosing scope of the caller except when the function is called from a
+     *     closure.
+     * @param args the array of arguments
+     * @return the allocated object
+     */
+    Scriptable construct(Context cx, Scriptable scope, Object[] args);
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/GeneratedClassLoader.java b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/GeneratedClassLoader.java
new file mode 100644
index 00000000000..c7450862917
--- /dev/null
+++ b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/GeneratedClassLoader.java
@@ -0,0 +1,34 @@
+/* -*- Mode: java; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// API class
+
+package org.mozilla.javascript;
+
+/**
+ * Interface to define classes from generated byte code.
+ */
+public interface GeneratedClassLoader {
+
+    /**
+     * Define a new Java class.
+     * Classes created via this method should have the same class loader.
+     *
+     * @param name fully qualified class name
+     * @param data class byte code
+     * @return new class object
+     */
+    public Class<?> defineClass(String name, byte[] data);
+
+    /**
+     * Link the given class.
+     *
+     * @param cl Class instance returned from the previous call to
+     *        {@link #defineClass(String, byte[])}
+     * @see java.lang.ClassLoader
+     */
+    public void linkClass(Class<?> cl);
+}
diff --git a/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/Script.java b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/Script.java
new file mode 100644
index 00000000000..824dc0241c1
--- /dev/null
+++ b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/Script.java
@@ -0,0 +1,41 @@
+/* -*- Mode: java; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// API class
+
+package org.mozilla.javascript;
+
+/**
+ * All compiled scripts implement this interface.
+ * <p>
+ * This class encapsulates script execution relative to an
+ * object scope.
+ * @since 1.3
+ * @author Norris Boyd
+ */
+
+public interface Script {
+
+    /**
+     * Execute the script.
+     * <p>
+     * The script is executed in a particular runtime Context, which
+     * must be associated with the current thread.
+     * The script is executed relative to a scope--definitions and
+     * uses of global top-level variables and functions will access
+     * properties of the scope object. For compliant ECMA
+     * programs, the scope must be an object that has been initialized
+     * as a global object using <code>Context.initStandardObjects</code>.
+     * <p>
+     *
+     * @param cx the Context associated with the current thread
+     * @param scope the scope to execute relative to
+     * @return the result of executing the script
+     * @see org.mozilla.javascript.Context#initStandardObjects()
+     */
+    public Object exec(Context cx, Scriptable scope);
+
+}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/optimizer/ClassCompiler.java b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/optimizer/ClassCompiler.java
new file mode 100644
index 00000000000..cb2332d3f61
--- /dev/null
+++ b/java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/optimizer/ClassCompiler.java
@@ -0,0 +1,112 @@
+/* -*- Mode: java; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+ package org.mozilla.javascript.optimizer;
+ 
+ import org.mozilla.javascript.CompilerEnvirons;
+
+ /**
+  * Generates class files from script sources.
+  *
+  * since 1.5 Release 5
+  * @author Igor Bukanov
+  */
+ 
+ public class ClassCompiler
+ {
+     /**
+      * Construct ClassCompiler that uses the specified compiler environment
+      * when generating classes.
+      */
+     public ClassCompiler(CompilerEnvirons compilerEnv)
+     {
+     }
+ 
+     /**
+      * Set the class name to use for main method implementation.
+      * The class must have a method matching
+      * <code>public static void main(Script sc, String[] args)</code>, it will be
+      * called when <code>main(String[] args)</code> is called in the generated
+      * class. The class name should be fully qulified name and include the
+      * package name like in <code>org.foo.Bar</code>.
+      */
+     public void setMainMethodClass(String className)
+     {
+     }
+ 
+     /**
+      * Get the name of the class for main method implementation.
+      * @see #setMainMethodClass(String)
+      */
+     public String getMainMethodClass()
+     {
+         return null;
+     }
+ 
+     /**
+      * Get the compiler environment the compiler uses.
+      */
+     public CompilerEnvirons getCompilerEnv()
+     {
+        return null;
+    }
+ 
+     /**
+      * Get the class that the generated target will extend.
+      */
+     public Class<?> getTargetExtends()
+     {
+        return null;
+    }
+ 
+     /**
+      * Set the class that the generated target will extend.
+      *
+      * @param extendsClass the class it extends
+      */
+     public void setTargetExtends(Class<?> extendsClass)
+     {
+     }
+ 
+     /**
+      * Get the interfaces that the generated target will implement.
+      */
+     public Class<?>[] getTargetImplements()
+     {
+        return null;
+    }
+ 
+     /**
+      * Set the interfaces that the generated target will implement.
+      *
+      * @param implementsClasses an array of Class objects, one for each
+      *                          interface the target will extend
+      */
+     public void setTargetImplements(Class<?>[] implementsClasses)
+     {
+     }
+  
+     /**
+      * Compile JavaScript source into one or more Java class files.
+      * The first compiled class will have name mainClassName.
+      * If the results of {@link #getTargetExtends()} or
+      * {@link #getTargetImplements()} are not null, then the first compiled
+      * class will extend the specified super class and implement
+      * specified interfaces.
+      *
+      * @return array where elements with even indexes specifies class name
+      *         and the following odd index gives class file body as byte[]
+      *         array. The initial element of the array always holds
+      *         mainClassName and array[1] holds its byte code.
+      */
+     public Object[] compileToClassFiles(String source,
+                                         String sourceLocation,
+                                         int lineno,
+                                         String mainClassName)
+     {
+        return null;
+     }
+ }
\ No newline at end of file
diff --git a/java/ql/test/stubs/scriptengine/javax/script/Bindings.java b/java/ql/test/stubs/scriptengine/javax/script/Bindings.java
new file mode 100644
index 00000000000..a8eeeb6fe5e
--- /dev/null
+++ b/java/ql/test/stubs/scriptengine/javax/script/Bindings.java
@@ -0,0 +1,14 @@
+package javax.script;
+import java.util.Map;
+
+public interface Bindings extends Map<String, Object> {
+    public Object put(String name, Object value);
+
+    public void putAll(Map<? extends String, ? extends Object> toMerge);
+
+    public boolean containsKey(Object key);
+
+    public Object get(Object key);
+
+    public Object remove(Object key);
+}
diff --git a/java/ql/test/stubs/scriptengine/javax/script/Compilable.java b/java/ql/test/stubs/scriptengine/javax/script/Compilable.java
new file mode 100644
index 00000000000..ce6700c5a66
--- /dev/null
+++ b/java/ql/test/stubs/scriptengine/javax/script/Compilable.java
@@ -0,0 +1,9 @@
+package javax.script;
+
+import java.io.Reader;
+
+public interface Compilable {
+    public CompiledScript compile(String script) throws ScriptException;
+
+    public CompiledScript compile(Reader script) throws ScriptException;
+}
diff --git a/java/ql/test/stubs/scriptengine/javax/script/CompiledScript.java b/java/ql/test/stubs/scriptengine/javax/script/CompiledScript.java
new file mode 100644
index 00000000000..2f03d58c9a7
--- /dev/null
+++ b/java/ql/test/stubs/scriptengine/javax/script/CompiledScript.java
@@ -0,0 +1,17 @@
+package javax.script;
+
+public abstract class CompiledScript {
+
+    public abstract Object eval(ScriptContext context) throws ScriptException;
+
+    public Object eval(Bindings bindings) throws ScriptException {
+        return null;
+    }
+
+    public Object eval() throws ScriptException {
+        return null;
+    }
+
+    public abstract ScriptEngine getEngine();
+
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/scriptengine/javax/script/ScriptEngine.java b/java/ql/test/stubs/scriptengine/javax/script/ScriptEngine.java
index 4dc4f8c3186..35b91119e4f 100644
--- a/java/ql/test/stubs/scriptengine/javax/script/ScriptEngine.java
+++ b/java/ql/test/stubs/scriptengine/javax/script/ScriptEngine.java
@@ -2,5 +2,7 @@ package javax.script;
 
 public interface ScriptEngine {
     Object eval(String var1) throws ScriptException;
+
+    public ScriptEngineFactory getFactory();
 }
 
diff --git a/java/ql/test/stubs/scriptengine/javax/script/ScriptEngineFactory.java b/java/ql/test/stubs/scriptengine/javax/script/ScriptEngineFactory.java
index 7441c8a4ade..f802d86f80b 100644
--- a/java/ql/test/stubs/scriptengine/javax/script/ScriptEngineFactory.java
+++ b/java/ql/test/stubs/scriptengine/javax/script/ScriptEngineFactory.java
@@ -1,6 +1,11 @@
 package javax.script;
 
 public interface ScriptEngineFactory {
+    public String getEngineName();
+
+    public String getMethodCallSyntax(String obj, String m, String... args);
+
+    public String getProgram(String... statements);
+
     ScriptEngine getScriptEngine();
 }
-
diff --git a/java/ql/test/stubs/scriptengine/jdk/nashorn/api/scripting/ClassFilter.java b/java/ql/test/stubs/scriptengine/jdk/nashorn/api/scripting/ClassFilter.java
new file mode 100644
index 00000000000..fcc624fc106
--- /dev/null
+++ b/java/ql/test/stubs/scriptengine/jdk/nashorn/api/scripting/ClassFilter.java
@@ -0,0 +1,5 @@
+package jdk.nashorn.api.scripting;
+
+public interface ClassFilter {
+     public boolean exposeToScripts(String className);
+}
diff --git a/java/ql/test/stubs/scriptengine/jdk/nashorn/api/scripting/NashornScriptEngine.java b/java/ql/test/stubs/scriptengine/jdk/nashorn/api/scripting/NashornScriptEngine.java
index 8dc3c1afa10..e89282dfa27 100644
--- a/java/ql/test/stubs/scriptengine/jdk/nashorn/api/scripting/NashornScriptEngine.java
+++ b/java/ql/test/stubs/scriptengine/jdk/nashorn/api/scripting/NashornScriptEngine.java
@@ -1,10 +1,31 @@
 package jdk.nashorn.api.scripting;
 
-import javax.script.*;
+import java.io.Reader;
 
-public final class NashornScriptEngine extends AbstractScriptEngine {
+import javax.script.AbstractScriptEngine;
+import javax.script.Compilable;
+import javax.script.CompiledScript;
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineFactory;
+import javax.script.ScriptException;
+
+public final class NashornScriptEngine extends AbstractScriptEngine implements Compilable {
 	public Object eval(String var1) throws ScriptException {
 		return null;
 	}
-}
 
+	@Override
+	public ScriptEngineFactory getFactory() {
+		return null;
+	}
+
+	@Override
+	public CompiledScript compile(final Reader reader) throws ScriptException {
+		return null;
+	}
+
+	@Override
+	public CompiledScript compile(final String str) throws ScriptException {
+		return null;
+	}
+}
diff --git a/java/ql/test/stubs/scriptengine/jdk/nashorn/api/scripting/NashornScriptEngineFactory.java b/java/ql/test/stubs/scriptengine/jdk/nashorn/api/scripting/NashornScriptEngineFactory.java
index 763e098ddbe..177bf463eb3 100644
--- a/java/ql/test/stubs/scriptengine/jdk/nashorn/api/scripting/NashornScriptEngineFactory.java
+++ b/java/ql/test/stubs/scriptengine/jdk/nashorn/api/scripting/NashornScriptEngineFactory.java
@@ -3,20 +3,48 @@ package jdk.nashorn.api.scripting;
 import javax.script.ScriptEngine;
 import javax.script.ScriptEngineFactory;
 
-
 public final class NashornScriptEngineFactory implements ScriptEngineFactory {
 
     public NashornScriptEngineFactory() {
     }
 
+    @Override
+    public String getEngineName() {
+        return null;
+    }
 
+    @Override
+    public String getMethodCallSyntax(final String obj, final String method, final String... args) {
+        return null;
+    }
+
+    @Override
+    public String getProgram(final String... statements) {
+        return null;
+    }
+
+    @Override
     public ScriptEngine getScriptEngine() {
         return null;
     }
 
+    public ScriptEngine getScriptEngine(final ClassLoader appLoader) {
+        return null;
+    }
 
-    public ScriptEngine getScriptEngine(String... args) {
+    public ScriptEngine getScriptEngine(final ClassFilter classFilter) {
+        return null;
+    }
+
+    public ScriptEngine getScriptEngine(final String... args) {
+        return null;
+    }
+
+    public ScriptEngine getScriptEngine(final String[] args, final ClassLoader appLoader) {
+        return null;
+    }
+
+    public ScriptEngine getScriptEngine(final String[] args, final ClassLoader appLoader, final ClassFilter classFilter) {
         return null;
     }
 }
-

From e4699f7fa9a142158c1207ccbc8ac31d667ed782 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Tue, 11 May 2021 20:09:37 +0000
Subject: [PATCH 1093/1429] Optimize the query

---
 .../Security/CWE/CWE-094/RhinoInjection.java  |   9 +-
 .../Security/CWE/CWE-094/ScriptInjection.ql   |  33 +++---
 .../security/CWE-094/RhinoServlet.java        |   5 +-
 .../security/CWE-094/ScriptEngineTest.java    |  42 +++++---
 .../security/CWE-094/ScriptInjection.expected | 102 +++++++++---------
 5 files changed, 99 insertions(+), 92 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.java b/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.java
index 4a87d5bc354..15adfbe4524 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.java
@@ -1,3 +1,7 @@
+import org.mozilla.javascript.ClassShutter;
+import org.mozilla.javascript.Context;
+import org.mozilla.javascript.Scriptable;
+
 public class RhinoInjection extends HttpServlet {
 
   protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
@@ -20,10 +24,7 @@ public class RhinoInjection extends HttpServlet {
         Scriptable scope = ctx.initStandardObjects();
         ctx.setClassShutter(new ClassShutter() {
             public boolean visibleToScripts(String className) {
-                if(className.startsWith("com.example.")) {
-                    return true;
-                }
-                return false;
+              return className.startsWith("com.example.");
             }
         });
       }
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
index d4f8cfa5370..0819f85c17e 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
@@ -1,7 +1,7 @@
 /**
  * @name Injection in Java Script Engine
- * @description Evaluation of a user-controlled malicious JavaScript or Java expression in
- *              Java Script Engine may lead to remote code execution.
+ * @description Evaluation of user-controlled data using the Java Script Engine may
+ *              lead to remote code execution.
  * @kind path-problem
  * @problem.severity error
  * @precision high
@@ -78,43 +78,37 @@ predicate scriptEngine(MethodAccess ma, Expr sink) {
 }
 
 /**
- * Holds if a Rhino expression evaluation method has the code injection vulnerability.
+ * Holds if a Rhino expression evaluation method is vulnerable to code injection.
  */
 predicate evaluateRhinoExpression(MethodAccess ma, Expr sink) {
   exists(RhinoEvaluateExpressionMethod m | m = ma.getMethod() |
     (
-      sink = ma.getArgument(1) and // The second argument is the JavaScript or Java input
-      not ma.getMethod().getName() = "compileReader"
-      or
-      sink = ma.getArgument(0) and // The first argument is the input reader
-      ma.getMethod().getName() = "compileReader"
+      if ma.getMethod().getName() = "compileReader"
+      then sink = ma.getArgument(0) // The first argument is the input reader
+      else sink = ma.getArgument(1) // The second argument is the JavaScript or Java input
     ) and
     not exists(MethodAccess ca |
-      (
-        ca.getMethod().hasName("initSafeStandardObjects") // safe mode
-        or
-        ca.getMethod().hasName("setClassShutter") // `ClassShutter` constraint is enforced
-      ) and
+      ca.getMethod().hasName(["initSafeStandardObjects", "setClassShutter"]) and // safe mode or `ClassShutter` constraint is enforced
       ma.getQualifier() = ca.getQualifier().(VarAccess).getVariable().getAnAccess()
     )
   )
 }
 
 /**
- * Holds if a Rhino expression compilation method has the code injection vulnerability.
+ * Holds if a Rhino expression compilation method is vulnerable to code injection.
  */
 predicate compileScript(MethodAccess ma, Expr sink) {
   exists(RhinoCompileClassMethod m | m = ma.getMethod() | sink = ma.getArgument(0))
 }
 
 /**
- * Holds if a Rhino class loading method has the code injection vulnerability.
+ * Holds if a Rhino class loading method is vulnerable to code injection.
  */
 predicate defineClass(MethodAccess ma, Expr sink) {
   exists(RhinoDefineClassMethod m | m = ma.getMethod() | sink = ma.getArgument(1))
 }
 
-/** A sink of script injection. */
+/** A script injection sink. */
 class ScriptInjectionSink extends DataFlow::ExprNode {
   ScriptInjectionSink() {
     scriptEngine(_, this.getExpr()) or
@@ -123,6 +117,7 @@ class ScriptInjectionSink extends DataFlow::ExprNode {
     defineClass(_, this.getExpr())
   }
 
+  /** An access to the method associated with this sink. */
   MethodAccess getMethodAccess() {
     scriptEngine(result, this.getExpr()) or
     evaluateRhinoExpression(result, this.getExpr()) or
@@ -134,11 +129,7 @@ class ScriptInjectionSink extends DataFlow::ExprNode {
 class ScriptInjectionConfiguration extends TaintTracking::Configuration {
   ScriptInjectionConfiguration() { this = "ScriptInjectionConfiguration" }
 
-  override predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource
-    or
-    source instanceof LocalUserInput
-  }
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof ScriptInjectionSink }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/RhinoServlet.java b/java/ql/test/experimental/query-tests/security/CWE-094/RhinoServlet.java
index 2c863b6f62f..e76a9543f87 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/RhinoServlet.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/RhinoServlet.java
@@ -63,10 +63,7 @@ public class RhinoServlet extends HttpServlet {
             Scriptable scope = ctx.initStandardObjects();
             ctx.setClassShutter(new ClassShutter() {
                 public boolean visibleToScripts(String className) {
-                    if(className.startsWith("com.example.")) {
-                        return true;
-                    }
-                    return false;
+                    return className.startsWith("com.example.");
                 }
             });
 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngineTest.java b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngineTest.java
index 42d9cad6e64..ed7099d7598 100755
--- a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngineTest.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngineTest.java
@@ -1,9 +1,21 @@
+import javax.script.AbstractScriptEngine;
+import javax.script.Compilable;
+import javax.script.CompiledScript;
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineManager;
+import javax.script.ScriptEngineFactory;
+import javax.script.ScriptException;
+
 import jdk.nashorn.api.scripting.NashornScriptEngine;
 import jdk.nashorn.api.scripting.NashornScriptEngineFactory;
-import javax.script.*;
 
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 
-public class ScriptEngineTest {
+public class ScriptEngineTest extends HttpServlet {
 
 	public void testWithScriptEngineReference(String input) throws ScriptException {
 		ScriptEngineManager scriptEngineManager = new ScriptEngineManager();
@@ -47,16 +59,7 @@ public class ScriptEngineTest {
 		String program = engine.getFactory().getProgram(input);
 		Object result = engine.eval(program);
 	}
-	
-	public static void main(String[] args) throws ScriptException {
-		new ScriptEngineTest().testWithScriptEngineReference(args[0]);
-		new ScriptEngineTest().testNashornWithScriptEngineReference(args[0]);
-		new ScriptEngineTest().testNashornWithNashornScriptEngineReference(args[0]);
-		new ScriptEngineTest().testCustomScriptEngineReference(args[0]);
-		new ScriptEngineTest().testScriptEngineCompilable(args[0]);
-		new ScriptEngineTest().testScriptEngineGetProgram(args[0]);
-	}
-	
+
 	private static class MyCustomScriptEngine extends AbstractScriptEngine {
 		public Object eval(String var1) throws ScriptException { return null; }
 
@@ -82,4 +85,19 @@ public class ScriptEngineTest {
 		@Override
 		public String getProgram(final String... statements) { return null; }
 	}
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+		try {
+			String code = request.getParameter("code");
+
+			new ScriptEngineTest().testWithScriptEngineReference(code);
+			new ScriptEngineTest().testNashornWithScriptEngineReference(code);
+			new ScriptEngineTest().testNashornWithNashornScriptEngineReference(code);
+			new ScriptEngineTest().testCustomScriptEngineReference(code);
+			new ScriptEngineTest().testScriptEngineCompilable(code);
+			new ScriptEngineTest().testScriptEngineGetProgram(code);
+		} catch (ScriptException se) {
+			throw new IOException(se.getMessage());
+		}
+	}
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.expected
index 0c191a4f579..5f1d250e9a2 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.expected
@@ -1,58 +1,58 @@
 edges
 | RhinoServlet.java:28:23:28:50 | getParameter(...) : String | RhinoServlet.java:32:55:32:58 | code |
-| RhinoServlet.java:84:23:84:50 | getParameter(...) : String | RhinoServlet.java:86:54:86:57 | code |
-| RhinoServlet.java:91:23:91:50 | getParameter(...) : String | RhinoServlet.java:92:74:92:88 | getBytes(...) |
-| ScriptEngineTest.java:8:44:8:55 | input : String | ScriptEngineTest.java:12:37:12:41 | input |
-| ScriptEngineTest.java:15:51:15:62 | input : String | ScriptEngineTest.java:19:31:19:35 | input |
-| ScriptEngineTest.java:23:58:23:69 | input : String | ScriptEngineTest.java:27:31:27:35 | input |
-| ScriptEngineTest.java:30:46:30:57 | input : String | ScriptEngineTest.java:34:31:34:35 | input |
-| ScriptEngineTest.java:37:41:37:52 | input : String | ScriptEngineTest.java:40:42:40:46 | input |
-| ScriptEngineTest.java:44:41:44:52 | input : String | ScriptEngineTest.java:47:51:47:55 | input |
-| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:52:56:52:62 | ...[...] : String |
-| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:53:63:53:69 | ...[...] : String |
-| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:54:70:54:76 | ...[...] : String |
-| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:55:58:55:64 | ...[...] : String |
-| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:56:53:56:59 | ...[...] : String |
-| ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:57:53:57:59 | ...[...] : String |
-| ScriptEngineTest.java:52:56:52:62 | ...[...] : String | ScriptEngineTest.java:8:44:8:55 | input : String |
-| ScriptEngineTest.java:53:63:53:69 | ...[...] : String | ScriptEngineTest.java:15:51:15:62 | input : String |
-| ScriptEngineTest.java:54:70:54:76 | ...[...] : String | ScriptEngineTest.java:23:58:23:69 | input : String |
-| ScriptEngineTest.java:55:58:55:64 | ...[...] : String | ScriptEngineTest.java:30:46:30:57 | input : String |
-| ScriptEngineTest.java:56:53:56:59 | ...[...] : String | ScriptEngineTest.java:37:41:37:52 | input : String |
-| ScriptEngineTest.java:57:53:57:59 | ...[...] : String | ScriptEngineTest.java:44:41:44:52 | input : String |
+| RhinoServlet.java:81:23:81:50 | getParameter(...) : String | RhinoServlet.java:83:54:83:57 | code |
+| RhinoServlet.java:88:23:88:50 | getParameter(...) : String | RhinoServlet.java:89:74:89:88 | getBytes(...) |
+| ScriptEngineTest.java:20:44:20:55 | input : String | ScriptEngineTest.java:24:37:24:41 | input |
+| ScriptEngineTest.java:27:51:27:62 | input : String | ScriptEngineTest.java:31:31:31:35 | input |
+| ScriptEngineTest.java:35:58:35:69 | input : String | ScriptEngineTest.java:39:31:39:35 | input |
+| ScriptEngineTest.java:42:46:42:57 | input : String | ScriptEngineTest.java:46:31:46:35 | input |
+| ScriptEngineTest.java:49:41:49:52 | input : String | ScriptEngineTest.java:52:42:52:46 | input |
+| ScriptEngineTest.java:56:41:56:52 | input : String | ScriptEngineTest.java:59:51:59:55 | input |
+| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:93:57:93:60 | code : String |
+| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:94:64:94:67 | code : String |
+| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:95:71:95:74 | code : String |
+| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:96:59:96:62 | code : String |
+| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:97:54:97:57 | code : String |
+| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:98:54:98:57 | code : String |
+| ScriptEngineTest.java:93:57:93:60 | code : String | ScriptEngineTest.java:20:44:20:55 | input : String |
+| ScriptEngineTest.java:94:64:94:67 | code : String | ScriptEngineTest.java:27:51:27:62 | input : String |
+| ScriptEngineTest.java:95:71:95:74 | code : String | ScriptEngineTest.java:35:58:35:69 | input : String |
+| ScriptEngineTest.java:96:59:96:62 | code : String | ScriptEngineTest.java:42:46:42:57 | input : String |
+| ScriptEngineTest.java:97:54:97:57 | code : String | ScriptEngineTest.java:49:41:49:52 | input : String |
+| ScriptEngineTest.java:98:54:98:57 | code : String | ScriptEngineTest.java:56:41:56:52 | input : String |
 nodes
 | RhinoServlet.java:28:23:28:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | RhinoServlet.java:32:55:32:58 | code | semmle.label | code |
-| RhinoServlet.java:84:23:84:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RhinoServlet.java:86:54:86:57 | code | semmle.label | code |
-| RhinoServlet.java:91:23:91:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RhinoServlet.java:92:74:92:88 | getBytes(...) | semmle.label | getBytes(...) |
-| ScriptEngineTest.java:8:44:8:55 | input : String | semmle.label | input : String |
-| ScriptEngineTest.java:12:37:12:41 | input | semmle.label | input |
-| ScriptEngineTest.java:15:51:15:62 | input : String | semmle.label | input : String |
-| ScriptEngineTest.java:19:31:19:35 | input | semmle.label | input |
-| ScriptEngineTest.java:23:58:23:69 | input : String | semmle.label | input : String |
-| ScriptEngineTest.java:27:31:27:35 | input | semmle.label | input |
-| ScriptEngineTest.java:30:46:30:57 | input : String | semmle.label | input : String |
-| ScriptEngineTest.java:34:31:34:35 | input | semmle.label | input |
-| ScriptEngineTest.java:37:41:37:52 | input : String | semmle.label | input : String |
-| ScriptEngineTest.java:40:42:40:46 | input | semmle.label | input |
-| ScriptEngineTest.java:44:41:44:52 | input : String | semmle.label | input : String |
-| ScriptEngineTest.java:47:51:47:55 | input | semmle.label | input |
-| ScriptEngineTest.java:51:26:51:38 | args : String[] | semmle.label | args : String[] |
-| ScriptEngineTest.java:52:56:52:62 | ...[...] : String | semmle.label | ...[...] : String |
-| ScriptEngineTest.java:53:63:53:69 | ...[...] : String | semmle.label | ...[...] : String |
-| ScriptEngineTest.java:54:70:54:76 | ...[...] : String | semmle.label | ...[...] : String |
-| ScriptEngineTest.java:55:58:55:64 | ...[...] : String | semmle.label | ...[...] : String |
-| ScriptEngineTest.java:56:53:56:59 | ...[...] : String | semmle.label | ...[...] : String |
-| ScriptEngineTest.java:57:53:57:59 | ...[...] : String | semmle.label | ...[...] : String |
+| RhinoServlet.java:81:23:81:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RhinoServlet.java:83:54:83:57 | code | semmle.label | code |
+| RhinoServlet.java:88:23:88:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RhinoServlet.java:89:74:89:88 | getBytes(...) | semmle.label | getBytes(...) |
+| ScriptEngineTest.java:20:44:20:55 | input : String | semmle.label | input : String |
+| ScriptEngineTest.java:24:37:24:41 | input | semmle.label | input |
+| ScriptEngineTest.java:27:51:27:62 | input : String | semmle.label | input : String |
+| ScriptEngineTest.java:31:31:31:35 | input | semmle.label | input |
+| ScriptEngineTest.java:35:58:35:69 | input : String | semmle.label | input : String |
+| ScriptEngineTest.java:39:31:39:35 | input | semmle.label | input |
+| ScriptEngineTest.java:42:46:42:57 | input : String | semmle.label | input : String |
+| ScriptEngineTest.java:46:31:46:35 | input | semmle.label | input |
+| ScriptEngineTest.java:49:41:49:52 | input : String | semmle.label | input : String |
+| ScriptEngineTest.java:52:42:52:46 | input | semmle.label | input |
+| ScriptEngineTest.java:56:41:56:52 | input : String | semmle.label | input : String |
+| ScriptEngineTest.java:59:51:59:55 | input | semmle.label | input |
+| ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| ScriptEngineTest.java:93:57:93:60 | code : String | semmle.label | code : String |
+| ScriptEngineTest.java:94:64:94:67 | code : String | semmle.label | code : String |
+| ScriptEngineTest.java:95:71:95:74 | code : String | semmle.label | code : String |
+| ScriptEngineTest.java:96:59:96:62 | code : String | semmle.label | code : String |
+| ScriptEngineTest.java:97:54:97:57 | code : String | semmle.label | code : String |
+| ScriptEngineTest.java:98:54:98:57 | code : String | semmle.label | code : String |
 #select
 | RhinoServlet.java:32:29:32:78 | evaluateString(...) | RhinoServlet.java:28:23:28:50 | getParameter(...) : String | RhinoServlet.java:32:55:32:58 | code | Java Script Engine evaluate $@. | RhinoServlet.java:28:23:28:50 | getParameter(...) | user input |
-| RhinoServlet.java:86:25:86:97 | compileToClassFiles(...) | RhinoServlet.java:84:23:84:50 | getParameter(...) : String | RhinoServlet.java:86:54:86:57 | code | Java Script Engine evaluate $@. | RhinoServlet.java:84:23:84:50 | getParameter(...) | user input |
-| RhinoServlet.java:92:23:92:89 | defineClass(...) | RhinoServlet.java:91:23:91:50 | getParameter(...) : String | RhinoServlet.java:92:74:92:88 | getBytes(...) | Java Script Engine evaluate $@. | RhinoServlet.java:91:23:91:50 | getParameter(...) | user input |
-| ScriptEngineTest.java:12:19:12:42 | eval(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:12:37:12:41 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
-| ScriptEngineTest.java:19:19:19:36 | eval(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:19:31:19:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
-| ScriptEngineTest.java:27:19:27:36 | eval(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:27:31:27:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
-| ScriptEngineTest.java:34:19:34:36 | eval(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:34:31:34:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
-| ScriptEngineTest.java:40:27:40:47 | compile(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:40:42:40:46 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
-| ScriptEngineTest.java:47:20:47:56 | getProgram(...) | ScriptEngineTest.java:51:26:51:38 | args : String[] | ScriptEngineTest.java:47:51:47:55 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:51:26:51:38 | args | user input |
+| RhinoServlet.java:83:25:83:97 | compileToClassFiles(...) | RhinoServlet.java:81:23:81:50 | getParameter(...) : String | RhinoServlet.java:83:54:83:57 | code | Java Script Engine evaluate $@. | RhinoServlet.java:81:23:81:50 | getParameter(...) | user input |
+| RhinoServlet.java:89:23:89:89 | defineClass(...) | RhinoServlet.java:88:23:88:50 | getParameter(...) : String | RhinoServlet.java:89:74:89:88 | getBytes(...) | Java Script Engine evaluate $@. | RhinoServlet.java:88:23:88:50 | getParameter(...) | user input |
+| ScriptEngineTest.java:24:19:24:42 | eval(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:24:37:24:41 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
+| ScriptEngineTest.java:31:19:31:36 | eval(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:31:31:31:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
+| ScriptEngineTest.java:39:19:39:36 | eval(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:39:31:39:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
+| ScriptEngineTest.java:46:19:46:36 | eval(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:46:31:46:35 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
+| ScriptEngineTest.java:52:27:52:47 | compile(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:52:42:52:46 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |
+| ScriptEngineTest.java:59:20:59:56 | getProgram(...) | ScriptEngineTest.java:91:18:91:45 | getParameter(...) : String | ScriptEngineTest.java:59:51:59:55 | input | Java Script Engine evaluate $@. | ScriptEngineTest.java:91:18:91:45 | getParameter(...) | user input |

From 0ac8453398d44181ba9c0334fc8dd3e82ff31298 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Fri, 14 May 2021 12:50:24 +0000
Subject: [PATCH 1094/1429] Allow all arguments of methods in
 ScriptEngineFactory

---
 .../Security/CWE/CWE-094/ScriptInjection.ql    | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
index 0819f85c17e..9faca9b8630 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
@@ -26,6 +26,17 @@ class ScriptEngineMethod extends Method {
     this.getDeclaringType().getASupertype*().hasQualifiedName("javax.script", "ScriptEngineFactory") and
     this.hasName(["getProgram", "getMethodCallSyntax"])
   }
+
+  /** Holds if the index is for an injectable parameter. */
+  bindingset[index]
+  predicate isInjectableArgIndex(int index) {
+    if
+      this.getDeclaringType()
+          .getASupertype*()
+          .hasQualifiedName("javax.script", "ScriptEngineFactory")
+    then any()
+    else index = 0
+  }
 }
 
 /** The context class `org.mozilla.javascript.Context` of Rhino Java Script Engine. */
@@ -71,9 +82,10 @@ class RhinoDefineClassMethod extends Method {
 
 /** Holds if `ma` is a method access of `ScriptEngineMethod`. */
 predicate scriptEngine(MethodAccess ma, Expr sink) {
-  exists(Method m | m = ma.getMethod() |
-    m instanceof ScriptEngineMethod and
-    sink = ma.getArgument(0)
+  exists(ScriptEngineMethod m, int index |
+    m = ma.getMethod() and
+    m.isInjectableArgIndex(index) and
+    sink = ma.getArgument(index)
   )
 }
 

From 2c1374bdcf416823fda65365d2296c0961537b31 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Fri, 14 May 2021 20:05:56 +0000
Subject: [PATCH 1095/1429] Use inline implementation for ScriptEngineFactory

---
 .../Security/CWE/CWE-094/ScriptInjection.ql    | 18 ++++--------------
 1 file changed, 4 insertions(+), 14 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
index 9faca9b8630..5274140158c 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
@@ -26,17 +26,6 @@ class ScriptEngineMethod extends Method {
     this.getDeclaringType().getASupertype*().hasQualifiedName("javax.script", "ScriptEngineFactory") and
     this.hasName(["getProgram", "getMethodCallSyntax"])
   }
-
-  /** Holds if the index is for an injectable parameter. */
-  bindingset[index]
-  predicate isInjectableArgIndex(int index) {
-    if
-      this.getDeclaringType()
-          .getASupertype*()
-          .hasQualifiedName("javax.script", "ScriptEngineFactory")
-    then any()
-    else index = 0
-  }
 }
 
 /** The context class `org.mozilla.javascript.Context` of Rhino Java Script Engine. */
@@ -82,10 +71,11 @@ class RhinoDefineClassMethod extends Method {
 
 /** Holds if `ma` is a method access of `ScriptEngineMethod`. */
 predicate scriptEngine(MethodAccess ma, Expr sink) {
-  exists(ScriptEngineMethod m, int index |
+  exists(ScriptEngineMethod m |
     m = ma.getMethod() and
-    m.isInjectableArgIndex(index) and
-    sink = ma.getArgument(index)
+    if m.getDeclaringType().getASupertype*().hasQualifiedName("javax.script", "ScriptEngineFactory")
+    then sink = ma.getArgument(_) // all arguments allow script injection
+    else sink = ma.getArgument(0)
   )
 }
 

From 2fa249a8eba1314acca9e7a953f5c3ed658c5b39 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Fri, 14 May 2021 20:31:05 +0000
Subject: [PATCH 1096/1429] Update method name and qldoc

---
 .../Security/CWE/CWE-094/ScriptInjection.ql           | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
index 5274140158c..71accb28c37 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
@@ -69,8 +69,11 @@ class RhinoDefineClassMethod extends Method {
   }
 }
 
-/** Holds if `ma` is a method access of `ScriptEngineMethod`. */
-predicate scriptEngine(MethodAccess ma, Expr sink) {
+/**
+ * Holds if `ma` is a call to a `ScriptEngineMethod` and `sink` is an argument that
+ * will be executed.
+ */
+predicate isScriptArgument(MethodAccess ma, Expr sink) {
   exists(ScriptEngineMethod m |
     m = ma.getMethod() and
     if m.getDeclaringType().getASupertype*().hasQualifiedName("javax.script", "ScriptEngineFactory")
@@ -113,7 +116,7 @@ predicate defineClass(MethodAccess ma, Expr sink) {
 /** A script injection sink. */
 class ScriptInjectionSink extends DataFlow::ExprNode {
   ScriptInjectionSink() {
-    scriptEngine(_, this.getExpr()) or
+    isScriptArgument(_, this.getExpr()) or
     evaluateRhinoExpression(_, this.getExpr()) or
     compileScript(_, this.getExpr()) or
     defineClass(_, this.getExpr())
@@ -121,7 +124,7 @@ class ScriptInjectionSink extends DataFlow::ExprNode {
 
   /** An access to the method associated with this sink. */
   MethodAccess getMethodAccess() {
-    scriptEngine(result, this.getExpr()) or
+    isScriptArgument(result, this.getExpr()) or
     evaluateRhinoExpression(result, this.getExpr()) or
     compileScript(result, this.getExpr()) or
     defineClass(result, this.getExpr())

From 9d392263a51e77783b78022839aa52ab37c7ba64 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Mon, 17 May 2021 16:07:00 +0000
Subject: [PATCH 1097/1429] Refactor inconsistent method names

---
 .../Security/CWE/CWE-094/ScriptInjection.ql    | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
index 71accb28c37..aa5a8b74f93 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
@@ -85,7 +85,7 @@ predicate isScriptArgument(MethodAccess ma, Expr sink) {
 /**
  * Holds if a Rhino expression evaluation method is vulnerable to code injection.
  */
-predicate evaluateRhinoExpression(MethodAccess ma, Expr sink) {
+predicate evaluatesRhinoExpression(MethodAccess ma, Expr sink) {
   exists(RhinoEvaluateExpressionMethod m | m = ma.getMethod() |
     (
       if ma.getMethod().getName() = "compileReader"
@@ -102,14 +102,14 @@ predicate evaluateRhinoExpression(MethodAccess ma, Expr sink) {
 /**
  * Holds if a Rhino expression compilation method is vulnerable to code injection.
  */
-predicate compileScript(MethodAccess ma, Expr sink) {
+predicate compilesScript(MethodAccess ma, Expr sink) {
   exists(RhinoCompileClassMethod m | m = ma.getMethod() | sink = ma.getArgument(0))
 }
 
 /**
  * Holds if a Rhino class loading method is vulnerable to code injection.
  */
-predicate defineClass(MethodAccess ma, Expr sink) {
+predicate definesRhinoClass(MethodAccess ma, Expr sink) {
   exists(RhinoDefineClassMethod m | m = ma.getMethod() | sink = ma.getArgument(1))
 }
 
@@ -117,17 +117,17 @@ predicate defineClass(MethodAccess ma, Expr sink) {
 class ScriptInjectionSink extends DataFlow::ExprNode {
   ScriptInjectionSink() {
     isScriptArgument(_, this.getExpr()) or
-    evaluateRhinoExpression(_, this.getExpr()) or
-    compileScript(_, this.getExpr()) or
-    defineClass(_, this.getExpr())
+    evaluatesRhinoExpression(_, this.getExpr()) or
+    compilesScript(_, this.getExpr()) or
+    definesRhinoClass(_, this.getExpr())
   }
 
   /** An access to the method associated with this sink. */
   MethodAccess getMethodAccess() {
     isScriptArgument(result, this.getExpr()) or
-    evaluateRhinoExpression(result, this.getExpr()) or
-    compileScript(result, this.getExpr()) or
-    defineClass(result, this.getExpr())
+    evaluatesRhinoExpression(result, this.getExpr()) or
+    compilesScript(result, this.getExpr()) or
+    definesRhinoClass(result, this.getExpr())
   }
 }
 

From d4323a4a540372b0d3a38ebe8a8e53d2af3de462 Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Mon, 17 May 2021 20:15:09 +0000
Subject: [PATCH 1098/1429] Update qldoc

---
 .../experimental/Security/CWE/CWE-094/ScriptInjection.qhelp   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.qhelp
index 586304ebb7c..2683cf9ad29 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.qhelp
@@ -4,7 +4,7 @@
 <qhelp>
 
 <overview>
-<p>The Java Scripting API has been available since the release of Java 6, which allows
+<p>The Java Scripting API has been available since the release of Java 6. It allows
   applications to interact with scripts written in languages such as JavaScript. It serves
   as an embedded scripting engine inside Java applications which allows Java-to-JavaScript
   interoperability and provides a seamless integration between the two languages. If an 
@@ -21,7 +21,7 @@
 </recommendation>
 
 <example>
-<p>The following code could execute random JavaScript code in <code>ScriptEngine</code></p>
+<p>The following code could execute user-supplied JavaScript code in <code>ScriptEngine</code></p>
 <sample src="ScriptEngine.java" />
 <sample src="NashornScriptEngine.java" />
 

From 02aa9c6fc7bde93ab56a1dc78423499d023978fe Mon Sep 17 00:00:00 2001
From: luchua-bc <shengxin.canada@gmail.com>
Date: Tue, 18 May 2021 12:09:52 +0000
Subject: [PATCH 1099/1429] Optimize the sink and update qldoc

---
 .../Security/CWE/CWE-094/ScriptInjection.ql   | 21 ++++++++++---------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
index aa5a8b74f93..fb8bf867501 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
@@ -115,22 +115,23 @@ predicate definesRhinoClass(MethodAccess ma, Expr sink) {
 
 /** A script injection sink. */
 class ScriptInjectionSink extends DataFlow::ExprNode {
+  MethodAccess methodAccess;
+
   ScriptInjectionSink() {
-    isScriptArgument(_, this.getExpr()) or
-    evaluatesRhinoExpression(_, this.getExpr()) or
-    compilesScript(_, this.getExpr()) or
-    definesRhinoClass(_, this.getExpr())
+    isScriptArgument(methodAccess, this.getExpr()) or
+    evaluatesRhinoExpression(methodAccess, this.getExpr()) or
+    compilesScript(methodAccess, this.getExpr()) or
+    definesRhinoClass(methodAccess, this.getExpr())
   }
 
   /** An access to the method associated with this sink. */
-  MethodAccess getMethodAccess() {
-    isScriptArgument(result, this.getExpr()) or
-    evaluatesRhinoExpression(result, this.getExpr()) or
-    compilesScript(result, this.getExpr()) or
-    definesRhinoClass(result, this.getExpr())
-  }
+  MethodAccess getMethodAccess() { result = methodAccess }
 }
 
+/**
+ * A taint tracking configuration that tracks flow from `RemoteFlowSource` to an argument
+ * of a method call that executes injected script.
+ */
 class ScriptInjectionConfiguration extends TaintTracking::Configuration {
   ScriptInjectionConfiguration() { this = "ScriptInjectionConfiguration" }
 

From 6103aabdce00d9c2d7683b47c8a71af86647cb32 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 18 May 2021 19:17:11 +0200
Subject: [PATCH 1100/1429] C++: Add change-note.

---
 cpp/change-notes/2021-05-18-static-buffer-overflow.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 cpp/change-notes/2021-05-18-static-buffer-overflow.md

diff --git a/cpp/change-notes/2021-05-18-static-buffer-overflow.md b/cpp/change-notes/2021-05-18-static-buffer-overflow.md
new file mode 100644
index 00000000000..f56040fe8aa
--- /dev/null
+++ b/cpp/change-notes/2021-05-18-static-buffer-overflow.md
@@ -0,0 +1,2 @@
+lgtm
+* The "Static buffer overflow" query (cpp/static-buffer-overflow) has been improved to produce fewer false positives.

From af75d85b2e986e24baa943a4b8d235b1c32e2093 Mon Sep 17 00:00:00 2001
From: Evgenii Protsenko <procenkoeg@yandex.ru>
Date: Tue, 18 May 2021 22:49:11 +0300
Subject: [PATCH 1101/1429] ClickHouseSQLInjection.qll : add tests

---
 .../CWE-089/ClickHouseSQLInjection.py         | 13 ++------
 .../CWE-089/ClickHouseSQLInjection.qhelp      |  8 ++---
 .../ClickHouseDriver.expected                 |  5 +++
 .../clickhouse-driver/ClickHouseDriver.py     | 32 +++++++++++++++++++
 .../clickhouse-driver/ClickHouseDriver.ql     |  6 ++++
 5 files changed, 49 insertions(+), 15 deletions(-)
 create mode 100644 python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.expected
 create mode 100644 python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.py
 create mode 100644 python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.ql

diff --git a/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.py b/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.py
index 0bd5cac7130..6668d8eb15f 100644
--- a/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.py
+++ b/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.py
@@ -9,18 +9,14 @@ class MyClient(Client):
 
 def show_user(request, username):
 
-    # BAD -- async library 'aioch'
+    # BAD -- Untrusted user input is directly injected into the sql query using async library 'aioch'
     aclient = aiochClient("localhost")
     progress = await aclient.execute_with_progress("SELECT * FROM users WHERE username = '%s'" % username)
 
-    # BAD -- client excute
-    client = Client('localhost')
-    client.execute("SELECT * FROM users WHERE username = '%s'" % username)
-
-    # BAD -- client excute oneliner
+    # BAD -- Untrusted user input is directly injected into the sql query using native client of library 'clickhouse_driver'
     Client('localhost').execute("SELECT * FROM users WHERE username = '%s'" % username)
 
-    # GOOD -- send username through params
+    # GOOD -- query uses prepared statements
     query = "SELECT * FROM users WHERE username = %(username)s"
     Client('localhost').execute(query, {"username": username})
 
@@ -29,7 +25,4 @@ def show_user(request, username):
     cursor = conn.cursor()
     cursor.execute("SELECT * FROM users WHERE username = '%s'" % username)
 
-    # BAD -- MyClient is a subclass of Client
-    MyClient('localhost').execute("SELECT * FROM users WHERE username = '%s'" % username)
-
 urlpatterns = [url(r'^users/(?P<username>[^/]+)$', show_user)]
diff --git a/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.qhelp b/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.qhelp
index a7077727991..be007545632 100644
--- a/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.qhelp
+++ b/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.qhelp
@@ -21,11 +21,9 @@ or prepared statements.
 
 <example>
 <p>
-In the following snippet, a user is fetched from the ClickHouse database
-using five different queries. In bad patterns query is build by formatting
-string with user-controlled data. In a qood pattern user-supplied parameter
-is send through a second argument (params) which is dict. Following cases
-show different types of communication with ClickHouse database.
+In the following snippet, a user is fetched from a <code>ClickHouse</code> database
+using five different queries. In the "BAD" cases the query is built directly from user-controlled data.
+In the "GOOD" case the user-controlled data is safely embedded into the query by using query parameters.
 </p>
 
 <p>
diff --git a/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.expected b/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.expected
new file mode 100644
index 00000000000..52aa30cb8c1
--- /dev/null
+++ b/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.expected
@@ -0,0 +1,5 @@
+| ClickHouseDriver.py:15:22:15:106 | ControlFlowNode for Attribute() | ClickHouseDriver.py:15:52:15:105 | ControlFlowNode for BinaryExpr |
+| ClickHouseDriver.py:18:5:18:87 | ControlFlowNode for Attribute() | ClickHouseDriver.py:18:33:18:86 | ControlFlowNode for BinaryExpr |
+| ClickHouseDriver.py:22:5:22:62 | ControlFlowNode for Attribute() | ClickHouseDriver.py:22:33:22:37 | ControlFlowNode for query |
+| ClickHouseDriver.py:27:5:27:74 | ControlFlowNode for Attribute() | ClickHouseDriver.py:27:20:27:73 | ControlFlowNode for BinaryExpr |
+| ClickHouseDriver.py:30:5:30:89 | ControlFlowNode for Attribute() | ClickHouseDriver.py:30:35:30:88 | ControlFlowNode for BinaryExpr |
diff --git a/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.py b/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.py
new file mode 100644
index 00000000000..7684f3df795
--- /dev/null
+++ b/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.py
@@ -0,0 +1,32 @@
+from django.conf.urls import url
+from clickhouse_driver import Client
+from clickhouse_driver import connect
+from aioch import Client as aiochClient
+
+# Dummy Client subclass
+class MyClient(Client):
+    def dummy(self):
+        return None
+
+def show_user(request, username):
+
+    # BAD -- Untrusted user input is directly injected into the sql query using async library 'aioch'
+    aclient = aiochClient("localhost")
+    progress = await aclient.execute_with_progress("SELECT * FROM users WHERE username = '%s'" % username)
+
+    # BAD -- Untrusted user input is directly injected into the sql query using native client of library 'clickhouse_driver'
+    Client('localhost').execute("SELECT * FROM users WHERE username = '%s'" % username)
+
+    # GOOD -- query uses prepared statements
+    query = "SELECT * FROM users WHERE username = %(username)s"
+    Client('localhost').execute(query, {"username": username})
+
+    # BAD -- Untrusted user input is directly injected into the sql query using PEP249 interface
+    conn = connect('clickhouse://localhost')
+    cursor = conn.cursor()
+    cursor.execute("SELECT * FROM users WHERE username = '%s'" % username)
+
+    # BAD -- Untrusted user input is directly injected into the sql query using MyClient, which is a subclass of Client
+    MyClient('localhost').execute("SELECT * FROM users WHERE username = '%s'" % username)
+
+urlpatterns = [url(r'^users/(?P<username>[^/]+)$', show_user)]
diff --git a/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.ql b/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.ql
new file mode 100644
index 00000000000..7ff45d8d822
--- /dev/null
+++ b/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.ql
@@ -0,0 +1,6 @@
+import python
+import experimental.semmle.python.frameworks.ClickHouseDriver
+import semmle.python.Concepts
+
+from SqlExecution::Range s
+select s, s.getSql()

From e590a7bc33ee9eb1655e0df56f2c43d09c715941 Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Tue, 18 May 2021 13:15:38 -0700
Subject: [PATCH 1102/1429] C++: Handle alias models for `this`/qualifiers

---
 .../aliased_ssa/internal/AliasAnalysis.qll         | 14 ++++++++++++--
 .../unaliased_ssa/internal/AliasAnalysis.qll       | 14 ++++++++++++--
 .../unaliased_ssa/internal/AliasAnalysis.qll       | 14 ++++++++++++--
 3 files changed, 36 insertions(+), 6 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
index 26f8a89a235..d2c2a7d6b64 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
@@ -287,14 +287,24 @@ private predicate isArgumentForParameter(
 private predicate isOnlyEscapesViaReturnArgument(Operand operand) {
   exists(AliasModels::AliasFunction f |
     f = operand.getUse().(CallInstruction).getStaticCallTarget() and
-    f.parameterEscapesOnlyViaReturn(operand.(PositionalArgumentOperand).getIndex())
+    (
+      f.parameterEscapesOnlyViaReturn(operand.(PositionalArgumentOperand).getIndex())
+      or
+      f.parameterEscapesOnlyViaReturn(-1) and
+      operand instanceof ThisArgumentOperand
+    )
   )
 }
 
 private predicate isNeverEscapesArgument(Operand operand) {
   exists(AliasModels::AliasFunction f |
     f = operand.getUse().(CallInstruction).getStaticCallTarget() and
-    f.parameterNeverEscapes(operand.(PositionalArgumentOperand).getIndex())
+    (
+      f.parameterNeverEscapes(operand.(PositionalArgumentOperand).getIndex())
+      or
+      f.parameterNeverEscapes(-1) and
+      operand instanceof ThisArgumentOperand
+    )
   )
 }
 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index 26f8a89a235..d2c2a7d6b64 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -287,14 +287,24 @@ private predicate isArgumentForParameter(
 private predicate isOnlyEscapesViaReturnArgument(Operand operand) {
   exists(AliasModels::AliasFunction f |
     f = operand.getUse().(CallInstruction).getStaticCallTarget() and
-    f.parameterEscapesOnlyViaReturn(operand.(PositionalArgumentOperand).getIndex())
+    (
+      f.parameterEscapesOnlyViaReturn(operand.(PositionalArgumentOperand).getIndex())
+      or
+      f.parameterEscapesOnlyViaReturn(-1) and
+      operand instanceof ThisArgumentOperand
+    )
   )
 }
 
 private predicate isNeverEscapesArgument(Operand operand) {
   exists(AliasModels::AliasFunction f |
     f = operand.getUse().(CallInstruction).getStaticCallTarget() and
-    f.parameterNeverEscapes(operand.(PositionalArgumentOperand).getIndex())
+    (
+      f.parameterNeverEscapes(operand.(PositionalArgumentOperand).getIndex())
+      or
+      f.parameterNeverEscapes(-1) and
+      operand instanceof ThisArgumentOperand
+    )
   )
 }
 
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index 26f8a89a235..d2c2a7d6b64 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -287,14 +287,24 @@ private predicate isArgumentForParameter(
 private predicate isOnlyEscapesViaReturnArgument(Operand operand) {
   exists(AliasModels::AliasFunction f |
     f = operand.getUse().(CallInstruction).getStaticCallTarget() and
-    f.parameterEscapesOnlyViaReturn(operand.(PositionalArgumentOperand).getIndex())
+    (
+      f.parameterEscapesOnlyViaReturn(operand.(PositionalArgumentOperand).getIndex())
+      or
+      f.parameterEscapesOnlyViaReturn(-1) and
+      operand instanceof ThisArgumentOperand
+    )
   )
 }
 
 private predicate isNeverEscapesArgument(Operand operand) {
   exists(AliasModels::AliasFunction f |
     f = operand.getUse().(CallInstruction).getStaticCallTarget() and
-    f.parameterNeverEscapes(operand.(PositionalArgumentOperand).getIndex())
+    (
+      f.parameterNeverEscapes(operand.(PositionalArgumentOperand).getIndex())
+      or
+      f.parameterNeverEscapes(-1) and
+      operand instanceof ThisArgumentOperand
+    )
   )
 }
 

From db85a215ab3baac750cc7ddc673622a7fc57a159 Mon Sep 17 00:00:00 2001
From: Robert Marsh <rdmarsh@semmle.com>
Date: Tue, 18 May 2021 13:16:22 -0700
Subject: [PATCH 1103/1429] C++: fix alias model for smart pointer setters

---
 .../semmle/code/cpp/models/implementations/SmartPointer.qll    | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
index 7f9639f6373..065dc567120 100644
--- a/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/SmartPointer.qll
@@ -146,8 +146,7 @@ private class SmartPtrSetterFunction extends MemberFunction, AliasFunction, Side
   }
 
   private FunctionInput getPointerInput() {
-    exists(Parameter param0 |
-      param0 = this.getParameter(0) and
+    exists(Parameter param0 | param0 = this.getParameter(0) |
       (
         param0.getUnspecifiedType().(ReferenceType).getBaseType() instanceof SmartPtr and
         if this.getParameter(1).getUnspecifiedType() instanceof PointerType

From e9d2dd0b5709fa0015bc76415f5e29f24e1c32b6 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 18 May 2021 12:57:49 +0200
Subject: [PATCH 1104/1429] support the chaining methods on Express apps

---
 .../ql/src/semmle/javascript/frameworks/Express.qll    |  3 +++
 .../CWE-079/ReflectedXss/ReflectedXss.expected         | 10 ++++++++++
 .../ReflectedXssWithCustomSanitizer.expected           |  1 +
 .../query-tests/Security/CWE-079/ReflectedXss/tst3.js  |  7 +++++++
 4 files changed, 21 insertions(+)
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Express.qll b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
index 53266c10ef8..7ef4bf7525a 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Express.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
@@ -19,6 +19,9 @@ module Express {
     or
     // `app = express.createServer()`
     result = DataFlow::moduleMember("express", "createServer").getAnInvocation()
+    or
+    // `app = express().disable(x)`, and other chaining methods
+    result = appCreation().getAMemberCall(["engine", "set", "param", "enable", "disable", "on"])
   }
 
   /**
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
index e8d093325ad..b1d940b437c 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -182,6 +182,11 @@ nodes
 | tst2.js:36:12:36:12 | p |
 | tst2.js:37:12:37:18 | other.p |
 | tst2.js:37:12:37:18 | other.p |
+| tst3.js:5:7:5:24 | p |
+| tst3.js:5:9:5:9 | p |
+| tst3.js:5:9:5:9 | p |
+| tst3.js:6:12:6:12 | p |
+| tst3.js:6:12:6:12 | p |
 edges
 | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
 | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
@@ -333,6 +338,10 @@ edges
 | tst2.js:30:9:30:9 | p | tst2.js:30:7:30:24 | p |
 | tst2.js:33:11:33:11 | p | tst2.js:37:12:37:18 | other.p |
 | tst2.js:33:11:33:11 | p | tst2.js:37:12:37:18 | other.p |
+| tst3.js:5:7:5:24 | p | tst3.js:6:12:6:12 | p |
+| tst3.js:5:7:5:24 | p | tst3.js:6:12:6:12 | p |
+| tst3.js:5:9:5:9 | p | tst3.js:5:7:5:24 | p |
+| tst3.js:5:9:5:9 | p | tst3.js:5:7:5:24 | p |
 #select
 | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value |
 | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | ReflectedXss.js:17:31:17:39 | params.id | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:17:31:17:39 | params.id | user-provided value |
@@ -376,3 +385,4 @@ edges
 | tst2.js:21:14:21:14 | p | tst2.js:14:9:14:9 | p | tst2.js:21:14:21:14 | p | Cross-site scripting vulnerability due to $@. | tst2.js:14:9:14:9 | p | user-provided value |
 | tst2.js:36:12:36:12 | p | tst2.js:30:9:30:9 | p | tst2.js:36:12:36:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
 | tst2.js:37:12:37:18 | other.p | tst2.js:30:9:30:9 | p | tst2.js:37:12:37:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
+| tst3.js:6:12:6:12 | p | tst3.js:5:9:5:9 | p | tst3.js:6:12:6:12 | p | Cross-site scripting vulnerability due to $@. | tst3.js:5:9:5:9 | p | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
index 8ddc55dde36..6a919f7b43a 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -39,3 +39,4 @@
 | tst2.js:21:14:21:14 | p | Cross-site scripting vulnerability due to $@. | tst2.js:14:9:14:9 | p | user-provided value |
 | tst2.js:36:12:36:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
 | tst2.js:37:12:37:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
+| tst3.js:6:12:6:12 | p | Cross-site scripting vulnerability due to $@. | tst3.js:5:9:5:9 | p | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js
new file mode 100644
index 00000000000..1fa1758c41c
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js
@@ -0,0 +1,7 @@
+var express = require('express');
+
+var app = express();
+app.enable('x-powered-by').disable('x-powered-by').get('/', function (req, res) {
+  let { p } = req.params;
+  res.send(p); // NOT OK
+});

From 9a1f80aa93279249aea0709c0f227cff8d1dfc7e Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 18 May 2021 22:21:30 +0200
Subject: [PATCH 1105/1429] accept updated test output for express test

---
 .../ql/test/library-tests/frameworks/Express/tests.expected   | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/javascript/ql/test/library-tests/frameworks/Express/tests.expected b/javascript/ql/test/library-tests/frameworks/Express/tests.expected
index c6b9ec97fc0..586a404b48a 100644
--- a/javascript/ql/test/library-tests/frameworks/Express/tests.expected
+++ b/javascript/ql/test/library-tests/frameworks/Express/tests.expected
@@ -1422,6 +1422,7 @@ test_appCreation
 | src/express.js:2:11:2:19 | express() |
 | src/inheritedFromNode.js:2:11:2:19 | express() |
 | src/params.js:2:11:2:19 | express() |
+| src/params.js:4:1:12:2 | app.par ...    }\\n}) |
 | src/responseExprs.js:2:11:2:19 | express() |
 | src/routesetups.js:7:11:7:32 | express ... erver() |
 | src/subrouter.js:2:11:2:19 | express() |
@@ -1519,6 +1520,7 @@ test_RouteExpr
 | src/express.js:46:1:51:2 | app.pos ... me];\\n}) | src/express.js:2:11:2:19 | express() |
 | src/inheritedFromNode.js:4:1:8:2 | app.pos ... url;\\n}) | src/inheritedFromNode.js:2:11:2:19 | express() |
 | src/params.js:4:1:12:2 | app.par ...    }\\n}) | src/params.js:2:11:2:19 | express() |
+| src/params.js:4:1:12:2 | app.par ...    }\\n}) | src/params.js:4:1:12:2 | app.par ...    }\\n}) |
 | src/params.js:14:1:16:2 | app.get ... o");\\n}) | src/params.js:2:11:2:19 | express() |
 | src/responseExprs.js:4:1:6:2 | app.get ... res1\\n}) | src/responseExprs.js:2:11:2:19 | express() |
 | src/responseExprs.js:7:1:9:2 | app.get ... es2;\\n}) | src/responseExprs.js:2:11:2:19 | express() |
@@ -2174,6 +2176,7 @@ test_isRouterCreation
 | src/express.js:2:11:2:19 | express() |
 | src/inheritedFromNode.js:2:11:2:19 | express() |
 | src/params.js:2:11:2:19 | express() |
+| src/params.js:4:1:12:2 | app.par ...    }\\n}) |
 | src/responseExprs.js:2:11:2:19 | express() |
 | src/route.js:2:14:2:29 | express.Router() |
 | src/routesetups.js:3:1:3:16 | express.Router() |
@@ -2264,6 +2267,7 @@ test_RouterDefinition_RouterDefinition
 | src/express.js:2:11:2:19 | express() |
 | src/inheritedFromNode.js:2:11:2:19 | express() |
 | src/params.js:2:11:2:19 | express() |
+| src/params.js:4:1:12:2 | app.par ...    }\\n}) |
 | src/responseExprs.js:2:11:2:19 | express() |
 | src/route.js:2:14:2:29 | express.Router() |
 | src/routesetups.js:3:1:3:16 | express.Router() |

From 60da193620f48a2d6cafdea415b52b623ba779c6 Mon Sep 17 00:00:00 2001
From: yoff <lerchedahl@gmail.com>
Date: Wed, 19 May 2021 08:08:59 +0200
Subject: [PATCH 1106/1429] Update
 python/ql/src/semmle/python/frameworks/Cryptodome.qll

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
---
 python/ql/src/semmle/python/frameworks/Cryptodome.qll | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/python/ql/src/semmle/python/frameworks/Cryptodome.qll b/python/ql/src/semmle/python/frameworks/Cryptodome.qll
index 8b012b47b3f..4d108196148 100644
--- a/python/ql/src/semmle/python/frameworks/Cryptodome.qll
+++ b/python/ql/src/semmle/python/frameworks/Cryptodome.qll
@@ -138,6 +138,8 @@ private module CryptodomeModel {
       methodName in ["update"] and
       result in [this.getArg(0), this.getArgByName("data")]
       or
+      // although `mac_tag` is used as the parameter name in the spec above, some implementations use `received_mac_tag`, for an example, see
+      // https://github.com/Legrandin/pycryptodome/blob/5dace638b70ac35bb5d9b565f3e75f7869c9d851/lib/Crypto/Cipher/ChaCha20_Poly1305.py#L207
       methodName in ["verify"] and
       result in [this.getArg(0), this.getArgByName(["mac_tag", "received_mac_tag"])]
       or

From 741eed93b2ddde49d69413cdac4d4511018f40d8 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 19 May 2021 09:03:05 +0200
Subject: [PATCH 1107/1429] C++: Replace minimum(any(...)) with a min
 aggregate. Also removed the min aggregate further down since it's no longer
 needed.

---
 cpp/ql/src/Critical/OverflowStatic.ql | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/Critical/OverflowStatic.ql b/cpp/ql/src/Critical/OverflowStatic.ql
index a7c1cb41cda..011c38ff734 100644
--- a/cpp/ql/src/Critical/OverflowStatic.ql
+++ b/cpp/ql/src/Critical/OverflowStatic.ql
@@ -101,7 +101,7 @@ class CallWithBufferSize extends FunctionCall {
     // result in this case we pick the minimum value obtainable from dataflow and range analysis.
     result =
       upperBound(statedSizeExpr())
-          .minimum(any(Expr statedSizeSrc |
+          .minimum(min(Expr statedSizeSrc |
               DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr())
             |
               statedSizeSrc.getValue().toInt()
@@ -112,7 +112,7 @@ class CallWithBufferSize extends FunctionCall {
 predicate wrongBufferSize(Expr error, string msg) {
   exists(CallWithBufferSize call, int bufsize, Variable buf, int statedSize |
     staticBuffer(call.buffer(), buf, bufsize) and
-    statedSize = min(call.statedSizeValue()) and
+    statedSize = call.statedSizeValue() and
     statedSize > bufsize and
     error = call.statedSizeExpr() and
     msg =

From 4d0051360684e04731d26bfb5556c73b7b1f54de Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 19 May 2021 10:47:04 +0200
Subject: [PATCH 1108/1429] C++: Use the isParameterDerefOrQualifierObject
 predicate to remove a disjunction.

---
 .../semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
index 8ed61da4c92..6f0d6ff92ff 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -748,16 +748,10 @@ private predicate modelFlow(Operand opFrom, Instruction iTo) {
       )
       or
       exists(int index, ReadSideEffectInstruction read |
-        modelIn.isParameterDeref(index) and
+        modelIn.isParameterDerefOrQualifierObject(index) and
         read = getSideEffectFor(call, index) and
         opFrom = read.getSideEffectOperand()
       )
-      or
-      exists(ReadSideEffectInstruction read |
-        modelIn.isQualifierObject() and
-        read = getSideEffectFor(call, -1) and
-        opFrom = read.getSideEffectOperand()
-      )
     )
   )
 }

From 904eacf9a21ef22be6cb7dfe3f208d2162648fbd Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 19 May 2021 11:10:06 +0200
Subject: [PATCH 1109/1429] Python: Use absolute import for PEP249

---
 python/ql/src/semmle/python/frameworks/MySQLdb.qll              | 2 +-
 python/ql/src/semmle/python/frameworks/MysqlConnectorPython.qll | 2 +-
 python/ql/src/semmle/python/frameworks/Psycopg2.qll             | 2 +-
 python/ql/src/semmle/python/frameworks/PyMySQL.qll              | 2 +-
 python/ql/src/semmle/python/frameworks/Stdlib.qll               | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/MySQLdb.qll b/python/ql/src/semmle/python/frameworks/MySQLdb.qll
index b36bf87c7d9..4f9c799d640 100644
--- a/python/ql/src/semmle/python/frameworks/MySQLdb.qll
+++ b/python/ql/src/semmle/python/frameworks/MySQLdb.qll
@@ -10,7 +10,7 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
-private import PEP249
+private import semmle.python.frameworks.PEP249
 
 /**
  * Provides models for the `MySQLdb` PyPI package.
diff --git a/python/ql/src/semmle/python/frameworks/MysqlConnectorPython.qll b/python/ql/src/semmle/python/frameworks/MysqlConnectorPython.qll
index 97cd4fd162c..989fb668746 100644
--- a/python/ql/src/semmle/python/frameworks/MysqlConnectorPython.qll
+++ b/python/ql/src/semmle/python/frameworks/MysqlConnectorPython.qll
@@ -10,7 +10,7 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
-private import PEP249
+private import semmle.python.frameworks.PEP249
 
 /**
  * Provides models for the `mysql-connector-python` package.
diff --git a/python/ql/src/semmle/python/frameworks/Psycopg2.qll b/python/ql/src/semmle/python/frameworks/Psycopg2.qll
index 1cc20026801..d966776b082 100644
--- a/python/ql/src/semmle/python/frameworks/Psycopg2.qll
+++ b/python/ql/src/semmle/python/frameworks/Psycopg2.qll
@@ -10,7 +10,7 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
-private import PEP249
+private import semmle.python.frameworks.PEP249
 
 /**
  * Provides models for the `psycopg2` PyPI package.
diff --git a/python/ql/src/semmle/python/frameworks/PyMySQL.qll b/python/ql/src/semmle/python/frameworks/PyMySQL.qll
index c078302b73f..452b87ed030 100644
--- a/python/ql/src/semmle/python/frameworks/PyMySQL.qll
+++ b/python/ql/src/semmle/python/frameworks/PyMySQL.qll
@@ -8,7 +8,7 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
-private import PEP249
+private import semmle.python.frameworks.PEP249
 
 /**
  * Provides models for the `PyMySQL` PyPI package.
diff --git a/python/ql/src/semmle/python/frameworks/Stdlib.qll b/python/ql/src/semmle/python/frameworks/Stdlib.qll
index 07753e9fde5..7acbbcae31b 100644
--- a/python/ql/src/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/src/semmle/python/frameworks/Stdlib.qll
@@ -9,7 +9,7 @@ private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
-private import PEP249
+private import semmle.python.frameworks.PEP249
 
 /** Provides models for the Python standard library. */
 private module Stdlib {

From e985204a6247445891bef71ea2a5b73929939808 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 19 May 2021 11:14:23 +0100
Subject: [PATCH 1110/1429] C++: Add change note.

---
 cpp/change-notes/2021-05-19-weak-cryptographic-algorithm.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 cpp/change-notes/2021-05-19-weak-cryptographic-algorithm.md

diff --git a/cpp/change-notes/2021-05-19-weak-cryptographic-algorithm.md b/cpp/change-notes/2021-05-19-weak-cryptographic-algorithm.md
new file mode 100644
index 00000000000..5e48ba166b7
--- /dev/null
+++ b/cpp/change-notes/2021-05-19-weak-cryptographic-algorithm.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been enhanced to reduce false positive results, and (rarely) find more true positive results.

From 75a43e76e8873e6719c293a44007f20fcc214c69 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Wed, 19 May 2021 11:54:47 +0000
Subject: [PATCH 1111/1429] Python: Address review comments.

- Removes the version check on the set of built-in names.
- Renames the predicate used to represent said set.
- Documents how these lists of names were obtained.
- Gets rid of a superfluous import.
---
 python/ql/src/semmle/python/ApiGraphs.qll | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 080c967ed2d..ad10f9950ff 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -349,10 +349,10 @@ module API {
       )
     }
 
-    private import semmle.python.types.Builtins as Builtins
-
-    /** Returns the names of known built-ins. */
-    private string builtin_name() {
+    /** Gets the name of a known built-in. */
+    private string getBuiltInName() {
+      // These lists were created by inspecting the `builtins` and `__builtin__` modules in
+      // Python 2 and 3 respectively, using the `dir` built-in.
       // Built-in functions and exceptions shared between Python 2 and 3
       result in [
           "abs", "all", "any", "bin", "bool", "bytearray", "callable", "chr", "classmethod",
@@ -381,7 +381,6 @@ module API {
       result in ["False", "True", "None", "NotImplemented", "Ellipsis", "__debug__"]
       or
       // Python 3 only
-      major_version() = 3 and
       result in [
           "ascii", "breakpoint", "bytes", "exec",
           // Exceptions
@@ -393,7 +392,6 @@ module API {
         ]
       or
       // Python 2 only
-      major_version() = 2 and
       result in [
           "basestring", "cmp", "execfile", "file", "long", "raw_input", "reduce", "reload",
           "unichr", "unicode", "xrange"
@@ -425,7 +423,7 @@ module API {
         not exists(LocalVariable v | n.defines(v)) and
         n.isStore() and
         name = n.getId() and
-        name = builtin_name() and
+        name = getBuiltInName() and
         m = n.getEnclosingModule()
       )
     }
@@ -438,7 +436,7 @@ module API {
       n.isGlobal() and
       n.isLoad() and
       name = n.getId() and
-      name = builtin_name() and
+      name = getBuiltInName() and
       m = n.getEnclosingModule()
     }
 

From f66dccafda939f94740e9aaf1a5d44ca625bb647 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 11 May 2021 13:49:56 +0200
Subject: [PATCH 1112/1429] Python: Rename prettyExp => prettyExpr

So we're consistenly using `expr` and not leaving our the `r`.
---
 .../experimental/dataflow/TestUtil/PrintNode.qll     | 12 ++++++------
 .../dataflow/tainttracking/TestTaintLib.qll          |  2 +-
 python/ql/test/experimental/meta/InlineTaintTest.qll |  4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/python/ql/test/experimental/dataflow/TestUtil/PrintNode.qll b/python/ql/test/experimental/dataflow/TestUtil/PrintNode.qll
index 84f97d3f6ff..46b1bfd9814 100644
--- a/python/ql/test/experimental/dataflow/TestUtil/PrintNode.qll
+++ b/python/ql/test/experimental/dataflow/TestUtil/PrintNode.qll
@@ -1,7 +1,7 @@
 import python
 import semmle.python.dataflow.new.DataFlow
 
-string prettyExp(Expr e) {
+string prettyExpr(Expr e) {
   not e instanceof Num and
   not e instanceof StrConst and
   not e instanceof Subscript and
@@ -15,17 +15,17 @@ string prettyExp(Expr e) {
     e.(StrConst).getPrefix() + e.(StrConst).getText() +
       e.(StrConst).getPrefix().regexpReplaceAll("[a-zA-Z]+", "")
   or
-  result = prettyExp(e.(Subscript).getObject()) + "[" + prettyExp(e.(Subscript).getIndex()) + "]"
+  result = prettyExpr(e.(Subscript).getObject()) + "[" + prettyExpr(e.(Subscript).getIndex()) + "]"
   or
   (
     if exists(e.(Call).getAnArg()) or exists(e.(Call).getANamedArg())
-    then result = prettyExp(e.(Call).getFunc()) + "(..)"
-    else result = prettyExp(e.(Call).getFunc()) + "()"
+    then result = prettyExpr(e.(Call).getFunc()) + "(..)"
+    else result = prettyExpr(e.(Call).getFunc()) + "()"
   )
   or
-  result = prettyExp(e.(Attribute).getObject()) + "." + e.(Attribute).getName()
+  result = prettyExpr(e.(Attribute).getObject()) + "." + e.(Attribute).getName()
 }
 
 string prettyNode(DataFlow::Node node) {
-  if exists(node.asExpr()) then result = prettyExp(node.asExpr()) else result = node.toString()
+  if exists(node.asExpr()) then result = prettyExpr(node.asExpr()) else result = node.toString()
 }
diff --git a/python/ql/test/experimental/dataflow/tainttracking/TestTaintLib.qll b/python/ql/test/experimental/dataflow/tainttracking/TestTaintLib.qll
index 32c04f3f3ab..f0e57d66787 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/TestTaintLib.qll
+++ b/python/ql/test/experimental/dataflow/tainttracking/TestTaintLib.qll
@@ -46,6 +46,6 @@ query predicate test_taint(string arg_location, string test_res, string scope_na
     arg_location = arg.getLocation().toString() and
     test_res = test_res and
     scope_name = call.getScope().getName() and
-    repr = prettyExp(arg)
+    repr = prettyExpr(arg)
   )
 }
diff --git a/python/ql/test/experimental/meta/InlineTaintTest.qll b/python/ql/test/experimental/meta/InlineTaintTest.qll
index dd0865adc4b..da1f084f97d 100644
--- a/python/ql/test/experimental/meta/InlineTaintTest.qll
+++ b/python/ql/test/experimental/meta/InlineTaintTest.qll
@@ -58,7 +58,7 @@ class InlineTaintTest extends InlineExpectationsTest {
     exists(DataFlow::Node sink |
       any(TestTaintTrackingConfiguration config).hasFlow(_, sink) and
       location = sink.getLocation() and
-      element = prettyExp(sink.asExpr()) and
+      element = prettyExpr(sink.asExpr()) and
       value = "" and
       tag = "tainted"
     )
@@ -84,7 +84,7 @@ query predicate untaintedArgumentToEnsureTaintedNotMarkedAsMissing(
   error = "ERROR, you should add `# $ MISSING: tainted` annotation" and
   exists(DataFlow::Node sink |
     sink = shouldBeTainted() and
-    element = prettyExp(sink.asExpr()) and
+    element = prettyExpr(sink.asExpr()) and
     not any(TestTaintTrackingConfiguration config).hasFlow(_, sink) and
     location = sink.getLocation() and
     not exists(FalseNegativeExpectation missingResult |

From 1af6d97c5118e15811cdf347bf6155a9d5a57a84 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 11 May 2021 14:21:55 +0200
Subject: [PATCH 1113/1429] Python: Remove straggling f-: annotations

---
 python/ql/test/library-tests/frameworks/stdlib/Encoding.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/ql/test/library-tests/frameworks/stdlib/Encoding.py b/python/ql/test/library-tests/frameworks/stdlib/Encoding.py
index 9a6923ce11f..5ab230ca20f 100644
--- a/python/ql/test/library-tests/frameworks/stdlib/Encoding.py
+++ b/python/ql/test/library-tests/frameworks/stdlib/Encoding.py
@@ -2,8 +2,8 @@ import pickle
 import marshal
 import base64
 
-pickle.dumps(obj)  # $ MISSING: f-:encodeInput=obj f-:encodeOutput=Attribute() f-:encodeFormat=pickle f-:encodeMayExecuteInput
-marshal.dumps(obj)  # $ MISSING: f-:encodeInput=obj f-:encodeOutput=Attribute() f-:encodeFormat=marshal f-:encodeMayExecuteInput
+pickle.dumps(obj)  # $ MISSING: encodeInput=obj encodeOutput=Attribute() encodeFormat=pickle encodeMayExecuteInput
+marshal.dumps(obj)  # $ MISSING: encodeInput=obj encodeOutput=Attribute() encodeFormat=marshal encodeMayExecuteInput
 
 # TODO: These tests should be merged with python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_string.py
 base64.b64encode(bs)  # $ encodeInput=bs encodeOutput=Attribute() encodeFormat=Base64

From 51a25e45fe55484f39e3ea3d42f0b2d16f045890 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 11 May 2021 14:45:34 +0200
Subject: [PATCH 1114/1429] Python: Use shared prettyExpr in ConceptsTest.qll

This required quite some changes in the expected output. I think it's much more
clear what the selected nodes are now :+1: (but it was a bit boring work to fix
this up)
---
 .../test/experimental/meta/ConceptsTest.qll   | 32 ++++++-------------
 .../library-tests/frameworks/dill/Decoding.py |  2 +-
 .../frameworks/django-v2-v3/response_test.py  | 10 +++---
 .../django-v2-v3/testproj/settings.py         |  2 +-
 .../frameworks/idna/taint_test.py             |  8 ++---
 .../frameworks/simplejson/taint_test.py       | 14 ++++----
 .../frameworks/stdlib-py3/Decoding.py         |  6 ++--
 .../frameworks/stdlib-py3/Encoding.py         |  6 ++--
 .../frameworks/stdlib/Decoding.py             | 16 +++++-----
 .../frameworks/stdlib/Encoding.py             | 16 +++++-----
 .../frameworks/ujson/taint_test.py            | 20 ++++++------
 .../library-tests/frameworks/yaml/Decoding.py | 32 +++++++++----------
 12 files changed, 76 insertions(+), 88 deletions(-)

diff --git a/python/ql/test/experimental/meta/ConceptsTest.qll b/python/ql/test/experimental/meta/ConceptsTest.qll
index 3800a4cd273..0a75937600f 100644
--- a/python/ql/test/experimental/meta/ConceptsTest.qll
+++ b/python/ql/test/experimental/meta/ConceptsTest.qll
@@ -2,19 +2,7 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.Concepts
 import TestUtilities.InlineExpectationsTest
-
-string value_from_expr(Expr e) {
-  // TODO: This one is starting to look like `repr` predicate from TestTaintLib
-  result =
-    e.(StrConst).getPrefix() + e.(StrConst).getText() +
-      e.(StrConst).getPrefix().regexpReplaceAll("[a-zA-Z]+", "")
-  or
-  result = e.(Name).getId()
-  or
-  not e instanceof StrConst and
-  not e instanceof Name and
-  result = e.toString()
-}
+import experimental.dataflow.TestUtil.PrintNode
 
 class SystemCommandExecutionTest extends InlineExpectationsTest {
   SystemCommandExecutionTest() { this = "SystemCommandExecutionTest" }
@@ -27,7 +15,7 @@ class SystemCommandExecutionTest extends InlineExpectationsTest {
       command = sce.getCommand() and
       location = command.getLocation() and
       element = command.toString() and
-      value = value_from_expr(command.asExpr()) and
+      value = prettyExpr(command.asExpr()) and
       tag = "getCommand"
     )
   }
@@ -46,7 +34,7 @@ class DecodingTest extends InlineExpectationsTest {
       exists(DataFlow::Node data |
         location = data.getLocation() and
         element = data.toString() and
-        value = value_from_expr(data.asExpr()) and
+        value = prettyExpr(data.asExpr()) and
         (
           data = d.getAnInput() and
           tag = "decodeInput"
@@ -84,7 +72,7 @@ class EncodingTest extends InlineExpectationsTest {
       exists(DataFlow::Node data |
         location = data.getLocation() and
         element = data.toString() and
-        value = value_from_expr(data.asExpr()) and
+        value = prettyExpr(data.asExpr()) and
         (
           data = e.getAnInput() and
           tag = "encodeInput"
@@ -117,7 +105,7 @@ class CodeExecutionTest extends InlineExpectationsTest {
       code = ce.getCode() and
       location = code.getLocation() and
       element = code.toString() and
-      value = value_from_expr(code.asExpr()) and
+      value = prettyExpr(code.asExpr()) and
       tag = "getCode"
     )
   }
@@ -135,7 +123,7 @@ class SqlExecutionTest extends InlineExpectationsTest {
       sql = e.getSql() and
       location = e.getLocation() and
       element = sql.toString() and
-      value = value_from_expr(sql.asExpr()) and
+      value = prettyExpr(sql.asExpr()) and
       tag = "getSql"
     )
   }
@@ -218,7 +206,7 @@ class HttpServerHttpResponseTest extends InlineExpectationsTest {
       exists(HTTP::Server::HttpResponse response |
         location = response.getLocation() and
         element = response.toString() and
-        value = value_from_expr(response.getBody().asExpr()) and
+        value = prettyExpr(response.getBody().asExpr()) and
         tag = "responseBody"
       )
       or
@@ -257,7 +245,7 @@ class HttpServerHttpRedirectResponseTest extends InlineExpectationsTest {
       exists(HTTP::Server::HttpRedirectResponse redirect |
         location = redirect.getLocation() and
         element = redirect.toString() and
-        value = value_from_expr(redirect.getRedirectLocation().asExpr()) and
+        value = prettyExpr(redirect.getRedirectLocation().asExpr()) and
         tag = "redirectLocation"
       )
     )
@@ -275,7 +263,7 @@ class FileSystemAccessTest extends InlineExpectationsTest {
       path = a.getAPathArgument() and
       location = a.getLocation() and
       element = path.toString() and
-      value = value_from_expr(path.asExpr()) and
+      value = prettyExpr(path.asExpr()) and
       tag = "getAPathArgument"
     )
   }
@@ -309,7 +297,7 @@ class SafeAccessCheckTest extends InlineExpectationsTest {
       location = c.getLocation() and
       (
         element = checks.toString() and
-        value = value_from_expr(checks.asExpr()) and
+        value = prettyExpr(checks.asExpr()) and
         tag = "checks"
         or
         element = branch.toString() and
diff --git a/python/ql/test/library-tests/frameworks/dill/Decoding.py b/python/ql/test/library-tests/frameworks/dill/Decoding.py
index a02b013104b..49eb551af04 100644
--- a/python/ql/test/library-tests/frameworks/dill/Decoding.py
+++ b/python/ql/test/library-tests/frameworks/dill/Decoding.py
@@ -1,3 +1,3 @@
 import dill
 
-dill.loads(payload)  # $decodeInput=payload decodeOutput=Attribute() decodeFormat=dill decodeMayExecuteInput
+dill.loads(payload)  # $decodeInput=payload decodeOutput=dill.loads(..) decodeFormat=dill decodeMayExecuteInput
diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py b/python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py
index feeb4d48b88..c7da2f35b6a 100644
--- a/python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py
+++ b/python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py
@@ -74,20 +74,20 @@ class CustomRedirectView(RedirectView):
 
 # Ensure that simple subclasses are still vuln to XSS
 def xss__not_found(request):
-    return HttpResponseNotFound(request.GET.get("name"))  # $HttpResponse mimetype=text/html responseBody=Attribute()
+    return HttpResponseNotFound(request.GET.get("name"))  # $HttpResponse mimetype=text/html responseBody=request.GET.get(..)
 
 # Ensure we still have an XSS sink when manually setting the content_type to HTML
 def xss__manual_response_type(request):
-    return HttpResponse(request.GET.get("name"), content_type="text/html; charset=utf-8")  # $HttpResponse mimetype=text/html responseBody=Attribute()
+    return HttpResponse(request.GET.get("name"), content_type="text/html; charset=utf-8")  # $HttpResponse mimetype=text/html responseBody=request.GET.get(..)
 
 def xss__write(request):
     response = HttpResponse()  # $HttpResponse mimetype=text/html
-    response.write(request.GET.get("name"))  # $HttpResponse mimetype=text/html responseBody=Attribute()
+    response.write(request.GET.get("name"))  # $HttpResponse mimetype=text/html responseBody=request.GET.get(..)
 
 # This is safe but probably a bug if the argument to `write` is not a result of `json.dumps` or similar.
 def safe__write_json(request):
     response = JsonResponse()  # $HttpResponse mimetype=application/json
-    response.write(request.GET.get("name"))  # $HttpResponse mimetype=application/json responseBody=Attribute()
+    response.write(request.GET.get("name"))  # $HttpResponse mimetype=application/json responseBody=request.GET.get(..)
 
 # Ensure manual subclasses are vulnerable
 class CustomResponse(HttpResponse):
@@ -95,7 +95,7 @@ class CustomResponse(HttpResponse):
         super().__init__(content, *args, content_type="text/html", **kwargs)
 
 def xss__custom_response(request):
-    return CustomResponse("ACME Responses", request.GET("name"))  # $HttpResponse MISSING: mimetype=text/html responseBody=Attribute() SPURIOUS: responseBody="ACME Responses"
+    return CustomResponse("ACME Responses", request.GET("name"))  # $HttpResponse MISSING: mimetype=text/html responseBody=request.GET.get(..) SPURIOUS: responseBody="ACME Responses"
 
 class CustomJsonResponse(JsonResponse):
     def __init__(self, banner, content, *args, **kwargs):
diff --git a/python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py b/python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py
index 1339a14312c..5343182c1c9 100644
--- a/python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py
+++ b/python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py
@@ -13,7 +13,7 @@ https://docs.djangoproject.com/en/3.1/ref/settings/
 from pathlib import Path
 
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
-BASE_DIR = Path(__file__).resolve().parent.parent  #$ getAPathArgument=Path()
+BASE_DIR = Path(__file__).resolve().parent.parent  #$ getAPathArgument=Path(..)
 
 
 # Quick-start development settings - unsuitable for production
diff --git a/python/ql/test/library-tests/frameworks/idna/taint_test.py b/python/ql/test/library-tests/frameworks/idna/taint_test.py
index 61b9dad166c..3b20b9e678e 100644
--- a/python/ql/test/library-tests/frameworks/idna/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/idna/taint_test.py
@@ -5,9 +5,9 @@ def test_idna():
     tb = TAINTED_BYTES
 
     ensure_tainted(
-        idna.encode(ts),  # $ tainted encodeInput=ts encodeOutput=Attribute() encodeFormat=IDNA
-        idna.encode(s=ts),  # $ tainted encodeInput=ts encodeOutput=Attribute() encodeFormat=IDNA
+        idna.encode(ts),  # $ tainted encodeInput=ts encodeOutput=idna.encode(..) encodeFormat=IDNA
+        idna.encode(s=ts),  # $ tainted encodeInput=ts encodeOutput=idna.encode(..) encodeFormat=IDNA
 
-        idna.decode(tb),  # $ tainted decodeInput=tb decodeOutput=Attribute() decodeFormat=IDNA
-        idna.decode(s=tb),  # $ tainted decodeInput=tb decodeOutput=Attribute() decodeFormat=IDNA
+        idna.decode(tb),  # $ tainted decodeInput=tb decodeOutput=idna.decode(..) decodeFormat=IDNA
+        idna.decode(s=tb),  # $ tainted decodeInput=tb decodeOutput=idna.decode(..) decodeFormat=IDNA
     )
diff --git a/python/ql/test/library-tests/frameworks/simplejson/taint_test.py b/python/ql/test/library-tests/frameworks/simplejson/taint_test.py
index 6f5d45b0b33..59bec5d6978 100644
--- a/python/ql/test/library-tests/frameworks/simplejson/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/simplejson/taint_test.py
@@ -5,14 +5,14 @@ def test():
     ts = TAINTED_STRING
     tainted_obj = {"foo": ts}
 
-    encoded = simplejson.dumps(tainted_obj) # $ encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
+    encoded = simplejson.dumps(tainted_obj) # $ encodeOutput=simplejson.dumps(..) encodeFormat=JSON encodeInput=tainted_obj
 
     ensure_tainted(
         encoded, # $ tainted
-        simplejson.dumps(tainted_obj), # $ tainted encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
-        simplejson.dumps(obj=tainted_obj), # $ tainted encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
-        simplejson.loads(encoded), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=encoded
-        simplejson.loads(s=encoded), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=encoded
+        simplejson.dumps(tainted_obj), # $ tainted encodeOutput=simplejson.dumps(..) encodeFormat=JSON encodeInput=tainted_obj
+        simplejson.dumps(obj=tainted_obj), # $ tainted encodeOutput=simplejson.dumps(..) encodeFormat=JSON encodeInput=tainted_obj
+        simplejson.loads(encoded), # $ tainted decodeOutput=simplejson.loads(..) decodeFormat=JSON decodeInput=encoded
+        simplejson.loads(s=encoded), # $ tainted decodeOutput=simplejson.loads(..) decodeFormat=JSON decodeInput=encoded
     )
 
     # load/dump with file-like
@@ -22,7 +22,7 @@ def test():
     tainted_filelike.seek(0)
     ensure_tainted(
         tainted_filelike, # $ MISSING: tainted
-        simplejson.load(tainted_filelike), # $ decodeOutput=Attribute() decodeFormat=JSON decodeInput=tainted_filelike MISSING: tainted
+        simplejson.load(tainted_filelike), # $ decodeOutput=simplejson.load(..) decodeFormat=JSON decodeInput=tainted_filelike MISSING: tainted
     )
 
     # load/dump with file-like using keyword-args
@@ -32,7 +32,7 @@ def test():
     tainted_filelike.seek(0)
     ensure_tainted(
         tainted_filelike, # $ MISSING: tainted
-        simplejson.load(fp=tainted_filelike), # $ decodeOutput=Attribute() decodeFormat=JSON decodeInput=tainted_filelike MISSING: tainted
+        simplejson.load(fp=tainted_filelike), # $ decodeOutput=simplejson.load(..) decodeFormat=JSON decodeInput=tainted_filelike MISSING: tainted
     )
 
 # To make things runable
diff --git a/python/ql/test/library-tests/frameworks/stdlib-py3/Decoding.py b/python/ql/test/library-tests/frameworks/stdlib-py3/Decoding.py
index 886932495f2..11cca46bdf7 100644
--- a/python/ql/test/library-tests/frameworks/stdlib-py3/Decoding.py
+++ b/python/ql/test/library-tests/frameworks/stdlib-py3/Decoding.py
@@ -1,6 +1,6 @@
 import base64
 
 # TODO: These tests should be merged with python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_string.py
-base64.a85decode(payload)  # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=Ascii85
-base64.b85decode(payload)  # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=Base85
-base64.decodebytes(payload)  # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=Base64
+base64.a85decode(payload)  # $ decodeInput=payload decodeOutput=base64.a85decode(..) decodeFormat=Ascii85
+base64.b85decode(payload)  # $ decodeInput=payload decodeOutput=base64.b85decode(..) decodeFormat=Base85
+base64.decodebytes(payload)  # $ decodeInput=payload decodeOutput=base64.decodebytes(..) decodeFormat=Base64
diff --git a/python/ql/test/library-tests/frameworks/stdlib-py3/Encoding.py b/python/ql/test/library-tests/frameworks/stdlib-py3/Encoding.py
index 79fd3a2cd76..7aea6a5e579 100644
--- a/python/ql/test/library-tests/frameworks/stdlib-py3/Encoding.py
+++ b/python/ql/test/library-tests/frameworks/stdlib-py3/Encoding.py
@@ -1,6 +1,6 @@
 import base64
 
 # TODO: These tests should be merged with python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/test_string.py
-base64.a85encode(bs) # $ encodeInput=bs encodeOutput=Attribute() encodeFormat=Ascii85
-base64.b85encode(bs)# $ encodeInput=bs encodeOutput=Attribute() encodeFormat=Base85
-base64.encodebytes(bs)# $ encodeInput=bs encodeOutput=Attribute() encodeFormat=Base64
+base64.a85encode(bs) # $ encodeInput=bs encodeOutput=base64.a85encode(..) encodeFormat=Ascii85
+base64.b85encode(bs)# $ encodeInput=bs encodeOutput=base64.b85encode(..) encodeFormat=Base85
+base64.encodebytes(bs)# $ encodeInput=bs encodeOutput=base64.encodebytes(..) encodeFormat=Base64
diff --git a/python/ql/test/library-tests/frameworks/stdlib/Decoding.py b/python/ql/test/library-tests/frameworks/stdlib/Decoding.py
index baf97c90c4d..5d157a61f6e 100644
--- a/python/ql/test/library-tests/frameworks/stdlib/Decoding.py
+++ b/python/ql/test/library-tests/frameworks/stdlib/Decoding.py
@@ -2,14 +2,14 @@ import pickle
 import marshal
 import base64
 
-pickle.loads(payload)  # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=pickle decodeMayExecuteInput
-marshal.loads(payload)  # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=marshal decodeMayExecuteInput
+pickle.loads(payload)  # $ decodeInput=payload decodeOutput=pickle.loads(..) decodeFormat=pickle decodeMayExecuteInput
+marshal.loads(payload)  # $ decodeInput=payload decodeOutput=marshal.loads(..) decodeFormat=marshal decodeMayExecuteInput
 
 # TODO: These tests should be merged with python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_string.py
-base64.b64decode(payload)  # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=Base64
-base64.standard_b64decode(payload)  # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=Base64
-base64.urlsafe_b64decode(payload)  # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=Base64
-base64.b32decode(payload)  # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=Base32
-base64.b16decode(payload)  # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=Base16
+base64.b64decode(payload)  # $ decodeInput=payload decodeOutput=base64.b64decode(..) decodeFormat=Base64
+base64.standard_b64decode(payload)  # $ decodeInput=payload decodeOutput=base64.standard_b64decode(..) decodeFormat=Base64
+base64.urlsafe_b64decode(payload)  # $ decodeInput=payload decodeOutput=base64.urlsafe_b64decode(..) decodeFormat=Base64
+base64.b32decode(payload)  # $ decodeInput=payload decodeOutput=base64.b32decode(..) decodeFormat=Base32
+base64.b16decode(payload)  # $ decodeInput=payload decodeOutput=base64.b16decode(..) decodeFormat=Base16
 # deprecated since Python 3.1, but still works
-base64.decodestring(payload)  # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=Base64
+base64.decodestring(payload)  # $ decodeInput=payload decodeOutput=base64.decodestring(..) decodeFormat=Base64
diff --git a/python/ql/test/library-tests/frameworks/stdlib/Encoding.py b/python/ql/test/library-tests/frameworks/stdlib/Encoding.py
index 5ab230ca20f..2ad51e66fc1 100644
--- a/python/ql/test/library-tests/frameworks/stdlib/Encoding.py
+++ b/python/ql/test/library-tests/frameworks/stdlib/Encoding.py
@@ -2,14 +2,14 @@ import pickle
 import marshal
 import base64
 
-pickle.dumps(obj)  # $ MISSING: encodeInput=obj encodeOutput=Attribute() encodeFormat=pickle encodeMayExecuteInput
-marshal.dumps(obj)  # $ MISSING: encodeInput=obj encodeOutput=Attribute() encodeFormat=marshal encodeMayExecuteInput
+pickle.dumps(obj)  # $ MISSING: encodeInput=obj encodeOutput=pickle.dumps(..) encodeFormat=pickle encodeMayExecuteInput
+marshal.dumps(obj)  # $ MISSING: encodeInput=obj encodeOutput=marshal.dumps(..) encodeFormat=marshal encodeMayExecuteInput
 
 # TODO: These tests should be merged with python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_string.py
-base64.b64encode(bs)  # $ encodeInput=bs encodeOutput=Attribute() encodeFormat=Base64
-base64.standard_b64encode(bs)  # $ encodeInput=bs encodeOutput=Attribute() encodeFormat=Base64
-base64.urlsafe_b64encode(bs)  # $ encodeInput=bs encodeOutput=Attribute() encodeFormat=Base64
-base64.b32encode(bs)  # $ encodeInput=bs encodeOutput=Attribute() encodeFormat=Base32
-base64.b16encode(bs)  # $ encodeInput=bs encodeOutput=Attribute() encodeFormat=Base16
+base64.b64encode(bs)  # $ encodeInput=bs encodeOutput=base64.b64encode(..) encodeFormat=Base64
+base64.standard_b64encode(bs)  # $ encodeInput=bs encodeOutput=base64.standard_b64encode(..) encodeFormat=Base64
+base64.urlsafe_b64encode(bs)  # $ encodeInput=bs encodeOutput=base64.urlsafe_b64encode(..) encodeFormat=Base64
+base64.b32encode(bs)  # $ encodeInput=bs encodeOutput=base64.b32encode(..) encodeFormat=Base32
+base64.b16encode(bs)  # $ encodeInput=bs encodeOutput=base64.b16encode(..) encodeFormat=Base16
 # deprecated since Python 3.1, but still works
-base64.encodestring(bs)  # $ encodeInput=bs encodeOutput=Attribute() encodeFormat=Base64
+base64.encodestring(bs)  # $ encodeInput=bs encodeOutput=base64.encodestring(..) encodeFormat=Base64
diff --git a/python/ql/test/library-tests/frameworks/ujson/taint_test.py b/python/ql/test/library-tests/frameworks/ujson/taint_test.py
index 2c965518393..49423625a58 100644
--- a/python/ql/test/library-tests/frameworks/ujson/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/ujson/taint_test.py
@@ -5,19 +5,19 @@ def test():
     ts = TAINTED_STRING
     tainted_obj = {"foo": ts}
 
-    encoded = ujson.dumps(tainted_obj) # $ encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
+    encoded = ujson.dumps(tainted_obj) # $ encodeOutput=ujson.dumps(..) encodeFormat=JSON encodeInput=tainted_obj
 
     ensure_tainted(
         encoded, # $ tainted
-        ujson.dumps(tainted_obj), # $ tainted encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
-        ujson.dumps(obj=tainted_obj), # $ tainted encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
-        ujson.loads(encoded), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=encoded
-        ujson.loads(obj=encoded), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=encoded
+        ujson.dumps(tainted_obj), # $ tainted encodeOutput=ujson.dumps(..) encodeFormat=JSON encodeInput=tainted_obj
+        ujson.dumps(obj=tainted_obj), # $ tainted encodeOutput=ujson.dumps(..) encodeFormat=JSON encodeInput=tainted_obj
+        ujson.loads(encoded), # $ tainted decodeOutput=ujson.loads(..) decodeFormat=JSON decodeInput=encoded
+        ujson.loads(obj=encoded), # $ tainted decodeOutput=ujson.loads(..) decodeFormat=JSON decodeInput=encoded
 
-        ujson.encode(tainted_obj), # $ tainted encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
-        ujson.encode(obj=tainted_obj), # $ tainted encodeOutput=Attribute() encodeFormat=JSON encodeInput=tainted_obj
-        ujson.decode(encoded), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=encoded
-        ujson.decode(obj=encoded), # $ tainted decodeOutput=Attribute() decodeFormat=JSON decodeInput=encoded
+        ujson.encode(tainted_obj), # $ tainted encodeOutput=ujson.encode(..) encodeFormat=JSON encodeInput=tainted_obj
+        ujson.encode(obj=tainted_obj), # $ tainted encodeOutput=ujson.encode(..) encodeFormat=JSON encodeInput=tainted_obj
+        ujson.decode(encoded), # $ tainted decodeOutput=ujson.decode(..) decodeFormat=JSON decodeInput=encoded
+        ujson.decode(obj=encoded), # $ tainted decodeOutput=ujson.decode(..) decodeFormat=JSON decodeInput=encoded
     )
 
     # load/dump with file-like
@@ -27,7 +27,7 @@ def test():
     tainted_filelike.seek(0)
     ensure_tainted(
         tainted_filelike, # $ MISSING: tainted
-        ujson.load(tainted_filelike), # $ decodeOutput=Attribute() decodeFormat=JSON decodeInput=tainted_filelike MISSING: tainted
+        ujson.load(tainted_filelike), # $ decodeOutput=ujson.load(..) decodeFormat=JSON decodeInput=tainted_filelike MISSING: tainted
     )
 
     # load/dump with file-like using keyword-args does not work in `ujson`
diff --git a/python/ql/test/library-tests/frameworks/yaml/Decoding.py b/python/ql/test/library-tests/frameworks/yaml/Decoding.py
index 987ea76552a..b3cc627883d 100644
--- a/python/ql/test/library-tests/frameworks/yaml/Decoding.py
+++ b/python/ql/test/library-tests/frameworks/yaml/Decoding.py
@@ -1,37 +1,37 @@
 import yaml
 
 # Unsafe:
-yaml.load(payload)  # $decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML decodeMayExecuteInput
-yaml.load(payload, yaml.Loader)  # $decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML decodeMayExecuteInput
-yaml.unsafe_load(payload) # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML decodeMayExecuteInput
-yaml.full_load(payload) # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML decodeMayExecuteInput
+yaml.load(payload)  # $decodeInput=payload decodeOutput=yaml.load(..) decodeFormat=YAML decodeMayExecuteInput
+yaml.load(payload, yaml.Loader)  # $decodeInput=payload decodeOutput=yaml.load(..) decodeFormat=YAML decodeMayExecuteInput
+yaml.unsafe_load(payload) # $ decodeInput=payload decodeOutput=yaml.unsafe_load(..) decodeFormat=YAML decodeMayExecuteInput
+yaml.full_load(payload) # $ decodeInput=payload decodeOutput=yaml.full_load(..) decodeFormat=YAML decodeMayExecuteInput
 
 # Safe:
-yaml.load(payload, yaml.SafeLoader)  # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML
-yaml.load(payload, Loader=yaml.SafeLoader)  # $decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML
-yaml.load(payload, yaml.BaseLoader)  # $decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML
-yaml.safe_load(payload) # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML
+yaml.load(payload, yaml.SafeLoader)  # $ decodeInput=payload decodeOutput=yaml.load(..) decodeFormat=YAML
+yaml.load(payload, Loader=yaml.SafeLoader)  # $decodeInput=payload decodeOutput=yaml.load(..) decodeFormat=YAML
+yaml.load(payload, yaml.BaseLoader)  # $decodeInput=payload decodeOutput=yaml.load(..) decodeFormat=YAML
+yaml.safe_load(payload) # $ decodeInput=payload decodeOutput=yaml.safe_load(..) decodeFormat=YAML
 
 ################################################################################
 # load_all variants
 ################################################################################
 
 # Unsafe:
-yaml.load_all(payload) # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML decodeMayExecuteInput
-yaml.unsafe_load_all(payload) # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML decodeMayExecuteInput
-yaml.full_load_all(payload) # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML decodeMayExecuteInput
+yaml.load_all(payload) # $ decodeInput=payload decodeOutput=yaml.load_all(..) decodeFormat=YAML decodeMayExecuteInput
+yaml.unsafe_load_all(payload) # $ decodeInput=payload decodeOutput=yaml.unsafe_load_all(..) decodeFormat=YAML decodeMayExecuteInput
+yaml.full_load_all(payload) # $ decodeInput=payload decodeOutput=yaml.full_load_all(..) decodeFormat=YAML decodeMayExecuteInput
 
 # Safe:
-yaml.safe_load_all(payload) # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML
+yaml.safe_load_all(payload) # $ decodeInput=payload decodeOutput=yaml.safe_load_all(..) decodeFormat=YAML
 
 ################################################################################
 # C-based loaders with `libyaml`
 ################################################################################
 
 # Unsafe:
-yaml.load(payload, yaml.CLoader)  # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML decodeMayExecuteInput
-yaml.load(payload, yaml.CFullLoader)  # $ decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML decodeMayExecuteInput
+yaml.load(payload, yaml.CLoader)  # $ decodeInput=payload decodeOutput=yaml.load(..) decodeFormat=YAML decodeMayExecuteInput
+yaml.load(payload, yaml.CFullLoader)  # $ decodeInput=payload decodeOutput=yaml.load(..) decodeFormat=YAML decodeMayExecuteInput
 
 # Safe:
-yaml.load(payload, yaml.CSafeLoader)  # $decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML
-yaml.load(payload, yaml.CBaseLoader)  # $decodeInput=payload decodeOutput=Attribute() decodeFormat=YAML
+yaml.load(payload, yaml.CSafeLoader)  # $decodeInput=payload decodeOutput=yaml.load(..) decodeFormat=YAML
+yaml.load(payload, yaml.CBaseLoader)  # $decodeInput=payload decodeOutput=yaml.load(..) decodeFormat=YAML

From 9dbb364ccab04f03d81666f2845cb16921700f28 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 11 May 2021 15:19:06 +0200
Subject: [PATCH 1115/1429] Python: Move json tests to be part of stdlib

This is better, since the modeling is also part of Stdlib.qll
---
 .../defaultAdditionalTaintStep/test_json.py   | 53 -------------------
 .../frameworks/stdlib/test_json.py            | 40 ++++++++++++++
 2 files changed, 40 insertions(+), 53 deletions(-)
 delete mode 100644 python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py
 create mode 100644 python/ql/test/library-tests/frameworks/stdlib/test_json.py

diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py
deleted file mode 100644
index b1b0536b03b..00000000000
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/test_json.py
+++ /dev/null
@@ -1,53 +0,0 @@
-# Add taintlib to PATH so it can be imported during runtime without any hassle
-import sys; import os; sys.path.append(os.path.dirname(os.path.dirname((__file__))))
-from taintlib import *
-
-# This has no runtime impact, but allows autocomplete to work
-from typing import TYPE_CHECKING
-if TYPE_CHECKING:
-    from ..taintlib import *
-
-
-# Actual tests
-
-from io import StringIO
-import json
-
-def test():
-    print("\n# test")
-    ts = TAINTED_STRING
-
-    encoded = json.dumps(ts)
-
-    ensure_tainted(
-        encoded, # $ tainted
-        json.dumps(ts), # $ tainted
-        json.dumps(obj=ts), # $ tainted
-        json.loads(encoded), # $ tainted
-        json.loads(s=encoded), # $ tainted
-    )
-
-    # load/dump with file-like
-    tainted_filelike = StringIO()
-    json.dump(ts, tainted_filelike)
-
-    tainted_filelike.seek(0)
-    ensure_tainted(
-        tainted_filelike, # $ tainted
-        json.load(tainted_filelike), # $ tainted
-    )
-
-    # load/dump with file-like using keyword-args
-    tainted_filelike = StringIO()
-    json.dump(obj=ts, fp=tainted_filelike)
-
-    tainted_filelike.seek(0)
-    ensure_tainted(
-        tainted_filelike, # $ tainted
-        json.load(fp=tainted_filelike), # $ tainted
-    )
-
-
-# Make tests runable
-
-test()
diff --git a/python/ql/test/library-tests/frameworks/stdlib/test_json.py b/python/ql/test/library-tests/frameworks/stdlib/test_json.py
new file mode 100644
index 00000000000..34f15391f56
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/stdlib/test_json.py
@@ -0,0 +1,40 @@
+from io import StringIO
+import json
+
+def test():
+    print("\n# test")
+    ts = TAINTED_STRING
+
+    encoded = json.dumps(ts) # $ encodeOutput=json.dumps(..) encodeFormat=JSON encodeInput=ts
+
+    ensure_tainted(
+        encoded, # $ tainted
+        json.dumps(ts), # $ tainted encodeOutput=json.dumps(..) encodeFormat=JSON encodeInput=ts
+        json.dumps(obj=ts), # $ tainted encodeOutput=json.dumps(..) encodeFormat=JSON encodeInput=ts
+        json.loads(encoded), # $ tainted decodeOutput=json.loads(..) decodeFormat=JSON decodeInput=encoded
+        json.loads(s=encoded), # $ tainted decodeOutput=json.loads(..) decodeFormat=JSON decodeInput=encoded
+    )
+
+    # load/dump with file-like
+    tainted_filelike = StringIO()
+    json.dump(ts, tainted_filelike) # $ encodeFormat=JSON encodeInput=ts
+
+    tainted_filelike.seek(0)
+    ensure_tainted(
+        tainted_filelike, # $ tainted
+        json.load(tainted_filelike), # $ tainted decodeOutput=json.load(..) decodeFormat=JSON decodeInput=tainted_filelike
+    )
+
+    # load/dump with file-like using keyword-args
+    tainted_filelike = StringIO()
+    json.dump(obj=ts, fp=tainted_filelike) # $ encodeFormat=JSON encodeInput=ts
+
+    tainted_filelike.seek(0)
+    ensure_tainted(
+        tainted_filelike, # $ tainted
+        json.load(fp=tainted_filelike), # $ tainted decodeOutput=json.load(..) decodeFormat=JSON decodeInput=tainted_filelike
+    )
+
+
+# Make tests runable
+test()

From 61ad5d0673915ded9fc65ffbaf5b4ae73de1b74a Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 11 May 2021 14:59:35 +0200
Subject: [PATCH 1116/1429] Python: Allow printing PostUpdateNode in
 ConceptsTest.qll

See how this works in `test_json.py`
---
 .../dataflow/TestUtil/PrintNode.qll           | 24 +++++++++++++++++++
 .../test/experimental/meta/ConceptsTest.qll   | 18 +++++++-------
 .../frameworks/stdlib/test_json.py            |  4 ++--
 3 files changed, 35 insertions(+), 11 deletions(-)

diff --git a/python/ql/test/experimental/dataflow/TestUtil/PrintNode.qll b/python/ql/test/experimental/dataflow/TestUtil/PrintNode.qll
index 46b1bfd9814..6b55beada17 100644
--- a/python/ql/test/experimental/dataflow/TestUtil/PrintNode.qll
+++ b/python/ql/test/experimental/dataflow/TestUtil/PrintNode.qll
@@ -26,6 +26,30 @@ string prettyExpr(Expr e) {
   result = prettyExpr(e.(Attribute).getObject()) + "." + e.(Attribute).getName()
 }
 
+/**
+ * Gets pretty-printed version of the DataFlow::Node `node`
+ */
+bindingset[node]
 string prettyNode(DataFlow::Node node) {
   if exists(node.asExpr()) then result = prettyExpr(node.asExpr()) else result = node.toString()
 }
+
+/**
+ * Gets pretty-printed version of the DataFlow::Node `node`, that is suitable for use
+ * with `TestUtilities.InlineExpectationsTest` (that is, no spaces unless required).
+ */
+bindingset[node]
+string prettyNodeForInlineTest(DataFlow::Node node) {
+  exists(node.asExpr()) and
+  result = prettyExpr(node.asExpr())
+  or
+  exists(Expr e | e = node.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() |
+    // since PostUpdateNode both has space in the `[post <thing>]` annotation, and does
+    // not pretty print the pre-update node, we do custom handling of this.
+    result = "[post]" + prettyExpr(e)
+  )
+  or
+  not exists(node.asExpr()) and
+  not exists(Expr e | e = node.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()) and
+  result = node.toString()
+}
diff --git a/python/ql/test/experimental/meta/ConceptsTest.qll b/python/ql/test/experimental/meta/ConceptsTest.qll
index 0a75937600f..6c97662feea 100644
--- a/python/ql/test/experimental/meta/ConceptsTest.qll
+++ b/python/ql/test/experimental/meta/ConceptsTest.qll
@@ -15,7 +15,7 @@ class SystemCommandExecutionTest extends InlineExpectationsTest {
       command = sce.getCommand() and
       location = command.getLocation() and
       element = command.toString() and
-      value = prettyExpr(command.asExpr()) and
+      value = prettyNodeForInlineTest(command) and
       tag = "getCommand"
     )
   }
@@ -34,7 +34,7 @@ class DecodingTest extends InlineExpectationsTest {
       exists(DataFlow::Node data |
         location = data.getLocation() and
         element = data.toString() and
-        value = prettyExpr(data.asExpr()) and
+        value = prettyNodeForInlineTest(data) and
         (
           data = d.getAnInput() and
           tag = "decodeInput"
@@ -72,7 +72,7 @@ class EncodingTest extends InlineExpectationsTest {
       exists(DataFlow::Node data |
         location = data.getLocation() and
         element = data.toString() and
-        value = prettyExpr(data.asExpr()) and
+        value = prettyNodeForInlineTest(data) and
         (
           data = e.getAnInput() and
           tag = "encodeInput"
@@ -105,7 +105,7 @@ class CodeExecutionTest extends InlineExpectationsTest {
       code = ce.getCode() and
       location = code.getLocation() and
       element = code.toString() and
-      value = prettyExpr(code.asExpr()) and
+      value = prettyNodeForInlineTest(code) and
       tag = "getCode"
     )
   }
@@ -123,7 +123,7 @@ class SqlExecutionTest extends InlineExpectationsTest {
       sql = e.getSql() and
       location = e.getLocation() and
       element = sql.toString() and
-      value = prettyExpr(sql.asExpr()) and
+      value = prettyNodeForInlineTest(sql) and
       tag = "getSql"
     )
   }
@@ -206,7 +206,7 @@ class HttpServerHttpResponseTest extends InlineExpectationsTest {
       exists(HTTP::Server::HttpResponse response |
         location = response.getLocation() and
         element = response.toString() and
-        value = prettyExpr(response.getBody().asExpr()) and
+        value = prettyNodeForInlineTest(response.getBody()) and
         tag = "responseBody"
       )
       or
@@ -245,7 +245,7 @@ class HttpServerHttpRedirectResponseTest extends InlineExpectationsTest {
       exists(HTTP::Server::HttpRedirectResponse redirect |
         location = redirect.getLocation() and
         element = redirect.toString() and
-        value = prettyExpr(redirect.getRedirectLocation().asExpr()) and
+        value = prettyNodeForInlineTest(redirect.getRedirectLocation()) and
         tag = "redirectLocation"
       )
     )
@@ -263,7 +263,7 @@ class FileSystemAccessTest extends InlineExpectationsTest {
       path = a.getAPathArgument() and
       location = a.getLocation() and
       element = path.toString() and
-      value = prettyExpr(path.asExpr()) and
+      value = prettyNodeForInlineTest(path) and
       tag = "getAPathArgument"
     )
   }
@@ -297,7 +297,7 @@ class SafeAccessCheckTest extends InlineExpectationsTest {
       location = c.getLocation() and
       (
         element = checks.toString() and
-        value = prettyExpr(checks.asExpr()) and
+        value = prettyNodeForInlineTest(checks) and
         tag = "checks"
         or
         element = branch.toString() and
diff --git a/python/ql/test/library-tests/frameworks/stdlib/test_json.py b/python/ql/test/library-tests/frameworks/stdlib/test_json.py
index 34f15391f56..113065c77fd 100644
--- a/python/ql/test/library-tests/frameworks/stdlib/test_json.py
+++ b/python/ql/test/library-tests/frameworks/stdlib/test_json.py
@@ -17,7 +17,7 @@ def test():
 
     # load/dump with file-like
     tainted_filelike = StringIO()
-    json.dump(ts, tainted_filelike) # $ encodeFormat=JSON encodeInput=ts
+    json.dump(ts, tainted_filelike) # $ encodeOutput=[post]tainted_filelike encodeFormat=JSON encodeInput=ts
 
     tainted_filelike.seek(0)
     ensure_tainted(
@@ -27,7 +27,7 @@ def test():
 
     # load/dump with file-like using keyword-args
     tainted_filelike = StringIO()
-    json.dump(obj=ts, fp=tainted_filelike) # $ encodeFormat=JSON encodeInput=ts
+    json.dump(obj=ts, fp=tainted_filelike) # $ encodeOutput=[post]tainted_filelike encodeFormat=JSON encodeInput=ts
 
     tainted_filelike.seek(0)
     ensure_tainted(

From 8d1e7da8512336d96acd7473eae695771c339fa8 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
Date: Wed, 19 May 2021 17:42:46 +0200
Subject: [PATCH 1117/1429] Python: Apply suggestions from code review

Co-authored-by: yoff <lerchedahl@gmail.com>
---
 .../dataflow/WeakSensitiveDataHashingCustomizations.qll         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashingCustomizations.qll b/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashingCustomizations.qll
index e388c46d601..8b9d6f4e83f 100644
--- a/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashingCustomizations.qll
+++ b/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashingCustomizations.qll
@@ -140,7 +140,7 @@ module ComputationallyExpensiveHashFunction {
         algorithm instanceof Cryptography::PasswordHashingAlgorithm and
         algorithm.isWeak()
         or
-        algorithm instanceof Cryptography::HashingAlgorithm
+        algorithm instanceof Cryptography::HashingAlgorithm // Note that HashingAlgorithm and PasswordHashingAlgorithm are disjoint
       ) and
       exists(Cryptography::CryptographicOperation operation |
         algorithm = operation.getAlgorithm() and

From 22d4d7956a180f7a8de33e36b3f9b5ac40e88203 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 19 May 2021 17:43:26 +0200
Subject: [PATCH 1118/1429] Python: Fix typo in QLDoc

---
 .../python/security/dataflow/WeakSensitiveDataHashing.qll       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashing.qll b/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashing.qll
index 49634d52a4e..59cd69db4b2 100644
--- a/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashing.qll
+++ b/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashing.qll
@@ -4,7 +4,7 @@
  *
  * Note, for performance reasons: only import this file if
  * `WeakSensitiveDataHashing::Configuration` is needed, otherwise
- * `SqlInjectionCustomizations` should be imported instead.
+ * `WeakSensitiveDataHashingCustomizations` should be imported instead.
  */
 
 private import python

From 753dca91b10b121303d0cccc27b8e689ca42e5ae Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 19 May 2021 17:46:10 +0200
Subject: [PATCH 1119/1429] Python: weak-crypto: Make algorithm selection less
 brittle

As discussed in https://github.com/github/codeql/pull/5635#discussion_r633477154
---
 python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
index 66f07ea2c7b..731b0730bfb 100644
--- a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
@@ -16,8 +16,9 @@ from Cryptography::CryptographicOperation operation, Cryptography::Cryptographic
 where
   algorithm = operation.getAlgorithm() and
   algorithm.isWeak() and
-  not algorithm instanceof Cryptography::HashingAlgorithm and // handled by `py/weak-sensitive-data-hashing`
-  not algorithm instanceof Cryptography::PasswordHashingAlgorithm // handled by `py/weak-sensitive-data-hashing`
+  // `Cryptography::HashingAlgorithm` and `Cryptography::PasswordHashingAlgorithm` are
+  // handled by `py/weak-sensitive-data-hashing`
+  algorithm instanceof Cryptography::EncryptionAlgorithm
 select operation,
   "The cryptographic algorithm " + algorithm.getName() +
     " is broken or weak, and should not be used."

From bb258813a15401eaa1920c442b6dac94617a90ce Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Tue, 18 May 2021 11:15:55 +0200
Subject: [PATCH 1120/1429] Dataflow: Improve performance for dispatch-join in
 flow-through.

---
 .../java/dataflow/internal/DataFlowImpl.qll   | 317 ++++++++++++------
 1 file changed, 222 insertions(+), 95 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
index 058d66b1496..c60bb107fdf 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and

From 4406b8e33979eed493326c005c0dbc5e5cf6d689 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Wed, 19 May 2021 19:22:36 +0200
Subject: [PATCH 1121/1429] Dataflow: Sync.

---
 .../cpp/dataflow/internal/DataFlowImpl.qll    | 317 ++++++++++++------
 .../cpp/dataflow/internal/DataFlowImpl2.qll   | 317 ++++++++++++------
 .../cpp/dataflow/internal/DataFlowImpl3.qll   | 317 ++++++++++++------
 .../cpp/dataflow/internal/DataFlowImpl4.qll   | 317 ++++++++++++------
 .../dataflow/internal/DataFlowImplLocal.qll   | 317 ++++++++++++------
 .../cpp/ir/dataflow/internal/DataFlowImpl.qll | 317 ++++++++++++------
 .../ir/dataflow/internal/DataFlowImpl2.qll    | 317 ++++++++++++------
 .../ir/dataflow/internal/DataFlowImpl3.qll    | 317 ++++++++++++------
 .../ir/dataflow/internal/DataFlowImpl4.qll    | 317 ++++++++++++------
 .../csharp/dataflow/internal/DataFlowImpl.qll | 317 ++++++++++++------
 .../dataflow/internal/DataFlowImpl2.qll       | 317 ++++++++++++------
 .../dataflow/internal/DataFlowImpl3.qll       | 317 ++++++++++++------
 .../dataflow/internal/DataFlowImpl4.qll       | 317 ++++++++++++------
 .../dataflow/internal/DataFlowImpl5.qll       | 317 ++++++++++++------
 .../java/dataflow/internal/DataFlowImpl2.qll  | 317 ++++++++++++------
 .../java/dataflow/internal/DataFlowImpl3.qll  | 317 ++++++++++++------
 .../java/dataflow/internal/DataFlowImpl4.qll  | 317 ++++++++++++------
 .../java/dataflow/internal/DataFlowImpl5.qll  | 317 ++++++++++++------
 .../java/dataflow/internal/DataFlowImpl6.qll  | 317 ++++++++++++------
 .../dataflow/new/internal/DataFlowImpl.qll    | 317 ++++++++++++------
 .../dataflow/new/internal/DataFlowImpl2.qll   | 317 ++++++++++++------
 .../dataflow/new/internal/DataFlowImpl3.qll   | 317 ++++++++++++------
 .../dataflow/new/internal/DataFlowImpl4.qll   | 317 ++++++++++++------
 23 files changed, 5106 insertions(+), 2185 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
index 058d66b1496..c60bb107fdf 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
index 058d66b1496..c60bb107fdf 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
index 058d66b1496..c60bb107fdf 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
index 058d66b1496..c60bb107fdf 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
index 058d66b1496..c60bb107fdf 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
index 058d66b1496..c60bb107fdf 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
index 058d66b1496..c60bb107fdf 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
index 058d66b1496..c60bb107fdf 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
index 058d66b1496..c60bb107fdf 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index 058d66b1496..c60bb107fdf 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
index 058d66b1496..c60bb107fdf 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
index 058d66b1496..c60bb107fdf 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
index 058d66b1496..c60bb107fdf 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
index 058d66b1496..c60bb107fdf 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
index 058d66b1496..c60bb107fdf 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
index 058d66b1496..c60bb107fdf 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
index 058d66b1496..c60bb107fdf 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
index 058d66b1496..c60bb107fdf 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
index 058d66b1496..c60bb107fdf 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
index 058d66b1496..c60bb107fdf 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
index 058d66b1496..c60bb107fdf 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
index 058d66b1496..c60bb107fdf 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
index 058d66b1496..c60bb107fdf 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
@@ -605,6 +605,15 @@ private module Stage1 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Node node, boolean toReturn |
+      revFlow(node, toReturn, config) and
+      revFlowInToReturn(call, node, config) and
+      revFlowIsReturned(call, toReturn, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, config)) and
@@ -827,6 +836,16 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -893,13 +912,11 @@ private module Stage2 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -950,17 +967,14 @@ private module Stage2 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -975,7 +989,13 @@ private module Stage2 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1006,6 +1026,25 @@ private module Stage2 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1071,14 +1110,12 @@ private module Stage2 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1126,12 +1163,10 @@ private module Stage2 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1141,7 +1176,12 @@ private module Stage2 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1211,6 +1251,15 @@ private module Stage2 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -1459,6 +1508,16 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -1532,13 +1591,11 @@ private module Stage3 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -1589,17 +1646,14 @@ private module Stage3 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -1614,7 +1668,13 @@ private module Stage3 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1645,6 +1705,25 @@ private module Stage3 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -1710,14 +1789,12 @@ private module Stage3 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -1765,12 +1842,10 @@ private module Stage3 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -1780,7 +1855,12 @@ private module Stage3 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -1850,6 +1930,15 @@ private module Stage3 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and
@@ -2120,8 +2209,6 @@ private module Stage4 {
   bindingset[innercc, inner, call]
   private predicate checkCallContextReturn(Cc innercc, DataFlowCallable inner, DataFlowCall call) {
     resolveReturn(innercc, inner, call)
-    or
-    innercc.(CallContextCall).matchesCall(call)
   }
 
   bindingset[node, cc, config]
@@ -2174,6 +2261,16 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  private predicate flowThroughOutOfCall(
+    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
+    Configuration config
+  ) {
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
+    PrevStage::callMayFlowThroughRev(call, config) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+  }
+
   /**
    * Holds if `node` is reachable with access path `ap` from a source in the
    * configuration `config`.
@@ -2247,13 +2344,11 @@ private module Stage4 {
     )
     or
     // flow out of a callable
-    exists(DataFlowCall call |
-      fwdFlowOut(call, node, any(CcNoCall innercc), cc, argAp, ap, config)
-      or
-      exists(Ap argAp0 |
-        fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-        fwdFlowIsEntered(call, cc, argAp, argAp0, config)
-      )
+    fwdFlowOutNotFromArg(node, cc, argAp, ap, config)
+    or
+    exists(DataFlowCall call, Ap argAp0 |
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
     )
   }
 
@@ -2304,17 +2399,14 @@ private module Stage4 {
     )
   }
 
-  /**
-   * Holds if flow may exit from `call` at `out` with access path `ap`. The
-   * inner call context is `innercc`, but `ccOut` is just the call context
-   * based on the return step. In the case of through-flow `ccOut` is discarded
-   * and replaced by the outer call context as tracked by `fwdFlowIsEntered`.
-   */
   pragma[nomagic]
-  private predicate fwdFlowOut(
-    DataFlowCall call, Node out, Cc innercc, Cc ccOut, ApOption argAp, Ap ap, Configuration config
+  private predicate fwdFlowOutNotFromArg(
+    Node out, Cc ccOut, ApOption argAp, Ap ap, Configuration config
   ) {
-    exists(ReturnNodeExt ret, boolean allowsFieldFlow, DataFlowCallable inner |
+    exists(
+      DataFlowCall call, ReturnNodeExt ret, boolean allowsFieldFlow, CcNoCall innercc,
+      DataFlowCallable inner
+    |
       fwdFlow(ret, innercc, argAp, ap, config) and
       flowOutOfCall(call, ret, out, allowsFieldFlow, config) and
       inner = getNodeEnclosingCallable(ret) and
@@ -2329,7 +2421,13 @@ private module Stage4 {
   private predicate fwdFlowOutFromArg(
     DataFlowCall call, Node out, Ap argAp, Ap ap, Configuration config
   ) {
-    fwdFlowOut(call, out, any(CcCall ccc), _, apSome(argAp), ap, config)
+    exists(ReturnNodeExt ret, boolean allowsFieldFlow, CcCall ccc |
+      fwdFlow(ret, ccc, apSome(argAp), ap, config) and
+      flowThroughOutOfCall(call, ret, out, allowsFieldFlow, config) and
+      ccc.matchesCall(call)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2360,6 +2458,25 @@ private module Stage4 {
     fwdFlowConsCand(ap1, c, ap2, config)
   }
 
+  pragma[nomagic]
+  private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
+    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+    )
+  }
+
+  pragma[nomagic]
+  private predicate flowThroughIntoCall(
+    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+  ) {
+    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
+    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    callMayFlowThroughFwd(call, pragma[only_bind_into](config))
+  }
+
   /**
    * Holds if `node` with access path `ap` is part of a path from a source to a
    * sink in the configuration `config`.
@@ -2425,14 +2542,12 @@ private module Stage4 {
     )
     or
     // flow into a callable
-    exists(DataFlowCall call |
-      revFlowIn(call, node, toReturn, returnAp, ap, config) and
-      toReturn = false
-      or
-      exists(Ap returnAp0 |
-        revFlowInToReturn(call, node, returnAp0, ap, config) and
-        revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
-      )
+    revFlowInNotToReturn(node, returnAp, ap, config) and
+    toReturn = false
+    or
+    exists(DataFlowCall call, Ap returnAp0 |
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
     or
     // flow out of a callable
@@ -2480,12 +2595,10 @@ private module Stage4 {
   }
 
   pragma[nomagic]
-  private predicate revFlowIn(
-    DataFlowCall call, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap, Configuration config
-  ) {
+  private predicate revFlowInNotToReturn(ArgNode arg, ApOption returnAp, Ap ap, Configuration config) {
     exists(ParamNode p, boolean allowsFieldFlow |
-      revFlow(p, toReturn, returnAp, ap, config) and
-      flowIntoCall(call, arg, p, allowsFieldFlow, config)
+      revFlow(p, false, returnAp, ap, config) and
+      flowIntoCall(_, arg, p, allowsFieldFlow, config)
     |
       ap instanceof ApNil or allowsFieldFlow = true
     )
@@ -2495,7 +2608,12 @@ private module Stage4 {
   private predicate revFlowInToReturn(
     DataFlowCall call, ArgNode arg, Ap returnAp, Ap ap, Configuration config
   ) {
-    revFlowIn(call, arg, true, apSome(returnAp), ap, config)
+    exists(ParamNode p, boolean allowsFieldFlow |
+      revFlow(p, true, apSome(returnAp), ap, config) and
+      flowThroughIntoCall(call, arg, p, allowsFieldFlow, config)
+    |
+      ap instanceof ApNil or allowsFieldFlow = true
+    )
   }
 
   /**
@@ -2565,6 +2683,15 @@ private module Stage4 {
     )
   }
 
+  pragma[nomagic]
+  predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
+    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(node, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, node, returnAp0, ap, config) and
+      revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
+    )
+  }
+
   predicate stats(boolean fwd, int nodes, int fields, int conscand, int tuples, Configuration config) {
     fwd = true and
     nodes = count(Node node | fwdFlow(node, _, _, _, config)) and

From f63c1d2383ef6b227b94ced88c641d666ab93e28 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Wed, 19 May 2021 19:59:25 +0200
Subject: [PATCH 1122/1429] Python: Split up `(small)step` into
 intra/interprocedural predicates

---
 .../experimental/typetracking/TypeTracker.qll | 53 +++++++++++++------
 1 file changed, 38 insertions(+), 15 deletions(-)

diff --git a/python/ql/src/experimental/typetracking/TypeTracker.qll b/python/ql/src/experimental/typetracking/TypeTracker.qll
index 3dba23fc0c1..05f446b11fa 100644
--- a/python/ql/src/experimental/typetracking/TypeTracker.qll
+++ b/python/ql/src/experimental/typetracking/TypeTracker.qll
@@ -55,13 +55,46 @@ class StepSummary extends TStepSummary {
 
 /** Provides predicates for updating step summaries (`StepSummary`s). */
 module StepSummary {
+  cached
+  private predicate stepNoCall(LocalSourceNode nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
+    exists(Node mid | nodeFrom.flowsTo(mid) and smallstepNoCall(mid, nodeTo, summary))
+  }
+
+  cached
+  private predicate stepCall(LocalSourceNode nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
+    exists(Node mid | nodeFrom.flowsTo(mid) and smallstepCall(mid, nodeTo, summary))
+  }
+
   /**
    * Gets the summary that corresponds to having taken a forwards
    * heap and/or inter-procedural step from `nodeFrom` to `nodeTo`.
    */
-  cached
+  pragma[inline]
   predicate step(LocalSourceNode nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
-    exists(Node mid | nodeFrom.flowsTo(mid) and smallstep(mid, nodeTo, summary))
+    stepNoCall(nodeFrom, nodeTo, summary)
+    or
+    stepCall(nodeFrom, nodeTo, summary)
+  }
+
+  pragma[noinline]
+  private predicate smallstepNoCall(Node nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
+    jumpStep(nodeFrom, nodeTo) and
+    summary = LevelStep()
+    or
+    exists(string content |
+      localSourceStoreStep(nodeFrom, nodeTo, content) and
+      summary = StoreStep(content)
+      or
+      basicLoadStep(nodeFrom, nodeTo, content) and summary = LoadStep(content)
+    )
+  }
+
+  pragma[noinline]
+  private predicate smallstepCall(Node nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
+    callStep(nodeFrom, nodeTo) and summary = CallStep()
+    or
+    returnStep(nodeFrom, nodeTo) and
+    summary = ReturnStep()
   }
 
   /**
@@ -71,21 +104,11 @@ module StepSummary {
    * Unlike `StepSummary::step`, this predicate does not compress
    * type-preserving steps.
    */
+  pragma[inline]
   predicate smallstep(Node nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
-    jumpStep(nodeFrom, nodeTo) and
-    summary = LevelStep()
+    smallstepNoCall(nodeFrom, nodeTo, summary)
     or
-    callStep(nodeFrom, nodeTo) and summary = CallStep()
-    or
-    returnStep(nodeFrom, nodeTo) and
-    summary = ReturnStep()
-    or
-    exists(string content |
-      localSourceStoreStep(nodeFrom, nodeTo, content) and
-      summary = StoreStep(content)
-      or
-      basicLoadStep(nodeFrom, nodeTo, content) and summary = LoadStep(content)
-    )
+    smallstepCall(nodeFrom, nodeTo, summary)
   }
 
   /**

From 95045929096f4b96eaedefb816ed42515b079583 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 20 May 2021 09:46:06 +0200
Subject: [PATCH 1123/1429] C++: Promote
 cpp/incorrect-allocation-error-handling out of experimental.

---
 .../IncorrectAllocationErrorHandling.cpp      |   0
 .../IncorrectAllocationErrorHandling.qhelp    |  31 +++
 .../IncorrectAllocationErrorHandling.ql       | 224 ++++++++++++++++++
 .../IncorrectAllocationErrorHandling.qhelp    |  31 ---
 .../IncorrectAllocationErrorHandling.ql       | 224 ------------------
 .../IncorrectAllocationErrorHandling.qlref    |   1 -
 .../IncorrectAllocationErrorHandling.expected |   0
 .../IncorrectAllocationErrorHandling.qlref    |   1 +
 .../Security/CWE/CWE-570}/test.cpp            |   0
 9 files changed, 256 insertions(+), 256 deletions(-)
 rename cpp/ql/src/{experimental => }/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.cpp (100%)
 create mode 100644 cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qhelp
 create mode 100644 cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
 delete mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qhelp
 delete mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
 delete mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.qlref
 rename cpp/ql/test/{experimental/query-tests/Security/CWE/CWE-570/semmle/tests => query-tests/Security/CWE/CWE-570}/IncorrectAllocationErrorHandling.expected (100%)
 create mode 100644 cpp/ql/test/query-tests/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qlref
 rename cpp/ql/test/{experimental/query-tests/Security/CWE/CWE-570/semmle/tests => query-tests/Security/CWE/CWE-570}/test.cpp (100%)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.cpp b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.cpp
similarity index 100%
rename from cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.cpp
rename to cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.cpp
diff --git a/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qhelp b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qhelp
new file mode 100644
index 00000000000..a6850fe399d
--- /dev/null
+++ b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qhelp
@@ -0,0 +1,31 @@
+  <!DOCTYPE qhelp PUBLIC
+    "-//Semmle//qhelp//EN"
+    "qhelp.dtd">
+  <qhelp>
+  <overview>
+  <p>Different overloads of the <code>new</code> operator handle allocation failures in different ways.
+  If <code>new T</code> fails for some type <code>T</code>, it throws a <code>std::bad_alloc</code> exception,
+  but <code>new(std::nothrow) T</code> returns a null pointer. If the programmer does not use the corresponding
+  method of error handling, allocation failure may go unhandled and could cause the program to behave in
+  unexpected ways.</p>
+
+  </overview>
+  <recommendation>
+
+  <p>Make sure that exceptions are handled appropriately if <code>new T</code> is used. On the other hand,
+  make sure to handle the possibility of null pointers if <code>new(std::nothrow) T</code> is used.</p>
+
+  </recommendation>
+  <example>
+  <sample src="IncorrectAllocationErrorHandling.cpp" />
+
+  </example>
+  <references>
+
+  <li>
+    CERT C++ Coding Standard:
+  <a href="https://wiki.sei.cmu.edu/confluence/display/cplusplus/MEM52-CPP.+Detect+and+handle+memory+allocation+errors">MEM52-CPP. Detect and handle memory allocation errors</a>.
+  </li>
+
+  </references>
+  </qhelp>
diff --git a/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
new file mode 100644
index 00000000000..0a0f00921ee
--- /dev/null
+++ b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -0,0 +1,224 @@
+  /**
+   * @name Incorrect allocation-error handling
+   * @description `operator new` throws an exception on allocation failures, while `operator new(std::nothrow)` returns a null pointer. Mixing up these two failure conditions can result in unexpected behavior.
+   * @kind problem
+   * @id cpp/incorrect-allocation-error-handling
+   * @problem.severity warning
+   * @precision medium
+   * @tags correctness
+   *       security
+   *       external/cwe/cwe-570
+   */
+
+  import cpp
+  import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+  import semmle.code.cpp.controlflow.Guards
+
+  /**
+   * A C++ `delete` or `delete[]` expression.
+   */
+  class DeleteOrDeleteArrayExpr extends Expr {
+    DeleteOrDeleteArrayExpr() { this instanceof DeleteExpr or this instanceof DeleteArrayExpr }
+
+    DeallocationFunction getDeallocator() {
+      result = [this.(DeleteExpr).getDeallocator(), this.(DeleteArrayExpr).getDeallocator()]
+    }
+
+    Destructor getDestructor() {
+      result = [this.(DeleteExpr).getDestructor(), this.(DeleteArrayExpr).getDestructor()]
+    }
+  }
+
+  /** Gets the `Constructor` invoked when `newExpr` allocates memory. */
+  Constructor getConstructorForAllocation(NewOrNewArrayExpr newExpr) {
+    result.getACallToThisFunction() = newExpr.getInitializer()
+  }
+
+  /** Gets the `Destructor` invoked when `deleteExpr` deallocates memory. */
+  Destructor getDestructorForDeallocation(DeleteOrDeleteArrayExpr deleteExpr) {
+    result = deleteExpr.getDestructor()
+  }
+
+  /** Holds if the evaluation of `newExpr` may throw an exception. */
+  predicate newMayThrow(NewOrNewArrayExpr newExpr) {
+    functionMayThrow(newExpr.getAllocator()) or
+    functionMayThrow(getConstructorForAllocation(newExpr))
+  }
+
+  /** Holds if the evaluation of `deleteExpr` may throw an exception. */
+  predicate deleteMayThrow(DeleteOrDeleteArrayExpr deleteExpr) {
+    functionMayThrow(deleteExpr.getDeallocator()) or
+    functionMayThrow(getDestructorForDeallocation(deleteExpr))
+  }
+
+  /**
+   * Holds if the function may throw an exception when called. That is, if the body of the function looks
+   * like it might throw an exception, and the function does not have a `noexcept` or `throw()` specifier.
+   */
+  predicate functionMayThrow(Function f) {
+    (not exists(f.getBlock()) or stmtMayThrow(f.getBlock())) and
+    not f.isNoExcept() and
+    not f.isNoThrow()
+  }
+
+  /** Holds if the evaluation of `stmt` may throw an exception. */
+  predicate stmtMayThrow(Stmt stmt) {
+    stmtMayThrow(stmt.(BlockStmt).getAStmt())
+    or
+    convertedExprMayThrow(stmt.(ExprStmt).getExpr())
+    or
+    convertedExprMayThrow(stmt.(DeclStmt).getADeclaration().(Variable).getInitializer().getExpr())
+    or
+    exists(IfStmt ifStmt | ifStmt = stmt |
+      convertedExprMayThrow(ifStmt.getCondition()) or
+      stmtMayThrow([ifStmt.getThen(), ifStmt.getElse()])
+    )
+    or
+    exists(ConstexprIfStmt constIfStmt | constIfStmt = stmt |
+      stmtMayThrow([constIfStmt.getThen(), constIfStmt.getElse()])
+    )
+    or
+    exists(Loop loop | loop = stmt |
+      convertedExprMayThrow(loop.getCondition()) or
+      stmtMayThrow(loop.getStmt())
+    )
+    or
+    // The case for `Loop` already checked the condition and the statement.
+    convertedExprMayThrow(stmt.(RangeBasedForStmt).getUpdate())
+    or
+    // The case for `Loop` already checked the condition and the statement.
+    exists(ForStmt forStmt | forStmt = stmt |
+      stmtMayThrow(forStmt.getInitialization())
+      or
+      convertedExprMayThrow(forStmt.getUpdate())
+    )
+    or
+    exists(SwitchStmt switchStmt | switchStmt = stmt |
+      convertedExprMayThrow(switchStmt.getExpr()) or
+      stmtMayThrow(switchStmt.getStmt())
+    )
+    or
+    // NOTE: We don't include `TryStmt` as those exceptions are not "observable" outside the function.
+    stmtMayThrow(stmt.(Handler).getBlock())
+    or
+    convertedExprMayThrow(stmt.(CoReturnStmt).getExpr())
+    or
+    convertedExprMayThrow(stmt.(ReturnStmt).getExpr())
+  }
+
+  /** Holds if the evaluation of `e` (including conversions) may throw an exception. */
+  predicate convertedExprMayThrow(Expr e) {
+    exprMayThrow(e)
+    or
+    convertedExprMayThrow(e.getConversion())
+  }
+
+  /** Holds if the evaluation of `e` may throw an exception. */
+  predicate exprMayThrow(Expr e) {
+    e instanceof DynamicCast
+    or
+    e instanceof TypeidOperator
+    or
+    e instanceof ThrowExpr
+    or
+    newMayThrow(e)
+    or
+    deleteMayThrow(e)
+    or
+    convertedExprMayThrow(e.(UnaryOperation).getOperand())
+    or
+    exists(BinaryOperation binOp | binOp = e |
+      convertedExprMayThrow([binOp.getLeftOperand(), binOp.getRightOperand()])
+    )
+    or
+    exists(Assignment assign | assign = e |
+      convertedExprMayThrow([assign.getLValue(), assign.getRValue()])
+    )
+    or
+    exists(CommaExpr comma | comma = e |
+      convertedExprMayThrow([comma.getLeftOperand(), comma.getRightOperand()])
+    )
+    or
+    exists(StmtExpr stmtExpr | stmtExpr = e |
+      convertedExprMayThrow(stmtExpr.getResultExpr()) or
+      stmtMayThrow(stmtExpr.getStmt())
+    )
+    or
+    convertedExprMayThrow(e.(Conversion).getExpr())
+    or
+    exists(FunctionCall fc | fc = e |
+      not exists(fc.getTarget()) or
+      functionMayThrow(fc.getTarget()) or
+      convertedExprMayThrow(fc.getAnArgument())
+    )
+  }
+
+  /** An allocator that might throw an exception. */
+  class ThrowingAllocator extends Function {
+    ThrowingAllocator() {
+      exists(NewOrNewArrayExpr newExpr |
+        newExpr.getAllocator() = this and
+        functionMayThrow(this)
+      )
+    }
+  }
+
+  /** The `std::bad_alloc` exception and its `bsl` variant. */
+  class BadAllocType extends Class {
+    BadAllocType() { this.hasGlobalOrStdOrBslName("bad_alloc") }
+  }
+
+  /**
+   * A catch block that catches a `std::bad_alloc` (or any of its superclasses), or a catch
+   * block that catches every exception (i.e., `catch(...)`).
+   */
+  class BadAllocCatchBlock extends CatchBlock {
+    BadAllocCatchBlock() {
+      this.getParameter().getUnspecifiedType().stripType() =
+        any(BadAllocType badAlloc).getABaseClass*()
+      or
+      not exists(this.getParameter())
+    }
+  }
+
+  /**
+   * Holds if `newExpr` is embedded in a `try` statement with a catch block `catchBlock` that
+   * catches a `std::bad_alloc` exception, but nothing in the `try` block (including the `newExpr`)
+   * will throw that exception.
+   */
+  predicate noThrowInTryBlock(NewOrNewArrayExpr newExpr, BadAllocCatchBlock catchBlock) {
+    exists(TryStmt try |
+      not stmtMayThrow(try.getStmt()) and
+      try.getACatchClause() = catchBlock and
+      newExpr.getEnclosingBlock().getEnclosingBlock*() = try.getStmt()
+    )
+  }
+
+  /**
+   * Holds if `newExpr` is handles allocation failures by throwing an exception, yet
+   * the guard condition `guard` compares the result of `newExpr` to a null value.
+   */
+  predicate nullCheckInThrowingNew(NewOrNewArrayExpr newExpr, GuardCondition guard) {
+    newExpr.getAllocator() instanceof ThrowingAllocator and
+    (
+      // Handles null comparisons.
+      guard.ensuresEq(globalValueNumber(newExpr).getAnExpr(), any(NullValue null), _, _, _)
+      or
+      // Handles `if(ptr)` and `if(!ptr)` cases.
+      guard = globalValueNumber(newExpr).getAnExpr()
+    )
+  }
+
+  from NewOrNewArrayExpr newExpr, Element element, string msg, string elementString
+  where
+    not newExpr.isFromUninstantiatedTemplate(_) and
+    (
+      noThrowInTryBlock(newExpr, element) and
+      msg = "This allocation cannot throw. $@ is unnecessary." and
+      elementString = "This catch block"
+      or
+      nullCheckInThrowingNew(newExpr, element) and
+      msg = "This allocation cannot return null. $@ is unnecessary." and
+      elementString = "This check"
+    )
+  select newExpr, msg, element, elementString
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qhelp
deleted file mode 100644
index 9e131e75d4e..00000000000
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qhelp
+++ /dev/null
@@ -1,31 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-<p>Different overloads of the <code>new</code> operator handle allocation failures in different ways.
-If <code>new T</code> fails for some type <code>T</code>, it throws a <code>std::bad_alloc</code> exception,
-but <code>new(std::nothrow) T</code> returns a null pointer. If the programmer does not use the corresponding
-method of error handling, allocation failure may go unhandled and could cause the program to behave in
-unexpected ways.</p>
-
-</overview>
-<recommendation>
-
-<p>Make sure that exceptions are handled appropriately if <code>new T</code> is used. On the other hand,
-make sure to handle the possibility of null pointers if <code>new(std::nothrow) T</code> is used.</p>
-
-</recommendation>
-<example>
-<sample src="IncorrectAllocationErrorHandling.cpp" />
-
-</example>
-<references>
-
-<li>
-  CERT C++ Coding Standard:
-<a href="https://wiki.sei.cmu.edu/confluence/display/cplusplus/MEM52-CPP.+Detect+and+handle+memory+allocation+errors">MEM52-CPP. Detect and handle memory allocation errors</a>.
-</li>
-
-</references>
-</qhelp>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql b/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
deleted file mode 100644
index 2f67b02e856..00000000000
--- a/cpp/ql/src/experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+++ /dev/null
@@ -1,224 +0,0 @@
-/**
- * @name Incorrect allocation-error handling
- * @description `operator new` throws an exception on allocation failures, while `operator new(std::nothrow)` returns a null pointer. Mixing up these two failure conditions can result in unexpected behavior.
- * @kind problem
- * @id cpp/incorrect-allocation-error-handling
- * @problem.severity warning
- * @precision medium
- * @tags correctness
- *       security
- *       external/cwe/cwe-570
- */
-
-import cpp
-import semmle.code.cpp.valuenumbering.GlobalValueNumbering
-import semmle.code.cpp.controlflow.Guards
-
-/**
- * A C++ `delete` or `delete[]` expression.
- */
-class DeleteOrDeleteArrayExpr extends Expr {
-  DeleteOrDeleteArrayExpr() { this instanceof DeleteExpr or this instanceof DeleteArrayExpr }
-
-  DeallocationFunction getDeallocator() {
-    result = [this.(DeleteExpr).getDeallocator(), this.(DeleteArrayExpr).getDeallocator()]
-  }
-
-  Destructor getDestructor() {
-    result = [this.(DeleteExpr).getDestructor(), this.(DeleteArrayExpr).getDestructor()]
-  }
-}
-
-/** Gets the `Constructor` invoked when `newExpr` allocates memory. */
-Constructor getConstructorForAllocation(NewOrNewArrayExpr newExpr) {
-  result.getACallToThisFunction() = newExpr.getInitializer()
-}
-
-/** Gets the `Destructor` invoked when `deleteExpr` deallocates memory. */
-Destructor getDestructorForDeallocation(DeleteOrDeleteArrayExpr deleteExpr) {
-  result = deleteExpr.getDestructor()
-}
-
-/** Holds if the evaluation of `newExpr` may throw an exception. */
-predicate newMayThrow(NewOrNewArrayExpr newExpr) {
-  functionMayThrow(newExpr.getAllocator()) or
-  functionMayThrow(getConstructorForAllocation(newExpr))
-}
-
-/** Holds if the evaluation of `deleteExpr` may throw an exception. */
-predicate deleteMayThrow(DeleteOrDeleteArrayExpr deleteExpr) {
-  functionMayThrow(deleteExpr.getDeallocator()) or
-  functionMayThrow(getDestructorForDeallocation(deleteExpr))
-}
-
-/**
- * Holds if the function may throw an exception when called. That is, if the body of the function looks
- * like it might throw an exception, and the function does not have a `noexcept` or `throw()` specifier.
- */
-predicate functionMayThrow(Function f) {
-  (not exists(f.getBlock()) or stmtMayThrow(f.getBlock())) and
-  not f.isNoExcept() and
-  not f.isNoThrow()
-}
-
-/** Holds if the evaluation of `stmt` may throw an exception. */
-predicate stmtMayThrow(Stmt stmt) {
-  stmtMayThrow(stmt.(BlockStmt).getAStmt())
-  or
-  convertedExprMayThrow(stmt.(ExprStmt).getExpr())
-  or
-  convertedExprMayThrow(stmt.(DeclStmt).getADeclaration().(Variable).getInitializer().getExpr())
-  or
-  exists(IfStmt ifStmt | ifStmt = stmt |
-    convertedExprMayThrow(ifStmt.getCondition()) or
-    stmtMayThrow([ifStmt.getThen(), ifStmt.getElse()])
-  )
-  or
-  exists(ConstexprIfStmt constIfStmt | constIfStmt = stmt |
-    stmtMayThrow([constIfStmt.getThen(), constIfStmt.getElse()])
-  )
-  or
-  exists(Loop loop | loop = stmt |
-    convertedExprMayThrow(loop.getCondition()) or
-    stmtMayThrow(loop.getStmt())
-  )
-  or
-  // The case for `Loop` already checked the condition and the statement.
-  convertedExprMayThrow(stmt.(RangeBasedForStmt).getUpdate())
-  or
-  // The case for `Loop` already checked the condition and the statement.
-  exists(ForStmt forStmt | forStmt = stmt |
-    stmtMayThrow(forStmt.getInitialization())
-    or
-    convertedExprMayThrow(forStmt.getUpdate())
-  )
-  or
-  exists(SwitchStmt switchStmt | switchStmt = stmt |
-    convertedExprMayThrow(switchStmt.getExpr()) or
-    stmtMayThrow(switchStmt.getStmt())
-  )
-  or
-  // NOTE: We don't include `TryStmt` as those exceptions are not "observable" outside the function.
-  stmtMayThrow(stmt.(Handler).getBlock())
-  or
-  convertedExprMayThrow(stmt.(CoReturnStmt).getExpr())
-  or
-  convertedExprMayThrow(stmt.(ReturnStmt).getExpr())
-}
-
-/** Holds if the evaluation of `e` (including conversions) may throw an exception. */
-predicate convertedExprMayThrow(Expr e) {
-  exprMayThrow(e)
-  or
-  convertedExprMayThrow(e.getConversion())
-}
-
-/** Holds if the evaluation of `e` may throw an exception. */
-predicate exprMayThrow(Expr e) {
-  e instanceof DynamicCast
-  or
-  e instanceof TypeidOperator
-  or
-  e instanceof ThrowExpr
-  or
-  newMayThrow(e)
-  or
-  deleteMayThrow(e)
-  or
-  convertedExprMayThrow(e.(UnaryOperation).getOperand())
-  or
-  exists(BinaryOperation binOp | binOp = e |
-    convertedExprMayThrow([binOp.getLeftOperand(), binOp.getRightOperand()])
-  )
-  or
-  exists(Assignment assign | assign = e |
-    convertedExprMayThrow([assign.getLValue(), assign.getRValue()])
-  )
-  or
-  exists(CommaExpr comma | comma = e |
-    convertedExprMayThrow([comma.getLeftOperand(), comma.getRightOperand()])
-  )
-  or
-  exists(StmtExpr stmtExpr | stmtExpr = e |
-    convertedExprMayThrow(stmtExpr.getResultExpr()) or
-    stmtMayThrow(stmtExpr.getStmt())
-  )
-  or
-  convertedExprMayThrow(e.(Conversion).getExpr())
-  or
-  exists(FunctionCall fc | fc = e |
-    not exists(fc.getTarget()) or
-    functionMayThrow(fc.getTarget()) or
-    convertedExprMayThrow(fc.getAnArgument())
-  )
-}
-
-/** An allocator that might throw an exception. */
-class ThrowingAllocator extends Function {
-  ThrowingAllocator() {
-    exists(NewOrNewArrayExpr newExpr |
-      newExpr.getAllocator() = this and
-      functionMayThrow(this)
-    )
-  }
-}
-
-/** The `std::bad_alloc` exception and its `bsl` variant. */
-class BadAllocType extends Class {
-  BadAllocType() { this.hasGlobalOrStdOrBslName("bad_alloc") }
-}
-
-/**
- * A catch block that catches a `std::bad_alloc` (or any of its superclasses), or a catch
- * block that catches every exception (i.e., `catch(...)`).
- */
-class BadAllocCatchBlock extends CatchBlock {
-  BadAllocCatchBlock() {
-    this.getParameter().getUnspecifiedType().stripType() =
-      any(BadAllocType badAlloc).getABaseClass*()
-    or
-    not exists(this.getParameter())
-  }
-}
-
-/**
- * Holds if `newExpr` is embedded in a `try` statement with a catch block `catchBlock` that
- * catches a `std::bad_alloc` exception, but nothing in the `try` block (including the `newExpr`)
- * will throw that exception.
- */
-predicate noThrowInTryBlock(NewOrNewArrayExpr newExpr, BadAllocCatchBlock catchBlock) {
-  exists(TryStmt try |
-    not stmtMayThrow(try.getStmt()) and
-    try.getACatchClause() = catchBlock and
-    newExpr.getEnclosingBlock().getEnclosingBlock*() = try.getStmt()
-  )
-}
-
-/**
- * Holds if `newExpr` is handles allocation failures by throwing an exception, yet
- * the guard condition `guard` compares the result of `newExpr` to a null value.
- */
-predicate nullCheckInThrowingNew(NewOrNewArrayExpr newExpr, GuardCondition guard) {
-  newExpr.getAllocator() instanceof ThrowingAllocator and
-  (
-    // Handles null comparisons.
-    guard.ensuresEq(globalValueNumber(newExpr).getAnExpr(), any(NullValue null), _, _, _)
-    or
-    // Handles `if(ptr)` and `if(!ptr)` cases.
-    guard = globalValueNumber(newExpr).getAnExpr()
-  )
-}
-
-from NewOrNewArrayExpr newExpr, Element element, string msg, string elementString
-where
-  not newExpr.isFromUninstantiatedTemplate(_) and
-  (
-    noThrowInTryBlock(newExpr, element) and
-    msg = "This allocation cannot throw. $@ is unnecessary." and
-    elementString = "This catch block"
-    or
-    nullCheckInThrowingNew(newExpr, element) and
-    msg = "This allocation cannot return null. $@ is unnecessary." and
-    elementString = "This check"
-  )
-select newExpr, msg, element, elementString
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.qlref
deleted file mode 100644
index 4bba5039aea..00000000000
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.qlref
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.expected
similarity index 100%
rename from cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/IncorrectAllocationErrorHandling.expected
rename to cpp/ql/test/query-tests/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.expected
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qlref b/cpp/ql/test/query-tests/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qlref
new file mode 100644
index 00000000000..fe4bb214bb4
--- /dev/null
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-570/test.cpp
similarity index 100%
rename from cpp/ql/test/experimental/query-tests/Security/CWE/CWE-570/semmle/tests/test.cpp
rename to cpp/ql/test/query-tests/Security/CWE/CWE-570/test.cpp

From 152c0161a2674c545e6cbcc56a57c1103aeea5d6 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 20 May 2021 09:48:32 +0200
Subject: [PATCH 1124/1429] C++: Fix formatting.

---
 .../IncorrectAllocationErrorHandling.qhelp    |  50 +--
 .../IncorrectAllocationErrorHandling.ql       | 406 +++++++++---------
 2 files changed, 228 insertions(+), 228 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qhelp b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qhelp
index a6850fe399d..9e131e75d4e 100644
--- a/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.qhelp
@@ -1,31 +1,31 @@
-  <!DOCTYPE qhelp PUBLIC
-    "-//Semmle//qhelp//EN"
-    "qhelp.dtd">
-  <qhelp>
-  <overview>
-  <p>Different overloads of the <code>new</code> operator handle allocation failures in different ways.
-  If <code>new T</code> fails for some type <code>T</code>, it throws a <code>std::bad_alloc</code> exception,
-  but <code>new(std::nothrow) T</code> returns a null pointer. If the programmer does not use the corresponding
-  method of error handling, allocation failure may go unhandled and could cause the program to behave in
-  unexpected ways.</p>
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Different overloads of the <code>new</code> operator handle allocation failures in different ways.
+If <code>new T</code> fails for some type <code>T</code>, it throws a <code>std::bad_alloc</code> exception,
+but <code>new(std::nothrow) T</code> returns a null pointer. If the programmer does not use the corresponding
+method of error handling, allocation failure may go unhandled and could cause the program to behave in
+unexpected ways.</p>
 
-  </overview>
-  <recommendation>
+</overview>
+<recommendation>
 
-  <p>Make sure that exceptions are handled appropriately if <code>new T</code> is used. On the other hand,
-  make sure to handle the possibility of null pointers if <code>new(std::nothrow) T</code> is used.</p>
+<p>Make sure that exceptions are handled appropriately if <code>new T</code> is used. On the other hand,
+make sure to handle the possibility of null pointers if <code>new(std::nothrow) T</code> is used.</p>
 
-  </recommendation>
-  <example>
-  <sample src="IncorrectAllocationErrorHandling.cpp" />
+</recommendation>
+<example>
+<sample src="IncorrectAllocationErrorHandling.cpp" />
 
-  </example>
-  <references>
+</example>
+<references>
 
-  <li>
-    CERT C++ Coding Standard:
-  <a href="https://wiki.sei.cmu.edu/confluence/display/cplusplus/MEM52-CPP.+Detect+and+handle+memory+allocation+errors">MEM52-CPP. Detect and handle memory allocation errors</a>.
-  </li>
+<li>
+  CERT C++ Coding Standard:
+<a href="https://wiki.sei.cmu.edu/confluence/display/cplusplus/MEM52-CPP.+Detect+and+handle+memory+allocation+errors">MEM52-CPP. Detect and handle memory allocation errors</a>.
+</li>
 
-  </references>
-  </qhelp>
+</references>
+</qhelp>
diff --git a/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
index 0a0f00921ee..2f67b02e856 100644
--- a/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+++ b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -1,224 +1,224 @@
-  /**
-   * @name Incorrect allocation-error handling
-   * @description `operator new` throws an exception on allocation failures, while `operator new(std::nothrow)` returns a null pointer. Mixing up these two failure conditions can result in unexpected behavior.
-   * @kind problem
-   * @id cpp/incorrect-allocation-error-handling
-   * @problem.severity warning
-   * @precision medium
-   * @tags correctness
-   *       security
-   *       external/cwe/cwe-570
-   */
+/**
+ * @name Incorrect allocation-error handling
+ * @description `operator new` throws an exception on allocation failures, while `operator new(std::nothrow)` returns a null pointer. Mixing up these two failure conditions can result in unexpected behavior.
+ * @kind problem
+ * @id cpp/incorrect-allocation-error-handling
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-570
+ */
 
-  import cpp
-  import semmle.code.cpp.valuenumbering.GlobalValueNumbering
-  import semmle.code.cpp.controlflow.Guards
+import cpp
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+import semmle.code.cpp.controlflow.Guards
 
-  /**
-   * A C++ `delete` or `delete[]` expression.
-   */
-  class DeleteOrDeleteArrayExpr extends Expr {
-    DeleteOrDeleteArrayExpr() { this instanceof DeleteExpr or this instanceof DeleteArrayExpr }
+/**
+ * A C++ `delete` or `delete[]` expression.
+ */
+class DeleteOrDeleteArrayExpr extends Expr {
+  DeleteOrDeleteArrayExpr() { this instanceof DeleteExpr or this instanceof DeleteArrayExpr }
 
-    DeallocationFunction getDeallocator() {
-      result = [this.(DeleteExpr).getDeallocator(), this.(DeleteArrayExpr).getDeallocator()]
-    }
-
-    Destructor getDestructor() {
-      result = [this.(DeleteExpr).getDestructor(), this.(DeleteArrayExpr).getDestructor()]
-    }
+  DeallocationFunction getDeallocator() {
+    result = [this.(DeleteExpr).getDeallocator(), this.(DeleteArrayExpr).getDeallocator()]
   }
 
-  /** Gets the `Constructor` invoked when `newExpr` allocates memory. */
-  Constructor getConstructorForAllocation(NewOrNewArrayExpr newExpr) {
-    result.getACallToThisFunction() = newExpr.getInitializer()
+  Destructor getDestructor() {
+    result = [this.(DeleteExpr).getDestructor(), this.(DeleteArrayExpr).getDestructor()]
   }
+}
 
-  /** Gets the `Destructor` invoked when `deleteExpr` deallocates memory. */
-  Destructor getDestructorForDeallocation(DeleteOrDeleteArrayExpr deleteExpr) {
-    result = deleteExpr.getDestructor()
-  }
+/** Gets the `Constructor` invoked when `newExpr` allocates memory. */
+Constructor getConstructorForAllocation(NewOrNewArrayExpr newExpr) {
+  result.getACallToThisFunction() = newExpr.getInitializer()
+}
 
-  /** Holds if the evaluation of `newExpr` may throw an exception. */
-  predicate newMayThrow(NewOrNewArrayExpr newExpr) {
-    functionMayThrow(newExpr.getAllocator()) or
-    functionMayThrow(getConstructorForAllocation(newExpr))
-  }
+/** Gets the `Destructor` invoked when `deleteExpr` deallocates memory. */
+Destructor getDestructorForDeallocation(DeleteOrDeleteArrayExpr deleteExpr) {
+  result = deleteExpr.getDestructor()
+}
 
-  /** Holds if the evaluation of `deleteExpr` may throw an exception. */
-  predicate deleteMayThrow(DeleteOrDeleteArrayExpr deleteExpr) {
-    functionMayThrow(deleteExpr.getDeallocator()) or
-    functionMayThrow(getDestructorForDeallocation(deleteExpr))
-  }
+/** Holds if the evaluation of `newExpr` may throw an exception. */
+predicate newMayThrow(NewOrNewArrayExpr newExpr) {
+  functionMayThrow(newExpr.getAllocator()) or
+  functionMayThrow(getConstructorForAllocation(newExpr))
+}
 
-  /**
-   * Holds if the function may throw an exception when called. That is, if the body of the function looks
-   * like it might throw an exception, and the function does not have a `noexcept` or `throw()` specifier.
-   */
-  predicate functionMayThrow(Function f) {
-    (not exists(f.getBlock()) or stmtMayThrow(f.getBlock())) and
-    not f.isNoExcept() and
-    not f.isNoThrow()
-  }
+/** Holds if the evaluation of `deleteExpr` may throw an exception. */
+predicate deleteMayThrow(DeleteOrDeleteArrayExpr deleteExpr) {
+  functionMayThrow(deleteExpr.getDeallocator()) or
+  functionMayThrow(getDestructorForDeallocation(deleteExpr))
+}
 
-  /** Holds if the evaluation of `stmt` may throw an exception. */
-  predicate stmtMayThrow(Stmt stmt) {
-    stmtMayThrow(stmt.(BlockStmt).getAStmt())
-    or
-    convertedExprMayThrow(stmt.(ExprStmt).getExpr())
-    or
-    convertedExprMayThrow(stmt.(DeclStmt).getADeclaration().(Variable).getInitializer().getExpr())
-    or
-    exists(IfStmt ifStmt | ifStmt = stmt |
-      convertedExprMayThrow(ifStmt.getCondition()) or
-      stmtMayThrow([ifStmt.getThen(), ifStmt.getElse()])
-    )
-    or
-    exists(ConstexprIfStmt constIfStmt | constIfStmt = stmt |
-      stmtMayThrow([constIfStmt.getThen(), constIfStmt.getElse()])
-    )
-    or
-    exists(Loop loop | loop = stmt |
-      convertedExprMayThrow(loop.getCondition()) or
-      stmtMayThrow(loop.getStmt())
-    )
-    or
-    // The case for `Loop` already checked the condition and the statement.
-    convertedExprMayThrow(stmt.(RangeBasedForStmt).getUpdate())
-    or
-    // The case for `Loop` already checked the condition and the statement.
-    exists(ForStmt forStmt | forStmt = stmt |
-      stmtMayThrow(forStmt.getInitialization())
-      or
-      convertedExprMayThrow(forStmt.getUpdate())
-    )
-    or
-    exists(SwitchStmt switchStmt | switchStmt = stmt |
-      convertedExprMayThrow(switchStmt.getExpr()) or
-      stmtMayThrow(switchStmt.getStmt())
-    )
-    or
-    // NOTE: We don't include `TryStmt` as those exceptions are not "observable" outside the function.
-    stmtMayThrow(stmt.(Handler).getBlock())
-    or
-    convertedExprMayThrow(stmt.(CoReturnStmt).getExpr())
-    or
-    convertedExprMayThrow(stmt.(ReturnStmt).getExpr())
-  }
+/**
+ * Holds if the function may throw an exception when called. That is, if the body of the function looks
+ * like it might throw an exception, and the function does not have a `noexcept` or `throw()` specifier.
+ */
+predicate functionMayThrow(Function f) {
+  (not exists(f.getBlock()) or stmtMayThrow(f.getBlock())) and
+  not f.isNoExcept() and
+  not f.isNoThrow()
+}
 
-  /** Holds if the evaluation of `e` (including conversions) may throw an exception. */
-  predicate convertedExprMayThrow(Expr e) {
-    exprMayThrow(e)
+/** Holds if the evaluation of `stmt` may throw an exception. */
+predicate stmtMayThrow(Stmt stmt) {
+  stmtMayThrow(stmt.(BlockStmt).getAStmt())
+  or
+  convertedExprMayThrow(stmt.(ExprStmt).getExpr())
+  or
+  convertedExprMayThrow(stmt.(DeclStmt).getADeclaration().(Variable).getInitializer().getExpr())
+  or
+  exists(IfStmt ifStmt | ifStmt = stmt |
+    convertedExprMayThrow(ifStmt.getCondition()) or
+    stmtMayThrow([ifStmt.getThen(), ifStmt.getElse()])
+  )
+  or
+  exists(ConstexprIfStmt constIfStmt | constIfStmt = stmt |
+    stmtMayThrow([constIfStmt.getThen(), constIfStmt.getElse()])
+  )
+  or
+  exists(Loop loop | loop = stmt |
+    convertedExprMayThrow(loop.getCondition()) or
+    stmtMayThrow(loop.getStmt())
+  )
+  or
+  // The case for `Loop` already checked the condition and the statement.
+  convertedExprMayThrow(stmt.(RangeBasedForStmt).getUpdate())
+  or
+  // The case for `Loop` already checked the condition and the statement.
+  exists(ForStmt forStmt | forStmt = stmt |
+    stmtMayThrow(forStmt.getInitialization())
     or
-    convertedExprMayThrow(e.getConversion())
-  }
+    convertedExprMayThrow(forStmt.getUpdate())
+  )
+  or
+  exists(SwitchStmt switchStmt | switchStmt = stmt |
+    convertedExprMayThrow(switchStmt.getExpr()) or
+    stmtMayThrow(switchStmt.getStmt())
+  )
+  or
+  // NOTE: We don't include `TryStmt` as those exceptions are not "observable" outside the function.
+  stmtMayThrow(stmt.(Handler).getBlock())
+  or
+  convertedExprMayThrow(stmt.(CoReturnStmt).getExpr())
+  or
+  convertedExprMayThrow(stmt.(ReturnStmt).getExpr())
+}
 
-  /** Holds if the evaluation of `e` may throw an exception. */
-  predicate exprMayThrow(Expr e) {
-    e instanceof DynamicCast
-    or
-    e instanceof TypeidOperator
-    or
-    e instanceof ThrowExpr
-    or
-    newMayThrow(e)
-    or
-    deleteMayThrow(e)
-    or
-    convertedExprMayThrow(e.(UnaryOperation).getOperand())
-    or
-    exists(BinaryOperation binOp | binOp = e |
-      convertedExprMayThrow([binOp.getLeftOperand(), binOp.getRightOperand()])
-    )
-    or
-    exists(Assignment assign | assign = e |
-      convertedExprMayThrow([assign.getLValue(), assign.getRValue()])
-    )
-    or
-    exists(CommaExpr comma | comma = e |
-      convertedExprMayThrow([comma.getLeftOperand(), comma.getRightOperand()])
-    )
-    or
-    exists(StmtExpr stmtExpr | stmtExpr = e |
-      convertedExprMayThrow(stmtExpr.getResultExpr()) or
-      stmtMayThrow(stmtExpr.getStmt())
-    )
-    or
-    convertedExprMayThrow(e.(Conversion).getExpr())
-    or
-    exists(FunctionCall fc | fc = e |
-      not exists(fc.getTarget()) or
-      functionMayThrow(fc.getTarget()) or
-      convertedExprMayThrow(fc.getAnArgument())
+/** Holds if the evaluation of `e` (including conversions) may throw an exception. */
+predicate convertedExprMayThrow(Expr e) {
+  exprMayThrow(e)
+  or
+  convertedExprMayThrow(e.getConversion())
+}
+
+/** Holds if the evaluation of `e` may throw an exception. */
+predicate exprMayThrow(Expr e) {
+  e instanceof DynamicCast
+  or
+  e instanceof TypeidOperator
+  or
+  e instanceof ThrowExpr
+  or
+  newMayThrow(e)
+  or
+  deleteMayThrow(e)
+  or
+  convertedExprMayThrow(e.(UnaryOperation).getOperand())
+  or
+  exists(BinaryOperation binOp | binOp = e |
+    convertedExprMayThrow([binOp.getLeftOperand(), binOp.getRightOperand()])
+  )
+  or
+  exists(Assignment assign | assign = e |
+    convertedExprMayThrow([assign.getLValue(), assign.getRValue()])
+  )
+  or
+  exists(CommaExpr comma | comma = e |
+    convertedExprMayThrow([comma.getLeftOperand(), comma.getRightOperand()])
+  )
+  or
+  exists(StmtExpr stmtExpr | stmtExpr = e |
+    convertedExprMayThrow(stmtExpr.getResultExpr()) or
+    stmtMayThrow(stmtExpr.getStmt())
+  )
+  or
+  convertedExprMayThrow(e.(Conversion).getExpr())
+  or
+  exists(FunctionCall fc | fc = e |
+    not exists(fc.getTarget()) or
+    functionMayThrow(fc.getTarget()) or
+    convertedExprMayThrow(fc.getAnArgument())
+  )
+}
+
+/** An allocator that might throw an exception. */
+class ThrowingAllocator extends Function {
+  ThrowingAllocator() {
+    exists(NewOrNewArrayExpr newExpr |
+      newExpr.getAllocator() = this and
+      functionMayThrow(this)
     )
   }
+}
 
-  /** An allocator that might throw an exception. */
-  class ThrowingAllocator extends Function {
-    ThrowingAllocator() {
-      exists(NewOrNewArrayExpr newExpr |
-        newExpr.getAllocator() = this and
-        functionMayThrow(this)
-      )
-    }
+/** The `std::bad_alloc` exception and its `bsl` variant. */
+class BadAllocType extends Class {
+  BadAllocType() { this.hasGlobalOrStdOrBslName("bad_alloc") }
+}
+
+/**
+ * A catch block that catches a `std::bad_alloc` (or any of its superclasses), or a catch
+ * block that catches every exception (i.e., `catch(...)`).
+ */
+class BadAllocCatchBlock extends CatchBlock {
+  BadAllocCatchBlock() {
+    this.getParameter().getUnspecifiedType().stripType() =
+      any(BadAllocType badAlloc).getABaseClass*()
+    or
+    not exists(this.getParameter())
   }
+}
 
-  /** The `std::bad_alloc` exception and its `bsl` variant. */
-  class BadAllocType extends Class {
-    BadAllocType() { this.hasGlobalOrStdOrBslName("bad_alloc") }
-  }
+/**
+ * Holds if `newExpr` is embedded in a `try` statement with a catch block `catchBlock` that
+ * catches a `std::bad_alloc` exception, but nothing in the `try` block (including the `newExpr`)
+ * will throw that exception.
+ */
+predicate noThrowInTryBlock(NewOrNewArrayExpr newExpr, BadAllocCatchBlock catchBlock) {
+  exists(TryStmt try |
+    not stmtMayThrow(try.getStmt()) and
+    try.getACatchClause() = catchBlock and
+    newExpr.getEnclosingBlock().getEnclosingBlock*() = try.getStmt()
+  )
+}
 
-  /**
-   * A catch block that catches a `std::bad_alloc` (or any of its superclasses), or a catch
-   * block that catches every exception (i.e., `catch(...)`).
-   */
-  class BadAllocCatchBlock extends CatchBlock {
-    BadAllocCatchBlock() {
-      this.getParameter().getUnspecifiedType().stripType() =
-        any(BadAllocType badAlloc).getABaseClass*()
-      or
-      not exists(this.getParameter())
-    }
-  }
+/**
+ * Holds if `newExpr` is handles allocation failures by throwing an exception, yet
+ * the guard condition `guard` compares the result of `newExpr` to a null value.
+ */
+predicate nullCheckInThrowingNew(NewOrNewArrayExpr newExpr, GuardCondition guard) {
+  newExpr.getAllocator() instanceof ThrowingAllocator and
+  (
+    // Handles null comparisons.
+    guard.ensuresEq(globalValueNumber(newExpr).getAnExpr(), any(NullValue null), _, _, _)
+    or
+    // Handles `if(ptr)` and `if(!ptr)` cases.
+    guard = globalValueNumber(newExpr).getAnExpr()
+  )
+}
 
-  /**
-   * Holds if `newExpr` is embedded in a `try` statement with a catch block `catchBlock` that
-   * catches a `std::bad_alloc` exception, but nothing in the `try` block (including the `newExpr`)
-   * will throw that exception.
-   */
-  predicate noThrowInTryBlock(NewOrNewArrayExpr newExpr, BadAllocCatchBlock catchBlock) {
-    exists(TryStmt try |
-      not stmtMayThrow(try.getStmt()) and
-      try.getACatchClause() = catchBlock and
-      newExpr.getEnclosingBlock().getEnclosingBlock*() = try.getStmt()
-    )
-  }
-
-  /**
-   * Holds if `newExpr` is handles allocation failures by throwing an exception, yet
-   * the guard condition `guard` compares the result of `newExpr` to a null value.
-   */
-  predicate nullCheckInThrowingNew(NewOrNewArrayExpr newExpr, GuardCondition guard) {
-    newExpr.getAllocator() instanceof ThrowingAllocator and
-    (
-      // Handles null comparisons.
-      guard.ensuresEq(globalValueNumber(newExpr).getAnExpr(), any(NullValue null), _, _, _)
-      or
-      // Handles `if(ptr)` and `if(!ptr)` cases.
-      guard = globalValueNumber(newExpr).getAnExpr()
-    )
-  }
-
-  from NewOrNewArrayExpr newExpr, Element element, string msg, string elementString
-  where
-    not newExpr.isFromUninstantiatedTemplate(_) and
-    (
-      noThrowInTryBlock(newExpr, element) and
-      msg = "This allocation cannot throw. $@ is unnecessary." and
-      elementString = "This catch block"
-      or
-      nullCheckInThrowingNew(newExpr, element) and
-      msg = "This allocation cannot return null. $@ is unnecessary." and
-      elementString = "This check"
-    )
-  select newExpr, msg, element, elementString
+from NewOrNewArrayExpr newExpr, Element element, string msg, string elementString
+where
+  not newExpr.isFromUninstantiatedTemplate(_) and
+  (
+    noThrowInTryBlock(newExpr, element) and
+    msg = "This allocation cannot throw. $@ is unnecessary." and
+    elementString = "This catch block"
+    or
+    nullCheckInThrowingNew(newExpr, element) and
+    msg = "This allocation cannot return null. $@ is unnecessary." and
+    elementString = "This check"
+  )
+select newExpr, msg, element, elementString

From b2432158a8ec851415c1a53c364defecf4466435 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 20 May 2021 10:00:32 +0200
Subject: [PATCH 1125/1429] C++: Add change-note.

---
 .../2021-05-20-incorrect-allocation-error-handling.md           | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 cpp/change-notes/2021-05-20-incorrect-allocation-error-handling.md

diff --git a/cpp/change-notes/2021-05-20-incorrect-allocation-error-handling.md b/cpp/change-notes/2021-05-20-incorrect-allocation-error-handling.md
new file mode 100644
index 00000000000..8ad67264528
--- /dev/null
+++ b/cpp/change-notes/2021-05-20-incorrect-allocation-error-handling.md
@@ -0,0 +1,2 @@
+lgtm
+* A new query (`cpp/incorrect-allocation-error-handling`) has been added. The query finds incorrect error-handling of calls to `operator new`.

From ab23507e3fdd1436cbc0c47c2f24a52eb5947ed1 Mon Sep 17 00:00:00 2001
From: Alex Denisov <alex@lowlevelbits.org>
Date: Tue, 18 May 2021 15:50:05 +0200
Subject: [PATCH 1126/1429] C++: Add ref qualifiers

---
 cpp/change-notes/2021-05-20-ref-qualifiers.md | 2 ++
 cpp/ql/src/semmle/code/cpp/MemberFunction.qll | 9 +++++++++
 2 files changed, 11 insertions(+)
 create mode 100644 cpp/change-notes/2021-05-20-ref-qualifiers.md

diff --git a/cpp/change-notes/2021-05-20-ref-qualifiers.md b/cpp/change-notes/2021-05-20-ref-qualifiers.md
new file mode 100644
index 00000000000..e4b394a2173
--- /dev/null
+++ b/cpp/change-notes/2021-05-20-ref-qualifiers.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* lvalue/rvalue ref qualifiers are now accessible via the new predicates on `MemberFunction`(`.isLValueRefQualified`, `.isRValueRefQualified`, and `isRefQualified`).
diff --git a/cpp/ql/src/semmle/code/cpp/MemberFunction.qll b/cpp/ql/src/semmle/code/cpp/MemberFunction.qll
index 9dc1bbc7346..63c1406d8a5 100644
--- a/cpp/ql/src/semmle/code/cpp/MemberFunction.qll
+++ b/cpp/ql/src/semmle/code/cpp/MemberFunction.qll
@@ -48,6 +48,15 @@ class MemberFunction extends Function {
   /** Holds if this member is public. */
   predicate isPublic() { this.hasSpecifier("public") }
 
+  /** Holds if this declaration has the lvalue ref-qualifier */
+  predicate isLValueRefQualified() { hasSpecifier("&") }
+
+  /** Holds if this declaration has the rvalue ref-qualifier */
+  predicate isRValueRefQualified() { hasSpecifier("&&") }
+
+  /** Holds if this declaration has a ref-qualifier */
+  predicate isRefQualified() { isLValueRefQualified() or isRValueRefQualified() }
+
   /** Holds if this function overrides that function. */
   predicate overrides(MemberFunction that) {
     overrides(underlyingElement(this), unresolveElement(that))

From 694eba66f3d8593ebf386e6fe4d0e13a48353416 Mon Sep 17 00:00:00 2001
From: Alex Denisov <alex@lowlevelbits.org>
Date: Thu, 20 May 2021 10:49:20 +0200
Subject: [PATCH 1127/1429] C++: Adjust tests for new specifiers

---
 cpp/ql/test/library-tests/clang_ms/element.expected             | 2 ++
 cpp/ql/test/library-tests/conditions/elements.expected          | 2 ++
 .../templates/instantiations_functions/elements.expected        | 2 ++
 cpp/ql/test/library-tests/unnamed/elements.expected             | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/cpp/ql/test/library-tests/clang_ms/element.expected b/cpp/ql/test/library-tests/clang_ms/element.expected
index 11e28a50670..8ca381ef406 100644
--- a/cpp/ql/test/library-tests/clang_ms/element.expected
+++ b/cpp/ql/test/library-tests/clang_ms/element.expected
@@ -26,6 +26,8 @@
 | clang_ms.cpp:17:1:17:32 | #pragma |
 | clang_ms.cpp:18:1:18:31 | #pragma |
 | file://:0:0:0:0 |  |
+| file://:0:0:0:0 | & |
+| file://:0:0:0:0 | && |
 | file://:0:0:0:0 | (global namespace) |
 | file://:0:0:0:0 | (unnamed parameter 0) |
 | file://:0:0:0:0 | (unnamed parameter 0) |
diff --git a/cpp/ql/test/library-tests/conditions/elements.expected b/cpp/ql/test/library-tests/conditions/elements.expected
index 483f5ad22ed..cdab5557305 100644
--- a/cpp/ql/test/library-tests/conditions/elements.expected
+++ b/cpp/ql/test/library-tests/conditions/elements.expected
@@ -1,4 +1,6 @@
 | file://:0:0:0:0 |  |
+| file://:0:0:0:0 | & |
+| file://:0:0:0:0 | && |
 | file://:0:0:0:0 | (global namespace) |
 | file://:0:0:0:0 | (unnamed parameter 0) |
 | file://:0:0:0:0 | (unnamed parameter 0) |
diff --git a/cpp/ql/test/library-tests/templates/instantiations_functions/elements.expected b/cpp/ql/test/library-tests/templates/instantiations_functions/elements.expected
index 2a7165a8419..44d8ff0cb83 100644
--- a/cpp/ql/test/library-tests/templates/instantiations_functions/elements.expected
+++ b/cpp/ql/test/library-tests/templates/instantiations_functions/elements.expected
@@ -1,4 +1,6 @@
 | file://:0:0:0:0 |  |
+| file://:0:0:0:0 | & |
+| file://:0:0:0:0 | && |
 | file://:0:0:0:0 | (composite<int> *)... |
 | file://:0:0:0:0 | (composite<int> *)... |
 | file://:0:0:0:0 | (global namespace) |
diff --git a/cpp/ql/test/library-tests/unnamed/elements.expected b/cpp/ql/test/library-tests/unnamed/elements.expected
index 37695f5e837..2b32306fbac 100644
--- a/cpp/ql/test/library-tests/unnamed/elements.expected
+++ b/cpp/ql/test/library-tests/unnamed/elements.expected
@@ -1,4 +1,6 @@
 | file://:0:0:0:0 |  | Other |
+| file://:0:0:0:0 | & | Other |
+| file://:0:0:0:0 | && | Other |
 | file://:0:0:0:0 | (global namespace) | Other |
 | file://:0:0:0:0 | (unnamed global/namespace variable) | Other |
 | file://:0:0:0:0 | _Complex __float128 | Other |

From c4bb3c27e0f7c729a397ebab7daa2a1a4451acea Mon Sep 17 00:00:00 2001
From: Taus <tausbn@gmail.com>
Date: Thu, 20 May 2021 13:14:09 +0200
Subject: [PATCH 1128/1429] Python: Update
 python/ql/src/semmle/python/ApiGraphs.qll

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
---
 python/ql/src/semmle/python/ApiGraphs.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index ad10f9950ff..61c9f4c1c7f 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -352,7 +352,7 @@ module API {
     /** Gets the name of a known built-in. */
     private string getBuiltInName() {
       // These lists were created by inspecting the `builtins` and `__builtin__` modules in
-      // Python 2 and 3 respectively, using the `dir` built-in.
+      // Python 3 and 2 respectively, using the `dir` built-in.
       // Built-in functions and exceptions shared between Python 2 and 3
       result in [
           "abs", "all", "any", "bin", "bool", "bytearray", "callable", "chr", "classmethod",

From 1fc95a68ca7d98294d1dab619d93003a3c34341e Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Thu, 20 May 2021 13:47:23 +0200
Subject: [PATCH 1129/1429] Python: Add more type tracking QL doc

---
 .../experimental/typetracking/TypeTracker.qll    | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/python/ql/src/experimental/typetracking/TypeTracker.qll b/python/ql/src/experimental/typetracking/TypeTracker.qll
index 05f446b11fa..48627668fb3 100644
--- a/python/ql/src/experimental/typetracking/TypeTracker.qll
+++ b/python/ql/src/experimental/typetracking/TypeTracker.qll
@@ -55,11 +55,21 @@ class StepSummary extends TStepSummary {
 
 /** Provides predicates for updating step summaries (`StepSummary`s). */
 module StepSummary {
+  /**
+   * Gets the summary that corresponds to having taken a forwards
+   * heap and/or intra-procedural step from `nodeFrom` to `nodeTo`.
+   *
+   * Steps contained in this predicate should _not_ depend on the call graph.
+   */
   cached
   private predicate stepNoCall(LocalSourceNode nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
     exists(Node mid | nodeFrom.flowsTo(mid) and smallstepNoCall(mid, nodeTo, summary))
   }
 
+  /**
+   * Gets the summary that corresponds to having taken a forwards
+   * inter-procedural step from `nodeFrom` to `nodeTo`.
+   */
   cached
   private predicate stepCall(LocalSourceNode nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
     exists(Node mid | nodeFrom.flowsTo(mid) and smallstepCall(mid, nodeTo, summary))
@@ -68,6 +78,12 @@ module StepSummary {
   /**
    * Gets the summary that corresponds to having taken a forwards
    * heap and/or inter-procedural step from `nodeFrom` to `nodeTo`.
+   *
+   * This predicate is inlined, which enables better join-orders when
+   * the call graph construction and type tracking are mutually recursive.
+   * In such cases, non-linear recursion involving `step` will be limited
+   * to non-linear recursion for the parts of `step` that involve the
+   * call graph.
    */
   pragma[inline]
   predicate step(LocalSourceNode nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {

From f17fe442a27a217bec0c8770cd1ef49b49cd3cb4 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 20 May 2021 14:52:10 +0200
Subject: [PATCH 1130/1429] Python: Expand test of py/use-of-input

---
 .../query-tests/Expressions/UseofApply.expected |  2 +-
 .../query-tests/Expressions/expressions_test.py | 17 ++++++++++++++---
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/python/ql/test/2/query-tests/Expressions/UseofApply.expected b/python/ql/test/2/query-tests/Expressions/UseofApply.expected
index aac8fbcda88..0c5e28c9494 100644
--- a/python/ql/test/2/query-tests/Expressions/UseofApply.expected
+++ b/python/ql/test/2/query-tests/Expressions/UseofApply.expected
@@ -1,2 +1,2 @@
 | UseofApply.py:19:3:19:17 | ControlFlowNode for apply() | Call to the obsolete builtin function 'apply'. |
-| expressions_test.py:3:5:3:21 | ControlFlowNode for apply() | Call to the obsolete builtin function 'apply'. |
+| expressions_test.py:2:5:2:21 | ControlFlowNode for apply() | Call to the obsolete builtin function 'apply'. |
diff --git a/python/ql/test/2/query-tests/Expressions/expressions_test.py b/python/ql/test/2/query-tests/Expressions/expressions_test.py
index 943bcea98a8..c31681e3535 100644
--- a/python/ql/test/2/query-tests/Expressions/expressions_test.py
+++ b/python/ql/test/2/query-tests/Expressions/expressions_test.py
@@ -1,7 +1,18 @@
-
 def use_of_apply(func, args):
     apply(func, args)
 
-def use_of_input():
-    return input()
 
+def use_of_input():
+    return input() # NOT OK
+
+
+def not_use_of_input():
+    input = raw_input
+    return input() # OK
+
+
+if __name__ == "__main__":
+    # if you enter 4+4 each time, you'll see that results are: 8, '4+4', 8
+    print("result:", use_of_input())
+    print("result:", not_use_of_input())
+    print("result:", use_of_input())

From 28f597440f9ffed66041bf206c41d09d99685d7a Mon Sep 17 00:00:00 2001
From: Sebastian Bauersfeld <sebastian@semmle.com>
Date: Thu, 20 May 2021 18:47:50 +0700
Subject: [PATCH 1131/1429] Add method invocations of Spring's SavedRequest as
 a remote sources.

---
 .../code/java/dataflow/ExternalFlow.qll       |   7 ++
 .../taintsources/SpringSavedRequest.java      |  26 +++++
 .../dataflow/taintsources/remote.expected     |  12 ++
 .../web/savedrequest/SavedRequest.java        |  56 ++++++++++
 .../web/savedrequest/SimpleSavedRequest.java  | 103 ++++++++++++++++++
 5 files changed, 204 insertions(+)
 create mode 100644 java/ql/test/library-tests/dataflow/taintsources/SpringSavedRequest.java
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/security/web/savedrequest/SavedRequest.java
 create mode 100644 java/ql/test/stubs/springframework-5.2.3/org/springframework/security/web/savedrequest/SimpleSavedRequest.java

diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 76f685e7d20..33a146d07fe 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -87,6 +87,13 @@ private module Frameworks {
 private predicate sourceModelCsv(string row) {
   row =
     [
+      // org.springframework.security.web.savedrequest.SavedRequest
+      "org.springframework.security.web.savedrequest;SavedRequest;true;getRedirectUrl;;;ReturnValue;remote",
+      "org.springframework.security.web.savedrequest;SavedRequest;true;getCookies;;;ReturnValue;remote",
+      "org.springframework.security.web.savedrequest;SavedRequest;true;getHeaderValues;;;ReturnValue;remote",
+      "org.springframework.security.web.savedrequest;SavedRequest;true;getHeaderNames;;;ReturnValue;remote",
+      "org.springframework.security.web.savedrequest;SavedRequest;true;getParameterValues;;;ReturnValue;remote",
+      "org.springframework.security.web.savedrequest;SavedRequest;true;getParameterMap;;;ReturnValue;remote",
       // ServletRequestGetParameterMethod
       "javax.servlet;ServletRequest;false;getParameter;(String);;ReturnValue;remote",
       "javax.servlet;ServletRequest;false;getParameterValues;(String);;ReturnValue;remote",
diff --git a/java/ql/test/library-tests/dataflow/taintsources/SpringSavedRequest.java b/java/ql/test/library-tests/dataflow/taintsources/SpringSavedRequest.java
new file mode 100644
index 00000000000..a4ee8c018a2
--- /dev/null
+++ b/java/ql/test/library-tests/dataflow/taintsources/SpringSavedRequest.java
@@ -0,0 +1,26 @@
+import org.springframework.security.web.savedrequest.SavedRequest;
+import org.springframework.security.web.savedrequest.SimpleSavedRequest;
+
+public class SpringSavedRequest {
+	SavedRequest sr;
+
+	public void test() {
+		sr.getRedirectUrl();
+		sr.getCookies();
+		sr.getHeaderValues("name");
+		sr.getHeaderNames();
+		sr.getParameterValues("name");
+		sr.getParameterMap();
+	}
+
+	SimpleSavedRequest ssr;
+
+	public void test2() {
+		ssr.getRedirectUrl();
+		ssr.getCookies();
+		ssr.getHeaderValues("name");
+		ssr.getHeaderNames();
+		ssr.getParameterValues("name");
+		ssr.getParameterMap();
+	}
+}
diff --git a/java/ql/test/library-tests/dataflow/taintsources/remote.expected b/java/ql/test/library-tests/dataflow/taintsources/remote.expected
index ba615b628cc..f3b5685d4b9 100644
--- a/java/ql/test/library-tests/dataflow/taintsources/remote.expected
+++ b/java/ql/test/library-tests/dataflow/taintsources/remote.expected
@@ -47,3 +47,15 @@
 | SpringMultiPart.java:21:3:21:26 | getFiles(...) | SpringMultiPart.java:21:3:21:26 | getFiles(...) |
 | SpringMultiPart.java:22:3:22:27 | getMultiFileMap(...) | SpringMultiPart.java:22:3:22:27 | getMultiFileMap(...) |
 | SpringMultiPart.java:23:3:23:41 | getMultipartContentType(...) | SpringMultiPart.java:23:3:23:41 | getMultipartContentType(...) |
+| SpringSavedRequest.java:8:3:8:21 | getRedirectUrl(...) | SpringSavedRequest.java:8:3:8:21 | getRedirectUrl(...) |
+| SpringSavedRequest.java:9:3:9:17 | getCookies(...) | SpringSavedRequest.java:9:3:9:17 | getCookies(...) |
+| SpringSavedRequest.java:10:3:10:28 | getHeaderValues(...) | SpringSavedRequest.java:10:3:10:28 | getHeaderValues(...) |
+| SpringSavedRequest.java:11:3:11:21 | getHeaderNames(...) | SpringSavedRequest.java:11:3:11:21 | getHeaderNames(...) |
+| SpringSavedRequest.java:12:3:12:31 | getParameterValues(...) | SpringSavedRequest.java:12:3:12:31 | getParameterValues(...) |
+| SpringSavedRequest.java:13:3:13:22 | getParameterMap(...) | SpringSavedRequest.java:13:3:13:22 | getParameterMap(...) |
+| SpringSavedRequest.java:19:3:19:22 | getRedirectUrl(...) | SpringSavedRequest.java:19:3:19:22 | getRedirectUrl(...) |
+| SpringSavedRequest.java:20:3:20:18 | getCookies(...) | SpringSavedRequest.java:20:3:20:18 | getCookies(...) |
+| SpringSavedRequest.java:21:3:21:29 | getHeaderValues(...) | SpringSavedRequest.java:21:3:21:29 | getHeaderValues(...) |
+| SpringSavedRequest.java:22:3:22:22 | getHeaderNames(...) | SpringSavedRequest.java:22:3:22:22 | getHeaderNames(...) |
+| SpringSavedRequest.java:23:3:23:32 | getParameterValues(...) | SpringSavedRequest.java:23:3:23:32 | getParameterValues(...) |
+| SpringSavedRequest.java:24:3:24:23 | getParameterMap(...) | SpringSavedRequest.java:24:3:24:23 | getParameterMap(...) |
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/security/web/savedrequest/SavedRequest.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/security/web/savedrequest/SavedRequest.java
new file mode 100644
index 00000000000..6a2984c7329
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/security/web/savedrequest/SavedRequest.java
@@ -0,0 +1,56 @@
+/*
+ * Copyright 2002-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.savedrequest;
+
+import java.util.Collection;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+
+import javax.servlet.http.Cookie;
+
+/**
+ * Encapsulates the functionality required of a cached request for both an authentication
+ * mechanism (typically form-based login) to redirect to the original URL and for a
+ * <tt>RequestCache</tt> to build a wrapped request, reproducing the original request
+ * data.
+ *
+ * @author Luke Taylor
+ * @since 3.0
+ */
+public interface SavedRequest extends java.io.Serializable {
+
+	/**
+	 * @return the URL for the saved request, allowing a redirect to be performed.
+	 */
+	String getRedirectUrl();
+
+	List<Cookie> getCookies();
+
+	String getMethod();
+
+	List<String> getHeaderValues(String name);
+
+	Collection<String> getHeaderNames();
+
+	List<Locale> getLocales();
+
+	String[] getParameterValues(String name);
+
+	Map<String, String[]> getParameterMap();
+
+}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/security/web/savedrequest/SimpleSavedRequest.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/security/web/savedrequest/SimpleSavedRequest.java
new file mode 100644
index 00000000000..b18dbb3ab39
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/security/web/savedrequest/SimpleSavedRequest.java
@@ -0,0 +1,103 @@
+/*
+ * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.savedrequest;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+
+import javax.servlet.http.Cookie;
+
+/**
+ * A Bean implementation of SavedRequest
+ *
+ * @author Rob Winch
+ * @since 5.1
+ */
+public class SimpleSavedRequest implements SavedRequest {
+
+	public SimpleSavedRequest() {
+	}
+
+	public SimpleSavedRequest(String redirectUrl) {
+	}
+
+	public SimpleSavedRequest(SavedRequest request) {
+	}
+
+	@Override
+	public String getRedirectUrl() {
+		return null;
+	}
+
+	@Override
+	public List<Cookie> getCookies() {
+		return null;
+	}
+
+	@Override
+	public String getMethod() {
+		return null;
+	}
+
+	@Override
+	public List<String> getHeaderValues(String name) {
+		return null;
+	}
+
+	@Override
+	public Collection<String> getHeaderNames() {
+		return null;
+	}
+
+	@Override
+	public List<Locale> getLocales() {
+		return null;
+	}
+
+	@Override
+	public String[] getParameterValues(String name) {
+		return null;
+	}
+
+	@Override
+	public Map<String, String[]> getParameterMap() {
+		return null;
+	}
+
+	public void setRedirectUrl(String redirectUrl) {
+	}
+
+	public void setCookies(List<Cookie> cookies) {
+	}
+
+	public void setMethod(String method) {
+	}
+
+	public void setHeaders(Map<String, List<String>> headers) {
+	}
+
+	public void setLocales(List<Locale> locales) {
+	}
+
+	public void setParameters(Map<String, String[]> parameters) {
+	}
+
+}

From ffcca4d5e9e570c574549a85a577fccbb18e44ca Mon Sep 17 00:00:00 2001
From: Sebastian Bauersfeld <sebastian@semmle.com>
Date: Thu, 20 May 2021 20:07:14 +0700
Subject: [PATCH 1132/1429] Add change note.

---
 java/change-notes/2021-05-20-savedrequest-taintsources.md | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 java/change-notes/2021-05-20-savedrequest-taintsources.md

diff --git a/java/change-notes/2021-05-20-savedrequest-taintsources.md b/java/change-notes/2021-05-20-savedrequest-taintsources.md
new file mode 100644
index 00000000000..d22cb000c64
--- /dev/null
+++ b/java/change-notes/2021-05-20-savedrequest-taintsources.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Invocations of methods from `org.springframework.security.web.savedrequest.SavedRequest`
+  have been added as sources of tainted data for all security queries.

From 1e40213abb8a9ae7368cff27606194838661d0c2 Mon Sep 17 00:00:00 2001
From: Evgenii Protsenko <procenkoeg@yandex.ru>
Date: Thu, 20 May 2021 22:56:08 +0300
Subject: [PATCH 1133/1429] use <class> instead of <class>::Range

---
 .../python/frameworks/clickhouse-driver/ClickHouseDriver.ql     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.ql b/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.ql
index 7ff45d8d822..bedd47c0af6 100644
--- a/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.ql
+++ b/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.ql
@@ -2,5 +2,5 @@ import python
 import experimental.semmle.python.frameworks.ClickHouseDriver
 import semmle.python.Concepts
 
-from SqlExecution::Range s
+from SqlExecution s
 select s, s.getSql()

From 5300dd2fa85b93cc2e03ec899b5abb0588b5888b Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 21 May 2021 10:33:56 +0200
Subject: [PATCH 1134/1429] C++: Merge the experimental query
 'cpp/access-memory-location-after-end-buffer-strncat' into
 'cpp/unsafe-strncat'.

---
 .../SuspiciousCallToStrncat.cpp               |  4 ++
 .../SuspiciousCallToStrncat.qhelp             | 10 ++-
 .../SuspiciousCallToStrncat.ql                | 61 ++++++++++++++++---
 3 files changed, 66 insertions(+), 9 deletions(-)

diff --git a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.cpp b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.cpp
index c5cbcd2d7f1..d15a123ce66 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.cpp	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.cpp	
@@ -2,3 +2,7 @@ strncat(dest, src, strlen(dest)); //wrong: should use remaining size of dest
 
 strncat(dest, src, sizeof(dest)); //wrong: should use remaining size of dest. 
                                   //Also fails if dest is a pointer and not an array.
+ 
+strncat(dest, source, sizeof(dest) - strlen(dest)); // wrong: writes a zero byte past the `dest` buffer.
+
+strncat(dest, source, sizeof(dest) - strlen(dest) - 1); // correct: reserves space for the zero byte.
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.qhelp b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.qhelp
index 5424338e1d1..605d2a0f841 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.qhelp	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.qhelp	
@@ -4,7 +4,11 @@
 <qhelp>
 <overview>
 <p>The standard library function <code>strncat</code> appends a source string to a target string. 
-The third argument defines the maximum number of characters to append and should be less than or equal to the remaining space in the destination buffer. Calls of the form <code>strncat(dest, src, strlen(dest))</code> or <code>strncat(dest, src, sizeof(dest))</code> set the third argument to the entire size of the destination buffer. Executing a call of this type may cause a buffer overflow unless the buffer is known to be empty. Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.</p>
+The third argument defines the maximum number of characters to append and should be less than or equal to the remaining space in the destination buffer.
+Calls of the form <code>strncat(dest, src, strlen(dest))</code> or <code>strncat(dest, src, sizeof(dest))</code> set the third argument to the entire size of the destination buffer.
+Executing a call of this type may cause a buffer overflow unless the buffer is known to be empty.
+Similarly, calls of the form <code>strncat(dest, src, sizeof (dest) - strlen (dest))</code> allows one byte to be written ouside the `dest` buffer.
+Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.</p>
 
 </overview>
 <recommendation>
@@ -25,6 +29,10 @@ The third argument defines the maximum number of characters to append and should
 <li>
   M. Donaldson, <em>Inside the Buffer Overflow Attack: Mechanism, Method &amp; Prevention</em>. SANS Institute InfoSec Reading Room, 2002.
 </li>
+<li>
+  CERT C Coding Standard:
+<a href="https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator">STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator</a>.
+</li>
 
 
 </references>
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
index eae20876e35..98b007640a5 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql	
@@ -1,7 +1,7 @@
 /**
  * @name Potentially unsafe call to strncat
- * @description Calling 'strncat' with the size of the destination buffer
- *              as the third argument may result in a buffer overflow.
+ * @description Calling `strncat` with the size of the destination buffer as the third argument may result in a buffer overflow.
+ *              Similarly, calling `strncat` with `sizeof (dest) - strlen (dest)` as the third argument may result in a buffer overflow.
  * @kind problem
  * @problem.severity warning
  * @precision medium
@@ -9,6 +9,7 @@
  * @tags reliability
  *       correctness
  *       security
+ *       external/cwe/cwe-788
  *       external/cwe/cwe-676
  *       external/cwe/cwe-119
  *       external/cwe/cwe-251
@@ -16,11 +17,55 @@
 
 import cpp
 import Buffer
+import semmle.code.cpp.models.implementations.Strcat
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 
-from FunctionCall fc, VariableAccess va1, VariableAccess va2
-where
-  fc.getTarget().(Function).hasName("strncat") and
-  va1 = fc.getArgument(0) and
-  va2 = fc.getArgument(2).(BufferSizeExpr).getArg() and
-  va1.getTarget() = va2.getTarget()
+/**
+ * Holds if `call` is a call to `strncat` such that `sizeArg` and `destArg` are the size and
+ * destination arguments, respectively.
+ */
+predicate interestringCallWithArgs(Call call, Expr sizeArg, Expr destArg) {
+  exists(StrcatFunction strcat |
+    strcat = call.getTarget() and
+    sizeArg = call.getArgument(strcat.getParamSize()) and
+    destArg = call.getArgument(strcat.getParamDest())
+  )
+}
+
+/**
+ * Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination
+ * argument `destArg`, and `destArg` is the size of the buffer pointed to by `destArg`.
+ */
+predicate case1(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
+  interestringCallWithArgs(fc, sizeArg, destArg) and
+  exists(StrcatFunction strncat, VariableAccess va |
+    fc.getTarget() = strncat and
+    destArg = fc.getArgument(strncat.getParamDest()) and
+    va = sizeArg.(BufferSizeExpr).getArg() and
+    destArg.getTarget() = va.getTarget()
+  )
+}
+
+/**
+ * Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination
+ * argument `destArg`, and `sizeArg` computes the value `sizeof (dest) - strlen (dest)`.
+ */
+predicate case2(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
+  interestringCallWithArgs(fc, sizeArg, destArg) and
+  exists(SubExpr sub, int n |
+    // The destination buffer is an array of size n
+    destArg.getUnspecifiedType().(ArrayType).getSize() = n and
+    // The size argument is equivalent to a subtraction
+    globalValueNumber(sizeArg).getAnExpr() = sub and
+    // ... where the left side of the subtraction is the constant n
+    globalValueNumber(sub.getLeftOperand()).getAnExpr().getValue().toInt() = n and
+    // ... and the right side of the subtraction is a call to `strlen` where the argument is the
+    // destination buffer.
+    globalValueNumber(sub.getRightOperand()).getAnExpr().(StrlenCall).getStringExpr() =
+      globalValueNumber(destArg).getAnExpr()
+  )
+}
+
+from FunctionCall fc, Expr sizeArg, Expr destArg
+where case1(fc, sizeArg, destArg) or case2(fc, sizeArg, destArg)
 select fc, "Potentially unsafe call to strncat."

From 8d0cfb4e9186edfc575f8b07569ccffc12a619ba Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 21 May 2021 10:34:59 +0200
Subject: [PATCH 1135/1429] C++: Merge tests from
 'cpp/access-memory-location-after-end-buffer-strncat' into the tests from
 'cpp/unsafe-strncat'.

---
 .../SuspiciousCallToStrncat.expected          |  2 ++
 .../SuspiciousCallToStrncat/test.c            | 28 +++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/SuspiciousCallToStrncat.expected b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/SuspiciousCallToStrncat.expected
index b4f8836dbe3..91cccc10f10 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/SuspiciousCallToStrncat.expected	
+++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/SuspiciousCallToStrncat.expected	
@@ -1 +1,3 @@
 | test.c:24:2:24:8 | call to strncat | Potentially unsafe call to strncat. |
+| test.c:46:3:46:9 | call to strncat | Potentially unsafe call to strncat. |
+| test.c:68:3:68:9 | call to strncat | Potentially unsafe call to strncat. |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/test.c b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/test.c
index 3c41316aaf2..153c0a22178 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/test.c	
+++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/test.c	
@@ -39,3 +39,31 @@ void bad1(char *s) {
 	strncat(buf, ".", 1); // BAD [NOT DETECTED] -- Need to check if any space is left
 }
 
+
+void strncat_test1(char *s) {
+  char buf[80];
+  strncat(buf, s, sizeof(buf) - strlen(buf) - 1); // GOOD
+  strncat(buf, s, sizeof(buf) - strlen(buf));  // BAD
+}
+
+void* malloc(size_t);
+
+void strncat_test2(char *s) {
+  int len = 80;
+  char* buf = (char *)malloc(len);
+  strncat(buf, s, len - strlen(buf) - 1); // GOOD
+  strncat(buf, s, len - strlen(buf));  // BAD [NOT DETECTED]
+}
+
+struct buffers
+{
+  char array[50];
+  char* pointer;
+};
+
+void strncat_test3(char* s, struct buffers* buffers) {
+  unsigned len_array = strlen(buffers->array);
+  unsigned max_size = sizeof(buffers->array);
+  unsigned free_size = max_size - len_array;
+  strncat(buffers->array, s, free_size); // BAD
+}
\ No newline at end of file

From 12cd09d5d4fcc41a3b632dc816abf569478181bb Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 21 May 2021 10:35:57 +0200
Subject: [PATCH 1136/1429] C++: Delete the experimental query and its tests,
 and accept the test changes.

---
 ...moryLocationAfterEndOfBufferUsingStrncat.c |  4 --
 ...LocationAfterEndOfBufferUsingStrncat.qhelp | 32 --------------
 ...oryLocationAfterEndOfBufferUsingStrncat.ql | 42 -------------------
 ...cationAfterEndOfBufferUsingStrlen.expected | 18 ++++----
 ...ationAfterEndOfBufferUsingStrncat.expected |  5 ---
 ...LocationAfterEndOfBufferUsingStrncat.qlref |  1 -
 .../Security/CWE/CWE-788/semmle/tests/test.c  | 38 -----------------
 7 files changed, 9 insertions(+), 131 deletions(-)
 delete mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.c
 delete mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.qhelp
 delete mode 100644 cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql
 delete mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.expected
 delete mode 100644 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.qlref

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.c b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.c
deleted file mode 100644
index 060a22b5c18..00000000000
--- a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.c
+++ /dev/null
@@ -1,4 +0,0 @@
- 
-strncat(dest, source, sizeof(dest) - strlen(dest)); // BAD: writes a zero byte past the `dest` buffer.
-
-strncat(dest, source, sizeof(dest) - strlen(dest) -1); // GOOD: Reserves space for the zero byte.
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.qhelp
deleted file mode 100644
index 5c2154097ec..00000000000
--- a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.qhelp
+++ /dev/null
@@ -1,32 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-<p>The standard library function <code>strncat(dest, source, count)</code> appends the <code>source</code> string to the <code>dest</code> string. <code>count</code> specifies the maximum number of characters to append and must be less than the remaining space in the target buffer. Calls of the form <code> strncat (dest, source, sizeof (dest) - strlen (dest)) </code> set the third argument to one more than possible. So when the <code>dest</code> is full, the expression <code> sizeof (dest) - strlen (dest) </code> will be equal to one, and not zero as the programmer might think. Making a call of this type may result in a zero byte being written just outside the <code>dest</code> buffer.</p>
-
-
-</overview>
-<recommendation>
-
-<p>We recommend subtracting one from the third argument. For example, replace <code>strncat(dest, source, sizeof(dest)-strlen(dest))</code> with <code>strncat(dest, source, sizeof(dest)-strlen(dest)-1)</code>.</p>
-
-</recommendation>
-<example>
-<p>The following example demonstrates an erroneous and corrected use of the <code>strncat</code> function.</p>
-<sample src="AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.c" />
-
-</example>
-<references>
-
-<li>
-  CERT C Coding Standard:
-<a href="https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator">STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator</a>.
-</li>
-<li>
-  CERT C Coding Standard:
-  <a href="https://wiki.sei.cmu.edu/confluence/display/c/ARR30-C.+Do+not+form+or+use+out-of-bounds+pointers+or+array+subscripts">ARR30-C. Do not form or use out-of-bounds pointers or array subscripts</a>.
-</li>
-
-</references>
-</qhelp>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql
deleted file mode 100644
index f68395f29bf..00000000000
--- a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql
+++ /dev/null
@@ -1,42 +0,0 @@
-/**
- * @name Access Of Memory Location After The End Of A Buffer Using Strncat
- * @description Calls of the form `strncat(dest, source, sizeof (dest) - strlen (dest))` set the third argument to one more than possible. So when `dest` is full, the expression `sizeof(dest) - strlen (dest)` will be equal to one, and not zero as the programmer might think. Making a call of this type may result in a zero byte being written just outside the `dest` buffer.
- * @kind problem
- * @id cpp/access-memory-location-after-end-buffer-strncat
- * @problem.severity warning
- * @precision medium
- * @tags correctness
- *       security
- *       external/cwe/cwe-788
- */
-
-import cpp
-import semmle.code.cpp.models.implementations.Strcat
-import semmle.code.cpp.valuenumbering.GlobalValueNumbering
-
-/**
- * Holds if `call` is a call to `strncat` such that `sizeArg` and `destArg` are the size and
- * destination arguments, respectively.
- */
-predicate interestringCallWithArgs(Call call, Expr sizeArg, Expr destArg) {
-  exists(StrcatFunction strcat |
-    strcat = call.getTarget() and
-    sizeArg = call.getArgument(strcat.getParamSize()) and
-    destArg = call.getArgument(strcat.getParamDest())
-  )
-}
-
-from FunctionCall call, Expr sizeArg, Expr destArg, SubExpr sub, int n
-where
-  interestringCallWithArgs(call, sizeArg, destArg) and
-  // The destination buffer is an array of size n
-  destArg.getUnspecifiedType().(ArrayType).getSize() = n and
-  // The size argument is equivalent to a subtraction
-  globalValueNumber(sizeArg).getAnExpr() = sub and
-  // ... where the left side of the subtraction is the constant n
-  globalValueNumber(sub.getLeftOperand()).getAnExpr().getValue().toInt() = n and
-  // ... and the right side of the subtraction is a call to `strlen` where the argument is the
-  // destination buffer.
-  globalValueNumber(sub.getRightOperand()).getAnExpr().(StrlenCall).getStringExpr() =
-    globalValueNumber(destArg).getAnExpr()
-select call, "Possible out-of-bounds write due to incorrect size argument."
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
index cd160a70638..75e40fb96b3 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
@@ -1,9 +1,9 @@
-| test.c:54:3:54:24 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:55:3:55:40 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:56:3:56:44 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:57:3:57:44 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:58:3:58:48 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:59:3:59:48 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:60:3:60:52 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:61:3:61:50 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:62:3:62:54 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:16:3:16:24 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:17:3:17:40 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:18:3:18:44 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:19:3:19:44 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:20:3:20:48 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:21:3:21:48 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:22:3:22:52 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:23:3:23:50 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:24:3:24:54 | ... = ... | potential unsafe or redundant assignment. |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.expected b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.expected
deleted file mode 100644
index 3e9791e1024..00000000000
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.expected
+++ /dev/null
@@ -1,5 +0,0 @@
-| test.c:8:3:8:9 | call to strncat | Possible out-of-bounds write due to incorrect size argument. |
-| test.c:9:3:9:9 | call to strncat | Possible out-of-bounds write due to incorrect size argument. |
-| test.c:17:3:17:9 | call to strncat | Possible out-of-bounds write due to incorrect size argument. |
-| test.c:18:3:18:9 | call to strncat | Possible out-of-bounds write due to incorrect size argument. |
-| test.c:46:3:46:9 | call to strncat | Possible out-of-bounds write due to incorrect size argument. |
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.qlref b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.qlref
deleted file mode 100644
index 8fd8b1b3217..00000000000
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.qlref
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
index 6d310875630..a204aa4db29 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
@@ -2,50 +2,12 @@ char * strncat(char*, const char*, unsigned);
 unsigned strlen(const char*);
 void* malloc(unsigned);
 
-void strncat_test1(char *s) {
-  char buf[80];
-  strncat(buf, s, sizeof(buf) - strlen(buf) - 1); // GOOD
-  strncat(buf, s, sizeof(buf) - strlen(buf));  // BAD
-  strncat(buf, "fix", sizeof(buf)-strlen(buf)); // BAD
-}
-
-#define MAX_SIZE 80
-
-void strncat_test2(char *s) {
-  char buf[MAX_SIZE];
-  strncat(buf, s, MAX_SIZE - strlen(buf) - 1); // GOOD
-  strncat(buf, s, MAX_SIZE - strlen(buf));  // BAD
-  strncat(buf, "fix", MAX_SIZE - strlen(buf)); // BAD
-}
-
-void strncat_test3(char *s) {
-  int len = 80;
-  char* buf = (char *) malloc(len);
-  strncat(buf, s, len - strlen(buf) - 1); // GOOD
-  strncat(buf, s, len - strlen(buf));  // BAD [NOT DETECTED]
-  strncat(buf, "fix", len - strlen(buf)); // BAD [NOT DETECTED]
-}
-
-void strncat_test4(char *s) {
-  int len = 80;
-  char* buf = (char *) malloc(len + 1);
-  strncat(buf, s, len - strlen(buf) - 1); // GOOD
-  strncat(buf, s, len - strlen(buf)); // GOOD
-}
-
 struct buffers
 {
     unsigned char array[50];
     unsigned char *pointer;
 } globalBuff1,*globalBuff2,globalBuff1_c,*globalBuff2_c;
 
-void strncat_test5(char* s, struct buffers* buffers) {
-  unsigned len_array = strlen(buffers->array);
-  unsigned max_size = sizeof(buffers->array);
-  unsigned free_size = max_size - len_array;
-  strncat(buffers->array, s, free_size); // BAD
-}
-
 void strlen_test1(){
   unsigned char buff1[12];
   struct buffers buffAll;

From 6e34784fc5b919b6f0bbe8d73242325e0cbe35bf Mon Sep 17 00:00:00 2001
From: Max Schaefer <max-schaefer@github.com>
Date: Fri, 21 May 2021 09:54:41 +0100
Subject: [PATCH 1137/1429] Add new experimental query
 `MultipleArgumentsToSetConstructor`.

---
 .../MultipleArgumentsToSetConstructor.qhelp   | 43 +++++++++++++++++++
 .../MultipleArgumentsToSetConstructor.ql      | 22 ++++++++++
 .../MultipleArgumentsToSetConstructorBad.js   |  5 +++
 .../MultipleArgumentsToSetConstructorGood.js  |  5 +++
 ...MultipleArgumentsToSetConstructor.expected |  6 +++
 .../MultipleArgumentsToSetConstructor.qlref   |  1 +
 .../MultipleArgumentsToSetConstructorBad.js   |  5 +++
 .../MultipleArgumentsToSetConstructorGood.js  |  5 +++
 .../MultipleArgumentsToSetConstructor/tst.js  |  6 +++
 9 files changed, 98 insertions(+)
 create mode 100644 javascript/ql/src/experimental/StandardLibrary/MultipleArgumentsToSetConstructor.qhelp
 create mode 100644 javascript/ql/src/experimental/StandardLibrary/MultipleArgumentsToSetConstructor.ql
 create mode 100644 javascript/ql/src/experimental/StandardLibrary/examples/MultipleArgumentsToSetConstructorBad.js
 create mode 100644 javascript/ql/src/experimental/StandardLibrary/examples/MultipleArgumentsToSetConstructorGood.js
 create mode 100644 javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructor.expected
 create mode 100644 javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructor.qlref
 create mode 100644 javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructorBad.js
 create mode 100644 javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructorGood.js
 create mode 100644 javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/tst.js

diff --git a/javascript/ql/src/experimental/StandardLibrary/MultipleArgumentsToSetConstructor.qhelp b/javascript/ql/src/experimental/StandardLibrary/MultipleArgumentsToSetConstructor.qhelp
new file mode 100644
index 00000000000..22890d6c3cf
--- /dev/null
+++ b/javascript/ql/src/experimental/StandardLibrary/MultipleArgumentsToSetConstructor.qhelp
@@ -0,0 +1,43 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+The <code>Set</code> constructor accepts an arbitrary number of arguments, but only the first one
+is used to construct the set. The remaining arguments are ignored.
+Code that invokes the <code>Set</code> constructor with multiple arguments is therefore likely to
+be incorrect.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Only pass a single argument to the <code>Set</code> constructor, which should be an iterable object
+(such as an array).
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example creates a set containing the vowels in the English language, and defines
+a function that returns a boolean indicating whether a given character is a vowel:
+</p>
+<sample src="examples/MultipleArgumentsToSetConstructorBad.js"/>
+
+<p>
+However, this code does not work as intended: the <code>Set</code> constructor ignores all but
+the first argument, so the <code>vowels</code> set only contains the letter <code>a</code>.
+</p>
+
+<p>
+Instead, the list of vowels should be wrapped into an array:
+</p>
+<sample src="examples/MultipleArgumentsToSetConstructorGood.js"/>
+</example>
+
+<references>
+<li><a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Set/Set">MDN Web Docs: Set() constructor</a></li>
+</references>
+</qhelp>
diff --git a/javascript/ql/src/experimental/StandardLibrary/MultipleArgumentsToSetConstructor.ql b/javascript/ql/src/experimental/StandardLibrary/MultipleArgumentsToSetConstructor.ql
new file mode 100644
index 00000000000..6ee75dce7a6
--- /dev/null
+++ b/javascript/ql/src/experimental/StandardLibrary/MultipleArgumentsToSetConstructor.ql
@@ -0,0 +1,22 @@
+/**
+ * @name Multiple arguments to `Set` constructor
+ * @description The `Set` constructor ignores all but the first argument, so passing multiple
+ *              arguments may indicate a mistake.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id js/multiple-arguments-to-set-constructor
+ * @tags correctness
+ */
+
+import javascript
+
+from DataFlow::NewNode newSet, DataFlow::Node ignoredArg
+where
+  newSet = DataFlow::globalVarRef("Set").getAnInstantiation() and
+  (
+    ignoredArg = newSet.getArgument(any(int n | n > 0))
+    or
+    ignoredArg = newSet.getASpreadArgument()
+  )
+select ignoredArg, "All but the first argument to the Set constructor are ignored."
diff --git a/javascript/ql/src/experimental/StandardLibrary/examples/MultipleArgumentsToSetConstructorBad.js b/javascript/ql/src/experimental/StandardLibrary/examples/MultipleArgumentsToSetConstructorBad.js
new file mode 100644
index 00000000000..4bce4b54c1b
--- /dev/null
+++ b/javascript/ql/src/experimental/StandardLibrary/examples/MultipleArgumentsToSetConstructorBad.js
@@ -0,0 +1,5 @@
+const vowels = new Set('a', 'e', 'i', 'o', 'u');
+
+function isVowel(char) {
+  return vowels.has(char.toLowerCase());
+}
diff --git a/javascript/ql/src/experimental/StandardLibrary/examples/MultipleArgumentsToSetConstructorGood.js b/javascript/ql/src/experimental/StandardLibrary/examples/MultipleArgumentsToSetConstructorGood.js
new file mode 100644
index 00000000000..36ab0f01c1d
--- /dev/null
+++ b/javascript/ql/src/experimental/StandardLibrary/examples/MultipleArgumentsToSetConstructorGood.js
@@ -0,0 +1,5 @@
+const vowels = new Set(['a', 'e', 'i', 'o', 'u']);
+
+function isVowel(char) {
+  return vowels.has(char.toLowerCase());
+}
diff --git a/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructor.expected b/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructor.expected
new file mode 100644
index 00000000000..43a25330e40
--- /dev/null
+++ b/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructor.expected
@@ -0,0 +1,6 @@
+| MultipleArgumentsToSetConstructorBad.js:1:29:1:31 | 'e' | All but the first argument to the Set constructor are ignored. |
+| MultipleArgumentsToSetConstructorBad.js:1:34:1:36 | 'i' | All but the first argument to the Set constructor are ignored. |
+| MultipleArgumentsToSetConstructorBad.js:1:39:1:41 | 'o' | All but the first argument to the Set constructor are ignored. |
+| MultipleArgumentsToSetConstructorBad.js:1:44:1:46 | 'u' | All but the first argument to the Set constructor are ignored. |
+| tst.js:3:12:3:13 | xs | All but the first argument to the Set constructor are ignored. |
+| tst.js:3:19:3:20 | ys | All but the first argument to the Set constructor are ignored. |
diff --git a/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructor.qlref b/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructor.qlref
new file mode 100644
index 00000000000..3cba54a3a0c
--- /dev/null
+++ b/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructor.qlref
@@ -0,0 +1 @@
+experimental/StandardLibrary/MultipleArgumentsToSetConstructor.ql
diff --git a/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructorBad.js b/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructorBad.js
new file mode 100644
index 00000000000..4bce4b54c1b
--- /dev/null
+++ b/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructorBad.js
@@ -0,0 +1,5 @@
+const vowels = new Set('a', 'e', 'i', 'o', 'u');
+
+function isVowel(char) {
+  return vowels.has(char.toLowerCase());
+}
diff --git a/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructorGood.js b/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructorGood.js
new file mode 100644
index 00000000000..36ab0f01c1d
--- /dev/null
+++ b/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/MultipleArgumentsToSetConstructorGood.js
@@ -0,0 +1,5 @@
+const vowels = new Set(['a', 'e', 'i', 'o', 'u']);
+
+function isVowel(char) {
+  return vowels.has(char.toLowerCase());
+}
diff --git a/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/tst.js b/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/tst.js
new file mode 100644
index 00000000000..7f43ae5f966
--- /dev/null
+++ b/javascript/ql/test/experimental/StandardLibrary/MultipleArgumentsToSetConstructor/tst.js
@@ -0,0 +1,6 @@
+let xs = [1, 2, 3];
+let ys = [4, 5, 6];
+new Set(...xs, ...ys); // NOT OK
+new Set([...xs, ...ys]); // OK
+new Set(xs); // OK
+new Set(); // OK
\ No newline at end of file

From 84b0b8c2bdfb9c029b526856f953bdbbf8a466d8 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 21 May 2021 10:57:23 +0200
Subject: [PATCH 1138/1429] C++: Add change-note.

---
 cpp/change-notes/2021-05-21-unsafe-strncat.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 cpp/change-notes/2021-05-21-unsafe-strncat.md

diff --git a/cpp/change-notes/2021-05-21-unsafe-strncat.md b/cpp/change-notes/2021-05-21-unsafe-strncat.md
new file mode 100644
index 00000000000..135b5278df4
--- /dev/null
+++ b/cpp/change-notes/2021-05-21-unsafe-strncat.md
@@ -0,0 +1,2 @@
+lgtm
+* The "Potentially unsafe call to strncat" query (cpp/unsafe-strncat) query has been improved to detect more cases of unsafe calls to `strncat`.

From 3662ec4c83c07ff74055d91e99f67fe2db3480c1 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 21 May 2021 11:12:19 +0200
Subject: [PATCH 1139/1429] C++: Credit the original query author in
 change-note.

---
 .../2021-05-20-incorrect-allocation-error-handling.md           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/change-notes/2021-05-20-incorrect-allocation-error-handling.md b/cpp/change-notes/2021-05-20-incorrect-allocation-error-handling.md
index 8ad67264528..f00856ed711 100644
--- a/cpp/change-notes/2021-05-20-incorrect-allocation-error-handling.md
+++ b/cpp/change-notes/2021-05-20-incorrect-allocation-error-handling.md
@@ -1,2 +1,2 @@
 lgtm
-* A new query (`cpp/incorrect-allocation-error-handling`) has been added. The query finds incorrect error-handling of calls to `operator new`.
+* A new query (`cpp/incorrect-allocation-error-handling`) has been added. The query finds incorrect error-handling of calls to `operator new`. This query was originally [submitted as an experimental query by @ihsinme](https://github.com/github/codeql/pull/5010).

From d00618f4f4776180fc43d2b0fc80330990a5d8b8 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Fri, 21 May 2021 14:56:47 +0200
Subject: [PATCH 1140/1429] Java: Improve performance of virtual dispatch
 calculation.

---
 .../dataflow/internal/DataFlowDispatch.qll    |  2 +-
 .../code/java/dispatch/VirtualDispatch.qll    | 19 +++++++++++--------
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowDispatch.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
index 3a98ed62847..2b6179bfc96 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
@@ -106,7 +106,7 @@ private module DispatchImpl {
       mayBenefitFromCallContext(ma, c, i) and
       c = viableCallable(ctx) and
       contextArgHasType(ctx, i, t, exact) and
-      ma.getMethod() = def
+      ma.getMethod().getSourceDeclaration() = def
     |
       exact = true and result = VirtualDispatch::exactMethodImpl(def, t.getSourceDeclaration())
       or
diff --git a/java/ql/src/semmle/code/java/dispatch/VirtualDispatch.qll b/java/ql/src/semmle/code/java/dispatch/VirtualDispatch.qll
index bb6884ced06..46c29c386b2 100644
--- a/java/ql/src/semmle/code/java/dispatch/VirtualDispatch.qll
+++ b/java/ql/src/semmle/code/java/dispatch/VirtualDispatch.qll
@@ -39,9 +39,12 @@ Callable viableCallable(Call c) {
   c instanceof ConstructorCall and result = c.getCallee().getSourceDeclaration()
 }
 
-/** A method that is the target of a call. */
-class CalledMethod extends Method {
-  CalledMethod() { exists(MethodAccess ma | ma.getMethod() = this) }
+/** The source declaration of a method that is the target of a virtual call. */
+class VirtCalledSrcMethod extends SrcMethod {
+  pragma[nomagic]
+  VirtCalledSrcMethod() {
+    exists(VirtualMethodAccess ma | ma.getMethod().getSourceDeclaration() = this)
+  }
 }
 
 cached
@@ -185,8 +188,8 @@ private module Dispatch {
     not result.isAbstract() and
     if source instanceof VirtualMethodAccess
     then
-      exists(CalledMethod def, RefType t, boolean exact |
-        source.getMethod() = def and
+      exists(VirtCalledSrcMethod def, RefType t, boolean exact |
+        source.getMethod().getSourceDeclaration() = def and
         hasQualifierType(source, t, exact)
       |
         exact = true and result = exactMethodImpl(def, t.getSourceDeclaration())
@@ -301,14 +304,14 @@ private module Dispatch {
 
   /** Gets the implementation of `top` present on a value of precisely type `t`. */
   cached
-  Method exactMethodImpl(CalledMethod top, SrcRefType t) {
+  Method exactMethodImpl(VirtCalledSrcMethod top, SrcRefType t) {
     hasSrcMethod(t, result) and
-    top.getAPossibleImplementation() = result
+    top.getAPossibleImplementationOfSrcMethod() = result
   }
 
   /** Gets the implementations of `top` present on viable subtypes of `t`. */
   cached
-  Method viableMethodImpl(CalledMethod top, SrcRefType tsrc, RefType t) {
+  Method viableMethodImpl(VirtCalledSrcMethod top, SrcRefType tsrc, RefType t) {
     exists(SrcRefType sub |
       result = exactMethodImpl(top, sub) and
       tsrc = t.getSourceDeclaration() and

From 9e9678b3ca7c2f84cd1b0941cf8deb8e72a88193 Mon Sep 17 00:00:00 2001
From: Jorge <46056498+jorgectf@users.noreply.github.com>
Date: Fri, 21 May 2021 16:17:39 +0200
Subject: [PATCH 1141/1429] Apply documentation suggestions

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
---
 python/ql/src/experimental/semmle/python/frameworks/LDAP.qll | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/experimental/semmle/python/frameworks/LDAP.qll b/python/ql/src/experimental/semmle/python/frameworks/LDAP.qll
index 6c3e03cb267..2843a695b18 100644
--- a/python/ql/src/experimental/semmle/python/frameworks/LDAP.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/LDAP.qll
@@ -14,7 +14,7 @@ private import semmle.python.ApiGraphs
  */
 private module LDAP {
   /**
-   * Provides models for Python's `ldap` library.
+   * Provides models for the `python-ldap` PyPI package (imported as `ldap`).
    *
    * See https://www.python-ldap.org/en/python-ldap-3.3.0/index.html
    */
@@ -87,7 +87,7 @@ private module LDAP {
   }
 
   /**
-   * Provides models for Python's `ldap3` library.
+   * Provides models for the `ldap3` PyPI package
    *
    * See https://pypi.org/project/ldap3/
    */

From d086ba618f23ed3cfacbaebdbffb9be71723f2ce Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 21 May 2021 16:24:15 +0200
Subject: [PATCH 1142/1429] C++: Convert the yyyy-dd-mm change-notes to
 yyyy-mm-dd.

---
 ...t-overflow.md => 2021-04-26-more-sound-expr-might-overflow.md} | 0
 ...ith-wider-type.md => 2021-05-10-comparison-with-wider-type.md} | 0
 ...rolled-arithmetic.md => 2021-05-12-uncontrolled-arithmetic.md} | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
 rename cpp/change-notes/{2021-26-04-more-sound-expr-might-overflow.md => 2021-04-26-more-sound-expr-might-overflow.md} (100%)
 rename cpp/change-notes/{2021-10-05-comparison-with-wider-type.md => 2021-05-10-comparison-with-wider-type.md} (100%)
 rename cpp/change-notes/{2021-12-05-uncontrolled-arithmetic.md => 2021-05-12-uncontrolled-arithmetic.md} (100%)

diff --git a/cpp/change-notes/2021-26-04-more-sound-expr-might-overflow.md b/cpp/change-notes/2021-04-26-more-sound-expr-might-overflow.md
similarity index 100%
rename from cpp/change-notes/2021-26-04-more-sound-expr-might-overflow.md
rename to cpp/change-notes/2021-04-26-more-sound-expr-might-overflow.md
diff --git a/cpp/change-notes/2021-10-05-comparison-with-wider-type.md b/cpp/change-notes/2021-05-10-comparison-with-wider-type.md
similarity index 100%
rename from cpp/change-notes/2021-10-05-comparison-with-wider-type.md
rename to cpp/change-notes/2021-05-10-comparison-with-wider-type.md
diff --git a/cpp/change-notes/2021-12-05-uncontrolled-arithmetic.md b/cpp/change-notes/2021-05-12-uncontrolled-arithmetic.md
similarity index 100%
rename from cpp/change-notes/2021-12-05-uncontrolled-arithmetic.md
rename to cpp/change-notes/2021-05-12-uncontrolled-arithmetic.md

From 6f50b1233344fc49e8012246bffa4789f09dd2d0 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Fri, 21 May 2021 17:16:09 +0200
Subject: [PATCH 1143/1429] Python: Fix QLDoc for Werkzeug

---
 python/ql/src/semmle/python/frameworks/Werkzeug.qll | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/frameworks/Werkzeug.qll b/python/ql/src/semmle/python/frameworks/Werkzeug.qll
index 63b8067b266..9fa3461a048 100644
--- a/python/ql/src/semmle/python/frameworks/Werkzeug.qll
+++ b/python/ql/src/semmle/python/frameworks/Werkzeug.qll
@@ -1,5 +1,8 @@
 /**
- * Provides classes modeling security-relevant aspects of the `flask` package.
+ * Provides classes modeling security-relevant aspects of the `Werkzeug` PyPI package.
+ * See
+ * - https://pypi.org/project/Werkzeug/
+ * - https://werkzeug.palletsprojects.com/en/1.0.x/#werkzeug
  */
 
 private import python

From 71a93ad311e6ea49ceecd1187ddb502d42021df3 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Fri, 21 May 2021 17:17:23 +0200
Subject: [PATCH 1144/1429] Python: Fix QLDoc for PyYAML to follow convention

---
 python/ql/src/semmle/python/frameworks/Yaml.qll | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Yaml.qll b/python/ql/src/semmle/python/frameworks/Yaml.qll
index f7ac0a9fda7..e818b2e95ec 100644
--- a/python/ql/src/semmle/python/frameworks/Yaml.qll
+++ b/python/ql/src/semmle/python/frameworks/Yaml.qll
@@ -1,6 +1,6 @@
 /**
- * Provides classes modeling security-relevant aspects of the PyYAML package (obtained
- * via `import yaml`)
+ * Provides classes modeling security-relevant aspects of the `PyYAML` PyPI package
+ * (imported as `yaml`)
  *
  * See
  * - https://pyyaml.org/wiki/PyYAMLDocumentation
@@ -14,8 +14,8 @@ private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 
 /**
- * Provides classes modeling security-relevant aspects of the PyYAML package (obtained
- * via `import yaml`)
+ * Provides classes modeling security-relevant aspects of the `PyYAML` PyPI package
+ * (imported as `yaml`)
  *
  * See
  * - https://pyyaml.org/wiki/PyYAMLDocumentation

From 37d6ff76a38433cd5c05bd39eec3cce086c3ec22 Mon Sep 17 00:00:00 2001
From: jorgectf <jorgectf@protonmail.com>
Date: Fri, 21 May 2021 17:47:53 +0200
Subject: [PATCH 1145/1429] Update tests and .expected

---
 .../Security/CWE-090/examples/example_bad1.py |  11 +-
 .../Security/CWE-090/examples/example_bad2.py |  13 +-
 .../CWE-090/examples/example_good1.py         |  13 +-
 .../CWE-090/examples/example_good2.py         |  15 +-
 .../Security/CWE-090/LDAPInjection.expected   | 190 +++++++++---------
 .../query-tests/Security/CWE-090/ldap3_bad.py |  26 ++-
 .../Security/CWE-090/ldap3_good.py            |  30 +--
 .../query-tests/Security/CWE-090/ldap_bad.py  |  33 +--
 .../query-tests/Security/CWE-090/ldap_good.py |  39 ++--
 9 files changed, 206 insertions(+), 164 deletions(-)

diff --git a/python/ql/src/experimental/Security/CWE-090/examples/example_bad1.py b/python/ql/src/experimental/Security/CWE-090/examples/example_bad1.py
index 4a1f86fd981..580f2aea555 100644
--- a/python/ql/src/experimental/Security/CWE-090/examples/example_bad1.py
+++ b/python/ql/src/experimental/Security/CWE-090/examples/example_bad1.py
@@ -4,9 +4,12 @@ import ldap
 
 @app.route("/normal")
 def normal():
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    dn = "dc={}".format(unsafe_dc)
+    search_filter = "(user={})".format(unsafe_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1")
     user = ldap_connection.search_s(
-        unsafe_dn, ldap.SCOPE_SUBTREE, unsafe_filter)
+        dn, ldap.SCOPE_SUBTREE, search_filter)
diff --git a/python/ql/src/experimental/Security/CWE-090/examples/example_bad2.py b/python/ql/src/experimental/Security/CWE-090/examples/example_bad2.py
index 87cb4a65b8b..5f43236e5c5 100644
--- a/python/ql/src/experimental/Security/CWE-090/examples/example_bad2.py
+++ b/python/ql/src/experimental/Security/CWE-090/examples/example_bad2.py
@@ -4,9 +4,12 @@ import ldap3
 
 @app.route("/normal")
 def normal():
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True)
-    conn.search(unsafe_dn, unsafe_filter)
+    dn = "dc={}".format(unsafe_dc)
+    search_filter = "(user={})".format(unsafe_filter)
+
+    srv = ldap3.Server('ldap://127.0.0.1')
+    conn = ldap3.Connection(srv, user=dn, auto_bind=True)
+    conn.search(dn, search_filter)
diff --git a/python/ql/src/experimental/Security/CWE-090/examples/example_good1.py b/python/ql/src/experimental/Security/CWE-090/examples/example_good1.py
index ad9e9fe84f5..4bf73839c44 100644
--- a/python/ql/src/experimental/Security/CWE-090/examples/example_good1.py
+++ b/python/ql/src/experimental/Security/CWE-090/examples/example_good1.py
@@ -6,12 +6,15 @@ import ldap.dn
 
 @app.route("/normal")
 def normal():
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
+    safe_dc = ldap.dn.escape_dn_chars(unsafe_dc)
     safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
 
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    dn = "dc={}".format(safe_dc)
+    search_filter = "(user={})".format(safe_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1")
     user = ldap_connection.search_s(
-        safe_dn, ldap.SCOPE_SUBTREE, safe_filter)
+        dn, ldap.SCOPE_SUBTREE, search_filter)
diff --git a/python/ql/src/experimental/Security/CWE-090/examples/example_good2.py b/python/ql/src/experimental/Security/CWE-090/examples/example_good2.py
index c86db178040..dced25873e8 100644
--- a/python/ql/src/experimental/Security/CWE-090/examples/example_good2.py
+++ b/python/ql/src/experimental/Security/CWE-090/examples/example_good2.py
@@ -6,12 +6,15 @@ from ldap3.utils.conv import escape_filter_chars
 
 @app.route("/normal")
 def normal():
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    safe_dn = escape_rdn(unsafe_dn)
+    safe_dc = escape_rdn(unsafe_dc)
     safe_filter = escape_filter_chars(unsafe_filter)
 
-    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=safe_dn, auto_bind=True)
-    conn.search(safe_dn, safe_filter)
+    dn = "dc={}".format(safe_dc)
+    search_filter = "(user={})".format(safe_filter)
+
+    srv = ldap3.Server('ldap://127.0.0.1')
+    conn = ldap3.Connection(srv, user=dn, auto_bind=True)
+    conn.search(dn, search_filter)
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-090/LDAPInjection.expected b/python/ql/test/experimental/query-tests/Security/CWE-090/LDAPInjection.expected
index 07f46fbecdc..403cc05c30e 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-090/LDAPInjection.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-090/LDAPInjection.expected
@@ -1,98 +1,98 @@
 edges
-| ldap3_bad.py:13:27:13:33 | ControlFlowNode for request | ldap3_bad.py:13:27:13:38 | ControlFlowNode for Attribute |
-| ldap3_bad.py:13:27:13:33 | ControlFlowNode for request | ldap3_bad.py:14:35:14:41 | ControlFlowNode for request |
-| ldap3_bad.py:13:27:13:33 | ControlFlowNode for request | ldap3_bad.py:14:35:14:46 | ControlFlowNode for Attribute |
-| ldap3_bad.py:13:27:13:38 | ControlFlowNode for Attribute | ldap3_bad.py:13:27:13:44 | ControlFlowNode for Subscript |
-| ldap3_bad.py:13:27:13:44 | ControlFlowNode for Subscript | ldap3_bad.py:18:17:18:25 | ControlFlowNode for unsafe_dn |
-| ldap3_bad.py:14:35:14:41 | ControlFlowNode for request | ldap3_bad.py:14:35:14:46 | ControlFlowNode for Attribute |
-| ldap3_bad.py:14:35:14:46 | ControlFlowNode for Attribute | ldap3_bad.py:14:35:14:58 | ControlFlowNode for Subscript |
-| ldap3_bad.py:14:35:14:58 | ControlFlowNode for Subscript | ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter |
-| ldap3_bad.py:27:27:27:33 | ControlFlowNode for request | ldap3_bad.py:27:27:27:38 | ControlFlowNode for Attribute |
-| ldap3_bad.py:27:27:27:33 | ControlFlowNode for request | ldap3_bad.py:28:35:28:41 | ControlFlowNode for request |
-| ldap3_bad.py:27:27:27:33 | ControlFlowNode for request | ldap3_bad.py:28:35:28:46 | ControlFlowNode for Attribute |
-| ldap3_bad.py:27:27:27:38 | ControlFlowNode for Attribute | ldap3_bad.py:27:27:27:44 | ControlFlowNode for Subscript |
-| ldap3_bad.py:27:27:27:44 | ControlFlowNode for Subscript | ldap3_bad.py:32:9:32:17 | ControlFlowNode for unsafe_dn |
-| ldap3_bad.py:28:35:28:41 | ControlFlowNode for request | ldap3_bad.py:28:35:28:46 | ControlFlowNode for Attribute |
-| ldap3_bad.py:28:35:28:46 | ControlFlowNode for Attribute | ldap3_bad.py:28:35:28:58 | ControlFlowNode for Subscript |
-| ldap3_bad.py:28:35:28:58 | ControlFlowNode for Subscript | ldap3_bad.py:32:20:32:32 | ControlFlowNode for unsafe_filter |
-| ldap_bad.py:13:27:13:33 | ControlFlowNode for request | ldap_bad.py:13:27:13:38 | ControlFlowNode for Attribute |
-| ldap_bad.py:13:27:13:33 | ControlFlowNode for request | ldap_bad.py:14:35:14:41 | ControlFlowNode for request |
-| ldap_bad.py:13:27:13:33 | ControlFlowNode for request | ldap_bad.py:14:35:14:46 | ControlFlowNode for Attribute |
-| ldap_bad.py:13:27:13:38 | ControlFlowNode for Attribute | ldap_bad.py:13:27:13:44 | ControlFlowNode for Subscript |
-| ldap_bad.py:13:27:13:44 | ControlFlowNode for Subscript | ldap_bad.py:18:9:18:17 | ControlFlowNode for unsafe_dn |
-| ldap_bad.py:14:35:14:41 | ControlFlowNode for request | ldap_bad.py:14:35:14:46 | ControlFlowNode for Attribute |
-| ldap_bad.py:14:35:14:46 | ControlFlowNode for Attribute | ldap_bad.py:14:35:14:58 | ControlFlowNode for Subscript |
-| ldap_bad.py:14:35:14:58 | ControlFlowNode for Subscript | ldap_bad.py:18:40:18:52 | ControlFlowNode for unsafe_filter |
-| ldap_bad.py:27:27:27:33 | ControlFlowNode for request | ldap_bad.py:27:27:27:38 | ControlFlowNode for Attribute |
-| ldap_bad.py:27:27:27:33 | ControlFlowNode for request | ldap_bad.py:28:35:28:41 | ControlFlowNode for request |
-| ldap_bad.py:27:27:27:33 | ControlFlowNode for request | ldap_bad.py:28:35:28:46 | ControlFlowNode for Attribute |
-| ldap_bad.py:27:27:27:38 | ControlFlowNode for Attribute | ldap_bad.py:27:27:27:44 | ControlFlowNode for Subscript |
-| ldap_bad.py:27:27:27:44 | ControlFlowNode for Subscript | ldap_bad.py:31:9:31:17 | ControlFlowNode for unsafe_dn |
-| ldap_bad.py:28:35:28:41 | ControlFlowNode for request | ldap_bad.py:28:35:28:46 | ControlFlowNode for Attribute |
-| ldap_bad.py:28:35:28:46 | ControlFlowNode for Attribute | ldap_bad.py:28:35:28:58 | ControlFlowNode for Subscript |
-| ldap_bad.py:28:35:28:58 | ControlFlowNode for Subscript | ldap_bad.py:31:40:31:52 | ControlFlowNode for unsafe_filter |
-| ldap_bad.py:41:27:41:33 | ControlFlowNode for request | ldap_bad.py:41:27:41:38 | ControlFlowNode for Attribute |
-| ldap_bad.py:41:27:41:33 | ControlFlowNode for request | ldap_bad.py:42:35:42:41 | ControlFlowNode for request |
-| ldap_bad.py:41:27:41:33 | ControlFlowNode for request | ldap_bad.py:42:35:42:46 | ControlFlowNode for Attribute |
-| ldap_bad.py:41:27:41:38 | ControlFlowNode for Attribute | ldap_bad.py:41:27:41:44 | ControlFlowNode for Subscript |
-| ldap_bad.py:41:27:41:44 | ControlFlowNode for Subscript | ldap_bad.py:46:9:46:17 | ControlFlowNode for unsafe_dn |
-| ldap_bad.py:42:35:42:41 | ControlFlowNode for request | ldap_bad.py:42:35:42:46 | ControlFlowNode for Attribute |
-| ldap_bad.py:42:35:42:46 | ControlFlowNode for Attribute | ldap_bad.py:42:35:42:58 | ControlFlowNode for Subscript |
-| ldap_bad.py:42:35:42:58 | ControlFlowNode for Subscript | ldap_bad.py:46:50:46:62 | ControlFlowNode for unsafe_filter |
+| ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | ldap3_bad.py:13:17:13:28 | ControlFlowNode for Attribute |
+| ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | ldap3_bad.py:14:21:14:27 | ControlFlowNode for request |
+| ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | ldap3_bad.py:14:21:14:32 | ControlFlowNode for Attribute |
+| ldap3_bad.py:13:17:13:28 | ControlFlowNode for Attribute | ldap3_bad.py:13:17:13:34 | ControlFlowNode for Subscript |
+| ldap3_bad.py:13:17:13:34 | ControlFlowNode for Subscript | ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn |
+| ldap3_bad.py:14:21:14:27 | ControlFlowNode for request | ldap3_bad.py:14:21:14:32 | ControlFlowNode for Attribute |
+| ldap3_bad.py:14:21:14:32 | ControlFlowNode for Attribute | ldap3_bad.py:14:21:14:44 | ControlFlowNode for Subscript |
+| ldap3_bad.py:14:21:14:44 | ControlFlowNode for Subscript | ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter |
+| ldap3_bad.py:30:17:30:23 | ControlFlowNode for request | ldap3_bad.py:30:17:30:28 | ControlFlowNode for Attribute |
+| ldap3_bad.py:30:17:30:23 | ControlFlowNode for request | ldap3_bad.py:31:21:31:27 | ControlFlowNode for request |
+| ldap3_bad.py:30:17:30:23 | ControlFlowNode for request | ldap3_bad.py:31:21:31:32 | ControlFlowNode for Attribute |
+| ldap3_bad.py:30:17:30:28 | ControlFlowNode for Attribute | ldap3_bad.py:30:17:30:34 | ControlFlowNode for Subscript |
+| ldap3_bad.py:30:17:30:34 | ControlFlowNode for Subscript | ldap3_bad.py:38:9:38:10 | ControlFlowNode for dn |
+| ldap3_bad.py:31:21:31:27 | ControlFlowNode for request | ldap3_bad.py:31:21:31:32 | ControlFlowNode for Attribute |
+| ldap3_bad.py:31:21:31:32 | ControlFlowNode for Attribute | ldap3_bad.py:31:21:31:44 | ControlFlowNode for Subscript |
+| ldap3_bad.py:31:21:31:44 | ControlFlowNode for Subscript | ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter |
+| ldap_bad.py:13:17:13:23 | ControlFlowNode for request | ldap_bad.py:13:17:13:28 | ControlFlowNode for Attribute |
+| ldap_bad.py:13:17:13:23 | ControlFlowNode for request | ldap_bad.py:14:21:14:27 | ControlFlowNode for request |
+| ldap_bad.py:13:17:13:23 | ControlFlowNode for request | ldap_bad.py:14:21:14:32 | ControlFlowNode for Attribute |
+| ldap_bad.py:13:17:13:28 | ControlFlowNode for Attribute | ldap_bad.py:13:17:13:34 | ControlFlowNode for Subscript |
+| ldap_bad.py:13:17:13:34 | ControlFlowNode for Subscript | ldap_bad.py:21:9:21:10 | ControlFlowNode for dn |
+| ldap_bad.py:14:21:14:27 | ControlFlowNode for request | ldap_bad.py:14:21:14:32 | ControlFlowNode for Attribute |
+| ldap_bad.py:14:21:14:32 | ControlFlowNode for Attribute | ldap_bad.py:14:21:14:44 | ControlFlowNode for Subscript |
+| ldap_bad.py:14:21:14:44 | ControlFlowNode for Subscript | ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter |
+| ldap_bad.py:30:17:30:23 | ControlFlowNode for request | ldap_bad.py:30:17:30:28 | ControlFlowNode for Attribute |
+| ldap_bad.py:30:17:30:23 | ControlFlowNode for request | ldap_bad.py:31:21:31:27 | ControlFlowNode for request |
+| ldap_bad.py:30:17:30:23 | ControlFlowNode for request | ldap_bad.py:31:21:31:32 | ControlFlowNode for Attribute |
+| ldap_bad.py:30:17:30:28 | ControlFlowNode for Attribute | ldap_bad.py:30:17:30:34 | ControlFlowNode for Subscript |
+| ldap_bad.py:30:17:30:34 | ControlFlowNode for Subscript | ldap_bad.py:37:9:37:10 | ControlFlowNode for dn |
+| ldap_bad.py:31:21:31:27 | ControlFlowNode for request | ldap_bad.py:31:21:31:32 | ControlFlowNode for Attribute |
+| ldap_bad.py:31:21:31:32 | ControlFlowNode for Attribute | ldap_bad.py:31:21:31:44 | ControlFlowNode for Subscript |
+| ldap_bad.py:31:21:31:44 | ControlFlowNode for Subscript | ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter |
+| ldap_bad.py:47:17:47:23 | ControlFlowNode for request | ldap_bad.py:47:17:47:28 | ControlFlowNode for Attribute |
+| ldap_bad.py:47:17:47:23 | ControlFlowNode for request | ldap_bad.py:48:21:48:27 | ControlFlowNode for request |
+| ldap_bad.py:47:17:47:23 | ControlFlowNode for request | ldap_bad.py:48:21:48:32 | ControlFlowNode for Attribute |
+| ldap_bad.py:47:17:47:28 | ControlFlowNode for Attribute | ldap_bad.py:47:17:47:34 | ControlFlowNode for Subscript |
+| ldap_bad.py:47:17:47:34 | ControlFlowNode for Subscript | ldap_bad.py:55:9:55:10 | ControlFlowNode for dn |
+| ldap_bad.py:48:21:48:27 | ControlFlowNode for request | ldap_bad.py:48:21:48:32 | ControlFlowNode for Attribute |
+| ldap_bad.py:48:21:48:32 | ControlFlowNode for Attribute | ldap_bad.py:48:21:48:44 | ControlFlowNode for Subscript |
+| ldap_bad.py:48:21:48:44 | ControlFlowNode for Subscript | ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter |
 nodes
-| ldap3_bad.py:13:27:13:33 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| ldap3_bad.py:13:27:13:38 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| ldap3_bad.py:13:27:13:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
-| ldap3_bad.py:14:35:14:41 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| ldap3_bad.py:14:35:14:46 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| ldap3_bad.py:14:35:14:58 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
-| ldap3_bad.py:18:17:18:25 | ControlFlowNode for unsafe_dn | semmle.label | ControlFlowNode for unsafe_dn |
-| ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | semmle.label | ControlFlowNode for unsafe_filter |
-| ldap3_bad.py:27:27:27:33 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| ldap3_bad.py:27:27:27:38 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| ldap3_bad.py:27:27:27:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
-| ldap3_bad.py:28:35:28:41 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| ldap3_bad.py:28:35:28:46 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| ldap3_bad.py:28:35:28:58 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
-| ldap3_bad.py:32:9:32:17 | ControlFlowNode for unsafe_dn | semmle.label | ControlFlowNode for unsafe_dn |
-| ldap3_bad.py:32:20:32:32 | ControlFlowNode for unsafe_filter | semmle.label | ControlFlowNode for unsafe_filter |
-| ldap_bad.py:13:27:13:33 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| ldap_bad.py:13:27:13:38 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| ldap_bad.py:13:27:13:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
-| ldap_bad.py:14:35:14:41 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| ldap_bad.py:14:35:14:46 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| ldap_bad.py:14:35:14:58 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
-| ldap_bad.py:18:9:18:17 | ControlFlowNode for unsafe_dn | semmle.label | ControlFlowNode for unsafe_dn |
-| ldap_bad.py:18:40:18:52 | ControlFlowNode for unsafe_filter | semmle.label | ControlFlowNode for unsafe_filter |
-| ldap_bad.py:27:27:27:33 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| ldap_bad.py:27:27:27:38 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| ldap_bad.py:27:27:27:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
-| ldap_bad.py:28:35:28:41 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| ldap_bad.py:28:35:28:46 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| ldap_bad.py:28:35:28:58 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
-| ldap_bad.py:31:9:31:17 | ControlFlowNode for unsafe_dn | semmle.label | ControlFlowNode for unsafe_dn |
-| ldap_bad.py:31:40:31:52 | ControlFlowNode for unsafe_filter | semmle.label | ControlFlowNode for unsafe_filter |
-| ldap_bad.py:41:27:41:33 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| ldap_bad.py:41:27:41:38 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| ldap_bad.py:41:27:41:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
-| ldap_bad.py:42:35:42:41 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| ldap_bad.py:42:35:42:46 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| ldap_bad.py:42:35:42:58 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
-| ldap_bad.py:46:9:46:17 | ControlFlowNode for unsafe_dn | semmle.label | ControlFlowNode for unsafe_dn |
-| ldap_bad.py:46:50:46:62 | ControlFlowNode for unsafe_filter | semmle.label | ControlFlowNode for unsafe_filter |
+| ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap3_bad.py:13:17:13:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap3_bad.py:13:17:13:34 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap3_bad.py:14:21:14:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap3_bad.py:14:21:14:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap3_bad.py:14:21:14:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn |
+| ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter |
+| ldap3_bad.py:30:17:30:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap3_bad.py:30:17:30:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap3_bad.py:30:17:30:34 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap3_bad.py:31:21:31:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap3_bad.py:31:21:31:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap3_bad.py:31:21:31:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap3_bad.py:38:9:38:10 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn |
+| ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter |
+| ldap_bad.py:13:17:13:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap_bad.py:13:17:13:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap_bad.py:13:17:13:34 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap_bad.py:14:21:14:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap_bad.py:14:21:14:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap_bad.py:14:21:14:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap_bad.py:21:9:21:10 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn |
+| ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter |
+| ldap_bad.py:30:17:30:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap_bad.py:30:17:30:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap_bad.py:30:17:30:34 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap_bad.py:31:21:31:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap_bad.py:31:21:31:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap_bad.py:31:21:31:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap_bad.py:37:9:37:10 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn |
+| ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter |
+| ldap_bad.py:47:17:47:23 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap_bad.py:47:17:47:28 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap_bad.py:47:17:47:34 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap_bad.py:48:21:48:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| ldap_bad.py:48:21:48:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| ldap_bad.py:48:21:48:44 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| ldap_bad.py:55:9:55:10 | ControlFlowNode for dn | semmle.label | ControlFlowNode for dn |
+| ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | semmle.label | ControlFlowNode for search_filter |
 #select
-| ldap3_bad.py:18:17:18:25 | ControlFlowNode for unsafe_dn | ldap3_bad.py:13:27:13:33 | ControlFlowNode for request | ldap3_bad.py:18:17:18:25 | ControlFlowNode for unsafe_dn | $@ LDAP query parameter comes from $@. | ldap3_bad.py:18:17:18:25 | ControlFlowNode for unsafe_dn | This | ldap3_bad.py:13:27:13:33 | ControlFlowNode for request | a user-provided value |
-| ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | ldap3_bad.py:13:27:13:33 | ControlFlowNode for request | ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | This | ldap3_bad.py:13:27:13:33 | ControlFlowNode for request | a user-provided value |
-| ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | ldap3_bad.py:14:35:14:41 | ControlFlowNode for request | ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap3_bad.py:18:28:18:40 | ControlFlowNode for unsafe_filter | This | ldap3_bad.py:14:35:14:41 | ControlFlowNode for request | a user-provided value |
-| ldap3_bad.py:32:9:32:17 | ControlFlowNode for unsafe_dn | ldap3_bad.py:27:27:27:33 | ControlFlowNode for request | ldap3_bad.py:32:9:32:17 | ControlFlowNode for unsafe_dn | $@ LDAP query parameter comes from $@. | ldap3_bad.py:32:9:32:17 | ControlFlowNode for unsafe_dn | This | ldap3_bad.py:27:27:27:33 | ControlFlowNode for request | a user-provided value |
-| ldap3_bad.py:32:20:32:32 | ControlFlowNode for unsafe_filter | ldap3_bad.py:27:27:27:33 | ControlFlowNode for request | ldap3_bad.py:32:20:32:32 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap3_bad.py:32:20:32:32 | ControlFlowNode for unsafe_filter | This | ldap3_bad.py:27:27:27:33 | ControlFlowNode for request | a user-provided value |
-| ldap3_bad.py:32:20:32:32 | ControlFlowNode for unsafe_filter | ldap3_bad.py:28:35:28:41 | ControlFlowNode for request | ldap3_bad.py:32:20:32:32 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap3_bad.py:32:20:32:32 | ControlFlowNode for unsafe_filter | This | ldap3_bad.py:28:35:28:41 | ControlFlowNode for request | a user-provided value |
-| ldap_bad.py:18:9:18:17 | ControlFlowNode for unsafe_dn | ldap_bad.py:13:27:13:33 | ControlFlowNode for request | ldap_bad.py:18:9:18:17 | ControlFlowNode for unsafe_dn | $@ LDAP query parameter comes from $@. | ldap_bad.py:18:9:18:17 | ControlFlowNode for unsafe_dn | This | ldap_bad.py:13:27:13:33 | ControlFlowNode for request | a user-provided value |
-| ldap_bad.py:18:40:18:52 | ControlFlowNode for unsafe_filter | ldap_bad.py:13:27:13:33 | ControlFlowNode for request | ldap_bad.py:18:40:18:52 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap_bad.py:18:40:18:52 | ControlFlowNode for unsafe_filter | This | ldap_bad.py:13:27:13:33 | ControlFlowNode for request | a user-provided value |
-| ldap_bad.py:18:40:18:52 | ControlFlowNode for unsafe_filter | ldap_bad.py:14:35:14:41 | ControlFlowNode for request | ldap_bad.py:18:40:18:52 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap_bad.py:18:40:18:52 | ControlFlowNode for unsafe_filter | This | ldap_bad.py:14:35:14:41 | ControlFlowNode for request | a user-provided value |
-| ldap_bad.py:31:9:31:17 | ControlFlowNode for unsafe_dn | ldap_bad.py:27:27:27:33 | ControlFlowNode for request | ldap_bad.py:31:9:31:17 | ControlFlowNode for unsafe_dn | $@ LDAP query parameter comes from $@. | ldap_bad.py:31:9:31:17 | ControlFlowNode for unsafe_dn | This | ldap_bad.py:27:27:27:33 | ControlFlowNode for request | a user-provided value |
-| ldap_bad.py:31:40:31:52 | ControlFlowNode for unsafe_filter | ldap_bad.py:27:27:27:33 | ControlFlowNode for request | ldap_bad.py:31:40:31:52 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap_bad.py:31:40:31:52 | ControlFlowNode for unsafe_filter | This | ldap_bad.py:27:27:27:33 | ControlFlowNode for request | a user-provided value |
-| ldap_bad.py:31:40:31:52 | ControlFlowNode for unsafe_filter | ldap_bad.py:28:35:28:41 | ControlFlowNode for request | ldap_bad.py:31:40:31:52 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap_bad.py:31:40:31:52 | ControlFlowNode for unsafe_filter | This | ldap_bad.py:28:35:28:41 | ControlFlowNode for request | a user-provided value |
-| ldap_bad.py:46:9:46:17 | ControlFlowNode for unsafe_dn | ldap_bad.py:41:27:41:33 | ControlFlowNode for request | ldap_bad.py:46:9:46:17 | ControlFlowNode for unsafe_dn | $@ LDAP query parameter comes from $@. | ldap_bad.py:46:9:46:17 | ControlFlowNode for unsafe_dn | This | ldap_bad.py:41:27:41:33 | ControlFlowNode for request | a user-provided value |
-| ldap_bad.py:46:50:46:62 | ControlFlowNode for unsafe_filter | ldap_bad.py:41:27:41:33 | ControlFlowNode for request | ldap_bad.py:46:50:46:62 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap_bad.py:46:50:46:62 | ControlFlowNode for unsafe_filter | This | ldap_bad.py:41:27:41:33 | ControlFlowNode for request | a user-provided value |
-| ldap_bad.py:46:50:46:62 | ControlFlowNode for unsafe_filter | ldap_bad.py:42:35:42:41 | ControlFlowNode for request | ldap_bad.py:46:50:46:62 | ControlFlowNode for unsafe_filter | $@ LDAP query parameter comes from $@. | ldap_bad.py:46:50:46:62 | ControlFlowNode for unsafe_filter | This | ldap_bad.py:42:35:42:41 | ControlFlowNode for request | a user-provided value |
+| ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | $@ LDAP query parameter comes from $@. | ldap3_bad.py:21:17:21:18 | ControlFlowNode for dn | This | ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | a user-provided value |
+| ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | $@ LDAP query parameter comes from $@. | ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | This | ldap3_bad.py:13:17:13:23 | ControlFlowNode for request | a user-provided value |
+| ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | ldap3_bad.py:14:21:14:27 | ControlFlowNode for request | ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | $@ LDAP query parameter comes from $@. | ldap3_bad.py:21:21:21:33 | ControlFlowNode for search_filter | This | ldap3_bad.py:14:21:14:27 | ControlFlowNode for request | a user-provided value |
+| ldap3_bad.py:38:9:38:10 | ControlFlowNode for dn | ldap3_bad.py:30:17:30:23 | ControlFlowNode for request | ldap3_bad.py:38:9:38:10 | ControlFlowNode for dn | $@ LDAP query parameter comes from $@. | ldap3_bad.py:38:9:38:10 | ControlFlowNode for dn | This | ldap3_bad.py:30:17:30:23 | ControlFlowNode for request | a user-provided value |
+| ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter | ldap3_bad.py:30:17:30:23 | ControlFlowNode for request | ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter | $@ LDAP query parameter comes from $@. | ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter | This | ldap3_bad.py:30:17:30:23 | ControlFlowNode for request | a user-provided value |
+| ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter | ldap3_bad.py:31:21:31:27 | ControlFlowNode for request | ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter | $@ LDAP query parameter comes from $@. | ldap3_bad.py:38:13:38:25 | ControlFlowNode for search_filter | This | ldap3_bad.py:31:21:31:27 | ControlFlowNode for request | a user-provided value |
+| ldap_bad.py:21:9:21:10 | ControlFlowNode for dn | ldap_bad.py:13:17:13:23 | ControlFlowNode for request | ldap_bad.py:21:9:21:10 | ControlFlowNode for dn | $@ LDAP query parameter comes from $@. | ldap_bad.py:21:9:21:10 | ControlFlowNode for dn | This | ldap_bad.py:13:17:13:23 | ControlFlowNode for request | a user-provided value |
+| ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter | ldap_bad.py:13:17:13:23 | ControlFlowNode for request | ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter | $@ LDAP query parameter comes from $@. | ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter | This | ldap_bad.py:13:17:13:23 | ControlFlowNode for request | a user-provided value |
+| ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter | ldap_bad.py:14:21:14:27 | ControlFlowNode for request | ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter | $@ LDAP query parameter comes from $@. | ldap_bad.py:21:33:21:45 | ControlFlowNode for search_filter | This | ldap_bad.py:14:21:14:27 | ControlFlowNode for request | a user-provided value |
+| ldap_bad.py:37:9:37:10 | ControlFlowNode for dn | ldap_bad.py:30:17:30:23 | ControlFlowNode for request | ldap_bad.py:37:9:37:10 | ControlFlowNode for dn | $@ LDAP query parameter comes from $@. | ldap_bad.py:37:9:37:10 | ControlFlowNode for dn | This | ldap_bad.py:30:17:30:23 | ControlFlowNode for request | a user-provided value |
+| ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter | ldap_bad.py:30:17:30:23 | ControlFlowNode for request | ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter | $@ LDAP query parameter comes from $@. | ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter | This | ldap_bad.py:30:17:30:23 | ControlFlowNode for request | a user-provided value |
+| ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter | ldap_bad.py:31:21:31:27 | ControlFlowNode for request | ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter | $@ LDAP query parameter comes from $@. | ldap_bad.py:37:33:37:45 | ControlFlowNode for search_filter | This | ldap_bad.py:31:21:31:27 | ControlFlowNode for request | a user-provided value |
+| ldap_bad.py:55:9:55:10 | ControlFlowNode for dn | ldap_bad.py:47:17:47:23 | ControlFlowNode for request | ldap_bad.py:55:9:55:10 | ControlFlowNode for dn | $@ LDAP query parameter comes from $@. | ldap_bad.py:55:9:55:10 | ControlFlowNode for dn | This | ldap_bad.py:47:17:47:23 | ControlFlowNode for request | a user-provided value |
+| ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | ldap_bad.py:47:17:47:23 | ControlFlowNode for request | ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | $@ LDAP query parameter comes from $@. | ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | This | ldap_bad.py:47:17:47:23 | ControlFlowNode for request | a user-provided value |
+| ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | ldap_bad.py:48:21:48:27 | ControlFlowNode for request | ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | $@ LDAP query parameter comes from $@. | ldap_bad.py:55:43:55:55 | ControlFlowNode for search_filter | This | ldap_bad.py:48:21:48:27 | ControlFlowNode for request | a user-provided value |
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-090/ldap3_bad.py b/python/ql/test/experimental/query-tests/Security/CWE-090/ldap3_bad.py
index a5b4748c146..2edb986fccf 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-090/ldap3_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-090/ldap3_bad.py
@@ -10,12 +10,15 @@ def normal():
     A RemoteFlowSource is used directly as DN and search filter
     """
 
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True)
-    conn.search(unsafe_dn, unsafe_filter)
+    dn = "dc={}".format(unsafe_dc)
+    search_filter = "(user={})".format(unsafe_filter)
+
+    srv = ldap3.Server('ldap://127.0.0.1')
+    conn = ldap3.Connection(srv, user=dn, auto_bind=True)
+    conn.search(dn, search_filter)
 
 
 @app.route("/direct")
@@ -24,12 +27,15 @@ def direct():
     A RemoteFlowSource is used directly as DN and search filter using a oneline call to .search
     """
 
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=unsafe_dn, auto_bind=True).search(
-        unsafe_dn, unsafe_filter)
+    dn = "dc={}".format(unsafe_dc)
+    search_filter = "(user={})".format(unsafe_filter)
+
+    srv = ldap3.Server('ldap://127.0.0.1')
+    conn = ldap3.Connection(srv, user=dn, auto_bind=True).search(
+        dn, search_filter)
 
 # if __name__ == "__main__":
 #     app.run(debug=True)
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-090/ldap3_good.py b/python/ql/test/experimental/query-tests/Security/CWE-090/ldap3_good.py
index a4fbb718c5b..bb2e6d7af83 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-090/ldap3_good.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-090/ldap3_good.py
@@ -12,15 +12,18 @@ def normal():
     A RemoteFlowSource is sanitized and used as DN and search filter
     """
 
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    safe_dn = escape_rdn(unsafe_dn)
+    safe_dc = escape_rdn(unsafe_dc)
     safe_filter = escape_filter_chars(unsafe_filter)
 
-    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=safe_dn, auto_bind=True)
-    conn.search(safe_dn, safe_filter)
+    dn = "dc={}".format(safe_dc)
+    search_filter = "(user={})".format(safe_filter)
+
+    srv = ldap3.Server('ldap://127.0.0.1')
+    conn = ldap3.Connection(srv, user=dn, auto_bind=True)
+    conn.search(dn, search_filter)
 
 
 @app.route("/direct")
@@ -29,15 +32,18 @@ def direct():
     A RemoteFlowSource is sanitized and used as DN and search filter using a oneline call to .search
     """
 
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    safe_dn = escape_rdn(unsafe_dn)
+    safe_dc = escape_rdn(unsafe_dc)
     safe_filter = escape_filter_chars(unsafe_filter)
 
-    srv = ldap3.Server('ldap://127.0.0.1', port=1337)
-    conn = ldap3.Connection(srv, user=safe_dn, auto_bind=True).search(
-        safe_dn, safe_filter)
+    dn = "dc={}".format(safe_dc)
+    search_filter = "(user={})".format(safe_filter)
+
+    srv = ldap3.Server('ldap://127.0.0.1')
+    conn = ldap3.Connection(srv, user=dn, auto_bind=True).search(
+        dn, search_filter)
 
 # if __name__ == "__main__":
 #     app.run(debug=True)
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-090/ldap_bad.py b/python/ql/test/experimental/query-tests/Security/CWE-090/ldap_bad.py
index 728a9179c7a..133b0baaf9c 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-090/ldap_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-090/ldap_bad.py
@@ -10,12 +10,15 @@ def normal():
     A RemoteFlowSource is used directly as DN and search filter
     """
 
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    dn = "dc={}".format(unsafe_dc)
+    search_filter = "(user={})".format(unsafe_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1")
     user = ldap_connection.search_s(
-        unsafe_dn, ldap.SCOPE_SUBTREE, unsafe_filter)
+        dn, ldap.SCOPE_SUBTREE, search_filter)
 
 
 @app.route("/direct")
@@ -24,11 +27,14 @@ def direct():
     A RemoteFlowSource is used directly as DN and search filter using a oneline call to .search_s
     """
 
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    user = ldap.initialize("ldap://127.0.0.1:1337").search_s(
-        unsafe_dn, ldap.SCOPE_SUBTREE, unsafe_filter)
+    dn = "dc={}".format(unsafe_dc)
+    search_filter = "(user={})".format(unsafe_filter)
+
+    user = ldap.initialize("ldap://127.0.0.1").search_s(
+        dn, ldap.SCOPE_SUBTREE, search_filter)
 
 
 @app.route("/normal_argbyname")
@@ -38,12 +44,15 @@ def normal_argbyname():
     an argument by name
     """
 
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    dn = "dc={}".format(unsafe_dc)
+    search_filter = "(user={})".format(unsafe_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1")
     user = ldap_connection.search_s(
-        unsafe_dn, ldap.SCOPE_SUBTREE, filterstr=unsafe_filter)
+        dn, ldap.SCOPE_SUBTREE, filterstr=search_filter)
 
 
 # if __name__ == "__main__":
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-090/ldap_good.py b/python/ql/test/experimental/query-tests/Security/CWE-090/ldap_good.py
index b2c00cc04cb..dfc6f91d045 100644
--- a/python/ql/test/experimental/query-tests/Security/CWE-090/ldap_good.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-090/ldap_good.py
@@ -12,15 +12,18 @@ def normal():
     A RemoteFlowSource is sanitized and used as DN and search filter
     """
 
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
+    safe_dc = ldap.dn.escape_dn_chars(unsafe_dc)
     safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
 
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    dn = "dc={}".format(safe_dc)
+    search_filter = "(user={})".format(safe_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1")
     user = ldap_connection.search_s(
-        safe_dn, ldap.SCOPE_SUBTREE, safe_filter)
+        dn, ldap.SCOPE_SUBTREE, search_filter)
 
 
 @app.route("/direct")
@@ -29,14 +32,17 @@ def direct():
     A RemoteFlowSource is sanitized and used as DN and search filter using a oneline call to .search_s
     """
 
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
+    safe_dc = ldap.dn.escape_dn_chars(unsafe_dc)
     safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
 
-    user = ldap.initialize("ldap://127.0.0.1:1337").search_s(
-        safe_dn, ldap.SCOPE_SUBTREE, safe_filter, ["testAttr1", "testAttr2"])
+    dn = "dc={}".format(safe_dc)
+    search_filter = "(user={})".format(safe_filter)
+
+    user = ldap.initialize("ldap://127.0.0.1").search_s(
+        dn, ldap.SCOPE_SUBTREE, search_filter, ["testAttr1", "testAttr2"])
 
 
 @app.route("/normal_argbyname")
@@ -46,15 +52,18 @@ def normal_argbyname():
     an argument by name
     """
 
-    unsafe_dn = "dc=%s" % request.args['dc']
-    unsafe_filter = "(user=%s)" % request.args['username']
+    unsafe_dc = request.args['dc']
+    unsafe_filter = request.args['username']
 
-    safe_dn = ldap.dn.escape_dn_chars(unsafe_dn)
+    safe_dc = ldap.dn.escape_dn_chars(unsafe_dc)
     safe_filter = ldap.filter.escape_filter_chars(unsafe_filter)
 
-    ldap_connection = ldap.initialize("ldap://127.0.0.1:1337")
+    dn = "dc={}".format(safe_dc)
+    search_filter = "(user={})".format(safe_filter)
+
+    ldap_connection = ldap.initialize("ldap://127.0.0.1")
     user = ldap_connection.search_s(
-        safe_dn, ldap.SCOPE_SUBTREE, filterstr=safe_filter)
+        dn, ldap.SCOPE_SUBTREE, filterstr=search_filter)
 
 
 # if __name__ == "__main__":

From 254c769089f9187a0ed6a148b3d6d40980c76e22 Mon Sep 17 00:00:00 2001
From: shati-patel <42641846+shati-patel@users.noreply.github.com>
Date: Fri, 21 May 2021 21:41:09 +0100
Subject: [PATCH 1146/1429] Docs: Describe custom log directory setting in VS
 Code extension

---
 .../codeql-for-visual-studio-code/customizing-settings.rst    | 4 ++++
 .../troubleshooting-codeql-for-visual-studio-code.rst         | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/docs/codeql/codeql-for-visual-studio-code/customizing-settings.rst b/docs/codeql/codeql-for-visual-studio-code/customizing-settings.rst
index 8197858d3ab..10c0fb12744 100644
--- a/docs/codeql/codeql-for-visual-studio-code/customizing-settings.rst
+++ b/docs/codeql/codeql-for-visual-studio-code/customizing-settings.rst
@@ -46,6 +46,8 @@ The query history **Format** setting controls how the extension lists queries in
 
 To override the default label, you can specify a different format for the query history items.
 
+.. _configuring-settings-for-running-queries:
+
 Configuring settings for running queries
 -----------------------------------------
 
@@ -53,6 +55,8 @@ There are a number of settings for **Running Queries**. If your queries run too
 
 .. include:: ../reusables/running-queries-debug.rst
 
+To save CodeQL Query Server logs in a custom location, edit the **Running Queries: Custom Log Directory** setting. If you use a custom log directory, the extension doesn't automatically delete the CodeQL Query Server logs. This is useful if you want to investigate these logs to improve the performance of your queries.
+
 Configuring settings for testing queries
 -----------------------------------------
 
diff --git a/docs/codeql/codeql-for-visual-studio-code/troubleshooting-codeql-for-visual-studio-code.rst b/docs/codeql/codeql-for-visual-studio-code/troubleshooting-codeql-for-visual-studio-code.rst
index 80fc5efea0f..3f50d29604b 100644
--- a/docs/codeql/codeql-for-visual-studio-code/troubleshooting-codeql-for-visual-studio-code.rst
+++ b/docs/codeql/codeql-for-visual-studio-code/troubleshooting-codeql-for-visual-studio-code.rst
@@ -38,6 +38,8 @@ You are most likely to need to restart the query server if you make external cha
 To see the logs from running a particular query, right-click the query in the Query History and select **Show Query Log**.
 If the log file is too large for the extension to open in the VS Code editor, the file will be displayed in your file explorer so you can open it with an external program.
 
+By default, the extension deletes logs after each workspace session. To override this behavior, you can specify a custom directory for query server logs. For more information, see ":ref:`Customizing settings <configuring-settings-for-running-queries>`."
+
 Exploring problems with running tests
 ----------------------------------------------
 

From 8b96ff96013dca8039333bfe83fcc5f978eef91a Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Mon, 12 Apr 2021 21:21:13 +0300
Subject: [PATCH 1147/1429] First draft of RmiUnsafeDeserialization.ql

---
 .../CWE/CWE-502/RmiUnsafeDeserialization.ql   | 52 +++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql

diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql b/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql
new file mode 100644
index 00000000000..ddb5cf26f09
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql
@@ -0,0 +1,52 @@
+/**
+ * @name Unsafe deserialization with RMI.
+ * @description TBD
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id java/unsafe-deserialization-rmi
+ * @tags security
+ *       external/cwe/cwe-502
+ */
+
+import java
+import semmle.code.java.frameworks.Rmi
+
+private class ObjectInputStream extends RefType {
+  ObjectInputStream() { hasQualifiedName("java.io", "ObjectInputStream") }
+}
+
+private class BindMethod extends Method {
+  BindMethod() {
+    getDeclaringType().hasQualifiedName("java.rmi", "Naming") and
+    hasName(["bind", "rebind"])
+  }
+}
+
+private Method getVulnerableMethod(Type type) {
+  type.(RefType).getASupertype*() instanceof TypeRemote and
+  exists(Method m, Type parameterType |
+    m.getDeclaringType() = type and parameterType = m.getAParamType()
+  |
+    not parameterType instanceof PrimitiveType and
+    not parameterType instanceof TypeString and
+    not parameterType instanceof ObjectInputStream and
+    result = m
+  )
+}
+
+private class UnsafeRmiBinding extends MethodAccess {
+  Method vulnerableMethod;
+
+  UnsafeRmiBinding() {
+    this.getMethod() instanceof BindMethod and
+    vulnerableMethod = getVulnerableMethod(this.getArgument(1).getType())
+  }
+
+  Method getVulnerableMethod() { result = vulnerableMethod }
+}
+
+// TODO: Cover Registry.bind() and rebind() -- test these sinks first
+
+from UnsafeRmiBinding call
+select call, "Unsafe deserialization with RMI in '" + call.getVulnerableMethod() + "' method"

From efa4b4f414b73ec078b7740d178576bd2ce690b8 Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Thu, 15 Apr 2021 15:37:20 +0300
Subject: [PATCH 1148/1429] Cover Registry in RmiUnsafeDeserialization.ql

---
 .../CWE/CWE-502/RmiUnsafeDeserialization.ql   | 21 +++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql b/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql
index ddb5cf26f09..e90e6704428 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql
@@ -1,6 +1,9 @@
 /**
  * @name Unsafe deserialization with RMI.
- * @description TBD
+ * @description Java RMI uses native Java serialization mechanism.
+ *              If a registered remote object has a method that takes a complex object,
+ *              an attacker can take advantage of unsafe Java deserialization mechanism.
+ *              In the worst case, it results in remote code execution.
  * @kind problem
  * @problem.severity error
  * @precision high
@@ -16,13 +19,22 @@ private class ObjectInputStream extends RefType {
   ObjectInputStream() { hasQualifiedName("java.io", "ObjectInputStream") }
 }
 
+/**
+ * A method that binds a name to a remote object.
+ */
 private class BindMethod extends Method {
   BindMethod() {
-    getDeclaringType().hasQualifiedName("java.rmi", "Naming") and
+    (
+      getDeclaringType().hasQualifiedName("java.rmi", "Naming") or
+      getDeclaringType().hasQualifiedName("java.rmi.registry", "Registry")
+    ) and
     hasName(["bind", "rebind"])
   }
 }
 
+/**
+ * Looks for a vulnerable method in a `Remote` object.
+ */
 private Method getVulnerableMethod(Type type) {
   type.(RefType).getASupertype*() instanceof TypeRemote and
   exists(Method m, Type parameterType |
@@ -35,6 +47,9 @@ private Method getVulnerableMethod(Type type) {
   )
 }
 
+/**
+ * A method call that registers a remote object that has a vulnerable method.
+ */
 private class UnsafeRmiBinding extends MethodAccess {
   Method vulnerableMethod;
 
@@ -46,7 +61,5 @@ private class UnsafeRmiBinding extends MethodAccess {
   Method getVulnerableMethod() { result = vulnerableMethod }
 }
 
-// TODO: Cover Registry.bind() and rebind() -- test these sinks first
-
 from UnsafeRmiBinding call
 select call, "Unsafe deserialization with RMI in '" + call.getVulnerableMethod() + "' method"

From ec6186a1c5d91d8f68c92da45bac985fdd897ec1 Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Thu, 15 Apr 2021 16:18:39 +0300
Subject: [PATCH 1149/1429] Draft of tests for RmiUnsafeDeserialization.ql

---
 .../CWE-502/RmiUnsafeDeserialization.expected |  0
 .../CWE-502/RmiUnsafeDeserialization.java     | 24 +++++++++++++++++++
 .../CWE-502/RmiUnsafeDeserialization.qlref    |  1 +
 3 files changed, 25 insertions(+)
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.expected
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.java
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.qlref

diff --git a/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.expected b/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.java b/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.java
new file mode 100644
index 00000000000..f3495404e44
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.java
@@ -0,0 +1,24 @@
+import java.rmi.Naming;
+import java.rmi.Remote;
+import java.rmi.RemoteException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+
+public class RmiUnsafeDeserialization {
+    
+    // BAD (bind a remote object that has a vulnerable method that takes Object)
+    public static void testRegistryBindWithObjectParameter() throws Exception {
+        Registry registry = LocateRegistry.createRegistry(1099);
+        registry.bind("test", new RemoteObjectWithObject());
+    }
+}
+
+interface RemoteObjectWithObjectInterface extends Remote {
+
+    void take(Object obj) throws RemoteException;
+}
+
+class RemoteObjectWithObject implements RemoteObjectWithObjectInterface {
+
+    public void take(Object obj) throws RemoteException {}
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.qlref b/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.qlref
new file mode 100644
index 00000000000..d750f371002
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql
\ No newline at end of file

From 3d20330a92144a49b8f564aa8c25a773b38926a1 Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Thu, 15 Apr 2021 22:13:19 +0300
Subject: [PATCH 1150/1429] More tests for RmiUnsafeDeserialization

---
 .../CWE-502/RmiUnsafeDeserialization.java     | 37 ++++++++++++++++++-
 1 file changed, 35 insertions(+), 2 deletions(-)

diff --git a/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.java b/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.java
index f3495404e44..60c073916b7 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.java
@@ -1,3 +1,4 @@
+import java.io.ObjectInputStream;
 import java.rmi.Naming;
 import java.rmi.Remote;
 import java.rmi.RemoteException;
@@ -10,15 +11,47 @@ public class RmiUnsafeDeserialization {
     public static void testRegistryBindWithObjectParameter() throws Exception {
         Registry registry = LocateRegistry.createRegistry(1099);
         registry.bind("test", new RemoteObjectWithObject());
+        registry.rebind("test", new RemoteObjectWithObject());
+    }
+
+    // GOOD (bind a remote object that has methods that takes safe parameters)
+    public static void testRegistryBindWithIntParameter() throws Exception {
+        Registry registry = LocateRegistry.createRegistry(1099);
+        registry.bind("test", new SafeRemoteObject());
+        registry.rebind("test", new SafeRemoteObject());
+    }
+
+    // BAD (bind a remote object that has a vulnerable method that takes Object)
+    public static void testNamingBindWithObjectParameter() throws Exception {
+        Naming.bind("test", new RemoteObjectWithObject());
+        Naming.rebind("test", new RemoteObjectWithObject());
+    }
+
+    // GOOD (bind a remote object that has methods that takes safe parameters)
+    public static void testNamingBindWithIntParameter() throws Exception {
+        Naming.bind("test", new SafeRemoteObject());
+        Naming.rebind("test", new SafeRemoteObject());
     }
 }
 
 interface RemoteObjectWithObjectInterface extends Remote {
-
     void take(Object obj) throws RemoteException;
 }
 
 class RemoteObjectWithObject implements RemoteObjectWithObjectInterface {
-
     public void take(Object obj) throws RemoteException {}
 }
+
+interface SafeRemoteObjectInterface extends Remote {
+    void take(int n) throws RemoteException;
+    void take(double n) throws RemoteException;
+    void take(String s) throws RemoteException;
+    void take(ObjectInputStream ois) throws RemoteException;
+}
+
+class SafeRemoteObject implements SafeRemoteObjectInterface {
+    public void take(int n) throws RemoteException {}
+    public void take(double n) throws RemoteException {}
+    public void take(String s) throws RemoteException {}
+    public void take(ObjectInputStream ois) throws RemoteException {}
+}
\ No newline at end of file

From 5ffe04d6a507ac264dbde5c9da4626a33e42d929 Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Thu, 15 Apr 2021 22:21:39 +0300
Subject: [PATCH 1151/1429] Updated expected output for
 RmiUnsafeDeserialization.java test

---
 .../security/CWE-502/RmiUnsafeDeserialization.expected        | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.expected b/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.expected
index e69de29bb2d..fb91691cc47 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.expected
@@ -0,0 +1,4 @@
+| RmiUnsafeDeserialization.java:13:9:13:59 | bind(...) | Unsafe deserialization with RMI in 'take' method |
+| RmiUnsafeDeserialization.java:14:9:14:61 | rebind(...) | Unsafe deserialization with RMI in 'take' method |
+| RmiUnsafeDeserialization.java:26:9:26:57 | bind(...) | Unsafe deserialization with RMI in 'take' method |
+| RmiUnsafeDeserialization.java:27:9:27:59 | rebind(...) | Unsafe deserialization with RMI in 'take' method |

From 0182dfe1c04cd915871655977f4f57b9e2121fdc Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Fri, 16 Apr 2021 16:55:00 +0300
Subject: [PATCH 1152/1429] Added RmiUnsafeDeserialization.qhelp

---
 .../CWE/CWE-502/RmiSafeRemoteObject.java      | 15 ++++
 .../CWE-502/RmiUnsafeDeserialization.qhelp    | 68 +++++++++++++++++++
 .../CWE/CWE-502/RmiUnsafeDeserialization.ql   |  6 +-
 .../CWE/CWE-502/RmiUnsafeRemoteObject.java    | 14 ++++
 4 files changed, 100 insertions(+), 3 deletions(-)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-502/RmiSafeRemoteObject.java
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.qhelp
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeRemoteObject.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/RmiSafeRemoteObject.java b/java/ql/src/experimental/Security/CWE/CWE-502/RmiSafeRemoteObject.java
new file mode 100644
index 00000000000..60a1b49d2fe
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/RmiSafeRemoteObject.java
@@ -0,0 +1,15 @@
+public class Server {
+    public static void main(String... args) throws Exception {
+        Registry registry = LocateRegistry.createRegistry(1099);
+        registry.bind("unsafe", new RemoteObjectImpl());
+    }
+}
+
+interface RemoteObject extends Remote {
+    void calculate(int a, double b) throws RemoteException;
+    void save(String s) throws RemoteException;
+}
+
+class RemoteObjectImpl implements RemoteObject {
+    // ...
+}
\ No newline at end of file
diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.qhelp b/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.qhelp
new file mode 100644
index 00000000000..1921476ffbd
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.qhelp
@@ -0,0 +1,68 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Java RMI uses the default Java serialization mechanism (in other words, <code>ObjectInputStream</code>)
+to pass parameters in remote method invocations. This mechanism is known to be unsafe when deserializing 
+untrusted data. If a registered remote object has a method that accepts a complex object,
+an attacker can take advantage of the unsafe deserialization mechanism.
+In the worst case, it results in remote code execution.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Use only strings and primitive types in parameters of remote objects.
+</p>
+<p>
+Java RMI does not offer API for specifying classes which are only allowed for deserialization.
+However, it is possible to set a process-wide deserialization filter that was introduced in JEP 290.
+The filter can be set via system or security property <code>jdk.serialFilter</code>.
+Make sure that you use the latest Java versions that include JEP 290.
+</p>
+<p>
+Consider using other implementations of remote procedure calls. For example, HTTP API with JSON.
+Make sure that the underlying deserialization mechanism is properly configured
+so that deserialization attacks are not possible.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following code registers a vulnerable remote object 
+which has a method that accepts a complex object:
+</p>
+<sample src="RmiUnsafeRemoteObject.java" />
+
+<p>
+The next example registers a safe remote object
+which has methods that use only primitive types and strings:
+</p>
+<sample src="RmiSafeRemoteObject.java" />
+
+</example>
+
+<references>
+<li>
+Oracle:
+<a href="https://www.oracle.com/java/technologies/javase/remote-method-invocation-home.html">Remote Method Invocation (RMI)</a>.
+</li>
+<li>
+ITNEXT:
+<a href="https://itnext.io/java-rmi-for-pentesters-part-two-reconnaissance-attack-against-non-jmx-registries-187a6561314d">Java RMI for pentesters part two — reconnaissance & attack against non-JMX registries</a>.
+</li>
+<li>
+MOGWAI LABS:
+<a href="https://mogwailabs.de/en/blog/2019/03/attacking-java-rmi-services-after-jep-290/">Attacking Java RMI services after JEP 290</a>
+</li>
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Deserialization_of_untrusted_data">Deserialization of untrusted data</a>.
+</li>
+<li>
+OpenJDK:
+<a href="https://openjdk.java.net/jeps/290">JEP 290: Filter Incoming Serialization Data</a>
+</li>
+</references>
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql b/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql
index e90e6704428..1ece9d14fd9 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql
@@ -1,8 +1,8 @@
 /**
  * @name Unsafe deserialization with RMI.
- * @description Java RMI uses native Java serialization mechanism.
- *              If a registered remote object has a method that takes a complex object,
- *              an attacker can take advantage of unsafe Java deserialization mechanism.
+ * @description If a registered remote object has a method that accepts a complex object,
+ *              an attacker can take advantage of the unsafe deserialization mechanism
+ *              which is used to pass parameters in RMI.
  *              In the worst case, it results in remote code execution.
  * @kind problem
  * @problem.severity error
diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeRemoteObject.java b/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeRemoteObject.java
new file mode 100644
index 00000000000..4c04b57cde9
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeRemoteObject.java
@@ -0,0 +1,14 @@
+public class Server {
+    public static void main(String... args) throws Exception {
+        Registry registry = LocateRegistry.createRegistry(1099);
+        registry.bind("unsafe", new RemoteObjectImpl());
+    }
+}
+
+interface RemoteObject extends Remote {
+    void action(Object obj) throws RemoteException;
+}
+
+class RemoteObjectImpl implements RemoteObject {
+    // ...
+}
\ No newline at end of file

From e28f919f3dc88ecf295e01cfa4ac71911735f61e Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Mon, 17 May 2021 13:19:08 +0200
Subject: [PATCH 1153/1429] Look for remote callable method only in
 RmiUnsafeDeserialization.ql

---
 .../Security/CWE/CWE-502/RmiSafeRemoteObject.java   |  2 +-
 .../CWE/CWE-502/RmiUnsafeDeserialization.ql         | 13 +++++++------
 .../CWE-502/RmiUnsafeDeserialization.expected       |  8 ++++----
 .../security/CWE-502/RmiUnsafeDeserialization.java  |  1 +
 4 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/RmiSafeRemoteObject.java b/java/ql/src/experimental/Security/CWE/CWE-502/RmiSafeRemoteObject.java
index 60a1b49d2fe..2f30bc1f3ba 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-502/RmiSafeRemoteObject.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/RmiSafeRemoteObject.java
@@ -1,7 +1,7 @@
 public class Server {
     public static void main(String... args) throws Exception {
         Registry registry = LocateRegistry.createRegistry(1099);
-        registry.bind("unsafe", new RemoteObjectImpl());
+        registry.bind("safe", new RemoteObjectImpl());
     }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql b/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql
index 1ece9d14fd9..52c637ebc9f 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql
@@ -15,7 +15,7 @@
 import java
 import semmle.code.java.frameworks.Rmi
 
-private class ObjectInputStream extends RefType {
+private class ObjectInputStream extends Class {
   ObjectInputStream() { hasQualifiedName("java.io", "ObjectInputStream") }
 }
 
@@ -35,9 +35,8 @@ private class BindMethod extends Method {
 /**
  * Looks for a vulnerable method in a `Remote` object.
  */
-private Method getVulnerableMethod(Type type) {
-  type.(RefType).getASupertype*() instanceof TypeRemote and
-  exists(Method m, Type parameterType |
+private Method getVulnerableMethod(RefType type) {
+  exists(RemoteCallableMethod m, Type parameterType |
     m.getDeclaringType() = type and parameterType = m.getAParamType()
   |
     not parameterType instanceof PrimitiveType and
@@ -61,5 +60,7 @@ private class UnsafeRmiBinding extends MethodAccess {
   Method getVulnerableMethod() { result = vulnerableMethod }
 }
 
-from UnsafeRmiBinding call
-select call, "Unsafe deserialization with RMI in '" + call.getVulnerableMethod() + "' method"
+from UnsafeRmiBinding call, Method vulnerableMethod
+where vulnerableMethod = call.getVulnerableMethod()
+select call, "Unsafe deserialization with RMI in '$@' method", vulnerableMethod,
+  vulnerableMethod.getStringSignature()
diff --git a/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.expected b/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.expected
index fb91691cc47..52bcccb15c5 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.expected
@@ -1,4 +1,4 @@
-| RmiUnsafeDeserialization.java:13:9:13:59 | bind(...) | Unsafe deserialization with RMI in 'take' method |
-| RmiUnsafeDeserialization.java:14:9:14:61 | rebind(...) | Unsafe deserialization with RMI in 'take' method |
-| RmiUnsafeDeserialization.java:26:9:26:57 | bind(...) | Unsafe deserialization with RMI in 'take' method |
-| RmiUnsafeDeserialization.java:27:9:27:59 | rebind(...) | Unsafe deserialization with RMI in 'take' method |
+| RmiUnsafeDeserialization.java:13:9:13:59 | bind(...) | Unsafe deserialization with RMI in '$@' method | RmiUnsafeDeserialization.java:42:17:42:20 | take | take(Object) |
+| RmiUnsafeDeserialization.java:14:9:14:61 | rebind(...) | Unsafe deserialization with RMI in '$@' method | RmiUnsafeDeserialization.java:42:17:42:20 | take | take(Object) |
+| RmiUnsafeDeserialization.java:26:9:26:57 | bind(...) | Unsafe deserialization with RMI in '$@' method | RmiUnsafeDeserialization.java:42:17:42:20 | take | take(Object) |
+| RmiUnsafeDeserialization.java:27:9:27:59 | rebind(...) | Unsafe deserialization with RMI in '$@' method | RmiUnsafeDeserialization.java:42:17:42:20 | take | take(Object) |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.java b/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.java
index 60c073916b7..f8921eda6ce 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.java
@@ -54,4 +54,5 @@ class SafeRemoteObject implements SafeRemoteObjectInterface {
     public void take(double n) throws RemoteException {}
     public void take(String s) throws RemoteException {}
     public void take(ObjectInputStream ois) throws RemoteException {}
+    public void safeMethod(Object object) {} // this method is not declared in SafeRemoteObjectInterface
 }
\ No newline at end of file

From 2d93eeae33f44c89e2f3d87e21471641f1b5dd58 Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Sat, 22 May 2021 20:06:17 +0200
Subject: [PATCH 1154/1429] Covered deserialization filters in
 RmiUnsafeDeserialization.ql

---
 .../CWE/CWE-502/RmiUnsafeDeserialization.ql   | 58 ++++++++++++-------
 1 file changed, 37 insertions(+), 21 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql b/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql
index 52c637ebc9f..55932027996 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql
@@ -1,10 +1,10 @@
 /**
- * @name Unsafe deserialization with RMI.
+ * @name Unsafe remote object.
  * @description If a registered remote object has a method that accepts a complex object,
  *              an attacker can take advantage of the unsafe deserialization mechanism
  *              which is used to pass parameters in RMI.
  *              In the worst case, it results in remote code execution.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id java/unsafe-deserialization-rmi
@@ -13,11 +13,9 @@
  */
 
 import java
+import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.Rmi
-
-private class ObjectInputStream extends Class {
-  ObjectInputStream() { hasQualifiedName("java.io", "ObjectInputStream") }
-}
+import DataFlow::PathGraph
 
 /**
  * A method that binds a name to a remote object.
@@ -33,34 +31,52 @@ private class BindMethod extends Method {
 }
 
 /**
- * Looks for a vulnerable method in a `Remote` object.
+ * Holds if `type` has an unsafe remote method.
  */
-private Method getVulnerableMethod(RefType type) {
+private predicate hasVulnerableMethod(RefType type) {
   exists(RemoteCallableMethod m, Type parameterType |
     m.getDeclaringType() = type and parameterType = m.getAParamType()
   |
     not parameterType instanceof PrimitiveType and
     not parameterType instanceof TypeString and
-    not parameterType instanceof ObjectInputStream and
-    result = m
+    not parameterType.(RefType).hasQualifiedName("java.io", "ObjectInputStream")
   )
 }
 
 /**
- * A method call that registers a remote object that has a vulnerable method.
+ * A taint-tracking configuration for unsafe remote objects
+ * that are vulnerable to deserialization attacks.
  */
-private class UnsafeRmiBinding extends MethodAccess {
-  Method vulnerableMethod;
+private class BindingUnsafeRemoteObjectConfig extends TaintTracking::Configuration {
+  BindingUnsafeRemoteObjectConfig() { this = "BindingUnsafeRemoteObjectConfig" }
 
-  UnsafeRmiBinding() {
-    this.getMethod() instanceof BindMethod and
-    vulnerableMethod = getVulnerableMethod(this.getArgument(1).getType())
+  override predicate isSource(DataFlow::Node source) {
+    exists(ConstructorCall cc | cc = source.asExpr() |
+      hasVulnerableMethod(cc.getConstructedType().getASupertype*())
+    )
   }
 
-  Method getVulnerableMethod() { result = vulnerableMethod }
+  override predicate isSink(DataFlow::Node sink) {
+    exists(StaticMethodAccess ma | ma.getArgument(1) = sink.asExpr() |
+      ma.getMethod() instanceof BindMethod
+    )
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
+    exists(StaticMethodAccess ma, Method m | m = ma.getMethod() |
+      m.getDeclaringType().hasQualifiedName("java.rmi.server", "UnicastRemoteObject") and
+      m.hasName("exportObject") and
+      not ma.getArgument([2, 4])
+          .getType()
+          .(RefType)
+          .getASupertype*()
+          .hasQualifiedName("java.io", "ObjectInputFilter") and
+      ma.getArgument(0) = fromNode.asExpr() and
+      ma = toNode.asExpr()
+    )
+  }
 }
 
-from UnsafeRmiBinding call, Method vulnerableMethod
-where vulnerableMethod = call.getVulnerableMethod()
-select call, "Unsafe deserialization with RMI in '$@' method", vulnerableMethod,
-  vulnerableMethod.getStringSignature()
+from DataFlow::PathNode source, DataFlow::PathNode sink, BindingUnsafeRemoteObjectConfig conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Binding an unsafe remote object."

From d2e29fc72c00c56bdb8002ab92798a67b85b2ef4 Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Sun, 23 May 2021 10:18:40 +0200
Subject: [PATCH 1155/1429] Renamed RmiUnsafeDeserialization.ql ->
 UnsafeDeserializationRmi.ql

---
 ...Deserialization.qhelp => UnsafeDeserializationRmi.qhelp} | 0
 ...UnsafeDeserialization.ql => UnsafeDeserializationRmi.ql} | 0
 .../security/CWE-502/RmiUnsafeDeserialization.qlref         | 1 -
 ...alization.expected => UnsafeDeserializationRmi.expected} | 0
 ...feDeserialization.java => UnsafeDeserializationRmi.java} | 6 +++---
 .../security/CWE-502/UnsafeDeserializationRmi.qlref         | 1 +
 6 files changed, 4 insertions(+), 4 deletions(-)
 rename java/ql/src/experimental/Security/CWE/CWE-502/{RmiUnsafeDeserialization.qhelp => UnsafeDeserializationRmi.qhelp} (100%)
 rename java/ql/src/experimental/Security/CWE/CWE-502/{RmiUnsafeDeserialization.ql => UnsafeDeserializationRmi.ql} (100%)
 delete mode 100644 java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.qlref
 rename java/ql/test/experimental/query-tests/security/CWE-502/{RmiUnsafeDeserialization.expected => UnsafeDeserializationRmi.expected} (100%)
 rename java/ql/test/experimental/query-tests/security/CWE-502/{RmiUnsafeDeserialization.java => UnsafeDeserializationRmi.java} (98%)
 create mode 100644 java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.qlref

diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.qhelp b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.qhelp
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.qhelp
rename to java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.qhelp
diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql
rename to java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.qlref b/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.qlref
deleted file mode 100644
index d750f371002..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.qlref
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-502/RmiUnsafeDeserialization.ql
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.expected b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.expected
similarity index 100%
rename from java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.expected
rename to java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.expected
diff --git a/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.java b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.java
similarity index 98%
rename from java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.java
rename to java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.java
index f8921eda6ce..ee0bc3a1989 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-502/RmiUnsafeDeserialization.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.java
@@ -5,8 +5,8 @@ import java.rmi.RemoteException;
 import java.rmi.registry.LocateRegistry;
 import java.rmi.registry.Registry;
 
-public class RmiUnsafeDeserialization {
-    
+public class UnsafeDeserializationRmi {
+
     // BAD (bind a remote object that has a vulnerable method that takes Object)
     public static void testRegistryBindWithObjectParameter() throws Exception {
         Registry registry = LocateRegistry.createRegistry(1099);
@@ -55,4 +55,4 @@ class SafeRemoteObject implements SafeRemoteObjectInterface {
     public void take(String s) throws RemoteException {}
     public void take(ObjectInputStream ois) throws RemoteException {}
     public void safeMethod(Object object) {} // this method is not declared in SafeRemoteObjectInterface
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.qlref b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.qlref
new file mode 100644
index 00000000000..fce2e6c6a4a
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql
\ No newline at end of file

From c837605c856868368deff452eef3b041579b23dc Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Sun, 23 May 2021 13:01:22 +0200
Subject: [PATCH 1156/1429] Added test cases with sanitizers for
 UnsafeDeserializationRmi.ql

---
 .../CWE/CWE-502/UnsafeDeserializationRmi.ql   | 10 ++---
 .../CWE-502/UnsafeDeserializationRmi.expected | 19 ++++++--
 .../CWE-502/UnsafeDeserializationRmi.java     | 45 ++++++++++++-------
 3 files changed, 50 insertions(+), 24 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql
index 55932027996..91e38cc373e 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql
@@ -1,5 +1,5 @@
 /**
- * @name Unsafe remote object.
+ * @name Unsafe deserialization in a remotely callable method.
  * @description If a registered remote object has a method that accepts a complex object,
  *              an attacker can take advantage of the unsafe deserialization mechanism
  *              which is used to pass parameters in RMI.
@@ -31,7 +31,7 @@ private class BindMethod extends Method {
 }
 
 /**
- * Holds if `type` has an unsafe remote method.
+ * Holds if `type` has an vulnerable remote method.
  */
 private predicate hasVulnerableMethod(RefType type) {
   exists(RemoteCallableMethod m, Type parameterType |
@@ -57,13 +57,13 @@ private class BindingUnsafeRemoteObjectConfig extends TaintTracking::Configurati
   }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(StaticMethodAccess ma | ma.getArgument(1) = sink.asExpr() |
+    exists(MethodAccess ma | ma.getArgument(1) = sink.asExpr() |
       ma.getMethod() instanceof BindMethod
     )
   }
 
   override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
-    exists(StaticMethodAccess ma, Method m | m = ma.getMethod() |
+    exists(MethodAccess ma, Method m | m = ma.getMethod() |
       m.getDeclaringType().hasQualifiedName("java.rmi.server", "UnicastRemoteObject") and
       m.hasName("exportObject") and
       not ma.getArgument([2, 4])
@@ -79,4 +79,4 @@ private class BindingUnsafeRemoteObjectConfig extends TaintTracking::Configurati
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, BindingUnsafeRemoteObjectConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Binding an unsafe remote object."
+select sink.getNode(), source, sink, "Unsafe deserialization in a remote object."
diff --git a/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.expected b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.expected
index 52bcccb15c5..188a8649d98 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.expected
@@ -1,4 +1,15 @@
-| RmiUnsafeDeserialization.java:13:9:13:59 | bind(...) | Unsafe deserialization with RMI in '$@' method | RmiUnsafeDeserialization.java:42:17:42:20 | take | take(Object) |
-| RmiUnsafeDeserialization.java:14:9:14:61 | rebind(...) | Unsafe deserialization with RMI in '$@' method | RmiUnsafeDeserialization.java:42:17:42:20 | take | take(Object) |
-| RmiUnsafeDeserialization.java:26:9:26:57 | bind(...) | Unsafe deserialization with RMI in '$@' method | RmiUnsafeDeserialization.java:42:17:42:20 | take | take(Object) |
-| RmiUnsafeDeserialization.java:27:9:27:59 | rebind(...) | Unsafe deserialization with RMI in '$@' method | RmiUnsafeDeserialization.java:42:17:42:20 | take | take(Object) |
+edges
+| UnsafeDeserializationRmi.java:17:68:17:95 | new UnsafeRemoteObjectImpl(...) : UnsafeRemoteObjectImpl | UnsafeDeserializationRmi.java:17:35:17:96 | exportObject(...) |
+nodes
+| UnsafeDeserializationRmi.java:15:33:15:60 | new UnsafeRemoteObjectImpl(...) | semmle.label | new UnsafeRemoteObjectImpl(...) |
+| UnsafeDeserializationRmi.java:16:35:16:62 | new UnsafeRemoteObjectImpl(...) | semmle.label | new UnsafeRemoteObjectImpl(...) |
+| UnsafeDeserializationRmi.java:17:35:17:96 | exportObject(...) | semmle.label | exportObject(...) |
+| UnsafeDeserializationRmi.java:17:68:17:95 | new UnsafeRemoteObjectImpl(...) : UnsafeRemoteObjectImpl | semmle.label | new UnsafeRemoteObjectImpl(...) : UnsafeRemoteObjectImpl |
+| UnsafeDeserializationRmi.java:29:31:29:58 | new UnsafeRemoteObjectImpl(...) | semmle.label | new UnsafeRemoteObjectImpl(...) |
+| UnsafeDeserializationRmi.java:30:33:30:60 | new UnsafeRemoteObjectImpl(...) | semmle.label | new UnsafeRemoteObjectImpl(...) |
+#select
+| UnsafeDeserializationRmi.java:15:33:15:60 | new UnsafeRemoteObjectImpl(...) | UnsafeDeserializationRmi.java:15:33:15:60 | new UnsafeRemoteObjectImpl(...) | UnsafeDeserializationRmi.java:15:33:15:60 | new UnsafeRemoteObjectImpl(...) | Unsafe deserialization in a remote object. |
+| UnsafeDeserializationRmi.java:16:35:16:62 | new UnsafeRemoteObjectImpl(...) | UnsafeDeserializationRmi.java:16:35:16:62 | new UnsafeRemoteObjectImpl(...) | UnsafeDeserializationRmi.java:16:35:16:62 | new UnsafeRemoteObjectImpl(...) | Unsafe deserialization in a remote object. |
+| UnsafeDeserializationRmi.java:17:35:17:96 | exportObject(...) | UnsafeDeserializationRmi.java:17:68:17:95 | new UnsafeRemoteObjectImpl(...) : UnsafeRemoteObjectImpl | UnsafeDeserializationRmi.java:17:35:17:96 | exportObject(...) | Unsafe deserialization in a remote object. |
+| UnsafeDeserializationRmi.java:29:31:29:58 | new UnsafeRemoteObjectImpl(...) | UnsafeDeserializationRmi.java:29:31:29:58 | new UnsafeRemoteObjectImpl(...) | UnsafeDeserializationRmi.java:29:31:29:58 | new UnsafeRemoteObjectImpl(...) | Unsafe deserialization in a remote object. |
+| UnsafeDeserializationRmi.java:30:33:30:60 | new UnsafeRemoteObjectImpl(...) | UnsafeDeserializationRmi.java:30:33:30:60 | new UnsafeRemoteObjectImpl(...) | UnsafeDeserializationRmi.java:30:33:30:60 | new UnsafeRemoteObjectImpl(...) | Unsafe deserialization in a remote object. |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.java b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.java
index ee0bc3a1989..197a1c47843 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.java
@@ -1,58 +1,73 @@
+import java.io.ObjectInputFilter;
 import java.io.ObjectInputStream;
 import java.rmi.Naming;
 import java.rmi.Remote;
 import java.rmi.RemoteException;
 import java.rmi.registry.LocateRegistry;
 import java.rmi.registry.Registry;
+import java.rmi.server.UnicastRemoteObject;
 
 public class UnsafeDeserializationRmi {
 
-    // BAD (bind a remote object that has a vulnerable method that takes Object)
+    // BAD (bind a remote object that has a vulnerable method)
     public static void testRegistryBindWithObjectParameter() throws Exception {
         Registry registry = LocateRegistry.createRegistry(1099);
-        registry.bind("test", new RemoteObjectWithObject());
-        registry.rebind("test", new RemoteObjectWithObject());
+        registry.bind("unsafe", new UnsafeRemoteObjectImpl());
+        registry.rebind("unsafe", new UnsafeRemoteObjectImpl());
+        registry.rebind("unsafe", UnicastRemoteObject.exportObject(new UnsafeRemoteObjectImpl()));
     }
 
     // GOOD (bind a remote object that has methods that takes safe parameters)
     public static void testRegistryBindWithIntParameter() throws Exception {
         Registry registry = LocateRegistry.createRegistry(1099);
-        registry.bind("test", new SafeRemoteObject());
-        registry.rebind("test", new SafeRemoteObject());
+        registry.bind("safe", new SafeRemoteObjectImpl());
+        registry.rebind("safe", new SafeRemoteObjectImpl());
     }
 
-    // BAD (bind a remote object that has a vulnerable method that takes Object)
+    // BAD (bind a remote object that has a vulnerable method)
     public static void testNamingBindWithObjectParameter() throws Exception {
-        Naming.bind("test", new RemoteObjectWithObject());
-        Naming.rebind("test", new RemoteObjectWithObject());
+        Naming.bind("unsafe", new UnsafeRemoteObjectImpl());
+        Naming.rebind("unsafe", new UnsafeRemoteObjectImpl());
     }
 
     // GOOD (bind a remote object that has methods that takes safe parameters)
     public static void testNamingBindWithIntParameter() throws Exception {
-        Naming.bind("test", new SafeRemoteObject());
-        Naming.rebind("test", new SafeRemoteObject());
+        Naming.bind("safe", new SafeRemoteObjectImpl());
+        Naming.rebind("safe", new SafeRemoteObjectImpl());
+    }
+
+    // GOOD (bind a remote object with a deserialization filter)
+    public static void testRegistryBindWithDeserializationFilter() throws Exception {
+        Registry registry = LocateRegistry.createRegistry(1099);
+        ObjectInputFilter filter = info -> {
+            if (info.serialClass().getCanonicalName().startsWith("com.safe.package.")) {
+                return ObjectInputFilter.Status.ALLOWED;
+            }
+            return ObjectInputFilter.Status.REJECTED;
+        };
+        registry.rebind("safe", UnicastRemoteObject.exportObject(new UnsafeRemoteObjectImpl(), 12345, filter));
     }
 }
 
-interface RemoteObjectWithObjectInterface extends Remote {
+interface UnsafeRemoteObject extends Remote {
     void take(Object obj) throws RemoteException;
 }
 
-class RemoteObjectWithObject implements RemoteObjectWithObjectInterface {
+class UnsafeRemoteObjectImpl implements UnsafeRemoteObject {
     public void take(Object obj) throws RemoteException {}
 }
 
-interface SafeRemoteObjectInterface extends Remote {
+interface SafeRemoteObject extends Remote {
     void take(int n) throws RemoteException;
     void take(double n) throws RemoteException;
     void take(String s) throws RemoteException;
     void take(ObjectInputStream ois) throws RemoteException;
 }
 
-class SafeRemoteObject implements SafeRemoteObjectInterface {
+class SafeRemoteObjectImpl implements SafeRemoteObject {
     public void take(int n) throws RemoteException {}
     public void take(double n) throws RemoteException {}
     public void take(String s) throws RemoteException {}
     public void take(ObjectInputStream ois) throws RemoteException {}
-    public void safeMethod(Object object) {} // this method is not declared in SafeRemoteObjectInterface
+    public void safeMethod(Object object) {} // this method is not declared in SafeRemoteObject
 }

From 1b51dd47ec2717f0da468af752134042cbf9abc3 Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Sun, 23 May 2021 13:24:42 +0200
Subject: [PATCH 1157/1429] Added an example with deserialization filter to
 UnsafeDeserializationRmi.qhelp

---
 .../CWE-502/RmiRemoteObjectWithFilter.java    |  9 +++++++
 .../CWE/CWE-502/RmiSafeRemoteObject.java      |  3 +--
 .../CWE/CWE-502/RmiUnsafeRemoteObject.java    |  3 +--
 .../CWE-502/UnsafeDeserializationRmi.qhelp    | 26 ++++++++++++++-----
 4 files changed, 30 insertions(+), 11 deletions(-)
 create mode 100644 java/ql/src/experimental/Security/CWE/CWE-502/RmiRemoteObjectWithFilter.java

diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/RmiRemoteObjectWithFilter.java b/java/ql/src/experimental/Security/CWE/CWE-502/RmiRemoteObjectWithFilter.java
new file mode 100644
index 00000000000..6d4d2a5357f
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/RmiRemoteObjectWithFilter.java
@@ -0,0 +1,9 @@
+public void bindRemoteObject(Registry registry, int port) throws Exception {
+    ObjectInputFilter filter = info -> {
+        if (info.serialClass().getCanonicalName().startsWith("com.safe.package.")) {
+            return ObjectInputFilter.Status.ALLOWED;
+        }
+        return ObjectInputFilter.Status.REJECTED;
+    };
+    registry.bind("safer", UnicastRemoteObject.exportObject(new RemoteObjectImpl(), port, filter));
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/RmiSafeRemoteObject.java b/java/ql/src/experimental/Security/CWE/CWE-502/RmiSafeRemoteObject.java
index 2f30bc1f3ba..0c8836522ca 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-502/RmiSafeRemoteObject.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/RmiSafeRemoteObject.java
@@ -1,6 +1,5 @@
 public class Server {
-    public static void main(String... args) throws Exception {
-        Registry registry = LocateRegistry.createRegistry(1099);
+    public void bindRemoteObject(Registry registry) throws Exception {
         registry.bind("safe", new RemoteObjectImpl());
     }
 }
diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeRemoteObject.java b/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeRemoteObject.java
index 4c04b57cde9..96d48e9c9af 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeRemoteObject.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/RmiUnsafeRemoteObject.java
@@ -1,6 +1,5 @@
 public class Server {
-    public static void main(String... args) throws Exception {
-        Registry registry = LocateRegistry.createRegistry(1099);
+    public void bindRemoteObject(Registry registry) throws Exception {
         registry.bind("unsafe", new RemoteObjectImpl());
     }
 }
diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.qhelp b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.qhelp
index 1921476ffbd..985e3a4c08d 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.qhelp
@@ -15,14 +15,21 @@ In the worst case, it results in remote code execution.
 <p>
 Use only strings and primitive types in parameters of remote objects.
 </p>
+</p>
+Set a filter for incoming serialized data by wrapping remote objects using either <code>UnicastRemoteObject.exportObject(Remote, int, ObjectInputFilter)</code>
+or <code>UnicastRemoteObject.exportObject(Remote, int, RMIClientSocketFactory, RMIServerSocketFactory, ObjectInputFilter)</code> methods.
+Those methods accept an <code>ObjectInputFilter</code> that decides which classes are allowed for deserialization.
+The filter should allow deserializing only safe classes.
+</p>
 <p>
-Java RMI does not offer API for specifying classes which are only allowed for deserialization.
-However, it is possible to set a process-wide deserialization filter that was introduced in JEP 290.
-The filter can be set via system or security property <code>jdk.serialFilter</code>.
+It is also possible to set a process-wide deserialization filter.
+The filter can be set by with <code>ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter)</code> method,
+or by setting system or security property <code>jdk.serialFilter</code>.
 Make sure that you use the latest Java versions that include JEP 290.
 </p>
 <p>
-Consider using other implementations of remote procedure calls. For example, HTTP API with JSON.
+If switching to the latest Java versions is not possible,
+consider using other implementations of remote procedure calls. For example, HTTP API with JSON.
 Make sure that the underlying deserialization mechanism is properly configured
 so that deserialization attacks are not possible.
 </p>
@@ -30,17 +37,22 @@ so that deserialization attacks are not possible.
 
 <example>
 <p>
-The following code registers a vulnerable remote object 
-which has a method that accepts a complex object:
+The following code registers a remote object
+with a vulnerable method that accepts a complex object:
 </p>
 <sample src="RmiUnsafeRemoteObject.java" />
 
 <p>
 The next example registers a safe remote object
-which has methods that use only primitive types and strings:
+whose methods use only primitive types and strings:
 </p>
 <sample src="RmiSafeRemoteObject.java" />
 
+<p>
+The next example shows how to set a deserilization filter for a remote object:
+</p>
+<sample src="RmiRemoteObjectWithFilter.java" />
+
 </example>
 
 <references>

From 2361476966d467a0fe282bafe315e715b8cc8cf5 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Thu, 20 May 2021 10:51:26 +0200
Subject: [PATCH 1158/1429] C#: Improve join-order in `SplitImpl::hasSuccessor`

Joining on `succ` first gets rid of bad join-orders like

```
Tuple counts for Splitting::SplitImpl::hasSuccessor_dispred#ffff/4@i4#f49ebw:
                      59306        ~2%          {3} r1 = JOIN Splitting::SplitImpl::appliesTo#ff#prev_delta WITH Splitting::Cached::TAssertionSplit#ffff_30#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.0 'this', Lhs.1 'pred'
                      454395       ~0%          {3} r2 = JOIN r1 WITH Splitting::AssertionSplitting::getAnAssertionDescendant#ff ON FIRST 1 OUTPUT Lhs.2 'pred', Rhs.1 'succ', Lhs.1 'this'
                      12157        ~0%          {4} r3 = JOIN r2 WITH ControlFlowGraphImpl::succ#fff ON FIRST 2 OUTPUT Lhs.2 'this', Lhs.0 'pred', Lhs.1 'succ', Rhs.2 'c'

                      0            ~0%          {4} r4 = JOIN Splitting::LoopSplitting::LoopUnrollingSplitImpl::appliesToPredecessor_dispred#fff#prev_delta WITH Splitting::Cached::TLoopSplit#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.1 'pred', Lhs.2 'c', Rhs.1, Rhs.0
                      0            ~0%          {5} r5 = JOIN r4 WITH ControlFlowGraphImpl::succ#fff_021#join_rhs ON FIRST 2 OUTPUT Lhs.2, Lhs.3 'this', Lhs.0 'pred', Lhs.1 'c', Rhs.2 'succ'
                      0            ~0%          {5} r6 = r5 AND NOT Splitting::SplitImpl::hasSuccessor_dispred#ffff#antijoin_rhs#2(Lhs.2 'pred', Lhs.4 'succ', Lhs.3 'c', Lhs.0)
                      0            ~0%          {4} r7 = SCAN r6 OUTPUT In.1 'this', In.2 'pred', In.4 'succ', In.3 'c'

                      12157        ~0%          {4} r8 = r3 UNION r7

                      0            ~0%          {3} r9 = SCAN Splitting::BooleanSplitting::BooleanSplitImpl::appliesToBlock_dispred#fff#prev_delta OUTPUT In.1, In.0 'this', In.2

                      0            ~0%          {4} r10 = JOIN r9 WITH project#PreBasicBlocks::PreBasicBlock::getElement_dispred#fff ON FIRST 1 OUTPUT Rhs.1 'pred', Lhs.1 'this', Lhs.0, Lhs.2
                      0            ~0%          {6} r11 = JOIN r10 WITH ControlFlowGraphImpl::succ#fff ON FIRST 1 OUTPUT Lhs.1 'this', Lhs.2, Lhs.3, Lhs.0 'pred', Rhs.1, Rhs.2 'c'
                      0            ~0%          {6} r12 = r11 AND NOT PreBasicBlocks::PreBasicBlock::getLastElement_dispred#ff(Lhs.1, Lhs.3 'pred')
                      0            ~0%          {4} r13 = SCAN r12 OUTPUT In.0 'this', In.3 'pred', In.4 'succ', In.5 'c'

                      35244        ~1%          {3} r14 = JOIN Splitting::SplitImpl::appliesTo#ff#prev_delta WITH Splitting::Cached::TInitializerSplit#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.0 'this', Lhs.1 'pred'
                      24640675     ~6%          {3} r15 = JOIN r14 WITH Splitting::InitializerSplitting::constructorInitializes#ff ON FIRST 1 OUTPUT Rhs.1, Lhs.1 'this', Lhs.2 'pred'
                      24640675     ~21147%      {3} r16 = JOIN r15 WITH Splitting::InitializerSplitting::InitializedInstanceMember::getInitializer_dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1 'this', Lhs.2 'pred'
                      470227342920 ~481608%     {3} r17 = JOIN r16 WITH Splitting::InitializerSplitting::InitializedInstanceMember::getAnInitializerDescendant#ff ON FIRST 1 OUTPUT Lhs.2 'pred', Rhs.1 'succ', Lhs.1 'this'
                      24560447     ~66468%      {4} r18 = JOIN r17 WITH ControlFlowGraphImpl::succ#fff ON FIRST 2 OUTPUT Lhs.2 'this', Lhs.0 'pred', Lhs.1 'succ', Rhs.2 'c'

                      24560447     ~66468%      {4} r19 = r13 UNION r18
                      24572604     ~48162%      {4} r20 = r8 UNION r19

                      0            ~0%          {3} r21 = JOIN r9 WITH project#PreBasicBlocks::PreBasicBlock::getElement_dispred#fff ON FIRST 1 OUTPUT Rhs.1 'pred', Lhs.2, Lhs.1 'this'
                      0            ~0%          {4} r22 = JOIN r21 WITH ControlFlowGraphImpl::succ#fff_021#join_rhs ON FIRST 2 OUTPUT Lhs.2 'this', Lhs.0 'pred', Rhs.2 'succ', Rhs.1
                      0            ~0%          {5} r23 = JOIN r22 WITH Splitting::Cached::TBooleanSplit#fff_20#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.2 'succ', Lhs.0 'this', Lhs.1 'pred', Lhs.3 'c'
                      0            ~0%          {4} r24 = JOIN r23 WITH Splitting::BooleanSplitting::SsaBooleanSplitSubKind::canReachCorrelatedCondition#ff ON FIRST 2 OUTPUT Lhs.2 'this', Lhs.3 'pred', Lhs.1 'succ', Lhs.4 'c'

                      0            ~0%          {2} r25 = SCAN Splitting::FinallySplitting::FinallySplitImpl::appliesToPredecessor_dispred#ff#prev_delta OUTPUT In.1 'pred', In.0 'this'

                      0            ~0%          {4} r26 = JOIN r25 WITH ControlFlowGraphImpl::succ#fff ON FIRST 1 OUTPUT Lhs.1 'this', Lhs.0 'pred', Rhs.1, Rhs.2 'c'
                      0            ~0%          {4} r27 = r26 AND NOT Splitting::FinallySplitting::FinallyControlFlowElement::isEntryNode_dispred#f(Lhs.2 'succ')
                      0            ~0%          {5} r28 = JOIN r27 WITH Splitting::Cached::TFinallySplit#fff_21#join_rhs ON FIRST 1 OUTPUT Lhs.2 'succ', Lhs.0 'this', Lhs.1 'pred', Lhs.3 'c', Rhs.1
                      0            ~0%          {6} r29 = JOIN r28 WITH ControlFlowGraphImpl::Statements::TryStmtTree::getAFinallyDescendant#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1 'this', Lhs.2 'pred', Lhs.0 'succ', Lhs.3 'c', Lhs.4
                      0            ~0%          {7} r30 = JOIN r29 WITH ControlFlowGraphImpl::Statements::TryStmtTree::nestLevel_dispred#ff ON FIRST 1 OUTPUT Lhs.1 'this', Lhs.2 'pred', Lhs.3 'succ', Lhs.4 'c', Lhs.5, Lhs.0, Rhs.1
                      0            ~0%          {7} r31 = SELECT r30 ON In.6 >= In.4
                      0            ~0%          {4} r32 = SCAN r31 OUTPUT In.0 'this', In.1 'pred', In.2 'succ', In.3 'c'

                      0            ~0%          {4} r33 = r24 UNION r32

                      0            ~0%          {4} r34 = JOIN r25 WITH ControlFlowGraphImpl::succ#fff ON FIRST 1 OUTPUT Rhs.1, Lhs.1 'this', Lhs.0 'pred', Rhs.2 'c'
                      0            ~0%          {4} r35 = JOIN r34 WITH Splitting::FinallySplitting::FinallyControlFlowElement::isEntryNode_dispred#f ON FIRST 1 OUTPUT Lhs.1 'this', Lhs.2 'pred', Lhs.0 'succ', Lhs.3 'c'
                      0            ~0%          {5} r36 = JOIN r35 WITH Splitting::Cached::TFinallySplit#fff_21#join_rhs ON FIRST 1 OUTPUT Lhs.2 'succ', Lhs.0 'this', Lhs.1 'pred', Lhs.3 'c', Rhs.1
                      0            ~0%          {6} r37 = JOIN r36 WITH ControlFlowGraphImpl::Statements::TryStmtTree::getAFinallyDescendant#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1 'this', Lhs.2 'pred', Lhs.0 'succ', Lhs.3 'c', Lhs.4
                      0            ~0%          {7} r38 = JOIN r37 WITH ControlFlowGraphImpl::Statements::TryStmtTree::nestLevel_dispred#ff ON FIRST 1 OUTPUT Lhs.1 'this', Lhs.2 'pred', Lhs.3 'succ', Lhs.4 'c', Lhs.5, Lhs.0, Rhs.1
                      0            ~0%          {7} r39 = SELECT r38 ON In.6 > In.4
                      0            ~0%          {4} r40 = SCAN r39 OUTPUT In.0 'this', In.1 'pred', In.2 'succ', In.3 'c'

                      0            ~0%          {3} r41 = SCAN Splitting::ExceptionHandlerSplitting::ExceptionHandlerSplitImpl::appliesToPredecessor_dispred#fff#prev_delta OUTPUT In.1 'pred', In.2 'c', In.0 'this'
                      0            ~0%          {4} r42 = JOIN r41 WITH ControlFlowGraphImpl::last#fff_120#join_rhs ON FIRST 2 OUTPUT Rhs.2, Lhs.2 'this', Lhs.0 'pred', Lhs.1 'c'
                      0            ~0%          {5} r43 = JOIN r42 WITH Stmt::TryStmt::getCatchClause_dispred#fff_201#join_rhs ON FIRST 1 OUTPUT Rhs.1, Rhs.2, Lhs.1 'this', Lhs.2 'pred', Lhs.3 'c'
                      0            ~0%          {4} r44 = JOIN r43 WITH Stmt::TryStmt::getCatchClause_dispred#fff ON FIRST 2 OUTPUT Rhs.2, Lhs.2 'this', Lhs.3 'pred', Lhs.4 'c'
                      0            ~0%          {5} r45 = JOIN r44 WITH Stmt::CatchClause::isLast_dispred#f ON FIRST 1 OUTPUT Lhs.0, 1, Lhs.1 'this', Lhs.2 'pred', Lhs.3 'c'
                      0            ~0%          {3} r46 = JOIN r45 WITH catch_type_02#join_rhs ON FIRST 2 OUTPUT Lhs.2 'this', Lhs.3 'pred', Lhs.4 'c'
                      0                         {3} r47 = MATERIALIZE r46 AS unknown

                      0            ~0%          {3} r48 = Splitting::ExceptionHandlerSplitting::ExceptionHandlerSplitImpl::appliesToPredecessor_dispred#fff#prev_delta AND NOT r47(Lhs.0 'this', Lhs.1 'pred', Lhs.2 'c')
                      0            ~0%          {3} r49 = SCAN r48 OUTPUT In.1 'pred', In.2 'c', In.0 'this'

                      0            ~0%          {4} r50 = JOIN r49 WITH ControlFlowGraphImpl::succ#fff_021#join_rhs ON FIRST 2 OUTPUT Lhs.2 'this', Lhs.0 'pred', Lhs.1 'c', Rhs.2 'succ'

                      0            ~0%          {4} r51 = JOIN r49 WITH ControlFlowGraphImpl::succ#fff_021#join_rhs ON FIRST 2 OUTPUT Rhs.2 'succ', Lhs.2 'this', Lhs.0 'pred', Lhs.1 'c'
                      0            ~0%          {5} r52 = JOIN r51 WITH ControlFlowGraphImpl::ControlFlowTree::first_dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1 'this', Lhs.2 'pred', Lhs.3 'c', Lhs.0 'succ'
                      0            ~0%          {6} r53 = JOIN r52 WITH Stmt::CatchClause::getBlock_dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, 1, Lhs.1 'this', Lhs.2 'pred', Lhs.3 'c', Lhs.4 'succ'
                      0            ~0%          {4} r54 = JOIN r53 WITH catch_type_02#join_rhs ON FIRST 2 OUTPUT Lhs.2 'this', Lhs.3 'pred', Lhs.4 'c', Lhs.5 'succ'
                      0                         {4} r55 = MATERIALIZE r54 AS unknown

                      0            ~0%          {4} r56 = r50 AND NOT r55(Lhs.0 'this', Lhs.1 'pred', Lhs.2 'c', Lhs.3 'succ')
                      0            ~0%          {4} r57 = r56 AND NOT ControlFlowGraphImpl::Statements::StandardStmt::getChildElement0_dispred#fff#antijoin_rhs#2(Lhs.3 'succ')
                      0            ~0%          {4} r58 = SCAN r57 OUTPUT In.0 'this', In.1 'pred', In.3 'succ', In.2 'c'

                      0            ~0%          {4} r59 = r40 UNION r58
                      0            ~0%          {4} r60 = r33 UNION r59
                      24572604     ~48162%      {4} r61 = r20 UNION r60
                      24572604     ~48162%      {4} r62 = r61 AND NOT Splitting::SplitImpl::hasSuccessor_dispred#ffff#prev(Lhs.0 'this', Lhs.1 'pred', Lhs.2 'succ', Lhs.3 'c')
                                                return r62
```
---
 .../csharp/controlflow/internal/Splitting.qll | 22 +++++++++++--------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/controlflow/internal/Splitting.qll b/csharp/ql/src/semmle/code/csharp/controlflow/internal/Splitting.qll
index 8826ee7c1be..8ca77a4775e 100644
--- a/csharp/ql/src/semmle/code/csharp/controlflow/internal/Splitting.qll
+++ b/csharp/ql/src/semmle/code/csharp/controlflow/internal/Splitting.qll
@@ -209,6 +209,13 @@ abstract class SplitImpl extends Split {
     or
     exists(ControlFlowElement pred | this.appliesTo(pred) | this.hasSuccessor(pred, cfe, _))
   }
+
+  /** The `succ` relation restricted to predecessors `pred` that this split applies to. */
+  pragma[noinline]
+  final predicate appliesSucc(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
+    this.appliesTo(pred) and
+    succ(pred, succ, c)
+  }
 }
 
 module InitializerSplitting {
@@ -382,8 +389,7 @@ module InitializerSplitting {
     }
 
     override predicate hasSuccessor(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
-      this.appliesTo(pred) and
-      succ(pred, succ, c) and
+      this.appliesSucc(pred, succ, c) and
       succ =
         any(InitializedInstanceMember m |
           constructorInitializes(this.getConstructor(), m.getInitializer())
@@ -620,8 +626,7 @@ module AssertionSplitting {
     }
 
     override predicate hasSuccessor(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
-      this.appliesTo(pred) and
-      succ(pred, succ, c) and
+      this.appliesSucc(pred, succ, c) and
       succ = getAnAssertionDescendant(a)
     }
   }
@@ -858,8 +863,7 @@ module FinallySplitting {
     }
 
     override predicate hasSuccessor(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
-      this.appliesToPredecessor(pred) and
-      succ(pred, succ, c) and
+      this.appliesSucc(pred, succ, c) and
       succ =
         any(FinallyControlFlowElement fcfe |
           if fcfe.isEntryNode()
@@ -1037,7 +1041,7 @@ module ExceptionHandlerSplitting {
 
     override predicate hasSuccessor(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
       this.appliesToPredecessor(pred, c) and
-      succ(pred, succ, c) and
+      this.appliesSucc(pred, succ, c) and
       not first(any(SpecificCatchClause scc).getBlock(), succ) and
       not succ instanceof GeneralCatchClause and
       not exists(TryStmt ts, SpecificCatchClause scc, int last |
@@ -1298,7 +1302,7 @@ module BooleanSplitting {
     override predicate hasSuccessor(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
       exists(PreBasicBlock bb, Completion c0 | this.appliesToBlock(bb, c0) |
         pred = bb.getAnElement() and
-        succ(pred, succ, c) and
+        this.appliesSucc(pred, succ, c) and
         (
           pred = bb.getLastElement()
           implies
@@ -1489,7 +1493,7 @@ module LoopSplitting {
 
     override predicate hasSuccessor(ControlFlowElement pred, ControlFlowElement succ, Completion c) {
       this.appliesToPredecessor(pred, c) and
-      succ(pred, succ, c) and
+      this.appliesSucc(pred, succ, c) and
       not loop.stop(pred, succ, c)
     }
   }

From 5102fcd5f3f22827a0a166fd8811f2af8aae3175 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Fri, 21 May 2021 09:44:21 +0200
Subject: [PATCH 1159/1429] C#: Rewrite predicates from using `forall` to using
 `unique`

This avoids generation of expensive anti-join predicates with Cartesian products.
---
 .../semmle/code/csharp/controlflow/Guards.qll | 30 ++++++++++------
 .../internal/pressa/SsaImplSpecific.qll       | 36 +++++++++++++++----
 2 files changed, 50 insertions(+), 16 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll b/csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll
index 8a721da5293..5a402717401 100644
--- a/csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll
+++ b/csharp/ql/src/semmle/code/csharp/controlflow/Guards.qll
@@ -1466,8 +1466,10 @@ module Internal {
         PreSsa::Definition def, AssignableRead read
       ) {
         read = def.getAFirstRead() and
-        not exists(AssignableRead other | PreSsa::adjacentReadPairSameVar(other, read) |
-          other != read
+        (
+          not PreSsa::adjacentReadPairSameVar(_, read)
+          or
+          read = unique(AssignableRead read0 | PreSsa::adjacentReadPairSameVar(read0, read))
         )
       }
 
@@ -1651,10 +1653,14 @@ module Internal {
         AssignableRead read1, AssignableRead read2
       ) {
         PreSsa::adjacentReadPairSameVar(read1, read2) and
-        not exists(AssignableRead other |
-          PreSsa::adjacentReadPairSameVar(other, read2) and
-          other != read1 and
-          other != read2
+        (
+          read1 = read2 and
+          read1 = unique(AssignableRead other | PreSsa::adjacentReadPairSameVar(other, read2))
+          or
+          read1 =
+            unique(AssignableRead other |
+              PreSsa::adjacentReadPairSameVar(other, read2) and other != read2
+            )
         )
       }
 
@@ -1887,10 +1893,14 @@ module Internal {
       Ssa::Definition def, ControlFlow::Node cfn1, ControlFlow::Node cfn2
     ) {
       SsaImpl::adjacentReadPairSameVar(def, cfn1, cfn2) and
-      not exists(ControlFlow::Node other |
-        SsaImpl::adjacentReadPairSameVar(def, other, cfn2) and
-        other != cfn1 and
-        other != cfn2
+      (
+        cfn1 = cfn2 and
+        cfn1 = unique(ControlFlow::Node other | SsaImpl::adjacentReadPairSameVar(def, other, cfn2))
+        or
+        cfn1 =
+          unique(ControlFlow::Node other |
+            SsaImpl::adjacentReadPairSameVar(def, other, cfn2) and other != cfn2
+          )
       )
     }
 
diff --git a/csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplSpecific.qll b/csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplSpecific.qll
index 610e808a640..ad64c38973a 100644
--- a/csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplSpecific.qll
+++ b/csharp/ql/src/semmle/code/csharp/controlflow/internal/pressa/SsaImplSpecific.qll
@@ -15,13 +15,37 @@ class ExitBasicBlock extends BasicBlock {
   ExitBasicBlock() { scopeLast(_, this.getLastElement(), _) }
 }
 
-pragma[noinline]
+/** Holds if `a` is assigned in non-constructor callable `c`. */
+pragma[nomagic]
+private predicate assignableDefinition(Assignable a, Callable c) {
+  exists(AssignableDefinition def | def.getTarget() = a |
+    c = def.getEnclosingCallable() and
+    not c instanceof Constructor
+  )
+}
+
+/** Holds if `a` is accessed in callable `c`. */
+pragma[nomagic]
+private predicate assignableAccess(Assignable a, Callable c) {
+  exists(AssignableAccess aa | aa.getTarget() = a | c = aa.getEnclosingCallable())
+}
+
+pragma[nomagic]
 private predicate assignableNoCapturing(Assignable a, Callable c) {
-  exists(AssignableAccess aa | aa.getTarget() = a | c = aa.getEnclosingCallable()) and
-  forall(AssignableDefinition def | def.getTarget() = a |
-    c = def.getEnclosingCallable()
+  assignableAccess(a, c) and
+  /*
+   * The code below is equivalent to
+   * ```ql
+   * not exists(Callable other | assignableDefinition(a, other) | other != c)
+   * ```
+   * but it avoids a Cartesian product in the compiler generated antijoin
+   * predicate.
+   */
+
+  (
+    not assignableDefinition(a, _)
     or
-    def.getEnclosingCallable() instanceof Constructor
+    c = unique(Callable c0 | assignableDefinition(a, c0) | c0)
   )
 }
 
@@ -41,7 +65,7 @@ class SourceVariable extends Assignable {
     (
       this instanceof LocalScopeVariable
       or
-      this instanceof Field
+      this = any(Field f | not f.isVolatile())
       or
       this = any(TrivialProperty tp | not tp.isOverridableOrImplementable())
     ) and

From 3162e12082b731e913d1d11d933113014c822b84 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Thu, 20 May 2021 10:48:14 +0200
Subject: [PATCH 1160/1429] C#: Redefine `ControlFlowElement::getAssembly`

---
 .../semmle/code/csharp/controlflow/ControlFlowElement.qll | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/csharp/ql/src/semmle/code/csharp/controlflow/ControlFlowElement.qll b/csharp/ql/src/semmle/code/csharp/controlflow/ControlFlowElement.qll
index dcae798813a..7601b83f6b8 100644
--- a/csharp/ql/src/semmle/code/csharp/controlflow/ControlFlowElement.qll
+++ b/csharp/ql/src/semmle/code/csharp/controlflow/ControlFlowElement.qll
@@ -2,6 +2,7 @@
 
 import csharp
 private import semmle.code.csharp.ExprOrStmtParent
+private import semmle.code.csharp.commons.Compilation
 private import ControlFlow
 private import ControlFlow::BasicBlocks
 private import SuccessorTypes
@@ -22,7 +23,12 @@ class ControlFlowElement extends ExprOrStmtParent, @control_flow_element {
   Callable getEnclosingCallable() { none() }
 
   /** Gets the assembly that this element was compiled into. */
-  Assembly getAssembly() { result = this.getEnclosingCallable().getDeclaringType().getALocation() }
+  Assembly getAssembly() {
+    exists(Compilation c |
+      c.getAFileCompiled() = this.getFile() and
+      result = c.getOutputAssembly()
+    )
+  }
 
   /**
    * Gets a control flow node for this element. That is, a node in the

From 088a1a970784626991bad38295b62e5a33f06336 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Fri, 21 May 2021 08:55:33 +0200
Subject: [PATCH 1161/1429] C#: Simplify
 `TriedControlFlowElement::getAThrownException()`

---
 .../controlflow/internal/Completion.qll       | 49 +------------------
 1 file changed, 1 insertion(+), 48 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/controlflow/internal/Completion.qll b/csharp/ql/src/semmle/code/csharp/controlflow/internal/Completion.qll
index 089339ba1b8..bda14e0b4ae 100644
--- a/csharp/ql/src/semmle/code/csharp/controlflow/internal/Completion.qll
+++ b/csharp/ql/src/semmle/code/csharp/controlflow/internal/Completion.qll
@@ -293,18 +293,6 @@ private class Overflowable extends UnaryOperation {
   }
 }
 
-private class CoreLib extends Assembly {
-  CoreLib() { this = any(SystemExceptionClass c).getALocation() }
-}
-
-/**
- * Holds if assembly `a` was definitely compiled with core library `core`.
- */
-pragma[noinline]
-private predicate assemblyCompiledWithCoreLib(Assembly a, CoreLib core) {
-  a.getAnAttribute().getType().getBaseClass*().(SystemAttributeClass).getALocation() = core
-}
-
 /** A control flow element that is inside a `try` block. */
 private class TriedControlFlowElement extends ControlFlowElement {
   TryStmt try;
@@ -317,7 +305,7 @@ private class TriedControlFlowElement extends ControlFlowElement {
   /**
    * Gets an exception class that is potentially thrown by this element, if any.
    */
-  private Class getAThrownException0() {
+  Class getAThrownException() {
     this instanceof Overflowable and
     result instanceof SystemOverflowExceptionClass
     or
@@ -376,41 +364,6 @@ private class TriedControlFlowElement extends ControlFlowElement {
     this instanceof DynamicExpr and
     result instanceof SystemExceptionClass
   }
-
-  private CoreLib getCoreLibFromACatchClause() {
-    exists(SpecificCatchClause scc | scc = try.getACatchClause() |
-      result = scc.getCaughtExceptionType().getBaseClass*().(SystemExceptionClass).getALocation()
-    )
-  }
-
-  private CoreLib getCoreLib() {
-    result = this.getCoreLibFromACatchClause()
-    or
-    not exists(this.getCoreLibFromACatchClause()) and
-    assemblyCompiledWithCoreLib(this.getAssembly(), result)
-  }
-
-  pragma[noinline]
-  private Class getAThrownExceptionFromPlausibleCoreLib(string name) {
-    result = this.getAThrownException0() and
-    name = result.getQualifiedName() and
-    (
-      not exists(this.getCoreLib())
-      or
-      this.getCoreLib() = result.getALocation()
-    )
-  }
-
-  Class getAThrownException() {
-    exists(string name | result = this.getAThrownExceptionFromPlausibleCoreLib(name) |
-      result =
-        min(Class c |
-          c = this.getAThrownExceptionFromPlausibleCoreLib(name)
-        |
-          c order by c.getLocation().(Assembly).getFullName()
-        )
-    )
-  }
 }
 
 pragma[nomagic]

From 0d14b9413de210cabd06932dcdc5073e9b9b9c41 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Fri, 21 May 2021 09:44:41 +0200
Subject: [PATCH 1162/1429] C#: Avoid recomputing `ControlFlowTree::Range`
 outside the CFG construction stage

---
 .../ql/src/semmle/code/csharp/controlflow/BasicBlocks.qll   | 2 +-
 .../csharp/controlflow/internal/ControlFlowGraphImpl.qll    | 6 +++---
 .../internal/rangeanalysis/ModulusAnalysisSpecific.qll      | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/controlflow/BasicBlocks.qll b/csharp/ql/src/semmle/code/csharp/controlflow/BasicBlocks.qll
index 8b20ccb3c22..b4448a71380 100644
--- a/csharp/ql/src/semmle/code/csharp/controlflow/BasicBlocks.qll
+++ b/csharp/ql/src/semmle/code/csharp/controlflow/BasicBlocks.qll
@@ -403,7 +403,7 @@ private module JoinBlockPredecessors {
   private import semmle.code.csharp.controlflow.internal.ControlFlowGraphImpl
 
   int getId(JoinBlockPredecessor jbp) {
-    exists(ControlFlowTree::Range t | ControlFlowTree::idOf(t, result) |
+    exists(ControlFlowTree::Range_ t | ControlFlowTree::idOf(t, result) |
       t = jbp.getFirstNode().getElement()
       or
       t = jbp.(EntryBasicBlock).getCallable()
diff --git a/csharp/ql/src/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll b/csharp/ql/src/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
index 6a5944db3a2..63f6943a29c 100644
--- a/csharp/ql/src/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
@@ -77,7 +77,7 @@ class CfgScope extends Element, @top_level_exprorstmt_parent {
 }
 
 module ControlFlowTree {
-  private class Range_ = @callable or @control_flow_element;
+  class Range_ = @callable or @control_flow_element;
 
   class Range extends Element, Range_ {
     Range() { this = getAChild*(any(CfgScope scope)) }
@@ -88,9 +88,9 @@ module ControlFlowTree {
     result = p.(AssignOperation).getExpandedAssignment()
   }
 
-  private predicate id(Range x, Range y) { x = y }
+  private predicate id(Range_ x, Range_ y) { x = y }
 
-  predicate idOf(Range x, int y) = equivalenceRelation(id/2)(x, y)
+  predicate idOf(Range_ x, int y) = equivalenceRelation(id/2)(x, y)
 }
 
 abstract private class ControlFlowTree extends ControlFlowTree::Range {
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/ModulusAnalysisSpecific.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/ModulusAnalysisSpecific.qll
index f71b0d0ffcd..030020ede63 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/ModulusAnalysisSpecific.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/rangeanalysis/ModulusAnalysisSpecific.qll
@@ -49,7 +49,7 @@ module Private {
   }
 
   int getId(PhiInputEdgeBlock bb) {
-    exists(CfgImpl::ControlFlowTree::Range t | CfgImpl::ControlFlowTree::idOf(t, result) |
+    exists(CfgImpl::ControlFlowTree::Range_ t | CfgImpl::ControlFlowTree::idOf(t, result) |
       t = bb.getFirstNode().getElement()
       or
       t = bb.(CS::ControlFlow::BasicBlocks::EntryBlock).getCallable()

From 2a33756bdf3f97d993401a749b1ae7c2d56f7428 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Sun, 23 May 2021 14:37:05 +0200
Subject: [PATCH 1163/1429] C#: Encode `"` in `BuildDisplayName`

---
 csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs | 4 ++--
 csharp/extractor/Semmle.Extraction/TrapExtensions.cs          | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs b/csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs
index 0bda977a6d5..c3bc02bf480 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/SymbolExtensions.cs
@@ -373,7 +373,7 @@ namespace Semmle.Extraction.CSharp
                         var elementType = array.ElementType;
                         if (elementType.MetadataName.Contains("`"))
                         {
-                            trapFile.Write(elementType.Name);
+                            trapFile.Write(TrapExtensions.EncodeString(elementType.Name));
                             return;
                         }
                         elementType.BuildDisplayName(cx, trapFile);
@@ -480,7 +480,7 @@ namespace Semmle.Extraction.CSharp
             }
             else
             {
-                trapFile.Write(namedType.Name);
+                trapFile.Write(TrapExtensions.EncodeString(namedType.Name));
             }
 
             if (namedType.IsGenericType && namedType.TypeKind != TypeKind.Error && namedType.TypeArguments.Any())
diff --git a/csharp/extractor/Semmle.Extraction/TrapExtensions.cs b/csharp/extractor/Semmle.Extraction/TrapExtensions.cs
index e7d3fcec6b5..e1343019335 100644
--- a/csharp/extractor/Semmle.Extraction/TrapExtensions.cs
+++ b/csharp/extractor/Semmle.Extraction/TrapExtensions.cs
@@ -117,7 +117,7 @@ namespace Semmle.Extraction
             return s;
         }
 
-        private static string EncodeString(string s) => s.Replace("\"", "\"\"");
+        public static string EncodeString(string s) => s.Replace("\"", "\"\"");
 
         /// <summary>
         /// Output a string to the trap file, such that the encoded output does not exceed

From e857ac11490878f3a2de7c31f9f6214386073947 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 25 May 2021 09:17:42 +0200
Subject: [PATCH 1164/1429] C++: Add more tests and remove redundant conjunct.

---
 .../SuspiciousCallToStrncat.ql                |  4 +---
 .../SuspiciousCallToStrncat.expected          |  6 ++++--
 .../SuspiciousCallToStrncat/test.c            | 19 +++++++++++++++++--
 3 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
index 98b007640a5..34ce582fedb 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql	
@@ -38,9 +38,7 @@ predicate interestringCallWithArgs(Call call, Expr sizeArg, Expr destArg) {
  */
 predicate case1(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
   interestringCallWithArgs(fc, sizeArg, destArg) and
-  exists(StrcatFunction strncat, VariableAccess va |
-    fc.getTarget() = strncat and
-    destArg = fc.getArgument(strncat.getParamDest()) and
+  exists(VariableAccess va |
     va = sizeArg.(BufferSizeExpr).getArg() and
     destArg.getTarget() = va.getTarget()
   )
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/SuspiciousCallToStrncat.expected b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/SuspiciousCallToStrncat.expected
index 91cccc10f10..114cddb11a5 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/SuspiciousCallToStrncat.expected	
+++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/SuspiciousCallToStrncat.expected	
@@ -1,3 +1,5 @@
 | test.c:24:2:24:8 | call to strncat | Potentially unsafe call to strncat. |
-| test.c:46:3:46:9 | call to strncat | Potentially unsafe call to strncat. |
-| test.c:68:3:68:9 | call to strncat | Potentially unsafe call to strncat. |
+| test.c:45:3:45:9 | call to strncat | Potentially unsafe call to strncat. |
+| test.c:67:3:67:9 | call to strncat | Potentially unsafe call to strncat. |
+| test.c:75:3:75:9 | call to strncat | Potentially unsafe call to strncat. |
+| test.c:76:3:76:9 | call to strncat | Potentially unsafe call to strncat. |
diff --git a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/test.c b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/test.c
index 153c0a22178..f166e5c5ab9 100644
--- a/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/test.c	
+++ b/cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/test.c	
@@ -39,7 +39,6 @@ void bad1(char *s) {
 	strncat(buf, ".", 1); // BAD [NOT DETECTED] -- Need to check if any space is left
 }
 
-
 void strncat_test1(char *s) {
   char buf[80];
   strncat(buf, s, sizeof(buf) - strlen(buf) - 1); // GOOD
@@ -66,4 +65,20 @@ void strncat_test3(char* s, struct buffers* buffers) {
   unsigned max_size = sizeof(buffers->array);
   unsigned free_size = max_size - len_array;
   strncat(buffers->array, s, free_size); // BAD
-}
\ No newline at end of file
+}
+
+#define MAX_SIZE 80
+
+void strncat_test4(char *s) {
+  char buf[MAX_SIZE];
+  strncat(buf, s, MAX_SIZE - strlen(buf) - 1); // GOOD
+  strncat(buf, s, MAX_SIZE - strlen(buf));  // BAD
+  strncat(buf, "...", MAX_SIZE - strlen(buf)); // BAD
+}
+
+void strncat_test5(char *s) {
+  int len = 80;
+  char* buf = (char *) malloc(len + 1);
+  strncat(buf, s, len - strlen(buf) - 1); // GOOD
+  strncat(buf, s, len - strlen(buf)); // GOOD
+}

From eb244c0eb2ddb6d4d88fc1f3f127a072920b6389 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 25 May 2021 10:16:22 +0200
Subject: [PATCH 1165/1429] C++: Fix documentation.

---
 .../Security/CWE/CWE-570/IncorrectAllocationErrorHandling.cpp | 4 ++--
 .../Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql  | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.cpp b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.cpp
index 60f8c7cc9b7..055aadcedb6 100644
--- a/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.cpp
+++ b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.cpp
@@ -21,7 +21,7 @@ void bad2(std::size_t length) noexcept {
   }
 }
 
-// GOOD: the allocation failure is handled appropiately.
+// GOOD: the allocation failure is handled appropriately.
 void good1(std::size_t length) noexcept {
   try {
     int* dest = new int[length];
@@ -32,7 +32,7 @@ void good1(std::size_t length) noexcept {
   }
 }
 
-// GOOD: the allocation failure is handled appropiately.
+// GOOD: the allocation failure is handled appropriately.
 void good2(std::size_t length) noexcept {
   int* dest = new int[length];
   if(!dest) {
diff --git a/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
index 2f67b02e856..2e966166330 100644
--- a/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+++ b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -1,6 +1,6 @@
 /**
  * @name Incorrect allocation-error handling
- * @description `operator new` throws an exception on allocation failures, while `operator new(std::nothrow)` returns a null pointer. Mixing up these two failure conditions can result in unexpected behavior.
+ * @description Mixing up the failure conditions of 'operator new' and 'operator new(std::nothrow)' can result in unexpected behavior.
  * @kind problem
  * @id cpp/incorrect-allocation-error-handling
  * @problem.severity warning

From b55bce46f87075802f76a38d1b926b7b5b2fefba Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Tue, 25 May 2021 10:41:58 +0200
Subject: [PATCH 1166/1429] C#: Restrict non-returning CIL analysis to methods
 not from source

---
 .../code/csharp/controlflow/internal/NonReturning.qll       | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/controlflow/internal/NonReturning.qll b/csharp/ql/src/semmle/code/csharp/controlflow/internal/NonReturning.qll
index 6d075d031f5..fe9f1148a6d 100644
--- a/csharp/ql/src/semmle/code/csharp/controlflow/internal/NonReturning.qll
+++ b/csharp/ql/src/semmle/code/csharp/controlflow/internal/NonReturning.qll
@@ -39,8 +39,10 @@ private class ThrowingCall extends NonReturningCall {
       or
       this.(FailingAssertion).getAssertionFailure().isException(c.getExceptionClass())
       or
-      exists(CIL::Method m, CIL::Type ex |
-        this.getTarget().matchesHandle(m) and
+      exists(Callable target, CIL::Method m, CIL::Type ex |
+        target = this.getTarget() and
+        not target.hasBody() and
+        target.matchesHandle(m) and
         alwaysThrowsException(m, ex) and
         c.getExceptionClass().matchesHandle(ex) and
         not m.isVirtual()

From 017bf68906ad9418b087ff6c5f40752d8e1140dc Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Tue, 25 May 2021 11:40:53 +0200
Subject: [PATCH 1167/1429] Dataflow: Fix bad join order.

---
 .../cpp/dataflow/internal/DataFlowImpl.qll     | 18 ++++++++++++------
 .../cpp/dataflow/internal/DataFlowImpl2.qll    | 18 ++++++++++++------
 .../cpp/dataflow/internal/DataFlowImpl3.qll    | 18 ++++++++++++------
 .../cpp/dataflow/internal/DataFlowImpl4.qll    | 18 ++++++++++++------
 .../dataflow/internal/DataFlowImplLocal.qll    | 18 ++++++++++++------
 .../cpp/ir/dataflow/internal/DataFlowImpl.qll  | 18 ++++++++++++------
 .../cpp/ir/dataflow/internal/DataFlowImpl2.qll | 18 ++++++++++++------
 .../cpp/ir/dataflow/internal/DataFlowImpl3.qll | 18 ++++++++++++------
 .../cpp/ir/dataflow/internal/DataFlowImpl4.qll | 18 ++++++++++++------
 .../csharp/dataflow/internal/DataFlowImpl.qll  | 18 ++++++++++++------
 .../csharp/dataflow/internal/DataFlowImpl2.qll | 18 ++++++++++++------
 .../csharp/dataflow/internal/DataFlowImpl3.qll | 18 ++++++++++++------
 .../csharp/dataflow/internal/DataFlowImpl4.qll | 18 ++++++++++++------
 .../csharp/dataflow/internal/DataFlowImpl5.qll | 18 ++++++++++++------
 .../java/dataflow/internal/DataFlowImpl.qll    | 18 ++++++++++++------
 .../java/dataflow/internal/DataFlowImpl2.qll   | 18 ++++++++++++------
 .../java/dataflow/internal/DataFlowImpl3.qll   | 18 ++++++++++++------
 .../java/dataflow/internal/DataFlowImpl4.qll   | 18 ++++++++++++------
 .../java/dataflow/internal/DataFlowImpl5.qll   | 18 ++++++++++++------
 .../java/dataflow/internal/DataFlowImpl6.qll   | 18 ++++++++++++------
 .../dataflow/new/internal/DataFlowImpl.qll     | 18 ++++++++++++------
 .../dataflow/new/internal/DataFlowImpl2.qll    | 18 ++++++++++++------
 .../dataflow/new/internal/DataFlowImpl3.qll    | 18 ++++++++++++------
 .../dataflow/new/internal/DataFlowImpl4.qll    | 18 ++++++++++++------
 24 files changed, 288 insertions(+), 144 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
index c60bb107fdf..dc9583c6653 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
index c60bb107fdf..dc9583c6653 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
index c60bb107fdf..dc9583c6653 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
index c60bb107fdf..dc9583c6653 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
index c60bb107fdf..dc9583c6653 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
index c60bb107fdf..dc9583c6653 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
index c60bb107fdf..dc9583c6653 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
index c60bb107fdf..dc9583c6653 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
index c60bb107fdf..dc9583c6653 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index c60bb107fdf..dc9583c6653 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
index c60bb107fdf..dc9583c6653 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
index c60bb107fdf..dc9583c6653 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
index c60bb107fdf..dc9583c6653 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
index c60bb107fdf..dc9583c6653 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
index c60bb107fdf..dc9583c6653 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
index c60bb107fdf..dc9583c6653 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
index c60bb107fdf..dc9583c6653 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
index c60bb107fdf..dc9583c6653 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
index c60bb107fdf..dc9583c6653 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
index c60bb107fdf..dc9583c6653 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
index c60bb107fdf..dc9583c6653 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
index c60bb107fdf..dc9583c6653 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
index c60bb107fdf..dc9583c6653 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
index c60bb107fdf..dc9583c6653 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
@@ -1029,9 +1029,11 @@ private module Stage2 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -1708,9 +1710,11 @@ private module Stage3 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 
@@ -2461,9 +2465,11 @@ private module Stage4 {
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
     exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, cc, argAp, ap, config) and
+      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+        pragma[only_bind_into](config)) and
       fwdFlowOutFromArg(call, node, argAp0, ap, config) and
-      fwdFlowIsEntered(call, cc, argAp, argAp0, config)
+      fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
+        pragma[only_bind_into](config))
     )
   }
 

From 4884da363f41dd73521f62b8de0ce918955afcfe Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Tue, 25 May 2021 11:48:35 +0200
Subject: [PATCH 1168/1429] Java: Bugfix.

---
 java/ql/src/semmle/code/java/dispatch/VirtualDispatch.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/dispatch/VirtualDispatch.qll b/java/ql/src/semmle/code/java/dispatch/VirtualDispatch.qll
index 46c29c386b2..a26ff92b704 100644
--- a/java/ql/src/semmle/code/java/dispatch/VirtualDispatch.qll
+++ b/java/ql/src/semmle/code/java/dispatch/VirtualDispatch.qll
@@ -76,7 +76,7 @@ private module Dispatch {
     (
       exists(Method def, RefType t, boolean exact |
         qualType(ma, t, exact) and
-        def = ma.getMethod()
+        def = ma.getMethod().getSourceDeclaration()
       |
         exact = true and result = exactMethodImpl(def, t.getSourceDeclaration())
         or

From c70651b6feaea545e04107f39dffac31be71a799 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 25 May 2021 11:48:54 +0200
Subject: [PATCH 1169/1429] always have `arrayLikeElement` as TypeTracking
 properties

---
 .../ql/src/semmle/javascript/dataflow/internal/StepSummary.qll  | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/StepSummary.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/StepSummary.qll
index 2c1362c871d..14a6cdf0d1e 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/internal/StepSummary.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/internal/StepSummary.qll
@@ -27,6 +27,8 @@ private module Cached {
         SharedTypeTrackingStep::loadStoreStep(_, _, this, _)
         or
         SharedTypeTrackingStep::loadStoreStep(_, _, _, this)
+        or
+        this = DataFlow::PseudoProperties::arrayLikeElement()
       }
     }
 

From bfc8845f23daecfaa14f6ac7ba79d7a653577cfd Mon Sep 17 00:00:00 2001
From: shati-patel <42641846+shati-patel@users.noreply.github.com>
Date: Tue, 25 May 2021 11:36:18 +0100
Subject: [PATCH 1170/1429] Update wording

---
 .../codeql-for-visual-studio-code/customizing-settings.rst      | 2 +-
 docs/codeql/reusables/running-queries-debug.rst                 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/codeql/codeql-for-visual-studio-code/customizing-settings.rst b/docs/codeql/codeql-for-visual-studio-code/customizing-settings.rst
index 10c0fb12744..6b1b820b6aa 100644
--- a/docs/codeql/codeql-for-visual-studio-code/customizing-settings.rst
+++ b/docs/codeql/codeql-for-visual-studio-code/customizing-settings.rst
@@ -55,7 +55,7 @@ There are a number of settings for **Running Queries**. If your queries run too
 
 .. include:: ../reusables/running-queries-debug.rst
 
-To save CodeQL Query Server logs in a custom location, edit the **Running Queries: Custom Log Directory** setting. If you use a custom log directory, the extension doesn't automatically delete the CodeQL Query Server logs. This is useful if you want to investigate these logs to improve the performance of your queries.
+To save query server logs in a custom location, edit the **Running Queries: Custom Log Directory** setting. If you use a custom log directory, the extension saves the logs permanently, instead of deleting them automatically after each workspace session. This is useful if you want to investigate these logs to improve the performance of your queries.
 
 Configuring settings for testing queries
 -----------------------------------------
diff --git a/docs/codeql/reusables/running-queries-debug.rst b/docs/codeql/reusables/running-queries-debug.rst
index d7515fc4236..26e7162aa2b 100644
--- a/docs/codeql/reusables/running-queries-debug.rst
+++ b/docs/codeql/reusables/running-queries-debug.rst
@@ -1 +1 @@
-If you want to examine query performance, enable the **Running Queries: Debug** setting to include timing and tuple counts in the CodeQL Query Server logs shown in the Output view. The tuple count is useful because it indicates the size of the :ref:`predicates <predicates>` computed by the query.
\ No newline at end of file
+If you want to examine query performance, enable the **Running Queries: Debug** setting to include timing and tuple counts. This is shown in the logs in the CodeQL Query Server tab of the Output view. The tuple count is useful because it indicates the size of the :ref:`predicates <predicates>` computed by the query.
\ No newline at end of file

From f842d09a162717c1ce155867f09fce8956c3842e Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 25 May 2021 13:16:04 +0200
Subject: [PATCH 1171/1429] Apply suggestions from code review

Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../Likely Bugs/Memory Management/SuspiciousCallToStrncat.qhelp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.qhelp b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.qhelp
index 605d2a0f841..93645b2fc05 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.qhelp	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.qhelp	
@@ -7,7 +7,7 @@
 The third argument defines the maximum number of characters to append and should be less than or equal to the remaining space in the destination buffer.
 Calls of the form <code>strncat(dest, src, strlen(dest))</code> or <code>strncat(dest, src, sizeof(dest))</code> set the third argument to the entire size of the destination buffer.
 Executing a call of this type may cause a buffer overflow unless the buffer is known to be empty.
-Similarly, calls of the form <code>strncat(dest, src, sizeof (dest) - strlen (dest))</code> allows one byte to be written ouside the `dest` buffer.
+Similarly, calls of the form <code>strncat(dest, src, sizeof (dest) - strlen (dest))</code> allow one byte to be written ouside the `dest` buffer.
 Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.</p>
 
 </overview>

From 5382ef7761c32025a5a63344934ae51330ddbf6d Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 25 May 2021 13:18:15 +0200
Subject: [PATCH 1172/1429] C++: Split the overview section of qhelp into a
 couple of paragraphs.

---
 .../SuspiciousCallToStrncat.qhelp                | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.qhelp b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.qhelp
index 93645b2fc05..13c1e6d2710 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.qhelp	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.qhelp	
@@ -4,11 +4,17 @@
 <qhelp>
 <overview>
 <p>The standard library function <code>strncat</code> appends a source string to a target string. 
-The third argument defines the maximum number of characters to append and should be less than or equal to the remaining space in the destination buffer.
-Calls of the form <code>strncat(dest, src, strlen(dest))</code> or <code>strncat(dest, src, sizeof(dest))</code> set the third argument to the entire size of the destination buffer.
-Executing a call of this type may cause a buffer overflow unless the buffer is known to be empty.
-Similarly, calls of the form <code>strncat(dest, src, sizeof (dest) - strlen (dest))</code> allow one byte to be written ouside the `dest` buffer.
-Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.</p>
+The third argument defines the maximum number of characters to append and should be less than or equal
+to the remaining space in the destination buffer.</p>
+
+<p>Calls of the form <code>strncat(dest, src, strlen(dest))</code> or <code>strncat(dest, src, sizeof(dest))</code> set
+the third argument to the entire size of the destination buffer.
+Executing a call of this type may cause a buffer overflow unless the buffer is known to be empty.</p>
+
+<p>Similarly, calls of the form <code>strncat(dest, src, sizeof (dest) - strlen (dest))</code> allow one
+byte to be written ouside the <code>dest</code> buffer.</p>
+
+<p>Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.</p>
 
 </overview>
 <recommendation>

From 979034a17fad4951f138506a7b787abfd745fc4c Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 4 May 2021 16:20:35 +0200
Subject: [PATCH 1173/1429] Add github action to generate CSV coverage report

---
 .github/workflows/csv-coverage.yml           |  44 +++++++
 misc/scripts/generate-csv-coverage-report.py | 116 +++++++++++++++++++
 2 files changed, 160 insertions(+)
 create mode 100644 .github/workflows/csv-coverage.yml
 create mode 100644 misc/scripts/generate-csv-coverage-report.py

diff --git a/.github/workflows/csv-coverage.yml b/.github/workflows/csv-coverage.yml
new file mode 100644
index 00000000000..01a24860698
--- /dev/null
+++ b/.github/workflows/csv-coverage.yml
@@ -0,0 +1,44 @@
+name: Build CSV flow coverage report
+
+on:
+  push:
+    branches:
+     - main
+     - 'rc/**'
+  pull_request:
+    paths:
+      - '.github/workflows/csv-coverage.yml'
+      - 'misc/scripts/generate-csv-coverage-report.py'
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Clone self (github/codeql)
+      uses: actions/checkout@v2
+      with:
+        path: codeql
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+    - name: Download CodeQL CLI
+      uses: dsaltares/fetch-gh-release-asset@aa37ae5c44d3c9820bc12fe675e8670ecd93bd1c
+      with:
+        repo: "github/codeql-cli-binaries"
+        version: "latest"
+        file: "codeql-linux64.zip"
+        token: ${{ secrets.GITHUB_TOKEN }}
+    - name: Unzip CodeQL CLI
+      run: unzip -d codeql-cli codeql-linux64.zip
+    - name: Build modeled package list
+      run: |
+        PATH="$PATH:codeql-cli/codeql" python codeql/misc/scripts/generate-csv-coverage-report.py codeql
+    - name: Upload modeled package list
+      uses: actions/upload-artifact@v2
+      with:
+        name: csv-flow-model-coverage
+        path: csv-flow-model-coverage-*.csv
+
diff --git a/misc/scripts/generate-csv-coverage-report.py b/misc/scripts/generate-csv-coverage-report.py
new file mode 100644
index 00000000000..014ab170716
--- /dev/null
+++ b/misc/scripts/generate-csv-coverage-report.py
@@ -0,0 +1,116 @@
+import subprocess
+import json
+import csv
+import sys
+import os
+
+"""
+This script runs the CSV coverage report QL query, and transforms it to a more readable format.
+"""
+
+
+def subprocess_run(cmd):
+    """Runs a command through subprocess.run, with a few tweaks. Raises an Exception if exit code != 0."""
+    return subprocess.run(cmd, capture_output=True, text=True, env=os.environ.copy(), check=True)
+
+
+def create_empty_database(lang, extension, database):
+    """Creates an empty database for the given language."""
+    subprocess_run(["codeql", "database", "init", "--language=" + lang,
+                   "--source-root=/tmp/empty", "--allow-missing-source-root", database])
+    subprocess_run(["mkdir", "-p", database + "/src/tmp/empty"])
+    subprocess_run(["touch", database + "/src/tmp/empty/empty." + extension])
+    subprocess_run(["codeql", "database", "finalize",
+                   database, "--no-pre-finalize"])
+
+
+def run_codeql_query(query, database, output):
+    """Runs a codeql query on the given database."""
+    subprocess_run(["codeql", "query", "run", query,
+                   "--database", database, "--output", output + ".bqrs"])
+    subprocess_run(["codeql", "bqrs", "decode", output + ".bqrs",
+                   "--format=csv", "--no-titles", "--output", output])
+
+
+class LanguageConfig:
+    def __init__(self, lang, ext, ql_path):
+        self.lang = lang
+        self.ext = ext
+        self.ql_path = ql_path
+
+
+try:  # Check for `codeql` on path
+    subprocess_run(["codeql", "--version"])
+except Exception as e:
+    print("Error: couldn't invoke CodeQL CLI 'codeql'. Is it on the path? Aborting.", file=sys.stderr)
+    raise e
+
+prefix = ""
+if len(sys.argv) > 1:
+    prefix = sys.argv[1] + "/"
+
+# Languages for which we want to generate coverage reports.
+configs = [
+    LanguageConfig(
+        "java", "java", prefix + "java/ql/src/meta/frameworks/Coverage.ql")
+]
+
+for config in configs:
+    lang = config.lang
+    ext = config.ext
+    query_path = config.ql_path
+    db = "empty-" + lang
+    ql_output = "output-" + lang + ".csv"
+    create_empty_database(lang, ext, db)
+    run_codeql_query(query_path, db, ql_output)
+
+    packages = {}
+    parts = set()
+    kinds = set()
+
+    with open(ql_output) as csvfile:
+        reader = csv.reader(csvfile)
+        for row in reader:
+            package = row[0]
+            if package not in packages:
+                packages[package] = {
+                    "count": row[1],
+                    "part": {},
+                    "kind": {}
+                }
+            part = row[3]
+            parts.add(part)
+            if part not in packages[package]["part"]:
+                packages[package]["part"][part] = 0
+            packages[package]["part"][part] += int(row[4])
+            kind = part + ":" + row[2]
+            kinds.add(kind)
+            if kind not in packages[package]["kind"]:
+                packages[package]["kind"][kind] = 0
+            packages[package]["kind"][kind] += int(row[4])
+
+    with open("csv-flow-model-coverage-" + lang + ".csv", 'w', newline='') as csvfile:
+        csvwriter = csv.writer(csvfile)
+
+        parts = sorted(parts)
+        kinds = sorted(kinds)
+
+        columns = ["package"]
+        columns.extend(parts)
+        columns.extend(kinds)
+
+        csvwriter.writerow(columns)
+
+        for package in sorted(packages):
+            row = [package]
+            for part in parts:
+                if part in packages[package]["part"]:
+                    row.append(packages[package]["part"][part])
+                else:
+                    row.append(None)
+            for kind in kinds:
+                if kind in packages[package]["kind"]:
+                    row.append(packages[package]["kind"][kind])
+                else:
+                    row.append(None)
+            csvwriter.writerow(row)

From beea36191bdbd81632516e2e869fc6622fbcf689 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 5 May 2021 14:58:57 +0200
Subject: [PATCH 1174/1429] Add CSV file with framework and CWE info to be used
 in RST file

---
 misc/scripts/cwe-sink-java.csv               |   3 +
 misc/scripts/frameworks-java.csv             |   5 +
 misc/scripts/generate-csv-coverage-report.py | 160 +++++++++++++++++--
 3 files changed, 159 insertions(+), 9 deletions(-)
 create mode 100644 misc/scripts/cwe-sink-java.csv
 create mode 100644 misc/scripts/frameworks-java.csv

diff --git a/misc/scripts/cwe-sink-java.csv b/misc/scripts/cwe-sink-java.csv
new file mode 100644
index 00000000000..c8a43fa8d08
--- /dev/null
+++ b/misc/scripts/cwe-sink-java.csv
@@ -0,0 +1,3 @@
+CWE,Sink identifier,Label
+CWE-89,sql,SQL injection
+CWE-22,create-file,Path injection
\ No newline at end of file
diff --git a/misc/scripts/frameworks-java.csv b/misc/scripts/frameworks-java.csv
new file mode 100644
index 00000000000..cd01b8d8949
--- /dev/null
+++ b/misc/scripts/frameworks-java.csv
@@ -0,0 +1,5 @@
+Framework name,URL,Package prefix
+Hibernate,https://hibernate.org/,org.hibernate
+Java Standard Library,,java.*
+Google,,com.google.common.*
+Apache,,org.apache.*
\ No newline at end of file
diff --git a/misc/scripts/generate-csv-coverage-report.py b/misc/scripts/generate-csv-coverage-report.py
index 014ab170716..353bae0cbee 100644
--- a/misc/scripts/generate-csv-coverage-report.py
+++ b/misc/scripts/generate-csv-coverage-report.py
@@ -32,6 +32,62 @@ def run_codeql_query(query, database, output):
                    "--format=csv", "--no-titles", "--output", output])
 
 
+def append_csv_number(list, value):
+    """Adds a number to the list or None if the value is not greater than 0."""
+    if value > 0:
+        list.append(value)
+    else:
+        list.append(None)
+
+
+def append_csv_dict_item(list, dictionary, key):
+    """Adds a dictionary item to the list if the key is in the dictionary."""
+    if key in dictionary:
+        list.append(dictionary[key])
+    else:
+        list.append(None)
+
+
+def collect_package_stats(packages, filter):
+    """Collects coverage statistics for packages matching the given filter."""
+    sources = 0
+    steps = 0
+    sinks = 0
+    framework_cwes = {}
+    processed_packages = set()
+
+    for package in packages:
+        if filter(package):
+            processed_packages.add(package)
+            sources += int(packages[package]["kind"].get("source:remote", 0))
+            steps += int(packages[package]["part"].get("summary", 0))
+            sinks += int(packages[package]["part"].get("sink", 0))
+
+            for cwe in cwes:
+                sink = "sink:" + cwes[cwe]["sink"]
+                if sink in packages[package]["kind"]:
+                    if cwe not in framework_cwes:
+                        framework_cwes[cwe] = 0
+                    framework_cwes[cwe] += int(
+                        packages[package]["kind"][sink])
+
+    return sources, steps, sinks, framework_cwes, processed_packages
+
+
+def add_package_stats_to_row(row, sorted_cwes, collect):
+    """ Adds collected statistic to the row. """
+    sources, steps, sinks, framework_cwes, processed_packages = collect()
+
+    append_csv_number(row, sources)
+    append_csv_number(row, steps)
+    append_csv_number(row, sinks)
+
+    for cwe in sorted_cwes:
+        append_csv_dict_item(row, framework_cwes, cwe)
+
+    return row, processed_packages
+
+
 class LanguageConfig:
     def __init__(self, lang, ext, ql_path):
         self.lang = lang
@@ -61,13 +117,14 @@ for config in configs:
     query_path = config.ql_path
     db = "empty-" + lang
     ql_output = "output-" + lang + ".csv"
-    create_empty_database(lang, ext, db)
+    # create_empty_database(lang, ext, db)
     run_codeql_query(query_path, db, ql_output)
 
     packages = {}
     parts = set()
     kinds = set()
 
+    # Read the generated CSV file, and collect package statistics.
     with open(ql_output) as csvfile:
         reader = csv.reader(csvfile)
         for row in reader:
@@ -89,6 +146,7 @@ for config in configs:
                 packages[package]["kind"][kind] = 0
             packages[package]["kind"][kind] += int(row[4])
 
+    # Write the denormalized package statistics to a CSV file.
     with open("csv-flow-model-coverage-" + lang + ".csv", 'w', newline='') as csvfile:
         csvwriter = csv.writer(csvfile)
 
@@ -104,13 +162,97 @@ for config in configs:
         for package in sorted(packages):
             row = [package]
             for part in parts:
-                if part in packages[package]["part"]:
-                    row.append(packages[package]["part"][part])
-                else:
-                    row.append(None)
+                append_csv_dict_item(row, packages[package]["part"], part)
             for kind in kinds:
-                if kind in packages[package]["kind"]:
-                    row.append(packages[package]["kind"][kind])
-                else:
-                    row.append(None)
+                append_csv_dict_item(row, packages[package]["kind"], kind)
             csvwriter.writerow(row)
+
+    # Read the additional framework data, such as URL, friendly name
+    frameworks = {}
+
+    with open(prefix + "misc/scripts/frameworks-" + lang + ".csv") as csvfile:
+        reader = csv.reader(csvfile)
+        next(reader)
+        for row in reader:
+            framwork = row[0]
+            if framwork not in frameworks:
+                frameworks[framwork] = {
+                    "package": row[2],
+                    "url": row[1]
+                }
+
+    # Read the additional CWE data
+    cwes = {}
+
+    with open(prefix + "misc/scripts/cwe-sink-" + lang + ".csv") as csvfile:
+        reader = csv.reader(csvfile)
+        next(reader)
+        for row in reader:
+            cwe = row[0]
+            if cwe not in cwes:
+                cwes[cwe] = {
+                    "sink": row[1],
+                    "label": row[2]
+                }
+
+    with open("rst-csv-flow-model-coverage-" + lang + ".csv", 'w', newline='') as csvfile:
+        csvwriter = csv.writer(csvfile)
+
+        columns = ["Framework / library", "package",
+                   "remote flow sources", "taint & value steps", "sinks (total)"]
+        for cwe in sorted(cwes):
+            columns.append("`" + cwe + "` :sub:`" + cwes[cwe]["label"] + "`")
+        csvwriter.writerow(columns)
+
+        processed_packages = set()
+
+        for framework in sorted(frameworks):
+            row = []
+            # Add the framework name to the row
+            if not frameworks[framework]["url"]:
+                row.append(framework)
+            else:
+                row.append(
+                    "`" + framework + " <" + frameworks[framework]["url"] + ">`_")
+
+            # Add the package name to the row
+            row.append(frameworks[framework]["package"])
+
+            prefix = frameworks[framework]["package"]
+
+            # Collect statistics on the current framework
+            def collect_framework(): return collect_package_stats(
+                packages,
+                lambda p: (prefix.endswith("*") and p.startswith(prefix[:-1])) or (not prefix.endswith("*") and prefix == p))
+
+            row, f_processed_packages = add_package_stats_to_row(
+                row, sorted(cwes), collect_framework)
+
+            csvwriter.writerow(row)
+            processed_packages.update(f_processed_packages)
+
+        # Collect statistics on all packages that are not part of a framework
+        row = ["Others", None]
+
+        def collect_others(): return collect_package_stats(
+            packages,
+            lambda p: p not in processed_packages)
+
+        row, _ = add_package_stats_to_row(
+            row, sorted(cwes), collect_others)
+
+        csvwriter.writerow(row)
+
+        # Collect statistics on all packages
+        row = ["Total", None]
+
+        def collect_total(): return collect_package_stats(
+            packages,
+            lambda p: True)
+
+        row, _ = add_package_stats_to_row(
+            row, sorted(cwes), collect_total)
+
+        csvwriter.writerow(row)
+
+# todo: generate rst page referencing the csv files

From ef414681be2b849d5a58cea6c62cd81ce8d3e2fc Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 5 May 2021 16:17:18 +0200
Subject: [PATCH 1175/1429] Add RST documentation page

---
 misc/scripts/generate-csv-coverage-report.py | 257 ++++++++++---------
 1 file changed, 135 insertions(+), 122 deletions(-)

diff --git a/misc/scripts/generate-csv-coverage-report.py b/misc/scripts/generate-csv-coverage-report.py
index 353bae0cbee..c0a9019115c 100644
--- a/misc/scripts/generate-csv-coverage-report.py
+++ b/misc/scripts/generate-csv-coverage-report.py
@@ -19,7 +19,7 @@ def create_empty_database(lang, extension, database):
     subprocess_run(["codeql", "database", "init", "--language=" + lang,
                    "--source-root=/tmp/empty", "--allow-missing-source-root", database])
     subprocess_run(["mkdir", "-p", database + "/src/tmp/empty"])
-    subprocess_run(["touch", database + "/src/tmp/empty/empty." + extension])
+    subprocess_run(["touch", database + "/src/tmp/empty/empty" + extension])
     subprocess_run(["codeql", "database", "finalize",
                    database, "--no-pre-finalize"])
 
@@ -89,8 +89,9 @@ def add_package_stats_to_row(row, sorted_cwes, collect):
 
 
 class LanguageConfig:
-    def __init__(self, lang, ext, ql_path):
+    def __init__(self, lang, capitalized_lang, ext, ql_path):
         self.lang = lang
+        self.capitalized_lang = capitalized_lang
         self.ext = ext
         self.ql_path = ql_path
 
@@ -108,151 +109,163 @@ if len(sys.argv) > 1:
 # Languages for which we want to generate coverage reports.
 configs = [
     LanguageConfig(
-        "java", "java", prefix + "java/ql/src/meta/frameworks/Coverage.ql")
+        "java", "Java", ".java", prefix + "java/ql/src/meta/frameworks/Coverage.ql")
 ]
 
-for config in configs:
-    lang = config.lang
-    ext = config.ext
-    query_path = config.ql_path
-    db = "empty-" + lang
-    ql_output = "output-" + lang + ".csv"
-    # create_empty_database(lang, ext, db)
-    run_codeql_query(query_path, db, ql_output)
+with open("csv-flow-model-coverage.rst", 'w') as rst_file:
+    for config in configs:
+        lang = config.lang
+        db = "empty-" + lang
+        ql_output = "output-" + lang + ".csv"
+        create_empty_database(lang, config.ext, db)
+        run_codeql_query(config.ql_path, db, ql_output)
 
-    packages = {}
-    parts = set()
-    kinds = set()
+        packages = {}
+        parts = set()
+        kinds = set()
 
-    # Read the generated CSV file, and collect package statistics.
-    with open(ql_output) as csvfile:
-        reader = csv.reader(csvfile)
-        for row in reader:
-            package = row[0]
-            if package not in packages:
-                packages[package] = {
-                    "count": row[1],
-                    "part": {},
-                    "kind": {}
-                }
-            part = row[3]
-            parts.add(part)
-            if part not in packages[package]["part"]:
-                packages[package]["part"][part] = 0
-            packages[package]["part"][part] += int(row[4])
-            kind = part + ":" + row[2]
-            kinds.add(kind)
-            if kind not in packages[package]["kind"]:
-                packages[package]["kind"][kind] = 0
-            packages[package]["kind"][kind] += int(row[4])
+        # Read the generated CSV file, and collect package statistics.
+        with open(ql_output) as csvfile:
+            reader = csv.reader(csvfile)
+            for row in reader:
+                package = row[0]
+                if package not in packages:
+                    packages[package] = {
+                        "count": row[1],
+                        "part": {},
+                        "kind": {}
+                    }
+                part = row[3]
+                parts.add(part)
+                if part not in packages[package]["part"]:
+                    packages[package]["part"][part] = 0
+                packages[package]["part"][part] += int(row[4])
+                kind = part + ":" + row[2]
+                kinds.add(kind)
+                if kind not in packages[package]["kind"]:
+                    packages[package]["kind"][kind] = 0
+                packages[package]["kind"][kind] += int(row[4])
 
-    # Write the denormalized package statistics to a CSV file.
-    with open("csv-flow-model-coverage-" + lang + ".csv", 'w', newline='') as csvfile:
-        csvwriter = csv.writer(csvfile)
+        # Write the denormalized package statistics to a CSV file.
+        with open("csv-flow-model-coverage-" + lang + ".csv", 'w', newline='') as csvfile:
+            csvwriter = csv.writer(csvfile)
 
-        parts = sorted(parts)
-        kinds = sorted(kinds)
+            parts = sorted(parts)
+            kinds = sorted(kinds)
 
-        columns = ["package"]
-        columns.extend(parts)
-        columns.extend(kinds)
+            columns = ["package"]
+            columns.extend(parts)
+            columns.extend(kinds)
 
-        csvwriter.writerow(columns)
+            csvwriter.writerow(columns)
 
-        for package in sorted(packages):
-            row = [package]
-            for part in parts:
-                append_csv_dict_item(row, packages[package]["part"], part)
-            for kind in kinds:
-                append_csv_dict_item(row, packages[package]["kind"], kind)
-            csvwriter.writerow(row)
+            for package in sorted(packages):
+                row = [package]
+                for part in parts:
+                    append_csv_dict_item(row, packages[package]["part"], part)
+                for kind in kinds:
+                    append_csv_dict_item(row, packages[package]["kind"], kind)
+                csvwriter.writerow(row)
 
-    # Read the additional framework data, such as URL, friendly name
-    frameworks = {}
+        # Read the additional framework data, such as URL, friendly name
+        frameworks = {}
 
-    with open(prefix + "misc/scripts/frameworks-" + lang + ".csv") as csvfile:
-        reader = csv.reader(csvfile)
-        next(reader)
-        for row in reader:
-            framwork = row[0]
-            if framwork not in frameworks:
-                frameworks[framwork] = {
-                    "package": row[2],
-                    "url": row[1]
-                }
+        with open(prefix + "misc/scripts/frameworks-" + lang + ".csv") as csvfile:
+            reader = csv.reader(csvfile)
+            next(reader)
+            for row in reader:
+                framwork = row[0]
+                if framwork not in frameworks:
+                    frameworks[framwork] = {
+                        "package": row[2],
+                        "url": row[1]
+                    }
 
-    # Read the additional CWE data
-    cwes = {}
+        # Read the additional CWE data
+        cwes = {}
 
-    with open(prefix + "misc/scripts/cwe-sink-" + lang + ".csv") as csvfile:
-        reader = csv.reader(csvfile)
-        next(reader)
-        for row in reader:
-            cwe = row[0]
-            if cwe not in cwes:
-                cwes[cwe] = {
-                    "sink": row[1],
-                    "label": row[2]
-                }
+        with open(prefix + "misc/scripts/cwe-sink-" + lang + ".csv") as csvfile:
+            reader = csv.reader(csvfile)
+            next(reader)
+            for row in reader:
+                cwe = row[0]
+                if cwe not in cwes:
+                    cwes[cwe] = {
+                        "sink": row[1],
+                        "label": row[2]
+                    }
 
-    with open("rst-csv-flow-model-coverage-" + lang + ".csv", 'w', newline='') as csvfile:
-        csvwriter = csv.writer(csvfile)
+        file_name = "rst-csv-flow-model-coverage-" + lang + ".csv"
 
-        columns = ["Framework / library", "package",
-                   "remote flow sources", "taint & value steps", "sinks (total)"]
-        for cwe in sorted(cwes):
-            columns.append("`" + cwe + "` :sub:`" + cwes[cwe]["label"] + "`")
-        csvwriter.writerow(columns)
+        rst_file.write(
+            config.capitalized_lang + " framework & library support\n")
+        rst_file.write("================================\n\n")
+        rst_file.write(".. csv-table:: \n")
+        rst_file.write("     :file: " + file_name + "\n")
+        rst_file.write("     :header-rows: 1\n")
+        rst_file.write("     :class: fullWidthTable\n")
+        rst_file.write("     :widths: auto\n\n")
 
-        processed_packages = set()
+        # Write CSV file with package statistics and framework data to be used in RST file.
+        with open(file_name, 'w', newline='') as csvfile:
+            csvwriter = csv.writer(csvfile)
 
-        for framework in sorted(frameworks):
-            row = []
-            # Add the framework name to the row
-            if not frameworks[framework]["url"]:
-                row.append(framework)
-            else:
-                row.append(
-                    "`" + framework + " <" + frameworks[framework]["url"] + ">`_")
+            columns = ["Framework / library", "package",
+                       "remote flow sources", "taint & value steps", "sinks (total)"]
+            for cwe in sorted(cwes):
+                columns.append("`" + cwe + "` :sub:`" +
+                               cwes[cwe]["label"] + "`")
+            csvwriter.writerow(columns)
 
-            # Add the package name to the row
-            row.append(frameworks[framework]["package"])
+            processed_packages = set()
 
-            prefix = frameworks[framework]["package"]
+            for framework in sorted(frameworks):
+                row = []
+                # Add the framework name to the row
+                if not frameworks[framework]["url"]:
+                    row.append(framework)
+                else:
+                    row.append(
+                        "`" + framework + " <" + frameworks[framework]["url"] + ">`_")
 
-            # Collect statistics on the current framework
-            def collect_framework(): return collect_package_stats(
+                # Add the package name to the row
+                row.append(frameworks[framework]["package"])
+
+                prefix = frameworks[framework]["package"]
+
+                # Collect statistics on the current framework
+                def collect_framework(): return collect_package_stats(
+                    packages,
+                    lambda p: (prefix.endswith("*") and p.startswith(prefix[:-1])) or (not prefix.endswith("*") and prefix == p))
+
+                row, f_processed_packages = add_package_stats_to_row(
+                    row, sorted(cwes), collect_framework)
+
+                csvwriter.writerow(row)
+                processed_packages.update(f_processed_packages)
+
+            # Collect statistics on all packages that are not part of a framework
+            row = ["Others", None]
+
+            def collect_others(): return collect_package_stats(
                 packages,
-                lambda p: (prefix.endswith("*") and p.startswith(prefix[:-1])) or (not prefix.endswith("*") and prefix == p))
+                lambda p: p not in processed_packages)
 
-            row, f_processed_packages = add_package_stats_to_row(
-                row, sorted(cwes), collect_framework)
+            row, other_packages = add_package_stats_to_row(
+                row, sorted(cwes), collect_others)
+
+            row[1] = ", ".join(sorted(other_packages))
 
             csvwriter.writerow(row)
-            processed_packages.update(f_processed_packages)
 
-        # Collect statistics on all packages that are not part of a framework
-        row = ["Others", None]
+            # Collect statistics on all packages
+            row = ["Total", None]
 
-        def collect_others(): return collect_package_stats(
-            packages,
-            lambda p: p not in processed_packages)
+            def collect_total(): return collect_package_stats(
+                packages,
+                lambda p: True)
 
-        row, _ = add_package_stats_to_row(
-            row, sorted(cwes), collect_others)
+            row, _ = add_package_stats_to_row(
+                row, sorted(cwes), collect_total)
 
-        csvwriter.writerow(row)
-
-        # Collect statistics on all packages
-        row = ["Total", None]
-
-        def collect_total(): return collect_package_stats(
-            packages,
-            lambda p: True)
-
-        row, _ = add_package_stats_to_row(
-            row, sorted(cwes), collect_total)
-
-        csvwriter.writerow(row)
-
-# todo: generate rst page referencing the csv files
+            csvwriter.writerow(row)

From 564fca0da40d83ef3450a92412b2964e15e9ee02 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 5 May 2021 16:21:02 +0200
Subject: [PATCH 1176/1429] Adjust workflow triggers and uploads

---
 .github/workflows/csv-coverage.yml           | 12 +++++++++++-
 misc/scripts/generate-csv-coverage-report.py |  2 +-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/csv-coverage.yml b/.github/workflows/csv-coverage.yml
index 01a24860698..db53413f85f 100644
--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -9,6 +9,9 @@ on:
     paths:
       - '.github/workflows/csv-coverage.yml'
       - 'misc/scripts/generate-csv-coverage-report.py'
+      - 'misc/scripts/cwe-sink-*.csv'
+      - 'misc/scripts/frameworks-*.csv'
+      - 'java/ql/src/meta/frameworks/Coverage.ql'
 
 jobs:
   build:
@@ -36,9 +39,16 @@ jobs:
     - name: Build modeled package list
       run: |
         PATH="$PATH:codeql-cli/codeql" python codeql/misc/scripts/generate-csv-coverage-report.py codeql
-    - name: Upload modeled package list
+    - name: Upload CSV package list
       uses: actions/upload-artifact@v2
       with:
         name: csv-flow-model-coverage
         path: csv-flow-model-coverage-*.csv
+    - name: Upload RST package list
+      uses: actions/upload-artifact@v2
+      with:
+        name: rst-flow-model-coverage
+        path: |
+          flow-model-coverage.rst
+          rst-csv-flow-model-coverage-*.csv
 
diff --git a/misc/scripts/generate-csv-coverage-report.py b/misc/scripts/generate-csv-coverage-report.py
index c0a9019115c..c4873991abe 100644
--- a/misc/scripts/generate-csv-coverage-report.py
+++ b/misc/scripts/generate-csv-coverage-report.py
@@ -112,7 +112,7 @@ configs = [
         "java", "Java", ".java", prefix + "java/ql/src/meta/frameworks/Coverage.ql")
 ]
 
-with open("csv-flow-model-coverage.rst", 'w') as rst_file:
+with open("flow-model-coverage.rst", 'w') as rst_file:
     for config in configs:
         lang = config.lang
         db = "empty-" + lang

From f26dba67acea1440c961d23b5cadef92751c9ee0 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 5 May 2021 16:33:00 +0200
Subject: [PATCH 1177/1429] Adjust 'Total' label to 'Totals'

---
 misc/scripts/generate-csv-coverage-report.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc/scripts/generate-csv-coverage-report.py b/misc/scripts/generate-csv-coverage-report.py
index c4873991abe..62fd88f8f0e 100644
--- a/misc/scripts/generate-csv-coverage-report.py
+++ b/misc/scripts/generate-csv-coverage-report.py
@@ -259,7 +259,7 @@ with open("flow-model-coverage.rst", 'w') as rst_file:
             csvwriter.writerow(row)
 
             # Collect statistics on all packages
-            row = ["Total", None]
+            row = ["Totals", None]
 
             def collect_total(): return collect_package_stats(
                 packages,

From d0a46eb7b7a708b32c8c4bd5019e610d7a410c45 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 5 May 2021 16:39:49 +0200
Subject: [PATCH 1178/1429] Adjust formatting

---
 misc/scripts/generate-csv-coverage-report.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/misc/scripts/generate-csv-coverage-report.py b/misc/scripts/generate-csv-coverage-report.py
index 62fd88f8f0e..6a3762b2017 100644
--- a/misc/scripts/generate-csv-coverage-report.py
+++ b/misc/scripts/generate-csv-coverage-report.py
@@ -229,7 +229,7 @@ with open("flow-model-coverage.rst", 'w') as rst_file:
                         "`" + framework + " <" + frameworks[framework]["url"] + ">`_")
 
                 # Add the package name to the row
-                row.append(frameworks[framework]["package"])
+                row.append("``" + frameworks[framework]["package"] + "``")
 
                 prefix = frameworks[framework]["package"]
 
@@ -254,7 +254,8 @@ with open("flow-model-coverage.rst", 'w') as rst_file:
             row, other_packages = add_package_stats_to_row(
                 row, sorted(cwes), collect_others)
 
-            row[1] = ", ".join(sorted(other_packages))
+            row[1] = ", ".join("``{0}``".format(p)
+                               for p in sorted(other_packages))
 
             csvwriter.writerow(row)
 

From 2adb3e992aba9304d62dd07cc673e7b107274295 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 6 May 2021 11:03:05 +0200
Subject: [PATCH 1179/1429] Code quality improvements on coverage report
 generator script

---
 misc/scripts/generate-csv-coverage-report.py | 112 ++++++++++++-------
 1 file changed, 73 insertions(+), 39 deletions(-)

diff --git a/misc/scripts/generate-csv-coverage-report.py b/misc/scripts/generate-csv-coverage-report.py
index 6a3762b2017..ce34053d77f 100644
--- a/misc/scripts/generate-csv-coverage-report.py
+++ b/misc/scripts/generate-csv-coverage-report.py
@@ -6,7 +6,9 @@ import os
 
 """
 This script runs the CSV coverage report QL query, and transforms it to a more readable format.
-"""
+There are two main outputs: (i) a CSV file containing the coverage data, and (ii) an RST page containing the coverage
+data.
+ """
 
 
 def subprocess_run(cmd):
@@ -48,8 +50,20 @@ def append_csv_dict_item(list, dictionary, key):
         list.append(None)
 
 
-def collect_package_stats(packages, filter):
-    """Collects coverage statistics for packages matching the given filter."""
+def increment_dict_item(value, dictionary, key):
+    """Increments the value of the dictionary[key] by value."""
+    if key not in dictionary:
+        dictionary[key] = 0
+    dictionary[key] += int(value)
+
+
+def collect_package_stats(packages, cwes, filter):
+    """
+    Collects coverage statistics for packages matching the given filter. `filter` is a `lambda` that for example (i) matches
+    packages to frameworks, or (2) matches packages that were previously not processed.
+
+    The returned statistics are used to generate a single row in a CSV file.
+    """
     sources = 0
     steps = 0
     sinks = 0
@@ -75,7 +89,11 @@ def collect_package_stats(packages, filter):
 
 
 def add_package_stats_to_row(row, sorted_cwes, collect):
-    """ Adds collected statistic to the row. """
+    """
+    Adds collected statistic to the row. `collect` is a `lambda` that returns the statistics for example for (i) individual
+    frameworks, (ii) leftout frameworks summarized in the 'Others' row, or (iii) all frameworks summarized in the 'Totals'
+    row.
+    """
     sources, steps, sinks, framework_cwes, processed_packages = collect()
 
     append_csv_number(row, sources)
@@ -112,11 +130,19 @@ configs = [
         "java", "Java", ".java", prefix + "java/ql/src/meta/frameworks/Coverage.ql")
 ]
 
-with open("flow-model-coverage.rst", 'w') as rst_file:
+# The names of input and output files. The placeholder {language} is replaced with the language name.
+output_rst = "flow-model-coverage.rst"
+output_rst_csv = "rst-csv-flow-model-coverage-{language}.csv"
+output_ql_csv = "output-{language}.csv"
+output_csv = "csv-flow-model-coverage-{language}.csv"
+input_framework_csv = prefix + "misc/scripts/frameworks-{language}.csv"
+input_cwe_sink_csv = prefix + "misc/scripts/cwe-sink-{language}.csv"
+
+with open(output_rst, 'w') as rst_file:
     for config in configs:
         lang = config.lang
         db = "empty-" + lang
-        ql_output = "output-" + lang + ".csv"
+        ql_output = output_ql_csv.format(language=lang)
         create_empty_database(lang, config.ext, db)
         run_codeql_query(config.ql_path, db, ql_output)
 
@@ -128,36 +154,37 @@ with open("flow-model-coverage.rst", 'w') as rst_file:
         with open(ql_output) as csvfile:
             reader = csv.reader(csvfile)
             for row in reader:
+                # row: "android.util",1,"remote","source",16
                 package = row[0]
                 if package not in packages:
                     packages[package] = {
                         "count": row[1],
+                        # part: "summary", "sink", or "source"
                         "part": {},
+                        # kind: "source:remote", "sink:create-file", ...
                         "kind": {}
                     }
+
                 part = row[3]
                 parts.add(part)
-                if part not in packages[package]["part"]:
-                    packages[package]["part"][part] = 0
-                packages[package]["part"][part] += int(row[4])
+                increment_dict_item(row[4], packages[package]["part"], part)
+
                 kind = part + ":" + row[2]
                 kinds.add(kind)
-                if kind not in packages[package]["kind"]:
-                    packages[package]["kind"][kind] = 0
-                packages[package]["kind"][kind] += int(row[4])
+                increment_dict_item(row[4], packages[package]["kind"], kind)
+
+        parts = sorted(parts)
+        kinds = sorted(kinds)
 
         # Write the denormalized package statistics to a CSV file.
-        with open("csv-flow-model-coverage-" + lang + ".csv", 'w', newline='') as csvfile:
+        with open(output_csv.format(language=lang), 'w', newline='') as csvfile:
             csvwriter = csv.writer(csvfile)
 
-            parts = sorted(parts)
-            kinds = sorted(kinds)
+            headers = ["package"]
+            headers.extend(parts)
+            headers.extend(kinds)
 
-            columns = ["package"]
-            columns.extend(parts)
-            columns.extend(kinds)
-
-            csvwriter.writerow(columns)
+            csvwriter.writerow(headers)
 
             for package in sorted(packages):
                 row = [package]
@@ -170,10 +197,11 @@ with open("flow-model-coverage.rst", 'w') as rst_file:
         # Read the additional framework data, such as URL, friendly name
         frameworks = {}
 
-        with open(prefix + "misc/scripts/frameworks-" + lang + ".csv") as csvfile:
+        with open(input_framework_csv.format(language=lang)) as csvfile:
             reader = csv.reader(csvfile)
             next(reader)
             for row in reader:
+                # row: Hibernate,https://hibernate.org/,org.hibernate
                 framwork = row[0]
                 if framwork not in frameworks:
                     frameworks[framwork] = {
@@ -184,10 +212,11 @@ with open("flow-model-coverage.rst", 'w') as rst_file:
         # Read the additional CWE data
         cwes = {}
 
-        with open(prefix + "misc/scripts/cwe-sink-" + lang + ".csv") as csvfile:
+        with open(input_cwe_sink_csv.format(language=lang)) as csvfile:
             reader = csv.reader(csvfile)
             next(reader)
             for row in reader:
+                # row: CWE-89,sql,SQL injection
                 cwe = row[0]
                 if cwe not in cwes:
                     cwes[cwe] = {
@@ -195,7 +224,9 @@ with open("flow-model-coverage.rst", 'w') as rst_file:
                         "label": row[2]
                     }
 
-        file_name = "rst-csv-flow-model-coverage-" + lang + ".csv"
+        sorted_cwes = sorted(cwes)
+
+        file_name = output_rst_csv.format(language=lang)
 
         rst_file.write(
             config.capitalized_lang + " framework & library support\n")
@@ -210,17 +241,23 @@ with open("flow-model-coverage.rst", 'w') as rst_file:
         with open(file_name, 'w', newline='') as csvfile:
             csvwriter = csv.writer(csvfile)
 
-            columns = ["Framework / library", "package",
-                       "remote flow sources", "taint & value steps", "sinks (total)"]
-            for cwe in sorted(cwes):
-                columns.append("`" + cwe + "` :sub:`" +
-                               cwes[cwe]["label"] + "`")
-            csvwriter.writerow(columns)
+            # Write CSV header.
+            headers = ["Framework / library",
+                       "Package",
+                       "Remote flow sources",
+                       "Taint & value steps",
+                       "Sinks (total)"]
+            for cwe in sorted_cwes:
+                headers.append(
+                    "`{0}` :sub:`{1}`".format(cwe, cwes[cwe]["label"]))
+            csvwriter.writerow(headers)
 
             processed_packages = set()
 
+            # Write a row for each framework.
             for framework in sorted(frameworks):
                 row = []
+
                 # Add the framework name to the row
                 if not frameworks[framework]["url"]:
                     row.append(framework)
@@ -234,12 +271,12 @@ with open("flow-model-coverage.rst", 'w') as rst_file:
                 prefix = frameworks[framework]["package"]
 
                 # Collect statistics on the current framework
+                # package name is either full name, such as "org.hibernate", or a prefix, such as "java.*"
                 def collect_framework(): return collect_package_stats(
-                    packages,
-                    lambda p: (prefix.endswith("*") and p.startswith(prefix[:-1])) or (not prefix.endswith("*") and prefix == p))
+                    packages, cwes, lambda p: (prefix.endswith("*") and p.startswith(prefix[:-1])) or (not prefix.endswith("*") and prefix == p))
 
                 row, f_processed_packages = add_package_stats_to_row(
-                    row, sorted(cwes), collect_framework)
+                    row, sorted_cwes, collect_framework)
 
                 csvwriter.writerow(row)
                 processed_packages.update(f_processed_packages)
@@ -248,11 +285,10 @@ with open("flow-model-coverage.rst", 'w') as rst_file:
             row = ["Others", None]
 
             def collect_others(): return collect_package_stats(
-                packages,
-                lambda p: p not in processed_packages)
+                packages, cwes, lambda p: p not in processed_packages)
 
             row, other_packages = add_package_stats_to_row(
-                row, sorted(cwes), collect_others)
+                row, sorted_cwes, collect_others)
 
             row[1] = ", ".join("``{0}``".format(p)
                                for p in sorted(other_packages))
@@ -262,11 +298,9 @@ with open("flow-model-coverage.rst", 'w') as rst_file:
             # Collect statistics on all packages
             row = ["Totals", None]
 
-            def collect_total(): return collect_package_stats(
-                packages,
-                lambda p: True)
+            def collect_total(): return collect_package_stats(packages, cwes, lambda p: True)
 
             row, _ = add_package_stats_to_row(
-                row, sorted(cwes), collect_total)
+                row, sorted_cwes, collect_total)
 
             csvwriter.writerow(row)

From 1297d1c7442e942b5eff07a02f721ff13a586b79 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 6 May 2021 11:26:30 +0200
Subject: [PATCH 1180/1429] Add framework and cwe static data

---
 misc/scripts/cwe-sink-java.csv   | 9 +++++++--
 misc/scripts/frameworks-java.csv | 6 ++++--
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/misc/scripts/cwe-sink-java.csv b/misc/scripts/cwe-sink-java.csv
index c8a43fa8d08..541b9c32e33 100644
--- a/misc/scripts/cwe-sink-java.csv
+++ b/misc/scripts/cwe-sink-java.csv
@@ -1,3 +1,8 @@
 CWE,Sink identifier,Label
-CWE-89,sql,SQL injection
-CWE-22,create-file,Path injection
\ No newline at end of file
+CWE-089,sql,SQL injection
+CWE-022,create-file,Path injection
+CWE-036,url-open-stream,Path traversal
+CWE-094,bean-validation,Code injection
+CWE-319,open-url,Cleartext transmission
+CWE-079,xss,Cross-site scripting
+CWE-090,ldap,LDAP injection
\ No newline at end of file
diff --git a/misc/scripts/frameworks-java.csv b/misc/scripts/frameworks-java.csv
index cd01b8d8949..12346349791 100644
--- a/misc/scripts/frameworks-java.csv
+++ b/misc/scripts/frameworks-java.csv
@@ -1,5 +1,7 @@
 Framework name,URL,Package prefix
-Hibernate,https://hibernate.org/,org.hibernate
 Java Standard Library,,java.*
 Google,,com.google.common.*
-Apache,,org.apache.*
\ No newline at end of file
+Apache,,org.apache.*
+Android,,android.*
+Spring,https://spring.io/,org.springframework.*
+Java extensions,,javax.*
\ No newline at end of file

From 2e67a3216c7ab6b08fafe10c4834e18b14a490a5 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 6 May 2021 12:51:53 +0200
Subject: [PATCH 1181/1429] Add option to manually trigger the workflow

---
 .github/workflows/csv-coverage.yml           | 20 ++++++++++++++++++--
 misc/scripts/generate-csv-coverage-report.py | 14 +++++++++-----
 2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/csv-coverage.yml b/.github/workflows/csv-coverage.yml
index db53413f85f..ae4d93f8992 100644
--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -1,6 +1,11 @@
 name: Build CSV flow coverage report
 
 on:
+  workflow_dispatch:
+    inputs:
+      qlModelShaOverride:
+        description: 'github/codeql repo SHA used for looking up the CSV models'
+        required: false
   push:
     branches:
      - main
@@ -22,7 +27,18 @@ jobs:
     - name: Clone self (github/codeql)
       uses: actions/checkout@v2
       with:
-        path: codeql
+        path: script
+    - name: Clone self (github/codeql) at a given SHA for analysis
+      if: github.event.inputs.qlModelShaOverride != ''
+      uses: actions/checkout@v2
+      with:
+        path: codeqlModels
+        ref: github.event.inputs.qlModelShaOverride
+    - name: Clone self (github/codeql) for analysis
+      if: github.event.inputs.qlModelShaOverride == ''
+      uses: actions/checkout@v2
+      with:
+        path: codeqlModels
     - name: Set up Python 3.8
       uses: actions/setup-python@v2
       with:
@@ -38,7 +54,7 @@ jobs:
       run: unzip -d codeql-cli codeql-linux64.zip
     - name: Build modeled package list
       run: |
-        PATH="$PATH:codeql-cli/codeql" python codeql/misc/scripts/generate-csv-coverage-report.py codeql
+        PATH="$PATH:codeql-cli/codeql" python script/misc/scripts/generate-csv-coverage-report.py codeqlModels script
     - name: Upload CSV package list
       uses: actions/upload-artifact@v2
       with:
diff --git a/misc/scripts/generate-csv-coverage-report.py b/misc/scripts/generate-csv-coverage-report.py
index ce34053d77f..65ade295ca6 100644
--- a/misc/scripts/generate-csv-coverage-report.py
+++ b/misc/scripts/generate-csv-coverage-report.py
@@ -120,14 +120,18 @@ except Exception as e:
     print("Error: couldn't invoke CodeQL CLI 'codeql'. Is it on the path? Aborting.", file=sys.stderr)
     raise e
 
-prefix = ""
+query_prefix = ""
+data_prefix = ""
 if len(sys.argv) > 1:
-    prefix = sys.argv[1] + "/"
+    query_prefix = sys.argv[1] + "/"
+
+if len(sys.argv) > 2:
+    data_prefix = sys.argv[2] + "/"
 
 # Languages for which we want to generate coverage reports.
 configs = [
     LanguageConfig(
-        "java", "Java", ".java", prefix + "java/ql/src/meta/frameworks/Coverage.ql")
+        "java", "Java", ".java", query_prefix + "java/ql/src/meta/frameworks/Coverage.ql")
 ]
 
 # The names of input and output files. The placeholder {language} is replaced with the language name.
@@ -135,8 +139,8 @@ output_rst = "flow-model-coverage.rst"
 output_rst_csv = "rst-csv-flow-model-coverage-{language}.csv"
 output_ql_csv = "output-{language}.csv"
 output_csv = "csv-flow-model-coverage-{language}.csv"
-input_framework_csv = prefix + "misc/scripts/frameworks-{language}.csv"
-input_cwe_sink_csv = prefix + "misc/scripts/cwe-sink-{language}.csv"
+input_framework_csv = data_prefix + "misc/scripts/frameworks-{language}.csv"
+input_cwe_sink_csv = data_prefix + "misc/scripts/cwe-sink-{language}.csv"
 
 with open(output_rst, 'w') as rst_file:
     for config in configs:

From dda401f62a3c5a025bdaf28eebb2c6b5a3113027 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 11 May 2021 09:05:25 +0200
Subject: [PATCH 1182/1429] Inline CSV table into RST page

---
 .github/workflows/csv-coverage.yml           |   1 -
 misc/scripts/generate-csv-coverage-report.py | 119 +++++++++----------
 2 files changed, 59 insertions(+), 61 deletions(-)

diff --git a/.github/workflows/csv-coverage.yml b/.github/workflows/csv-coverage.yml
index ae4d93f8992..accaf8ebf3b 100644
--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -66,5 +66,4 @@ jobs:
         name: rst-flow-model-coverage
         path: |
           flow-model-coverage.rst
-          rst-csv-flow-model-coverage-*.csv
 
diff --git a/misc/scripts/generate-csv-coverage-report.py b/misc/scripts/generate-csv-coverage-report.py
index 65ade295ca6..1489d8fa629 100644
--- a/misc/scripts/generate-csv-coverage-report.py
+++ b/misc/scripts/generate-csv-coverage-report.py
@@ -136,13 +136,12 @@ configs = [
 
 # The names of input and output files. The placeholder {language} is replaced with the language name.
 output_rst = "flow-model-coverage.rst"
-output_rst_csv = "rst-csv-flow-model-coverage-{language}.csv"
 output_ql_csv = "output-{language}.csv"
 output_csv = "csv-flow-model-coverage-{language}.csv"
 input_framework_csv = data_prefix + "misc/scripts/frameworks-{language}.csv"
 input_cwe_sink_csv = data_prefix + "misc/scripts/cwe-sink-{language}.csv"
 
-with open(output_rst, 'w') as rst_file:
+with open(output_rst, 'w', newline='') as rst_file:
     for config in configs:
         lang = config.lang
         db = "empty-" + lang
@@ -230,81 +229,81 @@ with open(output_rst, 'w') as rst_file:
 
         sorted_cwes = sorted(cwes)
 
-        file_name = output_rst_csv.format(language=lang)
-
         rst_file.write(
             config.capitalized_lang + " framework & library support\n")
         rst_file.write("================================\n\n")
         rst_file.write(".. csv-table:: \n")
-        rst_file.write("     :file: " + file_name + "\n")
-        rst_file.write("     :header-rows: 1\n")
-        rst_file.write("     :class: fullWidthTable\n")
-        rst_file.write("     :widths: auto\n\n")
+        rst_file.write("   :header-rows: 1\n")
+        rst_file.write("   :class: fullWidthTable\n")
+        rst_file.write("   :widths: auto\n\n")
+
+        row_prefix = "   "
 
         # Write CSV file with package statistics and framework data to be used in RST file.
-        with open(file_name, 'w', newline='') as csvfile:
-            csvwriter = csv.writer(csvfile)
+        csvwriter = csv.writer(rst_file)
 
-            # Write CSV header.
-            headers = ["Framework / library",
-                       "Package",
-                       "Remote flow sources",
-                       "Taint & value steps",
-                       "Sinks (total)"]
-            for cwe in sorted_cwes:
-                headers.append(
-                    "`{0}` :sub:`{1}`".format(cwe, cwes[cwe]["label"]))
-            csvwriter.writerow(headers)
+        # Write CSV header.
+        headers = [row_prefix + "Framework / library",
+                   "Package",
+                   "Remote flow sources",
+                   "Taint & value steps",
+                   "Sinks (total)"]
+        for cwe in sorted_cwes:
+            headers.append(
+                "`{0}` :sub:`{1}`".format(cwe, cwes[cwe]["label"]))
+        csvwriter.writerow(headers)
 
-            processed_packages = set()
+        processed_packages = set()
 
-            # Write a row for each framework.
-            for framework in sorted(frameworks):
-                row = []
+        # Write a row for each framework.
+        for framework in sorted(frameworks):
+            row = []
 
-                # Add the framework name to the row
-                if not frameworks[framework]["url"]:
-                    row.append(framework)
-                else:
-                    row.append(
-                        "`" + framework + " <" + frameworks[framework]["url"] + ">`_")
+            # Add the framework name to the row
+            if not frameworks[framework]["url"]:
+                row.append(row_prefix + framework)
+            else:
+                row.append(
+                    row_prefix + "`" + framework + " <" + frameworks[framework]["url"] + ">`_")
 
-                # Add the package name to the row
-                row.append("``" + frameworks[framework]["package"] + "``")
+            # Add the package name to the row
+            row.append("``" + frameworks[framework]["package"] + "``")
 
-                prefix = frameworks[framework]["package"]
+            prefix = frameworks[framework]["package"]
 
-                # Collect statistics on the current framework
-                # package name is either full name, such as "org.hibernate", or a prefix, such as "java.*"
-                def collect_framework(): return collect_package_stats(
-                    packages, cwes, lambda p: (prefix.endswith("*") and p.startswith(prefix[:-1])) or (not prefix.endswith("*") and prefix == p))
+            # Collect statistics on the current framework
+            # package name is either full name, such as "org.hibernate", or a prefix, such as "java.*"
+            def collect_framework(): return collect_package_stats(
+                packages, cwes, lambda p: (prefix.endswith("*") and p.startswith(prefix[:-1])) or (not prefix.endswith("*") and prefix == p))
 
-                row, f_processed_packages = add_package_stats_to_row(
-                    row, sorted_cwes, collect_framework)
-
-                csvwriter.writerow(row)
-                processed_packages.update(f_processed_packages)
-
-            # Collect statistics on all packages that are not part of a framework
-            row = ["Others", None]
-
-            def collect_others(): return collect_package_stats(
-                packages, cwes, lambda p: p not in processed_packages)
-
-            row, other_packages = add_package_stats_to_row(
-                row, sorted_cwes, collect_others)
-
-            row[1] = ", ".join("``{0}``".format(p)
-                               for p in sorted(other_packages))
+            row, f_processed_packages = add_package_stats_to_row(
+                row, sorted_cwes, collect_framework)
 
             csvwriter.writerow(row)
+            processed_packages.update(f_processed_packages)
 
-            # Collect statistics on all packages
-            row = ["Totals", None]
+        # Collect statistics on all packages that are not part of a framework
+        row = [row_prefix + "Others", None]
 
-            def collect_total(): return collect_package_stats(packages, cwes, lambda p: True)
+        def collect_others(): return collect_package_stats(
+            packages, cwes, lambda p: p not in processed_packages)
 
-            row, _ = add_package_stats_to_row(
-                row, sorted_cwes, collect_total)
+        row, other_packages = add_package_stats_to_row(
+            row, sorted_cwes, collect_others)
 
-            csvwriter.writerow(row)
+        row[1] = ", ".join("``{0}``".format(p)
+                           for p in sorted(other_packages))
+
+        csvwriter.writerow(row)
+
+        # Collect statistics on all packages
+        row = [row_prefix + "Totals", None]
+
+        def collect_total(): return collect_package_stats(packages, cwes, lambda p: True)
+
+        row, _ = add_package_stats_to_row(
+            row, sorted_cwes, collect_total)
+
+        csvwriter.writerow(row)
+
+        rst_file.write("\n\n")

From 663e6a8d738005b6f9279d86998917d4b5c78b2b Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 18 May 2021 10:01:02 +0200
Subject: [PATCH 1183/1429] Use non-breaking hyphen in CWE identifier

---
 misc/scripts/cwe-sink-java.csv | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/misc/scripts/cwe-sink-java.csv b/misc/scripts/cwe-sink-java.csv
index 541b9c32e33..796f237c313 100644
--- a/misc/scripts/cwe-sink-java.csv
+++ b/misc/scripts/cwe-sink-java.csv
@@ -1,8 +1,8 @@
 CWE,Sink identifier,Label
-CWE-089,sql,SQL injection
-CWE-022,create-file,Path injection
-CWE-036,url-open-stream,Path traversal
-CWE-094,bean-validation,Code injection
-CWE-319,open-url,Cleartext transmission
-CWE-079,xss,Cross-site scripting
-CWE-090,ldap,LDAP injection
\ No newline at end of file
+CWE‑089,sql,SQL injection
+CWE‑022,create-file,Path injection
+CWE‑036,url-open-stream,Path traversal
+CWE‑094,bean-validation,Code injection
+CWE‑319,open-url,Cleartext transmission
+CWE‑079,xss,Cross-site scripting
+CWE‑090,ldap,LDAP injection
\ No newline at end of file

From 6dc46ec1ee592579fe1798ca732d08e4585c4225 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 18 May 2021 10:42:06 +0200
Subject: [PATCH 1184/1429] Add org.apache.commons.io to frameworks, and handle
 overlapping package prefixes

---
 misc/scripts/frameworks-java.csv             |  1 +
 misc/scripts/generate-csv-coverage-report.py | 14 +++++++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/misc/scripts/frameworks-java.csv b/misc/scripts/frameworks-java.csv
index 12346349791..0e39bc51836 100644
--- a/misc/scripts/frameworks-java.csv
+++ b/misc/scripts/frameworks-java.csv
@@ -2,6 +2,7 @@ Framework name,URL,Package prefix
 Java Standard Library,,java.*
 Google,,com.google.common.*
 Apache,,org.apache.*
+Apache Commons IO,https://commons.apache.org/proper/commons-io/,org.apache.commons.io
 Android,,android.*
 Spring,https://spring.io/,org.springframework.*
 Java extensions,,javax.*
\ No newline at end of file
diff --git a/misc/scripts/generate-csv-coverage-report.py b/misc/scripts/generate-csv-coverage-report.py
index 1489d8fa629..65ca697e352 100644
--- a/misc/scripts/generate-csv-coverage-report.py
+++ b/misc/scripts/generate-csv-coverage-report.py
@@ -255,6 +255,9 @@ with open(output_rst, 'w', newline='') as rst_file:
 
         processed_packages = set()
 
+        all_package_patterns = set(
+            (frameworks[fr]["package"] for fr in frameworks))
+
         # Write a row for each framework.
         for framework in sorted(frameworks):
             row = []
@@ -269,12 +272,17 @@ with open(output_rst, 'w', newline='') as rst_file:
             # Add the package name to the row
             row.append("``" + frameworks[framework]["package"] + "``")
 
-            prefix = frameworks[framework]["package"]
+            current_package_pattern = frameworks[framework]["package"]
 
             # Collect statistics on the current framework
-            # package name is either full name, such as "org.hibernate", or a prefix, such as "java.*"
+            # current_package_pattern is either full name, such as "org.hibernate", or a prefix, such as "java.*"
+            # Package patterns might overlap, in case of 'org.apache.commons.io' and 'org.apache.*', the statistics for
+            # the latter will not include the statistics for the former.
+            def package_match(package_name, pattern): return (pattern.endswith(
+                "*") and package_name.startswith(pattern[:-1])) or (not pattern.endswith("*") and pattern == package_name)
+
             def collect_framework(): return collect_package_stats(
-                packages, cwes, lambda p: (prefix.endswith("*") and p.startswith(prefix[:-1])) or (not prefix.endswith("*") and prefix == p))
+                packages, cwes, lambda p: package_match(p, current_package_pattern) and all(len(current_package_pattern) >= len(pattern) or not package_match(p, pattern) for pattern in all_package_patterns))
 
             row, f_processed_packages = add_package_stats_to_row(
                 row, sorted_cwes, collect_framework)

From f1911e338da9150db477182c3963640a7f9aadac Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 18 May 2021 11:41:39 +0200
Subject: [PATCH 1185/1429] Move and generate files to documentation folder +
 clean up after the script is executed

---
 .github/workflows/csv-coverage.yml            |  11 +-
 .../library-coverage/cwe-sink.csv             |   0
 .../library-coverage/frameworks.csv           |   0
 misc/scripts/generate-csv-coverage-report.py  | 190 ++++++++++--------
 4 files changed, 112 insertions(+), 89 deletions(-)
 rename misc/scripts/cwe-sink-java.csv => java/documentation/library-coverage/cwe-sink.csv (100%)
 rename misc/scripts/frameworks-java.csv => java/documentation/library-coverage/frameworks.csv (100%)

diff --git a/.github/workflows/csv-coverage.yml b/.github/workflows/csv-coverage.yml
index accaf8ebf3b..8c2f9d1222c 100644
--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -14,9 +14,9 @@ on:
     paths:
       - '.github/workflows/csv-coverage.yml'
       - 'misc/scripts/generate-csv-coverage-report.py'
-      - 'misc/scripts/cwe-sink-*.csv'
-      - 'misc/scripts/frameworks-*.csv'
       - 'java/ql/src/meta/frameworks/Coverage.ql'
+      - 'java/documentation/library-coverage/cwe-sink.csv'
+      - 'java/documentation/library-coverage/frameworks.csv'
 
 jobs:
   build:
@@ -54,16 +54,15 @@ jobs:
       run: unzip -d codeql-cli codeql-linux64.zip
     - name: Build modeled package list
       run: |
-        PATH="$PATH:codeql-cli/codeql" python script/misc/scripts/generate-csv-coverage-report.py codeqlModels script
+        PATH="$PATH:codeql-cli/codeql" python script/misc/scripts/generate-csv-coverage-report.py ci codeqlModels script
     - name: Upload CSV package list
       uses: actions/upload-artifact@v2
       with:
         name: csv-flow-model-coverage
-        path: csv-flow-model-coverage-*.csv
+        path: flow-model-coverage-*.csv
     - name: Upload RST package list
       uses: actions/upload-artifact@v2
       with:
         name: rst-flow-model-coverage
-        path: |
-          flow-model-coverage.rst
+        path: flow-model-coverage-*.rst
 
diff --git a/misc/scripts/cwe-sink-java.csv b/java/documentation/library-coverage/cwe-sink.csv
similarity index 100%
rename from misc/scripts/cwe-sink-java.csv
rename to java/documentation/library-coverage/cwe-sink.csv
diff --git a/misc/scripts/frameworks-java.csv b/java/documentation/library-coverage/frameworks.csv
similarity index 100%
rename from misc/scripts/frameworks-java.csv
rename to java/documentation/library-coverage/frameworks.csv
diff --git a/misc/scripts/generate-csv-coverage-report.py b/misc/scripts/generate-csv-coverage-report.py
index 65ca697e352..d67b5f33c07 100644
--- a/misc/scripts/generate-csv-coverage-report.py
+++ b/misc/scripts/generate-csv-coverage-report.py
@@ -1,8 +1,8 @@
 import subprocess
-import json
 import csv
 import sys
 import os
+import shutil
 
 """
 This script runs the CSV coverage report QL query, and transforms it to a more readable format.
@@ -32,6 +32,7 @@ def run_codeql_query(query, database, output):
                    "--database", database, "--output", output + ".bqrs"])
     subprocess_run(["codeql", "bqrs", "decode", output + ".bqrs",
                    "--format=csv", "--no-titles", "--output", output])
+    os.remove(output + ".bqrs")
 
 
 def append_csv_number(list, value):
@@ -120,13 +121,27 @@ except Exception as e:
     print("Error: couldn't invoke CodeQL CLI 'codeql'. Is it on the path? Aborting.", file=sys.stderr)
     raise e
 
+# The script can be run in two modes:
+# (i) dev: run on the local developer machine, and collect the coverage data. The output is generated into the expected
+#          folders: {language}/documentation/library-coverage/
+# (ii) ci: run in a CI action. The output is generated to the root folder, and then in a subsequent step packaged as a
+#          build artifact.
+mode = "dev"
+if len(sys.argv) > 1:
+    mode = sys.argv[1]
+
+if mode != "dev" and mode != "ci":
+    print("Unknown execution mode: " + mode +
+          ". Expected either 'dev' or 'ci'.", file=sys.stderr)
+    exit(1)
+
 query_prefix = ""
 data_prefix = ""
-if len(sys.argv) > 1:
-    query_prefix = sys.argv[1] + "/"
-
 if len(sys.argv) > 2:
-    data_prefix = sys.argv[2] + "/"
+    query_prefix = sys.argv[2] + "/"
+
+if len(sys.argv) > 3:
+    data_prefix = sys.argv[3] + "/"
 
 # Languages for which we want to generate coverage reports.
 configs = [
@@ -135,100 +150,109 @@ configs = [
 ]
 
 # The names of input and output files. The placeholder {language} is replaced with the language name.
-output_rst = "flow-model-coverage.rst"
+documentation_folder = "{language}/documentation/library-coverage/"
 output_ql_csv = "output-{language}.csv"
-output_csv = "csv-flow-model-coverage-{language}.csv"
-input_framework_csv = data_prefix + "misc/scripts/frameworks-{language}.csv"
-input_cwe_sink_csv = data_prefix + "misc/scripts/cwe-sink-{language}.csv"
+input_framework_csv = data_prefix + documentation_folder + "frameworks.csv"
+input_cwe_sink_csv = data_prefix + documentation_folder + "cwe-sink.csv"
 
-with open(output_rst, 'w', newline='') as rst_file:
-    for config in configs:
-        lang = config.lang
-        db = "empty-" + lang
-        ql_output = output_ql_csv.format(language=lang)
-        create_empty_database(lang, config.ext, db)
-        run_codeql_query(config.ql_path, db, ql_output)
+if mode == "dev":
+    output_rst = data_prefix + documentation_folder + "flow-model-coverage.rst"
+    output_csv = data_prefix + documentation_folder + "flow-model-coverage.csv"
+else:
+    output_rst = "flow-model-coverage-{language}.rst"
+    output_csv = "flow-model-coverage-{language}.csv"
 
-        packages = {}
-        parts = set()
-        kinds = set()
+for config in configs:
+    lang = config.lang
+    db = "empty-" + lang
+    ql_output = output_ql_csv.format(language=lang)
+    create_empty_database(lang, config.ext, db)
+    run_codeql_query(config.ql_path, db, ql_output)
+    shutil.rmtree(db)
 
-        # Read the generated CSV file, and collect package statistics.
-        with open(ql_output) as csvfile:
-            reader = csv.reader(csvfile)
-            for row in reader:
-                # row: "android.util",1,"remote","source",16
-                package = row[0]
-                if package not in packages:
-                    packages[package] = {
-                        "count": row[1],
-                        # part: "summary", "sink", or "source"
-                        "part": {},
-                        # kind: "source:remote", "sink:create-file", ...
-                        "kind": {}
-                    }
+    packages = {}
+    parts = set()
+    kinds = set()
 
-                part = row[3]
-                parts.add(part)
-                increment_dict_item(row[4], packages[package]["part"], part)
+    # Read the generated CSV file, and collect package statistics.
+    with open(ql_output) as csvfile:
+        reader = csv.reader(csvfile)
+        for row in reader:
+            # row: "android.util",1,"remote","source",16
+            package = row[0]
+            if package not in packages:
+                packages[package] = {
+                    "count": row[1],
+                    # part: "summary", "sink", or "source"
+                    "part": {},
+                    # kind: "source:remote", "sink:create-file", ...
+                    "kind": {}
+                }
 
-                kind = part + ":" + row[2]
-                kinds.add(kind)
-                increment_dict_item(row[4], packages[package]["kind"], kind)
+            part = row[3]
+            parts.add(part)
+            increment_dict_item(row[4], packages[package]["part"], part)
 
-        parts = sorted(parts)
-        kinds = sorted(kinds)
+            kind = part + ":" + row[2]
+            kinds.add(kind)
+            increment_dict_item(row[4], packages[package]["kind"], kind)
 
-        # Write the denormalized package statistics to a CSV file.
-        with open(output_csv.format(language=lang), 'w', newline='') as csvfile:
-            csvwriter = csv.writer(csvfile)
+    os.remove(ql_output)
 
-            headers = ["package"]
-            headers.extend(parts)
-            headers.extend(kinds)
+    parts = sorted(parts)
+    kinds = sorted(kinds)
 
-            csvwriter.writerow(headers)
+    # Write the denormalized package statistics to a CSV file.
+    with open(output_csv.format(language=lang), 'w', newline='') as csvfile:
+        csvwriter = csv.writer(csvfile)
 
-            for package in sorted(packages):
-                row = [package]
-                for part in parts:
-                    append_csv_dict_item(row, packages[package]["part"], part)
-                for kind in kinds:
-                    append_csv_dict_item(row, packages[package]["kind"], kind)
-                csvwriter.writerow(row)
+        headers = ["package"]
+        headers.extend(parts)
+        headers.extend(kinds)
 
-        # Read the additional framework data, such as URL, friendly name
-        frameworks = {}
+        csvwriter.writerow(headers)
 
-        with open(input_framework_csv.format(language=lang)) as csvfile:
-            reader = csv.reader(csvfile)
-            next(reader)
-            for row in reader:
-                # row: Hibernate,https://hibernate.org/,org.hibernate
-                framwork = row[0]
-                if framwork not in frameworks:
-                    frameworks[framwork] = {
-                        "package": row[2],
-                        "url": row[1]
-                    }
+        for package in sorted(packages):
+            row = [package]
+            for part in parts:
+                append_csv_dict_item(row, packages[package]["part"], part)
+            for kind in kinds:
+                append_csv_dict_item(row, packages[package]["kind"], kind)
+            csvwriter.writerow(row)
 
-        # Read the additional CWE data
-        cwes = {}
+    # Read the additional framework data, such as URL, friendly name
+    frameworks = {}
 
-        with open(input_cwe_sink_csv.format(language=lang)) as csvfile:
-            reader = csv.reader(csvfile)
-            next(reader)
-            for row in reader:
-                # row: CWE-89,sql,SQL injection
-                cwe = row[0]
-                if cwe not in cwes:
-                    cwes[cwe] = {
-                        "sink": row[1],
-                        "label": row[2]
-                    }
+    with open(input_framework_csv.format(language=lang)) as csvfile:
+        reader = csv.reader(csvfile)
+        next(reader)
+        for row in reader:
+            # row: Hibernate,https://hibernate.org/,org.hibernate
+            framwork = row[0]
+            if framwork not in frameworks:
+                frameworks[framwork] = {
+                    "package": row[2],
+                    "url": row[1]
+                }
 
-        sorted_cwes = sorted(cwes)
+    # Read the additional CWE data
+    cwes = {}
 
+    with open(input_cwe_sink_csv.format(language=lang)) as csvfile:
+        reader = csv.reader(csvfile)
+        next(reader)
+        for row in reader:
+            # row: CWE-89,sql,SQL injection
+            cwe = row[0]
+            if cwe not in cwes:
+                cwes[cwe] = {
+                    "sink": row[1],
+                    "label": row[2]
+                }
+
+    sorted_cwes = sorted(cwes)
+
+    with open(output_rst.format(language=lang), 'w', newline='') as rst_file:
         rst_file.write(
             config.capitalized_lang + " framework & library support\n")
         rst_file.write("================================\n\n")
@@ -314,4 +338,4 @@ with open(output_rst, 'w', newline='') as rst_file:
 
         csvwriter.writerow(row)
 
-        rst_file.write("\n\n")
+        rst_file.write("\n")

From f09352620f2e24128fd64a773157bb124d73b6c3 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 18 May 2021 13:48:57 +0200
Subject: [PATCH 1186/1429] Add comparison step to workflow

---
 .github/workflows/csv-coverage.yml            | 18 ++++++---
 .../scripts/library-coverage/compare-files.py | 38 +++++++++++++++++++
 .../generate-report.py}                       | 19 +++++-----
 misc/scripts/library-coverage/settings.py     | 23 +++++++++++
 4 files changed, 83 insertions(+), 15 deletions(-)
 create mode 100644 misc/scripts/library-coverage/compare-files.py
 rename misc/scripts/{generate-csv-coverage-report.py => library-coverage/generate-report.py} (95%)
 create mode 100644 misc/scripts/library-coverage/settings.py

diff --git a/.github/workflows/csv-coverage.yml b/.github/workflows/csv-coverage.yml
index 8c2f9d1222c..2ecb3bdeb06 100644
--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -1,4 +1,4 @@
-name: Build CSV flow coverage report
+name: Build/check CSV flow coverage report
 
 on:
   workflow_dispatch:
@@ -13,10 +13,14 @@ on:
   pull_request:
     paths:
       - '.github/workflows/csv-coverage.yml'
-      - 'misc/scripts/generate-csv-coverage-report.py'
       - 'java/ql/src/meta/frameworks/Coverage.ql'
-      - 'java/documentation/library-coverage/cwe-sink.csv'
-      - 'java/documentation/library-coverage/frameworks.csv'
+      - 'misc/scripts/library-coverage/*.py'
+      # input data files
+      - '*/documentation/library-coverage/cwe-sink.csv'
+      - '*/documentation/library-coverage/frameworks.csv'
+      # coverage report files
+      - '*/documentation/library-coverage/flow-model-coverage.csv'
+      - '*/documentation/library-coverage/flow-model-coverage.rst'
 
 jobs:
   build:
@@ -54,7 +58,7 @@ jobs:
       run: unzip -d codeql-cli codeql-linux64.zip
     - name: Build modeled package list
       run: |
-        PATH="$PATH:codeql-cli/codeql" python script/misc/scripts/generate-csv-coverage-report.py ci codeqlModels script
+        PATH="$PATH:codeql-cli/codeql" python script/misc/scripts/library-coverage/generate-report.py ci codeqlModels script
     - name: Upload CSV package list
       uses: actions/upload-artifact@v2
       with:
@@ -65,4 +69,8 @@ jobs:
       with:
         name: rst-flow-model-coverage
         path: flow-model-coverage-*.rst
+    - name: Check coverage files
+      if: github.event.pull_request
+      run: |
+        python script/misc/scripts/library-coverage/compare-files.py codeqlModels
 
diff --git a/misc/scripts/library-coverage/compare-files.py b/misc/scripts/library-coverage/compare-files.py
new file mode 100644
index 00000000000..2c11fee72ac
--- /dev/null
+++ b/misc/scripts/library-coverage/compare-files.py
@@ -0,0 +1,38 @@
+import sys
+import os
+import settings
+import filecmp
+
+"""
+This script compares the generated CSV coverage files with the ones in the codebase.
+"""
+
+
+def check_file_exists(file):
+    if not os.path.exists(file):
+        print("Expected file '" + file + "' doesn't exist.", file=sys.stderr)
+        sys.exit(1)
+
+
+languages = ['java']
+
+for lang in languages:
+    repo_output_rst = settings.repo_output_rst.format(language=lang)
+    repo_output_csv = settings.repo_output_csv.format(language=lang)
+
+    generated_output_rst = settings.generated_output_rst.format(language=lang)
+    generated_output_csv = settings.generated_output_csv.format(language=lang)
+
+    check_file_exists(repo_output_rst)
+    check_file_exists(repo_output_csv)
+    check_file_exists(generated_output_rst)
+    check_file_exists(generated_output_csv)
+
+    filecmp.clear_cache()
+    if not filecmp.cmp(repo_output_rst, generated_output_rst, shallow=False) or not filecmp.cmp(repo_output_csv, generated_output_csv, shallow=False):
+        print("Error: The generated files for '" + lang +
+              "' do not match the ones in the codebase. Please check and fix.", file=sys.stderr)
+        sys.exit(1)
+
+    print("The generated files for '" + lang +
+          "' match the ones in the codebase.")
diff --git a/misc/scripts/generate-csv-coverage-report.py b/misc/scripts/library-coverage/generate-report.py
similarity index 95%
rename from misc/scripts/generate-csv-coverage-report.py
rename to misc/scripts/library-coverage/generate-report.py
index d67b5f33c07..985080d5124 100644
--- a/misc/scripts/generate-csv-coverage-report.py
+++ b/misc/scripts/library-coverage/generate-report.py
@@ -3,6 +3,7 @@ import csv
 import sys
 import os
 import shutil
+import settings
 
 """
 This script runs the CSV coverage report QL query, and transforms it to a more readable format.
@@ -135,13 +136,12 @@ if mode != "dev" and mode != "ci":
           ". Expected either 'dev' or 'ci'.", file=sys.stderr)
     exit(1)
 
+# The QL model holding the CSV info can come from directly a PR or the main branch, but optionally we can use an earlier
+# SHA too, therefore it's checked out seperately into a dedicated subfolder.
 query_prefix = ""
-data_prefix = ""
 if len(sys.argv) > 2:
     query_prefix = sys.argv[2] + "/"
 
-if len(sys.argv) > 3:
-    data_prefix = sys.argv[3] + "/"
 
 # Languages for which we want to generate coverage reports.
 configs = [
@@ -150,17 +150,16 @@ configs = [
 ]
 
 # The names of input and output files. The placeholder {language} is replaced with the language name.
-documentation_folder = "{language}/documentation/library-coverage/"
 output_ql_csv = "output-{language}.csv"
-input_framework_csv = data_prefix + documentation_folder + "frameworks.csv"
-input_cwe_sink_csv = data_prefix + documentation_folder + "cwe-sink.csv"
+input_framework_csv = settings.documentation_folder + "frameworks.csv"
+input_cwe_sink_csv = settings.documentation_folder + "cwe-sink.csv"
 
 if mode == "dev":
-    output_rst = data_prefix + documentation_folder + "flow-model-coverage.rst"
-    output_csv = data_prefix + documentation_folder + "flow-model-coverage.csv"
+    output_rst = settings.repo_output_rst
+    output_csv = settings.repo_output_csv
 else:
-    output_rst = "flow-model-coverage-{language}.rst"
-    output_csv = "flow-model-coverage-{language}.csv"
+    output_rst = settings.generated_output_rst
+    output_csv = settings.generated_output_csv
 
 for config in configs:
     lang = config.lang
diff --git a/misc/scripts/library-coverage/settings.py b/misc/scripts/library-coverage/settings.py
new file mode 100644
index 00000000000..bda1140fc21
--- /dev/null
+++ b/misc/scripts/library-coverage/settings.py
@@ -0,0 +1,23 @@
+import sys
+
+
+generated_output_rst = "flow-model-coverage-{language}.rst"
+generated_output_csv = "flow-model-coverage-{language}.csv"
+
+
+# The CI job checks out the codebase to a subfolder
+data_prefix = ""
+
+index = 1
+if sys.argv[0].endswith("generate-report.py"):
+    index = 3
+
+if len(sys.argv) > index:
+    data_prefix = sys.argv[index] + "/"
+
+
+documentation_folder = data_prefix + \
+    "{language}/documentation/library-coverage/"
+
+repo_output_rst = documentation_folder + "flow-model-coverage.rst"
+repo_output_csv = documentation_folder + "flow-model-coverage.csv"

From 3db22ba48229c64cd2a3eb1301b55549484c0708 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 18 May 2021 14:05:32 +0200
Subject: [PATCH 1187/1429] Add Java coverage report files

---
 .../library-coverage/flow-model-coverage.csv  | 37 +++++++++++++++++++
 .../library-coverage/flow-model-coverage.rst  | 19 ++++++++++
 .../library-coverage/generate-report.py       |  2 +-
 3 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 java/documentation/library-coverage/flow-model-coverage.csv
 create mode 100644 java/documentation/library-coverage/flow-model-coverage.rst

diff --git a/java/documentation/library-coverage/flow-model-coverage.csv b/java/documentation/library-coverage/flow-model-coverage.csv
new file mode 100644
index 00000000000..2d625689457
--- /dev/null
+++ b/java/documentation/library-coverage/flow-model-coverage.csv
@@ -0,0 +1,37 @@
+package,sink,source,summary,sink:bean-validation,sink:create-file,sink:header-splitting,sink:ldap,sink:open-url,sink:set-hostname-verifier,sink:url-open-stream,sink:xss,source:remote,summary:taint,summary:value
+android.util,,16,,,,,,,,,,16,,
+android.webkit,3,2,,,,,,,,,3,2,,
+com.esotericsoftware.kryo.io,,,1,,,,,,,,,,1,
+com.google.common.base,,,27,,,,,,,,,,22,5
+com.google.common.io,6,,69,,,,,,,6,,,68,1
+com.unboundid.ldap.sdk,17,,,,,,17,,,,,,,
+java.beans,,,1,,,,,,,,,,1,
+java.io,3,,20,,3,,,,,,,,20,
+java.lang,,,1,,,,,,,,,,1,
+java.net,2,3,4,,,,,2,,,,3,4,
+java.nio,10,,2,,10,,,,,,,,2,
+java.util,,,13,,,,,,,,,,13,
+javax.naming.directory,1,,,,,,1,,,,,,,
+javax.net.ssl,2,,,,,,,,2,,,,,
+javax.servlet,4,21,2,,,3,,,,,1,21,2,
+javax.validation,1,1,,1,,,,,,,,1,,
+javax.ws.rs.core,1,,,,,1,,,,,,,,
+javax.xml.transform.sax,,,4,,,,,,,,,,4,
+javax.xml.transform.stream,,,2,,,,,,,,,,2,
+org.apache.commons.codec,,,2,,,,,,,,,,2,
+org.apache.commons.io,,,22,,,,,,,,,,22,
+org.apache.commons.lang3,,,313,,,,,,,,,,299,14
+org.apache.commons.text,,,203,,,,,,,,,,203,
+org.apache.directory.ldap.client.api,1,,,,,,1,,,,,,,
+org.apache.hc.core5.function,,,1,,,,,,,,,,1,
+org.apache.hc.core5.http,1,2,39,,,,,,,,1,2,39,
+org.apache.hc.core5.net,,,2,,,,,,,,,,2,
+org.apache.hc.core5.util,,,22,,,,,,,,,,18,4
+org.apache.http,2,3,66,,,,,,,,2,3,59,7
+org.springframework.ldap.core,14,,,,,,14,,,,,,,
+org.springframework.web.client,,3,,,,,,,,,,3,,
+org.springframework.web.context.request,,8,,,,,,,,,,8,,
+org.springframework.web.multipart,,12,,,,,,,,,,12,,
+org.xml.sax,,,1,,,,,,,,,,1,
+org.xmlpull.v1,,3,,,,,,,,,,3,,
+play.mvc,,4,,,,,,,,,,4,,
diff --git a/java/documentation/library-coverage/flow-model-coverage.rst b/java/documentation/library-coverage/flow-model-coverage.rst
new file mode 100644
index 00000000000..9fb925458a7
--- /dev/null
+++ b/java/documentation/library-coverage/flow-model-coverage.rst
@@ -0,0 +1,19 @@
+Java framework & library support
+================================
+
+.. csv-table::
+   :header-rows: 1
+   :class: fullWidthTable
+   :widths: auto
+
+   Framework / library,Package,Remote flow sources,Taint & value steps,Sinks (total),`CWE‑022` :sub:`Path injection`,`CWE‑036` :sub:`Path traversal`,`CWE‑079` :sub:`Cross-site scripting`,`CWE‑089` :sub:`SQL injection`,`CWE‑090` :sub:`LDAP injection`,`CWE‑094` :sub:`Code injection`,`CWE‑319` :sub:`Cleartext transmission`
+   Android,``android.*``,18,,3,,,3,,,,
+   Apache,``org.apache.*``,5,648,4,,,3,,1,,
+   `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,22,,,,,,,,
+   Google,``com.google.common.*``,,96,6,,6,,,,,
+   Java Standard Library,``java.*``,3,41,15,13,,,,,,2
+   Java extensions,``javax.*``,22,8,9,,,1,,1,1,
+   `Spring <https://spring.io/>`_,``org.springframework.*``,23,,14,,,,,14,,
+   Others,"``com.esotericsoftware.kryo.io``, ``com.unboundid.ldap.sdk``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``",7,2,17,,,,,17,,
+   Totals,,78,817,68,13,6,7,,33,1,2
+
diff --git a/misc/scripts/library-coverage/generate-report.py b/misc/scripts/library-coverage/generate-report.py
index 985080d5124..ffcc654a728 100644
--- a/misc/scripts/library-coverage/generate-report.py
+++ b/misc/scripts/library-coverage/generate-report.py
@@ -255,7 +255,7 @@ for config in configs:
         rst_file.write(
             config.capitalized_lang + " framework & library support\n")
         rst_file.write("================================\n\n")
-        rst_file.write(".. csv-table:: \n")
+        rst_file.write(".. csv-table::\n")
         rst_file.write("   :header-rows: 1\n")
         rst_file.write("   :class: fullWidthTable\n")
         rst_file.write("   :widths: auto\n\n")

From ce53586002727f301fc163a953e23e016c194215 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 18 May 2021 14:19:16 +0200
Subject: [PATCH 1188/1429] Refactor file comparison

---
 misc/scripts/library-coverage/compare-files.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/misc/scripts/library-coverage/compare-files.py b/misc/scripts/library-coverage/compare-files.py
index 2c11fee72ac..9a6934d6f4d 100644
--- a/misc/scripts/library-coverage/compare-files.py
+++ b/misc/scripts/library-coverage/compare-files.py
@@ -14,6 +14,14 @@ def check_file_exists(file):
         sys.exit(1)
 
 
+def compare_files(file1, file2):
+    filecmp.clear_cache()
+    if not filecmp.cmp(file1, file2):
+        print("Error: The generated files do not match the ones in the codebase. Please check and fix file '" +
+              file1 + "'.", file=sys.stderr)
+        sys.exit(1)
+
+
 languages = ['java']
 
 for lang in languages:
@@ -28,11 +36,8 @@ for lang in languages:
     check_file_exists(generated_output_rst)
     check_file_exists(generated_output_csv)
 
-    filecmp.clear_cache()
-    if not filecmp.cmp(repo_output_rst, generated_output_rst, shallow=False) or not filecmp.cmp(repo_output_csv, generated_output_csv, shallow=False):
-        print("Error: The generated files for '" + lang +
-              "' do not match the ones in the codebase. Please check and fix.", file=sys.stderr)
-        sys.exit(1)
+    compare_files(repo_output_rst, generated_output_rst)
+    compare_files(repo_output_csv, generated_output_csv)
 
     print("The generated files for '" + lang +
           "' match the ones in the codebase.")

From 511486d0455e27cc03072b447d7d0094e9e1ad14 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 18 May 2021 14:31:02 +0200
Subject: [PATCH 1189/1429] Rework file diff (show line differences)

---
 .../scripts/library-coverage/compare-files.py | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/misc/scripts/library-coverage/compare-files.py b/misc/scripts/library-coverage/compare-files.py
index 9a6934d6f4d..5e00d4af2e9 100644
--- a/misc/scripts/library-coverage/compare-files.py
+++ b/misc/scripts/library-coverage/compare-files.py
@@ -1,7 +1,7 @@
 import sys
 import os
 import settings
-import filecmp
+import difflib
 
 """
 This script compares the generated CSV coverage files with the ones in the codebase.
@@ -14,10 +14,21 @@ def check_file_exists(file):
         sys.exit(1)
 
 
+def ignore_line_ending(ch):
+    return difflib.IS_CHARACTER_JUNK(ch, ws=" \r\n")
+
+
 def compare_files(file1, file2):
-    filecmp.clear_cache()
-    if not filecmp.cmp(file1, file2):
-        print("Error: The generated files do not match the ones in the codebase. Please check and fix file '" +
+    has_differences = False
+    diff = difflib.ndiff(open(file1).readlines(),
+                         open(file2).readlines(), None, ignore_line_ending)
+    for line in diff:
+        if line.startswith("+") or line.startswith("-"):
+            print(line, end="", file=sys.stderr)
+            has_differences = True
+
+    if has_differences:
+        print("Error: The generated file doesn't match the one in the codebase. Please check and fix file '" +
               file1 + "'.", file=sys.stderr)
         sys.exit(1)
 

From d4f1cbe8d8af5f31958c058a3427964cea327164 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 18 May 2021 15:13:09 +0200
Subject: [PATCH 1190/1429] Add updated coverage report

---
 .../library-coverage/flow-model-coverage.csv  | 78 ++++++++++---------
 .../library-coverage/flow-model-coverage.rst  |  8 +-
 2 files changed, 45 insertions(+), 41 deletions(-)

diff --git a/java/documentation/library-coverage/flow-model-coverage.csv b/java/documentation/library-coverage/flow-model-coverage.csv
index 2d625689457..3f8b62f2efa 100644
--- a/java/documentation/library-coverage/flow-model-coverage.csv
+++ b/java/documentation/library-coverage/flow-model-coverage.csv
@@ -1,37 +1,41 @@
-package,sink,source,summary,sink:bean-validation,sink:create-file,sink:header-splitting,sink:ldap,sink:open-url,sink:set-hostname-verifier,sink:url-open-stream,sink:xss,source:remote,summary:taint,summary:value
-android.util,,16,,,,,,,,,,16,,
-android.webkit,3,2,,,,,,,,,3,2,,
-com.esotericsoftware.kryo.io,,,1,,,,,,,,,,1,
-com.google.common.base,,,27,,,,,,,,,,22,5
-com.google.common.io,6,,69,,,,,,,6,,,68,1
-com.unboundid.ldap.sdk,17,,,,,,17,,,,,,,
-java.beans,,,1,,,,,,,,,,1,
-java.io,3,,20,,3,,,,,,,,20,
-java.lang,,,1,,,,,,,,,,1,
-java.net,2,3,4,,,,,2,,,,3,4,
-java.nio,10,,2,,10,,,,,,,,2,
-java.util,,,13,,,,,,,,,,13,
-javax.naming.directory,1,,,,,,1,,,,,,,
-javax.net.ssl,2,,,,,,,,2,,,,,
-javax.servlet,4,21,2,,,3,,,,,1,21,2,
-javax.validation,1,1,,1,,,,,,,,1,,
-javax.ws.rs.core,1,,,,,1,,,,,,,,
-javax.xml.transform.sax,,,4,,,,,,,,,,4,
-javax.xml.transform.stream,,,2,,,,,,,,,,2,
-org.apache.commons.codec,,,2,,,,,,,,,,2,
-org.apache.commons.io,,,22,,,,,,,,,,22,
-org.apache.commons.lang3,,,313,,,,,,,,,,299,14
-org.apache.commons.text,,,203,,,,,,,,,,203,
-org.apache.directory.ldap.client.api,1,,,,,,1,,,,,,,
-org.apache.hc.core5.function,,,1,,,,,,,,,,1,
-org.apache.hc.core5.http,1,2,39,,,,,,,,1,2,39,
-org.apache.hc.core5.net,,,2,,,,,,,,,,2,
-org.apache.hc.core5.util,,,22,,,,,,,,,,18,4
-org.apache.http,2,3,66,,,,,,,,2,3,59,7
-org.springframework.ldap.core,14,,,,,,14,,,,,,,
-org.springframework.web.client,,3,,,,,,,,,,3,,
-org.springframework.web.context.request,,8,,,,,,,,,,8,,
-org.springframework.web.multipart,,12,,,,,,,,,,12,,
-org.xml.sax,,,1,,,,,,,,,,1,
-org.xmlpull.v1,,3,,,,,,,,,,3,,
-play.mvc,,4,,,,,,,,,,4,,
+package,sink,source,summary,sink:bean-validation,sink:create-file,sink:header-splitting,sink:ldap,sink:open-url,sink:set-hostname-verifier,sink:url-open-stream,sink:xpath,sink:xss,source:remote,summary:taint,summary:value
+android.util,,16,,,,,,,,,,,16,,
+android.webkit,3,2,,,,,,,,,,3,2,,
+com.esotericsoftware.kryo.io,,,1,,,,,,,,,,,1,
+com.esotericsoftware.kryo5.io,,,1,,,,,,,,,,,1,
+com.fasterxml.jackson.databind,,,2,,,,,,,,,,,2,
+com.google.common.base,,,28,,,,,,,,,,,22,6
+com.google.common.io,6,,69,,,,,,,6,,,,68,1
+com.unboundid.ldap.sdk,17,,,,,,17,,,,,,,,
+java.beans,,,1,,,,,,,,,,,1,
+java.io,3,,20,,3,,,,,,,,,20,
+java.lang,,,1,,,,,,,,,,,1,
+java.net,2,3,4,,,,,2,,,,,3,4,
+java.nio,10,,2,,10,,,,,,,,,2,
+java.util,,,13,,,,,,,,,,,13,
+javax.naming.directory,1,,,,,,1,,,,,,,,
+javax.net.ssl,2,,,,,,,,2,,,,,,
+javax.servlet,4,21,2,,,3,,,,,,1,21,2,
+javax.validation,1,1,,1,,,,,,,,,1,,
+javax.ws.rs.core,1,,,,,1,,,,,,,,,
+javax.xml.transform.sax,,,4,,,,,,,,,,,4,
+javax.xml.transform.stream,,,2,,,,,,,,,,,2,
+javax.xml.xpath,3,,,,,,,,,,3,,,,
+org.apache.commons.codec,,,2,,,,,,,,,,,2,
+org.apache.commons.io,,,22,,,,,,,,,,,22,
+org.apache.commons.lang3,,,313,,,,,,,,,,,299,14
+org.apache.commons.text,,,203,,,,,,,,,,,203,
+org.apache.directory.ldap.client.api,1,,,,,,1,,,,,,,,
+org.apache.hc.core5.function,,,1,,,,,,,,,,,1,
+org.apache.hc.core5.http,1,2,39,,,,,,,,,1,2,39,
+org.apache.hc.core5.net,,,2,,,,,,,,,,,2,
+org.apache.hc.core5.util,,,22,,,,,,,,,,,18,4
+org.apache.http,2,3,66,,,,,,,,,2,3,59,7
+org.dom4j,20,,,,,,,,,,20,,,,
+org.springframework.ldap.core,14,,,,,,14,,,,,,,,
+org.springframework.web.client,,3,,,,,,,,,,,3,,
+org.springframework.web.context.request,,8,,,,,,,,,,,8,,
+org.springframework.web.multipart,,12,,,,,,,,,,,12,,
+org.xml.sax,,,1,,,,,,,,,,,1,
+org.xmlpull.v1,,3,,,,,,,,,,,3,,
+play.mvc,,4,,,,,,,,,,,4,,
diff --git a/java/documentation/library-coverage/flow-model-coverage.rst b/java/documentation/library-coverage/flow-model-coverage.rst
index 9fb925458a7..59bfbf73676 100644
--- a/java/documentation/library-coverage/flow-model-coverage.rst
+++ b/java/documentation/library-coverage/flow-model-coverage.rst
@@ -10,10 +10,10 @@ Java framework & library support
    Android,``android.*``,18,,3,,,3,,,,
    Apache,``org.apache.*``,5,648,4,,,3,,1,,
    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,22,,,,,,,,
-   Google,``com.google.common.*``,,96,6,,6,,,,,
+   Google,``com.google.common.*``,,97,6,,6,,,,,
    Java Standard Library,``java.*``,3,41,15,13,,,,,,2
-   Java extensions,``javax.*``,22,8,9,,,1,,1,1,
+   Java extensions,``javax.*``,22,8,12,,,1,,1,1,
    `Spring <https://spring.io/>`_,``org.springframework.*``,23,,14,,,,,14,,
-   Others,"``com.esotericsoftware.kryo.io``, ``com.unboundid.ldap.sdk``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``",7,2,17,,,,,17,,
-   Totals,,78,817,68,13,6,7,,33,1,2
+   Others,"``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.databind``, ``com.unboundid.ldap.sdk``, ``org.dom4j``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``",7,5,37,,,,,17,,
+   Totals,,78,821,91,13,6,7,,33,1,2
 

From b17ffbd2a409dcda7724526f92488f27d09fcf22 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 18 May 2021 15:25:42 +0200
Subject: [PATCH 1191/1429] Include all .ql and .qll files in PR path triggers

---
 .github/workflows/csv-coverage.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/csv-coverage.yml b/.github/workflows/csv-coverage.yml
index 2ecb3bdeb06..093d6ead060 100644
--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -13,7 +13,8 @@ on:
   pull_request:
     paths:
       - '.github/workflows/csv-coverage.yml'
-      - 'java/ql/src/meta/frameworks/Coverage.ql'
+      - '*/ql/src/**/*.ql'
+      - '*/ql/src/**/*.qll'
       - 'misc/scripts/library-coverage/*.py'
       # input data files
       - '*/documentation/library-coverage/cwe-sink.csv'

From 8880d0055e5dbebe501703660bbe4223663184f2 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 19 May 2021 09:45:44 +0200
Subject: [PATCH 1192/1429] Fix file formatting

---
 misc/scripts/library-coverage/settings.py | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/misc/scripts/library-coverage/settings.py b/misc/scripts/library-coverage/settings.py
index bda1140fc21..4e00a24edb8 100644
--- a/misc/scripts/library-coverage/settings.py
+++ b/misc/scripts/library-coverage/settings.py
@@ -1,10 +1,8 @@
 import sys
 
-
 generated_output_rst = "flow-model-coverage-{language}.rst"
 generated_output_csv = "flow-model-coverage-{language}.csv"
 
-
 # The CI job checks out the codebase to a subfolder
 data_prefix = ""
 
@@ -15,7 +13,6 @@ if sys.argv[0].endswith("generate-report.py"):
 if len(sys.argv) > index:
     data_prefix = sys.argv[index] + "/"
 
-
 documentation_folder = data_prefix + \
     "{language}/documentation/library-coverage/"
 

From 70b3066bb89b1660d8a819742f086c543ed1679c Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 25 May 2021 13:38:22 +0200
Subject: [PATCH 1193/1429] Add regenerated CSV reports

---
 java/documentation/library-coverage/flow-model-coverage.csv | 1 +
 java/documentation/library-coverage/flow-model-coverage.rst | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/java/documentation/library-coverage/flow-model-coverage.csv b/java/documentation/library-coverage/flow-model-coverage.csv
index 3f8b62f2efa..cf97071ad92 100644
--- a/java/documentation/library-coverage/flow-model-coverage.csv
+++ b/java/documentation/library-coverage/flow-model-coverage.csv
@@ -33,6 +33,7 @@ org.apache.hc.core5.util,,,22,,,,,,,,,,,18,4
 org.apache.http,2,3,66,,,,,,,,,2,3,59,7
 org.dom4j,20,,,,,,,,,,20,,,,
 org.springframework.ldap.core,14,,,,,,14,,,,,,,,
+org.springframework.security.web.savedrequest,,6,,,,,,,,,,,6,,
 org.springframework.web.client,,3,,,,,,,,,,,3,,
 org.springframework.web.context.request,,8,,,,,,,,,,,8,,
 org.springframework.web.multipart,,12,,,,,,,,,,,12,,
diff --git a/java/documentation/library-coverage/flow-model-coverage.rst b/java/documentation/library-coverage/flow-model-coverage.rst
index 59bfbf73676..8bb20a9b6c3 100644
--- a/java/documentation/library-coverage/flow-model-coverage.rst
+++ b/java/documentation/library-coverage/flow-model-coverage.rst
@@ -13,7 +13,7 @@ Java framework & library support
    Google,``com.google.common.*``,,97,6,,6,,,,,
    Java Standard Library,``java.*``,3,41,15,13,,,,,,2
    Java extensions,``javax.*``,22,8,12,,,1,,1,1,
-   `Spring <https://spring.io/>`_,``org.springframework.*``,23,,14,,,,,14,,
+   `Spring <https://spring.io/>`_,``org.springframework.*``,29,,14,,,,,14,,
    Others,"``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.databind``, ``com.unboundid.ldap.sdk``, ``org.dom4j``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``",7,5,37,,,,,17,,
-   Totals,,78,821,91,13,6,7,,33,1,2
+   Totals,,84,821,91,13,6,7,,33,1,2
 

From 78cc8f01d683b78a643937d77137870f574742a6 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 25 May 2021 14:11:03 +0200
Subject: [PATCH 1194/1429] C++: Shorter description.

---
 .../Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql   | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
index 34ce582fedb..5e211fc3da6 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql	
@@ -1,7 +1,6 @@
 /**
  * @name Potentially unsafe call to strncat
- * @description Calling `strncat` with the size of the destination buffer as the third argument may result in a buffer overflow.
- *              Similarly, calling `strncat` with `sizeof (dest) - strlen (dest)` as the third argument may result in a buffer overflow.
+ * @description Calling 'strncat' with an incorrect size argument may result in a buffer overflow.
  * @kind problem
  * @problem.severity warning
  * @precision medium

From b2bdf95a9dc368045c56ab08f325889f271238cd Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 25 May 2021 17:25:42 +0200
Subject: [PATCH 1195/1429] C++: Remove large antijoin in
 SwitchCase.getAStmt().

---
 cpp/ql/src/semmle/code/cpp/stmts/Stmt.qll | 37 +++++++++++++++++------
 1 file changed, 28 insertions(+), 9 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/stmts/Stmt.qll b/cpp/ql/src/semmle/code/cpp/stmts/Stmt.qll
index 0d555a6d340..e5caf0fd177 100644
--- a/cpp/ql/src/semmle/code/cpp/stmts/Stmt.qll
+++ b/cpp/ql/src/semmle/code/cpp/stmts/Stmt.qll
@@ -1136,6 +1136,22 @@ private predicate inForUpdate(Expr forUpdate, Expr child) {
   exists(Expr mid | inForUpdate(forUpdate, mid) and child.getParent() = mid)
 }
 
+/**
+ * Holds if `next` is the first `SwitchCase` after `case` that is enclosed by the `BlockStmt` `b`.
+ */
+pragma[nomagic]
+private predicate nextSwitchCaseInSameBlock(BlockStmt b, SwitchCase case, SwitchCase next) {
+  // If the next switch case is in the block `b` we're done.
+  case.getNextSwitchCase() = next and
+  next.getEnclosingBlock() = b
+  or
+  // Otherwise, skip past the next switch block when it's not enclosed in the block `b`.
+  exists(SwitchCase mid | mid = case.getNextSwitchCase() |
+    not mid.getEnclosingBlock() = b and
+    nextSwitchCaseInSameBlock(b, mid, next)
+  )
+}
+
 /**
  * A C/C++ 'switch case' statement.
  *
@@ -1331,16 +1347,19 @@ class SwitchCase extends Stmt, @stmt_switch_case {
    * `default:` has results `{ x = 3; }, `x = 4;` and `break;`.
    */
   Stmt getAStmt() {
-    exists(BlockStmt b, int i, int j |
-      b.getStmt(i) = this and
-      b.getStmt(j) = result and
-      i < j and
-      not result instanceof SwitchCase and
-      not exists(SwitchCase sc, int k |
-        b.getStmt(k) = sc and
-        i < k and
-        j > k
+    exists(BlockStmt b, int i | this = b.getStmt(i) |
+      // This is the most usual case:
+      // We locate the next `SwitchCase` and pick a statement between this `SwitchCase` and the `SwitchCase`
+      // in the `j`'th position in the block `b`.
+      exists(int j |
+        nextSwitchCaseInSameBlock(b, this,
+          pragma[only_bind_into](b).getStmt(pragma[only_bind_into](j))) and
+        result = b.getStmt(any(int k | i < k and k < j))
       )
+      or
+      // If there is no next switch case we pick any subsequent statement in the block `b`.
+      not nextSwitchCaseInSameBlock(b, this, _) and
+      result = b.getStmt(any(int k | i < k))
     )
   }
 

From 55045626df5f48f9acb5912491505d1910803c56 Mon Sep 17 00:00:00 2001
From: Evgenii Protsenko <procenkoeg@yandex.ru>
Date: Tue, 25 May 2021 22:38:27 +0300
Subject: [PATCH 1196/1429] C++: SqlPqxxTainted.ql style fixes

---
 .../Security/CWE/CWE-089/SqlPqxxTainted.qhelp |  4 +-
 .../Security/CWE/CWE-089/SqlPqxxTainted.ql    | 49 ++++---------------
 2 files changed, 12 insertions(+), 41 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.qhelp
index e92015edecf..1c01b3e4f3a 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.qhelp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.qhelp
@@ -12,11 +12,11 @@ to <code>sprintf</code>. This leaves the code vulnerable to attack by SQL Inject
 <recommendation>
 
 <p>Use a library routine to escape characters in the user-supplied
-string before converting it to SQL. Use esc and quote pqxx library functions.</p>
+string before converting it to SQL. Use <code>esc</code> and <code>quote</code> pqxx library functions.</p>
 
 </recommendation>
 <example>
-<sample src="SqlPqxxTainted.c" />
+<sample src="SqlPqxxTainted.cpp" />
 
 </example>
 <references>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql b/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql
index 9048c8fdab1..d1bbeaad490 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql
@@ -16,32 +16,17 @@ import semmle.code.cpp.security.Security
 import semmle.code.cpp.dataflow.TaintTracking
 import DataFlow::PathGraph
 
-predicate pqxxTransationClassNames(string class_name, string namespace) {
-  class_name = "dbtransaction" and namespace = "pqxx"
-  or
-  class_name = "nontransaction" and namespace = "pqxx"
-  or
-  class_name = "basic_robusttransaction" and namespace = "pqxx"
-  or
-  class_name = "robusttransaction" and namespace = "pqxx"
-  or
-  class_name = "subtransaction" and namespace = "pqxx"
-  or
-  class_name = "transaction" and namespace = "pqxx"
-  or
-  class_name = "basic_transaction" and namespace = "pqxx"
-  or
-  class_name = "transaction_base" and namespace = "pqxx"
-  or
-  class_name = "work" and namespace = "pqxx"
+predicate pqxxTransationClassNames(string className, string namespace) {
+  namespace = "pqxx" and
+  className in [
+      "dbtransaction", "nontransaction", "basic_robusttransaction", "robusttransaction",
+      "subtransaction", "transaction", "basic_transaction", "transaction_base", "work"
+    ]
 }
 
-predicate pqxxConnectionClassNames(string class_name, string namespace) {
-  class_name = "connection_base" and namespace = "pqxx"
-  or
-  class_name = "basic_connection" and namespace = "pqxx"
-  or
-  class_name = "connection" and namespace = "pqxx"
+predicate pqxxConnectionClassNames(string className, string namespace) {
+  namespace = "pqxx" and
+  className in ["connection_base", "basic_connection", "connection"]
 }
 
 predicate pqxxTransactionSqlArgument(string function, int arg) {
@@ -89,21 +74,7 @@ Expr getPqxxSqlArgument() {
 
 predicate pqxxEscapeArgument(string function, int arg) {
   arg = 0 and
-  (
-    function = "esc"
-    or
-    function = "esc_raw"
-    or
-    function = "quote"
-    or
-    function = "quote_raw"
-    or
-    function = "quote_name"
-    or
-    function = "quote_table"
-    or
-    function = "esc_like"
-  )
+  function in ["esc", "esc_raw", "quote", "quote_raw", "quote_name", "quote_table", "esc_like"]
 }
 
 predicate isEscapedPqxxArgument(Expr argExpr) {

From 7c2100efd95fdd76e0d8ace99a7b6cbb26d72c63 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Wed, 26 May 2021 09:15:46 +0300
Subject: [PATCH 1197/1429] Apply suggestions from code review

thanks for your corrections.
and of course sorry for my text.

Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
---
 .../src/experimental/Security/CWE/CWE-415/DoubleFree.qhelp   | 2 +-
 cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql   | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.qhelp
index f30d2f2c48b..23d2e99aad1 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.qhelp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.qhelp
@@ -3,7 +3,7 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>Double freeing of a previously allocated resource can lead to various vulnerabilities in the program. Requires the attention of developers.</p>
+<p>Freeing a previously allocated resource twice can lead to various vulnerabilities in the program.</p>
 
 </overview>
 <recommendation>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql b/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql
index bb799ec4d52..0544c2aefd5 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql
@@ -1,9 +1,8 @@
 /**
  * @name Errors When Double Free
- * @description Double freeing of a previously allocated resource can lead to various vulnerabilities in the program
- *              and requires the attention of the developer.
+ * @description Freeing a previously allocated resource twice can lead to various vulnerabilities in the program.
  * @kind problem
- * @id cpp/errors-when-double-free
+ * @id cpp/double-free
  * @problem.severity warning
  * @precision medium
  * @tags security

From fbf95df537fba486782038c21b44df0ebc042e03 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Wed, 26 May 2021 09:27:20 +0300
Subject: [PATCH 1198/1429] Update DoubleFree.c

---
 cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.c b/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.c
index 978ca445215..ce7fcc6846e 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.c
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.c
@@ -2,7 +2,8 @@
   buf = malloc(intSize);
 ...
   free(buf); 
-  buf = NULL; // GOOD
+  buf = NULL;
+  if(buf) free(buf); // GOOD
 ...
 
 ...

From 2909dde1798290c51469a69a02d68157e59dc15f Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Wed, 26 May 2021 09:31:15 +0300
Subject: [PATCH 1199/1429] Update test.c

---
 .../query-tests/Security/CWE/CWE-415/semmle/tests/test.c  | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c
index 22cd6a536f4..15ef179a0cd 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c
@@ -46,21 +46,21 @@ void workFunction_4(char *s) {
   buf = tmpbuf;
   free(buf); // GOOD
 }
-void workFunction_5(char *s) {
+void workFunction_5(char *s, int intFlag) {
   int intSize = 10;
   char *buf;
-  int intFlag;
+
   buf = (char *) malloc(intSize);
   if(intFlag) {
     free(buf); // GOOD
   }
   free(buf); // BAD
 }
-void workFunction_6(char *s) {
+void workFunction_6(char *s, int intFlag;) {
   int intSize = 10;
   char *buf;
   char *tmpbuf;
-  int intFlag;
+
   tmpbuf = (char *) malloc(intSize);
   buf = (char *) malloc(intSize);
   if(intFlag) {

From 9088475339391bf4ac9e0e7c79a0d8d1bb4bf043 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Wed, 26 May 2021 09:44:03 +0300
Subject: [PATCH 1200/1429] Update DoubleFree.qhelp

---
 cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.qhelp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.qhelp
index 23d2e99aad1..69ef348be34 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.qhelp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.qhelp
@@ -7,7 +7,7 @@
 
 </overview>
 <recommendation>
-<p>We recommend that you exclude situations of possible double release.</p>
+<p>We recommend that you exclude situations of possible double release. For example, use the assignment NULL to a freed variable.</p>
 
 </recommendation>
 <example>

From f807c2f52b9ce04ba63831d5dbe8cbdb9cc54dae Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 26 May 2021 11:07:48 +0200
Subject: [PATCH 1201/1429] Python: autoformat

---
 python/ql/src/experimental/semmle/python/Frameworks.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/experimental/semmle/python/Frameworks.qll b/python/ql/src/experimental/semmle/python/Frameworks.qll
index b64532dda7c..5a77fc63a7d 100644
--- a/python/ql/src/experimental/semmle/python/Frameworks.qll
+++ b/python/ql/src/experimental/semmle/python/Frameworks.qll
@@ -3,4 +3,4 @@
  */
 
 private import experimental.semmle.python.frameworks.Stdlib
-private import experimental.semmle.python.frameworks.LDAP
\ No newline at end of file
+private import experimental.semmle.python.frameworks.LDAP

From f9ede97fcd1dc552de4a152f2a39dcbc6229a53c Mon Sep 17 00:00:00 2001
From: Ian Lynagh <igfoo@github.com>
Date: Wed, 26 May 2021 17:38:49 +0100
Subject: [PATCH 1202/1429] C++: Update the ReturnValueIgnored.qhelp docs to
 match the code

---
 cpp/ql/src/Critical/ReturnValueIgnored.qhelp | 2 +-
 cpp/ql/src/Critical/ReturnValueIgnored.ql    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/Critical/ReturnValueIgnored.qhelp b/cpp/ql/src/Critical/ReturnValueIgnored.qhelp
index de0636987a0..d82daf6d149 100644
--- a/cpp/ql/src/Critical/ReturnValueIgnored.qhelp
+++ b/cpp/ql/src/Critical/ReturnValueIgnored.qhelp
@@ -7,7 +7,7 @@
 <overview>
 <p>
 This rule finds calls to a function that ignore the return value. A function call is only marked 
-as a violation if at least 80% of the total calls to that function check the return value. Not 
+as a violation if at least 90% of the total calls to that function check the return value. Not
 checking a return value is a common source of defects from standard library functions like <code>malloc</code> or <code>fread</code>.
 These functions return the status information and the return values should always be checked 
 to see if the operation succeeded before operating on any data modified or resources allocated by these functions.
diff --git a/cpp/ql/src/Critical/ReturnValueIgnored.ql b/cpp/ql/src/Critical/ReturnValueIgnored.ql
index b9143085720..b4a4a044068 100644
--- a/cpp/ql/src/Critical/ReturnValueIgnored.ql
+++ b/cpp/ql/src/Critical/ReturnValueIgnored.ql
@@ -1,6 +1,6 @@
 /**
  * @name Return value of a function is ignored
- * @description A call to a function ignores its return value, but more than 80% of the total number of calls to the function check the return value. Check the return value of functions consistently, especially for functions like 'fread' or the 'scanf' functions that return the status of the operation.
+ * @description A call to a function ignores its return value, but at least 90% of the total number of calls to the function check the return value. Check the return value of functions consistently, especially for functions like 'fread' or the 'scanf' functions that return the status of the operation.
  * @kind problem
  * @id cpp/return-value-ignored
  * @problem.severity recommendation

From f0bec74ce33db3f4defc65716c5dfcf0889bfcba Mon Sep 17 00:00:00 2001
From: Ian Lynagh <igfoo@github.com>
Date: Wed, 26 May 2021 17:40:39 +0100
Subject: [PATCH 1203/1429] python: Correct the ReturnValueIgnored.qhelp docs

---
 python/ql/src/Functions/ReturnValueIgnored.qhelp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/Functions/ReturnValueIgnored.qhelp b/python/ql/src/Functions/ReturnValueIgnored.qhelp
index 7081d247112..4c0862fea46 100644
--- a/python/ql/src/Functions/ReturnValueIgnored.qhelp
+++ b/python/ql/src/Functions/ReturnValueIgnored.qhelp
@@ -9,7 +9,7 @@ information being thrown away.</p>
 
 <p>A return value is considered to be trivial if it is <code>None</code> or it is a parameter (parameters, usually <code>self</code> are often
 returned to assist with method chaining, but can be ignored).
-A return value is also assumed to be trivial if it is ignored for 75% or more of calls.
+A return value is also assumed to be trivial if it is ignored for more than 25% of calls.
 </p>
 
 </overview>

From efa657d47cfa818623cf1ec6c72b8990e78ec7b6 Mon Sep 17 00:00:00 2001
From: Evgenii Protsenko <procenkoeg@yandex.ru>
Date: Thu, 27 May 2021 00:13:54 +0300
Subject: [PATCH 1204/1429] C++: SqlPqxxTainted.ql Add namespace check

---
 .../Security/CWE/CWE-089/SqlPqxxTainted.ql          | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql b/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql
index d1bbeaad490..8de55953b15 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql
@@ -54,7 +54,7 @@ predicate pqxxTransactionSqlArgument(string function, int arg) {
 predicate pqxxConnectionSqlArgument(string function, int arg) { function = "prepare" and arg = 1 }
 
 Expr getPqxxSqlArgument() {
-  exists(FunctionCall fc, Expr e, int argIndex, Type t |
+  exists(FunctionCall fc, Expr e, int argIndex, UserType t |
     // examples: 'work' for 'work.exec(...)'; '->' for 'tx->exec()'.
     e = fc.getQualifier() and
     // to find ConnectionHandle/TransationHandle and similar classes which override '->' operator behavior
@@ -62,10 +62,10 @@ Expr getPqxxSqlArgument() {
     e.getType().refersTo(t) and
     // transaction exec and connection prepare variations
     (
-      pqxxTransationClassNames(t.getName(), _) and
+      pqxxTransationClassNames(t.getName(), t.getNamespace().getName()) and
       pqxxTransactionSqlArgument(fc.getTarget().getName(), argIndex)
       or
-      pqxxConnectionClassNames(t.getName(), _) and
+      pqxxConnectionClassNames(t.getName(), t.getNamespace().getName()) and
       pqxxConnectionSqlArgument(fc.getTarget().getName(), argIndex)
     ) and
     result = fc.getArgument(argIndex)
@@ -78,14 +78,17 @@ predicate pqxxEscapeArgument(string function, int arg) {
 }
 
 predicate isEscapedPqxxArgument(Expr argExpr) {
-  exists(FunctionCall fc, Expr e, int argIndex, Type t |
+  exists(FunctionCall fc, Expr e, int argIndex, UserType t |
     // examples: 'work' for 'work.exec(...)'; '->' for 'tx->exec()'.
     e = fc.getQualifier() and
     // to find ConnectionHandle/TransationHandle and similar classes which override '->' operator behavior
     // and return pointer to a connection/transation object
     e.getType().refersTo(t) and
     // transaction and connection escape functions
-    (pqxxTransationClassNames(t.getName(), _) or pqxxConnectionClassNames(t.getName(), _)) and
+    (
+      pqxxTransationClassNames(t.getName(), t.getNamespace().getName()) or
+      pqxxConnectionClassNames(t.getName(), t.getNamespace().getName())
+    ) and
     pqxxEscapeArgument(fc.getTarget().getName(), argIndex) and
     // is escaped arg == argExpr
     argExpr = fc.getArgument(argIndex)

From 71a860a356a46740a84d0be73f69776f12e0b601 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 27 May 2021 11:23:11 +0200
Subject: [PATCH 1205/1429] C++: Exclude custom operator new allocators from
 the ThrowingAllocator class.

---
 .../IncorrectAllocationErrorHandling.ql       | 28 ++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
index 2e966166330..14d5d644a79 100644
--- a/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+++ b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -153,12 +153,38 @@ predicate exprMayThrow(Expr e) {
   )
 }
 
+class NoThrowType extends Struct {
+  NoThrowType() { this.hasGlobalOrStdOrBslName("nothrow_t") }
+}
+
 /** An allocator that might throw an exception. */
 class ThrowingAllocator extends Function {
   ThrowingAllocator() {
     exists(NewOrNewArrayExpr newExpr |
       newExpr.getAllocator() = this and
-      functionMayThrow(this)
+      // Exclude custom overloads of `operator new`.
+      // What we really want here is to only include the functions that satisfy `functionMayThrow`, but
+      // there seems to be examples where `throw()` isn't extracted (which causes false positives).
+      //
+      // As noted in the QLDoc for `Function.getAllocatorCall`:
+      //
+      // "As a rule of thumb, there will be an allocator call precisely when the type
+      // being allocated has a custom `operator new`, or when an argument list appears
+      // after the `new` keyword and before the name of the type being allocated.
+      //
+      // In particular note that uses of placement-new and nothrow-new will have an
+      // allocator call."
+      //
+      // So we say an allocator might throw if:
+      // 1. It doesn't have a body
+      // 2. there is a parameter that is not `nothrow`
+      // 3. the allocator isn't marked with `throw()` or `noexcept`.
+      not exists(this.getBlock()) and
+      exists(Parameter p | p = this.getAParameter() |
+        not p.getUnspecifiedType() instanceof NoThrowType
+      ) and
+      not this.isNoExcept() and
+      not this.isNoThrow()
     )
   }
 }

From 4107e350cb39dee631ad69ab8c4926c3566d94d7 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Thu, 27 May 2021 11:39:03 +0200
Subject: [PATCH 1206/1429] C++: Add qldoc to NoThrowType.

---
 .../src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
index 14d5d644a79..777da533560 100644
--- a/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+++ b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -153,6 +153,7 @@ predicate exprMayThrow(Expr e) {
   )
 }
 
+/** The `std::nothrow_t` class and its `bsl` variant. */
 class NoThrowType extends Struct {
   NoThrowType() { this.hasGlobalOrStdOrBslName("nothrow_t") }
 }

From 79989cc3f463fa0b83c6f29d36532e58ba95611f Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 27 May 2021 21:36:27 +0200
Subject: [PATCH 1207/1429] CPP/Java: Fix getAPrimaryQlClass implementations

---
 cpp/ql/src/semmle/code/cpp/Specifier.qll   | 2 +-
 java/ql/src/semmle/code/java/Statement.qll | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/Specifier.qll b/cpp/ql/src/semmle/code/cpp/Specifier.qll
index 1c1eb0c090a..4a425b690f4 100644
--- a/cpp/ql/src/semmle/code/cpp/Specifier.qll
+++ b/cpp/ql/src/semmle/code/cpp/Specifier.qll
@@ -37,7 +37,7 @@ class FunctionSpecifier extends Specifier {
     this.hasName("explicit")
   }
 
-  override string getAPrimaryQlClass() { result = "FunctionSpecifier)" }
+  override string getAPrimaryQlClass() { result = "FunctionSpecifier" }
 }
 
 /**
diff --git a/java/ql/src/semmle/code/java/Statement.qll b/java/ql/src/semmle/code/java/Statement.qll
index ba56564ae51..97a09ac4e6b 100755
--- a/java/ql/src/semmle/code/java/Statement.qll
+++ b/java/ql/src/semmle/code/java/Statement.qll
@@ -739,7 +739,7 @@ class LabeledStmt extends Stmt, @labeledstmt {
   /** This statement's Halstead ID (used to compute Halstead metrics). */
   override string getHalsteadID() { result = this.getLabel() + ":" }
 
-  override string getAPrimaryQlClass() { result = "LabelStmt" }
+  override string getAPrimaryQlClass() { result = "LabeledStmt" }
 }
 
 /** An `assert` statement. */

From b41a06a15ca9138f69ff503952e26732af85228d Mon Sep 17 00:00:00 2001
From: Aditya Sharad <adityasharad@github.com>
Date: Thu, 27 May 2021 13:20:22 -0700
Subject: [PATCH 1208/1429] Python: Treat `py/summary/lines-of-user-code` as
 the primary summary metric

Move the `lines-of-code` tag from `py/summary/lines-of-code`.
Code Scanning will eventually look for this tag.

The intent is to treat the number of lines of user code for Python as the summary of
how much code was analysed, ignoring both external libraries and generated code.
This matches the current baseline metric the CodeQL Action computes for Python.
We'll revisit this decision, and the baseline, if necessary.
---
 python/ql/src/Summary/LinesOfCode.ql     | 1 -
 python/ql/src/Summary/LinesOfUserCode.ql | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/src/Summary/LinesOfCode.ql b/python/ql/src/Summary/LinesOfCode.ql
index ad0b77730de..d9bfc4f872c 100644
--- a/python/ql/src/Summary/LinesOfCode.ql
+++ b/python/ql/src/Summary/LinesOfCode.ql
@@ -5,7 +5,6 @@
  *   database. This query counts the lines of code, excluding whitespace or comments.
  * @kind metric
  * @tags summary
- *       lines-of-code
  * @id py/summary/lines-of-code
  */
 
diff --git a/python/ql/src/Summary/LinesOfUserCode.ql b/python/ql/src/Summary/LinesOfUserCode.ql
index 94940d5fa18..528ae948cd7 100644
--- a/python/ql/src/Summary/LinesOfUserCode.ql
+++ b/python/ql/src/Summary/LinesOfUserCode.ql
@@ -7,6 +7,7 @@
  *   be counted as user written code.
  * @kind metric
  * @tags summary
+ *       lines-of-code
  * @id py/summary/lines-of-user-code
  */
 

From 706874491bf8bb59e1d4bc8633421dfd63e67150 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Fri, 21 May 2021 13:44:03 +0200
Subject: [PATCH 1209/1429] Remove XSS sink for Java

---
 java/ql/src/semmle/code/java/security/XSS.qll | 1 -
 1 file changed, 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/security/XSS.qll b/java/ql/src/semmle/code/java/security/XSS.qll
index 486e8053953..14f10cad9c8 100644
--- a/java/ql/src/semmle/code/java/security/XSS.qll
+++ b/java/ql/src/semmle/code/java/security/XSS.qll
@@ -34,7 +34,6 @@ private class DefaultXssSinkModel extends SinkModelCsv {
   override predicate row(string row) {
     row =
       [
-        "javax.servlet.http;HttpServletResponse;false;sendError;(int,String);;Argument[1];xss",
         "android.webkit;WebView;false;loadData;;;Argument[0];xss",
         "android.webkit;WebView;false;loadUrl;;;Argument[0];xss",
         "android.webkit;WebView;false;loadDataWithBaseURL;;;Argument[1];xss"

From 735e4e4b7bcf0e55811652e7fd02639c51eb312b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Fri, 28 May 2021 13:44:16 +0200
Subject: [PATCH 1210/1429] update failing tests

---
 .../query-tests/security/CWE-079/semmle/tests/XSS.expected    | 4 ----
 .../test/query-tests/security/CWE-079/semmle/tests/XSS.java   | 4 ++--
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.expected b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.expected
index ed67a987e84..c800f627c64 100644
--- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.expected
+++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.expected
@@ -1,19 +1,15 @@
 edges
 | XSS.java:23:21:23:48 | getParameter(...) : String | XSS.java:23:5:23:70 | ... + ... |
-| XSS.java:27:21:27:48 | getParameter(...) : String | XSS.java:27:5:27:70 | ... + ... |
 | XSS.java:38:67:38:87 | getPathInfo(...) : String | XSS.java:38:30:38:87 | ... + ... |
 | XSS.java:41:36:41:56 | getPathInfo(...) : String | XSS.java:41:36:41:67 | getBytes(...) |
 nodes
 | XSS.java:23:5:23:70 | ... + ... | semmle.label | ... + ... |
 | XSS.java:23:21:23:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| XSS.java:27:5:27:70 | ... + ... | semmle.label | ... + ... |
-| XSS.java:27:21:27:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | XSS.java:38:30:38:87 | ... + ... | semmle.label | ... + ... |
 | XSS.java:38:67:38:87 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
 | XSS.java:41:36:41:56 | getPathInfo(...) : String | semmle.label | getPathInfo(...) : String |
 | XSS.java:41:36:41:67 | getBytes(...) | semmle.label | getBytes(...) |
 #select
 | XSS.java:23:5:23:70 | ... + ... | XSS.java:23:21:23:48 | getParameter(...) : String | XSS.java:23:5:23:70 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:23:21:23:48 | getParameter(...) | user-provided value |
-| XSS.java:27:5:27:70 | ... + ... | XSS.java:27:21:27:48 | getParameter(...) : String | XSS.java:27:5:27:70 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:27:21:27:48 | getParameter(...) | user-provided value |
 | XSS.java:38:30:38:87 | ... + ... | XSS.java:38:67:38:87 | getPathInfo(...) : String | XSS.java:38:30:38:87 | ... + ... | Cross-site scripting vulnerability due to $@. | XSS.java:38:67:38:87 | getPathInfo(...) | user-provided value |
 | XSS.java:41:36:41:67 | getBytes(...) | XSS.java:41:36:41:56 | getPathInfo(...) : String | XSS.java:41:36:41:67 | getBytes(...) | Cross-site scripting vulnerability due to $@. | XSS.java:41:36:41:56 | getPathInfo(...) | user-provided value |
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java
index 54e60a13086..3ebaac47819 100644
--- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java
+++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java
@@ -22,7 +22,7 @@ public class XSS extends HttpServlet {
 		response.getWriter().print(
 				"The page \"" + request.getParameter("page") + "\" was not found.");
 
-		// BAD: a request parameter is written directly to an error response page
+		// GOOD: servlet API encodes the error message HTML for the HTML context
 		response.sendError(HttpServletResponse.SC_NOT_FOUND,
 				"The page \"" + request.getParameter("page") + "\" was not found.");
 
@@ -30,7 +30,7 @@ public class XSS extends HttpServlet {
 		response.sendError(HttpServletResponse.SC_NOT_FOUND,
 				"The page \"" + encodeForHtml(request.getParameter("page")) + "\" was not found.");
 		
-		// FALSE NEGATIVE: passed through function that is not a secure check
+		// GOOD: servlet API encodes the error message HTML for the HTML context
 		response.sendError(HttpServletResponse.SC_NOT_FOUND,
 				"The page \"" + capitalizeName(request.getParameter("page")) + "\" was not found.");
 		

From db2f05ac248566ed9612bd615879e97a3381f424 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Fri, 28 May 2021 13:48:48 +0200
Subject: [PATCH 1211/1429] Updated Java change notes

---
 java/change-notes/2021-05-28-remove-senderror-xss-sink.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 java/change-notes/2021-05-28-remove-senderror-xss-sink.md

diff --git a/java/change-notes/2021-05-28-remove-senderror-xss-sink.md b/java/change-notes/2021-05-28-remove-senderror-xss-sink.md
new file mode 100644
index 00000000000..7b4959f7056
--- /dev/null
+++ b/java/change-notes/2021-05-28-remove-senderror-xss-sink.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Cross-site scripting" (`java/xss`) has been improved to report fewer false positives by removing the `javax.servlet.http.HttpServletResponse.sendError` sink since the Servlet API implementations already encode the error message for the HTML context.

From 5a894ac7f78c4617d242d719581452df7bc2148b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Fri, 28 May 2021 14:07:12 +0200
Subject: [PATCH 1212/1429] update java library coverage documentation

---
 java/documentation/library-coverage/flow-model-coverage.csv | 2 +-
 java/documentation/library-coverage/flow-model-coverage.rst | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/java/documentation/library-coverage/flow-model-coverage.csv b/java/documentation/library-coverage/flow-model-coverage.csv
index cf97071ad92..73f06306193 100644
--- a/java/documentation/library-coverage/flow-model-coverage.csv
+++ b/java/documentation/library-coverage/flow-model-coverage.csv
@@ -15,7 +15,7 @@ java.nio,10,,2,,10,,,,,,,,,2,
 java.util,,,13,,,,,,,,,,,13,
 javax.naming.directory,1,,,,,,1,,,,,,,,
 javax.net.ssl,2,,,,,,,,2,,,,,,
-javax.servlet,4,21,2,,,3,,,,,,1,21,2,
+javax.servlet,3,21,2,,,3,,,,,,,21,2,
 javax.validation,1,1,,1,,,,,,,,,1,,
 javax.ws.rs.core,1,,,,,1,,,,,,,,,
 javax.xml.transform.sax,,,4,,,,,,,,,,,4,
diff --git a/java/documentation/library-coverage/flow-model-coverage.rst b/java/documentation/library-coverage/flow-model-coverage.rst
index 8bb20a9b6c3..bad79a93c06 100644
--- a/java/documentation/library-coverage/flow-model-coverage.rst
+++ b/java/documentation/library-coverage/flow-model-coverage.rst
@@ -12,8 +12,8 @@ Java framework & library support
    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,22,,,,,,,,
    Google,``com.google.common.*``,,97,6,,6,,,,,
    Java Standard Library,``java.*``,3,41,15,13,,,,,,2
-   Java extensions,``javax.*``,22,8,12,,,1,,1,1,
+   Java extensions,``javax.*``,22,8,11,,,,,1,1,
    `Spring <https://spring.io/>`_,``org.springframework.*``,29,,14,,,,,14,,
    Others,"``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.databind``, ``com.unboundid.ldap.sdk``, ``org.dom4j``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``",7,5,37,,,,,17,,
-   Totals,,84,821,91,13,6,7,,33,1,2
+   Totals,,84,821,90,13,6,6,,33,1,2
 

From f60df3b26a315d665df05edf7bdb99cfa59341be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= <pwntester@github.com>
Date: Fri, 28 May 2021 13:52:31 +0200
Subject: [PATCH 1213/1429] Update
 java/change-notes/2021-05-28-remove-senderror-xss-sink.md

Co-authored-by: Chris Smowton <smowton@github.com>
---
 java/change-notes/2021-05-28-remove-senderror-xss-sink.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/change-notes/2021-05-28-remove-senderror-xss-sink.md b/java/change-notes/2021-05-28-remove-senderror-xss-sink.md
index 7b4959f7056..5dd245bcb52 100644
--- a/java/change-notes/2021-05-28-remove-senderror-xss-sink.md
+++ b/java/change-notes/2021-05-28-remove-senderror-xss-sink.md
@@ -1,2 +1,2 @@
 lgtm,codescanning
-* The query "Cross-site scripting" (`java/xss`) has been improved to report fewer false positives by removing the `javax.servlet.http.HttpServletResponse.sendError` sink since the Servlet API implementations already encode the error message for the HTML context.
+* The query "Cross-site scripting" (`java/xss`) has been improved to report fewer false positives by removing the `javax.servlet.http.HttpServletResponse.sendError` sink since Servlet API implementations generally already escape the error message, preventing script injection.

From b947334eeac04443603bc64bd21bc515037423ee Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Fri, 28 May 2021 16:48:47 +0200
Subject: [PATCH 1214/1429] CPP: make some parameter names consistent with the
 names used in the super class

---
 .../semmle/code/cpp/controlflow/IRGuards.qll  | 20 +++++++++----------
 .../raw/internal/TranslatedFunction.qll       |  4 ++--
 .../src/experimental/ir/internal/IRGuards.qll | 20 +++++++++----------
 3 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/controlflow/IRGuards.qll b/cpp/ql/src/semmle/code/cpp/controlflow/IRGuards.qll
index 656496325af..d96fc34259c 100644
--- a/cpp/ql/src/semmle/code/cpp/controlflow/IRGuards.qll
+++ b/cpp/ql/src/semmle/code/cpp/controlflow/IRGuards.qll
@@ -125,17 +125,17 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardCondition {
     )
   }
 
-  override predicate comparesEq(Expr left, Expr right, int k, boolean isLessThan, boolean testIsTrue) {
+  override predicate comparesEq(Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue) {
     exists(boolean partIsTrue, GuardCondition part |
       this.(BinaryLogicalOperation).impliesValue(part, partIsTrue, testIsTrue)
     |
-      part.comparesEq(left, right, k, isLessThan, partIsTrue)
+      part.comparesEq(left, right, k, areEqual, partIsTrue)
     )
   }
 
-  override predicate ensuresEq(Expr left, Expr right, int k, BasicBlock block, boolean isLessThan) {
+  override predicate ensuresEq(Expr left, Expr right, int k, BasicBlock block, boolean areEqual) {
     exists(boolean testIsTrue |
-      comparesEq(left, right, k, isLessThan, testIsTrue) and this.controls(block, testIsTrue)
+      comparesEq(left, right, k, areEqual, testIsTrue) and this.controls(block, testIsTrue)
     )
   }
 }
@@ -154,20 +154,20 @@ private class GuardConditionFromShortCircuitNot extends GuardCondition, NotExpr
     getOperand().(GuardCondition).controls(controlled, testIsTrue.booleanNot())
   }
 
-  override predicate comparesLt(Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue) {
-    getOperand().(GuardCondition).comparesLt(left, right, k, areEqual, testIsTrue.booleanNot())
+  override predicate comparesLt(Expr left, Expr right, int k, boolean isLessThan, boolean testIsTrue) {
+    getOperand().(GuardCondition).comparesLt(left, right, k, isLessThan, testIsTrue.booleanNot())
   }
 
-  override predicate ensuresLt(Expr left, Expr right, int k, BasicBlock block, boolean testIsTrue) {
-    getOperand().(GuardCondition).ensuresLt(left, right, k, block, testIsTrue.booleanNot())
+  override predicate ensuresLt(Expr left, Expr right, int k, BasicBlock block, boolean isLessThan) {
+    getOperand().(GuardCondition).ensuresLt(left, right, k, block, isLessThan.booleanNot())
   }
 
   override predicate comparesEq(Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue) {
     getOperand().(GuardCondition).comparesEq(left, right, k, areEqual, testIsTrue.booleanNot())
   }
 
-  override predicate ensuresEq(Expr left, Expr right, int k, BasicBlock block, boolean testIsTrue) {
-    getOperand().(GuardCondition).ensuresEq(left, right, k, block, testIsTrue.booleanNot())
+  override predicate ensuresEq(Expr left, Expr right, int k, BasicBlock block, boolean areEqual) {
+    getOperand().(GuardCondition).ensuresEq(left, right, k, block, areEqual.booleanNot())
   }
 }
 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
index f55d661b202..2a0b58ce96a 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll
@@ -725,9 +725,9 @@ abstract class TranslatedReadEffect extends TranslatedElement {
 
   override Instruction getChildSuccessor(TranslatedElement child) { none() }
 
-  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind edge) {
+  override Instruction getInstructionSuccessor(InstructionTag tag, EdgeKind kind) {
     tag = OnlyInstructionTag() and
-    edge = EdgeKind::gotoEdge() and
+    kind = EdgeKind::gotoEdge() and
     result = getParent().getChildSuccessor(this)
   }
 
diff --git a/csharp/ql/src/experimental/ir/internal/IRGuards.qll b/csharp/ql/src/experimental/ir/internal/IRGuards.qll
index a505e54c37e..d01dcbed1e1 100644
--- a/csharp/ql/src/experimental/ir/internal/IRGuards.qll
+++ b/csharp/ql/src/experimental/ir/internal/IRGuards.qll
@@ -151,17 +151,17 @@ private class GuardConditionFromBinaryLogicalOperator extends GuardCondition {
     )
   }
 
-  override predicate comparesEq(Expr left, Expr right, int k, boolean isLessThan, boolean testIsTrue) {
+  override predicate comparesEq(Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue) {
     exists(boolean partIsTrue, GuardCondition part |
       impliesValue(this.(BinaryLogicalOperation), part, partIsTrue, testIsTrue)
     |
-      part.comparesEq(left, right, k, isLessThan, partIsTrue)
+      part.comparesEq(left, right, k, areEqual, partIsTrue)
     )
   }
 
-  override predicate ensuresEq(Expr left, Expr right, int k, BasicBlock block, boolean isLessThan) {
+  override predicate ensuresEq(Expr left, Expr right, int k, BasicBlock block, boolean areEqual) {
     exists(boolean testIsTrue |
-      comparesEq(left, right, k, isLessThan, testIsTrue) and this.controls(block, testIsTrue)
+      comparesEq(left, right, k, areEqual, testIsTrue) and this.controls(block, testIsTrue)
     )
   }
 }
@@ -180,20 +180,20 @@ private class GuardConditionFromShortCircuitNot extends GuardCondition, LogicalN
     getOperand().(GuardCondition).controls(controlled, testIsTrue.booleanNot())
   }
 
-  override predicate comparesLt(Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue) {
-    getOperand().(GuardCondition).comparesLt(left, right, k, areEqual, testIsTrue.booleanNot())
+  override predicate comparesLt(Expr left, Expr right, int k, boolean isLessThan, boolean testIsTrue) {
+    getOperand().(GuardCondition).comparesLt(left, right, k, isLessThan, testIsTrue.booleanNot())
   }
 
-  override predicate ensuresLt(Expr left, Expr right, int k, BasicBlock block, boolean testIsTrue) {
-    getOperand().(GuardCondition).ensuresLt(left, right, k, block, testIsTrue.booleanNot())
+  override predicate ensuresLt(Expr left, Expr right, int k, BasicBlock block, boolean isLessThan) {
+    getOperand().(GuardCondition).ensuresLt(left, right, k, block, isLessThan.booleanNot())
   }
 
   override predicate comparesEq(Expr left, Expr right, int k, boolean areEqual, boolean testIsTrue) {
     getOperand().(GuardCondition).comparesEq(left, right, k, areEqual, testIsTrue.booleanNot())
   }
 
-  override predicate ensuresEq(Expr left, Expr right, int k, BasicBlock block, boolean testIsTrue) {
-    getOperand().(GuardCondition).ensuresEq(left, right, k, block, testIsTrue.booleanNot())
+  override predicate ensuresEq(Expr left, Expr right, int k, BasicBlock block, boolean areEqual) {
+    getOperand().(GuardCondition).ensuresEq(left, right, k, block, areEqual.booleanNot())
   }
 }
 

From 62c6bee5f89cf3a2edf9a82bfaf675c78f9b772f Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Sat, 29 May 2021 09:21:20 +0200
Subject: [PATCH 1215/1429] Simplified UnsafeDeserializationRmi.ql

---
 .../Security/CWE/CWE-502/UnsafeDeserializationRmi.ql        | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql
index 91e38cc373e..f870d6f423e 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql
@@ -66,11 +66,7 @@ private class BindingUnsafeRemoteObjectConfig extends TaintTracking::Configurati
     exists(MethodAccess ma, Method m | m = ma.getMethod() |
       m.getDeclaringType().hasQualifiedName("java.rmi.server", "UnicastRemoteObject") and
       m.hasName("exportObject") and
-      not ma.getArgument([2, 4])
-          .getType()
-          .(RefType)
-          .getASupertype*()
-          .hasQualifiedName("java.io", "ObjectInputFilter") and
+      not m.getParameterType([2, 4]).(RefType).hasQualifiedName("java.io", "ObjectInputFilter") and
       ma.getArgument(0) = fromNode.asExpr() and
       ma = toNode.asExpr()
     )

From b28d6391666f53767b85209138759fbf5922e7f5 Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@gmail.com>
Date: Sat, 29 May 2021 09:32:08 +0200
Subject: [PATCH 1216/1429] Fixed errors in UnsafeDeserializationRmi.qhelp

---
 .../Security/CWE/CWE-502/UnsafeDeserializationRmi.qhelp    | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.qhelp b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.qhelp
index 985e3a4c08d..ea06f315cc4 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.qhelp
@@ -15,7 +15,7 @@ In the worst case, it results in remote code execution.
 <p>
 Use only strings and primitive types in parameters of remote objects.
 </p>
-</p>
+<p>
 Set a filter for incoming serialized data by wrapping remote objects using either <code>UnicastRemoteObject.exportObject(Remote, int, ObjectInputFilter)</code>
 or <code>UnicastRemoteObject.exportObject(Remote, int, RMIClientSocketFactory, RMIServerSocketFactory, ObjectInputFilter)</code> methods.
 Those methods accept an <code>ObjectInputFilter</code> that decides which classes are allowed for deserialization.
@@ -26,6 +26,7 @@ It is also possible to set a process-wide deserialization filter.
 The filter can be set by with <code>ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter)</code> method,
 or by setting system or security property <code>jdk.serialFilter</code>.
 Make sure that you use the latest Java versions that include JEP 290.
+Please note that the query is not sensitive to this mitigation.
 </p>
 <p>
 If switching to the latest Java versions is not possible,
@@ -62,11 +63,11 @@ Oracle:
 </li>
 <li>
 ITNEXT:
-<a href="https://itnext.io/java-rmi-for-pentesters-part-two-reconnaissance-attack-against-non-jmx-registries-187a6561314d">Java RMI for pentesters part two — reconnaissance & attack against non-JMX registries</a>.
+<a href="https://itnext.io/java-rmi-for-pentesters-part-two-reconnaissance-attack-against-non-jmx-registries-187a6561314d">Java RMI for pentesters part two - reconnaissance &amp; attack against non-JMX registries</a>.
 </li>
 <li>
 MOGWAI LABS:
-<a href="https://mogwailabs.de/en/blog/2019/03/attacking-java-rmi-services-after-jep-290/">Attacking Java RMI services after JEP 290</a>
+<a href="https://mogwailabs.de/en/blog/2019/03/attacking-java-rmi-services-after-jep-290">Attacking Java RMI services after JEP 290</a>
 </li>
 <li>
 OWASP:

From 41d034d5a0fda510d4a5461dc3558e3136ca8edd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Sun, 30 May 2021 00:22:40 +0200
Subject: [PATCH 1217/1429] Attempt to use information-leak sink category

---
 .../CWE/CWE-209/StackTraceExposure.ql         | 14 +++++++----
 .../code/java/dataflow/ExternalFlow.qll       |  1 +
 .../code/java/security/InformationLeak.qll    | 23 +++++++++++++++++++
 3 files changed, 33 insertions(+), 5 deletions(-)
 create mode 100644 java/ql/src/semmle/code/java/security/InformationLeak.qll

diff --git a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
index 3426d9f6f62..b82edc2efc6 100644
--- a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+++ b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
@@ -16,6 +16,7 @@ import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.XSS
+import semmle.code.java.security.InformationLeak
 
 /**
  * One of the `printStackTrace()` overloads on `Throwable`.
@@ -83,14 +84,17 @@ predicate stackTraceExpr(Expr exception, MethodAccess stackTraceString) {
   )
 }
 
-class StackTraceStringToXssSinkFlowConfig extends TaintTracking::Configuration {
-  StackTraceStringToXssSinkFlowConfig() {
-    this = "StackTraceExposure::StackTraceStringToXssSinkFlowConfig"
+class StackTraceStringToHTTPResponseSinkFlowConfig extends TaintTracking::Configuration {
+  StackTraceStringToHTTPResponseSinkFlowConfig() {
+    this = "StackTraceExposure::StackTraceStringToHTTPResponseSinkFlowConfig"
   }
 
   override predicate isSource(DataFlow::Node src) { stackTraceExpr(_, src.asExpr()) }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
+  override predicate isSink(DataFlow::Node sink) {
+    sink instanceof XssSink or
+    sink instanceof InformationLeakSink
+  }
 }
 
 /**
@@ -106,7 +110,7 @@ predicate printsStackExternally(MethodAccess call, Expr stackTrace) {
  * A stringified stack trace flows to an external sink.
  */
 predicate stringifiedStackFlowsExternally(XssSink externalExpr, Expr stackTrace) {
-  exists(MethodAccess stackTraceString, StackTraceStringToXssSinkFlowConfig conf |
+  exists(MethodAccess stackTraceString, StackTraceStringToHTTPResponseSinkFlowConfig conf |
     stackTraceExpr(stackTrace, stackTraceString) and
     conf.hasFlow(DataFlow::exprNode(stackTraceString), externalExpr)
   )
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 33a146d07fe..92dfb5a733c 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -79,6 +79,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.guava.Guava
   private import semmle.code.java.frameworks.jackson.JacksonSerializability
   private import semmle.code.java.security.ResponseSplitting
+  private import semmle.code.java.security.InformationLeak
   private import semmle.code.java.security.XSS
   private import semmle.code.java.security.LdapInjection
   private import semmle.code.java.security.XPath
diff --git a/java/ql/src/semmle/code/java/security/InformationLeak.qll b/java/ql/src/semmle/code/java/security/InformationLeak.qll
new file mode 100644
index 00000000000..4cb12c3d3d9
--- /dev/null
+++ b/java/ql/src/semmle/code/java/security/InformationLeak.qll
@@ -0,0 +1,23 @@
+/** Provides classes to reason about System Information Leak vulnerabilities. */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.ExternalFlow
+
+/** CSV sink models representing methods not susceptible to XSS but outputing to an HTTP response body. */
+private class DefaultInformationLeakSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.servlet.http;HttpServletResponse;false;sendError;(int,String);;Argument[1];information-leak"
+      ]
+  }
+}
+
+/** A sink that represent a method that outputs data to an HTTP response. */
+abstract class InformationLeakSink extends DataFlow::Node { }
+
+/** A default sink representing methods outputing data to an HTTP response. */
+private class DefaultInformationLeakSink extends InformationLeakSink {
+  DefaultInformationLeakSink() { sinkNode(this, "information-leak") }
+}

From 18931e39c8e7f976d638cde9fd2862107add7529 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Mon, 31 May 2021 09:52:14 +0200
Subject: [PATCH 1218/1429] Improve error reporting in CI check for CSV
 coverage report comparison

---
 .../scripts/library-coverage/compare-files.py | 31 ++++++++++++++-----
 misc/scripts/library-coverage/settings.py     | 10 +++---
 2 files changed, 29 insertions(+), 12 deletions(-)

diff --git a/misc/scripts/library-coverage/compare-files.py b/misc/scripts/library-coverage/compare-files.py
index 5e00d4af2e9..ae1f2dac42b 100644
--- a/misc/scripts/library-coverage/compare-files.py
+++ b/misc/scripts/library-coverage/compare-files.py
@@ -18,7 +18,7 @@ def ignore_line_ending(ch):
     return difflib.IS_CHARACTER_JUNK(ch, ws=" \r\n")
 
 
-def compare_files(file1, file2):
+def compare_files(file1, file2, path_to_report):
     has_differences = False
     diff = difflib.ndiff(open(file1).readlines(),
                          open(file2).readlines(), None, ignore_line_ending)
@@ -28,13 +28,16 @@ def compare_files(file1, file2):
             has_differences = True
 
     if has_differences:
-        print("Error: The generated file doesn't match the one in the codebase. Please check and fix file '" +
-              file1 + "'.", file=sys.stderr)
-        sys.exit(1)
+        print("The generated file doesn't match the one in the codebase. Please check and fix file '" +
+              path_to_report + "'.", file=sys.stderr)
+        return False
+    return True
 
 
 languages = ['java']
 
+all_ok = True
+
 for lang in languages:
     repo_output_rst = settings.repo_output_rst.format(language=lang)
     repo_output_csv = settings.repo_output_csv.format(language=lang)
@@ -47,8 +50,20 @@ for lang in languages:
     check_file_exists(generated_output_rst)
     check_file_exists(generated_output_csv)
 
-    compare_files(repo_output_rst, generated_output_rst)
-    compare_files(repo_output_csv, generated_output_csv)
+    docs_folder = settings.documentation_folder_no_prefix.format(language=lang)
 
-    print("The generated files for '" + lang +
-          "' match the ones in the codebase.")
+    rst_ok = compare_files(repo_output_rst, generated_output_rst,
+                           docs_folder + settings.output_rst_file_name)
+    csv_ok = compare_files(repo_output_csv, generated_output_csv,
+                           docs_folder + settings.output_csv_file_name)
+
+    if not rst_ok or not csv_ok:
+        print("The generated CSV coverage report files for '" + lang + "' don't match the ones in the codebase. Please update the files in '" +
+              docs_folder + "'. The new files can be downloaded from the artifacts of this job.", file=sys.stderr)
+        all_ok = False
+    else:
+        print("The generated files for '" + lang +
+              "' match the ones in the codebase.")
+
+if not all_ok:
+    sys.exit(1)
diff --git a/misc/scripts/library-coverage/settings.py b/misc/scripts/library-coverage/settings.py
index 4e00a24edb8..787f7253bba 100644
--- a/misc/scripts/library-coverage/settings.py
+++ b/misc/scripts/library-coverage/settings.py
@@ -13,8 +13,10 @@ if sys.argv[0].endswith("generate-report.py"):
 if len(sys.argv) > index:
     data_prefix = sys.argv[index] + "/"
 
-documentation_folder = data_prefix + \
-    "{language}/documentation/library-coverage/"
+documentation_folder_no_prefix = "{language}/documentation/library-coverage/"
+documentation_folder = data_prefix + documentation_folder_no_prefix
 
-repo_output_rst = documentation_folder + "flow-model-coverage.rst"
-repo_output_csv = documentation_folder + "flow-model-coverage.csv"
+output_rst_file_name = "flow-model-coverage.rst"
+output_csv_file_name = "flow-model-coverage.csv"
+repo_output_rst = documentation_folder + output_rst_file_name
+repo_output_csv = documentation_folder + output_csv_file_name

From 175fdbb1051759e1336971f8aadbc2d6dc51841b Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Mon, 31 May 2021 09:54:24 +0200
Subject: [PATCH 1219/1429] C++: Replace exists(not ...) with not exists(...).

---
 .../CWE/CWE-570/IncorrectAllocationErrorHandling.ql         | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
index 777da533560..b06df90c860 100644
--- a/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+++ b/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
@@ -178,11 +178,11 @@ class ThrowingAllocator extends Function {
       //
       // So we say an allocator might throw if:
       // 1. It doesn't have a body
-      // 2. there is a parameter that is not `nothrow`
+      // 2. there isn't a parameter with type `nothrow_t`
       // 3. the allocator isn't marked with `throw()` or `noexcept`.
       not exists(this.getBlock()) and
-      exists(Parameter p | p = this.getAParameter() |
-        not p.getUnspecifiedType() instanceof NoThrowType
+      not exists(Parameter p | p = this.getAParameter() |
+        p.getUnspecifiedType() instanceof NoThrowType
       ) and
       not this.isNoExcept() and
       not this.isNoThrow()

From d808a5b13186df03cf03c463fb0b0ca5b2777b16 Mon Sep 17 00:00:00 2001
From: ihsinme <ihsinme@gmail.com>
Date: Mon, 31 May 2021 11:16:38 +0300
Subject: [PATCH 1220/1429] Update
 cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c

Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
---
 .../query-tests/Security/CWE/CWE-415/semmle/tests/test.c        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c
index 15ef179a0cd..1c154c03094 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-415/semmle/tests/test.c
@@ -56,7 +56,7 @@ void workFunction_5(char *s, int intFlag) {
   }
   free(buf); // BAD
 }
-void workFunction_6(char *s, int intFlag;) {
+void workFunction_6(char *s, int intFlag) {
   int intSize = 10;
   char *buf;
   char *tmpbuf;

From b4e4c12d0fc79d55f5925d3ec05e6b46c5f3cdd4 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Mon, 31 May 2021 11:17:09 +0200
Subject: [PATCH 1221/1429] C++: Use a rank aggregate for a much better
 implementation.

---
 cpp/ql/src/semmle/code/cpp/stmts/Stmt.qll | 36 +++++++----------------
 1 file changed, 10 insertions(+), 26 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/stmts/Stmt.qll b/cpp/ql/src/semmle/code/cpp/stmts/Stmt.qll
index e5caf0fd177..ed1fb4fbb50 100644
--- a/cpp/ql/src/semmle/code/cpp/stmts/Stmt.qll
+++ b/cpp/ql/src/semmle/code/cpp/stmts/Stmt.qll
@@ -1136,20 +1136,9 @@ private predicate inForUpdate(Expr forUpdate, Expr child) {
   exists(Expr mid | inForUpdate(forUpdate, mid) and child.getParent() = mid)
 }
 
-/**
- * Holds if `next` is the first `SwitchCase` after `case` that is enclosed by the `BlockStmt` `b`.
- */
-pragma[nomagic]
-private predicate nextSwitchCaseInSameBlock(BlockStmt b, SwitchCase case, SwitchCase next) {
-  // If the next switch case is in the block `b` we're done.
-  case.getNextSwitchCase() = next and
-  next.getEnclosingBlock() = b
-  or
-  // Otherwise, skip past the next switch block when it's not enclosed in the block `b`.
-  exists(SwitchCase mid | mid = case.getNextSwitchCase() |
-    not mid.getEnclosingBlock() = b and
-    nextSwitchCaseInSameBlock(b, mid, next)
-  )
+/** Gets the `rnk`'th `case` statement in `b`. */
+private int indexOfSwitchCaseRank(BlockStmt b, int rnk) {
+  result = rank[rnk](int i | b.getStmt(i) instanceof SwitchCase)
 }
 
 /**
@@ -1347,19 +1336,14 @@ class SwitchCase extends Stmt, @stmt_switch_case {
    * `default:` has results `{ x = 3; }, `x = 4;` and `break;`.
    */
   Stmt getAStmt() {
-    exists(BlockStmt b, int i | this = b.getStmt(i) |
-      // This is the most usual case:
-      // We locate the next `SwitchCase` and pick a statement between this `SwitchCase` and the `SwitchCase`
-      // in the `j`'th position in the block `b`.
-      exists(int j |
-        nextSwitchCaseInSameBlock(b, this,
-          pragma[only_bind_into](b).getStmt(pragma[only_bind_into](j))) and
-        result = b.getStmt(any(int k | i < k and k < j))
-      )
+    exists(BlockStmt b, int rnk, int i |
+      b.getStmt(i) = this and
+      i = indexOfSwitchCaseRank(b, rnk)
+    |
+      pragma[only_bind_into](b).getStmt([i + 1 .. indexOfSwitchCaseRank(b, rnk + 1) - 1]) = result
       or
-      // If there is no next switch case we pick any subsequent statement in the block `b`.
-      not nextSwitchCaseInSameBlock(b, this, _) and
-      result = b.getStmt(any(int k | i < k))
+      not exists(indexOfSwitchCaseRank(b, rnk + 1)) and
+      b.getStmt([i + 1 .. b.getNumStmt() + 1]) = result
     )
   }
 

From 35d7fda5e2fb4325933ea39b728498f0bea8049f Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 31 May 2021 13:08:09 +0200
Subject: [PATCH 1222/1429] update typescript to 4.3 in the extractor

---
 javascript/extractor/lib/typescript/package.json | 2 +-
 javascript/extractor/lib/typescript/yarn.lock    | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/javascript/extractor/lib/typescript/package.json b/javascript/extractor/lib/typescript/package.json
index cb3119c7ab2..953f69edb1e 100644
--- a/javascript/extractor/lib/typescript/package.json
+++ b/javascript/extractor/lib/typescript/package.json
@@ -2,7 +2,7 @@
     "name": "typescript-parser-wrapper",
     "private": true,
     "dependencies": {
-        "typescript": "4.2.2"
+        "typescript": "^4.3.2"
     },
     "scripts": {
         "build": "tsc --project tsconfig.json",
diff --git a/javascript/extractor/lib/typescript/yarn.lock b/javascript/extractor/lib/typescript/yarn.lock
index 84f20b2c51c..7488658d581 100644
--- a/javascript/extractor/lib/typescript/yarn.lock
+++ b/javascript/extractor/lib/typescript/yarn.lock
@@ -6,7 +6,7 @@
   version "12.7.11"
   resolved node-12.7.11.tgz#be879b52031cfb5d295b047f5462d8ef1a716446
 
-typescript@4.2.2:
-  version "4.2.2"
-  resolved "https://registry.yarnpkg.com/typescript/-/typescript-4.2.2.tgz#1450f020618f872db0ea17317d16d8da8ddb8c4c"
-  integrity sha512-tbb+NVrLfnsJy3M59lsDgrzWIflR4d4TIUjz+heUnHZwdF7YsrMTKoRERiIvI2lvBG95dfpLxB21WZhys1bgaQ==
+typescript@4.3.2:
+  version "4.3.2"
+  resolved "https://registry.yarnpkg.com/typescript/-/typescript-4.3.2.tgz#399ab18aac45802d6f2498de5054fcbbe716a805"
+  integrity sha512-zZ4hShnmnoVnAHpVHWpTcxdv7dWP60S2FsydQLV8V5PbS3FifjWFFRiHSWpDJahly88PRyV5teTSLoq4eG7mKw==

From 2cc2d116bc80d6c1b4ceda7fe67311a0170ddbd4 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 31 May 2021 13:08:24 +0200
Subject: [PATCH 1223/1429] bump extractor version

---
 javascript/extractor/src/com/semmle/js/extractor/Main.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/extractor/src/com/semmle/js/extractor/Main.java b/javascript/extractor/src/com/semmle/js/extractor/Main.java
index 7c5a8a25984..5d417940d75 100644
--- a/javascript/extractor/src/com/semmle/js/extractor/Main.java
+++ b/javascript/extractor/src/com/semmle/js/extractor/Main.java
@@ -43,7 +43,7 @@ public class Main {
    * A version identifier that should be updated every time the extractor changes in such a way that
    * it may produce different tuples for the same file under the same {@link ExtractorConfig}.
    */
-  public static final String EXTRACTOR_VERSION = "2021-03-19";
+  public static final String EXTRACTOR_VERSION = "2021-05-31";
 
   public static final Pattern NEWLINE = Pattern.compile("\n");
 

From e6b1c61e816c5e6afc47eb1438f2222d75e9b2c7 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 31 May 2021 13:08:43 +0200
Subject: [PATCH 1224/1429] add tests for TypeScript 4.3

---
 .../TypeScript/IndexTypes/test.expected       |  2 +
 .../TypeScript/IndexTypes/test.ql             |  3 +
 .../TypeScript/IndexTypes/tsconfig.json       |  1 +
 .../TypeScript/IndexTypes/tst.ts              |  8 ++
 .../TypeScript/Types/tests.expected           | 87 +++++++++++++++++++
 .../library-tests/TypeScript/Types/tst.ts     | 63 +++++++++++++-
 6 files changed, 163 insertions(+), 1 deletion(-)
 create mode 100644 javascript/ql/test/library-tests/TypeScript/IndexTypes/test.expected
 create mode 100644 javascript/ql/test/library-tests/TypeScript/IndexTypes/test.ql
 create mode 100644 javascript/ql/test/library-tests/TypeScript/IndexTypes/tsconfig.json
 create mode 100644 javascript/ql/test/library-tests/TypeScript/IndexTypes/tst.ts

diff --git a/javascript/ql/test/library-tests/TypeScript/IndexTypes/test.expected b/javascript/ql/test/library-tests/TypeScript/IndexTypes/test.expected
new file mode 100644
index 00000000000..4779b178e4f
--- /dev/null
+++ b/javascript/ql/test/library-tests/TypeScript/IndexTypes/test.expected
@@ -0,0 +1,2 @@
+| Foo | boolean |
+| typeof Foo in global scope | string |
diff --git a/javascript/ql/test/library-tests/TypeScript/IndexTypes/test.ql b/javascript/ql/test/library-tests/TypeScript/IndexTypes/test.ql
new file mode 100644
index 00000000000..ff6a2a4836f
--- /dev/null
+++ b/javascript/ql/test/library-tests/TypeScript/IndexTypes/test.ql
@@ -0,0 +1,3 @@
+import javascript
+
+query Type stringIndexType(Type t) { result = t.getStringIndexType() }
diff --git a/javascript/ql/test/library-tests/TypeScript/IndexTypes/tsconfig.json b/javascript/ql/test/library-tests/TypeScript/IndexTypes/tsconfig.json
new file mode 100644
index 00000000000..9e26dfeeb6e
--- /dev/null
+++ b/javascript/ql/test/library-tests/TypeScript/IndexTypes/tsconfig.json
@@ -0,0 +1 @@
+{}
\ No newline at end of file
diff --git a/javascript/ql/test/library-tests/TypeScript/IndexTypes/tst.ts b/javascript/ql/test/library-tests/TypeScript/IndexTypes/tst.ts
new file mode 100644
index 00000000000..9035ff2b2ac
--- /dev/null
+++ b/javascript/ql/test/library-tests/TypeScript/IndexTypes/tst.ts
@@ -0,0 +1,8 @@
+  // static index signature
+  class Foo {
+    static hello = "world";
+    static [n: string]: string;
+    [n: string]: boolean;
+  }
+  Foo["whatever"] = "foo";
+  new Foo()["something"] = true;
\ No newline at end of file
diff --git a/javascript/ql/test/library-tests/TypeScript/Types/tests.expected b/javascript/ql/test/library-tests/TypeScript/Types/tests.expected
index 7c8159a9b10..187c0c7e6ce 100644
--- a/javascript/ql/test/library-tests/TypeScript/Types/tests.expected
+++ b/javascript/ql/test/library-tests/TypeScript/Types/tests.expected
@@ -127,6 +127,54 @@ getExprType
 | tst.ts:69:24:69:45 | {yetAno ... : true} | MyUnion2 |
 | tst.ts:69:25:69:38 | yetAnotherType | true |
 | tst.ts:69:41:69:44 | true | true |
+| tst.ts:71:8:71:11 | TS43 | typeof TS43 in library-tests/TypeScript/Types/tst.ts |
+| tst.ts:74:5:74:22 | get size(): number | number |
+| tst.ts:74:9:74:12 | size | number |
+| tst.ts:75:5:75:47 | set siz ... olean); | number |
+| tst.ts:75:9:75:12 | size | number |
+| tst.ts:75:14:75:18 | value | string \| number \| boolean |
+| tst.ts:78:16:78:20 | Thing | Thing |
+| tst.ts:79:13:79:13 | 0 | 0 |
+| tst.ts:81:5:83:5 | get siz ... ;\\n    } | number |
+| tst.ts:81:9:81:12 | size | number |
+| tst.ts:82:14:82:23 | this.#size | number |
+| tst.ts:85:5:87:5 | set siz ... ;\\n    } | number |
+| tst.ts:85:9:85:12 | size | number |
+| tst.ts:85:14:85:18 | value | string \| number \| boolean |
+| tst.ts:86:7:86:16 | this.#size | number |
+| tst.ts:86:7:86:32 | this.#s ... (value) | number |
+| tst.ts:86:20:86:25 | Number | NumberConstructor |
+| tst.ts:86:20:86:32 | Number(value) | number |
+| tst.ts:86:27:86:31 | value | string \| number \| boolean |
+| tst.ts:91:9:91:13 | Super | Super |
+| tst.ts:92:5:92:10 | random | () => number |
+| tst.ts:92:5:94:5 | random( ... ;\\n    } | () => number |
+| tst.ts:93:14:93:14 | 4 | 4 |
+| tst.ts:97:9:97:11 | Sub | Sub |
+| tst.ts:97:21:97:25 | Super | Super |
+| tst.ts:98:5:100:5 | overrid ... ;\\n    } | () => number |
+| tst.ts:98:14:98:19 | random | () => number |
+| tst.ts:99:14:99:25 | super.random | () => number |
+| tst.ts:99:14:99:27 | super.random() | number |
+| tst.ts:99:14:99:32 | super.random() * 10 | number |
+| tst.ts:99:20:99:25 | random | () => number |
+| tst.ts:99:31:99:32 | 10 | 10 |
+| tst.ts:104:16:104:16 | s | string |
+| tst.ts:106:13:106:18 | hello  | any |
+| tst.ts:106:21:106:21 | s | string |
+| tst.ts:110:15:110:16 | s2 | "1-2-3" |
+| tst.ts:112:3:112:9 | s1 = s2 | "1-2-3" |
+| tst.ts:112:8:112:9 | s2 | "1-2-3" |
+| tst.ts:116:9:116:11 | Foo | Foo |
+| tst.ts:117:5:119:5 | #someMe ... ;\\n    } | () => number |
+| tst.ts:118:14:118:15 | 42 | 42 |
+| tst.ts:121:5:123:5 | get #so ... ;\\n    } | number |
+| tst.ts:122:14:122:16 | 100 | 100 |
+| tst.ts:125:5:125:16 | publicMethod | () => number |
+| tst.ts:125:5:128:5 | publicM ... ;\\n    } | () => number |
+| tst.ts:126:7:126:22 | this.#someMethod | () => number |
+| tst.ts:126:7:126:24 | this.#someMethod() | number |
+| tst.ts:127:14:127:28 | this.#someValue | number |
 | type_alias.ts:3:5:3:5 | b | boolean |
 | type_alias.ts:7:5:7:5 | c | ValueOrArray<number> |
 | type_alias.ts:14:9:14:32 | [proper ... ]: Json | any |
@@ -180,6 +228,11 @@ getTypeDefinitionType
 | tst.ts:58:1:60:1 | interfa ... mber;\\n} | HasArea |
 | tst.ts:65:1:65:54 | type My ...  true}; | MyUnion |
 | tst.ts:68:1:68:49 | type My ...  true}; | MyUnion2 |
+| tst.ts:73:3:76:3 | interfa ... n);\\n  } | ThingI |
+| tst.ts:78:10:88:3 | class T ...   }\\n  } | Thing |
+| tst.ts:91:3:95:3 | class S ...   }\\n  } | Super |
+| tst.ts:97:3:101:3 | class S ...   }\\n  } | Sub |
+| tst.ts:116:3:129:3 | class F ...   }\\n  } | Foo |
 | type_alias.ts:1:1:1:17 | type B = boolean; | boolean |
 | type_alias.ts:5:1:5:50 | type Va ... ay<T>>; | ValueOrArray<T> |
 | type_alias.ts:9:1:15:13 | type Js ... Json[]; | Json |
@@ -288,6 +341,34 @@ getTypeExprType
 | tst.ts:68:27:68:48 | {yetAno ... : true} | { yetAnotherType: true; } |
 | tst.ts:68:44:68:47 | true | true |
 | tst.ts:69:13:69:20 | MyUnion2 | MyUnion2 |
+| tst.ts:73:13:73:18 | ThingI | ThingI |
+| tst.ts:74:17:74:22 | number | number |
+| tst.ts:75:21:75:26 | number | number |
+| tst.ts:75:21:75:45 | number  ... boolean | string \| number \| boolean |
+| tst.ts:75:30:75:35 | string | string |
+| tst.ts:75:39:75:45 | boolean | boolean |
+| tst.ts:78:33:78:38 | ThingI | ThingI |
+| tst.ts:81:17:81:22 | number | number |
+| tst.ts:85:21:85:26 | string | string |
+| tst.ts:85:21:85:45 | string  ... boolean | string \| number \| boolean |
+| tst.ts:85:30:85:35 | number | number |
+| tst.ts:85:39:85:45 | boolean | boolean |
+| tst.ts:92:15:92:20 | number | number |
+| tst.ts:98:24:98:29 | number | number |
+| tst.ts:104:19:104:24 | string | string |
+| tst.ts:104:29:104:34 | hello  | any |
+| tst.ts:104:37:104:42 | string | string |
+| tst.ts:109:22:109:27 | number | number |
+| tst.ts:109:29:109:29 | - | any |
+| tst.ts:109:32:109:37 | number | number |
+| tst.ts:109:39:109:39 | - | any |
+| tst.ts:109:42:109:47 | number | number |
+| tst.ts:110:19:110:25 | `1-2-3` | "1-2-3" |
+| tst.ts:110:19:110:25 | `1-2-3` | any |
+| tst.ts:111:22:111:27 | number | number |
+| tst.ts:111:29:111:32 | -2-3 | any |
+| tst.ts:117:20:117:25 | number | number |
+| tst.ts:121:23:121:28 | number | number |
 | type_alias.ts:1:6:1:6 | B | boolean |
 | type_alias.ts:1:10:1:16 | boolean | boolean |
 | type_alias.ts:3:8:3:8 | B | boolean |
@@ -360,6 +441,7 @@ referenceDefinition
 | Color.red | type_definitions.ts:14:3:14:5 | red |
 | E | type_definition_objects.ts:6:8:6:16 | enum E {} |
 | EnumWithOneMember | type_definitions.ts:18:26:18:31 | member |
+| Foo | tst.ts:116:3:129:3 | class F ...   }\\n  } |
 | HasArea | tst.ts:58:1:60:1 | interfa ... mber;\\n} |
 | I<S> | type_definitions.ts:3:1:5:1 | interfa ... x: S;\\n} |
 | I<number> | type_definitions.ts:3:1:5:1 | interfa ... x: S;\\n} |
@@ -367,6 +449,11 @@ referenceDefinition
 | MyUnion | tst.ts:65:1:65:54 | type My ...  true}; |
 | MyUnion2 | tst.ts:68:1:68:49 | type My ...  true}; |
 | NonAbstractDummy | tst.ts:54:1:56:1 | interfa ... mber;\\n} |
+| Sub | tst.ts:97:3:101:3 | class S ...   }\\n  } |
+| Super | tst.ts:91:3:95:3 | class S ...   }\\n  } |
+| Super | tst.ts:91:3:95:3 | class S ...   }\\n  } |
+| Thing | tst.ts:78:10:88:3 | class T ...   }\\n  } |
+| ThingI | tst.ts:73:3:76:3 | interfa ... n);\\n  } |
 | ValueOrArray<T> | type_alias.ts:5:1:5:50 | type Va ... ay<T>>; |
 | ValueOrArray<number> | type_alias.ts:5:1:5:50 | type Va ... ay<T>>; |
 | VirtualNode | type_alias.ts:19:1:21:57 | type Vi ... ode[]]; |
diff --git a/javascript/ql/test/library-tests/TypeScript/Types/tst.ts b/javascript/ql/test/library-tests/TypeScript/Types/tst.ts
index 68c4ca6ebdd..389770984fd 100644
--- a/javascript/ql/test/library-tests/TypeScript/Types/tst.ts
+++ b/javascript/ql/test/library-tests/TypeScript/Types/tst.ts
@@ -66,4 +66,65 @@ type MyUnion = {myUnion: true} | {stillMyUnion: true};
 let union1: MyUnion = {myUnion: true};
 
 type MyUnion2 = MyUnion | {yetAnotherType: true};
-let union2: MyUnion2 = {yetAnotherType: true};
\ No newline at end of file
+let union2: MyUnion2 = {yetAnotherType: true};
+
+module TS43 {
+  // TypeScript 4.3 setter/getter types
+  interface ThingI {
+    get size(): number
+    set size(value: number | string | boolean);
+  }
+
+  export class Thing implements ThingI {
+    #size = 0;
+
+    get size(): number {
+      return this.#size;
+    }
+
+    set size(value: string | number | boolean) {
+      this.#size = Number(value);
+    }
+  }
+
+  // overrides
+  class Super {
+    random(): number {
+      return 4;
+    }
+  }
+
+  class Sub extends Super {
+    override random(): number {
+      return super.random() * 10;
+    }
+  }
+
+  // inference of template strings.
+  function bar(s: string): `hello ${string}` {
+    // Previously an error, now works!
+    return `hello ${s}`;
+  }
+
+  declare let s1: `${number}-${number}-${number}`;
+  declare let s2: `1-2-3`;
+  declare let s3: `${number}-2-3`;
+  s1 = s2;
+  s1 = s3;
+
+  // private methods
+  class Foo {
+    #someMethod(): number {
+      return 42;
+    }
+
+    get #someValue(): number {
+      return 100;
+    }
+
+    publicMethod() {
+      this.#someMethod();
+      return this.#someValue;
+    }
+  } 
+}
\ No newline at end of file

From 85bd8f1020768178915853df4b2f76622cd2d845 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 31 May 2021 13:08:52 +0200
Subject: [PATCH 1225/1429] add change-note for TypeScript 4.3

---
 javascript/change-notes/2021-05-31-typescript-4.3.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 javascript/change-notes/2021-05-31-typescript-4.3.md

diff --git a/javascript/change-notes/2021-05-31-typescript-4.3.md b/javascript/change-notes/2021-05-31-typescript-4.3.md
new file mode 100644
index 00000000000..21960a98dce
--- /dev/null
+++ b/javascript/change-notes/2021-05-31-typescript-4.3.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* TypeScript 4.3 is now supported.

From 683f853fa515afe3e4eb5ff29015b21052f86169 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Mon, 31 May 2021 15:14:13 +0200
Subject: [PATCH 1226/1429] Dataflow: Fix another bad join order.

---
 .../cpp/dataflow/internal/DataFlowImpl.qll    | 21 +++++++++++--------
 .../cpp/dataflow/internal/DataFlowImpl2.qll   | 21 +++++++++++--------
 .../cpp/dataflow/internal/DataFlowImpl3.qll   | 21 +++++++++++--------
 .../cpp/dataflow/internal/DataFlowImpl4.qll   | 21 +++++++++++--------
 .../dataflow/internal/DataFlowImplLocal.qll   | 21 +++++++++++--------
 .../cpp/ir/dataflow/internal/DataFlowImpl.qll | 21 +++++++++++--------
 .../ir/dataflow/internal/DataFlowImpl2.qll    | 21 +++++++++++--------
 .../ir/dataflow/internal/DataFlowImpl3.qll    | 21 +++++++++++--------
 .../ir/dataflow/internal/DataFlowImpl4.qll    | 21 +++++++++++--------
 .../csharp/dataflow/internal/DataFlowImpl.qll | 21 +++++++++++--------
 .../dataflow/internal/DataFlowImpl2.qll       | 21 +++++++++++--------
 .../dataflow/internal/DataFlowImpl3.qll       | 21 +++++++++++--------
 .../dataflow/internal/DataFlowImpl4.qll       | 21 +++++++++++--------
 .../dataflow/internal/DataFlowImpl5.qll       | 21 +++++++++++--------
 .../java/dataflow/internal/DataFlowImpl.qll   | 21 +++++++++++--------
 .../java/dataflow/internal/DataFlowImpl2.qll  | 21 +++++++++++--------
 .../java/dataflow/internal/DataFlowImpl3.qll  | 21 +++++++++++--------
 .../java/dataflow/internal/DataFlowImpl4.qll  | 21 +++++++++++--------
 .../java/dataflow/internal/DataFlowImpl5.qll  | 21 +++++++++++--------
 .../java/dataflow/internal/DataFlowImpl6.qll  | 21 +++++++++++--------
 .../dataflow/new/internal/DataFlowImpl.qll    | 21 +++++++++++--------
 .../dataflow/new/internal/DataFlowImpl2.qll   | 21 +++++++++++--------
 .../dataflow/new/internal/DataFlowImpl3.qll   | 21 +++++++++++--------
 .../dataflow/new/internal/DataFlowImpl4.qll   | 21 +++++++++++--------
 24 files changed, 288 insertions(+), 216 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
index dc9583c6653..d992b601c22 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
index dc9583c6653..d992b601c22 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
index dc9583c6653..d992b601c22 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
index dc9583c6653..d992b601c22 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
index dc9583c6653..d992b601c22 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
index dc9583c6653..d992b601c22 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
index dc9583c6653..d992b601c22 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
index dc9583c6653..d992b601c22 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
index dc9583c6653..d992b601c22 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index dc9583c6653..d992b601c22 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
index dc9583c6653..d992b601c22 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
index dc9583c6653..d992b601c22 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
index dc9583c6653..d992b601c22 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
index dc9583c6653..d992b601c22 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
index dc9583c6653..d992b601c22 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
index dc9583c6653..d992b601c22 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
index dc9583c6653..d992b601c22 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
index dc9583c6653..d992b601c22 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
index dc9583c6653..d992b601c22 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
index dc9583c6653..d992b601c22 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
index dc9583c6653..d992b601c22 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
index dc9583c6653..d992b601c22 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
index dc9583c6653..d992b601c22 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
index dc9583c6653..d992b601c22 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
@@ -841,9 +841,10 @@ private module Stage2 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -1515,9 +1516,10 @@ private module Stage3 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**
@@ -2270,9 +2272,10 @@ private module Stage4 {
     DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
     Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, config) and
-    PrevStage::callMayFlowThroughRev(call, config) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _, config)
+    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+      pragma[only_bind_into](config))
   }
 
   /**

From 10755ece88de52805de7e026329af316a4ec7fdd Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Mon, 31 May 2021 15:33:39 +0200
Subject: [PATCH 1227/1429] C++: Add testcase with bounded randomness source.

---
 .../ArithmeticUncontrolled.expected           | 20 +++++++++++++++++++
 .../CWE/CWE-190/semmle/uncontrolled/test.cpp  | 11 ++++++++++
 2 files changed, 31 insertions(+)

diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
index 097efb73b9f..5e56c4afe31 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
@@ -36,6 +36,14 @@ edges
 | test.cpp:36:13:36:13 | Chi | test.cpp:37:7:37:7 | r |
 | test.cpp:36:13:36:13 | Chi | test.cpp:37:7:37:7 | r |
 | test.cpp:36:13:36:13 | get_rand3 output argument [array content] | test.cpp:36:13:36:13 | Chi |
+| test.cpp:45:11:45:14 | call to rand | test.cpp:46:3:46:3 | r |
+| test.cpp:45:11:45:14 | call to rand | test.cpp:46:3:46:3 | r |
+| test.cpp:45:11:45:14 | call to rand | test.cpp:46:3:46:3 | r |
+| test.cpp:45:11:45:14 | call to rand | test.cpp:46:3:46:3 | r |
+| test.cpp:48:24:48:27 | call to rand | test.cpp:49:2:49:11 | unsigned_r |
+| test.cpp:48:24:48:27 | call to rand | test.cpp:49:2:49:11 | unsigned_r |
+| test.cpp:48:24:48:27 | call to rand | test.cpp:49:2:49:11 | unsigned_r |
+| test.cpp:48:24:48:27 | call to rand | test.cpp:49:2:49:11 | unsigned_r |
 nodes
 | test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
 | test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
@@ -87,6 +95,16 @@ nodes
 | test.cpp:37:7:37:7 | r | semmle.label | r |
 | test.cpp:37:7:37:7 | r | semmle.label | r |
 | test.cpp:37:7:37:7 | r | semmle.label | r |
+| test.cpp:45:11:45:14 | call to rand | semmle.label | call to rand |
+| test.cpp:45:11:45:14 | call to rand | semmle.label | call to rand |
+| test.cpp:46:3:46:3 | r | semmle.label | r |
+| test.cpp:46:3:46:3 | r | semmle.label | r |
+| test.cpp:46:3:46:3 | r | semmle.label | r |
+| test.cpp:48:24:48:27 | call to rand | semmle.label | call to rand |
+| test.cpp:48:24:48:27 | call to rand | semmle.label | call to rand |
+| test.cpp:49:2:49:11 | unsigned_r | semmle.label | unsigned_r |
+| test.cpp:49:2:49:11 | unsigned_r | semmle.label | unsigned_r |
+| test.cpp:49:2:49:11 | unsigned_r | semmle.label | unsigned_r |
 #select
 | test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
 | test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
@@ -96,3 +114,5 @@ nodes
 | test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
 | test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | Uncontrolled value |
 | test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | Uncontrolled value |
+| test.cpp:46:3:46:3 | r | test.cpp:45:11:45:14 | call to rand | test.cpp:46:3:46:3 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:45:11:45:14 | call to rand | Uncontrolled value |
+| test.cpp:49:2:49:11 | unsigned_r | test.cpp:48:24:48:27 | call to rand | test.cpp:49:2:49:11 | unsigned_r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:48:24:48:27 | call to rand | Uncontrolled value |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp
index d3dc3352a29..0f9e509e684 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp
@@ -37,3 +37,14 @@ void randomTester2()
 		r = r + 100; // BAD
 	}
 }
+
+int rand(int min, int max);
+unsigned rand(int max);
+
+void test_with_bounded_randomness() {
+  int r = rand(0, 10);
+  r++; // GOOD [FALSE POSITIVE]
+
+	unsigned unsigned_r = rand(10);
+	unsigned_r++; // GOOD [FALSE POSITIVE]
+}
\ No newline at end of file

From 41c93d92d7d1b5b3ff6662511ac075dd99c19dc7 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Mon, 31 May 2021 15:40:02 +0200
Subject: [PATCH 1228/1429] C++: Remove FPs from right shifts and explicitly
 bounded random functions.

---
 .../CWE/CWE-190/ArithmeticUncontrolled.ql     | 14 ++++++++++++-
 .../ArithmeticUncontrolled.expected           | 20 -------------------
 .../CWE/CWE-190/semmle/uncontrolled/test.cpp  |  4 ++--
 3 files changed, 15 insertions(+), 23 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
index 6aad6cca7ce..632f7274464 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -18,8 +18,16 @@ import semmle.code.cpp.security.TaintTracking
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import TaintedWithPath
 
+string getAMinPattern() { result = ["%min%", "l%"] }
+
+string getAMaxPattern() { result = ["%max%", "%bound%", "h%"] }
+
 predicate isUnboundedRandCall(FunctionCall fc) {
-  fc.getTarget().getName() = "rand" and not bounded(fc)
+  exists(Function func | func = fc.getTarget() |
+    func.getName() = "rand" and
+    not bounded(fc) and
+    not func.getAParameter().getName().toLowerCase().matches([getAMinPattern(), getAMaxPattern()])
+  )
 }
 
 /**
@@ -84,6 +92,10 @@ predicate bounded(Expr e) {
   boundedDiv(e, any(DivExpr div).getLeftOperand())
   or
   boundedDiv(e, any(AssignDivExpr div).getLValue())
+  or
+  boundedDiv(e, any(RShiftExpr shift).getLeftOperand())
+  or
+  boundedDiv(e, any(AssignRShiftExpr div).getLValue())
 }
 
 predicate isUnboundedRandCallOrParent(Expr e) {
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
index 5e56c4afe31..097efb73b9f 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
@@ -36,14 +36,6 @@ edges
 | test.cpp:36:13:36:13 | Chi | test.cpp:37:7:37:7 | r |
 | test.cpp:36:13:36:13 | Chi | test.cpp:37:7:37:7 | r |
 | test.cpp:36:13:36:13 | get_rand3 output argument [array content] | test.cpp:36:13:36:13 | Chi |
-| test.cpp:45:11:45:14 | call to rand | test.cpp:46:3:46:3 | r |
-| test.cpp:45:11:45:14 | call to rand | test.cpp:46:3:46:3 | r |
-| test.cpp:45:11:45:14 | call to rand | test.cpp:46:3:46:3 | r |
-| test.cpp:45:11:45:14 | call to rand | test.cpp:46:3:46:3 | r |
-| test.cpp:48:24:48:27 | call to rand | test.cpp:49:2:49:11 | unsigned_r |
-| test.cpp:48:24:48:27 | call to rand | test.cpp:49:2:49:11 | unsigned_r |
-| test.cpp:48:24:48:27 | call to rand | test.cpp:49:2:49:11 | unsigned_r |
-| test.cpp:48:24:48:27 | call to rand | test.cpp:49:2:49:11 | unsigned_r |
 nodes
 | test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
 | test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
@@ -95,16 +87,6 @@ nodes
 | test.cpp:37:7:37:7 | r | semmle.label | r |
 | test.cpp:37:7:37:7 | r | semmle.label | r |
 | test.cpp:37:7:37:7 | r | semmle.label | r |
-| test.cpp:45:11:45:14 | call to rand | semmle.label | call to rand |
-| test.cpp:45:11:45:14 | call to rand | semmle.label | call to rand |
-| test.cpp:46:3:46:3 | r | semmle.label | r |
-| test.cpp:46:3:46:3 | r | semmle.label | r |
-| test.cpp:46:3:46:3 | r | semmle.label | r |
-| test.cpp:48:24:48:27 | call to rand | semmle.label | call to rand |
-| test.cpp:48:24:48:27 | call to rand | semmle.label | call to rand |
-| test.cpp:49:2:49:11 | unsigned_r | semmle.label | unsigned_r |
-| test.cpp:49:2:49:11 | unsigned_r | semmle.label | unsigned_r |
-| test.cpp:49:2:49:11 | unsigned_r | semmle.label | unsigned_r |
 #select
 | test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
 | test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
@@ -114,5 +96,3 @@ nodes
 | test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
 | test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | Uncontrolled value |
 | test.cpp:37:7:37:7 | r | test.cpp:18:9:18:12 | call to rand | test.cpp:37:7:37:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:18:9:18:12 | call to rand | Uncontrolled value |
-| test.cpp:46:3:46:3 | r | test.cpp:45:11:45:14 | call to rand | test.cpp:46:3:46:3 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:45:11:45:14 | call to rand | Uncontrolled value |
-| test.cpp:49:2:49:11 | unsigned_r | test.cpp:48:24:48:27 | call to rand | test.cpp:49:2:49:11 | unsigned_r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:48:24:48:27 | call to rand | Uncontrolled value |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp
index 0f9e509e684..78a285fffaf 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.cpp
@@ -43,8 +43,8 @@ unsigned rand(int max);
 
 void test_with_bounded_randomness() {
   int r = rand(0, 10);
-  r++; // GOOD [FALSE POSITIVE]
+  r++; // GOOD
 
 	unsigned unsigned_r = rand(10);
-	unsigned_r++; // GOOD [FALSE POSITIVE]
+	unsigned_r++; // GOOD
 }
\ No newline at end of file

From 70b9739d2d54a79b4eb8afae2ac13a3134b0f942 Mon Sep 17 00:00:00 2001
From: Henning Makholm <hmakholm@github.com>
Date: Thu, 20 May 2021 18:54:04 +0200
Subject: [PATCH 1229/1429] QL language reference: add monotonic aggregate
 example

It's easier to understand what's going on if we start with a
(contrived) example that _doesn't_ involve recursion.
---
 .../ql-language-reference/expressions.rst     | 95 +++++++++++++++++++
 1 file changed, 95 insertions(+)

diff --git a/docs/codeql/ql-language-reference/expressions.rst b/docs/codeql/ql-language-reference/expressions.rst
index a9facb0dec1..f8869e427a0 100644
--- a/docs/codeql/ql-language-reference/expressions.rst
+++ b/docs/codeql/ql-language-reference/expressions.rst
@@ -488,6 +488,101 @@ value for each value generated by the ``<formula>``:
   value generated by the ``<formula>``. Here, the aggregation function is applied to each of the 
   resulting combinations.
 
+Example of monotonic aggregates
+-------------------------------
+
+Consider this query:
+
+.. code-block:: ql
+
+   string getPerson() { result = "Alice" or
+                        result = "Bob" or
+                        result = "Charles" or
+                        result = "Diane"
+                      }
+   string getFruit(string p) { p = "Alice"   and result = "Orange" or
+                               p = "Alice"   and result = "Apple" or
+                               p = "Bob"     and result = "Apple" or
+                               p = "Charles" and result = "Apple" or
+                               p = "Charles" and result = "Banana"
+                             }
+   int getPrice(string f) { f = "Apple"  and result = 100 or
+                            f = "Orange" and result = 100 or
+                            f = "Orange" and result =   1
+                          }
+
+   predicate nonmono(string p, int cost) {
+     p = getPerson() and cost = sum(string f | f = getFruit(p) | getPrice(f))
+   }
+
+   language[monotonicAggregates]
+   predicate mono(string p, int cost) {
+     p = getPerson() and cost = sum(string f | f = getFruit(p) | getPrice(f))
+   }
+
+   from string variant, string person, int cost
+   where variant = "default"  and nonmono(person, cost) or
+         variant = "monotonic" and mono(person, cost)
+   select variant, person, cost
+   order by variant, person
+
+The query produces these results:
+
++-----------+---------+------+
+|  variant  | person  | cost |
++-----------+---------+------+
+| default   | Alice   | 201  |
+| default   | Bob     | 100  |
+| default   | Charles | 100  |
+| default   | Diane   | 0    |
+| monotonic | Alice   | 101  |
+| monotonic | Alice   | 200  |
+| monotonic | Bob     | 100  |
+| monotonic | Diane   | 0    |
++-----------+---------+------+
+
+The two variants of the aggregate semantics differ in what happens
+when ``getPrice(f)`` has either multiple results or no results
+for a given ``f``.
+
+In this query, oranges are available at two different prices, and the
+default ``sum`` aggregate returns a single line where Alice buys an
+orange at a price of 100, another orange at a price of 1, and an apple
+at a price of 100, totalling 201. On the other hand, in the the
+*monotonic* semantics for ``sum``, Alice always buys one orange and
+one apple, and a line of output is produced for each *way* she can
+complete her shopping list.
+
+If there had been two different prices for apples too, the monotonic
+``sum`` would have produced *four* output lines for Alice.
+
+Charles wants to buy a banana, which is not for sale at all. In the
+default case, the sum produced for Charles includes the cost of the
+apple he *can* buy, but there's no line for Charles in the monontonic
+``sum`` output, because there *is no way* for Charles to buy one apple
+plus one banana.
+
+(Diane buys no fruit at all, and in both variants her total cost
+is 0. The ``strictsum`` aggregate would have excluded her from the
+results in both cases).
+
+In actual QL practice, it is quite rare to use monotonic aggregates
+with the *goal* of having multiple output lines, as in the "Alice"
+case of this example. The more significant point is the "Charles"
+case: As long as there's no price for bananas, no output is produced
+for him. This means that if we later do learn of a banana price, we
+don't need to *remove* any output tuple already produced. The
+importance of this is that the monotonic aggregate behavior works well
+with a fixpoint-based semantics for recursion, so it will be meaningul
+to let the ``getPrice`` predicate be mutually recursive with the count
+aggregate itself. (On the other hand, ``getFruit`` still cannot be
+allowed to be recursive, because adding another fruit to someone's
+shopping list would invalidate the total costs we already knew for
+them).
+
+This opportunity to use recursion is the main practical reason for
+requesting monotonic semantics of aggregates.
+
 Recursive monotonic aggregates
 ------------------------------
 

From 615c805b2ce0395b9761e4ca03e472f59c999abe Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 1 Jun 2021 09:28:06 +0200
Subject: [PATCH 1230/1429] C++: Only use std::rand as a source of randomness.

---
 .../src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
index 632f7274464..3c8dd9930fe 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -18,16 +18,8 @@ import semmle.code.cpp.security.TaintTracking
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import TaintedWithPath
 
-string getAMinPattern() { result = ["%min%", "l%"] }
-
-string getAMaxPattern() { result = ["%max%", "%bound%", "h%"] }
-
 predicate isUnboundedRandCall(FunctionCall fc) {
-  exists(Function func | func = fc.getTarget() |
-    func.getName() = "rand" and
-    not bounded(fc) and
-    not func.getAParameter().getName().toLowerCase().matches([getAMinPattern(), getAMaxPattern()])
-  )
+  fc.getTarget().hasGlobalOrStdOrBslName("rand") and not bounded(fc)
 }
 
 /**

From 975355de4a0d2e7a771403e2b11110ba0474c908 Mon Sep 17 00:00:00 2001
From: Ishaq Mohammed <shaikhishaq201@gmail.com>
Date: Tue, 1 Jun 2021 13:41:25 +0530
Subject: [PATCH 1231/1429] Adding reference link for csurf

---
 javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.qhelp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.qhelp b/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.qhelp
index 11e48e98c74..6a75696bac8 100644
--- a/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.qhelp
+++ b/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.qhelp
@@ -58,5 +58,6 @@
 
 <references>
 	<li>OWASP: <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)">Cross-Site Request Forgery (CSRF)</a></li>
+	<li>< ahref ="https://www.npmjs.com/package/csurf"</a></li>
 </references>
 </qhelp>

From 96150a455d9e704f8ebdbbe22d015753a9651b71 Mon Sep 17 00:00:00 2001
From: Ishaq Mohammed <shaikhishaq201@gmail.com>
Date: Tue, 1 Jun 2021 13:47:43 +0530
Subject: [PATCH 1232/1429] Update
 javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.qhelp

Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
---
 javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.qhelp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.qhelp b/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.qhelp
index 6a75696bac8..a019d65c02b 100644
--- a/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.qhelp
+++ b/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.qhelp
@@ -58,6 +58,6 @@
 
 <references>
 	<li>OWASP: <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)">Cross-Site Request Forgery (CSRF)</a></li>
-	<li>< ahref ="https://www.npmjs.com/package/csurf"</a></li>
+	<li>NPM: <a href="https://www.npmjs.com/package/csurf">csurf</a></li>
 </references>
 </qhelp>

From 8765c33847b5b22db8ef0508323bb27a11fb3d0c Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Tue, 1 Jun 2021 10:17:57 +0200
Subject: [PATCH 1233/1429] C++: Also check the number of parameters to keep
 the tests happy.

---
 cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
index 3c8dd9930fe..0899c7dff1a 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -19,7 +19,11 @@ import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import TaintedWithPath
 
 predicate isUnboundedRandCall(FunctionCall fc) {
-  fc.getTarget().hasGlobalOrStdOrBslName("rand") and not bounded(fc)
+  exists(Function func | func = fc.getTarget() |
+    func.hasGlobalOrStdOrBslName("rand") and
+    not bounded(fc) and
+    func.getNumberOfParameters() = 0
+  )
 }
 
 /**

From 4f9a6c151bb6c045d262b4e0da893ddfe562b563 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Tue, 1 Jun 2021 10:29:17 +0200
Subject: [PATCH 1234/1429] Dataflow: Code review fixes.

---
 .../cpp/dataflow/internal/DataFlowImpl.qll    | 87 +++++++++----------
 .../cpp/dataflow/internal/DataFlowImpl2.qll   | 87 +++++++++----------
 .../cpp/dataflow/internal/DataFlowImpl3.qll   | 87 +++++++++----------
 .../cpp/dataflow/internal/DataFlowImpl4.qll   | 87 +++++++++----------
 .../dataflow/internal/DataFlowImplLocal.qll   | 87 +++++++++----------
 .../cpp/ir/dataflow/internal/DataFlowImpl.qll | 87 +++++++++----------
 .../ir/dataflow/internal/DataFlowImpl2.qll    | 87 +++++++++----------
 .../ir/dataflow/internal/DataFlowImpl3.qll    | 87 +++++++++----------
 .../ir/dataflow/internal/DataFlowImpl4.qll    | 87 +++++++++----------
 .../csharp/dataflow/internal/DataFlowImpl.qll | 87 +++++++++----------
 .../dataflow/internal/DataFlowImpl2.qll       | 87 +++++++++----------
 .../dataflow/internal/DataFlowImpl3.qll       | 87 +++++++++----------
 .../dataflow/internal/DataFlowImpl4.qll       | 87 +++++++++----------
 .../dataflow/internal/DataFlowImpl5.qll       | 87 +++++++++----------
 .../java/dataflow/internal/DataFlowImpl.qll   | 87 +++++++++----------
 .../java/dataflow/internal/DataFlowImpl2.qll  | 87 +++++++++----------
 .../java/dataflow/internal/DataFlowImpl3.qll  | 87 +++++++++----------
 .../java/dataflow/internal/DataFlowImpl4.qll  | 87 +++++++++----------
 .../java/dataflow/internal/DataFlowImpl5.qll  | 87 +++++++++----------
 .../java/dataflow/internal/DataFlowImpl6.qll  | 87 +++++++++----------
 .../dataflow/new/internal/DataFlowImpl.qll    | 87 +++++++++----------
 .../dataflow/new/internal/DataFlowImpl2.qll   | 87 +++++++++----------
 .../dataflow/new/internal/DataFlowImpl3.qll   | 87 +++++++++----------
 .../dataflow/new/internal/DataFlowImpl4.qll   | 87 +++++++++----------
 24 files changed, 1008 insertions(+), 1080 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
index d992b601c22..2638d093be4 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
index d992b601c22..2638d093be4 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
index d992b601c22..2638d093be4 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
index d992b601c22..2638d093be4 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
index d992b601c22..2638d093be4 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
index d992b601c22..2638d093be4 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
index d992b601c22..2638d093be4 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
index d992b601c22..2638d093be4 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
index d992b601c22..2638d093be4 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index d992b601c22..2638d093be4 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
index d992b601c22..2638d093be4 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
index d992b601c22..2638d093be4 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
index d992b601c22..2638d093be4 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
index d992b601c22..2638d093be4 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
index d992b601c22..2638d093be4 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
index d992b601c22..2638d093be4 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
index d992b601c22..2638d093be4 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
index d992b601c22..2638d093be4 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
index d992b601c22..2638d093be4 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
index d992b601c22..2638d093be4 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
index d992b601c22..2638d093be4 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
index d992b601c22..2638d093be4 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
index d992b601c22..2638d093be4 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
index d992b601c22..2638d093be4 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
@@ -607,9 +607,9 @@ private module Stage1 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Node node, boolean toReturn |
-      revFlow(node, toReturn, config) and
-      revFlowInToReturn(call, node, config) and
+    exists(ArgNode arg, boolean toReturn |
+      revFlow(arg, toReturn, config) and
+      revFlowInToReturn(call, arg, config) and
       revFlowIsReturned(call, toReturn, config)
     )
   }
@@ -838,12 +838,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1029,10 +1028,10 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1040,11 +1039,11 @@ private module Stage2 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1256,9 +1255,9 @@ private module Stage2 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -1513,12 +1512,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -1711,10 +1709,10 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -1722,11 +1720,11 @@ private module Stage3 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -1938,9 +1936,9 @@ private module Stage3 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }
@@ -2269,12 +2267,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
-    DataFlowCall call, ReturnNodeExt node1, Node node2, boolean allowsFieldFlow,
-    Configuration config
+    DataFlowCall call, ReturnNodeExt ret, Node out, boolean allowsFieldFlow, Configuration config
   ) {
-    flowOutOfCall(call, node1, node2, allowsFieldFlow, pragma[only_bind_into](config)) and
+    flowOutOfCall(call, ret, out, allowsFieldFlow, pragma[only_bind_into](config)) and
     PrevStage::callMayFlowThroughRev(call, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(node1), _,
+    PrevStage::parameterMayFlowThrough(_, getNodeEnclosingCallable(ret), _,
       pragma[only_bind_into](config))
   }
 
@@ -2467,10 +2464,10 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate callMayFlowThroughFwd(DataFlowCall call, Configuration config) {
-    exists(Ap argAp0, Node node, Cc cc, ApOption argAp, Ap ap |
-      fwdFlow(node, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
+    exists(Ap argAp0, Node out, Cc cc, ApOption argAp, Ap ap |
+      fwdFlow(out, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), ap,
         pragma[only_bind_into](config)) and
-      fwdFlowOutFromArg(call, node, argAp0, ap, config) and
+      fwdFlowOutFromArg(call, out, argAp0, ap, config) and
       fwdFlowIsEntered(call, pragma[only_bind_into](cc), pragma[only_bind_into](argAp), argAp0,
         pragma[only_bind_into](config))
     )
@@ -2478,11 +2475,11 @@ private module Stage4 {
 
   pragma[nomagic]
   private predicate flowThroughIntoCall(
-    DataFlowCall call, ArgNode node1, ParamNode node2, boolean allowsFieldFlow, Configuration config
+    DataFlowCall call, ArgNode arg, ParamNode p, boolean allowsFieldFlow, Configuration config
   ) {
-    flowIntoCall(call, node1, node2, allowsFieldFlow, config) and
-    fwdFlow(node1, _, _, _, pragma[only_bind_into](config)) and
-    PrevStage::parameterMayFlowThrough(node2, _, _, pragma[only_bind_into](config)) and
+    flowIntoCall(call, arg, p, allowsFieldFlow, config) and
+    fwdFlow(arg, _, _, _, pragma[only_bind_into](config)) and
+    PrevStage::parameterMayFlowThrough(p, _, _, pragma[only_bind_into](config)) and
     callMayFlowThroughFwd(call, pragma[only_bind_into](config))
   }
 
@@ -2694,9 +2691,9 @@ private module Stage4 {
 
   pragma[nomagic]
   predicate callMayFlowThroughRev(DataFlowCall call, Configuration config) {
-    exists(Ap returnAp0, Node node, boolean toReturn, ApOption returnAp, Ap ap |
-      revFlow(node, toReturn, returnAp, ap, config) and
-      revFlowInToReturn(call, node, returnAp0, ap, config) and
+    exists(Ap returnAp0, ArgNode arg, boolean toReturn, ApOption returnAp, Ap ap |
+      revFlow(arg, toReturn, returnAp, ap, config) and
+      revFlowInToReturn(call, arg, returnAp0, ap, config) and
       revFlowIsReturned(call, toReturn, returnAp, returnAp0, config)
     )
   }

From bc02f28ddd7f93e1d426b704d6605af5215be998 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 1 Jun 2021 10:44:44 +0200
Subject: [PATCH 1235/1429] Fix change note workflow to handle paginated
 results

---
 .github/workflows/check-change-note.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/check-change-note.yml b/.github/workflows/check-change-note.yml
index 0b90ffbc668..8c036c2f1b3 100644
--- a/.github/workflows/check-change-note.yml
+++ b/.github/workflows/check-change-note.yml
@@ -19,5 +19,5 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate |
-          jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' --exit-status
+          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
+          grep true -c

From 5d21c64247b7bba2adad03c08cdf8341f68f836d Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Tue, 1 Jun 2021 10:49:47 +0200
Subject: [PATCH 1236/1429] Dataflow: qldoc fix.

---
 cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll | 4 +++-
 .../src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll   | 4 +++-
 .../src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll   | 4 +++-
 .../src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll   | 4 +++-
 .../semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll   | 4 +++-
 .../src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll | 4 +++-
 .../semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll    | 4 +++-
 .../semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll    | 4 +++-
 .../semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll    | 4 +++-
 .../src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll | 4 +++-
 .../semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll    | 4 +++-
 .../semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll    | 4 +++-
 .../semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll    | 4 +++-
 .../semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll    | 4 +++-
 .../src/semmle/code/java/dataflow/internal/DataFlowImpl.qll   | 4 +++-
 .../src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll  | 4 +++-
 .../src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll  | 4 +++-
 .../src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll  | 4 +++-
 .../src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll  | 4 +++-
 .../src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll  | 4 +++-
 .../src/semmle/python/dataflow/new/internal/DataFlowImpl.qll  | 4 +++-
 .../src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll | 4 +++-
 .../src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll | 4 +++-
 .../src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll | 4 +++-
 24 files changed, 72 insertions(+), 24 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
index 2638d093be4..9b14db7ef88 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
index 2638d093be4..9b14db7ef88 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
index 2638d093be4..9b14db7ef88 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
index 2638d093be4..9b14db7ef88 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
index 2638d093be4..9b14db7ef88 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
index 2638d093be4..9b14db7ef88 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
index 2638d093be4..9b14db7ef88 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
index 2638d093be4..9b14db7ef88 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
index 2638d093be4..9b14db7ef88 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
index 2638d093be4..9b14db7ef88 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
index 2638d093be4..9b14db7ef88 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
index 2638d093be4..9b14db7ef88 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
index 2638d093be4..9b14db7ef88 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
index 2638d093be4..9b14db7ef88 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
index 2638d093be4..9b14db7ef88 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
index 2638d093be4..9b14db7ef88 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
index 2638d093be4..9b14db7ef88 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
index 2638d093be4..9b14db7ef88 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
index 2638d093be4..9b14db7ef88 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
index 2638d093be4..9b14db7ef88 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
index 2638d093be4..9b14db7ef88 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
index 2638d093be4..9b14db7ef88 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
index 2638d093be4..9b14db7ef88 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
index 2638d093be4..9b14db7ef88 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
@@ -532,7 +532,9 @@ private module Stage1 {
   }
 
   /**
-   * Holds if an output from `call` is reached in the flow covered by `revFlow`.
+   * Holds if an output from `call` is reached in the flow covered by `revFlow`
+   * and data might flow through the target callable resulting in reverse flow
+   * reaching an argument of `call`.
    */
   pragma[nomagic]
   private predicate revFlowIsReturned(DataFlowCall call, boolean toReturn, Configuration config) {

From 8dc1451d42f2eefce0e62ee5a7a1b198272abad3 Mon Sep 17 00:00:00 2001
From: Artem Smotrakov <artem.smotrakov@sap.com>
Date: Tue, 1 Jun 2021 12:16:09 +0300
Subject: [PATCH 1237/1429] Better recommendation in
 UnsafeDeserializationRmi.qhelp

Co-authored-by: Chris Smowton <smowton@github.com>
---
 .../Security/CWE/CWE-502/UnsafeDeserializationRmi.qhelp         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.qhelp b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.qhelp
index ea06f315cc4..02ee7d7dab1 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.qhelp
@@ -13,7 +13,7 @@ In the worst case, it results in remote code execution.
 
 <recommendation>
 <p>
-Use only strings and primitive types in parameters of remote objects.
+Use only strings and primitive types for parameters of remotely invokable methods.
 </p>
 <p>
 Set a filter for incoming serialized data by wrapping remote objects using either <code>UnicastRemoteObject.exportObject(Remote, int, ObjectInputFilter)</code>

From 1001dd84e65a7a9dfbb0be8a27bdbb3dc3f18e9d Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Wed, 19 May 2021 10:45:02 +0200
Subject: [PATCH 1238/1429] Java: Switch array steps and one containerstep.

---
 .../java/dataflow/internal/ContainerFlow.qll  | 43 +++++++++++++++++++
 .../dataflow/internal/DataFlowPrivate.qll     | 11 ++++-
 .../java/dataflow/internal/DataFlowUtil.qll   |  2 +
 .../internal/FlowSummaryImplSpecific.qll      |  6 +++
 .../dataflow/internal/TaintTrackingUtil.qll   | 22 ----------
 5 files changed, 60 insertions(+), 24 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll b/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
index 5425471ca44..52a9b1704dd 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
@@ -1,6 +1,8 @@
 import java
 import semmle.code.java.Collections
 import semmle.code.java.Maps
+private import semmle.code.java.dataflow.SSA
+private import DataFlowUtil
 
 private class EntryType extends RefType {
   EntryType() {
@@ -426,3 +428,44 @@ predicate containerStep(Expr n1, Expr n2) {
   containerReturnValueStep(n1, n2) or
   containerUpdateStep(n1, n2)
 }
+
+predicate arrayStoreStep(Node node1, Node node2) {
+  exists(Argument arg |
+    node1.asExpr() = arg and
+    arg.isVararg() and
+    node2.(ImplicitVarargsArray).getCall() = arg.getCall()
+  )
+  or
+  node2.asExpr().(ArrayInit).getAnInit() = node1.asExpr()
+  or
+  exists(Assignment assign | assign.getSource() = node1.asExpr() |
+    node2.(PostUpdateNode).getPreUpdateNode().asExpr() = assign.getDest().(ArrayAccess).getArray()
+  )
+}
+
+private predicate enhancedForStmtStep(Node node1, Node node2, Type containerType) {
+  exists(EnhancedForStmt for, Expr e, SsaExplicitUpdate v |
+    for.getExpr() = e and
+    node1.asExpr() = e and
+    containerType = e.getType() and
+    v.getDefiningExpr() = for.getVariable() and
+    v.getAFirstUse() = node2.asExpr()
+  )
+}
+
+predicate arrayReadStep(Node node1, Node node2, Type elemType) {
+  exists(ArrayAccess aa |
+    aa.getArray() = node1.asExpr() and
+    aa.getType() = elemType and
+    node2.asExpr() = aa
+  )
+  or
+  exists(Array arr |
+    enhancedForStmtStep(node1, node2, arr) and
+    arr.getComponentType() = elemType
+  )
+}
+
+predicate collectionReadStep(Node node1, Node node2) {
+  enhancedForStmtStep(node1, node2, any(Type t | not t instanceof Array))
+}
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
index e3ab07fce1f..54c4b775272 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
@@ -4,6 +4,7 @@ private import DataFlowImplCommon
 private import DataFlowDispatch
 private import semmle.code.java.controlflow.Guards
 private import semmle.code.java.dataflow.SSA
+private import ContainerFlow
 private import FlowSummaryImpl as FlowSummaryImpl
 import DataFlowNodes::Private
 
@@ -137,13 +138,15 @@ class MapValueContent extends Content, TMapValueContent {
  * Thus, `node2` references an object with a field `f` that contains the
  * value of `node1`.
  */
-predicate storeStep(Node node1, Content f, PostUpdateNode node2) {
+predicate storeStep(Node node1, Content f, Node node2) {
   exists(FieldAccess fa |
     instanceFieldAssign(node1.asExpr(), fa) and
-    node2.getPreUpdateNode() = getFieldQualifier(fa) and
+    node2.(PostUpdateNode).getPreUpdateNode() = getFieldQualifier(fa) and
     f.(FieldContent).getField() = fa.getField()
   )
   or
+  f instanceof ArrayContent and arrayStoreStep(node1, node2)
+  or
   FlowSummaryImpl::Private::Steps::summaryStoreStep(node1, f, node2)
 }
 
@@ -171,6 +174,10 @@ predicate readStep(Node node1, Content f, Node node2) {
     node2.asExpr() = get
   )
   or
+  f instanceof ArrayContent and arrayReadStep(node1, node2, _)
+  or
+  f instanceof CollectionContent and collectionReadStep(node1, node2)
+  or
   FlowSummaryImpl::Private::Steps::summaryReadStep(node1, f, node2)
 }
 
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
index e25ab24cfbb..e3ee2ddd595 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
@@ -144,6 +144,8 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {
   or
   node2.asExpr().(AssignExpr).getSource() = node1.asExpr()
   or
+  node2.asExpr().(ArrayCreationExpr).getInit() = node1.asExpr()
+  or
   exists(MethodAccess ma, ValuePreservingMethod m, int argNo |
     ma.getCallee().getSourceDeclaration() = m and m.returnsValue(argNo)
   |
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
index dae0571f0fa..6f127c4b92d 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
@@ -30,6 +30,12 @@ DataFlowType getContentType(Content c) {
   or
   c instanceof ArrayContent and
   result instanceof TypeObject
+  or
+  c instanceof MapKeyContent and
+  result instanceof TypeObject
+  or
+  c instanceof MapValueContent and
+  result instanceof TypeObject
 }
 
 /** Gets the return type of kind `rk` for callable `c`. */
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index 8c514e357d2..339e0f05e1e 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -60,12 +60,6 @@ private module Cached {
     localAdditionalTaintUpdateStep(src.asExpr(),
       sink.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr())
     or
-    exists(Argument arg |
-      src.asExpr() = arg and
-      arg.isVararg() and
-      sink.(DataFlow::ImplicitVarargsArray).getCall() = arg.getCall()
-    )
-    or
     FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, false)
   }
 
@@ -103,20 +97,8 @@ private predicate localAdditionalTaintExprStep(Expr src, Expr sink) {
   or
   sink.(AssignAddExpr).getSource() = src and sink.getType() instanceof TypeString
   or
-  sink.(ArrayCreationExpr).getInit() = src
-  or
-  sink.(ArrayInit).getAnInit() = src
-  or
-  sink.(ArrayAccess).getArray() = src
-  or
   sink.(LogicExpr).getAnOperand() = src
   or
-  exists(EnhancedForStmt for, SsaExplicitUpdate v |
-    for.getExpr() = src and
-    v.getDefiningExpr() = for.getVariable() and
-    v.getAFirstUse() = sink
-  )
-  or
   containerReturnValueStep(src, sink)
   or
   constructorStep(src, sink)
@@ -141,10 +123,6 @@ private predicate localAdditionalTaintExprStep(Expr src, Expr sink) {
  * This is restricted to cases where the step updates the value of `sink`.
  */
 private predicate localAdditionalTaintUpdateStep(Expr src, Expr sink) {
-  exists(Assignment assign | assign.getSource() = src |
-    sink = assign.getDest().(ArrayAccess).getArray()
-  )
-  or
   containerUpdateStep(src, sink)
   or
   qualifierToArgumentStep(src, sink)

From ffd52bb673f9cdcc0237bcfb7e93098a6f94110d Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Thu, 22 Apr 2021 11:00:31 +0200
Subject: [PATCH 1239/1429] Java: Fix bug in matching generic signatures.

---
 java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 33a146d07fe..8aa8447f7fb 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -561,7 +561,7 @@ private RefType interpretType(string namespace, string type, boolean subtypes) {
 private string paramsStringPart(Callable c, int i) {
   i = -1 and result = "("
   or
-  exists(int n, string p | c.getParameterType(n).toString() = p |
+  exists(int n, string p | c.getParameterType(n).getErasure().toString() = p |
     i = 2 * n and result = p
     or
     i = 2 * n - 1 and result = "," and n != 0

From 3b6cef4f7464a9396483a0022503c82f92ed04e3 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Fri, 9 Apr 2021 15:32:28 +0200
Subject: [PATCH 1240/1429] Java: Add container flow models.

---
 .../code/java/dataflow/ExternalFlow.qll       |   1 +
 .../java/dataflow/internal/ContainerFlow.qll  | 281 ++++++++++++++++++
 2 files changed, 282 insertions(+)

diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 8aa8447f7fb..34fa8d66dd3 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -74,6 +74,7 @@ private import FlowSummary
  * ensuring that they are visible to the taint tracking / data flow library.
  */
 private module Frameworks {
+  private import internal.ContainerFlow
   private import semmle.code.java.frameworks.ApacheHttp
   private import semmle.code.java.frameworks.apache.Lang
   private import semmle.code.java.frameworks.guava.Guava
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll b/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
index 52a9b1704dd..667ae024b37 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
@@ -3,6 +3,7 @@ import semmle.code.java.Collections
 import semmle.code.java.Maps
 private import semmle.code.java.dataflow.SSA
 private import DataFlowUtil
+private import semmle.code.java.dataflow.ExternalFlow
 
 private class EntryType extends RefType {
   EntryType() {
@@ -90,6 +91,286 @@ class ContainerType extends RefType {
   }
 }
 
+private class ContainerFlowSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "java.util;Map<>$Entry;true;getValue;;;MapValue of Argument[-1];ReturnValue;value",
+        "java.util;Map<>$Entry;true;setValue;;;MapValue of Argument[-1];ReturnValue;value",
+        "java.util;Map<>$Entry;true;setValue;;;Argument[0];MapValue of Argument[-1];value",
+        "java.lang;Iterable;true;iterator;();;Element of Argument[-1];Element of ReturnValue;value",
+        "java.lang;Iterable;true;spliterator;();;Element of Argument[-1];Element of ReturnValue;value",
+        "java.util;Iterator;true;next;;;Element of Argument[-1];ReturnValue;value",
+        "java.util;ListIterator;true;previous;;;Element of Argument[-1];ReturnValue;value",
+        "java.util;ListIterator;true;add;(Object);;Argument[0];Element of Argument[-1];value",
+        "java.util;ListIterator;true;set;(Object);;Argument[0];Element of Argument[-1];value",
+        "java.util;Enumeration;true;asIterator;;;Element of Argument[-1];Element of ReturnValue;value",
+        "java.util;Enumeration;true;nextElement;;;Element of Argument[-1];ReturnValue;value",
+        "java.util;Map;true;computeIfAbsent;;;MapValue of Argument[-1];ReturnValue;value",
+        "java.util;Map;true;computeIfAbsent;;;ReturnValue of Argument[1];ReturnValue;value",
+        "java.util;Map;true;computeIfAbsent;;;ReturnValue of Argument[1];MapValue of Argument[-1];value",
+        "java.util;Map;true;entrySet;;;MapValue of Argument[-1];MapValue of Element of ReturnValue;value",
+        "java.util;Map;true;entrySet;;;MapKey of Argument[-1];MapKey of Element of ReturnValue;value",
+        "java.util;Map;true;get;;;MapValue of Argument[-1];ReturnValue;value",
+        "java.util;Map;true;getOrDefault;;;MapValue of Argument[-1];ReturnValue;value",
+        "java.util;Map;true;getOrDefault;;;Argument[1];ReturnValue;value",
+        "java.util;Map;true;put;;;MapValue of Argument[-1];ReturnValue;value",
+        "java.util;Map;true;put;;;Argument[0];MapKey of Argument[-1];value",
+        "java.util;Map;true;put;;;Argument[1];MapValue of Argument[-1];value",
+        "java.util;Map;true;putIfAbsent;;;MapValue of Argument[-1];ReturnValue;value",
+        "java.util;Map;true;putIfAbsent;;;Argument[0];MapKey of Argument[-1];value",
+        "java.util;Map;true;putIfAbsent;;;Argument[1];MapValue of Argument[-1];value",
+        "java.util;Map;true;remove;(Object);;MapValue of Argument[-1];ReturnValue;value",
+        "java.util;Map;true;replace;(Object,Object);;MapValue of Argument[-1];ReturnValue;value",
+        "java.util;Map;true;replace;(Object,Object);;Argument[0];MapKey of Argument[-1];value",
+        "java.util;Map;true;replace;(Object,Object);;Argument[1];MapValue of Argument[-1];value",
+        "java.util;Map;true;replace;(Object,Object,Object);;Argument[0];MapKey of Argument[-1];value",
+        "java.util;Map;true;replace;(Object,Object,Object);;Argument[2];MapValue of Argument[-1];value",
+        "java.util;Map;true;keySet;();;MapKey of Argument[-1];Element of ReturnValue;value",
+        "java.util;Map;true;values;();;MapValue of Argument[-1];Element of ReturnValue;value",
+        "java.util;Map;true;merge;(Object,Object,BiFunction);;Argument[1];MapValue of Argument[-1];value",
+        "java.util;Map;true;putAll;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "java.util;Map;true;putAll;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "java.util;Collection;true;parallelStream;();;Element of Argument[-1];Element of ReturnValue;value",
+        "java.util;Collection;true;stream;();;Element of Argument[-1];Element of ReturnValue;value",
+        "java.util;Collection;true;toArray;;;Element of Argument[-1];ArrayElement of ReturnValue;value",
+        "java.util;Collection;true;toArray;;;Element of Argument[-1];ArrayElement of Argument[0];value",
+        "java.util;Collection;true;add;;;Argument[0];Element of Argument[-1];value",
+        "java.util;Collection;true;addAll;;;Element of Argument[0];Element of Argument[-1];value",
+        "java.util;List;true;get;(int);;Element of Argument[-1];ReturnValue;value",
+        "java.util;List;true;listIterator;;;Element of Argument[-1];Element of ReturnValue;value",
+        "java.util;List;true;remove;(int);;Element of Argument[-1];ReturnValue;value",
+        "java.util;List;true;set;(int,Object);;Element of Argument[-1];ReturnValue;value",
+        "java.util;List;true;set;(int,Object);;Argument[1];Element of Argument[-1];value",
+        "java.util;List;true;subList;;;Element of Argument[-1];Element of ReturnValue;value",
+        "java.util;List;true;add;(int,Object);;Argument[1];Element of Argument[-1];value",
+        "java.util;List;true;addAll;(int,Collection);;Element of Argument[1];Element of Argument[-1];value",
+        "java.util;Vector;true;elementAt;(int);;Element of Argument[-1];ReturnValue;value",
+        "java.util;Vector;true;elements;();;Element of Argument[-1];Element of ReturnValue;value",
+        "java.util;Vector;true;firstElement;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;Vector;true;lastElement;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;Vector;true;addElement;(Object);;Argument[0];Element of Argument[-1];value",
+        "java.util;Vector;true;insertElementAt;(Object,int);;Argument[0];Element of Argument[-1];value",
+        "java.util;Vector;true;setElementAt;(Object,int);;Argument[0];Element of Argument[-1];value",
+        "java.util;Vector;true;copyInto;(Object[]);;Element of Argument[-1];ArrayElement of Argument[0];value",
+        "java.util;Stack;true;peek;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;Stack;true;pop;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;Stack;true;push;(Object);;Argument[0];Element of Argument[-1];value",
+        "java.util;Queue;true;element;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;Queue;true;peek;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;Queue;true;poll;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;Queue;true;remove;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;Queue;true;offer;(Object);;Argument[0];Element of Argument[-1];value",
+        "java.util;Deque;true;descendingIterator;();;Element of Argument[-1];Element of ReturnValue;value",
+        "java.util;Deque;true;getFirst;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;Deque;true;getLast;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;Deque;true;peekFirst;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;Deque;true;peekLast;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;Deque;true;pollFirst;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;Deque;true;pollLast;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;Deque;true;pop;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;Deque;true;removeFirst;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;Deque;true;removeLast;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;Deque;true;push;(Object);;Argument[0];Element of Argument[-1];value",
+        "java.util;Deque;true;offerLast;(Object);;Argument[0];Element of Argument[-1];value",
+        "java.util;Deque;true;offerFirst;(Object);;Argument[0];Element of Argument[-1];value",
+        "java.util;Deque;true;addLast;(Object);;Argument[0];Element of Argument[-1];value",
+        "java.util;Deque;true;addFirst;(Object);;Argument[0];Element of Argument[-1];value",
+        "java.util.concurrent;BlockingDeque;true;pollFirst;(long,TimeUnit);;Element of Argument[-1];ReturnValue;value",
+        "java.util.concurrent;BlockingDeque;true;pollLast;(long,TimeUnit);;Element of Argument[-1];ReturnValue;value",
+        "java.util.concurrent;BlockingDeque;true;takeFirst;();;Element of Argument[-1];ReturnValue;value",
+        "java.util.concurrent;BlockingDeque;true;takeLast;();;Element of Argument[-1];ReturnValue;value",
+        "java.util.concurrent;BlockingQueue;true;poll;(long,TimeUnit);;Element of Argument[-1];ReturnValue;value",
+        "java.util.concurrent;BlockingQueue;true;take;();;Element of Argument[-1];ReturnValue;value",
+        "java.util.concurrent;BlockingQueue;true;offer;(Object,long,TimeUnit);;Argument[0];Element of Argument[-1];value",
+        "java.util.concurrent;BlockingQueue;true;put;(Object);;Argument[0];Element of Argument[-1];value",
+        "java.util.concurrent;BlockingDeque;true;offerLast;(Object,long,TimeUnit);;Argument[0];Element of Argument[-1];value",
+        "java.util.concurrent;BlockingDeque;true;offerFirst;(Object,long,TimeUnit);;Argument[0];Element of Argument[-1];value",
+        "java.util.concurrent;BlockingDeque;true;putLast;(Object);;Argument[0];Element of Argument[-1];value",
+        "java.util.concurrent;BlockingDeque;true;putFirst;(Object);;Argument[0];Element of Argument[-1];value",
+        "java.util.concurrent;BlockingQueue;true;drainTo;(Collection,int);;Element of Argument[-1];Element of Argument[0];value",
+        "java.util.concurrent;BlockingQueue;true;drainTo;(Collection);;Element of Argument[-1];Element of Argument[0];value",
+        "java.util.concurrent;ConcurrentHashMap;true;elements;();;MapValue of Argument[-1];Element of ReturnValue;value",
+        "java.util;Dictionary;true;elements;();;MapValue of Argument[-1];Element of ReturnValue;value",
+        "java.util;Dictionary;true;get;(Object);;MapValue of Argument[-1];ReturnValue;value",
+        "java.util;Dictionary;true;put;(Object,Object);;MapValue of Argument[-1];ReturnValue;value",
+        "java.util;Dictionary;true;put;(Object,Object);;Argument[0];MapKey of Argument[-1];value",
+        "java.util;Dictionary;true;put;(Object,Object);;Argument[1];MapValue of Argument[-1];value",
+        "java.util;Dictionary;true;remove;(Object);;MapValue of Argument[-1];ReturnValue;value",
+        "java.util;NavigableMap;true;ceilingEntry;(Object);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "java.util;NavigableMap;true;ceilingEntry;(Object);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        "java.util;NavigableMap;true;descendingMap;();;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "java.util;NavigableMap;true;descendingMap;();;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        "java.util;NavigableMap;true;firstEntry;();;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "java.util;NavigableMap;true;firstEntry;();;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        "java.util;NavigableMap;true;floorEntry;(Object);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "java.util;NavigableMap;true;floorEntry;(Object);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        "java.util;NavigableMap;true;headMap;(Object,boolean);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "java.util;NavigableMap;true;headMap;(Object,boolean);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        "java.util;NavigableMap;true;higherEntry;(Object);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "java.util;NavigableMap;true;higherEntry;(Object);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        "java.util;NavigableMap;true;lastEntry;();;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "java.util;NavigableMap;true;lastEntry;();;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        "java.util;NavigableMap;true;lowerEntry;(Object);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "java.util;NavigableMap;true;lowerEntry;(Object);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        "java.util;NavigableMap;true;pollFirstEntry;();;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "java.util;NavigableMap;true;pollFirstEntry;();;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        "java.util;NavigableMap;true;pollLastEntry;();;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "java.util;NavigableMap;true;pollLastEntry;();;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        "java.util;NavigableMap;true;subMap;(Object,boolean,Object,boolean);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "java.util;NavigableMap;true;subMap;(Object,boolean,Object,boolean);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        "java.util;NavigableMap;true;tailMap;(Object,boolean);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "java.util;NavigableMap;true;tailMap;(Object,boolean);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        "java.util;NavigableSet;true;ceiling;(Object);;Element of Argument[-1];ReturnValue;value",
+        "java.util;NavigableSet;true;descendingIterator;();;Element of Argument[-1];Element of ReturnValue;value",
+        "java.util;NavigableSet;true;descendingSet;();;Element of Argument[-1];Element of ReturnValue;value",
+        "java.util;NavigableSet;true;floor;(Object);;Element of Argument[-1];ReturnValue;value",
+        "java.util;NavigableSet;true;headSet;(Object,boolean);;Element of Argument[-1];Element of ReturnValue;value",
+        "java.util;NavigableSet;true;higher;(Object);;Element of Argument[-1];ReturnValue;value",
+        "java.util;NavigableSet;true;lower;(Object);;Element of Argument[-1];ReturnValue;value",
+        "java.util;NavigableSet;true;pollFirst;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;NavigableSet;true;pollLast;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;NavigableSet;true;subSet;(Object,boolean,Object,boolean);;Element of Argument[-1];Element of ReturnValue;value",
+        "java.util;NavigableSet;true;tailSet;(Object,boolean);;Element of Argument[-1];Element of ReturnValue;value",
+        "java.util;Scanner;true;next;(Pattern);;Argument[-1];ReturnValue;taint",
+        "java.util;Scanner;true;next;(String);;Argument[-1];ReturnValue;taint",
+        "java.util;SortedMap;true;headMap;(Object);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "java.util;SortedMap;true;headMap;(Object);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        "java.util;SortedMap;true;subMap;(Object,Object);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "java.util;SortedMap;true;subMap;(Object,Object);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        "java.util;SortedMap;true;tailMap;(Object);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "java.util;SortedMap;true;tailMap;(Object);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        "java.util;SortedSet;true;first;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;SortedSet;true;headSet;(Object);;Element of Argument[-1];Element of ReturnValue;value",
+        "java.util;SortedSet;true;last;();;Element of Argument[-1];ReturnValue;value",
+        "java.util;SortedSet;true;subSet;(Object,Object);;Element of Argument[-1];Element of ReturnValue;value",
+        "java.util;SortedSet;true;tailSet;(Object);;Element of Argument[-1];Element of ReturnValue;value",
+        "java.util.concurrent;TransferQueue;true;tryTransfer;(Object,long,TimeUnit);;Argument[0];Element of Argument[-1];value",
+        "java.util.concurrent;TransferQueue;true;transfer;(Object);;Argument[0];Element of Argument[-1];value",
+        "java.util.concurrent;TransferQueue;true;tryTransfer;(Object);;Argument[0];Element of Argument[-1];value",
+        "java.util;List;false;copyOf;(Collection);;Element of Argument[0];Element of ReturnValue;value",
+        "java.util;List;false;of;(Object[]);;ArrayElement of Argument[0];Element of ReturnValue;value",
+        "java.util;List;false;of;(Object);;Argument[0];Element of ReturnValue;value",
+        "java.util;List;false;of;(Object,Object);;Argument[0..1];Element of ReturnValue;value",
+        "java.util;List;false;of;(Object,Object,Object);;Argument[0..2];Element of ReturnValue;value",
+        "java.util;List;false;of;(Object,Object,Object,Object);;Argument[0..3];Element of ReturnValue;value",
+        "java.util;List;false;of;(Object,Object,Object,Object,Object);;Argument[0..4];Element of ReturnValue;value",
+        "java.util;List;false;of;(Object,Object,Object,Object,Object,Object);;Argument[0..5];Element of ReturnValue;value",
+        "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object);;Argument[0..6];Element of ReturnValue;value",
+        "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0..7];Element of ReturnValue;value",
+        "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0..8];Element of ReturnValue;value",
+        "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0..9];Element of ReturnValue;value",
+        "java.util;Map;false;copyOf;(Map);;MapKey of Argument[0];MapKey of ReturnValue;value",
+        "java.util;Map;false;copyOf;(Map);;MapValue of Argument[0];MapValue of ReturnValue;value",
+        "java.util;Map;false;entry;(Object,Object);;Argument[0];MapKey of ReturnValue;value",
+        "java.util;Map;false;entry;(Object,Object);;Argument[1];MapValue of ReturnValue;value",
+        "java.util;Map;false;of;;;Argument[0];MapKey of ReturnValue;value",
+        "java.util;Map;false;of;;;Argument[1];MapValue of ReturnValue;value",
+        "java.util;Map;false;of;;;Argument[2];MapKey of ReturnValue;value",
+        "java.util;Map;false;of;;;Argument[3];MapValue of ReturnValue;value",
+        "java.util;Map;false;of;;;Argument[4];MapKey of ReturnValue;value",
+        "java.util;Map;false;of;;;Argument[5];MapValue of ReturnValue;value",
+        "java.util;Map;false;of;;;Argument[6];MapKey of ReturnValue;value",
+        "java.util;Map;false;of;;;Argument[7];MapValue of ReturnValue;value",
+        "java.util;Map;false;of;;;Argument[8];MapKey of ReturnValue;value",
+        "java.util;Map;false;of;;;Argument[9];MapValue of ReturnValue;value",
+        "java.util;Map;false;of;;;Argument[10];MapKey of ReturnValue;value",
+        "java.util;Map;false;of;;;Argument[11];MapValue of ReturnValue;value",
+        "java.util;Map;false;of;;;Argument[12];MapKey of ReturnValue;value",
+        "java.util;Map;false;of;;;Argument[13];MapValue of ReturnValue;value",
+        "java.util;Map;false;of;;;Argument[14];MapKey of ReturnValue;value",
+        "java.util;Map;false;of;;;Argument[15];MapValue of ReturnValue;value",
+        "java.util;Map;false;of;;;Argument[16];MapKey of ReturnValue;value",
+        "java.util;Map;false;of;;;Argument[17];MapValue of ReturnValue;value",
+        "java.util;Map;false;of;;;Argument[18];MapKey of ReturnValue;value",
+        "java.util;Map;false;of;;;Argument[19];MapValue of ReturnValue;value",
+        "java.util;Map;false;ofEntries;;;MapKey of ArrayElement of Argument[0];MapKey of ReturnValue;value",
+        "java.util;Map;false;ofEntries;;;MapValue of ArrayElement of Argument[0];MapValue of ReturnValue;value",
+        "java.util;Set;false;copyOf;(Collection);;Element of Argument[0];Element of ReturnValue;value",
+        "java.util;Set;false;of;(Object[]);;ArrayElement of Argument[0];Element of ReturnValue;value",
+        "java.util;Set;false;of;(Object);;Argument[0];Element of ReturnValue;value",
+        "java.util;Set;false;of;(Object,Object);;Argument[0..1];Element of ReturnValue;value",
+        "java.util;Set;false;of;(Object,Object,Object);;Argument[0..2];Element of ReturnValue;value",
+        "java.util;Set;false;of;(Object,Object,Object,Object);;Argument[0..3];Element of ReturnValue;value",
+        "java.util;Set;false;of;(Object,Object,Object,Object,Object);;Argument[0..4];Element of ReturnValue;value",
+        "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object);;Argument[0..5];Element of ReturnValue;value",
+        "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object);;Argument[0..6];Element of ReturnValue;value",
+        "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0..7];Element of ReturnValue;value",
+        "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0..8];Element of ReturnValue;value",
+        "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0..9];Element of ReturnValue;value",
+        "java.util;Arrays;false;stream;;;ArrayElement of Argument[0];Element of ReturnValue;value",
+        "java.util;Arrays;false;spliterator;;;ArrayElement of Argument[0];Element of ReturnValue;value",
+        "java.util;Arrays;false;copyOfRange;;;ArrayElement of Argument[0];ArrayElement of ReturnValue;value",
+        "java.util;Arrays;false;copyOf;;;ArrayElement of Argument[0];ArrayElement of ReturnValue;value",
+        "java.util;Collections;false;list;(Enumeration);;Element of Argument[0];Element of ReturnValue;value",
+        "java.util;Collections;false;enumeration;(Collection);;Element of Argument[0];Element of ReturnValue;value",
+        "java.util;Collections;false;nCopies;(int,Object);;Argument[1];Element of ReturnValue;value",
+        "java.util;Collections;false;singletonMap;(Object,Object);;Argument[0];MapKey of ReturnValue;value",
+        "java.util;Collections;false;singletonMap;(Object,Object);;Argument[1];MapValue of ReturnValue;value",
+        "java.util;Collections;false;singletonList;(Object);;Argument[0];Element of ReturnValue;value",
+        "java.util;Collections;false;singleton;(Object);;Argument[0];Element of ReturnValue;value",
+        "java.util;Collections;false;checkedNavigableMap;(NavigableMap,Class,Class);;MapKey of Argument[0];MapKey of ReturnValue;value",
+        "java.util;Collections;false;checkedNavigableMap;(NavigableMap,Class,Class);;MapValue of Argument[0];MapValue of ReturnValue;value",
+        "java.util;Collections;false;checkedSortedMap;(SortedMap,Class,Class);;MapKey of Argument[0];MapKey of ReturnValue;value",
+        "java.util;Collections;false;checkedSortedMap;(SortedMap,Class,Class);;MapValue of Argument[0];MapValue of ReturnValue;value",
+        "java.util;Collections;false;checkedMap;(Map,Class,Class);;MapKey of Argument[0];MapKey of ReturnValue;value",
+        "java.util;Collections;false;checkedMap;(Map,Class,Class);;MapValue of Argument[0];MapValue of ReturnValue;value",
+        "java.util;Collections;false;checkedList;(List,Class);;Element of Argument[0];Element of ReturnValue;value",
+        "java.util;Collections;false;checkedNavigableSet;(NavigableSet,Class);;Element of Argument[0];Element of ReturnValue;value",
+        "java.util;Collections;false;checkedSortedSet;(SortedSet,Class);;Element of Argument[0];Element of ReturnValue;value",
+        "java.util;Collections;false;checkedSet;(Set,Class);;Element of Argument[0];Element of ReturnValue;value",
+        "java.util;Collections;false;checkedCollection;(Collection,Class);;Element of Argument[0];Element of ReturnValue;value",
+        "java.util;Collections;false;synchronizedNavigableMap;(NavigableMap);;MapKey of Argument[0];MapKey of ReturnValue;value",
+        "java.util;Collections;false;synchronizedNavigableMap;(NavigableMap);;MapValue of Argument[0];MapValue of ReturnValue;value",
+        "java.util;Collections;false;synchronizedSortedMap;(SortedMap);;MapKey of Argument[0];MapKey of ReturnValue;value",
+        "java.util;Collections;false;synchronizedSortedMap;(SortedMap);;MapValue of Argument[0];MapValue of ReturnValue;value",
+        "java.util;Collections;false;synchronizedMap;(Map);;MapKey of Argument[0];MapKey of ReturnValue;value",
+        "java.util;Collections;false;synchronizedMap;(Map);;MapValue of Argument[0];MapValue of ReturnValue;value",
+        "java.util;Collections;false;synchronizedList;(List);;Element of Argument[0];Element of ReturnValue;value",
+        "java.util;Collections;false;synchronizedNavigableSet;(NavigableSet);;Element of Argument[0];Element of ReturnValue;value",
+        "java.util;Collections;false;synchronizedSortedSet;(SortedSet);;Element of Argument[0];Element of ReturnValue;value",
+        "java.util;Collections;false;synchronizedSet;(Set);;Element of Argument[0];Element of ReturnValue;value",
+        "java.util;Collections;false;synchronizedCollection;(Collection);;Element of Argument[0];Element of ReturnValue;value",
+        "java.util;Collections;false;unmodifiableNavigableMap;(NavigableMap);;MapKey of Argument[0];MapKey of ReturnValue;value",
+        "java.util;Collections;false;unmodifiableNavigableMap;(NavigableMap);;MapValue of Argument[0];MapValue of ReturnValue;value",
+        "java.util;Collections;false;unmodifiableSortedMap;(SortedMap);;MapKey of Argument[0];MapKey of ReturnValue;value",
+        "java.util;Collections;false;unmodifiableSortedMap;(SortedMap);;MapValue of Argument[0];MapValue of ReturnValue;value",
+        "java.util;Collections;false;unmodifiableMap;(Map);;MapKey of Argument[0];MapKey of ReturnValue;value",
+        "java.util;Collections;false;unmodifiableMap;(Map);;MapValue of Argument[0];MapValue of ReturnValue;value",
+        "java.util;Collections;false;unmodifiableList;(List);;Element of Argument[0];Element of ReturnValue;value",
+        "java.util;Collections;false;unmodifiableNavigableSet;(NavigableSet);;Element of Argument[0];Element of ReturnValue;value",
+        "java.util;Collections;false;unmodifiableSortedSet;(SortedSet);;Element of Argument[0];Element of ReturnValue;value",
+        "java.util;Collections;false;unmodifiableSet;(Set);;Element of Argument[0];Element of ReturnValue;value",
+        "java.util;Collections;false;unmodifiableCollection;(Collection);;Element of Argument[0];Element of ReturnValue;value",
+        "java.util;Collections;false;max;;;Element of Argument[0];ReturnValue;value",
+        "java.util;Collections;false;min;;;Element of Argument[0];ReturnValue;value",
+        "java.util;Arrays;false;fill;(Object[],int,int,Object);;Argument[3];ArrayElement of Argument[0];value",
+        "java.util;Arrays;false;fill;(Object[],Object);;Argument[1];ArrayElement of Argument[0];value",
+        "java.util;Arrays;false;fill;(float[],int,int,float);;Argument[3];ArrayElement of Argument[0];value",
+        "java.util;Arrays;false;fill;(float[],float);;Argument[1];ArrayElement of Argument[0];value",
+        "java.util;Arrays;false;fill;(double[],int,int,double);;Argument[3];ArrayElement of Argument[0];value",
+        "java.util;Arrays;false;fill;(double[],double);;Argument[1];ArrayElement of Argument[0];value",
+        "java.util;Arrays;false;fill;(boolean[],int,int,boolean);;Argument[3];ArrayElement of Argument[0];value",
+        "java.util;Arrays;false;fill;(boolean[],boolean);;Argument[1];ArrayElement of Argument[0];value",
+        "java.util;Arrays;false;fill;(byte[],int,int,byte);;Argument[3];ArrayElement of Argument[0];value",
+        "java.util;Arrays;false;fill;(byte[],byte);;Argument[1];ArrayElement of Argument[0];value",
+        "java.util;Arrays;false;fill;(char[],int,int,char);;Argument[3];ArrayElement of Argument[0];value",
+        "java.util;Arrays;false;fill;(char[],char);;Argument[1];ArrayElement of Argument[0];value",
+        "java.util;Arrays;false;fill;(short[],int,int,short);;Argument[3];ArrayElement of Argument[0];value",
+        "java.util;Arrays;false;fill;(short[],short);;Argument[1];ArrayElement of Argument[0];value",
+        "java.util;Arrays;false;fill;(int[],int,int,int);;Argument[3];ArrayElement of Argument[0];value",
+        "java.util;Arrays;false;fill;(int[],int);;Argument[1];ArrayElement of Argument[0];value",
+        "java.util;Arrays;false;fill;(long[],int,int,long);;Argument[3];ArrayElement of Argument[0];value",
+        "java.util;Arrays;false;fill;(long[],long);;Argument[1];ArrayElement of Argument[0];value",
+        "java.util;Collections;false;replaceAll;(List,Object,Object);;Argument[2];Element of Argument[0];value",
+        "java.util;Collections;false;copy;(List,List);;Element of Argument[1];Element of Argument[0];value",
+        "java.util;Collections;false;fill;(List,Object);;Argument[1];Element of Argument[0];value",
+        "java.util;Arrays;false;asList;;;ArrayElement of Argument[0];Element of ReturnValue;value",
+        "java.util;Collections;false;addAll;(Collection,Object[]);;ArrayElement of Argument[1];Element of Argument[0];value"
+      ]
+  }
+}
+
 private predicate taintPreservingQualifierToMethod(Method m) {
   // java.util.Map.Entry
   m.getDeclaringType() instanceof EntryType and

From 9e313d0cf6817201b96181463bc01ecc13cb1ead Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Thu, 22 Apr 2021 16:57:41 +0200
Subject: [PATCH 1241/1429] Java: Remove container taint steps.

---
 .../semmle/code/java/dataflow/internal/TaintTrackingUtil.qll  | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index 339e0f05e1e..079d61809db 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -99,8 +99,6 @@ private predicate localAdditionalTaintExprStep(Expr src, Expr sink) {
   or
   sink.(LogicExpr).getAnOperand() = src
   or
-  containerReturnValueStep(src, sink)
-  or
   constructorStep(src, sink)
   or
   qualifierToMethodStep(src, sink)
@@ -123,8 +121,6 @@ private predicate localAdditionalTaintExprStep(Expr src, Expr sink) {
  * This is restricted to cases where the step updates the value of `sink`.
  */
 private predicate localAdditionalTaintUpdateStep(Expr src, Expr sink) {
-  containerUpdateStep(src, sink)
-  or
   qualifierToArgumentStep(src, sink)
   or
   argToArgStep(src, sink)

From 3f538e7fac175e8d2778586f4da161105f745962 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Tue, 4 May 2021 10:48:28 +0200
Subject: [PATCH 1242/1429] Java: Update some models.

---
 .../code/java/frameworks/ApacheHttp.qll       |  19 ++--
 .../code/java/frameworks/apache/Lang.qll      | 107 +++++++++++-------
 .../code/java/frameworks/guava/Base.qll       |   8 +-
 .../semmle/code/java/frameworks/guava/IO.qll  |   8 +-
 4 files changed, 93 insertions(+), 49 deletions(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll b/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll
index 8378f1e7260..80cb589e6f2 100644
--- a/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll
+++ b/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll
@@ -165,14 +165,17 @@ private class ApacheHttpFlowStep extends SummaryModelCsv {
         "org.apache.http.util;EncodingUtils;true;getAsciiString;;;Argument[0];ReturnValue;taint",
         "org.apache.http.util;EncodingUtils;true;getBytes;(String,String);;Argument[0];ReturnValue;taint",
         "org.apache.http.util;EncodingUtils;true;getString;;;Argument[0];ReturnValue;taint",
-        "org.apache.http.util;Args;true;containsNoBlanks;(T,String);;Argument[0];ReturnValue;value",
-        "org.apache.http.util;Args;true;notNull;(T,String);;Argument[0];ReturnValue;value",
-        "org.apache.http.util;Args;true;notEmpty;(T,String);;Argument[0];ReturnValue;value",
-        "org.apache.http.util;Args;true;notBlank;(T,String);;Argument[0];ReturnValue;value",
-        "org.apache.hc.core5.util;Args;true;containsNoBlanks;(T,String);;Argument[0];ReturnValue;value",
-        "org.apache.hc.core5.util;Args;true;notNull;(T,String);;Argument[0];ReturnValue;value",
-        "org.apache.hc.core5.util;Args;true;notEmpty;(T,String);;Argument[0];ReturnValue;value",
-        "org.apache.hc.core5.util;Args;true;notBlank;(T,String);;Argument[0];ReturnValue;value",
+        "org.apache.http.util;Args;true;containsNoBlanks;(CharSequence,String);;Argument[0];ReturnValue;value",
+        "org.apache.http.util;Args;true;notNull;(Object,String);;Argument[0];ReturnValue;value",
+        "org.apache.http.util;Args;true;notEmpty;(CharSequence,String);;Argument[0];ReturnValue;value",
+        "org.apache.http.util;Args;true;notEmpty;(Collection,String);;Argument[0];ReturnValue;value",
+        "org.apache.http.util;Args;true;notBlank;(CharSequence,String);;Argument[0];ReturnValue;value",
+        "org.apache.hc.core5.util;Args;true;containsNoBlanks;(CharSequence,String);;Argument[0];ReturnValue;value",
+        "org.apache.hc.core5.util;Args;true;notNull;(Object,String);;Argument[0];ReturnValue;value",
+        "org.apache.hc.core5.util;Args;true;notEmpty;(Collection,String);;Argument[0];ReturnValue;value",
+        "org.apache.hc.core5.util;Args;true;notEmpty;(CharSequence,String);;Argument[0];ReturnValue;value",
+        "org.apache.hc.core5.util;Args;true;notEmpty;(Object,String);;Argument[0];ReturnValue;value",
+        "org.apache.hc.core5.util;Args;true;notBlank;(CharSequence,String);;Argument[0];ReturnValue;value",
         "org.apache.hc.core5.http.io.entity;HttpEntities;true;create;;;Argument[0];ReturnValue;taint",
         "org.apache.hc.core5.http.io.entity;HttpEntities;true;createGzipped;;;Argument[0];ReturnValue;taint",
         "org.apache.hc.core5.http.io.entity;HttpEntities;true;createUrlEncoded;;;Argument[0];ReturnValue;taint",
diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
index 670014e0f8f..ab411c5ce48 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
@@ -94,29 +94,33 @@ private class ApacheStringUtilsModel extends SummaryModelCsv {
         "org.apache.commons.lang3;StringUtils;false;defaultString;;;Argument[0..1];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;deleteWhitespace;;;Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;difference;;;Argument[0..1];ReturnValue;taint",
-        "org.apache.commons.lang3;StringUtils;false;firstNonBlank;;;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3;StringUtils;false;firstNonEmpty;;;Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;firstNonBlank;;;ArrayElement of Argument[0];ReturnValue;value",
+        "org.apache.commons.lang3;StringUtils;false;firstNonEmpty;;;ArrayElement of Argument[0];ReturnValue;value",
         "org.apache.commons.lang3;StringUtils;false;getBytes;;;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3;StringUtils;false;getCommonPrefix;;;Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;getCommonPrefix;;;ArrayElement of Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;getDigits;;;Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;getIfBlank;;;Argument[0..1];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;getIfEmpty;;;Argument[0..1];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;join;(char[],char);;Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;join;(char[],char,int,int);;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3;StringUtils;false;join;(java.lang.Iterable,char);;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3;StringUtils;false;join;(java.lang.Iterable,java.lang.String);;Argument[0..1];ReturnValue;taint",
-        "org.apache.commons.lang3;StringUtils;false;join;(java.lang.Object[]);;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3;StringUtils;false;join;(java.lang.Object[],char);;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3;StringUtils;false;join;(java.lang.Object[],char,int,int);;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3;StringUtils;false;join;(java.lang.Object[],java.lang.String);;Argument[0..1];ReturnValue;taint",
-        "org.apache.commons.lang3;StringUtils;false;join;(java.lang.Object[],java.lang.String,int,int);;Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;join;(java.lang.Iterable,char);;Element of Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;join;(java.lang.Iterable,java.lang.String);;Element of Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;join;(java.lang.Iterable,java.lang.String);;Argument[1];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;join;(java.lang.Object[]);;ArrayElement of Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;join;(java.lang.Object[],char);;ArrayElement of Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;join;(java.lang.Object[],char,int,int);;ArrayElement of Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;join;(java.lang.Object[],java.lang.String);;ArrayElement of Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;join;(java.lang.Object[],java.lang.String);;Argument[1];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;join;(java.lang.Object[],java.lang.String,int,int);;ArrayElement of Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;join;(java.lang.Object[],java.lang.String,int,int);;Argument[1];ReturnValue;taint",
-        "org.apache.commons.lang3;StringUtils;false;join;(java.util.Iterator,char);;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3;StringUtils;false;join;(java.util.Iterator,java.lang.String);;Argument[0..1];ReturnValue;taint",
-        "org.apache.commons.lang3;StringUtils;false;join;(java.util.List,char,int,int);;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3;StringUtils;false;join;(java.util.List,java.lang.String,int,int);;Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;join;(java.util.Iterator,char);;Element of Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;join;(java.util.Iterator,java.lang.String);;Element of Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;join;(java.util.Iterator,java.lang.String);;Argument[1];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;join;(java.util.List,char,int,int);;Element of Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;join;(java.util.List,java.lang.String,int,int);;Element of Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;join;(java.util.List,java.lang.String,int,int);;Argument[1];ReturnValue;taint",
-        "org.apache.commons.lang3;StringUtils;false;joinWith;;;Argument[0..1];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;joinWith;;;Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;joinWith;;;ArrayElement of Argument[1];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;left;;;Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;leftPad;(java.lang.String,int,java.lang.String);;Argument[2];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;leftPad;;;Argument[0];ReturnValue;taint",
@@ -148,9 +152,9 @@ private class ApacheStringUtilsModel extends SummaryModelCsv {
         "org.apache.commons.lang3;StringUtils;false;replaceChars;(java.lang.String,java.lang.String,java.lang.String);;Argument[2];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;replaceChars;;;Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;replaceEach;;;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3;StringUtils;false;replaceEach;;;Argument[2];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;replaceEach;;;ArrayElement of Argument[2];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;replaceEachRepeatedly;;;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3;StringUtils;false;replaceEachRepeatedly;;;Argument[2];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;replaceEachRepeatedly;;;ArrayElement of Argument[2];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;replaceFirst;;;Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;replaceFirst;;;Argument[2];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;replaceIgnoreCase;;;Argument[0];ReturnValue;taint",
@@ -182,7 +186,7 @@ private class ApacheStringUtilsModel extends SummaryModelCsv {
         "org.apache.commons.lang3;StringUtils;false;strip;(java.lang.String);;Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;strip;(java.lang.String,java.lang.String);;Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;stripAccents;;;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3;StringUtils;false;stripAll;;;Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3;StringUtils;false;stripAll;;;ArrayElement of Argument[0];ArrayElement of ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;stripEnd;;;Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;stripStart;;;Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3;StringUtils;false;stripToEmpty;;;Argument[0];ReturnValue;taint",
@@ -229,7 +233,8 @@ private class ApacheStrBuilderModel extends SummaryModelCsv {
         "org.apache.commons.lang3.text;StrBuilder;false;append;(java.lang.Object);;Argument[0];Argument[-1];taint",
         "org.apache.commons.lang3.text;StrBuilder;false;append;(java.lang.String);;Argument[0];Argument[-1];taint",
         "org.apache.commons.lang3.text;StrBuilder;false;append;(java.lang.String,int,int);;Argument[0];Argument[-1];taint",
-        "org.apache.commons.lang3.text;StrBuilder;false;append;(java.lang.String,java.lang.Object[]);;Argument[0..1];Argument[-1];taint",
+        "org.apache.commons.lang3.text;StrBuilder;false;append;(java.lang.String,java.lang.Object[]);;Argument[0];Argument[-1];taint",
+        "org.apache.commons.lang3.text;StrBuilder;false;append;(java.lang.String,java.lang.Object[]);;ArrayElement of Argument[1];Argument[-1];taint",
         "org.apache.commons.lang3.text;StrBuilder;false;append;(java.lang.StringBuffer);;Argument[0];Argument[-1];taint",
         "org.apache.commons.lang3.text;StrBuilder;false;append;(java.lang.StringBuffer,int,int);;Argument[0];Argument[-1];taint",
         "org.apache.commons.lang3.text;StrBuilder;false;append;(java.lang.StringBuilder);;Argument[0];Argument[-1];taint",
@@ -238,7 +243,9 @@ private class ApacheStrBuilderModel extends SummaryModelCsv {
         "org.apache.commons.lang3.text;StrBuilder;false;append;(java.nio.CharBuffer,int,int);;Argument[0];Argument[-1];taint",
         "org.apache.commons.lang3.text;StrBuilder;false;append;(org.apache.commons.lang3.text.StrBuilder);;Argument[0];Argument[-1];taint",
         "org.apache.commons.lang3.text;StrBuilder;false;append;;;Argument[-1];ReturnValue;taint",
-        "org.apache.commons.lang3.text;StrBuilder;false;appendAll;;;Argument[0];Argument[-1];taint",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendAll;(Iterable);;Element of Argument[0];Argument[-1];taint",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendAll;(Iterator);;Element of Argument[0];Argument[-1];taint",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendAll;(Object[]);;ArrayElement of Argument[0];Argument[-1];taint",
         "org.apache.commons.lang3.text;StrBuilder;false;appendAll;;;Argument[-1];ReturnValue;taint",
         "org.apache.commons.lang3.text;StrBuilder;false;appendFixedWidthPadLeft;;;Argument[-1];ReturnValue;taint",
         "org.apache.commons.lang3.text;StrBuilder;false;appendFixedWidthPadLeft;;;Argument[0];Argument[-1];taint",
@@ -249,14 +256,18 @@ private class ApacheStrBuilderModel extends SummaryModelCsv {
         "org.apache.commons.lang3.text;StrBuilder;false;appendSeparator;(java.lang.String,java.lang.String);;Argument[0..1];Argument[-1];taint",
         "org.apache.commons.lang3.text;StrBuilder;false;appendSeparator;;;Argument[-1];ReturnValue;taint",
         "org.apache.commons.lang3.text;StrBuilder;false;appendTo;;;Argument[-1];Argument[0];taint",
-        "org.apache.commons.lang3.text;StrBuilder;false;appendWithSeparators;;;Argument[0..1];Argument[-1];taint",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendWithSeparators;(Iterable,String);;Element of Argument[0];Argument[-1];taint",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendWithSeparators;(Iterator,String);;Element of Argument[0];Argument[-1];taint",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendWithSeparators;(Object[],String);;ArrayElement of Argument[0];Argument[-1];taint",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendWithSeparators;;;Argument[1];Argument[-1];taint",
         "org.apache.commons.lang3.text;StrBuilder;false;appendWithSeparators;;;Argument[-1];ReturnValue;taint",
         "org.apache.commons.lang3.text;StrBuilder;false;appendln;(char[]);;Argument[0];Argument[-1];taint",
         "org.apache.commons.lang3.text;StrBuilder;false;appendln;(char[],int,int);;Argument[0];Argument[-1];taint",
         "org.apache.commons.lang3.text;StrBuilder;false;appendln;(java.lang.Object);;Argument[0];Argument[-1];taint",
         "org.apache.commons.lang3.text;StrBuilder;false;appendln;(java.lang.String);;Argument[0];Argument[-1];taint",
         "org.apache.commons.lang3.text;StrBuilder;false;appendln;(java.lang.String,int,int);;Argument[0];Argument[-1];taint",
-        "org.apache.commons.lang3.text;StrBuilder;false;appendln;(java.lang.String,java.lang.Object[]);;Argument[0..1];Argument[-1];taint",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendln;(java.lang.String,java.lang.Object[]);;Argument[0];Argument[-1];taint",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendln;(java.lang.String,java.lang.Object[]);;ArrayElement of Argument[1];Argument[-1];taint",
         "org.apache.commons.lang3.text;StrBuilder;false;appendln;(java.lang.StringBuffer);;Argument[0];Argument[-1];taint",
         "org.apache.commons.lang3.text;StrBuilder;false;appendln;(java.lang.StringBuffer,int,int);;Argument[0];Argument[-1];taint",
         "org.apache.commons.lang3.text;StrBuilder;false;appendln;(java.lang.StringBuilder);;Argument[0];Argument[-1];taint",
@@ -296,7 +307,8 @@ private class ApacheStrBuilderModel extends SummaryModelCsv {
         "org.apache.commons.text;StrBuilder;false;append;(java.lang.Object);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;StrBuilder;false;append;(java.lang.String);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;StrBuilder;false;append;(java.lang.String,int,int);;Argument[0];Argument[-1];taint",
-        "org.apache.commons.text;StrBuilder;false;append;(java.lang.String,java.lang.Object[]);;Argument[0..1];Argument[-1];taint",
+        "org.apache.commons.text;StrBuilder;false;append;(java.lang.String,java.lang.Object[]);;Argument[0];Argument[-1];taint",
+        "org.apache.commons.text;StrBuilder;false;append;(java.lang.String,java.lang.Object[]);;ArrayElement of Argument[1];Argument[-1];taint",
         "org.apache.commons.text;StrBuilder;false;append;(java.lang.StringBuffer);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;StrBuilder;false;append;(java.lang.StringBuffer,int,int);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;StrBuilder;false;append;(java.lang.StringBuilder);;Argument[0];Argument[-1];taint",
@@ -305,7 +317,9 @@ private class ApacheStrBuilderModel extends SummaryModelCsv {
         "org.apache.commons.text;StrBuilder;false;append;(java.nio.CharBuffer,int,int);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;StrBuilder;false;append;(org.apache.commons.text.StrBuilder);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;StrBuilder;false;append;;;Argument[-1];ReturnValue;taint",
-        "org.apache.commons.text;StrBuilder;false;appendAll;;;Argument[0];Argument[-1];taint",
+        "org.apache.commons.text;StrBuilder;false;appendAll;(Iterable);;Element of Argument[0];Argument[-1];taint",
+        "org.apache.commons.text;StrBuilder;false;appendAll;(Iterator);;Element of Argument[0];Argument[-1];taint",
+        "org.apache.commons.text;StrBuilder;false;appendAll;(Object[]);;ArrayElement of Argument[0];Argument[-1];taint",
         "org.apache.commons.text;StrBuilder;false;appendAll;;;Argument[-1];ReturnValue;taint",
         "org.apache.commons.text;StrBuilder;false;appendFixedWidthPadLeft;;;Argument[-1];ReturnValue;taint",
         "org.apache.commons.text;StrBuilder;false;appendFixedWidthPadLeft;;;Argument[0];Argument[-1];taint",
@@ -316,14 +330,18 @@ private class ApacheStrBuilderModel extends SummaryModelCsv {
         "org.apache.commons.text;StrBuilder;false;appendSeparator;(java.lang.String,java.lang.String);;Argument[0..1];Argument[-1];taint",
         "org.apache.commons.text;StrBuilder;false;appendSeparator;;;Argument[-1];ReturnValue;taint",
         "org.apache.commons.text;StrBuilder;false;appendTo;;;Argument[-1];Argument[0];taint",
-        "org.apache.commons.text;StrBuilder;false;appendWithSeparators;;;Argument[0..1];Argument[-1];taint",
+        "org.apache.commons.text;StrBuilder;false;appendWithSeparators;(Iterable,String);;Element of Argument[0];Argument[-1];taint",
+        "org.apache.commons.text;StrBuilder;false;appendWithSeparators;(Iterator,String);;Element of Argument[0];Argument[-1];taint",
+        "org.apache.commons.text;StrBuilder;false;appendWithSeparators;(Object[],String);;ArrayElement of Argument[0];Argument[-1];taint",
+        "org.apache.commons.text;StrBuilder;false;appendWithSeparators;;;Argument[1];Argument[-1];taint",
         "org.apache.commons.text;StrBuilder;false;appendWithSeparators;;;Argument[-1];ReturnValue;taint",
         "org.apache.commons.text;StrBuilder;false;appendln;(char[]);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;StrBuilder;false;appendln;(char[],int,int);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;StrBuilder;false;appendln;(java.lang.Object);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;StrBuilder;false;appendln;(java.lang.String);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;StrBuilder;false;appendln;(java.lang.String,int,int);;Argument[0];Argument[-1];taint",
-        "org.apache.commons.text;StrBuilder;false;appendln;(java.lang.String,java.lang.Object[]);;Argument[0..1];Argument[-1];taint",
+        "org.apache.commons.text;StrBuilder;false;appendln;(java.lang.String,java.lang.Object[]);;Argument[0];Argument[-1];taint",
+        "org.apache.commons.text;StrBuilder;false;appendln;(java.lang.String,java.lang.Object[]);;ArrayElement of Argument[1];Argument[-1];taint",
         "org.apache.commons.text;StrBuilder;false;appendln;(java.lang.StringBuffer);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;StrBuilder;false;appendln;(java.lang.StringBuffer,int,int);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;StrBuilder;false;appendln;(java.lang.StringBuilder);;Argument[0];Argument[-1];taint",
@@ -364,7 +382,8 @@ private class ApacheStrBuilderModel extends SummaryModelCsv {
         "org.apache.commons.text;TextStringBuilder;false;append;(java.lang.Object);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;TextStringBuilder;false;append;(java.lang.String);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;TextStringBuilder;false;append;(java.lang.String,int,int);;Argument[0];Argument[-1];taint",
-        "org.apache.commons.text;TextStringBuilder;false;append;(java.lang.String,java.lang.Object[]);;Argument[0..1];Argument[-1];taint",
+        "org.apache.commons.text;TextStringBuilder;false;append;(java.lang.String,java.lang.Object[]);;Argument[0];Argument[-1];taint",
+        "org.apache.commons.text;TextStringBuilder;false;append;(java.lang.String,java.lang.Object[]);;ArrayElement of Argument[1];Argument[-1];taint",
         "org.apache.commons.text;TextStringBuilder;false;append;(java.lang.StringBuffer);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;TextStringBuilder;false;append;(java.lang.StringBuffer,int,int);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;TextStringBuilder;false;append;(java.lang.StringBuilder);;Argument[0];Argument[-1];taint",
@@ -373,7 +392,9 @@ private class ApacheStrBuilderModel extends SummaryModelCsv {
         "org.apache.commons.text;TextStringBuilder;false;append;(java.nio.CharBuffer,int,int);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;TextStringBuilder;false;append;(org.apache.commons.text.TextStringBuilder);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;TextStringBuilder;false;append;;;Argument[-1];ReturnValue;taint",
-        "org.apache.commons.text;TextStringBuilder;false;appendAll;;;Argument[0];Argument[-1];taint",
+        "org.apache.commons.text;TextStringBuilder;false;appendAll;(Iterable);;Element of Argument[0];Argument[-1];taint",
+        "org.apache.commons.text;TextStringBuilder;false;appendAll;(Iterator);;Element of Argument[0];Argument[-1];taint",
+        "org.apache.commons.text;TextStringBuilder;false;appendAll;(Object[]);;ArrayElement of Argument[0];Argument[-1];taint",
         "org.apache.commons.text;TextStringBuilder;false;appendAll;;;Argument[-1];ReturnValue;taint",
         "org.apache.commons.text;TextStringBuilder;false;appendFixedWidthPadLeft;;;Argument[-1];ReturnValue;taint",
         "org.apache.commons.text;TextStringBuilder;false;appendFixedWidthPadLeft;;;Argument[0];Argument[-1];taint",
@@ -384,14 +405,18 @@ private class ApacheStrBuilderModel extends SummaryModelCsv {
         "org.apache.commons.text;TextStringBuilder;false;appendSeparator;(java.lang.String,java.lang.String);;Argument[0..1];Argument[-1];taint",
         "org.apache.commons.text;TextStringBuilder;false;appendSeparator;;;Argument[-1];ReturnValue;taint",
         "org.apache.commons.text;TextStringBuilder;false;appendTo;;;Argument[-1];Argument[0];taint",
-        "org.apache.commons.text;TextStringBuilder;false;appendWithSeparators;;;Argument[0..1];Argument[-1];taint",
+        "org.apache.commons.text;TextStringBuilder;false;appendWithSeparators;(Iterable,String);;Element of Argument[0];Argument[-1];taint",
+        "org.apache.commons.text;TextStringBuilder;false;appendWithSeparators;(Iterator,String);;Element of Argument[0];Argument[-1];taint",
+        "org.apache.commons.text;TextStringBuilder;false;appendWithSeparators;(Object[],String);;ArrayElement of Argument[0];Argument[-1];taint",
+        "org.apache.commons.text;TextStringBuilder;false;appendWithSeparators;;;Argument[1];Argument[-1];taint",
         "org.apache.commons.text;TextStringBuilder;false;appendWithSeparators;;;Argument[-1];ReturnValue;taint",
         "org.apache.commons.text;TextStringBuilder;false;appendln;(char[]);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;TextStringBuilder;false;appendln;(char[],int,int);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;TextStringBuilder;false;appendln;(java.lang.Object);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;TextStringBuilder;false;appendln;(java.lang.String);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;TextStringBuilder;false;appendln;(java.lang.String,int,int);;Argument[0];Argument[-1];taint",
-        "org.apache.commons.text;TextStringBuilder;false;appendln;(java.lang.String,java.lang.Object[]);;Argument[0..1];Argument[-1];taint",
+        "org.apache.commons.text;TextStringBuilder;false;appendln;(java.lang.String,java.lang.Object[]);;Argument[0];Argument[-1];taint",
+        "org.apache.commons.text;TextStringBuilder;false;appendln;(java.lang.String,java.lang.Object[]);;ArrayElement of Argument[1];Argument[-1];taint",
         "org.apache.commons.text;TextStringBuilder;false;appendln;(java.lang.StringBuffer);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;TextStringBuilder;false;appendln;(java.lang.StringBuffer,int,int);;Argument[0];Argument[-1];taint",
         "org.apache.commons.text;TextStringBuilder;false;appendln;(java.lang.StringBuilder);;Argument[0];Argument[-1];taint",
@@ -525,9 +550,9 @@ private class ApacheStrLookupModel extends SummaryModelCsv {
     row =
       [
         "org.apache.commons.lang3.text;StrLookup;false;lookup;;;Argument[-1];ReturnValue;taint",
-        "org.apache.commons.lang3.text;StrLookup;false;mapLookup;;;Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3.text;StrLookup;false;mapLookup;;;MapValue of Argument[0];ReturnValue;taint",
         "org.apache.commons.text.lookup;StringLookup;true;lookup;;;Argument[-1];ReturnValue;taint",
-        "org.apache.commons.text.lookup;StringLookupFactory;false;mapStringLookup;;;Argument[0];ReturnValue;taint"
+        "org.apache.commons.text.lookup;StringLookupFactory;false;mapStringLookup;;;MapValue of Argument[0];ReturnValue;taint"
       ]
   }
 }
@@ -540,6 +565,7 @@ private class ApacheStrSubstitutorModel extends SummaryModelCsv {
     row =
       [
         "org.apache.commons.lang3.text;StrSubstitutor;false;StrSubstitutor;;;Argument[0];Argument[-1];taint",
+        "org.apache.commons.lang3.text;StrSubstitutor;false;StrSubstitutor;;;MapValue of Argument[0];Argument[-1];taint",
         "org.apache.commons.lang3.text;StrSubstitutor;false;replace;;;Argument[-1];ReturnValue;taint",
         "org.apache.commons.lang3.text;StrSubstitutor;false;replace;(java.lang.Object);;Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3.text;StrSubstitutor;false;replace;(char[]);;Argument[0];ReturnValue;taint",
@@ -552,10 +578,12 @@ private class ApacheStrSubstitutorModel extends SummaryModelCsv {
         "org.apache.commons.lang3.text;StrSubstitutor;false;replace;(java.lang.StringBuffer,int,int);;Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3.text;StrSubstitutor;false;replace;(java.lang.String,int,int);;Argument[0];ReturnValue;taint",
         "org.apache.commons.lang3.text;StrSubstitutor;false;replace;(org.apache.commons.lang3.text.StrBuilder,int,int);;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3.text;StrSubstitutor;false;replace;(java.lang.Object,java.util.Map);;Argument[0..1];ReturnValue;taint",
+        "org.apache.commons.lang3.text;StrSubstitutor;false;replace;(java.lang.Object,java.util.Map);;Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3.text;StrSubstitutor;false;replace;(java.lang.Object,java.util.Map);;MapValue of Argument[1];ReturnValue;taint",
         "org.apache.commons.lang3.text;StrSubstitutor;false;replace;(java.lang.Object,java.util.Map,java.lang.String,java.lang.String);;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3.text;StrSubstitutor;false;replace;(java.lang.Object,java.util.Map,java.lang.String,java.lang.String);;Argument[1];ReturnValue;taint",
-        "org.apache.commons.lang3.text;StrSubstitutor;false;replace;(java.lang.Object,java.util.Properties);;Argument[0..1];ReturnValue;taint",
+        "org.apache.commons.lang3.text;StrSubstitutor;false;replace;(java.lang.Object,java.util.Map,java.lang.String,java.lang.String);;MapValue of Argument[1];ReturnValue;taint",
+        "org.apache.commons.lang3.text;StrSubstitutor;false;replace;(java.lang.Object,java.util.Properties);;Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3.text;StrSubstitutor;false;replace;(java.lang.Object,java.util.Properties);;MapValue of Argument[1];ReturnValue;taint",
         "org.apache.commons.lang3.text;StrSubstitutor;false;setVariableResolver;;;Argument[0];Argument[-1];taint",
         "org.apache.commons.lang3.text;StrSubstitutor;false;replaceIn;(org.apache.commons.lang3.text.StrBuilder);;Argument[-1];Argument[0];taint",
         "org.apache.commons.lang3.text;StrSubstitutor;false;replaceIn;(java.lang.StringBuffer);;Argument[-1];Argument[0];taint",
@@ -564,6 +592,7 @@ private class ApacheStrSubstitutorModel extends SummaryModelCsv {
         "org.apache.commons.lang3.text;StrSubstitutor;false;replaceIn;(java.lang.StringBuilder,int,int);;Argument[-1];Argument[0];taint",
         "org.apache.commons.lang3.text;StrSubstitutor;false;replaceIn;(org.apache.commons.lang3.text.StrBuilder,int,int);;Argument[-1];Argument[0];taint",
         "org.apache.commons.text;StringSubstitutor;false;StringSubstitutor;;;Argument[0];Argument[-1];taint",
+        "org.apache.commons.text;StringSubstitutor;false;StringSubstitutor;;;MapValue of Argument[0];Argument[-1];taint",
         "org.apache.commons.text;StringSubstitutor;false;replace;;;Argument[-1];ReturnValue;taint",
         "org.apache.commons.text;StringSubstitutor;false;replace;(java.lang.Object);;Argument[0];ReturnValue;taint",
         "org.apache.commons.text;StringSubstitutor;false;replace;(char[]);;Argument[0];ReturnValue;taint",
@@ -574,10 +603,12 @@ private class ApacheStrSubstitutorModel extends SummaryModelCsv {
         "org.apache.commons.text;StringSubstitutor;false;replace;(java.lang.StringBuffer);;Argument[0];ReturnValue;taint",
         "org.apache.commons.text;StringSubstitutor;false;replace;(java.lang.StringBuffer,int,int);;Argument[0];ReturnValue;taint",
         "org.apache.commons.text;StringSubstitutor;false;replace;(java.lang.String,int,int);;Argument[0];ReturnValue;taint",
-        "org.apache.commons.text;StringSubstitutor;false;replace;(java.lang.Object,java.util.Map);;Argument[0..1];ReturnValue;taint",
+        "org.apache.commons.text;StringSubstitutor;false;replace;(java.lang.Object,java.util.Map);;Argument[0];ReturnValue;taint",
+        "org.apache.commons.text;StringSubstitutor;false;replace;(java.lang.Object,java.util.Map);;MapValue of Argument[1];ReturnValue;taint",
         "org.apache.commons.text;StringSubstitutor;false;replace;(java.lang.Object,java.util.Map,java.lang.String,java.lang.String);;Argument[0];ReturnValue;taint",
-        "org.apache.commons.text;StringSubstitutor;false;replace;(java.lang.Object,java.util.Map,java.lang.String,java.lang.String);;Argument[1];ReturnValue;taint",
-        "org.apache.commons.text;StringSubstitutor;false;replace;(java.lang.Object,java.util.Properties);;Argument[0..1];ReturnValue;taint",
+        "org.apache.commons.text;StringSubstitutor;false;replace;(java.lang.Object,java.util.Map,java.lang.String,java.lang.String);;MapValue of Argument[1];ReturnValue;taint",
+        "org.apache.commons.text;StringSubstitutor;false;replace;(java.lang.Object,java.util.Properties);;Argument[0];ReturnValue;taint",
+        "org.apache.commons.text;StringSubstitutor;false;replace;(java.lang.Object,java.util.Properties);;MapValue of Argument[1];ReturnValue;taint",
         "org.apache.commons.text;StringSubstitutor;false;replace;(org.apache.commons.text.TextStringBuilder);;Argument[0];ReturnValue;taint",
         "org.apache.commons.text;StringSubstitutor;false;replace;(org.apache.commons.text.TextStringBuilder,int,int);;Argument[0];ReturnValue;taint",
         "org.apache.commons.text;StringSubstitutor;false;setVariableResolver;;;Argument[0];Argument[-1];taint",
diff --git a/java/ql/src/semmle/code/java/frameworks/guava/Base.qll b/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
index 04a97f79f53..fc1ee0e6cb7 100644
--- a/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
+++ b/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
@@ -30,7 +30,13 @@ private class GuavaBaseCsv extends SummaryModelCsv {
         "com.google.common.base;Joiner$MapJoiner;false;useForNull;(String);;Argument[-1];ReturnValue;taint",
         "com.google.common.base;Joiner$MapJoiner;false;appendTo;;;Argument[1];Argument[0];taint",
         "com.google.common.base;Joiner$MapJoiner;false;appendTo;;;Argument[0];ReturnValue;value",
-        "com.google.common.base;Joiner$MapJoiner;false;join;;;Argument[-1..0];ReturnValue;taint",
+        "com.google.common.base;Joiner$MapJoiner;false;join;;;Argument[-1];ReturnValue;taint",
+        "com.google.common.base;Joiner$MapJoiner;false;join;(Iterable);;MapKey of Element of Argument[0];ReturnValue;taint",
+        "com.google.common.base;Joiner$MapJoiner;false;join;(Iterable);;MapValue of Element of Argument[0];ReturnValue;taint",
+        "com.google.common.base;Joiner$MapJoiner;false;join;(Iterator);;MapKey of Element of Argument[0];ReturnValue;taint",
+        "com.google.common.base;Joiner$MapJoiner;false;join;(Iterator);;MapValue of Element of Argument[0];ReturnValue;taint",
+        "com.google.common.base;Joiner$MapJoiner;false;join;(Map);;MapKey of Argument[0];ReturnValue;taint",
+        "com.google.common.base;Joiner$MapJoiner;false;join;(Map);;MapValue of Argument[0];ReturnValue;taint",
         "com.google.common.base;Splitter;false;split;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Splitter;false;splitToList;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Splitter;false;splitToStream;(CharSequence);;Argument[0];ReturnValue;taint",
diff --git a/java/ql/src/semmle/code/java/frameworks/guava/IO.qll b/java/ql/src/semmle/code/java/frameworks/guava/IO.qll
index fac9ab9d48d..305b4fbcfb7 100644
--- a/java/ql/src/semmle/code/java/frameworks/guava/IO.qll
+++ b/java/ql/src/semmle/code/java/frameworks/guava/IO.qll
@@ -24,7 +24,9 @@ private class GuavaIoCsv extends SummaryModelCsv {
         "com.google.common.io;BaseEncoding;true;omitPadding;();;Argument[-1];ReturnValue;taint",
         "com.google.common.io;BaseEncoding;true;encode;(byte[],int,int);;Argument[-1];ReturnValue;taint",
         "com.google.common.io;ByteSource;true;asCharSource;(Charset);;Argument[-1];ReturnValue;taint",
-        "com.google.common.io;ByteSource;true;concat;;;Argument[0];ReturnValue;taint",
+        "com.google.common.io;ByteSource;true;concat;(ByteSource[]);;ArrayElement of Argument[0];ReturnValue;taint",
+        "com.google.common.io;ByteSource;true;concat;(Iterable);;Element of Argument[0];ReturnValue;taint",
+        "com.google.common.io;ByteSource;true;concat;(Iterator);;Element of Argument[0];ReturnValue;taint",
         "com.google.common.io;ByteSource;true;copyTo;(OutputStream);;Argument[-1];Argument[0];taint",
         "com.google.common.io;ByteSource;true;openStream;();;Argument[-1];ReturnValue;taint",
         "com.google.common.io;ByteSource;true;openBufferedStream;();;Argument[-1];ReturnValue;taint",
@@ -43,7 +45,9 @@ private class GuavaIoCsv extends SummaryModelCsv {
         "com.google.common.io;ByteStreams;false;readFully;(InputStream,byte[],int,int);;Argument[0];Argument[1];taint",
         "com.google.common.io;ByteStreams;false;toByteArray;(InputStream);;Argument[0];ReturnValue;taint",
         "com.google.common.io;CharSource;true;asByteSource;(Charset);;Argument[-1];ReturnValue;taint",
-        "com.google.common.io;CharSource;true;concat;;;Argument[0];ReturnValue;taint",
+        "com.google.common.io;CharSource;true;concat;(CharSource[]);;ArrayElement of Argument[0];ReturnValue;taint",
+        "com.google.common.io;CharSource;true;concat;(Iterable);;Element of Argument[0];ReturnValue;taint",
+        "com.google.common.io;CharSource;true;concat;(Iterator);;Element of Argument[0];ReturnValue;taint",
         "com.google.common.io;CharSource;true;copyTo;(Appendable);;Argument[-1];Argument[0];taint",
         "com.google.common.io;CharSource;true;openStream;();;Argument[-1];ReturnValue;taint",
         "com.google.common.io;CharSource;true;openBufferedStream;();;Argument[-1];ReturnValue;taint",

From 2f087e17cb1b328a87c2ea998bf1cdf4f052e663 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Wed, 5 May 2021 15:07:31 +0200
Subject: [PATCH 1243/1429] Java: Allow <> in types for now.

---
 java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 34fa8d66dd3..d4b2c917148 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -481,7 +481,7 @@ module CsvValidation {
       not namespace.regexpMatch("[a-zA-Z0-9_\\.]+") and
       msg = "Dubious namespace \"" + namespace + "\" in " + pred + " model."
       or
-      not type.regexpMatch("[a-zA-Z0-9_\\$]+") and
+      not type.regexpMatch("[a-zA-Z0-9_\\$<>]+") and
       msg = "Dubious type \"" + type + "\" in " + pred + " model."
       or
       not name.regexpMatch("[a-zA-Z0-9_]*") and

From a40880af70524e581811eb87b40b9e3d00e27dd6 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Wed, 19 May 2021 10:45:54 +0200
Subject: [PATCH 1244/1429] Java: Add read-as-taint and config-dependent
 store-as-taint.

---
 .../dataflow/internal/TaintTrackingUtil.qll   | 86 +++++++++++++++++++
 1 file changed, 86 insertions(+)

diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index 079d61809db..719b89fbf2a 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -60,6 +60,17 @@ private module Cached {
     localAdditionalTaintUpdateStep(src.asExpr(),
       sink.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr())
     or
+    exists(Content f |
+      readStep(src, f, sink) and
+      not sink.getTypeBound() instanceof PrimitiveType and
+      not sink.getTypeBound() instanceof BoxedType and
+      not sink.getTypeBound() instanceof NumberType
+    |
+      f instanceof ArrayContent or
+      f instanceof CollectionContent or
+      f instanceof MapValueContent
+    )
+    or
     FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, false)
   }
 
@@ -87,6 +98,81 @@ private module Cached {
 
 import Cached
 
+private module StoreTaintSteps {
+  private import semmle.code.java.dataflow.TaintTracking
+  private import semmle.code.java.dataflow.TaintTracking2
+
+  private class StoreTaintConfig extends TaintTracking::Configuration {
+    StoreTaintConfig() { this instanceof TaintTracking::Configuration or none() }
+
+    override predicate isSource(DataFlow::Node n) { none() }
+
+    override predicate isSink(DataFlow::Node n) { none() }
+
+    private predicate needsTaintStore(RefType container, Type elem, Content f) {
+      exists(DataFlow::Node arg |
+        (isSink(arg) or isAdditionalTaintStep(arg, _)) and
+        (arg.asExpr() instanceof Argument or arg instanceof ArgumentNode) and
+        arg.getType() = container
+        or
+        needsTaintStore(_, container, _)
+      |
+        container.(Array).getComponentType() = elem and
+        f instanceof ArrayContent
+        or
+        container.(CollectionType).getElementType() = elem and
+        f instanceof CollectionContent
+        or
+        container.(MapType).getValueType() = elem and
+        f instanceof MapValueContent
+      )
+    }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+      exists(Content f, Type elem |
+        storeStep(node1, f, node2) and
+        needsTaintStore(_, elem, f) and
+        not exists(Type srctyp | srctyp = node1.getTypeBound() | not compatibleTypes(srctyp, elem))
+      )
+    }
+  }
+
+  private class StoreTaintConfig2 extends TaintTracking2::Configuration {
+    StoreTaintConfig2() { this instanceof TaintTracking2::Configuration or none() }
+
+    override predicate isSource(DataFlow::Node n) { none() }
+
+    override predicate isSink(DataFlow::Node n) { none() }
+
+    private predicate needsTaintStore(RefType container, Type elem, Content f) {
+      exists(DataFlow::Node arg |
+        (isSink(arg) or isAdditionalTaintStep(arg, _)) and
+        (arg.asExpr() instanceof Argument or arg instanceof ArgumentNode) and
+        arg.getType() = container
+        or
+        needsTaintStore(_, container, _)
+      |
+        container.(Array).getComponentType() = elem and
+        f instanceof ArrayContent
+        or
+        container.(CollectionType).getElementType() = elem and
+        f instanceof CollectionContent
+        or
+        container.(MapType).getValueType() = elem and
+        f instanceof MapValueContent
+      )
+    }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+      exists(Content f, Type elem |
+        storeStep(node1, f, node2) and
+        needsTaintStore(_, elem, f) and
+        not exists(Type srctyp | srctyp = node1.getTypeBound() | not compatibleTypes(srctyp, elem))
+      )
+    }
+  }
+}
+
 /**
  * Holds if taint can flow in one local step from `src` to `sink` excluding
  * local data flow steps. That is, `src` and `sink` are likely to represent

From 43d1b0ab273f5b5aea3942174839d60a2b1a3c9f Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Tue, 4 May 2021 10:48:43 +0200
Subject: [PATCH 1245/1429] Java: Update qltests.

---
 ...ientSuppliedIpUsedInSecurityCheck.expected |  3 ++
 .../CWE-522/InsecureLdapAuth.expected         | 40 +++++++++++++++++++
 .../CWE-598/SensitiveGetQuery.expected        |  6 ++-
 .../CWE-927/SensitiveBroadcast.expected       |  4 +-
 .../dataflow/collections/flow.expected        |  3 --
 .../library-tests/dataflow/getter/getter.ql   |  7 +++-
 .../localAdditionalTaintStep.expected         | 19 +++++----
 .../localAdditionalTaintStep.ql               | 28 ++++++++++++-
 .../dataflow/taint-ioutils/Test.java          | 10 +++--
 .../dataflow/taint-ioutils/dataFlow.expected  |  8 +---
 .../dataflow/taint/test.expected              |  1 -
 .../apache-commons-lang3/ObjectUtilsTest.java | 30 +++++++-------
 .../frameworks/apache-commons-lang3/Test.java | 14 +++----
 .../frameworks/guava/TestBase.java            |  2 +-
 .../CWE-078/ExecTaintedLocal.expected         |  6 ++-
 15 files changed, 128 insertions(+), 53 deletions(-)

diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected b/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected
index 5627f9541f1..160654628fe 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.expected
@@ -1,7 +1,9 @@
 edges
 | ClientSuppliedIpUsedInSecurityCheck.java:16:21:16:33 | getClientIP(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:17:37:17:38 | ip |
 | ClientSuppliedIpUsedInSecurityCheck.java:24:21:24:33 | getClientIP(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:25:33:25:34 | ip |
+| ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:34 | split(...) : String[] |
 | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:37 | ...[...] : String |
+| ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:34 | split(...) : String[] | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:37 | ...[...] : String |
 | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:37 | ...[...] : String | ClientSuppliedIpUsedInSecurityCheck.java:16:21:16:33 | getClientIP(...) : String |
 | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:37 | ...[...] : String | ClientSuppliedIpUsedInSecurityCheck.java:24:21:24:33 | getClientIP(...) : String |
 nodes
@@ -10,6 +12,7 @@ nodes
 | ClientSuppliedIpUsedInSecurityCheck.java:24:21:24:33 | getClientIP(...) : String | semmle.label | getClientIP(...) : String |
 | ClientSuppliedIpUsedInSecurityCheck.java:25:33:25:34 | ip | semmle.label | ip |
 | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:34 | split(...) : String[] | semmle.label | split(...) : String[] |
 | ClientSuppliedIpUsedInSecurityCheck.java:47:16:47:37 | ...[...] : String | semmle.label | ...[...] : String |
 #select
 | ClientSuppliedIpUsedInSecurityCheck.java:17:37:17:38 | ip | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) : String | ClientSuppliedIpUsedInSecurityCheck.java:17:37:17:38 | ip | IP address spoofing might include code from $@. | ClientSuppliedIpUsedInSecurityCheck.java:43:27:43:62 | getHeader(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
index 863e8e55dcf..a3b12510626 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
@@ -1,52 +1,88 @@
 edges
+| InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:15:41:15:47 | ldapUrl : String |
 | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:20:49:20:59 | environment |
+| InsecureLdapAuth.java:15:3:15:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:20:49:20:59 | environment |
+| InsecureLdapAuth.java:15:41:15:47 | ldapUrl : String | InsecureLdapAuth.java:15:3:15:13 | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:17:3:17:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:20:49:20:59 | environment |
+| InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:29:41:29:47 | ldapUrl : String |
 | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:34:49:34:59 | environment |
+| InsecureLdapAuth.java:29:3:29:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:34:49:34:59 | environment |
+| InsecureLdapAuth.java:29:41:29:47 | ldapUrl : String | InsecureLdapAuth.java:29:3:29:13 | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:31:3:31:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:34:49:34:59 | environment |
 | InsecureLdapAuth.java:45:3:45:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:48:49:48:59 | environment |
+| InsecureLdapAuth.java:53:20:53:50 | "ldap://ad.your-server.com:636" : String | InsecureLdapAuth.java:57:41:57:47 | ldapUrl : String |
 | InsecureLdapAuth.java:53:20:53:50 | "ldap://ad.your-server.com:636" : String | InsecureLdapAuth.java:63:49:63:59 | environment |
+| InsecureLdapAuth.java:57:3:57:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:63:49:63:59 | environment |
+| InsecureLdapAuth.java:57:41:57:47 | ldapUrl : String | InsecureLdapAuth.java:57:3:57:13 | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:59:3:59:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:63:49:63:59 | environment |
 | InsecureLdapAuth.java:62:3:62:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:63:49:63:59 | environment |
+| InsecureLdapAuth.java:68:20:68:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:72:41:72:47 | ldapUrl : String |
 | InsecureLdapAuth.java:68:20:68:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:77:49:77:59 | environment |
+| InsecureLdapAuth.java:72:3:72:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:77:49:77:59 | environment |
+| InsecureLdapAuth.java:72:41:72:47 | ldapUrl : String | InsecureLdapAuth.java:72:3:72:13 | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:88:3:88:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:91:49:91:59 | environment |
+| InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:41:100:47 | ldapUrl : String |
 | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:105:59:105:69 | environment |
+| InsecureLdapAuth.java:100:3:100:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:105:59:105:69 | environment |
+| InsecureLdapAuth.java:100:41:100:47 | ldapUrl : String | InsecureLdapAuth.java:100:3:100:13 | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:102:3:102:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:105:59:105:69 | environment |
+| InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:115:47:115:53 | ldapUrl : String |
 | InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:120:49:120:59 | environment |
+| InsecureLdapAuth.java:115:3:115:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:120:49:120:59 | environment |
+| InsecureLdapAuth.java:115:47:115:53 | ldapUrl : String | InsecureLdapAuth.java:115:3:115:13 | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:117:3:117:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:120:49:120:59 | environment |
 | InsecureLdapAuth.java:124:3:124:5 | env [post update] : Hashtable | InsecureLdapAuth.java:137:10:137:20 | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:128:3:128:5 | env [post update] : Hashtable | InsecureLdapAuth.java:141:16:141:26 | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:128:3:128:5 | env [post update] : Hashtable | InsecureLdapAuth.java:152:16:152:26 | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:135:20:135:39 | ... + ... : String | InsecureLdapAuth.java:140:41:140:47 | ldapUrl : String |
 | InsecureLdapAuth.java:135:20:135:39 | ... + ... : String | InsecureLdapAuth.java:142:50:142:60 | environment |
 | InsecureLdapAuth.java:137:10:137:20 | environment [post update] : Hashtable | InsecureLdapAuth.java:142:50:142:60 | environment |
+| InsecureLdapAuth.java:140:3:140:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:142:50:142:60 | environment |
+| InsecureLdapAuth.java:140:41:140:47 | ldapUrl : String | InsecureLdapAuth.java:140:3:140:13 | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:141:16:141:26 | environment [post update] : Hashtable | InsecureLdapAuth.java:142:50:142:60 | environment |
+| InsecureLdapAuth.java:147:20:147:39 | ... + ... : String | InsecureLdapAuth.java:151:41:151:47 | ldapUrl : String |
 | InsecureLdapAuth.java:147:20:147:39 | ... + ... : String | InsecureLdapAuth.java:153:50:153:60 | environment |
+| InsecureLdapAuth.java:151:3:151:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:153:50:153:60 | environment |
+| InsecureLdapAuth.java:151:41:151:47 | ldapUrl : String | InsecureLdapAuth.java:151:3:151:13 | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:152:16:152:26 | environment [post update] : Hashtable | InsecureLdapAuth.java:153:50:153:60 | environment |
 nodes
 | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
+| InsecureLdapAuth.java:15:3:15:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:15:41:15:47 | ldapUrl : String | semmle.label | ldapUrl : String |
 | InsecureLdapAuth.java:17:3:17:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:20:49:20:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:20:49:20:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | semmle.label | ... + ... : String |
+| InsecureLdapAuth.java:29:3:29:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:29:41:29:47 | ldapUrl : String | semmle.label | ldapUrl : String |
 | InsecureLdapAuth.java:31:3:31:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:34:49:34:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:34:49:34:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:45:3:45:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:48:49:48:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:53:20:53:50 | "ldap://ad.your-server.com:636" : String | semmle.label | "ldap://ad.your-server.com:636" : String |
+| InsecureLdapAuth.java:57:3:57:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:57:41:57:47 | ldapUrl : String | semmle.label | ldapUrl : String |
 | InsecureLdapAuth.java:59:3:59:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:62:3:62:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:63:49:63:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:63:49:63:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:63:49:63:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:68:20:68:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
+| InsecureLdapAuth.java:72:3:72:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:72:41:72:47 | ldapUrl : String | semmle.label | ldapUrl : String |
 | InsecureLdapAuth.java:77:49:77:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:88:3:88:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:91:49:91:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
+| InsecureLdapAuth.java:100:3:100:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:100:41:100:47 | ldapUrl : String | semmle.label | ldapUrl : String |
 | InsecureLdapAuth.java:102:3:102:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:105:59:105:69 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:105:59:105:69 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
+| InsecureLdapAuth.java:115:3:115:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:115:47:115:53 | ldapUrl : String | semmle.label | ldapUrl : String |
 | InsecureLdapAuth.java:117:3:117:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:120:49:120:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:120:49:120:59 | environment | semmle.label | environment |
@@ -54,11 +90,15 @@ nodes
 | InsecureLdapAuth.java:128:3:128:5 | env [post update] : Hashtable | semmle.label | env [post update] : Hashtable |
 | InsecureLdapAuth.java:135:20:135:39 | ... + ... : String | semmle.label | ... + ... : String |
 | InsecureLdapAuth.java:137:10:137:20 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:140:3:140:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:140:41:140:47 | ldapUrl : String | semmle.label | ldapUrl : String |
 | InsecureLdapAuth.java:141:16:141:26 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:142:50:142:60 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:142:50:142:60 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:142:50:142:60 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:147:20:147:39 | ... + ... : String | semmle.label | ... + ... : String |
+| InsecureLdapAuth.java:151:3:151:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:151:41:151:47 | ldapUrl : String | semmle.label | ldapUrl : String |
 | InsecureLdapAuth.java:152:16:152:26 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:153:50:153:60 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:153:50:153:60 | environment | semmle.label | environment |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.expected b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.expected
index 8e96a3ebfc0..2790e9f77d3 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.expected
@@ -1,7 +1,9 @@
 edges
-| SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object |
+| SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:14:30:14:32 | map : Map |
 | SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | SensitiveGetQuery2.java:15:29:15:36 | password |
 | SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | SensitiveGetQuery2.java:15:29:15:36 | password : Object |
+| SensitiveGetQuery2.java:14:30:14:32 | map : Map | SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object |
+| SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object | SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object |
 | SensitiveGetQuery2.java:15:29:15:36 | password : Object | SensitiveGetQuery2.java:18:40:18:54 | password : Object |
 | SensitiveGetQuery2.java:18:40:18:54 | password : Object | SensitiveGetQuery2.java:19:61:19:68 | password |
 | SensitiveGetQuery3.java:12:21:12:60 | getRequestParameter(...) : String | SensitiveGetQuery3.java:13:57:13:64 | password |
@@ -15,6 +17,8 @@ edges
 nodes
 | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | semmle.label | getParameterMap(...) : Map |
 | SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | semmle.label | (...)... : Object |
+| SensitiveGetQuery2.java:14:30:14:32 | map : Map | semmle.label | map : Map |
+| SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object | semmle.label | get(...) : Object |
 | SensitiveGetQuery2.java:15:29:15:36 | password | semmle.label | password |
 | SensitiveGetQuery2.java:15:29:15:36 | password : Object | semmle.label | password : Object |
 | SensitiveGetQuery2.java:18:40:18:54 | password : Object | semmle.label | password : Object |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.expected b/java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.expected
index 2b1384b845b..29482ca006d 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.expected
@@ -3,7 +3,8 @@ edges
 | SensitiveBroadcast.java:13:41:13:52 | refreshToken : String | SensitiveBroadcast.java:14:31:14:36 | intent |
 | SensitiveBroadcast.java:25:32:25:39 | password : String | SensitiveBroadcast.java:26:31:26:36 | intent |
 | SensitiveBroadcast.java:36:35:36:39 | email : String | SensitiveBroadcast.java:38:31:38:36 | intent |
-| SensitiveBroadcast.java:50:22:50:29 | password : String | SensitiveBroadcast.java:52:31:52:36 | intent |
+| SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] : ArrayList | SensitiveBroadcast.java:52:31:52:36 | intent |
+| SensitiveBroadcast.java:50:22:50:29 | password : String | SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] : ArrayList |
 | SensitiveBroadcast.java:97:35:97:40 | ticket : String | SensitiveBroadcast.java:98:54:98:59 | intent |
 | SensitiveBroadcast.java:109:32:109:39 | passcode : String | SensitiveBroadcast.java:111:54:111:59 | intent |
 | SensitiveBroadcast.java:136:33:136:38 | passwd : String | SensitiveBroadcast.java:140:54:140:59 | intent |
@@ -15,6 +16,7 @@ nodes
 | SensitiveBroadcast.java:26:31:26:36 | intent | semmle.label | intent |
 | SensitiveBroadcast.java:36:35:36:39 | email : String | semmle.label | email : String |
 | SensitiveBroadcast.java:38:31:38:36 | intent | semmle.label | intent |
+| SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] : ArrayList | semmle.label | userinfo [post update] : ArrayList |
 | SensitiveBroadcast.java:50:22:50:29 | password : String | semmle.label | password : String |
 | SensitiveBroadcast.java:52:31:52:36 | intent | semmle.label | intent |
 | SensitiveBroadcast.java:97:35:97:40 | ticket : String | semmle.label | ticket : String |
diff --git a/java/ql/test/library-tests/dataflow/collections/flow.expected b/java/ql/test/library-tests/dataflow/collections/flow.expected
index d54e9921856..293e82c9759 100644
--- a/java/ql/test/library-tests/dataflow/collections/flow.expected
+++ b/java/ql/test/library-tests/dataflow/collections/flow.expected
@@ -85,9 +85,6 @@
 | ContainterTest.java:46:4:46:38 | navMap | ContainterTest.java:199:8:199:48 | subMap(...) |
 | ContainterTest.java:46:4:46:38 | navMap | ContainterTest.java:200:8:200:34 | tailMap(...) |
 | ContainterTest.java:47:4:47:48 | syncHashMap | ContainterTest.java:203:8:203:29 | elements(...) |
-| ContainterTest.java:47:4:47:48 | syncHashMap | ContainterTest.java:204:8:204:42 | search(...) |
-| ContainterTest.java:47:4:47:48 | syncHashMap | ContainterTest.java:205:8:205:55 | searchEntries(...) |
-| ContainterTest.java:47:4:47:48 | syncHashMap | ContainterTest.java:206:8:206:43 | searchValues(...) |
 | ContainterTest.java:48:4:48:34 | dict | ContainterTest.java:209:8:209:22 | elements(...) |
 | ContainterTest.java:48:4:48:34 | dict | ContainterTest.java:210:8:210:25 | get(...) |
 | ContainterTest.java:48:4:48:34 | dict | ContainterTest.java:211:8:211:31 | put(...) |
diff --git a/java/ql/test/library-tests/dataflow/getter/getter.ql b/java/ql/test/library-tests/dataflow/getter/getter.ql
index 02e6920fc7e..e218ccbcee5 100644
--- a/java/ql/test/library-tests/dataflow/getter/getter.ql
+++ b/java/ql/test/library-tests/dataflow/getter/getter.ql
@@ -5,6 +5,9 @@ import semmle.code.java.dataflow.internal.DataFlowImplSpecific::Private
 
 from Node n1, Content f, Node n2
 where
-  read(n1, f, n2) or
-  getterStep(n1, f, n2)
+  (
+    read(n1, f, n2) or
+    getterStep(n1, f, n2)
+  ) and
+  n1.getEnclosingCallable().fromSource()
 select n1, n2, f
diff --git a/java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.expected b/java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.expected
index 1973eb91fe4..75b743dcaab 100644
--- a/java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.expected
+++ b/java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.expected
@@ -1,8 +1,8 @@
-| ArraysTest.java:7:17:7:21 | "one" | ArraysTest.java:7:3:7:22 | asList(...) |
+| ArraysTest.java:6:3:6:17 | new ..[] { .. } | ArraysTest.java:6:3:6:17 | asList(...) |
+| ArraysTest.java:7:3:7:22 | new ..[] { .. } | ArraysTest.java:7:3:7:22 | asList(...) |
 | ArraysTest.java:7:17:7:21 | "one" | ArraysTest.java:7:3:7:22 | new ..[] { .. } |
-| ArraysTest.java:8:17:8:21 | "two" | ArraysTest.java:8:3:8:31 | asList(...) |
+| ArraysTest.java:8:3:8:31 | new ..[] { .. } | ArraysTest.java:8:3:8:31 | asList(...) |
 | ArraysTest.java:8:17:8:21 | "two" | ArraysTest.java:8:3:8:31 | new ..[] { .. } |
-| ArraysTest.java:8:24:8:30 | "three" | ArraysTest.java:8:3:8:31 | asList(...) |
 | ArraysTest.java:8:24:8:30 | "three" | ArraysTest.java:8:3:8:31 | new ..[] { .. } |
 | ArraysTest.java:9:17:9:22 | source | ArraysTest.java:9:3:9:27 | copyOf(...) |
 | ArraysTest.java:10:22:10:27 | source | ArraysTest.java:10:3:10:35 | copyOfRange(...) |
@@ -18,14 +18,13 @@
 | ArraysTest.java:19:55:19:55 | x | ArraysTest.java:19:38:19:56 | toString(...) |
 | ArraysTest.java:20:30:20:36 | Integer | ArraysTest.java:20:30:20:48 | toString(...) |
 | ArraysTest.java:20:47:20:47 | x | ArraysTest.java:20:30:20:48 | toString(...) |
+| CollectionsTest.java:9:3:9:26 | new ..[] { .. } | CollectionsTest.java:9:22:9:25 | list [post update] |
+| CollectionsTest.java:10:3:10:33 | new ..[] { .. } | CollectionsTest.java:10:22:10:25 | list [post update] |
 | CollectionsTest.java:10:28:10:32 | "one" | CollectionsTest.java:10:3:10:33 | new ..[] { .. } |
-| CollectionsTest.java:10:28:10:32 | "one" | CollectionsTest.java:10:22:10:25 | list [post update] |
+| CollectionsTest.java:11:3:11:42 | new ..[] { .. } | CollectionsTest.java:11:22:11:25 | list [post update] |
 | CollectionsTest.java:11:28:11:32 | "two" | CollectionsTest.java:11:3:11:42 | new ..[] { .. } |
-| CollectionsTest.java:11:28:11:32 | "two" | CollectionsTest.java:11:22:11:25 | list [post update] |
 | CollectionsTest.java:11:35:11:41 | "three" | CollectionsTest.java:11:3:11:42 | new ..[] { .. } |
-| CollectionsTest.java:11:35:11:41 | "three" | CollectionsTest.java:11:22:11:25 | list [post update] |
 | CollectionsTest.java:12:28:12:49 | new String[] | CollectionsTest.java:12:22:12:25 | list [post update] |
-| CollectionsTest.java:12:28:12:49 | {...} | CollectionsTest.java:12:28:12:49 | new String[] |
 | CollectionsTest.java:12:42:12:47 | "four" | CollectionsTest.java:12:28:12:49 | {...} |
 | CollectionsTest.java:14:27:14:30 | list | CollectionsTest.java:14:3:14:45 | checkedList(...) |
 | CollectionsTest.java:15:19:15:22 | list | CollectionsTest.java:15:3:15:23 | min(...) |
@@ -47,14 +46,14 @@
 | CollectionsTest.java:33:16:33:19 | "v1" | CollectionsTest.java:33:3:33:32 | of(...) |
 | CollectionsTest.java:33:28:33:31 | "v2" | CollectionsTest.java:33:3:33:32 | of(...) |
 | CollectionsTest.java:34:14:34:16 | map | CollectionsTest.java:34:3:34:17 | copyOf(...) |
+| CollectionsTest.java:35:3:35:17 | new ..[] { .. } | CollectionsTest.java:35:3:35:17 | ofEntries(...) |
+| CollectionsTest.java:36:3:36:38 | new ..[] { .. } | CollectionsTest.java:36:3:36:38 | ofEntries(...) |
 | CollectionsTest.java:36:17:36:37 | entry(...) | CollectionsTest.java:36:3:36:38 | new ..[] { .. } |
-| CollectionsTest.java:36:17:36:37 | entry(...) | CollectionsTest.java:36:3:36:38 | ofEntries(...) |
 | CollectionsTest.java:36:33:36:36 | "v3" | CollectionsTest.java:36:17:36:37 | entry(...) |
+| CollectionsTest.java:37:3:37:61 | new ..[] { .. } | CollectionsTest.java:37:3:37:61 | ofEntries(...) |
 | CollectionsTest.java:37:17:37:37 | entry(...) | CollectionsTest.java:37:3:37:61 | new ..[] { .. } |
-| CollectionsTest.java:37:17:37:37 | entry(...) | CollectionsTest.java:37:3:37:61 | ofEntries(...) |
 | CollectionsTest.java:37:33:37:36 | "v4" | CollectionsTest.java:37:17:37:37 | entry(...) |
 | CollectionsTest.java:37:40:37:60 | entry(...) | CollectionsTest.java:37:3:37:61 | new ..[] { .. } |
-| CollectionsTest.java:37:40:37:60 | entry(...) | CollectionsTest.java:37:3:37:61 | ofEntries(...) |
 | CollectionsTest.java:37:56:37:59 | "v5" | CollectionsTest.java:37:40:37:60 | entry(...) |
 | Test.java:24:32:24:38 | string2 | Test.java:24:17:24:39 | decode(...) |
 | Test.java:25:46:25:51 | bytes2 | Test.java:25:31:25:52 | encode(...) |
diff --git a/java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.ql b/java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.ql
index 1520ea7347d..8e2f6ef2646 100644
--- a/java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.ql
+++ b/java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.ql
@@ -1,12 +1,38 @@
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.internal.TaintTrackingUtil
+import semmle.code.java.dataflow.internal.DataFlowNodes::Private
 import semmle.code.java.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 
+predicate taintFlowThrough(DataFlow::ParameterNode p) {
+  exists(ReturnNode ret | localTaint(p, ret))
+}
+
+predicate taintFlowUpdate(DataFlow::ParameterNode p1, DataFlow::ParameterNode p2) {
+  exists(DataFlow::PostUpdateNode ret | localTaint(p1, ret) | ret.getPreUpdateNode() = p2)
+}
+
 from DataFlow::Node src, DataFlow::Node sink
 where
   (
     localAdditionalTaintStep(src, sink) or
     FlowSummaryImpl::Private::Steps::summaryThroughStep(src, sink, false)
   ) and
-  not FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, false)
+  not FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, false) and
+  not FlowSummaryImpl::Private::Steps::summaryReadStep(src, _, sink) and
+  not FlowSummaryImpl::Private::Steps::summaryStoreStep(src, _, sink)
+  or
+  exists(ArgumentNode arg, MethodAccess call, DataFlow::ParameterNode p, int i |
+    src = arg and
+    p.isParameterOf(call.getMethod().getSourceDeclaration(), i) and
+    arg.argumentOf(call, i)
+  |
+    sink.asExpr() = call and
+    taintFlowThrough(p)
+    or
+    exists(DataFlow::ParameterNode p2, int j |
+      sink.(DataFlow::PostUpdateNode).getPreUpdateNode().(ArgumentNode).argumentOf(call, j) and
+      taintFlowUpdate(p, p2) and
+      p2.isParameterOf(_, j)
+    )
+  )
 select src, sink
diff --git a/java/ql/test/library-tests/dataflow/taint-ioutils/Test.java b/java/ql/test/library-tests/dataflow/taint-ioutils/Test.java
index a6660c87252..3e45989d1c9 100644
--- a/java/ql/test/library-tests/dataflow/taint-ioutils/Test.java
+++ b/java/ql/test/library-tests/dataflow/taint-ioutils/Test.java
@@ -33,14 +33,14 @@ class Test {
 
 		byte x;
 		byte[] tgt = new byte[100];
-		x = tgt[0]; // not tainted
+		sink(tgt); // not tainted
 		IOUtils.read(inp, tgt);
-		x = tgt[0]; // tainted
+		sink(tgt); // tainted
 
 		tgt = new byte[100];
-		x = tgt[0]; // not tainted
+		sink(tgt); // not tainted
 		IOUtils.readFully(inp, tgt);
-		x = tgt[0]; // tainted
+		sink(tgt); // tainted
 
 		writer = new StringWriter();
 		writer.toString(); // not tainted
@@ -62,4 +62,6 @@ class Test {
 		IOUtils.writeLines(new ArrayList<String>(), s, writer);
 		writer.toString(); // tainted
 	}
+
+    static void sink(Object o) { }
 }
diff --git a/java/ql/test/library-tests/dataflow/taint-ioutils/dataFlow.expected b/java/ql/test/library-tests/dataflow/taint-ioutils/dataFlow.expected
index 1a736aa24c9..1902605e618 100644
--- a/java/ql/test/library-tests/dataflow/taint-ioutils/dataFlow.expected
+++ b/java/ql/test/library-tests/dataflow/taint-ioutils/dataFlow.expected
@@ -28,14 +28,10 @@
 | Test.java:32:3:32:19 | toString(...) |
 | Test.java:37:16:37:18 | inp |
 | Test.java:37:21:37:23 | tgt [post update] |
-| Test.java:38:3:38:12 | ...=... |
-| Test.java:38:7:38:9 | tgt |
-| Test.java:38:7:38:12 | ...[...] |
+| Test.java:38:8:38:10 | tgt |
 | Test.java:42:21:42:23 | inp |
 | Test.java:42:26:42:28 | tgt [post update] |
-| Test.java:43:3:43:12 | ...=... |
-| Test.java:43:7:43:9 | tgt |
-| Test.java:43:7:43:12 | ...[...] |
+| Test.java:43:8:43:10 | tgt |
 | Test.java:47:17:47:21 | chars |
 | Test.java:47:24:47:29 | writer [post update] |
 | Test.java:48:3:48:8 | writer |
diff --git a/java/ql/test/library-tests/dataflow/taint/test.expected b/java/ql/test/library-tests/dataflow/taint/test.expected
index 54aafdb26e7..0953353f363 100644
--- a/java/ql/test/library-tests/dataflow/taint/test.expected
+++ b/java/ql/test/library-tests/dataflow/taint/test.expected
@@ -3,7 +3,6 @@
 | A.java:33:23:33:29 | taint(...) | A.java:34:10:34:27 | toByteArray(...) |
 | A.java:46:27:46:33 | taint(...) | A.java:47:10:47:30 | toByteArray(...) |
 | A.java:55:58:55:64 | taint(...) | A.java:61:10:61:16 | dh.data |
-| A.java:72:16:72:22 | taint(...) | A.java:73:10:73:10 | b |
 | B.java:15:21:15:27 | taint(...) | B.java:18:10:18:16 | aaaargs |
 | B.java:15:21:15:27 | taint(...) | B.java:21:10:21:10 | s |
 | B.java:15:21:15:27 | taint(...) | B.java:24:10:24:15 | concat |
diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/ObjectUtilsTest.java b/java/ql/test/library-tests/frameworks/apache-commons-lang3/ObjectUtilsTest.java
index 58ee4d262e6..5b2eda3c30f 100644
--- a/java/ql/test/library-tests/frameworks/apache-commons-lang3/ObjectUtilsTest.java
+++ b/java/ql/test/library-tests/frameworks/apache-commons-lang3/ObjectUtilsTest.java
@@ -17,22 +17,22 @@ public class ObjectUtilsTest {
     sink(ObjectUtils.CONST_BYTE(IntSource.taint())); // $hasValueFlow
     sink(ObjectUtils.defaultIfNull(taint(), null)); // $hasValueFlow
     sink(ObjectUtils.defaultIfNull(null, taint())); // $hasValueFlow
-    sink(ObjectUtils.firstNonNull(taint(), null, null)); // $ MISSING:hasValueFlow
-    sink(ObjectUtils.firstNonNull(null, taint(), null)); // $ MISSING:hasValueFlow
-    sink(ObjectUtils.firstNonNull(null, null, taint())); // $ MISSING:hasValueFlow
+    sink(ObjectUtils.firstNonNull(taint(), null, null)); // $ hasValueFlow
+    sink(ObjectUtils.firstNonNull(null, taint(), null)); // $ hasValueFlow
+    sink(ObjectUtils.firstNonNull(null, null, taint())); // $ hasValueFlow
     sink(ObjectUtils.getIfNull(taint(), null)); // $hasValueFlow
-    sink(ObjectUtils.max(taint(), null, null)); // $ MISSING:hasValueFlow
-    sink(ObjectUtils.max(null, taint(), null)); // $ MISSING:hasValueFlow
-    sink(ObjectUtils.max(null, null, taint())); // $ MISSING:hasValueFlow
-    sink(ObjectUtils.median(taint(), null, null)); // $ MISSING:hasValueFlow
-    sink(ObjectUtils.median((String)null, taint(), null)); // $ MISSING:hasValueFlow
-    sink(ObjectUtils.median((String)null, null, taint())); // $ MISSING:hasValueFlow
-    sink(ObjectUtils.min(taint(), null, null)); // $ MISSING:hasValueFlow
-    sink(ObjectUtils.min(null, taint(), null)); // $ MISSING:hasValueFlow
-    sink(ObjectUtils.min(null, null, taint())); // $ MISSING:hasValueFlow
-    sink(ObjectUtils.mode(taint(), null, null)); // $ MISSING:hasValueFlow
-    sink(ObjectUtils.mode(null, taint(), null)); // $ MISSING:hasValueFlow
-    sink(ObjectUtils.mode(null, null, taint())); // $ MISSING:hasValueFlow
+    sink(ObjectUtils.max(taint(), null, null)); // $ hasValueFlow
+    sink(ObjectUtils.max(null, taint(), null)); // $ hasValueFlow
+    sink(ObjectUtils.max(null, null, taint())); // $ hasValueFlow
+    sink(ObjectUtils.median(taint(), null, null)); // $ hasValueFlow
+    sink(ObjectUtils.median((String)null, taint(), null)); // $ hasValueFlow
+    sink(ObjectUtils.median((String)null, null, taint())); // $ hasValueFlow
+    sink(ObjectUtils.min(taint(), null, null)); // $ hasValueFlow
+    sink(ObjectUtils.min(null, taint(), null)); // $ hasValueFlow
+    sink(ObjectUtils.min(null, null, taint())); // $ hasValueFlow
+    sink(ObjectUtils.mode(taint(), null, null)); // $ hasValueFlow
+    sink(ObjectUtils.mode(null, taint(), null)); // $ hasValueFlow
+    sink(ObjectUtils.mode(null, null, taint())); // $ hasValueFlow
     sink(ObjectUtils.requireNonEmpty(taint(), "message")); // $hasValueFlow
     sink(ObjectUtils.requireNonEmpty("not null", taint())); // GOOD (message doesn't propagate to the return)
     sink(ObjectUtils.toString(taint(), "default string")); // GOOD (first argument is stringified)
diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/Test.java b/java/ql/test/library-tests/frameworks/apache-commons-lang3/Test.java
index 28cbf5178b8..3d3e47b2bd0 100644
--- a/java/ql/test/library-tests/frameworks/apache-commons-lang3/Test.java
+++ b/java/ql/test/library-tests/frameworks/apache-commons-lang3/Test.java
@@ -50,10 +50,10 @@ class Test {
         sink(StringUtils.deleteWhitespace(taint())); // $hasTaintFlow
         sink(StringUtils.difference(taint(), "rhs")); // $hasTaintFlow
         sink(StringUtils.difference("lhs", taint())); // $hasTaintFlow
-        sink(StringUtils.firstNonBlank(taint(), "second string")); // $hasTaintFlow
-        sink(StringUtils.firstNonBlank("first string", taint())); // $hasTaintFlow
-        sink(StringUtils.firstNonEmpty(taint(), "second string")); // $hasTaintFlow
-        sink(StringUtils.firstNonEmpty("first string", taint())); // $hasTaintFlow
+        sink(StringUtils.firstNonBlank(taint(), "second string")); // $hasValueFlow
+        sink(StringUtils.firstNonBlank("first string", taint())); // $hasValueFlow
+        sink(StringUtils.firstNonEmpty(taint(), "second string")); // $hasValueFlow
+        sink(StringUtils.firstNonEmpty("first string", taint())); // $hasValueFlow
         sink(StringUtils.getBytes(taint(), (Charset)null)); // $hasTaintFlow
         sink(StringUtils.getBytes(taint(), "some charset")); // $hasTaintFlow
         // GOOD: charset names are not a source of taint
@@ -216,12 +216,12 @@ class Test {
         sink(StringUtils.strip(taint())); // $hasTaintFlow
         sink(StringUtils.strip(taint(), "charstoremove")); // $hasTaintFlow
         sink(StringUtils.stripAccents(taint())); // $hasTaintFlow
-        sink(StringUtils.stripAll(new String[] { taint() }, "charstoremove")); // $hasTaintFlow
+        sink(StringUtils.stripAll(new String[] { taint() }, "charstoremove")[0]); // $hasTaintFlow
         sink(StringUtils.stripEnd(taint(), "charstoremove")); // $hasTaintFlow
         sink(StringUtils.stripStart(taint(), "charstoremove")); // $hasTaintFlow
         // GOOD (next 4 calls): stripped chars do not flow to the return value.
         sink(StringUtils.strip("original text", taint()));
-        sink(StringUtils.stripAll(new String[] { "original text" }, taint()));
+        sink(StringUtils.stripAll(new String[] { "original text" }, taint())[0]);
         sink(StringUtils.stripEnd("original text", taint()));
         sink(StringUtils.stripStart("original text", taint()));
         sink(StringUtils.stripToEmpty(taint())); // $hasTaintFlow
@@ -275,4 +275,4 @@ class Test {
 
     }
 
-}
\ No newline at end of file
+}
diff --git a/java/ql/test/library-tests/frameworks/guava/TestBase.java b/java/ql/test/library-tests/frameworks/guava/TestBase.java
index ad75f5cafbf..8da63965d58 100644
--- a/java/ql/test/library-tests/frameworks/guava/TestBase.java
+++ b/java/ql/test/library-tests/frameworks/guava/TestBase.java
@@ -18,7 +18,7 @@ class TestBase {
         sink(Strings.lenientFormat(x, 3)); // $numTaintFlow=1
         sink(Strings.commonPrefix(x, "abc")); 
         sink(Strings.commonSuffix(x, "cde")); 
-        sink(Strings.lenientFormat("%s = %s", x, 3)); // $ MISSING:numTaintFlow=1
+        sink(Strings.lenientFormat("%s = %s", x, 3)); // $ numTaintFlow=1
     }
 
     void test2() {
diff --git a/java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.expected b/java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.expected
index 4a29161c63c..ea822181844 100644
--- a/java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.expected
+++ b/java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.expected
@@ -1,8 +1,10 @@
 edges
 | Test.java:6:35:6:44 | arg : String | Test.java:7:44:7:69 | ... + ... |
 | Test.java:6:35:6:44 | arg : String | Test.java:10:29:10:74 | new String[] |
-| Test.java:6:35:6:44 | arg : String | Test.java:18:29:18:31 | cmd |
+| Test.java:6:35:6:44 | arg : String | Test.java:16:13:16:25 | ... + ... : String |
 | Test.java:6:35:6:44 | arg : String | Test.java:24:29:24:32 | cmd1 |
+| Test.java:16:5:16:7 | cmd [post update] : List | Test.java:18:29:18:31 | cmd |
+| Test.java:16:13:16:25 | ... + ... : String | Test.java:16:5:16:7 | cmd [post update] : List |
 | Test.java:28:38:28:47 | arg : String | Test.java:29:44:29:64 | ... + ... |
 | Test.java:57:27:57:39 | args : String[] | Test.java:60:20:60:22 | arg : String |
 | Test.java:57:27:57:39 | args : String[] | Test.java:61:23:61:25 | arg : String |
@@ -12,6 +14,8 @@ nodes
 | Test.java:6:35:6:44 | arg : String | semmle.label | arg : String |
 | Test.java:7:44:7:69 | ... + ... | semmle.label | ... + ... |
 | Test.java:10:29:10:74 | new String[] | semmle.label | new String[] |
+| Test.java:16:5:16:7 | cmd [post update] : List | semmle.label | cmd [post update] : List |
+| Test.java:16:13:16:25 | ... + ... : String | semmle.label | ... + ... : String |
 | Test.java:18:29:18:31 | cmd | semmle.label | cmd |
 | Test.java:24:29:24:32 | cmd1 | semmle.label | cmd1 |
 | Test.java:28:38:28:47 | arg : String | semmle.label | arg : String |

From 901996f9fdf7eb94c65b8f9e95253f11843539fd Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Wed, 12 May 2021 18:04:20 +0200
Subject: [PATCH 1246/1429] Java: Add collection flow test.

---
 .../library-tests/dataflow/collections/B.java | 1821 +++++++++++++++++
 .../dataflow/collections/ContainterTest.java  |    2 +-
 .../collections/containerflow.expected        |    0
 .../dataflow/collections/containerflow.ql     |   45 +
 4 files changed, 1867 insertions(+), 1 deletion(-)
 create mode 100644 java/ql/test/library-tests/dataflow/collections/B.java
 create mode 100644 java/ql/test/library-tests/dataflow/collections/containerflow.expected
 create mode 100644 java/ql/test/library-tests/dataflow/collections/containerflow.ql

diff --git a/java/ql/test/library-tests/dataflow/collections/B.java b/java/ql/test/library-tests/dataflow/collections/B.java
new file mode 100644
index 00000000000..1c0384a71c6
--- /dev/null
+++ b/java/ql/test/library-tests/dataflow/collections/B.java
@@ -0,0 +1,1821 @@
+import java.util.*;
+import java.util.concurrent.*;
+import java.util.regex.*;
+
+public class B {
+  static Object source() { return null; }
+
+  static void sink(Object obj) { }
+
+  static Object[] storeArrayElement(Object obj) { return null; }
+  static Object storeElement(Object obj) { return null; }
+  static Object storeMapKey(Object obj) { return null; }
+  static Object storeMapValue(Object obj) { return null; }
+
+  static Object readArrayElement(Object obj) { return null; }
+  static Object readElement(Object obj) { return null; }
+  static Object readMapKey(Object obj) { return null; }
+  static Object readMapValue(Object obj) { return null; }
+
+  void foo() throws InterruptedException {
+    {
+      // "java.util;Map<>$Entry;true;getValue;;;MapValue of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Map.Entry)in).getValue(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map<>$Entry;true;setValue;;;MapValue of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Map.Entry)in).setValue(null); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map<>$Entry;true;setValue;;;Argument[0];MapValue of Argument[-1];value",
+      Map.Entry out = null;
+      Object in = source(); out.setValue(in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.lang;Iterable;true;iterator;();;Element of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Iterable)in).iterator(); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.lang;Iterable;true;spliterator;();;Element of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Iterable)in).spliterator(); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Iterator;true;next;;;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Iterator)in).next(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;ListIterator;true;previous;;;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((ListIterator)in).previous(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;ListIterator;true;add;(Object);;Argument[0];Element of Argument[-1];value",
+      ListIterator out = null;
+      Object in = source(); out.add(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;ListIterator;true;set;(Object);;Argument[0];Element of Argument[-1];value",
+      ListIterator out = null;
+      Object in = source(); out.set(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Enumeration;true;asIterator;;;Element of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Enumeration)in).asIterator(); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Enumeration;true;nextElement;;;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Enumeration)in).nextElement(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;computeIfAbsent;;;MapValue of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Map)in).computeIfAbsent(null,null); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;computeIfAbsent;;;ReturnValue of Argument[1];ReturnValue;value",
+      Object out = ((Map)null).computeIfAbsent(null,k -> source()); sink(out);
+    }
+    {
+      // "java.util;Map;true;computeIfAbsent;;;ReturnValue of Argument[1];MapValue of Argument[-1];value",
+      Object out = null;
+      ((Map)out).computeIfAbsent(null,k -> source()); sink(readMapValue(out));
+    }
+    {
+      // "java.util;Map;true;entrySet;;;MapValue of Argument[-1];MapValue of Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Map)in).entrySet(); sink(readMapValue(readElement(out))); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;entrySet;;;MapKey of Argument[-1];MapKey of Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((Map)in).entrySet(); sink(readMapKey(readElement(out))); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;get;;;MapValue of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Map)in).get(null); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;getOrDefault;;;MapValue of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Map)in).getOrDefault(null,null); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;getOrDefault;;;Argument[1];ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = ((Map)null).getOrDefault(null,in); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;put;;;MapValue of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Map)in).put(null,null); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;put;;;Argument[0];MapKey of Argument[-1];value",
+      Map out = null;
+      Object in = source(); out.put(in,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;put;;;Argument[1];MapValue of Argument[-1];value",
+      Map out = null;
+      Object in = source(); out.put(null,in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;putIfAbsent;;;MapValue of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Map)in).putIfAbsent(null,null); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;putIfAbsent;;;Argument[0];MapKey of Argument[-1];value",
+      Map out = null;
+      Object in = source(); out.putIfAbsent(in,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;putIfAbsent;;;Argument[1];MapValue of Argument[-1];value",
+      Map out = null;
+      Object in = source(); out.putIfAbsent(null,in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;remove;(Object);;MapValue of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Map)in).remove(null); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;replace;(Object,Object);;MapValue of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Map)in).replace(null,null); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;replace;(Object,Object);;Argument[0];MapKey of Argument[-1];value",
+      Map out = null;
+      Object in = source(); out.replace(in,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;replace;(Object,Object);;Argument[1];MapValue of Argument[-1];value",
+      Map out = null;
+      Object in = source(); out.replace(null,in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;replace;(Object,Object,Object);;Argument[0];MapKey of Argument[-1];value",
+      Map out = null;
+      Object in = source(); out.replace(in,null,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;replace;(Object,Object,Object);;Argument[2];MapValue of Argument[-1];value",
+      Map out = null;
+      Object in = source(); out.replace(null,null,in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;keySet;();;MapKey of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((Map)in).keySet(); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;values;();;MapValue of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Map)in).values(); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;merge;(Object,Object,BiFunction);;Argument[1];MapValue of Argument[-1];value",
+      Map out = null;
+      Object in = source(); out.merge(null,in,null); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;putAll;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value",
+      Map out = null;
+      Object in = storeMapKey(source()); out.putAll((Map)in); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;true;putAll;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value",
+      Map out = null;
+      Object in = storeMapValue(source()); out.putAll((Map)in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collection;true;parallelStream;();;Element of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collection)in).parallelStream(); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collection;true;stream;();;Element of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collection)in).stream(); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collection;true;toArray;;;Element of Argument[-1];ArrayElement of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collection)in).toArray(); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collection;true;toArray;;;Element of Argument[-1];ArrayElement of Argument[0];value",
+      Object[] out = null;
+      Object in = storeElement(source()); ((Collection)in).toArray(out); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collection;true;add;;;Argument[0];Element of Argument[-1];value",
+      Collection out = null;
+      Object in = source(); out.add(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collection;true;addAll;;;Element of Argument[0];Element of Argument[-1];value",
+      Collection out = null;
+      Object in = storeElement(source()); out.addAll((Collection)in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;true;get;(int);;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((List)in).get(0); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;true;listIterator;;;Element of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((List)in).listIterator(); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;true;remove;(int);;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((List)in).remove(0); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;true;set;(int,Object);;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((List)in).set(0,null); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;true;set;(int,Object);;Argument[1];Element of Argument[-1];value",
+      List out = null;
+      Object in = source(); out.set(0,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;true;subList;;;Element of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((List)in).subList(0,0); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;true;add;(int,Object);;Argument[1];Element of Argument[-1];value",
+      List out = null;
+      Object in = source(); out.add(0,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;true;addAll;(int,Collection);;Element of Argument[1];Element of Argument[-1];value",
+      List out = null;
+      Object in = storeElement(source()); out.addAll(0,(Collection)in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Vector;true;elementAt;(int);;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Vector)in).elementAt(0); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Vector;true;elements;();;Element of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Vector)in).elements(); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Vector;true;firstElement;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Vector)in).firstElement(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Vector;true;lastElement;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Vector)in).lastElement(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Vector;true;addElement;(Object);;Argument[0];Element of Argument[-1];value",
+      Vector out = null;
+      Object in = source(); out.addElement(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Vector;true;insertElementAt;(Object,int);;Argument[0];Element of Argument[-1];value",
+      Vector out = null;
+      Object in = source(); out.insertElementAt(in,0); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Vector;true;setElementAt;(Object,int);;Argument[0];Element of Argument[-1];value",
+      Vector out = null;
+      Object in = source(); out.setElementAt(in,0); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Vector;true;copyInto;(Object[]);;Element of Argument[-1];ArrayElement of Argument[0];value",
+      Object[] out = null;
+      Object in = storeElement(source()); ((Vector)in).copyInto(out); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Stack;true;peek;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Stack)in).peek(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Stack;true;pop;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Stack)in).pop(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Stack;true;push;(Object);;Argument[0];Element of Argument[-1];value",
+      Stack out = null;
+      Object in = source(); out.push(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Queue;true;element;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Queue)in).element(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Queue;true;peek;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Queue)in).peek(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Queue;true;poll;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Queue)in).poll(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Queue;true;remove;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Queue)in).remove(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Queue;true;offer;(Object);;Argument[0];Element of Argument[-1];value",
+      Queue out = null;
+      Object in = source(); out.offer(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Deque;true;descendingIterator;();;Element of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Deque)in).descendingIterator(); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Deque;true;getFirst;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Deque)in).getFirst(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Deque;true;getLast;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Deque)in).getLast(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Deque;true;peekFirst;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Deque)in).peekFirst(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Deque;true;peekLast;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Deque)in).peekLast(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Deque;true;pollFirst;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Deque)in).pollFirst(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Deque;true;pollLast;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Deque)in).pollLast(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Deque;true;pop;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Deque)in).pop(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Deque;true;removeFirst;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Deque)in).removeFirst(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Deque;true;removeLast;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Deque)in).removeLast(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Deque;true;push;(Object);;Argument[0];Element of Argument[-1];value",
+      Deque out = null;
+      Object in = source(); out.push(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Deque;true;offerLast;(Object);;Argument[0];Element of Argument[-1];value",
+      Deque out = null;
+      Object in = source(); out.offerLast(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Deque;true;offerFirst;(Object);;Argument[0];Element of Argument[-1];value",
+      Deque out = null;
+      Object in = source(); out.offerFirst(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Deque;true;addLast;(Object);;Argument[0];Element of Argument[-1];value",
+      Deque out = null;
+      Object in = source(); out.addLast(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Deque;true;addFirst;(Object);;Argument[0];Element of Argument[-1];value",
+      Deque out = null;
+      Object in = source(); out.addFirst(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util.concurrent;BlockingDeque;true;pollFirst;(long,TimeUnit);;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((BlockingDeque)in).pollFirst(0,null); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util.concurrent;BlockingDeque;true;pollLast;(long,TimeUnit);;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((BlockingDeque)in).pollLast(0,null); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util.concurrent;BlockingDeque;true;takeFirst;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((BlockingDeque)in).takeFirst(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util.concurrent;BlockingDeque;true;takeLast;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((BlockingDeque)in).takeLast(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util.concurrent;BlockingQueue;true;poll;(long,TimeUnit);;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((BlockingQueue)in).poll(0,null); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util.concurrent;BlockingQueue;true;take;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((BlockingQueue)in).take(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util.concurrent;BlockingQueue;true;offer;(Object,long,TimeUnit);;Argument[0];Element of Argument[-1];value",
+      BlockingQueue out = null;
+      Object in = source(); out.offer(in,0,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util.concurrent;BlockingQueue;true;put;(Object);;Argument[0];Element of Argument[-1];value",
+      BlockingQueue out = null;
+      Object in = source(); out.put(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util.concurrent;BlockingDeque;true;offerLast;(Object,long,TimeUnit);;Argument[0];Element of Argument[-1];value",
+      BlockingDeque out = null;
+      Object in = source(); out.offerLast(in,0,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util.concurrent;BlockingDeque;true;offerFirst;(Object,long,TimeUnit);;Argument[0];Element of Argument[-1];value",
+      BlockingDeque out = null;
+      Object in = source(); out.offerFirst(in,0,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util.concurrent;BlockingDeque;true;putLast;(Object);;Argument[0];Element of Argument[-1];value",
+      BlockingDeque out = null;
+      Object in = source(); out.putLast(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util.concurrent;BlockingDeque;true;putFirst;(Object);;Argument[0];Element of Argument[-1];value",
+      BlockingDeque out = null;
+      Object in = source(); out.putFirst(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util.concurrent;BlockingQueue;true;drainTo;(Collection,int);;Element of Argument[-1];Element of Argument[0];value",
+      Collection out = null;
+      Object in = storeElement(source()); ((BlockingQueue)in).drainTo(out,0); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util.concurrent;BlockingQueue;true;drainTo;(Collection);;Element of Argument[-1];Element of Argument[0];value",
+      Collection out = null;
+      Object in = storeElement(source()); ((BlockingQueue)in).drainTo(out); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util.concurrent;ConcurrentHashMap;true;elements;();;MapValue of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((ConcurrentHashMap)in).elements(); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Dictionary;true;elements;();;MapValue of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Dictionary)in).elements(); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Dictionary;true;get;(Object);;MapValue of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Dictionary)in).get(null); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Dictionary;true;put;(Object,Object);;MapValue of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Dictionary)in).put(null,null); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Dictionary;true;put;(Object,Object);;Argument[0];MapKey of Argument[-1];value",
+      Dictionary out = null;
+      Object in = source(); out.put(in,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Dictionary;true;put;(Object,Object);;Argument[1];MapValue of Argument[-1];value",
+      Dictionary out = null;
+      Object in = source(); out.put(null,in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Dictionary;true;remove;(Object);;MapValue of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Dictionary)in).remove(null); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;ceilingEntry;(Object);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((NavigableMap)in).ceilingEntry(null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;ceilingEntry;(Object);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((NavigableMap)in).ceilingEntry(null); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;descendingMap;();;MapKey of Argument[-1];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((NavigableMap)in).descendingMap(); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;descendingMap;();;MapValue of Argument[-1];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((NavigableMap)in).descendingMap(); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;firstEntry;();;MapKey of Argument[-1];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((NavigableMap)in).firstEntry(); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;firstEntry;();;MapValue of Argument[-1];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((NavigableMap)in).firstEntry(); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;floorEntry;(Object);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((NavigableMap)in).floorEntry(null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;floorEntry;(Object);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((NavigableMap)in).floorEntry(null); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;headMap;(Object,boolean);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((NavigableMap)in).headMap(null,true); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;headMap;(Object,boolean);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((NavigableMap)in).headMap(null,true); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;higherEntry;(Object);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((NavigableMap)in).higherEntry(null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;higherEntry;(Object);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((NavigableMap)in).higherEntry(null); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;lastEntry;();;MapKey of Argument[-1];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((NavigableMap)in).lastEntry(); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;lastEntry;();;MapValue of Argument[-1];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((NavigableMap)in).lastEntry(); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;lowerEntry;(Object);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((NavigableMap)in).lowerEntry(null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;lowerEntry;(Object);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((NavigableMap)in).lowerEntry(null); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;pollFirstEntry;();;MapKey of Argument[-1];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((NavigableMap)in).pollFirstEntry(); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;pollFirstEntry;();;MapValue of Argument[-1];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((NavigableMap)in).pollFirstEntry(); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;pollLastEntry;();;MapKey of Argument[-1];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((NavigableMap)in).pollLastEntry(); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;pollLastEntry;();;MapValue of Argument[-1];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((NavigableMap)in).pollLastEntry(); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;subMap;(Object,boolean,Object,boolean);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((NavigableMap)in).subMap(null,true,null,true); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;subMap;(Object,boolean,Object,boolean);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((NavigableMap)in).subMap(null,true,null,true); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;tailMap;(Object,boolean);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((NavigableMap)in).tailMap(null,true); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableMap;true;tailMap;(Object,boolean);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((NavigableMap)in).tailMap(null,true); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableSet;true;ceiling;(Object);;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((NavigableSet)in).ceiling(null); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableSet;true;descendingIterator;();;Element of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((NavigableSet)in).descendingIterator(); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableSet;true;descendingSet;();;Element of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((NavigableSet)in).descendingSet(); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableSet;true;floor;(Object);;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((NavigableSet)in).floor(null); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableSet;true;headSet;(Object,boolean);;Element of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((NavigableSet)in).headSet(null,true); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableSet;true;higher;(Object);;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((NavigableSet)in).higher(null); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableSet;true;lower;(Object);;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((NavigableSet)in).lower(null); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableSet;true;pollFirst;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((NavigableSet)in).pollFirst(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableSet;true;pollLast;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((NavigableSet)in).pollLast(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableSet;true;subSet;(Object,boolean,Object,boolean);;Element of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((NavigableSet)in).subSet(null,true,null,true); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;NavigableSet;true;tailSet;(Object,boolean);;Element of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((NavigableSet)in).tailSet(null,true); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;SortedMap;true;headMap;(Object);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((SortedMap)in).headMap(null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;SortedMap;true;headMap;(Object);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((SortedMap)in).headMap(null); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;SortedMap;true;subMap;(Object,Object);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((SortedMap)in).subMap(null,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;SortedMap;true;subMap;(Object,Object);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((SortedMap)in).subMap(null,null); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;SortedMap;true;tailMap;(Object);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((SortedMap)in).tailMap(null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;SortedMap;true;tailMap;(Object);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((SortedMap)in).tailMap(null); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;SortedSet;true;first;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((SortedSet)in).first(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;SortedSet;true;headSet;(Object);;Element of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((SortedSet)in).headSet(null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;SortedSet;true;last;();;Element of Argument[-1];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((SortedSet)in).last(); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;SortedSet;true;subSet;(Object,Object);;Element of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((SortedSet)in).subSet(null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;SortedSet;true;tailSet;(Object);;Element of Argument[-1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((SortedSet)in).tailSet(null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util.concurrent;TransferQueue;true;tryTransfer;(Object,long,TimeUnit);;Argument[0];Element of Argument[-1];value",
+      TransferQueue out = null;
+      Object in = source(); out.tryTransfer(in,0,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util.concurrent;TransferQueue;true;transfer;(Object);;Argument[0];Element of Argument[-1];value",
+      TransferQueue out = null;
+      Object in = source(); out.transfer(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util.concurrent;TransferQueue;true;tryTransfer;(Object);;Argument[0];Element of Argument[-1];value",
+      TransferQueue out = null;
+      Object in = source(); out.tryTransfer(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;copyOf;(Collection);;Element of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = List.copyOf((Collection)in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object[]);;ArrayElement of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object[] in = storeArrayElement(source()); out = List.of(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object);;Argument[1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(in,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object);;Argument[1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object);;Argument[2];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(in,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object);;Argument[1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,in,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object);;Argument[2];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object);;Argument[3];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(in,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object);;Argument[1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,in,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object);;Argument[2];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,in,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object);;Argument[3];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object);;Argument[4];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(in,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object);;Argument[1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,in,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object);;Argument[2];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,in,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object);;Argument[3];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,in,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object);;Argument[4];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object);;Argument[5];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,null,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(in,null,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object);;Argument[1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,in,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object);;Argument[2];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,in,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object);;Argument[3];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,in,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object);;Argument[4];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,in,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object);;Argument[5];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,null,in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object);;Argument[6];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,null,null,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(in,null,null,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object);;Argument[1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,in,null,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object);;Argument[2];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,in,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object);;Argument[3];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,in,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object);;Argument[4];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,in,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object);;Argument[5];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,null,in,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object);;Argument[6];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,null,null,in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object);;Argument[7];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,null,null,null,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(in,null,null,null,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,in,null,null,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[2];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,in,null,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[3];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,in,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[4];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,in,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[5];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,null,in,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[6];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,null,null,in,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[7];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,null,null,null,in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[8];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,null,null,null,null,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(in,null,null,null,null,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,in,null,null,null,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[2];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,in,null,null,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[3];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,in,null,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[4];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,in,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[5];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,null,in,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[6];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,null,null,in,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[7];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,null,null,null,in,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[8];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,null,null,null,null,in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;List;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[9];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = List.of(null,null,null,null,null,null,null,null,null,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;copyOf;(Map);;MapKey of Argument[0];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = Map.copyOf((Map)in); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;copyOf;(Map);;MapValue of Argument[0];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = Map.copyOf((Map)in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;entry;(Object,Object);;Argument[0];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.entry(in,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;entry;(Object,Object);;Argument[1];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.entry(null,in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;of;;;Argument[0];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.of(in,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;of;;;Argument[1];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.of(null,in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;of;;;Argument[2];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.of(null,null,in,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;of;;;Argument[3];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.of(null,null,null,in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;of;;;Argument[4];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.of(null,null,null,null,in,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;of;;;Argument[5];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.of(null,null,null,null,null,in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;of;;;Argument[6];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.of(null,null,null,null,null,null,in,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;of;;;Argument[7];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.of(null,null,null,null,null,null,null,in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;of;;;Argument[8];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.of(null,null,null,null,null,null,null,null,in,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;of;;;Argument[9];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.of(null,null,null,null,null,null,null,null,null,in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;of;;;Argument[10];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.of(null,null,null,null,null,null,null,null,null,null,in,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;of;;;Argument[11];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.of(null,null,null,null,null,null,null,null,null,null,null,in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;of;;;Argument[12];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.of(null,null,null,null,null,null,null,null,null,null,null,null,in,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;of;;;Argument[13];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.of(null,null,null,null,null,null,null,null,null,null,null,null,null,in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;of;;;Argument[14];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.of(null,null,null,null,null,null,null,null,null,null,null,null,null,null,in,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;of;;;Argument[15];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.of(null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;of;;;Argument[16];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.of(null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,in,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;of;;;Argument[17];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.of(null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;of;;;Argument[18];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.of(null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,in,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;of;;;Argument[19];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Map.of(null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;ofEntries;;;MapKey of ArrayElement of Argument[0];MapKey of ReturnValue;value",
+      Object out = null;
+      Object[] in = storeArrayElement(storeMapKey(source())); out = Map.ofEntries((Map.Entry[])in); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Map;false;ofEntries;;;MapValue of ArrayElement of Argument[0];MapValue of ReturnValue;value",
+      Object out = null;
+      Object[] in = storeArrayElement(storeMapValue(source())); out = Map.ofEntries((Map.Entry[])in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;copyOf;(Collection);;Element of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = Set.copyOf((Collection)in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object[]);;ArrayElement of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object[] in = storeArrayElement(source()); out = Set.of(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object);;Argument[1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(in,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object);;Argument[1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object);;Argument[2];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(in,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object);;Argument[1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,in,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object);;Argument[2];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object);;Argument[3];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(in,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object);;Argument[1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,in,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object);;Argument[2];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,in,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object);;Argument[3];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object);;Argument[4];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(in,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object);;Argument[1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,in,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object);;Argument[2];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,in,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object);;Argument[3];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,in,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object);;Argument[4];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object);;Argument[5];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,null,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(in,null,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object);;Argument[1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,in,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object);;Argument[2];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,in,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object);;Argument[3];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,in,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object);;Argument[4];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,in,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object);;Argument[5];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,null,in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object);;Argument[6];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,null,null,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(in,null,null,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object);;Argument[1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,in,null,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object);;Argument[2];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,in,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object);;Argument[3];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,in,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object);;Argument[4];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,in,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object);;Argument[5];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,null,in,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object);;Argument[6];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,null,null,in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object);;Argument[7];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,null,null,null,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(in,null,null,null,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,in,null,null,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[2];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,in,null,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[3];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,in,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[4];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,in,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[5];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,null,in,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[6];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,null,null,in,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[7];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,null,null,null,in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[8];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,null,null,null,null,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(in,null,null,null,null,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,in,null,null,null,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[2];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,in,null,null,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[3];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,in,null,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[4];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,in,null,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[5];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,null,in,null,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[6];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,null,null,in,null,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[7];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,null,null,null,in,null,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[8];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,null,null,null,null,in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Set;false;of;(Object,Object,Object,Object,Object,Object,Object,Object,Object,Object);;Argument[9];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = Set.of(null,null,null,null,null,null,null,null,null,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;stream;;;ArrayElement of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object[] in = storeArrayElement(source()); out = ((Arrays)null).stream(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;spliterator;;;ArrayElement of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object[] in = storeArrayElement(source()); out = ((Arrays)null).spliterator(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;copyOfRange;;;ArrayElement of Argument[0];ArrayElement of ReturnValue;value",
+      Object out = null;
+      Object[] in = storeArrayElement(source()); out = ((Arrays)null).copyOfRange(in,0,0); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;copyOf;;;ArrayElement of Argument[0];ArrayElement of ReturnValue;value",
+      Object out = null;
+      Object[] in = storeArrayElement(source()); out = ((Arrays)null).copyOf(in,0); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;list;(Enumeration);;Element of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collections)null).list((Enumeration)in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;enumeration;(Collection);;Element of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collections)null).enumeration((Collection)in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;nCopies;(int,Object);;Argument[1];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = ((Collections)null).nCopies(0,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;singletonMap;(Object,Object);;Argument[0];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = ((Collections)null).singletonMap(in,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;singletonMap;(Object,Object);;Argument[1];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = ((Collections)null).singletonMap(null,in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;singletonList;(Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = ((Collections)null).singletonList(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;singleton;(Object);;Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = source(); out = ((Collections)null).singleton(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;checkedNavigableMap;(NavigableMap,Class,Class);;MapKey of Argument[0];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((Collections)null).checkedNavigableMap((NavigableMap)in,null,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;checkedNavigableMap;(NavigableMap,Class,Class);;MapValue of Argument[0];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Collections)null).checkedNavigableMap((NavigableMap)in,null,null); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;checkedSortedMap;(SortedMap,Class,Class);;MapKey of Argument[0];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((Collections)null).checkedSortedMap((SortedMap)in,null,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;checkedSortedMap;(SortedMap,Class,Class);;MapValue of Argument[0];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Collections)null).checkedSortedMap((SortedMap)in,null,null); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;checkedMap;(Map,Class,Class);;MapKey of Argument[0];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((Collections)null).checkedMap((Map)in,null,null); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;checkedMap;(Map,Class,Class);;MapValue of Argument[0];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Collections)null).checkedMap((Map)in,null,null); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;checkedList;(List,Class);;Element of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collections)null).checkedList((List)in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;checkedNavigableSet;(NavigableSet,Class);;Element of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collections)null).checkedNavigableSet((NavigableSet)in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;checkedSortedSet;(SortedSet,Class);;Element of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collections)null).checkedSortedSet((SortedSet)in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;checkedSet;(Set,Class);;Element of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collections)null).checkedSet((Set)in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;checkedCollection;(Collection,Class);;Element of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collections)null).checkedCollection((Collection)in,null); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;synchronizedNavigableMap;(NavigableMap);;MapKey of Argument[0];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((Collections)null).synchronizedNavigableMap((NavigableMap)in); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;synchronizedNavigableMap;(NavigableMap);;MapValue of Argument[0];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Collections)null).synchronizedNavigableMap((NavigableMap)in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;synchronizedSortedMap;(SortedMap);;MapKey of Argument[0];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((Collections)null).synchronizedSortedMap((SortedMap)in); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;synchronizedSortedMap;(SortedMap);;MapValue of Argument[0];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Collections)null).synchronizedSortedMap((SortedMap)in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;synchronizedMap;(Map);;MapKey of Argument[0];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((Collections)null).synchronizedMap((Map)in); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;synchronizedMap;(Map);;MapValue of Argument[0];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Collections)null).synchronizedMap((Map)in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;synchronizedList;(List);;Element of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collections)null).synchronizedList((List)in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;synchronizedNavigableSet;(NavigableSet);;Element of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collections)null).synchronizedNavigableSet((NavigableSet)in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;synchronizedSortedSet;(SortedSet);;Element of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collections)null).synchronizedSortedSet((SortedSet)in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;synchronizedSet;(Set);;Element of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collections)null).synchronizedSet((Set)in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;synchronizedCollection;(Collection);;Element of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collections)null).synchronizedCollection((Collection)in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;unmodifiableNavigableMap;(NavigableMap);;MapKey of Argument[0];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((Collections)null).unmodifiableNavigableMap((NavigableMap)in); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;unmodifiableNavigableMap;(NavigableMap);;MapValue of Argument[0];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Collections)null).unmodifiableNavigableMap((NavigableMap)in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;unmodifiableSortedMap;(SortedMap);;MapKey of Argument[0];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((Collections)null).unmodifiableSortedMap((SortedMap)in); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;unmodifiableSortedMap;(SortedMap);;MapValue of Argument[0];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Collections)null).unmodifiableSortedMap((SortedMap)in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;unmodifiableMap;(Map);;MapKey of Argument[0];MapKey of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapKey(source()); out = ((Collections)null).unmodifiableMap((Map)in); sink(readMapKey(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;unmodifiableMap;(Map);;MapValue of Argument[0];MapValue of ReturnValue;value",
+      Object out = null;
+      Object in = storeMapValue(source()); out = ((Collections)null).unmodifiableMap((Map)in); sink(readMapValue(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;unmodifiableList;(List);;Element of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collections)null).unmodifiableList((List)in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;unmodifiableNavigableSet;(NavigableSet);;Element of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collections)null).unmodifiableNavigableSet((NavigableSet)in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;unmodifiableSortedSet;(SortedSet);;Element of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collections)null).unmodifiableSortedSet((SortedSet)in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;unmodifiableSet;(Set);;Element of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collections)null).unmodifiableSet((Set)in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;unmodifiableCollection;(Collection);;Element of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collections)null).unmodifiableCollection((Collection)in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;max;;;Element of Argument[0];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collections)null).max((Collection)in); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;min;;;Element of Argument[0];ReturnValue;value",
+      Object out = null;
+      Object in = storeElement(source()); out = ((Collections)null).min((Collection)in); sink(out); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;fill;(Object[],int,int,Object);;Argument[3];ArrayElement of Argument[0];value",
+      Object[] out = null;
+      Object in = source(); ((Arrays)null).fill(out,0,0,in); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;fill;(Object[],Object);;Argument[1];ArrayElement of Argument[0];value",
+      Object[] out = null;
+      Object in = source(); ((Arrays)null).fill(out,in); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;fill;(float[],int,int,float);;Argument[3];ArrayElement of Argument[0];value",
+      float[] out = null;
+      float in = (Float)source(); ((Arrays)null).fill(out,0,0,in); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;fill;(float[],float);;Argument[1];ArrayElement of Argument[0];value",
+      float[] out = null;
+      float in = (Float)source(); ((Arrays)null).fill(out,in); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;fill;(double[],int,int,double);;Argument[3];ArrayElement of Argument[0];value",
+      double[] out = null;
+      double in = (Double)source(); ((Arrays)null).fill(out,0,0,in); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;fill;(double[],double);;Argument[1];ArrayElement of Argument[0];value",
+      double[] out = null;
+      double in = (Double)source(); ((Arrays)null).fill(out,in); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;fill;(boolean[],int,int,boolean);;Argument[3];ArrayElement of Argument[0];value",
+      boolean[] out = null;
+      boolean in = (Boolean)source(); ((Arrays)null).fill(out,0,0,in); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;fill;(boolean[],boolean);;Argument[1];ArrayElement of Argument[0];value",
+      boolean[] out = null;
+      boolean in = (Boolean)source(); ((Arrays)null).fill(out,in); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;fill;(byte[],int,int,byte);;Argument[3];ArrayElement of Argument[0];value",
+      byte[] out = null;
+      byte in = (Byte)source(); ((Arrays)null).fill(out,0,0,in); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;fill;(byte[],byte);;Argument[1];ArrayElement of Argument[0];value",
+      byte[] out = null;
+      byte in = (Byte)source(); ((Arrays)null).fill(out,in); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;fill;(char[],int,int,char);;Argument[3];ArrayElement of Argument[0];value",
+      char[] out = null;
+      char in = (Character)source(); ((Arrays)null).fill(out,0,0,in); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;fill;(char[],char);;Argument[1];ArrayElement of Argument[0];value",
+      char[] out = null;
+      char in = (Character)source(); ((Arrays)null).fill(out,in); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;fill;(short[],int,int,short);;Argument[3];ArrayElement of Argument[0];value",
+      short[] out = null;
+      short in = (Short)source(); ((Arrays)null).fill(out,0,0,in); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;fill;(short[],short);;Argument[1];ArrayElement of Argument[0];value",
+      short[] out = null;
+      short in = (Short)source(); ((Arrays)null).fill(out,in); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;fill;(int[],int,int,int);;Argument[3];ArrayElement of Argument[0];value",
+      int[] out = null;
+      int in = (Integer)source(); ((Arrays)null).fill(out,0,0,in); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;fill;(int[],int);;Argument[1];ArrayElement of Argument[0];value",
+      int[] out = null;
+      int in = (Integer)source(); ((Arrays)null).fill(out,in); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;fill;(long[],int,int,long);;Argument[3];ArrayElement of Argument[0];value",
+      long[] out = null;
+      long in = (Long)source(); ((Arrays)null).fill(out,0,0,in); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;fill;(long[],long);;Argument[1];ArrayElement of Argument[0];value",
+      long[] out = null;
+      long in = (Long)source(); ((Arrays)null).fill(out,in); sink(readArrayElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;replaceAll;(List,Object,Object);;Argument[2];Element of Argument[0];value",
+      List out = null;
+      Object in = source(); ((Collections)null).replaceAll(out,null,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;copy;(List,List);;Element of Argument[1];Element of Argument[0];value",
+      List out = null;
+      Object in = storeElement(source()); ((Collections)null).copy(out,(List)in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;fill;(List,Object);;Argument[1];Element of Argument[0];value",
+      List out = null;
+      Object in = source(); ((Collections)null).fill(out,in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Arrays;false;asList;;;ArrayElement of Argument[0];Element of ReturnValue;value",
+      Object out = null;
+      Object[] in = storeArrayElement(source()); out = ((Arrays)null).asList(in); sink(readElement(out)); // $ hasValueFlow
+    }
+    {
+      // "java.util;Collections;false;addAll;(Collection,Object[]);;ArrayElement of Argument[1];Element of Argument[0];value"
+      Collection out = null;
+      Object[] in = storeArrayElement(source()); ((Collections)null).addAll(out,in); sink(readElement(out)); // $ hasValueFlow
+    }
+  }
+}
diff --git a/java/ql/test/library-tests/dataflow/collections/ContainterTest.java b/java/ql/test/library-tests/dataflow/collections/ContainterTest.java
index ab9b699be9b..9c291a7b2a3 100644
--- a/java/ql/test/library-tests/dataflow/collections/ContainterTest.java
+++ b/java/ql/test/library-tests/dataflow/collections/ContainterTest.java
@@ -89,7 +89,7 @@ class ContainerTest {
 		sink(stack.peek());
 		sink(stack.pop());
 		sink(stack.push("value")); // not tainted
-		sink(new Stack().push(source("value")));
+		sink(new Stack().push(source("value"))); // $ hasValueFlow
 		mkSink(Stack.class).push(source("value"));
 
 		// java.util.Queue
diff --git a/java/ql/test/library-tests/dataflow/collections/containerflow.expected b/java/ql/test/library-tests/dataflow/collections/containerflow.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/library-tests/dataflow/collections/containerflow.ql b/java/ql/test/library-tests/dataflow/collections/containerflow.ql
new file mode 100644
index 00000000000..409ff5c0107
--- /dev/null
+++ b/java/ql/test/library-tests/dataflow/collections/containerflow.ql
@@ -0,0 +1,45 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.ExternalFlow
+import TestUtilities.InlineExpectationsTest
+import DataFlow
+
+class SummaryModelTest extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //"package;type;overrides;name;signature;ext;inputspec;outputspec;kind",
+        ";B;false;storeArrayElement;(Object);;Argument[0];ArrayElement of ReturnValue;value",
+        ";B;false;storeElement;(Object);;Argument[0];Element of ReturnValue;value",
+        ";B;false;storeMapKey;(Object);;Argument[0];MapKey of ReturnValue;value",
+        ";B;false;storeMapValue;(Object);;Argument[0];MapValue of ReturnValue;value",
+        ";B;false;readArrayElement;(Object);;ArrayElement of Argument[0];ReturnValue;value",
+        ";B;false;readElement;(Object);;Element of Argument[0];ReturnValue;value",
+        ";B;false;readMapKey;(Object);;MapKey of Argument[0];ReturnValue;value",
+        ";B;false;readMapValue;(Object);;MapValue of Argument[0];ReturnValue;value"
+      ]
+  }
+}
+
+class ContainerFlowConf extends Configuration {
+  ContainerFlowConf() { this = "qltest:ContainerFlowConf" }
+
+  override predicate isSource(Node n) { n.asExpr().(MethodAccess).getMethod().hasName("source") }
+
+  override predicate isSink(Node n) { n.asExpr().(Argument).getCall().getCallee().hasName("sink") }
+}
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = "hasValueFlow" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasValueFlow" and
+    exists(Node src, Node sink, ContainerFlowConf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}

From dbe352f3ff11bbe9b7c55a9556d42dc9bc7a7822 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Thu, 20 May 2021 12:55:31 +0200
Subject: [PATCH 1247/1429] Java: Remove deprecated tests.

---
 .../local-additional-taint/ArraysTest.java    | 18 +++----
 .../CollectionsTest.java                      | 40 ---------------
 .../localAdditionalTaintStep.expected         | 49 -------------------
 3 files changed, 9 insertions(+), 98 deletions(-)
 delete mode 100644 java/ql/test/library-tests/dataflow/local-additional-taint/CollectionsTest.java

diff --git a/java/ql/test/library-tests/dataflow/local-additional-taint/ArraysTest.java b/java/ql/test/library-tests/dataflow/local-additional-taint/ArraysTest.java
index f016cb63fd3..45190248a45 100644
--- a/java/ql/test/library-tests/dataflow/local-additional-taint/ArraysTest.java
+++ b/java/ql/test/library-tests/dataflow/local-additional-taint/ArraysTest.java
@@ -3,17 +3,17 @@ import java.util.List;
 
 class ArraysTest {
 	public static void taintSteps(String[] source) {
-		Arrays.asList();
-		Arrays.asList("one");
-		Arrays.asList("two", "three");
-		Arrays.copyOf(source, 10);
-		Arrays.copyOfRange(source, 0, 10);
+
+
+
+
+
 		Arrays.deepToString(source);
-		Arrays.spliterator(source);
-		Arrays.stream(source);
+
+
 		Arrays.toString(source);
-		Arrays.fill(source, "value");
-		Arrays.fill(source, 0, 10, "data");
+
+
 		Arrays.parallelPrefix(source, (x, y) -> x + y);
 		Arrays.parallelPrefix(source, 0, 10, (x, y) -> x + y);
 		Arrays.parallelSetAll(source, x -> Integer.toString(x));
diff --git a/java/ql/test/library-tests/dataflow/local-additional-taint/CollectionsTest.java b/java/ql/test/library-tests/dataflow/local-additional-taint/CollectionsTest.java
deleted file mode 100644
index 7132e0051f0..00000000000
--- a/java/ql/test/library-tests/dataflow/local-additional-taint/CollectionsTest.java
+++ /dev/null
@@ -1,40 +0,0 @@
-import java.util.Collections;
-import java.util.Enumeration;
-import java.util.List;
-import java.util.Set;
-import java.util.Map;
-
-class CollectionsTest {
-	public static void taintSteps(List<String> list, List<String> other, Enumeration enumeration, Map<String,String> map) {
-		Collections.addAll(list);
-		Collections.addAll(list, "one");
-		Collections.addAll(list, "two", "three");
-		Collections.addAll(list, new String[]{ "four" });
-
-		Collections.checkedList(list, String.class);
-		Collections.min(list);
-		Collections.enumeration(list);
-		Collections.list(enumeration);
-		Collections.singletonMap("key", "value");
-		Collections.copy(list, other);
-		Collections.nCopies(10, "item");
-		Collections.replaceAll(list, "search", "replace");
-
-		List.of();
-		java.util.List.of("a");
-		List.of("b", "c");
-		java.util.List.copyOf(list);
-		Set.of();
-		Set.of("d");
-		Set.of("e" , "f");
-		Set.copyOf(list);
-		Map.of();
-		Map.of("k", "v");
-		Map.of("k1", "v1", "k2", "v2");
-		Map.copyOf(map);
-		Map.ofEntries();
-		Map.ofEntries(Map.entry("k3", "v3"));
-		Map.ofEntries(Map.entry("k4", "v4"), Map.entry("k5", "v5"));
-	}
-}
-
diff --git a/java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.expected b/java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.expected
index 75b743dcaab..b55cd7f9a5c 100644
--- a/java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.expected
+++ b/java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.expected
@@ -1,15 +1,3 @@
-| ArraysTest.java:6:3:6:17 | new ..[] { .. } | ArraysTest.java:6:3:6:17 | asList(...) |
-| ArraysTest.java:7:3:7:22 | new ..[] { .. } | ArraysTest.java:7:3:7:22 | asList(...) |
-| ArraysTest.java:7:17:7:21 | "one" | ArraysTest.java:7:3:7:22 | new ..[] { .. } |
-| ArraysTest.java:8:3:8:31 | new ..[] { .. } | ArraysTest.java:8:3:8:31 | asList(...) |
-| ArraysTest.java:8:17:8:21 | "two" | ArraysTest.java:8:3:8:31 | new ..[] { .. } |
-| ArraysTest.java:8:24:8:30 | "three" | ArraysTest.java:8:3:8:31 | new ..[] { .. } |
-| ArraysTest.java:9:17:9:22 | source | ArraysTest.java:9:3:9:27 | copyOf(...) |
-| ArraysTest.java:10:22:10:27 | source | ArraysTest.java:10:3:10:35 | copyOfRange(...) |
-| ArraysTest.java:12:22:12:27 | source | ArraysTest.java:12:3:12:28 | spliterator(...) |
-| ArraysTest.java:13:17:13:22 | source | ArraysTest.java:13:3:13:23 | stream(...) |
-| ArraysTest.java:15:23:15:29 | "value" | ArraysTest.java:15:15:15:20 | source [post update] |
-| ArraysTest.java:16:30:16:35 | "data" | ArraysTest.java:16:15:16:20 | source [post update] |
 | ArraysTest.java:17:43:17:43 | x | ArraysTest.java:17:43:17:47 | ... + ... |
 | ArraysTest.java:17:47:17:47 | y | ArraysTest.java:17:43:17:47 | ... + ... |
 | ArraysTest.java:18:50:18:50 | x | ArraysTest.java:18:50:18:54 | ... + ... |
@@ -18,43 +6,6 @@
 | ArraysTest.java:19:55:19:55 | x | ArraysTest.java:19:38:19:56 | toString(...) |
 | ArraysTest.java:20:30:20:36 | Integer | ArraysTest.java:20:30:20:48 | toString(...) |
 | ArraysTest.java:20:47:20:47 | x | ArraysTest.java:20:30:20:48 | toString(...) |
-| CollectionsTest.java:9:3:9:26 | new ..[] { .. } | CollectionsTest.java:9:22:9:25 | list [post update] |
-| CollectionsTest.java:10:3:10:33 | new ..[] { .. } | CollectionsTest.java:10:22:10:25 | list [post update] |
-| CollectionsTest.java:10:28:10:32 | "one" | CollectionsTest.java:10:3:10:33 | new ..[] { .. } |
-| CollectionsTest.java:11:3:11:42 | new ..[] { .. } | CollectionsTest.java:11:22:11:25 | list [post update] |
-| CollectionsTest.java:11:28:11:32 | "two" | CollectionsTest.java:11:3:11:42 | new ..[] { .. } |
-| CollectionsTest.java:11:35:11:41 | "three" | CollectionsTest.java:11:3:11:42 | new ..[] { .. } |
-| CollectionsTest.java:12:28:12:49 | new String[] | CollectionsTest.java:12:22:12:25 | list [post update] |
-| CollectionsTest.java:12:42:12:47 | "four" | CollectionsTest.java:12:28:12:49 | {...} |
-| CollectionsTest.java:14:27:14:30 | list | CollectionsTest.java:14:3:14:45 | checkedList(...) |
-| CollectionsTest.java:15:19:15:22 | list | CollectionsTest.java:15:3:15:23 | min(...) |
-| CollectionsTest.java:16:27:16:30 | list | CollectionsTest.java:16:3:16:31 | enumeration(...) |
-| CollectionsTest.java:17:20:17:30 | enumeration | CollectionsTest.java:17:3:17:31 | list(...) |
-| CollectionsTest.java:18:35:18:41 | "value" | CollectionsTest.java:18:3:18:42 | singletonMap(...) |
-| CollectionsTest.java:19:26:19:30 | other | CollectionsTest.java:19:20:19:23 | list [post update] |
-| CollectionsTest.java:20:27:20:32 | "item" | CollectionsTest.java:20:3:20:33 | nCopies(...) |
-| CollectionsTest.java:21:42:21:50 | "replace" | CollectionsTest.java:21:26:21:29 | list [post update] |
-| CollectionsTest.java:24:21:24:23 | "a" | CollectionsTest.java:24:3:24:24 | of(...) |
-| CollectionsTest.java:25:11:25:13 | "b" | CollectionsTest.java:25:3:25:19 | of(...) |
-| CollectionsTest.java:25:16:25:18 | "c" | CollectionsTest.java:25:3:25:19 | of(...) |
-| CollectionsTest.java:26:25:26:28 | list | CollectionsTest.java:26:3:26:29 | copyOf(...) |
-| CollectionsTest.java:28:10:28:12 | "d" | CollectionsTest.java:28:3:28:13 | of(...) |
-| CollectionsTest.java:29:10:29:12 | "e" | CollectionsTest.java:29:3:29:19 | of(...) |
-| CollectionsTest.java:29:16:29:18 | "f" | CollectionsTest.java:29:3:29:19 | of(...) |
-| CollectionsTest.java:30:14:30:17 | list | CollectionsTest.java:30:3:30:18 | copyOf(...) |
-| CollectionsTest.java:32:15:32:17 | "v" | CollectionsTest.java:32:3:32:18 | of(...) |
-| CollectionsTest.java:33:16:33:19 | "v1" | CollectionsTest.java:33:3:33:32 | of(...) |
-| CollectionsTest.java:33:28:33:31 | "v2" | CollectionsTest.java:33:3:33:32 | of(...) |
-| CollectionsTest.java:34:14:34:16 | map | CollectionsTest.java:34:3:34:17 | copyOf(...) |
-| CollectionsTest.java:35:3:35:17 | new ..[] { .. } | CollectionsTest.java:35:3:35:17 | ofEntries(...) |
-| CollectionsTest.java:36:3:36:38 | new ..[] { .. } | CollectionsTest.java:36:3:36:38 | ofEntries(...) |
-| CollectionsTest.java:36:17:36:37 | entry(...) | CollectionsTest.java:36:3:36:38 | new ..[] { .. } |
-| CollectionsTest.java:36:33:36:36 | "v3" | CollectionsTest.java:36:17:36:37 | entry(...) |
-| CollectionsTest.java:37:3:37:61 | new ..[] { .. } | CollectionsTest.java:37:3:37:61 | ofEntries(...) |
-| CollectionsTest.java:37:17:37:37 | entry(...) | CollectionsTest.java:37:3:37:61 | new ..[] { .. } |
-| CollectionsTest.java:37:33:37:36 | "v4" | CollectionsTest.java:37:17:37:37 | entry(...) |
-| CollectionsTest.java:37:40:37:60 | entry(...) | CollectionsTest.java:37:3:37:61 | new ..[] { .. } |
-| CollectionsTest.java:37:56:37:59 | "v5" | CollectionsTest.java:37:40:37:60 | entry(...) |
 | Test.java:24:32:24:38 | string2 | Test.java:24:17:24:39 | decode(...) |
 | Test.java:25:46:25:51 | bytes2 | Test.java:25:31:25:52 | encode(...) |
 | Test.java:27:34:27:40 | string2 | Test.java:27:13:27:41 | decode(...) |

From fc913e744e57fb16a54de16668278fa61dbe5f52 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Thu, 20 May 2021 15:29:08 +0200
Subject: [PATCH 1248/1429] Java: Minor model fix.

---
 .../code/java/frameworks/jackson/JacksonSerializability.qll      | 1 +
 1 file changed, 1 insertion(+)

diff --git a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
index 6cda84512a0..618fc1d2710 100644
--- a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
+++ b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
@@ -280,6 +280,7 @@ private class JacksonModel extends SummaryModelCsv {
     row =
       [
         "com.fasterxml.jackson.databind;ObjectMapper;true;valueToTree;;;Argument[0];ReturnValue;taint",
+        "com.fasterxml.jackson.databind;ObjectMapper;true;valueToTree;;;MapValue of Argument[0];ReturnValue;taint",
         "com.fasterxml.jackson.databind;ObjectMapper;true;convertValue;;;Argument[0];ReturnValue;taint"
       ]
   }

From 14f9a5c280b65e1e32868176cfe32a6cd2fe2490 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Tue, 1 Jun 2021 13:08:42 +0200
Subject: [PATCH 1249/1429] Java: Move some CSV flow summary code into shared
 library

---
 .../code/java/dataflow/ExternalFlow.qll       | 147 +++-------------
 .../dataflow/internal/FlowSummaryImpl.qll     | 162 ++++++++++--------
 .../internal/FlowSummaryImplSpecific.qll      |  26 +++
 3 files changed, 143 insertions(+), 192 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 33a146d07fe..57ab641483f 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -67,6 +67,7 @@
 import java
 private import semmle.code.java.dataflow.DataFlow::DataFlow
 private import internal.DataFlowPrivate
+private import internal.FlowSummaryImpl::Private::External
 private import FlowSummary
 
 /**
@@ -498,10 +499,15 @@ module CsvValidation {
       or
       summaryModel(_, _, _, _, _, _, input, _, _) and pred = "summary"
     |
-      specSplit(input, part, _) and
-      not part.regexpMatch("|ReturnValue|ArrayElement|Element|MapKey|MapValue") and
-      not (part = "Argument" and pred = "sink") and
-      not parseArg(part, _) and
+      (
+        invalidSpecComponent(input, part) and
+        not part = "" and
+        not (part = "Argument" and pred = "sink") and
+        not parseArg(part, _)
+        or
+        specSplit(input, part, _) and
+        parseParam(part, _)
+      ) and
       msg = "Unrecognized input specification \"" + part + "\" in " + pred + " model."
     )
     or
@@ -510,11 +516,9 @@ module CsvValidation {
       or
       summaryModel(_, _, _, _, _, _, _, output, _) and pred = "summary"
     |
-      specSplit(output, part, _) and
-      not part.regexpMatch("|ReturnValue|ArrayElement|Element|MapKey|MapValue") and
+      invalidSpecComponent(output, part) and
+      not part = "" and
       not (part = ["Argument", "Parameter"] and pred = "source") and
-      not parseArg(part, _) and
-      not parseParam(part, _) and
       msg = "Unrecognized output specification \"" + part + "\" in " + pred + " model."
     )
     or
@@ -624,7 +628,11 @@ private predicate sinkElement(Element e, string input, string kind) {
   )
 }
 
-private predicate summaryElement(Element e, string input, string output, string kind) {
+/**
+ * Holds if an external flow summary exists for `e` with input specification
+ * `input`, output specification `output`, and kind `kind`.
+ */
+predicate summaryElement(Element e, string input, string output, string kind) {
   exists(
     string namespace, string type, boolean subtypes, string name, string signature, string ext
   |
@@ -633,52 +641,14 @@ private predicate summaryElement(Element e, string input, string output, string
   )
 }
 
-private string inOutSpec() {
+/** Gets a specification used in a source model, sink model, or summary model. */
+string inOutSpec() {
   sourceModel(_, _, _, _, _, _, result, _) or
   sinkModel(_, _, _, _, _, _, result, _) or
   summaryModel(_, _, _, _, _, _, result, _, _) or
   summaryModel(_, _, _, _, _, _, _, result, _)
 }
 
-private predicate specSplit(string s, string c, int n) {
-  inOutSpec() = s and s.splitAt(" of ", n) = c
-}
-
-private predicate len(string s, int len) { len = 1 + max(int n | specSplit(s, _, n)) }
-
-private string getLast(string s) {
-  exists(int len |
-    len(s, len) and
-    specSplit(s, result, len - 1)
-  )
-}
-
-private predicate parseParam(string c, int n) {
-  specSplit(_, c, _) and
-  (
-    c.regexpCapture("Parameter\\[([-0-9]+)\\]", 1).toInt() = n
-    or
-    exists(int n1, int n2 |
-      c.regexpCapture("Parameter\\[([-0-9]+)\\.\\.([0-9]+)\\]", 1).toInt() = n1 and
-      c.regexpCapture("Parameter\\[([-0-9]+)\\.\\.([0-9]+)\\]", 2).toInt() = n2 and
-      n = [n1 .. n2]
-    )
-  )
-}
-
-private predicate parseArg(string c, int n) {
-  specSplit(_, c, _) and
-  (
-    c.regexpCapture("Argument\\[([-0-9]+)\\]", 1).toInt() = n
-    or
-    exists(int n1, int n2 |
-      c.regexpCapture("Argument\\[([-0-9]+)\\.\\.([0-9]+)\\]", 1).toInt() = n1 and
-      c.regexpCapture("Argument\\[([-0-9]+)\\.\\.([0-9]+)\\]", 2).toInt() = n2 and
-      n = [n1 .. n2]
-    )
-  )
-}
-
 private predicate inputNeedsReference(string c) {
   c = "Argument" or
   parseArg(c, _)
@@ -693,7 +663,7 @@ private predicate outputNeedsReference(string c) {
 private predicate sourceElementRef(Top ref, string output, string kind) {
   exists(Element e |
     sourceElement(e, output, kind) and
-    if outputNeedsReference(getLast(output))
+    if outputNeedsReference(specLast(output))
     then ref.(Call).getCallee().getSourceDeclaration() = e
     else ref = e
   )
@@ -702,7 +672,7 @@ private predicate sourceElementRef(Top ref, string output, string kind) {
 private predicate sinkElementRef(Top ref, string input, string kind) {
   exists(Element e |
     sinkElement(e, input, kind) and
-    if inputNeedsReference(getLast(input))
+    if inputNeedsReference(specLast(input))
     then ref.(Call).getCallee().getSourceDeclaration() = e
     else ref = e
   )
@@ -711,81 +681,12 @@ private predicate sinkElementRef(Top ref, string input, string kind) {
 private predicate summaryElementRef(Top ref, string input, string output, string kind) {
   exists(Element e |
     summaryElement(e, input, output, kind) and
-    if inputNeedsReference(getLast(input))
+    if inputNeedsReference(specLast(input))
     then ref.(Call).getCallee().getSourceDeclaration() = e
     else ref = e
   )
 }
 
-private SummaryComponent interpretComponent(string c) {
-  specSplit(_, c, _) and
-  (
-    exists(int pos | parseArg(c, pos) and result = SummaryComponent::argument(pos))
-    or
-    exists(int pos | parseParam(c, pos) and result = SummaryComponent::parameter(pos))
-    or
-    c = "ReturnValue" and result = SummaryComponent::return()
-    or
-    c = "ArrayElement" and result = SummaryComponent::content(any(ArrayContent c0))
-    or
-    c = "Element" and result = SummaryComponent::content(any(CollectionContent c0))
-    or
-    c = "MapKey" and result = SummaryComponent::content(any(MapKeyContent c0))
-    or
-    c = "MapValue" and result = SummaryComponent::content(any(MapValueContent c0))
-  )
-}
-
-private predicate interpretSpec(string spec, int idx, SummaryComponentStack stack) {
-  exists(string c |
-    summaryElement(_, spec, _, _) or
-    summaryElement(_, _, spec, _)
-  |
-    len(spec, idx + 1) and
-    specSplit(spec, c, idx) and
-    stack = SummaryComponentStack::singleton(interpretComponent(c))
-  )
-  or
-  exists(SummaryComponent head, SummaryComponentStack tail |
-    interpretSpec(spec, idx, head, tail) and
-    stack = SummaryComponentStack::push(head, tail)
-  )
-}
-
-private predicate interpretSpec(
-  string output, int idx, SummaryComponent head, SummaryComponentStack tail
-) {
-  exists(string c |
-    interpretSpec(output, idx + 1, tail) and
-    specSplit(output, c, idx) and
-    head = interpretComponent(c)
-  )
-}
-
-private class MkStack extends RequiredSummaryComponentStack {
-  MkStack() { interpretSpec(_, _, _, this) }
-
-  override predicate required(SummaryComponent c) { interpretSpec(_, _, c, this) }
-}
-
-private class SummarizedCallableExternal extends SummarizedCallable {
-  SummarizedCallableExternal() { summaryElement(this, _, _, _) }
-
-  override predicate propagatesFlow(
-    SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
-  ) {
-    exists(string inSpec, string outSpec, string kind |
-      summaryElement(this, inSpec, outSpec, kind) and
-      interpretSpec(inSpec, 0, input) and
-      interpretSpec(outSpec, 0, output)
-    |
-      kind = "value" and preservesValue = true
-      or
-      kind = "taint" and preservesValue = false
-    )
-  }
-}
-
 private newtype TAstOrNode =
   TAst(Top t) or
   TNode(Node n)
@@ -795,7 +696,7 @@ private predicate interpretOutput(string output, int idx, Top ref, TAstOrNode no
     sourceElementRef(ref, output, _) or
     summaryElementRef(ref, _, output, _)
   ) and
-  len(output, idx) and
+  specLength(output, idx) and
   node = TAst(ref)
   or
   exists(Top mid, string c, Node n |
@@ -827,7 +728,7 @@ private predicate interpretInput(string input, int idx, Top ref, TAstOrNode node
     sinkElementRef(ref, input, _) or
     summaryElementRef(ref, input, _, _)
   ) and
-  len(input, idx) and
+  specLength(input, idx) and
   node = TAst(ref)
   or
   exists(Top mid, string c, Node n |
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
index bdf5498d8c6..da6f89071ef 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
@@ -580,88 +580,112 @@ module Private {
    * summaries into a `SummarizedCallable`s.
    */
   module External {
-    /**
-     * Provides a means of translating an externally (e.g., CSV) defined flow
-     * summary into a `SummarizedCallable`.
-     */
-    abstract class ExternalSummaryCompilation extends string {
-      bindingset[this]
-      ExternalSummaryCompilation() { any() }
+    /** Holds if the `n`th component of specification `s` is `c`. */
+    predicate specSplit(string s, string c, int n) { relevantSpec(s) and s.splitAt(" of ", n) = c }
 
-      /** Holds if this flow summary is for callable `c`. */
-      abstract predicate callable(DataFlowCallable c, boolean preservesValue);
+    /** Holds if specification `s` has length `len`. */
+    predicate specLength(string s, int len) { len = 1 + max(int n | specSplit(s, _, n)) }
 
-      /** Holds if the `i`th input component is `c`. */
-      abstract predicate input(int i, SummaryComponent c);
-
-      /** Holds if the `i`th output component is `c`. */
-      abstract predicate output(int i, SummaryComponent c);
-
-      /**
-       * Holds if the input components starting from index `i` translate into `suffix`.
-       */
-      final predicate translateInput(int i, SummaryComponentStack suffix) {
-        exists(SummaryComponent comp | this.input(i, comp) |
-          i = max(int j | this.input(j, _)) and
-          suffix = TSingletonSummaryComponentStack(comp)
-          or
-          exists(TSummaryComponent head, SummaryComponentStack tail |
-            this.translateInputCons(i, head, tail) and
-            suffix = TConsSummaryComponentStack(head, tail)
-          )
-        )
-      }
-
-      final predicate translateInputCons(int i, SummaryComponent head, SummaryComponentStack tail) {
-        this.input(i, head) and
-        this.translateInput(i + 1, tail)
-      }
-
-      /**
-       * Holds if the output components starting from index `i` translate into `suffix`.
-       */
-      predicate translateOutput(int i, SummaryComponentStack suffix) {
-        exists(SummaryComponent comp | this.output(i, comp) |
-          i = max(int j | this.output(j, _)) and
-          suffix = TSingletonSummaryComponentStack(comp)
-          or
-          exists(TSummaryComponent head, SummaryComponentStack tail |
-            this.translateOutputCons(i, head, tail) and
-            suffix = TConsSummaryComponentStack(head, tail)
-          )
-        )
-      }
-
-      predicate translateOutputCons(int i, SummaryComponent head, SummaryComponentStack tail) {
-        this.output(i, head) and
-        this.translateOutput(i + 1, tail)
-      }
+    /** Gets the last component of specification `s`. */
+    string specLast(string s) {
+      exists(int len |
+        specLength(s, len) and
+        specSplit(s, result, len - 1)
+      )
     }
 
-    private class ExternalRequiredSummaryComponentStack extends RequiredSummaryComponentStack {
-      private SummaryComponent head;
-
-      ExternalRequiredSummaryComponentStack() {
-        any(ExternalSummaryCompilation s).translateInputCons(_, head, this) or
-        any(ExternalSummaryCompilation s).translateOutputCons(_, head, this)
-      }
-
-      override predicate required(SummaryComponent c) { c = head }
+    /** Holds if specification component `c` parses as parameter `n`. */
+    predicate parseParam(string c, int n) {
+      specSplit(_, c, _) and
+      (
+        c.regexpCapture("Parameter\\[([-0-9]+)\\]", 1).toInt() = n
+        or
+        exists(int n1, int n2 |
+          c.regexpCapture("Parameter\\[([-0-9]+)\\.\\.([0-9]+)\\]", 1).toInt() = n1 and
+          c.regexpCapture("Parameter\\[([-0-9]+)\\.\\.([0-9]+)\\]", 2).toInt() = n2 and
+          n = [n1 .. n2]
+        )
+      )
     }
 
-    class ExternalSummarizedCallableAdaptor extends SummarizedCallable {
-      ExternalSummarizedCallableAdaptor() { any(ExternalSummaryCompilation s).callable(this, _) }
+    /** Holds if specification component `c` parses as argument `n`. */
+    predicate parseArg(string c, int n) {
+      specSplit(_, c, _) and
+      (
+        c.regexpCapture("Argument\\[([-0-9]+)\\]", 1).toInt() = n
+        or
+        exists(int n1, int n2 |
+          c.regexpCapture("Argument\\[([-0-9]+)\\.\\.([0-9]+)\\]", 1).toInt() = n1 and
+          c.regexpCapture("Argument\\[([-0-9]+)\\.\\.([0-9]+)\\]", 2).toInt() = n2 and
+          n = [n1 .. n2]
+        )
+      )
+    }
+
+    private SummaryComponent interpretComponent(string c) {
+      specSplit(_, c, _) and
+      (
+        exists(int pos | parseArg(c, pos) and result = SummaryComponent::argument(pos))
+        or
+        exists(int pos | parseParam(c, pos) and result = SummaryComponent::parameter(pos))
+        or
+        result = interpretComponentSpecific(c)
+      )
+    }
+
+    private predicate interpretSpec(string spec, int idx, SummaryComponentStack stack) {
+      exists(string c |
+        relevantSpec(spec) and
+        specLength(spec, idx + 1) and
+        specSplit(spec, c, idx) and
+        stack = SummaryComponentStack::singleton(interpretComponent(c))
+      )
+      or
+      exists(SummaryComponent head, SummaryComponentStack tail |
+        interpretSpec(spec, idx, head, tail) and
+        stack = SummaryComponentStack::push(head, tail)
+      )
+    }
+
+    private predicate interpretSpec(
+      string output, int idx, SummaryComponent head, SummaryComponentStack tail
+    ) {
+      exists(string c |
+        interpretSpec(output, idx + 1, tail) and
+        specSplit(output, c, idx) and
+        head = interpretComponent(c)
+      )
+    }
+
+    private class MkStack extends RequiredSummaryComponentStack {
+      MkStack() { interpretSpec(_, _, _, this) }
+
+      override predicate required(SummaryComponent c) { interpretSpec(_, _, c, this) }
+    }
+
+    private class SummarizedCallableExternal extends SummarizedCallable {
+      SummarizedCallableExternal() { externalSummary(this, _, _, _) }
 
       override predicate propagatesFlow(
         SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
       ) {
-        exists(ExternalSummaryCompilation s |
-          s.callable(this, preservesValue) and
-          s.translateInput(0, input) and
-          s.translateOutput(0, output)
+        exists(string inSpec, string outSpec, string kind |
+          externalSummary(this, inSpec, outSpec, kind) and
+          interpretSpec(inSpec, 0, input) and
+          interpretSpec(outSpec, 0, output)
+        |
+          kind = "value" and preservesValue = true
+          or
+          kind = "taint" and preservesValue = false
         )
       }
     }
+
+    /** Holds if component `c` of specification `spec` cannot be parsed. */
+    predicate invalidSpecComponent(string spec, string c) {
+      specSplit(spec, c, _) and
+      not exists(interpretComponent(c))
+    }
   }
 
   /** Provides a query predicate for outputting a set of relevant flow summaries. */
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
index dae0571f0fa..327ddfb50dd 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
@@ -7,6 +7,7 @@ private import DataFlowPrivate
 private import DataFlowUtil
 private import FlowSummaryImpl::Private
 private import FlowSummaryImpl::Public
+private import semmle.code.java.dataflow.ExternalFlow
 
 private module FlowSummaries {
   private import semmle.code.java.dataflow.FlowSummary as F
@@ -49,3 +50,28 @@ DataFlowType getCallbackParameterType(DataFlowType t, int i) { none() }
  * callback of type `t`.
  */
 DataFlowType getCallbackReturnType(DataFlowType t, ReturnKind rk) { none() }
+
+/** Holds if `spec` is a relevant external specification. */
+predicate relevantSpec(string spec) { spec = inOutSpec() }
+
+/**
+ * Holds if an external flow summary exists for `c` with input specification
+ * `input`, output specification `output`, and kind `kind`.
+ */
+predicate externalSummary(DataFlowCallable c, string input, string output, string kind) {
+  summaryElement(c, input, output, kind)
+}
+
+/** Gets the summary component for specification component `c`, if any. */
+bindingset[c]
+SummaryComponent interpretComponentSpecific(string c) {
+  c = "ReturnValue" and result = SummaryComponent::return(_)
+  or
+  c = "ArrayElement" and result = SummaryComponent::content(any(ArrayContent c0))
+  or
+  c = "Element" and result = SummaryComponent::content(any(CollectionContent c0))
+  or
+  c = "MapKey" and result = SummaryComponent::content(any(MapKeyContent c0))
+  or
+  c = "MapValue" and result = SummaryComponent::content(any(MapValueContent c0))
+}

From ecf7f24cde1a3b721f006733e6a5f57878c55f1e Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Tue, 1 Jun 2021 13:09:27 +0200
Subject: [PATCH 1250/1429] C#: Sync latest `FlowSummaryImpl.qll` changes

---
 .../dataflow/internal/FlowSummaryImpl.qll     | 162 ++++++++++--------
 .../internal/FlowSummaryImplSpecific.qll      |  27 +++
 2 files changed, 120 insertions(+), 69 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
index bdf5498d8c6..da6f89071ef 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
@@ -580,88 +580,112 @@ module Private {
    * summaries into a `SummarizedCallable`s.
    */
   module External {
-    /**
-     * Provides a means of translating an externally (e.g., CSV) defined flow
-     * summary into a `SummarizedCallable`.
-     */
-    abstract class ExternalSummaryCompilation extends string {
-      bindingset[this]
-      ExternalSummaryCompilation() { any() }
+    /** Holds if the `n`th component of specification `s` is `c`. */
+    predicate specSplit(string s, string c, int n) { relevantSpec(s) and s.splitAt(" of ", n) = c }
 
-      /** Holds if this flow summary is for callable `c`. */
-      abstract predicate callable(DataFlowCallable c, boolean preservesValue);
+    /** Holds if specification `s` has length `len`. */
+    predicate specLength(string s, int len) { len = 1 + max(int n | specSplit(s, _, n)) }
 
-      /** Holds if the `i`th input component is `c`. */
-      abstract predicate input(int i, SummaryComponent c);
-
-      /** Holds if the `i`th output component is `c`. */
-      abstract predicate output(int i, SummaryComponent c);
-
-      /**
-       * Holds if the input components starting from index `i` translate into `suffix`.
-       */
-      final predicate translateInput(int i, SummaryComponentStack suffix) {
-        exists(SummaryComponent comp | this.input(i, comp) |
-          i = max(int j | this.input(j, _)) and
-          suffix = TSingletonSummaryComponentStack(comp)
-          or
-          exists(TSummaryComponent head, SummaryComponentStack tail |
-            this.translateInputCons(i, head, tail) and
-            suffix = TConsSummaryComponentStack(head, tail)
-          )
-        )
-      }
-
-      final predicate translateInputCons(int i, SummaryComponent head, SummaryComponentStack tail) {
-        this.input(i, head) and
-        this.translateInput(i + 1, tail)
-      }
-
-      /**
-       * Holds if the output components starting from index `i` translate into `suffix`.
-       */
-      predicate translateOutput(int i, SummaryComponentStack suffix) {
-        exists(SummaryComponent comp | this.output(i, comp) |
-          i = max(int j | this.output(j, _)) and
-          suffix = TSingletonSummaryComponentStack(comp)
-          or
-          exists(TSummaryComponent head, SummaryComponentStack tail |
-            this.translateOutputCons(i, head, tail) and
-            suffix = TConsSummaryComponentStack(head, tail)
-          )
-        )
-      }
-
-      predicate translateOutputCons(int i, SummaryComponent head, SummaryComponentStack tail) {
-        this.output(i, head) and
-        this.translateOutput(i + 1, tail)
-      }
+    /** Gets the last component of specification `s`. */
+    string specLast(string s) {
+      exists(int len |
+        specLength(s, len) and
+        specSplit(s, result, len - 1)
+      )
     }
 
-    private class ExternalRequiredSummaryComponentStack extends RequiredSummaryComponentStack {
-      private SummaryComponent head;
-
-      ExternalRequiredSummaryComponentStack() {
-        any(ExternalSummaryCompilation s).translateInputCons(_, head, this) or
-        any(ExternalSummaryCompilation s).translateOutputCons(_, head, this)
-      }
-
-      override predicate required(SummaryComponent c) { c = head }
+    /** Holds if specification component `c` parses as parameter `n`. */
+    predicate parseParam(string c, int n) {
+      specSplit(_, c, _) and
+      (
+        c.regexpCapture("Parameter\\[([-0-9]+)\\]", 1).toInt() = n
+        or
+        exists(int n1, int n2 |
+          c.regexpCapture("Parameter\\[([-0-9]+)\\.\\.([0-9]+)\\]", 1).toInt() = n1 and
+          c.regexpCapture("Parameter\\[([-0-9]+)\\.\\.([0-9]+)\\]", 2).toInt() = n2 and
+          n = [n1 .. n2]
+        )
+      )
     }
 
-    class ExternalSummarizedCallableAdaptor extends SummarizedCallable {
-      ExternalSummarizedCallableAdaptor() { any(ExternalSummaryCompilation s).callable(this, _) }
+    /** Holds if specification component `c` parses as argument `n`. */
+    predicate parseArg(string c, int n) {
+      specSplit(_, c, _) and
+      (
+        c.regexpCapture("Argument\\[([-0-9]+)\\]", 1).toInt() = n
+        or
+        exists(int n1, int n2 |
+          c.regexpCapture("Argument\\[([-0-9]+)\\.\\.([0-9]+)\\]", 1).toInt() = n1 and
+          c.regexpCapture("Argument\\[([-0-9]+)\\.\\.([0-9]+)\\]", 2).toInt() = n2 and
+          n = [n1 .. n2]
+        )
+      )
+    }
+
+    private SummaryComponent interpretComponent(string c) {
+      specSplit(_, c, _) and
+      (
+        exists(int pos | parseArg(c, pos) and result = SummaryComponent::argument(pos))
+        or
+        exists(int pos | parseParam(c, pos) and result = SummaryComponent::parameter(pos))
+        or
+        result = interpretComponentSpecific(c)
+      )
+    }
+
+    private predicate interpretSpec(string spec, int idx, SummaryComponentStack stack) {
+      exists(string c |
+        relevantSpec(spec) and
+        specLength(spec, idx + 1) and
+        specSplit(spec, c, idx) and
+        stack = SummaryComponentStack::singleton(interpretComponent(c))
+      )
+      or
+      exists(SummaryComponent head, SummaryComponentStack tail |
+        interpretSpec(spec, idx, head, tail) and
+        stack = SummaryComponentStack::push(head, tail)
+      )
+    }
+
+    private predicate interpretSpec(
+      string output, int idx, SummaryComponent head, SummaryComponentStack tail
+    ) {
+      exists(string c |
+        interpretSpec(output, idx + 1, tail) and
+        specSplit(output, c, idx) and
+        head = interpretComponent(c)
+      )
+    }
+
+    private class MkStack extends RequiredSummaryComponentStack {
+      MkStack() { interpretSpec(_, _, _, this) }
+
+      override predicate required(SummaryComponent c) { interpretSpec(_, _, c, this) }
+    }
+
+    private class SummarizedCallableExternal extends SummarizedCallable {
+      SummarizedCallableExternal() { externalSummary(this, _, _, _) }
 
       override predicate propagatesFlow(
         SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
       ) {
-        exists(ExternalSummaryCompilation s |
-          s.callable(this, preservesValue) and
-          s.translateInput(0, input) and
-          s.translateOutput(0, output)
+        exists(string inSpec, string outSpec, string kind |
+          externalSummary(this, inSpec, outSpec, kind) and
+          interpretSpec(inSpec, 0, input) and
+          interpretSpec(outSpec, 0, output)
+        |
+          kind = "value" and preservesValue = true
+          or
+          kind = "taint" and preservesValue = false
         )
       }
     }
+
+    /** Holds if component `c` of specification `spec` cannot be parsed. */
+    predicate invalidSpecComponent(string spec, string c) {
+      specSplit(spec, c, _) and
+      not exists(interpretComponent(c))
+    }
   }
 
   /** Provides a query predicate for outputting a set of relevant flow summaries. */
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll
index 01e3a2e1633..5568b8d3368 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll
@@ -77,3 +77,30 @@ DataFlowType getCallbackReturnType(DataFlowType t, ReturnKind rk) {
     result = Gvn::getGlobalValueNumber(dt.getDelegateType().getReturnType())
   )
 }
+
+/** Holds if `spec` is a relevant external specification. */
+predicate relevantSpec(string spec) { none() }
+
+/**
+ * Holds if an external flow summary exists for `c` with input specification
+ * `input`, output specification `output`, and kind `kind`.
+ */
+predicate externalSummary(DataFlowCallable c, string input, string output, string kind) { none() }
+
+/** Gets the summary component for specification component `c`, if any. */
+bindingset[c]
+SummaryComponent interpretComponentSpecific(string c) {
+  c = "ReturnValue" and result = SummaryComponent::return(any(NormalReturnKind nrk))
+  or
+  c = "Element" and result = SummaryComponent::content(any(ElementContent ec))
+  or
+  exists(Field f |
+    c.regexpCapture("Field\\[(.+)\\]", 1) = f.getQualifiedName() and
+    result = SummaryComponent::content(any(FieldContent fc | fc.getField() = f))
+  )
+  or
+  exists(Property p |
+    c.regexpCapture("Property\\[(.+)\\]", 1) = p.getQualifiedName() and
+    result = SummaryComponent::content(any(PropertyContent pc | pc.getProperty() = p))
+  )
+}

From 0fb692400cff3f22a2929f673da18b4b91379b00 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Tue, 1 Jun 2021 13:57:13 +0200
Subject: [PATCH 1251/1429] fix failing test

---
 .../Security/CWE/CWE-209/StackTraceExposure.ql  | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
index b82edc2efc6..4f2753b9723 100644
--- a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+++ b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
@@ -109,7 +109,7 @@ predicate printsStackExternally(MethodAccess call, Expr stackTrace) {
 /**
  * A stringified stack trace flows to an external sink.
  */
-predicate stringifiedStackFlowsExternally(XssSink externalExpr, Expr stackTrace) {
+predicate stringifiedStackFlowsExternally(DataFlow::Node externalExpr, Expr stackTrace) {
   exists(MethodAccess stackTraceString, StackTraceStringToHTTPResponseSinkFlowConfig conf |
     stackTraceExpr(stackTrace, stackTraceString) and
     conf.hasFlow(DataFlow::exprNode(stackTraceString), externalExpr)
@@ -127,21 +127,24 @@ class GetMessageFlowSource extends MethodAccess {
   }
 }
 
-class GetMessageFlowSourceToXssSinkFlowConfig extends TaintTracking::Configuration {
-  GetMessageFlowSourceToXssSinkFlowConfig() {
-    this = "StackTraceExposure::GetMessageFlowSourceToXssSinkFlowConfig"
+class GetMessageFlowSourceToHTTPResponseSinkFlowConfig extends TaintTracking::Configuration {
+  GetMessageFlowSourceToHTTPResponseSinkFlowConfig() {
+    this = "StackTraceExposure::GetMessageFlowSourceToHTTPResponseSinkFlowConfig"
   }
 
   override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof GetMessageFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
+  override predicate isSink(DataFlow::Node sink) {
+    sink instanceof XssSink or
+    sink instanceof InformationLeakSink
+  }
 }
 
 /**
  * A call to `getMessage()` that then flows to a servlet response.
  */
-predicate getMessageFlowsExternally(XssSink externalExpr, GetMessageFlowSource getMessage) {
-  any(GetMessageFlowSourceToXssSinkFlowConfig conf)
+predicate getMessageFlowsExternally(DataFlow::Node externalExpr, GetMessageFlowSource getMessage) {
+  any(GetMessageFlowSourceToHTTPResponseSinkFlowConfig conf)
       .hasFlow(DataFlow::exprNode(getMessage), externalExpr)
 }
 

From 1c081eeaedb27332623e67231bf21c1f5d8a62d5 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Tue, 1 Jun 2021 13:51:16 +0200
Subject: [PATCH 1252/1429] Java: Update coverage.

---
 .../library-coverage/flow-model-coverage.csv   | 18 +++++++++---------
 .../library-coverage/flow-model-coverage.rst   | 10 +++++-----
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/java/documentation/library-coverage/flow-model-coverage.csv b/java/documentation/library-coverage/flow-model-coverage.csv
index cf97071ad92..a66f7880221 100644
--- a/java/documentation/library-coverage/flow-model-coverage.csv
+++ b/java/documentation/library-coverage/flow-model-coverage.csv
@@ -3,16 +3,16 @@ android.util,,16,,,,,,,,,,,16,,
 android.webkit,3,2,,,,,,,,,,3,2,,
 com.esotericsoftware.kryo.io,,,1,,,,,,,,,,,1,
 com.esotericsoftware.kryo5.io,,,1,,,,,,,,,,,1,
-com.fasterxml.jackson.databind,,,2,,,,,,,,,,,2,
-com.google.common.base,,,28,,,,,,,,,,,22,6
-com.google.common.io,6,,69,,,,,,,6,,,,68,1
+com.fasterxml.jackson.databind,,,3,,,,,,,,,,,3,
+com.google.common.base,,,34,,,,,,,,,,,28,6
+com.google.common.io,6,,73,,,,,,,6,,,,72,1
 com.unboundid.ldap.sdk,17,,,,,,17,,,,,,,,
 java.beans,,,1,,,,,,,,,,,1,
 java.io,3,,20,,3,,,,,,,,,20,
-java.lang,,,1,,,,,,,,,,,1,
+java.lang,,,3,,,,,,,,,,,1,2
 java.net,2,3,4,,,,,2,,,,,3,4,
 java.nio,10,,2,,10,,,,,,,,,2,
-java.util,,,13,,,,,,,,,,,13,
+java.util,,,283,,,,,,,,,,,15,268
 javax.naming.directory,1,,,,,,1,,,,,,,,
 javax.net.ssl,2,,,,,,,,2,,,,,,
 javax.servlet,4,21,2,,,3,,,,,,1,21,2,
@@ -23,14 +23,14 @@ javax.xml.transform.stream,,,2,,,,,,,,,,,2,
 javax.xml.xpath,3,,,,,,,,,,3,,,,
 org.apache.commons.codec,,,2,,,,,,,,,,,2,
 org.apache.commons.io,,,22,,,,,,,,,,,22,
-org.apache.commons.lang3,,,313,,,,,,,,,,,299,14
-org.apache.commons.text,,,203,,,,,,,,,,,203,
+org.apache.commons.lang3,,,327,,,,,,,,,,,311,16
+org.apache.commons.text,,,220,,,,,,,,,,,220,
 org.apache.directory.ldap.client.api,1,,,,,,1,,,,,,,,
 org.apache.hc.core5.function,,,1,,,,,,,,,,,1,
 org.apache.hc.core5.http,1,2,39,,,,,,,,,1,2,39,
 org.apache.hc.core5.net,,,2,,,,,,,,,,,2,
-org.apache.hc.core5.util,,,22,,,,,,,,,,,18,4
-org.apache.http,2,3,66,,,,,,,,,2,3,59,7
+org.apache.hc.core5.util,,,24,,,,,,,,,,,18,6
+org.apache.http,2,3,67,,,,,,,,,2,3,59,8
 org.dom4j,20,,,,,,,,,,20,,,,
 org.springframework.ldap.core,14,,,,,,14,,,,,,,,
 org.springframework.security.web.savedrequest,,6,,,,,,,,,,,6,,
diff --git a/java/documentation/library-coverage/flow-model-coverage.rst b/java/documentation/library-coverage/flow-model-coverage.rst
index 8bb20a9b6c3..6e46c906b07 100644
--- a/java/documentation/library-coverage/flow-model-coverage.rst
+++ b/java/documentation/library-coverage/flow-model-coverage.rst
@@ -8,12 +8,12 @@ Java framework & library support
 
    Framework / library,Package,Remote flow sources,Taint & value steps,Sinks (total),`CWE‑022` :sub:`Path injection`,`CWE‑036` :sub:`Path traversal`,`CWE‑079` :sub:`Cross-site scripting`,`CWE‑089` :sub:`SQL injection`,`CWE‑090` :sub:`LDAP injection`,`CWE‑094` :sub:`Code injection`,`CWE‑319` :sub:`Cleartext transmission`
    Android,``android.*``,18,,3,,,3,,,,
-   Apache,``org.apache.*``,5,648,4,,,3,,1,,
+   Apache,``org.apache.*``,5,682,4,,,3,,1,,
    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,22,,,,,,,,
-   Google,``com.google.common.*``,,97,6,,6,,,,,
-   Java Standard Library,``java.*``,3,41,15,13,,,,,,2
+   Google,``com.google.common.*``,,107,6,,6,,,,,
+   Java Standard Library,``java.*``,3,313,15,13,,,,,,2
    Java extensions,``javax.*``,22,8,12,,,1,,1,1,
    `Spring <https://spring.io/>`_,``org.springframework.*``,29,,14,,,,,14,,
-   Others,"``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.databind``, ``com.unboundid.ldap.sdk``, ``org.dom4j``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``",7,5,37,,,,,17,,
-   Totals,,84,821,91,13,6,7,,33,1,2
+   Others,"``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.databind``, ``com.unboundid.ldap.sdk``, ``org.dom4j``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``",7,6,37,,,,,17,,
+   Totals,,84,1138,91,13,6,7,,33,1,2
 

From 922b421a45388be29efdb5d91b2031add1133df4 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Tue, 1 Jun 2021 14:33:52 +0200
Subject: [PATCH 1253/1429] Java: Add change note.

---
 java/change-notes/2021-06-01-collection-flow.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 java/change-notes/2021-06-01-collection-flow.md

diff --git a/java/change-notes/2021-06-01-collection-flow.md b/java/change-notes/2021-06-01-collection-flow.md
new file mode 100644
index 00000000000..5da2e78d1df
--- /dev/null
+++ b/java/change-notes/2021-06-01-collection-flow.md
@@ -0,0 +1,5 @@
+lgtm,codescanning
+* Data flow now tracks steps through collections and arrays more precisely.
+  That means that collection and array read steps are now matched up with
+  preceding store steps. This results in increased precision for all flow-based
+  queries, in particular most of the security queries.

From 970b4e7d6a49a95f6d6a5577cd7ac315065f5553 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Tue, 1 Jun 2021 14:54:31 +0200
Subject: [PATCH 1254/1429] update java library coverage documentation

---
 .../library-coverage/flow-model-coverage.csv  | 84 +++++++++----------
 .../library-coverage/flow-model-coverage.rst  |  4 +-
 2 files changed, 44 insertions(+), 44 deletions(-)

diff --git a/java/documentation/library-coverage/flow-model-coverage.csv b/java/documentation/library-coverage/flow-model-coverage.csv
index 73f06306193..464228bb022 100644
--- a/java/documentation/library-coverage/flow-model-coverage.csv
+++ b/java/documentation/library-coverage/flow-model-coverage.csv
@@ -1,42 +1,42 @@
-package,sink,source,summary,sink:bean-validation,sink:create-file,sink:header-splitting,sink:ldap,sink:open-url,sink:set-hostname-verifier,sink:url-open-stream,sink:xpath,sink:xss,source:remote,summary:taint,summary:value
-android.util,,16,,,,,,,,,,,16,,
-android.webkit,3,2,,,,,,,,,,3,2,,
-com.esotericsoftware.kryo.io,,,1,,,,,,,,,,,1,
-com.esotericsoftware.kryo5.io,,,1,,,,,,,,,,,1,
-com.fasterxml.jackson.databind,,,2,,,,,,,,,,,2,
-com.google.common.base,,,28,,,,,,,,,,,22,6
-com.google.common.io,6,,69,,,,,,,6,,,,68,1
-com.unboundid.ldap.sdk,17,,,,,,17,,,,,,,,
-java.beans,,,1,,,,,,,,,,,1,
-java.io,3,,20,,3,,,,,,,,,20,
-java.lang,,,1,,,,,,,,,,,1,
-java.net,2,3,4,,,,,2,,,,,3,4,
-java.nio,10,,2,,10,,,,,,,,,2,
-java.util,,,13,,,,,,,,,,,13,
-javax.naming.directory,1,,,,,,1,,,,,,,,
-javax.net.ssl,2,,,,,,,,2,,,,,,
-javax.servlet,3,21,2,,,3,,,,,,,21,2,
-javax.validation,1,1,,1,,,,,,,,,1,,
-javax.ws.rs.core,1,,,,,1,,,,,,,,,
-javax.xml.transform.sax,,,4,,,,,,,,,,,4,
-javax.xml.transform.stream,,,2,,,,,,,,,,,2,
-javax.xml.xpath,3,,,,,,,,,,3,,,,
-org.apache.commons.codec,,,2,,,,,,,,,,,2,
-org.apache.commons.io,,,22,,,,,,,,,,,22,
-org.apache.commons.lang3,,,313,,,,,,,,,,,299,14
-org.apache.commons.text,,,203,,,,,,,,,,,203,
-org.apache.directory.ldap.client.api,1,,,,,,1,,,,,,,,
-org.apache.hc.core5.function,,,1,,,,,,,,,,,1,
-org.apache.hc.core5.http,1,2,39,,,,,,,,,1,2,39,
-org.apache.hc.core5.net,,,2,,,,,,,,,,,2,
-org.apache.hc.core5.util,,,22,,,,,,,,,,,18,4
-org.apache.http,2,3,66,,,,,,,,,2,3,59,7
-org.dom4j,20,,,,,,,,,,20,,,,
-org.springframework.ldap.core,14,,,,,,14,,,,,,,,
-org.springframework.security.web.savedrequest,,6,,,,,,,,,,,6,,
-org.springframework.web.client,,3,,,,,,,,,,,3,,
-org.springframework.web.context.request,,8,,,,,,,,,,,8,,
-org.springframework.web.multipart,,12,,,,,,,,,,,12,,
-org.xml.sax,,,1,,,,,,,,,,,1,
-org.xmlpull.v1,,3,,,,,,,,,,,3,,
-play.mvc,,4,,,,,,,,,,,4,,
+package,sink,source,summary,sink:bean-validation,sink:create-file,sink:header-splitting,sink:information-leak,sink:ldap,sink:open-url,sink:set-hostname-verifier,sink:url-open-stream,sink:xpath,sink:xss,source:remote,summary:taint,summary:value
+android.util,,16,,,,,,,,,,,,16,,
+android.webkit,3,2,,,,,,,,,,,3,2,,
+com.esotericsoftware.kryo.io,,,1,,,,,,,,,,,,1,
+com.esotericsoftware.kryo5.io,,,1,,,,,,,,,,,,1,
+com.fasterxml.jackson.databind,,,2,,,,,,,,,,,,2,
+com.google.common.base,,,28,,,,,,,,,,,,22,6
+com.google.common.io,6,,69,,,,,,,,6,,,,68,1
+com.unboundid.ldap.sdk,17,,,,,,,17,,,,,,,,
+java.beans,,,1,,,,,,,,,,,,1,
+java.io,3,,20,,3,,,,,,,,,,20,
+java.lang,,,1,,,,,,,,,,,,1,
+java.net,2,3,4,,,,,,2,,,,,3,4,
+java.nio,10,,2,,10,,,,,,,,,,2,
+java.util,,,13,,,,,,,,,,,,13,
+javax.naming.directory,1,,,,,,,1,,,,,,,,
+javax.net.ssl,2,,,,,,,,,2,,,,,,
+javax.servlet,4,21,2,,,3,1,,,,,,,21,2,
+javax.validation,1,1,,1,,,,,,,,,,1,,
+javax.ws.rs.core,1,,,,,1,,,,,,,,,,
+javax.xml.transform.sax,,,4,,,,,,,,,,,,4,
+javax.xml.transform.stream,,,2,,,,,,,,,,,,2,
+javax.xml.xpath,3,,,,,,,,,,,3,,,,
+org.apache.commons.codec,,,2,,,,,,,,,,,,2,
+org.apache.commons.io,,,22,,,,,,,,,,,,22,
+org.apache.commons.lang3,,,313,,,,,,,,,,,,299,14
+org.apache.commons.text,,,203,,,,,,,,,,,,203,
+org.apache.directory.ldap.client.api,1,,,,,,,1,,,,,,,,
+org.apache.hc.core5.function,,,1,,,,,,,,,,,,1,
+org.apache.hc.core5.http,1,2,39,,,,,,,,,,1,2,39,
+org.apache.hc.core5.net,,,2,,,,,,,,,,,,2,
+org.apache.hc.core5.util,,,22,,,,,,,,,,,,18,4
+org.apache.http,2,3,66,,,,,,,,,,2,3,59,7
+org.dom4j,20,,,,,,,,,,,20,,,,
+org.springframework.ldap.core,14,,,,,,,14,,,,,,,,
+org.springframework.security.web.savedrequest,,6,,,,,,,,,,,,6,,
+org.springframework.web.client,,3,,,,,,,,,,,,3,,
+org.springframework.web.context.request,,8,,,,,,,,,,,,8,,
+org.springframework.web.multipart,,12,,,,,,,,,,,,12,,
+org.xml.sax,,,1,,,,,,,,,,,,1,
+org.xmlpull.v1,,3,,,,,,,,,,,,3,,
+play.mvc,,4,,,,,,,,,,,,4,,
diff --git a/java/documentation/library-coverage/flow-model-coverage.rst b/java/documentation/library-coverage/flow-model-coverage.rst
index bad79a93c06..b9b54aad158 100644
--- a/java/documentation/library-coverage/flow-model-coverage.rst
+++ b/java/documentation/library-coverage/flow-model-coverage.rst
@@ -12,8 +12,8 @@ Java framework & library support
    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,22,,,,,,,,
    Google,``com.google.common.*``,,97,6,,6,,,,,
    Java Standard Library,``java.*``,3,41,15,13,,,,,,2
-   Java extensions,``javax.*``,22,8,11,,,,,1,1,
+   Java extensions,``javax.*``,22,8,12,,,,,1,1,
    `Spring <https://spring.io/>`_,``org.springframework.*``,29,,14,,,,,14,,
    Others,"``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.databind``, ``com.unboundid.ldap.sdk``, ``org.dom4j``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``",7,5,37,,,,,17,,
-   Totals,,84,821,90,13,6,6,,33,1,2
+   Totals,,84,821,91,13,6,6,,33,1,2
 

From 650c4f19d2088b446523b3ec29ed3aae13ccad72 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Tue, 1 Jun 2021 16:09:17 +0200
Subject: [PATCH 1255/1429] Java: More qldoc.

---
 .../code/java/dataflow/internal/ContainerFlow.qll  | 14 ++++++++++++++
 .../java/dataflow/internal/TaintTrackingUtil.qll   | 11 +++++++++++
 2 files changed, 25 insertions(+)

diff --git a/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll b/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
index 667ae024b37..d57c68bf007 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
@@ -710,6 +710,11 @@ predicate containerStep(Expr n1, Expr n2) {
   containerUpdateStep(n1, n2)
 }
 
+/**
+ * Holds if the step from `node1` to `node2` stores a value in an array.
+ * This covers array assignments and initializers as well as implicit array
+ * creations for varargs.
+ */
 predicate arrayStoreStep(Node node1, Node node2) {
   exists(Argument arg |
     node1.asExpr() = arg and
@@ -734,6 +739,11 @@ private predicate enhancedForStmtStep(Node node1, Node node2, Type containerType
   )
 }
 
+/**
+ * Holds if the step from `node1` to `node2` reads a value from an array.
+ * This covers ordinary array reads as well as array iteration through enhanced
+ * `for` statements.
+ */
 predicate arrayReadStep(Node node1, Node node2, Type elemType) {
   exists(ArrayAccess aa |
     aa.getArray() = node1.asExpr() and
@@ -747,6 +757,10 @@ predicate arrayReadStep(Node node1, Node node2, Type elemType) {
   )
 }
 
+/**
+ * Holds if the step from `node1` to `node2` reads a value from a collection.
+ * This only covers iteration through enhanced `for` statements.
+ */
 predicate collectionReadStep(Node node1, Node node2) {
   enhancedForStmtStep(node1, node2, any(Type t | not t instanceof Array))
 }
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index 719b89fbf2a..d2322eca983 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -98,6 +98,17 @@ private module Cached {
 
 import Cached
 
+/**
+ * These configurations add a number of configuration-dependent additional taint
+ * steps to all taint configurations. For each sink or additional step provided
+ * by a given configuration the types are inspected to find those implicit
+ * collection or array read steps that might be required at the sink or step
+ * input. The corresponding store steps are then added as additional taint steps
+ * to provide backwards-compatible taint flow to such sinks and steps.
+ *
+ * This is a temporary measure until support is added for such sinks that
+ * require implicit read steps.
+ */
 private module StoreTaintSteps {
   private import semmle.code.java.dataflow.TaintTracking
   private import semmle.code.java.dataflow.TaintTracking2

From 9aba92397dbc686eb15e83e0df401d8eb7299606 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Tue, 1 Jun 2021 17:16:41 +0200
Subject: [PATCH 1256/1429] lift XssSink check to InformationLeakSink

---
 .../ql/src/Security/CWE/CWE-209/StackTraceExposure.ql | 11 ++---------
 .../src/semmle/code/java/security/InformationLeak.qll |  6 +++++-
 2 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
index 4f2753b9723..78a6b9108e3 100644
--- a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+++ b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
@@ -15,7 +15,6 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.security.XSS
 import semmle.code.java.security.InformationLeak
 
 /**
@@ -91,10 +90,7 @@ class StackTraceStringToHTTPResponseSinkFlowConfig extends TaintTracking::Config
 
   override predicate isSource(DataFlow::Node src) { stackTraceExpr(_, src.asExpr()) }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink instanceof XssSink or
-    sink instanceof InformationLeakSink
-  }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }
 }
 
 /**
@@ -134,10 +130,7 @@ class GetMessageFlowSourceToHTTPResponseSinkFlowConfig extends TaintTracking::Co
 
   override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof GetMessageFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink instanceof XssSink or
-    sink instanceof InformationLeakSink
-  }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }
 }
 
 /**
diff --git a/java/ql/src/semmle/code/java/security/InformationLeak.qll b/java/ql/src/semmle/code/java/security/InformationLeak.qll
index 4cb12c3d3d9..f68ddd5b121 100644
--- a/java/ql/src/semmle/code/java/security/InformationLeak.qll
+++ b/java/ql/src/semmle/code/java/security/InformationLeak.qll
@@ -3,6 +3,7 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.ExternalFlow
+import semmle.code.java.security.XSS
 
 /** CSV sink models representing methods not susceptible to XSS but outputing to an HTTP response body. */
 private class DefaultInformationLeakSinkModel extends SinkModelCsv {
@@ -19,5 +20,8 @@ abstract class InformationLeakSink extends DataFlow::Node { }
 
 /** A default sink representing methods outputing data to an HTTP response. */
 private class DefaultInformationLeakSink extends InformationLeakSink {
-  DefaultInformationLeakSink() { sinkNode(this, "information-leak") }
+  DefaultInformationLeakSink() {
+    sinkNode(this, "information-leak") or
+    this instanceof XssSink
+  }
 }

From 5e96e28792037cb8a289bab7c6c47f16342f7c4e Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Wed, 2 Jun 2021 10:24:46 +0200
Subject: [PATCH 1257/1429] Java: Add missing metadata.

---
 .../ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
index c44eee23602..c6a7f583b14 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
@@ -3,6 +3,8 @@
  * @description Evaluation of a user-controlled malicious expression in Java Python
  *              interpreter may lead to remote code execution.
  * @kind path-problem
+ * @problem.severity error
+ * @precision high
  * @id java/jython-injection
  * @tags security
  *       external/cwe/cwe-094

From a3a215afea122df02b5a52bb2ff21e7c45affb18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?= <alvaro@pwntester.com>
Date: Wed, 2 Jun 2021 11:12:39 +0200
Subject: [PATCH 1258/1429] HTTP -> Http

---
 .../Security/CWE/CWE-209/StackTraceExposure.ql   | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
index 78a6b9108e3..233e2694afa 100644
--- a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+++ b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
@@ -83,9 +83,9 @@ predicate stackTraceExpr(Expr exception, MethodAccess stackTraceString) {
   )
 }
 
-class StackTraceStringToHTTPResponseSinkFlowConfig extends TaintTracking::Configuration {
-  StackTraceStringToHTTPResponseSinkFlowConfig() {
-    this = "StackTraceExposure::StackTraceStringToHTTPResponseSinkFlowConfig"
+class StackTraceStringToHttpResponseSinkFlowConfig extends TaintTracking::Configuration {
+  StackTraceStringToHttpResponseSinkFlowConfig() {
+    this = "StackTraceExposure::StackTraceStringToHttpResponseSinkFlowConfig"
   }
 
   override predicate isSource(DataFlow::Node src) { stackTraceExpr(_, src.asExpr()) }
@@ -106,7 +106,7 @@ predicate printsStackExternally(MethodAccess call, Expr stackTrace) {
  * A stringified stack trace flows to an external sink.
  */
 predicate stringifiedStackFlowsExternally(DataFlow::Node externalExpr, Expr stackTrace) {
-  exists(MethodAccess stackTraceString, StackTraceStringToHTTPResponseSinkFlowConfig conf |
+  exists(MethodAccess stackTraceString, StackTraceStringToHttpResponseSinkFlowConfig conf |
     stackTraceExpr(stackTrace, stackTraceString) and
     conf.hasFlow(DataFlow::exprNode(stackTraceString), externalExpr)
   )
@@ -123,9 +123,9 @@ class GetMessageFlowSource extends MethodAccess {
   }
 }
 
-class GetMessageFlowSourceToHTTPResponseSinkFlowConfig extends TaintTracking::Configuration {
-  GetMessageFlowSourceToHTTPResponseSinkFlowConfig() {
-    this = "StackTraceExposure::GetMessageFlowSourceToHTTPResponseSinkFlowConfig"
+class GetMessageFlowSourceToHttpResponseSinkFlowConfig extends TaintTracking::Configuration {
+  GetMessageFlowSourceToHttpResponseSinkFlowConfig() {
+    this = "StackTraceExposure::GetMessageFlowSourceToHttpResponseSinkFlowConfig"
   }
 
   override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof GetMessageFlowSource }
@@ -137,7 +137,7 @@ class GetMessageFlowSourceToHTTPResponseSinkFlowConfig extends TaintTracking::Co
  * A call to `getMessage()` that then flows to a servlet response.
  */
 predicate getMessageFlowsExternally(DataFlow::Node externalExpr, GetMessageFlowSource getMessage) {
-  any(GetMessageFlowSourceToHTTPResponseSinkFlowConfig conf)
+  any(GetMessageFlowSourceToHttpResponseSinkFlowConfig conf)
       .hasFlow(DataFlow::exprNode(getMessage), externalExpr)
 }
 

From f9ede137f9fc86548fdc24af45034f4b317f70a4 Mon Sep 17 00:00:00 2001
From: AlonaHlobina <54394529+AlonaHlobina@users.noreply.github.com>
Date: Wed, 2 Jun 2021 14:19:18 +0200
Subject: [PATCH 1259/1429] Update versions-compilers.rst

---
 docs/codeql/support/reusables/versions-compilers.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/codeql/support/reusables/versions-compilers.rst b/docs/codeql/support/reusables/versions-compilers.rst
index 9bc3c855e58..330922fd876 100644
--- a/docs/codeql/support/reusables/versions-compilers.rst
+++ b/docs/codeql/support/reusables/versions-compilers.rst
@@ -17,11 +17,11 @@
 
    .NET 5","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
    Go (aka Golang), "Go up to 1.16", "Go 1.11 or more recent", ``.go``
-   Java,"Java 7 to 15 [3]_","javac (OpenJDK and Oracle JDK),
+   Java,"Java 7 to 15 [3]_, Java 16 (partially)","javac (OpenJDK and Oracle JDK),
 
    Eclipse compiler for Java (ECJ) [4]_",``.java``
    JavaScript,ECMAScript 2021 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhm``, ``.xhtml``, ``.vue``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [5]_"
-   Python,"2.7, 3.5, 3.6, 3.7, 3.8",Not applicable,``.py``
+   Python,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9",Not applicable,``.py``
    TypeScript [6]_,"2.6-4.2",Standard TypeScript compiler,"``.ts``, ``.tsx``"
 
 .. container:: footnote-group

From 788c5ba70124c4f766c1c49d1217f612ca63da11 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 2 Jun 2021 15:33:08 +0200
Subject: [PATCH 1260/1429] add support for the prettier API

---
 javascript/ql/src/javascript.qll              |  1 +
 .../semmle/javascript/frameworks/Prettier.qll | 52 +++++++++++++++++++
 .../CWE-022/TaintedPath/TaintedPath.expected  | 45 ++++++++++++++++
 .../Security/CWE-022/TaintedPath/prettier.js  | 14 +++++
 .../ReflectedXss/ReflectedXss.expected        | 12 +++++
 .../ReflectedXssWithCustomSanitizer.expected  |  1 +
 .../Security/CWE-079/ReflectedXss/tst3.js     |  6 +++
 7 files changed, 131 insertions(+)
 create mode 100644 javascript/ql/src/semmle/javascript/frameworks/Prettier.qll
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js

diff --git a/javascript/ql/src/javascript.qll b/javascript/ql/src/javascript.qll
index 95db948bbd4..e3b202bf89b 100644
--- a/javascript/ql/src/javascript.qll
+++ b/javascript/ql/src/javascript.qll
@@ -104,6 +104,7 @@ import semmle.javascript.frameworks.Nest
 import semmle.javascript.frameworks.Next
 import semmle.javascript.frameworks.NoSQL
 import semmle.javascript.frameworks.PkgCloud
+import semmle.javascript.frameworks.Prettier
 import semmle.javascript.frameworks.PropertyProjection
 import semmle.javascript.frameworks.Puppeteer
 import semmle.javascript.frameworks.React
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Prettier.qll b/javascript/ql/src/semmle/javascript/frameworks/Prettier.qll
new file mode 100644
index 00000000000..eeb8d1cdb87
--- /dev/null
+++ b/javascript/ql/src/semmle/javascript/frameworks/Prettier.qll
@@ -0,0 +1,52 @@
+/**
+ * Provides classes and predicates for working with the [prettier](https://www.npmjs.com/package/prettier) library.
+ */
+
+import javascript
+
+/** Provides classes and predicates modelling aspects of the [prettier](https://www.npmjs.com/package/prettier) library. */
+private module Prettier {
+  /**
+   * A taint step from the [prettier API](https://prettier.io/docs/en/api.html).
+   */
+  private class PrettierTaintStep extends TaintTracking::SharedTaintStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(API::CallNode call |
+        call = API::moduleImport("prettier").getMember("format").getACall()
+      |
+        pred = call.getArgument(0) and
+        succ = call
+      )
+      or
+      exists(API::CallNode call |
+        call = API::moduleImport("prettier").getMember("formatWithCursor").getACall()
+      |
+        pred = call.getArgument(0) and
+        succ = call.getReturn().getMember("formatted").getAnImmediateUse()
+      )
+    }
+  }
+
+  private import semmle.javascript.security.dataflow.TaintedPathCustomizations::TaintedPath as TaintedPath
+
+  /**
+   * An argument given to the `prettier` library specificing the location of a config file.
+   */
+  private class PrettierFileSink extends TaintedPath::Sink {
+    PrettierFileSink() {
+      this =
+        API::moduleImport("prettier")
+            .getMember(["resolveConfig", "resolveConfigFile", "getFileInfo"])
+            .getACall()
+            .getArgument(0)
+      or
+      this =
+        API::moduleImport("prettier")
+            .getMember("resolveConfig")
+            .getACall()
+            .getParameter(1)
+            .getMember("config")
+            .getARhs()
+    }
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
index 5d8806c0501..24beed4007f 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -2271,6 +2271,25 @@ nodes
 | other-fs-libraries.js:52:24:52:27 | path |
 | other-fs-libraries.js:52:24:52:27 | path |
 | other-fs-libraries.js:52:24:52:27 | path |
+| prettier.js:6:11:6:28 | p |
+| prettier.js:6:11:6:28 | p |
+| prettier.js:6:11:6:28 | p |
+| prettier.js:6:11:6:28 | p |
+| prettier.js:6:13:6:13 | p |
+| prettier.js:6:13:6:13 | p |
+| prettier.js:6:13:6:13 | p |
+| prettier.js:6:13:6:13 | p |
+| prettier.js:6:13:6:13 | p |
+| prettier.js:7:28:7:28 | p |
+| prettier.js:7:28:7:28 | p |
+| prettier.js:7:28:7:28 | p |
+| prettier.js:7:28:7:28 | p |
+| prettier.js:7:28:7:28 | p |
+| prettier.js:11:44:11:44 | p |
+| prettier.js:11:44:11:44 | p |
+| prettier.js:11:44:11:44 | p |
+| prettier.js:11:44:11:44 | p |
+| prettier.js:11:44:11:44 | p |
 | pupeteer.js:5:9:5:71 | tainted |
 | pupeteer.js:5:9:5:71 | tainted |
 | pupeteer.js:5:9:5:71 | tainted |
@@ -6668,6 +6687,30 @@ edges
 | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:49:14:49:37 | url.par ... , true) |
 | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:49:14:49:37 | url.par ... , true) |
 | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:49:14:49:37 | url.par ... , true) |
+| prettier.js:6:11:6:28 | p | prettier.js:7:28:7:28 | p |
+| prettier.js:6:11:6:28 | p | prettier.js:7:28:7:28 | p |
+| prettier.js:6:11:6:28 | p | prettier.js:7:28:7:28 | p |
+| prettier.js:6:11:6:28 | p | prettier.js:7:28:7:28 | p |
+| prettier.js:6:11:6:28 | p | prettier.js:7:28:7:28 | p |
+| prettier.js:6:11:6:28 | p | prettier.js:7:28:7:28 | p |
+| prettier.js:6:11:6:28 | p | prettier.js:7:28:7:28 | p |
+| prettier.js:6:11:6:28 | p | prettier.js:7:28:7:28 | p |
+| prettier.js:6:11:6:28 | p | prettier.js:11:44:11:44 | p |
+| prettier.js:6:11:6:28 | p | prettier.js:11:44:11:44 | p |
+| prettier.js:6:11:6:28 | p | prettier.js:11:44:11:44 | p |
+| prettier.js:6:11:6:28 | p | prettier.js:11:44:11:44 | p |
+| prettier.js:6:11:6:28 | p | prettier.js:11:44:11:44 | p |
+| prettier.js:6:11:6:28 | p | prettier.js:11:44:11:44 | p |
+| prettier.js:6:11:6:28 | p | prettier.js:11:44:11:44 | p |
+| prettier.js:6:11:6:28 | p | prettier.js:11:44:11:44 | p |
+| prettier.js:6:13:6:13 | p | prettier.js:6:11:6:28 | p |
+| prettier.js:6:13:6:13 | p | prettier.js:6:11:6:28 | p |
+| prettier.js:6:13:6:13 | p | prettier.js:6:11:6:28 | p |
+| prettier.js:6:13:6:13 | p | prettier.js:6:11:6:28 | p |
+| prettier.js:6:13:6:13 | p | prettier.js:6:11:6:28 | p |
+| prettier.js:6:13:6:13 | p | prettier.js:6:11:6:28 | p |
+| prettier.js:6:13:6:13 | p | prettier.js:6:11:6:28 | p |
+| prettier.js:6:13:6:13 | p | prettier.js:6:11:6:28 | p |
 | pupeteer.js:5:9:5:71 | tainted | pupeteer.js:9:28:9:34 | tainted |
 | pupeteer.js:5:9:5:71 | tainted | pupeteer.js:9:28:9:34 | tainted |
 | pupeteer.js:5:9:5:71 | tainted | pupeteer.js:9:28:9:34 | tainted |
@@ -8295,6 +8338,8 @@ edges
 | other-fs-libraries.js:42:53:42:56 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:42:53:42:56 | path | This path depends on $@. | other-fs-libraries.js:38:24:38:30 | req.url | a user-provided value |
 | other-fs-libraries.js:51:19:51:22 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:51:19:51:22 | path | This path depends on $@. | other-fs-libraries.js:49:24:49:30 | req.url | a user-provided value |
 | other-fs-libraries.js:52:24:52:27 | path | other-fs-libraries.js:49:24:49:30 | req.url | other-fs-libraries.js:52:24:52:27 | path | This path depends on $@. | other-fs-libraries.js:49:24:49:30 | req.url | a user-provided value |
+| prettier.js:7:28:7:28 | p | prettier.js:6:13:6:13 | p | prettier.js:7:28:7:28 | p | This path depends on $@. | prettier.js:6:13:6:13 | p | a user-provided value |
+| prettier.js:11:44:11:44 | p | prettier.js:6:13:6:13 | p | prettier.js:11:44:11:44 | p | This path depends on $@. | prettier.js:6:13:6:13 | p | a user-provided value |
 | pupeteer.js:9:28:9:34 | tainted | pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:9:28:9:34 | tainted | This path depends on $@. | pupeteer.js:5:28:5:53 | parseTo ... t).name | a user-provided value |
 | pupeteer.js:13:37:13:43 | tainted | pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:13:37:13:43 | tainted | This path depends on $@. | pupeteer.js:5:28:5:53 | parseTo ... t).name | a user-provided value |
 | tainted-access-paths.js:8:19:8:22 | path | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:8:19:8:22 | path | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js
new file mode 100644
index 00000000000..7546bb2c293
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/prettier.js
@@ -0,0 +1,14 @@
+const express = require('express');
+const prettier = require("prettier");
+
+const app = express();
+app.get('/some/path', function (req, res) {
+    const { p } = req.params;
+    prettier.resolveConfig(p).then((options) => { // NOT OK
+        const formatted = prettier.format("foo", options);
+    });
+
+    prettier.resolveConfig("foo", {config: p}).then((options) => { // NOT OK
+        const formatted = prettier.format("bar", options);
+    });
+});
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
index b1d940b437c..c0955082e00 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -187,6 +187,12 @@ nodes
 | tst3.js:5:9:5:9 | p |
 | tst3.js:6:12:6:12 | p |
 | tst3.js:6:12:6:12 | p |
+| tst3.js:11:9:11:74 | code |
+| tst3.js:11:16:11:74 | prettie ... bel" }) |
+| tst3.js:11:32:11:39 | reg.body |
+| tst3.js:11:32:11:39 | reg.body |
+| tst3.js:12:12:12:15 | code |
+| tst3.js:12:12:12:15 | code |
 edges
 | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
 | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
@@ -342,6 +348,11 @@ edges
 | tst3.js:5:7:5:24 | p | tst3.js:6:12:6:12 | p |
 | tst3.js:5:9:5:9 | p | tst3.js:5:7:5:24 | p |
 | tst3.js:5:9:5:9 | p | tst3.js:5:7:5:24 | p |
+| tst3.js:11:9:11:74 | code | tst3.js:12:12:12:15 | code |
+| tst3.js:11:9:11:74 | code | tst3.js:12:12:12:15 | code |
+| tst3.js:11:16:11:74 | prettie ... bel" }) | tst3.js:11:9:11:74 | code |
+| tst3.js:11:32:11:39 | reg.body | tst3.js:11:16:11:74 | prettie ... bel" }) |
+| tst3.js:11:32:11:39 | reg.body | tst3.js:11:16:11:74 | prettie ... bel" }) |
 #select
 | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value |
 | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | ReflectedXss.js:17:31:17:39 | params.id | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:17:31:17:39 | params.id | user-provided value |
@@ -386,3 +397,4 @@ edges
 | tst2.js:36:12:36:12 | p | tst2.js:30:9:30:9 | p | tst2.js:36:12:36:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
 | tst2.js:37:12:37:18 | other.p | tst2.js:30:9:30:9 | p | tst2.js:37:12:37:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
 | tst3.js:6:12:6:12 | p | tst3.js:5:9:5:9 | p | tst3.js:6:12:6:12 | p | Cross-site scripting vulnerability due to $@. | tst3.js:5:9:5:9 | p | user-provided value |
+| tst3.js:12:12:12:15 | code | tst3.js:11:32:11:39 | reg.body | tst3.js:12:12:12:15 | code | Cross-site scripting vulnerability due to $@. | tst3.js:11:32:11:39 | reg.body | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
index 6a919f7b43a..db284911aaf 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -40,3 +40,4 @@
 | tst2.js:36:12:36:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
 | tst2.js:37:12:37:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
 | tst3.js:6:12:6:12 | p | Cross-site scripting vulnerability due to $@. | tst3.js:5:9:5:9 | p | user-provided value |
+| tst3.js:12:12:12:15 | code | Cross-site scripting vulnerability due to $@. | tst3.js:11:32:11:39 | reg.body | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js
index 1fa1758c41c..c7d0fd91a4a 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js
@@ -5,3 +5,9 @@ app.enable('x-powered-by').disable('x-powered-by').get('/', function (req, res)
   let { p } = req.params;
   res.send(p); // NOT OK
 });
+
+const prettier = require("prettier");
+app.post("foobar", function (reg, res) {
+  const code = prettier.format(reg.body, { semi: false, parser: "babel" });
+  res.send(code); // NOT OK
+});
\ No newline at end of file

From 27ff256b0e86c71f5a7f2483433029dfbb712945 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 2 Jun 2021 15:34:01 +0200
Subject: [PATCH 1261/1429] add change note

---
 javascript/change-notes/2021-06-02-prettier.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 javascript/change-notes/2021-06-02-prettier.md

diff --git a/javascript/change-notes/2021-06-02-prettier.md b/javascript/change-notes/2021-06-02-prettier.md
new file mode 100644
index 00000000000..ce4277c5e33
--- /dev/null
+++ b/javascript/change-notes/2021-06-02-prettier.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The dataflow libraries now model dataflow in the prettier library.
+  Affected packages are
+    [prettier](https://npmjs.com/package/prettier)

From daf2cc3d53d61b933a96f4f89f41af0812e62a47 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Wed, 2 Jun 2021 20:39:05 +0200
Subject: [PATCH 1262/1429] Java: Improve performance of
 `isUnreachableInCall()`

---
 .../semmle/code/java/dataflow/internal/DataFlowPrivate.qll    | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
index e3ab07fce1f..c20fa87af6c 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
@@ -296,7 +296,9 @@ predicate isUnreachableInCall(Node n, DataFlowCall call) {
     // which is used in a guard
     param.getAUse() = guard and
     // which controls `n` with the opposite value of `arg`
-    guard.controls(n.asExpr().getBasicBlock(), arg.getBooleanValue().booleanNot())
+    guard
+        .controls(n.asExpr().getBasicBlock(),
+          pragma[only_bind_out](arg.getBooleanValue()).booleanNot())
   )
 }
 

From 98ee763d576c24bcca83f5ea30115e9f4d68b41d Mon Sep 17 00:00:00 2001
From: AlonaHlobina <54394529+AlonaHlobina@users.noreply.github.com>
Date: Wed, 2 Jun 2021 20:56:06 +0200
Subject: [PATCH 1263/1429] Update
 docs/codeql/support/reusables/versions-compilers.rst

Co-authored-by: yo-h <55373593+yo-h@users.noreply.github.com>
---
 docs/codeql/support/reusables/versions-compilers.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/codeql/support/reusables/versions-compilers.rst b/docs/codeql/support/reusables/versions-compilers.rst
index 330922fd876..f983b5e0114 100644
--- a/docs/codeql/support/reusables/versions-compilers.rst
+++ b/docs/codeql/support/reusables/versions-compilers.rst
@@ -17,7 +17,7 @@
 
    .NET 5","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
    Go (aka Golang), "Go up to 1.16", "Go 1.11 or more recent", ``.go``
-   Java,"Java 7 to 15 [3]_, Java 16 (partially)","javac (OpenJDK and Oracle JDK),
+   Java,"Java 7 to 16 [3]_","javac (OpenJDK and Oracle JDK),
 
    Eclipse compiler for Java (ECJ) [4]_",``.java``
    JavaScript,ECMAScript 2021 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhm``, ``.xhtml``, ``.vue``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [5]_"

From 1e19da155c6a0785156d4fb4255979480000b570 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 2 Jun 2021 21:25:48 +0200
Subject: [PATCH 1264/1429] move TaintedPath sink into
 TaintedPathCustomizations to avoid side-effects

---
 .../semmle/javascript/frameworks/Prettier.qll | 23 -------------------
 .../dataflow/TaintedPathCustomizations.qll    | 21 +++++++++++++++++
 2 files changed, 21 insertions(+), 23 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/Prettier.qll b/javascript/ql/src/semmle/javascript/frameworks/Prettier.qll
index eeb8d1cdb87..81a1d596c14 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Prettier.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Prettier.qll
@@ -26,27 +26,4 @@ private module Prettier {
       )
     }
   }
-
-  private import semmle.javascript.security.dataflow.TaintedPathCustomizations::TaintedPath as TaintedPath
-
-  /**
-   * An argument given to the `prettier` library specificing the location of a config file.
-   */
-  private class PrettierFileSink extends TaintedPath::Sink {
-    PrettierFileSink() {
-      this =
-        API::moduleImport("prettier")
-            .getMember(["resolveConfig", "resolveConfigFile", "getFileInfo"])
-            .getACall()
-            .getArgument(0)
-      or
-      this =
-        API::moduleImport("prettier")
-            .getMember("resolveConfig")
-            .getACall()
-            .getParameter(1)
-            .getMember("config")
-            .getARhs()
-    }
-  }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
index ebc877e0e25..d0814cd51d3 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -650,6 +650,27 @@ module TaintedPath {
     }
   }
 
+  /**
+   * An argument given to the `prettier` library specificing the location of a config file.
+   */
+  private class PrettierFileSink extends TaintedPath::Sink {
+    PrettierFileSink() {
+      this =
+        API::moduleImport("prettier")
+            .getMember(["resolveConfig", "resolveConfigFile", "getFileInfo"])
+            .getACall()
+            .getArgument(0)
+      or
+      this =
+        API::moduleImport("prettier")
+            .getMember("resolveConfig")
+            .getACall()
+            .getParameter(1)
+            .getMember("config")
+            .getARhs()
+    }
+  }
+
   /**
    * Holds if there is a step `src -> dst` mapping `srclabel` to `dstlabel` relevant for path traversal vulnerabilities.
    */

From 69d6c74e7e8eb193f51fc7bb27a4b083b7da56fc Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 2 Jun 2021 21:56:47 +0200
Subject: [PATCH 1265/1429] fix typescript version

---
 javascript/extractor/lib/typescript/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/extractor/lib/typescript/package.json b/javascript/extractor/lib/typescript/package.json
index 953f69edb1e..22b130f3bec 100644
--- a/javascript/extractor/lib/typescript/package.json
+++ b/javascript/extractor/lib/typescript/package.json
@@ -2,7 +2,7 @@
     "name": "typescript-parser-wrapper",
     "private": true,
     "dependencies": {
-        "typescript": "^4.3.2"
+        "typescript": "4.3.2"
     },
     "scripts": {
         "build": "tsc --project tsconfig.json",

From 431c9951319a254f9ead87d76c9997d9da7eb970 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 2 Jun 2021 23:11:15 +0200
Subject: [PATCH 1266/1429] add support for the debug library

---
 javascript/change-notes/2021-06-02-debug.md    |  4 ++++
 .../semmle/javascript/frameworks/Logging.qll   |  9 +++++++++
 .../Security/CWE-312/CleartextLogging.expected | 18 ++++++++++++++++++
 .../query-tests/Security/CWE-312/passwords.js  |  8 +++++++-
 4 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 javascript/change-notes/2021-06-02-debug.md

diff --git a/javascript/change-notes/2021-06-02-debug.md b/javascript/change-notes/2021-06-02-debug.md
new file mode 100644
index 00000000000..324ea96e2bf
--- /dev/null
+++ b/javascript/change-notes/2021-06-02-debug.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Logging calls using the [debug](https://npmjs.com/package/immutable) library are now recognized.
+  Affected packages are
+    [debug](https://npmjs.com/package/debug)
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Logging.qll b/javascript/ql/src/semmle/javascript/frameworks/Logging.qll
index cf632cc6e1e..f6c02a54e8c 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Logging.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Logging.qll
@@ -192,3 +192,12 @@ private module Fancylog {
     override DataFlow::Node getAMessageComponent() { result = getAnArgument() }
   }
 }
+
+/**
+ * A class modelling [debug](https://npmjs.org/package/debug) as a logging mechanism.
+ */
+private class DebugLoggerCall extends LoggerCall, API::CallNode {
+  DebugLoggerCall() { this = API::moduleImport("debug").getReturn().getACall() }
+
+  override DataFlow::Node getAMessageComponent() { result = getAnArgument() }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected b/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
index 85b1f872b52..6fc52f66868 100644
--- a/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
@@ -125,6 +125,14 @@ nodes
 | passwords.js:164:14:164:21 | password |
 | passwords.js:164:14:164:42 | passwor ... g, "*") |
 | passwords.js:164:14:164:42 | passwor ... g, "*") |
+| passwords.js:169:17:169:24 | password |
+| passwords.js:169:17:169:24 | password |
+| passwords.js:169:17:169:45 | passwor ... g, "*") |
+| passwords.js:169:17:169:45 | passwor ... g, "*") |
+| passwords.js:170:11:170:18 | password |
+| passwords.js:170:11:170:18 | password |
+| passwords.js:170:11:170:39 | passwor ... g, "*") |
+| passwords.js:170:11:170:39 | passwor ... g, "*") |
 | passwords_in_browser1.js:2:13:2:20 | password |
 | passwords_in_browser1.js:2:13:2:20 | password |
 | passwords_in_browser1.js:2:13:2:20 | password |
@@ -261,6 +269,14 @@ edges
 | passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
 | passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
 | passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
+| passwords.js:169:17:169:24 | password | passwords.js:169:17:169:45 | passwor ... g, "*") |
+| passwords.js:169:17:169:24 | password | passwords.js:169:17:169:45 | passwor ... g, "*") |
+| passwords.js:169:17:169:24 | password | passwords.js:169:17:169:45 | passwor ... g, "*") |
+| passwords.js:169:17:169:24 | password | passwords.js:169:17:169:45 | passwor ... g, "*") |
+| passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") |
+| passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") |
+| passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") |
+| passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") |
 | passwords_in_browser1.js:2:13:2:20 | password | passwords_in_browser1.js:2:13:2:20 | password |
 | passwords_in_browser2.js:2:13:2:20 | password | passwords_in_browser2.js:2:13:2:20 | password |
 | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password |
@@ -304,6 +320,8 @@ edges
 | passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env | Sensitive data returned by $@ is logged here. | passwords.js:156:17:156:27 | process.env | process environment |
 | passwords.js:163:14:163:41 | passwor ... g, "*") | passwords.js:163:14:163:21 | password | passwords.js:163:14:163:41 | passwor ... g, "*") | Sensitive data returned by $@ is logged here. | passwords.js:163:14:163:21 | password | an access to password |
 | passwords.js:164:14:164:42 | passwor ... g, "*") | passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") | Sensitive data returned by $@ is logged here. | passwords.js:164:14:164:21 | password | an access to password |
+| passwords.js:169:17:169:45 | passwor ... g, "*") | passwords.js:169:17:169:24 | password | passwords.js:169:17:169:45 | passwor ... g, "*") | Sensitive data returned by $@ is logged here. | passwords.js:169:17:169:24 | password | an access to password |
+| passwords.js:170:11:170:39 | passwor ... g, "*") | passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") | Sensitive data returned by $@ is logged here. | passwords.js:170:11:170:18 | password | an access to password |
 | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_1.js:6:13:6:20 | password | an access to password |
 | passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_2.js:3:13:3:20 | password | an access to password |
 | passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_3.js:2:13:2:20 | password | an access to password |
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords.js
index 50dc80a65d0..3c9f7d32464 100644
--- a/javascript/ql/test/query-tests/Security/CWE-312/passwords.js
+++ b/javascript/ql/test/query-tests/Security/CWE-312/passwords.js
@@ -162,4 +162,10 @@ var Util = require('util');
 	console.log(password.replace(/./g, "*")); // OK!
 	console.log(password.replace(/\./g, "*")); // NOT OK!
 	console.log(password.replace(/foo/g, "*")); // NOT OK!
-})();
\ No newline at end of file
+})();
+
+const debug = require('debug')('test');
+(function () {
+    console.log(password.replace(/foo/g, "*")); // NOT OK
+    debug(password.replace(/foo/g, "*")); // NOT OK
+});
\ No newline at end of file

From 185811ee227ad7f212b530fa8d29dac80e67ea6f Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 2 Jun 2021 23:23:30 +0200
Subject: [PATCH 1267/1429] make MongooseFunction abstract

---
 javascript/ql/src/semmle/javascript/frameworks/NoSQL.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/NoSQL.qll b/javascript/ql/src/semmle/javascript/frameworks/NoSQL.qll
index f48dacea700..b27641e313b 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/NoSQL.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/NoSQL.qll
@@ -166,7 +166,7 @@ private module Mongoose {
   /**
    * A Mongoose function.
    */
-  private class MongooseFunction extends API::Node {
+  abstract private class MongooseFunction extends API::Node {
     /**
      * Gets the API-graph node for the result from this function (if the function returns a `Query`).
      */

From 48ab6305592dd9691e971f229caf4b31d17fccbc Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 2 Jun 2021 23:43:40 +0200
Subject: [PATCH 1268/1429] model webpack-merge as an extend call

---
 .../ql/src/semmle/javascript/Extend.qll       | 20 +++++++++++++++++++
 .../library-tests/Extend/ExtendCalls.expected |  2 ++
 .../ql/test/library-tests/Extend/tst.js       |  5 +++++
 3 files changed, 27 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/Extend.qll b/javascript/ql/src/semmle/javascript/Extend.qll
index d50054fc4ee..d6c2087e39b 100644
--- a/javascript/ql/src/semmle/javascript/Extend.qll
+++ b/javascript/ql/src/semmle/javascript/Extend.qll
@@ -188,3 +188,23 @@ private class CloneStep extends PreCallGraphStep {
     )
   }
 }
+
+/**
+ * A deep extend call from the [webpack-merge](https://npmjs.org/package/webpack-merge) library.
+ */
+private class WebpackMergeDeep extends ExtendCall, DataFlow::CallNode {
+  WebpackMergeDeep() {
+    this = DataFlow::moduleMember("webpack-merge", "merge").getACall()
+    or
+    this =
+      DataFlow::moduleMember("webpack-merge", ["mergeWithCustomize", "mergeWithRules"])
+          .getACall()
+          .getACall()
+  }
+
+  override DataFlow::Node getASourceOperand() { result = getAnArgument() }
+
+  override DataFlow::Node getDestinationOperand() { none() }
+
+  override predicate isDeep() { any() }
+}
diff --git a/javascript/ql/test/library-tests/Extend/ExtendCalls.expected b/javascript/ql/test/library-tests/Extend/ExtendCalls.expected
index 89449bc4ff1..a4c66634f7c 100644
--- a/javascript/ql/test/library-tests/Extend/ExtendCalls.expected
+++ b/javascript/ql/test/library-tests/Extend/ExtendCalls.expected
@@ -41,3 +41,5 @@
 | tst.js:79:1:79:45 | checkSh ... arg())) | OK |
 | tst.js:80:1:80:55 | checkSh ... arg())) | OK |
 | tst.js:81:1:81:51 | checkSh ... arg())) | OK |
+| tst.js:85:1:85:44 | checkDe ... arg())) | OK |
+| tst.js:86:1:86:61 | checkDe ... arg())) | OK |
diff --git a/javascript/ql/test/library-tests/Extend/tst.js b/javascript/ql/test/library-tests/Extend/tst.js
index 287fe57cdba..500178e3e5d 100644
--- a/javascript/ql/test/library-tests/Extend/tst.js
+++ b/javascript/ql/test/library-tests/Extend/tst.js
@@ -79,3 +79,8 @@ checkShallow(require('lodash').extend(base(), arg()));
 checkShallow(require("xtend")(base(), arg()));
 checkShallow(require("xtend/immutable")(base(), arg()));
 checkShallow(require("ramda").merge(base(), arg()));
+
+// webpack-merge. deep. 
+const webpackMerge = require('webpack-merge');
+checkDeep(webpackMerge.merge(base(), arg()));
+checkDeep(webpackMerge.mergeWithCustomize({})(base(), arg()));

From 143bf9de14730c032db33226bda612345054cd26 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 2 Jun 2021 23:48:29 +0200
Subject: [PATCH 1269/1429] add change note

---
 javascript/change-notes/2021-06-02-webpack-merge.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 javascript/change-notes/2021-06-02-webpack-merge.md

diff --git a/javascript/change-notes/2021-06-02-webpack-merge.md b/javascript/change-notes/2021-06-02-webpack-merge.md
new file mode 100644
index 00000000000..87ab83fffa6
--- /dev/null
+++ b/javascript/change-notes/2021-06-02-webpack-merge.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The security queries recognize the merge call from [webpack-merge](https://npmjs.com/package/webpack-merge). 
+  Affected packages are
+    [webpack-merge](https://npmjs.com/package/webpack-merge)

From 3bda1f2e264c3d470339a78ac8d6b9ca08b70e9f Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 3 Jun 2021 00:43:41 +0200
Subject: [PATCH 1270/1429] update expected test output

---
 .../CallResolution/CallResolution.expected    |   8 +-
 .../TypeScript/Types/printAst.expected        | 561 +++++++++++++++++-
 2 files changed, 539 insertions(+), 30 deletions(-)

diff --git a/javascript/ql/test/library-tests/TypeScript/CallResolution/CallResolution.expected b/javascript/ql/test/library-tests/TypeScript/CallResolution/CallResolution.expected
index 96b0086480e..a942a68076b 100644
--- a/javascript/ql/test/library-tests/TypeScript/CallResolution/CallResolution.expected
+++ b/javascript/ql/test/library-tests/TypeScript/CallResolution/CallResolution.expected
@@ -4,16 +4,16 @@
 | tst.ts:55:3:55:27 | obj.ove ... od(num) | (x: number): number | 0 |
 | tst.ts:56:3:56:27 | obj.ove ... od(str) | (x: string): string | 1 |
 | tst.ts:57:3:57:26 | obj.ove ... hod([]) | (x: any): any | 2 |
-| tst.ts:58:3:58:36 | obj.gen ... ([num]) | (x: number[]): T | 0 |
-| tst.ts:59:3:59:39 | obj.gen ... : str}) | (x: Box<string>): T | 1 |
+| tst.ts:58:3:58:36 | obj.gen ... ([num]) | (x: number[]): number | 0 |
+| tst.ts:59:3:59:39 | obj.gen ... : str}) | (x: Box<string>): string | 1 |
 | tst.ts:60:3:60:34 | obj.gen ... od(num) | (x: any): any | 2 |
 | tst.ts:64:3:64:23 | obj.sim ... od(str) | (x: string): number | 0 |
 | tst.ts:65:3:65:24 | obj.gen ... od(str) | (x: string): string | 0 |
 | tst.ts:66:3:66:24 | obj.gen ... od(num) | (x: number): number | 0 |
 | tst.ts:67:3:67:27 | obj.ove ... od(num) | (x: number): number | 0 |
 | tst.ts:68:3:68:27 | obj.ove ... od(str) | (x: string): string | 1 |
-| tst.ts:69:3:69:36 | obj.gen ... ([num]) | (x: number[]): T | 0 |
-| tst.ts:70:3:70:39 | obj.gen ... : str}) | (x: Box<string>): T | 1 |
+| tst.ts:69:3:69:36 | obj.gen ... ([num]) | (x: number[]): number | 0 |
+| tst.ts:70:3:70:39 | obj.gen ... : str}) | (x: Box<string>): string | 1 |
 | tst.ts:74:3:74:28 | new Sim ... or(str) | new (x: string): SimpleConstructor | 0 |
 | tst.ts:75:3:75:29 | new Gen ... or(str) | new (x: string): GenericConstructor<string> | 0 |
 | tst.ts:76:3:76:29 | new Gen ... or(num) | new (x: number): GenericConstructor<number> | 0 |
diff --git a/javascript/ql/test/library-tests/TypeScript/Types/printAst.expected b/javascript/ql/test/library-tests/TypeScript/Types/printAst.expected
index 1f39b308479..d05b3228025 100644
--- a/javascript/ql/test/library-tests/TypeScript/Types/printAst.expected
+++ b/javascript/ql/test/library-tests/TypeScript/Types/printAst.expected
@@ -85,6 +85,12 @@ nodes
 | dummy.ts:4:20:4:20 | [RegExpNormalConstant] b | semmle.label | [RegExpNormalConstant] b |
 | dummy.ts:4:20:4:21 | [RegExpPlus] b+ | semmle.label | [RegExpPlus] b+ |
 | dummy.ts:4:22:4:22 | [RegExpNormalConstant] c | semmle.label | [RegExpNormalConstant] c |
+| file://:0:0:0:0 | (Arguments) | semmle.label | (Arguments) |
+| file://:0:0:0:0 | (Arguments) | semmle.label | (Arguments) |
+| file://:0:0:0:0 | (Parameters) | semmle.label | (Parameters) |
+| file://:0:0:0:0 | (Parameters) | semmle.label | (Parameters) |
+| file://:0:0:0:0 | (Parameters) | semmle.label | (Parameters) |
+| file://:0:0:0:0 | (Parameters) | semmle.label | (Parameters) |
 | file://:0:0:0:0 | (Parameters) | semmle.label | (Parameters) |
 | file://:0:0:0:0 | (Parameters) | semmle.label | (Parameters) |
 | file://:0:0:0:0 | (Parameters) | semmle.label | (Parameters) |
@@ -420,17 +426,182 @@ nodes
 | tst.ts:69:25:69:38 | [Label] yetAnotherType | semmle.label | [Label] yetAnotherType |
 | tst.ts:69:25:69:44 | [Property] yetAnotherType: true | semmle.label | [Property] yetAnotherType: true |
 | tst.ts:69:41:69:44 | [Literal] true | semmle.label | [Literal] true |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | semmle.label | [NamespaceDeclaration] module ... } } |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | semmle.order | 55 |
+| tst.ts:71:8:71:11 | [VarDecl] TS43 | semmle.label | [VarDecl] TS43 |
+| tst.ts:73:3:76:3 | [InterfaceDeclaration,TypeDefinition] interfa ... n); } | semmle.label | [InterfaceDeclaration,TypeDefinition] interfa ... n); } |
+| tst.ts:73:13:73:18 | [Identifier] ThingI | semmle.label | [Identifier] ThingI |
+| tst.ts:74:5:74:22 | [FunctionExpr] get size(): number | semmle.label | [FunctionExpr] get size(): number |
+| tst.ts:74:5:74:22 | [GetterMethodSignature] get size(): number | semmle.label | [GetterMethodSignature] get size(): number |
+| tst.ts:74:9:74:12 | [Label] size | semmle.label | [Label] size |
+| tst.ts:74:17:74:22 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
+| tst.ts:75:5:75:47 | [FunctionExpr] set siz ... olean); | semmle.label | [FunctionExpr] set siz ... olean); |
+| tst.ts:75:5:75:47 | [SetterMethodSignature] set siz ... olean); | semmle.label | [SetterMethodSignature] set siz ... olean); |
+| tst.ts:75:9:75:12 | [Label] size | semmle.label | [Label] size |
+| tst.ts:75:14:75:18 | [SimpleParameter] value | semmle.label | [SimpleParameter] value |
+| tst.ts:75:21:75:26 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
+| tst.ts:75:21:75:45 | [UnionTypeExpr] number ... boolean | semmle.label | [UnionTypeExpr] number ... boolean |
+| tst.ts:75:30:75:35 | [KeywordTypeExpr] string | semmle.label | [KeywordTypeExpr] string |
+| tst.ts:75:39:75:45 | [KeywordTypeExpr] boolean | semmle.label | [KeywordTypeExpr] boolean |
+| tst.ts:78:3:88:3 | [ExportDeclaration] export ... } } | semmle.label | [ExportDeclaration] export ... } } |
+| tst.ts:78:10:88:3 | [ClassDefinition,TypeDefinition] class T ... } } | semmle.label | [ClassDefinition,TypeDefinition] class T ... } } |
+| tst.ts:78:16:78:20 | [VarDecl] Thing | semmle.label | [VarDecl] Thing |
+| tst.ts:78:33:78:38 | [LocalTypeAccess] ThingI | semmle.label | [LocalTypeAccess] ThingI |
+| tst.ts:78:40:78:39 | [BlockStmt] {} | semmle.label | [BlockStmt] {} |
+| tst.ts:78:40:78:39 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | semmle.label | [ClassInitializedMember,ConstructorDefinition] constructor() {} |
+| tst.ts:78:40:78:39 | [FunctionExpr] () {} | semmle.label | [FunctionExpr] () {} |
+| tst.ts:78:40:78:39 | [Label] constructor | semmle.label | [Label] constructor |
+| tst.ts:79:5:79:9 | [Label] #size | semmle.label | [Label] #size |
+| tst.ts:79:5:79:14 | [FieldDeclaration] #size = 0; | semmle.label | [FieldDeclaration] #size = 0; |
+| tst.ts:79:13:79:13 | [Literal] 0 | semmle.label | [Literal] 0 |
+| tst.ts:81:5:83:5 | [ClassInitializedMember,GetterMethodDefinition] get siz ... ; } | semmle.label | [ClassInitializedMember,GetterMethodDefinition] get siz ... ; } |
+| tst.ts:81:5:83:5 | [FunctionExpr] get siz ... ; } | semmle.label | [FunctionExpr] get siz ... ; } |
+| tst.ts:81:9:81:12 | [Label] size | semmle.label | [Label] size |
+| tst.ts:81:17:81:22 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
+| tst.ts:81:24:83:5 | [BlockStmt] { ... ; } | semmle.label | [BlockStmt] { ... ; } |
+| tst.ts:82:7:82:24 | [ReturnStmt] return this.#size; | semmle.label | [ReturnStmt] return this.#size; |
+| tst.ts:82:14:82:17 | [ThisExpr] this | semmle.label | [ThisExpr] this |
+| tst.ts:82:14:82:23 | [DotExpr] this.#size | semmle.label | [DotExpr] this.#size |
+| tst.ts:82:19:82:23 | [Label] #size | semmle.label | [Label] #size |
+| tst.ts:85:5:87:5 | [ClassInitializedMember,SetterMethodDefinition] set siz ... ; } | semmle.label | [ClassInitializedMember,SetterMethodDefinition] set siz ... ; } |
+| tst.ts:85:5:87:5 | [FunctionExpr] set siz ... ; } | semmle.label | [FunctionExpr] set siz ... ; } |
+| tst.ts:85:9:85:12 | [Label] size | semmle.label | [Label] size |
+| tst.ts:85:14:85:18 | [SimpleParameter] value | semmle.label | [SimpleParameter] value |
+| tst.ts:85:21:85:26 | [KeywordTypeExpr] string | semmle.label | [KeywordTypeExpr] string |
+| tst.ts:85:21:85:45 | [UnionTypeExpr] string ... boolean | semmle.label | [UnionTypeExpr] string ... boolean |
+| tst.ts:85:30:85:35 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
+| tst.ts:85:39:85:45 | [KeywordTypeExpr] boolean | semmle.label | [KeywordTypeExpr] boolean |
+| tst.ts:85:48:87:5 | [BlockStmt] { ... ; } | semmle.label | [BlockStmt] { ... ; } |
+| tst.ts:86:7:86:10 | [ThisExpr] this | semmle.label | [ThisExpr] this |
+| tst.ts:86:7:86:16 | [DotExpr] this.#size | semmle.label | [DotExpr] this.#size |
+| tst.ts:86:7:86:32 | [AssignExpr] this.#s ... (value) | semmle.label | [AssignExpr] this.#s ... (value) |
+| tst.ts:86:7:86:33 | [ExprStmt] this.#s ... value); | semmle.label | [ExprStmt] this.#s ... value); |
+| tst.ts:86:12:86:16 | [Label] #size | semmle.label | [Label] #size |
+| tst.ts:86:20:86:25 | [VarRef] Number | semmle.label | [VarRef] Number |
+| tst.ts:86:20:86:32 | [CallExpr] Number(value) | semmle.label | [CallExpr] Number(value) |
+| tst.ts:86:27:86:31 | [VarRef] value | semmle.label | [VarRef] value |
+| tst.ts:91:3:95:3 | [ClassDefinition,TypeDefinition] class S ... } } | semmle.label | [ClassDefinition,TypeDefinition] class S ... } } |
+| tst.ts:91:9:91:13 | [VarDecl] Super | semmle.label | [VarDecl] Super |
+| tst.ts:91:15:91:14 | [BlockStmt] {} | semmle.label | [BlockStmt] {} |
+| tst.ts:91:15:91:14 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | semmle.label | [ClassInitializedMember,ConstructorDefinition] constructor() {} |
+| tst.ts:91:15:91:14 | [FunctionExpr] () {} | semmle.label | [FunctionExpr] () {} |
+| tst.ts:91:15:91:14 | [Label] constructor | semmle.label | [Label] constructor |
+| tst.ts:92:5:92:10 | [Label] random | semmle.label | [Label] random |
+| tst.ts:92:5:94:5 | [ClassInitializedMember,MethodDefinition] random( ... ; } | semmle.label | [ClassInitializedMember,MethodDefinition] random( ... ; } |
+| tst.ts:92:5:94:5 | [FunctionExpr] random( ... ; } | semmle.label | [FunctionExpr] random( ... ; } |
+| tst.ts:92:15:92:20 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
+| tst.ts:92:22:94:5 | [BlockStmt] { ... ; } | semmle.label | [BlockStmt] { ... ; } |
+| tst.ts:93:7:93:15 | [ReturnStmt] return 4; | semmle.label | [ReturnStmt] return 4; |
+| tst.ts:93:14:93:14 | [Literal] 4 | semmle.label | [Literal] 4 |
+| tst.ts:97:3:101:3 | [ClassDefinition,TypeDefinition] class S ... } } | semmle.label | [ClassDefinition,TypeDefinition] class S ... } } |
+| tst.ts:97:9:97:11 | [VarDecl] Sub | semmle.label | [VarDecl] Sub |
+| tst.ts:97:21:97:25 | [VarRef] Super | semmle.label | [VarRef] Super |
+| tst.ts:97:27:97:26 | [BlockStmt] { super(...args); } | semmle.label | [BlockStmt] { super(...args); } |
+| tst.ts:97:27:97:26 | [CallExpr] super(...args) | semmle.label | [CallExpr] super(...args) |
+| tst.ts:97:27:97:26 | [ClassInitializedMember,ConstructorDefinition] constru ... rgs); } | semmle.label | [ClassInitializedMember,ConstructorDefinition] constru ... rgs); } |
+| tst.ts:97:27:97:26 | [ExprStmt] super(...args); | semmle.label | [ExprStmt] super(...args); |
+| tst.ts:97:27:97:26 | [FunctionExpr] (...arg ... rgs); } | semmle.label | [FunctionExpr] (...arg ... rgs); } |
+| tst.ts:97:27:97:26 | [Label] constructor | semmle.label | [Label] constructor |
+| tst.ts:97:27:97:26 | [SimpleParameter] args | semmle.label | [SimpleParameter] args |
+| tst.ts:97:27:97:26 | [SpreadElement] ...args | semmle.label | [SpreadElement] ...args |
+| tst.ts:97:27:97:26 | [SuperExpr] super | semmle.label | [SuperExpr] super |
+| tst.ts:97:27:97:26 | [VarRef] args | semmle.label | [VarRef] args |
+| tst.ts:98:5:100:5 | [ClassInitializedMember,MethodDefinition] overrid ... ; } | semmle.label | [ClassInitializedMember,MethodDefinition] overrid ... ; } |
+| tst.ts:98:5:100:5 | [FunctionExpr] overrid ... ; } | semmle.label | [FunctionExpr] overrid ... ; } |
+| tst.ts:98:14:98:19 | [Label] random | semmle.label | [Label] random |
+| tst.ts:98:24:98:29 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
+| tst.ts:98:31:100:5 | [BlockStmt] { ... ; } | semmle.label | [BlockStmt] { ... ; } |
+| tst.ts:99:7:99:33 | [ReturnStmt] return ... ) * 10; | semmle.label | [ReturnStmt] return ... ) * 10; |
+| tst.ts:99:14:99:18 | [SuperExpr] super | semmle.label | [SuperExpr] super |
+| tst.ts:99:14:99:25 | [DotExpr] super.random | semmle.label | [DotExpr] super.random |
+| tst.ts:99:14:99:27 | [MethodCallExpr] super.random() | semmle.label | [MethodCallExpr] super.random() |
+| tst.ts:99:14:99:32 | [BinaryExpr] super.random() * 10 | semmle.label | [BinaryExpr] super.random() * 10 |
+| tst.ts:99:20:99:25 | [Label] random | semmle.label | [Label] random |
+| tst.ts:99:31:99:32 | [Literal] 10 | semmle.label | [Literal] 10 |
+| tst.ts:104:3:107:3 | [FunctionDeclStmt] functio ... }`; } | semmle.label | [FunctionDeclStmt] functio ... }`; } |
+| tst.ts:104:12:104:14 | [VarDecl] bar | semmle.label | [VarDecl] bar |
+| tst.ts:104:16:104:16 | [SimpleParameter] s | semmle.label | [SimpleParameter] s |
+| tst.ts:104:19:104:24 | [KeywordTypeExpr] string | semmle.label | [KeywordTypeExpr] string |
+| tst.ts:104:28:104:44 | [TemplateLiteralTypeExpr] `hello ${string}` | semmle.label | [TemplateLiteralTypeExpr] `hello ${string}` |
+| tst.ts:104:29:104:34 | [LiteralTypeExpr] hello  | semmle.label | [LiteralTypeExpr] hello  |
+| tst.ts:104:37:104:42 | [KeywordTypeExpr] string | semmle.label | [KeywordTypeExpr] string |
+| tst.ts:104:46:107:3 | [BlockStmt] { / ... }`; } | semmle.label | [BlockStmt] { / ... }`; } |
+| tst.ts:106:5:106:24 | [ReturnStmt] return `hello ${s}`; | semmle.label | [ReturnStmt] return `hello ${s}`; |
+| tst.ts:106:12:106:23 | [TemplateLiteral] `hello ${s}` | semmle.label | [TemplateLiteral] `hello ${s}` |
+| tst.ts:106:13:106:18 | [TemplateElement] hello  | semmle.label | [TemplateElement] hello  |
+| tst.ts:106:21:106:21 | [VarRef] s | semmle.label | [VarRef] s |
+| tst.ts:109:3:109:50 | [DeclStmt] let s1 = ... | semmle.label | [DeclStmt] let s1 = ... |
+| tst.ts:109:15:109:16 | [VarDecl] s1 | semmle.label | [VarDecl] s1 |
+| tst.ts:109:15:109:49 | [VariableDeclarator] s1: `${ ... umber}` | semmle.label | [VariableDeclarator] s1: `${ ... umber}` |
+| tst.ts:109:19:109:49 | [TemplateLiteralTypeExpr] `${numb ... umber}` | semmle.label | [TemplateLiteralTypeExpr] `${numb ... umber}` |
+| tst.ts:109:22:109:27 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
+| tst.ts:109:29:109:29 | [LiteralTypeExpr] - | semmle.label | [LiteralTypeExpr] - |
+| tst.ts:109:32:109:37 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
+| tst.ts:109:39:109:39 | [LiteralTypeExpr] - | semmle.label | [LiteralTypeExpr] - |
+| tst.ts:109:42:109:47 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
+| tst.ts:110:3:110:26 | [DeclStmt] let s2 = ... | semmle.label | [DeclStmt] let s2 = ... |
+| tst.ts:110:15:110:16 | [VarDecl] s2 | semmle.label | [VarDecl] s2 |
+| tst.ts:110:15:110:25 | [VariableDeclarator] s2: `1-2-3` | semmle.label | [VariableDeclarator] s2: `1-2-3` |
+| tst.ts:110:19:110:25 | [LiteralTypeExpr] `1-2-3` | semmle.label | [LiteralTypeExpr] `1-2-3` |
+| tst.ts:110:19:110:25 | [TemplateLiteralTypeExpr] `1-2-3` | semmle.label | [TemplateLiteralTypeExpr] `1-2-3` |
+| tst.ts:111:3:111:34 | [DeclStmt] let s3 = ... | semmle.label | [DeclStmt] let s3 = ... |
+| tst.ts:111:15:111:16 | [VarDecl] s3 | semmle.label | [VarDecl] s3 |
+| tst.ts:111:15:111:33 | [VariableDeclarator] s3: `${number}-2-3` | semmle.label | [VariableDeclarator] s3: `${number}-2-3` |
+| tst.ts:111:19:111:33 | [TemplateLiteralTypeExpr] `${number}-2-3` | semmle.label | [TemplateLiteralTypeExpr] `${number}-2-3` |
+| tst.ts:111:22:111:27 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
+| tst.ts:111:29:111:32 | [LiteralTypeExpr] -2-3 | semmle.label | [LiteralTypeExpr] -2-3 |
+| tst.ts:112:3:112:4 | [VarRef] s1 | semmle.label | [VarRef] s1 |
+| tst.ts:112:3:112:9 | [AssignExpr] s1 = s2 | semmle.label | [AssignExpr] s1 = s2 |
+| tst.ts:112:3:112:10 | [ExprStmt] s1 = s2; | semmle.label | [ExprStmt] s1 = s2; |
+| tst.ts:112:8:112:9 | [VarRef] s2 | semmle.label | [VarRef] s2 |
+| tst.ts:113:3:113:4 | [VarRef] s1 | semmle.label | [VarRef] s1 |
+| tst.ts:113:3:113:9 | [AssignExpr] s1 = s3 | semmle.label | [AssignExpr] s1 = s3 |
+| tst.ts:113:3:113:10 | [ExprStmt] s1 = s3; | semmle.label | [ExprStmt] s1 = s3; |
+| tst.ts:113:8:113:9 | [VarRef] s3 | semmle.label | [VarRef] s3 |
+| tst.ts:116:3:129:3 | [ClassDefinition,TypeDefinition] class F ... } } | semmle.label | [ClassDefinition,TypeDefinition] class F ... } } |
+| tst.ts:116:9:116:11 | [VarDecl] Foo | semmle.label | [VarDecl] Foo |
+| tst.ts:116:13:116:12 | [BlockStmt] {} | semmle.label | [BlockStmt] {} |
+| tst.ts:116:13:116:12 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | semmle.label | [ClassInitializedMember,ConstructorDefinition] constructor() {} |
+| tst.ts:116:13:116:12 | [FunctionExpr] () {} | semmle.label | [FunctionExpr] () {} |
+| tst.ts:116:13:116:12 | [Label] constructor | semmle.label | [Label] constructor |
+| tst.ts:117:5:117:15 | [Label] #someMethod | semmle.label | [Label] #someMethod |
+| tst.ts:117:5:119:5 | [ClassInitializedMember,MethodDefinition] #someMe ... ; } | semmle.label | [ClassInitializedMember,MethodDefinition] #someMe ... ; } |
+| tst.ts:117:5:119:5 | [FunctionExpr] #someMe ... ; } | semmle.label | [FunctionExpr] #someMe ... ; } |
+| tst.ts:117:20:117:25 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
+| tst.ts:117:27:119:5 | [BlockStmt] { ... ; } | semmle.label | [BlockStmt] { ... ; } |
+| tst.ts:118:7:118:16 | [ReturnStmt] return 42; | semmle.label | [ReturnStmt] return 42; |
+| tst.ts:118:14:118:15 | [Literal] 42 | semmle.label | [Literal] 42 |
+| tst.ts:121:5:123:5 | [ClassInitializedMember,GetterMethodDefinition] get #so ... ; } | semmle.label | [ClassInitializedMember,GetterMethodDefinition] get #so ... ; } |
+| tst.ts:121:5:123:5 | [FunctionExpr] get #so ... ; } | semmle.label | [FunctionExpr] get #so ... ; } |
+| tst.ts:121:9:121:18 | [Label] #someValue | semmle.label | [Label] #someValue |
+| tst.ts:121:23:121:28 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
+| tst.ts:121:30:123:5 | [BlockStmt] { ... ; } | semmle.label | [BlockStmt] { ... ; } |
+| tst.ts:122:7:122:17 | [ReturnStmt] return 100; | semmle.label | [ReturnStmt] return 100; |
+| tst.ts:122:14:122:16 | [Literal] 100 | semmle.label | [Literal] 100 |
+| tst.ts:125:5:125:16 | [Label] publicMethod | semmle.label | [Label] publicMethod |
+| tst.ts:125:5:128:5 | [ClassInitializedMember,MethodDefinition] publicM ... ; } | semmle.label | [ClassInitializedMember,MethodDefinition] publicM ... ; } |
+| tst.ts:125:5:128:5 | [FunctionExpr] publicM ... ; } | semmle.label | [FunctionExpr] publicM ... ; } |
+| tst.ts:125:20:128:5 | [BlockStmt] { ... ; } | semmle.label | [BlockStmt] { ... ; } |
+| tst.ts:126:7:126:10 | [ThisExpr] this | semmle.label | [ThisExpr] this |
+| tst.ts:126:7:126:22 | [DotExpr] this.#someMethod | semmle.label | [DotExpr] this.#someMethod |
+| tst.ts:126:7:126:24 | [MethodCallExpr] this.#someMethod() | semmle.label | [MethodCallExpr] this.#someMethod() |
+| tst.ts:126:7:126:25 | [ExprStmt] this.#someMethod(); | semmle.label | [ExprStmt] this.#someMethod(); |
+| tst.ts:126:12:126:22 | [Label] #someMethod | semmle.label | [Label] #someMethod |
+| tst.ts:127:7:127:29 | [ReturnStmt] return ... eValue; | semmle.label | [ReturnStmt] return ... eValue; |
+| tst.ts:127:14:127:17 | [ThisExpr] this | semmle.label | [ThisExpr] this |
+| tst.ts:127:14:127:28 | [DotExpr] this.#someValue | semmle.label | [DotExpr] this.#someValue |
+| tst.ts:127:19:127:28 | [Label] #someValue | semmle.label | [Label] #someValue |
 | type_alias.ts:1:1:1:17 | [TypeAliasDeclaration,TypeDefinition] type B = boolean; | semmle.label | [TypeAliasDeclaration,TypeDefinition] type B = boolean; |
-| type_alias.ts:1:1:1:17 | [TypeAliasDeclaration,TypeDefinition] type B = boolean; | semmle.order | 55 |
+| type_alias.ts:1:1:1:17 | [TypeAliasDeclaration,TypeDefinition] type B = boolean; | semmle.order | 56 |
 | type_alias.ts:1:6:1:6 | [Identifier] B | semmle.label | [Identifier] B |
 | type_alias.ts:1:10:1:16 | [KeywordTypeExpr] boolean | semmle.label | [KeywordTypeExpr] boolean |
 | type_alias.ts:3:1:3:9 | [DeclStmt] var b = ... | semmle.label | [DeclStmt] var b = ... |
-| type_alias.ts:3:1:3:9 | [DeclStmt] var b = ... | semmle.order | 56 |
+| type_alias.ts:3:1:3:9 | [DeclStmt] var b = ... | semmle.order | 57 |
 | type_alias.ts:3:5:3:5 | [VarDecl] b | semmle.label | [VarDecl] b |
 | type_alias.ts:3:5:3:8 | [VariableDeclarator] b: B | semmle.label | [VariableDeclarator] b: B |
 | type_alias.ts:3:8:3:8 | [LocalTypeAccess] B | semmle.label | [LocalTypeAccess] B |
 | type_alias.ts:5:1:5:50 | [TypeAliasDeclaration,TypeDefinition] type Va ... ay<T>>; | semmle.label | [TypeAliasDeclaration,TypeDefinition] type Va ... ay<T>>; |
-| type_alias.ts:5:1:5:50 | [TypeAliasDeclaration,TypeDefinition] type Va ... ay<T>>; | semmle.order | 57 |
+| type_alias.ts:5:1:5:50 | [TypeAliasDeclaration,TypeDefinition] type Va ... ay<T>>; | semmle.order | 58 |
 | type_alias.ts:5:6:5:17 | [Identifier] ValueOrArray | semmle.label | [Identifier] ValueOrArray |
 | type_alias.ts:5:19:5:19 | [Identifier] T | semmle.label | [Identifier] T |
 | type_alias.ts:5:19:5:19 | [TypeParameter] T | semmle.label | [TypeParameter] T |
@@ -442,14 +613,14 @@ nodes
 | type_alias.ts:5:34:5:48 | [GenericTypeExpr] ValueOrArray<T> | semmle.label | [GenericTypeExpr] ValueOrArray<T> |
 | type_alias.ts:5:47:5:47 | [LocalTypeAccess] T | semmle.label | [LocalTypeAccess] T |
 | type_alias.ts:7:1:7:28 | [DeclStmt] var c = ... | semmle.label | [DeclStmt] var c = ... |
-| type_alias.ts:7:1:7:28 | [DeclStmt] var c = ... | semmle.order | 58 |
+| type_alias.ts:7:1:7:28 | [DeclStmt] var c = ... | semmle.order | 59 |
 | type_alias.ts:7:5:7:5 | [VarDecl] c | semmle.label | [VarDecl] c |
 | type_alias.ts:7:5:7:27 | [VariableDeclarator] c: Valu ... number> | semmle.label | [VariableDeclarator] c: Valu ... number> |
 | type_alias.ts:7:8:7:19 | [LocalTypeAccess] ValueOrArray | semmle.label | [LocalTypeAccess] ValueOrArray |
 | type_alias.ts:7:8:7:27 | [GenericTypeExpr] ValueOrArray<number> | semmle.label | [GenericTypeExpr] ValueOrArray<number> |
 | type_alias.ts:7:21:7:26 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
 | type_alias.ts:9:1:15:13 | [TypeAliasDeclaration,TypeDefinition] type Js ... Json[]; | semmle.label | [TypeAliasDeclaration,TypeDefinition] type Js ... Json[]; |
-| type_alias.ts:9:1:15:13 | [TypeAliasDeclaration,TypeDefinition] type Js ... Json[]; | semmle.order | 59 |
+| type_alias.ts:9:1:15:13 | [TypeAliasDeclaration,TypeDefinition] type Js ... Json[]; | semmle.order | 60 |
 | type_alias.ts:9:6:9:9 | [Identifier] Json | semmle.label | [Identifier] Json |
 | type_alias.ts:10:5:15:12 | [UnionTypeExpr] \| strin ... Json[] | semmle.label | [UnionTypeExpr] \| strin ... Json[] |
 | type_alias.ts:10:7:10:12 | [KeywordTypeExpr] string | semmle.label | [KeywordTypeExpr] string |
@@ -465,12 +636,12 @@ nodes
 | type_alias.ts:15:7:15:10 | [LocalTypeAccess] Json | semmle.label | [LocalTypeAccess] Json |
 | type_alias.ts:15:7:15:12 | [ArrayTypeExpr] Json[] | semmle.label | [ArrayTypeExpr] Json[] |
 | type_alias.ts:17:1:17:15 | [DeclStmt] var json = ... | semmle.label | [DeclStmt] var json = ... |
-| type_alias.ts:17:1:17:15 | [DeclStmt] var json = ... | semmle.order | 60 |
+| type_alias.ts:17:1:17:15 | [DeclStmt] var json = ... | semmle.order | 61 |
 | type_alias.ts:17:5:17:8 | [VarDecl] json | semmle.label | [VarDecl] json |
 | type_alias.ts:17:5:17:14 | [VariableDeclarator] json: Json | semmle.label | [VariableDeclarator] json: Json |
 | type_alias.ts:17:11:17:14 | [LocalTypeAccess] Json | semmle.label | [LocalTypeAccess] Json |
 | type_alias.ts:19:1:21:57 | [TypeAliasDeclaration,TypeDefinition] type Vi ... ode[]]; | semmle.label | [TypeAliasDeclaration,TypeDefinition] type Vi ... ode[]]; |
-| type_alias.ts:19:1:21:57 | [TypeAliasDeclaration,TypeDefinition] type Vi ... ode[]]; | semmle.order | 61 |
+| type_alias.ts:19:1:21:57 | [TypeAliasDeclaration,TypeDefinition] type Vi ... ode[]]; | semmle.order | 62 |
 | type_alias.ts:19:6:19:16 | [Identifier] VirtualNode | semmle.label | [Identifier] VirtualNode |
 | type_alias.ts:20:5:21:56 | [UnionTypeExpr] \| strin ... Node[]] | semmle.label | [UnionTypeExpr] \| strin ... Node[]] |
 | type_alias.ts:20:7:20:12 | [KeywordTypeExpr] string | semmle.label | [KeywordTypeExpr] string |
@@ -486,7 +657,7 @@ nodes
 | type_alias.ts:21:43:21:53 | [LocalTypeAccess] VirtualNode | semmle.label | [LocalTypeAccess] VirtualNode |
 | type_alias.ts:21:43:21:55 | [ArrayTypeExpr] VirtualNode[] | semmle.label | [ArrayTypeExpr] VirtualNode[] |
 | type_alias.ts:23:1:27:6 | [DeclStmt] const myNode = ... | semmle.label | [DeclStmt] const myNode = ... |
-| type_alias.ts:23:1:27:6 | [DeclStmt] const myNode = ... | semmle.order | 62 |
+| type_alias.ts:23:1:27:6 | [DeclStmt] const myNode = ... | semmle.order | 63 |
 | type_alias.ts:23:7:23:12 | [VarDecl] myNode | semmle.label | [VarDecl] myNode |
 | type_alias.ts:23:7:27:5 | [VariableDeclarator] myNode: ... ] ] | semmle.label | [VariableDeclarator] myNode: ... ] ] |
 | type_alias.ts:23:15:23:25 | [LocalTypeAccess] VirtualNode | semmle.label | [LocalTypeAccess] VirtualNode |
@@ -511,12 +682,12 @@ nodes
 | type_alias.ts:26:23:26:36 | [Literal] "second-child" | semmle.label | [Literal] "second-child" |
 | type_alias.ts:26:41:26:62 | [Literal] "I'm the second child" | semmle.label | [Literal] "I'm the second child" |
 | type_definition_objects.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.label | [ImportDeclaration] import ... dummy"; |
-| type_definition_objects.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.order | 63 |
+| type_definition_objects.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.order | 64 |
 | type_definition_objects.ts:1:8:1:17 | [ImportSpecifier] * as dummy | semmle.label | [ImportSpecifier] * as dummy |
 | type_definition_objects.ts:1:13:1:17 | [VarDecl] dummy | semmle.label | [VarDecl] dummy |
 | type_definition_objects.ts:1:24:1:32 | [Literal] "./dummy" | semmle.label | [Literal] "./dummy" |
 | type_definition_objects.ts:3:1:3:17 | [ExportDeclaration] export class C {} | semmle.label | [ExportDeclaration] export class C {} |
-| type_definition_objects.ts:3:1:3:17 | [ExportDeclaration] export class C {} | semmle.order | 64 |
+| type_definition_objects.ts:3:1:3:17 | [ExportDeclaration] export class C {} | semmle.order | 65 |
 | type_definition_objects.ts:3:8:3:17 | [ClassDefinition,TypeDefinition] class C {} | semmle.label | [ClassDefinition,TypeDefinition] class C {} |
 | type_definition_objects.ts:3:14:3:14 | [VarDecl] C | semmle.label | [VarDecl] C |
 | type_definition_objects.ts:3:16:3:15 | [BlockStmt] {} | semmle.label | [BlockStmt] {} |
@@ -524,36 +695,36 @@ nodes
 | type_definition_objects.ts:3:16:3:15 | [FunctionExpr] () {} | semmle.label | [FunctionExpr] () {} |
 | type_definition_objects.ts:3:16:3:15 | [Label] constructor | semmle.label | [Label] constructor |
 | type_definition_objects.ts:4:1:4:17 | [DeclStmt] let classObj = ... | semmle.label | [DeclStmt] let classObj = ... |
-| type_definition_objects.ts:4:1:4:17 | [DeclStmt] let classObj = ... | semmle.order | 65 |
+| type_definition_objects.ts:4:1:4:17 | [DeclStmt] let classObj = ... | semmle.order | 66 |
 | type_definition_objects.ts:4:5:4:12 | [VarDecl] classObj | semmle.label | [VarDecl] classObj |
 | type_definition_objects.ts:4:5:4:16 | [VariableDeclarator] classObj = C | semmle.label | [VariableDeclarator] classObj = C |
 | type_definition_objects.ts:4:16:4:16 | [VarRef] C | semmle.label | [VarRef] C |
 | type_definition_objects.ts:6:1:6:16 | [ExportDeclaration] export enum E {} | semmle.label | [ExportDeclaration] export enum E {} |
-| type_definition_objects.ts:6:1:6:16 | [ExportDeclaration] export enum E {} | semmle.order | 66 |
+| type_definition_objects.ts:6:1:6:16 | [ExportDeclaration] export enum E {} | semmle.order | 67 |
 | type_definition_objects.ts:6:8:6:16 | [EnumDeclaration,TypeDefinition] enum E {} | semmle.label | [EnumDeclaration,TypeDefinition] enum E {} |
 | type_definition_objects.ts:6:13:6:13 | [VarDecl] E | semmle.label | [VarDecl] E |
 | type_definition_objects.ts:7:1:7:16 | [DeclStmt] let enumObj = ... | semmle.label | [DeclStmt] let enumObj = ... |
-| type_definition_objects.ts:7:1:7:16 | [DeclStmt] let enumObj = ... | semmle.order | 67 |
+| type_definition_objects.ts:7:1:7:16 | [DeclStmt] let enumObj = ... | semmle.order | 68 |
 | type_definition_objects.ts:7:5:7:11 | [VarDecl] enumObj | semmle.label | [VarDecl] enumObj |
 | type_definition_objects.ts:7:5:7:15 | [VariableDeclarator] enumObj = E | semmle.label | [VariableDeclarator] enumObj = E |
 | type_definition_objects.ts:7:15:7:15 | [VarRef] E | semmle.label | [VarRef] E |
 | type_definition_objects.ts:9:1:9:22 | [ExportDeclaration] export ... e N {;} | semmle.label | [ExportDeclaration] export ... e N {;} |
-| type_definition_objects.ts:9:1:9:22 | [ExportDeclaration] export ... e N {;} | semmle.order | 68 |
+| type_definition_objects.ts:9:1:9:22 | [ExportDeclaration] export ... e N {;} | semmle.order | 69 |
 | type_definition_objects.ts:9:8:9:22 | [NamespaceDeclaration] namespace N {;} | semmle.label | [NamespaceDeclaration] namespace N {;} |
 | type_definition_objects.ts:9:18:9:18 | [VarDecl] N | semmle.label | [VarDecl] N |
 | type_definition_objects.ts:9:21:9:21 | [EmptyStmt] ; | semmle.label | [EmptyStmt] ; |
 | type_definition_objects.ts:10:1:10:21 | [DeclStmt] let namespaceObj = ... | semmle.label | [DeclStmt] let namespaceObj = ... |
-| type_definition_objects.ts:10:1:10:21 | [DeclStmt] let namespaceObj = ... | semmle.order | 69 |
+| type_definition_objects.ts:10:1:10:21 | [DeclStmt] let namespaceObj = ... | semmle.order | 70 |
 | type_definition_objects.ts:10:5:10:16 | [VarDecl] namespaceObj | semmle.label | [VarDecl] namespaceObj |
 | type_definition_objects.ts:10:5:10:20 | [VariableDeclarator] namespaceObj = N | semmle.label | [VariableDeclarator] namespaceObj = N |
 | type_definition_objects.ts:10:20:10:20 | [VarRef] N | semmle.label | [VarRef] N |
 | type_definitions.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.label | [ImportDeclaration] import ... dummy"; |
-| type_definitions.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.order | 70 |
+| type_definitions.ts:1:1:1:33 | [ImportDeclaration] import ... dummy"; | semmle.order | 71 |
 | type_definitions.ts:1:8:1:17 | [ImportSpecifier] * as dummy | semmle.label | [ImportSpecifier] * as dummy |
 | type_definitions.ts:1:13:1:17 | [VarDecl] dummy | semmle.label | [VarDecl] dummy |
 | type_definitions.ts:1:24:1:32 | [Literal] "./dummy" | semmle.label | [Literal] "./dummy" |
 | type_definitions.ts:3:1:5:1 | [InterfaceDeclaration,TypeDefinition] interfa ... x: S; } | semmle.label | [InterfaceDeclaration,TypeDefinition] interfa ... x: S; } |
-| type_definitions.ts:3:1:5:1 | [InterfaceDeclaration,TypeDefinition] interfa ... x: S; } | semmle.order | 71 |
+| type_definitions.ts:3:1:5:1 | [InterfaceDeclaration,TypeDefinition] interfa ... x: S; } | semmle.order | 72 |
 | type_definitions.ts:3:11:3:11 | [Identifier] I | semmle.label | [Identifier] I |
 | type_definitions.ts:3:13:3:13 | [Identifier] S | semmle.label | [Identifier] S |
 | type_definitions.ts:3:13:3:13 | [TypeParameter] S | semmle.label | [TypeParameter] S |
@@ -561,14 +732,14 @@ nodes
 | type_definitions.ts:4:3:4:7 | [FieldDeclaration] x: S; | semmle.label | [FieldDeclaration] x: S; |
 | type_definitions.ts:4:6:4:6 | [LocalTypeAccess] S | semmle.label | [LocalTypeAccess] S |
 | type_definitions.ts:6:1:6:16 | [DeclStmt] let i = ... | semmle.label | [DeclStmt] let i = ... |
-| type_definitions.ts:6:1:6:16 | [DeclStmt] let i = ... | semmle.order | 72 |
+| type_definitions.ts:6:1:6:16 | [DeclStmt] let i = ... | semmle.order | 73 |
 | type_definitions.ts:6:5:6:5 | [VarDecl] i | semmle.label | [VarDecl] i |
 | type_definitions.ts:6:5:6:16 | [VariableDeclarator] i: I<number> | semmle.label | [VariableDeclarator] i: I<number> |
 | type_definitions.ts:6:8:6:8 | [LocalTypeAccess] I | semmle.label | [LocalTypeAccess] I |
 | type_definitions.ts:6:8:6:16 | [GenericTypeExpr] I<number> | semmle.label | [GenericTypeExpr] I<number> |
 | type_definitions.ts:6:10:6:15 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
 | type_definitions.ts:8:1:10:1 | [ClassDefinition,TypeDefinition] class C ... x: T } | semmle.label | [ClassDefinition,TypeDefinition] class C ... x: T } |
-| type_definitions.ts:8:1:10:1 | [ClassDefinition,TypeDefinition] class C ... x: T } | semmle.order | 73 |
+| type_definitions.ts:8:1:10:1 | [ClassDefinition,TypeDefinition] class C ... x: T } | semmle.order | 74 |
 | type_definitions.ts:8:7:8:7 | [VarDecl] C | semmle.label | [VarDecl] C |
 | type_definitions.ts:8:8:8:7 | [BlockStmt] {} | semmle.label | [BlockStmt] {} |
 | type_definitions.ts:8:8:8:7 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | semmle.label | [ClassInitializedMember,ConstructorDefinition] constructor() {} |
@@ -580,14 +751,14 @@ nodes
 | type_definitions.ts:9:3:9:6 | [FieldDeclaration] x: T | semmle.label | [FieldDeclaration] x: T |
 | type_definitions.ts:9:6:9:6 | [LocalTypeAccess] T | semmle.label | [LocalTypeAccess] T |
 | type_definitions.ts:11:1:11:17 | [DeclStmt] let c = ... | semmle.label | [DeclStmt] let c = ... |
-| type_definitions.ts:11:1:11:17 | [DeclStmt] let c = ... | semmle.order | 74 |
+| type_definitions.ts:11:1:11:17 | [DeclStmt] let c = ... | semmle.order | 75 |
 | type_definitions.ts:11:5:11:5 | [VarDecl] c | semmle.label | [VarDecl] c |
 | type_definitions.ts:11:5:11:16 | [VariableDeclarator] c: C<number> | semmle.label | [VariableDeclarator] c: C<number> |
 | type_definitions.ts:11:8:11:8 | [LocalTypeAccess] C | semmle.label | [LocalTypeAccess] C |
 | type_definitions.ts:11:8:11:16 | [GenericTypeExpr] C<number> | semmle.label | [GenericTypeExpr] C<number> |
 | type_definitions.ts:11:10:11:15 | [KeywordTypeExpr] number | semmle.label | [KeywordTypeExpr] number |
 | type_definitions.ts:13:1:15:1 | [EnumDeclaration,TypeDefinition] enum Co ... blue } | semmle.label | [EnumDeclaration,TypeDefinition] enum Co ... blue } |
-| type_definitions.ts:13:1:15:1 | [EnumDeclaration,TypeDefinition] enum Co ... blue } | semmle.order | 75 |
+| type_definitions.ts:13:1:15:1 | [EnumDeclaration,TypeDefinition] enum Co ... blue } | semmle.order | 76 |
 | type_definitions.ts:13:6:13:10 | [VarDecl] Color | semmle.label | [VarDecl] Color |
 | type_definitions.ts:14:3:14:5 | [EnumMember,TypeDefinition] red | semmle.label | [EnumMember,TypeDefinition] red |
 | type_definitions.ts:14:3:14:5 | [VarDecl] red | semmle.label | [VarDecl] red |
@@ -596,29 +767,29 @@ nodes
 | type_definitions.ts:14:15:14:18 | [EnumMember,TypeDefinition] blue | semmle.label | [EnumMember,TypeDefinition] blue |
 | type_definitions.ts:14:15:14:18 | [VarDecl] blue | semmle.label | [VarDecl] blue |
 | type_definitions.ts:16:1:16:17 | [DeclStmt] let color = ... | semmle.label | [DeclStmt] let color = ... |
-| type_definitions.ts:16:1:16:17 | [DeclStmt] let color = ... | semmle.order | 76 |
+| type_definitions.ts:16:1:16:17 | [DeclStmt] let color = ... | semmle.order | 77 |
 | type_definitions.ts:16:5:16:9 | [VarDecl] color | semmle.label | [VarDecl] color |
 | type_definitions.ts:16:5:16:16 | [VariableDeclarator] color: Color | semmle.label | [VariableDeclarator] color: Color |
 | type_definitions.ts:16:12:16:16 | [LocalTypeAccess] Color | semmle.label | [LocalTypeAccess] Color |
 | type_definitions.ts:18:1:18:33 | [EnumDeclaration,TypeDefinition] enum En ... ember } | semmle.label | [EnumDeclaration,TypeDefinition] enum En ... ember } |
-| type_definitions.ts:18:1:18:33 | [EnumDeclaration,TypeDefinition] enum En ... ember } | semmle.order | 77 |
+| type_definitions.ts:18:1:18:33 | [EnumDeclaration,TypeDefinition] enum En ... ember } | semmle.order | 78 |
 | type_definitions.ts:18:6:18:22 | [VarDecl] EnumWithOneMember | semmle.label | [VarDecl] EnumWithOneMember |
 | type_definitions.ts:18:26:18:31 | [EnumMember,TypeDefinition] member | semmle.label | [EnumMember,TypeDefinition] member |
 | type_definitions.ts:18:26:18:31 | [VarDecl] member | semmle.label | [VarDecl] member |
 | type_definitions.ts:19:1:19:25 | [DeclStmt] let e = ... | semmle.label | [DeclStmt] let e = ... |
-| type_definitions.ts:19:1:19:25 | [DeclStmt] let e = ... | semmle.order | 78 |
+| type_definitions.ts:19:1:19:25 | [DeclStmt] let e = ... | semmle.order | 79 |
 | type_definitions.ts:19:5:19:5 | [VarDecl] e | semmle.label | [VarDecl] e |
 | type_definitions.ts:19:5:19:24 | [VariableDeclarator] e: EnumWithOneMember | semmle.label | [VariableDeclarator] e: EnumWithOneMember |
 | type_definitions.ts:19:8:19:24 | [LocalTypeAccess] EnumWithOneMember | semmle.label | [LocalTypeAccess] EnumWithOneMember |
 | type_definitions.ts:21:1:21:20 | [TypeAliasDeclaration,TypeDefinition] type Alias<T> = T[]; | semmle.label | [TypeAliasDeclaration,TypeDefinition] type Alias<T> = T[]; |
-| type_definitions.ts:21:1:21:20 | [TypeAliasDeclaration,TypeDefinition] type Alias<T> = T[]; | semmle.order | 79 |
+| type_definitions.ts:21:1:21:20 | [TypeAliasDeclaration,TypeDefinition] type Alias<T> = T[]; | semmle.order | 80 |
 | type_definitions.ts:21:6:21:10 | [Identifier] Alias | semmle.label | [Identifier] Alias |
 | type_definitions.ts:21:12:21:12 | [Identifier] T | semmle.label | [Identifier] T |
 | type_definitions.ts:21:12:21:12 | [TypeParameter] T | semmle.label | [TypeParameter] T |
 | type_definitions.ts:21:17:21:17 | [LocalTypeAccess] T | semmle.label | [LocalTypeAccess] T |
 | type_definitions.ts:21:17:21:19 | [ArrayTypeExpr] T[] | semmle.label | [ArrayTypeExpr] T[] |
 | type_definitions.ts:22:1:22:39 | [DeclStmt] let aliasForNumberArray = ... | semmle.label | [DeclStmt] let aliasForNumberArray = ... |
-| type_definitions.ts:22:1:22:39 | [DeclStmt] let aliasForNumberArray = ... | semmle.order | 80 |
+| type_definitions.ts:22:1:22:39 | [DeclStmt] let aliasForNumberArray = ... | semmle.order | 81 |
 | type_definitions.ts:22:5:22:23 | [VarDecl] aliasForNumberArray | semmle.label | [VarDecl] aliasForNumberArray |
 | type_definitions.ts:22:5:22:38 | [VariableDeclarator] aliasFo ... number> | semmle.label | [VariableDeclarator] aliasFo ... number> |
 | type_definitions.ts:22:26:22:30 | [LocalTypeAccess] Alias | semmle.label | [LocalTypeAccess] Alias |
@@ -745,6 +916,10 @@ edges
 | dummy.ts:4:19:4:22 | [RegExpSequence] ab+c | dummy.ts:4:22:4:22 | [RegExpNormalConstant] c | semmle.order | 2 |
 | dummy.ts:4:20:4:21 | [RegExpPlus] b+ | dummy.ts:4:20:4:20 | [RegExpNormalConstant] b | semmle.label | 0 |
 | dummy.ts:4:20:4:21 | [RegExpPlus] b+ | dummy.ts:4:20:4:20 | [RegExpNormalConstant] b | semmle.order | 0 |
+| file://:0:0:0:0 | (Arguments) | tst.ts:86:27:86:31 | [VarRef] value | semmle.label | 0 |
+| file://:0:0:0:0 | (Arguments) | tst.ts:86:27:86:31 | [VarRef] value | semmle.order | 0 |
+| file://:0:0:0:0 | (Arguments) | tst.ts:97:27:97:26 | [SpreadElement] ...args | semmle.label | 0 |
+| file://:0:0:0:0 | (Arguments) | tst.ts:97:27:97:26 | [SpreadElement] ...args | semmle.order | 0 |
 | file://:0:0:0:0 | (Parameters) | tst.ts:14:17:14:17 | [SimpleParameter] x | semmle.label | 0 |
 | file://:0:0:0:0 | (Parameters) | tst.ts:14:17:14:17 | [SimpleParameter] x | semmle.order | 0 |
 | file://:0:0:0:0 | (Parameters) | tst.ts:14:28:14:28 | [SimpleParameter] y | semmle.label | 1 |
@@ -761,6 +936,14 @@ edges
 | file://:0:0:0:0 | (Parameters) | tst.ts:20:23:20:23 | [SimpleParameter] x | semmle.order | 0 |
 | file://:0:0:0:0 | (Parameters) | tst.ts:20:26:20:26 | [SimpleParameter] y | semmle.label | 1 |
 | file://:0:0:0:0 | (Parameters) | tst.ts:20:26:20:26 | [SimpleParameter] y | semmle.order | 1 |
+| file://:0:0:0:0 | (Parameters) | tst.ts:75:14:75:18 | [SimpleParameter] value | semmle.label | 0 |
+| file://:0:0:0:0 | (Parameters) | tst.ts:75:14:75:18 | [SimpleParameter] value | semmle.order | 0 |
+| file://:0:0:0:0 | (Parameters) | tst.ts:85:14:85:18 | [SimpleParameter] value | semmle.label | 0 |
+| file://:0:0:0:0 | (Parameters) | tst.ts:85:14:85:18 | [SimpleParameter] value | semmle.order | 0 |
+| file://:0:0:0:0 | (Parameters) | tst.ts:97:27:97:26 | [SimpleParameter] args | semmle.label | 0 |
+| file://:0:0:0:0 | (Parameters) | tst.ts:97:27:97:26 | [SimpleParameter] args | semmle.order | 0 |
+| file://:0:0:0:0 | (Parameters) | tst.ts:104:16:104:16 | [SimpleParameter] s | semmle.label | 0 |
+| file://:0:0:0:0 | (Parameters) | tst.ts:104:16:104:16 | [SimpleParameter] s | semmle.order | 0 |
 | file://:0:0:0:0 | (Parameters) | type_alias.ts:14:10:14:17 | [SimpleParameter] property | semmle.label | 0 |
 | file://:0:0:0:0 | (Parameters) | type_alias.ts:14:10:14:17 | [SimpleParameter] property | semmle.order | 0 |
 | file://:0:0:0:0 | (Parameters) | type_alias.ts:21:19:21:21 | [SimpleParameter] key | semmle.label | 0 |
@@ -1251,6 +1434,332 @@ edges
 | tst.ts:69:25:69:44 | [Property] yetAnotherType: true | tst.ts:69:25:69:38 | [Label] yetAnotherType | semmle.order | 1 |
 | tst.ts:69:25:69:44 | [Property] yetAnotherType: true | tst.ts:69:41:69:44 | [Literal] true | semmle.label | 2 |
 | tst.ts:69:25:69:44 | [Property] yetAnotherType: true | tst.ts:69:41:69:44 | [Literal] true | semmle.order | 2 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:71:8:71:11 | [VarDecl] TS43 | semmle.label | 1 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:71:8:71:11 | [VarDecl] TS43 | semmle.order | 1 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:73:3:76:3 | [InterfaceDeclaration,TypeDefinition] interfa ... n); } | semmle.label | 2 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:73:3:76:3 | [InterfaceDeclaration,TypeDefinition] interfa ... n); } | semmle.order | 2 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:78:3:88:3 | [ExportDeclaration] export ... } } | semmle.label | 3 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:78:3:88:3 | [ExportDeclaration] export ... } } | semmle.order | 3 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:91:3:95:3 | [ClassDefinition,TypeDefinition] class S ... } } | semmle.label | 4 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:91:3:95:3 | [ClassDefinition,TypeDefinition] class S ... } } | semmle.order | 4 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:97:3:101:3 | [ClassDefinition,TypeDefinition] class S ... } } | semmle.label | 5 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:97:3:101:3 | [ClassDefinition,TypeDefinition] class S ... } } | semmle.order | 5 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:104:3:107:3 | [FunctionDeclStmt] functio ... }`; } | semmle.label | 6 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:104:3:107:3 | [FunctionDeclStmt] functio ... }`; } | semmle.order | 6 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:109:3:109:50 | [DeclStmt] let s1 = ... | semmle.label | 7 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:109:3:109:50 | [DeclStmt] let s1 = ... | semmle.order | 7 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:110:3:110:26 | [DeclStmt] let s2 = ... | semmle.label | 8 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:110:3:110:26 | [DeclStmt] let s2 = ... | semmle.order | 8 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:111:3:111:34 | [DeclStmt] let s3 = ... | semmle.label | 9 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:111:3:111:34 | [DeclStmt] let s3 = ... | semmle.order | 9 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:112:3:112:10 | [ExprStmt] s1 = s2; | semmle.label | 10 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:112:3:112:10 | [ExprStmt] s1 = s2; | semmle.order | 10 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:113:3:113:10 | [ExprStmt] s1 = s3; | semmle.label | 11 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:113:3:113:10 | [ExprStmt] s1 = s3; | semmle.order | 11 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:116:3:129:3 | [ClassDefinition,TypeDefinition] class F ... } } | semmle.label | 12 |
+| tst.ts:71:1:130:1 | [NamespaceDeclaration] module ... } } | tst.ts:116:3:129:3 | [ClassDefinition,TypeDefinition] class F ... } } | semmle.order | 12 |
+| tst.ts:73:3:76:3 | [InterfaceDeclaration,TypeDefinition] interfa ... n); } | tst.ts:73:13:73:18 | [Identifier] ThingI | semmle.label | 1 |
+| tst.ts:73:3:76:3 | [InterfaceDeclaration,TypeDefinition] interfa ... n); } | tst.ts:73:13:73:18 | [Identifier] ThingI | semmle.order | 1 |
+| tst.ts:73:3:76:3 | [InterfaceDeclaration,TypeDefinition] interfa ... n); } | tst.ts:74:5:74:22 | [GetterMethodSignature] get size(): number | semmle.label | 2 |
+| tst.ts:73:3:76:3 | [InterfaceDeclaration,TypeDefinition] interfa ... n); } | tst.ts:74:5:74:22 | [GetterMethodSignature] get size(): number | semmle.order | 2 |
+| tst.ts:73:3:76:3 | [InterfaceDeclaration,TypeDefinition] interfa ... n); } | tst.ts:75:5:75:47 | [SetterMethodSignature] set siz ... olean); | semmle.label | 3 |
+| tst.ts:73:3:76:3 | [InterfaceDeclaration,TypeDefinition] interfa ... n); } | tst.ts:75:5:75:47 | [SetterMethodSignature] set siz ... olean); | semmle.order | 3 |
+| tst.ts:74:5:74:22 | [FunctionExpr] get size(): number | tst.ts:74:17:74:22 | [KeywordTypeExpr] number | semmle.label | 4 |
+| tst.ts:74:5:74:22 | [FunctionExpr] get size(): number | tst.ts:74:17:74:22 | [KeywordTypeExpr] number | semmle.order | 4 |
+| tst.ts:74:5:74:22 | [GetterMethodSignature] get size(): number | tst.ts:74:5:74:22 | [FunctionExpr] get size(): number | semmle.label | 1 |
+| tst.ts:74:5:74:22 | [GetterMethodSignature] get size(): number | tst.ts:74:5:74:22 | [FunctionExpr] get size(): number | semmle.order | 1 |
+| tst.ts:74:5:74:22 | [GetterMethodSignature] get size(): number | tst.ts:74:9:74:12 | [Label] size | semmle.label | 2 |
+| tst.ts:74:5:74:22 | [GetterMethodSignature] get size(): number | tst.ts:74:9:74:12 | [Label] size | semmle.order | 2 |
+| tst.ts:75:5:75:47 | [FunctionExpr] set siz ... olean); | file://:0:0:0:0 | (Parameters) | semmle.label | 1 |
+| tst.ts:75:5:75:47 | [FunctionExpr] set siz ... olean); | file://:0:0:0:0 | (Parameters) | semmle.order | 1 |
+| tst.ts:75:5:75:47 | [SetterMethodSignature] set siz ... olean); | tst.ts:75:5:75:47 | [FunctionExpr] set siz ... olean); | semmle.label | 1 |
+| tst.ts:75:5:75:47 | [SetterMethodSignature] set siz ... olean); | tst.ts:75:5:75:47 | [FunctionExpr] set siz ... olean); | semmle.order | 1 |
+| tst.ts:75:5:75:47 | [SetterMethodSignature] set siz ... olean); | tst.ts:75:9:75:12 | [Label] size | semmle.label | 2 |
+| tst.ts:75:5:75:47 | [SetterMethodSignature] set siz ... olean); | tst.ts:75:9:75:12 | [Label] size | semmle.order | 2 |
+| tst.ts:75:14:75:18 | [SimpleParameter] value | tst.ts:75:21:75:45 | [UnionTypeExpr] number ... boolean | semmle.label | 0 |
+| tst.ts:75:14:75:18 | [SimpleParameter] value | tst.ts:75:21:75:45 | [UnionTypeExpr] number ... boolean | semmle.order | 0 |
+| tst.ts:75:21:75:45 | [UnionTypeExpr] number ... boolean | tst.ts:75:21:75:26 | [KeywordTypeExpr] number | semmle.label | 1 |
+| tst.ts:75:21:75:45 | [UnionTypeExpr] number ... boolean | tst.ts:75:21:75:26 | [KeywordTypeExpr] number | semmle.order | 1 |
+| tst.ts:75:21:75:45 | [UnionTypeExpr] number ... boolean | tst.ts:75:30:75:35 | [KeywordTypeExpr] string | semmle.label | 2 |
+| tst.ts:75:21:75:45 | [UnionTypeExpr] number ... boolean | tst.ts:75:30:75:35 | [KeywordTypeExpr] string | semmle.order | 2 |
+| tst.ts:75:21:75:45 | [UnionTypeExpr] number ... boolean | tst.ts:75:39:75:45 | [KeywordTypeExpr] boolean | semmle.label | 3 |
+| tst.ts:75:21:75:45 | [UnionTypeExpr] number ... boolean | tst.ts:75:39:75:45 | [KeywordTypeExpr] boolean | semmle.order | 3 |
+| tst.ts:78:3:88:3 | [ExportDeclaration] export ... } } | tst.ts:78:10:88:3 | [ClassDefinition,TypeDefinition] class T ... } } | semmle.label | 1 |
+| tst.ts:78:3:88:3 | [ExportDeclaration] export ... } } | tst.ts:78:10:88:3 | [ClassDefinition,TypeDefinition] class T ... } } | semmle.order | 1 |
+| tst.ts:78:10:88:3 | [ClassDefinition,TypeDefinition] class T ... } } | tst.ts:78:16:78:20 | [VarDecl] Thing | semmle.label | 1 |
+| tst.ts:78:10:88:3 | [ClassDefinition,TypeDefinition] class T ... } } | tst.ts:78:16:78:20 | [VarDecl] Thing | semmle.order | 1 |
+| tst.ts:78:10:88:3 | [ClassDefinition,TypeDefinition] class T ... } } | tst.ts:78:33:78:38 | [LocalTypeAccess] ThingI | semmle.label | 2 |
+| tst.ts:78:10:88:3 | [ClassDefinition,TypeDefinition] class T ... } } | tst.ts:78:33:78:38 | [LocalTypeAccess] ThingI | semmle.order | 2 |
+| tst.ts:78:10:88:3 | [ClassDefinition,TypeDefinition] class T ... } } | tst.ts:78:40:78:39 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | semmle.label | 3 |
+| tst.ts:78:10:88:3 | [ClassDefinition,TypeDefinition] class T ... } } | tst.ts:78:40:78:39 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | semmle.order | 3 |
+| tst.ts:78:10:88:3 | [ClassDefinition,TypeDefinition] class T ... } } | tst.ts:79:5:79:14 | [FieldDeclaration] #size = 0; | semmle.label | 4 |
+| tst.ts:78:10:88:3 | [ClassDefinition,TypeDefinition] class T ... } } | tst.ts:79:5:79:14 | [FieldDeclaration] #size = 0; | semmle.order | 4 |
+| tst.ts:78:10:88:3 | [ClassDefinition,TypeDefinition] class T ... } } | tst.ts:81:5:83:5 | [ClassInitializedMember,GetterMethodDefinition] get siz ... ; } | semmle.label | 5 |
+| tst.ts:78:10:88:3 | [ClassDefinition,TypeDefinition] class T ... } } | tst.ts:81:5:83:5 | [ClassInitializedMember,GetterMethodDefinition] get siz ... ; } | semmle.order | 5 |
+| tst.ts:78:10:88:3 | [ClassDefinition,TypeDefinition] class T ... } } | tst.ts:85:5:87:5 | [ClassInitializedMember,SetterMethodDefinition] set siz ... ; } | semmle.label | 6 |
+| tst.ts:78:10:88:3 | [ClassDefinition,TypeDefinition] class T ... } } | tst.ts:85:5:87:5 | [ClassInitializedMember,SetterMethodDefinition] set siz ... ; } | semmle.order | 6 |
+| tst.ts:78:40:78:39 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | tst.ts:78:40:78:39 | [FunctionExpr] () {} | semmle.label | 2 |
+| tst.ts:78:40:78:39 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | tst.ts:78:40:78:39 | [FunctionExpr] () {} | semmle.order | 2 |
+| tst.ts:78:40:78:39 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | tst.ts:78:40:78:39 | [Label] constructor | semmle.label | 1 |
+| tst.ts:78:40:78:39 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | tst.ts:78:40:78:39 | [Label] constructor | semmle.order | 1 |
+| tst.ts:78:40:78:39 | [FunctionExpr] () {} | tst.ts:78:40:78:39 | [BlockStmt] {} | semmle.label | 5 |
+| tst.ts:78:40:78:39 | [FunctionExpr] () {} | tst.ts:78:40:78:39 | [BlockStmt] {} | semmle.order | 5 |
+| tst.ts:79:5:79:14 | [FieldDeclaration] #size = 0; | tst.ts:79:5:79:9 | [Label] #size | semmle.label | 1 |
+| tst.ts:79:5:79:14 | [FieldDeclaration] #size = 0; | tst.ts:79:5:79:9 | [Label] #size | semmle.order | 1 |
+| tst.ts:79:5:79:14 | [FieldDeclaration] #size = 0; | tst.ts:79:13:79:13 | [Literal] 0 | semmle.label | 2 |
+| tst.ts:79:5:79:14 | [FieldDeclaration] #size = 0; | tst.ts:79:13:79:13 | [Literal] 0 | semmle.order | 2 |
+| tst.ts:81:5:83:5 | [ClassInitializedMember,GetterMethodDefinition] get siz ... ; } | tst.ts:81:5:83:5 | [FunctionExpr] get siz ... ; } | semmle.label | 1 |
+| tst.ts:81:5:83:5 | [ClassInitializedMember,GetterMethodDefinition] get siz ... ; } | tst.ts:81:5:83:5 | [FunctionExpr] get siz ... ; } | semmle.order | 1 |
+| tst.ts:81:5:83:5 | [ClassInitializedMember,GetterMethodDefinition] get siz ... ; } | tst.ts:81:9:81:12 | [Label] size | semmle.label | 2 |
+| tst.ts:81:5:83:5 | [ClassInitializedMember,GetterMethodDefinition] get siz ... ; } | tst.ts:81:9:81:12 | [Label] size | semmle.order | 2 |
+| tst.ts:81:5:83:5 | [FunctionExpr] get siz ... ; } | tst.ts:81:17:81:22 | [KeywordTypeExpr] number | semmle.label | 4 |
+| tst.ts:81:5:83:5 | [FunctionExpr] get siz ... ; } | tst.ts:81:17:81:22 | [KeywordTypeExpr] number | semmle.order | 4 |
+| tst.ts:81:5:83:5 | [FunctionExpr] get siz ... ; } | tst.ts:81:24:83:5 | [BlockStmt] { ... ; } | semmle.label | 5 |
+| tst.ts:81:5:83:5 | [FunctionExpr] get siz ... ; } | tst.ts:81:24:83:5 | [BlockStmt] { ... ; } | semmle.order | 5 |
+| tst.ts:81:24:83:5 | [BlockStmt] { ... ; } | tst.ts:82:7:82:24 | [ReturnStmt] return this.#size; | semmle.label | 1 |
+| tst.ts:81:24:83:5 | [BlockStmt] { ... ; } | tst.ts:82:7:82:24 | [ReturnStmt] return this.#size; | semmle.order | 1 |
+| tst.ts:82:7:82:24 | [ReturnStmt] return this.#size; | tst.ts:82:14:82:23 | [DotExpr] this.#size | semmle.label | 1 |
+| tst.ts:82:7:82:24 | [ReturnStmt] return this.#size; | tst.ts:82:14:82:23 | [DotExpr] this.#size | semmle.order | 1 |
+| tst.ts:82:14:82:23 | [DotExpr] this.#size | tst.ts:82:14:82:17 | [ThisExpr] this | semmle.label | 1 |
+| tst.ts:82:14:82:23 | [DotExpr] this.#size | tst.ts:82:14:82:17 | [ThisExpr] this | semmle.order | 1 |
+| tst.ts:82:14:82:23 | [DotExpr] this.#size | tst.ts:82:19:82:23 | [Label] #size | semmle.label | 2 |
+| tst.ts:82:14:82:23 | [DotExpr] this.#size | tst.ts:82:19:82:23 | [Label] #size | semmle.order | 2 |
+| tst.ts:85:5:87:5 | [ClassInitializedMember,SetterMethodDefinition] set siz ... ; } | tst.ts:85:5:87:5 | [FunctionExpr] set siz ... ; } | semmle.label | 1 |
+| tst.ts:85:5:87:5 | [ClassInitializedMember,SetterMethodDefinition] set siz ... ; } | tst.ts:85:5:87:5 | [FunctionExpr] set siz ... ; } | semmle.order | 1 |
+| tst.ts:85:5:87:5 | [ClassInitializedMember,SetterMethodDefinition] set siz ... ; } | tst.ts:85:9:85:12 | [Label] size | semmle.label | 2 |
+| tst.ts:85:5:87:5 | [ClassInitializedMember,SetterMethodDefinition] set siz ... ; } | tst.ts:85:9:85:12 | [Label] size | semmle.order | 2 |
+| tst.ts:85:5:87:5 | [FunctionExpr] set siz ... ; } | file://:0:0:0:0 | (Parameters) | semmle.label | 1 |
+| tst.ts:85:5:87:5 | [FunctionExpr] set siz ... ; } | file://:0:0:0:0 | (Parameters) | semmle.order | 1 |
+| tst.ts:85:5:87:5 | [FunctionExpr] set siz ... ; } | tst.ts:85:48:87:5 | [BlockStmt] { ... ; } | semmle.label | 5 |
+| tst.ts:85:5:87:5 | [FunctionExpr] set siz ... ; } | tst.ts:85:48:87:5 | [BlockStmt] { ... ; } | semmle.order | 5 |
+| tst.ts:85:14:85:18 | [SimpleParameter] value | tst.ts:85:21:85:45 | [UnionTypeExpr] string ... boolean | semmle.label | 0 |
+| tst.ts:85:14:85:18 | [SimpleParameter] value | tst.ts:85:21:85:45 | [UnionTypeExpr] string ... boolean | semmle.order | 0 |
+| tst.ts:85:21:85:45 | [UnionTypeExpr] string ... boolean | tst.ts:85:21:85:26 | [KeywordTypeExpr] string | semmle.label | 1 |
+| tst.ts:85:21:85:45 | [UnionTypeExpr] string ... boolean | tst.ts:85:21:85:26 | [KeywordTypeExpr] string | semmle.order | 1 |
+| tst.ts:85:21:85:45 | [UnionTypeExpr] string ... boolean | tst.ts:85:30:85:35 | [KeywordTypeExpr] number | semmle.label | 2 |
+| tst.ts:85:21:85:45 | [UnionTypeExpr] string ... boolean | tst.ts:85:30:85:35 | [KeywordTypeExpr] number | semmle.order | 2 |
+| tst.ts:85:21:85:45 | [UnionTypeExpr] string ... boolean | tst.ts:85:39:85:45 | [KeywordTypeExpr] boolean | semmle.label | 3 |
+| tst.ts:85:21:85:45 | [UnionTypeExpr] string ... boolean | tst.ts:85:39:85:45 | [KeywordTypeExpr] boolean | semmle.order | 3 |
+| tst.ts:85:48:87:5 | [BlockStmt] { ... ; } | tst.ts:86:7:86:33 | [ExprStmt] this.#s ... value); | semmle.label | 1 |
+| tst.ts:85:48:87:5 | [BlockStmt] { ... ; } | tst.ts:86:7:86:33 | [ExprStmt] this.#s ... value); | semmle.order | 1 |
+| tst.ts:86:7:86:16 | [DotExpr] this.#size | tst.ts:86:7:86:10 | [ThisExpr] this | semmle.label | 1 |
+| tst.ts:86:7:86:16 | [DotExpr] this.#size | tst.ts:86:7:86:10 | [ThisExpr] this | semmle.order | 1 |
+| tst.ts:86:7:86:16 | [DotExpr] this.#size | tst.ts:86:12:86:16 | [Label] #size | semmle.label | 2 |
+| tst.ts:86:7:86:16 | [DotExpr] this.#size | tst.ts:86:12:86:16 | [Label] #size | semmle.order | 2 |
+| tst.ts:86:7:86:32 | [AssignExpr] this.#s ... (value) | tst.ts:86:7:86:16 | [DotExpr] this.#size | semmle.label | 1 |
+| tst.ts:86:7:86:32 | [AssignExpr] this.#s ... (value) | tst.ts:86:7:86:16 | [DotExpr] this.#size | semmle.order | 1 |
+| tst.ts:86:7:86:32 | [AssignExpr] this.#s ... (value) | tst.ts:86:20:86:32 | [CallExpr] Number(value) | semmle.label | 2 |
+| tst.ts:86:7:86:32 | [AssignExpr] this.#s ... (value) | tst.ts:86:20:86:32 | [CallExpr] Number(value) | semmle.order | 2 |
+| tst.ts:86:7:86:33 | [ExprStmt] this.#s ... value); | tst.ts:86:7:86:32 | [AssignExpr] this.#s ... (value) | semmle.label | 1 |
+| tst.ts:86:7:86:33 | [ExprStmt] this.#s ... value); | tst.ts:86:7:86:32 | [AssignExpr] this.#s ... (value) | semmle.order | 1 |
+| tst.ts:86:20:86:32 | [CallExpr] Number(value) | file://:0:0:0:0 | (Arguments) | semmle.label | 1 |
+| tst.ts:86:20:86:32 | [CallExpr] Number(value) | file://:0:0:0:0 | (Arguments) | semmle.order | 1 |
+| tst.ts:86:20:86:32 | [CallExpr] Number(value) | tst.ts:86:20:86:25 | [VarRef] Number | semmle.label | 0 |
+| tst.ts:86:20:86:32 | [CallExpr] Number(value) | tst.ts:86:20:86:25 | [VarRef] Number | semmle.order | 0 |
+| tst.ts:91:3:95:3 | [ClassDefinition,TypeDefinition] class S ... } } | tst.ts:91:9:91:13 | [VarDecl] Super | semmle.label | 1 |
+| tst.ts:91:3:95:3 | [ClassDefinition,TypeDefinition] class S ... } } | tst.ts:91:9:91:13 | [VarDecl] Super | semmle.order | 1 |
+| tst.ts:91:3:95:3 | [ClassDefinition,TypeDefinition] class S ... } } | tst.ts:91:15:91:14 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | semmle.label | 2 |
+| tst.ts:91:3:95:3 | [ClassDefinition,TypeDefinition] class S ... } } | tst.ts:91:15:91:14 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | semmle.order | 2 |
+| tst.ts:91:3:95:3 | [ClassDefinition,TypeDefinition] class S ... } } | tst.ts:92:5:94:5 | [ClassInitializedMember,MethodDefinition] random( ... ; } | semmle.label | 3 |
+| tst.ts:91:3:95:3 | [ClassDefinition,TypeDefinition] class S ... } } | tst.ts:92:5:94:5 | [ClassInitializedMember,MethodDefinition] random( ... ; } | semmle.order | 3 |
+| tst.ts:91:15:91:14 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | tst.ts:91:15:91:14 | [FunctionExpr] () {} | semmle.label | 2 |
+| tst.ts:91:15:91:14 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | tst.ts:91:15:91:14 | [FunctionExpr] () {} | semmle.order | 2 |
+| tst.ts:91:15:91:14 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | tst.ts:91:15:91:14 | [Label] constructor | semmle.label | 1 |
+| tst.ts:91:15:91:14 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | tst.ts:91:15:91:14 | [Label] constructor | semmle.order | 1 |
+| tst.ts:91:15:91:14 | [FunctionExpr] () {} | tst.ts:91:15:91:14 | [BlockStmt] {} | semmle.label | 5 |
+| tst.ts:91:15:91:14 | [FunctionExpr] () {} | tst.ts:91:15:91:14 | [BlockStmt] {} | semmle.order | 5 |
+| tst.ts:92:5:94:5 | [ClassInitializedMember,MethodDefinition] random( ... ; } | tst.ts:92:5:92:10 | [Label] random | semmle.label | 1 |
+| tst.ts:92:5:94:5 | [ClassInitializedMember,MethodDefinition] random( ... ; } | tst.ts:92:5:92:10 | [Label] random | semmle.order | 1 |
+| tst.ts:92:5:94:5 | [ClassInitializedMember,MethodDefinition] random( ... ; } | tst.ts:92:5:94:5 | [FunctionExpr] random( ... ; } | semmle.label | 2 |
+| tst.ts:92:5:94:5 | [ClassInitializedMember,MethodDefinition] random( ... ; } | tst.ts:92:5:94:5 | [FunctionExpr] random( ... ; } | semmle.order | 2 |
+| tst.ts:92:5:94:5 | [FunctionExpr] random( ... ; } | tst.ts:92:15:92:20 | [KeywordTypeExpr] number | semmle.label | 4 |
+| tst.ts:92:5:94:5 | [FunctionExpr] random( ... ; } | tst.ts:92:15:92:20 | [KeywordTypeExpr] number | semmle.order | 4 |
+| tst.ts:92:5:94:5 | [FunctionExpr] random( ... ; } | tst.ts:92:22:94:5 | [BlockStmt] { ... ; } | semmle.label | 5 |
+| tst.ts:92:5:94:5 | [FunctionExpr] random( ... ; } | tst.ts:92:22:94:5 | [BlockStmt] { ... ; } | semmle.order | 5 |
+| tst.ts:92:22:94:5 | [BlockStmt] { ... ; } | tst.ts:93:7:93:15 | [ReturnStmt] return 4; | semmle.label | 1 |
+| tst.ts:92:22:94:5 | [BlockStmt] { ... ; } | tst.ts:93:7:93:15 | [ReturnStmt] return 4; | semmle.order | 1 |
+| tst.ts:93:7:93:15 | [ReturnStmt] return 4; | tst.ts:93:14:93:14 | [Literal] 4 | semmle.label | 1 |
+| tst.ts:93:7:93:15 | [ReturnStmt] return 4; | tst.ts:93:14:93:14 | [Literal] 4 | semmle.order | 1 |
+| tst.ts:97:3:101:3 | [ClassDefinition,TypeDefinition] class S ... } } | tst.ts:97:9:97:11 | [VarDecl] Sub | semmle.label | 1 |
+| tst.ts:97:3:101:3 | [ClassDefinition,TypeDefinition] class S ... } } | tst.ts:97:9:97:11 | [VarDecl] Sub | semmle.order | 1 |
+| tst.ts:97:3:101:3 | [ClassDefinition,TypeDefinition] class S ... } } | tst.ts:97:21:97:25 | [VarRef] Super | semmle.label | 2 |
+| tst.ts:97:3:101:3 | [ClassDefinition,TypeDefinition] class S ... } } | tst.ts:97:21:97:25 | [VarRef] Super | semmle.order | 2 |
+| tst.ts:97:3:101:3 | [ClassDefinition,TypeDefinition] class S ... } } | tst.ts:97:27:97:26 | [ClassInitializedMember,ConstructorDefinition] constru ... rgs); } | semmle.label | 3 |
+| tst.ts:97:3:101:3 | [ClassDefinition,TypeDefinition] class S ... } } | tst.ts:97:27:97:26 | [ClassInitializedMember,ConstructorDefinition] constru ... rgs); } | semmle.order | 3 |
+| tst.ts:97:3:101:3 | [ClassDefinition,TypeDefinition] class S ... } } | tst.ts:98:5:100:5 | [ClassInitializedMember,MethodDefinition] overrid ... ; } | semmle.label | 4 |
+| tst.ts:97:3:101:3 | [ClassDefinition,TypeDefinition] class S ... } } | tst.ts:98:5:100:5 | [ClassInitializedMember,MethodDefinition] overrid ... ; } | semmle.order | 4 |
+| tst.ts:97:27:97:26 | [BlockStmt] { super(...args); } | tst.ts:97:27:97:26 | [ExprStmt] super(...args); | semmle.label | 1 |
+| tst.ts:97:27:97:26 | [BlockStmt] { super(...args); } | tst.ts:97:27:97:26 | [ExprStmt] super(...args); | semmle.order | 1 |
+| tst.ts:97:27:97:26 | [CallExpr] super(...args) | file://:0:0:0:0 | (Arguments) | semmle.label | 1 |
+| tst.ts:97:27:97:26 | [CallExpr] super(...args) | file://:0:0:0:0 | (Arguments) | semmle.order | 1 |
+| tst.ts:97:27:97:26 | [CallExpr] super(...args) | tst.ts:97:27:97:26 | [SuperExpr] super | semmle.label | 0 |
+| tst.ts:97:27:97:26 | [CallExpr] super(...args) | tst.ts:97:27:97:26 | [SuperExpr] super | semmle.order | 0 |
+| tst.ts:97:27:97:26 | [ClassInitializedMember,ConstructorDefinition] constru ... rgs); } | tst.ts:97:27:97:26 | [FunctionExpr] (...arg ... rgs); } | semmle.label | 2 |
+| tst.ts:97:27:97:26 | [ClassInitializedMember,ConstructorDefinition] constru ... rgs); } | tst.ts:97:27:97:26 | [FunctionExpr] (...arg ... rgs); } | semmle.order | 2 |
+| tst.ts:97:27:97:26 | [ClassInitializedMember,ConstructorDefinition] constru ... rgs); } | tst.ts:97:27:97:26 | [Label] constructor | semmle.label | 1 |
+| tst.ts:97:27:97:26 | [ClassInitializedMember,ConstructorDefinition] constru ... rgs); } | tst.ts:97:27:97:26 | [Label] constructor | semmle.order | 1 |
+| tst.ts:97:27:97:26 | [ExprStmt] super(...args); | tst.ts:97:27:97:26 | [CallExpr] super(...args) | semmle.label | 1 |
+| tst.ts:97:27:97:26 | [ExprStmt] super(...args); | tst.ts:97:27:97:26 | [CallExpr] super(...args) | semmle.order | 1 |
+| tst.ts:97:27:97:26 | [FunctionExpr] (...arg ... rgs); } | file://:0:0:0:0 | (Parameters) | semmle.label | 1 |
+| tst.ts:97:27:97:26 | [FunctionExpr] (...arg ... rgs); } | file://:0:0:0:0 | (Parameters) | semmle.order | 1 |
+| tst.ts:97:27:97:26 | [FunctionExpr] (...arg ... rgs); } | tst.ts:97:27:97:26 | [BlockStmt] { super(...args); } | semmle.label | 5 |
+| tst.ts:97:27:97:26 | [FunctionExpr] (...arg ... rgs); } | tst.ts:97:27:97:26 | [BlockStmt] { super(...args); } | semmle.order | 5 |
+| tst.ts:97:27:97:26 | [SpreadElement] ...args | tst.ts:97:27:97:26 | [VarRef] args | semmle.label | 1 |
+| tst.ts:97:27:97:26 | [SpreadElement] ...args | tst.ts:97:27:97:26 | [VarRef] args | semmle.order | 1 |
+| tst.ts:98:5:100:5 | [ClassInitializedMember,MethodDefinition] overrid ... ; } | tst.ts:98:5:100:5 | [FunctionExpr] overrid ... ; } | semmle.label | 1 |
+| tst.ts:98:5:100:5 | [ClassInitializedMember,MethodDefinition] overrid ... ; } | tst.ts:98:5:100:5 | [FunctionExpr] overrid ... ; } | semmle.order | 1 |
+| tst.ts:98:5:100:5 | [ClassInitializedMember,MethodDefinition] overrid ... ; } | tst.ts:98:14:98:19 | [Label] random | semmle.label | 2 |
+| tst.ts:98:5:100:5 | [ClassInitializedMember,MethodDefinition] overrid ... ; } | tst.ts:98:14:98:19 | [Label] random | semmle.order | 2 |
+| tst.ts:98:5:100:5 | [FunctionExpr] overrid ... ; } | tst.ts:98:24:98:29 | [KeywordTypeExpr] number | semmle.label | 4 |
+| tst.ts:98:5:100:5 | [FunctionExpr] overrid ... ; } | tst.ts:98:24:98:29 | [KeywordTypeExpr] number | semmle.order | 4 |
+| tst.ts:98:5:100:5 | [FunctionExpr] overrid ... ; } | tst.ts:98:31:100:5 | [BlockStmt] { ... ; } | semmle.label | 5 |
+| tst.ts:98:5:100:5 | [FunctionExpr] overrid ... ; } | tst.ts:98:31:100:5 | [BlockStmt] { ... ; } | semmle.order | 5 |
+| tst.ts:98:31:100:5 | [BlockStmt] { ... ; } | tst.ts:99:7:99:33 | [ReturnStmt] return ... ) * 10; | semmle.label | 1 |
+| tst.ts:98:31:100:5 | [BlockStmt] { ... ; } | tst.ts:99:7:99:33 | [ReturnStmt] return ... ) * 10; | semmle.order | 1 |
+| tst.ts:99:7:99:33 | [ReturnStmt] return ... ) * 10; | tst.ts:99:14:99:32 | [BinaryExpr] super.random() * 10 | semmle.label | 1 |
+| tst.ts:99:7:99:33 | [ReturnStmt] return ... ) * 10; | tst.ts:99:14:99:32 | [BinaryExpr] super.random() * 10 | semmle.order | 1 |
+| tst.ts:99:14:99:25 | [DotExpr] super.random | tst.ts:99:14:99:18 | [SuperExpr] super | semmle.label | 1 |
+| tst.ts:99:14:99:25 | [DotExpr] super.random | tst.ts:99:14:99:18 | [SuperExpr] super | semmle.order | 1 |
+| tst.ts:99:14:99:25 | [DotExpr] super.random | tst.ts:99:20:99:25 | [Label] random | semmle.label | 2 |
+| tst.ts:99:14:99:25 | [DotExpr] super.random | tst.ts:99:20:99:25 | [Label] random | semmle.order | 2 |
+| tst.ts:99:14:99:27 | [MethodCallExpr] super.random() | tst.ts:99:14:99:25 | [DotExpr] super.random | semmle.label | 0 |
+| tst.ts:99:14:99:27 | [MethodCallExpr] super.random() | tst.ts:99:14:99:25 | [DotExpr] super.random | semmle.order | 0 |
+| tst.ts:99:14:99:32 | [BinaryExpr] super.random() * 10 | tst.ts:99:14:99:27 | [MethodCallExpr] super.random() | semmle.label | 1 |
+| tst.ts:99:14:99:32 | [BinaryExpr] super.random() * 10 | tst.ts:99:14:99:27 | [MethodCallExpr] super.random() | semmle.order | 1 |
+| tst.ts:99:14:99:32 | [BinaryExpr] super.random() * 10 | tst.ts:99:31:99:32 | [Literal] 10 | semmle.label | 2 |
+| tst.ts:99:14:99:32 | [BinaryExpr] super.random() * 10 | tst.ts:99:31:99:32 | [Literal] 10 | semmle.order | 2 |
+| tst.ts:104:3:107:3 | [FunctionDeclStmt] functio ... }`; } | file://:0:0:0:0 | (Parameters) | semmle.label | 1 |
+| tst.ts:104:3:107:3 | [FunctionDeclStmt] functio ... }`; } | file://:0:0:0:0 | (Parameters) | semmle.order | 1 |
+| tst.ts:104:3:107:3 | [FunctionDeclStmt] functio ... }`; } | tst.ts:104:12:104:14 | [VarDecl] bar | semmle.label | 0 |
+| tst.ts:104:3:107:3 | [FunctionDeclStmt] functio ... }`; } | tst.ts:104:12:104:14 | [VarDecl] bar | semmle.order | 0 |
+| tst.ts:104:3:107:3 | [FunctionDeclStmt] functio ... }`; } | tst.ts:104:28:104:44 | [TemplateLiteralTypeExpr] `hello ${string}` | semmle.label | 4 |
+| tst.ts:104:3:107:3 | [FunctionDeclStmt] functio ... }`; } | tst.ts:104:28:104:44 | [TemplateLiteralTypeExpr] `hello ${string}` | semmle.order | 4 |
+| tst.ts:104:3:107:3 | [FunctionDeclStmt] functio ... }`; } | tst.ts:104:46:107:3 | [BlockStmt] { / ... }`; } | semmle.label | 5 |
+| tst.ts:104:3:107:3 | [FunctionDeclStmt] functio ... }`; } | tst.ts:104:46:107:3 | [BlockStmt] { / ... }`; } | semmle.order | 5 |
+| tst.ts:104:16:104:16 | [SimpleParameter] s | tst.ts:104:19:104:24 | [KeywordTypeExpr] string | semmle.label | 0 |
+| tst.ts:104:16:104:16 | [SimpleParameter] s | tst.ts:104:19:104:24 | [KeywordTypeExpr] string | semmle.order | 0 |
+| tst.ts:104:28:104:44 | [TemplateLiteralTypeExpr] `hello ${string}` | tst.ts:104:29:104:34 | [LiteralTypeExpr] hello  | semmle.label | 1 |
+| tst.ts:104:28:104:44 | [TemplateLiteralTypeExpr] `hello ${string}` | tst.ts:104:29:104:34 | [LiteralTypeExpr] hello  | semmle.order | 1 |
+| tst.ts:104:28:104:44 | [TemplateLiteralTypeExpr] `hello ${string}` | tst.ts:104:37:104:42 | [KeywordTypeExpr] string | semmle.label | 2 |
+| tst.ts:104:28:104:44 | [TemplateLiteralTypeExpr] `hello ${string}` | tst.ts:104:37:104:42 | [KeywordTypeExpr] string | semmle.order | 2 |
+| tst.ts:104:46:107:3 | [BlockStmt] { / ... }`; } | tst.ts:106:5:106:24 | [ReturnStmt] return `hello ${s}`; | semmle.label | 1 |
+| tst.ts:104:46:107:3 | [BlockStmt] { / ... }`; } | tst.ts:106:5:106:24 | [ReturnStmt] return `hello ${s}`; | semmle.order | 1 |
+| tst.ts:106:5:106:24 | [ReturnStmt] return `hello ${s}`; | tst.ts:106:12:106:23 | [TemplateLiteral] `hello ${s}` | semmle.label | 1 |
+| tst.ts:106:5:106:24 | [ReturnStmt] return `hello ${s}`; | tst.ts:106:12:106:23 | [TemplateLiteral] `hello ${s}` | semmle.order | 1 |
+| tst.ts:106:12:106:23 | [TemplateLiteral] `hello ${s}` | tst.ts:106:13:106:18 | [TemplateElement] hello  | semmle.label | 1 |
+| tst.ts:106:12:106:23 | [TemplateLiteral] `hello ${s}` | tst.ts:106:13:106:18 | [TemplateElement] hello  | semmle.order | 1 |
+| tst.ts:106:12:106:23 | [TemplateLiteral] `hello ${s}` | tst.ts:106:21:106:21 | [VarRef] s | semmle.label | 2 |
+| tst.ts:106:12:106:23 | [TemplateLiteral] `hello ${s}` | tst.ts:106:21:106:21 | [VarRef] s | semmle.order | 2 |
+| tst.ts:109:3:109:50 | [DeclStmt] let s1 = ... | tst.ts:109:15:109:49 | [VariableDeclarator] s1: `${ ... umber}` | semmle.label | 1 |
+| tst.ts:109:3:109:50 | [DeclStmt] let s1 = ... | tst.ts:109:15:109:49 | [VariableDeclarator] s1: `${ ... umber}` | semmle.order | 1 |
+| tst.ts:109:15:109:49 | [VariableDeclarator] s1: `${ ... umber}` | tst.ts:109:15:109:16 | [VarDecl] s1 | semmle.label | 1 |
+| tst.ts:109:15:109:49 | [VariableDeclarator] s1: `${ ... umber}` | tst.ts:109:15:109:16 | [VarDecl] s1 | semmle.order | 1 |
+| tst.ts:109:15:109:49 | [VariableDeclarator] s1: `${ ... umber}` | tst.ts:109:19:109:49 | [TemplateLiteralTypeExpr] `${numb ... umber}` | semmle.label | 2 |
+| tst.ts:109:15:109:49 | [VariableDeclarator] s1: `${ ... umber}` | tst.ts:109:19:109:49 | [TemplateLiteralTypeExpr] `${numb ... umber}` | semmle.order | 2 |
+| tst.ts:109:19:109:49 | [TemplateLiteralTypeExpr] `${numb ... umber}` | tst.ts:109:22:109:27 | [KeywordTypeExpr] number | semmle.label | 1 |
+| tst.ts:109:19:109:49 | [TemplateLiteralTypeExpr] `${numb ... umber}` | tst.ts:109:22:109:27 | [KeywordTypeExpr] number | semmle.order | 1 |
+| tst.ts:109:19:109:49 | [TemplateLiteralTypeExpr] `${numb ... umber}` | tst.ts:109:29:109:29 | [LiteralTypeExpr] - | semmle.label | 2 |
+| tst.ts:109:19:109:49 | [TemplateLiteralTypeExpr] `${numb ... umber}` | tst.ts:109:29:109:29 | [LiteralTypeExpr] - | semmle.order | 2 |
+| tst.ts:109:19:109:49 | [TemplateLiteralTypeExpr] `${numb ... umber}` | tst.ts:109:32:109:37 | [KeywordTypeExpr] number | semmle.label | 3 |
+| tst.ts:109:19:109:49 | [TemplateLiteralTypeExpr] `${numb ... umber}` | tst.ts:109:32:109:37 | [KeywordTypeExpr] number | semmle.order | 3 |
+| tst.ts:109:19:109:49 | [TemplateLiteralTypeExpr] `${numb ... umber}` | tst.ts:109:39:109:39 | [LiteralTypeExpr] - | semmle.label | 4 |
+| tst.ts:109:19:109:49 | [TemplateLiteralTypeExpr] `${numb ... umber}` | tst.ts:109:39:109:39 | [LiteralTypeExpr] - | semmle.order | 4 |
+| tst.ts:109:19:109:49 | [TemplateLiteralTypeExpr] `${numb ... umber}` | tst.ts:109:42:109:47 | [KeywordTypeExpr] number | semmle.label | 5 |
+| tst.ts:109:19:109:49 | [TemplateLiteralTypeExpr] `${numb ... umber}` | tst.ts:109:42:109:47 | [KeywordTypeExpr] number | semmle.order | 5 |
+| tst.ts:110:3:110:26 | [DeclStmt] let s2 = ... | tst.ts:110:15:110:25 | [VariableDeclarator] s2: `1-2-3` | semmle.label | 1 |
+| tst.ts:110:3:110:26 | [DeclStmt] let s2 = ... | tst.ts:110:15:110:25 | [VariableDeclarator] s2: `1-2-3` | semmle.order | 1 |
+| tst.ts:110:15:110:25 | [VariableDeclarator] s2: `1-2-3` | tst.ts:110:15:110:16 | [VarDecl] s2 | semmle.label | 1 |
+| tst.ts:110:15:110:25 | [VariableDeclarator] s2: `1-2-3` | tst.ts:110:15:110:16 | [VarDecl] s2 | semmle.order | 1 |
+| tst.ts:110:15:110:25 | [VariableDeclarator] s2: `1-2-3` | tst.ts:110:19:110:25 | [TemplateLiteralTypeExpr] `1-2-3` | semmle.label | 2 |
+| tst.ts:110:15:110:25 | [VariableDeclarator] s2: `1-2-3` | tst.ts:110:19:110:25 | [TemplateLiteralTypeExpr] `1-2-3` | semmle.order | 2 |
+| tst.ts:110:19:110:25 | [TemplateLiteralTypeExpr] `1-2-3` | tst.ts:110:19:110:25 | [LiteralTypeExpr] `1-2-3` | semmle.label | 1 |
+| tst.ts:110:19:110:25 | [TemplateLiteralTypeExpr] `1-2-3` | tst.ts:110:19:110:25 | [LiteralTypeExpr] `1-2-3` | semmle.order | 1 |
+| tst.ts:111:3:111:34 | [DeclStmt] let s3 = ... | tst.ts:111:15:111:33 | [VariableDeclarator] s3: `${number}-2-3` | semmle.label | 1 |
+| tst.ts:111:3:111:34 | [DeclStmt] let s3 = ... | tst.ts:111:15:111:33 | [VariableDeclarator] s3: `${number}-2-3` | semmle.order | 1 |
+| tst.ts:111:15:111:33 | [VariableDeclarator] s3: `${number}-2-3` | tst.ts:111:15:111:16 | [VarDecl] s3 | semmle.label | 1 |
+| tst.ts:111:15:111:33 | [VariableDeclarator] s3: `${number}-2-3` | tst.ts:111:15:111:16 | [VarDecl] s3 | semmle.order | 1 |
+| tst.ts:111:15:111:33 | [VariableDeclarator] s3: `${number}-2-3` | tst.ts:111:19:111:33 | [TemplateLiteralTypeExpr] `${number}-2-3` | semmle.label | 2 |
+| tst.ts:111:15:111:33 | [VariableDeclarator] s3: `${number}-2-3` | tst.ts:111:19:111:33 | [TemplateLiteralTypeExpr] `${number}-2-3` | semmle.order | 2 |
+| tst.ts:111:19:111:33 | [TemplateLiteralTypeExpr] `${number}-2-3` | tst.ts:111:22:111:27 | [KeywordTypeExpr] number | semmle.label | 1 |
+| tst.ts:111:19:111:33 | [TemplateLiteralTypeExpr] `${number}-2-3` | tst.ts:111:22:111:27 | [KeywordTypeExpr] number | semmle.order | 1 |
+| tst.ts:111:19:111:33 | [TemplateLiteralTypeExpr] `${number}-2-3` | tst.ts:111:29:111:32 | [LiteralTypeExpr] -2-3 | semmle.label | 2 |
+| tst.ts:111:19:111:33 | [TemplateLiteralTypeExpr] `${number}-2-3` | tst.ts:111:29:111:32 | [LiteralTypeExpr] -2-3 | semmle.order | 2 |
+| tst.ts:112:3:112:9 | [AssignExpr] s1 = s2 | tst.ts:112:3:112:4 | [VarRef] s1 | semmle.label | 1 |
+| tst.ts:112:3:112:9 | [AssignExpr] s1 = s2 | tst.ts:112:3:112:4 | [VarRef] s1 | semmle.order | 1 |
+| tst.ts:112:3:112:9 | [AssignExpr] s1 = s2 | tst.ts:112:8:112:9 | [VarRef] s2 | semmle.label | 2 |
+| tst.ts:112:3:112:9 | [AssignExpr] s1 = s2 | tst.ts:112:8:112:9 | [VarRef] s2 | semmle.order | 2 |
+| tst.ts:112:3:112:10 | [ExprStmt] s1 = s2; | tst.ts:112:3:112:9 | [AssignExpr] s1 = s2 | semmle.label | 1 |
+| tst.ts:112:3:112:10 | [ExprStmt] s1 = s2; | tst.ts:112:3:112:9 | [AssignExpr] s1 = s2 | semmle.order | 1 |
+| tst.ts:113:3:113:9 | [AssignExpr] s1 = s3 | tst.ts:113:3:113:4 | [VarRef] s1 | semmle.label | 1 |
+| tst.ts:113:3:113:9 | [AssignExpr] s1 = s3 | tst.ts:113:3:113:4 | [VarRef] s1 | semmle.order | 1 |
+| tst.ts:113:3:113:9 | [AssignExpr] s1 = s3 | tst.ts:113:8:113:9 | [VarRef] s3 | semmle.label | 2 |
+| tst.ts:113:3:113:9 | [AssignExpr] s1 = s3 | tst.ts:113:8:113:9 | [VarRef] s3 | semmle.order | 2 |
+| tst.ts:113:3:113:10 | [ExprStmt] s1 = s3; | tst.ts:113:3:113:9 | [AssignExpr] s1 = s3 | semmle.label | 1 |
+| tst.ts:113:3:113:10 | [ExprStmt] s1 = s3; | tst.ts:113:3:113:9 | [AssignExpr] s1 = s3 | semmle.order | 1 |
+| tst.ts:116:3:129:3 | [ClassDefinition,TypeDefinition] class F ... } } | tst.ts:116:9:116:11 | [VarDecl] Foo | semmle.label | 1 |
+| tst.ts:116:3:129:3 | [ClassDefinition,TypeDefinition] class F ... } } | tst.ts:116:9:116:11 | [VarDecl] Foo | semmle.order | 1 |
+| tst.ts:116:3:129:3 | [ClassDefinition,TypeDefinition] class F ... } } | tst.ts:116:13:116:12 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | semmle.label | 2 |
+| tst.ts:116:3:129:3 | [ClassDefinition,TypeDefinition] class F ... } } | tst.ts:116:13:116:12 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | semmle.order | 2 |
+| tst.ts:116:3:129:3 | [ClassDefinition,TypeDefinition] class F ... } } | tst.ts:117:5:119:5 | [ClassInitializedMember,MethodDefinition] #someMe ... ; } | semmle.label | 3 |
+| tst.ts:116:3:129:3 | [ClassDefinition,TypeDefinition] class F ... } } | tst.ts:117:5:119:5 | [ClassInitializedMember,MethodDefinition] #someMe ... ; } | semmle.order | 3 |
+| tst.ts:116:3:129:3 | [ClassDefinition,TypeDefinition] class F ... } } | tst.ts:121:5:123:5 | [ClassInitializedMember,GetterMethodDefinition] get #so ... ; } | semmle.label | 4 |
+| tst.ts:116:3:129:3 | [ClassDefinition,TypeDefinition] class F ... } } | tst.ts:121:5:123:5 | [ClassInitializedMember,GetterMethodDefinition] get #so ... ; } | semmle.order | 4 |
+| tst.ts:116:3:129:3 | [ClassDefinition,TypeDefinition] class F ... } } | tst.ts:125:5:128:5 | [ClassInitializedMember,MethodDefinition] publicM ... ; } | semmle.label | 5 |
+| tst.ts:116:3:129:3 | [ClassDefinition,TypeDefinition] class F ... } } | tst.ts:125:5:128:5 | [ClassInitializedMember,MethodDefinition] publicM ... ; } | semmle.order | 5 |
+| tst.ts:116:13:116:12 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | tst.ts:116:13:116:12 | [FunctionExpr] () {} | semmle.label | 2 |
+| tst.ts:116:13:116:12 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | tst.ts:116:13:116:12 | [FunctionExpr] () {} | semmle.order | 2 |
+| tst.ts:116:13:116:12 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | tst.ts:116:13:116:12 | [Label] constructor | semmle.label | 1 |
+| tst.ts:116:13:116:12 | [ClassInitializedMember,ConstructorDefinition] constructor() {} | tst.ts:116:13:116:12 | [Label] constructor | semmle.order | 1 |
+| tst.ts:116:13:116:12 | [FunctionExpr] () {} | tst.ts:116:13:116:12 | [BlockStmt] {} | semmle.label | 5 |
+| tst.ts:116:13:116:12 | [FunctionExpr] () {} | tst.ts:116:13:116:12 | [BlockStmt] {} | semmle.order | 5 |
+| tst.ts:117:5:119:5 | [ClassInitializedMember,MethodDefinition] #someMe ... ; } | tst.ts:117:5:117:15 | [Label] #someMethod | semmle.label | 1 |
+| tst.ts:117:5:119:5 | [ClassInitializedMember,MethodDefinition] #someMe ... ; } | tst.ts:117:5:117:15 | [Label] #someMethod | semmle.order | 1 |
+| tst.ts:117:5:119:5 | [ClassInitializedMember,MethodDefinition] #someMe ... ; } | tst.ts:117:5:119:5 | [FunctionExpr] #someMe ... ; } | semmle.label | 2 |
+| tst.ts:117:5:119:5 | [ClassInitializedMember,MethodDefinition] #someMe ... ; } | tst.ts:117:5:119:5 | [FunctionExpr] #someMe ... ; } | semmle.order | 2 |
+| tst.ts:117:5:119:5 | [FunctionExpr] #someMe ... ; } | tst.ts:117:20:117:25 | [KeywordTypeExpr] number | semmle.label | 4 |
+| tst.ts:117:5:119:5 | [FunctionExpr] #someMe ... ; } | tst.ts:117:20:117:25 | [KeywordTypeExpr] number | semmle.order | 4 |
+| tst.ts:117:5:119:5 | [FunctionExpr] #someMe ... ; } | tst.ts:117:27:119:5 | [BlockStmt] { ... ; } | semmle.label | 5 |
+| tst.ts:117:5:119:5 | [FunctionExpr] #someMe ... ; } | tst.ts:117:27:119:5 | [BlockStmt] { ... ; } | semmle.order | 5 |
+| tst.ts:117:27:119:5 | [BlockStmt] { ... ; } | tst.ts:118:7:118:16 | [ReturnStmt] return 42; | semmle.label | 1 |
+| tst.ts:117:27:119:5 | [BlockStmt] { ... ; } | tst.ts:118:7:118:16 | [ReturnStmt] return 42; | semmle.order | 1 |
+| tst.ts:118:7:118:16 | [ReturnStmt] return 42; | tst.ts:118:14:118:15 | [Literal] 42 | semmle.label | 1 |
+| tst.ts:118:7:118:16 | [ReturnStmt] return 42; | tst.ts:118:14:118:15 | [Literal] 42 | semmle.order | 1 |
+| tst.ts:121:5:123:5 | [ClassInitializedMember,GetterMethodDefinition] get #so ... ; } | tst.ts:121:5:123:5 | [FunctionExpr] get #so ... ; } | semmle.label | 1 |
+| tst.ts:121:5:123:5 | [ClassInitializedMember,GetterMethodDefinition] get #so ... ; } | tst.ts:121:5:123:5 | [FunctionExpr] get #so ... ; } | semmle.order | 1 |
+| tst.ts:121:5:123:5 | [ClassInitializedMember,GetterMethodDefinition] get #so ... ; } | tst.ts:121:9:121:18 | [Label] #someValue | semmle.label | 2 |
+| tst.ts:121:5:123:5 | [ClassInitializedMember,GetterMethodDefinition] get #so ... ; } | tst.ts:121:9:121:18 | [Label] #someValue | semmle.order | 2 |
+| tst.ts:121:5:123:5 | [FunctionExpr] get #so ... ; } | tst.ts:121:23:121:28 | [KeywordTypeExpr] number | semmle.label | 4 |
+| tst.ts:121:5:123:5 | [FunctionExpr] get #so ... ; } | tst.ts:121:23:121:28 | [KeywordTypeExpr] number | semmle.order | 4 |
+| tst.ts:121:5:123:5 | [FunctionExpr] get #so ... ; } | tst.ts:121:30:123:5 | [BlockStmt] { ... ; } | semmle.label | 5 |
+| tst.ts:121:5:123:5 | [FunctionExpr] get #so ... ; } | tst.ts:121:30:123:5 | [BlockStmt] { ... ; } | semmle.order | 5 |
+| tst.ts:121:30:123:5 | [BlockStmt] { ... ; } | tst.ts:122:7:122:17 | [ReturnStmt] return 100; | semmle.label | 1 |
+| tst.ts:121:30:123:5 | [BlockStmt] { ... ; } | tst.ts:122:7:122:17 | [ReturnStmt] return 100; | semmle.order | 1 |
+| tst.ts:122:7:122:17 | [ReturnStmt] return 100; | tst.ts:122:14:122:16 | [Literal] 100 | semmle.label | 1 |
+| tst.ts:122:7:122:17 | [ReturnStmt] return 100; | tst.ts:122:14:122:16 | [Literal] 100 | semmle.order | 1 |
+| tst.ts:125:5:128:5 | [ClassInitializedMember,MethodDefinition] publicM ... ; } | tst.ts:125:5:125:16 | [Label] publicMethod | semmle.label | 1 |
+| tst.ts:125:5:128:5 | [ClassInitializedMember,MethodDefinition] publicM ... ; } | tst.ts:125:5:125:16 | [Label] publicMethod | semmle.order | 1 |
+| tst.ts:125:5:128:5 | [ClassInitializedMember,MethodDefinition] publicM ... ; } | tst.ts:125:5:128:5 | [FunctionExpr] publicM ... ; } | semmle.label | 2 |
+| tst.ts:125:5:128:5 | [ClassInitializedMember,MethodDefinition] publicM ... ; } | tst.ts:125:5:128:5 | [FunctionExpr] publicM ... ; } | semmle.order | 2 |
+| tst.ts:125:5:128:5 | [FunctionExpr] publicM ... ; } | tst.ts:125:20:128:5 | [BlockStmt] { ... ; } | semmle.label | 5 |
+| tst.ts:125:5:128:5 | [FunctionExpr] publicM ... ; } | tst.ts:125:20:128:5 | [BlockStmt] { ... ; } | semmle.order | 5 |
+| tst.ts:125:20:128:5 | [BlockStmt] { ... ; } | tst.ts:126:7:126:25 | [ExprStmt] this.#someMethod(); | semmle.label | 1 |
+| tst.ts:125:20:128:5 | [BlockStmt] { ... ; } | tst.ts:126:7:126:25 | [ExprStmt] this.#someMethod(); | semmle.order | 1 |
+| tst.ts:125:20:128:5 | [BlockStmt] { ... ; } | tst.ts:127:7:127:29 | [ReturnStmt] return ... eValue; | semmle.label | 2 |
+| tst.ts:125:20:128:5 | [BlockStmt] { ... ; } | tst.ts:127:7:127:29 | [ReturnStmt] return ... eValue; | semmle.order | 2 |
+| tst.ts:126:7:126:22 | [DotExpr] this.#someMethod | tst.ts:126:7:126:10 | [ThisExpr] this | semmle.label | 1 |
+| tst.ts:126:7:126:22 | [DotExpr] this.#someMethod | tst.ts:126:7:126:10 | [ThisExpr] this | semmle.order | 1 |
+| tst.ts:126:7:126:22 | [DotExpr] this.#someMethod | tst.ts:126:12:126:22 | [Label] #someMethod | semmle.label | 2 |
+| tst.ts:126:7:126:22 | [DotExpr] this.#someMethod | tst.ts:126:12:126:22 | [Label] #someMethod | semmle.order | 2 |
+| tst.ts:126:7:126:24 | [MethodCallExpr] this.#someMethod() | tst.ts:126:7:126:22 | [DotExpr] this.#someMethod | semmle.label | 0 |
+| tst.ts:126:7:126:24 | [MethodCallExpr] this.#someMethod() | tst.ts:126:7:126:22 | [DotExpr] this.#someMethod | semmle.order | 0 |
+| tst.ts:126:7:126:25 | [ExprStmt] this.#someMethod(); | tst.ts:126:7:126:24 | [MethodCallExpr] this.#someMethod() | semmle.label | 1 |
+| tst.ts:126:7:126:25 | [ExprStmt] this.#someMethod(); | tst.ts:126:7:126:24 | [MethodCallExpr] this.#someMethod() | semmle.order | 1 |
+| tst.ts:127:7:127:29 | [ReturnStmt] return ... eValue; | tst.ts:127:14:127:28 | [DotExpr] this.#someValue | semmle.label | 1 |
+| tst.ts:127:7:127:29 | [ReturnStmt] return ... eValue; | tst.ts:127:14:127:28 | [DotExpr] this.#someValue | semmle.order | 1 |
+| tst.ts:127:14:127:28 | [DotExpr] this.#someValue | tst.ts:127:14:127:17 | [ThisExpr] this | semmle.label | 1 |
+| tst.ts:127:14:127:28 | [DotExpr] this.#someValue | tst.ts:127:14:127:17 | [ThisExpr] this | semmle.order | 1 |
+| tst.ts:127:14:127:28 | [DotExpr] this.#someValue | tst.ts:127:19:127:28 | [Label] #someValue | semmle.label | 2 |
+| tst.ts:127:14:127:28 | [DotExpr] this.#someValue | tst.ts:127:19:127:28 | [Label] #someValue | semmle.order | 2 |
 | type_alias.ts:1:1:1:17 | [TypeAliasDeclaration,TypeDefinition] type B = boolean; | type_alias.ts:1:6:1:6 | [Identifier] B | semmle.label | 1 |
 | type_alias.ts:1:1:1:17 | [TypeAliasDeclaration,TypeDefinition] type B = boolean; | type_alias.ts:1:6:1:6 | [Identifier] B | semmle.order | 1 |
 | type_alias.ts:1:1:1:17 | [TypeAliasDeclaration,TypeDefinition] type B = boolean; | type_alias.ts:1:10:1:16 | [KeywordTypeExpr] boolean | semmle.label | 2 |

From 374adc88194f6e82ddd72fa3a021fc9342adc0e9 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 3 Jun 2021 08:17:17 +0200
Subject: [PATCH 1271/1429] Temporarily disable CSV coverage PR file comparison
 step

---
 .github/workflows/csv-coverage.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/csv-coverage.yml b/.github/workflows/csv-coverage.yml
index 093d6ead060..54c172d66d3 100644
--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -70,8 +70,8 @@ jobs:
       with:
         name: rst-flow-model-coverage
         path: flow-model-coverage-*.rst
-    - name: Check coverage files
-      if: github.event.pull_request
-      run: |
-        python script/misc/scripts/library-coverage/compare-files.py codeqlModels
+    # - name: Check coverage files
+    #   if: github.event.pull_request
+    #   run: |
+    #     python script/misc/scripts/library-coverage/compare-files.py codeqlModels
 

From e86c534c48d6362be4d58a2e50cfa122f8315212 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Thu, 3 Jun 2021 09:02:49 +0200
Subject: [PATCH 1272/1429] Revert "Java: Update coverage."

This reverts commit 1c081eeaedb27332623e67231bf21c1f5d8a62d5.
---
 .../library-coverage/flow-model-coverage.csv   | 18 +++++++++---------
 .../library-coverage/flow-model-coverage.rst   | 10 +++++-----
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/java/documentation/library-coverage/flow-model-coverage.csv b/java/documentation/library-coverage/flow-model-coverage.csv
index a66f7880221..cf97071ad92 100644
--- a/java/documentation/library-coverage/flow-model-coverage.csv
+++ b/java/documentation/library-coverage/flow-model-coverage.csv
@@ -3,16 +3,16 @@ android.util,,16,,,,,,,,,,,16,,
 android.webkit,3,2,,,,,,,,,,3,2,,
 com.esotericsoftware.kryo.io,,,1,,,,,,,,,,,1,
 com.esotericsoftware.kryo5.io,,,1,,,,,,,,,,,1,
-com.fasterxml.jackson.databind,,,3,,,,,,,,,,,3,
-com.google.common.base,,,34,,,,,,,,,,,28,6
-com.google.common.io,6,,73,,,,,,,6,,,,72,1
+com.fasterxml.jackson.databind,,,2,,,,,,,,,,,2,
+com.google.common.base,,,28,,,,,,,,,,,22,6
+com.google.common.io,6,,69,,,,,,,6,,,,68,1
 com.unboundid.ldap.sdk,17,,,,,,17,,,,,,,,
 java.beans,,,1,,,,,,,,,,,1,
 java.io,3,,20,,3,,,,,,,,,20,
-java.lang,,,3,,,,,,,,,,,1,2
+java.lang,,,1,,,,,,,,,,,1,
 java.net,2,3,4,,,,,2,,,,,3,4,
 java.nio,10,,2,,10,,,,,,,,,2,
-java.util,,,283,,,,,,,,,,,15,268
+java.util,,,13,,,,,,,,,,,13,
 javax.naming.directory,1,,,,,,1,,,,,,,,
 javax.net.ssl,2,,,,,,,,2,,,,,,
 javax.servlet,4,21,2,,,3,,,,,,1,21,2,
@@ -23,14 +23,14 @@ javax.xml.transform.stream,,,2,,,,,,,,,,,2,
 javax.xml.xpath,3,,,,,,,,,,3,,,,
 org.apache.commons.codec,,,2,,,,,,,,,,,2,
 org.apache.commons.io,,,22,,,,,,,,,,,22,
-org.apache.commons.lang3,,,327,,,,,,,,,,,311,16
-org.apache.commons.text,,,220,,,,,,,,,,,220,
+org.apache.commons.lang3,,,313,,,,,,,,,,,299,14
+org.apache.commons.text,,,203,,,,,,,,,,,203,
 org.apache.directory.ldap.client.api,1,,,,,,1,,,,,,,,
 org.apache.hc.core5.function,,,1,,,,,,,,,,,1,
 org.apache.hc.core5.http,1,2,39,,,,,,,,,1,2,39,
 org.apache.hc.core5.net,,,2,,,,,,,,,,,2,
-org.apache.hc.core5.util,,,24,,,,,,,,,,,18,6
-org.apache.http,2,3,67,,,,,,,,,2,3,59,8
+org.apache.hc.core5.util,,,22,,,,,,,,,,,18,4
+org.apache.http,2,3,66,,,,,,,,,2,3,59,7
 org.dom4j,20,,,,,,,,,,20,,,,
 org.springframework.ldap.core,14,,,,,,14,,,,,,,,
 org.springframework.security.web.savedrequest,,6,,,,,,,,,,,6,,
diff --git a/java/documentation/library-coverage/flow-model-coverage.rst b/java/documentation/library-coverage/flow-model-coverage.rst
index 6e46c906b07..8bb20a9b6c3 100644
--- a/java/documentation/library-coverage/flow-model-coverage.rst
+++ b/java/documentation/library-coverage/flow-model-coverage.rst
@@ -8,12 +8,12 @@ Java framework & library support
 
    Framework / library,Package,Remote flow sources,Taint & value steps,Sinks (total),`CWE‑022` :sub:`Path injection`,`CWE‑036` :sub:`Path traversal`,`CWE‑079` :sub:`Cross-site scripting`,`CWE‑089` :sub:`SQL injection`,`CWE‑090` :sub:`LDAP injection`,`CWE‑094` :sub:`Code injection`,`CWE‑319` :sub:`Cleartext transmission`
    Android,``android.*``,18,,3,,,3,,,,
-   Apache,``org.apache.*``,5,682,4,,,3,,1,,
+   Apache,``org.apache.*``,5,648,4,,,3,,1,,
    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,22,,,,,,,,
-   Google,``com.google.common.*``,,107,6,,6,,,,,
-   Java Standard Library,``java.*``,3,313,15,13,,,,,,2
+   Google,``com.google.common.*``,,97,6,,6,,,,,
+   Java Standard Library,``java.*``,3,41,15,13,,,,,,2
    Java extensions,``javax.*``,22,8,12,,,1,,1,1,
    `Spring <https://spring.io/>`_,``org.springframework.*``,29,,14,,,,,14,,
-   Others,"``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.databind``, ``com.unboundid.ldap.sdk``, ``org.dom4j``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``",7,6,37,,,,,17,,
-   Totals,,84,1138,91,13,6,7,,33,1,2
+   Others,"``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.databind``, ``com.unboundid.ldap.sdk``, ``org.dom4j``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``",7,5,37,,,,,17,,
+   Totals,,84,821,91,13,6,7,,33,1,2
 

From 99708c33fd5347d9b7edba7346a04774dbab1e51 Mon Sep 17 00:00:00 2001
From: AlonaHlobina <54394529+AlonaHlobina@users.noreply.github.com>
Date: Thu, 3 Jun 2021 09:50:18 +0200
Subject: [PATCH 1273/1429] Update versions-compilers.rst

---
 docs/codeql/support/reusables/versions-compilers.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/codeql/support/reusables/versions-compilers.rst b/docs/codeql/support/reusables/versions-compilers.rst
index f983b5e0114..52253cb5ab4 100644
--- a/docs/codeql/support/reusables/versions-compilers.rst
+++ b/docs/codeql/support/reusables/versions-compilers.rst
@@ -28,7 +28,7 @@
 
     .. [1] Support for the clang-cl compiler is preliminary.
     .. [2] Support for the Arm Compiler (armcc) is preliminary.
-    .. [3] Builds that execute on Java 7 to 15 can be analyzed. The analysis understands Java 15 standard language features.
+    .. [3] Builds that execute on Java 7 to 16 can be analyzed. The analysis understands Java 16 standard language features.
     .. [4] ECJ is supported when the build invokes it via the Maven Compiler plugin or the Takari Lifecycle plugin.
     .. [5] JSX and Flow code, YAML, JSON, HTML, and XML files may also be analyzed with JavaScript files.
     .. [6] TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default for LGTM.

From 2833f8daa4092aa496c204c7313a1f42f19b3693 Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Thu, 3 Jun 2021 10:42:41 +0200
Subject: [PATCH 1274/1429] Change predicate isUnsafeEngine -> isSafeEngine to
 improve performance

---
 .../src/semmle/code/java/security/JexlInjection.qll  | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/java/ql/src/semmle/code/java/security/JexlInjection.qll b/java/ql/src/semmle/code/java/security/JexlInjection.qll
index d36fa0aad9b..b975e6f2bdb 100644
--- a/java/ql/src/semmle/code/java/security/JexlInjection.qll
+++ b/java/ql/src/semmle/code/java/security/JexlInjection.qll
@@ -83,7 +83,7 @@ private class DefaultJexlInjectionAdditionalTaintStep extends JexlInjectionAddit
  */
 private predicate createJexlScriptStep(DataFlow::Node n1, DataFlow::Node n2) {
   exists(MethodAccess ma, Method m | m = ma.getMethod() and n2.asExpr() = ma |
-    isUnsafeEngine(ma.getQualifier()) and
+    not isSafeEngine(ma.getQualifier()) and
     m instanceof CreateJexlScriptMethod and
     n1.asExpr() = ma.getArgument(0) and
     n1.asExpr().getType() instanceof TypeString
@@ -96,7 +96,7 @@ private predicate createJexlScriptStep(DataFlow::Node n1, DataFlow::Node n2) {
  */
 private predicate createJexlExpressionStep(DataFlow::Node n1, DataFlow::Node n2) {
   exists(MethodAccess ma, Method m | m = ma.getMethod() and n2.asExpr() = ma |
-    isUnsafeEngine(ma.getQualifier()) and
+    not isSafeEngine(ma.getQualifier()) and
     m instanceof CreateJexlExpressionMethod and
     n1.asExpr() = ma.getAnArgument() and
     n1.asExpr().getType() instanceof TypeString
@@ -111,7 +111,7 @@ private predicate createJexlTemplateStep(DataFlow::Node n1, DataFlow::Node n2) {
   exists(MethodAccess ma, Method m, RefType taintType |
     m = ma.getMethod() and n2.asExpr() = ma and taintType = n1.asExpr().getType()
   |
-    isUnsafeEngine(ma.getQualifier()) and
+    not isSafeEngine(ma.getQualifier()) and
     m instanceof CreateJexlTemplateMethod and
     n1.asExpr() = ma.getArgument([0, 1]) and
     (taintType instanceof TypeString or taintType instanceof Reader)
@@ -119,10 +119,10 @@ private predicate createJexlTemplateStep(DataFlow::Node n1, DataFlow::Node n2) {
 }
 
 /**
- * Holds if `expr` is a JEXL engine that is not configured with a sandbox.
+ * Holds if `expr` is a JEXL engine that is configured with a sandbox.
  */
-private predicate isUnsafeEngine(Expr expr) {
-  not exists(SandboxedJexlFlowConfig config | config.hasFlowTo(DataFlow::exprNode(expr)))
+private predicate isSafeEngine(Expr expr) {
+  exists(SandboxedJexlFlowConfig config | config.hasFlowTo(DataFlow::exprNode(expr)))
 }
 
 /**

From 00836c4bacbbd2ad127849eacc57fafb71b99f14 Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Thu, 3 Jun 2021 10:52:52 +0200
Subject: [PATCH 1275/1429] Fix QLDocs

---
 java/ql/src/semmle/code/java/security/JexlInjection.qll | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/java/ql/src/semmle/code/java/security/JexlInjection.qll b/java/ql/src/semmle/code/java/security/JexlInjection.qll
index b975e6f2bdb..8e8923a746b 100644
--- a/java/ql/src/semmle/code/java/security/JexlInjection.qll
+++ b/java/ql/src/semmle/code/java/security/JexlInjection.qll
@@ -6,7 +6,7 @@ private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * A sink for Expresssion Language injection vulnerabilities via Jexl,
- * i.e. method calls that run evaluation of a JEXL expression.
+ * that is, method calls that run evaluation of a JEXL expression.
  */
 abstract class JexlEvaluationSink extends DataFlow::ExprNode { }
 
@@ -79,7 +79,7 @@ private class DefaultJexlInjectionAdditionalTaintStep extends JexlInjectionAddit
 
 /**
  * Holds if `n1` to `n2` is a dataflow step that creates a JEXL script using an unsafe engine
- * i.e. `tainted.createScript(jexlExpr)`.
+ * by calling `tainted.createScript(jexlExpr)`.
  */
 private predicate createJexlScriptStep(DataFlow::Node n1, DataFlow::Node n2) {
   exists(MethodAccess ma, Method m | m = ma.getMethod() and n2.asExpr() = ma |
@@ -92,7 +92,7 @@ private predicate createJexlScriptStep(DataFlow::Node n1, DataFlow::Node n2) {
 
 /**
  * Holds if `n1` to `n2` is a dataflow step that creates a JEXL expression using an unsafe engine
- * i.e. `tainted.createExpression(jexlExpr)`.
+ * by calling `tainted.createExpression(jexlExpr)`.
  */
 private predicate createJexlExpressionStep(DataFlow::Node n1, DataFlow::Node n2) {
   exists(MethodAccess ma, Method m | m = ma.getMethod() and n2.asExpr() = ma |
@@ -105,7 +105,7 @@ private predicate createJexlExpressionStep(DataFlow::Node n1, DataFlow::Node n2)
 
 /**
  * Holds if `n1` to `n2` is a dataflow step that creates a JEXL template using an unsafe engine
- * i.e. `tainted.createTemplate(jexlExpr)`.
+ * by calling `tainted.createTemplate(jexlExpr)`.
  */
 private predicate createJexlTemplateStep(DataFlow::Node n1, DataFlow::Node n2) {
   exists(MethodAccess ma, Method m, RefType taintType |

From 85d9483c7b412728eb7624570d07299c15070fe8 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 12 May 2021 12:11:25 +0200
Subject: [PATCH 1276/1429] Python: Add basic aiohttp tests

---
 .../frameworks/aiohttp/ConceptsTest.expected  |   0
 .../frameworks/aiohttp/ConceptsTest.ql        |  12 ++
 .../aiohttp/InlineTaintTest.expected          |   3 +
 .../frameworks/aiohttp/InlineTaintTest.ql     |   1 +
 .../library-tests/frameworks/aiohttp/options  |   1 +
 .../frameworks/aiohttp/response_test.py       |   0
 .../frameworks/aiohttp/routing_test.py        | 169 ++++++++++++++++++
 .../frameworks/aiohttp/taint_test.py          |   0
 8 files changed, 186 insertions(+)
 create mode 100644 python/ql/test/library-tests/frameworks/aiohttp/ConceptsTest.expected
 create mode 100644 python/ql/test/library-tests/frameworks/aiohttp/ConceptsTest.ql
 create mode 100644 python/ql/test/library-tests/frameworks/aiohttp/InlineTaintTest.expected
 create mode 100644 python/ql/test/library-tests/frameworks/aiohttp/InlineTaintTest.ql
 create mode 100644 python/ql/test/library-tests/frameworks/aiohttp/options
 create mode 100644 python/ql/test/library-tests/frameworks/aiohttp/response_test.py
 create mode 100644 python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
 create mode 100644 python/ql/test/library-tests/frameworks/aiohttp/taint_test.py

diff --git a/python/ql/test/library-tests/frameworks/aiohttp/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/aiohttp/ConceptsTest.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/aiohttp/ConceptsTest.ql
new file mode 100644
index 00000000000..1e2c1fab3ee
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/aiohttp/ConceptsTest.ql
@@ -0,0 +1,12 @@
+import python
+import experimental.meta.ConceptsTest
+
+class DedicatedResponseTest extends HttpServerHttpResponseTest {
+  DedicatedResponseTest() { file.getShortName() = "response_test.py" }
+}
+
+class OtherResponseTest extends HttpServerHttpResponseTest {
+  OtherResponseTest() { not this instanceof DedicatedResponseTest }
+
+  override string getARelevantTag() { result = "HttpResponse" }
+}
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/InlineTaintTest.expected b/python/ql/test/library-tests/frameworks/aiohttp/InlineTaintTest.expected
new file mode 100644
index 00000000000..79d760d87f4
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/aiohttp/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/InlineTaintTest.ql b/python/ql/test/library-tests/frameworks/aiohttp/InlineTaintTest.ql
new file mode 100644
index 00000000000..027ad8667be
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/aiohttp/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/options b/python/ql/test/library-tests/frameworks/aiohttp/options
new file mode 100644
index 00000000000..cfef58cf2b2
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/aiohttp/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=1 --lang=3
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/response_test.py b/python/ql/test/library-tests/frameworks/aiohttp/response_test.py
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py b/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
new file mode 100644
index 00000000000..6a8b98cfca6
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
@@ -0,0 +1,169 @@
+# Inspired by https://docs.aiohttp.org/en/stable/web_quickstart.html
+# and https://docs.aiohttp.org/en/stable/web_quickstart.html#resources-and-routes
+
+from aiohttp import web
+
+
+app = web.Application()
+
+
+## ================================= ##
+## Ways to specify routes / handlers ##
+## ================================= ##
+
+## Using coroutines
+if True:
+
+    # `app.add_routes` with list
+    async def foo(request):  # $ MISSING: requestHandler
+        return web.Response(text="foo")
+
+    async def foo2(request):  # $ MISSING: requestHandler
+        return web.Response(text="foo2")
+
+    async def foo3(request):  # $ MISSING: requestHandler
+        return web.Response(text="foo3")
+
+    app.add_routes([
+        web.get("/foo", foo),  # $ MISSING: routeSetup
+        web.route("*", "/foo2", foo2), # $ MISSING: routeSetup
+        web.get(path="/foo3", handler=foo3), # $ MISSING: routeSetup
+    ])
+
+
+    # using decorator
+    routes = web.RouteTableDef()
+
+    @routes.get("/bar")  # $ MISSING: routeSetup
+    async def bar(request):  # $ MISSING: requestHandler
+        return web.Response(text="bar")
+
+    @routes.route("*", "/bar2")  # $ MISSING: routeSetup
+    async def bar2(request):  # $ MISSING: requestHandler
+        return web.Response(text="bar2")
+
+    @routes.get(path="/bar3")  # $ MISSING: routeSetup
+    async def bar3(request):  # $ MISSING: requestHandler
+        return web.Response(text="bar3")
+
+    app.add_routes(routes)
+
+
+    # `app.router.add_get` / `app.router.add_route`
+    async def baz(request):  # $ MISSING: requestHandler
+        return web.Response(text="baz")
+
+    app.router.add_get("/baz", baz)  # $ MISSING: routeSetup
+
+    async def baz2(request):  # $ MISSING: requestHandler
+        return web.Response(text="baz2")
+
+    app.router.add_route("*", "/baz2", baz2)  # $ MISSING: routeSetup
+
+    async def baz3(request):  # $ MISSING: requestHandler
+        return web.Response(text="baz3")
+
+    app.router.add_get(path="/baz3", handler=baz3)  # $ MISSING: routeSetup
+
+
+## Using classes / views
+if True:
+    # see https://docs.aiohttp.org/en/stable/web_quickstart.html#organizing-handlers-in-classes
+
+    class MyCustomHandlerClass:
+
+        async def foo_handler(self, request):  # $ MISSING: requestHandler
+            return web.Response(text="MyCustomHandlerClass.foo")
+
+    my_custom_handler = MyCustomHandlerClass()
+    app.router.add_get("/MyCustomHandlerClass/foo", my_custom_handler.foo_handler)   # $ MISSING: routeSetup
+
+    # Using `web.View`
+    # ---------------
+
+    # `app.add_routes` with list
+    class MyWebView1(web.View):
+        async def get(self):  # $ MISSING: requestHandler
+            return web.Response(text="MyWebView1.get")
+
+    app.add_routes([
+        web.view("/MyWebView1", MyWebView1)   # $ MISSING: routeSetup
+    ])
+
+
+    # using decorator
+    routes = web.RouteTableDef()
+
+    @routes.view("/MyWebView2")  # $ MISSING: routeSetup
+    class MyWebView2(web.View):
+        async def get(self):  # $ MISSING: requestHandler
+            return web.Response(text="MyWebView2.get")
+
+    app.add_routes(routes)
+
+
+    # `app.router.add_view`
+    class MyWebView3(web.View):
+        async def get(self):  # $ MISSING: requestHandler
+            return web.Response(text="MyWebView3.get")
+
+    app.router.add_view("/MyWebView3", MyWebView3)  # $ MISSING: routeSetup
+
+## =================== ##
+## "Routed parameters" ##
+## =================== ##
+
+if True:
+    # see https://docs.aiohttp.org/en/stable/web_quickstart.html#variable-resources
+
+    async def matching(request: web.Request):  # $ MISSING: requestHandler
+        name = request.match_info['name']
+        number = request.match_info['number']
+        return web.Response(text="matching name={} number={}".format(name, number))
+
+    app.router.add_get("/matching/{name}/{number:\d+}", matching)  # $ MISSING: routeSetup
+
+## ======= ##
+## subapps ##
+## ======= ##
+
+if True:
+    subapp = web.Application()
+
+    async def subapp_handler(request):  # $ MISSING: requestHandler
+        return web.Response(text="subapp_handler")
+
+    subapp.router.add_get("/subapp_handler", subapp_handler)  # $ MISSING: routeSetup
+
+    app.add_subapp("/my_subapp", subapp)
+
+    # similar behavior is possible with `app.add_domain`, but since I don't think we'll have special handling
+    # for any kind of subapps, I have not created a test for this.
+
+
+## ================================ ##
+## Constructing UrlDispatcher first ##
+## ================================ ##
+
+if True:
+    async def manual_dispatcher_instance(request):  # $ MISSING: requestHandler
+        return web.Response(text="manual_dispatcher_instance")
+
+    url_dispatcher = web.UrlDispatcher()
+    url_dispatcher.add_get("/manual_dispatcher_instance", manual_dispatcher_instance)  # $ MISSING: routeSetup
+
+    subapp2 = web.Application(router=url_dispatcher)
+    app.add_subapp("/manual_dispatcher_instance_app", subapp2)
+
+
+## =========== ##
+## Run the app ##
+## =========== ##
+
+if __name__ == "__main__":
+    print("For auto-reloading server you can use:")
+    print(f"aiohttp-devtools runserver {__file__}")
+    print("after doing `pip install aiohttp-devtools`")
+    print()
+
+    web.run_app(app)
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
new file mode 100644
index 00000000000..e69de29bb2d

From fa1d4e6de781c935ba5894a52a6ce758fdfff17e Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 20 May 2021 10:59:06 +0200
Subject: [PATCH 1277/1429] Python: Extract poor mans function resolution (from
 django)

Since I also want to use this for aiohttp.web modeling
---
 .../src/semmle/python/frameworks/Django.qll   | 51 +----------
 .../internal/PoorMansFunctionResolution.qll   | 90 +++++++++++++++++++
 2 files changed, 93 insertions(+), 48 deletions(-)
 create mode 100644 python/ql/src/semmle/python/frameworks/internal/PoorMansFunctionResolution.qll

diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index 93aa921e496..f1ae74bc8b5 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -11,6 +11,7 @@ private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.PEP249
 private import semmle.python.regex
+private import semmle.python.frameworks.internal.PoorMansFunctionResolution
 
 /**
  * Provides models for the `django` PyPI package.
@@ -1386,13 +1387,6 @@ private module PrivateDjango {
   // ---------------------------------------------------------------------------
   // Helpers
   // ---------------------------------------------------------------------------
-  /**
-   * Gets the last decorator call for the function `func`, if `func` has decorators.
-   */
-  private Expr lastDecoratorCall(Function func) {
-    result = func.getDefinition().(FunctionExpr).getADecoratorCall() and
-    not exists(Call other_decorator | other_decorator.getArg(0) = result)
-  }
 
   /** Adds the `getASelfRef` member predicate when modeling a class. */
   abstract private class SelfRefMixin extends Class {
@@ -1487,45 +1481,6 @@ private module PrivateDjango {
   // ---------------------------------------------------------------------------
   // routing modeling
   // ---------------------------------------------------------------------------
-  /**
-   * Gets a reference to the Function `func`.
-   *
-   * The idea is that this function should be used as a route handler when setting up a
-   * route, but currently it just tracks all functions, since we can't do type-tracking
-   * backwards yet (TODO).
-   */
-  private DataFlow::LocalSourceNode djangoRouteHandlerFunctionTracker(
-    DataFlow::TypeTracker t, Function func
-  ) {
-    t.start() and
-    (
-      not exists(func.getADecorator()) and
-      result.asExpr() = func.getDefinition()
-      or
-      // If the function has decorators, we still want to model the function as being
-      // the request handler for a route setup. In such situations, we must track the
-      // last decorator call instead of the function itself.
-      //
-      // Note that this means that we blindly ignore what the decorator actually does to
-      // the function, which seems like an OK tradeoff.
-      result.asExpr() = lastDecoratorCall(func)
-    )
-    or
-    exists(DataFlow::TypeTracker t2 |
-      result = djangoRouteHandlerFunctionTracker(t2, func).track(t2, t)
-    )
-  }
-
-  /**
-   * Gets a reference to the Function `func`.
-   *
-   * The idea is that this function should be used as a route handler when setting up a
-   * route, but currently it just tracks all functions, since we can't do type-tracking
-   * backwards yet (TODO).
-   */
-  private DataFlow::Node djangoRouteHandlerFunctionTracker(Function func) {
-    djangoRouteHandlerFunctionTracker(DataFlow::TypeTracker::end(), func).flowsTo(result)
-  }
 
   /**
    * In order to recognize a class as being a django view class, based on the `as_view`
@@ -1613,7 +1568,7 @@ private module PrivateDjango {
    */
   private class DjangoRouteHandler extends Function {
     DjangoRouteHandler() {
-      exists(DjangoRouteSetup route | route.getViewArg() = djangoRouteHandlerFunctionTracker(this))
+      exists(DjangoRouteSetup route | route.getViewArg() = poorMansFunctionTracker(this))
       or
       any(DjangoViewClass vc).getARequestHandler() = this
     }
@@ -1663,7 +1618,7 @@ private module PrivateDjango {
     abstract DataFlow::Node getViewArg();
 
     final override DjangoRouteHandler getARequestHandler() {
-      djangoRouteHandlerFunctionTracker(result) = getViewArg()
+      poorMansFunctionTracker(result) = getViewArg()
       or
       exists(DjangoViewClass vc |
         getViewArg() = vc.asViewResult() and
diff --git a/python/ql/src/semmle/python/frameworks/internal/PoorMansFunctionResolution.qll b/python/ql/src/semmle/python/frameworks/internal/PoorMansFunctionResolution.qll
new file mode 100644
index 00000000000..78764bf53bc
--- /dev/null
+++ b/python/ql/src/semmle/python/frameworks/internal/PoorMansFunctionResolution.qll
@@ -0,0 +1,90 @@
+/**
+ * INTERNAL: Do not use.
+ *
+ * Notice: The predicates provided in this module is a poor mans solution for function
+ * resolution, and does not handle anything but the most simple cases.
+ *
+ * For example, in the code below, we're not able to tell anything about
+ * `inst.my_method` (which is a bound-method)
+ * ```py
+ * class MyClass:
+ *     def my_method(self):
+ *         pass
+ *
+ * inst = MyClass()
+ * print(inst.my_method)
+ * ```
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+
+/**
+ * Gets the last decorator call for the function `func`, if `func` has decorators.
+ */
+private Expr lastDecoratorCall(Function func) {
+  result = func.getDefinition().(FunctionExpr).getADecoratorCall() and
+  not exists(Call other_decorator | other_decorator.getArg(0) = result)
+}
+
+/**
+ * Gets a reference to the Function `func`.
+ *
+ * Notice: This is a poor mans solution for function resolution, and does not handle
+ * anything but the most simple cases.
+ *
+ * For example, in the code below, we're not able to tell anything about
+ * `inst.my_method` (which is a bound-method)
+ * ```py
+ * class MyClass:
+ *     def my_method(self):
+ *         pass
+ *
+ * inst = MyClass()
+ * print(inst.my_method)
+ * ```
+ */
+private DataFlow::LocalSourceNode poorMansFunctionTracker(
+  DataFlow::TypeTracker t, Function func
+) {
+  t.start() and
+  (
+    not exists(func.getADecorator()) and
+    result.asExpr() = func.getDefinition()
+    or
+    // If the function has decorators, we still want to model the function as being
+    // the request handler for a route setup. In such situations, we must track the
+    // last decorator call instead of the function itself.
+    //
+    // Note that this means that we blindly ignore what the decorator actually does to
+    // the function, which seems like an OK tradeoff.
+    result.asExpr() = lastDecoratorCall(func)
+  )
+  or
+  exists(DataFlow::TypeTracker t2 |
+    result = poorMansFunctionTracker(t2, func).track(t2, t)
+  )
+}
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Gets a reference to the Function `func`.
+ *
+ * Notice: This is a poor mans solution for function resolution, and does not handle
+ * anything but the most simple cases.
+ *
+ * For example, in the code below, we're not able to tell anything about
+ * `inst.my_method` (which is a bound-method)
+ * ```py
+ * class MyClass:
+ *     def my_method(self):
+ *         pass
+ *
+ * inst = MyClass()
+ * print(inst.my_method)
+ * ```
+ */
+DataFlow::Node poorMansFunctionTracker(Function func) {
+  poorMansFunctionTracker(DataFlow::TypeTracker::end(), func).flowsTo(result)
+}

From 3cbb909a3a4ae8f736d10bd3e1175f1a388c6af3 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 20 May 2021 11:12:28 +0200
Subject: [PATCH 1278/1429] Python: Add modeling of coroutine routes in
 aiohttp.web

---
 docs/codeql/support/reusables/frameworks.rst  |   1 +
 python/ql/src/semmle/python/Frameworks.qll    |   1 +
 .../src/semmle/python/frameworks/Aiohttp.qll  | 141 ++++++++++++++++++
 .../frameworks/aiohttp/routing_test.py        |  50 +++----
 4 files changed, 168 insertions(+), 25 deletions(-)
 create mode 100644 python/ql/src/semmle/python/frameworks/Aiohttp.qll

diff --git a/docs/codeql/support/reusables/frameworks.rst b/docs/codeql/support/reusables/frameworks.rst
index be9949aad77..41680cffe0e 100644
--- a/docs/codeql/support/reusables/frameworks.rst
+++ b/docs/codeql/support/reusables/frameworks.rst
@@ -152,6 +152,7 @@ Python built-in support
    :widths: auto
 
    Name, Category
+   aiohttp.web, Web framework
    Django, Web framework
    Flask, Web framework
    Tornado, Web framework
diff --git a/python/ql/src/semmle/python/Frameworks.qll b/python/ql/src/semmle/python/Frameworks.qll
index 3115c3ffac6..172f3d11bfb 100644
--- a/python/ql/src/semmle/python/Frameworks.qll
+++ b/python/ql/src/semmle/python/Frameworks.qll
@@ -4,6 +4,7 @@
 
 // If you add modeling of a new framework/library, remember to add it it to the docs in
 // `docs/codeql/support/reusables/frameworks.rst`
+private import semmle.python.frameworks.Aiohttp
 private import semmle.python.frameworks.Cryptodome
 private import semmle.python.frameworks.Cryptography
 private import semmle.python.frameworks.Dill
diff --git a/python/ql/src/semmle/python/frameworks/Aiohttp.qll b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
new file mode 100644
index 00000000000..b73610c06b1
--- /dev/null
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -0,0 +1,141 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `aiohttp` PyPI package.
+ * See https://docs.aiohttp.org/en/stable/index.html
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.internal.PoorMansFunctionResolution
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides models for the web server part (`aiohttp.web`) of the `aiohttp` PyPI package.
+ * See https://docs.aiohttp.org/en/stable/web.html
+ */
+module AiohttpWebModel {
+  /** Gets a reference to a `aiohttp.web.Application` instance. */
+  API::Node applicationInstance() {
+    // Not sure whether you're allowed to add routes _after_ starting the app, for
+    // example in the middle of handling a http request... but I'm guessing that for 99%
+    // for all code, not modeling that `request.app` is a reference to an application
+    // should be good enough for the route-setup part of the modeling :+1:
+    result = API::moduleImport("aiohttp").getMember("web").getMember("Application").getReturn()
+  }
+
+  /** Gets a reference to a `aiohttp.web.UrlDispatcher` instance. */
+  API::Node urlDispathcerInstance() {
+    result = API::moduleImport("aiohttp").getMember("web").getMember("UrlDispatcher").getReturn()
+    or
+    result = applicationInstance().getMember("router")
+  }
+
+  // -- route modeling --
+
+  /** A route setup in `aiohttp.web` */
+  abstract class AiohttpRouteSetup extends HTTP::Server::RouteSetup::Range {
+    override Parameter getARoutedParameter() { none() }
+
+    override string getFramework() { result = "aiohttp.web" }
+  }
+
+  /** An aiohttp route setup that uses coroutines (async function) as request handler. */
+  abstract class AiohttpCoroutineRouteSetup extends AiohttpRouteSetup {
+    /** Gets the argument specifying the request handler (which is a coroutine/async function) */
+    abstract DataFlow::Node getRequestHandlerArg();
+
+    override Function getARequestHandler() {
+      this.getRequestHandlerArg() = poorMansFunctionTracker(result)
+    }
+  }
+
+  /**
+   * A route-setup from `add_route` or any of `add_get`, `add_post`, etc. on an
+   *    `aiohttp.web.UrlDispatcher`.
+   */
+  class AiohttpUrlDispatcherAddRouteCall extends AiohttpCoroutineRouteSetup, DataFlow::CallCfgNode {
+    /** At what index route arguments starts, so we can handle "route" version together with get/post/... */
+    int routeArgsStart;
+
+    AiohttpUrlDispatcherAddRouteCall() {
+      this = urlDispathcerInstance().getMember("add_" + HTTP::httpVerbLower()).getACall() and
+      routeArgsStart = 0
+      or
+      this = urlDispathcerInstance().getMember("add_route").getACall() and
+      routeArgsStart = 1
+    }
+
+    override DataFlow::Node getUrlPatternArg() {
+      result in [this.getArg(routeArgsStart + 0), this.getArgByName("path")]
+    }
+
+    override DataFlow::Node getRequestHandlerArg() {
+      result in [this.getArg(routeArgsStart + 1), this.getArgByName("handler")]
+    }
+  }
+
+  /**
+   * A route-setup from using `route` or any of `get`, `post`, etc. functions from `aiohttp.web`.
+   *
+   * Note that technically, this does not set up a route in itself (since it needs to be added to an application first).
+   * However, modeling this way makes it easier, and we don't expect it to lead to many problems.
+   */
+  class AiohttpWebRouteCall extends AiohttpCoroutineRouteSetup, DataFlow::CallCfgNode {
+    /** At what index route arguments starts, so we can handle "route" version together with get/post/... */
+    int routeArgsStart;
+
+    AiohttpWebRouteCall() {
+      exists(string funcName |
+        funcName = HTTP::httpVerbLower() and
+        routeArgsStart = 0
+        or
+        funcName = "route" and
+        routeArgsStart = 1
+      |
+        this = API::moduleImport("aiohttp").getMember("web").getMember(funcName).getACall()
+      )
+    }
+
+    override DataFlow::Node getUrlPatternArg() {
+      result in [this.getArg(routeArgsStart + 0), this.getArgByName("path")]
+    }
+
+    override DataFlow::Node getRequestHandlerArg() {
+      result in [this.getArg(routeArgsStart + 1), this.getArgByName("handler")]
+    }
+  }
+
+  /** A route-setup from using a `route` or any of `get`, `post`, etc. decorators from a `aiohttp.web.RouteTableDef`. */
+  class AiohttpRouteTableDefRouteCall extends AiohttpCoroutineRouteSetup, DataFlow::CallCfgNode {
+    /** At what index route arguments starts, so we can handle "route" version together with get/post/... */
+    int routeArgsStart;
+
+    AiohttpRouteTableDefRouteCall() {
+      exists(string decoratorName |
+        decoratorName = HTTP::httpVerbLower() and
+        routeArgsStart = 0
+        or
+        decoratorName = "route" and
+        routeArgsStart = 1
+      |
+        this =
+          API::moduleImport("aiohttp")
+              .getMember("web")
+              .getMember("RouteTableDef")
+              .getReturn()
+              .getMember(decoratorName)
+              .getACall()
+      )
+    }
+
+    override DataFlow::Node getUrlPatternArg() {
+      result in [this.getArg(routeArgsStart + 0), this.getArgByName("path")]
+    }
+
+    override DataFlow::Node getRequestHandlerArg() { none() }
+
+    override Function getARequestHandler() { result.getADecorator() = this.asExpr() }
+  }
+}
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py b/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
index 6a8b98cfca6..880a7f8cb87 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
@@ -15,55 +15,55 @@ app = web.Application()
 if True:
 
     # `app.add_routes` with list
-    async def foo(request):  # $ MISSING: requestHandler
+    async def foo(request):  # $ requestHandler
         return web.Response(text="foo")
 
-    async def foo2(request):  # $ MISSING: requestHandler
+    async def foo2(request):  # $ requestHandler
         return web.Response(text="foo2")
 
-    async def foo3(request):  # $ MISSING: requestHandler
+    async def foo3(request):  # $ requestHandler
         return web.Response(text="foo3")
 
     app.add_routes([
-        web.get("/foo", foo),  # $ MISSING: routeSetup
-        web.route("*", "/foo2", foo2), # $ MISSING: routeSetup
-        web.get(path="/foo3", handler=foo3), # $ MISSING: routeSetup
+        web.get("/foo", foo),  # $ routeSetup="/foo"
+        web.route("*", "/foo2", foo2), # $ routeSetup="/foo2"
+        web.get(path="/foo3", handler=foo3), # $ routeSetup="/foo3"
     ])
 
 
     # using decorator
     routes = web.RouteTableDef()
 
-    @routes.get("/bar")  # $ MISSING: routeSetup
-    async def bar(request):  # $ MISSING: requestHandler
+    @routes.get("/bar")  # $ routeSetup="/bar"
+    async def bar(request):  # $ requestHandler
         return web.Response(text="bar")
 
-    @routes.route("*", "/bar2")  # $ MISSING: routeSetup
-    async def bar2(request):  # $ MISSING: requestHandler
+    @routes.route("*", "/bar2")  # $ routeSetup="/bar2"
+    async def bar2(request):  # $ requestHandler
         return web.Response(text="bar2")
 
-    @routes.get(path="/bar3")  # $ MISSING: routeSetup
-    async def bar3(request):  # $ MISSING: requestHandler
+    @routes.get(path="/bar3")  # $ routeSetup="/bar3"
+    async def bar3(request):  # $ requestHandler
         return web.Response(text="bar3")
 
     app.add_routes(routes)
 
 
     # `app.router.add_get` / `app.router.add_route`
-    async def baz(request):  # $ MISSING: requestHandler
+    async def baz(request):  # $ requestHandler
         return web.Response(text="baz")
 
-    app.router.add_get("/baz", baz)  # $ MISSING: routeSetup
+    app.router.add_get("/baz", baz)  # $ routeSetup="/baz"
 
-    async def baz2(request):  # $ MISSING: requestHandler
+    async def baz2(request):  # $ requestHandler
         return web.Response(text="baz2")
 
-    app.router.add_route("*", "/baz2", baz2)  # $ MISSING: routeSetup
+    app.router.add_route("*", "/baz2", baz2)  # $ routeSetup="/baz2"
 
-    async def baz3(request):  # $ MISSING: requestHandler
+    async def baz3(request):  # $ requestHandler
         return web.Response(text="baz3")
 
-    app.router.add_get(path="/baz3", handler=baz3)  # $ MISSING: routeSetup
+    app.router.add_get(path="/baz3", handler=baz3)  # $ routeSetup="/baz3"
 
 
 ## Using classes / views
@@ -76,7 +76,7 @@ if True:
             return web.Response(text="MyCustomHandlerClass.foo")
 
     my_custom_handler = MyCustomHandlerClass()
-    app.router.add_get("/MyCustomHandlerClass/foo", my_custom_handler.foo_handler)   # $ MISSING: routeSetup
+    app.router.add_get("/MyCustomHandlerClass/foo", my_custom_handler.foo_handler)   # $ routeSetup="/MyCustomHandlerClass/foo"
 
     # Using `web.View`
     # ---------------
@@ -116,12 +116,12 @@ if True:
 if True:
     # see https://docs.aiohttp.org/en/stable/web_quickstart.html#variable-resources
 
-    async def matching(request: web.Request):  # $ MISSING: requestHandler
+    async def matching(request: web.Request):  # $ requestHandler
         name = request.match_info['name']
         number = request.match_info['number']
         return web.Response(text="matching name={} number={}".format(name, number))
 
-    app.router.add_get("/matching/{name}/{number:\d+}", matching)  # $ MISSING: routeSetup
+    app.router.add_get(r"/matching/{name}/{number:\d+}", matching)  # $ routeSetup="/matching/{name}/{number:\d+}"
 
 ## ======= ##
 ## subapps ##
@@ -130,10 +130,10 @@ if True:
 if True:
     subapp = web.Application()
 
-    async def subapp_handler(request):  # $ MISSING: requestHandler
+    async def subapp_handler(request):  # $ requestHandler
         return web.Response(text="subapp_handler")
 
-    subapp.router.add_get("/subapp_handler", subapp_handler)  # $ MISSING: routeSetup
+    subapp.router.add_get("/subapp_handler", subapp_handler)  # $ routeSetup="/subapp_handler"
 
     app.add_subapp("/my_subapp", subapp)
 
@@ -146,11 +146,11 @@ if True:
 ## ================================ ##
 
 if True:
-    async def manual_dispatcher_instance(request):  # $ MISSING: requestHandler
+    async def manual_dispatcher_instance(request):  # $ requestHandler
         return web.Response(text="manual_dispatcher_instance")
 
     url_dispatcher = web.UrlDispatcher()
-    url_dispatcher.add_get("/manual_dispatcher_instance", manual_dispatcher_instance)  # $ MISSING: routeSetup
+    url_dispatcher.add_get("/manual_dispatcher_instance", manual_dispatcher_instance)  # $ routeSetup="/manual_dispatcher_instance"
 
     subapp2 = web.Application(router=url_dispatcher)
     app.add_subapp("/manual_dispatcher_instance_app", subapp2)

From 2b992a635a1c3ff42d45b826353a919f7f0d4aa5 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 26 May 2021 14:54:20 +0200
Subject: [PATCH 1279/1429] Python: Add aiohttp taint tests

---
 .../frameworks/aiohttp/taint_test.py          | 196 ++++++++++++++++++
 1 file changed, 196 insertions(+)

diff --git a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
index e69de29bb2d..ba24f59a702 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -0,0 +1,196 @@
+from aiohttp import web
+
+async def test_taint(request: web.Request): # $ requestHandler
+
+    ensure_tainted(
+        request, # $ MISSING: tainted
+
+        # yarl.URL instances
+        # https://yarl.readthedocs.io/en/stable/api.html#yarl.URL
+        # see below
+        request.url, # $ MISSING: tainted
+        request.rel_url, # $ MISSING: tainted
+
+        request.forwarded, # $ MISSING: tainted
+
+        request.host, # $ MISSING: tainted
+        request.remote, # $ MISSING: tainted
+        request.path, # $ MISSING: tainted
+        request.path_qs, # $ MISSING: tainted
+        request.raw_path, # $ MISSING: tainted
+
+        # multidict.MultiDictProxy[str]
+        # see https://multidict.readthedocs.io/en/stable/multidict.html#multidict.MultiDictProxy
+        # TODO: Should have a better way to capture that we in fact _do_ model this as a
+        # an instance of the right class, and have the actual taint_test for that in a
+        # different file!
+        request.query, # $ MISSING: tainted
+        request.query["key"], # $ MISSING: tainted
+        request.query.get("key"), # $ MISSING: tainted
+        request.query.getone("key"), # $ MISSING: tainted
+        request.query.getall("key"), # $ MISSING: tainted
+        request.query.keys(), # $ MISSING: tainted
+        request.query.values(), # $ MISSING: tainted
+        request.query.items(), # $ MISSING: tainted
+        request.query.copy(), # $ MISSING: tainted
+        list(request.query), # $ MISSING: tainted
+        iter(request.query), # $ MISSING: tainted
+
+        # multidict.CIMultiDictProxy[str]
+        # see https://multidict.readthedocs.io/en/stable/multidict.html#multidict.CIMultiDictProxy
+        # TODO: Should have a better way to capture that we in fact _do_ model this as a
+        # an instance of the right class, and have the actual taint_test for that in a
+        # different file!
+        request.headers, # $ MISSING: tainted
+        request.query.getone("key"), # $ MISSING: tainted
+
+        # https://docs.python.org/3/library/asyncio-protocol.html#asyncio-transport
+        # TODO
+        request.transport, # $ MISSING: tainted
+        request.transport.get_extra_info("key"), # $ MISSING: tainted
+
+        # dict-like (readonly)
+        request.cookies, # $ MISSING: tainted
+        request.cookies["key"], # $ MISSING: tainted
+        request.cookies.get("key"), # $ MISSING: tainted
+        request.cookies.keys(), # $ MISSING: tainted
+        request.cookies.values(), # $ MISSING: tainted
+        request.cookies.items(), # $ MISSING: tainted
+        list(request.cookies), # $ MISSING: tainted
+        iter(request.cookies), # $ MISSING: tainted
+
+
+        # aiohttp.StreamReader
+        # see https://docs.aiohttp.org/en/stable/streams.html#aiohttp.StreamReader
+        # TODO
+        request.content, # $ MISSING: tainted
+        request._payload, # $ MISSING: tainted
+
+        request.body_exists, # $ MISSING: tainted
+        request.has_body, # $ MISSING: tainted
+
+        request.content_type, # $ MISSING: tainted
+        request.charset, # $ MISSING: tainted
+
+        request.http_range, # $ MISSING: tainted
+
+        # Optional[datetime]
+        request.if_modified_since, # $ MISSING: tainted
+        request.if_unmodified_since, # $ MISSING: tainted
+        request.if_range, # $ MISSING: tainted
+
+        request.clone(scheme="https"), # $ MISSING: tainted
+
+        # TODO: like request.transport.get_extra_info
+        request.get_extra_info("key"), # $ MISSING: tainted
+
+        # bytes
+        await request.read(), # $ MISSING: tainted
+
+        # str
+        await request.text(), # $ MISSING: tainted
+
+        # obj
+        await request.json(), # $ MISSING: tainted
+
+        # aiohttp.multipart.MultipartReader
+        await request.multipart(), # $ MISSING: tainted
+
+        # multidict.MultiDictProxy[str]
+        await request.post(), # $ MISSING: tainted
+        (await request.post()).getone("key"), # $ MISSING: tainted
+    )
+
+    import yarl
+    assert isinstance(request.url, yarl.URL)
+    assert isinstance(request.rel_url, yarl.URL)
+
+
+    # things that are technically controlled by sender of request,
+    # but doesn't seem that likely for exploitation.
+    ensure_not_tainted(
+        request.method,
+        request.version,
+        request.scheme,
+        request.secure,
+        request.keep_alive,
+
+        request.content_length,
+    )
+
+    ensure_not_tainted(
+        request.loop,
+
+        request.match_info,
+        request.app,
+        request.config_dict,
+    )
+
+    # TODO: Should have a better way to capture that we in fact _do_ model this as a
+    # an instance of the right class, and have the actual taint_test for that in a
+    # different file!
+    import yarl
+
+    ensure_tainted(
+        request.url.user, # $ MISSING: tainted
+        request.url.raw_user, # $ MISSING: tainted
+
+        request.url.password, # $ MISSING: tainted
+        request.url.raw_password, # $ MISSING: tainted
+
+        request.url.host, # $ MISSING: tainted
+        request.url.raw_host, # $ MISSING: tainted
+
+        request.url.port, # $ MISSING: tainted
+        request.url.explicit_port, # $ MISSING: tainted
+
+        request.url.authority, # $ MISSING: tainted
+        request.url.raw_authority, # $ MISSING: tainted
+
+        request.url.path, # $ MISSING: tainted
+        request.url.raw_path, # $ MISSING: tainted
+
+        request.url.path_qs, # $ MISSING: tainted
+        request.url.raw_path_qs, # $ MISSING: tainted
+
+        request.url.query_string, # $ MISSING: tainted
+        request.url.raw_query_string, # $ MISSING: tainted
+
+        request.url.fragment, # $ MISSING: tainted
+        request.url.raw_fragment, # $ MISSING: tainted
+
+        request.url.parts, # $ MISSING: tainted
+        request.url.raw_parts, # $ MISSING: tainted
+
+        request.url.name, # $ MISSING: tainted
+        request.url.raw_name, # $ MISSING: tainted
+
+        # multidict.MultiDictProxy[str]
+        request.url.query, # $ MISSING: tainted
+        request.url.query.getone("key"), # $ MISSING: tainted
+
+        request.url.with_scheme("foo"), # $ MISSING: tainted
+        request.url.with_user("foo"), # $ MISSING: tainted
+        request.url.with_password("foo"), # $ MISSING: tainted
+        request.url.with_host("foo"), # $ MISSING: tainted
+        request.url.with_port("foo"), # $ MISSING: tainted
+        request.url.with_path("foo"), # $ MISSING: tainted
+        request.url.with_query({"foo": 42}), # $ MISSING: tainted
+        request.url.with_query(foo=42), # $ MISSING: tainted
+        request.url.update_query({"foo": 42}), # $ MISSING: tainted
+        request.url.update_query(foo=42), # $ MISSING: tainted
+        request.url.with_fragment("foo"), # $ MISSING: tainted
+        request.url.with_name("foo"), # $ MISSING: tainted
+
+        request.url.join(yarl.URL("wat.html")), # $ MISSING: tainted
+
+        request.url.human_repr(), # $ MISSING: tainted
+    )
+
+
+app = web.Application()
+app.router.add_get(r"/test_taint/{name}/{number:\d+}", test_taint)  # $ routeSetup="/test_taint/{name}/{number:\d+}"
+
+
+if __name__ == "__main__":
+    web.run_app(app)

From 88158e7414ff45206a71b8f9a7cc84cea33d653c Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 26 May 2021 15:24:52 +0200
Subject: [PATCH 1280/1429] Python: Add basic model setup for
 aiohttp.web.Request

---
 .../src/semmle/python/frameworks/Aiohttp.qll  | 67 ++++++++++++++++++-
 .../frameworks/aiohttp/taint_test.py          |  2 +-
 2 files changed, 67 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Aiohttp.qll b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
index b73610c06b1..e7131e2c409 100644
--- a/python/ql/src/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -5,6 +5,8 @@
 
 private import python
 private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.internal.PoorMansFunctionResolution
@@ -33,7 +35,6 @@ module AiohttpWebModel {
   }
 
   // -- route modeling --
-
   /** A route setup in `aiohttp.web` */
   abstract class AiohttpRouteSetup extends HTTP::Server::RouteSetup::Range {
     override Parameter getARoutedParameter() { none() }
@@ -138,4 +139,68 @@ module AiohttpWebModel {
 
     override Function getARequestHandler() { result.getADecorator() = this.asExpr() }
   }
+
+  // ---------------------------------------------------------------------------
+  // aiohttp.web.Request taint modeling
+  // ---------------------------------------------------------------------------
+  /**
+   * Provides models for the `aiohttp.web.Request` class
+   *
+   * See https://docs.aiohttp.org/en/stable/web_reference.html#request-and-base-request
+   */
+  module Request {
+    /**
+     * A source of instances of `aiohttp.web.Request`, extend this class to model new instances.
+     *
+     * This can include instantiations of the class, return values from function
+     * calls, or a special parameter that will be set when functions are called by an external
+     * library.
+     *
+     * Use `Request::instance()` predicate to get
+     * references to instances of `aiohttp.web.Request`.
+     */
+    abstract class InstanceSource extends DataFlow::Node { }
+
+    /** Gets a reference to an instance of `aiohttp.web.Request`. */
+    private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
+      t.start() and
+      result instanceof InstanceSource
+      or
+      exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
+    }
+
+    /** Gets a reference to an instance of `aiohttp.web.Request`. */
+    DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
+  }
+
+  /**
+   * A parameter that will receive a `aiohttp.web.Request` instance when a request
+   * handler is invoked.
+   */
+  class AiohttpRequestHandlerRequestParam extends Request::InstanceSource, RemoteFlowSource::Range,
+    DataFlow::ParameterNode {
+    AiohttpRequestHandlerRequestParam() {
+      exists(Function requestHandler |
+        requestHandler = any(AiohttpRouteSetup setup).getARequestHandler() and
+        // We select the _last_ parameter for the request since that is what they do in
+        // `aiohttp-jinja2`.
+        // https://github.com/aio-libs/aiohttp-jinja2/blob/7fb4daf2c3003921d34031d38c2311ee0e02c18b/aiohttp_jinja2/__init__.py#L235
+        //
+        // I assume that is just to handle cases such as the one below
+        // ```py
+        // class MyCustomHandlerClass:
+        //     async def foo_handler(self, request):
+        //            ...
+        //
+        // my_custom_handler = MyCustomHandlerClass()
+        // app.router.add_get("/MyCustomHandlerClass/foo", my_custom_handler.foo_handler)
+        // ```
+        this.getParameter() =
+          max(Parameter param, int i | param = requestHandler.getArg(i) | param order by i)
+
+      )
+    }
+
+    override string getSourceType() { result = "aiohttp.web.Request" }
+  }
 }
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
index ba24f59a702..d996d07ead2 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -3,7 +3,7 @@ from aiohttp import web
 async def test_taint(request: web.Request): # $ requestHandler
 
     ensure_tainted(
-        request, # $ MISSING: tainted
+        request, # $ tainted
 
         # yarl.URL instances
         # https://yarl.readthedocs.io/en/stable/api.html#yarl.URL

From d953ea47d4718d55300c273f409eb7b2168d4652 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 26 May 2021 15:53:33 +0200
Subject: [PATCH 1281/1429] Python: Basic handling of tainted attributes in
 aiohttp

---
 .../src/semmle/python/frameworks/Aiohttp.qll  | 29 +++++++-
 .../frameworks/aiohttp/taint_test.py          | 74 +++++++++----------
 2 files changed, 65 insertions(+), 38 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Aiohttp.qll b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
index e7131e2c409..7e2c9dc8424 100644
--- a/python/ql/src/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -197,10 +197,37 @@ module AiohttpWebModel {
         // ```
         this.getParameter() =
           max(Parameter param, int i | param = requestHandler.getArg(i) | param order by i)
-
       )
     }
 
     override string getSourceType() { result = "aiohttp.web.Request" }
   }
+
+  /**
+   * Taint propagation for `aiohttp.web.Request`.
+   *
+   * See https://docs.aiohttp.org/en/stable/web_reference.html#request-and-base-request
+   */
+  private class AiohttpRequestAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+      // Methods
+      exists(string method_name | method_name in ["TODO"] |
+        // Method access (obj -> obj.meth)
+        none()
+        or
+        // Method call (obj.meth -> obj.meth())
+        none()
+      )
+      or
+      // Attributes
+      nodeFrom = Request::instance() and
+      nodeTo.(DataFlow::AttrRead).getObject() = nodeFrom and
+      nodeTo.(DataFlow::AttrRead).getAttributeName() in [
+          "url", "rel_url", "forwarded", "host", "remote", "path", "path_qs", "raw_path", "query",
+          "headers", "transport", "cookies", "content", "_payload", "body_exists", "has_body",
+          "content_type", "charset", "http_range", "if_modified_since", "if_unmodified_since",
+          "if_range"
+        ]
+    }
+  }
 }
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
index d996d07ead2..39c814564ce 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -8,76 +8,76 @@ async def test_taint(request: web.Request): # $ requestHandler
         # yarl.URL instances
         # https://yarl.readthedocs.io/en/stable/api.html#yarl.URL
         # see below
-        request.url, # $ MISSING: tainted
-        request.rel_url, # $ MISSING: tainted
+        request.url, # $ tainted
+        request.rel_url, # $ tainted
 
-        request.forwarded, # $ MISSING: tainted
+        request.forwarded, # $ tainted
 
-        request.host, # $ MISSING: tainted
-        request.remote, # $ MISSING: tainted
-        request.path, # $ MISSING: tainted
-        request.path_qs, # $ MISSING: tainted
-        request.raw_path, # $ MISSING: tainted
+        request.host, # $ tainted
+        request.remote, # $ tainted
+        request.path, # $ tainted
+        request.path_qs, # $ tainted
+        request.raw_path, # $ tainted
 
         # multidict.MultiDictProxy[str]
         # see https://multidict.readthedocs.io/en/stable/multidict.html#multidict.MultiDictProxy
         # TODO: Should have a better way to capture that we in fact _do_ model this as a
         # an instance of the right class, and have the actual taint_test for that in a
         # different file!
-        request.query, # $ MISSING: tainted
-        request.query["key"], # $ MISSING: tainted
-        request.query.get("key"), # $ MISSING: tainted
+        request.query, # $ tainted
+        request.query["key"], # $ tainted
+        request.query.get("key"), # $ tainted
         request.query.getone("key"), # $ MISSING: tainted
         request.query.getall("key"), # $ MISSING: tainted
         request.query.keys(), # $ MISSING: tainted
-        request.query.values(), # $ MISSING: tainted
-        request.query.items(), # $ MISSING: tainted
-        request.query.copy(), # $ MISSING: tainted
-        list(request.query), # $ MISSING: tainted
-        iter(request.query), # $ MISSING: tainted
+        request.query.values(), # $ tainted
+        request.query.items(), # $ tainted
+        request.query.copy(), # $ tainted
+        list(request.query), # $ tainted
+        iter(request.query), # $ tainted
 
         # multidict.CIMultiDictProxy[str]
         # see https://multidict.readthedocs.io/en/stable/multidict.html#multidict.CIMultiDictProxy
         # TODO: Should have a better way to capture that we in fact _do_ model this as a
         # an instance of the right class, and have the actual taint_test for that in a
         # different file!
-        request.headers, # $ MISSING: tainted
-        request.query.getone("key"), # $ MISSING: tainted
+        request.headers, # $ tainted
+        request.headers.getone("key"), # $ MISSING: tainted
 
         # https://docs.python.org/3/library/asyncio-protocol.html#asyncio-transport
         # TODO
-        request.transport, # $ MISSING: tainted
+        request.transport, # $ tainted
         request.transport.get_extra_info("key"), # $ MISSING: tainted
 
         # dict-like (readonly)
-        request.cookies, # $ MISSING: tainted
-        request.cookies["key"], # $ MISSING: tainted
-        request.cookies.get("key"), # $ MISSING: tainted
+        request.cookies, # $ tainted
+        request.cookies["key"], # $ tainted
+        request.cookies.get("key"), # $ tainted
         request.cookies.keys(), # $ MISSING: tainted
-        request.cookies.values(), # $ MISSING: tainted
-        request.cookies.items(), # $ MISSING: tainted
-        list(request.cookies), # $ MISSING: tainted
-        iter(request.cookies), # $ MISSING: tainted
+        request.cookies.values(), # $ tainted
+        request.cookies.items(), # $ tainted
+        list(request.cookies), # $ tainted
+        iter(request.cookies), # $ tainted
 
 
         # aiohttp.StreamReader
         # see https://docs.aiohttp.org/en/stable/streams.html#aiohttp.StreamReader
         # TODO
-        request.content, # $ MISSING: tainted
-        request._payload, # $ MISSING: tainted
+        request.content, # $ tainted
+        request._payload, # $ tainted
 
-        request.body_exists, # $ MISSING: tainted
-        request.has_body, # $ MISSING: tainted
+        request.body_exists, # $ tainted
+        request.has_body, # $ tainted
 
-        request.content_type, # $ MISSING: tainted
-        request.charset, # $ MISSING: tainted
+        request.content_type, # $ tainted
+        request.charset, # $ tainted
 
-        request.http_range, # $ MISSING: tainted
+        request.http_range, # $ tainted
 
         # Optional[datetime]
-        request.if_modified_since, # $ MISSING: tainted
-        request.if_unmodified_since, # $ MISSING: tainted
-        request.if_range, # $ MISSING: tainted
+        request.if_modified_since, # $ tainted
+        request.if_unmodified_since, # $ tainted
+        request.if_range, # $ tainted
 
         request.clone(scheme="https"), # $ MISSING: tainted
 
@@ -182,7 +182,7 @@ async def test_taint(request: web.Request): # $ requestHandler
         request.url.with_fragment("foo"), # $ MISSING: tainted
         request.url.with_name("foo"), # $ MISSING: tainted
 
-        request.url.join(yarl.URL("wat.html")), # $ MISSING: tainted
+        request.url.join(yarl.URL("wat.html")), # $ tainted
 
         request.url.human_repr(), # $ MISSING: tainted
     )

From 597a9dfc80051c3652132a2ecf59f9808ded98be Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 26 May 2021 15:57:02 +0200
Subject: [PATCH 1282/1429] Python: Don't consider has_body tainted

Although it technically is, I think it belong in the section of things
that are unlikely to be exploitable
---
 python/ql/src/semmle/python/frameworks/Aiohttp.qll          | 5 ++---
 .../ql/test/library-tests/frameworks/aiohttp/taint_test.py  | 6 +++---
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Aiohttp.qll b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
index 7e2c9dc8424..1a2a8e64bf5 100644
--- a/python/ql/src/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -224,9 +224,8 @@ module AiohttpWebModel {
       nodeTo.(DataFlow::AttrRead).getObject() = nodeFrom and
       nodeTo.(DataFlow::AttrRead).getAttributeName() in [
           "url", "rel_url", "forwarded", "host", "remote", "path", "path_qs", "raw_path", "query",
-          "headers", "transport", "cookies", "content", "_payload", "body_exists", "has_body",
-          "content_type", "charset", "http_range", "if_modified_since", "if_unmodified_since",
-          "if_range"
+          "headers", "transport", "cookies", "content", "_payload", "content_type", "charset",
+          "http_range", "if_modified_since", "if_unmodified_since", "if_range"
         ]
     }
   }
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
index 39c814564ce..a3d0e30fb42 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -66,9 +66,6 @@ async def test_taint(request: web.Request): # $ requestHandler
         request.content, # $ tainted
         request._payload, # $ tainted
 
-        request.body_exists, # $ tainted
-        request.has_body, # $ tainted
-
         request.content_type, # $ tainted
         request.charset, # $ tainted
 
@@ -116,6 +113,9 @@ async def test_taint(request: web.Request): # $ requestHandler
         request.keep_alive,
 
         request.content_length,
+        request.body_exists,
+        request.has_body,
+        request.can_read_body,
     )
 
     ensure_not_tainted(

From 63c7fa0c2ca12453c1a1fea16bd85c2ec55a23ea Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 26 May 2021 16:05:36 +0200
Subject: [PATCH 1283/1429] Python: aiohttp match_info should be tainted

Whoops
---
 python/ql/src/semmle/python/frameworks/Aiohttp.qll          | 2 +-
 .../ql/test/library-tests/frameworks/aiohttp/taint_test.py  | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Aiohttp.qll b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
index 1a2a8e64bf5..6455bf79c3c 100644
--- a/python/ql/src/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -225,7 +225,7 @@ module AiohttpWebModel {
       nodeTo.(DataFlow::AttrRead).getAttributeName() in [
           "url", "rel_url", "forwarded", "host", "remote", "path", "path_qs", "raw_path", "query",
           "headers", "transport", "cookies", "content", "_payload", "content_type", "charset",
-          "http_range", "if_modified_since", "if_unmodified_since", "if_range"
+          "http_range", "if_modified_since", "if_unmodified_since", "if_range", "match_info"
         ]
     }
   }
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
index a3d0e30fb42..33cee33c3a5 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -19,6 +19,11 @@ async def test_taint(request: web.Request): # $ requestHandler
         request.path_qs, # $ tainted
         request.raw_path, # $ tainted
 
+        # dict-like for captured parts of the URL
+        request.match_info, # $ tainted
+        request.match_info["key"], # $ tainted
+        request.match_info.get("key"), # $ tainted
+
         # multidict.MultiDictProxy[str]
         # see https://multidict.readthedocs.io/en/stable/multidict.html#multidict.MultiDictProxy
         # TODO: Should have a better way to capture that we in fact _do_ model this as a
@@ -121,7 +126,6 @@ async def test_taint(request: web.Request): # $ requestHandler
     ensure_not_tainted(
         request.loop,
 
-        request.match_info,
         request.app,
         request.config_dict,
     )

From dd131e6bf79c6458d1eece2c9e27d2abe1189edb Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 27 May 2021 10:28:07 +0200
Subject: [PATCH 1284/1429] Python: Add taint-step for methods on
 aiohttp.web.Request

---
 .../src/semmle/python/frameworks/Aiohttp.qll  | 21 ++++++++++++++-----
 .../frameworks/aiohttp/taint_test.py          | 14 ++++++-------
 2 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Aiohttp.qll b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
index 6455bf79c3c..6f36f31a5b9 100644
--- a/python/ql/src/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -211,12 +211,23 @@ module AiohttpWebModel {
   private class AiohttpRequestAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
     override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
       // Methods
-      exists(string method_name | method_name in ["TODO"] |
-        // Method access (obj -> obj.meth)
-        none()
+      //
+      // TODO: When we have tools that make it easy, model these properly to handle
+      // `meth = obj.meth; meth()`. Until then, we'll use this more syntactic approach
+      // (since it allows us to at least capture the most common cases).
+      nodeFrom = Request::instance() and
+      exists(DataFlow::AttrRead attr | attr.getObject() = nodeFrom |
+        // normal methods
+        attr.getAttributeName() in ["clone", "get_extra_info"] and
+        nodeTo.(DataFlow::CallCfgNode).getFunction() = attr
         or
-        // Method call (obj.meth -> obj.meth())
-        none()
+        // async methods
+        exists(Await await, DataFlow::CallCfgNode call |
+          attr.getAttributeName() in ["read", "text", "json", "multipart", "post"] and
+          call.getFunction() = attr and
+          await.getValue() = call.asExpr() and
+          nodeTo.asExpr() = await
+        )
       )
       or
       // Attributes
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
index 33cee33c3a5..e16a2d79d66 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -81,25 +81,25 @@ async def test_taint(request: web.Request): # $ requestHandler
         request.if_unmodified_since, # $ tainted
         request.if_range, # $ tainted
 
-        request.clone(scheme="https"), # $ MISSING: tainted
+        request.clone(scheme="https"), # $ tainted
 
         # TODO: like request.transport.get_extra_info
-        request.get_extra_info("key"), # $ MISSING: tainted
+        request.get_extra_info("key"), # $ tainted
 
         # bytes
-        await request.read(), # $ MISSING: tainted
+        await request.read(), # $ tainted
 
         # str
-        await request.text(), # $ MISSING: tainted
+        await request.text(), # $ tainted
 
         # obj
-        await request.json(), # $ MISSING: tainted
+        await request.json(), # $ tainted
 
         # aiohttp.multipart.MultipartReader
-        await request.multipart(), # $ MISSING: tainted
+        await request.multipart(), # $ tainted
 
         # multidict.MultiDictProxy[str]
-        await request.post(), # $ MISSING: tainted
+        await request.post(), # $ tainted
         (await request.post()).getone("key"), # $ MISSING: tainted
     )
 

From e76f02b016cadd7f2a5852d665b91b37a686b40a Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 27 May 2021 10:29:39 +0200
Subject: [PATCH 1285/1429] Python: Minor refactor to use LocalSourceNode

This just more correctly reflects the reality, since the type-tracking
predicate just below only holds for LocalSourceNode anyway.
---
 python/ql/src/semmle/python/frameworks/Aiohttp.qll | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/frameworks/Aiohttp.qll b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
index 6f36f31a5b9..074c64dae8f 100644
--- a/python/ql/src/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -159,7 +159,7 @@ module AiohttpWebModel {
      * Use `Request::instance()` predicate to get
      * references to instances of `aiohttp.web.Request`.
      */
-    abstract class InstanceSource extends DataFlow::Node { }
+    abstract class InstanceSource extends DataFlow::LocalSourceNode { }
 
     /** Gets a reference to an instance of `aiohttp.web.Request`. */
     private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
@@ -240,4 +240,6 @@ module AiohttpWebModel {
         ]
     }
   }
+
+
 }

From 72e6a1489c047d9a169695964923cd2f952cdfa2 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 27 May 2021 10:49:50 +0200
Subject: [PATCH 1286/1429] Python: Add taint-steps for MultiDictProxy

---
 docs/codeql/support/reusables/frameworks.rst  |  3 +-
 python/ql/src/semmle/python/Frameworks.qll    |  1 +
 .../src/semmle/python/frameworks/Aiohttp.qll  |  8 ++-
 .../semmle/python/frameworks/Multidict.qll    | 72 +++++++++++++++++++
 .../frameworks/aiohttp/taint_test.py          |  6 +-
 5 files changed, 85 insertions(+), 5 deletions(-)
 create mode 100644 python/ql/src/semmle/python/frameworks/Multidict.qll

diff --git a/docs/codeql/support/reusables/frameworks.rst b/docs/codeql/support/reusables/frameworks.rst
index 41680cffe0e..ac93993ec7d 100644
--- a/docs/codeql/support/reusables/frameworks.rst
+++ b/docs/codeql/support/reusables/frameworks.rst
@@ -161,8 +161,9 @@ Python built-in support
    simplejson, Serialization
    ujson, Serialization
    fabric, Utility library
-   invoke, Utility library
    idna, Utility library
+   invoke, Utility library
+   multidict, Utility library
    mysql-connector-python, Database
    MySQLdb, Database
    psycopg2, Database
diff --git a/python/ql/src/semmle/python/Frameworks.qll b/python/ql/src/semmle/python/Frameworks.qll
index 172f3d11bfb..065ec5d69f9 100644
--- a/python/ql/src/semmle/python/Frameworks.qll
+++ b/python/ql/src/semmle/python/Frameworks.qll
@@ -13,6 +13,7 @@ private import semmle.python.frameworks.Fabric
 private import semmle.python.frameworks.Flask
 private import semmle.python.frameworks.Idna
 private import semmle.python.frameworks.Invoke
+private import semmle.python.frameworks.Multidict
 private import semmle.python.frameworks.MysqlConnectorPython
 private import semmle.python.frameworks.MySQLdb
 private import semmle.python.frameworks.Psycopg2
diff --git a/python/ql/src/semmle/python/frameworks/Aiohttp.qll b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
index 074c64dae8f..0f2d3d5d18c 100644
--- a/python/ql/src/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -10,6 +10,7 @@ private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.internal.PoorMansFunctionResolution
+private import semmle.python.frameworks.Multidict
 
 /**
  * INTERNAL: Do not use.
@@ -241,5 +242,10 @@ module AiohttpWebModel {
     }
   }
 
-
+  class AiohttpRequestMultiDictProxyInstances extends Multidict::MultiDictProxy::InstanceSource {
+    AiohttpRequestMultiDictProxyInstances() {
+      this.(DataFlow::AttrRead).getObject() = Request::instance() and
+      this.(DataFlow::AttrRead).getAttributeName() in ["query", "headers"]
+    }
+  }
 }
diff --git a/python/ql/src/semmle/python/frameworks/Multidict.qll b/python/ql/src/semmle/python/frameworks/Multidict.qll
new file mode 100644
index 00000000000..7a2c2bf0751
--- /dev/null
+++ b/python/ql/src/semmle/python/frameworks/Multidict.qll
@@ -0,0 +1,72 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `multidict` PyPI package.
+ * See https://multidict.readthedocs.io/en/stable/.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides models for the `multidict` PyPI package.
+ * See https://multidict.readthedocs.io/en/stable/.
+ */
+module Multidict {
+  /**
+   * Provides models for a `MultiDictProxy` class:
+   * - `multidict.MultiDictProxy`
+   * - `multidict.CIMultiDictProxy`
+   *
+   * See https://multidict.readthedocs.io/en/stable/multidict.html#multidictproxy
+   */
+  module MultiDictProxy {
+    /**
+     * A source of instances of `multidict.MultiDictProxy`, extend this class to model
+     * new instances.
+     *
+     * This can include instantiations of the class, return values from function
+     * calls, or a special parameter that will be set when functions are called by an external
+     * library.
+     *
+     * Use `MultiDictProxy::instance()` predicate to get
+     * references to instances of `multidict.MultiDictProxy`.
+     */
+    abstract class InstanceSource extends DataFlow::LocalSourceNode { }
+
+    /** Gets a reference to an instance of `multidict.MultiDictProxy`. */
+    private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
+      t.start() and
+      result instanceof InstanceSource
+      or
+      exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
+    }
+
+    /** Gets a reference to an instance of `multidict.MultiDictProxy`. */
+    DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
+
+    /**
+     * Taint propagation for `multidict.MultiDictProxy`.
+     *
+     * See https://multidict.readthedocs.io/en/stable/multidict.html#multidictproxy
+     */
+    class MultiDictProxyAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
+      override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+        // Methods
+        //
+        // TODO: When we have tools that make it easy, model these properly to handle
+        // `meth = obj.meth; meth()`. Until then, we'll use this more syntactic approach
+        // (since it allows us to at least capture the most common cases).
+        nodeFrom = instance() and
+        exists(DataFlow::AttrRead attr | attr.getObject() = nodeFrom |
+          // methods (non-async)
+          attr.getAttributeName() in ["getone", "getall"] and
+          nodeTo.(DataFlow::CallCfgNode).getFunction() = attr
+        )
+      }
+    }
+  }
+}
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
index e16a2d79d66..eab09f17e74 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -32,8 +32,8 @@ async def test_taint(request: web.Request): # $ requestHandler
         request.query, # $ tainted
         request.query["key"], # $ tainted
         request.query.get("key"), # $ tainted
-        request.query.getone("key"), # $ MISSING: tainted
-        request.query.getall("key"), # $ MISSING: tainted
+        request.query.getone("key"), # $ tainted
+        request.query.getall("key"), # $ tainted
         request.query.keys(), # $ MISSING: tainted
         request.query.values(), # $ tainted
         request.query.items(), # $ tainted
@@ -47,7 +47,7 @@ async def test_taint(request: web.Request): # $ requestHandler
         # an instance of the right class, and have the actual taint_test for that in a
         # different file!
         request.headers, # $ tainted
-        request.headers.getone("key"), # $ MISSING: tainted
+        request.headers.getone("key"), # $ tainted
 
         # https://docs.python.org/3/library/asyncio-protocol.html#asyncio-transport
         # TODO

From fb21bc04fa5c5d6996d387c99e1e7f3d22891252 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 27 May 2021 20:23:36 +0200
Subject: [PATCH 1287/1429] Python: Add taint-steps for `yarl.URL`

---
 docs/codeql/support/reusables/frameworks.rst  |   1 +
 python/ql/src/semmle/python/Frameworks.qll    |   1 +
 .../src/semmle/python/frameworks/Aiohttp.qll  |   8 ++
 .../ql/src/semmle/python/frameworks/Yarl.qll  | 110 ++++++++++++++++++
 .../frameworks/aiohttp/taint_test.py          |  75 ++++++------
 5 files changed, 158 insertions(+), 37 deletions(-)
 create mode 100644 python/ql/src/semmle/python/frameworks/Yarl.qll

diff --git a/docs/codeql/support/reusables/frameworks.rst b/docs/codeql/support/reusables/frameworks.rst
index ac93993ec7d..d39b85931ce 100644
--- a/docs/codeql/support/reusables/frameworks.rst
+++ b/docs/codeql/support/reusables/frameworks.rst
@@ -164,6 +164,7 @@ Python built-in support
    idna, Utility library
    invoke, Utility library
    multidict, Utility library
+   yarl, Utility library
    mysql-connector-python, Database
    MySQLdb, Database
    psycopg2, Database
diff --git a/python/ql/src/semmle/python/Frameworks.qll b/python/ql/src/semmle/python/Frameworks.qll
index 065ec5d69f9..523f844954b 100644
--- a/python/ql/src/semmle/python/Frameworks.qll
+++ b/python/ql/src/semmle/python/Frameworks.qll
@@ -23,3 +23,4 @@ private import semmle.python.frameworks.Stdlib
 private import semmle.python.frameworks.Tornado
 private import semmle.python.frameworks.Ujson
 private import semmle.python.frameworks.Yaml
+private import semmle.python.frameworks.Yarl
diff --git a/python/ql/src/semmle/python/frameworks/Aiohttp.qll b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
index 0f2d3d5d18c..c6616b93712 100644
--- a/python/ql/src/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -11,6 +11,7 @@ private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.internal.PoorMansFunctionResolution
 private import semmle.python.frameworks.Multidict
+private import semmle.python.frameworks.Yarl
 
 /**
  * INTERNAL: Do not use.
@@ -248,4 +249,11 @@ module AiohttpWebModel {
       this.(DataFlow::AttrRead).getAttributeName() in ["query", "headers"]
     }
   }
+
+  class AiohttpRequestYarlUrlInstances extends Yarl::Url::InstanceSource {
+    AiohttpRequestYarlUrlInstances() {
+      this.(DataFlow::AttrRead).getObject() = Request::instance() and
+      this.(DataFlow::AttrRead).getAttributeName() in ["url", "rel_url"]
+    }
+  }
 }
diff --git a/python/ql/src/semmle/python/frameworks/Yarl.qll b/python/ql/src/semmle/python/frameworks/Yarl.qll
new file mode 100644
index 00000000000..a998d8e0ca1
--- /dev/null
+++ b/python/ql/src/semmle/python/frameworks/Yarl.qll
@@ -0,0 +1,110 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `yarl` PyPI package.
+ * See https://yarl.readthedocs.io/en/stable/.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.Multidict
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides models for the `yarl` PyPI package.
+ * See https://multidict.readthedocs.io/en/stable/.
+ */
+module Yarl {
+  /**
+   * Provides models for a the `yarl.URL` class:
+   *
+   * See https://yarl.readthedocs.io/en/stable/api.html#yarl.URL
+   */
+  module Url {
+    /**
+     * A source of instances of `yarl.URL`, extend this class to model new instances.
+     *
+     * This can include instantiations of the class, return values from function
+     * calls, or a special parameter that will be set when functions are called by an external
+     * library.
+     *
+     * Use `Url::instance()` predicate to get references to instances of `yarl.URL`.
+     */
+    abstract class InstanceSource extends DataFlow::LocalSourceNode { }
+
+    /** Gets a reference to an instance of `yarl.URL`. */
+    private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
+      t.start() and
+      result instanceof InstanceSource
+      or
+      exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
+    }
+
+    /** Gets a reference to an instance of `yarl.URL`. */
+    DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
+
+    /**
+     * Taint propagation for `yarl.URL`.
+     *
+     * See https://yarl.readthedocs.io/en/stable/api.html#yarl.URL
+     */
+    class YarlUrlAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
+      override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+        // Methods
+        //
+        // TODO: When we have tools that make it easy, model these properly to handle
+        // `meth = obj.meth; meth()`. Until then, we'll use this more syntactic approach
+        // (since it allows us to at least capture the most common cases).
+        exists(DataFlow::AttrRead attr |
+          // methods (that replaces part of URL, taken as only arguments)
+          attr.getAttributeName() in [
+              "with_scheme", "with_user", "with_password", "with_host", "with_port", "with_path",
+              "with_query", "with_query", "update_query", "update_query", "with_fragment",
+              "with_name",
+              // join is a bit different, but is still correct to add here :+1:
+              "join"
+            ] and
+          (
+            // obj -> obj.meth()
+            nodeFrom = instance() and
+            attr.getObject() = nodeFrom and
+            nodeTo.(DataFlow::CallCfgNode).getFunction() = attr
+            or
+            // argument of obj.meth() -> obj.meth()
+            attr.getObject() = instance() and
+            nodeTo.(DataFlow::CallCfgNode).getFunction() = attr and
+            nodeFrom in [
+                nodeTo.(DataFlow::CallCfgNode).getArg(_),
+                nodeTo.(DataFlow::CallCfgNode).getArgByName(_)
+              ]
+          )
+          or
+          // other methods
+          nodeFrom = instance() and
+          attr.getObject() = nodeFrom and
+          attr.getAttributeName() in ["human_repr"] and
+          nodeTo.(DataFlow::CallCfgNode).getFunction() = attr
+        )
+        or
+        // Attributes
+        nodeFrom = instance() and
+        nodeTo.(DataFlow::AttrRead).getObject() = nodeFrom and
+        nodeTo.(DataFlow::AttrRead).getAttributeName() in [
+            "user", "raw_user", "password", "raw_password", "host", "raw_host", "port",
+            "explicit_port", "authority", "raw_authority", "path", "raw_path", "path_qs",
+            "raw_path_qs", "query_string", "raw_query_string", "fragment", "raw_fragment", "parts",
+            "raw_parts", "name", "raw_name", "query"
+          ]
+      }
+    }
+
+    class YarlUrlMultiDictProxyInstance extends Multidict::MultiDictProxy::InstanceSource {
+      YarlUrlMultiDictProxyInstance() {
+        this.(DataFlow::AttrRead).getObject() = Yarl::Url::instance() and
+        this.(DataFlow::AttrRead).getAttributeName() = "query"
+      }
+    }
+  }
+}
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
index eab09f17e74..30e42cc3f3b 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -136,59 +136,60 @@ async def test_taint(request: web.Request): # $ requestHandler
     import yarl
 
     ensure_tainted(
-        request.url.user, # $ MISSING: tainted
-        request.url.raw_user, # $ MISSING: tainted
+        # see https://yarl.readthedocs.io/en/stable/api.html#yarl.URL
+        request.url.user, # $ tainted
+        request.url.raw_user, # $ tainted
 
-        request.url.password, # $ MISSING: tainted
-        request.url.raw_password, # $ MISSING: tainted
+        request.url.password, # $ tainted
+        request.url.raw_password, # $ tainted
 
-        request.url.host, # $ MISSING: tainted
-        request.url.raw_host, # $ MISSING: tainted
+        request.url.host, # $ tainted
+        request.url.raw_host, # $ tainted
 
-        request.url.port, # $ MISSING: tainted
-        request.url.explicit_port, # $ MISSING: tainted
+        request.url.port, # $ tainted
+        request.url.explicit_port, # $ tainted
 
-        request.url.authority, # $ MISSING: tainted
-        request.url.raw_authority, # $ MISSING: tainted
+        request.url.authority, # $ tainted
+        request.url.raw_authority, # $ tainted
 
-        request.url.path, # $ MISSING: tainted
-        request.url.raw_path, # $ MISSING: tainted
+        request.url.path, # $ tainted
+        request.url.raw_path, # $ tainted
 
-        request.url.path_qs, # $ MISSING: tainted
-        request.url.raw_path_qs, # $ MISSING: tainted
+        request.url.path_qs, # $ tainted
+        request.url.raw_path_qs, # $ tainted
 
-        request.url.query_string, # $ MISSING: tainted
-        request.url.raw_query_string, # $ MISSING: tainted
+        request.url.query_string, # $ tainted
+        request.url.raw_query_string, # $ tainted
 
-        request.url.fragment, # $ MISSING: tainted
-        request.url.raw_fragment, # $ MISSING: tainted
+        request.url.fragment, # $ tainted
+        request.url.raw_fragment, # $ tainted
 
-        request.url.parts, # $ MISSING: tainted
-        request.url.raw_parts, # $ MISSING: tainted
+        request.url.parts, # $ tainted
+        request.url.raw_parts, # $ tainted
 
-        request.url.name, # $ MISSING: tainted
-        request.url.raw_name, # $ MISSING: tainted
+        request.url.name, # $ tainted
+        request.url.raw_name, # $ tainted
 
         # multidict.MultiDictProxy[str]
-        request.url.query, # $ MISSING: tainted
-        request.url.query.getone("key"), # $ MISSING: tainted
+        request.url.query, # $ tainted
+        request.url.query.getone("key"), # $ tainted
 
-        request.url.with_scheme("foo"), # $ MISSING: tainted
-        request.url.with_user("foo"), # $ MISSING: tainted
-        request.url.with_password("foo"), # $ MISSING: tainted
-        request.url.with_host("foo"), # $ MISSING: tainted
-        request.url.with_port("foo"), # $ MISSING: tainted
-        request.url.with_path("foo"), # $ MISSING: tainted
-        request.url.with_query({"foo": 42}), # $ MISSING: tainted
-        request.url.with_query(foo=42), # $ MISSING: tainted
-        request.url.update_query({"foo": 42}), # $ MISSING: tainted
-        request.url.update_query(foo=42), # $ MISSING: tainted
-        request.url.with_fragment("foo"), # $ MISSING: tainted
-        request.url.with_name("foo"), # $ MISSING: tainted
+        request.url.with_scheme("foo"), # $ tainted
+        request.url.with_user("foo"), # $ tainted
+        request.url.with_password("foo"), # $ tainted
+        request.url.with_host("foo"), # $ tainted
+        request.url.with_port("foo"), # $ tainted
+        request.url.with_path("foo"), # $ tainted
+        request.url.with_query({"foo": 42}), # $ tainted
+        request.url.with_query(foo=42), # $ tainted
+        request.url.update_query({"foo": 42}), # $ tainted
+        request.url.update_query(foo=42), # $ tainted
+        request.url.with_fragment("foo"), # $ tainted
+        request.url.with_name("foo"), # $ tainted
 
         request.url.join(yarl.URL("wat.html")), # $ tainted
 
-        request.url.human_repr(), # $ MISSING: tainted
+        request.url.human_repr(), # $ tainted
     )
 
 

From 1aa222d7ccfafb8c7caaba18c00875325ffaf0db Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 1 Jun 2021 12:59:37 +0200
Subject: [PATCH 1288/1429] Python: Add taint-test for class-based view

---
 .../test/library-tests/frameworks/aiohttp/taint_test.py   | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
index 30e42cc3f3b..16d4fc27412 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -193,8 +193,16 @@ async def test_taint(request: web.Request): # $ requestHandler
     )
 
 
+class TaintTestClass(web.View):
+    def get(self):
+        ensure_tainted(
+            self.request, # $ MISSING: tainted
+        )
+
+
 app = web.Application()
 app.router.add_get(r"/test_taint/{name}/{number:\d+}", test_taint)  # $ routeSetup="/test_taint/{name}/{number:\d+}"
+app.router.add_view(r"/test_taint_class", TaintTestClass)  # $ routeSetup="/test_taint_class"
 
 
 if __name__ == "__main__":

From 8c039d56881ea381d65e018faadb71b8b5d4b21f Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 1 Jun 2021 13:13:04 +0200
Subject: [PATCH 1289/1429] Python: Add more aiohttp view routing tests

---
 .../frameworks/aiohttp/routing_test.py              | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py b/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
index 880a7f8cb87..ffd339a4d1a 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
@@ -109,6 +109,19 @@ if True:
 
     app.router.add_view("/MyWebView3", MyWebView3)  # $ MISSING: routeSetup
 
+    # no route-setup
+    class MyWebViewNoRoute(web.View):
+        async def get(self):  # $ MISSING: requestHandler
+            return web.Response(text="MyWebViewNoRoute.get")
+
+    if len(__name__) < 0: # avoid running, but fool analysis to not consider dead code
+        # no explicit-view subclass (but route-setup)
+        class MyWebViewNoSubclassButRoute(somelib.someclass):
+            async def get(self):  # $ MISSING: requestHandler
+                return web.Response(text="MyWebViewNoSubclassButRoute.get")
+
+        app.router.add_view("/MyWebViewNoSubclassButRoute", MyWebViewNoSubclassButRoute)  # $ MISSING: routeSetup
+
 ## =================== ##
 ## "Routed parameters" ##
 ## =================== ##

From c4b618dcf5d3b54a85208ffba9ba5c0a7ece0879 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 1 Jun 2021 17:21:41 +0200
Subject: [PATCH 1290/1429] Python: Model view-classes in aiohttp.web

No taint modeling of them yet though
---
 .../src/semmle/python/frameworks/Aiohttp.qll  | 150 +++++++++++++++++-
 .../frameworks/aiohttp/routing_test.py        |  18 +--
 .../frameworks/aiohttp/taint_test.py          |   2 +-
 3 files changed, 158 insertions(+), 12 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Aiohttp.qll b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
index c6616b93712..8ea5121d25c 100644
--- a/python/ql/src/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -20,6 +20,19 @@ private import semmle.python.frameworks.Yarl
  * See https://docs.aiohttp.org/en/stable/web.html
  */
 module AiohttpWebModel {
+  /**
+   * Provides models for the `aiohttp.web.View` class and subclasses.
+   *
+   * See https://docs.aiohttp.org/en/stable/web_reference.html#view.
+   */
+  module View {
+    /** Gets a reference to the `flask.views.View` class or any subclass. */
+    API::Node subclassRef() {
+      result = API::moduleImport("aiohttp").getMember("web").getMember("View").getASubclass*()
+    }
+  }
+
+  // -- route modeling --
   /** Gets a reference to a `aiohttp.web.Application` instance. */
   API::Node applicationInstance() {
     // Not sure whether you're allowed to add routes _after_ starting the app, for
@@ -36,7 +49,6 @@ module AiohttpWebModel {
     result = applicationInstance().getMember("router")
   }
 
-  // -- route modeling --
   /** A route setup in `aiohttp.web` */
   abstract class AiohttpRouteSetup extends HTTP::Server::RouteSetup::Range {
     override Parameter getARoutedParameter() { none() }
@@ -54,6 +66,50 @@ module AiohttpWebModel {
     }
   }
 
+  /**
+   * Gets a reference to a class, that has been backtracked from the view-class handler
+   * argument `origin` (to a route-setup for view-classes).
+   */
+  private DataFlow::LocalSourceNode viewClassBackTracker(
+    DataFlow::TypeBackTracker t, DataFlow::Node origin
+  ) {
+    t.start() and
+    origin = any(AiohttpViewRouteSetup rs).getViewClassArg() and
+    result = origin.getALocalSource()
+    or
+    exists(DataFlow::TypeBackTracker t2 |
+      result = viewClassBackTracker(t2, origin).backtrack(t2, t)
+    )
+  }
+
+  /**
+   * Gets a reference to a class, that has been backtracked from the view-class handler
+   * argument `origin` (to a route-setup for view-classes).
+   */
+  DataFlow::LocalSourceNode viewClassBackTracker(DataFlow::Node origin) {
+    result = viewClassBackTracker(DataFlow::TypeBackTracker::end(), origin)
+  }
+
+  Class getBackTrackedViewClass(DataFlow::Node origin) {
+    result.getParent() = viewClassBackTracker(origin).asExpr()
+  }
+
+  /** An aiohttp route setup that uses view-classes as request handlers. */
+  abstract class AiohttpViewRouteSetup extends AiohttpRouteSetup {
+    /** Gets the argument specifying the view-class handler. */
+    abstract DataFlow::Node getViewClassArg();
+
+    /** Gets the view-class that is referenced in the view-class handler argument. */
+    Class getViewClass() { result = getBackTrackedViewClass(this.getViewClassArg()) }
+
+    override Function getARequestHandler() {
+      exists(AiohttpViewClass cls |
+        cls = this.getViewClass() and
+        result = cls.getARequestHandler()
+      )
+    }
+  }
+
   /**
    * A route-setup from `add_route` or any of `add_get`, `add_post`, etc. on an
    *    `aiohttp.web.UrlDispatcher`.
@@ -142,6 +198,91 @@ module AiohttpWebModel {
     override Function getARequestHandler() { result.getADecorator() = this.asExpr() }
   }
 
+  /**
+   * A view-class route-setup from either:
+   * - `add_view` method on a `aiohttp.web.UrlDispatcher`
+   * - `view` function from `aiohttp.web`
+   */
+  class AiohttpViewRouteSetupFromFunction extends AiohttpViewRouteSetup, DataFlow::CallCfgNode {
+    AiohttpViewRouteSetupFromFunction() {
+      this = urlDispathcerInstance().getMember("add_view").getACall()
+      or
+      this = API::moduleImport("aiohttp").getMember("web").getMember("view").getACall()
+      or
+      this =
+        API::moduleImport("aiohttp")
+            .getMember("web")
+            .getMember("RouteTableDef")
+            .getReturn()
+            .getMember("view")
+            .getACall()
+    }
+
+    override DataFlow::Node getUrlPatternArg() {
+      result in [this.getArg(0), this.getArgByName("path")]
+    }
+
+    override DataFlow::Node getViewClassArg() {
+      result in [this.getArg(1), this.getArgByName("handler")]
+    }
+  }
+
+  /**
+   * A view-class route-setup from the `view` decorator from a `aiohttp.web.RouteTableDef`.
+   */
+  class AiohttpViewRouteSetupFromDecorator extends AiohttpViewRouteSetup, DataFlow::CallCfgNode {
+    AiohttpViewRouteSetupFromDecorator() {
+      this =
+        API::moduleImport("aiohttp")
+            .getMember("web")
+            .getMember("RouteTableDef")
+            .getReturn()
+            .getMember("view")
+            .getACall()
+    }
+
+    override DataFlow::Node getUrlPatternArg() {
+      result in [this.getArg(0), this.getArgByName("path")]
+    }
+
+    override DataFlow::Node getViewClassArg() { none() }
+
+    override Class getViewClass() { result.getADecorator() = this.asExpr() }
+  }
+
+  /** A class that we consider a aiohttp.web View class. */
+  abstract class AiohttpViewClass extends Class {
+    /** Gets a function that could handle incoming requests, if any. */
+    Function getARequestHandler() {
+      // TODO: This doesn't handle attribute assignment. Should be OK, but analysis is not as complete as with
+      // points-to and `.lookup`, which would handle `post = my_post_handler` inside class def
+      result = this.getAMethod() and
+      result.getName() = HTTP::httpVerbLower()
+    }
+  }
+
+  /** A class that has a super-type which is a aiohttp.web View class. */
+  class AiohttpViewClassFromSuperClass extends AiohttpViewClass {
+    AiohttpViewClassFromSuperClass() { this.getABase() = View::subclassRef().getAUse().asExpr() }
+  }
+
+  /** A class that is used in a route-setup, therefore being considered a aiohttp.web View class. */
+  class AiohttpViewClassFromRouteSetup extends AiohttpViewClass {
+    AiohttpViewClassFromRouteSetup() { this = any(AiohttpViewRouteSetup rs).getViewClass() }
+  }
+
+  /** A request handler defined in an `aiohttp.web` view class, that has no known route. */
+  private class AiohttpViewClassRequestHandlerWithoutKnownRoute extends HTTP::Server::RequestHandler::Range {
+    AiohttpViewClassRequestHandlerWithoutKnownRoute() {
+      exists(AiohttpViewClass vc | vc.getARequestHandler() = this) and
+      not exists(AiohttpRouteSetup setup | setup.getARequestHandler() = this)
+    }
+
+    override Parameter getARoutedParameter() { none() }
+
+    override string getFramework() { result = "aiohttp.web" }
+  }
+
   // ---------------------------------------------------------------------------
   // aiohttp.web.Request taint modeling
   // ---------------------------------------------------------------------------
@@ -183,7 +324,7 @@ module AiohttpWebModel {
     DataFlow::ParameterNode {
     AiohttpRequestHandlerRequestParam() {
       exists(Function requestHandler |
-        requestHandler = any(AiohttpRouteSetup setup).getARequestHandler() and
+        requestHandler = any(AiohttpCoroutineRouteSetup setup).getARequestHandler() and
         // We select the _last_ parameter for the request since that is what they do in
         // `aiohttp-jinja2`.
         // https://github.com/aio-libs/aiohttp-jinja2/blob/7fb4daf2c3003921d34031d38c2311ee0e02c18b/aiohttp_jinja2/__init__.py#L235
@@ -200,6 +341,11 @@ module AiohttpWebModel {
         this.getParameter() =
           max(Parameter param, int i | param = requestHandler.getArg(i) | param order by i)
       )
+      or
+      exists(AiohttpViewClass vc |
+        // TODO
+        none()
+      )
     }
 
     override string getSourceType() { result = "aiohttp.web.Request" }
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py b/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
index ffd339a4d1a..934d7673718 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
@@ -83,20 +83,20 @@ if True:
 
     # `app.add_routes` with list
     class MyWebView1(web.View):
-        async def get(self):  # $ MISSING: requestHandler
+        async def get(self):  # $ requestHandler
             return web.Response(text="MyWebView1.get")
 
     app.add_routes([
-        web.view("/MyWebView1", MyWebView1)   # $ MISSING: routeSetup
+        web.view("/MyWebView1", MyWebView1)   # $ routeSetup="/MyWebView1"
     ])
 
 
     # using decorator
     routes = web.RouteTableDef()
 
-    @routes.view("/MyWebView2")  # $ MISSING: routeSetup
+    @routes.view("/MyWebView2")  # $ routeSetup="/MyWebView2"
     class MyWebView2(web.View):
-        async def get(self):  # $ MISSING: requestHandler
+        async def get(self):  # $ requestHandler
             return web.Response(text="MyWebView2.get")
 
     app.add_routes(routes)
@@ -104,23 +104,23 @@ if True:
 
     # `app.router.add_view`
     class MyWebView3(web.View):
-        async def get(self):  # $ MISSING: requestHandler
+        async def get(self):  # $ requestHandler
             return web.Response(text="MyWebView3.get")
 
-    app.router.add_view("/MyWebView3", MyWebView3)  # $ MISSING: routeSetup
+    app.router.add_view("/MyWebView3", MyWebView3)  # $ routeSetup="/MyWebView3"
 
     # no route-setup
     class MyWebViewNoRoute(web.View):
-        async def get(self):  # $ MISSING: requestHandler
+        async def get(self):  # $ requestHandler
             return web.Response(text="MyWebViewNoRoute.get")
 
     if len(__name__) < 0: # avoid running, but fool analysis to not consider dead code
         # no explicit-view subclass (but route-setup)
         class MyWebViewNoSubclassButRoute(somelib.someclass):
-            async def get(self):  # $ MISSING: requestHandler
+            async def get(self):  # $ requestHandler
                 return web.Response(text="MyWebViewNoSubclassButRoute.get")
 
-        app.router.add_view("/MyWebViewNoSubclassButRoute", MyWebViewNoSubclassButRoute)  # $ MISSING: routeSetup
+        app.router.add_view("/MyWebViewNoSubclassButRoute", MyWebViewNoSubclassButRoute)  # $ routeSetup="/MyWebViewNoSubclassButRoute"
 
 ## =================== ##
 ## "Routed parameters" ##
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
index 16d4fc27412..28ff33b15a6 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -194,7 +194,7 @@ async def test_taint(request: web.Request): # $ requestHandler
 
 
 class TaintTestClass(web.View):
-    def get(self):
+    def get(self): # $ requestHandler
         ensure_tainted(
             self.request, # $ MISSING: tainted
         )

From c69b85766261e64b47707f76ae1bf0dd0e3f6168 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 1 Jun 2021 17:32:56 +0200
Subject: [PATCH 1291/1429] Python: Add self.request as RemoteFlowSource for
 aiohttp View

Just like we do for Django in
https://github.com/github/codeql/blob/7393443f8ca0b51a55f2aa5cca9595ab35fb92dc/python/ql/src/semmle/python/frameworks/Django.qll#L1786-L1804
---
 .../src/semmle/python/frameworks/Aiohttp.qll  | 20 +++++++---
 .../src/semmle/python/frameworks/Django.qll   | 25 +-----------
 .../frameworks/internal/SelfRefMixin.qll      | 38 +++++++++++++++++++
 .../frameworks/aiohttp/taint_test.py          |  3 +-
 4 files changed, 55 insertions(+), 31 deletions(-)
 create mode 100644 python/ql/src/semmle/python/frameworks/internal/SelfRefMixin.qll

diff --git a/python/ql/src/semmle/python/frameworks/Aiohttp.qll b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
index 8ea5121d25c..3a8989e2c4c 100644
--- a/python/ql/src/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -10,6 +10,7 @@ private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.internal.PoorMansFunctionResolution
+private import semmle.python.frameworks.internal.SelfRefMixin
 private import semmle.python.frameworks.Multidict
 private import semmle.python.frameworks.Yarl
 
@@ -251,7 +252,7 @@ module AiohttpWebModel {
   }
 
   /** A class that we consider a aiohttp.web View class. */
-  abstract class AiohttpViewClass extends Class {
+  abstract class AiohttpViewClass extends Class, SelfRefMixin {
     /** Gets a function that could handle incoming requests, if any. */
     Function getARequestHandler() {
       // TODO: This doesn't handle attribute assignment. Should be OK, but analysis is not as complete as with
@@ -341,16 +342,23 @@ module AiohttpWebModel {
         this.getParameter() =
           max(Parameter param, int i | param = requestHandler.getArg(i) | param order by i)
       )
-      or
-      exists(AiohttpViewClass vc |
-        // TODO
-        none()
-      )
     }
 
     override string getSourceType() { result = "aiohttp.web.Request" }
   }
 
+  class AiohttpViewClassRequestAttributeRead extends Request::InstanceSource,
+    RemoteFlowSource::Range, DataFlow::Node {
+    AiohttpViewClassRequestAttributeRead() {
+      this.(DataFlow::AttrRead).getObject() = any(AiohttpViewClass vc).getASelfRef() and
+      this.(DataFlow::AttrRead).getAttributeName() = "request"
+    }
+
+    override string getSourceType() {
+      result = "aiohttp.web.Request from self.request in View class"
+    }
+  }
+
   /**
    * Taint propagation for `aiohttp.web.Request`.
    *
diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index f1ae74bc8b5..fbe967d629f 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -12,6 +12,7 @@ private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.PEP249
 private import semmle.python.regex
 private import semmle.python.frameworks.internal.PoorMansFunctionResolution
+private import semmle.python.frameworks.internal.SelfRefMixin
 
 /**
  * Provides models for the `django` PyPI package.
@@ -1388,31 +1389,7 @@ private module PrivateDjango {
   // Helpers
   // ---------------------------------------------------------------------------
 
-  /** Adds the `getASelfRef` member predicate when modeling a class. */
-  abstract private class SelfRefMixin extends Class {
-    /**
-     * Gets a reference to instances of this class, originating from a self parameter of
-     * a method defined on this class.
-     *
-     * Note: TODO: This doesn't take MRO into account
-     * Note: TODO: This doesn't take staticmethod/classmethod into account
-     */
-    private DataFlow::LocalSourceNode getASelfRef(DataFlow::TypeTracker t) {
-      t.start() and
-      result.(DataFlow::ParameterNode).getParameter() = this.getAMethod().getArg(0)
-      or
-      exists(DataFlow::TypeTracker t2 | result = this.getASelfRef(t2).track(t2, t))
-    }
 
-    /**
-     * Gets a reference to instances of this class, originating from a self parameter of
-     * a method defined on this class.
-     *
-     * Note: TODO: This doesn't take MRO into account
-     * Note: TODO: This doesn't take staticmethod/classmethod into account
-     */
-    DataFlow::Node getASelfRef() { this.getASelfRef(DataFlow::TypeTracker::end()).flowsTo(result) }
-  }
 
   // ---------------------------------------------------------------------------
   // Form and form field modeling
diff --git a/python/ql/src/semmle/python/frameworks/internal/SelfRefMixin.qll b/python/ql/src/semmle/python/frameworks/internal/SelfRefMixin.qll
new file mode 100644
index 00000000000..d43d6b54bfb
--- /dev/null
+++ b/python/ql/src/semmle/python/frameworks/internal/SelfRefMixin.qll
@@ -0,0 +1,38 @@
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides the `SelfRefMixin` class.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Adds the `getASelfRef` member predicate when modeling a class.
+ */
+abstract class SelfRefMixin extends Class {
+  /**
+   * Gets a reference to instances of this class, originating from a self parameter of
+   * a method defined on this class.
+   *
+   * Note: TODO: This doesn't take MRO into account
+   * Note: TODO: This doesn't take staticmethod/classmethod into account
+   */
+  private DataFlow::LocalSourceNode getASelfRef(DataFlow::TypeTracker t) {
+    t.start() and
+    result.(DataFlow::ParameterNode).getParameter() = this.getAMethod().getArg(0)
+    or
+    exists(DataFlow::TypeTracker t2 | result = this.getASelfRef(t2).track(t2, t))
+  }
+
+  /**
+   * Gets a reference to instances of this class, originating from a self parameter of
+   * a method defined on this class.
+   *
+   * Note: TODO: This doesn't take MRO into account
+   * Note: TODO: This doesn't take staticmethod/classmethod into account
+   */
+  DataFlow::Node getASelfRef() { this.getASelfRef(DataFlow::TypeTracker::end()).flowsTo(result) }
+}
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
index 28ff33b15a6..dcf21f92687 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -196,7 +196,8 @@ async def test_taint(request: web.Request): # $ requestHandler
 class TaintTestClass(web.View):
     def get(self): # $ requestHandler
         ensure_tainted(
-            self.request, # $ MISSING: tainted
+            self.request, # $ tainted
+            self.request.url # $ tainted
         )
 
 

From 919a0b6b84489488c1dcb1de41e0097f01ccddca Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 1 Jun 2021 17:51:19 +0200
Subject: [PATCH 1292/1429] Python: aiohttp route setup is more complicated
 than expected

---
 .../frameworks/aiohttp/routing_test.py          | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py b/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
index 934d7673718..ad1883b5828 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
@@ -122,6 +122,23 @@ if True:
 
         app.router.add_view("/MyWebViewNoSubclassButRoute", MyWebViewNoSubclassButRoute)  # $ routeSetup="/MyWebViewNoSubclassButRoute"
 
+
+# Apparently there is no enforcement that `add_view` is only for views, and vice-versa
+# for `add_get` only being for async functions.
+if True:
+    async def no_rules(request): # $ MISSING: requestHandler
+        return web.Response(text="no_rules")
+
+    app.router.add_view("/no_rules", no_rules) # $ routeSetup="/no_rules"
+
+
+    class NoRulesView(web.View):
+        async def get(self):  # $ requestHandler
+            return web.Response(text="NoRulesView.get")
+
+    app.router.add_get("/NoRulesView", NoRulesView) # $ routeSetup="/NoRulesView"
+
+
 ## =================== ##
 ## "Routed parameters" ##
 ## =================== ##

From 5d4140d3e2d26a81db5bdd859d97ca7b752425a1 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 1 Jun 2021 18:40:20 +0200
Subject: [PATCH 1293/1429] Python: Handle more complicated route-setup in
 aiohttp

Since we want to be able to easy select request-handlers that are not
set up as part of a view-class, we need to easily be able to identify
those. To handle cases like the one below, we _can't_ just define these
to be all the async functions that are not methods on a class :(

```py
    # see https://docs.aiohttp.org/en/stable/web_quickstart.html#organizing-handlers-in-classes

    class MyCustomHandlerClass:

        async def foo_handler(self, request):  # $ MISSING: requestHandler
            return web.Response(text="MyCustomHandlerClass.foo")

    my_custom_handler = MyCustomHandlerClass()
    app.router.add_get("/MyCustomHandlerClass/foo", my_custom_handler.foo_handler)   # $ routeSetup="/MyCustomHandlerClass/foo"
```

So it seemed easiest to narrow down the route-setups, but that means we
want both refinement and extensibility... so `::Range` pattern to the
rescue :tada:

The important piece of code that still works after this commit, but
which hasn't been changed, is the one below:

```codeql
  /**
   * A parameter that will receive a `aiohttp.web.Request` instance when a request
   * handler is invoked.
   */
  class AiohttpRequestHandlerRequestParam extends Request::InstanceSource, RemoteFlowSource::Range,
    DataFlow::ParameterNode {
    AiohttpRequestHandlerRequestParam() {
      exists(Function requestHandler |
        requestHandler = any(AiohttpCoroutineRouteSetup setup).getARequestHandler() and
```
---
 .../src/semmle/python/frameworks/Aiohttp.qll  | 259 ++++++++----------
 .../frameworks/aiohttp/routing_test.py        |   2 +-
 2 files changed, 121 insertions(+), 140 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Aiohttp.qll b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
index 3a8989e2c4c..f85071adaa2 100644
--- a/python/ql/src/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -50,110 +50,130 @@ module AiohttpWebModel {
     result = applicationInstance().getMember("router")
   }
 
-  /** A route setup in `aiohttp.web` */
-  abstract class AiohttpRouteSetup extends HTTP::Server::RouteSetup::Range {
+  /**
+   * A route setup in `aiohttp.web`. Since all route-setups can technically use either
+   * coroutines or view-classes as the handler argument (although that's not how you're
+   * **supposed** to do things), we also need to handle this.
+   *
+   * Extend this class to refine existing API models. If you want to model new APIs,
+   * extend `AiohttpRouteSetup::Range` instead.
+   */
+  class AiohttpRouteSetup extends HTTP::Server::RouteSetup::Range {
+    AiohttpRouteSetup::Range range;
+
+    AiohttpRouteSetup() { this = range }
+
     override Parameter getARoutedParameter() { none() }
 
     override string getFramework() { result = "aiohttp.web" }
+
+    /** Gets the argument specifying the handler (either a coroutine or a view-class). */
+    DataFlow::Node getHandlerArg() { result = range.getHandlerArg() }
+
+    override DataFlow::Node getUrlPatternArg() { result = range.getUrlPatternArg() }
+
+    /** Gets the view-class that is referenced in the view-class handler argument, if any. */
+    Class getViewClass() { result = range.getViewClass() }
+
+    override Function getARequestHandler() { result = range.getARequestHandler() }
+  }
+
+  /** Provides a class for modeling new aiohttp.web route setups. */
+  private module AiohttpRouteSetup {
+    /**
+     * A route setup in `aiohttp.web`. Since all route-setups can technically use either
+     * coroutines or view-classes as the handler argument (although that's not how you're
+     * **supposed** to do things), we also need to handle this.
+     *
+     * Extend this class to model new APIs. If you want to refine existing API models,
+     * extend `AiohttpRouteSetup` instead.
+     */
+    abstract class Range extends DataFlow::Node {
+      /** Gets the argument used to set the URL pattern. */
+      abstract DataFlow::Node getUrlPatternArg();
+
+      /** Gets the argument specifying the handler (either a coroutine or a view-class). */
+      abstract DataFlow::Node getHandlerArg();
+
+      /** Gets the view-class that is referenced in the view-class handler argument, if any. */
+      Class getViewClass() { result = getBackTrackedViewClass(this.getHandlerArg()) }
+
+      /**
+       * Gets a function that will handle incoming requests for this route, if any.
+       *
+       * NOTE: This will be modified in the near future to have a `RequestHandler` result, instead of a `Function`.
+       */
+      Function getARequestHandler() {
+        this.getHandlerArg() = poorMansFunctionTracker(result)
+        or
+        exists(AiohttpViewClass cls |
+          cls = this.getViewClass() and
+          result = cls.getARequestHandler()
+        )
+      }
+    }
+
+    /**
+     * Gets a reference to a class, that has been backtracked from the view-class handler
+     * argument `origin` (to a route-setup for view-classes).
+     */
+    private DataFlow::LocalSourceNode viewClassBackTracker(
+      DataFlow::TypeBackTracker t, DataFlow::Node origin
+    ) {
+      t.start() and
+      origin = any(Range rs).getHandlerArg() and
+      result = origin.getALocalSource()
+      or
+      exists(DataFlow::TypeBackTracker t2 |
+        result = viewClassBackTracker(t2, origin).backtrack(t2, t)
+      )
+    }
+
+    /**
+     * Gets a reference to a class, that has been backtracked from the view-class handler
+     * argument `origin` (to a route-setup for view-classes).
+     */
+    DataFlow::LocalSourceNode viewClassBackTracker(DataFlow::Node origin) {
+      result = viewClassBackTracker(DataFlow::TypeBackTracker::end(), origin)
+    }
+
+    Class getBackTrackedViewClass(DataFlow::Node origin) {
+      result.getParent() = viewClassBackTracker(origin).asExpr()
+    }
   }
 
   /** An aiohttp route setup that uses coroutines (async function) as request handler. */
-  abstract class AiohttpCoroutineRouteSetup extends AiohttpRouteSetup {
-    /** Gets the argument specifying the request handler (which is a coroutine/async function) */
-    abstract DataFlow::Node getRequestHandlerArg();
-
-    override Function getARequestHandler() {
-      this.getRequestHandlerArg() = poorMansFunctionTracker(result)
-    }
-  }
-
-  /**
-   * Gets a reference to a class, that has been backtracked from the view-class handler
-   * argument `origin` (to a route-setup for view-classes).
-   */
-  private DataFlow::LocalSourceNode viewClassBackTracker(
-    DataFlow::TypeBackTracker t, DataFlow::Node origin
-  ) {
-    t.start() and
-    origin = any(AiohttpViewRouteSetup rs).getViewClassArg() and
-    result = origin.getALocalSource()
-    or
-    exists(DataFlow::TypeBackTracker t2 |
-      result = viewClassBackTracker(t2, origin).backtrack(t2, t)
-    )
-  }
-
-  /**
-   * Gets a reference to a class, that has been backtracked from the view-class handler
-   * argument `origin` (to a route-setup for view-classes).
-   */
-  DataFlow::LocalSourceNode viewClassBackTracker(DataFlow::Node origin) {
-    result = viewClassBackTracker(DataFlow::TypeBackTracker::end(), origin)
-  }
-
-  Class getBackTrackedViewClass(DataFlow::Node origin) {
-    result.getParent() = viewClassBackTracker(origin).asExpr()
+  class AiohttpCoroutineRouteSetup extends AiohttpRouteSetup {
+    AiohttpCoroutineRouteSetup() { this.getHandlerArg() = poorMansFunctionTracker(_) }
   }
 
   /** An aiohttp route setup that uses view-classes as request handlers. */
-  abstract class AiohttpViewRouteSetup extends AiohttpRouteSetup {
-    /** Gets the argument specifying the view-class handler. */
-    abstract DataFlow::Node getViewClassArg();
-
-    /** Gets the view-class that is referenced in the view-class handler argument. */
-    Class getViewClass() { result = getBackTrackedViewClass(this.getViewClassArg()) }
-
-    override Function getARequestHandler() {
-      exists(AiohttpViewClass cls |
-        cls = this.getViewClass() and
-        result = cls.getARequestHandler()
-      )
-    }
+  class AiohttpViewRouteSetup extends AiohttpRouteSetup {
+    AiohttpViewRouteSetup() { exists(this.getViewClass()) }
   }
 
   /**
-   * A route-setup from `add_route` or any of `add_get`, `add_post`, etc. on an
-   *    `aiohttp.web.UrlDispatcher`.
+   * A route-setup from
+   * - `add_route`, `add_view`, `add_get`, `add_post`, , etc. on an `aiohttp.web.UrlDispatcher`.
+   * - `route`, `view`, `get`, `post`, etc. functions from `aiohttp.web`.
    */
-  class AiohttpUrlDispatcherAddRouteCall extends AiohttpCoroutineRouteSetup, DataFlow::CallCfgNode {
+  class AiohttpAddRouteCall extends AiohttpRouteSetup::Range, DataFlow::CallCfgNode {
     /** At what index route arguments starts, so we can handle "route" version together with get/post/... */
     int routeArgsStart;
 
-    AiohttpUrlDispatcherAddRouteCall() {
-      this = urlDispathcerInstance().getMember("add_" + HTTP::httpVerbLower()).getACall() and
-      routeArgsStart = 0
-      or
-      this = urlDispathcerInstance().getMember("add_route").getACall() and
-      routeArgsStart = 1
-    }
-
-    override DataFlow::Node getUrlPatternArg() {
-      result in [this.getArg(routeArgsStart + 0), this.getArgByName("path")]
-    }
-
-    override DataFlow::Node getRequestHandlerArg() {
-      result in [this.getArg(routeArgsStart + 1), this.getArgByName("handler")]
-    }
-  }
-
-  /**
-   * A route-setup from using `route` or any of `get`, `post`, etc. functions from `aiohttp.web`.
-   *
-   * Note that technically, this does not set up a route in itself (since it needs to be added to an application first).
-   * However, modeling this way makes it easier, and we don't expect it to lead to many problems.
-   */
-  class AiohttpWebRouteCall extends AiohttpCoroutineRouteSetup, DataFlow::CallCfgNode {
-    /** At what index route arguments starts, so we can handle "route" version together with get/post/... */
-    int routeArgsStart;
-
-    AiohttpWebRouteCall() {
+    AiohttpAddRouteCall() {
       exists(string funcName |
         funcName = HTTP::httpVerbLower() and
         routeArgsStart = 0
         or
+        funcName = "view" and
+        routeArgsStart = 0
+        or
         funcName = "route" and
         routeArgsStart = 1
       |
+        this = urlDispathcerInstance().getMember("add_" + funcName).getACall()
+        or
         this = API::moduleImport("aiohttp").getMember("web").getMember(funcName).getACall()
       )
     }
@@ -162,21 +182,24 @@ module AiohttpWebModel {
       result in [this.getArg(routeArgsStart + 0), this.getArgByName("path")]
     }
 
-    override DataFlow::Node getRequestHandlerArg() {
+    override DataFlow::Node getHandlerArg() {
       result in [this.getArg(routeArgsStart + 1), this.getArgByName("handler")]
     }
   }
 
-  /** A route-setup from using a `route` or any of `get`, `post`, etc. decorators from a `aiohttp.web.RouteTableDef`. */
-  class AiohttpRouteTableDefRouteCall extends AiohttpCoroutineRouteSetup, DataFlow::CallCfgNode {
+  /** A route-setup using a decorator, such as `route`, `view`, `get`, `post`, etc. on a `aiohttp.web.RouteTableDef`. */
+  class AiohttpDecoratorRouteSetup extends AiohttpRouteSetup::Range, DataFlow::CallCfgNode {
     /** At what index route arguments starts, so we can handle "route" version together with get/post/... */
     int routeArgsStart;
 
-    AiohttpRouteTableDefRouteCall() {
+    AiohttpDecoratorRouteSetup() {
       exists(string decoratorName |
         decoratorName = HTTP::httpVerbLower() and
         routeArgsStart = 0
         or
+        decoratorName = "view" and
+        routeArgsStart = 0
+        or
         decoratorName = "route" and
         routeArgsStart = 1
       |
@@ -194,61 +217,19 @@ module AiohttpWebModel {
       result in [this.getArg(routeArgsStart + 0), this.getArgByName("path")]
     }
 
-    override DataFlow::Node getRequestHandlerArg() { none() }
-
-    override Function getARequestHandler() { result.getADecorator() = this.asExpr() }
-  }
-
-  /**
-   * A view-class route-setup from either:
-   * - `add_view` method on a `aiohttp.web.UrlDispatcher`
-   * - `view` function from `aiohttp.web`
-   */
-  class AiohttpViewRouteSetupFromFunction extends AiohttpViewRouteSetup, DataFlow::CallCfgNode {
-    AiohttpViewRouteSetupFromFunction() {
-      this = urlDispathcerInstance().getMember("add_view").getACall()
-      or
-      this = API::moduleImport("aiohttp").getMember("web").getMember("view").getACall()
-      or
-      this =
-        API::moduleImport("aiohttp")
-            .getMember("web")
-            .getMember("RouteTableDef")
-            .getReturn()
-            .getMember("view")
-            .getACall()
-    }
-
-    override DataFlow::Node getUrlPatternArg() {
-      result in [this.getArg(0), this.getArgByName("path")]
-    }
-
-    override DataFlow::Node getViewClassArg() {
-      result in [this.getArg(1), this.getArgByName("handler")]
-    }
-  }
-
-  /**
-   * A view-class route-setup from the `view` decorator from a `aiohttp.web.RouteTableDef`.
-   */
-  class AiohttpViewRouteSetupFromDecorator extends AiohttpViewRouteSetup, DataFlow::CallCfgNode {
-    AiohttpViewRouteSetupFromDecorator() {
-      this =
-        API::moduleImport("aiohttp")
-            .getMember("web")
-            .getMember("RouteTableDef")
-            .getReturn()
-            .getMember("view")
-            .getACall()
-    }
-
-    override DataFlow::Node getUrlPatternArg() {
-      result in [this.getArg(0), this.getArgByName("path")]
-    }
-
-    override DataFlow::Node getViewClassArg() { none() }
+    override DataFlow::Node getHandlerArg() { none() }
 
     override Class getViewClass() { result.getADecorator() = this.asExpr() }
+
+    override Function getARequestHandler() {
+      // we're decorating a class
+      exists(this.getViewClass()) and
+      result = super.getARequestHandler()
+      or
+      // we're decorating a function
+      not exists(this.getViewClass()) and
+      result.getADecorator() = this.asExpr()
+    }
   }
 
   /** A class that we consider a aiohttp.web View class. */
@@ -269,7 +250,7 @@ module AiohttpWebModel {
 
   /** A class that is used in a route-setup, therefore being considered a aiohttp.web View class. */
   class AiohttpViewClassFromRouteSetup extends AiohttpViewClass {
-    AiohttpViewClassFromRouteSetup() { this = any(AiohttpViewRouteSetup rs).getViewClass() }
+    AiohttpViewClassFromRouteSetup() { this = any(AiohttpRouteSetup rs).getViewClass() }
   }
 
   /** A request handler defined in an `aiohttp.web` view class, that has no known route. */
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py b/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
index ad1883b5828..eac030ec02a 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
@@ -126,7 +126,7 @@ if True:
 # Apparently there is no enforcement that `add_view` is only for views, and vice-versa
 # for `add_get` only being for async functions.
 if True:
-    async def no_rules(request): # $ MISSING: requestHandler
+    async def no_rules(request): # $ requestHandler
         return web.Response(text="no_rules")
 
     app.router.add_view("/no_rules", no_rules) # $ routeSetup="/no_rules"

From 735df4597f7563528062cf5eb6579ad12680a2a5 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 2 Jun 2021 10:58:04 +0200
Subject: [PATCH 1294/1429] Python: Aiohttp add response tests

---
 .../frameworks/aiohttp/response_test.py       | 72 +++++++++++++++++++
 1 file changed, 72 insertions(+)

diff --git a/python/ql/test/library-tests/frameworks/aiohttp/response_test.py b/python/ql/test/library-tests/frameworks/aiohttp/response_test.py
index e69de29bb2d..e58d0c6c189 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/response_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/response_test.py
@@ -0,0 +1,72 @@
+from aiohttp import web
+
+
+routes = web.RouteTableDef()
+
+
+@routes.get("/raw_text") # $ routeSetup="/raw_text"
+async def raw_text(request): # $ requestHandler
+    return web.Response(text="foo") # $ MISSING: HttpResponse
+
+
+@routes.get("/raw_body") # $ routeSetup="/raw_body"
+async def raw_body(request): # $ requestHandler
+    return web.Response(body=b"foo") # $ MISSING: HttpResponse
+
+
+@routes.get("/html_text") # $ routeSetup="/html_text"
+async def html_text(request): # $ requestHandler
+    return web.Response(text="foo", content_type="text/html") # $ MISSING: HttpResponse
+
+
+@routes.get("/html_body") # $ routeSetup="/html_body"
+async def html_body(request): # $ requestHandler
+    return web.Response(body=b"foo", content_type="text/html") # $ MISSING: HttpResponse
+
+
+@routes.get("/html_body_set_later") # $ routeSetup="/html_body_set_later"
+async def html_body_set_later(request): # $ requestHandler
+    resp = web.Response(body=b"foo") # $ MISSING: HttpResponse
+    resp.content_type = "text/html"
+    return resp
+
+# Each HTTP status code has an exception
+# see https://docs.aiohttp.org/en/stable/web_quickstart.html#exceptions
+
+@routes.get("/through_200_exception") # $ routeSetup="/through_200_exception"
+async def through_200_exception(request): # $ requestHandler
+    raise web.HTTPOk(text="foo") # $ MISSING: HttpResponse
+
+
+@routes.get("/through_200_exception_html") # $ routeSetup="/through_200_exception_html"
+async def through_200_exception(request): # $ requestHandler
+    exception = web.HTTPOk(text="foo") # $ MISSING: HttpResponse
+    exception.content_type = "text/html"
+    raise exception
+
+
+@routes.get("/through_404_exception") # $ routeSetup="/through_404_exception"
+async def through_404_exception(request): # $ requestHandler
+    raise web.HTTPNotFound(text="foo") # $ MISSING: HttpResponse
+
+
+@routes.get("/redirect_301") # $ routeSetup="/redirect_301"
+async def redirect_301(request): # $ requestHandler
+    if not "kwarg" in request.url.query:
+        raise web.HTTPMovedPermanently("/login") # $ MISSING: HttpResponse HttpRedirectResponse
+    else:
+        raise web.HTTPMovedPermanently(location="/logout") # $ MISSING: HttpResponse HttpRedirectResponse
+
+
+@routes.get("/redirect_302") # $ routeSetup="/redirect_302"
+async def redirect_302(request): # $ requestHandler
+    if not "kwarg" in request.url.query:
+        raise web.HTTPFound("/login") # $ MISSING: HttpResponse HttpRedirectResponse
+    else:
+        raise web.HTTPFound(location="/logout") # $ MISSING: HttpResponse HttpRedirectResponse
+
+
+if __name__ == "__main__":
+    app = web.Application()
+    app.add_routes(routes)
+    web.run_app(app)

From 2dbbf52903bd32439c337f7e31c52313aa6f49ff Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 2 Jun 2021 18:08:13 +0200
Subject: [PATCH 1295/1429] Python: Model HTTP responses in aiohttp.web

---
 .../src/semmle/python/frameworks/Aiohttp.qll  | 85 +++++++++++++++++++
 .../frameworks/aiohttp/response_test.py       | 28 +++---
 .../frameworks/aiohttp/routing_test.py        | 40 ++++-----
 3 files changed, 119 insertions(+), 34 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Aiohttp.qll b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
index f85071adaa2..24f141807ba 100644
--- a/python/ql/src/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -391,4 +391,89 @@ module AiohttpWebModel {
       this.(DataFlow::AttrRead).getAttributeName() in ["url", "rel_url"]
     }
   }
+
+  // ---------------------------------------------------------------------------
+  // aiohttp.web Response modeling
+  // ---------------------------------------------------------------------------
+  /**
+   * An instantiation of `aiohttp.web.Response`.
+   *
+   * Note that `aiohttp.web.HTTPException` (and it's subclasses) is a subclass of `aiohttp.web.Response`.
+   *
+   * See
+   * - https://docs.aiohttp.org/en/stable/web_reference.html#aiohttp.web.Response
+   * - https://docs.aiohttp.org/en/stable/web_quickstart.html#aiohttp-web-exceptions
+   */
+  class AiohttpWebResponseInstantiation extends HTTP::Server::HttpResponse::Range,
+    DataFlow::CallCfgNode {
+    AiohttpWebResponseInstantiation() {
+      this = API::moduleImport("aiohttp").getMember("web").getMember("Response").getACall()
+      or
+      exists(string httpExceptionClassName |
+        httpExceptionClassName in [
+            "HTTPException", "HTTPSuccessful", "HTTPOk", "HTTPCreated", "HTTPAccepted",
+            "HTTPNonAuthoritativeInformation", "HTTPNoContent", "HTTPResetContent",
+            "HTTPPartialContent", "HTTPRedirection", "HTTPMultipleChoices", "HTTPMovedPermanently",
+            "HTTPFound", "HTTPSeeOther", "HTTPNotModified", "HTTPUseProxy", "HTTPTemporaryRedirect",
+            "HTTPPermanentRedirect", "HTTPError", "HTTPClientError", "HTTPBadRequest",
+            "HTTPUnauthorized", "HTTPPaymentRequired", "HTTPForbidden", "HTTPNotFound",
+            "HTTPMethodNotAllowed", "HTTPNotAcceptable", "HTTPProxyAuthenticationRequired",
+            "HTTPRequestTimeout", "HTTPConflict", "HTTPGone", "HTTPLengthRequired",
+            "HTTPPreconditionFailed", "HTTPRequestEntityTooLarge", "HTTPRequestURITooLong",
+            "HTTPUnsupportedMediaType", "HTTPRequestRangeNotSatisfiable", "HTTPExpectationFailed",
+            "HTTPMisdirectedRequest", "HTTPUnprocessableEntity", "HTTPFailedDependency",
+            "HTTPUpgradeRequired", "HTTPPreconditionRequired", "HTTPTooManyRequests",
+            "HTTPRequestHeaderFieldsTooLarge", "HTTPUnavailableForLegalReasons", "HTTPServerError",
+            "HTTPInternalServerError", "HTTPNotImplemented", "HTTPBadGateway",
+            "HTTPServiceUnavailable", "HTTPGatewayTimeout", "HTTPVersionNotSupported",
+            "HTTPVariantAlsoNegotiates", "HTTPInsufficientStorage", "HTTPNotExtended",
+            "HTTPNetworkAuthenticationRequired"
+          ] and
+        this =
+          API::moduleImport("aiohttp").getMember("web").getMember(httpExceptionClassName).getACall()
+      )
+    }
+
+    override DataFlow::Node getBody() {
+      result in [this.getArgByName("text"), this.getArgByName("body")]
+    }
+
+    override DataFlow::Node getMimetypeOrContentTypeArg() {
+      result = this.getArgByName("content_type")
+    }
+
+    override string getMimetypeDefault() {
+      exists(this.getArgByName("text")) and
+      result = "text/plain"
+      or
+      not exists(this.getArgByName("text")) and
+      result = "application/octet-stream"
+    }
+  }
+
+  /**
+   * An instantiation of aiohttp.web HTTP redirect exception.
+   *
+   * See the part about redirects at https://docs.aiohttp.org/en/stable/web_quickstart.html#aiohttp-web-exceptions
+   */
+  class AiohttpRedirectExceptionInstantiation extends AiohttpWebResponseInstantiation,
+    HTTP::Server::HttpRedirectResponse::Range {
+    AiohttpRedirectExceptionInstantiation() {
+      exists(string httpRedirectExceptionClassName |
+        httpRedirectExceptionClassName in [
+            "HTTPMultipleChoices", "HTTPMovedPermanently", "HTTPFound", "HTTPSeeOther",
+            "HTTPNotModified", "HTTPUseProxy", "HTTPTemporaryRedirect", "HTTPPermanentRedirect"
+          ] and
+        this =
+          API::moduleImport("aiohttp")
+              .getMember("web")
+              .getMember(httpRedirectExceptionClassName)
+              .getACall()
+      )
+    }
+
+    override DataFlow::Node getRedirectLocation() {
+      result in [this.getArg(0), this.getArgByName("location")]
+    }
+  }
 }
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/response_test.py b/python/ql/test/library-tests/frameworks/aiohttp/response_test.py
index e58d0c6c189..1988f443560 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/response_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/response_test.py
@@ -6,28 +6,28 @@ routes = web.RouteTableDef()
 
 @routes.get("/raw_text") # $ routeSetup="/raw_text"
 async def raw_text(request): # $ requestHandler
-    return web.Response(text="foo") # $ MISSING: HttpResponse
+    return web.Response(text="foo") # $ HttpResponse mimetype=text/plain responseBody="foo"
 
 
 @routes.get("/raw_body") # $ routeSetup="/raw_body"
 async def raw_body(request): # $ requestHandler
-    return web.Response(body=b"foo") # $ MISSING: HttpResponse
+    return web.Response(body=b"foo") # $ HttpResponse mimetype=application/octet-stream responseBody=b"foo"
 
 
 @routes.get("/html_text") # $ routeSetup="/html_text"
 async def html_text(request): # $ requestHandler
-    return web.Response(text="foo", content_type="text/html") # $ MISSING: HttpResponse
+    return web.Response(text="foo", content_type="text/html") # $ HttpResponse mimetype=text/html responseBody="foo"
 
 
 @routes.get("/html_body") # $ routeSetup="/html_body"
 async def html_body(request): # $ requestHandler
-    return web.Response(body=b"foo", content_type="text/html") # $ MISSING: HttpResponse
+    return web.Response(body=b"foo", content_type="text/html") # $ HttpResponse mimetype=text/html responseBody=b"foo"
 
 
 @routes.get("/html_body_set_later") # $ routeSetup="/html_body_set_later"
 async def html_body_set_later(request): # $ requestHandler
-    resp = web.Response(body=b"foo") # $ MISSING: HttpResponse
-    resp.content_type = "text/html"
+    resp = web.Response(body=b"foo") # $ HttpResponse mimetype=application/octet-stream responseBody=b"foo"
+    resp.content_type = "text/html" # $ MISSING: mimetype=text/html
     return resp
 
 # Each HTTP status code has an exception
@@ -35,35 +35,35 @@ async def html_body_set_later(request): # $ requestHandler
 
 @routes.get("/through_200_exception") # $ routeSetup="/through_200_exception"
 async def through_200_exception(request): # $ requestHandler
-    raise web.HTTPOk(text="foo") # $ MISSING: HttpResponse
+    raise web.HTTPOk(text="foo") # $ HttpResponse mimetype=text/plain responseBody="foo"
 
 
 @routes.get("/through_200_exception_html") # $ routeSetup="/through_200_exception_html"
 async def through_200_exception(request): # $ requestHandler
-    exception = web.HTTPOk(text="foo") # $ MISSING: HttpResponse
-    exception.content_type = "text/html"
+    exception = web.HTTPOk(text="foo") # $ HttpResponse mimetype=text/plain responseBody="foo"
+    exception.content_type = "text/html" # $ MISSING: mimetype=text/html
     raise exception
 
 
 @routes.get("/through_404_exception") # $ routeSetup="/through_404_exception"
 async def through_404_exception(request): # $ requestHandler
-    raise web.HTTPNotFound(text="foo") # $ MISSING: HttpResponse
+    raise web.HTTPNotFound(text="foo") # $ HttpResponse mimetype=text/plain responseBody="foo"
 
 
 @routes.get("/redirect_301") # $ routeSetup="/redirect_301"
 async def redirect_301(request): # $ requestHandler
     if not "kwarg" in request.url.query:
-        raise web.HTTPMovedPermanently("/login") # $ MISSING: HttpResponse HttpRedirectResponse
+        raise web.HTTPMovedPermanently("/login") # $ HttpResponse HttpRedirectResponse mimetype=application/octet-stream redirectLocation="/login"
     else:
-        raise web.HTTPMovedPermanently(location="/logout") # $ MISSING: HttpResponse HttpRedirectResponse
+        raise web.HTTPMovedPermanently(location="/logout") # $ HttpResponse HttpRedirectResponse mimetype=application/octet-stream redirectLocation="/logout"
 
 
 @routes.get("/redirect_302") # $ routeSetup="/redirect_302"
 async def redirect_302(request): # $ requestHandler
     if not "kwarg" in request.url.query:
-        raise web.HTTPFound("/login") # $ MISSING: HttpResponse HttpRedirectResponse
+        raise web.HTTPFound("/login") # $ HttpResponse HttpRedirectResponse mimetype=application/octet-stream redirectLocation="/login"
     else:
-        raise web.HTTPFound(location="/logout") # $ MISSING: HttpResponse HttpRedirectResponse
+        raise web.HTTPFound(location="/logout") # $ HttpResponse HttpRedirectResponse mimetype=application/octet-stream redirectLocation="/logout"
 
 
 if __name__ == "__main__":
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py b/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
index eac030ec02a..23bd9c93a3c 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/routing_test.py
@@ -16,13 +16,13 @@ if True:
 
     # `app.add_routes` with list
     async def foo(request):  # $ requestHandler
-        return web.Response(text="foo")
+        return web.Response(text="foo") # $ HttpResponse
 
     async def foo2(request):  # $ requestHandler
-        return web.Response(text="foo2")
+        return web.Response(text="foo2") # $ HttpResponse
 
     async def foo3(request):  # $ requestHandler
-        return web.Response(text="foo3")
+        return web.Response(text="foo3") # $ HttpResponse
 
     app.add_routes([
         web.get("/foo", foo),  # $ routeSetup="/foo"
@@ -36,32 +36,32 @@ if True:
 
     @routes.get("/bar")  # $ routeSetup="/bar"
     async def bar(request):  # $ requestHandler
-        return web.Response(text="bar")
+        return web.Response(text="bar") # $ HttpResponse
 
     @routes.route("*", "/bar2")  # $ routeSetup="/bar2"
     async def bar2(request):  # $ requestHandler
-        return web.Response(text="bar2")
+        return web.Response(text="bar2") # $ HttpResponse
 
     @routes.get(path="/bar3")  # $ routeSetup="/bar3"
     async def bar3(request):  # $ requestHandler
-        return web.Response(text="bar3")
+        return web.Response(text="bar3") # $ HttpResponse
 
     app.add_routes(routes)
 
 
     # `app.router.add_get` / `app.router.add_route`
     async def baz(request):  # $ requestHandler
-        return web.Response(text="baz")
+        return web.Response(text="baz") # $ HttpResponse
 
     app.router.add_get("/baz", baz)  # $ routeSetup="/baz"
 
     async def baz2(request):  # $ requestHandler
-        return web.Response(text="baz2")
+        return web.Response(text="baz2") # $ HttpResponse
 
     app.router.add_route("*", "/baz2", baz2)  # $ routeSetup="/baz2"
 
     async def baz3(request):  # $ requestHandler
-        return web.Response(text="baz3")
+        return web.Response(text="baz3") # $ HttpResponse
 
     app.router.add_get(path="/baz3", handler=baz3)  # $ routeSetup="/baz3"
 
@@ -73,7 +73,7 @@ if True:
     class MyCustomHandlerClass:
 
         async def foo_handler(self, request):  # $ MISSING: requestHandler
-            return web.Response(text="MyCustomHandlerClass.foo")
+            return web.Response(text="MyCustomHandlerClass.foo") # $ HttpResponse
 
     my_custom_handler = MyCustomHandlerClass()
     app.router.add_get("/MyCustomHandlerClass/foo", my_custom_handler.foo_handler)   # $ routeSetup="/MyCustomHandlerClass/foo"
@@ -84,7 +84,7 @@ if True:
     # `app.add_routes` with list
     class MyWebView1(web.View):
         async def get(self):  # $ requestHandler
-            return web.Response(text="MyWebView1.get")
+            return web.Response(text="MyWebView1.get") # $ HttpResponse
 
     app.add_routes([
         web.view("/MyWebView1", MyWebView1)   # $ routeSetup="/MyWebView1"
@@ -97,7 +97,7 @@ if True:
     @routes.view("/MyWebView2")  # $ routeSetup="/MyWebView2"
     class MyWebView2(web.View):
         async def get(self):  # $ requestHandler
-            return web.Response(text="MyWebView2.get")
+            return web.Response(text="MyWebView2.get") # $ HttpResponse
 
     app.add_routes(routes)
 
@@ -105,20 +105,20 @@ if True:
     # `app.router.add_view`
     class MyWebView3(web.View):
         async def get(self):  # $ requestHandler
-            return web.Response(text="MyWebView3.get")
+            return web.Response(text="MyWebView3.get") # $ HttpResponse
 
     app.router.add_view("/MyWebView3", MyWebView3)  # $ routeSetup="/MyWebView3"
 
     # no route-setup
     class MyWebViewNoRoute(web.View):
         async def get(self):  # $ requestHandler
-            return web.Response(text="MyWebViewNoRoute.get")
+            return web.Response(text="MyWebViewNoRoute.get") # $ HttpResponse
 
     if len(__name__) < 0: # avoid running, but fool analysis to not consider dead code
         # no explicit-view subclass (but route-setup)
         class MyWebViewNoSubclassButRoute(somelib.someclass):
             async def get(self):  # $ requestHandler
-                return web.Response(text="MyWebViewNoSubclassButRoute.get")
+                return web.Response(text="MyWebViewNoSubclassButRoute.get") # $ HttpResponse
 
         app.router.add_view("/MyWebViewNoSubclassButRoute", MyWebViewNoSubclassButRoute)  # $ routeSetup="/MyWebViewNoSubclassButRoute"
 
@@ -127,14 +127,14 @@ if True:
 # for `add_get` only being for async functions.
 if True:
     async def no_rules(request): # $ requestHandler
-        return web.Response(text="no_rules")
+        return web.Response(text="no_rules") # $ HttpResponse
 
     app.router.add_view("/no_rules", no_rules) # $ routeSetup="/no_rules"
 
 
     class NoRulesView(web.View):
         async def get(self):  # $ requestHandler
-            return web.Response(text="NoRulesView.get")
+            return web.Response(text="NoRulesView.get") # $ HttpResponse
 
     app.router.add_get("/NoRulesView", NoRulesView) # $ routeSetup="/NoRulesView"
 
@@ -149,7 +149,7 @@ if True:
     async def matching(request: web.Request):  # $ requestHandler
         name = request.match_info['name']
         number = request.match_info['number']
-        return web.Response(text="matching name={} number={}".format(name, number))
+        return web.Response(text="matching name={} number={}".format(name, number)) # $ HttpResponse
 
     app.router.add_get(r"/matching/{name}/{number:\d+}", matching)  # $ routeSetup="/matching/{name}/{number:\d+}"
 
@@ -161,7 +161,7 @@ if True:
     subapp = web.Application()
 
     async def subapp_handler(request):  # $ requestHandler
-        return web.Response(text="subapp_handler")
+        return web.Response(text="subapp_handler") # $ HttpResponse
 
     subapp.router.add_get("/subapp_handler", subapp_handler)  # $ routeSetup="/subapp_handler"
 
@@ -177,7 +177,7 @@ if True:
 
 if True:
     async def manual_dispatcher_instance(request):  # $ requestHandler
-        return web.Response(text="manual_dispatcher_instance")
+        return web.Response(text="manual_dispatcher_instance") # $ HttpResponse
 
     url_dispatcher = web.UrlDispatcher()
     url_dispatcher.add_get("/manual_dispatcher_instance", manual_dispatcher_instance)  # $ routeSetup="/manual_dispatcher_instance"

From 3c47e583d82911967103f13148f6ece78ded09bb Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 3 Jun 2021 10:54:36 +0200
Subject: [PATCH 1296/1429] Python: Add test for missing data-flow step in
 aiohttp.web

---
 .../frameworks/aiohttp/app_conf_test.py       | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 python/ql/test/library-tests/frameworks/aiohttp/app_conf_test.py

diff --git a/python/ql/test/library-tests/frameworks/aiohttp/app_conf_test.py b/python/ql/test/library-tests/frameworks/aiohttp/app_conf_test.py
new file mode 100644
index 00000000000..ce15e2110ab
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/aiohttp/app_conf_test.py
@@ -0,0 +1,48 @@
+"""
+This file is a test of an extra data-flow step that we want to have for
+aiohttp.web.Application
+
+We don't really have an established way to test extra data-flow steps in external
+libraries right now, so for now I've just used our normal taint-flow testing ¯\_(ツ)_/¯
+
+see https://docs.aiohttp.org/en/stable/web_advanced.html#application-s-config
+"""
+
+from aiohttp import web
+
+# to make code runable
+TAINTED_STRING = "TAINTED_STRING"
+def ensure_tainted(*args, **kwargs):
+    pass
+
+ensure_tainted(
+    TAINTED_STRING # $ tainted
+)
+
+
+async def example(request: web.Request): # $ requestHandler
+    return web.Response(text=f'example {request.app["foo"]=}') # $ HttpResponse
+
+
+async def also_works(request: web.Request): # $ requestHandler
+    return web.Response(text=f'also_works {request.config_dict["foo"]=}') # $ HttpResponse
+
+
+async def taint_test(request: web.Request): # $ requestHandler
+    ensure_tainted(
+        request.app["ts"], # $ MISSING: tainted
+        request.config_dict["ts"], # $ MISSING: tainted
+    )
+    return web.Response(text="ok") # $ HttpResponse
+
+
+app = web.Application()
+app.router.add_get("", example) # $ routeSetup=""
+app.router.add_get("/also-works", also_works) # $ routeSetup="/also-works"
+app.router.add_get("/taint-test", taint_test) # $ routeSetup="/taint-test"
+app["foo"] = 42
+app["ts"] = TAINTED_STRING
+
+
+if __name__ == "__main__":
+    web.run_app(app)

From 607dcd4a277776fcf91405b13b0cf24dbeaf2735 Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Thu, 3 Jun 2021 11:05:13 +0200
Subject: [PATCH 1297/1429] Don't use CSV models for private flow configs

---
 .../code/java/security/JexlInjection.qll      | 64 ++++++++++---------
 1 file changed, 34 insertions(+), 30 deletions(-)

diff --git a/java/ql/src/semmle/code/java/security/JexlInjection.qll b/java/ql/src/semmle/code/java/security/JexlInjection.qll
index 8e8923a746b..2328a4d4cbb 100644
--- a/java/ql/src/semmle/code/java/security/JexlInjection.qll
+++ b/java/ql/src/semmle/code/java/security/JexlInjection.qll
@@ -131,43 +131,40 @@ private predicate isSafeEngine(Expr expr) {
 private class SandboxedJexlFlowConfig extends DataFlow2::Configuration {
   SandboxedJexlFlowConfig() { this = "JexlInjection::SandboxedJexlFlowConfig" }
 
-  override predicate isSource(DataFlow::Node node) { sourceNode(node, "sandboxed-jexl") }
+  override predicate isSource(DataFlow::Node node) { node instanceof SandboxedJexlSource }
 
-  override predicate isSink(DataFlow::Node node) { sinkNode(node, "sandboxed-jexl") }
+  override predicate isSink(DataFlow::Node node) {
+    exists(MethodAccess ma, Method m |
+      m instanceof CreateJexlScriptMethod or
+      m instanceof CreateJexlExpressionMethod or
+      m instanceof CreateJexlTemplateMethod
+    |
+      ma.getMethod() = m and ma.getQualifier() = node.asExpr()
+    )
+  }
 
   override predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
     createJexlEngineStep(fromNode, toNode)
   }
 }
 
-private class SandoboxedJexlSourceModel extends SourceModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        // JEXL2
-        "org.apache.commons.jexl2;JexlEngine;false;JexlEngine;(Uberspect,JexlArithmetic,Map<String,Object>,Log);;ReturnValue;sandboxed-jexl",
-        // JEXL3
-        "org.apache.commons.jexl3;JexlBuilder;false;uberspect;(JexlUberspect);;ReturnValue;sandboxed-jexl",
-        "org.apache.commons.jexl3;JexlBuilder;false;sandbox;(JexlSandbox);;ReturnValue;sandboxed-jexl"
-      ]
-  }
-}
-
-private class SandoboxedJexlSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        // JEXL2
-        "org.apache.commons.jexl2;JexlEngine;false;createScript;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl2;JexlEngine;false;createExpression;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl2;UnifiedJEXL;false;parse;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl2;UnifiedJEXL;false;createTemplate;;;Argument[-1];sandboxed-jexl",
-        // JEXL3
-        "org.apache.commons.jexl3;JexlEngine;false;createScript;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl3;JexlEngine;false;createExpression;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl3;JxltEngine;false;createExpression;;;Argument[-1];sandboxed-jexl",
-        "org.apache.commons.jexl3;JxltEngine;false;createTemplate;;;Argument[-1];sandboxed-jexl"
-      ]
+/**
+ * Defines a data flow source for JEXL engines configured with a sandbox.
+ */
+private class SandboxedJexlSource extends DataFlow::ExprNode {
+  SandboxedJexlSource() {
+    exists(MethodAccess ma, Method m | m = ma.getMethod() |
+      m.getDeclaringType() instanceof JexlBuilder and
+      m.hasName(["uberspect", "sandbox"]) and
+      m.getReturnType() instanceof JexlBuilder and
+      this.asExpr() = [ma, ma.getQualifier()]
+    )
+    or
+    exists(ConstructorCall cc |
+      cc.getConstructedType() instanceof JexlEngine and
+      cc.getArgument(0).getType() instanceof JexlUberspect and
+      cc = this.asExpr()
+    )
   }
 }
 
@@ -238,6 +235,13 @@ private class UnifiedJexl extends JexlRefType {
   UnifiedJexl() { hasName("UnifiedJEXL") }
 }
 
+private class JexlUberspect extends Interface {
+  JexlUberspect() {
+    hasQualifiedName("org.apache.commons.jexl2.introspection", "Uberspect") or
+    hasQualifiedName("org.apache.commons.jexl3.introspection", "JexlUberspect")
+  }
+}
+
 private class Reader extends RefType {
   Reader() { hasQualifiedName("java.io", "Reader") }
 }

From d044b155338fa184f3069a5e943e6273776f96f5 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 3 Jun 2021 10:54:45 +0200
Subject: [PATCH 1298/1429] C#: Add colliding method ID tests

---
 .../library-tests/methods/DB-CHECK.expected   | 130 +++
 .../methods/ExtensionMethods.expected         |  24 +-
 .../library-tests/methods/Methods1.expected   |   2 +-
 .../library-tests/methods/Methods2.expected   |   2 +-
 .../library-tests/methods/Methods3.expected   |   2 +-
 .../library-tests/methods/Methods4.expected   |   2 +-
 .../library-tests/methods/Methods5.expected   |  52 +-
 .../methods/Parameters1.expected              |   4 +-
 .../methods/Parameters2.expected              |   8 +-
 .../methods/Parameters3.expected              |   4 +-
 .../methods/Parameters5.expected              |  14 +-
 .../methods/Parameters6.expected              |   4 +-
 .../methods/Parameters7.expected              |   2 +-
 .../methods/Parameters8.expected              | 102 +-
 .../methods/Parameters9.expected              |  14 +-
 .../library-tests/methods/PrintAst.expected   | 931 ++++++++++--------
 .../ql/test/library-tests/methods/methods.cs  |  28 +
 17 files changed, 798 insertions(+), 527 deletions(-)
 create mode 100644 csharp/ql/test/library-tests/methods/DB-CHECK.expected

diff --git a/csharp/ql/test/library-tests/methods/DB-CHECK.expected b/csharp/ql/test/library-tests/methods/DB-CHECK.expected
new file mode 100644
index 00000000000..4a99289a434
--- /dev/null
+++ b/csharp/ql/test/library-tests/methods/DB-CHECK.expected
@@ -0,0 +1,130 @@
+[INVALID_KEY] predicate methods(@method id, string name, @type declaring_type_id, @type_or_ref type_id, @method unbound_id): The key set {id} does not functionally determine all fields.
+Here is a pair of tuples that agree on the key set but differ at index 4:
+Tuple 1 in row 28: (828,"M",827,1087,813)
+Tuple 2 in row 29: (828,"M",827,1087,1135)
+	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
+	Relevant element: Full ID for 827: @"(294)<(366)>;type". The ID may expand to @"{@"{@"{@";namespace"}.Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"{@";namespace"}.System;namespace"}.Int32;type"}>;type"
+	Relevant element: Full ID for 1087: @"(365);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"};typeRef"
+	Relevant element: Full ID for 813: @"(365) (294).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@";namespace"}.Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
+	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
+	Relevant element: Full ID for 827: @"(294)<(366)>;type". The ID may expand to @"{@"{@"{@";namespace"}.Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"{@";namespace"}.System;namespace"}.Int32;type"}>;type"
+	Relevant element: Full ID for 1087: @"(365);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"};typeRef"
+	Relevant element: Full ID for 1135: @"(365) (294).M((296) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@";namespace"}.Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}_0;typeparameter"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
+[INVALID_KEY] predicate constructors(@constructor id, string name, @type declaring_type_id, @constructor unbound_id): The key set {id} does not functionally determine all fields.
+Here is a pair of tuples that agree on the key set but differ at index 3:
+Tuple 1 in row 14: (897,"Nested",830,332)
+Tuple 2 in row 15: (897,"Nested",830,1143)
+	Relevant element: Full ID for 897: @"(830)((366) p1);constructor". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.Nested;type"}({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1);constructor"
+	Relevant element: Full ID for 830: @"(827).Nested;type". The ID may expand to @"{@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.Nested;type"
+	Relevant element: Full ID for 332: @"(297)((296) p1);constructor". The ID may expand to @"{@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.Nested;type"}({@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}_0;typeparameter"} p1);constructor"
+	Relevant element: Full ID for 897: @"(830)((366) p1);constructor". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.Nested;type"}({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1);constructor"
+	Relevant element: Full ID for 830: @"(827).Nested;type". The ID may expand to @"{@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.Nested;type"
+	Relevant element: Full ID for 1143: @"(297)((366) p1);constructor". The ID may expand to @"{@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.Nested;type"}({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1);constructor"
+[INVALID_KEY_SET] predicate params(@parameter id, string name, @type_or_ref type_id, int index, int mode, @parameterizable parent_id, @parameter unbound_id): The key set {name, parent_id} does not functionally determine all fields.
+Here is a pair of tuples that agree on the key set but differ at index 6:
+Tuple 1 in row 34: (1005,"p1",1083,0,0,828,1138)
+Tuple 2 in row 35: (1005,"p1",1083,0,0,828,1348)
+	Relevant element: Full ID for 1005: @"(828)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
+	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
+	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
+	Relevant element: Full ID for 1138: @"(1135)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(130).TestCollidingMethods`1;type"}_0;typeparameter"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
+	Relevant element: Full ID for 1005: @"(828)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
+	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
+	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
+	Relevant element: Full ID for 1348: @"(813)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
+[INVALID_KEY_SET] predicate params(@parameter id, string name, @type_or_ref type_id, int index, int mode, @parameterizable parent_id, @parameter unbound_id): The key set {name, parent_id} does not functionally determine all fields.
+Here is a pair of tuples that agree on the key set but differ at index 6:
+Tuple 1 in row 42: (1031,"p1",1083,0,0,897,335)
+Tuple 2 in row 43: (1031,"p1",1083,0,0,897,1146)
+	Relevant element: Full ID for 1031: @"(897)_0;parameter". The ID may expand to @"{@"{@"{@"(294)<(366)>;type"}.Nested;type"}({@"{@"(111).System;namespace"}.Int32;type"} p1);constructor"}_0;parameter"
+	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
+	Relevant element: Full ID for 897: @"(830)((366) p1);constructor". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.Nested;type"}({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1);constructor"
+	Relevant element: Full ID for 335: @"(332)_0;parameter". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}.Nested;type"}({@"{@"(130).TestCollidingMethods`1;type"}_0;typeparameter"} p1);constructor"}_0;parameter"
+	Relevant element: Full ID for 1031: @"(897)_0;parameter". The ID may expand to @"{@"{@"{@"(294)<(366)>;type"}.Nested;type"}({@"{@"(111).System;namespace"}.Int32;type"} p1);constructor"}_0;parameter"
+	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
+	Relevant element: Full ID for 897: @"(830)((366) p1);constructor". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.Nested;type"}({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1);constructor"
+	Relevant element: Full ID for 1146: @"(1143)_0;parameter". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}.Nested;type"}({@"{@"(111).System;namespace"}.Int32;type"} p1);constructor"}_0;parameter"
+[INVALID_KEY_SET] predicate params(@parameter id, string name, @type_or_ref type_id, int index, int mode, @parameterizable parent_id, @parameter unbound_id): The key set {name, parent_id} does not functionally determine all fields.
+Here is a pair of tuples that agree on the key set but differ at index 6:
+Tuple 1 in row 36: (1006,"p2",1083,1,0,828,1140)
+Tuple 2 in row 37: (1006,"p2",1083,1,0,828,1350)
+	Relevant element: Full ID for 1006: @"(828)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
+	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
+	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
+	Relevant element: Full ID for 1140: @"(1135)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(130).TestCollidingMethods`1;type"}_0;typeparameter"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
+	Relevant element: Full ID for 1006: @"(828)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
+	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
+	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
+	Relevant element: Full ID for 1350: @"(813)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
+[INVALID_KEY_SET] predicate params(@parameter id, string name, @type_or_ref type_id, int index, int mode, @parameterizable parent_id, @parameter unbound_id): The key set {index, parent_id} does not functionally determine all fields.
+Here is a pair of tuples that agree on the key set but differ at index 6:
+Tuple 1 in row 34: (1005,"p1",1083,0,0,828,1138)
+Tuple 2 in row 35: (1005,"p1",1083,0,0,828,1348)
+	Relevant element: Full ID for 1005: @"(828)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
+	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
+	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
+	Relevant element: Full ID for 1138: @"(1135)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(130).TestCollidingMethods`1;type"}_0;typeparameter"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
+	Relevant element: Full ID for 1005: @"(828)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
+	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
+	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
+	Relevant element: Full ID for 1348: @"(813)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
+[INVALID_KEY_SET] predicate params(@parameter id, string name, @type_or_ref type_id, int index, int mode, @parameterizable parent_id, @parameter unbound_id): The key set {index, parent_id} does not functionally determine all fields.
+Here is a pair of tuples that agree on the key set but differ at index 6:
+Tuple 1 in row 42: (1031,"p1",1083,0,0,897,335)
+Tuple 2 in row 43: (1031,"p1",1083,0,0,897,1146)
+	Relevant element: Full ID for 1031: @"(897)_0;parameter". The ID may expand to @"{@"{@"{@"(294)<(366)>;type"}.Nested;type"}({@"{@"(111).System;namespace"}.Int32;type"} p1);constructor"}_0;parameter"
+	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
+	Relevant element: Full ID for 897: @"(830)((366) p1);constructor". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.Nested;type"}({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1);constructor"
+	Relevant element: Full ID for 335: @"(332)_0;parameter". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}.Nested;type"}({@"{@"(130).TestCollidingMethods`1;type"}_0;typeparameter"} p1);constructor"}_0;parameter"
+	Relevant element: Full ID for 1031: @"(897)_0;parameter". The ID may expand to @"{@"{@"{@"(294)<(366)>;type"}.Nested;type"}({@"{@"(111).System;namespace"}.Int32;type"} p1);constructor"}_0;parameter"
+	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
+	Relevant element: Full ID for 897: @"(830)((366) p1);constructor". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.Nested;type"}({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1);constructor"
+	Relevant element: Full ID for 1146: @"(1143)_0;parameter". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}.Nested;type"}({@"{@"(111).System;namespace"}.Int32;type"} p1);constructor"}_0;parameter"
+[INVALID_KEY_SET] predicate params(@parameter id, string name, @type_or_ref type_id, int index, int mode, @parameterizable parent_id, @parameter unbound_id): The key set {index, parent_id} does not functionally determine all fields.
+Here is a pair of tuples that agree on the key set but differ at index 6:
+Tuple 1 in row 36: (1006,"p2",1083,1,0,828,1140)
+Tuple 2 in row 37: (1006,"p2",1083,1,0,828,1350)
+	Relevant element: Full ID for 1006: @"(828)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
+	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
+	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
+	Relevant element: Full ID for 1140: @"(1135)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(130).TestCollidingMethods`1;type"}_0;typeparameter"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
+	Relevant element: Full ID for 1006: @"(828)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
+	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
+	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
+	Relevant element: Full ID for 1350: @"(813)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
+[INVALID_KEY] predicate params(@parameter id, string name, @type_or_ref type_id, int index, int mode, @parameterizable parent_id, @parameter unbound_id): The key set {id} does not functionally determine all fields.
+Here is a pair of tuples that agree on the key set but differ at index 6:
+Tuple 1 in row 34: (1005,"p1",1083,0,0,828,1138)
+Tuple 2 in row 35: (1005,"p1",1083,0,0,828,1348)
+	Relevant element: Full ID for 1005: @"(828)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
+	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
+	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
+	Relevant element: Full ID for 1138: @"(1135)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(130).TestCollidingMethods`1;type"}_0;typeparameter"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
+	Relevant element: Full ID for 1005: @"(828)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
+	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
+	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
+	Relevant element: Full ID for 1348: @"(813)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
+[INVALID_KEY] predicate params(@parameter id, string name, @type_or_ref type_id, int index, int mode, @parameterizable parent_id, @parameter unbound_id): The key set {id} does not functionally determine all fields.
+Here is a pair of tuples that agree on the key set but differ at index 6:
+Tuple 1 in row 36: (1006,"p2",1083,1,0,828,1140)
+Tuple 2 in row 37: (1006,"p2",1083,1,0,828,1350)
+	Relevant element: Full ID for 1006: @"(828)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
+	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
+	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
+	Relevant element: Full ID for 1140: @"(1135)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(130).TestCollidingMethods`1;type"}_0;typeparameter"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
+	Relevant element: Full ID for 1006: @"(828)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
+	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
+	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
+	Relevant element: Full ID for 1350: @"(813)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
+[INVALID_KEY] predicate params(@parameter id, string name, @type_or_ref type_id, int index, int mode, @parameterizable parent_id, @parameter unbound_id): The key set {id} does not functionally determine all fields.
+Here is a pair of tuples that agree on the key set but differ at index 6:
+Tuple 1 in row 42: (1031,"p1",1083,0,0,897,335)
+Tuple 2 in row 43: (1031,"p1",1083,0,0,897,1146)
+	Relevant element: Full ID for 1031: @"(897)_0;parameter". The ID may expand to @"{@"{@"{@"(294)<(366)>;type"}.Nested;type"}({@"{@"(111).System;namespace"}.Int32;type"} p1);constructor"}_0;parameter"
+	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
+	Relevant element: Full ID for 897: @"(830)((366) p1);constructor". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.Nested;type"}({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1);constructor"
+	Relevant element: Full ID for 335: @"(332)_0;parameter". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}.Nested;type"}({@"{@"(130).TestCollidingMethods`1;type"}_0;typeparameter"} p1);constructor"}_0;parameter"
+	Relevant element: Full ID for 1031: @"(897)_0;parameter". The ID may expand to @"{@"{@"{@"(294)<(366)>;type"}.Nested;type"}({@"{@"(111).System;namespace"}.Int32;type"} p1);constructor"}_0;parameter"
+	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
+	Relevant element: Full ID for 897: @"(830)((366) p1);constructor". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.Nested;type"}({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1);constructor"
+	Relevant element: Full ID for 1146: @"(1143)_0;parameter". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}.Nested;type"}({@"{@"(111).System;namespace"}.Int32;type"} p1);constructor"}_0;parameter"
diff --git a/csharp/ql/test/library-tests/methods/ExtensionMethods.expected b/csharp/ql/test/library-tests/methods/ExtensionMethods.expected
index d7593f8f223..795014ea078 100644
--- a/csharp/ql/test/library-tests/methods/ExtensionMethods.expected
+++ b/csharp/ql/test/library-tests/methods/ExtensionMethods.expected
@@ -1,12 +1,12 @@
-| methods.cs:118:44:118:55 | call to method ToInt32 | 0 | methods.cs:118:52:118:54 | "0" |
-| methods.cs:127:34:127:52 | call to method Slice | 0 | methods.cs:127:34:127:40 | access to local variable strings |
-| methods.cs:127:34:127:52 | call to method Slice | 1 | methods.cs:127:48:127:48 | 1 |
-| methods.cs:127:34:127:52 | call to method Slice | 2 | methods.cs:127:51:127:51 | 2 |
-| methods.cs:129:42:129:52 | call to method ToInt32 | 0 | methods.cs:129:42:129:42 | access to local variable s |
-| methods.cs:132:13:132:34 | call to method ToInt32 | 0 | methods.cs:132:32:132:33 | "" |
-| methods.cs:132:13:132:34 | call to method ToInt32 | -1 | methods.cs:132:13:132:22 | access to type Extensions |
-| methods.cs:134:13:134:49 | call to method ToBool | 0 | methods.cs:134:31:134:36 | "true" |
-| methods.cs:134:13:134:49 | call to method ToBool | 1 | methods.cs:134:39:134:48 | delegate creation of type Func<String,Boolean> |
-| methods.cs:134:13:134:49 | call to method ToBool | -1 | methods.cs:134:13:134:22 | access to type Extensions |
-| methods.cs:180:20:180:39 | call to method SkipTwo | 0 | methods.cs:180:20:180:23 | access to parameter list |
-| methods.cs:180:20:180:39 | call to method SkipTwo | 1 | methods.cs:180:38:180:38 | access to parameter i |
+| methods.cs:119:44:119:55 | call to method ToInt32 | 0 | methods.cs:119:52:119:54 | "0" |
+| methods.cs:128:34:128:52 | call to method Slice | 0 | methods.cs:128:34:128:40 | access to local variable strings |
+| methods.cs:128:34:128:52 | call to method Slice | 1 | methods.cs:128:48:128:48 | 1 |
+| methods.cs:128:34:128:52 | call to method Slice | 2 | methods.cs:128:51:128:51 | 2 |
+| methods.cs:130:42:130:52 | call to method ToInt32 | 0 | methods.cs:130:42:130:42 | access to local variable s |
+| methods.cs:133:13:133:34 | call to method ToInt32 | 0 | methods.cs:133:32:133:33 | "" |
+| methods.cs:133:13:133:34 | call to method ToInt32 | -1 | methods.cs:133:13:133:22 | access to type Extensions |
+| methods.cs:135:13:135:49 | call to method ToBool | 0 | methods.cs:135:31:135:36 | "true" |
+| methods.cs:135:13:135:49 | call to method ToBool | 1 | methods.cs:135:39:135:48 | delegate creation of type Func<String,Boolean> |
+| methods.cs:135:13:135:49 | call to method ToBool | -1 | methods.cs:135:13:135:22 | access to type Extensions |
+| methods.cs:181:20:181:39 | call to method SkipTwo | 0 | methods.cs:181:20:181:23 | access to parameter list |
+| methods.cs:181:20:181:39 | call to method SkipTwo | 1 | methods.cs:181:38:181:38 | access to parameter i |
diff --git a/csharp/ql/test/library-tests/methods/Methods1.expected b/csharp/ql/test/library-tests/methods/Methods1.expected
index be14a801185..054f358330f 100644
--- a/csharp/ql/test/library-tests/methods/Methods1.expected
+++ b/csharp/ql/test/library-tests/methods/Methods1.expected
@@ -1 +1 @@
-| methods.cs:9:21:9:24 | Swap |
+| methods.cs:10:21:10:24 | Swap |
diff --git a/csharp/ql/test/library-tests/methods/Methods2.expected b/csharp/ql/test/library-tests/methods/Methods2.expected
index b9fad0aa394..d0dc1559fa6 100644
--- a/csharp/ql/test/library-tests/methods/Methods2.expected
+++ b/csharp/ql/test/library-tests/methods/Methods2.expected
@@ -1 +1 @@
-| methods.cs:28:28:28:33 | Divide |
+| methods.cs:29:28:29:33 | Divide |
diff --git a/csharp/ql/test/library-tests/methods/Methods3.expected b/csharp/ql/test/library-tests/methods/Methods3.expected
index 8c726a4b6ff..1fb5f1dd0ba 100644
--- a/csharp/ql/test/library-tests/methods/Methods3.expected
+++ b/csharp/ql/test/library-tests/methods/Methods3.expected
@@ -1 +1 @@
-| methods.cs:49:11:49:25 | TestOverloading |
+| methods.cs:50:11:50:25 | TestOverloading |
diff --git a/csharp/ql/test/library-tests/methods/Methods4.expected b/csharp/ql/test/library-tests/methods/Methods4.expected
index f709606a238..6eaa7230538 100644
--- a/csharp/ql/test/library-tests/methods/Methods4.expected
+++ b/csharp/ql/test/library-tests/methods/Methods4.expected
@@ -1 +1 @@
-| methods.cs:49:11:49:25 | TestOverloading | methods.cs:57:21:57:21 | F | Object |
+| methods.cs:50:11:50:25 | TestOverloading | methods.cs:58:21:58:21 | F | Object |
diff --git a/csharp/ql/test/library-tests/methods/Methods5.expected b/csharp/ql/test/library-tests/methods/Methods5.expected
index 4f7e31d5bee..03638800b01 100644
--- a/csharp/ql/test/library-tests/methods/Methods5.expected
+++ b/csharp/ql/test/library-tests/methods/Methods5.expected
@@ -1,22 +1,30 @@
-| methods.cs:16:14:16:17 | Main | methods.cs:9:21:9:24 | Swap | methods.cs:6:18:6:24 | TestRef |
-| methods.cs:16:14:16:17 | Main | methods.cs:46:28:46:36 | WriteLine | methods.cs:6:18:6:24 | TestRef |
-| methods.cs:34:14:34:17 | Main | methods.cs:28:28:28:33 | Divide | methods.cs:25:18:25:24 | TestOut |
-| methods.cs:34:14:34:17 | Main | methods.cs:46:28:46:36 | WriteLine | methods.cs:25:18:25:24 | TestOut |
-| methods.cs:52:21:52:21 | F | methods.cs:46:28:46:36 | WriteLine | methods.cs:49:11:49:25 | TestOverloading |
-| methods.cs:57:21:57:21 | F | methods.cs:46:28:46:36 | WriteLine | methods.cs:49:11:49:25 | TestOverloading |
-| methods.cs:62:21:62:21 | F | methods.cs:46:28:46:36 | WriteLine | methods.cs:49:11:49:25 | TestOverloading |
-| methods.cs:67:21:67:21 | F | methods.cs:46:28:46:36 | WriteLine | methods.cs:49:11:49:25 | TestOverloading |
-| methods.cs:72:21:72:24 | F | methods.cs:46:28:46:36 | WriteLine | methods.cs:49:11:49:25 | TestOverloading |
-| methods.cs:77:21:77:21 | F | methods.cs:46:28:46:36 | WriteLine | methods.cs:49:11:49:25 | TestOverloading |
-| methods.cs:82:14:82:17 | Main | methods.cs:52:21:52:21 | F | methods.cs:49:11:49:25 | TestOverloading |
-| methods.cs:82:14:82:17 | Main | methods.cs:57:21:57:21 | F | methods.cs:49:11:49:25 | TestOverloading |
-| methods.cs:82:14:82:17 | Main | methods.cs:62:21:62:21 | F | methods.cs:49:11:49:25 | TestOverloading |
-| methods.cs:82:14:82:17 | Main | methods.cs:67:21:67:21 | F | methods.cs:49:11:49:25 | TestOverloading |
-| methods.cs:82:14:82:17 | Main | methods.cs:72:21:72:24 | F | methods.cs:49:11:49:25 | TestOverloading |
-| methods.cs:82:14:82:17 | Main | methods.cs:72:21:72:24 | F | methods.cs:49:11:49:25 | TestOverloading |
-| methods.cs:82:14:82:17 | Main | methods.cs:77:21:77:21 | F | methods.cs:49:11:49:25 | TestOverloading |
-| methods.cs:118:27:118:37 | CallToInt32 | methods.cs:99:27:99:33 | ToInt32 | methods.cs:96:25:96:34 | Extensions |
-| methods.cs:124:21:124:24 | Main | methods.cs:99:27:99:33 | ToInt32 | methods.cs:121:18:121:31 | TestExtensions |
-| methods.cs:124:21:124:24 | Main | methods.cs:104:28:104:33 | ToBool | methods.cs:121:18:121:31 | TestExtensions |
-| methods.cs:124:21:124:24 | Main | methods.cs:109:27:109:34 | Slice | methods.cs:121:18:121:31 | TestExtensions |
-| methods.cs:178:67:178:76 | SkipTwoInt | methods.cs:173:65:173:74 | SkipTwo | methods.cs:166:18:166:47 | TestDefaultExtensionParameters |
+| methods.cs:17:14:17:17 | Main | methods.cs:10:21:10:24 | Swap | methods.cs:7:18:7:24 | TestRef |
+| methods.cs:17:14:17:17 | Main | methods.cs:47:28:47:36 | WriteLine | methods.cs:7:18:7:24 | TestRef |
+| methods.cs:35:14:35:17 | Main | methods.cs:29:28:29:33 | Divide | methods.cs:26:18:26:24 | TestOut |
+| methods.cs:35:14:35:17 | Main | methods.cs:47:28:47:36 | WriteLine | methods.cs:26:18:26:24 | TestOut |
+| methods.cs:53:21:53:21 | F | methods.cs:47:28:47:36 | WriteLine | methods.cs:50:11:50:25 | TestOverloading |
+| methods.cs:58:21:58:21 | F | methods.cs:47:28:47:36 | WriteLine | methods.cs:50:11:50:25 | TestOverloading |
+| methods.cs:63:21:63:21 | F | methods.cs:47:28:47:36 | WriteLine | methods.cs:50:11:50:25 | TestOverloading |
+| methods.cs:68:21:68:21 | F | methods.cs:47:28:47:36 | WriteLine | methods.cs:50:11:50:25 | TestOverloading |
+| methods.cs:73:21:73:24 | F | methods.cs:47:28:47:36 | WriteLine | methods.cs:50:11:50:25 | TestOverloading |
+| methods.cs:78:21:78:21 | F | methods.cs:47:28:47:36 | WriteLine | methods.cs:50:11:50:25 | TestOverloading |
+| methods.cs:83:14:83:17 | Main | methods.cs:53:21:53:21 | F | methods.cs:50:11:50:25 | TestOverloading |
+| methods.cs:83:14:83:17 | Main | methods.cs:58:21:58:21 | F | methods.cs:50:11:50:25 | TestOverloading |
+| methods.cs:83:14:83:17 | Main | methods.cs:63:21:63:21 | F | methods.cs:50:11:50:25 | TestOverloading |
+| methods.cs:83:14:83:17 | Main | methods.cs:68:21:68:21 | F | methods.cs:50:11:50:25 | TestOverloading |
+| methods.cs:83:14:83:17 | Main | methods.cs:73:21:73:24 | F | methods.cs:50:11:50:25 | TestOverloading |
+| methods.cs:83:14:83:17 | Main | methods.cs:73:21:73:24 | F | methods.cs:50:11:50:25 | TestOverloading |
+| methods.cs:83:14:83:17 | Main | methods.cs:78:21:78:21 | F | methods.cs:50:11:50:25 | TestOverloading |
+| methods.cs:119:27:119:37 | CallToInt32 | methods.cs:100:27:100:33 | ToInt32 | methods.cs:97:25:97:34 | Extensions |
+| methods.cs:125:21:125:24 | Main | methods.cs:100:27:100:33 | ToInt32 | methods.cs:122:18:122:31 | TestExtensions |
+| methods.cs:125:21:125:24 | Main | methods.cs:105:28:105:33 | ToBool | methods.cs:122:18:122:31 | TestExtensions |
+| methods.cs:125:21:125:24 | Main | methods.cs:110:27:110:34 | Slice | methods.cs:122:18:122:31 | TestExtensions |
+| methods.cs:179:67:179:76 | SkipTwoInt | methods.cs:174:65:174:74 | SkipTwo | methods.cs:167:18:167:47 | TestDefaultExtensionParameters |
+| methods.cs:190:21:190:25 | Calls | methods.cs:187:21:187:21 | M | methods.cs:185:18:185:40 | TestCollidingMethods<> |
+| methods.cs:190:21:190:25 | Calls | methods.cs:187:21:187:21 | M | methods.cs:185:18:185:40 | TestCollidingMethods<> |
+| methods.cs:190:21:190:25 | Calls | methods.cs:188:21:188:21 | M | methods.cs:185:18:185:40 | TestCollidingMethods<> |
+| methods.cs:190:21:190:25 | Calls | methods.cs:188:21:188:21 | M | methods.cs:185:18:185:40 | TestCollidingMethods<> |
+| methods.cs:203:20:203:25 | Nested | methods.cs:202:20:202:25 | Nested | methods.cs:200:22:200:27 | Nested |
+| methods.cs:203:20:203:25 | Nested | methods.cs:202:20:202:25 | Nested | methods.cs:200:22:200:27 | Nested |
+| methods.cs:203:20:203:25 | Nested | methods.cs:203:20:203:25 | Nested | methods.cs:200:22:200:27 | Nested |
+| methods.cs:203:20:203:25 | Nested | methods.cs:203:20:203:25 | Nested | methods.cs:200:22:200:27 | Nested |
diff --git a/csharp/ql/test/library-tests/methods/Parameters1.expected b/csharp/ql/test/library-tests/methods/Parameters1.expected
index 9d9948f38dd..e4e643616f6 100644
--- a/csharp/ql/test/library-tests/methods/Parameters1.expected
+++ b/csharp/ql/test/library-tests/methods/Parameters1.expected
@@ -1,2 +1,2 @@
-| methods.cs:9:21:9:24 | Swap | methods.cs:9:34:9:34 | x |
-| methods.cs:9:21:9:24 | Swap | methods.cs:9:45:9:45 | y |
+| methods.cs:10:21:10:24 | Swap | methods.cs:10:34:10:34 | x |
+| methods.cs:10:21:10:24 | Swap | methods.cs:10:45:10:45 | y |
diff --git a/csharp/ql/test/library-tests/methods/Parameters2.expected b/csharp/ql/test/library-tests/methods/Parameters2.expected
index 645af10244f..30a7ca05274 100644
--- a/csharp/ql/test/library-tests/methods/Parameters2.expected
+++ b/csharp/ql/test/library-tests/methods/Parameters2.expected
@@ -1,4 +1,4 @@
-| methods.cs:28:28:28:33 | Divide | methods.cs:28:39:28:39 | x |
-| methods.cs:28:28:28:33 | Divide | methods.cs:28:46:28:46 | y |
-| methods.cs:28:28:28:33 | Divide | methods.cs:28:57:28:62 | result |
-| methods.cs:28:28:28:33 | Divide | methods.cs:28:73:28:81 | remainder |
+| methods.cs:29:28:29:33 | Divide | methods.cs:29:39:29:39 | x |
+| methods.cs:29:28:29:33 | Divide | methods.cs:29:46:29:46 | y |
+| methods.cs:29:28:29:33 | Divide | methods.cs:29:57:29:62 | result |
+| methods.cs:29:28:29:33 | Divide | methods.cs:29:73:29:81 | remainder |
diff --git a/csharp/ql/test/library-tests/methods/Parameters3.expected b/csharp/ql/test/library-tests/methods/Parameters3.expected
index 68936353065..ae1c5c02e80 100644
--- a/csharp/ql/test/library-tests/methods/Parameters3.expected
+++ b/csharp/ql/test/library-tests/methods/Parameters3.expected
@@ -1,2 +1,2 @@
-| methods.cs:45:28:45:32 | Write | Object[] |
-| methods.cs:45:28:45:32 | Write | String |
+| methods.cs:46:28:46:32 | Write | Object[] |
+| methods.cs:46:28:46:32 | Write | String |
diff --git a/csharp/ql/test/library-tests/methods/Parameters5.expected b/csharp/ql/test/library-tests/methods/Parameters5.expected
index 823329fe908..1fd039430b1 100644
--- a/csharp/ql/test/library-tests/methods/Parameters5.expected
+++ b/csharp/ql/test/library-tests/methods/Parameters5.expected
@@ -1,7 +1,7 @@
-| methods.cs:145:40:145:40 | c | methods.cs:145:44:145:44 | 1 | 1 |
-| methods.cs:145:51:145:51 | d | methods.cs:145:55:145:55 | 2 | 2 |
-| methods.cs:145:65:145:65 | e | methods.cs:145:69:145:77 | ... + ... | ab |
-| methods.cs:153:45:153:45 | x | methods.cs:153:49:153:53 | "abc" | abc |
-| methods.cs:153:63:153:63 | y | methods.cs:153:67:153:78 | object creation of type Double | 0 |
-| methods.cs:159:36:159:36 | y | methods.cs:159:40:159:40 | 0 | 0 |
-| methods.cs:159:36:159:36 | y | methods.cs:159:40:159:40 | 0 | 0 |
+| methods.cs:146:40:146:40 | c | methods.cs:146:44:146:44 | 1 | 1 |
+| methods.cs:146:51:146:51 | d | methods.cs:146:55:146:55 | 2 | 2 |
+| methods.cs:146:65:146:65 | e | methods.cs:146:69:146:77 | ... + ... | ab |
+| methods.cs:154:45:154:45 | x | methods.cs:154:49:154:53 | "abc" | abc |
+| methods.cs:154:63:154:63 | y | methods.cs:154:67:154:78 | object creation of type Double | 0 |
+| methods.cs:160:36:160:36 | y | methods.cs:160:40:160:40 | 0 | 0 |
+| methods.cs:160:36:160:36 | y | methods.cs:160:40:160:40 | 0 | 0 |
diff --git a/csharp/ql/test/library-tests/methods/Parameters6.expected b/csharp/ql/test/library-tests/methods/Parameters6.expected
index 25c2a9e1e9f..c431492acd1 100644
--- a/csharp/ql/test/library-tests/methods/Parameters6.expected
+++ b/csharp/ql/test/library-tests/methods/Parameters6.expected
@@ -1,2 +1,2 @@
-| methods.cs:157:40:157:40 | b | methods.cs:157:44:157:45 | 12 | 12 |
-| methods.cs:157:55:157:55 | c | methods.cs:157:59:157:70 | object creation of type Double | 0 |
+| methods.cs:158:40:158:40 | b | methods.cs:158:44:158:45 | 12 | 12 |
+| methods.cs:158:55:158:55 | c | methods.cs:158:59:158:70 | object creation of type Double | 0 |
diff --git a/csharp/ql/test/library-tests/methods/Parameters7.expected b/csharp/ql/test/library-tests/methods/Parameters7.expected
index 372d22c8dfd..bbc0f36bae0 100644
--- a/csharp/ql/test/library-tests/methods/Parameters7.expected
+++ b/csharp/ql/test/library-tests/methods/Parameters7.expected
@@ -1 +1 @@
-| methods.cs:162:13:162:15 | value |
+| methods.cs:163:13:163:15 | value |
diff --git a/csharp/ql/test/library-tests/methods/Parameters8.expected b/csharp/ql/test/library-tests/methods/Parameters8.expected
index d6bebaf61cc..6efd343a538 100644
--- a/csharp/ql/test/library-tests/methods/Parameters8.expected
+++ b/csharp/ql/test/library-tests/methods/Parameters8.expected
@@ -1,43 +1,59 @@
-| methods.cs:9:21:9:24 | Swap | methods.cs:9:34:9:34 | x |
-| methods.cs:9:21:9:24 | Swap | methods.cs:9:45:9:45 | y |
-| methods.cs:28:28:28:33 | Divide | methods.cs:28:39:28:39 | x |
-| methods.cs:28:28:28:33 | Divide | methods.cs:28:46:28:46 | y |
-| methods.cs:28:28:28:33 | Divide | methods.cs:28:57:28:62 | result |
-| methods.cs:28:28:28:33 | Divide | methods.cs:28:73:28:81 | remainder |
-| methods.cs:45:28:45:32 | Write | methods.cs:45:41:45:43 | fmt |
-| methods.cs:45:28:45:32 | Write | methods.cs:45:62:45:65 | args |
-| methods.cs:46:28:46:36 | WriteLine | methods.cs:46:45:46:47 | fmt |
-| methods.cs:46:28:46:36 | WriteLine | methods.cs:46:66:46:69 | args |
-| methods.cs:57:21:57:21 | F | methods.cs:57:30:57:30 | x |
-| methods.cs:62:21:62:21 | F | methods.cs:62:27:62:27 | x |
-| methods.cs:67:21:67:21 | F | methods.cs:67:30:67:30 | x |
-| methods.cs:72:21:72:24 | F | methods.cs:72:28:72:28 | x |
-| methods.cs:72:21:72:24 | F | methods.cs:72:28:72:28 | x |
-| methods.cs:72:21:72:24 | F | methods.cs:72:28:72:28 | x |
-| methods.cs:77:21:77:21 | F | methods.cs:77:30:77:30 | x |
-| methods.cs:77:21:77:21 | F | methods.cs:77:40:77:40 | y |
-| methods.cs:99:27:99:33 | ToInt32 | methods.cs:99:35:99:47 | s |
-| methods.cs:99:27:99:33 | ToInt32 | methods.cs:99:47:99:47 | s |
-| methods.cs:104:28:104:33 | ToBool | methods.cs:104:47:104:47 | s |
-| methods.cs:104:28:104:33 | ToBool | methods.cs:104:69:104:69 | f |
-| methods.cs:109:27:109:34 | Slice | methods.cs:109:36:109:50 | source |
-| methods.cs:109:27:109:34 | Slice | methods.cs:109:45:109:50 | source |
-| methods.cs:109:27:109:34 | Slice | methods.cs:109:57:109:61 | index |
-| methods.cs:109:27:109:34 | Slice | methods.cs:109:57:109:61 | index |
-| methods.cs:109:27:109:34 | Slice | methods.cs:109:68:109:72 | count |
-| methods.cs:109:27:109:34 | Slice | methods.cs:109:68:109:72 | count |
-| methods.cs:141:14:141:20 | Method1 | methods.cs:141:26:141:26 | x |
-| methods.cs:141:14:141:20 | Method1 | methods.cs:141:33:141:33 | y |
-| methods.cs:145:14:145:20 | Method2 | methods.cs:145:26:145:26 | a |
-| methods.cs:145:14:145:20 | Method2 | methods.cs:145:33:145:33 | b |
-| methods.cs:145:14:145:20 | Method2 | methods.cs:145:40:145:40 | c |
-| methods.cs:145:14:145:20 | Method2 | methods.cs:145:51:145:51 | d |
-| methods.cs:145:14:145:20 | Method2 | methods.cs:145:65:145:65 | e |
-| methods.cs:168:27:168:30 | Plus | methods.cs:168:41:168:44 | left |
-| methods.cs:168:27:168:30 | Plus | methods.cs:168:51:168:55 | right |
-| methods.cs:173:65:173:74 | SkipTwo | methods.cs:173:76:173:126 | list |
-| methods.cs:173:65:173:74 | SkipTwo | methods.cs:173:123:173:126 | list |
-| methods.cs:173:65:173:74 | SkipTwo | methods.cs:173:133:173:133 | i |
-| methods.cs:173:65:173:74 | SkipTwo | methods.cs:173:133:173:133 | i |
-| methods.cs:178:67:178:76 | SkipTwoInt | methods.cs:178:127:178:130 | list |
-| methods.cs:178:67:178:76 | SkipTwoInt | methods.cs:178:137:178:137 | i |
+| methods.cs:10:21:10:24 | Swap | methods.cs:10:34:10:34 | x |
+| methods.cs:10:21:10:24 | Swap | methods.cs:10:45:10:45 | y |
+| methods.cs:29:28:29:33 | Divide | methods.cs:29:39:29:39 | x |
+| methods.cs:29:28:29:33 | Divide | methods.cs:29:46:29:46 | y |
+| methods.cs:29:28:29:33 | Divide | methods.cs:29:57:29:62 | result |
+| methods.cs:29:28:29:33 | Divide | methods.cs:29:73:29:81 | remainder |
+| methods.cs:46:28:46:32 | Write | methods.cs:46:41:46:43 | fmt |
+| methods.cs:46:28:46:32 | Write | methods.cs:46:62:46:65 | args |
+| methods.cs:47:28:47:36 | WriteLine | methods.cs:47:45:47:47 | fmt |
+| methods.cs:47:28:47:36 | WriteLine | methods.cs:47:66:47:69 | args |
+| methods.cs:58:21:58:21 | F | methods.cs:58:30:58:30 | x |
+| methods.cs:63:21:63:21 | F | methods.cs:63:27:63:27 | x |
+| methods.cs:68:21:68:21 | F | methods.cs:68:30:68:30 | x |
+| methods.cs:73:21:73:24 | F | methods.cs:73:28:73:28 | x |
+| methods.cs:73:21:73:24 | F | methods.cs:73:28:73:28 | x |
+| methods.cs:73:21:73:24 | F | methods.cs:73:28:73:28 | x |
+| methods.cs:78:21:78:21 | F | methods.cs:78:30:78:30 | x |
+| methods.cs:78:21:78:21 | F | methods.cs:78:40:78:40 | y |
+| methods.cs:100:27:100:33 | ToInt32 | methods.cs:100:35:100:47 | s |
+| methods.cs:100:27:100:33 | ToInt32 | methods.cs:100:47:100:47 | s |
+| methods.cs:105:28:105:33 | ToBool | methods.cs:105:47:105:47 | s |
+| methods.cs:105:28:105:33 | ToBool | methods.cs:105:69:105:69 | f |
+| methods.cs:110:27:110:34 | Slice | methods.cs:110:36:110:50 | source |
+| methods.cs:110:27:110:34 | Slice | methods.cs:110:45:110:50 | source |
+| methods.cs:110:27:110:34 | Slice | methods.cs:110:57:110:61 | index |
+| methods.cs:110:27:110:34 | Slice | methods.cs:110:57:110:61 | index |
+| methods.cs:110:27:110:34 | Slice | methods.cs:110:68:110:72 | count |
+| methods.cs:110:27:110:34 | Slice | methods.cs:110:68:110:72 | count |
+| methods.cs:142:14:142:20 | Method1 | methods.cs:142:26:142:26 | x |
+| methods.cs:142:14:142:20 | Method1 | methods.cs:142:33:142:33 | y |
+| methods.cs:146:14:146:20 | Method2 | methods.cs:146:26:146:26 | a |
+| methods.cs:146:14:146:20 | Method2 | methods.cs:146:33:146:33 | b |
+| methods.cs:146:14:146:20 | Method2 | methods.cs:146:40:146:40 | c |
+| methods.cs:146:14:146:20 | Method2 | methods.cs:146:51:146:51 | d |
+| methods.cs:146:14:146:20 | Method2 | methods.cs:146:65:146:65 | e |
+| methods.cs:169:27:169:30 | Plus | methods.cs:169:41:169:44 | left |
+| methods.cs:169:27:169:30 | Plus | methods.cs:169:51:169:55 | right |
+| methods.cs:174:65:174:74 | SkipTwo | methods.cs:174:76:174:126 | list |
+| methods.cs:174:65:174:74 | SkipTwo | methods.cs:174:123:174:126 | list |
+| methods.cs:174:65:174:74 | SkipTwo | methods.cs:174:133:174:133 | i |
+| methods.cs:174:65:174:74 | SkipTwo | methods.cs:174:133:174:133 | i |
+| methods.cs:179:67:179:76 | SkipTwoInt | methods.cs:179:127:179:130 | list |
+| methods.cs:179:67:179:76 | SkipTwoInt | methods.cs:179:137:179:137 | i |
+| methods.cs:187:21:187:21 | M | methods.cs:187:25:187:26 | p1 |
+| methods.cs:187:21:187:21 | M | methods.cs:187:25:187:26 | p1 |
+| methods.cs:187:21:187:21 | M | methods.cs:187:25:187:26 | p1 |
+| methods.cs:187:21:187:21 | M | methods.cs:187:33:187:34 | p2 |
+| methods.cs:187:21:187:21 | M | methods.cs:187:33:187:34 | p2 |
+| methods.cs:187:21:187:21 | M | methods.cs:187:33:187:34 | p2 |
+| methods.cs:187:21:187:21 | M | methods.cs:188:27:188:28 | p1 |
+| methods.cs:187:21:187:21 | M | methods.cs:188:35:188:36 | p2 |
+| methods.cs:188:21:188:21 | M | methods.cs:187:25:187:26 | p1 |
+| methods.cs:188:21:188:21 | M | methods.cs:187:33:187:34 | p2 |
+| methods.cs:188:21:188:21 | M | methods.cs:188:27:188:28 | p1 |
+| methods.cs:188:21:188:21 | M | methods.cs:188:27:188:28 | p1 |
+| methods.cs:188:21:188:21 | M | methods.cs:188:27:188:28 | p1 |
+| methods.cs:188:21:188:21 | M | methods.cs:188:35:188:36 | p2 |
+| methods.cs:188:21:188:21 | M | methods.cs:188:35:188:36 | p2 |
+| methods.cs:188:21:188:21 | M | methods.cs:188:35:188:36 | p2 |
diff --git a/csharp/ql/test/library-tests/methods/Parameters9.expected b/csharp/ql/test/library-tests/methods/Parameters9.expected
index 2af714b9abc..ee0a6ef0e53 100644
--- a/csharp/ql/test/library-tests/methods/Parameters9.expected
+++ b/csharp/ql/test/library-tests/methods/Parameters9.expected
@@ -1,7 +1,7 @@
-| methods.cs:145:40:145:40 | c | methods.cs:145:44:145:44 | 1 | Method2(int, int, int, int, string) |
-| methods.cs:145:51:145:51 | d | methods.cs:145:55:145:55 | 2 | Method2(int, int, int, int, string) |
-| methods.cs:145:65:145:65 | e | methods.cs:145:69:145:77 | ... + ... | Method2(int, int, int, int, string) |
-| methods.cs:168:51:168:55 | right | methods.cs:168:59:168:59 | 0 | Plus(int, int) |
-| methods.cs:173:133:173:133 | i | methods.cs:173:137:173:137 | 1 | SkipTwo<T>(IEnumerable<T>, int) |
-| methods.cs:173:133:173:133 | i | methods.cs:173:137:173:137 | 1 | SkipTwo<int>(IEnumerable<Int32>, int) |
-| methods.cs:178:137:178:137 | i | methods.cs:178:141:178:141 | 1 | SkipTwoInt(IEnumerable<Int32>, int) |
+| methods.cs:146:40:146:40 | c | methods.cs:146:44:146:44 | 1 | Method2(int, int, int, int, string) |
+| methods.cs:146:51:146:51 | d | methods.cs:146:55:146:55 | 2 | Method2(int, int, int, int, string) |
+| methods.cs:146:65:146:65 | e | methods.cs:146:69:146:77 | ... + ... | Method2(int, int, int, int, string) |
+| methods.cs:169:51:169:55 | right | methods.cs:169:59:169:59 | 0 | Plus(int, int) |
+| methods.cs:174:133:174:133 | i | methods.cs:174:137:174:137 | 1 | SkipTwo<T>(IEnumerable<T>, int) |
+| methods.cs:174:133:174:133 | i | methods.cs:174:137:174:137 | 1 | SkipTwo<int>(IEnumerable<Int32>, int) |
+| methods.cs:179:137:179:137 | i | methods.cs:179:141:179:141 | 1 | SkipTwoInt(IEnumerable<Int32>, int) |
diff --git a/csharp/ql/test/library-tests/methods/PrintAst.expected b/csharp/ql/test/library-tests/methods/PrintAst.expected
index a41e0362094..a2220c63ea0 100644
--- a/csharp/ql/test/library-tests/methods/PrintAst.expected
+++ b/csharp/ql/test/library-tests/methods/PrintAst.expected
@@ -1,53 +1,44 @@
 methods.cs:
-#    3| [NamespaceDeclaration] namespace ... { ... }
-#    6|   1: [Class] TestRef
-#    9|     5: [Method] Swap
-#    9|       -1: [TypeMention] Void
+#    4| [NamespaceDeclaration] namespace ... { ... }
+#    7|   1: [Class] TestRef
+#   10|     5: [Method] Swap
+#   10|       -1: [TypeMention] Void
 #-----|       2: (Parameters)
-#    9|         0: [Parameter] x
-#    9|           -1: [TypeMention] int
-#    9|         1: [Parameter] y
-#    9|           -1: [TypeMention] int
-#   10|       4: [BlockStmt] {...}
-#   11|         0: [LocalVariableDeclStmt] ... ...;
-#   11|           0: [LocalVariableDeclAndInitExpr] Int32 temp = ...
-#   11|             -1: [TypeMention] int
-#   11|             0: [LocalVariableAccess] access to local variable temp
-#   11|             1: [ParameterAccess] access to parameter x
-#   12|         1: [ExprStmt] ...;
-#   12|           0: [AssignExpr] ... = ...
-#   12|             0: [ParameterAccess] access to parameter x
-#   12|             1: [ParameterAccess] access to parameter y
-#   13|         2: [ExprStmt] ...;
+#   10|         0: [Parameter] x
+#   10|           -1: [TypeMention] int
+#   10|         1: [Parameter] y
+#   10|           -1: [TypeMention] int
+#   11|       4: [BlockStmt] {...}
+#   12|         0: [LocalVariableDeclStmt] ... ...;
+#   12|           0: [LocalVariableDeclAndInitExpr] Int32 temp = ...
+#   12|             -1: [TypeMention] int
+#   12|             0: [LocalVariableAccess] access to local variable temp
+#   12|             1: [ParameterAccess] access to parameter x
+#   13|         1: [ExprStmt] ...;
 #   13|           0: [AssignExpr] ... = ...
-#   13|             0: [ParameterAccess] access to parameter y
-#   13|             1: [LocalVariableAccess] access to local variable temp
-#   16|     6: [Method] Main
-#   16|       -1: [TypeMention] Void
-#   17|       4: [BlockStmt] {...}
-#   18|         0: [LocalVariableDeclStmt] ... ...;
-#   18|           0: [LocalVariableDeclAndInitExpr] Int32 i = ...
-#   18|             -1: [TypeMention] int
-#   18|             0: [LocalVariableAccess] access to local variable i
-#   18|             1: [IntLiteral] 1
-#   18|           1: [LocalVariableDeclAndInitExpr] Int32 j = ...
-#   18|             -1: [TypeMention] int
-#   18|             0: [LocalVariableAccess] access to local variable j
-#   18|             1: [IntLiteral] 2
-#   19|         1: [ExprStmt] ...;
-#   19|           0: [MethodCall] call to method Swap
+#   13|             0: [ParameterAccess] access to parameter x
+#   13|             1: [ParameterAccess] access to parameter y
+#   14|         2: [ExprStmt] ...;
+#   14|           0: [AssignExpr] ... = ...
+#   14|             0: [ParameterAccess] access to parameter y
+#   14|             1: [LocalVariableAccess] access to local variable temp
+#   17|     6: [Method] Main
+#   17|       -1: [TypeMention] Void
+#   18|       4: [BlockStmt] {...}
+#   19|         0: [LocalVariableDeclStmt] ... ...;
+#   19|           0: [LocalVariableDeclAndInitExpr] Int32 i = ...
+#   19|             -1: [TypeMention] int
 #   19|             0: [LocalVariableAccess] access to local variable i
-#   19|             1: [LocalVariableAccess] access to local variable j
-#   20|         2: [ExprStmt] ...;
-#   20|           0: [MethodCall] call to method WriteLine
-#   20|             -1: [TypeAccess] access to type Console
-#   20|               0: [TypeMention] Console
-#   20|             0: [StringLiteral] "{0} {1}"
-#   20|             1: [CastExpr] (...) ...
-#   20|               1: [LocalVariableAccess] access to local variable i
-#   20|             2: [CastExpr] (...) ...
-#   20|               1: [LocalVariableAccess] access to local variable j
-#   21|         3: [ExprStmt] ...;
+#   19|             1: [IntLiteral] 1
+#   19|           1: [LocalVariableDeclAndInitExpr] Int32 j = ...
+#   19|             -1: [TypeMention] int
+#   19|             0: [LocalVariableAccess] access to local variable j
+#   19|             1: [IntLiteral] 2
+#   20|         1: [ExprStmt] ...;
+#   20|           0: [MethodCall] call to method Swap
+#   20|             0: [LocalVariableAccess] access to local variable i
+#   20|             1: [LocalVariableAccess] access to local variable j
+#   21|         2: [ExprStmt] ...;
 #   21|           0: [MethodCall] call to method WriteLine
 #   21|             -1: [TypeAccess] access to type Console
 #   21|               0: [TypeMention] Console
@@ -56,65 +47,65 @@ methods.cs:
 #   21|               1: [LocalVariableAccess] access to local variable i
 #   21|             2: [CastExpr] (...) ...
 #   21|               1: [LocalVariableAccess] access to local variable j
-#   25|   2: [Class] TestOut
-#   28|     5: [Method] Divide
-#   28|       -1: [TypeMention] Void
+#   22|         3: [ExprStmt] ...;
+#   22|           0: [MethodCall] call to method WriteLine
+#   22|             -1: [TypeAccess] access to type Console
+#   22|               0: [TypeMention] Console
+#   22|             0: [StringLiteral] "{0} {1}"
+#   22|             1: [CastExpr] (...) ...
+#   22|               1: [LocalVariableAccess] access to local variable i
+#   22|             2: [CastExpr] (...) ...
+#   22|               1: [LocalVariableAccess] access to local variable j
+#   26|   2: [Class] TestOut
+#   29|     5: [Method] Divide
+#   29|       -1: [TypeMention] Void
 #-----|       2: (Parameters)
-#   28|         0: [Parameter] x
-#   28|           -1: [TypeMention] int
-#   28|         1: [Parameter] y
-#   28|           -1: [TypeMention] int
-#   28|         2: [Parameter] result
-#   28|           -1: [TypeMention] int
-#   28|         3: [Parameter] remainder
-#   28|           -1: [TypeMention] int
-#   29|       4: [BlockStmt] {...}
-#   30|         0: [ExprStmt] ...;
-#   30|           0: [AssignExpr] ... = ...
-#   30|             0: [ParameterAccess] access to parameter result
-#   30|             1: [DivExpr] ... / ...
-#   30|               0: [ParameterAccess] access to parameter x
-#   30|               1: [ParameterAccess] access to parameter y
-#   31|         1: [ExprStmt] ...;
+#   29|         0: [Parameter] x
+#   29|           -1: [TypeMention] int
+#   29|         1: [Parameter] y
+#   29|           -1: [TypeMention] int
+#   29|         2: [Parameter] result
+#   29|           -1: [TypeMention] int
+#   29|         3: [Parameter] remainder
+#   29|           -1: [TypeMention] int
+#   30|       4: [BlockStmt] {...}
+#   31|         0: [ExprStmt] ...;
 #   31|           0: [AssignExpr] ... = ...
-#   31|             0: [ParameterAccess] access to parameter remainder
-#   31|             1: [RemExpr] ... % ...
+#   31|             0: [ParameterAccess] access to parameter result
+#   31|             1: [DivExpr] ... / ...
 #   31|               0: [ParameterAccess] access to parameter x
 #   31|               1: [ParameterAccess] access to parameter y
-#   34|     6: [Method] Main
-#   34|       -1: [TypeMention] Void
-#   35|       4: [BlockStmt] {...}
-#   36|         0: [LocalVariableDeclStmt] ... ...;
-#   36|           0: [LocalVariableDeclExpr] Int32 res
-#   36|             0: [TypeMention] int
-#   36|           1: [LocalVariableDeclExpr] Int32 rem
-#   36|             0: [TypeMention] int
-#   37|         1: [ExprStmt] ...;
-#   37|           0: [MethodCall] call to method Divide
-#   37|             0: [IntLiteral] 10
-#   37|             1: [IntLiteral] 3
-#   37|             2: [LocalVariableAccess] access to local variable res
-#   37|             3: [LocalVariableAccess] access to local variable rem
-#   38|         2: [ExprStmt] ...;
-#   38|           0: [MethodCall] call to method WriteLine
-#   38|             -1: [TypeAccess] access to type Console
-#   38|               0: [TypeMention] Console
-#   38|             0: [StringLiteral] "{0} {1}"
-#   38|             1: [CastExpr] (...) ...
-#   38|               1: [LocalVariableAccess] access to local variable res
-#   38|             2: [CastExpr] (...) ...
-#   38|               1: [LocalVariableAccess] access to local variable rem
-#   42|   3: [Class] Console
-#   45|     5: [Method] Write
-#   45|       -1: [TypeMention] Void
-#-----|       2: (Parameters)
-#   45|         0: [Parameter] fmt
-#   45|           -1: [TypeMention] string
-#   45|         1: [Parameter] args
-#   45|           -1: [TypeMention] Object[]
-#   45|             1: [TypeMention] object
-#   45|       4: [BlockStmt] {...}
-#   46|     6: [Method] WriteLine
+#   32|         1: [ExprStmt] ...;
+#   32|           0: [AssignExpr] ... = ...
+#   32|             0: [ParameterAccess] access to parameter remainder
+#   32|             1: [RemExpr] ... % ...
+#   32|               0: [ParameterAccess] access to parameter x
+#   32|               1: [ParameterAccess] access to parameter y
+#   35|     6: [Method] Main
+#   35|       -1: [TypeMention] Void
+#   36|       4: [BlockStmt] {...}
+#   37|         0: [LocalVariableDeclStmt] ... ...;
+#   37|           0: [LocalVariableDeclExpr] Int32 res
+#   37|             0: [TypeMention] int
+#   37|           1: [LocalVariableDeclExpr] Int32 rem
+#   37|             0: [TypeMention] int
+#   38|         1: [ExprStmt] ...;
+#   38|           0: [MethodCall] call to method Divide
+#   38|             0: [IntLiteral] 10
+#   38|             1: [IntLiteral] 3
+#   38|             2: [LocalVariableAccess] access to local variable res
+#   38|             3: [LocalVariableAccess] access to local variable rem
+#   39|         2: [ExprStmt] ...;
+#   39|           0: [MethodCall] call to method WriteLine
+#   39|             -1: [TypeAccess] access to type Console
+#   39|               0: [TypeMention] Console
+#   39|             0: [StringLiteral] "{0} {1}"
+#   39|             1: [CastExpr] (...) ...
+#   39|               1: [LocalVariableAccess] access to local variable res
+#   39|             2: [CastExpr] (...) ...
+#   39|               1: [LocalVariableAccess] access to local variable rem
+#   43|   3: [Class] Console
+#   46|     5: [Method] Write
 #   46|       -1: [TypeMention] Void
 #-----|       2: (Parameters)
 #   46|         0: [Parameter] fmt
@@ -123,354 +114,452 @@ methods.cs:
 #   46|           -1: [TypeMention] Object[]
 #   46|             1: [TypeMention] object
 #   46|       4: [BlockStmt] {...}
-#   49|   4: [Class] TestOverloading
-#   52|     5: [Method] F
-#   52|       -1: [TypeMention] Void
-#   53|       4: [BlockStmt] {...}
-#   54|         0: [ExprStmt] ...;
-#   54|           0: [MethodCall] call to method WriteLine
-#   54|             -1: [TypeAccess] access to type Console
-#   54|               0: [TypeMention] Console
-#   54|             0: [StringLiteral] "F()"
-#   57|     6: [Method] F
-#   57|       -1: [TypeMention] Void
+#   47|     6: [Method] WriteLine
+#   47|       -1: [TypeMention] Void
 #-----|       2: (Parameters)
-#   57|         0: [Parameter] x
-#   57|           -1: [TypeMention] object
-#   58|       4: [BlockStmt] {...}
-#   59|         0: [ExprStmt] ...;
-#   59|           0: [MethodCall] call to method WriteLine
-#   59|             -1: [TypeAccess] access to type Console
-#   59|               0: [TypeMention] Console
-#   59|             0: [StringLiteral] "F(object)"
-#   62|     7: [Method] F
-#   62|       -1: [TypeMention] Void
+#   47|         0: [Parameter] fmt
+#   47|           -1: [TypeMention] string
+#   47|         1: [Parameter] args
+#   47|           -1: [TypeMention] Object[]
+#   47|             1: [TypeMention] object
+#   47|       4: [BlockStmt] {...}
+#   50|   4: [Class] TestOverloading
+#   53|     5: [Method] F
+#   53|       -1: [TypeMention] Void
+#   54|       4: [BlockStmt] {...}
+#   55|         0: [ExprStmt] ...;
+#   55|           0: [MethodCall] call to method WriteLine
+#   55|             -1: [TypeAccess] access to type Console
+#   55|               0: [TypeMention] Console
+#   55|             0: [StringLiteral] "F()"
+#   58|     6: [Method] F
+#   58|       -1: [TypeMention] Void
 #-----|       2: (Parameters)
-#   62|         0: [Parameter] x
-#   62|           -1: [TypeMention] int
-#   63|       4: [BlockStmt] {...}
-#   64|         0: [ExprStmt] ...;
-#   64|           0: [MethodCall] call to method WriteLine
-#   64|             -1: [TypeAccess] access to type Console
-#   64|               0: [TypeMention] Console
-#   64|             0: [StringLiteral] "F(int)"
-#   67|     8: [Method] F
-#   67|       -1: [TypeMention] Void
+#   58|         0: [Parameter] x
+#   58|           -1: [TypeMention] object
+#   59|       4: [BlockStmt] {...}
+#   60|         0: [ExprStmt] ...;
+#   60|           0: [MethodCall] call to method WriteLine
+#   60|             -1: [TypeAccess] access to type Console
+#   60|               0: [TypeMention] Console
+#   60|             0: [StringLiteral] "F(object)"
+#   63|     7: [Method] F
+#   63|       -1: [TypeMention] Void
 #-----|       2: (Parameters)
-#   67|         0: [Parameter] x
-#   67|           -1: [TypeMention] double
-#   68|       4: [BlockStmt] {...}
-#   69|         0: [ExprStmt] ...;
-#   69|           0: [MethodCall] call to method WriteLine
-#   69|             -1: [TypeAccess] access to type Console
-#   69|               0: [TypeMention] Console
-#   69|             0: [StringLiteral] "F(double)"
-#   72|     9: [Method] F
-#   72|       -1: [TypeMention] Void
+#   63|         0: [Parameter] x
+#   63|           -1: [TypeMention] int
+#   64|       4: [BlockStmt] {...}
+#   65|         0: [ExprStmt] ...;
+#   65|           0: [MethodCall] call to method WriteLine
+#   65|             -1: [TypeAccess] access to type Console
+#   65|               0: [TypeMention] Console
+#   65|             0: [StringLiteral] "F(int)"
+#   68|     8: [Method] F
+#   68|       -1: [TypeMention] Void
+#-----|       2: (Parameters)
+#   68|         0: [Parameter] x
+#   68|           -1: [TypeMention] double
+#   69|       4: [BlockStmt] {...}
+#   70|         0: [ExprStmt] ...;
+#   70|           0: [MethodCall] call to method WriteLine
+#   70|             -1: [TypeAccess] access to type Console
+#   70|               0: [TypeMention] Console
+#   70|             0: [StringLiteral] "F(double)"
+#   73|     9: [Method] F
+#   73|       -1: [TypeMention] Void
 #-----|       1: (Type parameters)
-#   72|         0: [TypeParameter] T
+#   73|         0: [TypeParameter] T
 #-----|       2: (Parameters)
-#   72|         0: [Parameter] x
-#   72|           -1: [TypeMention] T
-#   73|       4: [BlockStmt] {...}
-#   74|         0: [ExprStmt] ...;
-#   74|           0: [MethodCall] call to method WriteLine
-#   74|             -1: [TypeAccess] access to type Console
-#   74|               0: [TypeMention] Console
-#   74|             0: [StringLiteral] "F<T>(T)"
-#   77|     12: [Method] F
-#   77|       -1: [TypeMention] Void
+#   73|         0: [Parameter] x
+#   73|           -1: [TypeMention] T
+#   74|       4: [BlockStmt] {...}
+#   75|         0: [ExprStmt] ...;
+#   75|           0: [MethodCall] call to method WriteLine
+#   75|             -1: [TypeAccess] access to type Console
+#   75|               0: [TypeMention] Console
+#   75|             0: [StringLiteral] "F<T>(T)"
+#   78|     12: [Method] F
+#   78|       -1: [TypeMention] Void
 #-----|       2: (Parameters)
-#   77|         0: [Parameter] x
-#   77|           -1: [TypeMention] double
-#   77|         1: [Parameter] y
-#   77|           -1: [TypeMention] double
-#   78|       4: [BlockStmt] {...}
-#   79|         0: [ExprStmt] ...;
-#   79|           0: [MethodCall] call to method WriteLine
-#   79|             -1: [TypeAccess] access to type Console
-#   79|               0: [TypeMention] Console
-#   79|             0: [StringLiteral] "F(double, double)"
-#   82|     13: [Method] Main
-#   82|       -1: [TypeMention] Void
-#   83|       4: [BlockStmt] {...}
-#   84|         0: [ExprStmt] ...;
-#   84|           0: [MethodCall] call to method F
-#   85|         1: [ExprStmt] ...;
+#   78|         0: [Parameter] x
+#   78|           -1: [TypeMention] double
+#   78|         1: [Parameter] y
+#   78|           -1: [TypeMention] double
+#   79|       4: [BlockStmt] {...}
+#   80|         0: [ExprStmt] ...;
+#   80|           0: [MethodCall] call to method WriteLine
+#   80|             -1: [TypeAccess] access to type Console
+#   80|               0: [TypeMention] Console
+#   80|             0: [StringLiteral] "F(double, double)"
+#   83|     13: [Method] Main
+#   83|       -1: [TypeMention] Void
+#   84|       4: [BlockStmt] {...}
+#   85|         0: [ExprStmt] ...;
 #   85|           0: [MethodCall] call to method F
-#   85|             0: [IntLiteral] 1
-#   86|         2: [ExprStmt] ...;
+#   86|         1: [ExprStmt] ...;
 #   86|           0: [MethodCall] call to method F
-#   86|             0: [DoubleLiteral] 1
-#   87|         3: [ExprStmt] ...;
+#   86|             0: [IntLiteral] 1
+#   87|         2: [ExprStmt] ...;
 #   87|           0: [MethodCall] call to method F
-#   87|             0: [StringLiteral] "abc"
-#   88|         4: [ExprStmt] ...;
+#   87|             0: [DoubleLiteral] 1
+#   88|         3: [ExprStmt] ...;
 #   88|           0: [MethodCall] call to method F
-#   88|             0: [CastExpr] (...) ...
-#   88|               0: [TypeAccess] access to type Double
-#   88|                 0: [TypeMention] double
-#   88|               1: [IntLiteral] 1
-#   89|         5: [ExprStmt] ...;
+#   88|             0: [StringLiteral] "abc"
+#   89|         4: [ExprStmt] ...;
 #   89|           0: [MethodCall] call to method F
 #   89|             0: [CastExpr] (...) ...
-#   89|               0: [TypeAccess] access to type Object
-#   89|                 0: [TypeMention] object
+#   89|               0: [TypeAccess] access to type Double
+#   89|                 0: [TypeMention] double
 #   89|               1: [IntLiteral] 1
-#   90|         6: [ExprStmt] ...;
+#   90|         5: [ExprStmt] ...;
 #   90|           0: [MethodCall] call to method F
-#   90|             0: [IntLiteral] 1
-#   91|         7: [ExprStmt] ...;
+#   90|             0: [CastExpr] (...) ...
+#   90|               0: [TypeAccess] access to type Object
+#   90|                 0: [TypeMention] object
+#   90|               1: [IntLiteral] 1
+#   91|         6: [ExprStmt] ...;
 #   91|           0: [MethodCall] call to method F
-#   91|             0: [CastExpr] (...) ...
-#   91|               1: [IntLiteral] 1
-#   91|             1: [CastExpr] (...) ...
-#   91|               1: [IntLiteral] 1
-#   96|   5: [Class] Extensions
-#   99|     4: [ExtensionMethod] ToInt32
-#   99|       -1: [TypeMention] int
+#   91|             0: [IntLiteral] 1
+#   92|         7: [ExprStmt] ...;
+#   92|           0: [MethodCall] call to method F
+#   92|             0: [CastExpr] (...) ...
+#   92|               1: [IntLiteral] 1
+#   92|             1: [CastExpr] (...) ...
+#   92|               1: [IntLiteral] 1
+#   97|   5: [Class] Extensions
+#  100|     4: [ExtensionMethod] ToInt32
+#  100|       -1: [TypeMention] int
 #-----|       2: (Parameters)
-#   99|         0: [Parameter] s
-#   99|           -1: [TypeMention] string
-#  100|       4: [BlockStmt] {...}
-#  101|         0: [ReturnStmt] return ...;
-#  101|           0: [MethodCall] call to method Parse
-#  101|             -1: [TypeAccess] access to type Int32
-#  101|               0: [TypeMention] int
-#  101|             0: [ParameterAccess] access to parameter s
-#  104|     5: [ExtensionMethod] ToBool
-#  104|       -1: [TypeMention] bool
+#  100|         0: [Parameter] s
+#  100|           -1: [TypeMention] string
+#  101|       4: [BlockStmt] {...}
+#  102|         0: [ReturnStmt] return ...;
+#  102|           0: [MethodCall] call to method Parse
+#  102|             -1: [TypeAccess] access to type Int32
+#  102|               0: [TypeMention] int
+#  102|             0: [ParameterAccess] access to parameter s
+#  105|     5: [ExtensionMethod] ToBool
+#  105|       -1: [TypeMention] bool
 #-----|       2: (Parameters)
-#  104|         0: [Parameter] s
-#  104|           -1: [TypeMention] string
-#  104|         1: [Parameter] f
-#  104|           -1: [TypeMention] Func<String, Boolean>
-#  104|             1: [TypeMention] string
-#  104|             2: [TypeMention] bool
-#  105|       4: [BlockStmt] {...}
-#  106|         0: [ReturnStmt] return ...;
-#  106|           0: [DelegateCall] delegate call
-#  106|             -1: [ParameterAccess] access to parameter f
-#  106|             0: [ParameterAccess] access to parameter s
-#  109|     6: [ExtensionMethod] Slice
-#  109|       -1: [TypeMention] T[]
-#  109|         1: [TypeMention] T
+#  105|         0: [Parameter] s
+#  105|           -1: [TypeMention] string
+#  105|         1: [Parameter] f
+#  105|           -1: [TypeMention] Func<String, Boolean>
+#  105|             1: [TypeMention] string
+#  105|             2: [TypeMention] bool
+#  106|       4: [BlockStmt] {...}
+#  107|         0: [ReturnStmt] return ...;
+#  107|           0: [DelegateCall] delegate call
+#  107|             -1: [ParameterAccess] access to parameter f
+#  107|             0: [ParameterAccess] access to parameter s
+#  110|     6: [ExtensionMethod] Slice
+#  110|       -1: [TypeMention] T[]
+#  110|         1: [TypeMention] T
 #-----|       1: (Type parameters)
-#  109|         0: [TypeParameter] T
+#  110|         0: [TypeParameter] T
 #-----|       2: (Parameters)
-#  109|         0: [Parameter] source
-#  109|           -1: [TypeMention] T[]
-#  109|             1: [TypeMention] T
-#  109|         1: [Parameter] index
-#  109|           -1: [TypeMention] int
-#  109|         2: [Parameter] count
-#  109|           -1: [TypeMention] int
-#  110|       4: [BlockStmt] {...}
-#  111|         0: [IfStmt] if (...) ...
-#  111|           0: [LogicalOrExpr] ... || ...
-#  111|             0: [LogicalOrExpr] ... || ...
-#  111|               0: [LTExpr] ... < ...
-#  111|                 0: [ParameterAccess] access to parameter index
-#  111|                 1: [IntLiteral] 0
-#  111|               1: [LTExpr] ... < ...
-#  111|                 0: [ParameterAccess] access to parameter count
-#  111|                 1: [IntLiteral] 0
-#  111|             1: [LTExpr] ... < ...
-#  111|               0: [SubExpr] ... - ...
-#  111|                 0: [PropertyCall] access to property Length
-#  111|                   -1: [ParameterAccess] access to parameter source
-#  111|                 1: [ParameterAccess] access to parameter index
-#  111|               1: [ParameterAccess] access to parameter count
-#  112|           1: [ThrowStmt] throw ...;
-#  112|             0: [ObjectCreation] object creation of type ArgumentException
-#  112|               0: [TypeMention] ArgumentException
-#  113|         1: [LocalVariableDeclStmt] ... ...;
-#  113|           0: [LocalVariableDeclAndInitExpr] T[] result = ...
-#  113|             -1: [TypeMention] T[]
-#  113|               1: [TypeMention] T
-#  113|             0: [LocalVariableAccess] access to local variable result
-#  113|             1: [ArrayCreation] array creation of type T[]
-#  113|               -1: [TypeMention] T[]
-#  113|                 1: [TypeMention] T
-#  113|               0: [ParameterAccess] access to parameter count
-#  114|         2: [ExprStmt] ...;
-#  114|           0: [MethodCall] call to method Copy
-#  114|             -1: [TypeAccess] access to type Array
-#  114|               0: [TypeMention] Array
-#  114|             0: [ParameterAccess] access to parameter source
-#  114|             1: [ParameterAccess] access to parameter index
-#  114|             2: [LocalVariableAccess] access to local variable result
-#  114|             3: [IntLiteral] 0
-#  114|             4: [ParameterAccess] access to parameter count
-#  115|         3: [ReturnStmt] return ...;
-#  115|           0: [LocalVariableAccess] access to local variable result
-#  118|     8: [Method] CallToInt32
-#  118|       -1: [TypeMention] int
-#  118|       4: [MethodCall] call to method ToInt32
-#  118|         0: [StringLiteral] "0"
-#  121|   6: [Class] TestExtensions
-#  124|     4: [Method] Main
-#  124|       -1: [TypeMention] Void
-#  125|       4: [BlockStmt] {...}
-#  126|         0: [LocalVariableDeclStmt] ... ...;
-#  126|           0: [LocalVariableDeclAndInitExpr] String[] strings = ...
-#  126|             -1: [TypeMention] String[]
-#  126|               1: [TypeMention] string
-#  126|             0: [LocalVariableAccess] access to local variable strings
-#  126|             1: [ArrayCreation] array creation of type String[]
-#  126|               -1: [ArrayInitializer] { ..., ... }
-#  126|                 0: [StringLiteral] "1"
-#  126|                 1: [StringLiteral] "22"
-#  126|                 2: [StringLiteral] "333"
-#  126|                 3: [StringLiteral] "4444"
-#  127|         1: [ForeachStmt] foreach (... ... in ...) ...
-#  127|           0: [LocalVariableDeclExpr] String s
-#  127|             0: [TypeMention] string
-#  127|           1: [MethodCall] call to method Slice
-#  127|             -1: [LocalVariableAccess] access to local variable strings
-#  127|             0: [IntLiteral] 1
-#  127|             1: [IntLiteral] 2
-#  128|           2: [BlockStmt] {...}
-#  129|             0: [ExprStmt] ...;
-#  129|               0: [MethodCall] call to method WriteLine
-#  129|                 -1: [TypeAccess] access to type Console
-#  129|                   0: [TypeMention] Console
-#  129|                 0: [MethodCall] call to method ToInt32
-#  129|                   -1: [LocalVariableAccess] access to local variable s
-#  132|         2: [ExprStmt] ...;
-#  132|           0: [MethodCall] call to method ToInt32
-#  132|             -1: [TypeAccess] access to type Extensions
-#  132|               0: [TypeMention] Extensions
-#  132|             0: [StringLiteral] ""
-#  134|         3: [ExprStmt] ...;
-#  134|           0: [MethodCall] call to method ToBool
-#  134|             -1: [TypeAccess] access to type Extensions
-#  134|               0: [TypeMention] Extensions
-#  134|             0: [StringLiteral] "true"
-#  134|             1: [ImplicitDelegateCreation] delegate creation of type Func<String,Boolean>
-#  134|               0: [MethodAccess] access to method Parse
-#  134|                 -1: [TypeAccess] access to type Boolean
-#  134|                   0: [TypeMention] bool
-#  139|   7: [Class] TestDefaultParameters
-#  141|     4: [Method] Method1
-#  141|       -1: [TypeMention] Void
+#  110|         0: [Parameter] source
+#  110|           -1: [TypeMention] T[]
+#  110|             1: [TypeMention] T
+#  110|         1: [Parameter] index
+#  110|           -1: [TypeMention] int
+#  110|         2: [Parameter] count
+#  110|           -1: [TypeMention] int
+#  111|       4: [BlockStmt] {...}
+#  112|         0: [IfStmt] if (...) ...
+#  112|           0: [LogicalOrExpr] ... || ...
+#  112|             0: [LogicalOrExpr] ... || ...
+#  112|               0: [LTExpr] ... < ...
+#  112|                 0: [ParameterAccess] access to parameter index
+#  112|                 1: [IntLiteral] 0
+#  112|               1: [LTExpr] ... < ...
+#  112|                 0: [ParameterAccess] access to parameter count
+#  112|                 1: [IntLiteral] 0
+#  112|             1: [LTExpr] ... < ...
+#  112|               0: [SubExpr] ... - ...
+#  112|                 0: [PropertyCall] access to property Length
+#  112|                   -1: [ParameterAccess] access to parameter source
+#  112|                 1: [ParameterAccess] access to parameter index
+#  112|               1: [ParameterAccess] access to parameter count
+#  113|           1: [ThrowStmt] throw ...;
+#  113|             0: [ObjectCreation] object creation of type ArgumentException
+#  113|               0: [TypeMention] ArgumentException
+#  114|         1: [LocalVariableDeclStmt] ... ...;
+#  114|           0: [LocalVariableDeclAndInitExpr] T[] result = ...
+#  114|             -1: [TypeMention] T[]
+#  114|               1: [TypeMention] T
+#  114|             0: [LocalVariableAccess] access to local variable result
+#  114|             1: [ArrayCreation] array creation of type T[]
+#  114|               -1: [TypeMention] T[]
+#  114|                 1: [TypeMention] T
+#  114|               0: [ParameterAccess] access to parameter count
+#  115|         2: [ExprStmt] ...;
+#  115|           0: [MethodCall] call to method Copy
+#  115|             -1: [TypeAccess] access to type Array
+#  115|               0: [TypeMention] Array
+#  115|             0: [ParameterAccess] access to parameter source
+#  115|             1: [ParameterAccess] access to parameter index
+#  115|             2: [LocalVariableAccess] access to local variable result
+#  115|             3: [IntLiteral] 0
+#  115|             4: [ParameterAccess] access to parameter count
+#  116|         3: [ReturnStmt] return ...;
+#  116|           0: [LocalVariableAccess] access to local variable result
+#  119|     8: [Method] CallToInt32
+#  119|       -1: [TypeMention] int
+#  119|       4: [MethodCall] call to method ToInt32
+#  119|         0: [StringLiteral] "0"
+#  122|   6: [Class] TestExtensions
+#  125|     4: [Method] Main
+#  125|       -1: [TypeMention] Void
+#  126|       4: [BlockStmt] {...}
+#  127|         0: [LocalVariableDeclStmt] ... ...;
+#  127|           0: [LocalVariableDeclAndInitExpr] String[] strings = ...
+#  127|             -1: [TypeMention] String[]
+#  127|               1: [TypeMention] string
+#  127|             0: [LocalVariableAccess] access to local variable strings
+#  127|             1: [ArrayCreation] array creation of type String[]
+#  127|               -1: [ArrayInitializer] { ..., ... }
+#  127|                 0: [StringLiteral] "1"
+#  127|                 1: [StringLiteral] "22"
+#  127|                 2: [StringLiteral] "333"
+#  127|                 3: [StringLiteral] "4444"
+#  128|         1: [ForeachStmt] foreach (... ... in ...) ...
+#  128|           0: [LocalVariableDeclExpr] String s
+#  128|             0: [TypeMention] string
+#  128|           1: [MethodCall] call to method Slice
+#  128|             -1: [LocalVariableAccess] access to local variable strings
+#  128|             0: [IntLiteral] 1
+#  128|             1: [IntLiteral] 2
+#  129|           2: [BlockStmt] {...}
+#  130|             0: [ExprStmt] ...;
+#  130|               0: [MethodCall] call to method WriteLine
+#  130|                 -1: [TypeAccess] access to type Console
+#  130|                   0: [TypeMention] Console
+#  130|                 0: [MethodCall] call to method ToInt32
+#  130|                   -1: [LocalVariableAccess] access to local variable s
+#  133|         2: [ExprStmt] ...;
+#  133|           0: [MethodCall] call to method ToInt32
+#  133|             -1: [TypeAccess] access to type Extensions
+#  133|               0: [TypeMention] Extensions
+#  133|             0: [StringLiteral] ""
+#  135|         3: [ExprStmt] ...;
+#  135|           0: [MethodCall] call to method ToBool
+#  135|             -1: [TypeAccess] access to type Extensions
+#  135|               0: [TypeMention] Extensions
+#  135|             0: [StringLiteral] "true"
+#  135|             1: [ImplicitDelegateCreation] delegate creation of type Func<String,Boolean>
+#  135|               0: [MethodAccess] access to method Parse
+#  135|                 -1: [TypeAccess] access to type Boolean
+#  135|                   0: [TypeMention] bool
+#  140|   7: [Class] TestDefaultParameters
+#  142|     4: [Method] Method1
+#  142|       -1: [TypeMention] Void
 #-----|       2: (Parameters)
-#  141|         0: [Parameter] x
-#  141|           -1: [TypeMention] int
-#  141|         1: [Parameter] y
-#  141|           -1: [TypeMention] int
-#  142|       4: [BlockStmt] {...}
-#  145|     5: [Method] Method2
-#  145|       -1: [TypeMention] Void
+#  142|         0: [Parameter] x
+#  142|           -1: [TypeMention] int
+#  142|         1: [Parameter] y
+#  142|           -1: [TypeMention] int
+#  143|       4: [BlockStmt] {...}
+#  146|     5: [Method] Method2
+#  146|       -1: [TypeMention] Void
 #-----|       2: (Parameters)
-#  145|         0: [Parameter] a
-#  145|           -1: [TypeMention] int
-#  145|         1: [Parameter] b
-#  145|           -1: [TypeMention] int
-#  145|         2: [Parameter] c
-#  145|           -1: [TypeMention] int
-#  145|           1: [IntLiteral] 1
-#  145|         3: [Parameter] d
-#  145|           -1: [TypeMention] int
-#  145|           1: [IntLiteral] 2
-#  145|         4: [Parameter] e
-#  145|           -1: [TypeMention] string
-#  145|           1: [AddExpr] ... + ...
-#  145|             0: [StringLiteral] "a"
-#  145|             1: [StringLiteral] "b"
-#  146|       4: [BlockStmt] {...}
-#  149|     6: [InstanceConstructor] TestDefaultParameters
+#  146|         0: [Parameter] a
+#  146|           -1: [TypeMention] int
+#  146|         1: [Parameter] b
+#  146|           -1: [TypeMention] int
+#  146|         2: [Parameter] c
+#  146|           -1: [TypeMention] int
+#  146|           1: [IntLiteral] 1
+#  146|         3: [Parameter] d
+#  146|           -1: [TypeMention] int
+#  146|           1: [IntLiteral] 2
+#  146|         4: [Parameter] e
+#  146|           -1: [TypeMention] string
+#  146|           1: [AddExpr] ... + ...
+#  146|             0: [StringLiteral] "a"
+#  146|             1: [StringLiteral] "b"
+#  147|       4: [BlockStmt] {...}
+#  150|     6: [InstanceConstructor] TestDefaultParameters
 #-----|       2: (Parameters)
-#  149|         0: [Parameter] x
-#  149|           -1: [TypeMention] int
-#  150|       4: [BlockStmt] {...}
-#  153|     7: [InstanceConstructor] TestDefaultParameters
+#  150|         0: [Parameter] x
+#  150|           -1: [TypeMention] int
+#  151|       4: [BlockStmt] {...}
+#  154|     7: [InstanceConstructor] TestDefaultParameters
 #-----|       2: (Parameters)
-#  153|         0: [Parameter] x
-#  153|           -1: [TypeMention] string
-#  153|           1: [StringLiteral] "abc"
-#  153|         1: [Parameter] y
-#  153|           -1: [TypeMention] double
-#  153|           1: [ObjectCreation] object creation of type Double
-#  153|             0: [TypeMention] double
-#  154|       4: [BlockStmt] {...}
-#  157|     8: [DelegateType] Del
+#  154|         0: [Parameter] x
+#  154|           -1: [TypeMention] string
+#  154|           1: [StringLiteral] "abc"
+#  154|         1: [Parameter] y
+#  154|           -1: [TypeMention] double
+#  154|           1: [ObjectCreation] object creation of type Double
+#  154|             0: [TypeMention] double
+#  155|       4: [BlockStmt] {...}
+#  158|     8: [DelegateType] Del
 #-----|       2: (Parameters)
-#  157|         0: [Parameter] a
-#  157|           -1: [TypeMention] string
-#  157|         1: [Parameter] b
-#  157|           -1: [TypeMention] int
-#  157|           1: [IntLiteral] 12
-#  157|         2: [Parameter] c
-#  157|           -1: [TypeMention] double
-#  157|           1: [ObjectCreation] object creation of type Double
-#  157|             0: [TypeMention] double
-#  159|     9: [Indexer] Item
-#  159|       -1: [TypeMention] int
+#  158|         0: [Parameter] a
+#  158|           -1: [TypeMention] string
+#  158|         1: [Parameter] b
+#  158|           -1: [TypeMention] int
+#  158|           1: [IntLiteral] 12
+#  158|         2: [Parameter] c
+#  158|           -1: [TypeMention] double
+#  158|           1: [ObjectCreation] object creation of type Double
+#  158|             0: [TypeMention] double
+#  160|     9: [Indexer] Item
+#  160|       -1: [TypeMention] int
 #-----|       1: (Parameters)
-#  159|         0: [Parameter] x
-#  159|           -1: [TypeMention] int
-#  159|         1: [Parameter] y
-#  159|           -1: [TypeMention] int
-#  159|           1: [IntLiteral] 0
-#  161|       3: [Getter] get_Item
+#  160|         0: [Parameter] x
+#  160|           -1: [TypeMention] int
+#  160|         1: [Parameter] y
+#  160|           -1: [TypeMention] int
+#  160|           1: [IntLiteral] 0
+#  162|       3: [Getter] get_Item
 #-----|         2: (Parameters)
-#  159|           0: [Parameter] x
-#  159|           1: [Parameter] y
-#  159|             1: [IntLiteral] 0
-#  161|         4: [BlockStmt] {...}
-#  161|           0: [ReturnStmt] return ...;
-#  161|             0: [AddExpr] ... + ...
-#  161|               0: [ParameterAccess] access to parameter x
-#  161|               1: [ParameterAccess] access to parameter y
-#  162|       4: [Setter] set_Item
-#-----|         2: (Parameters)
-#  159|           0: [Parameter] x
-#  159|           1: [Parameter] y
-#  159|             1: [IntLiteral] 0
-#  162|           2: [Parameter] value
+#  160|           0: [Parameter] x
+#  160|           1: [Parameter] y
+#  160|             1: [IntLiteral] 0
 #  162|         4: [BlockStmt] {...}
-#  166|   8: [Class] TestDefaultExtensionParameters
-#  168|     4: [ExtensionMethod] Plus
-#  168|       -1: [TypeMention] int
+#  162|           0: [ReturnStmt] return ...;
+#  162|             0: [AddExpr] ... + ...
+#  162|               0: [ParameterAccess] access to parameter x
+#  162|               1: [ParameterAccess] access to parameter y
+#  163|       4: [Setter] set_Item
+#-----|         2: (Parameters)
+#  160|           0: [Parameter] x
+#  160|           1: [Parameter] y
+#  160|             1: [IntLiteral] 0
+#  163|           2: [Parameter] value
+#  163|         4: [BlockStmt] {...}
+#  167|   8: [Class] TestDefaultExtensionParameters
+#  169|     4: [ExtensionMethod] Plus
+#  169|       -1: [TypeMention] int
 #-----|       2: (Parameters)
-#  168|         0: [Parameter] left
-#  168|           -1: [TypeMention] int
-#  168|         1: [Parameter] right
-#  168|           -1: [TypeMention] int
-#  168|           1: [IntLiteral] 0
-#  169|       4: [BlockStmt] {...}
-#  170|         0: [ReturnStmt] return ...;
-#  170|           0: [AddExpr] ... + ...
-#  170|             0: [ParameterAccess] access to parameter left
-#  170|             1: [ParameterAccess] access to parameter right
-#  173|     5: [ExtensionMethod] SkipTwo
-#  173|       -1: [TypeMention] IEnumerable<T>
-#  173|         1: [TypeMention] T
+#  169|         0: [Parameter] left
+#  169|           -1: [TypeMention] int
+#  169|         1: [Parameter] right
+#  169|           -1: [TypeMention] int
+#  169|           1: [IntLiteral] 0
+#  170|       4: [BlockStmt] {...}
+#  171|         0: [ReturnStmt] return ...;
+#  171|           0: [AddExpr] ... + ...
+#  171|             0: [ParameterAccess] access to parameter left
+#  171|             1: [ParameterAccess] access to parameter right
+#  174|     5: [ExtensionMethod] SkipTwo
+#  174|       -1: [TypeMention] IEnumerable<T>
+#  174|         1: [TypeMention] T
 #-----|       1: (Type parameters)
-#  173|         0: [TypeParameter] T
+#  174|         0: [TypeParameter] T
 #-----|       2: (Parameters)
-#  173|         0: [Parameter] list
-#  173|           -1: [TypeMention] IEnumerable<T>
-#  173|             1: [TypeMention] T
-#  173|         1: [Parameter] i
-#  173|           -1: [TypeMention] int
-#  173|           1: [IntLiteral] 1
-#  174|       4: [BlockStmt] {...}
-#  175|         0: [ReturnStmt] return ...;
-#  175|           0: [ParameterAccess] access to parameter list
-#  178|     7: [ExtensionMethod] SkipTwoInt
-#  178|       -1: [TypeMention] IEnumerable<Int32>
-#  178|         1: [TypeMention] int
+#  174|         0: [Parameter] list
+#  174|           -1: [TypeMention] IEnumerable<T>
+#  174|             1: [TypeMention] T
+#  174|         1: [Parameter] i
+#  174|           -1: [TypeMention] int
+#  174|           1: [IntLiteral] 1
+#  175|       4: [BlockStmt] {...}
+#  176|         0: [ReturnStmt] return ...;
+#  176|           0: [ParameterAccess] access to parameter list
+#  179|     7: [ExtensionMethod] SkipTwoInt
+#  179|       -1: [TypeMention] IEnumerable<Int32>
+#  179|         1: [TypeMention] int
 #-----|       2: (Parameters)
-#  178|         0: [Parameter] list
-#  178|           -1: [TypeMention] IEnumerable<Int32>
-#  178|             1: [TypeMention] int
-#  178|         1: [Parameter] i
-#  178|           -1: [TypeMention] int
-#  178|           1: [IntLiteral] 1
-#  179|       4: [BlockStmt] {...}
-#  180|         0: [ReturnStmt] return ...;
-#  180|           0: [MethodCall] call to method SkipTwo
-#  180|             -1: [ParameterAccess] access to parameter list
-#  180|             0: [ParameterAccess] access to parameter i
+#  179|         0: [Parameter] list
+#  179|           -1: [TypeMention] IEnumerable<Int32>
+#  179|             1: [TypeMention] int
+#  179|         1: [Parameter] i
+#  179|           -1: [TypeMention] int
+#  179|           1: [IntLiteral] 1
+#  180|       4: [BlockStmt] {...}
+#  181|         0: [ReturnStmt] return ...;
+#  181|           0: [MethodCall] call to method SkipTwo
+#  181|             -1: [ParameterAccess] access to parameter list
+#  181|             0: [ParameterAccess] access to parameter i
+#  185|   9: [Class] TestCollidingMethods<>
+#-----|     1: (Type parameters)
+#  185|       0: [TypeParameter] T
+#  187|     5: [Method] M
+#  187|       -1: [TypeMention] Void
+#-----|       2: (Parameters)
+#  187|         0: [Parameter] p1
+#  187|           -1: [TypeMention] T
+#  187|         1: [Parameter] p2
+#  187|           -1: [TypeMention] int
+#  187|       4: [BlockStmt] {...}
+#  188|     6: [Method] M
+#  188|       -1: [TypeMention] Void
+#-----|       2: (Parameters)
+#  188|         0: [Parameter] p1
+#  188|           -1: [TypeMention] int
+#  188|         1: [Parameter] p2
+#  188|           -1: [TypeMention] int
+#  188|       4: [BlockStmt] {...}
+#  190|     7: [Method] Calls
+#  190|       -1: [TypeMention] Void
+#  191|       4: [BlockStmt] {...}
+#  192|         0: [LocalVariableDeclStmt] ... ...;
+#  192|           0: [LocalVariableDeclAndInitExpr] TestCollidingMethods<Int32> x = ...
+#  192|             -1: [TypeMention] TestCollidingMethods<Int32>
+#  192|             0: [LocalVariableAccess] access to local variable x
+#  192|             1: [ObjectCreation] object creation of type TestCollidingMethods<Int32>
+#  192|               0: [TypeMention] TestCollidingMethods<Int32>
+#  192|                 1: [TypeMention] int
+#  193|         1: [ExprStmt] ...;
+#  193|           0: [MethodCall] call to method M
+#  193|             -1: [LocalVariableAccess] access to local variable x
+#  193|             0: [IntLiteral] 1
+#  193|             1: [IntLiteral] 1
+#  195|         2: [LocalVariableDeclStmt] ... ...;
+#  195|           0: [LocalVariableDeclAndInitExpr] TestCollidingMethods<Double> y = ...
+#  195|             -1: [TypeMention] TestCollidingMethods<Double>
+#  195|             0: [LocalVariableAccess] access to local variable y
+#  195|             1: [ObjectCreation] object creation of type TestCollidingMethods<Double>
+#  195|               0: [TypeMention] TestCollidingMethods<Double>
+#  195|                 1: [TypeMention] double
+#  196|         3: [ExprStmt] ...;
+#  196|           0: [MethodCall] call to method M
+#  196|             -1: [LocalVariableAccess] access to local variable y
+#  196|             0: [DoubleLiteral] 1
+#  196|             1: [IntLiteral] 1
+#  197|         4: [ExprStmt] ...;
+#  197|           0: [MethodCall] call to method M
+#  197|             -1: [LocalVariableAccess] access to local variable y
+#  197|             0: [IntLiteral] 1
+#  197|             1: [IntLiteral] 1
+#  200|     8: [Class] Nested
+#  202|       4: [InstanceConstructor] Nested
+#-----|         2: (Parameters)
+#  202|           0: [Parameter] p1
+#  202|             -1: [TypeMention] int
+#  202|         4: [BlockStmt] {...}
+#  203|       5: [InstanceConstructor] Nested
+#-----|         2: (Parameters)
+#  203|           0: [Parameter] p1
+#  203|             -1: [TypeMention] T
+#  204|         4: [BlockStmt] {...}
+#  205|           0: [LocalVariableDeclStmt] ... ...;
+#  205|             0: [LocalVariableDeclAndInitExpr] Nested x = ...
+#  205|               -1: [TypeMention] Nested
+#  205|               0: [LocalVariableAccess] access to local variable x
+#  205|               1: [ObjectCreation] object creation of type Nested
+#  205|                 -1: [TypeMention] Nested
+#  205|                   1: [TypeMention] TestCollidingMethods<Int32>
+#  205|                     1: [TypeMention] int
+#  205|                 0: [IntLiteral] 1
+#  206|           1: [LocalVariableDeclStmt] ... ...;
+#  206|             0: [LocalVariableDeclAndInitExpr] Nested y = ...
+#  206|               -1: [TypeMention] Nested
+#  206|               0: [LocalVariableAccess] access to local variable y
+#  206|               1: [ObjectCreation] object creation of type Nested
+#  206|                 -1: [TypeMention] Nested
+#  206|                   1: [TypeMention] TestCollidingMethods<Double>
+#  206|                     1: [TypeMention] double
+#  206|                 0: [DoubleLiteral] 1
+#  207|           2: [LocalVariableDeclStmt] ... ...;
+#  207|             0: [LocalVariableDeclAndInitExpr] Nested z = ...
+#  207|               -1: [TypeMention] Nested
+#  207|               0: [LocalVariableAccess] access to local variable z
+#  207|               1: [ObjectCreation] object creation of type Nested
+#  207|                 -1: [TypeMention] Nested
+#  207|                   1: [TypeMention] TestCollidingMethods<Double>
+#  207|                     1: [TypeMention] double
+#  207|                 0: [IntLiteral] 1
diff --git a/csharp/ql/test/library-tests/methods/methods.cs b/csharp/ql/test/library-tests/methods/methods.cs
index f67676cad46..72e9b0409c0 100644
--- a/csharp/ql/test/library-tests/methods/methods.cs
+++ b/csharp/ql/test/library-tests/methods/methods.cs
@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 
 namespace Methods
 {
@@ -180,4 +181,31 @@ namespace Methods
             return list.SkipTwo<int>(i);
         }
     }
+
+    public class TestCollidingMethods<T>
+    {
+        public void M(T p1, int p2) { }
+        public void M(int p1, int p2) { }
+
+        public void Calls()
+        {
+            var x = new TestCollidingMethods<int>();
+            x.M(1, 1);
+
+            var y = new TestCollidingMethods<double>();
+            y.M(1.0, 1);
+            y.M(1, 1);
+        }
+
+        public class Nested
+        {
+            public Nested(int p1) { }
+            public Nested(T p1)
+            {
+                var x = new TestCollidingMethods<int>.Nested(1);
+                var y = new TestCollidingMethods<double>.Nested(1.0);
+                var z = new TestCollidingMethods<double>.Nested(1);
+            }
+        }
+    }
 }

From 3d60c146ad2cb31bb576cfd79085626e28d77c7a Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Tue, 25 May 2021 13:40:30 +0200
Subject: [PATCH 1299/1429] C#: Base IDs for constructed methods on their
 unconstructed counterparts

---
 .../Entities/Constructor.cs                   |  9 ++++
 .../Entities/Method.cs                        | 46 +++++++++++++------
 2 files changed, 40 insertions(+), 15 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs
index 3f31108b57e..e3f77d9407e 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs
@@ -146,6 +146,15 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public override void WriteId(EscapingTextWriter trapFile)
         {
+            if (!SymbolEqualityComparer.Default.Equals(Symbol, Symbol.OriginalDefinition))
+            {
+                trapFile.WriteSubId(ContainingType!);
+                trapFile.Write(".");
+                trapFile.WriteSubId(OriginalDefinition);
+                trapFile.Write(";constructor");
+                return;
+            }
+
             if (Symbol.IsStatic)
                 trapFile.Write("static");
             trapFile.WriteSubId(ContainingType!);
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
index 12d0ce4cc10..e5822ccbf58 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
@@ -129,6 +129,30 @@ namespace Semmle.Extraction.CSharp.Entities
         /// </summary>
         private static void BuildMethodId(Method m, EscapingTextWriter trapFile)
         {
+            if (!SymbolEqualityComparer.Default.Equals(m.Symbol, m.Symbol.OriginalDefinition))
+            {
+                if (!SymbolEqualityComparer.Default.Equals(m.Symbol, m.ConstructedFromSymbol))
+                {
+                    trapFile.WriteSubId(Create(m.Context, m.ConstructedFromSymbol));
+                    trapFile.Write('<');
+                    // Encode the nullability of the type arguments in the label.
+                    // Type arguments with different nullability can result in
+                    // a constructed method with different nullability of its parameters and return type,
+                    // so we need to create a distinct database entity for it.
+                    trapFile.BuildList(",", m.Symbol.GetAnnotatedTypeArguments(), ta => { ta.Symbol.BuildOrWriteId(m.Context, trapFile, m.Symbol); trapFile.Write((int)ta.Nullability); });
+                    trapFile.Write('>');
+                }
+                else
+                {
+                    trapFile.WriteSubId(m.ContainingType!);
+                    trapFile.Write(".");
+                    trapFile.WriteSubId(m.OriginalDefinition);
+                }
+
+                WritePostfix(m, trapFile);
+                return;
+            }
+
             m.Symbol.ReturnType.BuildOrWriteId(m.Context, trapFile, m.Symbol);
             trapFile.Write(" ");
 
@@ -141,24 +165,16 @@ namespace Semmle.Extraction.CSharp.Entities
 
             if (m.Symbol.IsGenericMethod)
             {
-                if (SymbolEqualityComparer.Default.Equals(m.Symbol, m.Symbol.OriginalDefinition))
-                {
-                    trapFile.Write('`');
-                    trapFile.Write(m.Symbol.TypeParameters.Length);
-                }
-                else
-                {
-                    trapFile.Write('<');
-                    // Encode the nullability of the type arguments in the label.
-                    // Type arguments with different nullability can result in
-                    // a constructed method with different nullability of its parameters and return type,
-                    // so we need to create a distinct database entity for it.
-                    trapFile.BuildList(",", m.Symbol.GetAnnotatedTypeArguments(), ta => { ta.Symbol.BuildOrWriteId(m.Context, trapFile, m.Symbol); trapFile.Write((int)ta.Nullability); });
-                    trapFile.Write('>');
-                }
+                trapFile.Write('`');
+                trapFile.Write(m.Symbol.TypeParameters.Length);
             }
 
             AddParametersToId(m.Context, trapFile, m.Symbol);
+            WritePostfix(m, trapFile);
+        }
+
+        private static void WritePostfix(Method m, EscapingTextWriter trapFile)
+        {
             switch (m.Symbol.MethodKind)
             {
                 case MethodKind.PropertyGet:

From 5a3a011b8e4b0b578f58b13f2e1ba7dce96c2d58 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 3 Jun 2021 11:17:01 +0200
Subject: [PATCH 1300/1429] Fix test results

---
 .../library-tests/methods/DB-CHECK.expected   | 130 ------------------
 .../library-tests/methods/Methods5.expected   |   2 -
 .../methods/Parameters8.expected              |   4 -
 3 files changed, 136 deletions(-)
 delete mode 100644 csharp/ql/test/library-tests/methods/DB-CHECK.expected

diff --git a/csharp/ql/test/library-tests/methods/DB-CHECK.expected b/csharp/ql/test/library-tests/methods/DB-CHECK.expected
deleted file mode 100644
index 4a99289a434..00000000000
--- a/csharp/ql/test/library-tests/methods/DB-CHECK.expected
+++ /dev/null
@@ -1,130 +0,0 @@
-[INVALID_KEY] predicate methods(@method id, string name, @type declaring_type_id, @type_or_ref type_id, @method unbound_id): The key set {id} does not functionally determine all fields.
-Here is a pair of tuples that agree on the key set but differ at index 4:
-Tuple 1 in row 28: (828,"M",827,1087,813)
-Tuple 2 in row 29: (828,"M",827,1087,1135)
-	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
-	Relevant element: Full ID for 827: @"(294)<(366)>;type". The ID may expand to @"{@"{@"{@";namespace"}.Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"{@";namespace"}.System;namespace"}.Int32;type"}>;type"
-	Relevant element: Full ID for 1087: @"(365);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"};typeRef"
-	Relevant element: Full ID for 813: @"(365) (294).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@";namespace"}.Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
-	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
-	Relevant element: Full ID for 827: @"(294)<(366)>;type". The ID may expand to @"{@"{@"{@";namespace"}.Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"{@";namespace"}.System;namespace"}.Int32;type"}>;type"
-	Relevant element: Full ID for 1087: @"(365);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"};typeRef"
-	Relevant element: Full ID for 1135: @"(365) (294).M((296) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@";namespace"}.Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}_0;typeparameter"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
-[INVALID_KEY] predicate constructors(@constructor id, string name, @type declaring_type_id, @constructor unbound_id): The key set {id} does not functionally determine all fields.
-Here is a pair of tuples that agree on the key set but differ at index 3:
-Tuple 1 in row 14: (897,"Nested",830,332)
-Tuple 2 in row 15: (897,"Nested",830,1143)
-	Relevant element: Full ID for 897: @"(830)((366) p1);constructor". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.Nested;type"}({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1);constructor"
-	Relevant element: Full ID for 830: @"(827).Nested;type". The ID may expand to @"{@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.Nested;type"
-	Relevant element: Full ID for 332: @"(297)((296) p1);constructor". The ID may expand to @"{@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.Nested;type"}({@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}_0;typeparameter"} p1);constructor"
-	Relevant element: Full ID for 897: @"(830)((366) p1);constructor". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.Nested;type"}({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1);constructor"
-	Relevant element: Full ID for 830: @"(827).Nested;type". The ID may expand to @"{@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.Nested;type"
-	Relevant element: Full ID for 1143: @"(297)((366) p1);constructor". The ID may expand to @"{@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.Nested;type"}({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1);constructor"
-[INVALID_KEY_SET] predicate params(@parameter id, string name, @type_or_ref type_id, int index, int mode, @parameterizable parent_id, @parameter unbound_id): The key set {name, parent_id} does not functionally determine all fields.
-Here is a pair of tuples that agree on the key set but differ at index 6:
-Tuple 1 in row 34: (1005,"p1",1083,0,0,828,1138)
-Tuple 2 in row 35: (1005,"p1",1083,0,0,828,1348)
-	Relevant element: Full ID for 1005: @"(828)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
-	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
-	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
-	Relevant element: Full ID for 1138: @"(1135)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(130).TestCollidingMethods`1;type"}_0;typeparameter"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
-	Relevant element: Full ID for 1005: @"(828)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
-	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
-	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
-	Relevant element: Full ID for 1348: @"(813)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
-[INVALID_KEY_SET] predicate params(@parameter id, string name, @type_or_ref type_id, int index, int mode, @parameterizable parent_id, @parameter unbound_id): The key set {name, parent_id} does not functionally determine all fields.
-Here is a pair of tuples that agree on the key set but differ at index 6:
-Tuple 1 in row 42: (1031,"p1",1083,0,0,897,335)
-Tuple 2 in row 43: (1031,"p1",1083,0,0,897,1146)
-	Relevant element: Full ID for 1031: @"(897)_0;parameter". The ID may expand to @"{@"{@"{@"(294)<(366)>;type"}.Nested;type"}({@"{@"(111).System;namespace"}.Int32;type"} p1);constructor"}_0;parameter"
-	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
-	Relevant element: Full ID for 897: @"(830)((366) p1);constructor". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.Nested;type"}({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1);constructor"
-	Relevant element: Full ID for 335: @"(332)_0;parameter". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}.Nested;type"}({@"{@"(130).TestCollidingMethods`1;type"}_0;typeparameter"} p1);constructor"}_0;parameter"
-	Relevant element: Full ID for 1031: @"(897)_0;parameter". The ID may expand to @"{@"{@"{@"(294)<(366)>;type"}.Nested;type"}({@"{@"(111).System;namespace"}.Int32;type"} p1);constructor"}_0;parameter"
-	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
-	Relevant element: Full ID for 897: @"(830)((366) p1);constructor". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.Nested;type"}({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1);constructor"
-	Relevant element: Full ID for 1146: @"(1143)_0;parameter". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}.Nested;type"}({@"{@"(111).System;namespace"}.Int32;type"} p1);constructor"}_0;parameter"
-[INVALID_KEY_SET] predicate params(@parameter id, string name, @type_or_ref type_id, int index, int mode, @parameterizable parent_id, @parameter unbound_id): The key set {name, parent_id} does not functionally determine all fields.
-Here is a pair of tuples that agree on the key set but differ at index 6:
-Tuple 1 in row 36: (1006,"p2",1083,1,0,828,1140)
-Tuple 2 in row 37: (1006,"p2",1083,1,0,828,1350)
-	Relevant element: Full ID for 1006: @"(828)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
-	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
-	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
-	Relevant element: Full ID for 1140: @"(1135)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(130).TestCollidingMethods`1;type"}_0;typeparameter"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
-	Relevant element: Full ID for 1006: @"(828)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
-	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
-	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
-	Relevant element: Full ID for 1350: @"(813)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
-[INVALID_KEY_SET] predicate params(@parameter id, string name, @type_or_ref type_id, int index, int mode, @parameterizable parent_id, @parameter unbound_id): The key set {index, parent_id} does not functionally determine all fields.
-Here is a pair of tuples that agree on the key set but differ at index 6:
-Tuple 1 in row 34: (1005,"p1",1083,0,0,828,1138)
-Tuple 2 in row 35: (1005,"p1",1083,0,0,828,1348)
-	Relevant element: Full ID for 1005: @"(828)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
-	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
-	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
-	Relevant element: Full ID for 1138: @"(1135)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(130).TestCollidingMethods`1;type"}_0;typeparameter"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
-	Relevant element: Full ID for 1005: @"(828)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
-	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
-	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
-	Relevant element: Full ID for 1348: @"(813)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
-[INVALID_KEY_SET] predicate params(@parameter id, string name, @type_or_ref type_id, int index, int mode, @parameterizable parent_id, @parameter unbound_id): The key set {index, parent_id} does not functionally determine all fields.
-Here is a pair of tuples that agree on the key set but differ at index 6:
-Tuple 1 in row 42: (1031,"p1",1083,0,0,897,335)
-Tuple 2 in row 43: (1031,"p1",1083,0,0,897,1146)
-	Relevant element: Full ID for 1031: @"(897)_0;parameter". The ID may expand to @"{@"{@"{@"(294)<(366)>;type"}.Nested;type"}({@"{@"(111).System;namespace"}.Int32;type"} p1);constructor"}_0;parameter"
-	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
-	Relevant element: Full ID for 897: @"(830)((366) p1);constructor". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.Nested;type"}({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1);constructor"
-	Relevant element: Full ID for 335: @"(332)_0;parameter". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}.Nested;type"}({@"{@"(130).TestCollidingMethods`1;type"}_0;typeparameter"} p1);constructor"}_0;parameter"
-	Relevant element: Full ID for 1031: @"(897)_0;parameter". The ID may expand to @"{@"{@"{@"(294)<(366)>;type"}.Nested;type"}({@"{@"(111).System;namespace"}.Int32;type"} p1);constructor"}_0;parameter"
-	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
-	Relevant element: Full ID for 897: @"(830)((366) p1);constructor". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.Nested;type"}({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1);constructor"
-	Relevant element: Full ID for 1146: @"(1143)_0;parameter". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}.Nested;type"}({@"{@"(111).System;namespace"}.Int32;type"} p1);constructor"}_0;parameter"
-[INVALID_KEY_SET] predicate params(@parameter id, string name, @type_or_ref type_id, int index, int mode, @parameterizable parent_id, @parameter unbound_id): The key set {index, parent_id} does not functionally determine all fields.
-Here is a pair of tuples that agree on the key set but differ at index 6:
-Tuple 1 in row 36: (1006,"p2",1083,1,0,828,1140)
-Tuple 2 in row 37: (1006,"p2",1083,1,0,828,1350)
-	Relevant element: Full ID for 1006: @"(828)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
-	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
-	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
-	Relevant element: Full ID for 1140: @"(1135)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(130).TestCollidingMethods`1;type"}_0;typeparameter"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
-	Relevant element: Full ID for 1006: @"(828)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
-	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
-	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
-	Relevant element: Full ID for 1350: @"(813)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
-[INVALID_KEY] predicate params(@parameter id, string name, @type_or_ref type_id, int index, int mode, @parameterizable parent_id, @parameter unbound_id): The key set {id} does not functionally determine all fields.
-Here is a pair of tuples that agree on the key set but differ at index 6:
-Tuple 1 in row 34: (1005,"p1",1083,0,0,828,1138)
-Tuple 2 in row 35: (1005,"p1",1083,0,0,828,1348)
-	Relevant element: Full ID for 1005: @"(828)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
-	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
-	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
-	Relevant element: Full ID for 1138: @"(1135)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(130).TestCollidingMethods`1;type"}_0;typeparameter"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
-	Relevant element: Full ID for 1005: @"(828)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
-	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
-	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
-	Relevant element: Full ID for 1348: @"(813)_0;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_0;parameter"
-[INVALID_KEY] predicate params(@parameter id, string name, @type_or_ref type_id, int index, int mode, @parameterizable parent_id, @parameter unbound_id): The key set {id} does not functionally determine all fields.
-Here is a pair of tuples that agree on the key set but differ at index 6:
-Tuple 1 in row 36: (1006,"p2",1083,1,0,828,1140)
-Tuple 2 in row 37: (1006,"p2",1083,1,0,828,1350)
-	Relevant element: Full ID for 1006: @"(828)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
-	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
-	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
-	Relevant element: Full ID for 1140: @"(1135)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(130).TestCollidingMethods`1;type"}_0;typeparameter"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
-	Relevant element: Full ID for 1006: @"(828)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
-	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
-	Relevant element: Full ID for 828: @"(365) (827).M((366) p1,(366) p2);method". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Void;type"} {@"{@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}<{@"{@"(111).System;namespace"}.Int32;type"}>;type"}.M({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1,{@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p2);method"
-	Relevant element: Full ID for 1350: @"(813)_1;parameter". The ID may expand to @"{@"{@"{@"(111).System;namespace"}.Void;type"} {@"{@"(111).Methods;namespace"}.TestCollidingMethods`1;type"}.M({@"{@"(111).System;namespace"}.Int32;type"} p1,{@"{@"(111).System;namespace"}.Int32;type"} p2);method"}_1;parameter"
-[INVALID_KEY] predicate params(@parameter id, string name, @type_or_ref type_id, int index, int mode, @parameterizable parent_id, @parameter unbound_id): The key set {id} does not functionally determine all fields.
-Here is a pair of tuples that agree on the key set but differ at index 6:
-Tuple 1 in row 42: (1031,"p1",1083,0,0,897,335)
-Tuple 2 in row 43: (1031,"p1",1083,0,0,897,1146)
-	Relevant element: Full ID for 1031: @"(897)_0;parameter". The ID may expand to @"{@"{@"{@"(294)<(366)>;type"}.Nested;type"}({@"{@"(111).System;namespace"}.Int32;type"} p1);constructor"}_0;parameter"
-	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
-	Relevant element: Full ID for 897: @"(830)((366) p1);constructor". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.Nested;type"}({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1);constructor"
-	Relevant element: Full ID for 335: @"(332)_0;parameter". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}.Nested;type"}({@"{@"(130).TestCollidingMethods`1;type"}_0;typeparameter"} p1);constructor"}_0;parameter"
-	Relevant element: Full ID for 1031: @"(897)_0;parameter". The ID may expand to @"{@"{@"{@"(294)<(366)>;type"}.Nested;type"}({@"{@"(111).System;namespace"}.Int32;type"} p1);constructor"}_0;parameter"
-	Relevant element: Full ID for 1083: @"(366);typeRef". The ID may expand to @"{@"{@"{@";namespace"}.System;namespace"}.Int32;type"};typeRef"
-	Relevant element: Full ID for 897: @"(830)((366) p1);constructor". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}<{@"(112).Int32;type"}>;type"}.Nested;type"}({@"{@"{@";namespace"}.System;namespace"}.Int32;type"} p1);constructor"
-	Relevant element: Full ID for 1146: @"(1143)_0;parameter". The ID may expand to @"{@"{@"{@"(130).TestCollidingMethods`1;type"}.Nested;type"}({@"{@"(111).System;namespace"}.Int32;type"} p1);constructor"}_0;parameter"
diff --git a/csharp/ql/test/library-tests/methods/Methods5.expected b/csharp/ql/test/library-tests/methods/Methods5.expected
index 03638800b01..01beaa41f6e 100644
--- a/csharp/ql/test/library-tests/methods/Methods5.expected
+++ b/csharp/ql/test/library-tests/methods/Methods5.expected
@@ -21,10 +21,8 @@
 | methods.cs:125:21:125:24 | Main | methods.cs:110:27:110:34 | Slice | methods.cs:122:18:122:31 | TestExtensions |
 | methods.cs:179:67:179:76 | SkipTwoInt | methods.cs:174:65:174:74 | SkipTwo | methods.cs:167:18:167:47 | TestDefaultExtensionParameters |
 | methods.cs:190:21:190:25 | Calls | methods.cs:187:21:187:21 | M | methods.cs:185:18:185:40 | TestCollidingMethods<> |
-| methods.cs:190:21:190:25 | Calls | methods.cs:187:21:187:21 | M | methods.cs:185:18:185:40 | TestCollidingMethods<> |
 | methods.cs:190:21:190:25 | Calls | methods.cs:188:21:188:21 | M | methods.cs:185:18:185:40 | TestCollidingMethods<> |
 | methods.cs:190:21:190:25 | Calls | methods.cs:188:21:188:21 | M | methods.cs:185:18:185:40 | TestCollidingMethods<> |
 | methods.cs:203:20:203:25 | Nested | methods.cs:202:20:202:25 | Nested | methods.cs:200:22:200:27 | Nested |
 | methods.cs:203:20:203:25 | Nested | methods.cs:202:20:202:25 | Nested | methods.cs:200:22:200:27 | Nested |
 | methods.cs:203:20:203:25 | Nested | methods.cs:203:20:203:25 | Nested | methods.cs:200:22:200:27 | Nested |
-| methods.cs:203:20:203:25 | Nested | methods.cs:203:20:203:25 | Nested | methods.cs:200:22:200:27 | Nested |
diff --git a/csharp/ql/test/library-tests/methods/Parameters8.expected b/csharp/ql/test/library-tests/methods/Parameters8.expected
index 6efd343a538..62c4d495009 100644
--- a/csharp/ql/test/library-tests/methods/Parameters8.expected
+++ b/csharp/ql/test/library-tests/methods/Parameters8.expected
@@ -47,10 +47,6 @@
 | methods.cs:187:21:187:21 | M | methods.cs:187:33:187:34 | p2 |
 | methods.cs:187:21:187:21 | M | methods.cs:187:33:187:34 | p2 |
 | methods.cs:187:21:187:21 | M | methods.cs:187:33:187:34 | p2 |
-| methods.cs:187:21:187:21 | M | methods.cs:188:27:188:28 | p1 |
-| methods.cs:187:21:187:21 | M | methods.cs:188:35:188:36 | p2 |
-| methods.cs:188:21:188:21 | M | methods.cs:187:25:187:26 | p1 |
-| methods.cs:188:21:188:21 | M | methods.cs:187:33:187:34 | p2 |
 | methods.cs:188:21:188:21 | M | methods.cs:188:27:188:28 | p1 |
 | methods.cs:188:21:188:21 | M | methods.cs:188:27:188:28 | p1 |
 | methods.cs:188:21:188:21 | M | methods.cs:188:27:188:28 | p1 |

From 9372e3b284188503b91666a128c6da25fc29a36b Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 3 Jun 2021 11:23:28 +0200
Subject: [PATCH 1301/1429] Python: Add aiohttp.web change-note

---
 python/change-notes/2021-06-03-aiohttp-webserver-modeling.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 python/change-notes/2021-06-03-aiohttp-webserver-modeling.md

diff --git a/python/change-notes/2021-06-03-aiohttp-webserver-modeling.md b/python/change-notes/2021-06-03-aiohttp-webserver-modeling.md
new file mode 100644
index 00000000000..a62a9c4b75e
--- /dev/null
+++ b/python/change-notes/2021-06-03-aiohttp-webserver-modeling.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added modeling of sources/sinks when using `aiohttp.web` to create web servers.

From 2e851cd5f04be353d0f1b94821d39719b554d900 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 3 Jun 2021 11:38:15 +0200
Subject: [PATCH 1302/1429] Python: Improve `yarl.URL` modeling

---
 .../ql/src/semmle/python/frameworks/Yarl.qll  | 11 +++
 .../frameworks/aiohttp/taint_test.py          | 67 +------------------
 .../frameworks/yarl/ConceptsTest.expected     |  0
 .../frameworks/yarl/ConceptsTest.ql           |  2 +
 .../frameworks/yarl/InlineTaintTest.expected  |  3 +
 .../frameworks/yarl/InlineTaintTest.ql        |  1 +
 .../library-tests/frameworks/yarl/options     |  1 +
 .../frameworks/yarl/taint_test.py             | 64 ++++++++++++++++++
 8 files changed, 85 insertions(+), 64 deletions(-)
 create mode 100644 python/ql/test/library-tests/frameworks/yarl/ConceptsTest.expected
 create mode 100644 python/ql/test/library-tests/frameworks/yarl/ConceptsTest.ql
 create mode 100644 python/ql/test/library-tests/frameworks/yarl/InlineTaintTest.expected
 create mode 100644 python/ql/test/library-tests/frameworks/yarl/InlineTaintTest.ql
 create mode 100644 python/ql/test/library-tests/frameworks/yarl/options
 create mode 100644 python/ql/test/library-tests/frameworks/yarl/taint_test.py

diff --git a/python/ql/src/semmle/python/frameworks/Yarl.qll b/python/ql/src/semmle/python/frameworks/Yarl.qll
index a998d8e0ca1..b91a407832f 100644
--- a/python/ql/src/semmle/python/frameworks/Yarl.qll
+++ b/python/ql/src/semmle/python/frameworks/Yarl.qll
@@ -34,6 +34,11 @@ module Yarl {
      */
     abstract class InstanceSource extends DataFlow::LocalSourceNode { }
 
+    /** A direct instantiation of `yarl.URL`. */
+    private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
+      ClassInstantiation() { this = API::moduleImport("yarl").getMember("URL").getACall() }
+    }
+
     /** Gets a reference to an instance of `yarl.URL`. */
     private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
       t.start() and
@@ -52,6 +57,12 @@ module Yarl {
      */
     class YarlUrlAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
       override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+        // class instantiation
+        exists(ClassInstantiation call |
+          nodeFrom in [call.getArg(0), call.getArgByName("val")] and
+          nodeTo = call
+        )
+        or
         // Methods
         //
         // TODO: When we have tools that make it easy, model these properly to handle
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
index dcf21f92687..1b70879d6d3 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -5,11 +5,12 @@ async def test_taint(request: web.Request): # $ requestHandler
     ensure_tainted(
         request, # $ tainted
 
-        # yarl.URL instances
+        # yarl.URL instances, see tests under `yarl` framework tests
         # https://yarl.readthedocs.io/en/stable/api.html#yarl.URL
-        # see below
         request.url, # $ tainted
+        request.url.human_repr(), # $ tainted
         request.rel_url, # $ tainted
+        request.rel_url.human_repr(), # $ tainted
 
         request.forwarded, # $ tainted
 
@@ -130,68 +131,6 @@ async def test_taint(request: web.Request): # $ requestHandler
         request.config_dict,
     )
 
-    # TODO: Should have a better way to capture that we in fact _do_ model this as a
-    # an instance of the right class, and have the actual taint_test for that in a
-    # different file!
-    import yarl
-
-    ensure_tainted(
-        # see https://yarl.readthedocs.io/en/stable/api.html#yarl.URL
-        request.url.user, # $ tainted
-        request.url.raw_user, # $ tainted
-
-        request.url.password, # $ tainted
-        request.url.raw_password, # $ tainted
-
-        request.url.host, # $ tainted
-        request.url.raw_host, # $ tainted
-
-        request.url.port, # $ tainted
-        request.url.explicit_port, # $ tainted
-
-        request.url.authority, # $ tainted
-        request.url.raw_authority, # $ tainted
-
-        request.url.path, # $ tainted
-        request.url.raw_path, # $ tainted
-
-        request.url.path_qs, # $ tainted
-        request.url.raw_path_qs, # $ tainted
-
-        request.url.query_string, # $ tainted
-        request.url.raw_query_string, # $ tainted
-
-        request.url.fragment, # $ tainted
-        request.url.raw_fragment, # $ tainted
-
-        request.url.parts, # $ tainted
-        request.url.raw_parts, # $ tainted
-
-        request.url.name, # $ tainted
-        request.url.raw_name, # $ tainted
-
-        # multidict.MultiDictProxy[str]
-        request.url.query, # $ tainted
-        request.url.query.getone("key"), # $ tainted
-
-        request.url.with_scheme("foo"), # $ tainted
-        request.url.with_user("foo"), # $ tainted
-        request.url.with_password("foo"), # $ tainted
-        request.url.with_host("foo"), # $ tainted
-        request.url.with_port("foo"), # $ tainted
-        request.url.with_path("foo"), # $ tainted
-        request.url.with_query({"foo": 42}), # $ tainted
-        request.url.with_query(foo=42), # $ tainted
-        request.url.update_query({"foo": 42}), # $ tainted
-        request.url.update_query(foo=42), # $ tainted
-        request.url.with_fragment("foo"), # $ tainted
-        request.url.with_name("foo"), # $ tainted
-
-        request.url.join(yarl.URL("wat.html")), # $ tainted
-
-        request.url.human_repr(), # $ tainted
-    )
-
 
 class TaintTestClass(web.View):
     def get(self): # $ requestHandler
diff --git a/python/ql/test/library-tests/frameworks/yarl/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/yarl/ConceptsTest.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/python/ql/test/library-tests/frameworks/yarl/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/yarl/ConceptsTest.ql
new file mode 100644
index 00000000000..b557a0bccb6
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/yarl/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
diff --git a/python/ql/test/library-tests/frameworks/yarl/InlineTaintTest.expected b/python/ql/test/library-tests/frameworks/yarl/InlineTaintTest.expected
new file mode 100644
index 00000000000..79d760d87f4
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/yarl/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
diff --git a/python/ql/test/library-tests/frameworks/yarl/InlineTaintTest.ql b/python/ql/test/library-tests/frameworks/yarl/InlineTaintTest.ql
new file mode 100644
index 00000000000..027ad8667be
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/yarl/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
diff --git a/python/ql/test/library-tests/frameworks/yarl/options b/python/ql/test/library-tests/frameworks/yarl/options
new file mode 100644
index 00000000000..cfef58cf2b2
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/yarl/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=1 --lang=3
diff --git a/python/ql/test/library-tests/frameworks/yarl/taint_test.py b/python/ql/test/library-tests/frameworks/yarl/taint_test.py
new file mode 100644
index 00000000000..9fa012a9f2f
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/yarl/taint_test.py
@@ -0,0 +1,64 @@
+import yarl
+
+
+url = yarl.URL(TAINTED_STRING)
+
+
+ensure_tainted(
+    url, # $ tainted
+
+    # see https://yarl.readthedocs.io/en/stable/api.html#yarl.URL
+    url.user, # $ tainted
+    url.raw_user, # $ tainted
+
+    url.password, # $ tainted
+    url.raw_password, # $ tainted
+
+    url.host, # $ tainted
+    url.raw_host, # $ tainted
+
+    url.port, # $ tainted
+    url.explicit_port, # $ tainted
+
+    url.authority, # $ tainted
+    url.raw_authority, # $ tainted
+
+    url.path, # $ tainted
+    url.raw_path, # $ tainted
+
+    url.path_qs, # $ tainted
+    url.raw_path_qs, # $ tainted
+
+    url.query_string, # $ tainted
+    url.raw_query_string, # $ tainted
+
+    url.fragment, # $ tainted
+    url.raw_fragment, # $ tainted
+
+    url.parts, # $ tainted
+    url.raw_parts, # $ tainted
+
+    url.name, # $ tainted
+    url.raw_name, # $ tainted
+
+    # multidict.MultiDictProxy[str]
+    url.query, # $ tainted
+    url.query.getone("key"), # $ tainted
+
+    url.with_scheme("foo"), # $ tainted
+    url.with_user("foo"), # $ tainted
+    url.with_password("foo"), # $ tainted
+    url.with_host("foo"), # $ tainted
+    url.with_port("foo"), # $ tainted
+    url.with_path("foo"), # $ tainted
+    url.with_query({"foo": 42}), # $ tainted
+    url.with_query(foo=42), # $ tainted
+    url.update_query({"foo": 42}), # $ tainted
+    url.update_query(foo=42), # $ tainted
+    url.with_fragment("foo"), # $ tainted
+    url.with_name("foo"), # $ tainted
+
+    url.join(yarl.URL("wat.html")), # $ tainted
+
+    url.human_repr(), # $ tainted
+)

From e9acea8643c3ccac3568134c938fcb6509c942d5 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 3 Jun 2021 11:50:49 +0200
Subject: [PATCH 1303/1429] Python: Improve `multidict` modeling

---
 .../semmle/python/frameworks/Multidict.qll    | 20 ++++++++-
 .../frameworks/aiohttp/taint_test.py          | 26 ++----------
 .../multidict/ConceptsTest.expected           |  0
 .../frameworks/multidict/ConceptsTest.ql      |  2 +
 .../multidict/InlineTaintTest.expected        |  3 ++
 .../frameworks/multidict/InlineTaintTest.ql   |  1 +
 .../frameworks/multidict/options              |  1 +
 .../frameworks/multidict/taint_test.py        | 41 +++++++++++++++++++
 8 files changed, 70 insertions(+), 24 deletions(-)
 create mode 100644 python/ql/test/library-tests/frameworks/multidict/ConceptsTest.expected
 create mode 100644 python/ql/test/library-tests/frameworks/multidict/ConceptsTest.ql
 create mode 100644 python/ql/test/library-tests/frameworks/multidict/InlineTaintTest.expected
 create mode 100644 python/ql/test/library-tests/frameworks/multidict/InlineTaintTest.ql
 create mode 100644 python/ql/test/library-tests/frameworks/multidict/options
 create mode 100644 python/ql/test/library-tests/frameworks/multidict/taint_test.py

diff --git a/python/ql/src/semmle/python/frameworks/Multidict.qll b/python/ql/src/semmle/python/frameworks/Multidict.qll
index 7a2c2bf0751..6a04bd2b8d2 100644
--- a/python/ql/src/semmle/python/frameworks/Multidict.qll
+++ b/python/ql/src/semmle/python/frameworks/Multidict.qll
@@ -24,6 +24,11 @@ module Multidict {
    * See https://multidict.readthedocs.io/en/stable/multidict.html#multidictproxy
    */
   module MultiDictProxy {
+    /** Gets a reference to a `MultiDictProxy` class. */
+    API::Node classRef() {
+      result = API::moduleImport("multidict").getMember(["MultiDictProxy", "CIMultiDictProxy"])
+    }
+
     /**
      * A source of instances of `multidict.MultiDictProxy`, extend this class to model
      * new instances.
@@ -37,7 +42,12 @@ module Multidict {
      */
     abstract class InstanceSource extends DataFlow::LocalSourceNode { }
 
-    /** Gets a reference to an instance of `multidict.MultiDictProxy`. */
+    /** A direct instantiation of a `MultiDictProxy` class. */
+    private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
+      ClassInstantiation() { this = classRef().getACall() }
+    }
+
+    /** Gets a reference to an instance of a `MultiDictProxy` class. */
     private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
       t.start() and
       result instanceof InstanceSource
@@ -45,7 +55,7 @@ module Multidict {
       exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
     }
 
-    /** Gets a reference to an instance of `multidict.MultiDictProxy`. */
+    /** Gets a reference to an instance of a `MultiDictProxy` class. */
     DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
 
     /**
@@ -55,6 +65,12 @@ module Multidict {
      */
     class MultiDictProxyAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
       override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+        // class instantiation
+        exists(ClassInstantiation call |
+          nodeFrom = call.getArg(0) and
+          nodeTo = call
+        )
+        or
         // Methods
         //
         // TODO: When we have tools that make it easy, model these properly to handle
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
index 1b70879d6d3..2bc3e529402 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -5,8 +5,7 @@ async def test_taint(request: web.Request): # $ requestHandler
     ensure_tainted(
         request, # $ tainted
 
-        # yarl.URL instances, see tests under `yarl` framework tests
-        # https://yarl.readthedocs.io/en/stable/api.html#yarl.URL
+        # yarl.URL (see `yarl` framework tests)
         request.url, # $ tainted
         request.url.human_repr(), # $ tainted
         request.rel_url, # $ tainted
@@ -25,28 +24,11 @@ async def test_taint(request: web.Request): # $ requestHandler
         request.match_info["key"], # $ tainted
         request.match_info.get("key"), # $ tainted
 
-        # multidict.MultiDictProxy[str]
-        # see https://multidict.readthedocs.io/en/stable/multidict.html#multidict.MultiDictProxy
-        # TODO: Should have a better way to capture that we in fact _do_ model this as a
-        # an instance of the right class, and have the actual taint_test for that in a
-        # different file!
+        # multidict.MultiDictProxy[str] (see `multidict` framework tests)
         request.query, # $ tainted
-        request.query["key"], # $ tainted
-        request.query.get("key"), # $ tainted
         request.query.getone("key"), # $ tainted
-        request.query.getall("key"), # $ tainted
-        request.query.keys(), # $ MISSING: tainted
-        request.query.values(), # $ tainted
-        request.query.items(), # $ tainted
-        request.query.copy(), # $ tainted
-        list(request.query), # $ tainted
-        iter(request.query), # $ tainted
 
-        # multidict.CIMultiDictProxy[str]
-        # see https://multidict.readthedocs.io/en/stable/multidict.html#multidict.CIMultiDictProxy
-        # TODO: Should have a better way to capture that we in fact _do_ model this as a
-        # an instance of the right class, and have the actual taint_test for that in a
-        # different file!
+        # multidict.CIMultiDictProxy[str] (see `multidict` framework tests)
         request.headers, # $ tainted
         request.headers.getone("key"), # $ tainted
 
@@ -99,7 +81,7 @@ async def test_taint(request: web.Request): # $ requestHandler
         # aiohttp.multipart.MultipartReader
         await request.multipart(), # $ tainted
 
-        # multidict.MultiDictProxy[str]
+        # multidict.MultiDictProxy[str] (see `multidict` framework tests)
         await request.post(), # $ tainted
         (await request.post()).getone("key"), # $ MISSING: tainted
     )
diff --git a/python/ql/test/library-tests/frameworks/multidict/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/multidict/ConceptsTest.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/python/ql/test/library-tests/frameworks/multidict/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/multidict/ConceptsTest.ql
new file mode 100644
index 00000000000..b557a0bccb6
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/multidict/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
diff --git a/python/ql/test/library-tests/frameworks/multidict/InlineTaintTest.expected b/python/ql/test/library-tests/frameworks/multidict/InlineTaintTest.expected
new file mode 100644
index 00000000000..79d760d87f4
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/multidict/InlineTaintTest.expected
@@ -0,0 +1,3 @@
+argumentToEnsureNotTaintedNotMarkedAsSpurious
+untaintedArgumentToEnsureTaintedNotMarkedAsMissing
+failures
diff --git a/python/ql/test/library-tests/frameworks/multidict/InlineTaintTest.ql b/python/ql/test/library-tests/frameworks/multidict/InlineTaintTest.ql
new file mode 100644
index 00000000000..027ad8667be
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/multidict/InlineTaintTest.ql
@@ -0,0 +1 @@
+import experimental.meta.InlineTaintTest
diff --git a/python/ql/test/library-tests/frameworks/multidict/options b/python/ql/test/library-tests/frameworks/multidict/options
new file mode 100644
index 00000000000..cfef58cf2b2
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/multidict/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=1 --lang=3
diff --git a/python/ql/test/library-tests/frameworks/multidict/taint_test.py b/python/ql/test/library-tests/frameworks/multidict/taint_test.py
new file mode 100644
index 00000000000..8fbac79888f
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/multidict/taint_test.py
@@ -0,0 +1,41 @@
+import multidict
+
+# TODO: This is an invalid MultiDictProxy construction... but for the purpose of
+# taint-test, this should be good enough.
+mdp = multidict.MultiDictProxy(TAINTED_STRING)
+
+ensure_tainted(
+    # see https://multidict.readthedocs.io/en/stable/multidict.html#multidict.MultiDictProxy
+
+    mdp, # $ tainted
+    mdp["key"], # $ tainted
+    mdp.get("key"), # $ tainted
+    mdp.getone("key"), # $ tainted
+    mdp.getall("key"), # $ tainted
+    mdp.keys(), # $ MISSING: tainted
+    mdp.values(), # $ tainted
+    mdp.items(), # $ tainted
+    mdp.copy(), # $ tainted
+    list(mdp), # $ tainted
+    iter(mdp), # $ tainted
+)
+
+# TODO: This is an invalid CIMultiDictProxy construction... but for the purpose of
+# taint-test, this should be good enough.
+ci_mdp = multidict.CIMultiDictProxy(TAINTED_STRING)
+
+ensure_tainted(
+    # see https://multidict.readthedocs.io/en/stable/multidict.html#multidict.CIMultiDictProxy
+
+    ci_mdp, # $ tainted
+    ci_mdp["key"], # $ tainted
+    ci_mdp.get("key"), # $ tainted
+    ci_mdp.getone("key"), # $ tainted
+    ci_mdp.getall("key"), # $ tainted
+    ci_mdp.keys(), # $ MISSING: tainted
+    ci_mdp.values(), # $ tainted
+    ci_mdp.items(), # $ tainted
+    ci_mdp.copy(), # $ tainted
+    list(ci_mdp), # $ tainted
+    iter(ci_mdp), # $ tainted
+)

From 793e3db085b34191836c2cf31661f70243e2cb1e Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 3 Jun 2021 11:54:05 +0200
Subject: [PATCH 1304/1429] C#: Change compilation settings to include all
 non-public symbols

---
 .../Semmle.Extraction.CSharp/Extractor/Extractor.cs        | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Extractor.cs b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Extractor.cs
index 179d1f14de5..1dd6d817b01 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Extractor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Extractor/Extractor.cs
@@ -416,9 +416,10 @@ namespace Semmle.Extraction.CSharp
                         compilerArguments.CompilationName,
                         syntaxTrees,
                         references,
-                        compilerArguments.CompilationOptions.
-                            WithAssemblyIdentityComparer(DesktopAssemblyIdentityComparer.Default).
-                            WithStrongNameProvider(new DesktopStrongNameProvider(compilerArguments.KeyFileSearchPaths))
+                        compilerArguments.CompilationOptions
+                            .WithAssemblyIdentityComparer(DesktopAssemblyIdentityComparer.Default)
+                            .WithStrongNameProvider(new DesktopStrongNameProvider(compilerArguments.KeyFileSearchPaths))
+                            .WithMetadataImportOptions(MetadataImportOptions.All)
                         );
                 },
                 (compilation, options) => analyser.EndInitialize(compilerArguments, options, compilation),

From 79bef11cf7cc888fb828f750216b41b87320f7d3 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 3 Jun 2021 12:10:29 +0200
Subject: [PATCH 1305/1429] Python: Use "new" SensitiveDataHeuristics

---
 .../dataflow/new/SensitiveDataSources.qll     | 21 +++++++++----------
 ...WeakSensitiveDataHashingCustomizations.qll | 12 ++++++-----
 2 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
index 42be7aacfe9..ea3f135ed98 100644
--- a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
+++ b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
@@ -9,6 +9,12 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.Frameworks
 private import semmle.python.Concepts
 private import semmle.python.security.SensitiveData as OldSensitiveData
+private import semmle.python.security.internal.SensitiveDataHeuristics as SensitiveDataHeuristics
+
+// We export these explicitly, so we don't also export the `HeuristicNames` module.
+class SensitiveDataClassification = SensitiveDataHeuristics::SensitiveDataClassification;
+
+module SensitiveDataClassification = SensitiveDataHeuristics::SensitiveDataClassification;
 
 /**
  * A data flow source of sensitive data, such as secrets, certificates, or passwords.
@@ -22,13 +28,9 @@ class SensitiveDataSource extends DataFlow::Node {
   SensitiveDataSource() { this = range }
 
   /**
-   * INTERNAL: Do not use.
-   *
-   * This will be rewritten to have better types soon, and therefore should only be used internally until then.
-   *
    * Gets the classification of the sensitive data.
    */
-  string getClassification() { result = range.getClassification() }
+  SensitiveDataClassification getClassification() { result = range.getClassification() }
 }
 
 /** Provides a class for modeling new sources of sensitive data, such as secrets, certificates, or passwords. */
@@ -41,22 +43,19 @@ module SensitiveDataSource {
    */
   abstract class Range extends DataFlow::Node {
     /**
-     * INTERNAL: Do not use.
-     *
-     * This will be rewritten to have better types soon, and therefore should only be used internally until then.
-     *
      * Gets the classification of the sensitive data.
      */
-    abstract string getClassification();
+    abstract SensitiveDataClassification getClassification();
   }
 }
 
+// TODO: rewrite this to not rely on the old points-to implementation
 private class PortOfOldModeling extends SensitiveDataSource::Range {
   OldSensitiveData::SensitiveData::Source oldSensitiveSource;
 
   PortOfOldModeling() { this.asCfgNode() = oldSensitiveSource }
 
-  override string getClassification() {
+  override SensitiveDataClassification getClassification() {
     exists(OldSensitiveData::SensitiveData classification |
       oldSensitiveSource.isSourceOf(classification)
     |
diff --git a/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashingCustomizations.qll b/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashingCustomizations.qll
index 8b9d6f4e83f..c867c1e9924 100644
--- a/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashingCustomizations.qll
+++ b/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashingCustomizations.qll
@@ -52,7 +52,9 @@ module NormalHashFunction {
    * A source of sensitive data, considered as a flow source.
    */
   class SensitiveDataSourceAsSource extends Source, SensitiveDataSource {
-    override string getClassification() { result = SensitiveDataSource.super.getClassification() }
+    override SensitiveDataClassification getClassification() {
+      result = SensitiveDataSource.super.getClassification()
+    }
   }
 
   /** The input to a hashing operation using a weak algorithm, considered as a flow sink. */
@@ -120,12 +122,12 @@ module ComputationallyExpensiveHashFunction {
    */
   class PasswordSourceAsSource extends Source, SensitiveDataSource {
     PasswordSourceAsSource() {
-      // TODO: once https://github.com/github/codeql/pull/5739 has been merged,
-      // don't use hardcoded value anymore
-      SensitiveDataSource.super.getClassification() = "password"
+      SensitiveDataSource.super.getClassification() = SensitiveDataClassification::password()
     }
 
-    override string getClassification() { result = SensitiveDataSource.super.getClassification() }
+    override SensitiveDataClassification getClassification() {
+      result = SensitiveDataSource.super.getClassification()
+    }
   }
 
   /**

From e543c6c6659322e41cae74868b26d34f921f4c1d Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 3 Jun 2021 12:23:05 +0200
Subject: [PATCH 1306/1429] add a `js/client-side-unvalidated-url-redirection`
 sink for the `history` library

---
 .../ClientSideUrlRedirectCustomizations.qll       | 15 +++++++++++++++
 .../ClientSideUrlRedirect.expected                | 12 ++++++++++++
 .../CWE-601/ClientSideUrlRedirect/tst13.js        |  7 +++++++
 3 files changed, 34 insertions(+)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
index ed182831eea..9bca989e984 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
@@ -191,6 +191,21 @@ module ClientSideUrlRedirect {
     }
   }
 
+  /**
+   * A write to the location using the [history](https://npmjs.com/package/history) library
+   */
+  class HistoryWriteUrlSink extends ScriptUrlSink {
+    HistoryWriteUrlSink() {
+      this =
+        API::moduleImport("history")
+            .getMember(["createBrowserHistory", "createHashHistory"])
+            .getReturn()
+            .getMember(["push", "replace"])
+            .getACall()
+            .getArgument(0)
+    }
+  }
+
   /**
    * A call to change the current url with a Next.js router.
    */
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
index e835fa95acc..a7148512587 100644
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
@@ -129,6 +129,12 @@ nodes
 | tst13.js:52:34:52:34 | e |
 | tst13.js:53:28:53:28 | e |
 | tst13.js:53:28:53:28 | e |
+| tst13.js:59:9:59:52 | payload |
+| tst13.js:59:19:59:42 | documen ... .search |
+| tst13.js:59:19:59:42 | documen ... .search |
+| tst13.js:59:19:59:52 | documen ... bstr(1) |
+| tst13.js:61:18:61:24 | payload |
+| tst13.js:61:18:61:24 | payload |
 | tst.js:2:19:2:69 | /.*redi ... n.href) |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
@@ -306,6 +312,11 @@ edges
 | tst13.js:52:34:52:34 | e | tst13.js:53:28:53:28 | e |
 | tst13.js:52:34:52:34 | e | tst13.js:53:28:53:28 | e |
 | tst13.js:52:34:52:34 | e | tst13.js:53:28:53:28 | e |
+| tst13.js:59:9:59:52 | payload | tst13.js:61:18:61:24 | payload |
+| tst13.js:59:9:59:52 | payload | tst13.js:61:18:61:24 | payload |
+| tst13.js:59:19:59:42 | documen ... .search | tst13.js:59:19:59:52 | documen ... bstr(1) |
+| tst13.js:59:19:59:42 | documen ... .search | tst13.js:59:19:59:52 | documen ... bstr(1) |
+| tst13.js:59:19:59:52 | documen ... bstr(1) | tst13.js:59:9:59:52 | payload |
 | tst.js:2:19:2:69 | /.*redi ... n.href) | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
 | tst.js:2:19:2:69 | /.*redi ... n.href) | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
 | tst.js:2:47:2:63 | document.location | tst.js:2:47:2:68 | documen ... on.href |
@@ -397,6 +408,7 @@ edges
 | tst13.js:44:14:44:20 | payload | tst13.js:2:19:2:42 | documen ... .search | tst13.js:44:14:44:20 | payload | Untrusted URL redirection due to $@. | tst13.js:2:19:2:42 | documen ... .search | user-provided value |
 | tst13.js:50:23:50:23 | e | tst13.js:49:32:49:32 | e | tst13.js:50:23:50:23 | e | Untrusted URL redirection due to $@. | tst13.js:49:32:49:32 | e | user-provided value |
 | tst13.js:53:28:53:28 | e | tst13.js:52:34:52:34 | e | tst13.js:53:28:53:28 | e | Untrusted URL redirection due to $@. | tst13.js:52:34:52:34 | e | user-provided value |
+| tst13.js:61:18:61:24 | payload | tst13.js:59:19:59:42 | documen ... .search | tst13.js:61:18:61:24 | payload | Untrusted URL redirection due to $@. | tst13.js:59:19:59:42 | documen ... .search | user-provided value |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] | tst.js:2:47:2:63 | document.location | tst.js:2:19:2:72 | /.*redi ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:2:47:2:63 | document.location | user-provided value |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] | tst.js:2:47:2:68 | documen ... on.href | tst.js:2:19:2:72 | /.*redi ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:2:47:2:68 | documen ... on.href | user-provided value |
 | tst.js:6:20:6:59 | indirec ... ref)[1] | tst.js:6:34:6:50 | document.location | tst.js:6:20:6:59 | indirec ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:6:34:6:50 | document.location | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js
index 7a71cf06c08..873001ca626 100644
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js
@@ -53,3 +53,10 @@ function foo() {
         self.importScripts(e); // NOT OK
     }
 })();
+
+const history = require('history').createBrowserHistory();
+function bar() {
+    var payload = document.location.search.substr(1);
+
+    history.push(payload); // NOT OK
+}
\ No newline at end of file

From 608a0314df72762f48f5da40351fd8952d7e4dd5 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 3 Jun 2021 12:33:25 +0200
Subject: [PATCH 1307/1429] add location reads from the `history` libary as
 client-side remote flow

---
 .../javascript/security/dataflow/DOM.qll      | 27 +++++++++++++++++++
 .../ClientSideUrlRedirect.expected            | 12 +++++++++
 .../CWE-601/ClientSideUrlRedirect/tst13.js    |  8 +++++-
 3 files changed, 46 insertions(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll b/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
index 204f04e9c52..42f5924f6aa 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
@@ -272,3 +272,30 @@ private class WindowLocationFlowSource extends ClientSideRemoteFlowSource {
 
   override ClientSideRemoteFlowKind getKind() { result = kind }
 }
+
+/**
+ * A user-controlled location value read from the [history](http://npmjs.org/package/history) library.
+ */
+private class HistoryLibaryRemoteFlow extends ClientSideRemoteFlowSource {
+  ClientSideRemoteFlowKind kind;
+
+  HistoryLibaryRemoteFlow() {
+    exists(API::Node loc |
+      loc =
+        API::moduleImport("history")
+            .getMember(["createBrowserHistory", "createHashHistory"])
+            .getReturn()
+            .getMember("location")
+    |
+      this = loc.getMember("hash").getAnImmediateUse() and kind.isFragment()
+      or
+      this = loc.getMember("pathname").getAnImmediateUse() and kind.isPath()
+      or
+      this = loc.getMember("search").getAnImmediateUse() and kind.isQuery()
+    )
+  }
+
+  override string getSourceType() { result = "Window location" }
+
+  override ClientSideRemoteFlowKind getKind() { result = kind }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
index a7148512587..d3edd76979b 100644
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
@@ -135,6 +135,12 @@ nodes
 | tst13.js:59:19:59:52 | documen ... bstr(1) |
 | tst13.js:61:18:61:24 | payload |
 | tst13.js:61:18:61:24 | payload |
+| tst13.js:65:9:65:49 | payload |
+| tst13.js:65:19:65:39 | history ... on.hash |
+| tst13.js:65:19:65:39 | history ... on.hash |
+| tst13.js:65:19:65:49 | history ... bstr(1) |
+| tst13.js:67:21:67:27 | payload |
+| tst13.js:67:21:67:27 | payload |
 | tst.js:2:19:2:69 | /.*redi ... n.href) |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
@@ -317,6 +323,11 @@ edges
 | tst13.js:59:19:59:42 | documen ... .search | tst13.js:59:19:59:52 | documen ... bstr(1) |
 | tst13.js:59:19:59:42 | documen ... .search | tst13.js:59:19:59:52 | documen ... bstr(1) |
 | tst13.js:59:19:59:52 | documen ... bstr(1) | tst13.js:59:9:59:52 | payload |
+| tst13.js:65:9:65:49 | payload | tst13.js:67:21:67:27 | payload |
+| tst13.js:65:9:65:49 | payload | tst13.js:67:21:67:27 | payload |
+| tst13.js:65:19:65:39 | history ... on.hash | tst13.js:65:19:65:49 | history ... bstr(1) |
+| tst13.js:65:19:65:39 | history ... on.hash | tst13.js:65:19:65:49 | history ... bstr(1) |
+| tst13.js:65:19:65:49 | history ... bstr(1) | tst13.js:65:9:65:49 | payload |
 | tst.js:2:19:2:69 | /.*redi ... n.href) | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
 | tst.js:2:19:2:69 | /.*redi ... n.href) | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
 | tst.js:2:47:2:63 | document.location | tst.js:2:47:2:68 | documen ... on.href |
@@ -409,6 +420,7 @@ edges
 | tst13.js:50:23:50:23 | e | tst13.js:49:32:49:32 | e | tst13.js:50:23:50:23 | e | Untrusted URL redirection due to $@. | tst13.js:49:32:49:32 | e | user-provided value |
 | tst13.js:53:28:53:28 | e | tst13.js:52:34:52:34 | e | tst13.js:53:28:53:28 | e | Untrusted URL redirection due to $@. | tst13.js:52:34:52:34 | e | user-provided value |
 | tst13.js:61:18:61:24 | payload | tst13.js:59:19:59:42 | documen ... .search | tst13.js:61:18:61:24 | payload | Untrusted URL redirection due to $@. | tst13.js:59:19:59:42 | documen ... .search | user-provided value |
+| tst13.js:67:21:67:27 | payload | tst13.js:65:19:65:39 | history ... on.hash | tst13.js:67:21:67:27 | payload | Untrusted URL redirection due to $@. | tst13.js:65:19:65:39 | history ... on.hash | user-provided value |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] | tst.js:2:47:2:63 | document.location | tst.js:2:19:2:72 | /.*redi ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:2:47:2:63 | document.location | user-provided value |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] | tst.js:2:47:2:68 | documen ... on.href | tst.js:2:19:2:72 | /.*redi ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:2:47:2:68 | documen ... on.href | user-provided value |
 | tst.js:6:20:6:59 | indirec ... ref)[1] | tst.js:6:34:6:50 | document.location | tst.js:6:20:6:59 | indirec ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:6:34:6:50 | document.location | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js
index 873001ca626..63956a651a2 100644
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js
@@ -54,9 +54,15 @@ function foo() {
     }
 })();
 
-const history = require('history').createBrowserHistory();
 function bar() {
+    const history = require('history').createBrowserHistory();
     var payload = document.location.search.substr(1);
 
     history.push(payload); // NOT OK
+}
+function baz() {
+    const history = require('history').createHashHistory();
+    var payload = history.location.hash.substr(1);
+
+    history.replace(payload); // NOT OK
 }
\ No newline at end of file

From d30f53a21ab199a8dbfeb9c99e6bab5d6584086c Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Thu, 3 Jun 2021 12:35:39 +0200
Subject: [PATCH 1308/1429] add change note

---
 javascript/change-notes/2021-06-03-history.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 javascript/change-notes/2021-06-03-history.md

diff --git a/javascript/change-notes/2021-06-03-history.md b/javascript/change-notes/2021-06-03-history.md
new file mode 100644
index 00000000000..da5054a2630
--- /dev/null
+++ b/javascript/change-notes/2021-06-03-history.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Taint sources and sinks from the [history](https://npmjs.com/package/history) library are now recognized.
+  Affected packages are
+    [history](https://www.npmjs.com/package/history)
\ No newline at end of file

From 1ce7c631ffacb593c8ae75ea521b10b3f11abce6 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 3 Jun 2021 13:01:42 +0200
Subject: [PATCH 1309/1429] Fix failing tests

---
 .../conversion/reftype/RefType.expected       |  9 +++
 .../csharp8/UnmanagedGenericStructs.ql        |  2 +-
 .../dataflow/global/GetAnOutNode.expected     |  6 ++
 .../dataflow/library/FlowSummaries.expected   | 70 +++++++++++++++++++
 .../ql/test/library-tests/methods/Methods1.ql |  3 +-
 .../Stubs/MinimalStubsFromSource.expected     |  2 +-
 6 files changed, 89 insertions(+), 3 deletions(-)

diff --git a/csharp/ql/test/library-tests/conversion/reftype/RefType.expected b/csharp/ql/test/library-tests/conversion/reftype/RefType.expected
index cdcfcf78f96..88f34c17293 100644
--- a/csharp/ql/test/library-tests/conversion/reftype/RefType.expected
+++ b/csharp/ql/test/library-tests/conversion/reftype/RefType.expected
@@ -1,5 +1,7 @@
 | Byte[] | Object |
 | Byte[] | dynamic |
+| Byte[][] | Object |
+| Byte[][] | dynamic |
 | C1 | Object |
 | C1 | dynamic |
 | C1[] | ICollection<C1> |
@@ -183,6 +185,8 @@
 | IReadOnlyList<T4> | dynamic |
 | Int16[] | Object |
 | Int16[] | dynamic |
+| Int32[,] | Object |
+| Int32[,] | dynamic |
 | Int32[] | Object |
 | Int32[] | dynamic |
 | Int64[] | Object |
@@ -221,12 +225,15 @@
 | T5 | C1 |
 | T5 | Object |
 | T5 | dynamic |
+| UInt16[][] | Object |
+| UInt16[][] | dynamic |
 | UInt32[] | Object |
 | UInt32[] | dynamic |
 | UInt64[] | Object |
 | UInt64[] | dynamic |
 | dynamic | Object |
 | null | Byte[] |
+| null | Byte[][] |
 | null | C1 |
 | null | C1[] |
 | null | C2 |
@@ -279,6 +286,7 @@
 | null | IReadOnlyList<T3> |
 | null | IReadOnlyList<T4> |
 | null | Int16[] |
+| null | Int32[,] |
 | null | Int32[] |
 | null | Int64[] |
 | null | Object |
@@ -289,6 +297,7 @@
 | null | T4 |
 | null | T4[] |
 | null | T5 |
+| null | UInt16[][] |
 | null | UInt32[] |
 | null | UInt64[] |
 | null | dynamic |
diff --git a/csharp/ql/test/library-tests/csharp8/UnmanagedGenericStructs.ql b/csharp/ql/test/library-tests/csharp8/UnmanagedGenericStructs.ql
index 316e9458ae6..640454a71f9 100644
--- a/csharp/ql/test/library-tests/csharp8/UnmanagedGenericStructs.ql
+++ b/csharp/ql/test/library-tests/csharp8/UnmanagedGenericStructs.ql
@@ -1,5 +1,5 @@
 import csharp
 
 from TypeParameter tp
-where tp.getConstraints().hasUnmanagedTypeConstraint()
+where tp.getConstraints().hasUnmanagedTypeConstraint() and tp.fromSource()
 select tp, "This type parameter is unmanaged."
diff --git a/csharp/ql/test/library-tests/dataflow/global/GetAnOutNode.expected b/csharp/ql/test/library-tests/dataflow/global/GetAnOutNode.expected
index 7f8a89af2e2..db98e8b9d0b 100644
--- a/csharp/ql/test/library-tests/dataflow/global/GetAnOutNode.expected
+++ b/csharp/ql/test/library-tests/dataflow/global/GetAnOutNode.expected
@@ -227,6 +227,10 @@
 | file://:0:0:0:0 | [summary] call to continuationFunction in ContinueWith | normal | file://:0:0:0:0 | [summary] read: return (normal) of argument 0 in ContinueWith |
 | file://:0:0:0:0 | [summary] call to continuationFunction in ContinueWith | normal | file://:0:0:0:0 | [summary] read: return (normal) of argument 0 in ContinueWith |
 | file://:0:0:0:0 | [summary] call to continuationFunction in ContinueWith | normal | file://:0:0:0:0 | [summary] read: return (normal) of argument 0 in ContinueWith |
+| file://:0:0:0:0 | [summary] call to continuationFunction in ContinueWith | normal | file://:0:0:0:0 | [summary] read: return (normal) of argument 0 in ContinueWith |
+| file://:0:0:0:0 | [summary] call to continuationFunction in ContinueWith | normal | file://:0:0:0:0 | [summary] read: return (normal) of argument 0 in ContinueWith |
+| file://:0:0:0:0 | [summary] call to continuationFunction in ContinueWith | normal | file://:0:0:0:0 | [summary] read: return (normal) of argument 0 in ContinueWith |
+| file://:0:0:0:0 | [summary] call to continuationFunction in ContinueWith | normal | file://:0:0:0:0 | [summary] read: return (normal) of argument 0 in ContinueWith |
 | file://:0:0:0:0 | [summary] call to elementSelector in GroupBy | normal | file://:0:0:0:0 | [summary] read: return (normal) of argument 2 in GroupBy |
 | file://:0:0:0:0 | [summary] call to elementSelector in GroupBy | normal | file://:0:0:0:0 | [summary] read: return (normal) of argument 2 in GroupBy |
 | file://:0:0:0:0 | [summary] call to elementSelector in GroupBy | normal | file://:0:0:0:0 | [summary] read: return (normal) of argument 2 in GroupBy |
@@ -313,3 +317,5 @@
 | file://:0:0:0:0 | [summary] call to valueFactory in Lazy | normal | file://:0:0:0:0 | [summary] read: return (normal) of argument 0 in Lazy |
 | file://:0:0:0:0 | [summary] call to valueFactory in Lazy | normal | file://:0:0:0:0 | [summary] read: return (normal) of argument 0 in Lazy |
 | file://:0:0:0:0 | [summary] call to valueFactory in Lazy | normal | file://:0:0:0:0 | [summary] read: return (normal) of argument 0 in Lazy |
+| file://:0:0:0:0 | [summary] call to valueFactory in Lazy | normal | file://:0:0:0:0 | [summary] read: return (normal) of argument 0 in Lazy |
+| file://:0:0:0:0 | [summary] call to valueSelector in Task | normal | file://:0:0:0:0 | [summary] read: return (normal) of argument 0 in Task |
diff --git a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
index faaef439eb5..81782ee2d7c 100644
--- a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
+++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
@@ -255,6 +255,7 @@
 | System.Collections.Concurrent.ConcurrentStack<>.CopyTo(Array, int) | element of argument -1 -> element of return (out parameter 0) | true |
 | System.Collections.Concurrent.ConcurrentStack<>.CopyTo(T[], int) | element of argument -1 -> element of return (out parameter 0) | true |
 | System.Collections.Concurrent.ConcurrentStack<>.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
+| System.Collections.Concurrent.ConcurrentStack<>.GetEnumerator(Node) | element of argument -1 -> property Current of return (normal) | true |
 | System.Collections.Concurrent.IProducerConsumerCollection<>.CopyTo(T[], int) | element of argument -1 -> element of return (out parameter 0) | true |
 | System.Collections.Concurrent.OrderablePartitioner<>.EnumerableDropIndices.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
 | System.Collections.Concurrent.Partitioner.<CreateRanges>d__7.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
@@ -405,6 +406,7 @@
 | System.Collections.Generic.SortedList<,>.Add(object, object) | argument 1 -> property Value of element of argument -1 | true |
 | System.Collections.Generic.SortedList<,>.CopyTo(Array, int) | element of argument -1 -> element of return (out parameter 0) | true |
 | System.Collections.Generic.SortedList<,>.CopyTo(KeyValuePair<TKey,TValue>[], int) | element of argument -1 -> element of return (out parameter 0) | true |
+| System.Collections.Generic.SortedList<,>.GetByIndex(int) | property Value of element of argument -1 -> return (normal) | true |
 | System.Collections.Generic.SortedList<,>.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
 | System.Collections.Generic.SortedList<,>.KeyList.Add(TKey) | argument 0 -> element of argument -1 | true |
 | System.Collections.Generic.SortedList<,>.KeyList.CopyTo(Array, int) | element of argument -1 -> element of return (out parameter 0) | true |
@@ -467,6 +469,8 @@
 | System.Collections.Hashtable.SyncHashtable.Clone() | element of argument 0 -> element of return (normal) | true |
 | System.Collections.Hashtable.SyncHashtable.CopyTo(Array, int) | element of argument -1 -> element of return (out parameter 0) | true |
 | System.Collections.Hashtable.SyncHashtable.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
+| System.Collections.Hashtable.SyncHashtable.SyncHashtable(Hashtable) | property Key of element of argument 0 -> property Key of element of return (normal) | true |
+| System.Collections.Hashtable.SyncHashtable.SyncHashtable(Hashtable) | property Value of element of argument 0 -> property Value of element of return (normal) | true |
 | System.Collections.Hashtable.SyncHashtable.get_Item(object) | property Value of element of argument -1 -> return (normal) | true |
 | System.Collections.Hashtable.SyncHashtable.get_Keys() | property Key of element of argument -1 -> element of return (normal) | true |
 | System.Collections.Hashtable.SyncHashtable.get_Values() | property Value of element of argument -1 -> element of return (normal) | true |
@@ -585,6 +589,8 @@
 | System.Collections.SortedList.SyncSortedList.CopyTo(Array, int) | element of argument -1 -> element of return (out parameter 0) | true |
 | System.Collections.SortedList.SyncSortedList.GetByIndex(int) | property Value of element of argument -1 -> return (normal) | true |
 | System.Collections.SortedList.SyncSortedList.GetValueList() | property Value of element of argument -1 -> element of return (normal) | true |
+| System.Collections.SortedList.SyncSortedList.SyncSortedList(SortedList) | property Key of element of argument 0 -> property Key of element of return (normal) | true |
+| System.Collections.SortedList.SyncSortedList.SyncSortedList(SortedList) | property Value of element of argument 0 -> property Value of element of return (normal) | true |
 | System.Collections.SortedList.SyncSortedList.get_Item(object) | property Value of element of argument -1 -> return (normal) | true |
 | System.Collections.SortedList.SyncSortedList.set_Item(object, object) | argument 0 -> property Key of element of argument -1 | true |
 | System.Collections.SortedList.SyncSortedList.set_Item(object, object) | argument 1 -> property Value of element of argument -1 | true |
@@ -633,6 +639,8 @@
 | System.Collections.Specialized.OrderedDictionary.AsReadOnly() | element of argument 0 -> element of return (normal) | true |
 | System.Collections.Specialized.OrderedDictionary.CopyTo(Array, int) | element of argument -1 -> element of return (out parameter 0) | true |
 | System.Collections.Specialized.OrderedDictionary.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
+| System.Collections.Specialized.OrderedDictionary.OrderedDictionary(OrderedDictionary) | property Key of element of argument 0 -> property Key of element of return (normal) | true |
+| System.Collections.Specialized.OrderedDictionary.OrderedDictionary(OrderedDictionary) | property Value of element of argument 0 -> property Value of element of return (normal) | true |
 | System.Collections.Specialized.OrderedDictionary.OrderedDictionaryKeyValueCollection.CopyTo(Array, int) | element of argument -1 -> element of return (out parameter 0) | true |
 | System.Collections.Specialized.OrderedDictionary.OrderedDictionaryKeyValueCollection.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
 | System.Collections.Specialized.OrderedDictionary.get_Item(int) | property Value of element of argument -1 -> return (normal) | true |
@@ -725,6 +733,10 @@
 | System.ComponentModel.PropertyDescriptorCollection.PropertyDescriptorCollection(PropertyDescriptor[]) | property Value of element of argument 0 -> property Value of element of return (normal) | true |
 | System.ComponentModel.PropertyDescriptorCollection.PropertyDescriptorCollection(PropertyDescriptor[], bool) | property Key of element of argument 0 -> property Key of element of return (normal) | true |
 | System.ComponentModel.PropertyDescriptorCollection.PropertyDescriptorCollection(PropertyDescriptor[], bool) | property Value of element of argument 0 -> property Value of element of return (normal) | true |
+| System.ComponentModel.PropertyDescriptorCollection.PropertyDescriptorCollection(PropertyDescriptor[], int, String[], IComparer) | property Key of element of argument 0 -> property Key of element of return (normal) | true |
+| System.ComponentModel.PropertyDescriptorCollection.PropertyDescriptorCollection(PropertyDescriptor[], int, String[], IComparer) | property Key of element of argument 2 -> property Key of element of return (normal) | true |
+| System.ComponentModel.PropertyDescriptorCollection.PropertyDescriptorCollection(PropertyDescriptor[], int, String[], IComparer) | property Value of element of argument 0 -> property Value of element of return (normal) | true |
+| System.ComponentModel.PropertyDescriptorCollection.PropertyDescriptorCollection(PropertyDescriptor[], int, String[], IComparer) | property Value of element of argument 2 -> property Value of element of return (normal) | true |
 | System.ComponentModel.PropertyDescriptorCollection.get_Item(int) | element of argument -1 -> return (normal) | true |
 | System.ComponentModel.PropertyDescriptorCollection.get_Item(int) | property Value of element of argument -1 -> return (normal) | true |
 | System.ComponentModel.PropertyDescriptorCollection.get_Item(object) | element of argument -1 -> return (normal) | true |
@@ -747,12 +759,28 @@
 | System.Convert.ChangeType(object, Type, IFormatProvider) | argument 0 -> return (normal) | false |
 | System.Convert.ChangeType(object, TypeCode) | argument 0 -> return (normal) | false |
 | System.Convert.ChangeType(object, TypeCode, IFormatProvider) | argument 0 -> return (normal) | false |
+| System.Convert.ConvertToBase64Array(char*, byte*, int, int, bool) | argument 0 -> return (normal) | false |
+| System.Convert.CopyToTempBufferWithoutWhiteSpace(ReadOnlySpan<Char>, Span<Char>, out int, out int) | argument 0 -> return (normal) | false |
+| System.Convert.Decode(ref char, ref sbyte) | argument 0 -> return (normal) | false |
+| System.Convert.DefaultToType(IConvertible, Type, IFormatProvider) | argument 0 -> return (normal) | false |
 | System.Convert.FromBase64CharArray(Char[], int, int) | argument 0 -> return (normal) | false |
+| System.Convert.FromBase64CharPtr(char*, int) | argument 0 -> return (normal) | false |
 | System.Convert.FromBase64String(string) | argument 0 -> return (normal) | false |
+| System.Convert.FromBase64_ComputeResultLength(char*, int) | argument 0 -> return (normal) | false |
 | System.Convert.FromHexString(ReadOnlySpan<Char>) | argument 0 -> return (normal) | false |
 | System.Convert.FromHexString(string) | argument 0 -> return (normal) | false |
 | System.Convert.GetTypeCode(object) | argument 0 -> return (normal) | false |
 | System.Convert.IsDBNull(object) | argument 0 -> return (normal) | false |
+| System.Convert.IsSpace(char) | argument 0 -> return (normal) | false |
+| System.Convert.ThrowByteOverflowException() | argument 0 -> return (normal) | false |
+| System.Convert.ThrowCharOverflowException() | argument 0 -> return (normal) | false |
+| System.Convert.ThrowInt16OverflowException() | argument 0 -> return (normal) | false |
+| System.Convert.ThrowInt32OverflowException() | argument 0 -> return (normal) | false |
+| System.Convert.ThrowInt64OverflowException() | argument 0 -> return (normal) | false |
+| System.Convert.ThrowSByteOverflowException() | argument 0 -> return (normal) | false |
+| System.Convert.ThrowUInt16OverflowException() | argument 0 -> return (normal) | false |
+| System.Convert.ThrowUInt32OverflowException() | argument 0 -> return (normal) | false |
+| System.Convert.ThrowUInt64OverflowException() | argument 0 -> return (normal) | false |
 | System.Convert.ToBase64CharArray(Byte[], int, int, Char[], int) | argument 0 -> return (normal) | false |
 | System.Convert.ToBase64CharArray(Byte[], int, int, Char[], int, Base64FormattingOptions) | argument 0 -> return (normal) | false |
 | System.Convert.ToBase64String(Byte[]) | argument 0 -> return (normal) | false |
@@ -760,6 +788,7 @@
 | System.Convert.ToBase64String(Byte[], int, int) | argument 0 -> return (normal) | false |
 | System.Convert.ToBase64String(Byte[], int, int, Base64FormattingOptions) | argument 0 -> return (normal) | false |
 | System.Convert.ToBase64String(ReadOnlySpan<Byte>, Base64FormattingOptions) | argument 0 -> return (normal) | false |
+| System.Convert.ToBase64_CalculateAndValidateOutputLength(int, bool) | argument 0 -> return (normal) | false |
 | System.Convert.ToBoolean(DateTime) | argument 0 -> return (normal) | false |
 | System.Convert.ToBoolean(bool) | argument 0 -> return (normal) | false |
 | System.Convert.ToBoolean(byte) | argument 0 -> return (normal) | false |
@@ -1059,9 +1088,11 @@
 | System.Convert.ToUInt64(uint) | argument 0 -> return (normal) | false |
 | System.Convert.ToUInt64(ulong) | argument 0 -> return (normal) | false |
 | System.Convert.ToUInt64(ushort) | argument 0 -> return (normal) | false |
+| System.Convert.TryDecodeFromUtf16(ReadOnlySpan<Char>, Span<Byte>, out int, out int) | argument 0 -> return (normal) | false |
 | System.Convert.TryFromBase64Chars(ReadOnlySpan<Char>, Span<Byte>, out int) | argument 0 -> return (normal) | false |
 | System.Convert.TryFromBase64String(string, Span<Byte>, out int) | argument 0 -> return (normal) | false |
 | System.Convert.TryToBase64Chars(ReadOnlySpan<Byte>, Span<Char>, out int, Base64FormattingOptions) | argument 0 -> return (normal) | false |
+| System.Convert.WriteThreeLowOrderBytes(ref byte, int) | argument 0 -> return (normal) | false |
 | System.Diagnostics.Tracing.CounterPayload.<get_ForEnumeration>d__51.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
 | System.Diagnostics.Tracing.CounterPayload.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
 | System.Diagnostics.Tracing.EventPayload.Add(KeyValuePair<String, Object>) | argument 0 -> element of argument -1 | true |
@@ -1070,6 +1101,10 @@
 | System.Diagnostics.Tracing.EventPayload.Add(string, object) | argument 0 -> property Key of element of argument -1 | true |
 | System.Diagnostics.Tracing.EventPayload.Add(string, object) | argument 1 -> property Value of element of argument -1 | true |
 | System.Diagnostics.Tracing.EventPayload.CopyTo(KeyValuePair<String,Object>[], int) | element of argument -1 -> element of return (out parameter 0) | true |
+| System.Diagnostics.Tracing.EventPayload.EventPayload(List<String>, List<Object>) | property Key of element of argument 0 -> property Key of element of return (normal) | true |
+| System.Diagnostics.Tracing.EventPayload.EventPayload(List<String>, List<Object>) | property Key of element of argument 1 -> property Key of element of return (normal) | true |
+| System.Diagnostics.Tracing.EventPayload.EventPayload(List<String>, List<Object>) | property Value of element of argument 0 -> property Value of element of return (normal) | true |
+| System.Diagnostics.Tracing.EventPayload.EventPayload(List<String>, List<Object>) | property Value of element of argument 1 -> property Value of element of return (normal) | true |
 | System.Diagnostics.Tracing.EventPayload.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
 | System.Diagnostics.Tracing.EventPayload.get_Item(string) | property Value of element of argument -1 -> return (normal) | true |
 | System.Diagnostics.Tracing.EventPayload.get_Keys() | property Key of element of argument -1 -> element of return (normal) | true |
@@ -1126,8 +1161,11 @@
 | System.IO.Compression.DeflateStream.CopyToStream.WriteAsync(Byte[], int, int, CancellationToken) | argument 0 -> argument -1 | false |
 | System.IO.Compression.DeflateStream.DeflateStream(Stream, CompressionLevel) | argument 0 -> return (normal) | false |
 | System.IO.Compression.DeflateStream.DeflateStream(Stream, CompressionLevel, bool) | argument 0 -> return (normal) | false |
+| System.IO.Compression.DeflateStream.DeflateStream(Stream, CompressionLevel, bool, int) | argument 0 -> return (normal) | false |
 | System.IO.Compression.DeflateStream.DeflateStream(Stream, CompressionMode) | argument 0 -> return (normal) | false |
 | System.IO.Compression.DeflateStream.DeflateStream(Stream, CompressionMode, bool) | argument 0 -> return (normal) | false |
+| System.IO.Compression.DeflateStream.DeflateStream(Stream, CompressionMode, bool, int, long) | argument 0 -> return (normal) | false |
+| System.IO.Compression.DeflateStream.DeflateStream(Stream, CompressionMode, long) | argument 0 -> return (normal) | false |
 | System.IO.Compression.DeflateStream.Read(Byte[], int, int) | argument -1 -> return (out parameter 0) | false |
 | System.IO.Compression.DeflateStream.ReadAsync(Byte[], int, int, CancellationToken) | argument -1 -> return (out parameter 0) | false |
 | System.IO.Compression.DeflateStream.Write(Byte[], int, int) | argument 0 -> argument -1 | false |
@@ -1181,6 +1219,7 @@
 | System.IO.Path.Combine(string, string, string, string) | argument 3 -> return (normal) | false |
 | System.IO.Path.GetDirectoryName(ReadOnlySpan<Char>) | argument 0 -> return (normal) | false |
 | System.IO.Path.GetDirectoryName(string) | argument 0 -> return (normal) | false |
+| System.IO.Path.GetDirectoryNameOffset(ReadOnlySpan<Char>) | argument 0 -> return (normal) | false |
 | System.IO.Path.GetExtension(ReadOnlySpan<Char>) | argument 0 -> return (normal) | false |
 | System.IO.Path.GetExtension(string) | argument 0 -> return (normal) | false |
 | System.IO.Path.GetFileName(ReadOnlySpan<Char>) | argument 0 -> return (normal) | false |
@@ -1192,20 +1231,28 @@
 | System.IO.Path.GetPathRoot(ReadOnlySpan<Char>) | argument 0 -> return (normal) | false |
 | System.IO.Path.GetPathRoot(string) | argument 0 -> return (normal) | false |
 | System.IO.Path.GetRelativePath(string, string) | argument 1 -> return (normal) | false |
+| System.IO.Path.GetRelativePath(string, string, StringComparison) | argument 1 -> return (normal) | false |
 | System.IO.Pipes.PipeStream.BeginRead(Byte[], int, int, AsyncCallback, object) | argument -1 -> return (out parameter 0) | false |
 | System.IO.Pipes.PipeStream.BeginWrite(Byte[], int, int, AsyncCallback, object) | argument 0 -> argument -1 | false |
 | System.IO.Pipes.PipeStream.Read(Byte[], int, int) | argument -1 -> return (out parameter 0) | false |
 | System.IO.Pipes.PipeStream.ReadAsync(Byte[], int, int, CancellationToken) | argument -1 -> return (out parameter 0) | false |
 | System.IO.Pipes.PipeStream.Write(Byte[], int, int) | argument 0 -> argument -1 | false |
 | System.IO.Pipes.PipeStream.WriteAsync(Byte[], int, int, CancellationToken) | argument 0 -> argument -1 | false |
+| System.IO.Stream.BeginEndReadAsync(Byte[], int, int) | argument -1 -> return (out parameter 0) | false |
+| System.IO.Stream.BeginEndWriteAsync(Byte[], int, int) | argument 0 -> argument -1 | false |
 | System.IO.Stream.BeginRead(Byte[], int, int, AsyncCallback, object) | argument -1 -> return (out parameter 0) | false |
+| System.IO.Stream.BeginReadInternal(Byte[], int, int, AsyncCallback, object, bool, bool) | argument -1 -> return (out parameter 0) | false |
 | System.IO.Stream.BeginWrite(Byte[], int, int, AsyncCallback, object) | argument 0 -> argument -1 | false |
+| System.IO.Stream.BeginWriteInternal(Byte[], int, int, AsyncCallback, object, bool, bool) | argument 0 -> argument -1 | false |
+| System.IO.Stream.BlockingBeginRead(Byte[], int, int, AsyncCallback, object) | argument -1 -> return (out parameter 0) | false |
+| System.IO.Stream.BlockingBeginWrite(Byte[], int, int, AsyncCallback, object) | argument 0 -> argument -1 | false |
 | System.IO.Stream.CopyTo(Stream) | argument -1 -> return (out parameter 0) | false |
 | System.IO.Stream.CopyTo(Stream, int) | argument -1 -> return (out parameter 0) | false |
 | System.IO.Stream.CopyToAsync(Stream) | argument -1 -> return (out parameter 0) | false |
 | System.IO.Stream.CopyToAsync(Stream, CancellationToken) | argument -1 -> return (out parameter 0) | false |
 | System.IO.Stream.CopyToAsync(Stream, int) | argument -1 -> return (out parameter 0) | false |
 | System.IO.Stream.CopyToAsync(Stream, int, CancellationToken) | argument -1 -> return (out parameter 0) | false |
+| System.IO.Stream.CopyToAsyncInternal(Stream, int, CancellationToken) | argument -1 -> return (out parameter 0) | false |
 | System.IO.Stream.NullStream.BeginRead(Byte[], int, int, AsyncCallback, object) | argument -1 -> return (out parameter 0) | false |
 | System.IO.Stream.NullStream.BeginWrite(Byte[], int, int, AsyncCallback, object) | argument 0 -> argument -1 | false |
 | System.IO.Stream.NullStream.CopyTo(Stream, int) | argument -1 -> return (out parameter 0) | false |
@@ -1247,6 +1294,7 @@
 | System.IO.TextReader.ReadBlock(Span<Char>) | argument -1 -> return (normal) | false |
 | System.IO.TextReader.ReadBlockAsync(Char[], int, int) | argument -1 -> return (normal) | false |
 | System.IO.TextReader.ReadBlockAsync(Memory<Char>, CancellationToken) | argument -1 -> return (normal) | false |
+| System.IO.TextReader.ReadBlockAsyncInternal(Memory<Char>, CancellationToken) | argument -1 -> return (normal) | false |
 | System.IO.TextReader.ReadLine() | argument -1 -> return (normal) | false |
 | System.IO.TextReader.ReadLineAsync() | argument -1 -> return (normal) | false |
 | System.IO.TextReader.ReadToEnd() | argument -1 -> return (normal) | false |
@@ -1271,6 +1319,7 @@
 | System.Int32.TryParse(string, out int) | argument 0 -> return (out parameter 1) | false |
 | System.Lazy<>.Lazy(Func<T>) | return (normal) of argument 0 -> property Value of return (normal) | true |
 | System.Lazy<>.Lazy(Func<T>, LazyThreadSafetyMode) | return (normal) of argument 0 -> property Value of return (normal) | true |
+| System.Lazy<>.Lazy(Func<T>, LazyThreadSafetyMode, bool) | return (normal) of argument 0 -> property Value of return (normal) | true |
 | System.Lazy<>.Lazy(Func<T>, bool) | return (normal) of argument 0 -> property Value of return (normal) | true |
 | System.Lazy<>.get_Value() | argument -1 -> return (normal) | false |
 | System.Linq.EmptyPartition<>.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
@@ -1529,13 +1578,16 @@
 | System.Linq.Lookup<,>.<ApplyResultSelector>d__19<>.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
 | System.Linq.Lookup<,>.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
 | System.Linq.OrderedEnumerable<>.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
+| System.Linq.OrderedEnumerable<>.GetEnumerator(int, int) | element of argument -1 -> property Current of return (normal) | true |
 | System.Linq.OrderedPartition<>.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
 | System.Linq.Parallel.CancellableEnumerable.<Wrap>d__0<>.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
 | System.Linq.Parallel.EnumerableWrapperWeakToStrong.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
 | System.Linq.Parallel.ExceptionAggregator.<WrapEnumerable>d__0<>.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
 | System.Linq.Parallel.ExceptionAggregator.<WrapQueryEnumerator>d__1<,>.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
 | System.Linq.Parallel.GroupByGrouping<,>.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
+| System.Linq.Parallel.ListChunk<>.Add(TInputOutput) | argument 0 -> element of argument -1 | true |
 | System.Linq.Parallel.ListChunk<>.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
+| System.Linq.Parallel.Lookup<,>.Add(IGrouping<TKey, TElement>) | argument 0 -> element of argument -1 | true |
 | System.Linq.Parallel.Lookup<,>.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
 | System.Linq.Parallel.MergeExecutor<>.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
 | System.Linq.Parallel.OrderedGroupByGrouping<,,>.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
@@ -1556,8 +1608,12 @@
 | System.Linq.ParallelEnumerable.Aggregate<TSource, TAccumulate>(ParallelQuery<TSource>, TAccumulate, Func<TAccumulate, TSource, TAccumulate>) | argument 1 -> parameter 0 of argument 2 | true |
 | System.Linq.ParallelEnumerable.Aggregate<TSource, TAccumulate>(ParallelQuery<TSource>, TAccumulate, Func<TAccumulate, TSource, TAccumulate>) | element of argument 0 -> parameter 1 of argument 2 | true |
 | System.Linq.ParallelEnumerable.Aggregate<TSource, TAccumulate>(ParallelQuery<TSource>, TAccumulate, Func<TAccumulate, TSource, TAccumulate>) | return (normal) of argument 2 -> return (normal) | true |
+| System.Linq.ParallelEnumerable.Aggregate<TSource, TAccumulate>(ParallelQuery<TSource>, TAccumulate, Func<TAccumulate, TSource, TAccumulate>, QueryAggregationOptions) | argument 1 -> parameter 0 of argument 2 | true |
+| System.Linq.ParallelEnumerable.Aggregate<TSource, TAccumulate>(ParallelQuery<TSource>, TAccumulate, Func<TAccumulate, TSource, TAccumulate>, QueryAggregationOptions) | element of argument 0 -> parameter 1 of argument 2 | true |
+| System.Linq.ParallelEnumerable.Aggregate<TSource, TAccumulate>(ParallelQuery<TSource>, TAccumulate, Func<TAccumulate, TSource, TAccumulate>, QueryAggregationOptions) | return (normal) of argument 3 -> return (normal) | true |
 | System.Linq.ParallelEnumerable.Aggregate<TSource>(ParallelQuery<TSource>, Func<TSource, TSource, TSource>) | element of argument 0 -> parameter 1 of argument 1 | true |
 | System.Linq.ParallelEnumerable.Aggregate<TSource>(ParallelQuery<TSource>, Func<TSource, TSource, TSource>) | return (normal) of argument 1 -> return (normal) | true |
+| System.Linq.ParallelEnumerable.Aggregate<TSource>(ParallelQuery<TSource>, Func<TSource, TSource, TSource>, QueryAggregationOptions) | return (normal) of argument 2 -> return (normal) | true |
 | System.Linq.ParallelEnumerable.All<TSource>(ParallelQuery<TSource>, Func<TSource, Boolean>) | element of argument 0 -> parameter 0 of argument 1 | true |
 | System.Linq.ParallelEnumerable.Any<TSource>(ParallelQuery<TSource>, Func<TSource, Boolean>) | element of argument 0 -> parameter 0 of argument 1 | true |
 | System.Linq.ParallelEnumerable.AsEnumerable<TSource>(ParallelQuery<TSource>) | element of argument 0 -> element of return (normal) | true |
@@ -2000,6 +2056,7 @@
 | System.Net.Security.SslStream.ReadAsync(Byte[], int, int, CancellationToken) | argument -1 -> return (out parameter 0) | false |
 | System.Net.Security.SslStream.Write(Byte[], int, int) | argument 0 -> argument -1 | false |
 | System.Net.Security.SslStream.WriteAsync(Byte[], int, int, CancellationToken) | argument 0 -> argument -1 | false |
+| System.Net.WebUtility.HtmlEncode(ReadOnlySpan<Char>, ref ValueStringBuilder) | argument 0 -> return (normal) | false |
 | System.Net.WebUtility.HtmlEncode(string) | argument 0 -> return (normal) | false |
 | System.Net.WebUtility.HtmlEncode(string, TextWriter) | argument 0 -> return (normal) | false |
 | System.Net.WebUtility.UrlEncode(string) | argument 0 -> return (normal) | false |
@@ -2305,6 +2362,7 @@
 | System.Threading.Tasks.Task.ContinueWith(Action<Task, Object>, object, CancellationToken, TaskContinuationOptions, TaskScheduler) | argument 1 -> parameter 1 of argument 0 | true |
 | System.Threading.Tasks.Task.ContinueWith(Action<Task, Object>, object, TaskContinuationOptions) | argument 1 -> parameter 1 of argument 0 | true |
 | System.Threading.Tasks.Task.ContinueWith(Action<Task, Object>, object, TaskScheduler) | argument 1 -> parameter 1 of argument 0 | true |
+| System.Threading.Tasks.Task.ContinueWith(Action<Task, Object>, object, TaskScheduler, CancellationToken, TaskContinuationOptions) | argument 1 -> parameter 1 of argument 0 | true |
 | System.Threading.Tasks.Task.ContinueWith<TResult>(Func<Task, Object, TResult>, object) | argument 1 -> parameter 1 of argument 0 | true |
 | System.Threading.Tasks.Task.ContinueWith<TResult>(Func<Task, Object, TResult>, object) | return (normal) of argument 0 -> property Result of return (normal) | true |
 | System.Threading.Tasks.Task.ContinueWith<TResult>(Func<Task, Object, TResult>, object, CancellationToken) | argument 1 -> parameter 1 of argument 0 | true |
@@ -2315,11 +2373,14 @@
 | System.Threading.Tasks.Task.ContinueWith<TResult>(Func<Task, Object, TResult>, object, TaskContinuationOptions) | return (normal) of argument 0 -> property Result of return (normal) | true |
 | System.Threading.Tasks.Task.ContinueWith<TResult>(Func<Task, Object, TResult>, object, TaskScheduler) | argument 1 -> parameter 1 of argument 0 | true |
 | System.Threading.Tasks.Task.ContinueWith<TResult>(Func<Task, Object, TResult>, object, TaskScheduler) | return (normal) of argument 0 -> property Result of return (normal) | true |
+| System.Threading.Tasks.Task.ContinueWith<TResult>(Func<Task, Object, TResult>, object, TaskScheduler, CancellationToken, TaskContinuationOptions) | argument 1 -> parameter 1 of argument 0 | true |
+| System.Threading.Tasks.Task.ContinueWith<TResult>(Func<Task, Object, TResult>, object, TaskScheduler, CancellationToken, TaskContinuationOptions) | return (normal) of argument 0 -> property Result of return (normal) | true |
 | System.Threading.Tasks.Task.ContinueWith<TResult>(Func<Task, TResult>) | return (normal) of argument 0 -> property Result of return (normal) | true |
 | System.Threading.Tasks.Task.ContinueWith<TResult>(Func<Task, TResult>, CancellationToken) | return (normal) of argument 0 -> property Result of return (normal) | true |
 | System.Threading.Tasks.Task.ContinueWith<TResult>(Func<Task, TResult>, CancellationToken, TaskContinuationOptions, TaskScheduler) | return (normal) of argument 0 -> property Result of return (normal) | true |
 | System.Threading.Tasks.Task.ContinueWith<TResult>(Func<Task, TResult>, TaskContinuationOptions) | return (normal) of argument 0 -> property Result of return (normal) | true |
 | System.Threading.Tasks.Task.ContinueWith<TResult>(Func<Task, TResult>, TaskScheduler) | return (normal) of argument 0 -> property Result of return (normal) | true |
+| System.Threading.Tasks.Task.ContinueWith<TResult>(Func<Task, TResult>, TaskScheduler, CancellationToken, TaskContinuationOptions) | return (normal) of argument 0 -> property Result of return (normal) | true |
 | System.Threading.Tasks.Task.FromResult<TResult>(TResult) | argument 0 -> property Result of return (normal) | true |
 | System.Threading.Tasks.Task.Run<TResult>(Func<TResult>) | return (normal) of argument 0 -> property Result of return (normal) | true |
 | System.Threading.Tasks.Task.Run<TResult>(Func<TResult>, CancellationToken) | return (normal) of argument 0 -> property Result of return (normal) | true |
@@ -2346,11 +2407,14 @@
 | System.Threading.Tasks.Task<>.ContinueWith(Action<Task<>, Object>, object, TaskContinuationOptions) | argument -1 -> parameter 0 of argument 0 | true |
 | System.Threading.Tasks.Task<>.ContinueWith(Action<Task<>, Object>, object, TaskScheduler) | argument 1 -> parameter 1 of argument 0 | true |
 | System.Threading.Tasks.Task<>.ContinueWith(Action<Task<>, Object>, object, TaskScheduler) | argument -1 -> parameter 0 of argument 0 | true |
+| System.Threading.Tasks.Task<>.ContinueWith(Action<Task<>, Object>, object, TaskScheduler, CancellationToken, TaskContinuationOptions) | argument 1 -> parameter 1 of argument 0 | true |
+| System.Threading.Tasks.Task<>.ContinueWith(Action<Task<>, Object>, object, TaskScheduler, CancellationToken, TaskContinuationOptions) | argument -1 -> parameter 0 of argument 0 | true |
 | System.Threading.Tasks.Task<>.ContinueWith(Action<Task<>>) | argument -1 -> parameter 0 of argument 0 | true |
 | System.Threading.Tasks.Task<>.ContinueWith(Action<Task<>>, CancellationToken) | argument -1 -> parameter 0 of argument 0 | true |
 | System.Threading.Tasks.Task<>.ContinueWith(Action<Task<>>, CancellationToken, TaskContinuationOptions, TaskScheduler) | argument -1 -> parameter 0 of argument 0 | true |
 | System.Threading.Tasks.Task<>.ContinueWith(Action<Task<>>, TaskContinuationOptions) | argument -1 -> parameter 0 of argument 0 | true |
 | System.Threading.Tasks.Task<>.ContinueWith(Action<Task<>>, TaskScheduler) | argument -1 -> parameter 0 of argument 0 | true |
+| System.Threading.Tasks.Task<>.ContinueWith(Action<Task<>>, TaskScheduler, CancellationToken, TaskContinuationOptions) | argument -1 -> parameter 0 of argument 0 | true |
 | System.Threading.Tasks.Task<>.ContinueWith<TNewResult>(Func<Task<>, Object, TNewResult>, object) | argument 1 -> parameter 1 of argument 0 | true |
 | System.Threading.Tasks.Task<>.ContinueWith<TNewResult>(Func<Task<>, Object, TNewResult>, object) | argument -1 -> parameter 0 of argument 0 | true |
 | System.Threading.Tasks.Task<>.ContinueWith<TNewResult>(Func<Task<>, Object, TNewResult>, object) | return (normal) of argument 0 -> property Result of return (normal) | true |
@@ -2366,6 +2430,9 @@
 | System.Threading.Tasks.Task<>.ContinueWith<TNewResult>(Func<Task<>, Object, TNewResult>, object, TaskScheduler) | argument 1 -> parameter 1 of argument 0 | true |
 | System.Threading.Tasks.Task<>.ContinueWith<TNewResult>(Func<Task<>, Object, TNewResult>, object, TaskScheduler) | argument -1 -> parameter 0 of argument 0 | true |
 | System.Threading.Tasks.Task<>.ContinueWith<TNewResult>(Func<Task<>, Object, TNewResult>, object, TaskScheduler) | return (normal) of argument 0 -> property Result of return (normal) | true |
+| System.Threading.Tasks.Task<>.ContinueWith<TNewResult>(Func<Task<>, Object, TNewResult>, object, TaskScheduler, CancellationToken, TaskContinuationOptions) | argument 1 -> parameter 1 of argument 0 | true |
+| System.Threading.Tasks.Task<>.ContinueWith<TNewResult>(Func<Task<>, Object, TNewResult>, object, TaskScheduler, CancellationToken, TaskContinuationOptions) | argument -1 -> parameter 0 of argument 0 | true |
+| System.Threading.Tasks.Task<>.ContinueWith<TNewResult>(Func<Task<>, Object, TNewResult>, object, TaskScheduler, CancellationToken, TaskContinuationOptions) | return (normal) of argument 0 -> property Result of return (normal) | true |
 | System.Threading.Tasks.Task<>.ContinueWith<TNewResult>(Func<Task<>, TNewResult>) | argument -1 -> parameter 0 of argument 0 | true |
 | System.Threading.Tasks.Task<>.ContinueWith<TNewResult>(Func<Task<>, TNewResult>) | return (normal) of argument 0 -> property Result of return (normal) | true |
 | System.Threading.Tasks.Task<>.ContinueWith<TNewResult>(Func<Task<>, TNewResult>, CancellationToken) | argument -1 -> parameter 0 of argument 0 | true |
@@ -2376,6 +2443,8 @@
 | System.Threading.Tasks.Task<>.ContinueWith<TNewResult>(Func<Task<>, TNewResult>, TaskContinuationOptions) | return (normal) of argument 0 -> property Result of return (normal) | true |
 | System.Threading.Tasks.Task<>.ContinueWith<TNewResult>(Func<Task<>, TNewResult>, TaskScheduler) | argument -1 -> parameter 0 of argument 0 | true |
 | System.Threading.Tasks.Task<>.ContinueWith<TNewResult>(Func<Task<>, TNewResult>, TaskScheduler) | return (normal) of argument 0 -> property Result of return (normal) | true |
+| System.Threading.Tasks.Task<>.ContinueWith<TNewResult>(Func<Task<>, TNewResult>, TaskScheduler, CancellationToken, TaskContinuationOptions) | argument -1 -> parameter 0 of argument 0 | true |
+| System.Threading.Tasks.Task<>.ContinueWith<TNewResult>(Func<Task<>, TNewResult>, TaskScheduler, CancellationToken, TaskContinuationOptions) | return (normal) of argument 0 -> property Result of return (normal) | true |
 | System.Threading.Tasks.Task<>.GetAwaiter() | argument -1 -> field m_task of return (normal) | true |
 | System.Threading.Tasks.Task<>.Task(Func<Object, TResult>, object) | argument 1 -> parameter 0 of argument 0 | true |
 | System.Threading.Tasks.Task<>.Task(Func<Object, TResult>, object) | return (normal) of argument 0 -> property Result of return (normal) | true |
@@ -2388,6 +2457,7 @@
 | System.Threading.Tasks.Task<>.Task(Func<TResult>) | return (normal) of argument 0 -> property Result of return (normal) | true |
 | System.Threading.Tasks.Task<>.Task(Func<TResult>, CancellationToken) | return (normal) of argument 0 -> property Result of return (normal) | true |
 | System.Threading.Tasks.Task<>.Task(Func<TResult>, CancellationToken, TaskCreationOptions) | return (normal) of argument 0 -> property Result of return (normal) | true |
+| System.Threading.Tasks.Task<>.Task(Func<TResult>, Task, CancellationToken, TaskCreationOptions, InternalTaskOptions, TaskScheduler) | return (normal) of argument 0 -> property Result of return (normal) | true |
 | System.Threading.Tasks.Task<>.Task(Func<TResult>, TaskCreationOptions) | return (normal) of argument 0 -> property Result of return (normal) | true |
 | System.Threading.Tasks.Task<>.get_Result() | argument -1 -> return (normal) | false |
 | System.Threading.Tasks.TaskFactory.ContinueWhenAll<TAntecedentResult, TResult>(Task<TAntecedentResult>[], Func<Task, TResult>) | argument 0 -> parameter 0 of argument 1 | true |
diff --git a/csharp/ql/test/library-tests/methods/Methods1.ql b/csharp/ql/test/library-tests/methods/Methods1.ql
index fb8c2d4cdf9..09560396bd2 100644
--- a/csharp/ql/test/library-tests/methods/Methods1.ql
+++ b/csharp/ql/test/library-tests/methods/Methods1.ql
@@ -7,5 +7,6 @@ import csharp
 from Method s
 where
   s.hasName("Swap") and
-  s.isStatic()
+  s.isStatic() and
+  s.fromSource()
 select s
diff --git a/csharp/ql/test/query-tests/Stubs/MinimalStubsFromSource.expected b/csharp/ql/test/query-tests/Stubs/MinimalStubsFromSource.expected
index d4a68c97906..8159a38c348 100644
--- a/csharp/ql/test/query-tests/Stubs/MinimalStubsFromSource.expected
+++ b/csharp/ql/test/query-tests/Stubs/MinimalStubsFromSource.expected
@@ -1 +1 @@
-| // This file contains auto-generated code.\n// original-extractor-options: /r:System.Text.RegularExpressions.dll /r:System.Collections.Specialized.dll /r:System.Net.dll /r:System.Web.dll /r:System.Net.HttpListener.dll /r:System.Collections.Specialized.dll /r:System.Private.Uri.dll /r:System.Runtime.Extensions.dll /r:System.Linq.Parallel.dll /r:System.Collections.Concurrent.dll /r:System.Linq.Expressions.dll /r:System.Collections.dll /r:System.Linq.Queryable.dll /r:System.Linq.dll /r:System.Collections.NonGeneric.dll /r:System.ObjectModel.dll /r:System.ComponentModel.TypeConverter.dll /r:System.IO.Compression.dll /r:System.IO.Pipes.dll /r:System.Net.Primitives.dll /r:System.Net.Security.dll /r:System.Security.Cryptography.Primitives.dll /r:System.Text.RegularExpressions.dll ${testdir}/../../resources/stubs/System.Web.cs /r:System.Runtime.Serialization.Primitives.dll\n\nnamespace System\n{\n// Generated from `System.Uri` in `System.Private.Uri, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Uri : System.Runtime.Serialization.ISerializable\n{\n    public override bool Equals(object comparand) => throw null;\n    public override int GetHashCode() => throw null;\n    public override string ToString() => throw null;\n    void System.Runtime.Serialization.ISerializable.GetObjectData(System.Runtime.Serialization.SerializationInfo serializationInfo, System.Runtime.Serialization.StreamingContext streamingContext) => throw null;\n}\n\nnamespace Collections\n{\n// Generated from `System.Collections.Queue` in `System.Collections.NonGeneric, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Queue : System.ICloneable, System.Collections.IEnumerable, System.Collections.ICollection\n{\n    public virtual System.Collections.IEnumerator GetEnumerator() => throw null;\n    public virtual bool IsSynchronized { get => throw null; }\n    public virtual int Count { get => throw null; }\n    public virtual object Clone() => throw null;\n    public virtual object SyncRoot { get => throw null; }\n    public virtual void CopyTo(System.Array array, int index) => throw null;\n}\n\n// Generated from `System.Collections.SortedList` in `System.Collections.NonGeneric, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class SortedList : System.ICloneable, System.Collections.IEnumerable, System.Collections.IDictionary, System.Collections.ICollection\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public virtual System.Collections.ICollection Keys { get => throw null; }\n    public virtual System.Collections.ICollection Values { get => throw null; }\n    public virtual System.Collections.IDictionaryEnumerator GetEnumerator() => throw null;\n    public virtual bool Contains(object key) => throw null;\n    public virtual bool IsFixedSize { get => throw null; }\n    public virtual bool IsReadOnly { get => throw null; }\n    public virtual bool IsSynchronized { get => throw null; }\n    public virtual int Count { get => throw null; }\n    public virtual object Clone() => throw null;\n    public virtual object GetByIndex(int index) => throw null;\n    public virtual object SyncRoot { get => throw null; }\n    public virtual object this[object key] { get => throw null; set => throw null; }\n    public virtual void Add(object key, object value) => throw null;\n    public virtual void Clear() => throw null;\n    public virtual void CopyTo(System.Array array, int arrayIndex) => throw null;\n    public virtual void Remove(object key) => throw null;\n}\n\n// Generated from `System.Collections.Stack` in `System.Collections.NonGeneric, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Stack : System.ICloneable, System.Collections.IEnumerable, System.Collections.ICollection\n{\n    public virtual System.Collections.IEnumerator GetEnumerator() => throw null;\n    public virtual bool IsSynchronized { get => throw null; }\n    public virtual int Count { get => throw null; }\n    public virtual object Clone() => throw null;\n    public virtual object SyncRoot { get => throw null; }\n    public virtual void CopyTo(System.Array array, int index) => throw null;\n}\n\nnamespace Concurrent\n{\n// Generated from `System.Collections.Concurrent.BlockingCollection<>` in `System.Collections.Concurrent, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class BlockingCollection<T> : System.IDisposable, System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.IReadOnlyCollection<T>, System.Collections.Generic.IEnumerable<T>\n{\n    System.Collections.Generic.IEnumerator<T> System.Collections.Generic.IEnumerable<T>.GetEnumerator() => throw null;\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.ICollection.IsSynchronized { get => throw null; }\n    object System.Collections.ICollection.SyncRoot { get => throw null; }\n    public int Count { get => throw null; }\n    public void Dispose() => throw null;\n    void System.Collections.ICollection.CopyTo(System.Array array, int index) => throw null;\n}\n\n// Generated from `System.Collections.Concurrent.BlockingCollectionDebugView<>` in `System.Collections.Concurrent, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass BlockingCollectionDebugView<T>\n{\n}\n\n// Generated from `System.Collections.Concurrent.IDictionaryDebugView<,>` in `System.Collections.Concurrent, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass IDictionaryDebugView<TKey,TValue>\n{\n}\n\n}\nnamespace Generic\n{\n// Generated from `System.Collections.Generic.CollectionDebugView<>` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass CollectionDebugView<T>\n{\n}\n\n// Generated from `System.Collections.Generic.DictionaryDebugView<,>` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass DictionaryDebugView<K,V>\n{\n}\n\n// Generated from `System.Collections.Generic.QueueDebugView<>` in `System.Collections, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass QueueDebugView<T>\n{\n}\n\n// Generated from `System.Collections.Generic.SortedSet<>` in `System.Collections, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class SortedSet<T> : System.Runtime.Serialization.ISerializable, System.Runtime.Serialization.IDeserializationCallback, System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.ISet<T>, System.Collections.Generic.IReadOnlySet<T>, System.Collections.Generic.IReadOnlyCollection<T>, System.Collections.Generic.IEnumerable<T>, System.Collections.Generic.ICollection<T>\n{\n    System.Collections.Generic.IEnumerator<T> System.Collections.Generic.IEnumerable<T>.GetEnumerator() => throw null;\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.Generic.ICollection<T>.IsReadOnly { get => throw null; }\n    bool System.Collections.ICollection.IsSynchronized { get => throw null; }\n    object System.Collections.ICollection.SyncRoot { get => throw null; }\n    public bool Add(T item) => throw null;\n    public bool IsProperSubsetOf(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public bool IsProperSupersetOf(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public bool IsSubsetOf(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public bool IsSupersetOf(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public bool Overlaps(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public bool Remove(T item) => throw null;\n    public bool SetEquals(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public int Count { get => throw null; }\n    public virtual bool Contains(T item) => throw null;\n    public virtual void Clear() => throw null;\n    public virtual void IntersectWith(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public void CopyTo(T[] array, int index) => throw null;\n    public void ExceptWith(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public void SymmetricExceptWith(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public void UnionWith(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    void System.Collections.Generic.ICollection<T>.Add(T item) => throw null;\n    void System.Collections.ICollection.CopyTo(System.Array array, int index) => throw null;\n    void System.Runtime.Serialization.IDeserializationCallback.OnDeserialization(object sender) => throw null;\n    void System.Runtime.Serialization.ISerializable.GetObjectData(System.Runtime.Serialization.SerializationInfo info, System.Runtime.Serialization.StreamingContext context) => throw null;\n}\n\n// Generated from `System.Collections.Generic.Stack<>` in `System.Collections, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Stack<T> : System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.IReadOnlyCollection<T>, System.Collections.Generic.IEnumerable<T>\n{\n    System.Collections.Generic.IEnumerator<T> System.Collections.Generic.IEnumerable<T>.GetEnumerator() => throw null;\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.ICollection.IsSynchronized { get => throw null; }\n    object System.Collections.ICollection.SyncRoot { get => throw null; }\n    public T Peek() => throw null;\n    public int Count { get => throw null; }\n    void System.Collections.ICollection.CopyTo(System.Array array, int arrayIndex) => throw null;\n}\n\n// Generated from `System.Collections.Generic.StackDebugView<>` in `System.Collections, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass StackDebugView<T>\n{\n}\n\n}\nnamespace Specialized\n{\n// Generated from `System.Collections.Specialized.NameObjectCollectionBase` in `System.Collections.Specialized, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class NameObjectCollectionBase : System.Runtime.Serialization.ISerializable, System.Runtime.Serialization.IDeserializationCallback, System.Collections.IEnumerable, System.Collections.ICollection\n{\n    bool System.Collections.ICollection.IsSynchronized { get => throw null; }\n    object System.Collections.ICollection.SyncRoot { get => throw null; }\n    public virtual System.Collections.IEnumerator GetEnumerator() => throw null;\n    public virtual int Count { get => throw null; }\n    public virtual void GetObjectData(System.Runtime.Serialization.SerializationInfo info, System.Runtime.Serialization.StreamingContext context) => throw null;\n    public virtual void OnDeserialization(object sender) => throw null;\n    void System.Collections.ICollection.CopyTo(System.Array array, int index) => throw null;\n}\n\n// Generated from `System.Collections.Specialized.NameValueCollection` in `System.Collections.Specialized, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class NameValueCollection : System.Collections.Specialized.NameObjectCollectionBase\n{\n    public string this[string name] { get => throw null; set => throw null; }\n}\n\n}\n}\nnamespace ComponentModel\n{\n// Generated from `System.ComponentModel.ComponentConverter` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ComponentConverter : System.ComponentModel.ReferenceConverter\n{\n}\n\n// Generated from `System.ComponentModel.DefaultEventAttribute` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class DefaultEventAttribute : System.Attribute\n{\n    public DefaultEventAttribute(string name) => throw null;\n    public override bool Equals(object obj) => throw null;\n    public override int GetHashCode() => throw null;\n}\n\n// Generated from `System.ComponentModel.DefaultPropertyAttribute` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class DefaultPropertyAttribute : System.Attribute\n{\n    public DefaultPropertyAttribute(string name) => throw null;\n    public override bool Equals(object obj) => throw null;\n    public override int GetHashCode() => throw null;\n}\n\n// Generated from `System.ComponentModel.INotifyPropertyChanged` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface INotifyPropertyChanged\n{\n}\n\n// Generated from `System.ComponentModel.ReferenceConverter` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ReferenceConverter : System.ComponentModel.TypeConverter\n{\n}\n\n// Generated from `System.ComponentModel.TypeConverterAttribute` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class TypeConverterAttribute : System.Attribute\n{\n    public TypeConverterAttribute() => throw null;\n    public TypeConverterAttribute(System.Type type) => throw null;\n    public TypeConverterAttribute(string typeName) => throw null;\n    public override bool Equals(object obj) => throw null;\n    public override int GetHashCode() => throw null;\n}\n\n// Generated from `System.ComponentModel.TypeConverter` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class TypeConverter\n{\n}\n\n// Generated from `System.ComponentModel.TypeDescriptionProviderAttribute` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class TypeDescriptionProviderAttribute : System.Attribute\n{\n    public TypeDescriptionProviderAttribute(System.Type type) => throw null;\n    public TypeDescriptionProviderAttribute(string typeName) => throw null;\n}\n\n// Generated from `System.ComponentModel.TypeDescriptionProvider` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class TypeDescriptionProvider\n{\n}\n\n// Generated from `System.ComponentModel.TypeDescriptor` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class TypeDescriptor\n{\n}\n\nnamespace Design\n{\n// Generated from `System.ComponentModel.Design.DesignerOptionService` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class DesignerOptionService : System.ComponentModel.Design.IDesignerOptionService\n{\n}\n\n// Generated from `System.ComponentModel.Design.IDesignerOptionService` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface IDesignerOptionService\n{\n}\n\n}\n}\nnamespace Dynamic\n{\n// Generated from `System.Dynamic.DynamicMetaObject` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class DynamicMetaObject\n{\n}\n\n// Generated from `System.Dynamic.ExpandoObject` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ExpandoObject : System.Dynamic.IDynamicMetaObjectProvider, System.ComponentModel.INotifyPropertyChanged, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<System.Collections.Generic.KeyValuePair<string,object>>, System.Collections.Generic.IDictionary<string,object>, System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>\n{\n    System.Collections.Generic.ICollection<object> System.Collections.Generic.IDictionary<string,object>.Values { get => throw null; }\n    System.Collections.Generic.ICollection<string> System.Collections.Generic.IDictionary<string,object>.Keys { get => throw null; }\n    System.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<string,object>> System.Collections.Generic.IEnumerable<System.Collections.Generic.KeyValuePair<string,object>>.GetEnumerator() => throw null;\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.Contains(System.Collections.Generic.KeyValuePair<string,object> item) => throw null;\n    bool System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.IsReadOnly { get => throw null; }\n    bool System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.Remove(System.Collections.Generic.KeyValuePair<string,object> item) => throw null;\n    bool System.Collections.Generic.IDictionary<string,object>.ContainsKey(string key) => throw null;\n    bool System.Collections.Generic.IDictionary<string,object>.Remove(string key) => throw null;\n    bool System.Collections.Generic.IDictionary<string,object>.TryGetValue(string key, out object value) => throw null;\n    int System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.Count { get => throw null; }\n    object this[string key] { get => throw null; set => throw null; }\n    void System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.Add(System.Collections.Generic.KeyValuePair<string,object> item) => throw null;\n    void System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.Clear() => throw null;\n    void System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.CopyTo(System.Collections.Generic.KeyValuePair<string,object>[] array, int arrayIndex) => throw null;\n    void System.Collections.Generic.IDictionary<string,object>.Add(string key, object value) => throw null;\n}\n\n// Generated from `System.Dynamic.IDynamicMetaObjectProvider` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface IDynamicMetaObjectProvider\n{\n}\n\nnamespace Utils\n{\n// Generated from `System.Dynamic.Utils.ListProvider<>` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract class ListProvider<T> : System.Collections.IEnumerable, System.Collections.Generic.IList<T>, System.Collections.Generic.IEnumerable<T>, System.Collections.Generic.ICollection<T> where T: class\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<T> GetEnumerator() => throw null;\n    public T this[int index] { get => throw null; set => throw null; }\n    public bool Contains(T item) => throw null;\n    public bool IsReadOnly { get => throw null; }\n    public bool Remove(T item) => throw null;\n    public int Count { get => throw null; }\n    public int IndexOf(T item) => throw null;\n    public void Add(T item) => throw null;\n    public void Clear() => throw null;\n    public void CopyTo(T[] array, int index) => throw null;\n    public void Insert(int index, T item) => throw null;\n    public void RemoveAt(int index) => throw null;\n}\n\n}\n}\nnamespace IO\n{\nnamespace Compression\n{\n// Generated from `System.IO.Compression.DeflateStream` in `System.IO.Compression, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089`\npublic class DeflateStream : System.IO.Stream\n{\n    protected override void Dispose(bool disposing) => throw null;\n    public override System.IAsyncResult BeginRead(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.IAsyncResult BeginWrite(System.Byte[] array, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.Int64 Length { get => throw null; }\n    public override System.Int64 Position { get => throw null; set => throw null; }\n    public override System.Int64 Seek(System.Int64 offset, System.IO.SeekOrigin origin) => throw null;\n    public override System.Threading.Tasks.Task CopyToAsync(System.IO.Stream destination, int bufferSize, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task FlushAsync(System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task WriteAsync(System.Byte[] array, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task<int> ReadAsync(System.Byte[] array, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.ValueTask DisposeAsync() => throw null;\n    public override System.Threading.Tasks.ValueTask WriteAsync(System.ReadOnlyMemory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.ValueTask<int> ReadAsync(System.Memory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) => throw null;\n    public override bool CanRead { get => throw null; }\n    public override bool CanSeek { get => throw null; }\n    public override bool CanWrite { get => throw null; }\n    public override int EndRead(System.IAsyncResult asyncResult) => throw null;\n    public override int Read(System.Byte[] array, int offset, int count) => throw null;\n    public override int Read(System.Span<System.Byte> buffer) => throw null;\n    public override int ReadByte() => throw null;\n    public override void CopyTo(System.IO.Stream destination, int bufferSize) => throw null;\n    public override void EndWrite(System.IAsyncResult asyncResult) => throw null;\n    public override void Flush() => throw null;\n    public override void SetLength(System.Int64 value) => throw null;\n    public override void Write(System.Byte[] array, int offset, int count) => throw null;\n    public override void Write(System.ReadOnlySpan<System.Byte> buffer) => throw null;\n}\n\n}\n}\nnamespace Linq\n{\n// Generated from `System.Linq.Enumerable` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstatic public class Enumerable\n{\n    public static System.Collections.Generic.IEnumerable<TResult> Select<TSource,TResult>(this System.Collections.Generic.IEnumerable<TSource> source, System.Func<TSource,TResult> selector) => throw null;\n}\n\n// Generated from `System.Linq.Grouping<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Grouping<TKey,TElement> : System.Linq.IGrouping<TKey,TElement>, System.Collections.IEnumerable, System.Collections.Generic.IList<TElement>, System.Collections.Generic.IEnumerable<TElement>, System.Collections.Generic.ICollection<TElement>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    TElement this[int index] { get => throw null; set => throw null; }\n    bool System.Collections.Generic.ICollection<TElement>.Contains(TElement item) => throw null;\n    bool System.Collections.Generic.ICollection<TElement>.IsReadOnly { get => throw null; }\n    bool System.Collections.Generic.ICollection<TElement>.Remove(TElement item) => throw null;\n    int System.Collections.Generic.ICollection<TElement>.Count { get => throw null; }\n    int System.Collections.Generic.IList<TElement>.IndexOf(TElement item) => throw null;\n    public System.Collections.Generic.IEnumerator<TElement> GetEnumerator() => throw null;\n    void System.Collections.Generic.ICollection<TElement>.Add(TElement item) => throw null;\n    void System.Collections.Generic.ICollection<TElement>.Clear() => throw null;\n    void System.Collections.Generic.ICollection<TElement>.CopyTo(TElement[] array, int arrayIndex) => throw null;\n    void System.Collections.Generic.IList<TElement>.Insert(int index, TElement item) => throw null;\n    void System.Collections.Generic.IList<TElement>.RemoveAt(int index) => throw null;\n}\n\n// Generated from `System.Linq.IGrouping<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface IGrouping<TKey,TElement> : System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TElement>\n{\n}\n\n// Generated from `System.Linq.IIListProvider<>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\ninterface IIListProvider<TElement> : System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TElement>\n{\n}\n\n// Generated from `System.Linq.ILookup<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface ILookup<TKey,TElement> : System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<System.Linq.IGrouping<TKey,TElement>>\n{\n}\n\n// Generated from `System.Linq.IOrderedEnumerable<>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface IOrderedEnumerable<TElement> : System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TElement>\n{\n}\n\n// Generated from `System.Linq.IPartition<>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\ninterface IPartition<TElement> : System.Linq.IIListProvider<TElement>, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TElement>\n{\n}\n\n// Generated from `System.Linq.IQueryable` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface IQueryable : System.Collections.IEnumerable\n{\n}\n\n// Generated from `System.Linq.Lookup<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Lookup<TKey,TElement> : System.Linq.ILookup<TKey,TElement>, System.Linq.IIListProvider<System.Linq.IGrouping<TKey,TElement>>, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<System.Linq.IGrouping<TKey,TElement>>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<System.Linq.IGrouping<TKey,TElement>> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.OrderedEnumerable<>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract class OrderedEnumerable<TElement> : System.Linq.IPartition<TElement>, System.Linq.IOrderedEnumerable<TElement>, System.Linq.IIListProvider<TElement>, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TElement>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<TElement> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.ParallelEnumerable` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstatic public class ParallelEnumerable\n{\n    public static System.Linq.ParallelQuery AsParallel(this System.Collections.IEnumerable source) => throw null;\n}\n\n// Generated from `System.Linq.ParallelQuery<>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ParallelQuery<TSource> : System.Linq.ParallelQuery, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TSource>\n{\n    public virtual System.Collections.Generic.IEnumerator<TSource> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.ParallelQuery` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ParallelQuery : System.Collections.IEnumerable\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.Queryable` in `System.Linq.Queryable, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstatic public class Queryable\n{\n    public static System.Linq.IQueryable AsQueryable(this System.Collections.IEnumerable source) => throw null;\n}\n\n// Generated from `System.Linq.SystemLinq_GroupingDebugView<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass SystemLinq_GroupingDebugView<TKey,TElement>\n{\n}\n\n// Generated from `System.Linq.SystemLinq_LookupDebugView<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass SystemLinq_LookupDebugView<TKey,TElement>\n{\n}\n\nnamespace Expressions\n{\n// Generated from `System.Linq.Expressions.BlockExpressionList` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass BlockExpressionList : System.Collections.IEnumerable, System.Collections.Generic.IList<System.Linq.Expressions.Expression>, System.Collections.Generic.IEnumerable<System.Linq.Expressions.Expression>, System.Collections.Generic.ICollection<System.Linq.Expressions.Expression>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<System.Linq.Expressions.Expression> GetEnumerator() => throw null;\n    public System.Linq.Expressions.Expression this[int index] { get => throw null; set => throw null; }\n    public bool Contains(System.Linq.Expressions.Expression item) => throw null;\n    public bool IsReadOnly { get => throw null; }\n    public bool Remove(System.Linq.Expressions.Expression item) => throw null;\n    public int Count { get => throw null; }\n    public int IndexOf(System.Linq.Expressions.Expression item) => throw null;\n    public void Add(System.Linq.Expressions.Expression item) => throw null;\n    public void Clear() => throw null;\n    public void CopyTo(System.Linq.Expressions.Expression[] array, int index) => throw null;\n    public void Insert(int index, System.Linq.Expressions.Expression item) => throw null;\n    public void RemoveAt(int index) => throw null;\n}\n\n// Generated from `System.Linq.Expressions.Expression` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class Expression\n{\n    public override string ToString() => throw null;\n}\n\n// Generated from `System.Linq.Expressions.ParameterExpression` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ParameterExpression : System.Linq.Expressions.Expression\n{\n}\n\nnamespace Compiler\n{\n// Generated from `System.Linq.Expressions.Compiler.ParameterList` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass ParameterList : System.Collections.IEnumerable, System.Collections.Generic.IReadOnlyList<System.Linq.Expressions.ParameterExpression>, System.Collections.Generic.IReadOnlyCollection<System.Linq.Expressions.ParameterExpression>, System.Collections.Generic.IEnumerable<System.Linq.Expressions.ParameterExpression>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<System.Linq.Expressions.ParameterExpression> GetEnumerator() => throw null;\n    public System.Linq.Expressions.ParameterExpression this[int index] { get => throw null; }\n    public int Count { get => throw null; }\n}\n\n}\nnamespace Interpreter\n{\n// Generated from `System.Linq.Expressions.Interpreter.InstructionArray` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstruct InstructionArray\n{\n}\n\n// Generated from `System.Linq.Expressions.Interpreter.InstructionList` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass InstructionList\n{\n}\n\n// Generated from `System.Linq.Expressions.Interpreter.InterpretedFrameInfo` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstruct InterpretedFrameInfo\n{\n    public override string ToString() => throw null;\n}\n\n// Generated from `System.Linq.Expressions.Interpreter.InterpretedFrame` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass InterpretedFrame\n{\n}\n\n}\n}\nnamespace Parallel\n{\n// Generated from `System.Linq.Parallel.ListChunk<>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass ListChunk<TInputOutput> : System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TInputOutput>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<TInputOutput> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.Parallel.Lookup<,>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass Lookup<TKey,TElement> : System.Linq.ILookup<TKey,TElement>, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<System.Linq.IGrouping<TKey,TElement>>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<System.Linq.IGrouping<TKey,TElement>> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.Parallel.PartitionerQueryOperator<>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass PartitionerQueryOperator<TElement> : System.Linq.Parallel.QueryOperator<TElement>\n{\n}\n\n// Generated from `System.Linq.Parallel.QueryOperator<>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract class QueryOperator<TOutput> : System.Linq.ParallelQuery<TOutput>\n{\n    public override System.Collections.Generic.IEnumerator<TOutput> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.Parallel.QueryResults<>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract class QueryResults<T> : System.Collections.IEnumerable, System.Collections.Generic.IList<T>, System.Collections.Generic.IEnumerable<T>, System.Collections.Generic.ICollection<T>\n{\n    System.Collections.Generic.IEnumerator<T> System.Collections.Generic.IEnumerable<T>.GetEnumerator() => throw null;\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.Generic.ICollection<T>.Contains(T item) => throw null;\n    bool System.Collections.Generic.ICollection<T>.IsReadOnly { get => throw null; }\n    bool System.Collections.Generic.ICollection<T>.Remove(T item) => throw null;\n    int System.Collections.Generic.IList<T>.IndexOf(T item) => throw null;\n    public T this[int index] { get => throw null; set => throw null; }\n    public int Count { get => throw null; }\n    void System.Collections.Generic.ICollection<T>.Add(T item) => throw null;\n    void System.Collections.Generic.ICollection<T>.Clear() => throw null;\n    void System.Collections.Generic.ICollection<T>.CopyTo(T[] array, int arrayIndex) => throw null;\n    void System.Collections.Generic.IList<T>.Insert(int index, T item) => throw null;\n    void System.Collections.Generic.IList<T>.RemoveAt(int index) => throw null;\n}\n\n// Generated from `System.Linq.Parallel.ZipQueryOperator<,,>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass ZipQueryOperator<TLeftInput,TRightInput,TOutput> : System.Linq.Parallel.QueryOperator<TOutput>\n{\n}\n\n}\n}\nnamespace Net\n{\n// Generated from `System.Net.CookieCollection` in `System.Net.Primitives, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class CookieCollection : System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.IReadOnlyCollection<System.Net.Cookie>, System.Collections.Generic.IEnumerable<System.Net.Cookie>, System.Collections.Generic.ICollection<System.Net.Cookie>\n{\n    System.Collections.Generic.IEnumerator<System.Net.Cookie> System.Collections.Generic.IEnumerable<System.Net.Cookie>.GetEnumerator() => throw null;\n    public System.Collections.IEnumerator GetEnumerator() => throw null;\n    public bool Contains(System.Net.Cookie cookie) => throw null;\n    public bool IsReadOnly { get => throw null; }\n    public bool IsSynchronized { get => throw null; }\n    public bool Remove(System.Net.Cookie cookie) => throw null;\n    public int Count { get => throw null; }\n    public object SyncRoot { get => throw null; }\n    public void Add(System.Net.Cookie cookie) => throw null;\n    public void Clear() => throw null;\n    public void CopyTo(System.Array array, int index) => throw null;\n    public void CopyTo(System.Net.Cookie[] array, int index) => throw null;\n}\n\n// Generated from `System.Net.Cookie` in `System.Net.Primitives, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Cookie\n{\n    public override bool Equals(object comparand) => throw null;\n    public override int GetHashCode() => throw null;\n    public override string ToString() => throw null;\n}\n\n// Generated from `System.Net.StreamFramer` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass StreamFramer\n{\n}\n\nnamespace Security\n{\n// Generated from `System.Net.Security.AuthenticatedStream` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class AuthenticatedStream : System.IO.Stream\n{\n    protected override void Dispose(bool disposing) => throw null;\n    public override System.Threading.Tasks.ValueTask DisposeAsync() => throw null;\n}\n\n// Generated from `System.Net.Security.CipherSuitesPolicy` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class CipherSuitesPolicy\n{\n}\n\n// Generated from `System.Net.Security.NegotiateStream` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class NegotiateStream : System.Net.Security.AuthenticatedStream\n{\n    protected override void Dispose(bool disposing) => throw null;\n    public override System.IAsyncResult BeginRead(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.IAsyncResult BeginWrite(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.Int64 Length { get => throw null; }\n    public override System.Int64 Position { get => throw null; set => throw null; }\n    public override System.Int64 Seek(System.Int64 offset, System.IO.SeekOrigin origin) => throw null;\n    public override System.Threading.Tasks.Task FlushAsync(System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task WriteAsync(System.Byte[] buffer, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task<int> ReadAsync(System.Byte[] buffer, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.ValueTask DisposeAsync() => throw null;\n    public override System.Threading.Tasks.ValueTask WriteAsync(System.ReadOnlyMemory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) => throw null;\n    public override System.Threading.Tasks.ValueTask<int> ReadAsync(System.Memory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) => throw null;\n    public override bool CanRead { get => throw null; }\n    public override bool CanSeek { get => throw null; }\n    public override bool CanTimeout { get => throw null; }\n    public override bool CanWrite { get => throw null; }\n    public override int EndRead(System.IAsyncResult asyncResult) => throw null;\n    public override int Read(System.Byte[] buffer, int offset, int count) => throw null;\n    public override int ReadTimeout { get => throw null; set => throw null; }\n    public override int WriteTimeout { get => throw null; set => throw null; }\n    public override void EndWrite(System.IAsyncResult asyncResult) => throw null;\n    public override void Flush() => throw null;\n    public override void SetLength(System.Int64 value) => throw null;\n    public override void Write(System.Byte[] buffer, int offset, int count) => throw null;\n}\n\n// Generated from `System.Net.Security.SslStream` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class SslStream : System.Net.Security.AuthenticatedStream\n{\n    protected override void Dispose(bool disposing) => throw null;\n    public override System.IAsyncResult BeginRead(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.IAsyncResult BeginWrite(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.Int64 Length { get => throw null; }\n    public override System.Int64 Position { get => throw null; set => throw null; }\n    public override System.Int64 Seek(System.Int64 offset, System.IO.SeekOrigin origin) => throw null;\n    public override System.Threading.Tasks.Task FlushAsync(System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task WriteAsync(System.Byte[] buffer, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task<int> ReadAsync(System.Byte[] buffer, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.ValueTask DisposeAsync() => throw null;\n    public override System.Threading.Tasks.ValueTask WriteAsync(System.ReadOnlyMemory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) => throw null;\n    public override System.Threading.Tasks.ValueTask<int> ReadAsync(System.Memory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) => throw null;\n    public override bool CanRead { get => throw null; }\n    public override bool CanSeek { get => throw null; }\n    public override bool CanTimeout { get => throw null; }\n    public override bool CanWrite { get => throw null; }\n    public override int EndRead(System.IAsyncResult asyncResult) => throw null;\n    public override int Read(System.Byte[] buffer, int offset, int count) => throw null;\n    public override int ReadByte() => throw null;\n    public override int ReadTimeout { get => throw null; set => throw null; }\n    public override int WriteTimeout { get => throw null; set => throw null; }\n    public override void EndWrite(System.IAsyncResult asyncResult) => throw null;\n    public override void Flush() => throw null;\n    public override void SetLength(System.Int64 value) => throw null;\n    public override void Write(System.Byte[] buffer, int offset, int count) => throw null;\n}\n\n// Generated from `System.Net.Security.TlsCipherSuite` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic enum TlsCipherSuite\n{\n}\n\n// Generated from `System.Net.Security.TlsFrameHelper` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass TlsFrameHelper\n{\n}\n\n}\n}\nnamespace Runtime\n{\nnamespace Serialization\n{\n// Generated from `System.Runtime.Serialization.DataContractAttribute` in `System.Runtime.Serialization.Primitives, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class DataContractAttribute : System.Attribute\n{\n    public DataContractAttribute() => throw null;\n}\n\n// Generated from `System.Runtime.Serialization.DataMemberAttribute` in `System.Runtime.Serialization.Primitives, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class DataMemberAttribute : System.Attribute\n{\n    public DataMemberAttribute() => throw null;\n}\n\n}\n}\nnamespace Text\n{\nnamespace RegularExpressions\n{\n// Generated from `System.Text.RegularExpressions.Capture` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Capture\n{\n    public override string ToString() => throw null;\n}\n\n// Generated from `System.Text.RegularExpressions.CollectionDebuggerProxy<>` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass CollectionDebuggerProxy<T>\n{\n}\n\n// Generated from `System.Text.RegularExpressions.GroupCollection` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class GroupCollection : System.Collections.IList, System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.IReadOnlyList<System.Text.RegularExpressions.Group>, System.Collections.Generic.IReadOnlyDictionary<string,System.Text.RegularExpressions.Group>, System.Collections.Generic.IReadOnlyCollection<System.Text.RegularExpressions.Group>, System.Collections.Generic.IReadOnlyCollection<System.Collections.Generic.KeyValuePair<string,System.Text.RegularExpressions.Group>>, System.Collections.Generic.IList<System.Text.RegularExpressions.Group>, System.Collections.Generic.IEnumerable<System.Text.RegularExpressions.Group>, System.Collections.Generic.IEnumerable<System.Collections.Generic.KeyValuePair<string,System.Text.RegularExpressions.Group>>, System.Collections.Generic.ICollection<System.Text.RegularExpressions.Group>\n{\n    System.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<string,System.Text.RegularExpressions.Group>> System.Collections.Generic.IEnumerable<System.Collections.Generic.KeyValuePair<string,System.Text.RegularExpressions.Group>>.GetEnumerator() => throw null;\n    System.Collections.Generic.IEnumerator<System.Text.RegularExpressions.Group> System.Collections.Generic.IEnumerable<System.Text.RegularExpressions.Group>.GetEnumerator() => throw null;\n    System.Text.RegularExpressions.Group this[int index] { get => throw null; set => throw null; }\n    bool System.Collections.Generic.ICollection<System.Text.RegularExpressions.Group>.Contains(System.Text.RegularExpressions.Group item) => throw null;\n    bool System.Collections.Generic.ICollection<System.Text.RegularExpressions.Group>.Remove(System.Text.RegularExpressions.Group item) => throw null;\n    bool System.Collections.IList.Contains(object value) => throw null;\n    bool System.Collections.IList.IsFixedSize { get => throw null; }\n    int System.Collections.Generic.IList<System.Text.RegularExpressions.Group>.IndexOf(System.Text.RegularExpressions.Group item) => throw null;\n    int System.Collections.IList.Add(object value) => throw null;\n    int System.Collections.IList.IndexOf(object value) => throw null;\n    object this[int index] { get => throw null; set => throw null; }\n    public System.Collections.Generic.IEnumerable<System.Text.RegularExpressions.Group> Values { get => throw null; }\n    public System.Collections.Generic.IEnumerable<string> Keys { get => throw null; }\n    public System.Collections.IEnumerator GetEnumerator() => throw null;\n    public System.Text.RegularExpressions.Group this[string groupname] { get => throw null; }\n    public bool ContainsKey(string key) => throw null;\n    public bool IsReadOnly { get => throw null; }\n    public bool IsSynchronized { get => throw null; }\n    public bool TryGetValue(string key, out System.Text.RegularExpressions.Group value) => throw null;\n    public int Count { get => throw null; }\n    public object SyncRoot { get => throw null; }\n    public void CopyTo(System.Array array, int arrayIndex) => throw null;\n    public void CopyTo(System.Text.RegularExpressions.Group[] array, int arrayIndex) => throw null;\n    void System.Collections.Generic.ICollection<System.Text.RegularExpressions.Group>.Add(System.Text.RegularExpressions.Group item) => throw null;\n    void System.Collections.Generic.ICollection<System.Text.RegularExpressions.Group>.Clear() => throw null;\n    void System.Collections.Generic.IList<System.Text.RegularExpressions.Group>.Insert(int index, System.Text.RegularExpressions.Group item) => throw null;\n    void System.Collections.Generic.IList<System.Text.RegularExpressions.Group>.RemoveAt(int index) => throw null;\n    void System.Collections.IList.Clear() => throw null;\n    void System.Collections.IList.Insert(int index, object value) => throw null;\n    void System.Collections.IList.Remove(object value) => throw null;\n    void System.Collections.IList.RemoveAt(int index) => throw null;\n}\n\n// Generated from `System.Text.RegularExpressions.Group` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Group : System.Text.RegularExpressions.Capture\n{\n}\n\n// Generated from `System.Text.RegularExpressions.Match` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Match : System.Text.RegularExpressions.Group\n{\n}\n\n// Generated from `System.Text.RegularExpressions.RegexOptions` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\n[System.Flags]\npublic enum RegexOptions\n{\n    IgnoreCase,\n}\n\n// Generated from `System.Text.RegularExpressions.Regex` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Regex : System.Runtime.Serialization.ISerializable\n{\n    public Regex(string pattern) => throw null;\n    public Regex(string pattern, System.Text.RegularExpressions.RegexOptions options, System.TimeSpan matchTimeout) => throw null;\n    public System.Text.RegularExpressions.Match Match(string input) => throw null;\n    public override string ToString() => throw null;\n    public static System.Text.RegularExpressions.Match Match(string input, string pattern) => throw null;\n    public static System.Text.RegularExpressions.Match Match(string input, string pattern, System.Text.RegularExpressions.RegexOptions options, System.TimeSpan matchTimeout) => throw null;\n    public string Replace(string input, string replacement) => throw null;\n    void System.Runtime.Serialization.ISerializable.GetObjectData(System.Runtime.Serialization.SerializationInfo si, System.Runtime.Serialization.StreamingContext context) => throw null;\n}\n\n}\n}\nnamespace Timers\n{\n// Generated from `System.Timers.TimersDescriptionAttribute` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class TimersDescriptionAttribute\n{\n    public TimersDescriptionAttribute(string description) => throw null;\n}\n\n}\nnamespace Windows\n{\nnamespace Markup\n{\n// Generated from `System.Windows.Markup.ValueSerializerAttribute` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ValueSerializerAttribute : System.Attribute\n{\n    public ValueSerializerAttribute(System.Type valueSerializerType) => throw null;\n    public ValueSerializerAttribute(string valueSerializerTypeName) => throw null;\n}\n\n}\n}\n}\n |
+| // This file contains auto-generated code.\n// original-extractor-options: /r:System.Text.RegularExpressions.dll /r:System.Collections.Specialized.dll /r:System.Net.dll /r:System.Web.dll /r:System.Net.HttpListener.dll /r:System.Collections.Specialized.dll /r:System.Private.Uri.dll /r:System.Runtime.Extensions.dll /r:System.Linq.Parallel.dll /r:System.Collections.Concurrent.dll /r:System.Linq.Expressions.dll /r:System.Collections.dll /r:System.Linq.Queryable.dll /r:System.Linq.dll /r:System.Collections.NonGeneric.dll /r:System.ObjectModel.dll /r:System.ComponentModel.TypeConverter.dll /r:System.IO.Compression.dll /r:System.IO.Pipes.dll /r:System.Net.Primitives.dll /r:System.Net.Security.dll /r:System.Security.Cryptography.Primitives.dll /r:System.Text.RegularExpressions.dll ${testdir}/../../resources/stubs/System.Web.cs /r:System.Runtime.Serialization.Primitives.dll\n\nnamespace System\n{\n// Generated from `System.Uri` in `System.Private.Uri, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Uri : System.Runtime.Serialization.ISerializable\n{\n    public override bool Equals(object comparand) => throw null;\n    public override int GetHashCode() => throw null;\n    public override string ToString() => throw null;\n    void System.Runtime.Serialization.ISerializable.GetObjectData(System.Runtime.Serialization.SerializationInfo serializationInfo, System.Runtime.Serialization.StreamingContext streamingContext) => throw null;\n}\n\nnamespace Collections\n{\n// Generated from `System.Collections.Queue` in `System.Collections.NonGeneric, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Queue : System.ICloneable, System.Collections.IEnumerable, System.Collections.ICollection\n{\n    public virtual System.Collections.IEnumerator GetEnumerator() => throw null;\n    public virtual bool IsSynchronized { get => throw null; }\n    public virtual int Count { get => throw null; }\n    public virtual object Clone() => throw null;\n    public virtual object SyncRoot { get => throw null; }\n    public virtual void CopyTo(System.Array array, int index) => throw null;\n}\n\n// Generated from `System.Collections.SortedList` in `System.Collections.NonGeneric, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class SortedList : System.ICloneable, System.Collections.IEnumerable, System.Collections.IDictionary, System.Collections.ICollection\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public virtual System.Collections.ICollection Keys { get => throw null; }\n    public virtual System.Collections.ICollection Values { get => throw null; }\n    public virtual System.Collections.IDictionaryEnumerator GetEnumerator() => throw null;\n    public virtual bool Contains(object key) => throw null;\n    public virtual bool IsFixedSize { get => throw null; }\n    public virtual bool IsReadOnly { get => throw null; }\n    public virtual bool IsSynchronized { get => throw null; }\n    public virtual int Count { get => throw null; }\n    public virtual object Clone() => throw null;\n    public virtual object GetByIndex(int index) => throw null;\n    public virtual object SyncRoot { get => throw null; }\n    public virtual object this[object key] { get => throw null; set => throw null; }\n    public virtual void Add(object key, object value) => throw null;\n    public virtual void Clear() => throw null;\n    public virtual void CopyTo(System.Array array, int arrayIndex) => throw null;\n    public virtual void Remove(object key) => throw null;\n}\n\n// Generated from `System.Collections.Stack` in `System.Collections.NonGeneric, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Stack : System.ICloneable, System.Collections.IEnumerable, System.Collections.ICollection\n{\n    public virtual System.Collections.IEnumerator GetEnumerator() => throw null;\n    public virtual bool IsSynchronized { get => throw null; }\n    public virtual int Count { get => throw null; }\n    public virtual object Clone() => throw null;\n    public virtual object SyncRoot { get => throw null; }\n    public virtual void CopyTo(System.Array array, int index) => throw null;\n}\n\nnamespace Concurrent\n{\n// Generated from `System.Collections.Concurrent.BlockingCollection<>` in `System.Collections.Concurrent, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class BlockingCollection<T> : System.IDisposable, System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.IReadOnlyCollection<T>, System.Collections.Generic.IEnumerable<T>\n{\n    System.Collections.Generic.IEnumerator<T> System.Collections.Generic.IEnumerable<T>.GetEnumerator() => throw null;\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.ICollection.IsSynchronized { get => throw null; }\n    object System.Collections.ICollection.SyncRoot { get => throw null; }\n    public int Count { get => throw null; }\n    public void Dispose() => throw null;\n    void System.Collections.ICollection.CopyTo(System.Array array, int index) => throw null;\n}\n\n// Generated from `System.Collections.Concurrent.BlockingCollectionDebugView<>` in `System.Collections.Concurrent, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass BlockingCollectionDebugView<T>\n{\n}\n\n// Generated from `System.Collections.Concurrent.ConcurrentStack<>` in `System.Collections.Concurrent, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ConcurrentStack<T> : System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.IReadOnlyCollection<T>, System.Collections.Generic.IEnumerable<T>, System.Collections.Concurrent.IProducerConsumerCollection<T>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.Concurrent.IProducerConsumerCollection<T>.TryAdd(T item) => throw null;\n    bool System.Collections.Concurrent.IProducerConsumerCollection<T>.TryTake(out T item) => throw null;\n    bool System.Collections.ICollection.IsSynchronized { get => throw null; }\n    object System.Collections.ICollection.SyncRoot { get => throw null; }\n    public System.Collections.Generic.IEnumerator<T> GetEnumerator() => throw null;\n    public T[] ToArray() => throw null;\n    public int Count { get => throw null; }\n    public void CopyTo(T[] array, int index) => throw null;\n    void System.Collections.ICollection.CopyTo(System.Array array, int index) => throw null;\n}\n\n// Generated from `System.Collections.Concurrent.IDictionaryDebugView<,>` in `System.Collections.Concurrent, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass IDictionaryDebugView<TKey,TValue>\n{\n}\n\n// Generated from `System.Collections.Concurrent.Partitioner` in `System.Collections.Concurrent, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstatic public class Partitioner\n{\n}\n\n}\nnamespace Generic\n{\n// Generated from `System.Collections.Generic.CollectionDebugView<>` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass CollectionDebugView<T>\n{\n}\n\n// Generated from `System.Collections.Generic.DictionaryDebugView<,>` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass DictionaryDebugView<K,V>\n{\n}\n\n// Generated from `System.Collections.Generic.QueueDebugView<>` in `System.Collections, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass QueueDebugView<T>\n{\n}\n\n// Generated from `System.Collections.Generic.SortedSet<>` in `System.Collections, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class SortedSet<T> : System.Runtime.Serialization.ISerializable, System.Runtime.Serialization.IDeserializationCallback, System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.ISet<T>, System.Collections.Generic.IReadOnlySet<T>, System.Collections.Generic.IReadOnlyCollection<T>, System.Collections.Generic.IEnumerable<T>, System.Collections.Generic.ICollection<T>\n{\n    System.Collections.Generic.IEnumerator<T> System.Collections.Generic.IEnumerable<T>.GetEnumerator() => throw null;\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.Generic.ICollection<T>.IsReadOnly { get => throw null; }\n    bool System.Collections.ICollection.IsSynchronized { get => throw null; }\n    object System.Collections.ICollection.SyncRoot { get => throw null; }\n    public bool Add(T item) => throw null;\n    public bool IsProperSubsetOf(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public bool IsProperSupersetOf(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public bool IsSubsetOf(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public bool IsSupersetOf(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public bool Overlaps(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public bool Remove(T item) => throw null;\n    public bool SetEquals(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public int Count { get => throw null; }\n    public virtual bool Contains(T item) => throw null;\n    public virtual void Clear() => throw null;\n    public virtual void IntersectWith(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public void CopyTo(T[] array, int index) => throw null;\n    public void ExceptWith(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public void SymmetricExceptWith(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    public void UnionWith(System.Collections.Generic.IEnumerable<T> other) => throw null;\n    void System.Collections.Generic.ICollection<T>.Add(T item) => throw null;\n    void System.Collections.ICollection.CopyTo(System.Array array, int index) => throw null;\n    void System.Runtime.Serialization.IDeserializationCallback.OnDeserialization(object sender) => throw null;\n    void System.Runtime.Serialization.ISerializable.GetObjectData(System.Runtime.Serialization.SerializationInfo info, System.Runtime.Serialization.StreamingContext context) => throw null;\n}\n\n// Generated from `System.Collections.Generic.Stack<>` in `System.Collections, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Stack<T> : System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.IReadOnlyCollection<T>, System.Collections.Generic.IEnumerable<T>\n{\n    System.Collections.Generic.IEnumerator<T> System.Collections.Generic.IEnumerable<T>.GetEnumerator() => throw null;\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.ICollection.IsSynchronized { get => throw null; }\n    object System.Collections.ICollection.SyncRoot { get => throw null; }\n    public T Peek() => throw null;\n    public int Count { get => throw null; }\n    void System.Collections.ICollection.CopyTo(System.Array array, int arrayIndex) => throw null;\n}\n\n// Generated from `System.Collections.Generic.StackDebugView<>` in `System.Collections, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass StackDebugView<T>\n{\n}\n\n}\nnamespace Specialized\n{\n// Generated from `System.Collections.Specialized.NameObjectCollectionBase` in `System.Collections.Specialized, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class NameObjectCollectionBase : System.Runtime.Serialization.ISerializable, System.Runtime.Serialization.IDeserializationCallback, System.Collections.IEnumerable, System.Collections.ICollection\n{\n    bool System.Collections.ICollection.IsSynchronized { get => throw null; }\n    object System.Collections.ICollection.SyncRoot { get => throw null; }\n    public virtual System.Collections.IEnumerator GetEnumerator() => throw null;\n    public virtual int Count { get => throw null; }\n    public virtual void GetObjectData(System.Runtime.Serialization.SerializationInfo info, System.Runtime.Serialization.StreamingContext context) => throw null;\n    public virtual void OnDeserialization(object sender) => throw null;\n    void System.Collections.ICollection.CopyTo(System.Array array, int index) => throw null;\n}\n\n// Generated from `System.Collections.Specialized.NameValueCollection` in `System.Collections.Specialized, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class NameValueCollection : System.Collections.Specialized.NameObjectCollectionBase\n{\n    public string this[string name] { get => throw null; set => throw null; }\n}\n\n}\n}\nnamespace ComponentModel\n{\n// Generated from `System.ComponentModel.ComponentConverter` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ComponentConverter : System.ComponentModel.ReferenceConverter\n{\n}\n\n// Generated from `System.ComponentModel.DefaultEventAttribute` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class DefaultEventAttribute : System.Attribute\n{\n    private static DefaultEventAttribute() => throw null;\n    public DefaultEventAttribute(string name) => throw null;\n    public override bool Equals(object obj) => throw null;\n    public override int GetHashCode() => throw null;\n}\n\n// Generated from `System.ComponentModel.DefaultPropertyAttribute` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class DefaultPropertyAttribute : System.Attribute\n{\n    private static DefaultPropertyAttribute() => throw null;\n    public DefaultPropertyAttribute(string name) => throw null;\n    public override bool Equals(object obj) => throw null;\n    public override int GetHashCode() => throw null;\n}\n\n// Generated from `System.ComponentModel.INotifyPropertyChanged` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface INotifyPropertyChanged\n{\n}\n\n// Generated from `System.ComponentModel.ReferenceConverter` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ReferenceConverter : System.ComponentModel.TypeConverter\n{\n}\n\n// Generated from `System.ComponentModel.TypeConverterAttribute` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class TypeConverterAttribute : System.Attribute\n{\n    private static TypeConverterAttribute() => throw null;\n    public TypeConverterAttribute() => throw null;\n    public TypeConverterAttribute(System.Type type) => throw null;\n    public TypeConverterAttribute(string typeName) => throw null;\n    public override bool Equals(object obj) => throw null;\n    public override int GetHashCode() => throw null;\n}\n\n// Generated from `System.ComponentModel.TypeConverter` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class TypeConverter\n{\n}\n\n// Generated from `System.ComponentModel.TypeDescriptionProviderAttribute` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class TypeDescriptionProviderAttribute : System.Attribute\n{\n    public TypeDescriptionProviderAttribute(System.Type type) => throw null;\n    public TypeDescriptionProviderAttribute(string typeName) => throw null;\n}\n\n// Generated from `System.ComponentModel.TypeDescriptionProvider` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class TypeDescriptionProvider\n{\n}\n\n// Generated from `System.ComponentModel.TypeDescriptor` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class TypeDescriptor\n{\n}\n\nnamespace Design\n{\n// Generated from `System.ComponentModel.Design.DesignerOptionService` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class DesignerOptionService : System.ComponentModel.Design.IDesignerOptionService\n{\n}\n\n// Generated from `System.ComponentModel.Design.IDesignerOptionService` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface IDesignerOptionService\n{\n}\n\n}\n}\nnamespace Dynamic\n{\n// Generated from `System.Dynamic.BindingRestrictions` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class BindingRestrictions\n{\n}\n\n// Generated from `System.Dynamic.DynamicMetaObject` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class DynamicMetaObject\n{\n}\n\n// Generated from `System.Dynamic.ExpandoObject` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ExpandoObject : System.Dynamic.IDynamicMetaObjectProvider, System.ComponentModel.INotifyPropertyChanged, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<System.Collections.Generic.KeyValuePair<string,object>>, System.Collections.Generic.IDictionary<string,object>, System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>\n{\n    System.Collections.Generic.ICollection<object> System.Collections.Generic.IDictionary<string,object>.Values { get => throw null; }\n    System.Collections.Generic.ICollection<string> System.Collections.Generic.IDictionary<string,object>.Keys { get => throw null; }\n    System.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<string,object>> System.Collections.Generic.IEnumerable<System.Collections.Generic.KeyValuePair<string,object>>.GetEnumerator() => throw null;\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.Contains(System.Collections.Generic.KeyValuePair<string,object> item) => throw null;\n    bool System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.IsReadOnly { get => throw null; }\n    bool System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.Remove(System.Collections.Generic.KeyValuePair<string,object> item) => throw null;\n    bool System.Collections.Generic.IDictionary<string,object>.ContainsKey(string key) => throw null;\n    bool System.Collections.Generic.IDictionary<string,object>.Remove(string key) => throw null;\n    bool System.Collections.Generic.IDictionary<string,object>.TryGetValue(string key, out object value) => throw null;\n    int System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.Count { get => throw null; }\n    object this[string key] { get => throw null; set => throw null; }\n    void System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.Add(System.Collections.Generic.KeyValuePair<string,object> item) => throw null;\n    void System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.Clear() => throw null;\n    void System.Collections.Generic.ICollection<System.Collections.Generic.KeyValuePair<string,object>>.CopyTo(System.Collections.Generic.KeyValuePair<string,object>[] array, int arrayIndex) => throw null;\n    void System.Collections.Generic.IDictionary<string,object>.Add(string key, object value) => throw null;\n}\n\n// Generated from `System.Dynamic.IDynamicMetaObjectProvider` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface IDynamicMetaObjectProvider\n{\n}\n\n// Generated from `System.Dynamic.UpdateDelegates` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstatic class UpdateDelegates\n{\n}\n\nnamespace Utils\n{\n// Generated from `System.Dynamic.Utils.ListProvider<>` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract class ListProvider<T> : System.Collections.IEnumerable, System.Collections.Generic.IList<T>, System.Collections.Generic.IEnumerable<T>, System.Collections.Generic.ICollection<T> where T: class\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<T> GetEnumerator() => throw null;\n    public T this[int index] { get => throw null; set => throw null; }\n    public bool Contains(T item) => throw null;\n    public bool IsReadOnly { get => throw null; }\n    public bool Remove(T item) => throw null;\n    public int Count { get => throw null; }\n    public int IndexOf(T item) => throw null;\n    public void Add(T item) => throw null;\n    public void Clear() => throw null;\n    public void CopyTo(T[] array, int index) => throw null;\n    public void Insert(int index, T item) => throw null;\n    public void RemoveAt(int index) => throw null;\n}\n\n}\n}\nnamespace IO\n{\nnamespace Compression\n{\n// Generated from `System.IO.Compression.DeflateManagedStream` in `System.IO.Compression, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089`\nclass DeflateManagedStream : System.IO.Stream\n{\n    protected override void Dispose(bool disposing) => throw null;\n    public override System.IAsyncResult BeginRead(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.Int64 Length { get => throw null; }\n    public override System.Int64 Position { get => throw null; set => throw null; }\n    public override System.Int64 Seek(System.Int64 offset, System.IO.SeekOrigin origin) => throw null;\n    public override System.Threading.Tasks.Task FlushAsync(System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task<int> ReadAsync(System.Byte[] array, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override bool CanRead { get => throw null; }\n    public override bool CanSeek { get => throw null; }\n    public override bool CanWrite { get => throw null; }\n    public override int EndRead(System.IAsyncResult asyncResult) => throw null;\n    public override int Read(System.Byte[] array, int offset, int count) => throw null;\n    public override void Flush() => throw null;\n    public override void SetLength(System.Int64 value) => throw null;\n    public override void Write(System.Byte[] array, int offset, int count) => throw null;\n}\n\n// Generated from `System.IO.Compression.DeflateStream` in `System.IO.Compression, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089`\npublic class DeflateStream : System.IO.Stream\n{\n    protected override void Dispose(bool disposing) => throw null;\n    public override System.IAsyncResult BeginRead(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.IAsyncResult BeginWrite(System.Byte[] array, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.Int64 Length { get => throw null; }\n    public override System.Int64 Position { get => throw null; set => throw null; }\n    public override System.Int64 Seek(System.Int64 offset, System.IO.SeekOrigin origin) => throw null;\n    public override System.Threading.Tasks.Task CopyToAsync(System.IO.Stream destination, int bufferSize, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task FlushAsync(System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task WriteAsync(System.Byte[] array, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task<int> ReadAsync(System.Byte[] array, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.ValueTask DisposeAsync() => throw null;\n    public override System.Threading.Tasks.ValueTask WriteAsync(System.ReadOnlyMemory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.ValueTask<int> ReadAsync(System.Memory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) => throw null;\n    public override bool CanRead { get => throw null; }\n    public override bool CanSeek { get => throw null; }\n    public override bool CanWrite { get => throw null; }\n    public override int EndRead(System.IAsyncResult asyncResult) => throw null;\n    public override int Read(System.Byte[] array, int offset, int count) => throw null;\n    public override int Read(System.Span<System.Byte> buffer) => throw null;\n    public override int ReadByte() => throw null;\n    public override void CopyTo(System.IO.Stream destination, int bufferSize) => throw null;\n    public override void EndWrite(System.IAsyncResult asyncResult) => throw null;\n    public override void Flush() => throw null;\n    public override void SetLength(System.Int64 value) => throw null;\n    public override void Write(System.Byte[] array, int offset, int count) => throw null;\n    public override void Write(System.ReadOnlySpan<System.Byte> buffer) => throw null;\n}\n\n}\nnamespace Pipes\n{\n// Generated from `System.IO.Pipes.NamedPipeServerStream` in `System.IO.Pipes, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class NamedPipeServerStream : System.IO.Pipes.PipeStream\n{\n}\n\n// Generated from `System.IO.Pipes.PipeStream` in `System.IO.Pipes, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class PipeStream : System.IO.Stream\n{\n    protected override void Dispose(bool disposing) => throw null;\n    public override System.IAsyncResult BeginRead(System.Byte[] buffer, int offset, int count, System.AsyncCallback callback, object state) => throw null;\n    public override System.IAsyncResult BeginWrite(System.Byte[] buffer, int offset, int count, System.AsyncCallback callback, object state) => throw null;\n    public override System.Int64 Length { get => throw null; }\n    public override System.Int64 Position { get => throw null; set => throw null; }\n    public override System.Int64 Seek(System.Int64 offset, System.IO.SeekOrigin origin) => throw null;\n    public override System.Threading.Tasks.Task FlushAsync(System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task WriteAsync(System.Byte[] buffer, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task<int> ReadAsync(System.Byte[] buffer, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.ValueTask WriteAsync(System.ReadOnlyMemory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) => throw null;\n    public override System.Threading.Tasks.ValueTask<int> ReadAsync(System.Memory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) => throw null;\n    public override bool CanRead { get => throw null; }\n    public override bool CanSeek { get => throw null; }\n    public override bool CanWrite { get => throw null; }\n    public override int EndRead(System.IAsyncResult asyncResult) => throw null;\n    public override int Read(System.Byte[] buffer, int offset, int count) => throw null;\n    public override int Read(System.Span<System.Byte> buffer) => throw null;\n    public override int ReadByte() => throw null;\n    public override void EndWrite(System.IAsyncResult asyncResult) => throw null;\n    public override void Flush() => throw null;\n    public override void SetLength(System.Int64 value) => throw null;\n    public override void Write(System.Byte[] buffer, int offset, int count) => throw null;\n    public override void Write(System.ReadOnlySpan<System.Byte> buffer) => throw null;\n    public override void WriteByte(System.Byte value) => throw null;\n}\n\n}\n}\nnamespace Linq\n{\n// Generated from `System.Linq.Enumerable` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstatic public class Enumerable\n{\n    public static System.Collections.Generic.IEnumerable<TResult> Select<TSource,TResult>(this System.Collections.Generic.IEnumerable<TSource> source, System.Func<TSource,TResult> selector) => throw null;\n}\n\n// Generated from `System.Linq.Grouping<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Grouping<TKey,TElement> : System.Linq.IGrouping<TKey,TElement>, System.Collections.IEnumerable, System.Collections.Generic.IList<TElement>, System.Collections.Generic.IEnumerable<TElement>, System.Collections.Generic.ICollection<TElement>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    TElement this[int index] { get => throw null; set => throw null; }\n    bool System.Collections.Generic.ICollection<TElement>.Contains(TElement item) => throw null;\n    bool System.Collections.Generic.ICollection<TElement>.IsReadOnly { get => throw null; }\n    bool System.Collections.Generic.ICollection<TElement>.Remove(TElement item) => throw null;\n    int System.Collections.Generic.ICollection<TElement>.Count { get => throw null; }\n    int System.Collections.Generic.IList<TElement>.IndexOf(TElement item) => throw null;\n    public System.Collections.Generic.IEnumerator<TElement> GetEnumerator() => throw null;\n    void System.Collections.Generic.ICollection<TElement>.Add(TElement item) => throw null;\n    void System.Collections.Generic.ICollection<TElement>.Clear() => throw null;\n    void System.Collections.Generic.ICollection<TElement>.CopyTo(TElement[] array, int arrayIndex) => throw null;\n    void System.Collections.Generic.IList<TElement>.Insert(int index, TElement item) => throw null;\n    void System.Collections.Generic.IList<TElement>.RemoveAt(int index) => throw null;\n}\n\n// Generated from `System.Linq.IGrouping<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface IGrouping<TKey,TElement> : System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TElement>\n{\n}\n\n// Generated from `System.Linq.IIListProvider<>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\ninterface IIListProvider<TElement> : System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TElement>\n{\n}\n\n// Generated from `System.Linq.ILookup<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface ILookup<TKey,TElement> : System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<System.Linq.IGrouping<TKey,TElement>>\n{\n}\n\n// Generated from `System.Linq.IOrderedEnumerable<>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface IOrderedEnumerable<TElement> : System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TElement>\n{\n}\n\n// Generated from `System.Linq.IPartition<>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\ninterface IPartition<TElement> : System.Linq.IIListProvider<TElement>, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TElement>\n{\n}\n\n// Generated from `System.Linq.IQueryable` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface IQueryable : System.Collections.IEnumerable\n{\n}\n\n// Generated from `System.Linq.Lookup<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Lookup<TKey,TElement> : System.Linq.ILookup<TKey,TElement>, System.Linq.IIListProvider<System.Linq.IGrouping<TKey,TElement>>, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<System.Linq.IGrouping<TKey,TElement>>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<System.Linq.IGrouping<TKey,TElement>> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.OrderedEnumerable<>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract class OrderedEnumerable<TElement> : System.Linq.IPartition<TElement>, System.Linq.IOrderedEnumerable<TElement>, System.Linq.IIListProvider<TElement>, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TElement>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<TElement> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.ParallelEnumerable` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstatic public class ParallelEnumerable\n{\n    public static System.Linq.ParallelQuery AsParallel(this System.Collections.IEnumerable source) => throw null;\n}\n\n// Generated from `System.Linq.ParallelQuery<>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ParallelQuery<TSource> : System.Linq.ParallelQuery, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TSource>\n{\n    public virtual System.Collections.Generic.IEnumerator<TSource> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.ParallelQuery` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ParallelQuery : System.Collections.IEnumerable\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.Queryable` in `System.Linq.Queryable, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstatic public class Queryable\n{\n    public static System.Linq.IQueryable AsQueryable(this System.Collections.IEnumerable source) => throw null;\n}\n\n// Generated from `System.Linq.SystemLinq_GroupingDebugView<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass SystemLinq_GroupingDebugView<TKey,TElement>\n{\n}\n\n// Generated from `System.Linq.SystemLinq_LookupDebugView<,>` in `System.Linq, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass SystemLinq_LookupDebugView<TKey,TElement>\n{\n}\n\nnamespace Expressions\n{\n// Generated from `System.Linq.Expressions.BlockExpressionList` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass BlockExpressionList : System.Collections.IEnumerable, System.Collections.Generic.IList<System.Linq.Expressions.Expression>, System.Collections.Generic.IEnumerable<System.Linq.Expressions.Expression>, System.Collections.Generic.ICollection<System.Linq.Expressions.Expression>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<System.Linq.Expressions.Expression> GetEnumerator() => throw null;\n    public System.Linq.Expressions.Expression this[int index] { get => throw null; set => throw null; }\n    public bool Contains(System.Linq.Expressions.Expression item) => throw null;\n    public bool IsReadOnly { get => throw null; }\n    public bool Remove(System.Linq.Expressions.Expression item) => throw null;\n    public int Count { get => throw null; }\n    public int IndexOf(System.Linq.Expressions.Expression item) => throw null;\n    public void Add(System.Linq.Expressions.Expression item) => throw null;\n    public void Clear() => throw null;\n    public void CopyTo(System.Linq.Expressions.Expression[] array, int index) => throw null;\n    public void Insert(int index, System.Linq.Expressions.Expression item) => throw null;\n    public void RemoveAt(int index) => throw null;\n}\n\n// Generated from `System.Linq.Expressions.Expression` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class Expression\n{\n    public override string ToString() => throw null;\n}\n\n// Generated from `System.Linq.Expressions.ParameterExpression` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ParameterExpression : System.Linq.Expressions.Expression\n{\n}\n\nnamespace Compiler\n{\n// Generated from `System.Linq.Expressions.Compiler.CompilerScope` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass CompilerScope\n{\n}\n\n// Generated from `System.Linq.Expressions.Compiler.ParameterList` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass ParameterList : System.Collections.IEnumerable, System.Collections.Generic.IReadOnlyList<System.Linq.Expressions.ParameterExpression>, System.Collections.Generic.IReadOnlyCollection<System.Linq.Expressions.ParameterExpression>, System.Collections.Generic.IEnumerable<System.Linq.Expressions.ParameterExpression>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<System.Linq.Expressions.ParameterExpression> GetEnumerator() => throw null;\n    public System.Linq.Expressions.ParameterExpression this[int index] { get => throw null; }\n    public int Count { get => throw null; }\n}\n\n}\nnamespace Interpreter\n{\n// Generated from `System.Linq.Expressions.Interpreter.HybridReferenceDictionary<,>` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass HybridReferenceDictionary<TKey,TValue> where TKey: class\n{\n}\n\n// Generated from `System.Linq.Expressions.Interpreter.InstructionArray` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstruct InstructionArray\n{\n}\n\n// Generated from `System.Linq.Expressions.Interpreter.InstructionList` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass InstructionList\n{\n}\n\n// Generated from `System.Linq.Expressions.Interpreter.InterpretedFrameInfo` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstruct InterpretedFrameInfo\n{\n    public override string ToString() => throw null;\n}\n\n// Generated from `System.Linq.Expressions.Interpreter.InterpretedFrame` in `System.Linq.Expressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass InterpretedFrame\n{\n}\n\n}\n}\nnamespace Parallel\n{\n// Generated from `System.Linq.Parallel.CancellableEnumerable` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstatic class CancellableEnumerable\n{\n}\n\n// Generated from `System.Linq.Parallel.ExceptionAggregator` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nstatic class ExceptionAggregator\n{\n}\n\n// Generated from `System.Linq.Parallel.ListChunk<>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass ListChunk<TInputOutput> : System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<TInputOutput>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<TInputOutput> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.Parallel.Lookup<,>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass Lookup<TKey,TElement> : System.Linq.ILookup<TKey,TElement>, System.Collections.IEnumerable, System.Collections.Generic.IEnumerable<System.Linq.IGrouping<TKey,TElement>>\n{\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    public System.Collections.Generic.IEnumerator<System.Linq.IGrouping<TKey,TElement>> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.Parallel.PartitionerQueryOperator<>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass PartitionerQueryOperator<TElement> : System.Linq.Parallel.QueryOperator<TElement>\n{\n}\n\n// Generated from `System.Linq.Parallel.QueryOperator<>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract class QueryOperator<TOutput> : System.Linq.ParallelQuery<TOutput>\n{\n    public override System.Collections.Generic.IEnumerator<TOutput> GetEnumerator() => throw null;\n}\n\n// Generated from `System.Linq.Parallel.QueryResults<>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract class QueryResults<T> : System.Collections.IEnumerable, System.Collections.Generic.IList<T>, System.Collections.Generic.IEnumerable<T>, System.Collections.Generic.ICollection<T>\n{\n    System.Collections.Generic.IEnumerator<T> System.Collections.Generic.IEnumerable<T>.GetEnumerator() => throw null;\n    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator() => throw null;\n    bool System.Collections.Generic.ICollection<T>.Contains(T item) => throw null;\n    bool System.Collections.Generic.ICollection<T>.IsReadOnly { get => throw null; }\n    bool System.Collections.Generic.ICollection<T>.Remove(T item) => throw null;\n    int System.Collections.Generic.IList<T>.IndexOf(T item) => throw null;\n    public T this[int index] { get => throw null; set => throw null; }\n    public int Count { get => throw null; }\n    void System.Collections.Generic.ICollection<T>.Add(T item) => throw null;\n    void System.Collections.Generic.ICollection<T>.Clear() => throw null;\n    void System.Collections.Generic.ICollection<T>.CopyTo(T[] array, int arrayIndex) => throw null;\n    void System.Collections.Generic.IList<T>.Insert(int index, T item) => throw null;\n    void System.Collections.Generic.IList<T>.RemoveAt(int index) => throw null;\n}\n\n// Generated from `System.Linq.Parallel.ZipQueryOperator<,,>` in `System.Linq.Parallel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass ZipQueryOperator<TLeftInput,TRightInput,TOutput> : System.Linq.Parallel.QueryOperator<TOutput>\n{\n}\n\n}\n}\nnamespace Net\n{\n// Generated from `System.Net.CookieCollection` in `System.Net.Primitives, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class CookieCollection : System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.IReadOnlyCollection<System.Net.Cookie>, System.Collections.Generic.IEnumerable<System.Net.Cookie>, System.Collections.Generic.ICollection<System.Net.Cookie>\n{\n    System.Collections.Generic.IEnumerator<System.Net.Cookie> System.Collections.Generic.IEnumerable<System.Net.Cookie>.GetEnumerator() => throw null;\n    public System.Collections.IEnumerator GetEnumerator() => throw null;\n    public bool Contains(System.Net.Cookie cookie) => throw null;\n    public bool IsReadOnly { get => throw null; }\n    public bool IsSynchronized { get => throw null; }\n    public bool Remove(System.Net.Cookie cookie) => throw null;\n    public int Count { get => throw null; }\n    public object SyncRoot { get => throw null; }\n    public void Add(System.Net.Cookie cookie) => throw null;\n    public void Clear() => throw null;\n    public void CopyTo(System.Array array, int index) => throw null;\n    public void CopyTo(System.Net.Cookie[] array, int index) => throw null;\n}\n\n// Generated from `System.Net.Cookie` in `System.Net.Primitives, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Cookie\n{\n    public override bool Equals(object comparand) => throw null;\n    public override int GetHashCode() => throw null;\n    public override string ToString() => throw null;\n}\n\n// Generated from `System.Net.HttpResponseStream` in `System.Net.HttpListener, Version=5.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51`\nclass HttpResponseStream : System.IO.Stream\n{\n    protected override void Dispose(bool disposing) => throw null;\n    public override System.IAsyncResult BeginRead(System.Byte[] buffer, int offset, int size, System.AsyncCallback callback, object state) => throw null;\n    public override System.IAsyncResult BeginWrite(System.Byte[] buffer, int offset, int size, System.AsyncCallback callback, object state) => throw null;\n    public override System.Int64 Length { get => throw null; }\n    public override System.Int64 Position { get => throw null; set => throw null; }\n    public override System.Int64 Seek(System.Int64 offset, System.IO.SeekOrigin origin) => throw null;\n    public override System.Threading.Tasks.Task FlushAsync(System.Threading.CancellationToken cancellationToken) => throw null;\n    public override bool CanRead { get => throw null; }\n    public override bool CanSeek { get => throw null; }\n    public override bool CanWrite { get => throw null; }\n    public override int EndRead(System.IAsyncResult asyncResult) => throw null;\n    public override int Read(System.Byte[] buffer, int offset, int size) => throw null;\n    public override void EndWrite(System.IAsyncResult asyncResult) => throw null;\n    public override void Flush() => throw null;\n    public override void SetLength(System.Int64 value) => throw null;\n    public override void Write(System.Byte[] buffer, int offset, int size) => throw null;\n}\n\n// Generated from `System.Net.StreamFramer` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass StreamFramer\n{\n}\n\nnamespace Security\n{\n// Generated from `System.Net.Security.AuthenticatedStream` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class AuthenticatedStream : System.IO.Stream\n{\n    protected override void Dispose(bool disposing) => throw null;\n    public override System.Threading.Tasks.ValueTask DisposeAsync() => throw null;\n}\n\n// Generated from `System.Net.Security.CipherSuitesPolicy` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class CipherSuitesPolicy\n{\n}\n\n// Generated from `System.Net.Security.NegotiateStream` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class NegotiateStream : System.Net.Security.AuthenticatedStream\n{\n    protected override void Dispose(bool disposing) => throw null;\n    public override System.IAsyncResult BeginRead(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.IAsyncResult BeginWrite(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.Int64 Length { get => throw null; }\n    public override System.Int64 Position { get => throw null; set => throw null; }\n    public override System.Int64 Seek(System.Int64 offset, System.IO.SeekOrigin origin) => throw null;\n    public override System.Threading.Tasks.Task FlushAsync(System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task WriteAsync(System.Byte[] buffer, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task<int> ReadAsync(System.Byte[] buffer, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.ValueTask DisposeAsync() => throw null;\n    public override System.Threading.Tasks.ValueTask WriteAsync(System.ReadOnlyMemory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) => throw null;\n    public override System.Threading.Tasks.ValueTask<int> ReadAsync(System.Memory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) => throw null;\n    public override bool CanRead { get => throw null; }\n    public override bool CanSeek { get => throw null; }\n    public override bool CanTimeout { get => throw null; }\n    public override bool CanWrite { get => throw null; }\n    public override int EndRead(System.IAsyncResult asyncResult) => throw null;\n    public override int Read(System.Byte[] buffer, int offset, int count) => throw null;\n    public override int ReadTimeout { get => throw null; set => throw null; }\n    public override int WriteTimeout { get => throw null; set => throw null; }\n    public override void EndWrite(System.IAsyncResult asyncResult) => throw null;\n    public override void Flush() => throw null;\n    public override void SetLength(System.Int64 value) => throw null;\n    public override void Write(System.Byte[] buffer, int offset, int count) => throw null;\n}\n\n// Generated from `System.Net.Security.SslStream` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class SslStream : System.Net.Security.AuthenticatedStream\n{\n    protected override void Dispose(bool disposing) => throw null;\n    public override System.IAsyncResult BeginRead(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.IAsyncResult BeginWrite(System.Byte[] buffer, int offset, int count, System.AsyncCallback asyncCallback, object asyncState) => throw null;\n    public override System.Int64 Length { get => throw null; }\n    public override System.Int64 Position { get => throw null; set => throw null; }\n    public override System.Int64 Seek(System.Int64 offset, System.IO.SeekOrigin origin) => throw null;\n    public override System.Threading.Tasks.Task FlushAsync(System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task WriteAsync(System.Byte[] buffer, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task<int> ReadAsync(System.Byte[] buffer, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.ValueTask DisposeAsync() => throw null;\n    public override System.Threading.Tasks.ValueTask WriteAsync(System.ReadOnlyMemory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) => throw null;\n    public override System.Threading.Tasks.ValueTask<int> ReadAsync(System.Memory<System.Byte> buffer, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) => throw null;\n    public override bool CanRead { get => throw null; }\n    public override bool CanSeek { get => throw null; }\n    public override bool CanTimeout { get => throw null; }\n    public override bool CanWrite { get => throw null; }\n    public override int EndRead(System.IAsyncResult asyncResult) => throw null;\n    public override int Read(System.Byte[] buffer, int offset, int count) => throw null;\n    public override int ReadByte() => throw null;\n    public override int ReadTimeout { get => throw null; set => throw null; }\n    public override int WriteTimeout { get => throw null; set => throw null; }\n    public override void EndWrite(System.IAsyncResult asyncResult) => throw null;\n    public override void Flush() => throw null;\n    public override void SetLength(System.Int64 value) => throw null;\n    public override void Write(System.Byte[] buffer, int offset, int count) => throw null;\n}\n\n// Generated from `System.Net.Security.TlsCipherSuite` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic enum TlsCipherSuite\n{\n}\n\n// Generated from `System.Net.Security.TlsFrameHelper` in `System.Net.Security, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass TlsFrameHelper\n{\n}\n\n}\nnamespace WebSockets\n{\n// Generated from `System.Net.WebSockets.HttpWebSocket` in `System.Net.HttpListener, Version=5.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51`\nstatic class HttpWebSocket\n{\n}\n\n}\n}\nnamespace Runtime\n{\nnamespace Serialization\n{\n// Generated from `System.Runtime.Serialization.DataContractAttribute` in `System.Runtime.Serialization.Primitives, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class DataContractAttribute : System.Attribute\n{\n    public DataContractAttribute() => throw null;\n}\n\n// Generated from `System.Runtime.Serialization.DataMemberAttribute` in `System.Runtime.Serialization.Primitives, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class DataMemberAttribute : System.Attribute\n{\n    public DataMemberAttribute() => throw null;\n}\n\n}\n}\nnamespace Security\n{\nnamespace Cryptography\n{\n// Generated from `System.Security.Cryptography.CryptoStream` in `System.Security.Cryptography.Primitives, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class CryptoStream : System.IO.Stream, System.IDisposable\n{\n    protected override void Dispose(bool disposing) => throw null;\n    public override System.IAsyncResult BeginRead(System.Byte[] buffer, int offset, int count, System.AsyncCallback callback, object state) => throw null;\n    public override System.IAsyncResult BeginWrite(System.Byte[] buffer, int offset, int count, System.AsyncCallback callback, object state) => throw null;\n    public override System.Int64 Length { get => throw null; }\n    public override System.Int64 Position { get => throw null; set => throw null; }\n    public override System.Int64 Seek(System.Int64 offset, System.IO.SeekOrigin origin) => throw null;\n    public override System.Threading.Tasks.Task FlushAsync(System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task WriteAsync(System.Byte[] buffer, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.Task<int> ReadAsync(System.Byte[] buffer, int offset, int count, System.Threading.CancellationToken cancellationToken) => throw null;\n    public override System.Threading.Tasks.ValueTask DisposeAsync() => throw null;\n    public override bool CanRead { get => throw null; }\n    public override bool CanSeek { get => throw null; }\n    public override bool CanWrite { get => throw null; }\n    public override int EndRead(System.IAsyncResult asyncResult) => throw null;\n    public override int Read(System.Byte[] buffer, int offset, int count) => throw null;\n    public override int ReadByte() => throw null;\n    public override void EndWrite(System.IAsyncResult asyncResult) => throw null;\n    public override void Flush() => throw null;\n    public override void SetLength(System.Int64 value) => throw null;\n    public override void Write(System.Byte[] buffer, int offset, int count) => throw null;\n    public override void WriteByte(System.Byte value) => throw null;\n}\n\n// Generated from `System.Security.Cryptography.HashAlgorithm` in `System.Security.Cryptography.Primitives, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nabstract public class HashAlgorithm : System.Security.Cryptography.ICryptoTransform, System.IDisposable\n{\n    public void Dispose() => throw null;\n}\n\n// Generated from `System.Security.Cryptography.ICryptoTransform` in `System.Security.Cryptography.Primitives, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic interface ICryptoTransform : System.IDisposable\n{\n}\n\n}\n}\nnamespace Text\n{\nnamespace RegularExpressions\n{\n// Generated from `System.Text.RegularExpressions.Capture` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Capture\n{\n    public override string ToString() => throw null;\n}\n\n// Generated from `System.Text.RegularExpressions.CollectionDebuggerProxy<>` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\nclass CollectionDebuggerProxy<T>\n{\n}\n\n// Generated from `System.Text.RegularExpressions.GroupCollection` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class GroupCollection : System.Collections.IList, System.Collections.IEnumerable, System.Collections.ICollection, System.Collections.Generic.IReadOnlyList<System.Text.RegularExpressions.Group>, System.Collections.Generic.IReadOnlyDictionary<string,System.Text.RegularExpressions.Group>, System.Collections.Generic.IReadOnlyCollection<System.Text.RegularExpressions.Group>, System.Collections.Generic.IReadOnlyCollection<System.Collections.Generic.KeyValuePair<string,System.Text.RegularExpressions.Group>>, System.Collections.Generic.IList<System.Text.RegularExpressions.Group>, System.Collections.Generic.IEnumerable<System.Text.RegularExpressions.Group>, System.Collections.Generic.IEnumerable<System.Collections.Generic.KeyValuePair<string,System.Text.RegularExpressions.Group>>, System.Collections.Generic.ICollection<System.Text.RegularExpressions.Group>\n{\n    System.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<string,System.Text.RegularExpressions.Group>> System.Collections.Generic.IEnumerable<System.Collections.Generic.KeyValuePair<string,System.Text.RegularExpressions.Group>>.GetEnumerator() => throw null;\n    System.Collections.Generic.IEnumerator<System.Text.RegularExpressions.Group> System.Collections.Generic.IEnumerable<System.Text.RegularExpressions.Group>.GetEnumerator() => throw null;\n    System.Text.RegularExpressions.Group this[int index] { get => throw null; set => throw null; }\n    bool System.Collections.Generic.ICollection<System.Text.RegularExpressions.Group>.Contains(System.Text.RegularExpressions.Group item) => throw null;\n    bool System.Collections.Generic.ICollection<System.Text.RegularExpressions.Group>.Remove(System.Text.RegularExpressions.Group item) => throw null;\n    bool System.Collections.IList.Contains(object value) => throw null;\n    bool System.Collections.IList.IsFixedSize { get => throw null; }\n    int System.Collections.Generic.IList<System.Text.RegularExpressions.Group>.IndexOf(System.Text.RegularExpressions.Group item) => throw null;\n    int System.Collections.IList.Add(object value) => throw null;\n    int System.Collections.IList.IndexOf(object value) => throw null;\n    object this[int index] { get => throw null; set => throw null; }\n    public System.Collections.Generic.IEnumerable<System.Text.RegularExpressions.Group> Values { get => throw null; }\n    public System.Collections.Generic.IEnumerable<string> Keys { get => throw null; }\n    public System.Collections.IEnumerator GetEnumerator() => throw null;\n    public System.Text.RegularExpressions.Group this[string groupname] { get => throw null; }\n    public bool ContainsKey(string key) => throw null;\n    public bool IsReadOnly { get => throw null; }\n    public bool IsSynchronized { get => throw null; }\n    public bool TryGetValue(string key, out System.Text.RegularExpressions.Group value) => throw null;\n    public int Count { get => throw null; }\n    public object SyncRoot { get => throw null; }\n    public void CopyTo(System.Array array, int arrayIndex) => throw null;\n    public void CopyTo(System.Text.RegularExpressions.Group[] array, int arrayIndex) => throw null;\n    void System.Collections.Generic.ICollection<System.Text.RegularExpressions.Group>.Add(System.Text.RegularExpressions.Group item) => throw null;\n    void System.Collections.Generic.ICollection<System.Text.RegularExpressions.Group>.Clear() => throw null;\n    void System.Collections.Generic.IList<System.Text.RegularExpressions.Group>.Insert(int index, System.Text.RegularExpressions.Group item) => throw null;\n    void System.Collections.Generic.IList<System.Text.RegularExpressions.Group>.RemoveAt(int index) => throw null;\n    void System.Collections.IList.Clear() => throw null;\n    void System.Collections.IList.Insert(int index, object value) => throw null;\n    void System.Collections.IList.Remove(object value) => throw null;\n    void System.Collections.IList.RemoveAt(int index) => throw null;\n}\n\n// Generated from `System.Text.RegularExpressions.Group` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Group : System.Text.RegularExpressions.Capture\n{\n}\n\n// Generated from `System.Text.RegularExpressions.Match` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Match : System.Text.RegularExpressions.Group\n{\n}\n\n// Generated from `System.Text.RegularExpressions.RegexOptions` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\n[System.Flags]\npublic enum RegexOptions\n{\n    IgnoreCase,\n}\n\n// Generated from `System.Text.RegularExpressions.Regex` in `System.Text.RegularExpressions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class Regex : System.Runtime.Serialization.ISerializable\n{\n    public Regex(string pattern) => throw null;\n    public Regex(string pattern, System.Text.RegularExpressions.RegexOptions options, System.TimeSpan matchTimeout) => throw null;\n    public System.Text.RegularExpressions.Match Match(string input) => throw null;\n    public override string ToString() => throw null;\n    public static System.Text.RegularExpressions.Match Match(string input, string pattern) => throw null;\n    public static System.Text.RegularExpressions.Match Match(string input, string pattern, System.Text.RegularExpressions.RegexOptions options, System.TimeSpan matchTimeout) => throw null;\n    public string Replace(string input, string replacement) => throw null;\n    void System.Runtime.Serialization.ISerializable.GetObjectData(System.Runtime.Serialization.SerializationInfo si, System.Runtime.Serialization.StreamingContext context) => throw null;\n}\n\n}\n}\nnamespace Timers\n{\n// Generated from `System.Timers.TimersDescriptionAttribute` in `System.ComponentModel.TypeConverter, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class TimersDescriptionAttribute\n{\n    internal TimersDescriptionAttribute(string description, string defaultValue) => throw null;\n    public TimersDescriptionAttribute(string description) => throw null;\n}\n\n}\nnamespace Windows\n{\nnamespace Markup\n{\n// Generated from `System.Windows.Markup.ValueSerializerAttribute` in `System.ObjectModel, Version=5.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`\npublic class ValueSerializerAttribute : System.Attribute\n{\n    public ValueSerializerAttribute(System.Type valueSerializerType) => throw null;\n    public ValueSerializerAttribute(string valueSerializerTypeName) => throw null;\n}\n\n}\n}\n}\n |

From 3b68c87b6ca85e308a648de716ac94517dc089de Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 3 Jun 2021 13:25:36 +0200
Subject: [PATCH 1310/1429] Python: Add sensitive data test-cases

---
 .../test/experimental/dataflow/sensitive-data/test.py  | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/python/ql/test/experimental/dataflow/sensitive-data/test.py b/python/ql/test/experimental/dataflow/sensitive-data/test.py
index 7db57fff2fa..75e0367e776 100644
--- a/python/ql/test/experimental/dataflow/sensitive-data/test.py
+++ b/python/ql/test/experimental/dataflow/sensitive-data/test.py
@@ -20,14 +20,24 @@ fetch_certificate() # $ SensitiveDataSource=certificate
 account_id() # $ SensitiveDataSource=id
 safe_to_store = encrypt_password(pwd)
 
+f = get_password
+f() # $ SensitiveDataSource=password
+
 # attributes
 foo = ObjectFromDatabase()
 foo.secret # $ SensitiveDataSource=secret
 foo.username # $ SensitiveDataSource=id
 
+# plain variables
+password = some_function()
+print(password) # $ MISSING: SensitiveDataSource=password
+
 # Special handling of lookups of sensitive properties
 request.args["password"], # $ MISSING: SensitiveDataSource=password
 request.args.get("password") # $ SensitiveDataSource=password
 
+x = "password"
+request.args.get(x) # $ SensitiveDataSource=password
+
 # I don't think handling `getlist` is super important, just included it to show what we don't handle
 request.args.getlist("password")[0] # $ MISSING: SensitiveDataSource=password

From d0b6808299d1469e9c9a11f76dca36fcea4deb93 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Wed, 2 Jun 2021 15:52:44 +0200
Subject: [PATCH 1311/1429] Java: Move common CSV logic for sources and sinks
 into shared library

---
 .../code/java/dataflow/ExternalFlow.qll       | 194 +++---------------
 .../dataflow/internal/DataFlowDispatch.qll    |  10 +-
 .../java/dataflow/internal/DataFlowUtil.qll   |   3 +-
 .../dataflow/internal/FlowSummaryImpl.qll     | 121 ++++++++++-
 .../internal/FlowSummaryImplSpecific.qll      | 103 +++++++++-
 .../code/java/dispatch/DispatchFlow.qll       |   1 +
 .../src/semmle/code/java/dispatch/ObjFlow.qll |   1 +
 7 files changed, 256 insertions(+), 177 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 21aa7610de7..45d7dafb7f4 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -68,6 +68,7 @@ import java
 private import semmle.code.java.dataflow.DataFlow::DataFlow
 private import internal.DataFlowPrivate
 private import internal.FlowSummaryImpl::Private::External
+private import internal.FlowSummaryImplSpecific
 private import FlowSummary
 
 /**
@@ -359,7 +360,8 @@ private predicate summaryModel(string row) {
   any(SummaryModelCsv s).row(row)
 }
 
-private predicate sourceModel(
+/** Holds if a source model exists for the given parameters. */
+predicate sourceModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
   string output, string kind
 ) {
@@ -377,7 +379,8 @@ private predicate sourceModel(
   )
 }
 
-private predicate sinkModel(
+/** Holds if a sink model exists for the given parameters. */
+predicate sinkModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
   string input, string kind
 ) {
@@ -395,7 +398,8 @@ private predicate sinkModel(
   )
 }
 
-private predicate summaryModel(
+/** Holds if a summary model exists for the given parameters. */
+predicate summaryModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
   string input, string output, string kind
 ) {
@@ -600,7 +604,8 @@ private Element interpretElement0(
   )
 }
 
-private Element interpretElement(
+/** Gets the source/sink/summary element corresponding to the supplied parameters. */
+Element interpretElement(
   string namespace, string type, boolean subtypes, string name, string signature, string ext
 ) {
   elementSpec(namespace, type, subtypes, name, signature, ext) and
@@ -611,166 +616,25 @@ private Element interpretElement(
   )
 }
 
-private predicate sourceElement(Element e, string output, string kind) {
-  exists(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext
-  |
-    sourceModel(namespace, type, subtypes, name, signature, ext, output, kind) and
-    e = interpretElement(namespace, type, subtypes, name, signature, ext)
-  )
+cached
+private module Cached {
+  /**
+   * Holds if `node` is specified as a source with the given kind in a CSV flow
+   * model.
+   */
+  cached
+  predicate sourceNode(Node node, string kind) {
+    exists(InterpretNode n | isSourceNode(n, kind) and n.asNode() = node)
+  }
+
+  /**
+   * Holds if `node` is specified as a sink with the given kind in a CSV flow
+   * model.
+   */
+  cached
+  predicate sinkNode(Node node, string kind) {
+    exists(InterpretNode n | isSinkNode(n, kind) and n.asNode() = node)
+  }
 }
 
-private predicate sinkElement(Element e, string input, string kind) {
-  exists(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext
-  |
-    sinkModel(namespace, type, subtypes, name, signature, ext, input, kind) and
-    e = interpretElement(namespace, type, subtypes, name, signature, ext)
-  )
-}
-
-/**
- * Holds if an external flow summary exists for `e` with input specification
- * `input`, output specification `output`, and kind `kind`.
- */
-predicate summaryElement(Element e, string input, string output, string kind) {
-  exists(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext
-  |
-    summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind) and
-    e = interpretElement(namespace, type, subtypes, name, signature, ext)
-  )
-}
-
-/** Gets a specification used in a source model, sink model, or summary model. */
-string inOutSpec() {
-  sourceModel(_, _, _, _, _, _, result, _) or
-  sinkModel(_, _, _, _, _, _, result, _) or
-  summaryModel(_, _, _, _, _, _, result, _, _) or
-  summaryModel(_, _, _, _, _, _, _, result, _)
-}
-
-private predicate inputNeedsReference(string c) {
-  c = "Argument" or
-  parseArg(c, _)
-}
-
-private predicate outputNeedsReference(string c) {
-  c = "Argument" or
-  parseArg(c, _) or
-  c = "ReturnValue"
-}
-
-private predicate sourceElementRef(Top ref, string output, string kind) {
-  exists(Element e |
-    sourceElement(e, output, kind) and
-    if outputNeedsReference(specLast(output))
-    then ref.(Call).getCallee().getSourceDeclaration() = e
-    else ref = e
-  )
-}
-
-private predicate sinkElementRef(Top ref, string input, string kind) {
-  exists(Element e |
-    sinkElement(e, input, kind) and
-    if inputNeedsReference(specLast(input))
-    then ref.(Call).getCallee().getSourceDeclaration() = e
-    else ref = e
-  )
-}
-
-private predicate summaryElementRef(Top ref, string input, string output, string kind) {
-  exists(Element e |
-    summaryElement(e, input, output, kind) and
-    if inputNeedsReference(specLast(input))
-    then ref.(Call).getCallee().getSourceDeclaration() = e
-    else ref = e
-  )
-}
-
-private newtype TAstOrNode =
-  TAst(Top t) or
-  TNode(Node n)
-
-private predicate interpretOutput(string output, int idx, Top ref, TAstOrNode node) {
-  (
-    sourceElementRef(ref, output, _) or
-    summaryElementRef(ref, _, output, _)
-  ) and
-  specLength(output, idx) and
-  node = TAst(ref)
-  or
-  exists(Top mid, string c, Node n |
-    interpretOutput(output, idx + 1, ref, TAst(mid)) and
-    specSplit(output, c, idx) and
-    node = TNode(n)
-  |
-    exists(int pos | n.(PostUpdateNode).getPreUpdateNode().(ArgumentNode).argumentOf(mid, pos) |
-      c = "Argument" or parseArg(c, pos)
-    )
-    or
-    exists(int pos | n.(ParameterNode).isParameterOf(mid, pos) |
-      c = "Parameter" or parseParam(c, pos)
-    )
-    or
-    (c = "Parameter" or c = "") and
-    n.asParameter() = mid
-    or
-    c = "ReturnValue" and
-    n.asExpr().(Call) = mid
-    or
-    c = "" and
-    n.asExpr().(FieldRead).getField() = mid
-  )
-}
-
-private predicate interpretInput(string input, int idx, Top ref, TAstOrNode node) {
-  (
-    sinkElementRef(ref, input, _) or
-    summaryElementRef(ref, input, _, _)
-  ) and
-  specLength(input, idx) and
-  node = TAst(ref)
-  or
-  exists(Top mid, string c, Node n |
-    interpretInput(input, idx + 1, ref, TAst(mid)) and
-    specSplit(input, c, idx) and
-    node = TNode(n)
-  |
-    exists(int pos | n.(ArgumentNode).argumentOf(mid, pos) | c = "Argument" or parseArg(c, pos))
-    or
-    exists(ReturnStmt ret |
-      c = "ReturnValue" and
-      n.asExpr() = ret.getResult() and
-      mid = ret.getEnclosingCallable()
-    )
-    or
-    exists(FieldWrite fw |
-      c = "" and
-      fw.getField() = mid and
-      n.asExpr() = fw.getRHS()
-    )
-  )
-}
-
-/**
- * Holds if `node` is specified as a source with the given kind in a CSV flow
- * model.
- */
-predicate sourceNode(Node node, string kind) {
-  exists(Top ref, string output |
-    sourceElementRef(ref, output, kind) and
-    interpretOutput(output, 0, ref, TNode(node))
-  )
-}
-
-/**
- * Holds if `node` is specified as a sink with the given kind in a CSV flow
- * model.
- */
-predicate sinkNode(Node node, string kind) {
-  exists(Top ref, string input |
-    sinkElementRef(ref, input, kind) and
-    interpretInput(input, 0, ref, TNode(node))
-  )
-}
+import Cached
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowDispatch.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
index 2b6179bfc96..8324959190a 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
@@ -4,13 +4,21 @@ private import DataFlowUtil
 private import semmle.code.java.dataflow.InstanceAccess
 private import semmle.code.java.dataflow.FlowSummary
 private import semmle.code.java.dispatch.VirtualDispatch as VirtualDispatch
+private import semmle.code.java.dataflow.internal.FlowSummaryImplSpecific
 
 private module DispatchImpl {
   /** Gets a viable implementation of the target of the given `Call`. */
   Callable viableCallable(Call c) {
     result = VirtualDispatch::viableCallable(c)
     or
-    result.(SummarizedCallable) = c.getCallee().getSourceDeclaration()
+    result = c.getCallee().getSourceDeclaration() and
+    (
+      result instanceof SummarizedCallable
+      or
+      sourceElement(result, _, _)
+      or
+      sinkElement(result, _, _)
+    )
   }
 
   /**
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
index e25ab24cfbb..c630af42acb 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
@@ -9,10 +9,11 @@ private import semmle.code.java.controlflow.Guards
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSteps
 private import semmle.code.java.dataflow.FlowSummary
-import semmle.code.java.dataflow.InstanceAccess
+private import semmle.code.java.dataflow.InstanceAccess
 private import FlowSummaryImpl as FlowSummaryImpl
 private import TaintTrackingUtil as TaintTrackingUtil
 import DataFlowNodes::Public
+import semmle.code.Unit
 
 /** Holds if `n` is an access to an unqualified `this` at `cfgnode`. */
 private predicate thisAccess(Node n, ControlFlowNode cfgnode) {
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
index da6f89071ef..22b4b343524 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
@@ -9,6 +9,7 @@
 private import FlowSummaryImplSpecific
 private import DataFlowImplSpecific::Private
 private import DataFlowImplSpecific::Public
+private import DataFlowImplCommon as DataFlowImplCommon
 
 /** Provides classes and predicates for defining flow summaries. */
 module Public {
@@ -178,7 +179,6 @@ module Public {
  */
 module Private {
   private import Public
-  private import DataFlowImplCommon as DataFlowImplCommon
 
   newtype TSummaryComponent =
     TContentSummaryComponent(Content c) or
@@ -580,6 +580,14 @@ module Private {
    * summaries into a `SummarizedCallable`s.
    */
   module External {
+    /** Holds if `spec` is a relevant external specification. */
+    private predicate relevantSpec(string spec) {
+      summaryElement(_, spec, _, _) or
+      summaryElement(_, _, spec, _) or
+      sourceElement(_, spec, _) or
+      sinkElement(_, spec, _)
+    }
+
     /** Holds if the `n`th component of specification `s` is `c`. */
     predicate specSplit(string s, string c, int n) { relevantSpec(s) and s.splitAt(" of ", n) = c }
 
@@ -629,6 +637,8 @@ module Private {
         or
         exists(int pos | parseParam(c, pos) and result = SummaryComponent::parameter(pos))
         or
+        c = "ReturnValue" and result = SummaryComponent::return(getReturnValueKind())
+        or
         result = interpretComponentSpecific(c)
       )
     }
@@ -664,13 +674,13 @@ module Private {
     }
 
     private class SummarizedCallableExternal extends SummarizedCallable {
-      SummarizedCallableExternal() { externalSummary(this, _, _, _) }
+      SummarizedCallableExternal() { summaryElement(this, _, _, _) }
 
       override predicate propagatesFlow(
         SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
       ) {
         exists(string inSpec, string outSpec, string kind |
-          externalSummary(this, inSpec, outSpec, kind) and
+          summaryElement(this, inSpec, outSpec, kind) and
           interpretSpec(inSpec, 0, input) and
           interpretSpec(outSpec, 0, output)
         |
@@ -686,6 +696,111 @@ module Private {
       specSplit(spec, c, _) and
       not exists(interpretComponent(c))
     }
+
+    private predicate inputNeedsReference(string c) {
+      c = "Argument" or
+      parseArg(c, _)
+    }
+
+    private predicate outputNeedsReference(string c) {
+      c = "Argument" or
+      parseArg(c, _) or
+      c = "ReturnValue"
+    }
+
+    private predicate sourceElementRef(InterpretNode ref, string output, string kind) {
+      exists(SourceOrSinkElement e |
+        sourceElement(e, output, kind) and
+        if outputNeedsReference(specLast(output))
+        then viableCallable(ref.asCall()) = any(InterpretNode n | n.asElement() = e).asCallable()
+        else ref.asElement() = e
+      )
+    }
+
+    private predicate sinkElementRef(InterpretNode ref, string input, string kind) {
+      exists(SourceOrSinkElement e |
+        sinkElement(e, input, kind) and
+        if inputNeedsReference(specLast(input))
+        then viableCallable(ref.asCall()) = any(InterpretNode n | n.asElement() = e).asCallable()
+        else ref.asElement() = e
+      )
+    }
+
+    private predicate interpretOutput(string output, int idx, InterpretNode ref, InterpretNode node) {
+      sourceElementRef(ref, output, _) and
+      specLength(output, idx) and
+      node = ref
+      or
+      exists(InterpretNode mid, string c |
+        interpretOutput(output, idx + 1, ref, mid) and
+        specSplit(output, c, idx)
+      |
+        exists(int pos |
+          node.asNode()
+              .(PostUpdateNode)
+              .getPreUpdateNode()
+              .(ArgumentNode)
+              .argumentOf(mid.asCall(), pos)
+        |
+          c = "Argument" or parseArg(c, pos)
+        )
+        or
+        exists(int pos | node.asNode().(ParameterNode).isParameterOf(mid.asCallable(), pos) |
+          c = "Parameter" or parseParam(c, pos)
+        )
+        or
+        c = "ReturnValue" and
+        node.asNode() = getAnOutNode(mid.asCall(), getReturnValueKind())
+        or
+        interpretOutputSpecific(c, mid, node)
+      )
+    }
+
+    private predicate interpretInput(string input, int idx, InterpretNode ref, InterpretNode node) {
+      sinkElementRef(ref, input, _) and
+      specLength(input, idx) and
+      node = ref
+      or
+      exists(InterpretNode mid, string c |
+        interpretInput(input, idx + 1, ref, mid) and
+        specSplit(input, c, idx)
+      |
+        exists(int pos | node.asNode().(ArgumentNode).argumentOf(mid.asCall(), pos) |
+          c = "Argument" or parseArg(c, pos)
+        )
+        or
+        exists(ReturnNode ret |
+          c = "ReturnValue" and
+          ret = node.asNode() and
+          ret.getKind() = getReturnValueKind() and
+          mid.asCallable() = DataFlowImplCommon::getNodeEnclosingCallable(ret)
+        )
+        or
+        interpretInputSpecific(c, mid, node)
+      )
+    }
+
+    /**
+     * Holds if `node` is specified as a source with the given kind in a CSV flow
+     * model.
+     */
+    predicate isSourceNode(InterpretNode node, string kind) {
+      exists(InterpretNode ref, string output |
+        sourceElementRef(ref, output, kind) and
+        interpretOutput(output, 0, ref, node)
+      )
+    }
+
+    /**
+     * Holds if `node` is specified as a sink with the given kind in a CSV flow
+     * model.
+     */
+    predicate isSinkNode(InterpretNode node, string kind) {
+      exists(InterpretNode ref, string input |
+        sinkElementRef(ref, input, kind) and
+        interpretInput(input, 0, ref, node)
+      )
+    }
   }
 
   /** Provides a query predicate for outputting a set of relevant flow summaries. */
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
index 327ddfb50dd..61e04946a4e 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
@@ -51,22 +51,22 @@ DataFlowType getCallbackParameterType(DataFlowType t, int i) { none() }
  */
 DataFlowType getCallbackReturnType(DataFlowType t, ReturnKind rk) { none() }
 
-/** Holds if `spec` is a relevant external specification. */
-predicate relevantSpec(string spec) { spec = inOutSpec() }
-
 /**
  * Holds if an external flow summary exists for `c` with input specification
  * `input`, output specification `output`, and kind `kind`.
  */
-predicate externalSummary(DataFlowCallable c, string input, string output, string kind) {
-  summaryElement(c, input, output, kind)
+predicate summaryElement(DataFlowCallable c, string input, string output, string kind) {
+  exists(
+    string namespace, string type, boolean subtypes, string name, string signature, string ext
+  |
+    summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind) and
+    c = interpretElement(namespace, type, subtypes, name, signature, ext)
+  )
 }
 
 /** Gets the summary component for specification component `c`, if any. */
 bindingset[c]
 SummaryComponent interpretComponentSpecific(string c) {
-  c = "ReturnValue" and result = SummaryComponent::return(_)
-  or
   c = "ArrayElement" and result = SummaryComponent::content(any(ArrayContent c0))
   or
   c = "Element" and result = SummaryComponent::content(any(CollectionContent c0))
@@ -75,3 +75,92 @@ SummaryComponent interpretComponentSpecific(string c) {
   or
   c = "MapValue" and result = SummaryComponent::content(any(MapValueContent c0))
 }
+
+class SourceOrSinkElement = Top;
+
+/**
+ * Holds if an external source specification exists for `e` with output specification
+ * `output` and kind `kind`.
+ */
+predicate sourceElement(SourceOrSinkElement e, string output, string kind) {
+  exists(
+    string namespace, string type, boolean subtypes, string name, string signature, string ext
+  |
+    sourceModel(namespace, type, subtypes, name, signature, ext, output, kind) and
+    e = interpretElement(namespace, type, subtypes, name, signature, ext)
+  )
+}
+
+/**
+ * Holds if an external sink specification exists for `e` with input specification
+ * `input` and kind `kind`.
+ */
+predicate sinkElement(SourceOrSinkElement e, string input, string kind) {
+  exists(
+    string namespace, string type, boolean subtypes, string name, string signature, string ext
+  |
+    sinkModel(namespace, type, subtypes, name, signature, ext, input, kind) and
+    e = interpretElement(namespace, type, subtypes, name, signature, ext)
+  )
+}
+
+/** Gets the return kind corresponding to specification `"ReturnValue"`. */
+ReturnKind getReturnValueKind() { any() }
+
+private newtype TInterpretNode =
+  TElement(SourceOrSinkElement n) or
+  TNode(Node n)
+
+/** An entity used to interpret a source/sink specification. */
+class InterpretNode extends TInterpretNode {
+  /** Gets the element that this node corresponds to, if any. */
+  SourceOrSinkElement asElement() { this = TElement(result) }
+
+  /** Gets the data-flow node that this node corresponds to, if any. */
+  Node asNode() { this = TNode(result) }
+
+  /** Gets the call that this node corresponds to, if any. */
+  DataFlowCall asCall() { result = this.asElement() }
+
+  /** Gets the callable that this node corresponds to, if any. */
+  DataFlowCallable asCallable() { result = this.asElement() }
+
+  /** Gets a textual representation of this node. */
+  string toString() {
+    result = this.asElement().toString()
+    or
+    result = this.asNode().toString()
+  }
+
+  /** Gets the location of this node. */
+  Location getLocation() {
+    result = this.asElement().getLocation()
+    or
+    result = this.asNode().getLocation()
+  }
+}
+
+/** Provides additional sink specification logic required for annotations. */
+pragma[inline]
+predicate interpretOutputSpecific(string c, InterpretNode mid, InterpretNode node) {
+  exists(Node n, Top ast |
+    n = node.asNode() and
+    ast = mid.asElement()
+  |
+    (c = "Parameter" or c = "") and
+    node.asNode().asParameter() = mid.asElement()
+    or
+    c = "" and
+    n.asExpr().(FieldRead).getField() = ast
+  )
+}
+
+/** Provides additional source specification logic required for annotations. */
+pragma[inline]
+predicate interpretInputSpecific(string c, InterpretNode mid, InterpretNode n) {
+  exists(FieldWrite fw |
+    c = "" and
+    fw.getField() = mid.asElement() and
+    n.asNode().asExpr() = fw.getRHS()
+  )
+}
diff --git a/java/ql/src/semmle/code/java/dispatch/DispatchFlow.qll b/java/ql/src/semmle/code/java/dispatch/DispatchFlow.qll
index 28de0cf8eed..45b41bff87c 100644
--- a/java/ql/src/semmle/code/java/dispatch/DispatchFlow.qll
+++ b/java/ql/src/semmle/code/java/dispatch/DispatchFlow.qll
@@ -11,6 +11,7 @@ private import VirtualDispatch
 private import semmle.code.java.dataflow.internal.BaseSSA
 private import semmle.code.java.dataflow.internal.DataFlowUtil
 private import semmle.code.java.dataflow.internal.DataFlowPrivate
+private import semmle.code.java.dataflow.InstanceAccess
 private import semmle.code.java.Collections
 private import semmle.code.java.Maps
 
diff --git a/java/ql/src/semmle/code/java/dispatch/ObjFlow.qll b/java/ql/src/semmle/code/java/dispatch/ObjFlow.qll
index 9ec77acf2c7..44a2d47ca41 100644
--- a/java/ql/src/semmle/code/java/dispatch/ObjFlow.qll
+++ b/java/ql/src/semmle/code/java/dispatch/ObjFlow.qll
@@ -14,6 +14,7 @@ private import semmle.code.java.dataflow.internal.BaseSSA
 private import semmle.code.java.dataflow.internal.DataFlowUtil
 private import semmle.code.java.dataflow.internal.DataFlowPrivate
 private import semmle.code.java.dataflow.internal.ContainerFlow
+private import semmle.code.java.dataflow.InstanceAccess
 
 /**
  * Gets a viable dispatch target for `ma`. This is the input dispatch relation.

From cc02c95092900962a4c41c3ebd3128484973f61a Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Wed, 2 Jun 2021 15:58:00 +0200
Subject: [PATCH 1312/1429] C#: Sync files

---
 .../dataflow/internal/FlowSummaryImpl.qll     | 121 +++++++++++++++++-
 .../internal/FlowSummaryImplSpecific.qll      |  82 +++++++++++-
 2 files changed, 194 insertions(+), 9 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
index da6f89071ef..22b4b343524 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
@@ -9,6 +9,7 @@
 private import FlowSummaryImplSpecific
 private import DataFlowImplSpecific::Private
 private import DataFlowImplSpecific::Public
+private import DataFlowImplCommon as DataFlowImplCommon
 
 /** Provides classes and predicates for defining flow summaries. */
 module Public {
@@ -178,7 +179,6 @@ module Public {
  */
 module Private {
   private import Public
-  private import DataFlowImplCommon as DataFlowImplCommon
 
   newtype TSummaryComponent =
     TContentSummaryComponent(Content c) or
@@ -580,6 +580,14 @@ module Private {
    * summaries into a `SummarizedCallable`s.
    */
   module External {
+    /** Holds if `spec` is a relevant external specification. */
+    private predicate relevantSpec(string spec) {
+      summaryElement(_, spec, _, _) or
+      summaryElement(_, _, spec, _) or
+      sourceElement(_, spec, _) or
+      sinkElement(_, spec, _)
+    }
+
     /** Holds if the `n`th component of specification `s` is `c`. */
     predicate specSplit(string s, string c, int n) { relevantSpec(s) and s.splitAt(" of ", n) = c }
 
@@ -629,6 +637,8 @@ module Private {
         or
         exists(int pos | parseParam(c, pos) and result = SummaryComponent::parameter(pos))
         or
+        c = "ReturnValue" and result = SummaryComponent::return(getReturnValueKind())
+        or
         result = interpretComponentSpecific(c)
       )
     }
@@ -664,13 +674,13 @@ module Private {
     }
 
     private class SummarizedCallableExternal extends SummarizedCallable {
-      SummarizedCallableExternal() { externalSummary(this, _, _, _) }
+      SummarizedCallableExternal() { summaryElement(this, _, _, _) }
 
       override predicate propagatesFlow(
         SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
       ) {
         exists(string inSpec, string outSpec, string kind |
-          externalSummary(this, inSpec, outSpec, kind) and
+          summaryElement(this, inSpec, outSpec, kind) and
           interpretSpec(inSpec, 0, input) and
           interpretSpec(outSpec, 0, output)
         |
@@ -686,6 +696,111 @@ module Private {
       specSplit(spec, c, _) and
       not exists(interpretComponent(c))
     }
+
+    private predicate inputNeedsReference(string c) {
+      c = "Argument" or
+      parseArg(c, _)
+    }
+
+    private predicate outputNeedsReference(string c) {
+      c = "Argument" or
+      parseArg(c, _) or
+      c = "ReturnValue"
+    }
+
+    private predicate sourceElementRef(InterpretNode ref, string output, string kind) {
+      exists(SourceOrSinkElement e |
+        sourceElement(e, output, kind) and
+        if outputNeedsReference(specLast(output))
+        then viableCallable(ref.asCall()) = any(InterpretNode n | n.asElement() = e).asCallable()
+        else ref.asElement() = e
+      )
+    }
+
+    private predicate sinkElementRef(InterpretNode ref, string input, string kind) {
+      exists(SourceOrSinkElement e |
+        sinkElement(e, input, kind) and
+        if inputNeedsReference(specLast(input))
+        then viableCallable(ref.asCall()) = any(InterpretNode n | n.asElement() = e).asCallable()
+        else ref.asElement() = e
+      )
+    }
+
+    private predicate interpretOutput(string output, int idx, InterpretNode ref, InterpretNode node) {
+      sourceElementRef(ref, output, _) and
+      specLength(output, idx) and
+      node = ref
+      or
+      exists(InterpretNode mid, string c |
+        interpretOutput(output, idx + 1, ref, mid) and
+        specSplit(output, c, idx)
+      |
+        exists(int pos |
+          node.asNode()
+              .(PostUpdateNode)
+              .getPreUpdateNode()
+              .(ArgumentNode)
+              .argumentOf(mid.asCall(), pos)
+        |
+          c = "Argument" or parseArg(c, pos)
+        )
+        or
+        exists(int pos | node.asNode().(ParameterNode).isParameterOf(mid.asCallable(), pos) |
+          c = "Parameter" or parseParam(c, pos)
+        )
+        or
+        c = "ReturnValue" and
+        node.asNode() = getAnOutNode(mid.asCall(), getReturnValueKind())
+        or
+        interpretOutputSpecific(c, mid, node)
+      )
+    }
+
+    private predicate interpretInput(string input, int idx, InterpretNode ref, InterpretNode node) {
+      sinkElementRef(ref, input, _) and
+      specLength(input, idx) and
+      node = ref
+      or
+      exists(InterpretNode mid, string c |
+        interpretInput(input, idx + 1, ref, mid) and
+        specSplit(input, c, idx)
+      |
+        exists(int pos | node.asNode().(ArgumentNode).argumentOf(mid.asCall(), pos) |
+          c = "Argument" or parseArg(c, pos)
+        )
+        or
+        exists(ReturnNode ret |
+          c = "ReturnValue" and
+          ret = node.asNode() and
+          ret.getKind() = getReturnValueKind() and
+          mid.asCallable() = DataFlowImplCommon::getNodeEnclosingCallable(ret)
+        )
+        or
+        interpretInputSpecific(c, mid, node)
+      )
+    }
+
+    /**
+     * Holds if `node` is specified as a source with the given kind in a CSV flow
+     * model.
+     */
+    predicate isSourceNode(InterpretNode node, string kind) {
+      exists(InterpretNode ref, string output |
+        sourceElementRef(ref, output, kind) and
+        interpretOutput(output, 0, ref, node)
+      )
+    }
+
+    /**
+     * Holds if `node` is specified as a sink with the given kind in a CSV flow
+     * model.
+     */
+    predicate isSinkNode(InterpretNode node, string kind) {
+      exists(InterpretNode ref, string input |
+        sinkElementRef(ref, input, kind) and
+        interpretInput(input, 0, ref, node)
+      )
+    }
   }
 
   /** Provides a query predicate for outputting a set of relevant flow summaries. */
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll
index 5568b8d3368..4764ed17c22 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll
@@ -78,20 +78,15 @@ DataFlowType getCallbackReturnType(DataFlowType t, ReturnKind rk) {
   )
 }
 
-/** Holds if `spec` is a relevant external specification. */
-predicate relevantSpec(string spec) { none() }
-
 /**
  * Holds if an external flow summary exists for `c` with input specification
  * `input`, output specification `output`, and kind `kind`.
  */
-predicate externalSummary(DataFlowCallable c, string input, string output, string kind) { none() }
+predicate summaryElement(DataFlowCallable c, string input, string output, string kind) { none() }
 
 /** Gets the summary component for specification component `c`, if any. */
 bindingset[c]
 SummaryComponent interpretComponentSpecific(string c) {
-  c = "ReturnValue" and result = SummaryComponent::return(any(NormalReturnKind nrk))
-  or
   c = "Element" and result = SummaryComponent::content(any(ElementContent ec))
   or
   exists(Field f |
@@ -104,3 +99,78 @@ SummaryComponent interpretComponentSpecific(string c) {
     result = SummaryComponent::content(any(PropertyContent pc | pc.getProperty() = p))
   )
 }
+
+class SourceOrSinkElement = Element;
+
+/**
+ * Holds if an external source specification exists for `e` with output specification
+ * `output` and kind `kind`.
+ */
+predicate sourceElement(Element e, string output, string kind) { none() }
+
+/**
+ * Holds if an external sink specification exists for `n` with input specification
+ * `input` and kind `kind`.
+ */
+predicate sinkElement(Element e, string input, string kind) { none() }
+
+/** Gets the return kind corresponding to specification `"ReturnValue"`. */
+NormalReturnKind getReturnValueKind() { any() }
+
+private newtype TInterpretNode =
+  TElement_(Element n) or
+  TNode_(Node n) or
+  TDataFlowCall_(DataFlowCall c)
+
+/** An entity used to interpret a source/sink specification. */
+class InterpretNode extends TInterpretNode {
+  /** Gets the element that this node corresponds to, if any. */
+  SourceOrSinkElement asElement() { this = TElement_(result) }
+
+  /** Gets the data-flow node that this node corresponds to, if any. */
+  Node asNode() { this = TNode_(result) }
+
+  /** Gets the call that this node corresponds to, if any. */
+  DataFlowCall asCall() { this = TDataFlowCall_(result) }
+
+  /** Gets the callable that this node corresponds to, if any. */
+  DataFlowCallable asCallable() { result = this.asElement() }
+
+  /** Gets a textual representation of this node. */
+  string toString() {
+    result = this.asElement().toString()
+    or
+    result = this.asNode().toString()
+    or
+    result = this.asCall().toString()
+  }
+
+  /** Gets the location of this node. */
+  Location getLocation() {
+    result = this.asElement().getLocation()
+    or
+    result = this.asNode().getLocation()
+    or
+    result = this.asCall().getLocation()
+  }
+}
+
+/** Provides additional sink specification logic required for attributes. */
+predicate interpretOutputSpecific(string c, InterpretNode mid, InterpretNode node) {
+  exists(Node n | n = node.asNode() |
+    (c = "Parameter" or c = "") and
+    n.asParameter() = mid.asElement()
+    or
+    c = "" and
+    n.asExpr().(AssignableRead).getTarget().getUnboundDeclaration() = mid.asElement()
+  )
+}
+
+/** Provides additional sink specification logic required for attributes. */
+predicate interpretInputSpecific(string c, InterpretNode mid, InterpretNode n) {
+  c = "" and
+  exists(Assignable a |
+    n.asNode().asExpr() = a.getAnAssignedValue() and
+    a.getUnboundDeclaration() = mid.asElement()
+  )
+}

From 7e778bc008243f56cd2d8de78b64d161a3ec34ff Mon Sep 17 00:00:00 2001
From: Marcono1234 <Marcono1234@users.noreply.github.com>
Date: Tue, 27 Apr 2021 18:54:52 +0200
Subject: [PATCH 1313/1429] Java: Override toString() for statements

Additionally remove redundant QLDoc which is inherited anyways.
---
 java/ql/src/semmle/code/java/Statement.qll    |  102 +-
 .../test/library-tests/JDK/PrintAst.expected  |   32 +-
 .../library-tests/arrays/PrintAst.expected    |    8 +-
 .../collections/PrintAst.expected             |    4 +-
 .../library-tests/comments/PrintAst.expected  |    8 +-
 .../library-tests/constants/PrintAst.expected |  188 +--
 .../constructors/PrintAst.expected            |   16 +-
 .../controlflow/basic/bbStmts.expected        |  248 ++--
 .../basic/bbStrictDominance.expected          |  242 ++--
 .../controlflow/basic/bbSuccessor.expected    |   58 +-
 .../basic/strictDominance.expected            | 1256 ++++++++---------
 .../basic/strictPostDominance.expected        |  464 +++---
 .../controlflow/dominance/dominator.expected  |  206 +--
 .../dependency/PrintAst.expected              |   10 +-
 .../library-tests/generics/PrintAst.expected  |    4 +-
 .../test/library-tests/guards/guards.expected |   70 +-
 .../library-tests/guards/guardslogic.expected |   76 +-
 .../library-tests/guards12/PrintAst.expected  |   10 +-
 .../library-tests/guards12/guard.expected     |    2 +-
 .../java7/MultiCatch/MultiCatch.expected      |    8 +-
 .../MultiCatch/MultiCatchControlFlow.expected |   80 +-
 .../java7/MultiCatch/PrintAst.expected        |   52 +-
 .../library-tests/javadoc/PrintAst.expected   |    6 +-
 .../LocalVarDeclStmtChildren.expected         |   22 +-
 .../localvars/TypeAccesses.expected           |   16 +-
 .../library-tests/modifiers/PrintAst.expected |    4 +-
 .../library-tests/printAst/PrintAst.expected  |   50 +-
 .../reflection/PrintAst.expected              |   12 +-
 .../ql/test/library-tests/ssa/ssaDef.expected |   54 +-
 .../ql/test/library-tests/ssa/ssaPhi.expected |   34 +-
 .../ql/test/library-tests/ssa/ssaUse.expected |   56 +-
 .../library-tests/stmts/JumpTargets.expected  |   18 +-
 .../library-tests/stmts/SwitchCases.expected  |   12 +-
 .../CloseReaderTest/TestSucc.expected         |   36 +-
 .../LoopVarReadTest/FalseSuccessors.expected  |    2 +-
 .../LoopVarReadTest/TestSucc.expected         |   24 +-
 .../SaveFileTest/FalseSuccessors.expected     |    4 +-
 .../successors/SaveFileTest/TestSucc.expected |  112 +-
 .../SchackTest/FalseSuccessors.expected       |   10 +-
 .../successors/SchackTest/TestSucc.expected   |   96 +-
 .../TestBreak/FalseSuccessors.expected        |   10 +-
 .../successors/TestBreak/TestSucc.expected    |  200 +--
 .../TestContinue/FalseSuccessors.expected     |   18 +-
 .../successors/TestContinue/TestSucc.expected |  134 +-
 .../TestDeclarations/FalseSuccessors.expected |    4 +-
 .../TestDeclarations/TestSucc.expected        |   70 +-
 .../TestFinally/FalseSuccessors.expected      |   30 +-
 .../successors/TestFinally/TestSucc.expected  |  444 +++---
 .../FalseSuccessors.expected                  |   12 +-
 .../TestSucc.expected                         |  212 +--
 .../TestLoopBranch/FalseSuccessors.expected   |   10 +-
 .../TestLoopBranch/TestSucc.expected          |  286 ++--
 .../TestThrow/FalseSuccessors.expected        |   24 +-
 .../successors/TestThrow/TestSucc.expected    |  348 ++---
 .../successors/TestThrow2/TestSucc.expected   |   26 +-
 .../TestTryCatch/FalseSuccessors.expected     |    2 +-
 .../successors/TestTryCatch/TestSucc.expected |  122 +-
 .../TestTryWithResources/TestSucc.expected    |   42 +-
 .../typeaccesses/PrintAst.expected            |   36 +-
 .../UnreachableBlocks.expected                |   18 +-
 .../library-tests/varargs/PrintAst.expected   |   16 +-
 .../query-tests/BusyWait/BusyWait.expected    |    4 +-
 .../ConstantLoopCondition.expected            |    8 +-
 .../ContinueInFalseLoop.expected              |    6 +-
 .../Declarations/BreakInSwitchCase.expected   |    4 +-
 .../DoubleCheckedLocking.expected             |    6 +-
 .../Finally/FinallyMayNotComplete.expected    |   14 +-
 .../MissedTernaryOpportunity.expected         |   12 +-
 .../PartiallyMaskedCatch.expected             |   12 +-
 .../query-tests/UseBraces/UseBraces.expected  |   28 +-
 .../returnstatement.expected                  |    2 +-
 .../semmle/tests/InfiniteLoop.expected        |    2 +-
 72 files changed, 2935 insertions(+), 2939 deletions(-)

diff --git a/java/ql/src/semmle/code/java/Statement.qll b/java/ql/src/semmle/code/java/Statement.qll
index 97a09ac4e6b..12e894cf073 100755
--- a/java/ql/src/semmle/code/java/Statement.qll
+++ b/java/ql/src/semmle/code/java/Statement.qll
@@ -73,10 +73,10 @@ class BlockStmt extends Stmt, @block {
   /** Gets the last statement in this block. */
   Stmt getLastStmt() { result = getStmt(getNumStmt() - 1) }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = "{ ... }" }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
+  override string toString() { result = "{ ... }" }
+
   override string getHalsteadID() { result = "BlockStmt" }
 
   override string getAPrimaryQlClass() { result = "BlockStmt" }
@@ -130,14 +130,14 @@ class IfStmt extends ConditionalStmt, @ifstmt {
   /** Gets the `else` branch of this `if` statement. */
   Stmt getElse() { result.isNthChildOf(this, 2) }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() {
     result = "if (...) " + this.getThen().pp() + " else " + this.getElse().pp()
     or
     not exists(this.getElse()) and result = "if (...) " + this.getThen().pp()
   }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
+  override string toString() { result = "if (...)" }
+
   override string getHalsteadID() { result = "IfStmt" }
 
   override string getAPrimaryQlClass() { result = "IfStmt" }
@@ -201,10 +201,10 @@ class ForStmt extends ConditionalStmt, @forstmt {
     getCondition().getAChildExpr*() = result.getAnAccess()
   }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = "for (...;...;...) " + this.getStmt().pp() }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
+  override string toString() { result = "for (...)" }
+
   override string getHalsteadID() { result = "ForStmt" }
 
   override string getAPrimaryQlClass() { result = "ForStmt" }
@@ -221,10 +221,10 @@ class EnhancedForStmt extends Stmt, @enhancedforstmt {
   /** Gets the body of this enhanced `for` loop. */
   Stmt getStmt() { result.getParent() = this }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
-  override string pp() { result = "for (...) " + this.getStmt().pp() }
+  override string pp() { result = "for (... : ...) " + this.getStmt().pp() }
+
+  override string toString() { result = "for (... : ...)" }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
   override string getHalsteadID() { result = "EnhancedForStmt" }
 
   override string getAPrimaryQlClass() { result = "EnhancedForStmt" }
@@ -244,10 +244,10 @@ class WhileStmt extends ConditionalStmt, @whilestmt {
    */
   deprecated override Stmt getTrueSuccessor() { result = getStmt() }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = "while (...) " + this.getStmt().pp() }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
+  override string toString() { result = "while (...)" }
+
   override string getHalsteadID() { result = "WhileStmt" }
 
   override string getAPrimaryQlClass() { result = "WhileStmt" }
@@ -267,10 +267,10 @@ class DoStmt extends ConditionalStmt, @dostmt {
    */
   deprecated override Stmt getTrueSuccessor() { result = getStmt() }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = "do " + this.getStmt().pp() + " while (...)" }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
+  override string toString() { result = "do ... while (...)" }
+
   override string getHalsteadID() { result = "DoStmt" }
 
   override string getAPrimaryQlClass() { result = "DoStmt" }
@@ -356,10 +356,10 @@ class TryStmt extends Stmt, @trystmt {
     result = getAResourceExpr().getVariable()
   }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = "try " + this.getBlock().pp() + " catch (...)" }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
+  override string toString() { result = "try ..." }
+
   override string getHalsteadID() { result = "TryStmt" }
 
   override string getAPrimaryQlClass() { result = "TryStmt" }
@@ -387,10 +387,10 @@ class CatchClause extends Stmt, @catchclause {
     )
   }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = "catch (...) " + this.getBlock().pp() }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
+  override string toString() { result = "catch (...)" }
+
   override string getHalsteadID() { result = "CatchClause" }
 
   override string getAPrimaryQlClass() { result = "CatchClause" }
@@ -422,10 +422,10 @@ class SwitchStmt extends Stmt, @switchstmt {
   /** Gets the expression of this `switch` statement. */
   Expr getExpr() { result.getParent() = this }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = "switch (...)" }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
+  override string toString() { result = "switch (...)" }
+
   override string getHalsteadID() { result = "SwitchStmt" }
 
   override string getAPrimaryQlClass() { result = "SwitchStmt" }
@@ -485,10 +485,10 @@ class ConstCase extends SwitchCase {
    */
   Expr getValue(int i) { result.getParent() = this and result.getIndex() = i and i >= 0 }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = "case ..." }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
+  override string toString() { result = "case ..." }
+
   override string getHalsteadID() { result = "ConstCase" }
 
   override string getAPrimaryQlClass() { result = "ConstCase" }
@@ -498,10 +498,10 @@ class ConstCase extends SwitchCase {
 class DefaultCase extends SwitchCase {
   DefaultCase() { not exists(Expr e | e.getParent() = this | e.getIndex() >= 0) }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = "default" }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
+  override string toString() { result = "default" }
+
   override string getHalsteadID() { result = "DefaultCase" }
 
   override string getAPrimaryQlClass() { result = "DefaultCase" }
@@ -515,10 +515,10 @@ class SynchronizedStmt extends Stmt, @synchronizedstmt {
   /** Gets the block of this `synchronized` statement. */
   Stmt getBlock() { result.getParent() = this }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = "synchronized (...) " + this.getBlock().pp() }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
+  override string toString() { result = "synchronized (...)" }
+
   override string getHalsteadID() { result = "SynchronizedStmt" }
 
   override string getAPrimaryQlClass() { result = "SynchronizedStmt" }
@@ -529,10 +529,10 @@ class ReturnStmt extends Stmt, @returnstmt {
   /** Gets the expression returned by this `return` statement, if any. */
   Expr getResult() { result.getParent() = this }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = "return ..." }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
+  override string toString() { result = "return ..." }
+
   override string getHalsteadID() { result = "ReturnStmt" }
 
   override string getAPrimaryQlClass() { result = "ReturnStmt" }
@@ -543,10 +543,10 @@ class ThrowStmt extends Stmt, @throwstmt {
   /** Gets the expression thrown by this `throw` statement. */
   Expr getExpr() { result.getParent() = this }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = "throw ..." }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
+  override string toString() { result = "throw ..." }
+
   override string getHalsteadID() { result = "ThrowStmt" }
 
   /** Gets the type of the expression thrown by this `throw` statement. */
@@ -638,12 +638,12 @@ class BreakStmt extends Stmt, @breakstmt {
   /** Holds if this `break` statement has an explicit label. */
   predicate hasLabel() { exists(string s | s = this.getLabel()) }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() {
     if this.hasLabel() then result = "break " + this.getLabel() else result = "break"
   }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
+  override string toString() { result = "break" }
+
   override string getHalsteadID() { result = "BreakStmt" }
 
   override string getAPrimaryQlClass() { result = "BreakStmt" }
@@ -660,6 +660,8 @@ class YieldStmt extends Stmt, @yieldstmt {
 
   override string pp() { result = "yield ..." }
 
+  override string toString() { result = "yield ..." }
+
   override string getHalsteadID() { result = "YieldStmt" }
 
   override string getAPrimaryQlClass() { result = "YieldStmt" }
@@ -673,12 +675,12 @@ class ContinueStmt extends Stmt, @continuestmt {
   /** Holds if this `continue` statement has an explicit label. */
   predicate hasLabel() { exists(string s | s = this.getLabel()) }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() {
     if this.hasLabel() then result = "continue " + this.getLabel() else result = "continue"
   }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
+  override string toString() { result = "continue" }
+
   override string getHalsteadID() { result = "ContinueStmt" }
 
   override string getAPrimaryQlClass() { result = "ContinueStmt" }
@@ -686,10 +688,10 @@ class ContinueStmt extends Stmt, @continuestmt {
 
 /** The empty statement. */
 class EmptyStmt extends Stmt, @emptystmt {
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = ";" }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
+  override string toString() { result = ";" }
+
   override string getHalsteadID() { result = "EmptyStmt" }
 
   override string getAPrimaryQlClass() { result = "EmptyStmt" }
@@ -704,10 +706,10 @@ class ExprStmt extends Stmt, @exprstmt {
   /** Gets the expression of this expression statement. */
   Expr getExpr() { result.getParent() = this }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = "...;" }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
+  override string toString() { result = "...;" }
+
   override string getHalsteadID() { result = "ExprStmt" }
 
   /** Holds if this statement represents a field declaration with an initializer. */
@@ -733,12 +735,12 @@ class LabeledStmt extends Stmt, @labeledstmt {
   /** Gets the label of this labeled statement. */
   string getLabel() { namestrings(result, _, this) }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = this.getLabel() + ": " + this.getStmt().pp() }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
   override string getHalsteadID() { result = this.getLabel() + ":" }
 
+  override string toString() { result = "labeled statement" }
+
   override string getAPrimaryQlClass() { result = "LabeledStmt" }
 }
 
@@ -750,12 +752,12 @@ class AssertStmt extends Stmt, @assertstmt {
   /** Gets the assertion message expression, if any. */
   Expr getMessage() { exprs(result, _, _, this, _) and result.getIndex() = 1 }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() {
     if exists(this.getMessage()) then result = "assert ... : ..." else result = "assert ..."
   }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
+  override string toString() { result = "assert ..." }
+
   override string getHalsteadID() { result = "AssertStmt" }
 
   override string getAPrimaryQlClass() { result = "AssertStmt" }
@@ -775,10 +777,10 @@ class LocalVariableDeclStmt extends Stmt, @localvariabledeclstmt {
   /** Gets an index of a variable declared in this local variable declaration statement. */
   int getAVariableIndex() { exists(getVariable(result)) }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = "local variable declaration" }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
+  override string toString() { result = "local variable declaration" }
+
   override string getHalsteadID() { result = "LocalVariableDeclStmt" }
 
   override string getAPrimaryQlClass() { result = "LocalVariableDeclStmt" }
@@ -789,10 +791,10 @@ class LocalClassDeclStmt extends Stmt, @localclassdeclstmt {
   /** Gets the local class declared by this statement. */
   LocalClass getLocalClass() { isLocalClass(result, this) }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = "local class declaration: " + this.getLocalClass().toString() }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
+  override string toString() { result = "local class declaration" }
+
   override string getHalsteadID() { result = "LocalClassDeclStmt" }
 
   override string getAPrimaryQlClass() { result = "LocalClassDeclStmt" }
@@ -829,13 +831,10 @@ class ThisConstructorInvocationStmt extends Stmt, ConstructorCall, @constructori
   /** Gets the immediately enclosing statement of this constructor invocation. */
   override Stmt getEnclosingStmt() { result = this }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = "this(...)" }
 
-  /** Gets a printable representation of this statement. */
-  override string toString() { result = pp() }
+  override string toString() { result = "this(...)" }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
   override string getHalsteadID() { result = "ConstructorInvocationStmt" }
 
   override string getAPrimaryQlClass() { result = "ThisConstructorInvocationStmt" }
@@ -873,13 +872,10 @@ class SuperConstructorInvocationStmt extends Stmt, ConstructorCall, @superconstr
   /** Gets the immediately enclosing statement of this constructor invocation. */
   override Stmt getEnclosingStmt() { result = this }
 
-  /** Gets a printable representation of this statement. May include more detail than `toString()`. */
   override string pp() { result = "super(...)" }
 
-  /** Gets a printable representation of this statement. */
-  override string toString() { result = pp() }
+  override string toString() { result = "super(...)" }
 
-  /** This statement's Halstead ID (used to compute Halstead metrics). */
   override string getHalsteadID() { result = "SuperConstructorInvocationStmt" }
 
   override string getAPrimaryQlClass() { result = "SuperConstructorInvocationStmt" }
diff --git a/java/ql/test/library-tests/JDK/PrintAst.expected b/java/ql/test/library-tests/JDK/PrintAst.expected
index 74967e122e3..1b3d63c4b74 100644
--- a/java/ql/test/library-tests/JDK/PrintAst.expected
+++ b/java/ql/test/library-tests/JDK/PrintAst.expected
@@ -7,7 +7,7 @@ jdk/A.java:
 #    4|         0: [Parameter] args
 #    4|           0: [ArrayTypeAccess] ...[]
 #    4|             0: [TypeAccess] String
-#    4|       5: [BlockStmt] stmt
+#    4|       5: [BlockStmt] { ... }
 #    7|   2: [Class] B
 #    8|     2: [Method] main
 #    8|       3: [TypeAccess] void
@@ -15,7 +15,7 @@ jdk/A.java:
 #    8|         0: [Parameter] args
 #    8|           0: [ArrayTypeAccess] ...[]
 #    8|             0: [TypeAccess] String
-#    8|       5: [BlockStmt] stmt
+#    8|       5: [BlockStmt] { ... }
 #   11|   3: [Class] C
 #   12|     2: [Method] main
 #   12|       3: [TypeAccess] void
@@ -23,7 +23,7 @@ jdk/A.java:
 #   12|         0: [Parameter] args
 #   12|           0: [ArrayTypeAccess] ...[]
 #   12|             0: [TypeAccess] String
-#   12|       5: [BlockStmt] stmt
+#   12|       5: [BlockStmt] { ... }
 #   15|   4: [Class] D
 #   16|     2: [Method] main
 #   16|       3: [TypeAccess] int
@@ -31,8 +31,8 @@ jdk/A.java:
 #   16|         0: [Parameter] args
 #   16|           0: [ArrayTypeAccess] ...[]
 #   16|             0: [TypeAccess] String
-#   16|       5: [BlockStmt] stmt
-#   16|         0: [ReturnStmt] stmt
+#   16|       5: [BlockStmt] { ... }
+#   16|         0: [ReturnStmt] return ...
 #   16|           0: [IntegerLiteral] 0
 #   19|   5: [Class] E
 #   20|     2: [Method] main
@@ -43,14 +43,14 @@ jdk/A.java:
 #   20|         1: [Parameter] args
 #   20|           0: [ArrayTypeAccess] ...[]
 #   20|             0: [TypeAccess] String
-#   20|       5: [BlockStmt] stmt
+#   20|       5: [BlockStmt] { ... }
 #   23|   6: [Class] F
 #   24|     2: [Method] main
 #   24|       3: [TypeAccess] void
 #-----|       4: (Parameters)
 #   24|         0: [Parameter] arg
 #   24|           0: [TypeAccess] String
-#   24|       5: [BlockStmt] stmt
+#   24|       5: [BlockStmt] { ... }
 #   27|   7: [Class] G
 #   28|     2: [Method] main
 #   28|       3: [TypeAccess] void
@@ -59,7 +59,7 @@ jdk/A.java:
 #   28|           0: [ArrayTypeAccess] ...[]
 #   28|             0: [ArrayTypeAccess] ...[]
 #   28|               0: [TypeAccess] String
-#   28|       5: [BlockStmt] stmt
+#   28|       5: [BlockStmt] { ... }
 jdk/SystemGetPropertyCall.java:
 #    0| [CompilationUnit] SystemGetPropertyCall
 #    3|   1: [Class] SystemGetPropertyCall
@@ -68,30 +68,30 @@ jdk/SystemGetPropertyCall.java:
 #    4|       0: [StringLiteral] "user.dir"
 #    6|     4: [Method] a
 #    6|       3: [TypeAccess] void
-#    6|       5: [BlockStmt] stmt
-#    7|         0: [ExprStmt] stmt
+#    6|       5: [BlockStmt] { ... }
+#    7|         0: [ExprStmt] ...;
 #    7|           0: [MethodAccess] getProperty(...)
 #    7|             -1: [TypeAccess] System
 #    7|             0: [StringLiteral] "user.dir"
 #   10|     5: [Method] b
 #   10|       3: [TypeAccess] void
-#   10|       5: [BlockStmt] stmt
-#   11|         0: [ExprStmt] stmt
+#   10|       5: [BlockStmt] { ... }
+#   11|         0: [ExprStmt] ...;
 #   11|           0: [MethodAccess] getProperty(...)
 #   11|             -1: [TypeAccess] System
 #   11|             0: [StringLiteral] "user.dir"
 #   11|             1: [StringLiteral] "HOME"
 #   14|     6: [Method] c
 #   14|       3: [TypeAccess] void
-#   14|       5: [BlockStmt] stmt
-#   15|         0: [ExprStmt] stmt
+#   14|       5: [BlockStmt] { ... }
+#   15|         0: [ExprStmt] ...;
 #   15|           0: [MethodAccess] getProperty(...)
 #   15|             -1: [TypeAccess] System
 #   15|             0: [VarAccess] USER_DIR_PROPERTY
 #   18|     7: [Method] d
 #   18|       3: [TypeAccess] void
-#   18|       5: [BlockStmt] stmt
-#   19|         0: [ExprStmt] stmt
+#   18|       5: [BlockStmt] { ... }
+#   19|         0: [ExprStmt] ...;
 #   19|           0: [MethodAccess] getProperty(...)
 #   19|             -1: [TypeAccess] System
 #   19|             0: [StringLiteral] "random.property"
diff --git a/java/ql/test/library-tests/arrays/PrintAst.expected b/java/ql/test/library-tests/arrays/PrintAst.expected
index 2fd1eb3d7d8..25edb648e1b 100644
--- a/java/ql/test/library-tests/arrays/PrintAst.expected
+++ b/java/ql/test/library-tests/arrays/PrintAst.expected
@@ -16,8 +16,8 @@ arrays/B.java:
 #-----|       4: (Parameters)
 #    4|         0: [Parameter] a
 #    4|           0: [TypeAccess] A
-#    4|       5: [BlockStmt] stmt
-#    5|         0: [LocalVariableDeclStmt] stmt
+#    4|       5: [BlockStmt] { ... }
+#    5|         0: [LocalVariableDeclStmt] local variable declaration
 #    5|           0: [ArrayTypeAccess] ...[]
 #    5|             0: [TypeAccess] A
 #    5|           1: [LocalVariableDeclExpr] aa
@@ -25,7 +25,7 @@ arrays/B.java:
 #    5|               -2: [ArrayInit] {...}
 #    5|                 0: [VarAccess] a
 #    5|               -1: [TypeAccess] A
-#    6|         1: [LocalVariableDeclStmt] stmt
+#    6|         1: [LocalVariableDeclStmt] local variable declaration
 #    6|           0: [ArrayTypeAccess] ...[]
 #    6|             0: [ArrayTypeAccess] ...[]
 #    6|               0: [TypeAccess] A
@@ -36,7 +36,7 @@ arrays/B.java:
 #    6|                   0: [VarAccess] a
 #    6|               -1: [ArrayTypeAccess] ...[]
 #    6|                 0: [TypeAccess] A
-#    7|         2: [LocalVariableDeclStmt] stmt
+#    7|         2: [LocalVariableDeclStmt] local variable declaration
 #    7|           0: [ArrayTypeAccess] ...[]
 #    7|             0: [ArrayTypeAccess] ...[]
 #    7|               0: [ArrayTypeAccess] ...[]
diff --git a/java/ql/test/library-tests/collections/PrintAst.expected b/java/ql/test/library-tests/collections/PrintAst.expected
index 0198acb2561..942bfca360e 100644
--- a/java/ql/test/library-tests/collections/PrintAst.expected
+++ b/java/ql/test/library-tests/collections/PrintAst.expected
@@ -11,8 +11,8 @@ collections/Test.java:
 #    6|         -3: [TypeAccess] LinkedHashMap<String,Integer>
 #    6|           0: [TypeAccess] String
 #    6|           1: [TypeAccess] Integer
-#    8|     4: [BlockStmt] stmt
-#    9|       0: [ExprStmt] stmt
+#    8|     4: [BlockStmt] { ... }
+#    9|       0: [ExprStmt] ...;
 #    9|         0: [MethodAccess] put(...)
 #    9|           -1: [VarAccess] m
 #    9|           0: [StringLiteral] "key"
diff --git a/java/ql/test/library-tests/comments/PrintAst.expected b/java/ql/test/library-tests/comments/PrintAst.expected
index dce19c722e7..be018582311 100644
--- a/java/ql/test/library-tests/comments/PrintAst.expected
+++ b/java/ql/test/library-tests/comments/PrintAst.expected
@@ -10,10 +10,10 @@ Test.java:
 #    6|         1: [Javadoc] /** A JavaDoc comment with a single line. */
 #    6|           0: [JavadocText] A JavaDoc comment with a single line.
 #    7|       3: [TypeAccess] void
-#    7|       5: [BlockStmt] stmt
+#    7|       5: [BlockStmt] { ... }
 #   21|     3: [Method] test
 #   21|       3: [TypeAccess] void
-#   21|       5: [BlockStmt] stmt
+#   21|       5: [BlockStmt] { ... }
 TestWindows.java:
 #    0| [CompilationUnit] TestWindows
 #    5|   1: [Class] TestWindows
@@ -26,7 +26,7 @@ TestWindows.java:
 #    6|         1: [Javadoc] /** A JavaDoc comment with a single line. */
 #    6|           0: [JavadocText] A JavaDoc comment with a single line.
 #    7|       3: [TypeAccess] void
-#    7|       5: [BlockStmt] stmt
+#    7|       5: [BlockStmt] { ... }
 #   21|     3: [Method] test
 #   21|       3: [TypeAccess] void
-#   21|       5: [BlockStmt] stmt
+#   21|       5: [BlockStmt] { ... }
diff --git a/java/ql/test/library-tests/constants/PrintAst.expected b/java/ql/test/library-tests/constants/PrintAst.expected
index d2420e71ada..51f079eac2a 100644
--- a/java/ql/test/library-tests/constants/PrintAst.expected
+++ b/java/ql/test/library-tests/constants/PrintAst.expected
@@ -6,58 +6,58 @@ constants/Constants.java:
 #-----|       4: (Parameters)
 #    4|         0: [Parameter] notConstant
 #    4|           0: [TypeAccess] int
-#    4|       5: [BlockStmt] stmt
-#    5|         0: [LocalVariableDeclStmt] stmt
+#    4|       5: [BlockStmt] { ... }
+#    5|         0: [LocalVariableDeclStmt] local variable declaration
 #    5|           0: [TypeAccess] int
 #    5|           1: [LocalVariableDeclExpr] sfield
 #    5|             0: [VarAccess] Initializers.SFIELD
 #    5|               -1: [TypeAccess] Initializers
-#    6|         1: [LocalVariableDeclStmt] stmt
+#    6|         1: [LocalVariableDeclStmt] local variable declaration
 #    6|           0: [TypeAccess] int
 #    6|           1: [LocalVariableDeclExpr] ifield
 #    6|             0: [VarAccess] new Initializers(...).IFIELD
 #    6|               -1: [ClassInstanceExpr] new Initializers(...)
 #    6|                 -3: [TypeAccess] Initializers
-#    9|         2: [LocalVariableDeclStmt] stmt
+#    9|         2: [LocalVariableDeclStmt] local variable declaration
 #    9|           0: [TypeAccess] Object
 #    9|           1: [LocalVariableDeclExpr] staticObjectField
 #    9|             0: [VarAccess] Initializers.SFIELD_OBJECT
 #    9|               -1: [TypeAccess] Initializers
-#   11|         3: [LocalVariableDeclStmt] stmt
+#   11|         3: [LocalVariableDeclStmt] local variable declaration
 #   11|           0: [TypeAccess] int
 #   11|           1: [LocalVariableDeclExpr] x
 #   11|             0: [IntegerLiteral] 3
-#   12|         4: [LocalVariableDeclStmt] stmt
+#   12|         4: [LocalVariableDeclStmt] local variable declaration
 #   12|           0: [TypeAccess] int
 #   12|           1: [LocalVariableDeclExpr] y
 #   12|             0: [VarAccess] x
-#   13|         5: [LocalVariableDeclStmt] stmt
+#   13|         5: [LocalVariableDeclStmt] local variable declaration
 #   13|           0: [TypeAccess] int
 #   13|           1: [LocalVariableDeclExpr] z
 #   13|             0: [VarAccess] y
-#   15|         6: [LocalVariableDeclStmt] stmt
+#   15|         6: [LocalVariableDeclStmt] local variable declaration
 #   15|           0: [TypeAccess] int
 #   15|           1: [LocalVariableDeclExpr] binop
 #   15|             0: [AddExpr] ... + ...
 #   15|               0: [VarAccess] Initializers.SFIELD
 #   15|                 -1: [TypeAccess] Initializers
 #   15|               1: [IntegerLiteral] 1
-#   16|         7: [LocalVariableDeclStmt] stmt
+#   16|         7: [LocalVariableDeclStmt] local variable declaration
 #   16|           0: [TypeAccess] int
 #   16|           1: [LocalVariableDeclExpr] binopNonConst
 #   16|             0: [AddExpr] ... + ...
 #   16|               0: [VarAccess] Initializers.SFIELD
 #   16|                 -1: [TypeAccess] Initializers
 #   16|               1: [VarAccess] notConstant
-#   18|         8: [LocalVariableDeclStmt] stmt
+#   18|         8: [LocalVariableDeclStmt] local variable declaration
 #   18|           0: [TypeAccess] int
 #   18|           1: [LocalVariableDeclExpr] paren
 #   18|             0: [IntegerLiteral] 12
-#   19|         9: [LocalVariableDeclStmt] stmt
+#   19|         9: [LocalVariableDeclStmt] local variable declaration
 #   19|           0: [TypeAccess] String
 #   19|           1: [LocalVariableDeclExpr] string
 #   19|             0: [StringLiteral] "a string"
-#   20|         10: [LocalVariableDeclStmt] stmt
+#   20|         10: [LocalVariableDeclStmt] local variable declaration
 #   20|           0: [TypeAccess] int
 #   20|           1: [LocalVariableDeclExpr] ternary
 #   20|             0: [ConditionalExpr] ...?...:...
@@ -66,7 +66,7 @@ constants/Constants.java:
 #   20|                 1: [IntegerLiteral] 5
 #   20|               1: [IntegerLiteral] 1
 #   20|               2: [IntegerLiteral] 2
-#   22|         11: [ReturnStmt] stmt
+#   22|         11: [ReturnStmt] return ...
 constants/Initializers.java:
 #    0| [CompilationUnit] Initializers
 #    3|   1: [Class] Initializers
@@ -79,22 +79,22 @@ constants/Initializers.java:
 #    8|     5: [FieldDeclaration] int IFIELD2, ...;
 #    8|       -1: [TypeAccess] int
 #   10|     6: [Constructor] Initializers
-#   10|       5: [BlockStmt] stmt
-#   12|         2: [ExprStmt] stmt
+#   10|       5: [BlockStmt] { ... }
+#   12|         2: [ExprStmt] ...;
 #   12|           0: [AssignExpr] ...=...
 #   12|             0: [VarAccess] IFIELD2
 #   12|             1: [IntegerLiteral] 22
 #   15|     7: [Method] stuff
 #   15|       3: [TypeAccess] void
-#   15|       5: [BlockStmt] stmt
-#   16|         0: [LocalVariableDeclStmt] stmt
+#   15|       5: [BlockStmt] { ... }
+#   16|         0: [LocalVariableDeclStmt] local variable declaration
 #   16|           0: [TypeAccess] int
 #   16|           1: [LocalVariableDeclExpr] x
 #   16|             0: [IntegerLiteral] 300
-#   17|         1: [LocalVariableDeclStmt] stmt
+#   17|         1: [LocalVariableDeclStmt] local variable declaration
 #   17|           0: [TypeAccess] int
 #   17|           1: [LocalVariableDeclExpr] y
-#   18|         2: [ExprStmt] stmt
+#   18|         2: [ExprStmt] ...;
 #   18|           0: [AssignExpr] ...=...
 #   18|             0: [VarAccess] y
 #   18|             1: [IntegerLiteral] 400
@@ -111,21 +111,21 @@ constants/Initializers.java:
 #   26|     12: [FieldDeclaration] int f, ...;
 #   26|       -1: [TypeAccess] int
 #   26|       0: [IntegerLiteral] 4
-#   28|     13: [BlockStmt] stmt
-#   30|       0: [ExprStmt] stmt
+#   28|     13: [BlockStmt] { ... }
+#   30|       0: [ExprStmt] ...;
 #   30|         0: [AssignExpr] ...=...
 #   30|           0: [VarAccess] fsf
 #   30|           1: [IntegerLiteral] 42
-#   31|       1: [ExprStmt] stmt
+#   31|       1: [ExprStmt] ...;
 #   31|         0: [AssignExpr] ...=...
 #   31|           0: [VarAccess] sf
 #   31|           1: [IntegerLiteral] 42
-#   34|     14: [BlockStmt] stmt
-#   36|       0: [ExprStmt] stmt
+#   34|     14: [BlockStmt] { ... }
+#   36|       0: [ExprStmt] ...;
 #   36|         0: [AssignExpr] ...=...
 #   36|           0: [VarAccess] ff
 #   36|           1: [IntegerLiteral] 42
-#   37|       1: [ExprStmt] stmt
+#   37|       1: [ExprStmt] ...;
 #   37|         0: [AssignExpr] ...=...
 #   37|           0: [VarAccess] f
 #   37|           1: [IntegerLiteral] 42
@@ -143,372 +143,372 @@ constants/Values.java:
 #-----|       4: (Parameters)
 #    8|         0: [Parameter] notConstant
 #    8|           0: [TypeAccess] int
-#    8|       5: [BlockStmt] stmt
-#    9|         0: [LocalVariableDeclStmt] stmt
+#    8|       5: [BlockStmt] { ... }
+#    9|         0: [LocalVariableDeclStmt] local variable declaration
 #    9|           0: [TypeAccess] int
 #    9|           1: [LocalVariableDeclExpr] int_literal
 #    9|             0: [IntegerLiteral] 42
-#   10|         1: [LocalVariableDeclStmt] stmt
+#   10|         1: [LocalVariableDeclStmt] local variable declaration
 #   10|           0: [TypeAccess] int
 #   10|           1: [LocalVariableDeclExpr] negative_int_literal
 #   10|             0: [IntegerLiteral] -2147483648
-#   11|         2: [LocalVariableDeclStmt] stmt
+#   11|         2: [LocalVariableDeclStmt] local variable declaration
 #   11|           0: [TypeAccess] int
 #   11|           1: [LocalVariableDeclExpr] octal_literal
 #   11|             0: [IntegerLiteral] 052
-#   12|         3: [LocalVariableDeclStmt] stmt
+#   12|         3: [LocalVariableDeclStmt] local variable declaration
 #   12|           0: [TypeAccess] int
 #   12|           1: [LocalVariableDeclExpr] negative_octal_literal
 #   12|             0: [MinusExpr] -...
 #   12|               0: [IntegerLiteral] 052
-#   13|         4: [LocalVariableDeclStmt] stmt
+#   13|         4: [LocalVariableDeclStmt] local variable declaration
 #   13|           0: [TypeAccess] int
 #   13|           1: [LocalVariableDeclExpr] hex_literal
 #   13|             0: [IntegerLiteral] 0x2A
-#   14|         5: [LocalVariableDeclStmt] stmt
+#   14|         5: [LocalVariableDeclStmt] local variable declaration
 #   14|           0: [TypeAccess] int
 #   14|           1: [LocalVariableDeclExpr] negative_hex_literal
 #   14|             0: [MinusExpr] -...
 #   14|               0: [IntegerLiteral] 0x2A
-#   15|         6: [LocalVariableDeclStmt] stmt
+#   15|         6: [LocalVariableDeclStmt] local variable declaration
 #   15|           0: [TypeAccess] int
 #   15|           1: [LocalVariableDeclExpr] hex_literal_underscores
 #   15|             0: [IntegerLiteral] 0x2_A
-#   16|         7: [LocalVariableDeclStmt] stmt
+#   16|         7: [LocalVariableDeclStmt] local variable declaration
 #   16|           0: [TypeAccess] int
 #   16|           1: [LocalVariableDeclExpr] binary_literal
 #   16|             0: [IntegerLiteral] 0b101010
-#   17|         8: [LocalVariableDeclStmt] stmt
+#   17|         8: [LocalVariableDeclStmt] local variable declaration
 #   17|           0: [TypeAccess] int
 #   17|           1: [LocalVariableDeclExpr] negative_binary_literal
 #   17|             0: [MinusExpr] -...
 #   17|               0: [IntegerLiteral] 0b101010
-#   18|         9: [LocalVariableDeclStmt] stmt
+#   18|         9: [LocalVariableDeclStmt] local variable declaration
 #   18|           0: [TypeAccess] int
 #   18|           1: [LocalVariableDeclExpr] binary_literal_underscores
 #   18|             0: [IntegerLiteral] 0b1_0101_0
-#   19|         10: [LocalVariableDeclStmt] stmt
+#   19|         10: [LocalVariableDeclStmt] local variable declaration
 #   19|           0: [TypeAccess] char
 #   19|           1: [LocalVariableDeclExpr] char_literal
 #   19|             0: [CharacterLiteral] '*'
-#   20|         11: [LocalVariableDeclStmt] stmt
+#   20|         11: [LocalVariableDeclStmt] local variable declaration
 #   20|           0: [TypeAccess] long
 #   20|           1: [LocalVariableDeclExpr] long_literal
 #   20|             0: [LongLiteral] 42L
-#   21|         12: [LocalVariableDeclStmt] stmt
+#   21|         12: [LocalVariableDeclStmt] local variable declaration
 #   21|           0: [TypeAccess] boolean
 #   21|           1: [LocalVariableDeclExpr] boolean_literal
 #   21|             0: [BooleanLiteral] true
-#   22|         13: [LocalVariableDeclStmt] stmt
+#   22|         13: [LocalVariableDeclStmt] local variable declaration
 #   22|           0: [TypeAccess] Integer
 #   22|           1: [LocalVariableDeclExpr] boxed_int
 #   22|             0: [ClassInstanceExpr] new Integer(...)
 #   22|               -3: [TypeAccess] Integer
 #   22|               0: [IntegerLiteral] 42
-#   23|         14: [LocalVariableDeclStmt] stmt
+#   23|         14: [LocalVariableDeclStmt] local variable declaration
 #   23|           0: [TypeAccess] int
 #   23|           1: [LocalVariableDeclExpr] parameter
 #   23|             0: [VarAccess] notConstant
-#   25|         15: [LocalVariableDeclStmt] stmt
+#   25|         15: [LocalVariableDeclStmt] local variable declaration
 #   25|           0: [TypeAccess] int
 #   25|           1: [LocalVariableDeclExpr] cast
 #   25|             0: [CastExpr] (...)...
 #   25|               0: [TypeAccess] int
 #   25|               1: [IntegerLiteral] 42
-#   26|         16: [LocalVariableDeclStmt] stmt
+#   26|         16: [LocalVariableDeclStmt] local variable declaration
 #   26|           0: [TypeAccess] char
 #   26|           1: [LocalVariableDeclExpr] downcast
 #   26|             0: [CastExpr] (...)...
 #   26|               0: [TypeAccess] char
 #   26|               1: [IntegerLiteral] 42
-#   27|         17: [LocalVariableDeclStmt] stmt
+#   27|         17: [LocalVariableDeclStmt] local variable declaration
 #   27|           0: [TypeAccess] byte
 #   27|           1: [LocalVariableDeclExpr] downcast_byte_1
 #   27|             0: [CastExpr] (...)...
 #   27|               0: [TypeAccess] byte
 #   27|               1: [MinusExpr] -...
 #   27|                 0: [IntegerLiteral] 42
-#   28|         18: [LocalVariableDeclStmt] stmt
+#   28|         18: [LocalVariableDeclStmt] local variable declaration
 #   28|           0: [TypeAccess] byte
 #   28|           1: [LocalVariableDeclExpr] downcast_byte_2
 #   28|             0: [CastExpr] (...)...
 #   28|               0: [TypeAccess] byte
 #   28|               1: [IntegerLiteral] 42
-#   29|         19: [LocalVariableDeclStmt] stmt
+#   29|         19: [LocalVariableDeclStmt] local variable declaration
 #   29|           0: [TypeAccess] byte
 #   29|           1: [LocalVariableDeclExpr] downcast_byte_3
 #   29|             0: [CastExpr] (...)...
 #   29|               0: [TypeAccess] byte
 #   29|               1: [IntegerLiteral] 298
-#   30|         20: [LocalVariableDeclStmt] stmt
+#   30|         20: [LocalVariableDeclStmt] local variable declaration
 #   30|           0: [TypeAccess] byte
 #   30|           1: [LocalVariableDeclExpr] downcast_byte_4
 #   30|             0: [CastExpr] (...)...
 #   30|               0: [TypeAccess] byte
 #   30|               1: [IntegerLiteral] 214
-#   31|         21: [LocalVariableDeclStmt] stmt
+#   31|         21: [LocalVariableDeclStmt] local variable declaration
 #   31|           0: [TypeAccess] byte
 #   31|           1: [LocalVariableDeclExpr] downcast_byte_5
 #   31|             0: [CastExpr] (...)...
 #   31|               0: [TypeAccess] byte
 #   31|               1: [MinusExpr] -...
 #   31|                 0: [IntegerLiteral] 214
-#   32|         22: [LocalVariableDeclStmt] stmt
+#   32|         22: [LocalVariableDeclStmt] local variable declaration
 #   32|           0: [TypeAccess] short
 #   32|           1: [LocalVariableDeclExpr] downcast_short
 #   32|             0: [CastExpr] (...)...
 #   32|               0: [TypeAccess] short
 #   32|               1: [IntegerLiteral] 32768
-#   33|         23: [LocalVariableDeclStmt] stmt
+#   33|         23: [LocalVariableDeclStmt] local variable declaration
 #   33|           0: [TypeAccess] int
 #   33|           1: [LocalVariableDeclExpr] cast_of_non_constant
 #   33|             0: [CastExpr] (...)...
 #   33|               0: [TypeAccess] int
 #   33|               1: [CharacterLiteral] '*'
-#   34|         24: [LocalVariableDeclStmt] stmt
+#   34|         24: [LocalVariableDeclStmt] local variable declaration
 #   34|           0: [TypeAccess] long
 #   34|           1: [LocalVariableDeclExpr] cast_to_long
 #   34|             0: [CastExpr] (...)...
 #   34|               0: [TypeAccess] long
 #   34|               1: [IntegerLiteral] 42
-#   36|         25: [LocalVariableDeclStmt] stmt
+#   36|         25: [LocalVariableDeclStmt] local variable declaration
 #   36|           0: [TypeAccess] int
 #   36|           1: [LocalVariableDeclExpr] unary_plus
 #   36|             0: [PlusExpr] +...
 #   36|               0: [IntegerLiteral] 42
-#   37|         26: [LocalVariableDeclStmt] stmt
+#   37|         26: [LocalVariableDeclStmt] local variable declaration
 #   37|           0: [TypeAccess] int
 #   37|           1: [LocalVariableDeclExpr] parameter_plus
 #   37|             0: [PlusExpr] +...
 #   37|               0: [VarAccess] notConstant
-#   39|         27: [LocalVariableDeclStmt] stmt
+#   39|         27: [LocalVariableDeclStmt] local variable declaration
 #   39|           0: [TypeAccess] int
 #   39|           1: [LocalVariableDeclExpr] unary_minus
 #   39|             0: [MinusExpr] -...
 #   39|               0: [IntegerLiteral] 42
-#   40|         28: [LocalVariableDeclStmt] stmt
+#   40|         28: [LocalVariableDeclStmt] local variable declaration
 #   40|           0: [TypeAccess] int
 #   40|           1: [LocalVariableDeclExpr] parameter_minus
 #   40|             0: [MinusExpr] -...
 #   40|               0: [VarAccess] notConstant
-#   42|         29: [LocalVariableDeclStmt] stmt
+#   42|         29: [LocalVariableDeclStmt] local variable declaration
 #   42|           0: [TypeAccess] boolean
 #   42|           1: [LocalVariableDeclExpr] not
 #   42|             0: [LogNotExpr] !...
 #   42|               0: [BooleanLiteral] true
-#   43|         30: [LocalVariableDeclStmt] stmt
+#   43|         30: [LocalVariableDeclStmt] local variable declaration
 #   43|           0: [TypeAccess] int
 #   43|           1: [LocalVariableDeclExpr] bitwise_not
 #   43|             0: [BitNotExpr] ~...
 #   43|               0: [IntegerLiteral] 0
-#   45|         31: [LocalVariableDeclStmt] stmt
+#   45|         31: [LocalVariableDeclStmt] local variable declaration
 #   45|           0: [TypeAccess] int
 #   45|           1: [LocalVariableDeclExpr] mul
 #   45|             0: [MulExpr] ... * ...
 #   45|               0: [IntegerLiteral] 7
 #   45|               1: [IntegerLiteral] 9
-#   46|         32: [LocalVariableDeclStmt] stmt
+#   46|         32: [LocalVariableDeclStmt] local variable declaration
 #   46|           0: [TypeAccess] int
 #   46|           1: [LocalVariableDeclExpr] mul_parameter
 #   46|             0: [MulExpr] ... * ...
 #   46|               0: [VarAccess] notConstant
 #   46|               1: [VarAccess] notConstant
-#   48|         33: [LocalVariableDeclStmt] stmt
+#   48|         33: [LocalVariableDeclStmt] local variable declaration
 #   48|           0: [TypeAccess] int
 #   48|           1: [LocalVariableDeclExpr] div
 #   48|             0: [DivExpr] ... / ...
 #   48|               0: [IntegerLiteral] 168
 #   48|               1: [IntegerLiteral] 4
-#   49|         34: [LocalVariableDeclStmt] stmt
+#   49|         34: [LocalVariableDeclStmt] local variable declaration
 #   49|           0: [TypeAccess] int
 #   49|           1: [LocalVariableDeclExpr] div_by_zero
 #   49|             0: [DivExpr] ... / ...
 #   49|               0: [IntegerLiteral] 42
 #   49|               1: [IntegerLiteral] 0
-#   50|         35: [LocalVariableDeclStmt] stmt
+#   50|         35: [LocalVariableDeclStmt] local variable declaration
 #   50|           0: [TypeAccess] int
 #   50|           1: [LocalVariableDeclExpr] div_parameter
 #   50|             0: [DivExpr] ... / ...
 #   50|               0: [VarAccess] notConstant
 #   50|               1: [VarAccess] notConstant
-#   52|         36: [LocalVariableDeclStmt] stmt
+#   52|         36: [LocalVariableDeclStmt] local variable declaration
 #   52|           0: [TypeAccess] int
 #   52|           1: [LocalVariableDeclExpr] rem
 #   52|             0: [RemExpr] ... % ...
 #   52|               0: [IntegerLiteral] 168
 #   52|               1: [IntegerLiteral] 63
-#   53|         37: [LocalVariableDeclStmt] stmt
+#   53|         37: [LocalVariableDeclStmt] local variable declaration
 #   53|           0: [TypeAccess] int
 #   53|           1: [LocalVariableDeclExpr] rem_by_zero
 #   53|             0: [RemExpr] ... % ...
 #   53|               0: [IntegerLiteral] 42
 #   53|               1: [IntegerLiteral] 0
-#   54|         38: [LocalVariableDeclStmt] stmt
+#   54|         38: [LocalVariableDeclStmt] local variable declaration
 #   54|           0: [TypeAccess] int
 #   54|           1: [LocalVariableDeclExpr] rem_parameter
 #   54|             0: [RemExpr] ... % ...
 #   54|               0: [VarAccess] notConstant
 #   54|               1: [VarAccess] notConstant
-#   56|         39: [LocalVariableDeclStmt] stmt
+#   56|         39: [LocalVariableDeclStmt] local variable declaration
 #   56|           0: [TypeAccess] int
 #   56|           1: [LocalVariableDeclExpr] plus
 #   56|             0: [AddExpr] ... + ...
 #   56|               0: [IntegerLiteral] 10
 #   56|               1: [IntegerLiteral] 32
-#   57|         40: [LocalVariableDeclStmt] stmt
+#   57|         40: [LocalVariableDeclStmt] local variable declaration
 #   57|           0: [TypeAccess] int
 #   57|           1: [LocalVariableDeclExpr] plus_parameter
 #   57|             0: [AddExpr] ... + ...
 #   57|               0: [VarAccess] notConstant
 #   57|               1: [VarAccess] notConstant
-#   59|         41: [LocalVariableDeclStmt] stmt
+#   59|         41: [LocalVariableDeclStmt] local variable declaration
 #   59|           0: [TypeAccess] int
 #   59|           1: [LocalVariableDeclExpr] minus
 #   59|             0: [SubExpr] ... - ...
 #   59|               0: [IntegerLiteral] 168
 #   59|               1: [IntegerLiteral] 126
-#   60|         42: [LocalVariableDeclStmt] stmt
+#   60|         42: [LocalVariableDeclStmt] local variable declaration
 #   60|           0: [TypeAccess] int
 #   60|           1: [LocalVariableDeclExpr] minus_parameter
 #   60|             0: [SubExpr] ... - ...
 #   60|               0: [VarAccess] notConstant
 #   60|               1: [VarAccess] notConstant
-#   62|         43: [LocalVariableDeclStmt] stmt
+#   62|         43: [LocalVariableDeclStmt] local variable declaration
 #   62|           0: [TypeAccess] int
 #   62|           1: [LocalVariableDeclExpr] lshift
 #   62|             0: [LShiftExpr] ... << ...
 #   62|               0: [IntegerLiteral] 21
 #   62|               1: [IntegerLiteral] 2
-#   63|         44: [LocalVariableDeclStmt] stmt
+#   63|         44: [LocalVariableDeclStmt] local variable declaration
 #   63|           0: [TypeAccess] int
 #   63|           1: [LocalVariableDeclExpr] lshift_parameter
 #   63|             0: [LShiftExpr] ... << ...
 #   63|               0: [VarAccess] notConstant
 #   63|               1: [VarAccess] notConstant
-#   65|         45: [LocalVariableDeclStmt] stmt
+#   65|         45: [LocalVariableDeclStmt] local variable declaration
 #   65|           0: [TypeAccess] int
 #   65|           1: [LocalVariableDeclExpr] rshift
 #   65|             0: [RShiftExpr] ... >> ...
 #   65|               0: [MinusExpr] -...
 #   65|                 0: [IntegerLiteral] 1
 #   65|               1: [IntegerLiteral] 2
-#   66|         46: [LocalVariableDeclStmt] stmt
+#   66|         46: [LocalVariableDeclStmt] local variable declaration
 #   66|           0: [TypeAccess] int
 #   66|           1: [LocalVariableDeclExpr] urshift
 #   66|             0: [URShiftExpr] ... >>> ...
 #   66|               0: [MinusExpr] -...
 #   66|                 0: [IntegerLiteral] 1
 #   66|               1: [IntegerLiteral] 1
-#   67|         47: [LocalVariableDeclStmt] stmt
+#   67|         47: [LocalVariableDeclStmt] local variable declaration
 #   67|           0: [TypeAccess] int
 #   67|           1: [LocalVariableDeclExpr] bitwise_and
 #   67|             0: [AndBitwiseExpr] ... & ...
 #   67|               0: [IntegerLiteral] 63
 #   67|               1: [IntegerLiteral] 42
-#   68|         48: [LocalVariableDeclStmt] stmt
+#   68|         48: [LocalVariableDeclStmt] local variable declaration
 #   68|           0: [TypeAccess] int
 #   68|           1: [LocalVariableDeclExpr] bitwise_or
 #   68|             0: [OrBitwiseExpr] ... | ...
 #   68|               0: [IntegerLiteral] 32
 #   68|               1: [IntegerLiteral] 42
-#   69|         49: [LocalVariableDeclStmt] stmt
+#   69|         49: [LocalVariableDeclStmt] local variable declaration
 #   69|           0: [TypeAccess] int
 #   69|           1: [LocalVariableDeclExpr] bitwise_xor
 #   69|             0: [XorBitwiseExpr] ... ^ ...
 #   69|               0: [IntegerLiteral] 48
 #   69|               1: [IntegerLiteral] 26
-#   70|         50: [LocalVariableDeclStmt] stmt
+#   70|         50: [LocalVariableDeclStmt] local variable declaration
 #   70|           0: [TypeAccess] boolean
 #   70|           1: [LocalVariableDeclExpr] and
 #   70|             0: [AndLogicalExpr] ... && ...
 #   70|               0: [BooleanLiteral] true
 #   70|               1: [BooleanLiteral] false
-#   71|         51: [LocalVariableDeclStmt] stmt
+#   71|         51: [LocalVariableDeclStmt] local variable declaration
 #   71|           0: [TypeAccess] boolean
 #   71|           1: [LocalVariableDeclExpr] or
 #   71|             0: [OrLogicalExpr] ... || ...
 #   71|               0: [BooleanLiteral] true
 #   71|               1: [BooleanLiteral] false
-#   72|         52: [LocalVariableDeclStmt] stmt
+#   72|         52: [LocalVariableDeclStmt] local variable declaration
 #   72|           0: [TypeAccess] boolean
 #   72|           1: [LocalVariableDeclExpr] lt
 #   72|             0: [LTExpr] ... < ...
 #   72|               0: [IntegerLiteral] 42
 #   72|               1: [IntegerLiteral] 42
-#   73|         53: [LocalVariableDeclStmt] stmt
+#   73|         53: [LocalVariableDeclStmt] local variable declaration
 #   73|           0: [TypeAccess] boolean
 #   73|           1: [LocalVariableDeclExpr] le
 #   73|             0: [LEExpr] ... <= ...
 #   73|               0: [IntegerLiteral] 42
 #   73|               1: [IntegerLiteral] 42
-#   74|         54: [LocalVariableDeclStmt] stmt
+#   74|         54: [LocalVariableDeclStmt] local variable declaration
 #   74|           0: [TypeAccess] boolean
 #   74|           1: [LocalVariableDeclExpr] gt
 #   74|             0: [GTExpr] ... > ...
 #   74|               0: [IntegerLiteral] 42
 #   74|               1: [IntegerLiteral] 42
-#   75|         55: [LocalVariableDeclStmt] stmt
+#   75|         55: [LocalVariableDeclStmt] local variable declaration
 #   75|           0: [TypeAccess] boolean
 #   75|           1: [LocalVariableDeclExpr] gle
 #   75|             0: [GEExpr] ... >= ...
 #   75|               0: [IntegerLiteral] 42
 #   75|               1: [IntegerLiteral] 42
-#   76|         56: [LocalVariableDeclStmt] stmt
+#   76|         56: [LocalVariableDeclStmt] local variable declaration
 #   76|           0: [TypeAccess] boolean
 #   76|           1: [LocalVariableDeclExpr] eq
 #   76|             0: [EQExpr] ... == ...
 #   76|               0: [IntegerLiteral] 42
 #   76|               1: [IntegerLiteral] 42
-#   77|         57: [LocalVariableDeclStmt] stmt
+#   77|         57: [LocalVariableDeclStmt] local variable declaration
 #   77|           0: [TypeAccess] boolean
 #   77|           1: [LocalVariableDeclExpr] ne
 #   77|             0: [NEExpr] ... != ...
 #   77|               0: [IntegerLiteral] 42
 #   77|               1: [IntegerLiteral] 42
-#   78|         58: [LocalVariableDeclStmt] stmt
+#   78|         58: [LocalVariableDeclStmt] local variable declaration
 #   78|           0: [TypeAccess] boolean
 #   78|           1: [LocalVariableDeclExpr] ter
 #   78|             0: [ConditionalExpr] ...?...:...
 #   78|               0: [BooleanLiteral] true
 #   78|               1: [BooleanLiteral] false
 #   78|               2: [BooleanLiteral] true
-#   80|         59: [LocalVariableDeclStmt] stmt
+#   80|         59: [LocalVariableDeclStmt] local variable declaration
 #   80|           0: [TypeAccess] boolean
 #   80|           1: [LocalVariableDeclExpr] seq
 #   80|             0: [EQExpr] ... == ...
 #   80|               0: [StringLiteral] "foo"
 #   80|               1: [StringLiteral] "foo"
-#   81|         60: [LocalVariableDeclStmt] stmt
+#   81|         60: [LocalVariableDeclStmt] local variable declaration
 #   81|           0: [TypeAccess] boolean
 #   81|           1: [LocalVariableDeclExpr] sneq
 #   81|             0: [NEExpr] ... != ...
 #   81|               0: [StringLiteral] "foo"
 #   81|               1: [StringLiteral] "foo"
-#   83|         61: [LocalVariableDeclStmt] stmt
+#   83|         61: [LocalVariableDeclStmt] local variable declaration
 #   83|           0: [TypeAccess] int
 #   83|           1: [LocalVariableDeclExpr] par
 #   83|             0: [IntegerLiteral] 42
-#   84|         62: [LocalVariableDeclStmt] stmt
+#   84|         62: [LocalVariableDeclStmt] local variable declaration
 #   84|           0: [TypeAccess] int
 #   84|           1: [LocalVariableDeclExpr] par_not_constant
 #   84|             0: [VarAccess] notConstant
-#   86|         63: [LocalVariableDeclStmt] stmt
+#   86|         63: [LocalVariableDeclStmt] local variable declaration
 #   86|           0: [TypeAccess] int
 #   86|           1: [LocalVariableDeclExpr] var_field
 #   86|             0: [VarAccess] final_field
-#   87|         64: [LocalVariableDeclStmt] stmt
+#   87|         64: [LocalVariableDeclStmt] local variable declaration
 #   87|           0: [TypeAccess] int
 #   87|           1: [LocalVariableDeclExpr] final_local
 #   87|             0: [IntegerLiteral] 42
-#   88|         65: [LocalVariableDeclStmt] stmt
+#   88|         65: [LocalVariableDeclStmt] local variable declaration
 #   88|           0: [TypeAccess] int
 #   88|           1: [LocalVariableDeclExpr] var_local
 #   88|             0: [VarAccess] final_local
-#   89|         66: [LocalVariableDeclStmt] stmt
+#   89|         66: [LocalVariableDeclStmt] local variable declaration
 #   89|           0: [TypeAccess] int
 #   89|           1: [LocalVariableDeclExpr] var_param
 #   89|             0: [VarAccess] notConstant
-#   90|         67: [LocalVariableDeclStmt] stmt
+#   90|         67: [LocalVariableDeclStmt] local variable declaration
 #   90|           0: [TypeAccess] int
 #   90|           1: [LocalVariableDeclExpr] var_nonfinald_local
 #   90|             0: [VarAccess] var_field
diff --git a/java/ql/test/library-tests/constructors/PrintAst.expected b/java/ql/test/library-tests/constructors/PrintAst.expected
index 6dc34314b0b..db3907670c4 100644
--- a/java/ql/test/library-tests/constructors/PrintAst.expected
+++ b/java/ql/test/library-tests/constructors/PrintAst.expected
@@ -2,22 +2,22 @@ constructors/A.java:
 #    0| [CompilationUnit] A
 #    3|   1: [Class] A
 #    4|     3: [Constructor] A
-#    4|       5: [BlockStmt] stmt
+#    4|       5: [BlockStmt] { ... }
 #    5|         0: [ThisConstructorInvocationStmt] this(...)
 #    5|           0: [IntegerLiteral] 42
 #    8|     4: [Constructor] A
 #-----|       4: (Parameters)
 #    8|         0: [Parameter] i
 #    8|           0: [TypeAccess] int
-#    8|       5: [BlockStmt] stmt
+#    8|       5: [BlockStmt] { ... }
 #   10|     5: [Method] main
 #   10|       3: [TypeAccess] void
 #-----|       4: (Parameters)
 #   10|         0: [Parameter] args
 #   10|           0: [ArrayTypeAccess] ...[]
 #   10|             0: [TypeAccess] String
-#   10|       5: [BlockStmt] stmt
-#   11|         0: [ExprStmt] stmt
+#   10|       5: [BlockStmt] { ... }
+#   11|         0: [ExprStmt] ...;
 #   11|           0: [ClassInstanceExpr] new A(...)
 #   11|             -3: [TypeAccess] A
 #   14|     6: [FieldDeclaration] String STATIC, ...;
@@ -26,14 +26,14 @@ constructors/A.java:
 #   15|     7: [FieldDeclaration] String INSTANCE, ...;
 #   15|       -1: [TypeAccess] String
 #   15|       0: [StringLiteral] "instance string"
-#   17|     8: [BlockStmt] stmt
-#   18|       0: [ExprStmt] stmt
+#   17|     8: [BlockStmt] { ... }
+#   18|       0: [ExprStmt] ...;
 #   18|         0: [MethodAccess] println(...)
 #   18|           -1: [VarAccess] System.out
 #   18|             -1: [TypeAccess] System
 #   18|           0: [StringLiteral] "<obinit>"
-#   21|     9: [BlockStmt] stmt
-#   22|       0: [ExprStmt] stmt
+#   21|     9: [BlockStmt] { ... }
+#   22|       0: [ExprStmt] ...;
 #   22|         0: [MethodAccess] println(...)
 #   22|           -1: [VarAccess] System.out
 #   22|             -1: [TypeAccess] System
diff --git a/java/ql/test/library-tests/controlflow/basic/bbStmts.expected b/java/ql/test/library-tests/controlflow/basic/bbStmts.expected
index 1b239e1dd29..a23a14afbe9 100644
--- a/java/ql/test/library-tests/controlflow/basic/bbStmts.expected
+++ b/java/ql/test/library-tests/controlflow/basic/bbStmts.expected
@@ -1,136 +1,136 @@
-| Test.java:3:14:3:17 | stmt | Test.java:3:14:3:17 | Test | 2 |
-| Test.java:3:14:3:17 | stmt | Test.java:3:14:3:17 | stmt | 0 |
-| Test.java:3:14:3:17 | stmt | Test.java:3:14:3:17 | super(...) | 1 |
+| Test.java:3:14:3:17 | { ... } | Test.java:3:14:3:17 | Test | 2 |
+| Test.java:3:14:3:17 | { ... } | Test.java:3:14:3:17 | super(...) | 1 |
+| Test.java:3:14:3:17 | { ... } | Test.java:3:14:3:17 | { ... } | 0 |
 | Test.java:4:14:4:17 | test | Test.java:4:14:4:17 | test | 0 |
-| Test.java:4:21:76:2 | stmt | Test.java:4:21:76:2 | stmt | 0 |
-| Test.java:4:21:76:2 | stmt | Test.java:5:3:5:12 | stmt | 1 |
-| Test.java:4:21:76:2 | stmt | Test.java:5:7:5:11 | x | 3 |
-| Test.java:4:21:76:2 | stmt | Test.java:5:11:5:11 | 0 | 2 |
-| Test.java:4:21:76:2 | stmt | Test.java:6:3:6:14 | stmt | 4 |
-| Test.java:4:21:76:2 | stmt | Test.java:6:8:6:13 | y | 6 |
-| Test.java:4:21:76:2 | stmt | Test.java:6:12:6:13 | 50 | 5 |
-| Test.java:4:21:76:2 | stmt | Test.java:7:3:7:12 | stmt | 7 |
-| Test.java:4:21:76:2 | stmt | Test.java:7:7:7:11 | z | 9 |
-| Test.java:4:21:76:2 | stmt | Test.java:7:11:7:11 | 0 | 8 |
-| Test.java:4:21:76:2 | stmt | Test.java:8:3:8:12 | stmt | 10 |
-| Test.java:4:21:76:2 | stmt | Test.java:8:7:8:11 | w | 12 |
-| Test.java:4:21:76:2 | stmt | Test.java:8:11:8:11 | 0 | 11 |
-| Test.java:4:21:76:2 | stmt | Test.java:11:3:11:12 | stmt | 13 |
-| Test.java:4:21:76:2 | stmt | Test.java:11:7:11:7 | x | 14 |
-| Test.java:4:21:76:2 | stmt | Test.java:11:7:11:11 | ... > ... | 16 |
-| Test.java:4:21:76:2 | stmt | Test.java:11:11:11:11 | 0 | 15 |
-| Test.java:11:14:14:3 | stmt | Test.java:11:14:14:3 | stmt | 0 |
-| Test.java:11:14:14:3 | stmt | Test.java:12:4:12:9 | ...=... | 3 |
-| Test.java:11:14:14:3 | stmt | Test.java:12:4:12:10 | stmt | 1 |
-| Test.java:11:14:14:3 | stmt | Test.java:12:8:12:9 | 20 | 2 |
-| Test.java:11:14:14:3 | stmt | Test.java:13:4:13:9 | ...=... | 6 |
-| Test.java:11:14:14:3 | stmt | Test.java:13:4:13:10 | stmt | 4 |
-| Test.java:11:14:14:3 | stmt | Test.java:13:8:13:9 | 10 | 5 |
-| Test.java:14:10:16:3 | stmt | Test.java:14:10:16:3 | stmt | 0 |
-| Test.java:14:10:16:3 | stmt | Test.java:15:4:15:9 | ...=... | 3 |
-| Test.java:14:10:16:3 | stmt | Test.java:15:4:15:10 | stmt | 1 |
-| Test.java:14:10:16:3 | stmt | Test.java:15:8:15:9 | 30 | 2 |
-| Test.java:18:3:18:8 | stmt | Test.java:18:3:18:7 | ...=... | 2 |
-| Test.java:18:3:18:8 | stmt | Test.java:18:3:18:8 | stmt | 0 |
-| Test.java:18:3:18:8 | stmt | Test.java:18:7:18:7 | 0 | 1 |
-| Test.java:18:3:18:8 | stmt | Test.java:21:3:21:11 | stmt | 3 |
-| Test.java:18:3:18:8 | stmt | Test.java:21:6:21:6 | x | 4 |
-| Test.java:18:3:18:8 | stmt | Test.java:21:6:21:10 | ... < ... | 6 |
-| Test.java:18:3:18:8 | stmt | Test.java:21:10:21:10 | 0 | 5 |
-| Test.java:22:4:22:10 | stmt | Test.java:22:4:22:9 | ...=... | 2 |
-| Test.java:22:4:22:10 | stmt | Test.java:22:4:22:10 | stmt | 0 |
-| Test.java:22:4:22:10 | stmt | Test.java:22:8:22:9 | 40 | 1 |
-| Test.java:22:4:22:10 | stmt | Test.java:27:3:27:8 | ...=... | 5 |
-| Test.java:22:4:22:10 | stmt | Test.java:27:3:27:9 | stmt | 3 |
-| Test.java:22:4:22:10 | stmt | Test.java:27:7:27:8 | 10 | 4 |
-| Test.java:22:4:22:10 | stmt | Test.java:30:3:30:13 | stmt | 6 |
-| Test.java:22:4:22:10 | stmt | Test.java:30:7:30:7 | x | 7 |
-| Test.java:22:4:22:10 | stmt | Test.java:30:7:30:12 | ... == ... | 9 |
-| Test.java:22:4:22:10 | stmt | Test.java:30:12:30:12 | 0 | 8 |
-| Test.java:24:4:24:10 | stmt | Test.java:24:4:24:10 | stmt | 0 |
-| Test.java:30:15:33:3 | stmt | Test.java:30:15:33:3 | stmt | 0 |
-| Test.java:30:15:33:3 | stmt | Test.java:31:4:31:9 | ...=... | 3 |
-| Test.java:30:15:33:3 | stmt | Test.java:31:4:31:10 | stmt | 1 |
-| Test.java:30:15:33:3 | stmt | Test.java:31:8:31:9 | 60 | 2 |
-| Test.java:30:15:33:3 | stmt | Test.java:32:4:32:9 | ...=... | 6 |
-| Test.java:30:15:33:3 | stmt | Test.java:32:4:32:10 | stmt | 4 |
-| Test.java:30:15:33:3 | stmt | Test.java:32:8:32:9 | 10 | 5 |
-| Test.java:35:3:35:9 | stmt | Test.java:35:3:35:8 | ...=... | 2 |
-| Test.java:35:3:35:9 | stmt | Test.java:35:3:35:9 | stmt | 0 |
-| Test.java:35:3:35:9 | stmt | Test.java:35:7:35:8 | 20 | 1 |
-| Test.java:35:3:35:9 | stmt | Test.java:38:3:38:14 | stmt | 3 |
+| Test.java:4:21:76:2 | { ... } | Test.java:4:21:76:2 | { ... } | 0 |
+| Test.java:4:21:76:2 | { ... } | Test.java:5:3:5:12 | local variable declaration | 1 |
+| Test.java:4:21:76:2 | { ... } | Test.java:5:7:5:11 | x | 3 |
+| Test.java:4:21:76:2 | { ... } | Test.java:5:11:5:11 | 0 | 2 |
+| Test.java:4:21:76:2 | { ... } | Test.java:6:3:6:14 | local variable declaration | 4 |
+| Test.java:4:21:76:2 | { ... } | Test.java:6:8:6:13 | y | 6 |
+| Test.java:4:21:76:2 | { ... } | Test.java:6:12:6:13 | 50 | 5 |
+| Test.java:4:21:76:2 | { ... } | Test.java:7:3:7:12 | local variable declaration | 7 |
+| Test.java:4:21:76:2 | { ... } | Test.java:7:7:7:11 | z | 9 |
+| Test.java:4:21:76:2 | { ... } | Test.java:7:11:7:11 | 0 | 8 |
+| Test.java:4:21:76:2 | { ... } | Test.java:8:3:8:12 | local variable declaration | 10 |
+| Test.java:4:21:76:2 | { ... } | Test.java:8:7:8:11 | w | 12 |
+| Test.java:4:21:76:2 | { ... } | Test.java:8:11:8:11 | 0 | 11 |
+| Test.java:4:21:76:2 | { ... } | Test.java:11:3:11:12 | if (...) | 13 |
+| Test.java:4:21:76:2 | { ... } | Test.java:11:7:11:7 | x | 14 |
+| Test.java:4:21:76:2 | { ... } | Test.java:11:7:11:11 | ... > ... | 16 |
+| Test.java:4:21:76:2 | { ... } | Test.java:11:11:11:11 | 0 | 15 |
+| Test.java:11:14:14:3 | { ... } | Test.java:11:14:14:3 | { ... } | 0 |
+| Test.java:11:14:14:3 | { ... } | Test.java:12:4:12:9 | ...=... | 3 |
+| Test.java:11:14:14:3 | { ... } | Test.java:12:4:12:10 | ...; | 1 |
+| Test.java:11:14:14:3 | { ... } | Test.java:12:8:12:9 | 20 | 2 |
+| Test.java:11:14:14:3 | { ... } | Test.java:13:4:13:9 | ...=... | 6 |
+| Test.java:11:14:14:3 | { ... } | Test.java:13:4:13:10 | ...; | 4 |
+| Test.java:11:14:14:3 | { ... } | Test.java:13:8:13:9 | 10 | 5 |
+| Test.java:14:10:16:3 | { ... } | Test.java:14:10:16:3 | { ... } | 0 |
+| Test.java:14:10:16:3 | { ... } | Test.java:15:4:15:9 | ...=... | 3 |
+| Test.java:14:10:16:3 | { ... } | Test.java:15:4:15:10 | ...; | 1 |
+| Test.java:14:10:16:3 | { ... } | Test.java:15:8:15:9 | 30 | 2 |
+| Test.java:18:3:18:8 | ...; | Test.java:18:3:18:7 | ...=... | 2 |
+| Test.java:18:3:18:8 | ...; | Test.java:18:3:18:8 | ...; | 0 |
+| Test.java:18:3:18:8 | ...; | Test.java:18:7:18:7 | 0 | 1 |
+| Test.java:18:3:18:8 | ...; | Test.java:21:3:21:11 | if (...) | 3 |
+| Test.java:18:3:18:8 | ...; | Test.java:21:6:21:6 | x | 4 |
+| Test.java:18:3:18:8 | ...; | Test.java:21:6:21:10 | ... < ... | 6 |
+| Test.java:18:3:18:8 | ...; | Test.java:21:10:21:10 | 0 | 5 |
+| Test.java:22:4:22:10 | ...; | Test.java:22:4:22:9 | ...=... | 2 |
+| Test.java:22:4:22:10 | ...; | Test.java:22:4:22:10 | ...; | 0 |
+| Test.java:22:4:22:10 | ...; | Test.java:22:8:22:9 | 40 | 1 |
+| Test.java:22:4:22:10 | ...; | Test.java:27:3:27:8 | ...=... | 5 |
+| Test.java:22:4:22:10 | ...; | Test.java:27:3:27:9 | ...; | 3 |
+| Test.java:22:4:22:10 | ...; | Test.java:27:7:27:8 | 10 | 4 |
+| Test.java:22:4:22:10 | ...; | Test.java:30:3:30:13 | if (...) | 6 |
+| Test.java:22:4:22:10 | ...; | Test.java:30:7:30:7 | x | 7 |
+| Test.java:22:4:22:10 | ...; | Test.java:30:7:30:12 | ... == ... | 9 |
+| Test.java:22:4:22:10 | ...; | Test.java:30:12:30:12 | 0 | 8 |
+| Test.java:24:4:24:10 | return ... | Test.java:24:4:24:10 | return ... | 0 |
+| Test.java:30:15:33:3 | { ... } | Test.java:30:15:33:3 | { ... } | 0 |
+| Test.java:30:15:33:3 | { ... } | Test.java:31:4:31:9 | ...=... | 3 |
+| Test.java:30:15:33:3 | { ... } | Test.java:31:4:31:10 | ...; | 1 |
+| Test.java:30:15:33:3 | { ... } | Test.java:31:8:31:9 | 60 | 2 |
+| Test.java:30:15:33:3 | { ... } | Test.java:32:4:32:9 | ...=... | 6 |
+| Test.java:30:15:33:3 | { ... } | Test.java:32:4:32:10 | ...; | 4 |
+| Test.java:30:15:33:3 | { ... } | Test.java:32:8:32:9 | 10 | 5 |
+| Test.java:35:3:35:9 | ...; | Test.java:35:3:35:8 | ...=... | 2 |
+| Test.java:35:3:35:9 | ...; | Test.java:35:3:35:9 | ...; | 0 |
+| Test.java:35:3:35:9 | ...; | Test.java:35:7:35:8 | 20 | 1 |
+| Test.java:35:3:35:9 | ...; | Test.java:38:3:38:14 | while (...) | 3 |
 | Test.java:38:9:38:9 | x | Test.java:38:9:38:9 | x | 0 |
 | Test.java:38:9:38:9 | x | Test.java:38:9:38:13 | ... > ... | 2 |
 | Test.java:38:9:38:9 | x | Test.java:38:13:38:13 | 0 | 1 |
-| Test.java:38:16:41:3 | stmt | Test.java:38:16:41:3 | stmt | 0 |
-| Test.java:38:16:41:3 | stmt | Test.java:39:4:39:9 | ...=... | 3 |
-| Test.java:38:16:41:3 | stmt | Test.java:39:4:39:10 | stmt | 1 |
-| Test.java:38:16:41:3 | stmt | Test.java:39:8:39:9 | 10 | 2 |
-| Test.java:38:16:41:3 | stmt | Test.java:40:4:40:4 | x | 5 |
-| Test.java:38:16:41:3 | stmt | Test.java:40:4:40:6 | ...-- | 6 |
-| Test.java:38:16:41:3 | stmt | Test.java:40:4:40:7 | stmt | 4 |
-| Test.java:43:3:43:9 | stmt | Test.java:43:3:43:8 | ...=... | 2 |
-| Test.java:43:3:43:9 | stmt | Test.java:43:3:43:9 | stmt | 0 |
-| Test.java:43:3:43:9 | stmt | Test.java:43:7:43:8 | 30 | 1 |
-| Test.java:43:3:43:9 | stmt | Test.java:46:3:46:29 | stmt | 3 |
-| Test.java:43:3:43:9 | stmt | Test.java:46:11:46:15 | j | 5 |
-| Test.java:43:3:43:9 | stmt | Test.java:46:15:46:15 | 0 | 4 |
+| Test.java:38:16:41:3 | { ... } | Test.java:38:16:41:3 | { ... } | 0 |
+| Test.java:38:16:41:3 | { ... } | Test.java:39:4:39:9 | ...=... | 3 |
+| Test.java:38:16:41:3 | { ... } | Test.java:39:4:39:10 | ...; | 1 |
+| Test.java:38:16:41:3 | { ... } | Test.java:39:8:39:9 | 10 | 2 |
+| Test.java:38:16:41:3 | { ... } | Test.java:40:4:40:4 | x | 5 |
+| Test.java:38:16:41:3 | { ... } | Test.java:40:4:40:6 | ...-- | 6 |
+| Test.java:38:16:41:3 | { ... } | Test.java:40:4:40:7 | ...; | 4 |
+| Test.java:43:3:43:9 | ...; | Test.java:43:3:43:8 | ...=... | 2 |
+| Test.java:43:3:43:9 | ...; | Test.java:43:3:43:9 | ...; | 0 |
+| Test.java:43:3:43:9 | ...; | Test.java:43:7:43:8 | 30 | 1 |
+| Test.java:43:3:43:9 | ...; | Test.java:46:3:46:29 | for (...) | 3 |
+| Test.java:43:3:43:9 | ...; | Test.java:46:11:46:15 | j | 5 |
+| Test.java:43:3:43:9 | ...; | Test.java:46:15:46:15 | 0 | 4 |
 | Test.java:46:18:46:18 | j | Test.java:46:18:46:18 | j | 0 |
 | Test.java:46:18:46:18 | j | Test.java:46:18:46:23 | ... < ... | 2 |
 | Test.java:46:18:46:18 | j | Test.java:46:22:46:23 | 10 | 1 |
-| Test.java:46:31:49:3 | stmt | Test.java:46:26:46:26 | j | 7 |
-| Test.java:46:31:49:3 | stmt | Test.java:46:26:46:28 | ...++ | 8 |
-| Test.java:46:31:49:3 | stmt | Test.java:46:31:49:3 | stmt | 0 |
-| Test.java:46:31:49:3 | stmt | Test.java:47:4:47:8 | ...=... | 3 |
-| Test.java:46:31:49:3 | stmt | Test.java:47:4:47:9 | stmt | 1 |
-| Test.java:46:31:49:3 | stmt | Test.java:47:8:47:8 | 0 | 2 |
-| Test.java:46:31:49:3 | stmt | Test.java:48:4:48:9 | ...=... | 6 |
-| Test.java:46:31:49:3 | stmt | Test.java:48:4:48:10 | stmt | 4 |
-| Test.java:46:31:49:3 | stmt | Test.java:48:8:48:9 | 10 | 5 |
-| Test.java:51:3:51:9 | stmt | Test.java:51:3:51:8 | ...=... | 2 |
-| Test.java:51:3:51:9 | stmt | Test.java:51:3:51:9 | stmt | 0 |
-| Test.java:51:3:51:9 | stmt | Test.java:51:7:51:8 | 40 | 1 |
-| Test.java:51:3:51:9 | stmt | Test.java:54:3:54:29 | stmt | 3 |
-| Test.java:51:3:51:9 | stmt | Test.java:54:11:54:15 | j | 5 |
-| Test.java:51:3:51:9 | stmt | Test.java:54:15:54:15 | 0 | 4 |
+| Test.java:46:31:49:3 | { ... } | Test.java:46:26:46:26 | j | 7 |
+| Test.java:46:31:49:3 | { ... } | Test.java:46:26:46:28 | ...++ | 8 |
+| Test.java:46:31:49:3 | { ... } | Test.java:46:31:49:3 | { ... } | 0 |
+| Test.java:46:31:49:3 | { ... } | Test.java:47:4:47:8 | ...=... | 3 |
+| Test.java:46:31:49:3 | { ... } | Test.java:47:4:47:9 | ...; | 1 |
+| Test.java:46:31:49:3 | { ... } | Test.java:47:8:47:8 | 0 | 2 |
+| Test.java:46:31:49:3 | { ... } | Test.java:48:4:48:9 | ...=... | 6 |
+| Test.java:46:31:49:3 | { ... } | Test.java:48:4:48:10 | ...; | 4 |
+| Test.java:46:31:49:3 | { ... } | Test.java:48:8:48:9 | 10 | 5 |
+| Test.java:51:3:51:9 | ...; | Test.java:51:3:51:8 | ...=... | 2 |
+| Test.java:51:3:51:9 | ...; | Test.java:51:3:51:9 | ...; | 0 |
+| Test.java:51:3:51:9 | ...; | Test.java:51:7:51:8 | 40 | 1 |
+| Test.java:51:3:51:9 | ...; | Test.java:54:3:54:29 | for (...) | 3 |
+| Test.java:51:3:51:9 | ...; | Test.java:54:11:54:15 | j | 5 |
+| Test.java:51:3:51:9 | ...; | Test.java:54:15:54:15 | 0 | 4 |
 | Test.java:54:18:54:18 | j | Test.java:54:18:54:18 | j | 0 |
 | Test.java:54:18:54:18 | j | Test.java:54:18:54:23 | ... < ... | 2 |
 | Test.java:54:18:54:18 | j | Test.java:54:22:54:23 | 10 | 1 |
 | Test.java:54:26:54:26 | j | Test.java:54:26:54:26 | j | 0 |
 | Test.java:54:26:54:26 | j | Test.java:54:26:54:28 | ...++ | 1 |
-| Test.java:54:31:68:3 | stmt | Test.java:54:31:68:3 | stmt | 0 |
-| Test.java:54:31:68:3 | stmt | Test.java:55:4:55:9 | ...=... | 3 |
-| Test.java:54:31:68:3 | stmt | Test.java:55:4:55:10 | stmt | 1 |
-| Test.java:54:31:68:3 | stmt | Test.java:55:8:55:9 | 30 | 2 |
-| Test.java:54:31:68:3 | stmt | Test.java:56:4:56:12 | stmt | 4 |
-| Test.java:54:31:68:3 | stmt | Test.java:56:7:56:7 | z | 5 |
-| Test.java:54:31:68:3 | stmt | Test.java:56:7:56:11 | ... > ... | 7 |
-| Test.java:54:31:68:3 | stmt | Test.java:56:11:56:11 | 0 | 6 |
-| Test.java:57:5:57:13 | stmt | Test.java:57:5:57:13 | stmt | 0 |
-| Test.java:57:5:57:13 | stmt | Test.java:57:8:57:8 | y | 1 |
-| Test.java:57:5:57:13 | stmt | Test.java:57:8:57:12 | ... > ... | 3 |
-| Test.java:57:5:57:13 | stmt | Test.java:57:12:57:12 | 0 | 2 |
-| Test.java:57:15:60:5 | stmt | Test.java:57:15:60:5 | stmt | 0 |
-| Test.java:57:15:60:5 | stmt | Test.java:58:6:58:10 | ...=... | 3 |
-| Test.java:57:15:60:5 | stmt | Test.java:58:6:58:11 | stmt | 1 |
-| Test.java:57:15:60:5 | stmt | Test.java:58:10:58:10 | 0 | 2 |
-| Test.java:57:15:60:5 | stmt | Test.java:59:6:59:11 | stmt | 4 |
-| Test.java:60:12:62:5 | stmt | Test.java:60:12:62:5 | stmt | 0 |
-| Test.java:60:12:62:5 | stmt | Test.java:61:6:61:11 | ...=... | 3 |
-| Test.java:60:12:62:5 | stmt | Test.java:61:6:61:12 | stmt | 1 |
-| Test.java:60:12:62:5 | stmt | Test.java:61:10:61:11 | 20 | 2 |
-| Test.java:60:12:62:5 | stmt | Test.java:67:4:67:8 | ...=... | 6 |
-| Test.java:60:12:62:5 | stmt | Test.java:67:4:67:9 | stmt | 4 |
-| Test.java:60:12:62:5 | stmt | Test.java:67:8:67:8 | 0 | 5 |
-| Test.java:63:9:66:4 | stmt | Test.java:63:9:66:4 | stmt | 0 |
-| Test.java:63:9:66:4 | stmt | Test.java:64:5:64:10 | ...=... | 3 |
-| Test.java:63:9:66:4 | stmt | Test.java:64:5:64:11 | stmt | 1 |
-| Test.java:63:9:66:4 | stmt | Test.java:64:9:64:10 | 10 | 2 |
-| Test.java:63:9:66:4 | stmt | Test.java:65:5:65:13 | stmt | 4 |
-| Test.java:70:3:70:9 | stmt | Test.java:70:3:70:8 | ...=... | 2 |
-| Test.java:70:3:70:9 | stmt | Test.java:70:3:70:9 | stmt | 0 |
-| Test.java:70:3:70:9 | stmt | Test.java:70:7:70:8 | 50 | 1 |
-| Test.java:70:3:70:9 | stmt | Test.java:74:3:74:8 | ...=... | 5 |
-| Test.java:70:3:70:9 | stmt | Test.java:74:3:74:9 | stmt | 3 |
-| Test.java:70:3:70:9 | stmt | Test.java:74:7:74:8 | 40 | 4 |
-| Test.java:70:3:70:9 | stmt | Test.java:75:3:75:9 | stmt | 6 |
+| Test.java:54:31:68:3 | { ... } | Test.java:54:31:68:3 | { ... } | 0 |
+| Test.java:54:31:68:3 | { ... } | Test.java:55:4:55:9 | ...=... | 3 |
+| Test.java:54:31:68:3 | { ... } | Test.java:55:4:55:10 | ...; | 1 |
+| Test.java:54:31:68:3 | { ... } | Test.java:55:8:55:9 | 30 | 2 |
+| Test.java:54:31:68:3 | { ... } | Test.java:56:4:56:12 | if (...) | 4 |
+| Test.java:54:31:68:3 | { ... } | Test.java:56:7:56:7 | z | 5 |
+| Test.java:54:31:68:3 | { ... } | Test.java:56:7:56:11 | ... > ... | 7 |
+| Test.java:54:31:68:3 | { ... } | Test.java:56:11:56:11 | 0 | 6 |
+| Test.java:57:5:57:13 | if (...) | Test.java:57:5:57:13 | if (...) | 0 |
+| Test.java:57:5:57:13 | if (...) | Test.java:57:8:57:8 | y | 1 |
+| Test.java:57:5:57:13 | if (...) | Test.java:57:8:57:12 | ... > ... | 3 |
+| Test.java:57:5:57:13 | if (...) | Test.java:57:12:57:12 | 0 | 2 |
+| Test.java:57:15:60:5 | { ... } | Test.java:57:15:60:5 | { ... } | 0 |
+| Test.java:57:15:60:5 | { ... } | Test.java:58:6:58:10 | ...=... | 3 |
+| Test.java:57:15:60:5 | { ... } | Test.java:58:6:58:11 | ...; | 1 |
+| Test.java:57:15:60:5 | { ... } | Test.java:58:10:58:10 | 0 | 2 |
+| Test.java:57:15:60:5 | { ... } | Test.java:59:6:59:11 | break | 4 |
+| Test.java:60:12:62:5 | { ... } | Test.java:60:12:62:5 | { ... } | 0 |
+| Test.java:60:12:62:5 | { ... } | Test.java:61:6:61:11 | ...=... | 3 |
+| Test.java:60:12:62:5 | { ... } | Test.java:61:6:61:12 | ...; | 1 |
+| Test.java:60:12:62:5 | { ... } | Test.java:61:10:61:11 | 20 | 2 |
+| Test.java:60:12:62:5 | { ... } | Test.java:67:4:67:8 | ...=... | 6 |
+| Test.java:60:12:62:5 | { ... } | Test.java:67:4:67:9 | ...; | 4 |
+| Test.java:60:12:62:5 | { ... } | Test.java:67:8:67:8 | 0 | 5 |
+| Test.java:63:9:66:4 | { ... } | Test.java:63:9:66:4 | { ... } | 0 |
+| Test.java:63:9:66:4 | { ... } | Test.java:64:5:64:10 | ...=... | 3 |
+| Test.java:63:9:66:4 | { ... } | Test.java:64:5:64:11 | ...; | 1 |
+| Test.java:63:9:66:4 | { ... } | Test.java:64:9:64:10 | 10 | 2 |
+| Test.java:63:9:66:4 | { ... } | Test.java:65:5:65:13 | continue | 4 |
+| Test.java:70:3:70:9 | ...; | Test.java:70:3:70:8 | ...=... | 2 |
+| Test.java:70:3:70:9 | ...; | Test.java:70:3:70:9 | ...; | 0 |
+| Test.java:70:3:70:9 | ...; | Test.java:70:7:70:8 | 50 | 1 |
+| Test.java:70:3:70:9 | ...; | Test.java:74:3:74:8 | ...=... | 5 |
+| Test.java:70:3:70:9 | ...; | Test.java:74:3:74:9 | ...; | 3 |
+| Test.java:70:3:70:9 | ...; | Test.java:74:7:74:8 | 40 | 4 |
+| Test.java:70:3:70:9 | ...; | Test.java:75:3:75:9 | return ... | 6 |
diff --git a/java/ql/test/library-tests/controlflow/basic/bbStrictDominance.expected b/java/ql/test/library-tests/controlflow/basic/bbStrictDominance.expected
index db369433527..cc15fb63a29 100644
--- a/java/ql/test/library-tests/controlflow/basic/bbStrictDominance.expected
+++ b/java/ql/test/library-tests/controlflow/basic/bbStrictDominance.expected
@@ -1,127 +1,127 @@
-| Test.java:4:21:76:2 | stmt | Test.java:4:14:4:17 | test |
-| Test.java:4:21:76:2 | stmt | Test.java:11:14:14:3 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:14:10:16:3 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:18:3:18:8 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:24:4:24:10 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:38:9:38:9 | x |
-| Test.java:4:21:76:2 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:46:18:46:18 | j |
-| Test.java:4:21:76:2 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:54:18:54:18 | j |
-| Test.java:4:21:76:2 | stmt | Test.java:54:26:54:26 | j |
-| Test.java:4:21:76:2 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:4:14:4:17 | test |
-| Test.java:18:3:18:8 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:24:4:24:10 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:38:9:38:9 | x |
-| Test.java:18:3:18:8 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:46:18:46:18 | j |
-| Test.java:18:3:18:8 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:54:18:54:18 | j |
-| Test.java:18:3:18:8 | stmt | Test.java:54:26:54:26 | j |
-| Test.java:18:3:18:8 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:38:9:38:9 | x |
-| Test.java:22:4:22:10 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:46:18:46:18 | j |
-| Test.java:22:4:22:10 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:54:18:54:18 | j |
-| Test.java:22:4:22:10 | stmt | Test.java:54:26:54:26 | j |
-| Test.java:22:4:22:10 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:38:9:38:9 | x |
-| Test.java:35:3:35:9 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:46:18:46:18 | j |
-| Test.java:35:3:35:9 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:54:18:54:18 | j |
-| Test.java:35:3:35:9 | stmt | Test.java:54:26:54:26 | j |
-| Test.java:35:3:35:9 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:38:9:38:9 | x | Test.java:38:16:41:3 | stmt |
-| Test.java:38:9:38:9 | x | Test.java:43:3:43:9 | stmt |
+| Test.java:4:21:76:2 | { ... } | Test.java:4:14:4:17 | test |
+| Test.java:4:21:76:2 | { ... } | Test.java:11:14:14:3 | { ... } |
+| Test.java:4:21:76:2 | { ... } | Test.java:14:10:16:3 | { ... } |
+| Test.java:4:21:76:2 | { ... } | Test.java:18:3:18:8 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:22:4:22:10 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:24:4:24:10 | return ... |
+| Test.java:4:21:76:2 | { ... } | Test.java:30:15:33:3 | { ... } |
+| Test.java:4:21:76:2 | { ... } | Test.java:35:3:35:9 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:38:9:38:9 | x |
+| Test.java:4:21:76:2 | { ... } | Test.java:38:16:41:3 | { ... } |
+| Test.java:4:21:76:2 | { ... } | Test.java:43:3:43:9 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:46:18:46:18 | j |
+| Test.java:4:21:76:2 | { ... } | Test.java:46:31:49:3 | { ... } |
+| Test.java:4:21:76:2 | { ... } | Test.java:51:3:51:9 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:54:18:54:18 | j |
+| Test.java:4:21:76:2 | { ... } | Test.java:54:26:54:26 | j |
+| Test.java:4:21:76:2 | { ... } | Test.java:54:31:68:3 | { ... } |
+| Test.java:4:21:76:2 | { ... } | Test.java:57:5:57:13 | if (...) |
+| Test.java:4:21:76:2 | { ... } | Test.java:57:15:60:5 | { ... } |
+| Test.java:4:21:76:2 | { ... } | Test.java:60:12:62:5 | { ... } |
+| Test.java:4:21:76:2 | { ... } | Test.java:63:9:66:4 | { ... } |
+| Test.java:4:21:76:2 | { ... } | Test.java:70:3:70:9 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:4:14:4:17 | test |
+| Test.java:18:3:18:8 | ...; | Test.java:22:4:22:10 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:24:4:24:10 | return ... |
+| Test.java:18:3:18:8 | ...; | Test.java:30:15:33:3 | { ... } |
+| Test.java:18:3:18:8 | ...; | Test.java:35:3:35:9 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:38:9:38:9 | x |
+| Test.java:18:3:18:8 | ...; | Test.java:38:16:41:3 | { ... } |
+| Test.java:18:3:18:8 | ...; | Test.java:43:3:43:9 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:46:18:46:18 | j |
+| Test.java:18:3:18:8 | ...; | Test.java:46:31:49:3 | { ... } |
+| Test.java:18:3:18:8 | ...; | Test.java:51:3:51:9 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:54:18:54:18 | j |
+| Test.java:18:3:18:8 | ...; | Test.java:54:26:54:26 | j |
+| Test.java:18:3:18:8 | ...; | Test.java:54:31:68:3 | { ... } |
+| Test.java:18:3:18:8 | ...; | Test.java:57:5:57:13 | if (...) |
+| Test.java:18:3:18:8 | ...; | Test.java:57:15:60:5 | { ... } |
+| Test.java:18:3:18:8 | ...; | Test.java:60:12:62:5 | { ... } |
+| Test.java:18:3:18:8 | ...; | Test.java:63:9:66:4 | { ... } |
+| Test.java:18:3:18:8 | ...; | Test.java:70:3:70:9 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:30:15:33:3 | { ... } |
+| Test.java:22:4:22:10 | ...; | Test.java:35:3:35:9 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:38:9:38:9 | x |
+| Test.java:22:4:22:10 | ...; | Test.java:38:16:41:3 | { ... } |
+| Test.java:22:4:22:10 | ...; | Test.java:43:3:43:9 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:46:18:46:18 | j |
+| Test.java:22:4:22:10 | ...; | Test.java:46:31:49:3 | { ... } |
+| Test.java:22:4:22:10 | ...; | Test.java:51:3:51:9 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:54:18:54:18 | j |
+| Test.java:22:4:22:10 | ...; | Test.java:54:26:54:26 | j |
+| Test.java:22:4:22:10 | ...; | Test.java:54:31:68:3 | { ... } |
+| Test.java:22:4:22:10 | ...; | Test.java:57:5:57:13 | if (...) |
+| Test.java:22:4:22:10 | ...; | Test.java:57:15:60:5 | { ... } |
+| Test.java:22:4:22:10 | ...; | Test.java:60:12:62:5 | { ... } |
+| Test.java:22:4:22:10 | ...; | Test.java:63:9:66:4 | { ... } |
+| Test.java:22:4:22:10 | ...; | Test.java:70:3:70:9 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:38:9:38:9 | x |
+| Test.java:35:3:35:9 | ...; | Test.java:38:16:41:3 | { ... } |
+| Test.java:35:3:35:9 | ...; | Test.java:43:3:43:9 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:46:18:46:18 | j |
+| Test.java:35:3:35:9 | ...; | Test.java:46:31:49:3 | { ... } |
+| Test.java:35:3:35:9 | ...; | Test.java:51:3:51:9 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:54:18:54:18 | j |
+| Test.java:35:3:35:9 | ...; | Test.java:54:26:54:26 | j |
+| Test.java:35:3:35:9 | ...; | Test.java:54:31:68:3 | { ... } |
+| Test.java:35:3:35:9 | ...; | Test.java:57:5:57:13 | if (...) |
+| Test.java:35:3:35:9 | ...; | Test.java:57:15:60:5 | { ... } |
+| Test.java:35:3:35:9 | ...; | Test.java:60:12:62:5 | { ... } |
+| Test.java:35:3:35:9 | ...; | Test.java:63:9:66:4 | { ... } |
+| Test.java:35:3:35:9 | ...; | Test.java:70:3:70:9 | ...; |
+| Test.java:38:9:38:9 | x | Test.java:38:16:41:3 | { ... } |
+| Test.java:38:9:38:9 | x | Test.java:43:3:43:9 | ...; |
 | Test.java:38:9:38:9 | x | Test.java:46:18:46:18 | j |
-| Test.java:38:9:38:9 | x | Test.java:46:31:49:3 | stmt |
-| Test.java:38:9:38:9 | x | Test.java:51:3:51:9 | stmt |
+| Test.java:38:9:38:9 | x | Test.java:46:31:49:3 | { ... } |
+| Test.java:38:9:38:9 | x | Test.java:51:3:51:9 | ...; |
 | Test.java:38:9:38:9 | x | Test.java:54:18:54:18 | j |
 | Test.java:38:9:38:9 | x | Test.java:54:26:54:26 | j |
-| Test.java:38:9:38:9 | x | Test.java:54:31:68:3 | stmt |
-| Test.java:38:9:38:9 | x | Test.java:57:5:57:13 | stmt |
-| Test.java:38:9:38:9 | x | Test.java:57:15:60:5 | stmt |
-| Test.java:38:9:38:9 | x | Test.java:60:12:62:5 | stmt |
-| Test.java:38:9:38:9 | x | Test.java:63:9:66:4 | stmt |
-| Test.java:38:9:38:9 | x | Test.java:70:3:70:9 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:46:18:46:18 | j |
-| Test.java:43:3:43:9 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:54:18:54:18 | j |
-| Test.java:43:3:43:9 | stmt | Test.java:54:26:54:26 | j |
-| Test.java:43:3:43:9 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:46:18:46:18 | j | Test.java:46:31:49:3 | stmt |
-| Test.java:46:18:46:18 | j | Test.java:51:3:51:9 | stmt |
+| Test.java:38:9:38:9 | x | Test.java:54:31:68:3 | { ... } |
+| Test.java:38:9:38:9 | x | Test.java:57:5:57:13 | if (...) |
+| Test.java:38:9:38:9 | x | Test.java:57:15:60:5 | { ... } |
+| Test.java:38:9:38:9 | x | Test.java:60:12:62:5 | { ... } |
+| Test.java:38:9:38:9 | x | Test.java:63:9:66:4 | { ... } |
+| Test.java:38:9:38:9 | x | Test.java:70:3:70:9 | ...; |
+| Test.java:43:3:43:9 | ...; | Test.java:46:18:46:18 | j |
+| Test.java:43:3:43:9 | ...; | Test.java:46:31:49:3 | { ... } |
+| Test.java:43:3:43:9 | ...; | Test.java:51:3:51:9 | ...; |
+| Test.java:43:3:43:9 | ...; | Test.java:54:18:54:18 | j |
+| Test.java:43:3:43:9 | ...; | Test.java:54:26:54:26 | j |
+| Test.java:43:3:43:9 | ...; | Test.java:54:31:68:3 | { ... } |
+| Test.java:43:3:43:9 | ...; | Test.java:57:5:57:13 | if (...) |
+| Test.java:43:3:43:9 | ...; | Test.java:57:15:60:5 | { ... } |
+| Test.java:43:3:43:9 | ...; | Test.java:60:12:62:5 | { ... } |
+| Test.java:43:3:43:9 | ...; | Test.java:63:9:66:4 | { ... } |
+| Test.java:43:3:43:9 | ...; | Test.java:70:3:70:9 | ...; |
+| Test.java:46:18:46:18 | j | Test.java:46:31:49:3 | { ... } |
+| Test.java:46:18:46:18 | j | Test.java:51:3:51:9 | ...; |
 | Test.java:46:18:46:18 | j | Test.java:54:18:54:18 | j |
 | Test.java:46:18:46:18 | j | Test.java:54:26:54:26 | j |
-| Test.java:46:18:46:18 | j | Test.java:54:31:68:3 | stmt |
-| Test.java:46:18:46:18 | j | Test.java:57:5:57:13 | stmt |
-| Test.java:46:18:46:18 | j | Test.java:57:15:60:5 | stmt |
-| Test.java:46:18:46:18 | j | Test.java:60:12:62:5 | stmt |
-| Test.java:46:18:46:18 | j | Test.java:63:9:66:4 | stmt |
-| Test.java:46:18:46:18 | j | Test.java:70:3:70:9 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:54:18:54:18 | j |
-| Test.java:51:3:51:9 | stmt | Test.java:54:26:54:26 | j |
-| Test.java:51:3:51:9 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:70:3:70:9 | stmt |
+| Test.java:46:18:46:18 | j | Test.java:54:31:68:3 | { ... } |
+| Test.java:46:18:46:18 | j | Test.java:57:5:57:13 | if (...) |
+| Test.java:46:18:46:18 | j | Test.java:57:15:60:5 | { ... } |
+| Test.java:46:18:46:18 | j | Test.java:60:12:62:5 | { ... } |
+| Test.java:46:18:46:18 | j | Test.java:63:9:66:4 | { ... } |
+| Test.java:46:18:46:18 | j | Test.java:70:3:70:9 | ...; |
+| Test.java:51:3:51:9 | ...; | Test.java:54:18:54:18 | j |
+| Test.java:51:3:51:9 | ...; | Test.java:54:26:54:26 | j |
+| Test.java:51:3:51:9 | ...; | Test.java:54:31:68:3 | { ... } |
+| Test.java:51:3:51:9 | ...; | Test.java:57:5:57:13 | if (...) |
+| Test.java:51:3:51:9 | ...; | Test.java:57:15:60:5 | { ... } |
+| Test.java:51:3:51:9 | ...; | Test.java:60:12:62:5 | { ... } |
+| Test.java:51:3:51:9 | ...; | Test.java:63:9:66:4 | { ... } |
+| Test.java:51:3:51:9 | ...; | Test.java:70:3:70:9 | ...; |
 | Test.java:54:18:54:18 | j | Test.java:54:26:54:26 | j |
-| Test.java:54:18:54:18 | j | Test.java:54:31:68:3 | stmt |
-| Test.java:54:18:54:18 | j | Test.java:57:5:57:13 | stmt |
-| Test.java:54:18:54:18 | j | Test.java:57:15:60:5 | stmt |
-| Test.java:54:18:54:18 | j | Test.java:60:12:62:5 | stmt |
-| Test.java:54:18:54:18 | j | Test.java:63:9:66:4 | stmt |
-| Test.java:54:18:54:18 | j | Test.java:70:3:70:9 | stmt |
-| Test.java:54:31:68:3 | stmt | Test.java:54:26:54:26 | j |
-| Test.java:54:31:68:3 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:54:31:68:3 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:54:31:68:3 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:54:31:68:3 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:57:5:57:13 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:57:5:57:13 | stmt | Test.java:60:12:62:5 | stmt |
+| Test.java:54:18:54:18 | j | Test.java:54:31:68:3 | { ... } |
+| Test.java:54:18:54:18 | j | Test.java:57:5:57:13 | if (...) |
+| Test.java:54:18:54:18 | j | Test.java:57:15:60:5 | { ... } |
+| Test.java:54:18:54:18 | j | Test.java:60:12:62:5 | { ... } |
+| Test.java:54:18:54:18 | j | Test.java:63:9:66:4 | { ... } |
+| Test.java:54:18:54:18 | j | Test.java:70:3:70:9 | ...; |
+| Test.java:54:31:68:3 | { ... } | Test.java:54:26:54:26 | j |
+| Test.java:54:31:68:3 | { ... } | Test.java:57:5:57:13 | if (...) |
+| Test.java:54:31:68:3 | { ... } | Test.java:57:15:60:5 | { ... } |
+| Test.java:54:31:68:3 | { ... } | Test.java:60:12:62:5 | { ... } |
+| Test.java:54:31:68:3 | { ... } | Test.java:63:9:66:4 | { ... } |
+| Test.java:57:5:57:13 | if (...) | Test.java:57:15:60:5 | { ... } |
+| Test.java:57:5:57:13 | if (...) | Test.java:60:12:62:5 | { ... } |
diff --git a/java/ql/test/library-tests/controlflow/basic/bbSuccessor.expected b/java/ql/test/library-tests/controlflow/basic/bbSuccessor.expected
index 3aeb7b5553d..85e440eb5b1 100644
--- a/java/ql/test/library-tests/controlflow/basic/bbSuccessor.expected
+++ b/java/ql/test/library-tests/controlflow/basic/bbSuccessor.expected
@@ -1,30 +1,30 @@
-| Test.java:4:21:76:2 | stmt | Test.java:11:14:14:3 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:14:10:16:3 | stmt |
-| Test.java:11:14:14:3 | stmt | Test.java:18:3:18:8 | stmt |
-| Test.java:14:10:16:3 | stmt | Test.java:18:3:18:8 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:24:4:24:10 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:24:4:24:10 | stmt | Test.java:4:14:4:17 | test |
-| Test.java:30:15:33:3 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:38:9:38:9 | x |
-| Test.java:38:9:38:9 | x | Test.java:38:16:41:3 | stmt |
-| Test.java:38:9:38:9 | x | Test.java:43:3:43:9 | stmt |
-| Test.java:38:16:41:3 | stmt | Test.java:38:9:38:9 | x |
-| Test.java:43:3:43:9 | stmt | Test.java:46:18:46:18 | j |
-| Test.java:46:18:46:18 | j | Test.java:46:31:49:3 | stmt |
-| Test.java:46:18:46:18 | j | Test.java:51:3:51:9 | stmt |
-| Test.java:46:31:49:3 | stmt | Test.java:46:18:46:18 | j |
-| Test.java:51:3:51:9 | stmt | Test.java:54:18:54:18 | j |
-| Test.java:54:18:54:18 | j | Test.java:54:31:68:3 | stmt |
-| Test.java:54:18:54:18 | j | Test.java:70:3:70:9 | stmt |
+| Test.java:4:21:76:2 | { ... } | Test.java:11:14:14:3 | { ... } |
+| Test.java:4:21:76:2 | { ... } | Test.java:14:10:16:3 | { ... } |
+| Test.java:11:14:14:3 | { ... } | Test.java:18:3:18:8 | ...; |
+| Test.java:14:10:16:3 | { ... } | Test.java:18:3:18:8 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:22:4:22:10 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:24:4:24:10 | return ... |
+| Test.java:22:4:22:10 | ...; | Test.java:30:15:33:3 | { ... } |
+| Test.java:22:4:22:10 | ...; | Test.java:35:3:35:9 | ...; |
+| Test.java:24:4:24:10 | return ... | Test.java:4:14:4:17 | test |
+| Test.java:30:15:33:3 | { ... } | Test.java:35:3:35:9 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:38:9:38:9 | x |
+| Test.java:38:9:38:9 | x | Test.java:38:16:41:3 | { ... } |
+| Test.java:38:9:38:9 | x | Test.java:43:3:43:9 | ...; |
+| Test.java:38:16:41:3 | { ... } | Test.java:38:9:38:9 | x |
+| Test.java:43:3:43:9 | ...; | Test.java:46:18:46:18 | j |
+| Test.java:46:18:46:18 | j | Test.java:46:31:49:3 | { ... } |
+| Test.java:46:18:46:18 | j | Test.java:51:3:51:9 | ...; |
+| Test.java:46:31:49:3 | { ... } | Test.java:46:18:46:18 | j |
+| Test.java:51:3:51:9 | ...; | Test.java:54:18:54:18 | j |
+| Test.java:54:18:54:18 | j | Test.java:54:31:68:3 | { ... } |
+| Test.java:54:18:54:18 | j | Test.java:70:3:70:9 | ...; |
 | Test.java:54:26:54:26 | j | Test.java:54:18:54:18 | j |
-| Test.java:54:31:68:3 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:54:31:68:3 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:57:5:57:13 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:57:5:57:13 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:57:15:60:5 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:60:12:62:5 | stmt | Test.java:54:26:54:26 | j |
-| Test.java:63:9:66:4 | stmt | Test.java:54:26:54:26 | j |
-| Test.java:70:3:70:9 | stmt | Test.java:4:14:4:17 | test |
+| Test.java:54:31:68:3 | { ... } | Test.java:57:5:57:13 | if (...) |
+| Test.java:54:31:68:3 | { ... } | Test.java:63:9:66:4 | { ... } |
+| Test.java:57:5:57:13 | if (...) | Test.java:57:15:60:5 | { ... } |
+| Test.java:57:5:57:13 | if (...) | Test.java:60:12:62:5 | { ... } |
+| Test.java:57:15:60:5 | { ... } | Test.java:70:3:70:9 | ...; |
+| Test.java:60:12:62:5 | { ... } | Test.java:54:26:54:26 | j |
+| Test.java:63:9:66:4 | { ... } | Test.java:54:26:54:26 | j |
+| Test.java:70:3:70:9 | ...; | Test.java:4:14:4:17 | test |
diff --git a/java/ql/test/library-tests/controlflow/basic/strictDominance.expected b/java/ql/test/library-tests/controlflow/basic/strictDominance.expected
index 10dedd2727a..6db49af5ad8 100644
--- a/java/ql/test/library-tests/controlflow/basic/strictDominance.expected
+++ b/java/ql/test/library-tests/controlflow/basic/strictDominance.expected
@@ -1,628 +1,628 @@
-| Test.java:3:14:3:17 | stmt | Test.java:3:14:3:17 | super(...) |
-| Test.java:4:21:76:2 | stmt | Test.java:5:3:5:12 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:6:3:6:14 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:7:3:7:12 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:8:3:8:12 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:11:3:11:12 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:11:14:14:3 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:12:4:12:10 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:13:4:13:10 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:14:10:16:3 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:15:4:15:10 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:18:3:18:8 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:21:3:21:11 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:24:4:24:10 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:27:3:27:9 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:30:3:30:13 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:38:3:38:14 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:46:3:46:29 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:54:3:54:29 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:74:3:74:9 | stmt |
-| Test.java:4:21:76:2 | stmt | Test.java:75:3:75:9 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:6:3:6:14 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:7:3:7:12 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:8:3:8:12 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:11:3:11:12 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:11:14:14:3 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:12:4:12:10 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:13:4:13:10 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:14:10:16:3 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:15:4:15:10 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:18:3:18:8 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:21:3:21:11 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:24:4:24:10 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:27:3:27:9 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:30:3:30:13 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:38:3:38:14 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:46:3:46:29 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:54:3:54:29 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:74:3:74:9 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:75:3:75:9 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:7:3:7:12 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:8:3:8:12 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:11:3:11:12 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:11:14:14:3 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:12:4:12:10 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:13:4:13:10 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:14:10:16:3 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:15:4:15:10 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:18:3:18:8 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:21:3:21:11 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:24:4:24:10 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:27:3:27:9 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:30:3:30:13 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:38:3:38:14 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:46:3:46:29 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:54:3:54:29 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:74:3:74:9 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:75:3:75:9 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:8:3:8:12 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:11:3:11:12 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:11:14:14:3 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:12:4:12:10 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:13:4:13:10 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:14:10:16:3 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:15:4:15:10 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:18:3:18:8 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:21:3:21:11 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:24:4:24:10 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:27:3:27:9 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:30:3:30:13 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:38:3:38:14 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:46:3:46:29 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:54:3:54:29 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:74:3:74:9 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:75:3:75:9 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:11:3:11:12 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:11:14:14:3 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:12:4:12:10 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:13:4:13:10 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:14:10:16:3 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:15:4:15:10 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:18:3:18:8 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:21:3:21:11 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:24:4:24:10 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:27:3:27:9 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:30:3:30:13 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:38:3:38:14 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:46:3:46:29 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:54:3:54:29 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:74:3:74:9 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:75:3:75:9 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:11:14:14:3 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:12:4:12:10 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:13:4:13:10 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:14:10:16:3 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:15:4:15:10 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:18:3:18:8 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:21:3:21:11 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:24:4:24:10 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:27:3:27:9 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:30:3:30:13 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:38:3:38:14 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:46:3:46:29 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:54:3:54:29 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:74:3:74:9 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:75:3:75:9 | stmt |
-| Test.java:11:14:14:3 | stmt | Test.java:12:4:12:10 | stmt |
-| Test.java:11:14:14:3 | stmt | Test.java:13:4:13:10 | stmt |
-| Test.java:12:4:12:10 | stmt | Test.java:13:4:13:10 | stmt |
-| Test.java:14:10:16:3 | stmt | Test.java:15:4:15:10 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:21:3:21:11 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:24:4:24:10 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:27:3:27:9 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:30:3:30:13 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:38:3:38:14 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:46:3:46:29 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:54:3:54:29 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:74:3:74:9 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:75:3:75:9 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:24:4:24:10 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:27:3:27:9 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:30:3:30:13 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:38:3:38:14 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:46:3:46:29 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:54:3:54:29 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:74:3:74:9 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:75:3:75:9 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:27:3:27:9 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:30:3:30:13 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:38:3:38:14 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:46:3:46:29 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:54:3:54:29 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:74:3:74:9 | stmt |
-| Test.java:22:4:22:10 | stmt | Test.java:75:3:75:9 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:30:3:30:13 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:38:3:38:14 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:46:3:46:29 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:54:3:54:29 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:74:3:74:9 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:75:3:75:9 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:38:3:38:14 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:46:3:46:29 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:54:3:54:29 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:74:3:74:9 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:75:3:75:9 | stmt |
-| Test.java:30:15:33:3 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:30:15:33:3 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:31:4:31:10 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:38:3:38:14 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:46:3:46:29 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:54:3:54:29 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:74:3:74:9 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:75:3:75:9 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:46:3:46:29 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:54:3:54:29 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:74:3:74:9 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:75:3:75:9 | stmt |
-| Test.java:38:16:41:3 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:38:16:41:3 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:39:4:39:10 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:46:3:46:29 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:54:3:54:29 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:74:3:74:9 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:75:3:75:9 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:54:3:54:29 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:74:3:74:9 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:75:3:75:9 | stmt |
-| Test.java:46:31:49:3 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:46:31:49:3 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:47:4:47:9 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:54:3:54:29 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:74:3:74:9 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:75:3:75:9 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:74:3:74:9 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:75:3:75:9 | stmt |
-| Test.java:54:31:68:3 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:54:31:68:3 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:54:31:68:3 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:54:31:68:3 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:54:31:68:3 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:54:31:68:3 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:54:31:68:3 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:54:31:68:3 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:54:31:68:3 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:54:31:68:3 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:54:31:68:3 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:54:31:68:3 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:55:4:55:10 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:55:4:55:10 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:55:4:55:10 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:55:4:55:10 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:55:4:55:10 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:55:4:55:10 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:55:4:55:10 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:55:4:55:10 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:55:4:55:10 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:55:4:55:10 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:55:4:55:10 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:56:4:56:12 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:56:4:56:12 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:56:4:56:12 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:56:4:56:12 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:56:4:56:12 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:56:4:56:12 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:56:4:56:12 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:56:4:56:12 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:56:4:56:12 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:56:4:56:12 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:57:5:57:13 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:57:5:57:13 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:57:5:57:13 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:57:5:57:13 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:57:5:57:13 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:57:5:57:13 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:57:15:60:5 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:57:15:60:5 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:58:6:58:11 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:60:12:62:5 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:60:12:62:5 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:61:6:61:12 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:63:9:66:4 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:63:9:66:4 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:64:5:64:11 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:74:3:74:9 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:75:3:75:9 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:75:3:75:9 | stmt |
+| Test.java:3:14:3:17 | { ... } | Test.java:3:14:3:17 | super(...) |
+| Test.java:4:21:76:2 | { ... } | Test.java:5:3:5:12 | local variable declaration |
+| Test.java:4:21:76:2 | { ... } | Test.java:6:3:6:14 | local variable declaration |
+| Test.java:4:21:76:2 | { ... } | Test.java:7:3:7:12 | local variable declaration |
+| Test.java:4:21:76:2 | { ... } | Test.java:8:3:8:12 | local variable declaration |
+| Test.java:4:21:76:2 | { ... } | Test.java:11:3:11:12 | if (...) |
+| Test.java:4:21:76:2 | { ... } | Test.java:11:14:14:3 | { ... } |
+| Test.java:4:21:76:2 | { ... } | Test.java:12:4:12:10 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:13:4:13:10 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:14:10:16:3 | { ... } |
+| Test.java:4:21:76:2 | { ... } | Test.java:15:4:15:10 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:18:3:18:8 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:21:3:21:11 | if (...) |
+| Test.java:4:21:76:2 | { ... } | Test.java:22:4:22:10 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:24:4:24:10 | return ... |
+| Test.java:4:21:76:2 | { ... } | Test.java:27:3:27:9 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:30:3:30:13 | if (...) |
+| Test.java:4:21:76:2 | { ... } | Test.java:30:15:33:3 | { ... } |
+| Test.java:4:21:76:2 | { ... } | Test.java:31:4:31:10 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:32:4:32:10 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:35:3:35:9 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:38:3:38:14 | while (...) |
+| Test.java:4:21:76:2 | { ... } | Test.java:38:16:41:3 | { ... } |
+| Test.java:4:21:76:2 | { ... } | Test.java:39:4:39:10 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:40:4:40:7 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:43:3:43:9 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:46:3:46:29 | for (...) |
+| Test.java:4:21:76:2 | { ... } | Test.java:46:31:49:3 | { ... } |
+| Test.java:4:21:76:2 | { ... } | Test.java:47:4:47:9 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:48:4:48:10 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:51:3:51:9 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:54:3:54:29 | for (...) |
+| Test.java:4:21:76:2 | { ... } | Test.java:54:31:68:3 | { ... } |
+| Test.java:4:21:76:2 | { ... } | Test.java:55:4:55:10 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:56:4:56:12 | if (...) |
+| Test.java:4:21:76:2 | { ... } | Test.java:57:5:57:13 | if (...) |
+| Test.java:4:21:76:2 | { ... } | Test.java:57:15:60:5 | { ... } |
+| Test.java:4:21:76:2 | { ... } | Test.java:58:6:58:11 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:59:6:59:11 | break |
+| Test.java:4:21:76:2 | { ... } | Test.java:60:12:62:5 | { ... } |
+| Test.java:4:21:76:2 | { ... } | Test.java:61:6:61:12 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:63:9:66:4 | { ... } |
+| Test.java:4:21:76:2 | { ... } | Test.java:64:5:64:11 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:65:5:65:13 | continue |
+| Test.java:4:21:76:2 | { ... } | Test.java:67:4:67:9 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:70:3:70:9 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:74:3:74:9 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:75:3:75:9 | return ... |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:6:3:6:14 | local variable declaration |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:7:3:7:12 | local variable declaration |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:8:3:8:12 | local variable declaration |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:11:3:11:12 | if (...) |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:11:14:14:3 | { ... } |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:12:4:12:10 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:13:4:13:10 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:14:10:16:3 | { ... } |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:15:4:15:10 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:18:3:18:8 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:21:3:21:11 | if (...) |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:22:4:22:10 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:24:4:24:10 | return ... |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:27:3:27:9 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:30:3:30:13 | if (...) |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:30:15:33:3 | { ... } |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:31:4:31:10 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:32:4:32:10 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:35:3:35:9 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:38:3:38:14 | while (...) |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:38:16:41:3 | { ... } |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:39:4:39:10 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:40:4:40:7 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:43:3:43:9 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:46:3:46:29 | for (...) |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:46:31:49:3 | { ... } |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:47:4:47:9 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:48:4:48:10 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:51:3:51:9 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:54:3:54:29 | for (...) |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:54:31:68:3 | { ... } |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:55:4:55:10 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:56:4:56:12 | if (...) |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:57:5:57:13 | if (...) |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:57:15:60:5 | { ... } |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:58:6:58:11 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:59:6:59:11 | break |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:60:12:62:5 | { ... } |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:61:6:61:12 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:63:9:66:4 | { ... } |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:64:5:64:11 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:65:5:65:13 | continue |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:67:4:67:9 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:70:3:70:9 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:74:3:74:9 | ...; |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:75:3:75:9 | return ... |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:7:3:7:12 | local variable declaration |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:8:3:8:12 | local variable declaration |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:11:3:11:12 | if (...) |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:11:14:14:3 | { ... } |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:12:4:12:10 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:13:4:13:10 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:14:10:16:3 | { ... } |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:15:4:15:10 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:18:3:18:8 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:21:3:21:11 | if (...) |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:22:4:22:10 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:24:4:24:10 | return ... |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:27:3:27:9 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:30:3:30:13 | if (...) |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:30:15:33:3 | { ... } |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:31:4:31:10 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:32:4:32:10 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:35:3:35:9 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:38:3:38:14 | while (...) |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:38:16:41:3 | { ... } |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:39:4:39:10 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:40:4:40:7 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:43:3:43:9 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:46:3:46:29 | for (...) |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:46:31:49:3 | { ... } |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:47:4:47:9 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:48:4:48:10 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:51:3:51:9 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:54:3:54:29 | for (...) |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:54:31:68:3 | { ... } |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:55:4:55:10 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:56:4:56:12 | if (...) |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:57:5:57:13 | if (...) |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:57:15:60:5 | { ... } |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:58:6:58:11 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:59:6:59:11 | break |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:60:12:62:5 | { ... } |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:61:6:61:12 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:63:9:66:4 | { ... } |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:64:5:64:11 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:65:5:65:13 | continue |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:67:4:67:9 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:70:3:70:9 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:74:3:74:9 | ...; |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:75:3:75:9 | return ... |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:8:3:8:12 | local variable declaration |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:11:3:11:12 | if (...) |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:11:14:14:3 | { ... } |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:12:4:12:10 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:13:4:13:10 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:14:10:16:3 | { ... } |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:15:4:15:10 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:18:3:18:8 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:21:3:21:11 | if (...) |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:22:4:22:10 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:24:4:24:10 | return ... |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:27:3:27:9 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:30:3:30:13 | if (...) |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:30:15:33:3 | { ... } |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:31:4:31:10 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:32:4:32:10 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:35:3:35:9 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:38:3:38:14 | while (...) |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:38:16:41:3 | { ... } |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:39:4:39:10 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:40:4:40:7 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:43:3:43:9 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:46:3:46:29 | for (...) |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:46:31:49:3 | { ... } |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:47:4:47:9 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:48:4:48:10 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:51:3:51:9 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:54:3:54:29 | for (...) |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:54:31:68:3 | { ... } |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:55:4:55:10 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:56:4:56:12 | if (...) |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:57:5:57:13 | if (...) |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:57:15:60:5 | { ... } |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:58:6:58:11 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:59:6:59:11 | break |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:60:12:62:5 | { ... } |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:61:6:61:12 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:63:9:66:4 | { ... } |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:64:5:64:11 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:65:5:65:13 | continue |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:67:4:67:9 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:70:3:70:9 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:74:3:74:9 | ...; |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:75:3:75:9 | return ... |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:11:3:11:12 | if (...) |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:11:14:14:3 | { ... } |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:12:4:12:10 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:13:4:13:10 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:14:10:16:3 | { ... } |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:15:4:15:10 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:18:3:18:8 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:21:3:21:11 | if (...) |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:22:4:22:10 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:24:4:24:10 | return ... |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:27:3:27:9 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:30:3:30:13 | if (...) |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:30:15:33:3 | { ... } |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:31:4:31:10 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:32:4:32:10 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:35:3:35:9 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:38:3:38:14 | while (...) |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:38:16:41:3 | { ... } |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:39:4:39:10 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:40:4:40:7 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:43:3:43:9 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:46:3:46:29 | for (...) |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:46:31:49:3 | { ... } |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:47:4:47:9 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:48:4:48:10 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:51:3:51:9 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:54:3:54:29 | for (...) |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:54:31:68:3 | { ... } |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:55:4:55:10 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:56:4:56:12 | if (...) |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:57:5:57:13 | if (...) |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:57:15:60:5 | { ... } |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:58:6:58:11 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:59:6:59:11 | break |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:60:12:62:5 | { ... } |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:61:6:61:12 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:63:9:66:4 | { ... } |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:64:5:64:11 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:65:5:65:13 | continue |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:67:4:67:9 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:70:3:70:9 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:74:3:74:9 | ...; |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:75:3:75:9 | return ... |
+| Test.java:11:3:11:12 | if (...) | Test.java:11:14:14:3 | { ... } |
+| Test.java:11:3:11:12 | if (...) | Test.java:12:4:12:10 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:13:4:13:10 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:14:10:16:3 | { ... } |
+| Test.java:11:3:11:12 | if (...) | Test.java:15:4:15:10 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:18:3:18:8 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:21:3:21:11 | if (...) |
+| Test.java:11:3:11:12 | if (...) | Test.java:22:4:22:10 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:24:4:24:10 | return ... |
+| Test.java:11:3:11:12 | if (...) | Test.java:27:3:27:9 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:30:3:30:13 | if (...) |
+| Test.java:11:3:11:12 | if (...) | Test.java:30:15:33:3 | { ... } |
+| Test.java:11:3:11:12 | if (...) | Test.java:31:4:31:10 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:32:4:32:10 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:35:3:35:9 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:38:3:38:14 | while (...) |
+| Test.java:11:3:11:12 | if (...) | Test.java:38:16:41:3 | { ... } |
+| Test.java:11:3:11:12 | if (...) | Test.java:39:4:39:10 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:40:4:40:7 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:43:3:43:9 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:46:3:46:29 | for (...) |
+| Test.java:11:3:11:12 | if (...) | Test.java:46:31:49:3 | { ... } |
+| Test.java:11:3:11:12 | if (...) | Test.java:47:4:47:9 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:48:4:48:10 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:51:3:51:9 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:54:3:54:29 | for (...) |
+| Test.java:11:3:11:12 | if (...) | Test.java:54:31:68:3 | { ... } |
+| Test.java:11:3:11:12 | if (...) | Test.java:55:4:55:10 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:56:4:56:12 | if (...) |
+| Test.java:11:3:11:12 | if (...) | Test.java:57:5:57:13 | if (...) |
+| Test.java:11:3:11:12 | if (...) | Test.java:57:15:60:5 | { ... } |
+| Test.java:11:3:11:12 | if (...) | Test.java:58:6:58:11 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:59:6:59:11 | break |
+| Test.java:11:3:11:12 | if (...) | Test.java:60:12:62:5 | { ... } |
+| Test.java:11:3:11:12 | if (...) | Test.java:61:6:61:12 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:63:9:66:4 | { ... } |
+| Test.java:11:3:11:12 | if (...) | Test.java:64:5:64:11 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:65:5:65:13 | continue |
+| Test.java:11:3:11:12 | if (...) | Test.java:67:4:67:9 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:70:3:70:9 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:74:3:74:9 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:75:3:75:9 | return ... |
+| Test.java:11:14:14:3 | { ... } | Test.java:12:4:12:10 | ...; |
+| Test.java:11:14:14:3 | { ... } | Test.java:13:4:13:10 | ...; |
+| Test.java:12:4:12:10 | ...; | Test.java:13:4:13:10 | ...; |
+| Test.java:14:10:16:3 | { ... } | Test.java:15:4:15:10 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:21:3:21:11 | if (...) |
+| Test.java:18:3:18:8 | ...; | Test.java:22:4:22:10 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:24:4:24:10 | return ... |
+| Test.java:18:3:18:8 | ...; | Test.java:27:3:27:9 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:30:3:30:13 | if (...) |
+| Test.java:18:3:18:8 | ...; | Test.java:30:15:33:3 | { ... } |
+| Test.java:18:3:18:8 | ...; | Test.java:31:4:31:10 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:32:4:32:10 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:35:3:35:9 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:38:3:38:14 | while (...) |
+| Test.java:18:3:18:8 | ...; | Test.java:38:16:41:3 | { ... } |
+| Test.java:18:3:18:8 | ...; | Test.java:39:4:39:10 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:40:4:40:7 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:43:3:43:9 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:46:3:46:29 | for (...) |
+| Test.java:18:3:18:8 | ...; | Test.java:46:31:49:3 | { ... } |
+| Test.java:18:3:18:8 | ...; | Test.java:47:4:47:9 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:48:4:48:10 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:51:3:51:9 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:54:3:54:29 | for (...) |
+| Test.java:18:3:18:8 | ...; | Test.java:54:31:68:3 | { ... } |
+| Test.java:18:3:18:8 | ...; | Test.java:55:4:55:10 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:56:4:56:12 | if (...) |
+| Test.java:18:3:18:8 | ...; | Test.java:57:5:57:13 | if (...) |
+| Test.java:18:3:18:8 | ...; | Test.java:57:15:60:5 | { ... } |
+| Test.java:18:3:18:8 | ...; | Test.java:58:6:58:11 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:59:6:59:11 | break |
+| Test.java:18:3:18:8 | ...; | Test.java:60:12:62:5 | { ... } |
+| Test.java:18:3:18:8 | ...; | Test.java:61:6:61:12 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:63:9:66:4 | { ... } |
+| Test.java:18:3:18:8 | ...; | Test.java:64:5:64:11 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:65:5:65:13 | continue |
+| Test.java:18:3:18:8 | ...; | Test.java:67:4:67:9 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:70:3:70:9 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:74:3:74:9 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:75:3:75:9 | return ... |
+| Test.java:21:3:21:11 | if (...) | Test.java:22:4:22:10 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:24:4:24:10 | return ... |
+| Test.java:21:3:21:11 | if (...) | Test.java:27:3:27:9 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:30:3:30:13 | if (...) |
+| Test.java:21:3:21:11 | if (...) | Test.java:30:15:33:3 | { ... } |
+| Test.java:21:3:21:11 | if (...) | Test.java:31:4:31:10 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:32:4:32:10 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:35:3:35:9 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:38:3:38:14 | while (...) |
+| Test.java:21:3:21:11 | if (...) | Test.java:38:16:41:3 | { ... } |
+| Test.java:21:3:21:11 | if (...) | Test.java:39:4:39:10 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:40:4:40:7 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:43:3:43:9 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:46:3:46:29 | for (...) |
+| Test.java:21:3:21:11 | if (...) | Test.java:46:31:49:3 | { ... } |
+| Test.java:21:3:21:11 | if (...) | Test.java:47:4:47:9 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:48:4:48:10 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:51:3:51:9 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:54:3:54:29 | for (...) |
+| Test.java:21:3:21:11 | if (...) | Test.java:54:31:68:3 | { ... } |
+| Test.java:21:3:21:11 | if (...) | Test.java:55:4:55:10 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:56:4:56:12 | if (...) |
+| Test.java:21:3:21:11 | if (...) | Test.java:57:5:57:13 | if (...) |
+| Test.java:21:3:21:11 | if (...) | Test.java:57:15:60:5 | { ... } |
+| Test.java:21:3:21:11 | if (...) | Test.java:58:6:58:11 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:59:6:59:11 | break |
+| Test.java:21:3:21:11 | if (...) | Test.java:60:12:62:5 | { ... } |
+| Test.java:21:3:21:11 | if (...) | Test.java:61:6:61:12 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:63:9:66:4 | { ... } |
+| Test.java:21:3:21:11 | if (...) | Test.java:64:5:64:11 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:65:5:65:13 | continue |
+| Test.java:21:3:21:11 | if (...) | Test.java:67:4:67:9 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:70:3:70:9 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:74:3:74:9 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:75:3:75:9 | return ... |
+| Test.java:22:4:22:10 | ...; | Test.java:27:3:27:9 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:30:3:30:13 | if (...) |
+| Test.java:22:4:22:10 | ...; | Test.java:30:15:33:3 | { ... } |
+| Test.java:22:4:22:10 | ...; | Test.java:31:4:31:10 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:32:4:32:10 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:35:3:35:9 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:38:3:38:14 | while (...) |
+| Test.java:22:4:22:10 | ...; | Test.java:38:16:41:3 | { ... } |
+| Test.java:22:4:22:10 | ...; | Test.java:39:4:39:10 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:40:4:40:7 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:43:3:43:9 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:46:3:46:29 | for (...) |
+| Test.java:22:4:22:10 | ...; | Test.java:46:31:49:3 | { ... } |
+| Test.java:22:4:22:10 | ...; | Test.java:47:4:47:9 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:48:4:48:10 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:51:3:51:9 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:54:3:54:29 | for (...) |
+| Test.java:22:4:22:10 | ...; | Test.java:54:31:68:3 | { ... } |
+| Test.java:22:4:22:10 | ...; | Test.java:55:4:55:10 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:56:4:56:12 | if (...) |
+| Test.java:22:4:22:10 | ...; | Test.java:57:5:57:13 | if (...) |
+| Test.java:22:4:22:10 | ...; | Test.java:57:15:60:5 | { ... } |
+| Test.java:22:4:22:10 | ...; | Test.java:58:6:58:11 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:59:6:59:11 | break |
+| Test.java:22:4:22:10 | ...; | Test.java:60:12:62:5 | { ... } |
+| Test.java:22:4:22:10 | ...; | Test.java:61:6:61:12 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:63:9:66:4 | { ... } |
+| Test.java:22:4:22:10 | ...; | Test.java:64:5:64:11 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:65:5:65:13 | continue |
+| Test.java:22:4:22:10 | ...; | Test.java:67:4:67:9 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:70:3:70:9 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:74:3:74:9 | ...; |
+| Test.java:22:4:22:10 | ...; | Test.java:75:3:75:9 | return ... |
+| Test.java:27:3:27:9 | ...; | Test.java:30:3:30:13 | if (...) |
+| Test.java:27:3:27:9 | ...; | Test.java:30:15:33:3 | { ... } |
+| Test.java:27:3:27:9 | ...; | Test.java:31:4:31:10 | ...; |
+| Test.java:27:3:27:9 | ...; | Test.java:32:4:32:10 | ...; |
+| Test.java:27:3:27:9 | ...; | Test.java:35:3:35:9 | ...; |
+| Test.java:27:3:27:9 | ...; | Test.java:38:3:38:14 | while (...) |
+| Test.java:27:3:27:9 | ...; | Test.java:38:16:41:3 | { ... } |
+| Test.java:27:3:27:9 | ...; | Test.java:39:4:39:10 | ...; |
+| Test.java:27:3:27:9 | ...; | Test.java:40:4:40:7 | ...; |
+| Test.java:27:3:27:9 | ...; | Test.java:43:3:43:9 | ...; |
+| Test.java:27:3:27:9 | ...; | Test.java:46:3:46:29 | for (...) |
+| Test.java:27:3:27:9 | ...; | Test.java:46:31:49:3 | { ... } |
+| Test.java:27:3:27:9 | ...; | Test.java:47:4:47:9 | ...; |
+| Test.java:27:3:27:9 | ...; | Test.java:48:4:48:10 | ...; |
+| Test.java:27:3:27:9 | ...; | Test.java:51:3:51:9 | ...; |
+| Test.java:27:3:27:9 | ...; | Test.java:54:3:54:29 | for (...) |
+| Test.java:27:3:27:9 | ...; | Test.java:54:31:68:3 | { ... } |
+| Test.java:27:3:27:9 | ...; | Test.java:55:4:55:10 | ...; |
+| Test.java:27:3:27:9 | ...; | Test.java:56:4:56:12 | if (...) |
+| Test.java:27:3:27:9 | ...; | Test.java:57:5:57:13 | if (...) |
+| Test.java:27:3:27:9 | ...; | Test.java:57:15:60:5 | { ... } |
+| Test.java:27:3:27:9 | ...; | Test.java:58:6:58:11 | ...; |
+| Test.java:27:3:27:9 | ...; | Test.java:59:6:59:11 | break |
+| Test.java:27:3:27:9 | ...; | Test.java:60:12:62:5 | { ... } |
+| Test.java:27:3:27:9 | ...; | Test.java:61:6:61:12 | ...; |
+| Test.java:27:3:27:9 | ...; | Test.java:63:9:66:4 | { ... } |
+| Test.java:27:3:27:9 | ...; | Test.java:64:5:64:11 | ...; |
+| Test.java:27:3:27:9 | ...; | Test.java:65:5:65:13 | continue |
+| Test.java:27:3:27:9 | ...; | Test.java:67:4:67:9 | ...; |
+| Test.java:27:3:27:9 | ...; | Test.java:70:3:70:9 | ...; |
+| Test.java:27:3:27:9 | ...; | Test.java:74:3:74:9 | ...; |
+| Test.java:27:3:27:9 | ...; | Test.java:75:3:75:9 | return ... |
+| Test.java:30:3:30:13 | if (...) | Test.java:30:15:33:3 | { ... } |
+| Test.java:30:3:30:13 | if (...) | Test.java:31:4:31:10 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:32:4:32:10 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:35:3:35:9 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:38:3:38:14 | while (...) |
+| Test.java:30:3:30:13 | if (...) | Test.java:38:16:41:3 | { ... } |
+| Test.java:30:3:30:13 | if (...) | Test.java:39:4:39:10 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:40:4:40:7 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:43:3:43:9 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:46:3:46:29 | for (...) |
+| Test.java:30:3:30:13 | if (...) | Test.java:46:31:49:3 | { ... } |
+| Test.java:30:3:30:13 | if (...) | Test.java:47:4:47:9 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:48:4:48:10 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:51:3:51:9 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:54:3:54:29 | for (...) |
+| Test.java:30:3:30:13 | if (...) | Test.java:54:31:68:3 | { ... } |
+| Test.java:30:3:30:13 | if (...) | Test.java:55:4:55:10 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:56:4:56:12 | if (...) |
+| Test.java:30:3:30:13 | if (...) | Test.java:57:5:57:13 | if (...) |
+| Test.java:30:3:30:13 | if (...) | Test.java:57:15:60:5 | { ... } |
+| Test.java:30:3:30:13 | if (...) | Test.java:58:6:58:11 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:59:6:59:11 | break |
+| Test.java:30:3:30:13 | if (...) | Test.java:60:12:62:5 | { ... } |
+| Test.java:30:3:30:13 | if (...) | Test.java:61:6:61:12 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:63:9:66:4 | { ... } |
+| Test.java:30:3:30:13 | if (...) | Test.java:64:5:64:11 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:65:5:65:13 | continue |
+| Test.java:30:3:30:13 | if (...) | Test.java:67:4:67:9 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:70:3:70:9 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:74:3:74:9 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:75:3:75:9 | return ... |
+| Test.java:30:15:33:3 | { ... } | Test.java:31:4:31:10 | ...; |
+| Test.java:30:15:33:3 | { ... } | Test.java:32:4:32:10 | ...; |
+| Test.java:31:4:31:10 | ...; | Test.java:32:4:32:10 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:38:3:38:14 | while (...) |
+| Test.java:35:3:35:9 | ...; | Test.java:38:16:41:3 | { ... } |
+| Test.java:35:3:35:9 | ...; | Test.java:39:4:39:10 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:40:4:40:7 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:43:3:43:9 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:46:3:46:29 | for (...) |
+| Test.java:35:3:35:9 | ...; | Test.java:46:31:49:3 | { ... } |
+| Test.java:35:3:35:9 | ...; | Test.java:47:4:47:9 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:48:4:48:10 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:51:3:51:9 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:54:3:54:29 | for (...) |
+| Test.java:35:3:35:9 | ...; | Test.java:54:31:68:3 | { ... } |
+| Test.java:35:3:35:9 | ...; | Test.java:55:4:55:10 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:56:4:56:12 | if (...) |
+| Test.java:35:3:35:9 | ...; | Test.java:57:5:57:13 | if (...) |
+| Test.java:35:3:35:9 | ...; | Test.java:57:15:60:5 | { ... } |
+| Test.java:35:3:35:9 | ...; | Test.java:58:6:58:11 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:59:6:59:11 | break |
+| Test.java:35:3:35:9 | ...; | Test.java:60:12:62:5 | { ... } |
+| Test.java:35:3:35:9 | ...; | Test.java:61:6:61:12 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:63:9:66:4 | { ... } |
+| Test.java:35:3:35:9 | ...; | Test.java:64:5:64:11 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:65:5:65:13 | continue |
+| Test.java:35:3:35:9 | ...; | Test.java:67:4:67:9 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:70:3:70:9 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:74:3:74:9 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:75:3:75:9 | return ... |
+| Test.java:38:3:38:14 | while (...) | Test.java:38:16:41:3 | { ... } |
+| Test.java:38:3:38:14 | while (...) | Test.java:39:4:39:10 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:40:4:40:7 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:43:3:43:9 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:46:3:46:29 | for (...) |
+| Test.java:38:3:38:14 | while (...) | Test.java:46:31:49:3 | { ... } |
+| Test.java:38:3:38:14 | while (...) | Test.java:47:4:47:9 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:48:4:48:10 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:51:3:51:9 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:54:3:54:29 | for (...) |
+| Test.java:38:3:38:14 | while (...) | Test.java:54:31:68:3 | { ... } |
+| Test.java:38:3:38:14 | while (...) | Test.java:55:4:55:10 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:56:4:56:12 | if (...) |
+| Test.java:38:3:38:14 | while (...) | Test.java:57:5:57:13 | if (...) |
+| Test.java:38:3:38:14 | while (...) | Test.java:57:15:60:5 | { ... } |
+| Test.java:38:3:38:14 | while (...) | Test.java:58:6:58:11 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:59:6:59:11 | break |
+| Test.java:38:3:38:14 | while (...) | Test.java:60:12:62:5 | { ... } |
+| Test.java:38:3:38:14 | while (...) | Test.java:61:6:61:12 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:63:9:66:4 | { ... } |
+| Test.java:38:3:38:14 | while (...) | Test.java:64:5:64:11 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:65:5:65:13 | continue |
+| Test.java:38:3:38:14 | while (...) | Test.java:67:4:67:9 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:70:3:70:9 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:74:3:74:9 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:75:3:75:9 | return ... |
+| Test.java:38:16:41:3 | { ... } | Test.java:39:4:39:10 | ...; |
+| Test.java:38:16:41:3 | { ... } | Test.java:40:4:40:7 | ...; |
+| Test.java:39:4:39:10 | ...; | Test.java:40:4:40:7 | ...; |
+| Test.java:43:3:43:9 | ...; | Test.java:46:3:46:29 | for (...) |
+| Test.java:43:3:43:9 | ...; | Test.java:46:31:49:3 | { ... } |
+| Test.java:43:3:43:9 | ...; | Test.java:47:4:47:9 | ...; |
+| Test.java:43:3:43:9 | ...; | Test.java:48:4:48:10 | ...; |
+| Test.java:43:3:43:9 | ...; | Test.java:51:3:51:9 | ...; |
+| Test.java:43:3:43:9 | ...; | Test.java:54:3:54:29 | for (...) |
+| Test.java:43:3:43:9 | ...; | Test.java:54:31:68:3 | { ... } |
+| Test.java:43:3:43:9 | ...; | Test.java:55:4:55:10 | ...; |
+| Test.java:43:3:43:9 | ...; | Test.java:56:4:56:12 | if (...) |
+| Test.java:43:3:43:9 | ...; | Test.java:57:5:57:13 | if (...) |
+| Test.java:43:3:43:9 | ...; | Test.java:57:15:60:5 | { ... } |
+| Test.java:43:3:43:9 | ...; | Test.java:58:6:58:11 | ...; |
+| Test.java:43:3:43:9 | ...; | Test.java:59:6:59:11 | break |
+| Test.java:43:3:43:9 | ...; | Test.java:60:12:62:5 | { ... } |
+| Test.java:43:3:43:9 | ...; | Test.java:61:6:61:12 | ...; |
+| Test.java:43:3:43:9 | ...; | Test.java:63:9:66:4 | { ... } |
+| Test.java:43:3:43:9 | ...; | Test.java:64:5:64:11 | ...; |
+| Test.java:43:3:43:9 | ...; | Test.java:65:5:65:13 | continue |
+| Test.java:43:3:43:9 | ...; | Test.java:67:4:67:9 | ...; |
+| Test.java:43:3:43:9 | ...; | Test.java:70:3:70:9 | ...; |
+| Test.java:43:3:43:9 | ...; | Test.java:74:3:74:9 | ...; |
+| Test.java:43:3:43:9 | ...; | Test.java:75:3:75:9 | return ... |
+| Test.java:46:3:46:29 | for (...) | Test.java:46:31:49:3 | { ... } |
+| Test.java:46:3:46:29 | for (...) | Test.java:47:4:47:9 | ...; |
+| Test.java:46:3:46:29 | for (...) | Test.java:48:4:48:10 | ...; |
+| Test.java:46:3:46:29 | for (...) | Test.java:51:3:51:9 | ...; |
+| Test.java:46:3:46:29 | for (...) | Test.java:54:3:54:29 | for (...) |
+| Test.java:46:3:46:29 | for (...) | Test.java:54:31:68:3 | { ... } |
+| Test.java:46:3:46:29 | for (...) | Test.java:55:4:55:10 | ...; |
+| Test.java:46:3:46:29 | for (...) | Test.java:56:4:56:12 | if (...) |
+| Test.java:46:3:46:29 | for (...) | Test.java:57:5:57:13 | if (...) |
+| Test.java:46:3:46:29 | for (...) | Test.java:57:15:60:5 | { ... } |
+| Test.java:46:3:46:29 | for (...) | Test.java:58:6:58:11 | ...; |
+| Test.java:46:3:46:29 | for (...) | Test.java:59:6:59:11 | break |
+| Test.java:46:3:46:29 | for (...) | Test.java:60:12:62:5 | { ... } |
+| Test.java:46:3:46:29 | for (...) | Test.java:61:6:61:12 | ...; |
+| Test.java:46:3:46:29 | for (...) | Test.java:63:9:66:4 | { ... } |
+| Test.java:46:3:46:29 | for (...) | Test.java:64:5:64:11 | ...; |
+| Test.java:46:3:46:29 | for (...) | Test.java:65:5:65:13 | continue |
+| Test.java:46:3:46:29 | for (...) | Test.java:67:4:67:9 | ...; |
+| Test.java:46:3:46:29 | for (...) | Test.java:70:3:70:9 | ...; |
+| Test.java:46:3:46:29 | for (...) | Test.java:74:3:74:9 | ...; |
+| Test.java:46:3:46:29 | for (...) | Test.java:75:3:75:9 | return ... |
+| Test.java:46:31:49:3 | { ... } | Test.java:47:4:47:9 | ...; |
+| Test.java:46:31:49:3 | { ... } | Test.java:48:4:48:10 | ...; |
+| Test.java:47:4:47:9 | ...; | Test.java:48:4:48:10 | ...; |
+| Test.java:51:3:51:9 | ...; | Test.java:54:3:54:29 | for (...) |
+| Test.java:51:3:51:9 | ...; | Test.java:54:31:68:3 | { ... } |
+| Test.java:51:3:51:9 | ...; | Test.java:55:4:55:10 | ...; |
+| Test.java:51:3:51:9 | ...; | Test.java:56:4:56:12 | if (...) |
+| Test.java:51:3:51:9 | ...; | Test.java:57:5:57:13 | if (...) |
+| Test.java:51:3:51:9 | ...; | Test.java:57:15:60:5 | { ... } |
+| Test.java:51:3:51:9 | ...; | Test.java:58:6:58:11 | ...; |
+| Test.java:51:3:51:9 | ...; | Test.java:59:6:59:11 | break |
+| Test.java:51:3:51:9 | ...; | Test.java:60:12:62:5 | { ... } |
+| Test.java:51:3:51:9 | ...; | Test.java:61:6:61:12 | ...; |
+| Test.java:51:3:51:9 | ...; | Test.java:63:9:66:4 | { ... } |
+| Test.java:51:3:51:9 | ...; | Test.java:64:5:64:11 | ...; |
+| Test.java:51:3:51:9 | ...; | Test.java:65:5:65:13 | continue |
+| Test.java:51:3:51:9 | ...; | Test.java:67:4:67:9 | ...; |
+| Test.java:51:3:51:9 | ...; | Test.java:70:3:70:9 | ...; |
+| Test.java:51:3:51:9 | ...; | Test.java:74:3:74:9 | ...; |
+| Test.java:51:3:51:9 | ...; | Test.java:75:3:75:9 | return ... |
+| Test.java:54:3:54:29 | for (...) | Test.java:54:31:68:3 | { ... } |
+| Test.java:54:3:54:29 | for (...) | Test.java:55:4:55:10 | ...; |
+| Test.java:54:3:54:29 | for (...) | Test.java:56:4:56:12 | if (...) |
+| Test.java:54:3:54:29 | for (...) | Test.java:57:5:57:13 | if (...) |
+| Test.java:54:3:54:29 | for (...) | Test.java:57:15:60:5 | { ... } |
+| Test.java:54:3:54:29 | for (...) | Test.java:58:6:58:11 | ...; |
+| Test.java:54:3:54:29 | for (...) | Test.java:59:6:59:11 | break |
+| Test.java:54:3:54:29 | for (...) | Test.java:60:12:62:5 | { ... } |
+| Test.java:54:3:54:29 | for (...) | Test.java:61:6:61:12 | ...; |
+| Test.java:54:3:54:29 | for (...) | Test.java:63:9:66:4 | { ... } |
+| Test.java:54:3:54:29 | for (...) | Test.java:64:5:64:11 | ...; |
+| Test.java:54:3:54:29 | for (...) | Test.java:65:5:65:13 | continue |
+| Test.java:54:3:54:29 | for (...) | Test.java:67:4:67:9 | ...; |
+| Test.java:54:3:54:29 | for (...) | Test.java:70:3:70:9 | ...; |
+| Test.java:54:3:54:29 | for (...) | Test.java:74:3:74:9 | ...; |
+| Test.java:54:3:54:29 | for (...) | Test.java:75:3:75:9 | return ... |
+| Test.java:54:31:68:3 | { ... } | Test.java:55:4:55:10 | ...; |
+| Test.java:54:31:68:3 | { ... } | Test.java:56:4:56:12 | if (...) |
+| Test.java:54:31:68:3 | { ... } | Test.java:57:5:57:13 | if (...) |
+| Test.java:54:31:68:3 | { ... } | Test.java:57:15:60:5 | { ... } |
+| Test.java:54:31:68:3 | { ... } | Test.java:58:6:58:11 | ...; |
+| Test.java:54:31:68:3 | { ... } | Test.java:59:6:59:11 | break |
+| Test.java:54:31:68:3 | { ... } | Test.java:60:12:62:5 | { ... } |
+| Test.java:54:31:68:3 | { ... } | Test.java:61:6:61:12 | ...; |
+| Test.java:54:31:68:3 | { ... } | Test.java:63:9:66:4 | { ... } |
+| Test.java:54:31:68:3 | { ... } | Test.java:64:5:64:11 | ...; |
+| Test.java:54:31:68:3 | { ... } | Test.java:65:5:65:13 | continue |
+| Test.java:54:31:68:3 | { ... } | Test.java:67:4:67:9 | ...; |
+| Test.java:55:4:55:10 | ...; | Test.java:56:4:56:12 | if (...) |
+| Test.java:55:4:55:10 | ...; | Test.java:57:5:57:13 | if (...) |
+| Test.java:55:4:55:10 | ...; | Test.java:57:15:60:5 | { ... } |
+| Test.java:55:4:55:10 | ...; | Test.java:58:6:58:11 | ...; |
+| Test.java:55:4:55:10 | ...; | Test.java:59:6:59:11 | break |
+| Test.java:55:4:55:10 | ...; | Test.java:60:12:62:5 | { ... } |
+| Test.java:55:4:55:10 | ...; | Test.java:61:6:61:12 | ...; |
+| Test.java:55:4:55:10 | ...; | Test.java:63:9:66:4 | { ... } |
+| Test.java:55:4:55:10 | ...; | Test.java:64:5:64:11 | ...; |
+| Test.java:55:4:55:10 | ...; | Test.java:65:5:65:13 | continue |
+| Test.java:55:4:55:10 | ...; | Test.java:67:4:67:9 | ...; |
+| Test.java:56:4:56:12 | if (...) | Test.java:57:5:57:13 | if (...) |
+| Test.java:56:4:56:12 | if (...) | Test.java:57:15:60:5 | { ... } |
+| Test.java:56:4:56:12 | if (...) | Test.java:58:6:58:11 | ...; |
+| Test.java:56:4:56:12 | if (...) | Test.java:59:6:59:11 | break |
+| Test.java:56:4:56:12 | if (...) | Test.java:60:12:62:5 | { ... } |
+| Test.java:56:4:56:12 | if (...) | Test.java:61:6:61:12 | ...; |
+| Test.java:56:4:56:12 | if (...) | Test.java:63:9:66:4 | { ... } |
+| Test.java:56:4:56:12 | if (...) | Test.java:64:5:64:11 | ...; |
+| Test.java:56:4:56:12 | if (...) | Test.java:65:5:65:13 | continue |
+| Test.java:56:4:56:12 | if (...) | Test.java:67:4:67:9 | ...; |
+| Test.java:57:5:57:13 | if (...) | Test.java:57:15:60:5 | { ... } |
+| Test.java:57:5:57:13 | if (...) | Test.java:58:6:58:11 | ...; |
+| Test.java:57:5:57:13 | if (...) | Test.java:59:6:59:11 | break |
+| Test.java:57:5:57:13 | if (...) | Test.java:60:12:62:5 | { ... } |
+| Test.java:57:5:57:13 | if (...) | Test.java:61:6:61:12 | ...; |
+| Test.java:57:5:57:13 | if (...) | Test.java:67:4:67:9 | ...; |
+| Test.java:57:15:60:5 | { ... } | Test.java:58:6:58:11 | ...; |
+| Test.java:57:15:60:5 | { ... } | Test.java:59:6:59:11 | break |
+| Test.java:58:6:58:11 | ...; | Test.java:59:6:59:11 | break |
+| Test.java:60:12:62:5 | { ... } | Test.java:61:6:61:12 | ...; |
+| Test.java:60:12:62:5 | { ... } | Test.java:67:4:67:9 | ...; |
+| Test.java:61:6:61:12 | ...; | Test.java:67:4:67:9 | ...; |
+| Test.java:63:9:66:4 | { ... } | Test.java:64:5:64:11 | ...; |
+| Test.java:63:9:66:4 | { ... } | Test.java:65:5:65:13 | continue |
+| Test.java:64:5:64:11 | ...; | Test.java:65:5:65:13 | continue |
+| Test.java:70:3:70:9 | ...; | Test.java:74:3:74:9 | ...; |
+| Test.java:70:3:70:9 | ...; | Test.java:75:3:75:9 | return ... |
+| Test.java:74:3:74:9 | ...; | Test.java:75:3:75:9 | return ... |
diff --git a/java/ql/test/library-tests/controlflow/basic/strictPostDominance.expected b/java/ql/test/library-tests/controlflow/basic/strictPostDominance.expected
index b5a1d80647a..83e141e63a5 100644
--- a/java/ql/test/library-tests/controlflow/basic/strictPostDominance.expected
+++ b/java/ql/test/library-tests/controlflow/basic/strictPostDominance.expected
@@ -1,232 +1,232 @@
-| Test.java:3:14:3:17 | super(...) | Test.java:3:14:3:17 | stmt |
-| Test.java:5:3:5:12 | stmt | Test.java:4:21:76:2 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:4:21:76:2 | stmt |
-| Test.java:6:3:6:14 | stmt | Test.java:5:3:5:12 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:4:21:76:2 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:5:3:5:12 | stmt |
-| Test.java:7:3:7:12 | stmt | Test.java:6:3:6:14 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:4:21:76:2 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:5:3:5:12 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:6:3:6:14 | stmt |
-| Test.java:8:3:8:12 | stmt | Test.java:7:3:7:12 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:4:21:76:2 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:5:3:5:12 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:6:3:6:14 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:7:3:7:12 | stmt |
-| Test.java:11:3:11:12 | stmt | Test.java:8:3:8:12 | stmt |
-| Test.java:12:4:12:10 | stmt | Test.java:11:14:14:3 | stmt |
-| Test.java:13:4:13:10 | stmt | Test.java:11:14:14:3 | stmt |
-| Test.java:13:4:13:10 | stmt | Test.java:12:4:12:10 | stmt |
-| Test.java:15:4:15:10 | stmt | Test.java:14:10:16:3 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:4:21:76:2 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:5:3:5:12 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:6:3:6:14 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:7:3:7:12 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:8:3:8:12 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:11:3:11:12 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:11:14:14:3 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:12:4:12:10 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:13:4:13:10 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:14:10:16:3 | stmt |
-| Test.java:18:3:18:8 | stmt | Test.java:15:4:15:10 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:4:21:76:2 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:5:3:5:12 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:6:3:6:14 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:7:3:7:12 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:8:3:8:12 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:11:3:11:12 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:11:14:14:3 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:12:4:12:10 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:13:4:13:10 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:14:10:16:3 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:15:4:15:10 | stmt |
-| Test.java:21:3:21:11 | stmt | Test.java:18:3:18:8 | stmt |
-| Test.java:27:3:27:9 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:30:3:30:13 | stmt | Test.java:27:3:27:9 | stmt |
-| Test.java:31:4:31:10 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:32:4:32:10 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:32:4:32:10 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:27:3:27:9 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:30:3:30:13 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:35:3:35:9 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:27:3:27:9 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:30:3:30:13 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:38:3:38:14 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:39:4:39:10 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:40:4:40:7 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:40:4:40:7 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:27:3:27:9 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:30:3:30:13 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:38:3:38:14 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:43:3:43:9 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:27:3:27:9 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:30:3:30:13 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:38:3:38:14 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:46:3:46:29 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:47:4:47:9 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:48:4:48:10 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:48:4:48:10 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:27:3:27:9 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:30:3:30:13 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:38:3:38:14 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:46:3:46:29 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:51:3:51:9 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:27:3:27:9 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:30:3:30:13 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:38:3:38:14 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:46:3:46:29 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:54:3:54:29 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:55:4:55:10 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:56:4:56:12 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:56:4:56:12 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:58:6:58:11 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:59:6:59:11 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:59:6:59:11 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:61:6:61:12 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:64:5:64:11 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:65:5:65:13 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:65:5:65:13 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:67:4:67:9 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:67:4:67:9 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:27:3:27:9 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:30:3:30:13 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:38:3:38:14 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:46:3:46:29 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:54:3:54:29 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:70:3:70:9 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:27:3:27:9 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:30:3:30:13 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:38:3:38:14 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:46:3:46:29 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:54:3:54:29 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:74:3:74:9 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:22:4:22:10 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:27:3:27:9 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:30:3:30:13 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:30:15:33:3 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:31:4:31:10 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:32:4:32:10 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:35:3:35:9 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:38:3:38:14 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:38:16:41:3 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:39:4:39:10 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:40:4:40:7 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:43:3:43:9 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:46:3:46:29 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:46:31:49:3 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:47:4:47:9 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:48:4:48:10 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:51:3:51:9 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:54:3:54:29 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:54:31:68:3 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:55:4:55:10 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:56:4:56:12 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:57:5:57:13 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:57:15:60:5 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:58:6:58:11 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:59:6:59:11 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:60:12:62:5 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:61:6:61:12 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:63:9:66:4 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:64:5:64:11 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:65:5:65:13 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:67:4:67:9 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:70:3:70:9 | stmt |
-| Test.java:75:3:75:9 | stmt | Test.java:74:3:74:9 | stmt |
+| Test.java:3:14:3:17 | super(...) | Test.java:3:14:3:17 | { ... } |
+| Test.java:5:3:5:12 | local variable declaration | Test.java:4:21:76:2 | { ... } |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:4:21:76:2 | { ... } |
+| Test.java:6:3:6:14 | local variable declaration | Test.java:5:3:5:12 | local variable declaration |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:4:21:76:2 | { ... } |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:5:3:5:12 | local variable declaration |
+| Test.java:7:3:7:12 | local variable declaration | Test.java:6:3:6:14 | local variable declaration |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:4:21:76:2 | { ... } |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:5:3:5:12 | local variable declaration |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:6:3:6:14 | local variable declaration |
+| Test.java:8:3:8:12 | local variable declaration | Test.java:7:3:7:12 | local variable declaration |
+| Test.java:11:3:11:12 | if (...) | Test.java:4:21:76:2 | { ... } |
+| Test.java:11:3:11:12 | if (...) | Test.java:5:3:5:12 | local variable declaration |
+| Test.java:11:3:11:12 | if (...) | Test.java:6:3:6:14 | local variable declaration |
+| Test.java:11:3:11:12 | if (...) | Test.java:7:3:7:12 | local variable declaration |
+| Test.java:11:3:11:12 | if (...) | Test.java:8:3:8:12 | local variable declaration |
+| Test.java:12:4:12:10 | ...; | Test.java:11:14:14:3 | { ... } |
+| Test.java:13:4:13:10 | ...; | Test.java:11:14:14:3 | { ... } |
+| Test.java:13:4:13:10 | ...; | Test.java:12:4:12:10 | ...; |
+| Test.java:15:4:15:10 | ...; | Test.java:14:10:16:3 | { ... } |
+| Test.java:18:3:18:8 | ...; | Test.java:4:21:76:2 | { ... } |
+| Test.java:18:3:18:8 | ...; | Test.java:5:3:5:12 | local variable declaration |
+| Test.java:18:3:18:8 | ...; | Test.java:6:3:6:14 | local variable declaration |
+| Test.java:18:3:18:8 | ...; | Test.java:7:3:7:12 | local variable declaration |
+| Test.java:18:3:18:8 | ...; | Test.java:8:3:8:12 | local variable declaration |
+| Test.java:18:3:18:8 | ...; | Test.java:11:3:11:12 | if (...) |
+| Test.java:18:3:18:8 | ...; | Test.java:11:14:14:3 | { ... } |
+| Test.java:18:3:18:8 | ...; | Test.java:12:4:12:10 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:13:4:13:10 | ...; |
+| Test.java:18:3:18:8 | ...; | Test.java:14:10:16:3 | { ... } |
+| Test.java:18:3:18:8 | ...; | Test.java:15:4:15:10 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:4:21:76:2 | { ... } |
+| Test.java:21:3:21:11 | if (...) | Test.java:5:3:5:12 | local variable declaration |
+| Test.java:21:3:21:11 | if (...) | Test.java:6:3:6:14 | local variable declaration |
+| Test.java:21:3:21:11 | if (...) | Test.java:7:3:7:12 | local variable declaration |
+| Test.java:21:3:21:11 | if (...) | Test.java:8:3:8:12 | local variable declaration |
+| Test.java:21:3:21:11 | if (...) | Test.java:11:3:11:12 | if (...) |
+| Test.java:21:3:21:11 | if (...) | Test.java:11:14:14:3 | { ... } |
+| Test.java:21:3:21:11 | if (...) | Test.java:12:4:12:10 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:13:4:13:10 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:14:10:16:3 | { ... } |
+| Test.java:21:3:21:11 | if (...) | Test.java:15:4:15:10 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:18:3:18:8 | ...; |
+| Test.java:27:3:27:9 | ...; | Test.java:22:4:22:10 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:22:4:22:10 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:27:3:27:9 | ...; |
+| Test.java:31:4:31:10 | ...; | Test.java:30:15:33:3 | { ... } |
+| Test.java:32:4:32:10 | ...; | Test.java:30:15:33:3 | { ... } |
+| Test.java:32:4:32:10 | ...; | Test.java:31:4:31:10 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:22:4:22:10 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:27:3:27:9 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:30:3:30:13 | if (...) |
+| Test.java:35:3:35:9 | ...; | Test.java:30:15:33:3 | { ... } |
+| Test.java:35:3:35:9 | ...; | Test.java:31:4:31:10 | ...; |
+| Test.java:35:3:35:9 | ...; | Test.java:32:4:32:10 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:22:4:22:10 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:27:3:27:9 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:30:3:30:13 | if (...) |
+| Test.java:38:3:38:14 | while (...) | Test.java:30:15:33:3 | { ... } |
+| Test.java:38:3:38:14 | while (...) | Test.java:31:4:31:10 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:32:4:32:10 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:35:3:35:9 | ...; |
+| Test.java:39:4:39:10 | ...; | Test.java:38:16:41:3 | { ... } |
+| Test.java:40:4:40:7 | ...; | Test.java:38:16:41:3 | { ... } |
+| Test.java:40:4:40:7 | ...; | Test.java:39:4:39:10 | ...; |
+| Test.java:43:3:43:9 | ...; | Test.java:22:4:22:10 | ...; |
+| Test.java:43:3:43:9 | ...; | Test.java:27:3:27:9 | ...; |
+| Test.java:43:3:43:9 | ...; | Test.java:30:3:30:13 | if (...) |
+| Test.java:43:3:43:9 | ...; | Test.java:30:15:33:3 | { ... } |
+| Test.java:43:3:43:9 | ...; | Test.java:31:4:31:10 | ...; |
+| Test.java:43:3:43:9 | ...; | Test.java:32:4:32:10 | ...; |
+| Test.java:43:3:43:9 | ...; | Test.java:35:3:35:9 | ...; |
+| Test.java:43:3:43:9 | ...; | Test.java:38:3:38:14 | while (...) |
+| Test.java:43:3:43:9 | ...; | Test.java:38:16:41:3 | { ... } |
+| Test.java:43:3:43:9 | ...; | Test.java:39:4:39:10 | ...; |
+| Test.java:43:3:43:9 | ...; | Test.java:40:4:40:7 | ...; |
+| Test.java:46:3:46:29 | for (...) | Test.java:22:4:22:10 | ...; |
+| Test.java:46:3:46:29 | for (...) | Test.java:27:3:27:9 | ...; |
+| Test.java:46:3:46:29 | for (...) | Test.java:30:3:30:13 | if (...) |
+| Test.java:46:3:46:29 | for (...) | Test.java:30:15:33:3 | { ... } |
+| Test.java:46:3:46:29 | for (...) | Test.java:31:4:31:10 | ...; |
+| Test.java:46:3:46:29 | for (...) | Test.java:32:4:32:10 | ...; |
+| Test.java:46:3:46:29 | for (...) | Test.java:35:3:35:9 | ...; |
+| Test.java:46:3:46:29 | for (...) | Test.java:38:3:38:14 | while (...) |
+| Test.java:46:3:46:29 | for (...) | Test.java:38:16:41:3 | { ... } |
+| Test.java:46:3:46:29 | for (...) | Test.java:39:4:39:10 | ...; |
+| Test.java:46:3:46:29 | for (...) | Test.java:40:4:40:7 | ...; |
+| Test.java:46:3:46:29 | for (...) | Test.java:43:3:43:9 | ...; |
+| Test.java:47:4:47:9 | ...; | Test.java:46:31:49:3 | { ... } |
+| Test.java:48:4:48:10 | ...; | Test.java:46:31:49:3 | { ... } |
+| Test.java:48:4:48:10 | ...; | Test.java:47:4:47:9 | ...; |
+| Test.java:51:3:51:9 | ...; | Test.java:22:4:22:10 | ...; |
+| Test.java:51:3:51:9 | ...; | Test.java:27:3:27:9 | ...; |
+| Test.java:51:3:51:9 | ...; | Test.java:30:3:30:13 | if (...) |
+| Test.java:51:3:51:9 | ...; | Test.java:30:15:33:3 | { ... } |
+| Test.java:51:3:51:9 | ...; | Test.java:31:4:31:10 | ...; |
+| Test.java:51:3:51:9 | ...; | Test.java:32:4:32:10 | ...; |
+| Test.java:51:3:51:9 | ...; | Test.java:35:3:35:9 | ...; |
+| Test.java:51:3:51:9 | ...; | Test.java:38:3:38:14 | while (...) |
+| Test.java:51:3:51:9 | ...; | Test.java:38:16:41:3 | { ... } |
+| Test.java:51:3:51:9 | ...; | Test.java:39:4:39:10 | ...; |
+| Test.java:51:3:51:9 | ...; | Test.java:40:4:40:7 | ...; |
+| Test.java:51:3:51:9 | ...; | Test.java:43:3:43:9 | ...; |
+| Test.java:51:3:51:9 | ...; | Test.java:46:3:46:29 | for (...) |
+| Test.java:51:3:51:9 | ...; | Test.java:46:31:49:3 | { ... } |
+| Test.java:51:3:51:9 | ...; | Test.java:47:4:47:9 | ...; |
+| Test.java:51:3:51:9 | ...; | Test.java:48:4:48:10 | ...; |
+| Test.java:54:3:54:29 | for (...) | Test.java:22:4:22:10 | ...; |
+| Test.java:54:3:54:29 | for (...) | Test.java:27:3:27:9 | ...; |
+| Test.java:54:3:54:29 | for (...) | Test.java:30:3:30:13 | if (...) |
+| Test.java:54:3:54:29 | for (...) | Test.java:30:15:33:3 | { ... } |
+| Test.java:54:3:54:29 | for (...) | Test.java:31:4:31:10 | ...; |
+| Test.java:54:3:54:29 | for (...) | Test.java:32:4:32:10 | ...; |
+| Test.java:54:3:54:29 | for (...) | Test.java:35:3:35:9 | ...; |
+| Test.java:54:3:54:29 | for (...) | Test.java:38:3:38:14 | while (...) |
+| Test.java:54:3:54:29 | for (...) | Test.java:38:16:41:3 | { ... } |
+| Test.java:54:3:54:29 | for (...) | Test.java:39:4:39:10 | ...; |
+| Test.java:54:3:54:29 | for (...) | Test.java:40:4:40:7 | ...; |
+| Test.java:54:3:54:29 | for (...) | Test.java:43:3:43:9 | ...; |
+| Test.java:54:3:54:29 | for (...) | Test.java:46:3:46:29 | for (...) |
+| Test.java:54:3:54:29 | for (...) | Test.java:46:31:49:3 | { ... } |
+| Test.java:54:3:54:29 | for (...) | Test.java:47:4:47:9 | ...; |
+| Test.java:54:3:54:29 | for (...) | Test.java:48:4:48:10 | ...; |
+| Test.java:54:3:54:29 | for (...) | Test.java:51:3:51:9 | ...; |
+| Test.java:55:4:55:10 | ...; | Test.java:54:31:68:3 | { ... } |
+| Test.java:56:4:56:12 | if (...) | Test.java:54:31:68:3 | { ... } |
+| Test.java:56:4:56:12 | if (...) | Test.java:55:4:55:10 | ...; |
+| Test.java:58:6:58:11 | ...; | Test.java:57:15:60:5 | { ... } |
+| Test.java:59:6:59:11 | break | Test.java:57:15:60:5 | { ... } |
+| Test.java:59:6:59:11 | break | Test.java:58:6:58:11 | ...; |
+| Test.java:61:6:61:12 | ...; | Test.java:60:12:62:5 | { ... } |
+| Test.java:64:5:64:11 | ...; | Test.java:63:9:66:4 | { ... } |
+| Test.java:65:5:65:13 | continue | Test.java:63:9:66:4 | { ... } |
+| Test.java:65:5:65:13 | continue | Test.java:64:5:64:11 | ...; |
+| Test.java:67:4:67:9 | ...; | Test.java:60:12:62:5 | { ... } |
+| Test.java:67:4:67:9 | ...; | Test.java:61:6:61:12 | ...; |
+| Test.java:70:3:70:9 | ...; | Test.java:22:4:22:10 | ...; |
+| Test.java:70:3:70:9 | ...; | Test.java:27:3:27:9 | ...; |
+| Test.java:70:3:70:9 | ...; | Test.java:30:3:30:13 | if (...) |
+| Test.java:70:3:70:9 | ...; | Test.java:30:15:33:3 | { ... } |
+| Test.java:70:3:70:9 | ...; | Test.java:31:4:31:10 | ...; |
+| Test.java:70:3:70:9 | ...; | Test.java:32:4:32:10 | ...; |
+| Test.java:70:3:70:9 | ...; | Test.java:35:3:35:9 | ...; |
+| Test.java:70:3:70:9 | ...; | Test.java:38:3:38:14 | while (...) |
+| Test.java:70:3:70:9 | ...; | Test.java:38:16:41:3 | { ... } |
+| Test.java:70:3:70:9 | ...; | Test.java:39:4:39:10 | ...; |
+| Test.java:70:3:70:9 | ...; | Test.java:40:4:40:7 | ...; |
+| Test.java:70:3:70:9 | ...; | Test.java:43:3:43:9 | ...; |
+| Test.java:70:3:70:9 | ...; | Test.java:46:3:46:29 | for (...) |
+| Test.java:70:3:70:9 | ...; | Test.java:46:31:49:3 | { ... } |
+| Test.java:70:3:70:9 | ...; | Test.java:47:4:47:9 | ...; |
+| Test.java:70:3:70:9 | ...; | Test.java:48:4:48:10 | ...; |
+| Test.java:70:3:70:9 | ...; | Test.java:51:3:51:9 | ...; |
+| Test.java:70:3:70:9 | ...; | Test.java:54:3:54:29 | for (...) |
+| Test.java:70:3:70:9 | ...; | Test.java:54:31:68:3 | { ... } |
+| Test.java:70:3:70:9 | ...; | Test.java:55:4:55:10 | ...; |
+| Test.java:70:3:70:9 | ...; | Test.java:56:4:56:12 | if (...) |
+| Test.java:70:3:70:9 | ...; | Test.java:57:5:57:13 | if (...) |
+| Test.java:70:3:70:9 | ...; | Test.java:57:15:60:5 | { ... } |
+| Test.java:70:3:70:9 | ...; | Test.java:58:6:58:11 | ...; |
+| Test.java:70:3:70:9 | ...; | Test.java:59:6:59:11 | break |
+| Test.java:70:3:70:9 | ...; | Test.java:60:12:62:5 | { ... } |
+| Test.java:70:3:70:9 | ...; | Test.java:61:6:61:12 | ...; |
+| Test.java:70:3:70:9 | ...; | Test.java:63:9:66:4 | { ... } |
+| Test.java:70:3:70:9 | ...; | Test.java:64:5:64:11 | ...; |
+| Test.java:70:3:70:9 | ...; | Test.java:65:5:65:13 | continue |
+| Test.java:70:3:70:9 | ...; | Test.java:67:4:67:9 | ...; |
+| Test.java:74:3:74:9 | ...; | Test.java:22:4:22:10 | ...; |
+| Test.java:74:3:74:9 | ...; | Test.java:27:3:27:9 | ...; |
+| Test.java:74:3:74:9 | ...; | Test.java:30:3:30:13 | if (...) |
+| Test.java:74:3:74:9 | ...; | Test.java:30:15:33:3 | { ... } |
+| Test.java:74:3:74:9 | ...; | Test.java:31:4:31:10 | ...; |
+| Test.java:74:3:74:9 | ...; | Test.java:32:4:32:10 | ...; |
+| Test.java:74:3:74:9 | ...; | Test.java:35:3:35:9 | ...; |
+| Test.java:74:3:74:9 | ...; | Test.java:38:3:38:14 | while (...) |
+| Test.java:74:3:74:9 | ...; | Test.java:38:16:41:3 | { ... } |
+| Test.java:74:3:74:9 | ...; | Test.java:39:4:39:10 | ...; |
+| Test.java:74:3:74:9 | ...; | Test.java:40:4:40:7 | ...; |
+| Test.java:74:3:74:9 | ...; | Test.java:43:3:43:9 | ...; |
+| Test.java:74:3:74:9 | ...; | Test.java:46:3:46:29 | for (...) |
+| Test.java:74:3:74:9 | ...; | Test.java:46:31:49:3 | { ... } |
+| Test.java:74:3:74:9 | ...; | Test.java:47:4:47:9 | ...; |
+| Test.java:74:3:74:9 | ...; | Test.java:48:4:48:10 | ...; |
+| Test.java:74:3:74:9 | ...; | Test.java:51:3:51:9 | ...; |
+| Test.java:74:3:74:9 | ...; | Test.java:54:3:54:29 | for (...) |
+| Test.java:74:3:74:9 | ...; | Test.java:54:31:68:3 | { ... } |
+| Test.java:74:3:74:9 | ...; | Test.java:55:4:55:10 | ...; |
+| Test.java:74:3:74:9 | ...; | Test.java:56:4:56:12 | if (...) |
+| Test.java:74:3:74:9 | ...; | Test.java:57:5:57:13 | if (...) |
+| Test.java:74:3:74:9 | ...; | Test.java:57:15:60:5 | { ... } |
+| Test.java:74:3:74:9 | ...; | Test.java:58:6:58:11 | ...; |
+| Test.java:74:3:74:9 | ...; | Test.java:59:6:59:11 | break |
+| Test.java:74:3:74:9 | ...; | Test.java:60:12:62:5 | { ... } |
+| Test.java:74:3:74:9 | ...; | Test.java:61:6:61:12 | ...; |
+| Test.java:74:3:74:9 | ...; | Test.java:63:9:66:4 | { ... } |
+| Test.java:74:3:74:9 | ...; | Test.java:64:5:64:11 | ...; |
+| Test.java:74:3:74:9 | ...; | Test.java:65:5:65:13 | continue |
+| Test.java:74:3:74:9 | ...; | Test.java:67:4:67:9 | ...; |
+| Test.java:74:3:74:9 | ...; | Test.java:70:3:70:9 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:22:4:22:10 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:27:3:27:9 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:30:3:30:13 | if (...) |
+| Test.java:75:3:75:9 | return ... | Test.java:30:15:33:3 | { ... } |
+| Test.java:75:3:75:9 | return ... | Test.java:31:4:31:10 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:32:4:32:10 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:35:3:35:9 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:38:3:38:14 | while (...) |
+| Test.java:75:3:75:9 | return ... | Test.java:38:16:41:3 | { ... } |
+| Test.java:75:3:75:9 | return ... | Test.java:39:4:39:10 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:40:4:40:7 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:43:3:43:9 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:46:3:46:29 | for (...) |
+| Test.java:75:3:75:9 | return ... | Test.java:46:31:49:3 | { ... } |
+| Test.java:75:3:75:9 | return ... | Test.java:47:4:47:9 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:48:4:48:10 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:51:3:51:9 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:54:3:54:29 | for (...) |
+| Test.java:75:3:75:9 | return ... | Test.java:54:31:68:3 | { ... } |
+| Test.java:75:3:75:9 | return ... | Test.java:55:4:55:10 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:56:4:56:12 | if (...) |
+| Test.java:75:3:75:9 | return ... | Test.java:57:5:57:13 | if (...) |
+| Test.java:75:3:75:9 | return ... | Test.java:57:15:60:5 | { ... } |
+| Test.java:75:3:75:9 | return ... | Test.java:58:6:58:11 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:59:6:59:11 | break |
+| Test.java:75:3:75:9 | return ... | Test.java:60:12:62:5 | { ... } |
+| Test.java:75:3:75:9 | return ... | Test.java:61:6:61:12 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:63:9:66:4 | { ... } |
+| Test.java:75:3:75:9 | return ... | Test.java:64:5:64:11 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:65:5:65:13 | continue |
+| Test.java:75:3:75:9 | return ... | Test.java:67:4:67:9 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:70:3:70:9 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:74:3:74:9 | ...; |
diff --git a/java/ql/test/library-tests/controlflow/dominance/dominator.expected b/java/ql/test/library-tests/controlflow/dominance/dominator.expected
index 36d5a3f38db..3fbd1f806f3 100644
--- a/java/ql/test/library-tests/controlflow/dominance/dominator.expected
+++ b/java/ql/test/library-tests/controlflow/dominance/dominator.expected
@@ -1,176 +1,176 @@
-| Test.java:2:32:72:2 | stmt | Test.java:3:3:3:8 | stmt |
-| Test.java:3:3:3:8 | stmt | Test.java:3:7:3:7 | j |
-| Test.java:3:7:3:7 | j | Test.java:4:3:4:14 | stmt |
-| Test.java:4:3:4:14 | stmt | Test.java:4:12:4:13 | 50 |
-| Test.java:4:8:4:13 | y | Test.java:7:3:7:12 | stmt |
+| Test.java:2:32:72:2 | { ... } | Test.java:3:3:3:8 | local variable declaration |
+| Test.java:3:3:3:8 | local variable declaration | Test.java:3:7:3:7 | j |
+| Test.java:3:7:3:7 | j | Test.java:4:3:4:14 | local variable declaration |
+| Test.java:4:3:4:14 | local variable declaration | Test.java:4:12:4:13 | 50 |
+| Test.java:4:8:4:13 | y | Test.java:7:3:7:12 | if (...) |
 | Test.java:4:12:4:13 | 50 | Test.java:4:8:4:13 | y |
-| Test.java:7:3:7:12 | stmt | Test.java:7:7:7:7 | x |
+| Test.java:7:3:7:12 | if (...) | Test.java:7:7:7:7 | x |
 | Test.java:7:7:7:7 | x | Test.java:7:11:7:11 | 0 |
-| Test.java:7:7:7:11 | ... > ... | Test.java:7:14:10:3 | stmt |
-| Test.java:7:7:7:11 | ... > ... | Test.java:10:10:12:3 | stmt |
-| Test.java:7:7:7:11 | ... > ... | Test.java:14:3:14:20 | stmt |
+| Test.java:7:7:7:11 | ... > ... | Test.java:7:14:10:3 | { ... } |
+| Test.java:7:7:7:11 | ... > ... | Test.java:10:10:12:3 | { ... } |
+| Test.java:7:7:7:11 | ... > ... | Test.java:14:3:14:20 | ...; |
 | Test.java:7:11:7:11 | 0 | Test.java:7:7:7:11 | ... > ... |
-| Test.java:7:14:10:3 | stmt | Test.java:8:4:8:10 | stmt |
-| Test.java:8:4:8:9 | ...=... | Test.java:9:4:9:10 | stmt |
-| Test.java:8:4:8:10 | stmt | Test.java:8:8:8:9 | 20 |
+| Test.java:7:14:10:3 | { ... } | Test.java:8:4:8:10 | ...; |
+| Test.java:8:4:8:9 | ...=... | Test.java:9:4:9:10 | ...; |
+| Test.java:8:4:8:10 | ...; | Test.java:8:8:8:9 | 20 |
 | Test.java:8:8:8:9 | 20 | Test.java:8:4:8:9 | ...=... |
-| Test.java:9:4:9:10 | stmt | Test.java:9:8:9:9 | 10 |
+| Test.java:9:4:9:10 | ...; | Test.java:9:8:9:9 | 10 |
 | Test.java:9:8:9:9 | 10 | Test.java:9:4:9:9 | ...=... |
-| Test.java:10:10:12:3 | stmt | Test.java:11:4:11:10 | stmt |
-| Test.java:11:4:11:10 | stmt | Test.java:11:8:11:9 | 30 |
+| Test.java:10:10:12:3 | { ... } | Test.java:11:4:11:10 | ...; |
+| Test.java:11:4:11:10 | ...; | Test.java:11:8:11:9 | 30 |
 | Test.java:11:8:11:9 | 30 | Test.java:11:4:11:9 | ...=... |
-| Test.java:14:3:14:19 | ...=... | Test.java:17:3:17:12 | stmt |
-| Test.java:14:3:14:20 | stmt | Test.java:14:14:14:14 | x |
+| Test.java:14:3:14:19 | ...=... | Test.java:17:3:17:12 | if (...) |
+| Test.java:14:3:14:20 | ...; | Test.java:14:14:14:14 | x |
 | Test.java:14:7:14:19 | (...)... | Test.java:14:3:14:19 | ...=... |
 | Test.java:14:14:14:14 | x | Test.java:14:18:14:18 | y |
 | Test.java:14:14:14:18 | ... + ... | Test.java:14:7:14:19 | (...)... |
 | Test.java:14:18:14:18 | y | Test.java:14:14:14:18 | ... + ... |
-| Test.java:17:3:17:12 | stmt | Test.java:17:7:17:7 | x |
+| Test.java:17:3:17:12 | if (...) | Test.java:17:7:17:7 | x |
 | Test.java:17:7:17:7 | x | Test.java:17:11:17:11 | 0 |
 | Test.java:17:7:17:11 | ... < ... | Test.java:2:6:2:9 | test |
-| Test.java:17:7:17:11 | ... < ... | Test.java:18:4:18:10 | stmt |
+| Test.java:17:7:17:11 | ... < ... | Test.java:18:4:18:10 | ...; |
 | Test.java:17:7:17:11 | ... < ... | Test.java:20:11:20:11 | z |
 | Test.java:17:11:17:11 | 0 | Test.java:17:7:17:11 | ... < ... |
-| Test.java:18:4:18:9 | ...=... | Test.java:23:3:23:9 | stmt |
-| Test.java:18:4:18:10 | stmt | Test.java:18:8:18:9 | 40 |
+| Test.java:18:4:18:9 | ...=... | Test.java:23:3:23:9 | ...; |
+| Test.java:18:4:18:10 | ...; | Test.java:18:8:18:9 | 40 |
 | Test.java:18:8:18:9 | 40 | Test.java:18:4:18:9 | ...=... |
-| Test.java:20:11:20:11 | z | Test.java:20:4:20:12 | stmt |
-| Test.java:23:3:23:8 | ...=... | Test.java:26:3:26:13 | stmt |
-| Test.java:23:3:23:9 | stmt | Test.java:23:7:23:8 | 10 |
+| Test.java:20:11:20:11 | z | Test.java:20:4:20:12 | return ... |
+| Test.java:23:3:23:8 | ...=... | Test.java:26:3:26:13 | if (...) |
+| Test.java:23:3:23:9 | ...; | Test.java:23:7:23:8 | 10 |
 | Test.java:23:7:23:8 | 10 | Test.java:23:3:23:8 | ...=... |
-| Test.java:26:3:26:13 | stmt | Test.java:26:7:26:7 | x |
+| Test.java:26:3:26:13 | if (...) | Test.java:26:7:26:7 | x |
 | Test.java:26:7:26:7 | x | Test.java:26:12:26:12 | 0 |
-| Test.java:26:7:26:12 | ... == ... | Test.java:26:15:29:3 | stmt |
-| Test.java:26:7:26:12 | ... == ... | Test.java:31:3:31:9 | stmt |
+| Test.java:26:7:26:12 | ... == ... | Test.java:26:15:29:3 | { ... } |
+| Test.java:26:7:26:12 | ... == ... | Test.java:31:3:31:9 | ...; |
 | Test.java:26:12:26:12 | 0 | Test.java:26:7:26:12 | ... == ... |
-| Test.java:26:15:29:3 | stmt | Test.java:27:4:27:10 | stmt |
-| Test.java:27:4:27:9 | ...=... | Test.java:28:4:28:10 | stmt |
-| Test.java:27:4:27:10 | stmt | Test.java:27:8:27:9 | 60 |
+| Test.java:26:15:29:3 | { ... } | Test.java:27:4:27:10 | ...; |
+| Test.java:27:4:27:9 | ...=... | Test.java:28:4:28:10 | ...; |
+| Test.java:27:4:27:10 | ...; | Test.java:27:8:27:9 | 60 |
 | Test.java:27:8:27:9 | 60 | Test.java:27:4:27:9 | ...=... |
-| Test.java:28:4:28:10 | stmt | Test.java:28:8:28:9 | 10 |
+| Test.java:28:4:28:10 | ...; | Test.java:28:8:28:9 | 10 |
 | Test.java:28:8:28:9 | 10 | Test.java:28:4:28:9 | ...=... |
 | Test.java:31:3:31:3 | z | Test.java:31:8:31:8 | x |
-| Test.java:31:3:31:8 | ...+=... | Test.java:34:3:34:15 | stmt |
-| Test.java:31:3:31:9 | stmt | Test.java:31:3:31:3 | z |
+| Test.java:31:3:31:8 | ...+=... | Test.java:34:3:34:15 | while (...) |
+| Test.java:31:3:31:9 | ...; | Test.java:31:3:31:3 | z |
 | Test.java:31:8:31:8 | x | Test.java:31:3:31:8 | ...+=... |
-| Test.java:34:3:34:15 | stmt | Test.java:34:10:34:10 | x |
+| Test.java:34:3:34:15 | while (...) | Test.java:34:10:34:10 | x |
 | Test.java:34:10:34:10 | x | Test.java:34:14:34:14 | 0 |
-| Test.java:34:10:34:14 | ... > ... | Test.java:34:17:37:3 | stmt |
-| Test.java:34:10:34:14 | ... > ... | Test.java:39:3:39:9 | stmt |
+| Test.java:34:10:34:14 | ... > ... | Test.java:34:17:37:3 | { ... } |
+| Test.java:34:10:34:14 | ... > ... | Test.java:39:3:39:9 | ...; |
 | Test.java:34:14:34:14 | 0 | Test.java:34:10:34:14 | ... > ... |
-| Test.java:34:17:37:3 | stmt | Test.java:35:4:35:10 | stmt |
-| Test.java:35:4:35:9 | ...=... | Test.java:36:4:36:7 | stmt |
-| Test.java:35:4:35:10 | stmt | Test.java:35:8:35:9 | 10 |
+| Test.java:34:17:37:3 | { ... } | Test.java:35:4:35:10 | ...; |
+| Test.java:35:4:35:9 | ...=... | Test.java:36:4:36:7 | ...; |
+| Test.java:35:4:35:10 | ...; | Test.java:35:8:35:9 | 10 |
 | Test.java:35:8:35:9 | 10 | Test.java:35:4:35:9 | ...=... |
 | Test.java:36:4:36:4 | x | Test.java:36:4:36:6 | ...-- |
-| Test.java:36:4:36:7 | stmt | Test.java:36:4:36:4 | x |
+| Test.java:36:4:36:7 | ...; | Test.java:36:4:36:4 | x |
 | Test.java:39:3:39:3 | z | Test.java:39:8:39:8 | y |
-| Test.java:39:3:39:8 | ...+=... | Test.java:42:3:42:26 | stmt |
-| Test.java:39:3:39:9 | stmt | Test.java:39:3:39:3 | z |
+| Test.java:39:3:39:8 | ...+=... | Test.java:42:3:42:26 | for (...) |
+| Test.java:39:3:39:9 | ...; | Test.java:39:3:39:3 | z |
 | Test.java:39:8:39:8 | y | Test.java:39:3:39:8 | ...+=... |
-| Test.java:42:3:42:26 | stmt | Test.java:42:12:42:12 | 0 |
+| Test.java:42:3:42:26 | for (...) | Test.java:42:12:42:12 | 0 |
 | Test.java:42:8:42:12 | ...=... | Test.java:42:15:42:15 | j |
 | Test.java:42:12:42:12 | 0 | Test.java:42:8:42:12 | ...=... |
 | Test.java:42:15:42:15 | j | Test.java:42:19:42:20 | 10 |
-| Test.java:42:15:42:20 | ... < ... | Test.java:42:28:45:3 | stmt |
-| Test.java:42:15:42:20 | ... < ... | Test.java:47:3:47:9 | stmt |
+| Test.java:42:15:42:20 | ... < ... | Test.java:42:28:45:3 | { ... } |
+| Test.java:42:15:42:20 | ... < ... | Test.java:47:3:47:9 | ...; |
 | Test.java:42:19:42:20 | 10 | Test.java:42:15:42:20 | ... < ... |
 | Test.java:42:23:42:23 | j | Test.java:42:23:42:25 | ...++ |
-| Test.java:42:28:45:3 | stmt | Test.java:43:4:43:9 | stmt |
-| Test.java:43:4:43:8 | ...=... | Test.java:44:4:44:10 | stmt |
-| Test.java:43:4:43:9 | stmt | Test.java:43:8:43:8 | 0 |
+| Test.java:42:28:45:3 | { ... } | Test.java:43:4:43:9 | ...; |
+| Test.java:43:4:43:8 | ...=... | Test.java:44:4:44:10 | ...; |
+| Test.java:43:4:43:9 | ...; | Test.java:43:8:43:8 | 0 |
 | Test.java:43:8:43:8 | 0 | Test.java:43:4:43:8 | ...=... |
 | Test.java:44:4:44:9 | ...=... | Test.java:42:23:42:23 | j |
-| Test.java:44:4:44:10 | stmt | Test.java:44:8:44:9 | 10 |
+| Test.java:44:4:44:10 | ...; | Test.java:44:8:44:9 | 10 |
 | Test.java:44:8:44:9 | 10 | Test.java:44:4:44:9 | ...=... |
 | Test.java:47:3:47:3 | z | Test.java:47:8:47:8 | w |
-| Test.java:47:3:47:8 | ...+=... | Test.java:50:3:50:26 | stmt |
-| Test.java:47:3:47:9 | stmt | Test.java:47:3:47:3 | z |
+| Test.java:47:3:47:8 | ...+=... | Test.java:50:3:50:26 | for (...) |
+| Test.java:47:3:47:9 | ...; | Test.java:47:3:47:3 | z |
 | Test.java:47:8:47:8 | w | Test.java:47:3:47:8 | ...+=... |
-| Test.java:50:3:50:26 | stmt | Test.java:50:12:50:12 | 0 |
+| Test.java:50:3:50:26 | for (...) | Test.java:50:12:50:12 | 0 |
 | Test.java:50:8:50:12 | ...=... | Test.java:50:15:50:15 | j |
 | Test.java:50:12:50:12 | 0 | Test.java:50:8:50:12 | ...=... |
 | Test.java:50:15:50:15 | j | Test.java:50:19:50:20 | 10 |
-| Test.java:50:15:50:20 | ... < ... | Test.java:50:28:64:3 | stmt |
-| Test.java:50:15:50:20 | ... < ... | Test.java:66:3:66:17 | stmt |
+| Test.java:50:15:50:20 | ... < ... | Test.java:50:28:64:3 | { ... } |
+| Test.java:50:15:50:20 | ... < ... | Test.java:66:3:66:17 | ...; |
 | Test.java:50:19:50:20 | 10 | Test.java:50:15:50:20 | ... < ... |
 | Test.java:50:23:50:23 | j | Test.java:50:23:50:25 | ...++ |
-| Test.java:50:28:64:3 | stmt | Test.java:51:4:51:10 | stmt |
-| Test.java:51:4:51:9 | ...=... | Test.java:52:4:52:13 | stmt |
-| Test.java:51:4:51:10 | stmt | Test.java:51:8:51:9 | 30 |
+| Test.java:50:28:64:3 | { ... } | Test.java:51:4:51:10 | ...; |
+| Test.java:51:4:51:9 | ...=... | Test.java:52:4:52:13 | if (...) |
+| Test.java:51:4:51:10 | ...; | Test.java:51:8:51:9 | 30 |
 | Test.java:51:8:51:9 | 30 | Test.java:51:4:51:9 | ...=... |
-| Test.java:52:4:52:13 | stmt | Test.java:52:8:52:8 | z |
+| Test.java:52:4:52:13 | if (...) | Test.java:52:8:52:8 | z |
 | Test.java:52:8:52:8 | z | Test.java:52:12:52:12 | 0 |
 | Test.java:52:8:52:12 | ... > ... | Test.java:50:23:50:23 | j |
-| Test.java:52:8:52:12 | ... > ... | Test.java:53:5:53:14 | stmt |
-| Test.java:52:8:52:12 | ... > ... | Test.java:59:9:62:4 | stmt |
+| Test.java:52:8:52:12 | ... > ... | Test.java:53:5:53:14 | if (...) |
+| Test.java:52:8:52:12 | ... > ... | Test.java:59:9:62:4 | { ... } |
 | Test.java:52:12:52:12 | 0 | Test.java:52:8:52:12 | ... > ... |
-| Test.java:53:5:53:14 | stmt | Test.java:53:9:53:9 | y |
+| Test.java:53:5:53:14 | if (...) | Test.java:53:9:53:9 | y |
 | Test.java:53:9:53:9 | y | Test.java:53:13:53:13 | 0 |
-| Test.java:53:9:53:13 | ... > ... | Test.java:53:16:56:5 | stmt |
-| Test.java:53:9:53:13 | ... > ... | Test.java:56:12:58:5 | stmt |
+| Test.java:53:9:53:13 | ... > ... | Test.java:53:16:56:5 | { ... } |
+| Test.java:53:9:53:13 | ... > ... | Test.java:56:12:58:5 | { ... } |
 | Test.java:53:13:53:13 | 0 | Test.java:53:9:53:13 | ... > ... |
-| Test.java:53:16:56:5 | stmt | Test.java:54:6:54:11 | stmt |
-| Test.java:54:6:54:10 | ...=... | Test.java:55:6:55:11 | stmt |
-| Test.java:54:6:54:11 | stmt | Test.java:54:10:54:10 | 0 |
+| Test.java:53:16:56:5 | { ... } | Test.java:54:6:54:11 | ...; |
+| Test.java:54:6:54:10 | ...=... | Test.java:55:6:55:11 | break |
+| Test.java:54:6:54:11 | ...; | Test.java:54:10:54:10 | 0 |
 | Test.java:54:10:54:10 | 0 | Test.java:54:6:54:10 | ...=... |
-| Test.java:56:12:58:5 | stmt | Test.java:57:6:57:12 | stmt |
-| Test.java:57:6:57:11 | ...=... | Test.java:63:4:63:9 | stmt |
-| Test.java:57:6:57:12 | stmt | Test.java:57:10:57:11 | 20 |
+| Test.java:56:12:58:5 | { ... } | Test.java:57:6:57:12 | ...; |
+| Test.java:57:6:57:11 | ...=... | Test.java:63:4:63:9 | ...; |
+| Test.java:57:6:57:12 | ...; | Test.java:57:10:57:11 | 20 |
 | Test.java:57:10:57:11 | 20 | Test.java:57:6:57:11 | ...=... |
-| Test.java:59:9:62:4 | stmt | Test.java:60:5:60:11 | stmt |
-| Test.java:60:5:60:10 | ...=... | Test.java:61:5:61:13 | stmt |
-| Test.java:60:5:60:11 | stmt | Test.java:60:9:60:10 | 10 |
+| Test.java:59:9:62:4 | { ... } | Test.java:60:5:60:11 | ...; |
+| Test.java:60:5:60:10 | ...=... | Test.java:61:5:61:13 | continue |
+| Test.java:60:5:60:11 | ...; | Test.java:60:9:60:10 | 10 |
 | Test.java:60:9:60:10 | 10 | Test.java:60:5:60:10 | ...=... |
-| Test.java:63:4:63:9 | stmt | Test.java:63:8:63:8 | 0 |
+| Test.java:63:4:63:9 | ...; | Test.java:63:8:63:8 | 0 |
 | Test.java:63:8:63:8 | 0 | Test.java:63:4:63:8 | ...=... |
 | Test.java:66:3:66:3 | z | Test.java:66:8:66:8 | x |
-| Test.java:66:3:66:16 | ...+=... | Test.java:70:3:70:9 | stmt |
-| Test.java:66:3:66:17 | stmt | Test.java:66:3:66:3 | z |
+| Test.java:66:3:66:16 | ...+=... | Test.java:70:3:70:9 | ...; |
+| Test.java:66:3:66:17 | ...; | Test.java:66:3:66:3 | z |
 | Test.java:66:8:66:8 | x | Test.java:66:12:66:12 | y |
 | Test.java:66:8:66:12 | ... + ... | Test.java:66:16:66:16 | w |
 | Test.java:66:8:66:16 | ... + ... | Test.java:66:3:66:16 | ...+=... |
 | Test.java:66:12:66:12 | y | Test.java:66:8:66:12 | ... + ... |
 | Test.java:66:16:66:16 | w | Test.java:66:8:66:16 | ... + ... |
 | Test.java:70:3:70:8 | ...=... | Test.java:71:10:71:10 | w |
-| Test.java:70:3:70:9 | stmt | Test.java:70:7:70:8 | 40 |
+| Test.java:70:3:70:9 | ...; | Test.java:70:7:70:8 | 40 |
 | Test.java:70:7:70:8 | 40 | Test.java:70:3:70:8 | ...=... |
-| Test.java:71:10:71:10 | w | Test.java:71:3:71:11 | stmt |
-| Test.java:74:19:91:2 | stmt | Test.java:76:3:76:8 | stmt |
-| Test.java:76:3:76:8 | stmt | Test.java:76:7:76:7 | b |
-| Test.java:76:7:76:7 | b | Test.java:77:3:77:8 | stmt |
-| Test.java:77:3:77:8 | stmt | Test.java:77:7:77:7 | c |
-| Test.java:77:7:77:7 | c | Test.java:78:3:78:8 | stmt |
-| Test.java:78:3:78:7 | ...=... | Test.java:79:3:79:13 | stmt |
-| Test.java:78:3:78:8 | stmt | Test.java:78:7:78:7 | 0 |
+| Test.java:71:10:71:10 | w | Test.java:71:3:71:11 | return ... |
+| Test.java:74:19:91:2 | { ... } | Test.java:76:3:76:8 | local variable declaration |
+| Test.java:76:3:76:8 | local variable declaration | Test.java:76:7:76:7 | b |
+| Test.java:76:7:76:7 | b | Test.java:77:3:77:8 | local variable declaration |
+| Test.java:77:3:77:8 | local variable declaration | Test.java:77:7:77:7 | c |
+| Test.java:77:7:77:7 | c | Test.java:78:3:78:8 | ...; |
+| Test.java:78:3:78:7 | ...=... | Test.java:79:3:79:13 | while (...) |
+| Test.java:78:3:78:8 | ...; | Test.java:78:7:78:7 | 0 |
 | Test.java:78:7:78:7 | 0 | Test.java:78:3:78:7 | ...=... |
-| Test.java:79:3:79:13 | stmt | Test.java:79:9:79:12 | true |
-| Test.java:79:9:79:12 | true | Test.java:79:15:89:3 | stmt |
-| Test.java:79:15:89:3 | stmt | Test.java:80:4:80:10 | stmt |
-| Test.java:80:4:80:9 | ...=... | Test.java:81:4:81:15 | stmt |
-| Test.java:80:4:80:10 | stmt | Test.java:80:8:80:9 | 10 |
+| Test.java:79:3:79:13 | while (...) | Test.java:79:9:79:12 | true |
+| Test.java:79:9:79:12 | true | Test.java:79:15:89:3 | { ... } |
+| Test.java:79:15:89:3 | { ... } | Test.java:80:4:80:10 | ...; |
+| Test.java:80:4:80:9 | ...=... | Test.java:81:4:81:15 | if (...) |
+| Test.java:80:4:80:10 | ...; | Test.java:80:8:80:9 | 10 |
 | Test.java:80:8:80:9 | 10 | Test.java:80:4:80:9 | ...=... |
-| Test.java:81:4:81:15 | stmt | Test.java:81:8:81:8 | a |
+| Test.java:81:4:81:15 | if (...) | Test.java:81:8:81:8 | a |
 | Test.java:81:8:81:8 | a | Test.java:81:12:81:14 | 100 |
-| Test.java:81:8:81:14 | ... > ... | Test.java:81:17:84:4 | stmt |
-| Test.java:81:8:81:14 | ... > ... | Test.java:85:4:85:15 | stmt |
+| Test.java:81:8:81:14 | ... > ... | Test.java:81:17:84:4 | { ... } |
+| Test.java:81:8:81:14 | ... > ... | Test.java:85:4:85:15 | if (...) |
 | Test.java:81:12:81:14 | 100 | Test.java:81:8:81:14 | ... > ... |
-| Test.java:81:17:84:4 | stmt | Test.java:82:5:82:11 | stmt |
-| Test.java:82:5:82:10 | ...=... | Test.java:83:5:83:10 | stmt |
-| Test.java:82:5:82:11 | stmt | Test.java:82:9:82:10 | 10 |
+| Test.java:81:17:84:4 | { ... } | Test.java:82:5:82:11 | ...; |
+| Test.java:82:5:82:10 | ...=... | Test.java:83:5:83:10 | ...; |
+| Test.java:82:5:82:11 | ...; | Test.java:82:9:82:10 | 10 |
 | Test.java:82:9:82:10 | 10 | Test.java:82:5:82:10 | ...=... |
-| Test.java:83:5:83:10 | stmt | Test.java:83:9:83:9 | c |
+| Test.java:83:5:83:10 | ...; | Test.java:83:9:83:9 | c |
 | Test.java:83:9:83:9 | c | Test.java:83:5:83:9 | ...=... |
-| Test.java:85:4:85:15 | stmt | Test.java:85:8:85:8 | a |
+| Test.java:85:4:85:15 | if (...) | Test.java:85:8:85:8 | a |
 | Test.java:85:8:85:8 | a | Test.java:85:13:85:14 | 10 |
 | Test.java:85:8:85:14 | ... == ... | Test.java:74:6:74:10 | test2 |
-| Test.java:85:8:85:14 | ... == ... | Test.java:86:5:86:10 | stmt |
-| Test.java:85:8:85:14 | ... == ... | Test.java:87:4:87:15 | stmt |
+| Test.java:85:8:85:14 | ... == ... | Test.java:86:5:86:10 | break |
+| Test.java:85:8:85:14 | ... == ... | Test.java:87:4:87:15 | if (...) |
 | Test.java:85:13:85:14 | 10 | Test.java:85:8:85:14 | ... == ... |
-| Test.java:86:5:86:10 | stmt | Test.java:90:10:90:10 | b |
-| Test.java:87:4:87:15 | stmt | Test.java:87:8:87:8 | a |
+| Test.java:86:5:86:10 | break | Test.java:90:10:90:10 | b |
+| Test.java:87:4:87:15 | if (...) | Test.java:87:8:87:8 | a |
 | Test.java:87:8:87:8 | a | Test.java:87:13:87:14 | 20 |
 | Test.java:87:8:87:14 | ... == ... | Test.java:88:12:88:12 | c |
 | Test.java:87:13:87:14 | 20 | Test.java:87:8:87:14 | ... == ... |
-| Test.java:88:12:88:12 | c | Test.java:88:5:88:13 | stmt |
-| Test.java:90:10:90:10 | b | Test.java:90:3:90:11 | stmt |
+| Test.java:88:12:88:12 | c | Test.java:88:5:88:13 | return ... |
+| Test.java:90:10:90:10 | b | Test.java:90:3:90:11 | return ... |
diff --git a/java/ql/test/library-tests/dependency/PrintAst.expected b/java/ql/test/library-tests/dependency/PrintAst.expected
index e9eeb6f75b4..828b2be3199 100644
--- a/java/ql/test/library-tests/dependency/PrintAst.expected
+++ b/java/ql/test/library-tests/dependency/PrintAst.expected
@@ -22,8 +22,8 @@ dependency/A.java:
 #   16|           0: [Parameter] f
 #   16|             0: [TypeAccess] A<F>
 #   16|               0: [TypeAccess] F
-#   16|         5: [BlockStmt] stmt
-#   17|           0: [ReturnStmt] stmt
+#   16|         5: [BlockStmt] { ... }
+#   17|           0: [ReturnStmt] return ...
 #   17|             0: [NullLiteral] null
 #   22|   5: [Class] F
 #   24|   6: [Class] G
@@ -38,8 +38,8 @@ dependency/A.java:
 #-----|       4: (Parameters)
 #   27|         0: [Parameter] t
 #   27|           0: [TypeAccess] T
-#   27|       5: [BlockStmt] stmt
-#   27|         0: [ReturnStmt] stmt
+#   27|       5: [BlockStmt] { ... }
+#   27|         0: [ReturnStmt] return ...
 #   27|           0: [VarAccess] t
 #   28|     3: [Method] test2
 #   28|       3: [TypeAccess] void
@@ -48,4 +48,4 @@ dependency/A.java:
 #   28|           0: [TypeAccess] Collection<? extends Number>
 #   28|             0: [WildcardTypeAccess] ? ...
 #   28|               0: [TypeAccess] Number
-#   28|       5: [BlockStmt] stmt
+#   28|       5: [BlockStmt] { ... }
diff --git a/java/ql/test/library-tests/generics/PrintAst.expected b/java/ql/test/library-tests/generics/PrintAst.expected
index 7c4932a6f50..dc03f48d03e 100644
--- a/java/ql/test/library-tests/generics/PrintAst.expected
+++ b/java/ql/test/library-tests/generics/PrintAst.expected
@@ -42,7 +42,7 @@ generics/A.java:
 #   20|       -1: [TypeAccess] D<? super Double>
 #   20|         0: [WildcardTypeAccess] ? ...
 #   20|           1: [TypeAccess] Double
-#   21|     7: [BlockStmt] stmt
-#   21|       0: [ExprStmt] stmt
+#   21|     7: [BlockStmt] { ... }
+#   21|       0: [ExprStmt] ...;
 #   21|         0: [MethodAccess] asList(...)
 #   21|           -1: [TypeAccess] Arrays
diff --git a/java/ql/test/library-tests/guards/guards.expected b/java/ql/test/library-tests/guards/guards.expected
index 7d8beb623ed..1b7b7d4273d 100644
--- a/java/ql/test/library-tests/guards/guards.expected
+++ b/java/ql/test/library-tests/guards/guards.expected
@@ -1,41 +1,41 @@
-| Test.java:5:7:5:11 | ... < ... | false | Test.java:8:3:8:12 | stmt |
+| Test.java:5:7:5:11 | ... < ... | false | Test.java:8:3:8:12 | local variable declaration |
 | Test.java:5:7:5:11 | ... < ... | false | Test.java:9:9:9:9 | x |
-| Test.java:5:7:5:11 | ... < ... | false | Test.java:9:17:22:3 | stmt |
-| Test.java:5:7:5:11 | ... < ... | false | Test.java:11:5:11:8 | stmt |
-| Test.java:5:7:5:11 | ... < ... | false | Test.java:12:4:12:14 | stmt |
-| Test.java:5:7:5:11 | ... < ... | false | Test.java:12:16:16:4 | stmt |
-| Test.java:5:7:5:11 | ... < ... | false | Test.java:16:11:16:21 | stmt |
-| Test.java:5:7:5:11 | ... < ... | false | Test.java:16:23:18:4 | stmt |
-| Test.java:5:7:5:11 | ... < ... | false | Test.java:18:11:18:22 | stmt |
-| Test.java:5:7:5:11 | ... < ... | false | Test.java:18:24:20:4 | stmt |
-| Test.java:5:7:5:11 | ... < ... | false | Test.java:21:4:21:7 | stmt |
-| Test.java:5:7:5:11 | ... < ... | true | Test.java:5:14:7:3 | stmt |
-| Test.java:9:9:9:14 | ... >= ... | true | Test.java:9:17:22:3 | stmt |
-| Test.java:9:9:9:14 | ... >= ... | true | Test.java:11:5:11:8 | stmt |
-| Test.java:9:9:9:14 | ... >= ... | true | Test.java:12:4:12:14 | stmt |
-| Test.java:9:9:9:14 | ... >= ... | true | Test.java:12:16:16:4 | stmt |
-| Test.java:9:9:9:14 | ... >= ... | true | Test.java:16:11:16:21 | stmt |
-| Test.java:9:9:9:14 | ... >= ... | true | Test.java:16:23:18:4 | stmt |
-| Test.java:9:9:9:14 | ... >= ... | true | Test.java:18:11:18:22 | stmt |
-| Test.java:9:9:9:14 | ... >= ... | true | Test.java:18:24:20:4 | stmt |
-| Test.java:9:9:9:14 | ... >= ... | true | Test.java:21:4:21:7 | stmt |
-| Test.java:10:8:10:13 | ... >= ... | true | Test.java:11:5:11:8 | stmt |
-| Test.java:12:8:12:13 | ... > ... | false | Test.java:16:11:16:21 | stmt |
-| Test.java:12:8:12:13 | ... > ... | false | Test.java:16:23:18:4 | stmt |
-| Test.java:12:8:12:13 | ... > ... | false | Test.java:18:11:18:22 | stmt |
-| Test.java:12:8:12:13 | ... > ... | false | Test.java:18:24:20:4 | stmt |
-| Test.java:12:8:12:13 | ... > ... | true | Test.java:12:16:16:4 | stmt |
-| Test.java:16:15:16:20 | ... < ... | false | Test.java:18:11:18:22 | stmt |
-| Test.java:16:15:16:20 | ... < ... | false | Test.java:18:24:20:4 | stmt |
-| Test.java:16:15:16:20 | ... < ... | true | Test.java:16:23:18:4 | stmt |
-| Test.java:18:15:18:21 | ... == ... | true | Test.java:18:24:20:4 | stmt |
-| Test.java:27:7:27:11 | ... > ... | false | Test.java:31:10:36:3 | stmt |
-| Test.java:27:7:27:11 | ... > ... | false | Test.java:34:5:34:8 | stmt |
-| Test.java:27:7:27:11 | ... > ... | false | Test.java:35:4:35:10 | stmt |
-| Test.java:27:7:27:11 | ... > ... | true | Test.java:27:14:31:3 | stmt |
+| Test.java:5:7:5:11 | ... < ... | false | Test.java:9:17:22:3 | { ... } |
+| Test.java:5:7:5:11 | ... < ... | false | Test.java:11:5:11:8 | ...; |
+| Test.java:5:7:5:11 | ... < ... | false | Test.java:12:4:12:14 | if (...) |
+| Test.java:5:7:5:11 | ... < ... | false | Test.java:12:16:16:4 | { ... } |
+| Test.java:5:7:5:11 | ... < ... | false | Test.java:16:11:16:21 | if (...) |
+| Test.java:5:7:5:11 | ... < ... | false | Test.java:16:23:18:4 | { ... } |
+| Test.java:5:7:5:11 | ... < ... | false | Test.java:18:11:18:22 | if (...) |
+| Test.java:5:7:5:11 | ... < ... | false | Test.java:18:24:20:4 | { ... } |
+| Test.java:5:7:5:11 | ... < ... | false | Test.java:21:4:21:7 | ...; |
+| Test.java:5:7:5:11 | ... < ... | true | Test.java:5:14:7:3 | { ... } |
+| Test.java:9:9:9:14 | ... >= ... | true | Test.java:9:17:22:3 | { ... } |
+| Test.java:9:9:9:14 | ... >= ... | true | Test.java:11:5:11:8 | ...; |
+| Test.java:9:9:9:14 | ... >= ... | true | Test.java:12:4:12:14 | if (...) |
+| Test.java:9:9:9:14 | ... >= ... | true | Test.java:12:16:16:4 | { ... } |
+| Test.java:9:9:9:14 | ... >= ... | true | Test.java:16:11:16:21 | if (...) |
+| Test.java:9:9:9:14 | ... >= ... | true | Test.java:16:23:18:4 | { ... } |
+| Test.java:9:9:9:14 | ... >= ... | true | Test.java:18:11:18:22 | if (...) |
+| Test.java:9:9:9:14 | ... >= ... | true | Test.java:18:24:20:4 | { ... } |
+| Test.java:9:9:9:14 | ... >= ... | true | Test.java:21:4:21:7 | ...; |
+| Test.java:10:8:10:13 | ... >= ... | true | Test.java:11:5:11:8 | ...; |
+| Test.java:12:8:12:13 | ... > ... | false | Test.java:16:11:16:21 | if (...) |
+| Test.java:12:8:12:13 | ... > ... | false | Test.java:16:23:18:4 | { ... } |
+| Test.java:12:8:12:13 | ... > ... | false | Test.java:18:11:18:22 | if (...) |
+| Test.java:12:8:12:13 | ... > ... | false | Test.java:18:24:20:4 | { ... } |
+| Test.java:12:8:12:13 | ... > ... | true | Test.java:12:16:16:4 | { ... } |
+| Test.java:16:15:16:20 | ... < ... | false | Test.java:18:11:18:22 | if (...) |
+| Test.java:16:15:16:20 | ... < ... | false | Test.java:18:24:20:4 | { ... } |
+| Test.java:16:15:16:20 | ... < ... | true | Test.java:16:23:18:4 | { ... } |
+| Test.java:18:15:18:21 | ... == ... | true | Test.java:18:24:20:4 | { ... } |
+| Test.java:27:7:27:11 | ... > ... | false | Test.java:31:10:36:3 | { ... } |
+| Test.java:27:7:27:11 | ... > ... | false | Test.java:34:5:34:8 | ...; |
+| Test.java:27:7:27:11 | ... > ... | false | Test.java:35:4:35:10 | ...; |
+| Test.java:27:7:27:11 | ... > ... | true | Test.java:27:14:31:3 | { ... } |
 | Test.java:27:7:27:11 | ... > ... | true | Test.java:29:8:29:28 | w |
 | Test.java:27:7:27:11 | ... > ... | true | Test.java:29:24:29:24 | 0 |
 | Test.java:27:7:27:11 | ... > ... | true | Test.java:29:28:29:28 | 1 |
 | Test.java:29:13:29:19 | ... < ... | false | Test.java:29:28:29:28 | 1 |
 | Test.java:29:13:29:19 | ... < ... | true | Test.java:29:24:29:24 | 0 |
-| Test.java:33:8:33:18 | ... < ... | true | Test.java:34:5:34:8 | stmt |
+| Test.java:33:8:33:18 | ... < ... | true | Test.java:34:5:34:8 | ...; |
diff --git a/java/ql/test/library-tests/guards/guardslogic.expected b/java/ql/test/library-tests/guards/guardslogic.expected
index 5ed4a95c5b7..f92d61148fe 100644
--- a/java/ql/test/library-tests/guards/guardslogic.expected
+++ b/java/ql/test/library-tests/guards/guardslogic.expected
@@ -1,48 +1,48 @@
-| Logic.java:8:10:10:12 | ...?...:... | false | Logic.java:12:12:13:5 | stmt |
-| Logic.java:8:10:10:12 | ...?...:... | true | Logic.java:11:21:12:5 | stmt |
+| Logic.java:8:10:10:12 | ...?...:... | false | Logic.java:12:12:13:5 | { ... } |
+| Logic.java:8:10:10:12 | ...?...:... | true | Logic.java:11:21:12:5 | { ... } |
 | Logic.java:8:11:8:14 | g(...) | false | Logic.java:10:9:10:12 | true |
 | Logic.java:8:11:8:14 | g(...) | true | Logic.java:9:11:9:11 | 2 |
-| Logic.java:8:11:8:14 | g(...) | true | Logic.java:12:12:13:5 | stmt |
-| Logic.java:9:9:9:12 | g(...) | false | Logic.java:12:12:13:5 | stmt |
-| Logic.java:11:9:11:9 | b | false | Logic.java:12:12:13:5 | stmt |
-| Logic.java:11:9:11:9 | b | true | Logic.java:11:21:12:5 | stmt |
-| Logic.java:11:9:11:18 | ... != ... | false | Logic.java:12:12:13:5 | stmt |
-| Logic.java:11:9:11:18 | ... != ... | true | Logic.java:11:21:12:5 | stmt |
+| Logic.java:8:11:8:14 | g(...) | true | Logic.java:12:12:13:5 | { ... } |
+| Logic.java:9:9:9:12 | g(...) | false | Logic.java:12:12:13:5 | { ... } |
+| Logic.java:11:9:11:9 | b | false | Logic.java:12:12:13:5 | { ... } |
+| Logic.java:11:9:11:9 | b | true | Logic.java:11:21:12:5 | { ... } |
+| Logic.java:11:9:11:18 | ... != ... | false | Logic.java:12:12:13:5 | { ... } |
+| Logic.java:11:9:11:18 | ... != ... | true | Logic.java:11:21:12:5 | { ... } |
 | Logic.java:14:14:14:22 | ... != ... | false | Logic.java:14:37:14:37 | 0 |
 | Logic.java:14:14:14:22 | ... != ... | true | Logic.java:14:26:14:26 | a |
 | Logic.java:14:14:14:22 | ... != ... | true | Logic.java:15:29:15:29 | i |
-| Logic.java:14:14:14:22 | ... != ... | true | Logic.java:15:34:18:5 | stmt |
-| Logic.java:14:14:14:22 | ... != ... | true | Logic.java:17:18:17:23 | stmt |
+| Logic.java:14:14:14:22 | ... != ... | true | Logic.java:15:34:18:5 | { ... } |
+| Logic.java:14:14:14:22 | ... != ... | true | Logic.java:17:18:17:23 | break |
 | Logic.java:15:21:15:26 | ... < ... | true | Logic.java:15:29:15:29 | i |
-| Logic.java:15:21:15:26 | ... < ... | true | Logic.java:15:34:18:5 | stmt |
-| Logic.java:15:21:15:26 | ... < ... | true | Logic.java:17:18:17:23 | stmt |
+| Logic.java:15:21:15:26 | ... < ... | true | Logic.java:15:34:18:5 | { ... } |
+| Logic.java:15:21:15:26 | ... < ... | true | Logic.java:17:18:17:23 | break |
 | Logic.java:17:11:17:15 | ... > ... | false | Logic.java:15:29:15:29 | i |
-| Logic.java:17:11:17:15 | ... > ... | true | Logic.java:17:18:17:23 | stmt |
-| Logic.java:19:9:19:12 | g(...) | false | Logic.java:24:7:24:17 | stmt |
-| Logic.java:19:9:19:12 | g(...) | false | Logic.java:26:7:26:14 | stmt |
-| Logic.java:19:9:19:12 | g(...) | true | Logic.java:20:7:20:16 | stmt |
-| Logic.java:22:7:22:17 | stmt | false | Logic.java:26:7:26:14 | stmt |
-| Logic.java:22:7:22:17 | stmt | true | Logic.java:22:7:22:17 | stmt |
-| Logic.java:24:7:24:17 | stmt | false | Logic.java:26:7:26:14 | stmt |
-| Logic.java:24:7:24:17 | stmt | true | Logic.java:24:7:24:17 | stmt |
-| Logic.java:26:7:26:14 | stmt | true | Logic.java:26:7:26:14 | stmt |
+| Logic.java:17:11:17:15 | ... > ... | true | Logic.java:17:18:17:23 | break |
+| Logic.java:19:9:19:12 | g(...) | false | Logic.java:24:7:24:17 | case ... |
+| Logic.java:19:9:19:12 | g(...) | false | Logic.java:26:7:26:14 | default |
+| Logic.java:19:9:19:12 | g(...) | true | Logic.java:20:7:20:16 | ...; |
+| Logic.java:22:7:22:17 | case ... | false | Logic.java:26:7:26:14 | default |
+| Logic.java:22:7:22:17 | case ... | true | Logic.java:22:7:22:17 | case ... |
+| Logic.java:24:7:24:17 | case ... | false | Logic.java:26:7:26:14 | default |
+| Logic.java:24:7:24:17 | case ... | true | Logic.java:24:7:24:17 | case ... |
+| Logic.java:26:7:26:14 | default | true | Logic.java:26:7:26:14 | default |
 | Logic.java:29:16:29:19 | g(...) | false | Logic.java:29:30:29:30 | s |
-| Logic.java:29:16:29:19 | g(...) | false | Logic.java:30:30:31:5 | stmt |
+| Logic.java:29:16:29:19 | g(...) | false | Logic.java:30:30:31:5 | { ... } |
 | Logic.java:29:16:29:19 | g(...) | true | Logic.java:29:23:29:26 | null |
-| Logic.java:30:9:30:27 | ...instanceof... | true | Logic.java:30:30:31:5 | stmt |
-| Logic.java:35:5:35:29 | checkTrue(...) | true | Logic.java:36:5:36:28 | stmt |
-| Logic.java:35:5:35:29 | checkTrue(...) | true | Logic.java:37:5:37:15 | stmt |
-| Logic.java:35:5:35:29 | checkTrue(...) | true | Logic.java:37:17:39:5 | stmt |
-| Logic.java:35:5:35:29 | checkTrue(...) | true | Logic.java:40:5:40:18 | stmt |
-| Logic.java:35:15:35:19 | ... > ... | true | Logic.java:36:5:36:28 | stmt |
-| Logic.java:35:15:35:19 | ... > ... | true | Logic.java:37:5:37:15 | stmt |
-| Logic.java:35:15:35:19 | ... > ... | true | Logic.java:37:17:39:5 | stmt |
-| Logic.java:35:15:35:19 | ... > ... | true | Logic.java:40:5:40:18 | stmt |
-| Logic.java:36:5:36:27 | checkFalse(...) | false | Logic.java:37:5:37:15 | stmt |
-| Logic.java:36:5:36:27 | checkFalse(...) | false | Logic.java:37:17:39:5 | stmt |
-| Logic.java:36:5:36:27 | checkFalse(...) | false | Logic.java:40:5:40:18 | stmt |
-| Logic.java:36:16:36:21 | g(...) | false | Logic.java:37:5:37:15 | stmt |
-| Logic.java:36:16:36:21 | g(...) | false | Logic.java:37:17:39:5 | stmt |
-| Logic.java:36:16:36:21 | g(...) | false | Logic.java:40:5:40:18 | stmt |
-| Logic.java:37:9:37:14 | ... > ... | true | Logic.java:37:17:39:5 | stmt |
+| Logic.java:30:9:30:27 | ...instanceof... | true | Logic.java:30:30:31:5 | { ... } |
+| Logic.java:35:5:35:29 | checkTrue(...) | true | Logic.java:36:5:36:28 | ...; |
+| Logic.java:35:5:35:29 | checkTrue(...) | true | Logic.java:37:5:37:15 | if (...) |
+| Logic.java:35:5:35:29 | checkTrue(...) | true | Logic.java:37:17:39:5 | { ... } |
+| Logic.java:35:5:35:29 | checkTrue(...) | true | Logic.java:40:5:40:18 | local variable declaration |
+| Logic.java:35:15:35:19 | ... > ... | true | Logic.java:36:5:36:28 | ...; |
+| Logic.java:35:15:35:19 | ... > ... | true | Logic.java:37:5:37:15 | if (...) |
+| Logic.java:35:15:35:19 | ... > ... | true | Logic.java:37:17:39:5 | { ... } |
+| Logic.java:35:15:35:19 | ... > ... | true | Logic.java:40:5:40:18 | local variable declaration |
+| Logic.java:36:5:36:27 | checkFalse(...) | false | Logic.java:37:5:37:15 | if (...) |
+| Logic.java:36:5:36:27 | checkFalse(...) | false | Logic.java:37:17:39:5 | { ... } |
+| Logic.java:36:5:36:27 | checkFalse(...) | false | Logic.java:40:5:40:18 | local variable declaration |
+| Logic.java:36:16:36:21 | g(...) | false | Logic.java:37:5:37:15 | if (...) |
+| Logic.java:36:16:36:21 | g(...) | false | Logic.java:37:17:39:5 | { ... } |
+| Logic.java:36:16:36:21 | g(...) | false | Logic.java:40:5:40:18 | local variable declaration |
+| Logic.java:37:9:37:14 | ... > ... | true | Logic.java:37:17:39:5 | { ... } |
 | Logic.java:44:10:44:10 | b | false | Logic.java:44:33:44:35 | msg |
diff --git a/java/ql/test/library-tests/guards12/PrintAst.expected b/java/ql/test/library-tests/guards12/PrintAst.expected
index 5ef51e2fd7e..4b28449b418 100644
--- a/java/ql/test/library-tests/guards12/PrintAst.expected
+++ b/java/ql/test/library-tests/guards12/PrintAst.expected
@@ -6,18 +6,18 @@ Test.java:
 #-----|       4: (Parameters)
 #    2|         0: [Parameter] s
 #    2|           0: [TypeAccess] String
-#    2|       5: [BlockStmt] stmt
-#    3|         0: [LocalVariableDeclStmt] stmt
+#    2|       5: [BlockStmt] { ... }
+#    3|         0: [LocalVariableDeclStmt] local variable declaration
 #    3|           0: [TypeAccess] int
 #    3|           1: [LocalVariableDeclExpr] x
 #    3|             0: [SwitchExpr] switch (...)
 #    3|               -1: [VarAccess] s
-#    4|               0: [ConstCase] stmt
+#    4|               0: [ConstCase] case ...
 #    4|                 -1: [IntegerLiteral] 1
 #    4|                 0: [StringLiteral] "a"
 #    4|                 1: [StringLiteral] "b"
-#    5|               1: [ConstCase] stmt
+#    5|               1: [ConstCase] case ...
 #    5|                 -1: [IntegerLiteral] 2
 #    5|                 0: [StringLiteral] "c"
-#    6|               2: [DefaultCase] stmt
+#    6|               2: [DefaultCase] default
 #    6|                 -1: [IntegerLiteral] 3
diff --git a/java/ql/test/library-tests/guards12/guard.expected b/java/ql/test/library-tests/guards12/guard.expected
index d578ba1141d..4befc404376 100644
--- a/java/ql/test/library-tests/guards12/guard.expected
+++ b/java/ql/test/library-tests/guards12/guard.expected
@@ -1 +1 @@
-| Test.java:5:7:5:17 | stmt | Test.java:3:20:3:20 | s | Test.java:5:12:5:14 | "c" | true | true | Test.java:5:7:5:17 | stmt |
+| Test.java:5:7:5:17 | case ... | Test.java:3:20:3:20 | s | Test.java:5:12:5:14 | "c" | true | true | Test.java:5:7:5:17 | case ... |
diff --git a/java/ql/test/library-tests/java7/MultiCatch/MultiCatch.expected b/java/ql/test/library-tests/java7/MultiCatch/MultiCatch.expected
index 73cdcb4209b..85996112d82 100644
--- a/java/ql/test/library-tests/java7/MultiCatch/MultiCatch.expected
+++ b/java/ql/test/library-tests/java7/MultiCatch/MultiCatch.expected
@@ -1,4 +1,4 @@
-| MultiCatch.java:15:5:15:37 | stmt | MultiCatch.java:15:11:15:21 | IOException | Exception |
-| MultiCatch.java:15:5:15:37 | stmt | MultiCatch.java:15:23:15:34 | SQLException | Exception |
-| MultiCatch.java:31:5:31:37 | stmt | MultiCatch.java:31:11:31:21 | IOException | Exception |
-| MultiCatch.java:31:5:31:37 | stmt | MultiCatch.java:31:23:31:34 | SQLException | Exception |
+| MultiCatch.java:15:5:15:37 | catch (...) | MultiCatch.java:15:11:15:21 | IOException | Exception |
+| MultiCatch.java:15:5:15:37 | catch (...) | MultiCatch.java:15:23:15:34 | SQLException | Exception |
+| MultiCatch.java:31:5:31:37 | catch (...) | MultiCatch.java:31:11:31:21 | IOException | Exception |
+| MultiCatch.java:31:5:31:37 | catch (...) | MultiCatch.java:31:23:31:34 | SQLException | Exception |
diff --git a/java/ql/test/library-tests/java7/MultiCatch/MultiCatchControlFlow.expected b/java/ql/test/library-tests/java7/MultiCatch/MultiCatchControlFlow.expected
index 624f3a90f7a..29e14d3c120 100644
--- a/java/ql/test/library-tests/java7/MultiCatch/MultiCatchControlFlow.expected
+++ b/java/ql/test/library-tests/java7/MultiCatch/MultiCatchControlFlow.expected
@@ -1,48 +1,48 @@
-| MultiCatch.java:6:14:6:23 | stmt | MultiCatch.java:6:14:6:23 | super(...) |
 | MultiCatch.java:6:14:6:23 | super(...) | MultiCatch.java:6:14:6:23 | MultiCatch |
-| MultiCatch.java:8:2:20:2 | stmt | MultiCatch.java:9:3:19:3 | stmt |
-| MultiCatch.java:9:3:19:3 | stmt | MultiCatch.java:10:3:15:3 | stmt |
-| MultiCatch.java:10:3:15:3 | stmt | MultiCatch.java:11:4:11:8 | stmt |
-| MultiCatch.java:11:4:11:8 | stmt | MultiCatch.java:11:7:11:7 | b |
+| MultiCatch.java:6:14:6:23 | { ... } | MultiCatch.java:6:14:6:23 | super(...) |
+| MultiCatch.java:8:2:20:2 | { ... } | MultiCatch.java:9:3:19:3 | try ... |
+| MultiCatch.java:9:3:19:3 | try ... | MultiCatch.java:10:3:15:3 | { ... } |
+| MultiCatch.java:10:3:15:3 | { ... } | MultiCatch.java:11:4:11:8 | if (...) |
+| MultiCatch.java:11:4:11:8 | if (...) | MultiCatch.java:11:7:11:7 | b |
 | MultiCatch.java:11:7:11:7 | b | MultiCatch.java:12:11:12:27 | new IOException(...) |
 | MultiCatch.java:11:7:11:7 | b | MultiCatch.java:14:11:14:28 | new SQLException(...) |
-| MultiCatch.java:12:5:12:28 | stmt | MultiCatch.java:15:5:15:37 | stmt |
-| MultiCatch.java:12:11:12:27 | new IOException(...) | MultiCatch.java:12:5:12:28 | stmt |
-| MultiCatch.java:14:5:14:29 | stmt | MultiCatch.java:15:5:15:37 | stmt |
-| MultiCatch.java:14:11:14:28 | new SQLException(...) | MultiCatch.java:14:5:14:29 | stmt |
-| MultiCatch.java:15:5:15:37 | stmt | MultiCatch.java:15:36:15:36 | e |
-| MultiCatch.java:15:36:15:36 | e | MultiCatch.java:16:3:19:3 | stmt |
-| MultiCatch.java:16:3:19:3 | stmt | MultiCatch.java:17:4:17:23 | stmt |
+| MultiCatch.java:12:5:12:28 | throw ... | MultiCatch.java:15:5:15:37 | catch (...) |
+| MultiCatch.java:12:11:12:27 | new IOException(...) | MultiCatch.java:12:5:12:28 | throw ... |
+| MultiCatch.java:14:5:14:29 | throw ... | MultiCatch.java:15:5:15:37 | catch (...) |
+| MultiCatch.java:14:11:14:28 | new SQLException(...) | MultiCatch.java:14:5:14:29 | throw ... |
+| MultiCatch.java:15:5:15:37 | catch (...) | MultiCatch.java:15:36:15:36 | e |
+| MultiCatch.java:15:36:15:36 | e | MultiCatch.java:16:3:19:3 | { ... } |
+| MultiCatch.java:16:3:19:3 | { ... } | MultiCatch.java:17:4:17:23 | ...; |
 | MultiCatch.java:17:4:17:4 | e | MultiCatch.java:17:4:17:22 | printStackTrace(...) |
 | MultiCatch.java:17:4:17:22 | printStackTrace(...) | MultiCatch.java:18:10:18:10 | e |
-| MultiCatch.java:17:4:17:23 | stmt | MultiCatch.java:17:4:17:4 | e |
-| MultiCatch.java:18:4:18:11 | stmt | MultiCatch.java:7:14:7:23 | multiCatch |
-| MultiCatch.java:18:10:18:10 | e | MultiCatch.java:18:4:18:11 | stmt |
-| MultiCatch.java:23:2:33:2 | stmt | MultiCatch.java:24:3:32:4 | stmt |
-| MultiCatch.java:24:3:32:4 | stmt | MultiCatch.java:25:3:31:3 | stmt |
-| MultiCatch.java:25:3:31:3 | stmt | MultiCatch.java:26:4:26:8 | stmt |
-| MultiCatch.java:26:4:26:8 | stmt | MultiCatch.java:26:7:26:7 | b |
+| MultiCatch.java:17:4:17:23 | ...; | MultiCatch.java:17:4:17:4 | e |
+| MultiCatch.java:18:4:18:11 | throw ... | MultiCatch.java:7:14:7:23 | multiCatch |
+| MultiCatch.java:18:10:18:10 | e | MultiCatch.java:18:4:18:11 | throw ... |
+| MultiCatch.java:23:2:33:2 | { ... } | MultiCatch.java:24:3:32:4 | try ... |
+| MultiCatch.java:24:3:32:4 | try ... | MultiCatch.java:25:3:31:3 | { ... } |
+| MultiCatch.java:25:3:31:3 | { ... } | MultiCatch.java:26:4:26:8 | if (...) |
+| MultiCatch.java:26:4:26:8 | if (...) | MultiCatch.java:26:7:26:7 | b |
 | MultiCatch.java:26:7:26:7 | b | MultiCatch.java:27:11:27:27 | new IOException(...) |
-| MultiCatch.java:26:7:26:7 | b | MultiCatch.java:28:9:28:13 | stmt |
-| MultiCatch.java:27:5:27:28 | stmt | MultiCatch.java:31:5:31:37 | stmt |
-| MultiCatch.java:27:11:27:27 | new IOException(...) | MultiCatch.java:27:5:27:28 | stmt |
-| MultiCatch.java:28:9:28:13 | stmt | MultiCatch.java:28:12:28:12 | c |
+| MultiCatch.java:26:7:26:7 | b | MultiCatch.java:28:9:28:13 | if (...) |
+| MultiCatch.java:27:5:27:28 | throw ... | MultiCatch.java:31:5:31:37 | catch (...) |
+| MultiCatch.java:27:11:27:27 | new IOException(...) | MultiCatch.java:27:5:27:28 | throw ... |
+| MultiCatch.java:28:9:28:13 | if (...) | MultiCatch.java:28:12:28:12 | c |
 | MultiCatch.java:28:12:28:12 | c | MultiCatch.java:29:11:29:28 | new SQLException(...) |
 | MultiCatch.java:28:12:28:12 | c | MultiCatch.java:30:10:30:24 | new Exception(...) |
-| MultiCatch.java:29:5:29:29 | stmt | MultiCatch.java:31:5:31:37 | stmt |
-| MultiCatch.java:29:11:29:28 | new SQLException(...) | MultiCatch.java:29:5:29:29 | stmt |
-| MultiCatch.java:30:4:30:25 | stmt | MultiCatch.java:22:14:22:24 | multiCatch2 |
-| MultiCatch.java:30:4:30:25 | stmt | MultiCatch.java:31:5:31:37 | stmt |
-| MultiCatch.java:30:10:30:24 | new Exception(...) | MultiCatch.java:30:4:30:25 | stmt |
-| MultiCatch.java:31:5:31:37 | stmt | MultiCatch.java:31:36:31:36 | e |
-| MultiCatch.java:31:36:31:36 | e | MultiCatch.java:32:3:32:4 | stmt |
-| MultiCatch.java:32:3:32:4 | stmt | MultiCatch.java:22:14:22:24 | multiCatch2 |
-| MultiCatch.java:36:2:42:2 | stmt | MultiCatch.java:37:3:41:4 | stmt |
-| MultiCatch.java:37:3:41:4 | stmt | MultiCatch.java:38:3:40:3 | stmt |
-| MultiCatch.java:38:3:40:3 | stmt | MultiCatch.java:39:10:39:26 | new IOException(...) |
-| MultiCatch.java:39:4:39:27 | stmt | MultiCatch.java:40:5:40:22 | stmt |
-| MultiCatch.java:39:10:39:26 | new IOException(...) | MultiCatch.java:39:4:39:27 | stmt |
-| MultiCatch.java:39:10:39:26 | new IOException(...) | MultiCatch.java:40:5:40:22 | stmt |
-| MultiCatch.java:40:5:40:22 | stmt | MultiCatch.java:40:21:40:21 | e |
-| MultiCatch.java:40:21:40:21 | e | MultiCatch.java:41:3:41:4 | stmt |
-| MultiCatch.java:41:3:41:4 | stmt | MultiCatch.java:35:14:35:26 | ordinaryCatch |
+| MultiCatch.java:29:5:29:29 | throw ... | MultiCatch.java:31:5:31:37 | catch (...) |
+| MultiCatch.java:29:11:29:28 | new SQLException(...) | MultiCatch.java:29:5:29:29 | throw ... |
+| MultiCatch.java:30:4:30:25 | throw ... | MultiCatch.java:22:14:22:24 | multiCatch2 |
+| MultiCatch.java:30:4:30:25 | throw ... | MultiCatch.java:31:5:31:37 | catch (...) |
+| MultiCatch.java:30:10:30:24 | new Exception(...) | MultiCatch.java:30:4:30:25 | throw ... |
+| MultiCatch.java:31:5:31:37 | catch (...) | MultiCatch.java:31:36:31:36 | e |
+| MultiCatch.java:31:36:31:36 | e | MultiCatch.java:32:3:32:4 | { ... } |
+| MultiCatch.java:32:3:32:4 | { ... } | MultiCatch.java:22:14:22:24 | multiCatch2 |
+| MultiCatch.java:36:2:42:2 | { ... } | MultiCatch.java:37:3:41:4 | try ... |
+| MultiCatch.java:37:3:41:4 | try ... | MultiCatch.java:38:3:40:3 | { ... } |
+| MultiCatch.java:38:3:40:3 | { ... } | MultiCatch.java:39:10:39:26 | new IOException(...) |
+| MultiCatch.java:39:4:39:27 | throw ... | MultiCatch.java:40:5:40:22 | catch (...) |
+| MultiCatch.java:39:10:39:26 | new IOException(...) | MultiCatch.java:39:4:39:27 | throw ... |
+| MultiCatch.java:39:10:39:26 | new IOException(...) | MultiCatch.java:40:5:40:22 | catch (...) |
+| MultiCatch.java:40:5:40:22 | catch (...) | MultiCatch.java:40:21:40:21 | e |
+| MultiCatch.java:40:21:40:21 | e | MultiCatch.java:41:3:41:4 | { ... } |
+| MultiCatch.java:41:3:41:4 | { ... } | MultiCatch.java:35:14:35:26 | ordinaryCatch |
diff --git a/java/ql/test/library-tests/java7/MultiCatch/PrintAst.expected b/java/ql/test/library-tests/java7/MultiCatch/PrintAst.expected
index bba3b450e3e..c1ef98d7ef8 100644
--- a/java/ql/test/library-tests/java7/MultiCatch/PrintAst.expected
+++ b/java/ql/test/library-tests/java7/MultiCatch/PrintAst.expected
@@ -9,28 +9,28 @@ MultiCatch.java:
 #-----|       4: (Parameters)
 #    7|         0: [Parameter] b
 #    7|           0: [TypeAccess] boolean
-#    8|       5: [BlockStmt] stmt
-#    9|         0: [TryStmt] stmt
-#   10|           -1: [BlockStmt] stmt
-#   11|             0: [IfStmt] stmt
+#    8|       5: [BlockStmt] { ... }
+#    9|         0: [TryStmt] try ...
+#   10|           -1: [BlockStmt] { ... }
+#   11|             0: [IfStmt] if (...)
 #   11|               0: [VarAccess] b
-#   12|               1: [ThrowStmt] stmt
+#   12|               1: [ThrowStmt] throw ...
 #   12|                 0: [ClassInstanceExpr] new IOException(...)
 #   12|                   -3: [TypeAccess] IOException
-#   14|               2: [ThrowStmt] stmt
+#   14|               2: [ThrowStmt] throw ...
 #   14|                 0: [ClassInstanceExpr] new SQLException(...)
 #   14|                   -3: [TypeAccess] SQLException
-#   15|           0: [CatchClause] stmt
+#   15|           0: [CatchClause] catch (...)
 #-----|             0: (Single Local Variable Declaration)
 #   15|               0: [UnionTypeAccess] ...|...
 #   15|                 0: [TypeAccess] IOException
 #   15|                 1: [TypeAccess] SQLException
 #   15|               1: [LocalVariableDeclExpr] e
-#   16|             1: [BlockStmt] stmt
-#   17|               0: [ExprStmt] stmt
+#   16|             1: [BlockStmt] { ... }
+#   17|               0: [ExprStmt] ...;
 #   17|                 0: [MethodAccess] printStackTrace(...)
 #   17|                   -1: [VarAccess] e
-#   18|               1: [ThrowStmt] stmt
+#   18|               1: [ThrowStmt] throw ...
 #   18|                 0: [VarAccess] e
 #   22|     3: [Method] multiCatch2
 #   22|       3: [TypeAccess] void
@@ -39,39 +39,39 @@ MultiCatch.java:
 #   22|           0: [TypeAccess] boolean
 #   22|         1: [Parameter] c
 #   22|           0: [TypeAccess] boolean
-#   23|       5: [BlockStmt] stmt
-#   24|         0: [TryStmt] stmt
-#   25|           -1: [BlockStmt] stmt
-#   26|             0: [IfStmt] stmt
+#   23|       5: [BlockStmt] { ... }
+#   24|         0: [TryStmt] try ...
+#   25|           -1: [BlockStmt] { ... }
+#   26|             0: [IfStmt] if (...)
 #   26|               0: [VarAccess] b
-#   27|               1: [ThrowStmt] stmt
+#   27|               1: [ThrowStmt] throw ...
 #   27|                 0: [ClassInstanceExpr] new IOException(...)
 #   27|                   -3: [TypeAccess] IOException
-#   28|               2: [IfStmt] stmt
+#   28|               2: [IfStmt] if (...)
 #   28|                 0: [VarAccess] c
-#   29|                 1: [ThrowStmt] stmt
+#   29|                 1: [ThrowStmt] throw ...
 #   29|                   0: [ClassInstanceExpr] new SQLException(...)
 #   29|                     -3: [TypeAccess] SQLException
-#   30|             1: [ThrowStmt] stmt
+#   30|             1: [ThrowStmt] throw ...
 #   30|               0: [ClassInstanceExpr] new Exception(...)
 #   30|                 -3: [TypeAccess] Exception
-#   31|           0: [CatchClause] stmt
+#   31|           0: [CatchClause] catch (...)
 #-----|             0: (Single Local Variable Declaration)
 #   31|               0: [UnionTypeAccess] ...|...
 #   31|                 0: [TypeAccess] IOException
 #   31|                 1: [TypeAccess] SQLException
 #   31|               1: [LocalVariableDeclExpr] e
-#   32|             1: [BlockStmt] stmt
+#   32|             1: [BlockStmt] { ... }
 #   35|     4: [Method] ordinaryCatch
 #   35|       3: [TypeAccess] void
-#   36|       5: [BlockStmt] stmt
-#   37|         0: [TryStmt] stmt
-#   38|           -1: [BlockStmt] stmt
-#   39|             0: [ThrowStmt] stmt
+#   36|       5: [BlockStmt] { ... }
+#   37|         0: [TryStmt] try ...
+#   38|           -1: [BlockStmt] { ... }
+#   39|             0: [ThrowStmt] throw ...
 #   39|               0: [ClassInstanceExpr] new IOException(...)
 #   39|                 -3: [TypeAccess] IOException
-#   40|           0: [CatchClause] stmt
+#   40|           0: [CatchClause] catch (...)
 #-----|             0: (Single Local Variable Declaration)
 #   40|               0: [TypeAccess] Exception
 #   40|               1: [LocalVariableDeclExpr] e
-#   41|             1: [BlockStmt] stmt
+#   41|             1: [BlockStmt] { ... }
diff --git a/java/ql/test/library-tests/javadoc/PrintAst.expected b/java/ql/test/library-tests/javadoc/PrintAst.expected
index 5543dceaf01..84228fe83b3 100644
--- a/java/ql/test/library-tests/javadoc/PrintAst.expected
+++ b/java/ql/test/library-tests/javadoc/PrintAst.expected
@@ -10,13 +10,13 @@ javadoc/Test.java:
 #    5|           0: [JavadocText] A javadoc
 #    6|           1: [JavadocText] comment
 #    7|       3: [TypeAccess] void
-#    7|       5: [BlockStmt] stmt
+#    7|       5: [BlockStmt] { ... }
 #   11|     3: [Method] g
 #-----|       0: (Javadoc)
 #    9|         1: [Javadoc] /** Another javadoc comment */
 #    9|           0: [JavadocText] Another javadoc comment
 #   11|       3: [TypeAccess] void
-#   11|       5: [BlockStmt] stmt
+#   11|       5: [BlockStmt] { ... }
 #   14|     4: [FieldDeclaration] int x, ...;
 #   14|       -1: [TypeAccess] int
 #   15|     5: [FieldDeclaration] int y, ...;
@@ -26,4 +26,4 @@ javadoc/Test.java:
 #   17|         1: [Javadoc] /** @deprecated */
 #   17|           0: [JavadocTag] @deprecated
 #   18|       3: [TypeAccess] void
-#   18|       5: [BlockStmt] stmt
+#   18|       5: [BlockStmt] { ... }
diff --git a/java/ql/test/library-tests/localvars/LocalVarDeclStmtChildren.expected b/java/ql/test/library-tests/localvars/LocalVarDeclStmtChildren.expected
index 88d42af095e..79c41ba9e46 100644
--- a/java/ql/test/library-tests/localvars/LocalVarDeclStmtChildren.expected
+++ b/java/ql/test/library-tests/localvars/LocalVarDeclStmtChildren.expected
@@ -1,11 +1,11 @@
-| localvars/LocalVarTest.java:7:9:7:28 | stmt | 0 | localvars/LocalVarTest.java:7:9:7:11 | int |
-| localvars/LocalVarTest.java:7:9:7:28 | stmt | 1 | localvars/LocalVarTest.java:7:13:7:18 | x |
-| localvars/LocalVarTest.java:7:9:7:28 | stmt | 2 | localvars/LocalVarTest.java:7:22:7:27 | y |
-| localvars/LocalVarTest.java:8:9:8:20 | stmt | 0 | localvars/LocalVarTest.java:8:9:8:11 | int |
-| localvars/LocalVarTest.java:8:9:8:20 | stmt | 1 | localvars/LocalVarTest.java:8:13:8:18 | z |
-| localvars/LocalVarTest.java:9:9:9:35 | stmt | 0 | localvars/LocalVarTest.java:9:9:9:20 | List<String> |
-| localvars/LocalVarTest.java:9:9:9:35 | stmt | 1 | localvars/LocalVarTest.java:9:22:9:23 | l1 |
-| localvars/LocalVarTest.java:9:9:9:35 | stmt | 2 | localvars/LocalVarTest.java:9:26:9:34 | l2 |
-| localvars/LocalVarTest.java:12:13:12:33 | stmt | 0 | localvars/LocalVarTest.java:12:13:12:18 | Object |
-| localvars/LocalVarTest.java:12:13:12:33 | stmt | 1 | localvars/LocalVarTest.java:12:20:12:27 | o |
-| localvars/LocalVarTest.java:12:13:12:33 | stmt | 2 | localvars/LocalVarTest.java:12:30:12:30 | p |
+| localvars/LocalVarTest.java:7:9:7:28 | local variable declaration | 0 | localvars/LocalVarTest.java:7:9:7:11 | int |
+| localvars/LocalVarTest.java:7:9:7:28 | local variable declaration | 1 | localvars/LocalVarTest.java:7:13:7:18 | x |
+| localvars/LocalVarTest.java:7:9:7:28 | local variable declaration | 2 | localvars/LocalVarTest.java:7:22:7:27 | y |
+| localvars/LocalVarTest.java:8:9:8:20 | local variable declaration | 0 | localvars/LocalVarTest.java:8:9:8:11 | int |
+| localvars/LocalVarTest.java:8:9:8:20 | local variable declaration | 1 | localvars/LocalVarTest.java:8:13:8:18 | z |
+| localvars/LocalVarTest.java:9:9:9:35 | local variable declaration | 0 | localvars/LocalVarTest.java:9:9:9:20 | List<String> |
+| localvars/LocalVarTest.java:9:9:9:35 | local variable declaration | 1 | localvars/LocalVarTest.java:9:22:9:23 | l1 |
+| localvars/LocalVarTest.java:9:9:9:35 | local variable declaration | 2 | localvars/LocalVarTest.java:9:26:9:34 | l2 |
+| localvars/LocalVarTest.java:12:13:12:33 | local variable declaration | 0 | localvars/LocalVarTest.java:12:13:12:18 | Object |
+| localvars/LocalVarTest.java:12:13:12:33 | local variable declaration | 1 | localvars/LocalVarTest.java:12:20:12:27 | o |
+| localvars/LocalVarTest.java:12:13:12:33 | local variable declaration | 2 | localvars/LocalVarTest.java:12:30:12:30 | p |
diff --git a/java/ql/test/library-tests/localvars/TypeAccesses.expected b/java/ql/test/library-tests/localvars/TypeAccesses.expected
index 12070ce34d0..cf3ac2eb017 100644
--- a/java/ql/test/library-tests/localvars/TypeAccesses.expected
+++ b/java/ql/test/library-tests/localvars/TypeAccesses.expected
@@ -1,13 +1,13 @@
 | localvars/LocalVarTest.java:6:9:6:11 | int | localvars/LocalVarTest.java:6:13:6:17 | test1 | -1 |
-| localvars/LocalVarTest.java:7:9:7:11 | int | localvars/LocalVarTest.java:7:9:7:28 | stmt | 0 |
-| localvars/LocalVarTest.java:8:9:8:11 | int | localvars/LocalVarTest.java:8:9:8:20 | stmt | 0 |
-| localvars/LocalVarTest.java:9:9:9:20 | List<String> | localvars/LocalVarTest.java:9:9:9:35 | stmt | 0 |
+| localvars/LocalVarTest.java:7:9:7:11 | int | localvars/LocalVarTest.java:7:9:7:28 | local variable declaration | 0 |
+| localvars/LocalVarTest.java:8:9:8:11 | int | localvars/LocalVarTest.java:8:9:8:20 | local variable declaration | 0 |
+| localvars/LocalVarTest.java:9:9:9:20 | List<String> | localvars/LocalVarTest.java:9:9:9:35 | local variable declaration | 0 |
 | localvars/LocalVarTest.java:9:14:9:19 | String | localvars/LocalVarTest.java:9:9:9:20 | List<String> | 0 |
-| localvars/LocalVarTest.java:12:13:12:18 | Object | localvars/LocalVarTest.java:12:13:12:33 | stmt | 0 |
+| localvars/LocalVarTest.java:12:13:12:18 | Object | localvars/LocalVarTest.java:12:13:12:33 | local variable declaration | 0 |
 | localvars/LocalVarTest.java:17:9:17:12 | void | localvars/LocalVarTest.java:17:14:17:18 | test2 | -1 |
 | localvars/LocalVarTest.java:17:20:17:31 | List<String> | localvars/LocalVarTest.java:17:20:17:33 | l | -1 |
 | localvars/LocalVarTest.java:17:25:17:30 | String | localvars/LocalVarTest.java:17:20:17:31 | List<String> | 0 |
-| localvars/LocalVarTest.java:18:13:18:15 | int | localvars/LocalVarTest.java:18:9:18:29 | stmt | 0 |
-| localvars/LocalVarTest.java:19:13:19:15 | int | localvars/LocalVarTest.java:19:9:19:37 | stmt | 0 |
-| localvars/LocalVarTest.java:20:13:20:18 | String | localvars/LocalVarTest.java:20:9:20:25 | stmt | -1 |
-| localvars/LocalVarTest.java:22:17:22:32 | RuntimeException | localvars/LocalVarTest.java:22:11:22:35 | stmt | -1 |
+| localvars/LocalVarTest.java:18:13:18:15 | int | localvars/LocalVarTest.java:18:9:18:29 | for (...) | 0 |
+| localvars/LocalVarTest.java:19:13:19:15 | int | localvars/LocalVarTest.java:19:9:19:37 | for (...) | 0 |
+| localvars/LocalVarTest.java:20:13:20:18 | String | localvars/LocalVarTest.java:20:9:20:25 | for (... : ...) | -1 |
+| localvars/LocalVarTest.java:22:17:22:32 | RuntimeException | localvars/LocalVarTest.java:22:11:22:35 | catch (...) | -1 |
diff --git a/java/ql/test/library-tests/modifiers/PrintAst.expected b/java/ql/test/library-tests/modifiers/PrintAst.expected
index 6bf393864a0..1fb34c954aa 100644
--- a/java/ql/test/library-tests/modifiers/PrintAst.expected
+++ b/java/ql/test/library-tests/modifiers/PrintAst.expected
@@ -23,8 +23,8 @@ Test.java:
 #-----|               1: (Annotations)
 #    4|                 1: [Annotation] Override
 #    4|               3: [TypeAccess] String
-#    4|               5: [BlockStmt] stmt
-#    4|                 0: [ReturnStmt] stmt
+#    4|               5: [BlockStmt] { ... }
+#    4|                 0: [ReturnStmt] return ...
 #    4|                   0: [StringLiteral] "red"
 #    4|           -3: [TypeAccess] NonFinalEnum
 #    5|       4: [FieldDeclaration] NonFinalEnum GREEN, ...;
diff --git a/java/ql/test/library-tests/printAst/PrintAst.expected b/java/ql/test/library-tests/printAst/PrintAst.expected
index 922acc4011a..b89a04e5ffc 100644
--- a/java/ql/test/library-tests/printAst/PrintAst.expected
+++ b/java/ql/test/library-tests/printAst/PrintAst.expected
@@ -30,14 +30,14 @@ A.java:
 #   20|             1: [Annotation] SuppressWarnings
 #   20|               1: [StringLiteral] "all"
 #   20|           0: [TypeAccess] String
-#   20|       5: [BlockStmt] stmt
-#   21|         0: [LocalVariableDeclStmt] stmt
+#   20|       5: [BlockStmt] { ... }
+#   21|         0: [LocalVariableDeclStmt] local variable declaration
 #   21|           0: [TypeAccess] int
 #   21|           1: [LocalVariableDeclExpr] i
 #   21|             0: [IntegerLiteral] 0
 #   21|           2: [LocalVariableDeclExpr] j
 #   21|             0: [IntegerLiteral] 1
-#   23|         1: [ForStmt] stmt
+#   23|         1: [ForStmt] for (...)
 #-----|           0: (For Initializers) 
 #   23|             1: [AssignExpr] ...=...
 #   23|               0: [VarAccess] i
@@ -48,10 +48,10 @@ A.java:
 #   23|           1: [LTExpr] ... < ...
 #   23|             0: [VarAccess] i
 #   23|             1: [IntegerLiteral] 3
-#   23|           2: [BlockStmt] stmt
+#   23|           2: [BlockStmt] { ... }
 #   23|           3: [PostIncExpr] ...++
 #   23|             0: [VarAccess] i
-#   25|         2: [ForStmt] stmt
+#   25|         2: [ForStmt] for (...)
 #-----|           0: (For Initializers) 
 #   25|             0: [TypeAccess] int
 #   25|             1: [LocalVariableDeclExpr] m
@@ -61,16 +61,16 @@ A.java:
 #   25|           1: [LTExpr] ... < ...
 #   25|             0: [VarAccess] m
 #   25|             1: [IntegerLiteral] 3
-#   25|           2: [BlockStmt] stmt
+#   25|           2: [BlockStmt] { ... }
 #   25|           3: [PostIncExpr] ...++
 #   25|             0: [VarAccess] m
-#   27|         3: [ReturnStmt] stmt
+#   27|         3: [ReturnStmt] return ...
 #   27|           0: [IntegerLiteral] 0
 #   30|     6: [FieldDeclaration] int counter, ...;
 #   30|       -1: [TypeAccess] int
 #   30|       0: [IntegerLiteral] 1
-#   32|     7: [BlockStmt] stmt
-#   33|       0: [ExprStmt] stmt
+#   32|     7: [BlockStmt] { ... }
+#   33|       0: [ExprStmt] ...;
 #   33|         0: [AssignExpr] ...=...
 #   33|           0: [VarAccess] counter
 #   33|           1: [MethodAccess] doSomething(...)
@@ -84,8 +84,8 @@ A.java:
 #   40|             2: [Annotation] Ann2
 #   40|               1: [IntegerLiteral] 7
 #   42|       3: [TypeAccess] String
-#   42|       5: [BlockStmt] stmt
-#   42|         0: [ReturnStmt] stmt
+#   42|       5: [BlockStmt] { ... }
+#   42|         0: [ReturnStmt] return ...
 #   42|           0: [StringLiteral] "c"
 #   44|     9: [Method] varDecls
 #   44|       3: [TypeAccess] void
@@ -93,35 +93,35 @@ A.java:
 #   44|         0: [Parameter] things
 #   44|           0: [ArrayTypeAccess] ...[]
 #   44|             0: [TypeAccess] Object
-#   44|       5: [BlockStmt] stmt
-#   45|         0: [TryStmt] stmt
-#   45|           -1: [BlockStmt] stmt
-#   46|             0: [EnhancedForStmt] stmt
+#   44|       5: [BlockStmt] { ... }
+#   45|         0: [TryStmt] try ...
+#   45|           -1: [BlockStmt] { ... }
+#   46|             0: [EnhancedForStmt] for (... : ...)
 #-----|               0: (Single Local Variable Declaration)
 #   46|                 0: [TypeAccess] Object
 #   46|                 1: [LocalVariableDeclExpr] thing
 #   46|               1: [VarAccess] things
-#   46|               2: [BlockStmt] stmt
-#   47|                 0: [IfStmt] stmt
+#   46|               2: [BlockStmt] { ... }
+#   47|                 0: [IfStmt] if (...)
 #   47|                   0: [InstanceOfExpr] ...instanceof...
 #   47|                     0: [VarAccess] thing
 #   47|                     1: [TypeAccess] Integer
-#   47|                   1: [BlockStmt] stmt
-#   48|                     0: [ReturnStmt] stmt
-#   50|                 1: [IfStmt] stmt
+#   47|                   1: [BlockStmt] { ... }
+#   48|                     0: [ReturnStmt] return ...
+#   50|                 1: [IfStmt] if (...)
 #   50|                   0: [InstanceOfExpr] ...instanceof...
 #-----|                     0: (Single Local Variable Declaration)
 #   50|                       0: [TypeAccess] String
 #   50|                       1: [LocalVariableDeclExpr] s
 #   50|                         0: [VarAccess] thing
-#   50|                   1: [BlockStmt] stmt
-#   51|                     0: [ThrowStmt] stmt
+#   50|                   1: [BlockStmt] { ... }
+#   51|                     0: [ThrowStmt] throw ...
 #   51|                       0: [ClassInstanceExpr] new RuntimeException(...)
 #   51|                         -3: [TypeAccess] RuntimeException
 #   51|                         0: [VarAccess] s
-#   55|           0: [CatchClause] stmt
+#   55|           0: [CatchClause] catch (...)
 #-----|             0: (Single Local Variable Declaration)
 #   55|               0: [TypeAccess] RuntimeException
 #   55|               1: [LocalVariableDeclExpr] rte
-#   55|             1: [BlockStmt] stmt
-#   56|               0: [ReturnStmt] stmt
+#   55|             1: [BlockStmt] { ... }
+#   56|               0: [ReturnStmt] return ...
diff --git a/java/ql/test/library-tests/reflection/PrintAst.expected b/java/ql/test/library-tests/reflection/PrintAst.expected
index ede39cfcde5..76560acf118 100644
--- a/java/ql/test/library-tests/reflection/PrintAst.expected
+++ b/java/ql/test/library-tests/reflection/PrintAst.expected
@@ -19,8 +19,8 @@ reflection/ReflectiveAccess.java:
 #   13|         1: [Parameter] annotationClass
 #   13|           0: [TypeAccess] Class<A>
 #   13|             0: [TypeAccess] A
-#   13|       5: [BlockStmt] stmt
-#   14|         0: [ReturnStmt] stmt
+#   13|       5: [BlockStmt] { ... }
+#   14|         0: [ReturnStmt] return ...
 #   14|           0: [MethodAccess] getAnnotation(...)
 #   14|             -1: [VarAccess] classContainingAnnotation
 #   14|             0: [VarAccess] annotationClass
@@ -30,18 +30,18 @@ reflection/ReflectiveAccess.java:
 #   17|         0: [Parameter] args
 #   17|           0: [ArrayTypeAccess] ...[]
 #   17|             0: [TypeAccess] String
-#   17|       5: [BlockStmt] stmt
-#   18|         0: [LocalVariableDeclStmt] stmt
+#   17|       5: [BlockStmt] { ... }
+#   18|         0: [LocalVariableDeclStmt] local variable declaration
 #   18|           0: [TypeAccess] Class<?>
 #   18|             0: [WildcardTypeAccess] ? ...
 #   18|           1: [LocalVariableDeclExpr] testClass
 #   18|             0: [MethodAccess] forName(...)
 #   18|               -1: [TypeAccess] Class<>
 #   18|               0: [StringLiteral] "reflection.ReflectiveAccess$TestClass"
-#   20|         1: [ExprStmt] stmt
+#   20|         1: [ExprStmt] ...;
 #   20|           0: [MethodAccess] newInstance(...)
 #   20|             -1: [VarAccess] testClass
-#   22|         2: [ExprStmt] stmt
+#   22|         2: [ExprStmt] ...;
 #   22|           0: [MethodAccess] getAnnotation(...)
 #   22|             0: [TypeLiteral] TestClass.class
 #   22|               0: [TypeAccess] TestClass
diff --git a/java/ql/test/library-tests/ssa/ssaDef.expected b/java/ql/test/library-tests/ssa/ssaDef.expected
index f3acbc1c2f9..8c9e9cfec51 100644
--- a/java/ql/test/library-tests/ssa/ssaDef.expected
+++ b/java/ql/test/library-tests/ssa/ssaDef.expected
@@ -2,14 +2,14 @@
 | Fields.java:13:5:13:17 | x | Fields.java:15:5:15:10 | ...=... | SSA def(x) |
 | Fields.java:13:5:13:17 | x | Fields.java:18:5:18:15 | ...=... | SSA def(x) |
 | Fields.java:13:5:13:17 | x | Fields.java:20:5:20:10 | ...=... | SSA def(x) |
-| Fields.java:13:15:13:16 | this.xs | Fields.java:12:19:21:3 | stmt | SSA init(this.xs) |
+| Fields.java:13:15:13:16 | this.xs | Fields.java:12:19:21:3 | { ... } | SSA init(this.xs) |
 | Fields.java:13:15:13:16 | this.xs | Fields.java:14:5:14:9 | upd(...) | SSA impl upd[nonlocal](this.xs) |
 | Fields.java:13:15:13:16 | this.xs | Fields.java:17:7:17:11 | upd(...) | SSA impl upd[nonlocal](this.xs) |
-| Fields.java:13:15:13:16 | this.xs | Fields.java:18:5:18:16 | stmt | SSA phi(this.xs) |
+| Fields.java:13:15:13:16 | this.xs | Fields.java:18:5:18:16 | ...; | SSA phi(this.xs) |
 | Fields.java:13:15:13:16 | this.xs | Fields.java:19:5:19:19 | ...=... | SSA def(this.xs) |
 | Fields.java:24:5:24:28 | f | Fields.java:24:12:24:27 | f | SSA def(f) |
 | Fields.java:24:5:24:28 | f | Fields.java:43:7:43:22 | ...=... | SSA def(f) |
-| Fields.java:24:5:24:28 | f | Fields.java:44:5:44:13 | stmt | SSA phi(f) |
+| Fields.java:24:5:24:28 | f | Fields.java:44:5:44:13 | ...; | SSA phi(f) |
 | Fields.java:25:5:25:19 | y | Fields.java:25:11:25:18 | y | SSA def(y) |
 | Fields.java:25:5:25:19 | y | Fields.java:29:5:29:12 | ...=... | SSA def(y) |
 | Fields.java:25:5:25:19 | y | Fields.java:33:5:33:12 | ...=... | SSA def(y) |
@@ -22,14 +22,14 @@
 | Fields.java:25:15:25:18 | f.xs | Fields.java:32:5:32:9 | f(...) | SSA impl upd[nonlocal](f.xs) |
 | Fields.java:25:15:25:18 | f.xs | Fields.java:39:5:39:21 | ...=... | SSA def(f.xs) |
 | Fields.java:25:15:25:18 | f.xs | Fields.java:43:7:43:22 | ...=... | SSA impl upd[explicit qualifier](f.xs) |
-| Fields.java:25:15:25:18 | f.xs | Fields.java:44:5:44:13 | stmt | SSA phi(f.xs) |
+| Fields.java:25:15:25:18 | f.xs | Fields.java:44:5:44:13 | ...; | SSA phi(f.xs) |
 | Fields.java:26:5:26:17 | z | Fields.java:26:11:26:16 | z | SSA def(z) |
 | Fields.java:26:5:26:17 | z | Fields.java:30:5:30:10 | ...=... | SSA def(z) |
 | Fields.java:26:5:26:17 | z | Fields.java:34:5:34:10 | ...=... | SSA def(z) |
 | Fields.java:26:5:26:17 | z | Fields.java:38:5:38:10 | ...=... | SSA def(z) |
 | Fields.java:26:5:26:17 | z | Fields.java:41:5:41:10 | ...=... | SSA def(z) |
 | Fields.java:26:5:26:17 | z | Fields.java:47:5:47:10 | ...=... | SSA def(z) |
-| Fields.java:26:15:26:16 | this.xs | Fields.java:23:19:49:3 | stmt | SSA init(this.xs) |
+| Fields.java:26:15:26:16 | this.xs | Fields.java:23:19:49:3 | { ... } | SSA init(this.xs) |
 | Fields.java:26:15:26:16 | this.xs | Fields.java:28:5:28:12 | f(...) | SSA impl upd[nonlocal](this.xs) |
 | Fields.java:26:15:26:16 | this.xs | Fields.java:32:5:32:9 | f(...) | SSA impl upd[nonlocal](this.xs) |
 | Fields.java:26:15:26:16 | this.xs | Fields.java:36:5:36:19 | ...=... | SSA def(this.xs) |
@@ -37,52 +37,52 @@
 | Fields.java:27:5:27:19 | w | Fields.java:31:5:31:12 | ...=... | SSA def(w) |
 | Fields.java:27:5:27:19 | w | Fields.java:35:5:35:12 | ...=... | SSA def(w) |
 | Fields.java:27:5:27:19 | w | Fields.java:48:5:48:12 | ...=... | SSA def(w) |
-| Fields.java:27:15:27:18 | Fields.stat | Fields.java:23:19:49:3 | stmt | SSA init(Fields.stat) |
+| Fields.java:27:15:27:18 | Fields.stat | Fields.java:23:19:49:3 | { ... } | SSA init(Fields.stat) |
 | Fields.java:27:15:27:18 | Fields.stat | Fields.java:24:16:24:27 | new Fields(...) | SSA impl upd[nonlocal](Fields.stat) |
 | Fields.java:27:15:27:18 | Fields.stat | Fields.java:28:5:28:12 | f(...) | SSA impl upd[nonlocal](Fields.stat) |
 | Fields.java:27:15:27:18 | Fields.stat | Fields.java:32:5:32:9 | f(...) | SSA impl upd[nonlocal](Fields.stat) |
 | Fields.java:27:15:27:18 | Fields.stat | Fields.java:43:11:43:22 | new Fields(...) | SSA impl upd[nonlocal](Fields.stat) |
-| Fields.java:27:15:27:18 | Fields.stat | Fields.java:44:5:44:13 | stmt | SSA phi(Fields.stat) |
+| Fields.java:27:15:27:18 | Fields.stat | Fields.java:44:5:44:13 | ...; | SSA phi(Fields.stat) |
 | Fields.java:27:15:27:18 | Fields.stat | Fields.java:45:5:45:16 | new Fields(...) | SSA impl upd[nonlocal](Fields.stat) |
-| Nested.java:4:26:4:31 | next(..).p1 | Nested.java:8:29:8:57 | stmt | SSA init(next(..).p1) |
-| Nested.java:4:26:4:31 | p1 | Nested.java:4:34:10:3 | stmt | SSA init(p1) |
-| Nested.java:5:5:5:15 | next(..).x1 | Nested.java:8:29:8:57 | stmt | SSA init(next(..).x1) |
+| Nested.java:4:26:4:31 | next(..).p1 | Nested.java:8:29:8:57 | { ... } | SSA init(next(..).p1) |
+| Nested.java:4:26:4:31 | p1 | Nested.java:4:34:10:3 | { ... } | SSA init(p1) |
+| Nested.java:5:5:5:15 | next(..).x1 | Nested.java:8:29:8:57 | { ... } | SSA init(next(..).x1) |
 | Nested.java:5:5:5:15 | x1 | Nested.java:5:9:5:14 | x1 | SSA def(x1) |
-| Nested.java:15:5:15:30 | getInt(..).obj | Nested.java:16:22:16:34 | stmt | SSA init(getInt(..).obj) |
-| Nested.java:15:5:15:30 | getInt(..).obj | Nested.java:20:27:20:39 | stmt | SSA init(getInt(..).obj) |
+| Nested.java:15:5:15:30 | getInt(..).obj | Nested.java:16:22:16:34 | { ... } | SSA init(getInt(..).obj) |
+| Nested.java:15:5:15:30 | getInt(..).obj | Nested.java:20:27:20:39 | { ... } | SSA init(getInt(..).obj) |
 | Nested.java:15:5:15:30 | obj | Nested.java:15:12:15:29 | obj | SSA def(obj) |
-| Nested.java:16:5:16:35 | getInt(..).hash | Nested.java:19:27:22:7 | stmt | SSA init(getInt(..).hash) |
+| Nested.java:16:5:16:35 | getInt(..).hash | Nested.java:19:27:22:7 | { ... } | SSA init(getInt(..).hash) |
 | Nested.java:16:5:16:35 | hash | Nested.java:16:15:16:34 | hash | SSA def(hash) |
-| Nested.java:17:5:17:16 | getInt(..).x2 | Nested.java:19:27:22:7 | stmt | SSA init(getInt(..).x2) |
+| Nested.java:17:5:17:16 | getInt(..).x2 | Nested.java:19:27:22:7 | { ... } | SSA init(getInt(..).x2) |
 | Nested.java:17:5:17:16 | x2 | Nested.java:17:9:17:15 | x2 | SSA def(x2) |
 | Nested.java:18:5:23:6 | h2 | Nested.java:18:15:23:5 | h2 | SSA def(h2) |
 | Nested.java:20:9:20:40 | hnest | Nested.java:20:19:20:39 | hnest | SSA def(hnest) |
-| Nested.java:24:5:24:31 | getInt(..).obj2 | Nested.java:30:23:30:36 | stmt | SSA init(getInt(..).obj2) |
+| Nested.java:24:5:24:31 | getInt(..).obj2 | Nested.java:30:23:30:36 | { ... } | SSA init(getInt(..).obj2) |
 | Nested.java:24:5:24:31 | obj2 | Nested.java:24:12:24:30 | obj2 | SSA def(obj2) |
 | Nested.java:24:5:24:31 | obj2 | Nested.java:26:7:26:25 | ...=... | SSA def(obj2) |
 | Nested.java:24:5:24:31 | obj2 | Nested.java:28:7:28:25 | ...=... | SSA def(obj2) |
-| Nested.java:24:5:24:31 | obj2 | Nested.java:30:5:30:37 | stmt | SSA phi(obj2) |
+| Nested.java:24:5:24:31 | obj2 | Nested.java:30:5:30:37 | local variable declaration | SSA phi(obj2) |
 | Nested.java:30:5:30:37 | hash2 | Nested.java:30:15:30:36 | hash2 | SSA def(hash2) |
-| Nested.java:33:21:33:26 | p3 | Nested.java:33:29:42:3 | stmt | SSA init(p3) |
-| Nested.java:34:5:34:11 | getInt(..).x3 | Nested.java:37:20:37:25 | stmt | SSA init(getInt(..).x3) |
-| Nested.java:34:5:34:11 | getInt(..).x3 | Nested.java:40:20:40:25 | stmt | SSA init(getInt(..).x3) |
+| Nested.java:33:21:33:26 | p3 | Nested.java:33:29:42:3 | { ... } | SSA init(p3) |
+| Nested.java:34:5:34:11 | getInt(..).x3 | Nested.java:37:20:37:25 | { ... } | SSA init(getInt(..).x3) |
+| Nested.java:34:5:34:11 | getInt(..).x3 | Nested.java:40:20:40:25 | { ... } | SSA init(getInt(..).x3) |
 | Nested.java:34:5:34:11 | x3 | Nested.java:34:9:34:10 | x3 | SSA def(x3) |
 | Nested.java:34:5:34:11 | x3 | Nested.java:36:7:36:12 | ...=... | SSA def(x3) |
 | Nested.java:34:5:34:11 | x3 | Nested.java:39:7:39:12 | ...=... | SSA def(x3) |
-| Test.java:4:8:4:16 | param | Test.java:4:19:32:2 | stmt | SSA init(param) |
+| Test.java:4:8:4:16 | param | Test.java:4:19:32:2 | { ... } | SSA init(param) |
 | Test.java:4:8:4:16 | param | Test.java:20:10:20:10 | x | SSA phi(param) |
 | Test.java:4:8:4:16 | param | Test.java:21:8:21:14 | ...++ | SSA def(param) |
 | Test.java:6:3:6:12 | x | Test.java:6:7:6:11 | x | SSA def(x) |
 | Test.java:6:3:6:12 | x | Test.java:10:4:10:6 | ...++ | SSA def(x) |
 | Test.java:6:3:6:12 | x | Test.java:11:8:11:10 | ++... | SSA def(x) |
-| Test.java:6:3:6:12 | x | Test.java:19:3:19:3 | stmt | SSA phi(x) |
+| Test.java:6:3:6:12 | x | Test.java:19:3:19:3 | ; | SSA phi(x) |
 | Test.java:6:3:6:12 | x | Test.java:27:19:27:19 | i | SSA phi(x) |
 | Test.java:6:3:6:12 | x | Test.java:28:4:28:9 | ...+=... | SSA def(x) |
 | Test.java:7:3:7:8 | y | Test.java:7:7:7:7 | y | SSA def(y) |
 | Test.java:7:3:7:8 | y | Test.java:11:4:11:10 | ...=... | SSA def(y) |
 | Test.java:7:3:7:8 | y | Test.java:14:4:14:8 | ...=... | SSA def(y) |
 | Test.java:7:3:7:8 | y | Test.java:15:4:15:9 | ...+=... | SSA def(y) |
-| Test.java:7:3:7:8 | y | Test.java:19:3:19:3 | stmt | SSA phi(y) |
+| Test.java:7:3:7:8 | y | Test.java:19:3:19:3 | ; | SSA phi(y) |
 | Test.java:7:3:7:8 | y | Test.java:20:10:20:10 | x | SSA phi(y) |
 | Test.java:7:3:7:8 | y | Test.java:24:4:24:9 | ...-=... | SSA def(y) |
 | Test.java:8:3:8:8 | z | Test.java:8:7:8:7 | z | SSA def(z) |
@@ -91,15 +91,15 @@
 | Test.java:27:8:27:16 | i | Test.java:27:12:27:16 | i | SSA def(i) |
 | Test.java:27:8:27:16 | i | Test.java:27:19:27:19 | i | SSA phi(i) |
 | Test.java:27:8:27:16 | i | Test.java:27:25:27:27 | ...++ | SSA def(i) |
-| TestInstanceOfPattern.java:3:12:3:21 | obj | TestInstanceOfPattern.java:3:24:9:2 | stmt | SSA init(obj) |
+| TestInstanceOfPattern.java:3:12:3:21 | obj | TestInstanceOfPattern.java:3:24:9:2 | { ... } | SSA init(obj) |
 | TestInstanceOfPattern.java:4:22:4:29 | s | TestInstanceOfPattern.java:4:29:4:29 | s | SSA def(s) |
 | TestInstanceOfPattern.java:7:8:7:8 | this.s | TestInstanceOfPattern.java:7:8:7:8 | s | SSA impl upd[untracked](this.s) |
-| TestInstanceOfPattern.java:10:13:10:22 | obj | TestInstanceOfPattern.java:10:25:16:2 | stmt | SSA init(obj) |
+| TestInstanceOfPattern.java:10:13:10:22 | obj | TestInstanceOfPattern.java:10:25:16:2 | { ... } | SSA init(obj) |
 | TestInstanceOfPattern.java:11:24:11:31 | s | TestInstanceOfPattern.java:11:31:11:31 | s | SSA def(s) |
 | TestInstanceOfPattern.java:12:8:12:8 | this.s | TestInstanceOfPattern.java:12:8:12:8 | s | SSA impl upd[untracked](this.s) |
-| TestInstanceOfPattern.java:17:13:17:22 | obj | TestInstanceOfPattern.java:17:25:23:2 | stmt | SSA init(obj) |
+| TestInstanceOfPattern.java:17:13:17:22 | obj | TestInstanceOfPattern.java:17:25:23:2 | { ... } | SSA init(obj) |
 | TestInstanceOfPattern.java:18:22:18:29 | s | TestInstanceOfPattern.java:18:29:18:29 | s | SSA def(s) |
 | TestInstanceOfPattern.java:21:8:21:8 | this.s | TestInstanceOfPattern.java:21:8:21:8 | s | SSA impl upd[untracked](this.s) |
-| TestInstanceOfPattern.java:24:13:24:22 | obj | TestInstanceOfPattern.java:24:25:30:2 | stmt | SSA init(obj) |
+| TestInstanceOfPattern.java:24:13:24:22 | obj | TestInstanceOfPattern.java:24:25:30:2 | { ... } | SSA init(obj) |
 | TestInstanceOfPattern.java:25:22:25:29 | s | TestInstanceOfPattern.java:25:29:25:29 | s | SSA def(s) |
-| TestInstanceOfPattern.java:25:34:25:34 | this.s | TestInstanceOfPattern.java:24:25:30:2 | stmt | SSA init(this.s) |
+| TestInstanceOfPattern.java:25:34:25:34 | this.s | TestInstanceOfPattern.java:24:25:30:2 | { ... } | SSA init(this.s) |
diff --git a/java/ql/test/library-tests/ssa/ssaPhi.expected b/java/ql/test/library-tests/ssa/ssaPhi.expected
index db7e81d98e1..fd9f2902f2e 100644
--- a/java/ql/test/library-tests/ssa/ssaPhi.expected
+++ b/java/ql/test/library-tests/ssa/ssaPhi.expected
@@ -1,22 +1,22 @@
-| Fields.java:13:15:13:16 | this.xs | Fields.java:18:5:18:16 | stmt | Fields.java:14:5:14:9 | upd(...) |
-| Fields.java:13:15:13:16 | this.xs | Fields.java:18:5:18:16 | stmt | Fields.java:17:7:17:11 | upd(...) |
-| Fields.java:24:5:24:28 | f | Fields.java:44:5:44:13 | stmt | Fields.java:24:12:24:27 | f |
-| Fields.java:24:5:24:28 | f | Fields.java:44:5:44:13 | stmt | Fields.java:43:7:43:22 | ...=... |
-| Fields.java:25:15:25:18 | f.xs | Fields.java:44:5:44:13 | stmt | Fields.java:39:5:39:21 | ...=... |
-| Fields.java:25:15:25:18 | f.xs | Fields.java:44:5:44:13 | stmt | Fields.java:43:7:43:22 | ...=... |
-| Fields.java:27:15:27:18 | Fields.stat | Fields.java:44:5:44:13 | stmt | Fields.java:32:5:32:9 | f(...) |
-| Fields.java:27:15:27:18 | Fields.stat | Fields.java:44:5:44:13 | stmt | Fields.java:43:11:43:22 | new Fields(...) |
-| Nested.java:24:5:24:31 | obj2 | Nested.java:30:5:30:37 | stmt | Nested.java:26:7:26:25 | ...=... |
-| Nested.java:24:5:24:31 | obj2 | Nested.java:30:5:30:37 | stmt | Nested.java:28:7:28:25 | ...=... |
-| Test.java:4:8:4:16 | param | Test.java:20:10:20:10 | x | Test.java:4:19:32:2 | stmt |
+| Fields.java:13:15:13:16 | this.xs | Fields.java:18:5:18:16 | ...; | Fields.java:14:5:14:9 | upd(...) |
+| Fields.java:13:15:13:16 | this.xs | Fields.java:18:5:18:16 | ...; | Fields.java:17:7:17:11 | upd(...) |
+| Fields.java:24:5:24:28 | f | Fields.java:44:5:44:13 | ...; | Fields.java:24:12:24:27 | f |
+| Fields.java:24:5:24:28 | f | Fields.java:44:5:44:13 | ...; | Fields.java:43:7:43:22 | ...=... |
+| Fields.java:25:15:25:18 | f.xs | Fields.java:44:5:44:13 | ...; | Fields.java:39:5:39:21 | ...=... |
+| Fields.java:25:15:25:18 | f.xs | Fields.java:44:5:44:13 | ...; | Fields.java:43:7:43:22 | ...=... |
+| Fields.java:27:15:27:18 | Fields.stat | Fields.java:44:5:44:13 | ...; | Fields.java:32:5:32:9 | f(...) |
+| Fields.java:27:15:27:18 | Fields.stat | Fields.java:44:5:44:13 | ...; | Fields.java:43:11:43:22 | new Fields(...) |
+| Nested.java:24:5:24:31 | obj2 | Nested.java:30:5:30:37 | local variable declaration | Nested.java:26:7:26:25 | ...=... |
+| Nested.java:24:5:24:31 | obj2 | Nested.java:30:5:30:37 | local variable declaration | Nested.java:28:7:28:25 | ...=... |
+| Test.java:4:8:4:16 | param | Test.java:20:10:20:10 | x | Test.java:4:19:32:2 | { ... } |
 | Test.java:4:8:4:16 | param | Test.java:20:10:20:10 | x | Test.java:21:8:21:14 | ...++ |
-| Test.java:6:3:6:12 | x | Test.java:19:3:19:3 | stmt | Test.java:6:7:6:11 | x |
-| Test.java:6:3:6:12 | x | Test.java:19:3:19:3 | stmt | Test.java:11:8:11:10 | ++... |
-| Test.java:6:3:6:12 | x | Test.java:27:19:27:19 | i | Test.java:19:3:19:3 | stmt |
+| Test.java:6:3:6:12 | x | Test.java:19:3:19:3 | ; | Test.java:6:7:6:11 | x |
+| Test.java:6:3:6:12 | x | Test.java:19:3:19:3 | ; | Test.java:11:8:11:10 | ++... |
+| Test.java:6:3:6:12 | x | Test.java:27:19:27:19 | i | Test.java:19:3:19:3 | ; |
 | Test.java:6:3:6:12 | x | Test.java:27:19:27:19 | i | Test.java:28:4:28:9 | ...+=... |
-| Test.java:7:3:7:8 | y | Test.java:19:3:19:3 | stmt | Test.java:11:4:11:10 | ...=... |
-| Test.java:7:3:7:8 | y | Test.java:19:3:19:3 | stmt | Test.java:15:4:15:9 | ...+=... |
-| Test.java:7:3:7:8 | y | Test.java:20:10:20:10 | x | Test.java:19:3:19:3 | stmt |
+| Test.java:7:3:7:8 | y | Test.java:19:3:19:3 | ; | Test.java:11:4:11:10 | ...=... |
+| Test.java:7:3:7:8 | y | Test.java:19:3:19:3 | ; | Test.java:15:4:15:9 | ...+=... |
+| Test.java:7:3:7:8 | y | Test.java:20:10:20:10 | x | Test.java:19:3:19:3 | ; |
 | Test.java:7:3:7:8 | y | Test.java:20:10:20:10 | x | Test.java:24:4:24:9 | ...-=... |
 | Test.java:27:8:27:16 | i | Test.java:27:19:27:19 | i | Test.java:27:12:27:16 | i |
 | Test.java:27:8:27:16 | i | Test.java:27:19:27:19 | i | Test.java:27:25:27:27 | ...++ |
diff --git a/java/ql/test/library-tests/ssa/ssaUse.expected b/java/ql/test/library-tests/ssa/ssaUse.expected
index b06f5eaf649..f500ebbaa9c 100644
--- a/java/ql/test/library-tests/ssa/ssaUse.expected
+++ b/java/ql/test/library-tests/ssa/ssaUse.expected
@@ -1,7 +1,7 @@
 | Fields.java:13:5:13:17 | x | Fields.java:15:5:15:10 | ...=... | SSA def(x) | Fields.java:16:9:16:9 | x |
-| Fields.java:13:15:13:16 | this.xs | Fields.java:12:19:21:3 | stmt | SSA init(this.xs) | Fields.java:13:15:13:16 | xs |
+| Fields.java:13:15:13:16 | this.xs | Fields.java:12:19:21:3 | { ... } | SSA init(this.xs) | Fields.java:13:15:13:16 | xs |
 | Fields.java:13:15:13:16 | this.xs | Fields.java:14:5:14:9 | upd(...) | SSA impl upd[nonlocal](this.xs) | Fields.java:15:9:15:10 | xs |
-| Fields.java:13:15:13:16 | this.xs | Fields.java:18:5:18:16 | stmt | SSA phi(this.xs) | Fields.java:18:9:18:15 | this.xs |
+| Fields.java:13:15:13:16 | this.xs | Fields.java:18:5:18:16 | ...; | SSA phi(this.xs) | Fields.java:18:9:18:15 | this.xs |
 | Fields.java:13:15:13:16 | this.xs | Fields.java:19:5:19:19 | ...=... | SSA def(this.xs) | Fields.java:20:9:20:10 | xs |
 | Fields.java:24:5:24:28 | f | Fields.java:24:12:24:27 | f | SSA def(f) | Fields.java:25:15:25:15 | f |
 | Fields.java:24:5:24:28 | f | Fields.java:24:12:24:27 | f | SSA def(f) | Fields.java:29:9:29:9 | f |
@@ -10,17 +10,17 @@
 | Fields.java:24:5:24:28 | f | Fields.java:24:12:24:27 | f | SSA def(f) | Fields.java:37:9:37:9 | f |
 | Fields.java:24:5:24:28 | f | Fields.java:24:12:24:27 | f | SSA def(f) | Fields.java:39:5:39:5 | f |
 | Fields.java:24:5:24:28 | f | Fields.java:24:12:24:27 | f | SSA def(f) | Fields.java:40:9:40:9 | f |
-| Fields.java:24:5:24:28 | f | Fields.java:44:5:44:13 | stmt | SSA phi(f) | Fields.java:44:9:44:9 | f |
-| Fields.java:24:5:24:28 | f | Fields.java:44:5:44:13 | stmt | SSA phi(f) | Fields.java:46:9:46:9 | f |
+| Fields.java:24:5:24:28 | f | Fields.java:44:5:44:13 | ...; | SSA phi(f) | Fields.java:44:9:44:9 | f |
+| Fields.java:24:5:24:28 | f | Fields.java:44:5:44:13 | ...; | SSA phi(f) | Fields.java:46:9:46:9 | f |
 | Fields.java:25:15:25:18 | f.xs | Fields.java:24:12:24:27 | f | SSA impl upd[explicit qualifier](f.xs) | Fields.java:25:15:25:18 | f.xs |
 | Fields.java:25:15:25:18 | f.xs | Fields.java:28:5:28:12 | f(...) | SSA impl upd[nonlocal](f.xs) | Fields.java:29:9:29:12 | f.xs |
 | Fields.java:25:15:25:18 | f.xs | Fields.java:32:5:32:9 | f(...) | SSA impl upd[nonlocal](f.xs) | Fields.java:33:9:33:12 | f.xs |
 | Fields.java:25:15:25:18 | f.xs | Fields.java:32:5:32:9 | f(...) | SSA impl upd[nonlocal](f.xs) | Fields.java:37:9:37:12 | f.xs |
 | Fields.java:25:15:25:18 | f.xs | Fields.java:39:5:39:21 | ...=... | SSA def(f.xs) | Fields.java:40:9:40:12 | f.xs |
-| Fields.java:25:15:25:18 | f.xs | Fields.java:44:5:44:13 | stmt | SSA phi(f.xs) | Fields.java:44:9:44:12 | f.xs |
-| Fields.java:25:15:25:18 | f.xs | Fields.java:44:5:44:13 | stmt | SSA phi(f.xs) | Fields.java:46:9:46:12 | f.xs |
+| Fields.java:25:15:25:18 | f.xs | Fields.java:44:5:44:13 | ...; | SSA phi(f.xs) | Fields.java:44:9:44:12 | f.xs |
+| Fields.java:25:15:25:18 | f.xs | Fields.java:44:5:44:13 | ...; | SSA phi(f.xs) | Fields.java:46:9:46:12 | f.xs |
 | Fields.java:26:5:26:17 | z | Fields.java:41:5:41:10 | ...=... | SSA def(z) | Fields.java:42:9:42:9 | z |
-| Fields.java:26:15:26:16 | this.xs | Fields.java:23:19:49:3 | stmt | SSA init(this.xs) | Fields.java:26:15:26:16 | xs |
+| Fields.java:26:15:26:16 | this.xs | Fields.java:23:19:49:3 | { ... } | SSA init(this.xs) | Fields.java:26:15:26:16 | xs |
 | Fields.java:26:15:26:16 | this.xs | Fields.java:28:5:28:12 | f(...) | SSA impl upd[nonlocal](this.xs) | Fields.java:30:9:30:10 | xs |
 | Fields.java:26:15:26:16 | this.xs | Fields.java:32:5:32:9 | f(...) | SSA impl upd[nonlocal](this.xs) | Fields.java:34:9:34:10 | xs |
 | Fields.java:26:15:26:16 | this.xs | Fields.java:36:5:36:19 | ...=... | SSA def(this.xs) | Fields.java:38:9:38:10 | xs |
@@ -30,25 +30,25 @@
 | Fields.java:27:15:27:18 | Fields.stat | Fields.java:28:5:28:12 | f(...) | SSA impl upd[nonlocal](Fields.stat) | Fields.java:31:9:31:12 | stat |
 | Fields.java:27:15:27:18 | Fields.stat | Fields.java:32:5:32:9 | f(...) | SSA impl upd[nonlocal](Fields.stat) | Fields.java:35:9:35:12 | stat |
 | Fields.java:27:15:27:18 | Fields.stat | Fields.java:45:5:45:16 | new Fields(...) | SSA impl upd[nonlocal](Fields.stat) | Fields.java:48:9:48:12 | stat |
-| Nested.java:4:26:4:31 | next(..).p1 | Nested.java:8:29:8:57 | stmt | SSA init(next(..).p1) | Nested.java:8:38:8:39 | p1 |
-| Nested.java:5:5:5:15 | next(..).x1 | Nested.java:8:29:8:57 | stmt | SSA init(next(..).x1) | Nested.java:8:43:8:44 | x1 |
-| Nested.java:5:5:5:15 | next(..).x1 | Nested.java:8:29:8:57 | stmt | SSA init(next(..).x1) | Nested.java:8:48:8:49 | x1 |
-| Nested.java:5:5:5:15 | next(..).x1 | Nested.java:8:29:8:57 | stmt | SSA init(next(..).x1) | Nested.java:8:53:8:54 | x1 |
-| Nested.java:15:5:15:30 | getInt(..).obj | Nested.java:16:22:16:34 | stmt | SSA init(getInt(..).obj) | Nested.java:16:22:16:24 | obj |
-| Nested.java:15:5:15:30 | getInt(..).obj | Nested.java:20:27:20:39 | stmt | SSA init(getInt(..).obj) | Nested.java:20:27:20:29 | obj |
-| Nested.java:16:5:16:35 | getInt(..).hash | Nested.java:19:27:22:7 | stmt | SSA init(getInt(..).hash) | Nested.java:21:21:21:24 | hash |
-| Nested.java:17:5:17:16 | getInt(..).x2 | Nested.java:19:27:22:7 | stmt | SSA init(getInt(..).x2) | Nested.java:21:16:21:17 | x2 |
+| Nested.java:4:26:4:31 | next(..).p1 | Nested.java:8:29:8:57 | { ... } | SSA init(next(..).p1) | Nested.java:8:38:8:39 | p1 |
+| Nested.java:5:5:5:15 | next(..).x1 | Nested.java:8:29:8:57 | { ... } | SSA init(next(..).x1) | Nested.java:8:43:8:44 | x1 |
+| Nested.java:5:5:5:15 | next(..).x1 | Nested.java:8:29:8:57 | { ... } | SSA init(next(..).x1) | Nested.java:8:48:8:49 | x1 |
+| Nested.java:5:5:5:15 | next(..).x1 | Nested.java:8:29:8:57 | { ... } | SSA init(next(..).x1) | Nested.java:8:53:8:54 | x1 |
+| Nested.java:15:5:15:30 | getInt(..).obj | Nested.java:16:22:16:34 | { ... } | SSA init(getInt(..).obj) | Nested.java:16:22:16:24 | obj |
+| Nested.java:15:5:15:30 | getInt(..).obj | Nested.java:20:27:20:39 | { ... } | SSA init(getInt(..).obj) | Nested.java:20:27:20:29 | obj |
+| Nested.java:16:5:16:35 | getInt(..).hash | Nested.java:19:27:22:7 | { ... } | SSA init(getInt(..).hash) | Nested.java:21:21:21:24 | hash |
+| Nested.java:17:5:17:16 | getInt(..).x2 | Nested.java:19:27:22:7 | { ... } | SSA init(getInt(..).x2) | Nested.java:21:16:21:17 | x2 |
 | Nested.java:18:5:23:6 | h2 | Nested.java:18:15:23:5 | h2 | SSA def(h2) | Nested.java:25:9:25:10 | h2 |
 | Nested.java:20:9:20:40 | hnest | Nested.java:20:19:20:39 | hnest | SSA def(hnest) | Nested.java:21:37:21:41 | hnest |
-| Nested.java:24:5:24:31 | getInt(..).obj2 | Nested.java:30:23:30:36 | stmt | SSA init(getInt(..).obj2) | Nested.java:30:23:30:26 | obj2 |
-| Nested.java:33:21:33:26 | p3 | Nested.java:33:29:42:3 | stmt | SSA init(p3) | Nested.java:35:9:35:10 | p3 |
-| Nested.java:34:5:34:11 | getInt(..).x3 | Nested.java:37:20:37:25 | stmt | SSA init(getInt(..).x3) | Nested.java:37:20:37:21 | x3 |
-| Nested.java:34:5:34:11 | getInt(..).x3 | Nested.java:40:20:40:25 | stmt | SSA init(getInt(..).x3) | Nested.java:40:20:40:21 | x3 |
-| Test.java:4:8:4:16 | param | Test.java:4:19:32:2 | stmt | SSA init(param) | Test.java:9:7:9:11 | param |
+| Nested.java:24:5:24:31 | getInt(..).obj2 | Nested.java:30:23:30:36 | { ... } | SSA init(getInt(..).obj2) | Nested.java:30:23:30:26 | obj2 |
+| Nested.java:33:21:33:26 | p3 | Nested.java:33:29:42:3 | { ... } | SSA init(p3) | Nested.java:35:9:35:10 | p3 |
+| Nested.java:34:5:34:11 | getInt(..).x3 | Nested.java:37:20:37:25 | { ... } | SSA init(getInt(..).x3) | Nested.java:37:20:37:21 | x3 |
+| Nested.java:34:5:34:11 | getInt(..).x3 | Nested.java:40:20:40:25 | { ... } | SSA init(getInt(..).x3) | Nested.java:40:20:40:21 | x3 |
+| Test.java:4:8:4:16 | param | Test.java:4:19:32:2 | { ... } | SSA init(param) | Test.java:9:7:9:11 | param |
 | Test.java:4:8:4:16 | param | Test.java:20:10:20:10 | x | SSA phi(param) | Test.java:21:8:21:12 | param |
 | Test.java:6:3:6:12 | x | Test.java:6:7:6:11 | x | SSA def(x) | Test.java:10:4:10:4 | x |
 | Test.java:6:3:6:12 | x | Test.java:10:4:10:6 | ...++ | SSA def(x) | Test.java:11:10:11:10 | x |
-| Test.java:6:3:6:12 | x | Test.java:19:3:19:3 | stmt | SSA phi(x) | Test.java:20:10:20:10 | x |
+| Test.java:6:3:6:12 | x | Test.java:19:3:19:3 | ; | SSA phi(x) | Test.java:20:10:20:10 | x |
 | Test.java:6:3:6:12 | x | Test.java:27:19:27:19 | i | SSA phi(x) | Test.java:28:4:28:4 | x |
 | Test.java:6:3:6:12 | x | Test.java:27:19:27:19 | i | SSA phi(x) | Test.java:31:10:31:10 | x |
 | Test.java:7:3:7:8 | y | Test.java:14:4:14:8 | ...=... | SSA def(y) | Test.java:15:4:15:4 | y |
@@ -58,17 +58,17 @@
 | Test.java:27:8:27:16 | i | Test.java:27:19:27:19 | i | SSA phi(i) | Test.java:27:19:27:19 | i |
 | Test.java:27:8:27:16 | i | Test.java:27:19:27:19 | i | SSA phi(i) | Test.java:27:25:27:25 | i |
 | Test.java:27:8:27:16 | i | Test.java:27:19:27:19 | i | SSA phi(i) | Test.java:28:9:28:9 | i |
-| TestInstanceOfPattern.java:3:12:3:21 | obj | TestInstanceOfPattern.java:3:24:9:2 | stmt | SSA init(obj) | TestInstanceOfPattern.java:4:7:4:9 | obj |
+| TestInstanceOfPattern.java:3:12:3:21 | obj | TestInstanceOfPattern.java:3:24:9:2 | { ... } | SSA init(obj) | TestInstanceOfPattern.java:4:7:4:9 | obj |
 | TestInstanceOfPattern.java:4:22:4:29 | s | TestInstanceOfPattern.java:4:29:4:29 | s | SSA def(s) | TestInstanceOfPattern.java:5:8:5:8 | s |
 | TestInstanceOfPattern.java:7:8:7:8 | this.s | TestInstanceOfPattern.java:7:8:7:8 | s | SSA impl upd[untracked](this.s) | TestInstanceOfPattern.java:7:8:7:8 | s |
-| TestInstanceOfPattern.java:10:13:10:22 | obj | TestInstanceOfPattern.java:10:25:16:2 | stmt | SSA init(obj) | TestInstanceOfPattern.java:11:9:11:11 | obj |
+| TestInstanceOfPattern.java:10:13:10:22 | obj | TestInstanceOfPattern.java:10:25:16:2 | { ... } | SSA init(obj) | TestInstanceOfPattern.java:11:9:11:11 | obj |
 | TestInstanceOfPattern.java:11:24:11:31 | s | TestInstanceOfPattern.java:11:31:11:31 | s | SSA def(s) | TestInstanceOfPattern.java:14:8:14:8 | s |
 | TestInstanceOfPattern.java:12:8:12:8 | this.s | TestInstanceOfPattern.java:12:8:12:8 | s | SSA impl upd[untracked](this.s) | TestInstanceOfPattern.java:12:8:12:8 | s |
-| TestInstanceOfPattern.java:17:13:17:22 | obj | TestInstanceOfPattern.java:17:25:23:2 | stmt | SSA init(obj) | TestInstanceOfPattern.java:18:7:18:9 | obj |
+| TestInstanceOfPattern.java:17:13:17:22 | obj | TestInstanceOfPattern.java:17:25:23:2 | { ... } | SSA init(obj) | TestInstanceOfPattern.java:18:7:18:9 | obj |
 | TestInstanceOfPattern.java:18:22:18:29 | s | TestInstanceOfPattern.java:18:29:18:29 | s | SSA def(s) | TestInstanceOfPattern.java:18:34:18:34 | s |
 | TestInstanceOfPattern.java:18:22:18:29 | s | TestInstanceOfPattern.java:18:29:18:29 | s | SSA def(s) | TestInstanceOfPattern.java:19:8:19:8 | s |
 | TestInstanceOfPattern.java:21:8:21:8 | this.s | TestInstanceOfPattern.java:21:8:21:8 | s | SSA impl upd[untracked](this.s) | TestInstanceOfPattern.java:21:8:21:8 | s |
-| TestInstanceOfPattern.java:24:13:24:22 | obj | TestInstanceOfPattern.java:24:25:30:2 | stmt | SSA init(obj) | TestInstanceOfPattern.java:25:7:25:9 | obj |
-| TestInstanceOfPattern.java:25:34:25:34 | this.s | TestInstanceOfPattern.java:24:25:30:2 | stmt | SSA init(this.s) | TestInstanceOfPattern.java:25:34:25:34 | s |
-| TestInstanceOfPattern.java:25:34:25:34 | this.s | TestInstanceOfPattern.java:24:25:30:2 | stmt | SSA init(this.s) | TestInstanceOfPattern.java:26:8:26:8 | s |
-| TestInstanceOfPattern.java:25:34:25:34 | this.s | TestInstanceOfPattern.java:24:25:30:2 | stmt | SSA init(this.s) | TestInstanceOfPattern.java:28:8:28:8 | s |
+| TestInstanceOfPattern.java:24:13:24:22 | obj | TestInstanceOfPattern.java:24:25:30:2 | { ... } | SSA init(obj) | TestInstanceOfPattern.java:25:7:25:9 | obj |
+| TestInstanceOfPattern.java:25:34:25:34 | this.s | TestInstanceOfPattern.java:24:25:30:2 | { ... } | SSA init(this.s) | TestInstanceOfPattern.java:25:34:25:34 | s |
+| TestInstanceOfPattern.java:25:34:25:34 | this.s | TestInstanceOfPattern.java:24:25:30:2 | { ... } | SSA init(this.s) | TestInstanceOfPattern.java:26:8:26:8 | s |
+| TestInstanceOfPattern.java:25:34:25:34 | this.s | TestInstanceOfPattern.java:24:25:30:2 | { ... } | SSA init(this.s) | TestInstanceOfPattern.java:28:8:28:8 | s |
diff --git a/java/ql/test/library-tests/stmts/JumpTargets.expected b/java/ql/test/library-tests/stmts/JumpTargets.expected
index 1718522d99c..c05796398e3 100644
--- a/java/ql/test/library-tests/stmts/JumpTargets.expected
+++ b/java/ql/test/library-tests/stmts/JumpTargets.expected
@@ -1,9 +1,9 @@
-| stmts/B.java:8:5:8:10 | stmt | stmts/B.java:6:3:6:26 | stmt |
-| stmts/B.java:10:5:10:13 | stmt | stmts/B.java:6:3:6:26 | stmt |
-| stmts/B.java:13:6:13:11 | stmt | stmts/B.java:11:4:11:17 | stmt |
-| stmts/B.java:15:6:15:17 | stmt | stmts/B.java:6:3:6:26 | stmt |
-| stmts/B.java:17:6:17:14 | stmt | stmts/B.java:11:4:11:17 | stmt |
-| stmts/B.java:19:6:19:20 | stmt | stmts/B.java:6:3:6:26 | stmt |
-| stmts/B.java:22:6:22:11 | stmt | stmts/B.java:20:5:20:14 | stmt |
-| stmts/B.java:24:6:24:17 | stmt | stmts/B.java:6:3:6:26 | stmt |
-| stmts/B.java:26:6:26:14 | stmt | stmts/B.java:11:4:11:17 | stmt |
\ No newline at end of file
+| stmts/B.java:8:5:8:10 | break | stmts/B.java:6:3:6:26 | for (...) |
+| stmts/B.java:10:5:10:13 | continue | stmts/B.java:6:3:6:26 | for (...) |
+| stmts/B.java:13:6:13:11 | break | stmts/B.java:11:4:11:17 | while (...) |
+| stmts/B.java:15:6:15:17 | break | stmts/B.java:6:3:6:26 | for (...) |
+| stmts/B.java:17:6:17:14 | continue | stmts/B.java:11:4:11:17 | while (...) |
+| stmts/B.java:19:6:19:20 | continue | stmts/B.java:6:3:6:26 | for (...) |
+| stmts/B.java:22:6:22:11 | break | stmts/B.java:20:5:20:14 | switch (...) |
+| stmts/B.java:24:6:24:17 | break | stmts/B.java:6:3:6:26 | for (...) |
+| stmts/B.java:26:6:26:14 | continue | stmts/B.java:11:4:11:17 | while (...) |
diff --git a/java/ql/test/library-tests/stmts/SwitchCases.expected b/java/ql/test/library-tests/stmts/SwitchCases.expected
index 9bbb5fe61bf..e10bb74d654 100644
--- a/java/ql/test/library-tests/stmts/SwitchCases.expected
+++ b/java/ql/test/library-tests/stmts/SwitchCases.expected
@@ -1,6 +1,6 @@
-| stmts/A.java:6:3:6:10 | stmt |
-| stmts/A.java:8:3:8:10 | stmt |
-| stmts/A.java:10:3:10:10 | stmt |
-| stmts/B.java:21:5:21:12 | stmt |
-| stmts/B.java:23:5:23:12 | stmt |
-| stmts/B.java:25:5:25:12 | stmt |
\ No newline at end of file
+| stmts/A.java:6:3:6:10 | case ... |
+| stmts/A.java:8:3:8:10 | case ... |
+| stmts/A.java:10:3:10:10 | default |
+| stmts/B.java:21:5:21:12 | case ... |
+| stmts/B.java:23:5:23:12 | case ... |
+| stmts/B.java:25:5:25:12 | case ... |
diff --git a/java/ql/test/library-tests/successors/CloseReaderTest/TestSucc.expected b/java/ql/test/library-tests/successors/CloseReaderTest/TestSucc.expected
index b5b5f262f47..2e465783264 100644
--- a/java/ql/test/library-tests/successors/CloseReaderTest/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/CloseReaderTest/TestSucc.expected
@@ -1,30 +1,30 @@
-| CloseReaderTest.java:8:14:8:28 | stmt | CloseReaderTest.java:8:14:8:28 | super(...) |
 | CloseReaderTest.java:8:14:8:28 | super(...) | CloseReaderTest.java:8:14:8:28 | CloseReaderTest |
-| CloseReaderTest.java:10:2:24:2 | stmt | CloseReaderTest.java:12:3:13:42 | stmt |
+| CloseReaderTest.java:8:14:8:28 | { ... } | CloseReaderTest.java:8:14:8:28 | super(...) |
+| CloseReaderTest.java:10:2:24:2 | { ... } | CloseReaderTest.java:12:3:13:42 | ...; |
 | CloseReaderTest.java:12:3:12:12 | System.out | CloseReaderTest.java:12:20:12:40 | "Enter password for " |
-| CloseReaderTest.java:12:3:13:41 | print(...) | CloseReaderTest.java:14:3:14:21 | stmt |
-| CloseReaderTest.java:12:3:13:42 | stmt | CloseReaderTest.java:12:3:12:12 | System.out |
+| CloseReaderTest.java:12:3:13:41 | print(...) | CloseReaderTest.java:14:3:14:21 | ...; |
+| CloseReaderTest.java:12:3:13:42 | ...; | CloseReaderTest.java:12:3:12:12 | System.out |
 | CloseReaderTest.java:12:20:12:40 | "Enter password for " | CloseReaderTest.java:12:44:12:50 | keyFile |
 | CloseReaderTest.java:12:20:12:50 | ... + ... | CloseReaderTest.java:13:7:13:40 | " (password will not be hidden): " |
 | CloseReaderTest.java:12:20:13:40 | ... + ... | CloseReaderTest.java:12:3:13:41 | print(...) |
 | CloseReaderTest.java:12:44:12:50 | keyFile | CloseReaderTest.java:12:20:12:50 | ... + ... |
 | CloseReaderTest.java:13:7:13:40 | " (password will not be hidden): " | CloseReaderTest.java:12:20:13:40 | ... + ... |
 | CloseReaderTest.java:14:3:14:12 | System.out | CloseReaderTest.java:14:3:14:20 | flush(...) |
-| CloseReaderTest.java:14:3:14:20 | flush(...) | CloseReaderTest.java:15:3:16:16 | stmt |
-| CloseReaderTest.java:14:3:14:21 | stmt | CloseReaderTest.java:14:3:14:12 | System.out |
-| CloseReaderTest.java:15:3:16:16 | stmt | CloseReaderTest.java:16:5:16:13 | System.in |
-| CloseReaderTest.java:15:18:16:15 | stdin | CloseReaderTest.java:17:3:23:3 | stmt |
+| CloseReaderTest.java:14:3:14:20 | flush(...) | CloseReaderTest.java:15:3:16:16 | local variable declaration |
+| CloseReaderTest.java:14:3:14:21 | ...; | CloseReaderTest.java:14:3:14:12 | System.out |
+| CloseReaderTest.java:15:3:16:16 | local variable declaration | CloseReaderTest.java:16:5:16:13 | System.in |
+| CloseReaderTest.java:15:18:16:15 | stdin | CloseReaderTest.java:17:3:23:3 | try ... |
 | CloseReaderTest.java:15:26:16:15 | new BufferedReader(...) | CloseReaderTest.java:15:18:16:15 | stdin |
 | CloseReaderTest.java:15:45:16:14 | new InputStreamReader(...) | CloseReaderTest.java:15:26:16:15 | new BufferedReader(...) |
 | CloseReaderTest.java:16:5:16:13 | System.in | CloseReaderTest.java:15:45:16:14 | new InputStreamReader(...) |
-| CloseReaderTest.java:17:3:23:3 | stmt | CloseReaderTest.java:18:3:20:3 | stmt |
-| CloseReaderTest.java:18:3:20:3 | stmt | CloseReaderTest.java:19:11:19:15 | stdin |
-| CloseReaderTest.java:19:4:19:27 | stmt | CloseReaderTest.java:9:23:9:34 | readPassword |
+| CloseReaderTest.java:17:3:23:3 | try ... | CloseReaderTest.java:18:3:20:3 | { ... } |
+| CloseReaderTest.java:18:3:20:3 | { ... } | CloseReaderTest.java:19:11:19:15 | stdin |
+| CloseReaderTest.java:19:4:19:27 | return ... | CloseReaderTest.java:9:23:9:34 | readPassword |
 | CloseReaderTest.java:19:11:19:15 | stdin | CloseReaderTest.java:19:11:19:26 | readLine(...) |
-| CloseReaderTest.java:19:11:19:26 | readLine(...) | CloseReaderTest.java:19:4:19:27 | stmt |
-| CloseReaderTest.java:19:11:19:26 | readLine(...) | CloseReaderTest.java:20:5:20:26 | stmt |
-| CloseReaderTest.java:20:5:20:26 | stmt | CloseReaderTest.java:20:24:20:25 | ex |
-| CloseReaderTest.java:20:24:20:25 | ex | CloseReaderTest.java:21:3:23:3 | stmt |
-| CloseReaderTest.java:21:3:23:3 | stmt | CloseReaderTest.java:22:11:22:14 | null |
-| CloseReaderTest.java:22:4:22:15 | stmt | CloseReaderTest.java:9:23:9:34 | readPassword |
-| CloseReaderTest.java:22:11:22:14 | null | CloseReaderTest.java:22:4:22:15 | stmt |
+| CloseReaderTest.java:19:11:19:26 | readLine(...) | CloseReaderTest.java:19:4:19:27 | return ... |
+| CloseReaderTest.java:19:11:19:26 | readLine(...) | CloseReaderTest.java:20:5:20:26 | catch (...) |
+| CloseReaderTest.java:20:5:20:26 | catch (...) | CloseReaderTest.java:20:24:20:25 | ex |
+| CloseReaderTest.java:20:24:20:25 | ex | CloseReaderTest.java:21:3:23:3 | { ... } |
+| CloseReaderTest.java:21:3:23:3 | { ... } | CloseReaderTest.java:22:11:22:14 | null |
+| CloseReaderTest.java:22:4:22:15 | return ... | CloseReaderTest.java:9:23:9:34 | readPassword |
+| CloseReaderTest.java:22:11:22:14 | null | CloseReaderTest.java:22:4:22:15 | return ... |
diff --git a/java/ql/test/library-tests/successors/LoopVarReadTest/FalseSuccessors.expected b/java/ql/test/library-tests/successors/LoopVarReadTest/FalseSuccessors.expected
index 3b2f6de1c72..5452af82eb5 100644
--- a/java/ql/test/library-tests/successors/LoopVarReadTest/FalseSuccessors.expected
+++ b/java/ql/test/library-tests/successors/LoopVarReadTest/FalseSuccessors.expected
@@ -1 +1 @@
-| LoopVarReadTest.java:7:19:7:24 | ... < ... | LoopVarReadTest.java:12:3:12:13 | stmt |
+| LoopVarReadTest.java:7:19:7:24 | ... < ... | LoopVarReadTest.java:12:3:12:13 | local variable declaration |
diff --git a/java/ql/test/library-tests/successors/LoopVarReadTest/TestSucc.expected b/java/ql/test/library-tests/successors/LoopVarReadTest/TestSucc.expected
index f03586c25e8..a9e30fb2b7e 100644
--- a/java/ql/test/library-tests/successors/LoopVarReadTest/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/LoopVarReadTest/TestSucc.expected
@@ -1,28 +1,28 @@
-| LoopVarReadTest.java:3:14:3:28 | stmt | LoopVarReadTest.java:3:14:3:28 | super(...) |
 | LoopVarReadTest.java:3:14:3:28 | super(...) | LoopVarReadTest.java:3:14:3:28 | LoopVarReadTest |
-| LoopVarReadTest.java:5:2:15:2 | stmt | LoopVarReadTest.java:6:3:6:12 | stmt |
-| LoopVarReadTest.java:6:3:6:12 | stmt | LoopVarReadTest.java:6:11:6:11 | 2 |
-| LoopVarReadTest.java:6:7:6:11 | x | LoopVarReadTest.java:7:3:7:33 | stmt |
+| LoopVarReadTest.java:3:14:3:28 | { ... } | LoopVarReadTest.java:3:14:3:28 | super(...) |
+| LoopVarReadTest.java:5:2:15:2 | { ... } | LoopVarReadTest.java:6:3:6:12 | local variable declaration |
+| LoopVarReadTest.java:6:3:6:12 | local variable declaration | LoopVarReadTest.java:6:11:6:11 | 2 |
+| LoopVarReadTest.java:6:7:6:11 | x | LoopVarReadTest.java:7:3:7:33 | for (...) |
 | LoopVarReadTest.java:6:11:6:11 | 2 | LoopVarReadTest.java:6:7:6:11 | x |
-| LoopVarReadTest.java:7:3:7:33 | stmt | LoopVarReadTest.java:7:16:7:16 | 0 |
+| LoopVarReadTest.java:7:3:7:33 | for (...) | LoopVarReadTest.java:7:16:7:16 | 0 |
 | LoopVarReadTest.java:7:12:7:16 | y | LoopVarReadTest.java:7:19:7:19 | y |
 | LoopVarReadTest.java:7:16:7:16 | 0 | LoopVarReadTest.java:7:12:7:16 | y |
 | LoopVarReadTest.java:7:19:7:19 | y | LoopVarReadTest.java:7:23:7:24 | 10 |
-| LoopVarReadTest.java:7:19:7:24 | ... < ... | LoopVarReadTest.java:8:3:10:3 | stmt |
-| LoopVarReadTest.java:7:19:7:24 | ... < ... | LoopVarReadTest.java:12:3:12:13 | stmt |
+| LoopVarReadTest.java:7:19:7:24 | ... < ... | LoopVarReadTest.java:8:3:10:3 | { ... } |
+| LoopVarReadTest.java:7:19:7:24 | ... < ... | LoopVarReadTest.java:12:3:12:13 | local variable declaration |
 | LoopVarReadTest.java:7:23:7:24 | 10 | LoopVarReadTest.java:7:19:7:24 | ... < ... |
 | LoopVarReadTest.java:7:27:7:27 | y | LoopVarReadTest.java:7:32:7:32 | x |
 | LoopVarReadTest.java:7:27:7:32 | ...+=... | LoopVarReadTest.java:7:19:7:19 | y |
 | LoopVarReadTest.java:7:32:7:32 | x | LoopVarReadTest.java:7:27:7:32 | ...+=... |
-| LoopVarReadTest.java:8:3:10:3 | stmt | LoopVarReadTest.java:9:4:9:29 | stmt |
+| LoopVarReadTest.java:8:3:10:3 | { ... } | LoopVarReadTest.java:9:4:9:29 | ...; |
 | LoopVarReadTest.java:9:4:9:13 | System.out | LoopVarReadTest.java:9:23:9:27 | "Foo" |
 | LoopVarReadTest.java:9:4:9:28 | println(...) | LoopVarReadTest.java:7:27:7:27 | y |
-| LoopVarReadTest.java:9:4:9:29 | stmt | LoopVarReadTest.java:9:4:9:13 | System.out |
+| LoopVarReadTest.java:9:4:9:29 | ...; | LoopVarReadTest.java:9:4:9:13 | System.out |
 | LoopVarReadTest.java:9:23:9:27 | "Foo" | LoopVarReadTest.java:9:4:9:28 | println(...) |
-| LoopVarReadTest.java:12:3:12:13 | stmt | LoopVarReadTest.java:12:11:12:12 | 10 |
-| LoopVarReadTest.java:12:7:12:12 | q | LoopVarReadTest.java:14:3:14:28 | stmt |
+| LoopVarReadTest.java:12:3:12:13 | local variable declaration | LoopVarReadTest.java:12:11:12:12 | 10 |
+| LoopVarReadTest.java:12:7:12:12 | q | LoopVarReadTest.java:14:3:14:28 | ...; |
 | LoopVarReadTest.java:12:11:12:12 | 10 | LoopVarReadTest.java:12:7:12:12 | q |
 | LoopVarReadTest.java:14:3:14:12 | System.out | LoopVarReadTest.java:14:22:14:26 | "foo" |
 | LoopVarReadTest.java:14:3:14:27 | println(...) | LoopVarReadTest.java:4:21:4:28 | testLoop |
-| LoopVarReadTest.java:14:3:14:28 | stmt | LoopVarReadTest.java:14:3:14:12 | System.out |
+| LoopVarReadTest.java:14:3:14:28 | ...; | LoopVarReadTest.java:14:3:14:12 | System.out |
 | LoopVarReadTest.java:14:22:14:26 | "foo" | LoopVarReadTest.java:14:3:14:27 | println(...) |
diff --git a/java/ql/test/library-tests/successors/SaveFileTest/FalseSuccessors.expected b/java/ql/test/library-tests/successors/SaveFileTest/FalseSuccessors.expected
index 9a8ca853b27..b51304c1866 100644
--- a/java/ql/test/library-tests/successors/SaveFileTest/FalseSuccessors.expected
+++ b/java/ql/test/library-tests/successors/SaveFileTest/FalseSuccessors.expected
@@ -1,2 +1,2 @@
-| SaveFileTest.java:18:7:18:26 | startsWith(...) | SaveFileTest.java:24:3:24:33 | stmt |
-| SaveFileTest.java:34:11:34:54 | ... != ... | SaveFileTest.java:39:4:40:41 | stmt |
+| SaveFileTest.java:18:7:18:26 | startsWith(...) | SaveFileTest.java:24:3:24:33 | local variable declaration |
+| SaveFileTest.java:34:11:34:54 | ... != ... | SaveFileTest.java:39:4:40:41 | ...; |
diff --git a/java/ql/test/library-tests/successors/SaveFileTest/TestSucc.expected b/java/ql/test/library-tests/successors/SaveFileTest/TestSucc.expected
index fe6dc51a0c9..3e4ca761fd1 100644
--- a/java/ql/test/library-tests/successors/SaveFileTest/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/SaveFileTest/TestSucc.expected
@@ -1,26 +1,26 @@
-| SaveFileTest.java:11:14:11:25 | stmt | SaveFileTest.java:11:14:11:25 | super(...) |
 | SaveFileTest.java:11:14:11:25 | super(...) | SaveFileTest.java:11:14:11:25 | SaveFileTest |
-| SaveFileTest.java:15:2:55:2 | stmt | SaveFileTest.java:17:3:17:25 | stmt |
-| SaveFileTest.java:17:3:17:25 | stmt | SaveFileTest.java:17:21:17:24 | path |
-| SaveFileTest.java:17:10:17:24 | savePath | SaveFileTest.java:18:3:18:27 | stmt |
+| SaveFileTest.java:11:14:11:25 | { ... } | SaveFileTest.java:11:14:11:25 | super(...) |
+| SaveFileTest.java:15:2:55:2 | { ... } | SaveFileTest.java:17:3:17:25 | local variable declaration |
+| SaveFileTest.java:17:3:17:25 | local variable declaration | SaveFileTest.java:17:21:17:24 | path |
+| SaveFileTest.java:17:10:17:24 | savePath | SaveFileTest.java:18:3:18:27 | if (...) |
 | SaveFileTest.java:17:21:17:24 | path | SaveFileTest.java:17:10:17:24 | savePath |
-| SaveFileTest.java:18:3:18:27 | stmt | SaveFileTest.java:18:7:18:10 | path |
+| SaveFileTest.java:18:3:18:27 | if (...) | SaveFileTest.java:18:7:18:10 | path |
 | SaveFileTest.java:18:7:18:10 | path | SaveFileTest.java:18:23:18:25 | "/" |
-| SaveFileTest.java:18:7:18:26 | startsWith(...) | SaveFileTest.java:19:3:21:3 | stmt |
-| SaveFileTest.java:18:7:18:26 | startsWith(...) | SaveFileTest.java:24:3:24:33 | stmt |
+| SaveFileTest.java:18:7:18:26 | startsWith(...) | SaveFileTest.java:19:3:21:3 | { ... } |
+| SaveFileTest.java:18:7:18:26 | startsWith(...) | SaveFileTest.java:24:3:24:33 | local variable declaration |
 | SaveFileTest.java:18:23:18:25 | "/" | SaveFileTest.java:18:7:18:26 | startsWith(...) |
-| SaveFileTest.java:19:3:21:3 | stmt | SaveFileTest.java:20:4:20:32 | stmt |
-| SaveFileTest.java:20:4:20:31 | ...=... | SaveFileTest.java:24:3:24:33 | stmt |
-| SaveFileTest.java:20:4:20:32 | stmt | SaveFileTest.java:20:15:20:18 | path |
+| SaveFileTest.java:19:3:21:3 | { ... } | SaveFileTest.java:20:4:20:32 | ...; |
+| SaveFileTest.java:20:4:20:31 | ...=... | SaveFileTest.java:24:3:24:33 | local variable declaration |
+| SaveFileTest.java:20:4:20:32 | ...; | SaveFileTest.java:20:15:20:18 | path |
 | SaveFileTest.java:20:15:20:18 | path | SaveFileTest.java:20:30:20:30 | 1 |
 | SaveFileTest.java:20:15:20:31 | substring(...) | SaveFileTest.java:20:4:20:31 | ...=... |
 | SaveFileTest.java:20:30:20:30 | 1 | SaveFileTest.java:20:15:20:31 | substring(...) |
-| SaveFileTest.java:24:3:24:33 | stmt | SaveFileTest.java:24:27:24:31 | "foo" |
-| SaveFileTest.java:24:8:24:32 | dirPath | SaveFileTest.java:25:3:26:16 | stmt |
+| SaveFileTest.java:24:3:24:33 | local variable declaration | SaveFileTest.java:24:27:24:31 | "foo" |
+| SaveFileTest.java:24:8:24:32 | dirPath | SaveFileTest.java:25:3:26:16 | local variable declaration |
 | SaveFileTest.java:24:18:24:32 | new File(...) | SaveFileTest.java:24:8:24:32 | dirPath |
 | SaveFileTest.java:24:27:24:31 | "foo" | SaveFileTest.java:24:18:24:32 | new File(...) |
-| SaveFileTest.java:25:3:26:16 | stmt | SaveFileTest.java:25:28:25:34 | dirPath |
-| SaveFileTest.java:25:8:26:15 | saveFile | SaveFileTest.java:28:3:28:33 | stmt |
+| SaveFileTest.java:25:3:26:16 | local variable declaration | SaveFileTest.java:25:28:25:34 | dirPath |
+| SaveFileTest.java:25:8:26:15 | saveFile | SaveFileTest.java:28:3:28:33 | local variable declaration |
 | SaveFileTest.java:25:19:26:15 | new File(...) | SaveFileTest.java:25:8:26:15 | saveFile |
 | SaveFileTest.java:25:28:25:34 | dirPath | SaveFileTest.java:25:28:25:52 | getAbsolutePath(...) |
 | SaveFileTest.java:25:28:25:52 | getAbsolutePath(...) | SaveFileTest.java:25:56:25:69 | File.separator |
@@ -28,76 +28,76 @@
 | SaveFileTest.java:25:28:26:14 | ... + ... | SaveFileTest.java:25:19:26:15 | new File(...) |
 | SaveFileTest.java:25:56:25:69 | File.separator | SaveFileTest.java:25:28:25:69 | ... + ... |
 | SaveFileTest.java:26:7:26:14 | savePath | SaveFileTest.java:25:28:26:14 | ... + ... |
-| SaveFileTest.java:28:3:28:33 | stmt | SaveFileTest.java:28:28:28:31 | 8192 |
-| SaveFileTest.java:28:10:28:32 | buffer | SaveFileTest.java:29:3:29:20 | stmt |
+| SaveFileTest.java:28:3:28:33 | local variable declaration | SaveFileTest.java:28:28:28:31 | 8192 |
+| SaveFileTest.java:28:10:28:32 | buffer | SaveFileTest.java:29:3:29:20 | local variable declaration |
 | SaveFileTest.java:28:19:28:32 | new byte[] | SaveFileTest.java:28:10:28:32 | buffer |
 | SaveFileTest.java:28:28:28:31 | 8192 | SaveFileTest.java:28:19:28:32 | new byte[] |
-| SaveFileTest.java:29:3:29:20 | stmt | SaveFileTest.java:29:19:29:19 | 0 |
-| SaveFileTest.java:29:7:29:19 | bytesRead | SaveFileTest.java:30:3:30:26 | stmt |
+| SaveFileTest.java:29:3:29:20 | local variable declaration | SaveFileTest.java:29:19:29:19 | 0 |
+| SaveFileTest.java:29:7:29:19 | bytesRead | SaveFileTest.java:30:3:30:26 | local variable declaration |
 | SaveFileTest.java:29:19:29:19 | 0 | SaveFileTest.java:29:7:29:19 | bytesRead |
-| SaveFileTest.java:30:3:30:26 | stmt | SaveFileTest.java:30:22:30:25 | null |
-| SaveFileTest.java:30:16:30:25 | bos | SaveFileTest.java:31:3:53:3 | stmt |
+| SaveFileTest.java:30:3:30:26 | local variable declaration | SaveFileTest.java:30:22:30:25 | null |
+| SaveFileTest.java:30:16:30:25 | bos | SaveFileTest.java:31:3:53:3 | try ... |
 | SaveFileTest.java:30:22:30:25 | null | SaveFileTest.java:30:16:30:25 | bos |
-| SaveFileTest.java:31:3:53:3 | stmt | SaveFileTest.java:32:3:41:3 | stmt |
-| SaveFileTest.java:32:3:41:3 | stmt | SaveFileTest.java:33:4:33:40 | stmt |
-| SaveFileTest.java:33:4:33:39 | ...=... | SaveFileTest.java:34:4:34:55 | stmt |
-| SaveFileTest.java:33:4:33:40 | stmt | SaveFileTest.java:33:31:33:38 | saveFile |
+| SaveFileTest.java:31:3:53:3 | try ... | SaveFileTest.java:32:3:41:3 | { ... } |
+| SaveFileTest.java:32:3:41:3 | { ... } | SaveFileTest.java:33:4:33:40 | ...; |
+| SaveFileTest.java:33:4:33:39 | ...=... | SaveFileTest.java:34:4:34:55 | while (...) |
+| SaveFileTest.java:33:4:33:40 | ...; | SaveFileTest.java:33:31:33:38 | saveFile |
 | SaveFileTest.java:33:10:33:39 | new FileOutputStream(...) | SaveFileTest.java:33:4:33:39 | ...=... |
-| SaveFileTest.java:33:10:33:39 | new FileOutputStream(...) | SaveFileTest.java:41:5:41:23 | stmt |
-| SaveFileTest.java:33:10:33:39 | new FileOutputStream(...) | SaveFileTest.java:45:3:53:3 | stmt |
+| SaveFileTest.java:33:10:33:39 | new FileOutputStream(...) | SaveFileTest.java:41:5:41:23 | catch (...) |
+| SaveFileTest.java:33:10:33:39 | new FileOutputStream(...) | SaveFileTest.java:45:3:53:3 | { ... } |
 | SaveFileTest.java:33:31:33:38 | saveFile | SaveFileTest.java:33:10:33:39 | new FileOutputStream(...) |
-| SaveFileTest.java:34:4:34:55 | stmt | SaveFileTest.java:34:24:34:25 | is |
-| SaveFileTest.java:34:11:34:54 | ... != ... | SaveFileTest.java:35:4:37:4 | stmt |
-| SaveFileTest.java:34:11:34:54 | ... != ... | SaveFileTest.java:39:4:40:41 | stmt |
+| SaveFileTest.java:34:4:34:55 | while (...) | SaveFileTest.java:34:24:34:25 | is |
+| SaveFileTest.java:34:11:34:54 | ... != ... | SaveFileTest.java:35:4:37:4 | { ... } |
+| SaveFileTest.java:34:11:34:54 | ... != ... | SaveFileTest.java:39:4:40:41 | ...; |
 | SaveFileTest.java:34:12:34:47 | ...=... | SaveFileTest.java:34:54:34:54 | 1 |
 | SaveFileTest.java:34:24:34:25 | is | SaveFileTest.java:34:32:34:37 | buffer |
 | SaveFileTest.java:34:24:34:47 | read(...) | SaveFileTest.java:34:12:34:47 | ...=... |
-| SaveFileTest.java:34:24:34:47 | read(...) | SaveFileTest.java:41:5:41:23 | stmt |
-| SaveFileTest.java:34:24:34:47 | read(...) | SaveFileTest.java:45:3:53:3 | stmt |
+| SaveFileTest.java:34:24:34:47 | read(...) | SaveFileTest.java:41:5:41:23 | catch (...) |
+| SaveFileTest.java:34:24:34:47 | read(...) | SaveFileTest.java:45:3:53:3 | { ... } |
 | SaveFileTest.java:34:32:34:37 | buffer | SaveFileTest.java:34:40:34:40 | 0 |
 | SaveFileTest.java:34:40:34:40 | 0 | SaveFileTest.java:34:43:34:46 | 8192 |
 | SaveFileTest.java:34:43:34:46 | 8192 | SaveFileTest.java:34:24:34:47 | read(...) |
 | SaveFileTest.java:34:53:34:54 | -... | SaveFileTest.java:34:11:34:54 | ... != ... |
 | SaveFileTest.java:34:54:34:54 | 1 | SaveFileTest.java:34:53:34:54 | -... |
-| SaveFileTest.java:35:4:37:4 | stmt | SaveFileTest.java:36:5:36:36 | stmt |
+| SaveFileTest.java:35:4:37:4 | { ... } | SaveFileTest.java:36:5:36:36 | ...; |
 | SaveFileTest.java:36:5:36:7 | bos | SaveFileTest.java:36:15:36:20 | buffer |
 | SaveFileTest.java:36:5:36:35 | write(...) | SaveFileTest.java:34:24:34:25 | is |
-| SaveFileTest.java:36:5:36:35 | write(...) | SaveFileTest.java:41:5:41:23 | stmt |
-| SaveFileTest.java:36:5:36:35 | write(...) | SaveFileTest.java:45:3:53:3 | stmt |
-| SaveFileTest.java:36:5:36:36 | stmt | SaveFileTest.java:36:5:36:7 | bos |
+| SaveFileTest.java:36:5:36:35 | write(...) | SaveFileTest.java:41:5:41:23 | catch (...) |
+| SaveFileTest.java:36:5:36:35 | write(...) | SaveFileTest.java:45:3:53:3 | { ... } |
+| SaveFileTest.java:36:5:36:36 | ...; | SaveFileTest.java:36:5:36:7 | bos |
 | SaveFileTest.java:36:15:36:20 | buffer | SaveFileTest.java:36:23:36:23 | 0 |
 | SaveFileTest.java:36:23:36:23 | 0 | SaveFileTest.java:36:26:36:34 | bytesRead |
 | SaveFileTest.java:36:26:36:34 | bytesRead | SaveFileTest.java:36:5:36:35 | write(...) |
 | SaveFileTest.java:39:4:39:13 | System.out | SaveFileTest.java:39:23:39:54 | "The file has been written to [" |
-| SaveFileTest.java:39:4:40:40 | println(...) | SaveFileTest.java:41:5:41:23 | stmt |
-| SaveFileTest.java:39:4:40:40 | println(...) | SaveFileTest.java:45:3:53:3 | stmt |
-| SaveFileTest.java:39:4:40:41 | stmt | SaveFileTest.java:39:4:39:13 | System.out |
+| SaveFileTest.java:39:4:40:40 | println(...) | SaveFileTest.java:41:5:41:23 | catch (...) |
+| SaveFileTest.java:39:4:40:40 | println(...) | SaveFileTest.java:45:3:53:3 | { ... } |
+| SaveFileTest.java:39:4:40:41 | ...; | SaveFileTest.java:39:4:39:13 | System.out |
 | SaveFileTest.java:39:23:39:54 | "The file has been written to [" | SaveFileTest.java:40:8:40:15 | saveFile |
 | SaveFileTest.java:39:23:40:33 | ... + ... | SaveFileTest.java:40:37:40:39 | "]" |
 | SaveFileTest.java:39:23:40:39 | ... + ... | SaveFileTest.java:39:4:40:40 | println(...) |
 | SaveFileTest.java:40:8:40:15 | saveFile | SaveFileTest.java:40:8:40:33 | getAbsolutePath(...) |
 | SaveFileTest.java:40:8:40:33 | getAbsolutePath(...) | SaveFileTest.java:39:23:40:33 | ... + ... |
-| SaveFileTest.java:40:8:40:33 | getAbsolutePath(...) | SaveFileTest.java:41:5:41:23 | stmt |
-| SaveFileTest.java:40:8:40:33 | getAbsolutePath(...) | SaveFileTest.java:45:3:53:3 | stmt |
+| SaveFileTest.java:40:8:40:33 | getAbsolutePath(...) | SaveFileTest.java:41:5:41:23 | catch (...) |
+| SaveFileTest.java:40:8:40:33 | getAbsolutePath(...) | SaveFileTest.java:45:3:53:3 | { ... } |
 | SaveFileTest.java:40:37:40:39 | "]" | SaveFileTest.java:39:23:40:39 | ... + ... |
-| SaveFileTest.java:41:5:41:23 | stmt | SaveFileTest.java:41:22:41:22 | e |
-| SaveFileTest.java:41:22:41:22 | e | SaveFileTest.java:42:3:44:3 | stmt |
-| SaveFileTest.java:42:3:44:3 | stmt | SaveFileTest.java:43:26:43:47 | "ERROR uploading file" |
-| SaveFileTest.java:43:4:43:52 | stmt | SaveFileTest.java:45:3:53:3 | stmt |
-| SaveFileTest.java:43:10:43:51 | new IOException(...) | SaveFileTest.java:43:4:43:52 | stmt |
+| SaveFileTest.java:41:5:41:23 | catch (...) | SaveFileTest.java:41:22:41:22 | e |
+| SaveFileTest.java:41:22:41:22 | e | SaveFileTest.java:42:3:44:3 | { ... } |
+| SaveFileTest.java:42:3:44:3 | { ... } | SaveFileTest.java:43:26:43:47 | "ERROR uploading file" |
+| SaveFileTest.java:43:4:43:52 | throw ... | SaveFileTest.java:45:3:53:3 | { ... } |
+| SaveFileTest.java:43:10:43:51 | new IOException(...) | SaveFileTest.java:43:4:43:52 | throw ... |
 | SaveFileTest.java:43:26:43:47 | "ERROR uploading file" | SaveFileTest.java:43:50:43:50 | e |
 | SaveFileTest.java:43:50:43:50 | e | SaveFileTest.java:43:10:43:51 | new IOException(...) |
-| SaveFileTest.java:45:3:53:3 | stmt | SaveFileTest.java:46:4:52:4 | stmt |
-| SaveFileTest.java:46:4:52:4 | stmt | SaveFileTest.java:47:4:50:4 | stmt |
-| SaveFileTest.java:47:4:50:4 | stmt | SaveFileTest.java:48:5:48:16 | stmt |
+| SaveFileTest.java:45:3:53:3 | { ... } | SaveFileTest.java:46:4:52:4 | try ... |
+| SaveFileTest.java:46:4:52:4 | try ... | SaveFileTest.java:47:4:50:4 | { ... } |
+| SaveFileTest.java:47:4:50:4 | { ... } | SaveFileTest.java:48:5:48:16 | ...; |
 | SaveFileTest.java:48:5:48:7 | bos | SaveFileTest.java:48:5:48:15 | flush(...) |
-| SaveFileTest.java:48:5:48:15 | flush(...) | SaveFileTest.java:49:5:49:16 | stmt |
-| SaveFileTest.java:48:5:48:15 | flush(...) | SaveFileTest.java:50:6:50:30 | stmt |
-| SaveFileTest.java:48:5:48:16 | stmt | SaveFileTest.java:48:5:48:7 | bos |
+| SaveFileTest.java:48:5:48:15 | flush(...) | SaveFileTest.java:49:5:49:16 | ...; |
+| SaveFileTest.java:48:5:48:15 | flush(...) | SaveFileTest.java:50:6:50:30 | catch (...) |
+| SaveFileTest.java:48:5:48:16 | ...; | SaveFileTest.java:48:5:48:7 | bos |
 | SaveFileTest.java:49:5:49:7 | bos | SaveFileTest.java:49:5:49:15 | close(...) |
 | SaveFileTest.java:49:5:49:15 | close(...) | SaveFileTest.java:12:14:12:21 | saveFile |
-| SaveFileTest.java:49:5:49:15 | close(...) | SaveFileTest.java:50:6:50:30 | stmt |
-| SaveFileTest.java:49:5:49:16 | stmt | SaveFileTest.java:49:5:49:7 | bos |
-| SaveFileTest.java:50:6:50:30 | stmt | SaveFileTest.java:50:23:50:29 | ignored |
-| SaveFileTest.java:50:23:50:29 | ignored | SaveFileTest.java:51:4:52:4 | stmt |
-| SaveFileTest.java:51:4:52:4 | stmt | SaveFileTest.java:12:14:12:21 | saveFile |
+| SaveFileTest.java:49:5:49:15 | close(...) | SaveFileTest.java:50:6:50:30 | catch (...) |
+| SaveFileTest.java:49:5:49:16 | ...; | SaveFileTest.java:49:5:49:7 | bos |
+| SaveFileTest.java:50:6:50:30 | catch (...) | SaveFileTest.java:50:23:50:29 | ignored |
+| SaveFileTest.java:50:23:50:29 | ignored | SaveFileTest.java:51:4:52:4 | { ... } |
+| SaveFileTest.java:51:4:52:4 | { ... } | SaveFileTest.java:12:14:12:21 | saveFile |
diff --git a/java/ql/test/library-tests/successors/SchackTest/FalseSuccessors.expected b/java/ql/test/library-tests/successors/SchackTest/FalseSuccessors.expected
index 1a8a401b08e..fb487c6715b 100644
--- a/java/ql/test/library-tests/successors/SchackTest/FalseSuccessors.expected
+++ b/java/ql/test/library-tests/successors/SchackTest/FalseSuccessors.expected
@@ -1,6 +1,6 @@
-| SchackTest.java:8:9:8:12 | ... == ... | SchackTest.java:10:5:10:13 | stmt |
-| SchackTest.java:10:9:10:12 | ... == ... | SchackTest.java:12:14:15:4 | stmt |
-| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:16:4:16:41 | stmt |
-| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:17:5:17:17 | stmt |
-| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:21:13:23:3 | stmt |
+| SchackTest.java:8:9:8:12 | ... == ... | SchackTest.java:10:5:10:13 | if (...) |
+| SchackTest.java:10:9:10:12 | ... == ... | SchackTest.java:12:14:15:4 | { ... } |
+| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:16:4:16:41 | ...; |
+| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:17:5:17:17 | catch (...) |
+| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:21:13:23:3 | { ... } |
 | SchackTest.java:27:7:27:24 | ... > ... | SchackTest.java:29:10:29:22 | random(...) |
diff --git a/java/ql/test/library-tests/successors/SchackTest/TestSucc.expected b/java/ql/test/library-tests/successors/SchackTest/TestSucc.expected
index 9cd1d76f24f..5137de0a73f 100644
--- a/java/ql/test/library-tests/successors/SchackTest/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/SchackTest/TestSucc.expected
@@ -1,73 +1,73 @@
-| SchackTest.java:1:14:1:23 | stmt | SchackTest.java:1:14:1:23 | super(...) |
 | SchackTest.java:1:14:1:23 | super(...) | SchackTest.java:1:14:1:23 | SchackTest |
-| SchackTest.java:2:8:2:10 | stmt | SchackTest.java:2:8:2:10 | super(...) |
+| SchackTest.java:1:14:1:23 | { ... } | SchackTest.java:1:14:1:23 | super(...) |
 | SchackTest.java:2:8:2:10 | super(...) | SchackTest.java:2:8:2:10 | ExA |
-| SchackTest.java:3:8:3:10 | stmt | SchackTest.java:3:8:3:10 | super(...) |
+| SchackTest.java:2:8:2:10 | { ... } | SchackTest.java:2:8:2:10 | super(...) |
 | SchackTest.java:3:8:3:10 | super(...) | SchackTest.java:3:8:3:10 | ExB |
-| SchackTest.java:5:18:24:2 | stmt | SchackTest.java:6:3:23:3 | stmt |
-| SchackTest.java:6:3:23:3 | stmt | SchackTest.java:6:7:17:3 | stmt |
-| SchackTest.java:6:7:17:3 | stmt | SchackTest.java:7:4:15:4 | stmt |
-| SchackTest.java:7:4:15:4 | stmt | SchackTest.java:7:8:12:4 | stmt |
-| SchackTest.java:7:8:12:4 | stmt | SchackTest.java:8:5:8:13 | stmt |
-| SchackTest.java:8:5:8:13 | stmt | SchackTest.java:8:9:8:9 | x |
+| SchackTest.java:3:8:3:10 | { ... } | SchackTest.java:3:8:3:10 | super(...) |
+| SchackTest.java:5:18:24:2 | { ... } | SchackTest.java:6:3:23:3 | try ... |
+| SchackTest.java:6:3:23:3 | try ... | SchackTest.java:6:7:17:3 | { ... } |
+| SchackTest.java:6:7:17:3 | { ... } | SchackTest.java:7:4:15:4 | try ... |
+| SchackTest.java:7:4:15:4 | try ... | SchackTest.java:7:8:12:4 | { ... } |
+| SchackTest.java:7:8:12:4 | { ... } | SchackTest.java:8:5:8:13 | if (...) |
+| SchackTest.java:8:5:8:13 | if (...) | SchackTest.java:8:9:8:9 | x |
 | SchackTest.java:8:9:8:9 | x | SchackTest.java:8:12:8:12 | 1 |
 | SchackTest.java:8:9:8:12 | ... == ... | SchackTest.java:9:12:9:20 | new ExA(...) |
-| SchackTest.java:8:9:8:12 | ... == ... | SchackTest.java:10:5:10:13 | stmt |
+| SchackTest.java:8:9:8:12 | ... == ... | SchackTest.java:10:5:10:13 | if (...) |
 | SchackTest.java:8:12:8:12 | 1 | SchackTest.java:8:9:8:12 | ... == ... |
-| SchackTest.java:9:6:9:21 | stmt | SchackTest.java:12:14:15:4 | stmt |
-| SchackTest.java:9:12:9:20 | new ExA(...) | SchackTest.java:9:6:9:21 | stmt |
-| SchackTest.java:9:12:9:20 | new ExA(...) | SchackTest.java:12:14:15:4 | stmt |
-| SchackTest.java:10:5:10:13 | stmt | SchackTest.java:10:9:10:9 | x |
+| SchackTest.java:9:6:9:21 | throw ... | SchackTest.java:12:14:15:4 | { ... } |
+| SchackTest.java:9:12:9:20 | new ExA(...) | SchackTest.java:9:6:9:21 | throw ... |
+| SchackTest.java:9:12:9:20 | new ExA(...) | SchackTest.java:12:14:15:4 | { ... } |
+| SchackTest.java:10:5:10:13 | if (...) | SchackTest.java:10:9:10:9 | x |
 | SchackTest.java:10:9:10:9 | x | SchackTest.java:10:12:10:12 | 2 |
-| SchackTest.java:10:9:10:12 | ... == ... | SchackTest.java:11:6:11:12 | stmt |
-| SchackTest.java:10:9:10:12 | ... == ... | SchackTest.java:12:14:15:4 | stmt |
+| SchackTest.java:10:9:10:12 | ... == ... | SchackTest.java:11:6:11:12 | return ... |
+| SchackTest.java:10:9:10:12 | ... == ... | SchackTest.java:12:14:15:4 | { ... } |
 | SchackTest.java:10:12:10:12 | 2 | SchackTest.java:10:9:10:12 | ... == ... |
-| SchackTest.java:11:6:11:12 | stmt | SchackTest.java:12:14:15:4 | stmt |
-| SchackTest.java:12:14:15:4 | stmt | SchackTest.java:13:5:13:14 | stmt |
-| SchackTest.java:13:5:13:14 | stmt | SchackTest.java:13:9:13:13 | bar(...) |
-| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:14:6:14:42 | stmt |
-| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:16:4:16:41 | stmt |
-| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:17:5:17:17 | stmt |
-| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:19:5:19:17 | stmt |
-| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:21:13:23:3 | stmt |
+| SchackTest.java:11:6:11:12 | return ... | SchackTest.java:12:14:15:4 | { ... } |
+| SchackTest.java:12:14:15:4 | { ... } | SchackTest.java:13:5:13:14 | if (...) |
+| SchackTest.java:13:5:13:14 | if (...) | SchackTest.java:13:9:13:13 | bar(...) |
+| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:14:6:14:42 | ...; |
+| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:16:4:16:41 | ...; |
+| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:17:5:17:17 | catch (...) |
+| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:19:5:19:17 | catch (...) |
+| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:21:13:23:3 | { ... } |
 | SchackTest.java:14:6:14:15 | System.out | SchackTest.java:14:25:14:40 | "true successor" |
-| SchackTest.java:14:6:14:41 | println(...) | SchackTest.java:16:4:16:41 | stmt |
-| SchackTest.java:14:6:14:41 | println(...) | SchackTest.java:17:5:17:17 | stmt |
-| SchackTest.java:14:6:14:41 | println(...) | SchackTest.java:21:13:23:3 | stmt |
-| SchackTest.java:14:6:14:42 | stmt | SchackTest.java:14:6:14:15 | System.out |
+| SchackTest.java:14:6:14:41 | println(...) | SchackTest.java:16:4:16:41 | ...; |
+| SchackTest.java:14:6:14:41 | println(...) | SchackTest.java:17:5:17:17 | catch (...) |
+| SchackTest.java:14:6:14:41 | println(...) | SchackTest.java:21:13:23:3 | { ... } |
+| SchackTest.java:14:6:14:42 | ...; | SchackTest.java:14:6:14:15 | System.out |
 | SchackTest.java:14:25:14:40 | "true successor" | SchackTest.java:14:6:14:41 | println(...) |
 | SchackTest.java:16:4:16:13 | System.out | SchackTest.java:16:23:16:39 | "false successor" |
-| SchackTest.java:16:4:16:40 | println(...) | SchackTest.java:21:13:23:3 | stmt |
-| SchackTest.java:16:4:16:41 | stmt | SchackTest.java:16:4:16:13 | System.out |
+| SchackTest.java:16:4:16:40 | println(...) | SchackTest.java:21:13:23:3 | { ... } |
+| SchackTest.java:16:4:16:41 | ...; | SchackTest.java:16:4:16:13 | System.out |
 | SchackTest.java:16:23:16:39 | "false successor" | SchackTest.java:16:4:16:40 | println(...) |
-| SchackTest.java:17:5:17:17 | stmt | SchackTest.java:17:16:17:16 | e |
-| SchackTest.java:17:16:17:16 | e | SchackTest.java:17:19:19:3 | stmt |
-| SchackTest.java:17:19:19:3 | stmt | SchackTest.java:18:4:18:41 | stmt |
+| SchackTest.java:17:5:17:17 | catch (...) | SchackTest.java:17:16:17:16 | e |
+| SchackTest.java:17:16:17:16 | e | SchackTest.java:17:19:19:3 | { ... } |
+| SchackTest.java:17:19:19:3 | { ... } | SchackTest.java:18:4:18:41 | ...; |
 | SchackTest.java:18:4:18:13 | System.out | SchackTest.java:18:23:18:39 | "false successor" |
-| SchackTest.java:18:4:18:40 | println(...) | SchackTest.java:21:13:23:3 | stmt |
-| SchackTest.java:18:4:18:41 | stmt | SchackTest.java:18:4:18:13 | System.out |
+| SchackTest.java:18:4:18:40 | println(...) | SchackTest.java:21:13:23:3 | { ... } |
+| SchackTest.java:18:4:18:41 | ...; | SchackTest.java:18:4:18:13 | System.out |
 | SchackTest.java:18:23:18:39 | "false successor" | SchackTest.java:18:4:18:40 | println(...) |
-| SchackTest.java:19:5:19:17 | stmt | SchackTest.java:19:16:19:16 | e |
-| SchackTest.java:19:16:19:16 | e | SchackTest.java:19:19:21:3 | stmt |
-| SchackTest.java:19:19:21:3 | stmt | SchackTest.java:20:4:20:74 | stmt |
+| SchackTest.java:19:5:19:17 | catch (...) | SchackTest.java:19:16:19:16 | e |
+| SchackTest.java:19:16:19:16 | e | SchackTest.java:19:19:21:3 | { ... } |
+| SchackTest.java:19:19:21:3 | { ... } | SchackTest.java:20:4:20:74 | ...; |
 | SchackTest.java:20:4:20:13 | System.out | SchackTest.java:20:23:20:72 | "successor (but neither true nor false successor)" |
-| SchackTest.java:20:4:20:73 | println(...) | SchackTest.java:21:13:23:3 | stmt |
-| SchackTest.java:20:4:20:74 | stmt | SchackTest.java:20:4:20:13 | System.out |
+| SchackTest.java:20:4:20:73 | println(...) | SchackTest.java:21:13:23:3 | { ... } |
+| SchackTest.java:20:4:20:74 | ...; | SchackTest.java:20:4:20:13 | System.out |
 | SchackTest.java:20:23:20:72 | "successor (but neither true nor false successor)" | SchackTest.java:20:4:20:73 | println(...) |
-| SchackTest.java:21:13:23:3 | stmt | SchackTest.java:22:4:22:41 | stmt |
+| SchackTest.java:21:13:23:3 | { ... } | SchackTest.java:22:4:22:41 | ...; |
 | SchackTest.java:22:4:22:13 | System.out | SchackTest.java:22:23:22:39 | "false successor" |
 | SchackTest.java:22:4:22:40 | println(...) | SchackTest.java:5:7:5:9 | foo |
-| SchackTest.java:22:4:22:41 | stmt | SchackTest.java:22:4:22:13 | System.out |
+| SchackTest.java:22:4:22:41 | ...; | SchackTest.java:22:4:22:13 | System.out |
 | SchackTest.java:22:23:22:39 | "false successor" | SchackTest.java:22:4:22:40 | println(...) |
-| SchackTest.java:26:35:30:2 | stmt | SchackTest.java:27:3:27:25 | stmt |
-| SchackTest.java:27:3:27:25 | stmt | SchackTest.java:27:7:27:19 | random(...) |
+| SchackTest.java:26:35:30:2 | { ... } | SchackTest.java:27:3:27:25 | if (...) |
+| SchackTest.java:27:3:27:25 | if (...) | SchackTest.java:27:7:27:19 | random(...) |
 | SchackTest.java:27:7:27:19 | random(...) | SchackTest.java:27:23:27:24 | .5 |
 | SchackTest.java:27:7:27:24 | ... > ... | SchackTest.java:28:10:28:18 | new ExB(...) |
 | SchackTest.java:27:7:27:24 | ... > ... | SchackTest.java:29:10:29:22 | random(...) |
 | SchackTest.java:27:23:27:24 | .5 | SchackTest.java:27:7:27:24 | ... > ... |
-| SchackTest.java:28:4:28:19 | stmt | SchackTest.java:26:18:26:20 | bar |
-| SchackTest.java:28:10:28:18 | new ExB(...) | SchackTest.java:28:4:28:19 | stmt |
-| SchackTest.java:29:3:29:28 | stmt | SchackTest.java:26:18:26:20 | bar |
+| SchackTest.java:28:4:28:19 | throw ... | SchackTest.java:26:18:26:20 | bar |
+| SchackTest.java:28:10:28:18 | new ExB(...) | SchackTest.java:28:4:28:19 | throw ... |
+| SchackTest.java:29:3:29:28 | return ... | SchackTest.java:26:18:26:20 | bar |
 | SchackTest.java:29:10:29:22 | random(...) | SchackTest.java:29:26:29:27 | .3 |
-| SchackTest.java:29:10:29:27 | ... > ... | SchackTest.java:29:3:29:28 | stmt |
+| SchackTest.java:29:10:29:27 | ... > ... | SchackTest.java:29:3:29:28 | return ... |
 | SchackTest.java:29:26:29:27 | .3 | SchackTest.java:29:10:29:27 | ... > ... |
diff --git a/java/ql/test/library-tests/successors/TestBreak/FalseSuccessors.expected b/java/ql/test/library-tests/successors/TestBreak/FalseSuccessors.expected
index 0cf3efedda5..8a8db779bd0 100644
--- a/java/ql/test/library-tests/successors/TestBreak/FalseSuccessors.expected
+++ b/java/ql/test/library-tests/successors/TestBreak/FalseSuccessors.expected
@@ -1,5 +1,5 @@
-| TestBreak.java:12:9:12:14 | ... == ... | TestBreak.java:16:5:27:5 | stmt |
-| TestBreak.java:19:11:19:16 | ... == ... | TestBreak.java:23:7:25:7 | stmt |
-| TestBreak.java:32:8:32:13 | ... == ... | TestBreak.java:36:4:46:4 | stmt |
-| TestBreak.java:39:10:39:15 | ... == ... | TestBreak.java:43:6:43:15 | stmt |
-| TestBreak.java:44:14:44:19 | ... == ... | TestBreak.java:45:5:45:11 | stmt |
+| TestBreak.java:12:9:12:14 | ... == ... | TestBreak.java:16:5:27:5 | { ... } |
+| TestBreak.java:19:11:19:16 | ... == ... | TestBreak.java:23:7:25:7 | { ... } |
+| TestBreak.java:32:8:32:13 | ... == ... | TestBreak.java:36:4:46:4 | { ... } |
+| TestBreak.java:39:10:39:15 | ... == ... | TestBreak.java:43:6:43:15 | ...; |
+| TestBreak.java:44:14:44:19 | ... == ... | TestBreak.java:45:5:45:11 | ...; |
diff --git a/java/ql/test/library-tests/successors/TestBreak/TestSucc.expected b/java/ql/test/library-tests/successors/TestBreak/TestSucc.expected
index bfc01664042..3e08d2159f1 100644
--- a/java/ql/test/library-tests/successors/TestBreak/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/TestBreak/TestSucc.expected
@@ -1,155 +1,155 @@
-| TestBreak.java:3:14:3:22 | stmt | TestBreak.java:3:14:3:22 | super(...) |
 | TestBreak.java:3:14:3:22 | super(...) | TestBreak.java:3:14:3:22 | TestBreak |
-| TestBreak.java:5:2:85:2 | stmt | TestBreak.java:7:3:8:11 | stmt |
-| TestBreak.java:7:3:8:11 | stmt | TestBreak.java:8:4:8:11 | stmt |
-| TestBreak.java:8:4:8:11 | stmt | TestBreak.java:9:4:28:4 | stmt |
-| TestBreak.java:9:4:28:4 | stmt | TestBreak.java:10:5:10:14 | stmt |
-| TestBreak.java:10:5:10:14 | stmt | TestBreak.java:10:13:10:13 | 1 |
-| TestBreak.java:10:9:10:13 | x | TestBreak.java:11:5:11:14 | stmt |
+| TestBreak.java:3:14:3:22 | { ... } | TestBreak.java:3:14:3:22 | super(...) |
+| TestBreak.java:5:2:85:2 | { ... } | TestBreak.java:7:3:8:11 | labeled statement |
+| TestBreak.java:7:3:8:11 | labeled statement | TestBreak.java:8:4:8:11 | for (...) |
+| TestBreak.java:8:4:8:11 | for (...) | TestBreak.java:9:4:28:4 | { ... } |
+| TestBreak.java:9:4:28:4 | { ... } | TestBreak.java:10:5:10:14 | local variable declaration |
+| TestBreak.java:10:5:10:14 | local variable declaration | TestBreak.java:10:13:10:13 | 1 |
+| TestBreak.java:10:9:10:13 | x | TestBreak.java:11:5:11:14 | ...; |
 | TestBreak.java:10:13:10:13 | 1 | TestBreak.java:10:9:10:13 | x |
-| TestBreak.java:11:5:11:13 | ...=... | TestBreak.java:12:5:12:15 | stmt |
-| TestBreak.java:11:5:11:14 | stmt | TestBreak.java:11:9:11:9 | x |
+| TestBreak.java:11:5:11:13 | ...=... | TestBreak.java:12:5:12:15 | if (...) |
+| TestBreak.java:11:5:11:14 | ...; | TestBreak.java:11:9:11:9 | x |
 | TestBreak.java:11:9:11:9 | x | TestBreak.java:11:13:11:13 | 1 |
 | TestBreak.java:11:9:11:13 | ... + ... | TestBreak.java:11:5:11:13 | ...=... |
 | TestBreak.java:11:13:11:13 | 1 | TestBreak.java:11:9:11:13 | ... + ... |
-| TestBreak.java:12:5:12:15 | stmt | TestBreak.java:12:9:12:9 | x |
+| TestBreak.java:12:5:12:15 | if (...) | TestBreak.java:12:9:12:9 | x |
 | TestBreak.java:12:9:12:9 | x | TestBreak.java:12:14:12:14 | 1 |
-| TestBreak.java:12:9:12:14 | ... == ... | TestBreak.java:13:5:15:5 | stmt |
-| TestBreak.java:12:9:12:14 | ... == ... | TestBreak.java:16:5:27:5 | stmt |
+| TestBreak.java:12:9:12:14 | ... == ... | TestBreak.java:13:5:15:5 | { ... } |
+| TestBreak.java:12:9:12:14 | ... == ... | TestBreak.java:16:5:27:5 | { ... } |
 | TestBreak.java:12:14:12:14 | 1 | TestBreak.java:12:9:12:14 | ... == ... |
-| TestBreak.java:13:5:15:5 | stmt | TestBreak.java:14:6:14:11 | stmt |
-| TestBreak.java:14:6:14:11 | stmt | TestBreak.java:29:3:29:13 | stmt |
-| TestBreak.java:16:5:27:5 | stmt | TestBreak.java:17:6:17:30 | stmt |
-| TestBreak.java:17:6:17:30 | stmt | TestBreak.java:17:27:17:28 | 20 |
-| TestBreak.java:17:15:17:15 | q | TestBreak.java:18:6:26:6 | stmt |
-| TestBreak.java:17:19:17:29 | new int[] | TestBreak.java:9:4:28:4 | stmt |
+| TestBreak.java:13:5:15:5 | { ... } | TestBreak.java:14:6:14:11 | break |
+| TestBreak.java:14:6:14:11 | break | TestBreak.java:29:3:29:13 | local variable declaration |
+| TestBreak.java:16:5:27:5 | { ... } | TestBreak.java:17:6:17:30 | for (... : ...) |
+| TestBreak.java:17:6:17:30 | for (... : ...) | TestBreak.java:17:27:17:28 | 20 |
+| TestBreak.java:17:15:17:15 | q | TestBreak.java:18:6:26:6 | { ... } |
+| TestBreak.java:17:19:17:29 | new int[] | TestBreak.java:9:4:28:4 | { ... } |
 | TestBreak.java:17:19:17:29 | new int[] | TestBreak.java:17:15:17:15 | q |
 | TestBreak.java:17:27:17:28 | 20 | TestBreak.java:17:19:17:29 | new int[] |
-| TestBreak.java:18:6:26:6 | stmt | TestBreak.java:19:7:19:17 | stmt |
-| TestBreak.java:19:7:19:17 | stmt | TestBreak.java:19:11:19:11 | q |
+| TestBreak.java:18:6:26:6 | { ... } | TestBreak.java:19:7:19:17 | if (...) |
+| TestBreak.java:19:7:19:17 | if (...) | TestBreak.java:19:11:19:11 | q |
 | TestBreak.java:19:11:19:11 | q | TestBreak.java:19:16:19:16 | 1 |
-| TestBreak.java:19:11:19:16 | ... == ... | TestBreak.java:20:7:22:7 | stmt |
-| TestBreak.java:19:11:19:16 | ... == ... | TestBreak.java:23:7:25:7 | stmt |
+| TestBreak.java:19:11:19:16 | ... == ... | TestBreak.java:20:7:22:7 | { ... } |
+| TestBreak.java:19:11:19:16 | ... == ... | TestBreak.java:23:7:25:7 | { ... } |
 | TestBreak.java:19:16:19:16 | 1 | TestBreak.java:19:11:19:16 | ... == ... |
-| TestBreak.java:20:7:22:7 | stmt | TestBreak.java:21:8:21:13 | stmt |
-| TestBreak.java:21:8:21:13 | stmt | TestBreak.java:9:4:28:4 | stmt |
-| TestBreak.java:23:7:25:7 | stmt | TestBreak.java:24:8:24:15 | stmt |
-| TestBreak.java:24:8:24:15 | stmt | TestBreak.java:29:3:29:13 | stmt |
-| TestBreak.java:29:3:29:13 | stmt | TestBreak.java:29:11:29:12 | 12 |
-| TestBreak.java:29:7:29:12 | y | TestBreak.java:30:3:30:14 | stmt |
+| TestBreak.java:20:7:22:7 | { ... } | TestBreak.java:21:8:21:13 | break |
+| TestBreak.java:21:8:21:13 | break | TestBreak.java:9:4:28:4 | { ... } |
+| TestBreak.java:23:7:25:7 | { ... } | TestBreak.java:24:8:24:15 | break |
+| TestBreak.java:24:8:24:15 | break | TestBreak.java:29:3:29:13 | local variable declaration |
+| TestBreak.java:29:3:29:13 | local variable declaration | TestBreak.java:29:11:29:12 | 12 |
+| TestBreak.java:29:7:29:12 | y | TestBreak.java:30:3:30:14 | while (...) |
 | TestBreak.java:29:11:29:12 | 12 | TestBreak.java:29:7:29:12 | y |
-| TestBreak.java:30:3:30:14 | stmt | TestBreak.java:30:10:30:13 | true |
-| TestBreak.java:30:10:30:13 | true | TestBreak.java:31:3:47:3 | stmt |
-| TestBreak.java:31:3:47:3 | stmt | TestBreak.java:32:4:32:14 | stmt |
-| TestBreak.java:32:4:32:14 | stmt | TestBreak.java:32:8:32:8 | y |
+| TestBreak.java:30:3:30:14 | while (...) | TestBreak.java:30:10:30:13 | true |
+| TestBreak.java:30:10:30:13 | true | TestBreak.java:31:3:47:3 | { ... } |
+| TestBreak.java:31:3:47:3 | { ... } | TestBreak.java:32:4:32:14 | if (...) |
+| TestBreak.java:32:4:32:14 | if (...) | TestBreak.java:32:8:32:8 | y |
 | TestBreak.java:32:8:32:8 | y | TestBreak.java:32:13:32:13 | 1 |
-| TestBreak.java:32:8:32:13 | ... == ... | TestBreak.java:33:4:35:4 | stmt |
-| TestBreak.java:32:8:32:13 | ... == ... | TestBreak.java:36:4:46:4 | stmt |
+| TestBreak.java:32:8:32:13 | ... == ... | TestBreak.java:33:4:35:4 | { ... } |
+| TestBreak.java:32:8:32:13 | ... == ... | TestBreak.java:36:4:46:4 | { ... } |
 | TestBreak.java:32:13:32:13 | 1 | TestBreak.java:32:8:32:13 | ... == ... |
-| TestBreak.java:33:4:35:4 | stmt | TestBreak.java:34:5:34:10 | stmt |
-| TestBreak.java:34:5:34:10 | stmt | TestBreak.java:48:3:48:9 | stmt |
-| TestBreak.java:36:4:46:4 | stmt | TestBreak.java:37:5:44:21 | stmt |
-| TestBreak.java:37:5:44:21 | stmt | TestBreak.java:38:5:44:5 | stmt |
-| TestBreak.java:38:5:44:5 | stmt | TestBreak.java:39:6:39:16 | stmt |
-| TestBreak.java:39:6:39:16 | stmt | TestBreak.java:39:10:39:10 | y |
+| TestBreak.java:33:4:35:4 | { ... } | TestBreak.java:34:5:34:10 | break |
+| TestBreak.java:34:5:34:10 | break | TestBreak.java:48:3:48:9 | ...; |
+| TestBreak.java:36:4:46:4 | { ... } | TestBreak.java:37:5:44:21 | do ... while (...) |
+| TestBreak.java:37:5:44:21 | do ... while (...) | TestBreak.java:38:5:44:5 | { ... } |
+| TestBreak.java:38:5:44:5 | { ... } | TestBreak.java:39:6:39:16 | if (...) |
+| TestBreak.java:39:6:39:16 | if (...) | TestBreak.java:39:10:39:10 | y |
 | TestBreak.java:39:10:39:10 | y | TestBreak.java:39:15:39:15 | 2 |
-| TestBreak.java:39:10:39:15 | ... == ... | TestBreak.java:40:6:42:6 | stmt |
-| TestBreak.java:39:10:39:15 | ... == ... | TestBreak.java:43:6:43:15 | stmt |
+| TestBreak.java:39:10:39:15 | ... == ... | TestBreak.java:40:6:42:6 | { ... } |
+| TestBreak.java:39:10:39:15 | ... == ... | TestBreak.java:43:6:43:15 | ...; |
 | TestBreak.java:39:15:39:15 | 2 | TestBreak.java:39:10:39:15 | ... == ... |
-| TestBreak.java:40:6:42:6 | stmt | TestBreak.java:41:7:41:12 | stmt |
-| TestBreak.java:41:7:41:12 | stmt | TestBreak.java:45:5:45:11 | stmt |
+| TestBreak.java:40:6:42:6 | { ... } | TestBreak.java:41:7:41:12 | break |
+| TestBreak.java:41:7:41:12 | break | TestBreak.java:45:5:45:11 | ...; |
 | TestBreak.java:43:6:43:14 | ...=... | TestBreak.java:44:14:44:14 | y |
-| TestBreak.java:43:6:43:15 | stmt | TestBreak.java:43:10:43:10 | y |
+| TestBreak.java:43:6:43:15 | ...; | TestBreak.java:43:10:43:10 | y |
 | TestBreak.java:43:10:43:10 | y | TestBreak.java:43:14:43:14 | 2 |
 | TestBreak.java:43:10:43:14 | ... + ... | TestBreak.java:43:6:43:14 | ...=... |
 | TestBreak.java:43:14:43:14 | 2 | TestBreak.java:43:10:43:14 | ... + ... |
 | TestBreak.java:44:14:44:14 | y | TestBreak.java:44:19:44:19 | 1 |
-| TestBreak.java:44:14:44:19 | ... == ... | TestBreak.java:38:5:44:5 | stmt |
-| TestBreak.java:44:14:44:19 | ... == ... | TestBreak.java:45:5:45:11 | stmt |
+| TestBreak.java:44:14:44:19 | ... == ... | TestBreak.java:38:5:44:5 | { ... } |
+| TestBreak.java:44:14:44:19 | ... == ... | TestBreak.java:45:5:45:11 | ...; |
 | TestBreak.java:44:19:44:19 | 1 | TestBreak.java:44:14:44:19 | ... == ... |
 | TestBreak.java:45:5:45:10 | ...=... | TestBreak.java:30:10:30:13 | true |
-| TestBreak.java:45:5:45:11 | stmt | TestBreak.java:45:9:45:10 | 12 |
+| TestBreak.java:45:5:45:11 | ...; | TestBreak.java:45:9:45:10 | 12 |
 | TestBreak.java:45:9:45:10 | 12 | TestBreak.java:45:5:45:10 | ...=... |
-| TestBreak.java:48:3:48:8 | ...=... | TestBreak.java:51:3:51:12 | stmt |
-| TestBreak.java:48:3:48:9 | stmt | TestBreak.java:48:7:48:8 | 13 |
+| TestBreak.java:48:3:48:8 | ...=... | TestBreak.java:51:3:51:12 | local variable declaration |
+| TestBreak.java:48:3:48:9 | ...; | TestBreak.java:48:7:48:8 | 13 |
 | TestBreak.java:48:7:48:8 | 13 | TestBreak.java:48:3:48:8 | ...=... |
-| TestBreak.java:51:3:51:12 | stmt | TestBreak.java:51:10:51:11 | 12 |
-| TestBreak.java:51:7:51:11 | x | TestBreak.java:52:3:52:12 | stmt |
+| TestBreak.java:51:3:51:12 | local variable declaration | TestBreak.java:51:10:51:11 | 12 |
+| TestBreak.java:51:7:51:11 | x | TestBreak.java:52:3:52:12 | switch (...) |
 | TestBreak.java:51:10:51:11 | 12 | TestBreak.java:51:7:51:11 | x |
-| TestBreak.java:52:3:52:12 | stmt | TestBreak.java:52:11:52:11 | x |
-| TestBreak.java:52:11:52:11 | x | TestBreak.java:54:3:54:9 | stmt |
-| TestBreak.java:52:11:52:11 | x | TestBreak.java:57:3:57:9 | stmt |
-| TestBreak.java:52:11:52:11 | x | TestBreak.java:61:3:61:9 | stmt |
-| TestBreak.java:52:11:52:11 | x | TestBreak.java:62:3:62:9 | stmt |
-| TestBreak.java:52:11:52:11 | x | TestBreak.java:66:3:66:9 | stmt |
-| TestBreak.java:52:11:52:11 | x | TestBreak.java:67:3:67:9 | stmt |
-| TestBreak.java:52:11:52:11 | x | TestBreak.java:70:3:70:10 | stmt |
-| TestBreak.java:54:3:54:9 | stmt | TestBreak.java:55:4:55:13 | stmt |
-| TestBreak.java:55:4:55:12 | ...=... | TestBreak.java:56:4:56:13 | stmt |
-| TestBreak.java:55:4:55:13 | stmt | TestBreak.java:55:8:55:8 | x |
+| TestBreak.java:52:3:52:12 | switch (...) | TestBreak.java:52:11:52:11 | x |
+| TestBreak.java:52:11:52:11 | x | TestBreak.java:54:3:54:9 | case ... |
+| TestBreak.java:52:11:52:11 | x | TestBreak.java:57:3:57:9 | case ... |
+| TestBreak.java:52:11:52:11 | x | TestBreak.java:61:3:61:9 | case ... |
+| TestBreak.java:52:11:52:11 | x | TestBreak.java:62:3:62:9 | case ... |
+| TestBreak.java:52:11:52:11 | x | TestBreak.java:66:3:66:9 | case ... |
+| TestBreak.java:52:11:52:11 | x | TestBreak.java:67:3:67:9 | case ... |
+| TestBreak.java:52:11:52:11 | x | TestBreak.java:70:3:70:10 | default |
+| TestBreak.java:54:3:54:9 | case ... | TestBreak.java:55:4:55:13 | ...; |
+| TestBreak.java:55:4:55:12 | ...=... | TestBreak.java:56:4:56:13 | ...; |
+| TestBreak.java:55:4:55:13 | ...; | TestBreak.java:55:8:55:8 | x |
 | TestBreak.java:55:8:55:8 | x | TestBreak.java:55:12:55:12 | 1 |
 | TestBreak.java:55:8:55:12 | ... + ... | TestBreak.java:55:4:55:12 | ...=... |
 | TestBreak.java:55:12:55:12 | 1 | TestBreak.java:55:8:55:12 | ... + ... |
-| TestBreak.java:56:4:56:12 | ...=... | TestBreak.java:57:3:57:9 | stmt |
-| TestBreak.java:56:4:56:13 | stmt | TestBreak.java:56:8:56:8 | y |
+| TestBreak.java:56:4:56:12 | ...=... | TestBreak.java:57:3:57:9 | case ... |
+| TestBreak.java:56:4:56:13 | ...; | TestBreak.java:56:8:56:8 | y |
 | TestBreak.java:56:8:56:8 | y | TestBreak.java:56:12:56:12 | 1 |
 | TestBreak.java:56:8:56:12 | ... + ... | TestBreak.java:56:4:56:12 | ...=... |
 | TestBreak.java:56:12:56:12 | 1 | TestBreak.java:56:8:56:12 | ... + ... |
-| TestBreak.java:57:3:57:9 | stmt | TestBreak.java:58:4:58:13 | stmt |
-| TestBreak.java:58:4:58:12 | ...=... | TestBreak.java:59:4:59:13 | stmt |
-| TestBreak.java:58:4:58:13 | stmt | TestBreak.java:58:8:58:8 | x |
+| TestBreak.java:57:3:57:9 | case ... | TestBreak.java:58:4:58:13 | ...; |
+| TestBreak.java:58:4:58:12 | ...=... | TestBreak.java:59:4:59:13 | ...; |
+| TestBreak.java:58:4:58:13 | ...; | TestBreak.java:58:8:58:8 | x |
 | TestBreak.java:58:8:58:8 | x | TestBreak.java:58:12:58:12 | 2 |
 | TestBreak.java:58:8:58:12 | ... + ... | TestBreak.java:58:4:58:12 | ...=... |
 | TestBreak.java:58:12:58:12 | 2 | TestBreak.java:58:8:58:12 | ... + ... |
-| TestBreak.java:59:4:59:12 | ...=... | TestBreak.java:60:4:60:9 | stmt |
-| TestBreak.java:59:4:59:13 | stmt | TestBreak.java:59:8:59:8 | y |
+| TestBreak.java:59:4:59:12 | ...=... | TestBreak.java:60:4:60:9 | break |
+| TestBreak.java:59:4:59:13 | ...; | TestBreak.java:59:8:59:8 | y |
 | TestBreak.java:59:8:59:8 | y | TestBreak.java:59:12:59:12 | 2 |
 | TestBreak.java:59:8:59:12 | ... + ... | TestBreak.java:59:4:59:12 | ...=... |
 | TestBreak.java:59:12:59:12 | 2 | TestBreak.java:59:8:59:12 | ... + ... |
-| TestBreak.java:60:4:60:9 | stmt | TestBreak.java:76:3:76:11 | stmt |
-| TestBreak.java:61:3:61:9 | stmt | TestBreak.java:62:3:62:9 | stmt |
-| TestBreak.java:62:3:62:9 | stmt | TestBreak.java:63:4:63:13 | stmt |
-| TestBreak.java:63:4:63:12 | ...=... | TestBreak.java:64:4:64:13 | stmt |
-| TestBreak.java:63:4:63:13 | stmt | TestBreak.java:63:8:63:8 | x |
+| TestBreak.java:60:4:60:9 | break | TestBreak.java:76:3:76:11 | switch (...) |
+| TestBreak.java:61:3:61:9 | case ... | TestBreak.java:62:3:62:9 | case ... |
+| TestBreak.java:62:3:62:9 | case ... | TestBreak.java:63:4:63:13 | ...; |
+| TestBreak.java:63:4:63:12 | ...=... | TestBreak.java:64:4:64:13 | ...; |
+| TestBreak.java:63:4:63:13 | ...; | TestBreak.java:63:8:63:8 | x |
 | TestBreak.java:63:8:63:8 | x | TestBreak.java:63:12:63:12 | 3 |
 | TestBreak.java:63:8:63:12 | ... + ... | TestBreak.java:63:4:63:12 | ...=... |
 | TestBreak.java:63:12:63:12 | 3 | TestBreak.java:63:8:63:12 | ... + ... |
-| TestBreak.java:64:4:64:12 | ...=... | TestBreak.java:65:4:65:9 | stmt |
-| TestBreak.java:64:4:64:13 | stmt | TestBreak.java:64:8:64:8 | y |
+| TestBreak.java:64:4:64:12 | ...=... | TestBreak.java:65:4:65:9 | break |
+| TestBreak.java:64:4:64:13 | ...; | TestBreak.java:64:8:64:8 | y |
 | TestBreak.java:64:8:64:8 | y | TestBreak.java:64:12:64:12 | 4 |
 | TestBreak.java:64:8:64:12 | ... + ... | TestBreak.java:64:4:64:12 | ...=... |
 | TestBreak.java:64:12:64:12 | 4 | TestBreak.java:64:8:64:12 | ... + ... |
-| TestBreak.java:65:4:65:9 | stmt | TestBreak.java:76:3:76:11 | stmt |
-| TestBreak.java:66:3:66:9 | stmt | TestBreak.java:67:3:67:9 | stmt |
-| TestBreak.java:67:3:67:9 | stmt | TestBreak.java:68:4:68:13 | stmt |
-| TestBreak.java:68:4:68:12 | ...=... | TestBreak.java:69:4:69:13 | stmt |
-| TestBreak.java:68:4:68:13 | stmt | TestBreak.java:68:8:68:8 | x |
+| TestBreak.java:65:4:65:9 | break | TestBreak.java:76:3:76:11 | switch (...) |
+| TestBreak.java:66:3:66:9 | case ... | TestBreak.java:67:3:67:9 | case ... |
+| TestBreak.java:67:3:67:9 | case ... | TestBreak.java:68:4:68:13 | ...; |
+| TestBreak.java:68:4:68:12 | ...=... | TestBreak.java:69:4:69:13 | ...; |
+| TestBreak.java:68:4:68:13 | ...; | TestBreak.java:68:8:68:8 | x |
 | TestBreak.java:68:8:68:8 | x | TestBreak.java:68:12:68:12 | 5 |
 | TestBreak.java:68:8:68:12 | ... + ... | TestBreak.java:68:4:68:12 | ...=... |
 | TestBreak.java:68:12:68:12 | 5 | TestBreak.java:68:8:68:12 | ... + ... |
-| TestBreak.java:69:4:69:12 | ...=... | TestBreak.java:70:3:70:10 | stmt |
-| TestBreak.java:69:4:69:13 | stmt | TestBreak.java:69:8:69:8 | y |
+| TestBreak.java:69:4:69:12 | ...=... | TestBreak.java:70:3:70:10 | default |
+| TestBreak.java:69:4:69:13 | ...; | TestBreak.java:69:8:69:8 | y |
 | TestBreak.java:69:8:69:8 | y | TestBreak.java:69:12:69:12 | 6 |
 | TestBreak.java:69:8:69:12 | ... + ... | TestBreak.java:69:4:69:12 | ...=... |
 | TestBreak.java:69:12:69:12 | 6 | TestBreak.java:69:8:69:12 | ... + ... |
-| TestBreak.java:70:3:70:10 | stmt | TestBreak.java:71:4:71:9 | stmt |
-| TestBreak.java:71:4:71:8 | ...=... | TestBreak.java:72:4:72:9 | stmt |
-| TestBreak.java:71:4:71:9 | stmt | TestBreak.java:71:8:71:8 | y |
+| TestBreak.java:70:3:70:10 | default | TestBreak.java:71:4:71:9 | ...; |
+| TestBreak.java:71:4:71:8 | ...=... | TestBreak.java:72:4:72:9 | ...; |
+| TestBreak.java:71:4:71:9 | ...; | TestBreak.java:71:8:71:8 | y |
 | TestBreak.java:71:8:71:8 | y | TestBreak.java:71:4:71:8 | ...=... |
-| TestBreak.java:72:4:72:8 | ...=... | TestBreak.java:76:3:76:11 | stmt |
-| TestBreak.java:72:4:72:9 | stmt | TestBreak.java:72:8:72:8 | x |
+| TestBreak.java:72:4:72:8 | ...=... | TestBreak.java:76:3:76:11 | switch (...) |
+| TestBreak.java:72:4:72:9 | ...; | TestBreak.java:72:8:72:8 | x |
 | TestBreak.java:72:8:72:8 | x | TestBreak.java:72:4:72:8 | ...=... |
-| TestBreak.java:76:3:76:11 | stmt | TestBreak.java:76:10:76:10 | x |
+| TestBreak.java:76:3:76:11 | switch (...) | TestBreak.java:76:10:76:10 | x |
 | TestBreak.java:76:10:76:10 | x | TestBreak.java:4:14:4:14 | f |
-| TestBreak.java:76:10:76:10 | x | TestBreak.java:78:3:78:9 | stmt |
-| TestBreak.java:76:10:76:10 | x | TestBreak.java:81:3:81:9 | stmt |
-| TestBreak.java:78:3:78:9 | stmt | TestBreak.java:79:4:79:9 | stmt |
-| TestBreak.java:79:4:79:8 | ...=... | TestBreak.java:80:4:80:9 | stmt |
-| TestBreak.java:79:4:79:9 | stmt | TestBreak.java:79:8:79:8 | 1 |
+| TestBreak.java:76:10:76:10 | x | TestBreak.java:78:3:78:9 | case ... |
+| TestBreak.java:76:10:76:10 | x | TestBreak.java:81:3:81:9 | case ... |
+| TestBreak.java:78:3:78:9 | case ... | TestBreak.java:79:4:79:9 | ...; |
+| TestBreak.java:79:4:79:8 | ...=... | TestBreak.java:80:4:80:9 | break |
+| TestBreak.java:79:4:79:9 | ...; | TestBreak.java:79:8:79:8 | 1 |
 | TestBreak.java:79:8:79:8 | 1 | TestBreak.java:79:4:79:8 | ...=... |
-| TestBreak.java:80:4:80:9 | stmt | TestBreak.java:4:14:4:14 | f |
-| TestBreak.java:81:3:81:9 | stmt | TestBreak.java:82:4:82:9 | stmt |
-| TestBreak.java:82:4:82:8 | ...=... | TestBreak.java:83:4:83:9 | stmt |
-| TestBreak.java:82:4:82:9 | stmt | TestBreak.java:82:8:82:8 | 2 |
+| TestBreak.java:80:4:80:9 | break | TestBreak.java:4:14:4:14 | f |
+| TestBreak.java:81:3:81:9 | case ... | TestBreak.java:82:4:82:9 | ...; |
+| TestBreak.java:82:4:82:8 | ...=... | TestBreak.java:83:4:83:9 | break |
+| TestBreak.java:82:4:82:9 | ...; | TestBreak.java:82:8:82:8 | 2 |
 | TestBreak.java:82:8:82:8 | 2 | TestBreak.java:82:4:82:8 | ...=... |
-| TestBreak.java:83:4:83:9 | stmt | TestBreak.java:4:14:4:14 | f |
+| TestBreak.java:83:4:83:9 | break | TestBreak.java:4:14:4:14 | f |
diff --git a/java/ql/test/library-tests/successors/TestContinue/FalseSuccessors.expected b/java/ql/test/library-tests/successors/TestContinue/FalseSuccessors.expected
index 046cece6f7f..a5da44bd900 100644
--- a/java/ql/test/library-tests/successors/TestContinue/FalseSuccessors.expected
+++ b/java/ql/test/library-tests/successors/TestContinue/FalseSuccessors.expected
@@ -1,10 +1,10 @@
-| TestContinue.java:8:20:8:25 | ... < ... | TestContinue.java:30:3:30:13 | stmt |
-| TestContinue.java:12:9:12:14 | ... == ... | TestContinue.java:16:5:28:5 | stmt |
-| TestContinue.java:19:11:19:16 | ... == ... | TestContinue.java:22:14:22:24 | stmt |
-| TestContinue.java:22:18:22:23 | ... == ... | TestContinue.java:26:7:26:13 | stmt |
-| TestContinue.java:31:10:31:16 | ... != ... | TestContinue.java:50:3:50:9 | stmt |
-| TestContinue.java:33:8:33:13 | ... == ... | TestContinue.java:37:4:47:4 | stmt |
-| TestContinue.java:40:10:40:15 | ... == ... | TestContinue.java:44:6:44:15 | stmt |
-| TestContinue.java:45:14:45:19 | ... == ... | TestContinue.java:46:5:46:11 | stmt |
+| TestContinue.java:8:20:8:25 | ... < ... | TestContinue.java:30:3:30:13 | local variable declaration |
+| TestContinue.java:12:9:12:14 | ... == ... | TestContinue.java:16:5:28:5 | { ... } |
+| TestContinue.java:19:11:19:16 | ... == ... | TestContinue.java:22:14:22:24 | if (...) |
+| TestContinue.java:22:18:22:23 | ... == ... | TestContinue.java:26:7:26:13 | ...; |
+| TestContinue.java:31:10:31:16 | ... != ... | TestContinue.java:50:3:50:9 | ...; |
+| TestContinue.java:33:8:33:13 | ... == ... | TestContinue.java:37:4:47:4 | { ... } |
+| TestContinue.java:40:10:40:15 | ... == ... | TestContinue.java:44:6:44:15 | ...; |
+| TestContinue.java:45:14:45:19 | ... == ... | TestContinue.java:46:5:46:11 | ...; |
 | TestContinue.java:51:10:51:16 | ... != ... | TestContinue.java:4:14:4:14 | f |
-| TestContinue.java:53:8:53:13 | ... != ... | TestContinue.java:56:5:56:10 | stmt |
+| TestContinue.java:53:8:53:13 | ... != ... | TestContinue.java:56:5:56:10 | break |
diff --git a/java/ql/test/library-tests/successors/TestContinue/TestSucc.expected b/java/ql/test/library-tests/successors/TestContinue/TestSucc.expected
index c12e88e7080..50ce7f6a524 100644
--- a/java/ql/test/library-tests/successors/TestContinue/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/TestContinue/TestSucc.expected
@@ -1,110 +1,110 @@
-| TestContinue.java:3:14:3:25 | stmt | TestContinue.java:3:14:3:25 | super(...) |
 | TestContinue.java:3:14:3:25 | super(...) | TestContinue.java:3:14:3:25 | TestContinue |
-| TestContinue.java:5:2:58:2 | stmt | TestContinue.java:7:3:8:27 | stmt |
-| TestContinue.java:7:3:8:27 | stmt | TestContinue.java:8:4:8:27 | stmt |
-| TestContinue.java:8:4:8:27 | stmt | TestContinue.java:8:17:8:17 | 0 |
+| TestContinue.java:3:14:3:25 | { ... } | TestContinue.java:3:14:3:25 | super(...) |
+| TestContinue.java:5:2:58:2 | { ... } | TestContinue.java:7:3:8:27 | labeled statement |
+| TestContinue.java:7:3:8:27 | labeled statement | TestContinue.java:8:4:8:27 | for (...) |
+| TestContinue.java:8:4:8:27 | for (...) | TestContinue.java:8:17:8:17 | 0 |
 | TestContinue.java:8:13:8:17 | p | TestContinue.java:8:20:8:20 | p |
 | TestContinue.java:8:17:8:17 | 0 | TestContinue.java:8:13:8:17 | p |
 | TestContinue.java:8:20:8:20 | p | TestContinue.java:8:24:8:25 | 10 |
-| TestContinue.java:8:20:8:25 | ... < ... | TestContinue.java:9:4:29:4 | stmt |
-| TestContinue.java:8:20:8:25 | ... < ... | TestContinue.java:30:3:30:13 | stmt |
+| TestContinue.java:8:20:8:25 | ... < ... | TestContinue.java:9:4:29:4 | { ... } |
+| TestContinue.java:8:20:8:25 | ... < ... | TestContinue.java:30:3:30:13 | local variable declaration |
 | TestContinue.java:8:24:8:25 | 10 | TestContinue.java:8:20:8:25 | ... < ... |
-| TestContinue.java:9:4:29:4 | stmt | TestContinue.java:10:5:10:14 | stmt |
-| TestContinue.java:10:5:10:14 | stmt | TestContinue.java:10:13:10:13 | 1 |
-| TestContinue.java:10:9:10:13 | x | TestContinue.java:11:5:11:14 | stmt |
+| TestContinue.java:9:4:29:4 | { ... } | TestContinue.java:10:5:10:14 | local variable declaration |
+| TestContinue.java:10:5:10:14 | local variable declaration | TestContinue.java:10:13:10:13 | 1 |
+| TestContinue.java:10:9:10:13 | x | TestContinue.java:11:5:11:14 | ...; |
 | TestContinue.java:10:13:10:13 | 1 | TestContinue.java:10:9:10:13 | x |
-| TestContinue.java:11:5:11:13 | ...=... | TestContinue.java:12:5:12:15 | stmt |
-| TestContinue.java:11:5:11:14 | stmt | TestContinue.java:11:9:11:9 | x |
+| TestContinue.java:11:5:11:13 | ...=... | TestContinue.java:12:5:12:15 | if (...) |
+| TestContinue.java:11:5:11:14 | ...; | TestContinue.java:11:9:11:9 | x |
 | TestContinue.java:11:9:11:9 | x | TestContinue.java:11:13:11:13 | 1 |
 | TestContinue.java:11:9:11:13 | ... + ... | TestContinue.java:11:5:11:13 | ...=... |
 | TestContinue.java:11:13:11:13 | 1 | TestContinue.java:11:9:11:13 | ... + ... |
-| TestContinue.java:12:5:12:15 | stmt | TestContinue.java:12:9:12:9 | x |
+| TestContinue.java:12:5:12:15 | if (...) | TestContinue.java:12:9:12:9 | x |
 | TestContinue.java:12:9:12:9 | x | TestContinue.java:12:14:12:14 | 1 |
-| TestContinue.java:12:9:12:14 | ... == ... | TestContinue.java:13:5:15:5 | stmt |
-| TestContinue.java:12:9:12:14 | ... == ... | TestContinue.java:16:5:28:5 | stmt |
+| TestContinue.java:12:9:12:14 | ... == ... | TestContinue.java:13:5:15:5 | { ... } |
+| TestContinue.java:12:9:12:14 | ... == ... | TestContinue.java:16:5:28:5 | { ... } |
 | TestContinue.java:12:14:12:14 | 1 | TestContinue.java:12:9:12:14 | ... == ... |
-| TestContinue.java:13:5:15:5 | stmt | TestContinue.java:14:6:14:14 | stmt |
-| TestContinue.java:14:6:14:14 | stmt | TestContinue.java:8:20:8:20 | p |
-| TestContinue.java:16:5:28:5 | stmt | TestContinue.java:17:6:17:30 | stmt |
-| TestContinue.java:17:6:17:30 | stmt | TestContinue.java:17:27:17:28 | 20 |
-| TestContinue.java:17:15:17:15 | q | TestContinue.java:18:6:27:6 | stmt |
+| TestContinue.java:13:5:15:5 | { ... } | TestContinue.java:14:6:14:14 | continue |
+| TestContinue.java:14:6:14:14 | continue | TestContinue.java:8:20:8:20 | p |
+| TestContinue.java:16:5:28:5 | { ... } | TestContinue.java:17:6:17:30 | for (... : ...) |
+| TestContinue.java:17:6:17:30 | for (... : ...) | TestContinue.java:17:27:17:28 | 20 |
+| TestContinue.java:17:15:17:15 | q | TestContinue.java:18:6:27:6 | { ... } |
 | TestContinue.java:17:19:17:29 | new int[] | TestContinue.java:8:20:8:20 | p |
 | TestContinue.java:17:19:17:29 | new int[] | TestContinue.java:17:15:17:15 | q |
 | TestContinue.java:17:27:17:28 | 20 | TestContinue.java:17:19:17:29 | new int[] |
-| TestContinue.java:18:6:27:6 | stmt | TestContinue.java:19:7:19:17 | stmt |
-| TestContinue.java:19:7:19:17 | stmt | TestContinue.java:19:11:19:11 | q |
+| TestContinue.java:18:6:27:6 | { ... } | TestContinue.java:19:7:19:17 | if (...) |
+| TestContinue.java:19:7:19:17 | if (...) | TestContinue.java:19:11:19:11 | q |
 | TestContinue.java:19:11:19:11 | q | TestContinue.java:19:16:19:16 | 1 |
-| TestContinue.java:19:11:19:16 | ... == ... | TestContinue.java:20:7:22:7 | stmt |
-| TestContinue.java:19:11:19:16 | ... == ... | TestContinue.java:22:14:22:24 | stmt |
+| TestContinue.java:19:11:19:16 | ... == ... | TestContinue.java:20:7:22:7 | { ... } |
+| TestContinue.java:19:11:19:16 | ... == ... | TestContinue.java:22:14:22:24 | if (...) |
 | TestContinue.java:19:16:19:16 | 1 | TestContinue.java:19:11:19:16 | ... == ... |
-| TestContinue.java:20:7:22:7 | stmt | TestContinue.java:21:8:21:16 | stmt |
-| TestContinue.java:21:8:21:16 | stmt | TestContinue.java:8:20:8:20 | p |
-| TestContinue.java:21:8:21:16 | stmt | TestContinue.java:17:15:17:15 | q |
-| TestContinue.java:22:14:22:24 | stmt | TestContinue.java:22:18:22:18 | q |
+| TestContinue.java:20:7:22:7 | { ... } | TestContinue.java:21:8:21:16 | continue |
+| TestContinue.java:21:8:21:16 | continue | TestContinue.java:8:20:8:20 | p |
+| TestContinue.java:21:8:21:16 | continue | TestContinue.java:17:15:17:15 | q |
+| TestContinue.java:22:14:22:24 | if (...) | TestContinue.java:22:18:22:18 | q |
 | TestContinue.java:22:18:22:18 | q | TestContinue.java:22:23:22:23 | 2 |
-| TestContinue.java:22:18:22:23 | ... == ... | TestContinue.java:23:7:25:7 | stmt |
-| TestContinue.java:22:18:22:23 | ... == ... | TestContinue.java:26:7:26:13 | stmt |
+| TestContinue.java:22:18:22:23 | ... == ... | TestContinue.java:23:7:25:7 | { ... } |
+| TestContinue.java:22:18:22:23 | ... == ... | TestContinue.java:26:7:26:13 | ...; |
 | TestContinue.java:22:23:22:23 | 2 | TestContinue.java:22:18:22:23 | ... == ... |
-| TestContinue.java:23:7:25:7 | stmt | TestContinue.java:24:8:24:18 | stmt |
-| TestContinue.java:24:8:24:18 | stmt | TestContinue.java:8:20:8:20 | p |
+| TestContinue.java:23:7:25:7 | { ... } | TestContinue.java:24:8:24:18 | continue |
+| TestContinue.java:24:8:24:18 | continue | TestContinue.java:8:20:8:20 | p |
 | TestContinue.java:26:7:26:12 | ...=... | TestContinue.java:8:20:8:20 | p |
 | TestContinue.java:26:7:26:12 | ...=... | TestContinue.java:17:15:17:15 | q |
-| TestContinue.java:26:7:26:13 | stmt | TestContinue.java:26:11:26:12 | 12 |
+| TestContinue.java:26:7:26:13 | ...; | TestContinue.java:26:11:26:12 | 12 |
 | TestContinue.java:26:11:26:12 | 12 | TestContinue.java:26:7:26:12 | ...=... |
-| TestContinue.java:30:3:30:13 | stmt | TestContinue.java:30:11:30:12 | 12 |
-| TestContinue.java:30:7:30:12 | y | TestContinue.java:31:3:31:17 | stmt |
+| TestContinue.java:30:3:30:13 | local variable declaration | TestContinue.java:30:11:30:12 | 12 |
+| TestContinue.java:30:7:30:12 | y | TestContinue.java:31:3:31:17 | while (...) |
 | TestContinue.java:30:11:30:12 | 12 | TestContinue.java:30:7:30:12 | y |
-| TestContinue.java:31:3:31:17 | stmt | TestContinue.java:31:10:31:10 | y |
+| TestContinue.java:31:3:31:17 | while (...) | TestContinue.java:31:10:31:10 | y |
 | TestContinue.java:31:10:31:10 | y | TestContinue.java:31:15:31:16 | 13 |
-| TestContinue.java:31:10:31:16 | ... != ... | TestContinue.java:32:3:49:3 | stmt |
-| TestContinue.java:31:10:31:16 | ... != ... | TestContinue.java:50:3:50:9 | stmt |
+| TestContinue.java:31:10:31:16 | ... != ... | TestContinue.java:32:3:49:3 | { ... } |
+| TestContinue.java:31:10:31:16 | ... != ... | TestContinue.java:50:3:50:9 | ...; |
 | TestContinue.java:31:15:31:16 | 13 | TestContinue.java:31:10:31:16 | ... != ... |
-| TestContinue.java:32:3:49:3 | stmt | TestContinue.java:33:4:33:14 | stmt |
-| TestContinue.java:33:4:33:14 | stmt | TestContinue.java:33:8:33:8 | y |
+| TestContinue.java:32:3:49:3 | { ... } | TestContinue.java:33:4:33:14 | if (...) |
+| TestContinue.java:33:4:33:14 | if (...) | TestContinue.java:33:8:33:8 | y |
 | TestContinue.java:33:8:33:8 | y | TestContinue.java:33:13:33:13 | 1 |
-| TestContinue.java:33:8:33:13 | ... == ... | TestContinue.java:34:4:36:4 | stmt |
-| TestContinue.java:33:8:33:13 | ... == ... | TestContinue.java:37:4:47:4 | stmt |
+| TestContinue.java:33:8:33:13 | ... == ... | TestContinue.java:34:4:36:4 | { ... } |
+| TestContinue.java:33:8:33:13 | ... == ... | TestContinue.java:37:4:47:4 | { ... } |
 | TestContinue.java:33:13:33:13 | 1 | TestContinue.java:33:8:33:13 | ... == ... |
-| TestContinue.java:34:4:36:4 | stmt | TestContinue.java:35:5:35:13 | stmt |
-| TestContinue.java:35:5:35:13 | stmt | TestContinue.java:31:10:31:10 | y |
-| TestContinue.java:37:4:47:4 | stmt | TestContinue.java:38:5:45:21 | stmt |
-| TestContinue.java:38:5:45:21 | stmt | TestContinue.java:39:5:45:5 | stmt |
-| TestContinue.java:39:5:45:5 | stmt | TestContinue.java:40:6:40:16 | stmt |
-| TestContinue.java:40:6:40:16 | stmt | TestContinue.java:40:10:40:10 | y |
+| TestContinue.java:34:4:36:4 | { ... } | TestContinue.java:35:5:35:13 | continue |
+| TestContinue.java:35:5:35:13 | continue | TestContinue.java:31:10:31:10 | y |
+| TestContinue.java:37:4:47:4 | { ... } | TestContinue.java:38:5:45:21 | do ... while (...) |
+| TestContinue.java:38:5:45:21 | do ... while (...) | TestContinue.java:39:5:45:5 | { ... } |
+| TestContinue.java:39:5:45:5 | { ... } | TestContinue.java:40:6:40:16 | if (...) |
+| TestContinue.java:40:6:40:16 | if (...) | TestContinue.java:40:10:40:10 | y |
 | TestContinue.java:40:10:40:10 | y | TestContinue.java:40:15:40:15 | 2 |
-| TestContinue.java:40:10:40:15 | ... == ... | TestContinue.java:41:6:43:6 | stmt |
-| TestContinue.java:40:10:40:15 | ... == ... | TestContinue.java:44:6:44:15 | stmt |
+| TestContinue.java:40:10:40:15 | ... == ... | TestContinue.java:41:6:43:6 | { ... } |
+| TestContinue.java:40:10:40:15 | ... == ... | TestContinue.java:44:6:44:15 | ...; |
 | TestContinue.java:40:15:40:15 | 2 | TestContinue.java:40:10:40:15 | ... == ... |
-| TestContinue.java:41:6:43:6 | stmt | TestContinue.java:42:7:42:15 | stmt |
-| TestContinue.java:42:7:42:15 | stmt | TestContinue.java:45:14:45:14 | y |
+| TestContinue.java:41:6:43:6 | { ... } | TestContinue.java:42:7:42:15 | continue |
+| TestContinue.java:42:7:42:15 | continue | TestContinue.java:45:14:45:14 | y |
 | TestContinue.java:44:6:44:14 | ...=... | TestContinue.java:45:14:45:14 | y |
-| TestContinue.java:44:6:44:15 | stmt | TestContinue.java:44:10:44:10 | y |
+| TestContinue.java:44:6:44:15 | ...; | TestContinue.java:44:10:44:10 | y |
 | TestContinue.java:44:10:44:10 | y | TestContinue.java:44:14:44:14 | 2 |
 | TestContinue.java:44:10:44:14 | ... + ... | TestContinue.java:44:6:44:14 | ...=... |
 | TestContinue.java:44:14:44:14 | 2 | TestContinue.java:44:10:44:14 | ... + ... |
 | TestContinue.java:45:14:45:14 | y | TestContinue.java:45:19:45:19 | 1 |
-| TestContinue.java:45:14:45:19 | ... == ... | TestContinue.java:39:5:45:5 | stmt |
-| TestContinue.java:45:14:45:19 | ... == ... | TestContinue.java:46:5:46:11 | stmt |
+| TestContinue.java:45:14:45:19 | ... == ... | TestContinue.java:39:5:45:5 | { ... } |
+| TestContinue.java:45:14:45:19 | ... == ... | TestContinue.java:46:5:46:11 | ...; |
 | TestContinue.java:45:19:45:19 | 1 | TestContinue.java:45:14:45:19 | ... == ... |
-| TestContinue.java:46:5:46:10 | ...=... | TestContinue.java:48:4:48:10 | stmt |
-| TestContinue.java:46:5:46:11 | stmt | TestContinue.java:46:9:46:10 | 12 |
+| TestContinue.java:46:5:46:10 | ...=... | TestContinue.java:48:4:48:10 | ...; |
+| TestContinue.java:46:5:46:11 | ...; | TestContinue.java:46:9:46:10 | 12 |
 | TestContinue.java:46:9:46:10 | 12 | TestContinue.java:46:5:46:10 | ...=... |
 | TestContinue.java:48:4:48:9 | ...=... | TestContinue.java:31:10:31:10 | y |
-| TestContinue.java:48:4:48:10 | stmt | TestContinue.java:48:8:48:9 | 15 |
+| TestContinue.java:48:4:48:10 | ...; | TestContinue.java:48:8:48:9 | 15 |
 | TestContinue.java:48:8:48:9 | 15 | TestContinue.java:48:4:48:9 | ...=... |
-| TestContinue.java:50:3:50:8 | ...=... | TestContinue.java:51:3:51:17 | stmt |
-| TestContinue.java:50:3:50:9 | stmt | TestContinue.java:50:7:50:8 | 13 |
+| TestContinue.java:50:3:50:8 | ...=... | TestContinue.java:51:3:51:17 | while (...) |
+| TestContinue.java:50:3:50:9 | ...; | TestContinue.java:50:7:50:8 | 13 |
 | TestContinue.java:50:7:50:8 | 13 | TestContinue.java:50:3:50:8 | ...=... |
-| TestContinue.java:51:3:51:17 | stmt | TestContinue.java:51:10:51:10 | y |
+| TestContinue.java:51:3:51:17 | while (...) | TestContinue.java:51:10:51:10 | y |
 | TestContinue.java:51:10:51:10 | y | TestContinue.java:51:15:51:16 | 12 |
 | TestContinue.java:51:10:51:16 | ... != ... | TestContinue.java:4:14:4:14 | f |
-| TestContinue.java:51:10:51:16 | ... != ... | TestContinue.java:52:3:57:3 | stmt |
+| TestContinue.java:51:10:51:16 | ... != ... | TestContinue.java:52:3:57:3 | { ... } |
 | TestContinue.java:51:15:51:16 | 12 | TestContinue.java:51:10:51:16 | ... != ... |
-| TestContinue.java:52:3:57:3 | stmt | TestContinue.java:53:4:53:14 | stmt |
-| TestContinue.java:53:4:53:14 | stmt | TestContinue.java:53:8:53:8 | y |
+| TestContinue.java:52:3:57:3 | { ... } | TestContinue.java:53:4:53:14 | if (...) |
+| TestContinue.java:53:4:53:14 | if (...) | TestContinue.java:53:8:53:8 | y |
 | TestContinue.java:53:8:53:8 | y | TestContinue.java:53:13:53:13 | 6 |
-| TestContinue.java:53:8:53:13 | ... != ... | TestContinue.java:54:5:54:13 | stmt |
-| TestContinue.java:53:8:53:13 | ... != ... | TestContinue.java:56:5:56:10 | stmt |
+| TestContinue.java:53:8:53:13 | ... != ... | TestContinue.java:54:5:54:13 | continue |
+| TestContinue.java:53:8:53:13 | ... != ... | TestContinue.java:56:5:56:10 | break |
 | TestContinue.java:53:13:53:13 | 6 | TestContinue.java:53:8:53:13 | ... != ... |
-| TestContinue.java:54:5:54:13 | stmt | TestContinue.java:51:10:51:10 | y |
-| TestContinue.java:56:5:56:10 | stmt | TestContinue.java:4:14:4:14 | f |
+| TestContinue.java:54:5:54:13 | continue | TestContinue.java:51:10:51:10 | y |
+| TestContinue.java:56:5:56:10 | break | TestContinue.java:4:14:4:14 | f |
diff --git a/java/ql/test/library-tests/successors/TestDeclarations/FalseSuccessors.expected b/java/ql/test/library-tests/successors/TestDeclarations/FalseSuccessors.expected
index b5b153e709a..c7e0cec8183 100644
--- a/java/ql/test/library-tests/successors/TestDeclarations/FalseSuccessors.expected
+++ b/java/ql/test/library-tests/successors/TestDeclarations/FalseSuccessors.expected
@@ -1,3 +1,3 @@
-| TestDeclarations.java:10:8:10:14 | ... > ... | TestDeclarations.java:15:4:15:15 | stmt |
-| TestDeclarations.java:15:8:15:14 | ... == ... | TestDeclarations.java:17:4:17:15 | stmt |
+| TestDeclarations.java:10:8:10:14 | ... > ... | TestDeclarations.java:15:4:15:15 | if (...) |
+| TestDeclarations.java:15:8:15:14 | ... == ... | TestDeclarations.java:17:4:17:15 | if (...) |
 | TestDeclarations.java:17:8:17:14 | ... == ... | TestDeclarations.java:7:9:7:12 | true |
diff --git a/java/ql/test/library-tests/successors/TestDeclarations/TestSucc.expected b/java/ql/test/library-tests/successors/TestDeclarations/TestSucc.expected
index 73b0df6ab8a..9a05b5bb02d 100644
--- a/java/ql/test/library-tests/successors/TestDeclarations/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/TestDeclarations/TestSucc.expected
@@ -1,54 +1,54 @@
-| TestDeclarations.java:1:7:1:22 | stmt | TestDeclarations.java:1:7:1:22 | super(...) |
 | TestDeclarations.java:1:7:1:22 | super(...) | TestDeclarations.java:1:7:1:22 | TestDeclarations |
-| TestDeclarations.java:2:30:24:2 | stmt | TestDeclarations.java:4:3:4:11 | stmt |
-| TestDeclarations.java:4:3:4:11 | stmt | TestDeclarations.java:4:7:4:7 | b |
+| TestDeclarations.java:1:7:1:22 | { ... } | TestDeclarations.java:1:7:1:22 | super(...) |
+| TestDeclarations.java:2:30:24:2 | { ... } | TestDeclarations.java:4:3:4:11 | local variable declaration |
+| TestDeclarations.java:4:3:4:11 | local variable declaration | TestDeclarations.java:4:7:4:7 | b |
 | TestDeclarations.java:4:7:4:7 | b | TestDeclarations.java:4:10:4:10 | c |
-| TestDeclarations.java:4:10:4:10 | c | TestDeclarations.java:5:3:5:8 | stmt |
-| TestDeclarations.java:5:3:5:7 | ...=... | TestDeclarations.java:6:3:6:8 | stmt |
-| TestDeclarations.java:5:3:5:8 | stmt | TestDeclarations.java:5:7:5:7 | 0 |
+| TestDeclarations.java:4:10:4:10 | c | TestDeclarations.java:5:3:5:8 | ...; |
+| TestDeclarations.java:5:3:5:7 | ...=... | TestDeclarations.java:6:3:6:8 | ...; |
+| TestDeclarations.java:5:3:5:8 | ...; | TestDeclarations.java:5:7:5:7 | 0 |
 | TestDeclarations.java:5:7:5:7 | 0 | TestDeclarations.java:5:3:5:7 | ...=... |
-| TestDeclarations.java:6:3:6:7 | ...=... | TestDeclarations.java:7:3:7:13 | stmt |
-| TestDeclarations.java:6:3:6:8 | stmt | TestDeclarations.java:6:7:6:7 | 0 |
+| TestDeclarations.java:6:3:6:7 | ...=... | TestDeclarations.java:7:3:7:13 | while (...) |
+| TestDeclarations.java:6:3:6:8 | ...; | TestDeclarations.java:6:7:6:7 | 0 |
 | TestDeclarations.java:6:7:6:7 | 0 | TestDeclarations.java:6:3:6:7 | ...=... |
-| TestDeclarations.java:7:3:7:13 | stmt | TestDeclarations.java:7:9:7:12 | true |
-| TestDeclarations.java:7:9:7:12 | true | TestDeclarations.java:8:3:19:3 | stmt |
-| TestDeclarations.java:8:3:19:3 | stmt | TestDeclarations.java:9:4:9:10 | stmt |
-| TestDeclarations.java:9:4:9:9 | ...=... | TestDeclarations.java:10:4:10:15 | stmt |
-| TestDeclarations.java:9:4:9:10 | stmt | TestDeclarations.java:9:8:9:9 | 10 |
+| TestDeclarations.java:7:3:7:13 | while (...) | TestDeclarations.java:7:9:7:12 | true |
+| TestDeclarations.java:7:9:7:12 | true | TestDeclarations.java:8:3:19:3 | { ... } |
+| TestDeclarations.java:8:3:19:3 | { ... } | TestDeclarations.java:9:4:9:10 | ...; |
+| TestDeclarations.java:9:4:9:9 | ...=... | TestDeclarations.java:10:4:10:15 | if (...) |
+| TestDeclarations.java:9:4:9:10 | ...; | TestDeclarations.java:9:8:9:9 | 10 |
 | TestDeclarations.java:9:8:9:9 | 10 | TestDeclarations.java:9:4:9:9 | ...=... |
-| TestDeclarations.java:10:4:10:15 | stmt | TestDeclarations.java:10:8:10:8 | a |
+| TestDeclarations.java:10:4:10:15 | if (...) | TestDeclarations.java:10:8:10:8 | a |
 | TestDeclarations.java:10:8:10:8 | a | TestDeclarations.java:10:12:10:14 | 100 |
-| TestDeclarations.java:10:8:10:14 | ... > ... | TestDeclarations.java:11:4:14:4 | stmt |
-| TestDeclarations.java:10:8:10:14 | ... > ... | TestDeclarations.java:15:4:15:15 | stmt |
+| TestDeclarations.java:10:8:10:14 | ... > ... | TestDeclarations.java:11:4:14:4 | { ... } |
+| TestDeclarations.java:10:8:10:14 | ... > ... | TestDeclarations.java:15:4:15:15 | if (...) |
 | TestDeclarations.java:10:12:10:14 | 100 | TestDeclarations.java:10:8:10:14 | ... > ... |
-| TestDeclarations.java:11:4:14:4 | stmt | TestDeclarations.java:12:5:12:11 | stmt |
-| TestDeclarations.java:12:5:12:10 | ...=... | TestDeclarations.java:13:5:13:10 | stmt |
-| TestDeclarations.java:12:5:12:11 | stmt | TestDeclarations.java:12:9:12:10 | 10 |
+| TestDeclarations.java:11:4:14:4 | { ... } | TestDeclarations.java:12:5:12:11 | ...; |
+| TestDeclarations.java:12:5:12:10 | ...=... | TestDeclarations.java:13:5:13:10 | ...; |
+| TestDeclarations.java:12:5:12:11 | ...; | TestDeclarations.java:12:9:12:10 | 10 |
 | TestDeclarations.java:12:9:12:10 | 10 | TestDeclarations.java:12:5:12:10 | ...=... |
-| TestDeclarations.java:13:5:13:9 | ...=... | TestDeclarations.java:15:4:15:15 | stmt |
-| TestDeclarations.java:13:5:13:10 | stmt | TestDeclarations.java:13:9:13:9 | c |
+| TestDeclarations.java:13:5:13:9 | ...=... | TestDeclarations.java:15:4:15:15 | if (...) |
+| TestDeclarations.java:13:5:13:10 | ...; | TestDeclarations.java:13:9:13:9 | c |
 | TestDeclarations.java:13:9:13:9 | c | TestDeclarations.java:13:5:13:9 | ...=... |
-| TestDeclarations.java:15:4:15:15 | stmt | TestDeclarations.java:15:8:15:8 | a |
+| TestDeclarations.java:15:4:15:15 | if (...) | TestDeclarations.java:15:8:15:8 | a |
 | TestDeclarations.java:15:8:15:8 | a | TestDeclarations.java:15:13:15:14 | 10 |
-| TestDeclarations.java:15:8:15:14 | ... == ... | TestDeclarations.java:16:5:16:10 | stmt |
-| TestDeclarations.java:15:8:15:14 | ... == ... | TestDeclarations.java:17:4:17:15 | stmt |
+| TestDeclarations.java:15:8:15:14 | ... == ... | TestDeclarations.java:16:5:16:10 | break |
+| TestDeclarations.java:15:8:15:14 | ... == ... | TestDeclarations.java:17:4:17:15 | if (...) |
 | TestDeclarations.java:15:13:15:14 | 10 | TestDeclarations.java:15:8:15:14 | ... == ... |
-| TestDeclarations.java:16:5:16:10 | stmt | TestDeclarations.java:20:3:20:10 | stmt |
-| TestDeclarations.java:17:4:17:15 | stmt | TestDeclarations.java:17:8:17:8 | a |
+| TestDeclarations.java:16:5:16:10 | break | TestDeclarations.java:20:3:20:10 | local variable declaration |
+| TestDeclarations.java:17:4:17:15 | if (...) | TestDeclarations.java:17:8:17:8 | a |
 | TestDeclarations.java:17:8:17:8 | a | TestDeclarations.java:17:13:17:14 | 20 |
 | TestDeclarations.java:17:8:17:14 | ... == ... | TestDeclarations.java:7:9:7:12 | true |
 | TestDeclarations.java:17:8:17:14 | ... == ... | TestDeclarations.java:18:12:18:12 | c |
 | TestDeclarations.java:17:13:17:14 | 20 | TestDeclarations.java:17:8:17:14 | ... == ... |
-| TestDeclarations.java:18:5:18:13 | stmt | TestDeclarations.java:2:6:2:21 | declarationTests |
-| TestDeclarations.java:18:12:18:12 | c | TestDeclarations.java:18:5:18:13 | stmt |
-| TestDeclarations.java:20:3:20:10 | stmt | TestDeclarations.java:20:7:20:7 | x |
+| TestDeclarations.java:18:5:18:13 | return ... | TestDeclarations.java:2:6:2:21 | declarationTests |
+| TestDeclarations.java:18:12:18:12 | c | TestDeclarations.java:18:5:18:13 | return ... |
+| TestDeclarations.java:20:3:20:10 | local variable declaration | TestDeclarations.java:20:7:20:7 | x |
 | TestDeclarations.java:20:7:20:7 | x | TestDeclarations.java:20:9:20:9 | y |
-| TestDeclarations.java:20:9:20:9 | y | TestDeclarations.java:21:3:21:8 | stmt |
-| TestDeclarations.java:21:3:21:7 | ...=... | TestDeclarations.java:22:3:22:8 | stmt |
-| TestDeclarations.java:21:3:21:8 | stmt | TestDeclarations.java:21:7:21:7 | 3 |
+| TestDeclarations.java:20:9:20:9 | y | TestDeclarations.java:21:3:21:8 | ...; |
+| TestDeclarations.java:21:3:21:7 | ...=... | TestDeclarations.java:22:3:22:8 | ...; |
+| TestDeclarations.java:21:3:21:8 | ...; | TestDeclarations.java:21:7:21:7 | 3 |
 | TestDeclarations.java:21:7:21:7 | 3 | TestDeclarations.java:21:3:21:7 | ...=... |
 | TestDeclarations.java:22:3:22:7 | ...=... | TestDeclarations.java:23:10:23:10 | b |
-| TestDeclarations.java:22:3:22:8 | stmt | TestDeclarations.java:22:7:22:7 | 4 |
+| TestDeclarations.java:22:3:22:8 | ...; | TestDeclarations.java:22:7:22:7 | 4 |
 | TestDeclarations.java:22:7:22:7 | 4 | TestDeclarations.java:22:3:22:7 | ...=... |
-| TestDeclarations.java:23:3:23:11 | stmt | TestDeclarations.java:2:6:2:21 | declarationTests |
-| TestDeclarations.java:23:10:23:10 | b | TestDeclarations.java:23:3:23:11 | stmt |
+| TestDeclarations.java:23:3:23:11 | return ... | TestDeclarations.java:2:6:2:21 | declarationTests |
+| TestDeclarations.java:23:10:23:10 | b | TestDeclarations.java:23:3:23:11 | return ... |
diff --git a/java/ql/test/library-tests/successors/TestFinally/FalseSuccessors.expected b/java/ql/test/library-tests/successors/TestFinally/FalseSuccessors.expected
index f94fa777023..de8e32d0b38 100644
--- a/java/ql/test/library-tests/successors/TestFinally/FalseSuccessors.expected
+++ b/java/ql/test/library-tests/successors/TestFinally/FalseSuccessors.expected
@@ -1,15 +1,15 @@
-| TestFinally.java:12:9:12:14 | ... == ... | TestFinally.java:16:5:39:5 | stmt |
-| TestFinally.java:19:10:19:15 | ... == ... | TestFinally.java:23:6:23:32 | stmt |
-| TestFinally.java:27:10:27:15 | ... == ... | TestFinally.java:32:5:39:5 | stmt |
-| TestFinally.java:34:10:34:15 | ... == ... | TestFinally.java:38:6:38:36 | stmt |
-| TestFinally.java:47:10:47:15 | ... == ... | TestFinally.java:51:6:51:32 | stmt |
-| TestFinally.java:55:10:55:15 | ... == ... | TestFinally.java:60:5:67:5 | stmt |
-| TestFinally.java:62:10:62:15 | ... == ... | TestFinally.java:66:6:66:36 | stmt |
-| TestFinally.java:68:9:68:14 | ... == ... | TestFinally.java:73:4:80:4 | stmt |
-| TestFinally.java:75:9:75:14 | ... == ... | TestFinally.java:79:5:79:35 | stmt |
-| TestFinally.java:91:9:91:14 | ... == ... | TestFinally.java:95:5:95:31 | stmt |
-| TestFinally.java:99:9:99:14 | ... == ... | TestFinally.java:104:4:111:4 | stmt |
-| TestFinally.java:106:9:106:14 | ... == ... | TestFinally.java:110:5:110:35 | stmt |
-| TestFinally.java:126:8:126:13 | ... == ... | TestFinally.java:130:4:130:30 | stmt |
-| TestFinally.java:134:8:134:13 | ... == ... | TestFinally.java:139:3:146:3 | stmt |
-| TestFinally.java:141:8:141:13 | ... == ... | TestFinally.java:145:4:145:34 | stmt |
+| TestFinally.java:12:9:12:14 | ... == ... | TestFinally.java:16:5:39:5 | try ... |
+| TestFinally.java:19:10:19:15 | ... == ... | TestFinally.java:23:6:23:32 | ...; |
+| TestFinally.java:27:10:27:15 | ... == ... | TestFinally.java:32:5:39:5 | { ... } |
+| TestFinally.java:34:10:34:15 | ... == ... | TestFinally.java:38:6:38:36 | ...; |
+| TestFinally.java:47:10:47:15 | ... == ... | TestFinally.java:51:6:51:32 | ...; |
+| TestFinally.java:55:10:55:15 | ... == ... | TestFinally.java:60:5:67:5 | { ... } |
+| TestFinally.java:62:10:62:15 | ... == ... | TestFinally.java:66:6:66:36 | ...; |
+| TestFinally.java:68:9:68:14 | ... == ... | TestFinally.java:73:4:80:4 | { ... } |
+| TestFinally.java:75:9:75:14 | ... == ... | TestFinally.java:79:5:79:35 | ...; |
+| TestFinally.java:91:9:91:14 | ... == ... | TestFinally.java:95:5:95:31 | ...; |
+| TestFinally.java:99:9:99:14 | ... == ... | TestFinally.java:104:4:111:4 | { ... } |
+| TestFinally.java:106:9:106:14 | ... == ... | TestFinally.java:110:5:110:35 | ...; |
+| TestFinally.java:126:8:126:13 | ... == ... | TestFinally.java:130:4:130:30 | ...; |
+| TestFinally.java:134:8:134:13 | ... == ... | TestFinally.java:139:3:146:3 | { ... } |
+| TestFinally.java:141:8:141:13 | ... == ... | TestFinally.java:145:4:145:34 | ...; |
diff --git a/java/ql/test/library-tests/successors/TestFinally/TestSucc.expected b/java/ql/test/library-tests/successors/TestFinally/TestSucc.expected
index df7b4e57ebf..baf6e960eb8 100644
--- a/java/ql/test/library-tests/successors/TestFinally/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/TestFinally/TestSucc.expected
@@ -1,337 +1,337 @@
-| TestFinally.java:3:14:3:24 | stmt | TestFinally.java:3:14:3:24 | super(...) |
 | TestFinally.java:3:14:3:24 | super(...) | TestFinally.java:3:14:3:24 | TestFinally |
-| TestFinally.java:5:2:149:2 | stmt | TestFinally.java:6:3:6:13 | stmt |
-| TestFinally.java:6:3:6:13 | stmt | TestFinally.java:6:11:6:12 | 12 |
-| TestFinally.java:6:7:6:12 | z | TestFinally.java:7:3:120:3 | stmt |
+| TestFinally.java:3:14:3:24 | { ... } | TestFinally.java:3:14:3:24 | super(...) |
+| TestFinally.java:5:2:149:2 | { ... } | TestFinally.java:6:3:6:13 | local variable declaration |
+| TestFinally.java:6:3:6:13 | local variable declaration | TestFinally.java:6:11:6:12 | 12 |
+| TestFinally.java:6:7:6:12 | z | TestFinally.java:7:3:120:3 | try ... |
 | TestFinally.java:6:11:6:12 | 12 | TestFinally.java:6:7:6:12 | z |
-| TestFinally.java:7:3:120:3 | stmt | TestFinally.java:8:3:86:3 | stmt |
-| TestFinally.java:8:3:86:3 | stmt | TestFinally.java:9:4:80:4 | stmt |
-| TestFinally.java:9:4:80:4 | stmt | TestFinally.java:10:4:41:4 | stmt |
-| TestFinally.java:10:4:41:4 | stmt | TestFinally.java:11:5:11:31 | stmt |
+| TestFinally.java:7:3:120:3 | try ... | TestFinally.java:8:3:86:3 | { ... } |
+| TestFinally.java:8:3:86:3 | { ... } | TestFinally.java:9:4:80:4 | try ... |
+| TestFinally.java:9:4:80:4 | try ... | TestFinally.java:10:4:41:4 | { ... } |
+| TestFinally.java:10:4:41:4 | { ... } | TestFinally.java:11:5:11:31 | ...; |
 | TestFinally.java:11:5:11:14 | System.out | TestFinally.java:11:24:11:29 | "Try1" |
-| TestFinally.java:11:5:11:30 | println(...) | TestFinally.java:12:5:12:15 | stmt |
-| TestFinally.java:11:5:11:30 | println(...) | TestFinally.java:41:6:41:25 | stmt |
-| TestFinally.java:11:5:11:30 | println(...) | TestFinally.java:73:4:80:4 | stmt |
-| TestFinally.java:11:5:11:31 | stmt | TestFinally.java:11:5:11:14 | System.out |
+| TestFinally.java:11:5:11:30 | println(...) | TestFinally.java:12:5:12:15 | if (...) |
+| TestFinally.java:11:5:11:30 | println(...) | TestFinally.java:41:6:41:25 | catch (...) |
+| TestFinally.java:11:5:11:30 | println(...) | TestFinally.java:73:4:80:4 | { ... } |
+| TestFinally.java:11:5:11:31 | ...; | TestFinally.java:11:5:11:14 | System.out |
 | TestFinally.java:11:24:11:29 | "Try1" | TestFinally.java:11:5:11:30 | println(...) |
-| TestFinally.java:12:5:12:15 | stmt | TestFinally.java:12:9:12:9 | z |
+| TestFinally.java:12:5:12:15 | if (...) | TestFinally.java:12:9:12:9 | z |
 | TestFinally.java:12:9:12:9 | z | TestFinally.java:12:14:12:14 | 1 |
-| TestFinally.java:12:9:12:14 | ... == ... | TestFinally.java:13:5:15:5 | stmt |
-| TestFinally.java:12:9:12:14 | ... == ... | TestFinally.java:16:5:39:5 | stmt |
+| TestFinally.java:12:9:12:14 | ... == ... | TestFinally.java:13:5:15:5 | { ... } |
+| TestFinally.java:12:9:12:14 | ... == ... | TestFinally.java:16:5:39:5 | try ... |
 | TestFinally.java:12:14:12:14 | 1 | TestFinally.java:12:9:12:14 | ... == ... |
-| TestFinally.java:13:5:15:5 | stmt | TestFinally.java:14:6:14:12 | stmt |
-| TestFinally.java:14:6:14:12 | stmt | TestFinally.java:73:4:80:4 | stmt |
-| TestFinally.java:16:5:39:5 | stmt | TestFinally.java:17:5:24:5 | stmt |
-| TestFinally.java:17:5:24:5 | stmt | TestFinally.java:18:6:18:32 | stmt |
+| TestFinally.java:13:5:15:5 | { ... } | TestFinally.java:14:6:14:12 | return ... |
+| TestFinally.java:14:6:14:12 | return ... | TestFinally.java:73:4:80:4 | { ... } |
+| TestFinally.java:16:5:39:5 | try ... | TestFinally.java:17:5:24:5 | { ... } |
+| TestFinally.java:17:5:24:5 | { ... } | TestFinally.java:18:6:18:32 | ...; |
 | TestFinally.java:18:6:18:15 | System.out | TestFinally.java:18:25:18:30 | "Try1" |
-| TestFinally.java:18:6:18:31 | println(...) | TestFinally.java:19:6:19:16 | stmt |
-| TestFinally.java:18:6:18:31 | println(...) | TestFinally.java:24:7:24:26 | stmt |
-| TestFinally.java:18:6:18:31 | println(...) | TestFinally.java:32:5:39:5 | stmt |
-| TestFinally.java:18:6:18:32 | stmt | TestFinally.java:18:6:18:15 | System.out |
+| TestFinally.java:18:6:18:31 | println(...) | TestFinally.java:19:6:19:16 | if (...) |
+| TestFinally.java:18:6:18:31 | println(...) | TestFinally.java:24:7:24:26 | catch (...) |
+| TestFinally.java:18:6:18:31 | println(...) | TestFinally.java:32:5:39:5 | { ... } |
+| TestFinally.java:18:6:18:32 | ...; | TestFinally.java:18:6:18:15 | System.out |
 | TestFinally.java:18:25:18:30 | "Try1" | TestFinally.java:18:6:18:31 | println(...) |
-| TestFinally.java:19:6:19:16 | stmt | TestFinally.java:19:10:19:10 | z |
+| TestFinally.java:19:6:19:16 | if (...) | TestFinally.java:19:10:19:10 | z |
 | TestFinally.java:19:10:19:10 | z | TestFinally.java:19:15:19:15 | 1 |
-| TestFinally.java:19:10:19:15 | ... == ... | TestFinally.java:20:6:22:6 | stmt |
-| TestFinally.java:19:10:19:15 | ... == ... | TestFinally.java:23:6:23:32 | stmt |
+| TestFinally.java:19:10:19:15 | ... == ... | TestFinally.java:20:6:22:6 | { ... } |
+| TestFinally.java:19:10:19:15 | ... == ... | TestFinally.java:23:6:23:32 | ...; |
 | TestFinally.java:19:15:19:15 | 1 | TestFinally.java:19:10:19:15 | ... == ... |
-| TestFinally.java:20:6:22:6 | stmt | TestFinally.java:21:7:21:13 | stmt |
-| TestFinally.java:21:7:21:13 | stmt | TestFinally.java:32:5:39:5 | stmt |
+| TestFinally.java:20:6:22:6 | { ... } | TestFinally.java:21:7:21:13 | return ... |
+| TestFinally.java:21:7:21:13 | return ... | TestFinally.java:32:5:39:5 | { ... } |
 | TestFinally.java:23:6:23:15 | System.out | TestFinally.java:23:25:23:30 | "Try2" |
-| TestFinally.java:23:6:23:31 | println(...) | TestFinally.java:24:7:24:26 | stmt |
-| TestFinally.java:23:6:23:31 | println(...) | TestFinally.java:32:5:39:5 | stmt |
-| TestFinally.java:23:6:23:32 | stmt | TestFinally.java:23:6:23:15 | System.out |
+| TestFinally.java:23:6:23:31 | println(...) | TestFinally.java:24:7:24:26 | catch (...) |
+| TestFinally.java:23:6:23:31 | println(...) | TestFinally.java:32:5:39:5 | { ... } |
+| TestFinally.java:23:6:23:32 | ...; | TestFinally.java:23:6:23:15 | System.out |
 | TestFinally.java:23:25:23:30 | "Try2" | TestFinally.java:23:6:23:31 | println(...) |
-| TestFinally.java:24:7:24:26 | stmt | TestFinally.java:24:24:24:25 | ex |
-| TestFinally.java:24:24:24:25 | ex | TestFinally.java:25:5:31:5 | stmt |
-| TestFinally.java:25:5:31:5 | stmt | TestFinally.java:26:6:26:37 | stmt |
+| TestFinally.java:24:7:24:26 | catch (...) | TestFinally.java:24:24:24:25 | ex |
+| TestFinally.java:24:24:24:25 | ex | TestFinally.java:25:5:31:5 | { ... } |
+| TestFinally.java:25:5:31:5 | { ... } | TestFinally.java:26:6:26:37 | ...; |
 | TestFinally.java:26:6:26:15 | System.out | TestFinally.java:26:25:26:35 | "Exception" |
-| TestFinally.java:26:6:26:36 | println(...) | TestFinally.java:27:6:27:16 | stmt |
-| TestFinally.java:26:6:26:36 | println(...) | TestFinally.java:32:5:39:5 | stmt |
-| TestFinally.java:26:6:26:37 | stmt | TestFinally.java:26:6:26:15 | System.out |
+| TestFinally.java:26:6:26:36 | println(...) | TestFinally.java:27:6:27:16 | if (...) |
+| TestFinally.java:26:6:26:36 | println(...) | TestFinally.java:32:5:39:5 | { ... } |
+| TestFinally.java:26:6:26:37 | ...; | TestFinally.java:26:6:26:15 | System.out |
 | TestFinally.java:26:25:26:35 | "Exception" | TestFinally.java:26:6:26:36 | println(...) |
-| TestFinally.java:27:6:27:16 | stmt | TestFinally.java:27:10:27:10 | z |
+| TestFinally.java:27:6:27:16 | if (...) | TestFinally.java:27:10:27:10 | z |
 | TestFinally.java:27:10:27:10 | z | TestFinally.java:27:15:27:15 | 1 |
-| TestFinally.java:27:10:27:15 | ... == ... | TestFinally.java:28:6:30:6 | stmt |
-| TestFinally.java:27:10:27:15 | ... == ... | TestFinally.java:32:5:39:5 | stmt |
+| TestFinally.java:27:10:27:15 | ... == ... | TestFinally.java:28:6:30:6 | { ... } |
+| TestFinally.java:27:10:27:15 | ... == ... | TestFinally.java:32:5:39:5 | { ... } |
 | TestFinally.java:27:15:27:15 | 1 | TestFinally.java:27:10:27:15 | ... == ... |
-| TestFinally.java:28:6:30:6 | stmt | TestFinally.java:29:7:29:13 | stmt |
-| TestFinally.java:29:7:29:13 | stmt | TestFinally.java:32:5:39:5 | stmt |
-| TestFinally.java:32:5:39:5 | stmt | TestFinally.java:33:6:33:35 | stmt |
+| TestFinally.java:28:6:30:6 | { ... } | TestFinally.java:29:7:29:13 | return ... |
+| TestFinally.java:29:7:29:13 | return ... | TestFinally.java:32:5:39:5 | { ... } |
+| TestFinally.java:32:5:39:5 | { ... } | TestFinally.java:33:6:33:35 | ...; |
 | TestFinally.java:33:6:33:15 | System.out | TestFinally.java:33:25:33:33 | "Finally" |
-| TestFinally.java:33:6:33:34 | println(...) | TestFinally.java:34:6:34:16 | stmt |
-| TestFinally.java:33:6:33:34 | println(...) | TestFinally.java:41:6:41:25 | stmt |
-| TestFinally.java:33:6:33:34 | println(...) | TestFinally.java:73:4:80:4 | stmt |
-| TestFinally.java:33:6:33:35 | stmt | TestFinally.java:33:6:33:15 | System.out |
+| TestFinally.java:33:6:33:34 | println(...) | TestFinally.java:34:6:34:16 | if (...) |
+| TestFinally.java:33:6:33:34 | println(...) | TestFinally.java:41:6:41:25 | catch (...) |
+| TestFinally.java:33:6:33:34 | println(...) | TestFinally.java:73:4:80:4 | { ... } |
+| TestFinally.java:33:6:33:35 | ...; | TestFinally.java:33:6:33:15 | System.out |
 | TestFinally.java:33:25:33:33 | "Finally" | TestFinally.java:33:6:33:34 | println(...) |
-| TestFinally.java:34:6:34:16 | stmt | TestFinally.java:34:10:34:10 | z |
+| TestFinally.java:34:6:34:16 | if (...) | TestFinally.java:34:10:34:10 | z |
 | TestFinally.java:34:10:34:10 | z | TestFinally.java:34:15:34:15 | 1 |
-| TestFinally.java:34:10:34:15 | ... == ... | TestFinally.java:35:6:37:6 | stmt |
-| TestFinally.java:34:10:34:15 | ... == ... | TestFinally.java:38:6:38:36 | stmt |
+| TestFinally.java:34:10:34:15 | ... == ... | TestFinally.java:35:6:37:6 | { ... } |
+| TestFinally.java:34:10:34:15 | ... == ... | TestFinally.java:38:6:38:36 | ...; |
 | TestFinally.java:34:15:34:15 | 1 | TestFinally.java:34:10:34:15 | ... == ... |
-| TestFinally.java:35:6:37:6 | stmt | TestFinally.java:36:7:36:13 | stmt |
-| TestFinally.java:36:7:36:13 | stmt | TestFinally.java:73:4:80:4 | stmt |
+| TestFinally.java:35:6:37:6 | { ... } | TestFinally.java:36:7:36:13 | return ... |
+| TestFinally.java:36:7:36:13 | return ... | TestFinally.java:73:4:80:4 | { ... } |
 | TestFinally.java:38:6:38:15 | System.out | TestFinally.java:38:25:38:34 | "Finally2" |
-| TestFinally.java:38:6:38:35 | println(...) | TestFinally.java:40:5:40:31 | stmt |
-| TestFinally.java:38:6:38:35 | println(...) | TestFinally.java:41:6:41:25 | stmt |
-| TestFinally.java:38:6:38:35 | println(...) | TestFinally.java:73:4:80:4 | stmt |
-| TestFinally.java:38:6:38:36 | stmt | TestFinally.java:38:6:38:15 | System.out |
+| TestFinally.java:38:6:38:35 | println(...) | TestFinally.java:40:5:40:31 | ...; |
+| TestFinally.java:38:6:38:35 | println(...) | TestFinally.java:41:6:41:25 | catch (...) |
+| TestFinally.java:38:6:38:35 | println(...) | TestFinally.java:73:4:80:4 | { ... } |
+| TestFinally.java:38:6:38:36 | ...; | TestFinally.java:38:6:38:15 | System.out |
 | TestFinally.java:38:25:38:34 | "Finally2" | TestFinally.java:38:6:38:35 | println(...) |
 | TestFinally.java:40:5:40:14 | System.out | TestFinally.java:40:24:40:29 | "Try2" |
-| TestFinally.java:40:5:40:30 | println(...) | TestFinally.java:41:6:41:25 | stmt |
-| TestFinally.java:40:5:40:30 | println(...) | TestFinally.java:73:4:80:4 | stmt |
-| TestFinally.java:40:5:40:31 | stmt | TestFinally.java:40:5:40:14 | System.out |
+| TestFinally.java:40:5:40:30 | println(...) | TestFinally.java:41:6:41:25 | catch (...) |
+| TestFinally.java:40:5:40:30 | println(...) | TestFinally.java:73:4:80:4 | { ... } |
+| TestFinally.java:40:5:40:31 | ...; | TestFinally.java:40:5:40:14 | System.out |
 | TestFinally.java:40:24:40:29 | "Try2" | TestFinally.java:40:5:40:30 | println(...) |
-| TestFinally.java:41:6:41:25 | stmt | TestFinally.java:41:23:41:24 | ex |
-| TestFinally.java:41:23:41:24 | ex | TestFinally.java:42:4:72:4 | stmt |
-| TestFinally.java:42:4:72:4 | stmt | TestFinally.java:43:5:43:36 | stmt |
+| TestFinally.java:41:6:41:25 | catch (...) | TestFinally.java:41:23:41:24 | ex |
+| TestFinally.java:41:23:41:24 | ex | TestFinally.java:42:4:72:4 | { ... } |
+| TestFinally.java:42:4:72:4 | { ... } | TestFinally.java:43:5:43:36 | ...; |
 | TestFinally.java:43:5:43:14 | System.out | TestFinally.java:43:24:43:34 | "Exception" |
-| TestFinally.java:43:5:43:35 | println(...) | TestFinally.java:44:5:67:5 | stmt |
-| TestFinally.java:43:5:43:35 | println(...) | TestFinally.java:73:4:80:4 | stmt |
-| TestFinally.java:43:5:43:36 | stmt | TestFinally.java:43:5:43:14 | System.out |
+| TestFinally.java:43:5:43:35 | println(...) | TestFinally.java:44:5:67:5 | try ... |
+| TestFinally.java:43:5:43:35 | println(...) | TestFinally.java:73:4:80:4 | { ... } |
+| TestFinally.java:43:5:43:36 | ...; | TestFinally.java:43:5:43:14 | System.out |
 | TestFinally.java:43:24:43:34 | "Exception" | TestFinally.java:43:5:43:35 | println(...) |
-| TestFinally.java:44:5:67:5 | stmt | TestFinally.java:45:5:52:5 | stmt |
-| TestFinally.java:45:5:52:5 | stmt | TestFinally.java:46:6:46:32 | stmt |
+| TestFinally.java:44:5:67:5 | try ... | TestFinally.java:45:5:52:5 | { ... } |
+| TestFinally.java:45:5:52:5 | { ... } | TestFinally.java:46:6:46:32 | ...; |
 | TestFinally.java:46:6:46:15 | System.out | TestFinally.java:46:25:46:30 | "Try1" |
-| TestFinally.java:46:6:46:31 | println(...) | TestFinally.java:47:6:47:16 | stmt |
-| TestFinally.java:46:6:46:31 | println(...) | TestFinally.java:52:7:52:27 | stmt |
-| TestFinally.java:46:6:46:31 | println(...) | TestFinally.java:60:5:67:5 | stmt |
-| TestFinally.java:46:6:46:32 | stmt | TestFinally.java:46:6:46:15 | System.out |
+| TestFinally.java:46:6:46:31 | println(...) | TestFinally.java:47:6:47:16 | if (...) |
+| TestFinally.java:46:6:46:31 | println(...) | TestFinally.java:52:7:52:27 | catch (...) |
+| TestFinally.java:46:6:46:31 | println(...) | TestFinally.java:60:5:67:5 | { ... } |
+| TestFinally.java:46:6:46:32 | ...; | TestFinally.java:46:6:46:15 | System.out |
 | TestFinally.java:46:25:46:30 | "Try1" | TestFinally.java:46:6:46:31 | println(...) |
-| TestFinally.java:47:6:47:16 | stmt | TestFinally.java:47:10:47:10 | z |
+| TestFinally.java:47:6:47:16 | if (...) | TestFinally.java:47:10:47:10 | z |
 | TestFinally.java:47:10:47:10 | z | TestFinally.java:47:15:47:15 | 1 |
-| TestFinally.java:47:10:47:15 | ... == ... | TestFinally.java:48:6:50:6 | stmt |
-| TestFinally.java:47:10:47:15 | ... == ... | TestFinally.java:51:6:51:32 | stmt |
+| TestFinally.java:47:10:47:15 | ... == ... | TestFinally.java:48:6:50:6 | { ... } |
+| TestFinally.java:47:10:47:15 | ... == ... | TestFinally.java:51:6:51:32 | ...; |
 | TestFinally.java:47:15:47:15 | 1 | TestFinally.java:47:10:47:15 | ... == ... |
-| TestFinally.java:48:6:50:6 | stmt | TestFinally.java:49:7:49:13 | stmt |
-| TestFinally.java:49:7:49:13 | stmt | TestFinally.java:60:5:67:5 | stmt |
+| TestFinally.java:48:6:50:6 | { ... } | TestFinally.java:49:7:49:13 | return ... |
+| TestFinally.java:49:7:49:13 | return ... | TestFinally.java:60:5:67:5 | { ... } |
 | TestFinally.java:51:6:51:15 | System.out | TestFinally.java:51:25:51:30 | "Try2" |
-| TestFinally.java:51:6:51:31 | println(...) | TestFinally.java:52:7:52:27 | stmt |
-| TestFinally.java:51:6:51:31 | println(...) | TestFinally.java:60:5:67:5 | stmt |
-| TestFinally.java:51:6:51:32 | stmt | TestFinally.java:51:6:51:15 | System.out |
+| TestFinally.java:51:6:51:31 | println(...) | TestFinally.java:52:7:52:27 | catch (...) |
+| TestFinally.java:51:6:51:31 | println(...) | TestFinally.java:60:5:67:5 | { ... } |
+| TestFinally.java:51:6:51:32 | ...; | TestFinally.java:51:6:51:15 | System.out |
 | TestFinally.java:51:25:51:30 | "Try2" | TestFinally.java:51:6:51:31 | println(...) |
-| TestFinally.java:52:7:52:27 | stmt | TestFinally.java:52:24:52:26 | ex2 |
-| TestFinally.java:52:24:52:26 | ex2 | TestFinally.java:53:5:59:5 | stmt |
-| TestFinally.java:53:5:59:5 | stmt | TestFinally.java:54:6:54:37 | stmt |
+| TestFinally.java:52:7:52:27 | catch (...) | TestFinally.java:52:24:52:26 | ex2 |
+| TestFinally.java:52:24:52:26 | ex2 | TestFinally.java:53:5:59:5 | { ... } |
+| TestFinally.java:53:5:59:5 | { ... } | TestFinally.java:54:6:54:37 | ...; |
 | TestFinally.java:54:6:54:15 | System.out | TestFinally.java:54:25:54:35 | "Exception" |
-| TestFinally.java:54:6:54:36 | println(...) | TestFinally.java:55:6:55:16 | stmt |
-| TestFinally.java:54:6:54:36 | println(...) | TestFinally.java:60:5:67:5 | stmt |
-| TestFinally.java:54:6:54:37 | stmt | TestFinally.java:54:6:54:15 | System.out |
+| TestFinally.java:54:6:54:36 | println(...) | TestFinally.java:55:6:55:16 | if (...) |
+| TestFinally.java:54:6:54:36 | println(...) | TestFinally.java:60:5:67:5 | { ... } |
+| TestFinally.java:54:6:54:37 | ...; | TestFinally.java:54:6:54:15 | System.out |
 | TestFinally.java:54:25:54:35 | "Exception" | TestFinally.java:54:6:54:36 | println(...) |
-| TestFinally.java:55:6:55:16 | stmt | TestFinally.java:55:10:55:10 | z |
+| TestFinally.java:55:6:55:16 | if (...) | TestFinally.java:55:10:55:10 | z |
 | TestFinally.java:55:10:55:10 | z | TestFinally.java:55:15:55:15 | 1 |
-| TestFinally.java:55:10:55:15 | ... == ... | TestFinally.java:56:6:58:6 | stmt |
-| TestFinally.java:55:10:55:15 | ... == ... | TestFinally.java:60:5:67:5 | stmt |
+| TestFinally.java:55:10:55:15 | ... == ... | TestFinally.java:56:6:58:6 | { ... } |
+| TestFinally.java:55:10:55:15 | ... == ... | TestFinally.java:60:5:67:5 | { ... } |
 | TestFinally.java:55:15:55:15 | 1 | TestFinally.java:55:10:55:15 | ... == ... |
-| TestFinally.java:56:6:58:6 | stmt | TestFinally.java:57:7:57:13 | stmt |
-| TestFinally.java:57:7:57:13 | stmt | TestFinally.java:60:5:67:5 | stmt |
-| TestFinally.java:60:5:67:5 | stmt | TestFinally.java:61:6:61:35 | stmt |
+| TestFinally.java:56:6:58:6 | { ... } | TestFinally.java:57:7:57:13 | return ... |
+| TestFinally.java:57:7:57:13 | return ... | TestFinally.java:60:5:67:5 | { ... } |
+| TestFinally.java:60:5:67:5 | { ... } | TestFinally.java:61:6:61:35 | ...; |
 | TestFinally.java:61:6:61:15 | System.out | TestFinally.java:61:25:61:33 | "Finally" |
-| TestFinally.java:61:6:61:34 | println(...) | TestFinally.java:62:6:62:16 | stmt |
-| TestFinally.java:61:6:61:34 | println(...) | TestFinally.java:73:4:80:4 | stmt |
-| TestFinally.java:61:6:61:35 | stmt | TestFinally.java:61:6:61:15 | System.out |
+| TestFinally.java:61:6:61:34 | println(...) | TestFinally.java:62:6:62:16 | if (...) |
+| TestFinally.java:61:6:61:34 | println(...) | TestFinally.java:73:4:80:4 | { ... } |
+| TestFinally.java:61:6:61:35 | ...; | TestFinally.java:61:6:61:15 | System.out |
 | TestFinally.java:61:25:61:33 | "Finally" | TestFinally.java:61:6:61:34 | println(...) |
-| TestFinally.java:62:6:62:16 | stmt | TestFinally.java:62:10:62:10 | z |
+| TestFinally.java:62:6:62:16 | if (...) | TestFinally.java:62:10:62:10 | z |
 | TestFinally.java:62:10:62:10 | z | TestFinally.java:62:15:62:15 | 1 |
-| TestFinally.java:62:10:62:15 | ... == ... | TestFinally.java:63:6:65:6 | stmt |
-| TestFinally.java:62:10:62:15 | ... == ... | TestFinally.java:66:6:66:36 | stmt |
+| TestFinally.java:62:10:62:15 | ... == ... | TestFinally.java:63:6:65:6 | { ... } |
+| TestFinally.java:62:10:62:15 | ... == ... | TestFinally.java:66:6:66:36 | ...; |
 | TestFinally.java:62:15:62:15 | 1 | TestFinally.java:62:10:62:15 | ... == ... |
-| TestFinally.java:63:6:65:6 | stmt | TestFinally.java:64:7:64:13 | stmt |
-| TestFinally.java:64:7:64:13 | stmt | TestFinally.java:73:4:80:4 | stmt |
+| TestFinally.java:63:6:65:6 | { ... } | TestFinally.java:64:7:64:13 | return ... |
+| TestFinally.java:64:7:64:13 | return ... | TestFinally.java:73:4:80:4 | { ... } |
 | TestFinally.java:66:6:66:15 | System.out | TestFinally.java:66:25:66:34 | "Finally2" |
-| TestFinally.java:66:6:66:35 | println(...) | TestFinally.java:68:5:68:15 | stmt |
-| TestFinally.java:66:6:66:35 | println(...) | TestFinally.java:73:4:80:4 | stmt |
-| TestFinally.java:66:6:66:36 | stmt | TestFinally.java:66:6:66:15 | System.out |
+| TestFinally.java:66:6:66:35 | println(...) | TestFinally.java:68:5:68:15 | if (...) |
+| TestFinally.java:66:6:66:35 | println(...) | TestFinally.java:73:4:80:4 | { ... } |
+| TestFinally.java:66:6:66:36 | ...; | TestFinally.java:66:6:66:15 | System.out |
 | TestFinally.java:66:25:66:34 | "Finally2" | TestFinally.java:66:6:66:35 | println(...) |
-| TestFinally.java:68:5:68:15 | stmt | TestFinally.java:68:9:68:9 | z |
+| TestFinally.java:68:5:68:15 | if (...) | TestFinally.java:68:9:68:9 | z |
 | TestFinally.java:68:9:68:9 | z | TestFinally.java:68:14:68:14 | 1 |
-| TestFinally.java:68:9:68:14 | ... == ... | TestFinally.java:69:5:71:5 | stmt |
-| TestFinally.java:68:9:68:14 | ... == ... | TestFinally.java:73:4:80:4 | stmt |
+| TestFinally.java:68:9:68:14 | ... == ... | TestFinally.java:69:5:71:5 | { ... } |
+| TestFinally.java:68:9:68:14 | ... == ... | TestFinally.java:73:4:80:4 | { ... } |
 | TestFinally.java:68:14:68:14 | 1 | TestFinally.java:68:9:68:14 | ... == ... |
-| TestFinally.java:69:5:71:5 | stmt | TestFinally.java:70:6:70:12 | stmt |
-| TestFinally.java:70:6:70:12 | stmt | TestFinally.java:73:4:80:4 | stmt |
-| TestFinally.java:73:4:80:4 | stmt | TestFinally.java:74:5:74:34 | stmt |
+| TestFinally.java:69:5:71:5 | { ... } | TestFinally.java:70:6:70:12 | return ... |
+| TestFinally.java:70:6:70:12 | return ... | TestFinally.java:73:4:80:4 | { ... } |
+| TestFinally.java:73:4:80:4 | { ... } | TestFinally.java:74:5:74:34 | ...; |
 | TestFinally.java:74:5:74:14 | System.out | TestFinally.java:74:24:74:32 | "Finally" |
-| TestFinally.java:74:5:74:33 | println(...) | TestFinally.java:75:5:75:15 | stmt |
-| TestFinally.java:74:5:74:33 | println(...) | TestFinally.java:86:5:86:23 | stmt |
-| TestFinally.java:74:5:74:33 | println(...) | TestFinally.java:116:3:120:3 | stmt |
-| TestFinally.java:74:5:74:34 | stmt | TestFinally.java:74:5:74:14 | System.out |
+| TestFinally.java:74:5:74:33 | println(...) | TestFinally.java:75:5:75:15 | if (...) |
+| TestFinally.java:74:5:74:33 | println(...) | TestFinally.java:86:5:86:23 | catch (...) |
+| TestFinally.java:74:5:74:33 | println(...) | TestFinally.java:116:3:120:3 | { ... } |
+| TestFinally.java:74:5:74:34 | ...; | TestFinally.java:74:5:74:14 | System.out |
 | TestFinally.java:74:24:74:32 | "Finally" | TestFinally.java:74:5:74:33 | println(...) |
-| TestFinally.java:75:5:75:15 | stmt | TestFinally.java:75:9:75:9 | z |
+| TestFinally.java:75:5:75:15 | if (...) | TestFinally.java:75:9:75:9 | z |
 | TestFinally.java:75:9:75:9 | z | TestFinally.java:75:14:75:14 | 1 |
-| TestFinally.java:75:9:75:14 | ... == ... | TestFinally.java:76:5:78:5 | stmt |
-| TestFinally.java:75:9:75:14 | ... == ... | TestFinally.java:79:5:79:35 | stmt |
+| TestFinally.java:75:9:75:14 | ... == ... | TestFinally.java:76:5:78:5 | { ... } |
+| TestFinally.java:75:9:75:14 | ... == ... | TestFinally.java:79:5:79:35 | ...; |
 | TestFinally.java:75:14:75:14 | 1 | TestFinally.java:75:9:75:14 | ... == ... |
-| TestFinally.java:76:5:78:5 | stmt | TestFinally.java:77:6:77:12 | stmt |
-| TestFinally.java:77:6:77:12 | stmt | TestFinally.java:116:3:120:3 | stmt |
+| TestFinally.java:76:5:78:5 | { ... } | TestFinally.java:77:6:77:12 | return ... |
+| TestFinally.java:77:6:77:12 | return ... | TestFinally.java:116:3:120:3 | { ... } |
 | TestFinally.java:79:5:79:14 | System.out | TestFinally.java:79:24:79:33 | "Finally2" |
-| TestFinally.java:79:5:79:34 | println(...) | TestFinally.java:81:4:81:29 | stmt |
-| TestFinally.java:79:5:79:34 | println(...) | TestFinally.java:86:5:86:23 | stmt |
-| TestFinally.java:79:5:79:34 | println(...) | TestFinally.java:116:3:120:3 | stmt |
-| TestFinally.java:79:5:79:35 | stmt | TestFinally.java:79:5:79:14 | System.out |
+| TestFinally.java:79:5:79:34 | println(...) | TestFinally.java:81:4:81:29 | ...; |
+| TestFinally.java:79:5:79:34 | println(...) | TestFinally.java:86:5:86:23 | catch (...) |
+| TestFinally.java:79:5:79:34 | println(...) | TestFinally.java:116:3:120:3 | { ... } |
+| TestFinally.java:79:5:79:35 | ...; | TestFinally.java:79:5:79:14 | System.out |
 | TestFinally.java:79:24:79:33 | "Finally2" | TestFinally.java:79:5:79:34 | println(...) |
 | TestFinally.java:81:4:81:13 | System.out | TestFinally.java:81:23:81:27 | "Foo" |
-| TestFinally.java:81:4:81:28 | println(...) | TestFinally.java:82:4:82:18 | stmt |
-| TestFinally.java:81:4:81:28 | println(...) | TestFinally.java:86:5:86:23 | stmt |
-| TestFinally.java:81:4:81:28 | println(...) | TestFinally.java:116:3:120:3 | stmt |
-| TestFinally.java:81:4:81:29 | stmt | TestFinally.java:81:4:81:13 | System.out |
+| TestFinally.java:81:4:81:28 | println(...) | TestFinally.java:82:4:82:18 | local variable declaration |
+| TestFinally.java:81:4:81:28 | println(...) | TestFinally.java:86:5:86:23 | catch (...) |
+| TestFinally.java:81:4:81:28 | println(...) | TestFinally.java:116:3:120:3 | { ... } |
+| TestFinally.java:81:4:81:29 | ...; | TestFinally.java:81:4:81:13 | System.out |
 | TestFinally.java:81:23:81:27 | "Foo" | TestFinally.java:81:4:81:28 | println(...) |
-| TestFinally.java:82:4:82:18 | stmt | TestFinally.java:82:12:82:13 | 12 |
-| TestFinally.java:82:8:82:17 | y | TestFinally.java:83:4:83:29 | stmt |
+| TestFinally.java:82:4:82:18 | local variable declaration | TestFinally.java:82:12:82:13 | 12 |
+| TestFinally.java:82:8:82:17 | y | TestFinally.java:83:4:83:29 | ...; |
 | TestFinally.java:82:12:82:13 | 12 | TestFinally.java:82:17:82:17 | 3 |
 | TestFinally.java:82:12:82:17 | ... + ... | TestFinally.java:82:8:82:17 | y |
 | TestFinally.java:82:17:82:17 | 3 | TestFinally.java:82:12:82:17 | ... + ... |
 | TestFinally.java:83:4:83:13 | System.out | TestFinally.java:83:23:83:27 | "Bar" |
-| TestFinally.java:83:4:83:28 | println(...) | TestFinally.java:84:4:84:13 | stmt |
-| TestFinally.java:83:4:83:28 | println(...) | TestFinally.java:86:5:86:23 | stmt |
-| TestFinally.java:83:4:83:28 | println(...) | TestFinally.java:116:3:120:3 | stmt |
-| TestFinally.java:83:4:83:29 | stmt | TestFinally.java:83:4:83:13 | System.out |
+| TestFinally.java:83:4:83:28 | println(...) | TestFinally.java:84:4:84:13 | ...; |
+| TestFinally.java:83:4:83:28 | println(...) | TestFinally.java:86:5:86:23 | catch (...) |
+| TestFinally.java:83:4:83:28 | println(...) | TestFinally.java:116:3:120:3 | { ... } |
+| TestFinally.java:83:4:83:29 | ...; | TestFinally.java:83:4:83:13 | System.out |
 | TestFinally.java:83:23:83:27 | "Bar" | TestFinally.java:83:4:83:28 | println(...) |
-| TestFinally.java:84:4:84:12 | ...=... | TestFinally.java:85:4:85:10 | stmt |
-| TestFinally.java:84:4:84:13 | stmt | TestFinally.java:84:8:84:8 | y |
+| TestFinally.java:84:4:84:12 | ...=... | TestFinally.java:85:4:85:10 | return ... |
+| TestFinally.java:84:4:84:13 | ...; | TestFinally.java:84:8:84:8 | y |
 | TestFinally.java:84:8:84:8 | y | TestFinally.java:84:12:84:12 | 1 |
 | TestFinally.java:84:8:84:12 | ... + ... | TestFinally.java:84:4:84:12 | ...=... |
 | TestFinally.java:84:12:84:12 | 1 | TestFinally.java:84:8:84:12 | ... + ... |
-| TestFinally.java:85:4:85:10 | stmt | TestFinally.java:116:3:120:3 | stmt |
-| TestFinally.java:86:5:86:23 | stmt | TestFinally.java:86:22:86:22 | e |
-| TestFinally.java:86:22:86:22 | e | TestFinally.java:87:3:115:3 | stmt |
-| TestFinally.java:87:3:115:3 | stmt | TestFinally.java:88:4:111:4 | stmt |
-| TestFinally.java:88:4:111:4 | stmt | TestFinally.java:89:4:96:4 | stmt |
-| TestFinally.java:89:4:96:4 | stmt | TestFinally.java:90:5:90:31 | stmt |
+| TestFinally.java:85:4:85:10 | return ... | TestFinally.java:116:3:120:3 | { ... } |
+| TestFinally.java:86:5:86:23 | catch (...) | TestFinally.java:86:22:86:22 | e |
+| TestFinally.java:86:22:86:22 | e | TestFinally.java:87:3:115:3 | { ... } |
+| TestFinally.java:87:3:115:3 | { ... } | TestFinally.java:88:4:111:4 | try ... |
+| TestFinally.java:88:4:111:4 | try ... | TestFinally.java:89:4:96:4 | { ... } |
+| TestFinally.java:89:4:96:4 | { ... } | TestFinally.java:90:5:90:31 | ...; |
 | TestFinally.java:90:5:90:14 | System.out | TestFinally.java:90:24:90:29 | "Try1" |
-| TestFinally.java:90:5:90:30 | println(...) | TestFinally.java:91:5:91:15 | stmt |
-| TestFinally.java:90:5:90:30 | println(...) | TestFinally.java:96:6:96:25 | stmt |
-| TestFinally.java:90:5:90:30 | println(...) | TestFinally.java:104:4:111:4 | stmt |
-| TestFinally.java:90:5:90:31 | stmt | TestFinally.java:90:5:90:14 | System.out |
+| TestFinally.java:90:5:90:30 | println(...) | TestFinally.java:91:5:91:15 | if (...) |
+| TestFinally.java:90:5:90:30 | println(...) | TestFinally.java:96:6:96:25 | catch (...) |
+| TestFinally.java:90:5:90:30 | println(...) | TestFinally.java:104:4:111:4 | { ... } |
+| TestFinally.java:90:5:90:31 | ...; | TestFinally.java:90:5:90:14 | System.out |
 | TestFinally.java:90:24:90:29 | "Try1" | TestFinally.java:90:5:90:30 | println(...) |
-| TestFinally.java:91:5:91:15 | stmt | TestFinally.java:91:9:91:9 | z |
+| TestFinally.java:91:5:91:15 | if (...) | TestFinally.java:91:9:91:9 | z |
 | TestFinally.java:91:9:91:9 | z | TestFinally.java:91:14:91:14 | 1 |
-| TestFinally.java:91:9:91:14 | ... == ... | TestFinally.java:92:5:94:5 | stmt |
-| TestFinally.java:91:9:91:14 | ... == ... | TestFinally.java:95:5:95:31 | stmt |
+| TestFinally.java:91:9:91:14 | ... == ... | TestFinally.java:92:5:94:5 | { ... } |
+| TestFinally.java:91:9:91:14 | ... == ... | TestFinally.java:95:5:95:31 | ...; |
 | TestFinally.java:91:14:91:14 | 1 | TestFinally.java:91:9:91:14 | ... == ... |
-| TestFinally.java:92:5:94:5 | stmt | TestFinally.java:93:6:93:12 | stmt |
-| TestFinally.java:93:6:93:12 | stmt | TestFinally.java:104:4:111:4 | stmt |
+| TestFinally.java:92:5:94:5 | { ... } | TestFinally.java:93:6:93:12 | return ... |
+| TestFinally.java:93:6:93:12 | return ... | TestFinally.java:104:4:111:4 | { ... } |
 | TestFinally.java:95:5:95:14 | System.out | TestFinally.java:95:24:95:29 | "Try2" |
-| TestFinally.java:95:5:95:30 | println(...) | TestFinally.java:96:6:96:25 | stmt |
-| TestFinally.java:95:5:95:30 | println(...) | TestFinally.java:104:4:111:4 | stmt |
-| TestFinally.java:95:5:95:31 | stmt | TestFinally.java:95:5:95:14 | System.out |
+| TestFinally.java:95:5:95:30 | println(...) | TestFinally.java:96:6:96:25 | catch (...) |
+| TestFinally.java:95:5:95:30 | println(...) | TestFinally.java:104:4:111:4 | { ... } |
+| TestFinally.java:95:5:95:31 | ...; | TestFinally.java:95:5:95:14 | System.out |
 | TestFinally.java:95:24:95:29 | "Try2" | TestFinally.java:95:5:95:30 | println(...) |
-| TestFinally.java:96:6:96:25 | stmt | TestFinally.java:96:23:96:24 | ex |
-| TestFinally.java:96:23:96:24 | ex | TestFinally.java:97:4:103:4 | stmt |
-| TestFinally.java:97:4:103:4 | stmt | TestFinally.java:98:5:98:36 | stmt |
+| TestFinally.java:96:6:96:25 | catch (...) | TestFinally.java:96:23:96:24 | ex |
+| TestFinally.java:96:23:96:24 | ex | TestFinally.java:97:4:103:4 | { ... } |
+| TestFinally.java:97:4:103:4 | { ... } | TestFinally.java:98:5:98:36 | ...; |
 | TestFinally.java:98:5:98:14 | System.out | TestFinally.java:98:24:98:34 | "Exception" |
-| TestFinally.java:98:5:98:35 | println(...) | TestFinally.java:99:5:99:15 | stmt |
-| TestFinally.java:98:5:98:36 | stmt | TestFinally.java:98:5:98:14 | System.out |
+| TestFinally.java:98:5:98:35 | println(...) | TestFinally.java:99:5:99:15 | if (...) |
+| TestFinally.java:98:5:98:36 | ...; | TestFinally.java:98:5:98:14 | System.out |
 | TestFinally.java:98:24:98:34 | "Exception" | TestFinally.java:98:5:98:35 | println(...) |
-| TestFinally.java:99:5:99:15 | stmt | TestFinally.java:99:9:99:9 | z |
+| TestFinally.java:99:5:99:15 | if (...) | TestFinally.java:99:9:99:9 | z |
 | TestFinally.java:99:9:99:9 | z | TestFinally.java:99:14:99:14 | 1 |
-| TestFinally.java:99:9:99:14 | ... == ... | TestFinally.java:100:5:102:5 | stmt |
-| TestFinally.java:99:9:99:14 | ... == ... | TestFinally.java:104:4:111:4 | stmt |
+| TestFinally.java:99:9:99:14 | ... == ... | TestFinally.java:100:5:102:5 | { ... } |
+| TestFinally.java:99:9:99:14 | ... == ... | TestFinally.java:104:4:111:4 | { ... } |
 | TestFinally.java:99:14:99:14 | 1 | TestFinally.java:99:9:99:14 | ... == ... |
-| TestFinally.java:100:5:102:5 | stmt | TestFinally.java:101:6:101:12 | stmt |
-| TestFinally.java:101:6:101:12 | stmt | TestFinally.java:104:4:111:4 | stmt |
-| TestFinally.java:104:4:111:4 | stmt | TestFinally.java:105:5:105:34 | stmt |
+| TestFinally.java:100:5:102:5 | { ... } | TestFinally.java:101:6:101:12 | return ... |
+| TestFinally.java:101:6:101:12 | return ... | TestFinally.java:104:4:111:4 | { ... } |
+| TestFinally.java:104:4:111:4 | { ... } | TestFinally.java:105:5:105:34 | ...; |
 | TestFinally.java:105:5:105:14 | System.out | TestFinally.java:105:24:105:32 | "Finally" |
-| TestFinally.java:105:5:105:33 | println(...) | TestFinally.java:106:5:106:15 | stmt |
-| TestFinally.java:105:5:105:34 | stmt | TestFinally.java:105:5:105:14 | System.out |
+| TestFinally.java:105:5:105:33 | println(...) | TestFinally.java:106:5:106:15 | if (...) |
+| TestFinally.java:105:5:105:34 | ...; | TestFinally.java:105:5:105:14 | System.out |
 | TestFinally.java:105:24:105:32 | "Finally" | TestFinally.java:105:5:105:33 | println(...) |
-| TestFinally.java:106:5:106:15 | stmt | TestFinally.java:106:9:106:9 | z |
+| TestFinally.java:106:5:106:15 | if (...) | TestFinally.java:106:9:106:9 | z |
 | TestFinally.java:106:9:106:9 | z | TestFinally.java:106:14:106:14 | 1 |
-| TestFinally.java:106:9:106:14 | ... == ... | TestFinally.java:107:5:109:5 | stmt |
-| TestFinally.java:106:9:106:14 | ... == ... | TestFinally.java:110:5:110:35 | stmt |
+| TestFinally.java:106:9:106:14 | ... == ... | TestFinally.java:107:5:109:5 | { ... } |
+| TestFinally.java:106:9:106:14 | ... == ... | TestFinally.java:110:5:110:35 | ...; |
 | TestFinally.java:106:14:106:14 | 1 | TestFinally.java:106:9:106:14 | ... == ... |
-| TestFinally.java:107:5:109:5 | stmt | TestFinally.java:108:6:108:12 | stmt |
-| TestFinally.java:108:6:108:12 | stmt | TestFinally.java:116:3:120:3 | stmt |
+| TestFinally.java:107:5:109:5 | { ... } | TestFinally.java:108:6:108:12 | return ... |
+| TestFinally.java:108:6:108:12 | return ... | TestFinally.java:116:3:120:3 | { ... } |
 | TestFinally.java:110:5:110:14 | System.out | TestFinally.java:110:24:110:33 | "Finally2" |
-| TestFinally.java:110:5:110:34 | println(...) | TestFinally.java:112:4:112:13 | stmt |
-| TestFinally.java:110:5:110:34 | println(...) | TestFinally.java:116:3:120:3 | stmt |
-| TestFinally.java:110:5:110:35 | stmt | TestFinally.java:110:5:110:14 | System.out |
+| TestFinally.java:110:5:110:34 | println(...) | TestFinally.java:112:4:112:13 | local variable declaration |
+| TestFinally.java:110:5:110:34 | println(...) | TestFinally.java:116:3:120:3 | { ... } |
+| TestFinally.java:110:5:110:35 | ...; | TestFinally.java:110:5:110:14 | System.out |
 | TestFinally.java:110:24:110:33 | "Finally2" | TestFinally.java:110:5:110:34 | println(...) |
-| TestFinally.java:112:4:112:13 | stmt | TestFinally.java:112:12:112:12 | 1 |
-| TestFinally.java:112:8:112:12 | x | TestFinally.java:113:4:113:37 | stmt |
+| TestFinally.java:112:4:112:13 | local variable declaration | TestFinally.java:112:12:112:12 | 1 |
+| TestFinally.java:112:8:112:12 | x | TestFinally.java:113:4:113:37 | ...; |
 | TestFinally.java:112:12:112:12 | 1 | TestFinally.java:112:8:112:12 | x |
 | TestFinally.java:113:4:113:13 | System.out | TestFinally.java:113:23:113:31 | "Error: " |
-| TestFinally.java:113:4:113:36 | println(...) | TestFinally.java:114:4:114:13 | stmt |
-| TestFinally.java:113:4:113:37 | stmt | TestFinally.java:113:4:113:13 | System.out |
+| TestFinally.java:113:4:113:36 | println(...) | TestFinally.java:114:4:114:13 | ...; |
+| TestFinally.java:113:4:113:37 | ...; | TestFinally.java:113:4:113:13 | System.out |
 | TestFinally.java:113:23:113:31 | "Error: " | TestFinally.java:113:35:113:35 | e |
 | TestFinally.java:113:23:113:35 | ... + ... | TestFinally.java:113:4:113:36 | println(...) |
 | TestFinally.java:113:35:113:35 | e | TestFinally.java:113:23:113:35 | ... + ... |
-| TestFinally.java:114:4:114:12 | ...=... | TestFinally.java:116:3:120:3 | stmt |
-| TestFinally.java:114:4:114:13 | stmt | TestFinally.java:114:8:114:8 | x |
+| TestFinally.java:114:4:114:12 | ...=... | TestFinally.java:116:3:120:3 | { ... } |
+| TestFinally.java:114:4:114:13 | ...; | TestFinally.java:114:8:114:8 | x |
 | TestFinally.java:114:8:114:8 | x | TestFinally.java:114:12:114:12 | 1 |
 | TestFinally.java:114:8:114:12 | ... + ... | TestFinally.java:114:4:114:12 | ...=... |
 | TestFinally.java:114:12:114:12 | 1 | TestFinally.java:114:8:114:12 | ... + ... |
-| TestFinally.java:116:3:120:3 | stmt | TestFinally.java:117:4:117:14 | stmt |
-| TestFinally.java:117:4:117:14 | stmt | TestFinally.java:117:12:117:13 | 12 |
-| TestFinally.java:117:8:117:13 | y | TestFinally.java:118:4:118:33 | stmt |
+| TestFinally.java:116:3:120:3 | { ... } | TestFinally.java:117:4:117:14 | local variable declaration |
+| TestFinally.java:117:4:117:14 | local variable declaration | TestFinally.java:117:12:117:13 | 12 |
+| TestFinally.java:117:8:117:13 | y | TestFinally.java:118:4:118:33 | ...; |
 | TestFinally.java:117:12:117:13 | 12 | TestFinally.java:117:8:117:13 | y |
 | TestFinally.java:118:4:118:13 | System.out | TestFinally.java:118:23:118:31 | "Finally" |
-| TestFinally.java:118:4:118:32 | println(...) | TestFinally.java:119:4:119:13 | stmt |
-| TestFinally.java:118:4:118:33 | stmt | TestFinally.java:118:4:118:13 | System.out |
+| TestFinally.java:118:4:118:32 | println(...) | TestFinally.java:119:4:119:13 | ...; |
+| TestFinally.java:118:4:118:33 | ...; | TestFinally.java:118:4:118:13 | System.out |
 | TestFinally.java:118:23:118:31 | "Finally" | TestFinally.java:118:4:118:32 | println(...) |
 | TestFinally.java:119:4:119:12 | ...=... | TestFinally.java:4:14:4:14 | f |
-| TestFinally.java:119:4:119:12 | ...=... | TestFinally.java:121:3:121:12 | stmt |
-| TestFinally.java:119:4:119:13 | stmt | TestFinally.java:119:8:119:8 | y |
+| TestFinally.java:119:4:119:12 | ...=... | TestFinally.java:121:3:121:12 | ...; |
+| TestFinally.java:119:4:119:13 | ...; | TestFinally.java:119:8:119:8 | y |
 | TestFinally.java:119:8:119:8 | y | TestFinally.java:119:12:119:12 | 1 |
 | TestFinally.java:119:8:119:12 | ... + ... | TestFinally.java:119:4:119:12 | ...=... |
 | TestFinally.java:119:12:119:12 | 1 | TestFinally.java:119:8:119:12 | ... + ... |
-| TestFinally.java:121:3:121:11 | ...=... | TestFinally.java:123:3:146:3 | stmt |
-| TestFinally.java:121:3:121:12 | stmt | TestFinally.java:121:7:121:7 | z |
+| TestFinally.java:121:3:121:11 | ...=... | TestFinally.java:123:3:146:3 | try ... |
+| TestFinally.java:121:3:121:12 | ...; | TestFinally.java:121:7:121:7 | z |
 | TestFinally.java:121:7:121:7 | z | TestFinally.java:121:11:121:11 | 1 |
 | TestFinally.java:121:7:121:11 | ... + ... | TestFinally.java:121:3:121:11 | ...=... |
 | TestFinally.java:121:11:121:11 | 1 | TestFinally.java:121:7:121:11 | ... + ... |
-| TestFinally.java:123:3:146:3 | stmt | TestFinally.java:124:3:131:3 | stmt |
-| TestFinally.java:124:3:131:3 | stmt | TestFinally.java:125:4:125:30 | stmt |
+| TestFinally.java:123:3:146:3 | try ... | TestFinally.java:124:3:131:3 | { ... } |
+| TestFinally.java:124:3:131:3 | { ... } | TestFinally.java:125:4:125:30 | ...; |
 | TestFinally.java:125:4:125:13 | System.out | TestFinally.java:125:23:125:28 | "Try1" |
-| TestFinally.java:125:4:125:29 | println(...) | TestFinally.java:126:4:126:14 | stmt |
-| TestFinally.java:125:4:125:29 | println(...) | TestFinally.java:131:5:131:24 | stmt |
-| TestFinally.java:125:4:125:29 | println(...) | TestFinally.java:139:3:146:3 | stmt |
-| TestFinally.java:125:4:125:30 | stmt | TestFinally.java:125:4:125:13 | System.out |
+| TestFinally.java:125:4:125:29 | println(...) | TestFinally.java:126:4:126:14 | if (...) |
+| TestFinally.java:125:4:125:29 | println(...) | TestFinally.java:131:5:131:24 | catch (...) |
+| TestFinally.java:125:4:125:29 | println(...) | TestFinally.java:139:3:146:3 | { ... } |
+| TestFinally.java:125:4:125:30 | ...; | TestFinally.java:125:4:125:13 | System.out |
 | TestFinally.java:125:23:125:28 | "Try1" | TestFinally.java:125:4:125:29 | println(...) |
-| TestFinally.java:126:4:126:14 | stmt | TestFinally.java:126:8:126:8 | z |
+| TestFinally.java:126:4:126:14 | if (...) | TestFinally.java:126:8:126:8 | z |
 | TestFinally.java:126:8:126:8 | z | TestFinally.java:126:13:126:13 | 1 |
-| TestFinally.java:126:8:126:13 | ... == ... | TestFinally.java:127:4:129:4 | stmt |
-| TestFinally.java:126:8:126:13 | ... == ... | TestFinally.java:130:4:130:30 | stmt |
+| TestFinally.java:126:8:126:13 | ... == ... | TestFinally.java:127:4:129:4 | { ... } |
+| TestFinally.java:126:8:126:13 | ... == ... | TestFinally.java:130:4:130:30 | ...; |
 | TestFinally.java:126:13:126:13 | 1 | TestFinally.java:126:8:126:13 | ... == ... |
-| TestFinally.java:127:4:129:4 | stmt | TestFinally.java:128:5:128:11 | stmt |
-| TestFinally.java:128:5:128:11 | stmt | TestFinally.java:139:3:146:3 | stmt |
+| TestFinally.java:127:4:129:4 | { ... } | TestFinally.java:128:5:128:11 | return ... |
+| TestFinally.java:128:5:128:11 | return ... | TestFinally.java:139:3:146:3 | { ... } |
 | TestFinally.java:130:4:130:13 | System.out | TestFinally.java:130:23:130:28 | "Try2" |
-| TestFinally.java:130:4:130:29 | println(...) | TestFinally.java:131:5:131:24 | stmt |
-| TestFinally.java:130:4:130:29 | println(...) | TestFinally.java:139:3:146:3 | stmt |
-| TestFinally.java:130:4:130:30 | stmt | TestFinally.java:130:4:130:13 | System.out |
+| TestFinally.java:130:4:130:29 | println(...) | TestFinally.java:131:5:131:24 | catch (...) |
+| TestFinally.java:130:4:130:29 | println(...) | TestFinally.java:139:3:146:3 | { ... } |
+| TestFinally.java:130:4:130:30 | ...; | TestFinally.java:130:4:130:13 | System.out |
 | TestFinally.java:130:23:130:28 | "Try2" | TestFinally.java:130:4:130:29 | println(...) |
-| TestFinally.java:131:5:131:24 | stmt | TestFinally.java:131:22:131:23 | ex |
-| TestFinally.java:131:22:131:23 | ex | TestFinally.java:132:3:138:3 | stmt |
-| TestFinally.java:132:3:138:3 | stmt | TestFinally.java:133:4:133:35 | stmt |
+| TestFinally.java:131:5:131:24 | catch (...) | TestFinally.java:131:22:131:23 | ex |
+| TestFinally.java:131:22:131:23 | ex | TestFinally.java:132:3:138:3 | { ... } |
+| TestFinally.java:132:3:138:3 | { ... } | TestFinally.java:133:4:133:35 | ...; |
 | TestFinally.java:133:4:133:13 | System.out | TestFinally.java:133:23:133:33 | "Exception" |
-| TestFinally.java:133:4:133:34 | println(...) | TestFinally.java:134:4:134:14 | stmt |
-| TestFinally.java:133:4:133:35 | stmt | TestFinally.java:133:4:133:13 | System.out |
+| TestFinally.java:133:4:133:34 | println(...) | TestFinally.java:134:4:134:14 | if (...) |
+| TestFinally.java:133:4:133:35 | ...; | TestFinally.java:133:4:133:13 | System.out |
 | TestFinally.java:133:23:133:33 | "Exception" | TestFinally.java:133:4:133:34 | println(...) |
-| TestFinally.java:134:4:134:14 | stmt | TestFinally.java:134:8:134:8 | z |
+| TestFinally.java:134:4:134:14 | if (...) | TestFinally.java:134:8:134:8 | z |
 | TestFinally.java:134:8:134:8 | z | TestFinally.java:134:13:134:13 | 1 |
-| TestFinally.java:134:8:134:13 | ... == ... | TestFinally.java:135:4:137:4 | stmt |
-| TestFinally.java:134:8:134:13 | ... == ... | TestFinally.java:139:3:146:3 | stmt |
+| TestFinally.java:134:8:134:13 | ... == ... | TestFinally.java:135:4:137:4 | { ... } |
+| TestFinally.java:134:8:134:13 | ... == ... | TestFinally.java:139:3:146:3 | { ... } |
 | TestFinally.java:134:13:134:13 | 1 | TestFinally.java:134:8:134:13 | ... == ... |
-| TestFinally.java:135:4:137:4 | stmt | TestFinally.java:136:5:136:11 | stmt |
-| TestFinally.java:136:5:136:11 | stmt | TestFinally.java:139:3:146:3 | stmt |
-| TestFinally.java:139:3:146:3 | stmt | TestFinally.java:140:4:140:33 | stmt |
+| TestFinally.java:135:4:137:4 | { ... } | TestFinally.java:136:5:136:11 | return ... |
+| TestFinally.java:136:5:136:11 | return ... | TestFinally.java:139:3:146:3 | { ... } |
+| TestFinally.java:139:3:146:3 | { ... } | TestFinally.java:140:4:140:33 | ...; |
 | TestFinally.java:140:4:140:13 | System.out | TestFinally.java:140:23:140:31 | "Finally" |
-| TestFinally.java:140:4:140:32 | println(...) | TestFinally.java:141:4:141:14 | stmt |
-| TestFinally.java:140:4:140:33 | stmt | TestFinally.java:140:4:140:13 | System.out |
+| TestFinally.java:140:4:140:32 | println(...) | TestFinally.java:141:4:141:14 | if (...) |
+| TestFinally.java:140:4:140:33 | ...; | TestFinally.java:140:4:140:13 | System.out |
 | TestFinally.java:140:23:140:31 | "Finally" | TestFinally.java:140:4:140:32 | println(...) |
-| TestFinally.java:141:4:141:14 | stmt | TestFinally.java:141:8:141:8 | z |
+| TestFinally.java:141:4:141:14 | if (...) | TestFinally.java:141:8:141:8 | z |
 | TestFinally.java:141:8:141:8 | z | TestFinally.java:141:13:141:13 | 1 |
-| TestFinally.java:141:8:141:13 | ... == ... | TestFinally.java:142:4:144:4 | stmt |
-| TestFinally.java:141:8:141:13 | ... == ... | TestFinally.java:145:4:145:34 | stmt |
+| TestFinally.java:141:8:141:13 | ... == ... | TestFinally.java:142:4:144:4 | { ... } |
+| TestFinally.java:141:8:141:13 | ... == ... | TestFinally.java:145:4:145:34 | ...; |
 | TestFinally.java:141:13:141:13 | 1 | TestFinally.java:141:8:141:13 | ... == ... |
-| TestFinally.java:142:4:144:4 | stmt | TestFinally.java:143:5:143:11 | stmt |
-| TestFinally.java:143:5:143:11 | stmt | TestFinally.java:4:14:4:14 | f |
+| TestFinally.java:142:4:144:4 | { ... } | TestFinally.java:143:5:143:11 | return ... |
+| TestFinally.java:143:5:143:11 | return ... | TestFinally.java:4:14:4:14 | f |
 | TestFinally.java:145:4:145:13 | System.out | TestFinally.java:145:23:145:32 | "Finally2" |
 | TestFinally.java:145:4:145:33 | println(...) | TestFinally.java:4:14:4:14 | f |
-| TestFinally.java:145:4:145:33 | println(...) | TestFinally.java:148:3:148:12 | stmt |
-| TestFinally.java:145:4:145:34 | stmt | TestFinally.java:145:4:145:13 | System.out |
+| TestFinally.java:145:4:145:33 | println(...) | TestFinally.java:148:3:148:12 | ...; |
+| TestFinally.java:145:4:145:34 | ...; | TestFinally.java:145:4:145:13 | System.out |
 | TestFinally.java:145:23:145:32 | "Finally2" | TestFinally.java:145:4:145:33 | println(...) |
 | TestFinally.java:148:3:148:11 | ...=... | TestFinally.java:4:14:4:14 | f |
-| TestFinally.java:148:3:148:12 | stmt | TestFinally.java:148:7:148:7 | z |
+| TestFinally.java:148:3:148:12 | ...; | TestFinally.java:148:7:148:7 | z |
 | TestFinally.java:148:7:148:7 | z | TestFinally.java:148:11:148:11 | 2 |
 | TestFinally.java:148:7:148:11 | ... + ... | TestFinally.java:148:3:148:11 | ...=... |
 | TestFinally.java:148:11:148:11 | 2 | TestFinally.java:148:7:148:11 | ... + ... |
diff --git a/java/ql/test/library-tests/successors/TestFinallyBreakContinue/FalseSuccessors.expected b/java/ql/test/library-tests/successors/TestFinallyBreakContinue/FalseSuccessors.expected
index c2e6008f52d..1de80850858 100644
--- a/java/ql/test/library-tests/successors/TestFinallyBreakContinue/FalseSuccessors.expected
+++ b/java/ql/test/library-tests/successors/TestFinallyBreakContinue/FalseSuccessors.expected
@@ -1,6 +1,6 @@
-| TestFinallyBreakContinue.java:12:9:12:14 | ... == ... | TestFinallyBreakContinue.java:16:5:18:5 | stmt |
-| TestFinallyBreakContinue.java:21:9:21:14 | ... == ... | TestFinallyBreakContinue.java:25:5:27:5 | stmt |
-| TestFinallyBreakContinue.java:40:10:40:15 | ... == ... | TestFinallyBreakContinue.java:44:6:46:6 | stmt |
-| TestFinallyBreakContinue.java:49:10:49:15 | ... == ... | TestFinallyBreakContinue.java:53:6:55:6 | stmt |
-| TestFinallyBreakContinue.java:78:11:78:16 | ... == ... | TestFinallyBreakContinue.java:82:7:84:7 | stmt |
-| TestFinallyBreakContinue.java:87:11:87:16 | ... == ... | TestFinallyBreakContinue.java:91:7:93:7 | stmt |
+| TestFinallyBreakContinue.java:12:9:12:14 | ... == ... | TestFinallyBreakContinue.java:16:5:18:5 | { ... } |
+| TestFinallyBreakContinue.java:21:9:21:14 | ... == ... | TestFinallyBreakContinue.java:25:5:27:5 | { ... } |
+| TestFinallyBreakContinue.java:40:10:40:15 | ... == ... | TestFinallyBreakContinue.java:44:6:46:6 | { ... } |
+| TestFinallyBreakContinue.java:49:10:49:15 | ... == ... | TestFinallyBreakContinue.java:53:6:55:6 | { ... } |
+| TestFinallyBreakContinue.java:78:11:78:16 | ... == ... | TestFinallyBreakContinue.java:82:7:84:7 | { ... } |
+| TestFinallyBreakContinue.java:87:11:87:16 | ... == ... | TestFinallyBreakContinue.java:91:7:93:7 | { ... } |
diff --git a/java/ql/test/library-tests/successors/TestFinallyBreakContinue/TestSucc.expected b/java/ql/test/library-tests/successors/TestFinallyBreakContinue/TestSucc.expected
index 9ef9bab4172..2beed591041 100644
--- a/java/ql/test/library-tests/successors/TestFinallyBreakContinue/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/TestFinallyBreakContinue/TestSucc.expected
@@ -1,141 +1,141 @@
-| TestFinallyBreakContinue.java:3:14:3:37 | stmt | TestFinallyBreakContinue.java:3:14:3:37 | super(...) |
 | TestFinallyBreakContinue.java:3:14:3:37 | super(...) | TestFinallyBreakContinue.java:3:14:3:37 | TestFinallyBreakContinue |
-| TestFinallyBreakContinue.java:5:2:107:2 | stmt | TestFinallyBreakContinue.java:6:3:6:12 | stmt |
-| TestFinallyBreakContinue.java:6:3:6:12 | stmt | TestFinallyBreakContinue.java:6:11:6:11 | 1 |
-| TestFinallyBreakContinue.java:6:7:6:11 | x | TestFinallyBreakContinue.java:7:3:8:10 | stmt |
+| TestFinallyBreakContinue.java:3:14:3:37 | { ... } | TestFinallyBreakContinue.java:3:14:3:37 | super(...) |
+| TestFinallyBreakContinue.java:5:2:107:2 | { ... } | TestFinallyBreakContinue.java:6:3:6:12 | local variable declaration |
+| TestFinallyBreakContinue.java:6:3:6:12 | local variable declaration | TestFinallyBreakContinue.java:6:11:6:11 | 1 |
+| TestFinallyBreakContinue.java:6:7:6:11 | x | TestFinallyBreakContinue.java:7:3:8:10 | labeled statement |
 | TestFinallyBreakContinue.java:6:11:6:11 | 1 | TestFinallyBreakContinue.java:6:7:6:11 | x |
-| TestFinallyBreakContinue.java:7:3:8:10 | stmt | TestFinallyBreakContinue.java:8:3:8:10 | stmt |
-| TestFinallyBreakContinue.java:8:3:8:10 | stmt | TestFinallyBreakContinue.java:9:3:32:3 | stmt |
-| TestFinallyBreakContinue.java:9:3:32:3 | stmt | TestFinallyBreakContinue.java:10:4:31:4 | stmt |
-| TestFinallyBreakContinue.java:10:4:31:4 | stmt | TestFinallyBreakContinue.java:11:4:19:4 | stmt |
-| TestFinallyBreakContinue.java:11:4:19:4 | stmt | TestFinallyBreakContinue.java:12:5:12:15 | stmt |
-| TestFinallyBreakContinue.java:12:5:12:15 | stmt | TestFinallyBreakContinue.java:12:9:12:9 | x |
+| TestFinallyBreakContinue.java:7:3:8:10 | labeled statement | TestFinallyBreakContinue.java:8:3:8:10 | for (...) |
+| TestFinallyBreakContinue.java:8:3:8:10 | for (...) | TestFinallyBreakContinue.java:9:3:32:3 | { ... } |
+| TestFinallyBreakContinue.java:9:3:32:3 | { ... } | TestFinallyBreakContinue.java:10:4:31:4 | try ... |
+| TestFinallyBreakContinue.java:10:4:31:4 | try ... | TestFinallyBreakContinue.java:11:4:19:4 | { ... } |
+| TestFinallyBreakContinue.java:11:4:19:4 | { ... } | TestFinallyBreakContinue.java:12:5:12:15 | if (...) |
+| TestFinallyBreakContinue.java:12:5:12:15 | if (...) | TestFinallyBreakContinue.java:12:9:12:9 | x |
 | TestFinallyBreakContinue.java:12:9:12:9 | x | TestFinallyBreakContinue.java:12:14:12:14 | 1 |
-| TestFinallyBreakContinue.java:12:9:12:14 | ... == ... | TestFinallyBreakContinue.java:13:5:15:5 | stmt |
-| TestFinallyBreakContinue.java:12:9:12:14 | ... == ... | TestFinallyBreakContinue.java:16:5:18:5 | stmt |
+| TestFinallyBreakContinue.java:12:9:12:14 | ... == ... | TestFinallyBreakContinue.java:13:5:15:5 | { ... } |
+| TestFinallyBreakContinue.java:12:9:12:14 | ... == ... | TestFinallyBreakContinue.java:16:5:18:5 | { ... } |
 | TestFinallyBreakContinue.java:12:14:12:14 | 1 | TestFinallyBreakContinue.java:12:9:12:14 | ... == ... |
-| TestFinallyBreakContinue.java:13:5:15:5 | stmt | TestFinallyBreakContinue.java:14:6:14:11 | stmt |
-| TestFinallyBreakContinue.java:14:6:14:11 | stmt | TestFinallyBreakContinue.java:29:4:31:4 | stmt |
-| TestFinallyBreakContinue.java:16:5:18:5 | stmt | TestFinallyBreakContinue.java:17:6:17:14 | stmt |
-| TestFinallyBreakContinue.java:17:6:17:14 | stmt | TestFinallyBreakContinue.java:29:4:31:4 | stmt |
-| TestFinallyBreakContinue.java:19:6:19:24 | stmt | TestFinallyBreakContinue.java:19:23:19:23 | e |
-| TestFinallyBreakContinue.java:19:23:19:23 | e | TestFinallyBreakContinue.java:20:4:28:4 | stmt |
-| TestFinallyBreakContinue.java:20:4:28:4 | stmt | TestFinallyBreakContinue.java:21:5:21:15 | stmt |
-| TestFinallyBreakContinue.java:21:5:21:15 | stmt | TestFinallyBreakContinue.java:21:9:21:9 | x |
+| TestFinallyBreakContinue.java:13:5:15:5 | { ... } | TestFinallyBreakContinue.java:14:6:14:11 | break |
+| TestFinallyBreakContinue.java:14:6:14:11 | break | TestFinallyBreakContinue.java:29:4:31:4 | { ... } |
+| TestFinallyBreakContinue.java:16:5:18:5 | { ... } | TestFinallyBreakContinue.java:17:6:17:14 | continue |
+| TestFinallyBreakContinue.java:17:6:17:14 | continue | TestFinallyBreakContinue.java:29:4:31:4 | { ... } |
+| TestFinallyBreakContinue.java:19:6:19:24 | catch (...) | TestFinallyBreakContinue.java:19:23:19:23 | e |
+| TestFinallyBreakContinue.java:19:23:19:23 | e | TestFinallyBreakContinue.java:20:4:28:4 | { ... } |
+| TestFinallyBreakContinue.java:20:4:28:4 | { ... } | TestFinallyBreakContinue.java:21:5:21:15 | if (...) |
+| TestFinallyBreakContinue.java:21:5:21:15 | if (...) | TestFinallyBreakContinue.java:21:9:21:9 | x |
 | TestFinallyBreakContinue.java:21:9:21:9 | x | TestFinallyBreakContinue.java:21:14:21:14 | 1 |
-| TestFinallyBreakContinue.java:21:9:21:14 | ... == ... | TestFinallyBreakContinue.java:22:5:24:5 | stmt |
-| TestFinallyBreakContinue.java:21:9:21:14 | ... == ... | TestFinallyBreakContinue.java:25:5:27:5 | stmt |
+| TestFinallyBreakContinue.java:21:9:21:14 | ... == ... | TestFinallyBreakContinue.java:22:5:24:5 | { ... } |
+| TestFinallyBreakContinue.java:21:9:21:14 | ... == ... | TestFinallyBreakContinue.java:25:5:27:5 | { ... } |
 | TestFinallyBreakContinue.java:21:14:21:14 | 1 | TestFinallyBreakContinue.java:21:9:21:14 | ... == ... |
-| TestFinallyBreakContinue.java:22:5:24:5 | stmt | TestFinallyBreakContinue.java:23:6:23:11 | stmt |
-| TestFinallyBreakContinue.java:23:6:23:11 | stmt | TestFinallyBreakContinue.java:29:4:31:4 | stmt |
-| TestFinallyBreakContinue.java:25:5:27:5 | stmt | TestFinallyBreakContinue.java:26:6:26:14 | stmt |
-| TestFinallyBreakContinue.java:26:6:26:14 | stmt | TestFinallyBreakContinue.java:29:4:31:4 | stmt |
-| TestFinallyBreakContinue.java:29:4:31:4 | stmt | TestFinallyBreakContinue.java:30:5:30:34 | stmt |
+| TestFinallyBreakContinue.java:22:5:24:5 | { ... } | TestFinallyBreakContinue.java:23:6:23:11 | break |
+| TestFinallyBreakContinue.java:23:6:23:11 | break | TestFinallyBreakContinue.java:29:4:31:4 | { ... } |
+| TestFinallyBreakContinue.java:25:5:27:5 | { ... } | TestFinallyBreakContinue.java:26:6:26:14 | continue |
+| TestFinallyBreakContinue.java:26:6:26:14 | continue | TestFinallyBreakContinue.java:29:4:31:4 | { ... } |
+| TestFinallyBreakContinue.java:29:4:31:4 | { ... } | TestFinallyBreakContinue.java:30:5:30:34 | ...; |
 | TestFinallyBreakContinue.java:30:5:30:14 | System.out | TestFinallyBreakContinue.java:30:24:30:32 | "finally" |
-| TestFinallyBreakContinue.java:30:5:30:33 | println(...) | TestFinallyBreakContinue.java:9:3:32:3 | stmt |
-| TestFinallyBreakContinue.java:30:5:30:33 | println(...) | TestFinallyBreakContinue.java:34:3:34:14 | stmt |
-| TestFinallyBreakContinue.java:30:5:30:34 | stmt | TestFinallyBreakContinue.java:30:5:30:14 | System.out |
+| TestFinallyBreakContinue.java:30:5:30:33 | println(...) | TestFinallyBreakContinue.java:9:3:32:3 | { ... } |
+| TestFinallyBreakContinue.java:30:5:30:33 | println(...) | TestFinallyBreakContinue.java:34:3:34:14 | while (...) |
+| TestFinallyBreakContinue.java:30:5:30:34 | ...; | TestFinallyBreakContinue.java:30:5:30:14 | System.out |
 | TestFinallyBreakContinue.java:30:24:30:32 | "finally" | TestFinallyBreakContinue.java:30:5:30:33 | println(...) |
-| TestFinallyBreakContinue.java:34:3:34:14 | stmt | TestFinallyBreakContinue.java:34:10:34:13 | true |
-| TestFinallyBreakContinue.java:34:10:34:13 | true | TestFinallyBreakContinue.java:35:3:67:3 | stmt |
-| TestFinallyBreakContinue.java:35:3:67:3 | stmt | TestFinallyBreakContinue.java:36:4:66:4 | stmt |
-| TestFinallyBreakContinue.java:36:4:66:4 | stmt | TestFinallyBreakContinue.java:37:4:60:4 | stmt |
-| TestFinallyBreakContinue.java:37:4:60:4 | stmt | TestFinallyBreakContinue.java:38:5:59:5 | stmt |
-| TestFinallyBreakContinue.java:38:5:59:5 | stmt | TestFinallyBreakContinue.java:39:5:47:5 | stmt |
-| TestFinallyBreakContinue.java:39:5:47:5 | stmt | TestFinallyBreakContinue.java:40:6:40:16 | stmt |
-| TestFinallyBreakContinue.java:40:6:40:16 | stmt | TestFinallyBreakContinue.java:40:10:40:10 | x |
+| TestFinallyBreakContinue.java:34:3:34:14 | while (...) | TestFinallyBreakContinue.java:34:10:34:13 | true |
+| TestFinallyBreakContinue.java:34:10:34:13 | true | TestFinallyBreakContinue.java:35:3:67:3 | { ... } |
+| TestFinallyBreakContinue.java:35:3:67:3 | { ... } | TestFinallyBreakContinue.java:36:4:66:4 | try ... |
+| TestFinallyBreakContinue.java:36:4:66:4 | try ... | TestFinallyBreakContinue.java:37:4:60:4 | { ... } |
+| TestFinallyBreakContinue.java:37:4:60:4 | { ... } | TestFinallyBreakContinue.java:38:5:59:5 | try ... |
+| TestFinallyBreakContinue.java:38:5:59:5 | try ... | TestFinallyBreakContinue.java:39:5:47:5 | { ... } |
+| TestFinallyBreakContinue.java:39:5:47:5 | { ... } | TestFinallyBreakContinue.java:40:6:40:16 | if (...) |
+| TestFinallyBreakContinue.java:40:6:40:16 | if (...) | TestFinallyBreakContinue.java:40:10:40:10 | x |
 | TestFinallyBreakContinue.java:40:10:40:10 | x | TestFinallyBreakContinue.java:40:15:40:15 | 1 |
-| TestFinallyBreakContinue.java:40:10:40:15 | ... == ... | TestFinallyBreakContinue.java:41:6:43:6 | stmt |
-| TestFinallyBreakContinue.java:40:10:40:15 | ... == ... | TestFinallyBreakContinue.java:44:6:46:6 | stmt |
+| TestFinallyBreakContinue.java:40:10:40:15 | ... == ... | TestFinallyBreakContinue.java:41:6:43:6 | { ... } |
+| TestFinallyBreakContinue.java:40:10:40:15 | ... == ... | TestFinallyBreakContinue.java:44:6:46:6 | { ... } |
 | TestFinallyBreakContinue.java:40:15:40:15 | 1 | TestFinallyBreakContinue.java:40:10:40:15 | ... == ... |
-| TestFinallyBreakContinue.java:41:6:43:6 | stmt | TestFinallyBreakContinue.java:42:7:42:12 | stmt |
-| TestFinallyBreakContinue.java:42:7:42:12 | stmt | TestFinallyBreakContinue.java:57:5:59:5 | stmt |
-| TestFinallyBreakContinue.java:44:6:46:6 | stmt | TestFinallyBreakContinue.java:45:7:45:15 | stmt |
-| TestFinallyBreakContinue.java:45:7:45:15 | stmt | TestFinallyBreakContinue.java:57:5:59:5 | stmt |
-| TestFinallyBreakContinue.java:47:7:47:25 | stmt | TestFinallyBreakContinue.java:47:24:47:24 | e |
-| TestFinallyBreakContinue.java:47:24:47:24 | e | TestFinallyBreakContinue.java:48:5:56:5 | stmt |
-| TestFinallyBreakContinue.java:48:5:56:5 | stmt | TestFinallyBreakContinue.java:49:6:49:16 | stmt |
-| TestFinallyBreakContinue.java:49:6:49:16 | stmt | TestFinallyBreakContinue.java:49:10:49:10 | x |
+| TestFinallyBreakContinue.java:41:6:43:6 | { ... } | TestFinallyBreakContinue.java:42:7:42:12 | break |
+| TestFinallyBreakContinue.java:42:7:42:12 | break | TestFinallyBreakContinue.java:57:5:59:5 | { ... } |
+| TestFinallyBreakContinue.java:44:6:46:6 | { ... } | TestFinallyBreakContinue.java:45:7:45:15 | continue |
+| TestFinallyBreakContinue.java:45:7:45:15 | continue | TestFinallyBreakContinue.java:57:5:59:5 | { ... } |
+| TestFinallyBreakContinue.java:47:7:47:25 | catch (...) | TestFinallyBreakContinue.java:47:24:47:24 | e |
+| TestFinallyBreakContinue.java:47:24:47:24 | e | TestFinallyBreakContinue.java:48:5:56:5 | { ... } |
+| TestFinallyBreakContinue.java:48:5:56:5 | { ... } | TestFinallyBreakContinue.java:49:6:49:16 | if (...) |
+| TestFinallyBreakContinue.java:49:6:49:16 | if (...) | TestFinallyBreakContinue.java:49:10:49:10 | x |
 | TestFinallyBreakContinue.java:49:10:49:10 | x | TestFinallyBreakContinue.java:49:15:49:15 | 1 |
-| TestFinallyBreakContinue.java:49:10:49:15 | ... == ... | TestFinallyBreakContinue.java:50:6:52:6 | stmt |
-| TestFinallyBreakContinue.java:49:10:49:15 | ... == ... | TestFinallyBreakContinue.java:53:6:55:6 | stmt |
+| TestFinallyBreakContinue.java:49:10:49:15 | ... == ... | TestFinallyBreakContinue.java:50:6:52:6 | { ... } |
+| TestFinallyBreakContinue.java:49:10:49:15 | ... == ... | TestFinallyBreakContinue.java:53:6:55:6 | { ... } |
 | TestFinallyBreakContinue.java:49:15:49:15 | 1 | TestFinallyBreakContinue.java:49:10:49:15 | ... == ... |
-| TestFinallyBreakContinue.java:50:6:52:6 | stmt | TestFinallyBreakContinue.java:51:7:51:12 | stmt |
-| TestFinallyBreakContinue.java:51:7:51:12 | stmt | TestFinallyBreakContinue.java:57:5:59:5 | stmt |
-| TestFinallyBreakContinue.java:53:6:55:6 | stmt | TestFinallyBreakContinue.java:54:7:54:15 | stmt |
-| TestFinallyBreakContinue.java:54:7:54:15 | stmt | TestFinallyBreakContinue.java:57:5:59:5 | stmt |
-| TestFinallyBreakContinue.java:57:5:59:5 | stmt | TestFinallyBreakContinue.java:58:6:58:35 | stmt |
+| TestFinallyBreakContinue.java:50:6:52:6 | { ... } | TestFinallyBreakContinue.java:51:7:51:12 | break |
+| TestFinallyBreakContinue.java:51:7:51:12 | break | TestFinallyBreakContinue.java:57:5:59:5 | { ... } |
+| TestFinallyBreakContinue.java:53:6:55:6 | { ... } | TestFinallyBreakContinue.java:54:7:54:15 | continue |
+| TestFinallyBreakContinue.java:54:7:54:15 | continue | TestFinallyBreakContinue.java:57:5:59:5 | { ... } |
+| TestFinallyBreakContinue.java:57:5:59:5 | { ... } | TestFinallyBreakContinue.java:58:6:58:35 | ...; |
 | TestFinallyBreakContinue.java:58:6:58:15 | System.out | TestFinallyBreakContinue.java:58:25:58:33 | "finally" |
-| TestFinallyBreakContinue.java:58:6:58:34 | println(...) | TestFinallyBreakContinue.java:60:6:60:24 | stmt |
-| TestFinallyBreakContinue.java:58:6:58:34 | println(...) | TestFinallyBreakContinue.java:64:4:66:4 | stmt |
-| TestFinallyBreakContinue.java:58:6:58:35 | stmt | TestFinallyBreakContinue.java:58:6:58:15 | System.out |
+| TestFinallyBreakContinue.java:58:6:58:34 | println(...) | TestFinallyBreakContinue.java:60:6:60:24 | catch (...) |
+| TestFinallyBreakContinue.java:58:6:58:34 | println(...) | TestFinallyBreakContinue.java:64:4:66:4 | { ... } |
+| TestFinallyBreakContinue.java:58:6:58:35 | ...; | TestFinallyBreakContinue.java:58:6:58:15 | System.out |
 | TestFinallyBreakContinue.java:58:25:58:33 | "finally" | TestFinallyBreakContinue.java:58:6:58:34 | println(...) |
-| TestFinallyBreakContinue.java:60:6:60:24 | stmt | TestFinallyBreakContinue.java:60:23:60:23 | e |
-| TestFinallyBreakContinue.java:60:23:60:23 | e | TestFinallyBreakContinue.java:61:4:63:4 | stmt |
-| TestFinallyBreakContinue.java:61:4:63:4 | stmt | TestFinallyBreakContinue.java:62:5:62:36 | stmt |
+| TestFinallyBreakContinue.java:60:6:60:24 | catch (...) | TestFinallyBreakContinue.java:60:23:60:23 | e |
+| TestFinallyBreakContinue.java:60:23:60:23 | e | TestFinallyBreakContinue.java:61:4:63:4 | { ... } |
+| TestFinallyBreakContinue.java:61:4:63:4 | { ... } | TestFinallyBreakContinue.java:62:5:62:36 | ...; |
 | TestFinallyBreakContinue.java:62:5:62:14 | System.out | TestFinallyBreakContinue.java:62:24:62:34 | "Exception" |
-| TestFinallyBreakContinue.java:62:5:62:35 | println(...) | TestFinallyBreakContinue.java:64:4:66:4 | stmt |
-| TestFinallyBreakContinue.java:62:5:62:36 | stmt | TestFinallyBreakContinue.java:62:5:62:14 | System.out |
+| TestFinallyBreakContinue.java:62:5:62:35 | println(...) | TestFinallyBreakContinue.java:64:4:66:4 | { ... } |
+| TestFinallyBreakContinue.java:62:5:62:36 | ...; | TestFinallyBreakContinue.java:62:5:62:14 | System.out |
 | TestFinallyBreakContinue.java:62:24:62:34 | "Exception" | TestFinallyBreakContinue.java:62:5:62:35 | println(...) |
-| TestFinallyBreakContinue.java:64:4:66:4 | stmt | TestFinallyBreakContinue.java:65:5:65:34 | stmt |
+| TestFinallyBreakContinue.java:64:4:66:4 | { ... } | TestFinallyBreakContinue.java:65:5:65:34 | ...; |
 | TestFinallyBreakContinue.java:65:5:65:14 | System.out | TestFinallyBreakContinue.java:65:24:65:32 | "finally" |
 | TestFinallyBreakContinue.java:65:5:65:33 | println(...) | TestFinallyBreakContinue.java:4:14:4:14 | f |
 | TestFinallyBreakContinue.java:65:5:65:33 | println(...) | TestFinallyBreakContinue.java:34:10:34:13 | true |
-| TestFinallyBreakContinue.java:65:5:65:33 | println(...) | TestFinallyBreakContinue.java:69:3:106:17 | stmt |
-| TestFinallyBreakContinue.java:65:5:65:34 | stmt | TestFinallyBreakContinue.java:65:5:65:14 | System.out |
+| TestFinallyBreakContinue.java:65:5:65:33 | println(...) | TestFinallyBreakContinue.java:69:3:106:17 | labeled statement |
+| TestFinallyBreakContinue.java:65:5:65:34 | ...; | TestFinallyBreakContinue.java:65:5:65:14 | System.out |
 | TestFinallyBreakContinue.java:65:24:65:32 | "finally" | TestFinallyBreakContinue.java:65:5:65:33 | println(...) |
-| TestFinallyBreakContinue.java:69:3:106:17 | stmt | TestFinallyBreakContinue.java:70:3:106:17 | stmt |
-| TestFinallyBreakContinue.java:70:3:106:17 | stmt | TestFinallyBreakContinue.java:71:3:106:3 | stmt |
-| TestFinallyBreakContinue.java:71:3:106:3 | stmt | TestFinallyBreakContinue.java:72:4:105:4 | stmt |
-| TestFinallyBreakContinue.java:72:4:105:4 | stmt | TestFinallyBreakContinue.java:73:4:99:4 | stmt |
-| TestFinallyBreakContinue.java:73:4:99:4 | stmt | TestFinallyBreakContinue.java:74:5:74:29 | stmt |
-| TestFinallyBreakContinue.java:74:5:74:29 | stmt | TestFinallyBreakContinue.java:74:26:74:27 | 20 |
-| TestFinallyBreakContinue.java:74:14:74:14 | i | TestFinallyBreakContinue.java:75:5:98:5 | stmt |
+| TestFinallyBreakContinue.java:69:3:106:17 | labeled statement | TestFinallyBreakContinue.java:70:3:106:17 | do ... while (...) |
+| TestFinallyBreakContinue.java:70:3:106:17 | do ... while (...) | TestFinallyBreakContinue.java:71:3:106:3 | { ... } |
+| TestFinallyBreakContinue.java:71:3:106:3 | { ... } | TestFinallyBreakContinue.java:72:4:105:4 | try ... |
+| TestFinallyBreakContinue.java:72:4:105:4 | try ... | TestFinallyBreakContinue.java:73:4:99:4 | { ... } |
+| TestFinallyBreakContinue.java:73:4:99:4 | { ... } | TestFinallyBreakContinue.java:74:5:74:29 | for (... : ...) |
+| TestFinallyBreakContinue.java:74:5:74:29 | for (... : ...) | TestFinallyBreakContinue.java:74:26:74:27 | 20 |
+| TestFinallyBreakContinue.java:74:14:74:14 | i | TestFinallyBreakContinue.java:75:5:98:5 | { ... } |
 | TestFinallyBreakContinue.java:74:18:74:28 | new int[] | TestFinallyBreakContinue.java:74:14:74:14 | i |
-| TestFinallyBreakContinue.java:74:18:74:28 | new int[] | TestFinallyBreakContinue.java:103:4:105:4 | stmt |
+| TestFinallyBreakContinue.java:74:18:74:28 | new int[] | TestFinallyBreakContinue.java:103:4:105:4 | { ... } |
 | TestFinallyBreakContinue.java:74:26:74:27 | 20 | TestFinallyBreakContinue.java:74:18:74:28 | new int[] |
-| TestFinallyBreakContinue.java:75:5:98:5 | stmt | TestFinallyBreakContinue.java:76:6:97:6 | stmt |
-| TestFinallyBreakContinue.java:76:6:97:6 | stmt | TestFinallyBreakContinue.java:77:6:85:6 | stmt |
-| TestFinallyBreakContinue.java:77:6:85:6 | stmt | TestFinallyBreakContinue.java:78:7:78:17 | stmt |
-| TestFinallyBreakContinue.java:78:7:78:17 | stmt | TestFinallyBreakContinue.java:78:11:78:11 | x |
+| TestFinallyBreakContinue.java:75:5:98:5 | { ... } | TestFinallyBreakContinue.java:76:6:97:6 | try ... |
+| TestFinallyBreakContinue.java:76:6:97:6 | try ... | TestFinallyBreakContinue.java:77:6:85:6 | { ... } |
+| TestFinallyBreakContinue.java:77:6:85:6 | { ... } | TestFinallyBreakContinue.java:78:7:78:17 | if (...) |
+| TestFinallyBreakContinue.java:78:7:78:17 | if (...) | TestFinallyBreakContinue.java:78:11:78:11 | x |
 | TestFinallyBreakContinue.java:78:11:78:11 | x | TestFinallyBreakContinue.java:78:16:78:16 | 1 |
-| TestFinallyBreakContinue.java:78:11:78:16 | ... == ... | TestFinallyBreakContinue.java:79:7:81:7 | stmt |
-| TestFinallyBreakContinue.java:78:11:78:16 | ... == ... | TestFinallyBreakContinue.java:82:7:84:7 | stmt |
+| TestFinallyBreakContinue.java:78:11:78:16 | ... == ... | TestFinallyBreakContinue.java:79:7:81:7 | { ... } |
+| TestFinallyBreakContinue.java:78:11:78:16 | ... == ... | TestFinallyBreakContinue.java:82:7:84:7 | { ... } |
 | TestFinallyBreakContinue.java:78:16:78:16 | 1 | TestFinallyBreakContinue.java:78:11:78:16 | ... == ... |
-| TestFinallyBreakContinue.java:79:7:81:7 | stmt | TestFinallyBreakContinue.java:80:8:80:13 | stmt |
-| TestFinallyBreakContinue.java:80:8:80:13 | stmt | TestFinallyBreakContinue.java:95:6:97:6 | stmt |
-| TestFinallyBreakContinue.java:82:7:84:7 | stmt | TestFinallyBreakContinue.java:83:8:83:16 | stmt |
-| TestFinallyBreakContinue.java:83:8:83:16 | stmt | TestFinallyBreakContinue.java:95:6:97:6 | stmt |
-| TestFinallyBreakContinue.java:85:8:85:26 | stmt | TestFinallyBreakContinue.java:85:25:85:25 | e |
-| TestFinallyBreakContinue.java:85:25:85:25 | e | TestFinallyBreakContinue.java:86:6:94:6 | stmt |
-| TestFinallyBreakContinue.java:86:6:94:6 | stmt | TestFinallyBreakContinue.java:87:7:87:17 | stmt |
-| TestFinallyBreakContinue.java:87:7:87:17 | stmt | TestFinallyBreakContinue.java:87:11:87:11 | x |
+| TestFinallyBreakContinue.java:79:7:81:7 | { ... } | TestFinallyBreakContinue.java:80:8:80:13 | break |
+| TestFinallyBreakContinue.java:80:8:80:13 | break | TestFinallyBreakContinue.java:95:6:97:6 | { ... } |
+| TestFinallyBreakContinue.java:82:7:84:7 | { ... } | TestFinallyBreakContinue.java:83:8:83:16 | continue |
+| TestFinallyBreakContinue.java:83:8:83:16 | continue | TestFinallyBreakContinue.java:95:6:97:6 | { ... } |
+| TestFinallyBreakContinue.java:85:8:85:26 | catch (...) | TestFinallyBreakContinue.java:85:25:85:25 | e |
+| TestFinallyBreakContinue.java:85:25:85:25 | e | TestFinallyBreakContinue.java:86:6:94:6 | { ... } |
+| TestFinallyBreakContinue.java:86:6:94:6 | { ... } | TestFinallyBreakContinue.java:87:7:87:17 | if (...) |
+| TestFinallyBreakContinue.java:87:7:87:17 | if (...) | TestFinallyBreakContinue.java:87:11:87:11 | x |
 | TestFinallyBreakContinue.java:87:11:87:11 | x | TestFinallyBreakContinue.java:87:16:87:16 | 1 |
-| TestFinallyBreakContinue.java:87:11:87:16 | ... == ... | TestFinallyBreakContinue.java:88:7:90:7 | stmt |
-| TestFinallyBreakContinue.java:87:11:87:16 | ... == ... | TestFinallyBreakContinue.java:91:7:93:7 | stmt |
+| TestFinallyBreakContinue.java:87:11:87:16 | ... == ... | TestFinallyBreakContinue.java:88:7:90:7 | { ... } |
+| TestFinallyBreakContinue.java:87:11:87:16 | ... == ... | TestFinallyBreakContinue.java:91:7:93:7 | { ... } |
 | TestFinallyBreakContinue.java:87:16:87:16 | 1 | TestFinallyBreakContinue.java:87:11:87:16 | ... == ... |
-| TestFinallyBreakContinue.java:88:7:90:7 | stmt | TestFinallyBreakContinue.java:89:8:89:15 | stmt |
-| TestFinallyBreakContinue.java:89:8:89:15 | stmt | TestFinallyBreakContinue.java:95:6:97:6 | stmt |
-| TestFinallyBreakContinue.java:91:7:93:7 | stmt | TestFinallyBreakContinue.java:92:8:92:18 | stmt |
-| TestFinallyBreakContinue.java:92:8:92:18 | stmt | TestFinallyBreakContinue.java:95:6:97:6 | stmt |
-| TestFinallyBreakContinue.java:95:6:97:6 | stmt | TestFinallyBreakContinue.java:96:7:96:36 | stmt |
+| TestFinallyBreakContinue.java:88:7:90:7 | { ... } | TestFinallyBreakContinue.java:89:8:89:15 | break |
+| TestFinallyBreakContinue.java:89:8:89:15 | break | TestFinallyBreakContinue.java:95:6:97:6 | { ... } |
+| TestFinallyBreakContinue.java:91:7:93:7 | { ... } | TestFinallyBreakContinue.java:92:8:92:18 | continue |
+| TestFinallyBreakContinue.java:92:8:92:18 | continue | TestFinallyBreakContinue.java:95:6:97:6 | { ... } |
+| TestFinallyBreakContinue.java:95:6:97:6 | { ... } | TestFinallyBreakContinue.java:96:7:96:36 | ...; |
 | TestFinallyBreakContinue.java:96:7:96:16 | System.out | TestFinallyBreakContinue.java:96:26:96:34 | "finally" |
 | TestFinallyBreakContinue.java:96:7:96:35 | println(...) | TestFinallyBreakContinue.java:74:14:74:14 | i |
-| TestFinallyBreakContinue.java:96:7:96:35 | println(...) | TestFinallyBreakContinue.java:99:6:99:24 | stmt |
-| TestFinallyBreakContinue.java:96:7:96:35 | println(...) | TestFinallyBreakContinue.java:103:4:105:4 | stmt |
-| TestFinallyBreakContinue.java:96:7:96:36 | stmt | TestFinallyBreakContinue.java:96:7:96:16 | System.out |
+| TestFinallyBreakContinue.java:96:7:96:35 | println(...) | TestFinallyBreakContinue.java:99:6:99:24 | catch (...) |
+| TestFinallyBreakContinue.java:96:7:96:35 | println(...) | TestFinallyBreakContinue.java:103:4:105:4 | { ... } |
+| TestFinallyBreakContinue.java:96:7:96:36 | ...; | TestFinallyBreakContinue.java:96:7:96:16 | System.out |
 | TestFinallyBreakContinue.java:96:26:96:34 | "finally" | TestFinallyBreakContinue.java:96:7:96:35 | println(...) |
-| TestFinallyBreakContinue.java:99:6:99:24 | stmt | TestFinallyBreakContinue.java:99:23:99:23 | e |
-| TestFinallyBreakContinue.java:99:23:99:23 | e | TestFinallyBreakContinue.java:100:4:102:4 | stmt |
-| TestFinallyBreakContinue.java:100:4:102:4 | stmt | TestFinallyBreakContinue.java:101:5:101:36 | stmt |
+| TestFinallyBreakContinue.java:99:6:99:24 | catch (...) | TestFinallyBreakContinue.java:99:23:99:23 | e |
+| TestFinallyBreakContinue.java:99:23:99:23 | e | TestFinallyBreakContinue.java:100:4:102:4 | { ... } |
+| TestFinallyBreakContinue.java:100:4:102:4 | { ... } | TestFinallyBreakContinue.java:101:5:101:36 | ...; |
 | TestFinallyBreakContinue.java:101:5:101:14 | System.out | TestFinallyBreakContinue.java:101:24:101:34 | "Exception" |
-| TestFinallyBreakContinue.java:101:5:101:35 | println(...) | TestFinallyBreakContinue.java:103:4:105:4 | stmt |
-| TestFinallyBreakContinue.java:101:5:101:36 | stmt | TestFinallyBreakContinue.java:101:5:101:14 | System.out |
+| TestFinallyBreakContinue.java:101:5:101:35 | println(...) | TestFinallyBreakContinue.java:103:4:105:4 | { ... } |
+| TestFinallyBreakContinue.java:101:5:101:36 | ...; | TestFinallyBreakContinue.java:101:5:101:14 | System.out |
 | TestFinallyBreakContinue.java:101:24:101:34 | "Exception" | TestFinallyBreakContinue.java:101:5:101:35 | println(...) |
-| TestFinallyBreakContinue.java:103:4:105:4 | stmt | TestFinallyBreakContinue.java:104:5:104:34 | stmt |
+| TestFinallyBreakContinue.java:103:4:105:4 | { ... } | TestFinallyBreakContinue.java:104:5:104:34 | ...; |
 | TestFinallyBreakContinue.java:104:5:104:14 | System.out | TestFinallyBreakContinue.java:104:24:104:32 | "finally" |
 | TestFinallyBreakContinue.java:104:5:104:33 | println(...) | TestFinallyBreakContinue.java:4:14:4:14 | f |
 | TestFinallyBreakContinue.java:104:5:104:33 | println(...) | TestFinallyBreakContinue.java:106:12:106:15 | true |
-| TestFinallyBreakContinue.java:104:5:104:34 | stmt | TestFinallyBreakContinue.java:104:5:104:14 | System.out |
+| TestFinallyBreakContinue.java:104:5:104:34 | ...; | TestFinallyBreakContinue.java:104:5:104:14 | System.out |
 | TestFinallyBreakContinue.java:104:24:104:32 | "finally" | TestFinallyBreakContinue.java:104:5:104:33 | println(...) |
-| TestFinallyBreakContinue.java:106:12:106:15 | true | TestFinallyBreakContinue.java:71:3:106:3 | stmt |
+| TestFinallyBreakContinue.java:106:12:106:15 | true | TestFinallyBreakContinue.java:71:3:106:3 | { ... } |
diff --git a/java/ql/test/library-tests/successors/TestLoopBranch/FalseSuccessors.expected b/java/ql/test/library-tests/successors/TestLoopBranch/FalseSuccessors.expected
index f64781efc9f..266d4ab24ab 100644
--- a/java/ql/test/library-tests/successors/TestLoopBranch/FalseSuccessors.expected
+++ b/java/ql/test/library-tests/successors/TestLoopBranch/FalseSuccessors.expected
@@ -1,5 +1,5 @@
-| TestLoopBranch.java:17:12:17:17 | ... == ... | TestLoopBranch.java:19:3:22:3 | stmt |
-| TestLoopBranch.java:24:10:24:15 | ... == ... | TestLoopBranch.java:31:3:31:30 | stmt |
-| TestLoopBranch.java:31:19:31:24 | ... < ... | TestLoopBranch.java:37:3:37:3 | stmt |
-| TestLoopBranch.java:46:7:46:13 | ... == ... | TestLoopBranch.java:51:3:51:14 | stmt |
-| TestLoopBranch.java:51:7:51:13 | ... == ... | TestLoopBranch.java:56:3:60:3 | stmt |
+| TestLoopBranch.java:17:12:17:17 | ... == ... | TestLoopBranch.java:19:3:22:3 | { ... } |
+| TestLoopBranch.java:24:10:24:15 | ... == ... | TestLoopBranch.java:31:3:31:30 | for (...) |
+| TestLoopBranch.java:31:19:31:24 | ... < ... | TestLoopBranch.java:37:3:37:3 | ; |
+| TestLoopBranch.java:46:7:46:13 | ... == ... | TestLoopBranch.java:51:3:51:14 | if (...) |
+| TestLoopBranch.java:51:7:51:13 | ... == ... | TestLoopBranch.java:56:3:60:3 | { ... } |
diff --git a/java/ql/test/library-tests/successors/TestLoopBranch/TestSucc.expected b/java/ql/test/library-tests/successors/TestLoopBranch/TestSucc.expected
index d487429aff1..65617702a28 100644
--- a/java/ql/test/library-tests/successors/TestLoopBranch/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/TestLoopBranch/TestSucc.expected
@@ -1,251 +1,251 @@
-| TestLoopBranch.java:3:14:3:27 | stmt | TestLoopBranch.java:4:2:4:13 | stmt |
-| TestLoopBranch.java:4:2:4:13 | ...=... | TestLoopBranch.java:5:2:5:13 | stmt |
-| TestLoopBranch.java:4:2:4:13 | stmt | TestLoopBranch.java:4:11:4:12 | 12 |
+| TestLoopBranch.java:3:14:3:27 | { ... } | TestLoopBranch.java:4:2:4:13 | ...; |
+| TestLoopBranch.java:4:2:4:13 | ...; | TestLoopBranch.java:4:11:4:12 | 12 |
+| TestLoopBranch.java:4:2:4:13 | ...=... | TestLoopBranch.java:5:2:5:13 | ...; |
 | TestLoopBranch.java:4:11:4:12 | 12 | TestLoopBranch.java:4:2:4:13 | ...=... |
+| TestLoopBranch.java:5:2:5:13 | ...; | TestLoopBranch.java:5:11:5:12 | 13 |
 | TestLoopBranch.java:5:2:5:13 | ...=... | TestLoopBranch.java:3:14:3:27 | <obinit> |
-| TestLoopBranch.java:5:2:5:13 | stmt | TestLoopBranch.java:5:11:5:12 | 13 |
 | TestLoopBranch.java:5:11:5:12 | 13 | TestLoopBranch.java:5:2:5:13 | ...=... |
-| TestLoopBranch.java:8:2:107:2 | stmt | TestLoopBranch.java:9:3:9:12 | stmt |
-| TestLoopBranch.java:9:3:9:12 | stmt | TestLoopBranch.java:9:11:9:11 | 1 |
-| TestLoopBranch.java:9:7:9:11 | x | TestLoopBranch.java:10:3:10:12 | stmt |
+| TestLoopBranch.java:8:2:107:2 | { ... } | TestLoopBranch.java:9:3:9:12 | local variable declaration |
+| TestLoopBranch.java:9:3:9:12 | local variable declaration | TestLoopBranch.java:9:11:9:11 | 1 |
+| TestLoopBranch.java:9:7:9:11 | x | TestLoopBranch.java:10:3:10:12 | local variable declaration |
 | TestLoopBranch.java:9:11:9:11 | 1 | TestLoopBranch.java:9:7:9:11 | x |
-| TestLoopBranch.java:10:3:10:12 | stmt | TestLoopBranch.java:10:11:10:11 | 2 |
-| TestLoopBranch.java:10:7:10:11 | y | TestLoopBranch.java:11:3:11:28 | stmt |
+| TestLoopBranch.java:10:3:10:12 | local variable declaration | TestLoopBranch.java:10:11:10:11 | 2 |
+| TestLoopBranch.java:10:7:10:11 | y | TestLoopBranch.java:11:3:11:28 | ...; |
 | TestLoopBranch.java:10:11:10:11 | 2 | TestLoopBranch.java:10:7:10:11 | y |
 | TestLoopBranch.java:11:3:11:12 | System.out | TestLoopBranch.java:11:22:11:26 | "foo" |
-| TestLoopBranch.java:11:3:11:27 | println(...) | TestLoopBranch.java:13:3:17:19 | stmt |
-| TestLoopBranch.java:11:3:11:28 | stmt | TestLoopBranch.java:11:3:11:12 | System.out |
+| TestLoopBranch.java:11:3:11:27 | println(...) | TestLoopBranch.java:13:3:17:19 | do ... while (...) |
+| TestLoopBranch.java:11:3:11:28 | ...; | TestLoopBranch.java:11:3:11:12 | System.out |
 | TestLoopBranch.java:11:22:11:26 | "foo" | TestLoopBranch.java:11:3:11:27 | println(...) |
-| TestLoopBranch.java:13:3:17:19 | stmt | TestLoopBranch.java:14:3:17:3 | stmt |
-| TestLoopBranch.java:14:3:17:3 | stmt | TestLoopBranch.java:15:4:15:29 | stmt |
+| TestLoopBranch.java:13:3:17:19 | do ... while (...) | TestLoopBranch.java:14:3:17:3 | { ... } |
+| TestLoopBranch.java:14:3:17:3 | { ... } | TestLoopBranch.java:15:4:15:29 | ...; |
 | TestLoopBranch.java:15:4:15:13 | System.out | TestLoopBranch.java:15:23:15:27 | "bar" |
-| TestLoopBranch.java:15:4:15:28 | println(...) | TestLoopBranch.java:16:4:16:32 | stmt |
-| TestLoopBranch.java:15:4:15:29 | stmt | TestLoopBranch.java:15:4:15:13 | System.out |
+| TestLoopBranch.java:15:4:15:28 | println(...) | TestLoopBranch.java:16:4:16:32 | ...; |
+| TestLoopBranch.java:15:4:15:29 | ...; | TestLoopBranch.java:15:4:15:13 | System.out |
 | TestLoopBranch.java:15:23:15:27 | "bar" | TestLoopBranch.java:15:4:15:28 | println(...) |
 | TestLoopBranch.java:16:4:16:13 | System.out | TestLoopBranch.java:16:23:16:30 | "foobar" |
 | TestLoopBranch.java:16:4:16:31 | println(...) | TestLoopBranch.java:17:12:17:12 | x |
-| TestLoopBranch.java:16:4:16:32 | stmt | TestLoopBranch.java:16:4:16:13 | System.out |
+| TestLoopBranch.java:16:4:16:32 | ...; | TestLoopBranch.java:16:4:16:13 | System.out |
 | TestLoopBranch.java:16:23:16:30 | "foobar" | TestLoopBranch.java:16:4:16:31 | println(...) |
 | TestLoopBranch.java:17:12:17:12 | x | TestLoopBranch.java:17:17:17:17 | 2 |
-| TestLoopBranch.java:17:12:17:17 | ... == ... | TestLoopBranch.java:14:3:17:3 | stmt |
-| TestLoopBranch.java:17:12:17:17 | ... == ... | TestLoopBranch.java:19:3:22:3 | stmt |
+| TestLoopBranch.java:17:12:17:17 | ... == ... | TestLoopBranch.java:14:3:17:3 | { ... } |
+| TestLoopBranch.java:17:12:17:17 | ... == ... | TestLoopBranch.java:19:3:22:3 | { ... } |
 | TestLoopBranch.java:17:17:17:17 | 2 | TestLoopBranch.java:17:12:17:17 | ... == ... |
-| TestLoopBranch.java:19:3:22:3 | stmt | TestLoopBranch.java:20:4:20:32 | stmt |
+| TestLoopBranch.java:19:3:22:3 | { ... } | TestLoopBranch.java:20:4:20:32 | ...; |
 | TestLoopBranch.java:20:4:20:13 | System.out | TestLoopBranch.java:20:23:20:30 | "shazam" |
-| TestLoopBranch.java:20:4:20:31 | println(...) | TestLoopBranch.java:21:4:21:32 | stmt |
-| TestLoopBranch.java:20:4:20:32 | stmt | TestLoopBranch.java:20:4:20:13 | System.out |
+| TestLoopBranch.java:20:4:20:31 | println(...) | TestLoopBranch.java:21:4:21:32 | ...; |
+| TestLoopBranch.java:20:4:20:32 | ...; | TestLoopBranch.java:20:4:20:13 | System.out |
 | TestLoopBranch.java:20:23:20:30 | "shazam" | TestLoopBranch.java:20:4:20:31 | println(...) |
 | TestLoopBranch.java:21:4:21:13 | System.out | TestLoopBranch.java:21:23:21:30 | "boogie" |
-| TestLoopBranch.java:21:4:21:31 | println(...) | TestLoopBranch.java:24:3:24:16 | stmt |
-| TestLoopBranch.java:21:4:21:32 | stmt | TestLoopBranch.java:21:4:21:13 | System.out |
+| TestLoopBranch.java:21:4:21:31 | println(...) | TestLoopBranch.java:24:3:24:16 | while (...) |
+| TestLoopBranch.java:21:4:21:32 | ...; | TestLoopBranch.java:21:4:21:13 | System.out |
 | TestLoopBranch.java:21:23:21:30 | "boogie" | TestLoopBranch.java:21:4:21:31 | println(...) |
-| TestLoopBranch.java:24:3:24:16 | stmt | TestLoopBranch.java:24:10:24:10 | x |
+| TestLoopBranch.java:24:3:24:16 | while (...) | TestLoopBranch.java:24:10:24:10 | x |
 | TestLoopBranch.java:24:10:24:10 | x | TestLoopBranch.java:24:15:24:15 | 1 |
-| TestLoopBranch.java:24:10:24:15 | ... == ... | TestLoopBranch.java:25:3:29:3 | stmt |
-| TestLoopBranch.java:24:10:24:15 | ... == ... | TestLoopBranch.java:31:3:31:30 | stmt |
+| TestLoopBranch.java:24:10:24:15 | ... == ... | TestLoopBranch.java:25:3:29:3 | { ... } |
+| TestLoopBranch.java:24:10:24:15 | ... == ... | TestLoopBranch.java:31:3:31:30 | for (...) |
 | TestLoopBranch.java:24:15:24:15 | 1 | TestLoopBranch.java:24:10:24:15 | ... == ... |
-| TestLoopBranch.java:25:3:29:3 | stmt | TestLoopBranch.java:26:4:26:36 | stmt |
+| TestLoopBranch.java:25:3:29:3 | { ... } | TestLoopBranch.java:26:4:26:36 | ...; |
 | TestLoopBranch.java:26:4:26:13 | System.out | TestLoopBranch.java:26:23:26:34 | "wonderland" |
-| TestLoopBranch.java:26:4:26:35 | println(...) | TestLoopBranch.java:27:4:27:32 | stmt |
-| TestLoopBranch.java:26:4:26:36 | stmt | TestLoopBranch.java:26:4:26:13 | System.out |
+| TestLoopBranch.java:26:4:26:35 | println(...) | TestLoopBranch.java:27:4:27:32 | ...; |
+| TestLoopBranch.java:26:4:26:36 | ...; | TestLoopBranch.java:26:4:26:13 | System.out |
 | TestLoopBranch.java:26:23:26:34 | "wonderland" | TestLoopBranch.java:26:4:26:35 | println(...) |
 | TestLoopBranch.java:27:4:27:13 | System.out | TestLoopBranch.java:27:23:27:30 | "shodan" |
-| TestLoopBranch.java:27:4:27:31 | println(...) | TestLoopBranch.java:28:4:28:13 | stmt |
-| TestLoopBranch.java:27:4:27:32 | stmt | TestLoopBranch.java:27:4:27:13 | System.out |
+| TestLoopBranch.java:27:4:27:31 | println(...) | TestLoopBranch.java:28:4:28:13 | ...; |
+| TestLoopBranch.java:27:4:27:32 | ...; | TestLoopBranch.java:27:4:27:13 | System.out |
 | TestLoopBranch.java:27:23:27:30 | "shodan" | TestLoopBranch.java:27:4:27:31 | println(...) |
 | TestLoopBranch.java:28:4:28:12 | ...=... | TestLoopBranch.java:24:10:24:10 | x |
-| TestLoopBranch.java:28:4:28:13 | stmt | TestLoopBranch.java:28:8:28:8 | x |
+| TestLoopBranch.java:28:4:28:13 | ...; | TestLoopBranch.java:28:8:28:8 | x |
 | TestLoopBranch.java:28:8:28:8 | x | TestLoopBranch.java:28:12:28:12 | 1 |
 | TestLoopBranch.java:28:8:28:12 | ... + ... | TestLoopBranch.java:28:4:28:12 | ...=... |
 | TestLoopBranch.java:28:12:28:12 | 1 | TestLoopBranch.java:28:8:28:12 | ... + ... |
-| TestLoopBranch.java:31:3:31:30 | stmt | TestLoopBranch.java:31:16:31:16 | 0 |
+| TestLoopBranch.java:31:3:31:30 | for (...) | TestLoopBranch.java:31:16:31:16 | 0 |
 | TestLoopBranch.java:31:12:31:16 | i | TestLoopBranch.java:31:19:31:19 | i |
 | TestLoopBranch.java:31:16:31:16 | 0 | TestLoopBranch.java:31:12:31:16 | i |
 | TestLoopBranch.java:31:19:31:19 | i | TestLoopBranch.java:31:23:31:24 | 10 |
-| TestLoopBranch.java:31:19:31:24 | ... < ... | TestLoopBranch.java:32:3:35:3 | stmt |
-| TestLoopBranch.java:31:19:31:24 | ... < ... | TestLoopBranch.java:37:3:37:3 | stmt |
+| TestLoopBranch.java:31:19:31:24 | ... < ... | TestLoopBranch.java:32:3:35:3 | { ... } |
+| TestLoopBranch.java:31:19:31:24 | ... < ... | TestLoopBranch.java:37:3:37:3 | ; |
 | TestLoopBranch.java:31:23:31:24 | 10 | TestLoopBranch.java:31:19:31:24 | ... < ... |
 | TestLoopBranch.java:31:27:31:27 | i | TestLoopBranch.java:31:27:31:29 | ...++ |
 | TestLoopBranch.java:31:27:31:29 | ...++ | TestLoopBranch.java:31:19:31:19 | i |
-| TestLoopBranch.java:32:3:35:3 | stmt | TestLoopBranch.java:33:4:33:33 | stmt |
+| TestLoopBranch.java:32:3:35:3 | { ... } | TestLoopBranch.java:33:4:33:33 | ...; |
 | TestLoopBranch.java:33:4:33:13 | System.out | TestLoopBranch.java:33:23:33:31 | "rapture" |
-| TestLoopBranch.java:33:4:33:32 | println(...) | TestLoopBranch.java:34:4:34:13 | stmt |
-| TestLoopBranch.java:33:4:33:33 | stmt | TestLoopBranch.java:33:4:33:13 | System.out |
+| TestLoopBranch.java:33:4:33:32 | println(...) | TestLoopBranch.java:34:4:34:13 | ...; |
+| TestLoopBranch.java:33:4:33:33 | ...; | TestLoopBranch.java:33:4:33:13 | System.out |
 | TestLoopBranch.java:33:23:33:31 | "rapture" | TestLoopBranch.java:33:4:33:32 | println(...) |
 | TestLoopBranch.java:34:4:34:12 | ...=... | TestLoopBranch.java:31:27:31:27 | i |
-| TestLoopBranch.java:34:4:34:13 | stmt | TestLoopBranch.java:34:8:34:8 | x |
+| TestLoopBranch.java:34:4:34:13 | ...; | TestLoopBranch.java:34:8:34:8 | x |
 | TestLoopBranch.java:34:8:34:8 | x | TestLoopBranch.java:34:12:34:12 | 2 |
 | TestLoopBranch.java:34:8:34:12 | ... - ... | TestLoopBranch.java:34:4:34:12 | ...=... |
 | TestLoopBranch.java:34:12:34:12 | 2 | TestLoopBranch.java:34:8:34:12 | ... - ... |
-| TestLoopBranch.java:37:3:37:3 | stmt | TestLoopBranch.java:38:3:38:3 | stmt |
-| TestLoopBranch.java:38:3:38:3 | stmt | TestLoopBranch.java:40:3:40:27 | stmt |
-| TestLoopBranch.java:40:3:40:27 | stmt | TestLoopBranch.java:40:24:40:25 | 20 |
-| TestLoopBranch.java:40:12:40:12 | j | TestLoopBranch.java:41:3:44:3 | stmt |
+| TestLoopBranch.java:37:3:37:3 | ; | TestLoopBranch.java:38:3:38:3 | ; |
+| TestLoopBranch.java:38:3:38:3 | ; | TestLoopBranch.java:40:3:40:27 | for (... : ...) |
+| TestLoopBranch.java:40:3:40:27 | for (... : ...) | TestLoopBranch.java:40:24:40:25 | 20 |
+| TestLoopBranch.java:40:12:40:12 | j | TestLoopBranch.java:41:3:44:3 | { ... } |
 | TestLoopBranch.java:40:16:40:26 | new int[] | TestLoopBranch.java:40:12:40:12 | j |
-| TestLoopBranch.java:40:16:40:26 | new int[] | TestLoopBranch.java:46:3:46:14 | stmt |
+| TestLoopBranch.java:40:16:40:26 | new int[] | TestLoopBranch.java:46:3:46:14 | if (...) |
 | TestLoopBranch.java:40:24:40:25 | 20 | TestLoopBranch.java:40:16:40:26 | new int[] |
-| TestLoopBranch.java:41:3:44:3 | stmt | TestLoopBranch.java:42:4:42:37 | stmt |
+| TestLoopBranch.java:41:3:44:3 | { ... } | TestLoopBranch.java:42:4:42:37 | ...; |
 | TestLoopBranch.java:42:4:42:13 | System.out | TestLoopBranch.java:42:23:42:31 | "Zero : " |
-| TestLoopBranch.java:42:4:42:36 | println(...) | TestLoopBranch.java:43:4:43:13 | stmt |
-| TestLoopBranch.java:42:4:42:37 | stmt | TestLoopBranch.java:42:4:42:13 | System.out |
+| TestLoopBranch.java:42:4:42:36 | println(...) | TestLoopBranch.java:43:4:43:13 | ...; |
+| TestLoopBranch.java:42:4:42:37 | ...; | TestLoopBranch.java:42:4:42:13 | System.out |
 | TestLoopBranch.java:42:23:42:31 | "Zero : " | TestLoopBranch.java:42:35:42:35 | j |
 | TestLoopBranch.java:42:23:42:35 | ... + ... | TestLoopBranch.java:42:4:42:36 | println(...) |
 | TestLoopBranch.java:42:35:42:35 | j | TestLoopBranch.java:42:23:42:35 | ... + ... |
 | TestLoopBranch.java:43:4:43:12 | ...=... | TestLoopBranch.java:40:12:40:12 | j |
-| TestLoopBranch.java:43:4:43:12 | ...=... | TestLoopBranch.java:46:3:46:14 | stmt |
-| TestLoopBranch.java:43:4:43:13 | stmt | TestLoopBranch.java:43:8:43:8 | j |
+| TestLoopBranch.java:43:4:43:12 | ...=... | TestLoopBranch.java:46:3:46:14 | if (...) |
+| TestLoopBranch.java:43:4:43:13 | ...; | TestLoopBranch.java:43:8:43:8 | j |
 | TestLoopBranch.java:43:8:43:8 | j | TestLoopBranch.java:43:12:43:12 | x |
 | TestLoopBranch.java:43:8:43:12 | ... + ... | TestLoopBranch.java:43:4:43:12 | ...=... |
 | TestLoopBranch.java:43:12:43:12 | x | TestLoopBranch.java:43:8:43:12 | ... + ... |
-| TestLoopBranch.java:46:3:46:14 | stmt | TestLoopBranch.java:46:7:46:7 | y |
+| TestLoopBranch.java:46:3:46:14 | if (...) | TestLoopBranch.java:46:7:46:7 | y |
 | TestLoopBranch.java:46:7:46:7 | y | TestLoopBranch.java:46:13:46:13 | 1 |
-| TestLoopBranch.java:46:7:46:13 | ... == ... | TestLoopBranch.java:47:3:49:3 | stmt |
-| TestLoopBranch.java:46:7:46:13 | ... == ... | TestLoopBranch.java:51:3:51:14 | stmt |
+| TestLoopBranch.java:46:7:46:13 | ... == ... | TestLoopBranch.java:47:3:49:3 | { ... } |
+| TestLoopBranch.java:46:7:46:13 | ... == ... | TestLoopBranch.java:51:3:51:14 | if (...) |
 | TestLoopBranch.java:46:12:46:13 | -... | TestLoopBranch.java:46:7:46:13 | ... == ... |
 | TestLoopBranch.java:46:13:46:13 | 1 | TestLoopBranch.java:46:12:46:13 | -... |
-| TestLoopBranch.java:47:3:49:3 | stmt | TestLoopBranch.java:48:4:48:35 | stmt |
+| TestLoopBranch.java:47:3:49:3 | { ... } | TestLoopBranch.java:48:4:48:35 | ...; |
 | TestLoopBranch.java:48:4:48:13 | System.out | TestLoopBranch.java:48:23:48:33 | "i squared" |
-| TestLoopBranch.java:48:4:48:34 | println(...) | TestLoopBranch.java:51:3:51:14 | stmt |
-| TestLoopBranch.java:48:4:48:35 | stmt | TestLoopBranch.java:48:4:48:13 | System.out |
+| TestLoopBranch.java:48:4:48:34 | println(...) | TestLoopBranch.java:51:3:51:14 | if (...) |
+| TestLoopBranch.java:48:4:48:35 | ...; | TestLoopBranch.java:48:4:48:13 | System.out |
 | TestLoopBranch.java:48:23:48:33 | "i squared" | TestLoopBranch.java:48:4:48:34 | println(...) |
-| TestLoopBranch.java:51:3:51:14 | stmt | TestLoopBranch.java:51:7:51:7 | x |
+| TestLoopBranch.java:51:3:51:14 | if (...) | TestLoopBranch.java:51:7:51:7 | x |
 | TestLoopBranch.java:51:7:51:7 | x | TestLoopBranch.java:51:12:51:13 | 42 |
-| TestLoopBranch.java:51:7:51:13 | ... == ... | TestLoopBranch.java:52:3:55:3 | stmt |
-| TestLoopBranch.java:51:7:51:13 | ... == ... | TestLoopBranch.java:56:3:60:3 | stmt |
+| TestLoopBranch.java:51:7:51:13 | ... == ... | TestLoopBranch.java:52:3:55:3 | { ... } |
+| TestLoopBranch.java:51:7:51:13 | ... == ... | TestLoopBranch.java:56:3:60:3 | { ... } |
 | TestLoopBranch.java:51:12:51:13 | 42 | TestLoopBranch.java:51:7:51:13 | ... == ... |
-| TestLoopBranch.java:52:3:55:3 | stmt | TestLoopBranch.java:53:4:53:29 | stmt |
+| TestLoopBranch.java:52:3:55:3 | { ... } | TestLoopBranch.java:53:4:53:29 | ...; |
 | TestLoopBranch.java:53:4:53:13 | System.out | TestLoopBranch.java:53:23:53:27 | "rat" |
-| TestLoopBranch.java:53:4:53:28 | println(...) | TestLoopBranch.java:54:4:54:13 | stmt |
-| TestLoopBranch.java:53:4:53:29 | stmt | TestLoopBranch.java:53:4:53:13 | System.out |
+| TestLoopBranch.java:53:4:53:28 | println(...) | TestLoopBranch.java:54:4:54:13 | ...; |
+| TestLoopBranch.java:53:4:53:29 | ...; | TestLoopBranch.java:53:4:53:13 | System.out |
 | TestLoopBranch.java:53:23:53:27 | "rat" | TestLoopBranch.java:53:4:53:28 | println(...) |
-| TestLoopBranch.java:54:4:54:12 | ...=... | TestLoopBranch.java:62:3:62:12 | stmt |
-| TestLoopBranch.java:54:4:54:13 | stmt | TestLoopBranch.java:54:8:54:8 | 6 |
+| TestLoopBranch.java:54:4:54:12 | ...=... | TestLoopBranch.java:62:3:62:12 | switch (...) |
+| TestLoopBranch.java:54:4:54:13 | ...; | TestLoopBranch.java:54:8:54:8 | 6 |
 | TestLoopBranch.java:54:8:54:8 | 6 | TestLoopBranch.java:54:12:54:12 | 9 |
 | TestLoopBranch.java:54:8:54:12 | ... * ... | TestLoopBranch.java:54:4:54:12 | ...=... |
 | TestLoopBranch.java:54:12:54:12 | 9 | TestLoopBranch.java:54:8:54:12 | ... * ... |
-| TestLoopBranch.java:56:3:60:3 | stmt | TestLoopBranch.java:57:4:57:29 | stmt |
+| TestLoopBranch.java:56:3:60:3 | { ... } | TestLoopBranch.java:57:4:57:29 | ...; |
 | TestLoopBranch.java:57:4:57:13 | System.out | TestLoopBranch.java:57:23:57:27 | "arr" |
-| TestLoopBranch.java:57:4:57:28 | println(...) | TestLoopBranch.java:58:4:58:13 | stmt |
-| TestLoopBranch.java:57:4:57:29 | stmt | TestLoopBranch.java:57:4:57:13 | System.out |
+| TestLoopBranch.java:57:4:57:28 | println(...) | TestLoopBranch.java:58:4:58:13 | ...; |
+| TestLoopBranch.java:57:4:57:29 | ...; | TestLoopBranch.java:57:4:57:13 | System.out |
 | TestLoopBranch.java:57:23:57:27 | "arr" | TestLoopBranch.java:57:4:57:28 | println(...) |
-| TestLoopBranch.java:58:4:58:12 | ...=... | TestLoopBranch.java:59:4:59:10 | stmt |
-| TestLoopBranch.java:58:4:58:13 | stmt | TestLoopBranch.java:58:8:58:8 | y |
+| TestLoopBranch.java:58:4:58:12 | ...=... | TestLoopBranch.java:59:4:59:10 | return ... |
+| TestLoopBranch.java:58:4:58:13 | ...; | TestLoopBranch.java:58:8:58:8 | y |
 | TestLoopBranch.java:58:8:58:8 | y | TestLoopBranch.java:58:12:58:12 | x |
 | TestLoopBranch.java:58:8:58:12 | ... * ... | TestLoopBranch.java:58:4:58:12 | ...=... |
 | TestLoopBranch.java:58:12:58:12 | x | TestLoopBranch.java:58:8:58:12 | ... * ... |
-| TestLoopBranch.java:59:4:59:10 | stmt | TestLoopBranch.java:7:14:7:14 | f |
-| TestLoopBranch.java:62:3:62:12 | stmt | TestLoopBranch.java:62:11:62:11 | x |
-| TestLoopBranch.java:62:11:62:11 | x | TestLoopBranch.java:64:3:64:9 | stmt |
-| TestLoopBranch.java:62:11:62:11 | x | TestLoopBranch.java:67:3:67:9 | stmt |
-| TestLoopBranch.java:62:11:62:11 | x | TestLoopBranch.java:71:3:71:9 | stmt |
-| TestLoopBranch.java:62:11:62:11 | x | TestLoopBranch.java:72:3:72:9 | stmt |
-| TestLoopBranch.java:62:11:62:11 | x | TestLoopBranch.java:76:3:76:9 | stmt |
-| TestLoopBranch.java:62:11:62:11 | x | TestLoopBranch.java:77:3:77:9 | stmt |
-| TestLoopBranch.java:62:11:62:11 | x | TestLoopBranch.java:80:3:80:10 | stmt |
-| TestLoopBranch.java:64:3:64:9 | stmt | TestLoopBranch.java:65:4:65:13 | stmt |
-| TestLoopBranch.java:65:4:65:12 | ...=... | TestLoopBranch.java:66:4:66:13 | stmt |
-| TestLoopBranch.java:65:4:65:13 | stmt | TestLoopBranch.java:65:8:65:8 | x |
+| TestLoopBranch.java:59:4:59:10 | return ... | TestLoopBranch.java:7:14:7:14 | f |
+| TestLoopBranch.java:62:3:62:12 | switch (...) | TestLoopBranch.java:62:11:62:11 | x |
+| TestLoopBranch.java:62:11:62:11 | x | TestLoopBranch.java:64:3:64:9 | case ... |
+| TestLoopBranch.java:62:11:62:11 | x | TestLoopBranch.java:67:3:67:9 | case ... |
+| TestLoopBranch.java:62:11:62:11 | x | TestLoopBranch.java:71:3:71:9 | case ... |
+| TestLoopBranch.java:62:11:62:11 | x | TestLoopBranch.java:72:3:72:9 | case ... |
+| TestLoopBranch.java:62:11:62:11 | x | TestLoopBranch.java:76:3:76:9 | case ... |
+| TestLoopBranch.java:62:11:62:11 | x | TestLoopBranch.java:77:3:77:9 | case ... |
+| TestLoopBranch.java:62:11:62:11 | x | TestLoopBranch.java:80:3:80:10 | default |
+| TestLoopBranch.java:64:3:64:9 | case ... | TestLoopBranch.java:65:4:65:13 | ...; |
+| TestLoopBranch.java:65:4:65:12 | ...=... | TestLoopBranch.java:66:4:66:13 | ...; |
+| TestLoopBranch.java:65:4:65:13 | ...; | TestLoopBranch.java:65:8:65:8 | x |
 | TestLoopBranch.java:65:8:65:8 | x | TestLoopBranch.java:65:12:65:12 | 1 |
 | TestLoopBranch.java:65:8:65:12 | ... + ... | TestLoopBranch.java:65:4:65:12 | ...=... |
 | TestLoopBranch.java:65:12:65:12 | 1 | TestLoopBranch.java:65:8:65:12 | ... + ... |
-| TestLoopBranch.java:66:4:66:12 | ...=... | TestLoopBranch.java:67:3:67:9 | stmt |
-| TestLoopBranch.java:66:4:66:13 | stmt | TestLoopBranch.java:66:8:66:8 | y |
+| TestLoopBranch.java:66:4:66:12 | ...=... | TestLoopBranch.java:67:3:67:9 | case ... |
+| TestLoopBranch.java:66:4:66:13 | ...; | TestLoopBranch.java:66:8:66:8 | y |
 | TestLoopBranch.java:66:8:66:8 | y | TestLoopBranch.java:66:12:66:12 | 1 |
 | TestLoopBranch.java:66:8:66:12 | ... + ... | TestLoopBranch.java:66:4:66:12 | ...=... |
 | TestLoopBranch.java:66:12:66:12 | 1 | TestLoopBranch.java:66:8:66:12 | ... + ... |
-| TestLoopBranch.java:67:3:67:9 | stmt | TestLoopBranch.java:68:4:68:13 | stmt |
-| TestLoopBranch.java:68:4:68:12 | ...=... | TestLoopBranch.java:69:4:69:13 | stmt |
-| TestLoopBranch.java:68:4:68:13 | stmt | TestLoopBranch.java:68:8:68:8 | x |
+| TestLoopBranch.java:67:3:67:9 | case ... | TestLoopBranch.java:68:4:68:13 | ...; |
+| TestLoopBranch.java:68:4:68:12 | ...=... | TestLoopBranch.java:69:4:69:13 | ...; |
+| TestLoopBranch.java:68:4:68:13 | ...; | TestLoopBranch.java:68:8:68:8 | x |
 | TestLoopBranch.java:68:8:68:8 | x | TestLoopBranch.java:68:12:68:12 | 2 |
 | TestLoopBranch.java:68:8:68:12 | ... + ... | TestLoopBranch.java:68:4:68:12 | ...=... |
 | TestLoopBranch.java:68:12:68:12 | 2 | TestLoopBranch.java:68:8:68:12 | ... + ... |
-| TestLoopBranch.java:69:4:69:12 | ...=... | TestLoopBranch.java:70:4:70:9 | stmt |
-| TestLoopBranch.java:69:4:69:13 | stmt | TestLoopBranch.java:69:8:69:8 | y |
+| TestLoopBranch.java:69:4:69:12 | ...=... | TestLoopBranch.java:70:4:70:9 | break |
+| TestLoopBranch.java:69:4:69:13 | ...; | TestLoopBranch.java:69:8:69:8 | y |
 | TestLoopBranch.java:69:8:69:8 | y | TestLoopBranch.java:69:12:69:12 | 2 |
 | TestLoopBranch.java:69:8:69:12 | ... + ... | TestLoopBranch.java:69:4:69:12 | ...=... |
 | TestLoopBranch.java:69:12:69:12 | 2 | TestLoopBranch.java:69:8:69:12 | ... + ... |
-| TestLoopBranch.java:70:4:70:9 | stmt | TestLoopBranch.java:86:3:86:11 | stmt |
-| TestLoopBranch.java:71:3:71:9 | stmt | TestLoopBranch.java:72:3:72:9 | stmt |
-| TestLoopBranch.java:72:3:72:9 | stmt | TestLoopBranch.java:73:4:73:13 | stmt |
-| TestLoopBranch.java:73:4:73:12 | ...=... | TestLoopBranch.java:74:4:74:13 | stmt |
-| TestLoopBranch.java:73:4:73:13 | stmt | TestLoopBranch.java:73:8:73:8 | x |
+| TestLoopBranch.java:70:4:70:9 | break | TestLoopBranch.java:86:3:86:11 | switch (...) |
+| TestLoopBranch.java:71:3:71:9 | case ... | TestLoopBranch.java:72:3:72:9 | case ... |
+| TestLoopBranch.java:72:3:72:9 | case ... | TestLoopBranch.java:73:4:73:13 | ...; |
+| TestLoopBranch.java:73:4:73:12 | ...=... | TestLoopBranch.java:74:4:74:13 | ...; |
+| TestLoopBranch.java:73:4:73:13 | ...; | TestLoopBranch.java:73:8:73:8 | x |
 | TestLoopBranch.java:73:8:73:8 | x | TestLoopBranch.java:73:12:73:12 | 3 |
 | TestLoopBranch.java:73:8:73:12 | ... + ... | TestLoopBranch.java:73:4:73:12 | ...=... |
 | TestLoopBranch.java:73:12:73:12 | 3 | TestLoopBranch.java:73:8:73:12 | ... + ... |
-| TestLoopBranch.java:74:4:74:12 | ...=... | TestLoopBranch.java:75:4:75:9 | stmt |
-| TestLoopBranch.java:74:4:74:13 | stmt | TestLoopBranch.java:74:8:74:8 | y |
+| TestLoopBranch.java:74:4:74:12 | ...=... | TestLoopBranch.java:75:4:75:9 | break |
+| TestLoopBranch.java:74:4:74:13 | ...; | TestLoopBranch.java:74:8:74:8 | y |
 | TestLoopBranch.java:74:8:74:8 | y | TestLoopBranch.java:74:12:74:12 | 4 |
 | TestLoopBranch.java:74:8:74:12 | ... + ... | TestLoopBranch.java:74:4:74:12 | ...=... |
 | TestLoopBranch.java:74:12:74:12 | 4 | TestLoopBranch.java:74:8:74:12 | ... + ... |
-| TestLoopBranch.java:75:4:75:9 | stmt | TestLoopBranch.java:86:3:86:11 | stmt |
-| TestLoopBranch.java:76:3:76:9 | stmt | TestLoopBranch.java:77:3:77:9 | stmt |
-| TestLoopBranch.java:77:3:77:9 | stmt | TestLoopBranch.java:78:4:78:13 | stmt |
-| TestLoopBranch.java:78:4:78:12 | ...=... | TestLoopBranch.java:79:4:79:13 | stmt |
-| TestLoopBranch.java:78:4:78:13 | stmt | TestLoopBranch.java:78:8:78:8 | x |
+| TestLoopBranch.java:75:4:75:9 | break | TestLoopBranch.java:86:3:86:11 | switch (...) |
+| TestLoopBranch.java:76:3:76:9 | case ... | TestLoopBranch.java:77:3:77:9 | case ... |
+| TestLoopBranch.java:77:3:77:9 | case ... | TestLoopBranch.java:78:4:78:13 | ...; |
+| TestLoopBranch.java:78:4:78:12 | ...=... | TestLoopBranch.java:79:4:79:13 | ...; |
+| TestLoopBranch.java:78:4:78:13 | ...; | TestLoopBranch.java:78:8:78:8 | x |
 | TestLoopBranch.java:78:8:78:8 | x | TestLoopBranch.java:78:12:78:12 | 5 |
 | TestLoopBranch.java:78:8:78:12 | ... + ... | TestLoopBranch.java:78:4:78:12 | ...=... |
 | TestLoopBranch.java:78:12:78:12 | 5 | TestLoopBranch.java:78:8:78:12 | ... + ... |
-| TestLoopBranch.java:79:4:79:12 | ...=... | TestLoopBranch.java:80:3:80:10 | stmt |
-| TestLoopBranch.java:79:4:79:13 | stmt | TestLoopBranch.java:79:8:79:8 | y |
+| TestLoopBranch.java:79:4:79:12 | ...=... | TestLoopBranch.java:80:3:80:10 | default |
+| TestLoopBranch.java:79:4:79:13 | ...; | TestLoopBranch.java:79:8:79:8 | y |
 | TestLoopBranch.java:79:8:79:8 | y | TestLoopBranch.java:79:12:79:12 | 6 |
 | TestLoopBranch.java:79:8:79:12 | ... + ... | TestLoopBranch.java:79:4:79:12 | ...=... |
 | TestLoopBranch.java:79:12:79:12 | 6 | TestLoopBranch.java:79:8:79:12 | ... + ... |
-| TestLoopBranch.java:80:3:80:10 | stmt | TestLoopBranch.java:81:4:81:9 | stmt |
-| TestLoopBranch.java:81:4:81:8 | ...=... | TestLoopBranch.java:82:4:82:9 | stmt |
-| TestLoopBranch.java:81:4:81:9 | stmt | TestLoopBranch.java:81:8:81:8 | y |
+| TestLoopBranch.java:80:3:80:10 | default | TestLoopBranch.java:81:4:81:9 | ...; |
+| TestLoopBranch.java:81:4:81:8 | ...=... | TestLoopBranch.java:82:4:82:9 | ...; |
+| TestLoopBranch.java:81:4:81:9 | ...; | TestLoopBranch.java:81:8:81:8 | y |
 | TestLoopBranch.java:81:8:81:8 | y | TestLoopBranch.java:81:4:81:8 | ...=... |
-| TestLoopBranch.java:82:4:82:8 | ...=... | TestLoopBranch.java:86:3:86:11 | stmt |
-| TestLoopBranch.java:82:4:82:9 | stmt | TestLoopBranch.java:82:8:82:8 | x |
+| TestLoopBranch.java:82:4:82:8 | ...=... | TestLoopBranch.java:86:3:86:11 | switch (...) |
+| TestLoopBranch.java:82:4:82:9 | ...; | TestLoopBranch.java:82:8:82:8 | x |
 | TestLoopBranch.java:82:8:82:8 | x | TestLoopBranch.java:82:4:82:8 | ...=... |
-| TestLoopBranch.java:86:3:86:11 | stmt | TestLoopBranch.java:86:10:86:10 | x |
-| TestLoopBranch.java:86:10:86:10 | x | TestLoopBranch.java:88:3:88:9 | stmt |
-| TestLoopBranch.java:86:10:86:10 | x | TestLoopBranch.java:91:3:91:9 | stmt |
-| TestLoopBranch.java:86:10:86:10 | x | TestLoopBranch.java:96:3:102:4 | stmt |
-| TestLoopBranch.java:88:3:88:9 | stmt | TestLoopBranch.java:89:4:89:9 | stmt |
-| TestLoopBranch.java:89:4:89:8 | ...=... | TestLoopBranch.java:90:4:90:9 | stmt |
-| TestLoopBranch.java:89:4:89:9 | stmt | TestLoopBranch.java:89:8:89:8 | 1 |
+| TestLoopBranch.java:86:3:86:11 | switch (...) | TestLoopBranch.java:86:10:86:10 | x |
+| TestLoopBranch.java:86:10:86:10 | x | TestLoopBranch.java:88:3:88:9 | case ... |
+| TestLoopBranch.java:86:10:86:10 | x | TestLoopBranch.java:91:3:91:9 | case ... |
+| TestLoopBranch.java:86:10:86:10 | x | TestLoopBranch.java:96:3:102:4 | local variable declaration |
+| TestLoopBranch.java:88:3:88:9 | case ... | TestLoopBranch.java:89:4:89:9 | ...; |
+| TestLoopBranch.java:89:4:89:8 | ...=... | TestLoopBranch.java:90:4:90:9 | break |
+| TestLoopBranch.java:89:4:89:9 | ...; | TestLoopBranch.java:89:8:89:8 | 1 |
 | TestLoopBranch.java:89:8:89:8 | 1 | TestLoopBranch.java:89:4:89:8 | ...=... |
-| TestLoopBranch.java:90:4:90:9 | stmt | TestLoopBranch.java:96:3:102:4 | stmt |
-| TestLoopBranch.java:91:3:91:9 | stmt | TestLoopBranch.java:92:4:92:9 | stmt |
-| TestLoopBranch.java:92:4:92:8 | ...=... | TestLoopBranch.java:93:4:93:9 | stmt |
-| TestLoopBranch.java:92:4:92:9 | stmt | TestLoopBranch.java:92:8:92:8 | 2 |
+| TestLoopBranch.java:90:4:90:9 | break | TestLoopBranch.java:96:3:102:4 | local variable declaration |
+| TestLoopBranch.java:91:3:91:9 | case ... | TestLoopBranch.java:92:4:92:9 | ...; |
+| TestLoopBranch.java:92:4:92:8 | ...=... | TestLoopBranch.java:93:4:93:9 | break |
+| TestLoopBranch.java:92:4:92:9 | ...; | TestLoopBranch.java:92:8:92:8 | 2 |
 | TestLoopBranch.java:92:8:92:8 | 2 | TestLoopBranch.java:92:4:92:8 | ...=... |
-| TestLoopBranch.java:93:4:93:9 | stmt | TestLoopBranch.java:96:3:102:4 | stmt |
-| TestLoopBranch.java:96:3:102:4 | stmt | TestLoopBranch.java:96:26:102:3 | new (...) |
-| TestLoopBranch.java:96:22:102:3 | b | TestLoopBranch.java:103:3:103:21 | stmt |
+| TestLoopBranch.java:93:4:93:9 | break | TestLoopBranch.java:96:3:102:4 | local variable declaration |
+| TestLoopBranch.java:96:3:102:4 | local variable declaration | TestLoopBranch.java:96:26:102:3 | new (...) |
+| TestLoopBranch.java:96:22:102:3 | b | TestLoopBranch.java:103:3:103:21 | ...; |
 | TestLoopBranch.java:96:26:102:3 | new (...) | TestLoopBranch.java:96:22:102:3 | b |
-| TestLoopBranch.java:96:30:96:47 | stmt | TestLoopBranch.java:96:30:96:47 | super(...) |
 | TestLoopBranch.java:96:30:96:47 | super(...) | TestLoopBranch.java:96:30:96:47 |  |
-| TestLoopBranch.java:99:4:101:4 | stmt | TestLoopBranch.java:100:12:100:12 | 0 |
-| TestLoopBranch.java:100:5:100:13 | stmt | TestLoopBranch.java:98:15:98:23 | compareTo |
-| TestLoopBranch.java:100:12:100:12 | 0 | TestLoopBranch.java:100:5:100:13 | stmt |
+| TestLoopBranch.java:96:30:96:47 | { ... } | TestLoopBranch.java:96:30:96:47 | super(...) |
+| TestLoopBranch.java:99:4:101:4 | { ... } | TestLoopBranch.java:100:12:100:12 | 0 |
+| TestLoopBranch.java:100:5:100:13 | return ... | TestLoopBranch.java:98:15:98:23 | compareTo |
+| TestLoopBranch.java:100:12:100:12 | 0 | TestLoopBranch.java:100:5:100:13 | return ... |
 | TestLoopBranch.java:103:3:103:3 | b | TestLoopBranch.java:103:15:103:19 | "Foo" |
-| TestLoopBranch.java:103:3:103:20 | compareTo(...) | TestLoopBranch.java:105:3:105:12 | stmt |
-| TestLoopBranch.java:103:3:103:21 | stmt | TestLoopBranch.java:103:3:103:3 | b |
+| TestLoopBranch.java:103:3:103:20 | compareTo(...) | TestLoopBranch.java:105:3:105:12 | ...; |
+| TestLoopBranch.java:103:3:103:21 | ...; | TestLoopBranch.java:103:3:103:3 | b |
 | TestLoopBranch.java:103:15:103:19 | "Foo" | TestLoopBranch.java:103:3:103:20 | compareTo(...) |
-| TestLoopBranch.java:105:3:105:11 | ...=... | TestLoopBranch.java:106:3:106:9 | stmt |
-| TestLoopBranch.java:105:3:105:12 | stmt | TestLoopBranch.java:105:7:105:7 | x |
+| TestLoopBranch.java:105:3:105:11 | ...=... | TestLoopBranch.java:106:3:106:9 | return ... |
+| TestLoopBranch.java:105:3:105:12 | ...; | TestLoopBranch.java:105:7:105:7 | x |
 | TestLoopBranch.java:105:7:105:7 | x | TestLoopBranch.java:105:11:105:11 | y |
 | TestLoopBranch.java:105:7:105:11 | ... + ... | TestLoopBranch.java:105:3:105:11 | ...=... |
 | TestLoopBranch.java:105:11:105:11 | y | TestLoopBranch.java:105:7:105:11 | ... + ... |
-| TestLoopBranch.java:106:3:106:9 | stmt | TestLoopBranch.java:7:14:7:14 | f |
-| TestLoopBranch.java:109:9:109:22 | <obinit>(...) | TestLoopBranch.java:111:3:111:10 | stmt |
-| TestLoopBranch.java:109:9:109:22 | stmt | TestLoopBranch.java:109:9:109:22 | <obinit>(...) |
-| TestLoopBranch.java:109:9:109:22 | super(...) | TestLoopBranch.java:109:9:109:22 | stmt |
-| TestLoopBranch.java:110:2:113:2 | stmt | TestLoopBranch.java:109:9:109:22 | super(...) |
-| TestLoopBranch.java:111:3:111:9 | ...=... | TestLoopBranch.java:112:3:112:10 | stmt |
-| TestLoopBranch.java:111:3:111:10 | stmt | TestLoopBranch.java:111:8:111:9 | 33 |
+| TestLoopBranch.java:106:3:106:9 | return ... | TestLoopBranch.java:7:14:7:14 | f |
+| TestLoopBranch.java:109:9:109:22 | ...; | TestLoopBranch.java:109:9:109:22 | <obinit>(...) |
+| TestLoopBranch.java:109:9:109:22 | <obinit>(...) | TestLoopBranch.java:111:3:111:10 | ...; |
+| TestLoopBranch.java:109:9:109:22 | super(...) | TestLoopBranch.java:109:9:109:22 | ...; |
+| TestLoopBranch.java:110:2:113:2 | { ... } | TestLoopBranch.java:109:9:109:22 | super(...) |
+| TestLoopBranch.java:111:3:111:9 | ...=... | TestLoopBranch.java:112:3:112:10 | ...; |
+| TestLoopBranch.java:111:3:111:10 | ...; | TestLoopBranch.java:111:8:111:9 | 33 |
 | TestLoopBranch.java:111:8:111:9 | 33 | TestLoopBranch.java:111:3:111:9 | ...=... |
 | TestLoopBranch.java:112:3:112:9 | ...=... | TestLoopBranch.java:109:9:109:22 | TestLoopBranch |
-| TestLoopBranch.java:112:3:112:10 | stmt | TestLoopBranch.java:112:8:112:9 | 44 |
+| TestLoopBranch.java:112:3:112:10 | ...; | TestLoopBranch.java:112:8:112:9 | 44 |
 | TestLoopBranch.java:112:8:112:9 | 44 | TestLoopBranch.java:112:3:112:9 | ...=... |
-| TestLoopBranch.java:115:9:115:22 | <obinit>(...) | TestLoopBranch.java:117:3:117:9 | stmt |
-| TestLoopBranch.java:115:9:115:22 | stmt | TestLoopBranch.java:115:9:115:22 | <obinit>(...) |
-| TestLoopBranch.java:115:9:115:22 | super(...) | TestLoopBranch.java:115:9:115:22 | stmt |
-| TestLoopBranch.java:116:2:119:2 | stmt | TestLoopBranch.java:115:9:115:22 | super(...) |
-| TestLoopBranch.java:117:3:117:8 | ...=... | TestLoopBranch.java:118:3:118:9 | stmt |
-| TestLoopBranch.java:117:3:117:9 | stmt | TestLoopBranch.java:117:8:117:8 | i |
+| TestLoopBranch.java:115:9:115:22 | ...; | TestLoopBranch.java:115:9:115:22 | <obinit>(...) |
+| TestLoopBranch.java:115:9:115:22 | <obinit>(...) | TestLoopBranch.java:117:3:117:9 | ...; |
+| TestLoopBranch.java:115:9:115:22 | super(...) | TestLoopBranch.java:115:9:115:22 | ...; |
+| TestLoopBranch.java:116:2:119:2 | { ... } | TestLoopBranch.java:115:9:115:22 | super(...) |
+| TestLoopBranch.java:117:3:117:8 | ...=... | TestLoopBranch.java:118:3:118:9 | ...; |
+| TestLoopBranch.java:117:3:117:9 | ...; | TestLoopBranch.java:117:8:117:8 | i |
 | TestLoopBranch.java:117:8:117:8 | i | TestLoopBranch.java:117:3:117:8 | ...=... |
 | TestLoopBranch.java:118:3:118:8 | ...=... | TestLoopBranch.java:115:9:115:22 | TestLoopBranch |
-| TestLoopBranch.java:118:3:118:9 | stmt | TestLoopBranch.java:118:8:118:8 | i |
+| TestLoopBranch.java:118:3:118:9 | ...; | TestLoopBranch.java:118:8:118:8 | i |
 | TestLoopBranch.java:118:8:118:8 | i | TestLoopBranch.java:118:3:118:8 | ...=... |
diff --git a/java/ql/test/library-tests/successors/TestThrow/FalseSuccessors.expected b/java/ql/test/library-tests/successors/TestThrow/FalseSuccessors.expected
index 750ad61ecfa..4c6234e019d 100644
--- a/java/ql/test/library-tests/successors/TestThrow/FalseSuccessors.expected
+++ b/java/ql/test/library-tests/successors/TestThrow/FalseSuccessors.expected
@@ -1,12 +1,12 @@
-| TestThrow.java:33:8:33:13 | ... == ... | TestThrow.java:36:11:36:21 | stmt |
-| TestThrow.java:36:15:36:20 | ... == ... | TestThrow.java:39:11:39:21 | stmt |
-| TestThrow.java:39:15:39:20 | ... == ... | TestThrow.java:43:4:45:4 | stmt |
-| TestThrow.java:58:8:58:13 | ... == ... | TestThrow.java:62:9:62:19 | stmt |
-| TestThrow.java:62:13:62:18 | ... == ... | TestThrow.java:66:4:68:4 | stmt |
-| TestThrow.java:78:8:78:13 | ... == ... | TestThrow.java:81:3:83:3 | stmt |
-| TestThrow.java:89:9:89:14 | ... == ... | TestThrow.java:92:12:92:22 | stmt |
-| TestThrow.java:92:16:92:21 | ... == ... | TestThrow.java:96:5:98:5 | stmt |
-| TestThrow.java:108:9:108:14 | ... == ... | TestThrow.java:111:12:111:22 | stmt |
-| TestThrow.java:111:16:111:21 | ... == ... | TestThrow.java:114:12:114:22 | stmt |
-| TestThrow.java:114:16:114:21 | ... == ... | TestThrow.java:124:3:126:3 | stmt |
-| TestThrow.java:128:7:128:12 | ... == ... | TestThrow.java:133:3:133:9 | stmt |
+| TestThrow.java:33:8:33:13 | ... == ... | TestThrow.java:36:11:36:21 | if (...) |
+| TestThrow.java:36:15:36:20 | ... == ... | TestThrow.java:39:11:39:21 | if (...) |
+| TestThrow.java:39:15:39:20 | ... == ... | TestThrow.java:43:4:45:4 | { ... } |
+| TestThrow.java:58:8:58:13 | ... == ... | TestThrow.java:62:9:62:19 | if (...) |
+| TestThrow.java:62:13:62:18 | ... == ... | TestThrow.java:66:4:68:4 | { ... } |
+| TestThrow.java:78:8:78:13 | ... == ... | TestThrow.java:81:3:83:3 | { ... } |
+| TestThrow.java:89:9:89:14 | ... == ... | TestThrow.java:92:12:92:22 | if (...) |
+| TestThrow.java:92:16:92:21 | ... == ... | TestThrow.java:96:5:98:5 | { ... } |
+| TestThrow.java:108:9:108:14 | ... == ... | TestThrow.java:111:12:111:22 | if (...) |
+| TestThrow.java:111:16:111:21 | ... == ... | TestThrow.java:114:12:114:22 | if (...) |
+| TestThrow.java:114:16:114:21 | ... == ... | TestThrow.java:124:3:126:3 | { ... } |
+| TestThrow.java:128:7:128:12 | ... == ... | TestThrow.java:133:3:133:9 | ...; |
diff --git a/java/ql/test/library-tests/successors/TestThrow/TestSucc.expected b/java/ql/test/library-tests/successors/TestThrow/TestSucc.expected
index e9d360286d4..aee048401b9 100644
--- a/java/ql/test/library-tests/successors/TestThrow/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/TestThrow/TestSucc.expected
@@ -1,229 +1,229 @@
 | TestThrow.java:7:10:7:18 | super(...) | TestThrow.java:7:10:7:18 | TestThrow |
-| TestThrow.java:8:2:9:2 | stmt | TestThrow.java:7:10:7:18 | super(...) |
-| TestThrow.java:12:2:13:2 | stmt | TestThrow.java:11:15:11:21 | thrower |
-| TestThrow.java:16:2:134:2 | stmt | TestThrow.java:17:3:17:12 | stmt |
-| TestThrow.java:17:3:17:12 | stmt | TestThrow.java:17:11:17:11 | 0 |
-| TestThrow.java:17:7:17:11 | z | TestThrow.java:18:3:27:3 | stmt |
+| TestThrow.java:8:2:9:2 | { ... } | TestThrow.java:7:10:7:18 | super(...) |
+| TestThrow.java:12:2:13:2 | { ... } | TestThrow.java:11:15:11:21 | thrower |
+| TestThrow.java:16:2:134:2 | { ... } | TestThrow.java:17:3:17:12 | local variable declaration |
+| TestThrow.java:17:3:17:12 | local variable declaration | TestThrow.java:17:11:17:11 | 0 |
+| TestThrow.java:17:7:17:11 | z | TestThrow.java:18:3:27:3 | try ... |
 | TestThrow.java:17:11:17:11 | 0 | TestThrow.java:17:7:17:11 | z |
-| TestThrow.java:18:3:27:3 | stmt | TestThrow.java:19:3:21:3 | stmt |
-| TestThrow.java:19:3:21:3 | stmt | TestThrow.java:20:10:20:31 | new RuntimeException(...) |
-| TestThrow.java:20:4:20:32 | stmt | TestThrow.java:21:5:21:30 | stmt |
-| TestThrow.java:20:10:20:31 | new RuntimeException(...) | TestThrow.java:20:4:20:32 | stmt |
-| TestThrow.java:20:10:20:31 | new RuntimeException(...) | TestThrow.java:21:5:21:30 | stmt |
-| TestThrow.java:21:5:21:30 | stmt | TestThrow.java:21:29:21:29 | e |
-| TestThrow.java:21:29:21:29 | e | TestThrow.java:22:3:24:3 | stmt |
-| TestThrow.java:22:3:24:3 | stmt | TestThrow.java:23:4:23:9 | stmt |
-| TestThrow.java:23:4:23:8 | ...=... | TestThrow.java:29:3:29:9 | stmt |
-| TestThrow.java:23:4:23:9 | stmt | TestThrow.java:23:8:23:8 | 1 |
+| TestThrow.java:18:3:27:3 | try ... | TestThrow.java:19:3:21:3 | { ... } |
+| TestThrow.java:19:3:21:3 | { ... } | TestThrow.java:20:10:20:31 | new RuntimeException(...) |
+| TestThrow.java:20:4:20:32 | throw ... | TestThrow.java:21:5:21:30 | catch (...) |
+| TestThrow.java:20:10:20:31 | new RuntimeException(...) | TestThrow.java:20:4:20:32 | throw ... |
+| TestThrow.java:20:10:20:31 | new RuntimeException(...) | TestThrow.java:21:5:21:30 | catch (...) |
+| TestThrow.java:21:5:21:30 | catch (...) | TestThrow.java:21:29:21:29 | e |
+| TestThrow.java:21:29:21:29 | e | TestThrow.java:22:3:24:3 | { ... } |
+| TestThrow.java:22:3:24:3 | { ... } | TestThrow.java:23:4:23:9 | ...; |
+| TestThrow.java:23:4:23:8 | ...=... | TestThrow.java:29:3:29:9 | ...; |
+| TestThrow.java:23:4:23:9 | ...; | TestThrow.java:23:8:23:8 | 1 |
 | TestThrow.java:23:8:23:8 | 1 | TestThrow.java:23:4:23:8 | ...=... |
-| TestThrow.java:24:5:24:23 | stmt | TestThrow.java:24:22:24:22 | e |
-| TestThrow.java:24:22:24:22 | e | TestThrow.java:25:3:27:3 | stmt |
-| TestThrow.java:25:3:27:3 | stmt | TestThrow.java:26:4:26:9 | stmt |
-| TestThrow.java:26:4:26:8 | ...=... | TestThrow.java:29:3:29:9 | stmt |
-| TestThrow.java:26:4:26:9 | stmt | TestThrow.java:26:8:26:8 | 2 |
+| TestThrow.java:24:5:24:23 | catch (...) | TestThrow.java:24:22:24:22 | e |
+| TestThrow.java:24:22:24:22 | e | TestThrow.java:25:3:27:3 | { ... } |
+| TestThrow.java:25:3:27:3 | { ... } | TestThrow.java:26:4:26:9 | ...; |
+| TestThrow.java:26:4:26:8 | ...=... | TestThrow.java:29:3:29:9 | ...; |
+| TestThrow.java:26:4:26:9 | ...; | TestThrow.java:26:8:26:8 | 2 |
 | TestThrow.java:26:8:26:8 | 2 | TestThrow.java:26:4:26:8 | ...=... |
-| TestThrow.java:29:3:29:8 | ...=... | TestThrow.java:31:3:52:3 | stmt |
-| TestThrow.java:29:3:29:9 | stmt | TestThrow.java:29:8:29:8 | 1 |
+| TestThrow.java:29:3:29:8 | ...=... | TestThrow.java:31:3:52:3 | try ... |
+| TestThrow.java:29:3:29:9 | ...; | TestThrow.java:29:8:29:8 | 1 |
 | TestThrow.java:29:7:29:8 | -... | TestThrow.java:29:3:29:8 | ...=... |
 | TestThrow.java:29:8:29:8 | 1 | TestThrow.java:29:7:29:8 | -... |
-| TestThrow.java:31:3:52:3 | stmt | TestThrow.java:32:3:46:3 | stmt |
-| TestThrow.java:32:3:46:3 | stmt | TestThrow.java:33:4:33:14 | stmt |
-| TestThrow.java:33:4:33:14 | stmt | TestThrow.java:33:8:33:8 | z |
+| TestThrow.java:31:3:52:3 | try ... | TestThrow.java:32:3:46:3 | { ... } |
+| TestThrow.java:32:3:46:3 | { ... } | TestThrow.java:33:4:33:14 | if (...) |
+| TestThrow.java:33:4:33:14 | if (...) | TestThrow.java:33:8:33:8 | z |
 | TestThrow.java:33:8:33:8 | z | TestThrow.java:33:13:33:13 | 1 |
-| TestThrow.java:33:8:33:13 | ... == ... | TestThrow.java:34:4:36:4 | stmt |
-| TestThrow.java:33:8:33:13 | ... == ... | TestThrow.java:36:11:36:21 | stmt |
+| TestThrow.java:33:8:33:13 | ... == ... | TestThrow.java:34:4:36:4 | { ... } |
+| TestThrow.java:33:8:33:13 | ... == ... | TestThrow.java:36:11:36:21 | if (...) |
 | TestThrow.java:33:13:33:13 | 1 | TestThrow.java:33:8:33:13 | ... == ... |
-| TestThrow.java:34:4:36:4 | stmt | TestThrow.java:35:11:35:32 | new RuntimeException(...) |
-| TestThrow.java:35:5:35:33 | stmt | TestThrow.java:46:5:46:30 | stmt |
-| TestThrow.java:35:11:35:32 | new RuntimeException(...) | TestThrow.java:35:5:35:33 | stmt |
-| TestThrow.java:35:11:35:32 | new RuntimeException(...) | TestThrow.java:46:5:46:30 | stmt |
-| TestThrow.java:35:11:35:32 | new RuntimeException(...) | TestThrow.java:50:3:52:3 | stmt |
-| TestThrow.java:36:11:36:21 | stmt | TestThrow.java:36:15:36:15 | z |
+| TestThrow.java:34:4:36:4 | { ... } | TestThrow.java:35:11:35:32 | new RuntimeException(...) |
+| TestThrow.java:35:5:35:33 | throw ... | TestThrow.java:46:5:46:30 | catch (...) |
+| TestThrow.java:35:11:35:32 | new RuntimeException(...) | TestThrow.java:35:5:35:33 | throw ... |
+| TestThrow.java:35:11:35:32 | new RuntimeException(...) | TestThrow.java:46:5:46:30 | catch (...) |
+| TestThrow.java:35:11:35:32 | new RuntimeException(...) | TestThrow.java:50:3:52:3 | { ... } |
+| TestThrow.java:36:11:36:21 | if (...) | TestThrow.java:36:15:36:15 | z |
 | TestThrow.java:36:15:36:15 | z | TestThrow.java:36:20:36:20 | 2 |
-| TestThrow.java:36:15:36:20 | ... == ... | TestThrow.java:37:4:39:4 | stmt |
-| TestThrow.java:36:15:36:20 | ... == ... | TestThrow.java:39:11:39:21 | stmt |
+| TestThrow.java:36:15:36:20 | ... == ... | TestThrow.java:37:4:39:4 | { ... } |
+| TestThrow.java:36:15:36:20 | ... == ... | TestThrow.java:39:11:39:21 | if (...) |
 | TestThrow.java:36:20:36:20 | 2 | TestThrow.java:36:15:36:20 | ... == ... |
-| TestThrow.java:37:4:39:4 | stmt | TestThrow.java:38:11:38:25 | new Exception(...) |
-| TestThrow.java:38:5:38:26 | stmt | TestThrow.java:46:5:46:30 | stmt |
-| TestThrow.java:38:5:38:26 | stmt | TestThrow.java:50:3:52:3 | stmt |
-| TestThrow.java:38:11:38:25 | new Exception(...) | TestThrow.java:38:5:38:26 | stmt |
-| TestThrow.java:38:11:38:25 | new Exception(...) | TestThrow.java:46:5:46:30 | stmt |
-| TestThrow.java:38:11:38:25 | new Exception(...) | TestThrow.java:50:3:52:3 | stmt |
-| TestThrow.java:39:11:39:21 | stmt | TestThrow.java:39:15:39:15 | z |
+| TestThrow.java:37:4:39:4 | { ... } | TestThrow.java:38:11:38:25 | new Exception(...) |
+| TestThrow.java:38:5:38:26 | throw ... | TestThrow.java:46:5:46:30 | catch (...) |
+| TestThrow.java:38:5:38:26 | throw ... | TestThrow.java:50:3:52:3 | { ... } |
+| TestThrow.java:38:11:38:25 | new Exception(...) | TestThrow.java:38:5:38:26 | throw ... |
+| TestThrow.java:38:11:38:25 | new Exception(...) | TestThrow.java:46:5:46:30 | catch (...) |
+| TestThrow.java:38:11:38:25 | new Exception(...) | TestThrow.java:50:3:52:3 | { ... } |
+| TestThrow.java:39:11:39:21 | if (...) | TestThrow.java:39:15:39:15 | z |
 | TestThrow.java:39:15:39:15 | z | TestThrow.java:39:20:39:20 | 3 |
-| TestThrow.java:39:15:39:20 | ... == ... | TestThrow.java:40:4:42:4 | stmt |
-| TestThrow.java:39:15:39:20 | ... == ... | TestThrow.java:43:4:45:4 | stmt |
+| TestThrow.java:39:15:39:20 | ... == ... | TestThrow.java:40:4:42:4 | { ... } |
+| TestThrow.java:39:15:39:20 | ... == ... | TestThrow.java:43:4:45:4 | { ... } |
 | TestThrow.java:39:20:39:20 | 3 | TestThrow.java:39:15:39:20 | ... == ... |
-| TestThrow.java:40:4:42:4 | stmt | TestThrow.java:41:5:41:20 | stmt |
-| TestThrow.java:41:5:41:19 | new TestThrow(...) | TestThrow.java:46:5:46:30 | stmt |
-| TestThrow.java:41:5:41:19 | new TestThrow(...) | TestThrow.java:50:3:52:3 | stmt |
-| TestThrow.java:41:5:41:20 | stmt | TestThrow.java:41:5:41:19 | new TestThrow(...) |
-| TestThrow.java:43:4:45:4 | stmt | TestThrow.java:44:5:44:14 | stmt |
-| TestThrow.java:44:5:44:13 | thrower(...) | TestThrow.java:46:5:46:30 | stmt |
-| TestThrow.java:44:5:44:13 | thrower(...) | TestThrow.java:50:3:52:3 | stmt |
-| TestThrow.java:44:5:44:14 | stmt | TestThrow.java:44:5:44:13 | thrower(...) |
-| TestThrow.java:46:5:46:30 | stmt | TestThrow.java:46:29:46:29 | e |
-| TestThrow.java:46:29:46:29 | e | TestThrow.java:47:3:49:3 | stmt |
-| TestThrow.java:47:3:49:3 | stmt | TestThrow.java:48:4:48:9 | stmt |
-| TestThrow.java:48:4:48:8 | ...=... | TestThrow.java:50:3:52:3 | stmt |
-| TestThrow.java:48:4:48:9 | stmt | TestThrow.java:48:8:48:8 | 1 |
+| TestThrow.java:40:4:42:4 | { ... } | TestThrow.java:41:5:41:20 | ...; |
+| TestThrow.java:41:5:41:19 | new TestThrow(...) | TestThrow.java:46:5:46:30 | catch (...) |
+| TestThrow.java:41:5:41:19 | new TestThrow(...) | TestThrow.java:50:3:52:3 | { ... } |
+| TestThrow.java:41:5:41:20 | ...; | TestThrow.java:41:5:41:19 | new TestThrow(...) |
+| TestThrow.java:43:4:45:4 | { ... } | TestThrow.java:44:5:44:14 | ...; |
+| TestThrow.java:44:5:44:13 | thrower(...) | TestThrow.java:46:5:46:30 | catch (...) |
+| TestThrow.java:44:5:44:13 | thrower(...) | TestThrow.java:50:3:52:3 | { ... } |
+| TestThrow.java:44:5:44:14 | ...; | TestThrow.java:44:5:44:13 | thrower(...) |
+| TestThrow.java:46:5:46:30 | catch (...) | TestThrow.java:46:29:46:29 | e |
+| TestThrow.java:46:29:46:29 | e | TestThrow.java:47:3:49:3 | { ... } |
+| TestThrow.java:47:3:49:3 | { ... } | TestThrow.java:48:4:48:9 | ...; |
+| TestThrow.java:48:4:48:8 | ...=... | TestThrow.java:50:3:52:3 | { ... } |
+| TestThrow.java:48:4:48:9 | ...; | TestThrow.java:48:8:48:8 | 1 |
 | TestThrow.java:48:8:48:8 | 1 | TestThrow.java:48:4:48:8 | ...=... |
-| TestThrow.java:50:3:52:3 | stmt | TestThrow.java:51:4:51:9 | stmt |
+| TestThrow.java:50:3:52:3 | { ... } | TestThrow.java:51:4:51:9 | ...; |
 | TestThrow.java:51:4:51:8 | ...=... | TestThrow.java:15:14:15:14 | f |
-| TestThrow.java:51:4:51:8 | ...=... | TestThrow.java:54:3:54:9 | stmt |
-| TestThrow.java:51:4:51:9 | stmt | TestThrow.java:51:8:51:8 | 2 |
+| TestThrow.java:51:4:51:8 | ...=... | TestThrow.java:54:3:54:9 | ...; |
+| TestThrow.java:51:4:51:9 | ...; | TestThrow.java:51:8:51:8 | 2 |
 | TestThrow.java:51:8:51:8 | 2 | TestThrow.java:51:4:51:8 | ...=... |
-| TestThrow.java:54:3:54:8 | ...=... | TestThrow.java:56:3:72:3 | stmt |
-| TestThrow.java:54:3:54:9 | stmt | TestThrow.java:54:8:54:8 | 1 |
+| TestThrow.java:54:3:54:8 | ...=... | TestThrow.java:56:3:72:3 | try ... |
+| TestThrow.java:54:3:54:9 | ...; | TestThrow.java:54:8:54:8 | 1 |
 | TestThrow.java:54:7:54:8 | -... | TestThrow.java:54:3:54:8 | ...=... |
 | TestThrow.java:54:8:54:8 | 1 | TestThrow.java:54:7:54:8 | -... |
-| TestThrow.java:56:3:72:3 | stmt | TestThrow.java:57:3:69:3 | stmt |
-| TestThrow.java:57:3:69:3 | stmt | TestThrow.java:58:4:58:14 | stmt |
-| TestThrow.java:58:4:58:14 | stmt | TestThrow.java:58:8:58:8 | z |
+| TestThrow.java:56:3:72:3 | try ... | TestThrow.java:57:3:69:3 | { ... } |
+| TestThrow.java:57:3:69:3 | { ... } | TestThrow.java:58:4:58:14 | if (...) |
+| TestThrow.java:58:4:58:14 | if (...) | TestThrow.java:58:8:58:8 | z |
 | TestThrow.java:58:8:58:8 | z | TestThrow.java:58:13:58:13 | 1 |
-| TestThrow.java:58:8:58:13 | ... == ... | TestThrow.java:59:4:61:4 | stmt |
-| TestThrow.java:58:8:58:13 | ... == ... | TestThrow.java:62:9:62:19 | stmt |
+| TestThrow.java:58:8:58:13 | ... == ... | TestThrow.java:59:4:61:4 | { ... } |
+| TestThrow.java:58:8:58:13 | ... == ... | TestThrow.java:62:9:62:19 | if (...) |
 | TestThrow.java:58:13:58:13 | 1 | TestThrow.java:58:8:58:13 | ... == ... |
-| TestThrow.java:59:4:61:4 | stmt | TestThrow.java:60:11:60:25 | new Exception(...) |
-| TestThrow.java:60:5:60:26 | stmt | TestThrow.java:15:14:15:14 | f |
-| TestThrow.java:60:5:60:26 | stmt | TestThrow.java:69:5:69:30 | stmt |
-| TestThrow.java:60:11:60:25 | new Exception(...) | TestThrow.java:60:5:60:26 | stmt |
-| TestThrow.java:60:11:60:25 | new Exception(...) | TestThrow.java:69:5:69:30 | stmt |
-| TestThrow.java:62:9:62:19 | stmt | TestThrow.java:62:13:62:13 | z |
+| TestThrow.java:59:4:61:4 | { ... } | TestThrow.java:60:11:60:25 | new Exception(...) |
+| TestThrow.java:60:5:60:26 | throw ... | TestThrow.java:15:14:15:14 | f |
+| TestThrow.java:60:5:60:26 | throw ... | TestThrow.java:69:5:69:30 | catch (...) |
+| TestThrow.java:60:11:60:25 | new Exception(...) | TestThrow.java:60:5:60:26 | throw ... |
+| TestThrow.java:60:11:60:25 | new Exception(...) | TestThrow.java:69:5:69:30 | catch (...) |
+| TestThrow.java:62:9:62:19 | if (...) | TestThrow.java:62:13:62:13 | z |
 | TestThrow.java:62:13:62:13 | z | TestThrow.java:62:18:62:18 | 2 |
-| TestThrow.java:62:13:62:18 | ... == ... | TestThrow.java:63:4:65:4 | stmt |
-| TestThrow.java:62:13:62:18 | ... == ... | TestThrow.java:66:4:68:4 | stmt |
+| TestThrow.java:62:13:62:18 | ... == ... | TestThrow.java:63:4:65:4 | { ... } |
+| TestThrow.java:62:13:62:18 | ... == ... | TestThrow.java:66:4:68:4 | { ... } |
 | TestThrow.java:62:18:62:18 | 2 | TestThrow.java:62:13:62:18 | ... == ... |
-| TestThrow.java:63:4:65:4 | stmt | TestThrow.java:64:5:64:20 | stmt |
+| TestThrow.java:63:4:65:4 | { ... } | TestThrow.java:64:5:64:20 | ...; |
 | TestThrow.java:64:5:64:19 | new TestThrow(...) | TestThrow.java:15:14:15:14 | f |
-| TestThrow.java:64:5:64:19 | new TestThrow(...) | TestThrow.java:69:5:69:30 | stmt |
-| TestThrow.java:64:5:64:19 | new TestThrow(...) | TestThrow.java:74:3:74:9 | stmt |
-| TestThrow.java:64:5:64:20 | stmt | TestThrow.java:64:5:64:19 | new TestThrow(...) |
-| TestThrow.java:66:4:68:4 | stmt | TestThrow.java:67:5:67:14 | stmt |
-| TestThrow.java:67:5:67:13 | thrower(...) | TestThrow.java:69:5:69:30 | stmt |
-| TestThrow.java:67:5:67:13 | thrower(...) | TestThrow.java:74:3:74:9 | stmt |
-| TestThrow.java:67:5:67:14 | stmt | TestThrow.java:67:5:67:13 | thrower(...) |
-| TestThrow.java:69:5:69:30 | stmt | TestThrow.java:69:29:69:29 | e |
-| TestThrow.java:69:29:69:29 | e | TestThrow.java:70:3:72:3 | stmt |
-| TestThrow.java:70:3:72:3 | stmt | TestThrow.java:71:4:71:9 | stmt |
-| TestThrow.java:71:4:71:8 | ...=... | TestThrow.java:74:3:74:9 | stmt |
-| TestThrow.java:71:4:71:9 | stmt | TestThrow.java:71:8:71:8 | 1 |
+| TestThrow.java:64:5:64:19 | new TestThrow(...) | TestThrow.java:69:5:69:30 | catch (...) |
+| TestThrow.java:64:5:64:19 | new TestThrow(...) | TestThrow.java:74:3:74:9 | ...; |
+| TestThrow.java:64:5:64:20 | ...; | TestThrow.java:64:5:64:19 | new TestThrow(...) |
+| TestThrow.java:66:4:68:4 | { ... } | TestThrow.java:67:5:67:14 | ...; |
+| TestThrow.java:67:5:67:13 | thrower(...) | TestThrow.java:69:5:69:30 | catch (...) |
+| TestThrow.java:67:5:67:13 | thrower(...) | TestThrow.java:74:3:74:9 | ...; |
+| TestThrow.java:67:5:67:14 | ...; | TestThrow.java:67:5:67:13 | thrower(...) |
+| TestThrow.java:69:5:69:30 | catch (...) | TestThrow.java:69:29:69:29 | e |
+| TestThrow.java:69:29:69:29 | e | TestThrow.java:70:3:72:3 | { ... } |
+| TestThrow.java:70:3:72:3 | { ... } | TestThrow.java:71:4:71:9 | ...; |
+| TestThrow.java:71:4:71:8 | ...=... | TestThrow.java:74:3:74:9 | ...; |
+| TestThrow.java:71:4:71:9 | ...; | TestThrow.java:71:8:71:8 | 1 |
 | TestThrow.java:71:8:71:8 | 1 | TestThrow.java:71:4:71:8 | ...=... |
-| TestThrow.java:74:3:74:8 | ...=... | TestThrow.java:76:3:83:3 | stmt |
-| TestThrow.java:74:3:74:9 | stmt | TestThrow.java:74:8:74:8 | 1 |
+| TestThrow.java:74:3:74:8 | ...=... | TestThrow.java:76:3:83:3 | try ... |
+| TestThrow.java:74:3:74:9 | ...; | TestThrow.java:74:8:74:8 | 1 |
 | TestThrow.java:74:7:74:8 | -... | TestThrow.java:74:3:74:8 | ...=... |
 | TestThrow.java:74:8:74:8 | 1 | TestThrow.java:74:7:74:8 | -... |
-| TestThrow.java:76:3:83:3 | stmt | TestThrow.java:77:3:80:3 | stmt |
-| TestThrow.java:77:3:80:3 | stmt | TestThrow.java:78:4:78:14 | stmt |
-| TestThrow.java:78:4:78:14 | stmt | TestThrow.java:78:8:78:8 | z |
+| TestThrow.java:76:3:83:3 | try ... | TestThrow.java:77:3:80:3 | { ... } |
+| TestThrow.java:77:3:80:3 | { ... } | TestThrow.java:78:4:78:14 | if (...) |
+| TestThrow.java:78:4:78:14 | if (...) | TestThrow.java:78:8:78:8 | z |
 | TestThrow.java:78:8:78:8 | z | TestThrow.java:78:13:78:13 | 1 |
 | TestThrow.java:78:8:78:13 | ... == ... | TestThrow.java:79:11:79:25 | new Exception(...) |
-| TestThrow.java:78:8:78:13 | ... == ... | TestThrow.java:81:3:83:3 | stmt |
+| TestThrow.java:78:8:78:13 | ... == ... | TestThrow.java:81:3:83:3 | { ... } |
 | TestThrow.java:78:13:78:13 | 1 | TestThrow.java:78:8:78:13 | ... == ... |
-| TestThrow.java:79:5:79:26 | stmt | TestThrow.java:81:3:83:3 | stmt |
-| TestThrow.java:79:11:79:25 | new Exception(...) | TestThrow.java:79:5:79:26 | stmt |
-| TestThrow.java:79:11:79:25 | new Exception(...) | TestThrow.java:81:3:83:3 | stmt |
-| TestThrow.java:81:3:83:3 | stmt | TestThrow.java:82:4:82:9 | stmt |
+| TestThrow.java:79:5:79:26 | throw ... | TestThrow.java:81:3:83:3 | { ... } |
+| TestThrow.java:79:11:79:25 | new Exception(...) | TestThrow.java:79:5:79:26 | throw ... |
+| TestThrow.java:79:11:79:25 | new Exception(...) | TestThrow.java:81:3:83:3 | { ... } |
+| TestThrow.java:81:3:83:3 | { ... } | TestThrow.java:82:4:82:9 | ...; |
 | TestThrow.java:82:4:82:8 | ...=... | TestThrow.java:15:14:15:14 | f |
-| TestThrow.java:82:4:82:8 | ...=... | TestThrow.java:85:3:126:3 | stmt |
-| TestThrow.java:82:4:82:9 | stmt | TestThrow.java:82:8:82:8 | 1 |
+| TestThrow.java:82:4:82:8 | ...=... | TestThrow.java:85:3:126:3 | try ... |
+| TestThrow.java:82:4:82:9 | ...; | TestThrow.java:82:8:82:8 | 1 |
 | TestThrow.java:82:8:82:8 | 1 | TestThrow.java:82:4:82:8 | ...=... |
-| TestThrow.java:85:3:126:3 | stmt | TestThrow.java:86:3:119:3 | stmt |
-| TestThrow.java:86:3:119:3 | stmt | TestThrow.java:87:4:102:4 | stmt |
-| TestThrow.java:87:4:102:4 | stmt | TestThrow.java:88:4:99:4 | stmt |
-| TestThrow.java:88:4:99:4 | stmt | TestThrow.java:89:5:89:15 | stmt |
-| TestThrow.java:89:5:89:15 | stmt | TestThrow.java:89:9:89:9 | z |
+| TestThrow.java:85:3:126:3 | try ... | TestThrow.java:86:3:119:3 | { ... } |
+| TestThrow.java:86:3:119:3 | { ... } | TestThrow.java:87:4:102:4 | try ... |
+| TestThrow.java:87:4:102:4 | try ... | TestThrow.java:88:4:99:4 | { ... } |
+| TestThrow.java:88:4:99:4 | { ... } | TestThrow.java:89:5:89:15 | if (...) |
+| TestThrow.java:89:5:89:15 | if (...) | TestThrow.java:89:9:89:9 | z |
 | TestThrow.java:89:9:89:9 | z | TestThrow.java:89:14:89:14 | 1 |
-| TestThrow.java:89:9:89:14 | ... == ... | TestThrow.java:90:5:92:5 | stmt |
-| TestThrow.java:89:9:89:14 | ... == ... | TestThrow.java:92:12:92:22 | stmt |
+| TestThrow.java:89:9:89:14 | ... == ... | TestThrow.java:90:5:92:5 | { ... } |
+| TestThrow.java:89:9:89:14 | ... == ... | TestThrow.java:92:12:92:22 | if (...) |
 | TestThrow.java:89:14:89:14 | 1 | TestThrow.java:89:9:89:14 | ... == ... |
-| TestThrow.java:90:5:92:5 | stmt | TestThrow.java:91:12:91:26 | new Exception(...) |
-| TestThrow.java:91:6:91:27 | stmt | TestThrow.java:99:6:99:31 | stmt |
-| TestThrow.java:91:6:91:27 | stmt | TestThrow.java:119:5:119:25 | stmt |
-| TestThrow.java:91:6:91:27 | stmt | TestThrow.java:124:3:126:3 | stmt |
-| TestThrow.java:91:12:91:26 | new Exception(...) | TestThrow.java:91:6:91:27 | stmt |
-| TestThrow.java:91:12:91:26 | new Exception(...) | TestThrow.java:99:6:99:31 | stmt |
-| TestThrow.java:91:12:91:26 | new Exception(...) | TestThrow.java:124:3:126:3 | stmt |
-| TestThrow.java:92:12:92:22 | stmt | TestThrow.java:92:16:92:16 | z |
+| TestThrow.java:90:5:92:5 | { ... } | TestThrow.java:91:12:91:26 | new Exception(...) |
+| TestThrow.java:91:6:91:27 | throw ... | TestThrow.java:99:6:99:31 | catch (...) |
+| TestThrow.java:91:6:91:27 | throw ... | TestThrow.java:119:5:119:25 | catch (...) |
+| TestThrow.java:91:6:91:27 | throw ... | TestThrow.java:124:3:126:3 | { ... } |
+| TestThrow.java:91:12:91:26 | new Exception(...) | TestThrow.java:91:6:91:27 | throw ... |
+| TestThrow.java:91:12:91:26 | new Exception(...) | TestThrow.java:99:6:99:31 | catch (...) |
+| TestThrow.java:91:12:91:26 | new Exception(...) | TestThrow.java:124:3:126:3 | { ... } |
+| TestThrow.java:92:12:92:22 | if (...) | TestThrow.java:92:16:92:16 | z |
 | TestThrow.java:92:16:92:16 | z | TestThrow.java:92:21:92:21 | 2 |
-| TestThrow.java:92:16:92:21 | ... == ... | TestThrow.java:93:5:95:5 | stmt |
-| TestThrow.java:92:16:92:21 | ... == ... | TestThrow.java:96:5:98:5 | stmt |
+| TestThrow.java:92:16:92:21 | ... == ... | TestThrow.java:93:5:95:5 | { ... } |
+| TestThrow.java:92:16:92:21 | ... == ... | TestThrow.java:96:5:98:5 | { ... } |
 | TestThrow.java:92:21:92:21 | 2 | TestThrow.java:92:16:92:21 | ... == ... |
-| TestThrow.java:93:5:95:5 | stmt | TestThrow.java:94:12:94:33 | new RuntimeException(...) |
-| TestThrow.java:94:6:94:34 | stmt | TestThrow.java:99:6:99:31 | stmt |
-| TestThrow.java:94:12:94:33 | new RuntimeException(...) | TestThrow.java:94:6:94:34 | stmt |
-| TestThrow.java:94:12:94:33 | new RuntimeException(...) | TestThrow.java:99:6:99:31 | stmt |
-| TestThrow.java:94:12:94:33 | new RuntimeException(...) | TestThrow.java:124:3:126:3 | stmt |
-| TestThrow.java:96:5:98:5 | stmt | TestThrow.java:97:28:97:36 | "Foo bar" |
-| TestThrow.java:97:6:97:44 | stmt | TestThrow.java:119:5:119:25 | stmt |
-| TestThrow.java:97:12:97:43 | new IOException(...) | TestThrow.java:97:6:97:44 | stmt |
-| TestThrow.java:97:12:97:43 | new IOException(...) | TestThrow.java:99:6:99:31 | stmt |
-| TestThrow.java:97:12:97:43 | new IOException(...) | TestThrow.java:124:3:126:3 | stmt |
+| TestThrow.java:93:5:95:5 | { ... } | TestThrow.java:94:12:94:33 | new RuntimeException(...) |
+| TestThrow.java:94:6:94:34 | throw ... | TestThrow.java:99:6:99:31 | catch (...) |
+| TestThrow.java:94:12:94:33 | new RuntimeException(...) | TestThrow.java:94:6:94:34 | throw ... |
+| TestThrow.java:94:12:94:33 | new RuntimeException(...) | TestThrow.java:99:6:99:31 | catch (...) |
+| TestThrow.java:94:12:94:33 | new RuntimeException(...) | TestThrow.java:124:3:126:3 | { ... } |
+| TestThrow.java:96:5:98:5 | { ... } | TestThrow.java:97:28:97:36 | "Foo bar" |
+| TestThrow.java:97:6:97:44 | throw ... | TestThrow.java:119:5:119:25 | catch (...) |
+| TestThrow.java:97:12:97:43 | new IOException(...) | TestThrow.java:97:6:97:44 | throw ... |
+| TestThrow.java:97:12:97:43 | new IOException(...) | TestThrow.java:99:6:99:31 | catch (...) |
+| TestThrow.java:97:12:97:43 | new IOException(...) | TestThrow.java:124:3:126:3 | { ... } |
 | TestThrow.java:97:28:97:36 | "Foo bar" | TestThrow.java:97:39:97:42 | null |
 | TestThrow.java:97:39:97:42 | null | TestThrow.java:97:12:97:43 | new IOException(...) |
-| TestThrow.java:99:6:99:31 | stmt | TestThrow.java:99:30:99:30 | e |
-| TestThrow.java:99:30:99:30 | e | TestThrow.java:100:4:102:4 | stmt |
-| TestThrow.java:100:4:102:4 | stmt | TestThrow.java:101:5:101:10 | stmt |
-| TestThrow.java:101:5:101:9 | ...=... | TestThrow.java:103:4:118:4 | stmt |
-| TestThrow.java:101:5:101:10 | stmt | TestThrow.java:101:9:101:9 | 1 |
+| TestThrow.java:99:6:99:31 | catch (...) | TestThrow.java:99:30:99:30 | e |
+| TestThrow.java:99:30:99:30 | e | TestThrow.java:100:4:102:4 | { ... } |
+| TestThrow.java:100:4:102:4 | { ... } | TestThrow.java:101:5:101:10 | ...; |
+| TestThrow.java:101:5:101:9 | ...=... | TestThrow.java:103:4:118:4 | try ... |
+| TestThrow.java:101:5:101:10 | ...; | TestThrow.java:101:9:101:9 | 1 |
 | TestThrow.java:101:9:101:9 | 1 | TestThrow.java:101:5:101:9 | ...=... |
-| TestThrow.java:103:4:118:4 | stmt | TestThrow.java:104:4:106:4 | stmt |
-| TestThrow.java:104:4:106:4 | stmt | TestThrow.java:105:5:105:11 | stmt |
-| TestThrow.java:105:5:105:10 | ...=... | TestThrow.java:107:4:118:4 | stmt |
-| TestThrow.java:105:5:105:11 | stmt | TestThrow.java:105:10:105:10 | 2 |
+| TestThrow.java:103:4:118:4 | try ... | TestThrow.java:104:4:106:4 | { ... } |
+| TestThrow.java:104:4:106:4 | { ... } | TestThrow.java:105:5:105:11 | ...; |
+| TestThrow.java:105:5:105:10 | ...=... | TestThrow.java:107:4:118:4 | { ... } |
+| TestThrow.java:105:5:105:11 | ...; | TestThrow.java:105:10:105:10 | 2 |
 | TestThrow.java:105:9:105:10 | -... | TestThrow.java:105:5:105:10 | ...=... |
 | TestThrow.java:105:10:105:10 | 2 | TestThrow.java:105:9:105:10 | -... |
-| TestThrow.java:107:4:118:4 | stmt | TestThrow.java:108:5:108:15 | stmt |
-| TestThrow.java:108:5:108:15 | stmt | TestThrow.java:108:9:108:9 | z |
+| TestThrow.java:107:4:118:4 | { ... } | TestThrow.java:108:5:108:15 | if (...) |
+| TestThrow.java:108:5:108:15 | if (...) | TestThrow.java:108:9:108:9 | z |
 | TestThrow.java:108:9:108:9 | z | TestThrow.java:108:14:108:14 | 1 |
-| TestThrow.java:108:9:108:14 | ... == ... | TestThrow.java:109:5:111:5 | stmt |
-| TestThrow.java:108:9:108:14 | ... == ... | TestThrow.java:111:12:111:22 | stmt |
+| TestThrow.java:108:9:108:14 | ... == ... | TestThrow.java:109:5:111:5 | { ... } |
+| TestThrow.java:108:9:108:14 | ... == ... | TestThrow.java:111:12:111:22 | if (...) |
 | TestThrow.java:108:14:108:14 | 1 | TestThrow.java:108:9:108:14 | ... == ... |
-| TestThrow.java:109:5:111:5 | stmt | TestThrow.java:110:12:110:26 | new Exception(...) |
-| TestThrow.java:110:6:110:27 | stmt | TestThrow.java:119:5:119:25 | stmt |
-| TestThrow.java:110:6:110:27 | stmt | TestThrow.java:124:3:126:3 | stmt |
-| TestThrow.java:110:12:110:26 | new Exception(...) | TestThrow.java:110:6:110:27 | stmt |
-| TestThrow.java:110:12:110:26 | new Exception(...) | TestThrow.java:124:3:126:3 | stmt |
-| TestThrow.java:111:12:111:22 | stmt | TestThrow.java:111:16:111:16 | z |
+| TestThrow.java:109:5:111:5 | { ... } | TestThrow.java:110:12:110:26 | new Exception(...) |
+| TestThrow.java:110:6:110:27 | throw ... | TestThrow.java:119:5:119:25 | catch (...) |
+| TestThrow.java:110:6:110:27 | throw ... | TestThrow.java:124:3:126:3 | { ... } |
+| TestThrow.java:110:12:110:26 | new Exception(...) | TestThrow.java:110:6:110:27 | throw ... |
+| TestThrow.java:110:12:110:26 | new Exception(...) | TestThrow.java:124:3:126:3 | { ... } |
+| TestThrow.java:111:12:111:22 | if (...) | TestThrow.java:111:16:111:16 | z |
 | TestThrow.java:111:16:111:16 | z | TestThrow.java:111:21:111:21 | 2 |
-| TestThrow.java:111:16:111:21 | ... == ... | TestThrow.java:112:5:114:5 | stmt |
-| TestThrow.java:111:16:111:21 | ... == ... | TestThrow.java:114:12:114:22 | stmt |
+| TestThrow.java:111:16:111:21 | ... == ... | TestThrow.java:112:5:114:5 | { ... } |
+| TestThrow.java:111:16:111:21 | ... == ... | TestThrow.java:114:12:114:22 | if (...) |
 | TestThrow.java:111:21:111:21 | 2 | TestThrow.java:111:16:111:21 | ... == ... |
-| TestThrow.java:112:5:114:5 | stmt | TestThrow.java:113:12:113:33 | new RuntimeException(...) |
-| TestThrow.java:113:6:113:34 | stmt | TestThrow.java:124:3:126:3 | stmt |
-| TestThrow.java:113:12:113:33 | new RuntimeException(...) | TestThrow.java:113:6:113:34 | stmt |
-| TestThrow.java:113:12:113:33 | new RuntimeException(...) | TestThrow.java:124:3:126:3 | stmt |
-| TestThrow.java:114:12:114:22 | stmt | TestThrow.java:114:16:114:16 | z |
+| TestThrow.java:112:5:114:5 | { ... } | TestThrow.java:113:12:113:33 | new RuntimeException(...) |
+| TestThrow.java:113:6:113:34 | throw ... | TestThrow.java:124:3:126:3 | { ... } |
+| TestThrow.java:113:12:113:33 | new RuntimeException(...) | TestThrow.java:113:6:113:34 | throw ... |
+| TestThrow.java:113:12:113:33 | new RuntimeException(...) | TestThrow.java:124:3:126:3 | { ... } |
+| TestThrow.java:114:12:114:22 | if (...) | TestThrow.java:114:16:114:16 | z |
 | TestThrow.java:114:16:114:16 | z | TestThrow.java:114:21:114:21 | 3 |
-| TestThrow.java:114:16:114:21 | ... == ... | TestThrow.java:115:5:117:5 | stmt |
-| TestThrow.java:114:16:114:21 | ... == ... | TestThrow.java:124:3:126:3 | stmt |
+| TestThrow.java:114:16:114:21 | ... == ... | TestThrow.java:115:5:117:5 | { ... } |
+| TestThrow.java:114:16:114:21 | ... == ... | TestThrow.java:124:3:126:3 | { ... } |
 | TestThrow.java:114:21:114:21 | 3 | TestThrow.java:114:16:114:21 | ... == ... |
-| TestThrow.java:115:5:117:5 | stmt | TestThrow.java:116:28:116:36 | "Foo bar" |
-| TestThrow.java:116:6:116:44 | stmt | TestThrow.java:119:5:119:25 | stmt |
-| TestThrow.java:116:12:116:43 | new IOException(...) | TestThrow.java:116:6:116:44 | stmt |
-| TestThrow.java:116:12:116:43 | new IOException(...) | TestThrow.java:124:3:126:3 | stmt |
+| TestThrow.java:115:5:117:5 | { ... } | TestThrow.java:116:28:116:36 | "Foo bar" |
+| TestThrow.java:116:6:116:44 | throw ... | TestThrow.java:119:5:119:25 | catch (...) |
+| TestThrow.java:116:12:116:43 | new IOException(...) | TestThrow.java:116:6:116:44 | throw ... |
+| TestThrow.java:116:12:116:43 | new IOException(...) | TestThrow.java:124:3:126:3 | { ... } |
 | TestThrow.java:116:28:116:36 | "Foo bar" | TestThrow.java:116:39:116:42 | null |
 | TestThrow.java:116:39:116:42 | null | TestThrow.java:116:12:116:43 | new IOException(...) |
-| TestThrow.java:119:5:119:25 | stmt | TestThrow.java:119:24:119:24 | e |
-| TestThrow.java:119:24:119:24 | e | TestThrow.java:120:3:122:3 | stmt |
-| TestThrow.java:120:3:122:3 | stmt | TestThrow.java:121:4:121:9 | stmt |
-| TestThrow.java:121:4:121:8 | ...=... | TestThrow.java:124:3:126:3 | stmt |
-| TestThrow.java:121:4:121:9 | stmt | TestThrow.java:121:8:121:8 | 2 |
+| TestThrow.java:119:5:119:25 | catch (...) | TestThrow.java:119:24:119:24 | e |
+| TestThrow.java:119:24:119:24 | e | TestThrow.java:120:3:122:3 | { ... } |
+| TestThrow.java:120:3:122:3 | { ... } | TestThrow.java:121:4:121:9 | ...; |
+| TestThrow.java:121:4:121:8 | ...=... | TestThrow.java:124:3:126:3 | { ... } |
+| TestThrow.java:121:4:121:9 | ...; | TestThrow.java:121:8:121:8 | 2 |
 | TestThrow.java:121:8:121:8 | 2 | TestThrow.java:121:4:121:8 | ...=... |
-| TestThrow.java:124:3:126:3 | stmt | TestThrow.java:125:4:125:9 | stmt |
+| TestThrow.java:124:3:126:3 | { ... } | TestThrow.java:125:4:125:9 | ...; |
 | TestThrow.java:125:4:125:8 | ...=... | TestThrow.java:15:14:15:14 | f |
-| TestThrow.java:125:4:125:8 | ...=... | TestThrow.java:128:3:128:13 | stmt |
-| TestThrow.java:125:4:125:9 | stmt | TestThrow.java:125:8:125:8 | 3 |
+| TestThrow.java:125:4:125:8 | ...=... | TestThrow.java:128:3:128:13 | if (...) |
+| TestThrow.java:125:4:125:9 | ...; | TestThrow.java:125:8:125:8 | 3 |
 | TestThrow.java:125:8:125:8 | 3 | TestThrow.java:125:4:125:8 | ...=... |
-| TestThrow.java:128:3:128:13 | stmt | TestThrow.java:128:7:128:7 | z |
+| TestThrow.java:128:3:128:13 | if (...) | TestThrow.java:128:7:128:7 | z |
 | TestThrow.java:128:7:128:7 | z | TestThrow.java:128:12:128:12 | 1 |
-| TestThrow.java:128:7:128:12 | ... == ... | TestThrow.java:129:3:131:3 | stmt |
-| TestThrow.java:128:7:128:12 | ... == ... | TestThrow.java:133:3:133:9 | stmt |
+| TestThrow.java:128:7:128:12 | ... == ... | TestThrow.java:129:3:131:3 | { ... } |
+| TestThrow.java:128:7:128:12 | ... == ... | TestThrow.java:133:3:133:9 | ...; |
 | TestThrow.java:128:12:128:12 | 1 | TestThrow.java:128:7:128:12 | ... == ... |
-| TestThrow.java:129:3:131:3 | stmt | TestThrow.java:130:10:130:24 | new Exception(...) |
-| TestThrow.java:130:4:130:25 | stmt | TestThrow.java:15:14:15:14 | f |
-| TestThrow.java:130:10:130:24 | new Exception(...) | TestThrow.java:130:4:130:25 | stmt |
+| TestThrow.java:129:3:131:3 | { ... } | TestThrow.java:130:10:130:24 | new Exception(...) |
+| TestThrow.java:130:4:130:25 | throw ... | TestThrow.java:15:14:15:14 | f |
+| TestThrow.java:130:10:130:24 | new Exception(...) | TestThrow.java:130:4:130:25 | throw ... |
 | TestThrow.java:133:3:133:8 | ...=... | TestThrow.java:15:14:15:14 | f |
-| TestThrow.java:133:3:133:9 | stmt | TestThrow.java:133:8:133:8 | 1 |
+| TestThrow.java:133:3:133:9 | ...; | TestThrow.java:133:8:133:8 | 1 |
 | TestThrow.java:133:7:133:8 | -... | TestThrow.java:133:3:133:8 | ...=... |
 | TestThrow.java:133:8:133:8 | 1 | TestThrow.java:133:7:133:8 | -... |
diff --git a/java/ql/test/library-tests/successors/TestThrow2/TestSucc.expected b/java/ql/test/library-tests/successors/TestThrow2/TestSucc.expected
index 6f8efd945d6..f1aebd2055f 100644
--- a/java/ql/test/library-tests/successors/TestThrow2/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/TestThrow2/TestSucc.expected
@@ -1,15 +1,15 @@
+| TestThrow2.java:3:7:3:16 | ...; | TestThrow2.java:3:7:3:16 | <obinit>(...) |
 | TestThrow2.java:3:7:3:16 | <obinit>(...) | TestThrow2.java:3:7:3:16 | TestThrow2 |
-| TestThrow2.java:3:7:3:16 | stmt | TestThrow2.java:3:7:3:16 | <obinit>(...) |
-| TestThrow2.java:3:7:3:16 | stmt | TestThrow2.java:3:7:3:16 | super(...) |
-| TestThrow2.java:3:7:3:16 | stmt | TestThrow2.java:5:2:11:2 | stmt |
-| TestThrow2.java:3:7:3:16 | super(...) | TestThrow2.java:3:7:3:16 | stmt |
-| TestThrow2.java:5:2:11:2 | stmt | TestThrow2.java:6:3:10:3 | stmt |
-| TestThrow2.java:6:3:10:3 | stmt | TestThrow2.java:6:7:8:3 | stmt |
-| TestThrow2.java:6:7:8:3 | stmt | TestThrow2.java:7:4:7:13 | stmt |
+| TestThrow2.java:3:7:3:16 | super(...) | TestThrow2.java:3:7:3:16 | ...; |
+| TestThrow2.java:3:7:3:16 | { ... } | TestThrow2.java:3:7:3:16 | super(...) |
+| TestThrow2.java:3:7:3:16 | { ... } | TestThrow2.java:5:2:11:2 | { ... } |
+| TestThrow2.java:5:2:11:2 | { ... } | TestThrow2.java:6:3:10:3 | try ... |
+| TestThrow2.java:6:3:10:3 | try ... | TestThrow2.java:6:7:8:3 | { ... } |
+| TestThrow2.java:6:7:8:3 | { ... } | TestThrow2.java:7:4:7:13 | ...; |
 | TestThrow2.java:7:4:7:12 | thrower(...) | TestThrow2.java:3:7:3:16 | <obinit> |
-| TestThrow2.java:7:4:7:12 | thrower(...) | TestThrow2.java:8:5:8:23 | stmt |
-| TestThrow2.java:7:4:7:13 | stmt | TestThrow2.java:7:4:7:12 | thrower(...) |
-| TestThrow2.java:8:5:8:23 | stmt | TestThrow2.java:8:22:8:22 | e |
-| TestThrow2.java:8:22:8:22 | e | TestThrow2.java:8:25:10:3 | stmt |
-| TestThrow2.java:8:25:10:3 | stmt | TestThrow2.java:9:4:9:4 | stmt |
-| TestThrow2.java:9:4:9:4 | stmt | TestThrow2.java:3:7:3:16 | <obinit> |
+| TestThrow2.java:7:4:7:12 | thrower(...) | TestThrow2.java:8:5:8:23 | catch (...) |
+| TestThrow2.java:7:4:7:13 | ...; | TestThrow2.java:7:4:7:12 | thrower(...) |
+| TestThrow2.java:8:5:8:23 | catch (...) | TestThrow2.java:8:22:8:22 | e |
+| TestThrow2.java:8:22:8:22 | e | TestThrow2.java:8:25:10:3 | { ... } |
+| TestThrow2.java:8:25:10:3 | { ... } | TestThrow2.java:9:4:9:4 | ; |
+| TestThrow2.java:9:4:9:4 | ; | TestThrow2.java:3:7:3:16 | <obinit> |
diff --git a/java/ql/test/library-tests/successors/TestTryCatch/FalseSuccessors.expected b/java/ql/test/library-tests/successors/TestTryCatch/FalseSuccessors.expected
index 427a1014398..cfe3896fb66 100644
--- a/java/ql/test/library-tests/successors/TestTryCatch/FalseSuccessors.expected
+++ b/java/ql/test/library-tests/successors/TestTryCatch/FalseSuccessors.expected
@@ -1 +1 @@
-| TestTryCatch.java:27:19:27:24 | ... < ... | TestTryCatch.java:42:3:42:12 | stmt |
+| TestTryCatch.java:27:19:27:24 | ... < ... | TestTryCatch.java:42:3:42:12 | ...; |
diff --git a/java/ql/test/library-tests/successors/TestTryCatch/TestSucc.expected b/java/ql/test/library-tests/successors/TestTryCatch/TestSucc.expected
index db1f8d15d83..205367d9bd9 100644
--- a/java/ql/test/library-tests/successors/TestTryCatch/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/TestTryCatch/TestSucc.expected
@@ -1,121 +1,121 @@
-| TestTryCatch.java:3:14:3:25 | stmt | TestTryCatch.java:3:14:3:25 | super(...) |
 | TestTryCatch.java:3:14:3:25 | super(...) | TestTryCatch.java:3:14:3:25 | TestTryCatch |
-| TestTryCatch.java:5:2:43:2 | stmt | TestTryCatch.java:6:3:23:3 | stmt |
-| TestTryCatch.java:6:3:23:3 | stmt | TestTryCatch.java:7:3:12:3 | stmt |
-| TestTryCatch.java:7:3:12:3 | stmt | TestTryCatch.java:8:4:8:29 | stmt |
+| TestTryCatch.java:3:14:3:25 | { ... } | TestTryCatch.java:3:14:3:25 | super(...) |
+| TestTryCatch.java:5:2:43:2 | { ... } | TestTryCatch.java:6:3:23:3 | try ... |
+| TestTryCatch.java:6:3:23:3 | try ... | TestTryCatch.java:7:3:12:3 | { ... } |
+| TestTryCatch.java:7:3:12:3 | { ... } | TestTryCatch.java:8:4:8:29 | ...; |
 | TestTryCatch.java:8:4:8:13 | System.out | TestTryCatch.java:8:23:8:27 | "Foo" |
-| TestTryCatch.java:8:4:8:28 | println(...) | TestTryCatch.java:9:4:9:18 | stmt |
-| TestTryCatch.java:8:4:8:28 | println(...) | TestTryCatch.java:12:5:12:23 | stmt |
-| TestTryCatch.java:8:4:8:28 | println(...) | TestTryCatch.java:19:3:23:3 | stmt |
-| TestTryCatch.java:8:4:8:29 | stmt | TestTryCatch.java:8:4:8:13 | System.out |
+| TestTryCatch.java:8:4:8:28 | println(...) | TestTryCatch.java:9:4:9:18 | local variable declaration |
+| TestTryCatch.java:8:4:8:28 | println(...) | TestTryCatch.java:12:5:12:23 | catch (...) |
+| TestTryCatch.java:8:4:8:28 | println(...) | TestTryCatch.java:19:3:23:3 | { ... } |
+| TestTryCatch.java:8:4:8:29 | ...; | TestTryCatch.java:8:4:8:13 | System.out |
 | TestTryCatch.java:8:23:8:27 | "Foo" | TestTryCatch.java:8:4:8:28 | println(...) |
-| TestTryCatch.java:9:4:9:18 | stmt | TestTryCatch.java:9:12:9:13 | 12 |
-| TestTryCatch.java:9:8:9:17 | y | TestTryCatch.java:10:4:10:29 | stmt |
+| TestTryCatch.java:9:4:9:18 | local variable declaration | TestTryCatch.java:9:12:9:13 | 12 |
+| TestTryCatch.java:9:8:9:17 | y | TestTryCatch.java:10:4:10:29 | ...; |
 | TestTryCatch.java:9:12:9:13 | 12 | TestTryCatch.java:9:17:9:17 | 3 |
 | TestTryCatch.java:9:12:9:17 | ... + ... | TestTryCatch.java:9:8:9:17 | y |
 | TestTryCatch.java:9:17:9:17 | 3 | TestTryCatch.java:9:12:9:17 | ... + ... |
 | TestTryCatch.java:10:4:10:13 | System.out | TestTryCatch.java:10:23:10:27 | "Bar" |
-| TestTryCatch.java:10:4:10:28 | println(...) | TestTryCatch.java:11:4:11:13 | stmt |
-| TestTryCatch.java:10:4:10:28 | println(...) | TestTryCatch.java:12:5:12:23 | stmt |
-| TestTryCatch.java:10:4:10:28 | println(...) | TestTryCatch.java:19:3:23:3 | stmt |
-| TestTryCatch.java:10:4:10:29 | stmt | TestTryCatch.java:10:4:10:13 | System.out |
+| TestTryCatch.java:10:4:10:28 | println(...) | TestTryCatch.java:11:4:11:13 | ...; |
+| TestTryCatch.java:10:4:10:28 | println(...) | TestTryCatch.java:12:5:12:23 | catch (...) |
+| TestTryCatch.java:10:4:10:28 | println(...) | TestTryCatch.java:19:3:23:3 | { ... } |
+| TestTryCatch.java:10:4:10:29 | ...; | TestTryCatch.java:10:4:10:13 | System.out |
 | TestTryCatch.java:10:23:10:27 | "Bar" | TestTryCatch.java:10:4:10:28 | println(...) |
-| TestTryCatch.java:11:4:11:12 | ...=... | TestTryCatch.java:19:3:23:3 | stmt |
-| TestTryCatch.java:11:4:11:13 | stmt | TestTryCatch.java:11:8:11:8 | y |
+| TestTryCatch.java:11:4:11:12 | ...=... | TestTryCatch.java:19:3:23:3 | { ... } |
+| TestTryCatch.java:11:4:11:13 | ...; | TestTryCatch.java:11:8:11:8 | y |
 | TestTryCatch.java:11:8:11:8 | y | TestTryCatch.java:11:12:11:12 | 1 |
 | TestTryCatch.java:11:8:11:12 | ... + ... | TestTryCatch.java:11:4:11:12 | ...=... |
 | TestTryCatch.java:11:12:11:12 | 1 | TestTryCatch.java:11:8:11:12 | ... + ... |
-| TestTryCatch.java:12:5:12:23 | stmt | TestTryCatch.java:12:22:12:22 | e |
-| TestTryCatch.java:12:22:12:22 | e | TestTryCatch.java:13:3:18:3 | stmt |
-| TestTryCatch.java:13:3:18:3 | stmt | TestTryCatch.java:14:4:14:13 | stmt |
-| TestTryCatch.java:14:4:14:13 | stmt | TestTryCatch.java:14:12:14:12 | 1 |
-| TestTryCatch.java:14:8:14:12 | x | TestTryCatch.java:15:4:15:37 | stmt |
+| TestTryCatch.java:12:5:12:23 | catch (...) | TestTryCatch.java:12:22:12:22 | e |
+| TestTryCatch.java:12:22:12:22 | e | TestTryCatch.java:13:3:18:3 | { ... } |
+| TestTryCatch.java:13:3:18:3 | { ... } | TestTryCatch.java:14:4:14:13 | local variable declaration |
+| TestTryCatch.java:14:4:14:13 | local variable declaration | TestTryCatch.java:14:12:14:12 | 1 |
+| TestTryCatch.java:14:8:14:12 | x | TestTryCatch.java:15:4:15:37 | ...; |
 | TestTryCatch.java:14:12:14:12 | 1 | TestTryCatch.java:14:8:14:12 | x |
 | TestTryCatch.java:15:4:15:13 | System.out | TestTryCatch.java:15:23:15:31 | "Error: " |
-| TestTryCatch.java:15:4:15:36 | println(...) | TestTryCatch.java:16:4:16:13 | stmt |
-| TestTryCatch.java:15:4:15:37 | stmt | TestTryCatch.java:15:4:15:13 | System.out |
+| TestTryCatch.java:15:4:15:36 | println(...) | TestTryCatch.java:16:4:16:13 | ...; |
+| TestTryCatch.java:15:4:15:37 | ...; | TestTryCatch.java:15:4:15:13 | System.out |
 | TestTryCatch.java:15:23:15:31 | "Error: " | TestTryCatch.java:15:35:15:35 | e |
 | TestTryCatch.java:15:23:15:35 | ... + ... | TestTryCatch.java:15:4:15:36 | println(...) |
 | TestTryCatch.java:15:35:15:35 | e | TestTryCatch.java:15:23:15:35 | ... + ... |
-| TestTryCatch.java:16:4:16:12 | ...=... | TestTryCatch.java:17:4:17:10 | stmt |
-| TestTryCatch.java:16:4:16:13 | stmt | TestTryCatch.java:16:8:16:8 | x |
+| TestTryCatch.java:16:4:16:12 | ...=... | TestTryCatch.java:17:4:17:10 | return ... |
+| TestTryCatch.java:16:4:16:13 | ...; | TestTryCatch.java:16:8:16:8 | x |
 | TestTryCatch.java:16:8:16:8 | x | TestTryCatch.java:16:12:16:12 | 1 |
 | TestTryCatch.java:16:8:16:12 | ... + ... | TestTryCatch.java:16:4:16:12 | ...=... |
 | TestTryCatch.java:16:12:16:12 | 1 | TestTryCatch.java:16:8:16:12 | ... + ... |
-| TestTryCatch.java:17:4:17:10 | stmt | TestTryCatch.java:19:3:23:3 | stmt |
-| TestTryCatch.java:19:3:23:3 | stmt | TestTryCatch.java:20:4:20:14 | stmt |
-| TestTryCatch.java:20:4:20:14 | stmt | TestTryCatch.java:20:12:20:13 | 12 |
-| TestTryCatch.java:20:8:20:13 | y | TestTryCatch.java:21:4:21:33 | stmt |
+| TestTryCatch.java:17:4:17:10 | return ... | TestTryCatch.java:19:3:23:3 | { ... } |
+| TestTryCatch.java:19:3:23:3 | { ... } | TestTryCatch.java:20:4:20:14 | local variable declaration |
+| TestTryCatch.java:20:4:20:14 | local variable declaration | TestTryCatch.java:20:12:20:13 | 12 |
+| TestTryCatch.java:20:8:20:13 | y | TestTryCatch.java:21:4:21:33 | ...; |
 | TestTryCatch.java:20:12:20:13 | 12 | TestTryCatch.java:20:8:20:13 | y |
 | TestTryCatch.java:21:4:21:13 | System.out | TestTryCatch.java:21:23:21:31 | "Finally" |
-| TestTryCatch.java:21:4:21:32 | println(...) | TestTryCatch.java:22:4:22:13 | stmt |
-| TestTryCatch.java:21:4:21:33 | stmt | TestTryCatch.java:21:4:21:13 | System.out |
+| TestTryCatch.java:21:4:21:32 | println(...) | TestTryCatch.java:22:4:22:13 | ...; |
+| TestTryCatch.java:21:4:21:33 | ...; | TestTryCatch.java:21:4:21:13 | System.out |
 | TestTryCatch.java:21:23:21:31 | "Finally" | TestTryCatch.java:21:4:21:32 | println(...) |
 | TestTryCatch.java:22:4:22:12 | ...=... | TestTryCatch.java:4:14:4:14 | f |
-| TestTryCatch.java:22:4:22:12 | ...=... | TestTryCatch.java:24:3:24:13 | stmt |
-| TestTryCatch.java:22:4:22:13 | stmt | TestTryCatch.java:22:8:22:8 | y |
+| TestTryCatch.java:22:4:22:12 | ...=... | TestTryCatch.java:24:3:24:13 | local variable declaration |
+| TestTryCatch.java:22:4:22:13 | ...; | TestTryCatch.java:22:8:22:8 | y |
 | TestTryCatch.java:22:8:22:8 | y | TestTryCatch.java:22:12:22:12 | 1 |
 | TestTryCatch.java:22:8:22:12 | ... + ... | TestTryCatch.java:22:4:22:12 | ...=... |
 | TestTryCatch.java:22:12:22:12 | 1 | TestTryCatch.java:22:8:22:12 | ... + ... |
-| TestTryCatch.java:24:3:24:13 | stmt | TestTryCatch.java:24:11:24:12 | 12 |
-| TestTryCatch.java:24:7:24:12 | z | TestTryCatch.java:25:3:25:12 | stmt |
+| TestTryCatch.java:24:3:24:13 | local variable declaration | TestTryCatch.java:24:11:24:12 | 12 |
+| TestTryCatch.java:24:7:24:12 | z | TestTryCatch.java:25:3:25:12 | ...; |
 | TestTryCatch.java:24:11:24:12 | 12 | TestTryCatch.java:24:7:24:12 | z |
-| TestTryCatch.java:25:3:25:11 | ...=... | TestTryCatch.java:27:3:27:30 | stmt |
-| TestTryCatch.java:25:3:25:12 | stmt | TestTryCatch.java:25:7:25:7 | z |
+| TestTryCatch.java:25:3:25:11 | ...=... | TestTryCatch.java:27:3:27:30 | for (...) |
+| TestTryCatch.java:25:3:25:12 | ...; | TestTryCatch.java:25:7:25:7 | z |
 | TestTryCatch.java:25:7:25:7 | z | TestTryCatch.java:25:11:25:11 | 1 |
 | TestTryCatch.java:25:7:25:11 | ... + ... | TestTryCatch.java:25:3:25:11 | ...=... |
 | TestTryCatch.java:25:11:25:11 | 1 | TestTryCatch.java:25:7:25:11 | ... + ... |
-| TestTryCatch.java:27:3:27:30 | stmt | TestTryCatch.java:27:16:27:16 | 0 |
+| TestTryCatch.java:27:3:27:30 | for (...) | TestTryCatch.java:27:16:27:16 | 0 |
 | TestTryCatch.java:27:12:27:16 | q | TestTryCatch.java:27:19:27:19 | q |
 | TestTryCatch.java:27:16:27:16 | 0 | TestTryCatch.java:27:12:27:16 | q |
 | TestTryCatch.java:27:19:27:19 | q | TestTryCatch.java:27:23:27:24 | 10 |
-| TestTryCatch.java:27:19:27:24 | ... < ... | TestTryCatch.java:28:3:41:3 | stmt |
-| TestTryCatch.java:27:19:27:24 | ... < ... | TestTryCatch.java:42:3:42:12 | stmt |
+| TestTryCatch.java:27:19:27:24 | ... < ... | TestTryCatch.java:28:3:41:3 | { ... } |
+| TestTryCatch.java:27:19:27:24 | ... < ... | TestTryCatch.java:42:3:42:12 | ...; |
 | TestTryCatch.java:27:23:27:24 | 10 | TestTryCatch.java:27:19:27:24 | ... < ... |
 | TestTryCatch.java:27:27:27:27 | q | TestTryCatch.java:27:27:27:29 | ...++ |
 | TestTryCatch.java:27:27:27:29 | ...++ | TestTryCatch.java:27:19:27:19 | q |
-| TestTryCatch.java:28:3:41:3 | stmt | TestTryCatch.java:29:4:40:4 | stmt |
-| TestTryCatch.java:29:4:40:4 | stmt | TestTryCatch.java:30:4:35:4 | stmt |
-| TestTryCatch.java:30:4:35:4 | stmt | TestTryCatch.java:31:5:31:30 | stmt |
+| TestTryCatch.java:28:3:41:3 | { ... } | TestTryCatch.java:29:4:40:4 | try ... |
+| TestTryCatch.java:29:4:40:4 | try ... | TestTryCatch.java:30:4:35:4 | { ... } |
+| TestTryCatch.java:30:4:35:4 | { ... } | TestTryCatch.java:31:5:31:30 | ...; |
 | TestTryCatch.java:31:5:31:14 | System.out | TestTryCatch.java:31:24:31:28 | "Foo" |
-| TestTryCatch.java:31:5:31:29 | println(...) | TestTryCatch.java:32:5:32:19 | stmt |
-| TestTryCatch.java:31:5:31:29 | println(...) | TestTryCatch.java:35:6:35:31 | stmt |
-| TestTryCatch.java:31:5:31:30 | stmt | TestTryCatch.java:31:5:31:14 | System.out |
+| TestTryCatch.java:31:5:31:29 | println(...) | TestTryCatch.java:32:5:32:19 | local variable declaration |
+| TestTryCatch.java:31:5:31:29 | println(...) | TestTryCatch.java:35:6:35:31 | catch (...) |
+| TestTryCatch.java:31:5:31:30 | ...; | TestTryCatch.java:31:5:31:14 | System.out |
 | TestTryCatch.java:31:24:31:28 | "Foo" | TestTryCatch.java:31:5:31:29 | println(...) |
-| TestTryCatch.java:32:5:32:19 | stmt | TestTryCatch.java:32:13:32:14 | 12 |
-| TestTryCatch.java:32:9:32:18 | y | TestTryCatch.java:33:5:33:30 | stmt |
+| TestTryCatch.java:32:5:32:19 | local variable declaration | TestTryCatch.java:32:13:32:14 | 12 |
+| TestTryCatch.java:32:9:32:18 | y | TestTryCatch.java:33:5:33:30 | ...; |
 | TestTryCatch.java:32:13:32:14 | 12 | TestTryCatch.java:32:18:32:18 | 3 |
 | TestTryCatch.java:32:13:32:18 | ... + ... | TestTryCatch.java:32:9:32:18 | y |
 | TestTryCatch.java:32:18:32:18 | 3 | TestTryCatch.java:32:13:32:18 | ... + ... |
 | TestTryCatch.java:33:5:33:14 | System.out | TestTryCatch.java:33:24:33:28 | "Bar" |
-| TestTryCatch.java:33:5:33:29 | println(...) | TestTryCatch.java:34:5:34:14 | stmt |
-| TestTryCatch.java:33:5:33:29 | println(...) | TestTryCatch.java:35:6:35:31 | stmt |
-| TestTryCatch.java:33:5:33:30 | stmt | TestTryCatch.java:33:5:33:14 | System.out |
+| TestTryCatch.java:33:5:33:29 | println(...) | TestTryCatch.java:34:5:34:14 | ...; |
+| TestTryCatch.java:33:5:33:29 | println(...) | TestTryCatch.java:35:6:35:31 | catch (...) |
+| TestTryCatch.java:33:5:33:30 | ...; | TestTryCatch.java:33:5:33:14 | System.out |
 | TestTryCatch.java:33:24:33:28 | "Bar" | TestTryCatch.java:33:5:33:29 | println(...) |
 | TestTryCatch.java:34:5:34:13 | ...=... | TestTryCatch.java:27:27:27:27 | q |
-| TestTryCatch.java:34:5:34:14 | stmt | TestTryCatch.java:34:9:34:9 | y |
+| TestTryCatch.java:34:5:34:14 | ...; | TestTryCatch.java:34:9:34:9 | y |
 | TestTryCatch.java:34:9:34:9 | y | TestTryCatch.java:34:13:34:13 | 1 |
 | TestTryCatch.java:34:9:34:13 | ... + ... | TestTryCatch.java:34:5:34:13 | ...=... |
 | TestTryCatch.java:34:13:34:13 | 1 | TestTryCatch.java:34:9:34:13 | ... + ... |
-| TestTryCatch.java:35:6:35:31 | stmt | TestTryCatch.java:35:30:35:30 | e |
-| TestTryCatch.java:35:30:35:30 | e | TestTryCatch.java:36:4:40:4 | stmt |
-| TestTryCatch.java:36:4:40:4 | stmt | TestTryCatch.java:37:5:37:14 | stmt |
-| TestTryCatch.java:37:5:37:14 | stmt | TestTryCatch.java:37:13:37:13 | 1 |
-| TestTryCatch.java:37:9:37:13 | x | TestTryCatch.java:38:5:38:38 | stmt |
+| TestTryCatch.java:35:6:35:31 | catch (...) | TestTryCatch.java:35:30:35:30 | e |
+| TestTryCatch.java:35:30:35:30 | e | TestTryCatch.java:36:4:40:4 | { ... } |
+| TestTryCatch.java:36:4:40:4 | { ... } | TestTryCatch.java:37:5:37:14 | local variable declaration |
+| TestTryCatch.java:37:5:37:14 | local variable declaration | TestTryCatch.java:37:13:37:13 | 1 |
+| TestTryCatch.java:37:9:37:13 | x | TestTryCatch.java:38:5:38:38 | ...; |
 | TestTryCatch.java:37:13:37:13 | 1 | TestTryCatch.java:37:9:37:13 | x |
 | TestTryCatch.java:38:5:38:14 | System.out | TestTryCatch.java:38:24:38:32 | "Error: " |
-| TestTryCatch.java:38:5:38:37 | println(...) | TestTryCatch.java:39:5:39:14 | stmt |
-| TestTryCatch.java:38:5:38:38 | stmt | TestTryCatch.java:38:5:38:14 | System.out |
+| TestTryCatch.java:38:5:38:37 | println(...) | TestTryCatch.java:39:5:39:14 | ...; |
+| TestTryCatch.java:38:5:38:38 | ...; | TestTryCatch.java:38:5:38:14 | System.out |
 | TestTryCatch.java:38:24:38:32 | "Error: " | TestTryCatch.java:38:36:38:36 | e |
 | TestTryCatch.java:38:24:38:36 | ... + ... | TestTryCatch.java:38:5:38:37 | println(...) |
 | TestTryCatch.java:38:36:38:36 | e | TestTryCatch.java:38:24:38:36 | ... + ... |
 | TestTryCatch.java:39:5:39:13 | ...=... | TestTryCatch.java:27:27:27:27 | q |
-| TestTryCatch.java:39:5:39:14 | stmt | TestTryCatch.java:39:9:39:9 | x |
+| TestTryCatch.java:39:5:39:14 | ...; | TestTryCatch.java:39:9:39:9 | x |
 | TestTryCatch.java:39:9:39:9 | x | TestTryCatch.java:39:13:39:13 | 1 |
 | TestTryCatch.java:39:9:39:13 | ... + ... | TestTryCatch.java:39:5:39:13 | ...=... |
 | TestTryCatch.java:39:13:39:13 | 1 | TestTryCatch.java:39:9:39:13 | ... + ... |
 | TestTryCatch.java:42:3:42:11 | ...=... | TestTryCatch.java:4:14:4:14 | f |
-| TestTryCatch.java:42:3:42:12 | stmt | TestTryCatch.java:42:7:42:7 | z |
+| TestTryCatch.java:42:3:42:12 | ...; | TestTryCatch.java:42:7:42:7 | z |
 | TestTryCatch.java:42:7:42:7 | z | TestTryCatch.java:42:11:42:11 | 2 |
 | TestTryCatch.java:42:7:42:11 | ... + ... | TestTryCatch.java:42:3:42:11 | ...=... |
 | TestTryCatch.java:42:11:42:11 | 2 | TestTryCatch.java:42:7:42:11 | ... + ... |
diff --git a/java/ql/test/library-tests/successors/TestTryWithResources/TestSucc.expected b/java/ql/test/library-tests/successors/TestTryWithResources/TestSucc.expected
index 86c3f054f15..8084acd7aa4 100644
--- a/java/ql/test/library-tests/successors/TestTryWithResources/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/TestTryWithResources/TestSucc.expected
@@ -1,37 +1,37 @@
-| TestTryWithResources.java:6:14:6:33 | stmt | TestTryWithResources.java:6:14:6:33 | super(...) |
 | TestTryWithResources.java:6:14:6:33 | super(...) | TestTryWithResources.java:6:14:6:33 | TestTryWithResources |
-| TestTryWithResources.java:7:60:16:2 | stmt | TestTryWithResources.java:8:3:15:3 | stmt |
-| TestTryWithResources.java:8:3:15:3 | stmt | TestTryWithResources.java:8:8:8:58 | stmt |
-| TestTryWithResources.java:8:8:8:58 | stmt | TestTryWithResources.java:8:50:8:53 | args |
-| TestTryWithResources.java:8:24:8:57 | fis | TestTryWithResources.java:9:4:9:55 | stmt |
+| TestTryWithResources.java:6:14:6:33 | { ... } | TestTryWithResources.java:6:14:6:33 | super(...) |
+| TestTryWithResources.java:7:60:16:2 | { ... } | TestTryWithResources.java:8:3:15:3 | try ... |
+| TestTryWithResources.java:8:3:15:3 | try ... | TestTryWithResources.java:8:8:8:58 | local variable declaration |
+| TestTryWithResources.java:8:8:8:58 | local variable declaration | TestTryWithResources.java:8:50:8:53 | args |
+| TestTryWithResources.java:8:24:8:57 | fis | TestTryWithResources.java:9:4:9:55 | local variable declaration |
 | TestTryWithResources.java:8:30:8:57 | new FileInputStream(...) | TestTryWithResources.java:8:24:8:57 | fis |
-| TestTryWithResources.java:8:30:8:57 | new FileInputStream(...) | TestTryWithResources.java:11:5:11:35 | stmt |
-| TestTryWithResources.java:8:30:8:57 | new FileInputStream(...) | TestTryWithResources.java:13:13:15:3 | stmt |
+| TestTryWithResources.java:8:30:8:57 | new FileInputStream(...) | TestTryWithResources.java:11:5:11:35 | catch (...) |
+| TestTryWithResources.java:8:30:8:57 | new FileInputStream(...) | TestTryWithResources.java:13:13:15:3 | { ... } |
 | TestTryWithResources.java:8:50:8:53 | args | TestTryWithResources.java:8:55:8:55 | 0 |
 | TestTryWithResources.java:8:50:8:56 | ...[...] | TestTryWithResources.java:8:30:8:57 | new FileInputStream(...) |
 | TestTryWithResources.java:8:55:8:55 | 0 | TestTryWithResources.java:8:50:8:56 | ...[...] |
-| TestTryWithResources.java:9:4:9:55 | stmt | TestTryWithResources.java:9:48:9:51 | args |
-| TestTryWithResources.java:9:21:9:55 | fos | TestTryWithResources.java:9:58:11:3 | stmt |
+| TestTryWithResources.java:9:4:9:55 | local variable declaration | TestTryWithResources.java:9:48:9:51 | args |
+| TestTryWithResources.java:9:21:9:55 | fos | TestTryWithResources.java:9:58:11:3 | { ... } |
 | TestTryWithResources.java:9:27:9:55 | new FileOutputStream(...) | TestTryWithResources.java:9:21:9:55 | fos |
-| TestTryWithResources.java:9:27:9:55 | new FileOutputStream(...) | TestTryWithResources.java:11:5:11:35 | stmt |
-| TestTryWithResources.java:9:27:9:55 | new FileOutputStream(...) | TestTryWithResources.java:13:13:15:3 | stmt |
+| TestTryWithResources.java:9:27:9:55 | new FileOutputStream(...) | TestTryWithResources.java:11:5:11:35 | catch (...) |
+| TestTryWithResources.java:9:27:9:55 | new FileOutputStream(...) | TestTryWithResources.java:13:13:15:3 | { ... } |
 | TestTryWithResources.java:9:48:9:51 | args | TestTryWithResources.java:9:53:9:53 | 1 |
 | TestTryWithResources.java:9:48:9:54 | ...[...] | TestTryWithResources.java:9:27:9:55 | new FileOutputStream(...) |
 | TestTryWithResources.java:9:53:9:53 | 1 | TestTryWithResources.java:9:48:9:54 | ...[...] |
-| TestTryWithResources.java:9:58:11:3 | stmt | TestTryWithResources.java:10:4:10:32 | stmt |
+| TestTryWithResources.java:9:58:11:3 | { ... } | TestTryWithResources.java:10:4:10:32 | ...; |
 | TestTryWithResources.java:10:4:10:13 | System.out | TestTryWithResources.java:10:23:10:30 | "worked" |
-| TestTryWithResources.java:10:4:10:31 | println(...) | TestTryWithResources.java:13:13:15:3 | stmt |
-| TestTryWithResources.java:10:4:10:32 | stmt | TestTryWithResources.java:10:4:10:13 | System.out |
+| TestTryWithResources.java:10:4:10:31 | println(...) | TestTryWithResources.java:13:13:15:3 | { ... } |
+| TestTryWithResources.java:10:4:10:32 | ...; | TestTryWithResources.java:10:4:10:13 | System.out |
 | TestTryWithResources.java:10:23:10:30 | "worked" | TestTryWithResources.java:10:4:10:31 | println(...) |
-| TestTryWithResources.java:11:5:11:35 | stmt | TestTryWithResources.java:11:34:11:34 | e |
-| TestTryWithResources.java:11:34:11:34 | e | TestTryWithResources.java:11:37:13:3 | stmt |
-| TestTryWithResources.java:11:37:13:3 | stmt | TestTryWithResources.java:12:4:12:40 | stmt |
+| TestTryWithResources.java:11:5:11:35 | catch (...) | TestTryWithResources.java:11:34:11:34 | e |
+| TestTryWithResources.java:11:34:11:34 | e | TestTryWithResources.java:11:37:13:3 | { ... } |
+| TestTryWithResources.java:11:37:13:3 | { ... } | TestTryWithResources.java:12:4:12:40 | ...; |
 | TestTryWithResources.java:12:4:12:13 | System.out | TestTryWithResources.java:12:23:12:38 | "file not found" |
-| TestTryWithResources.java:12:4:12:39 | println(...) | TestTryWithResources.java:13:13:15:3 | stmt |
-| TestTryWithResources.java:12:4:12:40 | stmt | TestTryWithResources.java:12:4:12:13 | System.out |
+| TestTryWithResources.java:12:4:12:39 | println(...) | TestTryWithResources.java:13:13:15:3 | { ... } |
+| TestTryWithResources.java:12:4:12:40 | ...; | TestTryWithResources.java:12:4:12:13 | System.out |
 | TestTryWithResources.java:12:23:12:38 | "file not found" | TestTryWithResources.java:12:4:12:39 | println(...) |
-| TestTryWithResources.java:13:13:15:3 | stmt | TestTryWithResources.java:14:4:14:33 | stmt |
+| TestTryWithResources.java:13:13:15:3 | { ... } | TestTryWithResources.java:14:4:14:33 | ...; |
 | TestTryWithResources.java:14:4:14:13 | System.out | TestTryWithResources.java:14:23:14:31 | "finally" |
 | TestTryWithResources.java:14:4:14:32 | println(...) | TestTryWithResources.java:7:21:7:24 | main |
-| TestTryWithResources.java:14:4:14:33 | stmt | TestTryWithResources.java:14:4:14:13 | System.out |
+| TestTryWithResources.java:14:4:14:33 | ...; | TestTryWithResources.java:14:4:14:13 | System.out |
 | TestTryWithResources.java:14:23:14:31 | "finally" | TestTryWithResources.java:14:4:14:32 | println(...) |
diff --git a/java/ql/test/library-tests/typeaccesses/PrintAst.expected b/java/ql/test/library-tests/typeaccesses/PrintAst.expected
index 6df9a49f2b2..f9c2c3c4fb6 100644
--- a/java/ql/test/library-tests/typeaccesses/PrintAst.expected
+++ b/java/ql/test/library-tests/typeaccesses/PrintAst.expected
@@ -12,8 +12,8 @@ typeaccesses/Outer.java:
 #    0| [CompilationUnit] Outer
 #    3|   1: [Class] Outer
 #    4|     3: [Class] Inner
-#    5|     4: [BlockStmt] stmt
-#    6|       0: [LocalVariableDeclStmt] stmt
+#    5|     4: [BlockStmt] { ... }
+#    6|       0: [LocalVariableDeclStmt] local variable declaration
 #    6|         0: [TypeAccess] Object
 #    6|         1: [LocalVariableDeclExpr] o
 #    6|           0: [ArrayCreationExpr] new Outer[]
@@ -38,8 +38,8 @@ typeaccesses/TA.java:
 #    7|     3: [Method] method1
 #    7|       3: [TypeAccess] ArrayList<TA>
 #    7|         0: [TypeAccess] TA
-#    7|       5: [BlockStmt] stmt
-#    7|         0: [ReturnStmt] stmt
+#    7|       5: [BlockStmt] { ... }
+#    7|         0: [ReturnStmt] return ...
 #    7|           0: [NullLiteral] null
 #    8|     4: [Method] method2
 #    8|       3: [TypeAccess] void
@@ -47,11 +47,11 @@ typeaccesses/TA.java:
 #    8|         0: [Parameter] param
 #    8|           0: [TypeAccess] ArrayList<TA>
 #    8|             0: [TypeAccess] TA
-#    8|       5: [BlockStmt] stmt
+#    8|       5: [BlockStmt] { ... }
 #    9|     5: [Method] method3
 #    9|       3: [TypeAccess] void
-#    9|       5: [BlockStmt] stmt
-#    9|         0: [LocalVariableDeclStmt] stmt
+#    9|       5: [BlockStmt] { ... }
+#    9|         0: [LocalVariableDeclStmt] local variable declaration
 #    9|           0: [TypeAccess] ArrayList<TA>
 #    9|             0: [TypeAccess] TA
 #    9|           1: [LocalVariableDeclExpr] local
@@ -61,11 +61,11 @@ typeaccesses/TA.java:
 #   10|           0: [TypeAccess] ArrayList<TA>
 #   10|             0: [TypeAccess] TA
 #   10|       3: [TypeAccess] void
-#   10|       5: [BlockStmt] stmt
+#   10|       5: [BlockStmt] { ... }
 #   11|     7: [Method] method5
 #   11|       3: [TypeAccess] void
-#   11|       5: [BlockStmt] stmt
-#   11|         0: [ExprStmt] stmt
+#   11|       5: [BlockStmt] { ... }
+#   11|         0: [ExprStmt] ...;
 #   11|           0: [MethodAccess] toString(...)
 #   11|             -1: [CastExpr] (...)...
 #   11|               0: [TypeAccess] ArrayList<TA>
@@ -73,15 +73,15 @@ typeaccesses/TA.java:
 #   11|               1: [NullLiteral] null
 #   12|     8: [Method] method6
 #   12|       3: [TypeAccess] void
-#   12|       5: [BlockStmt] stmt
-#   12|         0: [ExprStmt] stmt
+#   12|       5: [BlockStmt] { ... }
+#   12|         0: [ExprStmt] ...;
 #   12|           0: [ClassInstanceExpr] new ArrayList<TA>(...)
 #   12|             -3: [TypeAccess] ArrayList<TA>
 #   12|               0: [TypeAccess] TA
 #   13|     9: [Method] method7
 #   13|       3: [TypeAccess] void
-#   13|       5: [BlockStmt] stmt
-#   13|         0: [ExprStmt] stmt
+#   13|       5: [BlockStmt] { ... }
+#   13|         0: [ExprStmt] ...;
 #   13|           0: [MethodAccess] method3(...)
 #   13|             -1: [TypeAccess] TA
 #   14|     10: [Class] Inner
@@ -93,12 +93,12 @@ typeaccesses/TA.java:
 #   15|       3: [TypeAccess] TA.Inner<?>
 #   15|         -1: [TypeAccess] TA
 #   15|         0: [WildcardTypeAccess] ? ...
-#   15|       5: [BlockStmt] stmt
-#   15|         0: [ReturnStmt] stmt
+#   15|       5: [BlockStmt] { ... }
+#   15|         0: [ReturnStmt] return ...
 #   15|           0: [NullLiteral] null
 #   16|     12: [Method] method9
 #   16|       3: [TypeAccess] List<TA>
 #   16|         0: [TypeAccess] TA
-#   16|       5: [BlockStmt] stmt
-#   16|         0: [ReturnStmt] stmt
+#   16|       5: [BlockStmt] { ... }
+#   16|         0: [ReturnStmt] return ...
 #   16|           0: [NullLiteral] null
diff --git a/java/ql/test/library-tests/unreachableblocks/UnreachableBlocks.expected b/java/ql/test/library-tests/unreachableblocks/UnreachableBlocks.expected
index 2592d8fe1db..35178b0a349 100644
--- a/java/ql/test/library-tests/unreachableblocks/UnreachableBlocks.expected
+++ b/java/ql/test/library-tests/unreachableblocks/UnreachableBlocks.expected
@@ -1,9 +1,9 @@
-| unreachableblocks/Unreachable.java:6:14:8:3 | stmt |
-| unreachableblocks/Unreachable.java:9:21:11:3 | stmt |
-| unreachableblocks/Unreachable.java:12:22:14:3 | stmt |
-| unreachableblocks/Unreachable.java:17:3:17:9 | stmt |
-| unreachableblocks/Unreachable.java:19:3:19:9 | stmt |
-| unreachableblocks/Unreachable.java:22:3:22:9 | stmt |
-| unreachableblocks/Unreachable.java:24:3:24:9 | stmt |
-| unreachableblocks/Unreachable.java:26:3:26:10 | stmt |
-| unreachableblocks/Unreachable.java:27:3:27:10 | stmt |
+| unreachableblocks/Unreachable.java:6:14:8:3 | { ... } |
+| unreachableblocks/Unreachable.java:9:21:11:3 | { ... } |
+| unreachableblocks/Unreachable.java:12:22:14:3 | { ... } |
+| unreachableblocks/Unreachable.java:17:3:17:9 | case ... |
+| unreachableblocks/Unreachable.java:19:3:19:9 | case ... |
+| unreachableblocks/Unreachable.java:22:3:22:9 | case ... |
+| unreachableblocks/Unreachable.java:24:3:24:9 | case ... |
+| unreachableblocks/Unreachable.java:26:3:26:10 | case ... |
+| unreachableblocks/Unreachable.java:27:3:27:10 | default |
diff --git a/java/ql/test/library-tests/varargs/PrintAst.expected b/java/ql/test/library-tests/varargs/PrintAst.expected
index 285ef6fc051..793c97b413c 100644
--- a/java/ql/test/library-tests/varargs/PrintAst.expected
+++ b/java/ql/test/library-tests/varargs/PrintAst.expected
@@ -7,14 +7,14 @@ varargs/Test.java:
 #    4|         0: [Parameter] is
 #    4|           0: [ArrayTypeAccess] ...[]
 #    4|             0: [TypeAccess] int
-#    4|       5: [BlockStmt] stmt
+#    4|       5: [BlockStmt] { ... }
 #    5|     4: [Method] g
 #    5|       3: [TypeAccess] void
 #-----|       4: (Parameters)
 #    5|         0: [Parameter] os
 #    5|           0: [ArrayTypeAccess] ...[]
 #    5|             0: [TypeAccess] Object
-#    5|       5: [BlockStmt] stmt
+#    5|       5: [BlockStmt] { ... }
 #    6|     5: [Method] h
 #    6|       3: [TypeAccess] void
 #-----|       4: (Parameters)
@@ -23,21 +23,21 @@ varargs/Test.java:
 #    6|         1: [Parameter] ss
 #    6|           0: [ArrayTypeAccess] ...[]
 #    6|             0: [TypeAccess] String
-#    6|       5: [BlockStmt] stmt
+#    6|       5: [BlockStmt] { ... }
 #    8|     6: [Method] ff
 #    8|       3: [TypeAccess] void
 #-----|       4: (Parameters)
 #    8|         0: [Parameter] is
 #    8|           0: [ArrayTypeAccess] ...[]
 #    8|             0: [TypeAccess] int
-#    8|       5: [BlockStmt] stmt
+#    8|       5: [BlockStmt] { ... }
 #    9|     7: [Method] gg
 #    9|       3: [TypeAccess] void
 #-----|       4: (Parameters)
 #    9|         0: [Parameter] os
 #    9|           0: [ArrayTypeAccess] ...[]
 #    9|             0: [TypeAccess] Object
-#    9|       5: [BlockStmt] stmt
+#    9|       5: [BlockStmt] { ... }
 #   10|     8: [Method] hh
 #   10|       3: [TypeAccess] void
 #-----|       4: (Parameters)
@@ -46,9 +46,9 @@ varargs/Test.java:
 #   10|         1: [Parameter] ss
 #   10|           0: [ArrayTypeAccess] ...[]
 #   10|             0: [TypeAccess] String
-#   10|       5: [BlockStmt] stmt
-#   11|     9: [BlockStmt] stmt
-#   12|       0: [ExprStmt] stmt
+#   10|       5: [BlockStmt] { ... }
+#   11|     9: [BlockStmt] { ... }
+#   12|       0: [ExprStmt] ...;
 #   12|         0: [MethodAccess] asList(...)
 #   12|           -1: [TypeAccess] Arrays
 #   12|           0: [IntegerLiteral] 1
diff --git a/java/ql/test/query-tests/BusyWait/BusyWait.expected b/java/ql/test/query-tests/BusyWait/BusyWait.expected
index 981e383d61d..3a6139cba7a 100644
--- a/java/ql/test/query-tests/BusyWait/BusyWait.expected
+++ b/java/ql/test/query-tests/BusyWait/BusyWait.expected
@@ -1,2 +1,2 @@
-| BusyWaits.java:4:4:4:19 | stmt | Prefer wait/notify or java.util.concurrent to communicate between threads. |
-| BusyWaits.java:10:5:10:39 | stmt | Prefer wait/notify or java.util.concurrent to communicate between threads. |
+| BusyWaits.java:4:4:4:19 | ...; | Prefer wait/notify or java.util.concurrent to communicate between threads. |
+| BusyWaits.java:10:5:10:39 | ...; | Prefer wait/notify or java.util.concurrent to communicate between threads. |
diff --git a/java/ql/test/query-tests/ConstantLoopCondition/ConstantLoopCondition.expected b/java/ql/test/query-tests/ConstantLoopCondition/ConstantLoopCondition.expected
index 688cdd7f258..48fac80c81f 100644
--- a/java/ql/test/query-tests/ConstantLoopCondition/ConstantLoopCondition.expected
+++ b/java/ql/test/query-tests/ConstantLoopCondition/ConstantLoopCondition.expected
@@ -1,4 +1,4 @@
-| A.java:8:11:8:15 | !... | $@ might not terminate, as this loop condition is constant within the loop. | A.java:8:5:8:16 | stmt | Loop |
-| A.java:15:11:15:15 | ... > ... | $@ might not terminate, as this loop condition is constant within the loop. | A.java:14:5:14:19 | stmt | Loop |
-| A.java:29:20:29:32 | ... < ... | $@ might not terminate, as this loop condition is constant within the loop. | A.java:29:5:29:38 | stmt | Loop |
-| A.java:36:12:36:15 | cond | $@ might not terminate, as this loop condition is constant within the loop. | A.java:36:5:36:16 | stmt | Loop |
+| A.java:8:11:8:15 | !... | $@ might not terminate, as this loop condition is constant within the loop. | A.java:8:5:8:16 | while (...) | Loop |
+| A.java:15:11:15:15 | ... > ... | $@ might not terminate, as this loop condition is constant within the loop. | A.java:14:5:14:19 | for (...) | Loop |
+| A.java:29:20:29:32 | ... < ... | $@ might not terminate, as this loop condition is constant within the loop. | A.java:29:5:29:38 | for (...) | Loop |
+| A.java:36:12:36:15 | cond | $@ might not terminate, as this loop condition is constant within the loop. | A.java:36:5:36:16 | while (...) | Loop |
diff --git a/java/ql/test/query-tests/ContinueInFalseLoop/ContinueInFalseLoop.expected b/java/ql/test/query-tests/ContinueInFalseLoop/ContinueInFalseLoop.expected
index 2ce5be1ec66..969f23f3976 100644
--- a/java/ql/test/query-tests/ContinueInFalseLoop/ContinueInFalseLoop.expected
+++ b/java/ql/test/query-tests/ContinueInFalseLoop/ContinueInFalseLoop.expected
@@ -1,3 +1,3 @@
-| A.java:14:9:14:17 | stmt | This 'continue' never re-runs the loop - the $@ is always false. | A.java:17:14:17:18 | false | loop condition |
-| A.java:54:11:54:19 | stmt | This 'continue' never re-runs the loop - the $@ is always false. | A.java:57:16:57:20 | false | loop condition |
-| A.java:79:9:79:17 | stmt | This 'continue' never re-runs the loop - the $@ is always false. | A.java:82:14:82:18 | false | loop condition |
+| A.java:14:9:14:17 | continue | This 'continue' never re-runs the loop - the $@ is always false. | A.java:17:14:17:18 | false | loop condition |
+| A.java:54:11:54:19 | continue | This 'continue' never re-runs the loop - the $@ is always false. | A.java:57:16:57:20 | false | loop condition |
+| A.java:79:9:79:17 | continue | This 'continue' never re-runs the loop - the $@ is always false. | A.java:82:14:82:18 | false | loop condition |
diff --git a/java/ql/test/query-tests/Declarations/BreakInSwitchCase.expected b/java/ql/test/query-tests/Declarations/BreakInSwitchCase.expected
index 2800ea8afbb..a1f3e131c55 100644
--- a/java/ql/test/query-tests/Declarations/BreakInSwitchCase.expected
+++ b/java/ql/test/query-tests/Declarations/BreakInSwitchCase.expected
@@ -1,2 +1,2 @@
-| Test.java:14:4:14:10 | stmt | Switch case may fall through to the next case. Use a break or return to terminate this case. |
-| Test.java:20:4:20:10 | stmt | Switch case may fall through to the next case. Use a break or return to terminate this case. |
+| Test.java:14:4:14:10 | case ... | Switch case may fall through to the next case. Use a break or return to terminate this case. |
+| Test.java:20:4:20:10 | case ... | Switch case may fall through to the next case. Use a break or return to terminate this case. |
diff --git a/java/ql/test/query-tests/DoubleCheckedLocking/DoubleCheckedLocking.expected b/java/ql/test/query-tests/DoubleCheckedLocking/DoubleCheckedLocking.expected
index 4882d80f3d4..a0be819c198 100644
--- a/java/ql/test/query-tests/DoubleCheckedLocking/DoubleCheckedLocking.expected
+++ b/java/ql/test/query-tests/DoubleCheckedLocking/DoubleCheckedLocking.expected
@@ -1,3 +1,3 @@
-| A.java:12:7:16:7 | stmt | Double-checked locking on the non-volatile field $@ is not thread-safe. | A.java:9:18:9:19 | s1 | s1 |
-| A.java:40:7:45:7 | stmt | Double-checked locking on the non-volatile field $@ is not thread-safe. | A.java:36:13:36:14 | b1 | b1 |
-| A.java:101:7:106:7 | stmt | Double-checked locking on the non-volatile field $@ is not thread-safe. | A.java:98:26:98:27 | b5 | b5 |
+| A.java:12:7:16:7 | synchronized (...) | Double-checked locking on the non-volatile field $@ is not thread-safe. | A.java:9:18:9:19 | s1 | s1 |
+| A.java:40:7:45:7 | synchronized (...) | Double-checked locking on the non-volatile field $@ is not thread-safe. | A.java:36:13:36:14 | b1 | b1 |
+| A.java:101:7:106:7 | synchronized (...) | Double-checked locking on the non-volatile field $@ is not thread-safe. | A.java:98:26:98:27 | b5 | b5 |
diff --git a/java/ql/test/query-tests/Finally/FinallyMayNotComplete.expected b/java/ql/test/query-tests/Finally/FinallyMayNotComplete.expected
index 07956a735b2..dff7495a2db 100644
--- a/java/ql/test/query-tests/Finally/FinallyMayNotComplete.expected
+++ b/java/ql/test/query-tests/Finally/FinallyMayNotComplete.expected
@@ -1,7 +1,7 @@
-| Finally.java:6:4:6:10 | stmt | Leaving a finally-block with this statement can cause exceptions to silently disappear. |
-| Finally.java:17:5:17:13 | stmt | Leaving a finally-block with this statement can cause exceptions to silently disappear. |
-| Finally.java:30:5:30:40 | stmt | Leaving a finally-block with this statement can cause exceptions to silently disappear. |
-| Finally.java:63:6:63:11 | stmt | Leaving a finally-block with this statement can cause exceptions to silently disappear. |
-| Finally.java:77:7:77:12 | stmt | Leaving a finally-block with this statement can cause exceptions to silently disappear. |
-| Finally.java:111:6:111:14 | stmt | Leaving a finally-block with this statement can cause exceptions to silently disappear. |
-| Finally.java:125:7:125:15 | stmt | Leaving a finally-block with this statement can cause exceptions to silently disappear. |
+| Finally.java:6:4:6:10 | return ... | Leaving a finally-block with this statement can cause exceptions to silently disappear. |
+| Finally.java:17:5:17:13 | return ... | Leaving a finally-block with this statement can cause exceptions to silently disappear. |
+| Finally.java:30:5:30:40 | throw ... | Leaving a finally-block with this statement can cause exceptions to silently disappear. |
+| Finally.java:63:6:63:11 | break | Leaving a finally-block with this statement can cause exceptions to silently disappear. |
+| Finally.java:77:7:77:12 | break | Leaving a finally-block with this statement can cause exceptions to silently disappear. |
+| Finally.java:111:6:111:14 | continue | Leaving a finally-block with this statement can cause exceptions to silently disappear. |
+| Finally.java:125:7:125:15 | continue | Leaving a finally-block with this statement can cause exceptions to silently disappear. |
diff --git a/java/ql/test/query-tests/MissedTernaryOpportunity/MissedTernaryOpportunity.expected b/java/ql/test/query-tests/MissedTernaryOpportunity/MissedTernaryOpportunity.expected
index afdc5bbf405..5490aecb085 100644
--- a/java/ql/test/query-tests/MissedTernaryOpportunity/MissedTernaryOpportunity.expected
+++ b/java/ql/test/query-tests/MissedTernaryOpportunity/MissedTernaryOpportunity.expected
@@ -1,6 +1,6 @@
-| MissedTernaryOpportunityTest.java:6:3:6:13 | stmt | Both branches of this 'if' statement return - consider using '?' to express intent better. |
-| MissedTernaryOpportunityTest.java:32:3:32:13 | stmt | Both branches of this 'if' statement write to the same variable - consider using '?' to express intent better. |
-| MissedTernaryOpportunityTest.java:74:9:74:19 | stmt | Both branches of this 'if' statement return - consider using '?' to express intent better. |
-| MissedTernaryOpportunityTest.java:133:9:133:18 | stmt | Both branches of this 'if' statement write to the same variable - consider using '?' to express intent better. |
-| MissedTernaryOpportunityTest.java:145:13:145:23 | stmt | Both branches of this 'if' statement return - consider using '?' to express intent better. |
-| MissedTernaryOpportunityTest.java:155:13:155:23 | stmt | Both branches of this 'if' statement return - consider using '?' to express intent better. |
+| MissedTernaryOpportunityTest.java:6:3:6:13 | if (...) | Both branches of this 'if' statement return - consider using '?' to express intent better. |
+| MissedTernaryOpportunityTest.java:32:3:32:13 | if (...) | Both branches of this 'if' statement write to the same variable - consider using '?' to express intent better. |
+| MissedTernaryOpportunityTest.java:74:9:74:19 | if (...) | Both branches of this 'if' statement return - consider using '?' to express intent better. |
+| MissedTernaryOpportunityTest.java:133:9:133:18 | if (...) | Both branches of this 'if' statement write to the same variable - consider using '?' to express intent better. |
+| MissedTernaryOpportunityTest.java:145:13:145:23 | if (...) | Both branches of this 'if' statement return - consider using '?' to express intent better. |
+| MissedTernaryOpportunityTest.java:155:13:155:23 | if (...) | Both branches of this 'if' statement return - consider using '?' to express intent better. |
diff --git a/java/ql/test/query-tests/PartiallyMaskedCatch/PartiallyMaskedCatch.expected b/java/ql/test/query-tests/PartiallyMaskedCatch/PartiallyMaskedCatch.expected
index 91bef93e6d9..fb533a6802b 100644
--- a/java/ql/test/query-tests/PartiallyMaskedCatch/PartiallyMaskedCatch.expected
+++ b/java/ql/test/query-tests/PartiallyMaskedCatch/PartiallyMaskedCatch.expected
@@ -1,6 +1,6 @@
-| PartiallyMaskedCatchTest.java:16:5:16:25 | stmt | This catch-clause is unreachable; it is masked $@. | PartiallyMaskedCatchTest.java:12:5:12:24 | stmt | here for exceptions of type 'ExceptionB' |
-| PartiallyMaskedCatchTest.java:16:5:16:25 | stmt | This catch-clause is unreachable; it is masked $@. | PartiallyMaskedCatchTest.java:14:5:14:24 | stmt | here for exceptions of type 'ExceptionA' |
-| PartiallyMaskedCatchTest.java:26:5:26:25 | stmt | This catch-clause is unreachable; it is masked $@. | PartiallyMaskedCatchTest.java:22:5:22:47 | stmt | here for exceptions of type 'ExceptionB' |
-| PartiallyMaskedCatchTest.java:26:5:26:25 | stmt | This catch-clause is unreachable; it is masked $@. | PartiallyMaskedCatchTest.java:24:5:24:43 | stmt | here for exceptions of type 'ExceptionA' |
-| PartiallyMaskedCatchTest.java:36:5:36:44 | stmt | This catch-clause is unreachable for type IOException; it is masked $@. | PartiallyMaskedCatchTest.java:32:5:32:47 | stmt | here for exceptions of type 'ExceptionB' |
-| PartiallyMaskedCatchTest.java:36:5:36:44 | stmt | This catch-clause is unreachable for type IOException; it is masked $@. | PartiallyMaskedCatchTest.java:34:5:34:51 | stmt | here for exceptions of type 'ExceptionA' |
+| PartiallyMaskedCatchTest.java:16:5:16:25 | catch (...) | This catch-clause is unreachable; it is masked $@. | PartiallyMaskedCatchTest.java:12:5:12:24 | catch (...) | here for exceptions of type 'ExceptionB' |
+| PartiallyMaskedCatchTest.java:16:5:16:25 | catch (...) | This catch-clause is unreachable; it is masked $@. | PartiallyMaskedCatchTest.java:14:5:14:24 | catch (...) | here for exceptions of type 'ExceptionA' |
+| PartiallyMaskedCatchTest.java:26:5:26:25 | catch (...) | This catch-clause is unreachable; it is masked $@. | PartiallyMaskedCatchTest.java:22:5:22:47 | catch (...) | here for exceptions of type 'ExceptionB' |
+| PartiallyMaskedCatchTest.java:26:5:26:25 | catch (...) | This catch-clause is unreachable; it is masked $@. | PartiallyMaskedCatchTest.java:24:5:24:43 | catch (...) | here for exceptions of type 'ExceptionA' |
+| PartiallyMaskedCatchTest.java:36:5:36:44 | catch (...) | This catch-clause is unreachable for type IOException; it is masked $@. | PartiallyMaskedCatchTest.java:32:5:32:47 | catch (...) | here for exceptions of type 'ExceptionB' |
+| PartiallyMaskedCatchTest.java:36:5:36:44 | catch (...) | This catch-clause is unreachable for type IOException; it is masked $@. | PartiallyMaskedCatchTest.java:34:5:34:51 | catch (...) | here for exceptions of type 'ExceptionA' |
diff --git a/java/ql/test/query-tests/UseBraces/UseBraces.expected b/java/ql/test/query-tests/UseBraces/UseBraces.expected
index e81eb013fbe..1ef1a0380df 100644
--- a/java/ql/test/query-tests/UseBraces/UseBraces.expected
+++ b/java/ql/test/query-tests/UseBraces/UseBraces.expected
@@ -1,14 +1,14 @@
-| UseBraces.java:28:4:28:7 | stmt | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:29:4:29:7 | stmt | the next statement | UseBraces.java:27:3:27:10 | stmt | the control structure |
-| UseBraces.java:32:4:32:7 | stmt | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:32:9:32:12 | stmt | the next statement | UseBraces.java:31:3:31:10 | stmt | the control structure |
-| UseBraces.java:58:4:58:7 | stmt | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:59:4:59:7 | stmt | the next statement | UseBraces.java:53:3:53:10 | stmt | the control structure |
-| UseBraces.java:66:4:66:7 | stmt | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:66:10:66:13 | stmt | the next statement | UseBraces.java:61:3:61:10 | stmt | the control structure |
-| UseBraces.java:82:4:82:7 | stmt | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:83:4:83:7 | stmt | the next statement | UseBraces.java:81:3:81:14 | stmt | the control structure |
-| UseBraces.java:87:4:87:7 | stmt | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:87:9:87:12 | stmt | the next statement | UseBraces.java:86:3:86:14 | stmt | the control structure |
-| UseBraces.java:112:4:112:7 | stmt | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:113:4:113:7 | stmt | the next statement | UseBraces.java:111:3:111:25 | stmt | the control structure |
-| UseBraces.java:116:4:116:7 | stmt | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:116:9:116:12 | stmt | the next statement | UseBraces.java:115:3:115:25 | stmt | the control structure |
-| UseBraces.java:132:4:132:7 | stmt | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:133:4:133:7 | stmt | the next statement | UseBraces.java:131:3:131:24 | stmt | the control structure |
-| UseBraces.java:136:4:136:7 | stmt | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:136:9:136:12 | stmt | the next statement | UseBraces.java:135:3:135:24 | stmt | the control structure |
-| UseBraces.java:145:4:145:12 | stmt | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:147:4:147:7 | stmt | the next statement | UseBraces.java:144:3:144:12 | stmt | the control structure |
-| UseBraces.java:166:4:166:7 | stmt | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:167:4:167:7 | stmt | the next statement | UseBraces.java:165:8:165:17 | stmt | the control structure |
-| UseBraces.java:176:4:176:15 | stmt | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:178:4:178:7 | stmt | the next statement | UseBraces.java:175:3:175:11 | stmt | the control structure |
-| UseBraces.java:186:4:186:12 | stmt | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:188:4:188:7 | stmt | the next statement | UseBraces.java:185:3:185:14 | stmt | the control structure |
+| UseBraces.java:28:4:28:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:29:4:29:7 | ...; | the next statement | UseBraces.java:27:3:27:10 | if (...) | the control structure |
+| UseBraces.java:32:4:32:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:32:9:32:12 | ...; | the next statement | UseBraces.java:31:3:31:10 | if (...) | the control structure |
+| UseBraces.java:58:4:58:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:59:4:59:7 | ...; | the next statement | UseBraces.java:53:3:53:10 | if (...) | the control structure |
+| UseBraces.java:66:4:66:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:66:10:66:13 | ...; | the next statement | UseBraces.java:61:3:61:10 | if (...) | the control structure |
+| UseBraces.java:82:4:82:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:83:4:83:7 | ...; | the next statement | UseBraces.java:81:3:81:14 | while (...) | the control structure |
+| UseBraces.java:87:4:87:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:87:9:87:12 | ...; | the next statement | UseBraces.java:86:3:86:14 | while (...) | the control structure |
+| UseBraces.java:112:4:112:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:113:4:113:7 | ...; | the next statement | UseBraces.java:111:3:111:25 | for (...) | the control structure |
+| UseBraces.java:116:4:116:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:116:9:116:12 | ...; | the next statement | UseBraces.java:115:3:115:25 | for (...) | the control structure |
+| UseBraces.java:132:4:132:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:133:4:133:7 | ...; | the next statement | UseBraces.java:131:3:131:24 | for (... : ...) | the control structure |
+| UseBraces.java:136:4:136:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:136:9:136:12 | ...; | the next statement | UseBraces.java:135:3:135:24 | for (... : ...) | the control structure |
+| UseBraces.java:145:4:145:12 | if (...) | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:147:4:147:7 | ...; | the next statement | UseBraces.java:144:3:144:12 | if (...) | the control structure |
+| UseBraces.java:166:4:166:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:167:4:167:7 | ...; | the next statement | UseBraces.java:165:8:165:17 | if (...) | the control structure |
+| UseBraces.java:176:4:176:15 | while (...) | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:178:4:178:7 | ...; | the next statement | UseBraces.java:175:3:175:11 | if (...) | the control structure |
+| UseBraces.java:186:4:186:12 | if (...) | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:188:4:188:7 | ...; | the next statement | UseBraces.java:185:3:185:14 | while (...) | the control structure |
diff --git a/java/ql/test/query-tests/lgtm-example-queries/returnstatement.expected b/java/ql/test/query-tests/lgtm-example-queries/returnstatement.expected
index df91fd42f0a..c776293c8b8 100644
--- a/java/ql/test/query-tests/lgtm-example-queries/returnstatement.expected
+++ b/java/ql/test/query-tests/lgtm-example-queries/returnstatement.expected
@@ -1 +1 @@
-| Test.java:15:3:15:14 | stmt |
+| Test.java:15:3:15:14 | return ... |
diff --git a/java/ql/test/query-tests/security/CWE-835/semmle/tests/InfiniteLoop.expected b/java/ql/test/query-tests/security/CWE-835/semmle/tests/InfiniteLoop.expected
index 9231ab29aa6..cb902de9249 100644
--- a/java/ql/test/query-tests/security/CWE-835/semmle/tests/InfiniteLoop.expected
+++ b/java/ql/test/query-tests/security/CWE-835/semmle/tests/InfiniteLoop.expected
@@ -1 +1 @@
-| InfiniteLoop.java:4:13:4:36 | stmt | Loop might not terminate, as termination depends in part on $@ being false but it is always true. | InfiniteLoop.java:4:27:4:30 | ... < ... | this test |
+| InfiniteLoop.java:4:13:4:36 | for (...) | Loop might not terminate, as termination depends in part on $@ being false but it is always true. | InfiniteLoop.java:4:27:4:30 | ... < ... | this test |

From e0a45507f835fa44b61b743c60d88df769d00488 Mon Sep 17 00:00:00 2001
From: Marcono1234 <Marcono1234@users.noreply.github.com>
Date: Mon, 31 May 2021 01:24:24 +0200
Subject: [PATCH 1314/1429] Java: Adjust toString() for statements

---
 java/ql/src/semmle/code/java/Statement.qll    |   16 +-
 .../library-tests/arrays/PrintAst.expected    |    6 +-
 .../library-tests/constants/PrintAst.expected |  162 +--
 .../controlflow/basic/bbStmts.expected        |  116 +-
 .../basic/bbStrictDominance.expected          |  160 +--
 .../controlflow/basic/bbSuccessor.expected    |   30 +-
 .../basic/strictDominance.expected            | 1066 ++++++++---------
 .../basic/strictPostDominance.expected        |  416 +++----
 .../controlflow/dominance/dominator.expected  |  128 +-
 .../test/library-tests/guards/guards.expected |   18 +-
 .../library-tests/guards/guardslogic.expected |   14 +-
 .../library-tests/guards12/PrintAst.expected  |    2 +-
 .../MultiCatch/MultiCatchControlFlow.expected |    4 +-
 .../LocalVarDeclStmtChildren.expected         |   22 +-
 .../localvars/TypeAccesses.expected           |   12 +-
 .../library-tests/printAst/PrintAst.expected  |   14 +-
 .../reflection/PrintAst.expected              |    2 +-
 .../ql/test/library-tests/ssa/ssaDef.expected |   10 +-
 .../ql/test/library-tests/ssa/ssaPhi.expected |   20 +-
 .../ql/test/library-tests/ssa/ssaUse.expected |   10 +-
 .../library-tests/stmts/JumpTargets.expected  |   10 +-
 .../CloseReaderTest/TestSucc.expected         |   12 +-
 .../LoopVarReadTest/FalseSuccessors.expected  |    2 +-
 .../LoopVarReadTest/TestSucc.expected         |   20 +-
 .../SaveFileTest/FalseSuccessors.expected     |    4 +-
 .../successors/SaveFileTest/TestSucc.expected |   50 +-
 .../SchackTest/FalseSuccessors.expected       |    2 +-
 .../successors/SchackTest/TestSucc.expected   |   22 +-
 .../TestBreak/FalseSuccessors.expected        |    4 +-
 .../successors/TestBreak/TestSucc.expected    |   86 +-
 .../TestContinue/FalseSuccessors.expected     |   10 +-
 .../successors/TestContinue/TestSucc.expected |   38 +-
 .../TestDeclarations/TestSucc.expected        |   36 +-
 .../TestFinally/FalseSuccessors.expected      |   18 +-
 .../successors/TestFinally/TestSucc.expected  |  152 +--
 .../TestSucc.expected                         |   42 +-
 .../TestLoopBranch/FalseSuccessors.expected   |    2 +-
 .../TestLoopBranch/TestSucc.expected          |  176 +--
 .../TestThrow/FalseSuccessors.expected        |    2 +-
 .../successors/TestThrow/TestSucc.expected    |   82 +-
 .../successors/TestThrow2/TestSucc.expected   |    8 +-
 .../TestTryCatch/FalseSuccessors.expected     |    2 +-
 .../successors/TestTryCatch/TestSucc.expected |   84 +-
 .../TestTryWithResources/TestSucc.expected    |   20 +-
 .../typeaccesses/PrintAst.expected            |    4 +-
 .../query-tests/BusyWait/BusyWait.expected    |    4 +-
 .../ConstantLoopCondition.expected            |    4 +-
 .../query-tests/UseBraces/UseBraces.expected  |   28 +-
 .../semmle/tests/InfiniteLoop.expected        |    2 +-
 49 files changed, 1577 insertions(+), 1577 deletions(-)

diff --git a/java/ql/src/semmle/code/java/Statement.qll b/java/ql/src/semmle/code/java/Statement.qll
index 12e894cf073..ddae251a443 100755
--- a/java/ql/src/semmle/code/java/Statement.qll
+++ b/java/ql/src/semmle/code/java/Statement.qll
@@ -203,7 +203,7 @@ class ForStmt extends ConditionalStmt, @forstmt {
 
   override string pp() { result = "for (...;...;...) " + this.getStmt().pp() }
 
-  override string toString() { result = "for (...)" }
+  override string toString() { result = "for (...;...;...)" }
 
   override string getHalsteadID() { result = "ForStmt" }
 
@@ -706,9 +706,9 @@ class ExprStmt extends Stmt, @exprstmt {
   /** Gets the expression of this expression statement. */
   Expr getExpr() { result.getParent() = this }
 
-  override string pp() { result = "...;" }
+  override string pp() { result = "<Expr>;" }
 
-  override string toString() { result = "...;" }
+  override string toString() { result = "<Expr>;" }
 
   override string getHalsteadID() { result = "ExprStmt" }
 
@@ -739,7 +739,7 @@ class LabeledStmt extends Stmt, @labeledstmt {
 
   override string getHalsteadID() { result = this.getLabel() + ":" }
 
-  override string toString() { result = "labeled statement" }
+  override string toString() { result = "<Label>: ..." }
 
   override string getAPrimaryQlClass() { result = "LabeledStmt" }
 }
@@ -777,9 +777,9 @@ class LocalVariableDeclStmt extends Stmt, @localvariabledeclstmt {
   /** Gets an index of a variable declared in this local variable declaration statement. */
   int getAVariableIndex() { exists(getVariable(result)) }
 
-  override string pp() { result = "local variable declaration" }
+  override string pp() { result = "var ...;" }
 
-  override string toString() { result = "local variable declaration" }
+  override string toString() { result = "var ...;" }
 
   override string getHalsteadID() { result = "LocalVariableDeclStmt" }
 
@@ -791,9 +791,9 @@ class LocalClassDeclStmt extends Stmt, @localclassdeclstmt {
   /** Gets the local class declared by this statement. */
   LocalClass getLocalClass() { isLocalClass(result, this) }
 
-  override string pp() { result = "local class declaration: " + this.getLocalClass().toString() }
+  override string pp() { result = "class " + this.getLocalClass().toString() }
 
-  override string toString() { result = "local class declaration" }
+  override string toString() { result = "class ..." }
 
   override string getHalsteadID() { result = "LocalClassDeclStmt" }
 
diff --git a/java/ql/test/library-tests/arrays/PrintAst.expected b/java/ql/test/library-tests/arrays/PrintAst.expected
index 25edb648e1b..c62a28e8e2c 100644
--- a/java/ql/test/library-tests/arrays/PrintAst.expected
+++ b/java/ql/test/library-tests/arrays/PrintAst.expected
@@ -17,7 +17,7 @@ arrays/B.java:
 #    4|         0: [Parameter] a
 #    4|           0: [TypeAccess] A
 #    4|       5: [BlockStmt] { ... }
-#    5|         0: [LocalVariableDeclStmt] local variable declaration
+#    5|         0: [LocalVariableDeclStmt] var ...;
 #    5|           0: [ArrayTypeAccess] ...[]
 #    5|             0: [TypeAccess] A
 #    5|           1: [LocalVariableDeclExpr] aa
@@ -25,7 +25,7 @@ arrays/B.java:
 #    5|               -2: [ArrayInit] {...}
 #    5|                 0: [VarAccess] a
 #    5|               -1: [TypeAccess] A
-#    6|         1: [LocalVariableDeclStmt] local variable declaration
+#    6|         1: [LocalVariableDeclStmt] var ...;
 #    6|           0: [ArrayTypeAccess] ...[]
 #    6|             0: [ArrayTypeAccess] ...[]
 #    6|               0: [TypeAccess] A
@@ -36,7 +36,7 @@ arrays/B.java:
 #    6|                   0: [VarAccess] a
 #    6|               -1: [ArrayTypeAccess] ...[]
 #    6|                 0: [TypeAccess] A
-#    7|         2: [LocalVariableDeclStmt] local variable declaration
+#    7|         2: [LocalVariableDeclStmt] var ...;
 #    7|           0: [ArrayTypeAccess] ...[]
 #    7|             0: [ArrayTypeAccess] ...[]
 #    7|               0: [ArrayTypeAccess] ...[]
diff --git a/java/ql/test/library-tests/constants/PrintAst.expected b/java/ql/test/library-tests/constants/PrintAst.expected
index 51f079eac2a..225985f90c8 100644
--- a/java/ql/test/library-tests/constants/PrintAst.expected
+++ b/java/ql/test/library-tests/constants/PrintAst.expected
@@ -7,57 +7,57 @@ constants/Constants.java:
 #    4|         0: [Parameter] notConstant
 #    4|           0: [TypeAccess] int
 #    4|       5: [BlockStmt] { ... }
-#    5|         0: [LocalVariableDeclStmt] local variable declaration
+#    5|         0: [LocalVariableDeclStmt] var ...;
 #    5|           0: [TypeAccess] int
 #    5|           1: [LocalVariableDeclExpr] sfield
 #    5|             0: [VarAccess] Initializers.SFIELD
 #    5|               -1: [TypeAccess] Initializers
-#    6|         1: [LocalVariableDeclStmt] local variable declaration
+#    6|         1: [LocalVariableDeclStmt] var ...;
 #    6|           0: [TypeAccess] int
 #    6|           1: [LocalVariableDeclExpr] ifield
 #    6|             0: [VarAccess] new Initializers(...).IFIELD
 #    6|               -1: [ClassInstanceExpr] new Initializers(...)
 #    6|                 -3: [TypeAccess] Initializers
-#    9|         2: [LocalVariableDeclStmt] local variable declaration
+#    9|         2: [LocalVariableDeclStmt] var ...;
 #    9|           0: [TypeAccess] Object
 #    9|           1: [LocalVariableDeclExpr] staticObjectField
 #    9|             0: [VarAccess] Initializers.SFIELD_OBJECT
 #    9|               -1: [TypeAccess] Initializers
-#   11|         3: [LocalVariableDeclStmt] local variable declaration
+#   11|         3: [LocalVariableDeclStmt] var ...;
 #   11|           0: [TypeAccess] int
 #   11|           1: [LocalVariableDeclExpr] x
 #   11|             0: [IntegerLiteral] 3
-#   12|         4: [LocalVariableDeclStmt] local variable declaration
+#   12|         4: [LocalVariableDeclStmt] var ...;
 #   12|           0: [TypeAccess] int
 #   12|           1: [LocalVariableDeclExpr] y
 #   12|             0: [VarAccess] x
-#   13|         5: [LocalVariableDeclStmt] local variable declaration
+#   13|         5: [LocalVariableDeclStmt] var ...;
 #   13|           0: [TypeAccess] int
 #   13|           1: [LocalVariableDeclExpr] z
 #   13|             0: [VarAccess] y
-#   15|         6: [LocalVariableDeclStmt] local variable declaration
+#   15|         6: [LocalVariableDeclStmt] var ...;
 #   15|           0: [TypeAccess] int
 #   15|           1: [LocalVariableDeclExpr] binop
 #   15|             0: [AddExpr] ... + ...
 #   15|               0: [VarAccess] Initializers.SFIELD
 #   15|                 -1: [TypeAccess] Initializers
 #   15|               1: [IntegerLiteral] 1
-#   16|         7: [LocalVariableDeclStmt] local variable declaration
+#   16|         7: [LocalVariableDeclStmt] var ...;
 #   16|           0: [TypeAccess] int
 #   16|           1: [LocalVariableDeclExpr] binopNonConst
 #   16|             0: [AddExpr] ... + ...
 #   16|               0: [VarAccess] Initializers.SFIELD
 #   16|                 -1: [TypeAccess] Initializers
 #   16|               1: [VarAccess] notConstant
-#   18|         8: [LocalVariableDeclStmt] local variable declaration
+#   18|         8: [LocalVariableDeclStmt] var ...;
 #   18|           0: [TypeAccess] int
 #   18|           1: [LocalVariableDeclExpr] paren
 #   18|             0: [IntegerLiteral] 12
-#   19|         9: [LocalVariableDeclStmt] local variable declaration
+#   19|         9: [LocalVariableDeclStmt] var ...;
 #   19|           0: [TypeAccess] String
 #   19|           1: [LocalVariableDeclExpr] string
 #   19|             0: [StringLiteral] "a string"
-#   20|         10: [LocalVariableDeclStmt] local variable declaration
+#   20|         10: [LocalVariableDeclStmt] var ...;
 #   20|           0: [TypeAccess] int
 #   20|           1: [LocalVariableDeclExpr] ternary
 #   20|             0: [ConditionalExpr] ...?...:...
@@ -87,11 +87,11 @@ constants/Initializers.java:
 #   15|     7: [Method] stuff
 #   15|       3: [TypeAccess] void
 #   15|       5: [BlockStmt] { ... }
-#   16|         0: [LocalVariableDeclStmt] local variable declaration
+#   16|         0: [LocalVariableDeclStmt] var ...;
 #   16|           0: [TypeAccess] int
 #   16|           1: [LocalVariableDeclExpr] x
 #   16|             0: [IntegerLiteral] 300
-#   17|         1: [LocalVariableDeclStmt] local variable declaration
+#   17|         1: [LocalVariableDeclStmt] var ...;
 #   17|           0: [TypeAccess] int
 #   17|           1: [LocalVariableDeclExpr] y
 #   18|         2: [ExprStmt] ...;
@@ -144,371 +144,371 @@ constants/Values.java:
 #    8|         0: [Parameter] notConstant
 #    8|           0: [TypeAccess] int
 #    8|       5: [BlockStmt] { ... }
-#    9|         0: [LocalVariableDeclStmt] local variable declaration
+#    9|         0: [LocalVariableDeclStmt] var ...;
 #    9|           0: [TypeAccess] int
 #    9|           1: [LocalVariableDeclExpr] int_literal
 #    9|             0: [IntegerLiteral] 42
-#   10|         1: [LocalVariableDeclStmt] local variable declaration
+#   10|         1: [LocalVariableDeclStmt] var ...;
 #   10|           0: [TypeAccess] int
 #   10|           1: [LocalVariableDeclExpr] negative_int_literal
 #   10|             0: [IntegerLiteral] -2147483648
-#   11|         2: [LocalVariableDeclStmt] local variable declaration
+#   11|         2: [LocalVariableDeclStmt] var ...;
 #   11|           0: [TypeAccess] int
 #   11|           1: [LocalVariableDeclExpr] octal_literal
 #   11|             0: [IntegerLiteral] 052
-#   12|         3: [LocalVariableDeclStmt] local variable declaration
+#   12|         3: [LocalVariableDeclStmt] var ...;
 #   12|           0: [TypeAccess] int
 #   12|           1: [LocalVariableDeclExpr] negative_octal_literal
 #   12|             0: [MinusExpr] -...
 #   12|               0: [IntegerLiteral] 052
-#   13|         4: [LocalVariableDeclStmt] local variable declaration
+#   13|         4: [LocalVariableDeclStmt] var ...;
 #   13|           0: [TypeAccess] int
 #   13|           1: [LocalVariableDeclExpr] hex_literal
 #   13|             0: [IntegerLiteral] 0x2A
-#   14|         5: [LocalVariableDeclStmt] local variable declaration
+#   14|         5: [LocalVariableDeclStmt] var ...;
 #   14|           0: [TypeAccess] int
 #   14|           1: [LocalVariableDeclExpr] negative_hex_literal
 #   14|             0: [MinusExpr] -...
 #   14|               0: [IntegerLiteral] 0x2A
-#   15|         6: [LocalVariableDeclStmt] local variable declaration
+#   15|         6: [LocalVariableDeclStmt] var ...;
 #   15|           0: [TypeAccess] int
 #   15|           1: [LocalVariableDeclExpr] hex_literal_underscores
 #   15|             0: [IntegerLiteral] 0x2_A
-#   16|         7: [LocalVariableDeclStmt] local variable declaration
+#   16|         7: [LocalVariableDeclStmt] var ...;
 #   16|           0: [TypeAccess] int
 #   16|           1: [LocalVariableDeclExpr] binary_literal
 #   16|             0: [IntegerLiteral] 0b101010
-#   17|         8: [LocalVariableDeclStmt] local variable declaration
+#   17|         8: [LocalVariableDeclStmt] var ...;
 #   17|           0: [TypeAccess] int
 #   17|           1: [LocalVariableDeclExpr] negative_binary_literal
 #   17|             0: [MinusExpr] -...
 #   17|               0: [IntegerLiteral] 0b101010
-#   18|         9: [LocalVariableDeclStmt] local variable declaration
+#   18|         9: [LocalVariableDeclStmt] var ...;
 #   18|           0: [TypeAccess] int
 #   18|           1: [LocalVariableDeclExpr] binary_literal_underscores
 #   18|             0: [IntegerLiteral] 0b1_0101_0
-#   19|         10: [LocalVariableDeclStmt] local variable declaration
+#   19|         10: [LocalVariableDeclStmt] var ...;
 #   19|           0: [TypeAccess] char
 #   19|           1: [LocalVariableDeclExpr] char_literal
 #   19|             0: [CharacterLiteral] '*'
-#   20|         11: [LocalVariableDeclStmt] local variable declaration
+#   20|         11: [LocalVariableDeclStmt] var ...;
 #   20|           0: [TypeAccess] long
 #   20|           1: [LocalVariableDeclExpr] long_literal
 #   20|             0: [LongLiteral] 42L
-#   21|         12: [LocalVariableDeclStmt] local variable declaration
+#   21|         12: [LocalVariableDeclStmt] var ...;
 #   21|           0: [TypeAccess] boolean
 #   21|           1: [LocalVariableDeclExpr] boolean_literal
 #   21|             0: [BooleanLiteral] true
-#   22|         13: [LocalVariableDeclStmt] local variable declaration
+#   22|         13: [LocalVariableDeclStmt] var ...;
 #   22|           0: [TypeAccess] Integer
 #   22|           1: [LocalVariableDeclExpr] boxed_int
 #   22|             0: [ClassInstanceExpr] new Integer(...)
 #   22|               -3: [TypeAccess] Integer
 #   22|               0: [IntegerLiteral] 42
-#   23|         14: [LocalVariableDeclStmt] local variable declaration
+#   23|         14: [LocalVariableDeclStmt] var ...;
 #   23|           0: [TypeAccess] int
 #   23|           1: [LocalVariableDeclExpr] parameter
 #   23|             0: [VarAccess] notConstant
-#   25|         15: [LocalVariableDeclStmt] local variable declaration
+#   25|         15: [LocalVariableDeclStmt] var ...;
 #   25|           0: [TypeAccess] int
 #   25|           1: [LocalVariableDeclExpr] cast
 #   25|             0: [CastExpr] (...)...
 #   25|               0: [TypeAccess] int
 #   25|               1: [IntegerLiteral] 42
-#   26|         16: [LocalVariableDeclStmt] local variable declaration
+#   26|         16: [LocalVariableDeclStmt] var ...;
 #   26|           0: [TypeAccess] char
 #   26|           1: [LocalVariableDeclExpr] downcast
 #   26|             0: [CastExpr] (...)...
 #   26|               0: [TypeAccess] char
 #   26|               1: [IntegerLiteral] 42
-#   27|         17: [LocalVariableDeclStmt] local variable declaration
+#   27|         17: [LocalVariableDeclStmt] var ...;
 #   27|           0: [TypeAccess] byte
 #   27|           1: [LocalVariableDeclExpr] downcast_byte_1
 #   27|             0: [CastExpr] (...)...
 #   27|               0: [TypeAccess] byte
 #   27|               1: [MinusExpr] -...
 #   27|                 0: [IntegerLiteral] 42
-#   28|         18: [LocalVariableDeclStmt] local variable declaration
+#   28|         18: [LocalVariableDeclStmt] var ...;
 #   28|           0: [TypeAccess] byte
 #   28|           1: [LocalVariableDeclExpr] downcast_byte_2
 #   28|             0: [CastExpr] (...)...
 #   28|               0: [TypeAccess] byte
 #   28|               1: [IntegerLiteral] 42
-#   29|         19: [LocalVariableDeclStmt] local variable declaration
+#   29|         19: [LocalVariableDeclStmt] var ...;
 #   29|           0: [TypeAccess] byte
 #   29|           1: [LocalVariableDeclExpr] downcast_byte_3
 #   29|             0: [CastExpr] (...)...
 #   29|               0: [TypeAccess] byte
 #   29|               1: [IntegerLiteral] 298
-#   30|         20: [LocalVariableDeclStmt] local variable declaration
+#   30|         20: [LocalVariableDeclStmt] var ...;
 #   30|           0: [TypeAccess] byte
 #   30|           1: [LocalVariableDeclExpr] downcast_byte_4
 #   30|             0: [CastExpr] (...)...
 #   30|               0: [TypeAccess] byte
 #   30|               1: [IntegerLiteral] 214
-#   31|         21: [LocalVariableDeclStmt] local variable declaration
+#   31|         21: [LocalVariableDeclStmt] var ...;
 #   31|           0: [TypeAccess] byte
 #   31|           1: [LocalVariableDeclExpr] downcast_byte_5
 #   31|             0: [CastExpr] (...)...
 #   31|               0: [TypeAccess] byte
 #   31|               1: [MinusExpr] -...
 #   31|                 0: [IntegerLiteral] 214
-#   32|         22: [LocalVariableDeclStmt] local variable declaration
+#   32|         22: [LocalVariableDeclStmt] var ...;
 #   32|           0: [TypeAccess] short
 #   32|           1: [LocalVariableDeclExpr] downcast_short
 #   32|             0: [CastExpr] (...)...
 #   32|               0: [TypeAccess] short
 #   32|               1: [IntegerLiteral] 32768
-#   33|         23: [LocalVariableDeclStmt] local variable declaration
+#   33|         23: [LocalVariableDeclStmt] var ...;
 #   33|           0: [TypeAccess] int
 #   33|           1: [LocalVariableDeclExpr] cast_of_non_constant
 #   33|             0: [CastExpr] (...)...
 #   33|               0: [TypeAccess] int
 #   33|               1: [CharacterLiteral] '*'
-#   34|         24: [LocalVariableDeclStmt] local variable declaration
+#   34|         24: [LocalVariableDeclStmt] var ...;
 #   34|           0: [TypeAccess] long
 #   34|           1: [LocalVariableDeclExpr] cast_to_long
 #   34|             0: [CastExpr] (...)...
 #   34|               0: [TypeAccess] long
 #   34|               1: [IntegerLiteral] 42
-#   36|         25: [LocalVariableDeclStmt] local variable declaration
+#   36|         25: [LocalVariableDeclStmt] var ...;
 #   36|           0: [TypeAccess] int
 #   36|           1: [LocalVariableDeclExpr] unary_plus
 #   36|             0: [PlusExpr] +...
 #   36|               0: [IntegerLiteral] 42
-#   37|         26: [LocalVariableDeclStmt] local variable declaration
+#   37|         26: [LocalVariableDeclStmt] var ...;
 #   37|           0: [TypeAccess] int
 #   37|           1: [LocalVariableDeclExpr] parameter_plus
 #   37|             0: [PlusExpr] +...
 #   37|               0: [VarAccess] notConstant
-#   39|         27: [LocalVariableDeclStmt] local variable declaration
+#   39|         27: [LocalVariableDeclStmt] var ...;
 #   39|           0: [TypeAccess] int
 #   39|           1: [LocalVariableDeclExpr] unary_minus
 #   39|             0: [MinusExpr] -...
 #   39|               0: [IntegerLiteral] 42
-#   40|         28: [LocalVariableDeclStmt] local variable declaration
+#   40|         28: [LocalVariableDeclStmt] var ...;
 #   40|           0: [TypeAccess] int
 #   40|           1: [LocalVariableDeclExpr] parameter_minus
 #   40|             0: [MinusExpr] -...
 #   40|               0: [VarAccess] notConstant
-#   42|         29: [LocalVariableDeclStmt] local variable declaration
+#   42|         29: [LocalVariableDeclStmt] var ...;
 #   42|           0: [TypeAccess] boolean
 #   42|           1: [LocalVariableDeclExpr] not
 #   42|             0: [LogNotExpr] !...
 #   42|               0: [BooleanLiteral] true
-#   43|         30: [LocalVariableDeclStmt] local variable declaration
+#   43|         30: [LocalVariableDeclStmt] var ...;
 #   43|           0: [TypeAccess] int
 #   43|           1: [LocalVariableDeclExpr] bitwise_not
 #   43|             0: [BitNotExpr] ~...
 #   43|               0: [IntegerLiteral] 0
-#   45|         31: [LocalVariableDeclStmt] local variable declaration
+#   45|         31: [LocalVariableDeclStmt] var ...;
 #   45|           0: [TypeAccess] int
 #   45|           1: [LocalVariableDeclExpr] mul
 #   45|             0: [MulExpr] ... * ...
 #   45|               0: [IntegerLiteral] 7
 #   45|               1: [IntegerLiteral] 9
-#   46|         32: [LocalVariableDeclStmt] local variable declaration
+#   46|         32: [LocalVariableDeclStmt] var ...;
 #   46|           0: [TypeAccess] int
 #   46|           1: [LocalVariableDeclExpr] mul_parameter
 #   46|             0: [MulExpr] ... * ...
 #   46|               0: [VarAccess] notConstant
 #   46|               1: [VarAccess] notConstant
-#   48|         33: [LocalVariableDeclStmt] local variable declaration
+#   48|         33: [LocalVariableDeclStmt] var ...;
 #   48|           0: [TypeAccess] int
 #   48|           1: [LocalVariableDeclExpr] div
 #   48|             0: [DivExpr] ... / ...
 #   48|               0: [IntegerLiteral] 168
 #   48|               1: [IntegerLiteral] 4
-#   49|         34: [LocalVariableDeclStmt] local variable declaration
+#   49|         34: [LocalVariableDeclStmt] var ...;
 #   49|           0: [TypeAccess] int
 #   49|           1: [LocalVariableDeclExpr] div_by_zero
 #   49|             0: [DivExpr] ... / ...
 #   49|               0: [IntegerLiteral] 42
 #   49|               1: [IntegerLiteral] 0
-#   50|         35: [LocalVariableDeclStmt] local variable declaration
+#   50|         35: [LocalVariableDeclStmt] var ...;
 #   50|           0: [TypeAccess] int
 #   50|           1: [LocalVariableDeclExpr] div_parameter
 #   50|             0: [DivExpr] ... / ...
 #   50|               0: [VarAccess] notConstant
 #   50|               1: [VarAccess] notConstant
-#   52|         36: [LocalVariableDeclStmt] local variable declaration
+#   52|         36: [LocalVariableDeclStmt] var ...;
 #   52|           0: [TypeAccess] int
 #   52|           1: [LocalVariableDeclExpr] rem
 #   52|             0: [RemExpr] ... % ...
 #   52|               0: [IntegerLiteral] 168
 #   52|               1: [IntegerLiteral] 63
-#   53|         37: [LocalVariableDeclStmt] local variable declaration
+#   53|         37: [LocalVariableDeclStmt] var ...;
 #   53|           0: [TypeAccess] int
 #   53|           1: [LocalVariableDeclExpr] rem_by_zero
 #   53|             0: [RemExpr] ... % ...
 #   53|               0: [IntegerLiteral] 42
 #   53|               1: [IntegerLiteral] 0
-#   54|         38: [LocalVariableDeclStmt] local variable declaration
+#   54|         38: [LocalVariableDeclStmt] var ...;
 #   54|           0: [TypeAccess] int
 #   54|           1: [LocalVariableDeclExpr] rem_parameter
 #   54|             0: [RemExpr] ... % ...
 #   54|               0: [VarAccess] notConstant
 #   54|               1: [VarAccess] notConstant
-#   56|         39: [LocalVariableDeclStmt] local variable declaration
+#   56|         39: [LocalVariableDeclStmt] var ...;
 #   56|           0: [TypeAccess] int
 #   56|           1: [LocalVariableDeclExpr] plus
 #   56|             0: [AddExpr] ... + ...
 #   56|               0: [IntegerLiteral] 10
 #   56|               1: [IntegerLiteral] 32
-#   57|         40: [LocalVariableDeclStmt] local variable declaration
+#   57|         40: [LocalVariableDeclStmt] var ...;
 #   57|           0: [TypeAccess] int
 #   57|           1: [LocalVariableDeclExpr] plus_parameter
 #   57|             0: [AddExpr] ... + ...
 #   57|               0: [VarAccess] notConstant
 #   57|               1: [VarAccess] notConstant
-#   59|         41: [LocalVariableDeclStmt] local variable declaration
+#   59|         41: [LocalVariableDeclStmt] var ...;
 #   59|           0: [TypeAccess] int
 #   59|           1: [LocalVariableDeclExpr] minus
 #   59|             0: [SubExpr] ... - ...
 #   59|               0: [IntegerLiteral] 168
 #   59|               1: [IntegerLiteral] 126
-#   60|         42: [LocalVariableDeclStmt] local variable declaration
+#   60|         42: [LocalVariableDeclStmt] var ...;
 #   60|           0: [TypeAccess] int
 #   60|           1: [LocalVariableDeclExpr] minus_parameter
 #   60|             0: [SubExpr] ... - ...
 #   60|               0: [VarAccess] notConstant
 #   60|               1: [VarAccess] notConstant
-#   62|         43: [LocalVariableDeclStmt] local variable declaration
+#   62|         43: [LocalVariableDeclStmt] var ...;
 #   62|           0: [TypeAccess] int
 #   62|           1: [LocalVariableDeclExpr] lshift
 #   62|             0: [LShiftExpr] ... << ...
 #   62|               0: [IntegerLiteral] 21
 #   62|               1: [IntegerLiteral] 2
-#   63|         44: [LocalVariableDeclStmt] local variable declaration
+#   63|         44: [LocalVariableDeclStmt] var ...;
 #   63|           0: [TypeAccess] int
 #   63|           1: [LocalVariableDeclExpr] lshift_parameter
 #   63|             0: [LShiftExpr] ... << ...
 #   63|               0: [VarAccess] notConstant
 #   63|               1: [VarAccess] notConstant
-#   65|         45: [LocalVariableDeclStmt] local variable declaration
+#   65|         45: [LocalVariableDeclStmt] var ...;
 #   65|           0: [TypeAccess] int
 #   65|           1: [LocalVariableDeclExpr] rshift
 #   65|             0: [RShiftExpr] ... >> ...
 #   65|               0: [MinusExpr] -...
 #   65|                 0: [IntegerLiteral] 1
 #   65|               1: [IntegerLiteral] 2
-#   66|         46: [LocalVariableDeclStmt] local variable declaration
+#   66|         46: [LocalVariableDeclStmt] var ...;
 #   66|           0: [TypeAccess] int
 #   66|           1: [LocalVariableDeclExpr] urshift
 #   66|             0: [URShiftExpr] ... >>> ...
 #   66|               0: [MinusExpr] -...
 #   66|                 0: [IntegerLiteral] 1
 #   66|               1: [IntegerLiteral] 1
-#   67|         47: [LocalVariableDeclStmt] local variable declaration
+#   67|         47: [LocalVariableDeclStmt] var ...;
 #   67|           0: [TypeAccess] int
 #   67|           1: [LocalVariableDeclExpr] bitwise_and
 #   67|             0: [AndBitwiseExpr] ... & ...
 #   67|               0: [IntegerLiteral] 63
 #   67|               1: [IntegerLiteral] 42
-#   68|         48: [LocalVariableDeclStmt] local variable declaration
+#   68|         48: [LocalVariableDeclStmt] var ...;
 #   68|           0: [TypeAccess] int
 #   68|           1: [LocalVariableDeclExpr] bitwise_or
 #   68|             0: [OrBitwiseExpr] ... | ...
 #   68|               0: [IntegerLiteral] 32
 #   68|               1: [IntegerLiteral] 42
-#   69|         49: [LocalVariableDeclStmt] local variable declaration
+#   69|         49: [LocalVariableDeclStmt] var ...;
 #   69|           0: [TypeAccess] int
 #   69|           1: [LocalVariableDeclExpr] bitwise_xor
 #   69|             0: [XorBitwiseExpr] ... ^ ...
 #   69|               0: [IntegerLiteral] 48
 #   69|               1: [IntegerLiteral] 26
-#   70|         50: [LocalVariableDeclStmt] local variable declaration
+#   70|         50: [LocalVariableDeclStmt] var ...;
 #   70|           0: [TypeAccess] boolean
 #   70|           1: [LocalVariableDeclExpr] and
 #   70|             0: [AndLogicalExpr] ... && ...
 #   70|               0: [BooleanLiteral] true
 #   70|               1: [BooleanLiteral] false
-#   71|         51: [LocalVariableDeclStmt] local variable declaration
+#   71|         51: [LocalVariableDeclStmt] var ...;
 #   71|           0: [TypeAccess] boolean
 #   71|           1: [LocalVariableDeclExpr] or
 #   71|             0: [OrLogicalExpr] ... || ...
 #   71|               0: [BooleanLiteral] true
 #   71|               1: [BooleanLiteral] false
-#   72|         52: [LocalVariableDeclStmt] local variable declaration
+#   72|         52: [LocalVariableDeclStmt] var ...;
 #   72|           0: [TypeAccess] boolean
 #   72|           1: [LocalVariableDeclExpr] lt
 #   72|             0: [LTExpr] ... < ...
 #   72|               0: [IntegerLiteral] 42
 #   72|               1: [IntegerLiteral] 42
-#   73|         53: [LocalVariableDeclStmt] local variable declaration
+#   73|         53: [LocalVariableDeclStmt] var ...;
 #   73|           0: [TypeAccess] boolean
 #   73|           1: [LocalVariableDeclExpr] le
 #   73|             0: [LEExpr] ... <= ...
 #   73|               0: [IntegerLiteral] 42
 #   73|               1: [IntegerLiteral] 42
-#   74|         54: [LocalVariableDeclStmt] local variable declaration
+#   74|         54: [LocalVariableDeclStmt] var ...;
 #   74|           0: [TypeAccess] boolean
 #   74|           1: [LocalVariableDeclExpr] gt
 #   74|             0: [GTExpr] ... > ...
 #   74|               0: [IntegerLiteral] 42
 #   74|               1: [IntegerLiteral] 42
-#   75|         55: [LocalVariableDeclStmt] local variable declaration
+#   75|         55: [LocalVariableDeclStmt] var ...;
 #   75|           0: [TypeAccess] boolean
 #   75|           1: [LocalVariableDeclExpr] gle
 #   75|             0: [GEExpr] ... >= ...
 #   75|               0: [IntegerLiteral] 42
 #   75|               1: [IntegerLiteral] 42
-#   76|         56: [LocalVariableDeclStmt] local variable declaration
+#   76|         56: [LocalVariableDeclStmt] var ...;
 #   76|           0: [TypeAccess] boolean
 #   76|           1: [LocalVariableDeclExpr] eq
 #   76|             0: [EQExpr] ... == ...
 #   76|               0: [IntegerLiteral] 42
 #   76|               1: [IntegerLiteral] 42
-#   77|         57: [LocalVariableDeclStmt] local variable declaration
+#   77|         57: [LocalVariableDeclStmt] var ...;
 #   77|           0: [TypeAccess] boolean
 #   77|           1: [LocalVariableDeclExpr] ne
 #   77|             0: [NEExpr] ... != ...
 #   77|               0: [IntegerLiteral] 42
 #   77|               1: [IntegerLiteral] 42
-#   78|         58: [LocalVariableDeclStmt] local variable declaration
+#   78|         58: [LocalVariableDeclStmt] var ...;
 #   78|           0: [TypeAccess] boolean
 #   78|           1: [LocalVariableDeclExpr] ter
 #   78|             0: [ConditionalExpr] ...?...:...
 #   78|               0: [BooleanLiteral] true
 #   78|               1: [BooleanLiteral] false
 #   78|               2: [BooleanLiteral] true
-#   80|         59: [LocalVariableDeclStmt] local variable declaration
+#   80|         59: [LocalVariableDeclStmt] var ...;
 #   80|           0: [TypeAccess] boolean
 #   80|           1: [LocalVariableDeclExpr] seq
 #   80|             0: [EQExpr] ... == ...
 #   80|               0: [StringLiteral] "foo"
 #   80|               1: [StringLiteral] "foo"
-#   81|         60: [LocalVariableDeclStmt] local variable declaration
+#   81|         60: [LocalVariableDeclStmt] var ...;
 #   81|           0: [TypeAccess] boolean
 #   81|           1: [LocalVariableDeclExpr] sneq
 #   81|             0: [NEExpr] ... != ...
 #   81|               0: [StringLiteral] "foo"
 #   81|               1: [StringLiteral] "foo"
-#   83|         61: [LocalVariableDeclStmt] local variable declaration
+#   83|         61: [LocalVariableDeclStmt] var ...;
 #   83|           0: [TypeAccess] int
 #   83|           1: [LocalVariableDeclExpr] par
 #   83|             0: [IntegerLiteral] 42
-#   84|         62: [LocalVariableDeclStmt] local variable declaration
+#   84|         62: [LocalVariableDeclStmt] var ...;
 #   84|           0: [TypeAccess] int
 #   84|           1: [LocalVariableDeclExpr] par_not_constant
 #   84|             0: [VarAccess] notConstant
-#   86|         63: [LocalVariableDeclStmt] local variable declaration
+#   86|         63: [LocalVariableDeclStmt] var ...;
 #   86|           0: [TypeAccess] int
 #   86|           1: [LocalVariableDeclExpr] var_field
 #   86|             0: [VarAccess] final_field
-#   87|         64: [LocalVariableDeclStmt] local variable declaration
+#   87|         64: [LocalVariableDeclStmt] var ...;
 #   87|           0: [TypeAccess] int
 #   87|           1: [LocalVariableDeclExpr] final_local
 #   87|             0: [IntegerLiteral] 42
-#   88|         65: [LocalVariableDeclStmt] local variable declaration
+#   88|         65: [LocalVariableDeclStmt] var ...;
 #   88|           0: [TypeAccess] int
 #   88|           1: [LocalVariableDeclExpr] var_local
 #   88|             0: [VarAccess] final_local
-#   89|         66: [LocalVariableDeclStmt] local variable declaration
+#   89|         66: [LocalVariableDeclStmt] var ...;
 #   89|           0: [TypeAccess] int
 #   89|           1: [LocalVariableDeclExpr] var_param
 #   89|             0: [VarAccess] notConstant
-#   90|         67: [LocalVariableDeclStmt] local variable declaration
+#   90|         67: [LocalVariableDeclStmt] var ...;
 #   90|           0: [TypeAccess] int
 #   90|           1: [LocalVariableDeclExpr] var_nonfinald_local
 #   90|             0: [VarAccess] var_field
diff --git a/java/ql/test/library-tests/controlflow/basic/bbStmts.expected b/java/ql/test/library-tests/controlflow/basic/bbStmts.expected
index a23a14afbe9..fc1efcea747 100644
--- a/java/ql/test/library-tests/controlflow/basic/bbStmts.expected
+++ b/java/ql/test/library-tests/controlflow/basic/bbStmts.expected
@@ -3,16 +3,16 @@
 | Test.java:3:14:3:17 | { ... } | Test.java:3:14:3:17 | { ... } | 0 |
 | Test.java:4:14:4:17 | test | Test.java:4:14:4:17 | test | 0 |
 | Test.java:4:21:76:2 | { ... } | Test.java:4:21:76:2 | { ... } | 0 |
-| Test.java:4:21:76:2 | { ... } | Test.java:5:3:5:12 | local variable declaration | 1 |
+| Test.java:4:21:76:2 | { ... } | Test.java:5:3:5:12 | var ...; | 1 |
 | Test.java:4:21:76:2 | { ... } | Test.java:5:7:5:11 | x | 3 |
 | Test.java:4:21:76:2 | { ... } | Test.java:5:11:5:11 | 0 | 2 |
-| Test.java:4:21:76:2 | { ... } | Test.java:6:3:6:14 | local variable declaration | 4 |
+| Test.java:4:21:76:2 | { ... } | Test.java:6:3:6:14 | var ...; | 4 |
 | Test.java:4:21:76:2 | { ... } | Test.java:6:8:6:13 | y | 6 |
 | Test.java:4:21:76:2 | { ... } | Test.java:6:12:6:13 | 50 | 5 |
-| Test.java:4:21:76:2 | { ... } | Test.java:7:3:7:12 | local variable declaration | 7 |
+| Test.java:4:21:76:2 | { ... } | Test.java:7:3:7:12 | var ...; | 7 |
 | Test.java:4:21:76:2 | { ... } | Test.java:7:7:7:11 | z | 9 |
 | Test.java:4:21:76:2 | { ... } | Test.java:7:11:7:11 | 0 | 8 |
-| Test.java:4:21:76:2 | { ... } | Test.java:8:3:8:12 | local variable declaration | 10 |
+| Test.java:4:21:76:2 | { ... } | Test.java:8:3:8:12 | var ...; | 10 |
 | Test.java:4:21:76:2 | { ... } | Test.java:8:7:8:11 | w | 12 |
 | Test.java:4:21:76:2 | { ... } | Test.java:8:11:8:11 | 0 | 11 |
 | Test.java:4:21:76:2 | { ... } | Test.java:11:3:11:12 | if (...) | 13 |
@@ -21,60 +21,60 @@
 | Test.java:4:21:76:2 | { ... } | Test.java:11:11:11:11 | 0 | 15 |
 | Test.java:11:14:14:3 | { ... } | Test.java:11:14:14:3 | { ... } | 0 |
 | Test.java:11:14:14:3 | { ... } | Test.java:12:4:12:9 | ...=... | 3 |
-| Test.java:11:14:14:3 | { ... } | Test.java:12:4:12:10 | ...; | 1 |
+| Test.java:11:14:14:3 | { ... } | Test.java:12:4:12:10 | <Expr>; | 1 |
 | Test.java:11:14:14:3 | { ... } | Test.java:12:8:12:9 | 20 | 2 |
 | Test.java:11:14:14:3 | { ... } | Test.java:13:4:13:9 | ...=... | 6 |
-| Test.java:11:14:14:3 | { ... } | Test.java:13:4:13:10 | ...; | 4 |
+| Test.java:11:14:14:3 | { ... } | Test.java:13:4:13:10 | <Expr>; | 4 |
 | Test.java:11:14:14:3 | { ... } | Test.java:13:8:13:9 | 10 | 5 |
 | Test.java:14:10:16:3 | { ... } | Test.java:14:10:16:3 | { ... } | 0 |
 | Test.java:14:10:16:3 | { ... } | Test.java:15:4:15:9 | ...=... | 3 |
-| Test.java:14:10:16:3 | { ... } | Test.java:15:4:15:10 | ...; | 1 |
+| Test.java:14:10:16:3 | { ... } | Test.java:15:4:15:10 | <Expr>; | 1 |
 | Test.java:14:10:16:3 | { ... } | Test.java:15:8:15:9 | 30 | 2 |
-| Test.java:18:3:18:8 | ...; | Test.java:18:3:18:7 | ...=... | 2 |
-| Test.java:18:3:18:8 | ...; | Test.java:18:3:18:8 | ...; | 0 |
-| Test.java:18:3:18:8 | ...; | Test.java:18:7:18:7 | 0 | 1 |
-| Test.java:18:3:18:8 | ...; | Test.java:21:3:21:11 | if (...) | 3 |
-| Test.java:18:3:18:8 | ...; | Test.java:21:6:21:6 | x | 4 |
-| Test.java:18:3:18:8 | ...; | Test.java:21:6:21:10 | ... < ... | 6 |
-| Test.java:18:3:18:8 | ...; | Test.java:21:10:21:10 | 0 | 5 |
-| Test.java:22:4:22:10 | ...; | Test.java:22:4:22:9 | ...=... | 2 |
-| Test.java:22:4:22:10 | ...; | Test.java:22:4:22:10 | ...; | 0 |
-| Test.java:22:4:22:10 | ...; | Test.java:22:8:22:9 | 40 | 1 |
-| Test.java:22:4:22:10 | ...; | Test.java:27:3:27:8 | ...=... | 5 |
-| Test.java:22:4:22:10 | ...; | Test.java:27:3:27:9 | ...; | 3 |
-| Test.java:22:4:22:10 | ...; | Test.java:27:7:27:8 | 10 | 4 |
-| Test.java:22:4:22:10 | ...; | Test.java:30:3:30:13 | if (...) | 6 |
-| Test.java:22:4:22:10 | ...; | Test.java:30:7:30:7 | x | 7 |
-| Test.java:22:4:22:10 | ...; | Test.java:30:7:30:12 | ... == ... | 9 |
-| Test.java:22:4:22:10 | ...; | Test.java:30:12:30:12 | 0 | 8 |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:18:3:18:7 | ...=... | 2 |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:18:3:18:8 | <Expr>; | 0 |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:18:7:18:7 | 0 | 1 |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:21:3:21:11 | if (...) | 3 |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:21:6:21:6 | x | 4 |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:21:6:21:10 | ... < ... | 6 |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:21:10:21:10 | 0 | 5 |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:22:4:22:9 | ...=... | 2 |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:22:4:22:10 | <Expr>; | 0 |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:22:8:22:9 | 40 | 1 |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:27:3:27:8 | ...=... | 5 |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:27:3:27:9 | <Expr>; | 3 |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:27:7:27:8 | 10 | 4 |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:30:3:30:13 | if (...) | 6 |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:30:7:30:7 | x | 7 |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:30:7:30:12 | ... == ... | 9 |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:30:12:30:12 | 0 | 8 |
 | Test.java:24:4:24:10 | return ... | Test.java:24:4:24:10 | return ... | 0 |
 | Test.java:30:15:33:3 | { ... } | Test.java:30:15:33:3 | { ... } | 0 |
 | Test.java:30:15:33:3 | { ... } | Test.java:31:4:31:9 | ...=... | 3 |
-| Test.java:30:15:33:3 | { ... } | Test.java:31:4:31:10 | ...; | 1 |
+| Test.java:30:15:33:3 | { ... } | Test.java:31:4:31:10 | <Expr>; | 1 |
 | Test.java:30:15:33:3 | { ... } | Test.java:31:8:31:9 | 60 | 2 |
 | Test.java:30:15:33:3 | { ... } | Test.java:32:4:32:9 | ...=... | 6 |
-| Test.java:30:15:33:3 | { ... } | Test.java:32:4:32:10 | ...; | 4 |
+| Test.java:30:15:33:3 | { ... } | Test.java:32:4:32:10 | <Expr>; | 4 |
 | Test.java:30:15:33:3 | { ... } | Test.java:32:8:32:9 | 10 | 5 |
-| Test.java:35:3:35:9 | ...; | Test.java:35:3:35:8 | ...=... | 2 |
-| Test.java:35:3:35:9 | ...; | Test.java:35:3:35:9 | ...; | 0 |
-| Test.java:35:3:35:9 | ...; | Test.java:35:7:35:8 | 20 | 1 |
-| Test.java:35:3:35:9 | ...; | Test.java:38:3:38:14 | while (...) | 3 |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:35:3:35:8 | ...=... | 2 |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:35:3:35:9 | <Expr>; | 0 |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:35:7:35:8 | 20 | 1 |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:38:3:38:14 | while (...) | 3 |
 | Test.java:38:9:38:9 | x | Test.java:38:9:38:9 | x | 0 |
 | Test.java:38:9:38:9 | x | Test.java:38:9:38:13 | ... > ... | 2 |
 | Test.java:38:9:38:9 | x | Test.java:38:13:38:13 | 0 | 1 |
 | Test.java:38:16:41:3 | { ... } | Test.java:38:16:41:3 | { ... } | 0 |
 | Test.java:38:16:41:3 | { ... } | Test.java:39:4:39:9 | ...=... | 3 |
-| Test.java:38:16:41:3 | { ... } | Test.java:39:4:39:10 | ...; | 1 |
+| Test.java:38:16:41:3 | { ... } | Test.java:39:4:39:10 | <Expr>; | 1 |
 | Test.java:38:16:41:3 | { ... } | Test.java:39:8:39:9 | 10 | 2 |
 | Test.java:38:16:41:3 | { ... } | Test.java:40:4:40:4 | x | 5 |
 | Test.java:38:16:41:3 | { ... } | Test.java:40:4:40:6 | ...-- | 6 |
-| Test.java:38:16:41:3 | { ... } | Test.java:40:4:40:7 | ...; | 4 |
-| Test.java:43:3:43:9 | ...; | Test.java:43:3:43:8 | ...=... | 2 |
-| Test.java:43:3:43:9 | ...; | Test.java:43:3:43:9 | ...; | 0 |
-| Test.java:43:3:43:9 | ...; | Test.java:43:7:43:8 | 30 | 1 |
-| Test.java:43:3:43:9 | ...; | Test.java:46:3:46:29 | for (...) | 3 |
-| Test.java:43:3:43:9 | ...; | Test.java:46:11:46:15 | j | 5 |
-| Test.java:43:3:43:9 | ...; | Test.java:46:15:46:15 | 0 | 4 |
+| Test.java:38:16:41:3 | { ... } | Test.java:40:4:40:7 | <Expr>; | 4 |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:43:3:43:8 | ...=... | 2 |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:43:3:43:9 | <Expr>; | 0 |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:43:7:43:8 | 30 | 1 |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:46:3:46:29 | for (...;...;...) | 3 |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:46:11:46:15 | j | 5 |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:46:15:46:15 | 0 | 4 |
 | Test.java:46:18:46:18 | j | Test.java:46:18:46:18 | j | 0 |
 | Test.java:46:18:46:18 | j | Test.java:46:18:46:23 | ... < ... | 2 |
 | Test.java:46:18:46:18 | j | Test.java:46:22:46:23 | 10 | 1 |
@@ -82,17 +82,17 @@
 | Test.java:46:31:49:3 | { ... } | Test.java:46:26:46:28 | ...++ | 8 |
 | Test.java:46:31:49:3 | { ... } | Test.java:46:31:49:3 | { ... } | 0 |
 | Test.java:46:31:49:3 | { ... } | Test.java:47:4:47:8 | ...=... | 3 |
-| Test.java:46:31:49:3 | { ... } | Test.java:47:4:47:9 | ...; | 1 |
+| Test.java:46:31:49:3 | { ... } | Test.java:47:4:47:9 | <Expr>; | 1 |
 | Test.java:46:31:49:3 | { ... } | Test.java:47:8:47:8 | 0 | 2 |
 | Test.java:46:31:49:3 | { ... } | Test.java:48:4:48:9 | ...=... | 6 |
-| Test.java:46:31:49:3 | { ... } | Test.java:48:4:48:10 | ...; | 4 |
+| Test.java:46:31:49:3 | { ... } | Test.java:48:4:48:10 | <Expr>; | 4 |
 | Test.java:46:31:49:3 | { ... } | Test.java:48:8:48:9 | 10 | 5 |
-| Test.java:51:3:51:9 | ...; | Test.java:51:3:51:8 | ...=... | 2 |
-| Test.java:51:3:51:9 | ...; | Test.java:51:3:51:9 | ...; | 0 |
-| Test.java:51:3:51:9 | ...; | Test.java:51:7:51:8 | 40 | 1 |
-| Test.java:51:3:51:9 | ...; | Test.java:54:3:54:29 | for (...) | 3 |
-| Test.java:51:3:51:9 | ...; | Test.java:54:11:54:15 | j | 5 |
-| Test.java:51:3:51:9 | ...; | Test.java:54:15:54:15 | 0 | 4 |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:51:3:51:8 | ...=... | 2 |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:51:3:51:9 | <Expr>; | 0 |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:51:7:51:8 | 40 | 1 |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:54:3:54:29 | for (...;...;...) | 3 |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:54:11:54:15 | j | 5 |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:54:15:54:15 | 0 | 4 |
 | Test.java:54:18:54:18 | j | Test.java:54:18:54:18 | j | 0 |
 | Test.java:54:18:54:18 | j | Test.java:54:18:54:23 | ... < ... | 2 |
 | Test.java:54:18:54:18 | j | Test.java:54:22:54:23 | 10 | 1 |
@@ -100,7 +100,7 @@
 | Test.java:54:26:54:26 | j | Test.java:54:26:54:28 | ...++ | 1 |
 | Test.java:54:31:68:3 | { ... } | Test.java:54:31:68:3 | { ... } | 0 |
 | Test.java:54:31:68:3 | { ... } | Test.java:55:4:55:9 | ...=... | 3 |
-| Test.java:54:31:68:3 | { ... } | Test.java:55:4:55:10 | ...; | 1 |
+| Test.java:54:31:68:3 | { ... } | Test.java:55:4:55:10 | <Expr>; | 1 |
 | Test.java:54:31:68:3 | { ... } | Test.java:55:8:55:9 | 30 | 2 |
 | Test.java:54:31:68:3 | { ... } | Test.java:56:4:56:12 | if (...) | 4 |
 | Test.java:54:31:68:3 | { ... } | Test.java:56:7:56:7 | z | 5 |
@@ -112,25 +112,25 @@
 | Test.java:57:5:57:13 | if (...) | Test.java:57:12:57:12 | 0 | 2 |
 | Test.java:57:15:60:5 | { ... } | Test.java:57:15:60:5 | { ... } | 0 |
 | Test.java:57:15:60:5 | { ... } | Test.java:58:6:58:10 | ...=... | 3 |
-| Test.java:57:15:60:5 | { ... } | Test.java:58:6:58:11 | ...; | 1 |
+| Test.java:57:15:60:5 | { ... } | Test.java:58:6:58:11 | <Expr>; | 1 |
 | Test.java:57:15:60:5 | { ... } | Test.java:58:10:58:10 | 0 | 2 |
 | Test.java:57:15:60:5 | { ... } | Test.java:59:6:59:11 | break | 4 |
 | Test.java:60:12:62:5 | { ... } | Test.java:60:12:62:5 | { ... } | 0 |
 | Test.java:60:12:62:5 | { ... } | Test.java:61:6:61:11 | ...=... | 3 |
-| Test.java:60:12:62:5 | { ... } | Test.java:61:6:61:12 | ...; | 1 |
+| Test.java:60:12:62:5 | { ... } | Test.java:61:6:61:12 | <Expr>; | 1 |
 | Test.java:60:12:62:5 | { ... } | Test.java:61:10:61:11 | 20 | 2 |
 | Test.java:60:12:62:5 | { ... } | Test.java:67:4:67:8 | ...=... | 6 |
-| Test.java:60:12:62:5 | { ... } | Test.java:67:4:67:9 | ...; | 4 |
+| Test.java:60:12:62:5 | { ... } | Test.java:67:4:67:9 | <Expr>; | 4 |
 | Test.java:60:12:62:5 | { ... } | Test.java:67:8:67:8 | 0 | 5 |
 | Test.java:63:9:66:4 | { ... } | Test.java:63:9:66:4 | { ... } | 0 |
 | Test.java:63:9:66:4 | { ... } | Test.java:64:5:64:10 | ...=... | 3 |
-| Test.java:63:9:66:4 | { ... } | Test.java:64:5:64:11 | ...; | 1 |
+| Test.java:63:9:66:4 | { ... } | Test.java:64:5:64:11 | <Expr>; | 1 |
 | Test.java:63:9:66:4 | { ... } | Test.java:64:9:64:10 | 10 | 2 |
 | Test.java:63:9:66:4 | { ... } | Test.java:65:5:65:13 | continue | 4 |
-| Test.java:70:3:70:9 | ...; | Test.java:70:3:70:8 | ...=... | 2 |
-| Test.java:70:3:70:9 | ...; | Test.java:70:3:70:9 | ...; | 0 |
-| Test.java:70:3:70:9 | ...; | Test.java:70:7:70:8 | 50 | 1 |
-| Test.java:70:3:70:9 | ...; | Test.java:74:3:74:8 | ...=... | 5 |
-| Test.java:70:3:70:9 | ...; | Test.java:74:3:74:9 | ...; | 3 |
-| Test.java:70:3:70:9 | ...; | Test.java:74:7:74:8 | 40 | 4 |
-| Test.java:70:3:70:9 | ...; | Test.java:75:3:75:9 | return ... | 6 |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:70:3:70:8 | ...=... | 2 |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:70:3:70:9 | <Expr>; | 0 |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:70:7:70:8 | 50 | 1 |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:74:3:74:8 | ...=... | 5 |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:74:3:74:9 | <Expr>; | 3 |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:74:7:74:8 | 40 | 4 |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:75:3:75:9 | return ... | 6 |
diff --git a/java/ql/test/library-tests/controlflow/basic/bbStrictDominance.expected b/java/ql/test/library-tests/controlflow/basic/bbStrictDominance.expected
index cc15fb63a29..13382ba1fba 100644
--- a/java/ql/test/library-tests/controlflow/basic/bbStrictDominance.expected
+++ b/java/ql/test/library-tests/controlflow/basic/bbStrictDominance.expected
@@ -1,17 +1,17 @@
 | Test.java:4:21:76:2 | { ... } | Test.java:4:14:4:17 | test |
 | Test.java:4:21:76:2 | { ... } | Test.java:11:14:14:3 | { ... } |
 | Test.java:4:21:76:2 | { ... } | Test.java:14:10:16:3 | { ... } |
-| Test.java:4:21:76:2 | { ... } | Test.java:18:3:18:8 | ...; |
-| Test.java:4:21:76:2 | { ... } | Test.java:22:4:22:10 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:18:3:18:8 | <Expr>; |
+| Test.java:4:21:76:2 | { ... } | Test.java:22:4:22:10 | <Expr>; |
 | Test.java:4:21:76:2 | { ... } | Test.java:24:4:24:10 | return ... |
 | Test.java:4:21:76:2 | { ... } | Test.java:30:15:33:3 | { ... } |
-| Test.java:4:21:76:2 | { ... } | Test.java:35:3:35:9 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:35:3:35:9 | <Expr>; |
 | Test.java:4:21:76:2 | { ... } | Test.java:38:9:38:9 | x |
 | Test.java:4:21:76:2 | { ... } | Test.java:38:16:41:3 | { ... } |
-| Test.java:4:21:76:2 | { ... } | Test.java:43:3:43:9 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:43:3:43:9 | <Expr>; |
 | Test.java:4:21:76:2 | { ... } | Test.java:46:18:46:18 | j |
 | Test.java:4:21:76:2 | { ... } | Test.java:46:31:49:3 | { ... } |
-| Test.java:4:21:76:2 | { ... } | Test.java:51:3:51:9 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:51:3:51:9 | <Expr>; |
 | Test.java:4:21:76:2 | { ... } | Test.java:54:18:54:18 | j |
 | Test.java:4:21:76:2 | { ... } | Test.java:54:26:54:26 | j |
 | Test.java:4:21:76:2 | { ... } | Test.java:54:31:68:3 | { ... } |
@@ -19,61 +19,61 @@
 | Test.java:4:21:76:2 | { ... } | Test.java:57:15:60:5 | { ... } |
 | Test.java:4:21:76:2 | { ... } | Test.java:60:12:62:5 | { ... } |
 | Test.java:4:21:76:2 | { ... } | Test.java:63:9:66:4 | { ... } |
-| Test.java:4:21:76:2 | { ... } | Test.java:70:3:70:9 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:4:14:4:17 | test |
-| Test.java:18:3:18:8 | ...; | Test.java:22:4:22:10 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:24:4:24:10 | return ... |
-| Test.java:18:3:18:8 | ...; | Test.java:30:15:33:3 | { ... } |
-| Test.java:18:3:18:8 | ...; | Test.java:35:3:35:9 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:38:9:38:9 | x |
-| Test.java:18:3:18:8 | ...; | Test.java:38:16:41:3 | { ... } |
-| Test.java:18:3:18:8 | ...; | Test.java:43:3:43:9 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:46:18:46:18 | j |
-| Test.java:18:3:18:8 | ...; | Test.java:46:31:49:3 | { ... } |
-| Test.java:18:3:18:8 | ...; | Test.java:51:3:51:9 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:54:18:54:18 | j |
-| Test.java:18:3:18:8 | ...; | Test.java:54:26:54:26 | j |
-| Test.java:18:3:18:8 | ...; | Test.java:54:31:68:3 | { ... } |
-| Test.java:18:3:18:8 | ...; | Test.java:57:5:57:13 | if (...) |
-| Test.java:18:3:18:8 | ...; | Test.java:57:15:60:5 | { ... } |
-| Test.java:18:3:18:8 | ...; | Test.java:60:12:62:5 | { ... } |
-| Test.java:18:3:18:8 | ...; | Test.java:63:9:66:4 | { ... } |
-| Test.java:18:3:18:8 | ...; | Test.java:70:3:70:9 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:30:15:33:3 | { ... } |
-| Test.java:22:4:22:10 | ...; | Test.java:35:3:35:9 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:38:9:38:9 | x |
-| Test.java:22:4:22:10 | ...; | Test.java:38:16:41:3 | { ... } |
-| Test.java:22:4:22:10 | ...; | Test.java:43:3:43:9 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:46:18:46:18 | j |
-| Test.java:22:4:22:10 | ...; | Test.java:46:31:49:3 | { ... } |
-| Test.java:22:4:22:10 | ...; | Test.java:51:3:51:9 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:54:18:54:18 | j |
-| Test.java:22:4:22:10 | ...; | Test.java:54:26:54:26 | j |
-| Test.java:22:4:22:10 | ...; | Test.java:54:31:68:3 | { ... } |
-| Test.java:22:4:22:10 | ...; | Test.java:57:5:57:13 | if (...) |
-| Test.java:22:4:22:10 | ...; | Test.java:57:15:60:5 | { ... } |
-| Test.java:22:4:22:10 | ...; | Test.java:60:12:62:5 | { ... } |
-| Test.java:22:4:22:10 | ...; | Test.java:63:9:66:4 | { ... } |
-| Test.java:22:4:22:10 | ...; | Test.java:70:3:70:9 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:38:9:38:9 | x |
-| Test.java:35:3:35:9 | ...; | Test.java:38:16:41:3 | { ... } |
-| Test.java:35:3:35:9 | ...; | Test.java:43:3:43:9 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:46:18:46:18 | j |
-| Test.java:35:3:35:9 | ...; | Test.java:46:31:49:3 | { ... } |
-| Test.java:35:3:35:9 | ...; | Test.java:51:3:51:9 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:54:18:54:18 | j |
-| Test.java:35:3:35:9 | ...; | Test.java:54:26:54:26 | j |
-| Test.java:35:3:35:9 | ...; | Test.java:54:31:68:3 | { ... } |
-| Test.java:35:3:35:9 | ...; | Test.java:57:5:57:13 | if (...) |
-| Test.java:35:3:35:9 | ...; | Test.java:57:15:60:5 | { ... } |
-| Test.java:35:3:35:9 | ...; | Test.java:60:12:62:5 | { ... } |
-| Test.java:35:3:35:9 | ...; | Test.java:63:9:66:4 | { ... } |
-| Test.java:35:3:35:9 | ...; | Test.java:70:3:70:9 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:4:14:4:17 | test |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:22:4:22:10 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:24:4:24:10 | return ... |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:30:15:33:3 | { ... } |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:35:3:35:9 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:38:9:38:9 | x |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:38:16:41:3 | { ... } |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:46:18:46:18 | j |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:46:31:49:3 | { ... } |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:54:18:54:18 | j |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:54:26:54:26 | j |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:54:31:68:3 | { ... } |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:57:5:57:13 | if (...) |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:57:15:60:5 | { ... } |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:60:12:62:5 | { ... } |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:63:9:66:4 | { ... } |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:30:15:33:3 | { ... } |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:35:3:35:9 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:38:9:38:9 | x |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:38:16:41:3 | { ... } |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:46:18:46:18 | j |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:46:31:49:3 | { ... } |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:54:18:54:18 | j |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:54:26:54:26 | j |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:54:31:68:3 | { ... } |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:57:5:57:13 | if (...) |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:57:15:60:5 | { ... } |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:60:12:62:5 | { ... } |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:63:9:66:4 | { ... } |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:38:9:38:9 | x |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:38:16:41:3 | { ... } |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:46:18:46:18 | j |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:46:31:49:3 | { ... } |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:54:18:54:18 | j |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:54:26:54:26 | j |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:54:31:68:3 | { ... } |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:57:5:57:13 | if (...) |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:57:15:60:5 | { ... } |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:60:12:62:5 | { ... } |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:63:9:66:4 | { ... } |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:70:3:70:9 | <Expr>; |
 | Test.java:38:9:38:9 | x | Test.java:38:16:41:3 | { ... } |
-| Test.java:38:9:38:9 | x | Test.java:43:3:43:9 | ...; |
+| Test.java:38:9:38:9 | x | Test.java:43:3:43:9 | <Expr>; |
 | Test.java:38:9:38:9 | x | Test.java:46:18:46:18 | j |
 | Test.java:38:9:38:9 | x | Test.java:46:31:49:3 | { ... } |
-| Test.java:38:9:38:9 | x | Test.java:51:3:51:9 | ...; |
+| Test.java:38:9:38:9 | x | Test.java:51:3:51:9 | <Expr>; |
 | Test.java:38:9:38:9 | x | Test.java:54:18:54:18 | j |
 | Test.java:38:9:38:9 | x | Test.java:54:26:54:26 | j |
 | Test.java:38:9:38:9 | x | Test.java:54:31:68:3 | { ... } |
@@ -81,20 +81,20 @@
 | Test.java:38:9:38:9 | x | Test.java:57:15:60:5 | { ... } |
 | Test.java:38:9:38:9 | x | Test.java:60:12:62:5 | { ... } |
 | Test.java:38:9:38:9 | x | Test.java:63:9:66:4 | { ... } |
-| Test.java:38:9:38:9 | x | Test.java:70:3:70:9 | ...; |
-| Test.java:43:3:43:9 | ...; | Test.java:46:18:46:18 | j |
-| Test.java:43:3:43:9 | ...; | Test.java:46:31:49:3 | { ... } |
-| Test.java:43:3:43:9 | ...; | Test.java:51:3:51:9 | ...; |
-| Test.java:43:3:43:9 | ...; | Test.java:54:18:54:18 | j |
-| Test.java:43:3:43:9 | ...; | Test.java:54:26:54:26 | j |
-| Test.java:43:3:43:9 | ...; | Test.java:54:31:68:3 | { ... } |
-| Test.java:43:3:43:9 | ...; | Test.java:57:5:57:13 | if (...) |
-| Test.java:43:3:43:9 | ...; | Test.java:57:15:60:5 | { ... } |
-| Test.java:43:3:43:9 | ...; | Test.java:60:12:62:5 | { ... } |
-| Test.java:43:3:43:9 | ...; | Test.java:63:9:66:4 | { ... } |
-| Test.java:43:3:43:9 | ...; | Test.java:70:3:70:9 | ...; |
+| Test.java:38:9:38:9 | x | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:46:18:46:18 | j |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:46:31:49:3 | { ... } |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:54:18:54:18 | j |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:54:26:54:26 | j |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:54:31:68:3 | { ... } |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:57:5:57:13 | if (...) |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:57:15:60:5 | { ... } |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:60:12:62:5 | { ... } |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:63:9:66:4 | { ... } |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:70:3:70:9 | <Expr>; |
 | Test.java:46:18:46:18 | j | Test.java:46:31:49:3 | { ... } |
-| Test.java:46:18:46:18 | j | Test.java:51:3:51:9 | ...; |
+| Test.java:46:18:46:18 | j | Test.java:51:3:51:9 | <Expr>; |
 | Test.java:46:18:46:18 | j | Test.java:54:18:54:18 | j |
 | Test.java:46:18:46:18 | j | Test.java:54:26:54:26 | j |
 | Test.java:46:18:46:18 | j | Test.java:54:31:68:3 | { ... } |
@@ -102,22 +102,22 @@
 | Test.java:46:18:46:18 | j | Test.java:57:15:60:5 | { ... } |
 | Test.java:46:18:46:18 | j | Test.java:60:12:62:5 | { ... } |
 | Test.java:46:18:46:18 | j | Test.java:63:9:66:4 | { ... } |
-| Test.java:46:18:46:18 | j | Test.java:70:3:70:9 | ...; |
-| Test.java:51:3:51:9 | ...; | Test.java:54:18:54:18 | j |
-| Test.java:51:3:51:9 | ...; | Test.java:54:26:54:26 | j |
-| Test.java:51:3:51:9 | ...; | Test.java:54:31:68:3 | { ... } |
-| Test.java:51:3:51:9 | ...; | Test.java:57:5:57:13 | if (...) |
-| Test.java:51:3:51:9 | ...; | Test.java:57:15:60:5 | { ... } |
-| Test.java:51:3:51:9 | ...; | Test.java:60:12:62:5 | { ... } |
-| Test.java:51:3:51:9 | ...; | Test.java:63:9:66:4 | { ... } |
-| Test.java:51:3:51:9 | ...; | Test.java:70:3:70:9 | ...; |
+| Test.java:46:18:46:18 | j | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:54:18:54:18 | j |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:54:26:54:26 | j |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:54:31:68:3 | { ... } |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:57:5:57:13 | if (...) |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:57:15:60:5 | { ... } |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:60:12:62:5 | { ... } |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:63:9:66:4 | { ... } |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:70:3:70:9 | <Expr>; |
 | Test.java:54:18:54:18 | j | Test.java:54:26:54:26 | j |
 | Test.java:54:18:54:18 | j | Test.java:54:31:68:3 | { ... } |
 | Test.java:54:18:54:18 | j | Test.java:57:5:57:13 | if (...) |
 | Test.java:54:18:54:18 | j | Test.java:57:15:60:5 | { ... } |
 | Test.java:54:18:54:18 | j | Test.java:60:12:62:5 | { ... } |
 | Test.java:54:18:54:18 | j | Test.java:63:9:66:4 | { ... } |
-| Test.java:54:18:54:18 | j | Test.java:70:3:70:9 | ...; |
+| Test.java:54:18:54:18 | j | Test.java:70:3:70:9 | <Expr>; |
 | Test.java:54:31:68:3 | { ... } | Test.java:54:26:54:26 | j |
 | Test.java:54:31:68:3 | { ... } | Test.java:57:5:57:13 | if (...) |
 | Test.java:54:31:68:3 | { ... } | Test.java:57:15:60:5 | { ... } |
diff --git a/java/ql/test/library-tests/controlflow/basic/bbSuccessor.expected b/java/ql/test/library-tests/controlflow/basic/bbSuccessor.expected
index 85e440eb5b1..0cf2c96d022 100644
--- a/java/ql/test/library-tests/controlflow/basic/bbSuccessor.expected
+++ b/java/ql/test/library-tests/controlflow/basic/bbSuccessor.expected
@@ -1,30 +1,30 @@
 | Test.java:4:21:76:2 | { ... } | Test.java:11:14:14:3 | { ... } |
 | Test.java:4:21:76:2 | { ... } | Test.java:14:10:16:3 | { ... } |
-| Test.java:11:14:14:3 | { ... } | Test.java:18:3:18:8 | ...; |
-| Test.java:14:10:16:3 | { ... } | Test.java:18:3:18:8 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:22:4:22:10 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:24:4:24:10 | return ... |
-| Test.java:22:4:22:10 | ...; | Test.java:30:15:33:3 | { ... } |
-| Test.java:22:4:22:10 | ...; | Test.java:35:3:35:9 | ...; |
+| Test.java:11:14:14:3 | { ... } | Test.java:18:3:18:8 | <Expr>; |
+| Test.java:14:10:16:3 | { ... } | Test.java:18:3:18:8 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:22:4:22:10 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:24:4:24:10 | return ... |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:30:15:33:3 | { ... } |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:35:3:35:9 | <Expr>; |
 | Test.java:24:4:24:10 | return ... | Test.java:4:14:4:17 | test |
-| Test.java:30:15:33:3 | { ... } | Test.java:35:3:35:9 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:38:9:38:9 | x |
+| Test.java:30:15:33:3 | { ... } | Test.java:35:3:35:9 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:38:9:38:9 | x |
 | Test.java:38:9:38:9 | x | Test.java:38:16:41:3 | { ... } |
-| Test.java:38:9:38:9 | x | Test.java:43:3:43:9 | ...; |
+| Test.java:38:9:38:9 | x | Test.java:43:3:43:9 | <Expr>; |
 | Test.java:38:16:41:3 | { ... } | Test.java:38:9:38:9 | x |
-| Test.java:43:3:43:9 | ...; | Test.java:46:18:46:18 | j |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:46:18:46:18 | j |
 | Test.java:46:18:46:18 | j | Test.java:46:31:49:3 | { ... } |
-| Test.java:46:18:46:18 | j | Test.java:51:3:51:9 | ...; |
+| Test.java:46:18:46:18 | j | Test.java:51:3:51:9 | <Expr>; |
 | Test.java:46:31:49:3 | { ... } | Test.java:46:18:46:18 | j |
-| Test.java:51:3:51:9 | ...; | Test.java:54:18:54:18 | j |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:54:18:54:18 | j |
 | Test.java:54:18:54:18 | j | Test.java:54:31:68:3 | { ... } |
-| Test.java:54:18:54:18 | j | Test.java:70:3:70:9 | ...; |
+| Test.java:54:18:54:18 | j | Test.java:70:3:70:9 | <Expr>; |
 | Test.java:54:26:54:26 | j | Test.java:54:18:54:18 | j |
 | Test.java:54:31:68:3 | { ... } | Test.java:57:5:57:13 | if (...) |
 | Test.java:54:31:68:3 | { ... } | Test.java:63:9:66:4 | { ... } |
 | Test.java:57:5:57:13 | if (...) | Test.java:57:15:60:5 | { ... } |
 | Test.java:57:5:57:13 | if (...) | Test.java:60:12:62:5 | { ... } |
-| Test.java:57:15:60:5 | { ... } | Test.java:70:3:70:9 | ...; |
+| Test.java:57:15:60:5 | { ... } | Test.java:70:3:70:9 | <Expr>; |
 | Test.java:60:12:62:5 | { ... } | Test.java:54:26:54:26 | j |
 | Test.java:63:9:66:4 | { ... } | Test.java:54:26:54:26 | j |
-| Test.java:70:3:70:9 | ...; | Test.java:4:14:4:17 | test |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:4:14:4:17 | test |
diff --git a/java/ql/test/library-tests/controlflow/basic/strictDominance.expected b/java/ql/test/library-tests/controlflow/basic/strictDominance.expected
index 6db49af5ad8..4b34d8d90c3 100644
--- a/java/ql/test/library-tests/controlflow/basic/strictDominance.expected
+++ b/java/ql/test/library-tests/controlflow/basic/strictDominance.expected
@@ -1,628 +1,628 @@
 | Test.java:3:14:3:17 | { ... } | Test.java:3:14:3:17 | super(...) |
-| Test.java:4:21:76:2 | { ... } | Test.java:5:3:5:12 | local variable declaration |
-| Test.java:4:21:76:2 | { ... } | Test.java:6:3:6:14 | local variable declaration |
-| Test.java:4:21:76:2 | { ... } | Test.java:7:3:7:12 | local variable declaration |
-| Test.java:4:21:76:2 | { ... } | Test.java:8:3:8:12 | local variable declaration |
+| Test.java:4:21:76:2 | { ... } | Test.java:5:3:5:12 | var ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:6:3:6:14 | var ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:7:3:7:12 | var ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:8:3:8:12 | var ...; |
 | Test.java:4:21:76:2 | { ... } | Test.java:11:3:11:12 | if (...) |
 | Test.java:4:21:76:2 | { ... } | Test.java:11:14:14:3 | { ... } |
-| Test.java:4:21:76:2 | { ... } | Test.java:12:4:12:10 | ...; |
-| Test.java:4:21:76:2 | { ... } | Test.java:13:4:13:10 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:12:4:12:10 | <Expr>; |
+| Test.java:4:21:76:2 | { ... } | Test.java:13:4:13:10 | <Expr>; |
 | Test.java:4:21:76:2 | { ... } | Test.java:14:10:16:3 | { ... } |
-| Test.java:4:21:76:2 | { ... } | Test.java:15:4:15:10 | ...; |
-| Test.java:4:21:76:2 | { ... } | Test.java:18:3:18:8 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:15:4:15:10 | <Expr>; |
+| Test.java:4:21:76:2 | { ... } | Test.java:18:3:18:8 | <Expr>; |
 | Test.java:4:21:76:2 | { ... } | Test.java:21:3:21:11 | if (...) |
-| Test.java:4:21:76:2 | { ... } | Test.java:22:4:22:10 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:22:4:22:10 | <Expr>; |
 | Test.java:4:21:76:2 | { ... } | Test.java:24:4:24:10 | return ... |
-| Test.java:4:21:76:2 | { ... } | Test.java:27:3:27:9 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:27:3:27:9 | <Expr>; |
 | Test.java:4:21:76:2 | { ... } | Test.java:30:3:30:13 | if (...) |
 | Test.java:4:21:76:2 | { ... } | Test.java:30:15:33:3 | { ... } |
-| Test.java:4:21:76:2 | { ... } | Test.java:31:4:31:10 | ...; |
-| Test.java:4:21:76:2 | { ... } | Test.java:32:4:32:10 | ...; |
-| Test.java:4:21:76:2 | { ... } | Test.java:35:3:35:9 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:4:21:76:2 | { ... } | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:4:21:76:2 | { ... } | Test.java:35:3:35:9 | <Expr>; |
 | Test.java:4:21:76:2 | { ... } | Test.java:38:3:38:14 | while (...) |
 | Test.java:4:21:76:2 | { ... } | Test.java:38:16:41:3 | { ... } |
-| Test.java:4:21:76:2 | { ... } | Test.java:39:4:39:10 | ...; |
-| Test.java:4:21:76:2 | { ... } | Test.java:40:4:40:7 | ...; |
-| Test.java:4:21:76:2 | { ... } | Test.java:43:3:43:9 | ...; |
-| Test.java:4:21:76:2 | { ... } | Test.java:46:3:46:29 | for (...) |
+| Test.java:4:21:76:2 | { ... } | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:4:21:76:2 | { ... } | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:4:21:76:2 | { ... } | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:4:21:76:2 | { ... } | Test.java:46:3:46:29 | for (...;...;...) |
 | Test.java:4:21:76:2 | { ... } | Test.java:46:31:49:3 | { ... } |
-| Test.java:4:21:76:2 | { ... } | Test.java:47:4:47:9 | ...; |
-| Test.java:4:21:76:2 | { ... } | Test.java:48:4:48:10 | ...; |
-| Test.java:4:21:76:2 | { ... } | Test.java:51:3:51:9 | ...; |
-| Test.java:4:21:76:2 | { ... } | Test.java:54:3:54:29 | for (...) |
+| Test.java:4:21:76:2 | { ... } | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:4:21:76:2 | { ... } | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:4:21:76:2 | { ... } | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:4:21:76:2 | { ... } | Test.java:54:3:54:29 | for (...;...;...) |
 | Test.java:4:21:76:2 | { ... } | Test.java:54:31:68:3 | { ... } |
-| Test.java:4:21:76:2 | { ... } | Test.java:55:4:55:10 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:55:4:55:10 | <Expr>; |
 | Test.java:4:21:76:2 | { ... } | Test.java:56:4:56:12 | if (...) |
 | Test.java:4:21:76:2 | { ... } | Test.java:57:5:57:13 | if (...) |
 | Test.java:4:21:76:2 | { ... } | Test.java:57:15:60:5 | { ... } |
-| Test.java:4:21:76:2 | { ... } | Test.java:58:6:58:11 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:58:6:58:11 | <Expr>; |
 | Test.java:4:21:76:2 | { ... } | Test.java:59:6:59:11 | break |
 | Test.java:4:21:76:2 | { ... } | Test.java:60:12:62:5 | { ... } |
-| Test.java:4:21:76:2 | { ... } | Test.java:61:6:61:12 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:61:6:61:12 | <Expr>; |
 | Test.java:4:21:76:2 | { ... } | Test.java:63:9:66:4 | { ... } |
-| Test.java:4:21:76:2 | { ... } | Test.java:64:5:64:11 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:64:5:64:11 | <Expr>; |
 | Test.java:4:21:76:2 | { ... } | Test.java:65:5:65:13 | continue |
-| Test.java:4:21:76:2 | { ... } | Test.java:67:4:67:9 | ...; |
-| Test.java:4:21:76:2 | { ... } | Test.java:70:3:70:9 | ...; |
-| Test.java:4:21:76:2 | { ... } | Test.java:74:3:74:9 | ...; |
+| Test.java:4:21:76:2 | { ... } | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:4:21:76:2 | { ... } | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:4:21:76:2 | { ... } | Test.java:74:3:74:9 | <Expr>; |
 | Test.java:4:21:76:2 | { ... } | Test.java:75:3:75:9 | return ... |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:6:3:6:14 | local variable declaration |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:7:3:7:12 | local variable declaration |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:8:3:8:12 | local variable declaration |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:11:3:11:12 | if (...) |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:11:14:14:3 | { ... } |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:12:4:12:10 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:13:4:13:10 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:14:10:16:3 | { ... } |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:15:4:15:10 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:18:3:18:8 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:21:3:21:11 | if (...) |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:22:4:22:10 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:24:4:24:10 | return ... |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:27:3:27:9 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:30:3:30:13 | if (...) |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:30:15:33:3 | { ... } |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:31:4:31:10 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:32:4:32:10 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:35:3:35:9 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:38:3:38:14 | while (...) |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:38:16:41:3 | { ... } |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:39:4:39:10 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:40:4:40:7 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:43:3:43:9 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:46:3:46:29 | for (...) |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:46:31:49:3 | { ... } |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:47:4:47:9 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:48:4:48:10 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:51:3:51:9 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:54:3:54:29 | for (...) |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:54:31:68:3 | { ... } |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:55:4:55:10 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:56:4:56:12 | if (...) |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:57:5:57:13 | if (...) |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:57:15:60:5 | { ... } |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:58:6:58:11 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:59:6:59:11 | break |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:60:12:62:5 | { ... } |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:61:6:61:12 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:63:9:66:4 | { ... } |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:64:5:64:11 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:65:5:65:13 | continue |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:67:4:67:9 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:70:3:70:9 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:74:3:74:9 | ...; |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:75:3:75:9 | return ... |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:7:3:7:12 | local variable declaration |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:8:3:8:12 | local variable declaration |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:11:3:11:12 | if (...) |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:11:14:14:3 | { ... } |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:12:4:12:10 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:13:4:13:10 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:14:10:16:3 | { ... } |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:15:4:15:10 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:18:3:18:8 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:21:3:21:11 | if (...) |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:22:4:22:10 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:24:4:24:10 | return ... |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:27:3:27:9 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:30:3:30:13 | if (...) |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:30:15:33:3 | { ... } |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:31:4:31:10 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:32:4:32:10 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:35:3:35:9 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:38:3:38:14 | while (...) |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:38:16:41:3 | { ... } |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:39:4:39:10 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:40:4:40:7 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:43:3:43:9 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:46:3:46:29 | for (...) |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:46:31:49:3 | { ... } |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:47:4:47:9 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:48:4:48:10 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:51:3:51:9 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:54:3:54:29 | for (...) |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:54:31:68:3 | { ... } |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:55:4:55:10 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:56:4:56:12 | if (...) |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:57:5:57:13 | if (...) |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:57:15:60:5 | { ... } |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:58:6:58:11 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:59:6:59:11 | break |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:60:12:62:5 | { ... } |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:61:6:61:12 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:63:9:66:4 | { ... } |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:64:5:64:11 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:65:5:65:13 | continue |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:67:4:67:9 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:70:3:70:9 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:74:3:74:9 | ...; |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:75:3:75:9 | return ... |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:8:3:8:12 | local variable declaration |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:11:3:11:12 | if (...) |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:11:14:14:3 | { ... } |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:12:4:12:10 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:13:4:13:10 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:14:10:16:3 | { ... } |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:15:4:15:10 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:18:3:18:8 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:21:3:21:11 | if (...) |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:22:4:22:10 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:24:4:24:10 | return ... |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:27:3:27:9 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:30:3:30:13 | if (...) |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:30:15:33:3 | { ... } |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:31:4:31:10 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:32:4:32:10 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:35:3:35:9 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:38:3:38:14 | while (...) |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:38:16:41:3 | { ... } |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:39:4:39:10 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:40:4:40:7 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:43:3:43:9 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:46:3:46:29 | for (...) |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:46:31:49:3 | { ... } |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:47:4:47:9 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:48:4:48:10 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:51:3:51:9 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:54:3:54:29 | for (...) |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:54:31:68:3 | { ... } |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:55:4:55:10 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:56:4:56:12 | if (...) |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:57:5:57:13 | if (...) |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:57:15:60:5 | { ... } |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:58:6:58:11 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:59:6:59:11 | break |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:60:12:62:5 | { ... } |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:61:6:61:12 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:63:9:66:4 | { ... } |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:64:5:64:11 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:65:5:65:13 | continue |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:67:4:67:9 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:70:3:70:9 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:74:3:74:9 | ...; |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:75:3:75:9 | return ... |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:11:3:11:12 | if (...) |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:11:14:14:3 | { ... } |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:12:4:12:10 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:13:4:13:10 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:14:10:16:3 | { ... } |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:15:4:15:10 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:18:3:18:8 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:21:3:21:11 | if (...) |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:22:4:22:10 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:24:4:24:10 | return ... |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:27:3:27:9 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:30:3:30:13 | if (...) |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:30:15:33:3 | { ... } |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:31:4:31:10 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:32:4:32:10 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:35:3:35:9 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:38:3:38:14 | while (...) |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:38:16:41:3 | { ... } |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:39:4:39:10 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:40:4:40:7 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:43:3:43:9 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:46:3:46:29 | for (...) |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:46:31:49:3 | { ... } |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:47:4:47:9 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:48:4:48:10 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:51:3:51:9 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:54:3:54:29 | for (...) |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:54:31:68:3 | { ... } |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:55:4:55:10 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:56:4:56:12 | if (...) |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:57:5:57:13 | if (...) |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:57:15:60:5 | { ... } |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:58:6:58:11 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:59:6:59:11 | break |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:60:12:62:5 | { ... } |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:61:6:61:12 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:63:9:66:4 | { ... } |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:64:5:64:11 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:65:5:65:13 | continue |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:67:4:67:9 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:70:3:70:9 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:74:3:74:9 | ...; |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:75:3:75:9 | return ... |
+| Test.java:5:3:5:12 | var ...; | Test.java:6:3:6:14 | var ...; |
+| Test.java:5:3:5:12 | var ...; | Test.java:7:3:7:12 | var ...; |
+| Test.java:5:3:5:12 | var ...; | Test.java:8:3:8:12 | var ...; |
+| Test.java:5:3:5:12 | var ...; | Test.java:11:3:11:12 | if (...) |
+| Test.java:5:3:5:12 | var ...; | Test.java:11:14:14:3 | { ... } |
+| Test.java:5:3:5:12 | var ...; | Test.java:12:4:12:10 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:13:4:13:10 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:14:10:16:3 | { ... } |
+| Test.java:5:3:5:12 | var ...; | Test.java:15:4:15:10 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:18:3:18:8 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:21:3:21:11 | if (...) |
+| Test.java:5:3:5:12 | var ...; | Test.java:22:4:22:10 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:24:4:24:10 | return ... |
+| Test.java:5:3:5:12 | var ...; | Test.java:27:3:27:9 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:30:3:30:13 | if (...) |
+| Test.java:5:3:5:12 | var ...; | Test.java:30:15:33:3 | { ... } |
+| Test.java:5:3:5:12 | var ...; | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:35:3:35:9 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:38:3:38:14 | while (...) |
+| Test.java:5:3:5:12 | var ...; | Test.java:38:16:41:3 | { ... } |
+| Test.java:5:3:5:12 | var ...; | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:46:3:46:29 | for (...;...;...) |
+| Test.java:5:3:5:12 | var ...; | Test.java:46:31:49:3 | { ... } |
+| Test.java:5:3:5:12 | var ...; | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:54:3:54:29 | for (...;...;...) |
+| Test.java:5:3:5:12 | var ...; | Test.java:54:31:68:3 | { ... } |
+| Test.java:5:3:5:12 | var ...; | Test.java:55:4:55:10 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:56:4:56:12 | if (...) |
+| Test.java:5:3:5:12 | var ...; | Test.java:57:5:57:13 | if (...) |
+| Test.java:5:3:5:12 | var ...; | Test.java:57:15:60:5 | { ... } |
+| Test.java:5:3:5:12 | var ...; | Test.java:58:6:58:11 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:59:6:59:11 | break |
+| Test.java:5:3:5:12 | var ...; | Test.java:60:12:62:5 | { ... } |
+| Test.java:5:3:5:12 | var ...; | Test.java:61:6:61:12 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:63:9:66:4 | { ... } |
+| Test.java:5:3:5:12 | var ...; | Test.java:64:5:64:11 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:65:5:65:13 | continue |
+| Test.java:5:3:5:12 | var ...; | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:74:3:74:9 | <Expr>; |
+| Test.java:5:3:5:12 | var ...; | Test.java:75:3:75:9 | return ... |
+| Test.java:6:3:6:14 | var ...; | Test.java:7:3:7:12 | var ...; |
+| Test.java:6:3:6:14 | var ...; | Test.java:8:3:8:12 | var ...; |
+| Test.java:6:3:6:14 | var ...; | Test.java:11:3:11:12 | if (...) |
+| Test.java:6:3:6:14 | var ...; | Test.java:11:14:14:3 | { ... } |
+| Test.java:6:3:6:14 | var ...; | Test.java:12:4:12:10 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:13:4:13:10 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:14:10:16:3 | { ... } |
+| Test.java:6:3:6:14 | var ...; | Test.java:15:4:15:10 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:18:3:18:8 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:21:3:21:11 | if (...) |
+| Test.java:6:3:6:14 | var ...; | Test.java:22:4:22:10 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:24:4:24:10 | return ... |
+| Test.java:6:3:6:14 | var ...; | Test.java:27:3:27:9 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:30:3:30:13 | if (...) |
+| Test.java:6:3:6:14 | var ...; | Test.java:30:15:33:3 | { ... } |
+| Test.java:6:3:6:14 | var ...; | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:35:3:35:9 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:38:3:38:14 | while (...) |
+| Test.java:6:3:6:14 | var ...; | Test.java:38:16:41:3 | { ... } |
+| Test.java:6:3:6:14 | var ...; | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:46:3:46:29 | for (...;...;...) |
+| Test.java:6:3:6:14 | var ...; | Test.java:46:31:49:3 | { ... } |
+| Test.java:6:3:6:14 | var ...; | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:54:3:54:29 | for (...;...;...) |
+| Test.java:6:3:6:14 | var ...; | Test.java:54:31:68:3 | { ... } |
+| Test.java:6:3:6:14 | var ...; | Test.java:55:4:55:10 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:56:4:56:12 | if (...) |
+| Test.java:6:3:6:14 | var ...; | Test.java:57:5:57:13 | if (...) |
+| Test.java:6:3:6:14 | var ...; | Test.java:57:15:60:5 | { ... } |
+| Test.java:6:3:6:14 | var ...; | Test.java:58:6:58:11 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:59:6:59:11 | break |
+| Test.java:6:3:6:14 | var ...; | Test.java:60:12:62:5 | { ... } |
+| Test.java:6:3:6:14 | var ...; | Test.java:61:6:61:12 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:63:9:66:4 | { ... } |
+| Test.java:6:3:6:14 | var ...; | Test.java:64:5:64:11 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:65:5:65:13 | continue |
+| Test.java:6:3:6:14 | var ...; | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:74:3:74:9 | <Expr>; |
+| Test.java:6:3:6:14 | var ...; | Test.java:75:3:75:9 | return ... |
+| Test.java:7:3:7:12 | var ...; | Test.java:8:3:8:12 | var ...; |
+| Test.java:7:3:7:12 | var ...; | Test.java:11:3:11:12 | if (...) |
+| Test.java:7:3:7:12 | var ...; | Test.java:11:14:14:3 | { ... } |
+| Test.java:7:3:7:12 | var ...; | Test.java:12:4:12:10 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:13:4:13:10 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:14:10:16:3 | { ... } |
+| Test.java:7:3:7:12 | var ...; | Test.java:15:4:15:10 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:18:3:18:8 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:21:3:21:11 | if (...) |
+| Test.java:7:3:7:12 | var ...; | Test.java:22:4:22:10 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:24:4:24:10 | return ... |
+| Test.java:7:3:7:12 | var ...; | Test.java:27:3:27:9 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:30:3:30:13 | if (...) |
+| Test.java:7:3:7:12 | var ...; | Test.java:30:15:33:3 | { ... } |
+| Test.java:7:3:7:12 | var ...; | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:35:3:35:9 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:38:3:38:14 | while (...) |
+| Test.java:7:3:7:12 | var ...; | Test.java:38:16:41:3 | { ... } |
+| Test.java:7:3:7:12 | var ...; | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:46:3:46:29 | for (...;...;...) |
+| Test.java:7:3:7:12 | var ...; | Test.java:46:31:49:3 | { ... } |
+| Test.java:7:3:7:12 | var ...; | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:54:3:54:29 | for (...;...;...) |
+| Test.java:7:3:7:12 | var ...; | Test.java:54:31:68:3 | { ... } |
+| Test.java:7:3:7:12 | var ...; | Test.java:55:4:55:10 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:56:4:56:12 | if (...) |
+| Test.java:7:3:7:12 | var ...; | Test.java:57:5:57:13 | if (...) |
+| Test.java:7:3:7:12 | var ...; | Test.java:57:15:60:5 | { ... } |
+| Test.java:7:3:7:12 | var ...; | Test.java:58:6:58:11 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:59:6:59:11 | break |
+| Test.java:7:3:7:12 | var ...; | Test.java:60:12:62:5 | { ... } |
+| Test.java:7:3:7:12 | var ...; | Test.java:61:6:61:12 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:63:9:66:4 | { ... } |
+| Test.java:7:3:7:12 | var ...; | Test.java:64:5:64:11 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:65:5:65:13 | continue |
+| Test.java:7:3:7:12 | var ...; | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:74:3:74:9 | <Expr>; |
+| Test.java:7:3:7:12 | var ...; | Test.java:75:3:75:9 | return ... |
+| Test.java:8:3:8:12 | var ...; | Test.java:11:3:11:12 | if (...) |
+| Test.java:8:3:8:12 | var ...; | Test.java:11:14:14:3 | { ... } |
+| Test.java:8:3:8:12 | var ...; | Test.java:12:4:12:10 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:13:4:13:10 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:14:10:16:3 | { ... } |
+| Test.java:8:3:8:12 | var ...; | Test.java:15:4:15:10 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:18:3:18:8 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:21:3:21:11 | if (...) |
+| Test.java:8:3:8:12 | var ...; | Test.java:22:4:22:10 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:24:4:24:10 | return ... |
+| Test.java:8:3:8:12 | var ...; | Test.java:27:3:27:9 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:30:3:30:13 | if (...) |
+| Test.java:8:3:8:12 | var ...; | Test.java:30:15:33:3 | { ... } |
+| Test.java:8:3:8:12 | var ...; | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:35:3:35:9 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:38:3:38:14 | while (...) |
+| Test.java:8:3:8:12 | var ...; | Test.java:38:16:41:3 | { ... } |
+| Test.java:8:3:8:12 | var ...; | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:46:3:46:29 | for (...;...;...) |
+| Test.java:8:3:8:12 | var ...; | Test.java:46:31:49:3 | { ... } |
+| Test.java:8:3:8:12 | var ...; | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:54:3:54:29 | for (...;...;...) |
+| Test.java:8:3:8:12 | var ...; | Test.java:54:31:68:3 | { ... } |
+| Test.java:8:3:8:12 | var ...; | Test.java:55:4:55:10 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:56:4:56:12 | if (...) |
+| Test.java:8:3:8:12 | var ...; | Test.java:57:5:57:13 | if (...) |
+| Test.java:8:3:8:12 | var ...; | Test.java:57:15:60:5 | { ... } |
+| Test.java:8:3:8:12 | var ...; | Test.java:58:6:58:11 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:59:6:59:11 | break |
+| Test.java:8:3:8:12 | var ...; | Test.java:60:12:62:5 | { ... } |
+| Test.java:8:3:8:12 | var ...; | Test.java:61:6:61:12 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:63:9:66:4 | { ... } |
+| Test.java:8:3:8:12 | var ...; | Test.java:64:5:64:11 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:65:5:65:13 | continue |
+| Test.java:8:3:8:12 | var ...; | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:74:3:74:9 | <Expr>; |
+| Test.java:8:3:8:12 | var ...; | Test.java:75:3:75:9 | return ... |
 | Test.java:11:3:11:12 | if (...) | Test.java:11:14:14:3 | { ... } |
-| Test.java:11:3:11:12 | if (...) | Test.java:12:4:12:10 | ...; |
-| Test.java:11:3:11:12 | if (...) | Test.java:13:4:13:10 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:12:4:12:10 | <Expr>; |
+| Test.java:11:3:11:12 | if (...) | Test.java:13:4:13:10 | <Expr>; |
 | Test.java:11:3:11:12 | if (...) | Test.java:14:10:16:3 | { ... } |
-| Test.java:11:3:11:12 | if (...) | Test.java:15:4:15:10 | ...; |
-| Test.java:11:3:11:12 | if (...) | Test.java:18:3:18:8 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:15:4:15:10 | <Expr>; |
+| Test.java:11:3:11:12 | if (...) | Test.java:18:3:18:8 | <Expr>; |
 | Test.java:11:3:11:12 | if (...) | Test.java:21:3:21:11 | if (...) |
-| Test.java:11:3:11:12 | if (...) | Test.java:22:4:22:10 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:22:4:22:10 | <Expr>; |
 | Test.java:11:3:11:12 | if (...) | Test.java:24:4:24:10 | return ... |
-| Test.java:11:3:11:12 | if (...) | Test.java:27:3:27:9 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:27:3:27:9 | <Expr>; |
 | Test.java:11:3:11:12 | if (...) | Test.java:30:3:30:13 | if (...) |
 | Test.java:11:3:11:12 | if (...) | Test.java:30:15:33:3 | { ... } |
-| Test.java:11:3:11:12 | if (...) | Test.java:31:4:31:10 | ...; |
-| Test.java:11:3:11:12 | if (...) | Test.java:32:4:32:10 | ...; |
-| Test.java:11:3:11:12 | if (...) | Test.java:35:3:35:9 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:11:3:11:12 | if (...) | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:11:3:11:12 | if (...) | Test.java:35:3:35:9 | <Expr>; |
 | Test.java:11:3:11:12 | if (...) | Test.java:38:3:38:14 | while (...) |
 | Test.java:11:3:11:12 | if (...) | Test.java:38:16:41:3 | { ... } |
-| Test.java:11:3:11:12 | if (...) | Test.java:39:4:39:10 | ...; |
-| Test.java:11:3:11:12 | if (...) | Test.java:40:4:40:7 | ...; |
-| Test.java:11:3:11:12 | if (...) | Test.java:43:3:43:9 | ...; |
-| Test.java:11:3:11:12 | if (...) | Test.java:46:3:46:29 | for (...) |
+| Test.java:11:3:11:12 | if (...) | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:11:3:11:12 | if (...) | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:11:3:11:12 | if (...) | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:11:3:11:12 | if (...) | Test.java:46:3:46:29 | for (...;...;...) |
 | Test.java:11:3:11:12 | if (...) | Test.java:46:31:49:3 | { ... } |
-| Test.java:11:3:11:12 | if (...) | Test.java:47:4:47:9 | ...; |
-| Test.java:11:3:11:12 | if (...) | Test.java:48:4:48:10 | ...; |
-| Test.java:11:3:11:12 | if (...) | Test.java:51:3:51:9 | ...; |
-| Test.java:11:3:11:12 | if (...) | Test.java:54:3:54:29 | for (...) |
+| Test.java:11:3:11:12 | if (...) | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:11:3:11:12 | if (...) | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:11:3:11:12 | if (...) | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:11:3:11:12 | if (...) | Test.java:54:3:54:29 | for (...;...;...) |
 | Test.java:11:3:11:12 | if (...) | Test.java:54:31:68:3 | { ... } |
-| Test.java:11:3:11:12 | if (...) | Test.java:55:4:55:10 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:55:4:55:10 | <Expr>; |
 | Test.java:11:3:11:12 | if (...) | Test.java:56:4:56:12 | if (...) |
 | Test.java:11:3:11:12 | if (...) | Test.java:57:5:57:13 | if (...) |
 | Test.java:11:3:11:12 | if (...) | Test.java:57:15:60:5 | { ... } |
-| Test.java:11:3:11:12 | if (...) | Test.java:58:6:58:11 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:58:6:58:11 | <Expr>; |
 | Test.java:11:3:11:12 | if (...) | Test.java:59:6:59:11 | break |
 | Test.java:11:3:11:12 | if (...) | Test.java:60:12:62:5 | { ... } |
-| Test.java:11:3:11:12 | if (...) | Test.java:61:6:61:12 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:61:6:61:12 | <Expr>; |
 | Test.java:11:3:11:12 | if (...) | Test.java:63:9:66:4 | { ... } |
-| Test.java:11:3:11:12 | if (...) | Test.java:64:5:64:11 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:64:5:64:11 | <Expr>; |
 | Test.java:11:3:11:12 | if (...) | Test.java:65:5:65:13 | continue |
-| Test.java:11:3:11:12 | if (...) | Test.java:67:4:67:9 | ...; |
-| Test.java:11:3:11:12 | if (...) | Test.java:70:3:70:9 | ...; |
-| Test.java:11:3:11:12 | if (...) | Test.java:74:3:74:9 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:11:3:11:12 | if (...) | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:11:3:11:12 | if (...) | Test.java:74:3:74:9 | <Expr>; |
 | Test.java:11:3:11:12 | if (...) | Test.java:75:3:75:9 | return ... |
-| Test.java:11:14:14:3 | { ... } | Test.java:12:4:12:10 | ...; |
-| Test.java:11:14:14:3 | { ... } | Test.java:13:4:13:10 | ...; |
-| Test.java:12:4:12:10 | ...; | Test.java:13:4:13:10 | ...; |
-| Test.java:14:10:16:3 | { ... } | Test.java:15:4:15:10 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:21:3:21:11 | if (...) |
-| Test.java:18:3:18:8 | ...; | Test.java:22:4:22:10 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:24:4:24:10 | return ... |
-| Test.java:18:3:18:8 | ...; | Test.java:27:3:27:9 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:30:3:30:13 | if (...) |
-| Test.java:18:3:18:8 | ...; | Test.java:30:15:33:3 | { ... } |
-| Test.java:18:3:18:8 | ...; | Test.java:31:4:31:10 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:32:4:32:10 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:35:3:35:9 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:38:3:38:14 | while (...) |
-| Test.java:18:3:18:8 | ...; | Test.java:38:16:41:3 | { ... } |
-| Test.java:18:3:18:8 | ...; | Test.java:39:4:39:10 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:40:4:40:7 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:43:3:43:9 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:46:3:46:29 | for (...) |
-| Test.java:18:3:18:8 | ...; | Test.java:46:31:49:3 | { ... } |
-| Test.java:18:3:18:8 | ...; | Test.java:47:4:47:9 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:48:4:48:10 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:51:3:51:9 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:54:3:54:29 | for (...) |
-| Test.java:18:3:18:8 | ...; | Test.java:54:31:68:3 | { ... } |
-| Test.java:18:3:18:8 | ...; | Test.java:55:4:55:10 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:56:4:56:12 | if (...) |
-| Test.java:18:3:18:8 | ...; | Test.java:57:5:57:13 | if (...) |
-| Test.java:18:3:18:8 | ...; | Test.java:57:15:60:5 | { ... } |
-| Test.java:18:3:18:8 | ...; | Test.java:58:6:58:11 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:59:6:59:11 | break |
-| Test.java:18:3:18:8 | ...; | Test.java:60:12:62:5 | { ... } |
-| Test.java:18:3:18:8 | ...; | Test.java:61:6:61:12 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:63:9:66:4 | { ... } |
-| Test.java:18:3:18:8 | ...; | Test.java:64:5:64:11 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:65:5:65:13 | continue |
-| Test.java:18:3:18:8 | ...; | Test.java:67:4:67:9 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:70:3:70:9 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:74:3:74:9 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:75:3:75:9 | return ... |
-| Test.java:21:3:21:11 | if (...) | Test.java:22:4:22:10 | ...; |
+| Test.java:11:14:14:3 | { ... } | Test.java:12:4:12:10 | <Expr>; |
+| Test.java:11:14:14:3 | { ... } | Test.java:13:4:13:10 | <Expr>; |
+| Test.java:12:4:12:10 | <Expr>; | Test.java:13:4:13:10 | <Expr>; |
+| Test.java:14:10:16:3 | { ... } | Test.java:15:4:15:10 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:21:3:21:11 | if (...) |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:22:4:22:10 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:24:4:24:10 | return ... |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:27:3:27:9 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:30:3:30:13 | if (...) |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:30:15:33:3 | { ... } |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:35:3:35:9 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:38:3:38:14 | while (...) |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:38:16:41:3 | { ... } |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:46:3:46:29 | for (...;...;...) |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:46:31:49:3 | { ... } |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:54:3:54:29 | for (...;...;...) |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:54:31:68:3 | { ... } |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:55:4:55:10 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:56:4:56:12 | if (...) |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:57:5:57:13 | if (...) |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:57:15:60:5 | { ... } |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:58:6:58:11 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:59:6:59:11 | break |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:60:12:62:5 | { ... } |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:61:6:61:12 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:63:9:66:4 | { ... } |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:64:5:64:11 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:65:5:65:13 | continue |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:74:3:74:9 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:75:3:75:9 | return ... |
+| Test.java:21:3:21:11 | if (...) | Test.java:22:4:22:10 | <Expr>; |
 | Test.java:21:3:21:11 | if (...) | Test.java:24:4:24:10 | return ... |
-| Test.java:21:3:21:11 | if (...) | Test.java:27:3:27:9 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:27:3:27:9 | <Expr>; |
 | Test.java:21:3:21:11 | if (...) | Test.java:30:3:30:13 | if (...) |
 | Test.java:21:3:21:11 | if (...) | Test.java:30:15:33:3 | { ... } |
-| Test.java:21:3:21:11 | if (...) | Test.java:31:4:31:10 | ...; |
-| Test.java:21:3:21:11 | if (...) | Test.java:32:4:32:10 | ...; |
-| Test.java:21:3:21:11 | if (...) | Test.java:35:3:35:9 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:21:3:21:11 | if (...) | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:21:3:21:11 | if (...) | Test.java:35:3:35:9 | <Expr>; |
 | Test.java:21:3:21:11 | if (...) | Test.java:38:3:38:14 | while (...) |
 | Test.java:21:3:21:11 | if (...) | Test.java:38:16:41:3 | { ... } |
-| Test.java:21:3:21:11 | if (...) | Test.java:39:4:39:10 | ...; |
-| Test.java:21:3:21:11 | if (...) | Test.java:40:4:40:7 | ...; |
-| Test.java:21:3:21:11 | if (...) | Test.java:43:3:43:9 | ...; |
-| Test.java:21:3:21:11 | if (...) | Test.java:46:3:46:29 | for (...) |
+| Test.java:21:3:21:11 | if (...) | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:21:3:21:11 | if (...) | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:21:3:21:11 | if (...) | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:21:3:21:11 | if (...) | Test.java:46:3:46:29 | for (...;...;...) |
 | Test.java:21:3:21:11 | if (...) | Test.java:46:31:49:3 | { ... } |
-| Test.java:21:3:21:11 | if (...) | Test.java:47:4:47:9 | ...; |
-| Test.java:21:3:21:11 | if (...) | Test.java:48:4:48:10 | ...; |
-| Test.java:21:3:21:11 | if (...) | Test.java:51:3:51:9 | ...; |
-| Test.java:21:3:21:11 | if (...) | Test.java:54:3:54:29 | for (...) |
+| Test.java:21:3:21:11 | if (...) | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:21:3:21:11 | if (...) | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:21:3:21:11 | if (...) | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:21:3:21:11 | if (...) | Test.java:54:3:54:29 | for (...;...;...) |
 | Test.java:21:3:21:11 | if (...) | Test.java:54:31:68:3 | { ... } |
-| Test.java:21:3:21:11 | if (...) | Test.java:55:4:55:10 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:55:4:55:10 | <Expr>; |
 | Test.java:21:3:21:11 | if (...) | Test.java:56:4:56:12 | if (...) |
 | Test.java:21:3:21:11 | if (...) | Test.java:57:5:57:13 | if (...) |
 | Test.java:21:3:21:11 | if (...) | Test.java:57:15:60:5 | { ... } |
-| Test.java:21:3:21:11 | if (...) | Test.java:58:6:58:11 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:58:6:58:11 | <Expr>; |
 | Test.java:21:3:21:11 | if (...) | Test.java:59:6:59:11 | break |
 | Test.java:21:3:21:11 | if (...) | Test.java:60:12:62:5 | { ... } |
-| Test.java:21:3:21:11 | if (...) | Test.java:61:6:61:12 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:61:6:61:12 | <Expr>; |
 | Test.java:21:3:21:11 | if (...) | Test.java:63:9:66:4 | { ... } |
-| Test.java:21:3:21:11 | if (...) | Test.java:64:5:64:11 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:64:5:64:11 | <Expr>; |
 | Test.java:21:3:21:11 | if (...) | Test.java:65:5:65:13 | continue |
-| Test.java:21:3:21:11 | if (...) | Test.java:67:4:67:9 | ...; |
-| Test.java:21:3:21:11 | if (...) | Test.java:70:3:70:9 | ...; |
-| Test.java:21:3:21:11 | if (...) | Test.java:74:3:74:9 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:21:3:21:11 | if (...) | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:21:3:21:11 | if (...) | Test.java:74:3:74:9 | <Expr>; |
 | Test.java:21:3:21:11 | if (...) | Test.java:75:3:75:9 | return ... |
-| Test.java:22:4:22:10 | ...; | Test.java:27:3:27:9 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:30:3:30:13 | if (...) |
-| Test.java:22:4:22:10 | ...; | Test.java:30:15:33:3 | { ... } |
-| Test.java:22:4:22:10 | ...; | Test.java:31:4:31:10 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:32:4:32:10 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:35:3:35:9 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:38:3:38:14 | while (...) |
-| Test.java:22:4:22:10 | ...; | Test.java:38:16:41:3 | { ... } |
-| Test.java:22:4:22:10 | ...; | Test.java:39:4:39:10 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:40:4:40:7 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:43:3:43:9 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:46:3:46:29 | for (...) |
-| Test.java:22:4:22:10 | ...; | Test.java:46:31:49:3 | { ... } |
-| Test.java:22:4:22:10 | ...; | Test.java:47:4:47:9 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:48:4:48:10 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:51:3:51:9 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:54:3:54:29 | for (...) |
-| Test.java:22:4:22:10 | ...; | Test.java:54:31:68:3 | { ... } |
-| Test.java:22:4:22:10 | ...; | Test.java:55:4:55:10 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:56:4:56:12 | if (...) |
-| Test.java:22:4:22:10 | ...; | Test.java:57:5:57:13 | if (...) |
-| Test.java:22:4:22:10 | ...; | Test.java:57:15:60:5 | { ... } |
-| Test.java:22:4:22:10 | ...; | Test.java:58:6:58:11 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:59:6:59:11 | break |
-| Test.java:22:4:22:10 | ...; | Test.java:60:12:62:5 | { ... } |
-| Test.java:22:4:22:10 | ...; | Test.java:61:6:61:12 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:63:9:66:4 | { ... } |
-| Test.java:22:4:22:10 | ...; | Test.java:64:5:64:11 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:65:5:65:13 | continue |
-| Test.java:22:4:22:10 | ...; | Test.java:67:4:67:9 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:70:3:70:9 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:74:3:74:9 | ...; |
-| Test.java:22:4:22:10 | ...; | Test.java:75:3:75:9 | return ... |
-| Test.java:27:3:27:9 | ...; | Test.java:30:3:30:13 | if (...) |
-| Test.java:27:3:27:9 | ...; | Test.java:30:15:33:3 | { ... } |
-| Test.java:27:3:27:9 | ...; | Test.java:31:4:31:10 | ...; |
-| Test.java:27:3:27:9 | ...; | Test.java:32:4:32:10 | ...; |
-| Test.java:27:3:27:9 | ...; | Test.java:35:3:35:9 | ...; |
-| Test.java:27:3:27:9 | ...; | Test.java:38:3:38:14 | while (...) |
-| Test.java:27:3:27:9 | ...; | Test.java:38:16:41:3 | { ... } |
-| Test.java:27:3:27:9 | ...; | Test.java:39:4:39:10 | ...; |
-| Test.java:27:3:27:9 | ...; | Test.java:40:4:40:7 | ...; |
-| Test.java:27:3:27:9 | ...; | Test.java:43:3:43:9 | ...; |
-| Test.java:27:3:27:9 | ...; | Test.java:46:3:46:29 | for (...) |
-| Test.java:27:3:27:9 | ...; | Test.java:46:31:49:3 | { ... } |
-| Test.java:27:3:27:9 | ...; | Test.java:47:4:47:9 | ...; |
-| Test.java:27:3:27:9 | ...; | Test.java:48:4:48:10 | ...; |
-| Test.java:27:3:27:9 | ...; | Test.java:51:3:51:9 | ...; |
-| Test.java:27:3:27:9 | ...; | Test.java:54:3:54:29 | for (...) |
-| Test.java:27:3:27:9 | ...; | Test.java:54:31:68:3 | { ... } |
-| Test.java:27:3:27:9 | ...; | Test.java:55:4:55:10 | ...; |
-| Test.java:27:3:27:9 | ...; | Test.java:56:4:56:12 | if (...) |
-| Test.java:27:3:27:9 | ...; | Test.java:57:5:57:13 | if (...) |
-| Test.java:27:3:27:9 | ...; | Test.java:57:15:60:5 | { ... } |
-| Test.java:27:3:27:9 | ...; | Test.java:58:6:58:11 | ...; |
-| Test.java:27:3:27:9 | ...; | Test.java:59:6:59:11 | break |
-| Test.java:27:3:27:9 | ...; | Test.java:60:12:62:5 | { ... } |
-| Test.java:27:3:27:9 | ...; | Test.java:61:6:61:12 | ...; |
-| Test.java:27:3:27:9 | ...; | Test.java:63:9:66:4 | { ... } |
-| Test.java:27:3:27:9 | ...; | Test.java:64:5:64:11 | ...; |
-| Test.java:27:3:27:9 | ...; | Test.java:65:5:65:13 | continue |
-| Test.java:27:3:27:9 | ...; | Test.java:67:4:67:9 | ...; |
-| Test.java:27:3:27:9 | ...; | Test.java:70:3:70:9 | ...; |
-| Test.java:27:3:27:9 | ...; | Test.java:74:3:74:9 | ...; |
-| Test.java:27:3:27:9 | ...; | Test.java:75:3:75:9 | return ... |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:27:3:27:9 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:30:3:30:13 | if (...) |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:30:15:33:3 | { ... } |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:35:3:35:9 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:38:3:38:14 | while (...) |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:38:16:41:3 | { ... } |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:46:3:46:29 | for (...;...;...) |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:46:31:49:3 | { ... } |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:54:3:54:29 | for (...;...;...) |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:54:31:68:3 | { ... } |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:55:4:55:10 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:56:4:56:12 | if (...) |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:57:5:57:13 | if (...) |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:57:15:60:5 | { ... } |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:58:6:58:11 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:59:6:59:11 | break |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:60:12:62:5 | { ... } |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:61:6:61:12 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:63:9:66:4 | { ... } |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:64:5:64:11 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:65:5:65:13 | continue |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:74:3:74:9 | <Expr>; |
+| Test.java:22:4:22:10 | <Expr>; | Test.java:75:3:75:9 | return ... |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:30:3:30:13 | if (...) |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:30:15:33:3 | { ... } |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:35:3:35:9 | <Expr>; |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:38:3:38:14 | while (...) |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:38:16:41:3 | { ... } |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:46:3:46:29 | for (...;...;...) |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:46:31:49:3 | { ... } |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:54:3:54:29 | for (...;...;...) |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:54:31:68:3 | { ... } |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:55:4:55:10 | <Expr>; |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:56:4:56:12 | if (...) |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:57:5:57:13 | if (...) |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:57:15:60:5 | { ... } |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:58:6:58:11 | <Expr>; |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:59:6:59:11 | break |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:60:12:62:5 | { ... } |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:61:6:61:12 | <Expr>; |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:63:9:66:4 | { ... } |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:64:5:64:11 | <Expr>; |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:65:5:65:13 | continue |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:74:3:74:9 | <Expr>; |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:75:3:75:9 | return ... |
 | Test.java:30:3:30:13 | if (...) | Test.java:30:15:33:3 | { ... } |
-| Test.java:30:3:30:13 | if (...) | Test.java:31:4:31:10 | ...; |
-| Test.java:30:3:30:13 | if (...) | Test.java:32:4:32:10 | ...; |
-| Test.java:30:3:30:13 | if (...) | Test.java:35:3:35:9 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:30:3:30:13 | if (...) | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:30:3:30:13 | if (...) | Test.java:35:3:35:9 | <Expr>; |
 | Test.java:30:3:30:13 | if (...) | Test.java:38:3:38:14 | while (...) |
 | Test.java:30:3:30:13 | if (...) | Test.java:38:16:41:3 | { ... } |
-| Test.java:30:3:30:13 | if (...) | Test.java:39:4:39:10 | ...; |
-| Test.java:30:3:30:13 | if (...) | Test.java:40:4:40:7 | ...; |
-| Test.java:30:3:30:13 | if (...) | Test.java:43:3:43:9 | ...; |
-| Test.java:30:3:30:13 | if (...) | Test.java:46:3:46:29 | for (...) |
+| Test.java:30:3:30:13 | if (...) | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:30:3:30:13 | if (...) | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:30:3:30:13 | if (...) | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:30:3:30:13 | if (...) | Test.java:46:3:46:29 | for (...;...;...) |
 | Test.java:30:3:30:13 | if (...) | Test.java:46:31:49:3 | { ... } |
-| Test.java:30:3:30:13 | if (...) | Test.java:47:4:47:9 | ...; |
-| Test.java:30:3:30:13 | if (...) | Test.java:48:4:48:10 | ...; |
-| Test.java:30:3:30:13 | if (...) | Test.java:51:3:51:9 | ...; |
-| Test.java:30:3:30:13 | if (...) | Test.java:54:3:54:29 | for (...) |
+| Test.java:30:3:30:13 | if (...) | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:30:3:30:13 | if (...) | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:30:3:30:13 | if (...) | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:30:3:30:13 | if (...) | Test.java:54:3:54:29 | for (...;...;...) |
 | Test.java:30:3:30:13 | if (...) | Test.java:54:31:68:3 | { ... } |
-| Test.java:30:3:30:13 | if (...) | Test.java:55:4:55:10 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:55:4:55:10 | <Expr>; |
 | Test.java:30:3:30:13 | if (...) | Test.java:56:4:56:12 | if (...) |
 | Test.java:30:3:30:13 | if (...) | Test.java:57:5:57:13 | if (...) |
 | Test.java:30:3:30:13 | if (...) | Test.java:57:15:60:5 | { ... } |
-| Test.java:30:3:30:13 | if (...) | Test.java:58:6:58:11 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:58:6:58:11 | <Expr>; |
 | Test.java:30:3:30:13 | if (...) | Test.java:59:6:59:11 | break |
 | Test.java:30:3:30:13 | if (...) | Test.java:60:12:62:5 | { ... } |
-| Test.java:30:3:30:13 | if (...) | Test.java:61:6:61:12 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:61:6:61:12 | <Expr>; |
 | Test.java:30:3:30:13 | if (...) | Test.java:63:9:66:4 | { ... } |
-| Test.java:30:3:30:13 | if (...) | Test.java:64:5:64:11 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:64:5:64:11 | <Expr>; |
 | Test.java:30:3:30:13 | if (...) | Test.java:65:5:65:13 | continue |
-| Test.java:30:3:30:13 | if (...) | Test.java:67:4:67:9 | ...; |
-| Test.java:30:3:30:13 | if (...) | Test.java:70:3:70:9 | ...; |
-| Test.java:30:3:30:13 | if (...) | Test.java:74:3:74:9 | ...; |
+| Test.java:30:3:30:13 | if (...) | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:30:3:30:13 | if (...) | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:30:3:30:13 | if (...) | Test.java:74:3:74:9 | <Expr>; |
 | Test.java:30:3:30:13 | if (...) | Test.java:75:3:75:9 | return ... |
-| Test.java:30:15:33:3 | { ... } | Test.java:31:4:31:10 | ...; |
-| Test.java:30:15:33:3 | { ... } | Test.java:32:4:32:10 | ...; |
-| Test.java:31:4:31:10 | ...; | Test.java:32:4:32:10 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:38:3:38:14 | while (...) |
-| Test.java:35:3:35:9 | ...; | Test.java:38:16:41:3 | { ... } |
-| Test.java:35:3:35:9 | ...; | Test.java:39:4:39:10 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:40:4:40:7 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:43:3:43:9 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:46:3:46:29 | for (...) |
-| Test.java:35:3:35:9 | ...; | Test.java:46:31:49:3 | { ... } |
-| Test.java:35:3:35:9 | ...; | Test.java:47:4:47:9 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:48:4:48:10 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:51:3:51:9 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:54:3:54:29 | for (...) |
-| Test.java:35:3:35:9 | ...; | Test.java:54:31:68:3 | { ... } |
-| Test.java:35:3:35:9 | ...; | Test.java:55:4:55:10 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:56:4:56:12 | if (...) |
-| Test.java:35:3:35:9 | ...; | Test.java:57:5:57:13 | if (...) |
-| Test.java:35:3:35:9 | ...; | Test.java:57:15:60:5 | { ... } |
-| Test.java:35:3:35:9 | ...; | Test.java:58:6:58:11 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:59:6:59:11 | break |
-| Test.java:35:3:35:9 | ...; | Test.java:60:12:62:5 | { ... } |
-| Test.java:35:3:35:9 | ...; | Test.java:61:6:61:12 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:63:9:66:4 | { ... } |
-| Test.java:35:3:35:9 | ...; | Test.java:64:5:64:11 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:65:5:65:13 | continue |
-| Test.java:35:3:35:9 | ...; | Test.java:67:4:67:9 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:70:3:70:9 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:74:3:74:9 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:75:3:75:9 | return ... |
+| Test.java:30:15:33:3 | { ... } | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:30:15:33:3 | { ... } | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:31:4:31:10 | <Expr>; | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:38:3:38:14 | while (...) |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:38:16:41:3 | { ... } |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:46:3:46:29 | for (...;...;...) |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:46:31:49:3 | { ... } |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:54:3:54:29 | for (...;...;...) |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:54:31:68:3 | { ... } |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:55:4:55:10 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:56:4:56:12 | if (...) |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:57:5:57:13 | if (...) |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:57:15:60:5 | { ... } |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:58:6:58:11 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:59:6:59:11 | break |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:60:12:62:5 | { ... } |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:61:6:61:12 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:63:9:66:4 | { ... } |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:64:5:64:11 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:65:5:65:13 | continue |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:74:3:74:9 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:75:3:75:9 | return ... |
 | Test.java:38:3:38:14 | while (...) | Test.java:38:16:41:3 | { ... } |
-| Test.java:38:3:38:14 | while (...) | Test.java:39:4:39:10 | ...; |
-| Test.java:38:3:38:14 | while (...) | Test.java:40:4:40:7 | ...; |
-| Test.java:38:3:38:14 | while (...) | Test.java:43:3:43:9 | ...; |
-| Test.java:38:3:38:14 | while (...) | Test.java:46:3:46:29 | for (...) |
+| Test.java:38:3:38:14 | while (...) | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:38:3:38:14 | while (...) | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:38:3:38:14 | while (...) | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:38:3:38:14 | while (...) | Test.java:46:3:46:29 | for (...;...;...) |
 | Test.java:38:3:38:14 | while (...) | Test.java:46:31:49:3 | { ... } |
-| Test.java:38:3:38:14 | while (...) | Test.java:47:4:47:9 | ...; |
-| Test.java:38:3:38:14 | while (...) | Test.java:48:4:48:10 | ...; |
-| Test.java:38:3:38:14 | while (...) | Test.java:51:3:51:9 | ...; |
-| Test.java:38:3:38:14 | while (...) | Test.java:54:3:54:29 | for (...) |
+| Test.java:38:3:38:14 | while (...) | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:38:3:38:14 | while (...) | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:38:3:38:14 | while (...) | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:38:3:38:14 | while (...) | Test.java:54:3:54:29 | for (...;...;...) |
 | Test.java:38:3:38:14 | while (...) | Test.java:54:31:68:3 | { ... } |
-| Test.java:38:3:38:14 | while (...) | Test.java:55:4:55:10 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:55:4:55:10 | <Expr>; |
 | Test.java:38:3:38:14 | while (...) | Test.java:56:4:56:12 | if (...) |
 | Test.java:38:3:38:14 | while (...) | Test.java:57:5:57:13 | if (...) |
 | Test.java:38:3:38:14 | while (...) | Test.java:57:15:60:5 | { ... } |
-| Test.java:38:3:38:14 | while (...) | Test.java:58:6:58:11 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:58:6:58:11 | <Expr>; |
 | Test.java:38:3:38:14 | while (...) | Test.java:59:6:59:11 | break |
 | Test.java:38:3:38:14 | while (...) | Test.java:60:12:62:5 | { ... } |
-| Test.java:38:3:38:14 | while (...) | Test.java:61:6:61:12 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:61:6:61:12 | <Expr>; |
 | Test.java:38:3:38:14 | while (...) | Test.java:63:9:66:4 | { ... } |
-| Test.java:38:3:38:14 | while (...) | Test.java:64:5:64:11 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:64:5:64:11 | <Expr>; |
 | Test.java:38:3:38:14 | while (...) | Test.java:65:5:65:13 | continue |
-| Test.java:38:3:38:14 | while (...) | Test.java:67:4:67:9 | ...; |
-| Test.java:38:3:38:14 | while (...) | Test.java:70:3:70:9 | ...; |
-| Test.java:38:3:38:14 | while (...) | Test.java:74:3:74:9 | ...; |
+| Test.java:38:3:38:14 | while (...) | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:38:3:38:14 | while (...) | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:38:3:38:14 | while (...) | Test.java:74:3:74:9 | <Expr>; |
 | Test.java:38:3:38:14 | while (...) | Test.java:75:3:75:9 | return ... |
-| Test.java:38:16:41:3 | { ... } | Test.java:39:4:39:10 | ...; |
-| Test.java:38:16:41:3 | { ... } | Test.java:40:4:40:7 | ...; |
-| Test.java:39:4:39:10 | ...; | Test.java:40:4:40:7 | ...; |
-| Test.java:43:3:43:9 | ...; | Test.java:46:3:46:29 | for (...) |
-| Test.java:43:3:43:9 | ...; | Test.java:46:31:49:3 | { ... } |
-| Test.java:43:3:43:9 | ...; | Test.java:47:4:47:9 | ...; |
-| Test.java:43:3:43:9 | ...; | Test.java:48:4:48:10 | ...; |
-| Test.java:43:3:43:9 | ...; | Test.java:51:3:51:9 | ...; |
-| Test.java:43:3:43:9 | ...; | Test.java:54:3:54:29 | for (...) |
-| Test.java:43:3:43:9 | ...; | Test.java:54:31:68:3 | { ... } |
-| Test.java:43:3:43:9 | ...; | Test.java:55:4:55:10 | ...; |
-| Test.java:43:3:43:9 | ...; | Test.java:56:4:56:12 | if (...) |
-| Test.java:43:3:43:9 | ...; | Test.java:57:5:57:13 | if (...) |
-| Test.java:43:3:43:9 | ...; | Test.java:57:15:60:5 | { ... } |
-| Test.java:43:3:43:9 | ...; | Test.java:58:6:58:11 | ...; |
-| Test.java:43:3:43:9 | ...; | Test.java:59:6:59:11 | break |
-| Test.java:43:3:43:9 | ...; | Test.java:60:12:62:5 | { ... } |
-| Test.java:43:3:43:9 | ...; | Test.java:61:6:61:12 | ...; |
-| Test.java:43:3:43:9 | ...; | Test.java:63:9:66:4 | { ... } |
-| Test.java:43:3:43:9 | ...; | Test.java:64:5:64:11 | ...; |
-| Test.java:43:3:43:9 | ...; | Test.java:65:5:65:13 | continue |
-| Test.java:43:3:43:9 | ...; | Test.java:67:4:67:9 | ...; |
-| Test.java:43:3:43:9 | ...; | Test.java:70:3:70:9 | ...; |
-| Test.java:43:3:43:9 | ...; | Test.java:74:3:74:9 | ...; |
-| Test.java:43:3:43:9 | ...; | Test.java:75:3:75:9 | return ... |
-| Test.java:46:3:46:29 | for (...) | Test.java:46:31:49:3 | { ... } |
-| Test.java:46:3:46:29 | for (...) | Test.java:47:4:47:9 | ...; |
-| Test.java:46:3:46:29 | for (...) | Test.java:48:4:48:10 | ...; |
-| Test.java:46:3:46:29 | for (...) | Test.java:51:3:51:9 | ...; |
-| Test.java:46:3:46:29 | for (...) | Test.java:54:3:54:29 | for (...) |
-| Test.java:46:3:46:29 | for (...) | Test.java:54:31:68:3 | { ... } |
-| Test.java:46:3:46:29 | for (...) | Test.java:55:4:55:10 | ...; |
-| Test.java:46:3:46:29 | for (...) | Test.java:56:4:56:12 | if (...) |
-| Test.java:46:3:46:29 | for (...) | Test.java:57:5:57:13 | if (...) |
-| Test.java:46:3:46:29 | for (...) | Test.java:57:15:60:5 | { ... } |
-| Test.java:46:3:46:29 | for (...) | Test.java:58:6:58:11 | ...; |
-| Test.java:46:3:46:29 | for (...) | Test.java:59:6:59:11 | break |
-| Test.java:46:3:46:29 | for (...) | Test.java:60:12:62:5 | { ... } |
-| Test.java:46:3:46:29 | for (...) | Test.java:61:6:61:12 | ...; |
-| Test.java:46:3:46:29 | for (...) | Test.java:63:9:66:4 | { ... } |
-| Test.java:46:3:46:29 | for (...) | Test.java:64:5:64:11 | ...; |
-| Test.java:46:3:46:29 | for (...) | Test.java:65:5:65:13 | continue |
-| Test.java:46:3:46:29 | for (...) | Test.java:67:4:67:9 | ...; |
-| Test.java:46:3:46:29 | for (...) | Test.java:70:3:70:9 | ...; |
-| Test.java:46:3:46:29 | for (...) | Test.java:74:3:74:9 | ...; |
-| Test.java:46:3:46:29 | for (...) | Test.java:75:3:75:9 | return ... |
-| Test.java:46:31:49:3 | { ... } | Test.java:47:4:47:9 | ...; |
-| Test.java:46:31:49:3 | { ... } | Test.java:48:4:48:10 | ...; |
-| Test.java:47:4:47:9 | ...; | Test.java:48:4:48:10 | ...; |
-| Test.java:51:3:51:9 | ...; | Test.java:54:3:54:29 | for (...) |
-| Test.java:51:3:51:9 | ...; | Test.java:54:31:68:3 | { ... } |
-| Test.java:51:3:51:9 | ...; | Test.java:55:4:55:10 | ...; |
-| Test.java:51:3:51:9 | ...; | Test.java:56:4:56:12 | if (...) |
-| Test.java:51:3:51:9 | ...; | Test.java:57:5:57:13 | if (...) |
-| Test.java:51:3:51:9 | ...; | Test.java:57:15:60:5 | { ... } |
-| Test.java:51:3:51:9 | ...; | Test.java:58:6:58:11 | ...; |
-| Test.java:51:3:51:9 | ...; | Test.java:59:6:59:11 | break |
-| Test.java:51:3:51:9 | ...; | Test.java:60:12:62:5 | { ... } |
-| Test.java:51:3:51:9 | ...; | Test.java:61:6:61:12 | ...; |
-| Test.java:51:3:51:9 | ...; | Test.java:63:9:66:4 | { ... } |
-| Test.java:51:3:51:9 | ...; | Test.java:64:5:64:11 | ...; |
-| Test.java:51:3:51:9 | ...; | Test.java:65:5:65:13 | continue |
-| Test.java:51:3:51:9 | ...; | Test.java:67:4:67:9 | ...; |
-| Test.java:51:3:51:9 | ...; | Test.java:70:3:70:9 | ...; |
-| Test.java:51:3:51:9 | ...; | Test.java:74:3:74:9 | ...; |
-| Test.java:51:3:51:9 | ...; | Test.java:75:3:75:9 | return ... |
-| Test.java:54:3:54:29 | for (...) | Test.java:54:31:68:3 | { ... } |
-| Test.java:54:3:54:29 | for (...) | Test.java:55:4:55:10 | ...; |
-| Test.java:54:3:54:29 | for (...) | Test.java:56:4:56:12 | if (...) |
-| Test.java:54:3:54:29 | for (...) | Test.java:57:5:57:13 | if (...) |
-| Test.java:54:3:54:29 | for (...) | Test.java:57:15:60:5 | { ... } |
-| Test.java:54:3:54:29 | for (...) | Test.java:58:6:58:11 | ...; |
-| Test.java:54:3:54:29 | for (...) | Test.java:59:6:59:11 | break |
-| Test.java:54:3:54:29 | for (...) | Test.java:60:12:62:5 | { ... } |
-| Test.java:54:3:54:29 | for (...) | Test.java:61:6:61:12 | ...; |
-| Test.java:54:3:54:29 | for (...) | Test.java:63:9:66:4 | { ... } |
-| Test.java:54:3:54:29 | for (...) | Test.java:64:5:64:11 | ...; |
-| Test.java:54:3:54:29 | for (...) | Test.java:65:5:65:13 | continue |
-| Test.java:54:3:54:29 | for (...) | Test.java:67:4:67:9 | ...; |
-| Test.java:54:3:54:29 | for (...) | Test.java:70:3:70:9 | ...; |
-| Test.java:54:3:54:29 | for (...) | Test.java:74:3:74:9 | ...; |
-| Test.java:54:3:54:29 | for (...) | Test.java:75:3:75:9 | return ... |
-| Test.java:54:31:68:3 | { ... } | Test.java:55:4:55:10 | ...; |
+| Test.java:38:16:41:3 | { ... } | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:38:16:41:3 | { ... } | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:39:4:39:10 | <Expr>; | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:46:3:46:29 | for (...;...;...) |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:46:31:49:3 | { ... } |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:54:3:54:29 | for (...;...;...) |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:54:31:68:3 | { ... } |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:55:4:55:10 | <Expr>; |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:56:4:56:12 | if (...) |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:57:5:57:13 | if (...) |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:57:15:60:5 | { ... } |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:58:6:58:11 | <Expr>; |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:59:6:59:11 | break |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:60:12:62:5 | { ... } |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:61:6:61:12 | <Expr>; |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:63:9:66:4 | { ... } |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:64:5:64:11 | <Expr>; |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:65:5:65:13 | continue |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:74:3:74:9 | <Expr>; |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:75:3:75:9 | return ... |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:46:31:49:3 | { ... } |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:54:3:54:29 | for (...;...;...) |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:54:31:68:3 | { ... } |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:55:4:55:10 | <Expr>; |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:56:4:56:12 | if (...) |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:57:5:57:13 | if (...) |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:57:15:60:5 | { ... } |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:58:6:58:11 | <Expr>; |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:59:6:59:11 | break |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:60:12:62:5 | { ... } |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:61:6:61:12 | <Expr>; |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:63:9:66:4 | { ... } |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:64:5:64:11 | <Expr>; |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:65:5:65:13 | continue |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:74:3:74:9 | <Expr>; |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:75:3:75:9 | return ... |
+| Test.java:46:31:49:3 | { ... } | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:46:31:49:3 | { ... } | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:47:4:47:9 | <Expr>; | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:54:3:54:29 | for (...;...;...) |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:54:31:68:3 | { ... } |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:55:4:55:10 | <Expr>; |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:56:4:56:12 | if (...) |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:57:5:57:13 | if (...) |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:57:15:60:5 | { ... } |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:58:6:58:11 | <Expr>; |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:59:6:59:11 | break |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:60:12:62:5 | { ... } |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:61:6:61:12 | <Expr>; |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:63:9:66:4 | { ... } |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:64:5:64:11 | <Expr>; |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:65:5:65:13 | continue |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:74:3:74:9 | <Expr>; |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:75:3:75:9 | return ... |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:54:31:68:3 | { ... } |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:55:4:55:10 | <Expr>; |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:56:4:56:12 | if (...) |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:57:5:57:13 | if (...) |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:57:15:60:5 | { ... } |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:58:6:58:11 | <Expr>; |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:59:6:59:11 | break |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:60:12:62:5 | { ... } |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:61:6:61:12 | <Expr>; |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:63:9:66:4 | { ... } |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:64:5:64:11 | <Expr>; |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:65:5:65:13 | continue |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:74:3:74:9 | <Expr>; |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:75:3:75:9 | return ... |
+| Test.java:54:31:68:3 | { ... } | Test.java:55:4:55:10 | <Expr>; |
 | Test.java:54:31:68:3 | { ... } | Test.java:56:4:56:12 | if (...) |
 | Test.java:54:31:68:3 | { ... } | Test.java:57:5:57:13 | if (...) |
 | Test.java:54:31:68:3 | { ... } | Test.java:57:15:60:5 | { ... } |
-| Test.java:54:31:68:3 | { ... } | Test.java:58:6:58:11 | ...; |
+| Test.java:54:31:68:3 | { ... } | Test.java:58:6:58:11 | <Expr>; |
 | Test.java:54:31:68:3 | { ... } | Test.java:59:6:59:11 | break |
 | Test.java:54:31:68:3 | { ... } | Test.java:60:12:62:5 | { ... } |
-| Test.java:54:31:68:3 | { ... } | Test.java:61:6:61:12 | ...; |
+| Test.java:54:31:68:3 | { ... } | Test.java:61:6:61:12 | <Expr>; |
 | Test.java:54:31:68:3 | { ... } | Test.java:63:9:66:4 | { ... } |
-| Test.java:54:31:68:3 | { ... } | Test.java:64:5:64:11 | ...; |
+| Test.java:54:31:68:3 | { ... } | Test.java:64:5:64:11 | <Expr>; |
 | Test.java:54:31:68:3 | { ... } | Test.java:65:5:65:13 | continue |
-| Test.java:54:31:68:3 | { ... } | Test.java:67:4:67:9 | ...; |
-| Test.java:55:4:55:10 | ...; | Test.java:56:4:56:12 | if (...) |
-| Test.java:55:4:55:10 | ...; | Test.java:57:5:57:13 | if (...) |
-| Test.java:55:4:55:10 | ...; | Test.java:57:15:60:5 | { ... } |
-| Test.java:55:4:55:10 | ...; | Test.java:58:6:58:11 | ...; |
-| Test.java:55:4:55:10 | ...; | Test.java:59:6:59:11 | break |
-| Test.java:55:4:55:10 | ...; | Test.java:60:12:62:5 | { ... } |
-| Test.java:55:4:55:10 | ...; | Test.java:61:6:61:12 | ...; |
-| Test.java:55:4:55:10 | ...; | Test.java:63:9:66:4 | { ... } |
-| Test.java:55:4:55:10 | ...; | Test.java:64:5:64:11 | ...; |
-| Test.java:55:4:55:10 | ...; | Test.java:65:5:65:13 | continue |
-| Test.java:55:4:55:10 | ...; | Test.java:67:4:67:9 | ...; |
+| Test.java:54:31:68:3 | { ... } | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:55:4:55:10 | <Expr>; | Test.java:56:4:56:12 | if (...) |
+| Test.java:55:4:55:10 | <Expr>; | Test.java:57:5:57:13 | if (...) |
+| Test.java:55:4:55:10 | <Expr>; | Test.java:57:15:60:5 | { ... } |
+| Test.java:55:4:55:10 | <Expr>; | Test.java:58:6:58:11 | <Expr>; |
+| Test.java:55:4:55:10 | <Expr>; | Test.java:59:6:59:11 | break |
+| Test.java:55:4:55:10 | <Expr>; | Test.java:60:12:62:5 | { ... } |
+| Test.java:55:4:55:10 | <Expr>; | Test.java:61:6:61:12 | <Expr>; |
+| Test.java:55:4:55:10 | <Expr>; | Test.java:63:9:66:4 | { ... } |
+| Test.java:55:4:55:10 | <Expr>; | Test.java:64:5:64:11 | <Expr>; |
+| Test.java:55:4:55:10 | <Expr>; | Test.java:65:5:65:13 | continue |
+| Test.java:55:4:55:10 | <Expr>; | Test.java:67:4:67:9 | <Expr>; |
 | Test.java:56:4:56:12 | if (...) | Test.java:57:5:57:13 | if (...) |
 | Test.java:56:4:56:12 | if (...) | Test.java:57:15:60:5 | { ... } |
-| Test.java:56:4:56:12 | if (...) | Test.java:58:6:58:11 | ...; |
+| Test.java:56:4:56:12 | if (...) | Test.java:58:6:58:11 | <Expr>; |
 | Test.java:56:4:56:12 | if (...) | Test.java:59:6:59:11 | break |
 | Test.java:56:4:56:12 | if (...) | Test.java:60:12:62:5 | { ... } |
-| Test.java:56:4:56:12 | if (...) | Test.java:61:6:61:12 | ...; |
+| Test.java:56:4:56:12 | if (...) | Test.java:61:6:61:12 | <Expr>; |
 | Test.java:56:4:56:12 | if (...) | Test.java:63:9:66:4 | { ... } |
-| Test.java:56:4:56:12 | if (...) | Test.java:64:5:64:11 | ...; |
+| Test.java:56:4:56:12 | if (...) | Test.java:64:5:64:11 | <Expr>; |
 | Test.java:56:4:56:12 | if (...) | Test.java:65:5:65:13 | continue |
-| Test.java:56:4:56:12 | if (...) | Test.java:67:4:67:9 | ...; |
+| Test.java:56:4:56:12 | if (...) | Test.java:67:4:67:9 | <Expr>; |
 | Test.java:57:5:57:13 | if (...) | Test.java:57:15:60:5 | { ... } |
-| Test.java:57:5:57:13 | if (...) | Test.java:58:6:58:11 | ...; |
+| Test.java:57:5:57:13 | if (...) | Test.java:58:6:58:11 | <Expr>; |
 | Test.java:57:5:57:13 | if (...) | Test.java:59:6:59:11 | break |
 | Test.java:57:5:57:13 | if (...) | Test.java:60:12:62:5 | { ... } |
-| Test.java:57:5:57:13 | if (...) | Test.java:61:6:61:12 | ...; |
-| Test.java:57:5:57:13 | if (...) | Test.java:67:4:67:9 | ...; |
-| Test.java:57:15:60:5 | { ... } | Test.java:58:6:58:11 | ...; |
+| Test.java:57:5:57:13 | if (...) | Test.java:61:6:61:12 | <Expr>; |
+| Test.java:57:5:57:13 | if (...) | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:57:15:60:5 | { ... } | Test.java:58:6:58:11 | <Expr>; |
 | Test.java:57:15:60:5 | { ... } | Test.java:59:6:59:11 | break |
-| Test.java:58:6:58:11 | ...; | Test.java:59:6:59:11 | break |
-| Test.java:60:12:62:5 | { ... } | Test.java:61:6:61:12 | ...; |
-| Test.java:60:12:62:5 | { ... } | Test.java:67:4:67:9 | ...; |
-| Test.java:61:6:61:12 | ...; | Test.java:67:4:67:9 | ...; |
-| Test.java:63:9:66:4 | { ... } | Test.java:64:5:64:11 | ...; |
+| Test.java:58:6:58:11 | <Expr>; | Test.java:59:6:59:11 | break |
+| Test.java:60:12:62:5 | { ... } | Test.java:61:6:61:12 | <Expr>; |
+| Test.java:60:12:62:5 | { ... } | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:61:6:61:12 | <Expr>; | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:63:9:66:4 | { ... } | Test.java:64:5:64:11 | <Expr>; |
 | Test.java:63:9:66:4 | { ... } | Test.java:65:5:65:13 | continue |
-| Test.java:64:5:64:11 | ...; | Test.java:65:5:65:13 | continue |
-| Test.java:70:3:70:9 | ...; | Test.java:74:3:74:9 | ...; |
-| Test.java:70:3:70:9 | ...; | Test.java:75:3:75:9 | return ... |
-| Test.java:74:3:74:9 | ...; | Test.java:75:3:75:9 | return ... |
+| Test.java:64:5:64:11 | <Expr>; | Test.java:65:5:65:13 | continue |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:74:3:74:9 | <Expr>; |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:75:3:75:9 | return ... |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:75:3:75:9 | return ... |
diff --git a/java/ql/test/library-tests/controlflow/basic/strictPostDominance.expected b/java/ql/test/library-tests/controlflow/basic/strictPostDominance.expected
index 83e141e63a5..1b62a8c7b83 100644
--- a/java/ql/test/library-tests/controlflow/basic/strictPostDominance.expected
+++ b/java/ql/test/library-tests/controlflow/basic/strictPostDominance.expected
@@ -1,232 +1,232 @@
 | Test.java:3:14:3:17 | super(...) | Test.java:3:14:3:17 | { ... } |
-| Test.java:5:3:5:12 | local variable declaration | Test.java:4:21:76:2 | { ... } |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:4:21:76:2 | { ... } |
-| Test.java:6:3:6:14 | local variable declaration | Test.java:5:3:5:12 | local variable declaration |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:4:21:76:2 | { ... } |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:5:3:5:12 | local variable declaration |
-| Test.java:7:3:7:12 | local variable declaration | Test.java:6:3:6:14 | local variable declaration |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:4:21:76:2 | { ... } |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:5:3:5:12 | local variable declaration |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:6:3:6:14 | local variable declaration |
-| Test.java:8:3:8:12 | local variable declaration | Test.java:7:3:7:12 | local variable declaration |
+| Test.java:5:3:5:12 | var ...; | Test.java:4:21:76:2 | { ... } |
+| Test.java:6:3:6:14 | var ...; | Test.java:4:21:76:2 | { ... } |
+| Test.java:6:3:6:14 | var ...; | Test.java:5:3:5:12 | var ...; |
+| Test.java:7:3:7:12 | var ...; | Test.java:4:21:76:2 | { ... } |
+| Test.java:7:3:7:12 | var ...; | Test.java:5:3:5:12 | var ...; |
+| Test.java:7:3:7:12 | var ...; | Test.java:6:3:6:14 | var ...; |
+| Test.java:8:3:8:12 | var ...; | Test.java:4:21:76:2 | { ... } |
+| Test.java:8:3:8:12 | var ...; | Test.java:5:3:5:12 | var ...; |
+| Test.java:8:3:8:12 | var ...; | Test.java:6:3:6:14 | var ...; |
+| Test.java:8:3:8:12 | var ...; | Test.java:7:3:7:12 | var ...; |
 | Test.java:11:3:11:12 | if (...) | Test.java:4:21:76:2 | { ... } |
-| Test.java:11:3:11:12 | if (...) | Test.java:5:3:5:12 | local variable declaration |
-| Test.java:11:3:11:12 | if (...) | Test.java:6:3:6:14 | local variable declaration |
-| Test.java:11:3:11:12 | if (...) | Test.java:7:3:7:12 | local variable declaration |
-| Test.java:11:3:11:12 | if (...) | Test.java:8:3:8:12 | local variable declaration |
-| Test.java:12:4:12:10 | ...; | Test.java:11:14:14:3 | { ... } |
-| Test.java:13:4:13:10 | ...; | Test.java:11:14:14:3 | { ... } |
-| Test.java:13:4:13:10 | ...; | Test.java:12:4:12:10 | ...; |
-| Test.java:15:4:15:10 | ...; | Test.java:14:10:16:3 | { ... } |
-| Test.java:18:3:18:8 | ...; | Test.java:4:21:76:2 | { ... } |
-| Test.java:18:3:18:8 | ...; | Test.java:5:3:5:12 | local variable declaration |
-| Test.java:18:3:18:8 | ...; | Test.java:6:3:6:14 | local variable declaration |
-| Test.java:18:3:18:8 | ...; | Test.java:7:3:7:12 | local variable declaration |
-| Test.java:18:3:18:8 | ...; | Test.java:8:3:8:12 | local variable declaration |
-| Test.java:18:3:18:8 | ...; | Test.java:11:3:11:12 | if (...) |
-| Test.java:18:3:18:8 | ...; | Test.java:11:14:14:3 | { ... } |
-| Test.java:18:3:18:8 | ...; | Test.java:12:4:12:10 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:13:4:13:10 | ...; |
-| Test.java:18:3:18:8 | ...; | Test.java:14:10:16:3 | { ... } |
-| Test.java:18:3:18:8 | ...; | Test.java:15:4:15:10 | ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:5:3:5:12 | var ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:6:3:6:14 | var ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:7:3:7:12 | var ...; |
+| Test.java:11:3:11:12 | if (...) | Test.java:8:3:8:12 | var ...; |
+| Test.java:12:4:12:10 | <Expr>; | Test.java:11:14:14:3 | { ... } |
+| Test.java:13:4:13:10 | <Expr>; | Test.java:11:14:14:3 | { ... } |
+| Test.java:13:4:13:10 | <Expr>; | Test.java:12:4:12:10 | <Expr>; |
+| Test.java:15:4:15:10 | <Expr>; | Test.java:14:10:16:3 | { ... } |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:4:21:76:2 | { ... } |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:5:3:5:12 | var ...; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:6:3:6:14 | var ...; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:7:3:7:12 | var ...; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:8:3:8:12 | var ...; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:11:3:11:12 | if (...) |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:11:14:14:3 | { ... } |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:12:4:12:10 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:13:4:13:10 | <Expr>; |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:14:10:16:3 | { ... } |
+| Test.java:18:3:18:8 | <Expr>; | Test.java:15:4:15:10 | <Expr>; |
 | Test.java:21:3:21:11 | if (...) | Test.java:4:21:76:2 | { ... } |
-| Test.java:21:3:21:11 | if (...) | Test.java:5:3:5:12 | local variable declaration |
-| Test.java:21:3:21:11 | if (...) | Test.java:6:3:6:14 | local variable declaration |
-| Test.java:21:3:21:11 | if (...) | Test.java:7:3:7:12 | local variable declaration |
-| Test.java:21:3:21:11 | if (...) | Test.java:8:3:8:12 | local variable declaration |
+| Test.java:21:3:21:11 | if (...) | Test.java:5:3:5:12 | var ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:6:3:6:14 | var ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:7:3:7:12 | var ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:8:3:8:12 | var ...; |
 | Test.java:21:3:21:11 | if (...) | Test.java:11:3:11:12 | if (...) |
 | Test.java:21:3:21:11 | if (...) | Test.java:11:14:14:3 | { ... } |
-| Test.java:21:3:21:11 | if (...) | Test.java:12:4:12:10 | ...; |
-| Test.java:21:3:21:11 | if (...) | Test.java:13:4:13:10 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:12:4:12:10 | <Expr>; |
+| Test.java:21:3:21:11 | if (...) | Test.java:13:4:13:10 | <Expr>; |
 | Test.java:21:3:21:11 | if (...) | Test.java:14:10:16:3 | { ... } |
-| Test.java:21:3:21:11 | if (...) | Test.java:15:4:15:10 | ...; |
-| Test.java:21:3:21:11 | if (...) | Test.java:18:3:18:8 | ...; |
-| Test.java:27:3:27:9 | ...; | Test.java:22:4:22:10 | ...; |
-| Test.java:30:3:30:13 | if (...) | Test.java:22:4:22:10 | ...; |
-| Test.java:30:3:30:13 | if (...) | Test.java:27:3:27:9 | ...; |
-| Test.java:31:4:31:10 | ...; | Test.java:30:15:33:3 | { ... } |
-| Test.java:32:4:32:10 | ...; | Test.java:30:15:33:3 | { ... } |
-| Test.java:32:4:32:10 | ...; | Test.java:31:4:31:10 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:22:4:22:10 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:27:3:27:9 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:30:3:30:13 | if (...) |
-| Test.java:35:3:35:9 | ...; | Test.java:30:15:33:3 | { ... } |
-| Test.java:35:3:35:9 | ...; | Test.java:31:4:31:10 | ...; |
-| Test.java:35:3:35:9 | ...; | Test.java:32:4:32:10 | ...; |
-| Test.java:38:3:38:14 | while (...) | Test.java:22:4:22:10 | ...; |
-| Test.java:38:3:38:14 | while (...) | Test.java:27:3:27:9 | ...; |
+| Test.java:21:3:21:11 | if (...) | Test.java:15:4:15:10 | <Expr>; |
+| Test.java:21:3:21:11 | if (...) | Test.java:18:3:18:8 | <Expr>; |
+| Test.java:27:3:27:9 | <Expr>; | Test.java:22:4:22:10 | <Expr>; |
+| Test.java:30:3:30:13 | if (...) | Test.java:22:4:22:10 | <Expr>; |
+| Test.java:30:3:30:13 | if (...) | Test.java:27:3:27:9 | <Expr>; |
+| Test.java:31:4:31:10 | <Expr>; | Test.java:30:15:33:3 | { ... } |
+| Test.java:32:4:32:10 | <Expr>; | Test.java:30:15:33:3 | { ... } |
+| Test.java:32:4:32:10 | <Expr>; | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:22:4:22:10 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:27:3:27:9 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:30:3:30:13 | if (...) |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:30:15:33:3 | { ... } |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:35:3:35:9 | <Expr>; | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:38:3:38:14 | while (...) | Test.java:22:4:22:10 | <Expr>; |
+| Test.java:38:3:38:14 | while (...) | Test.java:27:3:27:9 | <Expr>; |
 | Test.java:38:3:38:14 | while (...) | Test.java:30:3:30:13 | if (...) |
 | Test.java:38:3:38:14 | while (...) | Test.java:30:15:33:3 | { ... } |
-| Test.java:38:3:38:14 | while (...) | Test.java:31:4:31:10 | ...; |
-| Test.java:38:3:38:14 | while (...) | Test.java:32:4:32:10 | ...; |
-| Test.java:38:3:38:14 | while (...) | Test.java:35:3:35:9 | ...; |
-| Test.java:39:4:39:10 | ...; | Test.java:38:16:41:3 | { ... } |
-| Test.java:40:4:40:7 | ...; | Test.java:38:16:41:3 | { ... } |
-| Test.java:40:4:40:7 | ...; | Test.java:39:4:39:10 | ...; |
-| Test.java:43:3:43:9 | ...; | Test.java:22:4:22:10 | ...; |
-| Test.java:43:3:43:9 | ...; | Test.java:27:3:27:9 | ...; |
-| Test.java:43:3:43:9 | ...; | Test.java:30:3:30:13 | if (...) |
-| Test.java:43:3:43:9 | ...; | Test.java:30:15:33:3 | { ... } |
-| Test.java:43:3:43:9 | ...; | Test.java:31:4:31:10 | ...; |
-| Test.java:43:3:43:9 | ...; | Test.java:32:4:32:10 | ...; |
-| Test.java:43:3:43:9 | ...; | Test.java:35:3:35:9 | ...; |
-| Test.java:43:3:43:9 | ...; | Test.java:38:3:38:14 | while (...) |
-| Test.java:43:3:43:9 | ...; | Test.java:38:16:41:3 | { ... } |
-| Test.java:43:3:43:9 | ...; | Test.java:39:4:39:10 | ...; |
-| Test.java:43:3:43:9 | ...; | Test.java:40:4:40:7 | ...; |
-| Test.java:46:3:46:29 | for (...) | Test.java:22:4:22:10 | ...; |
-| Test.java:46:3:46:29 | for (...) | Test.java:27:3:27:9 | ...; |
-| Test.java:46:3:46:29 | for (...) | Test.java:30:3:30:13 | if (...) |
-| Test.java:46:3:46:29 | for (...) | Test.java:30:15:33:3 | { ... } |
-| Test.java:46:3:46:29 | for (...) | Test.java:31:4:31:10 | ...; |
-| Test.java:46:3:46:29 | for (...) | Test.java:32:4:32:10 | ...; |
-| Test.java:46:3:46:29 | for (...) | Test.java:35:3:35:9 | ...; |
-| Test.java:46:3:46:29 | for (...) | Test.java:38:3:38:14 | while (...) |
-| Test.java:46:3:46:29 | for (...) | Test.java:38:16:41:3 | { ... } |
-| Test.java:46:3:46:29 | for (...) | Test.java:39:4:39:10 | ...; |
-| Test.java:46:3:46:29 | for (...) | Test.java:40:4:40:7 | ...; |
-| Test.java:46:3:46:29 | for (...) | Test.java:43:3:43:9 | ...; |
-| Test.java:47:4:47:9 | ...; | Test.java:46:31:49:3 | { ... } |
-| Test.java:48:4:48:10 | ...; | Test.java:46:31:49:3 | { ... } |
-| Test.java:48:4:48:10 | ...; | Test.java:47:4:47:9 | ...; |
-| Test.java:51:3:51:9 | ...; | Test.java:22:4:22:10 | ...; |
-| Test.java:51:3:51:9 | ...; | Test.java:27:3:27:9 | ...; |
-| Test.java:51:3:51:9 | ...; | Test.java:30:3:30:13 | if (...) |
-| Test.java:51:3:51:9 | ...; | Test.java:30:15:33:3 | { ... } |
-| Test.java:51:3:51:9 | ...; | Test.java:31:4:31:10 | ...; |
-| Test.java:51:3:51:9 | ...; | Test.java:32:4:32:10 | ...; |
-| Test.java:51:3:51:9 | ...; | Test.java:35:3:35:9 | ...; |
-| Test.java:51:3:51:9 | ...; | Test.java:38:3:38:14 | while (...) |
-| Test.java:51:3:51:9 | ...; | Test.java:38:16:41:3 | { ... } |
-| Test.java:51:3:51:9 | ...; | Test.java:39:4:39:10 | ...; |
-| Test.java:51:3:51:9 | ...; | Test.java:40:4:40:7 | ...; |
-| Test.java:51:3:51:9 | ...; | Test.java:43:3:43:9 | ...; |
-| Test.java:51:3:51:9 | ...; | Test.java:46:3:46:29 | for (...) |
-| Test.java:51:3:51:9 | ...; | Test.java:46:31:49:3 | { ... } |
-| Test.java:51:3:51:9 | ...; | Test.java:47:4:47:9 | ...; |
-| Test.java:51:3:51:9 | ...; | Test.java:48:4:48:10 | ...; |
-| Test.java:54:3:54:29 | for (...) | Test.java:22:4:22:10 | ...; |
-| Test.java:54:3:54:29 | for (...) | Test.java:27:3:27:9 | ...; |
-| Test.java:54:3:54:29 | for (...) | Test.java:30:3:30:13 | if (...) |
-| Test.java:54:3:54:29 | for (...) | Test.java:30:15:33:3 | { ... } |
-| Test.java:54:3:54:29 | for (...) | Test.java:31:4:31:10 | ...; |
-| Test.java:54:3:54:29 | for (...) | Test.java:32:4:32:10 | ...; |
-| Test.java:54:3:54:29 | for (...) | Test.java:35:3:35:9 | ...; |
-| Test.java:54:3:54:29 | for (...) | Test.java:38:3:38:14 | while (...) |
-| Test.java:54:3:54:29 | for (...) | Test.java:38:16:41:3 | { ... } |
-| Test.java:54:3:54:29 | for (...) | Test.java:39:4:39:10 | ...; |
-| Test.java:54:3:54:29 | for (...) | Test.java:40:4:40:7 | ...; |
-| Test.java:54:3:54:29 | for (...) | Test.java:43:3:43:9 | ...; |
-| Test.java:54:3:54:29 | for (...) | Test.java:46:3:46:29 | for (...) |
-| Test.java:54:3:54:29 | for (...) | Test.java:46:31:49:3 | { ... } |
-| Test.java:54:3:54:29 | for (...) | Test.java:47:4:47:9 | ...; |
-| Test.java:54:3:54:29 | for (...) | Test.java:48:4:48:10 | ...; |
-| Test.java:54:3:54:29 | for (...) | Test.java:51:3:51:9 | ...; |
-| Test.java:55:4:55:10 | ...; | Test.java:54:31:68:3 | { ... } |
+| Test.java:38:3:38:14 | while (...) | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:38:3:38:14 | while (...) | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:38:3:38:14 | while (...) | Test.java:35:3:35:9 | <Expr>; |
+| Test.java:39:4:39:10 | <Expr>; | Test.java:38:16:41:3 | { ... } |
+| Test.java:40:4:40:7 | <Expr>; | Test.java:38:16:41:3 | { ... } |
+| Test.java:40:4:40:7 | <Expr>; | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:22:4:22:10 | <Expr>; |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:27:3:27:9 | <Expr>; |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:30:3:30:13 | if (...) |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:30:15:33:3 | { ... } |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:35:3:35:9 | <Expr>; |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:38:3:38:14 | while (...) |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:38:16:41:3 | { ... } |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:43:3:43:9 | <Expr>; | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:22:4:22:10 | <Expr>; |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:27:3:27:9 | <Expr>; |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:30:3:30:13 | if (...) |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:30:15:33:3 | { ... } |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:35:3:35:9 | <Expr>; |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:38:3:38:14 | while (...) |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:38:16:41:3 | { ... } |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:46:3:46:29 | for (...;...;...) | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:47:4:47:9 | <Expr>; | Test.java:46:31:49:3 | { ... } |
+| Test.java:48:4:48:10 | <Expr>; | Test.java:46:31:49:3 | { ... } |
+| Test.java:48:4:48:10 | <Expr>; | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:22:4:22:10 | <Expr>; |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:27:3:27:9 | <Expr>; |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:30:3:30:13 | if (...) |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:30:15:33:3 | { ... } |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:35:3:35:9 | <Expr>; |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:38:3:38:14 | while (...) |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:38:16:41:3 | { ... } |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:46:3:46:29 | for (...;...;...) |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:46:31:49:3 | { ... } |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:51:3:51:9 | <Expr>; | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:22:4:22:10 | <Expr>; |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:27:3:27:9 | <Expr>; |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:30:3:30:13 | if (...) |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:30:15:33:3 | { ... } |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:35:3:35:9 | <Expr>; |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:38:3:38:14 | while (...) |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:38:16:41:3 | { ... } |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:46:3:46:29 | for (...;...;...) |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:46:31:49:3 | { ... } |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:54:3:54:29 | for (...;...;...) | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:55:4:55:10 | <Expr>; | Test.java:54:31:68:3 | { ... } |
 | Test.java:56:4:56:12 | if (...) | Test.java:54:31:68:3 | { ... } |
-| Test.java:56:4:56:12 | if (...) | Test.java:55:4:55:10 | ...; |
-| Test.java:58:6:58:11 | ...; | Test.java:57:15:60:5 | { ... } |
+| Test.java:56:4:56:12 | if (...) | Test.java:55:4:55:10 | <Expr>; |
+| Test.java:58:6:58:11 | <Expr>; | Test.java:57:15:60:5 | { ... } |
 | Test.java:59:6:59:11 | break | Test.java:57:15:60:5 | { ... } |
-| Test.java:59:6:59:11 | break | Test.java:58:6:58:11 | ...; |
-| Test.java:61:6:61:12 | ...; | Test.java:60:12:62:5 | { ... } |
-| Test.java:64:5:64:11 | ...; | Test.java:63:9:66:4 | { ... } |
+| Test.java:59:6:59:11 | break | Test.java:58:6:58:11 | <Expr>; |
+| Test.java:61:6:61:12 | <Expr>; | Test.java:60:12:62:5 | { ... } |
+| Test.java:64:5:64:11 | <Expr>; | Test.java:63:9:66:4 | { ... } |
 | Test.java:65:5:65:13 | continue | Test.java:63:9:66:4 | { ... } |
-| Test.java:65:5:65:13 | continue | Test.java:64:5:64:11 | ...; |
-| Test.java:67:4:67:9 | ...; | Test.java:60:12:62:5 | { ... } |
-| Test.java:67:4:67:9 | ...; | Test.java:61:6:61:12 | ...; |
-| Test.java:70:3:70:9 | ...; | Test.java:22:4:22:10 | ...; |
-| Test.java:70:3:70:9 | ...; | Test.java:27:3:27:9 | ...; |
-| Test.java:70:3:70:9 | ...; | Test.java:30:3:30:13 | if (...) |
-| Test.java:70:3:70:9 | ...; | Test.java:30:15:33:3 | { ... } |
-| Test.java:70:3:70:9 | ...; | Test.java:31:4:31:10 | ...; |
-| Test.java:70:3:70:9 | ...; | Test.java:32:4:32:10 | ...; |
-| Test.java:70:3:70:9 | ...; | Test.java:35:3:35:9 | ...; |
-| Test.java:70:3:70:9 | ...; | Test.java:38:3:38:14 | while (...) |
-| Test.java:70:3:70:9 | ...; | Test.java:38:16:41:3 | { ... } |
-| Test.java:70:3:70:9 | ...; | Test.java:39:4:39:10 | ...; |
-| Test.java:70:3:70:9 | ...; | Test.java:40:4:40:7 | ...; |
-| Test.java:70:3:70:9 | ...; | Test.java:43:3:43:9 | ...; |
-| Test.java:70:3:70:9 | ...; | Test.java:46:3:46:29 | for (...) |
-| Test.java:70:3:70:9 | ...; | Test.java:46:31:49:3 | { ... } |
-| Test.java:70:3:70:9 | ...; | Test.java:47:4:47:9 | ...; |
-| Test.java:70:3:70:9 | ...; | Test.java:48:4:48:10 | ...; |
-| Test.java:70:3:70:9 | ...; | Test.java:51:3:51:9 | ...; |
-| Test.java:70:3:70:9 | ...; | Test.java:54:3:54:29 | for (...) |
-| Test.java:70:3:70:9 | ...; | Test.java:54:31:68:3 | { ... } |
-| Test.java:70:3:70:9 | ...; | Test.java:55:4:55:10 | ...; |
-| Test.java:70:3:70:9 | ...; | Test.java:56:4:56:12 | if (...) |
-| Test.java:70:3:70:9 | ...; | Test.java:57:5:57:13 | if (...) |
-| Test.java:70:3:70:9 | ...; | Test.java:57:15:60:5 | { ... } |
-| Test.java:70:3:70:9 | ...; | Test.java:58:6:58:11 | ...; |
-| Test.java:70:3:70:9 | ...; | Test.java:59:6:59:11 | break |
-| Test.java:70:3:70:9 | ...; | Test.java:60:12:62:5 | { ... } |
-| Test.java:70:3:70:9 | ...; | Test.java:61:6:61:12 | ...; |
-| Test.java:70:3:70:9 | ...; | Test.java:63:9:66:4 | { ... } |
-| Test.java:70:3:70:9 | ...; | Test.java:64:5:64:11 | ...; |
-| Test.java:70:3:70:9 | ...; | Test.java:65:5:65:13 | continue |
-| Test.java:70:3:70:9 | ...; | Test.java:67:4:67:9 | ...; |
-| Test.java:74:3:74:9 | ...; | Test.java:22:4:22:10 | ...; |
-| Test.java:74:3:74:9 | ...; | Test.java:27:3:27:9 | ...; |
-| Test.java:74:3:74:9 | ...; | Test.java:30:3:30:13 | if (...) |
-| Test.java:74:3:74:9 | ...; | Test.java:30:15:33:3 | { ... } |
-| Test.java:74:3:74:9 | ...; | Test.java:31:4:31:10 | ...; |
-| Test.java:74:3:74:9 | ...; | Test.java:32:4:32:10 | ...; |
-| Test.java:74:3:74:9 | ...; | Test.java:35:3:35:9 | ...; |
-| Test.java:74:3:74:9 | ...; | Test.java:38:3:38:14 | while (...) |
-| Test.java:74:3:74:9 | ...; | Test.java:38:16:41:3 | { ... } |
-| Test.java:74:3:74:9 | ...; | Test.java:39:4:39:10 | ...; |
-| Test.java:74:3:74:9 | ...; | Test.java:40:4:40:7 | ...; |
-| Test.java:74:3:74:9 | ...; | Test.java:43:3:43:9 | ...; |
-| Test.java:74:3:74:9 | ...; | Test.java:46:3:46:29 | for (...) |
-| Test.java:74:3:74:9 | ...; | Test.java:46:31:49:3 | { ... } |
-| Test.java:74:3:74:9 | ...; | Test.java:47:4:47:9 | ...; |
-| Test.java:74:3:74:9 | ...; | Test.java:48:4:48:10 | ...; |
-| Test.java:74:3:74:9 | ...; | Test.java:51:3:51:9 | ...; |
-| Test.java:74:3:74:9 | ...; | Test.java:54:3:54:29 | for (...) |
-| Test.java:74:3:74:9 | ...; | Test.java:54:31:68:3 | { ... } |
-| Test.java:74:3:74:9 | ...; | Test.java:55:4:55:10 | ...; |
-| Test.java:74:3:74:9 | ...; | Test.java:56:4:56:12 | if (...) |
-| Test.java:74:3:74:9 | ...; | Test.java:57:5:57:13 | if (...) |
-| Test.java:74:3:74:9 | ...; | Test.java:57:15:60:5 | { ... } |
-| Test.java:74:3:74:9 | ...; | Test.java:58:6:58:11 | ...; |
-| Test.java:74:3:74:9 | ...; | Test.java:59:6:59:11 | break |
-| Test.java:74:3:74:9 | ...; | Test.java:60:12:62:5 | { ... } |
-| Test.java:74:3:74:9 | ...; | Test.java:61:6:61:12 | ...; |
-| Test.java:74:3:74:9 | ...; | Test.java:63:9:66:4 | { ... } |
-| Test.java:74:3:74:9 | ...; | Test.java:64:5:64:11 | ...; |
-| Test.java:74:3:74:9 | ...; | Test.java:65:5:65:13 | continue |
-| Test.java:74:3:74:9 | ...; | Test.java:67:4:67:9 | ...; |
-| Test.java:74:3:74:9 | ...; | Test.java:70:3:70:9 | ...; |
-| Test.java:75:3:75:9 | return ... | Test.java:22:4:22:10 | ...; |
-| Test.java:75:3:75:9 | return ... | Test.java:27:3:27:9 | ...; |
+| Test.java:65:5:65:13 | continue | Test.java:64:5:64:11 | <Expr>; |
+| Test.java:67:4:67:9 | <Expr>; | Test.java:60:12:62:5 | { ... } |
+| Test.java:67:4:67:9 | <Expr>; | Test.java:61:6:61:12 | <Expr>; |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:22:4:22:10 | <Expr>; |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:27:3:27:9 | <Expr>; |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:30:3:30:13 | if (...) |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:30:15:33:3 | { ... } |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:35:3:35:9 | <Expr>; |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:38:3:38:14 | while (...) |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:38:16:41:3 | { ... } |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:46:3:46:29 | for (...;...;...) |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:46:31:49:3 | { ... } |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:54:3:54:29 | for (...;...;...) |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:54:31:68:3 | { ... } |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:55:4:55:10 | <Expr>; |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:56:4:56:12 | if (...) |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:57:5:57:13 | if (...) |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:57:15:60:5 | { ... } |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:58:6:58:11 | <Expr>; |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:59:6:59:11 | break |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:60:12:62:5 | { ... } |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:61:6:61:12 | <Expr>; |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:63:9:66:4 | { ... } |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:64:5:64:11 | <Expr>; |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:65:5:65:13 | continue |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:22:4:22:10 | <Expr>; |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:27:3:27:9 | <Expr>; |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:30:3:30:13 | if (...) |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:30:15:33:3 | { ... } |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:35:3:35:9 | <Expr>; |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:38:3:38:14 | while (...) |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:38:16:41:3 | { ... } |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:46:3:46:29 | for (...;...;...) |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:46:31:49:3 | { ... } |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:54:3:54:29 | for (...;...;...) |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:54:31:68:3 | { ... } |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:55:4:55:10 | <Expr>; |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:56:4:56:12 | if (...) |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:57:5:57:13 | if (...) |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:57:15:60:5 | { ... } |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:58:6:58:11 | <Expr>; |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:59:6:59:11 | break |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:60:12:62:5 | { ... } |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:61:6:61:12 | <Expr>; |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:63:9:66:4 | { ... } |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:64:5:64:11 | <Expr>; |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:65:5:65:13 | continue |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:74:3:74:9 | <Expr>; | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:75:3:75:9 | return ... | Test.java:22:4:22:10 | <Expr>; |
+| Test.java:75:3:75:9 | return ... | Test.java:27:3:27:9 | <Expr>; |
 | Test.java:75:3:75:9 | return ... | Test.java:30:3:30:13 | if (...) |
 | Test.java:75:3:75:9 | return ... | Test.java:30:15:33:3 | { ... } |
-| Test.java:75:3:75:9 | return ... | Test.java:31:4:31:10 | ...; |
-| Test.java:75:3:75:9 | return ... | Test.java:32:4:32:10 | ...; |
-| Test.java:75:3:75:9 | return ... | Test.java:35:3:35:9 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:31:4:31:10 | <Expr>; |
+| Test.java:75:3:75:9 | return ... | Test.java:32:4:32:10 | <Expr>; |
+| Test.java:75:3:75:9 | return ... | Test.java:35:3:35:9 | <Expr>; |
 | Test.java:75:3:75:9 | return ... | Test.java:38:3:38:14 | while (...) |
 | Test.java:75:3:75:9 | return ... | Test.java:38:16:41:3 | { ... } |
-| Test.java:75:3:75:9 | return ... | Test.java:39:4:39:10 | ...; |
-| Test.java:75:3:75:9 | return ... | Test.java:40:4:40:7 | ...; |
-| Test.java:75:3:75:9 | return ... | Test.java:43:3:43:9 | ...; |
-| Test.java:75:3:75:9 | return ... | Test.java:46:3:46:29 | for (...) |
+| Test.java:75:3:75:9 | return ... | Test.java:39:4:39:10 | <Expr>; |
+| Test.java:75:3:75:9 | return ... | Test.java:40:4:40:7 | <Expr>; |
+| Test.java:75:3:75:9 | return ... | Test.java:43:3:43:9 | <Expr>; |
+| Test.java:75:3:75:9 | return ... | Test.java:46:3:46:29 | for (...;...;...) |
 | Test.java:75:3:75:9 | return ... | Test.java:46:31:49:3 | { ... } |
-| Test.java:75:3:75:9 | return ... | Test.java:47:4:47:9 | ...; |
-| Test.java:75:3:75:9 | return ... | Test.java:48:4:48:10 | ...; |
-| Test.java:75:3:75:9 | return ... | Test.java:51:3:51:9 | ...; |
-| Test.java:75:3:75:9 | return ... | Test.java:54:3:54:29 | for (...) |
+| Test.java:75:3:75:9 | return ... | Test.java:47:4:47:9 | <Expr>; |
+| Test.java:75:3:75:9 | return ... | Test.java:48:4:48:10 | <Expr>; |
+| Test.java:75:3:75:9 | return ... | Test.java:51:3:51:9 | <Expr>; |
+| Test.java:75:3:75:9 | return ... | Test.java:54:3:54:29 | for (...;...;...) |
 | Test.java:75:3:75:9 | return ... | Test.java:54:31:68:3 | { ... } |
-| Test.java:75:3:75:9 | return ... | Test.java:55:4:55:10 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:55:4:55:10 | <Expr>; |
 | Test.java:75:3:75:9 | return ... | Test.java:56:4:56:12 | if (...) |
 | Test.java:75:3:75:9 | return ... | Test.java:57:5:57:13 | if (...) |
 | Test.java:75:3:75:9 | return ... | Test.java:57:15:60:5 | { ... } |
-| Test.java:75:3:75:9 | return ... | Test.java:58:6:58:11 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:58:6:58:11 | <Expr>; |
 | Test.java:75:3:75:9 | return ... | Test.java:59:6:59:11 | break |
 | Test.java:75:3:75:9 | return ... | Test.java:60:12:62:5 | { ... } |
-| Test.java:75:3:75:9 | return ... | Test.java:61:6:61:12 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:61:6:61:12 | <Expr>; |
 | Test.java:75:3:75:9 | return ... | Test.java:63:9:66:4 | { ... } |
-| Test.java:75:3:75:9 | return ... | Test.java:64:5:64:11 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:64:5:64:11 | <Expr>; |
 | Test.java:75:3:75:9 | return ... | Test.java:65:5:65:13 | continue |
-| Test.java:75:3:75:9 | return ... | Test.java:67:4:67:9 | ...; |
-| Test.java:75:3:75:9 | return ... | Test.java:70:3:70:9 | ...; |
-| Test.java:75:3:75:9 | return ... | Test.java:74:3:74:9 | ...; |
+| Test.java:75:3:75:9 | return ... | Test.java:67:4:67:9 | <Expr>; |
+| Test.java:75:3:75:9 | return ... | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:75:3:75:9 | return ... | Test.java:74:3:74:9 | <Expr>; |
diff --git a/java/ql/test/library-tests/controlflow/dominance/dominator.expected b/java/ql/test/library-tests/controlflow/dominance/dominator.expected
index 3fbd1f806f3..e0f1596e42b 100644
--- a/java/ql/test/library-tests/controlflow/dominance/dominator.expected
+++ b/java/ql/test/library-tests/controlflow/dominance/dominator.expected
@@ -1,26 +1,26 @@
-| Test.java:2:32:72:2 | { ... } | Test.java:3:3:3:8 | local variable declaration |
-| Test.java:3:3:3:8 | local variable declaration | Test.java:3:7:3:7 | j |
-| Test.java:3:7:3:7 | j | Test.java:4:3:4:14 | local variable declaration |
-| Test.java:4:3:4:14 | local variable declaration | Test.java:4:12:4:13 | 50 |
+| Test.java:2:32:72:2 | { ... } | Test.java:3:3:3:8 | var ...; |
+| Test.java:3:3:3:8 | var ...; | Test.java:3:7:3:7 | j |
+| Test.java:3:7:3:7 | j | Test.java:4:3:4:14 | var ...; |
+| Test.java:4:3:4:14 | var ...; | Test.java:4:12:4:13 | 50 |
 | Test.java:4:8:4:13 | y | Test.java:7:3:7:12 | if (...) |
 | Test.java:4:12:4:13 | 50 | Test.java:4:8:4:13 | y |
 | Test.java:7:3:7:12 | if (...) | Test.java:7:7:7:7 | x |
 | Test.java:7:7:7:7 | x | Test.java:7:11:7:11 | 0 |
 | Test.java:7:7:7:11 | ... > ... | Test.java:7:14:10:3 | { ... } |
 | Test.java:7:7:7:11 | ... > ... | Test.java:10:10:12:3 | { ... } |
-| Test.java:7:7:7:11 | ... > ... | Test.java:14:3:14:20 | ...; |
+| Test.java:7:7:7:11 | ... > ... | Test.java:14:3:14:20 | <Expr>; |
 | Test.java:7:11:7:11 | 0 | Test.java:7:7:7:11 | ... > ... |
-| Test.java:7:14:10:3 | { ... } | Test.java:8:4:8:10 | ...; |
-| Test.java:8:4:8:9 | ...=... | Test.java:9:4:9:10 | ...; |
-| Test.java:8:4:8:10 | ...; | Test.java:8:8:8:9 | 20 |
+| Test.java:7:14:10:3 | { ... } | Test.java:8:4:8:10 | <Expr>; |
+| Test.java:8:4:8:9 | ...=... | Test.java:9:4:9:10 | <Expr>; |
+| Test.java:8:4:8:10 | <Expr>; | Test.java:8:8:8:9 | 20 |
 | Test.java:8:8:8:9 | 20 | Test.java:8:4:8:9 | ...=... |
-| Test.java:9:4:9:10 | ...; | Test.java:9:8:9:9 | 10 |
+| Test.java:9:4:9:10 | <Expr>; | Test.java:9:8:9:9 | 10 |
 | Test.java:9:8:9:9 | 10 | Test.java:9:4:9:9 | ...=... |
-| Test.java:10:10:12:3 | { ... } | Test.java:11:4:11:10 | ...; |
-| Test.java:11:4:11:10 | ...; | Test.java:11:8:11:9 | 30 |
+| Test.java:10:10:12:3 | { ... } | Test.java:11:4:11:10 | <Expr>; |
+| Test.java:11:4:11:10 | <Expr>; | Test.java:11:8:11:9 | 30 |
 | Test.java:11:8:11:9 | 30 | Test.java:11:4:11:9 | ...=... |
 | Test.java:14:3:14:19 | ...=... | Test.java:17:3:17:12 | if (...) |
-| Test.java:14:3:14:20 | ...; | Test.java:14:14:14:14 | x |
+| Test.java:14:3:14:20 | <Expr>; | Test.java:14:14:14:14 | x |
 | Test.java:14:7:14:19 | (...)... | Test.java:14:3:14:19 | ...=... |
 | Test.java:14:14:14:14 | x | Test.java:14:18:14:18 | y |
 | Test.java:14:14:14:18 | ... + ... | Test.java:14:7:14:19 | (...)... |
@@ -28,76 +28,76 @@
 | Test.java:17:3:17:12 | if (...) | Test.java:17:7:17:7 | x |
 | Test.java:17:7:17:7 | x | Test.java:17:11:17:11 | 0 |
 | Test.java:17:7:17:11 | ... < ... | Test.java:2:6:2:9 | test |
-| Test.java:17:7:17:11 | ... < ... | Test.java:18:4:18:10 | ...; |
+| Test.java:17:7:17:11 | ... < ... | Test.java:18:4:18:10 | <Expr>; |
 | Test.java:17:7:17:11 | ... < ... | Test.java:20:11:20:11 | z |
 | Test.java:17:11:17:11 | 0 | Test.java:17:7:17:11 | ... < ... |
-| Test.java:18:4:18:9 | ...=... | Test.java:23:3:23:9 | ...; |
-| Test.java:18:4:18:10 | ...; | Test.java:18:8:18:9 | 40 |
+| Test.java:18:4:18:9 | ...=... | Test.java:23:3:23:9 | <Expr>; |
+| Test.java:18:4:18:10 | <Expr>; | Test.java:18:8:18:9 | 40 |
 | Test.java:18:8:18:9 | 40 | Test.java:18:4:18:9 | ...=... |
 | Test.java:20:11:20:11 | z | Test.java:20:4:20:12 | return ... |
 | Test.java:23:3:23:8 | ...=... | Test.java:26:3:26:13 | if (...) |
-| Test.java:23:3:23:9 | ...; | Test.java:23:7:23:8 | 10 |
+| Test.java:23:3:23:9 | <Expr>; | Test.java:23:7:23:8 | 10 |
 | Test.java:23:7:23:8 | 10 | Test.java:23:3:23:8 | ...=... |
 | Test.java:26:3:26:13 | if (...) | Test.java:26:7:26:7 | x |
 | Test.java:26:7:26:7 | x | Test.java:26:12:26:12 | 0 |
 | Test.java:26:7:26:12 | ... == ... | Test.java:26:15:29:3 | { ... } |
-| Test.java:26:7:26:12 | ... == ... | Test.java:31:3:31:9 | ...; |
+| Test.java:26:7:26:12 | ... == ... | Test.java:31:3:31:9 | <Expr>; |
 | Test.java:26:12:26:12 | 0 | Test.java:26:7:26:12 | ... == ... |
-| Test.java:26:15:29:3 | { ... } | Test.java:27:4:27:10 | ...; |
-| Test.java:27:4:27:9 | ...=... | Test.java:28:4:28:10 | ...; |
-| Test.java:27:4:27:10 | ...; | Test.java:27:8:27:9 | 60 |
+| Test.java:26:15:29:3 | { ... } | Test.java:27:4:27:10 | <Expr>; |
+| Test.java:27:4:27:9 | ...=... | Test.java:28:4:28:10 | <Expr>; |
+| Test.java:27:4:27:10 | <Expr>; | Test.java:27:8:27:9 | 60 |
 | Test.java:27:8:27:9 | 60 | Test.java:27:4:27:9 | ...=... |
-| Test.java:28:4:28:10 | ...; | Test.java:28:8:28:9 | 10 |
+| Test.java:28:4:28:10 | <Expr>; | Test.java:28:8:28:9 | 10 |
 | Test.java:28:8:28:9 | 10 | Test.java:28:4:28:9 | ...=... |
 | Test.java:31:3:31:3 | z | Test.java:31:8:31:8 | x |
 | Test.java:31:3:31:8 | ...+=... | Test.java:34:3:34:15 | while (...) |
-| Test.java:31:3:31:9 | ...; | Test.java:31:3:31:3 | z |
+| Test.java:31:3:31:9 | <Expr>; | Test.java:31:3:31:3 | z |
 | Test.java:31:8:31:8 | x | Test.java:31:3:31:8 | ...+=... |
 | Test.java:34:3:34:15 | while (...) | Test.java:34:10:34:10 | x |
 | Test.java:34:10:34:10 | x | Test.java:34:14:34:14 | 0 |
 | Test.java:34:10:34:14 | ... > ... | Test.java:34:17:37:3 | { ... } |
-| Test.java:34:10:34:14 | ... > ... | Test.java:39:3:39:9 | ...; |
+| Test.java:34:10:34:14 | ... > ... | Test.java:39:3:39:9 | <Expr>; |
 | Test.java:34:14:34:14 | 0 | Test.java:34:10:34:14 | ... > ... |
-| Test.java:34:17:37:3 | { ... } | Test.java:35:4:35:10 | ...; |
-| Test.java:35:4:35:9 | ...=... | Test.java:36:4:36:7 | ...; |
-| Test.java:35:4:35:10 | ...; | Test.java:35:8:35:9 | 10 |
+| Test.java:34:17:37:3 | { ... } | Test.java:35:4:35:10 | <Expr>; |
+| Test.java:35:4:35:9 | ...=... | Test.java:36:4:36:7 | <Expr>; |
+| Test.java:35:4:35:10 | <Expr>; | Test.java:35:8:35:9 | 10 |
 | Test.java:35:8:35:9 | 10 | Test.java:35:4:35:9 | ...=... |
 | Test.java:36:4:36:4 | x | Test.java:36:4:36:6 | ...-- |
-| Test.java:36:4:36:7 | ...; | Test.java:36:4:36:4 | x |
+| Test.java:36:4:36:7 | <Expr>; | Test.java:36:4:36:4 | x |
 | Test.java:39:3:39:3 | z | Test.java:39:8:39:8 | y |
-| Test.java:39:3:39:8 | ...+=... | Test.java:42:3:42:26 | for (...) |
-| Test.java:39:3:39:9 | ...; | Test.java:39:3:39:3 | z |
+| Test.java:39:3:39:8 | ...+=... | Test.java:42:3:42:26 | for (...;...;...) |
+| Test.java:39:3:39:9 | <Expr>; | Test.java:39:3:39:3 | z |
 | Test.java:39:8:39:8 | y | Test.java:39:3:39:8 | ...+=... |
-| Test.java:42:3:42:26 | for (...) | Test.java:42:12:42:12 | 0 |
+| Test.java:42:3:42:26 | for (...;...;...) | Test.java:42:12:42:12 | 0 |
 | Test.java:42:8:42:12 | ...=... | Test.java:42:15:42:15 | j |
 | Test.java:42:12:42:12 | 0 | Test.java:42:8:42:12 | ...=... |
 | Test.java:42:15:42:15 | j | Test.java:42:19:42:20 | 10 |
 | Test.java:42:15:42:20 | ... < ... | Test.java:42:28:45:3 | { ... } |
-| Test.java:42:15:42:20 | ... < ... | Test.java:47:3:47:9 | ...; |
+| Test.java:42:15:42:20 | ... < ... | Test.java:47:3:47:9 | <Expr>; |
 | Test.java:42:19:42:20 | 10 | Test.java:42:15:42:20 | ... < ... |
 | Test.java:42:23:42:23 | j | Test.java:42:23:42:25 | ...++ |
-| Test.java:42:28:45:3 | { ... } | Test.java:43:4:43:9 | ...; |
-| Test.java:43:4:43:8 | ...=... | Test.java:44:4:44:10 | ...; |
-| Test.java:43:4:43:9 | ...; | Test.java:43:8:43:8 | 0 |
+| Test.java:42:28:45:3 | { ... } | Test.java:43:4:43:9 | <Expr>; |
+| Test.java:43:4:43:8 | ...=... | Test.java:44:4:44:10 | <Expr>; |
+| Test.java:43:4:43:9 | <Expr>; | Test.java:43:8:43:8 | 0 |
 | Test.java:43:8:43:8 | 0 | Test.java:43:4:43:8 | ...=... |
 | Test.java:44:4:44:9 | ...=... | Test.java:42:23:42:23 | j |
-| Test.java:44:4:44:10 | ...; | Test.java:44:8:44:9 | 10 |
+| Test.java:44:4:44:10 | <Expr>; | Test.java:44:8:44:9 | 10 |
 | Test.java:44:8:44:9 | 10 | Test.java:44:4:44:9 | ...=... |
 | Test.java:47:3:47:3 | z | Test.java:47:8:47:8 | w |
-| Test.java:47:3:47:8 | ...+=... | Test.java:50:3:50:26 | for (...) |
-| Test.java:47:3:47:9 | ...; | Test.java:47:3:47:3 | z |
+| Test.java:47:3:47:8 | ...+=... | Test.java:50:3:50:26 | for (...;...;...) |
+| Test.java:47:3:47:9 | <Expr>; | Test.java:47:3:47:3 | z |
 | Test.java:47:8:47:8 | w | Test.java:47:3:47:8 | ...+=... |
-| Test.java:50:3:50:26 | for (...) | Test.java:50:12:50:12 | 0 |
+| Test.java:50:3:50:26 | for (...;...;...) | Test.java:50:12:50:12 | 0 |
 | Test.java:50:8:50:12 | ...=... | Test.java:50:15:50:15 | j |
 | Test.java:50:12:50:12 | 0 | Test.java:50:8:50:12 | ...=... |
 | Test.java:50:15:50:15 | j | Test.java:50:19:50:20 | 10 |
 | Test.java:50:15:50:20 | ... < ... | Test.java:50:28:64:3 | { ... } |
-| Test.java:50:15:50:20 | ... < ... | Test.java:66:3:66:17 | ...; |
+| Test.java:50:15:50:20 | ... < ... | Test.java:66:3:66:17 | <Expr>; |
 | Test.java:50:19:50:20 | 10 | Test.java:50:15:50:20 | ... < ... |
 | Test.java:50:23:50:23 | j | Test.java:50:23:50:25 | ...++ |
-| Test.java:50:28:64:3 | { ... } | Test.java:51:4:51:10 | ...; |
+| Test.java:50:28:64:3 | { ... } | Test.java:51:4:51:10 | <Expr>; |
 | Test.java:51:4:51:9 | ...=... | Test.java:52:4:52:13 | if (...) |
-| Test.java:51:4:51:10 | ...; | Test.java:51:8:51:9 | 30 |
+| Test.java:51:4:51:10 | <Expr>; | Test.java:51:8:51:9 | 30 |
 | Test.java:51:8:51:9 | 30 | Test.java:51:4:51:9 | ...=... |
 | Test.java:52:4:52:13 | if (...) | Test.java:52:8:52:8 | z |
 | Test.java:52:8:52:8 | z | Test.java:52:12:52:12 | 0 |
@@ -110,56 +110,56 @@
 | Test.java:53:9:53:13 | ... > ... | Test.java:53:16:56:5 | { ... } |
 | Test.java:53:9:53:13 | ... > ... | Test.java:56:12:58:5 | { ... } |
 | Test.java:53:13:53:13 | 0 | Test.java:53:9:53:13 | ... > ... |
-| Test.java:53:16:56:5 | { ... } | Test.java:54:6:54:11 | ...; |
+| Test.java:53:16:56:5 | { ... } | Test.java:54:6:54:11 | <Expr>; |
 | Test.java:54:6:54:10 | ...=... | Test.java:55:6:55:11 | break |
-| Test.java:54:6:54:11 | ...; | Test.java:54:10:54:10 | 0 |
+| Test.java:54:6:54:11 | <Expr>; | Test.java:54:10:54:10 | 0 |
 | Test.java:54:10:54:10 | 0 | Test.java:54:6:54:10 | ...=... |
-| Test.java:56:12:58:5 | { ... } | Test.java:57:6:57:12 | ...; |
-| Test.java:57:6:57:11 | ...=... | Test.java:63:4:63:9 | ...; |
-| Test.java:57:6:57:12 | ...; | Test.java:57:10:57:11 | 20 |
+| Test.java:56:12:58:5 | { ... } | Test.java:57:6:57:12 | <Expr>; |
+| Test.java:57:6:57:11 | ...=... | Test.java:63:4:63:9 | <Expr>; |
+| Test.java:57:6:57:12 | <Expr>; | Test.java:57:10:57:11 | 20 |
 | Test.java:57:10:57:11 | 20 | Test.java:57:6:57:11 | ...=... |
-| Test.java:59:9:62:4 | { ... } | Test.java:60:5:60:11 | ...; |
+| Test.java:59:9:62:4 | { ... } | Test.java:60:5:60:11 | <Expr>; |
 | Test.java:60:5:60:10 | ...=... | Test.java:61:5:61:13 | continue |
-| Test.java:60:5:60:11 | ...; | Test.java:60:9:60:10 | 10 |
+| Test.java:60:5:60:11 | <Expr>; | Test.java:60:9:60:10 | 10 |
 | Test.java:60:9:60:10 | 10 | Test.java:60:5:60:10 | ...=... |
-| Test.java:63:4:63:9 | ...; | Test.java:63:8:63:8 | 0 |
+| Test.java:63:4:63:9 | <Expr>; | Test.java:63:8:63:8 | 0 |
 | Test.java:63:8:63:8 | 0 | Test.java:63:4:63:8 | ...=... |
 | Test.java:66:3:66:3 | z | Test.java:66:8:66:8 | x |
-| Test.java:66:3:66:16 | ...+=... | Test.java:70:3:70:9 | ...; |
-| Test.java:66:3:66:17 | ...; | Test.java:66:3:66:3 | z |
+| Test.java:66:3:66:16 | ...+=... | Test.java:70:3:70:9 | <Expr>; |
+| Test.java:66:3:66:17 | <Expr>; | Test.java:66:3:66:3 | z |
 | Test.java:66:8:66:8 | x | Test.java:66:12:66:12 | y |
 | Test.java:66:8:66:12 | ... + ... | Test.java:66:16:66:16 | w |
 | Test.java:66:8:66:16 | ... + ... | Test.java:66:3:66:16 | ...+=... |
 | Test.java:66:12:66:12 | y | Test.java:66:8:66:12 | ... + ... |
 | Test.java:66:16:66:16 | w | Test.java:66:8:66:16 | ... + ... |
 | Test.java:70:3:70:8 | ...=... | Test.java:71:10:71:10 | w |
-| Test.java:70:3:70:9 | ...; | Test.java:70:7:70:8 | 40 |
+| Test.java:70:3:70:9 | <Expr>; | Test.java:70:7:70:8 | 40 |
 | Test.java:70:7:70:8 | 40 | Test.java:70:3:70:8 | ...=... |
 | Test.java:71:10:71:10 | w | Test.java:71:3:71:11 | return ... |
-| Test.java:74:19:91:2 | { ... } | Test.java:76:3:76:8 | local variable declaration |
-| Test.java:76:3:76:8 | local variable declaration | Test.java:76:7:76:7 | b |
-| Test.java:76:7:76:7 | b | Test.java:77:3:77:8 | local variable declaration |
-| Test.java:77:3:77:8 | local variable declaration | Test.java:77:7:77:7 | c |
-| Test.java:77:7:77:7 | c | Test.java:78:3:78:8 | ...; |
+| Test.java:74:19:91:2 | { ... } | Test.java:76:3:76:8 | var ...; |
+| Test.java:76:3:76:8 | var ...; | Test.java:76:7:76:7 | b |
+| Test.java:76:7:76:7 | b | Test.java:77:3:77:8 | var ...; |
+| Test.java:77:3:77:8 | var ...; | Test.java:77:7:77:7 | c |
+| Test.java:77:7:77:7 | c | Test.java:78:3:78:8 | <Expr>; |
 | Test.java:78:3:78:7 | ...=... | Test.java:79:3:79:13 | while (...) |
-| Test.java:78:3:78:8 | ...; | Test.java:78:7:78:7 | 0 |
+| Test.java:78:3:78:8 | <Expr>; | Test.java:78:7:78:7 | 0 |
 | Test.java:78:7:78:7 | 0 | Test.java:78:3:78:7 | ...=... |
 | Test.java:79:3:79:13 | while (...) | Test.java:79:9:79:12 | true |
 | Test.java:79:9:79:12 | true | Test.java:79:15:89:3 | { ... } |
-| Test.java:79:15:89:3 | { ... } | Test.java:80:4:80:10 | ...; |
+| Test.java:79:15:89:3 | { ... } | Test.java:80:4:80:10 | <Expr>; |
 | Test.java:80:4:80:9 | ...=... | Test.java:81:4:81:15 | if (...) |
-| Test.java:80:4:80:10 | ...; | Test.java:80:8:80:9 | 10 |
+| Test.java:80:4:80:10 | <Expr>; | Test.java:80:8:80:9 | 10 |
 | Test.java:80:8:80:9 | 10 | Test.java:80:4:80:9 | ...=... |
 | Test.java:81:4:81:15 | if (...) | Test.java:81:8:81:8 | a |
 | Test.java:81:8:81:8 | a | Test.java:81:12:81:14 | 100 |
 | Test.java:81:8:81:14 | ... > ... | Test.java:81:17:84:4 | { ... } |
 | Test.java:81:8:81:14 | ... > ... | Test.java:85:4:85:15 | if (...) |
 | Test.java:81:12:81:14 | 100 | Test.java:81:8:81:14 | ... > ... |
-| Test.java:81:17:84:4 | { ... } | Test.java:82:5:82:11 | ...; |
-| Test.java:82:5:82:10 | ...=... | Test.java:83:5:83:10 | ...; |
-| Test.java:82:5:82:11 | ...; | Test.java:82:9:82:10 | 10 |
+| Test.java:81:17:84:4 | { ... } | Test.java:82:5:82:11 | <Expr>; |
+| Test.java:82:5:82:10 | ...=... | Test.java:83:5:83:10 | <Expr>; |
+| Test.java:82:5:82:11 | <Expr>; | Test.java:82:9:82:10 | 10 |
 | Test.java:82:9:82:10 | 10 | Test.java:82:5:82:10 | ...=... |
-| Test.java:83:5:83:10 | ...; | Test.java:83:9:83:9 | c |
+| Test.java:83:5:83:10 | <Expr>; | Test.java:83:9:83:9 | c |
 | Test.java:83:9:83:9 | c | Test.java:83:5:83:9 | ...=... |
 | Test.java:85:4:85:15 | if (...) | Test.java:85:8:85:8 | a |
 | Test.java:85:8:85:8 | a | Test.java:85:13:85:14 | 10 |
diff --git a/java/ql/test/library-tests/guards/guards.expected b/java/ql/test/library-tests/guards/guards.expected
index 1b7b7d4273d..2c5bff6233a 100644
--- a/java/ql/test/library-tests/guards/guards.expected
+++ b/java/ql/test/library-tests/guards/guards.expected
@@ -1,25 +1,25 @@
-| Test.java:5:7:5:11 | ... < ... | false | Test.java:8:3:8:12 | local variable declaration |
+| Test.java:5:7:5:11 | ... < ... | false | Test.java:8:3:8:12 | var ...; |
 | Test.java:5:7:5:11 | ... < ... | false | Test.java:9:9:9:9 | x |
 | Test.java:5:7:5:11 | ... < ... | false | Test.java:9:17:22:3 | { ... } |
-| Test.java:5:7:5:11 | ... < ... | false | Test.java:11:5:11:8 | ...; |
+| Test.java:5:7:5:11 | ... < ... | false | Test.java:11:5:11:8 | <Expr>; |
 | Test.java:5:7:5:11 | ... < ... | false | Test.java:12:4:12:14 | if (...) |
 | Test.java:5:7:5:11 | ... < ... | false | Test.java:12:16:16:4 | { ... } |
 | Test.java:5:7:5:11 | ... < ... | false | Test.java:16:11:16:21 | if (...) |
 | Test.java:5:7:5:11 | ... < ... | false | Test.java:16:23:18:4 | { ... } |
 | Test.java:5:7:5:11 | ... < ... | false | Test.java:18:11:18:22 | if (...) |
 | Test.java:5:7:5:11 | ... < ... | false | Test.java:18:24:20:4 | { ... } |
-| Test.java:5:7:5:11 | ... < ... | false | Test.java:21:4:21:7 | ...; |
+| Test.java:5:7:5:11 | ... < ... | false | Test.java:21:4:21:7 | <Expr>; |
 | Test.java:5:7:5:11 | ... < ... | true | Test.java:5:14:7:3 | { ... } |
 | Test.java:9:9:9:14 | ... >= ... | true | Test.java:9:17:22:3 | { ... } |
-| Test.java:9:9:9:14 | ... >= ... | true | Test.java:11:5:11:8 | ...; |
+| Test.java:9:9:9:14 | ... >= ... | true | Test.java:11:5:11:8 | <Expr>; |
 | Test.java:9:9:9:14 | ... >= ... | true | Test.java:12:4:12:14 | if (...) |
 | Test.java:9:9:9:14 | ... >= ... | true | Test.java:12:16:16:4 | { ... } |
 | Test.java:9:9:9:14 | ... >= ... | true | Test.java:16:11:16:21 | if (...) |
 | Test.java:9:9:9:14 | ... >= ... | true | Test.java:16:23:18:4 | { ... } |
 | Test.java:9:9:9:14 | ... >= ... | true | Test.java:18:11:18:22 | if (...) |
 | Test.java:9:9:9:14 | ... >= ... | true | Test.java:18:24:20:4 | { ... } |
-| Test.java:9:9:9:14 | ... >= ... | true | Test.java:21:4:21:7 | ...; |
-| Test.java:10:8:10:13 | ... >= ... | true | Test.java:11:5:11:8 | ...; |
+| Test.java:9:9:9:14 | ... >= ... | true | Test.java:21:4:21:7 | <Expr>; |
+| Test.java:10:8:10:13 | ... >= ... | true | Test.java:11:5:11:8 | <Expr>; |
 | Test.java:12:8:12:13 | ... > ... | false | Test.java:16:11:16:21 | if (...) |
 | Test.java:12:8:12:13 | ... > ... | false | Test.java:16:23:18:4 | { ... } |
 | Test.java:12:8:12:13 | ... > ... | false | Test.java:18:11:18:22 | if (...) |
@@ -30,12 +30,12 @@
 | Test.java:16:15:16:20 | ... < ... | true | Test.java:16:23:18:4 | { ... } |
 | Test.java:18:15:18:21 | ... == ... | true | Test.java:18:24:20:4 | { ... } |
 | Test.java:27:7:27:11 | ... > ... | false | Test.java:31:10:36:3 | { ... } |
-| Test.java:27:7:27:11 | ... > ... | false | Test.java:34:5:34:8 | ...; |
-| Test.java:27:7:27:11 | ... > ... | false | Test.java:35:4:35:10 | ...; |
+| Test.java:27:7:27:11 | ... > ... | false | Test.java:34:5:34:8 | <Expr>; |
+| Test.java:27:7:27:11 | ... > ... | false | Test.java:35:4:35:10 | <Expr>; |
 | Test.java:27:7:27:11 | ... > ... | true | Test.java:27:14:31:3 | { ... } |
 | Test.java:27:7:27:11 | ... > ... | true | Test.java:29:8:29:28 | w |
 | Test.java:27:7:27:11 | ... > ... | true | Test.java:29:24:29:24 | 0 |
 | Test.java:27:7:27:11 | ... > ... | true | Test.java:29:28:29:28 | 1 |
 | Test.java:29:13:29:19 | ... < ... | false | Test.java:29:28:29:28 | 1 |
 | Test.java:29:13:29:19 | ... < ... | true | Test.java:29:24:29:24 | 0 |
-| Test.java:33:8:33:18 | ... < ... | true | Test.java:34:5:34:8 | ...; |
+| Test.java:33:8:33:18 | ... < ... | true | Test.java:34:5:34:8 | <Expr>; |
diff --git a/java/ql/test/library-tests/guards/guardslogic.expected b/java/ql/test/library-tests/guards/guardslogic.expected
index f92d61148fe..a007f2ce896 100644
--- a/java/ql/test/library-tests/guards/guardslogic.expected
+++ b/java/ql/test/library-tests/guards/guardslogic.expected
@@ -20,7 +20,7 @@
 | Logic.java:17:11:17:15 | ... > ... | true | Logic.java:17:18:17:23 | break |
 | Logic.java:19:9:19:12 | g(...) | false | Logic.java:24:7:24:17 | case ... |
 | Logic.java:19:9:19:12 | g(...) | false | Logic.java:26:7:26:14 | default |
-| Logic.java:19:9:19:12 | g(...) | true | Logic.java:20:7:20:16 | ...; |
+| Logic.java:19:9:19:12 | g(...) | true | Logic.java:20:7:20:16 | <Expr>; |
 | Logic.java:22:7:22:17 | case ... | false | Logic.java:26:7:26:14 | default |
 | Logic.java:22:7:22:17 | case ... | true | Logic.java:22:7:22:17 | case ... |
 | Logic.java:24:7:24:17 | case ... | false | Logic.java:26:7:26:14 | default |
@@ -30,19 +30,19 @@
 | Logic.java:29:16:29:19 | g(...) | false | Logic.java:30:30:31:5 | { ... } |
 | Logic.java:29:16:29:19 | g(...) | true | Logic.java:29:23:29:26 | null |
 | Logic.java:30:9:30:27 | ...instanceof... | true | Logic.java:30:30:31:5 | { ... } |
-| Logic.java:35:5:35:29 | checkTrue(...) | true | Logic.java:36:5:36:28 | ...; |
+| Logic.java:35:5:35:29 | checkTrue(...) | true | Logic.java:36:5:36:28 | <Expr>; |
 | Logic.java:35:5:35:29 | checkTrue(...) | true | Logic.java:37:5:37:15 | if (...) |
 | Logic.java:35:5:35:29 | checkTrue(...) | true | Logic.java:37:17:39:5 | { ... } |
-| Logic.java:35:5:35:29 | checkTrue(...) | true | Logic.java:40:5:40:18 | local variable declaration |
-| Logic.java:35:15:35:19 | ... > ... | true | Logic.java:36:5:36:28 | ...; |
+| Logic.java:35:5:35:29 | checkTrue(...) | true | Logic.java:40:5:40:18 | var ...; |
+| Logic.java:35:15:35:19 | ... > ... | true | Logic.java:36:5:36:28 | <Expr>; |
 | Logic.java:35:15:35:19 | ... > ... | true | Logic.java:37:5:37:15 | if (...) |
 | Logic.java:35:15:35:19 | ... > ... | true | Logic.java:37:17:39:5 | { ... } |
-| Logic.java:35:15:35:19 | ... > ... | true | Logic.java:40:5:40:18 | local variable declaration |
+| Logic.java:35:15:35:19 | ... > ... | true | Logic.java:40:5:40:18 | var ...; |
 | Logic.java:36:5:36:27 | checkFalse(...) | false | Logic.java:37:5:37:15 | if (...) |
 | Logic.java:36:5:36:27 | checkFalse(...) | false | Logic.java:37:17:39:5 | { ... } |
-| Logic.java:36:5:36:27 | checkFalse(...) | false | Logic.java:40:5:40:18 | local variable declaration |
+| Logic.java:36:5:36:27 | checkFalse(...) | false | Logic.java:40:5:40:18 | var ...; |
 | Logic.java:36:16:36:21 | g(...) | false | Logic.java:37:5:37:15 | if (...) |
 | Logic.java:36:16:36:21 | g(...) | false | Logic.java:37:17:39:5 | { ... } |
-| Logic.java:36:16:36:21 | g(...) | false | Logic.java:40:5:40:18 | local variable declaration |
+| Logic.java:36:16:36:21 | g(...) | false | Logic.java:40:5:40:18 | var ...; |
 | Logic.java:37:9:37:14 | ... > ... | true | Logic.java:37:17:39:5 | { ... } |
 | Logic.java:44:10:44:10 | b | false | Logic.java:44:33:44:35 | msg |
diff --git a/java/ql/test/library-tests/guards12/PrintAst.expected b/java/ql/test/library-tests/guards12/PrintAst.expected
index 4b28449b418..1df3423239b 100644
--- a/java/ql/test/library-tests/guards12/PrintAst.expected
+++ b/java/ql/test/library-tests/guards12/PrintAst.expected
@@ -7,7 +7,7 @@ Test.java:
 #    2|         0: [Parameter] s
 #    2|           0: [TypeAccess] String
 #    2|       5: [BlockStmt] { ... }
-#    3|         0: [LocalVariableDeclStmt] local variable declaration
+#    3|         0: [LocalVariableDeclStmt] var ...;
 #    3|           0: [TypeAccess] int
 #    3|           1: [LocalVariableDeclExpr] x
 #    3|             0: [SwitchExpr] switch (...)
diff --git a/java/ql/test/library-tests/java7/MultiCatch/MultiCatchControlFlow.expected b/java/ql/test/library-tests/java7/MultiCatch/MultiCatchControlFlow.expected
index 29e14d3c120..40a8e58c4fe 100644
--- a/java/ql/test/library-tests/java7/MultiCatch/MultiCatchControlFlow.expected
+++ b/java/ql/test/library-tests/java7/MultiCatch/MultiCatchControlFlow.expected
@@ -12,10 +12,10 @@
 | MultiCatch.java:14:11:14:28 | new SQLException(...) | MultiCatch.java:14:5:14:29 | throw ... |
 | MultiCatch.java:15:5:15:37 | catch (...) | MultiCatch.java:15:36:15:36 | e |
 | MultiCatch.java:15:36:15:36 | e | MultiCatch.java:16:3:19:3 | { ... } |
-| MultiCatch.java:16:3:19:3 | { ... } | MultiCatch.java:17:4:17:23 | ...; |
+| MultiCatch.java:16:3:19:3 | { ... } | MultiCatch.java:17:4:17:23 | <Expr>; |
 | MultiCatch.java:17:4:17:4 | e | MultiCatch.java:17:4:17:22 | printStackTrace(...) |
 | MultiCatch.java:17:4:17:22 | printStackTrace(...) | MultiCatch.java:18:10:18:10 | e |
-| MultiCatch.java:17:4:17:23 | ...; | MultiCatch.java:17:4:17:4 | e |
+| MultiCatch.java:17:4:17:23 | <Expr>; | MultiCatch.java:17:4:17:4 | e |
 | MultiCatch.java:18:4:18:11 | throw ... | MultiCatch.java:7:14:7:23 | multiCatch |
 | MultiCatch.java:18:10:18:10 | e | MultiCatch.java:18:4:18:11 | throw ... |
 | MultiCatch.java:23:2:33:2 | { ... } | MultiCatch.java:24:3:32:4 | try ... |
diff --git a/java/ql/test/library-tests/localvars/LocalVarDeclStmtChildren.expected b/java/ql/test/library-tests/localvars/LocalVarDeclStmtChildren.expected
index 79c41ba9e46..31d1c66a1e4 100644
--- a/java/ql/test/library-tests/localvars/LocalVarDeclStmtChildren.expected
+++ b/java/ql/test/library-tests/localvars/LocalVarDeclStmtChildren.expected
@@ -1,11 +1,11 @@
-| localvars/LocalVarTest.java:7:9:7:28 | local variable declaration | 0 | localvars/LocalVarTest.java:7:9:7:11 | int |
-| localvars/LocalVarTest.java:7:9:7:28 | local variable declaration | 1 | localvars/LocalVarTest.java:7:13:7:18 | x |
-| localvars/LocalVarTest.java:7:9:7:28 | local variable declaration | 2 | localvars/LocalVarTest.java:7:22:7:27 | y |
-| localvars/LocalVarTest.java:8:9:8:20 | local variable declaration | 0 | localvars/LocalVarTest.java:8:9:8:11 | int |
-| localvars/LocalVarTest.java:8:9:8:20 | local variable declaration | 1 | localvars/LocalVarTest.java:8:13:8:18 | z |
-| localvars/LocalVarTest.java:9:9:9:35 | local variable declaration | 0 | localvars/LocalVarTest.java:9:9:9:20 | List<String> |
-| localvars/LocalVarTest.java:9:9:9:35 | local variable declaration | 1 | localvars/LocalVarTest.java:9:22:9:23 | l1 |
-| localvars/LocalVarTest.java:9:9:9:35 | local variable declaration | 2 | localvars/LocalVarTest.java:9:26:9:34 | l2 |
-| localvars/LocalVarTest.java:12:13:12:33 | local variable declaration | 0 | localvars/LocalVarTest.java:12:13:12:18 | Object |
-| localvars/LocalVarTest.java:12:13:12:33 | local variable declaration | 1 | localvars/LocalVarTest.java:12:20:12:27 | o |
-| localvars/LocalVarTest.java:12:13:12:33 | local variable declaration | 2 | localvars/LocalVarTest.java:12:30:12:30 | p |
+| localvars/LocalVarTest.java:7:9:7:28 | var ...; | 0 | localvars/LocalVarTest.java:7:9:7:11 | int |
+| localvars/LocalVarTest.java:7:9:7:28 | var ...; | 1 | localvars/LocalVarTest.java:7:13:7:18 | x |
+| localvars/LocalVarTest.java:7:9:7:28 | var ...; | 2 | localvars/LocalVarTest.java:7:22:7:27 | y |
+| localvars/LocalVarTest.java:8:9:8:20 | var ...; | 0 | localvars/LocalVarTest.java:8:9:8:11 | int |
+| localvars/LocalVarTest.java:8:9:8:20 | var ...; | 1 | localvars/LocalVarTest.java:8:13:8:18 | z |
+| localvars/LocalVarTest.java:9:9:9:35 | var ...; | 0 | localvars/LocalVarTest.java:9:9:9:20 | List<String> |
+| localvars/LocalVarTest.java:9:9:9:35 | var ...; | 1 | localvars/LocalVarTest.java:9:22:9:23 | l1 |
+| localvars/LocalVarTest.java:9:9:9:35 | var ...; | 2 | localvars/LocalVarTest.java:9:26:9:34 | l2 |
+| localvars/LocalVarTest.java:12:13:12:33 | var ...; | 0 | localvars/LocalVarTest.java:12:13:12:18 | Object |
+| localvars/LocalVarTest.java:12:13:12:33 | var ...; | 1 | localvars/LocalVarTest.java:12:20:12:27 | o |
+| localvars/LocalVarTest.java:12:13:12:33 | var ...; | 2 | localvars/LocalVarTest.java:12:30:12:30 | p |
diff --git a/java/ql/test/library-tests/localvars/TypeAccesses.expected b/java/ql/test/library-tests/localvars/TypeAccesses.expected
index cf3ac2eb017..3110b2c7965 100644
--- a/java/ql/test/library-tests/localvars/TypeAccesses.expected
+++ b/java/ql/test/library-tests/localvars/TypeAccesses.expected
@@ -1,13 +1,13 @@
 | localvars/LocalVarTest.java:6:9:6:11 | int | localvars/LocalVarTest.java:6:13:6:17 | test1 | -1 |
-| localvars/LocalVarTest.java:7:9:7:11 | int | localvars/LocalVarTest.java:7:9:7:28 | local variable declaration | 0 |
-| localvars/LocalVarTest.java:8:9:8:11 | int | localvars/LocalVarTest.java:8:9:8:20 | local variable declaration | 0 |
-| localvars/LocalVarTest.java:9:9:9:20 | List<String> | localvars/LocalVarTest.java:9:9:9:35 | local variable declaration | 0 |
+| localvars/LocalVarTest.java:7:9:7:11 | int | localvars/LocalVarTest.java:7:9:7:28 | var ...; | 0 |
+| localvars/LocalVarTest.java:8:9:8:11 | int | localvars/LocalVarTest.java:8:9:8:20 | var ...; | 0 |
+| localvars/LocalVarTest.java:9:9:9:20 | List<String> | localvars/LocalVarTest.java:9:9:9:35 | var ...; | 0 |
 | localvars/LocalVarTest.java:9:14:9:19 | String | localvars/LocalVarTest.java:9:9:9:20 | List<String> | 0 |
-| localvars/LocalVarTest.java:12:13:12:18 | Object | localvars/LocalVarTest.java:12:13:12:33 | local variable declaration | 0 |
+| localvars/LocalVarTest.java:12:13:12:18 | Object | localvars/LocalVarTest.java:12:13:12:33 | var ...; | 0 |
 | localvars/LocalVarTest.java:17:9:17:12 | void | localvars/LocalVarTest.java:17:14:17:18 | test2 | -1 |
 | localvars/LocalVarTest.java:17:20:17:31 | List<String> | localvars/LocalVarTest.java:17:20:17:33 | l | -1 |
 | localvars/LocalVarTest.java:17:25:17:30 | String | localvars/LocalVarTest.java:17:20:17:31 | List<String> | 0 |
-| localvars/LocalVarTest.java:18:13:18:15 | int | localvars/LocalVarTest.java:18:9:18:29 | for (...) | 0 |
-| localvars/LocalVarTest.java:19:13:19:15 | int | localvars/LocalVarTest.java:19:9:19:37 | for (...) | 0 |
+| localvars/LocalVarTest.java:18:13:18:15 | int | localvars/LocalVarTest.java:18:9:18:29 | for (...;...;...) | 0 |
+| localvars/LocalVarTest.java:19:13:19:15 | int | localvars/LocalVarTest.java:19:9:19:37 | for (...;...;...) | 0 |
 | localvars/LocalVarTest.java:20:13:20:18 | String | localvars/LocalVarTest.java:20:9:20:25 | for (... : ...) | -1 |
 | localvars/LocalVarTest.java:22:17:22:32 | RuntimeException | localvars/LocalVarTest.java:22:11:22:35 | catch (...) | -1 |
diff --git a/java/ql/test/library-tests/printAst/PrintAst.expected b/java/ql/test/library-tests/printAst/PrintAst.expected
index b89a04e5ffc..998717d5ea8 100644
--- a/java/ql/test/library-tests/printAst/PrintAst.expected
+++ b/java/ql/test/library-tests/printAst/PrintAst.expected
@@ -31,13 +31,13 @@ A.java:
 #   20|               1: [StringLiteral] "all"
 #   20|           0: [TypeAccess] String
 #   20|       5: [BlockStmt] { ... }
-#   21|         0: [LocalVariableDeclStmt] local variable declaration
+#   21|         0: [LocalVariableDeclStmt] var ...;
 #   21|           0: [TypeAccess] int
 #   21|           1: [LocalVariableDeclExpr] i
 #   21|             0: [IntegerLiteral] 0
 #   21|           2: [LocalVariableDeclExpr] j
 #   21|             0: [IntegerLiteral] 1
-#   23|         1: [ForStmt] for (...)
+#   23|         1: [ForStmt] for (...;...;...)
 #-----|           0: (For Initializers) 
 #   23|             1: [AssignExpr] ...=...
 #   23|               0: [VarAccess] i
@@ -51,7 +51,7 @@ A.java:
 #   23|           2: [BlockStmt] { ... }
 #   23|           3: [PostIncExpr] ...++
 #   23|             0: [VarAccess] i
-#   25|         2: [ForStmt] for (...)
+#   25|         2: [ForStmt] for (...;...;...)
 #-----|           0: (For Initializers) 
 #   25|             0: [TypeAccess] int
 #   25|             1: [LocalVariableDeclExpr] m
@@ -70,7 +70,7 @@ A.java:
 #   30|       -1: [TypeAccess] int
 #   30|       0: [IntegerLiteral] 1
 #   32|     7: [BlockStmt] { ... }
-#   33|       0: [ExprStmt] ...;
+#   33|       0: [ExprStmt] <Expr>;
 #   33|         0: [AssignExpr] ...=...
 #   33|           0: [VarAccess] counter
 #   33|           1: [MethodAccess] doSomething(...)
@@ -97,7 +97,7 @@ A.java:
 #   45|         0: [TryStmt] try ...
 #   45|           -1: [BlockStmt] { ... }
 #   46|             0: [EnhancedForStmt] for (... : ...)
-#-----|               0: (Single Local Variable Declaration)
+#-----|               0: (Single var ...;)
 #   46|                 0: [TypeAccess] Object
 #   46|                 1: [LocalVariableDeclExpr] thing
 #   46|               1: [VarAccess] things
@@ -110,7 +110,7 @@ A.java:
 #   48|                     0: [ReturnStmt] return ...
 #   50|                 1: [IfStmt] if (...)
 #   50|                   0: [InstanceOfExpr] ...instanceof...
-#-----|                     0: (Single Local Variable Declaration)
+#-----|                     0: (Single var ...;)
 #   50|                       0: [TypeAccess] String
 #   50|                       1: [LocalVariableDeclExpr] s
 #   50|                         0: [VarAccess] thing
@@ -120,7 +120,7 @@ A.java:
 #   51|                         -3: [TypeAccess] RuntimeException
 #   51|                         0: [VarAccess] s
 #   55|           0: [CatchClause] catch (...)
-#-----|             0: (Single Local Variable Declaration)
+#-----|             0: (Single var ...;)
 #   55|               0: [TypeAccess] RuntimeException
 #   55|               1: [LocalVariableDeclExpr] rte
 #   55|             1: [BlockStmt] { ... }
diff --git a/java/ql/test/library-tests/reflection/PrintAst.expected b/java/ql/test/library-tests/reflection/PrintAst.expected
index 76560acf118..5792e10b90f 100644
--- a/java/ql/test/library-tests/reflection/PrintAst.expected
+++ b/java/ql/test/library-tests/reflection/PrintAst.expected
@@ -31,7 +31,7 @@ reflection/ReflectiveAccess.java:
 #   17|           0: [ArrayTypeAccess] ...[]
 #   17|             0: [TypeAccess] String
 #   17|       5: [BlockStmt] { ... }
-#   18|         0: [LocalVariableDeclStmt] local variable declaration
+#   18|         0: [LocalVariableDeclStmt] var ...;
 #   18|           0: [TypeAccess] Class<?>
 #   18|             0: [WildcardTypeAccess] ? ...
 #   18|           1: [LocalVariableDeclExpr] testClass
diff --git a/java/ql/test/library-tests/ssa/ssaDef.expected b/java/ql/test/library-tests/ssa/ssaDef.expected
index 8c9e9cfec51..899ca19301a 100644
--- a/java/ql/test/library-tests/ssa/ssaDef.expected
+++ b/java/ql/test/library-tests/ssa/ssaDef.expected
@@ -5,11 +5,11 @@
 | Fields.java:13:15:13:16 | this.xs | Fields.java:12:19:21:3 | { ... } | SSA init(this.xs) |
 | Fields.java:13:15:13:16 | this.xs | Fields.java:14:5:14:9 | upd(...) | SSA impl upd[nonlocal](this.xs) |
 | Fields.java:13:15:13:16 | this.xs | Fields.java:17:7:17:11 | upd(...) | SSA impl upd[nonlocal](this.xs) |
-| Fields.java:13:15:13:16 | this.xs | Fields.java:18:5:18:16 | ...; | SSA phi(this.xs) |
+| Fields.java:13:15:13:16 | this.xs | Fields.java:18:5:18:16 | <Expr>; | SSA phi(this.xs) |
 | Fields.java:13:15:13:16 | this.xs | Fields.java:19:5:19:19 | ...=... | SSA def(this.xs) |
 | Fields.java:24:5:24:28 | f | Fields.java:24:12:24:27 | f | SSA def(f) |
 | Fields.java:24:5:24:28 | f | Fields.java:43:7:43:22 | ...=... | SSA def(f) |
-| Fields.java:24:5:24:28 | f | Fields.java:44:5:44:13 | ...; | SSA phi(f) |
+| Fields.java:24:5:24:28 | f | Fields.java:44:5:44:13 | <Expr>; | SSA phi(f) |
 | Fields.java:25:5:25:19 | y | Fields.java:25:11:25:18 | y | SSA def(y) |
 | Fields.java:25:5:25:19 | y | Fields.java:29:5:29:12 | ...=... | SSA def(y) |
 | Fields.java:25:5:25:19 | y | Fields.java:33:5:33:12 | ...=... | SSA def(y) |
@@ -22,7 +22,7 @@
 | Fields.java:25:15:25:18 | f.xs | Fields.java:32:5:32:9 | f(...) | SSA impl upd[nonlocal](f.xs) |
 | Fields.java:25:15:25:18 | f.xs | Fields.java:39:5:39:21 | ...=... | SSA def(f.xs) |
 | Fields.java:25:15:25:18 | f.xs | Fields.java:43:7:43:22 | ...=... | SSA impl upd[explicit qualifier](f.xs) |
-| Fields.java:25:15:25:18 | f.xs | Fields.java:44:5:44:13 | ...; | SSA phi(f.xs) |
+| Fields.java:25:15:25:18 | f.xs | Fields.java:44:5:44:13 | <Expr>; | SSA phi(f.xs) |
 | Fields.java:26:5:26:17 | z | Fields.java:26:11:26:16 | z | SSA def(z) |
 | Fields.java:26:5:26:17 | z | Fields.java:30:5:30:10 | ...=... | SSA def(z) |
 | Fields.java:26:5:26:17 | z | Fields.java:34:5:34:10 | ...=... | SSA def(z) |
@@ -42,7 +42,7 @@
 | Fields.java:27:15:27:18 | Fields.stat | Fields.java:28:5:28:12 | f(...) | SSA impl upd[nonlocal](Fields.stat) |
 | Fields.java:27:15:27:18 | Fields.stat | Fields.java:32:5:32:9 | f(...) | SSA impl upd[nonlocal](Fields.stat) |
 | Fields.java:27:15:27:18 | Fields.stat | Fields.java:43:11:43:22 | new Fields(...) | SSA impl upd[nonlocal](Fields.stat) |
-| Fields.java:27:15:27:18 | Fields.stat | Fields.java:44:5:44:13 | ...; | SSA phi(Fields.stat) |
+| Fields.java:27:15:27:18 | Fields.stat | Fields.java:44:5:44:13 | <Expr>; | SSA phi(Fields.stat) |
 | Fields.java:27:15:27:18 | Fields.stat | Fields.java:45:5:45:16 | new Fields(...) | SSA impl upd[nonlocal](Fields.stat) |
 | Nested.java:4:26:4:31 | next(..).p1 | Nested.java:8:29:8:57 | { ... } | SSA init(next(..).p1) |
 | Nested.java:4:26:4:31 | p1 | Nested.java:4:34:10:3 | { ... } | SSA init(p1) |
@@ -61,7 +61,7 @@
 | Nested.java:24:5:24:31 | obj2 | Nested.java:24:12:24:30 | obj2 | SSA def(obj2) |
 | Nested.java:24:5:24:31 | obj2 | Nested.java:26:7:26:25 | ...=... | SSA def(obj2) |
 | Nested.java:24:5:24:31 | obj2 | Nested.java:28:7:28:25 | ...=... | SSA def(obj2) |
-| Nested.java:24:5:24:31 | obj2 | Nested.java:30:5:30:37 | local variable declaration | SSA phi(obj2) |
+| Nested.java:24:5:24:31 | obj2 | Nested.java:30:5:30:37 | var ...; | SSA phi(obj2) |
 | Nested.java:30:5:30:37 | hash2 | Nested.java:30:15:30:36 | hash2 | SSA def(hash2) |
 | Nested.java:33:21:33:26 | p3 | Nested.java:33:29:42:3 | { ... } | SSA init(p3) |
 | Nested.java:34:5:34:11 | getInt(..).x3 | Nested.java:37:20:37:25 | { ... } | SSA init(getInt(..).x3) |
diff --git a/java/ql/test/library-tests/ssa/ssaPhi.expected b/java/ql/test/library-tests/ssa/ssaPhi.expected
index fd9f2902f2e..b002ee81b3e 100644
--- a/java/ql/test/library-tests/ssa/ssaPhi.expected
+++ b/java/ql/test/library-tests/ssa/ssaPhi.expected
@@ -1,13 +1,13 @@
-| Fields.java:13:15:13:16 | this.xs | Fields.java:18:5:18:16 | ...; | Fields.java:14:5:14:9 | upd(...) |
-| Fields.java:13:15:13:16 | this.xs | Fields.java:18:5:18:16 | ...; | Fields.java:17:7:17:11 | upd(...) |
-| Fields.java:24:5:24:28 | f | Fields.java:44:5:44:13 | ...; | Fields.java:24:12:24:27 | f |
-| Fields.java:24:5:24:28 | f | Fields.java:44:5:44:13 | ...; | Fields.java:43:7:43:22 | ...=... |
-| Fields.java:25:15:25:18 | f.xs | Fields.java:44:5:44:13 | ...; | Fields.java:39:5:39:21 | ...=... |
-| Fields.java:25:15:25:18 | f.xs | Fields.java:44:5:44:13 | ...; | Fields.java:43:7:43:22 | ...=... |
-| Fields.java:27:15:27:18 | Fields.stat | Fields.java:44:5:44:13 | ...; | Fields.java:32:5:32:9 | f(...) |
-| Fields.java:27:15:27:18 | Fields.stat | Fields.java:44:5:44:13 | ...; | Fields.java:43:11:43:22 | new Fields(...) |
-| Nested.java:24:5:24:31 | obj2 | Nested.java:30:5:30:37 | local variable declaration | Nested.java:26:7:26:25 | ...=... |
-| Nested.java:24:5:24:31 | obj2 | Nested.java:30:5:30:37 | local variable declaration | Nested.java:28:7:28:25 | ...=... |
+| Fields.java:13:15:13:16 | this.xs | Fields.java:18:5:18:16 | <Expr>; | Fields.java:14:5:14:9 | upd(...) |
+| Fields.java:13:15:13:16 | this.xs | Fields.java:18:5:18:16 | <Expr>; | Fields.java:17:7:17:11 | upd(...) |
+| Fields.java:24:5:24:28 | f | Fields.java:44:5:44:13 | <Expr>; | Fields.java:24:12:24:27 | f |
+| Fields.java:24:5:24:28 | f | Fields.java:44:5:44:13 | <Expr>; | Fields.java:43:7:43:22 | ...=... |
+| Fields.java:25:15:25:18 | f.xs | Fields.java:44:5:44:13 | <Expr>; | Fields.java:39:5:39:21 | ...=... |
+| Fields.java:25:15:25:18 | f.xs | Fields.java:44:5:44:13 | <Expr>; | Fields.java:43:7:43:22 | ...=... |
+| Fields.java:27:15:27:18 | Fields.stat | Fields.java:44:5:44:13 | <Expr>; | Fields.java:32:5:32:9 | f(...) |
+| Fields.java:27:15:27:18 | Fields.stat | Fields.java:44:5:44:13 | <Expr>; | Fields.java:43:11:43:22 | new Fields(...) |
+| Nested.java:24:5:24:31 | obj2 | Nested.java:30:5:30:37 | var ...; | Nested.java:26:7:26:25 | ...=... |
+| Nested.java:24:5:24:31 | obj2 | Nested.java:30:5:30:37 | var ...; | Nested.java:28:7:28:25 | ...=... |
 | Test.java:4:8:4:16 | param | Test.java:20:10:20:10 | x | Test.java:4:19:32:2 | { ... } |
 | Test.java:4:8:4:16 | param | Test.java:20:10:20:10 | x | Test.java:21:8:21:14 | ...++ |
 | Test.java:6:3:6:12 | x | Test.java:19:3:19:3 | ; | Test.java:6:7:6:11 | x |
diff --git a/java/ql/test/library-tests/ssa/ssaUse.expected b/java/ql/test/library-tests/ssa/ssaUse.expected
index f500ebbaa9c..f55797b309b 100644
--- a/java/ql/test/library-tests/ssa/ssaUse.expected
+++ b/java/ql/test/library-tests/ssa/ssaUse.expected
@@ -1,7 +1,7 @@
 | Fields.java:13:5:13:17 | x | Fields.java:15:5:15:10 | ...=... | SSA def(x) | Fields.java:16:9:16:9 | x |
 | Fields.java:13:15:13:16 | this.xs | Fields.java:12:19:21:3 | { ... } | SSA init(this.xs) | Fields.java:13:15:13:16 | xs |
 | Fields.java:13:15:13:16 | this.xs | Fields.java:14:5:14:9 | upd(...) | SSA impl upd[nonlocal](this.xs) | Fields.java:15:9:15:10 | xs |
-| Fields.java:13:15:13:16 | this.xs | Fields.java:18:5:18:16 | ...; | SSA phi(this.xs) | Fields.java:18:9:18:15 | this.xs |
+| Fields.java:13:15:13:16 | this.xs | Fields.java:18:5:18:16 | <Expr>; | SSA phi(this.xs) | Fields.java:18:9:18:15 | this.xs |
 | Fields.java:13:15:13:16 | this.xs | Fields.java:19:5:19:19 | ...=... | SSA def(this.xs) | Fields.java:20:9:20:10 | xs |
 | Fields.java:24:5:24:28 | f | Fields.java:24:12:24:27 | f | SSA def(f) | Fields.java:25:15:25:15 | f |
 | Fields.java:24:5:24:28 | f | Fields.java:24:12:24:27 | f | SSA def(f) | Fields.java:29:9:29:9 | f |
@@ -10,15 +10,15 @@
 | Fields.java:24:5:24:28 | f | Fields.java:24:12:24:27 | f | SSA def(f) | Fields.java:37:9:37:9 | f |
 | Fields.java:24:5:24:28 | f | Fields.java:24:12:24:27 | f | SSA def(f) | Fields.java:39:5:39:5 | f |
 | Fields.java:24:5:24:28 | f | Fields.java:24:12:24:27 | f | SSA def(f) | Fields.java:40:9:40:9 | f |
-| Fields.java:24:5:24:28 | f | Fields.java:44:5:44:13 | ...; | SSA phi(f) | Fields.java:44:9:44:9 | f |
-| Fields.java:24:5:24:28 | f | Fields.java:44:5:44:13 | ...; | SSA phi(f) | Fields.java:46:9:46:9 | f |
+| Fields.java:24:5:24:28 | f | Fields.java:44:5:44:13 | <Expr>; | SSA phi(f) | Fields.java:44:9:44:9 | f |
+| Fields.java:24:5:24:28 | f | Fields.java:44:5:44:13 | <Expr>; | SSA phi(f) | Fields.java:46:9:46:9 | f |
 | Fields.java:25:15:25:18 | f.xs | Fields.java:24:12:24:27 | f | SSA impl upd[explicit qualifier](f.xs) | Fields.java:25:15:25:18 | f.xs |
 | Fields.java:25:15:25:18 | f.xs | Fields.java:28:5:28:12 | f(...) | SSA impl upd[nonlocal](f.xs) | Fields.java:29:9:29:12 | f.xs |
 | Fields.java:25:15:25:18 | f.xs | Fields.java:32:5:32:9 | f(...) | SSA impl upd[nonlocal](f.xs) | Fields.java:33:9:33:12 | f.xs |
 | Fields.java:25:15:25:18 | f.xs | Fields.java:32:5:32:9 | f(...) | SSA impl upd[nonlocal](f.xs) | Fields.java:37:9:37:12 | f.xs |
 | Fields.java:25:15:25:18 | f.xs | Fields.java:39:5:39:21 | ...=... | SSA def(f.xs) | Fields.java:40:9:40:12 | f.xs |
-| Fields.java:25:15:25:18 | f.xs | Fields.java:44:5:44:13 | ...; | SSA phi(f.xs) | Fields.java:44:9:44:12 | f.xs |
-| Fields.java:25:15:25:18 | f.xs | Fields.java:44:5:44:13 | ...; | SSA phi(f.xs) | Fields.java:46:9:46:12 | f.xs |
+| Fields.java:25:15:25:18 | f.xs | Fields.java:44:5:44:13 | <Expr>; | SSA phi(f.xs) | Fields.java:44:9:44:12 | f.xs |
+| Fields.java:25:15:25:18 | f.xs | Fields.java:44:5:44:13 | <Expr>; | SSA phi(f.xs) | Fields.java:46:9:46:12 | f.xs |
 | Fields.java:26:5:26:17 | z | Fields.java:41:5:41:10 | ...=... | SSA def(z) | Fields.java:42:9:42:9 | z |
 | Fields.java:26:15:26:16 | this.xs | Fields.java:23:19:49:3 | { ... } | SSA init(this.xs) | Fields.java:26:15:26:16 | xs |
 | Fields.java:26:15:26:16 | this.xs | Fields.java:28:5:28:12 | f(...) | SSA impl upd[nonlocal](this.xs) | Fields.java:30:9:30:10 | xs |
diff --git a/java/ql/test/library-tests/stmts/JumpTargets.expected b/java/ql/test/library-tests/stmts/JumpTargets.expected
index c05796398e3..b9f21faa477 100644
--- a/java/ql/test/library-tests/stmts/JumpTargets.expected
+++ b/java/ql/test/library-tests/stmts/JumpTargets.expected
@@ -1,9 +1,9 @@
-| stmts/B.java:8:5:8:10 | break | stmts/B.java:6:3:6:26 | for (...) |
-| stmts/B.java:10:5:10:13 | continue | stmts/B.java:6:3:6:26 | for (...) |
+| stmts/B.java:8:5:8:10 | break | stmts/B.java:6:3:6:26 | for (...;...;...) |
+| stmts/B.java:10:5:10:13 | continue | stmts/B.java:6:3:6:26 | for (...;...;...) |
 | stmts/B.java:13:6:13:11 | break | stmts/B.java:11:4:11:17 | while (...) |
-| stmts/B.java:15:6:15:17 | break | stmts/B.java:6:3:6:26 | for (...) |
+| stmts/B.java:15:6:15:17 | break | stmts/B.java:6:3:6:26 | for (...;...;...) |
 | stmts/B.java:17:6:17:14 | continue | stmts/B.java:11:4:11:17 | while (...) |
-| stmts/B.java:19:6:19:20 | continue | stmts/B.java:6:3:6:26 | for (...) |
+| stmts/B.java:19:6:19:20 | continue | stmts/B.java:6:3:6:26 | for (...;...;...) |
 | stmts/B.java:22:6:22:11 | break | stmts/B.java:20:5:20:14 | switch (...) |
-| stmts/B.java:24:6:24:17 | break | stmts/B.java:6:3:6:26 | for (...) |
+| stmts/B.java:24:6:24:17 | break | stmts/B.java:6:3:6:26 | for (...;...;...) |
 | stmts/B.java:26:6:26:14 | continue | stmts/B.java:11:4:11:17 | while (...) |
diff --git a/java/ql/test/library-tests/successors/CloseReaderTest/TestSucc.expected b/java/ql/test/library-tests/successors/CloseReaderTest/TestSucc.expected
index 2e465783264..63af489090b 100644
--- a/java/ql/test/library-tests/successors/CloseReaderTest/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/CloseReaderTest/TestSucc.expected
@@ -1,18 +1,18 @@
 | CloseReaderTest.java:8:14:8:28 | super(...) | CloseReaderTest.java:8:14:8:28 | CloseReaderTest |
 | CloseReaderTest.java:8:14:8:28 | { ... } | CloseReaderTest.java:8:14:8:28 | super(...) |
-| CloseReaderTest.java:10:2:24:2 | { ... } | CloseReaderTest.java:12:3:13:42 | ...; |
+| CloseReaderTest.java:10:2:24:2 | { ... } | CloseReaderTest.java:12:3:13:42 | <Expr>; |
 | CloseReaderTest.java:12:3:12:12 | System.out | CloseReaderTest.java:12:20:12:40 | "Enter password for " |
-| CloseReaderTest.java:12:3:13:41 | print(...) | CloseReaderTest.java:14:3:14:21 | ...; |
-| CloseReaderTest.java:12:3:13:42 | ...; | CloseReaderTest.java:12:3:12:12 | System.out |
+| CloseReaderTest.java:12:3:13:41 | print(...) | CloseReaderTest.java:14:3:14:21 | <Expr>; |
+| CloseReaderTest.java:12:3:13:42 | <Expr>; | CloseReaderTest.java:12:3:12:12 | System.out |
 | CloseReaderTest.java:12:20:12:40 | "Enter password for " | CloseReaderTest.java:12:44:12:50 | keyFile |
 | CloseReaderTest.java:12:20:12:50 | ... + ... | CloseReaderTest.java:13:7:13:40 | " (password will not be hidden): " |
 | CloseReaderTest.java:12:20:13:40 | ... + ... | CloseReaderTest.java:12:3:13:41 | print(...) |
 | CloseReaderTest.java:12:44:12:50 | keyFile | CloseReaderTest.java:12:20:12:50 | ... + ... |
 | CloseReaderTest.java:13:7:13:40 | " (password will not be hidden): " | CloseReaderTest.java:12:20:13:40 | ... + ... |
 | CloseReaderTest.java:14:3:14:12 | System.out | CloseReaderTest.java:14:3:14:20 | flush(...) |
-| CloseReaderTest.java:14:3:14:20 | flush(...) | CloseReaderTest.java:15:3:16:16 | local variable declaration |
-| CloseReaderTest.java:14:3:14:21 | ...; | CloseReaderTest.java:14:3:14:12 | System.out |
-| CloseReaderTest.java:15:3:16:16 | local variable declaration | CloseReaderTest.java:16:5:16:13 | System.in |
+| CloseReaderTest.java:14:3:14:20 | flush(...) | CloseReaderTest.java:15:3:16:16 | var ...; |
+| CloseReaderTest.java:14:3:14:21 | <Expr>; | CloseReaderTest.java:14:3:14:12 | System.out |
+| CloseReaderTest.java:15:3:16:16 | var ...; | CloseReaderTest.java:16:5:16:13 | System.in |
 | CloseReaderTest.java:15:18:16:15 | stdin | CloseReaderTest.java:17:3:23:3 | try ... |
 | CloseReaderTest.java:15:26:16:15 | new BufferedReader(...) | CloseReaderTest.java:15:18:16:15 | stdin |
 | CloseReaderTest.java:15:45:16:14 | new InputStreamReader(...) | CloseReaderTest.java:15:26:16:15 | new BufferedReader(...) |
diff --git a/java/ql/test/library-tests/successors/LoopVarReadTest/FalseSuccessors.expected b/java/ql/test/library-tests/successors/LoopVarReadTest/FalseSuccessors.expected
index 5452af82eb5..9d836931bed 100644
--- a/java/ql/test/library-tests/successors/LoopVarReadTest/FalseSuccessors.expected
+++ b/java/ql/test/library-tests/successors/LoopVarReadTest/FalseSuccessors.expected
@@ -1 +1 @@
-| LoopVarReadTest.java:7:19:7:24 | ... < ... | LoopVarReadTest.java:12:3:12:13 | local variable declaration |
+| LoopVarReadTest.java:7:19:7:24 | ... < ... | LoopVarReadTest.java:12:3:12:13 | var ...; |
diff --git a/java/ql/test/library-tests/successors/LoopVarReadTest/TestSucc.expected b/java/ql/test/library-tests/successors/LoopVarReadTest/TestSucc.expected
index a9e30fb2b7e..4598c7e0e32 100644
--- a/java/ql/test/library-tests/successors/LoopVarReadTest/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/LoopVarReadTest/TestSucc.expected
@@ -1,28 +1,28 @@
 | LoopVarReadTest.java:3:14:3:28 | super(...) | LoopVarReadTest.java:3:14:3:28 | LoopVarReadTest |
 | LoopVarReadTest.java:3:14:3:28 | { ... } | LoopVarReadTest.java:3:14:3:28 | super(...) |
-| LoopVarReadTest.java:5:2:15:2 | { ... } | LoopVarReadTest.java:6:3:6:12 | local variable declaration |
-| LoopVarReadTest.java:6:3:6:12 | local variable declaration | LoopVarReadTest.java:6:11:6:11 | 2 |
-| LoopVarReadTest.java:6:7:6:11 | x | LoopVarReadTest.java:7:3:7:33 | for (...) |
+| LoopVarReadTest.java:5:2:15:2 | { ... } | LoopVarReadTest.java:6:3:6:12 | var ...; |
+| LoopVarReadTest.java:6:3:6:12 | var ...; | LoopVarReadTest.java:6:11:6:11 | 2 |
+| LoopVarReadTest.java:6:7:6:11 | x | LoopVarReadTest.java:7:3:7:33 | for (...;...;...) |
 | LoopVarReadTest.java:6:11:6:11 | 2 | LoopVarReadTest.java:6:7:6:11 | x |
-| LoopVarReadTest.java:7:3:7:33 | for (...) | LoopVarReadTest.java:7:16:7:16 | 0 |
+| LoopVarReadTest.java:7:3:7:33 | for (...;...;...) | LoopVarReadTest.java:7:16:7:16 | 0 |
 | LoopVarReadTest.java:7:12:7:16 | y | LoopVarReadTest.java:7:19:7:19 | y |
 | LoopVarReadTest.java:7:16:7:16 | 0 | LoopVarReadTest.java:7:12:7:16 | y |
 | LoopVarReadTest.java:7:19:7:19 | y | LoopVarReadTest.java:7:23:7:24 | 10 |
 | LoopVarReadTest.java:7:19:7:24 | ... < ... | LoopVarReadTest.java:8:3:10:3 | { ... } |
-| LoopVarReadTest.java:7:19:7:24 | ... < ... | LoopVarReadTest.java:12:3:12:13 | local variable declaration |
+| LoopVarReadTest.java:7:19:7:24 | ... < ... | LoopVarReadTest.java:12:3:12:13 | var ...; |
 | LoopVarReadTest.java:7:23:7:24 | 10 | LoopVarReadTest.java:7:19:7:24 | ... < ... |
 | LoopVarReadTest.java:7:27:7:27 | y | LoopVarReadTest.java:7:32:7:32 | x |
 | LoopVarReadTest.java:7:27:7:32 | ...+=... | LoopVarReadTest.java:7:19:7:19 | y |
 | LoopVarReadTest.java:7:32:7:32 | x | LoopVarReadTest.java:7:27:7:32 | ...+=... |
-| LoopVarReadTest.java:8:3:10:3 | { ... } | LoopVarReadTest.java:9:4:9:29 | ...; |
+| LoopVarReadTest.java:8:3:10:3 | { ... } | LoopVarReadTest.java:9:4:9:29 | <Expr>; |
 | LoopVarReadTest.java:9:4:9:13 | System.out | LoopVarReadTest.java:9:23:9:27 | "Foo" |
 | LoopVarReadTest.java:9:4:9:28 | println(...) | LoopVarReadTest.java:7:27:7:27 | y |
-| LoopVarReadTest.java:9:4:9:29 | ...; | LoopVarReadTest.java:9:4:9:13 | System.out |
+| LoopVarReadTest.java:9:4:9:29 | <Expr>; | LoopVarReadTest.java:9:4:9:13 | System.out |
 | LoopVarReadTest.java:9:23:9:27 | "Foo" | LoopVarReadTest.java:9:4:9:28 | println(...) |
-| LoopVarReadTest.java:12:3:12:13 | local variable declaration | LoopVarReadTest.java:12:11:12:12 | 10 |
-| LoopVarReadTest.java:12:7:12:12 | q | LoopVarReadTest.java:14:3:14:28 | ...; |
+| LoopVarReadTest.java:12:3:12:13 | var ...; | LoopVarReadTest.java:12:11:12:12 | 10 |
+| LoopVarReadTest.java:12:7:12:12 | q | LoopVarReadTest.java:14:3:14:28 | <Expr>; |
 | LoopVarReadTest.java:12:11:12:12 | 10 | LoopVarReadTest.java:12:7:12:12 | q |
 | LoopVarReadTest.java:14:3:14:12 | System.out | LoopVarReadTest.java:14:22:14:26 | "foo" |
 | LoopVarReadTest.java:14:3:14:27 | println(...) | LoopVarReadTest.java:4:21:4:28 | testLoop |
-| LoopVarReadTest.java:14:3:14:28 | ...; | LoopVarReadTest.java:14:3:14:12 | System.out |
+| LoopVarReadTest.java:14:3:14:28 | <Expr>; | LoopVarReadTest.java:14:3:14:12 | System.out |
 | LoopVarReadTest.java:14:22:14:26 | "foo" | LoopVarReadTest.java:14:3:14:27 | println(...) |
diff --git a/java/ql/test/library-tests/successors/SaveFileTest/FalseSuccessors.expected b/java/ql/test/library-tests/successors/SaveFileTest/FalseSuccessors.expected
index b51304c1866..8f3e2d0dd3e 100644
--- a/java/ql/test/library-tests/successors/SaveFileTest/FalseSuccessors.expected
+++ b/java/ql/test/library-tests/successors/SaveFileTest/FalseSuccessors.expected
@@ -1,2 +1,2 @@
-| SaveFileTest.java:18:7:18:26 | startsWith(...) | SaveFileTest.java:24:3:24:33 | local variable declaration |
-| SaveFileTest.java:34:11:34:54 | ... != ... | SaveFileTest.java:39:4:40:41 | ...; |
+| SaveFileTest.java:18:7:18:26 | startsWith(...) | SaveFileTest.java:24:3:24:33 | var ...; |
+| SaveFileTest.java:34:11:34:54 | ... != ... | SaveFileTest.java:39:4:40:41 | <Expr>; |
diff --git a/java/ql/test/library-tests/successors/SaveFileTest/TestSucc.expected b/java/ql/test/library-tests/successors/SaveFileTest/TestSucc.expected
index 3e4ca761fd1..2c6f433af5a 100644
--- a/java/ql/test/library-tests/successors/SaveFileTest/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/SaveFileTest/TestSucc.expected
@@ -1,26 +1,26 @@
 | SaveFileTest.java:11:14:11:25 | super(...) | SaveFileTest.java:11:14:11:25 | SaveFileTest |
 | SaveFileTest.java:11:14:11:25 | { ... } | SaveFileTest.java:11:14:11:25 | super(...) |
-| SaveFileTest.java:15:2:55:2 | { ... } | SaveFileTest.java:17:3:17:25 | local variable declaration |
-| SaveFileTest.java:17:3:17:25 | local variable declaration | SaveFileTest.java:17:21:17:24 | path |
+| SaveFileTest.java:15:2:55:2 | { ... } | SaveFileTest.java:17:3:17:25 | var ...; |
+| SaveFileTest.java:17:3:17:25 | var ...; | SaveFileTest.java:17:21:17:24 | path |
 | SaveFileTest.java:17:10:17:24 | savePath | SaveFileTest.java:18:3:18:27 | if (...) |
 | SaveFileTest.java:17:21:17:24 | path | SaveFileTest.java:17:10:17:24 | savePath |
 | SaveFileTest.java:18:3:18:27 | if (...) | SaveFileTest.java:18:7:18:10 | path |
 | SaveFileTest.java:18:7:18:10 | path | SaveFileTest.java:18:23:18:25 | "/" |
 | SaveFileTest.java:18:7:18:26 | startsWith(...) | SaveFileTest.java:19:3:21:3 | { ... } |
-| SaveFileTest.java:18:7:18:26 | startsWith(...) | SaveFileTest.java:24:3:24:33 | local variable declaration |
+| SaveFileTest.java:18:7:18:26 | startsWith(...) | SaveFileTest.java:24:3:24:33 | var ...; |
 | SaveFileTest.java:18:23:18:25 | "/" | SaveFileTest.java:18:7:18:26 | startsWith(...) |
-| SaveFileTest.java:19:3:21:3 | { ... } | SaveFileTest.java:20:4:20:32 | ...; |
-| SaveFileTest.java:20:4:20:31 | ...=... | SaveFileTest.java:24:3:24:33 | local variable declaration |
-| SaveFileTest.java:20:4:20:32 | ...; | SaveFileTest.java:20:15:20:18 | path |
+| SaveFileTest.java:19:3:21:3 | { ... } | SaveFileTest.java:20:4:20:32 | <Expr>; |
+| SaveFileTest.java:20:4:20:31 | ...=... | SaveFileTest.java:24:3:24:33 | var ...; |
+| SaveFileTest.java:20:4:20:32 | <Expr>; | SaveFileTest.java:20:15:20:18 | path |
 | SaveFileTest.java:20:15:20:18 | path | SaveFileTest.java:20:30:20:30 | 1 |
 | SaveFileTest.java:20:15:20:31 | substring(...) | SaveFileTest.java:20:4:20:31 | ...=... |
 | SaveFileTest.java:20:30:20:30 | 1 | SaveFileTest.java:20:15:20:31 | substring(...) |
-| SaveFileTest.java:24:3:24:33 | local variable declaration | SaveFileTest.java:24:27:24:31 | "foo" |
-| SaveFileTest.java:24:8:24:32 | dirPath | SaveFileTest.java:25:3:26:16 | local variable declaration |
+| SaveFileTest.java:24:3:24:33 | var ...; | SaveFileTest.java:24:27:24:31 | "foo" |
+| SaveFileTest.java:24:8:24:32 | dirPath | SaveFileTest.java:25:3:26:16 | var ...; |
 | SaveFileTest.java:24:18:24:32 | new File(...) | SaveFileTest.java:24:8:24:32 | dirPath |
 | SaveFileTest.java:24:27:24:31 | "foo" | SaveFileTest.java:24:18:24:32 | new File(...) |
-| SaveFileTest.java:25:3:26:16 | local variable declaration | SaveFileTest.java:25:28:25:34 | dirPath |
-| SaveFileTest.java:25:8:26:15 | saveFile | SaveFileTest.java:28:3:28:33 | local variable declaration |
+| SaveFileTest.java:25:3:26:16 | var ...; | SaveFileTest.java:25:28:25:34 | dirPath |
+| SaveFileTest.java:25:8:26:15 | saveFile | SaveFileTest.java:28:3:28:33 | var ...; |
 | SaveFileTest.java:25:19:26:15 | new File(...) | SaveFileTest.java:25:8:26:15 | saveFile |
 | SaveFileTest.java:25:28:25:34 | dirPath | SaveFileTest.java:25:28:25:52 | getAbsolutePath(...) |
 | SaveFileTest.java:25:28:25:52 | getAbsolutePath(...) | SaveFileTest.java:25:56:25:69 | File.separator |
@@ -28,27 +28,27 @@
 | SaveFileTest.java:25:28:26:14 | ... + ... | SaveFileTest.java:25:19:26:15 | new File(...) |
 | SaveFileTest.java:25:56:25:69 | File.separator | SaveFileTest.java:25:28:25:69 | ... + ... |
 | SaveFileTest.java:26:7:26:14 | savePath | SaveFileTest.java:25:28:26:14 | ... + ... |
-| SaveFileTest.java:28:3:28:33 | local variable declaration | SaveFileTest.java:28:28:28:31 | 8192 |
-| SaveFileTest.java:28:10:28:32 | buffer | SaveFileTest.java:29:3:29:20 | local variable declaration |
+| SaveFileTest.java:28:3:28:33 | var ...; | SaveFileTest.java:28:28:28:31 | 8192 |
+| SaveFileTest.java:28:10:28:32 | buffer | SaveFileTest.java:29:3:29:20 | var ...; |
 | SaveFileTest.java:28:19:28:32 | new byte[] | SaveFileTest.java:28:10:28:32 | buffer |
 | SaveFileTest.java:28:28:28:31 | 8192 | SaveFileTest.java:28:19:28:32 | new byte[] |
-| SaveFileTest.java:29:3:29:20 | local variable declaration | SaveFileTest.java:29:19:29:19 | 0 |
-| SaveFileTest.java:29:7:29:19 | bytesRead | SaveFileTest.java:30:3:30:26 | local variable declaration |
+| SaveFileTest.java:29:3:29:20 | var ...; | SaveFileTest.java:29:19:29:19 | 0 |
+| SaveFileTest.java:29:7:29:19 | bytesRead | SaveFileTest.java:30:3:30:26 | var ...; |
 | SaveFileTest.java:29:19:29:19 | 0 | SaveFileTest.java:29:7:29:19 | bytesRead |
-| SaveFileTest.java:30:3:30:26 | local variable declaration | SaveFileTest.java:30:22:30:25 | null |
+| SaveFileTest.java:30:3:30:26 | var ...; | SaveFileTest.java:30:22:30:25 | null |
 | SaveFileTest.java:30:16:30:25 | bos | SaveFileTest.java:31:3:53:3 | try ... |
 | SaveFileTest.java:30:22:30:25 | null | SaveFileTest.java:30:16:30:25 | bos |
 | SaveFileTest.java:31:3:53:3 | try ... | SaveFileTest.java:32:3:41:3 | { ... } |
-| SaveFileTest.java:32:3:41:3 | { ... } | SaveFileTest.java:33:4:33:40 | ...; |
+| SaveFileTest.java:32:3:41:3 | { ... } | SaveFileTest.java:33:4:33:40 | <Expr>; |
 | SaveFileTest.java:33:4:33:39 | ...=... | SaveFileTest.java:34:4:34:55 | while (...) |
-| SaveFileTest.java:33:4:33:40 | ...; | SaveFileTest.java:33:31:33:38 | saveFile |
+| SaveFileTest.java:33:4:33:40 | <Expr>; | SaveFileTest.java:33:31:33:38 | saveFile |
 | SaveFileTest.java:33:10:33:39 | new FileOutputStream(...) | SaveFileTest.java:33:4:33:39 | ...=... |
 | SaveFileTest.java:33:10:33:39 | new FileOutputStream(...) | SaveFileTest.java:41:5:41:23 | catch (...) |
 | SaveFileTest.java:33:10:33:39 | new FileOutputStream(...) | SaveFileTest.java:45:3:53:3 | { ... } |
 | SaveFileTest.java:33:31:33:38 | saveFile | SaveFileTest.java:33:10:33:39 | new FileOutputStream(...) |
 | SaveFileTest.java:34:4:34:55 | while (...) | SaveFileTest.java:34:24:34:25 | is |
 | SaveFileTest.java:34:11:34:54 | ... != ... | SaveFileTest.java:35:4:37:4 | { ... } |
-| SaveFileTest.java:34:11:34:54 | ... != ... | SaveFileTest.java:39:4:40:41 | ...; |
+| SaveFileTest.java:34:11:34:54 | ... != ... | SaveFileTest.java:39:4:40:41 | <Expr>; |
 | SaveFileTest.java:34:12:34:47 | ...=... | SaveFileTest.java:34:54:34:54 | 1 |
 | SaveFileTest.java:34:24:34:25 | is | SaveFileTest.java:34:32:34:37 | buffer |
 | SaveFileTest.java:34:24:34:47 | read(...) | SaveFileTest.java:34:12:34:47 | ...=... |
@@ -59,19 +59,19 @@
 | SaveFileTest.java:34:43:34:46 | 8192 | SaveFileTest.java:34:24:34:47 | read(...) |
 | SaveFileTest.java:34:53:34:54 | -... | SaveFileTest.java:34:11:34:54 | ... != ... |
 | SaveFileTest.java:34:54:34:54 | 1 | SaveFileTest.java:34:53:34:54 | -... |
-| SaveFileTest.java:35:4:37:4 | { ... } | SaveFileTest.java:36:5:36:36 | ...; |
+| SaveFileTest.java:35:4:37:4 | { ... } | SaveFileTest.java:36:5:36:36 | <Expr>; |
 | SaveFileTest.java:36:5:36:7 | bos | SaveFileTest.java:36:15:36:20 | buffer |
 | SaveFileTest.java:36:5:36:35 | write(...) | SaveFileTest.java:34:24:34:25 | is |
 | SaveFileTest.java:36:5:36:35 | write(...) | SaveFileTest.java:41:5:41:23 | catch (...) |
 | SaveFileTest.java:36:5:36:35 | write(...) | SaveFileTest.java:45:3:53:3 | { ... } |
-| SaveFileTest.java:36:5:36:36 | ...; | SaveFileTest.java:36:5:36:7 | bos |
+| SaveFileTest.java:36:5:36:36 | <Expr>; | SaveFileTest.java:36:5:36:7 | bos |
 | SaveFileTest.java:36:15:36:20 | buffer | SaveFileTest.java:36:23:36:23 | 0 |
 | SaveFileTest.java:36:23:36:23 | 0 | SaveFileTest.java:36:26:36:34 | bytesRead |
 | SaveFileTest.java:36:26:36:34 | bytesRead | SaveFileTest.java:36:5:36:35 | write(...) |
 | SaveFileTest.java:39:4:39:13 | System.out | SaveFileTest.java:39:23:39:54 | "The file has been written to [" |
 | SaveFileTest.java:39:4:40:40 | println(...) | SaveFileTest.java:41:5:41:23 | catch (...) |
 | SaveFileTest.java:39:4:40:40 | println(...) | SaveFileTest.java:45:3:53:3 | { ... } |
-| SaveFileTest.java:39:4:40:41 | ...; | SaveFileTest.java:39:4:39:13 | System.out |
+| SaveFileTest.java:39:4:40:41 | <Expr>; | SaveFileTest.java:39:4:39:13 | System.out |
 | SaveFileTest.java:39:23:39:54 | "The file has been written to [" | SaveFileTest.java:40:8:40:15 | saveFile |
 | SaveFileTest.java:39:23:40:33 | ... + ... | SaveFileTest.java:40:37:40:39 | "]" |
 | SaveFileTest.java:39:23:40:39 | ... + ... | SaveFileTest.java:39:4:40:40 | println(...) |
@@ -89,15 +89,15 @@
 | SaveFileTest.java:43:50:43:50 | e | SaveFileTest.java:43:10:43:51 | new IOException(...) |
 | SaveFileTest.java:45:3:53:3 | { ... } | SaveFileTest.java:46:4:52:4 | try ... |
 | SaveFileTest.java:46:4:52:4 | try ... | SaveFileTest.java:47:4:50:4 | { ... } |
-| SaveFileTest.java:47:4:50:4 | { ... } | SaveFileTest.java:48:5:48:16 | ...; |
+| SaveFileTest.java:47:4:50:4 | { ... } | SaveFileTest.java:48:5:48:16 | <Expr>; |
 | SaveFileTest.java:48:5:48:7 | bos | SaveFileTest.java:48:5:48:15 | flush(...) |
-| SaveFileTest.java:48:5:48:15 | flush(...) | SaveFileTest.java:49:5:49:16 | ...; |
+| SaveFileTest.java:48:5:48:15 | flush(...) | SaveFileTest.java:49:5:49:16 | <Expr>; |
 | SaveFileTest.java:48:5:48:15 | flush(...) | SaveFileTest.java:50:6:50:30 | catch (...) |
-| SaveFileTest.java:48:5:48:16 | ...; | SaveFileTest.java:48:5:48:7 | bos |
+| SaveFileTest.java:48:5:48:16 | <Expr>; | SaveFileTest.java:48:5:48:7 | bos |
 | SaveFileTest.java:49:5:49:7 | bos | SaveFileTest.java:49:5:49:15 | close(...) |
 | SaveFileTest.java:49:5:49:15 | close(...) | SaveFileTest.java:12:14:12:21 | saveFile |
 | SaveFileTest.java:49:5:49:15 | close(...) | SaveFileTest.java:50:6:50:30 | catch (...) |
-| SaveFileTest.java:49:5:49:16 | ...; | SaveFileTest.java:49:5:49:7 | bos |
+| SaveFileTest.java:49:5:49:16 | <Expr>; | SaveFileTest.java:49:5:49:7 | bos |
 | SaveFileTest.java:50:6:50:30 | catch (...) | SaveFileTest.java:50:23:50:29 | ignored |
 | SaveFileTest.java:50:23:50:29 | ignored | SaveFileTest.java:51:4:52:4 | { ... } |
 | SaveFileTest.java:51:4:52:4 | { ... } | SaveFileTest.java:12:14:12:21 | saveFile |
diff --git a/java/ql/test/library-tests/successors/SchackTest/FalseSuccessors.expected b/java/ql/test/library-tests/successors/SchackTest/FalseSuccessors.expected
index fb487c6715b..3f3f897cda8 100644
--- a/java/ql/test/library-tests/successors/SchackTest/FalseSuccessors.expected
+++ b/java/ql/test/library-tests/successors/SchackTest/FalseSuccessors.expected
@@ -1,6 +1,6 @@
 | SchackTest.java:8:9:8:12 | ... == ... | SchackTest.java:10:5:10:13 | if (...) |
 | SchackTest.java:10:9:10:12 | ... == ... | SchackTest.java:12:14:15:4 | { ... } |
-| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:16:4:16:41 | ...; |
+| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:16:4:16:41 | <Expr>; |
 | SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:17:5:17:17 | catch (...) |
 | SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:21:13:23:3 | { ... } |
 | SchackTest.java:27:7:27:24 | ... > ... | SchackTest.java:29:10:29:22 | random(...) |
diff --git a/java/ql/test/library-tests/successors/SchackTest/TestSucc.expected b/java/ql/test/library-tests/successors/SchackTest/TestSucc.expected
index 5137de0a73f..9bbb912e6d9 100644
--- a/java/ql/test/library-tests/successors/SchackTest/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/SchackTest/TestSucc.expected
@@ -25,39 +25,39 @@
 | SchackTest.java:11:6:11:12 | return ... | SchackTest.java:12:14:15:4 | { ... } |
 | SchackTest.java:12:14:15:4 | { ... } | SchackTest.java:13:5:13:14 | if (...) |
 | SchackTest.java:13:5:13:14 | if (...) | SchackTest.java:13:9:13:13 | bar(...) |
-| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:14:6:14:42 | ...; |
-| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:16:4:16:41 | ...; |
+| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:14:6:14:42 | <Expr>; |
+| SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:16:4:16:41 | <Expr>; |
 | SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:17:5:17:17 | catch (...) |
 | SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:19:5:19:17 | catch (...) |
 | SchackTest.java:13:9:13:13 | bar(...) | SchackTest.java:21:13:23:3 | { ... } |
 | SchackTest.java:14:6:14:15 | System.out | SchackTest.java:14:25:14:40 | "true successor" |
-| SchackTest.java:14:6:14:41 | println(...) | SchackTest.java:16:4:16:41 | ...; |
+| SchackTest.java:14:6:14:41 | println(...) | SchackTest.java:16:4:16:41 | <Expr>; |
 | SchackTest.java:14:6:14:41 | println(...) | SchackTest.java:17:5:17:17 | catch (...) |
 | SchackTest.java:14:6:14:41 | println(...) | SchackTest.java:21:13:23:3 | { ... } |
-| SchackTest.java:14:6:14:42 | ...; | SchackTest.java:14:6:14:15 | System.out |
+| SchackTest.java:14:6:14:42 | <Expr>; | SchackTest.java:14:6:14:15 | System.out |
 | SchackTest.java:14:25:14:40 | "true successor" | SchackTest.java:14:6:14:41 | println(...) |
 | SchackTest.java:16:4:16:13 | System.out | SchackTest.java:16:23:16:39 | "false successor" |
 | SchackTest.java:16:4:16:40 | println(...) | SchackTest.java:21:13:23:3 | { ... } |
-| SchackTest.java:16:4:16:41 | ...; | SchackTest.java:16:4:16:13 | System.out |
+| SchackTest.java:16:4:16:41 | <Expr>; | SchackTest.java:16:4:16:13 | System.out |
 | SchackTest.java:16:23:16:39 | "false successor" | SchackTest.java:16:4:16:40 | println(...) |
 | SchackTest.java:17:5:17:17 | catch (...) | SchackTest.java:17:16:17:16 | e |
 | SchackTest.java:17:16:17:16 | e | SchackTest.java:17:19:19:3 | { ... } |
-| SchackTest.java:17:19:19:3 | { ... } | SchackTest.java:18:4:18:41 | ...; |
+| SchackTest.java:17:19:19:3 | { ... } | SchackTest.java:18:4:18:41 | <Expr>; |
 | SchackTest.java:18:4:18:13 | System.out | SchackTest.java:18:23:18:39 | "false successor" |
 | SchackTest.java:18:4:18:40 | println(...) | SchackTest.java:21:13:23:3 | { ... } |
-| SchackTest.java:18:4:18:41 | ...; | SchackTest.java:18:4:18:13 | System.out |
+| SchackTest.java:18:4:18:41 | <Expr>; | SchackTest.java:18:4:18:13 | System.out |
 | SchackTest.java:18:23:18:39 | "false successor" | SchackTest.java:18:4:18:40 | println(...) |
 | SchackTest.java:19:5:19:17 | catch (...) | SchackTest.java:19:16:19:16 | e |
 | SchackTest.java:19:16:19:16 | e | SchackTest.java:19:19:21:3 | { ... } |
-| SchackTest.java:19:19:21:3 | { ... } | SchackTest.java:20:4:20:74 | ...; |
+| SchackTest.java:19:19:21:3 | { ... } | SchackTest.java:20:4:20:74 | <Expr>; |
 | SchackTest.java:20:4:20:13 | System.out | SchackTest.java:20:23:20:72 | "successor (but neither true nor false successor)" |
 | SchackTest.java:20:4:20:73 | println(...) | SchackTest.java:21:13:23:3 | { ... } |
-| SchackTest.java:20:4:20:74 | ...; | SchackTest.java:20:4:20:13 | System.out |
+| SchackTest.java:20:4:20:74 | <Expr>; | SchackTest.java:20:4:20:13 | System.out |
 | SchackTest.java:20:23:20:72 | "successor (but neither true nor false successor)" | SchackTest.java:20:4:20:73 | println(...) |
-| SchackTest.java:21:13:23:3 | { ... } | SchackTest.java:22:4:22:41 | ...; |
+| SchackTest.java:21:13:23:3 | { ... } | SchackTest.java:22:4:22:41 | <Expr>; |
 | SchackTest.java:22:4:22:13 | System.out | SchackTest.java:22:23:22:39 | "false successor" |
 | SchackTest.java:22:4:22:40 | println(...) | SchackTest.java:5:7:5:9 | foo |
-| SchackTest.java:22:4:22:41 | ...; | SchackTest.java:22:4:22:13 | System.out |
+| SchackTest.java:22:4:22:41 | <Expr>; | SchackTest.java:22:4:22:13 | System.out |
 | SchackTest.java:22:23:22:39 | "false successor" | SchackTest.java:22:4:22:40 | println(...) |
 | SchackTest.java:26:35:30:2 | { ... } | SchackTest.java:27:3:27:25 | if (...) |
 | SchackTest.java:27:3:27:25 | if (...) | SchackTest.java:27:7:27:19 | random(...) |
diff --git a/java/ql/test/library-tests/successors/TestBreak/FalseSuccessors.expected b/java/ql/test/library-tests/successors/TestBreak/FalseSuccessors.expected
index 8a8db779bd0..6d5fbfbded6 100644
--- a/java/ql/test/library-tests/successors/TestBreak/FalseSuccessors.expected
+++ b/java/ql/test/library-tests/successors/TestBreak/FalseSuccessors.expected
@@ -1,5 +1,5 @@
 | TestBreak.java:12:9:12:14 | ... == ... | TestBreak.java:16:5:27:5 | { ... } |
 | TestBreak.java:19:11:19:16 | ... == ... | TestBreak.java:23:7:25:7 | { ... } |
 | TestBreak.java:32:8:32:13 | ... == ... | TestBreak.java:36:4:46:4 | { ... } |
-| TestBreak.java:39:10:39:15 | ... == ... | TestBreak.java:43:6:43:15 | ...; |
-| TestBreak.java:44:14:44:19 | ... == ... | TestBreak.java:45:5:45:11 | ...; |
+| TestBreak.java:39:10:39:15 | ... == ... | TestBreak.java:43:6:43:15 | <Expr>; |
+| TestBreak.java:44:14:44:19 | ... == ... | TestBreak.java:45:5:45:11 | <Expr>; |
diff --git a/java/ql/test/library-tests/successors/TestBreak/TestSucc.expected b/java/ql/test/library-tests/successors/TestBreak/TestSucc.expected
index 3e08d2159f1..e871d474a81 100644
--- a/java/ql/test/library-tests/successors/TestBreak/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/TestBreak/TestSucc.expected
@@ -1,14 +1,14 @@
 | TestBreak.java:3:14:3:22 | super(...) | TestBreak.java:3:14:3:22 | TestBreak |
 | TestBreak.java:3:14:3:22 | { ... } | TestBreak.java:3:14:3:22 | super(...) |
-| TestBreak.java:5:2:85:2 | { ... } | TestBreak.java:7:3:8:11 | labeled statement |
-| TestBreak.java:7:3:8:11 | labeled statement | TestBreak.java:8:4:8:11 | for (...) |
-| TestBreak.java:8:4:8:11 | for (...) | TestBreak.java:9:4:28:4 | { ... } |
-| TestBreak.java:9:4:28:4 | { ... } | TestBreak.java:10:5:10:14 | local variable declaration |
-| TestBreak.java:10:5:10:14 | local variable declaration | TestBreak.java:10:13:10:13 | 1 |
-| TestBreak.java:10:9:10:13 | x | TestBreak.java:11:5:11:14 | ...; |
+| TestBreak.java:5:2:85:2 | { ... } | TestBreak.java:7:3:8:11 | <Label>: ... |
+| TestBreak.java:7:3:8:11 | <Label>: ... | TestBreak.java:8:4:8:11 | for (...;...;...) |
+| TestBreak.java:8:4:8:11 | for (...;...;...) | TestBreak.java:9:4:28:4 | { ... } |
+| TestBreak.java:9:4:28:4 | { ... } | TestBreak.java:10:5:10:14 | var ...; |
+| TestBreak.java:10:5:10:14 | var ...; | TestBreak.java:10:13:10:13 | 1 |
+| TestBreak.java:10:9:10:13 | x | TestBreak.java:11:5:11:14 | <Expr>; |
 | TestBreak.java:10:13:10:13 | 1 | TestBreak.java:10:9:10:13 | x |
 | TestBreak.java:11:5:11:13 | ...=... | TestBreak.java:12:5:12:15 | if (...) |
-| TestBreak.java:11:5:11:14 | ...; | TestBreak.java:11:9:11:9 | x |
+| TestBreak.java:11:5:11:14 | <Expr>; | TestBreak.java:11:9:11:9 | x |
 | TestBreak.java:11:9:11:9 | x | TestBreak.java:11:13:11:13 | 1 |
 | TestBreak.java:11:9:11:13 | ... + ... | TestBreak.java:11:5:11:13 | ...=... |
 | TestBreak.java:11:13:11:13 | 1 | TestBreak.java:11:9:11:13 | ... + ... |
@@ -18,7 +18,7 @@
 | TestBreak.java:12:9:12:14 | ... == ... | TestBreak.java:16:5:27:5 | { ... } |
 | TestBreak.java:12:14:12:14 | 1 | TestBreak.java:12:9:12:14 | ... == ... |
 | TestBreak.java:13:5:15:5 | { ... } | TestBreak.java:14:6:14:11 | break |
-| TestBreak.java:14:6:14:11 | break | TestBreak.java:29:3:29:13 | local variable declaration |
+| TestBreak.java:14:6:14:11 | break | TestBreak.java:29:3:29:13 | var ...; |
 | TestBreak.java:16:5:27:5 | { ... } | TestBreak.java:17:6:17:30 | for (... : ...) |
 | TestBreak.java:17:6:17:30 | for (... : ...) | TestBreak.java:17:27:17:28 | 20 |
 | TestBreak.java:17:15:17:15 | q | TestBreak.java:18:6:26:6 | { ... } |
@@ -34,8 +34,8 @@
 | TestBreak.java:20:7:22:7 | { ... } | TestBreak.java:21:8:21:13 | break |
 | TestBreak.java:21:8:21:13 | break | TestBreak.java:9:4:28:4 | { ... } |
 | TestBreak.java:23:7:25:7 | { ... } | TestBreak.java:24:8:24:15 | break |
-| TestBreak.java:24:8:24:15 | break | TestBreak.java:29:3:29:13 | local variable declaration |
-| TestBreak.java:29:3:29:13 | local variable declaration | TestBreak.java:29:11:29:12 | 12 |
+| TestBreak.java:24:8:24:15 | break | TestBreak.java:29:3:29:13 | var ...; |
+| TestBreak.java:29:3:29:13 | var ...; | TestBreak.java:29:11:29:12 | 12 |
 | TestBreak.java:29:7:29:12 | y | TestBreak.java:30:3:30:14 | while (...) |
 | TestBreak.java:29:11:29:12 | 12 | TestBreak.java:29:7:29:12 | y |
 | TestBreak.java:30:3:30:14 | while (...) | TestBreak.java:30:10:30:13 | true |
@@ -47,33 +47,33 @@
 | TestBreak.java:32:8:32:13 | ... == ... | TestBreak.java:36:4:46:4 | { ... } |
 | TestBreak.java:32:13:32:13 | 1 | TestBreak.java:32:8:32:13 | ... == ... |
 | TestBreak.java:33:4:35:4 | { ... } | TestBreak.java:34:5:34:10 | break |
-| TestBreak.java:34:5:34:10 | break | TestBreak.java:48:3:48:9 | ...; |
+| TestBreak.java:34:5:34:10 | break | TestBreak.java:48:3:48:9 | <Expr>; |
 | TestBreak.java:36:4:46:4 | { ... } | TestBreak.java:37:5:44:21 | do ... while (...) |
 | TestBreak.java:37:5:44:21 | do ... while (...) | TestBreak.java:38:5:44:5 | { ... } |
 | TestBreak.java:38:5:44:5 | { ... } | TestBreak.java:39:6:39:16 | if (...) |
 | TestBreak.java:39:6:39:16 | if (...) | TestBreak.java:39:10:39:10 | y |
 | TestBreak.java:39:10:39:10 | y | TestBreak.java:39:15:39:15 | 2 |
 | TestBreak.java:39:10:39:15 | ... == ... | TestBreak.java:40:6:42:6 | { ... } |
-| TestBreak.java:39:10:39:15 | ... == ... | TestBreak.java:43:6:43:15 | ...; |
+| TestBreak.java:39:10:39:15 | ... == ... | TestBreak.java:43:6:43:15 | <Expr>; |
 | TestBreak.java:39:15:39:15 | 2 | TestBreak.java:39:10:39:15 | ... == ... |
 | TestBreak.java:40:6:42:6 | { ... } | TestBreak.java:41:7:41:12 | break |
-| TestBreak.java:41:7:41:12 | break | TestBreak.java:45:5:45:11 | ...; |
+| TestBreak.java:41:7:41:12 | break | TestBreak.java:45:5:45:11 | <Expr>; |
 | TestBreak.java:43:6:43:14 | ...=... | TestBreak.java:44:14:44:14 | y |
-| TestBreak.java:43:6:43:15 | ...; | TestBreak.java:43:10:43:10 | y |
+| TestBreak.java:43:6:43:15 | <Expr>; | TestBreak.java:43:10:43:10 | y |
 | TestBreak.java:43:10:43:10 | y | TestBreak.java:43:14:43:14 | 2 |
 | TestBreak.java:43:10:43:14 | ... + ... | TestBreak.java:43:6:43:14 | ...=... |
 | TestBreak.java:43:14:43:14 | 2 | TestBreak.java:43:10:43:14 | ... + ... |
 | TestBreak.java:44:14:44:14 | y | TestBreak.java:44:19:44:19 | 1 |
 | TestBreak.java:44:14:44:19 | ... == ... | TestBreak.java:38:5:44:5 | { ... } |
-| TestBreak.java:44:14:44:19 | ... == ... | TestBreak.java:45:5:45:11 | ...; |
+| TestBreak.java:44:14:44:19 | ... == ... | TestBreak.java:45:5:45:11 | <Expr>; |
 | TestBreak.java:44:19:44:19 | 1 | TestBreak.java:44:14:44:19 | ... == ... |
 | TestBreak.java:45:5:45:10 | ...=... | TestBreak.java:30:10:30:13 | true |
-| TestBreak.java:45:5:45:11 | ...; | TestBreak.java:45:9:45:10 | 12 |
+| TestBreak.java:45:5:45:11 | <Expr>; | TestBreak.java:45:9:45:10 | 12 |
 | TestBreak.java:45:9:45:10 | 12 | TestBreak.java:45:5:45:10 | ...=... |
-| TestBreak.java:48:3:48:8 | ...=... | TestBreak.java:51:3:51:12 | local variable declaration |
-| TestBreak.java:48:3:48:9 | ...; | TestBreak.java:48:7:48:8 | 13 |
+| TestBreak.java:48:3:48:8 | ...=... | TestBreak.java:51:3:51:12 | var ...; |
+| TestBreak.java:48:3:48:9 | <Expr>; | TestBreak.java:48:7:48:8 | 13 |
 | TestBreak.java:48:7:48:8 | 13 | TestBreak.java:48:3:48:8 | ...=... |
-| TestBreak.java:51:3:51:12 | local variable declaration | TestBreak.java:51:10:51:11 | 12 |
+| TestBreak.java:51:3:51:12 | var ...; | TestBreak.java:51:10:51:11 | 12 |
 | TestBreak.java:51:7:51:11 | x | TestBreak.java:52:3:52:12 | switch (...) |
 | TestBreak.java:51:10:51:11 | 12 | TestBreak.java:51:7:51:11 | x |
 | TestBreak.java:52:3:52:12 | switch (...) | TestBreak.java:52:11:52:11 | x |
@@ -84,72 +84,72 @@
 | TestBreak.java:52:11:52:11 | x | TestBreak.java:66:3:66:9 | case ... |
 | TestBreak.java:52:11:52:11 | x | TestBreak.java:67:3:67:9 | case ... |
 | TestBreak.java:52:11:52:11 | x | TestBreak.java:70:3:70:10 | default |
-| TestBreak.java:54:3:54:9 | case ... | TestBreak.java:55:4:55:13 | ...; |
-| TestBreak.java:55:4:55:12 | ...=... | TestBreak.java:56:4:56:13 | ...; |
-| TestBreak.java:55:4:55:13 | ...; | TestBreak.java:55:8:55:8 | x |
+| TestBreak.java:54:3:54:9 | case ... | TestBreak.java:55:4:55:13 | <Expr>; |
+| TestBreak.java:55:4:55:12 | ...=... | TestBreak.java:56:4:56:13 | <Expr>; |
+| TestBreak.java:55:4:55:13 | <Expr>; | TestBreak.java:55:8:55:8 | x |
 | TestBreak.java:55:8:55:8 | x | TestBreak.java:55:12:55:12 | 1 |
 | TestBreak.java:55:8:55:12 | ... + ... | TestBreak.java:55:4:55:12 | ...=... |
 | TestBreak.java:55:12:55:12 | 1 | TestBreak.java:55:8:55:12 | ... + ... |
 | TestBreak.java:56:4:56:12 | ...=... | TestBreak.java:57:3:57:9 | case ... |
-| TestBreak.java:56:4:56:13 | ...; | TestBreak.java:56:8:56:8 | y |
+| TestBreak.java:56:4:56:13 | <Expr>; | TestBreak.java:56:8:56:8 | y |
 | TestBreak.java:56:8:56:8 | y | TestBreak.java:56:12:56:12 | 1 |
 | TestBreak.java:56:8:56:12 | ... + ... | TestBreak.java:56:4:56:12 | ...=... |
 | TestBreak.java:56:12:56:12 | 1 | TestBreak.java:56:8:56:12 | ... + ... |
-| TestBreak.java:57:3:57:9 | case ... | TestBreak.java:58:4:58:13 | ...; |
-| TestBreak.java:58:4:58:12 | ...=... | TestBreak.java:59:4:59:13 | ...; |
-| TestBreak.java:58:4:58:13 | ...; | TestBreak.java:58:8:58:8 | x |
+| TestBreak.java:57:3:57:9 | case ... | TestBreak.java:58:4:58:13 | <Expr>; |
+| TestBreak.java:58:4:58:12 | ...=... | TestBreak.java:59:4:59:13 | <Expr>; |
+| TestBreak.java:58:4:58:13 | <Expr>; | TestBreak.java:58:8:58:8 | x |
 | TestBreak.java:58:8:58:8 | x | TestBreak.java:58:12:58:12 | 2 |
 | TestBreak.java:58:8:58:12 | ... + ... | TestBreak.java:58:4:58:12 | ...=... |
 | TestBreak.java:58:12:58:12 | 2 | TestBreak.java:58:8:58:12 | ... + ... |
 | TestBreak.java:59:4:59:12 | ...=... | TestBreak.java:60:4:60:9 | break |
-| TestBreak.java:59:4:59:13 | ...; | TestBreak.java:59:8:59:8 | y |
+| TestBreak.java:59:4:59:13 | <Expr>; | TestBreak.java:59:8:59:8 | y |
 | TestBreak.java:59:8:59:8 | y | TestBreak.java:59:12:59:12 | 2 |
 | TestBreak.java:59:8:59:12 | ... + ... | TestBreak.java:59:4:59:12 | ...=... |
 | TestBreak.java:59:12:59:12 | 2 | TestBreak.java:59:8:59:12 | ... + ... |
 | TestBreak.java:60:4:60:9 | break | TestBreak.java:76:3:76:11 | switch (...) |
 | TestBreak.java:61:3:61:9 | case ... | TestBreak.java:62:3:62:9 | case ... |
-| TestBreak.java:62:3:62:9 | case ... | TestBreak.java:63:4:63:13 | ...; |
-| TestBreak.java:63:4:63:12 | ...=... | TestBreak.java:64:4:64:13 | ...; |
-| TestBreak.java:63:4:63:13 | ...; | TestBreak.java:63:8:63:8 | x |
+| TestBreak.java:62:3:62:9 | case ... | TestBreak.java:63:4:63:13 | <Expr>; |
+| TestBreak.java:63:4:63:12 | ...=... | TestBreak.java:64:4:64:13 | <Expr>; |
+| TestBreak.java:63:4:63:13 | <Expr>; | TestBreak.java:63:8:63:8 | x |
 | TestBreak.java:63:8:63:8 | x | TestBreak.java:63:12:63:12 | 3 |
 | TestBreak.java:63:8:63:12 | ... + ... | TestBreak.java:63:4:63:12 | ...=... |
 | TestBreak.java:63:12:63:12 | 3 | TestBreak.java:63:8:63:12 | ... + ... |
 | TestBreak.java:64:4:64:12 | ...=... | TestBreak.java:65:4:65:9 | break |
-| TestBreak.java:64:4:64:13 | ...; | TestBreak.java:64:8:64:8 | y |
+| TestBreak.java:64:4:64:13 | <Expr>; | TestBreak.java:64:8:64:8 | y |
 | TestBreak.java:64:8:64:8 | y | TestBreak.java:64:12:64:12 | 4 |
 | TestBreak.java:64:8:64:12 | ... + ... | TestBreak.java:64:4:64:12 | ...=... |
 | TestBreak.java:64:12:64:12 | 4 | TestBreak.java:64:8:64:12 | ... + ... |
 | TestBreak.java:65:4:65:9 | break | TestBreak.java:76:3:76:11 | switch (...) |
 | TestBreak.java:66:3:66:9 | case ... | TestBreak.java:67:3:67:9 | case ... |
-| TestBreak.java:67:3:67:9 | case ... | TestBreak.java:68:4:68:13 | ...; |
-| TestBreak.java:68:4:68:12 | ...=... | TestBreak.java:69:4:69:13 | ...; |
-| TestBreak.java:68:4:68:13 | ...; | TestBreak.java:68:8:68:8 | x |
+| TestBreak.java:67:3:67:9 | case ... | TestBreak.java:68:4:68:13 | <Expr>; |
+| TestBreak.java:68:4:68:12 | ...=... | TestBreak.java:69:4:69:13 | <Expr>; |
+| TestBreak.java:68:4:68:13 | <Expr>; | TestBreak.java:68:8:68:8 | x |
 | TestBreak.java:68:8:68:8 | x | TestBreak.java:68:12:68:12 | 5 |
 | TestBreak.java:68:8:68:12 | ... + ... | TestBreak.java:68:4:68:12 | ...=... |
 | TestBreak.java:68:12:68:12 | 5 | TestBreak.java:68:8:68:12 | ... + ... |
 | TestBreak.java:69:4:69:12 | ...=... | TestBreak.java:70:3:70:10 | default |
-| TestBreak.java:69:4:69:13 | ...; | TestBreak.java:69:8:69:8 | y |
+| TestBreak.java:69:4:69:13 | <Expr>; | TestBreak.java:69:8:69:8 | y |
 | TestBreak.java:69:8:69:8 | y | TestBreak.java:69:12:69:12 | 6 |
 | TestBreak.java:69:8:69:12 | ... + ... | TestBreak.java:69:4:69:12 | ...=... |
 | TestBreak.java:69:12:69:12 | 6 | TestBreak.java:69:8:69:12 | ... + ... |
-| TestBreak.java:70:3:70:10 | default | TestBreak.java:71:4:71:9 | ...; |
-| TestBreak.java:71:4:71:8 | ...=... | TestBreak.java:72:4:72:9 | ...; |
-| TestBreak.java:71:4:71:9 | ...; | TestBreak.java:71:8:71:8 | y |
+| TestBreak.java:70:3:70:10 | default | TestBreak.java:71:4:71:9 | <Expr>; |
+| TestBreak.java:71:4:71:8 | ...=... | TestBreak.java:72:4:72:9 | <Expr>; |
+| TestBreak.java:71:4:71:9 | <Expr>; | TestBreak.java:71:8:71:8 | y |
 | TestBreak.java:71:8:71:8 | y | TestBreak.java:71:4:71:8 | ...=... |
 | TestBreak.java:72:4:72:8 | ...=... | TestBreak.java:76:3:76:11 | switch (...) |
-| TestBreak.java:72:4:72:9 | ...; | TestBreak.java:72:8:72:8 | x |
+| TestBreak.java:72:4:72:9 | <Expr>; | TestBreak.java:72:8:72:8 | x |
 | TestBreak.java:72:8:72:8 | x | TestBreak.java:72:4:72:8 | ...=... |
 | TestBreak.java:76:3:76:11 | switch (...) | TestBreak.java:76:10:76:10 | x |
 | TestBreak.java:76:10:76:10 | x | TestBreak.java:4:14:4:14 | f |
 | TestBreak.java:76:10:76:10 | x | TestBreak.java:78:3:78:9 | case ... |
 | TestBreak.java:76:10:76:10 | x | TestBreak.java:81:3:81:9 | case ... |
-| TestBreak.java:78:3:78:9 | case ... | TestBreak.java:79:4:79:9 | ...; |
+| TestBreak.java:78:3:78:9 | case ... | TestBreak.java:79:4:79:9 | <Expr>; |
 | TestBreak.java:79:4:79:8 | ...=... | TestBreak.java:80:4:80:9 | break |
-| TestBreak.java:79:4:79:9 | ...; | TestBreak.java:79:8:79:8 | 1 |
+| TestBreak.java:79:4:79:9 | <Expr>; | TestBreak.java:79:8:79:8 | 1 |
 | TestBreak.java:79:8:79:8 | 1 | TestBreak.java:79:4:79:8 | ...=... |
 | TestBreak.java:80:4:80:9 | break | TestBreak.java:4:14:4:14 | f |
-| TestBreak.java:81:3:81:9 | case ... | TestBreak.java:82:4:82:9 | ...; |
+| TestBreak.java:81:3:81:9 | case ... | TestBreak.java:82:4:82:9 | <Expr>; |
 | TestBreak.java:82:4:82:8 | ...=... | TestBreak.java:83:4:83:9 | break |
-| TestBreak.java:82:4:82:9 | ...; | TestBreak.java:82:8:82:8 | 2 |
+| TestBreak.java:82:4:82:9 | <Expr>; | TestBreak.java:82:8:82:8 | 2 |
 | TestBreak.java:82:8:82:8 | 2 | TestBreak.java:82:4:82:8 | ...=... |
 | TestBreak.java:83:4:83:9 | break | TestBreak.java:4:14:4:14 | f |
diff --git a/java/ql/test/library-tests/successors/TestContinue/FalseSuccessors.expected b/java/ql/test/library-tests/successors/TestContinue/FalseSuccessors.expected
index a5da44bd900..0c49736d0dc 100644
--- a/java/ql/test/library-tests/successors/TestContinue/FalseSuccessors.expected
+++ b/java/ql/test/library-tests/successors/TestContinue/FalseSuccessors.expected
@@ -1,10 +1,10 @@
-| TestContinue.java:8:20:8:25 | ... < ... | TestContinue.java:30:3:30:13 | local variable declaration |
+| TestContinue.java:8:20:8:25 | ... < ... | TestContinue.java:30:3:30:13 | var ...; |
 | TestContinue.java:12:9:12:14 | ... == ... | TestContinue.java:16:5:28:5 | { ... } |
 | TestContinue.java:19:11:19:16 | ... == ... | TestContinue.java:22:14:22:24 | if (...) |
-| TestContinue.java:22:18:22:23 | ... == ... | TestContinue.java:26:7:26:13 | ...; |
-| TestContinue.java:31:10:31:16 | ... != ... | TestContinue.java:50:3:50:9 | ...; |
+| TestContinue.java:22:18:22:23 | ... == ... | TestContinue.java:26:7:26:13 | <Expr>; |
+| TestContinue.java:31:10:31:16 | ... != ... | TestContinue.java:50:3:50:9 | <Expr>; |
 | TestContinue.java:33:8:33:13 | ... == ... | TestContinue.java:37:4:47:4 | { ... } |
-| TestContinue.java:40:10:40:15 | ... == ... | TestContinue.java:44:6:44:15 | ...; |
-| TestContinue.java:45:14:45:19 | ... == ... | TestContinue.java:46:5:46:11 | ...; |
+| TestContinue.java:40:10:40:15 | ... == ... | TestContinue.java:44:6:44:15 | <Expr>; |
+| TestContinue.java:45:14:45:19 | ... == ... | TestContinue.java:46:5:46:11 | <Expr>; |
 | TestContinue.java:51:10:51:16 | ... != ... | TestContinue.java:4:14:4:14 | f |
 | TestContinue.java:53:8:53:13 | ... != ... | TestContinue.java:56:5:56:10 | break |
diff --git a/java/ql/test/library-tests/successors/TestContinue/TestSucc.expected b/java/ql/test/library-tests/successors/TestContinue/TestSucc.expected
index 50ce7f6a524..41c287291f2 100644
--- a/java/ql/test/library-tests/successors/TestContinue/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/TestContinue/TestSucc.expected
@@ -1,20 +1,20 @@
 | TestContinue.java:3:14:3:25 | super(...) | TestContinue.java:3:14:3:25 | TestContinue |
 | TestContinue.java:3:14:3:25 | { ... } | TestContinue.java:3:14:3:25 | super(...) |
-| TestContinue.java:5:2:58:2 | { ... } | TestContinue.java:7:3:8:27 | labeled statement |
-| TestContinue.java:7:3:8:27 | labeled statement | TestContinue.java:8:4:8:27 | for (...) |
-| TestContinue.java:8:4:8:27 | for (...) | TestContinue.java:8:17:8:17 | 0 |
+| TestContinue.java:5:2:58:2 | { ... } | TestContinue.java:7:3:8:27 | <Label>: ... |
+| TestContinue.java:7:3:8:27 | <Label>: ... | TestContinue.java:8:4:8:27 | for (...;...;...) |
+| TestContinue.java:8:4:8:27 | for (...;...;...) | TestContinue.java:8:17:8:17 | 0 |
 | TestContinue.java:8:13:8:17 | p | TestContinue.java:8:20:8:20 | p |
 | TestContinue.java:8:17:8:17 | 0 | TestContinue.java:8:13:8:17 | p |
 | TestContinue.java:8:20:8:20 | p | TestContinue.java:8:24:8:25 | 10 |
 | TestContinue.java:8:20:8:25 | ... < ... | TestContinue.java:9:4:29:4 | { ... } |
-| TestContinue.java:8:20:8:25 | ... < ... | TestContinue.java:30:3:30:13 | local variable declaration |
+| TestContinue.java:8:20:8:25 | ... < ... | TestContinue.java:30:3:30:13 | var ...; |
 | TestContinue.java:8:24:8:25 | 10 | TestContinue.java:8:20:8:25 | ... < ... |
-| TestContinue.java:9:4:29:4 | { ... } | TestContinue.java:10:5:10:14 | local variable declaration |
-| TestContinue.java:10:5:10:14 | local variable declaration | TestContinue.java:10:13:10:13 | 1 |
-| TestContinue.java:10:9:10:13 | x | TestContinue.java:11:5:11:14 | ...; |
+| TestContinue.java:9:4:29:4 | { ... } | TestContinue.java:10:5:10:14 | var ...; |
+| TestContinue.java:10:5:10:14 | var ...; | TestContinue.java:10:13:10:13 | 1 |
+| TestContinue.java:10:9:10:13 | x | TestContinue.java:11:5:11:14 | <Expr>; |
 | TestContinue.java:10:13:10:13 | 1 | TestContinue.java:10:9:10:13 | x |
 | TestContinue.java:11:5:11:13 | ...=... | TestContinue.java:12:5:12:15 | if (...) |
-| TestContinue.java:11:5:11:14 | ...; | TestContinue.java:11:9:11:9 | x |
+| TestContinue.java:11:5:11:14 | <Expr>; | TestContinue.java:11:9:11:9 | x |
 | TestContinue.java:11:9:11:9 | x | TestContinue.java:11:13:11:13 | 1 |
 | TestContinue.java:11:9:11:13 | ... + ... | TestContinue.java:11:5:11:13 | ...=... |
 | TestContinue.java:11:13:11:13 | 1 | TestContinue.java:11:9:11:13 | ... + ... |
@@ -43,21 +43,21 @@
 | TestContinue.java:22:14:22:24 | if (...) | TestContinue.java:22:18:22:18 | q |
 | TestContinue.java:22:18:22:18 | q | TestContinue.java:22:23:22:23 | 2 |
 | TestContinue.java:22:18:22:23 | ... == ... | TestContinue.java:23:7:25:7 | { ... } |
-| TestContinue.java:22:18:22:23 | ... == ... | TestContinue.java:26:7:26:13 | ...; |
+| TestContinue.java:22:18:22:23 | ... == ... | TestContinue.java:26:7:26:13 | <Expr>; |
 | TestContinue.java:22:23:22:23 | 2 | TestContinue.java:22:18:22:23 | ... == ... |
 | TestContinue.java:23:7:25:7 | { ... } | TestContinue.java:24:8:24:18 | continue |
 | TestContinue.java:24:8:24:18 | continue | TestContinue.java:8:20:8:20 | p |
 | TestContinue.java:26:7:26:12 | ...=... | TestContinue.java:8:20:8:20 | p |
 | TestContinue.java:26:7:26:12 | ...=... | TestContinue.java:17:15:17:15 | q |
-| TestContinue.java:26:7:26:13 | ...; | TestContinue.java:26:11:26:12 | 12 |
+| TestContinue.java:26:7:26:13 | <Expr>; | TestContinue.java:26:11:26:12 | 12 |
 | TestContinue.java:26:11:26:12 | 12 | TestContinue.java:26:7:26:12 | ...=... |
-| TestContinue.java:30:3:30:13 | local variable declaration | TestContinue.java:30:11:30:12 | 12 |
+| TestContinue.java:30:3:30:13 | var ...; | TestContinue.java:30:11:30:12 | 12 |
 | TestContinue.java:30:7:30:12 | y | TestContinue.java:31:3:31:17 | while (...) |
 | TestContinue.java:30:11:30:12 | 12 | TestContinue.java:30:7:30:12 | y |
 | TestContinue.java:31:3:31:17 | while (...) | TestContinue.java:31:10:31:10 | y |
 | TestContinue.java:31:10:31:10 | y | TestContinue.java:31:15:31:16 | 13 |
 | TestContinue.java:31:10:31:16 | ... != ... | TestContinue.java:32:3:49:3 | { ... } |
-| TestContinue.java:31:10:31:16 | ... != ... | TestContinue.java:50:3:50:9 | ...; |
+| TestContinue.java:31:10:31:16 | ... != ... | TestContinue.java:50:3:50:9 | <Expr>; |
 | TestContinue.java:31:15:31:16 | 13 | TestContinue.java:31:10:31:16 | ... != ... |
 | TestContinue.java:32:3:49:3 | { ... } | TestContinue.java:33:4:33:14 | if (...) |
 | TestContinue.java:33:4:33:14 | if (...) | TestContinue.java:33:8:33:8 | y |
@@ -73,27 +73,27 @@
 | TestContinue.java:40:6:40:16 | if (...) | TestContinue.java:40:10:40:10 | y |
 | TestContinue.java:40:10:40:10 | y | TestContinue.java:40:15:40:15 | 2 |
 | TestContinue.java:40:10:40:15 | ... == ... | TestContinue.java:41:6:43:6 | { ... } |
-| TestContinue.java:40:10:40:15 | ... == ... | TestContinue.java:44:6:44:15 | ...; |
+| TestContinue.java:40:10:40:15 | ... == ... | TestContinue.java:44:6:44:15 | <Expr>; |
 | TestContinue.java:40:15:40:15 | 2 | TestContinue.java:40:10:40:15 | ... == ... |
 | TestContinue.java:41:6:43:6 | { ... } | TestContinue.java:42:7:42:15 | continue |
 | TestContinue.java:42:7:42:15 | continue | TestContinue.java:45:14:45:14 | y |
 | TestContinue.java:44:6:44:14 | ...=... | TestContinue.java:45:14:45:14 | y |
-| TestContinue.java:44:6:44:15 | ...; | TestContinue.java:44:10:44:10 | y |
+| TestContinue.java:44:6:44:15 | <Expr>; | TestContinue.java:44:10:44:10 | y |
 | TestContinue.java:44:10:44:10 | y | TestContinue.java:44:14:44:14 | 2 |
 | TestContinue.java:44:10:44:14 | ... + ... | TestContinue.java:44:6:44:14 | ...=... |
 | TestContinue.java:44:14:44:14 | 2 | TestContinue.java:44:10:44:14 | ... + ... |
 | TestContinue.java:45:14:45:14 | y | TestContinue.java:45:19:45:19 | 1 |
 | TestContinue.java:45:14:45:19 | ... == ... | TestContinue.java:39:5:45:5 | { ... } |
-| TestContinue.java:45:14:45:19 | ... == ... | TestContinue.java:46:5:46:11 | ...; |
+| TestContinue.java:45:14:45:19 | ... == ... | TestContinue.java:46:5:46:11 | <Expr>; |
 | TestContinue.java:45:19:45:19 | 1 | TestContinue.java:45:14:45:19 | ... == ... |
-| TestContinue.java:46:5:46:10 | ...=... | TestContinue.java:48:4:48:10 | ...; |
-| TestContinue.java:46:5:46:11 | ...; | TestContinue.java:46:9:46:10 | 12 |
+| TestContinue.java:46:5:46:10 | ...=... | TestContinue.java:48:4:48:10 | <Expr>; |
+| TestContinue.java:46:5:46:11 | <Expr>; | TestContinue.java:46:9:46:10 | 12 |
 | TestContinue.java:46:9:46:10 | 12 | TestContinue.java:46:5:46:10 | ...=... |
 | TestContinue.java:48:4:48:9 | ...=... | TestContinue.java:31:10:31:10 | y |
-| TestContinue.java:48:4:48:10 | ...; | TestContinue.java:48:8:48:9 | 15 |
+| TestContinue.java:48:4:48:10 | <Expr>; | TestContinue.java:48:8:48:9 | 15 |
 | TestContinue.java:48:8:48:9 | 15 | TestContinue.java:48:4:48:9 | ...=... |
 | TestContinue.java:50:3:50:8 | ...=... | TestContinue.java:51:3:51:17 | while (...) |
-| TestContinue.java:50:3:50:9 | ...; | TestContinue.java:50:7:50:8 | 13 |
+| TestContinue.java:50:3:50:9 | <Expr>; | TestContinue.java:50:7:50:8 | 13 |
 | TestContinue.java:50:7:50:8 | 13 | TestContinue.java:50:3:50:8 | ...=... |
 | TestContinue.java:51:3:51:17 | while (...) | TestContinue.java:51:10:51:10 | y |
 | TestContinue.java:51:10:51:10 | y | TestContinue.java:51:15:51:16 | 12 |
diff --git a/java/ql/test/library-tests/successors/TestDeclarations/TestSucc.expected b/java/ql/test/library-tests/successors/TestDeclarations/TestSucc.expected
index 9a05b5bb02d..58deeeec5d7 100644
--- a/java/ql/test/library-tests/successors/TestDeclarations/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/TestDeclarations/TestSucc.expected
@@ -1,39 +1,39 @@
 | TestDeclarations.java:1:7:1:22 | super(...) | TestDeclarations.java:1:7:1:22 | TestDeclarations |
 | TestDeclarations.java:1:7:1:22 | { ... } | TestDeclarations.java:1:7:1:22 | super(...) |
-| TestDeclarations.java:2:30:24:2 | { ... } | TestDeclarations.java:4:3:4:11 | local variable declaration |
-| TestDeclarations.java:4:3:4:11 | local variable declaration | TestDeclarations.java:4:7:4:7 | b |
+| TestDeclarations.java:2:30:24:2 | { ... } | TestDeclarations.java:4:3:4:11 | var ...; |
+| TestDeclarations.java:4:3:4:11 | var ...; | TestDeclarations.java:4:7:4:7 | b |
 | TestDeclarations.java:4:7:4:7 | b | TestDeclarations.java:4:10:4:10 | c |
-| TestDeclarations.java:4:10:4:10 | c | TestDeclarations.java:5:3:5:8 | ...; |
-| TestDeclarations.java:5:3:5:7 | ...=... | TestDeclarations.java:6:3:6:8 | ...; |
-| TestDeclarations.java:5:3:5:8 | ...; | TestDeclarations.java:5:7:5:7 | 0 |
+| TestDeclarations.java:4:10:4:10 | c | TestDeclarations.java:5:3:5:8 | <Expr>; |
+| TestDeclarations.java:5:3:5:7 | ...=... | TestDeclarations.java:6:3:6:8 | <Expr>; |
+| TestDeclarations.java:5:3:5:8 | <Expr>; | TestDeclarations.java:5:7:5:7 | 0 |
 | TestDeclarations.java:5:7:5:7 | 0 | TestDeclarations.java:5:3:5:7 | ...=... |
 | TestDeclarations.java:6:3:6:7 | ...=... | TestDeclarations.java:7:3:7:13 | while (...) |
-| TestDeclarations.java:6:3:6:8 | ...; | TestDeclarations.java:6:7:6:7 | 0 |
+| TestDeclarations.java:6:3:6:8 | <Expr>; | TestDeclarations.java:6:7:6:7 | 0 |
 | TestDeclarations.java:6:7:6:7 | 0 | TestDeclarations.java:6:3:6:7 | ...=... |
 | TestDeclarations.java:7:3:7:13 | while (...) | TestDeclarations.java:7:9:7:12 | true |
 | TestDeclarations.java:7:9:7:12 | true | TestDeclarations.java:8:3:19:3 | { ... } |
-| TestDeclarations.java:8:3:19:3 | { ... } | TestDeclarations.java:9:4:9:10 | ...; |
+| TestDeclarations.java:8:3:19:3 | { ... } | TestDeclarations.java:9:4:9:10 | <Expr>; |
 | TestDeclarations.java:9:4:9:9 | ...=... | TestDeclarations.java:10:4:10:15 | if (...) |
-| TestDeclarations.java:9:4:9:10 | ...; | TestDeclarations.java:9:8:9:9 | 10 |
+| TestDeclarations.java:9:4:9:10 | <Expr>; | TestDeclarations.java:9:8:9:9 | 10 |
 | TestDeclarations.java:9:8:9:9 | 10 | TestDeclarations.java:9:4:9:9 | ...=... |
 | TestDeclarations.java:10:4:10:15 | if (...) | TestDeclarations.java:10:8:10:8 | a |
 | TestDeclarations.java:10:8:10:8 | a | TestDeclarations.java:10:12:10:14 | 100 |
 | TestDeclarations.java:10:8:10:14 | ... > ... | TestDeclarations.java:11:4:14:4 | { ... } |
 | TestDeclarations.java:10:8:10:14 | ... > ... | TestDeclarations.java:15:4:15:15 | if (...) |
 | TestDeclarations.java:10:12:10:14 | 100 | TestDeclarations.java:10:8:10:14 | ... > ... |
-| TestDeclarations.java:11:4:14:4 | { ... } | TestDeclarations.java:12:5:12:11 | ...; |
-| TestDeclarations.java:12:5:12:10 | ...=... | TestDeclarations.java:13:5:13:10 | ...; |
-| TestDeclarations.java:12:5:12:11 | ...; | TestDeclarations.java:12:9:12:10 | 10 |
+| TestDeclarations.java:11:4:14:4 | { ... } | TestDeclarations.java:12:5:12:11 | <Expr>; |
+| TestDeclarations.java:12:5:12:10 | ...=... | TestDeclarations.java:13:5:13:10 | <Expr>; |
+| TestDeclarations.java:12:5:12:11 | <Expr>; | TestDeclarations.java:12:9:12:10 | 10 |
 | TestDeclarations.java:12:9:12:10 | 10 | TestDeclarations.java:12:5:12:10 | ...=... |
 | TestDeclarations.java:13:5:13:9 | ...=... | TestDeclarations.java:15:4:15:15 | if (...) |
-| TestDeclarations.java:13:5:13:10 | ...; | TestDeclarations.java:13:9:13:9 | c |
+| TestDeclarations.java:13:5:13:10 | <Expr>; | TestDeclarations.java:13:9:13:9 | c |
 | TestDeclarations.java:13:9:13:9 | c | TestDeclarations.java:13:5:13:9 | ...=... |
 | TestDeclarations.java:15:4:15:15 | if (...) | TestDeclarations.java:15:8:15:8 | a |
 | TestDeclarations.java:15:8:15:8 | a | TestDeclarations.java:15:13:15:14 | 10 |
 | TestDeclarations.java:15:8:15:14 | ... == ... | TestDeclarations.java:16:5:16:10 | break |
 | TestDeclarations.java:15:8:15:14 | ... == ... | TestDeclarations.java:17:4:17:15 | if (...) |
 | TestDeclarations.java:15:13:15:14 | 10 | TestDeclarations.java:15:8:15:14 | ... == ... |
-| TestDeclarations.java:16:5:16:10 | break | TestDeclarations.java:20:3:20:10 | local variable declaration |
+| TestDeclarations.java:16:5:16:10 | break | TestDeclarations.java:20:3:20:10 | var ...; |
 | TestDeclarations.java:17:4:17:15 | if (...) | TestDeclarations.java:17:8:17:8 | a |
 | TestDeclarations.java:17:8:17:8 | a | TestDeclarations.java:17:13:17:14 | 20 |
 | TestDeclarations.java:17:8:17:14 | ... == ... | TestDeclarations.java:7:9:7:12 | true |
@@ -41,14 +41,14 @@
 | TestDeclarations.java:17:13:17:14 | 20 | TestDeclarations.java:17:8:17:14 | ... == ... |
 | TestDeclarations.java:18:5:18:13 | return ... | TestDeclarations.java:2:6:2:21 | declarationTests |
 | TestDeclarations.java:18:12:18:12 | c | TestDeclarations.java:18:5:18:13 | return ... |
-| TestDeclarations.java:20:3:20:10 | local variable declaration | TestDeclarations.java:20:7:20:7 | x |
+| TestDeclarations.java:20:3:20:10 | var ...; | TestDeclarations.java:20:7:20:7 | x |
 | TestDeclarations.java:20:7:20:7 | x | TestDeclarations.java:20:9:20:9 | y |
-| TestDeclarations.java:20:9:20:9 | y | TestDeclarations.java:21:3:21:8 | ...; |
-| TestDeclarations.java:21:3:21:7 | ...=... | TestDeclarations.java:22:3:22:8 | ...; |
-| TestDeclarations.java:21:3:21:8 | ...; | TestDeclarations.java:21:7:21:7 | 3 |
+| TestDeclarations.java:20:9:20:9 | y | TestDeclarations.java:21:3:21:8 | <Expr>; |
+| TestDeclarations.java:21:3:21:7 | ...=... | TestDeclarations.java:22:3:22:8 | <Expr>; |
+| TestDeclarations.java:21:3:21:8 | <Expr>; | TestDeclarations.java:21:7:21:7 | 3 |
 | TestDeclarations.java:21:7:21:7 | 3 | TestDeclarations.java:21:3:21:7 | ...=... |
 | TestDeclarations.java:22:3:22:7 | ...=... | TestDeclarations.java:23:10:23:10 | b |
-| TestDeclarations.java:22:3:22:8 | ...; | TestDeclarations.java:22:7:22:7 | 4 |
+| TestDeclarations.java:22:3:22:8 | <Expr>; | TestDeclarations.java:22:7:22:7 | 4 |
 | TestDeclarations.java:22:7:22:7 | 4 | TestDeclarations.java:22:3:22:7 | ...=... |
 | TestDeclarations.java:23:3:23:11 | return ... | TestDeclarations.java:2:6:2:21 | declarationTests |
 | TestDeclarations.java:23:10:23:10 | b | TestDeclarations.java:23:3:23:11 | return ... |
diff --git a/java/ql/test/library-tests/successors/TestFinally/FalseSuccessors.expected b/java/ql/test/library-tests/successors/TestFinally/FalseSuccessors.expected
index de8e32d0b38..03596ec8969 100644
--- a/java/ql/test/library-tests/successors/TestFinally/FalseSuccessors.expected
+++ b/java/ql/test/library-tests/successors/TestFinally/FalseSuccessors.expected
@@ -1,15 +1,15 @@
 | TestFinally.java:12:9:12:14 | ... == ... | TestFinally.java:16:5:39:5 | try ... |
-| TestFinally.java:19:10:19:15 | ... == ... | TestFinally.java:23:6:23:32 | ...; |
+| TestFinally.java:19:10:19:15 | ... == ... | TestFinally.java:23:6:23:32 | <Expr>; |
 | TestFinally.java:27:10:27:15 | ... == ... | TestFinally.java:32:5:39:5 | { ... } |
-| TestFinally.java:34:10:34:15 | ... == ... | TestFinally.java:38:6:38:36 | ...; |
-| TestFinally.java:47:10:47:15 | ... == ... | TestFinally.java:51:6:51:32 | ...; |
+| TestFinally.java:34:10:34:15 | ... == ... | TestFinally.java:38:6:38:36 | <Expr>; |
+| TestFinally.java:47:10:47:15 | ... == ... | TestFinally.java:51:6:51:32 | <Expr>; |
 | TestFinally.java:55:10:55:15 | ... == ... | TestFinally.java:60:5:67:5 | { ... } |
-| TestFinally.java:62:10:62:15 | ... == ... | TestFinally.java:66:6:66:36 | ...; |
+| TestFinally.java:62:10:62:15 | ... == ... | TestFinally.java:66:6:66:36 | <Expr>; |
 | TestFinally.java:68:9:68:14 | ... == ... | TestFinally.java:73:4:80:4 | { ... } |
-| TestFinally.java:75:9:75:14 | ... == ... | TestFinally.java:79:5:79:35 | ...; |
-| TestFinally.java:91:9:91:14 | ... == ... | TestFinally.java:95:5:95:31 | ...; |
+| TestFinally.java:75:9:75:14 | ... == ... | TestFinally.java:79:5:79:35 | <Expr>; |
+| TestFinally.java:91:9:91:14 | ... == ... | TestFinally.java:95:5:95:31 | <Expr>; |
 | TestFinally.java:99:9:99:14 | ... == ... | TestFinally.java:104:4:111:4 | { ... } |
-| TestFinally.java:106:9:106:14 | ... == ... | TestFinally.java:110:5:110:35 | ...; |
-| TestFinally.java:126:8:126:13 | ... == ... | TestFinally.java:130:4:130:30 | ...; |
+| TestFinally.java:106:9:106:14 | ... == ... | TestFinally.java:110:5:110:35 | <Expr>; |
+| TestFinally.java:126:8:126:13 | ... == ... | TestFinally.java:130:4:130:30 | <Expr>; |
 | TestFinally.java:134:8:134:13 | ... == ... | TestFinally.java:139:3:146:3 | { ... } |
-| TestFinally.java:141:8:141:13 | ... == ... | TestFinally.java:145:4:145:34 | ...; |
+| TestFinally.java:141:8:141:13 | ... == ... | TestFinally.java:145:4:145:34 | <Expr>; |
diff --git a/java/ql/test/library-tests/successors/TestFinally/TestSucc.expected b/java/ql/test/library-tests/successors/TestFinally/TestSucc.expected
index baf6e960eb8..9a72ba31737 100644
--- a/java/ql/test/library-tests/successors/TestFinally/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/TestFinally/TestSucc.expected
@@ -1,18 +1,18 @@
 | TestFinally.java:3:14:3:24 | super(...) | TestFinally.java:3:14:3:24 | TestFinally |
 | TestFinally.java:3:14:3:24 | { ... } | TestFinally.java:3:14:3:24 | super(...) |
-| TestFinally.java:5:2:149:2 | { ... } | TestFinally.java:6:3:6:13 | local variable declaration |
-| TestFinally.java:6:3:6:13 | local variable declaration | TestFinally.java:6:11:6:12 | 12 |
+| TestFinally.java:5:2:149:2 | { ... } | TestFinally.java:6:3:6:13 | var ...; |
+| TestFinally.java:6:3:6:13 | var ...; | TestFinally.java:6:11:6:12 | 12 |
 | TestFinally.java:6:7:6:12 | z | TestFinally.java:7:3:120:3 | try ... |
 | TestFinally.java:6:11:6:12 | 12 | TestFinally.java:6:7:6:12 | z |
 | TestFinally.java:7:3:120:3 | try ... | TestFinally.java:8:3:86:3 | { ... } |
 | TestFinally.java:8:3:86:3 | { ... } | TestFinally.java:9:4:80:4 | try ... |
 | TestFinally.java:9:4:80:4 | try ... | TestFinally.java:10:4:41:4 | { ... } |
-| TestFinally.java:10:4:41:4 | { ... } | TestFinally.java:11:5:11:31 | ...; |
+| TestFinally.java:10:4:41:4 | { ... } | TestFinally.java:11:5:11:31 | <Expr>; |
 | TestFinally.java:11:5:11:14 | System.out | TestFinally.java:11:24:11:29 | "Try1" |
 | TestFinally.java:11:5:11:30 | println(...) | TestFinally.java:12:5:12:15 | if (...) |
 | TestFinally.java:11:5:11:30 | println(...) | TestFinally.java:41:6:41:25 | catch (...) |
 | TestFinally.java:11:5:11:30 | println(...) | TestFinally.java:73:4:80:4 | { ... } |
-| TestFinally.java:11:5:11:31 | ...; | TestFinally.java:11:5:11:14 | System.out |
+| TestFinally.java:11:5:11:31 | <Expr>; | TestFinally.java:11:5:11:14 | System.out |
 | TestFinally.java:11:24:11:29 | "Try1" | TestFinally.java:11:5:11:30 | println(...) |
 | TestFinally.java:12:5:12:15 | if (...) | TestFinally.java:12:9:12:9 | z |
 | TestFinally.java:12:9:12:9 | z | TestFinally.java:12:14:12:14 | 1 |
@@ -22,32 +22,32 @@
 | TestFinally.java:13:5:15:5 | { ... } | TestFinally.java:14:6:14:12 | return ... |
 | TestFinally.java:14:6:14:12 | return ... | TestFinally.java:73:4:80:4 | { ... } |
 | TestFinally.java:16:5:39:5 | try ... | TestFinally.java:17:5:24:5 | { ... } |
-| TestFinally.java:17:5:24:5 | { ... } | TestFinally.java:18:6:18:32 | ...; |
+| TestFinally.java:17:5:24:5 | { ... } | TestFinally.java:18:6:18:32 | <Expr>; |
 | TestFinally.java:18:6:18:15 | System.out | TestFinally.java:18:25:18:30 | "Try1" |
 | TestFinally.java:18:6:18:31 | println(...) | TestFinally.java:19:6:19:16 | if (...) |
 | TestFinally.java:18:6:18:31 | println(...) | TestFinally.java:24:7:24:26 | catch (...) |
 | TestFinally.java:18:6:18:31 | println(...) | TestFinally.java:32:5:39:5 | { ... } |
-| TestFinally.java:18:6:18:32 | ...; | TestFinally.java:18:6:18:15 | System.out |
+| TestFinally.java:18:6:18:32 | <Expr>; | TestFinally.java:18:6:18:15 | System.out |
 | TestFinally.java:18:25:18:30 | "Try1" | TestFinally.java:18:6:18:31 | println(...) |
 | TestFinally.java:19:6:19:16 | if (...) | TestFinally.java:19:10:19:10 | z |
 | TestFinally.java:19:10:19:10 | z | TestFinally.java:19:15:19:15 | 1 |
 | TestFinally.java:19:10:19:15 | ... == ... | TestFinally.java:20:6:22:6 | { ... } |
-| TestFinally.java:19:10:19:15 | ... == ... | TestFinally.java:23:6:23:32 | ...; |
+| TestFinally.java:19:10:19:15 | ... == ... | TestFinally.java:23:6:23:32 | <Expr>; |
 | TestFinally.java:19:15:19:15 | 1 | TestFinally.java:19:10:19:15 | ... == ... |
 | TestFinally.java:20:6:22:6 | { ... } | TestFinally.java:21:7:21:13 | return ... |
 | TestFinally.java:21:7:21:13 | return ... | TestFinally.java:32:5:39:5 | { ... } |
 | TestFinally.java:23:6:23:15 | System.out | TestFinally.java:23:25:23:30 | "Try2" |
 | TestFinally.java:23:6:23:31 | println(...) | TestFinally.java:24:7:24:26 | catch (...) |
 | TestFinally.java:23:6:23:31 | println(...) | TestFinally.java:32:5:39:5 | { ... } |
-| TestFinally.java:23:6:23:32 | ...; | TestFinally.java:23:6:23:15 | System.out |
+| TestFinally.java:23:6:23:32 | <Expr>; | TestFinally.java:23:6:23:15 | System.out |
 | TestFinally.java:23:25:23:30 | "Try2" | TestFinally.java:23:6:23:31 | println(...) |
 | TestFinally.java:24:7:24:26 | catch (...) | TestFinally.java:24:24:24:25 | ex |
 | TestFinally.java:24:24:24:25 | ex | TestFinally.java:25:5:31:5 | { ... } |
-| TestFinally.java:25:5:31:5 | { ... } | TestFinally.java:26:6:26:37 | ...; |
+| TestFinally.java:25:5:31:5 | { ... } | TestFinally.java:26:6:26:37 | <Expr>; |
 | TestFinally.java:26:6:26:15 | System.out | TestFinally.java:26:25:26:35 | "Exception" |
 | TestFinally.java:26:6:26:36 | println(...) | TestFinally.java:27:6:27:16 | if (...) |
 | TestFinally.java:26:6:26:36 | println(...) | TestFinally.java:32:5:39:5 | { ... } |
-| TestFinally.java:26:6:26:37 | ...; | TestFinally.java:26:6:26:15 | System.out |
+| TestFinally.java:26:6:26:37 | <Expr>; | TestFinally.java:26:6:26:15 | System.out |
 | TestFinally.java:26:25:26:35 | "Exception" | TestFinally.java:26:6:26:36 | println(...) |
 | TestFinally.java:27:6:27:16 | if (...) | TestFinally.java:27:10:27:10 | z |
 | TestFinally.java:27:10:27:10 | z | TestFinally.java:27:15:27:15 | 1 |
@@ -56,66 +56,66 @@
 | TestFinally.java:27:15:27:15 | 1 | TestFinally.java:27:10:27:15 | ... == ... |
 | TestFinally.java:28:6:30:6 | { ... } | TestFinally.java:29:7:29:13 | return ... |
 | TestFinally.java:29:7:29:13 | return ... | TestFinally.java:32:5:39:5 | { ... } |
-| TestFinally.java:32:5:39:5 | { ... } | TestFinally.java:33:6:33:35 | ...; |
+| TestFinally.java:32:5:39:5 | { ... } | TestFinally.java:33:6:33:35 | <Expr>; |
 | TestFinally.java:33:6:33:15 | System.out | TestFinally.java:33:25:33:33 | "Finally" |
 | TestFinally.java:33:6:33:34 | println(...) | TestFinally.java:34:6:34:16 | if (...) |
 | TestFinally.java:33:6:33:34 | println(...) | TestFinally.java:41:6:41:25 | catch (...) |
 | TestFinally.java:33:6:33:34 | println(...) | TestFinally.java:73:4:80:4 | { ... } |
-| TestFinally.java:33:6:33:35 | ...; | TestFinally.java:33:6:33:15 | System.out |
+| TestFinally.java:33:6:33:35 | <Expr>; | TestFinally.java:33:6:33:15 | System.out |
 | TestFinally.java:33:25:33:33 | "Finally" | TestFinally.java:33:6:33:34 | println(...) |
 | TestFinally.java:34:6:34:16 | if (...) | TestFinally.java:34:10:34:10 | z |
 | TestFinally.java:34:10:34:10 | z | TestFinally.java:34:15:34:15 | 1 |
 | TestFinally.java:34:10:34:15 | ... == ... | TestFinally.java:35:6:37:6 | { ... } |
-| TestFinally.java:34:10:34:15 | ... == ... | TestFinally.java:38:6:38:36 | ...; |
+| TestFinally.java:34:10:34:15 | ... == ... | TestFinally.java:38:6:38:36 | <Expr>; |
 | TestFinally.java:34:15:34:15 | 1 | TestFinally.java:34:10:34:15 | ... == ... |
 | TestFinally.java:35:6:37:6 | { ... } | TestFinally.java:36:7:36:13 | return ... |
 | TestFinally.java:36:7:36:13 | return ... | TestFinally.java:73:4:80:4 | { ... } |
 | TestFinally.java:38:6:38:15 | System.out | TestFinally.java:38:25:38:34 | "Finally2" |
-| TestFinally.java:38:6:38:35 | println(...) | TestFinally.java:40:5:40:31 | ...; |
+| TestFinally.java:38:6:38:35 | println(...) | TestFinally.java:40:5:40:31 | <Expr>; |
 | TestFinally.java:38:6:38:35 | println(...) | TestFinally.java:41:6:41:25 | catch (...) |
 | TestFinally.java:38:6:38:35 | println(...) | TestFinally.java:73:4:80:4 | { ... } |
-| TestFinally.java:38:6:38:36 | ...; | TestFinally.java:38:6:38:15 | System.out |
+| TestFinally.java:38:6:38:36 | <Expr>; | TestFinally.java:38:6:38:15 | System.out |
 | TestFinally.java:38:25:38:34 | "Finally2" | TestFinally.java:38:6:38:35 | println(...) |
 | TestFinally.java:40:5:40:14 | System.out | TestFinally.java:40:24:40:29 | "Try2" |
 | TestFinally.java:40:5:40:30 | println(...) | TestFinally.java:41:6:41:25 | catch (...) |
 | TestFinally.java:40:5:40:30 | println(...) | TestFinally.java:73:4:80:4 | { ... } |
-| TestFinally.java:40:5:40:31 | ...; | TestFinally.java:40:5:40:14 | System.out |
+| TestFinally.java:40:5:40:31 | <Expr>; | TestFinally.java:40:5:40:14 | System.out |
 | TestFinally.java:40:24:40:29 | "Try2" | TestFinally.java:40:5:40:30 | println(...) |
 | TestFinally.java:41:6:41:25 | catch (...) | TestFinally.java:41:23:41:24 | ex |
 | TestFinally.java:41:23:41:24 | ex | TestFinally.java:42:4:72:4 | { ... } |
-| TestFinally.java:42:4:72:4 | { ... } | TestFinally.java:43:5:43:36 | ...; |
+| TestFinally.java:42:4:72:4 | { ... } | TestFinally.java:43:5:43:36 | <Expr>; |
 | TestFinally.java:43:5:43:14 | System.out | TestFinally.java:43:24:43:34 | "Exception" |
 | TestFinally.java:43:5:43:35 | println(...) | TestFinally.java:44:5:67:5 | try ... |
 | TestFinally.java:43:5:43:35 | println(...) | TestFinally.java:73:4:80:4 | { ... } |
-| TestFinally.java:43:5:43:36 | ...; | TestFinally.java:43:5:43:14 | System.out |
+| TestFinally.java:43:5:43:36 | <Expr>; | TestFinally.java:43:5:43:14 | System.out |
 | TestFinally.java:43:24:43:34 | "Exception" | TestFinally.java:43:5:43:35 | println(...) |
 | TestFinally.java:44:5:67:5 | try ... | TestFinally.java:45:5:52:5 | { ... } |
-| TestFinally.java:45:5:52:5 | { ... } | TestFinally.java:46:6:46:32 | ...; |
+| TestFinally.java:45:5:52:5 | { ... } | TestFinally.java:46:6:46:32 | <Expr>; |
 | TestFinally.java:46:6:46:15 | System.out | TestFinally.java:46:25:46:30 | "Try1" |
 | TestFinally.java:46:6:46:31 | println(...) | TestFinally.java:47:6:47:16 | if (...) |
 | TestFinally.java:46:6:46:31 | println(...) | TestFinally.java:52:7:52:27 | catch (...) |
 | TestFinally.java:46:6:46:31 | println(...) | TestFinally.java:60:5:67:5 | { ... } |
-| TestFinally.java:46:6:46:32 | ...; | TestFinally.java:46:6:46:15 | System.out |
+| TestFinally.java:46:6:46:32 | <Expr>; | TestFinally.java:46:6:46:15 | System.out |
 | TestFinally.java:46:25:46:30 | "Try1" | TestFinally.java:46:6:46:31 | println(...) |
 | TestFinally.java:47:6:47:16 | if (...) | TestFinally.java:47:10:47:10 | z |
 | TestFinally.java:47:10:47:10 | z | TestFinally.java:47:15:47:15 | 1 |
 | TestFinally.java:47:10:47:15 | ... == ... | TestFinally.java:48:6:50:6 | { ... } |
-| TestFinally.java:47:10:47:15 | ... == ... | TestFinally.java:51:6:51:32 | ...; |
+| TestFinally.java:47:10:47:15 | ... == ... | TestFinally.java:51:6:51:32 | <Expr>; |
 | TestFinally.java:47:15:47:15 | 1 | TestFinally.java:47:10:47:15 | ... == ... |
 | TestFinally.java:48:6:50:6 | { ... } | TestFinally.java:49:7:49:13 | return ... |
 | TestFinally.java:49:7:49:13 | return ... | TestFinally.java:60:5:67:5 | { ... } |
 | TestFinally.java:51:6:51:15 | System.out | TestFinally.java:51:25:51:30 | "Try2" |
 | TestFinally.java:51:6:51:31 | println(...) | TestFinally.java:52:7:52:27 | catch (...) |
 | TestFinally.java:51:6:51:31 | println(...) | TestFinally.java:60:5:67:5 | { ... } |
-| TestFinally.java:51:6:51:32 | ...; | TestFinally.java:51:6:51:15 | System.out |
+| TestFinally.java:51:6:51:32 | <Expr>; | TestFinally.java:51:6:51:15 | System.out |
 | TestFinally.java:51:25:51:30 | "Try2" | TestFinally.java:51:6:51:31 | println(...) |
 | TestFinally.java:52:7:52:27 | catch (...) | TestFinally.java:52:24:52:26 | ex2 |
 | TestFinally.java:52:24:52:26 | ex2 | TestFinally.java:53:5:59:5 | { ... } |
-| TestFinally.java:53:5:59:5 | { ... } | TestFinally.java:54:6:54:37 | ...; |
+| TestFinally.java:53:5:59:5 | { ... } | TestFinally.java:54:6:54:37 | <Expr>; |
 | TestFinally.java:54:6:54:15 | System.out | TestFinally.java:54:25:54:35 | "Exception" |
 | TestFinally.java:54:6:54:36 | println(...) | TestFinally.java:55:6:55:16 | if (...) |
 | TestFinally.java:54:6:54:36 | println(...) | TestFinally.java:60:5:67:5 | { ... } |
-| TestFinally.java:54:6:54:37 | ...; | TestFinally.java:54:6:54:15 | System.out |
+| TestFinally.java:54:6:54:37 | <Expr>; | TestFinally.java:54:6:54:15 | System.out |
 | TestFinally.java:54:25:54:35 | "Exception" | TestFinally.java:54:6:54:36 | println(...) |
 | TestFinally.java:55:6:55:16 | if (...) | TestFinally.java:55:10:55:10 | z |
 | TestFinally.java:55:10:55:10 | z | TestFinally.java:55:15:55:15 | 1 |
@@ -124,23 +124,23 @@
 | TestFinally.java:55:15:55:15 | 1 | TestFinally.java:55:10:55:15 | ... == ... |
 | TestFinally.java:56:6:58:6 | { ... } | TestFinally.java:57:7:57:13 | return ... |
 | TestFinally.java:57:7:57:13 | return ... | TestFinally.java:60:5:67:5 | { ... } |
-| TestFinally.java:60:5:67:5 | { ... } | TestFinally.java:61:6:61:35 | ...; |
+| TestFinally.java:60:5:67:5 | { ... } | TestFinally.java:61:6:61:35 | <Expr>; |
 | TestFinally.java:61:6:61:15 | System.out | TestFinally.java:61:25:61:33 | "Finally" |
 | TestFinally.java:61:6:61:34 | println(...) | TestFinally.java:62:6:62:16 | if (...) |
 | TestFinally.java:61:6:61:34 | println(...) | TestFinally.java:73:4:80:4 | { ... } |
-| TestFinally.java:61:6:61:35 | ...; | TestFinally.java:61:6:61:15 | System.out |
+| TestFinally.java:61:6:61:35 | <Expr>; | TestFinally.java:61:6:61:15 | System.out |
 | TestFinally.java:61:25:61:33 | "Finally" | TestFinally.java:61:6:61:34 | println(...) |
 | TestFinally.java:62:6:62:16 | if (...) | TestFinally.java:62:10:62:10 | z |
 | TestFinally.java:62:10:62:10 | z | TestFinally.java:62:15:62:15 | 1 |
 | TestFinally.java:62:10:62:15 | ... == ... | TestFinally.java:63:6:65:6 | { ... } |
-| TestFinally.java:62:10:62:15 | ... == ... | TestFinally.java:66:6:66:36 | ...; |
+| TestFinally.java:62:10:62:15 | ... == ... | TestFinally.java:66:6:66:36 | <Expr>; |
 | TestFinally.java:62:15:62:15 | 1 | TestFinally.java:62:10:62:15 | ... == ... |
 | TestFinally.java:63:6:65:6 | { ... } | TestFinally.java:64:7:64:13 | return ... |
 | TestFinally.java:64:7:64:13 | return ... | TestFinally.java:73:4:80:4 | { ... } |
 | TestFinally.java:66:6:66:15 | System.out | TestFinally.java:66:25:66:34 | "Finally2" |
 | TestFinally.java:66:6:66:35 | println(...) | TestFinally.java:68:5:68:15 | if (...) |
 | TestFinally.java:66:6:66:35 | println(...) | TestFinally.java:73:4:80:4 | { ... } |
-| TestFinally.java:66:6:66:36 | ...; | TestFinally.java:66:6:66:15 | System.out |
+| TestFinally.java:66:6:66:36 | <Expr>; | TestFinally.java:66:6:66:15 | System.out |
 | TestFinally.java:66:25:66:34 | "Finally2" | TestFinally.java:66:6:66:35 | println(...) |
 | TestFinally.java:68:5:68:15 | if (...) | TestFinally.java:68:9:68:9 | z |
 | TestFinally.java:68:9:68:9 | z | TestFinally.java:68:14:68:14 | 1 |
@@ -149,45 +149,45 @@
 | TestFinally.java:68:14:68:14 | 1 | TestFinally.java:68:9:68:14 | ... == ... |
 | TestFinally.java:69:5:71:5 | { ... } | TestFinally.java:70:6:70:12 | return ... |
 | TestFinally.java:70:6:70:12 | return ... | TestFinally.java:73:4:80:4 | { ... } |
-| TestFinally.java:73:4:80:4 | { ... } | TestFinally.java:74:5:74:34 | ...; |
+| TestFinally.java:73:4:80:4 | { ... } | TestFinally.java:74:5:74:34 | <Expr>; |
 | TestFinally.java:74:5:74:14 | System.out | TestFinally.java:74:24:74:32 | "Finally" |
 | TestFinally.java:74:5:74:33 | println(...) | TestFinally.java:75:5:75:15 | if (...) |
 | TestFinally.java:74:5:74:33 | println(...) | TestFinally.java:86:5:86:23 | catch (...) |
 | TestFinally.java:74:5:74:33 | println(...) | TestFinally.java:116:3:120:3 | { ... } |
-| TestFinally.java:74:5:74:34 | ...; | TestFinally.java:74:5:74:14 | System.out |
+| TestFinally.java:74:5:74:34 | <Expr>; | TestFinally.java:74:5:74:14 | System.out |
 | TestFinally.java:74:24:74:32 | "Finally" | TestFinally.java:74:5:74:33 | println(...) |
 | TestFinally.java:75:5:75:15 | if (...) | TestFinally.java:75:9:75:9 | z |
 | TestFinally.java:75:9:75:9 | z | TestFinally.java:75:14:75:14 | 1 |
 | TestFinally.java:75:9:75:14 | ... == ... | TestFinally.java:76:5:78:5 | { ... } |
-| TestFinally.java:75:9:75:14 | ... == ... | TestFinally.java:79:5:79:35 | ...; |
+| TestFinally.java:75:9:75:14 | ... == ... | TestFinally.java:79:5:79:35 | <Expr>; |
 | TestFinally.java:75:14:75:14 | 1 | TestFinally.java:75:9:75:14 | ... == ... |
 | TestFinally.java:76:5:78:5 | { ... } | TestFinally.java:77:6:77:12 | return ... |
 | TestFinally.java:77:6:77:12 | return ... | TestFinally.java:116:3:120:3 | { ... } |
 | TestFinally.java:79:5:79:14 | System.out | TestFinally.java:79:24:79:33 | "Finally2" |
-| TestFinally.java:79:5:79:34 | println(...) | TestFinally.java:81:4:81:29 | ...; |
+| TestFinally.java:79:5:79:34 | println(...) | TestFinally.java:81:4:81:29 | <Expr>; |
 | TestFinally.java:79:5:79:34 | println(...) | TestFinally.java:86:5:86:23 | catch (...) |
 | TestFinally.java:79:5:79:34 | println(...) | TestFinally.java:116:3:120:3 | { ... } |
-| TestFinally.java:79:5:79:35 | ...; | TestFinally.java:79:5:79:14 | System.out |
+| TestFinally.java:79:5:79:35 | <Expr>; | TestFinally.java:79:5:79:14 | System.out |
 | TestFinally.java:79:24:79:33 | "Finally2" | TestFinally.java:79:5:79:34 | println(...) |
 | TestFinally.java:81:4:81:13 | System.out | TestFinally.java:81:23:81:27 | "Foo" |
-| TestFinally.java:81:4:81:28 | println(...) | TestFinally.java:82:4:82:18 | local variable declaration |
+| TestFinally.java:81:4:81:28 | println(...) | TestFinally.java:82:4:82:18 | var ...; |
 | TestFinally.java:81:4:81:28 | println(...) | TestFinally.java:86:5:86:23 | catch (...) |
 | TestFinally.java:81:4:81:28 | println(...) | TestFinally.java:116:3:120:3 | { ... } |
-| TestFinally.java:81:4:81:29 | ...; | TestFinally.java:81:4:81:13 | System.out |
+| TestFinally.java:81:4:81:29 | <Expr>; | TestFinally.java:81:4:81:13 | System.out |
 | TestFinally.java:81:23:81:27 | "Foo" | TestFinally.java:81:4:81:28 | println(...) |
-| TestFinally.java:82:4:82:18 | local variable declaration | TestFinally.java:82:12:82:13 | 12 |
-| TestFinally.java:82:8:82:17 | y | TestFinally.java:83:4:83:29 | ...; |
+| TestFinally.java:82:4:82:18 | var ...; | TestFinally.java:82:12:82:13 | 12 |
+| TestFinally.java:82:8:82:17 | y | TestFinally.java:83:4:83:29 | <Expr>; |
 | TestFinally.java:82:12:82:13 | 12 | TestFinally.java:82:17:82:17 | 3 |
 | TestFinally.java:82:12:82:17 | ... + ... | TestFinally.java:82:8:82:17 | y |
 | TestFinally.java:82:17:82:17 | 3 | TestFinally.java:82:12:82:17 | ... + ... |
 | TestFinally.java:83:4:83:13 | System.out | TestFinally.java:83:23:83:27 | "Bar" |
-| TestFinally.java:83:4:83:28 | println(...) | TestFinally.java:84:4:84:13 | ...; |
+| TestFinally.java:83:4:83:28 | println(...) | TestFinally.java:84:4:84:13 | <Expr>; |
 | TestFinally.java:83:4:83:28 | println(...) | TestFinally.java:86:5:86:23 | catch (...) |
 | TestFinally.java:83:4:83:28 | println(...) | TestFinally.java:116:3:120:3 | { ... } |
-| TestFinally.java:83:4:83:29 | ...; | TestFinally.java:83:4:83:13 | System.out |
+| TestFinally.java:83:4:83:29 | <Expr>; | TestFinally.java:83:4:83:13 | System.out |
 | TestFinally.java:83:23:83:27 | "Bar" | TestFinally.java:83:4:83:28 | println(...) |
 | TestFinally.java:84:4:84:12 | ...=... | TestFinally.java:85:4:85:10 | return ... |
-| TestFinally.java:84:4:84:13 | ...; | TestFinally.java:84:8:84:8 | y |
+| TestFinally.java:84:4:84:13 | <Expr>; | TestFinally.java:84:8:84:8 | y |
 | TestFinally.java:84:8:84:8 | y | TestFinally.java:84:12:84:12 | 1 |
 | TestFinally.java:84:8:84:12 | ... + ... | TestFinally.java:84:4:84:12 | ...=... |
 | TestFinally.java:84:12:84:12 | 1 | TestFinally.java:84:8:84:12 | ... + ... |
@@ -196,31 +196,31 @@
 | TestFinally.java:86:22:86:22 | e | TestFinally.java:87:3:115:3 | { ... } |
 | TestFinally.java:87:3:115:3 | { ... } | TestFinally.java:88:4:111:4 | try ... |
 | TestFinally.java:88:4:111:4 | try ... | TestFinally.java:89:4:96:4 | { ... } |
-| TestFinally.java:89:4:96:4 | { ... } | TestFinally.java:90:5:90:31 | ...; |
+| TestFinally.java:89:4:96:4 | { ... } | TestFinally.java:90:5:90:31 | <Expr>; |
 | TestFinally.java:90:5:90:14 | System.out | TestFinally.java:90:24:90:29 | "Try1" |
 | TestFinally.java:90:5:90:30 | println(...) | TestFinally.java:91:5:91:15 | if (...) |
 | TestFinally.java:90:5:90:30 | println(...) | TestFinally.java:96:6:96:25 | catch (...) |
 | TestFinally.java:90:5:90:30 | println(...) | TestFinally.java:104:4:111:4 | { ... } |
-| TestFinally.java:90:5:90:31 | ...; | TestFinally.java:90:5:90:14 | System.out |
+| TestFinally.java:90:5:90:31 | <Expr>; | TestFinally.java:90:5:90:14 | System.out |
 | TestFinally.java:90:24:90:29 | "Try1" | TestFinally.java:90:5:90:30 | println(...) |
 | TestFinally.java:91:5:91:15 | if (...) | TestFinally.java:91:9:91:9 | z |
 | TestFinally.java:91:9:91:9 | z | TestFinally.java:91:14:91:14 | 1 |
 | TestFinally.java:91:9:91:14 | ... == ... | TestFinally.java:92:5:94:5 | { ... } |
-| TestFinally.java:91:9:91:14 | ... == ... | TestFinally.java:95:5:95:31 | ...; |
+| TestFinally.java:91:9:91:14 | ... == ... | TestFinally.java:95:5:95:31 | <Expr>; |
 | TestFinally.java:91:14:91:14 | 1 | TestFinally.java:91:9:91:14 | ... == ... |
 | TestFinally.java:92:5:94:5 | { ... } | TestFinally.java:93:6:93:12 | return ... |
 | TestFinally.java:93:6:93:12 | return ... | TestFinally.java:104:4:111:4 | { ... } |
 | TestFinally.java:95:5:95:14 | System.out | TestFinally.java:95:24:95:29 | "Try2" |
 | TestFinally.java:95:5:95:30 | println(...) | TestFinally.java:96:6:96:25 | catch (...) |
 | TestFinally.java:95:5:95:30 | println(...) | TestFinally.java:104:4:111:4 | { ... } |
-| TestFinally.java:95:5:95:31 | ...; | TestFinally.java:95:5:95:14 | System.out |
+| TestFinally.java:95:5:95:31 | <Expr>; | TestFinally.java:95:5:95:14 | System.out |
 | TestFinally.java:95:24:95:29 | "Try2" | TestFinally.java:95:5:95:30 | println(...) |
 | TestFinally.java:96:6:96:25 | catch (...) | TestFinally.java:96:23:96:24 | ex |
 | TestFinally.java:96:23:96:24 | ex | TestFinally.java:97:4:103:4 | { ... } |
-| TestFinally.java:97:4:103:4 | { ... } | TestFinally.java:98:5:98:36 | ...; |
+| TestFinally.java:97:4:103:4 | { ... } | TestFinally.java:98:5:98:36 | <Expr>; |
 | TestFinally.java:98:5:98:14 | System.out | TestFinally.java:98:24:98:34 | "Exception" |
 | TestFinally.java:98:5:98:35 | println(...) | TestFinally.java:99:5:99:15 | if (...) |
-| TestFinally.java:98:5:98:36 | ...; | TestFinally.java:98:5:98:14 | System.out |
+| TestFinally.java:98:5:98:36 | <Expr>; | TestFinally.java:98:5:98:14 | System.out |
 | TestFinally.java:98:24:98:34 | "Exception" | TestFinally.java:98:5:98:35 | println(...) |
 | TestFinally.java:99:5:99:15 | if (...) | TestFinally.java:99:9:99:9 | z |
 | TestFinally.java:99:9:99:9 | z | TestFinally.java:99:14:99:14 | 1 |
@@ -229,82 +229,82 @@
 | TestFinally.java:99:14:99:14 | 1 | TestFinally.java:99:9:99:14 | ... == ... |
 | TestFinally.java:100:5:102:5 | { ... } | TestFinally.java:101:6:101:12 | return ... |
 | TestFinally.java:101:6:101:12 | return ... | TestFinally.java:104:4:111:4 | { ... } |
-| TestFinally.java:104:4:111:4 | { ... } | TestFinally.java:105:5:105:34 | ...; |
+| TestFinally.java:104:4:111:4 | { ... } | TestFinally.java:105:5:105:34 | <Expr>; |
 | TestFinally.java:105:5:105:14 | System.out | TestFinally.java:105:24:105:32 | "Finally" |
 | TestFinally.java:105:5:105:33 | println(...) | TestFinally.java:106:5:106:15 | if (...) |
-| TestFinally.java:105:5:105:34 | ...; | TestFinally.java:105:5:105:14 | System.out |
+| TestFinally.java:105:5:105:34 | <Expr>; | TestFinally.java:105:5:105:14 | System.out |
 | TestFinally.java:105:24:105:32 | "Finally" | TestFinally.java:105:5:105:33 | println(...) |
 | TestFinally.java:106:5:106:15 | if (...) | TestFinally.java:106:9:106:9 | z |
 | TestFinally.java:106:9:106:9 | z | TestFinally.java:106:14:106:14 | 1 |
 | TestFinally.java:106:9:106:14 | ... == ... | TestFinally.java:107:5:109:5 | { ... } |
-| TestFinally.java:106:9:106:14 | ... == ... | TestFinally.java:110:5:110:35 | ...; |
+| TestFinally.java:106:9:106:14 | ... == ... | TestFinally.java:110:5:110:35 | <Expr>; |
 | TestFinally.java:106:14:106:14 | 1 | TestFinally.java:106:9:106:14 | ... == ... |
 | TestFinally.java:107:5:109:5 | { ... } | TestFinally.java:108:6:108:12 | return ... |
 | TestFinally.java:108:6:108:12 | return ... | TestFinally.java:116:3:120:3 | { ... } |
 | TestFinally.java:110:5:110:14 | System.out | TestFinally.java:110:24:110:33 | "Finally2" |
-| TestFinally.java:110:5:110:34 | println(...) | TestFinally.java:112:4:112:13 | local variable declaration |
+| TestFinally.java:110:5:110:34 | println(...) | TestFinally.java:112:4:112:13 | var ...; |
 | TestFinally.java:110:5:110:34 | println(...) | TestFinally.java:116:3:120:3 | { ... } |
-| TestFinally.java:110:5:110:35 | ...; | TestFinally.java:110:5:110:14 | System.out |
+| TestFinally.java:110:5:110:35 | <Expr>; | TestFinally.java:110:5:110:14 | System.out |
 | TestFinally.java:110:24:110:33 | "Finally2" | TestFinally.java:110:5:110:34 | println(...) |
-| TestFinally.java:112:4:112:13 | local variable declaration | TestFinally.java:112:12:112:12 | 1 |
-| TestFinally.java:112:8:112:12 | x | TestFinally.java:113:4:113:37 | ...; |
+| TestFinally.java:112:4:112:13 | var ...; | TestFinally.java:112:12:112:12 | 1 |
+| TestFinally.java:112:8:112:12 | x | TestFinally.java:113:4:113:37 | <Expr>; |
 | TestFinally.java:112:12:112:12 | 1 | TestFinally.java:112:8:112:12 | x |
 | TestFinally.java:113:4:113:13 | System.out | TestFinally.java:113:23:113:31 | "Error: " |
-| TestFinally.java:113:4:113:36 | println(...) | TestFinally.java:114:4:114:13 | ...; |
-| TestFinally.java:113:4:113:37 | ...; | TestFinally.java:113:4:113:13 | System.out |
+| TestFinally.java:113:4:113:36 | println(...) | TestFinally.java:114:4:114:13 | <Expr>; |
+| TestFinally.java:113:4:113:37 | <Expr>; | TestFinally.java:113:4:113:13 | System.out |
 | TestFinally.java:113:23:113:31 | "Error: " | TestFinally.java:113:35:113:35 | e |
 | TestFinally.java:113:23:113:35 | ... + ... | TestFinally.java:113:4:113:36 | println(...) |
 | TestFinally.java:113:35:113:35 | e | TestFinally.java:113:23:113:35 | ... + ... |
 | TestFinally.java:114:4:114:12 | ...=... | TestFinally.java:116:3:120:3 | { ... } |
-| TestFinally.java:114:4:114:13 | ...; | TestFinally.java:114:8:114:8 | x |
+| TestFinally.java:114:4:114:13 | <Expr>; | TestFinally.java:114:8:114:8 | x |
 | TestFinally.java:114:8:114:8 | x | TestFinally.java:114:12:114:12 | 1 |
 | TestFinally.java:114:8:114:12 | ... + ... | TestFinally.java:114:4:114:12 | ...=... |
 | TestFinally.java:114:12:114:12 | 1 | TestFinally.java:114:8:114:12 | ... + ... |
-| TestFinally.java:116:3:120:3 | { ... } | TestFinally.java:117:4:117:14 | local variable declaration |
-| TestFinally.java:117:4:117:14 | local variable declaration | TestFinally.java:117:12:117:13 | 12 |
-| TestFinally.java:117:8:117:13 | y | TestFinally.java:118:4:118:33 | ...; |
+| TestFinally.java:116:3:120:3 | { ... } | TestFinally.java:117:4:117:14 | var ...; |
+| TestFinally.java:117:4:117:14 | var ...; | TestFinally.java:117:12:117:13 | 12 |
+| TestFinally.java:117:8:117:13 | y | TestFinally.java:118:4:118:33 | <Expr>; |
 | TestFinally.java:117:12:117:13 | 12 | TestFinally.java:117:8:117:13 | y |
 | TestFinally.java:118:4:118:13 | System.out | TestFinally.java:118:23:118:31 | "Finally" |
-| TestFinally.java:118:4:118:32 | println(...) | TestFinally.java:119:4:119:13 | ...; |
-| TestFinally.java:118:4:118:33 | ...; | TestFinally.java:118:4:118:13 | System.out |
+| TestFinally.java:118:4:118:32 | println(...) | TestFinally.java:119:4:119:13 | <Expr>; |
+| TestFinally.java:118:4:118:33 | <Expr>; | TestFinally.java:118:4:118:13 | System.out |
 | TestFinally.java:118:23:118:31 | "Finally" | TestFinally.java:118:4:118:32 | println(...) |
 | TestFinally.java:119:4:119:12 | ...=... | TestFinally.java:4:14:4:14 | f |
-| TestFinally.java:119:4:119:12 | ...=... | TestFinally.java:121:3:121:12 | ...; |
-| TestFinally.java:119:4:119:13 | ...; | TestFinally.java:119:8:119:8 | y |
+| TestFinally.java:119:4:119:12 | ...=... | TestFinally.java:121:3:121:12 | <Expr>; |
+| TestFinally.java:119:4:119:13 | <Expr>; | TestFinally.java:119:8:119:8 | y |
 | TestFinally.java:119:8:119:8 | y | TestFinally.java:119:12:119:12 | 1 |
 | TestFinally.java:119:8:119:12 | ... + ... | TestFinally.java:119:4:119:12 | ...=... |
 | TestFinally.java:119:12:119:12 | 1 | TestFinally.java:119:8:119:12 | ... + ... |
 | TestFinally.java:121:3:121:11 | ...=... | TestFinally.java:123:3:146:3 | try ... |
-| TestFinally.java:121:3:121:12 | ...; | TestFinally.java:121:7:121:7 | z |
+| TestFinally.java:121:3:121:12 | <Expr>; | TestFinally.java:121:7:121:7 | z |
 | TestFinally.java:121:7:121:7 | z | TestFinally.java:121:11:121:11 | 1 |
 | TestFinally.java:121:7:121:11 | ... + ... | TestFinally.java:121:3:121:11 | ...=... |
 | TestFinally.java:121:11:121:11 | 1 | TestFinally.java:121:7:121:11 | ... + ... |
 | TestFinally.java:123:3:146:3 | try ... | TestFinally.java:124:3:131:3 | { ... } |
-| TestFinally.java:124:3:131:3 | { ... } | TestFinally.java:125:4:125:30 | ...; |
+| TestFinally.java:124:3:131:3 | { ... } | TestFinally.java:125:4:125:30 | <Expr>; |
 | TestFinally.java:125:4:125:13 | System.out | TestFinally.java:125:23:125:28 | "Try1" |
 | TestFinally.java:125:4:125:29 | println(...) | TestFinally.java:126:4:126:14 | if (...) |
 | TestFinally.java:125:4:125:29 | println(...) | TestFinally.java:131:5:131:24 | catch (...) |
 | TestFinally.java:125:4:125:29 | println(...) | TestFinally.java:139:3:146:3 | { ... } |
-| TestFinally.java:125:4:125:30 | ...; | TestFinally.java:125:4:125:13 | System.out |
+| TestFinally.java:125:4:125:30 | <Expr>; | TestFinally.java:125:4:125:13 | System.out |
 | TestFinally.java:125:23:125:28 | "Try1" | TestFinally.java:125:4:125:29 | println(...) |
 | TestFinally.java:126:4:126:14 | if (...) | TestFinally.java:126:8:126:8 | z |
 | TestFinally.java:126:8:126:8 | z | TestFinally.java:126:13:126:13 | 1 |
 | TestFinally.java:126:8:126:13 | ... == ... | TestFinally.java:127:4:129:4 | { ... } |
-| TestFinally.java:126:8:126:13 | ... == ... | TestFinally.java:130:4:130:30 | ...; |
+| TestFinally.java:126:8:126:13 | ... == ... | TestFinally.java:130:4:130:30 | <Expr>; |
 | TestFinally.java:126:13:126:13 | 1 | TestFinally.java:126:8:126:13 | ... == ... |
 | TestFinally.java:127:4:129:4 | { ... } | TestFinally.java:128:5:128:11 | return ... |
 | TestFinally.java:128:5:128:11 | return ... | TestFinally.java:139:3:146:3 | { ... } |
 | TestFinally.java:130:4:130:13 | System.out | TestFinally.java:130:23:130:28 | "Try2" |
 | TestFinally.java:130:4:130:29 | println(...) | TestFinally.java:131:5:131:24 | catch (...) |
 | TestFinally.java:130:4:130:29 | println(...) | TestFinally.java:139:3:146:3 | { ... } |
-| TestFinally.java:130:4:130:30 | ...; | TestFinally.java:130:4:130:13 | System.out |
+| TestFinally.java:130:4:130:30 | <Expr>; | TestFinally.java:130:4:130:13 | System.out |
 | TestFinally.java:130:23:130:28 | "Try2" | TestFinally.java:130:4:130:29 | println(...) |
 | TestFinally.java:131:5:131:24 | catch (...) | TestFinally.java:131:22:131:23 | ex |
 | TestFinally.java:131:22:131:23 | ex | TestFinally.java:132:3:138:3 | { ... } |
-| TestFinally.java:132:3:138:3 | { ... } | TestFinally.java:133:4:133:35 | ...; |
+| TestFinally.java:132:3:138:3 | { ... } | TestFinally.java:133:4:133:35 | <Expr>; |
 | TestFinally.java:133:4:133:13 | System.out | TestFinally.java:133:23:133:33 | "Exception" |
 | TestFinally.java:133:4:133:34 | println(...) | TestFinally.java:134:4:134:14 | if (...) |
-| TestFinally.java:133:4:133:35 | ...; | TestFinally.java:133:4:133:13 | System.out |
+| TestFinally.java:133:4:133:35 | <Expr>; | TestFinally.java:133:4:133:13 | System.out |
 | TestFinally.java:133:23:133:33 | "Exception" | TestFinally.java:133:4:133:34 | println(...) |
 | TestFinally.java:134:4:134:14 | if (...) | TestFinally.java:134:8:134:8 | z |
 | TestFinally.java:134:8:134:8 | z | TestFinally.java:134:13:134:13 | 1 |
@@ -313,25 +313,25 @@
 | TestFinally.java:134:13:134:13 | 1 | TestFinally.java:134:8:134:13 | ... == ... |
 | TestFinally.java:135:4:137:4 | { ... } | TestFinally.java:136:5:136:11 | return ... |
 | TestFinally.java:136:5:136:11 | return ... | TestFinally.java:139:3:146:3 | { ... } |
-| TestFinally.java:139:3:146:3 | { ... } | TestFinally.java:140:4:140:33 | ...; |
+| TestFinally.java:139:3:146:3 | { ... } | TestFinally.java:140:4:140:33 | <Expr>; |
 | TestFinally.java:140:4:140:13 | System.out | TestFinally.java:140:23:140:31 | "Finally" |
 | TestFinally.java:140:4:140:32 | println(...) | TestFinally.java:141:4:141:14 | if (...) |
-| TestFinally.java:140:4:140:33 | ...; | TestFinally.java:140:4:140:13 | System.out |
+| TestFinally.java:140:4:140:33 | <Expr>; | TestFinally.java:140:4:140:13 | System.out |
 | TestFinally.java:140:23:140:31 | "Finally" | TestFinally.java:140:4:140:32 | println(...) |
 | TestFinally.java:141:4:141:14 | if (...) | TestFinally.java:141:8:141:8 | z |
 | TestFinally.java:141:8:141:8 | z | TestFinally.java:141:13:141:13 | 1 |
 | TestFinally.java:141:8:141:13 | ... == ... | TestFinally.java:142:4:144:4 | { ... } |
-| TestFinally.java:141:8:141:13 | ... == ... | TestFinally.java:145:4:145:34 | ...; |
+| TestFinally.java:141:8:141:13 | ... == ... | TestFinally.java:145:4:145:34 | <Expr>; |
 | TestFinally.java:141:13:141:13 | 1 | TestFinally.java:141:8:141:13 | ... == ... |
 | TestFinally.java:142:4:144:4 | { ... } | TestFinally.java:143:5:143:11 | return ... |
 | TestFinally.java:143:5:143:11 | return ... | TestFinally.java:4:14:4:14 | f |
 | TestFinally.java:145:4:145:13 | System.out | TestFinally.java:145:23:145:32 | "Finally2" |
 | TestFinally.java:145:4:145:33 | println(...) | TestFinally.java:4:14:4:14 | f |
-| TestFinally.java:145:4:145:33 | println(...) | TestFinally.java:148:3:148:12 | ...; |
-| TestFinally.java:145:4:145:34 | ...; | TestFinally.java:145:4:145:13 | System.out |
+| TestFinally.java:145:4:145:33 | println(...) | TestFinally.java:148:3:148:12 | <Expr>; |
+| TestFinally.java:145:4:145:34 | <Expr>; | TestFinally.java:145:4:145:13 | System.out |
 | TestFinally.java:145:23:145:32 | "Finally2" | TestFinally.java:145:4:145:33 | println(...) |
 | TestFinally.java:148:3:148:11 | ...=... | TestFinally.java:4:14:4:14 | f |
-| TestFinally.java:148:3:148:12 | ...; | TestFinally.java:148:7:148:7 | z |
+| TestFinally.java:148:3:148:12 | <Expr>; | TestFinally.java:148:7:148:7 | z |
 | TestFinally.java:148:7:148:7 | z | TestFinally.java:148:11:148:11 | 2 |
 | TestFinally.java:148:7:148:11 | ... + ... | TestFinally.java:148:3:148:11 | ...=... |
 | TestFinally.java:148:11:148:11 | 2 | TestFinally.java:148:7:148:11 | ... + ... |
diff --git a/java/ql/test/library-tests/successors/TestFinallyBreakContinue/TestSucc.expected b/java/ql/test/library-tests/successors/TestFinallyBreakContinue/TestSucc.expected
index 2beed591041..c2278d60701 100644
--- a/java/ql/test/library-tests/successors/TestFinallyBreakContinue/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/TestFinallyBreakContinue/TestSucc.expected
@@ -1,11 +1,11 @@
 | TestFinallyBreakContinue.java:3:14:3:37 | super(...) | TestFinallyBreakContinue.java:3:14:3:37 | TestFinallyBreakContinue |
 | TestFinallyBreakContinue.java:3:14:3:37 | { ... } | TestFinallyBreakContinue.java:3:14:3:37 | super(...) |
-| TestFinallyBreakContinue.java:5:2:107:2 | { ... } | TestFinallyBreakContinue.java:6:3:6:12 | local variable declaration |
-| TestFinallyBreakContinue.java:6:3:6:12 | local variable declaration | TestFinallyBreakContinue.java:6:11:6:11 | 1 |
-| TestFinallyBreakContinue.java:6:7:6:11 | x | TestFinallyBreakContinue.java:7:3:8:10 | labeled statement |
+| TestFinallyBreakContinue.java:5:2:107:2 | { ... } | TestFinallyBreakContinue.java:6:3:6:12 | var ...; |
+| TestFinallyBreakContinue.java:6:3:6:12 | var ...; | TestFinallyBreakContinue.java:6:11:6:11 | 1 |
+| TestFinallyBreakContinue.java:6:7:6:11 | x | TestFinallyBreakContinue.java:7:3:8:10 | <Label>: ... |
 | TestFinallyBreakContinue.java:6:11:6:11 | 1 | TestFinallyBreakContinue.java:6:7:6:11 | x |
-| TestFinallyBreakContinue.java:7:3:8:10 | labeled statement | TestFinallyBreakContinue.java:8:3:8:10 | for (...) |
-| TestFinallyBreakContinue.java:8:3:8:10 | for (...) | TestFinallyBreakContinue.java:9:3:32:3 | { ... } |
+| TestFinallyBreakContinue.java:7:3:8:10 | <Label>: ... | TestFinallyBreakContinue.java:8:3:8:10 | for (...;...;...) |
+| TestFinallyBreakContinue.java:8:3:8:10 | for (...;...;...) | TestFinallyBreakContinue.java:9:3:32:3 | { ... } |
 | TestFinallyBreakContinue.java:9:3:32:3 | { ... } | TestFinallyBreakContinue.java:10:4:31:4 | try ... |
 | TestFinallyBreakContinue.java:10:4:31:4 | try ... | TestFinallyBreakContinue.java:11:4:19:4 | { ... } |
 | TestFinallyBreakContinue.java:11:4:19:4 | { ... } | TestFinallyBreakContinue.java:12:5:12:15 | if (...) |
@@ -30,11 +30,11 @@
 | TestFinallyBreakContinue.java:23:6:23:11 | break | TestFinallyBreakContinue.java:29:4:31:4 | { ... } |
 | TestFinallyBreakContinue.java:25:5:27:5 | { ... } | TestFinallyBreakContinue.java:26:6:26:14 | continue |
 | TestFinallyBreakContinue.java:26:6:26:14 | continue | TestFinallyBreakContinue.java:29:4:31:4 | { ... } |
-| TestFinallyBreakContinue.java:29:4:31:4 | { ... } | TestFinallyBreakContinue.java:30:5:30:34 | ...; |
+| TestFinallyBreakContinue.java:29:4:31:4 | { ... } | TestFinallyBreakContinue.java:30:5:30:34 | <Expr>; |
 | TestFinallyBreakContinue.java:30:5:30:14 | System.out | TestFinallyBreakContinue.java:30:24:30:32 | "finally" |
 | TestFinallyBreakContinue.java:30:5:30:33 | println(...) | TestFinallyBreakContinue.java:9:3:32:3 | { ... } |
 | TestFinallyBreakContinue.java:30:5:30:33 | println(...) | TestFinallyBreakContinue.java:34:3:34:14 | while (...) |
-| TestFinallyBreakContinue.java:30:5:30:34 | ...; | TestFinallyBreakContinue.java:30:5:30:14 | System.out |
+| TestFinallyBreakContinue.java:30:5:30:34 | <Expr>; | TestFinallyBreakContinue.java:30:5:30:14 | System.out |
 | TestFinallyBreakContinue.java:30:24:30:32 | "finally" | TestFinallyBreakContinue.java:30:5:30:33 | println(...) |
 | TestFinallyBreakContinue.java:34:3:34:14 | while (...) | TestFinallyBreakContinue.java:34:10:34:13 | true |
 | TestFinallyBreakContinue.java:34:10:34:13 | true | TestFinallyBreakContinue.java:35:3:67:3 | { ... } |
@@ -64,27 +64,27 @@
 | TestFinallyBreakContinue.java:51:7:51:12 | break | TestFinallyBreakContinue.java:57:5:59:5 | { ... } |
 | TestFinallyBreakContinue.java:53:6:55:6 | { ... } | TestFinallyBreakContinue.java:54:7:54:15 | continue |
 | TestFinallyBreakContinue.java:54:7:54:15 | continue | TestFinallyBreakContinue.java:57:5:59:5 | { ... } |
-| TestFinallyBreakContinue.java:57:5:59:5 | { ... } | TestFinallyBreakContinue.java:58:6:58:35 | ...; |
+| TestFinallyBreakContinue.java:57:5:59:5 | { ... } | TestFinallyBreakContinue.java:58:6:58:35 | <Expr>; |
 | TestFinallyBreakContinue.java:58:6:58:15 | System.out | TestFinallyBreakContinue.java:58:25:58:33 | "finally" |
 | TestFinallyBreakContinue.java:58:6:58:34 | println(...) | TestFinallyBreakContinue.java:60:6:60:24 | catch (...) |
 | TestFinallyBreakContinue.java:58:6:58:34 | println(...) | TestFinallyBreakContinue.java:64:4:66:4 | { ... } |
-| TestFinallyBreakContinue.java:58:6:58:35 | ...; | TestFinallyBreakContinue.java:58:6:58:15 | System.out |
+| TestFinallyBreakContinue.java:58:6:58:35 | <Expr>; | TestFinallyBreakContinue.java:58:6:58:15 | System.out |
 | TestFinallyBreakContinue.java:58:25:58:33 | "finally" | TestFinallyBreakContinue.java:58:6:58:34 | println(...) |
 | TestFinallyBreakContinue.java:60:6:60:24 | catch (...) | TestFinallyBreakContinue.java:60:23:60:23 | e |
 | TestFinallyBreakContinue.java:60:23:60:23 | e | TestFinallyBreakContinue.java:61:4:63:4 | { ... } |
-| TestFinallyBreakContinue.java:61:4:63:4 | { ... } | TestFinallyBreakContinue.java:62:5:62:36 | ...; |
+| TestFinallyBreakContinue.java:61:4:63:4 | { ... } | TestFinallyBreakContinue.java:62:5:62:36 | <Expr>; |
 | TestFinallyBreakContinue.java:62:5:62:14 | System.out | TestFinallyBreakContinue.java:62:24:62:34 | "Exception" |
 | TestFinallyBreakContinue.java:62:5:62:35 | println(...) | TestFinallyBreakContinue.java:64:4:66:4 | { ... } |
-| TestFinallyBreakContinue.java:62:5:62:36 | ...; | TestFinallyBreakContinue.java:62:5:62:14 | System.out |
+| TestFinallyBreakContinue.java:62:5:62:36 | <Expr>; | TestFinallyBreakContinue.java:62:5:62:14 | System.out |
 | TestFinallyBreakContinue.java:62:24:62:34 | "Exception" | TestFinallyBreakContinue.java:62:5:62:35 | println(...) |
-| TestFinallyBreakContinue.java:64:4:66:4 | { ... } | TestFinallyBreakContinue.java:65:5:65:34 | ...; |
+| TestFinallyBreakContinue.java:64:4:66:4 | { ... } | TestFinallyBreakContinue.java:65:5:65:34 | <Expr>; |
 | TestFinallyBreakContinue.java:65:5:65:14 | System.out | TestFinallyBreakContinue.java:65:24:65:32 | "finally" |
 | TestFinallyBreakContinue.java:65:5:65:33 | println(...) | TestFinallyBreakContinue.java:4:14:4:14 | f |
 | TestFinallyBreakContinue.java:65:5:65:33 | println(...) | TestFinallyBreakContinue.java:34:10:34:13 | true |
-| TestFinallyBreakContinue.java:65:5:65:33 | println(...) | TestFinallyBreakContinue.java:69:3:106:17 | labeled statement |
-| TestFinallyBreakContinue.java:65:5:65:34 | ...; | TestFinallyBreakContinue.java:65:5:65:14 | System.out |
+| TestFinallyBreakContinue.java:65:5:65:33 | println(...) | TestFinallyBreakContinue.java:69:3:106:17 | <Label>: ... |
+| TestFinallyBreakContinue.java:65:5:65:34 | <Expr>; | TestFinallyBreakContinue.java:65:5:65:14 | System.out |
 | TestFinallyBreakContinue.java:65:24:65:32 | "finally" | TestFinallyBreakContinue.java:65:5:65:33 | println(...) |
-| TestFinallyBreakContinue.java:69:3:106:17 | labeled statement | TestFinallyBreakContinue.java:70:3:106:17 | do ... while (...) |
+| TestFinallyBreakContinue.java:69:3:106:17 | <Label>: ... | TestFinallyBreakContinue.java:70:3:106:17 | do ... while (...) |
 | TestFinallyBreakContinue.java:70:3:106:17 | do ... while (...) | TestFinallyBreakContinue.java:71:3:106:3 | { ... } |
 | TestFinallyBreakContinue.java:71:3:106:3 | { ... } | TestFinallyBreakContinue.java:72:4:105:4 | try ... |
 | TestFinallyBreakContinue.java:72:4:105:4 | try ... | TestFinallyBreakContinue.java:73:4:99:4 | { ... } |
@@ -118,24 +118,24 @@
 | TestFinallyBreakContinue.java:89:8:89:15 | break | TestFinallyBreakContinue.java:95:6:97:6 | { ... } |
 | TestFinallyBreakContinue.java:91:7:93:7 | { ... } | TestFinallyBreakContinue.java:92:8:92:18 | continue |
 | TestFinallyBreakContinue.java:92:8:92:18 | continue | TestFinallyBreakContinue.java:95:6:97:6 | { ... } |
-| TestFinallyBreakContinue.java:95:6:97:6 | { ... } | TestFinallyBreakContinue.java:96:7:96:36 | ...; |
+| TestFinallyBreakContinue.java:95:6:97:6 | { ... } | TestFinallyBreakContinue.java:96:7:96:36 | <Expr>; |
 | TestFinallyBreakContinue.java:96:7:96:16 | System.out | TestFinallyBreakContinue.java:96:26:96:34 | "finally" |
 | TestFinallyBreakContinue.java:96:7:96:35 | println(...) | TestFinallyBreakContinue.java:74:14:74:14 | i |
 | TestFinallyBreakContinue.java:96:7:96:35 | println(...) | TestFinallyBreakContinue.java:99:6:99:24 | catch (...) |
 | TestFinallyBreakContinue.java:96:7:96:35 | println(...) | TestFinallyBreakContinue.java:103:4:105:4 | { ... } |
-| TestFinallyBreakContinue.java:96:7:96:36 | ...; | TestFinallyBreakContinue.java:96:7:96:16 | System.out |
+| TestFinallyBreakContinue.java:96:7:96:36 | <Expr>; | TestFinallyBreakContinue.java:96:7:96:16 | System.out |
 | TestFinallyBreakContinue.java:96:26:96:34 | "finally" | TestFinallyBreakContinue.java:96:7:96:35 | println(...) |
 | TestFinallyBreakContinue.java:99:6:99:24 | catch (...) | TestFinallyBreakContinue.java:99:23:99:23 | e |
 | TestFinallyBreakContinue.java:99:23:99:23 | e | TestFinallyBreakContinue.java:100:4:102:4 | { ... } |
-| TestFinallyBreakContinue.java:100:4:102:4 | { ... } | TestFinallyBreakContinue.java:101:5:101:36 | ...; |
+| TestFinallyBreakContinue.java:100:4:102:4 | { ... } | TestFinallyBreakContinue.java:101:5:101:36 | <Expr>; |
 | TestFinallyBreakContinue.java:101:5:101:14 | System.out | TestFinallyBreakContinue.java:101:24:101:34 | "Exception" |
 | TestFinallyBreakContinue.java:101:5:101:35 | println(...) | TestFinallyBreakContinue.java:103:4:105:4 | { ... } |
-| TestFinallyBreakContinue.java:101:5:101:36 | ...; | TestFinallyBreakContinue.java:101:5:101:14 | System.out |
+| TestFinallyBreakContinue.java:101:5:101:36 | <Expr>; | TestFinallyBreakContinue.java:101:5:101:14 | System.out |
 | TestFinallyBreakContinue.java:101:24:101:34 | "Exception" | TestFinallyBreakContinue.java:101:5:101:35 | println(...) |
-| TestFinallyBreakContinue.java:103:4:105:4 | { ... } | TestFinallyBreakContinue.java:104:5:104:34 | ...; |
+| TestFinallyBreakContinue.java:103:4:105:4 | { ... } | TestFinallyBreakContinue.java:104:5:104:34 | <Expr>; |
 | TestFinallyBreakContinue.java:104:5:104:14 | System.out | TestFinallyBreakContinue.java:104:24:104:32 | "finally" |
 | TestFinallyBreakContinue.java:104:5:104:33 | println(...) | TestFinallyBreakContinue.java:4:14:4:14 | f |
 | TestFinallyBreakContinue.java:104:5:104:33 | println(...) | TestFinallyBreakContinue.java:106:12:106:15 | true |
-| TestFinallyBreakContinue.java:104:5:104:34 | ...; | TestFinallyBreakContinue.java:104:5:104:14 | System.out |
+| TestFinallyBreakContinue.java:104:5:104:34 | <Expr>; | TestFinallyBreakContinue.java:104:5:104:14 | System.out |
 | TestFinallyBreakContinue.java:104:24:104:32 | "finally" | TestFinallyBreakContinue.java:104:5:104:33 | println(...) |
 | TestFinallyBreakContinue.java:106:12:106:15 | true | TestFinallyBreakContinue.java:71:3:106:3 | { ... } |
diff --git a/java/ql/test/library-tests/successors/TestLoopBranch/FalseSuccessors.expected b/java/ql/test/library-tests/successors/TestLoopBranch/FalseSuccessors.expected
index 266d4ab24ab..97278336764 100644
--- a/java/ql/test/library-tests/successors/TestLoopBranch/FalseSuccessors.expected
+++ b/java/ql/test/library-tests/successors/TestLoopBranch/FalseSuccessors.expected
@@ -1,5 +1,5 @@
 | TestLoopBranch.java:17:12:17:17 | ... == ... | TestLoopBranch.java:19:3:22:3 | { ... } |
-| TestLoopBranch.java:24:10:24:15 | ... == ... | TestLoopBranch.java:31:3:31:30 | for (...) |
+| TestLoopBranch.java:24:10:24:15 | ... == ... | TestLoopBranch.java:31:3:31:30 | for (...;...;...) |
 | TestLoopBranch.java:31:19:31:24 | ... < ... | TestLoopBranch.java:37:3:37:3 | ; |
 | TestLoopBranch.java:46:7:46:13 | ... == ... | TestLoopBranch.java:51:3:51:14 | if (...) |
 | TestLoopBranch.java:51:7:51:13 | ... == ... | TestLoopBranch.java:56:3:60:3 | { ... } |
diff --git a/java/ql/test/library-tests/successors/TestLoopBranch/TestSucc.expected b/java/ql/test/library-tests/successors/TestLoopBranch/TestSucc.expected
index 65617702a28..930da9a7132 100644
--- a/java/ql/test/library-tests/successors/TestLoopBranch/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/TestLoopBranch/TestSucc.expected
@@ -1,64 +1,64 @@
-| TestLoopBranch.java:3:14:3:27 | { ... } | TestLoopBranch.java:4:2:4:13 | ...; |
-| TestLoopBranch.java:4:2:4:13 | ...; | TestLoopBranch.java:4:11:4:12 | 12 |
-| TestLoopBranch.java:4:2:4:13 | ...=... | TestLoopBranch.java:5:2:5:13 | ...; |
+| TestLoopBranch.java:3:14:3:27 | { ... } | TestLoopBranch.java:4:2:4:13 | <Expr>; |
+| TestLoopBranch.java:4:2:4:13 | ...=... | TestLoopBranch.java:5:2:5:13 | <Expr>; |
+| TestLoopBranch.java:4:2:4:13 | <Expr>; | TestLoopBranch.java:4:11:4:12 | 12 |
 | TestLoopBranch.java:4:11:4:12 | 12 | TestLoopBranch.java:4:2:4:13 | ...=... |
-| TestLoopBranch.java:5:2:5:13 | ...; | TestLoopBranch.java:5:11:5:12 | 13 |
 | TestLoopBranch.java:5:2:5:13 | ...=... | TestLoopBranch.java:3:14:3:27 | <obinit> |
+| TestLoopBranch.java:5:2:5:13 | <Expr>; | TestLoopBranch.java:5:11:5:12 | 13 |
 | TestLoopBranch.java:5:11:5:12 | 13 | TestLoopBranch.java:5:2:5:13 | ...=... |
-| TestLoopBranch.java:8:2:107:2 | { ... } | TestLoopBranch.java:9:3:9:12 | local variable declaration |
-| TestLoopBranch.java:9:3:9:12 | local variable declaration | TestLoopBranch.java:9:11:9:11 | 1 |
-| TestLoopBranch.java:9:7:9:11 | x | TestLoopBranch.java:10:3:10:12 | local variable declaration |
+| TestLoopBranch.java:8:2:107:2 | { ... } | TestLoopBranch.java:9:3:9:12 | var ...; |
+| TestLoopBranch.java:9:3:9:12 | var ...; | TestLoopBranch.java:9:11:9:11 | 1 |
+| TestLoopBranch.java:9:7:9:11 | x | TestLoopBranch.java:10:3:10:12 | var ...; |
 | TestLoopBranch.java:9:11:9:11 | 1 | TestLoopBranch.java:9:7:9:11 | x |
-| TestLoopBranch.java:10:3:10:12 | local variable declaration | TestLoopBranch.java:10:11:10:11 | 2 |
-| TestLoopBranch.java:10:7:10:11 | y | TestLoopBranch.java:11:3:11:28 | ...; |
+| TestLoopBranch.java:10:3:10:12 | var ...; | TestLoopBranch.java:10:11:10:11 | 2 |
+| TestLoopBranch.java:10:7:10:11 | y | TestLoopBranch.java:11:3:11:28 | <Expr>; |
 | TestLoopBranch.java:10:11:10:11 | 2 | TestLoopBranch.java:10:7:10:11 | y |
 | TestLoopBranch.java:11:3:11:12 | System.out | TestLoopBranch.java:11:22:11:26 | "foo" |
 | TestLoopBranch.java:11:3:11:27 | println(...) | TestLoopBranch.java:13:3:17:19 | do ... while (...) |
-| TestLoopBranch.java:11:3:11:28 | ...; | TestLoopBranch.java:11:3:11:12 | System.out |
+| TestLoopBranch.java:11:3:11:28 | <Expr>; | TestLoopBranch.java:11:3:11:12 | System.out |
 | TestLoopBranch.java:11:22:11:26 | "foo" | TestLoopBranch.java:11:3:11:27 | println(...) |
 | TestLoopBranch.java:13:3:17:19 | do ... while (...) | TestLoopBranch.java:14:3:17:3 | { ... } |
-| TestLoopBranch.java:14:3:17:3 | { ... } | TestLoopBranch.java:15:4:15:29 | ...; |
+| TestLoopBranch.java:14:3:17:3 | { ... } | TestLoopBranch.java:15:4:15:29 | <Expr>; |
 | TestLoopBranch.java:15:4:15:13 | System.out | TestLoopBranch.java:15:23:15:27 | "bar" |
-| TestLoopBranch.java:15:4:15:28 | println(...) | TestLoopBranch.java:16:4:16:32 | ...; |
-| TestLoopBranch.java:15:4:15:29 | ...; | TestLoopBranch.java:15:4:15:13 | System.out |
+| TestLoopBranch.java:15:4:15:28 | println(...) | TestLoopBranch.java:16:4:16:32 | <Expr>; |
+| TestLoopBranch.java:15:4:15:29 | <Expr>; | TestLoopBranch.java:15:4:15:13 | System.out |
 | TestLoopBranch.java:15:23:15:27 | "bar" | TestLoopBranch.java:15:4:15:28 | println(...) |
 | TestLoopBranch.java:16:4:16:13 | System.out | TestLoopBranch.java:16:23:16:30 | "foobar" |
 | TestLoopBranch.java:16:4:16:31 | println(...) | TestLoopBranch.java:17:12:17:12 | x |
-| TestLoopBranch.java:16:4:16:32 | ...; | TestLoopBranch.java:16:4:16:13 | System.out |
+| TestLoopBranch.java:16:4:16:32 | <Expr>; | TestLoopBranch.java:16:4:16:13 | System.out |
 | TestLoopBranch.java:16:23:16:30 | "foobar" | TestLoopBranch.java:16:4:16:31 | println(...) |
 | TestLoopBranch.java:17:12:17:12 | x | TestLoopBranch.java:17:17:17:17 | 2 |
 | TestLoopBranch.java:17:12:17:17 | ... == ... | TestLoopBranch.java:14:3:17:3 | { ... } |
 | TestLoopBranch.java:17:12:17:17 | ... == ... | TestLoopBranch.java:19:3:22:3 | { ... } |
 | TestLoopBranch.java:17:17:17:17 | 2 | TestLoopBranch.java:17:12:17:17 | ... == ... |
-| TestLoopBranch.java:19:3:22:3 | { ... } | TestLoopBranch.java:20:4:20:32 | ...; |
+| TestLoopBranch.java:19:3:22:3 | { ... } | TestLoopBranch.java:20:4:20:32 | <Expr>; |
 | TestLoopBranch.java:20:4:20:13 | System.out | TestLoopBranch.java:20:23:20:30 | "shazam" |
-| TestLoopBranch.java:20:4:20:31 | println(...) | TestLoopBranch.java:21:4:21:32 | ...; |
-| TestLoopBranch.java:20:4:20:32 | ...; | TestLoopBranch.java:20:4:20:13 | System.out |
+| TestLoopBranch.java:20:4:20:31 | println(...) | TestLoopBranch.java:21:4:21:32 | <Expr>; |
+| TestLoopBranch.java:20:4:20:32 | <Expr>; | TestLoopBranch.java:20:4:20:13 | System.out |
 | TestLoopBranch.java:20:23:20:30 | "shazam" | TestLoopBranch.java:20:4:20:31 | println(...) |
 | TestLoopBranch.java:21:4:21:13 | System.out | TestLoopBranch.java:21:23:21:30 | "boogie" |
 | TestLoopBranch.java:21:4:21:31 | println(...) | TestLoopBranch.java:24:3:24:16 | while (...) |
-| TestLoopBranch.java:21:4:21:32 | ...; | TestLoopBranch.java:21:4:21:13 | System.out |
+| TestLoopBranch.java:21:4:21:32 | <Expr>; | TestLoopBranch.java:21:4:21:13 | System.out |
 | TestLoopBranch.java:21:23:21:30 | "boogie" | TestLoopBranch.java:21:4:21:31 | println(...) |
 | TestLoopBranch.java:24:3:24:16 | while (...) | TestLoopBranch.java:24:10:24:10 | x |
 | TestLoopBranch.java:24:10:24:10 | x | TestLoopBranch.java:24:15:24:15 | 1 |
 | TestLoopBranch.java:24:10:24:15 | ... == ... | TestLoopBranch.java:25:3:29:3 | { ... } |
-| TestLoopBranch.java:24:10:24:15 | ... == ... | TestLoopBranch.java:31:3:31:30 | for (...) |
+| TestLoopBranch.java:24:10:24:15 | ... == ... | TestLoopBranch.java:31:3:31:30 | for (...;...;...) |
 | TestLoopBranch.java:24:15:24:15 | 1 | TestLoopBranch.java:24:10:24:15 | ... == ... |
-| TestLoopBranch.java:25:3:29:3 | { ... } | TestLoopBranch.java:26:4:26:36 | ...; |
+| TestLoopBranch.java:25:3:29:3 | { ... } | TestLoopBranch.java:26:4:26:36 | <Expr>; |
 | TestLoopBranch.java:26:4:26:13 | System.out | TestLoopBranch.java:26:23:26:34 | "wonderland" |
-| TestLoopBranch.java:26:4:26:35 | println(...) | TestLoopBranch.java:27:4:27:32 | ...; |
-| TestLoopBranch.java:26:4:26:36 | ...; | TestLoopBranch.java:26:4:26:13 | System.out |
+| TestLoopBranch.java:26:4:26:35 | println(...) | TestLoopBranch.java:27:4:27:32 | <Expr>; |
+| TestLoopBranch.java:26:4:26:36 | <Expr>; | TestLoopBranch.java:26:4:26:13 | System.out |
 | TestLoopBranch.java:26:23:26:34 | "wonderland" | TestLoopBranch.java:26:4:26:35 | println(...) |
 | TestLoopBranch.java:27:4:27:13 | System.out | TestLoopBranch.java:27:23:27:30 | "shodan" |
-| TestLoopBranch.java:27:4:27:31 | println(...) | TestLoopBranch.java:28:4:28:13 | ...; |
-| TestLoopBranch.java:27:4:27:32 | ...; | TestLoopBranch.java:27:4:27:13 | System.out |
+| TestLoopBranch.java:27:4:27:31 | println(...) | TestLoopBranch.java:28:4:28:13 | <Expr>; |
+| TestLoopBranch.java:27:4:27:32 | <Expr>; | TestLoopBranch.java:27:4:27:13 | System.out |
 | TestLoopBranch.java:27:23:27:30 | "shodan" | TestLoopBranch.java:27:4:27:31 | println(...) |
 | TestLoopBranch.java:28:4:28:12 | ...=... | TestLoopBranch.java:24:10:24:10 | x |
-| TestLoopBranch.java:28:4:28:13 | ...; | TestLoopBranch.java:28:8:28:8 | x |
+| TestLoopBranch.java:28:4:28:13 | <Expr>; | TestLoopBranch.java:28:8:28:8 | x |
 | TestLoopBranch.java:28:8:28:8 | x | TestLoopBranch.java:28:12:28:12 | 1 |
 | TestLoopBranch.java:28:8:28:12 | ... + ... | TestLoopBranch.java:28:4:28:12 | ...=... |
 | TestLoopBranch.java:28:12:28:12 | 1 | TestLoopBranch.java:28:8:28:12 | ... + ... |
-| TestLoopBranch.java:31:3:31:30 | for (...) | TestLoopBranch.java:31:16:31:16 | 0 |
+| TestLoopBranch.java:31:3:31:30 | for (...;...;...) | TestLoopBranch.java:31:16:31:16 | 0 |
 | TestLoopBranch.java:31:12:31:16 | i | TestLoopBranch.java:31:19:31:19 | i |
 | TestLoopBranch.java:31:16:31:16 | 0 | TestLoopBranch.java:31:12:31:16 | i |
 | TestLoopBranch.java:31:19:31:19 | i | TestLoopBranch.java:31:23:31:24 | 10 |
@@ -67,13 +67,13 @@
 | TestLoopBranch.java:31:23:31:24 | 10 | TestLoopBranch.java:31:19:31:24 | ... < ... |
 | TestLoopBranch.java:31:27:31:27 | i | TestLoopBranch.java:31:27:31:29 | ...++ |
 | TestLoopBranch.java:31:27:31:29 | ...++ | TestLoopBranch.java:31:19:31:19 | i |
-| TestLoopBranch.java:32:3:35:3 | { ... } | TestLoopBranch.java:33:4:33:33 | ...; |
+| TestLoopBranch.java:32:3:35:3 | { ... } | TestLoopBranch.java:33:4:33:33 | <Expr>; |
 | TestLoopBranch.java:33:4:33:13 | System.out | TestLoopBranch.java:33:23:33:31 | "rapture" |
-| TestLoopBranch.java:33:4:33:32 | println(...) | TestLoopBranch.java:34:4:34:13 | ...; |
-| TestLoopBranch.java:33:4:33:33 | ...; | TestLoopBranch.java:33:4:33:13 | System.out |
+| TestLoopBranch.java:33:4:33:32 | println(...) | TestLoopBranch.java:34:4:34:13 | <Expr>; |
+| TestLoopBranch.java:33:4:33:33 | <Expr>; | TestLoopBranch.java:33:4:33:13 | System.out |
 | TestLoopBranch.java:33:23:33:31 | "rapture" | TestLoopBranch.java:33:4:33:32 | println(...) |
 | TestLoopBranch.java:34:4:34:12 | ...=... | TestLoopBranch.java:31:27:31:27 | i |
-| TestLoopBranch.java:34:4:34:13 | ...; | TestLoopBranch.java:34:8:34:8 | x |
+| TestLoopBranch.java:34:4:34:13 | <Expr>; | TestLoopBranch.java:34:8:34:8 | x |
 | TestLoopBranch.java:34:8:34:8 | x | TestLoopBranch.java:34:12:34:12 | 2 |
 | TestLoopBranch.java:34:8:34:12 | ... - ... | TestLoopBranch.java:34:4:34:12 | ...=... |
 | TestLoopBranch.java:34:12:34:12 | 2 | TestLoopBranch.java:34:8:34:12 | ... - ... |
@@ -84,16 +84,16 @@
 | TestLoopBranch.java:40:16:40:26 | new int[] | TestLoopBranch.java:40:12:40:12 | j |
 | TestLoopBranch.java:40:16:40:26 | new int[] | TestLoopBranch.java:46:3:46:14 | if (...) |
 | TestLoopBranch.java:40:24:40:25 | 20 | TestLoopBranch.java:40:16:40:26 | new int[] |
-| TestLoopBranch.java:41:3:44:3 | { ... } | TestLoopBranch.java:42:4:42:37 | ...; |
+| TestLoopBranch.java:41:3:44:3 | { ... } | TestLoopBranch.java:42:4:42:37 | <Expr>; |
 | TestLoopBranch.java:42:4:42:13 | System.out | TestLoopBranch.java:42:23:42:31 | "Zero : " |
-| TestLoopBranch.java:42:4:42:36 | println(...) | TestLoopBranch.java:43:4:43:13 | ...; |
-| TestLoopBranch.java:42:4:42:37 | ...; | TestLoopBranch.java:42:4:42:13 | System.out |
+| TestLoopBranch.java:42:4:42:36 | println(...) | TestLoopBranch.java:43:4:43:13 | <Expr>; |
+| TestLoopBranch.java:42:4:42:37 | <Expr>; | TestLoopBranch.java:42:4:42:13 | System.out |
 | TestLoopBranch.java:42:23:42:31 | "Zero : " | TestLoopBranch.java:42:35:42:35 | j |
 | TestLoopBranch.java:42:23:42:35 | ... + ... | TestLoopBranch.java:42:4:42:36 | println(...) |
 | TestLoopBranch.java:42:35:42:35 | j | TestLoopBranch.java:42:23:42:35 | ... + ... |
 | TestLoopBranch.java:43:4:43:12 | ...=... | TestLoopBranch.java:40:12:40:12 | j |
 | TestLoopBranch.java:43:4:43:12 | ...=... | TestLoopBranch.java:46:3:46:14 | if (...) |
-| TestLoopBranch.java:43:4:43:13 | ...; | TestLoopBranch.java:43:8:43:8 | j |
+| TestLoopBranch.java:43:4:43:13 | <Expr>; | TestLoopBranch.java:43:8:43:8 | j |
 | TestLoopBranch.java:43:8:43:8 | j | TestLoopBranch.java:43:12:43:12 | x |
 | TestLoopBranch.java:43:8:43:12 | ... + ... | TestLoopBranch.java:43:4:43:12 | ...=... |
 | TestLoopBranch.java:43:12:43:12 | x | TestLoopBranch.java:43:8:43:12 | ... + ... |
@@ -103,33 +103,33 @@
 | TestLoopBranch.java:46:7:46:13 | ... == ... | TestLoopBranch.java:51:3:51:14 | if (...) |
 | TestLoopBranch.java:46:12:46:13 | -... | TestLoopBranch.java:46:7:46:13 | ... == ... |
 | TestLoopBranch.java:46:13:46:13 | 1 | TestLoopBranch.java:46:12:46:13 | -... |
-| TestLoopBranch.java:47:3:49:3 | { ... } | TestLoopBranch.java:48:4:48:35 | ...; |
+| TestLoopBranch.java:47:3:49:3 | { ... } | TestLoopBranch.java:48:4:48:35 | <Expr>; |
 | TestLoopBranch.java:48:4:48:13 | System.out | TestLoopBranch.java:48:23:48:33 | "i squared" |
 | TestLoopBranch.java:48:4:48:34 | println(...) | TestLoopBranch.java:51:3:51:14 | if (...) |
-| TestLoopBranch.java:48:4:48:35 | ...; | TestLoopBranch.java:48:4:48:13 | System.out |
+| TestLoopBranch.java:48:4:48:35 | <Expr>; | TestLoopBranch.java:48:4:48:13 | System.out |
 | TestLoopBranch.java:48:23:48:33 | "i squared" | TestLoopBranch.java:48:4:48:34 | println(...) |
 | TestLoopBranch.java:51:3:51:14 | if (...) | TestLoopBranch.java:51:7:51:7 | x |
 | TestLoopBranch.java:51:7:51:7 | x | TestLoopBranch.java:51:12:51:13 | 42 |
 | TestLoopBranch.java:51:7:51:13 | ... == ... | TestLoopBranch.java:52:3:55:3 | { ... } |
 | TestLoopBranch.java:51:7:51:13 | ... == ... | TestLoopBranch.java:56:3:60:3 | { ... } |
 | TestLoopBranch.java:51:12:51:13 | 42 | TestLoopBranch.java:51:7:51:13 | ... == ... |
-| TestLoopBranch.java:52:3:55:3 | { ... } | TestLoopBranch.java:53:4:53:29 | ...; |
+| TestLoopBranch.java:52:3:55:3 | { ... } | TestLoopBranch.java:53:4:53:29 | <Expr>; |
 | TestLoopBranch.java:53:4:53:13 | System.out | TestLoopBranch.java:53:23:53:27 | "rat" |
-| TestLoopBranch.java:53:4:53:28 | println(...) | TestLoopBranch.java:54:4:54:13 | ...; |
-| TestLoopBranch.java:53:4:53:29 | ...; | TestLoopBranch.java:53:4:53:13 | System.out |
+| TestLoopBranch.java:53:4:53:28 | println(...) | TestLoopBranch.java:54:4:54:13 | <Expr>; |
+| TestLoopBranch.java:53:4:53:29 | <Expr>; | TestLoopBranch.java:53:4:53:13 | System.out |
 | TestLoopBranch.java:53:23:53:27 | "rat" | TestLoopBranch.java:53:4:53:28 | println(...) |
 | TestLoopBranch.java:54:4:54:12 | ...=... | TestLoopBranch.java:62:3:62:12 | switch (...) |
-| TestLoopBranch.java:54:4:54:13 | ...; | TestLoopBranch.java:54:8:54:8 | 6 |
+| TestLoopBranch.java:54:4:54:13 | <Expr>; | TestLoopBranch.java:54:8:54:8 | 6 |
 | TestLoopBranch.java:54:8:54:8 | 6 | TestLoopBranch.java:54:12:54:12 | 9 |
 | TestLoopBranch.java:54:8:54:12 | ... * ... | TestLoopBranch.java:54:4:54:12 | ...=... |
 | TestLoopBranch.java:54:12:54:12 | 9 | TestLoopBranch.java:54:8:54:12 | ... * ... |
-| TestLoopBranch.java:56:3:60:3 | { ... } | TestLoopBranch.java:57:4:57:29 | ...; |
+| TestLoopBranch.java:56:3:60:3 | { ... } | TestLoopBranch.java:57:4:57:29 | <Expr>; |
 | TestLoopBranch.java:57:4:57:13 | System.out | TestLoopBranch.java:57:23:57:27 | "arr" |
-| TestLoopBranch.java:57:4:57:28 | println(...) | TestLoopBranch.java:58:4:58:13 | ...; |
-| TestLoopBranch.java:57:4:57:29 | ...; | TestLoopBranch.java:57:4:57:13 | System.out |
+| TestLoopBranch.java:57:4:57:28 | println(...) | TestLoopBranch.java:58:4:58:13 | <Expr>; |
+| TestLoopBranch.java:57:4:57:29 | <Expr>; | TestLoopBranch.java:57:4:57:13 | System.out |
 | TestLoopBranch.java:57:23:57:27 | "arr" | TestLoopBranch.java:57:4:57:28 | println(...) |
 | TestLoopBranch.java:58:4:58:12 | ...=... | TestLoopBranch.java:59:4:59:10 | return ... |
-| TestLoopBranch.java:58:4:58:13 | ...; | TestLoopBranch.java:58:8:58:8 | y |
+| TestLoopBranch.java:58:4:58:13 | <Expr>; | TestLoopBranch.java:58:8:58:8 | y |
 | TestLoopBranch.java:58:8:58:8 | y | TestLoopBranch.java:58:12:58:12 | x |
 | TestLoopBranch.java:58:8:58:12 | ... * ... | TestLoopBranch.java:58:4:58:12 | ...=... |
 | TestLoopBranch.java:58:12:58:12 | x | TestLoopBranch.java:58:8:58:12 | ... * ... |
@@ -142,77 +142,77 @@
 | TestLoopBranch.java:62:11:62:11 | x | TestLoopBranch.java:76:3:76:9 | case ... |
 | TestLoopBranch.java:62:11:62:11 | x | TestLoopBranch.java:77:3:77:9 | case ... |
 | TestLoopBranch.java:62:11:62:11 | x | TestLoopBranch.java:80:3:80:10 | default |
-| TestLoopBranch.java:64:3:64:9 | case ... | TestLoopBranch.java:65:4:65:13 | ...; |
-| TestLoopBranch.java:65:4:65:12 | ...=... | TestLoopBranch.java:66:4:66:13 | ...; |
-| TestLoopBranch.java:65:4:65:13 | ...; | TestLoopBranch.java:65:8:65:8 | x |
+| TestLoopBranch.java:64:3:64:9 | case ... | TestLoopBranch.java:65:4:65:13 | <Expr>; |
+| TestLoopBranch.java:65:4:65:12 | ...=... | TestLoopBranch.java:66:4:66:13 | <Expr>; |
+| TestLoopBranch.java:65:4:65:13 | <Expr>; | TestLoopBranch.java:65:8:65:8 | x |
 | TestLoopBranch.java:65:8:65:8 | x | TestLoopBranch.java:65:12:65:12 | 1 |
 | TestLoopBranch.java:65:8:65:12 | ... + ... | TestLoopBranch.java:65:4:65:12 | ...=... |
 | TestLoopBranch.java:65:12:65:12 | 1 | TestLoopBranch.java:65:8:65:12 | ... + ... |
 | TestLoopBranch.java:66:4:66:12 | ...=... | TestLoopBranch.java:67:3:67:9 | case ... |
-| TestLoopBranch.java:66:4:66:13 | ...; | TestLoopBranch.java:66:8:66:8 | y |
+| TestLoopBranch.java:66:4:66:13 | <Expr>; | TestLoopBranch.java:66:8:66:8 | y |
 | TestLoopBranch.java:66:8:66:8 | y | TestLoopBranch.java:66:12:66:12 | 1 |
 | TestLoopBranch.java:66:8:66:12 | ... + ... | TestLoopBranch.java:66:4:66:12 | ...=... |
 | TestLoopBranch.java:66:12:66:12 | 1 | TestLoopBranch.java:66:8:66:12 | ... + ... |
-| TestLoopBranch.java:67:3:67:9 | case ... | TestLoopBranch.java:68:4:68:13 | ...; |
-| TestLoopBranch.java:68:4:68:12 | ...=... | TestLoopBranch.java:69:4:69:13 | ...; |
-| TestLoopBranch.java:68:4:68:13 | ...; | TestLoopBranch.java:68:8:68:8 | x |
+| TestLoopBranch.java:67:3:67:9 | case ... | TestLoopBranch.java:68:4:68:13 | <Expr>; |
+| TestLoopBranch.java:68:4:68:12 | ...=... | TestLoopBranch.java:69:4:69:13 | <Expr>; |
+| TestLoopBranch.java:68:4:68:13 | <Expr>; | TestLoopBranch.java:68:8:68:8 | x |
 | TestLoopBranch.java:68:8:68:8 | x | TestLoopBranch.java:68:12:68:12 | 2 |
 | TestLoopBranch.java:68:8:68:12 | ... + ... | TestLoopBranch.java:68:4:68:12 | ...=... |
 | TestLoopBranch.java:68:12:68:12 | 2 | TestLoopBranch.java:68:8:68:12 | ... + ... |
 | TestLoopBranch.java:69:4:69:12 | ...=... | TestLoopBranch.java:70:4:70:9 | break |
-| TestLoopBranch.java:69:4:69:13 | ...; | TestLoopBranch.java:69:8:69:8 | y |
+| TestLoopBranch.java:69:4:69:13 | <Expr>; | TestLoopBranch.java:69:8:69:8 | y |
 | TestLoopBranch.java:69:8:69:8 | y | TestLoopBranch.java:69:12:69:12 | 2 |
 | TestLoopBranch.java:69:8:69:12 | ... + ... | TestLoopBranch.java:69:4:69:12 | ...=... |
 | TestLoopBranch.java:69:12:69:12 | 2 | TestLoopBranch.java:69:8:69:12 | ... + ... |
 | TestLoopBranch.java:70:4:70:9 | break | TestLoopBranch.java:86:3:86:11 | switch (...) |
 | TestLoopBranch.java:71:3:71:9 | case ... | TestLoopBranch.java:72:3:72:9 | case ... |
-| TestLoopBranch.java:72:3:72:9 | case ... | TestLoopBranch.java:73:4:73:13 | ...; |
-| TestLoopBranch.java:73:4:73:12 | ...=... | TestLoopBranch.java:74:4:74:13 | ...; |
-| TestLoopBranch.java:73:4:73:13 | ...; | TestLoopBranch.java:73:8:73:8 | x |
+| TestLoopBranch.java:72:3:72:9 | case ... | TestLoopBranch.java:73:4:73:13 | <Expr>; |
+| TestLoopBranch.java:73:4:73:12 | ...=... | TestLoopBranch.java:74:4:74:13 | <Expr>; |
+| TestLoopBranch.java:73:4:73:13 | <Expr>; | TestLoopBranch.java:73:8:73:8 | x |
 | TestLoopBranch.java:73:8:73:8 | x | TestLoopBranch.java:73:12:73:12 | 3 |
 | TestLoopBranch.java:73:8:73:12 | ... + ... | TestLoopBranch.java:73:4:73:12 | ...=... |
 | TestLoopBranch.java:73:12:73:12 | 3 | TestLoopBranch.java:73:8:73:12 | ... + ... |
 | TestLoopBranch.java:74:4:74:12 | ...=... | TestLoopBranch.java:75:4:75:9 | break |
-| TestLoopBranch.java:74:4:74:13 | ...; | TestLoopBranch.java:74:8:74:8 | y |
+| TestLoopBranch.java:74:4:74:13 | <Expr>; | TestLoopBranch.java:74:8:74:8 | y |
 | TestLoopBranch.java:74:8:74:8 | y | TestLoopBranch.java:74:12:74:12 | 4 |
 | TestLoopBranch.java:74:8:74:12 | ... + ... | TestLoopBranch.java:74:4:74:12 | ...=... |
 | TestLoopBranch.java:74:12:74:12 | 4 | TestLoopBranch.java:74:8:74:12 | ... + ... |
 | TestLoopBranch.java:75:4:75:9 | break | TestLoopBranch.java:86:3:86:11 | switch (...) |
 | TestLoopBranch.java:76:3:76:9 | case ... | TestLoopBranch.java:77:3:77:9 | case ... |
-| TestLoopBranch.java:77:3:77:9 | case ... | TestLoopBranch.java:78:4:78:13 | ...; |
-| TestLoopBranch.java:78:4:78:12 | ...=... | TestLoopBranch.java:79:4:79:13 | ...; |
-| TestLoopBranch.java:78:4:78:13 | ...; | TestLoopBranch.java:78:8:78:8 | x |
+| TestLoopBranch.java:77:3:77:9 | case ... | TestLoopBranch.java:78:4:78:13 | <Expr>; |
+| TestLoopBranch.java:78:4:78:12 | ...=... | TestLoopBranch.java:79:4:79:13 | <Expr>; |
+| TestLoopBranch.java:78:4:78:13 | <Expr>; | TestLoopBranch.java:78:8:78:8 | x |
 | TestLoopBranch.java:78:8:78:8 | x | TestLoopBranch.java:78:12:78:12 | 5 |
 | TestLoopBranch.java:78:8:78:12 | ... + ... | TestLoopBranch.java:78:4:78:12 | ...=... |
 | TestLoopBranch.java:78:12:78:12 | 5 | TestLoopBranch.java:78:8:78:12 | ... + ... |
 | TestLoopBranch.java:79:4:79:12 | ...=... | TestLoopBranch.java:80:3:80:10 | default |
-| TestLoopBranch.java:79:4:79:13 | ...; | TestLoopBranch.java:79:8:79:8 | y |
+| TestLoopBranch.java:79:4:79:13 | <Expr>; | TestLoopBranch.java:79:8:79:8 | y |
 | TestLoopBranch.java:79:8:79:8 | y | TestLoopBranch.java:79:12:79:12 | 6 |
 | TestLoopBranch.java:79:8:79:12 | ... + ... | TestLoopBranch.java:79:4:79:12 | ...=... |
 | TestLoopBranch.java:79:12:79:12 | 6 | TestLoopBranch.java:79:8:79:12 | ... + ... |
-| TestLoopBranch.java:80:3:80:10 | default | TestLoopBranch.java:81:4:81:9 | ...; |
-| TestLoopBranch.java:81:4:81:8 | ...=... | TestLoopBranch.java:82:4:82:9 | ...; |
-| TestLoopBranch.java:81:4:81:9 | ...; | TestLoopBranch.java:81:8:81:8 | y |
+| TestLoopBranch.java:80:3:80:10 | default | TestLoopBranch.java:81:4:81:9 | <Expr>; |
+| TestLoopBranch.java:81:4:81:8 | ...=... | TestLoopBranch.java:82:4:82:9 | <Expr>; |
+| TestLoopBranch.java:81:4:81:9 | <Expr>; | TestLoopBranch.java:81:8:81:8 | y |
 | TestLoopBranch.java:81:8:81:8 | y | TestLoopBranch.java:81:4:81:8 | ...=... |
 | TestLoopBranch.java:82:4:82:8 | ...=... | TestLoopBranch.java:86:3:86:11 | switch (...) |
-| TestLoopBranch.java:82:4:82:9 | ...; | TestLoopBranch.java:82:8:82:8 | x |
+| TestLoopBranch.java:82:4:82:9 | <Expr>; | TestLoopBranch.java:82:8:82:8 | x |
 | TestLoopBranch.java:82:8:82:8 | x | TestLoopBranch.java:82:4:82:8 | ...=... |
 | TestLoopBranch.java:86:3:86:11 | switch (...) | TestLoopBranch.java:86:10:86:10 | x |
 | TestLoopBranch.java:86:10:86:10 | x | TestLoopBranch.java:88:3:88:9 | case ... |
 | TestLoopBranch.java:86:10:86:10 | x | TestLoopBranch.java:91:3:91:9 | case ... |
-| TestLoopBranch.java:86:10:86:10 | x | TestLoopBranch.java:96:3:102:4 | local variable declaration |
-| TestLoopBranch.java:88:3:88:9 | case ... | TestLoopBranch.java:89:4:89:9 | ...; |
+| TestLoopBranch.java:86:10:86:10 | x | TestLoopBranch.java:96:3:102:4 | var ...; |
+| TestLoopBranch.java:88:3:88:9 | case ... | TestLoopBranch.java:89:4:89:9 | <Expr>; |
 | TestLoopBranch.java:89:4:89:8 | ...=... | TestLoopBranch.java:90:4:90:9 | break |
-| TestLoopBranch.java:89:4:89:9 | ...; | TestLoopBranch.java:89:8:89:8 | 1 |
+| TestLoopBranch.java:89:4:89:9 | <Expr>; | TestLoopBranch.java:89:8:89:8 | 1 |
 | TestLoopBranch.java:89:8:89:8 | 1 | TestLoopBranch.java:89:4:89:8 | ...=... |
-| TestLoopBranch.java:90:4:90:9 | break | TestLoopBranch.java:96:3:102:4 | local variable declaration |
-| TestLoopBranch.java:91:3:91:9 | case ... | TestLoopBranch.java:92:4:92:9 | ...; |
+| TestLoopBranch.java:90:4:90:9 | break | TestLoopBranch.java:96:3:102:4 | var ...; |
+| TestLoopBranch.java:91:3:91:9 | case ... | TestLoopBranch.java:92:4:92:9 | <Expr>; |
 | TestLoopBranch.java:92:4:92:8 | ...=... | TestLoopBranch.java:93:4:93:9 | break |
-| TestLoopBranch.java:92:4:92:9 | ...; | TestLoopBranch.java:92:8:92:8 | 2 |
+| TestLoopBranch.java:92:4:92:9 | <Expr>; | TestLoopBranch.java:92:8:92:8 | 2 |
 | TestLoopBranch.java:92:8:92:8 | 2 | TestLoopBranch.java:92:4:92:8 | ...=... |
-| TestLoopBranch.java:93:4:93:9 | break | TestLoopBranch.java:96:3:102:4 | local variable declaration |
-| TestLoopBranch.java:96:3:102:4 | local variable declaration | TestLoopBranch.java:96:26:102:3 | new (...) |
-| TestLoopBranch.java:96:22:102:3 | b | TestLoopBranch.java:103:3:103:21 | ...; |
+| TestLoopBranch.java:93:4:93:9 | break | TestLoopBranch.java:96:3:102:4 | var ...; |
+| TestLoopBranch.java:96:3:102:4 | var ...; | TestLoopBranch.java:96:26:102:3 | new (...) |
+| TestLoopBranch.java:96:22:102:3 | b | TestLoopBranch.java:103:3:103:21 | <Expr>; |
 | TestLoopBranch.java:96:26:102:3 | new (...) | TestLoopBranch.java:96:22:102:3 | b |
 | TestLoopBranch.java:96:30:96:47 | super(...) | TestLoopBranch.java:96:30:96:47 |  |
 | TestLoopBranch.java:96:30:96:47 | { ... } | TestLoopBranch.java:96:30:96:47 | super(...) |
@@ -220,32 +220,32 @@
 | TestLoopBranch.java:100:5:100:13 | return ... | TestLoopBranch.java:98:15:98:23 | compareTo |
 | TestLoopBranch.java:100:12:100:12 | 0 | TestLoopBranch.java:100:5:100:13 | return ... |
 | TestLoopBranch.java:103:3:103:3 | b | TestLoopBranch.java:103:15:103:19 | "Foo" |
-| TestLoopBranch.java:103:3:103:20 | compareTo(...) | TestLoopBranch.java:105:3:105:12 | ...; |
-| TestLoopBranch.java:103:3:103:21 | ...; | TestLoopBranch.java:103:3:103:3 | b |
+| TestLoopBranch.java:103:3:103:20 | compareTo(...) | TestLoopBranch.java:105:3:105:12 | <Expr>; |
+| TestLoopBranch.java:103:3:103:21 | <Expr>; | TestLoopBranch.java:103:3:103:3 | b |
 | TestLoopBranch.java:103:15:103:19 | "Foo" | TestLoopBranch.java:103:3:103:20 | compareTo(...) |
 | TestLoopBranch.java:105:3:105:11 | ...=... | TestLoopBranch.java:106:3:106:9 | return ... |
-| TestLoopBranch.java:105:3:105:12 | ...; | TestLoopBranch.java:105:7:105:7 | x |
+| TestLoopBranch.java:105:3:105:12 | <Expr>; | TestLoopBranch.java:105:7:105:7 | x |
 | TestLoopBranch.java:105:7:105:7 | x | TestLoopBranch.java:105:11:105:11 | y |
 | TestLoopBranch.java:105:7:105:11 | ... + ... | TestLoopBranch.java:105:3:105:11 | ...=... |
 | TestLoopBranch.java:105:11:105:11 | y | TestLoopBranch.java:105:7:105:11 | ... + ... |
 | TestLoopBranch.java:106:3:106:9 | return ... | TestLoopBranch.java:7:14:7:14 | f |
-| TestLoopBranch.java:109:9:109:22 | ...; | TestLoopBranch.java:109:9:109:22 | <obinit>(...) |
-| TestLoopBranch.java:109:9:109:22 | <obinit>(...) | TestLoopBranch.java:111:3:111:10 | ...; |
-| TestLoopBranch.java:109:9:109:22 | super(...) | TestLoopBranch.java:109:9:109:22 | ...; |
+| TestLoopBranch.java:109:9:109:22 | <Expr>; | TestLoopBranch.java:109:9:109:22 | <obinit>(...) |
+| TestLoopBranch.java:109:9:109:22 | <obinit>(...) | TestLoopBranch.java:111:3:111:10 | <Expr>; |
+| TestLoopBranch.java:109:9:109:22 | super(...) | TestLoopBranch.java:109:9:109:22 | <Expr>; |
 | TestLoopBranch.java:110:2:113:2 | { ... } | TestLoopBranch.java:109:9:109:22 | super(...) |
-| TestLoopBranch.java:111:3:111:9 | ...=... | TestLoopBranch.java:112:3:112:10 | ...; |
-| TestLoopBranch.java:111:3:111:10 | ...; | TestLoopBranch.java:111:8:111:9 | 33 |
+| TestLoopBranch.java:111:3:111:9 | ...=... | TestLoopBranch.java:112:3:112:10 | <Expr>; |
+| TestLoopBranch.java:111:3:111:10 | <Expr>; | TestLoopBranch.java:111:8:111:9 | 33 |
 | TestLoopBranch.java:111:8:111:9 | 33 | TestLoopBranch.java:111:3:111:9 | ...=... |
 | TestLoopBranch.java:112:3:112:9 | ...=... | TestLoopBranch.java:109:9:109:22 | TestLoopBranch |
-| TestLoopBranch.java:112:3:112:10 | ...; | TestLoopBranch.java:112:8:112:9 | 44 |
+| TestLoopBranch.java:112:3:112:10 | <Expr>; | TestLoopBranch.java:112:8:112:9 | 44 |
 | TestLoopBranch.java:112:8:112:9 | 44 | TestLoopBranch.java:112:3:112:9 | ...=... |
-| TestLoopBranch.java:115:9:115:22 | ...; | TestLoopBranch.java:115:9:115:22 | <obinit>(...) |
-| TestLoopBranch.java:115:9:115:22 | <obinit>(...) | TestLoopBranch.java:117:3:117:9 | ...; |
-| TestLoopBranch.java:115:9:115:22 | super(...) | TestLoopBranch.java:115:9:115:22 | ...; |
+| TestLoopBranch.java:115:9:115:22 | <Expr>; | TestLoopBranch.java:115:9:115:22 | <obinit>(...) |
+| TestLoopBranch.java:115:9:115:22 | <obinit>(...) | TestLoopBranch.java:117:3:117:9 | <Expr>; |
+| TestLoopBranch.java:115:9:115:22 | super(...) | TestLoopBranch.java:115:9:115:22 | <Expr>; |
 | TestLoopBranch.java:116:2:119:2 | { ... } | TestLoopBranch.java:115:9:115:22 | super(...) |
-| TestLoopBranch.java:117:3:117:8 | ...=... | TestLoopBranch.java:118:3:118:9 | ...; |
-| TestLoopBranch.java:117:3:117:9 | ...; | TestLoopBranch.java:117:8:117:8 | i |
+| TestLoopBranch.java:117:3:117:8 | ...=... | TestLoopBranch.java:118:3:118:9 | <Expr>; |
+| TestLoopBranch.java:117:3:117:9 | <Expr>; | TestLoopBranch.java:117:8:117:8 | i |
 | TestLoopBranch.java:117:8:117:8 | i | TestLoopBranch.java:117:3:117:8 | ...=... |
 | TestLoopBranch.java:118:3:118:8 | ...=... | TestLoopBranch.java:115:9:115:22 | TestLoopBranch |
-| TestLoopBranch.java:118:3:118:9 | ...; | TestLoopBranch.java:118:8:118:8 | i |
+| TestLoopBranch.java:118:3:118:9 | <Expr>; | TestLoopBranch.java:118:8:118:8 | i |
 | TestLoopBranch.java:118:8:118:8 | i | TestLoopBranch.java:118:3:118:8 | ...=... |
diff --git a/java/ql/test/library-tests/successors/TestThrow/FalseSuccessors.expected b/java/ql/test/library-tests/successors/TestThrow/FalseSuccessors.expected
index 4c6234e019d..8164f4c6b5e 100644
--- a/java/ql/test/library-tests/successors/TestThrow/FalseSuccessors.expected
+++ b/java/ql/test/library-tests/successors/TestThrow/FalseSuccessors.expected
@@ -9,4 +9,4 @@
 | TestThrow.java:108:9:108:14 | ... == ... | TestThrow.java:111:12:111:22 | if (...) |
 | TestThrow.java:111:16:111:21 | ... == ... | TestThrow.java:114:12:114:22 | if (...) |
 | TestThrow.java:114:16:114:21 | ... == ... | TestThrow.java:124:3:126:3 | { ... } |
-| TestThrow.java:128:7:128:12 | ... == ... | TestThrow.java:133:3:133:9 | ...; |
+| TestThrow.java:128:7:128:12 | ... == ... | TestThrow.java:133:3:133:9 | <Expr>; |
diff --git a/java/ql/test/library-tests/successors/TestThrow/TestSucc.expected b/java/ql/test/library-tests/successors/TestThrow/TestSucc.expected
index aee048401b9..c6ec327804c 100644
--- a/java/ql/test/library-tests/successors/TestThrow/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/TestThrow/TestSucc.expected
@@ -1,8 +1,8 @@
 | TestThrow.java:7:10:7:18 | super(...) | TestThrow.java:7:10:7:18 | TestThrow |
 | TestThrow.java:8:2:9:2 | { ... } | TestThrow.java:7:10:7:18 | super(...) |
 | TestThrow.java:12:2:13:2 | { ... } | TestThrow.java:11:15:11:21 | thrower |
-| TestThrow.java:16:2:134:2 | { ... } | TestThrow.java:17:3:17:12 | local variable declaration |
-| TestThrow.java:17:3:17:12 | local variable declaration | TestThrow.java:17:11:17:11 | 0 |
+| TestThrow.java:16:2:134:2 | { ... } | TestThrow.java:17:3:17:12 | var ...; |
+| TestThrow.java:17:3:17:12 | var ...; | TestThrow.java:17:11:17:11 | 0 |
 | TestThrow.java:17:7:17:11 | z | TestThrow.java:18:3:27:3 | try ... |
 | TestThrow.java:17:11:17:11 | 0 | TestThrow.java:17:7:17:11 | z |
 | TestThrow.java:18:3:27:3 | try ... | TestThrow.java:19:3:21:3 | { ... } |
@@ -12,18 +12,18 @@
 | TestThrow.java:20:10:20:31 | new RuntimeException(...) | TestThrow.java:21:5:21:30 | catch (...) |
 | TestThrow.java:21:5:21:30 | catch (...) | TestThrow.java:21:29:21:29 | e |
 | TestThrow.java:21:29:21:29 | e | TestThrow.java:22:3:24:3 | { ... } |
-| TestThrow.java:22:3:24:3 | { ... } | TestThrow.java:23:4:23:9 | ...; |
-| TestThrow.java:23:4:23:8 | ...=... | TestThrow.java:29:3:29:9 | ...; |
-| TestThrow.java:23:4:23:9 | ...; | TestThrow.java:23:8:23:8 | 1 |
+| TestThrow.java:22:3:24:3 | { ... } | TestThrow.java:23:4:23:9 | <Expr>; |
+| TestThrow.java:23:4:23:8 | ...=... | TestThrow.java:29:3:29:9 | <Expr>; |
+| TestThrow.java:23:4:23:9 | <Expr>; | TestThrow.java:23:8:23:8 | 1 |
 | TestThrow.java:23:8:23:8 | 1 | TestThrow.java:23:4:23:8 | ...=... |
 | TestThrow.java:24:5:24:23 | catch (...) | TestThrow.java:24:22:24:22 | e |
 | TestThrow.java:24:22:24:22 | e | TestThrow.java:25:3:27:3 | { ... } |
-| TestThrow.java:25:3:27:3 | { ... } | TestThrow.java:26:4:26:9 | ...; |
-| TestThrow.java:26:4:26:8 | ...=... | TestThrow.java:29:3:29:9 | ...; |
-| TestThrow.java:26:4:26:9 | ...; | TestThrow.java:26:8:26:8 | 2 |
+| TestThrow.java:25:3:27:3 | { ... } | TestThrow.java:26:4:26:9 | <Expr>; |
+| TestThrow.java:26:4:26:8 | ...=... | TestThrow.java:29:3:29:9 | <Expr>; |
+| TestThrow.java:26:4:26:9 | <Expr>; | TestThrow.java:26:8:26:8 | 2 |
 | TestThrow.java:26:8:26:8 | 2 | TestThrow.java:26:4:26:8 | ...=... |
 | TestThrow.java:29:3:29:8 | ...=... | TestThrow.java:31:3:52:3 | try ... |
-| TestThrow.java:29:3:29:9 | ...; | TestThrow.java:29:8:29:8 | 1 |
+| TestThrow.java:29:3:29:9 | <Expr>; | TestThrow.java:29:8:29:8 | 1 |
 | TestThrow.java:29:7:29:8 | -... | TestThrow.java:29:3:29:8 | ...=... |
 | TestThrow.java:29:8:29:8 | 1 | TestThrow.java:29:7:29:8 | -... |
 | TestThrow.java:31:3:52:3 | try ... | TestThrow.java:32:3:46:3 | { ... } |
@@ -54,27 +54,27 @@
 | TestThrow.java:39:15:39:20 | ... == ... | TestThrow.java:40:4:42:4 | { ... } |
 | TestThrow.java:39:15:39:20 | ... == ... | TestThrow.java:43:4:45:4 | { ... } |
 | TestThrow.java:39:20:39:20 | 3 | TestThrow.java:39:15:39:20 | ... == ... |
-| TestThrow.java:40:4:42:4 | { ... } | TestThrow.java:41:5:41:20 | ...; |
+| TestThrow.java:40:4:42:4 | { ... } | TestThrow.java:41:5:41:20 | <Expr>; |
 | TestThrow.java:41:5:41:19 | new TestThrow(...) | TestThrow.java:46:5:46:30 | catch (...) |
 | TestThrow.java:41:5:41:19 | new TestThrow(...) | TestThrow.java:50:3:52:3 | { ... } |
-| TestThrow.java:41:5:41:20 | ...; | TestThrow.java:41:5:41:19 | new TestThrow(...) |
-| TestThrow.java:43:4:45:4 | { ... } | TestThrow.java:44:5:44:14 | ...; |
+| TestThrow.java:41:5:41:20 | <Expr>; | TestThrow.java:41:5:41:19 | new TestThrow(...) |
+| TestThrow.java:43:4:45:4 | { ... } | TestThrow.java:44:5:44:14 | <Expr>; |
 | TestThrow.java:44:5:44:13 | thrower(...) | TestThrow.java:46:5:46:30 | catch (...) |
 | TestThrow.java:44:5:44:13 | thrower(...) | TestThrow.java:50:3:52:3 | { ... } |
-| TestThrow.java:44:5:44:14 | ...; | TestThrow.java:44:5:44:13 | thrower(...) |
+| TestThrow.java:44:5:44:14 | <Expr>; | TestThrow.java:44:5:44:13 | thrower(...) |
 | TestThrow.java:46:5:46:30 | catch (...) | TestThrow.java:46:29:46:29 | e |
 | TestThrow.java:46:29:46:29 | e | TestThrow.java:47:3:49:3 | { ... } |
-| TestThrow.java:47:3:49:3 | { ... } | TestThrow.java:48:4:48:9 | ...; |
+| TestThrow.java:47:3:49:3 | { ... } | TestThrow.java:48:4:48:9 | <Expr>; |
 | TestThrow.java:48:4:48:8 | ...=... | TestThrow.java:50:3:52:3 | { ... } |
-| TestThrow.java:48:4:48:9 | ...; | TestThrow.java:48:8:48:8 | 1 |
+| TestThrow.java:48:4:48:9 | <Expr>; | TestThrow.java:48:8:48:8 | 1 |
 | TestThrow.java:48:8:48:8 | 1 | TestThrow.java:48:4:48:8 | ...=... |
-| TestThrow.java:50:3:52:3 | { ... } | TestThrow.java:51:4:51:9 | ...; |
+| TestThrow.java:50:3:52:3 | { ... } | TestThrow.java:51:4:51:9 | <Expr>; |
 | TestThrow.java:51:4:51:8 | ...=... | TestThrow.java:15:14:15:14 | f |
-| TestThrow.java:51:4:51:8 | ...=... | TestThrow.java:54:3:54:9 | ...; |
-| TestThrow.java:51:4:51:9 | ...; | TestThrow.java:51:8:51:8 | 2 |
+| TestThrow.java:51:4:51:8 | ...=... | TestThrow.java:54:3:54:9 | <Expr>; |
+| TestThrow.java:51:4:51:9 | <Expr>; | TestThrow.java:51:8:51:8 | 2 |
 | TestThrow.java:51:8:51:8 | 2 | TestThrow.java:51:4:51:8 | ...=... |
 | TestThrow.java:54:3:54:8 | ...=... | TestThrow.java:56:3:72:3 | try ... |
-| TestThrow.java:54:3:54:9 | ...; | TestThrow.java:54:8:54:8 | 1 |
+| TestThrow.java:54:3:54:9 | <Expr>; | TestThrow.java:54:8:54:8 | 1 |
 | TestThrow.java:54:7:54:8 | -... | TestThrow.java:54:3:54:8 | ...=... |
 | TestThrow.java:54:8:54:8 | 1 | TestThrow.java:54:7:54:8 | -... |
 | TestThrow.java:56:3:72:3 | try ... | TestThrow.java:57:3:69:3 | { ... } |
@@ -94,23 +94,23 @@
 | TestThrow.java:62:13:62:18 | ... == ... | TestThrow.java:63:4:65:4 | { ... } |
 | TestThrow.java:62:13:62:18 | ... == ... | TestThrow.java:66:4:68:4 | { ... } |
 | TestThrow.java:62:18:62:18 | 2 | TestThrow.java:62:13:62:18 | ... == ... |
-| TestThrow.java:63:4:65:4 | { ... } | TestThrow.java:64:5:64:20 | ...; |
+| TestThrow.java:63:4:65:4 | { ... } | TestThrow.java:64:5:64:20 | <Expr>; |
 | TestThrow.java:64:5:64:19 | new TestThrow(...) | TestThrow.java:15:14:15:14 | f |
 | TestThrow.java:64:5:64:19 | new TestThrow(...) | TestThrow.java:69:5:69:30 | catch (...) |
-| TestThrow.java:64:5:64:19 | new TestThrow(...) | TestThrow.java:74:3:74:9 | ...; |
-| TestThrow.java:64:5:64:20 | ...; | TestThrow.java:64:5:64:19 | new TestThrow(...) |
-| TestThrow.java:66:4:68:4 | { ... } | TestThrow.java:67:5:67:14 | ...; |
+| TestThrow.java:64:5:64:19 | new TestThrow(...) | TestThrow.java:74:3:74:9 | <Expr>; |
+| TestThrow.java:64:5:64:20 | <Expr>; | TestThrow.java:64:5:64:19 | new TestThrow(...) |
+| TestThrow.java:66:4:68:4 | { ... } | TestThrow.java:67:5:67:14 | <Expr>; |
 | TestThrow.java:67:5:67:13 | thrower(...) | TestThrow.java:69:5:69:30 | catch (...) |
-| TestThrow.java:67:5:67:13 | thrower(...) | TestThrow.java:74:3:74:9 | ...; |
-| TestThrow.java:67:5:67:14 | ...; | TestThrow.java:67:5:67:13 | thrower(...) |
+| TestThrow.java:67:5:67:13 | thrower(...) | TestThrow.java:74:3:74:9 | <Expr>; |
+| TestThrow.java:67:5:67:14 | <Expr>; | TestThrow.java:67:5:67:13 | thrower(...) |
 | TestThrow.java:69:5:69:30 | catch (...) | TestThrow.java:69:29:69:29 | e |
 | TestThrow.java:69:29:69:29 | e | TestThrow.java:70:3:72:3 | { ... } |
-| TestThrow.java:70:3:72:3 | { ... } | TestThrow.java:71:4:71:9 | ...; |
-| TestThrow.java:71:4:71:8 | ...=... | TestThrow.java:74:3:74:9 | ...; |
-| TestThrow.java:71:4:71:9 | ...; | TestThrow.java:71:8:71:8 | 1 |
+| TestThrow.java:70:3:72:3 | { ... } | TestThrow.java:71:4:71:9 | <Expr>; |
+| TestThrow.java:71:4:71:8 | ...=... | TestThrow.java:74:3:74:9 | <Expr>; |
+| TestThrow.java:71:4:71:9 | <Expr>; | TestThrow.java:71:8:71:8 | 1 |
 | TestThrow.java:71:8:71:8 | 1 | TestThrow.java:71:4:71:8 | ...=... |
 | TestThrow.java:74:3:74:8 | ...=... | TestThrow.java:76:3:83:3 | try ... |
-| TestThrow.java:74:3:74:9 | ...; | TestThrow.java:74:8:74:8 | 1 |
+| TestThrow.java:74:3:74:9 | <Expr>; | TestThrow.java:74:8:74:8 | 1 |
 | TestThrow.java:74:7:74:8 | -... | TestThrow.java:74:3:74:8 | ...=... |
 | TestThrow.java:74:8:74:8 | 1 | TestThrow.java:74:7:74:8 | -... |
 | TestThrow.java:76:3:83:3 | try ... | TestThrow.java:77:3:80:3 | { ... } |
@@ -123,10 +123,10 @@
 | TestThrow.java:79:5:79:26 | throw ... | TestThrow.java:81:3:83:3 | { ... } |
 | TestThrow.java:79:11:79:25 | new Exception(...) | TestThrow.java:79:5:79:26 | throw ... |
 | TestThrow.java:79:11:79:25 | new Exception(...) | TestThrow.java:81:3:83:3 | { ... } |
-| TestThrow.java:81:3:83:3 | { ... } | TestThrow.java:82:4:82:9 | ...; |
+| TestThrow.java:81:3:83:3 | { ... } | TestThrow.java:82:4:82:9 | <Expr>; |
 | TestThrow.java:82:4:82:8 | ...=... | TestThrow.java:15:14:15:14 | f |
 | TestThrow.java:82:4:82:8 | ...=... | TestThrow.java:85:3:126:3 | try ... |
-| TestThrow.java:82:4:82:9 | ...; | TestThrow.java:82:8:82:8 | 1 |
+| TestThrow.java:82:4:82:9 | <Expr>; | TestThrow.java:82:8:82:8 | 1 |
 | TestThrow.java:82:8:82:8 | 1 | TestThrow.java:82:4:82:8 | ...=... |
 | TestThrow.java:85:3:126:3 | try ... | TestThrow.java:86:3:119:3 | { ... } |
 | TestThrow.java:86:3:119:3 | { ... } | TestThrow.java:87:4:102:4 | try ... |
@@ -163,14 +163,14 @@
 | TestThrow.java:97:39:97:42 | null | TestThrow.java:97:12:97:43 | new IOException(...) |
 | TestThrow.java:99:6:99:31 | catch (...) | TestThrow.java:99:30:99:30 | e |
 | TestThrow.java:99:30:99:30 | e | TestThrow.java:100:4:102:4 | { ... } |
-| TestThrow.java:100:4:102:4 | { ... } | TestThrow.java:101:5:101:10 | ...; |
+| TestThrow.java:100:4:102:4 | { ... } | TestThrow.java:101:5:101:10 | <Expr>; |
 | TestThrow.java:101:5:101:9 | ...=... | TestThrow.java:103:4:118:4 | try ... |
-| TestThrow.java:101:5:101:10 | ...; | TestThrow.java:101:9:101:9 | 1 |
+| TestThrow.java:101:5:101:10 | <Expr>; | TestThrow.java:101:9:101:9 | 1 |
 | TestThrow.java:101:9:101:9 | 1 | TestThrow.java:101:5:101:9 | ...=... |
 | TestThrow.java:103:4:118:4 | try ... | TestThrow.java:104:4:106:4 | { ... } |
-| TestThrow.java:104:4:106:4 | { ... } | TestThrow.java:105:5:105:11 | ...; |
+| TestThrow.java:104:4:106:4 | { ... } | TestThrow.java:105:5:105:11 | <Expr>; |
 | TestThrow.java:105:5:105:10 | ...=... | TestThrow.java:107:4:118:4 | { ... } |
-| TestThrow.java:105:5:105:11 | ...; | TestThrow.java:105:10:105:10 | 2 |
+| TestThrow.java:105:5:105:11 | <Expr>; | TestThrow.java:105:10:105:10 | 2 |
 | TestThrow.java:105:9:105:10 | -... | TestThrow.java:105:5:105:10 | ...=... |
 | TestThrow.java:105:10:105:10 | 2 | TestThrow.java:105:9:105:10 | -... |
 | TestThrow.java:107:4:118:4 | { ... } | TestThrow.java:108:5:108:15 | if (...) |
@@ -206,24 +206,24 @@
 | TestThrow.java:116:39:116:42 | null | TestThrow.java:116:12:116:43 | new IOException(...) |
 | TestThrow.java:119:5:119:25 | catch (...) | TestThrow.java:119:24:119:24 | e |
 | TestThrow.java:119:24:119:24 | e | TestThrow.java:120:3:122:3 | { ... } |
-| TestThrow.java:120:3:122:3 | { ... } | TestThrow.java:121:4:121:9 | ...; |
+| TestThrow.java:120:3:122:3 | { ... } | TestThrow.java:121:4:121:9 | <Expr>; |
 | TestThrow.java:121:4:121:8 | ...=... | TestThrow.java:124:3:126:3 | { ... } |
-| TestThrow.java:121:4:121:9 | ...; | TestThrow.java:121:8:121:8 | 2 |
+| TestThrow.java:121:4:121:9 | <Expr>; | TestThrow.java:121:8:121:8 | 2 |
 | TestThrow.java:121:8:121:8 | 2 | TestThrow.java:121:4:121:8 | ...=... |
-| TestThrow.java:124:3:126:3 | { ... } | TestThrow.java:125:4:125:9 | ...; |
+| TestThrow.java:124:3:126:3 | { ... } | TestThrow.java:125:4:125:9 | <Expr>; |
 | TestThrow.java:125:4:125:8 | ...=... | TestThrow.java:15:14:15:14 | f |
 | TestThrow.java:125:4:125:8 | ...=... | TestThrow.java:128:3:128:13 | if (...) |
-| TestThrow.java:125:4:125:9 | ...; | TestThrow.java:125:8:125:8 | 3 |
+| TestThrow.java:125:4:125:9 | <Expr>; | TestThrow.java:125:8:125:8 | 3 |
 | TestThrow.java:125:8:125:8 | 3 | TestThrow.java:125:4:125:8 | ...=... |
 | TestThrow.java:128:3:128:13 | if (...) | TestThrow.java:128:7:128:7 | z |
 | TestThrow.java:128:7:128:7 | z | TestThrow.java:128:12:128:12 | 1 |
 | TestThrow.java:128:7:128:12 | ... == ... | TestThrow.java:129:3:131:3 | { ... } |
-| TestThrow.java:128:7:128:12 | ... == ... | TestThrow.java:133:3:133:9 | ...; |
+| TestThrow.java:128:7:128:12 | ... == ... | TestThrow.java:133:3:133:9 | <Expr>; |
 | TestThrow.java:128:12:128:12 | 1 | TestThrow.java:128:7:128:12 | ... == ... |
 | TestThrow.java:129:3:131:3 | { ... } | TestThrow.java:130:10:130:24 | new Exception(...) |
 | TestThrow.java:130:4:130:25 | throw ... | TestThrow.java:15:14:15:14 | f |
 | TestThrow.java:130:10:130:24 | new Exception(...) | TestThrow.java:130:4:130:25 | throw ... |
 | TestThrow.java:133:3:133:8 | ...=... | TestThrow.java:15:14:15:14 | f |
-| TestThrow.java:133:3:133:9 | ...; | TestThrow.java:133:8:133:8 | 1 |
+| TestThrow.java:133:3:133:9 | <Expr>; | TestThrow.java:133:8:133:8 | 1 |
 | TestThrow.java:133:7:133:8 | -... | TestThrow.java:133:3:133:8 | ...=... |
 | TestThrow.java:133:8:133:8 | 1 | TestThrow.java:133:7:133:8 | -... |
diff --git a/java/ql/test/library-tests/successors/TestThrow2/TestSucc.expected b/java/ql/test/library-tests/successors/TestThrow2/TestSucc.expected
index f1aebd2055f..e9622231a66 100644
--- a/java/ql/test/library-tests/successors/TestThrow2/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/TestThrow2/TestSucc.expected
@@ -1,14 +1,14 @@
-| TestThrow2.java:3:7:3:16 | ...; | TestThrow2.java:3:7:3:16 | <obinit>(...) |
+| TestThrow2.java:3:7:3:16 | <Expr>; | TestThrow2.java:3:7:3:16 | <obinit>(...) |
 | TestThrow2.java:3:7:3:16 | <obinit>(...) | TestThrow2.java:3:7:3:16 | TestThrow2 |
-| TestThrow2.java:3:7:3:16 | super(...) | TestThrow2.java:3:7:3:16 | ...; |
+| TestThrow2.java:3:7:3:16 | super(...) | TestThrow2.java:3:7:3:16 | <Expr>; |
 | TestThrow2.java:3:7:3:16 | { ... } | TestThrow2.java:3:7:3:16 | super(...) |
 | TestThrow2.java:3:7:3:16 | { ... } | TestThrow2.java:5:2:11:2 | { ... } |
 | TestThrow2.java:5:2:11:2 | { ... } | TestThrow2.java:6:3:10:3 | try ... |
 | TestThrow2.java:6:3:10:3 | try ... | TestThrow2.java:6:7:8:3 | { ... } |
-| TestThrow2.java:6:7:8:3 | { ... } | TestThrow2.java:7:4:7:13 | ...; |
+| TestThrow2.java:6:7:8:3 | { ... } | TestThrow2.java:7:4:7:13 | <Expr>; |
 | TestThrow2.java:7:4:7:12 | thrower(...) | TestThrow2.java:3:7:3:16 | <obinit> |
 | TestThrow2.java:7:4:7:12 | thrower(...) | TestThrow2.java:8:5:8:23 | catch (...) |
-| TestThrow2.java:7:4:7:13 | ...; | TestThrow2.java:7:4:7:12 | thrower(...) |
+| TestThrow2.java:7:4:7:13 | <Expr>; | TestThrow2.java:7:4:7:12 | thrower(...) |
 | TestThrow2.java:8:5:8:23 | catch (...) | TestThrow2.java:8:22:8:22 | e |
 | TestThrow2.java:8:22:8:22 | e | TestThrow2.java:8:25:10:3 | { ... } |
 | TestThrow2.java:8:25:10:3 | { ... } | TestThrow2.java:9:4:9:4 | ; |
diff --git a/java/ql/test/library-tests/successors/TestTryCatch/FalseSuccessors.expected b/java/ql/test/library-tests/successors/TestTryCatch/FalseSuccessors.expected
index cfe3896fb66..139e00728a7 100644
--- a/java/ql/test/library-tests/successors/TestTryCatch/FalseSuccessors.expected
+++ b/java/ql/test/library-tests/successors/TestTryCatch/FalseSuccessors.expected
@@ -1 +1 @@
-| TestTryCatch.java:27:19:27:24 | ... < ... | TestTryCatch.java:42:3:42:12 | ...; |
+| TestTryCatch.java:27:19:27:24 | ... < ... | TestTryCatch.java:42:3:42:12 | <Expr>; |
diff --git a/java/ql/test/library-tests/successors/TestTryCatch/TestSucc.expected b/java/ql/test/library-tests/successors/TestTryCatch/TestSucc.expected
index 205367d9bd9..bdb07f62613 100644
--- a/java/ql/test/library-tests/successors/TestTryCatch/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/TestTryCatch/TestSucc.expected
@@ -2,120 +2,120 @@
 | TestTryCatch.java:3:14:3:25 | { ... } | TestTryCatch.java:3:14:3:25 | super(...) |
 | TestTryCatch.java:5:2:43:2 | { ... } | TestTryCatch.java:6:3:23:3 | try ... |
 | TestTryCatch.java:6:3:23:3 | try ... | TestTryCatch.java:7:3:12:3 | { ... } |
-| TestTryCatch.java:7:3:12:3 | { ... } | TestTryCatch.java:8:4:8:29 | ...; |
+| TestTryCatch.java:7:3:12:3 | { ... } | TestTryCatch.java:8:4:8:29 | <Expr>; |
 | TestTryCatch.java:8:4:8:13 | System.out | TestTryCatch.java:8:23:8:27 | "Foo" |
-| TestTryCatch.java:8:4:8:28 | println(...) | TestTryCatch.java:9:4:9:18 | local variable declaration |
+| TestTryCatch.java:8:4:8:28 | println(...) | TestTryCatch.java:9:4:9:18 | var ...; |
 | TestTryCatch.java:8:4:8:28 | println(...) | TestTryCatch.java:12:5:12:23 | catch (...) |
 | TestTryCatch.java:8:4:8:28 | println(...) | TestTryCatch.java:19:3:23:3 | { ... } |
-| TestTryCatch.java:8:4:8:29 | ...; | TestTryCatch.java:8:4:8:13 | System.out |
+| TestTryCatch.java:8:4:8:29 | <Expr>; | TestTryCatch.java:8:4:8:13 | System.out |
 | TestTryCatch.java:8:23:8:27 | "Foo" | TestTryCatch.java:8:4:8:28 | println(...) |
-| TestTryCatch.java:9:4:9:18 | local variable declaration | TestTryCatch.java:9:12:9:13 | 12 |
-| TestTryCatch.java:9:8:9:17 | y | TestTryCatch.java:10:4:10:29 | ...; |
+| TestTryCatch.java:9:4:9:18 | var ...; | TestTryCatch.java:9:12:9:13 | 12 |
+| TestTryCatch.java:9:8:9:17 | y | TestTryCatch.java:10:4:10:29 | <Expr>; |
 | TestTryCatch.java:9:12:9:13 | 12 | TestTryCatch.java:9:17:9:17 | 3 |
 | TestTryCatch.java:9:12:9:17 | ... + ... | TestTryCatch.java:9:8:9:17 | y |
 | TestTryCatch.java:9:17:9:17 | 3 | TestTryCatch.java:9:12:9:17 | ... + ... |
 | TestTryCatch.java:10:4:10:13 | System.out | TestTryCatch.java:10:23:10:27 | "Bar" |
-| TestTryCatch.java:10:4:10:28 | println(...) | TestTryCatch.java:11:4:11:13 | ...; |
+| TestTryCatch.java:10:4:10:28 | println(...) | TestTryCatch.java:11:4:11:13 | <Expr>; |
 | TestTryCatch.java:10:4:10:28 | println(...) | TestTryCatch.java:12:5:12:23 | catch (...) |
 | TestTryCatch.java:10:4:10:28 | println(...) | TestTryCatch.java:19:3:23:3 | { ... } |
-| TestTryCatch.java:10:4:10:29 | ...; | TestTryCatch.java:10:4:10:13 | System.out |
+| TestTryCatch.java:10:4:10:29 | <Expr>; | TestTryCatch.java:10:4:10:13 | System.out |
 | TestTryCatch.java:10:23:10:27 | "Bar" | TestTryCatch.java:10:4:10:28 | println(...) |
 | TestTryCatch.java:11:4:11:12 | ...=... | TestTryCatch.java:19:3:23:3 | { ... } |
-| TestTryCatch.java:11:4:11:13 | ...; | TestTryCatch.java:11:8:11:8 | y |
+| TestTryCatch.java:11:4:11:13 | <Expr>; | TestTryCatch.java:11:8:11:8 | y |
 | TestTryCatch.java:11:8:11:8 | y | TestTryCatch.java:11:12:11:12 | 1 |
 | TestTryCatch.java:11:8:11:12 | ... + ... | TestTryCatch.java:11:4:11:12 | ...=... |
 | TestTryCatch.java:11:12:11:12 | 1 | TestTryCatch.java:11:8:11:12 | ... + ... |
 | TestTryCatch.java:12:5:12:23 | catch (...) | TestTryCatch.java:12:22:12:22 | e |
 | TestTryCatch.java:12:22:12:22 | e | TestTryCatch.java:13:3:18:3 | { ... } |
-| TestTryCatch.java:13:3:18:3 | { ... } | TestTryCatch.java:14:4:14:13 | local variable declaration |
-| TestTryCatch.java:14:4:14:13 | local variable declaration | TestTryCatch.java:14:12:14:12 | 1 |
-| TestTryCatch.java:14:8:14:12 | x | TestTryCatch.java:15:4:15:37 | ...; |
+| TestTryCatch.java:13:3:18:3 | { ... } | TestTryCatch.java:14:4:14:13 | var ...; |
+| TestTryCatch.java:14:4:14:13 | var ...; | TestTryCatch.java:14:12:14:12 | 1 |
+| TestTryCatch.java:14:8:14:12 | x | TestTryCatch.java:15:4:15:37 | <Expr>; |
 | TestTryCatch.java:14:12:14:12 | 1 | TestTryCatch.java:14:8:14:12 | x |
 | TestTryCatch.java:15:4:15:13 | System.out | TestTryCatch.java:15:23:15:31 | "Error: " |
-| TestTryCatch.java:15:4:15:36 | println(...) | TestTryCatch.java:16:4:16:13 | ...; |
-| TestTryCatch.java:15:4:15:37 | ...; | TestTryCatch.java:15:4:15:13 | System.out |
+| TestTryCatch.java:15:4:15:36 | println(...) | TestTryCatch.java:16:4:16:13 | <Expr>; |
+| TestTryCatch.java:15:4:15:37 | <Expr>; | TestTryCatch.java:15:4:15:13 | System.out |
 | TestTryCatch.java:15:23:15:31 | "Error: " | TestTryCatch.java:15:35:15:35 | e |
 | TestTryCatch.java:15:23:15:35 | ... + ... | TestTryCatch.java:15:4:15:36 | println(...) |
 | TestTryCatch.java:15:35:15:35 | e | TestTryCatch.java:15:23:15:35 | ... + ... |
 | TestTryCatch.java:16:4:16:12 | ...=... | TestTryCatch.java:17:4:17:10 | return ... |
-| TestTryCatch.java:16:4:16:13 | ...; | TestTryCatch.java:16:8:16:8 | x |
+| TestTryCatch.java:16:4:16:13 | <Expr>; | TestTryCatch.java:16:8:16:8 | x |
 | TestTryCatch.java:16:8:16:8 | x | TestTryCatch.java:16:12:16:12 | 1 |
 | TestTryCatch.java:16:8:16:12 | ... + ... | TestTryCatch.java:16:4:16:12 | ...=... |
 | TestTryCatch.java:16:12:16:12 | 1 | TestTryCatch.java:16:8:16:12 | ... + ... |
 | TestTryCatch.java:17:4:17:10 | return ... | TestTryCatch.java:19:3:23:3 | { ... } |
-| TestTryCatch.java:19:3:23:3 | { ... } | TestTryCatch.java:20:4:20:14 | local variable declaration |
-| TestTryCatch.java:20:4:20:14 | local variable declaration | TestTryCatch.java:20:12:20:13 | 12 |
-| TestTryCatch.java:20:8:20:13 | y | TestTryCatch.java:21:4:21:33 | ...; |
+| TestTryCatch.java:19:3:23:3 | { ... } | TestTryCatch.java:20:4:20:14 | var ...; |
+| TestTryCatch.java:20:4:20:14 | var ...; | TestTryCatch.java:20:12:20:13 | 12 |
+| TestTryCatch.java:20:8:20:13 | y | TestTryCatch.java:21:4:21:33 | <Expr>; |
 | TestTryCatch.java:20:12:20:13 | 12 | TestTryCatch.java:20:8:20:13 | y |
 | TestTryCatch.java:21:4:21:13 | System.out | TestTryCatch.java:21:23:21:31 | "Finally" |
-| TestTryCatch.java:21:4:21:32 | println(...) | TestTryCatch.java:22:4:22:13 | ...; |
-| TestTryCatch.java:21:4:21:33 | ...; | TestTryCatch.java:21:4:21:13 | System.out |
+| TestTryCatch.java:21:4:21:32 | println(...) | TestTryCatch.java:22:4:22:13 | <Expr>; |
+| TestTryCatch.java:21:4:21:33 | <Expr>; | TestTryCatch.java:21:4:21:13 | System.out |
 | TestTryCatch.java:21:23:21:31 | "Finally" | TestTryCatch.java:21:4:21:32 | println(...) |
 | TestTryCatch.java:22:4:22:12 | ...=... | TestTryCatch.java:4:14:4:14 | f |
-| TestTryCatch.java:22:4:22:12 | ...=... | TestTryCatch.java:24:3:24:13 | local variable declaration |
-| TestTryCatch.java:22:4:22:13 | ...; | TestTryCatch.java:22:8:22:8 | y |
+| TestTryCatch.java:22:4:22:12 | ...=... | TestTryCatch.java:24:3:24:13 | var ...; |
+| TestTryCatch.java:22:4:22:13 | <Expr>; | TestTryCatch.java:22:8:22:8 | y |
 | TestTryCatch.java:22:8:22:8 | y | TestTryCatch.java:22:12:22:12 | 1 |
 | TestTryCatch.java:22:8:22:12 | ... + ... | TestTryCatch.java:22:4:22:12 | ...=... |
 | TestTryCatch.java:22:12:22:12 | 1 | TestTryCatch.java:22:8:22:12 | ... + ... |
-| TestTryCatch.java:24:3:24:13 | local variable declaration | TestTryCatch.java:24:11:24:12 | 12 |
-| TestTryCatch.java:24:7:24:12 | z | TestTryCatch.java:25:3:25:12 | ...; |
+| TestTryCatch.java:24:3:24:13 | var ...; | TestTryCatch.java:24:11:24:12 | 12 |
+| TestTryCatch.java:24:7:24:12 | z | TestTryCatch.java:25:3:25:12 | <Expr>; |
 | TestTryCatch.java:24:11:24:12 | 12 | TestTryCatch.java:24:7:24:12 | z |
-| TestTryCatch.java:25:3:25:11 | ...=... | TestTryCatch.java:27:3:27:30 | for (...) |
-| TestTryCatch.java:25:3:25:12 | ...; | TestTryCatch.java:25:7:25:7 | z |
+| TestTryCatch.java:25:3:25:11 | ...=... | TestTryCatch.java:27:3:27:30 | for (...;...;...) |
+| TestTryCatch.java:25:3:25:12 | <Expr>; | TestTryCatch.java:25:7:25:7 | z |
 | TestTryCatch.java:25:7:25:7 | z | TestTryCatch.java:25:11:25:11 | 1 |
 | TestTryCatch.java:25:7:25:11 | ... + ... | TestTryCatch.java:25:3:25:11 | ...=... |
 | TestTryCatch.java:25:11:25:11 | 1 | TestTryCatch.java:25:7:25:11 | ... + ... |
-| TestTryCatch.java:27:3:27:30 | for (...) | TestTryCatch.java:27:16:27:16 | 0 |
+| TestTryCatch.java:27:3:27:30 | for (...;...;...) | TestTryCatch.java:27:16:27:16 | 0 |
 | TestTryCatch.java:27:12:27:16 | q | TestTryCatch.java:27:19:27:19 | q |
 | TestTryCatch.java:27:16:27:16 | 0 | TestTryCatch.java:27:12:27:16 | q |
 | TestTryCatch.java:27:19:27:19 | q | TestTryCatch.java:27:23:27:24 | 10 |
 | TestTryCatch.java:27:19:27:24 | ... < ... | TestTryCatch.java:28:3:41:3 | { ... } |
-| TestTryCatch.java:27:19:27:24 | ... < ... | TestTryCatch.java:42:3:42:12 | ...; |
+| TestTryCatch.java:27:19:27:24 | ... < ... | TestTryCatch.java:42:3:42:12 | <Expr>; |
 | TestTryCatch.java:27:23:27:24 | 10 | TestTryCatch.java:27:19:27:24 | ... < ... |
 | TestTryCatch.java:27:27:27:27 | q | TestTryCatch.java:27:27:27:29 | ...++ |
 | TestTryCatch.java:27:27:27:29 | ...++ | TestTryCatch.java:27:19:27:19 | q |
 | TestTryCatch.java:28:3:41:3 | { ... } | TestTryCatch.java:29:4:40:4 | try ... |
 | TestTryCatch.java:29:4:40:4 | try ... | TestTryCatch.java:30:4:35:4 | { ... } |
-| TestTryCatch.java:30:4:35:4 | { ... } | TestTryCatch.java:31:5:31:30 | ...; |
+| TestTryCatch.java:30:4:35:4 | { ... } | TestTryCatch.java:31:5:31:30 | <Expr>; |
 | TestTryCatch.java:31:5:31:14 | System.out | TestTryCatch.java:31:24:31:28 | "Foo" |
-| TestTryCatch.java:31:5:31:29 | println(...) | TestTryCatch.java:32:5:32:19 | local variable declaration |
+| TestTryCatch.java:31:5:31:29 | println(...) | TestTryCatch.java:32:5:32:19 | var ...; |
 | TestTryCatch.java:31:5:31:29 | println(...) | TestTryCatch.java:35:6:35:31 | catch (...) |
-| TestTryCatch.java:31:5:31:30 | ...; | TestTryCatch.java:31:5:31:14 | System.out |
+| TestTryCatch.java:31:5:31:30 | <Expr>; | TestTryCatch.java:31:5:31:14 | System.out |
 | TestTryCatch.java:31:24:31:28 | "Foo" | TestTryCatch.java:31:5:31:29 | println(...) |
-| TestTryCatch.java:32:5:32:19 | local variable declaration | TestTryCatch.java:32:13:32:14 | 12 |
-| TestTryCatch.java:32:9:32:18 | y | TestTryCatch.java:33:5:33:30 | ...; |
+| TestTryCatch.java:32:5:32:19 | var ...; | TestTryCatch.java:32:13:32:14 | 12 |
+| TestTryCatch.java:32:9:32:18 | y | TestTryCatch.java:33:5:33:30 | <Expr>; |
 | TestTryCatch.java:32:13:32:14 | 12 | TestTryCatch.java:32:18:32:18 | 3 |
 | TestTryCatch.java:32:13:32:18 | ... + ... | TestTryCatch.java:32:9:32:18 | y |
 | TestTryCatch.java:32:18:32:18 | 3 | TestTryCatch.java:32:13:32:18 | ... + ... |
 | TestTryCatch.java:33:5:33:14 | System.out | TestTryCatch.java:33:24:33:28 | "Bar" |
-| TestTryCatch.java:33:5:33:29 | println(...) | TestTryCatch.java:34:5:34:14 | ...; |
+| TestTryCatch.java:33:5:33:29 | println(...) | TestTryCatch.java:34:5:34:14 | <Expr>; |
 | TestTryCatch.java:33:5:33:29 | println(...) | TestTryCatch.java:35:6:35:31 | catch (...) |
-| TestTryCatch.java:33:5:33:30 | ...; | TestTryCatch.java:33:5:33:14 | System.out |
+| TestTryCatch.java:33:5:33:30 | <Expr>; | TestTryCatch.java:33:5:33:14 | System.out |
 | TestTryCatch.java:33:24:33:28 | "Bar" | TestTryCatch.java:33:5:33:29 | println(...) |
 | TestTryCatch.java:34:5:34:13 | ...=... | TestTryCatch.java:27:27:27:27 | q |
-| TestTryCatch.java:34:5:34:14 | ...; | TestTryCatch.java:34:9:34:9 | y |
+| TestTryCatch.java:34:5:34:14 | <Expr>; | TestTryCatch.java:34:9:34:9 | y |
 | TestTryCatch.java:34:9:34:9 | y | TestTryCatch.java:34:13:34:13 | 1 |
 | TestTryCatch.java:34:9:34:13 | ... + ... | TestTryCatch.java:34:5:34:13 | ...=... |
 | TestTryCatch.java:34:13:34:13 | 1 | TestTryCatch.java:34:9:34:13 | ... + ... |
 | TestTryCatch.java:35:6:35:31 | catch (...) | TestTryCatch.java:35:30:35:30 | e |
 | TestTryCatch.java:35:30:35:30 | e | TestTryCatch.java:36:4:40:4 | { ... } |
-| TestTryCatch.java:36:4:40:4 | { ... } | TestTryCatch.java:37:5:37:14 | local variable declaration |
-| TestTryCatch.java:37:5:37:14 | local variable declaration | TestTryCatch.java:37:13:37:13 | 1 |
-| TestTryCatch.java:37:9:37:13 | x | TestTryCatch.java:38:5:38:38 | ...; |
+| TestTryCatch.java:36:4:40:4 | { ... } | TestTryCatch.java:37:5:37:14 | var ...; |
+| TestTryCatch.java:37:5:37:14 | var ...; | TestTryCatch.java:37:13:37:13 | 1 |
+| TestTryCatch.java:37:9:37:13 | x | TestTryCatch.java:38:5:38:38 | <Expr>; |
 | TestTryCatch.java:37:13:37:13 | 1 | TestTryCatch.java:37:9:37:13 | x |
 | TestTryCatch.java:38:5:38:14 | System.out | TestTryCatch.java:38:24:38:32 | "Error: " |
-| TestTryCatch.java:38:5:38:37 | println(...) | TestTryCatch.java:39:5:39:14 | ...; |
-| TestTryCatch.java:38:5:38:38 | ...; | TestTryCatch.java:38:5:38:14 | System.out |
+| TestTryCatch.java:38:5:38:37 | println(...) | TestTryCatch.java:39:5:39:14 | <Expr>; |
+| TestTryCatch.java:38:5:38:38 | <Expr>; | TestTryCatch.java:38:5:38:14 | System.out |
 | TestTryCatch.java:38:24:38:32 | "Error: " | TestTryCatch.java:38:36:38:36 | e |
 | TestTryCatch.java:38:24:38:36 | ... + ... | TestTryCatch.java:38:5:38:37 | println(...) |
 | TestTryCatch.java:38:36:38:36 | e | TestTryCatch.java:38:24:38:36 | ... + ... |
 | TestTryCatch.java:39:5:39:13 | ...=... | TestTryCatch.java:27:27:27:27 | q |
-| TestTryCatch.java:39:5:39:14 | ...; | TestTryCatch.java:39:9:39:9 | x |
+| TestTryCatch.java:39:5:39:14 | <Expr>; | TestTryCatch.java:39:9:39:9 | x |
 | TestTryCatch.java:39:9:39:9 | x | TestTryCatch.java:39:13:39:13 | 1 |
 | TestTryCatch.java:39:9:39:13 | ... + ... | TestTryCatch.java:39:5:39:13 | ...=... |
 | TestTryCatch.java:39:13:39:13 | 1 | TestTryCatch.java:39:9:39:13 | ... + ... |
 | TestTryCatch.java:42:3:42:11 | ...=... | TestTryCatch.java:4:14:4:14 | f |
-| TestTryCatch.java:42:3:42:12 | ...; | TestTryCatch.java:42:7:42:7 | z |
+| TestTryCatch.java:42:3:42:12 | <Expr>; | TestTryCatch.java:42:7:42:7 | z |
 | TestTryCatch.java:42:7:42:7 | z | TestTryCatch.java:42:11:42:11 | 2 |
 | TestTryCatch.java:42:7:42:11 | ... + ... | TestTryCatch.java:42:3:42:11 | ...=... |
 | TestTryCatch.java:42:11:42:11 | 2 | TestTryCatch.java:42:7:42:11 | ... + ... |
diff --git a/java/ql/test/library-tests/successors/TestTryWithResources/TestSucc.expected b/java/ql/test/library-tests/successors/TestTryWithResources/TestSucc.expected
index 8084acd7aa4..9cdba0fd8c6 100644
--- a/java/ql/test/library-tests/successors/TestTryWithResources/TestSucc.expected
+++ b/java/ql/test/library-tests/successors/TestTryWithResources/TestSucc.expected
@@ -1,16 +1,16 @@
 | TestTryWithResources.java:6:14:6:33 | super(...) | TestTryWithResources.java:6:14:6:33 | TestTryWithResources |
 | TestTryWithResources.java:6:14:6:33 | { ... } | TestTryWithResources.java:6:14:6:33 | super(...) |
 | TestTryWithResources.java:7:60:16:2 | { ... } | TestTryWithResources.java:8:3:15:3 | try ... |
-| TestTryWithResources.java:8:3:15:3 | try ... | TestTryWithResources.java:8:8:8:58 | local variable declaration |
-| TestTryWithResources.java:8:8:8:58 | local variable declaration | TestTryWithResources.java:8:50:8:53 | args |
-| TestTryWithResources.java:8:24:8:57 | fis | TestTryWithResources.java:9:4:9:55 | local variable declaration |
+| TestTryWithResources.java:8:3:15:3 | try ... | TestTryWithResources.java:8:8:8:58 | var ...; |
+| TestTryWithResources.java:8:8:8:58 | var ...; | TestTryWithResources.java:8:50:8:53 | args |
+| TestTryWithResources.java:8:24:8:57 | fis | TestTryWithResources.java:9:4:9:55 | var ...; |
 | TestTryWithResources.java:8:30:8:57 | new FileInputStream(...) | TestTryWithResources.java:8:24:8:57 | fis |
 | TestTryWithResources.java:8:30:8:57 | new FileInputStream(...) | TestTryWithResources.java:11:5:11:35 | catch (...) |
 | TestTryWithResources.java:8:30:8:57 | new FileInputStream(...) | TestTryWithResources.java:13:13:15:3 | { ... } |
 | TestTryWithResources.java:8:50:8:53 | args | TestTryWithResources.java:8:55:8:55 | 0 |
 | TestTryWithResources.java:8:50:8:56 | ...[...] | TestTryWithResources.java:8:30:8:57 | new FileInputStream(...) |
 | TestTryWithResources.java:8:55:8:55 | 0 | TestTryWithResources.java:8:50:8:56 | ...[...] |
-| TestTryWithResources.java:9:4:9:55 | local variable declaration | TestTryWithResources.java:9:48:9:51 | args |
+| TestTryWithResources.java:9:4:9:55 | var ...; | TestTryWithResources.java:9:48:9:51 | args |
 | TestTryWithResources.java:9:21:9:55 | fos | TestTryWithResources.java:9:58:11:3 | { ... } |
 | TestTryWithResources.java:9:27:9:55 | new FileOutputStream(...) | TestTryWithResources.java:9:21:9:55 | fos |
 | TestTryWithResources.java:9:27:9:55 | new FileOutputStream(...) | TestTryWithResources.java:11:5:11:35 | catch (...) |
@@ -18,20 +18,20 @@
 | TestTryWithResources.java:9:48:9:51 | args | TestTryWithResources.java:9:53:9:53 | 1 |
 | TestTryWithResources.java:9:48:9:54 | ...[...] | TestTryWithResources.java:9:27:9:55 | new FileOutputStream(...) |
 | TestTryWithResources.java:9:53:9:53 | 1 | TestTryWithResources.java:9:48:9:54 | ...[...] |
-| TestTryWithResources.java:9:58:11:3 | { ... } | TestTryWithResources.java:10:4:10:32 | ...; |
+| TestTryWithResources.java:9:58:11:3 | { ... } | TestTryWithResources.java:10:4:10:32 | <Expr>; |
 | TestTryWithResources.java:10:4:10:13 | System.out | TestTryWithResources.java:10:23:10:30 | "worked" |
 | TestTryWithResources.java:10:4:10:31 | println(...) | TestTryWithResources.java:13:13:15:3 | { ... } |
-| TestTryWithResources.java:10:4:10:32 | ...; | TestTryWithResources.java:10:4:10:13 | System.out |
+| TestTryWithResources.java:10:4:10:32 | <Expr>; | TestTryWithResources.java:10:4:10:13 | System.out |
 | TestTryWithResources.java:10:23:10:30 | "worked" | TestTryWithResources.java:10:4:10:31 | println(...) |
 | TestTryWithResources.java:11:5:11:35 | catch (...) | TestTryWithResources.java:11:34:11:34 | e |
 | TestTryWithResources.java:11:34:11:34 | e | TestTryWithResources.java:11:37:13:3 | { ... } |
-| TestTryWithResources.java:11:37:13:3 | { ... } | TestTryWithResources.java:12:4:12:40 | ...; |
+| TestTryWithResources.java:11:37:13:3 | { ... } | TestTryWithResources.java:12:4:12:40 | <Expr>; |
 | TestTryWithResources.java:12:4:12:13 | System.out | TestTryWithResources.java:12:23:12:38 | "file not found" |
 | TestTryWithResources.java:12:4:12:39 | println(...) | TestTryWithResources.java:13:13:15:3 | { ... } |
-| TestTryWithResources.java:12:4:12:40 | ...; | TestTryWithResources.java:12:4:12:13 | System.out |
+| TestTryWithResources.java:12:4:12:40 | <Expr>; | TestTryWithResources.java:12:4:12:13 | System.out |
 | TestTryWithResources.java:12:23:12:38 | "file not found" | TestTryWithResources.java:12:4:12:39 | println(...) |
-| TestTryWithResources.java:13:13:15:3 | { ... } | TestTryWithResources.java:14:4:14:33 | ...; |
+| TestTryWithResources.java:13:13:15:3 | { ... } | TestTryWithResources.java:14:4:14:33 | <Expr>; |
 | TestTryWithResources.java:14:4:14:13 | System.out | TestTryWithResources.java:14:23:14:31 | "finally" |
 | TestTryWithResources.java:14:4:14:32 | println(...) | TestTryWithResources.java:7:21:7:24 | main |
-| TestTryWithResources.java:14:4:14:33 | ...; | TestTryWithResources.java:14:4:14:13 | System.out |
+| TestTryWithResources.java:14:4:14:33 | <Expr>; | TestTryWithResources.java:14:4:14:13 | System.out |
 | TestTryWithResources.java:14:23:14:31 | "finally" | TestTryWithResources.java:14:4:14:32 | println(...) |
diff --git a/java/ql/test/library-tests/typeaccesses/PrintAst.expected b/java/ql/test/library-tests/typeaccesses/PrintAst.expected
index f9c2c3c4fb6..c0afe1de4ea 100644
--- a/java/ql/test/library-tests/typeaccesses/PrintAst.expected
+++ b/java/ql/test/library-tests/typeaccesses/PrintAst.expected
@@ -13,7 +13,7 @@ typeaccesses/Outer.java:
 #    3|   1: [Class] Outer
 #    4|     3: [Class] Inner
 #    5|     4: [BlockStmt] { ... }
-#    6|       0: [LocalVariableDeclStmt] local variable declaration
+#    6|       0: [LocalVariableDeclStmt] var ...;
 #    6|         0: [TypeAccess] Object
 #    6|         1: [LocalVariableDeclExpr] o
 #    6|           0: [ArrayCreationExpr] new Outer[]
@@ -51,7 +51,7 @@ typeaccesses/TA.java:
 #    9|     5: [Method] method3
 #    9|       3: [TypeAccess] void
 #    9|       5: [BlockStmt] { ... }
-#    9|         0: [LocalVariableDeclStmt] local variable declaration
+#    9|         0: [LocalVariableDeclStmt] var ...;
 #    9|           0: [TypeAccess] ArrayList<TA>
 #    9|             0: [TypeAccess] TA
 #    9|           1: [LocalVariableDeclExpr] local
diff --git a/java/ql/test/query-tests/BusyWait/BusyWait.expected b/java/ql/test/query-tests/BusyWait/BusyWait.expected
index 3a6139cba7a..41bc2922cad 100644
--- a/java/ql/test/query-tests/BusyWait/BusyWait.expected
+++ b/java/ql/test/query-tests/BusyWait/BusyWait.expected
@@ -1,2 +1,2 @@
-| BusyWaits.java:4:4:4:19 | ...; | Prefer wait/notify or java.util.concurrent to communicate between threads. |
-| BusyWaits.java:10:5:10:39 | ...; | Prefer wait/notify or java.util.concurrent to communicate between threads. |
+| BusyWaits.java:4:4:4:19 | <Expr>; | Prefer wait/notify or java.util.concurrent to communicate between threads. |
+| BusyWaits.java:10:5:10:39 | <Expr>; | Prefer wait/notify or java.util.concurrent to communicate between threads. |
diff --git a/java/ql/test/query-tests/ConstantLoopCondition/ConstantLoopCondition.expected b/java/ql/test/query-tests/ConstantLoopCondition/ConstantLoopCondition.expected
index 48fac80c81f..ffc1dfec4c4 100644
--- a/java/ql/test/query-tests/ConstantLoopCondition/ConstantLoopCondition.expected
+++ b/java/ql/test/query-tests/ConstantLoopCondition/ConstantLoopCondition.expected
@@ -1,4 +1,4 @@
 | A.java:8:11:8:15 | !... | $@ might not terminate, as this loop condition is constant within the loop. | A.java:8:5:8:16 | while (...) | Loop |
-| A.java:15:11:15:15 | ... > ... | $@ might not terminate, as this loop condition is constant within the loop. | A.java:14:5:14:19 | for (...) | Loop |
-| A.java:29:20:29:32 | ... < ... | $@ might not terminate, as this loop condition is constant within the loop. | A.java:29:5:29:38 | for (...) | Loop |
+| A.java:15:11:15:15 | ... > ... | $@ might not terminate, as this loop condition is constant within the loop. | A.java:14:5:14:19 | for (...;...;...) | Loop |
+| A.java:29:20:29:32 | ... < ... | $@ might not terminate, as this loop condition is constant within the loop. | A.java:29:5:29:38 | for (...;...;...) | Loop |
 | A.java:36:12:36:15 | cond | $@ might not terminate, as this loop condition is constant within the loop. | A.java:36:5:36:16 | while (...) | Loop |
diff --git a/java/ql/test/query-tests/UseBraces/UseBraces.expected b/java/ql/test/query-tests/UseBraces/UseBraces.expected
index 1ef1a0380df..8c63f7555a5 100644
--- a/java/ql/test/query-tests/UseBraces/UseBraces.expected
+++ b/java/ql/test/query-tests/UseBraces/UseBraces.expected
@@ -1,14 +1,14 @@
-| UseBraces.java:28:4:28:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:29:4:29:7 | ...; | the next statement | UseBraces.java:27:3:27:10 | if (...) | the control structure |
-| UseBraces.java:32:4:32:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:32:9:32:12 | ...; | the next statement | UseBraces.java:31:3:31:10 | if (...) | the control structure |
-| UseBraces.java:58:4:58:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:59:4:59:7 | ...; | the next statement | UseBraces.java:53:3:53:10 | if (...) | the control structure |
-| UseBraces.java:66:4:66:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:66:10:66:13 | ...; | the next statement | UseBraces.java:61:3:61:10 | if (...) | the control structure |
-| UseBraces.java:82:4:82:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:83:4:83:7 | ...; | the next statement | UseBraces.java:81:3:81:14 | while (...) | the control structure |
-| UseBraces.java:87:4:87:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:87:9:87:12 | ...; | the next statement | UseBraces.java:86:3:86:14 | while (...) | the control structure |
-| UseBraces.java:112:4:112:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:113:4:113:7 | ...; | the next statement | UseBraces.java:111:3:111:25 | for (...) | the control structure |
-| UseBraces.java:116:4:116:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:116:9:116:12 | ...; | the next statement | UseBraces.java:115:3:115:25 | for (...) | the control structure |
-| UseBraces.java:132:4:132:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:133:4:133:7 | ...; | the next statement | UseBraces.java:131:3:131:24 | for (... : ...) | the control structure |
-| UseBraces.java:136:4:136:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:136:9:136:12 | ...; | the next statement | UseBraces.java:135:3:135:24 | for (... : ...) | the control structure |
-| UseBraces.java:145:4:145:12 | if (...) | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:147:4:147:7 | ...; | the next statement | UseBraces.java:144:3:144:12 | if (...) | the control structure |
-| UseBraces.java:166:4:166:7 | ...; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:167:4:167:7 | ...; | the next statement | UseBraces.java:165:8:165:17 | if (...) | the control structure |
-| UseBraces.java:176:4:176:15 | while (...) | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:178:4:178:7 | ...; | the next statement | UseBraces.java:175:3:175:11 | if (...) | the control structure |
-| UseBraces.java:186:4:186:12 | if (...) | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:188:4:188:7 | ...; | the next statement | UseBraces.java:185:3:185:14 | while (...) | the control structure |
+| UseBraces.java:28:4:28:7 | <Expr>; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:29:4:29:7 | <Expr>; | the next statement | UseBraces.java:27:3:27:10 | if (...) | the control structure |
+| UseBraces.java:32:4:32:7 | <Expr>; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:32:9:32:12 | <Expr>; | the next statement | UseBraces.java:31:3:31:10 | if (...) | the control structure |
+| UseBraces.java:58:4:58:7 | <Expr>; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:59:4:59:7 | <Expr>; | the next statement | UseBraces.java:53:3:53:10 | if (...) | the control structure |
+| UseBraces.java:66:4:66:7 | <Expr>; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:66:10:66:13 | <Expr>; | the next statement | UseBraces.java:61:3:61:10 | if (...) | the control structure |
+| UseBraces.java:82:4:82:7 | <Expr>; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:83:4:83:7 | <Expr>; | the next statement | UseBraces.java:81:3:81:14 | while (...) | the control structure |
+| UseBraces.java:87:4:87:7 | <Expr>; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:87:9:87:12 | <Expr>; | the next statement | UseBraces.java:86:3:86:14 | while (...) | the control structure |
+| UseBraces.java:112:4:112:7 | <Expr>; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:113:4:113:7 | <Expr>; | the next statement | UseBraces.java:111:3:111:25 | for (...;...;...) | the control structure |
+| UseBraces.java:116:4:116:7 | <Expr>; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:116:9:116:12 | <Expr>; | the next statement | UseBraces.java:115:3:115:25 | for (...;...;...) | the control structure |
+| UseBraces.java:132:4:132:7 | <Expr>; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:133:4:133:7 | <Expr>; | the next statement | UseBraces.java:131:3:131:24 | for (... : ...) | the control structure |
+| UseBraces.java:136:4:136:7 | <Expr>; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:136:9:136:12 | <Expr>; | the next statement | UseBraces.java:135:3:135:24 | for (... : ...) | the control structure |
+| UseBraces.java:145:4:145:12 | if (...) | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:147:4:147:7 | <Expr>; | the next statement | UseBraces.java:144:3:144:12 | if (...) | the control structure |
+| UseBraces.java:166:4:166:7 | <Expr>; | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:167:4:167:7 | <Expr>; | the next statement | UseBraces.java:165:8:165:17 | if (...) | the control structure |
+| UseBraces.java:176:4:176:15 | while (...) | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:178:4:178:7 | <Expr>; | the next statement | UseBraces.java:175:3:175:11 | if (...) | the control structure |
+| UseBraces.java:186:4:186:12 | if (...) | Indentation suggests that $@ belongs to $@, but this is not the case; consider adding braces or adjusting indentation. | UseBraces.java:188:4:188:7 | <Expr>; | the next statement | UseBraces.java:185:3:185:14 | while (...) | the control structure |
diff --git a/java/ql/test/query-tests/security/CWE-835/semmle/tests/InfiniteLoop.expected b/java/ql/test/query-tests/security/CWE-835/semmle/tests/InfiniteLoop.expected
index cb902de9249..eba0754a821 100644
--- a/java/ql/test/query-tests/security/CWE-835/semmle/tests/InfiniteLoop.expected
+++ b/java/ql/test/query-tests/security/CWE-835/semmle/tests/InfiniteLoop.expected
@@ -1 +1 @@
-| InfiniteLoop.java:4:13:4:36 | for (...) | Loop might not terminate, as termination depends in part on $@ being false but it is always true. | InfiniteLoop.java:4:27:4:30 | ... < ... | this test |
+| InfiniteLoop.java:4:13:4:36 | for (...;...;...) | Loop might not terminate, as termination depends in part on $@ being false but it is always true. | InfiniteLoop.java:4:27:4:30 | ... < ... | this test |

From 2889f941282577e656446b7f61bf24e69a6b6eaf Mon Sep 17 00:00:00 2001
From: Marcono1234 <Marcono1234@users.noreply.github.com>
Date: Tue, 1 Jun 2021 18:30:14 +0200
Subject: [PATCH 1315/1429] Java: Add change note for statement toString()
 changes

---
 java/change-notes/2021-06-01-statement-toString.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 java/change-notes/2021-06-01-statement-toString.md

diff --git a/java/change-notes/2021-06-01-statement-toString.md b/java/change-notes/2021-06-01-statement-toString.md
new file mode 100644
index 00000000000..f0d39126dd8
--- /dev/null
+++ b/java/change-notes/2021-06-01-statement-toString.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The CodeQL predicate `toString()` has been overridden for subclasses of `Stmt` to be more descriptive. Due to this, custom queries and `.expected` files of CodeQL tests for custom queries might have to be adjusted to match the new `toString()` results.

From 485b0be805063586d8130f1e300095b2d0d9bfd7 Mon Sep 17 00:00:00 2001
From: Marcono1234 <Marcono1234@users.noreply.github.com>
Date: Thu, 3 Jun 2021 17:15:00 +0200
Subject: [PATCH 1316/1429] Java: Fix expected test output

---
 java/ql/test/library-tests/JDK/PrintAst.expected     |  8 ++++----
 .../test/library-tests/collections/PrintAst.expected |  2 +-
 .../test/library-tests/constants/PrintAst.expected   | 12 ++++++------
 .../library-tests/constructors/PrintAst.expected     |  6 +++---
 .../ql/test/library-tests/generics/PrintAst.expected |  2 +-
 .../library-tests/java7/MultiCatch/PrintAst.expected |  2 +-
 .../ql/test/library-tests/printAst/PrintAst.expected |  6 +++---
 .../test/library-tests/reflection/PrintAst.expected  |  4 ++--
 .../library-tests/typeaccesses/PrintAst.expected     |  6 +++---
 java/ql/test/library-tests/varargs/PrintAst.expected |  2 +-
 10 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/java/ql/test/library-tests/JDK/PrintAst.expected b/java/ql/test/library-tests/JDK/PrintAst.expected
index 1b3d63c4b74..825b17f603e 100644
--- a/java/ql/test/library-tests/JDK/PrintAst.expected
+++ b/java/ql/test/library-tests/JDK/PrintAst.expected
@@ -69,14 +69,14 @@ jdk/SystemGetPropertyCall.java:
 #    6|     4: [Method] a
 #    6|       3: [TypeAccess] void
 #    6|       5: [BlockStmt] { ... }
-#    7|         0: [ExprStmt] ...;
+#    7|         0: [ExprStmt] <Expr>;
 #    7|           0: [MethodAccess] getProperty(...)
 #    7|             -1: [TypeAccess] System
 #    7|             0: [StringLiteral] "user.dir"
 #   10|     5: [Method] b
 #   10|       3: [TypeAccess] void
 #   10|       5: [BlockStmt] { ... }
-#   11|         0: [ExprStmt] ...;
+#   11|         0: [ExprStmt] <Expr>;
 #   11|           0: [MethodAccess] getProperty(...)
 #   11|             -1: [TypeAccess] System
 #   11|             0: [StringLiteral] "user.dir"
@@ -84,14 +84,14 @@ jdk/SystemGetPropertyCall.java:
 #   14|     6: [Method] c
 #   14|       3: [TypeAccess] void
 #   14|       5: [BlockStmt] { ... }
-#   15|         0: [ExprStmt] ...;
+#   15|         0: [ExprStmt] <Expr>;
 #   15|           0: [MethodAccess] getProperty(...)
 #   15|             -1: [TypeAccess] System
 #   15|             0: [VarAccess] USER_DIR_PROPERTY
 #   18|     7: [Method] d
 #   18|       3: [TypeAccess] void
 #   18|       5: [BlockStmt] { ... }
-#   19|         0: [ExprStmt] ...;
+#   19|         0: [ExprStmt] <Expr>;
 #   19|           0: [MethodAccess] getProperty(...)
 #   19|             -1: [TypeAccess] System
 #   19|             0: [StringLiteral] "random.property"
diff --git a/java/ql/test/library-tests/collections/PrintAst.expected b/java/ql/test/library-tests/collections/PrintAst.expected
index 942bfca360e..2c38c8321e4 100644
--- a/java/ql/test/library-tests/collections/PrintAst.expected
+++ b/java/ql/test/library-tests/collections/PrintAst.expected
@@ -12,7 +12,7 @@ collections/Test.java:
 #    6|           0: [TypeAccess] String
 #    6|           1: [TypeAccess] Integer
 #    8|     4: [BlockStmt] { ... }
-#    9|       0: [ExprStmt] ...;
+#    9|       0: [ExprStmt] <Expr>;
 #    9|         0: [MethodAccess] put(...)
 #    9|           -1: [VarAccess] m
 #    9|           0: [StringLiteral] "key"
diff --git a/java/ql/test/library-tests/constants/PrintAst.expected b/java/ql/test/library-tests/constants/PrintAst.expected
index 225985f90c8..2dd30d4b75f 100644
--- a/java/ql/test/library-tests/constants/PrintAst.expected
+++ b/java/ql/test/library-tests/constants/PrintAst.expected
@@ -80,7 +80,7 @@ constants/Initializers.java:
 #    8|       -1: [TypeAccess] int
 #   10|     6: [Constructor] Initializers
 #   10|       5: [BlockStmt] { ... }
-#   12|         2: [ExprStmt] ...;
+#   12|         2: [ExprStmt] <Expr>;
 #   12|           0: [AssignExpr] ...=...
 #   12|             0: [VarAccess] IFIELD2
 #   12|             1: [IntegerLiteral] 22
@@ -94,7 +94,7 @@ constants/Initializers.java:
 #   17|         1: [LocalVariableDeclStmt] var ...;
 #   17|           0: [TypeAccess] int
 #   17|           1: [LocalVariableDeclExpr] y
-#   18|         2: [ExprStmt] ...;
+#   18|         2: [ExprStmt] <Expr>;
 #   18|           0: [AssignExpr] ...=...
 #   18|             0: [VarAccess] y
 #   18|             1: [IntegerLiteral] 400
@@ -112,20 +112,20 @@ constants/Initializers.java:
 #   26|       -1: [TypeAccess] int
 #   26|       0: [IntegerLiteral] 4
 #   28|     13: [BlockStmt] { ... }
-#   30|       0: [ExprStmt] ...;
+#   30|       0: [ExprStmt] <Expr>;
 #   30|         0: [AssignExpr] ...=...
 #   30|           0: [VarAccess] fsf
 #   30|           1: [IntegerLiteral] 42
-#   31|       1: [ExprStmt] ...;
+#   31|       1: [ExprStmt] <Expr>;
 #   31|         0: [AssignExpr] ...=...
 #   31|           0: [VarAccess] sf
 #   31|           1: [IntegerLiteral] 42
 #   34|     14: [BlockStmt] { ... }
-#   36|       0: [ExprStmt] ...;
+#   36|       0: [ExprStmt] <Expr>;
 #   36|         0: [AssignExpr] ...=...
 #   36|           0: [VarAccess] ff
 #   36|           1: [IntegerLiteral] 42
-#   37|       1: [ExprStmt] ...;
+#   37|       1: [ExprStmt] <Expr>;
 #   37|         0: [AssignExpr] ...=...
 #   37|           0: [VarAccess] f
 #   37|           1: [IntegerLiteral] 42
diff --git a/java/ql/test/library-tests/constructors/PrintAst.expected b/java/ql/test/library-tests/constructors/PrintAst.expected
index db3907670c4..3c7fe041229 100644
--- a/java/ql/test/library-tests/constructors/PrintAst.expected
+++ b/java/ql/test/library-tests/constructors/PrintAst.expected
@@ -17,7 +17,7 @@ constructors/A.java:
 #   10|           0: [ArrayTypeAccess] ...[]
 #   10|             0: [TypeAccess] String
 #   10|       5: [BlockStmt] { ... }
-#   11|         0: [ExprStmt] ...;
+#   11|         0: [ExprStmt] <Expr>;
 #   11|           0: [ClassInstanceExpr] new A(...)
 #   11|             -3: [TypeAccess] A
 #   14|     6: [FieldDeclaration] String STATIC, ...;
@@ -27,13 +27,13 @@ constructors/A.java:
 #   15|       -1: [TypeAccess] String
 #   15|       0: [StringLiteral] "instance string"
 #   17|     8: [BlockStmt] { ... }
-#   18|       0: [ExprStmt] ...;
+#   18|       0: [ExprStmt] <Expr>;
 #   18|         0: [MethodAccess] println(...)
 #   18|           -1: [VarAccess] System.out
 #   18|             -1: [TypeAccess] System
 #   18|           0: [StringLiteral] "<obinit>"
 #   21|     9: [BlockStmt] { ... }
-#   22|       0: [ExprStmt] ...;
+#   22|       0: [ExprStmt] <Expr>;
 #   22|         0: [MethodAccess] println(...)
 #   22|           -1: [VarAccess] System.out
 #   22|             -1: [TypeAccess] System
diff --git a/java/ql/test/library-tests/generics/PrintAst.expected b/java/ql/test/library-tests/generics/PrintAst.expected
index dc03f48d03e..57a62932e73 100644
--- a/java/ql/test/library-tests/generics/PrintAst.expected
+++ b/java/ql/test/library-tests/generics/PrintAst.expected
@@ -43,6 +43,6 @@ generics/A.java:
 #   20|         0: [WildcardTypeAccess] ? ...
 #   20|           1: [TypeAccess] Double
 #   21|     7: [BlockStmt] { ... }
-#   21|       0: [ExprStmt] ...;
+#   21|       0: [ExprStmt] <Expr>;
 #   21|         0: [MethodAccess] asList(...)
 #   21|           -1: [TypeAccess] Arrays
diff --git a/java/ql/test/library-tests/java7/MultiCatch/PrintAst.expected b/java/ql/test/library-tests/java7/MultiCatch/PrintAst.expected
index c1ef98d7ef8..3c7aeb9b736 100644
--- a/java/ql/test/library-tests/java7/MultiCatch/PrintAst.expected
+++ b/java/ql/test/library-tests/java7/MultiCatch/PrintAst.expected
@@ -27,7 +27,7 @@ MultiCatch.java:
 #   15|                 1: [TypeAccess] SQLException
 #   15|               1: [LocalVariableDeclExpr] e
 #   16|             1: [BlockStmt] { ... }
-#   17|               0: [ExprStmt] ...;
+#   17|               0: [ExprStmt] <Expr>;
 #   17|                 0: [MethodAccess] printStackTrace(...)
 #   17|                   -1: [VarAccess] e
 #   18|               1: [ThrowStmt] throw ...
diff --git a/java/ql/test/library-tests/printAst/PrintAst.expected b/java/ql/test/library-tests/printAst/PrintAst.expected
index 998717d5ea8..6c8c425e997 100644
--- a/java/ql/test/library-tests/printAst/PrintAst.expected
+++ b/java/ql/test/library-tests/printAst/PrintAst.expected
@@ -97,7 +97,7 @@ A.java:
 #   45|         0: [TryStmt] try ...
 #   45|           -1: [BlockStmt] { ... }
 #   46|             0: [EnhancedForStmt] for (... : ...)
-#-----|               0: (Single var ...;)
+#-----|               0: (Single Local Variable Declaration)
 #   46|                 0: [TypeAccess] Object
 #   46|                 1: [LocalVariableDeclExpr] thing
 #   46|               1: [VarAccess] things
@@ -110,7 +110,7 @@ A.java:
 #   48|                     0: [ReturnStmt] return ...
 #   50|                 1: [IfStmt] if (...)
 #   50|                   0: [InstanceOfExpr] ...instanceof...
-#-----|                     0: (Single var ...;)
+#-----|                     0: (Single Local Variable Declaration)
 #   50|                       0: [TypeAccess] String
 #   50|                       1: [LocalVariableDeclExpr] s
 #   50|                         0: [VarAccess] thing
@@ -120,7 +120,7 @@ A.java:
 #   51|                         -3: [TypeAccess] RuntimeException
 #   51|                         0: [VarAccess] s
 #   55|           0: [CatchClause] catch (...)
-#-----|             0: (Single var ...;)
+#-----|             0: (Single Local Variable Declaration)
 #   55|               0: [TypeAccess] RuntimeException
 #   55|               1: [LocalVariableDeclExpr] rte
 #   55|             1: [BlockStmt] { ... }
diff --git a/java/ql/test/library-tests/reflection/PrintAst.expected b/java/ql/test/library-tests/reflection/PrintAst.expected
index 5792e10b90f..bfd415a7ce1 100644
--- a/java/ql/test/library-tests/reflection/PrintAst.expected
+++ b/java/ql/test/library-tests/reflection/PrintAst.expected
@@ -38,10 +38,10 @@ reflection/ReflectiveAccess.java:
 #   18|             0: [MethodAccess] forName(...)
 #   18|               -1: [TypeAccess] Class<>
 #   18|               0: [StringLiteral] "reflection.ReflectiveAccess$TestClass"
-#   20|         1: [ExprStmt] ...;
+#   20|         1: [ExprStmt] <Expr>;
 #   20|           0: [MethodAccess] newInstance(...)
 #   20|             -1: [VarAccess] testClass
-#   22|         2: [ExprStmt] ...;
+#   22|         2: [ExprStmt] <Expr>;
 #   22|           0: [MethodAccess] getAnnotation(...)
 #   22|             0: [TypeLiteral] TestClass.class
 #   22|               0: [TypeAccess] TestClass
diff --git a/java/ql/test/library-tests/typeaccesses/PrintAst.expected b/java/ql/test/library-tests/typeaccesses/PrintAst.expected
index c0afe1de4ea..3134e9d44ba 100644
--- a/java/ql/test/library-tests/typeaccesses/PrintAst.expected
+++ b/java/ql/test/library-tests/typeaccesses/PrintAst.expected
@@ -65,7 +65,7 @@ typeaccesses/TA.java:
 #   11|     7: [Method] method5
 #   11|       3: [TypeAccess] void
 #   11|       5: [BlockStmt] { ... }
-#   11|         0: [ExprStmt] ...;
+#   11|         0: [ExprStmt] <Expr>;
 #   11|           0: [MethodAccess] toString(...)
 #   11|             -1: [CastExpr] (...)...
 #   11|               0: [TypeAccess] ArrayList<TA>
@@ -74,14 +74,14 @@ typeaccesses/TA.java:
 #   12|     8: [Method] method6
 #   12|       3: [TypeAccess] void
 #   12|       5: [BlockStmt] { ... }
-#   12|         0: [ExprStmt] ...;
+#   12|         0: [ExprStmt] <Expr>;
 #   12|           0: [ClassInstanceExpr] new ArrayList<TA>(...)
 #   12|             -3: [TypeAccess] ArrayList<TA>
 #   12|               0: [TypeAccess] TA
 #   13|     9: [Method] method7
 #   13|       3: [TypeAccess] void
 #   13|       5: [BlockStmt] { ... }
-#   13|         0: [ExprStmt] ...;
+#   13|         0: [ExprStmt] <Expr>;
 #   13|           0: [MethodAccess] method3(...)
 #   13|             -1: [TypeAccess] TA
 #   14|     10: [Class] Inner
diff --git a/java/ql/test/library-tests/varargs/PrintAst.expected b/java/ql/test/library-tests/varargs/PrintAst.expected
index 793c97b413c..b00b4a33d67 100644
--- a/java/ql/test/library-tests/varargs/PrintAst.expected
+++ b/java/ql/test/library-tests/varargs/PrintAst.expected
@@ -48,7 +48,7 @@ varargs/Test.java:
 #   10|             0: [TypeAccess] String
 #   10|       5: [BlockStmt] { ... }
 #   11|     9: [BlockStmt] { ... }
-#   12|       0: [ExprStmt] ...;
+#   12|       0: [ExprStmt] <Expr>;
 #   12|         0: [MethodAccess] asList(...)
 #   12|           -1: [TypeAccess] Arrays
 #   12|           0: [IntegerLiteral] 1

From 6003b6edd2fae1227c226c787a64a1c80f5ce413 Mon Sep 17 00:00:00 2001
From: Marcono1234 <Marcono1234@users.noreply.github.com>
Date: Thu, 3 Jun 2021 17:17:00 +0200
Subject: [PATCH 1317/1429] Java: Adjust change note for statement `toString()`
 changes

Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
---
 java/change-notes/2021-06-01-statement-toString.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/change-notes/2021-06-01-statement-toString.md b/java/change-notes/2021-06-01-statement-toString.md
index f0d39126dd8..2410214db80 100644
--- a/java/change-notes/2021-06-01-statement-toString.md
+++ b/java/change-notes/2021-06-01-statement-toString.md
@@ -1,2 +1,2 @@
 lgtm,codescanning
-* The CodeQL predicate `toString()` has been overridden for subclasses of `Stmt` to be more descriptive. Due to this, custom queries and `.expected` files of CodeQL tests for custom queries might have to be adjusted to match the new `toString()` results.
+* The CodeQL predicate `toString()` has been overridden for subclasses of `Stmt` to be more descriptive.

From c0aadcf8ba6b0514284c7c84bc5f49c4f3bb8db9 Mon Sep 17 00:00:00 2001
From: yo-h <55373593+yo-h@users.noreply.github.com>
Date: Thu, 3 Jun 2021 13:49:57 -0400
Subject: [PATCH 1318/1429] Update
 docs/codeql/support/reusables/versions-compilers.rst

---
 docs/codeql/support/reusables/versions-compilers.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/codeql/support/reusables/versions-compilers.rst b/docs/codeql/support/reusables/versions-compilers.rst
index 52253cb5ab4..74b9c196564 100644
--- a/docs/codeql/support/reusables/versions-compilers.rst
+++ b/docs/codeql/support/reusables/versions-compilers.rst
@@ -28,7 +28,7 @@
 
     .. [1] Support for the clang-cl compiler is preliminary.
     .. [2] Support for the Arm Compiler (armcc) is preliminary.
-    .. [3] Builds that execute on Java 7 to 16 can be analyzed. The analysis understands Java 16 standard language features.
+    .. [3] Builds that execute on Java 7 to 16 can be analyzed. The analysis understands Java 15 standard language features.
     .. [4] ECJ is supported when the build invokes it via the Maven Compiler plugin or the Takari Lifecycle plugin.
     .. [5] JSX and Flow code, YAML, JSON, HTML, and XML files may also be analyzed with JavaScript files.
     .. [6] TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default for LGTM.

From 00a71a1c41590163d9989cb6f3f354f2c0d11b06 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 3 Jun 2021 14:17:29 +0200
Subject: [PATCH 1319/1429] Python: Port sensitive data modeling

No longer using points-to :tada:
---
 .../dataflow/new/SensitiveDataSources.qll     | 96 +++++++++++++++++--
 .../TestSensitiveDataSources.ql               | 23 ++++-
 .../dataflow/sensitive-data/test.py           |  8 +-
 3 files changed, 110 insertions(+), 17 deletions(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
index ea3f135ed98..e06ab347374 100644
--- a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
+++ b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
@@ -8,7 +8,6 @@ private import semmle.python.dataflow.new.DataFlow
 // Need to import since frameworks can extend `RemoteFlowSource::Range`
 private import semmle.python.Frameworks
 private import semmle.python.Concepts
-private import semmle.python.security.SensitiveData as OldSensitiveData
 private import semmle.python.security.internal.SensitiveDataHeuristics as SensitiveDataHeuristics
 
 // We export these explicitly, so we don't also export the `HeuristicNames` module.
@@ -49,17 +48,94 @@ module SensitiveDataSource {
   }
 }
 
-// TODO: rewrite this to not rely on the old points-to implementation
-private class PortOfOldModeling extends SensitiveDataSource::Range {
-  OldSensitiveData::SensitiveData::Source oldSensitiveSource;
+/** Actual sensitive data modeling */
+private module SensitiveDataModeling {
+  private import SensitiveDataHeuristics::HeuristicNames
 
-  PortOfOldModeling() { this.asCfgNode() = oldSensitiveSource }
+  /**
+   * Gets a reference to a function that is considered to be a sensitive source of
+   * `classification`.
+   */
+  private DataFlow::LocalSourceNode sensitiveFunction(
+    DataFlow::TypeTracker t, SensitiveDataClassification classification
+  ) {
+    t.start() and
+    exists(Function f |
+      nameIndicatesSensitiveData(f.getName(), classification) and
+      result.asExpr() = f.getDefinition()
+    )
+    or
+    exists(DataFlow::TypeTracker t2 | result = sensitiveFunction(t2, classification).track(t2, t))
+  }
 
-  override SensitiveDataClassification getClassification() {
-    exists(OldSensitiveData::SensitiveData classification |
-      oldSensitiveSource.isSourceOf(classification)
-    |
-      classification = "sensitive.data." + result
+  /**
+   * Gets a reference to a function that is considered to be a sensitive source of
+   * `classification`.
+   */
+  DataFlow::Node sensitiveFunction(SensitiveDataClassification classification) {
+    sensitiveFunction(DataFlow::TypeTracker::end(), classification).flowsTo(result)
+  }
+
+  /**
+   * Gets a reference to a string constant that, if used as the key in a lookup,
+   * indicates the presence of sensitive data with `classification`.
+   */
+  private DataFlow::LocalSourceNode sensitiveLookupStringConst(
+    DataFlow::TypeTracker t, SensitiveDataClassification classification
+  ) {
+    t.start() and
+    nameIndicatesSensitiveData(result.asExpr().(StrConst).getText(), classification)
+    or
+    exists(DataFlow::TypeTracker t2 |
+      result = sensitiveLookupStringConst(t2, classification).track(t2, t)
     )
   }
+
+  /**
+   * Gets a reference to a string constant that, if used as the key in a lookup,
+   * indicates the presence of sensitive data with `classification`.
+   */
+  DataFlow::Node sensitiveLookupStringConst(SensitiveDataClassification classification) {
+    sensitiveLookupStringConst(DataFlow::TypeTracker::end(), classification).flowsTo(result)
+  }
+
+  /** A function call that is considered a source of sensitive data. */
+  class SensitiveFunctionCall extends SensitiveDataSource::Range, DataFlow::CallCfgNode {
+    SensitiveDataClassification classification;
+
+    SensitiveFunctionCall() {
+      this.getFunction() = sensitiveFunction(classification)
+      or
+      nameIndicatesSensitiveData(this.getFunction().asCfgNode().(NameNode).getId(), classification)
+    }
+
+    override SensitiveDataClassification getClassification() { result = classification }
+  }
+
+  /** An attribute access that is considered a source of sensitive data. */
+  class SensitiveAttributeAccess extends SensitiveDataSource::Range {
+    SensitiveDataClassification classification;
+
+    SensitiveAttributeAccess() {
+      nameIndicatesSensitiveData(this.(DataFlow::AttrRead).getAttributeName(), classification)
+      or
+      // I considered excluding any `from ... import something_sensitive`, but then realized that
+      // we should flag up `form ... import password as ...` as a password
+      this.(DataFlow::AttrRead).getAttributeNameExpr() = sensitiveLookupStringConst(classification)
+    }
+
+    override SensitiveDataClassification getClassification() { result = classification }
+  }
+
+  /** A call to `get` on an object, where the key indicates the result will be sensitive data. */
+  class SensitiveGetCall extends SensitiveDataSource::Range, DataFlow::CallCfgNode {
+    SensitiveDataClassification classification;
+
+    SensitiveGetCall() {
+      this.getFunction().asCfgNode().(AttrNode).getName() = "get" and
+      this.getArg(0) = sensitiveLookupStringConst(classification)
+    }
+
+    override SensitiveDataClassification getClassification() { result = classification }
+  }
 }
diff --git a/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql b/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql
index ce2a8a9a4fd..200387b2275 100644
--- a/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql
+++ b/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql
@@ -2,19 +2,32 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import TestUtilities.InlineExpectationsTest
 import semmle.python.dataflow.new.SensitiveDataSources
+private import semmle.python.ApiGraphs
 
 class SensitiveDataSourcesTest extends InlineExpectationsTest {
   SensitiveDataSourcesTest() { this = "SensitiveDataSourcesTest" }
 
-  override string getARelevantTag() { result = "SensitiveDataSource" }
+  override string getARelevantTag() { result in ["SensitiveDataSource", "SensitiveUse"] }
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(location.getFile().getRelativePath()) and
     exists(SensitiveDataSource source |
-      location = source.getLocation() and
-      element = source.toString() and
-      value = source.getClassification() and
-      tag = "SensitiveDataSource"
+      (
+        location = source.getLocation() and
+        element = source.toString() and
+        value = source.getClassification() and
+        tag = "SensitiveDataSource"
+      )
+      or
+      exists(DataFlow::Node use |
+        use = API::builtin("print").getACall().getArg(_) and
+        DataFlow::localFlow(source, use) and
+        location = use.getLocation() and
+        element = use.toString() and
+        value = source.getClassification() and
+        tag = "SensitiveUse"
+
+      )
     )
   }
 }
diff --git a/python/ql/test/experimental/dataflow/sensitive-data/test.py b/python/ql/test/experimental/dataflow/sensitive-data/test.py
index 75e0367e776..d9c2a56cf41 100644
--- a/python/ql/test/experimental/dataflow/sensitive-data/test.py
+++ b/python/ql/test/experimental/dataflow/sensitive-data/test.py
@@ -1,5 +1,6 @@
 
-from not_found import get_passwd, account_id
+from not_found import get_passwd # $ SensitiveDataSource=password
+from not_found import account_id # $ SensitiveDataSource=id
 
 def get_password():
     pass
@@ -30,7 +31,7 @@ foo.username # $ SensitiveDataSource=id
 
 # plain variables
 password = some_function()
-print(password) # $ MISSING: SensitiveDataSource=password
+print(password) # $ MISSING: SensitiveUse=password
 
 # Special handling of lookups of sensitive properties
 request.args["password"], # $ MISSING: SensitiveDataSource=password
@@ -41,3 +42,6 @@ request.args.get(x) # $ SensitiveDataSource=password
 
 # I don't think handling `getlist` is super important, just included it to show what we don't handle
 request.args.getlist("password")[0] # $ MISSING: SensitiveDataSource=password
+
+from not_found import password2 as foo # $ SensitiveDataSource=password
+print(foo) # $ SensitiveUse=password

From d6532e280a8f959829f1fb30d329d548a114d17e Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 3 Jun 2021 14:19:22 +0200
Subject: [PATCH 1320/1429] Python: minor cleanup in SensitiveDataSources

---
 .../ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
index e06ab347374..90e9a31382e 100644
--- a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
+++ b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
@@ -5,9 +5,8 @@
 
 private import python
 private import semmle.python.dataflow.new.DataFlow
-// Need to import since frameworks can extend `RemoteFlowSource::Range`
+// Need to import `semmle.python.Frameworks` since frameworks can extend `SensitiveDataSource::Range`
 private import semmle.python.Frameworks
-private import semmle.python.Concepts
 private import semmle.python.security.internal.SensitiveDataHeuristics as SensitiveDataHeuristics
 
 // We export these explicitly, so we don't also export the `HeuristicNames` module.

From 925e67d734dcc0c104e3cb1286a260eb93eadfd4 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 3 Jun 2021 14:21:07 +0200
Subject: [PATCH 1321/1429] Python: Model sensitive data from subscripts

---
 .../python/dataflow/new/SensitiveDataSources.qll     | 12 ++++++++++++
 .../experimental/dataflow/sensitive-data/test.py     |  2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
index 90e9a31382e..02b04ef84ea 100644
--- a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
+++ b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
@@ -126,6 +126,18 @@ private module SensitiveDataModeling {
     override SensitiveDataClassification getClassification() { result = classification }
   }
 
+  /** A subscript, where the key indicates the result will be sensitive data. */
+  class SensitiveSubscript extends SensitiveDataSource::Range {
+    SensitiveDataClassification classification;
+
+    SensitiveSubscript() {
+      this.asCfgNode().(SubscriptNode).getIndex() =
+        sensitiveLookupStringConst(classification).asCfgNode()
+    }
+
+    override SensitiveDataClassification getClassification() { result = classification }
+  }
+
   /** A call to `get` on an object, where the key indicates the result will be sensitive data. */
   class SensitiveGetCall extends SensitiveDataSource::Range, DataFlow::CallCfgNode {
     SensitiveDataClassification classification;
diff --git a/python/ql/test/experimental/dataflow/sensitive-data/test.py b/python/ql/test/experimental/dataflow/sensitive-data/test.py
index d9c2a56cf41..a3e85dfb367 100644
--- a/python/ql/test/experimental/dataflow/sensitive-data/test.py
+++ b/python/ql/test/experimental/dataflow/sensitive-data/test.py
@@ -34,7 +34,7 @@ password = some_function()
 print(password) # $ MISSING: SensitiveUse=password
 
 # Special handling of lookups of sensitive properties
-request.args["password"], # $ MISSING: SensitiveDataSource=password
+request.args["password"], # $ SensitiveDataSource=password
 request.args.get("password") # $ SensitiveDataSource=password
 
 x = "password"

From f5fd0f8d1ce66e5a45cb6b418c9791f9f3c66f43 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 3 Jun 2021 14:25:15 +0200
Subject: [PATCH 1322/1429] Python: Model sensitive data based on parameter
 names

---
 .../python/dataflow/new/SensitiveDataSources.qll      | 11 +++++++++++
 .../test/experimental/dataflow/sensitive-data/test.py |  5 ++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
index 02b04ef84ea..d244f144c11 100644
--- a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
+++ b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
@@ -149,4 +149,15 @@ private module SensitiveDataModeling {
 
     override SensitiveDataClassification getClassification() { result = classification }
   }
+
+  /** A parameter where the name indicates it will receive sensitive data. */
+  class SensitiveParameter extends SensitiveDataSource::Range, DataFlow::ParameterNode {
+    SensitiveDataClassification classification;
+
+    SensitiveParameter() {
+      nameIndicatesSensitiveData(this.getParameter().getName(), classification)
+    }
+
+    override SensitiveDataClassification getClassification() { result = classification }
+  }
 }
diff --git a/python/ql/test/experimental/dataflow/sensitive-data/test.py b/python/ql/test/experimental/dataflow/sensitive-data/test.py
index a3e85dfb367..25dbc60de92 100644
--- a/python/ql/test/experimental/dataflow/sensitive-data/test.py
+++ b/python/ql/test/experimental/dataflow/sensitive-data/test.py
@@ -29,7 +29,10 @@ foo = ObjectFromDatabase()
 foo.secret # $ SensitiveDataSource=secret
 foo.username # $ SensitiveDataSource=id
 
-# plain variables
+# based on variable/parameter names
+def my_func(password): # $ SensitiveDataSource=password
+    print(password) # $ SensitiveUse=password
+
 password = some_function()
 print(password) # $ MISSING: SensitiveUse=password
 

From 350f79e1e1513bb8a104ef156782fe7159fe5b94 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Fri, 4 Jun 2021 11:10:50 +0200
Subject: [PATCH 1323/1429] Python: Model sensitive data based on variable
 names

---
 .../dataflow/new/SensitiveDataSources.qll     | 37 +++++++++++++++++++
 .../TestSensitiveDataSources.ql               |  3 +-
 .../dataflow/sensitive-data/test.py           | 12 +++++-
 3 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
index d244f144c11..45bb7b89a60 100644
--- a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
+++ b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
@@ -111,6 +111,43 @@ private module SensitiveDataModeling {
     override SensitiveDataClassification getClassification() { result = classification }
   }
 
+  /**
+   * Any kind of variable assignment (also including with/for) where the name indicates
+   * it contains sensitive data.
+   *
+   * Note: We _could_ make any access to a variable with a sensitive name a source of
+   * sensitive data, but to make path explanations in data-flow/taint-tracking good,
+   * we don't want that, since it works against allowing users to understand the flow
+   * in the program (which is the whole point).
+   *
+   * Note: To make data-flow/taint-tracking work, the expression that is _assigned_ to
+   * the variable is marked as the source (as compared to marking the variable as the
+   * source).
+   */
+  class SensitiveVariableAssignment extends SensitiveDataSource::Range {
+    SensitiveDataClassification classification;
+
+    SensitiveVariableAssignment() {
+      exists(DefinitionNode def |
+        nameIndicatesSensitiveData(def.(NameNode).getId(), classification) and
+        (
+          this.asCfgNode() = def.getValue()
+          or
+          this.asCfgNode() = def.getValue().(ForNode).getSequence()
+        ) and
+        not this.asExpr() instanceof FunctionExpr and
+        not this.asExpr() instanceof ClassExpr
+      )
+      or
+      exists(With with |
+        nameIndicatesSensitiveData(with.getOptionalVars().(Name).getId(), classification) and
+        this.asExpr() = with.getContextExpr()
+      )
+    }
+
+    override SensitiveDataClassification getClassification() { result = classification }
+  }
+
   /** An attribute access that is considered a source of sensitive data. */
   class SensitiveAttributeAccess extends SensitiveDataSource::Range {
     SensitiveDataClassification classification;
diff --git a/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql b/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql
index 200387b2275..39a6da19599 100644
--- a/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql
+++ b/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql
@@ -1,5 +1,6 @@
 import python
 import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
 import TestUtilities.InlineExpectationsTest
 import semmle.python.dataflow.new.SensitiveDataSources
 private import semmle.python.ApiGraphs
@@ -21,7 +22,7 @@ class SensitiveDataSourcesTest extends InlineExpectationsTest {
       or
       exists(DataFlow::Node use |
         use = API::builtin("print").getACall().getArg(_) and
-        DataFlow::localFlow(source, use) and
+        TaintTracking::localTaint(source, use) and
         location = use.getLocation() and
         element = use.toString() and
         value = source.getClassification() and
diff --git a/python/ql/test/experimental/dataflow/sensitive-data/test.py b/python/ql/test/experimental/dataflow/sensitive-data/test.py
index 25dbc60de92..57ad6a43762 100644
--- a/python/ql/test/experimental/dataflow/sensitive-data/test.py
+++ b/python/ql/test/experimental/dataflow/sensitive-data/test.py
@@ -29,12 +29,20 @@ foo = ObjectFromDatabase()
 foo.secret # $ SensitiveDataSource=secret
 foo.username # $ SensitiveDataSource=id
 
+
 # based on variable/parameter names
 def my_func(password): # $ SensitiveDataSource=password
     print(password) # $ SensitiveUse=password
 
-password = some_function()
-print(password) # $ MISSING: SensitiveUse=password
+password = some_function() # $ SensitiveDataSource=password
+print(password) # $ SensitiveUse=password
+
+for password in some_function2(): # $ SensitiveDataSource=password
+    print(password) # $ SensitiveUse=password
+
+with some_function3() as password: # $ SensitiveDataSource=password
+    print(password) # $ SensitiveUse=password
+
 
 # Special handling of lookups of sensitive properties
 request.args["password"], # $ SensitiveDataSource=password

From 46f90006c2736bd6ae229c73186b3344e26a1026 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Fri, 4 Jun 2021 13:13:13 +0200
Subject: [PATCH 1324/1429] add model for whatwg-fetch

---
 javascript/change-notes/2021-06-04-whatwg-fetch.md    |  4 ++++
 .../semmle/javascript/frameworks/ClientRequests.qll   |  2 ++
 .../frameworks/ClientRequests/ClientRequests.expected |  3 +++
 .../library-tests/frameworks/ClientRequests/tst.js    | 11 ++++++++++-
 4 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 javascript/change-notes/2021-06-04-whatwg-fetch.md

diff --git a/javascript/change-notes/2021-06-04-whatwg-fetch.md b/javascript/change-notes/2021-06-04-whatwg-fetch.md
new file mode 100644
index 00000000000..13edbbdbb77
--- /dev/null
+++ b/javascript/change-notes/2021-06-04-whatwg-fetch.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* URIs used in the [whatwg-fetch](https://www.npmjs.com/package/whatwg-fetch) library are now recognized as sinks for `js/request-forgery`.
+  Affected packages are
+    [whatwg-fetch](https://www.npmjs.com/package/whatwg-fetch)
\ No newline at end of file
diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
index 18204c5b59b..3d496f28177 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -302,6 +302,8 @@ module ClientRequest {
       exists(DataFlow::SourceNode fetch |
         fetch = DataFlow::moduleImport(["node-fetch", "cross-fetch", "isomorphic-fetch"])
         or
+        fetch = DataFlow::moduleMember("whatwg-fetch", "fetch")
+        or
         fetch = DataFlow::globalVarRef("fetch") // https://fetch.spec.whatwg.org/#fetch-api
       |
         this = fetch.getACall() and
diff --git a/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected b/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected
index 27a9fa10f72..827be151d5b 100644
--- a/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected
+++ b/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected
@@ -88,6 +88,7 @@ test_ClientRequest
 | tst.js:274:1:283:2 | httpPro ... true\\n}) |
 | tst.js:286:20:286:55 | new Web ... :8080') |
 | tst.js:296:5:299:6 | axios({ ... \\n    }) |
+| tst.js:312:12:312:36 | fetchPo ... o/bar') |
 test_getADataNode
 | tst.js:53:5:53:23 | axios({data: data}) | tst.js:53:18:53:21 | data |
 | tst.js:57:5:57:39 | axios.p ... data2}) | tst.js:57:19:57:23 | data1 |
@@ -230,6 +231,7 @@ test_getUrl
 | tst.js:286:20:286:55 | new Web ... :8080') | tst.js:286:34:286:54 | 'ws://l ... t:8080' |
 | tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:296:11:299:5 | {\\n      ... ,\\n    } |
 | tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:298:14:298:44 | "http:/ ... -axios" |
+| tst.js:312:12:312:36 | fetchPo ... o/bar') | tst.js:312:26:312:35 | '/foo/bar' |
 test_getAResponseDataNode
 | tst.js:19:5:19:23 | requestPromise(url) | tst.js:19:5:19:23 | requestPromise(url) | text | true |
 | tst.js:21:5:21:23 | superagent.get(url) | tst.js:21:5:21:23 | superagent.get(url) | stream | true |
@@ -301,3 +303,4 @@ test_getAResponseDataNode
 | tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:302:28:302:39 | err.response | json | false |
 | tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:303:26:303:37 | err.response | json | false |
 | tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:304:27:304:38 | err.response | json | false |
+| tst.js:312:12:312:36 | fetchPo ... o/bar') | tst.js:312:12:312:36 | fetchPo ... o/bar') | fetch.response | true |
diff --git a/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js b/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js
index 40dcfc481f4..b2b9d8256ca 100644
--- a/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js
+++ b/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js
@@ -304,4 +304,13 @@ function moreAxios() {
             const agent = err.response.headers.useragent;
         }
     );
-}
\ No newline at end of file
+}
+
+import { fetch as fetchPolyfill } from 'whatwg-fetch'
+
+function usePolyfill() {
+    return fetchPolyfill('/foo/bar')
+        .then(function (response) {
+            return response.text()
+        })
+}

From fc0fc740ac83f2a751150472d5d5c4201f91ce5f Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 2 Jun 2021 11:23:10 +0200
Subject: [PATCH 1325/1429] C#: Add test for extension method calls

---
 .../ExtensionMethodCalls.expected             | 40 +++++++++++++++++
 .../ExtensionMethodCalls.ql                   | 14 ++++++
 .../extension-method-call/methods.cs          | 43 +++++++++++++++++++
 3 files changed, 97 insertions(+)
 create mode 100644 csharp/ql/test/library-tests/extension-method-call/ExtensionMethodCalls.expected
 create mode 100644 csharp/ql/test/library-tests/extension-method-call/ExtensionMethodCalls.ql
 create mode 100644 csharp/ql/test/library-tests/extension-method-call/methods.cs

diff --git a/csharp/ql/test/library-tests/extension-method-call/ExtensionMethodCalls.expected b/csharp/ql/test/library-tests/extension-method-call/ExtensionMethodCalls.expected
new file mode 100644
index 00000000000..c9e0e80a79f
--- /dev/null
+++ b/csharp/ql/test/library-tests/extension-method-call/ExtensionMethodCalls.expected
@@ -0,0 +1,40 @@
+methodCallTargets
+| methods.cs:19:13:19:22 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) |
+| methods.cs:20:13:20:27 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) |
+| methods.cs:21:13:21:30 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<double>(double) |
+| methods.cs:22:13:22:33 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<object>(object) |
+| methods.cs:23:13:23:34 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) |
+| methods.cs:24:13:24:39 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) |
+| methods.cs:25:13:25:42 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<double>(string, double) |
+| methods.cs:26:13:26:45 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<object>(string, object) |
+| methods.cs:28:13:28:22 | call to method Ext1 | methods.cs:10:28:10:31 | Ext1 | Ext1(string, int) |
+| methods.cs:29:13:29:34 | call to method Ext1 | methods.cs:10:28:10:31 | Ext1 | Ext1(string, int) |
+| methods.cs:31:13:31:21 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) |
+| methods.cs:32:13:32:26 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) |
+| methods.cs:33:13:33:22 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) |
+| methods.cs:34:13:34:30 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) |
+| methods.cs:35:13:35:30 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<object>(object, int) |
+| methods.cs:36:13:36:33 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) |
+| methods.cs:37:13:37:38 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) |
+| methods.cs:38:13:38:34 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) |
+| methods.cs:39:13:39:42 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) |
+| methods.cs:40:13:40:42 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<object>(object, int) |
+genericMethodCallTargets
+| methods.cs:19:13:19:22 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
+| methods.cs:20:13:20:27 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
+| methods.cs:21:13:21:30 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<double>(double) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
+| methods.cs:22:13:22:33 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<object>(object) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
+| methods.cs:23:13:23:34 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
+| methods.cs:24:13:24:39 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
+| methods.cs:25:13:25:42 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<double>(string, double) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
+| methods.cs:26:13:26:45 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<object>(string, object) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
+| methods.cs:31:13:31:21 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
+| methods.cs:32:13:32:26 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
+| methods.cs:33:13:33:22 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
+| methods.cs:34:13:34:30 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
+| methods.cs:35:13:35:30 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<object>(object, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
+| methods.cs:36:13:36:33 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
+| methods.cs:37:13:37:38 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
+| methods.cs:38:13:38:34 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
+| methods.cs:39:13:39:42 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
+| methods.cs:40:13:40:42 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<object>(object, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
diff --git a/csharp/ql/test/library-tests/extension-method-call/ExtensionMethodCalls.ql b/csharp/ql/test/library-tests/extension-method-call/ExtensionMethodCalls.ql
new file mode 100644
index 00000000000..afdbe77fce8
--- /dev/null
+++ b/csharp/ql/test/library-tests/extension-method-call/ExtensionMethodCalls.ql
@@ -0,0 +1,14 @@
+import csharp
+
+query predicate methodCallTargets(MethodCall mc, Method m, string sig) {
+  m = mc.getTarget() and sig = m.toStringWithTypes()
+}
+
+query predicate genericMethodCallTargets(
+  MethodCall mc, ConstructedMethod cm, string sig1, UnboundGenericMethod ugm, string sig2
+) {
+  cm = mc.getTarget() and
+  sig1 = cm.toStringWithTypes() and
+  ugm = cm.getUnboundGeneric() and
+  sig2 = ugm.toStringWithTypes()
+}
diff --git a/csharp/ql/test/library-tests/extension-method-call/methods.cs b/csharp/ql/test/library-tests/extension-method-call/methods.cs
new file mode 100644
index 00000000000..05803d6cb3f
--- /dev/null
+++ b/csharp/ql/test/library-tests/extension-method-call/methods.cs
@@ -0,0 +1,43 @@
+using System;
+
+namespace Test
+{
+
+    public static class Extensions
+    {
+        public static void Ext0<T>(this string self, T arg) { }
+
+        public static void Ext1(this string self, int arg) { }
+
+        public static void Ext2<T>(this T self, int arg) { }
+    }
+
+    public class Program
+    {
+        public static void M()
+        {
+            "".Ext0(1);
+            "".Ext0<int>(1);
+            "".Ext0<double>(1);
+            "".Ext0<object>(null);
+            Extensions.Ext0("", 1);
+            Extensions.Ext0<int>("", 1);
+            Extensions.Ext0<double>("", 1);
+            Extensions.Ext0<object>("", null);
+
+            "".Ext1(1);
+            Extensions.Ext1("", 1);
+
+            1.Ext2(1);
+            1.Ext2<int>(1);
+            "".Ext2(1);
+            "".Ext2<string>(1);
+            "".Ext2<object>(1);
+            Extensions.Ext2(1, 1);
+            Extensions.Ext2<int>(1, 1);
+            Extensions.Ext2("", 1);
+            Extensions.Ext2<string>("", 1);
+            Extensions.Ext2<object>("", 1);
+        }
+    }
+}

From e05e2365ea7d173585fdb42ba96051608d49173e Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 1 Jun 2021 13:01:44 +0200
Subject: [PATCH 1326/1429] C#: Extract correct method symbol as target of
 extension method calls

---
 .../extractor/Semmle.Extraction.CSharp/Entities/Method.cs | 4 ++++
 .../extension-method-call/ExtensionMethodCalls.expected   | 8 ++++----
 csharp/ql/test/library-tests/methods/Parameters8.expected | 5 ++---
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
index e5822ccbf58..3861614f00f 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
@@ -272,6 +272,10 @@ namespace Semmle.Extraction.CSharp.Entities
                 case MethodKind.Constructor:
                     return Constructor.Create(cx, methodDecl);
                 case MethodKind.ReducedExtension:
+                    return OrdinaryMethod.Create(cx,
+                        methodDecl.ReducedFrom!.IsGenericMethod && methodDecl.TypeArguments.Any()
+                            ? methodDecl.ReducedFrom!.Construct(methodDecl.TypeArguments, methodDecl.TypeArgumentNullableAnnotations)
+                            : methodDecl.ReducedFrom!);
                 case MethodKind.Ordinary:
                 case MethodKind.DelegateInvoke:
                     return OrdinaryMethod.Create(cx, methodDecl);
diff --git a/csharp/ql/test/library-tests/extension-method-call/ExtensionMethodCalls.expected b/csharp/ql/test/library-tests/extension-method-call/ExtensionMethodCalls.expected
index c9e0e80a79f..f2300266f4b 100644
--- a/csharp/ql/test/library-tests/extension-method-call/ExtensionMethodCalls.expected
+++ b/csharp/ql/test/library-tests/extension-method-call/ExtensionMethodCalls.expected
@@ -1,8 +1,8 @@
 methodCallTargets
 | methods.cs:19:13:19:22 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) |
 | methods.cs:20:13:20:27 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) |
-| methods.cs:21:13:21:30 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<double>(double) |
-| methods.cs:22:13:22:33 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<object>(object) |
+| methods.cs:21:13:21:30 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<double>(string, double) |
+| methods.cs:22:13:22:33 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<object>(string, object) |
 | methods.cs:23:13:23:34 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) |
 | methods.cs:24:13:24:39 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) |
 | methods.cs:25:13:25:42 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<double>(string, double) |
@@ -22,8 +22,8 @@ methodCallTargets
 genericMethodCallTargets
 | methods.cs:19:13:19:22 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
 | methods.cs:20:13:20:27 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
-| methods.cs:21:13:21:30 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<double>(double) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
-| methods.cs:22:13:22:33 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<object>(object) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
+| methods.cs:21:13:21:30 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<double>(string, double) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
+| methods.cs:22:13:22:33 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<object>(string, object) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
 | methods.cs:23:13:23:34 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
 | methods.cs:24:13:24:39 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
 | methods.cs:25:13:25:42 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<double>(string, double) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
diff --git a/csharp/ql/test/library-tests/methods/Parameters8.expected b/csharp/ql/test/library-tests/methods/Parameters8.expected
index 62c4d495009..21ec8aeae13 100644
--- a/csharp/ql/test/library-tests/methods/Parameters8.expected
+++ b/csharp/ql/test/library-tests/methods/Parameters8.expected
@@ -16,11 +16,10 @@
 | methods.cs:73:21:73:24 | F | methods.cs:73:28:73:28 | x |
 | methods.cs:78:21:78:21 | F | methods.cs:78:30:78:30 | x |
 | methods.cs:78:21:78:21 | F | methods.cs:78:40:78:40 | y |
-| methods.cs:100:27:100:33 | ToInt32 | methods.cs:100:35:100:47 | s |
 | methods.cs:100:27:100:33 | ToInt32 | methods.cs:100:47:100:47 | s |
 | methods.cs:105:28:105:33 | ToBool | methods.cs:105:47:105:47 | s |
 | methods.cs:105:28:105:33 | ToBool | methods.cs:105:69:105:69 | f |
-| methods.cs:110:27:110:34 | Slice | methods.cs:110:36:110:50 | source |
+| methods.cs:110:27:110:34 | Slice | methods.cs:110:45:110:50 | source |
 | methods.cs:110:27:110:34 | Slice | methods.cs:110:45:110:50 | source |
 | methods.cs:110:27:110:34 | Slice | methods.cs:110:57:110:61 | index |
 | methods.cs:110:27:110:34 | Slice | methods.cs:110:57:110:61 | index |
@@ -35,7 +34,7 @@
 | methods.cs:146:14:146:20 | Method2 | methods.cs:146:65:146:65 | e |
 | methods.cs:169:27:169:30 | Plus | methods.cs:169:41:169:44 | left |
 | methods.cs:169:27:169:30 | Plus | methods.cs:169:51:169:55 | right |
-| methods.cs:174:65:174:74 | SkipTwo | methods.cs:174:76:174:126 | list |
+| methods.cs:174:65:174:74 | SkipTwo | methods.cs:174:123:174:126 | list |
 | methods.cs:174:65:174:74 | SkipTwo | methods.cs:174:123:174:126 | list |
 | methods.cs:174:65:174:74 | SkipTwo | methods.cs:174:133:174:133 | i |
 | methods.cs:174:65:174:74 | SkipTwo | methods.cs:174:133:174:133 | i |

From 127d66ccd17b1b24defd98f4a02b45f5e1516460 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 2 Jun 2021 15:37:08 +0200
Subject: [PATCH 1327/1429] Remove unneeded ReducedExtension method handling

---
 .../Entities/Method.cs                        | 33 ++------------
 .../Entities/OrdinaryMethod.cs                | 19 ++++----
 .../Entities/Parameter.cs                     | 44 +------------------
 3 files changed, 14 insertions(+), 82 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
index 3861614f00f..5c113ae2214 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
@@ -20,26 +20,6 @@ namespace Semmle.Extraction.CSharp.Entities
             IEnumerable<IParameterSymbol> parameters = Symbol.Parameters;
             IEnumerable<IParameterSymbol> originalParameters = originalMethod.Symbol.Parameters;
 
-            if (IsReducedExtension)
-            {
-                if (this == originalMethod)
-                {
-                    // Non-generic reduced extensions must be extracted exactly like the
-                    // non-reduced counterparts
-                    parameters = Symbol.ReducedFrom!.Parameters;
-                }
-                else
-                {
-                    // Constructed reduced extensions are special because their non-reduced
-                    // counterparts are not constructed. Therefore, we need to manually add
-                    // the `this` parameter based on the type of the receiver
-                    var originalThisParamSymbol = originalMethod.Symbol.Parameters.First();
-                    var originalThisParam = Parameter.Create(Context, originalThisParamSymbol, originalMethod);
-                    ConstructedExtensionParameter.Create(Context, this, originalThisParam);
-                    originalParameters = originalParameters.Skip(1);
-                }
-            }
-
             foreach (var p in parameters.Zip(originalParameters, (paramSymbol, originalParam) => new { paramSymbol, originalParam }))
             {
                 var original = SymbolEqualityComparer.Default.Equals(p.paramSymbol, p.originalParam)
@@ -208,9 +188,7 @@ namespace Semmle.Extraction.CSharp.Entities
             trapFile.Write('(');
             var index = 0;
 
-            var @params = method.MethodKind == MethodKind.ReducedExtension
-                ? method.ReducedFrom!.Parameters
-                : method.Parameters;
+            var @params = method.Parameters;
 
             foreach (var param in @params)
             {
@@ -301,10 +279,7 @@ namespace Semmle.Extraction.CSharp.Entities
             }
         }
 
-        public Method OriginalDefinition =>
-            IsReducedExtension
-                ? Create(Context, Symbol.ReducedFrom!)
-                : Create(Context, Symbol.OriginalDefinition);
+        public Method OriginalDefinition => Create(Context, Symbol.OriginalDefinition);
 
         public override Location? FullLocation => ReportingLocation;
 
@@ -322,9 +297,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public bool IsBoundGeneric => IsGeneric && !IsUnboundGeneric;
 
-        private bool IsReducedExtension => Symbol.MethodKind == MethodKind.ReducedExtension;
-
-        protected IMethodSymbol ConstructedFromSymbol => Symbol.ConstructedFrom.ReducedFrom ?? Symbol.ConstructedFrom;
+        protected IMethodSymbol ConstructedFromSymbol => Symbol.ConstructedFrom;
 
         bool IExpressionParentEntity.IsTopLevelParent => true;
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/OrdinaryMethod.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/OrdinaryMethod.cs
index 0b16b4ec9fe..576eb913433 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/OrdinaryMethod.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/OrdinaryMethod.cs
@@ -15,14 +15,7 @@ namespace Semmle.Extraction.CSharp.Entities
 
         protected override IMethodSymbol BodyDeclaringSymbol => Symbol.PartialImplementationPart ?? Symbol;
 
-        public IMethodSymbol SourceDeclaration
-        {
-            get
-            {
-                var reducedFrom = Symbol.ReducedFrom ?? Symbol;
-                return reducedFrom.OriginalDefinition;
-            }
-        }
+        public IMethodSymbol SourceDeclaration => Symbol.OriginalDefinition;
 
         public override Microsoft.CodeAnalysis.Location ReportingLocation => Symbol.GetSymbolLocation();
 
@@ -53,7 +46,15 @@ namespace Semmle.Extraction.CSharp.Entities
             ExtractCompilerGenerated(trapFile);
         }
 
-        public static new OrdinaryMethod Create(Context cx, IMethodSymbol method) => OrdinaryMethodFactory.Instance.CreateEntityFromSymbol(cx, method);
+        public static new OrdinaryMethod Create(Context cx, IMethodSymbol method)
+        {
+            if (method.MethodKind == MethodKind.ReducedExtension)
+            {
+                cx.Extractor.Logger.Log(Util.Logging.Severity.Warning, "Reduced extension method symbols should not be directly extracted.");
+            }
+
+            return OrdinaryMethodFactory.Instance.CreateEntityFromSymbol(cx, method);
+        }
 
         private class OrdinaryMethodFactory : CachedEntityFactory<IMethodSymbol, OrdinaryMethod>
         {
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
index 9d69372174e..95a93d69c12 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Parameter.cs
@@ -27,20 +27,7 @@ namespace Semmle.Extraction.CSharp.Entities
             None, Ref, Out, Params, This, In
         }
 
-        protected virtual int Ordinal
-        {
-            get
-            {
-                // For some reason, methods of kind ReducedExtension
-                // omit the "this" parameter, so the parameters are
-                // actually numbered from 1.
-                // This is to be consistent from the original (unreduced) extension method.
-                var isReducedExtension =
-                    Symbol.ContainingSymbol is IMethodSymbol method &&
-                    method.MethodKind == MethodKind.ReducedExtension;
-                return Symbol.Ordinal + (isReducedExtension ? 1 : 0);
-            }
-        }
+        protected virtual int Ordinal => Symbol.Ordinal;
 
         private Kind ParamKind
         {
@@ -270,33 +257,4 @@ namespace Semmle.Extraction.CSharp.Entities
             public override VarargsParam Create(Context cx, Method init) => new VarargsParam(cx, init);
         }
     }
-
-    internal class ConstructedExtensionParameter : Parameter
-    {
-        private readonly ITypeSymbol constructedType;
-
-        private ConstructedExtensionParameter(Context cx, Method method, Parameter original)
-            : base(cx, original.Symbol, method, original)
-        {
-            constructedType = method.Symbol.ReceiverType!;
-        }
-
-        public override void Populate(TextWriter trapFile)
-        {
-            var typeKey = Type.Create(Context, constructedType);
-            trapFile.@params(this, Original.Symbol.Name, typeKey.TypeRef, 0, Kind.This, Parent!, Original);
-            trapFile.param_location(this, Original.Location);
-        }
-
-        public static ConstructedExtensionParameter Create(Context cx, Method method, Parameter parameter) =>
-            ExtensionParamFactory.Instance.CreateEntity(cx, (new SymbolEqualityWrapper(parameter.Symbol), new SymbolEqualityWrapper(method.Symbol.ReceiverType!)), (method, parameter));
-
-        private class ExtensionParamFactory : CachedEntityFactory<(Method, Parameter), ConstructedExtensionParameter>
-        {
-            public static ExtensionParamFactory Instance { get; } = new ExtensionParamFactory();
-
-            public override ConstructedExtensionParameter Create(Context cx, (Method, Parameter) init) =>
-                new ConstructedExtensionParameter(cx, init.Item1, init.Item2);
-        }
-    }
 }

From f98781db63731a477a9182836d78bf3679425013 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 3 Jun 2021 08:52:42 +0200
Subject: [PATCH 1328/1429] Fix non-constructed generic extension method
 extraction

---
 .../Entities/Method.cs                        |  9 ++-
 .../ExtensionMethodCalls.expected             | 78 ++++++++++---------
 .../extension-method-call/methods.cs          |  4 +
 3 files changed, 49 insertions(+), 42 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
index 5c113ae2214..20c0033c4de 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Method.cs
@@ -250,10 +250,11 @@ namespace Semmle.Extraction.CSharp.Entities
                 case MethodKind.Constructor:
                     return Constructor.Create(cx, methodDecl);
                 case MethodKind.ReducedExtension:
-                    return OrdinaryMethod.Create(cx,
-                        methodDecl.ReducedFrom!.IsGenericMethod && methodDecl.TypeArguments.Any()
-                            ? methodDecl.ReducedFrom!.Construct(methodDecl.TypeArguments, methodDecl.TypeArgumentNullableAnnotations)
-                            : methodDecl.ReducedFrom!);
+                    if (SymbolEqualityComparer.Default.Equals(methodDecl, methodDecl.ConstructedFrom))
+                    {
+                        return OrdinaryMethod.Create(cx, methodDecl.ReducedFrom!);
+                    }
+                    return OrdinaryMethod.Create(cx, methodDecl.ReducedFrom!.Construct(methodDecl.TypeArguments, methodDecl.TypeArgumentNullableAnnotations));
                 case MethodKind.Ordinary:
                 case MethodKind.DelegateInvoke:
                     return OrdinaryMethod.Create(cx, methodDecl);
diff --git a/csharp/ql/test/library-tests/extension-method-call/ExtensionMethodCalls.expected b/csharp/ql/test/library-tests/extension-method-call/ExtensionMethodCalls.expected
index f2300266f4b..f88833695ac 100644
--- a/csharp/ql/test/library-tests/extension-method-call/ExtensionMethodCalls.expected
+++ b/csharp/ql/test/library-tests/extension-method-call/ExtensionMethodCalls.expected
@@ -1,40 +1,42 @@
 methodCallTargets
-| methods.cs:19:13:19:22 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) |
-| methods.cs:20:13:20:27 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) |
-| methods.cs:21:13:21:30 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<double>(string, double) |
-| methods.cs:22:13:22:33 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<object>(string, object) |
-| methods.cs:23:13:23:34 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) |
-| methods.cs:24:13:24:39 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) |
-| methods.cs:25:13:25:42 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<double>(string, double) |
-| methods.cs:26:13:26:45 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<object>(string, object) |
-| methods.cs:28:13:28:22 | call to method Ext1 | methods.cs:10:28:10:31 | Ext1 | Ext1(string, int) |
-| methods.cs:29:13:29:34 | call to method Ext1 | methods.cs:10:28:10:31 | Ext1 | Ext1(string, int) |
-| methods.cs:31:13:31:21 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) |
-| methods.cs:32:13:32:26 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) |
-| methods.cs:33:13:33:22 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) |
-| methods.cs:34:13:34:30 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) |
-| methods.cs:35:13:35:30 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<object>(object, int) |
-| methods.cs:36:13:36:33 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) |
-| methods.cs:37:13:37:38 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) |
-| methods.cs:38:13:38:34 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) |
-| methods.cs:39:13:39:42 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) |
-| methods.cs:40:13:40:42 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<object>(object, int) |
+| methods.cs:14:60:14:73 | call to method Ext3 | methods.cs:14:28:14:34 | Ext3 | Ext3<T>(T, int) |
+| methods.cs:16:60:16:74 | call to method Ext4 | methods.cs:16:28:16:34 | Ext4 | Ext4<T>(T, int) |
+| methods.cs:23:13:23:22 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) |
+| methods.cs:24:13:24:27 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) |
+| methods.cs:25:13:25:30 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<double>(string, double) |
+| methods.cs:26:13:26:33 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<object>(string, object) |
+| methods.cs:27:13:27:34 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) |
+| methods.cs:28:13:28:39 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) |
+| methods.cs:29:13:29:42 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<double>(string, double) |
+| methods.cs:30:13:30:45 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<object>(string, object) |
+| methods.cs:32:13:32:22 | call to method Ext1 | methods.cs:10:28:10:31 | Ext1 | Ext1(string, int) |
+| methods.cs:33:13:33:34 | call to method Ext1 | methods.cs:10:28:10:31 | Ext1 | Ext1(string, int) |
+| methods.cs:35:13:35:21 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) |
+| methods.cs:36:13:36:26 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) |
+| methods.cs:37:13:37:22 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) |
+| methods.cs:38:13:38:30 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) |
+| methods.cs:39:13:39:30 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<object>(object, int) |
+| methods.cs:40:13:40:33 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) |
+| methods.cs:41:13:41:38 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) |
+| methods.cs:42:13:42:34 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) |
+| methods.cs:43:13:43:42 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) |
+| methods.cs:44:13:44:42 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<object>(object, int) |
 genericMethodCallTargets
-| methods.cs:19:13:19:22 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
-| methods.cs:20:13:20:27 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
-| methods.cs:21:13:21:30 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<double>(string, double) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
-| methods.cs:22:13:22:33 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<object>(string, object) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
-| methods.cs:23:13:23:34 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
-| methods.cs:24:13:24:39 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
-| methods.cs:25:13:25:42 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<double>(string, double) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
-| methods.cs:26:13:26:45 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<object>(string, object) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
-| methods.cs:31:13:31:21 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
-| methods.cs:32:13:32:26 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
-| methods.cs:33:13:33:22 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
-| methods.cs:34:13:34:30 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
-| methods.cs:35:13:35:30 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<object>(object, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
-| methods.cs:36:13:36:33 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
-| methods.cs:37:13:37:38 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
-| methods.cs:38:13:38:34 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
-| methods.cs:39:13:39:42 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
-| methods.cs:40:13:40:42 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<object>(object, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
+| methods.cs:23:13:23:22 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
+| methods.cs:24:13:24:27 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
+| methods.cs:25:13:25:30 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<double>(string, double) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
+| methods.cs:26:13:26:33 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<object>(string, object) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
+| methods.cs:27:13:27:34 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
+| methods.cs:28:13:28:39 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<int>(string, int) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
+| methods.cs:29:13:29:42 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<double>(string, double) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
+| methods.cs:30:13:30:45 | call to method Ext0 | methods.cs:8:28:8:34 | Ext0 | Ext0<object>(string, object) | methods.cs:8:28:8:34 | Ext0 | Ext0<T>(string, T) |
+| methods.cs:35:13:35:21 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
+| methods.cs:36:13:36:26 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
+| methods.cs:37:13:37:22 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
+| methods.cs:38:13:38:30 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
+| methods.cs:39:13:39:30 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<object>(object, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
+| methods.cs:40:13:40:33 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
+| methods.cs:41:13:41:38 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<int>(int, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
+| methods.cs:42:13:42:34 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
+| methods.cs:43:13:43:42 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<string>(string, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
+| methods.cs:44:13:44:42 | call to method Ext2 | methods.cs:12:28:12:34 | Ext2 | Ext2<object>(object, int) | methods.cs:12:28:12:34 | Ext2 | Ext2<T>(T, int) |
diff --git a/csharp/ql/test/library-tests/extension-method-call/methods.cs b/csharp/ql/test/library-tests/extension-method-call/methods.cs
index 05803d6cb3f..e587a645d68 100644
--- a/csharp/ql/test/library-tests/extension-method-call/methods.cs
+++ b/csharp/ql/test/library-tests/extension-method-call/methods.cs
@@ -10,6 +10,10 @@ namespace Test
         public static void Ext1(this string self, int arg) { }
 
         public static void Ext2<T>(this T self, int arg) { }
+
+        public static void Ext3<T>(this T self, int arg) { self.Ext3(arg); }
+
+        public static void Ext4<T>(this T self, int arg) { Ext4(self, arg); }
     }
 
     public class Program

From ea968268101a1f56d263ff9b8f129e1cfc9f2f9f Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 4 Jun 2021 11:05:25 +0100
Subject: [PATCH 1329/1429] C++: Add a test of charLoc and subsumes.

---
 cpp/ql/test/library-tests/locations/charloc/charloc.cpp   | 8 ++++++++
 .../test/library-tests/locations/charloc/charloc.expected | 6 ++++++
 cpp/ql/test/library-tests/locations/charloc/charloc.ql    | 7 +++++++
 3 files changed, 21 insertions(+)
 create mode 100644 cpp/ql/test/library-tests/locations/charloc/charloc.cpp
 create mode 100644 cpp/ql/test/library-tests/locations/charloc/charloc.expected
 create mode 100644 cpp/ql/test/library-tests/locations/charloc/charloc.ql

diff --git a/cpp/ql/test/library-tests/locations/charloc/charloc.cpp b/cpp/ql/test/library-tests/locations/charloc/charloc.cpp
new file mode 100644
index 00000000000..4f6595e465c
--- /dev/null
+++ b/cpp/ql/test/library-tests/locations/charloc/charloc.cpp
@@ -0,0 +1,8 @@
+
+void test()
+{
+  1;
+  2 + 3;
+          (
+4);
+}
diff --git a/cpp/ql/test/library-tests/locations/charloc/charloc.expected b/cpp/ql/test/library-tests/locations/charloc/charloc.expected
new file mode 100644
index 00000000000..0920b05a9af
--- /dev/null
+++ b/cpp/ql/test/library-tests/locations/charloc/charloc.expected
@@ -0,0 +1,6 @@
+| charloc.cpp | 1 | 39 | 39 | 1 |
+| charloc.cpp | 2 | 48 | 48 | 2 |
+| charloc.cpp | 3 | 52 | 52 | 3 |
+| charloc.cpp | 4 | 64 | 64 | 4 |
+| charloc.cpp | (...) | 65 | 65 | (...) |
+| charloc.cpp | ... + ... | 48 | 52 | ... + ..., 2, 3 |
diff --git a/cpp/ql/test/library-tests/locations/charloc/charloc.ql b/cpp/ql/test/library-tests/locations/charloc/charloc.ql
new file mode 100644
index 00000000000..e12f69eb28f
--- /dev/null
+++ b/cpp/ql/test/library-tests/locations/charloc/charloc.ql
@@ -0,0 +1,7 @@
+import cpp
+
+from File f, Expr e, Location l, int start, int end
+where
+  e.getLocation() = l and
+  l.charLoc(f, start, end)
+select f.getBaseName(), e.toString(), start, end, concat(Expr e2, Location l2 | e2.getLocation() = l2 and l.subsumes(l2) | e2.toString(), ", ")

From a93246d28b04804ceb9c595731a7eeeaa9a576b3 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 4 Jun 2021 13:04:23 +0100
Subject: [PATCH 1330/1429] C++: Fix maxCols.

---
 cpp/ql/src/semmle/code/cpp/Location.qll              |  2 +-
 .../library-tests/locations/charloc/charloc.expected | 12 ++++++------
 cpp/ql/test/query-tests/definitions/locationInfo.ql  |  2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/Location.qll b/cpp/ql/src/semmle/code/cpp/Location.qll
index 8d3653ea1c0..e3b22fb59e1 100644
--- a/cpp/ql/src/semmle/code/cpp/Location.qll
+++ b/cpp/ql/src/semmle/code/cpp/Location.qll
@@ -128,7 +128,7 @@ deprecated library class LocationExpr extends Location, @location_expr { }
  * Gets the length of the longest line in file `f`.
  */
 pragma[nomagic]
-private int maxCols(File f) { result = max(Location l | l.getFile() = f | l.getEndColumn()) }
+private int maxCols(File f) { result = max(Location l | l.getFile() = f | [l.getStartColumn(), l.getEndColumn()]) }
 
 /**
  * A C/C++ element that has a location in a file
diff --git a/cpp/ql/test/library-tests/locations/charloc/charloc.expected b/cpp/ql/test/library-tests/locations/charloc/charloc.expected
index 0920b05a9af..4ccec12906e 100644
--- a/cpp/ql/test/library-tests/locations/charloc/charloc.expected
+++ b/cpp/ql/test/library-tests/locations/charloc/charloc.expected
@@ -1,6 +1,6 @@
-| charloc.cpp | 1 | 39 | 39 | 1 |
-| charloc.cpp | 2 | 48 | 48 | 2 |
-| charloc.cpp | 3 | 52 | 52 | 3 |
-| charloc.cpp | 4 | 64 | 64 | 4 |
-| charloc.cpp | (...) | 65 | 65 | (...) |
-| charloc.cpp | ... + ... | 48 | 52 | ... + ..., 2, 3 |
+| charloc.cpp | 1 | 47 | 47 | 1 |
+| charloc.cpp | 2 | 58 | 58 | 2 |
+| charloc.cpp | 3 | 62 | 62 | 3 |
+| charloc.cpp | 4 | 78 | 78 | 4 |
+| charloc.cpp | (...) | 77 | 79 | (...), 4 |
+| charloc.cpp | ... + ... | 58 | 62 | ... + ..., 2, 3 |
diff --git a/cpp/ql/test/query-tests/definitions/locationInfo.ql b/cpp/ql/test/query-tests/definitions/locationInfo.ql
index 1f747b10027..92f7b511c5f 100644
--- a/cpp/ql/test/query-tests/definitions/locationInfo.ql
+++ b/cpp/ql/test/query-tests/definitions/locationInfo.ql
@@ -11,7 +11,7 @@ class Link extends Top {
  * Gets the length of the longest line in file `f`.
  */
 pragma[nomagic]
-private int maxCols(File f) { result = max(Location l | l.getFile() = f | l.getEndColumn()) }
+private int maxCols(File f) { result = max(Location l | l.getFile() = f | [l.getStartColumn(), l.getEndColumn()]) }
 
 /**
  * Gets the location of an element that has a link-to-definition (in a similar manner to

From 2a9904d1fdea7ea1f287b622d8468210c658f2de Mon Sep 17 00:00:00 2001
From: Felicity Chapman <felicitymay@github.com>
Date: Fri, 4 Jun 2021 12:59:49 +0100
Subject: [PATCH 1331/1429] Make minimal changes to CodeQL docs

---
 .../analyzing-databases-with-the-codeql-cli.rst        | 10 +++++++++-
 .../using-custom-queries-with-the-codeql-cli.rst       |  4 ++--
 .../writing-codeql-queries/about-codeql-queries.rst    |  3 +++
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst b/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
index 6d30fee7f65..caadf3ecfb0 100644
--- a/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
+++ b/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
@@ -24,11 +24,12 @@ Before starting an analysis you must:
 Running ``codeql database analyze``
 ------------------------------------
 
-When you run ``database analyze``, it does two things:
+When you run ``database analyze``, it:
 
 #. Executes one or more query files, by running them over a CodeQL database.
 #. Interprets the results, based on certain query metadata, so that alerts can be
    displayed in the correct location in the source code.
+#. Reports the results of any diagnostic queries to standard output.
 
 You can analyze a database by running the following command::
 
@@ -142,6 +143,13 @@ These are stored alongside the code scanning suites with names of the form: ``<l
 For information about creating custom query suites, see ":doc:`Creating
 CodeQL query suites <creating-codeql-query-suites>`."
 
+Diagnostic information
+......................
+
+The code scanning query suites include additional diagnostic queries. When the database analysis is complete, the CLI generates the results file and reports any diagnostic data to standard output. If you choose to generate SARIF output, the diagnostic data is also included as `notification objects <https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317894>`__ in the SARIF file.
+
+If the analysis found fewer results for standard queries than you expected, review the results of the diagnostic queries to check whether the CodeQL database is likely to be a good representation of the codebase that you want to analyze.
+
 Running all queries in a directory
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
diff --git a/docs/codeql/codeql-cli/using-custom-queries-with-the-codeql-cli.rst b/docs/codeql/codeql-cli/using-custom-queries-with-the-codeql-cli.rst
index aa9e45927f1..b504f010a88 100644
--- a/docs/codeql/codeql-cli/using-custom-queries-with-the-codeql-cli.rst
+++ b/docs/codeql/codeql-cli/using-custom-queries-with-the-codeql-cli.rst
@@ -33,8 +33,8 @@ following two properties to ensure that the results are interpreted correctly:
 
 - Query identifier (``@id``): a sequence of words composed of lowercase letters or
   digits, delimited by ``/`` or ``-``, identifying and classifying the query. 
-- Query type (``@kind``): identifies the query is an alert (``@kind problem``)
-  or a path (``@kind path-problem``).
+- Query type (``@kind``): identifies the query is an alert (``@kind problem``),
+  a path (``@kind path-problem``), or a diagnostic metric (``@kind diagnostic``).
 
 For more information about these metadata properties, see ":ref:`Metadata for CodeQL queries
 <metadata-for-codeql-queries>`" and the `Query metadata style guide
diff --git a/docs/codeql/writing-codeql-queries/about-codeql-queries.rst b/docs/codeql/writing-codeql-queries/about-codeql-queries.rst
index 171d2596b3f..c1d91ddcbe0 100644
--- a/docs/codeql/writing-codeql-queries/about-codeql-queries.rst
+++ b/docs/codeql/writing-codeql-queries/about-codeql-queries.rst
@@ -58,6 +58,7 @@ Query metadata is used to identify your custom queries when they are added to th
     Queries that are contributed to the open source repository, added to a query pack in LGTM, or used to analyze a database with the :ref:`CodeQL CLI <codeql-cli>` must have a query type (``@kind``) specified. The ``@kind`` property indicates how to interpret and display the results of the query analysis:
 
     - Alert query metadata must contain ``@kind problem``.
+    - Diagnostic query metadata must contain ``@kind diagnostic``.
     - Path query metadata must contain ``@kind path-problem``.
 
     When you define the ``@kind`` property of a custom query you must also ensure that the rest of your query has the correct structure in order to be valid, as described below.
@@ -114,6 +115,8 @@ You can modify the alert message defined in the final column of the ``select`` s
 
 Select clauses for path queries (``@kind path-problem``) are crafted to display both an alert and the source and sink of an associated path graph. For more information, see ":doc:`Creating path queries <creating-path-queries>`."
 
+Select clauses for diagnostic queries (``@kind diagnostic``) have different requirements. For examples, see the `diagnostic queries in the CodeQL repository <https://github.com/github/codeql/search?q=%22%40kind+diagnostic%22>`__.
+
 Viewing the standard CodeQL queries
 ***********************************
 

From 42202402a49dbc6def34eec4ea729e346dfb9c6c Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Fri, 4 Jun 2021 14:29:53 +0200
Subject: [PATCH 1332/1429] Address review comments

---
 .../code/csharp/dataflow/internal/FlowSummaryImpl.qll  |  8 ++++----
 .../dataflow/internal/FlowSummaryImplSpecific.qll      |  3 +++
 .../code/java/dataflow/internal/DataFlowDispatch.qll   | 10 +---------
 .../code/java/dataflow/internal/FlowSummaryImpl.qll    |  8 ++++----
 .../java/dataflow/internal/FlowSummaryImplSpecific.qll |  3 +++
 5 files changed, 15 insertions(+), 17 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
index 22b4b343524..ddafb23274b 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
@@ -712,8 +712,8 @@ module Private {
       exists(SourceOrSinkElement e |
         sourceElement(e, output, kind) and
         if outputNeedsReference(specLast(output))
-        then viableCallable(ref.asCall()) = any(InterpretNode n | n.asElement() = e).asCallable()
-        else ref.asElement() = e
+        then e = ref.getCallTarget()
+        else e = ref.asElement()
       )
     }
 
@@ -721,8 +721,8 @@ module Private {
       exists(SourceOrSinkElement e |
         sinkElement(e, input, kind) and
         if inputNeedsReference(specLast(input))
-        then viableCallable(ref.asCall()) = any(InterpretNode n | n.asElement() = e).asCallable()
-        else ref.asElement() = e
+        then e = ref.getCallTarget()
+        else e = ref.asElement()
       )
     }
 
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll
index 4764ed17c22..efab6eb9e3c 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll
@@ -136,6 +136,9 @@ class InterpretNode extends TInterpretNode {
   /** Gets the callable that this node corresponds to, if any. */
   DataFlowCallable asCallable() { result = this.asElement() }
 
+  /** Gets the target of this call, if any. */
+  Callable getCallTarget() { result = this.asCall().getARuntimeTarget() }
+
   /** Gets a textual representation of this node. */
   string toString() {
     result = this.asElement().toString()
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowDispatch.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
index 8324959190a..2b6179bfc96 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
@@ -4,21 +4,13 @@ private import DataFlowUtil
 private import semmle.code.java.dataflow.InstanceAccess
 private import semmle.code.java.dataflow.FlowSummary
 private import semmle.code.java.dispatch.VirtualDispatch as VirtualDispatch
-private import semmle.code.java.dataflow.internal.FlowSummaryImplSpecific
 
 private module DispatchImpl {
   /** Gets a viable implementation of the target of the given `Call`. */
   Callable viableCallable(Call c) {
     result = VirtualDispatch::viableCallable(c)
     or
-    result = c.getCallee().getSourceDeclaration() and
-    (
-      result instanceof SummarizedCallable
-      or
-      sourceElement(result, _, _)
-      or
-      sinkElement(result, _, _)
-    )
+    result.(SummarizedCallable) = c.getCallee().getSourceDeclaration()
   }
 
   /**
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
index 22b4b343524..ddafb23274b 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
@@ -712,8 +712,8 @@ module Private {
       exists(SourceOrSinkElement e |
         sourceElement(e, output, kind) and
         if outputNeedsReference(specLast(output))
-        then viableCallable(ref.asCall()) = any(InterpretNode n | n.asElement() = e).asCallable()
-        else ref.asElement() = e
+        then e = ref.getCallTarget()
+        else e = ref.asElement()
       )
     }
 
@@ -721,8 +721,8 @@ module Private {
       exists(SourceOrSinkElement e |
         sinkElement(e, input, kind) and
         if inputNeedsReference(specLast(input))
-        then viableCallable(ref.asCall()) = any(InterpretNode n | n.asElement() = e).asCallable()
-        else ref.asElement() = e
+        then e = ref.getCallTarget()
+        else e = ref.asElement()
       )
     }
 
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
index 61e04946a4e..bd18ecabc58 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
@@ -125,6 +125,9 @@ class InterpretNode extends TInterpretNode {
   /** Gets the callable that this node corresponds to, if any. */
   DataFlowCallable asCallable() { result = this.asElement() }
 
+  /** Gets the target of this call, if any. */
+  Callable getCallTarget() { result = this.asCall().getCallee().getSourceDeclaration() }
+
   /** Gets a textual representation of this node. */
   string toString() {
     result = this.asElement().toString()

From 4f4bf59cd4bf83c85936012da391efb888c1101f Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Thu, 3 Jun 2021 11:41:41 +0200
Subject: [PATCH 1333/1429] C#: Add tuple member tests

---
 csharp/ql/test/library-tests/tuples/tuple.cs  | 21 +++++
 .../test/library-tests/tuples/tuples.expected | 87 +++++++++++++++++++
 csharp/ql/test/library-tests/tuples/tuples.ql | 12 +++
 3 files changed, 120 insertions(+)
 create mode 100644 csharp/ql/test/library-tests/tuples/tuple.cs
 create mode 100644 csharp/ql/test/library-tests/tuples/tuples.expected
 create mode 100644 csharp/ql/test/library-tests/tuples/tuples.ql

diff --git a/csharp/ql/test/library-tests/tuples/tuple.cs b/csharp/ql/test/library-tests/tuples/tuple.cs
new file mode 100644
index 00000000000..7f6719d127a
--- /dev/null
+++ b/csharp/ql/test/library-tests/tuples/tuple.cs
@@ -0,0 +1,21 @@
+using System;
+
+public class Program
+{
+    public static void Main()
+    {
+        var x = (1, 2);
+        Console.WriteLine(x.GetType());
+        x = new ValueTuple<int, int>(1, 2);
+        Console.WriteLine(x.GetType());
+
+        var y = (1, 2, 3, 4, 5, 6, 7);
+        Console.WriteLine(y.GetType());
+
+        var z = (1, 2, 3, 4, 5, 6, 7, 8);
+        Console.WriteLine(z.GetType());
+
+        var w = (1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
+        Console.WriteLine(w.GetType());
+    }
+}
\ No newline at end of file
diff --git a/csharp/ql/test/library-tests/tuples/tuples.expected b/csharp/ql/test/library-tests/tuples/tuples.expected
new file mode 100644
index 00000000000..e81cc8f364a
--- /dev/null
+++ b/csharp/ql/test/library-tests/tuples/tuples.expected
@@ -0,0 +1,87 @@
+members1
+| tuple.cs:7:17:7:22 | (Int32,Int32) | CompareTo((int, int)) |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | CompareTo(object) |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | CompareTo(object, IComparer) |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | Equals((int, int)) |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | Equals(object) |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | Equals(object, IEqualityComparer) |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | GetHashCode() |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | GetHashCode(IEqualityComparer) |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | Item1 |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | Item2 |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | Item[int] |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | Length |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ToString() |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ToStringEnd() |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple() |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple(int, int) |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | CompareTo((int, int, int, int, int, int, int)) |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | CompareTo(object) |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | CompareTo(object, IComparer) |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Equals((int, int, int, int, int, int, int)) |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Equals(object) |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Equals(object, IEqualityComparer) |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | GetHashCode() |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | GetHashCode(IEqualityComparer) |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item1 |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item2 |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item3 |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item4 |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item5 |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item6 |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item7 |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item[int] |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Length |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ToString() |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ToStringEnd() |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple() |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple(int, int, int, int, int, int, int) |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | CompareTo((int, int, int, int, int, int, int, int)) |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | CompareTo(object) |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | CompareTo(object, IComparer) |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Equals((int, int, int, int, int, int, int, int)) |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Equals(object) |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Equals(object, IEqualityComparer) |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | GetHashCode() |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | GetHashCode(IEqualityComparer) |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item1 |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item2 |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item3 |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item4 |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item5 |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item6 |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item7 |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item8 |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item[int] |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Length |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Rest |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ToString() |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ToStringEnd() |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple() |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple(int, int, int, int, int, int, int, (int)) |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | CompareTo((int, int, int, int, int, int, int, int, int, int)) |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | CompareTo(object) |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | CompareTo(object, IComparer) |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Equals((int, int, int, int, int, int, int, int, int, int)) |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Equals(object) |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Equals(object, IEqualityComparer) |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | GetHashCode() |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | GetHashCode(IEqualityComparer) |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item1 |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item2 |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item3 |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item4 |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item5 |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item6 |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item7 |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item8 |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item9 |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item10 |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item[int] |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Length |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Rest |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ToString() |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ToStringEnd() |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple() |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple(int, int, int, int, int, int, int, (int, int, int)) |
+members2
diff --git a/csharp/ql/test/library-tests/tuples/tuples.ql b/csharp/ql/test/library-tests/tuples/tuples.ql
new file mode 100644
index 00000000000..29e26815d1a
--- /dev/null
+++ b/csharp/ql/test/library-tests/tuples/tuples.ql
@@ -0,0 +1,12 @@
+import csharp
+
+query predicate members1(TupleType t, string m) {
+  t.fromSource() and
+  m = t.getAMember().toStringWithTypes()
+}
+
+query predicate members2(TupleType t, string s, string m) {
+  t.fromSource() and
+  s = t.getUnderlyingType().toStringWithTypes() and
+  m = t.getUnderlyingType().getAMember().toStringWithTypes()
+}

From 33daa2c41de25e8e44c5a3bc6c381e6c8afeecde Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Wed, 19 May 2021 17:51:22 +0200
Subject: [PATCH 1334/1429] Fix container type extraction of tuple members

---
 .../Entities/CachedSymbol.cs                  |   6 +-
 .../csharp/dataflow/LibraryTypeDataFlow.qll   |  11 +-
 .../library-tests/csharp7/TupleTypes.expected |   4 +-
 .../dataflow/library/FlowSummaries.expected   | 183 +++++++++---------
 .../test/library-tests/tuples/tuples.expected | 170 ++++++++--------
 5 files changed, 192 insertions(+), 182 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/CachedSymbol.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/CachedSymbol.cs
index d6fb0d65e5d..378bda881f7 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/CachedSymbol.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/CachedSymbol.cs
@@ -16,7 +16,11 @@ namespace Semmle.Extraction.CSharp.Entities
         {
         }
 
-        public virtual Type? ContainingType => Symbol.ContainingType is not null ? Type.Create(Context, Symbol.ContainingType) : null;
+        public virtual Type? ContainingType => Symbol.ContainingType is not null
+            ? Symbol.ContainingType.IsTupleType
+                ? NamedType.CreateNamedTypeFromTupleType(Context, Symbol.ContainingType)
+                : Type.Create(Context, Symbol.ContainingType)
+            : null;
 
         public void PopulateModifiers(TextWriter trapFile)
         {
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/LibraryTypeDataFlow.qll b/csharp/ql/src/semmle/code/csharp/dataflow/LibraryTypeDataFlow.qll
index 32f22b97914..a7c6869a4cc 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/LibraryTypeDataFlow.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/LibraryTypeDataFlow.qll
@@ -1848,8 +1848,15 @@ class SystemTupleFlow extends LibraryTypeDataFlow, ValueOrRefType {
         c.(Constructor).getDeclaringType() = this and
         t = this
         or
-        c = this.getAMethod(any(string name | name.regexpMatch("Create(<,*>)?"))) and
-        t = c.getReturnType().getUnboundDeclaration()
+        exists(ValueOrRefType namedType |
+          namedType = this or namedType = this.(TupleType).getUnderlyingType()
+        |
+          c = namedType.getAMethod(any(string name | name.regexpMatch("Create(<,*>)?"))) and
+          (
+            t = c.getReturnType().getUnboundDeclaration() or
+            t = c.getReturnType().(TupleType).getUnderlyingType().getUnboundDeclaration()
+          )
+        )
       )
       or
       c =
diff --git a/csharp/ql/test/library-tests/csharp7/TupleTypes.expected b/csharp/ql/test/library-tests/csharp7/TupleTypes.expected
index 480fb5639aa..dfb6bca2890 100644
--- a/csharp/ql/test/library-tests/csharp7/TupleTypes.expected
+++ b/csharp/ql/test/library-tests/csharp7/TupleTypes.expected
@@ -3,8 +3,8 @@
 | (Int32,Double) | (int, double) | ValueTuple<Int32, Double> | 2 | 0 | CSharp7.cs:215:6:215:8 | Item1 |
 | (Int32,Double) | (int, double) | ValueTuple<Int32, Double> | 2 | 1 | CSharp7.cs:215:11:215:16 | Item2 |
 | (Int32,Int32) | (int, int) | ValueTuple<Int32, Int32> | 2 | 0 | CSharp7.cs:64:10:64:10 | Item1 |
-| (Int32,Int32) | (int, int) | ValueTuple<Int32, Int32> | 2 | 1 | file://:0:0:0:0 | Item2 |
+| (Int32,Int32) | (int, int) | ValueTuple<Int32, Int32> | 2 | 1 | CSharp7.cs:64:17:64:17 | Item2 |
 | (String,Int32) | (string, int) | ValueTuple<String, Int32> | 2 | 0 | CSharp7.cs:84:17:84:17 | Item1 |
-| (String,Int32) | (string, int) | ValueTuple<String, Int32> | 2 | 1 | file://:0:0:0:0 | Item2 |
+| (String,Int32) | (string, int) | ValueTuple<String, Int32> | 2 | 1 | CSharp7.cs:84:23:84:23 | Item2 |
 | (String,String) | (string, string) | ValueTuple<String, String> | 2 | 0 | CSharp7.cs:89:19:89:27 | Item1 |
 | (String,String) | (string, string) | ValueTuple<String, String> | 2 | 1 | CSharp7.cs:89:30:89:33 | Item2 |
diff --git a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
index 81782ee2d7c..10499656cb1 100644
--- a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
+++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
@@ -1,96 +1,4 @@
 | MS.Internal.Xml.Linq.ComponentModel.XDeferredAxis<>.GetEnumerator() | element of argument -1 -> property Current of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6, T7, T8>(T1, T2, T3, T4, T5, T6, T7, T8) | argument 0 -> field Item1 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6, T7, T8>(T1, T2, T3, T4, T5, T6, T7, T8) | argument 1 -> field Item2 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6, T7, T8>(T1, T2, T3, T4, T5, T6, T7, T8) | argument 2 -> field Item3 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6, T7, T8>(T1, T2, T3, T4, T5, T6, T7, T8) | argument 3 -> field Item4 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6, T7, T8>(T1, T2, T3, T4, T5, T6, T7, T8) | argument 4 -> field Item5 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6, T7, T8>(T1, T2, T3, T4, T5, T6, T7, T8) | argument 5 -> field Item6 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6, T7, T8>(T1, T2, T3, T4, T5, T6, T7, T8) | argument 6 -> field Item7 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6, T7, T8>(T1, T2, T3, T4, T5, T6, T7, T8) | argument 7 -> field Item8 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6, T7>(T1, T2, T3, T4, T5, T6, T7) | argument 0 -> field Item1 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6, T7>(T1, T2, T3, T4, T5, T6, T7) | argument 1 -> field Item2 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6, T7>(T1, T2, T3, T4, T5, T6, T7) | argument 2 -> field Item3 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6, T7>(T1, T2, T3, T4, T5, T6, T7) | argument 3 -> field Item4 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6, T7>(T1, T2, T3, T4, T5, T6, T7) | argument 4 -> field Item5 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6, T7>(T1, T2, T3, T4, T5, T6, T7) | argument 5 -> field Item6 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6, T7>(T1, T2, T3, T4, T5, T6, T7) | argument 6 -> field Item7 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6>(T1, T2, T3, T4, T5, T6) | argument 0 -> field Item1 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6>(T1, T2, T3, T4, T5, T6) | argument 1 -> field Item2 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6>(T1, T2, T3, T4, T5, T6) | argument 2 -> field Item3 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6>(T1, T2, T3, T4, T5, T6) | argument 3 -> field Item4 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6>(T1, T2, T3, T4, T5, T6) | argument 4 -> field Item5 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5, T6>(T1, T2, T3, T4, T5, T6) | argument 5 -> field Item6 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5>(T1, T2, T3, T4, T5) | argument 0 -> field Item1 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5>(T1, T2, T3, T4, T5) | argument 1 -> field Item2 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5>(T1, T2, T3, T4, T5) | argument 2 -> field Item3 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5>(T1, T2, T3, T4, T5) | argument 3 -> field Item4 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4, T5>(T1, T2, T3, T4, T5) | argument 4 -> field Item5 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4>(T1, T2, T3, T4) | argument 0 -> field Item1 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4>(T1, T2, T3, T4) | argument 1 -> field Item2 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4>(T1, T2, T3, T4) | argument 2 -> field Item3 of return (normal) | true |
-| System.().Create<T1, T2, T3, T4>(T1, T2, T3, T4) | argument 3 -> field Item4 of return (normal) | true |
-| System.().Create<T1, T2, T3>(T1, T2, T3) | argument 0 -> field Item1 of return (normal) | true |
-| System.().Create<T1, T2, T3>(T1, T2, T3) | argument 1 -> field Item2 of return (normal) | true |
-| System.().Create<T1, T2, T3>(T1, T2, T3) | argument 2 -> field Item3 of return (normal) | true |
-| System.().Create<T1, T2>(T1, T2) | argument 0 -> field Item1 of return (normal) | true |
-| System.().Create<T1, T2>(T1, T2) | argument 1 -> field Item2 of return (normal) | true |
-| System.().Create<T1>(T1) | argument 0 -> field Item1 of return (normal) | true |
-| System.(T1).ValueTuple(T1) | argument 0 -> field Item1 of return (normal) | true |
-| System.(T1).get_Item(int) | field Item1 of argument -1 -> return (normal) | true |
-| System.(T1,T2).ValueTuple(T1, T2) | argument 0 -> field Item1 of return (normal) | true |
-| System.(T1,T2).ValueTuple(T1, T2) | argument 1 -> field Item2 of return (normal) | true |
-| System.(T1,T2).get_Item(int) | field Item1 of argument -1 -> return (normal) | true |
-| System.(T1,T2).get_Item(int) | field Item2 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3).ValueTuple(T1, T2, T3) | argument 0 -> field Item1 of return (normal) | true |
-| System.(T1,T2,T3).ValueTuple(T1, T2, T3) | argument 1 -> field Item2 of return (normal) | true |
-| System.(T1,T2,T3).ValueTuple(T1, T2, T3) | argument 2 -> field Item3 of return (normal) | true |
-| System.(T1,T2,T3).get_Item(int) | field Item1 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3).get_Item(int) | field Item2 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3).get_Item(int) | field Item3 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4).ValueTuple(T1, T2, T3, T4) | argument 0 -> field Item1 of return (normal) | true |
-| System.(T1,T2,T3,T4).ValueTuple(T1, T2, T3, T4) | argument 1 -> field Item2 of return (normal) | true |
-| System.(T1,T2,T3,T4).ValueTuple(T1, T2, T3, T4) | argument 2 -> field Item3 of return (normal) | true |
-| System.(T1,T2,T3,T4).ValueTuple(T1, T2, T3, T4) | argument 3 -> field Item4 of return (normal) | true |
-| System.(T1,T2,T3,T4).get_Item(int) | field Item1 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4).get_Item(int) | field Item2 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4).get_Item(int) | field Item3 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4).get_Item(int) | field Item4 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4,T5).ValueTuple(T1, T2, T3, T4, T5) | argument 0 -> field Item1 of return (normal) | true |
-| System.(T1,T2,T3,T4,T5).ValueTuple(T1, T2, T3, T4, T5) | argument 1 -> field Item2 of return (normal) | true |
-| System.(T1,T2,T3,T4,T5).ValueTuple(T1, T2, T3, T4, T5) | argument 2 -> field Item3 of return (normal) | true |
-| System.(T1,T2,T3,T4,T5).ValueTuple(T1, T2, T3, T4, T5) | argument 3 -> field Item4 of return (normal) | true |
-| System.(T1,T2,T3,T4,T5).ValueTuple(T1, T2, T3, T4, T5) | argument 4 -> field Item5 of return (normal) | true |
-| System.(T1,T2,T3,T4,T5).get_Item(int) | field Item1 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4,T5).get_Item(int) | field Item2 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4,T5).get_Item(int) | field Item3 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4,T5).get_Item(int) | field Item4 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4,T5).get_Item(int) | field Item5 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6).ValueTuple(T1, T2, T3, T4, T5, T6) | argument 0 -> field Item1 of return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6).ValueTuple(T1, T2, T3, T4, T5, T6) | argument 1 -> field Item2 of return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6).ValueTuple(T1, T2, T3, T4, T5, T6) | argument 2 -> field Item3 of return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6).ValueTuple(T1, T2, T3, T4, T5, T6) | argument 3 -> field Item4 of return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6).ValueTuple(T1, T2, T3, T4, T5, T6) | argument 4 -> field Item5 of return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6).ValueTuple(T1, T2, T3, T4, T5, T6) | argument 5 -> field Item6 of return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6).get_Item(int) | field Item1 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6).get_Item(int) | field Item2 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6).get_Item(int) | field Item3 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6).get_Item(int) | field Item4 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6).get_Item(int) | field Item5 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6).get_Item(int) | field Item6 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6,T7).ValueTuple(T1, T2, T3, T4, T5, T6, T7) | argument 0 -> field Item1 of return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6,T7).ValueTuple(T1, T2, T3, T4, T5, T6, T7) | argument 1 -> field Item2 of return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6,T7).ValueTuple(T1, T2, T3, T4, T5, T6, T7) | argument 2 -> field Item3 of return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6,T7).ValueTuple(T1, T2, T3, T4, T5, T6, T7) | argument 3 -> field Item4 of return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6,T7).ValueTuple(T1, T2, T3, T4, T5, T6, T7) | argument 4 -> field Item5 of return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6,T7).ValueTuple(T1, T2, T3, T4, T5, T6, T7) | argument 5 -> field Item6 of return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6,T7).ValueTuple(T1, T2, T3, T4, T5, T6, T7) | argument 6 -> field Item7 of return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6,T7).get_Item(int) | field Item1 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6,T7).get_Item(int) | field Item2 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6,T7).get_Item(int) | field Item3 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6,T7).get_Item(int) | field Item4 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6,T7).get_Item(int) | field Item5 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6,T7).get_Item(int) | field Item6 of argument -1 -> return (normal) | true |
-| System.(T1,T2,T3,T4,T5,T6,T7).get_Item(int) | field Item7 of argument -1 -> return (normal) | true |
 | System.Array.Add(object) | argument 0 -> element of argument -1 | true |
 | System.Array.AsReadOnly<T>(T[]) | element of argument 0 -> element of return (normal) | true |
 | System.Array.Clone() | element of argument 0 -> element of return (normal) | true |
@@ -2785,6 +2693,41 @@
 | System.Uri.get_OriginalString() | argument -1 -> return (normal) | false |
 | System.Uri.get_PathAndQuery() | argument -1 -> return (normal) | false |
 | System.Uri.get_Query() | argument -1 -> return (normal) | false |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5, T6, T7, T8>(T1, T2, T3, T4, T5, T6, T7, T8) | argument 0 -> field Item1 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5, T6, T7, T8>(T1, T2, T3, T4, T5, T6, T7, T8) | argument 1 -> field Item2 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5, T6, T7, T8>(T1, T2, T3, T4, T5, T6, T7, T8) | argument 2 -> field Item3 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5, T6, T7, T8>(T1, T2, T3, T4, T5, T6, T7, T8) | argument 3 -> field Item4 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5, T6, T7, T8>(T1, T2, T3, T4, T5, T6, T7, T8) | argument 4 -> field Item5 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5, T6, T7, T8>(T1, T2, T3, T4, T5, T6, T7, T8) | argument 5 -> field Item6 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5, T6, T7, T8>(T1, T2, T3, T4, T5, T6, T7, T8) | argument 6 -> field Item7 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5, T6, T7>(T1, T2, T3, T4, T5, T6, T7) | argument 0 -> field Item1 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5, T6, T7>(T1, T2, T3, T4, T5, T6, T7) | argument 1 -> field Item2 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5, T6, T7>(T1, T2, T3, T4, T5, T6, T7) | argument 2 -> field Item3 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5, T6, T7>(T1, T2, T3, T4, T5, T6, T7) | argument 3 -> field Item4 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5, T6, T7>(T1, T2, T3, T4, T5, T6, T7) | argument 4 -> field Item5 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5, T6, T7>(T1, T2, T3, T4, T5, T6, T7) | argument 5 -> field Item6 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5, T6, T7>(T1, T2, T3, T4, T5, T6, T7) | argument 6 -> field Item7 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5, T6>(T1, T2, T3, T4, T5, T6) | argument 0 -> field Item1 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5, T6>(T1, T2, T3, T4, T5, T6) | argument 1 -> field Item2 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5, T6>(T1, T2, T3, T4, T5, T6) | argument 2 -> field Item3 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5, T6>(T1, T2, T3, T4, T5, T6) | argument 3 -> field Item4 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5, T6>(T1, T2, T3, T4, T5, T6) | argument 4 -> field Item5 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5, T6>(T1, T2, T3, T4, T5, T6) | argument 5 -> field Item6 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5>(T1, T2, T3, T4, T5) | argument 0 -> field Item1 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5>(T1, T2, T3, T4, T5) | argument 1 -> field Item2 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5>(T1, T2, T3, T4, T5) | argument 2 -> field Item3 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5>(T1, T2, T3, T4, T5) | argument 3 -> field Item4 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4, T5>(T1, T2, T3, T4, T5) | argument 4 -> field Item5 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4>(T1, T2, T3, T4) | argument 0 -> field Item1 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4>(T1, T2, T3, T4) | argument 1 -> field Item2 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4>(T1, T2, T3, T4) | argument 2 -> field Item3 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3, T4>(T1, T2, T3, T4) | argument 3 -> field Item4 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3>(T1, T2, T3) | argument 0 -> field Item1 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3>(T1, T2, T3) | argument 1 -> field Item2 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2, T3>(T1, T2, T3) | argument 2 -> field Item3 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2>(T1, T2) | argument 0 -> field Item1 of return (normal) | true |
+| System.ValueTuple.Create<T1, T2>(T1, T2) | argument 1 -> field Item2 of return (normal) | true |
+| System.ValueTuple.Create<T1>(T1) | argument 0 -> field Item1 of return (normal) | true |
 | System.ValueTuple<,,,,,,,>.ValueTuple(T1, T2, T3, T4, T5, T6, T7, TRest) | argument 0 -> field Item1 of return (normal) | true |
 | System.ValueTuple<,,,,,,,>.ValueTuple(T1, T2, T3, T4, T5, T6, T7, TRest) | argument 1 -> field Item2 of return (normal) | true |
 | System.ValueTuple<,,,,,,,>.ValueTuple(T1, T2, T3, T4, T5, T6, T7, TRest) | argument 2 -> field Item3 of return (normal) | true |
@@ -2799,6 +2742,62 @@
 | System.ValueTuple<,,,,,,,>.get_Item(int) | field Item5 of argument -1 -> return (normal) | true |
 | System.ValueTuple<,,,,,,,>.get_Item(int) | field Item6 of argument -1 -> return (normal) | true |
 | System.ValueTuple<,,,,,,,>.get_Item(int) | field Item7 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,,,,>.ValueTuple(T1, T2, T3, T4, T5, T6, T7) | argument 0 -> field Item1 of return (normal) | true |
+| System.ValueTuple<,,,,,,>.ValueTuple(T1, T2, T3, T4, T5, T6, T7) | argument 1 -> field Item2 of return (normal) | true |
+| System.ValueTuple<,,,,,,>.ValueTuple(T1, T2, T3, T4, T5, T6, T7) | argument 2 -> field Item3 of return (normal) | true |
+| System.ValueTuple<,,,,,,>.ValueTuple(T1, T2, T3, T4, T5, T6, T7) | argument 3 -> field Item4 of return (normal) | true |
+| System.ValueTuple<,,,,,,>.ValueTuple(T1, T2, T3, T4, T5, T6, T7) | argument 4 -> field Item5 of return (normal) | true |
+| System.ValueTuple<,,,,,,>.ValueTuple(T1, T2, T3, T4, T5, T6, T7) | argument 5 -> field Item6 of return (normal) | true |
+| System.ValueTuple<,,,,,,>.ValueTuple(T1, T2, T3, T4, T5, T6, T7) | argument 6 -> field Item7 of return (normal) | true |
+| System.ValueTuple<,,,,,,>.get_Item(int) | field Item1 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,,,,>.get_Item(int) | field Item2 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,,,,>.get_Item(int) | field Item3 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,,,,>.get_Item(int) | field Item4 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,,,,>.get_Item(int) | field Item5 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,,,,>.get_Item(int) | field Item6 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,,,,>.get_Item(int) | field Item7 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,,,>.ValueTuple(T1, T2, T3, T4, T5, T6) | argument 0 -> field Item1 of return (normal) | true |
+| System.ValueTuple<,,,,,>.ValueTuple(T1, T2, T3, T4, T5, T6) | argument 1 -> field Item2 of return (normal) | true |
+| System.ValueTuple<,,,,,>.ValueTuple(T1, T2, T3, T4, T5, T6) | argument 2 -> field Item3 of return (normal) | true |
+| System.ValueTuple<,,,,,>.ValueTuple(T1, T2, T3, T4, T5, T6) | argument 3 -> field Item4 of return (normal) | true |
+| System.ValueTuple<,,,,,>.ValueTuple(T1, T2, T3, T4, T5, T6) | argument 4 -> field Item5 of return (normal) | true |
+| System.ValueTuple<,,,,,>.ValueTuple(T1, T2, T3, T4, T5, T6) | argument 5 -> field Item6 of return (normal) | true |
+| System.ValueTuple<,,,,,>.get_Item(int) | field Item1 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,,,>.get_Item(int) | field Item2 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,,,>.get_Item(int) | field Item3 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,,,>.get_Item(int) | field Item4 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,,,>.get_Item(int) | field Item5 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,,,>.get_Item(int) | field Item6 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,,>.ValueTuple(T1, T2, T3, T4, T5) | argument 0 -> field Item1 of return (normal) | true |
+| System.ValueTuple<,,,,>.ValueTuple(T1, T2, T3, T4, T5) | argument 1 -> field Item2 of return (normal) | true |
+| System.ValueTuple<,,,,>.ValueTuple(T1, T2, T3, T4, T5) | argument 2 -> field Item3 of return (normal) | true |
+| System.ValueTuple<,,,,>.ValueTuple(T1, T2, T3, T4, T5) | argument 3 -> field Item4 of return (normal) | true |
+| System.ValueTuple<,,,,>.ValueTuple(T1, T2, T3, T4, T5) | argument 4 -> field Item5 of return (normal) | true |
+| System.ValueTuple<,,,,>.get_Item(int) | field Item1 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,,>.get_Item(int) | field Item2 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,,>.get_Item(int) | field Item3 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,,>.get_Item(int) | field Item4 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,,>.get_Item(int) | field Item5 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,>.ValueTuple(T1, T2, T3, T4) | argument 0 -> field Item1 of return (normal) | true |
+| System.ValueTuple<,,,>.ValueTuple(T1, T2, T3, T4) | argument 1 -> field Item2 of return (normal) | true |
+| System.ValueTuple<,,,>.ValueTuple(T1, T2, T3, T4) | argument 2 -> field Item3 of return (normal) | true |
+| System.ValueTuple<,,,>.ValueTuple(T1, T2, T3, T4) | argument 3 -> field Item4 of return (normal) | true |
+| System.ValueTuple<,,,>.get_Item(int) | field Item1 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,>.get_Item(int) | field Item2 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,>.get_Item(int) | field Item3 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,,>.get_Item(int) | field Item4 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,>.ValueTuple(T1, T2, T3) | argument 0 -> field Item1 of return (normal) | true |
+| System.ValueTuple<,,>.ValueTuple(T1, T2, T3) | argument 1 -> field Item2 of return (normal) | true |
+| System.ValueTuple<,,>.ValueTuple(T1, T2, T3) | argument 2 -> field Item3 of return (normal) | true |
+| System.ValueTuple<,,>.get_Item(int) | field Item1 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,>.get_Item(int) | field Item2 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,,>.get_Item(int) | field Item3 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,>.ValueTuple(T1, T2) | argument 0 -> field Item1 of return (normal) | true |
+| System.ValueTuple<,>.ValueTuple(T1, T2) | argument 1 -> field Item2 of return (normal) | true |
+| System.ValueTuple<,>.get_Item(int) | field Item1 of argument -1 -> return (normal) | true |
+| System.ValueTuple<,>.get_Item(int) | field Item2 of argument -1 -> return (normal) | true |
+| System.ValueTuple<>.ValueTuple(T1) | argument 0 -> field Item1 of return (normal) | true |
+| System.ValueTuple<>.get_Item(int) | field Item1 of argument -1 -> return (normal) | true |
 | System.Web.HttpCookie.get_Value() | argument -1 -> return (normal) | false |
 | System.Web.HttpCookie.get_Values() | argument -1 -> return (normal) | false |
 | System.Web.HttpServerUtility.UrlEncode(string) | argument 0 -> return (normal) | false |
diff --git a/csharp/ql/test/library-tests/tuples/tuples.expected b/csharp/ql/test/library-tests/tuples/tuples.expected
index e81cc8f364a..3f2dbd06202 100644
--- a/csharp/ql/test/library-tests/tuples/tuples.expected
+++ b/csharp/ql/test/library-tests/tuples/tuples.expected
@@ -1,87 +1,87 @@
 members1
-| tuple.cs:7:17:7:22 | (Int32,Int32) | CompareTo((int, int)) |
-| tuple.cs:7:17:7:22 | (Int32,Int32) | CompareTo(object) |
-| tuple.cs:7:17:7:22 | (Int32,Int32) | CompareTo(object, IComparer) |
-| tuple.cs:7:17:7:22 | (Int32,Int32) | Equals((int, int)) |
-| tuple.cs:7:17:7:22 | (Int32,Int32) | Equals(object) |
-| tuple.cs:7:17:7:22 | (Int32,Int32) | Equals(object, IEqualityComparer) |
-| tuple.cs:7:17:7:22 | (Int32,Int32) | GetHashCode() |
-| tuple.cs:7:17:7:22 | (Int32,Int32) | GetHashCode(IEqualityComparer) |
-| tuple.cs:7:17:7:22 | (Int32,Int32) | Item1 |
-| tuple.cs:7:17:7:22 | (Int32,Int32) | Item2 |
-| tuple.cs:7:17:7:22 | (Int32,Int32) | Item[int] |
-| tuple.cs:7:17:7:22 | (Int32,Int32) | Length |
-| tuple.cs:7:17:7:22 | (Int32,Int32) | ToString() |
-| tuple.cs:7:17:7:22 | (Int32,Int32) | ToStringEnd() |
-| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple() |
-| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple(int, int) |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | CompareTo((int, int, int, int, int, int, int)) |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | CompareTo(object) |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | CompareTo(object, IComparer) |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Equals((int, int, int, int, int, int, int)) |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Equals(object) |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Equals(object, IEqualityComparer) |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | GetHashCode() |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | GetHashCode(IEqualityComparer) |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item1 |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item2 |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item3 |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item4 |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item5 |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item6 |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item7 |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item[int] |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Length |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ToString() |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ToStringEnd() |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple() |
-| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple(int, int, int, int, int, int, int) |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | CompareTo((int, int, int, int, int, int, int, int)) |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | CompareTo(object) |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | CompareTo(object, IComparer) |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Equals((int, int, int, int, int, int, int, int)) |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Equals(object) |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Equals(object, IEqualityComparer) |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | GetHashCode() |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | GetHashCode(IEqualityComparer) |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item1 |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item2 |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item3 |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item4 |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item5 |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item6 |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item7 |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item8 |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item[int] |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Length |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Rest |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ToString() |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ToStringEnd() |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple() |
-| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple(int, int, int, int, int, int, int, (int)) |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | CompareTo((int, int, int, int, int, int, int, int, int, int)) |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | CompareTo(object) |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | CompareTo(object, IComparer) |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Equals((int, int, int, int, int, int, int, int, int, int)) |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Equals(object) |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Equals(object, IEqualityComparer) |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | GetHashCode() |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | GetHashCode(IEqualityComparer) |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item1 |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item2 |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item3 |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item4 |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item5 |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item6 |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item7 |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item8 |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item9 |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item10 |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Item[int] |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Length |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | Rest |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ToString() |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ToStringEnd() |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple() |
-| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple(int, int, int, int, int, int, int, (int, int, int)) |
 members2
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | CompareTo((int, int)) |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | CompareTo(object) |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | CompareTo(object, IComparer) |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | Equals((int, int)) |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | Equals(object) |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | Equals(object, IEqualityComparer) |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | GetHashCode() |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | GetHashCode(IEqualityComparer) |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | Item1 |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | Item2 |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | Item[int] |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | Length |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | ToString() |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | ToStringEnd() |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | ValueTuple() |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | ValueTuple(int, int) |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | CompareTo((int, int, int, int, int, int, int)) |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | CompareTo(object) |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | CompareTo(object, IComparer) |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | Equals((int, int, int, int, int, int, int)) |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | Equals(object) |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | Equals(object, IEqualityComparer) |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | GetHashCode() |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | GetHashCode(IEqualityComparer) |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | Item1 |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | Item2 |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | Item3 |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | Item4 |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | Item5 |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | Item6 |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | Item7 |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | Item[int] |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | Length |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | ToString() |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | ToStringEnd() |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | ValueTuple() |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | ValueTuple(int, int, int, int, int, int, int) |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | CompareTo((int, int, int, int, int, int, int, int)) |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | CompareTo(object) |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | CompareTo(object, IComparer) |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | Equals((int, int, int, int, int, int, int, int)) |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | Equals(object) |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | Equals(object, IEqualityComparer) |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | GetHashCode() |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | GetHashCode(IEqualityComparer) |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | Item1 |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | Item2 |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | Item3 |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | Item4 |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | Item5 |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | Item6 |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | Item7 |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | Item8 |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | Item[int] |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | Length |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | Rest |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | ToString() |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | ToStringEnd() |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | ValueTuple() |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | ValueTuple(int, int, int, int, int, int, int, (int)) |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | CompareTo((int, int, int, int, int, int, int, int, int, int)) |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | CompareTo(object) |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | CompareTo(object, IComparer) |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | Equals((int, int, int, int, int, int, int, int, int, int)) |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | Equals(object) |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | Equals(object, IEqualityComparer) |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | GetHashCode() |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | GetHashCode(IEqualityComparer) |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | Item1 |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | Item2 |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | Item3 |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | Item4 |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | Item5 |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | Item6 |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | Item7 |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | Item8 |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | Item9 |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | Item10 |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | Item[int] |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | Length |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | Rest |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | ToString() |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | ToStringEnd() |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | ValueTuple() |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | ValueTuple(int, int, int, int, int, int, int, (int, int, int)) |

From 75060baaa3ee7430403c127d6ed126705d83674a Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 4 Jun 2021 13:38:14 +0200
Subject: [PATCH 1335/1429] Add change note

---
 csharp/change-notes/2021-06-04-tuple-members.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 csharp/change-notes/2021-06-04-tuple-members.md

diff --git a/csharp/change-notes/2021-06-04-tuple-members.md b/csharp/change-notes/2021-06-04-tuple-members.md
new file mode 100644
index 00000000000..035b2141b28
--- /dev/null
+++ b/csharp/change-notes/2021-06-04-tuple-members.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Members extracted from `TupleTypes` have been fixed to be assigned to the underlying ``struct ValueTuple`N``.
\ No newline at end of file

From b3a2998d96633c41734f9253004d28a520886ff6 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Fri, 4 Jun 2021 14:34:45 +0200
Subject: [PATCH 1336/1429] Fix failing test after rebase

---
 csharp/ql/test/library-tests/tuples/tuples.expected | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/csharp/ql/test/library-tests/tuples/tuples.expected b/csharp/ql/test/library-tests/tuples/tuples.expected
index 3f2dbd06202..d5ae6b741c2 100644
--- a/csharp/ql/test/library-tests/tuples/tuples.expected
+++ b/csharp/ql/test/library-tests/tuples/tuples.expected
@@ -8,6 +8,7 @@ members2
 | tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | Equals(object, IEqualityComparer) |
 | tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | GetHashCode() |
 | tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | GetHashCode(IEqualityComparer) |
+| tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | GetHashCodeCore(IEqualityComparer) |
 | tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | Item1 |
 | tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | Item2 |
 | tuple.cs:7:17:7:22 | (Int32,Int32) | ValueTuple<Int32, Int32> | Item[int] |
@@ -24,6 +25,7 @@ members2
 | tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | Equals(object, IEqualityComparer) |
 | tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | GetHashCode() |
 | tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | GetHashCode(IEqualityComparer) |
+| tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | GetHashCodeCore(IEqualityComparer) |
 | tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | Item1 |
 | tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | Item2 |
 | tuple.cs:12:17:12:37 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32> | Item3 |
@@ -45,6 +47,7 @@ members2
 | tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | Equals(object, IEqualityComparer) |
 | tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | GetHashCode() |
 | tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | GetHashCode(IEqualityComparer) |
+| tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | GetHashCodeCore(IEqualityComparer) |
 | tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | Item1 |
 | tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | Item2 |
 | tuple.cs:15:17:15:40 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32)> | Item3 |
@@ -68,6 +71,7 @@ members2
 | tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | Equals(object, IEqualityComparer) |
 | tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | GetHashCode() |
 | tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | GetHashCode(IEqualityComparer) |
+| tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | GetHashCodeCore(IEqualityComparer) |
 | tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | Item1 |
 | tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | Item2 |
 | tuple.cs:18:17:18:47 | (Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32,Int32) | ValueTuple<Int32, Int32, Int32, Int32, Int32, Int32, Int32, (Int32,Int32,Int32)> | Item3 |

From b24dc810c9fd64c57bdf9aa6eba3a92f57f69443 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 3 Jun 2021 20:21:08 +0100
Subject: [PATCH 1337/1429] C++: Combine results from
 cpp/weak-cryptographic-algorithm that are in the same file.

---
 .../CWE/CWE-327/BrokenCryptoAlgorithm.ql      | 123 ++++++++++--------
 .../CWE-327/BrokenCryptoAlgorithm.expected    |  50 +++----
 2 files changed, 95 insertions(+), 78 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index 7162b000dfc..24f0b216d09 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -28,7 +28,7 @@ Function getAnInsecureEncryptionFunction() {
 /**
  * A function with additional evidence it is related to encryption.
  */
-Function getAdditionalEvidenceFunction() {
+Function getAnAdditionalEvidenceFunction() {
   (
     isEncryptionAdditionalEvidence(result.getName()) or
     isEncryptionAdditionalEvidence(result.getAParameter().getName())
@@ -47,7 +47,7 @@ Macro getAnInsecureEncryptionMacro() {
 /**
  * A macro with additional evidence it is related to encryption.
  */
-Macro getAdditionalEvidenceMacro() {
+Macro getAnAdditionalEvidenceMacro() {
   isEncryptionAdditionalEvidence(result.getName()) and
   exists(result.getAnInvocation())
 }
@@ -63,61 +63,78 @@ EnumConstant getAnInsecureEncryptionEnumConst() { isInsecureEncryption(result.ge
 EnumConstant getAdditionalEvidenceEnumConst() { isEncryptionAdditionalEvidence(result.getName()) }
 
 /**
- * A function call we have a high confidence is related to use of an insecure
- * encryption algorithm.
+ * A function call we have a high confidence is related to use of an insecure encryption algorithm, along
+ * with an associated `Element` which might be the best point to blame, and a description of that element.
  */
-class InsecureFunctionCall extends FunctionCall {
-  Element blame;
-  string explain;
+predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string description) {
+  // find use of an insecure algorithm name
+  (
+    fc.getTarget() = getAnInsecureEncryptionFunction() and
+    blame = fc and
+    description = "call to " + fc.getTarget().getName()
+    or
+    exists(MacroInvocation mi |
+      (
+        mi.getAnExpandedElement() = fc or
+        mi.getAnExpandedElement() = fc.getAnArgument()
+      ) and
+      mi.getMacro() = getAnInsecureEncryptionMacro() and
+      blame = mi and
+      description = "invocation of macro " + mi.getMacro().getName()
+    )
+    or
+    exists(EnumConstantAccess ec |
+      ec = fc.getAnArgument() and
+      ec.getTarget() = getAnInsecureEncryptionEnumConst() and
+      blame = ec and
+      description = "access of enum constant " + ec.getTarget().getName()
+    )
+  ) and
+  // find additional evidence that this function is related to encryption.
+  (
+    fc.getTarget() = getAnAdditionalEvidenceFunction()
+    or
+    exists(MacroInvocation mi |
+      (
+        mi.getAnExpandedElement() = fc or
+        mi.getAnExpandedElement() = fc.getAnArgument()
+      ) and
+      mi.getMacro() = getAnAdditionalEvidenceMacro()
+    )
+    or
+    exists(EnumConstantAccess ec |
+      ec = fc.getAnArgument() and
+      ec.getTarget() = getAdditionalEvidenceEnumConst()
+    )
+  )
+}
 
-  InsecureFunctionCall() {
-    // find use of an insecure algorithm name
-    (
-      getTarget() = getAnInsecureEncryptionFunction() and
-      blame = this and
-      explain = "function call"
-      or
-      exists(MacroInvocation mi |
-        (
-          mi.getAnExpandedElement() = this or
-          mi.getAnExpandedElement() = this.getAnArgument()
-        ) and
-        mi.getMacro() = getAnInsecureEncryptionMacro() and
-        blame = mi and
-        explain = "macro invocation"
-      )
-      or
-      exists(EnumConstantAccess ec |
-        ec = this.getAnArgument() and
-        ec.getTarget() = getAnInsecureEncryptionEnumConst() and
-        blame = ec and
-        explain = "enum constant access"
-      )
-    ) and
-    // find additional evidence that this function is related to encryption.
-    (
-      getTarget() = getAdditionalEvidenceFunction()
-      or
-      exists(MacroInvocation mi |
-        (
-          mi.getAnExpandedElement() = this or
-          mi.getAnExpandedElement() = this.getAnArgument()
-        ) and
-        mi.getMacro() = getAdditionalEvidenceMacro()
-      )
-      or
-      exists(EnumConstantAccess ec |
-        ec = this.getAnArgument() and
-        ec.getTarget() = getAdditionalEvidenceEnumConst()
-      )
+/**
+ * An element that is the `blame` of an `InsecureFunctionCall`.
+ */
+class BlamedElement extends Element {
+  string description;
+
+  BlamedElement() { getInsecureEncryptionEvidence(_, this, description) }
+
+  /**
+   * Holds if this is the `num`-th `BlamedElement` in `f`.
+   */
+  predicate hasFileRank(File f, int num) {
+    exists(int loc |
+      getLocation().charLoc(f, loc, _) and
+      loc =
+        rank[num](BlamedElement other, int loc2 | other.getLocation().charLoc(f, loc2, _) | loc2)
     )
   }
 
-  Element getBlame() { result = blame }
-
-  string getDescription() { result = explain }
+  string getDescription() { result = description }
 }
 
-from InsecureFunctionCall c
-select c.getBlame(),
-  "This " + c.getDescription() + " specifies a broken or weak cryptographic algorithm."
+from File f, BlamedElement firstResult, BlamedElement thisResult
+where
+  firstResult.hasFileRank(f, 1) and
+  thisResult.hasFileRank(f, _)
+select firstResult,
+  "This file makes use of a broken or weak cryptographic algorithm (specified by $@).", thisResult,
+  thisResult.getDescription()
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
index 19cdfa5e9c7..d27d5c4bbca 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
@@ -1,25 +1,25 @@
-| test2.cpp:49:4:49:24 | call to my_des_implementation | This function call specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:62:33:62:40 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:124:4:124:24 | call to my_des_implementation | This function call specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:144:27:144:29 | DES | This enum constant access specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:172:28:172:35 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:175:28:175:34 | USE_DES | This enum constant access specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:182:38:182:45 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:185:38:185:44 | USE_DES | This enum constant access specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:238:2:238:20 | call to encrypt | This function call specifies a broken or weak cryptographic algorithm. |
-| test2.cpp:245:5:245:11 | call to encrypt | This function call specifies a broken or weak cryptographic algorithm. |
-| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:39:2:39:31 | ENCRYPT_WITH_RC2(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:41:2:41:32 | ENCRYPT_WITH_3DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:42:2:42:38 | ENCRYPT_WITH_TRIPLE_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:51:2:51:32 | DES_DO_ENCRYPTION(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:52:2:52:31 | RUN_DES_ENCODING(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:53:2:53:25 | DES_ENCODE(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:54:2:54:26 | DES_SET_KEY(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:88:2:88:11 | call to encryptDES | This function call specifies a broken or weak cryptographic algorithm. |
-| test.cpp:89:2:89:11 | call to encryptRC2 | This function call specifies a broken or weak cryptographic algorithm. |
-| test.cpp:91:2:91:12 | call to encrypt3DES | This function call specifies a broken or weak cryptographic algorithm. |
-| test.cpp:92:2:92:17 | call to encryptTripleDES | This function call specifies a broken or weak cryptographic algorithm. |
-| test.cpp:101:2:101:15 | call to do_des_encrypt | This function call specifies a broken or weak cryptographic algorithm. |
-| test.cpp:102:2:102:12 | call to DES_Set_Key | This function call specifies a broken or weak cryptographic algorithm. |
-| test.cpp:121:2:121:24 | INIT_ENCRYPT_WITH_DES() | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:49:4:49:24 | call to my_des_implementation | call to my_des_implementation |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:62:33:62:40 | ALGO_DES | invocation of macro ALGO_DES |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:124:4:124:24 | call to my_des_implementation | call to my_des_implementation |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:144:27:144:29 | DES | access of enum constant DES |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:172:28:172:35 | ALGO_DES | invocation of macro ALGO_DES |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:175:28:175:34 | USE_DES | access of enum constant USE_DES |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:182:38:182:45 | ALGO_DES | invocation of macro ALGO_DES |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:185:38:185:44 | USE_DES | access of enum constant USE_DES |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:238:2:238:20 | call to encrypt | call to encrypt |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:245:5:245:11 | call to encrypt | call to encrypt |
+| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | invocation of macro ENCRYPT_WITH_DES |
+| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:39:2:39:31 | ENCRYPT_WITH_RC2(data,amount) | invocation of macro ENCRYPT_WITH_RC2 |
+| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:41:2:41:32 | ENCRYPT_WITH_3DES(data,amount) | invocation of macro ENCRYPT_WITH_3DES |
+| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:42:2:42:38 | ENCRYPT_WITH_TRIPLE_DES(data,amount) | invocation of macro ENCRYPT_WITH_TRIPLE_DES |
+| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:51:2:51:32 | DES_DO_ENCRYPTION(data,amount) | invocation of macro DES_DO_ENCRYPTION |
+| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:52:2:52:31 | RUN_DES_ENCODING(data,amount) | invocation of macro RUN_DES_ENCODING |
+| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:53:2:53:25 | DES_ENCODE(data,amount) | invocation of macro DES_ENCODE |
+| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:54:2:54:26 | DES_SET_KEY(data,amount) | invocation of macro DES_SET_KEY |
+| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:88:2:88:11 | call to encryptDES | call to encryptDES |
+| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:89:2:89:11 | call to encryptRC2 | call to encryptRC2 |
+| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:91:2:91:12 | call to encrypt3DES | call to encrypt3DES |
+| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:92:2:92:17 | call to encryptTripleDES | call to encryptTripleDES |
+| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:101:2:101:15 | call to do_des_encrypt | call to do_des_encrypt |
+| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:102:2:102:12 | call to DES_Set_Key | call to DES_Set_Key |
+| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:121:2:121:24 | INIT_ENCRYPT_WITH_DES() | invocation of macro INIT_ENCRYPT_WITH_DES |

From 7f119dd5a9531465945531092ba52dc1baf7feed Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Fri, 4 Jun 2021 15:27:36 +0200
Subject: [PATCH 1338/1429] Python: Add change-note

---
 .../change-notes/2021-06-04-sensitive-data-modeling-expanded.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 python/change-notes/2021-06-04-sensitive-data-modeling-expanded.md

diff --git a/python/change-notes/2021-06-04-sensitive-data-modeling-expanded.md b/python/change-notes/2021-06-04-sensitive-data-modeling-expanded.md
new file mode 100644
index 00000000000..bfce4d208d5
--- /dev/null
+++ b/python/change-notes/2021-06-04-sensitive-data-modeling-expanded.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Expanded modeling of sensitive data sources to include: subscripting with a key that indicates sensitive data (`obj["password"]`), parameters whose names indicate sensitive data (`def func(password):`), and assignments to variables whose names indicate sensitive data (`password = ...`).

From 919555cae4c5d6ec0b2922032aaac2d61af27768 Mon Sep 17 00:00:00 2001
From: Felicity Chapman <felicitymay@github.com>
Date: Fri, 4 Jun 2021 15:13:24 +0100
Subject: [PATCH 1339/1429] Remove info for legacy tools

---
 .../ql-language-specification.rst             | 15 +--
 docs/codeql/support/index.rst                 |  1 -
 docs/codeql/support/notes-ql-users.rst        | 91 -------------------
 3 files changed, 3 insertions(+), 104 deletions(-)
 delete mode 100644 docs/codeql/support/notes-ql-users.rst

diff --git a/docs/codeql/ql-language-reference/ql-language-specification.rst b/docs/codeql/ql-language-reference/ql-language-specification.rst
index fb89100b401..bfe78669c7b 100644
--- a/docs/codeql/ql-language-reference/ql-language-specification.rst
+++ b/docs/codeql/ql-language-reference/ql-language-specification.rst
@@ -71,23 +71,14 @@ language="java"/>``).
 A ``qlpack.yml`` file defines a :ref:`QL pack <about-ql-packs>`.
 The content of a ``qlpack.yml`` file is described in the CodeQL CLI documentation. This file
 will not be recognized when using legacy tools that are not based
-on the CodeQL CLI (that is, LGTM.com, LGTM Enterprise, ODASA, CodeQL for
-Eclipse, and CodeQL for Visual Studio).
+on the CodeQL CLI (that is, LGTM.com and LGTM Enterprise).
 
 If both a ``queries.xml`` and a ``qlpack.yml`` exist in the same
 directory, the latter takes precedence (and the former is assumed to
 exist for compatibility with older tooling).
 
-In legacy QL tools that don't recognize ``qlpack.yml`` files, the default
-value of the library path for
-each supported language is hard-coded. The tools contain directories within the ODASA
-distribution that define the default CodeQL libraries for the selected
-language. Which language to use depends on the ``language`` attribute
-of the ``queries.xml`` file if not overridden with a ``--language``
-option to the ODASA CLI.
-
-On the other hand, the CodeQL CLI and newer tools based on it (such as
-GitHub Code Scanning and the CodeQL extension for Visual Studio Code)
+The CodeQL CLI and newer tools based on it (such as,
+GitHub code scanning and the CodeQL extension for Visual Studio Code)
 construct a library path using QL packs. For each QL pack
 added to the library path, the QL packs named in its
 ``libraryPathDependencies`` will be subsequently added to the library
diff --git a/docs/codeql/support/index.rst b/docs/codeql/support/index.rst
index f9cdf40e227..89812242fce 100644
--- a/docs/codeql/support/index.rst
+++ b/docs/codeql/support/index.rst
@@ -16,5 +16,4 @@ For details of the CodeQL libraries, see `CodeQL standard libraries <https://cod
 .. toctree::
    :hidden:
 
-   notes-ql-users
    ql-training
\ No newline at end of file
diff --git a/docs/codeql/support/notes-ql-users.rst b/docs/codeql/support/notes-ql-users.rst
deleted file mode 100644
index 7e5f032279e..00000000000
--- a/docs/codeql/support/notes-ql-users.rst
+++ /dev/null
@@ -1,91 +0,0 @@
-Notes for legacy QL CLI users
-=============================
-
-If you've previously used the QL command-line tools (``odasa``), you'll notice a
-few key differences when you use the new CodeQL products:
-
-* "QL snapshots" are now called `CodeQL databases <https://help.semmle.com/codeql/glossary.html#codeql-database>`__. 
-* The process of creating a CodeQL database is much simpler and more streamlined.
-  There's no need to create ``projects`` or ``snapshots``---just check out the
-  code and build it using the CodeQL CLI ``codeql database create`` command.
-* Queries are run against CodeQL databases using the CodeQL CLI ``codeql
-  database analyze`` command.
-
-For more information, see `Creating CodeQL databases
-<https://help.semmle.com/codeql/codeql-cli/procedures/create-codeql-database.html>`__ and 
-`Analyzing databases with the CodeQL CLI <https://help.semmle.com/codeql/codeql-cli/procedures/analyze-codeql-database.html>`__.
-For detailed guidance about equivalent commands, see `Overview of common commands
-<#overview-of-common-commands>`__ below.
-
-.. _database-compatibiilty-notes:
-
-Database compatibility notes
-----------------------------
-
-A CodeQL database created by the CodeQL CLI serves the same purpose as a QL
-snapshot created using ``odasa``. They both contain a code database to query and
-usually a source reference for results display. However, they are not identical
-formats and, if you use the legacy QL tools alongside the CodeQL tools, you need
-to be aware of the following:
-
-* Existing QL snapshots, exported using the legacy CLI, can be used with the new
-  CodeQL tools. Unzip the snapshot and treat the directory as a database. If it
-  was built with an earlier version of the legacy CLI, you may need to upgrade
-  the database using ``codeql database upgrade``. For more information, see the
-  `database upgrade reference documentation
-  <https://help.semmle.com/codeql/codeql-cli/commands/database-upgrade.html>`__.
-
-* CodeQL databases are not directly compatible with CodeQL for Eclipse.
-  However, you can "bundle" a CodeQL database into the equivalent of a QL
-  exported snapshot by running::
-
-    codeql database bundle --include-uncompressed-source -o <output-zip> <codeql-database>
-  
-  The resulting database can be imported into CodeQL for Eclipse. For more
-  information, see the `database bundle reference documentation <https://help.semmle.com/codeql/codeql-cli/commands/database-bundle.html>`__.
-
-* .. include:: ../reusables/index-files-note.rst
-
-* CodeQL databases cannot be directly uploaded to an LGTM Enterprise instance.
-  For more information, see `Preparing CodeQL databases to upload to LGTM 
-  <https://help.semmle.com/lgtm-enterprise/admin/help/prepare-database-upload.html>`__
-  in the LGTM admin help.
-
-Query suites
-------------
-
-CodeQL includes a new, more flexible, format for query suites. Legacy query
-suite definitions are not compatible with the new CodeQL tools. For more
-information about CodeQL query suites, see `Creating CodeQL query suites
-<https://help.semmle.com/codeql/codeql-cli/procedures/query-suites.html>`__. 
-
-Overview of common commands 
----------------------------
-
-If you're switching from the legacy ODASA CLI to the new CodeQL CLI, 
-the table below shows which commands replace the most
-common ODASA processes.
-
-+------------------------------------------+---------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| ``odasa`` command                        | Corresponding ``codeql`` command                                                                  | Notes                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
-+==========================================+===================================================================================================+=========================================================================================================================================================================================================================================================================================================================================================================================================================================================================+
-| ``bootstrap``                            | n/a                                                                                               | CodeQL analysis does not use ``project`` files during database creation. For more information about creating databases, see `Creating CodeQL databases <https://help.semmle.com/codeql/codeql-cli/procedures/create-codeql-database.html>`__.                                                                                                                                                                                                                           |
-+------------------------------------------+---------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| ``addSnapshot``, ``addLatestSnapshot``   | n/a                                                                                               | To obtain the version of the code you want to analyze, just run your normal check-out commands.                                                                                                                                                                                                                                                                                                                                                                         |
-+------------------------------------------+---------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| ``buildSnapshot``                        | `database create <https://help.semmle.com/codeql/codeql-cli/commands/database-create.html>`__     | When creating a CodeQL database, you specfiy build commands in the command line, rather than in a project file. For more information, see `Creating CodeQL databases <https://help.semmle.com/codeql/codeql-cli/procedures/create-codeql-database.html>`__.                                                                                                                                                                                                             |
-+------------------------------------------+---------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| ``analyzeSnapshot``                      | `database analyze <https://help.semmle.com/codeql/codeql-cli/commands/database-analyze.html>`__   | For more information, see `Analyzing databases with the CodeQL CLI <https://help.semmle.com/codeql/codeql-cli/procedures/analyze-codeql-database.html>`__.                                                                                                                                                                                                                                                                                                              |
-+------------------------------------------+---------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| ``archiveSnapshot``                      | `database cleanup <https://help.semmle.com/codeql/codeql-cli/commands/database-cleanup.html>`__   | Use ``database cleanup`` to reduce the size of a CodeQL database by deleting temporary data.                                                                                                                                                                                                                                                                                                                                                                            |
-+------------------------------------------+---------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| ``export``                               | `database bundle <https://help.semmle.com/codeql/codeql-cli/commands/database-bundle.html>`__     | You don't need to export databases before adding them to VS Code. However, you should "bundle" CodeQL databases before using them with LGTM Enterprise, CodeQL for Eclipse, or CodeQL for Visual Studio. For more information, see `Preparing CodeQL databases to upload to LGTM <https://help.semmle.com/lgtm-enterprise/admin/help/prepare-database-upload.html>`__ in the LGTM admin help and the `Database compatibility notes <#database-compatibility-notes>`__.  |
-+------------------------------------------+---------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| ``prepareQueries``                       | `query compile <https://help.semmle.com/codeql/codeql-cli/commands/query-compile.html>`__         | Queries are compiled when you run ``database analyze`` and other query-running commands. You can speed up compilation by running ``query compile`` separately using more threads.                                                                                                                                                                                                                                                                                       |
-+------------------------------------------+---------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| ``qltest``                               | `test run <https://help.semmle.com/codeql/codeql-cli/commands/test-run.html>`__                   | For more information about running regression tests, see `Testing custom queries <https://help.semmle.com/codeql/codeql-cli/procedures/test-queries.html>`__.                                                                                                                                                                                                                                                                                                           |
-+------------------------------------------+---------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| ``runQuery``                             | `query run <https://help.semmle.com/codeql/codeql-cli/commands/query-run.html>`__                 | Use ``query run`` to quickly view results in your terminal. To generate interpreted results that can be viewed in source code, use ``database analyze``.                                                                                                                                                                                                                                                                                                                |
-+------------------------------------------+---------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| ``upgrade``                              | `database upgrade <https://help.semmle.com/codeql/codeql-cli/commands/database-upgrade.html>`__   | For more information, see `Upgrading CodeQL databases <https://help.semmle.com/codeql/codeql-cli/procedures/upgrade-codeql-database.html>`__.                                                                                                                                                                                                                                                                                                                           |
-+------------------------------------------+---------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
\ No newline at end of file

From 3c6a1f165b534ed8a8edead7fa018f4f5c8f9499 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 4 Jun 2021 16:19:11 +0100
Subject: [PATCH 1340/1429] Update cpp/ql/src/semmle/code/cpp/Location.qll

Co-authored-by: Jonas Jensen <jbj@github.com>
---
 cpp/ql/src/semmle/code/cpp/Location.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/Location.qll b/cpp/ql/src/semmle/code/cpp/Location.qll
index e3b22fb59e1..8fc67f3b9df 100644
--- a/cpp/ql/src/semmle/code/cpp/Location.qll
+++ b/cpp/ql/src/semmle/code/cpp/Location.qll
@@ -128,7 +128,7 @@ deprecated library class LocationExpr extends Location, @location_expr { }
  * Gets the length of the longest line in file `f`.
  */
 pragma[nomagic]
-private int maxCols(File f) { result = max(Location l | l.getFile() = f | [l.getStartColumn(), l.getEndColumn()]) }
+private int maxCols(File f) { result = max(Location l | l.getFile() = f | l.getStartColumn().maximum(l.getEndColumn())) }
 
 /**
  * A C/C++ element that has a location in a file

From 799e19bdc2d5f2866ba8045fb453efa60de25016 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Fri, 4 Jun 2021 16:21:04 +0100
Subject: [PATCH 1341/1429] C++: Update the other version as well.

---
 cpp/ql/test/query-tests/definitions/locationInfo.ql | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cpp/ql/test/query-tests/definitions/locationInfo.ql b/cpp/ql/test/query-tests/definitions/locationInfo.ql
index 92f7b511c5f..28c5da3ea27 100644
--- a/cpp/ql/test/query-tests/definitions/locationInfo.ql
+++ b/cpp/ql/test/query-tests/definitions/locationInfo.ql
@@ -11,8 +11,8 @@ class Link extends Top {
  * Gets the length of the longest line in file `f`.
  */
 pragma[nomagic]
-private int maxCols(File f) { result = max(Location l | l.getFile() = f | [l.getStartColumn(), l.getEndColumn()]) }
-
+private int maxCols(File f) { result = max(Location l | l.getFile() = f | l.getStartColumn().maximum(l.getEndColumn())) }
+ 
 /**
  * Gets the location of an element that has a link-to-definition (in a similar manner to
  * `Location.charLoc`)

From f2d7988d7253dbfcc4ebd0dfa931b834de741112 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 4 Jun 2021 18:46:05 +0200
Subject: [PATCH 1342/1429] C++: Add tests involving various non-const and
 const smart pointers.

---
 .../library-tests/ir/ir/PrintAST.expected     | 139 ++++++++++++++++++
 .../test/library-tests/ir/ir/raw_ir.expected  |  95 ++++++++++++
 cpp/ql/test/library-tests/ir/ir/smart_ptr.cpp |  28 ++++
 3 files changed, 262 insertions(+)

diff --git a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
index 4b997627182..295ad79b9e2 100644
--- a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
+++ b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
@@ -11445,6 +11445,145 @@ smart_ptr.cpp:
 #   19|             Type = [ClassTemplateInstantiation] shared_ptr<float>
 #   19|             ValueCategory = lvalue
 #   20|     getStmt(2): [ReturnStmt] return ...
+#   22| [TopLevelFunction] void shared_ptr_const_int(std::shared_ptr<int const>)
+#   22|   <params>: 
+#   22|     getParameter(0): [Parameter] (unnamed parameter 0)
+#   22|         Type = [ClassTemplateInstantiation] shared_ptr<const int>
+#   23| [TopLevelFunction] void shared_ptr_const_int_ptr(std::shared_ptr<int* const>)
+#   23|   <params>: 
+#   23|     getParameter(0): [Parameter] (unnamed parameter 0)
+#   23|         Type = [ClassTemplateInstantiation] shared_ptr<int *const>
+#   24| [TopLevelFunction] void shared_ptr_shared_ptr_const_int(std::shared_ptr<std::shared_ptr<int const>>)
+#   24|   <params>: 
+#   24|     getParameter(0): [Parameter] (unnamed parameter 0)
+#   24|         Type = [ClassTemplateInstantiation] shared_ptr<shared_ptr<const int>>
+#   25| [TopLevelFunction] void shared_ptr_const_shared_ptr_int(std::shared_ptr<std::shared_ptr<int> const>)
+#   25|   <params>: 
+#   25|     getParameter(0): [Parameter] (unnamed parameter 0)
+#   25|         Type = [ClassTemplateInstantiation] shared_ptr<const shared_ptr<int>>
+#   26| [TopLevelFunction] void shared_ptr_const_shared_ptr_const_int(std::shared_ptr<std::shared_ptr<int const> const>)
+#   26|   <params>: 
+#   26|     getParameter(0): [Parameter] (unnamed parameter 0)
+#   26|         Type = [ClassTemplateInstantiation] shared_ptr<const shared_ptr<const int>>
+#   28| [TopLevelFunction] void call_shared_ptr_consts()
+#   28|   <params>: 
+#   28|   getEntryPoint(): [BlockStmt] { ... }
+#   29|     getStmt(0): [DeclStmt] declaration
+#   29|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of sp_const_int
+#   29|           Type = [ClassTemplateInstantiation] shared_ptr<const int>
+#   31|     getStmt(1): [ExprStmt] ExprStmt
+#   31|       getExpr(): [FunctionCall] call to shared_ptr_const_int
+#   31|           Type = [VoidType] void
+#   31|           ValueCategory = prvalue
+#   31|         getArgument(0): [ConstructorCall] call to shared_ptr
+#   31|             Type = [VoidType] void
+#   31|             ValueCategory = prvalue
+#   31|           getArgument(0): [VariableAccess] sp_const_int
+#   31|               Type = [ClassTemplateInstantiation] shared_ptr<const int>
+#   31|               ValueCategory = lvalue
+#   31|           getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
+#   31|               Type = [LValueReferenceType] const shared_ptr<const int> &
+#   31|               ValueCategory = prvalue
+#   31|             getExpr(): [CStyleCast] (const shared_ptr<const int>)...
+#   31|                 Conversion = [GlvalueConversion] glvalue conversion
+#   31|                 Type = [SpecifiedType] const shared_ptr<const int>
+#   31|                 ValueCategory = lvalue
+#   31|         getArgument(0).getFullyConverted(): [TemporaryObjectExpr] temporary object
+#   31|             Type = [ClassTemplateInstantiation] shared_ptr<const int>
+#   31|             ValueCategory = lvalue
+#   33|     getStmt(2): [DeclStmt] declaration
+#   33|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of sp_const_int_pointer
+#   33|           Type = [ClassTemplateInstantiation] shared_ptr<int *const>
+#   35|     getStmt(3): [ExprStmt] ExprStmt
+#   35|       getExpr(): [FunctionCall] call to shared_ptr_const_int_ptr
+#   35|           Type = [VoidType] void
+#   35|           ValueCategory = prvalue
+#   35|         getArgument(0): [ConstructorCall] call to shared_ptr
+#   35|             Type = [VoidType] void
+#   35|             ValueCategory = prvalue
+#   35|           getArgument(0): [VariableAccess] sp_const_int_pointer
+#   35|               Type = [ClassTemplateInstantiation] shared_ptr<int *const>
+#   35|               ValueCategory = lvalue
+#   35|           getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
+#   35|               Type = [LValueReferenceType] const shared_ptr<int *const> &
+#   35|               ValueCategory = prvalue
+#   35|             getExpr(): [CStyleCast] (const shared_ptr<int *const>)...
+#   35|                 Conversion = [GlvalueConversion] glvalue conversion
+#   35|                 Type = [SpecifiedType] const shared_ptr<int *const>
+#   35|                 ValueCategory = lvalue
+#   35|         getArgument(0).getFullyConverted(): [TemporaryObjectExpr] temporary object
+#   35|             Type = [ClassTemplateInstantiation] shared_ptr<int *const>
+#   35|             ValueCategory = lvalue
+#   37|     getStmt(4): [DeclStmt] declaration
+#   37|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of sp_sp_const_int
+#   37|           Type = [ClassTemplateInstantiation] shared_ptr<shared_ptr<const int>>
+#   39|     getStmt(5): [ExprStmt] ExprStmt
+#   39|       getExpr(): [FunctionCall] call to shared_ptr_shared_ptr_const_int
+#   39|           Type = [VoidType] void
+#   39|           ValueCategory = prvalue
+#   39|         getArgument(0): [ConstructorCall] call to shared_ptr
+#   39|             Type = [VoidType] void
+#   39|             ValueCategory = prvalue
+#   39|           getArgument(0): [VariableAccess] sp_sp_const_int
+#   39|               Type = [ClassTemplateInstantiation] shared_ptr<shared_ptr<const int>>
+#   39|               ValueCategory = lvalue
+#   39|           getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
+#   39|               Type = [LValueReferenceType] const shared_ptr<shared_ptr<const int>> &
+#   39|               ValueCategory = prvalue
+#   39|             getExpr(): [CStyleCast] (const shared_ptr<shared_ptr<const int>>)...
+#   39|                 Conversion = [GlvalueConversion] glvalue conversion
+#   39|                 Type = [SpecifiedType] const shared_ptr<shared_ptr<const int>>
+#   39|                 ValueCategory = lvalue
+#   39|         getArgument(0).getFullyConverted(): [TemporaryObjectExpr] temporary object
+#   39|             Type = [ClassTemplateInstantiation] shared_ptr<shared_ptr<const int>>
+#   39|             ValueCategory = lvalue
+#   41|     getStmt(6): [DeclStmt] declaration
+#   41|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of sp_const_sp_int
+#   41|           Type = [ClassTemplateInstantiation] shared_ptr<const shared_ptr<int>>
+#   43|     getStmt(7): [ExprStmt] ExprStmt
+#   43|       getExpr(): [FunctionCall] call to shared_ptr_const_shared_ptr_int
+#   43|           Type = [VoidType] void
+#   43|           ValueCategory = prvalue
+#   43|         getArgument(0): [ConstructorCall] call to shared_ptr
+#   43|             Type = [VoidType] void
+#   43|             ValueCategory = prvalue
+#   43|           getArgument(0): [VariableAccess] sp_const_sp_int
+#   43|               Type = [ClassTemplateInstantiation] shared_ptr<const shared_ptr<int>>
+#   43|               ValueCategory = lvalue
+#   43|           getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
+#   43|               Type = [LValueReferenceType] const shared_ptr<const shared_ptr<int>> &
+#   43|               ValueCategory = prvalue
+#   43|             getExpr(): [CStyleCast] (const shared_ptr<const shared_ptr<int>>)...
+#   43|                 Conversion = [GlvalueConversion] glvalue conversion
+#   43|                 Type = [SpecifiedType] const shared_ptr<const shared_ptr<int>>
+#   43|                 ValueCategory = lvalue
+#   43|         getArgument(0).getFullyConverted(): [TemporaryObjectExpr] temporary object
+#   43|             Type = [ClassTemplateInstantiation] shared_ptr<const shared_ptr<int>>
+#   43|             ValueCategory = lvalue
+#   45|     getStmt(8): [DeclStmt] declaration
+#   45|       getDeclarationEntry(0): [VariableDeclarationEntry] definition of sp_const_sp_const_int
+#   45|           Type = [ClassTemplateInstantiation] shared_ptr<const shared_ptr<const int>>
+#   47|     getStmt(9): [ExprStmt] ExprStmt
+#   47|       getExpr(): [FunctionCall] call to shared_ptr_const_shared_ptr_const_int
+#   47|           Type = [VoidType] void
+#   47|           ValueCategory = prvalue
+#   47|         getArgument(0): [ConstructorCall] call to shared_ptr
+#   47|             Type = [VoidType] void
+#   47|             ValueCategory = prvalue
+#   47|           getArgument(0): [VariableAccess] sp_const_sp_const_int
+#   47|               Type = [ClassTemplateInstantiation] shared_ptr<const shared_ptr<const int>>
+#   47|               ValueCategory = lvalue
+#   47|           getArgument(0).getFullyConverted(): [ReferenceToExpr] (reference to)
+#   47|               Type = [LValueReferenceType] const shared_ptr<const shared_ptr<const int>> &
+#   47|               ValueCategory = prvalue
+#   47|             getExpr(): [CStyleCast] (const shared_ptr<const shared_ptr<const int>>)...
+#   47|                 Conversion = [GlvalueConversion] glvalue conversion
+#   47|                 Type = [SpecifiedType] const shared_ptr<const shared_ptr<const int>>
+#   47|                 ValueCategory = lvalue
+#   47|         getArgument(0).getFullyConverted(): [TemporaryObjectExpr] temporary object
+#   47|             Type = [ClassTemplateInstantiation] shared_ptr<const shared_ptr<const int>>
+#   47|             ValueCategory = lvalue
+#   48|     getStmt(10): [ReturnStmt] return ...
 struct_init.cpp:
 #    1| [TopLevelFunction] int handler1(void*)
 #    1|   <params>: 
diff --git a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
index 6bcfd2c43e4..25be8df2c70 100644
--- a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
@@ -7977,6 +7977,101 @@ smart_ptr.cpp:
 #   17|     v17_10(void)                    = AliasedUse                       : ~m?
 #   17|     v17_11(void)                    = ExitFunction                     : 
 
+#   28| void call_shared_ptr_consts()
+#   28|   Block 0
+#   28|     v28_1(void)                                           = EnterFunction                                          : 
+#   28|     mu28_2(unknown)                                       = AliasedDefinition                                      : 
+#   28|     mu28_3(unknown)                                       = InitializeNonLocal                                     : 
+#   29|     r29_1(glval<shared_ptr<const int>>)                   = VariableAddress[sp_const_int]                          : 
+#   29|     mu29_2(shared_ptr<const int>)                         = Uninitialized[sp_const_int]                            : &:r29_1
+#   31|     r31_1(glval<unknown>)                                 = FunctionAddress[shared_ptr_const_int]                  : 
+#   31|     r31_2(glval<shared_ptr<const int>>)                   = VariableAddress[#temp31:26]                            : 
+#   31|     mu31_3(shared_ptr<const int>)                         = Uninitialized[#temp31:26]                              : &:r31_2
+#   31|     r31_4(glval<unknown>)                                 = FunctionAddress[shared_ptr]                            : 
+#   31|     r31_5(glval<shared_ptr<const int>>)                   = VariableAddress[sp_const_int]                          : 
+#   31|     r31_6(glval<shared_ptr<const int>>)                   = Convert                                                : r31_5
+#   31|     r31_7(shared_ptr<const int> &)                        = CopyValue                                              : r31_6
+#   31|     v31_8(void)                                           = Call[shared_ptr]                                       : func:r31_4, this:r31_2, 0:r31_7
+#   31|     mu31_9(unknown)                                       = ^CallSideEffect                                        : ~m?
+#   31|     mu31_10(shared_ptr<const int>)                        = ^IndirectMustWriteSideEffect[-1]                       : &:r31_2
+#   31|     v31_11(void)                                          = ^IndirectReadSideEffect[0]                             : &:r31_7, ~m?
+#   31|     r31_12(shared_ptr<const int>)                         = Load[#temp31:26]                                       : &:r31_2, ~m?
+#   31|     v31_13(void)                                          = Call[shared_ptr_const_int]                             : func:r31_1, 0:r31_12
+#   31|     mu31_14(unknown)                                      = ^CallSideEffect                                        : ~m?
+#   31|     v31_15(void)                                          = ^BufferReadSideEffect[0]                               : &:r31_12, ~m?
+#   33|     r33_1(glval<shared_ptr<int *const>>)                  = VariableAddress[sp_const_int_pointer]                  : 
+#   33|     mu33_2(shared_ptr<int *const>)                        = Uninitialized[sp_const_int_pointer]                    : &:r33_1
+#   35|     r35_1(glval<unknown>)                                 = FunctionAddress[shared_ptr_const_int_ptr]              : 
+#   35|     r35_2(glval<shared_ptr<int *const>>)                  = VariableAddress[#temp35:30]                            : 
+#   35|     mu35_3(shared_ptr<int *const>)                        = Uninitialized[#temp35:30]                              : &:r35_2
+#   35|     r35_4(glval<unknown>)                                 = FunctionAddress[shared_ptr]                            : 
+#   35|     r35_5(glval<shared_ptr<int *const>>)                  = VariableAddress[sp_const_int_pointer]                  : 
+#   35|     r35_6(glval<shared_ptr<int *const>>)                  = Convert                                                : r35_5
+#   35|     r35_7(shared_ptr<int *const> &)                       = CopyValue                                              : r35_6
+#   35|     v35_8(void)                                           = Call[shared_ptr]                                       : func:r35_4, this:r35_2, 0:r35_7
+#   35|     mu35_9(unknown)                                       = ^CallSideEffect                                        : ~m?
+#   35|     mu35_10(shared_ptr<int *const>)                       = ^IndirectMustWriteSideEffect[-1]                       : &:r35_2
+#   35|     v35_11(void)                                          = ^IndirectReadSideEffect[0]                             : &:r35_7, ~m?
+#   35|     r35_12(shared_ptr<int *const>)                        = Load[#temp35:30]                                       : &:r35_2, ~m?
+#   35|     v35_13(void)                                          = Call[shared_ptr_const_int_ptr]                         : func:r35_1, 0:r35_12
+#   35|     mu35_14(unknown)                                      = ^CallSideEffect                                        : ~m?
+#   35|     v35_15(void)                                          = ^BufferReadSideEffect[0]                               : &:r35_12, ~m?
+#   37|     r37_1(glval<shared_ptr<shared_ptr<const int>>>)       = VariableAddress[sp_sp_const_int]                       : 
+#   37|     mu37_2(shared_ptr<shared_ptr<const int>>)             = Uninitialized[sp_sp_const_int]                         : &:r37_1
+#   39|     r39_1(glval<unknown>)                                 = FunctionAddress[shared_ptr_shared_ptr_const_int]       : 
+#   39|     r39_2(glval<shared_ptr<shared_ptr<const int>>>)       = VariableAddress[#temp39:37]                            : 
+#   39|     mu39_3(shared_ptr<shared_ptr<const int>>)             = Uninitialized[#temp39:37]                              : &:r39_2
+#   39|     r39_4(glval<unknown>)                                 = FunctionAddress[shared_ptr]                            : 
+#   39|     r39_5(glval<shared_ptr<shared_ptr<const int>>>)       = VariableAddress[sp_sp_const_int]                       : 
+#   39|     r39_6(glval<shared_ptr<shared_ptr<const int>>>)       = Convert                                                : r39_5
+#   39|     r39_7(shared_ptr<shared_ptr<const int>> &)            = CopyValue                                              : r39_6
+#   39|     v39_8(void)                                           = Call[shared_ptr]                                       : func:r39_4, this:r39_2, 0:r39_7
+#   39|     mu39_9(unknown)                                       = ^CallSideEffect                                        : ~m?
+#   39|     mu39_10(shared_ptr<shared_ptr<const int>>)            = ^IndirectMustWriteSideEffect[-1]                       : &:r39_2
+#   39|     v39_11(void)                                          = ^IndirectReadSideEffect[0]                             : &:r39_7, ~m?
+#   39|     r39_12(shared_ptr<shared_ptr<const int>>)             = Load[#temp39:37]                                       : &:r39_2, ~m?
+#   39|     v39_13(void)                                          = Call[shared_ptr_shared_ptr_const_int]                  : func:r39_1, 0:r39_12
+#   39|     mu39_14(unknown)                                      = ^CallSideEffect                                        : ~m?
+#   39|     v39_15(void)                                          = ^BufferReadSideEffect[0]                               : &:r39_12, ~m?
+#   41|     r41_1(glval<shared_ptr<const shared_ptr<int>>>)       = VariableAddress[sp_const_sp_int]                       : 
+#   41|     mu41_2(shared_ptr<const shared_ptr<int>>)             = Uninitialized[sp_const_sp_int]                         : &:r41_1
+#   43|     r43_1(glval<unknown>)                                 = FunctionAddress[shared_ptr_const_shared_ptr_int]       : 
+#   43|     r43_2(glval<shared_ptr<const shared_ptr<int>>>)       = VariableAddress[#temp43:37]                            : 
+#   43|     mu43_3(shared_ptr<const shared_ptr<int>>)             = Uninitialized[#temp43:37]                              : &:r43_2
+#   43|     r43_4(glval<unknown>)                                 = FunctionAddress[shared_ptr]                            : 
+#   43|     r43_5(glval<shared_ptr<const shared_ptr<int>>>)       = VariableAddress[sp_const_sp_int]                       : 
+#   43|     r43_6(glval<shared_ptr<const shared_ptr<int>>>)       = Convert                                                : r43_5
+#   43|     r43_7(shared_ptr<const shared_ptr<int>> &)            = CopyValue                                              : r43_6
+#   43|     v43_8(void)                                           = Call[shared_ptr]                                       : func:r43_4, this:r43_2, 0:r43_7
+#   43|     mu43_9(unknown)                                       = ^CallSideEffect                                        : ~m?
+#   43|     mu43_10(shared_ptr<const shared_ptr<int>>)            = ^IndirectMustWriteSideEffect[-1]                       : &:r43_2
+#   43|     v43_11(void)                                          = ^IndirectReadSideEffect[0]                             : &:r43_7, ~m?
+#   43|     r43_12(shared_ptr<const shared_ptr<int>>)             = Load[#temp43:37]                                       : &:r43_2, ~m?
+#   43|     v43_13(void)                                          = Call[shared_ptr_const_shared_ptr_int]                  : func:r43_1, 0:r43_12
+#   43|     mu43_14(unknown)                                      = ^CallSideEffect                                        : ~m?
+#   43|     v43_15(void)                                          = ^BufferReadSideEffect[0]                               : &:r43_12, ~m?
+#   45|     r45_1(glval<shared_ptr<const shared_ptr<const int>>>) = VariableAddress[sp_const_sp_const_int]                 : 
+#   45|     mu45_2(shared_ptr<const shared_ptr<const int>>)       = Uninitialized[sp_const_sp_const_int]                   : &:r45_1
+#   47|     r47_1(glval<unknown>)                                 = FunctionAddress[shared_ptr_const_shared_ptr_const_int] : 
+#   47|     r47_2(glval<shared_ptr<const shared_ptr<const int>>>) = VariableAddress[#temp47:43]                            : 
+#   47|     mu47_3(shared_ptr<const shared_ptr<const int>>)       = Uninitialized[#temp47:43]                              : &:r47_2
+#   47|     r47_4(glval<unknown>)                                 = FunctionAddress[shared_ptr]                            : 
+#   47|     r47_5(glval<shared_ptr<const shared_ptr<const int>>>) = VariableAddress[sp_const_sp_const_int]                 : 
+#   47|     r47_6(glval<shared_ptr<const shared_ptr<const int>>>) = Convert                                                : r47_5
+#   47|     r47_7(shared_ptr<const shared_ptr<const int>> &)      = CopyValue                                              : r47_6
+#   47|     v47_8(void)                                           = Call[shared_ptr]                                       : func:r47_4, this:r47_2, 0:r47_7
+#   47|     mu47_9(unknown)                                       = ^CallSideEffect                                        : ~m?
+#   47|     mu47_10(shared_ptr<const shared_ptr<const int>>)      = ^IndirectMustWriteSideEffect[-1]                       : &:r47_2
+#   47|     v47_11(void)                                          = ^IndirectReadSideEffect[0]                             : &:r47_7, ~m?
+#   47|     r47_12(shared_ptr<const shared_ptr<const int>>)       = Load[#temp47:43]                                       : &:r47_2, ~m?
+#   47|     v47_13(void)                                          = Call[shared_ptr_const_shared_ptr_const_int]            : func:r47_1, 0:r47_12
+#   47|     mu47_14(unknown)                                      = ^CallSideEffect                                        : ~m?
+#   47|     v47_15(void)                                          = ^BufferReadSideEffect[0]                               : &:r47_12, ~m?
+#   48|     v48_1(void)                                           = NoOp                                                   : 
+#   28|     v28_4(void)                                           = ReturnVoid                                             : 
+#   28|     v28_5(void)                                           = AliasedUse                                             : ~m?
+#   28|     v28_6(void)                                           = ExitFunction                                           : 
+
 struct_init.cpp:
 #   16| void let_info_escape(Info*)
 #   16|   Block 0
diff --git a/cpp/ql/test/library-tests/ir/ir/smart_ptr.cpp b/cpp/ql/test/library-tests/ir/ir/smart_ptr.cpp
index 980c7767009..f40c54bde44 100644
--- a/cpp/ql/test/library-tests/ir/ir/smart_ptr.cpp
+++ b/cpp/ql/test/library-tests/ir/ir/smart_ptr.cpp
@@ -18,3 +18,31 @@ void call_shared_ptr_arg(float* p) {
     shared_ptr<float> sp(p);
     shared_ptr_arg(sp);
 }
+
+void shared_ptr_const_int(shared_ptr<const int>);
+void shared_ptr_const_int_ptr(shared_ptr<int* const>);
+void shared_ptr_shared_ptr_const_int(shared_ptr<shared_ptr<const int>>);
+void shared_ptr_const_shared_ptr_int(shared_ptr<const shared_ptr<int>>);
+void shared_ptr_const_shared_ptr_const_int(shared_ptr<const shared_ptr<const int>>);
+
+void call_shared_ptr_consts() {
+    shared_ptr<const int> sp_const_int;
+    // cannot modify *sp_const_int
+    shared_ptr_const_int(sp_const_int);
+
+    shared_ptr<int* const> sp_const_int_pointer;
+    // can modify **sp_const_int_pointer
+    shared_ptr_const_int_ptr(sp_const_int_pointer);
+
+    shared_ptr<shared_ptr<const int>> sp_sp_const_int;
+    // can modify *sp_const_int_pointer
+    shared_ptr_shared_ptr_const_int(sp_sp_const_int);
+
+    shared_ptr<const shared_ptr<int>> sp_const_sp_int;
+    // can modify **sp_const_int_pointer
+    shared_ptr_const_shared_ptr_int(sp_const_sp_int);
+
+    shared_ptr<const shared_ptr<const int>> sp_const_sp_const_int;
+    // cannot modify *sp_const_int_pointer or **sp_const_int_pointer
+    shared_ptr_const_shared_ptr_const_int(sp_const_sp_const_int);
+}
\ No newline at end of file

From 27586d77f87a51d42204745b8c7f1351cbf60131 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 4 Jun 2021 18:46:52 +0200
Subject: [PATCH 1343/1429] C++: Copy isDeeplyConst{Below} into SideEffects and
 modify it so that it works for smart pointers.

---
 .../raw/internal/SideEffects.qll              | 60 ++++++++++++++++++-
 1 file changed, 59 insertions(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll
index e7de9d26326..50245fafde2 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll
@@ -10,6 +10,64 @@ private import semmle.code.cpp.ir.implementation.Opcode
 private import semmle.code.cpp.models.interfaces.PointerWrapper
 private import semmle.code.cpp.models.interfaces.SideEffect
 
+private predicate isDeeplyConst(Type t) {
+  t.isConst() and
+  isDeeplyConstBelow(t)
+  or
+  isDeeplyConst(t.(Decltype).getBaseType())
+  or
+  isDeeplyConst(t.(ReferenceType).getBaseType())
+  or
+  exists(SpecifiedType specType | specType = t |
+    specType.getASpecifier().getName() = "const" and
+    isDeeplyConstBelow(specType.getBaseType())
+  )
+  or
+  isDeeplyConst(t.(ArrayType).getBaseType())
+}
+
+private predicate isDeeplyConstBelow(Type t) {
+  t instanceof BuiltInType
+  or
+  not t instanceof PointerWrapper and
+  t instanceof Class
+  or
+  t instanceof Enum
+  or
+  isDeeplyConstBelow(t.(Decltype).getBaseType())
+  or
+  isDeeplyConst(t.(PointerType).getBaseType())
+  or
+  isDeeplyConst(t.(ReferenceType).getBaseType())
+  or
+  isDeeplyConstBelow(t.(SpecifiedType).getBaseType())
+  or
+  isDeeplyConst(t.(ArrayType).getBaseType())
+  or
+  isDeeplyConst(t.(GNUVectorType).getBaseType())
+  or
+  isDeeplyConst(t.(FunctionPointerIshType).getBaseType())
+  or
+  isDeeplyConst(t.(PointerWrapper).getTemplateArgument(0))
+  or
+  isDeeplyConst(t.(PointerToMemberType).getBaseType())
+  or
+  isDeeplyConstBelow(t.(TypedefType).getBaseType())
+}
+
+private predicate isConstPointerLike(Type t) {
+  (
+    t instanceof PointerWrapper
+    or
+    t instanceof PointerType
+    or
+    t instanceof ArrayType
+    or
+    t instanceof ReferenceType
+  ) and
+  isDeeplyConstBelow(t)
+}
+
 /**
  * Holds if the specified call has a side effect that does not come from a `SideEffectFunction`
  * model.
@@ -45,7 +103,7 @@ private predicate hasDefaultSideEffect(Call call, ParameterIndex i, boolean buff
       ) and
       (
         isWrite = true and
-        not call.getTarget().getParameter(i).getType().isDeeplyConstBelow()
+        not isConstPointerLike(call.getTarget().getParameter(i).getUnderlyingType())
         or
         isWrite = false
       )

From 8e8c2e677a8a8950bf55fbb4d0eab46e3d1bea31 Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Fri, 4 Jun 2021 18:49:20 +0200
Subject: [PATCH 1344/1429] C++: Accept test changes.

---
 cpp/ql/test/library-tests/ir/ir/raw_ir.expected | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
index 25be8df2c70..3746b0e2c6c 100644
--- a/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
+++ b/cpp/ql/test/library-tests/ir/ir/raw_ir.expected
@@ -7933,6 +7933,7 @@ smart_ptr.cpp:
 #   12|     v12_10(void)                                       = Call[unique_ptr_arg]             : func:r12_1, 0:r12_9
 #   12|     mu12_11(unknown)                                   = ^CallSideEffect                  : ~m?
 #   12|     v12_12(void)                                       = ^BufferReadSideEffect[0]         : &:r12_9, ~m?
+#   12|     mu12_13(unknown)                                   = ^BufferMayWriteSideEffect[0]     : &:r12_9
 #   13|     v13_1(void)                                        = NoOp                             : 
 #   10|     v10_8(void)                                        = ReturnIndirection[p]             : &:r10_6, ~m?
 #   10|     v10_9(void)                                        = ReturnVoid                       : 
@@ -7971,6 +7972,7 @@ smart_ptr.cpp:
 #   19|     v19_13(void)                    = Call[shared_ptr_arg]             : func:r19_1, 0:r19_12
 #   19|     mu19_14(unknown)                = ^CallSideEffect                  : ~m?
 #   19|     v19_15(void)                    = ^BufferReadSideEffect[0]         : &:r19_12, ~m?
+#   19|     mu19_16(unknown)                = ^BufferMayWriteSideEffect[0]     : &:r19_12
 #   20|     v20_1(void)                     = NoOp                             : 
 #   17|     v17_8(void)                     = ReturnIndirection[p]             : &:r17_6, ~m?
 #   17|     v17_9(void)                     = ReturnVoid                       : 
@@ -8016,6 +8018,7 @@ smart_ptr.cpp:
 #   35|     v35_13(void)                                          = Call[shared_ptr_const_int_ptr]                         : func:r35_1, 0:r35_12
 #   35|     mu35_14(unknown)                                      = ^CallSideEffect                                        : ~m?
 #   35|     v35_15(void)                                          = ^BufferReadSideEffect[0]                               : &:r35_12, ~m?
+#   35|     mu35_16(unknown)                                      = ^BufferMayWriteSideEffect[0]                           : &:r35_12
 #   37|     r37_1(glval<shared_ptr<shared_ptr<const int>>>)       = VariableAddress[sp_sp_const_int]                       : 
 #   37|     mu37_2(shared_ptr<shared_ptr<const int>>)             = Uninitialized[sp_sp_const_int]                         : &:r37_1
 #   39|     r39_1(glval<unknown>)                                 = FunctionAddress[shared_ptr_shared_ptr_const_int]       : 
@@ -8033,6 +8036,7 @@ smart_ptr.cpp:
 #   39|     v39_13(void)                                          = Call[shared_ptr_shared_ptr_const_int]                  : func:r39_1, 0:r39_12
 #   39|     mu39_14(unknown)                                      = ^CallSideEffect                                        : ~m?
 #   39|     v39_15(void)                                          = ^BufferReadSideEffect[0]                               : &:r39_12, ~m?
+#   39|     mu39_16(unknown)                                      = ^BufferMayWriteSideEffect[0]                           : &:r39_12
 #   41|     r41_1(glval<shared_ptr<const shared_ptr<int>>>)       = VariableAddress[sp_const_sp_int]                       : 
 #   41|     mu41_2(shared_ptr<const shared_ptr<int>>)             = Uninitialized[sp_const_sp_int]                         : &:r41_1
 #   43|     r43_1(glval<unknown>)                                 = FunctionAddress[shared_ptr_const_shared_ptr_int]       : 
@@ -8050,6 +8054,7 @@ smart_ptr.cpp:
 #   43|     v43_13(void)                                          = Call[shared_ptr_const_shared_ptr_int]                  : func:r43_1, 0:r43_12
 #   43|     mu43_14(unknown)                                      = ^CallSideEffect                                        : ~m?
 #   43|     v43_15(void)                                          = ^BufferReadSideEffect[0]                               : &:r43_12, ~m?
+#   43|     mu43_16(unknown)                                      = ^BufferMayWriteSideEffect[0]                           : &:r43_12
 #   45|     r45_1(glval<shared_ptr<const shared_ptr<const int>>>) = VariableAddress[sp_const_sp_const_int]                 : 
 #   45|     mu45_2(shared_ptr<const shared_ptr<const int>>)       = Uninitialized[sp_const_sp_const_int]                   : &:r45_1
 #   47|     r47_1(glval<unknown>)                                 = FunctionAddress[shared_ptr_const_shared_ptr_const_int] : 

From ac3ded7d5a4c199056cf8c572ac666b0654fa6c6 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo <dbartol@github.com>
Date: Sun, 6 Jun 2021 09:04:18 -0400
Subject: [PATCH 1345/1429] Replace an odd `queries.xml` with `qlpack.yml`

This one C++ test has its own `queries.xml` to make "outside-of-source" path filtering work, as detailed in commit 2550788598010fa2117274607c9d58f64f997f34. I've replaced the `queries.xml` with `qlpack.yml`, added a comment, and added that pack to the `.codeqlmanifest.json` at the root of the repo. This will allow the library dependencies of this pack to be resolved without the need for a `--search-path` option with the upcoming packaging changes.
---
 .codeqlmanifest.json                                        | 1 +
 .../Security/CWE/CWE-190/semmle/tainted/qlpack.yml          | 6 ++++++
 .../Security/CWE/CWE-190/semmle/tainted/queries.xml         | 1 -
 3 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml
 delete mode 100644 cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/queries.xml

diff --git a/.codeqlmanifest.json b/.codeqlmanifest.json
index 30efc842b00..81d370e793d 100644
--- a/.codeqlmanifest.json
+++ b/.codeqlmanifest.json
@@ -1,5 +1,6 @@
 { "provide": [ "*/ql/src/qlpack.yml",
                "*/ql/test/qlpack.yml",
+               "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
                "*/ql/examples/qlpack.yml",
                "*/upgrades/qlpack.yml",
                "misc/legacy-support/*/qlpack.yml",
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml
new file mode 100644
index 00000000000..6cae1aa77cb
--- /dev/null
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml
@@ -0,0 +1,6 @@
+# This directory has its own qlpack for reasons detailed in commit 2550788598010fa2117274607c9d58f64f997f34
+name: codeql-cpp-tests-cwe-190-tainted
+version: 0.0.0
+libraryPathDependencies: codeql-cpp
+extractor: cpp
+tests: .
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/queries.xml b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/queries.xml
deleted file mode 100644
index 99f4a7278c2..00000000000
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/queries.xml
+++ /dev/null
@@ -1 +0,0 @@
-<queries language="cpp"/>

From dd2fe2a489e3294ec02443dab3d16ecca299a1f6 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Fri, 4 Jun 2021 17:16:12 +0200
Subject: [PATCH 1346/1429] add the resolve library as a sink to
 js/path-injection

---
 javascript/change-notes/2021-06-04-resolve.md         |  4 ++++
 .../security/dataflow/TaintedPathCustomizations.qll   | 11 +++++++++++
 .../Security/CWE-022/TaintedPath/TaintedPath.expected |  8 ++++++++
 .../Security/CWE-022/TaintedPath/tainted-require.js   |  5 +++++
 4 files changed, 28 insertions(+)
 create mode 100644 javascript/change-notes/2021-06-04-resolve.md

diff --git a/javascript/change-notes/2021-06-04-resolve.md b/javascript/change-notes/2021-06-04-resolve.md
new file mode 100644
index 00000000000..f0c419816c6
--- /dev/null
+++ b/javascript/change-notes/2021-06-04-resolve.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Paths used with the [resolve](https://npmjs.com/package/resolve) command are seen as sinks for the `js/path-injection` query.
+  Affected packages are
+    [resolve](https://npmjs.com/package/resolve)
\ No newline at end of file
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
index ebc877e0e25..92c51aee551 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -577,6 +577,17 @@ module TaintedPath {
     }
   }
 
+  /**
+   * An expression whose value is resolved to a module using the [resolve](http://npmjs.com/package/resolve) library.
+   */
+  class ResolveModuleSink extends Sink {
+    ResolveModuleSink() {
+      this = API::moduleImport("resolve").getACall().getArgument(0)
+      or
+      this = API::moduleImport("resolve").getMember("sync").getACall().getArgument(0)
+    }
+  }
+
   /**
    * A path argument to a file system access.
    */
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
index 5d8806c0501..ecf82260dc7 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -2594,6 +2594,12 @@ nodes
 | tainted-require.js:7:19:7:37 | req.param("module") |
 | tainted-require.js:7:19:7:37 | req.param("module") |
 | tainted-require.js:7:19:7:37 | req.param("module") |
+| tainted-require.js:12:24:12:42 | req.param("module") |
+| tainted-require.js:12:24:12:42 | req.param("module") |
+| tainted-require.js:12:24:12:42 | req.param("module") |
+| tainted-require.js:12:24:12:42 | req.param("module") |
+| tainted-require.js:12:24:12:42 | req.param("module") |
+| tainted-require.js:12:24:12:42 | req.param("module") |
 | tainted-sendFile.js:8:16:8:33 | req.param("gimme") |
 | tainted-sendFile.js:8:16:8:33 | req.param("gimme") |
 | tainted-sendFile.js:8:16:8:33 | req.param("gimme") |
@@ -7090,6 +7096,7 @@ edges
 | tainted-access-paths.js:31:23:31:25 | obj | tainted-access-paths.js:31:23:31:30 | obj.sub4 |
 | tainted-access-paths.js:31:23:31:25 | obj | tainted-access-paths.js:31:23:31:30 | obj.sub4 |
 | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") |
+| tainted-require.js:12:24:12:42 | req.param("module") | tainted-require.js:12:24:12:42 | req.param("module") |
 | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") |
 | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") |
 | tainted-sendFile.js:18:43:18:58 | req.param("dir") | tainted-sendFile.js:18:43:18:58 | req.param("dir") |
@@ -8304,6 +8311,7 @@ edges
 | tainted-access-paths.js:30:23:30:30 | obj.sub4 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:30:23:30:30 | obj.sub4 | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
 | tainted-access-paths.js:31:23:31:30 | obj.sub4 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:31:23:31:30 | obj.sub4 | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
 | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value |
+| tainted-require.js:12:24:12:42 | req.param("module") | tainted-require.js:12:24:12:42 | req.param("module") | tainted-require.js:12:24:12:42 | req.param("module") | This path depends on $@. | tainted-require.js:12:24:12:42 | req.param("module") | a user-provided value |
 | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | a user-provided value |
 | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | a user-provided value |
 | tainted-sendFile.js:18:43:18:58 | req.param("dir") | tainted-sendFile.js:18:43:18:58 | req.param("dir") | tainted-sendFile.js:18:43:18:58 | req.param("dir") | This path depends on $@. | tainted-sendFile.js:18:43:18:58 | req.param("dir") | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js
index 443ccdd31b0..9ad9a6c317d 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js
@@ -6,3 +6,8 @@ app.get('/some/path', function(req, res) {
   // BAD: loading a module based on un-sanitized query parameters
   var m = require(req.param("module"));
 });
+
+const resolve = require("resolve");
+app.get('/some/path', function(req, res) {
+  var module = resolve(req.param("module")); // NOT OK - resolving module based on query parameters
+});
\ No newline at end of file

From 0adc001df05b6f84501ea8522065ce9fd9a18799 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Sun, 6 Jun 2021 22:48:53 +0200
Subject: [PATCH 1347/1429] add taint-step for `serialize-javascript`

---
 .../2021-06-06-serialize-javascript.md        |  4 ++++
 .../ql/src/semmle/javascript/JsonParsers.qll  |  3 ++-
 .../javascript/security/dataflow/Xss.qll      | 20 +++++++++++++++++++
 .../TaintTracking/BasicTaintTracking.expected |  1 +
 .../test/library-tests/TaintTracking/tst.js   |  3 +++
 .../ReflectedXss/ReflectedXss.expected        | 16 +++++++++++++++
 .../ReflectedXssWithCustomSanitizer.expected  |  1 +
 .../Security/CWE-079/ReflectedXss/tst2.js     | 14 +++++++++++++
 8 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 javascript/change-notes/2021-06-06-serialize-javascript.md

diff --git a/javascript/change-notes/2021-06-06-serialize-javascript.md b/javascript/change-notes/2021-06-06-serialize-javascript.md
new file mode 100644
index 00000000000..7affd6fc4c8
--- /dev/null
+++ b/javascript/change-notes/2021-06-06-serialize-javascript.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The dataflow libraries now model dataflow in the [`serialize-javascript`](https://npmjs.com/package/serialize-javascript) library.
+  Affected packages are
+    [serialize-javascript](https://npmjs.com/package/serialize-javascript)
diff --git a/javascript/ql/src/semmle/javascript/JsonParsers.qll b/javascript/ql/src/semmle/javascript/JsonParsers.qll
index d3c112d36cd..3a670003bd8 100644
--- a/javascript/ql/src/semmle/javascript/JsonParsers.qll
+++ b/javascript/ql/src/semmle/javascript/JsonParsers.qll
@@ -29,7 +29,8 @@ private class PlainJsonParserCall extends JsonParserCall {
       callee = DataFlow::moduleImport("parse-json") or
       callee = DataFlow::moduleImport("json-parse-better-errors") or
       callee = DataFlow::moduleImport("json-safe-parse") or
-      callee = AngularJS::angular().getAPropertyRead("fromJson")
+      callee = AngularJS::angular().getAPropertyRead("fromJson") or
+      callee = DataFlow::moduleImport("serialize-javascript")
     )
   }
 
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
index 81e69a5229b..90b4e798a83 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -55,6 +55,17 @@ module Shared {
     }
   }
 
+  /**
+   * A call to `serialize-javascript`, which prevents XSS vulnerabilities unless
+   * the `unsafe` option is set.t
+   */
+  class SerializeJavascriptSanitizer extends Sanitizer, DataFlow::CallNode {
+    SerializeJavascriptSanitizer() {
+      this = DataFlow::moduleImport("serialize-javascript").getACall() and
+      not this.getOptionArgument(1, "unsafe").mayHaveBooleanValue(true)
+    }
+  }
+
   private import semmle.javascript.security.dataflow.IncompleteHtmlAttributeSanitizationCustomizations::IncompleteHtmlAttributeSanitization as IncompleteHTML
 
   /**
@@ -359,6 +370,9 @@ module DomBasedXss {
 
   private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
 
+  private class SerializeJavascriptSanitizer extends Sanitizer, Shared::SerializeJavascriptSanitizer {
+  }
+
   private class IsEscapedInSwitchSanitizer extends Sanitizer, Shared::IsEscapedInSwitchSanitizer { }
 
   private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }
@@ -497,6 +511,9 @@ module ReflectedXss {
 
   private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
 
+  private class SerializeJavascriptSanitizer extends Sanitizer, Shared::SerializeJavascriptSanitizer {
+  }
+
   private class IsEscapedInSwitchSanitizer extends Sanitizer, Shared::IsEscapedInSwitchSanitizer { }
 
   private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }
@@ -534,6 +551,9 @@ module StoredXss {
 
   private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
 
+  private class SerializeJavascriptSanitizer extends Sanitizer, Shared::SerializeJavascriptSanitizer {
+  }
+
   private class IsEscapedInSwitchSanitizer extends Sanitizer, Shared::IsEscapedInSwitchSanitizer { }
 
   private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
index 0eaafa38965..cf070e8610c 100644
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -166,6 +166,7 @@ typeInferenceMismatch
 | tst.js:2:13:2:20 | source() | tst.js:45:10:45:24 | x.map(x2 => x2) |
 | tst.js:2:13:2:20 | source() | tst.js:47:10:47:30 | Buffer. ...  'hex') |
 | tst.js:2:13:2:20 | source() | tst.js:48:10:48:22 | new Buffer(x) |
+| tst.js:2:13:2:20 | source() | tst.js:51:10:51:31 | seriali ... ript(x) |
 | xml.js:5:18:5:25 | source() | xml.js:8:14:8:17 | text |
 | xml.js:12:17:12:24 | source() | xml.js:13:14:13:19 | result |
 | xml.js:23:18:23:25 | source() | xml.js:20:14:20:17 | attr |
diff --git a/javascript/ql/test/library-tests/TaintTracking/tst.js b/javascript/ql/test/library-tests/TaintTracking/tst.js
index 61613507b9e..22e5368e3ef 100644
--- a/javascript/ql/test/library-tests/TaintTracking/tst.js
+++ b/javascript/ql/test/library-tests/TaintTracking/tst.js
@@ -46,4 +46,7 @@ function test() {
 
     sink(Buffer.from(x, 'hex')); // NOT OK
     sink(new Buffer(x));         // NOT OK
+
+    const serializeJavaScript = require("serialize-javascript");
+    sink(serializeJavaScript(x)) // NOT OK
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
index b1d940b437c..7e1526213f2 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -182,6 +182,14 @@ nodes
 | tst2.js:36:12:36:12 | p |
 | tst2.js:37:12:37:18 | other.p |
 | tst2.js:37:12:37:18 | other.p |
+| tst2.js:43:7:43:24 | p |
+| tst2.js:43:9:43:9 | p |
+| tst2.js:43:9:43:9 | p |
+| tst2.js:49:7:49:53 | unsafe |
+| tst2.js:49:16:49:53 | seriali ...  true}) |
+| tst2.js:49:36:49:36 | p |
+| tst2.js:51:12:51:17 | unsafe |
+| tst2.js:51:12:51:17 | unsafe |
 | tst3.js:5:7:5:24 | p |
 | tst3.js:5:9:5:9 | p |
 | tst3.js:5:9:5:9 | p |
@@ -338,6 +346,13 @@ edges
 | tst2.js:30:9:30:9 | p | tst2.js:30:7:30:24 | p |
 | tst2.js:33:11:33:11 | p | tst2.js:37:12:37:18 | other.p |
 | tst2.js:33:11:33:11 | p | tst2.js:37:12:37:18 | other.p |
+| tst2.js:43:7:43:24 | p | tst2.js:49:36:49:36 | p |
+| tst2.js:43:9:43:9 | p | tst2.js:43:7:43:24 | p |
+| tst2.js:43:9:43:9 | p | tst2.js:43:7:43:24 | p |
+| tst2.js:49:7:49:53 | unsafe | tst2.js:51:12:51:17 | unsafe |
+| tst2.js:49:7:49:53 | unsafe | tst2.js:51:12:51:17 | unsafe |
+| tst2.js:49:16:49:53 | seriali ...  true}) | tst2.js:49:7:49:53 | unsafe |
+| tst2.js:49:36:49:36 | p | tst2.js:49:16:49:53 | seriali ...  true}) |
 | tst3.js:5:7:5:24 | p | tst3.js:6:12:6:12 | p |
 | tst3.js:5:7:5:24 | p | tst3.js:6:12:6:12 | p |
 | tst3.js:5:9:5:9 | p | tst3.js:5:7:5:24 | p |
@@ -385,4 +400,5 @@ edges
 | tst2.js:21:14:21:14 | p | tst2.js:14:9:14:9 | p | tst2.js:21:14:21:14 | p | Cross-site scripting vulnerability due to $@. | tst2.js:14:9:14:9 | p | user-provided value |
 | tst2.js:36:12:36:12 | p | tst2.js:30:9:30:9 | p | tst2.js:36:12:36:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
 | tst2.js:37:12:37:18 | other.p | tst2.js:30:9:30:9 | p | tst2.js:37:12:37:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
+| tst2.js:51:12:51:17 | unsafe | tst2.js:43:9:43:9 | p | tst2.js:51:12:51:17 | unsafe | Cross-site scripting vulnerability due to $@. | tst2.js:43:9:43:9 | p | user-provided value |
 | tst3.js:6:12:6:12 | p | tst3.js:5:9:5:9 | p | tst3.js:6:12:6:12 | p | Cross-site scripting vulnerability due to $@. | tst3.js:5:9:5:9 | p | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
index 6a919f7b43a..722625cd4e2 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -39,4 +39,5 @@
 | tst2.js:21:14:21:14 | p | Cross-site scripting vulnerability due to $@. | tst2.js:14:9:14:9 | p | user-provided value |
 | tst2.js:36:12:36:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
 | tst2.js:37:12:37:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
+| tst2.js:51:12:51:17 | unsafe | Cross-site scripting vulnerability due to $@. | tst2.js:43:9:43:9 | p | user-provided value |
 | tst3.js:6:12:6:12 | p | Cross-site scripting vulnerability due to $@. | tst3.js:5:9:5:9 | p | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js
index 034b0791217..5ceff682707 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js
@@ -35,4 +35,18 @@ app.get('/baz', function(req, res) {
 
   res.send(p); // NOT OK
   res.send(other.p); // NOT OK
+});
+
+const serializeJavaScript = require('serialize-javascript');
+
+app.get('/baz', function(req, res) {
+  let { p } = req.params;
+
+  var serialized = serializeJavaScript(p);
+
+  res.send(serialized); // OK
+  
+  var unsafe = serializeJavaScript(p, {unsafe: true});
+
+  res.send(unsafe); // NOT OK
 });
\ No newline at end of file

From 5961dd1459af76c6e52509b8fbaea1fcd90f3376 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Sun, 6 Jun 2021 22:54:12 +0200
Subject: [PATCH 1348/1429] add another test for the `resolve` library

---
 .../CWE-022/TaintedPath/TaintedPath.expected  | 24 ++++++++++++-------
 .../CWE-022/TaintedPath/tainted-require.js    |  6 ++++-
 2 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
index ecf82260dc7..5610fc70be2 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -2594,12 +2594,18 @@ nodes
 | tainted-require.js:7:19:7:37 | req.param("module") |
 | tainted-require.js:7:19:7:37 | req.param("module") |
 | tainted-require.js:7:19:7:37 | req.param("module") |
-| tainted-require.js:12:24:12:42 | req.param("module") |
-| tainted-require.js:12:24:12:42 | req.param("module") |
-| tainted-require.js:12:24:12:42 | req.param("module") |
-| tainted-require.js:12:24:12:42 | req.param("module") |
-| tainted-require.js:12:24:12:42 | req.param("module") |
-| tainted-require.js:12:24:12:42 | req.param("module") |
+| tainted-require.js:12:29:12:47 | req.param("module") |
+| tainted-require.js:12:29:12:47 | req.param("module") |
+| tainted-require.js:12:29:12:47 | req.param("module") |
+| tainted-require.js:12:29:12:47 | req.param("module") |
+| tainted-require.js:12:29:12:47 | req.param("module") |
+| tainted-require.js:12:29:12:47 | req.param("module") |
+| tainted-require.js:14:11:14:29 | req.param("module") |
+| tainted-require.js:14:11:14:29 | req.param("module") |
+| tainted-require.js:14:11:14:29 | req.param("module") |
+| tainted-require.js:14:11:14:29 | req.param("module") |
+| tainted-require.js:14:11:14:29 | req.param("module") |
+| tainted-require.js:14:11:14:29 | req.param("module") |
 | tainted-sendFile.js:8:16:8:33 | req.param("gimme") |
 | tainted-sendFile.js:8:16:8:33 | req.param("gimme") |
 | tainted-sendFile.js:8:16:8:33 | req.param("gimme") |
@@ -7096,7 +7102,8 @@ edges
 | tainted-access-paths.js:31:23:31:25 | obj | tainted-access-paths.js:31:23:31:30 | obj.sub4 |
 | tainted-access-paths.js:31:23:31:25 | obj | tainted-access-paths.js:31:23:31:30 | obj.sub4 |
 | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") |
-| tainted-require.js:12:24:12:42 | req.param("module") | tainted-require.js:12:24:12:42 | req.param("module") |
+| tainted-require.js:12:29:12:47 | req.param("module") | tainted-require.js:12:29:12:47 | req.param("module") |
+| tainted-require.js:14:11:14:29 | req.param("module") | tainted-require.js:14:11:14:29 | req.param("module") |
 | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") |
 | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") |
 | tainted-sendFile.js:18:43:18:58 | req.param("dir") | tainted-sendFile.js:18:43:18:58 | req.param("dir") |
@@ -8311,7 +8318,8 @@ edges
 | tainted-access-paths.js:30:23:30:30 | obj.sub4 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:30:23:30:30 | obj.sub4 | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
 | tainted-access-paths.js:31:23:31:30 | obj.sub4 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:31:23:31:30 | obj.sub4 | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
 | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | tainted-require.js:7:19:7:37 | req.param("module") | This path depends on $@. | tainted-require.js:7:19:7:37 | req.param("module") | a user-provided value |
-| tainted-require.js:12:24:12:42 | req.param("module") | tainted-require.js:12:24:12:42 | req.param("module") | tainted-require.js:12:24:12:42 | req.param("module") | This path depends on $@. | tainted-require.js:12:24:12:42 | req.param("module") | a user-provided value |
+| tainted-require.js:12:29:12:47 | req.param("module") | tainted-require.js:12:29:12:47 | req.param("module") | tainted-require.js:12:29:12:47 | req.param("module") | This path depends on $@. | tainted-require.js:12:29:12:47 | req.param("module") | a user-provided value |
+| tainted-require.js:14:11:14:29 | req.param("module") | tainted-require.js:14:11:14:29 | req.param("module") | tainted-require.js:14:11:14:29 | req.param("module") | This path depends on $@. | tainted-require.js:14:11:14:29 | req.param("module") | a user-provided value |
 | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:8:16:8:33 | req.param("gimme") | a user-provided value |
 | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | This path depends on $@. | tainted-sendFile.js:10:16:10:33 | req.param("gimme") | a user-provided value |
 | tainted-sendFile.js:18:43:18:58 | req.param("dir") | tainted-sendFile.js:18:43:18:58 | req.param("dir") | tainted-sendFile.js:18:43:18:58 | req.param("dir") | This path depends on $@. | tainted-sendFile.js:18:43:18:58 | req.param("dir") | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js
index 9ad9a6c317d..23f89c55c39 100644
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/tainted-require.js
@@ -9,5 +9,9 @@ app.get('/some/path', function(req, res) {
 
 const resolve = require("resolve");
 app.get('/some/path', function(req, res) {
-  var module = resolve(req.param("module")); // NOT OK - resolving module based on query parameters
+  var module = resolve.sync(req.param("module")); // NOT OK - resolving module based on query parameters
+
+  resolve(req.param("module"), { basedir: __dirname }, function(err, res) { // NOT OK - resolving module based on query parameters
+    var module = res;
+  });
 });
\ No newline at end of file

From 17be6e1271c59dde1dda37ecb6b0432a0be583d2 Mon Sep 17 00:00:00 2001
From: Alex Denisov <alexdenisov@github.com>
Date: Mon, 7 Jun 2021 09:10:28 +0200
Subject: [PATCH 1349/1429] C++: Fix string literal expectation

---
 .../variables/getanassignedvalue/getanassignedvalue.expected    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/test/library-tests/variables/getanassignedvalue/getanassignedvalue.expected b/cpp/ql/test/library-tests/variables/getanassignedvalue/getanassignedvalue.expected
index bfde183c480..89977601d47 100644
--- a/cpp/ql/test/library-tests/variables/getanassignedvalue/getanassignedvalue.expected
+++ b/cpp/ql/test/library-tests/variables/getanassignedvalue/getanassignedvalue.expected
@@ -1,4 +1,3 @@
-| file://:0:0:0:0 | abc | test.cpp:53:6:53:11 | chars1 |
 | file://:0:0:0:0 | {...} | test.cpp:38:22:38:22 | v |
 | test.cpp:4:9:4:11 | 10 | test.cpp:4:6:4:6 | v |
 | test.cpp:5:15:5:16 | & ... | test.cpp:5:7:5:11 | ptr_v |
@@ -23,5 +22,6 @@
 | test.cpp:48:18:48:18 | 4 | test.cpp:31:6:31:8 | num |
 | test.cpp:48:21:48:26 | Four | test.cpp:32:14:32:16 | str |
 | test.cpp:52:19:52:27 | {...} | test.cpp:52:5:52:11 | myArray |
+| test.cpp:53:17:53:21 | abc | test.cpp:53:6:53:11 | chars1 |
 | test.cpp:54:17:54:31 | {...} | test.cpp:54:6:54:11 | chars2 |
 | test.cpp:55:16:55:20 | abc | test.cpp:55:7:55:12 | chars3 |

From 9dcb26d1519bb9d3fcde0387c390529be2fb2aa7 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 7 Jun 2021 10:05:48 +0200
Subject: [PATCH 1350/1429] Python: Autoformat

I had not set up the pre-commit hook properly
---
 python/ql/src/semmle/python/frameworks/Django.qll         | 4 ----
 .../frameworks/internal/PoorMansFunctionResolution.qll    | 8 ++------
 2 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Django.qll b/python/ql/src/semmle/python/frameworks/Django.qll
index fbe967d629f..33d2bebddfe 100644
--- a/python/ql/src/semmle/python/frameworks/Django.qll
+++ b/python/ql/src/semmle/python/frameworks/Django.qll
@@ -1388,9 +1388,6 @@ private module PrivateDjango {
   // ---------------------------------------------------------------------------
   // Helpers
   // ---------------------------------------------------------------------------
-
-
-
   // ---------------------------------------------------------------------------
   // Form and form field modeling
   // ---------------------------------------------------------------------------
@@ -1458,7 +1455,6 @@ private module PrivateDjango {
   // ---------------------------------------------------------------------------
   // routing modeling
   // ---------------------------------------------------------------------------
-
   /**
    * In order to recognize a class as being a django view class, based on the `as_view`
    * call, we need to be able to track such calls on _any_ class. This is provided by
diff --git a/python/ql/src/semmle/python/frameworks/internal/PoorMansFunctionResolution.qll b/python/ql/src/semmle/python/frameworks/internal/PoorMansFunctionResolution.qll
index 78764bf53bc..03e40c2244c 100644
--- a/python/ql/src/semmle/python/frameworks/internal/PoorMansFunctionResolution.qll
+++ b/python/ql/src/semmle/python/frameworks/internal/PoorMansFunctionResolution.qll
@@ -44,9 +44,7 @@ private Expr lastDecoratorCall(Function func) {
  * print(inst.my_method)
  * ```
  */
-private DataFlow::LocalSourceNode poorMansFunctionTracker(
-  DataFlow::TypeTracker t, Function func
-) {
+private DataFlow::LocalSourceNode poorMansFunctionTracker(DataFlow::TypeTracker t, Function func) {
   t.start() and
   (
     not exists(func.getADecorator()) and
@@ -61,9 +59,7 @@ private DataFlow::LocalSourceNode poorMansFunctionTracker(
     result.asExpr() = lastDecoratorCall(func)
   )
   or
-  exists(DataFlow::TypeTracker t2 |
-    result = poorMansFunctionTracker(t2, func).track(t2, t)
-  )
+  exists(DataFlow::TypeTracker t2 | result = poorMansFunctionTracker(t2, func).track(t2, t))
 }
 
 /**

From e82ad6fc22a7d607b2f5ffdfc90803ca8231e935 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 7 Jun 2021 10:13:26 +0200
Subject: [PATCH 1351/1429] Python: Add missing QLDoc

---
 python/ql/src/semmle/python/frameworks/Aiohttp.qll | 6 ++++++
 python/ql/src/semmle/python/frameworks/Yarl.qll    | 1 +
 2 files changed, 7 insertions(+)

diff --git a/python/ql/src/semmle/python/frameworks/Aiohttp.qll b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
index 24f141807ba..05260d4e128 100644
--- a/python/ql/src/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -328,6 +328,10 @@ module AiohttpWebModel {
     override string getSourceType() { result = "aiohttp.web.Request" }
   }
 
+  /**
+   * A read of the `request` attribute on an instance of a aiohttp.web View class,
+   * which is the request being processed currently.
+   */
   class AiohttpViewClassRequestAttributeRead extends Request::InstanceSource,
     RemoteFlowSource::Range, DataFlow::Node {
     AiohttpViewClassRequestAttributeRead() {
@@ -378,6 +382,7 @@ module AiohttpWebModel {
     }
   }
 
+  /** An attribute read on a `aiohttp.web.Request` that is a `MultiDictProxy` instance. */
   class AiohttpRequestMultiDictProxyInstances extends Multidict::MultiDictProxy::InstanceSource {
     AiohttpRequestMultiDictProxyInstances() {
       this.(DataFlow::AttrRead).getObject() = Request::instance() and
@@ -385,6 +390,7 @@ module AiohttpWebModel {
     }
   }
 
+  /** An attribute read on a `aiohttp.web.Request` that is a `yarl.URL` instance. */
   class AiohttpRequestYarlUrlInstances extends Yarl::Url::InstanceSource {
     AiohttpRequestYarlUrlInstances() {
       this.(DataFlow::AttrRead).getObject() = Request::instance() and
diff --git a/python/ql/src/semmle/python/frameworks/Yarl.qll b/python/ql/src/semmle/python/frameworks/Yarl.qll
index b91a407832f..eedecf9b8ec 100644
--- a/python/ql/src/semmle/python/frameworks/Yarl.qll
+++ b/python/ql/src/semmle/python/frameworks/Yarl.qll
@@ -111,6 +111,7 @@ module Yarl {
       }
     }
 
+    /** An attribute read on a `yarl.URL` that is a `MultiDictProxy` instance. */
     class YarlUrlMultiDictProxyInstance extends Multidict::MultiDictProxy::InstanceSource {
       YarlUrlMultiDictProxyInstance() {
         this.(DataFlow::AttrRead).getObject() = Yarl::Url::instance() and

From 52f1930e1d896165cfd3396ceca251c89f70ec6f Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Mon, 7 Jun 2021 11:37:05 +0200
Subject: [PATCH 1352/1429] Add key-read-steps as local additional taint steps

---
 .../src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll | 1 +
 1 file changed, 1 insertion(+)

diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index 93b8641d11b..966daea783f 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -69,6 +69,7 @@ private module Cached {
     |
       f instanceof ArrayContent or
       f instanceof CollectionContent or
+      f instanceof MapKeyContent or
       f instanceof MapValueContent
     )
     or

From 6f05fd4839c95fa08eb7cf5758ec4485fec6c235 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 7 Jun 2021 11:01:00 +0100
Subject: [PATCH 1353/1429] C++: Autoformat.

---
 cpp/ql/src/semmle/code/cpp/Location.qll                | 4 +++-
 cpp/ql/test/library-tests/locations/charloc/charloc.ql | 3 ++-
 cpp/ql/test/query-tests/definitions/locationInfo.ql    | 6 ++++--
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/Location.qll b/cpp/ql/src/semmle/code/cpp/Location.qll
index 8fc67f3b9df..2a730ea5768 100644
--- a/cpp/ql/src/semmle/code/cpp/Location.qll
+++ b/cpp/ql/src/semmle/code/cpp/Location.qll
@@ -128,7 +128,9 @@ deprecated library class LocationExpr extends Location, @location_expr { }
  * Gets the length of the longest line in file `f`.
  */
 pragma[nomagic]
-private int maxCols(File f) { result = max(Location l | l.getFile() = f | l.getStartColumn().maximum(l.getEndColumn())) }
+private int maxCols(File f) {
+  result = max(Location l | l.getFile() = f | l.getStartColumn().maximum(l.getEndColumn()))
+}
 
 /**
  * A C/C++ element that has a location in a file
diff --git a/cpp/ql/test/library-tests/locations/charloc/charloc.ql b/cpp/ql/test/library-tests/locations/charloc/charloc.ql
index e12f69eb28f..9ac69c6055e 100644
--- a/cpp/ql/test/library-tests/locations/charloc/charloc.ql
+++ b/cpp/ql/test/library-tests/locations/charloc/charloc.ql
@@ -4,4 +4,5 @@ from File f, Expr e, Location l, int start, int end
 where
   e.getLocation() = l and
   l.charLoc(f, start, end)
-select f.getBaseName(), e.toString(), start, end, concat(Expr e2, Location l2 | e2.getLocation() = l2 and l.subsumes(l2) | e2.toString(), ", ")
+select f.getBaseName(), e.toString(), start, end,
+  concat(Expr e2, Location l2 | e2.getLocation() = l2 and l.subsumes(l2) | e2.toString(), ", ")
diff --git a/cpp/ql/test/query-tests/definitions/locationInfo.ql b/cpp/ql/test/query-tests/definitions/locationInfo.ql
index 28c5da3ea27..7c8bf331d1c 100644
--- a/cpp/ql/test/query-tests/definitions/locationInfo.ql
+++ b/cpp/ql/test/query-tests/definitions/locationInfo.ql
@@ -11,8 +11,10 @@ class Link extends Top {
  * Gets the length of the longest line in file `f`.
  */
 pragma[nomagic]
-private int maxCols(File f) { result = max(Location l | l.getFile() = f | l.getStartColumn().maximum(l.getEndColumn())) }
- 
+private int maxCols(File f) {
+  result = max(Location l | l.getFile() = f | l.getStartColumn().maximum(l.getEndColumn()))
+}
+
 /**
  * Gets the location of an element that has a link-to-definition (in a similar manner to
  * `Location.charLoc`)

From e09774be03a58f01ef70ac4018a3a6f428c123ba Mon Sep 17 00:00:00 2001
From: Felicity Chapman <felicitymay@github.com>
Date: Mon, 7 Jun 2021 11:49:28 +0100
Subject: [PATCH 1354/1429] Address technical review feedback

---
 .../analyzing-databases-with-the-codeql-cli.rst          | 8 ++++----
 .../using-custom-queries-with-the-codeql-cli.rst         | 6 ++++--
 .../writing-codeql-queries/about-codeql-queries.rst      | 9 +++++----
 3 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst b/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
index caadf3ecfb0..cda82640152 100644
--- a/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
+++ b/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
@@ -143,12 +143,12 @@ These are stored alongside the code scanning suites with names of the form: ``<l
 For information about creating custom query suites, see ":doc:`Creating
 CodeQL query suites <creating-codeql-query-suites>`."
 
-Diagnostic information
-......................
+Diagnostic and summary information
+..................................
 
-The code scanning query suites include additional diagnostic queries. When the database analysis is complete, the CLI generates the results file and reports any diagnostic data to standard output. If you choose to generate SARIF output, the diagnostic data is also included as `notification objects <https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317894>`__ in the SARIF file.
+The code scanning query suites include additional diagnostic and summary queries. When the database analysis is complete, the CLI generates the results file and reports any diagnostic and summary data to standard output. If you choose to generate SARIF output, the additional data is also included in the SARIF file.
 
-If the analysis found fewer results for standard queries than you expected, review the results of the diagnostic queries to check whether the CodeQL database is likely to be a good representation of the codebase that you want to analyze.
+If the analysis found fewer results for standard queries than you expected, review the results of the diagnostic and summary queries to check whether the CodeQL database is likely to be a good representation of the codebase that you want to analyze.
 
 Running all queries in a directory
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/docs/codeql/codeql-cli/using-custom-queries-with-the-codeql-cli.rst b/docs/codeql/codeql-cli/using-custom-queries-with-the-codeql-cli.rst
index b504f010a88..51d63ed3709 100644
--- a/docs/codeql/codeql-cli/using-custom-queries-with-the-codeql-cli.rst
+++ b/docs/codeql/codeql-cli/using-custom-queries-with-the-codeql-cli.rst
@@ -33,8 +33,10 @@ following two properties to ensure that the results are interpreted correctly:
 
 - Query identifier (``@id``): a sequence of words composed of lowercase letters or
   digits, delimited by ``/`` or ``-``, identifying and classifying the query. 
-- Query type (``@kind``): identifies the query is an alert (``@kind problem``),
-  a path (``@kind path-problem``), or a diagnostic metric (``@kind diagnostic``).
+- Query type (``@kind``): identifies the query as a simple alert (``@kind problem``),
+  an alert documented by a sequence of code locations (``@kind path-problem``), 
+  for extractor troubleshooting (``@kind diagnostic``), or a summary metric 
+  (``@kind metric`` and ``@tags summary``).
 
 For more information about these metadata properties, see ":ref:`Metadata for CodeQL queries
 <metadata-for-codeql-queries>`" and the `Query metadata style guide
diff --git a/docs/codeql/writing-codeql-queries/about-codeql-queries.rst b/docs/codeql/writing-codeql-queries/about-codeql-queries.rst
index c1d91ddcbe0..cd36acd2ac8 100644
--- a/docs/codeql/writing-codeql-queries/about-codeql-queries.rst
+++ b/docs/codeql/writing-codeql-queries/about-codeql-queries.rst
@@ -57,9 +57,10 @@ Query metadata is used to identify your custom queries when they are added to th
 
     Queries that are contributed to the open source repository, added to a query pack in LGTM, or used to analyze a database with the :ref:`CodeQL CLI <codeql-cli>` must have a query type (``@kind``) specified. The ``@kind`` property indicates how to interpret and display the results of the query analysis:
 
-    - Alert query metadata must contain ``@kind problem``.
-    - Diagnostic query metadata must contain ``@kind diagnostic``.
-    - Path query metadata must contain ``@kind path-problem``.
+    - Alert query metadata must contain ``@kind problem`` to identify the results as a simple alert.
+    - Path query metadata must contain ``@kind path-problem`` to identify the results as an alert documented by a sequence of code locations.
+    - Diagnostic query metadata must contain ``@kind diagnostic`` to identify the results as troubleshooting data about the extraction process.
+    - Summary query metadata must contain ``@kind metric`` and ``@tags summary`` to identify the results as summary metrics for the CodeQL database.
 
     When you define the ``@kind`` property of a custom query you must also ensure that the rest of your query has the correct structure in order to be valid, as described below.
 
@@ -115,7 +116,7 @@ You can modify the alert message defined in the final column of the ``select`` s
 
 Select clauses for path queries (``@kind path-problem``) are crafted to display both an alert and the source and sink of an associated path graph. For more information, see ":doc:`Creating path queries <creating-path-queries>`."
 
-Select clauses for diagnostic queries (``@kind diagnostic``) have different requirements. For examples, see the `diagnostic queries in the CodeQL repository <https://github.com/github/codeql/search?q=%22%40kind+diagnostic%22>`__.
+Select clauses for diagnostic queries (``@kind diagnostic``) and summary metric queries (``@kind metric`` and ``@tags summary``) have different requirements. For examples, see the `diagnostic queries <https://github.com/github/codeql/search?q=%22%40kind+diagnostic%22>`__ and the `summary metric queries <https://github.com/github/codeql/search?q=%22%40kind+metric%22+%22%40tags+summary%22>`__  in the CodeQL repository.
 
 Viewing the standard CodeQL queries
 ***********************************

From d292be38801b51c2107e663a41a388c75a4b724d Mon Sep 17 00:00:00 2001
From: Felicity Chapman <felicitymay@github.com>
Date: Mon, 7 Jun 2021 12:00:20 +0100
Subject: [PATCH 1355/1429] Update the revised section

---
 .../codeql-cli/analyzing-databases-with-the-codeql-cli.rst    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst b/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
index cda82640152..db2e19606ec 100644
--- a/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
+++ b/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
@@ -29,7 +29,7 @@ When you run ``database analyze``, it:
 #. Executes one or more query files, by running them over a CodeQL database.
 #. Interprets the results, based on certain query metadata, so that alerts can be
    displayed in the correct location in the source code.
-#. Reports the results of any diagnostic queries to standard output.
+#. Reports the results of any diagnostic and summary queries to standard output.
 
 You can analyze a database by running the following command::
 
@@ -146,7 +146,7 @@ CodeQL query suites <creating-codeql-query-suites>`."
 Diagnostic and summary information
 ..................................
 
-The code scanning query suites include additional diagnostic and summary queries. When the database analysis is complete, the CLI generates the results file and reports any diagnostic and summary data to standard output. If you choose to generate SARIF output, the additional data is also included in the SARIF file.
+The code scanning query suites include additional queries to report diagnostic data generated by the extractor during database creation and summary metrics for the CodeQL database generated. When the database analysis command completes, the CLI generates the results file and reports any diagnostic and summary data to standard output. If you choose to generate SARIF output, the additional data is also included in the SARIF file.
 
 If the analysis found fewer results for standard queries than you expected, review the results of the diagnostic and summary queries to check whether the CodeQL database is likely to be a good representation of the codebase that you want to analyze.
 

From 3819a361b5c2368a43a415be8f266250c6691860 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 7 Jun 2021 14:16:33 +0200
Subject: [PATCH 1356/1429] Python: Autoformat

---
 .../sensitive-data/TestSensitiveDataSources.ql        | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql b/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql
index 39a6da19599..2548f313b20 100644
--- a/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql
+++ b/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql
@@ -13,12 +13,10 @@ class SensitiveDataSourcesTest extends InlineExpectationsTest {
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(location.getFile().getRelativePath()) and
     exists(SensitiveDataSource source |
-      (
-        location = source.getLocation() and
-        element = source.toString() and
-        value = source.getClassification() and
-        tag = "SensitiveDataSource"
-      )
+      location = source.getLocation() and
+      element = source.toString() and
+      value = source.getClassification() and
+      tag = "SensitiveDataSource"
       or
       exists(DataFlow::Node use |
         use = API::builtin("print").getACall().getArg(_) and
@@ -27,7 +25,6 @@ class SensitiveDataSourcesTest extends InlineExpectationsTest {
         element = use.toString() and
         value = source.getClassification() and
         tag = "SensitiveUse"
-
       )
     )
   }

From 5419143e726d03d93676e54dca2ef1aa9b1ef27b Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 7 Jun 2021 15:20:55 +0200
Subject: [PATCH 1357/1429] remove `createHashHistory` from the `history` sink

---
 .../security/dataflow/ClientSideUrlRedirectCustomizations.qll   | 2 +-
 .../query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
index 9bca989e984..5e8147da309 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
@@ -198,7 +198,7 @@ module ClientSideUrlRedirect {
     HistoryWriteUrlSink() {
       this =
         API::moduleImport("history")
-            .getMember(["createBrowserHistory", "createHashHistory"])
+            .getMember("createBrowserHistory")
             .getReturn()
             .getMember(["push", "replace"])
             .getACall()
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js
index 63956a651a2..43bef2cb4cf 100644
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js
@@ -61,7 +61,7 @@ function bar() {
     history.push(payload); // NOT OK
 }
 function baz() {
-    const history = require('history').createHashHistory();
+    const history = require('history').createBrowserHistory();
     var payload = history.location.hash.substr(1);
 
     history.replace(payload); // NOT OK

From a63b0b28d43526f0ac2c038ccae68ed9a7e59ca7 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 7 Jun 2021 15:42:13 +0200
Subject: [PATCH 1358/1429] refactor the history library model, add support for
 the global variable

---
 javascript/ql/src/javascript.qll              |  1 +
 .../semmle/javascript/frameworks/History.qll  | 54 +++++++++++++++++++
 .../ClientSideUrlRedirectCustomizations.qll   |  8 +--
 .../javascript/security/dataflow/DOM.qll      | 27 ----------
 .../ClientSideUrlRedirect.expected            | 12 +++++
 .../CWE-601/ClientSideUrlRedirect/tst13.js    |  7 +++
 6 files changed, 75 insertions(+), 34 deletions(-)
 create mode 100644 javascript/ql/src/semmle/javascript/frameworks/History.qll

diff --git a/javascript/ql/src/javascript.qll b/javascript/ql/src/javascript.qll
index 95db948bbd4..3d1bb230908 100644
--- a/javascript/ql/src/javascript.qll
+++ b/javascript/ql/src/javascript.qll
@@ -93,6 +93,7 @@ import semmle.javascript.frameworks.FormParsers
 import semmle.javascript.frameworks.jQuery
 import semmle.javascript.frameworks.JWT
 import semmle.javascript.frameworks.Handlebars
+import semmle.javascript.frameworks.History
 import semmle.javascript.frameworks.Immutable
 import semmle.javascript.frameworks.LazyCache
 import semmle.javascript.frameworks.LodashUnderscore
diff --git a/javascript/ql/src/semmle/javascript/frameworks/History.qll b/javascript/ql/src/semmle/javascript/frameworks/History.qll
new file mode 100644
index 00000000000..aca0b46fde5
--- /dev/null
+++ b/javascript/ql/src/semmle/javascript/frameworks/History.qll
@@ -0,0 +1,54 @@
+/** Provides classes and predicates modelling aspects of the [`history`](https://npmjs.org/package/history) library. */
+
+import javascript
+
+module History {
+  /** The global variable `HistoryLibrary` as an entry point for API graphs. */
+  private class HistoryGlobalEntry extends API::EntryPoint {
+    HistoryGlobalEntry() { this = "HistoryLibrary" }
+
+    override DataFlow::SourceNode getAUse() { result = DataFlow::globalVarRef("HistoryLibrary") }
+
+    override DataFlow::Node getARhs() { none() }
+  }
+
+  /**
+   * Gets a reference to the [`history`](https://npmjs.org/package/history) library.
+   */
+  private API::Node history() {
+    result = [API::moduleImport("history"), API::root().getASuccessor(any(HistoryGlobalEntry h))]
+  }
+
+  /**
+   * Gets a browser history instance.
+   * This history instance uses the native browser history API.
+   */
+  API::Node getBrowserHistory() { result = history().getMember("createBrowserHistory").getReturn() }
+
+  /**
+   * Gets a hash history instance.
+   * This history instance only manipulates the URL hash, which cannot cause XSS.
+   */
+  API::Node getHashHistory() { result = history().getMember("createHashHistory").getReturn() }
+
+  /**
+   * A user-controlled location value read from the [history](http://npmjs.org/package/history) library.
+   */
+  private class HistoryLibaryRemoteFlow extends ClientSideRemoteFlowSource {
+    ClientSideRemoteFlowKind kind;
+
+    HistoryLibaryRemoteFlow() {
+      exists(API::Node loc | loc = [getBrowserHistory(), getHashHistory()].getMember("location") |
+        this = loc.getMember("hash").getAnImmediateUse() and kind.isFragment()
+        or
+        this = loc.getMember("pathname").getAnImmediateUse() and kind.isPath()
+        or
+        this = loc.getMember("search").getAnImmediateUse() and kind.isQuery()
+      )
+    }
+
+    override string getSourceType() { result = "Window location" }
+
+    override ClientSideRemoteFlowKind getKind() { result = kind }
+  }
+}
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
index 5e8147da309..49b50255a73 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
@@ -196,13 +196,7 @@ module ClientSideUrlRedirect {
    */
   class HistoryWriteUrlSink extends ScriptUrlSink {
     HistoryWriteUrlSink() {
-      this =
-        API::moduleImport("history")
-            .getMember("createBrowserHistory")
-            .getReturn()
-            .getMember(["push", "replace"])
-            .getACall()
-            .getArgument(0)
+      this = History::getBrowserHistory().getMember(["push", "replace"]).getACall().getArgument(0)
     }
   }
 
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll b/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
index 42f5924f6aa..204f04e9c52 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
@@ -272,30 +272,3 @@ private class WindowLocationFlowSource extends ClientSideRemoteFlowSource {
 
   override ClientSideRemoteFlowKind getKind() { result = kind }
 }
-
-/**
- * A user-controlled location value read from the [history](http://npmjs.org/package/history) library.
- */
-private class HistoryLibaryRemoteFlow extends ClientSideRemoteFlowSource {
-  ClientSideRemoteFlowKind kind;
-
-  HistoryLibaryRemoteFlow() {
-    exists(API::Node loc |
-      loc =
-        API::moduleImport("history")
-            .getMember(["createBrowserHistory", "createHashHistory"])
-            .getReturn()
-            .getMember("location")
-    |
-      this = loc.getMember("hash").getAnImmediateUse() and kind.isFragment()
-      or
-      this = loc.getMember("pathname").getAnImmediateUse() and kind.isPath()
-      or
-      this = loc.getMember("search").getAnImmediateUse() and kind.isQuery()
-    )
-  }
-
-  override string getSourceType() { result = "Window location" }
-
-  override ClientSideRemoteFlowKind getKind() { result = kind }
-}
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
index d3edd76979b..0c386238b57 100644
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/ClientSideUrlRedirect.expected
@@ -141,6 +141,12 @@ nodes
 | tst13.js:65:19:65:49 | history ... bstr(1) |
 | tst13.js:67:21:67:27 | payload |
 | tst13.js:67:21:67:27 | payload |
+| tst13.js:72:9:72:49 | payload |
+| tst13.js:72:19:72:39 | history ... on.hash |
+| tst13.js:72:19:72:39 | history ... on.hash |
+| tst13.js:72:19:72:49 | history ... bstr(1) |
+| tst13.js:74:21:74:27 | payload |
+| tst13.js:74:21:74:27 | payload |
 | tst.js:2:19:2:69 | /.*redi ... n.href) |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
@@ -328,6 +334,11 @@ edges
 | tst13.js:65:19:65:39 | history ... on.hash | tst13.js:65:19:65:49 | history ... bstr(1) |
 | tst13.js:65:19:65:39 | history ... on.hash | tst13.js:65:19:65:49 | history ... bstr(1) |
 | tst13.js:65:19:65:49 | history ... bstr(1) | tst13.js:65:9:65:49 | payload |
+| tst13.js:72:9:72:49 | payload | tst13.js:74:21:74:27 | payload |
+| tst13.js:72:9:72:49 | payload | tst13.js:74:21:74:27 | payload |
+| tst13.js:72:19:72:39 | history ... on.hash | tst13.js:72:19:72:49 | history ... bstr(1) |
+| tst13.js:72:19:72:39 | history ... on.hash | tst13.js:72:19:72:49 | history ... bstr(1) |
+| tst13.js:72:19:72:49 | history ... bstr(1) | tst13.js:72:9:72:49 | payload |
 | tst.js:2:19:2:69 | /.*redi ... n.href) | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
 | tst.js:2:19:2:69 | /.*redi ... n.href) | tst.js:2:19:2:72 | /.*redi ... ref)[1] |
 | tst.js:2:47:2:63 | document.location | tst.js:2:47:2:68 | documen ... on.href |
@@ -421,6 +432,7 @@ edges
 | tst13.js:53:28:53:28 | e | tst13.js:52:34:52:34 | e | tst13.js:53:28:53:28 | e | Untrusted URL redirection due to $@. | tst13.js:52:34:52:34 | e | user-provided value |
 | tst13.js:61:18:61:24 | payload | tst13.js:59:19:59:42 | documen ... .search | tst13.js:61:18:61:24 | payload | Untrusted URL redirection due to $@. | tst13.js:59:19:59:42 | documen ... .search | user-provided value |
 | tst13.js:67:21:67:27 | payload | tst13.js:65:19:65:39 | history ... on.hash | tst13.js:67:21:67:27 | payload | Untrusted URL redirection due to $@. | tst13.js:65:19:65:39 | history ... on.hash | user-provided value |
+| tst13.js:74:21:74:27 | payload | tst13.js:72:19:72:39 | history ... on.hash | tst13.js:74:21:74:27 | payload | Untrusted URL redirection due to $@. | tst13.js:72:19:72:39 | history ... on.hash | user-provided value |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] | tst.js:2:47:2:63 | document.location | tst.js:2:19:2:72 | /.*redi ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:2:47:2:63 | document.location | user-provided value |
 | tst.js:2:19:2:72 | /.*redi ... ref)[1] | tst.js:2:47:2:68 | documen ... on.href | tst.js:2:19:2:72 | /.*redi ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:2:47:2:68 | documen ... on.href | user-provided value |
 | tst.js:6:20:6:59 | indirec ... ref)[1] | tst.js:6:34:6:50 | document.location | tst.js:6:20:6:59 | indirec ... ref)[1] | Untrusted URL redirection due to $@. | tst.js:6:34:6:50 | document.location | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js
index 43bef2cb4cf..ce4c497a25f 100644
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst13.js
@@ -64,5 +64,12 @@ function baz() {
     const history = require('history').createBrowserHistory();
     var payload = history.location.hash.substr(1);
 
+    history.replace(payload); // NOT OK
+}
+
+function quz() {
+    const history = HistoryLibrary.createBrowserHistory();
+    var payload = history.location.hash.substr(1);
+
     history.replace(payload); // NOT OK
 }
\ No newline at end of file

From 71019419e29efd9c906d0d8d0f50ab79d8dffd62 Mon Sep 17 00:00:00 2001
From: Felicity Chapman <felicitymay@github.com>
Date: Mon, 7 Jun 2021 15:13:43 +0100
Subject: [PATCH 1359/1429] Update following writer review

---
 .../codeql-cli/analyzing-databases-with-the-codeql-cli.rst      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst b/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
index db2e19606ec..a9bcd8ff4e1 100644
--- a/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
+++ b/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
@@ -146,7 +146,7 @@ CodeQL query suites <creating-codeql-query-suites>`."
 Diagnostic and summary information
 ..................................
 
-The code scanning query suites include additional queries to report diagnostic data generated by the extractor during database creation and summary metrics for the CodeQL database generated. When the database analysis command completes, the CLI generates the results file and reports any diagnostic and summary data to standard output. If you choose to generate SARIF output, the additional data is also included in the SARIF file.
+When you create a CodeQL database, the extractor stores diagnostic data in the database. The code scanning query suites include additional queries to report on this diagnostic data and calculate summary metrics. When the database analysis command completes, the CLI generates the results file and reports any diagnostic and summary data to standard output. If you choose to generate SARIF output, the additional data is also included in the SARIF file.
 
 If the analysis found fewer results for standard queries than you expected, review the results of the diagnostic and summary queries to check whether the CodeQL database is likely to be a good representation of the codebase that you want to analyze.
 

From 4cf3c11e83757bff2fa6d432d1c6f8e4801101de Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 7 Jun 2021 16:31:06 +0200
Subject: [PATCH 1360/1429] JS: Add lines of user code summary query

---
 javascript/ql/src/Summary/LinesOfUserCode.ql  | 21 +++++++++++++++++++
 .../query-tests/Summary/LinesOfCode.expected  |  2 +-
 .../Summary/LinesOfUserCode.expected          |  1 +
 .../query-tests/Summary/LinesOfUserCode.qlref |  1 +
 .../test/query-tests/Summary/src/foo.min.js   |  1 +
 5 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 javascript/ql/src/Summary/LinesOfUserCode.ql
 create mode 100644 javascript/ql/test/query-tests/Summary/LinesOfUserCode.expected
 create mode 100644 javascript/ql/test/query-tests/Summary/LinesOfUserCode.qlref
 create mode 100644 javascript/ql/test/query-tests/Summary/src/foo.min.js

diff --git a/javascript/ql/src/Summary/LinesOfUserCode.ql b/javascript/ql/src/Summary/LinesOfUserCode.ql
new file mode 100644
index 00000000000..61ad13519cb
--- /dev/null
+++ b/javascript/ql/src/Summary/LinesOfUserCode.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Total lines of user written JavaScript and TypeScript code in the database
+ * @description The total number of lines of JavaScript and TypeScript code from the source code directory,
+ *   excluding auto-generated files and files in `node_modules`. This query counts the lines of code, excluding
+ *   whitespace or comments.
+ * @kind metric
+ * @tags summary
+ *       lines-of-code
+ * @id js/summary/lines-of-user-code
+ */
+
+import javascript
+import semmle.javascript.GeneratedCode
+
+select sum(File f |
+    not f.getATopLevel().isExterns() and
+    exists(f.getRelativePath()) and
+    not isGeneratedCode(f)
+  |
+    f.getNumberOfLinesOfCode()
+  )
diff --git a/javascript/ql/test/query-tests/Summary/LinesOfCode.expected b/javascript/ql/test/query-tests/Summary/LinesOfCode.expected
index 0c89049708a..f0a02d5bd57 100644
--- a/javascript/ql/test/query-tests/Summary/LinesOfCode.expected
+++ b/javascript/ql/test/query-tests/Summary/LinesOfCode.expected
@@ -1 +1 @@
-| 12 |
+| 13 |
diff --git a/javascript/ql/test/query-tests/Summary/LinesOfUserCode.expected b/javascript/ql/test/query-tests/Summary/LinesOfUserCode.expected
new file mode 100644
index 00000000000..0c89049708a
--- /dev/null
+++ b/javascript/ql/test/query-tests/Summary/LinesOfUserCode.expected
@@ -0,0 +1 @@
+| 12 |
diff --git a/javascript/ql/test/query-tests/Summary/LinesOfUserCode.qlref b/javascript/ql/test/query-tests/Summary/LinesOfUserCode.qlref
new file mode 100644
index 00000000000..548874fe786
--- /dev/null
+++ b/javascript/ql/test/query-tests/Summary/LinesOfUserCode.qlref
@@ -0,0 +1 @@
+Summary/LinesOfUserCode.ql
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Summary/src/foo.min.js b/javascript/ql/test/query-tests/Summary/src/foo.min.js
new file mode 100644
index 00000000000..8b28d8991c1
--- /dev/null
+++ b/javascript/ql/test/query-tests/Summary/src/foo.min.js
@@ -0,0 +1 @@
+!function(){document.body.appendChild(document.createElement('span'));document.body.appendChild(document.createElement('span'));document.body.appendChild(document.createElement('span'))}()
\ No newline at end of file

From 09a2c055a7c50b8e1bda0291985a0f6367ed9bff Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 7 Jun 2021 16:50:01 +0200
Subject: [PATCH 1361/1429] add test for the `serverless` express API

---
 .../frameworks/ServerLess/test.expected          |  1 +
 .../frameworks/ServerLess/tst6/handler.js        |  9 +++++++++
 .../frameworks/ServerLess/tst6/serverless.yml    | 16 ++++++++++++++++
 3 files changed, 26 insertions(+)
 create mode 100644 javascript/ql/test/library-tests/frameworks/ServerLess/tst6/handler.js
 create mode 100644 javascript/ql/test/library-tests/frameworks/ServerLess/tst6/serverless.yml

diff --git a/javascript/ql/test/library-tests/frameworks/ServerLess/test.expected b/javascript/ql/test/library-tests/frameworks/ServerLess/test.expected
index 96ef06a352b..4eeed666c44 100644
--- a/javascript/ql/test/library-tests/frameworks/ServerLess/test.expected
+++ b/javascript/ql/test/library-tests/frameworks/ServerLess/test.expected
@@ -3,3 +3,4 @@
 | tst3/function/index.js:1:36:1:40 | event |
 | tst4/app.js:1:36:1:40 | event |
 | tst5/app.js:1:36:1:40 | event |
+| tst6/handler.js:6:23:6:36 | req.query.name |
diff --git a/javascript/ql/test/library-tests/frameworks/ServerLess/tst6/handler.js b/javascript/ql/test/library-tests/frameworks/ServerLess/tst6/handler.js
new file mode 100644
index 00000000000..2d375ff29e3
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/ServerLess/tst6/handler.js
@@ -0,0 +1,9 @@
+const serverless = require("serverless-http");
+const express = require("express");
+const app = express();
+
+app.get("/", (req, res, next) => {
+  res.send("Hello " + req.query.name);
+});
+
+module.exports.handler = serverless(app);
diff --git a/javascript/ql/test/library-tests/frameworks/ServerLess/tst6/serverless.yml b/javascript/ql/test/library-tests/frameworks/ServerLess/tst6/serverless.yml
new file mode 100644
index 00000000000..6aa8b60d8d6
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/ServerLess/tst6/serverless.yml
@@ -0,0 +1,16 @@
+service: aws-node-express-api
+
+frameworkVersion: '2'
+
+provider:
+  name: aws
+  runtime: nodejs12.x
+  lambdaHashingVersion: '20201221'
+
+functions:
+  api:
+    handler: handler.handler
+    events:
+      - http:
+          path: /
+          method: ANY
\ No newline at end of file

From a12954a4038de4e6f0c55d40673b7f7ef8e3fd8e Mon Sep 17 00:00:00 2001
From: Alex Denisov <alexdenisov@github.com>
Date: Mon, 7 Jun 2021 17:15:21 +0200
Subject: [PATCH 1362/1429] C++: Remove outdated comment

---
 cpp/ql/test/library-tests/variables/getanassignedvalue/test.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/test/library-tests/variables/getanassignedvalue/test.cpp b/cpp/ql/test/library-tests/variables/getanassignedvalue/test.cpp
index 60740acc424..490535775c6 100644
--- a/cpp/ql/test/library-tests/variables/getanassignedvalue/test.cpp
+++ b/cpp/ql/test/library-tests/variables/getanassignedvalue/test.cpp
@@ -50,6 +50,6 @@ myStruct2 v3 = {{4, "Four"}}; // assigments to `v3`, `ms2`, `num`, `str`
 // ---
 
 int myArray[10] = {1, 2, 3}; // assigment to `myArray`
-char chars1[] = "abc"; // assignment to `chars1` (literal "abc" has no location)
+char chars1[] = "abc"; // assignment to `chars1`
 char chars2[] = {'a', 'b', 'c'}; // assigment to `chars2`
 char *chars3 = "abc"; // assigment to `chars3`

From bcf08e6472b4723476cb05cb7161f8d012a82112 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 7 Jun 2021 17:19:19 +0200
Subject: [PATCH 1363/1429] add remote flow source for the `serverless` library

---
 .../javascript/frameworks/ServerLess.qll      | 12 +++++++--
 .../frameworks/ServerLess/test.expected       |  1 +
 .../frameworks/ServerLess/tst7/handler.js     |  4 +++
 .../frameworks/ServerLess/tst7/serverless.yml | 25 +++++++++++++++++++
 4 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 javascript/ql/test/library-tests/frameworks/ServerLess/tst7/handler.js
 create mode 100644 javascript/ql/test/library-tests/frameworks/ServerLess/tst7/serverless.yml

diff --git a/javascript/ql/src/semmle/javascript/frameworks/ServerLess.qll b/javascript/ql/src/semmle/javascript/frameworks/ServerLess.qll
index 15dd6a3da59..59dfa3047cd 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/ServerLess.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/ServerLess.qll
@@ -1,13 +1,13 @@
 /**
  * Provides classes and predicates for working with serverless handlers.
- * E.g. AWS: https://docs.aws.amazon.com/lambda/latest/dg/nodejs-handler.html
+ * E.g. [AWS](https://docs.aws.amazon.com/lambda/latest/dg/nodejs-handler.html) or [serverless](https://npmjs.com/package/serverless)
  */
 
 import javascript
 
 /**
  * Provides classes and predicates for working with serverless handlers.
- * In particular a `RemoteFlowSource` is added for AWS and Alibaba serverless.
+ * In particular a `RemoteFlowSource` is added for AWS, Alibaba, and serverless.
  */
 private module ServerLess {
   /**
@@ -24,6 +24,14 @@ private module ServerLess {
         then codeURI = properties.lookup("CodeUri").(YAMLScalar).getValue()
         else codeURI = ""
       )
+      or
+      // The `serverless` library, which specifies a top-level `functions` property
+      exists(YAMLMapping functions |
+        functions = resource.lookup("functions") and
+        not exists(resource.getParentNode()) and
+        handler = functions.getValue(_).(YAMLMapping).lookup("handler").(YAMLScalar).getValue() and
+        codeURI = ""
+      )
     )
   }
 
diff --git a/javascript/ql/test/library-tests/frameworks/ServerLess/test.expected b/javascript/ql/test/library-tests/frameworks/ServerLess/test.expected
index 4eeed666c44..ede10467263 100644
--- a/javascript/ql/test/library-tests/frameworks/ServerLess/test.expected
+++ b/javascript/ql/test/library-tests/frameworks/ServerLess/test.expected
@@ -4,3 +4,4 @@
 | tst4/app.js:1:36:1:40 | event |
 | tst5/app.js:1:36:1:40 | event |
 | tst6/handler.js:6:23:6:36 | req.query.name |
+| tst7/handler.js:1:34:1:38 | event |
diff --git a/javascript/ql/test/library-tests/frameworks/ServerLess/tst7/handler.js b/javascript/ql/test/library-tests/frameworks/ServerLess/tst7/handler.js
new file mode 100644
index 00000000000..1a66c96d5c0
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/ServerLess/tst7/handler.js
@@ -0,0 +1,4 @@
+export async function myFunction(event, context, callback) {
+  const body = JSON.parse(event.body);
+  // do something
+}
\ No newline at end of file
diff --git a/javascript/ql/test/library-tests/frameworks/ServerLess/tst7/serverless.yml b/javascript/ql/test/library-tests/frameworks/ServerLess/tst7/serverless.yml
new file mode 100644
index 00000000000..c5e9dfa0faa
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/ServerLess/tst7/serverless.yml
@@ -0,0 +1,25 @@
+
+service: serverless-myChecker
+
+plugins:
+  - serverless-webpack
+  - serverless-offline
+
+custom:
+  webpack:
+    webpackConfig: ./webpack.config.js
+    includeModules: true
+
+provider:
+  name: aws
+  runtime: nodejs12.x
+  profile: personal
+  region: eu-west-1
+
+functions:
+  myChecker:
+    handler: handler.myFunction
+    events:
+      - http:
+          path: webhook
+          method: post
\ No newline at end of file

From 7f09edcf596e2507e45523183b144ff3369d9302 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 7 Jun 2021 17:25:18 +0200
Subject: [PATCH 1364/1429] add change note

---
 javascript/change-notes/2021-06-07-serverless.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 javascript/change-notes/2021-06-07-serverless.md

diff --git a/javascript/change-notes/2021-06-07-serverless.md b/javascript/change-notes/2021-06-07-serverless.md
new file mode 100644
index 00000000000..0b4f49d1705
--- /dev/null
+++ b/javascript/change-notes/2021-06-07-serverless.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Events from the [`serverless`](https://npmjs.com/package/serverless) package are recognized a source of remote user input.
+  Affected packages are
+    [serverless](https://npmjs.com/package/serverless)

From aad738ba9fe73fb6f07c569eac1e631f158cf5ac Mon Sep 17 00:00:00 2001
From: Felicity Chapman <felicitymay@github.com>
Date: Mon, 7 Jun 2021 17:05:40 +0100
Subject: [PATCH 1365/1429] Update
 docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst

Co-authored-by: Andrew Eisenberg <aeisenberg@github.com>
---
 .../codeql-cli/analyzing-databases-with-the-codeql-cli.rst      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst b/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
index a9bcd8ff4e1..da87b3d57d5 100644
--- a/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
+++ b/docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
@@ -146,7 +146,7 @@ CodeQL query suites <creating-codeql-query-suites>`."
 Diagnostic and summary information
 ..................................
 
-When you create a CodeQL database, the extractor stores diagnostic data in the database. The code scanning query suites include additional queries to report on this diagnostic data and calculate summary metrics. When the database analysis command completes, the CLI generates the results file and reports any diagnostic and summary data to standard output. If you choose to generate SARIF output, the additional data is also included in the SARIF file.
+When you create a CodeQL database, the extractor stores diagnostic data in the database. The code scanning query suites include additional queries to report on this diagnostic data and calculate summary metrics. When the ``database analyze`` command completes, the CLI generates the results file and reports any diagnostic and summary data to standard output. If you choose to generate SARIF output, the additional data is also included in the SARIF file.
 
 If the analysis found fewer results for standard queries than you expected, review the results of the diagnostic and summary queries to check whether the CodeQL database is likely to be a good representation of the codebase that you want to analyze.
 

From be7abede228fcb2d75d7c8925e7d96bdc9957c23 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Mon, 7 Jun 2021 20:04:17 +0200
Subject: [PATCH 1366/1429] add model for the `joi` library

---
 javascript/change-notes/2021-06-07-joi.md     |  4 ++
 .../ql/src/semmle/javascript/JsonSchema.qll   | 57 ++++++++++++++++++-
 .../javascript/security/dataflow/Xss.qll      |  2 +
 .../ExceptionXss/ExceptionXss.expected        |  5 ++
 .../Security/CWE-079/ExceptionXss/ajv.js      | 13 +++++
 .../CWE-089/untyped/DatabaseAccesses.expected |  4 ++
 .../CWE-089/untyped/SqlInjection.expected     | 22 +++++++
 .../CWE-089/untyped/json-schema-validator.js  | 27 +++++++++
 8 files changed, 131 insertions(+), 3 deletions(-)
 create mode 100644 javascript/change-notes/2021-06-07-joi.md

diff --git a/javascript/change-notes/2021-06-07-joi.md b/javascript/change-notes/2021-06-07-joi.md
new file mode 100644
index 00000000000..0f10a524465
--- /dev/null
+++ b/javascript/change-notes/2021-06-07-joi.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The security queries now recognize the JSON schema validation from the [joi](https://npmjs.org/package/joi) library.
+  Affected packages are
+    [joi](https://npmjs.org/package/joi)
diff --git a/javascript/ql/src/semmle/javascript/JsonSchema.qll b/javascript/ql/src/semmle/javascript/JsonSchema.qll
index 5c3306bf64b..13ce7d325fa 100644
--- a/javascript/ql/src/semmle/javascript/JsonSchema.qll
+++ b/javascript/ql/src/semmle/javascript/JsonSchema.qll
@@ -8,8 +8,8 @@ import javascript
  * Provides classes and predicates for working with JSON schema libraries.
  */
 module JsonSchema {
-  /** A call that validates an input against a JSON schema. */
-  abstract class ValidationCall extends DataFlow::CallNode {
+  /** A node that validates an input against a JSON schema. */
+  abstract class ValidationCall extends DataFlow::Node {
     /** Gets the data flow node whose value is being validated. */
     abstract DataFlow::Node getInput();
 
@@ -89,7 +89,7 @@ module JsonSchema {
     }
 
     /** A call to the `validate` method of `ajv`. */
-    class AjvValidationCall extends ValidationCall {
+    class AjvValidationCall extends ValidationCall, DataFlow::CallNode {
       Instance instance;
       int argIndex;
 
@@ -126,4 +126,55 @@ module JsonSchema {
       }
     }
   }
+
+  /** Provides a model for working with the [`joi`](https://npmjs.org/package/joi) library. */
+  module Joi {
+    /** A schema created using `joi.object()` or other schemas that might refer an object schema. */
+    private API::Node objectSchema() {
+      // A call that creates a schema that might be an object schema.
+      result =
+        API::moduleImport("joi")
+            .getMember([
+                "object", "alternatives", "all", "link", "compile", "allow", "valid", "when",
+                "build", "options"
+              ])
+            .getReturn()
+      or
+      // A call to a schema that returns another schema.
+      // Read from the [index.d.ts](https://github.com/sideway/joi/blob/master/lib/index.d.ts) file.
+      result =
+        objectSchema()
+            .getMember([
+                // AnySchema
+                "allow", "alter", "bind", "cache", "cast", "concat", "default", "description",
+                "disallow", "empty", "equal", "error", "example", "exist", "external", "failover",
+                "forbidden", "fork", "id", "invalid", "keep", "label", "message", "messages",
+                "meta", "not", "note", "only", "optional", "options", "prefs", "preferences",
+                "presence", "raw", "required", "rule", "shared", "strict", "strip", "tag", "tailor",
+                "unit", "valid", "warn", "warning", "when",
+                // ObjectSchema
+                "and", "append", "assert", "instance", "keys", "length", "max", "min", "nand", "or",
+                "oxor", "pattern", "ref", "regex", "rename", "schema", "unknown", "with", "without",
+                "xor"
+              ])
+            .getReturn()
+    }
+
+    /**
+     * A read of the `error` property from a validation result, seen as a `ValidationCall`.
+     * If `error` exists, then the validation failed.
+     */
+    class JoiValidationErrorRead extends ValidationCall {
+      API::CallNode validateCall;
+
+      JoiValidationErrorRead() {
+        validateCall = objectSchema().getMember("validate").getACall() and
+        this = validateCall.getReturn().getMember("error").getAnImmediateUse()
+      }
+
+      override DataFlow::Node getInput() { result = validateCall.getArgument(0) }
+
+      override boolean getPolarity() { result = false }
+    }
+  }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
index 90b4e798a83..1c10309d70b 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -617,6 +617,8 @@ module ExceptionXss {
   private class JsonSchemaValidationError extends Source {
     JsonSchemaValidationError() {
       this = any(JsonSchema::Ajv::Instance i).getAValidationError().getAnImmediateUse()
+      or
+      this = any(JsonSchema::Joi::JoiValidationErrorRead r)
     }
 
     override string getDescription() { result = "JSON schema validation error" }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ExceptionXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ExceptionXss.expected
index 0d03b367331..0ff9bcb932a 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ExceptionXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ExceptionXss.expected
@@ -2,6 +2,9 @@ nodes
 | ajv.js:11:18:11:33 | ajv.errorsText() |
 | ajv.js:11:18:11:33 | ajv.errorsText() |
 | ajv.js:11:18:11:33 | ajv.errorsText() |
+| ajv.js:24:18:24:26 | val.error |
+| ajv.js:24:18:24:26 | val.error |
+| ajv.js:24:18:24:26 | val.error |
 | exception-xss.js:2:6:2:28 | foo |
 | exception-xss.js:2:12:2:28 | document.location |
 | exception-xss.js:2:12:2:28 | document.location |
@@ -89,6 +92,7 @@ nodes
 | exception-xss.js:182:19:182:23 | error |
 edges
 | ajv.js:11:18:11:33 | ajv.errorsText() | ajv.js:11:18:11:33 | ajv.errorsText() |
+| ajv.js:24:18:24:26 | val.error | ajv.js:24:18:24:26 | val.error |
 | exception-xss.js:2:6:2:28 | foo | exception-xss.js:9:11:9:13 | foo |
 | exception-xss.js:2:6:2:28 | foo | exception-xss.js:15:9:15:11 | foo |
 | exception-xss.js:2:6:2:28 | foo | exception-xss.js:21:11:21:13 | foo |
@@ -170,6 +174,7 @@ edges
 | exception-xss.js:180:26:180:30 | error | exception-xss.js:182:19:182:23 | error |
 #select
 | ajv.js:11:18:11:33 | ajv.errorsText() | ajv.js:11:18:11:33 | ajv.errorsText() | ajv.js:11:18:11:33 | ajv.errorsText() | $@ is reinterpreted as HTML without escaping meta-characters. | ajv.js:11:18:11:33 | ajv.errorsText() | JSON schema validation error |
+| ajv.js:24:18:24:26 | val.error | ajv.js:24:18:24:26 | val.error | ajv.js:24:18:24:26 | val.error | $@ is reinterpreted as HTML without escaping meta-characters. | ajv.js:24:18:24:26 | val.error | JSON schema validation error |
 | exception-xss.js:11:18:11:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:11:18:11:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text |
 | exception-xss.js:17:18:17:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:17:18:17:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text |
 | exception-xss.js:23:18:23:18 | e | exception-xss.js:2:12:2:28 | document.location | exception-xss.js:23:18:23:18 | e | $@ is reinterpreted as HTML without escaping meta-characters. | exception-xss.js:2:12:2:28 | document.location | Exception text |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ajv.js b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ajv.js
index 2ebbc46a4b3..36dd5181a1b 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ajv.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss/ajv.js
@@ -11,3 +11,16 @@ app.post('/polldata', (req, res) => {
         res.send(ajv.errorsText()); // NOT OK
     }
 });
+
+const joi = require("joi");
+const joiSchema = joi.object().keys({
+    name: joi.string().required(),
+    age: joi.number().required()
+}).with('name', 'age');
+
+app.post('/votedata', (req, res) => {
+    const val = joiSchema.validate(req.body);
+    if (val.error) {
+        res.send(val.error); // NOT OK
+    }
+});
\ No newline at end of file
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected
index 6252e53b5ab..893df134268 100644
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected
@@ -2,6 +2,10 @@
 | json-schema-validator.js:30:13:30:27 | doc.find(query) |
 | json-schema-validator.js:33:13:33:27 | doc.find(query) |
 | json-schema-validator.js:35:9:35:23 | doc.find(query) |
+| json-schema-validator.js:53:13:53:27 | doc.find(query) |
+| json-schema-validator.js:55:13:55:27 | doc.find(query) |
+| json-schema-validator.js:59:13:59:27 | doc.find(query) |
+| json-schema-validator.js:61:13:61:27 | doc.find(query) |
 | marsdb-flow-to.js:14:3:14:22 | db.myDoc.find(query) |
 | marsdb.js:16:3:16:17 | doc.find(query) |
 | minimongo.js:18:3:18:17 | doc.find(query) |
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
index ac856dabb7b..e62af9b5c5e 100644
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -7,6 +7,16 @@ nodes
 | json-schema-validator.js:33:22:33:26 | query |
 | json-schema-validator.js:35:18:35:22 | query |
 | json-schema-validator.js:35:18:35:22 | query |
+| json-schema-validator.js:50:15:50:48 | query |
+| json-schema-validator.js:50:23:50:48 | JSON.pa ... y.data) |
+| json-schema-validator.js:50:34:50:47 | req.query.data |
+| json-schema-validator.js:50:34:50:47 | req.query.data |
+| json-schema-validator.js:55:22:55:26 | query |
+| json-schema-validator.js:55:22:55:26 | query |
+| json-schema-validator.js:59:22:59:26 | query |
+| json-schema-validator.js:59:22:59:26 | query |
+| json-schema-validator.js:61:22:61:26 | query |
+| json-schema-validator.js:61:22:61:26 | query |
 | marsdb-flow-to.js:10:9:10:18 | query |
 | marsdb-flow-to.js:10:17:10:18 | {} |
 | marsdb-flow-to.js:11:17:11:24 | req.body |
@@ -329,6 +339,15 @@ edges
 | json-schema-validator.js:25:23:25:48 | JSON.pa ... y.data) | json-schema-validator.js:25:15:25:48 | query |
 | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:25:23:25:48 | JSON.pa ... y.data) |
 | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:25:23:25:48 | JSON.pa ... y.data) |
+| json-schema-validator.js:50:15:50:48 | query | json-schema-validator.js:55:22:55:26 | query |
+| json-schema-validator.js:50:15:50:48 | query | json-schema-validator.js:55:22:55:26 | query |
+| json-schema-validator.js:50:15:50:48 | query | json-schema-validator.js:59:22:59:26 | query |
+| json-schema-validator.js:50:15:50:48 | query | json-schema-validator.js:59:22:59:26 | query |
+| json-schema-validator.js:50:15:50:48 | query | json-schema-validator.js:61:22:61:26 | query |
+| json-schema-validator.js:50:15:50:48 | query | json-schema-validator.js:61:22:61:26 | query |
+| json-schema-validator.js:50:23:50:48 | JSON.pa ... y.data) | json-schema-validator.js:50:15:50:48 | query |
+| json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:50:23:50:48 | JSON.pa ... y.data) |
+| json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:50:23:50:48 | JSON.pa ... y.data) |
 | marsdb-flow-to.js:10:9:10:18 | query | marsdb-flow-to.js:14:17:14:21 | query |
 | marsdb-flow-to.js:10:9:10:18 | query | marsdb-flow-to.js:14:17:14:21 | query |
 | marsdb-flow-to.js:10:17:10:18 | {} | marsdb-flow-to.js:10:9:10:18 | query |
@@ -723,6 +742,9 @@ edges
 #select
 | json-schema-validator.js:33:22:33:26 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:33:22:33:26 | query | This query depends on $@. | json-schema-validator.js:25:34:25:47 | req.query.data | a user-provided value |
 | json-schema-validator.js:35:18:35:22 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:35:18:35:22 | query | This query depends on $@. | json-schema-validator.js:25:34:25:47 | req.query.data | a user-provided value |
+| json-schema-validator.js:55:22:55:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:55:22:55:26 | query | This query depends on $@. | json-schema-validator.js:50:34:50:47 | req.query.data | a user-provided value |
+| json-schema-validator.js:59:22:59:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:59:22:59:26 | query | This query depends on $@. | json-schema-validator.js:50:34:50:47 | req.query.data | a user-provided value |
+| json-schema-validator.js:61:22:61:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:61:22:61:26 | query | This query depends on $@. | json-schema-validator.js:50:34:50:47 | req.query.data | a user-provided value |
 | marsdb-flow-to.js:14:17:14:21 | query | marsdb-flow-to.js:11:17:11:24 | req.body | marsdb-flow-to.js:14:17:14:21 | query | This query depends on $@. | marsdb-flow-to.js:11:17:11:24 | req.body | a user-provided value |
 | marsdb.js:16:12:16:16 | query | marsdb.js:13:17:13:24 | req.body | marsdb.js:16:12:16:16 | query | This query depends on $@. | marsdb.js:13:17:13:24 | req.body | a user-provided value |
 | minimongo.js:18:12:18:16 | query | minimongo.js:15:17:15:24 | req.body | minimongo.js:18:12:18:16 | query | This query depends on $@. | minimongo.js:15:17:15:24 | req.body | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/json-schema-validator.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/json-schema-validator.js
index 93f09a51adb..a3bfcfd4a30 100644
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/json-schema-validator.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/json-schema-validator.js
@@ -35,3 +35,30 @@ app.post('/documents/find', (req, res) => {
         doc.find(query); // NOT OK
     });
 });
+
+import Joi from 'joi';
+
+const joiSchema = Joi.object({
+    date: Joi.string().required(),
+    title: Joi.string().required()
+}).with('date', 'title');
+
+app.post('/documents/insert', (req, res) => {
+    MongoClient.connect('mongodb://localhost:27017/test', async (err, db) => {
+        let doc = db.collection('doc');
+
+        const query = JSON.parse(req.query.data);
+        const validate = joiSchema.validate(query);
+        if (!validate.error) {
+            doc.find(query); // OK
+        } else {
+            doc.find(query); // NOT OK
+        }
+        try {
+            await joiSchema.validateAsync(query);
+            doc.find(query); // OK - but still flagged [INCONSISTENCY]
+        } catch (e) {
+            doc.find(query); // NOT OK
+        }
+    });
+});
\ No newline at end of file

From 1ad08677c2ee3ae04d26daaec4885d180798d0ea Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Sun, 6 Jun 2021 23:50:35 +0200
Subject: [PATCH 1367/1429] model `serve-handler` in
 `js/exposure-of-private-files`

---
 .../change-notes/2021-06-06-serve-handler.md  |  4 +++
 .../Security/CWE-200/PrivateFileExposure.ql   | 27 ++++++++++++++++---
 .../CWE-200/PrivateFileExposure.expected      |  1 +
 .../Security/CWE-200/private-file-exposure.js | 11 +++++++-
 4 files changed, 38 insertions(+), 5 deletions(-)
 create mode 100644 javascript/change-notes/2021-06-06-serve-handler.md

diff --git a/javascript/change-notes/2021-06-06-serve-handler.md b/javascript/change-notes/2021-06-06-serve-handler.md
new file mode 100644
index 00000000000..4b4090bbcd8
--- /dev/null
+++ b/javascript/change-notes/2021-06-06-serve-handler.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Private folders exposed using the [`serve-handler`](https://npmjs.com/package/serve-handler) library is not recognized by `js/exposure-of-private-files`.
+  Affected packages are
+    [serve-handler](https://npmjs.com/package/serve-handler)
\ No newline at end of file
diff --git a/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql b/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
index 981d6210715..d112563f89a 100644
--- a/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
+++ b/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
@@ -126,8 +126,27 @@ DataFlow::CallNode servesAPrivateFolder(string description) {
   result.getArgument(0) = getAPrivateFolderPath(description)
 }
 
-from Express::RouteSetup setup, string path
+/**
+ * Gets an [`express`](https://npmjs.com/package/express) route-setup
+ * that exposes a private folder described by `path`.
+ */
+Express::RouteSetup getAnExposingExpressSetup(string path) {
+  result.isUseCall() and
+  result.getArgument([0 .. 1]) = servesAPrivateFolder(path).getEnclosingExpr()
+}
+
+/**
+ * Gets a call to [`serve-handler`](https://npmjs.com/package/serve-handler)
+ * that exposes a private folder described by `path`.
+ */
+DataFlow::CallNode getAnExposingServeSetup(string path) {
+  result = DataFlow::moduleImport("serve-handler").getACall() and
+  result.getOptionArgument(2, "public") = getAPrivateFolderPath(path)
+}
+
+from DataFlow::Node node, string path
 where
-  setup.isUseCall() and
-  setup.getArgument([0 .. 1]) = servesAPrivateFolder(path).getEnclosingExpr()
-select setup, "Serves " + path + ", which can contain private information."
+  node = getAnExposingExpressSetup(path).flow()
+  or
+  node = getAnExposingServeSetup(path)
+select node, "Serves " + path + ", which can contain private information."
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/PrivateFileExposure.expected b/javascript/ql/test/query-tests/Security/CWE-200/PrivateFileExposure.expected
index ccbb8b8efd7..3cf199ce371 100644
--- a/javascript/ql/test/query-tests/Security/CWE-200/PrivateFileExposure.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-200/PrivateFileExposure.expected
@@ -19,4 +19,5 @@
 | private-file-exposure.js:42:1:42:66 | app.use ... dir())) | Serves the home folder, which can contain private information. |
 | private-file-exposure.js:43:1:43:46 | app.use ... )("/")) | Serves the root folder, which can contain private information. |
 | private-file-exposure.js:51:5:51:88 | app.use ... les'))) | Serves the folder "../node_modules", which can contain private information. |
+| private-file-exposure.js:70:5:70:71 | serveHa ... ular"}) | Serves the folder "./node_modules/angular", which can contain private information. |
 | subfolder/private-file-exposure-2.js:6:1:6:34 | app.use ... rname)) | Serves the folder query-tests/Security/CWE-200/subfolder, which can contain private information. |
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js b/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js
index 63528fd37ba..210773fba7e 100644
--- a/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js
+++ b/javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js
@@ -61,4 +61,13 @@ function good() {
     app.use("bootstrap", express.static('./node_modules/bootstrap/dist')); // OK
 }
 
-app.use(express.static(__dirname)) // NOT OK
\ No newline at end of file
+app.use(express.static(__dirname)) // NOT OK
+
+const serveHandler = require("serve-handler");
+const http = require("http");
+
+http.createServer((request, response) => {
+    serveHandler(request, response, {public: "./node_modules/angular"}); // NOT OK
+
+    serveHandler(request, response); // OK
+}).listen(8080);
\ No newline at end of file

From b1d7c61d8e339fc841e91ce7f9a57b4d05aace4a Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 8 Jun 2021 09:56:32 +0200
Subject: [PATCH 1368/1429] add missing qldoc

---
 javascript/ql/src/semmle/javascript/frameworks/History.qll | 1 +
 1 file changed, 1 insertion(+)

diff --git a/javascript/ql/src/semmle/javascript/frameworks/History.qll b/javascript/ql/src/semmle/javascript/frameworks/History.qll
index aca0b46fde5..05be7ec36dd 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/History.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/History.qll
@@ -2,6 +2,7 @@
 
 import javascript
 
+/** Provides classes modelling the [`history`](https://npmjs.org/package/history) library. */
 module History {
   /** The global variable `HistoryLibrary` as an entry point for API graphs. */
   private class HistoryGlobalEntry extends API::EntryPoint {

From 8b4c3c446247f2ecb95abc4177654605d1a23fc6 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 8 Jun 2021 11:18:49 +0200
Subject: [PATCH 1369/1429] refactor `ValidationCall` back to a `CallNode`

---
 .../ql/src/semmle/javascript/JsonSchema.qll   | 41 ++++++++++++-------
 .../javascript/security/TaintedObject.qll     |  5 ++-
 .../javascript/security/dataflow/Xss.qll      |  2 +-
 3 files changed, 30 insertions(+), 18 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/JsonSchema.qll b/javascript/ql/src/semmle/javascript/JsonSchema.qll
index 13ce7d325fa..ad7b804bde5 100644
--- a/javascript/ql/src/semmle/javascript/JsonSchema.qll
+++ b/javascript/ql/src/semmle/javascript/JsonSchema.qll
@@ -8,13 +8,24 @@ import javascript
  * Provides classes and predicates for working with JSON schema libraries.
  */
 module JsonSchema {
-  /** A node that validates an input against a JSON schema. */
-  abstract class ValidationCall extends DataFlow::Node {
+  /** A call that validates an input against a JSON schema. */
+  abstract class ValidationCall extends DataFlow::CallNode {
     /** Gets the data flow node whose value is being validated. */
     abstract DataFlow::Node getInput();
 
-    /** Gets the return value that indicates successful validation. */
+    /**
+     * Gets if the return value indicates successfull or unsuccessful validation.
+     * Is not defined if the return value from this call does not directly
+     * indicate success.
+     */
     boolean getPolarity() { result = true }
+
+    /**
+     * Gets a value that indicates whether the validation was successful.
+     */
+    DataFlow::Node getAValidationResultAccess(boolean polarity) {
+      result = this and polarity = getPolarity()
+    }
   }
 
   /** A data flow node that is used a JSON schema. */
@@ -89,7 +100,7 @@ module JsonSchema {
     }
 
     /** A call to the `validate` method of `ajv`. */
-    class AjvValidationCall extends ValidationCall, DataFlow::CallNode {
+    class AjvValidationCall extends ValidationCall {
       Instance instance;
       int argIndex;
 
@@ -161,20 +172,20 @@ module JsonSchema {
     }
 
     /**
-     * A read of the `error` property from a validation result, seen as a `ValidationCall`.
-     * If `error` exists, then the validation failed.
+     * A call to the `validate` method from the [`joi`](https://npmjs.org/package/joi) library.
+     * The `error` property in the result indicates whether the validation was successful.
      */
-    class JoiValidationErrorRead extends ValidationCall {
-      API::CallNode validateCall;
+    class JoiValidationErrorRead extends ValidationCall, API::CallNode {
+      JoiValidationErrorRead() { this = objectSchema().getMember("validate").getACall() }
 
-      JoiValidationErrorRead() {
-        validateCall = objectSchema().getMember("validate").getACall() and
-        this = validateCall.getReturn().getMember("error").getAnImmediateUse()
+      override DataFlow::Node getInput() { result = this.getArgument(0) }
+
+      override boolean getPolarity() { none() }
+
+      override DataFlow::Node getAValidationResultAccess(boolean polarity) {
+        result = this.getReturn().getMember("error").getAnImmediateUse() and
+        polarity = false
       }
-
-      override DataFlow::Node getInput() { result = validateCall.getArgument(0) }
-
-      override boolean getPolarity() { result = false }
     }
   }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/TaintedObject.qll b/javascript/ql/src/semmle/javascript/security/TaintedObject.qll
index 444dec2ae71..eabbd0a920d 100644
--- a/javascript/ql/src/semmle/javascript/security/TaintedObject.qll
+++ b/javascript/ql/src/semmle/javascript/security/TaintedObject.qll
@@ -115,11 +115,12 @@ module TaintedObject {
    */
   private class JsonSchemaValidationGuard extends SanitizerGuard {
     JsonSchema::ValidationCall call;
+    boolean polarity;
 
-    JsonSchemaValidationGuard() { this = call }
+    JsonSchemaValidationGuard() { this = call.getAValidationResultAccess(polarity) }
 
     override predicate sanitizes(boolean outcome, Expr e, FlowLabel label) {
-      outcome = call.getPolarity() and
+      outcome = polarity and
       e = call.getInput().asExpr() and
       label = label()
     }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
index 1c10309d70b..b07bf8eed48 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -618,7 +618,7 @@ module ExceptionXss {
     JsonSchemaValidationError() {
       this = any(JsonSchema::Ajv::Instance i).getAValidationError().getAnImmediateUse()
       or
-      this = any(JsonSchema::Joi::JoiValidationErrorRead r)
+      this = any(JsonSchema::Joi::JoiValidationErrorRead r).getAValidationResultAccess(_)
     }
 
     override string getDescription() { result = "JSON schema validation error" }

From 32545a134647df35844031433b33fc41ce0a988f Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 8 Jun 2021 10:59:03 +0100
Subject: [PATCH 1370/1429] C++: Add CWE-789 tag to
 cpp/uncontrolled-allocation-size.

---
 cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
index 75cac365a1a..84a10ec082b 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -9,6 +9,7 @@
  * @tags reliability
  *       security
  *       external/cwe/cwe-190
+ *       external/cwe/cwe-789
  */
 
 import cpp

From ba6d504746726e1c0ae3d86eaebfaadd75422742 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 8 Jun 2021 13:12:23 +0200
Subject: [PATCH 1371/1429] fix typo in `SerializeJavascriptSanitizer` qldoc

---
 javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
index 90b4e798a83..a264d00e553 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll
@@ -57,7 +57,7 @@ module Shared {
 
   /**
    * A call to `serialize-javascript`, which prevents XSS vulnerabilities unless
-   * the `unsafe` option is set.t
+   * the `unsafe` option is set to `true`.
    */
   class SerializeJavascriptSanitizer extends Sanitizer, DataFlow::CallNode {
     SerializeJavascriptSanitizer() {

From 4b98af0c2ba81a78970265596ec8275446d3db83 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Tue, 8 Jun 2021 13:13:33 +0200
Subject: [PATCH 1372/1429] fix typo in `prettier` qldoc

Co-authored-by: Asger F <asgerf@github.com>
---
 .../javascript/security/dataflow/TaintedPathCustomizations.qll  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
index d0814cd51d3..91fb8f3b996 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -651,7 +651,7 @@ module TaintedPath {
   }
 
   /**
-   * An argument given to the `prettier` library specificing the location of a config file.
+   * An argument given to the `prettier` library specifying the location of a config file.
    */
   private class PrettierFileSink extends TaintedPath::Sink {
     PrettierFileSink() {

From afd35f2e218dd6153d3f62e53308759cef384a26 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 8 Jun 2021 16:19:25 +0200
Subject: [PATCH 1373/1429] Python: Fix wording of change-note

`aiohttp.web` is a web _framework_, and not a web _server_.
---
 python/change-notes/2021-06-03-aiohttp-webserver-modeling.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/change-notes/2021-06-03-aiohttp-webserver-modeling.md b/python/change-notes/2021-06-03-aiohttp-webserver-modeling.md
index a62a9c4b75e..22a836671e3 100644
--- a/python/change-notes/2021-06-03-aiohttp-webserver-modeling.md
+++ b/python/change-notes/2021-06-03-aiohttp-webserver-modeling.md
@@ -1,2 +1,2 @@
 lgtm,codescanning
-* Added modeling of sources/sinks when using `aiohttp.web` to create web servers.
+* Added modeling of sources/sinks when using the `aiohttp.web` web framework.

From 09de1bcf44b2d308dbbd82142c3693844f1847fe Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 8 Jun 2021 18:51:37 +0200
Subject: [PATCH 1374/1429] Python: Add tests for type-tracking attrs on
 instances

---
 .../dataflow/typetracking/attribute_tests.py  | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/python/ql/test/experimental/dataflow/typetracking/attribute_tests.py b/python/ql/test/experimental/dataflow/typetracking/attribute_tests.py
index af8fe9bd4e3..41eecb591a5 100644
--- a/python/ql/test/experimental/dataflow/typetracking/attribute_tests.py
+++ b/python/ql/test/experimental/dataflow/typetracking/attribute_tests.py
@@ -99,3 +99,39 @@ def dunder_dict_indirect_read():
     do_stuff(y) # $ MISSING: tracked
 
 
+# ------------------------------------------------------------------------------
+# Tracking of attribute on class instance
+# ------------------------------------------------------------------------------
+
+# attribute set in method
+# inspired by https://github.com/github/codeql/pull/6023
+class MyClass2(object):
+    def __init__(self): # $ tracked=foo
+        self.foo = tracked # $ tracked=foo tracked
+
+    def print_foo(self): # $ MISSING: tracked=foo
+        print(self.foo) # $ MISSING: tracked=foo tracked
+
+    def possibly_uncalled_method(self):
+        print(self.foo) # $ MISSING: tracked
+
+instance = MyClass2()
+print(instance.foo) # $ MISSING: tracked=foo tracked
+instance.print_foo() # $ MISSING: tracked=foo
+
+
+# attribute set from outside of class
+class MyClass3(object):
+    def print_self(self): # $ tracked=foo
+        print(self) # $ tracked=foo
+
+    def print_foo(self): # $ tracked=foo
+        print(self.foo) # $ tracked=foo tracked
+
+    def possibly_uncalled_method(self):
+        print(self.foo) # $ MISSING: tracked
+
+instance = MyClass3() # $ tracked=foo
+instance.print_self() # $ tracked=foo
+instance.foo = tracked # $ tracked=foo tracked
+instance.print_foo() # $ tracked=foo

From dcd448b7430bfa32ea35149882cae0eaf5151f8c Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 8 Jun 2021 18:57:54 +0200
Subject: [PATCH 1375/1429] Python: Refactor formatting

---
 .../dataflow/typetracking/attribute_tests.py             | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/python/ql/test/experimental/dataflow/typetracking/attribute_tests.py b/python/ql/test/experimental/dataflow/typetracking/attribute_tests.py
index 41eecb591a5..b8487e22ee3 100644
--- a/python/ql/test/experimental/dataflow/typetracking/attribute_tests.py
+++ b/python/ql/test/experimental/dataflow/typetracking/attribute_tests.py
@@ -30,8 +30,9 @@ def test_incompatible_types():
     x.field = str("Hello") # $str=field str SPURIOUS: int=field int
     expects_string(x) # $ str=field SPURIOUS: int=field
 
-
+# ------------------------------------------------------------------------------
 # Attributes assigned statically to a class
+# ------------------------------------------------------------------------------
 
 class MyClass: # $tracked=field
     field = tracked # $tracked
@@ -40,7 +41,9 @@ lookup = MyClass.field # $tracked tracked=field
 instance = MyClass() # $tracked=field
 lookup2 = instance.field # MISSING: tracked
 
-## Dynamic attribute access
+# ------------------------------------------------------------------------------
+# Dynamic attribute access
+# ------------------------------------------------------------------------------
 
 # Via `getattr`/`setattr`
 
@@ -105,6 +108,7 @@ def dunder_dict_indirect_read():
 
 # attribute set in method
 # inspired by https://github.com/github/codeql/pull/6023
+
 class MyClass2(object):
     def __init__(self): # $ tracked=foo
         self.foo = tracked # $ tracked=foo tracked
@@ -121,6 +125,7 @@ instance.print_foo() # $ MISSING: tracked=foo
 
 
 # attribute set from outside of class
+
 class MyClass3(object):
     def print_self(self): # $ tracked=foo
         print(self) # $ tracked=foo

From 3d2de03674adff646bccec2d47dd641507a42be6 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 8 Jun 2021 19:03:24 +0200
Subject: [PATCH 1376/1429] Python: Add type-tracking test for attr set in
 function

---
 .../dataflow/typetracking/attribute_tests.py             | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/python/ql/test/experimental/dataflow/typetracking/attribute_tests.py b/python/ql/test/experimental/dataflow/typetracking/attribute_tests.py
index b8487e22ee3..c1240bd92b9 100644
--- a/python/ql/test/experimental/dataflow/typetracking/attribute_tests.py
+++ b/python/ql/test/experimental/dataflow/typetracking/attribute_tests.py
@@ -30,6 +30,15 @@ def test_incompatible_types():
     x.field = str("Hello") # $str=field str SPURIOUS: int=field int
     expects_string(x) # $ str=field SPURIOUS: int=field
 
+# set in different function
+def set_foo(some_class_instance): # $ tracked=foo
+    some_class_instance.foo = tracked # $ tracked=foo tracked
+
+def test_set_x():
+    x = SomeClass()
+    set_foo(x)
+    print(x.foo) # MISSING: tracked
+
 # ------------------------------------------------------------------------------
 # Attributes assigned statically to a class
 # ------------------------------------------------------------------------------

From 3e171adaab1a27cbf478c973bdb1f6dd71075199 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen <erik-krogh@github.com>
Date: Wed, 9 Jun 2021 10:45:55 +0200
Subject: [PATCH 1377/1429] update qldoc

Co-authored-by: Asger F <asgerf@github.com>
---
 javascript/ql/src/semmle/javascript/JsonSchema.qll | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/JsonSchema.qll b/javascript/ql/src/semmle/javascript/JsonSchema.qll
index ad7b804bde5..15994d537e9 100644
--- a/javascript/ql/src/semmle/javascript/JsonSchema.qll
+++ b/javascript/ql/src/semmle/javascript/JsonSchema.qll
@@ -14,8 +14,9 @@ module JsonSchema {
     abstract DataFlow::Node getInput();
 
     /**
-     * Gets if the return value indicates successfull or unsuccessful validation.
-     * Is not defined if the return value from this call does not directly
+     * Gets the return value that indicates successful validation, if any.
+     *
+     * Has no result if the return value from this call does not directly
      * indicate success.
      */
     boolean getPolarity() { result = true }

From 89cba216ca6086832756428675a4badcd652dc7e Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 9 Jun 2021 14:15:59 +0200
Subject: [PATCH 1378/1429] Python: Apply suggestions from code review

Co-authored-by: Taus <tausbn@github.com>
---
 .../dataflow/typetracking/attribute_tests.py       | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/python/ql/test/experimental/dataflow/typetracking/attribute_tests.py b/python/ql/test/experimental/dataflow/typetracking/attribute_tests.py
index c1240bd92b9..351ba6397fd 100644
--- a/python/ql/test/experimental/dataflow/typetracking/attribute_tests.py
+++ b/python/ql/test/experimental/dataflow/typetracking/attribute_tests.py
@@ -35,9 +35,9 @@ def set_foo(some_class_instance): # $ tracked=foo
     some_class_instance.foo = tracked # $ tracked=foo tracked
 
 def test_set_x():
-    x = SomeClass()
-    set_foo(x)
-    print(x.foo) # MISSING: tracked
+    x = SomeClass() # $ MISSING: tracked=foo
+    set_foo(x) # $ MISSING: tracked=foo
+    print(x.foo) # $ MISSING: tracked=foo tracked
 
 # ------------------------------------------------------------------------------
 # Attributes assigned statically to a class
@@ -125,8 +125,8 @@ class MyClass2(object):
     def print_foo(self): # $ MISSING: tracked=foo
         print(self.foo) # $ MISSING: tracked=foo tracked
 
-    def possibly_uncalled_method(self):
-        print(self.foo) # $ MISSING: tracked
+    def possibly_uncalled_method(self): # $ MISSING: tracked=foo
+        print(self.foo) # $ MISSING: tracked=foo tracked
 
 instance = MyClass2()
 print(instance.foo) # $ MISSING: tracked=foo tracked
@@ -142,8 +142,8 @@ class MyClass3(object):
     def print_foo(self): # $ tracked=foo
         print(self.foo) # $ tracked=foo tracked
 
-    def possibly_uncalled_method(self):
-        print(self.foo) # $ MISSING: tracked
+    def possibly_uncalled_method(self): # $ MISSING: tracked=foo
+        print(self.foo) # $ MISSING: tracked=foo tracked
 
 instance = MyClass3() # $ tracked=foo
 instance.print_self() # $ tracked=foo

From aaddd3623644926c02c693ca7727d77494971706 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Wed, 9 Jun 2021 14:20:50 +0200
Subject: [PATCH 1379/1429] Python: Add another type-tracking attr test

This one just works out of the box :muscle:
---
 .../dataflow/typetracking/attribute_tests.py           | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/python/ql/test/experimental/dataflow/typetracking/attribute_tests.py b/python/ql/test/experimental/dataflow/typetracking/attribute_tests.py
index 351ba6397fd..617fae422cb 100644
--- a/python/ql/test/experimental/dataflow/typetracking/attribute_tests.py
+++ b/python/ql/test/experimental/dataflow/typetracking/attribute_tests.py
@@ -39,6 +39,16 @@ def test_set_x():
     set_foo(x) # $ MISSING: tracked=foo
     print(x.foo) # $ MISSING: tracked=foo tracked
 
+# return from a different function
+def create_with_foo():
+    x = SomeClass() # $ tracked=foo
+    x.foo = tracked # $ tracked=foo tracked
+    return x # $ tracked=foo
+
+def test_create_with_foo():
+    x = create_with_foo() # $ tracked=foo
+    print(x.foo) # $ tracked=foo tracked
+
 # ------------------------------------------------------------------------------
 # Attributes assigned statically to a class
 # ------------------------------------------------------------------------------

From 879bfbbd4e61eee70210f5baf4f05553b573886b Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Date: Wed, 9 Jun 2021 15:02:31 +0200
Subject: [PATCH 1380/1429] C++: Match the join order from before #5522.

---
 .../ir/implementation/aliased_ssa/internal/AliasAnalysis.qll    | 2 +-
 .../ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll  | 2 +-
 .../ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
index 181c6d2c464..9997b5b49a7 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll
@@ -411,7 +411,7 @@ predicate addressOperandAllocationAndOffset(
     allocation.getABaseInstruction() = base and
     hasBaseAndOffset(addrOperand, base, bitOffset) and
     not exists(Instruction previousBase |
-      hasBaseAndOffset(addrOperand, previousBase, _) and
+      hasBaseAndOffset(addrOperand, pragma[only_bind_out](previousBase), _) and
       previousBase = base.getAnOperand().getDef()
     )
   )
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index 181c6d2c464..9997b5b49a7 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -411,7 +411,7 @@ predicate addressOperandAllocationAndOffset(
     allocation.getABaseInstruction() = base and
     hasBaseAndOffset(addrOperand, base, bitOffset) and
     not exists(Instruction previousBase |
-      hasBaseAndOffset(addrOperand, previousBase, _) and
+      hasBaseAndOffset(addrOperand, pragma[only_bind_out](previousBase), _) and
       previousBase = base.getAnOperand().getDef()
     )
   )
diff --git a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
index 181c6d2c464..9997b5b49a7 100644
--- a/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
+++ b/csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll
@@ -411,7 +411,7 @@ predicate addressOperandAllocationAndOffset(
     allocation.getABaseInstruction() = base and
     hasBaseAndOffset(addrOperand, base, bitOffset) and
     not exists(Instruction previousBase |
-      hasBaseAndOffset(addrOperand, previousBase, _) and
+      hasBaseAndOffset(addrOperand, pragma[only_bind_out](previousBase), _) and
       previousBase = base.getAnOperand().getDef()
     )
   )

From 405b2c84d67252f16556c90010b08b4efc3f48f3 Mon Sep 17 00:00:00 2001
From: shati-patel <42641846+shati-patel@users.noreply.github.com>
Date: Wed, 9 Jun 2021 15:25:28 +0100
Subject: [PATCH 1381/1429] Clarify how to think about rank aggregate

- Mention that `rank[1](...)` is the same as `min(...)`
- Make this (+ note about 1-based indexing) more visible
---
 docs/codeql/ql-language-reference/expressions.rst | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docs/codeql/ql-language-reference/expressions.rst b/docs/codeql/ql-language-reference/expressions.rst
index f8869e427a0..5ca896e5b41 100644
--- a/docs/codeql/ql-language-reference/expressions.rst
+++ b/docs/codeql/ql-language-reference/expressions.rst
@@ -308,7 +308,10 @@ The following aggregates are available in QL:
 
       rank[4](int i | i = [5 .. 15] | i)
 
-  Note that the rank indices start at ``1``, so ``rank[0](...)`` returns no results.
+  .. pull-quote:: Note
+
+     - Rank indices start at ``1``, so ``rank[0](...)`` returns no results.
+     - ``rank[1](...)`` is the same as ``min(...)``.
 
 .. index:: strictconcat, strictcount, strictsum
 

From 0c9b53a9b27d25067cbd0b82ee8bb9659b80413c Mon Sep 17 00:00:00 2001
From: shati-patel <42641846+shati-patel@users.noreply.github.com>
Date: Wed, 9 Jun 2021 15:27:01 +0100
Subject: [PATCH 1382/1429] Fix table formatting

---
 docs/codeql/ql-language-reference/expressions.rst | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/docs/codeql/ql-language-reference/expressions.rst b/docs/codeql/ql-language-reference/expressions.rst
index 5ca896e5b41..00f3a5265de 100644
--- a/docs/codeql/ql-language-reference/expressions.rst
+++ b/docs/codeql/ql-language-reference/expressions.rst
@@ -533,14 +533,21 @@ The query produces these results:
 
 +-----------+---------+------+
 |  variant  | person  | cost |
-+-----------+---------+------+
++===========+=========+======+
 | default   | Alice   | 201  |
++-----------+---------+------+
 | default   | Bob     | 100  |
++-----------+---------+------+
 | default   | Charles | 100  |
++-----------+---------+------+
 | default   | Diane   | 0    |
++-----------+---------+------+
 | monotonic | Alice   | 101  |
++-----------+---------+------+
 | monotonic | Alice   | 200  |
++-----------+---------+------+
 | monotonic | Bob     | 100  |
++-----------+---------+------+
 | monotonic | Diane   | 0    |
 +-----------+---------+------+
 

From b5420a6f3975566e4f4ccfdffc2ef92b3f3f387b Mon Sep 17 00:00:00 2001
From: shati-patel <42641846+shati-patel@users.noreply.github.com>
Date: Wed, 9 Jun 2021 15:52:46 +0100
Subject: [PATCH 1383/1429] Update wording

---
 docs/codeql/ql-language-reference/expressions.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/codeql/ql-language-reference/expressions.rst b/docs/codeql/ql-language-reference/expressions.rst
index 00f3a5265de..08a925b50b8 100644
--- a/docs/codeql/ql-language-reference/expressions.rst
+++ b/docs/codeql/ql-language-reference/expressions.rst
@@ -310,7 +310,7 @@ The following aggregates are available in QL:
 
   .. pull-quote:: Note
 
-     - Rank indices start at ``1``, so ``rank[0](...)`` returns no results.
+     - Rank indices start at ``1``, so ``rank[0](...)`` has no result.
      - ``rank[1](...)`` is the same as ``min(...)``.
 
 .. index:: strictconcat, strictcount, strictsum

From 28e2cdb54e19acad7551548963e6e34e8acb198f Mon Sep 17 00:00:00 2001
From: "John L. Singleton" <jsinglet@github.com>
Date: Wed, 9 Jun 2021 16:12:58 -0400
Subject: [PATCH 1384/1429] adding standard C/C++ fixed width, minimum width,
 and maximum width types

---
 .../semmle/code/cpp/commons/CommonType.qll    | 256 +++++++++++++++++-
 .../types/cstd_types/cstd_types.cpp           |  77 ++++++
 .../cstd_types/cstd_types_fixedwidth.expected |   8 +
 .../types/cstd_types/cstd_types_fixedwidth.ql |   5 +
 .../cstd_types_fixedwidthenum.expected        |   2 +
 .../cstd_types/cstd_types_fixedwidthenum.ql   |   5 +
 .../cstd_types_maximumwidth.expected          |   2 +
 .../cstd_types/cstd_types_maximumwidth.ql     |   5 +
 .../cstd_types_minimumwidth.expected          |  16 ++
 .../cstd_types/cstd_types_minimumwidth.ql     |   5 +
 .../test/library-tests/types/types/types.cpp  |   3 +
 11 files changed, 378 insertions(+), 6 deletions(-)
 create mode 100644 cpp/ql/test/library-tests/types/cstd_types/cstd_types.cpp
 create mode 100644 cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidth.expected
 create mode 100644 cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidth.ql
 create mode 100644 cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidthenum.expected
 create mode 100644 cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidthenum.ql
 create mode 100644 cpp/ql/test/library-tests/types/cstd_types/cstd_types_maximumwidth.expected
 create mode 100644 cpp/ql/test/library-tests/types/cstd_types/cstd_types_maximumwidth.ql
 create mode 100644 cpp/ql/test/library-tests/types/cstd_types/cstd_types_minimumwidth.expected
 create mode 100644 cpp/ql/test/library-tests/types/cstd_types/cstd_types_minimumwidth.ql

diff --git a/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll b/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
index 253a2767077..27bf19c0c54 100644
--- a/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
+++ b/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
@@ -63,13 +63,258 @@ class Ptrdiff_t extends Type {
   override string getAPrimaryQlClass() { result = "Ptrdiff_t" }
 }
 
+/**
+ * A common base type for describing the C/C++ fixed-width numeric types
+ */
+abstract class FixedWidthIntegralType extends UserType {
+  FixedWidthIntegralType() { this.getUnderlyingType() instanceof IntegralType }
+}
+
+/**
+ * A common base type for describing the C/C++ minimum-width numeric types.
+ */
+abstract class MinimumWidthIntegralType extends UserType {
+  MinimumWidthIntegralType() { this.getUnderlyingType() instanceof IntegralType }
+}
+
+/**
+ * A common base type for describing the C/C++ maximum-width numeric types.
+ */
+abstract class MaximumWidthIntegralType extends UserType {
+  MaximumWidthIntegralType() { this.getUnderlyingType() instanceof IntegralType }
+}
+
+/**
+ * A common base type for describing enum types that are based on fixed-width types.
+ */
+class FixedWidthEnumType extends UserType {
+  FixedWidthEnumType() {
+    this.(Enum).getExplicitUnderlyingType() instanceof FixedWidthIntegralType
+  }
+}
+
+/**
+ *  The C/C++ `int8_t` type.
+ */
+class Int8_t extends FixedWidthIntegralType {
+  Int8_t() { this.hasGlobalOrStdName("int8_t") }
+
+  override string getAPrimaryQlClass() { result = "Int8_t" }
+}
+
+/**
+ *  The C/C++ `int16_t` type.
+ */
+class Int16_t extends FixedWidthIntegralType {
+  Int16_t() { this.hasGlobalOrStdName("int16_t") }
+
+  override string getAPrimaryQlClass() { result = "Int16_t" }
+}
+
+/**
+ *  The C/C++ `int32_t` type.
+ */
+class Int32_t extends FixedWidthIntegralType {
+  Int32_t() { this.hasGlobalOrStdName("int32_t") }
+
+  override string getAPrimaryQlClass() { result = "Int32_t" }
+}
+
+/**
+ *  The C/C++ `int64_t` type.
+ */
+class Int64_t extends FixedWidthIntegralType {
+  Int64_t() { this.hasGlobalOrStdName("int64_t") }
+
+  override string getAPrimaryQlClass() { result = "Int64_t" }
+}
+
+/**
+ *  The C/C++ `uint8_t` type.
+ */
+class UInt8_t extends FixedWidthIntegralType {
+  UInt8_t() { this.hasGlobalOrStdName("uint8_t") }
+
+  override string getAPrimaryQlClass() { result = "UInt8_t" }
+}
+
+/**
+ *  The C/C++ `uint16_t` type.
+ */
+class UInt16_t extends FixedWidthIntegralType {
+  UInt16_t() { this.hasGlobalOrStdName("uint16_t") }
+
+  override string getAPrimaryQlClass() { result = "UInt16_t" }
+}
+
+/**
+ *  The C/C++ `uint32_t` type.
+ */
+class UInt32_t extends FixedWidthIntegralType {
+  UInt32_t() { this.hasGlobalOrStdName("uint32_t") }
+
+  override string getAPrimaryQlClass() { result = "UInt32_t" }
+}
+
+/**
+ *  The C/C++ `uint64_t` type.
+ */
+class UInt64_t extends FixedWidthIntegralType {
+  UInt64_t() { this.hasGlobalOrStdName("uint64_t") }
+
+  override string getAPrimaryQlClass() { result = "UInt64_t" }
+}
+
+/**
+ *  The C/C++ `int_least8_t` type.
+ */
+class Int_least8_t extends MinimumWidthIntegralType {
+  Int_least8_t() { this.hasGlobalOrStdName("int_least8_t") }
+
+  override string getAPrimaryQlClass() { result = "Int_least8_t" }
+}
+
+/**
+ *  The C/C++ `int_least16_t` type.
+ */
+class Int_least16_t extends MinimumWidthIntegralType {
+  Int_least16_t() { this.hasGlobalOrStdName("int_least16_t") }
+
+  override string getAPrimaryQlClass() { result = "Int_least16_t" }
+}
+
+/**
+ *  The C/C++ `int_least32_t` type.
+ */
+class Int_least32_t extends MinimumWidthIntegralType {
+  Int_least32_t() { this.hasGlobalOrStdName("int_least32_t") }
+
+  override string getAPrimaryQlClass() { result = "Int_least32_t" }
+}
+
+/**
+ *  The C/C++ `int_least64_t` type.
+ */
+class Int_least64_t extends MinimumWidthIntegralType {
+  Int_least64_t() { this.hasGlobalOrStdName("int_least64_t") }
+
+  override string getAPrimaryQlClass() { result = "Int_least64_t" }
+}
+
+/**
+ *  The C/C++ `uint_least8_t` type.
+ */
+class UInt_least8_t extends MinimumWidthIntegralType {
+  UInt_least8_t() { this.hasGlobalOrStdName("uint_least8_t") }
+
+  override string getAPrimaryQlClass() { result = "UInt_least8_t" }
+}
+
+/**
+ *  The C/C++ `uint_least16_t` type.
+ */
+class UInt_least16_t extends MinimumWidthIntegralType {
+  UInt_least16_t() { this.hasGlobalOrStdName("uint_least16_t") }
+
+  override string getAPrimaryQlClass() { result = "UInt_least16_t" }
+}
+
+/**
+ *  The C/C++ `uint_least32_t` type.
+ */
+class UInt_least32_t extends MinimumWidthIntegralType {
+  UInt_least32_t() { this.hasGlobalOrStdName("uint_least32_t") }
+
+  override string getAPrimaryQlClass() { result = "UInt_least32_t" }
+}
+
+/**
+ *  The C/C++ `uint_least64_t` type.
+ */
+class UInt_least64_t extends MinimumWidthIntegralType {
+  UInt_least64_t() { this.hasGlobalOrStdName("uint_least64_t") }
+
+  override string getAPrimaryQlClass() { result = "UInt_least64_t" }
+}
+
+/**
+ *  The C/C++ `int_fast8_t` type.
+ */
+class Int_fast8_t extends MinimumWidthIntegralType {
+  Int_fast8_t() { this.hasGlobalOrStdName("int_fast8_t") }
+
+  override string getAPrimaryQlClass() { result = "Int_fast8_t" }
+}
+
+/**
+ *  The C/C++ `int_fast16_t` type.
+ */
+class Int_fast16_t extends MinimumWidthIntegralType {
+  Int_fast16_t() { this.hasGlobalOrStdName("int_fast16_t") }
+
+  override string getAPrimaryQlClass() { result = "Int_fast16_t" }
+}
+
+/**
+ *  The C/C++ `int_fast32_t` type.
+ */
+class Int_fast32_t extends MinimumWidthIntegralType {
+  Int_fast32_t() { this.hasGlobalOrStdName("int_fast32_t") }
+
+  override string getAPrimaryQlClass() { result = "Int_fast32_t" }
+}
+
+/**
+ *  The C/C++ `int_fast64_t` type.
+ */
+class Int_fast64_t extends MinimumWidthIntegralType {
+  Int_fast64_t() { this.hasGlobalOrStdName("int_fast64_t") }
+
+  override string getAPrimaryQlClass() { result = "Int_fast64_t" }
+}
+
+/**
+ *  The C/C++ `uint_fast8_t` type.
+ */
+class UInt_fast8_t extends MinimumWidthIntegralType {
+  UInt_fast8_t() { this.hasGlobalOrStdName("uint_fast8_t") }
+
+  override string getAPrimaryQlClass() { result = "UInt_fast8_t" }
+}
+
+/**
+ *  The C/C++ `uint_fast16_t` type.
+ */
+class UInt_fast16_t extends MinimumWidthIntegralType {
+  UInt_fast16_t() { this.hasGlobalOrStdName("uint_fast16_t") }
+
+  override string getAPrimaryQlClass() { result = "UInt_fast16_t" }
+}
+
+/**
+ *  The C/C++ `uint_fast32_t` type.
+ */
+class UInt_fast32_t extends MinimumWidthIntegralType {
+  UInt_fast32_t() { this.hasGlobalOrStdName("uint_fast32_t") }
+
+  override string getAPrimaryQlClass() { result = "UInt_fast32_t" }
+}
+
+/**
+ *  The C/C++ `uint_fast64_t` type.
+ */
+class UInt_fast64_t extends MinimumWidthIntegralType {
+  UInt_fast64_t() { this.hasGlobalOrStdName("uint_fast64_t") }
+
+  override string getAPrimaryQlClass() { result = "UInt_fast64_t" }
+}
+
 /**
  * The C/C++ `intmax_t` type.
  */
-class Intmax_t extends Type {
+class Intmax_t extends MaximumWidthIntegralType {
   Intmax_t() {
-    this.getUnderlyingType() instanceof IntegralType and
-    this.hasName("intmax_t")
+    this.hasGlobalOrStdName("intmax_t")
   }
 
   override string getAPrimaryQlClass() { result = "Intmax_t" }
@@ -78,10 +323,9 @@ class Intmax_t extends Type {
 /**
  * The C/C++ `uintmax_t` type.
  */
-class Uintmax_t extends Type {
+class Uintmax_t extends MaximumWidthIntegralType {
   Uintmax_t() {
-    this.getUnderlyingType() instanceof IntegralType and
-    this.hasName("uintmax_t")
+    this.hasGlobalOrStdName("uintmax_t")
   }
 
   override string getAPrimaryQlClass() { result = "Uintmax_t" }
diff --git a/cpp/ql/test/library-tests/types/cstd_types/cstd_types.cpp b/cpp/ql/test/library-tests/types/cstd_types/cstd_types.cpp
new file mode 100644
index 00000000000..1f5d262978e
--- /dev/null
+++ b/cpp/ql/test/library-tests/types/cstd_types/cstd_types.cpp
@@ -0,0 +1,77 @@
+typedef signed char        int8_t;
+typedef short              int16_t;
+typedef int                int32_t;
+typedef long long          int64_t;
+typedef unsigned char      uint8_t;
+typedef unsigned short     uint16_t;
+typedef unsigned int       uint32_t;
+typedef unsigned long long uint64_t;
+
+typedef signed char        int_least8_t;
+typedef short              int_least16_t;
+typedef int                int_least32_t;
+typedef long long          int_least64_t;
+typedef unsigned char      uint_least8_t;
+typedef unsigned short     uint_least16_t;
+typedef unsigned int       uint_least32_t;
+typedef unsigned long long uint_least64_t;
+
+typedef signed char        int_fast8_t;
+typedef int                int_fast16_t;
+typedef int                int_fast32_t;
+typedef long long          int_fast64_t;
+typedef unsigned char      uint_fast8_t;
+typedef unsigned int       uint_fast16_t;
+typedef unsigned int       uint_fast32_t;
+typedef unsigned long long uint_fast64_t;
+
+typedef long long          intmax_t;
+typedef unsigned long long uintmax_t;
+
+int8_t i8;
+int16_t i16;
+int32_t i32;
+int64_t i64;
+uint8_t ui8;
+uint16_t ui16;
+uint32_t ui32;
+uint64_t ui64;
+int_least8_t  l8;
+int_least16_t l16;
+int_least32_t l32;
+int_least64_t l64;
+uint_least8_t ul8;
+uint_least16_t ul16;
+uint_least32_t ul32;
+uint_least64_t ul64;
+int_fast8_t if8;
+int_fast16_t if16;
+int_fast32_t if32;
+int_fast64_t if64;
+uint_fast8_t uf8;
+uint_fast16_t uf16;
+uint_fast32_t uf32;
+uint_fast64_t uf64;
+intmax_t im;
+uintmax_t uim;
+
+enum E0 : int8_t {
+    e0
+};
+
+enum class E1 : int8_t {
+    e1
+};
+
+enum E2 {
+    e2
+};
+
+enum class E3 {
+    e3
+};
+
+E0 _e0;
+E1 _e1;
+E2 _e2;
+E3 _e3; 
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidth.expected b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidth.expected
new file mode 100644
index 00000000000..4fd1837922b
--- /dev/null
+++ b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidth.expected
@@ -0,0 +1,8 @@
+| cstd_types.cpp:31:8:31:9 | i8 | CTypedefType, Int8_t |
+| cstd_types.cpp:32:9:32:11 | i16 | CTypedefType, Int16_t |
+| cstd_types.cpp:33:9:33:11 | i32 | CTypedefType, Int32_t |
+| cstd_types.cpp:34:9:34:11 | i64 | CTypedefType, Int64_t |
+| cstd_types.cpp:35:9:35:11 | ui8 | CTypedefType, UInt8_t |
+| cstd_types.cpp:36:10:36:13 | ui16 | CTypedefType, UInt16_t |
+| cstd_types.cpp:37:10:37:13 | ui32 | CTypedefType, UInt32_t |
+| cstd_types.cpp:38:10:38:13 | ui64 | CTypedefType, UInt64_t |
diff --git a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidth.ql b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidth.ql
new file mode 100644
index 00000000000..9acd310c395
--- /dev/null
+++ b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidth.ql
@@ -0,0 +1,5 @@
+import cpp
+
+from Variable v, FixedWidthIntegralType t
+where v.getType() = t
+select v, concat(t.getAQlClass(), ", ")
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidthenum.expected b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidthenum.expected
new file mode 100644
index 00000000000..d9884b22b00
--- /dev/null
+++ b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidthenum.expected
@@ -0,0 +1,2 @@
+| cstd_types.cpp:74:4:74:6 | _e0 | Enum, FixedWidthEnumType |
+| cstd_types.cpp:75:4:75:6 | _e1 | FixedWidthEnumType, ScopedEnum |
diff --git a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidthenum.ql b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidthenum.ql
new file mode 100644
index 00000000000..b394aa3ba40
--- /dev/null
+++ b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidthenum.ql
@@ -0,0 +1,5 @@
+import cpp
+
+from Variable v, FixedWidthEnumType t
+where v.getType() = t
+select v, concat(t.getAQlClass(), ", ")
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_maximumwidth.expected b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_maximumwidth.expected
new file mode 100644
index 00000000000..3983b4efec4
--- /dev/null
+++ b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_maximumwidth.expected
@@ -0,0 +1,2 @@
+| cstd_types.cpp:55:10:55:11 | im | CTypedefType, Intmax_t |
+| cstd_types.cpp:56:11:56:13 | uim | CTypedefType, Uintmax_t |
diff --git a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_maximumwidth.ql b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_maximumwidth.ql
new file mode 100644
index 00000000000..db15c574243
--- /dev/null
+++ b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_maximumwidth.ql
@@ -0,0 +1,5 @@
+import cpp
+
+from Variable v, MaximumWidthIntegralType t
+where v.getType() = t
+select v, concat(t.getAQlClass(), ", ")
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_minimumwidth.expected b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_minimumwidth.expected
new file mode 100644
index 00000000000..848430a2785
--- /dev/null
+++ b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_minimumwidth.expected
@@ -0,0 +1,16 @@
+| cstd_types.cpp:39:15:39:16 | l8 | CTypedefType, Int_least8_t |
+| cstd_types.cpp:40:15:40:17 | l16 | CTypedefType, Int_least16_t |
+| cstd_types.cpp:41:15:41:17 | l32 | CTypedefType, Int_least32_t |
+| cstd_types.cpp:42:15:42:17 | l64 | CTypedefType, Int_least64_t |
+| cstd_types.cpp:43:15:43:17 | ul8 | CTypedefType, UInt_least8_t |
+| cstd_types.cpp:44:16:44:19 | ul16 | CTypedefType, UInt_least16_t |
+| cstd_types.cpp:45:16:45:19 | ul32 | CTypedefType, UInt_least32_t |
+| cstd_types.cpp:46:16:46:19 | ul64 | CTypedefType, UInt_least64_t |
+| cstd_types.cpp:47:13:47:15 | if8 | CTypedefType, Int_fast8_t |
+| cstd_types.cpp:48:14:48:17 | if16 | CTypedefType, Int_fast16_t |
+| cstd_types.cpp:49:14:49:17 | if32 | CTypedefType, Int_fast32_t |
+| cstd_types.cpp:50:14:50:17 | if64 | CTypedefType, Int_fast64_t |
+| cstd_types.cpp:51:14:51:16 | uf8 | CTypedefType, UInt_fast8_t |
+| cstd_types.cpp:52:15:52:18 | uf16 | CTypedefType, UInt_fast16_t |
+| cstd_types.cpp:53:15:53:18 | uf32 | CTypedefType, UInt_fast32_t |
+| cstd_types.cpp:54:15:54:18 | uf64 | CTypedefType, UInt_fast64_t |
diff --git a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_minimumwidth.ql b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_minimumwidth.ql
new file mode 100644
index 00000000000..fb23c09397f
--- /dev/null
+++ b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_minimumwidth.ql
@@ -0,0 +1,5 @@
+import cpp
+
+from Variable v, MinimumWidthIntegralType t
+where v.getType() = t
+select v, concat(t.getAQlClass(), ", ")
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/types/types/types.cpp b/cpp/ql/test/library-tests/types/types/types.cpp
index 903ede7c49b..08fdc3bf7b5 100644
--- a/cpp/ql/test/library-tests/types/types/types.cpp
+++ b/cpp/ql/test/library-tests/types/types/types.cpp
@@ -80,3 +80,6 @@ size_t st;
 ssize_t sst;
 ptrdiff_t pdt;
 wchar_t wct;
+
+std::int8_t i8;
+

From 1fe3c9d093310b6e6ecd8689fd5e870f3424f92c Mon Sep 17 00:00:00 2001
From: "John L. Singleton" <jsinglet@github.com>
Date: Wed, 9 Jun 2021 17:11:39 -0400
Subject: [PATCH 1385/1429] removed accidental modification.

---
 cpp/ql/test/library-tests/types/types/types.cpp | 2 --
 1 file changed, 2 deletions(-)

diff --git a/cpp/ql/test/library-tests/types/types/types.cpp b/cpp/ql/test/library-tests/types/types/types.cpp
index 08fdc3bf7b5..6a816cae302 100644
--- a/cpp/ql/test/library-tests/types/types/types.cpp
+++ b/cpp/ql/test/library-tests/types/types/types.cpp
@@ -81,5 +81,3 @@ ssize_t sst;
 ptrdiff_t pdt;
 wchar_t wct;
 
-std::int8_t i8;
-

From b91a0dbe1608eaf0b9586638aeca07d6a926ef99 Mon Sep 17 00:00:00 2001
From: "John L. Singleton" <jsinglet@github.com>
Date: Wed, 9 Jun 2021 17:12:59 -0400
Subject: [PATCH 1386/1429] removed accidental modification.

---
 cpp/ql/test/library-tests/types/types/types.cpp | 1 -
 1 file changed, 1 deletion(-)

diff --git a/cpp/ql/test/library-tests/types/types/types.cpp b/cpp/ql/test/library-tests/types/types/types.cpp
index 6a816cae302..903ede7c49b 100644
--- a/cpp/ql/test/library-tests/types/types/types.cpp
+++ b/cpp/ql/test/library-tests/types/types/types.cpp
@@ -80,4 +80,3 @@ size_t st;
 ssize_t sst;
 ptrdiff_t pdt;
 wchar_t wct;
-

From 01cac13a48517f43547c5487d47bd9214bee26d4 Mon Sep 17 00:00:00 2001
From: "John L. Singleton" <jsinglet@github.com>
Date: Wed, 9 Jun 2021 17:16:26 -0400
Subject: [PATCH 1387/1429] format ql test files.

---
 .../library-tests/types/cstd_types/cstd_types_fixedwidth.ql     | 2 +-
 .../library-tests/types/cstd_types/cstd_types_fixedwidthenum.ql | 2 +-
 .../library-tests/types/cstd_types/cstd_types_maximumwidth.ql   | 2 +-
 .../library-tests/types/cstd_types/cstd_types_minimumwidth.ql   | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidth.ql b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidth.ql
index 9acd310c395..18e9cf4469e 100644
--- a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidth.ql
+++ b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidth.ql
@@ -2,4 +2,4 @@ import cpp
 
 from Variable v, FixedWidthIntegralType t
 where v.getType() = t
-select v, concat(t.getAQlClass(), ", ")
\ No newline at end of file
+select v, concat(t.getAQlClass(), ", ")
diff --git a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidthenum.ql b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidthenum.ql
index b394aa3ba40..7e9cd7c2b54 100644
--- a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidthenum.ql
+++ b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidthenum.ql
@@ -2,4 +2,4 @@ import cpp
 
 from Variable v, FixedWidthEnumType t
 where v.getType() = t
-select v, concat(t.getAQlClass(), ", ")
\ No newline at end of file
+select v, concat(t.getAQlClass(), ", ")
diff --git a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_maximumwidth.ql b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_maximumwidth.ql
index db15c574243..bfd5f88e54c 100644
--- a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_maximumwidth.ql
+++ b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_maximumwidth.ql
@@ -2,4 +2,4 @@ import cpp
 
 from Variable v, MaximumWidthIntegralType t
 where v.getType() = t
-select v, concat(t.getAQlClass(), ", ")
\ No newline at end of file
+select v, concat(t.getAQlClass(), ", ")
diff --git a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_minimumwidth.ql b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_minimumwidth.ql
index fb23c09397f..30f393b66cb 100644
--- a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_minimumwidth.ql
+++ b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_minimumwidth.ql
@@ -2,4 +2,4 @@ import cpp
 
 from Variable v, MinimumWidthIntegralType t
 where v.getType() = t
-select v, concat(t.getAQlClass(), ", ")
\ No newline at end of file
+select v, concat(t.getAQlClass(), ", ")

From eb4f168dd4841fa2690afee9c0e66c48f6b2a3fd Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 10 Jun 2021 14:09:47 +0200
Subject: [PATCH 1388/1429] Python: Clarify SensitiveAttributeAccess

The comment about imports was placed wrong. I also realized we didn't
even have a single test-case for
`this.(DataFlow::AttrRead).getAttributeNameExpr() = sensitiveLookupStringConst(classification)`
so I added that (notice that this is only `getattr(foo, x)` and not
`getattr(foo, "password")`)
---
 .../src/semmle/python/dataflow/new/SensitiveDataSources.qll | 6 ++++--
 python/ql/test/experimental/dataflow/sensitive-data/test.py | 3 +++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
index 45bb7b89a60..84f3b6ec4c8 100644
--- a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
+++ b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
@@ -153,10 +153,12 @@ private module SensitiveDataModeling {
     SensitiveDataClassification classification;
 
     SensitiveAttributeAccess() {
-      nameIndicatesSensitiveData(this.(DataFlow::AttrRead).getAttributeName(), classification)
-      or
+      // Things like `foo.<sensitive-name>` or `from <module> import <sensitive-name>`
       // I considered excluding any `from ... import something_sensitive`, but then realized that
       // we should flag up `form ... import password as ...` as a password
+      nameIndicatesSensitiveData(this.(DataFlow::AttrRead).getAttributeName(), classification)
+      or
+      // Things like `getattr(foo, <reference-to-string>)`
       this.(DataFlow::AttrRead).getAttributeNameExpr() = sensitiveLookupStringConst(classification)
     }
 
diff --git a/python/ql/test/experimental/dataflow/sensitive-data/test.py b/python/ql/test/experimental/dataflow/sensitive-data/test.py
index 57ad6a43762..714c1401980 100644
--- a/python/ql/test/experimental/dataflow/sensitive-data/test.py
+++ b/python/ql/test/experimental/dataflow/sensitive-data/test.py
@@ -29,6 +29,9 @@ foo = ObjectFromDatabase()
 foo.secret # $ SensitiveDataSource=secret
 foo.username # $ SensitiveDataSource=id
 
+getattr(foo, "password") # $ SensitiveDataSource=password
+x = "password"
+getattr(foo, x) # $ SensitiveDataSource=password
 
 # based on variable/parameter names
 def my_func(password): # $ SensitiveDataSource=password

From c341643ec1058161d961a25427d2c0de42e44738 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 10 Jun 2021 14:18:09 +0200
Subject: [PATCH 1389/1429] Python: Add more tests for sensitive function
 handling

---
 .../dataflow/sensitive-data/test.py           | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/python/ql/test/experimental/dataflow/sensitive-data/test.py b/python/ql/test/experimental/dataflow/sensitive-data/test.py
index 714c1401980..c143e62f230 100644
--- a/python/ql/test/experimental/dataflow/sensitive-data/test.py
+++ b/python/ql/test/experimental/dataflow/sensitive-data/test.py
@@ -24,6 +24,25 @@ safe_to_store = encrypt_password(pwd)
 f = get_password
 f() # $ SensitiveDataSource=password
 
+# more tests of functions we don't have definition for
+x = unkown_func_not_even_imported_get_password() # $ SensitiveDataSource=password
+print(x) # $ SensitiveUse=password
+
+f = get_passwd
+x = f() # $ MISSING: SensitiveDataSource=password
+print(x) # $ MISSING: SensitiveUse=password
+
+import not_found
+f = not_found.get_passwd # $ SensitiveDataSource=password
+x = f() # $ MISSING: SensitiveDataSource=password
+print(x) # $ MISSING: SensitiveUse=password
+
+def my_func(non_sensitive_name):
+    x = non_sensitive_name() # $ MISSING: SensitiveDataSource=password
+    print(x) # $ MISSING: SensitiveUse=password
+f = not_found.get_passwd # $ SensitiveDataSource=password
+my_func(f)
+
 # attributes
 foo = ObjectFromDatabase()
 foo.secret # $ SensitiveDataSource=secret

From f167143a8479cb06f50ec522952930f75c2216b5 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 10 Jun 2021 15:01:31 +0200
Subject: [PATCH 1390/1429] Python: Use real config in TestSensitiveDataSources

This will enable better tests in just one second
---
 .../TestSensitiveDataSources.ql               | 20 +++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql b/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql
index 2548f313b20..9b78bc0dff5 100644
--- a/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql
+++ b/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql
@@ -1,3 +1,6 @@
+// /**
+//  * @kind path-problem
+//  */
 import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
@@ -19,8 +22,7 @@ class SensitiveDataSourcesTest extends InlineExpectationsTest {
       tag = "SensitiveDataSource"
       or
       exists(DataFlow::Node use |
-        use = API::builtin("print").getACall().getArg(_) and
-        TaintTracking::localTaint(source, use) and
+        any(SensitiveUseConfiguration config).hasFlow(source, use) and
         location = use.getLocation() and
         element = use.toString() and
         value = source.getClassification() and
@@ -29,3 +31,17 @@ class SensitiveDataSourcesTest extends InlineExpectationsTest {
     )
   }
 }
+
+class SensitiveUseConfiguration extends TaintTracking::Configuration {
+  SensitiveUseConfiguration() { this = "SensitiveUseConfiguration" }
+
+  override predicate isSource(DataFlow::Node node) { node instanceof SensitiveDataSource }
+
+  override predicate isSink(DataFlow::Node node) {
+    node = API::builtin("print").getACall().getArg(_)
+  }
+}
+// import DataFlow::PathGraph
+// from SensitiveUseConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+// where cfg.hasFlowPath(source, sink)
+// select sink, source, sink, "taint from $@", source.getNode(), "here"

From ea0c1d7db3daa39f36704110c347e76470977bd0 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 10 Jun 2021 15:07:03 +0200
Subject: [PATCH 1391/1429] Python: Better handling of sensitive functions

This solution was the best I could come up with, but it _is_ a bit
brittle since you need to remember to add this additional taint step
to any configuration that relies on sensitive data sources... I don't
see an easy way around this though :|
---
 .../dataflow/new/SensitiveDataSources.qll     | 41 +++++++++++++++++++
 .../dataflow/WeakSensitiveDataHashing.qll     |  9 ++++
 .../TestSensitiveDataSources.ql               |  4 ++
 .../dataflow/sensitive-data/test.py           | 12 +++---
 4 files changed, 60 insertions(+), 6 deletions(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
index 84f3b6ec4c8..a812b48ba74 100644
--- a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
+++ b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
@@ -93,6 +93,8 @@ private module SensitiveDataModeling {
   /**
    * Gets a reference to a string constant that, if used as the key in a lookup,
    * indicates the presence of sensitive data with `classification`.
+   *
+   * Also see `extraStepForCalls`.
    */
   DataFlow::Node sensitiveLookupStringConst(SensitiveDataClassification classification) {
     sensitiveLookupStringConst(DataFlow::TypeTracker::end(), classification).flowsTo(result)
@@ -105,12 +107,49 @@ private module SensitiveDataModeling {
     SensitiveFunctionCall() {
       this.getFunction() = sensitiveFunction(classification)
       or
+      // to cover functions that we don't have the definition for, and where the
+      // reference to the function has not already been marked as being sensitive
       nameIndicatesSensitiveData(this.getFunction().asCfgNode().(NameNode).getId(), classification)
     }
 
     override SensitiveDataClassification getClassification() { result = classification }
   }
 
+  /**
+   * Holds if the step from `nodeFrom` to `nodeTo` should be considered a
+   * taint-flow step for sensitive-data, to ensure calls are handled correctly.
+   *
+   * To handle calls properly, while preserving a good source for path explanations,
+   * you need to include this predicate as an additional taint step in your taint-tracking
+   * configurations.
+   *
+   * The core problem can be illustrated by the example below. If we consider the
+   * `print` a sink, what path and what source do we want to show? My initial approach
+   * would be to use type-tracking to propagate from the `not_found.get_passwd` attribute
+   * lookup, to the use of `non_sensitive_name`, and then create a new `SensitiveDataSource::Range`
+   * like `SensitiveFunctionCall`. Although that seems likely to work, it will also end up
+   * with a non-optimal path, which starts at _bad source_, and therefore doesn't show
+   * how we figured out that `non_sensitive_name`
+   * could be a function that returns a password (and in cases where there is many calls to
+   * `my_func` it will be annoying for someone to figure this out manually).
+   *
+   * By including this additional taint-step in the taint-tracking configuration, it's possible
+   * to get a path explanation going from _good source_ to the sink.
+   *
+   * ```python
+   * def my_func(non_sensitive_name):
+   *     x = non_sensitive_name() # <-- bad source
+   *     print(x) # <-- sink
+   *
+   * import not_found
+   * f = not_found.get_passwd # <-- good source
+   * my_func(f)
+   * ```
+   */
+  predicate extraStepForCalls(DataFlow::Node nodeFrom, DataFlow::CallCfgNode nodeTo) {
+    nodeTo.getFunction() = nodeFrom
+  }
+
   /**
    * Any kind of variable assignment (also including with/for) where the name indicates
    * it contains sensitive data.
@@ -200,3 +239,5 @@ private module SensitiveDataModeling {
     override SensitiveDataClassification getClassification() { result = classification }
   }
 }
+
+predicate sensitiveDataExtraStepForCalls = SensitiveDataModeling::extraStepForCalls/2;
diff --git a/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashing.qll b/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashing.qll
index 59cd69db4b2..f7aec512772 100644
--- a/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashing.qll
+++ b/python/ql/src/semmle/python/security/dataflow/WeakSensitiveDataHashing.qll
@@ -13,6 +13,7 @@ private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Concepts
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.BarrierGuards
+private import semmle.python.dataflow.new.SensitiveDataSources
 
 /**
  * Provides a taint-tracking configuration for detecting use of a broken or weak
@@ -38,6 +39,10 @@ module NormalHashFunction {
       or
       node instanceof Sanitizer
     }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+      sensitiveDataExtraStepForCalls(node1, node2)
+    }
   }
 }
 
@@ -70,5 +75,9 @@ module ComputationallyExpensiveHashFunction {
       or
       node instanceof Sanitizer
     }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+      sensitiveDataExtraStepForCalls(node1, node2)
+    }
   }
 }
diff --git a/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql b/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql
index 9b78bc0dff5..f2cd5684f3a 100644
--- a/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql
+++ b/python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql
@@ -40,6 +40,10 @@ class SensitiveUseConfiguration extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node node) {
     node = API::builtin("print").getACall().getArg(_)
   }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    sensitiveDataExtraStepForCalls(node1, node2)
+  }
 }
 // import DataFlow::PathGraph
 // from SensitiveUseConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
diff --git a/python/ql/test/experimental/dataflow/sensitive-data/test.py b/python/ql/test/experimental/dataflow/sensitive-data/test.py
index c143e62f230..8fa166638b3 100644
--- a/python/ql/test/experimental/dataflow/sensitive-data/test.py
+++ b/python/ql/test/experimental/dataflow/sensitive-data/test.py
@@ -29,17 +29,17 @@ x = unkown_func_not_even_imported_get_password() # $ SensitiveDataSource=passwor
 print(x) # $ SensitiveUse=password
 
 f = get_passwd
-x = f() # $ MISSING: SensitiveDataSource=password
-print(x) # $ MISSING: SensitiveUse=password
+x = f()
+print(x) # $ SensitiveUse=password
 
 import not_found
 f = not_found.get_passwd # $ SensitiveDataSource=password
-x = f() # $ MISSING: SensitiveDataSource=password
-print(x) # $ MISSING: SensitiveUse=password
+x = f()
+print(x) # $ SensitiveUse=password
 
 def my_func(non_sensitive_name):
-    x = non_sensitive_name() # $ MISSING: SensitiveDataSource=password
-    print(x) # $ MISSING: SensitiveUse=password
+    x = non_sensitive_name()
+    print(x) # $ SensitiveUse=password
 f = not_found.get_passwd # $ SensitiveDataSource=password
 my_func(f)
 

From 14c419a75fd894cef94aee0062e6916631415aa5 Mon Sep 17 00:00:00 2001
From: "John L. Singleton" <jsinglet@github.com>
Date: Thu, 10 Jun 2021 09:39:43 -0400
Subject: [PATCH 1392/1429] autoformatting

---
 cpp/ql/src/semmle/code/cpp/commons/CommonType.qll | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll b/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
index 27bf19c0c54..be91e278f80 100644
--- a/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
+++ b/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
@@ -88,9 +88,7 @@ abstract class MaximumWidthIntegralType extends UserType {
  * A common base type for describing enum types that are based on fixed-width types.
  */
 class FixedWidthEnumType extends UserType {
-  FixedWidthEnumType() {
-    this.(Enum).getExplicitUnderlyingType() instanceof FixedWidthIntegralType
-  }
+  FixedWidthEnumType() { this.(Enum).getExplicitUnderlyingType() instanceof FixedWidthIntegralType }
 }
 
 /**
@@ -313,9 +311,7 @@ class UInt_fast64_t extends MinimumWidthIntegralType {
  * The C/C++ `intmax_t` type.
  */
 class Intmax_t extends MaximumWidthIntegralType {
-  Intmax_t() {
-    this.hasGlobalOrStdName("intmax_t")
-  }
+  Intmax_t() { this.hasGlobalOrStdName("intmax_t") }
 
   override string getAPrimaryQlClass() { result = "Intmax_t" }
 }
@@ -324,9 +320,7 @@ class Intmax_t extends MaximumWidthIntegralType {
  * The C/C++ `uintmax_t` type.
  */
 class Uintmax_t extends MaximumWidthIntegralType {
-  Uintmax_t() {
-    this.hasGlobalOrStdName("uintmax_t")
-  }
+  Uintmax_t() { this.hasGlobalOrStdName("uintmax_t") }
 
   override string getAPrimaryQlClass() { result = "Uintmax_t" }
 }

From f174d7a0e0ae4886039e824048b52b667fe1aa86 Mon Sep 17 00:00:00 2001
From: "John L. Singleton" <jsinglet@github.com>
Date: Thu, 10 Jun 2021 09:52:22 -0400
Subject: [PATCH 1393/1429] Comment changes

---
 cpp/ql/src/semmle/code/cpp/commons/CommonType.qll | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll b/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
index be91e278f80..41feb355f29 100644
--- a/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
+++ b/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
@@ -64,28 +64,28 @@ class Ptrdiff_t extends Type {
 }
 
 /**
- * A common base type for describing the C/C++ fixed-width numeric types
+ * A C/C++ fixed-width numeric type, such as `int8_t`.
  */
 abstract class FixedWidthIntegralType extends UserType {
   FixedWidthIntegralType() { this.getUnderlyingType() instanceof IntegralType }
 }
 
 /**
- * A common base type for describing the C/C++ minimum-width numeric types.
+ * A C/C++ minimum-width numeric type, such as `int_least8_t` or `uint_fast16_t`.
  */
 abstract class MinimumWidthIntegralType extends UserType {
   MinimumWidthIntegralType() { this.getUnderlyingType() instanceof IntegralType }
 }
 
 /**
- * A common base type for describing the C/C++ maximum-width numeric types.
+ * A C/C++ maximum-width numeric type, either `intmax_t` or `uintmax_t`.
  */
 abstract class MaximumWidthIntegralType extends UserType {
   MaximumWidthIntegralType() { this.getUnderlyingType() instanceof IntegralType }
 }
 
 /**
- * A common base type for describing enum types that are based on fixed-width types.
+ * An enum type based on a fixed-width integer type. For instance, `enum e: uint8_t = { a, b };`
  */
 class FixedWidthEnumType extends UserType {
   FixedWidthEnumType() { this.(Enum).getExplicitUnderlyingType() instanceof FixedWidthIntegralType }

From dd457f9641a82dc9b8e06e31790176ff87ee93aa Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Thu, 10 Jun 2021 15:58:56 +0200
Subject: [PATCH 1394/1429] Python: Fix tests

---
 python/ql/test/experimental/meta/ConceptsTest.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/ql/test/experimental/meta/ConceptsTest.qll b/python/ql/test/experimental/meta/ConceptsTest.qll
index 12a808cb60e..779333fa045 100644
--- a/python/ql/test/experimental/meta/ConceptsTest.qll
+++ b/python/ql/test/experimental/meta/ConceptsTest.qll
@@ -349,7 +349,7 @@ class CryptographicOperationTest extends InlineExpectationsTest {
         tag = "CryptographicOperation"
         or
         element = cryptoOperation.toString() and
-        value = value_from_expr(cryptoOperation.getAnInput().asExpr()) and
+        value = prettyNodeForInlineTest(cryptoOperation.getAnInput()) and
         tag = "CryptographicOperationInput"
         or
         element = cryptoOperation.toString() and

From 0d3f53b0136bae3153d6e5414f0207576a66b525 Mon Sep 17 00:00:00 2001
From: "John L. Singleton" <jsinglet@github.com>
Date: Thu, 10 Jun 2021 11:16:58 -0400
Subject: [PATCH 1395/1429] Changes to structure per feedback of @jbj

---
 .../semmle/code/cpp/commons/CommonType.qll    | 113 ++++++++++++------
 .../cstd_types_fastestminimumwidth.expected   |   8 ++
 .../cstd_types_fastestminimumwidth.ql         |   5 +
 .../cstd_types/cstd_types_fixedwidth.expected |  16 +--
 .../cstd_types_maximumwidth.expected          |   4 +-
 .../cstd_types_minimumwidth.expected          |  24 ++--
 6 files changed, 110 insertions(+), 60 deletions(-)
 create mode 100644 cpp/ql/test/library-tests/types/cstd_types/cstd_types_fastestminimumwidth.expected
 create mode 100644 cpp/ql/test/library-tests/types/cstd_types/cstd_types_fastestminimumwidth.ql

diff --git a/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll b/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
index 41feb355f29..1699d45f32e 100644
--- a/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
+++ b/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
@@ -64,24 +64,69 @@ class Ptrdiff_t extends Type {
 }
 
 /**
- * A C/C++ fixed-width numeric type, such as `int8_t`.
+ * A parent class representing C/C++ typedef'd `UserTypes` such as `int8_t`.
  */
-abstract class FixedWidthIntegralType extends UserType {
-  FixedWidthIntegralType() { this.getUnderlyingType() instanceof IntegralType }
+private class IntegralUnderlyingUserType extends UserType {
+  IntegralUnderlyingUserType() { this.getUnderlyingType() instanceof IntegralType }
 }
 
 /**
- * A C/C++ minimum-width numeric type, such as `int_least8_t` or `uint_fast16_t`.
+ * A C/C++ fixed-width numeric type, such as `int8_t`.
  */
-abstract class MinimumWidthIntegralType extends UserType {
-  MinimumWidthIntegralType() { this.getUnderlyingType() instanceof IntegralType }
+class FixedWidthIntegralType extends UserType {
+  FixedWidthIntegralType() {
+    this instanceof Int8_t or
+    this instanceof Int16_t or
+    this instanceof Int32_t or
+    this instanceof Int64_t or
+    this instanceof UInt8_t or
+    this instanceof UInt16_t or
+    this instanceof UInt32_t or
+    this instanceof UInt64_t
+  }
+}
+
+/**
+ * A C/C++ minimum-width numeric type, such as `int_least8_t`.
+ */
+class MinimumWidthIntegralType extends UserType {
+  MinimumWidthIntegralType() {
+    this instanceof Int_least8_t or
+    this instanceof Int_least16_t or
+    this instanceof Int_least32_t or
+    this instanceof Int_least64_t or
+    this instanceof UInt_least8_t or
+    this instanceof UInt_least16_t or
+    this instanceof UInt_least32_t or
+    this instanceof UInt_least64_t
+  }
+}
+
+/**
+ * A C/C++ minimum-width numeric type, representing the fastest integer type with a
+ * width of at least `N` such as `int_fast8_t`.
+ */
+class FastestMinimumWidthIntegralType extends UserType {
+  FastestMinimumWidthIntegralType() {
+    this instanceof Int_fast8_t or
+    this instanceof Int_fast16_t or
+    this instanceof Int_fast32_t or
+    this instanceof Int_fast64_t or
+    this instanceof UInt_fast8_t or
+    this instanceof UInt_fast16_t or
+    this instanceof UInt_fast32_t or
+    this instanceof UInt_fast64_t
+  }
 }
 
 /**
  * A C/C++ maximum-width numeric type, either `intmax_t` or `uintmax_t`.
  */
-abstract class MaximumWidthIntegralType extends UserType {
-  MaximumWidthIntegralType() { this.getUnderlyingType() instanceof IntegralType }
+class MaximumWidthIntegralType extends UserType {
+  MaximumWidthIntegralType() {
+    this instanceof Intmax_t or
+    this instanceof Uintmax_t
+  }
 }
 
 /**
@@ -94,7 +139,7 @@ class FixedWidthEnumType extends UserType {
 /**
  *  The C/C++ `int8_t` type.
  */
-class Int8_t extends FixedWidthIntegralType {
+class Int8_t extends IntegralUnderlyingUserType {
   Int8_t() { this.hasGlobalOrStdName("int8_t") }
 
   override string getAPrimaryQlClass() { result = "Int8_t" }
@@ -103,7 +148,7 @@ class Int8_t extends FixedWidthIntegralType {
 /**
  *  The C/C++ `int16_t` type.
  */
-class Int16_t extends FixedWidthIntegralType {
+class Int16_t extends IntegralUnderlyingUserType {
   Int16_t() { this.hasGlobalOrStdName("int16_t") }
 
   override string getAPrimaryQlClass() { result = "Int16_t" }
@@ -112,7 +157,7 @@ class Int16_t extends FixedWidthIntegralType {
 /**
  *  The C/C++ `int32_t` type.
  */
-class Int32_t extends FixedWidthIntegralType {
+class Int32_t extends IntegralUnderlyingUserType {
   Int32_t() { this.hasGlobalOrStdName("int32_t") }
 
   override string getAPrimaryQlClass() { result = "Int32_t" }
@@ -121,7 +166,7 @@ class Int32_t extends FixedWidthIntegralType {
 /**
  *  The C/C++ `int64_t` type.
  */
-class Int64_t extends FixedWidthIntegralType {
+class Int64_t extends IntegralUnderlyingUserType {
   Int64_t() { this.hasGlobalOrStdName("int64_t") }
 
   override string getAPrimaryQlClass() { result = "Int64_t" }
@@ -130,7 +175,7 @@ class Int64_t extends FixedWidthIntegralType {
 /**
  *  The C/C++ `uint8_t` type.
  */
-class UInt8_t extends FixedWidthIntegralType {
+class UInt8_t extends IntegralUnderlyingUserType {
   UInt8_t() { this.hasGlobalOrStdName("uint8_t") }
 
   override string getAPrimaryQlClass() { result = "UInt8_t" }
@@ -139,7 +184,7 @@ class UInt8_t extends FixedWidthIntegralType {
 /**
  *  The C/C++ `uint16_t` type.
  */
-class UInt16_t extends FixedWidthIntegralType {
+class UInt16_t extends IntegralUnderlyingUserType {
   UInt16_t() { this.hasGlobalOrStdName("uint16_t") }
 
   override string getAPrimaryQlClass() { result = "UInt16_t" }
@@ -148,7 +193,7 @@ class UInt16_t extends FixedWidthIntegralType {
 /**
  *  The C/C++ `uint32_t` type.
  */
-class UInt32_t extends FixedWidthIntegralType {
+class UInt32_t extends IntegralUnderlyingUserType {
   UInt32_t() { this.hasGlobalOrStdName("uint32_t") }
 
   override string getAPrimaryQlClass() { result = "UInt32_t" }
@@ -157,7 +202,7 @@ class UInt32_t extends FixedWidthIntegralType {
 /**
  *  The C/C++ `uint64_t` type.
  */
-class UInt64_t extends FixedWidthIntegralType {
+class UInt64_t extends IntegralUnderlyingUserType {
   UInt64_t() { this.hasGlobalOrStdName("uint64_t") }
 
   override string getAPrimaryQlClass() { result = "UInt64_t" }
@@ -166,7 +211,7 @@ class UInt64_t extends FixedWidthIntegralType {
 /**
  *  The C/C++ `int_least8_t` type.
  */
-class Int_least8_t extends MinimumWidthIntegralType {
+class Int_least8_t extends IntegralUnderlyingUserType {
   Int_least8_t() { this.hasGlobalOrStdName("int_least8_t") }
 
   override string getAPrimaryQlClass() { result = "Int_least8_t" }
@@ -175,7 +220,7 @@ class Int_least8_t extends MinimumWidthIntegralType {
 /**
  *  The C/C++ `int_least16_t` type.
  */
-class Int_least16_t extends MinimumWidthIntegralType {
+class Int_least16_t extends IntegralUnderlyingUserType {
   Int_least16_t() { this.hasGlobalOrStdName("int_least16_t") }
 
   override string getAPrimaryQlClass() { result = "Int_least16_t" }
@@ -184,7 +229,7 @@ class Int_least16_t extends MinimumWidthIntegralType {
 /**
  *  The C/C++ `int_least32_t` type.
  */
-class Int_least32_t extends MinimumWidthIntegralType {
+class Int_least32_t extends IntegralUnderlyingUserType {
   Int_least32_t() { this.hasGlobalOrStdName("int_least32_t") }
 
   override string getAPrimaryQlClass() { result = "Int_least32_t" }
@@ -193,7 +238,7 @@ class Int_least32_t extends MinimumWidthIntegralType {
 /**
  *  The C/C++ `int_least64_t` type.
  */
-class Int_least64_t extends MinimumWidthIntegralType {
+class Int_least64_t extends IntegralUnderlyingUserType {
   Int_least64_t() { this.hasGlobalOrStdName("int_least64_t") }
 
   override string getAPrimaryQlClass() { result = "Int_least64_t" }
@@ -202,7 +247,7 @@ class Int_least64_t extends MinimumWidthIntegralType {
 /**
  *  The C/C++ `uint_least8_t` type.
  */
-class UInt_least8_t extends MinimumWidthIntegralType {
+class UInt_least8_t extends IntegralUnderlyingUserType {
   UInt_least8_t() { this.hasGlobalOrStdName("uint_least8_t") }
 
   override string getAPrimaryQlClass() { result = "UInt_least8_t" }
@@ -211,7 +256,7 @@ class UInt_least8_t extends MinimumWidthIntegralType {
 /**
  *  The C/C++ `uint_least16_t` type.
  */
-class UInt_least16_t extends MinimumWidthIntegralType {
+class UInt_least16_t extends IntegralUnderlyingUserType {
   UInt_least16_t() { this.hasGlobalOrStdName("uint_least16_t") }
 
   override string getAPrimaryQlClass() { result = "UInt_least16_t" }
@@ -220,7 +265,7 @@ class UInt_least16_t extends MinimumWidthIntegralType {
 /**
  *  The C/C++ `uint_least32_t` type.
  */
-class UInt_least32_t extends MinimumWidthIntegralType {
+class UInt_least32_t extends IntegralUnderlyingUserType {
   UInt_least32_t() { this.hasGlobalOrStdName("uint_least32_t") }
 
   override string getAPrimaryQlClass() { result = "UInt_least32_t" }
@@ -229,7 +274,7 @@ class UInt_least32_t extends MinimumWidthIntegralType {
 /**
  *  The C/C++ `uint_least64_t` type.
  */
-class UInt_least64_t extends MinimumWidthIntegralType {
+class UInt_least64_t extends IntegralUnderlyingUserType {
   UInt_least64_t() { this.hasGlobalOrStdName("uint_least64_t") }
 
   override string getAPrimaryQlClass() { result = "UInt_least64_t" }
@@ -238,7 +283,7 @@ class UInt_least64_t extends MinimumWidthIntegralType {
 /**
  *  The C/C++ `int_fast8_t` type.
  */
-class Int_fast8_t extends MinimumWidthIntegralType {
+class Int_fast8_t extends IntegralUnderlyingUserType {
   Int_fast8_t() { this.hasGlobalOrStdName("int_fast8_t") }
 
   override string getAPrimaryQlClass() { result = "Int_fast8_t" }
@@ -247,7 +292,7 @@ class Int_fast8_t extends MinimumWidthIntegralType {
 /**
  *  The C/C++ `int_fast16_t` type.
  */
-class Int_fast16_t extends MinimumWidthIntegralType {
+class Int_fast16_t extends IntegralUnderlyingUserType {
   Int_fast16_t() { this.hasGlobalOrStdName("int_fast16_t") }
 
   override string getAPrimaryQlClass() { result = "Int_fast16_t" }
@@ -256,7 +301,7 @@ class Int_fast16_t extends MinimumWidthIntegralType {
 /**
  *  The C/C++ `int_fast32_t` type.
  */
-class Int_fast32_t extends MinimumWidthIntegralType {
+class Int_fast32_t extends IntegralUnderlyingUserType {
   Int_fast32_t() { this.hasGlobalOrStdName("int_fast32_t") }
 
   override string getAPrimaryQlClass() { result = "Int_fast32_t" }
@@ -265,7 +310,7 @@ class Int_fast32_t extends MinimumWidthIntegralType {
 /**
  *  The C/C++ `int_fast64_t` type.
  */
-class Int_fast64_t extends MinimumWidthIntegralType {
+class Int_fast64_t extends IntegralUnderlyingUserType {
   Int_fast64_t() { this.hasGlobalOrStdName("int_fast64_t") }
 
   override string getAPrimaryQlClass() { result = "Int_fast64_t" }
@@ -274,7 +319,7 @@ class Int_fast64_t extends MinimumWidthIntegralType {
 /**
  *  The C/C++ `uint_fast8_t` type.
  */
-class UInt_fast8_t extends MinimumWidthIntegralType {
+class UInt_fast8_t extends IntegralUnderlyingUserType {
   UInt_fast8_t() { this.hasGlobalOrStdName("uint_fast8_t") }
 
   override string getAPrimaryQlClass() { result = "UInt_fast8_t" }
@@ -283,7 +328,7 @@ class UInt_fast8_t extends MinimumWidthIntegralType {
 /**
  *  The C/C++ `uint_fast16_t` type.
  */
-class UInt_fast16_t extends MinimumWidthIntegralType {
+class UInt_fast16_t extends IntegralUnderlyingUserType {
   UInt_fast16_t() { this.hasGlobalOrStdName("uint_fast16_t") }
 
   override string getAPrimaryQlClass() { result = "UInt_fast16_t" }
@@ -292,7 +337,7 @@ class UInt_fast16_t extends MinimumWidthIntegralType {
 /**
  *  The C/C++ `uint_fast32_t` type.
  */
-class UInt_fast32_t extends MinimumWidthIntegralType {
+class UInt_fast32_t extends IntegralUnderlyingUserType {
   UInt_fast32_t() { this.hasGlobalOrStdName("uint_fast32_t") }
 
   override string getAPrimaryQlClass() { result = "UInt_fast32_t" }
@@ -301,7 +346,7 @@ class UInt_fast32_t extends MinimumWidthIntegralType {
 /**
  *  The C/C++ `uint_fast64_t` type.
  */
-class UInt_fast64_t extends MinimumWidthIntegralType {
+class UInt_fast64_t extends IntegralUnderlyingUserType {
   UInt_fast64_t() { this.hasGlobalOrStdName("uint_fast64_t") }
 
   override string getAPrimaryQlClass() { result = "UInt_fast64_t" }
@@ -310,7 +355,7 @@ class UInt_fast64_t extends MinimumWidthIntegralType {
 /**
  * The C/C++ `intmax_t` type.
  */
-class Intmax_t extends MaximumWidthIntegralType {
+class Intmax_t extends IntegralUnderlyingUserType {
   Intmax_t() { this.hasGlobalOrStdName("intmax_t") }
 
   override string getAPrimaryQlClass() { result = "Intmax_t" }
@@ -319,7 +364,7 @@ class Intmax_t extends MaximumWidthIntegralType {
 /**
  * The C/C++ `uintmax_t` type.
  */
-class Uintmax_t extends MaximumWidthIntegralType {
+class Uintmax_t extends IntegralUnderlyingUserType {
   Uintmax_t() { this.hasGlobalOrStdName("uintmax_t") }
 
   override string getAPrimaryQlClass() { result = "Uintmax_t" }
diff --git a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fastestminimumwidth.expected b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fastestminimumwidth.expected
new file mode 100644
index 00000000000..13fe25a4819
--- /dev/null
+++ b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fastestminimumwidth.expected
@@ -0,0 +1,8 @@
+| cstd_types.cpp:47:13:47:15 | if8 | CTypedefType, FastestMinimumWidthIntegralType, Int_fast8_t |
+| cstd_types.cpp:48:14:48:17 | if16 | CTypedefType, FastestMinimumWidthIntegralType, Int_fast16_t |
+| cstd_types.cpp:49:14:49:17 | if32 | CTypedefType, FastestMinimumWidthIntegralType, Int_fast32_t |
+| cstd_types.cpp:50:14:50:17 | if64 | CTypedefType, FastestMinimumWidthIntegralType, Int_fast64_t |
+| cstd_types.cpp:51:14:51:16 | uf8 | CTypedefType, FastestMinimumWidthIntegralType, UInt_fast8_t |
+| cstd_types.cpp:52:15:52:18 | uf16 | CTypedefType, FastestMinimumWidthIntegralType, UInt_fast16_t |
+| cstd_types.cpp:53:15:53:18 | uf32 | CTypedefType, FastestMinimumWidthIntegralType, UInt_fast32_t |
+| cstd_types.cpp:54:15:54:18 | uf64 | CTypedefType, FastestMinimumWidthIntegralType, UInt_fast64_t |
\ No newline at end of file
diff --git a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fastestminimumwidth.ql b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fastestminimumwidth.ql
new file mode 100644
index 00000000000..6600e69572e
--- /dev/null
+++ b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fastestminimumwidth.ql
@@ -0,0 +1,5 @@
+import cpp
+
+from Variable v, FastestMinimumWidthIntegralType t
+where v.getType() = t
+select v, concat(t.getAQlClass(), ", ")
diff --git a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidth.expected b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidth.expected
index 4fd1837922b..d1c64343636 100644
--- a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidth.expected
+++ b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_fixedwidth.expected
@@ -1,8 +1,8 @@
-| cstd_types.cpp:31:8:31:9 | i8 | CTypedefType, Int8_t |
-| cstd_types.cpp:32:9:32:11 | i16 | CTypedefType, Int16_t |
-| cstd_types.cpp:33:9:33:11 | i32 | CTypedefType, Int32_t |
-| cstd_types.cpp:34:9:34:11 | i64 | CTypedefType, Int64_t |
-| cstd_types.cpp:35:9:35:11 | ui8 | CTypedefType, UInt8_t |
-| cstd_types.cpp:36:10:36:13 | ui16 | CTypedefType, UInt16_t |
-| cstd_types.cpp:37:10:37:13 | ui32 | CTypedefType, UInt32_t |
-| cstd_types.cpp:38:10:38:13 | ui64 | CTypedefType, UInt64_t |
+| cstd_types.cpp:31:8:31:9 | i8 | CTypedefType, FixedWidthIntegralType, Int8_t |
+| cstd_types.cpp:32:9:32:11 | i16 | CTypedefType, FixedWidthIntegralType, Int16_t |
+| cstd_types.cpp:33:9:33:11 | i32 | CTypedefType, FixedWidthIntegralType, Int32_t |
+| cstd_types.cpp:34:9:34:11 | i64 | CTypedefType, FixedWidthIntegralType, Int64_t |
+| cstd_types.cpp:35:9:35:11 | ui8 | CTypedefType, FixedWidthIntegralType, UInt8_t |
+| cstd_types.cpp:36:10:36:13 | ui16 | CTypedefType, FixedWidthIntegralType, UInt16_t |
+| cstd_types.cpp:37:10:37:13 | ui32 | CTypedefType, FixedWidthIntegralType, UInt32_t |
+| cstd_types.cpp:38:10:38:13 | ui64 | CTypedefType, FixedWidthIntegralType, UInt64_t |
diff --git a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_maximumwidth.expected b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_maximumwidth.expected
index 3983b4efec4..0bf7779fcaf 100644
--- a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_maximumwidth.expected
+++ b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_maximumwidth.expected
@@ -1,2 +1,2 @@
-| cstd_types.cpp:55:10:55:11 | im | CTypedefType, Intmax_t |
-| cstd_types.cpp:56:11:56:13 | uim | CTypedefType, Uintmax_t |
+| cstd_types.cpp:55:10:55:11 | im | CTypedefType, Intmax_t, MaximumWidthIntegralType |
+| cstd_types.cpp:56:11:56:13 | uim | CTypedefType, MaximumWidthIntegralType, Uintmax_t |
diff --git a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_minimumwidth.expected b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_minimumwidth.expected
index 848430a2785..2984f07be8c 100644
--- a/cpp/ql/test/library-tests/types/cstd_types/cstd_types_minimumwidth.expected
+++ b/cpp/ql/test/library-tests/types/cstd_types/cstd_types_minimumwidth.expected
@@ -1,16 +1,8 @@
-| cstd_types.cpp:39:15:39:16 | l8 | CTypedefType, Int_least8_t |
-| cstd_types.cpp:40:15:40:17 | l16 | CTypedefType, Int_least16_t |
-| cstd_types.cpp:41:15:41:17 | l32 | CTypedefType, Int_least32_t |
-| cstd_types.cpp:42:15:42:17 | l64 | CTypedefType, Int_least64_t |
-| cstd_types.cpp:43:15:43:17 | ul8 | CTypedefType, UInt_least8_t |
-| cstd_types.cpp:44:16:44:19 | ul16 | CTypedefType, UInt_least16_t |
-| cstd_types.cpp:45:16:45:19 | ul32 | CTypedefType, UInt_least32_t |
-| cstd_types.cpp:46:16:46:19 | ul64 | CTypedefType, UInt_least64_t |
-| cstd_types.cpp:47:13:47:15 | if8 | CTypedefType, Int_fast8_t |
-| cstd_types.cpp:48:14:48:17 | if16 | CTypedefType, Int_fast16_t |
-| cstd_types.cpp:49:14:49:17 | if32 | CTypedefType, Int_fast32_t |
-| cstd_types.cpp:50:14:50:17 | if64 | CTypedefType, Int_fast64_t |
-| cstd_types.cpp:51:14:51:16 | uf8 | CTypedefType, UInt_fast8_t |
-| cstd_types.cpp:52:15:52:18 | uf16 | CTypedefType, UInt_fast16_t |
-| cstd_types.cpp:53:15:53:18 | uf32 | CTypedefType, UInt_fast32_t |
-| cstd_types.cpp:54:15:54:18 | uf64 | CTypedefType, UInt_fast64_t |
+| cstd_types.cpp:39:15:39:16 | l8 | CTypedefType, Int_least8_t, MinimumWidthIntegralType |
+| cstd_types.cpp:40:15:40:17 | l16 | CTypedefType, Int_least16_t, MinimumWidthIntegralType |
+| cstd_types.cpp:41:15:41:17 | l32 | CTypedefType, Int_least32_t, MinimumWidthIntegralType |
+| cstd_types.cpp:42:15:42:17 | l64 | CTypedefType, Int_least64_t, MinimumWidthIntegralType |
+| cstd_types.cpp:43:15:43:17 | ul8 | CTypedefType, MinimumWidthIntegralType, UInt_least8_t |
+| cstd_types.cpp:44:16:44:19 | ul16 | CTypedefType, MinimumWidthIntegralType, UInt_least16_t |
+| cstd_types.cpp:45:16:45:19 | ul32 | CTypedefType, MinimumWidthIntegralType, UInt_least32_t |
+| cstd_types.cpp:46:16:46:19 | ul64 | CTypedefType, MinimumWidthIntegralType, UInt_least64_t |

From bd7c4163561f21273bbe3e80b4518ddf6682d6cd Mon Sep 17 00:00:00 2001
From: "John L. Singleton" <jsinglet@github.com>
Date: Thu, 10 Jun 2021 11:21:11 -0400
Subject: [PATCH 1396/1429] comment change

---
 cpp/ql/src/semmle/code/cpp/commons/CommonType.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll b/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
index 1699d45f32e..8ec3ae2761a 100644
--- a/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
+++ b/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
@@ -64,7 +64,7 @@ class Ptrdiff_t extends Type {
 }
 
 /**
- * A parent class representing C/C++ typedef'd `UserTypes` such as `int8_t`.
+ * A parent class representing C/C++ a typedef'd `UserType` such as `int8_t`.
  */
 private class IntegralUnderlyingUserType extends UserType {
   IntegralUnderlyingUserType() { this.getUnderlyingType() instanceof IntegralType }

From a594afb8284b69066e30d80d752e9de9e57d99d8 Mon Sep 17 00:00:00 2001
From: Calum Grant <calumgrant@github.com>
Date: Mon, 24 May 2021 17:16:22 +0100
Subject: [PATCH 1397/1429] Add security-severity metadata

---
 .../Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql   | 1 +
 cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql                 | 1 +
 cpp/ql/src/Critical/DescriptorNeverClosed.ql                    | 1 +
 cpp/ql/src/Critical/FileMayNotBeClosed.ql                       | 1 +
 cpp/ql/src/Critical/FileNeverClosed.ql                          | 1 +
 cpp/ql/src/Critical/GlobalUseBeforeInit.ql                      | 1 +
 cpp/ql/src/Critical/InconsistentNullnessTesting.ql              | 1 +
 cpp/ql/src/Critical/InitialisationNotRun.ql                     | 1 +
 cpp/ql/src/Critical/LateNegativeTest.ql                         | 1 +
 cpp/ql/src/Critical/MemoryMayNotBeFreed.ql                      | 1 +
 cpp/ql/src/Critical/MemoryNeverFreed.ql                         | 1 +
 cpp/ql/src/Critical/MissingNegativityTest.ql                    | 1 +
 cpp/ql/src/Critical/MissingNullTest.ql                          | 1 +
 cpp/ql/src/Critical/NewFreeMismatch.ql                          | 1 +
 cpp/ql/src/Critical/OverflowCalculated.ql                       | 1 +
 cpp/ql/src/Critical/OverflowDestination.ql                      | 1 +
 cpp/ql/src/Critical/OverflowStatic.ql                           | 1 +
 cpp/ql/src/Critical/ReturnStackAllocatedObject.ql               | 1 +
 cpp/ql/src/Critical/SizeCheck.ql                                | 1 +
 cpp/ql/src/Critical/SizeCheck2.ql                               | 1 +
 cpp/ql/src/Critical/UseAfterFree.ql                             | 1 +
 cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql   | 1 +
 cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql              | 1 +
 cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql        | 1 +
 cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql | 1 +
 cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql              | 1 +
 cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql               | 1 +
 cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql   | 1 +
 cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql       | 1 +
 .../src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql   | 1 +
 cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql        | 1 +
 .../Likely Bugs/Memory Management/ImproperNullTermination.ql    | 1 +
 cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql     | 1 +
 .../Likely Bugs/Memory Management/PotentialBufferOverflow.ql    | 1 +
 cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql  | 1 +
 .../src/Likely Bugs/Memory Management/SuspiciousCallToMemset.ql | 1 +
 .../Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql    | 1 +
 cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql    | 1 +
 cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql  | 1 +
 cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql   | 1 +
 cpp/ql/src/Likely Bugs/OO/SelfAssignmentCheck.ql                | 1 +
 cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql                    | 1 +
 .../src/Likely Bugs/Underspecified Functions/TooFewArguments.ql | 1 +
 cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql           | 1 +
 cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql | 1 +
 cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql   | 1 +
 cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql                  | 1 +
 cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql                  | 1 +
 cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql                       | 1 +
 cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql                   | 1 +
 cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql | 1 +
 cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql               | 1 +
 cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql            | 1 +
 cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql                 | 1 +
 cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql            | 1 +
 cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql               | 1 +
 cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql      | 1 +
 cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql | 1 +
 cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql     | 1 +
 cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql     | 1 +
 .../CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql     | 1 +
 .../src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql  | 1 +
 cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql            | 1 +
 cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql       | 1 +
 cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql  | 1 +
 cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql      | 1 +
 cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql       | 1 +
 cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql        | 1 +
 .../CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql     | 1 +
 cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql     | 1 +
 cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql         | 1 +
 cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql         | 1 +
 cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql           | 1 +
 cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql      | 1 +
 cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql        | 1 +
 cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql            | 1 +
 cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql         | 1 +
 cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql      | 1 +
 .../Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql  | 1 +
 cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql      | 1 +
 cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql  | 1 +
 cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql  | 1 +
 cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql      | 1 +
 cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql            | 1 +
 cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql    | 1 +
 cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql            | 1 +
 cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql | 1 +
 cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql          | 1 +
 cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql     | 1 +
 cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql | 1 +
 cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql               | 1 +
 cpp/ql/src/Security/CWE/CWE-764/TwiceLocked.ql                  | 1 +
 cpp/ql/src/Security/CWE/CWE-764/UnreleasedLock.ql               | 1 +
 cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql             | 1 +
 .../CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql   | 1 +
 csharp/ql/src/Bad Practices/UseOfHtmlInputHidden.ql             | 1 +
 csharp/ql/src/Configuration/EmptyPasswordInConfigurationFile.ql | 1 +
 csharp/ql/src/Configuration/PasswordInConfigurationFile.ql      | 1 +
 csharp/ql/src/Input Validation/UseOfFileUpload.ql               | 1 +
 csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransform.ql       | 1 +
 csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql | 1 +
 csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql          | 2 ++
 .../ql/src/Security Features/CWE-016/ASPNetMaxRequestLength.ql  | 1 +
 .../src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql | 1 +
 .../Security Features/CWE-016/ASPNetRequestValidationMode.ql    | 1 +
 csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.ql  | 1 +
 .../src/Security Features/CWE-020/UntrustedDataToExternalAPI.ql | 1 +
 csharp/ql/src/Security Features/CWE-022/TaintedPath.ql          | 1 +
 csharp/ql/src/Security Features/CWE-022/ZipSlip.ql              | 1 +
 csharp/ql/src/Security Features/CWE-078/CommandInjection.ql     | 1 +
 .../ql/src/Security Features/CWE-078/StoredCommandInjection.ql  | 1 +
 csharp/ql/src/Security Features/CWE-079/StoredXSS.ql            | 1 +
 csharp/ql/src/Security Features/CWE-079/XSS.ql                  | 1 +
 .../ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql | 1 +
 csharp/ql/src/Security Features/CWE-089/SqlInjection.ql         | 1 +
 csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql        | 1 +
 csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql  | 1 +
 csharp/ql/src/Security Features/CWE-091/XMLInjection.ql         | 1 +
 csharp/ql/src/Security Features/CWE-094/CodeInjection.ql        | 1 +
 csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql    | 1 +
 csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql | 1 +
 .../ql/src/Security Features/CWE-114/AssemblyPathInjection.ql   | 1 +
 csharp/ql/src/Security Features/CWE-117/LogForging.ql           | 1 +
 .../src/Security Features/CWE-119/LocalUnvalidatedArithmetic.ql | 1 +
 .../src/Security Features/CWE-134/UncontrolledFormatString.ql   | 1 +
 .../src/Security Features/CWE-201/ExposureInTransmittedData.ql  | 1 +
 .../Security Features/CWE-209/ExceptionInformationExposure.ql   | 1 +
 .../CWE-248/MissingASPNETGlobalErrorHandler.ql                  | 1 +
 csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql     | 1 +
 .../ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql  | 2 ++
 .../CWE-321/HardcodedSymmetricEncryptionKey.ql                  | 2 ++
 csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql  | 1 +
 .../ql/src/Security Features/CWE-327/InsecureSQLConnection.ql   | 1 +
 .../CWE-352/MissingAntiForgeryTokenValidation.ql                | 1 +
 .../Security Features/CWE-359/ExposureOfPrivateInformation.ql   | 1 +
 csharp/ql/src/Security Features/CWE-384/AbandonSession.ql       | 1 +
 csharp/ql/src/Security Features/CWE-451/MissingXFrameOptions.ql | 1 +
 csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.ql | 1 +
 .../ql/src/Security Features/CWE-502/UnsafeDeserialization.ql   | 1 +
 .../CWE-502/UnsafeDeserializationUntrustedInput.ql              | 1 +
 .../ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql  | 1 +
 csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql          | 1 +
 .../src/Security Features/CWE-611/UntrustedDataInsecureXml.ql   | 1 +
 csharp/ql/src/Security Features/CWE-611/UseXmlSecureResolver.ql | 1 +
 csharp/ql/src/Security Features/CWE-614/RequireSSL.ql           | 1 +
 csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql | 1 +
 csharp/ql/src/Security Features/CWE-643/XPathInjection.ql       | 1 +
 csharp/ql/src/Security Features/CWE-730/ReDoS.ql                | 1 +
 csharp/ql/src/Security Features/CWE-730/RegexInjection.ql       | 1 +
 .../src/Security Features/CWE-798/HardcodedConnectionString.ql  | 1 +
 csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql | 1 +
 csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql    | 1 +
 .../ql/src/Security Features/CWE-838/InappropriateEncoding.ql   | 1 +
 csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql  | 1 +
 csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql    | 1 +
 csharp/ql/src/Security Features/Encryption using ECB.ql         | 1 +
 csharp/ql/src/Security Features/HeaderCheckingDisabled.ql       | 1 +
 csharp/ql/src/Security Features/InadequateRSAPadding.ql         | 1 +
 csharp/ql/src/Security Features/InsecureRandomness.ql           | 1 +
 csharp/ql/src/Security Features/InsufficientKeySize.ql          | 1 +
 csharp/ql/src/Security Features/PersistentCookie.ql             | 1 +
 csharp/ql/src/Security Features/WeakEncryption.ql               | 1 +
 java/ql/src/Frameworks/JavaEE/EJB/EjbContainerInterference.ql   | 1 +
 java/ql/src/Frameworks/JavaEE/EJB/EjbFileIO.ql                  | 1 +
 java/ql/src/Frameworks/JavaEE/EJB/EjbNative.ql                  | 1 +
 java/ql/src/Frameworks/JavaEE/EJB/EjbReflection.ql              | 1 +
 java/ql/src/Frameworks/JavaEE/EJB/EjbSecurityConfiguration.ql   | 1 +
 java/ql/src/Frameworks/JavaEE/EJB/EjbSerialization.ql           | 1 +
 java/ql/src/Frameworks/JavaEE/EJB/EjbSetSocketOrUrlFactory.ql   | 1 +
 java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql           | 1 +
 java/ql/src/Likely Bugs/Arithmetic/RandomUsedOnce.ql            | 1 +
 java/ql/src/Likely Bugs/Concurrency/UnreleasedLock.ql           | 1 +
 java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql  | 1 +
 java/ql/src/Security/CWE/CWE-022/TaintedPath.ql                 | 1 +
 java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql            | 1 +
 java/ql/src/Security/CWE/CWE-022/ZipSlip.ql                     | 1 +
 java/ql/src/Security/CWE/CWE-078/ExecRelative.ql                | 1 +
 java/ql/src/Security/CWE/CWE-078/ExecTainted.ql                 | 1 +
 java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql            | 1 +
 java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql               | 1 +
 java/ql/src/Security/CWE/CWE-079/XSS.ql                         | 1 +
 java/ql/src/Security/CWE/CWE-079/XSSLocal.ql                    | 1 +
 java/ql/src/Security/CWE/CWE-089/SqlTainted.ql                  | 1 +
 java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql             | 1 +
 java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql                | 1 +
 java/ql/src/Security/CWE/CWE-090/LdapInjection.ql               | 1 +
 java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql      | 1 +
 java/ql/src/Security/CWE/CWE-094/JexlInjection.ql               | 1 +
 java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql   | 1 +
 java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql      | 1 +
 java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql           | 1 +
 java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql      | 1 +
 .../CWE/CWE-129/ImproperValidationOfArrayConstruction.ql        | 1 +
 .../ImproperValidationOfArrayConstructionCodeSpecified.ql       | 1 +
 .../CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql   | 1 +
 .../src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql  | 1 +
 .../CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql  | 1 +
 .../Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql | 1 +
 .../Security/CWE/CWE-134/ExternallyControlledFormatString.ql    | 1 +
 .../CWE/CWE-134/ExternallyControlledFormatStringLocal.ql        | 1 +
 java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql           | 1 +
 java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql      | 1 +
 java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql      | 1 +
 java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql | 1 +
 java/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql     | 1 +
 java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql          | 1 +
 java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql  | 1 +
 java/ql/src/Security/CWE/CWE-312/CleartextStorageClass.ql       | 1 +
 java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql      | 1 +
 java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql  | 1 +
 java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql                   | 1 +
 java/ql/src/Security/CWE/CWE-319/UseSSL.ql                      | 1 +
 java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql       | 1 +
 java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql       | 1 +
 java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql  | 1 +
 java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql             | 2 ++
 java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql       | 1 +
 java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql        | 1 +
 java/ql/src/Security/CWE/CWE-367/TOCTOURace.ql                  | 1 +
 java/ql/src/Security/CWE/CWE-421/SocketAuthRace.ql              | 1 +
 java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql       | 1 +
 java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql                 | 1 +
 java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql            | 1 +
 java/ql/src/Security/CWE/CWE-611/XXE.ql                         | 1 +
 java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql              | 1 +
 java/ql/src/Security/CWE/CWE-643/XPathInjection.ql              | 1 +
 .../ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql | 1 +
 java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql          | 1 +
 java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql     | 1 +
 .../ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql | 1 +
 java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql | 1 +
 .../src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql  | 1 +
 .../src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql  | 1 +
 java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql      | 1 +
 java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql           | 1 +
 java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql     | 1 +
 .../ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql | 1 +
 java/ql/src/Security/CWE/CWE-833/LockOrderInconsistency.ql      | 1 +
 java/ql/src/Security/CWE/CWE-835/InfiniteLoop.ql                | 1 +
 javascript/ql/src/AngularJS/DisablingSce.ql                     | 2 ++
 javascript/ql/src/AngularJS/DoubleCompilation.ql                | 2 ++
 javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql             | 1 +
 javascript/ql/src/DOM/TargetBlank.ql                            | 1 +
 javascript/ql/src/Electron/AllowRunningInsecureContent.ql       | 2 ++
 javascript/ql/src/Electron/DisablingWebSecurity.ql              | 2 ++
 javascript/ql/src/Electron/EnablingNodeIntegration.ql           | 1 +
 javascript/ql/src/Performance/PolynomialReDoS.ql                | 1 +
 javascript/ql/src/Performance/ReDoS.ql                          | 1 +
 javascript/ql/src/RegExp/IdentityReplacement.ql                 | 1 +
 javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql  | 1 +
 javascript/ql/src/Security/CWE-020/IncompleteUrlSchemeCheck.ql  | 1 +
 .../src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql  | 1 +
 javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql      | 1 +
 javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql       | 1 +
 .../ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql       | 1 +
 .../ql/src/Security/CWE-020/UselessRegExpCharacterEscape.ql     | 1 +
 javascript/ql/src/Security/CWE-022/TaintedPath.ql               | 1 +
 javascript/ql/src/Security/CWE-022/ZipSlip.ql                   | 1 +
 javascript/ql/src/Security/CWE-073/TemplateObjectInjection.ql   | 1 +
 javascript/ql/src/Security/CWE-078/CommandInjection.ql          | 1 +
 javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql  | 1 +
 .../Security/CWE-078/ShellCommandInjectionFromEnvironment.ql    | 1 +
 .../ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql   | 1 +
 javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql           | 2 ++
 javascript/ql/src/Security/CWE-079/ExceptionXss.ql              | 1 +
 javascript/ql/src/Security/CWE-079/ReflectedXss.ql              | 1 +
 javascript/ql/src/Security/CWE-079/StoredXss.ql                 | 1 +
 javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql    | 1 +
 javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql        | 1 +
 javascript/ql/src/Security/CWE-079/Xss.ql                       | 1 +
 javascript/ql/src/Security/CWE-079/XssThroughDom.ql             | 1 +
 javascript/ql/src/Security/CWE-089/SqlInjection.ql              | 1 +
 javascript/ql/src/Security/CWE-094/CodeInjection.ql             | 1 +
 javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql  | 1 +
 javascript/ql/src/Security/CWE-094/UnsafeDynamicMethodAccess.ql | 1 +
 javascript/ql/src/Security/CWE-116/DoubleEscaping.ql            | 1 +
 .../src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql | 1 +
 .../Security/CWE-116/IncompleteMultiCharacterSanitization.ql    | 1 +
 javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql    | 1 +
 javascript/ql/src/Security/CWE-116/UnsafeHtmlExpansion.ql       | 1 +
 javascript/ql/src/Security/CWE-117/LogInjection.ql              | 1 +
 javascript/ql/src/Security/CWE-134/TaintedFormatString.ql       | 1 +
 javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql          | 1 +
 javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql       | 1 +
 javascript/ql/src/Security/CWE-201/PostMessageStar.ql           | 1 +
 javascript/ql/src/Security/CWE-209/StackTraceExposure.ql        | 1 +
 .../ql/src/Security/CWE-295/DisablingCertificateValidation.ql   | 1 +
 javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql         | 1 +
 javascript/ql/src/Security/CWE-312/CleartextLogging.ql          | 1 +
 javascript/ql/src/Security/CWE-312/CleartextStorage.ql          | 1 +
 .../ql/src/Security/CWE-313/PasswordInConfigurationFile.ql      | 1 +
 javascript/ql/src/Security/CWE-327/BadRandomness.ql             | 1 +
 javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql     | 1 +
 javascript/ql/src/Security/CWE-338/InsecureRandomness.ql        | 1 +
 .../src/Security/CWE-346/CorsMisconfigurationForCredentials.ql  | 1 +
 javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql     | 1 +
 .../ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql     | 1 +
 javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql   | 1 +
 javascript/ql/src/Security/CWE-451/MissingXFrameOptions.ql      | 1 +
 javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql     | 1 +
 .../ql/src/Security/CWE-506/HardcodedDataInterpretedAsCode.ql   | 1 +
 javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql     | 1 +
 javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql     | 1 +
 javascript/ql/src/Security/CWE-611/Xxe.ql                       | 1 +
 .../Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql    | 1 +
 javascript/ql/src/Security/CWE-643/XpathInjection.ql            | 1 +
 javascript/ql/src/Security/CWE-730/RegExpInjection.ql           | 1 +
 javascript/ql/src/Security/CWE-730/ServerCrash.ql               | 2 ++
 .../ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.ql     | 1 +
 javascript/ql/src/Security/CWE-770/MissingRateLimiting.ql       | 1 +
 javascript/ql/src/Security/CWE-776/XmlBomb.ql                   | 1 +
 javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql      | 1 +
 javascript/ql/src/Security/CWE-807/ConditionalBypass.ql         | 1 +
 .../ql/src/Security/CWE-807/DifferentKindsComparisonBypass.ql   | 1 +
 javascript/ql/src/Security/CWE-829/InsecureDownload.ql          | 1 +
 javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql        | 1 +
 .../Security/CWE-843/TypeConfusionThroughParameterTampering.ql  | 1 +
 javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql          | 1 +
 .../ql/src/Security/CWE-915/PrototypePollutingAssignment.ql     | 1 +
 .../ql/src/Security/CWE-915/PrototypePollutingFunction.ql       | 1 +
 .../ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql      | 1 +
 javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql  | 1 +
 javascript/ql/src/Security/CWE-918/RequestForgery.ql            | 1 +
 python/ql/src/Expressions/UseofInput.ql                         | 2 ++
 python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql     | 2 ++
 .../Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql | 1 +
 python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql      | 1 +
 .../src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql  | 1 +
 python/ql/src/Security/CWE-022/PathInjection.ql                 | 1 +
 python/ql/src/Security/CWE-022/TarSlip.ql                       | 1 +
 python/ql/src/Security/CWE-078/CommandInjection.ql              | 1 +
 python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql         | 1 +
 python/ql/src/Security/CWE-079/ReflectedXss.ql                  | 1 +
 python/ql/src/Security/CWE-089/SqlInjection.ql                  | 1 +
 python/ql/src/Security/CWE-094/CodeInjection.ql                 | 1 +
 python/ql/src/Security/CWE-209/StackTraceExposure.ql            | 1 +
 python/ql/src/Security/CWE-215/FlaskDebug.ql                    | 1 +
 python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql      | 1 +
 python/ql/src/Security/CWE-295/RequestWithoutValidation.ql      | 1 +
 python/ql/src/Security/CWE-312/CleartextLogging.ql              | 1 +
 python/ql/src/Security/CWE-312/CleartextStorage.ql              | 1 +
 python/ql/src/Security/CWE-326/WeakCryptoKey.ql                 | 1 +
 python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql         | 1 +
 python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql       | 1 +
 python/ql/src/Security/CWE-327/InsecureProtocol.ql              | 1 +
 python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql      | 1 +
 python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql         | 1 +
 python/ql/src/Security/CWE-502/UnsafeDeserialization.ql         | 1 +
 python/ql/src/Security/CWE-601/UrlRedirect.ql                   | 1 +
 python/ql/src/Security/CWE-732/WeakFilePermissions.ql           | 1 +
 python/ql/src/Security/CWE-798/HardcodedCredentials.ql          | 1 +
 python/ql/src/Statements/ExecUsed.ql                            | 1 +
 352 files changed, 364 insertions(+)

diff --git a/cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql b/cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql
index 36024ddbc70..ecf739b91be 100644
--- a/cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql	
+++ b/cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql	
@@ -5,6 +5,7 @@
  * @kind problem
  * @id cpp/offset-use-before-range-check
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @tags reliability
  *       security
diff --git a/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql b/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
index 135b9a644d1..24cd9dc16fd 100644
--- a/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
+++ b/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
@@ -4,6 +4,7 @@
  * @kind problem
  * @id cpp/descriptor-may-not-be-closed
  * @problem.severity warning
+ * @security-severity 5.9
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775
diff --git a/cpp/ql/src/Critical/DescriptorNeverClosed.ql b/cpp/ql/src/Critical/DescriptorNeverClosed.ql
index ae50e625602..331d787be62 100644
--- a/cpp/ql/src/Critical/DescriptorNeverClosed.ql
+++ b/cpp/ql/src/Critical/DescriptorNeverClosed.ql
@@ -4,6 +4,7 @@
  * @kind problem
  * @id cpp/descriptor-never-closed
  * @problem.severity warning
+ * @security-severity 5.9
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775
diff --git a/cpp/ql/src/Critical/FileMayNotBeClosed.ql b/cpp/ql/src/Critical/FileMayNotBeClosed.ql
index c97e7cacca3..395bac61f0b 100644
--- a/cpp/ql/src/Critical/FileMayNotBeClosed.ql
+++ b/cpp/ql/src/Critical/FileMayNotBeClosed.ql
@@ -4,6 +4,7 @@
  * @kind problem
  * @id cpp/file-may-not-be-closed
  * @problem.severity warning
+ * @security-severity 5.9
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775
diff --git a/cpp/ql/src/Critical/FileNeverClosed.ql b/cpp/ql/src/Critical/FileNeverClosed.ql
index 0286c78437f..eeeed80af92 100644
--- a/cpp/ql/src/Critical/FileNeverClosed.ql
+++ b/cpp/ql/src/Critical/FileNeverClosed.ql
@@ -4,6 +4,7 @@
  * @kind problem
  * @id cpp/file-never-closed
  * @problem.severity warning
+ * @security-severity 5.9
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775
diff --git a/cpp/ql/src/Critical/GlobalUseBeforeInit.ql b/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
index 5483a0f2fbe..7abfaeb9ebe 100644
--- a/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
+++ b/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
@@ -4,6 +4,7 @@
  * @kind problem
  * @id cpp/global-use-before-init
  * @problem.severity warning
+ * @security-severity 6.9
  * @tags reliability
  *       security
  *       external/cwe/cwe-457
diff --git a/cpp/ql/src/Critical/InconsistentNullnessTesting.ql b/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
index 86e2cb4fb29..b356c64b3fc 100644
--- a/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
+++ b/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
@@ -4,6 +4,7 @@
  * @kind problem
  * @id cpp/inconsistent-nullness-testing
  * @problem.severity warning
+ * @security-severity 3.6
  * @tags reliability
  *       security
  *       external/cwe/cwe-476
diff --git a/cpp/ql/src/Critical/InitialisationNotRun.ql b/cpp/ql/src/Critical/InitialisationNotRun.ql
index 6295543084b..d4bb90962f7 100644
--- a/cpp/ql/src/Critical/InitialisationNotRun.ql
+++ b/cpp/ql/src/Critical/InitialisationNotRun.ql
@@ -4,6 +4,7 @@
  * @kind problem
  * @id cpp/initialization-not-run
  * @problem.severity warning
+ * @security-severity 6.4
  * @tags reliability
  *       security
  *       external/cwe/cwe-456
diff --git a/cpp/ql/src/Critical/LateNegativeTest.ql b/cpp/ql/src/Critical/LateNegativeTest.ql
index 098a224c818..98d1d7cba2b 100644
--- a/cpp/ql/src/Critical/LateNegativeTest.ql
+++ b/cpp/ql/src/Critical/LateNegativeTest.ql
@@ -6,6 +6,7 @@
  * @kind problem
  * @id cpp/late-negative-test
  * @problem.severity warning
+ * @security-severity 10.0
  * @tags reliability
  *       security
  *       external/cwe/cwe-823
diff --git a/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql b/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
index 9c09ec4c5f3..3726117615e 100644
--- a/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
+++ b/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
@@ -4,6 +4,7 @@
  * @kind problem
  * @id cpp/memory-may-not-be-freed
  * @problem.severity warning
+ * @security-severity 3.6
  * @tags efficiency
  *       security
  *       external/cwe/cwe-401
diff --git a/cpp/ql/src/Critical/MemoryNeverFreed.ql b/cpp/ql/src/Critical/MemoryNeverFreed.ql
index 59f6f1da4df..89ca2245d7f 100644
--- a/cpp/ql/src/Critical/MemoryNeverFreed.ql
+++ b/cpp/ql/src/Critical/MemoryNeverFreed.ql
@@ -4,6 +4,7 @@
  * @kind problem
  * @id cpp/memory-never-freed
  * @problem.severity warning
+ * @security-severity 3.6
  * @tags efficiency
  *       security
  *       external/cwe/cwe-401
diff --git a/cpp/ql/src/Critical/MissingNegativityTest.ql b/cpp/ql/src/Critical/MissingNegativityTest.ql
index 565217578e0..937510afec6 100644
--- a/cpp/ql/src/Critical/MissingNegativityTest.ql
+++ b/cpp/ql/src/Critical/MissingNegativityTest.ql
@@ -5,6 +5,7 @@
  * @kind problem
  * @id cpp/missing-negativity-test
  * @problem.severity warning
+ * @security-severity 10.0
  * @tags reliability
  *       security
  *       external/cwe/cwe-823
diff --git a/cpp/ql/src/Critical/MissingNullTest.ql b/cpp/ql/src/Critical/MissingNullTest.ql
index ea81eee8eb6..dcd45f2baf1 100644
--- a/cpp/ql/src/Critical/MissingNullTest.ql
+++ b/cpp/ql/src/Critical/MissingNullTest.ql
@@ -4,6 +4,7 @@
  * @kind problem
  * @id cpp/missing-null-test
  * @problem.severity recommendation
+ * @security-severity 3.6
  * @tags reliability
  *       security
  *       external/cwe/cwe-476
diff --git a/cpp/ql/src/Critical/NewFreeMismatch.ql b/cpp/ql/src/Critical/NewFreeMismatch.ql
index 68e58b3acaf..09356762e43 100644
--- a/cpp/ql/src/Critical/NewFreeMismatch.ql
+++ b/cpp/ql/src/Critical/NewFreeMismatch.ql
@@ -3,6 +3,7 @@
  * @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision high
  * @id cpp/new-free-mismatch
  * @tags reliability
diff --git a/cpp/ql/src/Critical/OverflowCalculated.ql b/cpp/ql/src/Critical/OverflowCalculated.ql
index a52e0d82670..01cb7b3eaa3 100644
--- a/cpp/ql/src/Critical/OverflowCalculated.ql
+++ b/cpp/ql/src/Critical/OverflowCalculated.ql
@@ -4,6 +4,7 @@
  * @kind problem
  * @id cpp/overflow-calculated
  * @problem.severity warning
+ * @security-severity 5.9
  * @tags reliability
  *       security
  *       external/cwe/cwe-131
diff --git a/cpp/ql/src/Critical/OverflowDestination.ql b/cpp/ql/src/Critical/OverflowDestination.ql
index bff3cac9326..c89ec46cb42 100644
--- a/cpp/ql/src/Critical/OverflowDestination.ql
+++ b/cpp/ql/src/Critical/OverflowDestination.ql
@@ -5,6 +5,7 @@
  * @kind problem
  * @id cpp/overflow-destination
  * @problem.severity warning
+ * @security-severity 10.0
  * @precision low
  * @tags reliability
  *       security
diff --git a/cpp/ql/src/Critical/OverflowStatic.ql b/cpp/ql/src/Critical/OverflowStatic.ql
index 011c38ff734..d287f43b1c8 100644
--- a/cpp/ql/src/Critical/OverflowStatic.ql
+++ b/cpp/ql/src/Critical/OverflowStatic.ql
@@ -4,6 +4,7 @@
  *              may result in a buffer overflow.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 10.0
  * @precision medium
  * @id cpp/static-buffer-overflow
  * @tags reliability
diff --git a/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql b/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
index e3873e487dd..72ff93e24ab 100644
--- a/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
+++ b/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
@@ -4,6 +4,7 @@
  * @kind problem
  * @id cpp/return-stack-allocated-object
  * @problem.severity warning
+ * @security-severity 2.9
  * @tags reliability
  *       security
  *       external/cwe/cwe-562
diff --git a/cpp/ql/src/Critical/SizeCheck.ql b/cpp/ql/src/Critical/SizeCheck.ql
index 849b4ba5f77..7fff35cf717 100644
--- a/cpp/ql/src/Critical/SizeCheck.ql
+++ b/cpp/ql/src/Critical/SizeCheck.ql
@@ -4,6 +4,7 @@
  *              an instance of the type of the pointer may result in a buffer overflow
  * @kind problem
  * @problem.severity warning
+ * @security-severity 6.4
  * @precision medium
  * @id cpp/allocation-too-small
  * @tags reliability
diff --git a/cpp/ql/src/Critical/SizeCheck2.ql b/cpp/ql/src/Critical/SizeCheck2.ql
index 31364cbfe2d..f9a09b66352 100644
--- a/cpp/ql/src/Critical/SizeCheck2.ql
+++ b/cpp/ql/src/Critical/SizeCheck2.ql
@@ -4,6 +4,7 @@
  *              multiple instances of the type of the pointer may result in a buffer overflow
  * @kind problem
  * @problem.severity warning
+ * @security-severity 6.4
  * @precision medium
  * @id cpp/suspicious-allocation-size
  * @tags reliability
diff --git a/cpp/ql/src/Critical/UseAfterFree.ql b/cpp/ql/src/Critical/UseAfterFree.ql
index 8fd228ca7e4..1b714267ef1 100644
--- a/cpp/ql/src/Critical/UseAfterFree.ql
+++ b/cpp/ql/src/Critical/UseAfterFree.ql
@@ -4,6 +4,7 @@
  * @kind problem
  * @id cpp/use-after-free
  * @problem.severity warning
+ * @security-severity 5.9
  * @tags reliability
  *       security
  *       external/cwe/cwe-416
diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql b/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
index c503a8f3ee2..1037e4d9063 100644
--- a/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql	
+++ b/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql	
@@ -6,6 +6,7 @@
  *              to a larger type.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision very-high
  * @id cpp/bad-addition-overflow-check
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql b/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
index 76ff682f7e5..941fecc453d 100644
--- a/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql	
+++ b/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql	
@@ -4,6 +4,7 @@
  *              be a sign that the result can overflow the type converted from.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @id cpp/integer-multiplication-cast-to-long
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql b/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
index ecd11db43fb..6da994e6729 100644
--- a/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql	
+++ b/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql	
@@ -5,6 +5,7 @@
  *              unsigned integer values.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @id cpp/signed-overflow-check
  * @tags correctness
diff --git a/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql b/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
index 66e18c4f677..19e50a3f368 100644
--- a/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql	
+++ b/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql	
@@ -6,6 +6,7 @@
  *              use the width of the base type, leading to misaligned reads.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 10.0
  * @precision high
  * @id cpp/upcast-array-pointer-arithmetic
  * @tags correctness
diff --git a/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql b/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
index 324c9128ba5..f480501f7ba 100644
--- a/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql	
+++ b/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql	
@@ -6,6 +6,7 @@
  *              from an untrusted source, this can be used for exploits.
  * @kind problem
  * @problem.severity recommendation
+ * @security-severity 6.9
  * @precision high
  * @id cpp/non-constant-format
  * @tags maintainability
diff --git a/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql b/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
index 566758c10bd..78427655c22 100644
--- a/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql	
+++ b/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql	
@@ -3,6 +3,7 @@
  * @description Using the return value from snprintf without proper checks can cause overflow.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @id cpp/overflowing-snprintf
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql b/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
index 9412364183c..1147c6c66a1 100644
--- a/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql	
+++ b/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql	
@@ -4,6 +4,7 @@
  *              a source of security issues.
  * @kind problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision high
  * @id cpp/wrong-number-format-arguments
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
index 92486a030b1..d1624e484fe 100644
--- a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql	
+++ b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql	
@@ -4,6 +4,7 @@
  *              behavior.
  * @kind problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @id cpp/wrong-type-format-argument
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql b/cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql
index bb20c220186..1b20aa1b224 100644
--- a/cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql	
+++ b/cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql	
@@ -6,6 +6,7 @@
  * @kind problem
  * @id cpp/incorrect-not-operator-usage
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision medium
  * @tags security
  *       external/cwe/cwe-480
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql b/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
index e684cb525e7..1af4ba839b5 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql	
@@ -3,6 +3,7 @@
  * @description Using alloca in a loop can lead to a stack overflow
  * @kind problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision high
  * @id cpp/alloca-in-loop
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql b/cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql
index 2a4b2d16507..c72086060fd 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql	
@@ -5,6 +5,7 @@
  * @kind problem
  * @id cpp/improper-null-termination
  * @problem.severity warning
+ * @security-severity 5.9
  * @tags security
  *       external/cwe/cwe-170
  *       external/cwe/cwe-665
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql b/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
index 134f6101ea1..3035d3ba2ea 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql	
@@ -4,6 +4,7 @@
  *              on undefined behavior and may lead to memory corruption.
  * @kind problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision high
  * @id cpp/pointer-overflow-check
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/PotentialBufferOverflow.ql b/cpp/ql/src/Likely Bugs/Memory Management/PotentialBufferOverflow.ql
index 9f611ae9bf6..23cf7e8364b 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/PotentialBufferOverflow.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/PotentialBufferOverflow.ql	
@@ -6,6 +6,7 @@
  * @kind problem
  * @id cpp/potential-buffer-overflow
  * @problem.severity warning
+ * @security-severity 10.0
  * @tags reliability
  *       security
  *       external/cwe/cwe-676
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql b/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql
index 87120de0603..4a9fc949f89 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql	
@@ -4,6 +4,7 @@
  *              as the third argument may result in a buffer overflow.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 10.0
  * @precision medium
  * @id cpp/bad-strncpy-size
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToMemset.ql b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToMemset.ql
index 2ccdda23bfd..8e41b414794 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToMemset.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToMemset.ql	
@@ -7,6 +7,7 @@
  * @kind problem
  * @id cpp/suspicious-call-to-memset
  * @problem.severity recommendation
+ * @security-severity 10.0
  * @precision medium
  * @tags reliability
  *       correctness
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
index 5e211fc3da6..28742629b37 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql	
@@ -3,6 +3,7 @@
  * @description Calling 'strncat' with an incorrect size argument may result in a buffer overflow.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 10.0
  * @precision medium
  * @id cpp/unsafe-strncat
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql
index b887894707c..9198cd0497e 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql	
@@ -5,6 +5,7 @@
  *              the machine pointer size.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id cpp/suspicious-sizeof
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql b/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql
index 57dac90c850..94e230e8838 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql	
@@ -5,6 +5,7 @@
  * @kind problem
  * @id cpp/uninitialized-local
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @tags security
  *       external/cwe/cwe-665
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql b/cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql
index 2d595c0c050..2eb8d0b4060 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql	
@@ -4,6 +4,7 @@
  *              may result in a buffer overflow
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id cpp/unsafe-strcat
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/OO/SelfAssignmentCheck.ql b/cpp/ql/src/Likely Bugs/OO/SelfAssignmentCheck.ql
index c8e10709f1c..2702cbdcea7 100644
--- a/cpp/ql/src/Likely Bugs/OO/SelfAssignmentCheck.ql	
+++ b/cpp/ql/src/Likely Bugs/OO/SelfAssignmentCheck.ql	
@@ -6,6 +6,7 @@
  * @kind problem
  * @id cpp/self-assignment-check
  * @problem.severity warning
+ * @security-severity 5.9
  * @tags reliability
  *       security
  *       external/cwe/cwe-826
diff --git a/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql b/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
index 0d3aee42c54..746a2761e49 100644
--- a/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql	
+++ b/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql	
@@ -6,6 +6,7 @@
  * @kind path-problem
  * @id cpp/unsafe-use-of-this
  * @problem.severity error
+ * @security-severity 3.6
  * @precision very-high
  * @tags correctness
  *       language-features
diff --git a/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql b/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
index b803f2b1fbc..3196143c5d1 100644
--- a/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql	
+++ b/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql	
@@ -7,6 +7,7 @@
  *              undefined data.
  * @kind problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision very-high
  * @id cpp/too-few-arguments
  * @tags correctness
diff --git a/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql b/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
index bbb77e807e7..77c4f149cac 100644
--- a/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
@@ -5,6 +5,7 @@
  * @kind problem
  * @id cpp/memset-may-be-deleted
  * @problem.severity warning
+ * @security-severity 6.4
  * @precision high
  * @tags security
  *       external/cwe/cwe-14
diff --git a/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql b/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
index e4f0cc7883d..0396d5c7bb0 100644
--- a/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
+++ b/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
@@ -5,6 +5,7 @@
  * @kind path-problem
  * @precision low
  * @problem.severity error
+ * @security-severity 5.9
  * @tags security external/cwe/cwe-20
  */
 
diff --git a/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql b/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
index ca6d2d00e8c..196fe57f74b 100644
--- a/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
+++ b/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
@@ -5,6 +5,7 @@
  * @kind path-problem
  * @precision low
  * @problem.severity error
+ * @security-severity 5.9
  * @tags security external/cwe/cwe-20
  */
 
diff --git a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
index 496b957cca3..c96b6f6dc5b 100644
--- a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+++ b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
@@ -4,6 +4,7 @@
  *              attacker to access unexpected resources.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 6.4
  * @precision medium
  * @id cpp/path-injection
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
index 69d6ce9b98f..d3020406f15 100644
--- a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -5,6 +5,7 @@
  *              to command injection.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision low
  * @id cpp/command-line-injection
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
index d1e2fa12913..0b56e972320 100644
--- a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+++ b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
@@ -4,6 +4,7 @@
  *              allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision high
  * @id cpp/cgi-xss
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
index 5ed84f45250..1e4536f0942 100644
--- a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -5,6 +5,7 @@
  *              to SQL Injection.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @id cpp/sql-injection
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
index 943c13f9c5d..3aba72ed741 100644
--- a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
@@ -5,6 +5,7 @@
  *              commands.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 6.0
  * @precision medium
  * @id cpp/uncontrolled-process-operation
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql b/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
index 00dc569c2f2..c61498ac2e0 100644
--- a/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
+++ b/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
@@ -6,6 +6,7 @@
  * @kind problem
  * @id cpp/overflow-buffer
  * @problem.severity recommendation
+ * @security-severity 10.0
  * @tags security
  *       external/cwe/cwe-119
  *       external/cwe/cwe-121
diff --git a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
index 77d514bc7b6..01d8d8db4e2 100644
--- a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
@@ -5,6 +5,7 @@
  *              overflow.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id cpp/badly-bounded-write
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql b/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
index 4ee20508e45..6832561e10c 100644
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
@@ -4,6 +4,7 @@
  *              of data written may overflow.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision medium
  * @id cpp/overrunning-write
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql b/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
index 79ba1e17df2..73ef5e62fb2 100644
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
@@ -5,6 +5,7 @@
  *              take extreme values.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision medium
  * @id cpp/overrunning-write-with-float
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
index f1a8b4e8544..656b52b03bf 100644
--- a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
@@ -4,6 +4,7 @@
  *              of data written may overflow.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision medium
  * @id cpp/unbounded-write
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql b/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
index bfb3a2fbb81..3dacc443a74 100644
--- a/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
@@ -5,6 +5,7 @@
  *              a specific value to terminate the argument list.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id cpp/unterminated-variadic-call
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql b/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
index c073cf37af8..59498017b1f 100644
--- a/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
@@ -6,6 +6,7 @@
  * @kind problem
  * @id cpp/unclear-array-index-validation
  * @problem.severity warning
+ * @security-severity 5.9
  * @tags security
  *       external/cwe/cwe-129
  */
diff --git a/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql b/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
index 7ee6acdcd59..b31213b09f3 100644
--- a/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+++ b/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
@@ -5,6 +5,7 @@
  *              terminator can cause a buffer overrun.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id cpp/no-space-for-terminator
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
index b64091263e0..0593679c3f5 100644
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
@@ -5,6 +5,7 @@
  *              or data representation problems.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 6.9
  * @precision high
  * @id cpp/tainted-format-string
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
index d38f3eb24c2..67853b9e361 100644
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
@@ -5,6 +5,7 @@
  *              or data representation problems.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 6.9
  * @precision high
  * @id cpp/tainted-format-string-through-global
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql b/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
index 511c7a1d79f..b2844c319ba 100644
--- a/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
@@ -5,6 +5,7 @@
  * @kind problem
  * @id cpp/user-controlled-null-termination-tainted
  * @problem.severity warning
+ * @security-severity 10.0
  * @tags security
  *       external/cwe/cwe-170
  */
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
index 7416af15865..ad4d0389f0c 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
@@ -4,6 +4,7 @@
  *              not validated can cause overflows.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision low
  * @id cpp/tainted-arithmetic
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
index 0899c7dff1a..359ac7a0d1a 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -4,6 +4,7 @@
  *              validated can cause overflows.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id cpp/uncontrolled-arithmetic
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
index 668b07d72af..9addbab5c1c 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
@@ -6,6 +6,7 @@
  * @kind problem
  * @id cpp/arithmetic-with-extreme-values
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision low
  * @tags security
  *       reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
index 2d21ed8a3b2..1ec3c6554fe 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
@@ -5,6 +5,7 @@
  * @id cpp/comparison-with-wider-type
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @tags reliability
  *       security
diff --git a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
index 7a7aa716e8a..7e4880ffca6 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
@@ -5,6 +5,7 @@
  * @kind problem
  * @id cpp/integer-overflow-tainted
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision low
  * @tags security
  *       external/cwe/cwe-190
diff --git a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
index 84a10ec082b..765a2519a38 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -4,6 +4,7 @@
  *              user can result in integer overflow.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision medium
  * @id cpp/uncontrolled-allocation-size
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index ff339af8b67..ddd7bf3430f 100644
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -4,6 +4,7 @@
  * @kind problem
  * @id cpp/unsigned-difference-expression-compared-zero
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @tags security
  *       correctness
diff --git a/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql b/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
index 605321b51d0..bde1e265690 100644
--- a/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
+++ b/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
@@ -4,6 +4,7 @@
  * @kind problem
  * @id cpp/hresult-boolean-conversion
  * @problem.severity error
+ * @security-severity 4.2
  * @precision high
  * @tags security
  *       external/cwe/cwe-253
diff --git a/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql b/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
index 80b5ee49e97..7cdd5c34b8b 100644
--- a/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
+++ b/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
@@ -5,6 +5,7 @@
  *              vulnerable to spoofing attacks.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.8
  * @precision medium
  * @id cpp/user-controlled-bypass
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
index 3e84c0a87d9..6785700d077 100644
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
@@ -4,6 +4,7 @@
  *              to an attacker.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id cpp/cleartext-storage-buffer
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
index 8e447bafd90..fcf2a00435e 100644
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -4,6 +4,7 @@
  *              to an attacker.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 6.4
  * @precision medium
  * @id cpp/cleartext-storage-file
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
index fb5454d523e..ccb67f54d3a 100644
--- a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
+++ b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
@@ -4,6 +4,7 @@
  *              database can expose it to an attacker.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 6.4
  * @precision medium
  * @id cpp/cleartext-storage-database
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index 24f0b216d09..848adfd7adc 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -4,6 +4,7 @@
  *              an attacker to compromise security.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.2
  * @precision medium
  * @id cpp/weak-cryptographic-algorithm
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql b/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
index a7ffadc07be..5ee196994ac 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
@@ -4,6 +4,7 @@
  *              attackers to retrieve portions of memory.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.2
  * @precision very-high
  * @id cpp/openssl-heartbleed
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql b/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
index 052cce56198..7d19e323f2b 100644
--- a/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
+++ b/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
@@ -5,6 +5,7 @@
  *              the two operations.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id cpp/toctou-race-condition
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
index c0f44a0c3d6..73e0d8794ad 100644
--- a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
@@ -4,6 +4,7 @@
  * @id cpp/unsafe-create-process-call
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision medium
  * @msrc.severity important
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql b/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
index 3b76a5447dd..3d6c54e33ae 100644
--- a/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
+++ b/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
@@ -5,6 +5,7 @@
  *              state, and reading the variable may result in undefined behavior.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 6.9
  * @opaque-id SM02313
  * @id cpp/conditionally-uninitialized-variable
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
index d49eef4202a..a582813ed5f 100644
--- a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
@@ -4,6 +4,7 @@
  *              can cause buffer overflow conditions.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id cpp/suspicious-pointer-scaling
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
index d333a2b37bc..c1bfb9c4ee9 100644
--- a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
@@ -5,6 +5,7 @@
  * @kind problem
  * @id cpp/incorrect-pointer-scaling-char
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision low
  * @tags security
  *       external/cwe/cwe-468
diff --git a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
index 42bf03e8628..aa267a25f4e 100644
--- a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
@@ -4,6 +4,7 @@
  *              can cause buffer overflow conditions.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id cpp/suspicious-pointer-scaling-void
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
index d356ba7bbc4..7532f7e9fcf 100644
--- a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
@@ -5,6 +5,7 @@
  *              implicitly scaled.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @id cpp/suspicious-add-sizeof
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
index 63eca292297..ead50c9620e 100644
--- a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+++ b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
@@ -5,6 +5,7 @@
  *              attack plan.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision medium
  * @id cpp/system-data-exposure
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql b/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
index d883b2e7356..35955665a9e 100644
--- a/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
+++ b/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
@@ -3,6 +3,7 @@
  * @description Use of a standard library function that does not guard against buffer overflow.
  * @kind problem
  * @problem.severity error
+ * @security-severity 10.0
  * @precision very-high
  * @id cpp/dangerous-function-overflow
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql b/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
index 32bdfbaf100..07a7ef1de9b 100644
--- a/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
+++ b/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
@@ -4,6 +4,7 @@
  *              may be dangerous.
  * @kind problem
  * @problem.severity error
+ * @security-severity 10.0
  * @precision high
  * @id cpp/dangerous-cin
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql b/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
index 4316fe229b2..4e281b238bc 100644
--- a/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
+++ b/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
@@ -3,6 +3,7 @@
  * @description Use of a standard library function that is not thread-safe.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 10.0
  * @precision high
  * @id cpp/potentially-dangerous-function
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql b/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
index 0d866ff1196..321684dc93c 100644
--- a/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
+++ b/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
@@ -6,6 +6,7 @@
  * @kind problem
  * @id cpp/incorrect-string-type-conversion
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @tags security
  *       external/cwe/cwe-704
diff --git a/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql b/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
index 95790298347..67dce658ed8 100644
--- a/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
+++ b/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
@@ -3,6 +3,7 @@
  * @description Creating a file that is world-writable can allow an attacker to write to the file.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id cpp/world-writable-file-creation
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql b/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
index 3e4ebfadac9..72399cec376 100644
--- a/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+++ b/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
@@ -7,6 +7,7 @@
  * @id cpp/unsafe-dacl-security-descriptor
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @tags security
  *       external/cwe/cwe-732
diff --git a/cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql b/cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql
index f53f84a4fb0..2a0d765f239 100644
--- a/cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql
+++ b/cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql
@@ -5,6 +5,7 @@
  * @kind problem
  * @id cpp/lock-order-cycle
  * @problem.severity error
+ * @security-severity 6.9
  * @tags security
  *       external/cwe/cwe-764
  *       external/cwe/cwe-833
diff --git a/cpp/ql/src/Security/CWE/CWE-764/TwiceLocked.ql b/cpp/ql/src/Security/CWE/CWE-764/TwiceLocked.ql
index 0eb7e8451e5..c32e747f3e4 100644
--- a/cpp/ql/src/Security/CWE/CWE-764/TwiceLocked.ql
+++ b/cpp/ql/src/Security/CWE/CWE-764/TwiceLocked.ql
@@ -5,6 +5,7 @@
  * @kind problem
  * @id cpp/twice-locked
  * @problem.severity error
+ * @security-severity 6.9
  * @precision low
  * @tags security
  *       external/cwe/cwe-764
diff --git a/cpp/ql/src/Security/CWE/CWE-764/UnreleasedLock.ql b/cpp/ql/src/Security/CWE/CWE-764/UnreleasedLock.ql
index 1c0ee4a500f..8f3d9e92149 100644
--- a/cpp/ql/src/Security/CWE/CWE-764/UnreleasedLock.ql
+++ b/cpp/ql/src/Security/CWE/CWE-764/UnreleasedLock.ql
@@ -5,6 +5,7 @@
  * @kind problem
  * @id cpp/unreleased-lock
  * @problem.severity error
+ * @security-severity 6.9
  * @precision low
  * @tags security
  *       external/cwe/cwe-764
diff --git a/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql b/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
index e60f592b2af..08a5ceb49db 100644
--- a/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
+++ b/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
@@ -5,6 +5,7 @@
  *              attack.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 6.4
  * @precision medium
  * @id cpp/tainted-permissions-check
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql b/cpp/ql/src/Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql
index e088b9a666d..cd85179d14d 100644
--- a/cpp/ql/src/Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql
+++ b/cpp/ql/src/Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql
@@ -6,6 +6,7 @@
  * @kind problem
  * @id cpp/infinite-loop-with-unsatisfiable-exit-condition
  * @problem.severity warning
+ * @security-severity 3.6
  * @tags security
  *       external/cwe/cwe-835
  */
diff --git a/csharp/ql/src/Bad Practices/UseOfHtmlInputHidden.ql b/csharp/ql/src/Bad Practices/UseOfHtmlInputHidden.ql
index 93c3850e103..09ee699163f 100644
--- a/csharp/ql/src/Bad Practices/UseOfHtmlInputHidden.ql	
+++ b/csharp/ql/src/Bad Practices/UseOfHtmlInputHidden.ql	
@@ -3,6 +3,7 @@
  * @description Finds uses of hidden fields on forms
  * @kind problem
  * @problem.severity recommendation
+ * @security-severity 6.4
  * @precision medium
  * @id cs/web/html-hidden-input
  * @tags security
diff --git a/csharp/ql/src/Configuration/EmptyPasswordInConfigurationFile.ql b/csharp/ql/src/Configuration/EmptyPasswordInConfigurationFile.ql
index 315e5e084bd..e7dee2143c1 100644
--- a/csharp/ql/src/Configuration/EmptyPasswordInConfigurationFile.ql
+++ b/csharp/ql/src/Configuration/EmptyPasswordInConfigurationFile.ql
@@ -3,6 +3,7 @@
  * @description Finds empty passwords in configuration files.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id cs/empty-password-in-configuration
  * @tags security
diff --git a/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql b/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
index 85c332345d6..eb4756ea962 100644
--- a/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
+++ b/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
@@ -3,6 +3,7 @@
  * @description Finds passwords in configuration files.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision medium
  * @id cs/password-in-configuration
  * @tags security
diff --git a/csharp/ql/src/Input Validation/UseOfFileUpload.ql b/csharp/ql/src/Input Validation/UseOfFileUpload.ql
index f3a3b0aeffa..4eb96e2c072 100644
--- a/csharp/ql/src/Input Validation/UseOfFileUpload.ql	
+++ b/csharp/ql/src/Input Validation/UseOfFileUpload.ql	
@@ -3,6 +3,7 @@
  * @description Finds uses of file upload
  * @kind problem
  * @problem.severity recommendation
+ * @security-severity 5.9
  * @precision high
  * @id cs/web/file-upload
  * @tags security
diff --git a/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransform.ql b/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransform.ql
index 4f7e83b8be0..1ee9c4a2bfa 100644
--- a/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransform.ql	
+++ b/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransform.ql	
@@ -5,6 +5,7 @@
  *              but under some circumstances may also result in incorrect results.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 6.9
  * @precision medium
  * @id cs/thread-unsafe-icryptotransform-field-in-class
  * @tags concurrency
diff --git a/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql b/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql
index 1c8018e3b27..33f8a8ab47c 100644
--- a/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql	
+++ b/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql	
@@ -6,6 +6,7 @@
  *              but under some circumstances may also result in incorrect results.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 6.9
  * @precision medium
  * @id cs/thread-unsafe-icryptotransform-captured-in-lambda
  * @tags concurrency
diff --git a/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql b/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql
index 447306e4522..c9b2112b488 100644
--- a/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql	
+++ b/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql	
@@ -4,12 +4,14 @@
  *              debug builds provide additional information useful to a malicious attacker.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision very-high
  * @id cs/web/debug-binary
  * @tags security
  *       maintainability
  *       frameworks/asp.net
  *       external/cwe/cwe-11
+ *       external/cwe/cwe-532
  */
 
 import csharp
diff --git a/csharp/ql/src/Security Features/CWE-016/ASPNetMaxRequestLength.ql b/csharp/ql/src/Security Features/CWE-016/ASPNetMaxRequestLength.ql
index d2c232b3bd3..6c58c910089 100644
--- a/csharp/ql/src/Security Features/CWE-016/ASPNetMaxRequestLength.ql	
+++ b/csharp/ql/src/Security Features/CWE-016/ASPNetMaxRequestLength.ql	
@@ -4,6 +4,7 @@
  *              denial-of-service attacks.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 6.9
  * @id cs/web/large-max-request-length
  * @tags security
  *       frameworks/asp.net
diff --git a/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql b/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql
index 7985cec592a..362b8a70ebe 100644
--- a/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql	
+++ b/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql	
@@ -3,6 +3,7 @@
  * @description ASP.NET pages should not disable the built-in request validation.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 6.9
  * @id cs/web/request-validation-disabled
  * @tags security
  *       frameworks/asp.net
diff --git a/csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.ql b/csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.ql
index 0e3e92fa821..a270a5928bb 100644
--- a/csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.ql	
+++ b/csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.ql	
@@ -6,6 +6,7 @@
  * @kind problem
  * @id cs/insecure-request-validation-mode
  * @problem.severity warning
+ * @security-severity 6.9
  * @tags security
  *       external/cwe/cwe-016
  */
diff --git a/csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.ql b/csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.ql
index 24de3f11075..cda257234ab 100644
--- a/csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.ql	
+++ b/csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.ql	
@@ -4,6 +4,7 @@
  * @kind problem
  * @id cs/serialization-check-bypass
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @tags security
  *       external/cwe/cwe-20
diff --git a/csharp/ql/src/Security Features/CWE-020/UntrustedDataToExternalAPI.ql b/csharp/ql/src/Security Features/CWE-020/UntrustedDataToExternalAPI.ql
index a1183b7392d..c378e31d8aa 100644
--- a/csharp/ql/src/Security Features/CWE-020/UntrustedDataToExternalAPI.ql	
+++ b/csharp/ql/src/Security Features/CWE-020/UntrustedDataToExternalAPI.ql	
@@ -5,6 +5,7 @@
  * @kind path-problem
  * @precision low
  * @problem.severity error
+ * @security-severity 5.9
  * @tags security external/cwe/cwe-20
  */
 
diff --git a/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql b/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql
index f25dd129f0c..bf75ab47904 100644
--- a/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql	
+++ b/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql	
@@ -3,6 +3,7 @@
  * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @id cs/path-injection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql b/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql
index 57a39e39d6c..5f6855701ed 100644
--- a/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql	
+++ b/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql	
@@ -6,6 +6,7 @@
  * @kind path-problem
  * @id cs/zipslip
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @tags security
  *       external/cwe/cwe-022
diff --git a/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql b/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql
index ece6dc5a0db..7056d3222f2 100644
--- a/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql	
@@ -4,6 +4,7 @@
  *              user to change the meaning of the command.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id cs/command-line-injection
  * @tags correctness
diff --git a/csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql b/csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql
index b7a3c724d02..b8264b4d8a1 100644
--- a/csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql	
@@ -4,6 +4,7 @@
  *              user to change the meaning of the command.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision medium
  * @id cs/stored-command-line-injection
  * @tags correctness
diff --git a/csharp/ql/src/Security Features/CWE-079/StoredXSS.ql b/csharp/ql/src/Security Features/CWE-079/StoredXSS.ql
index 3c9b22583a8..fcf10553a6a 100644
--- a/csharp/ql/src/Security Features/CWE-079/StoredXSS.ql	
+++ b/csharp/ql/src/Security Features/CWE-079/StoredXSS.ql	
@@ -4,6 +4,7 @@
  *              scripting vulnerability if the data was originally user-provided.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision medium
  * @id cs/web/stored-xss
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-079/XSS.ql b/csharp/ql/src/Security Features/CWE-079/XSS.ql
index 77543c3c244..d58a7828a6f 100644
--- a/csharp/ql/src/Security Features/CWE-079/XSS.ql	
+++ b/csharp/ql/src/Security Features/CWE-079/XSS.ql	
@@ -4,6 +4,7 @@
  *              allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision high
  * @id cs/web/xss
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql b/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql
index d13702cc9ad..fde86253edc 100644
--- a/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql	
@@ -4,6 +4,7 @@
  *              of malicious SQL code by the user.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision medium
  * @id cs/second-order-sql-injection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql b/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql
index 3214b34792e..456e36db36e 100644
--- a/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql	
@@ -4,6 +4,7 @@
  *              malicious SQL code by the user.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @id cs/sql-injection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql b/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql
index cbe927fd7dd..e0e667ed8da 100644
--- a/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql	
@@ -4,6 +4,7 @@
  *              malicious LDAP code by the user.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id cs/ldap-injection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql b/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql
index 2618ab3f146..0c705fbce33 100644
--- a/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql	
@@ -4,6 +4,7 @@
  *              insertion of malicious LDAP code by the user.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision medium
  * @id cs/stored-ldap-injection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql b/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql
index f06485e43a1..4e2548895ad 100644
--- a/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql	
@@ -5,6 +5,7 @@
  * @kind problem
  * @id cs/xml-injection
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @tags security
  *       external/cwe/cwe-091
diff --git a/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql b/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql
index 486328bdf3c..8c711400d61 100644
--- a/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql	
@@ -4,6 +4,7 @@
  *              malicious code.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 10.0
  * @precision high
  * @id cs/code-injection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql b/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql
index d6960ef735e..ca32d21b3cb 100644
--- a/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql	
@@ -4,6 +4,7 @@
  *              malicious user providing an unintended resource.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id cs/resource-injection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql b/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql
index ab629d1f4d5..b13d357980b 100644
--- a/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql	
+++ b/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql	
@@ -4,6 +4,7 @@
  *              schema.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 3.6
  * @precision high
  * @id cs/xml/missing-validation
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql b/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql
index 9b1f1fd20a9..54b578d3072 100644
--- a/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql	
@@ -6,6 +6,7 @@
  * @kind problem
  * @id cs/assembly-path-injection
  * @problem.severity error
+ * @security-severity 6.0
  * @precision high
  * @tags security
  *       external/cwe/cwe-114
diff --git a/csharp/ql/src/Security Features/CWE-117/LogForging.ql b/csharp/ql/src/Security Features/CWE-117/LogForging.ql
index 400beef0daf..b7642d4e15a 100644
--- a/csharp/ql/src/Security Features/CWE-117/LogForging.ql	
+++ b/csharp/ql/src/Security Features/CWE-117/LogForging.ql	
@@ -4,6 +4,7 @@
  *              insertion of forged log entries by a malicious user.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id cs/log-forging
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-119/LocalUnvalidatedArithmetic.ql b/csharp/ql/src/Security Features/CWE-119/LocalUnvalidatedArithmetic.ql
index 9f88c2a4eac..263429e6995 100644
--- a/csharp/ql/src/Security Features/CWE-119/LocalUnvalidatedArithmetic.ql	
+++ b/csharp/ql/src/Security Features/CWE-119/LocalUnvalidatedArithmetic.ql	
@@ -5,6 +5,7 @@
  *              to return any value.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 10.0
  * @precision high
  * @id cs/unvalidated-local-pointer-arithmetic
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql b/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql
index a22c13bbb97..7494412e3b3 100644
--- a/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql	
+++ b/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql	
@@ -4,6 +4,7 @@
  *              and cause a denial of service.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 6.9
  * @precision high
  * @id cs/uncontrolled-format-string
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql b/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql
index b8b18c6b56d..fa40db533d5 100644
--- a/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql	
+++ b/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql	
@@ -3,6 +3,7 @@
  * @description Transmitting sensitive information to the user is a potential security risk.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 1.4
  * @precision high
  * @id cs/sensitive-data-transmission
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql b/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql
index d9db652c8d8..23e72e4e5e9 100644
--- a/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql	
+++ b/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql	
@@ -5,6 +5,7 @@
  *              developing a subsequent exploit.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 3.6
  * @precision high
  * @id cs/information-exposure-through-exception
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql b/csharp/ql/src/Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql
index 33e791feb42..323630d0c4e 100644
--- a/csharp/ql/src/Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql	
+++ b/csharp/ql/src/Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql	
@@ -4,6 +4,7 @@
  *              a global error handler, otherwise they may leak exception information.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision high
  * @id cs/web/missing-global-error-handler
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql b/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql
index 44209db60cb..b19ca4ff1bd 100644
--- a/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql	
+++ b/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql	
@@ -4,6 +4,7 @@
  *              attacker.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id cs/cleartext-storage-of-sensitive-information
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql b/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql
index 15dd46bc1f2..ff244adee95 100644
--- a/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql	
+++ b/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql	
@@ -4,7 +4,9 @@
  * @kind problem
  * @id cs/hardcoded-key
  * @problem.severity error
+ * @security-severity 5.9
  * @tags security
+ *       external/cwe/cwe-320
  */
 
 /*
diff --git a/csharp/ql/src/Security Features/CWE-321/HardcodedSymmetricEncryptionKey.ql b/csharp/ql/src/Security Features/CWE-321/HardcodedSymmetricEncryptionKey.ql
index 4113651677b..2cabc38aa8b 100644
--- a/csharp/ql/src/Security Features/CWE-321/HardcodedSymmetricEncryptionKey.ql	
+++ b/csharp/ql/src/Security Features/CWE-321/HardcodedSymmetricEncryptionKey.ql	
@@ -4,7 +4,9 @@
  * @kind path-problem
  * @id cs/hard-coded-symmetric-encryption-key
  * @problem.severity error
+ * @security-severity 3.6
  * @tags security
+ *       external/cwe/cwe-321
  */
 
 /*
diff --git a/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql b/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql
index dbd400b3a95..a843008e582 100644
--- a/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql	
+++ b/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql	
@@ -5,6 +5,7 @@
  * @kind path-problem
  * @id cs/adding-cert-to-root-store
  * @problem.severity error
+ * @security-severity 5.2
  * @tags security
  *       external/cwe/cwe-327
  */
diff --git a/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql b/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql
index ffdbc531ade..a16358b1f90 100644
--- a/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql	
+++ b/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql	
@@ -4,6 +4,7 @@
  * @kind path-problem
  * @id cs/insecure-sql-connection
  * @problem.severity error
+ * @security-severity 5.2
  * @precision medium
  * @tags security
  *       external/cwe/cwe-327
diff --git a/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql b/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql
index 134031adf43..fb40413716f 100644
--- a/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql	
+++ b/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql	
@@ -4,6 +4,7 @@
  *              allows a malicious attacker to submit a request on behalf of the user.
  * @kind problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @id cs/web/missing-token-validation
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql b/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql
index 7f765d7c0aa..20323b66bb9 100644
--- a/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql	
+++ b/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql	
@@ -4,6 +4,7 @@
  *              unauthorized persons.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 3.6
  * @precision high
  * @id cs/exposure-of-sensitive-information
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-384/AbandonSession.ql b/csharp/ql/src/Security Features/CWE-384/AbandonSession.ql
index c9a397c02c6..75daa5fc10c 100644
--- a/csharp/ql/src/Security Features/CWE-384/AbandonSession.ql	
+++ b/csharp/ql/src/Security Features/CWE-384/AbandonSession.ql	
@@ -5,6 +5,7 @@
  *              their session.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id cs/session-reuse
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-451/MissingXFrameOptions.ql b/csharp/ql/src/Security Features/CWE-451/MissingXFrameOptions.ql
index abf3f0a55ad..87757be5400 100644
--- a/csharp/ql/src/Security Features/CWE-451/MissingXFrameOptions.ql	
+++ b/csharp/ql/src/Security Features/CWE-451/MissingXFrameOptions.ql	
@@ -4,6 +4,7 @@
  *              overlay their own UI on top of the site by using an iframe.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id cs/web/missing-x-frame-options
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.ql b/csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.ql
index 31d28311908..76035d9fcba 100644
--- a/csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.ql	
+++ b/csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.ql	
@@ -5,6 +5,7 @@
  * @kind problem
  * @id cs/deserialized-delegate
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @tags security
  *       external/cwe/cwe-502
diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql
index 40022d40573..338347c0887 100644
--- a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql	
+++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql	
@@ -5,6 +5,7 @@
  * @kind problem
  * @id cs/unsafe-deserialization
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision low
  * @tags security
  *       external/cwe/cwe-502
diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql
index 80a3762a8bc..32981563ab6 100644
--- a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql	
+++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql	
@@ -5,6 +5,7 @@
  * @kind path-problem
  * @id cs/unsafe-deserialization-untrusted-input
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @tags security
  *       external/cwe/cwe-502
diff --git a/csharp/ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql b/csharp/ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql
index ba40219f3db..82532ed40e0 100644
--- a/csharp/ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql	
+++ b/csharp/ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql	
@@ -3,6 +3,7 @@
  * @description Directory browsing should not be enabled in production as it can leak sensitive information.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision very-high
  * @id cs/web/directory-browse-enabled
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql b/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql
index a3ece934561..37594e7cf72 100644
--- a/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql	
+++ b/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql	
@@ -4,6 +4,7 @@
  *              may cause redirection to malicious web sites.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 2.7
  * @precision high
  * @id cs/web/unvalidated-url-redirection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql b/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql
index 9acb765252f..2b37eb33390 100644
--- a/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql	
+++ b/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql	
@@ -3,6 +3,7 @@
  * @description Untrusted XML is read with an insecure resolver and DTD processing enabled.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id cs/xml/insecure-dtd-handling
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-611/UseXmlSecureResolver.ql b/csharp/ql/src/Security Features/CWE-611/UseXmlSecureResolver.ql
index d1159a39f99..1073c873d8c 100644
--- a/csharp/ql/src/Security Features/CWE-611/UseXmlSecureResolver.ql	
+++ b/csharp/ql/src/Security Features/CWE-611/UseXmlSecureResolver.ql	
@@ -4,6 +4,7 @@
  *              be restricted using a secure resolver or disabling DTD processing.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision low
  * @id cs/insecure-xml-read
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-614/RequireSSL.ql b/csharp/ql/src/Security Features/CWE-614/RequireSSL.ql
index 0cfd4868c29..49dd6e52e13 100644
--- a/csharp/ql/src/Security Features/CWE-614/RequireSSL.ql	
+++ b/csharp/ql/src/Security Features/CWE-614/RequireSSL.ql	
@@ -5,6 +5,7 @@
  *              is used at all times.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.2
  * @precision high
  * @id cs/web/requiressl-not-set
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql b/csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql
index 5078afd9b33..5d3ee1db4e7 100644
--- a/csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql	
@@ -4,6 +4,7 @@
  *              user is vulnerable to insertion of malicious code by the user.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision medium
  * @id cs/xml/stored-xpath-injection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql b/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql
index 5506ef6b637..a158ccfab69 100644
--- a/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql	
@@ -4,6 +4,7 @@
  *              malicious code by the user.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id cs/xml/xpath-injection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-730/ReDoS.ql b/csharp/ql/src/Security Features/CWE-730/ReDoS.ql
index 94db79a0693..79ade61af90 100644
--- a/csharp/ql/src/Security Features/CWE-730/ReDoS.ql	
+++ b/csharp/ql/src/Security Features/CWE-730/ReDoS.ql	
@@ -4,6 +4,7 @@
  *              exponential time on certain input.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 3.6
  * @precision high
  * @id cs/redos
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql b/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql
index ad0974235e9..5aca2ad9c49 100644
--- a/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql	
@@ -5,6 +5,7 @@
  *              exponential time on certain inputs.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 3.6
  * @precision high
  * @id cs/regex-injection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql b/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql
index b9e2ee248cc..0aa5f9026d1 100644
--- a/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql	
+++ b/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql	
@@ -3,6 +3,7 @@
  * @description Credentials are hard-coded in a connection string in the source code of the application.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id cs/hardcoded-connection-string-credentials
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql b/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql
index 06b69d95b5f..7b183189921 100644
--- a/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql	
+++ b/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql	
@@ -3,6 +3,7 @@
  * @description Credentials are hard coded in the source code of the application.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id cs/hardcoded-credentials
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql b/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql
index e3ba8463b76..3922c262031 100644
--- a/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql	
+++ b/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql	
@@ -4,6 +4,7 @@
  *              passing through authentication systems.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @id cs/user-controlled-bypass
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql b/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql
index 88a0b970a7a..8b8bd478031 100644
--- a/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql	
+++ b/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql	
@@ -4,6 +4,7 @@
  *              pose a security risk.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision low
  * @id cs/inappropriate-encoding
  * @tags security
diff --git a/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql b/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql
index f3cce1c36f5..472a87441ed 100644
--- a/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql	
+++ b/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql	
@@ -3,6 +3,7 @@
  * @description Finds cookies with an overly broad domain.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 6.4
  * @precision high
  * @id cs/web/broad-cookie-domain
  * @tags security
diff --git a/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql b/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql
index a75b41794dd..ec6953f72e1 100644
--- a/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql	
+++ b/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql	
@@ -3,6 +3,7 @@
  * @description Finds cookies with an overly broad path.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 6.4
  * @precision high
  * @id cs/web/broad-cookie-path
  * @tags security
diff --git a/csharp/ql/src/Security Features/Encryption using ECB.ql b/csharp/ql/src/Security Features/Encryption using ECB.ql
index 2d36bd99306..72c63b9c565 100644
--- a/csharp/ql/src/Security Features/Encryption using ECB.ql	
+++ b/csharp/ql/src/Security Features/Encryption using ECB.ql	
@@ -3,6 +3,7 @@
  * @description Highlights uses of the encryption mode 'CipherMode.ECB'. This mode should normally not be used because it is vulnerable to replay attacks.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.2
  * @precision high
  * @id cs/ecb-encryption
  * @tags security
diff --git a/csharp/ql/src/Security Features/HeaderCheckingDisabled.ql b/csharp/ql/src/Security Features/HeaderCheckingDisabled.ql
index 85793c0a730..94d01609100 100644
--- a/csharp/ql/src/Security Features/HeaderCheckingDisabled.ql	
+++ b/csharp/ql/src/Security Features/HeaderCheckingDisabled.ql	
@@ -3,6 +3,7 @@
  * @description Finds places where header checking is disabled.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision high
  * @id cs/web/disabled-header-checking
  * @tags security
diff --git a/csharp/ql/src/Security Features/InadequateRSAPadding.ql b/csharp/ql/src/Security Features/InadequateRSAPadding.ql
index 6176e4ac74e..ddeb9b370f6 100644
--- a/csharp/ql/src/Security Features/InadequateRSAPadding.ql	
+++ b/csharp/ql/src/Security Features/InadequateRSAPadding.ql	
@@ -3,6 +3,7 @@
  * @description Finds uses of RSA encryption with inadequate padding.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.2
  * @precision high
  * @id cs/inadequate-rsa-padding
  * @tags security
diff --git a/csharp/ql/src/Security Features/InsecureRandomness.ql b/csharp/ql/src/Security Features/InsecureRandomness.ql
index ef1665819f7..434f8c287f2 100644
--- a/csharp/ql/src/Security Features/InsecureRandomness.ql	
+++ b/csharp/ql/src/Security Features/InsecureRandomness.ql	
@@ -5,6 +5,7 @@
  *              be generated.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @id cs/insecure-randomness
  * @tags security
diff --git a/csharp/ql/src/Security Features/InsufficientKeySize.ql b/csharp/ql/src/Security Features/InsufficientKeySize.ql
index d5e50a60d7f..70caea4b179 100644
--- a/csharp/ql/src/Security Features/InsufficientKeySize.ql	
+++ b/csharp/ql/src/Security Features/InsufficientKeySize.ql	
@@ -3,6 +3,7 @@
  * @description Finds uses of encryption algorithms with too small a key size
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.2
  * @precision high
  * @id cs/insufficient-key-size
  * @tags security
diff --git a/csharp/ql/src/Security Features/PersistentCookie.ql b/csharp/ql/src/Security Features/PersistentCookie.ql
index 7305bdaf239..c7041cb7a36 100644
--- a/csharp/ql/src/Security Features/PersistentCookie.ql	
+++ b/csharp/ql/src/Security Features/PersistentCookie.ql	
@@ -3,6 +3,7 @@
  * @description Persistent cookies are vulnerable to attacks.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @id cs/web/persistent-cookie
  * @tags security
diff --git a/csharp/ql/src/Security Features/WeakEncryption.ql b/csharp/ql/src/Security Features/WeakEncryption.ql
index e0666d48d19..b6d543d6de7 100644
--- a/csharp/ql/src/Security Features/WeakEncryption.ql	
+++ b/csharp/ql/src/Security Features/WeakEncryption.ql	
@@ -3,6 +3,7 @@
  * @description Finds uses of encryption algorithms that are weak and obsolete
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.2
  * @precision high
  * @id cs/weak-encryption
  * @tags security
diff --git a/java/ql/src/Frameworks/JavaEE/EJB/EjbContainerInterference.ql b/java/ql/src/Frameworks/JavaEE/EJB/EjbContainerInterference.ql
index 79dd15510e8..6b08a14c244 100644
--- a/java/ql/src/Frameworks/JavaEE/EJB/EjbContainerInterference.ql
+++ b/java/ql/src/Frameworks/JavaEE/EJB/EjbContainerInterference.ql
@@ -7,6 +7,7 @@
  *              Such operations could interfere with the EJB container's operation.
  * @kind problem
  * @problem.severity error
+ * @security-severity 4.9
  * @precision low
  * @id java/ejb/container-interference
  * @tags reliability
diff --git a/java/ql/src/Frameworks/JavaEE/EJB/EjbFileIO.ql b/java/ql/src/Frameworks/JavaEE/EJB/EjbFileIO.ql
index 51f0105cb07..62b2d5f48ec 100644
--- a/java/ql/src/Frameworks/JavaEE/EJB/EjbFileIO.ql
+++ b/java/ql/src/Frameworks/JavaEE/EJB/EjbFileIO.ql
@@ -5,6 +5,7 @@
  *              for enterprise components.
  * @kind problem
  * @problem.severity error
+ * @security-severity 4.9
  * @precision low
  * @id java/ejb/file-io
  * @tags reliability
diff --git a/java/ql/src/Frameworks/JavaEE/EJB/EjbNative.ql b/java/ql/src/Frameworks/JavaEE/EJB/EjbNative.ql
index 16736a1669e..787ae9a72c5 100644
--- a/java/ql/src/Frameworks/JavaEE/EJB/EjbNative.ql
+++ b/java/ql/src/Frameworks/JavaEE/EJB/EjbNative.ql
@@ -4,6 +4,7 @@
  *              Such use could compromise security and system stability.
  * @kind problem
  * @problem.severity error
+ * @security-severity 4.9
  * @precision low
  * @id java/ejb/native-code
  * @tags reliability
diff --git a/java/ql/src/Frameworks/JavaEE/EJB/EjbReflection.ql b/java/ql/src/Frameworks/JavaEE/EJB/EjbReflection.ql
index fa28edc7393..4e6eea2cbf1 100644
--- a/java/ql/src/Frameworks/JavaEE/EJB/EjbReflection.ql
+++ b/java/ql/src/Frameworks/JavaEE/EJB/EjbReflection.ql
@@ -4,6 +4,7 @@
  *              as this could compromise security.
  * @kind problem
  * @problem.severity error
+ * @security-severity 4.9
  * @precision low
  * @id java/ejb/reflection
  * @tags external/cwe/cwe-573
diff --git a/java/ql/src/Frameworks/JavaEE/EJB/EjbSecurityConfiguration.ql b/java/ql/src/Frameworks/JavaEE/EJB/EjbSecurityConfiguration.ql
index eb08dcb8060..4efde8d82bf 100644
--- a/java/ql/src/Frameworks/JavaEE/EJB/EjbSecurityConfiguration.ql
+++ b/java/ql/src/Frameworks/JavaEE/EJB/EjbSecurityConfiguration.ql
@@ -5,6 +5,7 @@
  *              This functionality is reserved for the EJB container for security reasons.
  * @kind problem
  * @problem.severity error
+ * @security-severity 4.9
  * @precision low
  * @id java/ejb/security-configuration-access
  * @tags external/cwe/cwe-573
diff --git a/java/ql/src/Frameworks/JavaEE/EJB/EjbSerialization.ql b/java/ql/src/Frameworks/JavaEE/EJB/EjbSerialization.ql
index d6e5c1fc9b1..02c493c7a70 100644
--- a/java/ql/src/Frameworks/JavaEE/EJB/EjbSerialization.ql
+++ b/java/ql/src/Frameworks/JavaEE/EJB/EjbSerialization.ql
@@ -4,6 +4,7 @@
  *              the Java serialization protocol, since their use could compromise security.
  * @kind problem
  * @problem.severity error
+ * @security-severity 4.9
  * @precision low
  * @id java/ejb/substitution-in-serialization
  * @tags external/cwe/cwe-573
diff --git a/java/ql/src/Frameworks/JavaEE/EJB/EjbSetSocketOrUrlFactory.ql b/java/ql/src/Frameworks/JavaEE/EJB/EjbSetSocketOrUrlFactory.ql
index 4a1524ee1b3..8011b3c1d22 100644
--- a/java/ql/src/Frameworks/JavaEE/EJB/EjbSetSocketOrUrlFactory.ql
+++ b/java/ql/src/Frameworks/JavaEE/EJB/EjbSetSocketOrUrlFactory.ql
@@ -5,6 +5,7 @@
  *              compromise security or interfere with the EJB container's operation.
  * @kind problem
  * @problem.severity error
+ * @security-severity 4.9
  * @precision low
  * @id java/ejb/socket-or-stream-handler-factory
  * @tags reliability
diff --git a/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql b/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql
index aec8e9bc94c..52bb9f04289 100644
--- a/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql	
+++ b/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql	
@@ -5,6 +5,7 @@
  *              numeric errors such as overflows.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision very-high
  * @id java/implicit-cast-in-compound-assignment
  * @tags reliability
diff --git a/java/ql/src/Likely Bugs/Arithmetic/RandomUsedOnce.ql b/java/ql/src/Likely Bugs/Arithmetic/RandomUsedOnce.ql
index 7f87d6bd062..fb1a44b2222 100644
--- a/java/ql/src/Likely Bugs/Arithmetic/RandomUsedOnce.ql	
+++ b/java/ql/src/Likely Bugs/Arithmetic/RandomUsedOnce.ql	
@@ -4,6 +4,7 @@
  *              guarantee an evenly distributed sequence of random numbers.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id java/random-used-once
  * @tags reliability
diff --git a/java/ql/src/Likely Bugs/Concurrency/UnreleasedLock.ql b/java/ql/src/Likely Bugs/Concurrency/UnreleasedLock.ql
index 40fb18543d1..4a3fc548085 100644
--- a/java/ql/src/Likely Bugs/Concurrency/UnreleasedLock.ql	
+++ b/java/ql/src/Likely Bugs/Concurrency/UnreleasedLock.ql	
@@ -4,6 +4,7 @@
  *              may cause a deadlock.
  * @kind problem
  * @problem.severity error
+ * @security-severity 6.9
  * @precision medium
  * @id java/unreleased-lock
  * @tags reliability
diff --git a/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql b/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
index 35c6a69c022..bf2e3f06f26 100644
--- a/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
+++ b/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
@@ -5,6 +5,7 @@
  * @kind path-problem
  * @precision low
  * @problem.severity error
+ * @security-severity 5.9
  * @tags security external/cwe/cwe-20
  */
 
diff --git a/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql b/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
index 01d89cc8e06..ac3ec8664a2 100644
--- a/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+++ b/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
@@ -3,6 +3,7 @@
  * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @id java/path-injection
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql b/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql
index a64f88997e8..90b77661500 100644
--- a/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql
@@ -3,6 +3,7 @@
  * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 6.4
  * @precision medium
  * @id java/path-injection-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql b/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
index 6342a444a64..1a70b273d84 100644
--- a/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
+++ b/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
@@ -6,6 +6,7 @@
  * @kind path-problem
  * @id java/zipslip
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @tags security
  *       external/cwe/cwe-022
diff --git a/java/ql/src/Security/CWE/CWE-078/ExecRelative.ql b/java/ql/src/Security/CWE/CWE-078/ExecRelative.ql
index 80cd9c0dee3..f7d844f225a 100644
--- a/java/ql/src/Security/CWE/CWE-078/ExecRelative.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecRelative.ql
@@ -4,6 +4,7 @@
  *              malicious changes in the PATH environment variable.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id java/relative-path-command
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql b/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
index 7b191e76241..fc409bcfd5a 100644
--- a/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -4,6 +4,7 @@
  *              changes in the strings.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id java/command-line-injection
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
index f7c49dbd4f6..c98a45a06d8 100644
--- a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
@@ -4,6 +4,7 @@
  *              changes in the strings.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 5.9
  * @precision medium
  * @id java/command-line-injection-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
index a0fa793872f..a3b88b40ae7 100644
--- a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
@@ -4,6 +4,7 @@
  *              insertion of special characters in the strings.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id java/concatenated-command-line
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-079/XSS.ql b/java/ql/src/Security/CWE/CWE-079/XSS.ql
index ae7cec3277d..d864d24a95e 100644
--- a/java/ql/src/Security/CWE/CWE-079/XSS.ql
+++ b/java/ql/src/Security/CWE/CWE-079/XSS.ql
@@ -4,6 +4,7 @@
  *              allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision high
  * @id java/xss
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql b/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
index a11a3ade0fd..44ab185b3b5 100644
--- a/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
@@ -4,6 +4,7 @@
  *              allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 2.9
  * @precision medium
  * @id java/xss-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql b/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
index 86e98754c14..d002bb96ce1 100644
--- a/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -4,6 +4,7 @@
  *              malicious code by the user.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @id java/sql-injection
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
index 56c052e7b1b..ada846dcf47 100644
--- a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
@@ -4,6 +4,7 @@
  *              malicious code by the user.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 6.4
  * @precision medium
  * @id java/sql-injection-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql b/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
index c6fd810b74c..9ddd5def883 100644
--- a/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
@@ -4,6 +4,7 @@
  *              characters is vulnerable to insertion of malicious code.
  * @kind problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @id java/concatenated-sql-query
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql b/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql
index 6b5b37f1093..5a7ab632a55 100644
--- a/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql
@@ -4,6 +4,7 @@
  *              malicious LDAP code by the user.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id java/ldap-injection
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
index aef404aabd1..f865d7d16b1 100644
--- a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
+++ b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
@@ -3,6 +3,7 @@
  * @description User-controlled data may be evaluated as a Java EL expression, leading to arbitrary code execution.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 10.0
  * @precision high
  * @id java/insecure-bean-validation
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql b/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
index c9827d3a123..cf555aa3442 100644
--- a/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
@@ -4,6 +4,7 @@
  *              may lead to arbitrary code execution.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 10.0
  * @precision high
  * @id java/jexl-expression-injection
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql b/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql
index 936da80a9d9..84d9ba734e2 100644
--- a/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql
+++ b/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql
@@ -3,6 +3,7 @@
  * @description Using a deprecated artifact repository may eventually give attackers access for a supply chain attack.
  * @kind problem
  * @problem.severity error
+ * @security-severity 6.5
  * @precision very-high
  * @id java/maven/dependency-upon-bintray
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
index 0193093e72c..76fa154ae7b 100644
--- a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
+++ b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
@@ -5,6 +5,7 @@
  *              an HTTP header.
  * @kind problem
  * @problem.severity error
+ * @security-severity 3.6
  * @precision high
  * @id java/netty-http-response-splitting
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
index add36e91963..92468d61936 100644
--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
+++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
@@ -4,6 +4,7 @@
  *              makes code vulnerable to attack by header splitting.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 3.6
  * @precision high
  * @id java/http-response-splitting
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
index 7a748276aba..ff9a379d1f7 100644
--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
@@ -4,6 +4,7 @@
  *              makes code vulnerable to attack by header splitting.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 3.6
  * @precision medium
  * @id java/http-response-splitting-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql
index b3d9b9f1884..ca5d05db10c 100644
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql
@@ -3,6 +3,7 @@
  * @description Using unvalidated external input as the argument to a construction of an array can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id java/improper-validation-of-array-construction
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql
index 16519955c6d..f3471027561 100644
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql
@@ -4,6 +4,7 @@
  *              a construction of an array can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 5.9
  * @precision medium
  * @id java/improper-validation-of-array-construction-code-specified
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql
index 6938946ce0c..94e06109da4 100644
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql
@@ -4,6 +4,7 @@
  *              a construction of an array can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 5.9
  * @precision medium
  * @id java/improper-validation-of-array-construction-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql
index 9f0d9fa92a2..5fe23b564d6 100644
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql
@@ -3,6 +3,7 @@
  * @description Using external input as an index to an array, without proper validation, can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id java/improper-validation-of-array-index
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql
index 9d0098cab63..99c819533cb 100644
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql
@@ -4,6 +4,7 @@
  *              proper validation, can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 5.9
  * @precision medium
  * @id java/improper-validation-of-array-index-code-specified
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql
index 37e68292f66..c246bcff158 100644
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql
@@ -4,6 +4,7 @@
  *              proper validation, can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 5.9
  * @precision medium
  * @id java/improper-validation-of-array-index-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
index 7a9e3a2baab..0208955e10f 100644
--- a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
+++ b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
@@ -3,6 +3,7 @@
  * @description Using external input in format strings can lead to exceptions or information leaks.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 6.9
  * @precision high
  * @id java/tainted-format-string
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
index 72f2c4e4bd7..5dd2f629393 100644
--- a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
@@ -3,6 +3,7 @@
  * @description Using external input in format strings can lead to exceptions or information leaks.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 6.9
  * @precision medium
  * @id java/tainted-format-string-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql b/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
index 958698d46eb..261c6891039 100644
--- a/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
@@ -4,6 +4,7 @@
  *              overflows.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id java/tainted-arithmetic
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql
index 3b6da268508..54e3fa1b10a 100644
--- a/java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql
@@ -4,6 +4,7 @@
  *              overflows.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 5.9
  * @precision medium
  * @id java/tainted-arithmetic-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
index c0814e42ef7..ad67e3b55bc 100644
--- a/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -4,6 +4,7 @@
  *              overflows.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id java/uncontrolled-arithmetic
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql b/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
index 0264b9d9b27..0ffcbec38e6 100644
--- a/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
+++ b/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
@@ -4,6 +4,7 @@
  *              is then used in an arithmetic expression, this may result in an overflow.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 5.9
  * @precision medium
  * @id java/extreme-value-arithmetic
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql b/java/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
index 03138948178..c6e72a94b65 100644
--- a/java/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+++ b/java/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
@@ -4,6 +4,7 @@
  *              to behave unexpectedly.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id java/comparison-with-wider-type
  * @tags reliability
diff --git a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
index 233e2694afa..bf96ee8d1bb 100644
--- a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+++ b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
@@ -5,6 +5,7 @@
  *              that are useful to an attacker for developing a subsequent exploit.
  * @kind problem
  * @problem.severity error
+ * @security-severity 3.6
  * @precision high
  * @id java/stack-trace-exposure
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql b/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
index 0bf7a164826..d7a5f374953 100644
--- a/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
+++ b/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
@@ -3,6 +3,7 @@
  * @description Marking a certificate as valid for a host without checking the certificate hostname allows an attacker to perform a machine-in-the-middle attack.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 4.9
  * @precision high
  * @id java/unsafe-hostname-verification
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-312/CleartextStorageClass.ql b/java/ql/src/Security/CWE/CWE-312/CleartextStorageClass.ql
index 41919152c6a..00527d4ab60 100644
--- a/java/ql/src/Security/CWE/CWE-312/CleartextStorageClass.ql
+++ b/java/ql/src/Security/CWE/CWE-312/CleartextStorageClass.ql
@@ -3,6 +3,7 @@
  * @description Storing sensitive information in cleartext can expose it to an attacker.
  * @kind problem
  * @problem.severity recommendation
+ * @security-severity 5.9
  * @precision medium
  * @id java/cleartext-storage-in-class
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql b/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql
index 60d5a246979..7a3c55379de 100644
--- a/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql
+++ b/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql
@@ -3,6 +3,7 @@
  * @description Storing sensitive information in cleartext can expose it to an attacker.
  * @kind problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision high
  * @id java/cleartext-storage-in-cookie
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql b/java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql
index 7a9626f94dd..7f05192357d 100644
--- a/java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql
+++ b/java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql
@@ -3,6 +3,7 @@
  * @description Storing sensitive information in cleartext can expose it to an attacker.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 6.4
  * @precision medium
  * @id java/cleartext-storage-in-properties
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql b/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
index 77980f033f0..544197f0252 100644
--- a/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
+++ b/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
@@ -3,6 +3,7 @@
  * @description Non-HTTPS connections can be intercepted by third parties.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 5.2
  * @precision medium
  * @id java/non-https-url
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-319/UseSSL.ql b/java/ql/src/Security/CWE/CWE-319/UseSSL.ql
index 070c766ba10..b4fabf15940 100644
--- a/java/ql/src/Security/CWE/CWE-319/UseSSL.ql
+++ b/java/ql/src/Security/CWE/CWE-319/UseSSL.ql
@@ -3,6 +3,7 @@
  * @description Non-SSL connections can be intercepted by third parties.
  * @kind problem
  * @problem.severity recommendation
+ * @security-severity 5.2
  * @precision medium
  * @id java/non-ssl-connection
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql b/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql
index b594f9d8fc1..6fa51d4caf2 100644
--- a/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql
+++ b/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql
@@ -4,6 +4,7 @@
  *              third parties.
  * @kind problem
  * @problem.severity recommendation
+ * @security-severity 5.2
  * @precision medium
  * @id java/non-ssl-socket-factory
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index d67637b0a48..194d7ecf7d5 100644
--- a/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -3,6 +3,7 @@
  * @description Using broken or weak cryptographic algorithms can allow an attacker to compromise security.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.2
  * @precision high
  * @id java/weak-cryptographic-algorithm
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql b/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
index 7b026efb7ae..fac3d66f2b8 100644
--- a/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
+++ b/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
@@ -3,6 +3,7 @@
  * @description Using broken or weak cryptographic algorithms can allow an attacker to compromise security.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.2
  * @precision medium
  * @id java/potentially-weak-cryptographic-algorithm
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql b/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql
index e0a53b59977..2cd7bbae1dd 100644
--- a/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql
+++ b/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql
@@ -3,9 +3,11 @@
  * @description Using a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id java/predictable-seed
  * @tags security
+ *       external/cwe/cwe-335
  */
 
 import java
diff --git a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
index 8eda68ebe70..6a456fbae32 100644
--- a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
+++ b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
@@ -3,6 +3,7 @@
  * @description Using a vulnerable version of JHipster to generate random numbers makes it easier for attackers to take over accounts.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision very-high
  * @id java/jhipster-prng
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql b/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
index 354dee75d83..d7fe7b8611e 100644
--- a/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
+++ b/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
@@ -4,6 +4,7 @@
  *              a Cross-Site Request Forgery (CSRF) attack.
  * @kind problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @id java/spring-disabled-csrf-protection
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-367/TOCTOURace.ql b/java/ql/src/Security/CWE/CWE-367/TOCTOURace.ql
index d88b946e44d..740dd6ba314 100644
--- a/java/ql/src/Security/CWE/CWE-367/TOCTOURace.ql
+++ b/java/ql/src/Security/CWE/CWE-367/TOCTOURace.ql
@@ -4,6 +4,7 @@
  *              if the state may be changed between the check and use.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id java/toctou-race-condition
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-421/SocketAuthRace.ql b/java/ql/src/Security/CWE/CWE-421/SocketAuthRace.ql
index 7b2870a1b28..d4301a3d620 100644
--- a/java/ql/src/Security/CWE/CWE-421/SocketAuthRace.ql
+++ b/java/ql/src/Security/CWE/CWE-421/SocketAuthRace.ql
@@ -3,6 +3,7 @@
  * @description Opening a socket after authenticating via a different channel may allow an attacker to connect to the port first.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 10.0
  * @precision medium
  * @id java/socket-auth-race-condition
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
index bb4df03cd4f..82dd42c3c32 100644
--- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
+++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
@@ -4,6 +4,7 @@
  *              execute arbitrary code.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id java/unsafe-deserialization
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql b/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
index 455f6add626..7d072091245 100644
--- a/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
+++ b/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
@@ -4,6 +4,7 @@
  *              may cause redirection to malicious web sites.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 2.7
  * @precision high
  * @id java/unvalidated-url-redirection
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql b/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql
index e060d15ab9f..4f60a15d8a6 100644
--- a/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql
@@ -4,6 +4,7 @@
  *              may cause redirection to malicious web sites.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 2.7
  * @precision medium
  * @id java/unvalidated-url-redirection-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-611/XXE.ql b/java/ql/src/Security/CWE/CWE-611/XXE.ql
index 432cc6d38d7..dc277337769 100644
--- a/java/ql/src/Security/CWE/CWE-611/XXE.ql
+++ b/java/ql/src/Security/CWE/CWE-611/XXE.ql
@@ -4,6 +4,7 @@
  * references may lead to disclosure of confidential data or denial of service.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id java/xxe
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql b/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
index 8a8bc656aba..ef6d143ece8 100644
--- a/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
+++ b/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
@@ -4,6 +4,7 @@
  *              interception.
  * @kind problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision high
  * @id java/insecure-cookie
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql b/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
index 7e23aa7cb77..0dd73370569 100644
--- a/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
@@ -4,6 +4,7 @@
  *              malicious code by the user.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id java/xml/xpath-injection
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql b/java/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
index f1449012363..662e2c487ab 100644
--- a/java/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
+++ b/java/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
@@ -3,6 +3,7 @@
  * @description Certain standard library routines are dangerous to call.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 10.0
  * @precision medium
  * @id java/potentially-dangerous-function
  * @tags reliability
diff --git a/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql b/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
index 1f54800a091..0518b99e221 100644
--- a/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
@@ -4,6 +4,7 @@
  *              can cause unexpected truncation.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id java/tainted-numeric-cast
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql
index 9dadb0ae443..519e4c398ee 100644
--- a/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql
@@ -4,6 +4,7 @@
  *              can cause unexpected truncation.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 5.9
  * @precision medium
  * @id java/tainted-numeric-cast-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql b/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
index f87733f0e9f..3797f11dfd5 100644
--- a/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
+++ b/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
@@ -4,6 +4,7 @@
  *              the file may be modified or removed by external actors.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id java/world-writable-file-read
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
index c76527bc538..5300e3864ef 100644
--- a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
+++ b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
@@ -3,6 +3,7 @@
  * @description Using a hard-coded credential in a call to a sensitive Java API may compromise security.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision medium
  * @id java/hardcoded-credential-api-call
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql
index 0d955b4ed08..8583f4bef39 100644
--- a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql
+++ b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql
@@ -3,6 +3,7 @@
  * @description Comparing a parameter to a hard-coded credential may compromise security.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision low
  * @id java/hardcoded-credential-comparison
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql
index 93d0dde665a..724916f1511 100644
--- a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql
+++ b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql
@@ -3,6 +3,7 @@
  * @description Using a hard-coded credential in a sensitive call may compromise security.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision low
  * @id java/hardcoded-credential-sensitive-call
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql b/java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql
index 7c0ca38263e..4464268a5ec 100644
--- a/java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql
+++ b/java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql
@@ -3,6 +3,7 @@
  * @description Hard-coding a password string may compromise security.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision low
  * @id java/hardcoded-password-field
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql b/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
index fd813dd3dd8..6f1c7275bb4 100644
--- a/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
+++ b/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
@@ -4,6 +4,7 @@
  *              passing through authentication systems.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision medium
  * @id java/user-controlled-bypass
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql b/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
index 542b98b157d..7eb03c1ecd7 100644
--- a/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
+++ b/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
@@ -4,6 +4,7 @@
  *              permissions being granted.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id java/tainted-permissions-check
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql b/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
index 50c2dc1e05e..d3b833eaf72 100644
--- a/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
+++ b/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
@@ -3,6 +3,7 @@
  * @description Non-HTTPS connections can be intercepted by third parties.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision very-high
  * @id java/maven/non-https-url
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-833/LockOrderInconsistency.ql b/java/ql/src/Security/CWE/CWE-833/LockOrderInconsistency.ql
index 795c5e1c925..241965f4b09 100644
--- a/java/ql/src/Security/CWE/CWE-833/LockOrderInconsistency.ql
+++ b/java/ql/src/Security/CWE/CWE-833/LockOrderInconsistency.ql
@@ -3,6 +3,7 @@
  * @description Acquiring multiple locks in a different order may cause deadlock.
  * @kind problem
  * @problem.severity recommendation
+ * @security-severity 6.9
  * @precision medium
  * @id java/lock-order-inconsistency
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-835/InfiniteLoop.ql b/java/ql/src/Security/CWE/CWE-835/InfiniteLoop.ql
index cc02dfb3f09..4fe1c38c6d5 100644
--- a/java/ql/src/Security/CWE/CWE-835/InfiniteLoop.ql
+++ b/java/ql/src/Security/CWE/CWE-835/InfiniteLoop.ql
@@ -5,6 +5,7 @@
  *              looping.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision medium
  * @id java/unreachable-exit-in-loop
  * @tags security
diff --git a/javascript/ql/src/AngularJS/DisablingSce.ql b/javascript/ql/src/AngularJS/DisablingSce.ql
index c4aa3822d04..eae9a924a2c 100644
--- a/javascript/ql/src/AngularJS/DisablingSce.ql
+++ b/javascript/ql/src/AngularJS/DisablingSce.ql
@@ -3,11 +3,13 @@
  * @description Disabling strict contextual escaping (SCE) can cause security vulnerabilities.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision very-high
  * @id js/angular/disabling-sce
  * @tags security
  *       maintainability
  *       frameworks/angularjs
+ *       external/cwe/cwe-116
  */
 
 import javascript
diff --git a/javascript/ql/src/AngularJS/DoubleCompilation.ql b/javascript/ql/src/AngularJS/DoubleCompilation.ql
index 024e65bef51..e81351ea0d4 100644
--- a/javascript/ql/src/AngularJS/DoubleCompilation.ql
+++ b/javascript/ql/src/AngularJS/DoubleCompilation.ql
@@ -4,10 +4,12 @@
  *              unexpected behavior of directives, performance problems, and memory leaks.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @id js/angular/double-compilation
  * @tags reliability
  *       frameworks/angularjs
  *       security
+ *       external/cwe/cwe-1176
  * @precision very-high
  */
 
diff --git a/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql b/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql
index 0e5a48ba8a9..b17c3188328 100644
--- a/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql
+++ b/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql
@@ -3,6 +3,7 @@
  * @description URL whitelists that are too permissive can cause security vulnerabilities.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 6.4
  * @precision very-high
  * @id js/angular/insecure-url-whitelist
  * @tags security
diff --git a/javascript/ql/src/DOM/TargetBlank.ql b/javascript/ql/src/DOM/TargetBlank.ql
index 82885c1d63c..588552c9bff 100644
--- a/javascript/ql/src/DOM/TargetBlank.ql
+++ b/javascript/ql/src/DOM/TargetBlank.ql
@@ -4,6 +4,7 @@
  *              link type 'noopener' or 'noreferrer' are a potential security risk.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @id js/unsafe-external-link
  * @tags maintainability
  *       security
diff --git a/javascript/ql/src/Electron/AllowRunningInsecureContent.ql b/javascript/ql/src/Electron/AllowRunningInsecureContent.ql
index b6d1141cfcb..8a4535992d9 100644
--- a/javascript/ql/src/Electron/AllowRunningInsecureContent.ql
+++ b/javascript/ql/src/Electron/AllowRunningInsecureContent.ql
@@ -3,9 +3,11 @@
  * @description Enabling allowRunningInsecureContent can allow remote code execution.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision very-high
  * @tags security
  *       frameworks/electron
+ *       external/cwe/cwe-494
  * @id js/enabling-electron-insecure-content
  */
 
diff --git a/javascript/ql/src/Electron/DisablingWebSecurity.ql b/javascript/ql/src/Electron/DisablingWebSecurity.ql
index 792759d9cf6..07b4d98ad3c 100644
--- a/javascript/ql/src/Electron/DisablingWebSecurity.ql
+++ b/javascript/ql/src/Electron/DisablingWebSecurity.ql
@@ -3,9 +3,11 @@
  * @description Disabling webSecurity can cause critical security vulnerabilities.
  * @kind problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision very-high
  * @tags security
  *       frameworks/electron
+ *       external/cwe/cwe-79
  * @id js/disabling-electron-websecurity
  */
 
diff --git a/javascript/ql/src/Electron/EnablingNodeIntegration.ql b/javascript/ql/src/Electron/EnablingNodeIntegration.ql
index e0ef84a2015..6bf424d52e9 100644
--- a/javascript/ql/src/Electron/EnablingNodeIntegration.ql
+++ b/javascript/ql/src/Electron/EnablingNodeIntegration.ql
@@ -3,6 +3,7 @@
  * @description Enabling `nodeIntegration` or `nodeIntegrationInWorker` can expose the application to remote code execution.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 10.0
  * @precision low
  * @id js/enabling-electron-renderer-node-integration
  * @tags security
diff --git a/javascript/ql/src/Performance/PolynomialReDoS.ql b/javascript/ql/src/Performance/PolynomialReDoS.ql
index 616bf66c719..d463b450bfe 100644
--- a/javascript/ql/src/Performance/PolynomialReDoS.ql
+++ b/javascript/ql/src/Performance/PolynomialReDoS.ql
@@ -4,6 +4,7 @@
  *              to match may be vulnerable to denial-of-service attacks.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision high
  * @id js/polynomial-redos
  * @tags security
diff --git a/javascript/ql/src/Performance/ReDoS.ql b/javascript/ql/src/Performance/ReDoS.ql
index 8d33e7bc507..39b8dbce9b3 100644
--- a/javascript/ql/src/Performance/ReDoS.ql
+++ b/javascript/ql/src/Performance/ReDoS.ql
@@ -5,6 +5,7 @@
  *              attacks.
  * @kind problem
  * @problem.severity error
+ * @security-severity 3.6
  * @precision high
  * @id js/redos
  * @tags security
diff --git a/javascript/ql/src/RegExp/IdentityReplacement.ql b/javascript/ql/src/RegExp/IdentityReplacement.ql
index 2a6e354cc9c..8d74e735053 100644
--- a/javascript/ql/src/RegExp/IdentityReplacement.ql
+++ b/javascript/ql/src/RegExp/IdentityReplacement.ql
@@ -3,6 +3,7 @@
  * @description Replacing a substring with itself has no effect and may indicate a mistake.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @id js/identity-replacement
  * @precision very-high
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql b/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
index 68b0200ebed..ba4db85c448 100644
--- a/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
+++ b/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
@@ -3,6 +3,7 @@
  * @description Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @id js/incomplete-hostname-regexp
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-020/IncompleteUrlSchemeCheck.ql b/javascript/ql/src/Security/CWE-020/IncompleteUrlSchemeCheck.ql
index 0675b189cd1..a40924a1311 100644
--- a/javascript/ql/src/Security/CWE-020/IncompleteUrlSchemeCheck.ql
+++ b/javascript/ql/src/Security/CWE-020/IncompleteUrlSchemeCheck.ql
@@ -4,6 +4,7 @@
  *              and "data:" suggests a logic error or even a security vulnerability.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @id js/incomplete-url-scheme-check
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql b/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
index 554cf7759d2..a9e2366c4a2 100644
--- a/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
+++ b/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
@@ -3,6 +3,7 @@
  * @description Security checks on the substrings of an unparsed URL are often vulnerable to bypassing.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @id js/incomplete-url-substring-sanitization
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql b/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql
index 8aa706c4952..640f0f5ed34 100644
--- a/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql
+++ b/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql
@@ -3,6 +3,7 @@
  * @description Using indexOf to implement endsWith functionality is error-prone if the -1 case is not explicitly handled.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id js/incorrect-suffix-check
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql b/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql
index 916edfb4f02..4cbd92613e8 100644
--- a/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql
+++ b/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql
@@ -3,6 +3,7 @@
  * @description Regular expressions without anchors can be vulnerable to bypassing.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id js/regex/missing-regexp-anchor
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql b/javascript/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql
index a35c2e57f22..3c87f57f3df 100644
--- a/javascript/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql
+++ b/javascript/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql
@@ -5,6 +5,7 @@
  * @kind path-problem
  * @precision low
  * @problem.severity error
+ * @security-severity 5.9
  * @tags security external/cwe/cwe-20
  */
 
diff --git a/javascript/ql/src/Security/CWE-020/UselessRegExpCharacterEscape.ql b/javascript/ql/src/Security/CWE-020/UselessRegExpCharacterEscape.ql
index 7c3365a0434..a48fbbb84b9 100644
--- a/javascript/ql/src/Security/CWE-020/UselessRegExpCharacterEscape.ql
+++ b/javascript/ql/src/Security/CWE-020/UselessRegExpCharacterEscape.ql
@@ -5,6 +5,7 @@
  *              behave unexpectedly.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id js/useless-regexp-character-escape
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-022/TaintedPath.ql b/javascript/ql/src/Security/CWE-022/TaintedPath.ql
index f7f79c63042..cda0074aa86 100644
--- a/javascript/ql/src/Security/CWE-022/TaintedPath.ql
+++ b/javascript/ql/src/Security/CWE-022/TaintedPath.ql
@@ -4,6 +4,7 @@
  *              unexpected resources.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @id js/path-injection
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-022/ZipSlip.ql b/javascript/ql/src/Security/CWE-022/ZipSlip.ql
index e9c92163d05..4282de76742 100644
--- a/javascript/ql/src/Security/CWE-022/ZipSlip.ql
+++ b/javascript/ql/src/Security/CWE-022/ZipSlip.ql
@@ -6,6 +6,7 @@
  * @kind path-problem
  * @id js/zipslip
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @tags security
  *       external/cwe/cwe-022
diff --git a/javascript/ql/src/Security/CWE-073/TemplateObjectInjection.ql b/javascript/ql/src/Security/CWE-073/TemplateObjectInjection.ql
index 33b5b4211a6..7f413152df1 100644
--- a/javascript/ql/src/Security/CWE-073/TemplateObjectInjection.ql
+++ b/javascript/ql/src/Security/CWE-073/TemplateObjectInjection.ql
@@ -3,6 +3,7 @@
  * @description Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 10.0
  * @precision high
  * @id js/template-object-injection
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-078/CommandInjection.ql b/javascript/ql/src/Security/CWE-078/CommandInjection.ql
index d1c22e33989..aa9b3920e06 100644
--- a/javascript/ql/src/Security/CWE-078/CommandInjection.ql
+++ b/javascript/ql/src/Security/CWE-078/CommandInjection.ql
@@ -4,6 +4,7 @@
  *              user to change the meaning of the command.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id js/command-line-injection
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql b/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql
index 1a22af72b27..ae665a250e7 100644
--- a/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql
+++ b/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql
@@ -5,6 +5,7 @@
  *              command-line injection vulnerabilities.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id js/indirect-command-line-injection
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql b/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql
index a5e51b1c71d..cccb26ec545 100644
--- a/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql
+++ b/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql
@@ -4,6 +4,7 @@
  *              environment may cause subtle bugs or vulnerabilities.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @id js/shell-command-injection-from-environment
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql b/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql
index 1b4d5523ba4..d0d0129e214 100644
--- a/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql
+++ b/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql
@@ -4,6 +4,7 @@
  *              user to change the meaning of the command.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id js/shell-command-constructed-from-input
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql b/javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql
index 6b0ed59e632..81134d6bb5b 100644
--- a/javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql
+++ b/javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql
@@ -3,11 +3,13 @@
  * @description Using the  `cat` process to read a file is unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id js/unnecessary-use-of-cat
  * @tags correctness
  *       security
  *       maintainability
+ *       external/cwe/cwe-078
  */
 
 import javascript
diff --git a/javascript/ql/src/Security/CWE-079/ExceptionXss.ql b/javascript/ql/src/Security/CWE-079/ExceptionXss.ql
index 7c9cedc1705..b82676dca61 100644
--- a/javascript/ql/src/Security/CWE-079/ExceptionXss.ql
+++ b/javascript/ql/src/Security/CWE-079/ExceptionXss.ql
@@ -4,6 +4,7 @@
  *              can lead to a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 2.9
  * @precision high
  * @id js/xss-through-exception
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-079/ReflectedXss.ql b/javascript/ql/src/Security/CWE-079/ReflectedXss.ql
index 79ff3ce4a92..958d5296e71 100644
--- a/javascript/ql/src/Security/CWE-079/ReflectedXss.ql
+++ b/javascript/ql/src/Security/CWE-079/ReflectedXss.ql
@@ -4,6 +4,7 @@
  *              a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision high
  * @id js/reflected-xss
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-079/StoredXss.ql b/javascript/ql/src/Security/CWE-079/StoredXss.ql
index fd7331fd0cc..df674173c28 100644
--- a/javascript/ql/src/Security/CWE-079/StoredXss.ql
+++ b/javascript/ql/src/Security/CWE-079/StoredXss.ql
@@ -4,6 +4,7 @@
  *              a stored cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision high
  * @id js/stored-xss
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql b/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql
index d6199af4598..ca4564a5968 100644
--- a/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql
+++ b/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql
@@ -4,6 +4,7 @@
  *              user to perform a cross-site scripting attack.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision high
  * @id js/html-constructed-from-input
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql b/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql
index 922d0c681e8..fdbdc74f2a5 100644
--- a/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql
+++ b/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql
@@ -3,6 +3,7 @@
  * @description A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 2.9
  * @precision high
  * @id js/unsafe-jquery-plugin
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-079/Xss.ql b/javascript/ql/src/Security/CWE-079/Xss.ql
index 3925febb008..7ae8268ca0f 100644
--- a/javascript/ql/src/Security/CWE-079/Xss.ql
+++ b/javascript/ql/src/Security/CWE-079/Xss.ql
@@ -4,6 +4,7 @@
  *              a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision high
  * @id js/xss
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-079/XssThroughDom.ql b/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
index 5c6bdd11815..9e3b1231346 100644
--- a/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
+++ b/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
@@ -4,6 +4,7 @@
  *              can lead to a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 2.9
  * @precision high
  * @id js/xss-through-dom
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-089/SqlInjection.ql b/javascript/ql/src/Security/CWE-089/SqlInjection.ql
index f33376fcf58..43e7ef9f5de 100644
--- a/javascript/ql/src/Security/CWE-089/SqlInjection.ql
+++ b/javascript/ql/src/Security/CWE-089/SqlInjection.ql
@@ -4,6 +4,7 @@
  *              malicious code by the user.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @id js/sql-injection
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-094/CodeInjection.ql b/javascript/ql/src/Security/CWE-094/CodeInjection.ql
index 0f2f1b24186..df22801f530 100644
--- a/javascript/ql/src/Security/CWE-094/CodeInjection.ql
+++ b/javascript/ql/src/Security/CWE-094/CodeInjection.ql
@@ -4,6 +4,7 @@
  *              code execution.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision high
  * @id js/code-injection
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql b/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql
index 6dbfb9c37e3..e33a2ff38fa 100644
--- a/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql
+++ b/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql
@@ -3,6 +3,7 @@
  * @description Escaping code as HTML does not provide protection against code injection.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision high
  * @id js/bad-code-sanitization
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-094/UnsafeDynamicMethodAccess.ql b/javascript/ql/src/Security/CWE-094/UnsafeDynamicMethodAccess.ql
index f28ce03c554..bae55692732 100644
--- a/javascript/ql/src/Security/CWE-094/UnsafeDynamicMethodAccess.ql
+++ b/javascript/ql/src/Security/CWE-094/UnsafeDynamicMethodAccess.ql
@@ -3,6 +3,7 @@
  * @description Invoking user-controlled methods on certain objects can lead to remote code execution.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 10.0
  * @precision high
  * @id js/unsafe-dynamic-method-access
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
index 7e79b21c7fd..84053c9767e 100644
--- a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
+++ b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
@@ -5,6 +5,7 @@
  *              and conversely it has to be unescaped last to avoid double-unescaping.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @id js/double-escaping
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql b/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql
index 7e3688a9386..a38cc7be61d 100644
--- a/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql
+++ b/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql
@@ -5,6 +5,7 @@
  *              scripting vulnerability.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision high
  * @id js/incomplete-html-attribute-sanitization
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql b/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
index d19cb2716c2..326d7c0e335 100644
--- a/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
+++ b/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
@@ -3,6 +3,7 @@
  * @description A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @id js/incomplete-multi-character-sanitization
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql b/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
index 612f7a4f97d..1894326a989 100644
--- a/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
+++ b/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
@@ -4,6 +4,7 @@
  *              meta-character may be ineffective.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @id js/incomplete-sanitization
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-116/UnsafeHtmlExpansion.ql b/javascript/ql/src/Security/CWE-116/UnsafeHtmlExpansion.ql
index cdb97396a89..5141e3403ef 100644
--- a/javascript/ql/src/Security/CWE-116/UnsafeHtmlExpansion.ql
+++ b/javascript/ql/src/Security/CWE-116/UnsafeHtmlExpansion.ql
@@ -4,6 +4,7 @@
  *              tags may lead to cross-site scripting vulnerabilities.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 2.9
  * @precision very-high
  * @id js/unsafe-html-expansion
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-117/LogInjection.ql b/javascript/ql/src/Security/CWE-117/LogInjection.ql
index ac475373f93..038992e0876 100644
--- a/javascript/ql/src/Security/CWE-117/LogInjection.ql
+++ b/javascript/ql/src/Security/CWE-117/LogInjection.ql
@@ -4,6 +4,7 @@
  *              insertion of forged log entries by a malicious user.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision medium
  * @id js/log-injection
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql b/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql
index 3c12cc1d3f9..fff23183a9a 100644
--- a/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql
+++ b/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql
@@ -3,6 +3,7 @@
  * @description Using external input in format strings can lead to garbled output.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 6.9
  * @precision high
  * @id js/tainted-format-string
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql b/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql
index 0d8b39e4aca..d13c5218349 100644
--- a/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql
+++ b/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql
@@ -3,6 +3,7 @@
  * @description Directly sending file data in an outbound network request can indicate unauthorized information disclosure.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision medium
  * @id js/file-access-to-http
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql b/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
index d112563f89a..5ea4fbc6a3a 100644
--- a/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
+++ b/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
@@ -4,6 +4,7 @@
  *              of private information.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @id js/exposure-of-private-files
  * @tags security
  *       external/cwe/cwe-200
diff --git a/javascript/ql/src/Security/CWE-201/PostMessageStar.ql b/javascript/ql/src/Security/CWE-201/PostMessageStar.ql
index e746b28a3d4..991eaa3c6e3 100644
--- a/javascript/ql/src/Security/CWE-201/PostMessageStar.ql
+++ b/javascript/ql/src/Security/CWE-201/PostMessageStar.ql
@@ -5,6 +5,7 @@
  *              information leaks.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 1.4
  * @precision high
  * @id js/cross-window-information-leak
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql b/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql
index 1a4a2613675..1ff12bae7cb 100644
--- a/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql
+++ b/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql
@@ -5,6 +5,7 @@
  *              to an attacker for developing a subsequent exploit.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision very-high
  * @id js/stack-trace-exposure
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql b/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql
index f18ff4a3535..a17d41dffc9 100644
--- a/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql
+++ b/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql
@@ -3,6 +3,7 @@
  * @description Disabling cryptographic certificate validation can cause security vulnerabilities.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.2
  * @precision very-high
  * @id js/disabling-certificate-validation
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql b/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql
index a9bf66506f1..e2b9f3a9b84 100644
--- a/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql
+++ b/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql
@@ -4,6 +4,7 @@
  *              expose it to an attacker.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id js/build-artifact-leak
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-312/CleartextLogging.ql b/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
index 2d65ae9c471..99933087daa 100644
--- a/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
+++ b/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
@@ -4,6 +4,7 @@
  *              expose it to an attacker.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id js/clear-text-logging
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-312/CleartextStorage.ql b/javascript/ql/src/Security/CWE-312/CleartextStorage.ql
index b59f8e74844..6d2fbe2c6a5 100644
--- a/javascript/ql/src/Security/CWE-312/CleartextStorage.ql
+++ b/javascript/ql/src/Security/CWE-312/CleartextStorage.ql
@@ -4,6 +4,7 @@
  *              attacker.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id js/clear-text-storage-of-sensitive-data
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql b/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
index a6a8f746758..df6cb0d6046 100644
--- a/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
+++ b/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
@@ -3,6 +3,7 @@
  * @description Storing unencrypted passwords in configuration files is unsafe.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision medium
  * @id js/password-in-configuration-file
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-327/BadRandomness.ql b/javascript/ql/src/Security/CWE-327/BadRandomness.ql
index 1168af1d448..b6ef62f3eea 100644
--- a/javascript/ql/src/Security/CWE-327/BadRandomness.ql
+++ b/javascript/ql/src/Security/CWE-327/BadRandomness.ql
@@ -4,6 +4,7 @@
  *              the results and compromise security.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.2
  * @precision high
  * @id js/biased-cryptographic-random
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql b/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
index efc5714c8f6..f79c59d9ccc 100644
--- a/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
@@ -3,6 +3,7 @@
  * @description Using broken or weak cryptographic algorithms can compromise security.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.2
  * @precision high
  * @id js/weak-cryptographic-algorithm
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql b/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql
index 6db8ea0054e..16b32b409ba 100644
--- a/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql
+++ b/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql
@@ -5,6 +5,7 @@
  *              be generated.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @id js/insecure-randomness
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql b/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
index 2df657b59f7..1a7d592498b 100644
--- a/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
+++ b/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
@@ -3,6 +3,7 @@
  * @description Misconfiguration of CORS HTTP headers allows for leaks of secret credentials.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.2
  * @precision high
  * @id js/cors-misconfiguration-for-credentials
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql b/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
index ceb88ea0496..d18fae34091 100644
--- a/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
+++ b/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
@@ -4,6 +4,7 @@
  *              submit requests on behalf of the user.
  * @kind problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @id js/missing-token-validation
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql b/javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql
index 69ce56fd17f..9c18a5fe686 100644
--- a/javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql
+++ b/javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql
@@ -3,6 +3,7 @@
  * @description Processing user-controlled object hierarchies inefficiently can lead to denial of service.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision high
  * @id js/resource-exhaustion-from-deep-object-traversal
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql b/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql
index 818d3ab6af1..1cb5511cda3 100644
--- a/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql
+++ b/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql
@@ -4,6 +4,7 @@
  *              denial-of-service attacks.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision medium
  * @id js/remote-property-injection
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-451/MissingXFrameOptions.ql b/javascript/ql/src/Security/CWE-451/MissingXFrameOptions.ql
index c4da7f68fc8..e21bffa6498 100644
--- a/javascript/ql/src/Security/CWE-451/MissingXFrameOptions.ql
+++ b/javascript/ql/src/Security/CWE-451/MissingXFrameOptions.ql
@@ -4,6 +4,7 @@
  *              overlay their own UI on top of the site by using an iframe.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision low
  * @id js/missing-x-frame-options
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql b/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql
index 29251e1c5e6..795c9372527 100644
--- a/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql
+++ b/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql
@@ -4,6 +4,7 @@
  *              execute arbitrary code.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @id js/unsafe-deserialization
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-506/HardcodedDataInterpretedAsCode.ql b/javascript/ql/src/Security/CWE-506/HardcodedDataInterpretedAsCode.ql
index 9c5bca8dc0e..e1e68854227 100644
--- a/javascript/ql/src/Security/CWE-506/HardcodedDataInterpretedAsCode.ql
+++ b/javascript/ql/src/Security/CWE-506/HardcodedDataInterpretedAsCode.ql
@@ -5,6 +5,7 @@
  *              be avoided.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.2
  * @precision medium
  * @id js/hardcoded-data-interpreted-as-code
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql b/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql
index c6748b82074..a93dfd8dc34 100644
--- a/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql
+++ b/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql
@@ -4,6 +4,7 @@
  *              may cause redirection to malicious web sites.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision high
  * @id js/client-side-unvalidated-url-redirection
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql b/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql
index a39144d2478..d0d68278ff0 100644
--- a/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql
+++ b/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql
@@ -4,6 +4,7 @@
  *              may cause redirection to malicious web sites.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 2.7
  * @id js/server-side-unvalidated-url-redirection
  * @tags security
  *       external/cwe/cwe-601
diff --git a/javascript/ql/src/Security/CWE-611/Xxe.ql b/javascript/ql/src/Security/CWE-611/Xxe.ql
index 3334a0db498..42ff8cc2338 100644
--- a/javascript/ql/src/Security/CWE-611/Xxe.ql
+++ b/javascript/ql/src/Security/CWE-611/Xxe.ql
@@ -4,6 +4,7 @@
  *              entity expansion is vulnerable to XXE attacks.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id js/xxe
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql b/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql
index c8e581bacf9..332d29e0cb7 100644
--- a/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql
+++ b/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql
@@ -4,6 +4,7 @@
  *              attacks and leak password reset tokens.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id js/host-header-forgery-in-email-generation
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-643/XpathInjection.ql b/javascript/ql/src/Security/CWE-643/XpathInjection.ql
index 5f30bb3ee21..675b078a5d6 100644
--- a/javascript/ql/src/Security/CWE-643/XpathInjection.ql
+++ b/javascript/ql/src/Security/CWE-643/XpathInjection.ql
@@ -4,6 +4,7 @@
  *              malicious code by the user.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id js/xpath-injection
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-730/RegExpInjection.ql b/javascript/ql/src/Security/CWE-730/RegExpInjection.ql
index ccff952e095..cd7ee8a2509 100644
--- a/javascript/ql/src/Security/CWE-730/RegExpInjection.ql
+++ b/javascript/ql/src/Security/CWE-730/RegExpInjection.ql
@@ -5,6 +5,7 @@
  *              exponential time on certain inputs.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 3.6
  * @precision high
  * @id js/regex-injection
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-730/ServerCrash.ql b/javascript/ql/src/Security/CWE-730/ServerCrash.ql
index b81126b33cd..a05351f851f 100644
--- a/javascript/ql/src/Security/CWE-730/ServerCrash.ql
+++ b/javascript/ql/src/Security/CWE-730/ServerCrash.ql
@@ -4,9 +4,11 @@
  *              attacks.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision high
  * @id js/server-crash
  * @tags security
+ *       external/cwe/cwe-248
  *       external/cwe/cwe-730
  */
 
diff --git a/javascript/ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.ql b/javascript/ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.ql
index a4726566451..f21382d68d9 100644
--- a/javascript/ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.ql
+++ b/javascript/ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.ql
@@ -4,6 +4,7 @@
  *              an unexpected target, which could cause an exception.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 4.2
  * @precision high
  * @id js/unvalidated-dynamic-method-call
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-770/MissingRateLimiting.ql b/javascript/ql/src/Security/CWE-770/MissingRateLimiting.ql
index 5e011a0ca7e..6827b23d067 100644
--- a/javascript/ql/src/Security/CWE-770/MissingRateLimiting.ql
+++ b/javascript/ql/src/Security/CWE-770/MissingRateLimiting.ql
@@ -5,6 +5,7 @@
  *              to denial-of-service attacks.
  * @kind problem
  * @problem.severity error
+ * @security-severity 3.6
  * @precision high
  * @id js/missing-rate-limiting
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-776/XmlBomb.ql b/javascript/ql/src/Security/CWE-776/XmlBomb.ql
index a9f9647ca35..26c16a37bf0 100644
--- a/javascript/ql/src/Security/CWE-776/XmlBomb.ql
+++ b/javascript/ql/src/Security/CWE-776/XmlBomb.ql
@@ -4,6 +4,7 @@
  *              entity expansion is vulnerable to denial-of-service attacks.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision high
  * @id js/xml-bomb
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
index 39b5365e609..c17bfac7836 100644
--- a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -4,6 +4,7 @@
  *              to gain unauthorized access.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @id js/hardcoded-credentials
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql b/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql
index e6359281614..a94780bec1e 100644
--- a/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql
+++ b/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql
@@ -3,6 +3,7 @@
  * @description Conditions that the user controls are not suited for making security-related decisions.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision medium
  * @id js/user-controlled-bypass
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-807/DifferentKindsComparisonBypass.ql b/javascript/ql/src/Security/CWE-807/DifferentKindsComparisonBypass.ql
index 95ed134251b..d8cf7ef3716 100644
--- a/javascript/ql/src/Security/CWE-807/DifferentKindsComparisonBypass.ql
+++ b/javascript/ql/src/Security/CWE-807/DifferentKindsComparisonBypass.ql
@@ -3,6 +3,7 @@
  * @description Comparing different kinds of HTTP request data may be a symptom of an insufficient security check.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision low
  * @id js/different-kinds-comparison-bypass
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-829/InsecureDownload.ql b/javascript/ql/src/Security/CWE-829/InsecureDownload.ql
index ce764d627a1..2df6d29f038 100644
--- a/javascript/ql/src/Security/CWE-829/InsecureDownload.ql
+++ b/javascript/ql/src/Security/CWE-829/InsecureDownload.ql
@@ -4,6 +4,7 @@
  *              opens up for potential man-in-the-middle attacks.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @id js/insecure-download
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql b/javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql
index 36576c8adde..726f88272fc 100644
--- a/javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql
+++ b/javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql
@@ -4,6 +4,7 @@
  *              property can cause indefinite looping.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @id js/loop-bound-injection
  * @tags security
  *       external/cwe/cwe-834
diff --git a/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql b/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql
index 6a065c9735b..218cb70f571 100644
--- a/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql
+++ b/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql
@@ -3,6 +3,7 @@
  * @description Sanitizing an HTTP request parameter may be ineffective if the user controls its type.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id js/type-confusion-through-parameter-tampering
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql b/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql
index b3b8d52a869..72393fd4f5a 100644
--- a/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql
+++ b/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql
@@ -3,6 +3,7 @@
  * @description Writing network data directly to the file system allows arbitrary file upload and might indicate a backdoor.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id js/http-to-file-access
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql b/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql
index cc611640527..4447eef043a 100644
--- a/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql
+++ b/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql
@@ -5,6 +5,7 @@
  *              and possibly escalate to remote code execution or cross-site scripting.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision high
  * @id js/prototype-polluting-assignment
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql b/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
index 2ca0fdb2724..3980557174b 100644
--- a/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
+++ b/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
@@ -4,6 +4,7 @@
  *              the cause of accidental modification of a built-in prototype object.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision high
  * @id js/prototype-pollution-utility
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql b/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql
index 80a99563918..2bc625bcedd 100644
--- a/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql
+++ b/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql
@@ -5,6 +5,7 @@
  *              and possibly escalate to remote code execution or cross-site scripting.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 3.6
  * @precision high
  * @id js/prototype-pollution
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql b/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql
index 2f1df96f3ec..995ede73f38 100644
--- a/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql
+++ b/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql
@@ -3,6 +3,7 @@
  * @description Creating a hash of a password with low computational effort makes the hash vulnerable to password cracking attacks.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @id js/insufficient-password-hash
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-918/RequestForgery.ql b/javascript/ql/src/Security/CWE-918/RequestForgery.ql
index 43096ea6240..8d56a477177 100644
--- a/javascript/ql/src/Security/CWE-918/RequestForgery.ql
+++ b/javascript/ql/src/Security/CWE-918/RequestForgery.ql
@@ -3,6 +3,7 @@
  * @description Sending network requests with user-controlled data allows for request forgery attacks.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision medium
  * @id js/request-forgery
  * @tags security
diff --git a/python/ql/src/Expressions/UseofInput.ql b/python/ql/src/Expressions/UseofInput.ql
index bf2a71de22e..68566ab0f95 100644
--- a/python/ql/src/Expressions/UseofInput.ql
+++ b/python/ql/src/Expressions/UseofInput.ql
@@ -4,7 +4,9 @@
  * @kind problem
  * @tags security
  *       correctness
+ *       security/cwe/cwe-78
  * @problem.severity error
+ * @security-severity 5.9
  * @sub-severity high
  * @precision high
  * @id py/use-of-input
diff --git a/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql b/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql
index 069f255f198..e5cc90196d1 100644
--- a/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql
+++ b/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql
@@ -4,7 +4,9 @@
  * and is therefore associated with security risks.
  * @kind problem
  * @tags security
+ *       external/cwe/cwe-200
  * @problem.severity error
+ * @security-severity 3.6
  * @sub-severity low
  * @precision high
  * @id py/bind-socket-all-network-interfaces
diff --git a/python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql b/python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql
index dfa1b1d7864..17af70d836f 100644
--- a/python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql
+++ b/python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql
@@ -5,6 +5,7 @@
  * @kind path-problem
  * @precision low
  * @problem.severity error
+ * @security-severity 5.9
  * @tags security external/cwe/cwe-20
  */
 
diff --git a/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql b/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
index cebaa4fdd2e..be44f462d53 100644
--- a/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
+++ b/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
@@ -3,6 +3,7 @@
  * @description Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @id py/incomplete-hostname-regexp
  * @tags correctness
diff --git a/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql b/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
index 839ed358c3b..5b25f8fe595 100644
--- a/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
+++ b/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
@@ -3,6 +3,7 @@
  * @description Security checks on the substrings of an unparsed URL are often vulnerable to bypassing.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @id py/incomplete-url-substring-sanitization
  * @tags correctness
diff --git a/python/ql/src/Security/CWE-022/PathInjection.ql b/python/ql/src/Security/CWE-022/PathInjection.ql
index 9d67d9b734c..7083f12ab2b 100644
--- a/python/ql/src/Security/CWE-022/PathInjection.ql
+++ b/python/ql/src/Security/CWE-022/PathInjection.ql
@@ -3,6 +3,7 @@
  * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 6.4
  * @sub-severity high
  * @precision high
  * @id py/path-injection
diff --git a/python/ql/src/Security/CWE-022/TarSlip.ql b/python/ql/src/Security/CWE-022/TarSlip.ql
index 98bbdba7139..cb6faccd1e2 100644
--- a/python/ql/src/Security/CWE-022/TarSlip.ql
+++ b/python/ql/src/Security/CWE-022/TarSlip.ql
@@ -6,6 +6,7 @@
  * @kind path-problem
  * @id py/tarslip
  * @problem.severity error
+ * @security-severity 6.4
  * @precision medium
  * @tags security
  *       external/cwe/cwe-022
diff --git a/python/ql/src/Security/CWE-078/CommandInjection.ql b/python/ql/src/Security/CWE-078/CommandInjection.ql
index 25375cd691b..5a2a475ea10 100755
--- a/python/ql/src/Security/CWE-078/CommandInjection.ql
+++ b/python/ql/src/Security/CWE-078/CommandInjection.ql
@@ -4,6 +4,7 @@
  *              user to change the meaning of the command.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @sub-severity high
  * @precision high
  * @id py/command-line-injection
diff --git a/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql b/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
index ff3870678d8..fb443d15d2c 100644
--- a/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
+++ b/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
@@ -4,6 +4,7 @@
  *              cause a cross-site scripting vulnerability.
  * @kind problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision medium
  * @id py/jinja2/autoescape-false
  * @tags security
diff --git a/python/ql/src/Security/CWE-079/ReflectedXss.ql b/python/ql/src/Security/CWE-079/ReflectedXss.ql
index a1af18e7a8a..ca81f589b0e 100644
--- a/python/ql/src/Security/CWE-079/ReflectedXss.ql
+++ b/python/ql/src/Security/CWE-079/ReflectedXss.ql
@@ -4,6 +4,7 @@
  *              allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 2.9
  * @sub-severity high
  * @precision high
  * @id py/reflective-xss
diff --git a/python/ql/src/Security/CWE-089/SqlInjection.ql b/python/ql/src/Security/CWE-089/SqlInjection.ql
index 849041dd658..c7ce0ebd4a7 100644
--- a/python/ql/src/Security/CWE-089/SqlInjection.ql
+++ b/python/ql/src/Security/CWE-089/SqlInjection.ql
@@ -4,6 +4,7 @@
  *              malicious SQL code by the user.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @id py/sql-injection
  * @tags security
diff --git a/python/ql/src/Security/CWE-094/CodeInjection.ql b/python/ql/src/Security/CWE-094/CodeInjection.ql
index a81889ee619..7f7a391db81 100644
--- a/python/ql/src/Security/CWE-094/CodeInjection.ql
+++ b/python/ql/src/Security/CWE-094/CodeInjection.ql
@@ -4,6 +4,7 @@
  *              code execution.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 10.0
  * @sub-severity high
  * @precision high
  * @id py/code-injection
diff --git a/python/ql/src/Security/CWE-209/StackTraceExposure.ql b/python/ql/src/Security/CWE-209/StackTraceExposure.ql
index a2f3b7540fd..c092f399055 100644
--- a/python/ql/src/Security/CWE-209/StackTraceExposure.ql
+++ b/python/ql/src/Security/CWE-209/StackTraceExposure.ql
@@ -5,6 +5,7 @@
  *              developing a subsequent exploit.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 3.6
  * @precision high
  * @id py/stack-trace-exposure
  * @tags security
diff --git a/python/ql/src/Security/CWE-215/FlaskDebug.ql b/python/ql/src/Security/CWE-215/FlaskDebug.ql
index 67de5a9ccec..f55844ae1b5 100644
--- a/python/ql/src/Security/CWE-215/FlaskDebug.ql
+++ b/python/ql/src/Security/CWE-215/FlaskDebug.ql
@@ -3,6 +3,7 @@
  * @description Running a Flask app in debug mode may allow an attacker to run arbitrary code through the Werkzeug debugger.
  * @kind problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @id py/flask-debug
  * @tags security
diff --git a/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql b/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql
index ee39c198475..adc04dc2984 100644
--- a/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql
+++ b/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql
@@ -3,6 +3,7 @@
  * @description Accepting unknown host keys can allow man-in-the-middle attacks.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.2
  * @precision high
  * @id py/paramiko-missing-host-key-validation
  * @tags security
diff --git a/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql b/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql
index 173ffbe7671..97711bacbbb 100644
--- a/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql
+++ b/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql
@@ -3,6 +3,7 @@
  * @description Making a request without certificate validation can allow man-in-the-middle attacks.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.2
  * @precision medium
  * @id py/request-without-cert-validation
  * @tags security
diff --git a/python/ql/src/Security/CWE-312/CleartextLogging.ql b/python/ql/src/Security/CWE-312/CleartextLogging.ql
index 071ab9db141..c5f4c334557 100644
--- a/python/ql/src/Security/CWE-312/CleartextLogging.ql
+++ b/python/ql/src/Security/CWE-312/CleartextLogging.ql
@@ -4,6 +4,7 @@
  *              expose it to an attacker.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id py/clear-text-logging-sensitive-data
  * @tags security
diff --git a/python/ql/src/Security/CWE-312/CleartextStorage.ql b/python/ql/src/Security/CWE-312/CleartextStorage.ql
index 2c33837b464..8ae5af8ef35 100644
--- a/python/ql/src/Security/CWE-312/CleartextStorage.ql
+++ b/python/ql/src/Security/CWE-312/CleartextStorage.ql
@@ -4,6 +4,7 @@
  *              attacker.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id py/clear-text-storage-sensitive-data
  * @tags security
diff --git a/python/ql/src/Security/CWE-326/WeakCryptoKey.ql b/python/ql/src/Security/CWE-326/WeakCryptoKey.ql
index 67f94640506..0f48dc91a88 100644
--- a/python/ql/src/Security/CWE-326/WeakCryptoKey.ql
+++ b/python/ql/src/Security/CWE-326/WeakCryptoKey.ql
@@ -3,6 +3,7 @@
  * @description Use of a cryptographic key that is too small may allow the encryption to be broken.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.2
  * @precision high
  * @id py/weak-crypto-key
  * @tags security
diff --git a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
index 731b0730bfb..9c64ece8b11 100644
--- a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
@@ -3,6 +3,7 @@
  * @description Using broken or weak cryptographic algorithms can compromise security.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.2
  * @precision high
  * @id py/weak-cryptographic-algorithm
  * @tags security
diff --git a/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql b/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql
index d58049fadae..07dfe9e412a 100644
--- a/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql
@@ -5,6 +5,7 @@
  * @id py/insecure-default-protocol
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.2
  * @precision high
  * @tags security
  *       external/cwe/cwe-327
diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.ql b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
index e1d64dca0a7..bb9c2f71ca2 100644
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -4,6 +4,7 @@
  * @id py/insecure-protocol
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.2
  * @precision high
  * @tags security
  *       external/cwe/cwe-327
diff --git a/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql b/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql
index 2df0148cce4..e5bc4b95c82 100644
--- a/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql
+++ b/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql
@@ -3,6 +3,7 @@
  * @description Using broken or weak cryptographic hashing algorithms can compromise security.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision high
  * @id py/weak-sensitive-data-hashing
  * @tags security
diff --git a/python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql b/python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql
index 174a841598c..d224d35e2f6 100644
--- a/python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql
+++ b/python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql
@@ -4,6 +4,7 @@
  * @kind problem
  * @id py/insecure-temporary-file
  * @problem.severity error
+ * @security-severity 5.9
  * @sub-severity high
  * @precision high
  * @tags external/cwe/cwe-377
diff --git a/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql b/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql
index 9035b9be959..7994431d940 100644
--- a/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql
+++ b/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql
@@ -4,6 +4,7 @@
  * @kind path-problem
  * @id py/unsafe-deserialization
  * @problem.severity error
+ * @security-severity 5.9
  * @sub-severity high
  * @precision high
  * @tags external/cwe/cwe-502
diff --git a/python/ql/src/Security/CWE-601/UrlRedirect.ql b/python/ql/src/Security/CWE-601/UrlRedirect.ql
index 944726e1c98..77948b01779 100644
--- a/python/ql/src/Security/CWE-601/UrlRedirect.ql
+++ b/python/ql/src/Security/CWE-601/UrlRedirect.ql
@@ -4,6 +4,7 @@
  *              may cause redirection to malicious web sites.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 2.7
  * @sub-severity low
  * @id py/url-redirection
  * @tags security
diff --git a/python/ql/src/Security/CWE-732/WeakFilePermissions.ql b/python/ql/src/Security/CWE-732/WeakFilePermissions.ql
index 7163d02b530..e964df073df 100644
--- a/python/ql/src/Security/CWE-732/WeakFilePermissions.ql
+++ b/python/ql/src/Security/CWE-732/WeakFilePermissions.ql
@@ -4,6 +4,7 @@
  * @kind problem
  * @id py/overly-permissive-file
  * @problem.severity warning
+ * @security-severity 5.9
  * @sub-severity high
  * @precision medium
  * @tags external/cwe/cwe-732
diff --git a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
index f62e89abcf7..84bf1e2f16e 100644
--- a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -3,6 +3,7 @@
  * @description Credentials are hard coded in the source code of the application.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision medium
  * @id py/hardcoded-credentials
  * @tags security
diff --git a/python/ql/src/Statements/ExecUsed.ql b/python/ql/src/Statements/ExecUsed.ql
index e1e4bb45c6b..000eb3a4418 100644
--- a/python/ql/src/Statements/ExecUsed.ql
+++ b/python/ql/src/Statements/ExecUsed.ql
@@ -5,6 +5,7 @@
  * @tags security
  *       correctness
  * @problem.severity error
+ * @security-severity 4.2
  * @sub-severity high
  * @precision low
  * @id py/use-of-exec

From 2a013241728fb531933b7e3fe7fe30be350ebc4a Mon Sep 17 00:00:00 2001
From: "John L. Singleton" <jsinglet@github.com>
Date: Thu, 10 Jun 2021 17:09:32 -0400
Subject: [PATCH 1398/1429] more maintainable pattern for class abstractions

---
 .../semmle/code/cpp/commons/CommonType.qll    | 106 +++++++-----------
 1 file changed, 42 insertions(+), 64 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll b/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
index 8ec3ae2761a..dbe2954447e 100644
--- a/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
+++ b/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
@@ -73,60 +73,38 @@ private class IntegralUnderlyingUserType extends UserType {
 /**
  * A C/C++ fixed-width numeric type, such as `int8_t`.
  */
-class FixedWidthIntegralType extends UserType {
-  FixedWidthIntegralType() {
-    this instanceof Int8_t or
-    this instanceof Int16_t or
-    this instanceof Int32_t or
-    this instanceof Int64_t or
-    this instanceof UInt8_t or
-    this instanceof UInt16_t or
-    this instanceof UInt32_t or
-    this instanceof UInt64_t
-  }
+abstract private class TFixedWidthIntegralType extends IntegralUnderlyingUserType { }
+
+class FixedWidthIntegralType extends TFixedWidthIntegralType {
+  FixedWidthIntegralType() { this instanceof TFixedWidthIntegralType }
 }
 
 /**
  * A C/C++ minimum-width numeric type, such as `int_least8_t`.
  */
-class MinimumWidthIntegralType extends UserType {
-  MinimumWidthIntegralType() {
-    this instanceof Int_least8_t or
-    this instanceof Int_least16_t or
-    this instanceof Int_least32_t or
-    this instanceof Int_least64_t or
-    this instanceof UInt_least8_t or
-    this instanceof UInt_least16_t or
-    this instanceof UInt_least32_t or
-    this instanceof UInt_least64_t
-  }
+abstract private class TMinimumWidthIntegralType extends IntegralUnderlyingUserType { }
+
+class MinimumWidthIntegralType extends TMinimumWidthIntegralType {
+  MinimumWidthIntegralType() { this instanceof TMinimumWidthIntegralType }
 }
 
 /**
  * A C/C++ minimum-width numeric type, representing the fastest integer type with a
  * width of at least `N` such as `int_fast8_t`.
  */
-class FastestMinimumWidthIntegralType extends UserType {
-  FastestMinimumWidthIntegralType() {
-    this instanceof Int_fast8_t or
-    this instanceof Int_fast16_t or
-    this instanceof Int_fast32_t or
-    this instanceof Int_fast64_t or
-    this instanceof UInt_fast8_t or
-    this instanceof UInt_fast16_t or
-    this instanceof UInt_fast32_t or
-    this instanceof UInt_fast64_t
-  }
+abstract private class TFastestMinimumWidthIntegralType extends IntegralUnderlyingUserType { }
+
+class FastestMinimumWidthIntegralType extends TFastestMinimumWidthIntegralType {
+  FastestMinimumWidthIntegralType() { this instanceof TFastestMinimumWidthIntegralType }
 }
 
 /**
  * A C/C++ maximum-width numeric type, either `intmax_t` or `uintmax_t`.
  */
-class MaximumWidthIntegralType extends UserType {
-  MaximumWidthIntegralType() {
-    this instanceof Intmax_t or
-    this instanceof Uintmax_t
-  }
+abstract private class TMaximumWidthIntegralType extends IntegralUnderlyingUserType { }
+
+class MaximumWidthIntegralType extends TMaximumWidthIntegralType {
+  MaximumWidthIntegralType() { this instanceof TMaximumWidthIntegralType }
 }
 
 /**
@@ -139,7 +117,7 @@ class FixedWidthEnumType extends UserType {
 /**
  *  The C/C++ `int8_t` type.
  */
-class Int8_t extends IntegralUnderlyingUserType {
+class Int8_t extends TFixedWidthIntegralType {
   Int8_t() { this.hasGlobalOrStdName("int8_t") }
 
   override string getAPrimaryQlClass() { result = "Int8_t" }
@@ -148,7 +126,7 @@ class Int8_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `int16_t` type.
  */
-class Int16_t extends IntegralUnderlyingUserType {
+class Int16_t extends TFixedWidthIntegralType {
   Int16_t() { this.hasGlobalOrStdName("int16_t") }
 
   override string getAPrimaryQlClass() { result = "Int16_t" }
@@ -157,7 +135,7 @@ class Int16_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `int32_t` type.
  */
-class Int32_t extends IntegralUnderlyingUserType {
+class Int32_t extends TFixedWidthIntegralType {
   Int32_t() { this.hasGlobalOrStdName("int32_t") }
 
   override string getAPrimaryQlClass() { result = "Int32_t" }
@@ -166,7 +144,7 @@ class Int32_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `int64_t` type.
  */
-class Int64_t extends IntegralUnderlyingUserType {
+class Int64_t extends TFixedWidthIntegralType {
   Int64_t() { this.hasGlobalOrStdName("int64_t") }
 
   override string getAPrimaryQlClass() { result = "Int64_t" }
@@ -175,7 +153,7 @@ class Int64_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `uint8_t` type.
  */
-class UInt8_t extends IntegralUnderlyingUserType {
+class UInt8_t extends TFixedWidthIntegralType {
   UInt8_t() { this.hasGlobalOrStdName("uint8_t") }
 
   override string getAPrimaryQlClass() { result = "UInt8_t" }
@@ -184,7 +162,7 @@ class UInt8_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `uint16_t` type.
  */
-class UInt16_t extends IntegralUnderlyingUserType {
+class UInt16_t extends TFixedWidthIntegralType {
   UInt16_t() { this.hasGlobalOrStdName("uint16_t") }
 
   override string getAPrimaryQlClass() { result = "UInt16_t" }
@@ -193,7 +171,7 @@ class UInt16_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `uint32_t` type.
  */
-class UInt32_t extends IntegralUnderlyingUserType {
+class UInt32_t extends TFixedWidthIntegralType {
   UInt32_t() { this.hasGlobalOrStdName("uint32_t") }
 
   override string getAPrimaryQlClass() { result = "UInt32_t" }
@@ -202,7 +180,7 @@ class UInt32_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `uint64_t` type.
  */
-class UInt64_t extends IntegralUnderlyingUserType {
+class UInt64_t extends TFixedWidthIntegralType {
   UInt64_t() { this.hasGlobalOrStdName("uint64_t") }
 
   override string getAPrimaryQlClass() { result = "UInt64_t" }
@@ -211,7 +189,7 @@ class UInt64_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `int_least8_t` type.
  */
-class Int_least8_t extends IntegralUnderlyingUserType {
+class Int_least8_t extends TMinimumWidthIntegralType {
   Int_least8_t() { this.hasGlobalOrStdName("int_least8_t") }
 
   override string getAPrimaryQlClass() { result = "Int_least8_t" }
@@ -220,7 +198,7 @@ class Int_least8_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `int_least16_t` type.
  */
-class Int_least16_t extends IntegralUnderlyingUserType {
+class Int_least16_t extends TMinimumWidthIntegralType {
   Int_least16_t() { this.hasGlobalOrStdName("int_least16_t") }
 
   override string getAPrimaryQlClass() { result = "Int_least16_t" }
@@ -229,7 +207,7 @@ class Int_least16_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `int_least32_t` type.
  */
-class Int_least32_t extends IntegralUnderlyingUserType {
+class Int_least32_t extends TMinimumWidthIntegralType {
   Int_least32_t() { this.hasGlobalOrStdName("int_least32_t") }
 
   override string getAPrimaryQlClass() { result = "Int_least32_t" }
@@ -238,7 +216,7 @@ class Int_least32_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `int_least64_t` type.
  */
-class Int_least64_t extends IntegralUnderlyingUserType {
+class Int_least64_t extends TMinimumWidthIntegralType {
   Int_least64_t() { this.hasGlobalOrStdName("int_least64_t") }
 
   override string getAPrimaryQlClass() { result = "Int_least64_t" }
@@ -247,7 +225,7 @@ class Int_least64_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `uint_least8_t` type.
  */
-class UInt_least8_t extends IntegralUnderlyingUserType {
+class UInt_least8_t extends TMinimumWidthIntegralType {
   UInt_least8_t() { this.hasGlobalOrStdName("uint_least8_t") }
 
   override string getAPrimaryQlClass() { result = "UInt_least8_t" }
@@ -256,7 +234,7 @@ class UInt_least8_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `uint_least16_t` type.
  */
-class UInt_least16_t extends IntegralUnderlyingUserType {
+class UInt_least16_t extends TMinimumWidthIntegralType {
   UInt_least16_t() { this.hasGlobalOrStdName("uint_least16_t") }
 
   override string getAPrimaryQlClass() { result = "UInt_least16_t" }
@@ -265,7 +243,7 @@ class UInt_least16_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `uint_least32_t` type.
  */
-class UInt_least32_t extends IntegralUnderlyingUserType {
+class UInt_least32_t extends TMinimumWidthIntegralType {
   UInt_least32_t() { this.hasGlobalOrStdName("uint_least32_t") }
 
   override string getAPrimaryQlClass() { result = "UInt_least32_t" }
@@ -274,7 +252,7 @@ class UInt_least32_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `uint_least64_t` type.
  */
-class UInt_least64_t extends IntegralUnderlyingUserType {
+class UInt_least64_t extends TMinimumWidthIntegralType {
   UInt_least64_t() { this.hasGlobalOrStdName("uint_least64_t") }
 
   override string getAPrimaryQlClass() { result = "UInt_least64_t" }
@@ -283,7 +261,7 @@ class UInt_least64_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `int_fast8_t` type.
  */
-class Int_fast8_t extends IntegralUnderlyingUserType {
+class Int_fast8_t extends TFastestMinimumWidthIntegralType {
   Int_fast8_t() { this.hasGlobalOrStdName("int_fast8_t") }
 
   override string getAPrimaryQlClass() { result = "Int_fast8_t" }
@@ -292,7 +270,7 @@ class Int_fast8_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `int_fast16_t` type.
  */
-class Int_fast16_t extends IntegralUnderlyingUserType {
+class Int_fast16_t extends TFastestMinimumWidthIntegralType {
   Int_fast16_t() { this.hasGlobalOrStdName("int_fast16_t") }
 
   override string getAPrimaryQlClass() { result = "Int_fast16_t" }
@@ -301,7 +279,7 @@ class Int_fast16_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `int_fast32_t` type.
  */
-class Int_fast32_t extends IntegralUnderlyingUserType {
+class Int_fast32_t extends TFastestMinimumWidthIntegralType {
   Int_fast32_t() { this.hasGlobalOrStdName("int_fast32_t") }
 
   override string getAPrimaryQlClass() { result = "Int_fast32_t" }
@@ -310,7 +288,7 @@ class Int_fast32_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `int_fast64_t` type.
  */
-class Int_fast64_t extends IntegralUnderlyingUserType {
+class Int_fast64_t extends TFastestMinimumWidthIntegralType {
   Int_fast64_t() { this.hasGlobalOrStdName("int_fast64_t") }
 
   override string getAPrimaryQlClass() { result = "Int_fast64_t" }
@@ -319,7 +297,7 @@ class Int_fast64_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `uint_fast8_t` type.
  */
-class UInt_fast8_t extends IntegralUnderlyingUserType {
+class UInt_fast8_t extends TFastestMinimumWidthIntegralType {
   UInt_fast8_t() { this.hasGlobalOrStdName("uint_fast8_t") }
 
   override string getAPrimaryQlClass() { result = "UInt_fast8_t" }
@@ -328,7 +306,7 @@ class UInt_fast8_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `uint_fast16_t` type.
  */
-class UInt_fast16_t extends IntegralUnderlyingUserType {
+class UInt_fast16_t extends TFastestMinimumWidthIntegralType {
   UInt_fast16_t() { this.hasGlobalOrStdName("uint_fast16_t") }
 
   override string getAPrimaryQlClass() { result = "UInt_fast16_t" }
@@ -337,7 +315,7 @@ class UInt_fast16_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `uint_fast32_t` type.
  */
-class UInt_fast32_t extends IntegralUnderlyingUserType {
+class UInt_fast32_t extends TFastestMinimumWidthIntegralType {
   UInt_fast32_t() { this.hasGlobalOrStdName("uint_fast32_t") }
 
   override string getAPrimaryQlClass() { result = "UInt_fast32_t" }
@@ -346,7 +324,7 @@ class UInt_fast32_t extends IntegralUnderlyingUserType {
 /**
  *  The C/C++ `uint_fast64_t` type.
  */
-class UInt_fast64_t extends IntegralUnderlyingUserType {
+class UInt_fast64_t extends TFastestMinimumWidthIntegralType {
   UInt_fast64_t() { this.hasGlobalOrStdName("uint_fast64_t") }
 
   override string getAPrimaryQlClass() { result = "UInt_fast64_t" }
@@ -355,7 +333,7 @@ class UInt_fast64_t extends IntegralUnderlyingUserType {
 /**
  * The C/C++ `intmax_t` type.
  */
-class Intmax_t extends IntegralUnderlyingUserType {
+class Intmax_t extends TMaximumWidthIntegralType {
   Intmax_t() { this.hasGlobalOrStdName("intmax_t") }
 
   override string getAPrimaryQlClass() { result = "Intmax_t" }
@@ -364,7 +342,7 @@ class Intmax_t extends IntegralUnderlyingUserType {
 /**
  * The C/C++ `uintmax_t` type.
  */
-class Uintmax_t extends IntegralUnderlyingUserType {
+class Uintmax_t extends TMaximumWidthIntegralType {
   Uintmax_t() { this.hasGlobalOrStdName("uintmax_t") }
 
   override string getAPrimaryQlClass() { result = "Uintmax_t" }

From 219dc71ae648640cbe6f538192cd5c0c46ed0654 Mon Sep 17 00:00:00 2001
From: "John L. Singleton" <jsinglet@github.com>
Date: Thu, 10 Jun 2021 17:15:06 -0400
Subject: [PATCH 1399/1429] changlog entry

---
 cpp/change-notes/2021-06-10-std-types.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 cpp/change-notes/2021-06-10-std-types.md

diff --git a/cpp/change-notes/2021-06-10-std-types.md b/cpp/change-notes/2021-06-10-std-types.md
new file mode 100644
index 00000000000..aeaccf01875
--- /dev/null
+++ b/cpp/change-notes/2021-06-10-std-types.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Added definitions for types found in `cstdint`. Added types `FixedWidthIntegralType`, `MinimumWidthIntegralType`, `FastestMinimumWidthIntegralType`, and `MaximumWidthIntegralType` to describe types such as `int8_t`, `int_least8_t`, `int_fast8_t`, and `intmax_t` respectively. 
+* Changed definition of `Intmax_t` and `Uintmax_t` to be part of the new type structure. 
+* Added a type `FixedWidthEnumType` which describes enums based on afixed-width integer type. For instance, `enum e: uint8_t = { a, b };`.

From cd61fb47530fe24e8ddba2c344785b148f28769c Mon Sep 17 00:00:00 2001
From: "John L. Singleton" <jsinglet@github.com>
Date: Thu, 10 Jun 2021 19:54:58 -0400
Subject: [PATCH 1400/1429] this should be abstract

---
 cpp/ql/src/semmle/code/cpp/commons/CommonType.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll b/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
index dbe2954447e..2e08c6abb35 100644
--- a/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
+++ b/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
@@ -66,7 +66,7 @@ class Ptrdiff_t extends Type {
 /**
  * A parent class representing C/C++ a typedef'd `UserType` such as `int8_t`.
  */
-private class IntegralUnderlyingUserType extends UserType {
+private abstract class IntegralUnderlyingUserType extends UserType {
   IntegralUnderlyingUserType() { this.getUnderlyingType() instanceof IntegralType }
 }
 

From 46f7a2b5725e8626d2342afc8dd46a4c1aa85a00 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Fri, 11 Jun 2021 11:28:11 +0200
Subject: [PATCH 1401/1429] Python: Apply suggestions from code review

Co-authored-by: yoff <lerchedahl@gmail.com>
---
 .../src/semmle/python/frameworks/Aiohttp.qll  | 28 +++++++++----------
 1 file changed, 13 insertions(+), 15 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Aiohttp.qll b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
index 05260d4e128..7fd489b3795 100644
--- a/python/ql/src/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -27,14 +27,14 @@ module AiohttpWebModel {
    * See https://docs.aiohttp.org/en/stable/web_reference.html#view.
    */
   module View {
-    /** Gets a reference to the `flask.views.View` class or any subclass. */
+    /** Gets a reference to the `aiohttp.web.View` class or any subclass. */
     API::Node subclassRef() {
       result = API::moduleImport("aiohttp").getMember("web").getMember("View").getASubclass*()
     }
   }
 
   // -- route modeling --
-  /** Gets a reference to a `aiohttp.web.Application` instance. */
+  /** Gets a reference to an `aiohttp.web.Application` instance. */
   API::Node applicationInstance() {
     // Not sure whether you're allowed to add routes _after_ starting the app, for
     // example in the middle of handling a http request... but I'm guessing that for 99%
@@ -43,7 +43,7 @@ module AiohttpWebModel {
     result = API::moduleImport("aiohttp").getMember("web").getMember("Application").getReturn()
   }
 
-  /** Gets a reference to a `aiohttp.web.UrlDispatcher` instance. */
+  /** Gets a reference to an `aiohttp.web.UrlDispatcher` instance. */
   API::Node urlDispathcerInstance() {
     result = API::moduleImport("aiohttp").getMember("web").getMember("UrlDispatcher").getReturn()
     or
@@ -106,9 +106,7 @@ module AiohttpWebModel {
       Function getARequestHandler() {
         this.getHandlerArg() = poorMansFunctionTracker(result)
         or
-        exists(AiohttpViewClass cls |
-          cls = this.getViewClass() and
-          result = cls.getARequestHandler()
+       result = this.getViewClass().(AiohttpViewClass).getARequestHandler()
         )
       }
     }
@@ -142,7 +140,7 @@ module AiohttpWebModel {
     }
   }
 
-  /** An aiohttp route setup that uses coroutines (async function) as request handler. */
+  /** An aiohttp route setup that uses coroutines (async function) as request handlers. */
   class AiohttpCoroutineRouteSetup extends AiohttpRouteSetup {
     AiohttpCoroutineRouteSetup() { this.getHandlerArg() = poorMansFunctionTracker(_) }
   }
@@ -187,7 +185,7 @@ module AiohttpWebModel {
     }
   }
 
-  /** A route-setup using a decorator, such as `route`, `view`, `get`, `post`, etc. on a `aiohttp.web.RouteTableDef`. */
+  /** A route-setup using a decorator, such as `route`, `view`, `get`, `post`, etc. on an `aiohttp.web.RouteTableDef`. */
   class AiohttpDecoratorRouteSetup extends AiohttpRouteSetup::Range, DataFlow::CallCfgNode {
     /** At what index route arguments starts, so we can handle "route" version together with get/post/... */
     int routeArgsStart;
@@ -232,7 +230,7 @@ module AiohttpWebModel {
     }
   }
 
-  /** A class that we consider a aiohttp.web View class. */
+  /** A class that we consider an aiohttp.web View class. */
   abstract class AiohttpViewClass extends Class, SelfRefMixin {
     /** Gets a function that could handle incoming requests, if any. */
     Function getARequestHandler() {
@@ -243,12 +241,12 @@ module AiohttpWebModel {
     }
   }
 
-  /** A class that has a super-type which is a aiohttp.web View class. */
+  /** A class that has a super-type which is an aiohttp.web View class. */
   class AiohttpViewClassFromSuperClass extends AiohttpViewClass {
     AiohttpViewClassFromSuperClass() { this.getABase() = View::subclassRef().getAUse().asExpr() }
   }
 
-  /** A class that is used in a route-setup, therefore being considered a aiohttp.web View class. */
+  /** A class that is used in a route-setup, therefore being considered an aiohttp.web View class. */
   class AiohttpViewClassFromRouteSetup extends AiohttpViewClass {
     AiohttpViewClassFromRouteSetup() { this = any(AiohttpRouteSetup rs).getViewClass() }
   }
@@ -299,7 +297,7 @@ module AiohttpWebModel {
   }
 
   /**
-   * A parameter that will receive a `aiohttp.web.Request` instance when a request
+   * A parameter that will receive an `aiohttp.web.Request` instance when a request
    * handler is invoked.
    */
   class AiohttpRequestHandlerRequestParam extends Request::InstanceSource, RemoteFlowSource::Range,
@@ -329,7 +327,7 @@ module AiohttpWebModel {
   }
 
   /**
-   * A read of the `request` attribute on an instance of a aiohttp.web View class,
+   * A read of the `request` attribute on an instance of an aiohttp.web View class,
    * which is the request being processed currently.
    */
   class AiohttpViewClassRequestAttributeRead extends Request::InstanceSource,
@@ -382,7 +380,7 @@ module AiohttpWebModel {
     }
   }
 
-  /** An attribute read on a `aiohttp.web.Request` that is a `MultiDictProxy` instance. */
+  /** An attribute read on an `aiohttp.web.Request` that is a `MultiDictProxy` instance. */
   class AiohttpRequestMultiDictProxyInstances extends Multidict::MultiDictProxy::InstanceSource {
     AiohttpRequestMultiDictProxyInstances() {
       this.(DataFlow::AttrRead).getObject() = Request::instance() and
@@ -390,7 +388,7 @@ module AiohttpWebModel {
     }
   }
 
-  /** An attribute read on a `aiohttp.web.Request` that is a `yarl.URL` instance. */
+  /** An attribute read on an `aiohttp.web.Request` that is a `yarl.URL` instance. */
   class AiohttpRequestYarlUrlInstances extends Yarl::Url::InstanceSource {
     AiohttpRequestYarlUrlInstances() {
       this.(DataFlow::AttrRead).getObject() = Request::instance() and

From 8b8e1334cc36d0c927265e9a6eb13d9b3f9e0fad Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Fri, 11 Jun 2021 11:42:14 +0200
Subject: [PATCH 1402/1429] Python: Fix syntax error

---
 python/ql/src/semmle/python/frameworks/Aiohttp.qll | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Aiohttp.qll b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
index 7fd489b3795..db3b865cdd4 100644
--- a/python/ql/src/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -106,8 +106,7 @@ module AiohttpWebModel {
       Function getARequestHandler() {
         this.getHandlerArg() = poorMansFunctionTracker(result)
         or
-       result = this.getViewClass().(AiohttpViewClass).getARequestHandler()
-        )
+        result = this.getViewClass().(AiohttpViewClass).getARequestHandler()
       }
     }
 

From 2d31ef7016003f0fc1c27137bf0f763a6689c131 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Fri, 11 Jun 2021 11:57:15 +0200
Subject: [PATCH 1403/1429] Python: Fix last TODOs in aiohttp tests

---
 .../frameworks/aiohttp/taint_test.py          | 33 +++++++++++++++----
 1 file changed, 27 insertions(+), 6 deletions(-)

diff --git a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
index 2bc3e529402..4704edcc3a5 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -3,6 +3,7 @@ from aiohttp import web
 async def test_taint(request: web.Request): # $ requestHandler
 
     ensure_tainted(
+        # see https://docs.aiohttp.org/en/stable/web_reference.html#request-and-base-request
         request, # $ tainted
 
         # yarl.URL (see `yarl` framework tests)
@@ -32,10 +33,7 @@ async def test_taint(request: web.Request): # $ requestHandler
         request.headers, # $ tainted
         request.headers.getone("key"), # $ tainted
 
-        # https://docs.python.org/3/library/asyncio-protocol.html#asyncio-transport
-        # TODO
-        request.transport, # $ tainted
-        request.transport.get_extra_info("key"), # $ MISSING: tainted
+
 
         # dict-like (readonly)
         request.cookies, # $ tainted
@@ -50,9 +48,22 @@ async def test_taint(request: web.Request): # $ requestHandler
 
         # aiohttp.StreamReader
         # see https://docs.aiohttp.org/en/stable/streams.html#aiohttp.StreamReader
-        # TODO
         request.content, # $ tainted
+        await request.content.read(), # $ MISSING: tainted
+        await request.content.readany(), # $ MISSING: tainted
+        await request.content.readexactly(42), # $ MISSING: tainted
+        await request.content.readline(), # $ MISSING: tainted
+        await request.content.readchunk(), # $ MISSING: tainted
+        (await request.content.readchunk())[0], # $ MISSING: tainted
+        [line async for line in request.content], # $ MISSING: tainted
+        [data async for data in request.content.iter_chunked(1024)], # $ MISSING: tainted
+        [data async for data in request.content.iter_any()], # $ MISSING: tainted
+        [data async for data, _ in request.content.iter_chunks()], # $ MISSING: tainted
+        request.content.read_nowait(), # $ MISSING: tainted
+
+        # aiohttp.StreamReader
         request._payload, # $ tainted
+        await request._payload.readany(), # $ MISSING: tainted
 
         request.content_type, # $ tainted
         request.charset, # $ tainted
@@ -66,9 +77,19 @@ async def test_taint(request: web.Request): # $ requestHandler
 
         request.clone(scheme="https"), # $ tainted
 
-        # TODO: like request.transport.get_extra_info
+        # asyncio.Transport
+        # https://docs.python.org/3/library/asyncio-protocol.html#asyncio-transport
+        # example given in https://docs.aiohttp.org/en/stable/web_reference.html#aiohttp.web.BaseRequest.transport
+        # uses `peername` to get IP address of client
+        request.transport, # $ tainted
+        request.transport.get_extra_info("key"), # $ MISSING: tainted
+
+        # Like request.transport.get_extra_info
         request.get_extra_info("key"), # $ tainted
 
+        # Like request.transport.get_extra_info
+        request.protocol.transport.get_extra_info("key"), # $ MISSING: tainted
+
         # bytes
         await request.read(), # $ tainted
 

From c828c7031f431c5dcdf2c5629d07c3ea35905958 Mon Sep 17 00:00:00 2001
From: Tony Torralba <atorralba@users.noreply.github.com>
Date: Fri, 11 Jun 2021 12:04:11 +0200
Subject: [PATCH 1404/1429] Add change note

---
 java/change-notes/2021-06-11-tainted-key-read-steps.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 java/change-notes/2021-06-11-tainted-key-read-steps.md

diff --git a/java/change-notes/2021-06-11-tainted-key-read-steps.md b/java/change-notes/2021-06-11-tainted-key-read-steps.md
new file mode 100644
index 00000000000..a0e03053c35
--- /dev/null
+++ b/java/change-notes/2021-06-11-tainted-key-read-steps.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Data flow now propagates taint from tainted Maps to read steps of their keys (e.g. `tainted.keySet()`).

From df67028a1deef3704a9f39b7c35b9776acf71e97 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Fri, 11 Jun 2021 12:05:39 +0200
Subject: [PATCH 1405/1429] Python: Model `aiohttp.StreamReader`

---
 .../src/semmle/python/frameworks/Aiohttp.qll  | 68 +++++++++++++++++++
 .../frameworks/aiohttp/taint_test.py          | 16 ++---
 2 files changed, 76 insertions(+), 8 deletions(-)

diff --git a/python/ql/src/semmle/python/frameworks/Aiohttp.qll b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
index db3b865cdd4..2f28f5e2126 100644
--- a/python/ql/src/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -295,6 +295,66 @@ module AiohttpWebModel {
     DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
   }
 
+  /**
+   * Provides models for the `aiohttp.StreamReader` class
+   *
+   * See https://docs.aiohttp.org/en/stable/streams.html#aiohttp.StreamReader
+   */
+  module StreamReader {
+    /**
+     * A source of instances of `aiohttp.StreamReader`, extend this class to model new instances.
+     *
+     * This can include instantiations of the class, return values from function
+     * calls, or a special parameter that will be set when functions are called by an external
+     * library.
+     *
+     * Use `StreamReader::instance()` predicate to get
+     * references to instances of `aiohttp.StreamReader`.
+     */
+    abstract class InstanceSource extends DataFlow::LocalSourceNode { }
+
+    /** Gets a reference to an instance of `aiohttp.StreamReader`. */
+    private DataFlow::LocalSourceNode instance(DataFlow::TypeTracker t) {
+      t.start() and
+      result instanceof InstanceSource
+      or
+      exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
+    }
+
+    /** Gets a reference to an instance of `aiohttp.StreamReader`. */
+    DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
+
+    /**
+     * Taint propagation for `aiohttp.StreamReader`.
+     */
+    private class AiohttpStreamReaderAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
+      override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+        // Methods
+        //
+        // TODO: When we have tools that make it easy, model these properly to handle
+        // `meth = obj.meth; meth()`. Until then, we'll use this more syntactic approach
+        // (since it allows us to at least capture the most common cases).
+        nodeFrom = StreamReader::instance() and
+        exists(DataFlow::AttrRead attr | attr.getObject() = nodeFrom |
+          // normal methods
+          attr.getAttributeName() in ["read_nowait"] and
+          nodeTo.(DataFlow::CallCfgNode).getFunction() = attr
+          or
+          // async methods
+          exists(Await await, DataFlow::CallCfgNode call |
+            attr.getAttributeName() in [
+                "read", "readany", "readexactly", "readline", "readchunk", "iter_chunked",
+                "iter_any", "iter_chunks"
+              ] and
+            call.getFunction() = attr and
+            await.getValue() = call.asExpr() and
+            nodeTo.asExpr() = await
+          )
+        )
+      }
+    }
+  }
+
   /**
    * A parameter that will receive an `aiohttp.web.Request` instance when a request
    * handler is invoked.
@@ -395,6 +455,14 @@ module AiohttpWebModel {
     }
   }
 
+  /** An attribute read on an `aiohttp.web.Request` that is a `aiohttp.StreamReader` instance. */
+  class AiohttpRequestStreamReaderInstances extends StreamReader::InstanceSource {
+    AiohttpRequestStreamReaderInstances() {
+      this.(DataFlow::AttrRead).getObject() = Request::instance() and
+      this.(DataFlow::AttrRead).getAttributeName() in ["content", "_payload"]
+    }
+  }
+
   // ---------------------------------------------------------------------------
   // aiohttp.web Response modeling
   // ---------------------------------------------------------------------------
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
index 4704edcc3a5..db0c4cd0c6b 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -49,21 +49,21 @@ async def test_taint(request: web.Request): # $ requestHandler
         # aiohttp.StreamReader
         # see https://docs.aiohttp.org/en/stable/streams.html#aiohttp.StreamReader
         request.content, # $ tainted
-        await request.content.read(), # $ MISSING: tainted
-        await request.content.readany(), # $ MISSING: tainted
-        await request.content.readexactly(42), # $ MISSING: tainted
-        await request.content.readline(), # $ MISSING: tainted
-        await request.content.readchunk(), # $ MISSING: tainted
-        (await request.content.readchunk())[0], # $ MISSING: tainted
+        await request.content.read(), # $ tainted
+        await request.content.readany(), # $ tainted
+        await request.content.readexactly(42), # $ tainted
+        await request.content.readline(), # $ tainted
+        await request.content.readchunk(), # $ tainted
+        (await request.content.readchunk())[0], # $ tainted
         [line async for line in request.content], # $ MISSING: tainted
         [data async for data in request.content.iter_chunked(1024)], # $ MISSING: tainted
         [data async for data in request.content.iter_any()], # $ MISSING: tainted
         [data async for data, _ in request.content.iter_chunks()], # $ MISSING: tainted
-        request.content.read_nowait(), # $ MISSING: tainted
+        request.content.read_nowait(), # $ tainted
 
         # aiohttp.StreamReader
         request._payload, # $ tainted
-        await request._payload.readany(), # $ MISSING: tainted
+        await request._payload.readany(), # $ tainted
 
         request.content_type, # $ tainted
         request.charset, # $ tainted

From 153e0c4ac305000b1954b1a53cb3a33d55e4d231 Mon Sep 17 00:00:00 2001
From: Joe Farebrother <joefarebrother@github.com>
Date: Wed, 10 Mar 2021 11:49:28 +0000
Subject: [PATCH 1406/1429] Add modelling for more `com.google.common.base`
 methods

---
 .../code/java/frameworks/guava/Base.qll       | 39 ++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/guava/Base.qll b/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
index fc1ee0e6cb7..01e90e7b0a7 100644
--- a/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
+++ b/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
@@ -42,7 +42,44 @@ private class GuavaBaseCsv extends SummaryModelCsv {
         "com.google.common.base;Splitter;false;splitToStream;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Splitter$MapSplitter;false;split;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Preconditions;false;checkNotNull;;;Argument[0];ReturnValue;value",
-        "com.google.common.base;MoreObjects;false;firstNonNull;;;Argument[0..1];ReturnValue;value"
+        "com.google.common.base;MoreObjects;false;firstNonNull;;;Argument[0..1];ReturnValue;value",
+        "com.google.common.base;Verify;false;verifyNotNull;;;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Ascii;false;toLowerCase;(CharSequence);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Ascii;false;toLowerCase;(String);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Ascii;false;toUpperCase;(CharSequence);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Ascii;false;toUpperCase;(String);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Ascii;false;truncate;(CharSequence,int,String);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Ascii;false;truncate;(CharSequence,int,String);;Argument[2];ReturnValue;taint",
+        "com.google.common.base;CaseFormat;true;to;(CharFormat,String);;Argument[1];ReturnValue;taint",
+        "com.google.common.base;Converter;true;apply;;;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Converter;true;convert;;;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Converter;true;convertAll;;;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Supplier;true;get;();;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Suppliers;false;ofInstance;(T);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Suppliers;false;memoize;(Supplier<T>);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Suppliers;false;memoizeWithExpiration;(Supplier<T>,long,TimeUnit);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Suppliers;false;synchronizedSupplier;(Supplier<T>);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Optional;true;fromJavaUtil;(Optional<T>);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Optional;true;fromNullable;(T);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Optional;true;get;();;Argument[-1];ReturnValue;taint",
+        "com.google.common.base;Optional;true;asSet;();;Argument[-1];ReturnValue;taint",
+        "com.google.common.base;Optional;true;of;(T);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Optional;true;or;;;Argument[-1];ReturnValue;taint",
+        "com.google.common.base;Optional;true;presentInstances;;;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Optional;true;toJavaUtil;();;Argument[-1];ReturnValue;taint",
+        "com.google.common.base;Optional;true;toJavaUtil;(Optional<T>);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;MoreObjects;false;firstNonNull;(T,T);;Argument;ReturnValue;value",
+        "com.google.common.base;MoreObjects;false;toStringHelper;(String);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;MoreObjects$ToStringHelper;false;add;;;Argument[0];ReturnValue;taint",
+        "com.google.common.base;MoreObjects$ToStringHelper;false;add;;;Argument[0];Argument[-1];taint",
+        "com.google.common.base;MoreObjects$ToStringHelper;false;add;;;Argument[-1];ReturnValue;value",
+        "com.google.common.base;MoreObjects$ToStringHelper;false;add;(String,Object);;Argument[1];ReturnValue;taint",
+        "com.google.common.base;MoreObjects$ToStringHelper;false;add;(String,Object);;Argument[1];Argument[-1];taint",
+        "com.google.common.base;MoreObjects$ToStringHelper;false;addValue;;;Argument[-1];ReturnValue;value",
+        "com.google.common.base;MoreObjects$ToStringHelper;false;addValue;(Object);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;MoreObjects$ToStringHelper;false;addValue;(Object);;Argument[0];Argument[-1];taint",
+        "com.google.common.base;MoreObjects$ToStringHelper;false;omitNullValues;();;Argument[-1];ReturnValue;value",
+        "com.google.common.base;MoreObjects$ToStringHelper;false;toString;();;Argument[-1];ReturnValue;taint"
       ]
   }
 }

From 04ffe803668b7f42b49d34ad52fbd9551dc97fa2 Mon Sep 17 00:00:00 2001
From: Joe Farebrother <joefarebrother@github.com>
Date: Wed, 10 Mar 2021 15:12:27 +0000
Subject: [PATCH 1407/1429] Add unit tests

---
 .../code/java/frameworks/guava/Base.qll       |   4 +-
 .../frameworks/guava/TestBase.java            |  45 ++++++
 .../com/google/common/base/Ascii.java         |  58 ++++++++
 .../com/google/common/base/CaseFormat.java    |  32 +++++
 .../com/google/common/base/Converter.java     |  55 +++++++
 .../com/google/common/base/MoreObjects.java   | 101 ++++++++++++-
 .../com/google/common/base/Optional.java      |   4 +-
 .../com/google/common/base/Suppliers.java     |  45 ++++++
 .../com/google/common/base/Verify.java        | 136 ++++++++++++++++++
 9 files changed, 473 insertions(+), 7 deletions(-)
 create mode 100644 java/ql/test/stubs/guava-30.0/com/google/common/base/Ascii.java
 create mode 100644 java/ql/test/stubs/guava-30.0/com/google/common/base/CaseFormat.java
 create mode 100644 java/ql/test/stubs/guava-30.0/com/google/common/base/Converter.java
 create mode 100644 java/ql/test/stubs/guava-30.0/com/google/common/base/Suppliers.java
 create mode 100644 java/ql/test/stubs/guava-30.0/com/google/common/base/Verify.java

diff --git a/java/ql/src/semmle/code/java/frameworks/guava/Base.qll b/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
index 01e90e7b0a7..174d8d19f33 100644
--- a/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
+++ b/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
@@ -50,7 +50,7 @@ private class GuavaBaseCsv extends SummaryModelCsv {
         "com.google.common.base;Ascii;false;toUpperCase;(String);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Ascii;false;truncate;(CharSequence,int,String);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Ascii;false;truncate;(CharSequence,int,String);;Argument[2];ReturnValue;taint",
-        "com.google.common.base;CaseFormat;true;to;(CharFormat,String);;Argument[1];ReturnValue;taint",
+        "com.google.common.base;CaseFormat;true;to;(CaseFormat,String);;Argument[1];ReturnValue;taint",
         "com.google.common.base;Converter;true;apply;;;Argument[0];ReturnValue;taint",
         "com.google.common.base;Converter;true;convert;;;Argument[0];ReturnValue;taint",
         "com.google.common.base;Converter;true;convertAll;;;Argument[0];ReturnValue;taint",
@@ -65,6 +65,8 @@ private class GuavaBaseCsv extends SummaryModelCsv {
         "com.google.common.base;Optional;true;asSet;();;Argument[-1];ReturnValue;taint",
         "com.google.common.base;Optional;true;of;(T);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Optional;true;or;;;Argument[-1];ReturnValue;taint",
+        "com.google.common.base;Optional;true;or;;;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Optional;true;orNull;();;Argument[-1];ReturnValue;taint",
         "com.google.common.base;Optional;true;presentInstances;;;Argument[0];ReturnValue;taint",
         "com.google.common.base;Optional;true;toJavaUtil;();;Argument[-1];ReturnValue;taint",
         "com.google.common.base;Optional;true;toJavaUtil;(Optional<T>);;Argument[0];ReturnValue;taint",
diff --git a/java/ql/test/library-tests/frameworks/guava/TestBase.java b/java/ql/test/library-tests/frameworks/guava/TestBase.java
index 8da63965d58..c91bd06c4f8 100644
--- a/java/ql/test/library-tests/frameworks/guava/TestBase.java
+++ b/java/ql/test/library-tests/frameworks/guava/TestBase.java
@@ -2,6 +2,7 @@ package com.google.common.base;
 
 import java.util.Map;
 import java.util.HashMap;
+import java.util.concurrent.TimeUnit;
 
 class TestBase {
     String taint() { return "tainted"; }
@@ -59,6 +60,50 @@ class TestBase {
 
     void test4() {
         sink(Preconditions.checkNotNull(taint())); // $numTaintFlow=1
+        sink(Verify.verifyNotNull(taint())); // $numTaintFlow=1
+    }
+
+    void test5() {
+        sink(Ascii.toLowerCase(taint())); // $numTaintFlow=1
+        sink(Ascii.toUpperCase(taint())); // $numTaintFlow=1
+        sink(Ascii.truncate(taint(), 3, "...")); // $numTaintFlow=1
+        sink(Ascii.truncate("abcabcabc", 3, taint())); // $numTaintFlow=1
+        sink(CaseFormat.LOWER_CAMEL.to(CaseFormat.UPPER_UNDERSCORE, taint())); // $numTaintFlow=1
+        sink(CaseFormat.LOWER_HYPHEN.converterTo(CaseFormat.UPPER_CAMEL).convert(taint())); // $numTaintFlow=1
+        sink(CaseFormat.LOWER_UNDERSCORE.converterTo(CaseFormat.LOWER_HYPHEN).reverse().convert(taint())); // $numTaintFlow=1
+    }
+
+    void test6() {
+        sink(Suppliers.memoize(Suppliers.memoizeWithExpiration(Suppliers.synchronizedSupplier(Suppliers.ofInstance(taint())), 3, TimeUnit.HOURS))); // $numTaintFlow=1
+    }
+
+    void test7() {
+        sink(MoreObjects.firstNonNull(taint(), "abc")); // $numTaintFlow=1
+        sink(MoreObjects.firstNonNull(null, taint())); // $numTaintFlow=1
+        sink(MoreObjects.toStringHelper(taint()).add("x", 3).omitNullValues().toString()); // $numTaintFlow=1
+        sink(MoreObjects.toStringHelper((Object) taint()).toString());
+        sink(MoreObjects.toStringHelper("a").add("x", 3).add(taint(), 4).toString()); // $numTaintFlow=1
+        sink(MoreObjects.toStringHelper("a").add("x", taint()).toString()); // $numTaintFlow=1
+        sink(MoreObjects.toStringHelper("a").addValue(taint()).toString()); // $numTaintFlow=1
+        MoreObjects.ToStringHelper h = MoreObjects.toStringHelper("a");
+        h.add("x", 3).add(taint(), 4);
+        sink(h.add("z",5).toString()); // $numTaintFlow=1
+    }
+
+    void test8() {
+        Optional<String> x = Optional.of(taint());
+        sink(x); // $numTaintFlow=1
+        sink(x.get()); // $numTaintFlow=1
+        sink(x.or("hi")); // $numTaintFlow=1
+        sink(x.orNull()); // $numTaintFlow=1
+        sink(x.asSet()); // $numTaintFlow=1
+        sink(Optional.fromJavaUtil(x.toJavaUtil())); // $numTaintFlow=1
+        sink(Optional.fromJavaUtil(Optional.toJavaUtil(x))); // $numTaintFlow=1
+        sink(x.asSet()); // $numTaintFlow=1
+        sink(Optional.fromNullable(taint())); // $numTaintFlow=1
+        sink(Optional.absent().or(x)); // $numTaintFlow=1
+        sink(Optional.absent().or(taint())); // $numTaintFlow=1
+        sink(Optional.presentInstances(Optional.of(x).asSet())); // $numTaintFlow=1
     }
 
     void test5() {
diff --git a/java/ql/test/stubs/guava-30.0/com/google/common/base/Ascii.java b/java/ql/test/stubs/guava-30.0/com/google/common/base/Ascii.java
new file mode 100644
index 00000000000..f5feafe474f
--- /dev/null
+++ b/java/ql/test/stubs/guava-30.0/com/google/common/base/Ascii.java
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2010 The Guava Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package com.google.common.base;
+
+public final class Ascii {
+  public static String toLowerCase(String string) {
+    return null;
+  }
+
+  public static String toLowerCase(CharSequence chars) {
+    return null;
+  }
+
+  public static char toLowerCase(char c) {
+    return '0';
+  }
+
+  public static String toUpperCase(String string) {
+    return null;
+  }
+
+  public static String toUpperCase(CharSequence chars) {
+    return null;
+  }
+
+  public static char toUpperCase(char c) {
+    return '0';
+  }
+
+  public static boolean isLowerCase(char c) {
+    return false;
+  }
+
+  public static boolean isUpperCase(char c) {
+    return false;
+  }
+
+  public static String truncate(CharSequence seq, int maxLength, String truncationIndicator) {
+    return null;
+  }
+
+  public static boolean equalsIgnoreCase(CharSequence s1, CharSequence s2) {
+    return false;
+  }
+
+}
diff --git a/java/ql/test/stubs/guava-30.0/com/google/common/base/CaseFormat.java b/java/ql/test/stubs/guava-30.0/com/google/common/base/CaseFormat.java
new file mode 100644
index 00000000000..4d0df360197
--- /dev/null
+++ b/java/ql/test/stubs/guava-30.0/com/google/common/base/CaseFormat.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2006 The Guava Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package com.google.common.base;
+
+public enum CaseFormat {
+  LOWER_HYPHEN,
+  LOWER_UNDERSCORE,
+  LOWER_CAMEL,
+  UPPER_CAMEL,
+  UPPER_UNDERSCORE;
+
+  public final String to(CaseFormat format, String str) {
+    return null;
+  }
+
+  public Converter<String, String> converterTo(CaseFormat targetFormat) {
+    return null;
+  }
+
+}
diff --git a/java/ql/test/stubs/guava-30.0/com/google/common/base/Converter.java b/java/ql/test/stubs/guava-30.0/com/google/common/base/Converter.java
new file mode 100644
index 00000000000..d4e59f3ff91
--- /dev/null
+++ b/java/ql/test/stubs/guava-30.0/com/google/common/base/Converter.java
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2008 The Guava Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package com.google.common.base;
+import org.checkerframework.checker.nullness.qual.Nullable;
+
+public abstract class Converter<A, B> implements Function<A, B> {
+  public final @Nullable B convert(@Nullable A a) {
+    return null;
+  }
+
+  public Iterable<B> convertAll(final Iterable<? extends A> fromIterable) {
+    return null;
+  }
+
+  public Converter<B, A> reverse() {
+    return null;
+  }
+
+  public final <C> Converter<A, C> andThen(Converter<B, C> secondConverter) {
+    return null;
+  }
+
+  @Override
+  public final @Nullable B apply(@Nullable A a) {
+    return null;
+  }
+
+  @Override
+  public boolean equals(@Nullable Object object) {
+    return false;
+  }
+
+  public static <A, B> Converter<A, B> from(
+      Function<? super A, ? extends B> forwardFunction,
+      Function<? super B, ? extends A> backwardFunction) {
+    return null;
+  }
+
+  public static <T> Converter<T, T> identity() {
+    return null;
+  }
+
+}
diff --git a/java/ql/test/stubs/guava-30.0/com/google/common/base/MoreObjects.java b/java/ql/test/stubs/guava-30.0/com/google/common/base/MoreObjects.java
index 3f4912b021b..31e3638adec 100644
--- a/java/ql/test/stubs/guava-30.0/com/google/common/base/MoreObjects.java
+++ b/java/ql/test/stubs/guava-30.0/com/google/common/base/MoreObjects.java
@@ -1,9 +1,102 @@
-package com.google.common.base;
+/*
+ * Copyright (C) 2014 The Guava Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
 
+package com.google.common.base;
 import org.checkerframework.checker.nullness.qual.Nullable;
 
 public final class MoreObjects {
-    public static <T> T firstNonNull(@Nullable T first, @Nullable T second) {
-        return null;
+  public static <T> T firstNonNull(@Nullable T first, @Nullable T second) {
+    return null;
+  }
+
+  public static ToStringHelper toStringHelper(Object self) {
+    return null;
+  }
+
+  public static ToStringHelper toStringHelper(Class<?> clazz) {
+    return null;
+  }
+
+  public static ToStringHelper toStringHelper(String className) {
+    return null;
+  }
+
+  public static final class ToStringHelper {
+    public ToStringHelper omitNullValues() {
+      return null;
     }
-}
\ No newline at end of file
+
+    public ToStringHelper add(String name, @Nullable Object value) {
+      return null;
+    }
+
+    public ToStringHelper add(String name, boolean value) {
+      return null;
+    }
+
+    public ToStringHelper add(String name, char value) {
+      return null;
+    }
+
+    public ToStringHelper add(String name, double value) {
+      return null;
+    }
+
+    public ToStringHelper add(String name, float value) {
+      return null;
+    }
+
+    public ToStringHelper add(String name, int value) {
+      return null;
+    }
+
+    public ToStringHelper add(String name, long value) {
+      return null;
+    }
+
+    public ToStringHelper addValue(@Nullable Object value) {
+      return null;
+    }
+
+    public ToStringHelper addValue(boolean value) {
+      return null;
+    }
+
+    public ToStringHelper addValue(char value) {
+      return null;
+    }
+
+    public ToStringHelper addValue(double value) {
+      return null;
+    }
+
+    public ToStringHelper addValue(float value) {
+      return null;
+    }
+
+    public ToStringHelper addValue(int value) {
+      return null;
+    }
+
+    public ToStringHelper addValue(long value) {
+      return null;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+  }
+}
diff --git a/java/ql/test/stubs/guava-30.0/com/google/common/base/Optional.java b/java/ql/test/stubs/guava-30.0/com/google/common/base/Optional.java
index f6f757ac994..3f39995651a 100644
--- a/java/ql/test/stubs/guava-30.0/com/google/common/base/Optional.java
+++ b/java/ql/test/stubs/guava-30.0/com/google/common/base/Optional.java
@@ -31,11 +31,11 @@ public abstract class Optional<T> implements Serializable {
   }
 
   public static <T> @Nullable Optional<T> fromJavaUtil(
-      java.util.Optional<T> javaUtilOptional) {
+      java.util.@Nullable Optional<T> javaUtilOptional) {
     return null;
   }
 
-  public static <T> java.util.Optional<T> toJavaUtil(
+  public static <T> java.util.@Nullable Optional<T> toJavaUtil(
       @Nullable Optional<T> googleOptional) {
     return null;
   }
diff --git a/java/ql/test/stubs/guava-30.0/com/google/common/base/Suppliers.java b/java/ql/test/stubs/guava-30.0/com/google/common/base/Suppliers.java
new file mode 100644
index 00000000000..5e5b2d47820
--- /dev/null
+++ b/java/ql/test/stubs/guava-30.0/com/google/common/base/Suppliers.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2007 The Guava Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package com.google.common.base;
+import java.util.concurrent.TimeUnit;
+import org.checkerframework.checker.nullness.qual.Nullable;
+
+public final class Suppliers {
+  public static <F, T> Supplier<T> compose(Function<? super F, T> function, Supplier<F> supplier) {
+    return null;
+  }
+
+  public static <T> Supplier<T> memoize(Supplier<T> delegate) {
+    return null;
+  }
+
+  public static <T> Supplier<T> memoizeWithExpiration(
+      Supplier<T> delegate, long duration, TimeUnit unit) {
+    return null;
+  }
+
+  public static <T> Supplier<T> ofInstance(@Nullable T instance) {
+    return null;
+  }
+
+  public static <T> Supplier<T> synchronizedSupplier(Supplier<T> delegate) {
+    return null;
+  }
+
+  public static <T> Function<Supplier<T>, T> supplierFunction() {
+    return null;
+  }
+
+}
diff --git a/java/ql/test/stubs/guava-30.0/com/google/common/base/Verify.java b/java/ql/test/stubs/guava-30.0/com/google/common/base/Verify.java
new file mode 100644
index 00000000000..8016ec83489
--- /dev/null
+++ b/java/ql/test/stubs/guava-30.0/com/google/common/base/Verify.java
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2013 The Guava Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package com.google.common.base;
+import org.checkerframework.checker.nullness.qual.Nullable;
+
+public final class Verify {
+  public static void verify(boolean expression) {
+  }
+
+  public static void verify(
+      boolean expression,
+      @Nullable String errorMessageTemplate,
+      @Nullable Object @Nullable ... errorMessageArgs) {
+  }
+
+  public static void verify(boolean expression, @Nullable String errorMessageTemplate, char p1) {
+  }
+
+  public static void verify(boolean expression, @Nullable String errorMessageTemplate, int p1) {
+  }
+
+  public static void verify(boolean expression, @Nullable String errorMessageTemplate, long p1) {
+  }
+
+  public static void verify(
+      boolean expression, @Nullable String errorMessageTemplate, @Nullable Object p1) {
+  }
+
+  public static void verify(
+      boolean expression, @Nullable String errorMessageTemplate, char p1, char p2) {
+  }
+
+  public static void verify(
+      boolean expression, @Nullable String errorMessageTemplate, int p1, char p2) {
+  }
+
+  public static void verify(
+      boolean expression, @Nullable String errorMessageTemplate, long p1, char p2) {
+  }
+
+  public static void verify(
+      boolean expression, @Nullable String errorMessageTemplate, @Nullable Object p1, char p2) {
+  }
+
+  public static void verify(
+      boolean expression, @Nullable String errorMessageTemplate, char p1, int p2) {
+  }
+
+  public static void verify(
+      boolean expression, @Nullable String errorMessageTemplate, int p1, int p2) {
+  }
+
+  public static void verify(
+      boolean expression, @Nullable String errorMessageTemplate, long p1, int p2) {
+  }
+
+  public static void verify(
+      boolean expression, @Nullable String errorMessageTemplate, @Nullable Object p1, int p2) {
+  }
+
+  public static void verify(
+      boolean expression, @Nullable String errorMessageTemplate, char p1, long p2) {
+  }
+
+  public static void verify(
+      boolean expression, @Nullable String errorMessageTemplate, int p1, long p2) {
+  }
+
+  public static void verify(
+      boolean expression, @Nullable String errorMessageTemplate, long p1, long p2) {
+  }
+
+  public static void verify(
+      boolean expression, @Nullable String errorMessageTemplate, @Nullable Object p1, long p2) {
+  }
+
+  public static void verify(
+      boolean expression, @Nullable String errorMessageTemplate, char p1, @Nullable Object p2) {
+  }
+
+  public static void verify(
+      boolean expression, @Nullable String errorMessageTemplate, int p1, @Nullable Object p2) {
+  }
+
+  public static void verify(
+      boolean expression, @Nullable String errorMessageTemplate, long p1, @Nullable Object p2) {
+  }
+
+  public static void verify(
+      boolean expression,
+      @Nullable String errorMessageTemplate,
+      @Nullable Object p1,
+      @Nullable Object p2) {
+  }
+
+  public static void verify(
+      boolean expression,
+      @Nullable String errorMessageTemplate,
+      @Nullable Object p1,
+      @Nullable Object p2,
+      @Nullable Object p3) {
+  }
+
+  public static void verify(
+      boolean expression,
+      @Nullable String errorMessageTemplate,
+      @Nullable Object p1,
+      @Nullable Object p2,
+      @Nullable Object p3,
+      @Nullable Object p4) {
+  }
+
+  public static <T> T verifyNotNull(@Nullable T reference) {
+    return null;
+  }
+
+  public static <T> T verifyNotNull(
+      @Nullable T reference,
+      @Nullable String errorMessageTemplate,
+      @Nullable Object @Nullable ... errorMessageArgs) {
+    return null;
+  }
+
+}

From dc19d1db359387854028ad9fd64b47e35ef4064d Mon Sep 17 00:00:00 2001
From: Joe Farebrother <joefarebrother@github.com>
Date: Wed, 10 Mar 2021 15:18:46 +0000
Subject: [PATCH 1408/1429] Add change note

---
 java/change-notes/2021-03-10-guava-base.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 java/change-notes/2021-03-10-guava-base.md

diff --git a/java/change-notes/2021-03-10-guava-base.md b/java/change-notes/2021-03-10-guava-base.md
new file mode 100644
index 00000000000..f2bdd9fe95d
--- /dev/null
+++ b/java/change-notes/2021-03-10-guava-base.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Increased coverage of the Guava framework by modelling additional classes in the `com.google.common.base` package. This may result in more results for security queries on projects where the Guava framework is used. 
\ No newline at end of file

From dee93783a290b0067500e15bc768d9536073f526 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Fri, 11 Jun 2021 13:56:55 +0200
Subject: [PATCH 1409/1429] Python: Update .expected for
 py/weak-sensitive-data-hashing

Now there is a path from the _imports_ of the functions that would
return sensitive data, so we produce more alerts.

I'm not entirely happy about this "double reporting", but I'm not sure
how to get around it without either:

1. disabling the extra taint-step for calls. Not ideal since we would
   loose good sources.
2. disabling the extra sources based on function name. Not ideal since
   we would loose good sources.
3. disabling the extra sources based on function name, for those calls
   that would be handled with the extra taint-step for calls. Not ideal
   since that would require running the data-flow query initially to
   prune these out :|

So for now, I think the best approach is to accept some risk on this,
and ship to learn :)
---
 .../WeakSensitiveDataHashing.expected         | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected
index 3a7dc65ddb4..50d4cfcc62d 100644
--- a/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected
+++ b/python/ql/test/query-tests/Security/CWE-327-WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected
@@ -1,27 +1,71 @@
 edges
+| test_cryptodome.py:0:0:0:0 | ModuleVariableNode for Global Variable get_certificate in Module test_cryptodome | test_cryptodome.py:6:17:6:31 | ControlFlowNode for get_certificate |
+| test_cryptodome.py:0:0:0:0 | ModuleVariableNode for Global Variable get_password in Module test_cryptodome | test_cryptodome.py:13:17:13:28 | ControlFlowNode for get_password |
+| test_cryptodome.py:0:0:0:0 | ModuleVariableNode for Global Variable get_password in Module test_cryptodome | test_cryptodome.py:20:17:20:28 | ControlFlowNode for get_password |
+| test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | test_cryptodome.py:2:23:2:34 | GSSA Variable get_password |
+| test_cryptodome.py:2:23:2:34 | GSSA Variable get_password | test_cryptodome.py:0:0:0:0 | ModuleVariableNode for Global Variable get_password in Module test_cryptodome |
+| test_cryptodome.py:2:37:2:51 | ControlFlowNode for ImportMember | test_cryptodome.py:2:37:2:51 | GSSA Variable get_certificate |
+| test_cryptodome.py:2:37:2:51 | GSSA Variable get_certificate | test_cryptodome.py:0:0:0:0 | ModuleVariableNode for Global Variable get_certificate in Module test_cryptodome |
+| test_cryptodome.py:6:17:6:31 | ControlFlowNode for get_certificate | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous |
 | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous |
+| test_cryptodome.py:13:17:13:28 | ControlFlowNode for get_password | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous |
 | test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous |
+| test_cryptodome.py:20:17:20:28 | ControlFlowNode for get_password | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous |
 | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous |
+| test_cryptography.py:0:0:0:0 | ModuleVariableNode for Global Variable get_certificate in Module test_cryptography | test_cryptography.py:7:17:7:31 | ControlFlowNode for get_certificate |
+| test_cryptography.py:0:0:0:0 | ModuleVariableNode for Global Variable get_password in Module test_cryptography | test_cryptography.py:15:17:15:28 | ControlFlowNode for get_password |
+| test_cryptography.py:0:0:0:0 | ModuleVariableNode for Global Variable get_password in Module test_cryptography | test_cryptography.py:23:17:23:28 | ControlFlowNode for get_password |
+| test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | test_cryptography.py:3:23:3:34 | GSSA Variable get_password |
+| test_cryptography.py:3:23:3:34 | GSSA Variable get_password | test_cryptography.py:0:0:0:0 | ModuleVariableNode for Global Variable get_password in Module test_cryptography |
+| test_cryptography.py:3:37:3:51 | ControlFlowNode for ImportMember | test_cryptography.py:3:37:3:51 | GSSA Variable get_certificate |
+| test_cryptography.py:3:37:3:51 | GSSA Variable get_certificate | test_cryptography.py:0:0:0:0 | ModuleVariableNode for Global Variable get_certificate in Module test_cryptography |
+| test_cryptography.py:7:17:7:31 | ControlFlowNode for get_certificate | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous |
 | test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous |
+| test_cryptography.py:15:17:15:28 | ControlFlowNode for get_password | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous |
 | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous |
+| test_cryptography.py:23:17:23:28 | ControlFlowNode for get_password | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous |
 | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous |
 nodes
+| test_cryptodome.py:0:0:0:0 | ModuleVariableNode for Global Variable get_certificate in Module test_cryptodome | semmle.label | ModuleVariableNode for Global Variable get_certificate in Module test_cryptodome |
+| test_cryptodome.py:0:0:0:0 | ModuleVariableNode for Global Variable get_password in Module test_cryptodome | semmle.label | ModuleVariableNode for Global Variable get_password in Module test_cryptodome |
+| test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
+| test_cryptodome.py:2:23:2:34 | GSSA Variable get_password | semmle.label | GSSA Variable get_password |
+| test_cryptodome.py:2:37:2:51 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
+| test_cryptodome.py:2:37:2:51 | GSSA Variable get_certificate | semmle.label | GSSA Variable get_certificate |
+| test_cryptodome.py:6:17:6:31 | ControlFlowNode for get_certificate | semmle.label | ControlFlowNode for get_certificate |
 | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | semmle.label | ControlFlowNode for get_certificate() |
 | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous |
+| test_cryptodome.py:13:17:13:28 | ControlFlowNode for get_password | semmle.label | ControlFlowNode for get_password |
 | test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
 | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous |
+| test_cryptodome.py:20:17:20:28 | ControlFlowNode for get_password | semmle.label | ControlFlowNode for get_password |
 | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
 | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous |
+| test_cryptography.py:0:0:0:0 | ModuleVariableNode for Global Variable get_certificate in Module test_cryptography | semmle.label | ModuleVariableNode for Global Variable get_certificate in Module test_cryptography |
+| test_cryptography.py:0:0:0:0 | ModuleVariableNode for Global Variable get_password in Module test_cryptography | semmle.label | ModuleVariableNode for Global Variable get_password in Module test_cryptography |
+| test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
+| test_cryptography.py:3:23:3:34 | GSSA Variable get_password | semmle.label | GSSA Variable get_password |
+| test_cryptography.py:3:37:3:51 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
+| test_cryptography.py:3:37:3:51 | GSSA Variable get_certificate | semmle.label | GSSA Variable get_certificate |
+| test_cryptography.py:7:17:7:31 | ControlFlowNode for get_certificate | semmle.label | ControlFlowNode for get_certificate |
 | test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | semmle.label | ControlFlowNode for get_certificate() |
 | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous |
+| test_cryptography.py:15:17:15:28 | ControlFlowNode for get_password | semmle.label | ControlFlowNode for get_password |
 | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
 | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous |
+| test_cryptography.py:23:17:23:28 | ControlFlowNode for get_password | semmle.label | ControlFlowNode for get_password |
 | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | semmle.label | ControlFlowNode for get_password() |
 | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | semmle.label | ControlFlowNode for dangerous |
 #select
+| test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | test_cryptodome.py:2:37:2:51 | ControlFlowNode for ImportMember | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptodome.py:2:37:2:51 | ControlFlowNode for ImportMember | Sensitive data (certificate) |
 | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | test_cryptodome.py:8:19:8:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptodome.py:6:17:6:33 | ControlFlowNode for get_certificate() | Sensitive data (certificate) |
+| test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | Sensitive data (password) |
 | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | test_cryptodome.py:15:19:15:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:13:17:13:30 | ControlFlowNode for get_password() | Sensitive data (password) |
+| test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:2:23:2:34 | ControlFlowNode for ImportMember | Sensitive data (password) |
 | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | test_cryptodome.py:24:19:24:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptodome.py:20:17:20:30 | ControlFlowNode for get_password() | Sensitive data (password) |
+| test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | test_cryptography.py:3:37:3:51 | ControlFlowNode for ImportMember | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptography.py:3:37:3:51 | ControlFlowNode for ImportMember | Sensitive data (certificate) |
 | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | test_cryptography.py:9:19:9:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure. | test_cryptography.py:7:17:7:33 | ControlFlowNode for get_certificate() | Sensitive data (certificate) |
+| test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | Sensitive data (password) |
 | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | test_cryptography.py:17:19:17:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:15:17:15:30 | ControlFlowNode for get_password() | Sensitive data (password) |
+| test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:3:23:3:34 | ControlFlowNode for ImportMember | Sensitive data (password) |
 | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | test_cryptography.py:27:19:27:27 | ControlFlowNode for dangerous | $@ is used in a hashing algorithm (SHA256) that is insecure for password hashing, since it is not a computationally expensive hash function. | test_cryptography.py:23:17:23:30 | ControlFlowNode for get_password() | Sensitive data (password) |

From 53f7633662c41e3a487b8adb5d002800dd4fc67c Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Fri, 11 Jun 2021 14:53:30 +0200
Subject: [PATCH 1410/1429] Python: Model `await request.post()` as
 MultiDictProxy

as highlight as being quite easy to do by @yoff :+1:
---
 python/ql/src/semmle/python/frameworks/Aiohttp.qll   | 12 ++++++++++++
 .../library-tests/frameworks/aiohttp/taint_test.py   |  2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/frameworks/Aiohttp.qll b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
index 2f28f5e2126..6a3a5fb6d53 100644
--- a/python/ql/src/semmle/python/frameworks/Aiohttp.qll
+++ b/python/ql/src/semmle/python/frameworks/Aiohttp.qll
@@ -444,6 +444,18 @@ module AiohttpWebModel {
     AiohttpRequestMultiDictProxyInstances() {
       this.(DataFlow::AttrRead).getObject() = Request::instance() and
       this.(DataFlow::AttrRead).getAttributeName() in ["query", "headers"]
+      or
+      // Handle the common case of `x = await request.post()`
+      // but don't try to handle anything else, since we don't have an easy way to do this yet.
+      // TODO: more complete handling of `await request.post()`
+      exists(Await await, DataFlow::CallCfgNode call, DataFlow::AttrRead read |
+        this.asExpr() = await
+      |
+        read.(DataFlow::AttrRead).getObject() = Request::instance() and
+        read.(DataFlow::AttrRead).getAttributeName() = "post" and
+        call.getFunction() = read and
+        await.getValue() = call.asExpr()
+      )
     }
   }
 
diff --git a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
index db0c4cd0c6b..ce715f22c0c 100644
--- a/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
+++ b/python/ql/test/library-tests/frameworks/aiohttp/taint_test.py
@@ -104,7 +104,7 @@ async def test_taint(request: web.Request): # $ requestHandler
 
         # multidict.MultiDictProxy[str] (see `multidict` framework tests)
         await request.post(), # $ tainted
-        (await request.post()).getone("key"), # $ MISSING: tainted
+        (await request.post()).getone("key"), # $ tainted
     )
 
     import yarl

From 9c946a79c7e0e40baf3bf507ad213171cd3b4196 Mon Sep 17 00:00:00 2001
From: "John L. Singleton" <jsinglet@gmail.com>
Date: Fri, 11 Jun 2021 09:49:44 -0400
Subject: [PATCH 1411/1429] Update cpp/change-notes/2021-06-10-std-types.md

Co-authored-by: Jonas Jensen <jbj@github.com>
---
 cpp/change-notes/2021-06-10-std-types.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/change-notes/2021-06-10-std-types.md b/cpp/change-notes/2021-06-10-std-types.md
index aeaccf01875..86577ce14a0 100644
--- a/cpp/change-notes/2021-06-10-std-types.md
+++ b/cpp/change-notes/2021-06-10-std-types.md
@@ -1,4 +1,4 @@
 lgtm,codescanning
 * Added definitions for types found in `cstdint`. Added types `FixedWidthIntegralType`, `MinimumWidthIntegralType`, `FastestMinimumWidthIntegralType`, and `MaximumWidthIntegralType` to describe types such as `int8_t`, `int_least8_t`, `int_fast8_t`, and `intmax_t` respectively. 
 * Changed definition of `Intmax_t` and `Uintmax_t` to be part of the new type structure. 
-* Added a type `FixedWidthEnumType` which describes enums based on afixed-width integer type. For instance, `enum e: uint8_t = { a, b };`.
+* Added a type `FixedWidthEnumType` which describes enums based on a fixed-width integer type. For instance, `enum e: uint8_t = { a, b };`.

From 678597f3f929f63d5419f5d9851b46ffd1452905 Mon Sep 17 00:00:00 2001
From: Joe Farebrother <joefarebrother@github.com>
Date: Fri, 11 Jun 2021 15:08:27 +0100
Subject: [PATCH 1412/1429] Update CSV rows for collection flow

---
 .../code/java/frameworks/guava/Base.qll       | 54 +++++++++++--------
 .../frameworks/guava/TestBase.java            |  9 +---
 2 files changed, 34 insertions(+), 29 deletions(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/guava/Base.qll b/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
index 174d8d19f33..bd3c2d47689 100644
--- a/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
+++ b/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
@@ -22,8 +22,17 @@ private class GuavaBaseCsv extends SummaryModelCsv {
         "com.google.common.base;Joiner;false;withKeyValueSeparator;(String);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Joiner;false;withKeyValueSeparator;(String);;Argument[-1];ReturnValue;taint",
         "com.google.common.base;Joiner;false;withKeyValueSeparator;(char);;Argument[-1];ReturnValue;taint",
-        // Note: The signatures of some of the appendTo methods involve collection flow
-        "com.google.common.base;Joiner;false;appendTo;;;Argument[-1..3];Argument[0];taint",
+        "com.google.common.base;Joiner;false;appendTo;(Appendable,Object,Object,Object[]);;Argument[1..2];Argument[0];taint",
+        "com.google.common.base;Joiner;false;appendTo;(Appendable,Object,Object,Object[]);;ArrayElement of Argument[3];Argument[0];taint",
+        "com.google.common.base;Joiner;false;appendTo;(Appendable,Iterable);;Element of Argument[1];Argument[-1];taint",
+        "com.google.common.base;Joiner;false;appendTo;(Appendable,Object[]);;ArrayElement of Argument[1];Argument[-1];taint",
+        "com.google.common.base;Joiner;false;appendTo;(Appendable,Iterator);;Element of Argument[1];Argument[-1];taint",
+        "com.google.common.base;Joiner;false;appendTo;(StringBuilder,Object,Object,Object[]);;Argument[1..2];Argument[0];taint",
+        "com.google.common.base;Joiner;false;appendTo;(StringBuilder,Object,Object,Object[]);;ArrayElement of Argument[3];Argument[0];taint",
+        "com.google.common.base;Joiner;false;appendTo;(StringBuilder,Iterable);;Element of Argument[1];Argument[-1];taint",
+        "com.google.common.base;Joiner;false;appendTo;(StringBuilder,Object[]);;ArrayElement of Argument[1];Argument[-1];taint",
+        "com.google.common.base;Joiner;false;appendTo;(StringBuilder,Iterator);;Element of Argument[1];Argument[-1];taint",
+        "com.google.common.base;Joiner;false;appendTo;;;Argument[-1];Argument[0];taint",
         "com.google.common.base;Joiner;false;appendTo;;;Argument[0];ReturnValue;value",
         "com.google.common.base;Joiner;false;join;;;Argument[-1..2];ReturnValue;taint",
         "com.google.common.base;Joiner$MapJoiner;false;useForNull;(String);;Argument[0];ReturnValue;taint",
@@ -42,7 +51,6 @@ private class GuavaBaseCsv extends SummaryModelCsv {
         "com.google.common.base;Splitter;false;splitToStream;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Splitter$MapSplitter;false;split;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Preconditions;false;checkNotNull;;;Argument[0];ReturnValue;value",
-        "com.google.common.base;MoreObjects;false;firstNonNull;;;Argument[0..1];ReturnValue;value",
         "com.google.common.base;Verify;false;verifyNotNull;;;Argument[0];ReturnValue;taint",
         "com.google.common.base;Ascii;false;toLowerCase;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Ascii;false;toLowerCase;(String);;Argument[0];ReturnValue;taint",
@@ -51,26 +59,28 @@ private class GuavaBaseCsv extends SummaryModelCsv {
         "com.google.common.base;Ascii;false;truncate;(CharSequence,int,String);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Ascii;false;truncate;(CharSequence,int,String);;Argument[2];ReturnValue;taint",
         "com.google.common.base;CaseFormat;true;to;(CaseFormat,String);;Argument[1];ReturnValue;taint",
-        "com.google.common.base;Converter;true;apply;;;Argument[0];ReturnValue;taint",
-        "com.google.common.base;Converter;true;convert;;;Argument[0];ReturnValue;taint",
-        "com.google.common.base;Converter;true;convertAll;;;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Converter;true;apply;(Object);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Converter;true;convert;(Object);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Converter;true;convertAll;(Iterable);;Element of Argument[0];Element of ReturnValue;taint",
         "com.google.common.base;Supplier;true;get;();;Argument[0];ReturnValue;taint",
-        "com.google.common.base;Suppliers;false;ofInstance;(T);;Argument[0];ReturnValue;taint",
-        "com.google.common.base;Suppliers;false;memoize;(Supplier<T>);;Argument[0];ReturnValue;taint",
-        "com.google.common.base;Suppliers;false;memoizeWithExpiration;(Supplier<T>,long,TimeUnit);;Argument[0];ReturnValue;taint",
-        "com.google.common.base;Suppliers;false;synchronizedSupplier;(Supplier<T>);;Argument[0];ReturnValue;taint",
-        "com.google.common.base;Optional;true;fromJavaUtil;(Optional<T>);;Argument[0];ReturnValue;taint",
-        "com.google.common.base;Optional;true;fromNullable;(T);;Argument[0];ReturnValue;taint",
-        "com.google.common.base;Optional;true;get;();;Argument[-1];ReturnValue;taint",
-        "com.google.common.base;Optional;true;asSet;();;Argument[-1];ReturnValue;taint",
-        "com.google.common.base;Optional;true;of;(T);;Argument[0];ReturnValue;taint",
-        "com.google.common.base;Optional;true;or;;;Argument[-1];ReturnValue;taint",
-        "com.google.common.base;Optional;true;or;;;Argument[0];ReturnValue;taint",
-        "com.google.common.base;Optional;true;orNull;();;Argument[-1];ReturnValue;taint",
-        "com.google.common.base;Optional;true;presentInstances;;;Argument[0];ReturnValue;taint",
-        "com.google.common.base;Optional;true;toJavaUtil;();;Argument[-1];ReturnValue;taint",
-        "com.google.common.base;Optional;true;toJavaUtil;(Optional<T>);;Argument[0];ReturnValue;taint",
-        "com.google.common.base;MoreObjects;false;firstNonNull;(T,T);;Argument;ReturnValue;value",
+        "com.google.common.base;Suppliers;false;ofInstance;(Object);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Suppliers;false;memoize;(Supplier);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Suppliers;false;memoizeWithExpiration;(Supplier,long,TimeUnit);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Suppliers;false;synchronizedSupplier;(Supplier);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Optional;true;fromJavaUtil;(Optional);;Element of Argument[0];Element of ReturnValue;value",
+        "com.google.common.base;Optional;true;fromNullable;(Object);;Argument[0];Element of ReturnValue;value",
+        "com.google.common.base;Optional;true;get;();;Element of Argument[-1];ReturnValue;value",
+        "com.google.common.base;Optional;true;asSet;();;Element of Argument[-1];Element of ReturnValue;value",
+        "com.google.common.base;Optional;true;of;(Object);;Argument[0];Element of ReturnValue;value",
+        "com.google.common.base;Optional;true;or;;;Element of Argument[-1];ReturnValue;value",
+        "com.google.common.base;Optional;true;or;(Optional);;Element of Argument[0];ReturnValue;value",
+        "com.google.common.base;Optional;true;or;(Supplier);;Argument[0];ReturnValue;value",
+        "com.google.common.base;Optional;true;or;(Object);;Argument[0];ReturnValue;value",
+        "com.google.common.base;Optional;true;orNull;();;Element of Argument[-1];ReturnValue;value",
+        "com.google.common.base;Optional;true;presentInstances;(Iterable);;Element of Element of Argument[0];Element of ReturnValue;value",
+        "com.google.common.base;Optional;true;toJavaUtil;();;Element of Argument[-1];Element of ReturnValue;value",
+        "com.google.common.base;Optional;true;toJavaUtil;(Optional);;Element of Argument[0];Element of ReturnValue;value",
+        "com.google.common.base;MoreObjects;false;firstNonNull;(Object,Object);;Argument[0..1];ReturnValue;value",
         "com.google.common.base;MoreObjects;false;toStringHelper;(String);;Argument[0];ReturnValue;taint",
         "com.google.common.base;MoreObjects$ToStringHelper;false;add;;;Argument[0];ReturnValue;taint",
         "com.google.common.base;MoreObjects$ToStringHelper;false;add;;;Argument[0];Argument[-1];taint",
diff --git a/java/ql/test/library-tests/frameworks/guava/TestBase.java b/java/ql/test/library-tests/frameworks/guava/TestBase.java
index c91bd06c4f8..ed3654f9de5 100644
--- a/java/ql/test/library-tests/frameworks/guava/TestBase.java
+++ b/java/ql/test/library-tests/frameworks/guava/TestBase.java
@@ -78,8 +78,9 @@ class TestBase {
     }
 
     void test7() {
-        sink(MoreObjects.firstNonNull(taint(), "abc")); // $numTaintFlow=1
+        sink(MoreObjects.firstNonNull(taint(), taint())); // $numTaintFlow=2
         sink(MoreObjects.firstNonNull(null, taint())); // $numTaintFlow=1
+        sink(MoreObjects.firstNonNull(taint(), null)); // $numTaintFlow=1
         sink(MoreObjects.toStringHelper(taint()).add("x", 3).omitNullValues().toString()); // $numTaintFlow=1
         sink(MoreObjects.toStringHelper((Object) taint()).toString());
         sink(MoreObjects.toStringHelper("a").add("x", 3).add(taint(), 4).toString()); // $numTaintFlow=1
@@ -105,10 +106,4 @@ class TestBase {
         sink(Optional.absent().or(taint())); // $numTaintFlow=1
         sink(Optional.presentInstances(Optional.of(x).asSet())); // $numTaintFlow=1
     }
-
-    void test5() {
-        sink(MoreObjects.firstNonNull(taint(), taint())); // $numTaintFlow=2
-        sink(MoreObjects.firstNonNull(null, taint())); // $numTaintFlow=1
-        sink(MoreObjects.firstNonNull(taint(), null)); // $numTaintFlow=1
-    }
 }

From 8c6c011be28097abb6696f4dae9637e7715156e8 Mon Sep 17 00:00:00 2001
From: "John L. Singleton" <jsinglet@github.com>
Date: Fri, 11 Jun 2021 10:17:05 -0400
Subject: [PATCH 1413/1429] Formatting fixes, comment moving.

---
 .../src/semmle/code/cpp/commons/CommonType.qll | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll b/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
index 2e08c6abb35..5d6c64630a6 100644
--- a/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
+++ b/cpp/ql/src/semmle/code/cpp/commons/CommonType.qll
@@ -66,43 +66,43 @@ class Ptrdiff_t extends Type {
 /**
  * A parent class representing C/C++ a typedef'd `UserType` such as `int8_t`.
  */
-private abstract class IntegralUnderlyingUserType extends UserType {
+abstract private class IntegralUnderlyingUserType extends UserType {
   IntegralUnderlyingUserType() { this.getUnderlyingType() instanceof IntegralType }
 }
 
+abstract private class TFixedWidthIntegralType extends IntegralUnderlyingUserType { }
+
 /**
  * A C/C++ fixed-width numeric type, such as `int8_t`.
  */
-abstract private class TFixedWidthIntegralType extends IntegralUnderlyingUserType { }
-
 class FixedWidthIntegralType extends TFixedWidthIntegralType {
   FixedWidthIntegralType() { this instanceof TFixedWidthIntegralType }
 }
 
+abstract private class TMinimumWidthIntegralType extends IntegralUnderlyingUserType { }
+
 /**
  * A C/C++ minimum-width numeric type, such as `int_least8_t`.
  */
-abstract private class TMinimumWidthIntegralType extends IntegralUnderlyingUserType { }
-
 class MinimumWidthIntegralType extends TMinimumWidthIntegralType {
   MinimumWidthIntegralType() { this instanceof TMinimumWidthIntegralType }
 }
 
+abstract private class TFastestMinimumWidthIntegralType extends IntegralUnderlyingUserType { }
+
 /**
  * A C/C++ minimum-width numeric type, representing the fastest integer type with a
  * width of at least `N` such as `int_fast8_t`.
  */
-abstract private class TFastestMinimumWidthIntegralType extends IntegralUnderlyingUserType { }
-
 class FastestMinimumWidthIntegralType extends TFastestMinimumWidthIntegralType {
   FastestMinimumWidthIntegralType() { this instanceof TFastestMinimumWidthIntegralType }
 }
 
+abstract private class TMaximumWidthIntegralType extends IntegralUnderlyingUserType { }
+
 /**
  * A C/C++ maximum-width numeric type, either `intmax_t` or `uintmax_t`.
  */
-abstract private class TMaximumWidthIntegralType extends IntegralUnderlyingUserType { }
-
 class MaximumWidthIntegralType extends TMaximumWidthIntegralType {
   MaximumWidthIntegralType() { this instanceof TMaximumWidthIntegralType }
 }

From 3869ab76d137619aa0d1f2e39c02388d62c81b35 Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Fri, 11 Jun 2021 20:20:22 +0000
Subject: [PATCH 1414/1429] Python: Promote shared type tracking library

This was slightly messier than anticipated, as I hadn't accounted for
the dozen uses of `startInAttr` in our codebase. To circumvent this,
I decided to put the type tracking implementation in the `internal`
directory, and wrap it with a file that ensures the old interface still
works.
---
 .../python/dataflow/new/TypeTracker.qll       | 453 +-----------------
 .../dataflow/new/internal}/TypeTracker.qll    |   0
 .../new/internal}/TypeTrackerSpecific.qll     |   0
 3 files changed, 15 insertions(+), 438 deletions(-)
 rename python/ql/src/{experimental/typetracking => semmle/python/dataflow/new/internal}/TypeTracker.qll (100%)
 rename python/ql/src/{experimental/typetracking => semmle/python/dataflow/new/internal}/TypeTrackerSpecific.qll (100%)

diff --git a/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll b/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll
index 5dc7bb85b06..d683ece7bac 100644
--- a/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll
+++ b/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll
@@ -1,461 +1,38 @@
-/** Step Summaries and Type Tracking */
+/**
+ * This file acts as a wrapper for `internal.TypeTracker`, exposing some of the functionality with
+ * names that are more appropriate for Python.
+ */
 
 private import python
-private import internal.DataFlowPublic
-private import internal.DataFlowPrivate
+private import internal.TypeTracker as Internal
 
 /** Any string that may appear as the name of an attribute or access path. */
-class AttributeName extends string {
-  AttributeName() { this = any(AttrRef a).getAttributeName() }
-}
+class AttributeName = Internal::ContentName;
 
 /** Either an attribute name, or the empty string (representing no attribute). */
-class OptionalAttributeName extends string {
-  OptionalAttributeName() { this instanceof AttributeName or this = "" }
-}
-
-/**
- * A description of a step on an inter-procedural data flow path.
- */
-private newtype TStepSummary =
-  LevelStep() or
-  CallStep() or
-  ReturnStep() or
-  StoreStep(AttributeName attr) or
-  LoadStep(AttributeName attr)
-
-/**
- * INTERNAL: Use `TypeTracker` or `TypeBackTracker` instead.
- *
- * A description of a step on an inter-procedural data flow path.
- */
-class StepSummary extends TStepSummary {
-  /** Gets a textual representation of this step summary. */
-  string toString() {
-    this instanceof LevelStep and result = "level"
-    or
-    this instanceof CallStep and result = "call"
-    or
-    this instanceof ReturnStep and result = "return"
-    or
-    exists(string attr | this = StoreStep(attr) | result = "store " + attr)
-    or
-    exists(string attr | this = LoadStep(attr) | result = "load " + attr)
-  }
-}
-
-/** Provides predicates for updating step summaries (`StepSummary`s). */
-module StepSummary {
-  /**
-   * Gets the summary that corresponds to having taken a forwards
-   * heap and/or inter-procedural step from `nodeFrom` to `nodeTo`.
-   */
-  cached
-  predicate step(LocalSourceNode nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
-    exists(Node mid | nodeFrom.flowsTo(mid) and smallstep(mid, nodeTo, summary))
-  }
-
-  /**
-   * Gets the summary that corresponds to having taken a forwards
-   * local, heap and/or inter-procedural step from `nodeFrom` to `nodeTo`.
-   *
-   * Unlike `StepSummary::step`, this predicate does not compress
-   * type-preserving steps.
-   */
-  predicate smallstep(Node nodeFrom, Node nodeTo, StepSummary summary) {
-    jumpStep(nodeFrom, nodeTo) and
-    summary = LevelStep()
-    or
-    callStep(nodeFrom, nodeTo) and summary = CallStep()
-    or
-    returnStep(nodeFrom, nodeTo) and
-    summary = ReturnStep()
-    or
-    exists(string attr |
-      basicStoreStep(nodeFrom, nodeTo, attr) and
-      summary = StoreStep(attr)
-      or
-      basicLoadStep(nodeFrom, nodeTo, attr) and summary = LoadStep(attr)
-    )
-  }
-}
-
-/**
- * Gets a callable for the call where `nodeFrom` is used as the `i`'th argument.
- *
- * Helper predicate to avoid bad join order experienced in `callStep`.
- * This happened when `isParameterOf` was joined _before_ `getCallable`.
- */
-pragma[nomagic]
-private DataFlowCallable getCallableForArgument(ArgumentNode nodeFrom, int i) {
-  exists(DataFlowCall call |
-    nodeFrom.argumentOf(call, i) and
-    result = call.getCallable()
-  )
-}
-
-/** Holds if `nodeFrom` steps to `nodeTo` by being passed as a parameter in a call. */
-predicate callStep(ArgumentNode nodeFrom, ParameterNode nodeTo) {
-  // TODO: Support special methods?
-  exists(DataFlowCallable callable, int i |
-    callable = getCallableForArgument(nodeFrom, i) and
-    nodeTo.isParameterOf(callable, i)
-  )
-}
-
-/** Holds if `nodeFrom` steps to `nodeTo` by being returned from a call. */
-predicate returnStep(ReturnNode nodeFrom, Node nodeTo) {
-  exists(DataFlowCall call |
-    nodeFrom.getEnclosingCallable() = call.getCallable() and nodeTo.asCfgNode() = call.getNode()
-  )
-}
-
-/**
- * Holds if `nodeFrom` is being written to the `attr` attribute of the object in `nodeTo`.
- *
- * Note that the choice of `nodeTo` does not have to make sense "chronologically".
- * All we care about is whether the `attr` attribute of `nodeTo` can have a specific type,
- * and the assumption is that if a specific type appears here, then any access of that
- * particular attribute can yield something of that particular type.
- *
- * Thus, in an example such as
- *
- * ```python
- * def foo(y):
- *    x = Foo()
- *    bar(x)
- *    x.attr = y
- *    baz(x)
- *
- * def bar(x):
- *    z = x.attr
- * ```
- * for the attribute write `x.attr = y`, we will have `attr` being the literal string `"attr"`,
- * `nodeFrom` will be `y`, and `nodeTo` will be the object `Foo()` created on the first line of the
- * function. This means we will track the fact that `x.attr` can have the type of `y` into the
- * assignment to `z` inside `bar`, even though this attribute write happens _after_ `bar` is called.
- */
-predicate basicStoreStep(Node nodeFrom, LocalSourceNode nodeTo, string attr) {
-  exists(AttrWrite a |
-    a.mayHaveAttributeName(attr) and
-    nodeFrom = a.getValue() and
-    nodeTo.flowsTo(a.getObject())
-  )
-}
-
-/**
- * Holds if `nodeTo` is the result of accessing the `attr` attribute of `nodeFrom`.
- */
-predicate basicLoadStep(Node nodeFrom, Node nodeTo, string attr) {
-  exists(AttrRead a |
-    a.mayHaveAttributeName(attr) and
-    nodeFrom = a.getObject() and
-    nodeTo = a
-  )
-}
-
-/**
- * A utility class that is equivalent to `boolean` but does not require type joining.
- */
-private class Boolean extends boolean {
-  Boolean() { this = true or this = false }
-}
-
-private newtype TTypeTracker = MkTypeTracker(Boolean hasCall, OptionalAttributeName attr)
-
-/**
- * Summary of the steps needed to track a value to a given dataflow node.
- *
- * This can be used to track objects that implement a certain API in order to
- * recognize calls to that API. Note that type-tracking does not by itself provide a
- * source/sink relation, that is, it may determine that a node has a given type,
- * but it won't determine where that type came from.
- *
- * It is recommended that all uses of this type are written in the following form,
- * for tracking some type `myType`:
- * ```
- * private DataFlow::LocalSourceNode myType(DataFlow::TypeTracker t) {
- *   t.start() and
- *   result = < source of myType >
- *   or
- *   exists (DataFlow::TypeTracker t2 |
- *     result = myType(t2).track(t2, t)
- *   )
- * }
- *
- * DataFlow::Node myType() { myType(DataFlow::TypeTracker::end()).flowsTo(result) }
- * ```
- *
- * Instead of `result = myType(t2).track(t2, t)`, you can also use the equivalent
- * `t = t2.step(myType(t2), result)`. If you additionally want to track individual
- * intra-procedural steps, use `t = t2.smallstep(myCallback(t2), result)`.
- */
-class TypeTracker extends TTypeTracker {
-  Boolean hasCall;
-  OptionalAttributeName attr;
-
-  TypeTracker() { this = MkTypeTracker(hasCall, attr) }
-
-  /** Gets the summary resulting from appending `step` to this type-tracking summary. */
-  cached
-  TypeTracker append(StepSummary step) {
-    step = LevelStep() and result = this
-    or
-    step = CallStep() and result = MkTypeTracker(true, attr)
-    or
-    step = ReturnStep() and hasCall = false and result = this
-    or
-    step = LoadStep(attr) and result = MkTypeTracker(hasCall, "")
-    or
-    exists(string p | step = StoreStep(p) and attr = "" and result = MkTypeTracker(hasCall, p))
-  }
-
-  /** Gets a textual representation of this summary. */
-  string toString() {
-    exists(string withCall, string withAttr |
-      (if hasCall = true then withCall = "with" else withCall = "without") and
-      (if attr != "" then withAttr = " with attribute " + attr else withAttr = "") and
-      result = "type tracker " + withCall + " call steps" + withAttr
-    )
-  }
-
-  /**
-   * Holds if this is the starting point of type tracking.
-   */
-  predicate start() { hasCall = false and attr = "" }
+class OptionalAttributeName = Internal::OptionalContentName;
 
+class TypeTracker extends Internal::TypeTracker {
   /**
    * Holds if this is the starting point of type tracking, and the value starts in the attribute named `attrName`.
    * The type tracking only ends after the attribute has been loaded.
    */
-  predicate startInAttr(AttributeName attrName) { hasCall = false and attr = attrName }
-
-  /**
-   * Holds if this is the starting point of type tracking
-   * when tracking a parameter into a call, but not out of it.
-   */
-  predicate call() { hasCall = true and attr = "" }
-
-  /**
-   * Holds if this is the end point of type tracking.
-   */
-  predicate end() { attr = "" }
-
-  /**
-   * INTERNAL. DO NOT USE.
-   *
-   * Holds if this type has been tracked into a call.
-   */
-  boolean hasCall() { result = hasCall }
+  predicate startInAttr(string attrName) { this.startInContent(attrName) }
 
   /**
    * INTERNAL. DO NOT USE.
    *
    * Gets the attribute associated with this type tracker.
    */
-  string getAttr() { result = attr }
-
-  /**
-   * Gets a type tracker that starts where this one has left off to allow continued
-   * tracking.
-   *
-   * This predicate is only defined if the type has not been tracked into an attribute.
-   */
-  TypeTracker continue() { attr = "" and result = this }
-
-  /**
-   * Gets the summary that corresponds to having taken a forwards
-   * heap and/or inter-procedural step from `nodeFrom` to `nodeTo`.
-   */
-  pragma[inline]
-  TypeTracker step(LocalSourceNode nodeFrom, LocalSourceNode nodeTo) {
-    exists(StepSummary summary |
-      StepSummary::step(nodeFrom, pragma[only_bind_out](nodeTo), pragma[only_bind_into](summary)) and
-      result = this.append(pragma[only_bind_into](summary))
-    )
-  }
-
-  /**
-   * Gets the summary that corresponds to having taken a forwards
-   * local, heap and/or inter-procedural step from `nodeFrom` to `nodeTo`.
-   *
-   * Unlike `TypeTracker::step`, this predicate exposes all edges
-   * in the flow graph, and not just the edges between `Node`s.
-   * It may therefore be less performant.
-   *
-   * Type tracking predicates using small steps typically take the following form:
-   * ```ql
-   * DataFlow::Node myType(DataFlow::TypeTracker t) {
-   *   t.start() and
-   *   result = < source of myType >
-   *   or
-   *   exists (DataFlow::TypeTracker t2 |
-   *     t = t2.smallstep(myType(t2), result)
-   *   )
-   * }
-   *
-   * DataFlow::Node myType() {
-   *   result = myType(DataFlow::TypeTracker::end())
-   * }
-   * ```
-   */
-  pragma[inline]
-  TypeTracker smallstep(Node nodeFrom, Node nodeTo) {
-    exists(StepSummary summary |
-      StepSummary::smallstep(nodeFrom, nodeTo, summary) and
-      result = this.append(summary)
-    )
-    or
-    simpleLocalFlowStep(nodeFrom, nodeTo) and
-    result = this
-  }
+  string getAttr() { result = this.getContent() }
 }
 
-/** Provides predicates for implementing custom `TypeTracker`s. */
-module TypeTracker {
-  /**
-   * Gets a valid end point of type tracking.
-   */
-  TypeTracker end() { result.end() }
-}
+module TypeTracker = Internal::TypeTracker;
 
-private newtype TTypeBackTracker = MkTypeBackTracker(Boolean hasReturn, OptionalAttributeName attr)
+class StepSummary = Internal::StepSummary;
 
-/**
- * Summary of the steps needed to back-track a use of a value to a given dataflow node.
- *
- * This can for example be used to track callbacks that are passed to a certain API,
- * so we can model specific parameters of that callback as having a certain type.
- *
- * Note that type back-tracking does not provide a source/sink relation, that is,
- * it may determine that a node will be used in an API call somewhere, but it won't
- * determine exactly where that use was, or the path that led to the use.
- *
- * It is recommended that all uses of this type are written in the following form,
- * for back-tracking some callback type `myCallback`:
- *
- * ```
- * private DataFlow::LocalSourceNode myCallback(DataFlow::TypeBackTracker t) {
- *   t.start() and
- *   result = (< some API call >).getArgument(< n >).getALocalSource()
- *   or
- *   exists (DataFlow::TypeBackTracker t2 |
- *     result = myCallback(t2).backtrack(t2, t)
- *   )
- * }
- *
- * DataFlow::LocalSourceNode myCallback() { result = myCallback(DataFlow::TypeBackTracker::end()) }
- * ```
- *
- * Instead of `result = myCallback(t2).backtrack(t2, t)`, you can also use the equivalent
- * `t2 = t.step(result, myCallback(t2))`. If you additionally want to track individual
- * intra-procedural steps, use `t2 = t.smallstep(result, myCallback(t2))`.
- */
-class TypeBackTracker extends TTypeBackTracker {
-  Boolean hasReturn;
-  string attr;
+module StepSummary = Internal::StepSummary;
 
-  TypeBackTracker() { this = MkTypeBackTracker(hasReturn, attr) }
+class TypeBackTracker = Internal::TypeBackTracker;
 
-  /** Gets the summary resulting from prepending `step` to this type-tracking summary. */
-  TypeBackTracker prepend(StepSummary step) {
-    step = LevelStep() and result = this
-    or
-    step = CallStep() and hasReturn = false and result = this
-    or
-    step = ReturnStep() and result = MkTypeBackTracker(true, attr)
-    or
-    exists(string p | step = LoadStep(p) and attr = "" and result = MkTypeBackTracker(hasReturn, p))
-    or
-    step = StoreStep(attr) and result = MkTypeBackTracker(hasReturn, "")
-  }
-
-  /** Gets a textual representation of this summary. */
-  string toString() {
-    exists(string withReturn, string withAttr |
-      (if hasReturn = true then withReturn = "with" else withReturn = "without") and
-      (if attr != "" then withAttr = " with attribute " + attr else withAttr = "") and
-      result = "type back-tracker " + withReturn + " return steps" + withAttr
-    )
-  }
-
-  /**
-   * Holds if this is the starting point of type tracking.
-   */
-  predicate start() { hasReturn = false and attr = "" }
-
-  /**
-   * Holds if this is the end point of type tracking.
-   */
-  predicate end() { attr = "" }
-
-  /**
-   * INTERNAL. DO NOT USE.
-   *
-   * Holds if this type has been back-tracked into a call through return edge.
-   */
-  boolean hasReturn() { result = hasReturn }
-
-  /**
-   * Gets a type tracker that starts where this one has left off to allow continued
-   * tracking.
-   *
-   * This predicate is only defined if the type has not been tracked into an attribute.
-   */
-  TypeBackTracker continue() { attr = "" and result = this }
-
-  /**
-   * Gets the summary that corresponds to having taken a backwards
-   * heap and/or inter-procedural step from `nodeTo` to `nodeFrom`.
-   */
-  pragma[inline]
-  TypeBackTracker step(LocalSourceNode nodeFrom, LocalSourceNode nodeTo) {
-    exists(StepSummary summary |
-      StepSummary::step(pragma[only_bind_out](nodeFrom), nodeTo, pragma[only_bind_into](summary)) and
-      this = result.prepend(pragma[only_bind_into](summary))
-    )
-  }
-
-  /**
-   * Gets the summary that corresponds to having taken a backwards
-   * local, heap and/or inter-procedural step from `nodeTo` to `nodeFrom`.
-   *
-   * Unlike `TypeBackTracker::step`, this predicate exposes all edges
-   * in the flowgraph, and not just the edges between
-   * `LocalSourceNode`s. It may therefore be less performant.
-   *
-   * Type tracking predicates using small steps typically take the following form:
-   * ```ql
-   * DataFlow::Node myType(DataFlow::TypeBackTracker t) {
-   *   t.start() and
-   *   result = < some API call >.getArgument(< n >)
-   *   or
-   *   exists (DataFlow::TypeBackTracker t2 |
-   *     t = t2.smallstep(result, myType(t2))
-   *   )
-   * }
-   *
-   * DataFlow::Node myType() {
-   *   result = myType(DataFlow::TypeBackTracker::end())
-   * }
-   * ```
-   */
-  pragma[inline]
-  TypeBackTracker smallstep(Node nodeFrom, Node nodeTo) {
-    exists(StepSummary summary |
-      StepSummary::smallstep(nodeFrom, nodeTo, summary) and
-      this = result.prepend(summary)
-    )
-    or
-    simpleLocalFlowStep(nodeFrom, nodeTo) and
-    this = result
-  }
-}
-
-/** Provides predicates for implementing custom `TypeBackTracker`s. */
-module TypeBackTracker {
-  /**
-   * Gets a valid end point of type back-tracking.
-   */
-  TypeBackTracker end() { result.end() }
-}
+module TypeBackTracker = Internal::TypeBackTracker;
diff --git a/python/ql/src/experimental/typetracking/TypeTracker.qll b/python/ql/src/semmle/python/dataflow/new/internal/TypeTracker.qll
similarity index 100%
rename from python/ql/src/experimental/typetracking/TypeTracker.qll
rename to python/ql/src/semmle/python/dataflow/new/internal/TypeTracker.qll
diff --git a/python/ql/src/experimental/typetracking/TypeTrackerSpecific.qll b/python/ql/src/semmle/python/dataflow/new/internal/TypeTrackerSpecific.qll
similarity index 100%
rename from python/ql/src/experimental/typetracking/TypeTrackerSpecific.qll
rename to python/ql/src/semmle/python/dataflow/new/internal/TypeTrackerSpecific.qll

From 8016715fb6a1c215baae9e798a15ed6ab35c5c2d Mon Sep 17 00:00:00 2001
From: Taus <tausbn@github.com>
Date: Fri, 11 Jun 2021 20:35:58 +0000
Subject: [PATCH 1415/1429] Python: Add missing QLDoc

---
 .../python/dataflow/new/TypeTracker.qll       | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll b/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll
index d683ece7bac..be44d184b1f 100644
--- a/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll
+++ b/python/ql/src/semmle/python/dataflow/new/TypeTracker.qll
@@ -12,6 +12,33 @@ class AttributeName = Internal::ContentName;
 /** Either an attribute name, or the empty string (representing no attribute). */
 class OptionalAttributeName = Internal::OptionalContentName;
 
+/**
+ * Summary of the steps needed to track a value to a given dataflow node.
+ *
+ * This can be used to track objects that implement a certain API in order to
+ * recognize calls to that API. Note that type-tracking does not by itself provide a
+ * source/sink relation, that is, it may determine that a node has a given type,
+ * but it won't determine where that type came from.
+ *
+ * It is recommended that all uses of this type are written in the following form,
+ * for tracking some type `myType`:
+ * ```ql
+ * DataFlow::LocalSourceNode myType(DataFlow::TypeTracker t) {
+ *   t.start() and
+ *   result = < source of myType >
+ *   or
+ *   exists (DataFlow::TypeTracker t2 |
+ *     result = myType(t2).track(t2, t)
+ *   )
+ * }
+ *
+ * DataFlow::LocalSourceNode myType() { myType(DataFlow::TypeTracker::end()) }
+ * ```
+ *
+ * Instead of `result = myType(t2).track(t2, t)`, you can also use the equivalent
+ * `t = t2.step(myType(t2), result)`. If you additionally want to track individual
+ * intra-procedural steps, use `t = t2.smallstep(myCallback(t2), result)`.
+ */
 class TypeTracker extends Internal::TypeTracker {
   /**
    * Holds if this is the starting point of type tracking, and the value starts in the attribute named `attrName`.

From 60b466981339279c5f0f512897484a4d04dcd80d Mon Sep 17 00:00:00 2001
From: Felicity Chapman <felicitymay@github.com>
Date: Mon, 14 Jun 2021 08:41:28 +0100
Subject: [PATCH 1416/1429] Remove sentence about legacy tools

---
 .../ql-language-reference/ql-language-specification.rst       | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/docs/codeql/ql-language-reference/ql-language-specification.rst b/docs/codeql/ql-language-reference/ql-language-specification.rst
index bfe78669c7b..bd305bdbadc 100644
--- a/docs/codeql/ql-language-reference/ql-language-specification.rst
+++ b/docs/codeql/ql-language-reference/ql-language-specification.rst
@@ -69,9 +69,7 @@ of the active database schema (for example, ``<queries
 language="java"/>``).
 
 A ``qlpack.yml`` file defines a :ref:`QL pack <about-ql-packs>`.
-The content of a ``qlpack.yml`` file is described in the CodeQL CLI documentation. This file
-will not be recognized when using legacy tools that are not based
-on the CodeQL CLI (that is, LGTM.com and LGTM Enterprise).
+The content of a ``qlpack.yml`` file is described in the CodeQL CLI documentation.
 
 If both a ``queries.xml`` and a ``qlpack.yml`` exist in the same
 directory, the latter takes precedence (and the former is assumed to

From 36cb2076005bb2fae85b1d8d1c21ee9f3fe19276 Mon Sep 17 00:00:00 2001
From: Joe Farebrother <joefarebrother@github.com>
Date: Mon, 14 Jun 2021 11:20:07 +0100
Subject: [PATCH 1417/1429] Increase precision of tests to test value flow

---
 .../code/java/frameworks/guava/Base.qll       |  9 ++---
 .../frameworks/guava/TestBase.java            | 34 +++++++++---------
 .../frameworks/guava/TestIO.java              |  2 +-
 .../library-tests/frameworks/guava/flow.ql    | 35 ++++++++++++++++---
 4 files changed, 53 insertions(+), 27 deletions(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/guava/Base.qll b/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
index bd3c2d47689..cb34d3da7ed 100644
--- a/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
+++ b/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
@@ -51,7 +51,7 @@ private class GuavaBaseCsv extends SummaryModelCsv {
         "com.google.common.base;Splitter;false;splitToStream;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Splitter$MapSplitter;false;split;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Preconditions;false;checkNotNull;;;Argument[0];ReturnValue;value",
-        "com.google.common.base;Verify;false;verifyNotNull;;;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Verify;false;verifyNotNull;;;Argument[0];ReturnValue;value",
         "com.google.common.base;Ascii;false;toLowerCase;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Ascii;false;toLowerCase;(String);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Ascii;false;toUpperCase;(CharSequence);;Argument[0];ReturnValue;taint",
@@ -72,9 +72,10 @@ private class GuavaBaseCsv extends SummaryModelCsv {
         "com.google.common.base;Optional;true;get;();;Element of Argument[-1];ReturnValue;value",
         "com.google.common.base;Optional;true;asSet;();;Element of Argument[-1];Element of ReturnValue;value",
         "com.google.common.base;Optional;true;of;(Object);;Argument[0];Element of ReturnValue;value",
-        "com.google.common.base;Optional;true;or;;;Element of Argument[-1];ReturnValue;value",
-        "com.google.common.base;Optional;true;or;(Optional);;Element of Argument[0];ReturnValue;value",
-        "com.google.common.base;Optional;true;or;(Supplier);;Argument[0];ReturnValue;value",
+        "com.google.common.base;Optional;true;or;(Optional);;Element of Argument[-1..0];Element of ReturnValue;value",
+        "com.google.common.base;Optional;true;or;(Supplier);;Element of Argument[-1];ReturnValue;value",
+        "com.google.common.base;Optional;true;or;(Supplier);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Optional;true;or;(Object);;Element of Argument[-1];ReturnValue;value",
         "com.google.common.base;Optional;true;or;(Object);;Argument[0];ReturnValue;value",
         "com.google.common.base;Optional;true;orNull;();;Element of Argument[-1];ReturnValue;value",
         "com.google.common.base;Optional;true;presentInstances;(Iterable);;Element of Element of Argument[0];Element of ReturnValue;value",
diff --git a/java/ql/test/library-tests/frameworks/guava/TestBase.java b/java/ql/test/library-tests/frameworks/guava/TestBase.java
index ed3654f9de5..fb197c959ca 100644
--- a/java/ql/test/library-tests/frameworks/guava/TestBase.java
+++ b/java/ql/test/library-tests/frameworks/guava/TestBase.java
@@ -3,6 +3,7 @@ package com.google.common.base;
 import java.util.Map;
 import java.util.HashMap;
 import java.util.concurrent.TimeUnit;
+import java.util.Set;
 
 class TestBase {
     String taint() { return "tainted"; }
@@ -15,7 +16,7 @@ class TestBase {
         sink(Strings.padStart(x, 10, ' ')); // $numTaintFlow=1
         sink(Strings.padEnd(x, 10, ' ')); // $numTaintFlow=1
         sink(Strings.repeat(x, 3)); // $numTaintFlow=1
-        sink(Strings.emptyToNull(Strings.nullToEmpty(x))); // $numTaintFlow=1
+        sink(Strings.emptyToNull(Strings.nullToEmpty(x))); // $numValueFlow=1
         sink(Strings.lenientFormat(x, 3)); // $numTaintFlow=1
         sink(Strings.commonPrefix(x, "abc")); 
         sink(Strings.commonSuffix(x, "cde")); 
@@ -59,8 +60,8 @@ class TestBase {
     }
 
     void test4() {
-        sink(Preconditions.checkNotNull(taint())); // $numTaintFlow=1
-        sink(Verify.verifyNotNull(taint())); // $numTaintFlow=1
+        sink(Preconditions.checkNotNull(taint())); // $numValueFlow=1
+        sink(Verify.verifyNotNull(taint())); // $numValueFlow=1
     }
 
     void test5() {
@@ -78,9 +79,9 @@ class TestBase {
     }
 
     void test7() {
-        sink(MoreObjects.firstNonNull(taint(), taint())); // $numTaintFlow=2
-        sink(MoreObjects.firstNonNull(null, taint())); // $numTaintFlow=1
-        sink(MoreObjects.firstNonNull(taint(), null)); // $numTaintFlow=1
+        sink(MoreObjects.firstNonNull(taint(), taint())); // $numValueFlow=2
+        sink(MoreObjects.firstNonNull(null, taint())); // $numValueFlow=1
+        sink(MoreObjects.firstNonNull(taint(), null)); // $numValueFlow=1
         sink(MoreObjects.toStringHelper(taint()).add("x", 3).omitNullValues().toString()); // $numTaintFlow=1
         sink(MoreObjects.toStringHelper((Object) taint()).toString());
         sink(MoreObjects.toStringHelper("a").add("x", 3).add(taint(), 4).toString()); // $numTaintFlow=1
@@ -94,16 +95,15 @@ class TestBase {
     void test8() {
         Optional<String> x = Optional.of(taint());
         sink(x); // $numTaintFlow=1
-        sink(x.get()); // $numTaintFlow=1
-        sink(x.or("hi")); // $numTaintFlow=1
-        sink(x.orNull()); // $numTaintFlow=1
-        sink(x.asSet()); // $numTaintFlow=1
-        sink(Optional.fromJavaUtil(x.toJavaUtil())); // $numTaintFlow=1
-        sink(Optional.fromJavaUtil(Optional.toJavaUtil(x))); // $numTaintFlow=1
-        sink(x.asSet()); // $numTaintFlow=1
-        sink(Optional.fromNullable(taint())); // $numTaintFlow=1
-        sink(Optional.absent().or(x)); // $numTaintFlow=1
-        sink(Optional.absent().or(taint())); // $numTaintFlow=1
-        sink(Optional.presentInstances(Optional.of(x).asSet())); // $numTaintFlow=1
+        sink(x.get()); // $numValueFlow=1
+        sink(x.or("hi")); // $numValueFlow=1
+        sink(x.orNull()); // $numValueFlow=1
+        sink(x.asSet().toArray()[0]); // $numValueFlow=1
+        sink(Optional.fromJavaUtil(x.toJavaUtil()).get()); // $numValueFlow=1
+        sink(Optional.fromJavaUtil(Optional.toJavaUtil(x)).get()); // $numValueFlow=1
+        sink(Optional.fromNullable(taint()).get()); // $numValueFlow=1
+        sink(Optional.absent().or(x).get()); // $numValueFlow=1
+        sink(Optional.absent().or(taint())); // $numValueFlow=1
+        sink(Optional.presentInstances(Set.of(x)).iterator().next()); // $numValueFlow=1
     }
 }
diff --git a/java/ql/test/library-tests/frameworks/guava/TestIO.java b/java/ql/test/library-tests/frameworks/guava/TestIO.java
index 685f18cc807..9871b49ac0f 100644
--- a/java/ql/test/library-tests/frameworks/guava/TestIO.java
+++ b/java/ql/test/library-tests/frameworks/guava/TestIO.java
@@ -106,7 +106,7 @@ class TestIO {
     }
 
     void test4() throws IOException {
-        sink(Closer.create().register((Closeable) taint())); // $numTaintFlow=1
+        sink(Closer.create().register((Closeable) taint())); // $numValueFlow=1
         sink(new LineReader(rtaint()).readLine()); // $numTaintFlow=1
         sink(Files.simplifyPath(staint())); // $numTaintFlow=1
         sink(Files.getFileExtension(staint())); // $numTaintFlow=1
diff --git a/java/ql/test/library-tests/frameworks/guava/flow.ql b/java/ql/test/library-tests/frameworks/guava/flow.ql
index cdab4fcb3e6..2c65808f15c 100644
--- a/java/ql/test/library-tests/frameworks/guava/flow.ql
+++ b/java/ql/test/library-tests/frameworks/guava/flow.ql
@@ -2,8 +2,20 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import TestUtilities.InlineExpectationsTest
 
-class Conf extends TaintTracking::Configuration {
-  Conf() { this = "qltest:frameworks:guava" }
+class TaintFlowConf extends TaintTracking::Configuration {
+  TaintFlowConf() { this = "qltest:frameworks:guava-taint" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+  }
+}
+
+class ValueFlowConf extends DataFlow::Configuration {
+  ValueFlowConf() { this = "qltest:frameworks:guava-value" }
 
   override predicate isSource(DataFlow::Node n) {
     n.asExpr().(MethodAccess).getMethod().hasName("taint")
@@ -17,15 +29,28 @@ class Conf extends TaintTracking::Configuration {
 class HasFlowTest extends InlineExpectationsTest {
   HasFlowTest() { this = "HasFlowTest" }
 
-  override string getARelevantTag() { result = "numTaintFlow" }
+  override string getARelevantTag() { result = ["numTaintFlow", "numValueFlow"] }
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "numTaintFlow" and
-    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf, int num | conf.hasFlow(src, sink) |
+    exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf tconf, int num |
+      tconf.hasFlow(src, sink)
+    |
+      not any(ValueFlowConf vconf).hasFlow(src, sink) and
       value = num.toString() and
       sink.getLocation() = location and
       element = sink.toString() and
-      num = strictcount(DataFlow::Node src2 | conf.hasFlow(src2, sink))
+      num = strictcount(DataFlow::Node src2 | tconf.hasFlow(src2, sink))
+    )
+    or
+    tag = "numValueFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf vconf, int num |
+      vconf.hasFlow(src, sink)
+    |
+      value = num.toString() and
+      sink.getLocation() = location and
+      element = sink.toString() and
+      num = strictcount(DataFlow::Node src2 | vconf.hasFlow(src2, sink))
     )
   }
 }

From bc375196d114bc573e6b13324ec29d9d6395ed9b Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 14 Jun 2021 13:40:53 +0200
Subject: [PATCH 1418/1429] JS: Extract script tags with lang=tsx

---
 .../semmle/js/extractor/HTMLExtractor.java    |  2 +-
 .../TypeScript/EmbeddedInScript/Test.expected | 24 ++++++++++++++-----
 .../TypeScript/EmbeddedInScript/other.ts      |  2 ++
 .../TypeScript/EmbeddedInScript/test_tsx.vue  |  6 +++++
 4 files changed, 27 insertions(+), 7 deletions(-)
 create mode 100644 javascript/ql/test/library-tests/TypeScript/EmbeddedInScript/test_tsx.vue

diff --git a/javascript/extractor/src/com/semmle/js/extractor/HTMLExtractor.java b/javascript/extractor/src/com/semmle/js/extractor/HTMLExtractor.java
index 004cd893d27..0e6cd756433 100644
--- a/javascript/extractor/src/com/semmle/js/extractor/HTMLExtractor.java
+++ b/javascript/extractor/src/com/semmle/js/extractor/HTMLExtractor.java
@@ -271,7 +271,7 @@ public class HTMLExtractor implements IExtractor {
 
   private boolean isTypeScriptTag(Element script) {
     String language = getScriptLanguage(script);
-    if ("ts".equals(language) || "typescript".equals(language)) return true;
+    if ("ts".equals(language) || "tsx".equals(language) || "typescript".equals(language)) return true;
     String type = getAttributeValueLC(script, "type");
     if (type != null && type.contains("typescript")) return true;
     return false;
diff --git a/javascript/ql/test/library-tests/TypeScript/EmbeddedInScript/Test.expected b/javascript/ql/test/library-tests/TypeScript/EmbeddedInScript/Test.expected
index d98eb712e00..9f9b7fc24ec 100644
--- a/javascript/ql/test/library-tests/TypeScript/EmbeddedInScript/Test.expected
+++ b/javascript/ql/test/library-tests/TypeScript/EmbeddedInScript/Test.expected
@@ -1,5 +1,6 @@
 classDeclaration
 | test.vue:3:18:5:3 | class M ... er;\\n  } |
+| test_tsx.vue:3:18:5:3 | class M ... er;\\n  } |
 exprType
 | htmlfile.html:4:22:4:24 | foo | () => void |
 | htmlfile.html:4:22:4:24 | foo | () => void |
@@ -10,17 +11,28 @@ exprType
 | htmlfile.html:5:26:5:42 | foo() as number[] | number[] |
 | other.ts:1:8:1:16 | Component | typeof default in library-tests/TypeScript/EmbeddedInScript/test.vue |
 | other.ts:1:23:1:34 | "./test.vue" | any |
-| other.ts:3:1:3:15 | new Component() | MyComponent |
-| other.ts:3:5:3:13 | Component | typeof default in library-tests/TypeScript/EmbeddedInScript/test.vue |
-| other.ts:5:17:5:19 | foo | () => void |
+| other.ts:2:8:2:19 | ComponentTsx | typeof default in library-tests/TypeScript/EmbeddedInScript/test_tsx.vue |
+| other.ts:2:26:2:41 | "./test_tsx.vue" | any |
+| other.ts:4:1:4:15 | new Component() | MyComponent |
+| other.ts:4:5:4:13 | Component | typeof default in library-tests/TypeScript/EmbeddedInScript/test.vue |
+| other.ts:5:1:5:18 | new ComponentTsx() | MyComponentTsx |
+| other.ts:5:5:5:16 | ComponentTsx | typeof default in library-tests/TypeScript/EmbeddedInScript/test_tsx.vue |
+| other.ts:7:17:7:19 | foo | () => void |
 | test.vue:2:15:2:19 | other | typeof library-tests/TypeScript/EmbeddedInScript/other.ts |
 | test.vue:2:26:2:34 | "./other" | any |
 | test.vue:3:24:3:34 | MyComponent | MyComponent |
 | test.vue:4:7:4:7 | x | number |
+| test_tsx.vue:2:15:2:19 | other | typeof library-tests/TypeScript/EmbeddedInScript/other.ts |
+| test_tsx.vue:2:26:2:34 | "./other" | any |
+| test_tsx.vue:3:24:3:37 | MyComponentTsx | MyComponentTsx |
+| test_tsx.vue:4:7:4:7 | x | number |
 symbols
-| other.ts:1:1:6:0 | <toplevel> | library-tests/TypeScript/EmbeddedInScript/other.ts |
+| other.ts:1:1:8:0 | <toplevel> | library-tests/TypeScript/EmbeddedInScript/other.ts |
 | test.vue:2:3:6:0 | <toplevel> | library-tests/TypeScript/EmbeddedInScript/test.vue |
+| test_tsx.vue:2:3:6:0 | <toplevel> | library-tests/TypeScript/EmbeddedInScript/test_tsx.vue |
 importTarget
-| htmlfile.html:4:13:4:42 | import  ... other"; | other.ts:1:1:6:0 | <toplevel> |
+| htmlfile.html:4:13:4:42 | import  ... other"; | other.ts:1:1:8:0 | <toplevel> |
 | other.ts:1:1:1:35 | import  ... t.vue"; | test.vue:2:3:6:0 | <toplevel> |
-| test.vue:2:3:2:35 | import  ... other"; | other.ts:1:1:6:0 | <toplevel> |
+| other.ts:2:1:2:42 | import  ... x.vue"; | test_tsx.vue:2:3:6:0 | <toplevel> |
+| test.vue:2:3:2:35 | import  ... other"; | other.ts:1:1:8:0 | <toplevel> |
+| test_tsx.vue:2:3:2:35 | import  ... other"; | other.ts:1:1:8:0 | <toplevel> |
diff --git a/javascript/ql/test/library-tests/TypeScript/EmbeddedInScript/other.ts b/javascript/ql/test/library-tests/TypeScript/EmbeddedInScript/other.ts
index 9dfd9d98838..17cfb9f4bfa 100644
--- a/javascript/ql/test/library-tests/TypeScript/EmbeddedInScript/other.ts
+++ b/javascript/ql/test/library-tests/TypeScript/EmbeddedInScript/other.ts
@@ -1,5 +1,7 @@
 import Component from "./test.vue";
+import ComponentTsx from "./test_tsx.vue";
 
 new Component();
+new ComponentTsx();
 
 export function foo() {};
diff --git a/javascript/ql/test/library-tests/TypeScript/EmbeddedInScript/test_tsx.vue b/javascript/ql/test/library-tests/TypeScript/EmbeddedInScript/test_tsx.vue
new file mode 100644
index 00000000000..b9313c903f1
--- /dev/null
+++ b/javascript/ql/test/library-tests/TypeScript/EmbeddedInScript/test_tsx.vue
@@ -0,0 +1,6 @@
+<script lang='tsx'>
+  import * as other from "./other";
+  export default class MyComponentTsx {
+      x!: number;
+  }
+</script>

From c58942092f1467a2ec5b5a2bb91d59989e79f8fa Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 14 Jun 2021 13:43:11 +0200
Subject: [PATCH 1419/1429] JS: Add change note

---
 javascript/change-notes/2021-06-14-script-with-tsx-lang.md | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 javascript/change-notes/2021-06-14-script-with-tsx-lang.md

diff --git a/javascript/change-notes/2021-06-14-script-with-tsx-lang.md b/javascript/change-notes/2021-06-14-script-with-tsx-lang.md
new file mode 100644
index 00000000000..9457f0c3a6f
--- /dev/null
+++ b/javascript/change-notes/2021-06-14-script-with-tsx-lang.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Script tags with the `lang="tsx"` attribute are now recognized as containing TypeScript code
+  and are analyzed accordingly.

From d19bc1252b65f8405e56e787bf829706d75577ab Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Mon, 14 Jun 2021 15:06:42 +0200
Subject: [PATCH 1420/1429] Python: limit size of `extraStepForCalls` predicate

On django/django, this reduced the number of results in
`extraStepForCalls` from 201,283 to 541
---
 .../dataflow/new/SensitiveDataSources.qll     | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
index a812b48ba74..de2ccbd5b84 100644
--- a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
+++ b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
@@ -115,6 +115,25 @@ private module SensitiveDataModeling {
     override SensitiveDataClassification getClassification() { result = classification }
   }
 
+  /**
+   * Tracks any modeled source of sensitive data (with any classification),
+   * to limit the scope of `extraStepForCalls`. See it's QLDoc for more context.
+   */
+  private DataFlow::LocalSourceNode possibleSensitiveCallable(DataFlow::TypeTracker t) {
+    t.start() and
+    result instanceof SensitiveDataSource
+    or
+    exists(DataFlow::TypeTracker t2 | result = possibleSensitiveCallable(t2).track(t2, t))
+  }
+
+  /**
+   * Tracks any modeled source of sensitive data (with any classification),
+   * to limit the scope of `extraStepForCalls`. See it's QLDoc for more context.
+   */
+  private DataFlow::Node possibleSensitiveCallable() {
+    possibleSensitiveCallable(DataFlow::TypeTracker::end()).flowsTo(result)
+  }
+
   /**
    * Holds if the step from `nodeFrom` to `nodeTo` should be considered a
    * taint-flow step for sensitive-data, to ensure calls are handled correctly.
@@ -147,7 +166,10 @@ private module SensitiveDataModeling {
    * ```
    */
   predicate extraStepForCalls(DataFlow::Node nodeFrom, DataFlow::CallCfgNode nodeTo) {
-    nodeTo.getFunction() = nodeFrom
+    // However, we do still use the type-tracking approach to limit the size of this
+    // predicate.
+    nodeTo.getFunction() = nodeFrom and
+    nodeFrom = possibleSensitiveCallable()
   }
 
   /**

From 6b63e032a9c88d2c6e9cf0e8b73099959dfe6701 Mon Sep 17 00:00:00 2001
From: Tom Hvitved <hvitved@github.com>
Date: Fri, 4 Jun 2021 14:57:02 +0200
Subject: [PATCH 1421/1429] C#: Populate labels earlier

---
 csharp/extractor/Semmle.Extraction/Context.cs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/csharp/extractor/Semmle.Extraction/Context.cs b/csharp/extractor/Semmle.Extraction/Context.cs
index b08fb98fc55..410b3c6980a 100644
--- a/csharp/extractor/Semmle.Extraction/Context.cs
+++ b/csharp/extractor/Semmle.Extraction/Context.cs
@@ -35,12 +35,14 @@ namespace Semmle.Extraction
         // A recursion guard against writing to the trap file whilst writing an id to the trap file.
         private bool writingLabel = false;
 
+        private readonly Queue<IEntity> labelQueue = new();
+
         protected void DefineLabel(IEntity entity)
         {
             if (writingLabel)
             {
                 // Don't define a label whilst writing a label.
-                PopulateLater(() => DefineLabel(entity));
+                labelQueue.Enqueue(entity);
             }
             else
             {
@@ -52,6 +54,10 @@ namespace Semmle.Extraction
                 finally
                 {
                     writingLabel = false;
+                    if (labelQueue.Any())
+                    {
+                        DefineLabel(labelQueue.Dequeue());
+                    }
                 }
             }
         }

From e71264d1d2255a46f88cbc1625baebf3097765d8 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 14 Jun 2021 16:03:16 +0100
Subject: [PATCH 1422/1429] C++: Lines of user code query.

---
 cpp/ql/src/Summary/LinesOfUserCode.ql | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 cpp/ql/src/Summary/LinesOfUserCode.ql

diff --git a/cpp/ql/src/Summary/LinesOfUserCode.ql b/cpp/ql/src/Summary/LinesOfUserCode.ql
new file mode 100644
index 00000000000..67d3aa6a8e0
--- /dev/null
+++ b/cpp/ql/src/Summary/LinesOfUserCode.ql
@@ -0,0 +1,17 @@
+/**
+ * @name Total lines of user written C/C++ code in the database
+ * @description The total number of lines of C/C++ code from the source code directory, excluding auto-generated files. This query counts the lines of code, excluding whitespace or comments. Note: If external libraries are included in the codebase either in a checked-in virtual environment or as vendored code, that will currently be counted as user written code.
+ * @kind metric
+ * @tags summary
+ *       lines-of-code
+ * @id cpp/summary/lines-of-user-code
+ */
+
+import cpp
+import semmle.code.cpp.AutogeneratedFile
+
+select sum(File f |
+    f.fromSource() and exists(f.getRelativePath()) and not f instanceof AutogeneratedFile
+  |
+    f.getMetrics().getNumberOfLinesOfCode()
+  )

From 1e1ae2797453b18cd36376a90785dce92bdaf1a3 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 14 Jun 2021 16:06:20 +0100
Subject: [PATCH 1423/1429] C++: Test the new query.

---
 cpp/ql/test/query-tests/Summary/LinesOfUserCode.expected | 1 +
 cpp/ql/test/query-tests/Summary/LinesOfUserCode.qlref    | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 cpp/ql/test/query-tests/Summary/LinesOfUserCode.expected
 create mode 100644 cpp/ql/test/query-tests/Summary/LinesOfUserCode.qlref

diff --git a/cpp/ql/test/query-tests/Summary/LinesOfUserCode.expected b/cpp/ql/test/query-tests/Summary/LinesOfUserCode.expected
new file mode 100644
index 00000000000..a75c288c151
--- /dev/null
+++ b/cpp/ql/test/query-tests/Summary/LinesOfUserCode.expected
@@ -0,0 +1 @@
+| 93 |
diff --git a/cpp/ql/test/query-tests/Summary/LinesOfUserCode.qlref b/cpp/ql/test/query-tests/Summary/LinesOfUserCode.qlref
new file mode 100644
index 00000000000..baaa947e6af
--- /dev/null
+++ b/cpp/ql/test/query-tests/Summary/LinesOfUserCode.qlref
@@ -0,0 +1 @@
+Summary/LinesOfUserCode.ql

From d7db18213de47288e25c3e5810b6f6f4cad909ae Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 14 Jun 2021 16:12:43 +0100
Subject: [PATCH 1424/1429] C++: Add a generated file to the test.

---
 cpp/ql/test/query-tests/Summary/LinesOfCode.expected |  2 +-
 cpp/ql/test/query-tests/Summary/generated-file.cpp   | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 cpp/ql/test/query-tests/Summary/generated-file.cpp

diff --git a/cpp/ql/test/query-tests/Summary/LinesOfCode.expected b/cpp/ql/test/query-tests/Summary/LinesOfCode.expected
index a75c288c151..8628859feb7 100644
--- a/cpp/ql/test/query-tests/Summary/LinesOfCode.expected
+++ b/cpp/ql/test/query-tests/Summary/LinesOfCode.expected
@@ -1 +1 @@
-| 93 |
+| 96 |
diff --git a/cpp/ql/test/query-tests/Summary/generated-file.cpp b/cpp/ql/test/query-tests/Summary/generated-file.cpp
new file mode 100644
index 00000000000..e15ecb227b9
--- /dev/null
+++ b/cpp/ql/test/query-tests/Summary/generated-file.cpp
@@ -0,0 +1,12 @@
+/**
+ * This file is generated by abc.xyz.  Do not edit!
+ *
+ * (except that this isn't really a generated file, but the above is the typical sort of comment
+ *  you see at the beginning of a true generated file).
+ */
+
+int generated_function() {
+	// ...
+
+	return 1;
+}

From 53bef94b753ef363be4abac51de509096ce3b14b Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Tue, 15 Jun 2021 09:34:54 +0200
Subject: [PATCH 1425/1429] JS: Extractor version bump

---
 javascript/extractor/src/com/semmle/js/extractor/Main.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/javascript/extractor/src/com/semmle/js/extractor/Main.java b/javascript/extractor/src/com/semmle/js/extractor/Main.java
index 5d417940d75..a86fa422c39 100644
--- a/javascript/extractor/src/com/semmle/js/extractor/Main.java
+++ b/javascript/extractor/src/com/semmle/js/extractor/Main.java
@@ -43,7 +43,7 @@ public class Main {
    * A version identifier that should be updated every time the extractor changes in such a way that
    * it may produce different tuples for the same file under the same {@link ExtractorConfig}.
    */
-  public static final String EXTRACTOR_VERSION = "2021-05-31";
+  public static final String EXTRACTOR_VERSION = "2021-06-15";
 
   public static final Pattern NEWLINE = Pattern.compile("\n");
 

From b154f034cb8a1af5de446407f33ac5cc5414cd8b Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 15 Jun 2021 12:55:52 +0200
Subject: [PATCH 1426/1429] Python: Fix names of supported PyPI packages

---
 docs/codeql/support/reusables/frameworks.rst                | 3 ++-
 python/ql/src/semmle/python/frameworks/MySQLdb.qll          | 6 ++++--
 .../src/semmle/python/frameworks/MysqlConnectorPython.qll   | 6 ++++--
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/docs/codeql/support/reusables/frameworks.rst b/docs/codeql/support/reusables/frameworks.rst
index d39b85931ce..0205c4b2df9 100644
--- a/docs/codeql/support/reusables/frameworks.rst
+++ b/docs/codeql/support/reusables/frameworks.rst
@@ -166,7 +166,8 @@ Python built-in support
    multidict, Utility library
    yarl, Utility library
    mysql-connector-python, Database
-   MySQLdb, Database
+   mysql-connector, Database
+   MySQL-python, Database
    psycopg2, Database
    sqlite3, Database
    cryptography, Cryptography library
diff --git a/python/ql/src/semmle/python/frameworks/MySQLdb.qll b/python/ql/src/semmle/python/frameworks/MySQLdb.qll
index 4f9c799d640..5f10cdc0c84 100644
--- a/python/ql/src/semmle/python/frameworks/MySQLdb.qll
+++ b/python/ql/src/semmle/python/frameworks/MySQLdb.qll
@@ -1,5 +1,7 @@
 /**
- * Provides classes modeling security-relevant aspects of the `MySQLdb` PyPI package.
+ * Provides classes modeling security-relevant aspects of the `MySQL-python` PyPI package
+ * (imported as `MySQLdb`).
+ *
  * See
  * - https://mysqlclient.readthedocs.io/index.html
  * - https://pypi.org/project/MySQL-python/
@@ -13,7 +15,7 @@ private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.PEP249
 
 /**
- * Provides models for the `MySQLdb` PyPI package.
+ * Provides models for the `MySQL-python` PyPI package (imported as `MySQLdb`).
  * See
  * - https://mysqlclient.readthedocs.io/index.html
  * - https://pypi.org/project/MySQL-python/
diff --git a/python/ql/src/semmle/python/frameworks/MysqlConnectorPython.qll b/python/ql/src/semmle/python/frameworks/MysqlConnectorPython.qll
index 989fb668746..89cbb857235 100644
--- a/python/ql/src/semmle/python/frameworks/MysqlConnectorPython.qll
+++ b/python/ql/src/semmle/python/frameworks/MysqlConnectorPython.qll
@@ -1,5 +1,6 @@
 /**
- * Provides classes modeling security-relevant aspects of the `mysql-connector-python` package.
+ * Provides classes modeling security-relevant aspects of the `mysql-connector-python`
+ * and `mysql-connector` (old package name) PyPI packages (imported as `mysql`).
  * See
  * - https://dev.mysql.com/doc/connector-python/en/
  * - https://dev.mysql.com/doc/connector-python/en/connector-python-example-connecting.html
@@ -13,7 +14,8 @@ private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.PEP249
 
 /**
- * Provides models for the `mysql-connector-python` package.
+ * Provides classes modeling security-relevant aspects of the `mysql-connector-python`
+ * and `mysql-connector` (old package name) PyPI packages (imported as `mysql`).
  * See
  * - https://dev.mysql.com/doc/connector-python/en/
  * - https://dev.mysql.com/doc/connector-python/en/connector-python-example-connecting.html

From b1fb68bc541829a410bca4dd989e11678e59cebd Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen <rasmuswl@github.com>
Date: Tue, 15 Jun 2021 13:00:54 +0200
Subject: [PATCH 1427/1429] Python: Rename .qll file for mysql-connector-python
 support

Just like our support for the `PyYAML` PyPI package that you import with
`import yaml` is in `Yaml.qll`.

Since this file does not provide any public predicates/modules, it
should be safe to rename it.
---
 python/ql/src/semmle/python/Frameworks.qll                      | 2 +-
 .../python/frameworks/{MysqlConnectorPython.qll => Mysql.qll}   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename python/ql/src/semmle/python/frameworks/{MysqlConnectorPython.qll => Mysql.qll} (97%)

diff --git a/python/ql/src/semmle/python/Frameworks.qll b/python/ql/src/semmle/python/Frameworks.qll
index 523f844954b..0eed2efaf77 100644
--- a/python/ql/src/semmle/python/Frameworks.qll
+++ b/python/ql/src/semmle/python/Frameworks.qll
@@ -14,7 +14,7 @@ private import semmle.python.frameworks.Flask
 private import semmle.python.frameworks.Idna
 private import semmle.python.frameworks.Invoke
 private import semmle.python.frameworks.Multidict
-private import semmle.python.frameworks.MysqlConnectorPython
+private import semmle.python.frameworks.Mysql
 private import semmle.python.frameworks.MySQLdb
 private import semmle.python.frameworks.Psycopg2
 private import semmle.python.frameworks.PyMySQL
diff --git a/python/ql/src/semmle/python/frameworks/MysqlConnectorPython.qll b/python/ql/src/semmle/python/frameworks/Mysql.qll
similarity index 97%
rename from python/ql/src/semmle/python/frameworks/MysqlConnectorPython.qll
rename to python/ql/src/semmle/python/frameworks/Mysql.qll
index 89cbb857235..5049124ad83 100644
--- a/python/ql/src/semmle/python/frameworks/MysqlConnectorPython.qll
+++ b/python/ql/src/semmle/python/frameworks/Mysql.qll
@@ -20,7 +20,7 @@ private import semmle.python.frameworks.PEP249
  * - https://dev.mysql.com/doc/connector-python/en/
  * - https://dev.mysql.com/doc/connector-python/en/connector-python-example-connecting.html
  */
-private module MysqlConnectorPython {
+private module Mysql {
   // ---------------------------------------------------------------------------
   // mysql
   // ---------------------------------------------------------------------------

From 44b30b70da8e40e2d2abba7cbbf5083a59fd3bab Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 15 Jun 2021 16:27:27 +0200
Subject: [PATCH 1428/1429] C#: Fix Modifiable::isUnsafe to handle declarations
 extracted from assemblies

---
 csharp/ql/src/semmle/code/csharp/Member.qll    | 7 ++++++-
 csharp/ql/test/library-tests/unsafe/unsafe4.ql | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/csharp/ql/src/semmle/code/csharp/Member.qll b/csharp/ql/src/semmle/code/csharp/Member.qll
index 520df43cfb8..65fe94a0c50 100644
--- a/csharp/ql/src/semmle/code/csharp/Member.qll
+++ b/csharp/ql/src/semmle/code/csharp/Member.qll
@@ -86,7 +86,12 @@ class Modifiable extends Declaration, @modifiable {
   predicate isConst() { this.hasModifier("const") }
 
   /** Holds if this declaration is `unsafe`. */
-  predicate isUnsafe() { this.hasModifier("unsafe") }
+  predicate isUnsafe() {
+    this.hasModifier("unsafe") or
+    this.(Parameterizable).getAParameter().getType() instanceof PointerType or
+    this.(Property).getType() instanceof PointerType or
+    this.(Callable).getReturnType() instanceof PointerType
+  }
 
   /** Holds if this declaration is `async`. */
   predicate isAsync() { this.hasModifier("async") }
diff --git a/csharp/ql/test/library-tests/unsafe/unsafe4.ql b/csharp/ql/test/library-tests/unsafe/unsafe4.ql
index 8aa38fc8fbb..c086e0c00a5 100644
--- a/csharp/ql/test/library-tests/unsafe/unsafe4.ql
+++ b/csharp/ql/test/library-tests/unsafe/unsafe4.ql
@@ -1,3 +1,3 @@
 import csharp
 
-select any(Modifiable m | m.isUnsafe())
+select any(Modifiable m | m.isUnsafe() and m.fromSource())

From 74c4765ab999a9dcfeefa8d465c90921aa852a01 Mon Sep 17 00:00:00 2001
From: Tamas Vajk <tamasvajk@github.com>
Date: Tue, 15 Jun 2021 16:28:26 +0200
Subject: [PATCH 1429/1429] Add change note

---
 csharp/change-notes/2021-06-15-unsafe-non-source-code.md | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 csharp/change-notes/2021-06-15-unsafe-non-source-code.md

diff --git a/csharp/change-notes/2021-06-15-unsafe-non-source-code.md b/csharp/change-notes/2021-06-15-unsafe-non-source-code.md
new file mode 100644
index 00000000000..8e45080b132
--- /dev/null
+++ b/csharp/change-notes/2021-06-15-unsafe-non-source-code.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The `Modifiable::isUnsafe` predicate has been fixed to handle symbols that are not extracted from source code.
\ No newline at end of file